smallseo.info

cisco interview questions

Top cisco frequently asked interview questions

What's the protocol-level difference between IPSec and "Cisco IPSec"?

Most VPN clients distinguish between IPSec and "Cisco IPSec." For example, (Apple's) iOS treats them as essentially separate things.

But I can't find any explanation of what the protocol-level differences are. They may be minor, but there definitely appear to be differences.

Can someone shed light on this? Even just a pointer to a detailed explanation would help a great deal. Thanks!


Source: (StackOverflow)

ARP broadcast flooding network and high cpu usage

Hoping someone here might have some insight to the issue we are facing. Currently we have Cisco TAC looking at the case but they are struggling to find the root cause.

Although the title mentions ARP broadcast and high CPU usage, we are unsure if they are related or unrelated at this stage.

The original issue has been posted on INE Online Community

We have stripped the network down to a single link no redundancy setup, think of it as a star topology.

Facts:

  • We use 3750x switches, 4 in one stack. Version 15.0(1)SE3. Cisco TAC confirms no known issues for high cpu or ARP bugs for this particular version.
  • No hubs/ unmanaged switches connected
  • Reloaded Core stack
  • We don't have a default route "Ip route 0.0.0.0 0.0.0.0 f1/0". Using OSPF for routing.
  • We see large broadcast packets from VLAN 1, VLAN 1 used for desktop devices. We use 192.168.0.0/20
  • Cisco TAC said they don't see anything wrong with using /20, other then we'd have a large broadcast domain but should still function.
  • Wifi, management, printers etc are all on different VLAN
  • Spanning tree has been verified by Cisco TAC & CCNP/CCIE qualified individuals. We shutdown all redundant links.
  • Configuration on the core has been verified Cisco TAC.
  • We have the default ARP timeout on majority of the switches.
  • We do not implement Q & Q.
  • No new switches been added (at least none we know of)
  • Cannot use dynamic arp inspection on edge switches because these are 2950
  • We used show interfaces | inc line|broadcast to figure out where the large number of broadcast coming from, however both Cisco TAC and 2 other engineers(CCNP & CCIE) confirmed this is normal behaviour due to what is happening on the network (as in large number of mac flaps causing the larger broadcast). We verified the STP was functioning correctly on the edge switches.

Symptoms on the network and switches:

  • Large number of MAC flaps
  • High CPU usage for ARP Input process
  • Huge number of ARP packets, rapidly increasing and visible
  • Wiresharks shows that 100s of computers are flooding the network with ARP Broadcast
  • For test purpose, we put approx 80 desktop machines different vlan, however we tested this and made no visible difference to high cpu or arp input
  • Have ran different AV/ malware/ spyware, but no viruses visible on the network.
  • sh mac address-table count, shows us approx 750 different mac addresses as expected on vlan 1.
#sh processes cpu sorted | exc 0.00%
CPU utilization for five seconds: 99%/12%; one minute: 99%; five minutes: 99%

 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
  12   111438973    18587995       5995 44.47% 43.88% 43.96%   0 ARP Input
 174    59541847     5198737      11453 22.39% 23.47% 23.62%   0 Hulc LED Process
 221     7253246     6147816       1179  4.95%  4.25%  4.10%   0 IP Input
  86     5459437     1100349       4961  1.59%  1.47%  1.54%   0 RedEarth Tx Mana
  85     3448684     1453278       2373  1.27%  1.04%  1.07%   0 RedEarth I2C dri
  • Ran show mac address-table on different switches and core itself (on the core, for example, plugged by desktop directly, my desktop ), and we can see the several different MAC hardware address being registered to the interface, even though that interface has only one computer attached to this:
 Vlan    Mac Address       Type        Ports
 ----    -----------       --------    -----
    1    001c.c06c.d620    DYNAMIC     Gi1/1/3
    1    001c.c06c.d694    DYNAMIC     Gi1/1/3
    1    001c.c06c.d6ac    DYNAMIC     Gi1/1/3
    1    001c.c06c.d6e3    DYNAMIC     Gi1/1/3
    1    001c.c06c.d78c    DYNAMIC     Gi1/1/3
    1    001c.c06c.d7fc    DYNAMIC     Gi1/1/3
  • show platform tcam utilization
 CAM Utilization for ASIC# 0                      Max            Used
                                              Masks/Values    Masks/values

