One of the favourite features about Junos when it comes to configuration management is the ability to manage configuration on a methodical manner. This is where the “COMMIT” configuration comes in and takes care of any unnecessary configuration mistakes which could have been made while performing a certain task.

To quote from Juniper’s website

When you commit the current candidate configuration, you can require an explicit confirmation for the commit to become permanent. This is useful if you want to verify that a configuration change works correctly and does not prevent access to the router. If the change prevents access or causes other errors, the router automatically returns to the previous configuration and restores access after the rollback confirmation timeout passes. This feature is called automatic rollback.

This feature will automatically rollback a “Candidate Configuration” unless the commit confirmed command is entered.

You can see are detailed explanation on Juniper’s Website HERE

Concept Extension

We live in an era where Internetworks are growing exponentially and it is near impossible to replicate a test lab to test out configurations before deploying onto the production network. However, an error in the configuration can cause catastrophic impact to the network. Therefore, to minimize such incident the following concept could be added to Junos. This concept extension takes one step further by giving the engineer more control over the configuration change he/she performing on the equipment.

When the Active Configuration (Running Config) is in place, the Juniper Routing Engine will display the verification commands according to the current config and how it will interact with the Router Control Plane (Fig 2). This is the current concept, and not only on Junos, but this is how all routers and switches behave.

The new concept takes account of the “Commit” feature and rebuilds the verification output according to the candidate configuration. The candidate configuration does take effect until it has been committed.

As you can see below (Fig 3) the user adds the Candidate Configuration to the Juniper Routing Engine as follows.

The user will be able to see how the Router Control Plane will behave once the Candidate Configuration is added into the Active Configuration. By doing so; all verification can be done on the router before finalizing Candidate Configuration to work with the Active Configuration.

For example we will assume that the Juniper Routing Engine running OSPF.

1. The user is modifying OSPF network statements into the Candidate Configuration.
2. Juniper Routing Engine combines the candidate Configuration with the Active Configuration and builds a Verification Template.
3. User goes into the Verification Template and verifies how the network will converge when the new configuration is added.
4. If the user is happy with the change, he/she can commit the change which will be installed into the Router Control Plane.

Conclusion

I am sure this idea will indeed create a lot of bottlenecks when it comes to generating a Verification Template based on the Configurations. The resource available on the router will definitely get affected while creating the Verification Template, along with other facts such as live verification tasks such as QoS etc.

Nevertheless, this concept would be a fool proof verification method for an end user on checking how a Router Control Plane (OSPF Database, BGP Prefix exchange etc) behaves when new configuration is added.

This will give the end user more confident while working on the systems and will tremendously minimize any configurations mistakes. At the moment, there is only one way to find out whether such errors could cause an impact on the network is after the configuration is committed which could result in downtime. Thus having a fool proof method as such will eliminate such downtimes in future.

It is possible to configure WPA2 (AES-CCMP) on a Cisco 877w Router and these are the steps required to achieve them.

First of all, do make sure you have the right IOS version. This is important because some versions of the IOS does not support the latest WPA2 Key Management type along with AES-CCMP Encryption. This configuration is based on the following IOS.

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3)
c870-advipservicesk9-mz.124-22.T5.bin

We will be using VLAN 2 for Wireless

!
interface Vlan2
 description WIRELESS VLAN 2
 no ip address
!

Configure the DHCP Pool which the Wireless clients will use.

!
ip dhcp excluded-address 10.10.1.1
!
ip dhcp pool WIRELESS
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1 
   dns-server 208.67.222.222 208.67.220.220 
!

Configure the SSID

!
dot11 syslog
!
dot11 ssid Fnode
 vlan 2
 authentication open 
 authentication key-management wpa
 guest-mode
 wpa-psk ascii PASSWORD-HERE
!

Configure the Radio Interface, make sure you are using the ciphers aes-ccm to achieve WPA2 AES-CCMP Encryption. If the option is not there, the current ISO does not support it. (Refer to the IOS Above)

!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers aes-ccm 
 !
 ssid Fnode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel least-congested 2412 2442 2462
 station-role root
 no cdp enable
!

Make sure you are using VLAN 2 on the dot1Q encapsulation, along with the IP address configured on the DHCP Section.

!
interface Dot11Radio0.1
 description WLAN VLAN2
 encapsulation dot1Q 2
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!

