Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

SPAN / Port Mirroring

Written by Arnaud no comments

To monitor one Vlan, on a specific switch (here vlan 622 goes on port gi1/0/22):

(config)#monitor session 1 source vlan 622
(config)#monitor session 1 destination interface Gi1/0/22

To check if it's OK :

#show monitor session 1
Session 1
Type                   : Local Session
Source VLANs           :
    Both               : 622
Destination Ports      : Gi1/0/22
    Encapsulation      : Native
          Ingress      : Disabled

To monitor one port (here port gi1/0/11 goes on port gi1/0/22):

(config)#monitor session 1 source interface gi1/0/11
(config)#monitor session 1 destination interface gi1/0/22

To monitor one Vlan, on all your switches (here vlan 500 goes on port gi1/0/22):

On all the switches :

(config)#vlan 21
config-vlan)#name RSPAN_VLAN_500
monitor session 2 source vlan 500 rx
monitor session 2 destination remote vlan 21

On the destination switch

monitor session 1 source remote vlan 21
monitor session 1 destination interface Gi1/0/22
Classified in : cisco Tags : none

How to use VRF

Written by Arnaud no comments

This Example is only working for IPv4 (see the "vrf definition" command below for IPv6) :

First create your VRF and define an RD (Route Distinguisher) which is 16bits:16bits (can also be 32b:16b if you use doted IP notation)

(config)# ip vrf my_vrf_1
(config-vrf)# rd 500:1

Add you interface into the VRF (remeber to set the IP address *after*)

(config)# interface Gi0/0
(config-if)# ip vrf forwarding my_vrf_1
(config-if)# ip

Define your RT (Route Targert), which will tell how you want to export/import between VRF (aka route leaking). You must enable BGP on the router but no BGP neighbor is required.

(config)# ip vrf my_vrf_1
(config-vrf)# route-target export 500:1
(config-vrf)# route-target import 100:1 

Make you BGP

(config)# ip route vrf my_vrf_1 XX.XX.XX.XX Null0
(config)# router bgp 65534
(config-router)# address-family ipv4 vrf my_vrf_1
! next line is for the RT, if you don t do it your interface won't have a route to others vrf
(config-router)# redistribute connected
! next lines are for remote BGP session
(config-router)# network XX.XX.XX.XX mask
(config-router)# neighbor XX.XX.XX.XX remote-as XXXXX
(config-router)# neighbor XX.XX.XX.XX prefix-list PFX-OUT out

And the "show ip bgp sum" & fiends like :

sh ip bgp vpnv4 all sum
sh bgp vpnv6 uni all sum
sh ip bgp vpnv4 vrf NAME sum
sh bgp vpn6 uni vrf NAME sum
clear bgp vrf NAME ipv6 unicast *
clear bgp vrf NAME ipv4 unicast A.B.C.D
ping vrf NAME A.B.C.D

Source : (French) and
(English) What are RD / RT


You can easily import route of you global table into your VRF :

(config)# vrf definition NAME
(config-vrf)# rd XX:XX
(config-vrf)# address-family ipv4
(config-vrf-af)# import ipv4 unicast map RMAP-NAME

You may have noticed we used "vrf definition" instead of "ip vrf", if you want to convert you old vrf conf to "vrf def" use the command below :

(config)#vrf upgrade-cli multi-af-mode common-policies

And the question in now : How to export the route of the VRF to the Global table?
Sadly this feature (BGP Support for IP Prefix Export from a VRF Table into the Global Table) is only available on 15.2+ IOS... You can check on the Cisco Feature Navigator :

(config)# vrf definition NAME
(config-vrf)# rd XX:XX
(config-vrf)# address-family ipv4
(config-vrf-af)# export ipv4 unicast map MAP_NAME

Do not use the "export map RMAP-NAME" it does not what you want! (It's the way to set route-max when leaking between VRF)

Oh BTW you can create a static route in a VRF to an IP in the global table like this :

ip route vrf NAME x.x.x.x s.s.s.s nh.nh.nh.nh global

Souce :

Go futher and read this excellent explanation :

Classified in : cisco Tags : none

Cisco security & misc

Written by Arnaud no comments

Some basic tips, things to remove from IOS default configuration!

Prevent from source routing (ie the souce can specify the path the packet should take)

(config)#no ip source-route


Dont make your router a default gw for bad configured hosts

(config)#int gi0/0
(config-if)#no ip proxy-arp


suppress Router Advertisement messages on an interface:
(config-if)# ipv6 nd suppress-ra
! OR
(config-if)# ipv6 nd ra suppress

Use you own timeout (in minutes) for your enable session

(config)#line vty 0 4
(config-line)#exec-timeout 60 0


Don't try to resolve typo (prevent  from : Translating "xxxxxx"...domain server (xx.xx.xx.xx) )

(config)#no ip domain-lookup

Create a new user localy and add authentication to the console port (timout is 20minutes by default) :

username <USERNAME> secret <PASSWORD>
enable secret <PASSWORD>

aaa new-model
aaa authentication login MY-AUTH-LOCAL local
line console 0
 login authentication MY-AUTH-LOCAL 


And set the Clock / Timezone / Daylight Saving Time :

clock summer-time CEST recurring last Sun Mar 3:00 last Sun Oct 3:00
clock timezone CET 1
ntp server
Classified in : cisco Tags : none
Rss feed of the articles