  Unicast mac addresses:                       6364/6364       1165/1165
  IPv4 IGMP groups + multicast routes:         1120/1120          1/1
  IPv4 unicast directly-connected routes:      6144/6144        524/524
  IPv4 unicast indirectly-connected routes:    2048/2048         77/77
  IPv4 policy based routing aces:               452/452          12/12
  IPv4 qos aces:                                512/512          21/21
  IPv4 security aces:                           964/964          45/45

We are now at a stage, where we will require huge amount of downtime to isolate each area at a time unless anyone else has some ideas to identify the source or root cause of this weird and bizarre issue.


Update

Thank you @MikePennington and @RickyBeam for the detailed response. I will try and answer what I can.

  • As mentioned, 192.168.0.0/20 is an inherited mess. However, we do intend to split this up in the future but unfortunately this issue occured before we could do this. I personally also agree with majority, whereby the broadcast domain is far too big.
  • Using Arpwatch is definitely something we can try but i suspect because several access port is registering mac address even though it doesn't belong to this port, the conclusion of arpwatch may not be useful.
  • I completely agree with not being 100% sure finding all redundant links and unknown switches on the network, but as best of our finding, this this is the case until we find further evidence.
  • Port security has been looked into, unfortunately management has decided not to use this for various reasons. Common reason is we constantly move computers around (college environment).
  • We have used spanning-tree portfast with in conjunction with spanning-tree bpduguard by default on all access ports (desktop machines).
  • We do not use switchport nonnegotiate at the moment on access port, but we are not getting any Vlan hopping attack bouncing across multitple Vlans.
  • Will give mac-address-table notification a go, and see if we can find any patterns.

"Since you're getting a large number of MAC flaps between switchports, it's hard to find where the offenders are (suppose you find two or three mac addresses that send lots of arps, but the source mac addresses keep flapping between ports)."

  • We started on this, picked any one MAC flaps and continued our way through all the core switch to distribution to access switch, but what we found was once again, the access port interface was hogging multiple mac address hence mac flaps; so back to square one.
  • Storm-control is something that we did consider, but we fear some off the legitimate packets will be dropped causing further issue.
  • Will triple check the VMHost configuration.
  • @ytti the unexplainable MAC addresses is behind many access ports rather then an individual. Haven't found any loops on these interfaces. The MAC addresses also exist on other interfaces, which would explain large number of MAC flaps
  • @RickyBeam i agree with why hosts are sending so many ARP requests; this is one of the puzzling issue. Rouge wireless bridge is an interesting one that i haven't given thought to, as far as we are aware, wireless is on different VLAN; but rogue will obviously mean it may well be on VLAN1.
  • @RickyBeam, i don't really wish to unplug everything as this will cause massive amount of downtime. However this is where it may just be heading. We do have Linux servers but not more then 3.
  • @RickyBeam, can you explain DHCP server "in-use" probing?

We (Cisco TAC, CCIEs, CCNP) globally agree that this is not a switch configuration but a host/device is causing the issue.


Source: (StackOverflow)

IPv6: How to start? (ISP perspective)

In our company we have a range of /21 (2048) IPv4 public addresses.

We have a bunch of Cisco routers and servers.

How to get started with IPv6? What can we do to provide internet to our clients with IPv6 compliment as well?


Source: (StackOverflow)

What is this item that came with my Cisco switch?

We just received a new Cisco Catalyst 2960, and in the box came an item we've never seen before. Interestingly enough, the documentation shows an image of the object, but it is not listed anywhere else in the guide (including the legend, which is numbered incorrectly)!

My buddies and I think it's some type of cable management device. Can anyone identify and elaborate as to its proper use?

Here is an image from the getting started guide (with the object circled):

enter image description here


Source: (StackOverflow)

64-bit Cisco VPN client (IPsec)?

Cisco VPN client (IPsec) does not support 64bit Windows.

Worse, Cisco does not even plan to release a 64-bit version, instead they say that
"For x64 (64-bit) Windows support, you must utilize Cisco's next-generation Cisco AnyConnect VPN Client."

