Wednesday, April 30, 2008

How to update dynagen in Ubuntu using the rpm file

First check if the update is available through the Synaptic Package Manager. If it's there then select and proceed with the update. Nothing different here.

At the time of writing, the latest version found through the official Ubuntu repositories is 0.10.1, which is what I had installed too:


xxx@ubuntu:~/Desktop$ dynagen --version
dynagen 0.10.1.090807


But in many cases, especially for beta versions, you won't find it in Synaptic. So go to the dynagen site and choose one of the following:

If you click on the "Interim Builds" link, you'll see a local page with all the current beta/alpha versions, if there are any. Download the latest rpm file.

If you click on the "Download" link, you'll be directed to Sourceforge.net for the official stable builds where you'll have to download the latest rpm file.

Usually, new beta versions appear in the "Interim Builds" section and, once they become stable after a while, they are moved to the "Download" section.

The latest version at the time of writing is 0.11.0 (which is not available through Synaptic). So proceed and download "dynagen-0.11.0-1.fc9.noarch.rpm" from sourceforge.net into a local directory.

In order to install it, you must first convert it from rpm to deb using the alien program, so get alien through Synaptic or apt-get.


xxx@ubuntu:~/Desktop$ sudo apt-get install alien


However, you should keep in mind what the alien man page says:

"alien should not be used to replace important system packages, like init, libc, or other things that are essential for the functioning of your system. Many of these packages are set up differently by the different distributions, and packages from the different distributions cannot be used interchangeably. In general, if you can't remove a package without breaking your system, don't try to replace it with an alien version."

Then move to the directory where you saved the latest dynagen rpm and run:


xxx@ubuntu:~/Desktop$ sudo alien -k dynagen-0.11.0-1.fc9.noarch.rpm
dynagen_0.11.0-1.fc9_all.deb generated


The -k option keeps the version number unchanged; by default alien increases it.

Now you have a deb package. You can use deb-gview (get it through synaptic/apt-get) in order to view its contents (plus the install locations).


xxx@ubuntu:~/Desktop$ deb-gview dynagen_0.11.0-1.fc9_all.deb


Finally, install it using dpkg:


xxx@ubuntu:~/Desktop$ sudo dpkg -i dynagen_0.11.0-1.fc9_all.deb
Selecting previously deselected package dynagen.
(Reading database ... 127883 files and directories currently installed.)
Unpacking dynagen (from dynagen_0.11.0-1.fc9_all.deb) ...
Setting up dynagen (0.11.0-1.fc9) ...


And check its new version after it has been installed:


xxx@ubuntu:~/Desktop$ dynagen --version
dynagen 0.11.0


You can also use the following if you want to automatically install the package after converting it:


xxx@ubuntu:~/Desktop$ sudo alien -i -k dynagen-0.11.0-1.fc9.noarch.rpm
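Before running dpkg -i on a package converted from another distribution, it is worth checking where its files would land, which is the point of the alien man page caveat above. The following Python script is an added example (not part of the original post): it parses a `dpkg-deb --contents` listing and flags files outside the usual application paths, setuid/setgid bits and non-root ownership. The sample listing is constructed; the `/usr/sbin` helper and `/etc/init.d` script in it are invented purely to show what a finding looks like and are not claims about the real dynagen package. `audit_deb()` runs the real command on a .deb when dpkg is installed.

```python
"""Check where a converted .deb would install its files before running dpkg -i.

Added example, not part of the original post. It applies the alien man page
caveat quoted above: a package converted from a foreign distribution should
only drop files into application paths, never replace system-essential ones.
"""
import re
import subprocess

# Tree prefixes a third-party application package may reasonably write to.
ALLOWED_PREFIXES = ("/usr/bin/", "/usr/share/", "/usr/lib/python", "/usr/local/", "/opt/")

# Paths where a foreign package would be replacing essential system files.
SENSITIVE_PREFIXES = ("/bin/", "/sbin/", "/lib/", "/etc/init.d/", "/usr/sbin/")

# One line of `dpkg-deb --contents` looks like tar's verbose listing:
# perms owner/group size date time ./path
_LINE_RE = re.compile(
    r"^(?P<perms>\S+)\s+(?P<owner>\S+)\s+(?P<size>\d+)\s+\S+\s+\S+\s+(?P<path>\./\S*)"
)


def parse_contents(listing):
    """Return (path, perms, owner) tuples for every entry in a dpkg-deb listing."""
    entries = []
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")[1:] or "/"   # strip the leading '.'
        entries.append((path, m.group("perms"), m.group("owner")))
    return entries


def audit(entries):
    """Classify the files of a package; directories are skipped."""
    findings = {"sensitive": [], "unexpected": [], "setuid": [], "non_root_owner": []}
    for path, perms, owner in entries:
        if perms.startswith("d"):
            continue
        if path.startswith(SENSITIVE_PREFIXES):
            findings["sensitive"].append(path)
        elif not path.startswith(ALLOWED_PREFIXES):
            findings["unexpected"].append(path)
        if "s" in perms[1:10]:          # setuid/setgid bit in the mode string
            findings["setuid"].append(path)
        if owner != "root/root":
            findings["non_root_owner"].append(path)
    return findings


def audit_deb(deb_path):
    """Run dpkg-deb on a real package (needs dpkg installed) and audit it."""
    out = subprocess.run(["dpkg-deb", "--contents", deb_path],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_contents(out))


# Constructed listing; the last two entries are invented to trigger findings.
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2008-04-30 12:00 ./
drwxr-xr-x root/root         0 2008-04-30 12:00 ./usr/
drwxr-xr-x root/root         0 2008-04-30 12:00 ./usr/bin/
-rwxr-xr-x root/root     12345 2008-04-30 12:00 ./usr/bin/dynagen
-rw-r--r-- root/root      2048 2008-04-30 12:00 ./usr/share/doc/dynagen/README
-rw-r--r-- root/root     54321 2008-04-30 12:00 ./usr/lib/python2.5/site-packages/dynagen/dynamips_lib.py
-rwsr-xr-x root/root      4096 2008-04-30 12:00 ./usr/sbin/dynagen-helper
-rw-r--r-- root/root       512 2008-04-30 12:00 ./etc/init.d/dynagen
"""

if __name__ == "__main__":
    for severity, paths in audit(parse_contents(SAMPLE_LISTING)).items():
        print(severity, paths)
```

An empty "sensitive" and "setuid" list is what you want to see before installing a converted package; anything else deserves a look at the deb-gview output first.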

Thursday, April 24, 2008

Proxy test takers, item harvesters and cheaters... be very afraid

"I've been in testing since the 1980's with Control Data's first computer testing implementation," said Randy Trask, Vice President of Market Development for Pearson VUE, "and I can tell you that cheating has always been around. What's changed is the pervasiveness of the internet. In a half second, an individual can compromise intellectual property around the globe in forums that are highly categorized and easily accessible."

That's true.

Trask said that VUE and Cisco had identified three main categories of people who attempt to compromise certification exams: proxy test takers, item harvesters and cheaters. "When we began to devise countermeasures, we developed techniques directed to each of the three groups," said Trask.

It's interesting that Cisco hasn't included another category that causes the compromising of its certification exams: its own people, who create the kinds of questions that lead people to become "cheaters". And if there weren't cheaters, there wouldn't be any need for item harvesters either.

Proxy test takers go to a test center and sit for an exam registered as another individual. "It's an age-old problem," said Trask, "but it's definitely a problem that we continue to see."

That's a real problem, and everyone pretending to be someone else should be prosecuted.

An item harvester is someone who takes an exam under their real name, but their sole intention is to steal intellectual property. The worst offenders in this category are those in the employ of black market test vendors or other organizations who believe they can profit from stealing test questions. A less sinister item harvester is someone who used a brain dump site to prepare for the exam and returns to the site to post several items that he remembers to "give back" to the group.

These are the people who are usually paid to do such a "job". If there weren't a corresponding demand from candidates, there would be far fewer of them. Need usually drives the market.

Cheaters are individuals who are not trying to profit stealing intellectual property; they are just dishonest people willing to cheat to pass an exam. "It's like when you were in school and somebody wrote the answers on the bottom of his shoe," said Trask.

I suppose most of them would do the same even if the exams were changed, in order to avoid the usual maxim "there is the correct answer, there is the wrong answer, and there is Cisco's answer."

It's like the people who continue to download pirated movies/songs even if some of them are costing less than their online time. They are addicted to this kind of activity.

But I believe that a considerable percentage of people become cheaters because Cisco is pushing them in that direction. This is surely not a good excuse, but lost time and money are the two main factors driving them that way.


Candidate Authentication Program

"In a proxy testing investigation, being able to review photographs associated with exams is a powerful investigative tool," said Trask. "If we have the same photograph appearing under different names and signatures, it provides evidence that is difficult to refute."


Let's hope that we don't end up having people being masqueraded in the exam room.

Exam Data Forensics

During a Cisco certification exam, each keystroke is logged and a record is created that includes the length of the test period, how much time was spent on each question, whether an answer was changed, how much time was spent on the second answer, etc. After the exam is completed, but before the results are processed, each exam session is analyzed by forensic software that analyzes the session against established behaviors and suspect exams are flagged for investigation.


That is an interesting approach. Usually you can't answer a question in 15 seconds unless you already know the answer because you have memorized it. But now all cheaters will delay their answers and try to act like they're thinking. Maybe a neuro-electrical head-device translator would solve this problem too?

Program Data Forensics

Another layer of security examines a wide range of other program attributes to determine what is occurring within the program. "We're comparing testing center to testing center, and within a center, we are comparing one administrator to another administrator to see if inconsistencies emerge," Trask said. "We look at things like candidates who live in one country but test in another; we review financial information, credit card information; just a very wide range of information to see patterns and inconsistencies."


Are there any candidates who travel to another country just to sit a written exam?

Consequences

In the past when someone was caught cheating they would have their score invalidated and their credential could be revoked. The most serious consequence would be preventing the individual from participating in a certification program. But the stakes are going up.

"Our evidence collection is now done for evidentiary purposes," said Trask. "We intend to pursue civil and criminal remedies against people who choose to profit from violating or infringing on our intellectual property. And I applaud Cisco for it. Previously people wanted to avoid any bad PR related to going after these groups, but both Pearson and Cisco are taking it very seriously and we will take action against them."


Are there going to be civil and criminal remedies for cheaters too? Can the forensics stand up as proof in court?
Anyhow, I guess now people will -actually- think twice before cheating...


Awareness and Engagement

Cisco and Pearson are developing targeted messaging that will be delivered in email campaigns to certification holders and on posters in testing centers. One central theme will be appropriate vs. inappropriate study methods and behavior. "In many instances, candidates don't see anything wrong about using or contributing to brain dump sites," said Trask. "We are going to be educating people about the local and federal laws governing theft of intellectual property in the various regions around the world."

Another effort will be to engage certification holders to alert program representatives in cases where people don't seem to have the requisite skills for a certification. "People who have earned a certification honestly have a vested interest in protecting the integrity of the process and the value of their certification," said Trask. "Anytime someone has a certification but doesn't have the skills to do the job, it hurts the value of everyone's certification."


I still don't see any plans for changing the exam type, for adding questions/labs that actually make the candidate think instead of memorizing a book or a dump.
How about mixing the order of answers? That should be an easy one.
How about adding new answers and removing old ones from the same question? This should be easy too.
How about removing all those needless questions that are put on purpose there in order to confuse you?
How about taking into account the candidate's comments and removing all the questions that receive a massive negative reception? Then these candidates should be given a free second chance (if they failed for giving wrong answers to these questions).
How about using dynamips and providing more realistic simulation labs instead of the silly "90% of commands not supported" ones?
How about giving a free recertification every 2 recertifications?
How about giving free lifetime recertification (twice a year) for CCIEs that have done exceptionally well in the lab?

You can read the whole article here.

Sunday, April 20, 2008

e-Islands (Connected Schools) - Greece where are you?

It has already been 3 months since the day I passed my CCIE lab in Brussels. During the same period that I was having my lab exam, a Networkers event was taking place in Barcelona. Although I very much wanted to visit it, I had other things on my mind that period, so I gave up the idea in favor of the CCIE.

Together with the Networkers event, there was the Cisco Networkers Innovation Awards event (an event that has run since 2004). The awards recognise those businesses that are at the forefront of deploying and successfully implementing innovative technologies, and delivering real and tangible benefits as a result.

This year the judging panel looked for advanced technology initiatives that clearly demonstrate the benefits of well-managed deployment, that have delivered significant improvements and have introduced innovative services through the effective use of technology.

What was most interesting about this year's awards was the "2008 Most Society Impacting Network" which went to CARNet (Croatian Academic and Research Network) for its project "e-Islands" (Connected Schools).

CARNet's e-Islands project aims to deliver e-contents to schools on Croatian islands, as well as the possibility of "live" participation in regional school courses, in order for the pupils on the islands to have access to the same knowledge regardless of where they live. In the first stage of the project, the CARNet network connected 21 regional schools on the islands around Zadar, Šibenik, Trogir and Dubrovnik with the mainland schools. Before this project, the children had to leave their homes in order to continue their schooling.

"We are very proud that our project has been recognized as an exceptional achievement in application of advanced technologies. We are particularly pleased because the project has been oriented at the development of knowledge society in order for every child, regardless of where he or she lives, to have access to the best education without having to leave their homes. It is our wish to expand the project to all Croatian regions with a similar problem, so that Croatia can fulfill all preconditions for becoming the knowledge based society. Giving the award to the Croatian project in the international competition is a great acknowledgment and incentive for further development, implementation and application of IT-communication solutions in Croatia," said Mr. Zvonimir Stanić, CARNet CEO.

In the near future the plan is to expand the project and include local health care institutions in the network. Among other things, this would reduce the need to transport patients for medical examinations and check-ups outside the islands. It is also planned to use an identical model on the mainland, for schools in the hinterland and in underdeveloped and geographically less accessible regions.

As you may already know Croatia is the country with the largest archipelago (698 islands, 389 islets and 78 reefs) in the Adriatic Sea, and second largest in the Mediterranean Sea (Greece has the greatest archipelago). So, why didn't Greece think of that?

Although there is also a Greek Research & Technology Network (grnet/EDET) which has deployed many interesting projects, I wish I could say the same about the Greek Government. But.... You know there is always a but.

In the last few months a wind of change has been blowing here in Greece too, as there have been many announcements from the Ministry of Transport and Communications about an FTTx "pilot" project for 2m citizens. Recently I attended (as Cisco's guest) a workshop about all this FTTx talk in Greece, where all the major local players presented their ideas and plans. There were many interesting views, but imho it might take a while until we see most of them in production. After all, you know very well how the Greek system works. I also learned that there will be some pilot FTTx projects in small areas during the next months. Let's hope Greece won't lose this chance too.


Btw, since I missed the European Networkers event this year, I decided to visit the American one... in Florida (22-26 June 2008)!
Orlando here I come!!! At least I hope so, if I ever get my visa...

Thursday, April 10, 2008

BGP - How to display incoming/outgoing routes before/after filtering

Below you'll find some simple BGP commands that you can use in order to check your policy-control rules (filter-list, distribute-list, route-map, etc.) locally, when you don't have access to the peer neighbor.

This is our initial network....

Incoming Routes : Before filtering (inbound soft-reconfiguration must be enabled *)


R1#sh ip bgp nei 10.10.10.2 received-routes
% Inbound soft reconfiguration not enabled on 10.10.10.2

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 1
R1(config-router)#neighbor 10.10.10.2 soft-reconfiguration inbound

R1#sh ip bgp nei 10.10.10.2 received-routes
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 20.20.0.0/16 10.10.10.2 0 0 2 i
*> 20.20.20.0/24 10.10.10.2 0 0 2 i

Total number of prefixes 2

Incoming Routes : After filtering


R1#sh ip bgp nei 10.10.10.2 routes
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 20.20.0.0/16 10.10.10.2 0 0 2 i
*> 20.20.20.0/24 10.10.10.2 0 0 2 i

Total number of prefixes 2

Outgoing Routes : Before filtering


R1#sh ip bgp
BGP table version is 8, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 0.0.0.0 32768 i
*> 1.1.0.0/16 0.0.0.0 32768 i
s> 1.1.1.0/25 0.0.0.0 0 32768 i
*> 1.1.1.0/24 0.0.0.0 32768 i
*> 20.20.0.0/16 10.10.10.2 0 0 2 i
*> 20.20.20.0/24 10.10.10.2 0 0 2 i

Outgoing Routes : After filtering


R1#sh ip bgp neighbors 10.10.10.2 advertised-routes
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 0.0.0.0 32768 i
*> 1.1.0.0/16 0.0.0.0 32768 i
*> 1.1.1.0/24 0.0.0.0 32768 i


Time to add some filtering....

Let's apply an inbound prefix-list first:


R1(config)#ip prefix-list R2-IN permit 20.20.0.0/16

R1(config)#router bgp 1
R1(config-router)#neighbor 10.10.10.2 prefix-list R2-IN in

Do an inbound soft reconfig:


R1#clear ip bgp 10.10.10.2 soft in

Incoming Routes : Before filtering


R1#sh ip bgp nei 10.10.10.2 received-routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 20.20.0.0/16 10.10.10.2 0 0 2 i
* 20.20.20.0/24 10.10.10.2 0 0 2 i

Total number of prefixes 2

Incoming Routes : After filtering


R1#sh ip bgp nei 10.10.10.2 routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 20.20.0.0/16 10.10.10.2 0 0 2 i

Total number of prefixes 1


So filtering works fine on the inbound.

Let's apply an outbound prefix-list now :


R1(config)#ip prefix-list R2-OUT permit 1.0.0.0/8 le 16

R1(config)#router bgp 1
R1(config-router)#neighbor 10.10.10.2 prefix-list R2-OUT out

Do an outbound soft reconfig:


R1#clear ip bgp 10.10.10.2 soft out

Outgoing Routes : Before filtering


R1#sh ip bgp
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 0.0.0.0 32768 i
*> 1.1.0.0/16 0.0.0.0 32768 i
s> 1.1.1.0/25 0.0.0.0 0 32768 i
*> 1.1.1.0/24 0.0.0.0 32768 i
*> 20.20.0.0/16 10.10.10.2 0 0 2 i

Outgoing Routes : After filtering


R1#sh ip bgp nei 10.10.10.2 advertised-routes
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 0.0.0.0 32768 i
*> 1.1.0.0/16 0.0.0.0 32768 i


So filtering works fine on the outbound too.

You can also use the following commands in order to test your policy-controls on your BGP table before you actually apply them.


R1#sh ip bgp ?
community Display routes matching the communities
community-list Display routes matching the community-list
filter-list Display routes conforming to the filter-list
prefix-list Display routes matching the prefix-list
quote-regexp Display routes matching the AS path "regular expression"
regexp Display routes matching the AS path regular expression
route-map Display routes matching the route-map


* : Because soft-reconfiguration keeps an extra copy of all the routes received from each neighbor, you should be careful when enabling it in a production network or in a network with many routes/neighbors. Route-refresh is a much better solution; you only lose the ability to view the incoming routes before filtering.
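The prefix-list results above can be reproduced without a router, which is handy when you want to reason about `ge`/`le` bounds before touching a production peer. The following Python script is an added example, not part of the original post and not IOS code: it models the documented IOS prefix-list semantics (first matching entry wins, implicit deny at the end, `ge`/`le` bound the prefix length, a bare entry is an exact-length match) and applies R1's two lists to the routes copied from the show outputs above.

```python
"""Cisco-style prefix-list matching, applied to the routes shown in this post.

Added example, not part of the original post. CONFIG holds the two lines
configured on R1; the route lists are copied from the show outputs.
"""
import ipaddress

# The two prefix-lists configured on R1 in this post.
CONFIG = """
ip prefix-list R2-IN permit 20.20.0.0/16
ip prefix-list R2-OUT permit 1.0.0.0/8 le 16
"""

# Routes from "sh ip bgp nei 10.10.10.2 received-routes" and the local routes
# R1 originates (from "sh ip bgp"); the suppressed /25 is never a candidate.
RECEIVED_FROM_R2 = ["20.20.0.0/16", "20.20.20.0/24"]
LOCAL_ROUTES = ["1.0.0.0/8", "1.1.0.0/16", "1.1.1.0/24"]


def parse_prefix_list(text):
    """Parse 'ip prefix-list NAME [seq N] permit|deny A/L [ge X] [le Y]' lines.
    Returns a list of (name, action, network, ge, le) in configuration order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        name, i = tok[2], 3
        if tok[i] == "seq":          # optional sequence number
            i += 2
        action = tok[i]
        net = ipaddress.ip_network(tok[i + 1], strict=False)
        i += 2
        ge = le = None
        while i + 1 < len(tok):
            if tok[i] == "ge":
                ge = int(tok[i + 1])
            elif tok[i] == "le":
                le = int(tok[i + 1])
            i += 2
        entries.append((name, action, net, ge, le))
    return entries


def entry_matches(prefix, net, ge, le):
    """IOS rule: the prefix must lie inside net and its length must fall in
    [lo, hi], where lo is ge (or net's length) and hi is le (or net's length
    for an exact match, or the maximum length when only ge is given)."""
    if prefix.version != net.version or not prefix.subnet_of(net):
        return False
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return lo <= prefix.prefixlen <= hi


def apply_prefix_list(entries, name, prefixes):
    """Return the prefixes the named list permits; first match wins and a
    prefix matching no entry hits the implicit deny."""
    permitted = []
    for p in prefixes:
        p = ipaddress.ip_network(p)
        for n, action, net, ge, le in entries:
            if n == name and entry_matches(p, net, ge, le):
                if action == "permit":
                    permitted.append(str(p))
                break
    return permitted


if __name__ == "__main__":
    entries = parse_prefix_list(CONFIG)
    print("R2-IN accepts :", apply_prefix_list(entries, "R2-IN", RECEIVED_FROM_R2))
    print("R2-OUT sends  :", apply_prefix_list(entries, "R2-OUT", LOCAL_ROUTES))
```

The output matches the `routes` and `advertised-routes` tables above: R2-IN lets only 20.20.0.0/16 in (the /24 fails the exact-length test), and R2-OUT sends 1.0.0.0/8 and 1.1.0.0/16 but not 1.1.1.0/24.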

Monday, April 7, 2008

BGP - Can an aggregate-address suppress another aggregate-address on the same router?

Or can an aggregate-address aggregate another aggregate-address on the same router?

Today I was playing with BGP a little (I found some time to prepare for my CCIP) and here is what I found out:

Suppose you have the following config on a router:


interface Loopback1
ip address 1.1.1.1 255.255.255.128
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.128
aggregate-address 1.1.0.0 255.255.0.0 summary-only
aggregate-address 1.1.1.0 255.255.255.0 summary-only
neighbor 10.10.10.2 remote-as 2
no auto-summary


What do you think "sh ip bgp" will show? (please take some time and think about it...)

To be honest, my first thought was that it would display only the 1.1.0.0/16 summary, which "overlaps" the 1.1.1.0/24 summary.

Guess what?


R1#sh ip bgp
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.1.0.0/16 0.0.0.0 32768 i
s> 1.1.1.0/25 0.0.0.0 0 32768 i
*> 1.1.1.0/24 0.0.0.0 32768 i


According to Cisco, in order to aggregate an address, you must have a more-specific route of that address in the BGP table. And if you want the more-specific route to be suppressed, you must use the "summary-only" keyword.

So, if we want to be as strict as possible, in our case we do have a more-specific route in the BGP table (and in the routing table).


R1#sh ip bgp 1.1.1.0/24
BGP routing table entry for 1.1.1.0/24, version 5
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
10.10.10.2
Local, (aggregated by 1 1.1.1.1)
0.0.0.0 from 0.0.0.0 (1.1.1.1)
Origin IGP, localpref 100, weight 32768, valid, aggregated, local, atomic-aggregate, best
R1#
R1#sh ip route 1.1.1.0 255.255.255.0
Routing entry for 1.1.1.0/24
Known via "bgp 1", distance 200, metric 0, type locally generated
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
AS Hops 0


Although the aggregation part seems to work (it actually doesn't), the suppression part clearly doesn't: as it seems, an aggregate-address cannot suppress another, more-specific aggregate-address when both are created locally on the same router.

Now, let's change the configuration and make it more interesting by removing the "summary-only" keyword from the more-specific aggregate-address :


router bgp 1
no synchronization
bgp log-neighbor-changes
network 1.1.1.0 mask 255.255.255.128
aggregate-address 1.1.0.0 255.255.0.0 summary-only
aggregate-address 1.1.1.0 255.255.255.0
neighbor 10.10.10.2 remote-as 2
no auto-summary


R1#clear ip bgp *

R1#sh ip bgp
BGP table version is 5, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.1.0.0/16 0.0.0.0 32768 i
s> 1.1.1.0/25 0.0.0.0 0 32768 i
*> 1.1.1.0/24 0.0.0.0 32768 i


What do you think of that? We still have the same output. The more-specific (lower level) aggregate-address is not suppressed, but the more-specific network is (by the 1.1.0.0/16 aggregate-address).

Why is that? Although I'm not sure, looking at the following debugs (after adding another level of aggregation using the "aggregate-address 1.0.0.0 255.0.0.0 summary-only" command and resetting the BGP session), I have come to this explanation:


*Mar 1 02:28:52.107: BGP(0): nettable_walker 1.1.1.0/25 route sourced locally
*Mar 1 02:28:52.111: BGP(0): Aggregate processing for IPv4 Unicast
*Mar 1 02:28:52.111: BGP(0): For aggregate 1.0.0.0/8
*Mar 1 02:28:52.111: BGP(0): 1.0.0.0/8 subtree has an entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): sub-prefix : 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): Needs to be re-aggregated
*Mar 1 02:28:52.115: BGP(0): 1.0.0.0/8 subtree has an entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): 1.0.0.0/8 aggregate has 1.1.1.0/25 more-specific
*Mar 1 02:28:52.115: BGP(0): 1.0.0.0/8 aggregate created, attributes updated
*Mar 1 02:28:52.115: BGP(0): created aggregate route for 1.0.0.0/8
*Mar 1 02:28:52.115: BGP(0): 1.0.0.0/8 subtree has an entry 1.0.0.0/8
*Mar 1 02:28:52.115: BGP(0): 1.0.0.0/8 subtree has another entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): Found sub-prefix 1.1.1.0/25: suppressed
*Mar 1 02:28:52.115: BGP(0): For aggregate 1.1.0.0/16
*Mar 1 02:28:52.115: BGP(0): 1.1.0.0/16 subtree has an entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): sub-prefix : 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): Needs to be re-aggregated
*Mar 1 02:28:52.115: BGP(0): 1.1.0.0/16 subtree has an entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): 1.1.0.0/16 aggregate has 1.1.1.0/25 more-specific
*Mar 1 02:28:52.115: BGP(0): 1.1.0.0/16 aggregate created, attributes updated
*Mar 1 02:28:52.115: BGP(0): created aggregate route for 1.1.0.0/16
*Mar 1 02:28:52.115: BGP(0): 1.1.0.0/16 subtree has an entry 1.1.0.0/16
*Mar 1 02:28:52.115: BGP(0): 1.1.0.0/16 subtree has another entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): Found sub-prefix 1.1.1.0/25: suppressed
*Mar 1 02:28:52.115: BGP(0): For aggregate 1.1.1.0/24
*Mar 1 02:28:52.115: BGP(0): 1.1.1.0/24 subtree has an entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): sub-prefix : 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): Needs to be re-aggregated
*Mar 1 02:28:52.115: BGP(0): 1.1.1.0/24 subtree has an entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): 1.1.1.0/24 aggregate has 1.1.1.0/25 more-specific
*Mar 1 02:28:52.115: BGP(0): 1.1.1.0/24 aggregate created, attributes updated
*Mar 1 02:28:52.115: BGP(0): created aggregate route for 1.1.1.0/24
*Mar 1 02:28:52.115: BGP(0): 1.1.1.0/24 subtree has an entry 1.1.1.0/25
*Mar 1 02:28:52.115: BGP(0): Found sub-prefix 1.1.1.0/25: suppressed
*Mar 1 02:28:52.115: BGP(0): Found sub-prefix 1.1.1.0/24:
*Mar 1 02:28:52.115: BGP(0): Revise route installing 1 of 1 route for 1.0.0.0/8 -> 0.0.0.0 to main IP table
*Mar 1 02:28:52.119: RT: network 1.0.0.0 is now variably masked
*Mar 1 02:28:52.119: RT: add 1.0.0.0/8 via 0.0.0.0, bgp metric [200/0]
*Mar 1 02:28:52.119: RT: NET-RED 1.0.0.0/8
*Mar 1 02:28:52.119: BGP(0): Revise route installing 1 of 1 route for 1.1.0.0/16 -> 0.0.0.0 to main IP table
*Mar 1 02:28:52.119: RT: add 1.1.0.0/16 via 0.0.0.0, bgp metric [200/0]
*Mar 1 02:28:52.119: RT: NET-RED 1.1.0.0/16
*Mar 1 02:28:52.119: BGP(0): nettable_walker 1.1.1.0/25 route sourced locally
*Mar 1 02:28:52.119: BGP(0): Revise route installing 1 of 1 route for 1.1.1.0/24 -> 0.0.0.0 to main IP table
*Mar 1 02:28:52.119: RT: add 1.1.1.0/24 via 0.0.0.0, bgp metric [200/0]
*Mar 1 02:28:52.119: RT: NET-RED 1.1.1.0/24


During the initial scan, the aggregate processing algorithm of BGP doesn't even check the locally aggregated addresses (is recursive scanning too difficult/dangerous to implement?), because they aren't in the BGP table at the time of the scan (I guess if the scan went from more-specific to less-specific, it would find them). So it checks only the networks that are injected into BGP through the 3 known ways (network command, redistribution, other ASs). In our case, every configured aggregate-address aggregates and suppresses only the locally configured more-specific network. Specifically, the more-specific local network is aggregated & suppressed 3 times, once for each aggregate-address definition.

The result?


R1#sh ip bgp
BGP table version is 6, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 1.0.0.0 0.0.0.0 32768 i
*> 1.1.0.0/16 0.0.0.0 32768 i
s> 1.1.1.0/25 0.0.0.0 0 32768 i
*> 1.1.1.0/24 0.0.0.0 32768 i


If we add the less-specific aggregate after the BGP has already started, we get different debug logs:


*Mar 1 00:05:26.995: BGP(0): Aggregate processing for IPv4 Unicast
*Mar 1 00:05:26.995: BGP(0): For aggregate 1.0.0.0/8
*Mar 1 00:05:26.995: BGP(0): 1.0.0.0/8 subtree has an entry 1.1.0.0/16
*Mar 1 00:05:26.999: BGP(0): sub-prefix : 1.1.0.0/16
*Mar 1 00:05:26.999: BGP(0): Needs to be re-aggregated
*Mar 1 00:05:26.999: BGP(0): 1.0.0.0/8 subtree has an entry 1.1.0.0/16
*Mar 1 00:05:27.003: BGP(0): 1.0.0.0/8 aggregate has 1.1.1.0/25 more-specific
*Mar 1 00:05:27.007: BGP(0): 1.0.0.0/8 aggregate created, attributes updated
*Mar 1 00:05:27.007: BGP(0): created aggregate route for 1.0.0.0/8
*Mar 1 00:05:27.011: BGP(0): 1.0.0.0/8 subtree has an entry 1.0.0.0/8
*Mar 1 00:05:27.011: BGP(0): 1.0.0.0/8 subtree has another entry 1.1.0.0/16
*Mar 1 00:05:27.011: BGP(0): Found sub-prefix 1.1.0.0/16: not suppressed
*Mar 1 00:05:27.011: BGP(0): Found sub-prefix 1.1.1.0/25: suppressed
*Mar 1 00:05:27.011: BGP(0): Found sub-prefix 1.1.1.0/24: not suppressed
*Mar 1 00:05:27.011: BGP(0): For aggregate 1.1.0.0/16
*Mar 1 00:05:27.011: BGP(0): 1.1.0.0/16 subtree has an entry 1.1.0.0/16
*Mar 1 00:05:27.011: BGP(0): 1.1.0.0/16 subtree has another entry 1.1.1.0/25
*Mar 1 00:05:27.011: BGP(0): sub-prefix : 1.1.1.0/25
*Mar 1 00:05:27.011: BGP(0): Needs to be re-aggregated
*Mar 1 00:05:27.011: BGP(0): 1.1.0.0/16 subtree has an entry 1.1.0.0/16
*Mar 1 00:05:27.011: BGP(0): 1.1.0.0/16 subtree has another entry 1.1.1.0/25
*Mar 1 00:05:27.011: BGP(0): 1.1.0.0/16 aggregate has 1.1.1.0/25 more-specific
*Mar 1 00:05:27.011: BGP(0): 1.1.0.0/16 aggregate updated
*Mar 1 00:05:27.011: BGP(0): 1.1.0.0/16 subtree has an entry 1.1.0.0/16
*Mar 1 00:05:27.011: BGP(0): 1.1.0.0/16 subtree has another entry 1.1.1.0/25
*Mar 1 00:05:27.011: BGP(0): Found sub-prefix 1.1.1.0/25: suppressed
*Mar 1 00:05:27.011: BGP(0): Found sub-prefix 1.1.1.0/24: not suppressed
*Mar 1 00:05:27.011: BGP(0): For aggregate 1.1.1.0/24
*Mar 1 00:05:27.011: BGP(0): 1.1.1.0/24 subtree has an entry 1.1.1.0/25
*Mar 1 00:05:27.011: BGP(0): sub-prefix : 1.1.1.0/25
*Mar 1 00:05:27.011: BGP(0): Needs to be re-aggregated
*Mar 1 00:05:27.011: BGP(0): 1.1.1.0/24 subtree has an entry 1.1.1.0/25
*Mar 1 00:05:27.011: BGP(0): 1.1.1.0/24 aggregate has 1.1.1.0/25 more-specific
*Mar 1 00:05:27.011: BGP(0): 1.1.1.0/24 aggregate updated
*Mar 1 00:05:27.011: BGP(0): 1.1.1.0/24 subtree has an entry 1.1.1.0/25
*Mar 1 00:05:27.011: BGP(0): Found sub-prefix 1.1.1.0/25: suppressed
*Mar 1 00:05:27.011: BGP(0): Found sub-prefix 1.1.1.0/24:
*Mar 1 00:05:27.011: BGP(0): Revise route installing 1 of 1 route for 1.0.0.0/8 -> 0.0.0.0 to main IP table
*Mar 1 00:05:27.011: RT: add 1.0.0.0/8 via 0.0.0.0, bgp metric [200/0]
*Mar 1 00:05:27.011: RT: NET-RED 1.0.0.0/8


This time, all the existing more-specific aggregates are scanned, but they are clearly not suppressed.

According to RFC 4271:


3.2. Routing Information Base

The Routing Information Base (RIB) within a BGP speaker consists of
three distinct parts:

a) Adj-RIBs-In: The Adj-RIBs-In stores routing information learned
from inbound UPDATE messages that were received from other BGP
speakers. Their contents represent routes that are available
as input to the Decision Process.

b) Loc-RIB: The Loc-RIB contains the local routing information the
BGP speaker selected by applying its local policies to the
routing information contained in its Adj-RIBs-In. These are
the routes that will be used by the local BGP speaker. The
next hop for each of these routes MUST be resolvable via the
local BGP speaker's Routing Table.

c) Adj-RIBs-Out: The Adj-RIBs-Out stores information the local BGP
speaker selected for advertisement to its peers. The routing
information stored in the Adj-RIBs-Out will be carried in the
local BGP speaker's UPDATE messages and advertised to its
peers.

...
The Decision Process takes place in three distinct phases, each
triggered by a different event:

a) Phase 1 is responsible for calculating the degree of preference
for each route received from a peer.

b) Phase 2 is invoked on completion of phase 1. It is responsible
for choosing the best route out of all those available for each
distinct destination, and for installing each chosen route into
the Loc-RIB.

c) Phase 3 is invoked after the Loc-RIB has been modified. It is
responsible for disseminating routes in the Loc-RIB to each
peer, according to the policies contained in the PIB. Route
aggregation and information reduction can optionally be
performed within this phase.

...
9.2.2.2. Aggregating Routing Information

Aggregation is the process of combining the characteristics of
several different routes in such a way that a single route can be
advertised. Aggregation can occur as part of the Decision Process to
reduce the amount of routing information that will be placed in the
Adj-RIBs-Out.



If someone can provide a better (preferably technical) explanation for both cases, I would be very happy to hear it.

Btw, someone must tell Cisco to write more detailed docs:
"Aggregation applies only to routes that exist in the BGP routing table. An aggregated route is forwarded if at least one more specific route of the aggregation exists in the BGP routing table"

Anyhow, you may want to keep that in mind.

Saturday, April 5, 2008

CCIE practice - My new desktop environment in Ubuntu

After deciding to move to Ubuntu for all future dynamips labs, I sat down and tried to create a desktop environment in Ubuntu as comfortable as the one I had in Windows.

By default Ubuntu comes with 2 workspaces. I added one more (right click on a workspace in the bottom/right corner, choose Preferences and increase the number of columns), so I have 3 in total. I'll be using the 2nd workspace for all my routers' consoles and the 3rd one for all my switches' consoles. The 1st one is going to be used for everything else: browser windows, new shells, etc. You can very easily move between workspaces with this keyboard shortcut: CTRL+ALT+Left/Right Arrow.

I then created 10 new launchers (6 for routers, 4 for switches) in the bottom panel. You can add them to the top panel if you like, or you can create a new panel and add them there. You can also use a dock utility or anything else that can group icons and execute programs by clicking on them. As I have already written in a previous post of mine, I prefer the concept of a window per router/switch instead of using the terminal server and a single window for all the routers/switches. After all, in the lab you're given both options.

I also created 10 icons for these launchers, each one representing a router or a switch: R1-R6 and SW1-SW4 (you can see my icons below). Since I'm not a graphic designer, you can always use your own icons if you don't like mine. The icons are stored in a new directory I created under "/usr/share/icons/", called "dynamips".

In order to create a launcher, you can do the following:

Right click on the panel you want to add the launcher on and choose "Add to Panel...". Then choose "Custom Application Launcher" and enter the following:


Type : Application
Name : R1
Command : xterm -T R1 -geometry 80x30 -fn -*-fixed-medium-r-*-*-13-*-*-*-*-*-iso8859-* -sb -sl 5000 -rightbar -e telnet 127.0.0.1 2001


For every router/switch, you'll have to change the "R1" word (in Name and Command) and the "2001" port (in Command). The port number should be the same as the console port for this router/switch in your net file.

In the command field you can use your own terminal program if you don't like xterm. The options I used for xterm are the following:


-T R1 : title of the window
-geometry 80x30 : dimensions of the window in columns x rows
-fn -*-fixed-medium-r-*-*-13-*-*-*-*-*-iso8859-* : font used in the window (you can use "xfontsel" to see the available fonts)
-sb : display a scrollbar in the window
-sl 5000 : keep 5000 lines of scroll buffer
-rightbar : display the scrollbar on the right of the window
-e telnet 127.0.0.1 2001 : execute this command into the xterm window (this command has to be the last one)


There are several ways to avoid repeating all these parameters for every router/switch. For example, you can create an alias of xterm with these options (except -T, -e and maybe -geometry) already defined and use that command instead:


alias xterm-dynamips='xterm -fn -*-fixed-medium-r-*-*-13-*-*-*-*-*-iso8859-* -sb -sl 5000 -rightbar'


or you can define them in the .Xresources file in your home dir (and restart X), but then they will affect every xterm window.

If you don't want to let Ubuntu/Gnome choose the positions where the xterm windows open, you can be more specific in the "-geometry" option. In my case, where I have 2 different workspaces for the xterm windows and a resolution of 1280x1024, I used the following options for each router/switch.

Workspace 2
R1 : -geometry 80x30+0+0
R2 : -geometry 80x30+680+0
R3 : -geometry 80x30+0+660
R4 : -geometry 80x30+680+660
R5 : -geometry 80x30+0+330
R6 : -geometry 80x30+680+330

Workspace 3
SW1 : -geometry 80x30+0+0
SW2 : -geometry 80x30+680+0
SW3 : -geometry 80x30+0+660
SW4 : -geometry 80x30+680+660

On the top/left corner of the "Create Launcher" window you can see the default icon used for this kind of launcher. By clicking it, you can change it to one of the icons I mentioned above.

After repeating this process for every router and switch, you'll end up with something like this in the bottom panel:

If you want to move the icons as close to each other as possible, right click on the icon you want to move and choose "Move" from the menu. That way you can place your icons very precisely.

Keep in mind that all these launchers are saved as text files in the "~/.gnome2/panel2.d/default/launchers" directory:


xxx@ubuntu:~/.gnome2/panel2.d/default/launchers$ ls -al
total 56
drwx------ 2 xxx xxx 4096 2008-04-05 20:37 .
drwx------ 3 xxx xxx 4096 2008-03-29 18:13 ..
-rw-r--r-- 1 xxx xxx 5538 2008-04-05 15:57 gnome-terminal.desktop
-rw-r--r-- 1 xxx xxx 330 2008-04-05 20:36 xterm-1.desktop
-rw-r--r-- 1 xxx xxx 328 2008-04-05 20:36 xterm-2.desktop
-rw-r--r-- 1 xxx xxx 332 2008-04-05 20:37 xterm-3.desktop
-rw-r--r-- 1 xxx xxx 363 2008-04-05 20:32 xterm-4.desktop
-rw-r--r-- 1 xxx xxx 365 2008-04-05 20:32 xterm-5.desktop
-rw-r--r-- 1 xxx xxx 365 2008-04-05 20:32 xterm-6.desktop
-rw-r--r-- 1 xxx xxx 367 2008-04-05 20:32 xterm-7.desktop
-rw-r--r-- 1 xxx xxx 365 2008-04-05 20:35 xterm-8.desktop
-rw-r--r-- 1 xxx xxx 367 2008-04-05 20:35 xterm-9.desktop
-rw-r--r-- 1 xxx xxx 330 2008-04-05 20:36 xterm.desktop
xxx@ubuntu:~/.gnome2/panel2.d/default/launchers$


and each one of them has the following contents:


[Desktop Entry]
Version=1.0
Encoding=UTF-8
Type=Application
Terminal=false
Icon[en_US]=/usr/share/icons/dynamips/SW3.png
Exec=xterm -T SW3 -geometry 80x30+0+660 -fn -*-fixed-medium-r-*-*-13-*-*-*-*-*-iso8859-* -sb -sl 5000 -rightbar -e telnet 127.0.0.1 2009
Icon=gnome-panel-launcher
GenericName[en_US]=
Name[en_US]=SW3
Name=SW3
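
The launcher dialog, the alias trick and the geometry table above all boil down to ten nearly identical command lines, and the one value that must agree with the net file is the console port. The script below is an added example, not code from the original post: it reads each device's "console = N" line from a dynagen .net file and writes one .desktop file per router/switch with the same keys as the panel-generated file shown above. The xterm options, icon directory and window positions are the post's; the function names (console_port, write_launcher, make_launchers, write_sample_net) and the sample .net content are constructed for this example, and the IOS image path in it is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: build one GNOME panel
# launcher (.desktop file) per router/switch from a dynagen .net file, so the
# telnet port in each launcher is read from that device's "console = N" line
# instead of being typed ten times. xterm options, icon path and window
# positions are the post's; the .net content below is constructed.

XTERM_OPTS='-fn -*-fixed-medium-r-*-*-13-*-*-*-*-*-iso8859-* -sb -sl 5000 -rightbar'
ICON_DIR=/usr/share/icons/dynamips
CONSOLE_HOST=127.0.0.1   # the console telnet has no authentication: loopback only

# Window positions from the post: R1-R6 on workspace 2, SW1-SW4 on workspace 3.
LAYOUT='
R1  80x30+0+0
R2  80x30+680+0
R3  80x30+0+660
R4  80x30+680+660
R5  80x30+0+330
R6  80x30+680+330
SW1 80x30+0+0
SW2 80x30+680+0
SW3 80x30+0+660
SW4 80x30+680+660
'

# console_port NETFILE NAME: print the port from the "console = N" line of the
# [[ROUTER NAME]] section ("router" is matched case-insensitively); returns 1 if missing.
console_port() {
    net=$1; want=$2; in_section=0
    while read -r line || [ -n "$line" ]; do   # default IFS trims surrounding blanks
        case "$line" in
            ''|'#'*) ;;                            # blank line or comment
            \[\[*\]\])                             # [[ROUTER R1]], [[7200]], ...
                inner=${line#\[\[}; inner=${inner%\]\]}
                set -- $inner
                kind=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
                if [ "$kind" = ROUTER ] && [ "${2:-}" = "$want" ]; then in_section=1; else in_section=0; fi ;;
            \[*) in_section=0 ;;                   # [localhost] style header
            console*=*)
                if [ "$in_section" -eq 1 ]; then
                    set -- ${line#*=}; printf '%s\n' "$1"; return 0
                fi ;;
        esac
    done < "$net"
    return 1
}

# launcher_exec NAME PORT GEOMETRY: the xterm command line used in the post.
launcher_exec() {
    printf 'xterm -T %s -geometry %s %s -e telnet %s %s\n' \
        "$1" "$3" "$XTERM_OPTS" "$CONSOLE_HOST" "$2"
}

# write_launcher NAME PORT GEOMETRY OUTDIR: write OUTDIR/NAME.desktop with the
# same keys as the panel-generated file shown in the post.
write_launcher() {
    case "$CONSOLE_HOST" in
        127.*|localhost) ;;
        *) echo "refusing non-loopback console host $CONSOLE_HOST" >&2; return 1 ;;
    esac
    {
        printf '[Desktop Entry]\nVersion=1.0\nEncoding=UTF-8\nType=Application\nTerminal=false\n'
        printf 'Icon[en_US]=%s/%s.png\n' "$ICON_DIR" "$1"
        printf 'Exec=%s\nIcon=gnome-panel-launcher\nGenericName[en_US]=\n' "$(launcher_exec "$1" "$2" "$3")"
        printf 'Name[en_US]=%s\nName=%s\n' "$1" "$1"
    } > "$4/$1.desktop"
}

# make_launchers NETFILE OUTDIR: one launcher per LAYOUT entry found in NETFILE; others are skipped.
make_launchers() {
    mkdir -p "$2"
    printf '%s\n' "$LAYOUT" | while read -r dev geom; do
        [ -n "$dev" ] || continue
        if port=$(console_port "$1" "$dev"); then
            write_launcher "$dev" "$port" "$geom" "$2"
        else
            echo "no console port for $dev in $1, launcher skipped" >&2
        fi
    done
}

# write_sample_net PATH: constructed .net fragment (not the author's lab; image path is a placeholder).
write_sample_net() {
    cat > "$1" <<'EOF'
# constructed sample lab
[localhost]
    [[7200]]
        image = /path/to/ios-image-PLACEHOLDER.bin
    [[ROUTER R1]]
        console = 2001
    [[router R2]]
        console = 2002
    [[ROUTER SW3]]
        console = 2009
EOF
}
```

Source the file and run `make_launchers lab.net ~/.gnome2/panel2.d/default/launchers`, then restart the panel (or log out and in) so it picks the new files up. Devices listed in LAYOUT but absent from the net file are reported on stderr and get no launcher, so a typo in the net file shows up before you click anything. write_launcher refuses any CONSOLE_HOST other than loopback: the dynamips console telnet has no login, so the post's 127.0.0.1 is the only sensible target.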


If you're wondering where the 3 BB routers are, the answer is that I don't need console access to them all the time. I can always reach them through dynagen's telnet command when I need to.

Clicking on any icon won't do anything right now, because dynamips is not running. So start dynamips, then start all routers/switches through dynagen and voila! You have 2 workspaces filled with xterm windows.

In order to display the 6 routers' windows in the 2nd workspace and the 4 switches in the 3rd workspace, you have to click on the 6 R1-R6 icons while viewing the 2nd workspace and then move to the 3rd workspace and click the 4 SW1-SW4 icons.

There is also a program available (DevilsPie) if you want to define the workspace where each application window opens automatically, but it relies on pre-defined scripts.

I must admit that it feels much better than my Windows environment. I have access to all windows simultaneously, and if I want I can move the SW1-SW4 windows to the same workspace as the R1-R6 ones, to resemble my Windows environment more closely.

Finally, some hints for xterm:

Ctrl + Left mouse click opens a menu with options for logging to a file (the default name is something like Xterm.log.ubuntu.2008.04.05.18.54.10.12838, where 12838 is the current xterm process number).
Ctrl + Right mouse click opens a menu with options for changing the font size.
Ctrl + Middle mouse click opens a menu with various options regarding xterm appearance/behavior.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.