Configure the access-list for the Wireless clients. It is best practice to create extended access-list so is becomes intuitive while looking at them…

!
ip access-list extended WIRELESS
 permit ip 10.10.1.0 0.0.0.255 any
!

Add the NAT translation as follows…

I am using VLAN 20 as the External Interface to NAT out, use the corresponding External Interface on your configuration.

!
ip nat inside source list WIRELESS interface Vlan20 overload
!

Verification Method.

Once you have successfully connected a device to the configured SSID, Use the command to verify WPA2/AES-CCMP association.

Router#show dot11 associations all should show the following.

Key Mgmt type: WPAv2 PS
Encryption: AES-CCMP

Along with a similar log message.

*Feb 26 23:30:54.669: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Border 0013.02de.xxxx Associated SSID[Fnode] AUTH_TYPE[OPEN] KEY_MGMT[WPAv2 PSK]

Once you have configured and verified, use the command (config)#service password-encryption to encrypt the WPA2 Password entered above.

The following method can be used when a user login to a linux machine, an email will be sent with IP information.

For this to work, you need to have the program mutt installed.

Then add the following to the user’s .bashrc file, which is located in /home/$user/.bashrc

echo `who` | /usr/bin/mutt -s "SSH Alert" email@address.here

For example, if you want an email sent everytime the user root login, edit the file /home/root/.bashrc and add the above code.

The following configuration is for BE Broadband / O2 Broadband Specific and will work with an external modem working on RFC1493 / Bridge mode.

When it comes to setting up a Cisco Router with a modem under bridge mode, you only need a Layer 3 port to configure the given IP Address. In any Layer 3 capable device, it is rather straight forward. To configure, you only needs to add the IP address, subnet mask to the interface; along with the default route to the ISP given default-gateway and it should work.

When it comes to the 877 / 877w etc, they only come with 4 Layer 2 capable switch port, therefore one needs to configure a VLAN Interface and assign one Switchport to the given VLAN as per following configuration.

You do not need to create a Dialer Interface as PPPoE/PPPoA is not involved in this configuration.

First, we setup FastEthernet3 as part of VLAN 20, which will be our VLAN Interface for the IPoATM Bridge.

!
interface FastEthernet3
 description EXTERNAL DSL IPoATM
 switchport access vlan 20
!

Then we setup Interface Vlan20 and add the IP Address & Subnet Mask given by the ISP.

!
interface Vlan20
 description EXTERNAL DSL IPoATM VLAN INTERFACE
 ip address 87.194.x.x 255.255.x.x
 ip nat outside
 ip virtual-reassembly
!

Then add the default route as follows. The Default-Gateway IP Address is given by the ISP.

!
ip route 0.0.0.0 0.0.0.0 87.194.x.x
!

And add the NAT Statements as follows. Interface VLAN 20 becomes the outside interface, as for Inside Interface, it could use be BVI/Dot11Radio etc

!
ip nat inside source list WIRED interface Vlan20 overload
ip nat inside source list WIRELESS interface Vlan20 overload
!

The following two scripts on crontab will automatically back up and email the database on a timely manner. This script will work on daily backup of Blogs such as WordPress / Drupal etc

In this example, I will be using the directory /home/backup/database

It is recommended to create two different shell script named dbback.sh and dbmail.sh accordingly and set them as executables. chmod +x

The first script will backup the database using MySQLdump, then it will bzip2 the Database with the following filename database_DATE.sql.bz2

#!/bin/bash
BACKUP="/home/backup/database/database_`date +%d-%m-%Y`.sql"
/usr/bin/mysqldump -uUSERNAME -pPASSWORD --opt DATABASE > $BACKUP
/usr/bin/bzip2 $BACKUP

The second script will email the database as an attachment using mutt, to a given email address.

#!/bin/bash
/bin/echo "Backup Database for `date +%d-%m-%Y`" | /usr/bin/mutt -s "Backup Database for `date +%d-%m-%Y`" email@address.here -a /home/backup/database/database_`date +%d-%m-%Y`.sql.bz2

To make it automated, all you have to do is to add both scripts to the crontab. It is advisable to add them 10 minutes apart depending on the size of the MySQL Database. As per example below.

15 20 * * * /home/backup/script/dbbackup.sh 
25 20 * * * /home/backup/script/dbmail.sh

Be very Cautious on emailing Larger/Sensitive Database via email.