But SSL VPN licences cost extra. For example, most new ASA firewalls come with plenty of IPSec VPN licences but only a few SSL VPN licences.

What alternatives do you have for 64-bit Windows? So far, I know two:

  1. 32-bit Cisco VPN Client on a virtual machine
  2. NCP Secure Entry Client on 64-bit Windows

Any other suggestions or experiences?


Source: (StackOverflow)

Are Cisco admins expected to understand classful networks?

While studying for the CCENT exam, my reference materials have made an alarming number of references to class A/B/C networks. Thankfully they just treat Class A/B/C as shorthand for /8, /16, and /24 CIDR subnets, and don't make any mention of an implicit subnet from the first nibble. Still, it throws me off to have "Class B" pop up in a question or explanation and have to remind myself at every step that there is an implied /16 mask in there.

Is this a convention that is still widely used despite being obsoleted over two decades ago? Am I going to just have to get used to this from my senior admins? And, perhaps most importantly, does Cisco expect its certified technicians/associates/experts to accept and use classful network terminology? (Ignore the last question if it violates Cisco's exam confidentiality policy.)

Update: After switching to a more authoritative reference/study guide, it became clear that Cisco expects knowledge of actual classful networks, insofar as the official study guide dedicates several chapters to them. This makes the question less about the A/B/C terminology and more about if/why admins are expected to know about classful networks.


Source: (StackOverflow)

Code to generate Cisco "secret" password hashes?

Does anyone have a pointer to code (or just the algorithm) that Cisco uses to generate their password hashes for things like "enable secret"?

I'm not trying to break into anything; I'm trying to generate the appropriate "enable secret" line given a clear text password, not decode an existing "enable secret" line with a hashed password. I need this for an automated config-file generator that I'm working on (Netomata Config Generator).

Basically, what I want is the Cisco equivalent of the "htpasswd" command used for web servers.

For example, when I put the following command with clear-text password into a Cisco config:

enable secret foobar

then when I do a 'show config' command (assuming I have "service password-encryption" enabled), what I see is something like this:

enable secret 5 $1$pdQG$0WzLBXV98voWIUEdIiLm11

I want code that translates "foobar" to "5 $1$pdQG$0WzLBXV98voWIUEdIiLm11", so that I can generate the already-hashed passwords in my config-generation tool, rather than putting cleartext passwords in the generated configs and waiting for the router to generate the hash.

I presume that the "5" in the hashed result is some sort of hash algorithm identifier. If there are other hash algorithms that Cisco currently or has historically used, then I'd like to have the code for those algorithms as well.


Source: (StackOverflow)

Blocking Facebook and Myspace by IP address

I'm having some trouble making a Cisco ASA device block certain social networking sites which have become time sinks in our office. This question is really in two parts:

  1. Is there a reliable way to retrieve all of the IP addresses for these sites?
    • It seems that Facebook's DNS servers respond with random IP addresses. A dig followed by an nslookup yield two different IP addresses for www.facebook.com.
  2. Is there a trick to letting me add host names to Cisco ASA through Adaptive Security Device Manager (ASDM).
    • I have found the URL filter, but that requires a third-party piece of software that I doubt I'll get funding for just to block these sites.

We're looking for a temporary solution until I can get Squid up and running, which may be as far out as six months (we need a network administrator, bad).


Source: (StackOverflow)

Why buy high end hardware firewalls?

There exist firewalls from Juniper and Cisco that cost more than a house.

So I wonder: what does one get from a $10.000+ firewall compared to an 2U server with 4x 10Gbit network cards running e.g. OpenBSD/FreeBSD/Linux?

The hardware firewalls probably have a web interface.

But what else does one get for a $10.000 or $100.000 firewall???


Source: (StackOverflow)

Cut network cables in Cisco 2960 PoE

We've a Cisco 2960e that services our VoIP phones and other things. I inherited it.

The question I have is the cut cables: there are about four network connectors that are cut about 1cm away from the end - making it nothing more than a physical connector. These connectors are paired with a working cable either on above or beneath.

I feel certain these connectors are some sort of flag; they can't be loop-backs as there is no cabling to do so (the connectors are cut and nothing else). There's no electrical connections: the only indicator the switch might realize is there is a physical presence in the jack - and I doubt that too.

