Monday, December 5, 2011

FileZilla FTP Client fails through BlueCoat Proxy

Symptoms:

When using FileZilla FTP client through a bluecoat proxy, the FTP connection attempt fails with the below error message:

Status: Using proxy ftpproxy.mydomain.com
Status: Resolving address of ftpproxy.mydomain.com
Status: Connecting to 10.192.5.37:21...
Status: Connection established, waiting for welcome message...
Response: 220 Blue Coat FTP Service
Command: USER ftpuser@targetftpsite
Response: 331 Enter password.
Command: PASS ********
Response: 332 Enter proxy password.
Error: Login sequence fully executed yet not logged in. Aborting.
Error: Server might require an account. Try specifying an account using the Site Manager
Error: Critical error
Error: Could not connect to server


Versions:
  • FileZilla FTP Client v3.5.2
  • The LAN proxy server is a BlueCoat proxy server

Resolution/Workaround:

1. Go to FileZilla Client > Edit > Settings

2. In Connection > FTP > FTP Proxy

            2.1. Click on Custom and do the following:
            2.2. Under Custom, enter the following:
                                    USER %u@%h
                                    PASS %p
                                    ACCT %a
            2.3. Proxy host: <your_bluecoat_proxy_server>

3. Click OK.
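
The login sequence behind the workaround, as an added example that is not FileZilla or Blue Coat code: it expands a FileZilla-style custom login template (%u, %h, %p, %a) and replays it against a simulated proxy whose replies are constructed from the session log above (USER -> 331, PASS -> 332, ACCT -> 230). The treatment of ACCT as the proxy credential, and the hostname and passwords, are assumptions of this model.

```python
"""Expand a FileZilla-style custom proxy login sequence and replay it against
a simulated proxy that answers like the Blue Coat session logged above.
Added example, not FileZilla or Blue Coat code: proxy replies are constructed
from the log, and host/user/password values are placeholders."""

# Variables accepted in the FileZilla custom login sequence.
PLACEHOLDERS = {"%u": "user", "%h": "host", "%p": "password", "%a": "account"}

# The failing sequence seen in the log (no ACCT line) and the working custom
# sequence from the workaround above.
DEFAULT_SEQUENCE = "USER %u@%h\nPASS %p"
CUSTOM_SEQUENCE = "USER %u@%h\nPASS %p\nACCT %a"


def expand_sequence(template, **values):
    """Substitute %u/%h/%p/%a and return the commands in send order."""
    commands = []
    for line in template.strip().splitlines():
        for token, name in PLACEHOLDERS.items():
            line = line.replace(token, values.get(name, ""))
        commands.append(line.strip())
    return commands


class FakeFtpProxy:
    """Reply sequence of the proxy in the log: USER -> 331, PASS -> 332
    (proxy wants its own credential), ACCT -> 230.  Constructed model."""

    def __init__(self, proxy_password):
        self.proxy_password = proxy_password
        self.state = "need_user"

    def handle(self, command):
        verb, _, arg = command.partition(" ")
        if self.state == "need_user" and verb == "USER":
            self.state = "need_pass"
            return "331 Enter password."
        if self.state == "need_pass" and verb == "PASS":
            self.state = "need_acct"
            return "332 Enter proxy password."
        if self.state == "need_acct" and verb == "ACCT":
            if arg == self.proxy_password:
                self.state = "logged_in"
                return "230 Login OK."
            return "530 Login incorrect."
        return "503 Bad sequence of commands."


def run_login(proxy, commands):
    """Send each command; stop at the first 4xx/5xx.  Returns (success,
    transcript) with PASS/ACCT arguments masked, as the FileZilla log does."""
    transcript = []
    for cmd in commands:
        reply = proxy.handle(cmd)
        shown = cmd.split(" ")[0] + " ********" if cmd.startswith(("PASS", "ACCT")) else cmd
        transcript.append((shown, reply))
        if reply[0] in "45":
            break
    # A sequence that runs out while the proxy still waits for ACCT (332) is
    # the log's "login sequence fully executed yet not logged in" case.
    return proxy.state == "logged_in", transcript


def compare_sequences():
    """Run both sequences against a fresh proxy and report which one logs in."""
    creds = dict(user="ftpuser", host="targetftpsite",
                 password="secret", account="proxysecret")   # constructed
    results = {}
    for name, template in (("default", DEFAULT_SEQUENCE), ("custom", CUSTOM_SEQUENCE)):
        ok, _ = run_login(FakeFtpProxy("proxysecret"), expand_sequence(template, **creds))
        results[name] = ok
    return results
```

The masked transcript is worth keeping in real tooling too: the proxy credential travels in the ACCT argument, so any log that prints commands verbatim would leak it.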

Source:

Monday, May 30, 2011

MPLS Label Distribution Parameters

MPLS Label Distribution Parameter Options:
  Parameter            Option 1                    Option 2
  Label Space          Per-Interface               Per-Platform
  Label Distribution   Unsolicited Downstream      Downstream-on-Demand
  Label Allocation     Independent Control Mode    Ordered Control Mode
  Label Retention      Liberal Label Retention     Conservative Label Retention

Label Space Options

Per-Platform Labels
  • LFIB: [Label | Action | Next Hop ]
  • one label assigned to a destination network and announced to all neighbors
  • locally unique, valid on all incoming interfaces
  • smaller LFIB, FIB; faster label exchange
  • less secure than per-interface labels: a label is valid on every incoming interface, so it is exposed to label-spoofing
  • default in Frame-Mode MPLS
Per-Interface Labels
  • LFIB:[IN intf | IN Label | NH intf | NH Label]
  • one label for each destination, each device, each interface
  • secure; prevents label-spoofing; labeled packets/ATM cells only accepted from interface where label is assigned
  • default in Cell-Mode MPLS
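
Two tiny LFIB models, one per label-space option above, written to show the security difference the notes point at: a per-platform label is valid on every incoming interface, while a per-interface label is only accepted on the interface it was assigned on. This is an added example, not vendor code; interface names, label values and next hops are constructed.

```python
"""Per-platform vs per-interface label space, modelled as two LFIB lookups.
Added example, not vendor code; interfaces, labels and next hops are
constructed values."""


class PerPlatformLFIB:
    """Per-platform label space: [Label | Action | Next Hop].
    One label per destination, announced to all neighbours."""

    def __init__(self):
        self.entries = {}  # label -> (action, next_hop)

    def assign(self, label, action, next_hop):
        self.entries[label] = (action, next_hop)

    def lookup(self, in_intf, label):
        # The incoming interface is not part of the key, so a label learned
        # from one neighbour is accepted from any other interface as well.
        return self.entries.get(label)


class PerInterfaceLFIB:
    """Per-interface label space: [IN intf | IN Label | NH intf | NH Label]."""

    def __init__(self):
        self.entries = {}  # (in_intf, in_label) -> (nh_intf, nh_label)

    def assign(self, in_intf, in_label, nh_intf, nh_label):
        self.entries[(in_intf, in_label)] = (nh_intf, nh_label)

    def lookup(self, in_intf, label):
        # Only labelled packets arriving on the interface the label was
        # assigned on are matched; anything else misses (None = drop).
        return self.entries.get((in_intf, label))


def build_lfibs(neighbour_intfs):
    """Install one destination (FEC) reachable via next hop 10.0.0.2.
    Per-platform needs one entry; per-interface needs one entry per
    neighbour interface (the 'smaller LFIB' point in the notes)."""
    pp = PerPlatformLFIB()
    pp.assign(16, "swap 24", "10.0.0.2")
    pi = PerInterfaceLFIB()
    for n, intf in enumerate(neighbour_intfs):
        pi.assign(intf, 100 + n, "ATM2/0", 24)
    return pp, pi


def spoofing_check(legit_intf, other_intf):
    """Forward a packet carrying a valid label, first on the interface the
    label belongs to, then on another interface; report what each LFIB does."""
    pp, pi = build_lfibs([legit_intf, other_intf])
    legit_label = 100  # label build_lfibs assigned on legit_intf
    return {
        "per_platform_legit": pp.lookup(legit_intf, 16) is not None,
        "per_platform_spoofed": pp.lookup(other_intf, 16) is not None,
        "per_interface_legit": pi.lookup(legit_intf, legit_label) is not None,
        "per_interface_spoofed": pi.lookup(other_intf, legit_label) is not None,
    }


def lfib_sizes(num_neighbours):
    """Entry count for one FEC under each label space."""
    pp, pi = build_lfibs([f"Gi0/{i}" for i in range(num_neighbours)])
    return len(pp.entries), len(pi.entries)
```

The trade-off in the notes falls out directly: the per-platform table stays at one entry however many neighbours there are, but it cannot tell a spoofed label from a legitimate one by interface.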

Label Distribution

Unsolicited Downstream
  • label advertised to all neighbor LSRs, regardless of whether upstream or downstream
  • Frame-Mode
Downstream-On-Demand
  • label advertised only upon request of upstream LSR
  • cell-mode

Label Allocation 

Independent Control
  • LSR can assign a label for a prefix w/o outgoing/downstream label
  • for edge LSRs only (requires L3 capabilities)
  • faster label propagation
  • for unsolicited downstream / frame-mode
Ordered Control
  • local label allocated and propagated only after the label from the next-hop (downstream) LSR is known
  • if a next-hop label exists, allocate and propagate the local label; otherwise request a label from the next hop
  • for downstream-on-demand/cell-mode


Label Retention

Liberal Label Retention
  • all received label stored in LIB, even if not from next-hop LSR
  • improves convergence speed; allows easy failover for link failures
  • frame-mode

Conservative Label Retention
  • only labels received from next-hop LSRs are stored; others are ignored
  • downstream-on-demand/cell-mode


Standard Parameter Sets for Cisco Platforms

  Parameter            Routers, frame interfaces   Routers, ATM interfaces   ATM switches
  Label Space          per-platform                per-interface             per-interface
  Label Distribution   unsolicited downstream      downstream-on-demand      downstream-on-demand
  Label Allocation     independent control         independent control       ordered control
  Label Retention      liberal label retention     conservative OR liberal   conservative

Wednesday, May 25, 2011

BGP Route Dampening

At a Glance:
  • designed to reduce router processing load caused by unstable routes;
  • prevents sustained routing oscillations without affecting well-behaved routes;
  • RFC 2439: BGP Route Flap Dampening;
  • minimizes BGP updates by suppressing unstable routes.
Route-Dampening Operation:
  • EBGP route flaps = 1000 penalty points
    • IBGP route flaps not dampened;
    • penalty not user-configurable;
  • penalty decays via exponential decay algorithm
    • if penalty > suppress limit, route is dampened
    • if penalty < reuse limit, dampened route is propagated
    • if penalty < 1/2 reuse limit, flap history forgotten
  • route is never dampened more than the maximum suppress time limit
  • unreachable route with flap history is in history state (still in BGP table to retain flap history)
  • penalty is applied to an individual path, not the prefix

Configuring Route Dampening:
router(config-router)#
bgp dampening [half-life reuse suppress max-suppress-time] [route-map route-map-name]
  half-life           time for penalty to halve (default 15 minutes)
  reuse               penalty points below which a dampened route is reused (default 750)
  suppress            penalty points above which a route is suppressed (default 2000)
  max-suppress-time   maximum time a route is suppressed (default 1 hour; maximum 255 minutes)

router(config-route-map)#
set dampening half-life reuse suppress max-suppress-time
- used for less aggressive dampening of routes towards root DNS servers
- dampening of smaller prefixes more aggressively
- selective dampening based on BGP neighbors and route-map match criteria

Other Commands:
clear ip bgp ip_addr flap-statistics [{regexp regexp} | {filter-list listname} | {ipaddr mask} ]
clear ip bgp dampening [ipaddr mask]
show ip bgp dampened-paths
show ip bgp flap-statistics [{regexp regexp}|{filter-list listname}|{ipaddr mask [longer-prefix]}]
debug ip bgp dampening
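
A simulation of the penalty mechanics described under "Route-Dampening Operation", run with the IOS defaults listed under "Configuring Route Dampening" (half-life 15 minutes, reuse 750, suppress 2000, max-suppress-time 60 minutes). This is an added example, not IOS code: the flap timeline is constructed, time is counted in minutes, and the penalty ceiling derived from max-suppress-time is this model's way of enforcing that limit.

```python
"""Route-flap dampening penalty simulation with the IOS defaults above.
Added example, not IOS code; flap times are constructed and the ceiling
derived from max-suppress-time is a modelling assumption."""
import math

FLAP_PENALTY = 1000  # per EBGP flap; not user-configurable (see above)


class DampenedPath:
    """Penalty state for one path (dampening is per path, not per prefix)."""

    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress=60):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        # Largest penalty that still decays to the reuse limit within
        # max-suppress-time; capping here bounds suppression to that limit.
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.clock = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        """Exponential decay: the penalty halves every half_life minutes."""
        self.penalty *= 0.5 ** ((now - self.clock) / self.half_life)
        self.clock = now
        if self.penalty < self.reuse / 2:    # flap history forgotten
            self.penalty = 0.0
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False          # route reused (re-advertised)

    def flap(self, now):
        """An EBGP flap at time `now` (minutes, non-decreasing)."""
        self._decay_to(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True

    def status(self, now):
        """Return (suppressed?, penalty) at time `now`."""
        self._decay_to(now)
        return self.suppressed, round(self.penalty)

    def minutes_until_reuse(self, now):
        """Time until the current penalty decays below the reuse limit."""
        self._decay_to(now)
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def three_flaps_timeline():
    """Three flaps in quick succession, then observe the path over an hour."""
    p = DampenedPath()
    for _ in range(3):
        p.flap(0)
    return {
        "t0": p.status(0),                   # 3000 > 2000: suppressed
        "reuse_in": p.minutes_until_reuse(0),  # two half-lives to reach 750
        "t15": p.status(15),
        "t31": p.status(31),                 # just under 750: reused
        "t60": p.status(60),                 # below 375: history forgotten
    }


def worst_case_suppression(num_flaps):
    """Many flaps at once: the ceiling keeps suppression within max-suppress-time."""
    p = DampenedPath()
    for _ in range(num_flaps):
        p.flap(0)
    return p.status(0)[1], p.minutes_until_reuse(0)
```

Two flaps alone (2000 points) do not cross the suppress limit, since the comparison is strictly greater; the third flap does. With the defaults, the ceiling works out to 750 * 2^4 = 12000 points, so no matter how many flaps pile up the path is re-advertised within 60 minutes.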

Monday, May 23, 2011

BGP: Regular Expressions for AS-PATH Filtering

  Symbol   Description
  |        logical OR
  .        match any single character
  [x-y]    match one character in the range x to y
  ^        match beginning of string
  $        match end of string
  _        match any delimiter: start or end of string, space, comma, brace or parenthesis
  ( )      group as a single atom
  *        match 0 or more instances of previous atom
  ?        match 0 or 1 instance of previous atom
  +        match 1 or more instances of previous atom
  \        escape character; if followed by a number n, refers back to the nth atom (group)


Example 1: Advertise routes with empty AS-PATH (internal routes)

router bgp 123
 neighbor 5.6.7.8 remote-as 387
 neighbor 5.6.7.8 filter-list 1 out
!
ip as-path access-list 1 permit ^$
!match "blank" atom at the "start" and "end" of string
!



Example 2: Accept only default routes, preferring primary route based on AS PATH:

AS387 (primary ISP)
/
AS123
\
AS462 (backup ISP)

router bgp 123
 neighbor 1.2.3.4 remote-as 462
 neighbor 1.2.3.4 route-map FILTER in
 neighbor 5.6.7.8 remote-as 387
 neighbor 5.6.7.8 route-map FILTER in
!
route-map FILTER permit 10
! default routes from primary ISP (AS 387) accepted are preferred (larger weight)
 match ip prefix-list DEFAULT_ONLY
 match as-path 10
 set weight 150
!
route-map FILTER permit 20
! default routes from backup ISP are accepted, with lower preference than primary ISP routes
 match ip prefix-list DEFAULT_ONLY
 set weight 100
!
ip as-path access-list 10 permit _387$
ip prefix-list DEFAULT_ONLY seq 10 permit 0.0.0.0/0
!



Example 3: AS PATH Filtering with AS Path Prepending:
- customer in AS123 is performing AS-PATH pre-pending

  AS123
10.0.0.1\
  \
   AS462


router bgp 387
 neighbor 10.0.0.1 remote-as 123
 neighbor 10.0.0.1 filter-list 10 in
!
ip as-path access-list 10 permit ^123(_123)*$
! accepts "123", "123 123", or "123 123 123"



Example 4: AS PATH Filtering with AS Path Prepending, multiple customers:
- multiple customers performing AS PATH Prepending

  Customer 1
\
Customer 2 -AS387
/
  Customer 3

!
router bgp 387
 neighbor 10.0.0.1 remote-as 123
 neighbor 10.0.0.1 filter-list 10 in
 neighbor 20.0.0.1 remote-as 456
 neighbor 20.0.0.1 filter-list 10 in
 neighbor 30.0.0.1 remote-as 789
 neighbor 30.0.0.1 filter-list 10 in
!
ip as-path access-list 10 permit ^([0-9]+)(_\1)*$
! accepts repeating instances of one AS: "123", "123 123", "456 456", "789 789 789"
! does not accept non-repeating strings (e.g. "123 123 100")
!

Notes:
atom 1 = at least one digit at the beginning of the string (the first AS number);
atom 2 = 0 or more instances of a delimiter followed by atom 1 (the same AS number repeated), until the end of the string.
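
To check the patterns from Examples 1 to 4 against sample AS_PATH strings without a router, the following added example (not IOS code) translates the IOS-only "_" delimiter into a Python regular expression and applies first-match permit/deny semantics like an ip as-path access-list. The sample paths are constructed.

```python
"""Evaluate the IOS AS-path regular expressions from the examples above in
Python.  Added example, not IOS code; sample AS_PATH strings are constructed."""
import re

# In IOS, "_" matches one delimiter: start or end of string, space, comma,
# brace or parenthesis.  Python has no such class, so expand it.
IOS_DELIM = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern):
    """Translate an IOS AS-path regex to Python syntax.  Assumes "_" is not
    used inside a character class, which holds for the examples above."""
    return pattern.replace("_", IOS_DELIM)


def matches(ios_pattern, as_path):
    """True if the IOS pattern matches the AS_PATH.  IOS searches rather
    than anchoring implicitly, hence re.search."""
    return re.search(ios_to_python(ios_pattern), as_path) is not None


def as_path_access_list(entries, as_path):
    """First matching (action, pattern) entry wins; no match is an implicit deny."""
    for action, pattern in entries:
        if matches(pattern, as_path):
            return action == "permit"
    return False


# Filter lists from the examples above, as (action, pattern) tuples.
EXAMPLE1 = [("permit", r"^$")]                 # only locally originated routes
EXAMPLE2_PRIMARY = [("permit", r"_387$")]      # path ends at the primary ISP
EXAMPLE3 = [("permit", r"^123(_123)*$")]       # AS123, any amount of prepending
EXAMPLE4 = [("permit", r"^([0-9]+)(_\1)*$")]   # any single AS, repeated


def weight_for_default_route(as_path):
    """Example 2's route-map: weight 150 via the primary ISP, else 100."""
    return 150 if as_path_access_list(EXAMPLE2_PRIMARY, as_path) else 100
```

A quick check of the failure mode the notes warn about: "123 123 100" is rejected by Example 4's list because the back-reference forces every repeated atom to equal the first AS number, whereas a pattern such as ^[0-9]+(_[0-9]+)*$ would accept it.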

Wednesday, May 4, 2011

BGP Path Attributes and Route Selection

BGP Path Attributes

Mandatory Well-Known
 Origin (i, e, ?)
 AS-Path (sequence of AS-Numbers to access network/IP)
 Next-Hop (ip address)
Discretionary Well-Known
 Local Preference (for routing policy)
 Atomic Aggregate (flags route if aggregated)
Optional Non-Transitive
 Multi-Exit Discriminator (MED) - multiple entry pts to one AS
 Originator-ID - for route reflector environment
 Cluster-List - for route reflector environment
Optional Transitive
 Aggregator - IP address & AS of routers that aggregated routes
 Community - for route tagging


BGP Route Selection Order:
  1. Prefer highest weight (local to router)
  2. Prefer highest local preference (global within AS)
  3. Prefer routes that the router originated
  4. Prefer shorter AS paths
  5. Prefer lowest origin code (IGP < EGP < Incomplete)
  6. Prefer lowest MED
  7. Prefer external (EBGP) paths over internal (IBGP)
    1. For IBGP paths, prefer nonreflected routes (no originator-ID) over reflected routes
    2. For reflected routes, prefer shorter cluster-list
  8. For IBGP paths, prefer path through closest IGP neighbor
  9. For EBGP paths, prefer oldest (most stable) path
  10. Prefer paths from router with the lower BGP router-ID
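
A reference model of the ten-step selection order listed above, including the route-reflector tie-breakers under step 7, as an added example that is not IOS code: the Path fields are my own names, the candidate paths in the test are constructed, and MED is compared across all paths rather than only among paths from the same neighbouring AS (a simplification of the real rule).

```python
"""BGP best-path selection in the order listed above.  Added example, not IOS
code; Path field names are my own and MED comparison is simplified to apply
across all candidates."""
from dataclasses import dataclass, field
from typing import List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP < EGP < Incomplete

STEPS = [
    "1. highest weight", "2. highest local preference", "3. locally originated",
    "4. shortest AS path", "5. lowest origin code", "6. lowest MED",
    "7. EBGP over IBGP", "7.1 nonreflected over reflected",
    "7.2 shortest cluster-list", "8. closest IGP neighbor",
    "9. oldest EBGP path", "10. lowest router-ID",
]


@dataclass
class Path:
    router_id: str                      # BGP router-ID of the advertising peer
    as_path: List[int]
    origin: str = "i"
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    med: int = 0
    ebgp: bool = True
    originator_id: Optional[str] = None  # set on reflected routes
    cluster_list: List[str] = field(default_factory=list)
    igp_metric: int = 0                 # IGP cost to the next hop
    age_rank: int = 0                   # 0 = oldest received


def _rid(router_id):
    """Dotted-quad router-ID as a comparable tuple."""
    return tuple(int(octet) for octet in router_id.split("."))


def selection_key(p):
    """One element per step, arranged so that the smaller tuple is preferred."""
    return (
        -p.weight,
        -p.local_pref,
        0 if p.locally_originated else 1,
        len(p.as_path),
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.ebgp else 1,
        0 if p.originator_id is None else 1,
        len(p.cluster_list),
        p.igp_metric,
        p.age_rank if p.ebgp else 0,    # age only breaks ties between EBGP paths
        _rid(p.router_id),
    )


def best_path(paths):
    """Return (winner, deciding step) for a non-empty list of candidate paths."""
    ranked = sorted(paths, key=selection_key)
    winner = ranked[0]
    if len(ranked) == 1:
        return winner, "only path"
    k_win, k_next = selection_key(winner), selection_key(ranked[1])
    for step, (a, b) in zip(STEPS, zip(k_win, k_next)):
        if a != b:
            return winner, step
    return winner, "tie"
```

Reporting the deciding step alongside the winner is the part worth keeping when debugging policy: it tells you which attribute (weight, local preference, and so on) a route-map would have to change to alter the outcome.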

BGP: Multihomed Customer to Single ISP in Load-Sharing Setup with Static Routes

Outbound Traffic (CE to PE):
- each customer router uses closest CE as exit point;
- CE routers must be collocated to have load-sharing;

Inbound/Return Traffic (PE to CE) (pre-IOS 12.2):
- true load-sharing is impossible to achieve with multiple PEs;
- per BGP route selection, only one route will be the best route (to the customer network)
- can be optimized by dividing the customer address space

Customer Network: 11.2.3.0 /24
Customer Network "division" assigned to PE1: 11.2.3.0/25
Customer Network "division" assigned to PE2: 11.2.3.128/25

BGP: Multihomed Customer to Single ISP in Primary-Backup Setup with Static Routes

Scenario:
Multihomed customer connected to a single service provider on multiple permanent links;
Customer network using OSPF; provider network using BGP; CE-PE via static routing;
Floating static routes configured as backup on both CE and PE;

Floating Static Routes in BGP:
Once active, a floating static route stays installed in BGP permanently, because a locally sourced (static) route is preferred over the route learned from the peer;
  • admin distance cannot be used in route-maps; hence, use communities
  • tag floating static routes; tags mapped to specific communities;
  • use route maps to modify the weight and/or local preference;
  • default weight: 32768