I have presented my question to Juniper CEO Kevin Johnson and It has been answered on the first episode of 5in5.

My Question was the following and can be seen on 3:25

What is Juniper doing in the enterprise or service provider market to close the gap on Cisco?

Overview

I have been seeing a number of articles on the Internet trying to persuade Cisco to offer some kind of real-time emulation software for their IOS. I remember Greg Ferro from Etherealmind started a petition a while back and I have yet to see any development on that…

The fact that the matter is, Cisco already have such platform called IOU, which is designed to emulate their IOS to a near hardware experience for their internal testing environment. (Don’t quote me on this, but this is pretty good from what I have heard, or researched)

Currently we have Dynamips, which is one of the resource hungry Cisco Hardware emulation platform where testing can be done to a certain extend but it is nowhere near perfect, and here are some facts.

• Dynamips does require a Lot of resources.
• This is extremely processor heavy.
• QoS does not work very well.

If you want to have a detailed explanation on, please have a look at the following post by Wendell Odom who explains thoroughly on the NWW.

What puzzles me is the fact that Cisco goes out of their way to promote their Educational sector, yet they are reluctant to offer some kind of Software Emulation to accommodate their IOS.

I can understand that fact that Cisco is trying to draw a line between testing and learning… When it comes to learning, it is fine. But, when it comes to Testing, Cisco might be concerned that it would affect their after sale services and revenue.

They are also maybe concerned about the lOS architecture getting onto the wrong hand. If you think about it, it does make sense because if they don’t support the Students, they would have put a stop to Dynamips

Suggestion

That is why I was wondering whether Cisco would consider releasing a pre built Topology such as the R&S 360 Lab within IOU/L2IOS (which they run on the R&S Lab for the troubleshooting section) and lock it with an encryption so it cannot be decompiled. There is still a risk on there, but it might be worth it. That way, it is only used for studying purposes and they don’t have to worry about it is being used for commercial use which might affect their after sale services…

That is why I suggest that if they released a “supersized” topology like the TS section on their RS Lab exam (with the correct IOS version), one can pretty much turn a few routers off and accommodate to the students needs.

With such topology, I personally think a student can pretty much cover CCNA/CCNP or even unto a level of a CCIP exams… If a CCNA student is overwhelmed by such topology, they can start with Packet trace and once they are comfortable, they can move onto this.

I do understand people wants such technology to test and troubleshoot, but I personally think, since they promote the 360 Learning solutions vigorously, they should consider this option to help the students.

Update

As of 21st April 2011, Cisco has finally listen to the request now offering the IOU Labs at their Cisco Learning Network Store. If you need more info, you can have a look Here

I have been working on some xDSL sync issues and and here are some of my findings to boost the xDSL Sync rate and have a stable line.

Option 1

First of all, make sure which standard your ISP’s DSLAM running on. This is important because some standards have limitations which will create a bottleneck when it comes to the hardware you are using. First rule of thumb for people who are not sure is to use the ISP’s provided hardware.

For example ITU G.992.5 (ADSL2+) will have an upload limitation of 1.3 Mbps, you might have a line which is capable of handling more than 1.3 Mbps but the hardware you use will cause a limitation. This is why you need to make sure which standard the ISP is running the DSLAM on. If the ISP happen to run ITU G.992.5 Annex M (ADSL2+ M) you are likely to get an upload speed of more than 1.3 Mbps, thus having a router which is capable of supporting Annex M will be beneficial.

Option 2

Run your ADSL line from the Master Socket. This way, you are likely to eradicate any noise on the line which will affect the DSL connection.

Option 3

It is highly advisable to remove the ringer cable on the phone line. This cable causes a lot of noise on the line and no longer required because the DSL Micro-Filter takes care of the ringer.
Only connect the wires on (2) and (5) on the BT NTE5 box and disconnect all the other wires. This way, there will be no static looping back via the ringer cable.

I would recommend going through all three Options above to make sure those are ticked and If you require any further assistance, I recommend you to do a Google Search and there are plenty of information out there which explains in more detail.

This procedure is quite simple and the following is done on Linux. When you have an uncompressed IOS, you don’t need to wait for it when it comes to loading it on Dynamips.

unzip -p c3725-adventerprisek9-mz.124-25.bin > c3725-adventerprisek9-mz.124-25.image

You can see both compressed and uncompressed versions below.