The free ports are ominously quiet (of network traffic) as well: is this related? Are these connectors marking active ports?

UPDATE: I thought I was very clear; I don't know how I could have explained it any better. In any case, here's a picture:

Connections on Ethernet Switch


Source: (StackOverflow)

Native VLAN mismatch and missing VLAN?

I'm trying to wrap my head around what exactly is going on here with a new site's configuration of their networking stack. This particular piece I am working is pretty simple but I having a hard time figuring out what the original intention was. There is a Cisco Catalyst 3750x with three Port Channels (each with four interfaces a piece) going to three ESXi hosts. The Catalyst is connected to the rest of the network via a Meraki MS42 via a single interface (no Port Channel). VLAN 100 carries the networking traffic, the other VLANs are dedicated to things like vMotion or isolated networks. I think a large part of my difficulty here is I don't speak Cisco-ese.

The Setup

Network Stack


Port-Channel 1

interface Port-channel1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk

interface GigabitEthernet1/0/1
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/3
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on


Port-Channel 2 (I'm leaving out Port-Channel 3 since it is identical in configuration to Port-Channel 2)

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/6
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/7
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/8
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on


Uplink Ports

On the Catalyst:

interface GigabitEthernet1/0/24
 description Uplink
 switchport access vlan 100
 switchport trunk native vlan 2
!

On the Meraki:

Trunk port using native VLAN 1; allowed VLANs: all


The Question/s

  • The combination of switchport access and switch port trunk allowed makes the switchport access configuration a no-op, right? You cannot have a port in access mode and trunk mode unless I am mistaken. Can someone confirm this for me?
  • It is my understanding that once you add a port to Port Channel all of the VLAN an STP configuration is done per Port Channel and not per port. If I create a Port Channel out of Fa 1/10 and Fa 1/11, I configure them as trunks using their assigned Port Channel and not their individual ports (at least this is what I do with ProCurves). Is this correct?
  • If the last item is correct that means all of the per-port configuration of Port Channel members is either a no-op or was done prior to that port being made a Port Channel member. Is this a reasonable assumption?
  • How the heck does the traffic from VLAN 100 get across the uplink (I can reach the VMs hosted on the ESXi hosts)? VLAN 100 disappears once it hits the Meraki and the native VLAN tags are different. Things are working but I can't help but feel something is weird with this setup and it would be preferable to push VLAN 100 all the way through to the rest of stack. To make things even stranger VLAN 2 terminates at Port 41 on the Meraki as well, everything else is set to Native VLAN 1.

Moving forward I am inclined to abandon VLAN 100 or reconfigure the rest of our stack so that the subnet that rides on VLAN 100 doesn't use multiple VLANs (100 and 1) and resolve the Native VLAN tag mismatch on the uplink (Port 41 -- Gi 1/0/24). Thoughts on this plan?


Source: (StackOverflow)

Why is my router CPU at 40% when no processes use more than 2%?

I have a problem, I have a Cisco 1841 running Cisco IOS 15, and I get strange behavior. The CPU usage is shown as 40%, but there is no processes that is using this much CPU power.

Here is an example:

lev1841#show processes cpu sorted 
CPU utilization for five seconds: 41%/39%; one minute: 42%; five minutes: 32%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process 
  96          88      147299          0  1.11%  1.04%  0.92%   0 Ethernet Msec Ti 
 117          40       36582          1  0.15%  0.19%  0.17%   0 IPAM Manager     
 240          28       36535          0  0.15%  0.14%  0.12%   0 MMON MENG        
   2          92         236        389  0.07%  0.04%  0.03%   0 Load Meter       
 183          24        1775         13  0.07%  0.02%  0.00%   0 CEF: IPv4 proces 
 140           8        4661          1  0.07%  0.02%  0.00%   0 SSS Feature Time 
 121        2236        1958       1141  0.07%  0.19%  0.17%   0 IP Input         
 176           4        1172          3  0.07%  0.00%  0.00%   0 RUDPV1 Main Proc 
 212           4        2287          1  0.07%  0.00%  0.00%   0 CCE DP URLF cach 
  95           8        6733          1  0.07%  0.03%  0.02%   0 Ethernet Timer C 

