cisco nxos route redistribution

2011.11.06

wanted to redistribute some static routes into eigrp; nxos handles this differently than ios.  all redistributes need to use a route-map, and the easiest way to populate the route-map is with a prefix-list.

examine your static routes…

n7k1# sh run | inc "ip route "

ip route 0.0.0.0/0 10.0.0.2
ip route 10.10.10.0/24 10.0.0.4
ip route 10.20.10.0/20 10.0.0.1
ip route 192.168.172.0/24 10.10.10.3

create a prefix list of subnets you want into eigrp..

ip prefix-list examplestatic seq 15 permit 10.10.10.0/24
ip prefix-list examplestatic seq 20 permit 10.20.10.0/20
ip prefix-list examplestatic seq 25 permit 192.168.172.0/24

create a route-map, add your prefix-list to it…

route-map examplestaticmap permit 10
match ip address prefix-list examplestatic

add them to your eigrp instance…

router eigrp 14
 redistribute static route-map examplestaticmap

validate whether the routes showed up on your other routers; this is a downstream ios device:

2911#sh ip route 10.20.10.0
Routing entry for 10.20.10.0/20
  Known via "eigrp 14", distance 170, metric 52224, type external
  Redistributing via eigrp 14
  Last update from 192.168.97.19 on GigabitEthernet0/0, 3w5d ago
  Routing Descriptor Blocks:
  * 192.168.97.20, from 192.168.97.20, 3w5d ago, via GigabitEthernet0/0
      Route metric is 52224, traffic share count is 1
      Total delay is 1040 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 4
    192.168.97.19, from 192.168.97.19, 3w5d ago, via GigabitEthernet0/0
      Route metric is 52224, traffic share count is 1
      Total delay is 1040 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1492 bytes
      Loading 1/255, Hops 4
2911#sh ip route | beg 10.20.10
D EX     10.20.10.0/20 [170/52224] via 192.168.97.20, 3w5d, GigabitEthernet0/0
                       [170/52224] via 192.168.97.19, 3w5d, GigabitEthernet0/0

that’s it.  my examples show up twice because i did the redistribution on two n7ks.
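as an added example (not from the post), here is a small python model of the prefix-list filter above: it implements cisco's first-match and implicit-deny semantics, including the optional ge/le length bounds the post doesn't use, and checks which of the statics above would actually be handed to eigrp.  the sample config is constructed from the lines shown above; note the default route falls through to the implicit deny.

```python
import ipaddress, re

# "ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]" (page syntax plus optional ge/le)
ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def entry_matches(entry, route):
    """Cisco semantics: the route must sit inside the entry's prefix, and its length must
    equal the entry's length unless ge/le widen the accepted range."""
    _, _, prefix, ge, le = entry
    if not route.subnet_of(prefix):
        return False
    if ge is None and le is None:
        return route.prefixlen == prefix.prefixlen
    low = ge if ge is not None else prefix.prefixlen
    high = le if le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high

def parse_prefix_list(config, name):
    """Return (seq, action, prefix, ge, le) tuples for NAME, sorted in seq order."""
    entries = []
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group(1) == name:
            seq, action, prefix, ge, le = m.groups()[1:]
            # strict=False: the page's 10.20.10.0/20 normalises to 10.20.0.0/20
            entries.append((int(seq), action, ipaddress.IPv4Network(prefix, strict=False),
                            int(ge) if ge else None, int(le) if le else None))
    return sorted(entries)

def evaluate(entries, route_text):
    """First matching entry wins; nothing matching falls through to the implicit deny."""
    route = ipaddress.IPv4Network(route_text, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1]
    return "deny"

def redistributed(static_config, entries):
    """Which 'ip route PREFIX NEXTHOP' statics the route-map would hand to EIGRP."""
    statics = re.findall(r"^ip route (\S+) \S+", static_config, re.MULTILINE)
    return [p for p in statics if evaluate(entries, p) == "permit"]

# constructed from the statics and prefix-list shown in the post
STATICS = """ip route 0.0.0.0/0 10.0.0.2
ip route 10.10.10.0/24 10.0.0.4
ip route 10.20.10.0/20 10.0.0.1
ip route 192.168.172.0/24 10.10.10.3"""
PREFIX_LIST = """ip prefix-list examplestatic seq 15 permit 10.10.10.0/24
ip prefix-list examplestatic seq 20 permit 10.20.10.0/20
ip prefix-list examplestatic seq 25 permit 192.168.172.0/24"""
```

running `redistributed(STATICS, parse_prefix_list(PREFIX_LIST, "examplestatic"))` returns the three permitted statics and leaves 0.0.0.0/0 out, which is the check worth doing before you paste the redistribute line in.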


Categories : geek

lab & test multicast

2011.02.19

there are a couple of decent tools to lab & test multicast routing.  one is mcast.exe, another is VLC, and the third, i suppose, is joining a cisco interface to a multicast group.  dan mentioned a fourth tool, nortel’s multicast hammer.

symantec endpoint protection 11 blocks broadcast & multicast by default.  you will need to turn that off if you have it installed.  🙂

mcast.exe is part of the windows 2003 resource kit.  in windows 7, you need to run your command prompt as administrator for it to work.  on the “source side”, all you need to specify is a source interface/ip-address and a multicast group.  i usually test with more packets of obnoxious sizes.  :)  overriding the TTL gives you more testing options.

mcast /intf:10.11.13.2 /send /grps:239.192.1.101 /pktsize:65535 /numpkts:20000000000 /ttl:128

on the “destination side”, all you need to specify is the receiving interface/ip-address and the multicast group.

mcast /intf:10.11.12.50 /recv /grps:239.192.1.101

another way to test is with VLC.  i’ve tested this in 0.98 and 1.1.  it’s easier & faster from the command line than the GUI.  on the “source side”, you need to specify a destination multicast group and port, and override the default TTL of 1.

vlc -vvv c:\media\SomeShow.S02E03.720p.HDTV.x264-CTU.mkv --sout udp:239.192.1.100:1234 --ttl 255 --loop

for the “destination side”, specify a multicast group and port to tune into:

vlc udp://239.192.1.100:1234

i found an annoying nuance in VLC 1.1 or windows 7 for a client tuning into a multicast stream: the group address has to be prefixed with @, otherwise VLC won’t join it.

vlc udp://@239.192.1.100:1234

last but not least, a cisco interface.

sw1(config-if)#do sh run int loopback 153
Building configuration...

Current configuration : 121 bytes
!
interface Loopback153
 ip address 10.11.153.1 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 239.192.1.110
end

verify igmp memberships.  maybe check the pim rp if you’re up for it:

sw1#sh ip igmp groups
IGMP Connected Group Membership
Group Address    Interface    Uptime    Expires   Last Reporter   Group Accounted
239.192.152.143  Vlan2        3d02h     00:02:57  10.11.12.110
239.192.1.110    Loopback153  00:01:56  00:02:49  10.11.153.1
239.255.255.250  Vlan2        27w4d     00:02:52  10.11.12.236
224.0.1.24       Vlan2        1w1d      00:02:51  10.11.12.4
224.0.1.60       Vlan2        07:09:12  00:02:53  10.11.12.9
224.0.1.40       Vlan1        27w4d     00:02:52  192.168.200.1

Categories : geek

IronPort Web-Security and Cisco ASA 5500 series

2010.02.08

Some nuances I figured out while setting up an IronPort Web-Security appliance with ASA firewalls.  The how-tos I’ve seen online were a bit lacking.

It’s easiest to use WCCP to hand off traffic to the IronPort WSA.  WCCP requires basically three things to function: which ACLs you want to redirect, where you want to redirect them to, and which WCCP ‘service’ you want to use:

  1. In ASDM, the standard ACLs can be edited in Firewall | Advanced | ACL Manager.
  2. Create an ACL of the IPs you want to (or don’t want to) redirect to your WSA.  Redirect only the TCP/UDP services you want sent to the WSA.  If you configure ip/any in the ACL, then all packets get sent over to the WSA, which seems to break ICMP.  Do this through the GUI or from the CLI.  Some http-based apps don’t like this redirection, so putting a ‘deny’ at the top of the ACL works.
  3. Create another ACL listing your IronPort WSAs.  I think these need to be on the same subnet where the WCCP is happening (multicast and all).  I didn’t try putting the WSA on a separate interface of the ASA, nor did I try it with multicast routing enabled between them.
  4. Configure the redirection, and which interfaces the ASA listens on for WCCP.  In the GUI, Device Management | Advanced | WCCP.  Create a Service Redirection first; this binds which IPs get sent to which WSAs.  Leave it on Web Cache for the simplest configuration.  I tried setting a password but that seemed to break WCCP (see notes below).  The ‘redirection’ binds which interface the ASA listens for WCCP on.
  5. Lastly, don’t forget to set up ACLs so your WSAs can access the internet.
  6. Configuring the WSA end of things is straightforward.  Following the instructions from the help menu is about all you need.

Notes:

  • So far, I’ve only worked with the WSA 6.3.x code tree.
  • About policy matching:  Identity Policy matches first.  Whether it’s IP or authentication based, first rule wins.  Take the Identity Policy that won and match it to the first Access Policy.  Then applications, URL categories, objects, etc.
  • As of ASA code 8.2.1, WCCP load balancing is only hash-based.  There’s no way to change it to (subnet) mask balancing.  if you need mask balancing, use an IOS-based device for now.
  • As of ASA code 8.2.1, any time you apply policy on the WSA (update access lists, identities, anything at all, really) you need to re-apply the service group (step 4): delete the service redirection and apply, then create it again and apply.
  • The redirection password may be an issue with re-applying WSA policies.  We’re in production now so I haven’t taken it down to play.
  • If you use a ‘warning’ page for suspect URL categories (streaming media, social networking, etc.) and you have hash-based load balancing, the users will get warned once by each WSA you have load balanced.
  • At this time, there’s no central management for multiple WSAs.  If you change policy on one WSA, you need to apply it to the other manually.
Categories : geek

math joke

2010.01.11

from a comment buried in a slashdot (people still read slashdot?) thread

As part of a psychological experiment, two single men, a physicist and a mathematician, were placed in an otherwise empty room with a beautiful naked woman at the far end.

They were instructed that they’d be allowed to close half the distance to the woman every 10 minutes. Disgusted at the obvious subterfuge, the mathematician walked away in disgust. But the physicist stayed behind, occasionally glancing at his watch.

The experimenters looked puzzled, then asked the physicist, “You do realize, of course, that mathematically speaking, you can never actually reach the woman?”

“Naturally”, replied the physicist, looking up. “But I can sure get close enough for all practical purposes!”

Categories : fun  geek

Nick vs Pre

2009.12.04

Amanda and I migrated to Sprint over the weekend and picked up a couple of Palm Pre handsets.

Sprint’s service has been fine so far, we’ll see if there’s any billing or customer service fiascoes to deal with over time.

Good parts about the Pre:

  • Compact hardware
  • Slick OS
  • Screen
  • WiFi
  • Google integration (contacts, address book, mail, maps, chat, etc)
  • GPS
  • Synergy
  • Homebrew Community – there’s an active homebrew app/tweak development community with a few good repositories of such stuff.  I wonder how much of the official App Catalog’s efforts are being thwarted by the increasingly popular homebrew stuff.  In all seriousness, is it that tough to get software approved for proper distribution?
  • ‘developer mode’ easter egg of searching for upupdowndownleftrightleftrightbastart
  • Browser – The Webkit browser is pretty quick at rendering webpages.  It handles zooming, panning, and scrolling nicely
  • Touchstone charger – although kinda pricey, inductive charging base is pretty sweet.

Bad Parts:

  • Battery life – some of this can be mitigated by changing data sync settings, screen timeout settings, and GPS settings
  • Select/Copy/Paste – Gestures for managing these are a bit cumbersome
  • It can be a bit slow.  For example, I have about 300 well-populated contacts, and the address book can take a few seconds to come up.
  • Smallish keyboard takes some getting used to.  The ‘alt’ key is annoyingly close to the / key, which is the alternate for q (typing URLs is a pain.)

What I miss and might come later:

  • having both a ‘d-pad’ and touchscreen like previous Palm devices.  Makes it easier when you have to move one character over.  🙂
  • Screen brightness control – homebrew to the rescue for now though
  • on-screen keyboard – this one can be done with homebrew apps but nothing official yet
  • ability to remove some of the carrier-provided default applications

Essential Official Apps:

  • TweeFree – Twitter client that’s fast
  • Pandora – music genome project, 40 hours/month of free music
  • Facebook – Faster than the mobile site but less featured
  • Yelp – Location-based business reviews (restaurants, stores, etc).  I wish you could update/post from it though.

Essential Homebrew Apps:

  • Preware – Framework for installing homebrew apps
  • drPodder / PrePod – Podcast client which supports downloads for offline listening
  • Battery Icon and Percent
  • Brightness in Device Menu – saving battery
  • Calendar Month View Default
  • Call Duration in Call Log
  • Char Count in Messaging – Finding out when you’re close to 160 characters
  • GPS in Device Menu – Easier access to turning off the radio, saving battery
  • Just Charge by Default
Categories : geek  mobile  reviews

Machinarium

2009.10.26

Amanda’s been playing Machinarium.  The music is awesome and peaceful.  It has to be, since it can be a pretty nerve-wracking puzzle game.  I only played the free demo through Steam though.

Turns out, all the music is MP3s and they’re in the game’s install folder!  There’s a sub-folder called 11 that has a bunch of .001 files.

They’re MP3s!  Copy them somewhere, rename them to .mp3 and play them in your favorite MP3 player.  I’ve tried them in Winamp, WMP, and VLC.

Of course, you could support the artist.

Categories : fun  geek

The 4th

2009.08.22

We spent the 4th with Joe, Christine, and others, followed by Clawson’s fireworks.

Categories : events  fun  geek

MPCon and GOF Part Ways

2009.05.08

Because of ideological and fundamental differences between the MPCon Staff and Gamer’s Outreach Foundation, we have decided to go our separate ways.

MPCon will not be concentrating on fundraising or growth. We are returning to having events that are stable, consistent, easy to run, and most importantly, fun.

Categories : about  fun  geek

9-Layer OSI Model

2009.05.08

Yes.  I can’t find a higher-res version though.  It seems you can get it on a shirt.  Here is another version, a picture of the t-shirt.

thanks fulbert

Categories : fun  geek

MPCon 24!

2009.04.22

MPCon!

Our staff is busy planning the next MPCon and subsequent events.  We’re putting processes and documentation in place to make this event better and smoother than ever before.

  • July 24-26 2009
  • EMU Student Center
  • 320 people
  • some tournaments yet to be announced
  • you should go

I’m excited. 🙂

Categories : events  geek