Monday, November 29, 2010

Console login to priv 15

Found out today that I had forgotten how to make the console port automatically log a user in at privilege 15 when their account in the local user database is set up that way.

I had the typical configuration:

aaa new-model
username cisco privilege 15 password cisco
username test privilege 1 password cisco
aaa authentication login default local
aaa authorization exec default local

However, user cisco would still log in on the console as a non-enabled user.

There is an additional command, aaa authorization console, required at the global configuration level.


Once I added that line everything works as expected.

User Access Verification

Username: test
Password:

R1>
R1>exit

User Access Verification

Username: cisco
Password:

R1#
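As an added check (not from the post), a small audit over a running-config that flags the exact gap described above: aaa authorization exec without aaa authorization console. The sample config is constructed from the post's "typical configuration"; the script also flags username lines that use password instead of secret, a hardening point that is separate from the privilege-level problem.

```python
import re

# Constructed sample: the "typical configuration" from the post, before the fix.
SAMPLE_CONFIG = """\
aaa new-model
username cisco privilege 15 password cisco
username test privilege 1 password cisco
aaa authentication login default local
aaa authorization exec default local
"""


def audit_aaa(config):
    """Return a list of findings for an IOS config that uses local AAA."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    has_exec_authz = any(ln.startswith("aaa authorization exec ") for ln in lines)
    if has_exec_authz and "aaa authorization console" not in lines:
        findings.append("aaa authorization console missing: console logins ignore "
                        "the user's configured privilege level")
    for ln in lines:
        # 'username X ... password ...' stores a type 0 (or type 7) credential.
        m = re.match(r"username (\S+) .*\bpassword\b", ln)
        if m:
            findings.append(f"username {m.group(1)} uses 'password' (reversible "
                            "type 0/7); use 'secret' for a hashed credential")
    return findings


def fixed_config(config):
    """Append the global command the post found was missing."""
    return config.rstrip("\n") + "\naaa authorization console\n"


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print("BEFORE:", f)
    for f in audit_aaa(fixed_config(SAMPLE_CONFIG)):
        print("AFTER: ", f)
```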

Tuesday, November 23, 2010

MPLS on 2621XM

While searching for an IOS image with full MPLS support on the 26xxXM series routers for lab racks, I found that the feature set is listed on the navigator for 12.4 but doesn't actually work. I had to go back to a 12.3 version.
c2600-jk9o3s-mz.123-24.bin works fine but has some different defaults.

Today's Lab - MPLS VPN under GNS3

For today's practice I worked through the MPLS VPN lab 1 on the Bowler CBT series.

The initial topology is:


The initial GNS3 net and router configs are: GNS3 Initial configs and topology


The first step was configuring MPLS on each of the 4 provider routers:

The common configuration sets a label range of 999 labels chosen relative to the router number:

mpls label range 1000 1999
mpls label protocol ldp
mpls ldp router-id Loopback 0

On each provider-facing interface, enable MPLS:

int fa0/0
 mpls ip

Once completed on each of the routers, display the neighbors for verification:

Example from R2:

R2#show mpls ldp neighbor
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.22261
        State: Oper; Msgs sent/rcvd: 37/38; Downstream
        Up time: 00:23:47
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 192.168.12.1
        Addresses bound to peer LDP Ident:
          192.168.12.1    192.168.14.1    1.1.1.1
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 3.3.3.3.23134 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 35/35; Downstream
        Up time: 00:21:10
        LDP discovery sources:
          FastEthernet1/0, Src IP addr: 192.168.23.3
        Addresses bound to peer LDP Ident:
          192.168.23.3    192.168.35.3    3.3.3.3


The next step is to configure BGP across the VPN backbone as indicated on the topology diagram. The PE routers will be in AS 100 and the CE routers in AS 200.

R3 BGP Configuration:

router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community both
  neighbor 4.4.4.4 next-hop-self
 exit-address-family
!


R4 BGP Configuration:

router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
  neighbor 3.3.3.3 next-hop-self
 exit-address-family


Verification of the BGP state between R3 and R4:

R3#show ip bgp vpnv4 all summary
BGP router identifier 3.3.3.3, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4   100       6       6        1    0    0 00:02:29        0


Routers R5 and R6 run a typical public BGP connection.

Example from R6:

router bgp 200
 no synchronization
 bgp log-neighbor-changes
 network 172.16.0.0
 neighbor 192.168.46.4 remote-as 100
 no auto-summary
!


Next, create the VRF on R3 and associate it with the serial interface going to R5:

ip vrf R5
 rd 1:56
 route-target export 1:500
 route-target import 1:500
!
!

int s1/0
 ip vrf forwarding R5
 ip address 192.168.35.3 255.255.255.0

The BGP process on R3 needs to be modified to enable the neighbor under the vrf:

router bgp 100
 address-family ipv4 vrf R5
  neighbor 192.168.35.5 remote-as 200



Now perform the same configuration on R4 to build the VRF to R6:

ip vrf R6
 rd 1:50
 route-target export 1:500
 route-target import 1:500
!
router bgp 100
 address-family ipv4 vrf R6
  neighbor 192.168.46.6 remote-as 200
  neighbor 192.168.46.6 activate

Verify reachability from R4 to the loopback on R6:

R4#ping vrf R6 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/25/76 ms



The final step is to allow the routes back into the AS on the customer routers. The default BGP behavior is to reject routes received on an eBGP connection whose AS path already contains the local AS, so the routes from the other CE site in AS 200 are not accepted.

On R5 and R6, modify the BGP configuration:

R6:
router bgp 200
 neighbor 192.168.46.4 allowas-in

R5:
router bgp 200
 neighbor 192.168.35.3 allowas-in

This completes the lab example. Routers 5 and 6 are now able to ping each other, sourcing from their loopback interfaces.
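As an added illustration (not part of the lab or the CBT series), the inbound AS_PATH loop check that makes allowas-in necessary, traced for the lab's 172.16.0.0 route from R6 (AS 200) through the provider AS 100 to R5. The allowas-in count semantics assume IOS's neighbor allowas-in [number] behaviour with a default of 3 occurrences.

```python
def ebgp_advertise(as_path, sender_as):
    """AS_PATH as seen by an eBGP peer: the sender prepends its own AS."""
    return [sender_as] + list(as_path)


def ibgp_advertise(as_path):
    """iBGP (here the vpnv4 session R4 -> R3) leaves AS_PATH unchanged."""
    return list(as_path)


def accept_inbound(as_path, local_as, allowas_in=None):
    """Inbound AS_PATH loop check.

    allowas_in=None is the default: any occurrence of the local AS in the
    received path rejects the route. An integer mirrors
    'neighbor X allowas-in [number]' (IOS default of 3 when no number is given).
    """
    seen = as_path.count(local_as)
    if seen == 0:
        return True
    return allowas_in is not None and seen <= allowas_in


def trace_lab_route():
    """Walk 172.16.0.0 (originated by R6 in AS 200) through PE AS 100 to R5."""
    at_r4 = ebgp_advertise([], 200)      # R6 -> R4: locally originated, R6 prepends 200
    at_r3 = ibgp_advertise(at_r4)        # R4 -> R3 over the vpnv4 iBGP session
    at_r5 = ebgp_advertise(at_r3, 100)   # R3 -> R5: R3 prepends the provider AS 100
    return {
        "as_path_at_r5": at_r5,
        "accepted_by_default": accept_inbound(at_r5, 200),
        "accepted_with_allowas_in": accept_inbound(at_r5, 200, allowas_in=3),
    }


if __name__ == "__main__":
    print(trace_lab_route())
```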

Final router configurations: Final Configs

Monday, November 22, 2010

Rack hardware power control

For power control of my rack hardware I am using APC master switches. These allow web, telnet, or SNMP based control of 8 power switches per unit. It's a pain to go through all the ports of two units to power up the rack each time I'm ready to work, so I found the SNMP set commands to switch the outlets and created several batch files.


The OID for my switches is below, along with the sample syntax for a DOS batch file that takes two parameters, device and state: device is the outlet number and state is 1 for on or 2 for off.

snmpset -r:10.10.10.10 -c:private -o:1.3.6.1.4.1.318.1.1.4.4.2.1.3.%1 -val:%2 -tp:int

I have created other batch files, such as s1, with the port hard-coded, so I can type 'r1 on' or 'r1 off' to turn Router1 on or off. A combined file rackoff.bat does all the devices at once.

First Post!

Today I have decided to start a blog of my adventures in the pursuit of a CCIE.  This will serve as a foundation for my notes as well as sharing information with others along the way.

For the first topic, I have been finalizing my lab hardware setup and deciding what needs to be updated for the v4.0 blueprint. I have lots of old series 2500 and 2600 routers from past studies. Checking the INE topology, I can use the 2500s for the backbone routers, so I just need to upgrade the IOS on them to support IPv6 OSPF. Okay... how hard can that be? Well, three days after I started trying to get it working, I finally finished.

I started by trying the typical copy tftp flash command. Each time the transfer via FLH would start but immediately abort. I tried crossover cabling, moving from Windows TFTP to a Linux server, etc., and always got the same result. Tried on my other 2500 series routers with the same failure. Searched the forums but found no answers. Posted on the INE forum but had no patience to wait for a reply, so I kept searching... I finally came across a seemingly unrelated message (TekTips) about the flash being read only due to a hardware issue. A quick check of show ver indicated:


32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102


This configuration register setting of 0x2102 leaves the flash memory read only. So the issue was never with the network or the servers; the router was simply unable to write what it was receiving to the flash.

Issuing a confreg 0x2101 and then a reload brings the router up at a mini boot prompt with the flash memory now read-write. I was then able to copy the new IOS via TFTP. Then I set the configuration register back to 0x2102 and reloaded.
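As an added example (not from the post), a decoder for the configuration register bits so the 0x2102 to 0x2101 change can be read off: the only difference is the boot field, which selects the ROM boot helper instead of the flash image, which is why the flash becomes writable. Bit meanings are the documented Cisco ones (the commonly used subset); the 0x2142 value in the demo is the well-known ignore-NVRAM setting and is not from the post.

```python
# Boot field (bits 0-3) values with a fixed meaning; any other value means
# "boot from flash / the boot system commands".
BOOT_FIELD = {
    0x0: "ROM monitor (rommon) prompt",
    0x1: "boot helper image from ROM (RxBoot / mini-IOS)",
}
# Commonly used option bits, as documented by Cisco.
OPTION_BITS = {
    6: "ignore NVRAM startup-config",
    8: "console break disabled",
    10: "IP broadcast with all zeros",
    13: "boot default ROM software if network boot fails",
}
CONSOLE_BAUD = {0: 9600, 1: 4800, 2: 1200, 3: 2400}  # bits 12-11


def decode_confreg(value):
    """Decode a 16-bit configuration register into its fields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot = value & 0xF
    return {
        "boot_field": boot,
        "boot": BOOT_FIELD.get(boot, "boot from flash / boot system commands"),
        "options": [name for bit, name in OPTION_BITS.items() if value & (1 << bit)],
        "console_baud": CONSOLE_BAUD[(value >> 11) & 0x3],
    }


def confreg_diff(old, new):
    """Describe what changes between two register values (e.g. 0x2102 -> 0x2101)."""
    a, b = decode_confreg(old), decode_confreg(new)
    changes = []
    if a["boot"] != b["boot"]:
        changes.append(f"boot: {a['boot']} -> {b['boot']}")
    for opt in sorted(set(a["options"]) ^ set(b["options"])):
        changes.append(("set " if opt in b["options"] else "cleared ") + opt)
    return changes


if __name__ == "__main__":
    for v in (0x2102, 0x2101, 0x2142):
        print(f"0x{v:04x}: {decode_confreg(v)}")
    print(confreg_diff(0x2102, 0x2101))
```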


----

This is the rack topology I am configuring, as indicated on INE's site: http://www.ine.com/topology.htm