BGP Configuration for Cisco Routers

I want to show a basic BGP configuration for Internet access. In our case we have two carriers (Sprint and Level3), and we are an enterprise that needs reliable Internet access.
As a precondition we need an Autonomous System Number (ASN) and an IP address block assigned to us; we apply to our regional registry (ARIN / RIPE / APNIC / LACNIC / AFRINIC) for these. We assume that 6767 is our AS number and 193.93.93.0/24 is our official IP block.

To show two different situations, the Level3 router we connect to is also our BGP peer, while the Sprint BGP peer is located 3 hops away.

! We start with the router command and our ASN, just like an EIGRP/OSPF configuration
router bgp 6767
! We have a single router, so we do not need IGP/BGP synchronization (disabled is already the default in newer IOS releases)
no synchronization
! To keep a record of our peering history we log neighbor state changes
bgp log-neighbor-changes
! We announce our own network
network 193.93.93.0
! Our first neighbor is Sprint; we have to define the neighbor's ASN
neighbor 122.22.33.1 remote-as 1239
! Descriptions are always helpful
neighbor 122.22.33.1 description Sprint
! Our BGP neighbor at Sprint is 3 hops away
neighbor 122.22.33.1 ebgp-multihop 3
! Sprint peers with our Loopback0 address (193.93.94.1), so we source the session from it
neighbor 122.22.33.1 update-source Loopback 0
! If we have enough memory, storing received updates lets us change inbound policy without resetting the session
neighbor 122.22.33.1 soft-reconfiguration inbound
! We announce nothing but our own prefix (no transit between the carriers)
neighbor 122.22.33.1 filter-list 1 out
! Now the Level 3
neighbor 111.11.11.1 remote-as 3356
neighbor 111.11.11.1 description LevelThree
neighbor 111.11.11.1 soft-reconfiguration inbound
neighbor 111.11.11.1 filter-list 1 out
no auto-summary

!
! The Sprint BGP peer is not directly connected to our router,
! so we must add the necessary route to reach it
ip route 122.22.33.1 255.255.255.255 122.22.22.1
!
! This list matches only an empty AS path, i.e. routes we originate ourselves.
! Used as the outbound filter, it means we do not announce Sprint's networks to Level3 or vice versa.
ip as-path access-list 1 permit ^$
!
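
The outbound filter is the part of this configuration that keeps us from becoming a transit AS between the two carriers, so it is worth seeing exactly which routes the "^$" entry lets through. The following is an added illustration, not configuration or code from the original post: a small Python simulation of an IOS as-path access-list applied as a "filter-list ... out". The routes and the AS paths in it are constructed sample data (documentation prefixes, with 1239 and 3356 taken from the configuration above); the function names are my own.

```python
import re

# Constructed sample routes for AS 6767: (prefix, AS_PATH as a list of ASNs).
# An empty AS_PATH is a locally originated route, i.e. what the
# "network 193.93.93.0" statement above puts into the BGP table.
LOCAL_ASN = 6767
SAMPLE_ROUTES = [
    ("193.93.93.0/24", []),                 # our own block, originated locally
    ("198.51.100.0/24", [1239, 64500]),     # learned from Sprint (AS 1239)
    ("203.0.113.0/24", [3356]),             # learned from Level3 (AS 3356)
    ("192.0.2.0/24", [3356, 1239, 64501]),  # learned from Level3, via Sprint
]

# "ip as-path access-list 1 permit ^$" as ordered (action, regex) entries.
AS_PATH_ACL_1 = [("permit", r"^$")]
# A deliberately permissive list, only to show what the ^$ entry prevents.
PERMIT_ANY = [("permit", r".*")]


def as_path_string(path):
    """Render an AS_PATH the way IOS matches regexes against it: ASNs separated by spaces."""
    return " ".join(str(asn) for asn in path)


def as_path_acl_permits(acl, path):
    """Evaluate an as-path access-list top-down; an unmatched path hits the implicit deny."""
    text = as_path_string(path)
    for action, pattern in acl:
        if re.search(pattern, text):
            return action == "permit"
    return False


def outbound_updates(routes, acl, local_asn):
    """Simulate 'neighbor ... filter-list <acl> out': the (prefix, AS_PATH) pairs
    that would be sent to a peer, with our own ASN prepended as eBGP does."""
    return [(prefix, [local_asn] + path)
            for prefix, path in routes if as_path_acl_permits(acl, path)]


def transit_leaks(routes, acl):
    """Prefixes the filter would announce although we did not originate them.
    Anything listed here would make us a transit AS between the carriers."""
    return [prefix for prefix, path in routes if path and as_path_acl_permits(acl, path)]


if __name__ == "__main__":
    print("announced with ^$ :", outbound_updates(SAMPLE_ROUTES, AS_PATH_ACL_1, LOCAL_ASN))
    print("leaks with ^$     :", transit_leaks(SAMPLE_ROUTES, AS_PATH_ACL_1))
    print("leaks with .*     :", transit_leaks(SAMPLE_ROUTES, PERMIT_ANY))
```

With the "^$" list only 193.93.93.0/24 is announced, carrying the single-element path 6767; with a permissive list all three carrier-learned prefixes would leak. Note that the configuration above filters only what we send; what we accept from the carriers is left unfiltered.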

In the end, as long as you are not sitting in the middle of the Internet as a transit provider, BGP configuration is not a big issue.

Multilink PPP over Frame Relay

If you have two frame relay lines between two locations and need them to share the load, this article will guide you. We need a combination of two techniques. The first is Multilink PPP, which is normally used to bundle leased lines. The second is PPP over Frame Relay, which lets frame relay lines be used like leased lines.

PPPoFR Schema

In my example, I will show how I bundle two 2 Mbps frame relay lines to act as one 4 Mbps line.

The configuration below has to be applied on both sides (with a different Multilink1 IP address on each end, of course).

1) We make an ordinary frame relay configuration on the serial interfaces, except for the "frame-relay interface-dlci 16 ppp Virtual-Template1" line, which binds the DLCI to Virtual-Template1. The frame-relay traffic-shaping command is a MUST.
2) Under "interface Virtual-Template1" we declare that it is part of a multilink group.
3) Under "interface Multilink1" we configure the IP settings.

interface Serial0/0
description Physical Interface 1
bandwidth 2000
no ip address
encapsulation frame-relay
frame-relay fragmentation voice-adaptive deactivation 15
frame-relay traffic-shaping
frame-relay interface-dlci 16 ppp Virtual-Template1
frame-relay lmi-type ansi

interface Serial0/1
description Physical Interface 2
bandwidth 2000
no ip address
encapsulation frame-relay
frame-relay fragmentation voice-adaptive deactivation 15
frame-relay traffic-shaping
frame-relay interface-dlci 16 ppp Virtual-Template1
frame-relay lmi-type ansi

interface Virtual-Template1
no ip address
ppp multilink
ppp multilink group 1

interface Multilink1
description Bundled Interface
bandwidth 4000
ip address 10.87.1.1 255.255.255.248
ppp multilink
ppp multilink group 1

Standalone or stackable Cisco switches do not support NetFlow

NetFlow is a must-have technology for mid-size to enterprise companies. Nowadays it has become an IEEE standard as IPFIX (Internet Protocol Flow Information eXport), so we will soon find NetFlow-style support on every brand in the market. But which of Cisco's own devices support NetFlow?

All routers, including the oldest (e.g. Cisco 2500 series) and the smallest (e.g. Cisco 800 series), support NetFlow. Some functions do not exist in older IOS versions.
Catalyst 6500 series switches support NetFlow. Catalyst 4500 series switches support NetFlow with Supervisor IV/V + WS-F4531 Catalyst 4500 NetFlow Services Card.

Standalone or stackable switches do not support NetFlow. This means Catalyst 4948, Catalyst 3750 or Catalyst 3560 series switches do not support NetFlow. You can see the necessary commands in config mode, but they have no effect. It is not a matter of IOS version or feature set: you need a modular switch for NetFlow.

Unfortunately, the answer to "Which Cisco switches support NetFlow?" is: only the modular switches.

SSH @ Cisco

Recently, I had to swap the Internet router of my company. BGP and CEF ate up the whole memory, and it was not possible to upgrade the memory of the Cisco 3725 router beyond 256MB. It was time to change it.

I had a chance to install a new Cisco 3845 with 1GB of memory. Everything was fine except SSH access, which I needed because of security policy. I searched the web and found the "Configuring Secure Shell on Routers and Switches Running Cisco IOS" document on the Cisco web site. It was a little bit different from the current one. I made the configuration as explained, but it was not good enough and access to the router via SSH was not possible.

About one week later, I realized that

  • SSH only supports authentication with a username and password; it does not support a plain access password like telnet does
  • So, I had to create a user and set a password with the username command
  • I had to enable aaa new-model OR issue the login local command under line vty for username/password authentication.
  • Also, a hostname and a domain name were required to generate the keys, since the router uses its FQDN as the label of the key pair.
  • SSH is enabled by default and I do not need to enable it myself.

Necessary steps to enable SSH are mentioned below.

PRECONDITION: You need a K9 IOS (newer than 12.1) to enable SSH. Catalyst 2900 Series switches do not support SSH.

1) You MUST set a hostname
hostname ciscolab

2) You MUST set an IP domain name
ip domain-name mydomain.com

3) You MUST enable aaa new-model OR set "login local" under the vty configuration (not just "login")
aaa new-model

4) You MUST create a user
username sshtest password 0 sshpass

5) You MUST generate RSA keys
crypto key generate rsa

If you already have RSA keys, you will receive the following message; type yes
% You already have RSA keys defined named ciscolab.mydomain.com.
% Do you really want to replace them? [yes/no]: yes

It will ask for the modulus size; 1024 is fine (it depends on your security needs)
How many bits in the modulus [512]: 1024

6) You MUST set the vty access method to all OR ssh (if you choose ssh, telnet will be disabled)
line vty 0 4
transport input ssh

7) Using SecureCRT (licensed) or PuTTY (free), choose SSH1 (SSH in PuTTY) as the protocol, enter the hostname or IP address and click Connect (Open in PuTTY). It will ask for a username and password. Do not touch the other settings; you do not need them.

If you are able to access your device with SSH and still have other questions, please have a look at Advanced SSH settings for Cisco IOS.

Cisco Aironet Power Injector Media Converter

If you need a wireless solution in industrial areas like factories or warehouses, the Cisco Aironet 1240AG Series Access Point would be a good option. The hardened case, wide range of antenna options and capabilities make you feel that it is the best device. Unfortunately, on closer inspection you will see that this device only has a UTP (copper) Ethernet port and no fiber option (other models do not have fiber ports either). You need fiber to reach access points located at the far ends of a large warehouse. Moreover, you may have concerns about using a media converter from another vendor.

In this case Cisco has a solution. The Cisco Aironet Power Injector Media Converter (AIR-PWRINJ-FIB) is a media converter and a Power over Ethernet (PoE) source in one. You only need a UTP cable between the converter and the access point, and you can place the converter somewhere more convenient than the access point itself. Thus, you do not need power cabling on the roof of the warehouse.

WARNING: This power injector only supports Cisco pre-standard power. This means it is not usable for other devices that require 802.3af power (e.g. an Avaya IP telephone or a non-Cisco IP camera).

For details please check the Cisco web site: Cisco Aironet Power Injector Media Converter