Prefix List filtering and Local Pref at bottom:
- Route matching system better than ACLs: improved processor utilization, better subnet mask matching.
- A TWO-stage match: match the network first, then match the mask.
example:
ip prefix-list NEWLIST permit 172.30.0.0/16 le 20
(Network) (mask)
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 24 == exactly /24.
ip prefix-list NEWLIST permit 172.30.0.0/16 ge 24 le 30 == subnet mask between /24 and /30.
ip prefix-list NEWLIST permit 0.0.0.0/0 === This does NOT match everything. It matches ONLY exactly that route: the default route.
ip prefix-list NEWLIST permit 0.0.0.0/0 le 32 === This matches all. Permit any.
ip prefix-list NEWLIST permit 0.0.0.0/0 ge 32 === This matches only host routes, all /32s.
ip prefix-list NEWLIST permit 0.0.0.0/1 ge 24 le 24 === Any class A address with a /24 subnet mask. The /1 checks only the first bit of the network section, which is 0 (0-------).
class A: 0-127 (bit 0----)
class B: 128-192 (bit 10---)
class C: 192-223 (bit 110--)
ip prefix-list NEWLIST-PF permit 128.0.0.0/2 ge 16 === Any class B network with a mask of /16 or longer (ge 16 with no le means /16 up to /32).
128 = 10000000 = class B (first two bits 10).
Example:
conf t
router bgp 500
neighbor 1.1.1.1 prefix-list NEWLIST in === routes coming in from this neighbor are filtered.
show ip prefix-list
clear ip bgp 1.1.1.1
example 2:
route-map SET-LP permit 10
 match ip address prefix-list NEWLIST-PF
 set local-preference 9000
route-map SET-LP permit 20 ==== THIS NEEDS TO BE IN to permit everything else at the end; otherwise routes that do not match this route-map are filtered (implicit deny).
neighbor 1.1.1.1 route-map SET-LP in == as routes come in from the neighbor, change the Local Preference.
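The two-stage rule above, worked through in code. This is an added example and not part of the original notes: a small Python model of IOS prefix-list evaluation (network check first, then the ge/le mask-length check, first match wins, implicit deny at the end), run against the entries listed above with constructed routes. The names parse_entry, evaluate and PrefixListEntry are this example's own.

```python
"""Model of IOS two-stage prefix-list matching (example code, not from the notes)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixListEntry:
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network   # the network/length written in the entry
    ge: Optional[int] = None        # minimum mask length, if given
    le: Optional[int] = None        # maximum mask length, if given

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # Stage 1 (network): the route must lie inside the entry's prefix, i.e. its
        # first prefix.prefixlen bits must be identical to the entry's.
        if route.prefixlen < self.prefix.prefixlen:
            return False
        if route.network_address not in self.prefix:
            return False
        # Stage 2 (mask): with neither ge nor le the length must match exactly;
        # ge alone allows ge..32, le alone allows prefixlen..le.
        lower = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            upper = self.le
        elif self.ge is not None:
            upper = 32
        else:
            upper = self.prefix.prefixlen
        return lower <= route.prefixlen <= upper


def parse_entry(line: str) -> PrefixListEntry:
    """Parse 'ip prefix-list NAME [seq N] permit|deny A.B.C.D/L [ge N] [le N]'."""
    tokens = line.split()
    if tokens[:2] != ["ip", "prefix-list"]:
        raise ValueError("not a prefix-list line: " + line)
    i = 3                                   # tokens[2] is the list name
    if tokens[i] == "seq":
        i += 2
    action = tokens[i]
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny: " + line)
    prefix = ipaddress.IPv4Network(tokens[i + 1], strict=False)
    ge = le = None
    rest = tokens[i + 2:]
    while rest:
        key, value, rest = rest[0], int(rest[1]), rest[2:]
        if key == "ge":
            ge = value
        elif key == "le":
            le = value
        else:
            raise ValueError("unknown keyword " + key)
    # IOS only accepts an entry when prefixlen <= ge <= le <= 32.
    low = ge if ge is not None else prefix.prefixlen
    high = le if le is not None else 32
    if not prefix.prefixlen <= low <= high <= 32:
        raise ValueError("invalid ge/le for " + line)
    return PrefixListEntry(action, prefix, ge, le)


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """First matching entry wins; a route that matches nothing hits the implicit deny."""
    net = ipaddress.IPv4Network(route, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


if __name__ == "__main__":
    # Constructed routes, tested one entry at a time against the entries from the notes.
    cases = [
        ("ip prefix-list NEWLIST permit 172.30.0.0/16 le 20",
         ["172.30.0.0/16", "172.30.16.0/20", "172.30.1.0/24", "172.31.0.0/16"]),
        ("ip prefix-list NEWLIST permit 0.0.0.0/0", ["0.0.0.0/0", "10.0.0.0/8"]),
        ("ip prefix-list NEWLIST permit 0.0.0.0/0 le 32", ["10.0.0.0/8", "10.1.1.1/32"]),
        ("ip prefix-list NEWLIST permit 0.0.0.0/0 ge 32", ["10.1.1.0/24", "10.1.1.1/32"]),
        ("ip prefix-list NEWLIST permit 0.0.0.0/1 ge 24 le 24",
         ["10.1.2.0/24", "10.1.0.0/16", "128.1.2.0/24"]),
        ("ip prefix-list NEWLIST-PF permit 128.0.0.0/2 ge 16",
         ["172.16.0.0/16", "172.16.1.0/24", "128.0.0.0/8", "10.0.0.0/16"]),
    ]
    for line, routes in cases:
        entry = parse_entry(line)
        print(line)
        for r in routes:
            print("   ", r.ljust(16), evaluate([entry], r))
```

Running it shows the point of the notes directly: the bare 0.0.0.0/0 entry permits only the default route, 0.0.0.0/0 le 32 permits everything, and 128.0.0.0/2 ge 16 also permits a /24 inside a class B network, not just the /16.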
9/24/2015
BGP AS Path Access-list / filtering
permit .....
deny ....
permit ....
permit .* === permit all at the end.
Example 1:
conf t
ip as-path access-list 1 deny ^300_ -- matches paths whose most recent AS (the neighbor) is 300; _300_ would instead match 300 anywhere in the path. Deny.
ip as-path access-list 1 permit .* === need this, else there is an implicit deny all.
route-map FILTER_300 permit 10
 match as-path 1 === for an "or" of lists 1 2 3 4: match as-path 1 2 3 4.
router bgp 500
 neighbor 1.1.1.1 route-map FILTER_300 out
Example 2:
Match as-path 500 and set weight 1000, so routes from that neighbor are preferred.
ip as-path access-list 10 permit _500_
route-map INFLUENCE permit 10
 match as-path 10
 set weight 1000
router bgp 200
 neighbor 199.9.9.2 route-map INFLUENCE in == Routes from that neighbor pass through the route-map and get weight 1000, so outbound traffic prefers the path via that neighbor.
BGP Regular Expression hints
RegEX:
^ Matches the beginning of input.
$ matches the end of input
| (pipe) A logical "or" statement.
. (period) matches a SINGLE character.
+ matches the character to the left 1 or more times.
* matches the character to the left 0 or more times.
? matches the character to the left 0 or 1 times.
\ removes special meanings.
( ) affects order of operations
[ ] creates a group of characters.
_ matches a delimiter: a space, comma, brace, parenthesis, or the beginning or end of the string.
Examples:
150.1.1.0/24
AS Path: 6733 982 43 239 852 4439 10295 6010 10
1. only match 43: _43_
2. only match 43 or 10: _43_|_10_
3. only match paths whose most recent AS is 6733: ^6733 --- begins with 6733; the path reads left to right, most recent AS first.
4. only match paths originated by AS 10: _10$ -- matches the end of the string, which is the originating AS.
(_33_|_44_)_982_
match EITHER 33 OR 44 FOLLOWED BY 982.
^6733_. ==== matches paths whose most recent AS is 6733 with at least one more AS behind it, i.e. received from 6733 but not originated by 6733. The period is a single character; since the pattern is not anchored at the end, any number of ASes may follow.
^[0-9]+$ ==== + matches the class to its left one or more times; anchored at both ends, this matches a path of exactly one AS.
[300]+ === NOT the AS 300: square brackets are a character class, so this matches the characters 3 or 0 one or more times.
AS 300 300 300 300
to match 300 again and again:
^(300)+$
^([0-9]+)(_\1)*$ === 0-9 one or more times (AS 1234, 555, etc.) followed by the same AS repeated. Matches ANY path made of a single AS, prepended or not.
5. Match routes originated inside my own AS (internal routes only). The local AS is only put on the path when the route leaves our AS, so inside the AS the path is empty:
^$
6. ^\(64512\) == the backslash removes the special meaning of the parentheses.
If the AS path is: (6733 982) 43 239 852 4439
the ASes inside the parentheses are a confederation segment.
7. Match everything: .*
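The hints above applied with Python's re module, as an added example that is not part of the original notes. IOS's "_" has no Python equivalent, so the example translates it as "one delimiter (space, comma, brace, parenthesis) or a digit boundary, which covers the start and end of the string"; that translation is this example's own assumption and approximates IOS behaviour rather than reproducing its engine. The names DELIM, ios_to_python, as_path_matches and filter_paths are the example's own, and the sample AS paths are constructed (the first one is the path from the notes).

```python
"""IOS-style AS-path regular expressions evaluated with Python's re (example code)."""
import re

# IOS "_" matches a space, comma, brace, parenthesis, or the start/end of the path.
# Assumed translation for this example: consume one such delimiter, or match
# zero-width at a digit boundary (which covers start and end of string). Approximation.
DELIM = r"(?:[ ,{}()]|(?<![0-9])|(?![0-9]))"


def ios_to_python(pattern: str) -> str:
    """Only '_' needs rewriting; ^ $ | . + * ? backslash ( ) [ ] mean the same in both."""
    return pattern.replace("_", DELIM)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """Unanchored search, as IOS does: the pattern may match anywhere in the path."""
    return re.search(ios_to_python(pattern), as_path) is not None


def filter_paths(pattern: str, paths):
    """The paths an 'ip as-path access-list N permit PATTERN' entry would match."""
    return [p for p in paths if as_path_matches(pattern, p)]


if __name__ == "__main__":
    # Constructed sample paths; the first is the one from the notes.
    path = "6733 982 43 239 852 4439 10295 6010 10"
    checks = [
        ("_43_", path), ("_43_|_10_", path), ("^6733", path), ("_10$", path),
        ("_10_", "6010 20"),                     # the 10 inside 6010 is not AS 10
        ("(_33_|_44_)_982_", path), ("(_33_|_44_)_982_", "33 982 43"),
        ("^6733_.", path), ("^6733_.", "6733"),  # originated by 6733: no match
        ("^[0-9]+$", path), ("^[0-9]+$", "6733"),
        ("^$", ""), ("^$", path),
        (r"^\(64512\)", "(64512) 43 239"),
        (r"^([0-9]+)(_\1)*$", "300 300 300"), (r"^([0-9]+)(_\1)*$", "300 400"),
        (".*", path),
    ]
    for pattern, p in checks:
        print(f"{pattern:22} {repr(p):44} {as_path_matches(pattern, p)}")
    # ^300_ also matches a path that is just "300", because "_" matches the end of string.
    print(filter_paths("^300_", ["300 400", "400 300", "300"]))
```

The last line is worth noticing when writing a deny entry like the ^300_ one above: because "_" also matches the end of the string, the entry drops routes that AS 300 originates itself, not only routes it transits.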
6/29/2015
Cacti Bulk Tree Add Command line
If you want to add hundreds of ports in Cacti automatically, without pointing and clicking in the GUI, do the following:
1. Add a new device using GUI like you normally do.
2. Create your Graph Tree and add your new Tree item for your new device.
3. That's it in the GUI. The rest you do on the command line, to add your hundreds of ports to monitor for that device under your Tree.
ssh to your cacti server, then:
cd /usr/share/cacti/cli
sudo php -q add_tree.php --list-trees
sudo php -q add_tree.php --list-hosts
sudo php -q add_tree.php --list-nodes --tree-id=2 | grep Header === get the parent-node ID.
sudo php -q add_tree.php --list-graphs --host-id=20 --- you will see the graph IDs; you need them for the next step.
for i in {664..781} ;
do sudo php -q add_tree.php --type=node --node-type=graph --tree-id=2 --parent-node=492 --host-id=20 --graph-id=${i};
done
Another example:
for i in {35..70}
do sudo php -q add_tree.php --type=node --node-type=graph --tree-id=2 --parent-node=1573 --host-id=11 --graph-id=${i};
done
4/03/2015
Basic Juniper Setup with VLAN Routing, OSPF, Display Set
Basic Juniper Setup:
1. From factory default, login as:
root / no password
login: root
Password:
root@:RE:0%
2. At % prompt type:
root@:RE:0% cli
3. root> show version
4. root> show interfaces terse
5. root> configure or edit
root#
6. Set the hostname. For example:
root# set system host-name Chicago
7. Set the IP addresses of the built-in Ethernet ports. For example:
root# set interfaces ge-0/0/0 unit 0 family inet address 1.1.2.31/24
root# set interfaces ge-0/0/1 unit 0 family inet address 1.6.2.1/24
root# set interfaces ge-0/0/2 unit 0 family inet address 2.8.3.1/24
The unit number is the logical interface number. IP addresses are configured on the logical interface. Setting
the protocol family to inet specifies the routing table of IPv4 addresses.
7b. Set a default route (default gateway) for IPv4 packets. For example:
root# set routing-options static route 1.6.2.1/24 next-hop 10.1.1.50
7c. Configure one or more static routes:
root# set routing-options static route destination-prefix next-hop address
8. root# commit
===========
9. Set the root password / create a user account
set system root-authentication plain-text-password
set system login user BOB class super-user authentication plain-text-password
=== VLAN, VLAN IP Address, and Interface mapping to VLAN: 2 OPTIONS ===
OPTION 1: set commands from the top of configuration mode (root#):
10. Create some VLANs.
a. root# set vlans WIFI vlan-id 1 === assign vlan-id 1 to the WIFI vlan.
b. root# set vlans v10 vlan-id 10
c. root# set vlans STUDENT vlan-id 20
11. Assign IP Address to the VLAN: Create RVI.
a. root# set interfaces vlan unit 1 family inet address 192.168.1.2/24 === associates the IP address (unit 1) with vlan-id 1, which is the WIFI vlan.
b. root# set interfaces vlan unit 10 family inet address 10.16.23.65/26 ==== unit 10 here associates vlan-id 10 (v10) with the IP address.
c. root# set interfaces vlan unit 20 family inet address 10.1.20.1/24
12. Assign interfaces to their respective VLANs.
a. set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members WIFI
b. set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members WIFI
c. set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members WIFI
d. set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members v10
e. set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members v10
f. set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members v10
g. set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members STUDENT
h. set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members STUDENT
i. set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members STUDENT
13. Enable INTER-VLAN routing:
a. root# set vlans WIFI l3-interface vlan.1
b. root# set vlans v10 l3-interface vlan.10
c. root# set vlans STUDENT l3-interface vlan.20
14. Set Default Route in the Switch:
a. root# set routing-options static route 0.0.0.0/0 next-hop 10.16.23.10
15. Set management path:
a. root# set system services web-management http interface vlan.20 === This allows web management of the switch only from VLAN 20, the STUDENT VLAN.
16. Enable Telnet / SSH:
a. root# set system services telnet
b. root# set system services ssh
17. Set DHCP forwarding options (the Cisco equivalent is ip helper-address).
a. root# set forwarding-options helpers bootp interface vlan.1 server 10.16.23.10 === DHCP forwarding for the WIFI VLAN, VLAN 1.
b. root# set forwarding-options helpers bootp interface vlan.10 server 10.16.23.68 === DHCP forwarding for the v10 VLAN, VLAN 10.
c. root# set forwarding-options helpers bootp interface vlan.20 server 10.16.23.99 === DHCP forwarding for the STUDENT VLAN, VLAN 20.
18. Save the config
root# commit and-quit
19. root# run show interfaces terse vlan
root> show ethernet-switching interfaces
SHOW:
show vlans
root# run show interfaces terse vlan
root# run show route 192.168.1/24
OPTION 2 hierarchy mode:
On EX4200
== VLAN, VLAN IP Address, and Interface mapping to VLAN ===
1. root@:RE:0% cli
2. root> show vlans
3. root> edit
4. root# edit vlans
5. root# set VLAN10 vlan-id 10
6. root# set ENDUSERS vlan-id 20
7. root# set SERVERS vlan-id 30
8. root# show
9. Apply the VLANs to interfaces and mode access
root# top === go back to the top of the configuration hierarchy (out of vlans).
root# edit interfaces === enter interfaces hierarchy
root# edit ge-0/0/1 unit 0 family ethernet-switching
root# set port-mode access
root# set vlan members VLAN10 === Map this interface to VLAN10 or ENDUSERS or other VLAN.
root# up 3 === go up 3 levels in the hierarchy.
root# edit ge-0/0/2 unit 0 family ethernet-switching
root# set port-mode access
root# set vlan members ENDUSERS
root# up 3
root# edit ge-0/0/3 unit 0 family ethernet-switching
root# set port-mode access
root# set vlan members SERVERS
10. Create TRUNK interface on Juniper switch:
root# edit interfaces
root# edit ge-0/0/0 unit 0 family ethernet-switching
root# set port-mode trunk
root# set vlan members VLAN10
root# set vlan members ENDUSERS
root# set vlan members SERVERS
root# show
11. commit
12. root# exit
root> show vlans
====== Juniper Factory Default Config ===
root% cli
root> configure
root# load factory-default
root# set system root-authentication plain-text-password == Set new root password
root# commit and-quit
root> request system reboot === reload the switch (operational mode, after commit and-quit)
====================================
==== Enable OSPF in Juniper ====
set interfaces ge-0/2/0 unit 0 family inet address 10.0.0.1
set protocols ospf area 0.0.0.0 interface ge-0/2/0
commit
or
set interfaces ge-0/2/0 unit 0 family inet address 10.0.0.1
edit protocols ospf
set area 0 interface ge-0/0/1
set area 0 interface lo0
==== Troubleshoot or Debug OSPF Juniper ====
1. Debug by creating a trace file (it is written under /var/log):
# edit protocols ospf
edit traceoptions
set file ospf-trace
set flag hello detail === type of packets to capture.
commit
2. run monitor start ospf-trace == the file you created.
3. run monitor stop ==== STOPS displaying trace output on the terminal, but it is still written to the log file.
4. run show log ospf-trace === the filename == the log keeps growing after monitor stop.
5. To completely disable the debug/trace:
# deactivate traceoptions
# show === the configuration now shows the statement as "inactive"; on commit, Junos ignores the inactive statement.
=====================================================
# show interfaces
user@host# show protocols ospf
show ospf interface detail
show ospf3 interface detail
show configuration protocols ospf
show ospf interface
show ospf neighbor
show ospf database
==== Config OSPF Passive Interface Juniper ====
Enabling OSPF on an interface (by including the interface statement), disabling it (by including the disable
statement), and not actually having OSPF run on an interface (by including the passive statement) are mutually
exclusive states.
set protocols ospf area 0.0.0.1 interface ge-0/2/0 passive
user@host# show protocols ospf
area 0.0.0.1 {
interface ge-0/2/0.0 {
passive;
}
}
================== commit / compare ====
To check what has been changed but NOT yet committed in the Junos configuration, go to the top of the CLI and do "show | compare".
This shows the candidate configuration compared to the currently committed configuration.
User@Host# show | compare
sysT3ms@FIFE-DC-EX1> show system commit
====================================================
cisco vs juniper
Cisco
conf t
Int Gi1/0/1
shut
no shut
Juniper
config
set interfaces ge-5/0/42 disable
commit
delete interfaces ge-5/0/42 disable
commit
Cacti Backup and Restore Script
Cacti Backup:
Files will be saved in /home/cacti-backup/
-rw-r--r-- 1 root root 6851095 Mar 31 08:23 /home/cacti-backup/CactiFolder-2015-03-31.tar.gz
-rw-r--r-- 1 root root 25800 Mar 31 08:20 /home/cacti-backup/CLI_files-2015-03-31.tar.gz
-rw-r--r-- 1 root root 845639 Mar 31 08:20 /home/cacti-backup/LOG_files-2015-03-31.tar.gz
-rw-r--r-- 1 root root 65301949 Mar 31 08:20 /home/cacti-backup/RRAXML_files-2015-03-31.tar.gz
-rw-r--r-- 1 root root 5806 Mar 31 08:20 /home/cacti-backup/SCRIPT_files-2015-03-31.tar.gz
-rw-r--r-- 1 root root 2462302 Mar 31 08:23 /home/cacti-backup/Cacti-Database-2015-03-31.sql
Script:
After running the backup script, enter your MySQL password when asked.
[root@localhost backup]# cat cactibackup.sh
##################################################
#!/bin/bash
#
# Script for backing up Cacti and all related folders
#
# This function finds all rrd files, runs rrdtool dump on each one (writing an
# XML copy next to it) and deletes the original rrd file
rrdump ()
{
    for rrd in $(find /home/cacti-backup/rra/ -type f -name "*.rrd")
    do
        xml=$(echo "$rrd" | sed 's/\.rrd$//')
        rrdtool dump "$rrd" > "$xml.xml"
        rm "$rrd"
    done
}
#
# Timestamp in YYYY-MM-DD
TIME_STAMP="$(date +%Y-%m-%d)"
#
# Backup the MySQL database (prompts for the MySQL root password)
mysqldump -u root -p cacti > /home/cacti-backup/Cacti-Database-${TIME_STAMP}.sql
#
# Backup and archive the Cacti folder
tar -cvpzf /home/cacti-backup/CactiFolder-${TIME_STAMP}.tar.gz /usr/share/cacti
#
# Copy the RRA directory to the backup directory
cd /var/lib/cacti
cp -R rra /home/cacti-backup/
#
# Find all files with the extension rrd and run the RRDTOOL DUMP feature
rrdump
#
# Backup and archive the RRA folder (now holding the XML dumps)
tar -cvpzf /home/cacti-backup/RRAXML_files-${TIME_STAMP}.tar.gz /home/cacti-backup/rra
#
# Remove the copied RRA folder
cd /home/cacti-backup
rm -rf rra
#
# Backup and archive all other required folders
tar -cvpzf /home/cacti-backup/CLI_files-${TIME_STAMP}.tar.gz /var/lib/cacti/cli
tar -cvpzf /home/cacti-backup/LOG_files-${TIME_STAMP}.tar.gz /var/log/cacti/
tar -cvpzf /home/cacti-backup/SCRIPT_files-${TIME_STAMP}.tar.gz /var/lib/cacti/scripts
##################################################
=============================================
Cacti restore:
cacti@cacti01:~/cacti-backup$ cat restore.sh
##################################################
#!/bin/bash
#
# Script for restoring Cacti and all related folders
#
# This function finds all xml files, rebuilds each rrd file from its xml dump
# with rrdtool restore and deletes the xml file
rrdrestore ()
{
    for xml in $(find . -type f -name "*.xml")
    do
        rrd=$(echo "$xml" | sed 's/\.xml$//')
        rrdtool restore "$xml" "$rrd.rrd"
        rm "$xml"
    done
}
restore ()
{
    #Restoring Database
    mysql -u root -p cacti < "$MySQLDatabase"
    #Unpacking RRA files from archive
    tar -xvzf "$RRAFiles" -C /
    #Restore RRD files using RRDTOOL restore
    rrdrestore
    #Copy RRA folder to /var/lib/cacti
    cd /home/cacti-backup/
    cp -R rra /var/lib/cacti/
    #Delete RRA folder
    cd /home/cacti-backup
    rm -rf rra
    #Change ownership of RRA directory
    chown -R cacti:cacti /var/lib/cacti/rra
    chown cacti:root /var/lib/cacti/rra
    #Restore all other folders
    tar -xvzf "$LOGFiles" -C /
    tar -xvzf "$CLIFiles" -C /
    tar -xvzf "$SCRIPTFiles" -C /
    tar -xvzf "$CactiFolder" -C /
    #Change ownership of log/cacti directory
    chown -R cacti:apache /var/log/cacti
    echo
    echo "Restoration Complete. Please restart server."
    echo "Please note: You may need to rebuild the poller cache once logged into Cacti"
}
#
# Requesting information from user - date of backup in format YYYY-MM-DD
echo
echo
echo -n "Please enter the date from which you would like to restore from (YYYY-MM-DD):"
read date
echo
echo
echo "Restoring from date $date"
echo
echo
#
# Checking files exist
cd /home/cacti-backup/
MySQLDatabase=Cacti-Database-$date.sql
CactiFolder=CactiFolder-$date.tar.gz
RRAFiles=RRAXML_files-$date.tar.gz
LOGFiles=LOG_files-$date.tar.gz
CLIFiles=CLI_files-$date.tar.gz
SCRIPTFiles=SCRIPT_files-$date.tar.gz
#
#
echo "Checking if files exist:"
echo
echo
for f in "$MySQLDatabase" "$CactiFolder" "$RRAFiles" "$CLIFiles" "$LOGFiles" "$SCRIPTFiles"
do
    if [ -f "$f" ]; then
        echo "File $f exists. SUCCESS!"
    else
        echo "File $f does not exist. FAIL!"
    fi
done
#
echo
echo
#
#Asking user if they want to continue
echo "WARNING: IF ANY OF THE FILES ABOVE FAIL, RESTORE MAY."
while true; do
    read -p "DO YOU WANT TO CONTINUE?" yn
    case $yn in
        [Yy]* ) restore; break;;
        [Nn]* ) exit;;
        * ) echo "Please answer yes or no.";;
    esac
done
##################################################
Or, if you ONLY want the database restored (it contains all your devices and monitored ports), do this after a fresh reinstall of Cacti:
cacti@cacti01:~/script$ mysql -u root -p cacti < Cacti-Database-2015-03-31.sql
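The restore script above reports a missing file but still lets you answer yes and continue. As an added example, not the page's own script, here is a Python check for the backup set of one date that also opens every .tar.gz and reads its member list, so a truncated or overwritten archive is caught before anything is extracted into /. The file names follow the backup script's naming scheme; BACKUP_FILES, check_file, verify_backup_set and problems are the example's own names, build_sample_set writes constructed fixture files, and demo is the example's own test driver.

```python
"""Check a Cacti backup set for one date before restoring it (example code)."""
import os
import tarfile
import tempfile
from typing import Dict, List, Tuple

# The six files the backup script writes for one date, following its naming scheme.
BACKUP_FILES = [
    "Cacti-Database-{date}.sql",
    "CactiFolder-{date}.tar.gz",
    "RRAXML_files-{date}.tar.gz",
    "LOG_files-{date}.tar.gz",
    "CLI_files-{date}.tar.gz",
    "SCRIPT_files-{date}.tar.gz",
]


def check_file(path: str) -> str:
    """Return 'ok', 'missing', 'empty' or 'corrupt' for one backup file."""
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) == 0:
        return "empty"
    if path.endswith(".tar.gz"):
        try:
            # Reading the whole member list forces the gzip stream and every tar header
            # to be parsed, so truncation or garbage is caught here rather than halfway
            # through 'tar -xvzf ... -C /' during a restore.
            with tarfile.open(path, "r:gz") as tar:
                tar.getmembers()
        except (tarfile.TarError, EOFError, OSError):
            return "corrupt"
    return "ok"


def verify_backup_set(backup_dir: str, date: str) -> Dict[str, str]:
    """Status of every expected file for the given YYYY-MM-DD date."""
    results = {}
    for template in BACKUP_FILES:
        name = template.format(date=date)
        results[name] = check_file(os.path.join(backup_dir, name))
    return results


def problems(results: Dict[str, str]) -> List[str]:
    """Files that must be fixed before a restore is attempted (empty list = go)."""
    return [name for name, status in results.items() if status != "ok"]


def build_sample_set(backup_dir: str, date: str) -> None:
    """Write a tiny constructed backup set (test fixture, not real Cacti data)."""
    sample = os.path.join(backup_dir, "sample.txt")
    with open(sample, "w") as f:
        f.write("constructed sample content\n")
    for template in BACKUP_FILES:
        path = os.path.join(backup_dir, template.format(date=date))
        if path.endswith(".sql"):
            with open(path, "w") as f:
                f.write("-- constructed mysqldump output\n")
        else:
            with tarfile.open(path, "w:gz") as tar:
                tar.add(sample, arcname="sample.txt")


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Verify a good set, then the same set with one archive overwritten and one removed."""
    date = "2015-03-31"
    with tempfile.TemporaryDirectory() as backup_dir:
        build_sample_set(backup_dir, date)
        good = verify_backup_set(backup_dir, date)
        with open(os.path.join(backup_dir, "LOG_files-" + date + ".tar.gz"), "wb") as f:
            f.write(b"this is not a gzip stream")
        os.remove(os.path.join(backup_dir, "CLI_files-" + date + ".tar.gz"))
        damaged = verify_backup_set(backup_dir, date)
    return good, damaged


if __name__ == "__main__":
    good, damaged = demo()
    print("intact set, problems:", problems(good))
    for name, status in damaged.items():
        print(f"{status:8} {name}")
    print("damaged set, problems:", problems(damaged))
```

Run against the real directory as verify_backup_set("/home/cacti-backup", "2015-03-31") and refuse the restore whenever problems() returns anything; that is the check the restore script's yes/no prompt leaves to the operator.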
3/24/2015
Juniper Switch Software Install, Upgrade, or Downgrade using USB port
I bought two EX4200s from eBay and wanted to build a virtual chassis. Here are some things I learned:
1. The two switches came with different software versions, 10 and 12.
2. Had to buy the VCP cable for the virtual chassis.
3. Had to connect the cable in the back vcp-0 to vcp-0 and vcp-1 to vcp-1 to make a ring, else it wouldn't work and you'll see a status of "NotPrsnt."
4. Both switches need to be on the same software, so this is what I did:
I had to downgrade the new switch to 10.4R5.5. The simplest and safest way to do this is with the switch standalone: put the image on a USB key and plug it into the back of the EX4200. Keep in mind that a downgrade also gives up whatever fixes the newer release contained, so check the release notes for the target version before doing this on a production switch.
Here are the steps:
a. Download your image from Juniper.net and put it in the root of a FAT32-formatted USB key using your laptop. Compare the file's checksum with the value shown on the download page before you use it, so you are not installing a corrupted or tampered image.
b. Insert the USB key into the back of the EX4200 and boot the switch if needed.
Then mount the USB key from the shell. The device name may differ from /dev/da1s1; the console messages printed when the key is inserted show the one to use.
root@:RE:0% mount_msdosfs /dev/da1s1 /mnt
Once the USB key has been mounted you can run the request system software add command from the CLI. This command installs whatever software version you specify, upgrade or downgrade:
root> request system software add /mnt/jinstall-ex-4200-10.4R5.5-domestic-signed.tgz
You now have to be patient as this process takes a few minutes, once the image has been loaded you will be asked to reboot.
Checking pending install on fpc0
Validating on fpc0
Done with validate on all virtual chassis members
fpc0:
WARNING: A reboot is required to install the software
WARNING: Use the ‘request system reboot’ command immediately
root@:RE:0% cli
{master:0}
root> request system reboot
Reboot the system ? [yes,no] (no) yes
*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
Once the switch has rebooted, show version will show that it is now running 10.4R5.5, or whichever image you installed.
root> show version
3/16/2015
BGP LAB 1: BGP Access List Filtering and Answer
Two routers connected with eBGP. Want to filter some routes (10.x.x.x) from the neighbor router using an extended access list.
Goal:
Config like diagram.
Configure EBGP between router Tristram and Sanctuary.
Advertise the loopback interfaces on both routers in BGP.
Configure a summary that advertises 10.0.0.0/8 towards router Sanctuary.
Configure an extended access-list on router Sanctuary that will block the 10.0.0.0/8 prefix but allows all other prefixes.
Configure an extended access-list on router Tristram that blocks network 10.2.2.0/24.
Answer:
Tristram Router:
router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.1.1.1 mask 255.255.255.255
network 10.0.0.0 === Advertise the 10.x network; the aggregate-address on the next line summarizes it.
aggregate-address 10.0.0.0 255.0.0.0 summary-only === Summarize the 10.x prefixes and suppress the more specific ones.
neighbor 192.168.12.2 remote-as 2
neighbor 192.168.12.2 distribute-list 100 in === Filter the routes received from this neighbor through ACL 100.
access-list 100 deny ip 10.0.0.0 0.255.255.255 any === Deny the 10.x prefixes. In a BGP distribute-list the extended ACL's source field is matched against the network and the destination field against the subnet mask, so "any" as the destination means any mask: every prefix inside 10.0.0.0/8 is dropped, not only 10.0.0.0/8 itself.
access-list 100 permit ip any any
Sanctuary Router:
router bgp 2
no synchronization
bgp log-neighbor-changes
network 2.2.2.2 mask 255.255.255.255
network 10.2.2.0 mask 255.255.255.0
aggregate-address 10.0.0.0 255.0.0.0 summary-only
neighbor 192.168.12.1 remote-as 1
neighbor 192.168.12.1 soft-reconfiguration inbound
neighbor 192.168.12.1 distribute-list 100 in
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
sh ip bgp nei 192.168.12.1 received-routes
sh ip route
====================================
Note: I got this from gns3vault.com, but I posted my answer for my own reference.
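The distribute-list semantics used in the lab answer, as an added example (this is not part of the lab or the gns3vault answer): a small model of how IOS evaluates an extended access list applied with "neighbor ... distribute-list N in", where the ACL's source field is compared with the received network and the destination field with its subnet mask. It runs the lab's ACL 100, and an assumed ACL that drops only 10.2.2.0/24 by matching network and mask exactly, over a constructed set of received prefixes. The ACL_ONLY_10_2_2 list, the RECEIVED sample and the function names are assumptions made for the example.

```python
"""Added example, not part of the lab answer above: a model of how IOS
evaluates an extended access list that a BGP neighbour applies with
'distribute-list ... in'. In that role the ACL's source field is compared
with the received network and the destination field with its subnet mask.
The received prefixes are constructed to mirror the lab."""
from ipaddress import IPv4Address, IPv4Network

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': address 0.0.0.0, wildcard all ones


def host(addr):
    """'host X': address X with wildcard 0.0.0.0, i.e. an exact match."""
    return (addr, "0.0.0.0")


def wildcard_match(value_int, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (value_int & care) == (int(IPv4Address(base)) & care)


def acl_permits(acl, prefix):
    """First matching entry decides; an ACL ends with an implicit deny."""
    net = IPv4Network(prefix)
    for action, (src, src_wc), (dst, dst_wc) in acl:
        if wildcard_match(int(net.network_address), src, src_wc) and \
           wildcard_match(int(net.netmask), dst, dst_wc):
            return action == "permit"
    return False


def apply_distribute_list(acl, received):
    """Prefixes that survive 'neighbor ... distribute-list <acl> in'."""
    return [p for p in received if acl_permits(acl, p)]


# The lab's ACL:
#   access-list 100 deny ip 10.0.0.0 0.255.255.255 any
#   access-list 100 permit ip any any
ACL_100 = [
    ("deny", ("10.0.0.0", "0.255.255.255"), ANY),
    ("permit", ANY, ANY),
]

# Assumed ACL that drops only 10.2.2.0/24, matching network and mask exactly
# (what the Tristram requirement literally asks for):
#   access-list 100 deny ip host 10.2.2.0 host 255.255.255.0
#   access-list 100 permit ip any any
ACL_ONLY_10_2_2 = [
    ("deny", host("10.2.2.0"), host("255.255.255.0")),
    ("permit", ANY, ANY),
]

# Constructed sample of what the neighbour might send: the summary, its
# component (as it would arrive without summary-only) and the loopbacks.
RECEIVED = ["10.0.0.0/8", "10.2.2.0/24", "2.2.2.2/32", "1.1.1.1/32"]

if __name__ == "__main__":
    print("ACL 100       :", apply_distribute_list(ACL_100, RECEIVED))
    print("only 10.2.2/24:", apply_distribute_list(ACL_ONLY_10_2_2, RECEIVED))
```

Running it shows the difference the lab text glosses over: ACL 100 leaves only the two loopbacks, while the exact-match ACL drops 10.2.2.0/24 and still accepts the 10.0.0.0/8 summary.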
3/04/2015
How to Secure Your Network
This is a precursor to my new post on how to secure your network from the outside.
Securing a network from the outside in is quite easy. All you need is to buy an appliance, either a hardware device or a software device, to do the job.
But how does one decide which vendor to get: Cisco ASA, Juniper, or others, like the next-gen firewalls and UTMs?
I will tell you that we decided to replace our Cisco ASA firewall and content filtering with Sophos UTM, and it has worked wonderfully: no spam, no viruses, web filtering, stopping outside threats coming in, etc.
In my next post I will tell you why.
Cisco to Juniper (Junos) Redistributing EIGRP to OSPF
In my previous post I talked about route tagging, but that only takes care of internal routes redistributed from EIGRP into OSPF. A problem comes up when you redistribute external EIGRP routes into OSPF, i.e. routes that entered EIGRP through a redistribute command on some other router.
Those routes have an administrative distance of 170 (external EIGRP) on the routers that learn them. When a second redistribution point puts them into OSPF as well, the core routers also learn the same destinations back as OSPF external routes with an AD of 110, and 110 beats 170, so the OSPF path wins. To solve this, add:
distance ospf external 171
under the router ospf 1 process. With OSPF external routes at 171 the external EIGRP route (170) is preferred again. Do a "show ip route ospf" on the core router that does the EIGRP/OSPF redistribution to see the difference.
To simulate:
Router 4 / router 6 / other normal router:
router eigrp 2
network 172.17.39.0 0.0.0.3
redistribute connected
redistribute static === Routes that enter EIGRP through a redistribute command are advertised as external EIGRP, AD 170 on the routers that learn them. Routes covered by the "network" command are internal EIGRP, AD 90.
Router 2: == This is the router that does the EIGRP/OSPF redistribution and connected to the JUNIPER.
router eigrp 2
network 172.17.0.0
redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-TO-EIGRP
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
redistribute eigrp 2 subnets route-map EIGRP-TO-OSPF
network 172.17.34.0 0.0.0.3 area 0
default-information originate
distance ospf external 171 === Needed on every router that does the EIGRP/OSPF redistribution. Without it, traffic from this EIGRP domain to a destination that another EIGRP router injected with redistribute static (external EIGRP, AD 170) follows the OSPF external route (AD 110) learned via the other redistribution point instead of the direct EIGRP-to-EIGRP path.
Router 3: == The core router that does the EIGRP/OSPF redistribution and connected to the JUNIPER.
router eigrp 2
network 172.17.0.0
redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-TO-EIGRP
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
redistribute eigrp 2 subnets route-map EIGRP-TO-OSPF
network 172.17.35.0 0.0.0.3 area 0
default-information originate
distance ospf external 171 === Needed here as well, for the same reason as on Router 2: otherwise the OSPF external route (AD 110) beats the external EIGRP route (AD 170) and traffic between the EIGRP domains detours through OSPF.
R2# sh ip ro os === Both R2 and R3 will show the same OSPF route to the OSPF domain:
Gateway of last resort is 172.17.32.1 to network 0.0.0.0
192.168.60.0/32 is subnetted, 1 subnets
O 192.168.60.1 [110/3] via 172.17.34.1, 2d01h, FastEthernet1/0
R2#
2/10/2015
BGP Load Balancing
From R1, you want to load balance BGP traffic out to R2 and R3.
In order to do BGP load balancing, the paths must be equal through step 5.5 of the best-path selection below. I had thought it was at 8.5, but after testing, it's at 5.5.
1 Weight (highest wins)
2 Local preference (highest wins)
3 Locally originated path (next hop 0.0.0.0 in show ip bgp)
4 AS path (shortest wins)
5 Origin: i, then e, then ?
5.5 -- note: When "bgp bestpath as-path multipath-relax" is configured, this is the point at which it load balances: if steps 1 through 5 are equal (the AS paths only need the same length, not the same content), the criteria below are not compared and "show ip route" shows two routes for the prefix. In the test below the two MEDs (999 and 3) differ and multipath still happens, because by default IOS only compares MED between paths received from the same neighboring AS; R2 is in AS 2 and R3 in AS 3, so the MEDs are never compared. With "bgp always-compare-med" they would be, and only the path via R3 would be installed.
6 MED (metric; lowest wins, compared only between paths from the same neighboring AS unless bgp always-compare-med is set)
7 eBGP over iBGP
8 IGP cost to the next hop (lowest wins)
8.5 -- Maximum-paths check without multipath-relax: if everything above is equal, including identical AS paths, a route with multiple exit points is installed in the routing table up to maximum-paths. When you see two routes in "sh ip ro", you know it's load balanced.
R1(config)#
router bgp 1
maximum-paths 2
bgp bestpath as-path multipath-relax (a hidden command)
9 Oldest eBGP path (older routes preferred)
10 Lowest router ID
R1#sh run | s bgp
router bgp 1
no synchronization
bgp log-neighbor-changes
bgp bestpath as-path multipath-relax
network 1.1.1.1 mask 255.255.255.255
neighbor 192.168.12.2 remote-as 2
neighbor 192.168.12.2 soft-reconfiguration inbound
neighbor 192.168.12.2 route-map SET-MED-ASPATH in
neighbor 192.168.13.3 remote-as 3
neighbor 192.168.13.3 route-map SET-ORIGIN-IGP in
maximum-paths 2
no auto-summary
=====
R1#sh ip bgp
m multipath,
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 0.0.0.0 0 32768 i
*m 5.5.5.5/32 192.168.12.2 999 0 2 2 5 i
*> 192.168.13.3 3 0 3 4 5 i
R1#
R1#sh ip route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
5.0.0.0/32 is subnetted, 1 subnets
B 5.5.5.5 [20/999] via 192.168.13.3, 03:14:22
[20/999] via 192.168.12.2, 03:14:22
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, FastEthernet0/1
L 192.168.12.1/32 is directly connected, FastEthernet0/1
192.168.13.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.13.0/24 is directly connected, FastEthernet0/0
L 192.168.13.1/32 is directly connected, FastEthernet0/0
R1#
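The selection order and the multipath check described above, as an added example that is not part of the original post: a model of the IOS best-path steps with the multipath decision placed where the post puts it (5.5 with multipath-relax, 8.5 without), including the rule that MED is only compared between paths from the same neighboring AS. The two paths are built from R1's "sh ip bgp" output on the page (2 2 5 via 192.168.12.2 with MED 999, 3 4 5 via 192.168.13.3 with MED 3); the router IDs, the arrival order, the third path VIA_R4 and the function names are assumptions made for the example.

```python
"""Added example (not from the original post): a model of the IOS best-path
order listed above and of the multipath check the post places at "5.5" and
"8.5". The first two paths mirror R1's "sh ip bgp" output on the page; the
router IDs, the arrival order and the third path are assumptions."""
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # origin i beats e beats ?


@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: tuple                 # e.g. (2, 2, 5); prepends count toward the length
    weight: int = 0
    local_pref: int = 100
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_cost: int = 0
    age: int = 0                   # lower = received earlier (oldest eBGP path wins)
    router_id: str = "0.0.0.0"
    self_originated: bool = False  # next hop 0.0.0.0 in "sh ip bgp"


def _neighbor_as(p):
    return p.as_path[0] if p.as_path else None


def _med_applies(a, b, always_compare_med):
    """IOS compares MED only between paths from the same neighbouring AS
    unless 'bgp always-compare-med' is configured."""
    return always_compare_med or _neighbor_as(a) == _neighbor_as(b)


def _router_id_key(p):
    return tuple(int(octet) for octet in p.router_id.split("."))


def compare(a, b, always_compare_med=False):
    """Return (winner, step): step is the number, from the list above, of the
    first criterion that separated a and b (0 if they tie on everything)."""
    med_counts = _med_applies(a, b, always_compare_med)
    checks = [
        (1, lambda p: -p.weight),
        (2, lambda p: -p.local_pref),
        (3, lambda p: 0 if p.self_originated else 1),
        (4, lambda p: len(p.as_path)),
        (5, lambda p: ORIGIN_RANK[p.origin]),
        (6, lambda p: p.med if med_counts else 0),
        (7, lambda p: 0 if p.ebgp else 1),
        (8, lambda p: p.igp_cost),
        (9, lambda p: p.age),
        (10, _router_id_key),
    ]
    for step, key in checks:
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a if ka < kb else b), step
    return a, 0


def best_path(paths, always_compare_med=False):
    best = paths[0]
    for p in paths[1:]:
        best, _ = compare(best, p, always_compare_med)
    return best


def multipath(paths, maximum_paths=1, multipath_relax=False, always_compare_med=False):
    """Paths installed in the routing table: the best path plus up to
    maximum_paths-1 others that tie with it on every criterion before the
    age/router-ID tie-breakers. Without multipath-relax the AS paths must be
    identical; with it they only need the same length."""
    best = best_path(paths, always_compare_med)
    installed = [best]
    for p in paths:
        if p is best or len(installed) >= maximum_paths:
            continue
        _, step = compare(best, p, always_compare_med)
        same_as_path = p.as_path == best.as_path or (
            multipath_relax and len(p.as_path) == len(best.as_path))
        if step in (0, 9, 10) and same_as_path:
            installed.append(p)
    return installed


def next_hops(paths, **kwargs):
    """Next hops that end up in 'show ip route', in installation order."""
    return [p.next_hop for p in multipath(paths, **kwargs)]


# From the page's R1 output: *m via 192.168.12.2, path 2 2 5, MED 999 and
# *> via 192.168.13.3, path 3 4 5, MED 3. Ages and router IDs are assumed.
VIA_R2 = Path("192.168.12.2", (2, 2, 5), med=999, age=1, router_id="2.2.2.2")
VIA_R3 = Path("192.168.13.3", (3, 4, 5), med=3, age=0, router_id="3.3.3.3")
PATHS = [VIA_R2, VIA_R3]
# Assumed extra path from AS 2 with the same AS path as VIA_R2 (not on the page).
VIA_R4 = Path("192.168.14.4", (2, 2, 5), med=999, age=2, router_id="4.4.4.4")

if __name__ == "__main__":
    print("relax, max 2      :", next_hops(PATHS, maximum_paths=2, multipath_relax=True))
    print("no relax, max 2   :", next_hops(PATHS, maximum_paths=2))
    print("relax + always-med:", next_hops(PATHS, maximum_paths=2, multipath_relax=True,
                                            always_compare_med=True))
```

With multipath-relax and maximum-paths 2 both next hops are installed, as in the routing table above; without relax only the path via R3 survives because the AS paths differ in content; and with always-compare-med the MED (3 versus 999) decides at step 6, so again only R3's path is installed. VIA_R4 shows the case that needs no relax at all: an identical AS path from the same neighboring AS.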