OSPF Loopback interfaces are treated as a stub host and will only have a 32 bit host route on the other devices no matter how the subnet mask is entered under the OSPF network statement.

We will explore how we can disable this default behaviour using a few methods.

As you can see, R4 is configured with IP address 192.168.1.4 and R5 with 192.168.1.5.

We have loopback interfaces added with /24 subnet masks on R4 and R5

R4#sh run int loop0
Building configuration...
Current configuration : 61 bytes
!
interface Loopback0
ip address 4.4.4.4 255.255.255.0
end
R4#

R5#sh run int loop 0
Building configuration...
Current configuration : 61 bytes
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
end
R5#

We are running basic OSPF Configs as follows…

R4#sh run | se router ospf 1
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
R4#

R5#sh run | se router ospf 1
router ospf 1
router-id 5.5.5.5
log-adjacency-changes
network 5.5.5.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
R5#

This is what we are seeing on R4 and R5 and we expected this…

R5#sh ip ro ospf
4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/11] via 192.168.1.4, 00:12:27, Ethernet0/0
R5#

R4#sh ip ro ospf
5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/11] via 192.168.1.5, 00:12:43, Ethernet0/0
R4#

Now we will try the first method, this is to set the OSPF Network type to point-to-point under the interface configuration mode.

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int loop 0
R4(config-if)#ip ospf network point-to-point
R4(config-if)#

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#int loop0
R5(config-if)#ip ospf network point-to-point
R5(config-if)#

As you can see this works, and now we are seeing the whole /24 Range…

R4#sh ip ro ospf
5.0.0.0/24 is subnetted, 1 subnets
O       5.5.5.0 [110/11] via 192.168.1.5, 00:00:04, Ethernet0/0
R4#

R5#sh ip ro ospf
4.0.0.0/24 is subnetted, 1 subnets
O       4.4.4.0 [110/11] via 192.168.1.4, 00:00:18, Ethernet0/0
R5#

Second option we got is to redistribute the connected network with the with the redistribute connected subnets under the Router OSPF configuration mode.

When it comes to redistribution, try not to go wild and it is always a good idea to create route-map to point out what you want redistributed.

R4#sh ip ro ospf
5.0.0.0/24 is subnetted, 1 subnets
O E2    5.5.5.0 [110/20] via 192.168.1.5, 00:00:00, Ethernet0/0
R4#

R5#sh ip ro ospf
4.0.0.0/24 is subnetted, 1 subnets
O E2    4.4.4.0 [110/20] via 192.168.1.4, 00:00:15, Ethernet0/0
R5#

The third option we have is to use the Area Range command. To accomplish this, we will need to add a few more Loopback interfaces on R4 then we will use the area x range command to summarise it.

R4#sh ip int brie | i up
Ethernet0/0    192.168.1.4     YES manual up     up
Loopback0      4.4.4.4         YES manual up     up
Loopback10     10.1.1.1        YES manual up     up
Loopback11     11.1.1.1        YES manual up     up
Loopback12     12.1.1.1        YES manual up     up
R4#

When we add the loopback interfaces into OSPF, it is still showing it as a /32 Host route…

R5#sh ip ro ospf
10.0.0.0/32 is subnetted, 1 subnets
O IA    10.1.1.1 [110/11] via 192.168.1.4, 00:00:22, Ethernet0/0
11.0.0.0/32 is subnetted, 1 subnets
O IA    11.1.1.1 [110/11] via 192.168.1.4, 00:00:12, Ethernet0/0
12.0.0.0/32 is subnetted, 1 subnets
O IA    12.1.1.1 [110/11] via 192.168.1.4, 00:00:12, Ethernet0/0
R5#

Now, we will use the Area 1 Range command to summarise it on R4. Once it is done, we can now see the end result.

Note: The above Loopback networks have been added into Area 1 under the Router OFPF configuration.

R5#sh ip ro ospf
O IA 8.0.0.0/5 [110/11] via 192.168.1.4, 00:00:10, Ethernet0/0
R5#

These are the three method I know of when it comes to disabling the /32 host route on OSPF Loopback Networks…

I was going through 6to4 tunnel configs and thought I’d post some info on converting IPv4 address into IPv6 Address. This is pretty straight forward and its obviously involves HEX conversion.