lev1841#show processes cpu history 

lev1841   04:11:07 PM Saturday Jan 14 2012 UTC




      444444444444444444444444444444444444444444444444444444444444
      333111111111111111111111111122222111111111111111111111111133
  100                                                             
   90                                                             
   80                                                             
   70                                                             
   60                                                             
   50                                                             
   40 ************************************************************
   30 ************************************************************
   20 ************************************************************
   10 ************************************************************
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)

lev1841# show processes cpu extended 
################################################################################
Global Statistics
-----------------
5 sec CPU util 41%/39% Timestamp 00:22:52
Queue Statistics
----------------
          Exec Count  Total CPU    Response Time           Queue Length
                                    (avg/max)                (avg/max)
Critical           1          0          0/0                   1/1         
High             683          0          0/0                   1/2         
Normal           462          8          0/4                   1/7         
Low               14          0          0/0                   1/2         
Common Process Information
-------------------------------
 PID Name            Prio Style
-------------------------------
  95 Ethernet Timer C H  New
  96 Ethernet Msec Ti H  New

CPU Intensive processes
-------------------------------------------------------------------------------
 PID Total       Exec    Quant         Burst  Burst size  Schedcall  Schedcall 
     CPUms      Count   avg/max        Count avg/max(ms)      Count Per avg/max
-------------------------------------------------------------------------------

Priority Suspends
------------------------------------
 PID Exec Count Prio-Susps
------------------------------------
  95         38         19
  96        644         19

Latencies
-------------------------
 PID Exec Count   Latency
                  avg/max
-------------------------
################################################################################

I can't find what is causing all this CPU load.

Can you help me ?

Here is some information on the router :

Cisco 1841 (revision 6.0) with 358400K/34816K bytes of memory.
System image file is "flash:c1841-adventerprisek9-mz.151-4.M1.bin"

The system has just been updated to IOS 15.4M1 from IOS 13.

Thank you.


Source: (StackOverflow)

Cisco BGP Unequal Cost Load Balancing

I'm trying to implement BGP Unequal Cost Load Balancing feature in my network. According to cisco manuals (long: http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fsbgplb.html, short: https://ccieblog.co.uk/bgp/bgp-unequal-load-cost-sharing) I have built such net topology:

net topology

R1 - router where I'm trying to implement load balancing for outgoing traffic. VRF table with name nat is used.

R2-R4 - NAT servers running quagga, with default route to R5 shared with R1 over eBGP.

R1 configuration

R1 IOS version: 12.2(33)SXJ4 (s72033-adventerprisek9_wan-mz.122-33.SXJ4.bin)

R2 configuration (R3 R4 only router-id and vlan differs)

In result I have 3 different default routes on R1 with same share count - 1/1 (1:1:1). But proportion 1:2:3 expexted:

R1# sh ip bgp vpnv4 vrf nat 0.0.0.0

Paths: (6 available, best #5, table nat)
Multipath: eiBGP
  Advertised to update-groups:
     2         
  65000
    10.30.227.227 from 10.30.227.227 (10.30.227.227)
      Origin IGP, localpref 100, valid, external, multipath
      Extended Community: RT:192.168.33.4:13
      DMZ-Link Bw 250 kbytes
  65000, (received-only)
    10.30.227.227 from 10.30.227.227 (10.30.227.227)
      Origin IGP, localpref 100, valid, external
      DMZ-Link Bw 250 kbytes
  65000
    10.30.228.228 from 10.30.228.228 (10.30.228.228)
      Origin IGP, localpref 100, valid, external, multipath
      Extended Community: RT:192.168.33.4:13
      DMZ-Link Bw 375 kbytes
  65000, (received-only)
    10.30.228.228 from 10.30.228.228 (10.30.228.228)
      Origin IGP, localpref 100, valid, external
      DMZ-Link Bw 375 kbytes
  65000
    10.30.225.225 from 10.30.225.225 (10.30.225.225)
      Origin IGP, localpref 100, valid, external, multipath, best
      Extended Community: RT:192.168.33.4:13
      DMZ-Link Bw 125 kbytes
  65000, (received-only)
    10.30.225.225 from 10.30.225.225 (10.30.225.225)
      Origin IGP, localpref 100, valid, external
      DMZ-Link Bw 125 kbytes

