Multiple next-hops in policy routing

Imagine the following topology with routers 1 to 5:

         / (2) \
(4) - (1)       (5)
         \ (3) /

Policy-based routing (PBR) is active on router 1, and there are two possible end-to-end paths:
4-1-2-5
4-1-3-5

Let us play around with the next-hop settings of PBR. Imagine we have a rudimentary PBR setup with the following:

route-map test permit 10
match ip address 100
set ip next-hop 10.0.12.2 10.0.13.3

10.0.12.2 is router 2 and 10.0.13.3 is router 3. We really don’t care about the access lists or anything else; let’s see what happens when we have multiple next-hops defined:

R1#debug ip policy
Policy routing debugging is on
R1#
*Jul 17 12:28:42.387: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 44, FIB policy match
*Jul 17 12:28:42.387: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.12.2, len 44, FIB policy routed
*Jul 17 12:28:42.447: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 40, FIB policy match
*Jul 17 12:28:42.447: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.12.2, len 40, FIB policy routed
*Jul 17 12:28:42.459: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 49, FIB policy match
*Jul 17 12:28:42.459: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.12.2, len 49, FIB policy routed
*Jul 17 12:28:42.467: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 40, FIB policy match
*Jul 17 12:28:42.467: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.12.2, len 40, FIB policy routed

There, so it keeps using the first next-hop no matter what. I guess the only way to nudge it to use the other one is to shut down the interface connected to R2. Look what happens after I shut down that interface:

*Jul 17 12:32:09.551: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 44, FIB policy match
*Jul 17 12:32:09.551: CEF-IP-POLICY: fib for address 10.0.12.2 is with flag 257
*Jul 17 12:32:09.551: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.13.3, len 44, FIB policy routed
*Jul 17 12:32:09.611: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 40, FIB policy match
*Jul 17 12:32:09.611: CEF-IP-POLICY: fib for address 10.0.12.2 is with flag 257
*Jul 17 12:32:09.611: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.13.3, len 40, FIB policy routed
*Jul 17 12:32:09.619: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 49, FIB policy match
*Jul 17 12:32:09.619: CEF-IP-POLICY: fib for address 10.0.12.2 is with flag 257
*Jul 17 12:32:09.619: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.13.3, len 49, FIB policy routed

The process sees that the route towards its next-hop is marked as down (flag 257) in the CEF tables (or is non-existent), and moves on to the next one.

Conclusion: Multiple next-hops in PBR are used for redundancy, not load-sharing/balancing.
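To make the observation above repeatable, here is an added example (not part of the original post) that parses `debug ip policy` output of the kind shown and models the next-hop walk it reveals: every "FIB policy routed" line is counted per gateway, every "CEF-IP-POLICY ... flag 257" line is recorded as a skipped next-hop, and `select_next_hop` reproduces the first-usable-hop rule. The sample log lines are constructed from the output above; the fallback to normal routing when no next-hop is usable is an assumption about IOS behaviour, not something the debug output shows.

```python
import re
from collections import Counter

# Constructed sample, modelled on the debug ip policy output shown above:
# two packets before the shutdown, one packet after it.
SAMPLE_DEBUG = """\
*Jul 17 12:28:42.387: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 44, FIB policy match
*Jul 17 12:28:42.387: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.12.2, len 44, FIB policy routed
*Jul 17 12:28:42.447: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 40, FIB policy match
*Jul 17 12:28:42.447: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.12.2, len 40, FIB policy routed
*Jul 17 12:32:09.551: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, len 44, FIB policy match
*Jul 17 12:32:09.551: CEF-IP-POLICY: fib for address 10.0.12.2 is with flag 257
*Jul 17 12:32:09.551: IP: s=10.0.14.4 (GigabitEthernet1/0), d=5.5.5.5, g=10.0.13.3, len 44, FIB policy routed
"""

# A packet that was actually policy routed carries the chosen gateway as g=.
ROUTED_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<intf>[^)]+)\), d=(?P<dst>[\d.]+), "
    r"g=(?P<gw>[\d.]+), len (?P<len>\d+), FIB policy routed"
)
# CEF reporting a next-hop whose FIB entry is unusable (flag 257 in the output above).
SKIP_RE = re.compile(r"CEF-IP-POLICY: fib for address (?P<nh>[\d.]+) is with flag (?P<flag>\d+)")


def parse_policy_debug(text):
    """Return (Counter of packets per gateway, list of (skipped next-hop, flag))."""
    gateways = Counter()
    skipped = []
    for line in text.splitlines():
        m = ROUTED_RE.search(line)
        if m:
            gateways[m.group("gw")] += 1
            continue
        m = SKIP_RE.search(line)
        if m:
            skipped.append((m.group("nh"), int(m.group("flag"))))
    return gateways, skipped


def select_next_hop(next_hops, reachable):
    """Model of the behaviour seen in the debug output: PBR walks the configured
    next-hops in order and uses the first whose CEF entry is usable. There is no
    hashing or round-robin, so the second hop only carries traffic once the first
    is down. Returning None models the (assumed) fallback to normal routing."""
    for nh in next_hops:
        if nh in reachable:
            return nh
    return None


if __name__ == "__main__":
    per_gw, skips = parse_policy_debug(SAMPLE_DEBUG)
    print("packets per gateway:", dict(per_gw))
    print("skipped next-hops:", skips)
    print("both up ->", select_next_hop(["10.0.12.2", "10.0.13.3"], {"10.0.12.2", "10.0.13.3"}))
    print("R2 down ->", select_next_hop(["10.0.12.2", "10.0.13.3"], {"10.0.13.3"}))
```

Run it against a saved `debug ip policy` capture and a gateway count that is entirely on one next-hop while both links are up is the tell-tale sign that the list is giving you redundancy rather than load-sharing.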

Playing around with OSPF

I did some fooling around with OSPF priorities and here’s what I learned:

If you have multiple routers on an Ethernet segment, and all routers have priority 0 – there will be no DR, no BDR, and only 2-way connectivity between all of them.

If just one router has priority >0, then that router will be the DR, but there will still be no BDR, and the only full adjacencies would be, obviously, between the DR and the others.
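The two cases above follow from the DR/BDR election rules, which the following added example (not the original post's) models for a single broadcast segment: routers with priority 0 are never eligible, the highest priority wins, and the router ID breaks ties. It is a simplified cold-start election (the real one also prefers an incumbent DR/BDR), which is enough to reproduce both observations and to show what happens when several routers are eligible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    router_id: str   # dotted-decimal OSPF router ID
    priority: int    # interface priority; 0 means never eligible for DR/BDR


def _rid_key(router_id):
    """Compare router IDs numerically, octet by octet, not as strings."""
    return tuple(int(octet) for octet in router_id.split("."))


def elect_dr_bdr(routers):
    """Simplified election: highest priority, then highest router ID.
    Returns (dr, bdr); either is None when no eligible router remains."""
    eligible = sorted(
        (r for r in routers if r.priority > 0),
        key=lambda r: (r.priority, _rid_key(r.router_id)),
        reverse=True,
    )
    dr = eligible[0].router_id if eligible else None
    bdr = eligible[1].router_id if len(eligible) > 1 else None
    return dr, bdr


def adjacency_states(routers):
    """Return {(a, b): 'FULL' | '2WAY'} for every pair on the segment.
    Only pairs that include the DR or the BDR reach FULL; DROthers stay in 2WAY."""
    dr, bdr = elect_dr_bdr(routers)
    ids = sorted((r.router_id for r in routers), key=_rid_key)
    states = {}
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            full = a in (dr, bdr) or b in (dr, bdr)
            states[(a, b)] = "FULL" if full else "2WAY"
    return states


if __name__ == "__main__":
    # Constructed segments matching the two observations above.
    all_zero = [Router("1.1.1.1", 0), Router("2.2.2.2", 0), Router("3.3.3.3", 0)]
    one_eligible = [Router("1.1.1.1", 0), Router("2.2.2.2", 1), Router("3.3.3.3", 0)]
    print("all priority 0:", elect_dr_bdr(all_zero), adjacency_states(all_zero))
    print("one priority 1:", elect_dr_bdr(one_eligible), adjacency_states(one_eligible))
```

Feed it a segment where every router keeps the default priority of 1 and you get the more familiar picture: the highest router ID becomes DR, the second highest BDR, and only the remaining pairs stay at 2-way.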

With P2P links, OSPF doesn’t care about priority, but does care about area mismatches:

An area mismatch, for example (r1:normal)-(r2:stub), would tear down the neighborship due to the mismatch, and it’s possible it won’t even show up in the error logs. Fun fun :)

Cisco Command Prompt Tricks and Gotchas part 2

Should you ever be unfortunate enough to come across a device with a setup similar to

exec-timeout 0 1

or maybe you’re just doing a CCIE exam, then you’ll need a little bit of practical trickery to overcome the one-second timeout – just use notepad or whatever text editor you have to type something like

enable
conf t
line vty 0 4/line con 0
exec-timeout 10

and then quickly paste it into the session within the one-second window. Done! :)

Permanently delete files on HP/H3C devices

It has come to my attention that a lot of users are visiting this site looking for info on how to permanently delete files on an HP/H3C router or switch.

This is a very easy task, though it may not be as obvious as it seems.

The delete file command moves a file to the recycle bin. To restore the file, use the undelete command. If you delete two files with the same file name in different directories, only the last one is retained in the recycle bin.

The dir /all command displays the files moved to the recycle bin. These files are enclosed in pairs of square brackets [ ]. To permanently delete these files, use the reset recycle-bin command.

To permanently delete a file and (finally) free some space for that dreaded firmware upgrade, use the delete /unreserved file command. Of course, it goes without saying that the deleted file cannot be restored.

Routallica – WAN / Metallica – One

Original song courtesy of Metallica
No copyright infringement intended, just having fun

Routallica – WAN

I can’t connect to anything
Can’t tell if this is routing or bridging
Deep down inside I want to ping
This terrible access-list stops me

Now that the routes are passed to me
Network is convergin, but I cannot see
And there are not many neighbors here
Nothing is up but loopbacks

Hold my frames as I wait for STP
Oh please, broadcasts, don’t storm me

Back in the WAN it’s much too serial
Terrible speeds that I must feel
But I look forward to police
Police those excess TCP bursts

Weighted RED is throttling me
Just like a greedy TCP stream
Class-based shaping’s buffering me
Dropping tokens from the bucket

Hold my updates as I split horizons
Oh please, RIP, route me

Now the network’s gone, I’m just one
Oh redundant link, help me
Split my brain as my peer faces death
Oh please, VSS, help me

VLANs imprisoning me
No adjacency
Asymmetric routing
I cannot ping
I cannot trace
Trapped in my shell
Subnet my holding cell

Black holes have poisoned my routes
Taken my ping
Taken my peering
Taken my ARPs
Taken my V(e)RFs
Taken my pools
Left me with Frame Relaaay

Cisco Command Prompt Tricks and Gotchas

I guess most of you are familiar with the usual CLI prompt, be it on a Linux system, Cisco device, or whatever. On a standard *nix machine, you can modify your prompt appearance, and its configuration is specific to the shell you’re using – BASH, KSH, ZSH, etc.

Recently, I was surprised to figure out that you can also modify the standard Cisco prompt. I owe this knowledge to my friend and mentor Vladi – thanks! :) Interestingly, the only place I could find more info on the matter was the Cisco IOS in a Nutshell book.

Back on topic. A regular prompt would read

[hostname]>
or
[hostname]#

You can modify the prompt with the prompt command, and use any of the following escape variables with it:

%% - the percent character itself
%h - hostname
%n - tty command counter number
%p - prompt character (> or #)
%s - white space character
%t - tab character

For example:

Router#config t
Router(config)#prompt %h:%n%p
Router:1#show ver
[output omitted]
Router:2#

So now you can either modify your prompt, or play a trick on a fellow colleague :D
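As an added example (not from the original post or from Cisco), here is a small expander for the escape variables listed above, plus a helper that walks a constructed session to show the %n command counter advancing exactly as in the Router:1# / Router:2# transcript. How IOS treats an unknown escape such as %x is not documented on this page, so leaving it verbatim is an assumption.

```python
def expand_prompt(fmt, hostname, counter, privileged):
    """Expand the IOS 'prompt' escapes: %% %h %n %p %s %t.
    privileged=True yields '#', otherwise '>'."""
    out = []
    i = 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == "%" and i + 1 < len(fmt):
            code = fmt[i + 1]
            if code == "%":
                out.append("%")                       # literal percent sign
            elif code == "h":
                out.append(hostname)                  # hostname
            elif code == "n":
                out.append(str(counter))              # tty command counter
            elif code == "p":
                out.append("#" if privileged else ">")  # prompt character
            elif code == "s":
                out.append(" ")                       # white space
            elif code == "t":
                out.append("\t")                      # tab
            else:
                out.append(ch + code)  # assumption: unknown escapes pass through verbatim
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def simulate_session(fmt, hostname, commands, privileged=True, start=1):
    """Return the prompt shown before each command; the counter advances by one per command."""
    return [expand_prompt(fmt, hostname, n, privileged)
            for n, _cmd in enumerate(commands, start=start)]


if __name__ == "__main__":
    # Constructed session reproducing the transcript above.
    for prompt, cmd in zip(simulate_session("%h:%n%p", "Router", ["show ver", "show clock"]),
                           ["show ver", "show clock"]):
        print(f"{prompt} {cmd}")
```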