Here, I will convert the address 192.168.25.234

First we divide each octet by 16 and write down the remainder, primary school maths!

192 ÷ 16 = 12 remainder 0
168 ÷ 16 = 10 remainder 8
25 ÷ 16 = 1 remainder 9
234 ÷ 16 = 14 remainder 10

We also know that HEX has the following Values

A = 10
B = 11
C = 12
D = 13
E = 14
F = 15

So we can write 192.168.25.234 into HEX like so… C0A8:19EA

Now we will change the HEX Address C0A8:19EA into regular IPv4

C0 = (12 x 16) + 0 = 192
A8 = (10 x 16) + 8 = 168
19 = (1 x 16) + 9 = 25
EA = (14 x 16) + 10 = 234

QED

I was going through some TCP windowing over a high speed WAN link, and thought it might be worth to post some info regarding this.

We do face a typical problem of having slow speed file transfer even if the dedicated pipe is capable of supporting it.

There are three factors which affects this…

1. TCP Window Size.
2. Round trip latency of the circuit.
3. Bandwidth of the circuit.

Maximum throughput you can get from a line with 10ms latency and a TCP window of 32KB can be calculated with…

32KB –> 32 x 1024 x 8 = 262144 Bits

262144 ÷ 0.01 = 26214400 bps = 26.2144 Mbps

Let’s say we have an OC-3 line, which is at 155 Mbps and a round trip latency of 10ms, and we need to calculate the TCP window size to maximize the throughput…

155.52 x 10⁶ = 155520000 bps

TCP_WINDOW = 155520000 x 0.01 = 1555200 Bits = 194400 Bytes = 189.84375 KB

Hope I got the calculation right

Multilink is a way of bundling more than one PPP WAN links and bundle them together into one logical interface. This is one of the method you can implement when you have a primary and secondary links in place and create a logical conduit where both links are present.

This method can be used to load balance data across the links and at the same time it will support redundancy when one one link fails.

I have tested this configuration on 2 of my 2500 Routers and I haven’t tested these on more recent IOS so some commands may vary. I will be checking them on a pair of 3845s/2691s on a later date and will add my findings to this post.

As you can see the Diagram, I am using R4 and R5 which are connected via Serial 0 and Serial 1 respectivly.

R4 Configuration

Multilink Interface
interface Multilink1
ip address 172.16.1.1 255.255.255.252
ppp multilink
ppp multilink links maximum 2
ppp multilink links minimum 1
ppp multilink group 1

Serial 0

interface Serial0
no ip address
encapsulation ppp
clock rate 64000
ppp multilink
ppp multilink group 1

Serial 1

interface Serial1
no ip address
encapsulation ppp
clock rate 64000
ppp multilink
ppp multilink group 1

As you can see, since this is a lab scenario, I have set the clock rate on the link. If you are setting this up on a WAN link, you don’t need to do this as the circuit provider would be setting this up for you.

Also another thing to watch out for is to create the Multilink interface first then move onto configuring the Serial interfaces. If you do the other way around, it will not allow you to set the multilink group as it is not present on the router (See the error message below).

R4(config-if)#ppp multi gr 1
% Cannot set multilink group. Interface Multilink1 does not exist

That is all to watch out for and you can see my R5 configuration below…

R5 Configuration

Multilink

interface Multilink1
ip address 172.16.1.2 255.255.255.252
ppp multilink
ppp multilink links maximum 2
ppp multilink links minimum 1
ppp multilink group 1

Serial 0

interface Serial0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1

Serial 1

interface Serial1
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1

Here is how it should look…

R4#sh ip int br | i up
Multilink1    172.16.1.1    YES   manual  up  up
Serial0       unassigned    YES   manual  up  up
Serial1       unassigned    YES   manual  up  up

R5#sh ip int br | i up
Multilink1    172.16.1.2    YES   manual  up  up
Serial0       unassigned    YES   manual  up  up
Serial1       unassigned    YES   manual  up  up

R4#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/52 ms
R4#

Now I will bring Serial 0 interface down and test the Multilink…

R4(config)#int se0
R4(config-if)#shut
R4(config-if)#

*Mar  1 01:19:41.123: %LINK-5-CHANGED: Interface Serial0, changed state to administratively down
*Mar  1 01:19:42.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down

