Sunday 31 July 2016

r>i in BGP Routes



Basically this happens when a route to the same prefix with a lower administrative distance (AD) is already present in the routing table (for example EIGRP, AD 90, or OSPF, AD 110). The BGP route cannot be inserted into the routing table because the EIGRP or OSPF route is preferred.


If you run "sh ip bgp rib-failure" on the router, it gives the exact reason why the route was not installed in the routing table.


ASA5515 WITH FIREPOWER - Red Color Alarm

Refer to the following document to find the exact reason:

http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_overview.html#87733

Console access, or any other management access, will help you find the actual cause.

Saturday 30 July 2016

EtherChannel - One interface is getting utilized more than the other



If you see one or more interfaces in a port-channel being utilized more than the others, you may need to look into the EtherChannel load-balancing algorithm.

On Catalyst switches, "source mac" is the default method used for load balancing.

You can refer to the Cisco article below and change the load-balance method based on your needs:

http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html

You can verify the current method with the command below:

#show etherchannel load-balance

If you want to change it, note that this is a global command and affects all channels:

config#port-channel load-balance <new method>
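To see why the choice of method matters, here is an added example (not from the original post) that models how a port-channel picks a member link per flow. It assumes a simplified hash (XOR of the low-order bits of the selected fields); the real Catalyst hash is platform-specific, but the effect shown, that a single source MAC pins every flow to one link, is the same.

```python
# Added example: simplified model of EtherChannel member selection.
# ASSUMPTION: hash = XOR of low-order bits of the chosen fields (not the
# exact Catalyst algorithm, which differs per platform).
from collections import Counter
import ipaddress

def _low_bits(value: int, num_links: int) -> int:
    """Keep only enough low-order bits to index num_links members."""
    bits = max(1, (num_links - 1).bit_length())
    return value & ((1 << bits) - 1)

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))

def select_link(flow, method: str, num_links: int) -> int:
    """flow = (src_mac, dst_mac, src_ip, dst_ip); returns the member index."""
    src_mac, dst_mac, src_ip, dst_ip = flow
    fields = {
        "src-mac": [_mac_int(src_mac)],
        "dst-mac": [_mac_int(dst_mac)],
        "src-dst-mac": [_mac_int(src_mac), _mac_int(dst_mac)],
        "src-ip": [_ip_int(src_ip)],
        "dst-ip": [_ip_int(dst_ip)],
        "src-dst-ip": [_ip_int(src_ip), _ip_int(dst_ip)],
    }[method]
    h = 0
    for f in fields:
        h ^= _low_bits(f, num_links)
    return h % num_links

def distribution(flows, method: str, num_links: int = 4) -> Counter:
    """Count how many flows land on each member link."""
    return Counter(select_link(f, method, num_links) for f in flows)

# Constructed sample: one server (single source MAC and IP) replying to
# eight clients; documentation address ranges are used.
SERVER_MAC, SERVER_IP = "00:00:5e:00:53:01", "192.0.2.10"
FLOWS = [
    (SERVER_MAC, f"00:00:5e:00:53:{0x10 + i:02x}", SERVER_IP, f"198.51.100.{i}")
    for i in range(1, 9)
]

if __name__ == "__main__":
    for method in ("src-mac", "src-dst-mac", "src-dst-ip"):
        print(method, dict(distribution(FLOWS, method)))
```

With "src-mac" all eight flows land on one member; with "src-dst-ip" they spread over all four.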

How to do Packet Capture on an F5 box

An F5 is basically a Linux machine, so the standard tcpdump utility can be used for packet capture.

The commands below will help:

tcpdump -i <interface>
tcpdump -i <Vlan Name>
Use -w to write the capture to a file:
tcpdump -i <interface> -w <location>
To filter based on host:
tcpdump host <IP address>

What is Delta Time in Wireshark

If you sort the packets in order, delta time is the difference between the timestamp of a frame and the timestamp of the previous frame.

A higher delta time means a higher delay. Visit the Wireshark website to find out how to display delta time.
This is useful while analyzing captures, especially if the captures include timeout intervals.

Capture traffic from Cisco ASA command line

Commands

ASA#capture <capname> interface <interface> match ip <source> <destination>

ASA#capture captureinside interface inside match ip host 192.168.1.1 host 192.168.2.1

View the capture with the following command:

ASA#show capture <capname>

If you want to open it in Wireshark or need it as a file, browse to

https://<ip address of asa>/capture/<capname>/pcap and it will be downloaded to the local machine.

What is BGP Route Reflector

A route reflector is used to break the iBGP loop-avoidance rule. Route reflectors are BGP routers that can advertise updates received from one iBGP peer to another iBGP peer (under certain conditions). This removes the full-mesh requirement for iBGP peers.
But the question is how this can be achieved while still preventing loops.
iBGP routers are divided into route reflectors (RR), RR clients and non-client peers. Routes received from an RR client are reflected to other clients and to non-client neighbors. Routes received from non-client neighbors are reflected to RR clients only, not to other non-clients. The RR also sets the originator-ID and cluster ID in the reflected update.
Loop Prevention
If a router receives an iBGP route whose originator-ID or cluster ID is the same as its own, that route is discarded.
The full-mesh requirement of iBGP can be met in a simple setup, but as the network grows it becomes difficult. It is also advisable to build redundancy for route reflectors, since a failed RR can affect all routes.
An RR must peer with many iBGP routers in order to reflect routes, but it still saves us from building a complete mesh.
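The reflection rules and the originator-ID / cluster-ID loop check above, as an added example (not from the original post). It assumes peers are identified by router-ID strings; eBGP peers and the rest of best-path selection are left out.

```python
# Added example: model of route-reflector forwarding rules and loop prevention.
# ASSUMPTION: peers are named by router-ID strings; only iBGP is modelled.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Update:
    prefix: str
    originator_id: Optional[str] = None     # set by the first RR that reflects it
    cluster_list: List[str] = field(default_factory=list)

@dataclass
class RouteReflector:
    router_id: str
    cluster_id: str
    clients: Set[str]
    non_clients: Set[str]

    def accept(self, upd: Update) -> bool:
        """Loop prevention: drop an update carrying our own originator or cluster ID."""
        if upd.originator_id == self.router_id:
            return False
        if self.cluster_id in upd.cluster_list:
            return False
        return True

    def reflect(self, from_peer: str, upd: Update) -> Dict[str, Update]:
        """Return {peer: update} for every iBGP peer the update is reflected to."""
        if not self.accept(upd):
            return {}
        if from_peer in self.clients:
            # From a client: to all other clients and to all non-clients.
            targets = (self.clients | self.non_clients) - {from_peer}
        elif from_peer in self.non_clients:
            # From a non-client: to clients only, never to other non-clients.
            targets = set(self.clients)
        else:
            return {}
        reflected = Update(
            prefix=upd.prefix,
            originator_id=upd.originator_id or from_peer,
            cluster_list=[self.cluster_id] + upd.cluster_list,
        )
        return {peer: reflected for peer in targets}

# Constructed sample topology: one RR with two clients and one non-client.
RR = RouteReflector("10.0.0.1", "10.0.0.1", clients={"10.0.0.2", "10.0.0.3"},
                    non_clients={"10.0.0.4"})
```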

Pinging Another Interface other than the connected interface -Cisco ASA

On a Cisco ASA, we cannot ping an interface other than the one we are connected through.

For example, we would not be able to ping the dmz interface from the inside, and vice versa.

This is disabled by design, and we cannot change that behaviour.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic0

BGP Multipath Load-balancing

BGP multipath load balancing needs to be configured manually, whereas other protocols do it automatically.

Also, the routes must match on several criteria, including weight, local preference, AS path, origin code, MED, and IGP metric.

Here is the command:

Router(config)#router bgp <As no> 
Router(config-router)#maximum-paths <no>


Verify the new routing table with the sh ip route command.

If the AS numbers in the paths differ, apply the command below as well (under the router bgp configuration):

Router(config-router)#bgp bestpath as-path multipath-relax
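Which paths qualify once maximum-paths is set, and what multipath-relax changes, as an added example (not from the original post). It assumes a simplified best-path order (weight, local preference, AS-path length, origin, MED, IGP metric) and three constructed eBGP paths.

```python
# Added example: BGP multipath candidate selection.
# ASSUMPTION: best-path order simplified to weight, local-pref, AS-path
# length, origin, MED, IGP metric.
from dataclasses import dataclass
from typing import List, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP preferred over EGP over incomplete

@dataclass(frozen=True)
class Path:
    next_hop: str
    weight: int
    local_pref: int
    as_path: Tuple[int, ...]
    origin: str
    med: int
    igp_metric: int

def best_path(paths: List[Path]) -> Path:
    return min(paths, key=lambda p: (-p.weight, -p.local_pref, len(p.as_path),
                                     ORIGIN_RANK[p.origin], p.med, p.igp_metric))

def multipath(paths: List[Path], maximum_paths: int = 1,
              multipath_relax: bool = False) -> List[Path]:
    """Best path first, then paths whose attributes match it, up to maximum_paths."""
    best = best_path(paths)

    def matches(p: Path) -> bool:
        # Without relax the AS path must be identical; with relax only its
        # length must match. The other criteria stay strict either way.
        same_as_path = (len(p.as_path) == len(best.as_path) if multipath_relax
                        else p.as_path == best.as_path)
        return (p.weight == best.weight and p.local_pref == best.local_pref
                and same_as_path and p.origin == best.origin
                and p.med == best.med and p.igp_metric == best.igp_metric)

    extra = [p for p in paths if p is not best and matches(p)]
    return ([best] + extra)[:maximum_paths]

# Constructed sample: A and B differ only in next hop; C enters via another AS.
PATHS = [
    Path("192.0.2.1", 0, 100, (65001, 65002), "i", 0, 0),
    Path("192.0.2.2", 0, 100, (65001, 65002), "i", 0, 0),
    Path("192.0.2.3", 0, 100, (65003, 65002), "i", 0, 0),
]

def next_hops(paths: List[Path]) -> List[str]:
    return [p.next_hop for p in paths]
```

With maximum-paths 3 only A and B are installed; adding multipath-relax also admits C, whose AS path has the same length but a different neighbor AS.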


Friday 29 July 2016

SSL Handshake- Messages

1. Client Hello - Client sends Client Hello with supported SSL options
2. Server Hello - Server sends Server Hello with selected SSL options
3. Certificate - Server sends its certificate chain to the client
4. Done - Server completes its part of the negotiation
5. ClientKeyExchange - Client sends the encrypted session key to be used
6. ChangeCipherSpec - Client initializes all negotiated options for all future messages
7. Done - Client informs the server to verify the negotiated options
8. ChangeCipherSpec - Server initializes all negotiated options for all future messages
9. Application data

ip bgp-community new-format

By default, community numbers are shown as large decimal numbers.

We can change this to the human-readable ASN:VALUE format by applying the
"ip bgp-community new-format" command globally on the router.
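The conversion behind that display format, as an added example (not from the original post): ASN:VALUE is simply the high and low 16 bits of the 32-bit community. The well-known values from RFC 1997 are named the way IOS prints them.

```python
# Added example: convert between the raw 32-bit community and ASN:VALUE.
# Well-known RFC 1997 values shown with their IOS display names.
WELL_KNOWN = {0xFFFFFF01: "no-export", 0xFFFFFF02: "no-advertise",
              0xFFFFFF03: "local-AS"}

def to_new_format(value: int) -> str:
    """Raw community number -> 'ASN:VALUE' (or a well-known name)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("community must fit in 32 bits")
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    return f"{value >> 16}:{value & 0xFFFF}"

def to_old_format(text: str) -> int:
    """'ASN:VALUE' (or a well-known name) -> raw community number."""
    for num, name in WELL_KNOWN.items():
        if text == name:
            return num
    asn, val = (int(x) for x in text.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= val <= 0xFFFF):
        raise ValueError("ASN and VALUE must each fit in 16 bits")
    return (asn << 16) | val
```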

Thursday 28 July 2016

ASDM Real-Time Log Viewer not showing log messages

Make sure the following commands are enabled:

logging enable
logging asdm informational

If you are seeing some messages but others are not showing:

Check with
# sh run | i log
to see whether any syslog messages have been disabled.
E.g.:
ASA(config)#no logging message 304001
ASA(config)#no logging message 304002
ASA(config)#no logging message 304003
ASA(config)#no logging message 304004
ASA(config)#no logging message 304005

Note: check CPU usage after enabling logging. Logging to multiple syslog destinations can cause high CPU.
Also check why a message was disabled before re-enabling it.