R1# sh ip cef vrf nat 0.0.0.0/0 internal

0.0.0.0/0, epoch 3, flags rib only nolabel, rib defined all labels, RIB[B], refcount 7, per-destination sharing
  sources: RIB, D/N, DRH
  feature space:
   NetFlow: Origin AS 0, Peer AS 0, Mask Bits 0
   Broker: linked
   IPRM: 0x00018000
  subblocks:
   DefNet source: 0.0.0.0/0
  ifnums:
   Vlan3225(231): 10.30.225.225
   Vlan3227(232): 10.30.227.227
   Vlan3228(233): 10.30.228.228
  path 541B7858, path list 53E3E0D8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 10.30.225.225[IPv4:nat], fib 5496C804, 1 terminal fib
    path 541B7BF8, path list 53E3E170, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan3225, adjacency IP adj out of Vlan3225, addr 10.30.225.225 513F6B60
  path 541B78CC, path list 53E3E0D8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 10.30.227.227[IPv4:nat], fib 54969B7C, 1 terminal fib
    path 541B7B10, path list 53E3E08C, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan3227, adjacency IP adj out of Vlan3227, addr 10.30.227.227 513F66E0
  path 541B7DC8, path list 53E3E0D8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 10.30.228.228[IPv4:nat], fib 54970EAC, 1 terminal fib
    path 541B79B4, path list 53E3E040, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan3228, adjacency IP adj out of Vlan3228, addr 10.30.228.228 513F6560
  output chain:
    loadinfo 51283B80, per-session, 3 choices, flags 0003, 5 locks
    flags: Per-session, for-rx-IPv4
    15 hash buckets
      < 0 > IP adj out of Vlan3225, addr 10.30.225.225 513F6B60
      < 1 > IP adj out of Vlan3227, addr 10.30.227.227 513F66E0
      < 2 > IP adj out of Vlan3228, addr 10.30.228.228 513F6560
      < 3 > IP adj out of Vlan3225, addr 10.30.225.225 513F6B60
      < 4 > IP adj out of Vlan3227, addr 10.30.227.227 513F66E0
      < 5 > IP adj out of Vlan3228, addr 10.30.228.228 513F6560
      < 6 > IP adj out of Vlan3225, addr 10.30.225.225 513F6B60
      < 7 > IP adj out of Vlan3227, addr 10.30.227.227 513F66E0
      < 8 > IP adj out of Vlan3228, addr 10.30.228.228 513F6560
      < 9 > IP adj out of Vlan3225, addr 10.30.225.225 513F6B60
      <10 > IP adj out of Vlan3227, addr 10.30.227.227 513F66E0
      <11 > IP adj out of Vlan3228, addr 10.30.228.228 513F6560
      <12 > IP adj out of Vlan3225, addr 10.30.225.225 513F6B60
      <13 > IP adj out of Vlan3227, addr 10.30.227.227 513F66E0
      <14 > IP adj out of Vlan3228, addr 10.30.228.228 513F6560
    Subblocks:
     None

What am I doing wrong? According to manuals, different dmzlink bw values should cause different load sharing proportion, but in fact - it does not!


UPDATE 1 -- requested by user bangal

R1# show ip bgp all summary

For address family: IPv4 Unicast
BGP router identifier X.X.X.129, local AS number 41096
BGP table version is 22283352, main routing table version 22283352
34749 network entries using 4065633 bytes of memory
61661 path entries using 3206372 bytes of memory
8119/5337 BGP path/bestpath attribute entries using 1299040 bytes of memory
3752 BGP AS-PATH entries using 155474 bytes of memory
2990 BGP community entries using 138266 bytes of memory
146 BGP extended community entries using 5168 bytes of memory
53 BGP route-map cache entries using 1696 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 8871649 total bytes of memory
BGP activity 4716897/4682147 prefixes, 11331539/11269872 paths, scan interval 60 secs