R4(config-if)#do sh ip int br
Interface     IP-Address   OK?    Method  Status              Protocol
Ethernet0     unassigned   YES    NVRAM   administratively    down  down
Multilink1    172.16.1.1   YES    manual  up                  up
Serial0       unassigned   YES    manual  administratively    down  down
Serial1       unassigned   YES    manual  up                  up

R4(config-if)#do ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms
R4(config-if)#

As you can see, it works even when one interface is down…

Frame-Relay is one of the core concept of networking and nowadays it is one of the under appreciated part on modern networking.

I am just going to go over how to configure it using 4 Routers and one will act as a Frame-Relay cloud.

Before I go ahead and explain the configuration, You can see the below diagram which represents the physical topology.

As you can see, FRS is connected via…

Serial 1/1 to R1 Serial 1/0
Serial 1/2 to R2 Serial 1/0
Serial 1/3 to R3 Serial 1/0

Now we have got the physical topology clear, we will move onto Frame-Relay configuration and the DLCI assignment.

As you can see the DLCI configuration…

On R1 : DLCI 122 is connected to R2 and DLCI 123 is connected to R3
On R2 : DLCI 221 is connected to R1
On R3: DLCI 321 is connected to R3.

If you are configuring the DLCI then I would suggest you follow this method of numbering, Because from the DLCI Number, I can simply distinguish where the DLCI is connecting to…

For Example, we will take DLCI 122 (One Two Two ) I remember it as; From Router One 2 Two and the same goes for DLCI 321 (Three Two One) Router Three 2 One.

Here are the configuration on the FRS (Please see the first diagram for interface info…)

Serial 1/1

interface Serial1/1
no ip address
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
clock rate 64000
no frame-relay inverse-arp
frame-relay intf-type dce
frame-relay route 122 interface Serial1/2 221
frame-relay route 123 interface Serial1/3 321

Serial 1/2

interface Serial1/2
no ip address
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
clock rate 64000
no frame-relay inverse-arp
frame-relay intf-type dce
frame-relay route 221 interface Serial1/1 122

Serial 1/3

interface Serial1/3
no ip address
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
clock rate 64000
no frame-relay inverse-arp
frame-relay intf-type dce
frame-relay route 321 interface Serial1/1 123

As you can see, if you are configuring Frame-Relay you should understand what every command does and I will be writing a more detailed post on Frame-Relay switching where all of these commands will be covered.

Now the FRS is set, we will go ahead and configure each interface of the routers R1, R2 and R3.

R1

interface Serial1/0
ip address 172.16.10.1 255.255.255.0
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
no fair-queue
frame-relay map ip 172.16.10.2 122 broadcast
frame-relay map ip 172.16.10.3 123 broadcast
no frame-relay inverse-arp

R2

interface Serial1/0
ip address 172.16.10.2 255.255.255.0
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
no fair-queue
frame-relay map ip 172.16.10.1 221 broadcast
frame-relay map ip 172.16.10.3 221 broadcast
no frame-relay inverse-arp

R3

interface Serial1/0
ip address 172.16.10.3 255.255.255.0
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
no fair-queue
frame-relay map ip 172.16.10.1 321 broadcast
frame-relay map ip 172.16.10.2 321 broadcast
no frame-relay inverse-arp

The most important commands are “Frame-Relay Map” on the Routers and the “Frame-Relay Route” command on the Frame switching router.

As you can see, I have the Broadcast option at the end of the “frame-relay map” command; It is there to allow routing packets such as RIP to be passed through the Frame network. Without this option, it will not allow IP traffic to be switch through frame network.

If you don’t get the DLCI mapping correct, you will not get the circuit to come “active”

You can check the Frame route by issuing the “show frame-relay route” command on FRS.

