Disable XFP laser in JUNOS

Unfortunately JUNOS doesn’t provide a built-in command to disable the laser on XFP ports. If you have to shut down the laser anyway, you can do this in the “pfe shell” with the command test xfp <index> laser off:

adm@MX80> start shell pfe network tfeb0

TFEB platform (1000Mhz MPC 8544 processor, 1024MB memory, 512KB flash)

TAZ-TBB-0(MX80 vty)# test xfp
    <number>              xfp index
    periodic              xfp periodic

TAZ-TBB-0(MX80 vty)# show xfp list
XFP Toolkit summary:
  wakeup count: 1765963, debug: 0
  thread: 0x42131248, itable: 0x4212ff40

Index  Name
-----  ----
    1  xfp-0/0/0
    2  xfp-0/0/1
    3  xfp-0/0/2
    4  xfp-0/0/3

TAZ-TBB-0(MX80 vty)# test xfp 1
    alarm                 test xfp <xfp_num=0> alarm <test_mask>
    data-rate             set xfp data rate
    laser                 set xfp laser
    loopback              xfp loopback
    periodic              xfp periodic
    power                 set XFP power
    presence              check presence of xfp
    read                  xfp read register
    stats-clear           clear xfp stats
    wavelength            set xfp wavelength
    write                 xfp write register

TAZ-TBB-0(MX80 vty)# test xfp 1 laser off

TAZ-TBB-0(MX80 vty)#

There seem to be a lot of interesting commands in the “pfe shell”, but I wouldn’t recommend using all of them on a production router.

TAZ-TBB-0(MX80 vty)#
    blob                  Blob toolkit
    bringup               Bringup commands
    clear                 clear support
    connect               connect to a remote TNP endpoint
    debug                 enable a debugging option
    diagnostic            diagnostic commands
    gr253                 gr253 commands
    ideeprom              ID eeprom management primitives
    issu                  In Software Service Upgrade application in the PFE
    jsim                  Invoke jsim
    macro                 macro processing
    peek-pci              Read and display a PCI register
    peekbyte              display memory in bytes
    peeklong              display memory in 32bit longs
    peekword              display memory in 16bit words
    ping                  Ping a TNP neighbor
    poke-pci              Write a PCI register
    profile               executable profiling commands
    quit                  quit TTY environment
    reboot                reboot hardware
    scan                  Scan commands
    set                   set commands
    show                  show commands
    sleep                 pause for a few seconds
    test                  system bring-up commands
    tftp                  TFTP to or from a TNP neighbor
    undebug               disable a debugging option
    upgrade               upgrade device content
    vty                   open a vty to a remote TNP endpoint
    write                 Write commands

TAZ-TBB-0(MX80 vty)#

Route descriptions in Cisco IOS

Recently, I came across the name keyword of the ip route command in Cisco IOS.
The CLI help is quite misleading:

router(config)# ip route 1.1.1.1 255.255.255.255 2.2.2.2 ?
  <1-255>    Distance metric for this route
  name       Specify name of the next hop
  permanent  permanent route
  tag        Set tag for this route
  track      Install route depending on tracked item
  <cr>

After further investigation, I found a short description in the command reference for IOS release 12.2.

The following example shows that using the name <next-hop-name> keyword and argument combination for each static route in the configuration helps you remember the purpose for each static route.

ip route 172.0.0.0 255.0.0.0 10.0.0.1 name Seattle2Detroit

Okay, it’s nothing more than a description for the route entry…
But in my opinion it’s very simple and quite useful, and unfortunately I didn’t notice it before. I think I will use it more often in the future.

Configure ASA for ASDM access

Cisco has a nice GUI, called Adaptive Security Device Manager (ASDM), for configuring and monitoring ASA devices.
But first of all you have to do some configuration to prepare your ASA for ASDM access.

! authenticate ASDM access against local database
aaa authentication http console LOCAL
username adm password ccc

! enable http server and allow management access
http server enable
http </24-subnet> 255.255.255.0 inside
http <host> 255.255.255.255 inside

! if you have more than one ASDM file in flash, you can specify which to use
asdm image disk0:/asdm-634.bin

After that you can open your browser and enter the URL https://<ASA ip>.

Access ASDM

You can choose whether you like to install the launcher on your PC, run it directly or start an installation wizard.
I decided to run it directly from the router and executed the .jnlp file.

Execute .jnlp

Accept the unsigned certificate from the router and enter your login data. If you used the template above, you have to enter user adm with password ccc.

Accept certificate

ASDM Login

If your login data is correct, ASDM opens its start page…

ASDM start page

PPPoE Dial-In with ASA5505

If you like to connect your external interface to the internet using PPPoE, you have to configure a VPDN group first. In this simple example, our group is called PPPOE and we use the PAP method for authentication. Unlike IOS, ASA OS accepts only one authentication protocol. Hence you have to know whether your provider uses PAP or CHAP for authentication.

vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname <username>
vpdn group PPPOE ppp authentication pap
vpdn username <username> password <password>

After that, you can apply it to the desired interface, in my case Vlan2 (bound to Eth0/0).

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PPPOE
 ip address pppoe setroute

By using ip address pppoe setroute, a default route is inserted after a successful PPPoE dial-in.
With some basic commands, you can verify whether an IP address has been assigned by your provider and whether the connection to the internet is established.

ciscoasa# show interface outside ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      <assigned ip>   YES manual up                    up
ciscoasa#
ciscoasa# sh route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is <IP of provider router> to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via <IP of provider router>, outside
ciscoasa#
ciscoasa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
ciscoasa#

When there are problems with the dial-in, you can use the following debug commands.

  • debug ppp neg
  • debug ppp auth
  • debug pppoe packet

Configuring VRRP on a Juniper SSG

A few weeks ago, I was confronted with a Juniper Secure Services Gateway (aka SSG) for the first time. After playing a little bit with the box, I quickly learned to like her.
Okay, it took a while to get used to the CLI with its behaviour and the Virtual-System/-Router stuff, but the WebUI is very intuitive and easy to use for the first steps.
Somewhere along the way, I intended to configure VRRP between two SSG140 firewalls, but I couldn’t find it in either the CLI or the WebUI.

I sifted through the endless depths of the Juniper website and discovered that VRRP was first introduced in ScreenOS 6.1.
My SSG140 sadly was running ScreenOS 6.0r2. Thus I downloaded a 6.1 version and installed it.
Anyway, there was still no possibility to configure VRRP via the WebUI…

But here are the necessary steps to configure VRRP with the CLI:

set interface ethernet0/6 protocol vrrp
set interface ethernet0/6 protocol vrrp enable            # activate VRRP for ethernet0/6
set interface ethernet0/6 ip 192.168.1.253/24             # "real" IP for VRRP group 1
set interface ethernet0/6:1 ip 192.168.1.254/24           # virtual IP for VRRP group 1
set interface ethernet0/6:1 protocol vrrp preempt         # preemption (if desired)
set interface ethernet0/6:1 protocol vrrp priority 50     # priority (default is 100)

You can obtain information about VRRP with the “get vrrp” command:

SSG-140-> get vrrp ?
interface            vrrp info for all interfaces
statistics           vrrp statistics
virtual-group        vrrp info for all virtual groups
SSG-140->

A lot of restrictions:

  • works only for native Ethernet interfaces, not for bridge groups
  • only one VRRP group supported per interface
  • no secondary VRRP IP possible
  • either VRRP or NSRP can be activated for the whole device, not both
  • no VRRP authentication supported

Hope this helps you if you really need VRRP. But I think NSRP (NetScreen Redundancy Protocol) is the better choice.

Using two HWIC-4ESW in a Cisco 1841

Recently, there was a need for additional FastEthernet ports on a Cisco 1841. The router already had one HWIC-4ESW attached, but all ports were occupied.
Fortunately, there was a second HWIC-4ESW in stock, which was inserted immediately. Two additional ports were quickly configured for a VLAN already in use on the other HWIC.

But then the problem occurred:
The “new” ports on HWIC #2 could communicate neither with the VLAN interface on the router nor with other clients in the same VLAN connected to ports on HWIC #1.

In the MAC address table, everything looked okay -> the “new” MAC addresses were seen in the corresponding VLAN.
But after pinging from the router, there were only “incompletes” in the ARP cache.

After further investigation, I came to the conclusion that there is a common VLAN database shared by both HWICs.
However, it seems that there is no direct communication between the attached HWIC-4ESWs, perhaps due to hardware or design limitations.

My first try to fix the problem was a crossover cable between fa0/0/3 and fa0/1/3, which resulted in a loop.
So that was not a proper solution ;-)
I found the answer and the limitations on the Cisco website (Cisco EtherSwitch Modules Comparison).

Here’s a short summary:

  • only 2 HWIC or EtherSwitch network modules can be in any platform
  • HWICs do not support EtherChannel
  • only one SPAN port supported. SPAN port output also always contains a dot1q tag (NM-ESW doesn’t have this limitation)
  • to achieve that two ESWs share the same L2 domain, you have to configure intra-chassis stacking with the stacking-partner command (shown below) and connect the corresponding ports externally
  • stacking interfaces have to be configured as trunks
  • “show interface” for stacking ports shows UP/DOWN while working correctly

Configuration

! ESW #1
interface FastEthernet0/0/3
 switchport mode trunk
 switchport stacking-partner interface FastEthernet0/1/3
end

! ESW #2
interface FastEthernet0/1/3
 switchport mode trunk
 switchport stacking-partner interface FastEthernet0/0/3
end

Conclusion

Though the “stacking-partner” command solved my problem, it’s annoying to lose 2 external ports for communication between modules.
In future, I would rather use a 2960-8TCL and connect it to the switch than attach a second HWIC-4ESW.
Indeed there is an additional point of failure, but I personally see this as the cleaner (and also cheaper) solution.

Configuring Resilient Ethernet Protocol

Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol which allows you to build redundant Ethernet rings. It’s an alternative to the Spanning Tree Protocol; it also avoids bridging loops and responds to link failures.
Compared to STP, it offers a faster convergence time (< 300 ms) and gives you a simple VLAN load-balancing method.

In our example, we interconnect three switches (Cisco ME3400 with me340x-metroaccess-mz.122-50.SE1.bin) to a ring topology. In REP terminology, this is called a segment.

A REP segment is a chain of ports connected to each other and configured with a segment ID. Each segment consists of standard (nonedge) segment ports and two user-configured edge ports. A switch can have only two ports belonging to the same segment, and each segment port can have only one external neighbor.

REP segments have the following characteristics:

  • When all ports in a segment are operational, one port (referred to as the alternate port) is in the blocked state for each VLAN.
  • If VLAN load balancing is configured, two ports in the segment control the blocked state of VLANs.
  • If one or more ports in a segment is not operational, causing a link failure, all ports forward traffic on all VLANs to ensure connectivity.
  • In case of a link failure, the alternate ports are unblocked as quickly as possible. When the failed link comes back up, a logically blocked port per VLAN is selected with minimal disruption to the network.

Valid port states in REP segments are Failed, Open, or Alternate.

  • A port configured as a regular segment port starts as a failed port.
  • After the neighbor adjacencies are determined, the port changes to alternate port state, blocking all VLANs on the interface. Blocked port negotiations occur and when the segment settles, one blocked port remains in the alternate role, and all other ports become open ports.
  • When a failure occurs in a link, all ports move to the open state. When the alternate port receives the failure notification, it changes to the open state, forwarding all VLANs.

Simple Configuration without VLAN load-balancing

First, we configure all ring interfaces as REP ports with segment ID 911. All interfaces have to be Layer 2 trunk interfaces. To get REP working, we have to configure at least one edge port. For VLAN load-balancing, two edge ports are necessary.

I decided to configure the two edge ports on switch ME_A. Ports on ME_B and ME_C are configured as standard segment ports.

ME_A:
interface GigabitEthernet0/11
 description Trunk to ME_B
 port-type nni
 switchport mode trunk
 rep segment 911 edge primary

interface GigabitEthernet0/12
 description Trunk to ME_C
 port-type nni
 switchport mode trunk
 rep segment 911 edge

ME_B:
interface GigabitEthernet0/11
 description Trunk to ME_A
 port-type nni
 switchport mode trunk
 rep segment 911

interface GigabitEthernet0/16
 description Trunk to ME_C
 port-type nni
 switchport mode trunk
 rep segment 911

ME_C:
interface GigabitEthernet0/12
 description Trunk to ME_A
 port-type nni
 switchport mode trunk
 rep segment 911

interface GigabitEthernet0/16
 description Trunk to ME_B
 port-type nni
 switchport mode trunk
 rep segment 911

Activating REP produces a log message, and you can examine the topology with “show rep topology” on switch ME_C:

ME_C#sh rep topology
REP Segment 911
BridgeName       PortName   Edge Role
---------------- ---------- ---- ----
ME_A             Gi0/11     Pri  Open
ME_B             Gi0/11          Open
ME_B             Gi0/16          Open
ME_C             Gi0/16          Open
ME_C             Gi0/12          Open
ME_A             Gi0/12     Sec  Alt

As you can see, port Gi0/12 on ME_A is in the “Alt” state and doesn’t forward traffic (VLAN load-balancing is disabled by default).

You can also examine the REP status of a particular interface with “show int <interface> rep [detail]”:

ME_C#sh int g0/12 rep
Interface              Seg-id Type            LinkOp      Role
---------------------- ------ --------------- ----------- ----
GigabitEthernet0/12    911                    TWO_WAY     Open

ME_C#sh int g0/12 rep det
GigabitEthernet0/12   REP enabled
Segment-id: 911 (Segment)
PortID: 000C0024F7C1FE00
Preferred flag: No
Operational Link Status: TWO_WAY
Current Key: 00100024F7C1FE0070BB
Port Role: Open
Blocked VLAN: <empty>
Admin-vlan: 1
Preempt Delay Timer: disabled
LSL Ageout Timer: 5000 ms
Configured Load-balancing Block Port: none
Configured Load-balancing Block VLAN: none
STCN Propagate to: none
LSL PDU rx: 11400, tx: 7422
HFL PDU rx: 0, tx: 0
BPA TLV rx: 8680, tx: 860
BPA (STCN, LSL) TLV rx: 0, tx: 0
BPA (STCN, HFL) TLV rx: 0, tx: 0
EPA-ELECTION TLV rx: 148, tx: 19
EPA-COMMAND TLV rx: 0, tx: 0
EPA-INFO TLV rx: 2197, tx: 2202

In case of a link failure on Gi0/16 between ME_B and ME_C, you will see the following syslog message:

*Mar  1 07:03:17.617: %REP-4-LINKSTATUS: GigabitEthernet0/16 (segment 911) is non-operational due to
 port become non-trunk

REP converges immediately and unblocks the “Alt” link. Gi0/16 changes to the “Fail” state:

ME_C#sh rep topology
REP Segment 911
Warning: REP detects a segment failure, topology may be incomplete

BridgeName       PortName   Edge Role
---------------- ---------- ---- ----
ME_C             Gi0/16          Fail
ME_C             Gi0/12          Open
ME_A             Gi0/12     Sec  Open

(All information taken from the Cisco website)
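As an added example (not from the original post and not Cisco tooling), the following Python parses the two “show rep topology” captures shown above plus the quoted %REP-4-LINKSTATUS syslog line, so a monitoring job can distinguish a settled ring (exactly one Alt port, both edge ports present, no warning) from a broken one; the function names and the constructed sample strings are my own.

```python
import re

# Constructed from the post's capture of the healthy ring.
REP_OK = """\
REP Segment 911
BridgeName       PortName   Edge Role
---------------- ---------- ---- ----
ME_A             Gi0/11     Pri  Open
ME_B             Gi0/11          Open
ME_B             Gi0/16          Open
ME_C             Gi0/16          Open
ME_C             Gi0/12          Open
ME_A             Gi0/12     Sec  Alt
"""
# Constructed from the post's capture after the Gi0/16 link failure.
REP_FAILED = """\
REP Segment 911
Warning: REP detects a segment failure, topology may be incomplete

BridgeName       PortName   Edge Role
---------------- ---------- ---- ----
ME_C             Gi0/16          Fail
ME_C             Gi0/12          Open
ME_A             Gi0/12     Sec  Open
"""
# Constructed from the %REP-4-LINKSTATUS syslog line quoted in the post.
SYSLOG = ("*Mar  1 07:03:17.617: %REP-4-LINKSTATUS: GigabitEthernet0/16 "
          "(segment 911) is non-operational due to port become non-trunk\n")

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(Pri|Sec)?\s*(Open|Alt|Fail)\s*$")
LINKSTATUS = re.compile(r"%REP-4-LINKSTATUS: (\S+) \(segment (\d+)\) is non-operational")

def parse_rep_topology(text):
    """Parse 'show rep topology' output into {segment, incomplete, ports}."""
    seg = {"segment": None, "incomplete": False, "ports": []}
    for line in text.splitlines():
        m = re.match(r"REP Segment (\d+)", line)
        if m:
            seg["segment"] = int(m.group(1))
        elif line.startswith("Warning:"):          # printed while a port is failed
            seg["incomplete"] = True
        elif (m := ROW.match(line)):               # (bridge, port, edge, role)
            seg["ports"].append(m.groups())
    return seg

def ports_in_role(seg, role):
    return [(b, p) for b, p, _, r in seg["ports"] if r == role]

def segment_healthy(seg):
    """Settled ring: no Fail ports, exactly one blocking (Alt) port,
    both edge ports visible and no incompleteness warning."""
    edges = sum(1 for _, _, e, _ in seg["ports"] if e)
    return (not seg["incomplete"] and not ports_in_role(seg, "Fail")
            and len(ports_in_role(seg, "Alt")) == 1 and edges == 2)

def rep_link_failures(syslog):
    """(interface, segment) for every REP link-down event in syslog text."""
    return [(m.group(1), int(m.group(2))) for m in LINKSTATUS.finditer(syslog)]
```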

Well-known multicast addresses

A lot of dynamic routing protocols use IP multicast for neighbor discovery, hellos and other things.

Here are some well-known multicast addresses:

  • 224.0.0.1 all hosts on a subnet
  • 224.0.0.2 all routers on a subnet
  • 224.0.0.4 Distance Vector Multicast Routing Protocol (DVMRP)
  • 224.0.0.5 OSPF routers
  • 224.0.0.6 OSPF designated routers
  • 224.0.0.9 RIP Version 2 routers
  • 224.0.0.10 EIGRP routers
  • 224.0.0.13 Protocol Independent Multicast (PIM) routers

How to enable IP Forwarding in Debian

IP routing/forwarding is disabled by default in Debian.

To enable it on the fly, you only have to write “1” to /proc/sys/net/ipv4/ip_forward or set the kernel parameter net.ipv4.ip_forward to “1”.

Method #1:
echo 1 > /proc/sys/net/ipv4/ip_forward
Method #2:
sysctl -w net.ipv4.ip_forward=1

The current setting can be checked as follows:

debian:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
debian:~# cat /proc/sys/net/ipv4/ip_forward
1
debian:~#

If you want a permanent setting, the most common way is to add a line containing “net.ipv4.ip_forward = 1” to the file /etc/sysctl.conf.

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

You can activate the changes made in the kernel parameter configuration file by running the command:

sysctl -p /etc/sysctl.conf

Perhaps there are some distribution-specific scripts available in Debian, but I didn’t check.

Interface range macro

I often use the interface range feature on Cisco switches running IOS.
Not so long ago, I discovered the interface-range macro command, which I had never heard of before.

With this macro, you can group several interfaces together and address them by a meaningful name.

Short example:

define interface-range UPLINKS FastEthernet0/1, FastEthernet0/24
define interface-range USERPORTS FastEthernet0/2 - 23

Usage:

switch#conf t
switch(config)#interface range macro USERPORTS
switch(config-if-range)#switchport access vlan 111
switch(config-if-range)#no shutdown
switch(config-if-range)#description User-Ports
switch(config-if-range)#end
switch#

This command was introduced in 12.0(7)XE and extended to the T train in 12.1(5)T.