# Here are bgp neighbours from global routing table. Not relevant to the question. IP addresses are hidden 

Neighbor     V       AS    MsgRcvd   MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
X.X.X.1      4       XX219    791704  760380 22283352    0    0 6d17h           1
X.X.X.33     4       XX219 112902498 1315655 22283352    0    0 6d17h           0
X.X.X.238    4       XX772    801422  762830 22283352    0    0 2w5d            0
X.X.X.206    4       XX540   2886112 1313917 22283352    0    0 4w4d         9641
X.X.X.70     4       XX772 188343075 1313853 22283352    0    0 6d14h       25881
X.X.X.78     4       XX772 148265282  941127 22283352    0    0 2w6d        26098

# Here are neighbours for vrf nat.

For address family: VPNv4 Unicast
BGP router identifier X.X.X.129, local AS number 41096
BGP table version is 824, main routing table version 824
1 network entries using 137 bytes of memory
6 path entries using 408 bytes of memory
1 multipath network entries and 3 multipath paths
8119/1 BGP path/bestpath attribute entries using 1299040 bytes of memory
3752 BGP AS-PATH entries using 155474 bytes of memory
2990 BGP community entries using 138266 bytes of memory
146 BGP extended community entries using 5168 bytes of memory
53 BGP route-map cache entries using 1696 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1600189 total bytes of memory
3 received paths for inbound soft reconfiguration
BGP activity 4716897/4682147 prefixes, 11331539/11269872 paths, scan interval 15 secs

Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.30.225.225   4       65000   11003   11443      824    0    0 3d18h           1
10.30.227.227   4       65000    9853   10293      824    0    0 3d18h           1
10.30.228.228   4       65000   10992   11432      824    0    0 3d18h           1

R1# sh ip route vrf nat

Routing Table: nat
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.30.228.228 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 4 subnets
C       10.30.0.0 is directly connected, Vlan30
C       10.30.228.0 is directly connected, Vlan3228
C       10.30.227.0 is directly connected, Vlan3227
C       10.30.225.0 is directly connected, Vlan3225
B*   0.0.0.0/0 [20/0] via 10.30.228.228, 3d18h
               [20/0] via 10.30.227.227, 3d18h
               [20/0] via 10.30.225.225, 3d18h

R1# sh ip bgp vpnv4 vrf nat neighbors

R1 sh ip bgp neighbours output

R1# sh run

R1 running config sensitive information is masked


Source: (StackOverflow)

Cisco ASA Site-to-Site VPN Dropping

I have three sites, Toronto (1.1.1.1), Mississauga (2.2.2.2) and San Francisco (3.3.3.3). All three sites have ASA 5520. All the sites are connected together with two site-to-site VPN links between each other location.

My issue is that the tunnel between Toronto and San Francisco is very unstable, dropping every 40 min to 60 mins. The tunnel between Toronto and Mississauga (which is configured in the same manner) is fine with no drops.

I also noticed that my pings with drop but the ASA thinks that the tunnel is still up and running.

Here is the configuration of the tunnel.

Toronto (1.1.1.1)

crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 3.3.3.3 
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256

group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

San Francisco (3.3.3.3)

crypto map Outside_map0 2 match address Outside_cryptomap_1
crypto map Outside_map0 2 set peer 1.1.1.1 
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256

group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

I'm at a loss. Any ideas?

Update:

# show crypto isakmp sa

 IKEv1 SAs:

    Active SA: 2
     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
 Total IKE SA: 2

 1   IKE Peer: 3.3.3.3
     Type    : L2L             Role    : initiator 
     Rekey   : no              State   : MM_ACTIVE 
 2   IKE Peer: 2.2.2.2
     Type    : L2L             Role    : responder 
     Rekey   : no              State   : MM_ACTIVE 

 There are no IKEv2 SAs



 # show crypto ipsec sa
 interface: Outside
     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
       current_peer: 74.200.4.148

       #pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
       #pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: EFADD3D6
       current inbound spi : 756AB014

     inbound esp sas:
       spi: 0x756AB014 (1969926164)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4372005/17024)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0xEFADD3D6 (4021146582)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4369303/17024)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2

       #pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
       #pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: D2002A5B
       current inbound spi : 2E1F7B20

     inbound esp sas:
       spi: 0x2E1F7B20 (773815072)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (3224936/17000)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0xD2002A5B (3523226203)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (2120164/17000)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2