FRS#sh fr ro
Input Intf   Input Dlci   Output Intf   Output Dlci   Status
Serial1/1    122          Serial1/2     221           active
Serial1/1    123          Serial1/3     321           active
Serial1/2    221          Serial1/1     122           active
Serial1/3    321          Serial1/1     123           active
FRS#

And “show frame-relay map” on the Routers (R1, R2, R3)

R1#sh frame map
Serial1/0 (up): ip 172.16.10.2 dlci 122(0x7A,0x1CA0), static,
broadcast,
CISCO, status defined, active
Serial1/0 (up): ip 172.16.10.3 dlci 123(0x7B,0x1CB0), static,
broadcast,
CISCO, status defined, active

R2#sh frame map
Serial1/0 (up): ip 172.16.10.1 dlci 221(0xDD,0x34D0), static,
broadcast,
CISCO, status defined, active
Serial1/0 (up): ip 172.16.10.3 dlci 221(0xDD,0x34D0), static,
broadcast,
CISCO, status defined, active

R3#sh frame map
Serial1/0 (up): ip 172.16.10.1 dlci 321(0x141,0x5010), static,
broadcast,
CISCO, status defined, active
Serial1/0 (up): ip 172.16.10.2 dlci 321(0x141,0x5010), static,
broadcast,
CISCO, status defined, active

If it says “inactive” or “deleted”, I would first check the DLCI assignment and encapsulation and so forth…

And it is always nice to see the following message…

*Mar  1 00:00:21.005: %FR-5-DLCICHANGE: Interface Serial1/1 - DLCI 122 state changed to ACTIVE
*Mar  1 00:00:21.005: %FR-5-DLCICHANGE: Interface Serial1/1 - DLCI 123 state changed to ACTIVE
*Mar  1 00:00:21.098: %FR-5-DLCICHANGE: Interface Serial1/2 - DLCI 221 state changed to ACTIVE
*Mar  1 00:00:21.146: %FR-5-DLCICHANGE: Interface Serial1/3 - DLCI 321 state changed to ACTIVE

If you want to jump between servers without any password authentication but you still need security here is what you have to do.
There are two ways of achieving this:

On Debian/Ubuntu you can just type:

$ cd $HOME
~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key:

Press Enter each question and you will have a pair of keys ready to use.
You will be asked for a passphrase but if you do not want to insert anything just leave it blank.
This procedure will create one private and one public key.
$ ls .ssh/
id_rsa id_rsa.pub known_hosts
The private key must be secured on your box whereas the public key can be copied across
~$ ssh-copy-id -i .ssh/id_rsa.pub 192.168.1.30
At this time you will be asked for the password but once the key has been copied you will be able to ssh just perfectly.

As additional security you could lock the account to prevent someone without key to ssh into the box. In order to do that

me@mybox:~$ ssh 192.168.1.30
me@server:~$ su -
password:
root@server:~# usermod -L me

usermod -L will lock the account “me” preventing anyone using password credentials for that account. You will only be able to access with you trusted ssh-key. If you don’t want anymore the account locked just type:
root@server:~# usermod -U me
-U flag will unlock the account

ON SOME OTHER DISTROS:
the “ssh-copy-id” utility doesn’t exist so you will have to copy it manually.
If you can copy and paste then
~$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv4k0ChLXCfpF+o/4HcqAqYEivRSHHYsTlXfT4I0jmOAI+MKjVTB/CtKqq4h7KMyXrUUo7vtceac4i2FRSm6PdsWksJXsYxkOj+ZXXD2fOnJIDKfIr41URcZH4qmztYO+/9YYcQudPzNlt9tLx5jrkhI7sLy56OmKRwfrxq+UY7ebt+j7y5DmevJP0u7bzREPUA/rcVoPxH0/u015O2BcaJmNoxR1pNfMC3Oefn1eAkodo6fOa3vHHo7WhSpDL/42xsBWPnOAAEDM9tmOUyCJDc8l4Mzm+TindqY2yL2GPspabaEAV3rfuF9O4Ywe+tVIPc2/YXo9XvQxyXZqHxtcw==== me@mybox

and paste the line into the remote server’s .ssh/authorized_keys file. REMEMBER that it’s just one line so if during copy and paste you get some new line characters that key won’t work.

