Hi it's Christmas again....so..
Christmas is the time to rejoice in the glories of Christ's birth and celebrate all the blessings of the Holy Spirit with your friends/family/acquaintances/near and dear ones.
Reach out to them on this joyous occasion with our warm and beautiful Christmas Religious Blessings ecards or whatever and wish them a blessed and fun-filled Christmas season.
God Bless You, Rejoice 'N Be Merry !
Friday, December 12, 2008
Sunday, November 9, 2008
de boys at concert
Thursday, October 9, 2008
Secure your network
With the average security breach costing companies millions of dollars, it is imperative to understand how to properly deploy, configure, and support your firewall infrastructure.
The goal is to enable the Security Administrator to maintain day-to-day operation of Check Point security solutions and ensure secure access to information across the network.
Other proficiencies include creating and installing security policies, using logging and reporting features, and managing anti-spoofing and Network Address Translation (NAT).
Check Point NGX training will help you:
Understand the basic concepts and skills necessary to configure VPN-1 NGX, so that an administrator can configure a Security Policy and manage a firewalled network.
Create rules and modify a Security Policy's properties.
Use monitoring tools to track, monitor, and account for all connections logged by Check Point components.
SmartView Tracker
Check Point products provide you with the ability to collect comprehensive information on your network activity in the form of logs. You can then audit these logs at any given time, analyze your traffic patterns and troubleshoot networking and security issues.
Administrators can use SmartView Tracker in order to ensure their products are operating properly, troubleshoot system and security issues, gather information for legal or audit purposes, and generate reports to analyze network traffic patterns. In the case of an attack or other suspicious network activity, administrators can use SmartView Tracker to temporarily or permanently terminate connections from specific IP addresses.
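The log review described above, as an added example that is neither Check Point's code nor part of the original post: it runs over constructed records in a simplified key=value layout (not the real SmartView Tracker export format), ranks sources by dropped connections to produce block candidates, and applies the anti-spoofing sanity check that no inbound packet on the Internet-facing interface may carry an internal source address. The interface names and the 192.0.2.0/24 internal range are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample records in a simplified key=value layout; this is NOT the
# real SmartView Tracker export format, only enough fields to show the checks.
SAMPLE_LOG = """\
time=10:01:02 action=drop   src=203.0.113.9   dst=192.0.2.10    service=22   rule=0 iface=eth0 dir=inbound
time=10:01:03 action=drop   src=203.0.113.9   dst=192.0.2.10    service=23   rule=0 iface=eth0 dir=inbound
time=10:01:04 action=drop   src=203.0.113.9   dst=192.0.2.10    service=3389 rule=0 iface=eth0 dir=inbound
time=10:01:05 action=drop   src=203.0.113.9   dst=192.0.2.11    service=445  rule=0 iface=eth0 dir=inbound
time=10:01:06 action=accept src=198.51.100.4  dst=192.0.2.10    service=443  rule=3 iface=eth0 dir=inbound
time=10:01:07 action=drop   src=198.51.100.4  dst=192.0.2.10    service=80   rule=0 iface=eth0 dir=inbound
time=10:01:08 action=accept src=192.0.2.55    dst=198.51.100.20 service=53   rule=5 iface=eth1 dir=outbound
time=10:01:09 action=accept src=192.0.2.200   dst=192.0.2.10    service=445  rule=4 iface=eth0 dir=inbound
"""

# Assumed topology: eth0 faces the Internet, eth1 faces the internal network.
EXTERNAL_IFACE = "eth0"
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_records(text):
    """Turn each non-empty line into a dict of key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(tok.split("=", 1) for tok in line.split()))
    return records


def dropped_sources(records, threshold):
    """Sources with at least `threshold` dropped connections, busiest first.
    These are the candidates for the 'terminate connections from specific IP
    addresses' step, after confirming the source is not a misconfigured
    internal host or a partner whose rule is simply missing."""
    drops = Counter(r["src"] for r in records if r["action"] == "drop")
    return [(src, n) for src, n in drops.most_common() if n >= threshold]


def spoofed_inbound(records):
    """Anti-spoofing check: an inbound packet on the external interface whose
    source claims to be one of our internal networks cannot be legitimate.
    A correctly configured anti-spoofing policy drops these; if any appear as
    'accept', the interface topology on the gateway object is wrong."""
    hits = []
    for r in records:
        if r["iface"] != EXTERNAL_IFACE or r["dir"] != "inbound":
            continue
        src = ipaddress.ip_address(r["src"])
        if any(src in net for net in INTERNAL_NETS):
            hits.append((r["time"], r["src"], r["action"]))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("block candidates:", dropped_sources(recs, threshold=3))
    print("spoofed inbound:", spoofed_inbound(recs))
```

On the sample, 203.0.113.9 is the only source over the threshold, and the accepted inbound packet from 192.0.2.200 on eth0 is the finding that matters most: it indicates anti-spoofing is not enforcing the declared topology.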
Tuesday, October 7, 2008
Kids explorers, coloring pages
by a ministry of Eden Communications
Hey, I found this on the web and it could be a good guide for our kids. Enjoy it!
http://www.christiananswers.net/kids/clr-indx.html
Saturday, September 27, 2008
Trouble eating
Picky eaters can develop problems in growth and development, including social and academic performance.
MOST mothers will agree that it is nerve-wracking when their child refuses to eat or is extremely fussy about food. Besides normal weight gain, meeting the nutritional needs of the child is the other main concern.
After one year, a child may also develop some picky eating because that is when they achieve autonomy and acquire new habits and abilities, and hence become less interested in food, said Dr Fisberg, adding that weight gain may slow down at that time too.
Generally, when should parents be concerned that their child is having a picky eating problem?
“Usually one month is enough to rule out other possibilities such as medical problems and to see if the picky eating problem is serious,” said Dr Fisberg, who also anchors a television programme called Body Sciences on University TV in Sao Paulo.
Positive reinforcement
Tips to cultivate healthy eating habits:
1. Avoid distractions during mealtime.
2. Adopt a neutral attitude – do not pressure a child to eat.
3. Encourage appetite by limiting snacks and balancing food portions.
4. Limit duration of meal time.
5. Provide age-appropriate foods.
6. Introduce new foods to a child gradually and regularly.
7. Encourage children to eat independently – do not spoonfeed a child who is old enough to use utensils.
8. Allow children to make a mess when they eat.
Parenting - taken from Thestar
Handling conflict
CHILDWISE:By RUTH LIEW
How to stop your child from taking advantage of you.
I USED to be a kindergarten teacher. My daughter attended the same kindergarten when she was three. I taught there for six years. Now my daughter is seven years old. I have to deal with her difficult behaviour since her brother was born.
Lately I find that she is taking advantage of me. She refuses to do things on her own. She would seek my help in everything, even in dressing herself or tidying her bedroom.
My son has since grown to be independent. He is able to bathe himself without my help and manage many chores around the house. My daughter is just the opposite; she is dependent and has no initiative.
If I want my daughter to do something, I have to scold her repeatedly or shout at her to get her attention. Most of the time, she does not comply with my wishes. When she does, she would do something different from what I expect.
I stopped working after my son was born. I spend more time with my children than most working mothers. Yet my daughter tells me that I don’t spend enough time with her.
I often find myself in conflict with my daughter. I was a popular kindergarten teacher. Many parents requested that their children be enrolled in my class. I could manage their behaviour very well, but now I cannot handle my own daughter. - Concerned Mother
THE deep concern parents have for their children often leads to parent-child conflicts. In many homes, parents find their children’s behaviour unacceptable because they do not comply with their wishes.
It is a mistaken belief that only parents can change their children’s negative behaviour. It leads to further dissension when parents force their ideas on children without respecting their individual rights. When you believe that your child is not capable of helping herself, she will do exactly that.
Children can learn self-discipline and cooperation without parents dominating or imposing on them.
If you demand that your daughter follow your ways, she will respond with strong opposition because she wants you to recognise and respect her as a person.
I understand your strong desire to be a good parent, the way you were a good teacher. Having such expectations of yourself will cause you to feel guilty when your child does not behave in a certain way.
Consequently, you find yourself doing everything for your child. The more you do, the less your child will be responsible for herself.
Instead of reprimanding her, help her learn the correct behaviour by allowing her to experience the consequences of her actions. Responsibility cannot be learned when your child is not required to experience the consequences of her irresponsibility. For example, if she does not do her chores, she has to forgo privileges like watching television or playing with her dolls.
Highlight her good moments with special attention. She needs to know that she can be good without your fussing or nagging. More importantly, she will know that you notice her capabilities and love her. Being a parent is not just about teaching; it is also about learning. Know your child’s needs and support her well.
MY DAUGHTER who is two and a half, still wets her bed at night. I have already toilet-trained her. Her toilet habits are good during the day, but at night she cannot wake up to use the toilet and ends up wetting the bed. What should I do? - Worried Mother
FOR most children around your daughter’s age, bladder control at night comes last. Through the years, parents have tried different ways of training their children to stay dry at night.
One of the ways is to take the child to the toilet before going to bed. Some will limit water intake before bedtime. Bed-wetting accidents do happen even to young children who are toilet-trained.
If you feel anxious about your daughter’s bed-wetting, keep the diapers on at night until she wakes up with a dry diaper. When this happens, encourage your child to use the toilet before she goes to sleep. Leave a potty in her room where she can easily use it. Be sure there is a night-light on so she can see what she is doing. Always be prepared to help out when necessary.
Toilet-training will take as long as your child needs to succeed. Remember, the ability to use the potty independently is a milestone in your child’s development. If you pressure her to achieve night-time control before she is ready, she may lose her confidence. This may lead to greater difficulty in bladder control.
To help make things easier, you may want to put a rubber sheet under the bedsheets. You may want her to wear clothes that are easy to remove. This will make it hassle-free when she uses the toilet at night.
Avoid confrontation with your child. If she refuses to use the potty on certain nights, do not force her to do so. Your feelings play an important role in getting her to be toilet-trained at night. Stay calm and in control of your response to your child, no matter what happens.
Tuesday, September 23, 2008
Great info on troubleshooting router crashes
When we refer to a "system crash", we mean a situation where the system has detected an unrecoverable error, and has restarted itself.
The errors that cause crashes are typically detected by processor hardware, which automatically branches to special error handling code in the ROM monitor. The ROM monitor identifies the error, prints a message, saves information about the failure, and restarts the system.
Follow the URL link:
http://cisco.dnip.net/en/US/products/hw/iad/ps397/products_tech_note09186a00800b4447.shtml
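An added example, not from the Cisco document linked above: when the ROM monitor restarts the system after an error, the reason it recorded shows up in the "System returned to ROM by ..." line of show version, and the first triage step on a fleet is to separate genuine crashes (bus error, address error, software forced crash) from operator reloads and power cycles. The script below parses that line and pulls out the program counter and faulting address where present. The show version excerpts and hostnames are constructed; the exact wording of the reset reason varies between IOS platforms, so treat the keyword lists as a starting point.

```python
import re

# Constructed excerpts of "show version" output from four routers (hostnames
# assumed). The "System returned to ROM by" wording follows Cisco IOS but is
# not identical on every platform.
SAMPLE_SHOW_VERSION = {
    "rtr-a": "rtr-a uptime is 3 days, 2 hours\n"
             "System returned to ROM by bus error at PC 0x60104A4C, address 0x0\n",
    "rtr-b": "rtr-b uptime is 91 days, 4 hours\n"
             "System returned to ROM by reload\n",
    "rtr-c": "rtr-c uptime is 10 minutes\n"
             "System returned to ROM by power-on\n",
    "rtr-d": "rtr-d uptime is 1 hour, 5 minutes\n"
             "System returned to ROM by error - a Software forced crash, PC 0x606D0A58\n",
}

RESET_RE = re.compile(r"System returned to ROM by (.+)")
PC_RE = re.compile(r"PC 0x([0-9A-Fa-f]+)")
ADDR_RE = re.compile(r"address 0x([0-9A-Fa-f]+)")

# Reasons that mean an unrecoverable error was detected, versus expected resets.
CRASH_KEYWORDS = ("bus error", "address error", "software forced crash", "watchdog")
BENIGN_KEYWORDS = ("reload", "power-on")


def parse_reset_reason(output):
    """Return the recorded reset reason, its classification, and PC/address
    (as integers) when the line carries them; None if the line is absent."""
    m = RESET_RE.search(output)
    if not m:
        return None
    reason = m.group(1).strip()
    low = reason.lower()
    if any(k in low for k in CRASH_KEYWORDS):
        kind = "crash"
    elif any(k in low for k in BENIGN_KEYWORDS):
        kind = "benign"
    else:
        kind = "unknown"          # new wording: look at it by hand, do not guess
    pc = PC_RE.search(reason)
    addr = ADDR_RE.search(reason)
    return {
        "reason": reason,
        "kind": kind,
        "pc": int(pc.group(1), 16) if pc else None,
        "address": int(addr.group(1), 16) if addr else None,
    }


def crashed_devices(outputs):
    """Sorted hostnames whose last reset was a crash rather than a reload or power cycle."""
    names = []
    for name, out in outputs.items():
        info = parse_reset_reason(out)
        if info and info["kind"] == "crash":
            names.append(name)
    return sorted(names)


if __name__ == "__main__":
    for host, text in SAMPLE_SHOW_VERSION.items():
        print(host, parse_reset_reason(text))
    print("crashed:", crashed_devices(SAMPLE_SHOW_VERSION))
```

The PC and address values are what you carry into the crashinfo file and the Cisco tools; a reset classified as "benign" with a short uptime on a device nobody reloaded still deserves a look, since a power problem is not a software crash but is a finding.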
Sunday, September 21, 2008
oil palm tree
During my trip to my hometown recently all i saw on the way to my beloved village was oil palm trees (scientific name - Elaeis guineensis).
Oil palm is a crop that bears both male and female flowers on the same tree, meaning it is monoecious. Each tree produces compact bunches weighing between 10 and 25 kilograms with 1000 to 3000 fruitlets per bunch. Each fruitlet is almost spherical or elongated in shape. Generally the fruitlet is dark purple, almost black, and the colour turns to orange red when ripe. Each fruitlet consists of a hard kernel (seed) inside a shell (endocarp), which is surrounded by the fleshy mesocarp.
A normal oil palm tree will start bearing fruits after 30 months of planting and will continue to be productive for the next 20 to 30 years thus ensuring a consistent supply of oil. Each ripe bunch is commonly known as Fresh Fruit Bunch (FFB).
In our country, the trees planted are mainly the tenera variety, a hybrid between the dura and pisifera. The tenera variety yields about 4 to 5 tonnes of crude palm oil (CPO) per hectare per year and about 1 tonne of palm kernels.
I wish all the best to those who started to plant the trees and hopefully they could get something out of it in 30 months time.
Sunday, August 17, 2008
Discovery channel for perfume.
The ultimate aromas from the ultimate source!
Essential oils, Absolutes, Concretes, Fruit essences, Perfume compositions,
Fruit essences
For soft and alcoholic drinks, pastry products, sugar products and milk foods
Fruit essences are intended for aromatizing non-alcoholic beverages, alcoholic beverages, sweets, chocolates, confectionery and pastry. The Bulgarian State Standard defines fruit essences as highly concentrated solutions. The solvents used in the manufacture of fruit essences are ethyl alcohol and 1,2-propylene glycol.
Perfume compositions
Fragrances for Detergents, Soaps, Perfumery and Cosmetics
Perfume compositions are mixtures of natural aromatic products, synthetic aromatic compounds, diluents and modifiers. The natural and synthetic aromatic compounds are the main carriers of the aroma of each perfume composition, and the diluents and modifiers even out its release.
wild ideas (uwangi - uchuk wang/kebala sa ai in Kenyah language)
I'm going to be completely honest here. This idea is great, but fruity fragrances are difficult to manufacture without using artificial flavors. They're also difficult because most fleshy fruits (strawberries) don't contain the oils that are generally used in fragrances. If you were to go with oranges, the peel can be pressed to make an oil. You could then add this oil to a base (olive oil, canola oil) and have a fragrance. So, consider doing citrusy perfumes like orange, lemon, lime or grapefruit (anything with a peel).
We could use a distillation apparatus to extract the fragrant oils from plants or flowers. You could take leaves from a blueberry plant. There are some lichens that smell like vanilla (you could use those!). You could use rose petals or any flower petal.
If you don't have the patience to play around with distillation apparatuses, you can purchase pure essential oils from a health/hippy store and blend them to make your own unique fragrances. Maybe use a drop of the essential oil and add it to a non-scented base (olive oil or canola oil). You need to use olive/canola oil because you can't just add water. Water and oils don't mix. If you drop essential oils in a container of water, the oils will just stick together in a bubble and they won't mix with the water.
The fragrance is purely manufactured by using chemicals and unless you have open access to esters and chemicals, then you likely won't have success in making fruity smells.
- proposal for kebala sa-ai/uchuk wang/etc fragrance to be extracted - that would be great, and the natural smell is really like Issey Miyake
Tuesday, August 12, 2008
Olympic 2008 Beijing
Michael Phelps celebrating with the American flag on the podium after the 4x100m medley race Sunday. - Reuters
I was watching the Olympics all day long....guess who is my fav...Michael Phelps, a very super talented Olympic swimmer, he is just incredible, a record breaker and a person that really races with passion and determination. He has got 5 gold medals so far, 3 more to go, that is his personal target....wanna keep my eyes on him on how he performs. Good luck Phelps.
Tuesday, August 5, 2008
WCS
Cisco Wireless Control System (WCS) is the industry leading platform for wireless LAN planning, configuration, and management. Cisco WCS provides a powerful foundation that allows IT managers to design, control, and monitor enterprise wireless networks from a centralized location, simplifying operations and reducing the total cost of ownership.
The Cisco WCS is an optional network component that works in conjunction with Cisco Aironet Lightweight Access Points, Cisco wireless LAN controllers and the Cisco Wireless Location Appliance. With Cisco WCS, network administrators have a single solution for RF prediction, policy provisioning, network optimization, troubleshooting, user tracking, security monitoring, and wireless LAN systems management. Robust graphical interfaces make wireless LAN deployment and operations simple and cost-effective. Detailed trending and analysis reports make Cisco WCS vital to ongoing network operations.
Cisco WCS includes tools for wireless LAN planning and design, RF management, location tracking, Intrusion Prevention System (IPS), and wireless LAN systems configuration, monitoring, and management.
Thursday, July 31, 2008
Cisco Aironet Access Points (APs) wifi
Cisco Aironet equipment operates best when you load all the components with the most current version of software. Refer to the Cisco Wireless Software Center (registered customers only) in order to download the latest software and drivers.
How do you upgrade Cisco IOS® on Cisco Aironet APs?
Refer to Working with Software Images for instructions on how to upgrade the Cisco IOS on the AP.
Note: When you upgrade the AP or bridge system software with the archive download-sw command on the CLI, you must use the /force-reload option. If the AP or bridge does not reload the flash memory after the upgrade, the pages in the web-browser interface might not reflect the upgrade. This example shows how to upgrade system software with the archive download-sw command (one line on the CLI):
AP#archive download-sw /force-reload /overwrite tftp://10.0.0.1/image-name
Cisco IOS Software-based APs have a default configuration that includes a username and password combination, both of which are Cisco (case sensitive). After you reset to factory defaults, be ready to give Cisco as both the username and password when either the GUI or the command-line interface (CLI) prompts you.
Use a straight-through cable with nine-pin male to nine-pin female connectors in order to connect the COM1 or COM2 port on your computer to the RS-232 port on the AP. Use a terminal-emulation program on your computer, such as:
Microsoft Windows HyperTerminal
Symantec ProComm
Minicom
Use these port settings:
Speed: 9600 bits per second (bps)
Data bits: 8
Stop bits: 1
Parity: None
Flow Control: Xon/Xoff
Note: If the flow control Xon/Xoff does not work, try using the flow control None.
I have an Aironet 1231 AP. Does Cisco make a 50-foot extension cable so that I can have the AP in one area and the antenna in another?
Yes, the part number of the 50-foot cable is AIR-CAB050LL-R. You can use this cable to connect your AP to the antenna.
How do you check the radio type on autonomous AP?
You can use the show controllers command from the privileged EXEC mode on the AP to get information on the radio type.
Q. I have made some configuration changes to the AP. When I try to save the changes, I get this message on the AP: "Error writing new config file "flash:/config.txt.new" nv_done: unable to open "flash:/config.txt.new" nv_done: unable to open "flash:/private-multiple-fs.new"[OK]". What does the message mean?
A. This error message indicates that there is no space in the Flash to store the new configuration. Try to delete any old crash files that exist. Or, if there is more than one Cisco IOS Software version, delete the one that you do not use. This can free some space on the Flash. Issue the dir flash command in order to determine if there are any old exception crashinfo files that you can delete or old images that are not in use. Issue the write memory command in order to free up space so that you can write the configuration into memory.
Q. How do you set up an IP address on the AP?
A. By default, the AP requests an IP address through DHCP.
However, you can manually set the IP address of the AP. On a Microsoft Windows PC that is connected to the Ethernet segment, from the DOS prompt, issue this command:
arp -s a.b.c.d 00-12-34-56-78-90
Note: The term a.b.c.d represents the IP address that is to be set on the AP, and 00-12-34-56-78-90 is the MAC address. This address appears on the panel on the bottom of the AP.
Issue this command in order to verify the address:
ping a.b.c.d
Note: This procedure does not work if the AP has already been assigned an IP address by another method.
For APs that run VxWorks, you can manually configure the IP address with use of the "express setup" page. Refer to Radio Configuration and Basic Settings for more information.
For APs that run Cisco IOS Software, you can manually configure the IP address via the web interface or through the command-line interface (CLI). Refer to the Assigning an IP Address Using the CLI section of Configuring the Access Point for the First Time.
Q. How do you extend the coverage of the AP?
A. There are several ways to extend the coverage area for an AP. These are the most important methods:
Use APs in repeater mode.
Use a secondary AP in AP mode with nonoverlapping channels.
Change the transmitter power level parameter of the existing AP in order to extend the coverage.
Position the APs optimally.
Refer to WLAN Radio Coverage Area Extension Methods for a complete description of how to implement these methods.
Q. Can you connect two computers together without an AP via wireless interface cards?
A. Yes. From the Aironet Client Utility (ACU), you can configure the clients to run in ad hoc mode. This connection is only a peer-to-peer connection. One PC becomes the parent and controls the connection. The other PCs in ad hoc mode are child stations.
Q. Do you need special hardware to support encryption?
A. The specific hardware model determines the level of encryption for the unit.
341 and 351 models only support 40-bit encryption.
342 and 352 models support both 40- and 128-bit encryption.
All 1100, 1200, and 1300 series models support both 40- and 128-bit encryption.
Q. My access point (AP) accepts and connects to only one client at a time. What could be the reason?
A. One possible reason could be that the max-associations parameter is set to 1 under the service-set identifier (SSID) configuration. Use the max-associations SSID configuration mode command in order to configure the maximum number of associations supported by the radio interface (for the specified SSID). Use the no form of the command in order to reset the parameter to the default value. This default maximum is 255.
Q. How do you save the configuration of the AP?
A. Modifications to the configuration are saved immediately. You can dump the current configuration in a text format from the Setup menu. Then, choose Cisco Services > Manage System Configuration and download the system configuration.
Q. How do I determine the specific frequency or channel that my AP or bridge uses?
A. Use the show controllers dot11Radio0 command in order to show the frequency and channel that the AP or bridge is on. This example output shows where to find the information:
ap#show controllers dot11Radio0
!
interface Dot11Radio0
Radio AIR-AP1242GA, Base Address 0014.1b58.08f
Version 5.80.12
Serial number: GAM09200992
Number of supported simultaneous BSSID on Dot1
Carrier Set: Americas (US )
DFS Required: No
Current Frequency: 2412 MHz Channel 1
Q. At what frequency does an AP communicate?
A. In the United States, IEEE 802.11b APs transmit and receive in one of 11 channels within the 2.4 GHz frequency. The IEEE 802.11a APs transmit and receive in one of eight channels in the 5 GHz frequency. The IEEE 802.11g APs transmit and receive in one of 11 channels within the 2.4 GHz frequency. These are public frequency ranges and are unlicensed by the FCC.
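The channel plan behind two of the answers above (the non-overlapping channels needed for a secondary AP, and the 11 US channels in the 2.4 GHz band) can be checked in a few lines. The Python below is an added example, not Cisco code: it maps 802.11b/g channel numbers to centre frequencies (channel n sits at 2407 + 5n MHz, each channel about 22 MHz wide), picks the mutually non-overlapping set, and parses the Current Frequency line of the show controllers dot11Radio0 output shown earlier. The sample output is constructed.

```python
"""Channel and frequency helpers for the 2.4 GHz 802.11b/g band.

Added example for this page, not Cisco code. It encodes the standard
802.11b/g channel plan (channel n is centred at 2407 + 5*n MHz, channels
1-11 usable in the US, each channel about 22 MHz wide) and parses the
'Current Frequency' line of 'show controllers dot11Radio0'. The sample
output below is constructed, not captured from a real AP.
"""
import re

CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22          # DSSS channel width used by 802.11b/g
US_CHANNELS = range(1, 12)      # the 11 channels the FAQ mentions for the US


def channel_to_freq(channel: int) -> int:
    """Centre frequency in MHz of a 2.4 GHz channel (channel 14 is a special case)."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError(f"not a 2.4 GHz channel: {channel}")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def freq_to_channel(freq_mhz: int) -> int:
    """Inverse of channel_to_freq; rejects frequencies that are not channel centres."""
    if freq_mhz == 2484:
        return 14
    channel, remainder = divmod(freq_mhz - 2407, CHANNEL_SPACING_MHZ)
    if remainder or not 1 <= channel <= 13:
        raise ValueError(f"not a 2.4 GHz channel centre: {freq_mhz} MHz")
    return channel


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(channel_to_freq(a) - channel_to_freq(b)) < CHANNEL_WIDTH_MHZ


def nonoverlapping_channels(channels=US_CHANNELS) -> list:
    """Greedy pick, lowest channel first, of a mutually non-overlapping set."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


# Constructed sample, shaped like the FAQ's 'show controllers dot11Radio0' output
# (the missing space before 'Channel' mirrors the page's extraction; the regex tolerates it).
SAMPLE_OUTPUT = """\
interface Dot11Radio0
Carrier Set: Americas (US )
DFS Required: No
Current Frequency: 2412 MHzChannel 1
"""

FREQ_RE = re.compile(r"Current Frequency:\s*(\d+)\s*MHz\s*Channel\s*(\d+)")


def parse_current_channel(output: str) -> tuple:
    """Return (frequency_mhz, channel) and check that the two agree."""
    m = FREQ_RE.search(output)
    if m is None:
        raise ValueError("no 'Current Frequency' line found")
    freq, channel = int(m.group(1)), int(m.group(2))
    if freq_to_channel(freq) != channel:
        raise ValueError(f"frequency {freq} MHz does not match channel {channel}")
    return freq, channel


if __name__ == "__main__":
    print(parse_current_channel(SAMPLE_OUTPUT))   # (2412, 1)
    print(nonoverlapping_channels())              # [1, 6, 11]
```

Running it shows why a second AP on the same floor is normally placed on channel 1, 6 or 11: any two channels closer than five numbers apart share spectrum, so the 11-channel US plan only yields three that do not overlap.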
Q. How can you recover forgotten passwords?
A. Refer to Password Recovery Procedure for the Cisco Aironet Equipment.
Q. What is a WEP key?
A. WEP stands for Wired Equivalent Privacy. You can use WEP to encrypt and decrypt data signals that transmit between wireless LAN (WLAN) devices. WEP is an optional IEEE 802.11 feature that prevents disclosure and modification of packets in transit and also provides access control for the use of the network. WEP makes a WLAN link as secure as a wired link. As the standard specifies, WEP uses the RC4 algorithm with a 40-bit or 10-bit key. RC4 is a symmetric algorithm because RC4 uses the same key for the encryption and the decryption of data. When WEP is enabled, each radio station has a key. The key is used to scramble the data before transmission of the data through the airwaves. If a station receives a packet that is not scrambled with the appropriate key, the station discards the packet and never delivers such a packet to the host. Refer to Wired Equivalent Privacy (WEP) on Aironet Access Points and Bridges Configuration Example for information on how to configure WEP.
Q. How many service set identifiers (SSIDs) can you have per VLAN?
A. You can have only one SSID per VLAN. The use of multiple SSIDs over a single VLAN is not supported with Aironet APs.
Q. The Cisco Aironet APs in my WLAN network do not broadcast the service set identifiers (SSIDs). What could be the reason? Do I need to enable a particular feature on the AP?
A. As long as you do not enable Guest mode under the SSID Manager, the AP does not broadcast the SSID in its beacons. You can verify with a client and scan for SSIDs in order to make sure it is not listed.
In order to enable guest mode on an SSID, type this command on the AP in global configuration mode:
Ap(config)#dot11 ssid ssid-string
Ap(config-ssid)#guest-mode
Q. Is there a way to schedule a time when the Cisco IOS Software-based AP is available? I want to provide time-based access to clients that connect to the AP.
A. You can configure time-based access control lists (ACLs) with use of time ranges. Time-based ACLs help you to make sure that users are able to access the wireless network within a particular time period, for example, 9:00 a.m. to 5:00 p.m. (0900 to 1700). The use of time-based ACLs does not shut down the AP or radio. Time-based ACLs stop the passing of traffic on the AP so that users cannot access the network. For information on how to configure this feature, refer to the Time-Based ACLs Using Time Ranges section of Configuring IP Access Lists.
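To see how a time-based ACL behaves across the day without a lab AP, the Python below simulates the rule the answer above relies on: an access-list entry whose time-range is inactive is skipped as if it were not in the list, so traffic falls through to later entries or to the implicit deny at the end. This is an added example, not Cisco code. It parses the time-range/periodic and named ip access-list syntax of the constructed SAMPLE_CONFIG; only any and host A.B.C.D sources are handled, periodic accepts weekdays/weekend/daily or a list of day names, and the end time is treated as exclusive, all assumptions of this example.

```python
"""Evaluate a Cisco IOS time-based ACL the way the AP applies it.

Added example for this page, not Cisco code. Assumptions: only 'any' and
'host A.B.C.D' sources are recognised, 'periodic' takes weekdays/weekend/daily
or day names, and the end time of a range is exclusive. SAMPLE_CONFIG is
constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

DAY_NAMES = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
             "friday": 4, "saturday": 5, "sunday": 6}
DAY_GROUPS = {"weekdays": range(0, 5), "weekend": (5, 6), "daily": range(0, 7)}
PERIODIC_RE = re.compile(r"periodic\s+(.+?)\s+(\d{1,2}):(\d{2})\s+to\s+(\d{1,2}):(\d{2})$")


@dataclass
class TimeRange:
    days: frozenset          # weekday numbers, Monday = 0
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() < self.end


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    source: str              # "any" or a host address
    time_range: Optional[str]


def parse_config(text: str):
    """Return ({time-range name: TimeRange}, {acl name: [Ace, ...]})."""
    time_ranges, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if toks[0] == "time-range":
            current = ("tr", toks[1])
        elif toks[:2] == ["ip", "access-list"]:
            current = ("acl", toks[-1])
            acls[toks[-1]] = []
        elif current and current[0] == "tr" and toks[0] == "periodic":
            m = PERIODIC_RE.match(line)
            if m is None:
                raise ValueError(f"unsupported periodic line: {line}")
            days = set()
            for tok in m.group(1).split():
                days.update(DAY_GROUPS.get(tok) or [DAY_NAMES[tok]])
            time_ranges[current[1]] = TimeRange(
                frozenset(days),
                time(int(m.group(2)), int(m.group(3))),
                time(int(m.group(4)), int(m.group(5))))
        elif current and current[0] == "acl" and toks[0] in ("permit", "deny"):
            # "<action> <proto> <src> [<src-args>] <dst> ... [time-range NAME]"
            source = toks[3] if toks[2] == "host" else toks[2]
            tr = toks[toks.index("time-range") + 1] if "time-range" in toks else None
            acls[current[1]].append(Ace(toks[0], source, tr))
    return time_ranges, acls


def evaluate(acls, time_ranges, acl_name: str, src_ip: str, at: datetime) -> str:
    """First matching, active entry decides; otherwise the implicit deny applies."""
    for ace in acls[acl_name]:
        if ace.source not in ("any", src_ip):
            continue
        if ace.time_range and not time_ranges[ace.time_range].active(at):
            continue             # inactive time-range: the entry is ignored
        return ace.action
    return "deny"


# Constructed config: clients may pass only 09:00-17:00 on weekdays.
SAMPLE_CONFIG = """
time-range BUSINESS-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extended CLIENT-HOURS
 permit ip any any time-range BUSINESS-HOURS
"""
TIME_RANGES, ACLS = parse_config(SAMPLE_CONFIG)


def decision(at: datetime, src_ip: str = "10.0.0.50") -> str:
    """What the CLIENT-HOURS list does with a packet from src_ip at time 'at'."""
    return evaluate(ACLS, TIME_RANGES, "CLIENT-HOURS", src_ip, at)


if __name__ == "__main__":
    print(decision(datetime(2008, 7, 9, 10, 0)))   # Wednesday 10:00 -> permit
    print(decision(datetime(2008, 7, 9, 18, 0)))   # Wednesday 18:00 -> deny
```

The point the simulation makes visible is that the off-hours block comes from the implicit deny, not from a deny entry of its own, so a second permit placed after the time-ranged one would quietly reopen the network outside business hours.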
Q. Where are the instructions on how to upgrade Cisco IOS® on Cisco Aironet APs?
A. Refer to Working with Software Images for instructions on how to upgrade the Cisco IOS on the AP.
Note: Use the force-reload option with the archive download-sw command.
Note: When you upgrade the AP or bridge system software by entering the archive download-sw command on the CLI, you must use the force-reload option. If the AP or bridge does not reload the flash memory after the upgrade, the pages in the web-browser interface might not reflect the upgrade. This example shows how to upgrade system software by using the archive download-sw command:
AP#archive download-sw /force-reload /overwrite tftp://10.0.0.1/image-name
Cisco IOS Software-based APs have a default configuration that includes a username and password combination, both of which are Cisco (case sensitive). After you reset to factory defaults, be ready to give Cisco as both the username and password when either the GUI or the command-line interface (CLI) prompts you.
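The factory Cisco/Cisco account just described, together with the earlier answers on WEP, SSID broadcast (guest-mode) and max-associations 1, are all things a reviewer would look for in a running-config. The Python below is an added example, not Cisco code: it parses a constructed autonomous-AP running-config (assuming the usual layout of unindented top-level commands with indented dot11 ssid and interface Dot11RadioN sub-commands) and reports those settings as findings.

```python
"""Audit an autonomous Cisco Aironet running-config for the settings this
FAQ touches: the factory 'Cisco'/'Cisco' username, WEP or no encryption on a
radio, SSIDs broadcast via guest-mode, and max-associations 1.

Added example for this page, not Cisco code. It assumes the autonomous-AP
IOS layout used in the constructed SAMPLE_CONFIG below (top-level commands
unindented, sub-commands indented, '!' between blocks).
"""
import re
from dataclasses import dataclass, field


@dataclass
class ApConfig:
    usernames: list = field(default_factory=list)   # raw 'username ...' lines
    ssids: dict = field(default_factory=dict)       # ssid name -> sub-commands
    radios: dict = field(default_factory=dict)      # Dot11RadioN -> sub-commands


def parse_running_config(text: str) -> ApConfig:
    cfg, current = ApConfig(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if not raw[0].isspace():                     # top-level command
            current = None
            toks = raw.split()
            if toks[0] == "username":
                cfg.usernames.append(raw)
            elif toks[:2] == ["dot11", "ssid"]:
                current = cfg.ssids.setdefault(toks[2], [])
            elif toks[0] == "interface" and toks[1].startswith("Dot11Radio"):
                current = cfg.radios.setdefault(toks[1], [])
        elif current is not None:
            current.append(raw.strip())
    return cfg


def audit(cfg: ApConfig) -> list:
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    for line in cfg.usernames:
        toks = line.split()
        if toks[1] == "Cisco" and "password" in toks:
            rest = toks[toks.index("password") + 1:]
            # 'password 0 Cisco' (type 0 = plaintext) or 'password Cisco'
            if rest[-1] == "Cisco" and (len(rest) == 1 or rest[0] == "0"):
                findings.append(("default-credentials",
                                 "factory username/password Cisco/Cisco still configured"))
    for name, sub in cfg.ssids.items():
        if "guest-mode" in sub:
            findings.append(("ssid-broadcast",
                             f"SSID {name} is broadcast in beacons (guest-mode)"))
        for cmd in sub:
            if cmd.startswith("max-associations ") and int(cmd.split()[1]) == 1:
                findings.append(("single-association",
                                 f"SSID {name} allows only one client at a time"))
    for radio, sub in cfg.radios.items():
        enc = [cmd for cmd in sub if cmd.startswith("encryption")]
        if not enc:
            findings.append(("no-encryption", f"{radio} has no encryption configured"))
        elif any(re.match(r"encryption( vlan \d+)? mode wep", cmd) for cmd in enc):
            findings.append(("wep", f"{radio} uses WEP (deprecated cipher)"))
    return findings


# Constructed running-config exhibiting every condition the audit looks for.
SAMPLE_CONFIG = """\
hostname ap
!
username Cisco privilege 15 password 0 Cisco
!
dot11 ssid corp
   authentication open
   max-associations 1
!
dot11 ssid guest
   authentication open
   guest-mode
!
interface Dot11Radio0
 encryption mode wep mandatory
 ssid corp
 ssid guest
!
interface Dot11Radio1
 ssid corp
!
"""


def finding_codes(text: str = SAMPLE_CONFIG) -> set:
    """Set of finding codes for a running-config text."""
    return {code for code, _ in audit(parse_running_config(text))}


if __name__ == "__main__":
    for code, message in audit(parse_running_config(SAMPLE_CONFIG)):
        print(f"{code:20} {message}")
```

Feed it the output of show running-config saved to a file; a clean config (non-default local user, encryption mode ciphers on each radio, no guest-mode on SSIDs that should stay unadvertised) produces no findings. Whether an SSID is broadcast is reported for information only, since hiding an SSID is not an access control.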
Use a straight-through cable with nine-pin male to nine-pin female connectors in order to connect the COM1 or COM2 port on your computer to the RS-232 port on the AP. Use a terminal-emulation program on your computer, such as:
Microsoft Windows HyperTerminal
Symantec ProComm
Minicom
Use these port settings:
Speed: 9600 bits per second (bps)
Data bits: 8
Stop bits: 1
Parity: None
Flow Control: Xon/Xoff
Note: If the flow control Xon/Xoff does not work, try using the flow control None.
Q. I have an Aironet 1231 AP. Does Cisco make a 50-foot extension cable so that I can have the AP in one area and the antenna in another?
A. Yes, the part number of the 50-foot cable is AIR-CAB050LL-R. You can use this cable to connect your AP to the antenna.
Q. How do you check the radio type on an autonomous AP?
A. You can use the show controllers command from the privileged EXEC mode on the AP to get information on the radio type.
Q. I have made some configuration changes to the AP. When I try to save the changes, I get this message on the AP: "Error writing new config file "flash:/config.txt.new" nv_done: unable to open "flash:/config.txt.new" nv_done: unable to open "flash:/private-multiple-fs.new"[OK]". What does the message mean?
A. This error message indicates that there is no space in the Flash to store the new configuration. Delete any old crash files that exist, or, if more than one Cisco IOS Software version is stored, delete the one that you do not use; this frees space on the Flash. Issue the dir flash command in order to determine whether there are any old exception crashinfo files that you can delete or old images that are not in use. After you have freed space, issue the write memory command to write the configuration into memory.
Tuesday, July 29, 2008
Tuesday, July 8, 2008
Selecting a Weight Loss Program
I was checking on my BMI (body mass index) today and the figure is ~22.2; that's normal according to the figure provided in the table.
Check It Out Before You Sign Up For Any Weight Loss Program
Some people lose weight on their own; others like the support of a structured program. Overweight people who are successful at losing weight, and keeping it off, can reduce their risk factors for heart disease. If you decide to join any kind of weight control program, here are some questions to ask before you join.
Does the program provide counseling to help you change your eating, activity, and personal habits?
The program should teach you how to change permanently those eating habits and lifestyle factors, such as lack of physical activity that have contributed to weight gain.
Is the staff made up of a variety of qualified counselors and health professionals such as nutritionists, registered dietitians, doctors, nurses, psychologists, and exercise physiologists?
You need to be evaluated by a physician if you have any health problems, are currently taking any medicine, or plan on taking any medicine, or plan to lose more than 15 to 20 pounds. If your weight control plan uses a very low-calorie diet (a special liquid formula that replaces all food for 1 to 4 months), an exam and follow up visits by a doctor are also needed.
Is training available on how to deal with times when you may feel stressed and slip back to old habits?
The program should provide long-term strategies to deal with weight problems you may have in the future. These strategies might include things like setting up a support system and establishing a physical activity routine.
Is attention paid to keeping the weight off? How long is this phase?
Choose a program that teaches skills and techniques to make permanent changes in eating habits and levels of physical activity to prevent weight gain.
Are food choices flexible and suitable? Are weight goals set by the client and the health professional?
The program should consider your food likes and dislikes and your lifestyle when your weight loss goals are planned.
There are other questions you can ask about how well a program works. Because many programs don't gather this information, you may not get answers. But it's still important to ask them:
What percentage of people complete the program?
What is the average weight loss among people who finish the program?
What percentage of people have problems or side effects? What are they?
Are there fees or costs for additional items, such as dietary supplements?
Remember, quick weight loss methods don't provide lasting results. Weight loss methods that rely on diet aids like drinks, prepackaged foods, or diet pills don't work in the long run. Whether you lose weight on your own or with a group, remember that the most important changes are long term. No matter how much weight you have to lose, modest goals and a slow course will increase your chances of both losing the weight and keeping it off.
Good luck to those who are looking forward to this program.
Friday, July 4, 2008
NetWatch from Fluke Networks
This tool has been introduced to replace MRTG but has not been so popular till now; not sure if anyone has access to use it. Most of the incoming and outgoing traffic can be monitored from here, and this could possibly be a very handy network tool for our daily traffic or bandwidth utilization and usage verification job. Wanna explore more on this tool. Please check it out!
http://www.flukenetworks.com
Monday, June 23, 2008
Clouds 9 oh no...
Wanna know when this so-called bored episode will be ending? Gotta tell my God I am having enough of this complicated life - I need to be set free from all these super hot situations, do or die. God, here am I; I can't take this anymore, it is completely hard for me.
I should take a rest, maybe make a trip to some isolated places/part of this world, and just enjoy the holiday. Playing with my kids is a good idea, as they always ask me a few amazing questions which I sometimes can't answer correctly.
I am planning a trip to my hometown very soon, so I may need to spend a few days at my favorite places and eat my favorite foods....huh.......God will make a way.
Wednesday, June 11, 2008
OSPF config for the NERD
Before you start configuring OSPF, IP routing must be enabled on the router with the ip routing command.
Now from the global configuration prompt type:
# router ospf processID
The Autonomous System number for the OSPF network is 15615. Use this number for the processID. This will create an OSPF routing process on the router. It will also give you a new prompt, the router configuration prompt:
routername(config-router)#
You now need to tell the router which networks it should advertise routes for. This is done with the command
network network_address wildcard_mask area areaID
network_address is the IP address for the network you wish to add. The wildcard_mask is similar to the reverse of the subnet mask. For our purposes where we are using network addresses like 156.156.subnet.host we can use a wildcard_mask of 0.0.0.255
For example:
ospf4(config-router)#network 156.156.32.0 0.0.0.255 area 0
Would tell the router to advertise the network 156.156.32.0 and place the interfaces in it in area 0. OSPF can be divided into multiple areas, each of which must be connected to the backbone area, area 0. Since we are configuring just four routers to use OSPF we will place them all in the backbone area and thus assign them all to area 0. You should use the network command for each of the networks that the router is connected to and that is a part of the OSPF network.
Unless this router is the exit router it will not know how to get to locations outside of the AS. In order to reach these destinations we need to give the router a default route over which the router will send packets that it does not have a route for in the routing table. Type exit to return to global configuration mode. We will now add a static route to the routing table using the command
ip route prefix mask address
where prefix is the address of the network you are creating a route for, mask is the mask for this network, and address is the IP address of the next-hop interface you are routing the packets to. For all of the OSPF routers except the exit router (the one connected to the core), use the following command to create the default route.
ospf3(config)# ip route 0.0.0.0 0.0.0.0 156.156.26.2
You have now completed a basic configuration of OSPF on the router!
There are many more configuration options available to you, such as modifying the metrics for each of the interfaces, adjusting the timers and delays for when updates are sent, routes are declared invalid, etc.
You can also turn on or off various features such as authentication and split-horizon. To find out more about other commands just type a question mark at the router configuration prompt or read the references listed at the end of the page.
It would be a good idea to save your configuration! To do this type the following at the privileged mode prompt:
write
This will save the currently running configuration to the NVRAM. If the router gets rebooted for some reason ( it shouldn't happen, but it could!) it will use the configuration that is stored in the NVRAM. So save often!
You can view the currently running configuration by typing:
write terminal
This will print the configuration to the screen, but it will not save it.
To verify OSPF, use the following commands:
# show ip route ospf processID
# show ip route network
# show ip ospf ?
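The network statement above selects interfaces by wildcard mask rather than by subnet mask, which is where most first-time OSPF configurations go wrong. The Python below is an added example, not Cisco code: it derives a wildcard from a subnet mask, tests an interface address against a network statement bit for bit, and lists which interfaces a set of statements would enable OSPF on. The interface addresses are constructed from the page's 156.156.x.y scheme, and the rule that the most specific matching statement wins is an assumption of this example.

```python
"""Work out which interfaces an OSPF 'network' statement covers.

Added example for this page, not Cisco code. Interface addresses are
constructed from the page's 156.156.x.y scheme; most-specific-statement-wins
is an assumption of this example.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: a wildcard is the bitwise inverse of a mask."""
    return str(ipaddress.IPv4Address(_to_int(mask) ^ ALL_ONES))


def statement_matches(network: str, wildcard: str, interface_ip: str) -> bool:
    """Bits that are 0 in the wildcard must match; bits that are 1 are ignored."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(network) & care) == (_to_int(interface_ip) & care)


def ospf_interfaces(statements, interfaces) -> dict:
    """statements: [(network, wildcard, area)]; interfaces: {name: ip}.
    Returns {name: area} for every interface OSPF would run on."""
    def specificity(stmt):
        # more zero bits in the wildcard = more specific statement
        return bin(_to_int(stmt[1]) ^ ALL_ONES).count("1")

    ordered = sorted(statements, key=specificity, reverse=True)
    result = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in ordered:
            if statement_matches(network, wildcard, ip):
                result[name] = area
                break
    return result


# Constructed lab router: two LAN interfaces and the link toward the exit router.
INTERFACES = {
    "FastEthernet0/0": "156.156.32.1",
    "FastEthernet0/1": "156.156.33.1",
    "Serial0/0": "156.156.26.1",
}
# The two network statements the page's procedure would produce for those LANs.
STATEMENTS = [
    ("156.156.32.0", "0.0.0.255", 0),
    ("156.156.33.0", "0.0.0.255", 0),
]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))          # 0.0.0.255
    print(ospf_interfaces(STATEMENTS, INTERFACES))
    # {'FastEthernet0/0': 0, 'FastEthernet0/1': 0}
```

Serial0/0 is left out because no statement covers 156.156.26.0, which is exactly the case where the static default route in the procedure is needed; adding a statement such as 156.156.26.0 0.0.0.255 area 0 would instead bring that link into OSPF.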
eat and sleep MPLS
Multiprotocol Label Switching (MPLS) is a standards-approved technology for speeding up network traffic flow and making it easier to manage.
MPLS involves setting up a specific path for a given sequence of packets, identified by a label put in each packet, thus saving the time needed for a router to look up the address to the next node to forward the packet to.
MPLS is called multiprotocol because it works with the Internet Protocol (IP), Asynchronous Transfer Mode (ATM), and frame relay network protocols. With reference to the standard model for a network (the Open Systems Interconnection, or OSI model), MPLS allows most packets to be forwarded at the layer 2 (switching) level rather than at the layer 3 (routing) level. In addition to moving traffic faster overall, MPLS makes it easy to manage a network for quality of service (QoS). For these reasons, the technique is expected to be readily adopted as networks begin to carry more and different mixtures of traffic.
# show ip protocols - verify that the routing protocol runs
# show ip route - ensure that the protocol routes for the MPLS network and all neighbors are present
# show ip cef summary - verify CEF switching
# show ip cef - verify CEF status
# show mpls interfaces - ensure that MPLS is globally enabled; this command also verifies that a Label Distribution Protocol (LDP) runs on the requested interfaces
# ping 10.10.10.6 - ping the neighbor
# show tag-switching tdp discovery - verify label distribution
MPLS technology is key to scalable virtual private networks (VPNs) and end-to-end quality of service (QoS), enabling efficient utilization of existing networks to meet future growth and rapid fault correction of link and node failure. The technology also helps deliver highly scalable, differentiated end-to-end IP services with simpler configuration, management, and provisioning for both Internet providers and subscribers.
Tuesday, June 3, 2008
Wah majan ale ne nta nyurat blog
Sibuk ale teka e' minggu ji oyan ke petenup tai kerja alem ji, kado ale kerja da nta lepe lepa. Projek kah e ngan kia, change request chen BP, T/Ticket ngan kado ale pe teka inu da' pelempe' ilu singket tau. but God reminds me everyday even when i'm too busy with my daily routine.
Kumin se' shift pattern minggu ji? maan ale teka' handle kelunan kenta' ilu alo', kina', de' saleng didai ngan kado' pe de ca la-a. Here comes June, time flies, and i am still right here, c'mon move on..
The PC1 and PS3 project is still in progress; my kids are on school holiday now, they are real cool and sometimes very cool to us.
God give me the strength to move on...i am too tired !
Wednesday, May 28, 2008
Rapture ready?
I could make a list of things that we can do as Christians to serve Jesus, but all that ends up being is a list from which to reference different things to choose from. Is that what we need to do to serve God? Eeny meeny miny mo------ this is the area of service to which I will go. That's a bit pragmatic, don't you think? We all have gifts, which oddly enough tend to be cultivated in the lives we live as children of wrath before we repent of our sins and turn to God. Not always, but often.
I am convinced He is using me in these last days before the Rapture to try to plant a seed of hope and curiosity about Him in the hearts of those I meet.
I think that is what it has all come down to. You don’t have to shout from a mountain-top to be heard. You don’t have to put up bill-boards and run full-page ads in the newspaper to make a point. You can just sit down with some of the other regular shmoes you meet each day and tell them about how God is working in your life. What better occupation in which to be engaging when He comes to call you home?
I always ask and talk to someone about the rapture.
He thinks I’m obsessed and probably a little nuts for believing in “the whole Jesus thing”. They smile, not condescendingly, really—patiently, I guess, when I remind them that when the time comes and I disappear they are NOT to take the mark of the beast, just give in and be one of the 144,000 witnesses and accept Christ right away. They think they know better. But if the Rapture happens before I die, and they are there to witness it, all the things I’ve told them will come back and, hopefully, they’ll finally believe—I pray daily that the Rapture will happen while we are in the same room so there can be no doubt.
All this may not seem like much, but I can at least plant the seeds. So can we all—with a friend, an acquaintance, a relative who is not a believer. Who knows who you might be preparing for the Kingdom just by telling them you prayed for them? And my motto has become, “When there’s a delay—it’s time to pray.” Talk about passing the time in traffic! There’s always an endless list of people who need prayer, including me.
I’ll never make a huge impact on the world. But I hope that when I finally get to meet my Father and look Him in the eye I won’t be completely ashamed of my efforts. I want Him to place His hand on my head and smile and tell me I did alright—that I didn’t disappoint Him as I fear that I do. And then I want Him to smile on my husband as he comes marching proudly through the pearly gates and I get to tell him, one last time, “I told you so.” by someone_else
Tuesday, May 13, 2008
NAT
Takeaway: Network address translation (NAT) has become one of the key components of today's corporate networks attached to the Internet. See how to set up and manage NAT using the Cisco Internetwork operating system.
Network address translation (NAT) is one of those rare information technology buzzwords that does exactly what its name implies. In this case, it translates one network address into another network address. The most popular use for NAT is to connect an internal network to the Internet. The proliferation of hosts that now connect to the Internet is causing a shortage of IP addresses, so NAT is a key tool for connecting corporate networks using private IP addresses to the Internet. Since Cisco provides the bulk of the routers that connect to the Internet, we're going to show you how to set up NAT using the Cisco Internetwork Operating System (IOS).
Understanding NAT
Using NAT to connect to the Internet allows you to:
·Use only one public, registered IP address for Internet access for many thousands of private IP addresses at your site.
·Change Internet service providers (ISPs) easily, without readdressing the majority of hosts on your network.
·Hide the identity of hosts on your local network behind the single public IP address to keep outside hosts from easily targeting them.
The most difficult part of using NAT in the Cisco IOS is getting a handle on these four key terms:
·Inside Local—This is the local IP address of the private host on your network (i.e., your PC’s IP address).
·Inside Global—This is the public, legal, registered IP address that the outside network sees as the IP address of your local host.
·Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.
·Outside Global—This is the public, legal, registered IP address of the remote host (i.e., the IP address of the remote Web server that your PC is connecting to).
Figure A
My first reaction after reading Cisco’s definitions for these terms was nearly total confusion, so don’t feel bad if you feel the same thing. But after seeing a diagram of these terms, it started to click for me. Take a look at Figure A for a logical diagram of these terms.
Figure B
·Configure your pool of legal, public IP addresses that the router can use to represent your local addresses on the Internet. This pool can contain as few as one or as many addresses as you would like to provide. For a small to medium-size network, one address is typically fine. The syntax is:
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
·Define an access-list to specify what range of IP addresses is allowed to be translated from your local network to the remote network. This is, basically, a security feature asking you, “Who (what range of IP addresses) can use the NAT service?” The syntax is:
access-list access-list-number permit source [source-wildcard]
·Specify that you want a dynamic translation from the source IP address to the pool and that you want to overload the pool address (or addresses). The syntax is:
ip nat inside source list access-list-number pool name overload
·Specify which of the router’s interfaces will be the “inside” address. The syntax for the Ethernet 0 interface is:
int en0
ip nat inside
·Specify which of the router’s interfaces will be the “outside” address. The syntax for the Serial 0 interface is:
int s0
ip nat outside
·Add a static route to your router to send any traffic not destined for your local network to the Internet interface. (In our case, I will use a default route to send traffic out the serial interface.) Here’s the syntax:
ip route 0.0.0.0 0.0.0.0 serial0
Configuring NAT
To configure the standard NAT scenario I mentioned in the opening paragraph, refer to Figure B and then look at the simple steps that need to be taken if you are using a Cisco router between your local network and the Internet.
Listing A shows the resulting configuration for the router. One way to examine this on your router would be to issue the command show run.
Listing A
int en0
! This is the Ethernet 0 interface on the Router- attached to the local network
ip address 10.10.10.10 255.0.0.0
ip nat inside
int s0
! This is the Serial 0 interface on the Router- attached to the Internet
ip address 11.11.11.254 255.255.255.128
ip nat outside
ip nat pool mypool 11.11.11.1 11.11.11.127 netmask 255.255.255.128
! Above is the pool of real Internet addresses which will be overloaded
access-list 1 permit 10.0.0.0 0.255.255.255
! Above is the access list which controls which hosts on the local network can use the NAT service
ip nat inside source list 1 pool mypool overload
! Above is the command that ties all the other configuration together: it tells the router to translate
ip route 0.0.0.0 0.0.0.0 serial0
! The default route to the Internet
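As an added illustration (not part of the article and not Cisco code), the Python below models what Listing A configures: the wildcard match of access-list 1, the overload (PAT) mapping from inside-local addresses to the single inside-global pool address, and the reverse lookup that lets replies back in while unsolicited inbound packets are dropped. The PC and web-server addresses used in demo() are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Addresses below come from Listing A on this page; the translator itself is an
# added illustration, not code from Cisco IOS.
POOL_ADDRESS = ipaddress.IPv4Address("11.11.11.1")        # first address of "mypool"
ACL_NETWORK = ipaddress.IPv4Address("10.0.0.0")           # access-list 1 permit 10.0.0.0 ...
ACL_WILDCARD = ipaddress.IPv4Address("0.255.255.255")     # ... 0.255.255.255

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def acl_permits(src_ip: str, network=ACL_NETWORK, wildcard=ACL_WILDCARD) -> bool:
    """Cisco wildcard-mask match: a 0 bit in the wildcard means that bit must match."""
    care = ~int(wildcard) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (int(network) & care)


@dataclass
class NatOverload:
    """Models 'ip nat inside source list 1 pool mypool overload' (PAT).

    Every inside-local (ip, port) pair is mapped to the one inside-global
    address with a unique port; the reverse map lets replies find the host.
    """
    inside_global: str = str(POOL_ADDRESS)
    next_port: int = 1024
    out_table: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (local ip, port) -> global port
    in_table: Dict[int, Tuple[str, int]] = field(default_factory=dict)   # global port -> (local ip, port)

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Inside -> outside. Returns the packet as the Internet sees it, or None if not translated."""
        src_ip, src_port, dst_ip, dst_port = flow
        if not acl_permits(src_ip):
            return None                        # not permitted by access-list 1: no entry is created
        key = (src_ip, src_port)
        if key not in self.out_table:
            gport = self.next_port
            self.next_port += 1
            self.out_table[key] = gport
            self.in_table[gport] = key
        return (self.inside_global, self.out_table[key], dst_ip, dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Outside -> inside. Only traffic matching an existing entry reaches a private host."""
        src_ip, src_port, dst_ip, dst_port = flow
        if dst_ip != self.inside_global or dst_port not in self.in_table:
            return None                        # unsolicited: dropped, so private hosts stay hidden
        local_ip, local_port = self.in_table[dst_port]
        return (src_ip, src_port, local_ip, local_port)


def demo() -> dict:
    """Walks two private hosts through the translator; returns what each side sees."""
    nat = NatOverload()
    pc_a = ("10.10.10.20", 40000, "198.51.100.7", 80)   # constructed: inside local -> outside global
    pc_b = ("10.10.10.21", 40000, "198.51.100.7", 80)   # constructed: same source port as pc_a
    seen_a = nat.outbound(pc_a)
    seen_b = nat.outbound(pc_b)
    reply_to_a = nat.inbound(("198.51.100.7", 80, seen_a[0], seen_a[1]))
    unsolicited = nat.inbound(("198.51.100.7", 80, str(POOL_ADDRESS), 9999))
    outside_acl = nat.outbound(("192.168.1.5", 1111, "198.51.100.7", 80))
    return {"a": seen_a, "b": seen_b, "reply_a": reply_to_a,
            "unsolicited": unsolicited, "outside_acl": outside_acl}
```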
IPSEC VPN
Setting Up an IPSEC VPN - VPN between a remote site and a corporate office using Cisco routers
The main office has a 2620 router (called mainrtr) with 3 Ethernet interfaces. One interface is used for the internal network (IP address 172.23.10.1/16) and one is used to connect to the Internet through a DSL service (IP address 207.194.10.198/24).
The remote site has a 1751 router (called remotertr) with 2 Ethernet interfaces. One interface connects to the internal network (IP address 172.25.10.1/16) and the other connects to the Internet via DSL (IP address 207.194.10.199/24).
Both routers are loaded with the latest version of the IP plus IPSEC 56 IOS image.
The first step is to set up the IKE (Internet Key Exchange) policies on the routers. The IKE policy states the kind of encryption and hash to use and the type of authentication that will be implemented. The parameters need to be the same at either end of the VPN.
On the central office router:
mainrtr(config)# crypto isakmp policy 1
mainrtr(config-isakmp)# encryption des
mainrtr(config-isakmp)# hash sha
mainrtr(config-isakmp)# authentication pre-share
mainrtr(config-isakmp)# lifetime 86400
mainrtr(config-isakmp)# end
job done ------
On the remote site router you would use the exact same commands. Lines 2 and 3 are used to set the encryption and hash types. DES encryption and SHA hash algorithm are the defaults, so those lines could be omitted. Line 4 specifies that the key used is pre-shared, that is, no certificate authority (CA) is used. Line 5 states how long the SA is valid for in seconds (in this case an SA is valid for 1 day).
The next step is to set up the keys that are being used. Since the keys are pre-shared, you just configure them on the router itself. Using a CA to issue keys is more complex, but it is also more secure. To set the pre-shared keys, use the following commands.
On the central office router:
mainrtr(config)# crypto isakmp identity address
mainrtr(config)# crypto isakmp key key123 address 207.194.10.199
On the remote site router:
remotertr (config)# crypto isakmp identity address
remotertr (config)# crypto isakmp key key123 address 207.194.10.198
The first line indicates the ISAKMP identity the router will use. The address keyword specifies that the IP address will be used as the name. The second line states that the key to be used is 'key123', and the identity of the remote peer (in the case of mainrtr the remote peer is 207.194.10.199, or remotertr).
Now the actual IPSEC tunnel needs to be set up. This involves setting up a crypto access list and defining the transform sets. Once you have the access list and transforms in place you can configure the IPSEC tunnel mode.
On the central office router:
mainrtr(config)# access-list 110 permit ip host 207.194.10.198 host 207.194.10.199
This configures access list 110 to encrypt all IP traffic between the two routers. On the remote site router you would configure the access list as a mirror image of the one on the central office router.
On the remote site router:
remotertr(config)# access-list 110 permit ip host 207.194.10.199 host 207.194.10.198
To set up the transform set and configure tunnel mode, use the following commands.
On the central office router:
mainrtr(config)# crypto ipsec transform-set ts1 ah-sha-hmac esp-des
mainrtr(cfg-crypto-trans)# mode tunnel
mainrtr(cfg-crypto-trans)# exit
Line 1 configures the AH transform and the ESP encryption transform and names the transform set 'ts1'. The same commands are entered on the remote site router to set up its transform set. Now a crypto map needs to be created to define the endpoints of the tunnel.
On the central office router:
mainrtr(config)# crypto map map1 10 ipsec-isakmp
mainrtr(config-crypto-map)# match address 110
mainrtr(config-crypto-map)# set peer 207.194.10.199
mainrtr(config-crypto-map)# set transform-set ts1
mainrtr(config-crypto-map)# exit
The first line defines an IPSEC crypto map called 'map1' and sets a sequence number of 10. Line 2 applies the access list we created above to the crypto map. Line 3 defines the remote peer that can be forwarded IPSEC encrypted traffic, and line 4 applies the transform set created above to the crypto map. To set up the crypto map on the remote site router, you want to set up compatible parameters.
On the remote site router:
remotertr(config)# crypto map map1 10 ipsec-isakmp
remotertr(config-crypto-map)# match address 110
remotertr(config-crypto-map)# set peer 207.194.10.198
remotertr(config-crypto-map)# set transform-set ts1
remotertr(config-crypto-map)# exit
To get it all to work, the crypto map needs to be applied to an interface on the router.
On the central office router:
mainrtr(config)# interface ethernet 2
mainrtr(config-if)# crypto map map1
mainrtr(config-if)# exit
On the remote site router:
remotertr(config)# interface ethernet 2
remotertr(config-if)# crypto map map1
remotertr(config-if)# exit
You should now have a working IPSEC tunnel between the two routers. To get traffic to flow between the two networks, you would need to set up network address translation (NAT) to resolve the IP addresses of hosts on the internal network to that of the connected router's external interface.
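The post stresses that the IKE policy, pre-shared key, transform set and crypto ACL must agree at both ends. As an added example (not from the post and not a Cisco tool), the Python below parses the commands entered on mainrtr and remotertr, as they would appear in the running configuration with prompts stripped, and reports mismatches that would keep the tunnel from coming up; it also warns about the DES choice, which is no longer considered acceptable. The config strings and the WEAK_ALGORITHMS set are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed input: the commands this post enters on each router, in
# running-config form (prompts removed). Added example, not the post's script.
MAINRTR = """
crypto isakmp policy 1
 encryption des
 hash sha
 authentication pre-share
 lifetime 86400
crypto isakmp key key123 address 207.194.10.199
access-list 110 permit ip host 207.194.10.198 host 207.194.10.199
crypto ipsec transform-set ts1 ah-sha-hmac esp-des
crypto map map1 10 ipsec-isakmp
 match address 110
 set peer 207.194.10.199
 set transform-set ts1
"""

REMOTERTR = """
crypto isakmp policy 1
 encryption des
 hash sha
 authentication pre-share
 lifetime 86400
crypto isakmp key key123 address 207.194.10.198
access-list 110 permit ip host 207.194.10.199 host 207.194.10.198
crypto ipsec transform-set ts1 ah-sha-hmac esp-des
crypto map map1 10 ipsec-isakmp
 match address 110
 set peer 207.194.10.198
 set transform-set ts1
"""

# Algorithms a defender should flag today (single DES is what the post uses).
WEAK_ALGORITHMS = {"des", "3des", "md5"}


def parse(config: str) -> Dict:
    """Extracts the VPN-relevant settings from one router's config text."""
    cfg = {"policy": {}, "psk": {}, "acl": [], "transform": None, "peer": None, "mapacl": None}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"(encryption|hash|authentication|lifetime) (\S+)", line)
        if m:
            cfg["policy"][m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
        if m:
            cfg["psk"][m.group(2)] = m.group(1)        # peer address -> key
            continue
        m = re.match(r"access-list 110 permit ip host (\S+) host (\S+)", line)
        if m:
            cfg["acl"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
        if m:
            cfg["transform"] = m.group(1).split()
            continue
        m = re.match(r"set peer (\S+)", line)
        if m:
            cfg["peer"] = m.group(1)
            continue
        m = re.match(r"match address (\S+)", line)
        if m:
            cfg["mapacl"] = m.group(1)
    return cfg


def check_pair(a: Dict, a_addr: str, b: Dict, b_addr: str) -> List[str]:
    """Compares two parsed configs; returns ERROR/WARN findings (no ERROR = compatible)."""
    findings: List[str] = []
    if a["policy"] != b["policy"]:
        findings.append(f"ERROR: ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    for cfg, own, other in ((a, a_addr, b_addr), (b, b_addr, a_addr)):
        if cfg["peer"] != other:
            findings.append(f"ERROR: {own} sets peer {cfg['peer']}, expected {other}")
        if other not in cfg["psk"]:
            findings.append(f"ERROR: {own} has no pre-shared key for {other}")
        if cfg["mapacl"] is None or not cfg["acl"]:
            findings.append(f"ERROR: {own} crypto map does not reference a crypto ACL")
    if a["psk"].get(b_addr) != b["psk"].get(a_addr):
        findings.append("ERROR: pre-shared keys differ between the peers")
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        findings.append("ERROR: crypto ACL 110 is not a mirror image")
    if a["transform"] != b["transform"]:
        findings.append(f"ERROR: transform sets differ: {a['transform']} vs {b['transform']}")
    weak = set()
    for cfg in (a, b):
        weak |= {v for v in cfg["policy"].values() if v in WEAK_ALGORITHMS}
        for token in cfg["transform"] or []:               # e.g. "esp-des" -> {"esp", "des"}
            weak |= set(token.split("-")) & WEAK_ALGORITHMS
    if weak:
        findings.append("WARN: weak algorithms in use: " + ", ".join(sorted(weak)))
    return findings


if __name__ == "__main__":
    for line in check_pair(parse(MAINRTR), "207.194.10.198", parse(REMOTERTR), "207.194.10.199"):
        print(line)
```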
- Cisco White Paper on IPSEC VPN best practices
- Cisco IOS Enterprise VPN Configuration Guide
- Cisco VPN Top Issues
Saturday, April 12, 2008
mpls troubleshooting
This section contains several MPLS troubleshoot procedures.
Verify That Routing Protocol Runs
Issue the show ip protocols command in order to display the parameters and current state of the active routing protocol process:
Pomerol# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.10.10.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4 Routing for Networks:
10.1.1.0 0.0.0.255 area 9
10.10.10.0 0.0.0.255 area 9
Routing Information Sources:
Gateway Distance Last Update
10.10.10.2 110 10:41:55
10.10.10.3 110 10:41:55
10.10.10.1 110 10:41:55
10.10.10.6 110 10:41:55
10.10.10.4 110 10:41:55
10.10.10.5 110 10:41:55
Distance: (default is 110)
Ensure that the protocol routes for the MPLS network and all neighbors are present. You can also issue the show ip route command in order to verify the routing table:
Pomerol# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - ISIS level-1, L2 - ISIS level-2, ia - ISIS inter area
* - candidate default, U - per-user static route, o - ODR
Gateway of last resort is 10.200.28.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 13 subnets, 3 masks
C 10.1.1.8/30 is directly connected, Serial0/1.2
O 10.1.1.12/30 [110/390] via 10.1.1.5, 15:26:38, Serial0/1.1
O 10.10.10.2/32 [110/196] via 10.1.1.10, 15:26:38, Serial0/1.2
C 10.10.10.3/32 is directly connected, Loopback0
O 10.1.1.0/30 [110/390] via 10.1.1.5, 15:26:38, Serial0/1.1
[110/390] via 10.1.1.10, 15:26:38, Serial0/1.2
O 10.10.10.1/32 [110/196] via 10.1.1.5, 15:26:38, Serial0/1.1
O 10.10.10.6/32 [110/98] via 10.1.1.22, 15:26:38, Serial0/1.3
O 10.10.10.4/32 [110/391] via 10.1.1.5, 15:26:38, Serial0/1.1
C 10.1.1.4/30 is directly connected, Serial0/1.1
C 10.1.1.20/30 is directly connected, Serial0/1.3
If the routers or routes are not present, investigate the routing protocol process. Refer to the OSPF Support Page in order to investigate the routing protocol process.
Verify CEF Switching
Issue the show ip cef summary command in order to display specific entries in the Forwarding Information Base (FIB) with IP address information as a basis. This output shows Normal status:
Pomerol# show ip cef summary
IP CEF with switching (Table Version 131), flags=0x0, bits=8
32 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
32 leaves, 18 nodes, 23004 bytes, 125 inserts, 93 invalidations
1 load sharing elements, 336 bytes, 1 references
universal per-destination load sharing algorithm, id B642EBCF
1 CEF resets, 6 revisions of existing leaves
6 in-place modifications
refcounts: 4909 leaf, 4864 node
Issue the show ip cef and show ip cef interface commands in order to verify CEF status. If CEF has not been enabled, nothing appears:
Pomerol# show ip cef
%CEF not running
Prefix Next Hop Interface
Refer to the Cisco Express Forwarding Overview if you continue to have problems with the enablement of CEF.
Verify MPLS
Issue the show mpls interfaces command in order to ensure that MPLS is globally enabled. This command also verifies that a Label Distribution Protocol (LDP) runs on the requested interfaces:
Pomerol# show mpls interfaces
Interface IP Tunnel Operational
(...)
Serial0/1.1 Yes (tdp) Yes Yes
Serial0/1.2 Yes Yes No
Serial0/1.3 Yes (tdp) Yes Yes
(...)
Ping the Neighbors
An unlabeled connection must be up between each pair of router neighbors. The routing protocol and the LDP use the unlabeled connection to build the routing table and the label forwarding information base (LFIB).
Pomerol# ping 10.10.10.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
Verify Label Distribution
Issue the show tag-switching tdp discovery command in order to display the discovered neighbors:
Pomerol# show tag-switching tdp discovery
Local TDP Identifier:
10.10.10.3:0
Discovery Sources:
Interfaces:
Serial0/1.1 (tdp): xmit/recv
TDP Id: 10.10.10.1:0
Serial0/1.2 (tdp): xmit/recv
TDP Id: 10.10.10.2:0
Serial0/1.3 (tdp): xmit/recv
TDP Id: 10.10.10.6:0
In the show tag-switching tdp discovery command output, the use of TDP binds labels with routes. If any of the presumed neighbors is not present and you cannot ping the presumed neighbor, a connectivity problem exists and the LDP cannot run. If LDP runs correctly, it assigns one label per forwarding equivalence class.
Note: If the router ID for the LDP cannot be reached from the global routing table, the neighbor relationship fails to establish.
Verify Label Bindings
Issue the show tag-switching tdp bindings command in order to ensure the assignment of labels to each destination. You can use commands such as the show tag-switching forwarding-table {ip address | prefix} detail command in order to verify the different routes and the labels associated with the routes.
The output that this section shows contains label bindings for 10.10.10.x/32 networks, which are the interfaces of each label switch router (LSR):
Note: There are multiple labels for each LSR. Each label corresponds to a different path.
Pomerol# show tag-switching tdp bindings
(...)
tib entry: 10.10.10.1/32, rev 31
local binding: tag: 18
remote binding: tsr: 10.10.10.1:0, tag: imp-null
remote binding: tsr: 10.10.10.2:0, tag: 18
remote binding: tsr: 10.10.10.6:0, tag: 21
tib entry: 10.10.10.2/32, rev 22
local binding: tag: 17
remote binding: tsr: 10.10.10.2:0, tag: imp-null
remote binding: tsr: 10.10.10.1:0, tag: 19
remote binding: tsr: 10.10.10.6:0, tag: 22
tib entry: 10.10.10.3/32, rev 2
local binding: tag: imp-null
remote binding: tsr: 10.10.10.2:0, tag: 17
remote binding: tsr: 10.10.10.1:0, tag: 20
remote binding: tsr: 10.10.10.6:0, tag: 23
tib entry: 10.10.10.4/32, rev 40
local binding: tag: 20
remote binding: tsr: 10.10.10.1:0, tag: 16
remote binding: tsr: 10.10.10.2:0, tag: 20
remote binding: tsr: 10.10.10.6:0, tag: 24
tib entry: 10.10.10.5/32, rev 44
local binding: tag: 22
remote binding: tsr: 10.10.10.1:0, tag: 17
remote binding: tsr: 10.10.10.2:0, tag: 22
remote binding: tsr: 10.10.10.6:0, tag: 25
tib entry: 10.10.10.6/32, rev 48
local binding: tag: 23
remote binding: tsr: 10.10.10.6:0, tag: imp-null
remote binding: tsr: 10.10.10.1:0, tag: 22
remote binding: tsr: 10.10.10.2:0, tag: 24
(...)
Pomerol# show tag-switching forwarding-table 10.10.10.4 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
20 16 10.10.10.4/32 0 Se0/1.1 point2point
MAC/Encaps=4/8, MTU=1500, Tag Stack{16}
48D18847 00010000
No output feature configured
Per-packet load-sharing
Verify That Labels Are Set
Use the debug mpls packet command or the MPLS-aware traceroute command functionality in order to make sure that the labels are set.
Pesaro# traceroute 10.10.10.4
Type escape sequence to abort.
Tracing the route to 10.10.10.4
1 10.1.1.21 [MPLS: Label 20 Exp 0] 272 msec 268 msec 300 msec
2 10.1.1.5 [MPLS: Label 16 Exp 0] 228 msec 228 msec 228 msec
3 10.1.1.14 92 msec * 92 msec
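The checks above (and the command list in the earlier MPLS post) are done by eye on the CLI. As an added example, not part of this post or a Cisco tool, the Python below parses the show mpls interfaces and show tag-switching tdp discovery output, flags interfaces that are not operational or have no label distribution protocol, and reports expected LDP neighbors that were never discovered. The interface table is copied from this page; the discovery output and the EXPECTED_NEIGHBORS set are constructed so that Serial0/1.2 (the non-operational interface in the table) is the one that fails.

```python
import re
from typing import Dict, List, Optional, Set

# Copied from the 'show mpls interfaces' sample on this page (header included).
SHOW_MPLS_INTERFACES = """\
Interface              IP            Tunnel   Operational
Serial0/1.1            Yes (tdp)     Yes      Yes
Serial0/1.2            Yes           Yes      No
Serial0/1.3            Yes (tdp)     Yes      Yes
"""

# Constructed to agree with the table above: no neighbor is discovered on
# Serial0/1.2 (the page's own discovery sample lists one there).
SHOW_TDP_DISCOVERY = """\
Local TDP Identifier:
    10.10.10.3:0
Discovery Sources:
    Interfaces:
        Serial0/1.1 (tdp): xmit/recv
            TDP Id: 10.10.10.1:0
        Serial0/1.3 (tdp): xmit/recv
            TDP Id: 10.10.10.6:0
"""

# Constructed: the LSR router IDs reachable over Pomerol's three serial subinterfaces.
EXPECTED_NEIGHBORS = {"10.10.10.1", "10.10.10.2", "10.10.10.6"}

_IFACE_RE = re.compile(r"(\S+)\s+(Yes|No)(?:\s+\((\w+)\))?\s+(Yes|No)\s+(Yes|No)\s*$")


def parse_mpls_interfaces(text: str) -> Dict[str, Dict[str, Optional[object]]]:
    """Returns {interface: {'ldp': protocol-or-None, 'operational': bool}}."""
    result = {}
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            result[m.group(1)] = {"ldp": m.group(3), "operational": m.group(5) == "Yes"}
    return result


def parse_tdp_discovery(text: str) -> Dict[str, str]:
    """Returns {interface: neighbor TDP/LDP identifier} from the discovery output."""
    neighbors, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(\S+) \((?:tdp|ldp)\): xmit/recv", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*TDP Id: (\S+)", line)
        if m and current:
            neighbors[current] = m.group(1)
            current = None
    return neighbors


def audit(interfaces: Dict, discovered: Dict[str, str], expected: Set[str]) -> List[str]:
    """Cross-checks the two outputs; an empty list means every interface and neighbor is healthy."""
    findings: List[str] = []
    for name, state in sorted(interfaces.items()):
        if not state["operational"]:
            findings.append(f"{name}: MPLS not operational")
        if state["ldp"] is None:
            findings.append(f"{name}: no label distribution protocol enabled")
        elif name not in discovered:
            findings.append(f"{name}: LDP enabled but no neighbor discovered (check unlabeled reachability)")
    found = {nid.split(":")[0] for nid in discovered.values()}   # "10.10.10.1:0" -> "10.10.10.1"
    for router_id in sorted(expected - found):
        findings.append(f"neighbor {router_id}: not discovered by LDP")
    return findings


def run_audit() -> List[str]:
    """Runs the audit over the sample outputs embedded above."""
    return audit(parse_mpls_interfaces(SHOW_MPLS_INTERFACES),
                 parse_tdp_discovery(SHOW_TDP_DISCOVERY), EXPECTED_NEIGHBORS)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```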
Verify That Routing Protocol Runs
Issue the show ip protocols command in order to display the parameters and current state of the active routing protocol process:
Pomerol# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.10.10.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4 Routing for Networks:
10.1.1.0 0.0.0.255 area 9
10.10.10.0 0.0.0.255 area 9
Routing Information Sources:
Gateway Distance Last Update
10.10.10.2 110 10:41:55
10.10.10.3 110 10:41:55
10.10.10.1 110 10:41:55
10.10.10.6 110 10:41:55
10.10.10.4 110 10:41:55
10.10.10.5 110 10:41:55
Distance: (default is 110)Ensure that the protocol routes for the MPLS network and all neighbors are present. You can also issue the show ip route command in order to verify the routing table:
Pomerol# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - ISIS level-1, L2 - ISIS level-2, ia - ISIS inter area
* - candidate default, U - per-user static route, o - ODR
Gateway of last resort is 10.200.28.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 13 subnets, 3 masks
C 10.1.1.8/30 is directly connected, Serial0/1.2
O 10.1.1.12/30 [110/390] via 10.1.1.5, 15:26:38, Serial0/1.1
O 10.10.10.2/32 [110/196] via 10.1.1.10, 15:26:38, Serial0/1.2
C 10.10.10.3/32 is directly connected, Loopback0
O 10.1.1.0/30 [110/390] via 10.1.1.5, 15:26:38, Serial0/1.1
[110/390] via 10.1.1.10, 15:26:38, Serial0/1.2
O 10.10.10.1/32 [110/196] via 10.1.1.5, 15:26:38, Serial0/1.1
O 10.10.10.6/32 [110/98] via 10.1.1.22, 15:26:38, Serial0/1.3
O 10.10.10.4/32 [110/391] via 10.1.1.5, 15:26:38, Serial0/1.1
C 10.1.1.4/30 is directly connected, Serial0/1.1
C 10.1.1.20/30 is directly connected, Serial0/1.3If the routers or routes are not present, investigate the routing protocol process. Refer to the OSPF Support Page in order to investigate the routing protocol process.
Verify CEF Switching
Issue the show ip cef summary command in order to display specific entries in the Forwarding Information Base (FIB) with IP address information as a basis. This output shows Normal status:
Pomerol# show ip cef summary
IP CEF with switching (Table Version 131), flags=0x0, bits=8
32 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
32 leaves, 18 nodes, 23004 bytes, 125 inserts, 93 invalidations
1 load sharing elements, 336 bytes, 1 references
universal per-destination load sharing algorithm, id B642EBCF
1 CEF resets, 6 revisions of existing leaves
6 in-place modifications
refcounts: 4909 leaf, 4864 nodeIssue the show ip cef and show ip cef interface commands in order to verify CEF status. If CEF has not been enabled, nothing appears:
Pomerol# show ip cef
%CEF not running
Prefix Next Hop InterfaceRefer to the Cisco Express Forwarding Overview if you continue to have problems with the enablement of CEF.
Verify MPLS
Issue the show mpls interfaces command in order to ensure that MPLS is globally enabled. This command also verifies that a Label Distribution Protocol (LDP) runs on the requested interfaces:
Pomerol# show mpls interfaces
Interface IP Tunnel Operational
(...)
Serial0/1.1 Yes (tdp) Yes Yes
Serial0/1.2 Yes Yes No
Serial0/1.3 Yes (tdp) Yes Yes
(...)
Ping the Neighbors
An unlabeled connection must be up between each pair of router neighbors. The routing protocol and the LDP use the unlabeled connection to build the routing table and the label forwarding information base (LFIB).
Pomerol# ping 10.10.10.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 msVerify Label Distribution
Issue the show tag-switching tdp discovery command in order to display the discovered neighbors:
Pomerol# show tag-switching tdp discovery
Local TDP Identifier:
10.10.10.3:0
Discovery Sources:
Interfaces:
Serial0/1.1 (tdp): xmit/recv
TDP Id: 10.10.10.1:0
Serial0/1.2 (tdp): xmit/recv
TDP Id: 10.10.10.2:0
Serial0/1.3 (tdp): xmit/recv
TDP Id: 10.10.10.6:0
In the show tag-switching tdp discovery command output, the use of TDP binds labels with routes. If any of the presumed neighbors is not present and you cannot ping the presumed neighbor, a connectivity problem exists and the LDP cannot run. If LDP runs correctly, it assigns one label per forwarding equivalence class.
Note: If the router ID for the LDP cannot be reached from the global routing table, the neighbor relationship fails to establish.
Verify Label Bindings
Issue the show tag-switching tdp bindings command in order to ensure the assignment of labels to each destination. You can use commands such as the show tag-switching forwarding-table {ip address | prefix} detail command in order to verify the different routes and the labels associated with the routes.
The output that this section shows contains label bindings for 10.10.10.x/32 networks, which are the interfaces of each label switch router (LSR):
Note: There are multiple labels for each LSR. Each label corresponds to a different path.
Pomerol# show tag-switching tdp bindings
(...)
tib entry: 10.10.10.1/32, rev 31
local binding: tag: 18
remote binding: tsr: 10.10.10.1:0, tag: imp-null
remote binding: tsr: 10.10.10.2:0, tag: 18
remote binding: tsr: 10.10.10.6:0, tag: 21
tib entry: 10.10.10.2/32, rev 22
local binding: tag: 17
remote binding: tsr: 10.10.10.2:0, tag: imp-null
remote binding: tsr: 10.10.10.1:0, tag: 19
remote binding: tsr: 10.10.10.6:0, tag: 22
tib entry: 10.10.10.3/32, rev 2
local binding: tag: imp-null
remote binding: tsr: 10.10.10.2:0, tag: 17
remote binding: tsr: 10.10.10.1:0, tag: 20
remote binding: tsr: 10.10.10.6:0, tag: 23
tib entry: 10.10.10.4/32, rev 40
local binding: tag: 20
remote binding: tsr: 10.10.10.1:0, tag: 16
remote binding: tsr: 10.10.10.2:0, tag: 20
remote binding: tsr: 10.10.10.6:0, tag: 24
tib entry: 10.10.10.5/32, rev 44
local binding: tag: 22
remote binding: tsr: 10.10.10.1:0, tag: 17
remote binding: tsr: 10.10.10.2:0, tag: 22
remote binding: tsr: 10.10.10.6:0, tag: 25
tib entry: 10.10.10.6/32, rev 48
local binding: tag: 23
remote binding: tsr: 10.10.10.6:0, tag: imp-null
remote binding: tsr: 10.10.10.1:0, tag: 22
remote binding: tsr: 10.10.10.2:0, tag: 24
(...)
Pomerol# show tag-switching forwarding-table 10.10.10.4 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
20 16 10.10.10.4/32 0 Se0/1.1 point2point
MAC/Encaps=4/8, MTU=1500, Tag Stack{16}
48D18847 00010000
No output feature configured
Per-packet load-sharing
Verify That Labels Are Set
Use the debug mpls packet command or the MPLS-aware traceroute command functionality in order to make sure that the labels are set.
Pesaro# traceroute 10.10.10.4
Type escape sequence to abort.
Tracing the route to 10.10.10.4
1 10.1.1.21 [MPLS: Label 20 Exp 0] 272 msec 268 msec 300 msec
2 10.1.1.5 [MPLS: Label 16 Exp 0] 228 msec 228 msec 228 msec
3 10.1.1.14 92 msec * 92 msec
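The label distribution, label binding and "labels are set" checks above are easy to script against saved command output. The Python below is an added example written for this page, not Cisco code or part of the original post: it parses show tag-switching tdp discovery and show tag-switching tdp bindings output, reports prefixes for which a discovered neighbor advertised no label, confirms that an LFIB outgoing tag matches what the next-hop neighbor advertised, and pulls the per-hop labels out of an MPLS-aware traceroute. The DISCOVERY, BINDINGS and TRACEROUTE samples are constructed from the outputs shown on the page (with one remote binding deliberately removed), and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output, trimmed from the page's Pomerol and Pesaro
# captures. The remote binding from 10.10.10.6:0 for 10.10.10.4/32 is
# deliberately left out so the check below has something to report.
DISCOVERY = """\
Local TDP Identifier:
    10.10.10.3:0
Discovery Sources:
    Interfaces:
        Serial0/1.1 (tdp): xmit/recv
            TDP Id: 10.10.10.1:0
        Serial0/1.2 (tdp): xmit/recv
            TDP Id: 10.10.10.2:0
        Serial0/1.3 (tdp): xmit/recv
            TDP Id: 10.10.10.6:0
"""
BINDINGS = """\
  tib entry: 10.10.10.1/32, rev 31
        local binding:  tag: 18
        remote binding: tsr: 10.10.10.1:0, tag: imp-null
        remote binding: tsr: 10.10.10.2:0, tag: 18
        remote binding: tsr: 10.10.10.6:0, tag: 21
  tib entry: 10.10.10.4/32, rev 40
        local binding:  tag: 20
        remote binding: tsr: 10.10.10.1:0, tag: 16
        remote binding: tsr: 10.10.10.2:0, tag: 20
"""
TRACEROUTE = """\
Tracing the route to 10.10.10.4
  1 10.1.1.21 [MPLS: Label 20 Exp 0] 272 msec 268 msec 300 msec
  2 10.1.1.5 [MPLS: Label 16 Exp 0] 228 msec 228 msec 228 msec
  3 10.1.1.14 92 msec *  92 msec
"""

def parse_discovery(text: str) -> Dict[str, str]:
    """Map each TDP-enabled interface to the neighbor TDP Id discovered on it."""
    neighbors, interface = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(\S+) \(tdp\): xmit/recv", line)
        if m:
            interface = m.group(1)
            continue
        m = re.match(r"\s*TDP Id: (\S+)", line)
        if m and interface:
            neighbors[interface] = m.group(1)
            interface = None
    return neighbors

def parse_bindings(text: str) -> Dict[str, dict]:
    """Per prefix: the local tag and a {tsr: tag} map of remote bindings."""
    tib, prefix = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*tib entry: (\S+), rev", line)
        if m:
            prefix = m.group(1)
            tib[prefix] = {"local": None, "remote": {}}
            continue
        m = re.match(r"\s*local binding:\s+tag: (\S+)", line)
        if m and prefix:
            tib[prefix]["local"] = m.group(1)
            continue
        m = re.match(r"\s*remote binding: tsr: (\S+), tag: (\S+)", line)
        if m and prefix:
            tib[prefix]["remote"][m.group(1)] = m.group(2)
    return tib

def missing_bindings(neighbors: Dict[str, str], tib: Dict[str, dict]) -> Dict[str, List[str]]:
    """Prefixes with no local tag, or with a discovered neighbor that sent no tag."""
    expected = set(neighbors.values())
    gaps = {}
    for prefix, entry in tib.items():
        absent = sorted(expected - set(entry["remote"]))
        if entry["local"] is None or absent:
            gaps[prefix] = absent
    return gaps

def lfib_consistent(prefix: str, outgoing_tag: str, out_interface: str,
                    neighbors: Dict[str, str], tib: Dict[str, dict]) -> bool:
    """The LFIB outgoing tag must be the tag the next-hop neighbor advertised."""
    tsr = neighbors.get(out_interface)
    remote = tib.get(prefix, {}).get("remote", {})
    return tsr is not None and remote.get(tsr) == outgoing_tag

def parse_traceroute(text: str) -> List[Tuple[str, Optional[int]]]:
    """(hop address, MPLS label or None) for each hop of an MPLS-aware traceroute."""
    pattern = r"\s*\d+\s+(\d+\.\d+\.\d+\.\d+)(?: \[MPLS: Label (\d+) Exp \d+\])?"
    hops = []
    for line in text.splitlines():
        m = re.match(pattern, line)
        if m:
            hops.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return hops

def label_path(text: str) -> List[int]:
    """Labels seen along the path; the egress hop is normally unlabeled."""
    return [label for _, label in parse_traceroute(text) if label is not None]
```

On the page's own forwarding-table entry (local 20, outgoing 16 via Se0/1.1) the traceroute labels 20 then 16 are exactly the local and next-hop bindings for 10.10.10.4/32, which is what lfib_consistent and label_path let you confirm without reading the tables by hand.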
Friday, April 11, 2008
Fix the four biggest problems with VPN connections
Takeaway: When they work, VPNs are great. When they don't, you can go crazy trying to figure out what's wrong. Here are four of the biggest trouble areas with VPN connections and how you can fix them.
VPNs have gone from obscurity to being a common method of linking private networks together across the Internet. Although VPNs initially became popular because they free companies from the expense of connecting networks with dedicated leased lines, part of the reason that VPNs have become so accepted is that they tend to be very reliable. Even so, VPN connections do occasionally experience problems. Here are several techniques you can use to troubleshoot VPN connections.
What’s the problem?
There are four types of problems that tend to occur with VPN connections. These include:
1. The VPN connection being rejected.
2. The acceptance of an unauthorized connection.
3. The inability to reach locations that lie beyond the VPN server.
4. The inability to establish a tunnel.
The VPN connection is rejected
Having a VPN client’s connection rejected is perhaps the most common VPN problem. Part of the reason this problem is so common is that there are a lot of issues that can cause a connection to be rejected. If your VPN server is rejecting client connections, the first thing you need to do is to check to make sure the Routing And Remote Access service is running. You can check this by opening the server’s Control Panel and clicking on the Administrative Tools icon, followed by the Services icon.
Once you've verified that the necessary services are running, try pinging the VPN server by IP address from the VPN client. You should ping by IP address initially so that you can verify that basic TCP/IP connectivity exists. If the ping is successful, then ping the server again, but this time ping by the server’s fully qualified domain name (FQDN) rather than by its address. If this ping fails where the IP address ping succeeded, you have a DNS problem, because the client is unable to resolve the server’s name to an IP address.
Check on the authentication process
Once you've established that there is a valid TCP/IP connection between the VPN client and server, and that name resolution is working correctly, the next thing to check is the authentication process. As you may know, there are a lot of different authentication methods available to a VPN connection. Both the VPN client and the VPN server must have at least one authentication method in common.
You can check to see which authentication methods the VPN server is configured to use by entering the MMC command at the Run prompt. When you do, Windows will open an empty Microsoft Management Console session. Now, select the Add / Remove Snap In command from the Console menu. When you see the Add / Remove Snap In properties sheet, click the Add button on the Standalone tab. This will reveal a list of the available snap-ins. Select Routing And Remote Access from the list and click the Add button, followed by the Close and OK buttons.
Now, the Routing And Remote Access snap-in should be added to the console. Right-click on the listing for your VPN server and select the Properties command from the resulting shortcut menu. This will display the server’s properties sheet. Select the Security tab and click the Authentication Methods button. This will cause Windows to display a dialog box with all of the available authentication methods. You can enable or disable authentication methods by selecting or deselecting the appropriate check boxes.
The method for checking the authentication method on the client end varies depending on the client’s operating system. For a Windows XP system, right-click on the VPN connection and select the Properties command from the resulting shortcut menu. This will reveal the connection’s properties sheet. Now, select the properties sheet’s Security tab, select the Advanced radio button, and click the Settings button to reveal the available authentication methods.
I usually prefer to use Windows Authentication in VPN environments, but RADIUS is also a popular choice. If you are using RADIUS Authentication, you must verify that the client supports RADIUS and that the VPN server has no trouble communicating with the RADIUS server.
More things to check
If the authentication methods appear to be set correctly, the next step is to check the technique by which the client is trying to connect to the VPN server. If the client is dialing in to the server, rather than connecting through the Internet, it could be that the remote user has no dial-in privileges. You can check the privileges either by looking at the Dial In tab on the user’s properties sheet in Active Directory Users And Computers, or by looking at the domain’s remote access policy. This would also be a good time to verify that the user actually knows how to establish the VPN connection and that the user is using the correct username and password.
This may sound obvious, but if your domain is running in Windows 2000 Native Mode, your VPN server needs to be a member of the domain. If the VPN server hasn’t joined the domain, it will be unable to authenticate logins.
You also need to take a look at IP addresses. Each Web-based VPN connection actually uses two different IP addresses for the VPN client computer. The first IP address is the one that was assigned by the client’s ISP. This is the IP address that’s used to establish the initial TCP/IP connection to the VPN server over the Internet. However, once the client attaches to the VPN server, the VPN server assigns the client a secondary IP address. This IP address has the same subnet as the local network and thus allows the client to communicate with the local network.
At the time you set up the VPN server, you must either specify that the server will use a DHCP server to assign addresses to clients, or you can create a bank of IP addresses to assign to clients directly from the VPN server. In either case, if the server runs out of valid IP addresses, it will be unable to assign an address to the client and the connection will be refused.
For environments in which a DHCP server is used, one of the more common setup errors is specifying an incorrect NIC. If you right-click on the VPN server in the Routing And Remote Access console and select the Properties command from the resulting shortcut menu, you’ll see the server’s properties sheet. The properties sheet’s IP tab contains radio buttons that allow you to select whether a static address pool or a DHCP server will be used. If you select the DHCP server option, you must select the appropriate network adapter from the drop-down list at the bottom of the tab. You must select a network adapter that has a TCP/IP path to the DHCP server.
Acceptance of unauthorized connections
Now that I’ve discussed reasons why a connection might be refused, let’s take a look at the opposite problem in which unauthorized connections are accepted. This problem is much less common than not getting connected at all, but is much more serious because of the potential security issues.
If you look at a user’s properties sheet in the Active Directory Users And Computers console, you’ll notice that the Dial In tab contains an option to control access through the remote access policy. If this option is selected and the effective remote access policy is set to allow remote access, the user will be able to attach to the VPN. Although I have been unable to re-create the situation personally, I have heard rumors that a bug exists in Windows 2000 that causes the connection to be accepted even if the effective remote access policy is set to deny a user’s connection, and that it’s best to allow or deny connections directly through the Active Directory Users And Computers console.
Inability to reach locations beyond the VPN server
Another common VPN problem is that a connection is successfully established, but that the remote user is unable to access the network lying beyond the VPN server. By far, the most common cause of this problem is that permission hasn’t been granted for the user to access the entire network. If you have ever worked with Windows NT 4.0, you may recall a setting in RAS that allowed you to control whether a user had access to one computer or to the entire network. This particular setting doesn’t exist in Windows 2000, but there is another setting that does the same thing.
To allow a user to access the entire network, go to the Routing And Remote Access console and right-click on the VPN server that’s having the problem. Select the Properties command from the resulting shortcut menu to display the server’s properties sheet, and then select the properties sheet’s IP tab. At the top of the IP tab is an Enable IP Routing check box. If this check box is enabled, VPN and RAS users will be able to get to the rest of the network. If the check box is not selected, these users will be able to access only the VPN server, but nothing beyond.
The problem could also be related to other routing issues. For example, if a user is dialing directly in to the VPN server, it’s usually best to configure a static route between the client and the server. You can configure a static route by going to the Dial In tab of the user’s properties sheet in Active Directory Users And Computers, and selecting the Apply A Static Route check box. This will cause Windows to display the Static Routes dialog box. Click the Add Route button and then enter the destination IP address and network mask in the space provided. The metric should be left at 1.
If you're using a DHCP server to assign IP addresses to clients, there are a couple of other problems that could cause users not to be able to go beyond the VPN server. One such problem is that of duplicate IP addresses. If the DHCP server assigns the user an IP address that is already in use elsewhere on the network, Windows will detect the conflict and prevent the user from accessing the rest of the network.
Another common problem is the user not receiving an address at all. Most of the time, if the DHCP server can’t assign the user an IP address, the connection won’t make it this far. However, there are situations in which an address assignment fails, so Windows automatically assigns the user an address from the 169.254.x.x range. If the client is assigned an address in this range, but this address range isn’t present in the system’s routing tables, the user will be unable to navigate the network beyond the VPN server.
Difficulty establishing a tunnel
If everything seems to be working well, but you can’t seem to establish a tunnel between the client and the server, there are two main possibilities of what could be causing the problem. The first possibility is that one or more of the routers involved is performing IP packet filtering. IP packet filtering could prevent IP tunnel traffic. I recommend checking the client, the server, and any machines in between for IP packet filters. You can do this by clicking the Advanced button on each machine’s TCP/IP Properties sheet, selecting the Options tab from the Advanced TCP/IP Settings Properties sheet, selecting TCP/IP Filtering, and clicking the Properties button.
The other possibility is that a proxy server is standing between the client and the VPN server. A proxy server performs NAT translation on all traffic flowing between the client and the Internet. This means that packets appear to be coming from the proxy server rather than from the client itself. In some cases, this interaction could prevent a tunnel from being established, especially if the VPN server is expecting the client to have a specific IP address. You must also keep in mind that a lot of older or low-end proxy servers (or NAT firewalls) don’t support the L2TP, IPSec, or PPTP protocols that are often used for VPN connections.
Troubleshoot multicast
Troubleshooting Strategies
When you troubleshoot multicast networks, it is good to consider both the signaling protocol used in the network and the packet flow. The signaling protocol is used to set up and tear down the multicast sessions (for example PIM dense mode, PIM sparse mode, and DVMRP), and packet flow is the actual sending, replicating, and receiving of the multicast packets between the source and receiver, based on the forwarding table created by the signaling process.
Check Source Packet Flow
Complete these steps to determine if the source is actually sourcing the packets and inserting the correct packet fields:
Check the interface counters on the source host (if you are on a UNIX system, use the netstat command) to see if it is sending packets. If it is not, check for misconfiguration or bugs in the host stack and application.
Use the show ip igmp groups interface-name command to check the upstream router to see if it received a join membership report at the interface directly connected to source.
Check the TTL value in the application sourcing packets; it should be greater than 1. If the application sends packets with a TTL value less than 1, you should see the traffic dropped at the first upstream router. To verify, use the show ip traffic command and look for an increase in the value of the "bad hop count" counter. Any packet with a TTL value of 1, or less than the TTL threshold set on the interface with the ip multicast ttl-threshold command, is dropped and the "bad hop count" counter is increased by one. Use the show ip igmp interface interface-name command to see the interface TTL threshold value.
Use the show ip mroute count and show ip mroute active commands to check the first upstream router or switch to see if it sees multicast packets from the source. The command output shows the traffic flow statistics for each (S,G) pair. If you do not observe any traffic, check receiver signaling.
Use the debug ip mpacket command on the nearest upstream router, with the detail or acl argument for granularity. Use the detail argument to show packet headers in the debug output, and access lists to check for traffic from specific sources. Use this command only if necessary and with caution when there is heavy multicast traffic on the network, because it can have a serious performance impact on other traffic through the router.
Check Network Signaling
This is the most complex and important piece of troubleshooting in any network. It depends on the network signaling protocol used, such as PIM sparse mode, PIM dense mode, and DVMRP. We recommend the multi-step approach described in this section.
Troubleshooting PIM Sparse Mode
Complete these steps to troubleshoot PIM sparse mode.
Check that IP multicast routing is enabled on all multicast routers.
Use the show ip pim neighbor command to check the expiration timer and mode to ensure successful PIM neighbor establishment, and look for any possible connectivity and timer issues that might inhibit the establishment of PIM neighbors. If necessary, use the ip pim [version] [dense-mode] [sparse-mode] [sparse-dense-mode] interface level subcommand to set the correct mode and version to successfully establish the PIM neighbors.
Use the show ip pim rp mapping command to ensure the correct Group-to-RP mapping and to check the expiration timer if auto-RP is configured. Use the debug ip pim auto-rp command to help figure out any auto-RP failures. If you do not see any PIM Group-to-RP Mappings, check the Auto-RP configuration, or configure static Group-to-RP mappings with the ip pim rp-address ip-address-of-RP [access-list] [named-accesslist] [override] command.
Use the show ip rpf ip-address-of-source command to check for an RPF failure for the source address. PIM dense mode and PIM sparse mode send Prune messages back to the source if traffic arrives on a non-RPF point-to-point interface. The debug ip pim command helps identify possible reasons for a failure in a PIM network; compare the typical output with what you see. Use this output to identify the three discrete stages in PIM sparse mode: joining, registering, and SPT-switchover. The show ip mroute command allows you to watch the null entries in the Outgoing Interface lists and pruned entries in the mroute table.
Check Network Packet Flow
Use these commands to check the flow of multicast packets across the network:
multicast trace hop-by-hop using the mtrace command
mstat
ping
show ip mroute count
show ip mroute active
debug ip mpacket
Check Receiver Signaling
Complete these steps to check receiver signaling:
Use the show ip igmp groups command at the first upstream router connected to the receiver to check that the interface has joined the group.
Use the ping command to check the reachability of the host and the first upstream router.
Use the show ip igmp interface command to check the IGMP version of the interface.
Remember that a router configured with IGMP version 1 considers IGMP version 2 packets received from the host as invalid. These IGMP packets do not join the group until the router receives an IGMP version 1 packet from the host.
Use the debug ip igmp command to further troubleshoot receiver signaling.
Check Receiver Packet Flow
Complete these steps to check the receiver packet flow.
Use the netstat command on a UNIX system to check the receiver interface statistics.
Check that the TCP/IP stack was installed and configured properly.
Check that the Multicast receiver client application was installed and configured properly.
Watch for duplicate multicast packets on a multiaccess segment.
show Commands
The commands in this section help you gather useful information when troubleshooting a multicast problem. Refer to the IP Multicast Command Reference Guide for more extensive information on these show commands.
If show command responses are sluggish, the most probable reason is that the router is trying to resolve the IP addresses in the output to names via DNS (the "?" next to addresses in the outputs below is the result of a failed lookup). Use the no ip domain-lookup command in global configuration mode to disable DNS lookups; this speeds up show command output.
show ip igmp groups
This command shows which multicast groups have members directly connected to the router, as learned via Internet Group Management Protocol (IGMP). Use it to verify that a source or receiver has actually joined the target group on the router interface. The "Last Reporter" column shows a single IGMP host: the last one that sent a membership report for that group, either unsolicited (a join) or in response to an IGMP query from the router. You should see only one "Last Reporter" per group address and interface.
R1# show ip igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
239.255.0.1 Ethernet1 00:10:54 00:01:10 192.168.9.1
224.0.1.40 Ethernet0 01:36:27 00:02:45 192.168.10.2
224.0.1.40 Ethernet1 01:48:15 never 192.168.9.3
show ip igmp interface
Use this command to display multicast-related information about an interface: whether IGMP is enabled, which IGMP version is running, the timers, the Time To Live (TTL) threshold, and which router is the IGMP querier. IGMP does not need to be configured separately on an interface; it is enabled automatically when you configure ip pim dense-mode, ip pim sparse-mode, or ip pim sparse-dense-mode. The "Inbound IGMP access group" line shows whether an ip igmp access-group ACL restricts the groups that hosts on the segment are allowed to join; "not set", as in the output below, means any host can join any group.
R1# show ip igmp interface
Ethernet1 is up, line protocol is up
Internet address is 192.168.9.3/24
IGMP is enabled on interface
Current IGMP version is 2
CGMP is disabled on interface
IGMP query interval is 60 seconds
IGMP querier timeout is 120 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1000 ms
Inbound IGMP access group is not set
IGMP activity: 22 joins, 18 leaves
Multicast routing is enabled on interface
Multicast TTL threshold is 0
Multicast designated router (DR) is 192.168.9.5
IGMP querying router is 192.168.9.3 (this system)
Multicast groups joined (number of users):
224.0.1.40(1)
show ip pim neighbor
Use this command to list the Protocol Independent Multicast (PIM) neighbors discovered by the Cisco IOS® Software.
R1# show ip pim neighbor
PIM Neighbor Table
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
10.10.10.1 Ethernet0/0 02:19:41/00:01:38 v2 1 / DR B S
Details of each field are explained below.
Neighbor Address - Specifies a PIM neighbor's IP address
Interface - An interface where a PIM neighbor was discovered
Uptime - The total uptime of neighbor
Expires - The time remaining before the neighbor is timed out if no further PIM hello is received from it
Ver - The version of PIM on neighbor's interface
DR Prio - The possible values are 0 to 4294967294 or "N"
This column tracks the priority of the neighbor's PIM interface for DR election. The ability to elect the DR on highest priority rather than highest IP address was introduced in Cisco IOS versions 12.1(2)T and 12.2 and in Cisco IOS images with Bidir-PIM. Use the ip pim dr-priority <0-4294967294> interface command to set the DR priority; the default is 1. For interoperability, if a PIM neighbor runs an older Cisco IOS version that does not support the DR priority feature, the "DR Prio" column shows "N". If that neighbor is the only router showing "N" on the interface, it becomes the DR regardless of which router actually has the highest IP address. If several PIM neighbors show "N", the tie-breaker is the highest IP address among them. The consequence is that a router which simply omits the DR priority option wins the election, so an unexpected "N" on a sparse-mode segment is worth checking.
Mode - Information regarding the DR and other PIM capabilities.
This column lists the DR in addition to any capabilities supported by the PIM neighbor:
DR - The PIM neighbor is Designated Router
B - Bidirectional PIM (Bidir-PIM) capable
S - State refresh capable (applies only for dense mode)
When you troubleshoot, use this command to verify that all neighbors are up and that they use the proper mode, version, and expiration timer. You can also check the router configuration, or use the show ip pim interface command, to verify the mode (PIM sparse or dense). Use the debug ip pim command to observe the PIM hello (query) exchange.
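The DR election rule described under DR Prio is easy to misjudge by eye when a segment mixes routers with and without priority support. The Python below is an added example, not code from the page or from Cisco IOS: it parses show ip pim neighbor rows in the column layout shown above, applies the rule exactly as the page states it, and reports where the neighbor flagged DR differs from what the rule predicts. The neighbor table embedded in it is constructed for the example.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed neighbor table in the column layout of "show ip pim neighbor" above (not the page's
# own output). 10.1.1.2 advertises no DR priority ("N"), as a router running older IOS would.
SAMPLE_NEIGHBORS = """\
PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.1.1.9          Ethernet0/0              02:19:41/00:01:38 v2    1 / DR S
10.1.1.2          Ethernet0/0              00:03:12/00:01:29 v2    N / S
10.1.1.5          Ethernet0/0              01:10:03/00:01:40 v2    1 / S
"""

class Neighbor(NamedTuple):
    address: ipaddress.IPv4Address
    interface: str
    priority: Optional[int]   # None when the column shows "N" (no DR-priority option sent)
    claims_dr: bool           # "DR" appeared in the Mode column

# address, interface, uptime/expires, version, "prio / mode"; header lines do not match
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\S+\s+v(\d)\s+(\d+|N)\s*/\s*(.*)$")

def parse_pim_neighbors(text: str) -> List[Neighbor]:
    neighbors = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        addr, ifname, _ver, prio, mode = m.groups()
        neighbors.append(Neighbor(ipaddress.IPv4Address(addr), ifname,
                                  None if prio == "N" else int(prio),
                                  "DR" in mode.split()))
    return neighbors

def elect_dr(neighbors: List[Neighbor]) -> ipaddress.IPv4Address:
    """The rule as this page states it, for the routers of one interface:
    - exactly one router showing "N" becomes DR regardless of IP address;
    - several "N" routers: the highest IP address among them wins;
    - otherwise the highest DR priority wins and the highest IP address breaks ties."""
    if not neighbors:
        raise ValueError("no PIM neighbors on interface")
    no_priority = [n for n in neighbors if n.priority is None]
    if no_priority:
        return max(no_priority, key=lambda n: n.address).address
    return max(neighbors, key=lambda n: (n.priority, n.address)).address

def dr_mismatches(text: str) -> dict:
    """Per interface: the DR the rule predicts among the listed neighbors, the neighbor(s) the
    output flags as DR, and whether a priority-less neighbor caused priorities to be ignored.
    (The local router is not a row in its own output; if it is the DR, "shown" is empty.)"""
    by_interface = {}
    for n in parse_pim_neighbors(text):
        by_interface.setdefault(n.interface, []).append(n)
    report = {}
    for ifname, nbrs in by_interface.items():
        report[ifname] = {
            "predicted": str(elect_dr(nbrs)),
            "shown": [str(n.address) for n in nbrs if n.claims_dr],
            "priority_ignored": any(n.priority is None for n in nbrs),
        }
    return report

if __name__ == "__main__":
    for ifname, info in dr_mismatches(SAMPLE_NEIGHBORS).items():
        print(ifname, info)
```

On the constructed table the rule predicts 10.1.1.2 as DR while the output still flags 10.1.1.9, which is exactly the situation to investigate on a sparse-mode segment: the DR is the router that sends Registers and Joins on behalf of that segment, and here a neighbor that sent no priority option would take that role from the router you configured.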
show ip pim interface
Use this command to display information about interfaces configured for PIM. In addition, you can use this command to verify that the correct PIM mode (dense or sparse) is configured on the interface, that the neighbor count is correct, and that the designated router (DR) is correct (which is critical for PIM sparse mode). Multi-access segments (such as Ethernet, Token Ring, FDDI) elect a DR by highest DR priority, with highest IP address as the tie-breaker (see the DR Prio description under show ip pim neighbor). Point-to-point links do not display DR information.
R1# show ip pim interface
Address Interface Version/Mode Nbr Query DR
Count Intvl
192.168.10.1 Ethernet0 v2/Sparse-Dense 1 30 192.168.10.2
192.168.9.3 Ethernet1 v2/Sparse-Dense 1 30 192.168.9.5
show ip mroute summary
Use this command to display the summarized contents of the IP multicast routing table. You can also use it to verify the active multicast group(s) and which multicast senders are active by looking at the timers and flags.
R1# show ip mroute summary
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT
M - MSDP created entry, X - Proxy Join Timer Running
A - Advertised via MSDP
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 239.255.0.1), 01:57:07/00:02:59, RP 192.168.7.2, flags: SJCF
(133.33.33.32, 239.255.0.1), 01:56:23/00:02:59, flags: CJT
(192.168.9.1, 239.255.0.1), 01:57:07/00:03:27, flags: CFT
(*, 224.0.1.40), 1d00h/00:00:00, RP 192.168.7.2, flags: SJPCL
show ip mroute
Use this command to display the full contents of the IP multicast routing table. When you troubleshoot, use this command to verify:
The (S,G) and (*,G) state entries from the flags.
The incoming interface is correct. If it is not, check the unicast routing table.
The outgoing interface(s) is correct. If it is incorrectly pruned, check the state in the downstream router.
R1# show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT
M - MSDP created entry, X - Proxy Join Timer Running
A - Advertised via MSDP
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 239.255.0.1), 01:55:27/00:02:59, RP 192.168.7.2, flags: SJCF
Incoming interface: Ethernet0, RPF nbr 192.168.10.2
Outgoing interface list:
Ethernet1, Forward/Sparse, 01:55:27/00:02:52
(133.33.33.32, 239.255.0.1), 01:54:43/00:02:59, flags: CJT
Incoming interface: Ethernet0, RPF nbr 192.168.10.2
Outgoing interface list:
Ethernet1, Forward/Sparse, 01:54:43/00:02:52
(192.168.9.1, 239.255.0.1), 01:55:30/00:03:26, flags: CFT
Incoming interface: Ethernet1, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0, Forward/Sparse, 01:55:30/00:03:12
(*, 224.0.1.40), 1d00h/00:00:00, RP 192.168.7.2, flags: SJPCL
Incoming interface: Ethernet0, RPF nbr 192.168.10.2
Outgoing interface list: Null
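The three checks listed above (state flags, incoming interface, outgoing interface list) are mechanical enough to script. The Python below is an added example, not code from the page or from Cisco: it parses the show ip mroute output shown above (embedded as the sample input) into per-entry records and reports pruned entries, Null outgoing interface lists, and incoming interfaces that disagree with the RPF interface you got from show ip rpf <source>, which you pass in as a {source: interface} mapping. The Serial0 value used in the usage note is an assumption to show a mismatch, not something from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Input: the "show ip mroute" output shown above (copied from the page, prompt line dropped).
SHOW_IP_MROUTE = """\
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT
M - MSDP created entry, X - Proxy Join Timer Running
A - Advertised via MSDP
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode
(*, 239.255.0.1), 01:55:27/00:02:59, RP 192.168.7.2, flags: SJCF
Incoming interface: Ethernet0, RPF nbr 192.168.10.2
Outgoing interface list:
Ethernet1, Forward/Sparse, 01:55:27/00:02:52
(133.33.33.32, 239.255.0.1), 01:54:43/00:02:59, flags: CJT
Incoming interface: Ethernet0, RPF nbr 192.168.10.2
Outgoing interface list:
Ethernet1, Forward/Sparse, 01:54:43/00:02:52
(192.168.9.1, 239.255.0.1), 01:55:30/00:03:26, flags: CFT
Incoming interface: Ethernet1, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0, Forward/Sparse, 01:55:30/00:03:12
(*, 224.0.1.40), 1d00h/00:00:00, RP 192.168.7.2, flags: SJPCL
Incoming interface: Ethernet0, RPF nbr 192.168.10.2
Outgoing interface list: Null
"""

# "(source, group), uptime/expires[, RP x], flags: F"  /  "Incoming interface: I, RPF nbr N"
# / "Iface, Forward/Sparse, uptime/expires" (outgoing interface lines)
ENTRY = re.compile(r"^\((\S+), (\S+)\), (\S+)/(\S+)(?:, RP (\S+))?, flags: (\S+)$")
IIF = re.compile(r"^Incoming interface: (\S+), RPF nbr (\S+)")
OIF = re.compile(r"^(\S+), (\S+)/(\S+), (\S+)/(\S+)")

@dataclass
class Mroute:
    source: str                 # "*" for a shared-tree (*,G) entry
    group: str
    flags: str
    rp: Optional[str] = None
    iif: Optional[str] = None
    rpf_nbr: Optional[str] = None
    oil: List[str] = field(default_factory=list)   # outgoing interfaces in Forward state

def parse_mroute(text: str) -> List[Mroute]:
    entries: List[Mroute] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            src, grp, _uptime, _expires, rp, flags = m.groups()
            entries.append(Mroute(src, grp, flags, rp))
            continue
        if not entries:
            continue                      # still inside the legend
        current = entries[-1]
        m = IIF.match(line)
        if m:
            current.iif, current.rpf_nbr = m.groups()
            continue
        if line.startswith("Outgoing interface list"):
            continue                      # "Null", or the header for the lines that follow
        m = OIF.match(line)
        if m and m.group(2) == "Forward":
            current.oil.append(m.group(1))
    return entries

def check_mroute(text: str, rpf_iface: Optional[Dict[str, str]] = None) -> List[str]:
    """One finding per problem, for the three things the page says to verify: the flags,
    the incoming interface (compared with the show ip rpf result passed in rpf_iface as
    {source: interface}), and a pruned or Null outgoing interface list."""
    rpf_iface = rpf_iface or {}
    findings = []
    for e in parse_mroute(text):
        key = f"({e.source}, {e.group})"
        if "P" in e.flags:
            findings.append(f"{key} is pruned (flags {e.flags})")
        if not e.oil:
            findings.append(f"{key} has a Null outgoing interface list")
        want = rpf_iface.get(e.source)
        if want and want != e.iif:
            findings.append(f"{key} incoming interface {e.iif} != RPF interface {want}")
    return findings

if __name__ == "__main__":
    for f in check_mroute(SHOW_IP_MROUTE, {"133.33.33.32": "Ethernet0"}):
        print(f)
```

With the RPF interface from the show ip rpf 133.33.33.32 output further down (Ethernet0), the only findings are the two for (*, 224.0.1.40). That entry is expected to look like this: 224.0.1.40 is the Auto-RP discovery group, the L flag says the router itself joined it, and there are no downstream receivers, so pruned with a Null list is normal there. Passing {"133.33.33.32": "Serial0"} instead (an assumed, wrong value) produces a third finding for the (133.33.33.32, 239.255.0.1) entry, which is the unicast-versus-multicast inconsistency that show ip route and static mroutes are used to resolve.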
show ip mroute active
Use this command to display the active traffic sources and groups whose rate is above the threshold (4 kbps by default, as the heading of the output shows; you can pass a different kbps value as an argument). When you troubleshoot, use it to verify which (S,G) pairs are active and the traffic rate of each (per-source rates appear only once the router has switched to the Shortest Path Tree (SPT) for that source), and to check whether traffic for the target group is being received. If it is not, look for active traffic starting at the source and working toward the receiver.
R1# show ip mroute active
Active IP Multicast Sources - sending >= 4 kbps
Group: 239.255.0.1, (?)
Source: 133.33.33.32 (?)
Rate: 10 pps/115 kbps(1sec), 235 kbps(last 23 secs), 87 kbps(life avg)
show ip rpf
Use this command to display the Reverse Path Forwarding (RPF) information that IP multicast routing uses for a source address: the RPF interface, the RPF neighbor, the route that supplied them, and where that route came from. When you troubleshoot, use it to verify that the RPF information is correct. If it is not, check the unicast routing table for the source address, and use ping and traceroute to the source address to verify that unicast routing works. You may need Distance Vector Multicast Routing Protocol (DVMRP) routes or static mroutes (ip mroute) to fix unicast-multicast inconsistencies, for example when the unicast path back to the source is not the path multicast traffic should arrive on.
R1# show ip rpf 133.33.33.32
RPF information for ? (133.33.33.32)
RPF interface: Ethernet0
RPF neighbor: ? (192.168.10.2)
RPF route/mask: 133.33.0.0/16
RPF type: unicast (eigrp 1)
RPF recursion count: 0
Doing distance-preferred lookups across tables
show ip mcache
Use this command to display the IP multicast fast-switching cache and to troubleshoot fast-switching problems. Each entry shows the (S,G) pair, the incoming interface, and, per outgoing interface, the MAC header prepended to forwarded packets. The first six bytes are the destination multicast MAC, which must be 01:00:5E followed by the low 23 bits of the group address (01005E7F0001 for 239.255.0.1 below); the next six are the router's own source MAC, followed by the 0800 IPv4 EtherType.
R1# show ip mcache
IP Multicast Fast-Switching Cache
(133.33.33.32/32, 239.255.0.1), Ethernet0, Last used: 00:00:00
Ethernet1 MAC Header: 01005E7F000100000C13DBA90800
(192.168.9.1/32, 239.255.0.1), Ethernet1, Last used: 00:00:00
Ethernet0 MAC Header: 01005E7F000100000C13DBA80800
show ip mroute count
Use this command to verify that multicast traffic is received and to check on its flow rates and drops. If no traffic is received, work from the source to the receiver until you find where the traffic stops. You can also use this command to verify that traffic is being forwarded. If it is not, use the show ip mroute command to look for "Null Outgoing interface list" and RPF failures.
R1# show ip mroute count
IP Multicast Statistics
routes using 2406 bytes of memory
2 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Group: 239.255.0.1, Source count: 2, Group pkt count: 11709
RP-tree: Forwarding: 3/0/431/0, Other: 3/0/0
Source: 133.33.33.32/32, Forwarding: 11225/6/1401/62, Other: 11225/0/0
Source: 192.168.9.1/32, Forwarding: 481/0/85/0, Other: 490/0/9
Group: 224.0.1.40, Source count: 0, Group pkt count:
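The counter line format above is compact enough that drops are easy to overlook when many groups are listed. The Python below is an added example, not code from the page or from Cisco: it parses the show ip mroute count output shown above (embedded as the sample input) and lists the (S,G) pairs with RPF failures or other drops, plus groups for which no source was counted, which is where the page says to start walking from the source toward the receiver.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Input: the "show ip mroute count" output shown above (copied from the page, prompt line dropped).
SHOW_IP_MROUTE_COUNT = """\
IP Multicast Statistics
routes using 2406 bytes of memory
2 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Group: 239.255.0.1, Source count: 2, Group pkt count: 11709
RP-tree: Forwarding: 3/0/431/0, Other: 3/0/0
Source: 133.33.33.32/32, Forwarding: 11225/6/1401/62, Other: 11225/0/0
Source: 192.168.9.1/32, Forwarding: 481/0/85/0, Other: 490/0/9
Group: 224.0.1.40, Source count: 0, Group pkt count:
"""

class Counters(NamedTuple):
    group: str
    source: str          # "RP-tree" for the shared-tree line
    pkts: int            # Forwarding: packet count
    pps: int             # Forwarding: packets per second
    avg_size: int        # Forwarding: average packet size
    kbps: int            # Forwarding: kilobits per second
    total: int           # Other: total packets seen for the entry
    rpf_failed: int      # Other: dropped because the RPF check failed
    other_drops: int     # Other: dropped for other reasons (OIF-null, rate-limit)

GROUP = re.compile(r"^Group: (\S+), Source count: (\d+)")
STATS = re.compile(r"^(?:RP-tree:|Source: (\S+?)(?:/\d+)?,) Forwarding: (\d+)/(\d+)/(\d+)/(\d+), "
                   r"Other: (\d+)/(\d+)/(\d+)")

def parse_mroute_count(text: str) -> Tuple[List[Counters], Dict[str, int]]:
    """Returns the per-entry counters and a {group: source count} map."""
    rows: List[Counters] = []
    source_count: Dict[str, int] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP.match(line)
        if m:
            current = m.group(1)
            source_count[current] = int(m.group(2))
            continue
        m = STATS.match(line)
        if m and current:
            source = m.group(1) or "RP-tree"
            rows.append(Counters(current, source, *(int(x) for x in m.groups()[1:])))
    return rows, source_count

def drop_report(text: str) -> List[str]:
    """Entries that saw traffic but did not forward all of it, and groups with no sources."""
    rows, source_count = parse_mroute_count(text)
    findings = []
    for r in rows:
        if r.rpf_failed or r.other_drops:
            findings.append(f"({r.source}, {r.group}): {r.rpf_failed} RPF failures, "
                            f"{r.other_drops} other drops (OIF-null/rate-limit) "
                            f"out of {r.total} packets seen")
    for group, n in source_count.items():
        if n == 0:
            findings.append(f"group {group}: no sources counted, check the source side first")
    return findings

if __name__ == "__main__":
    for f in drop_report(SHOW_IP_MROUTE_COUNT):
        print(f)
```

On the page's output this reports 9 dropped packets for (192.168.9.1, 239.255.0.1), consistent with its 490 seen versus 481 forwarded, and no sources for 224.0.1.40. The latter is expected here: 224.0.1.40 is the Auto-RP discovery group, and the router is a listener on it, not a forwarder. A non-zero "RPF failed" column is the value to chase with show ip rpf and show ip route.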
show ip route
Use this command to check the unicast routing table, which is what the RPF check consults. Fixing the unicast route for the source (or adding a static mroute for it) is what fixes the RPF failures in the mroute table.
R2# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
D 192.168.9.0/24 [90/307200] via 192.168.10.1, 00:59:45, Ethernet0
C 192.168.10.0/24 is directly connected, Ethernet0
D 192.168.4.0/24 [90/11040000] via 192.168.7.1, 23:21:00, Serial0
D 192.168.5.0/24 [90/11023872] via 192.168.7.1, 23:21:02, Serial0
C 192.168.7.0/24 is directly connected, Serial0
D 133.33.0.0/16 [90/2195456] via 192.168.7.1, 1d23h, Serial0
D 192.168.1.0/24 [90/11552000] via 192.168.7.1, 22:41:27, Serial0
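The show ip rpf and show ip route sections above describe the same lookup from two sides. The Python below is an added example, not code from the page or from Cisco IOS: it performs the RPF lookup by hand against the R2 routing table shown above (embedded as the sample input) as a longest-prefix match, reports the interface, neighbor and route the way show ip rpf does (0.0.0.0 as neighbor for a directly connected source, as show ip mroute prints it), and shows how a static mroute (ip mroute <network> <mask> <rpf-address>) overrides the unicast answer, with the rpf-address resolved recursively through the unicast table. IOS prefers the static mroute because its default administrative distance is 0. The static mroute used at the end is an assumption for illustration, not something configured on the page's routers.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Input: the route lines of the R2 "show ip route" output above (copied from the page, legend dropped).
SHOW_IP_ROUTE = """\
D 192.168.9.0/24 [90/307200] via 192.168.10.1, 00:59:45, Ethernet0
C 192.168.10.0/24 is directly connected, Ethernet0
D 192.168.4.0/24 [90/11040000] via 192.168.7.1, 23:21:00, Serial0
D 192.168.5.0/24 [90/11023872] via 192.168.7.1, 23:21:02, Serial0
C 192.168.7.0/24 is directly connected, Serial0
D 133.33.0.0/16 [90/2195456] via 192.168.7.1, 1d23h, Serial0
D 192.168.1.0/24 [90/11552000] via 192.168.7.1, 22:41:27, Serial0
"""

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None for a directly connected network
    interface: str

class RpfResult(NamedTuple):
    interface: str
    neighbor: str      # "0.0.0.0" for a directly connected source, as show ip mroute prints it
    route: str         # the unicast prefix, or the static mroute, that supplied the answer
    recursion: int     # extra lookups needed to resolve an rpf-address ("RPF recursion count")

# "D 133.33.0.0/16 [90/2195456] via 192.168.7.1, 1d23h, Serial0"
VIA = re.compile(r"^\S+\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+\S+,\s+(\S+)$")
# "C 192.168.10.0/24 is directly connected, Ethernet0"
CONNECTED = re.compile(r"^C\s+(\S+)\s+is directly connected,\s+(\S+)$")

def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = VIA.match(line)
        if m:
            routes.append(Route(ipaddress.ip_network(m.group(1)),
                                ipaddress.ip_address(m.group(2)), m.group(3)))
            continue
        m = CONNECTED.match(line)
        if m:
            routes.append(Route(ipaddress.ip_network(m.group(1)), None, m.group(2)))
    return routes

def unicast_lookup(addr: ipaddress.IPv4Address, routes: Sequence[Route]) -> Optional[Route]:
    """Longest-prefix match, which is how the unicast table answers an RPF query."""
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def rpf_lookup(source: str, routes: Sequence[Route],
               static_mroutes: Sequence[Tuple[str, str]] = ()) -> Optional[RpfResult]:
    """RPF interface and neighbor for a source. Each static mroute is given as
    ("<network> <mask>", "<rpf-address>"), the arguments as typed after "ip mroute"; a matching
    one is preferred over the unicast route and its rpf-address is resolved through the unicast
    table. None means there is no route at all, which shows up as an RPF failure."""
    src = ipaddress.ip_address(source)
    for net_mask, rpf_addr in static_mroutes:
        if src in ipaddress.ip_network(net_mask.replace(" ", "/")):
            via = unicast_lookup(ipaddress.ip_address(rpf_addr), routes)
            if via is None:
                return None
            return RpfResult(via.interface, rpf_addr, f"static mroute {net_mask}", 1)
    r = unicast_lookup(src, routes)
    if r is None:
        return None
    neighbor = "0.0.0.0" if r.next_hop is None else str(r.next_hop)
    return RpfResult(r.interface, neighbor, str(r.prefix), 0)

if __name__ == "__main__":
    routes = parse_routes(SHOW_IP_ROUTE)
    print(rpf_lookup("133.33.33.32", routes))       # Serial0 via 192.168.7.1, as on R2
    print(rpf_lookup("10.9.9.9", routes))           # None: no route, RPF fails
    # Assumed static mroute (not on the page's routers): accept 133.33.0.0/16 from
    # 192.168.10.1 instead, which the unicast table reaches on Ethernet0.
    print(rpf_lookup("133.33.33.32", routes, [("133.33.0.0 255.255.0.0", "192.168.10.1")]))
```

For R2 the source 133.33.33.32 resolves to Serial0 via 192.168.7.1, so any (133.33.33.32, G) entry on R2 whose incoming interface is not Serial0 is the inconsistency to fix; the static mroute call shows the effect of moving that expectation to Ethernet0 without touching unicast routing, which is the use of ip mroute the page alludes to.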
show ip pim rp mapping
Use this command to check the RP assignment by multicast group range, and to verify that the source of RP learning (static or auto-RP) and the mapping are correct. If you find an error, check the local router configuration or auto-RP configuration.
R1# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s) 224.0.1.40/32
RP 192.168.7.2 (?), v1
Info source: local, via Auto-RP
Uptime: 2d00h, expires: never
Group(s): 224.0.0.0/4, Static
RP: 192.168.7.2 (?)
clear ip igmp group
To delete entries from the IGMP cache, use the clear ip igmp group EXEC command:
clear ip igmp group [group-name | group-address | type number]
group-name
(Optional) Name of the multicast group, as defined in the DNS hosts table or with the ip host command.
group-address
(Optional) Address of the multicast group. This is a multicast IP address in four-part, dotted notation.
type number
(Optional) Interface type and number.
clear ip mroute
To delete entries from the IP multicast routing table, use the clear ip mroute EXEC command:
clear ip mroute {* | group [source]}
*
Deletes all entries from the IP multicast routing table.
group
One of the following:
· Name of the multicast group, as defined in the DNS hosts table or with the ip host command.
· IP address of the multicast group. This is a multicast IP address in four-part, dotted notation.
source
(Optional) If you specify a group name or address, you can also specify the name or address of a multicast source that is transmitting to the group. A source does not need to be a member of the group.
Clearing entries removes forwarding state until it is relearned from the next packets and joins, so on a production router clear a single group (and source) where possible rather than the whole table with *.