Workstation IOS # ls -ltrh |grep 3725
-rw-r--r-- 1 root root 38M 2010-11-29 16:47 c3725-adventerprisek9-mz.124-25.bin
-rw-r--r-- 1 root root 79M 2010-11-29 20:23 c3725-adventerprisek9-mz.124-25.image
Workstation IOS #

Before you read through this post, I assume you have got at least the basic understanding of BGP and how it works.

Here are some facts:

BGP is a path vector Routing Protocol works on TCP port 179.

Neighbor with the lowers IP address will establish the connection to the Remote Peer on TCP port 179 with a random source port.

In this case, the Remote Peer will become the Server and the Local Peer will become the client. This peering relationship will change when we clear the BGP process on either peer or the underlying BGP connection get severed for any reason.

In case you want to specifically want to set one Peer as the Server and one as the Client, the IOS does support it.

This is how it is done…

R1 and R2 have a eBGP peering where R1 is on AS 100 and R2 is on 200.

R1#sh run | s bgp
router bgp 100
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
redistribute connected
neighbor 10.0.0.2 remote-as 200
no auto-summary
R1#

R2#sh run | s bgp
router bgp 200
no synchronization
bgp router-id 2.2.2.2
bgp log-neighbor-changes
redistribute connected
neighbor 10.0.0.1 remote-as 100
no auto-summary
R2#

If you are wondering, I am redistribution the connected routes because I want to make sure the BGP is in-fact exchanging prefixed. (I don’t fully trust Dynamips when it comes to emulation… )

As you can see below, here are the BGP connection info…

R1#sh ip bgp neighbors 10.0.0.2 | i host|state
BGP state = Established, up for 01:27:40
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 10.0.0.1, Local port: 46257
Foreign host: 10.0.0.2, Foreign port: 179
R1#

R2#sh ip bgp neighbors 10.0.0.1 | i host|state
BGP state = Established, up for 01:28:07
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 10.0.0.2, Local port: 179
Foreign host: 10.0.0.1, Foreign port: 46257
R2#

As you can see above, R1 is the Client and R2 is the Server (As you can see, the Local port is 179)

As you can see below, I have cleared the BGP session and the peering arrangement is changed from R1 being the Client to Server…

R1#sh ip bgp neighbors 10.0.0.2 | i host|state
BGP state = Established, up for 00:00:31
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 10.0.0.1, Local port: 179
Foreign host: 10.0.0.2, Foreign port: 62021
R1#

R2#sh ip bgp neighbors 10.0.0.1 | i host|state
BGP state = Established, up for 00:00:06
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 10.0.0.2, Local port: 62021
Foreign host: 10.0.0.1, Foreign port: 179
R2#

In case, you want to hard-code one Peer as Client and another Peer as Server. This is possible under the Cisco IOS. I have never seen such configuration on Production Environment but this will come in handy when we have some kind of firewalling on one side of the peer or we want to specifically set which neighbor becomes the Server and which becomes the Client.

This is accomplished under the neighbor statement and I will be configuring R1 as Server and R2 as the Client. On the command itself, Active being the Client and Passive being the Server.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router bgp 100
R1(config-router)#neighbor 10.0.0.2 transport connection-mode ?
active   Actively establish the TCP session
passive  Passively establish the TCP session

R1(config-router)#neighbor 10.0.0.2 transport connection-mode passive
R1(config-router)#

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router bgp 200
R2(config-router)#neighbor 10.0.0.1 transport connection-mode ?
active   Actively establish the TCP session
passive  Passively establish the TCP session

R2(config-router)#neighbor 10.0.0.1 transport connection-mode active
R2(config-router)#

Now I have Cleared the BGP session numerous times and as you can see below, the Client / Server relationship is not changed.

R1#sh ip bgp neighbors 10.0.0.2 | i host|state
BGP state = Established, up for 00:02:24
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 10.0.0.1, Local port: 179
Foreign host: 10.0.0.2, Foreign port: 14953
R1#

R2#sh ip bgp neighbors 10.0.0.1 | i host|state
BGP state = Established, up for 00:01:22
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 10.0.0.2, Local port: 14953
Foreign host: 10.0.0.1, Foreign port: 179
R2#