If you can’t copy and paste and want to have the confidence the key has been correctly copied just scp the id_rsa.pub to the server

me@mybox:~$ scp .ssh/id_rsa.pub 192.168.1.30:/home/me/
me@server:~$ ssh 192.168.1.30
me@server:~$ cat id_rsa.pub >> .ssh/authorized_keys


For more info
man usermod
man ssh-keygen

Doing visudo you get nano instead of your favorite text editor?
Mine is vim therefore I issue:

DEBIAN/UBUNTU way

# update-alternatives --config editor
There are 4 alternatives which provide `editor'.
Selection Alternative
-----------------------------------------------
1 /usr/bin/vim.tiny
2 /bin/ed
*+ 3 /bin/nano
4 /usr/bin/vim.basic
Press enter to keep the default[*], or type selection number:

Selecting 4 I’m ready to use my full syntax colors when I edit any file.

OTHER DISTROS
Edit your .bashrc file and add the following:
EDITOR=vim
export EDITOR
Next login you will have your VIM working.
If you want to have it immediately and only for this session just type
# export EDITOR=vim
and press enter.

I’ve come across multiple ways of doing it but so far the best way is the following (I assume you are on i386 platform and you have access to the net):
1. Download boot.img.gz from Debian website
2. Download the net-install image choosing i386.
3. Plug your USB drive into a Linux PC, open the shell and type

$ dmesg

Last few lines should be like the following:

sd 7:0:0:0: [sdb] Attached SCSI removable disk
sd 8:0:0:0: [sdb] 4030464 512-byte logical blocks: (2.06 GB/1.92 GiB)
sd 8:0:0:0: [sdb] Write Protect is off

Now we know it has been mapped as sdb

4. Use zcat to load the boot.img.gz onto your USB drive

# zcat boot.img.gz > /dev/sdb

CAUTION!!! this will destroy the entire data on the USB drive, make sure you have done the backup.
If you get an error ensure the following:
- You are root (don’t use sudo)
- The USB drive it’s not mounted, if it is umount it before issuing the above command.

5. Now mount the USB drive and copy the net-inst.iso image on it.

All done! Now plug it into the box you want to setup and enjoy the old fashion Debian installer

This tip might comes handy when you do a system check and you want to make sure you don’t check the same file twice.

Let’s pretend that our “file1″ is a conf file that needs review. As you can see the output of the command issued below shows that the file was last edited in June.
Today I want to check the file without editing it and make sure next time I won’t check it again:

$ ls -l
total 0
-rw-r--r-- 1 luca luca 290 2009-06-29 16:33 file1


Touch is an excellent tool in this case:

$ touch file1
$ ls -l
total 0
-rw-r--r-- 1 luca luca 0 2009-08-29 19:43 file1

The Modification Time has changed and so has the access time.

If you want to change just the modification time leaving the access time untouched try with the -m option

$ touch -m file1
$ ls -l
total 0
-rw-r--r-- 1 luca luca 0 2009-08-29 19:46 file1
$ stat file1
[..]
Access: 2009-08-29 19:43:45.000000000 +0100
Modify: 2009-08-29 19:46:15.000000000 +0100
Change: 2009-08-29 19:46:15.000000000 +0100

And -a is just for the Access Time.

Another interesting option is -t. It lets you set the time and the date with whatever you like. This is often used to do fishy things

$ touch -t 200701012301 file1
$ stat file1
[..]
Access: 2007-01-01 23:01:00.000000000 +0000
Modify: 2007-01-01 23:01:00.000000000 +0000
Change: 2009-08-29 19:52:26.000000000 +0100


All broadcasts messages are dropped by the router when it receives on an interface. This specific command is enables the router to convert the broadcast messages distended for a specific destination into unicast. This interface level command needs to be applied on the interface which the broadcast receives from.

R1(config-if)#ip helper-address 10.10.10.10

Also there are other options where you point the address to a vrf etc…

The following broadcasts are forwarded by default…

TIME – Port 37
TACACS – Port 49
DNS – Port 53
BOOTP/DHCP Server – Port 67
BOOTP/DHCP Client – Port 68
TFTP – Port 69
NetBIOS Name Service – Port 137
NetBios Datagram Service – Port 138

Other protocols can be forwarded by using the following Global config commanding…

R1(config)#ip forward-protocol udp ?

Use the ? to see the supported protocols. You may use the following command to remove a specific protocol being forwarded…

R1(config)#no ip forward-protocol udp ?