       #pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
       #pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: 45B5CECD
       current inbound spi : 862EB1DB

     inbound esp sas:
       spi: 0x862EB1DB (2251207131)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4318958/16999)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0x45B5CECD (1169542861)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4360717/16999)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1

       access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
       current_peer: 3.3.3.3

       #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
       #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: 6B0981E6
       current inbound spi : 2F85EB3C

     inbound esp sas:
       spi: 0x2F85EB3C (797305660)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1245184, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (3944948/12647)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0x6B0981E6 (1795785190)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1245184, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (364451/12647)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

Source: (StackOverflow)

Cisco and Linux and Vlans

I appear to have some fundamental misunderstanding of how VLANs work on Linux, and I'm hoping the good people here can educate me.

Cast: One Cisco 3560, one VLAN, and one Linux box [1].

Cisco  ---------------  Linux
    ge0/1           eth0

The Cisco has a Vlan 37 interface, with IP address 10.40.37.252/24. I want to place 10.40.37.1/24 on the Linux box.

When the Cisco de-encapsulates vlan 37, everything works fine [2]:

# Cisco 
interface Vlan37
    ip address 10.40.37.252/24

interface GigabitEthernet 0/1
    switchport mode access
    switchport access vlan 37

# Linux
ip link set eth0 up
ip addr add 10.40.37.1/24 dev eth0

$ ping 10.40.37.252 && echo It works

However, when I set the port to trunking and assign vlan 37 on the Linux side, it stops working:

# Cisco
interface GigabitEthernet 0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    ! [3] [4] [7]

# Linux
vconfig add eth0 37
ip link set eth0.37 up
ifconfig eth0 0.0.0.0 up # ensure no address
ip addr add 10.40.37.1/24 dev eth0.37

$ ping 10.40.37.252 || echo Why does this not work

What am I missing here?

Edit: Solutions:

Shane's question about the mac address table led me to a solution: Use "ip addr" to set different unique L2 (MAC) addresses on each of the VLAN sub-interfaces, and it suddenly works.

Another possible solution that I didn't try (because my hardware is too old) is using "ethtool" to disable VLAN offloading by the NIC itself, and forcing the kernel to deal with the tags.

Thank you Shane!

Edit: More info as per comments:

The overall goal is to have three vlans (public, private, oam&p) terminating on three individual IP addresses on the linux box, with different applications binding to the local addresses. I can expand further if necessary, but I'm trying to keep the problem description and discussion simple, since before I can have three vlans working, I kind of need one to be working. :)

Antoine --> ifup versus ifconfig makes no difference.

Pepoluan --> I'm assuming this is what you were looking for. Note the lack of references by phy drivers is apparently normal. [5]

$ lsmod | grep 802
    8021q   25545 1 cxgb3

Handyman -->

$ ifconfig eth0
    eth0  Link encap: Ethernet HWaddr 00:17:08:92:87:22
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 [...]
    TX packets:31932 errors:0 dropped:0 overruns:0 carrier:0 

$ ifconfig eth0.37
    eth0.37 Link encap: Ethernet HWaddr 00:17:08:92:87:22
    UP BROADCAST RUNNING MULTICAST MUT:1500 Metric:1
    RX packets: 0 [...]
    TX packets:32024 errors:90 dropped:0 overruns:0 carrier:0

$ cat /proc/net/vlan/config
    VLAN Dev Name | VLAN ID
    Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
    eth0.37 | 37 | eth0

Chuck --> wireshark and/or tcpdump do not show the tags, but this is apparently a normal limitation on Linux, due to the processing order of vlan handling and pcap in the kernel [6]. Also, the untagged VLAN is set to 1 [7].

[1] I've tried this with both CentOS 5.5 and Ubuntu 11.04, and both have the same issue.

[2] Note the configs are not a cut&paste, so any typos here are simply my bad memory.

[3] "nonegotiate" on or off has no effect on the problem.

[4] Vlan 37 is shown as active & non-pruned on the link, so "allowed" is not the problem.

[5] serverfault: Enabling 8021q on a nic

[6] http://wiki.wireshark.org/CaptureSetup/VLAN#Linux

[7] The native (untagged) VLAN is 1. Manually setting it with "switchport trunk native vlan 1" has no effect.


Source: (StackOverflow)