Default routing with PPP

Creating a default route within a standard PPP link is not complex, but it is not obvious either. We are not running an IGP, so we cannot redistribute a static default route, nor can we do, say, "default-information originate". However, it is just a one-line command; you just need to know what you are looking for!

We start with a couple of routers.

PPP default routing

The goal will be for R1 to have a default route in its routing table, pointing to R2. We start with a basic config:

R1(config)#int s3/0
R1(config-if)#no shut
R1(config-if)#encapsulation ppp
R1(config-if)#ip add 10.1.1.1 255.255.255.0

R2(config)#int s3/0
R2(config-if)#encap ppp
R2(config-if)#ip add 20.1.1.1 255.255.255.0
R2(config-if)#no shut

Now we need R1 to have a default route. We do not have an IGP running between the two, so we cannot do any redistribution or anything like that. We need to look at R1 and see what options we have.

R1(config-if)#ppp ?
  accm              Set initial Async Control Character Map
  accounting        Set PPP network accounting method
  acfc              Options for HDLC Address & Control Field Compression
  authentication    Set PPP link authentication method
  authorization     Set PPP network authorization method
  bcp               Set BCP negotiation options
  bridge            Enable PPP bridge translation
  caller            Caller option when no CLID is available
  chap              Set CHAP authentication parameters
  direction         Override default PPP direction
  disconnect-cause  Set disconnect-cause code
  dnis              Authentication via DNIS before LCP
  eap               Set EAP authentication parameters
  encrypt           Enable PPP encryption
  ipcp              Set IPCP negotiation options
  iphc              Set IPCP Header Compression control options
  ipv6cp            Set IPV6CP negotiation options
  lcp               PPP LCP configuration
  link              Set miscellaneous link parameters
  loopback          PPP loopback options
  max-bad-auth      Allow multiple authentication failures
  max-configure     Number of conf-reqs sent before assuming peer is unable to

R1(config-if)#

We have one called "ipcp". This stands for Internet Protocol Control Protocol. IPCP looks after IP addressing on a PPP link. Within the options for "ppp ipcp" we have:

R1(config-if)#ppp ipcp ?
  accept-address      Accept any non zero IP address from our peer
  address             Additional ipcp address options
  dns                 Specify DNS negotiation options
  header-compression  IPCP header compression option
  ignore-map          Ignore dialer map when negotiating peer IP address
  mask                Specify subnet mask negotiation options
  no-renegotiation    Do not allow client to renegotiate IPCP
  predictive          Predict peers IPCP requests/replies
  route               Install default route thru negotiated peer IP address
  username            Configure how usernames are handled
  wins                Specify WINS negotiation options

R1(config-if)#

So, ppp ipcp route looks like a winner!

R1(config-if)#ppp ipcp route ?
  default  Install default route thru negotiated peer IP address

R1(config-if)#

So the complete command will be:

R1(config-if)#ppp ipcp route default

Let's see what this gets us!

R1(config-if)#do sh ip route | b Gateway
Gateway of last resort is 20.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Serial3/0
L        10.1.1.1/32 is directly connected, Serial3/0
      20.0.0.0/32 is subnetted, 1 subnets
C        20.1.1.1 is directly connected, Serial3/0
R1(config-if)#

Let's add a loopback interface to R2 and check that we have connectivity:

R2(config-if)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.255
R2(config-if)#

R1(config-if)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/113/148 ms
R1(config-if)#

Nice. A little one-liner and we have a default route between two disparate networks.
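
To make the IPCP side of this concrete, here is an added Python model (not IOS code, and not from the original post) of what "ppp ipcp route default" does: R1 parses R2's IPCP Configure-Request (RFC 1332, IP-Address option type 3), acks a usable non-zero address and installs a static default route via that negotiated peer address. The packet builder, the address sanity checks and the rib dictionary are this example's own assumptions.

```python
import struct
import ipaddress

# IPCP (RFC 1332) control codes and the IP-Address option type. Real IOS does this
# inside its PPP stack; this is a stand-alone model for illustration only.
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_IP_ADDRESS = 3


def build_ipcp(code, ident, ip):
    """Build an IPCP packet: Code(1) Identifier(1) Length(2) + one IP-Address option (type 3, len 6)."""
    opt = struct.pack("!BB4s", OPT_IP_ADDRESS, 6, ipaddress.IPv4Address(ip).packed)
    return struct.pack("!BBH", code, ident, 4 + len(opt)) + opt


def parse_ipcp(pkt):
    """Return (code, identifier, {option_type: raw_value}); reject inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("IPCP length field does not match packet size")
    opts, pos = {}, 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated IPCP option header")
        otype, olen = pkt[pos], pkt[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError("malformed IPCP option")
        opts[otype] = pkt[pos + 2:pos + olen]
        pos += olen
    return code, ident, opts


def handle_peer_request(rib, conf_req, route_default):
    """R1's side of the exchange. Ack the peer's Configure-Request if it carries a usable
    non-zero unicast IP-Address; with route_default (the 'ppp ipcp route default' knob)
    also install a static default route through that negotiated peer address."""
    code, ident, opts = parse_ipcp(conf_req)
    if code != CONF_REQ or OPT_IP_ADDRESS not in opts:
        return CONF_REJ, None
    peer = ipaddress.IPv4Address(opts[OPT_IP_ADDRESS])
    # A zero address means "assign me one"; multicast/loopback can never be a next hop.
    if peer == ipaddress.IPv4Address("0.0.0.0") or peer.is_multicast or peer.is_loopback:
        return CONF_NAK, None
    if route_default:
        rib["0.0.0.0/0"] = {"type": "S*", "via": str(peer), "ad_metric": "[1/0]"}
    return CONF_ACK, str(peer)


if __name__ == "__main__":
    r1_rib = {}
    r2_request = build_ipcp(CONF_REQ, 1, "20.1.1.1")   # R2 offers its s3/0 address
    print(handle_peer_request(r1_rib, r2_request, route_default=True), r1_rib)
```

Whatever address the peer negotiates becomes the next hop of R1's only default route, which is why the check on the peer's address matters more here than on an ordinary static route.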

Narbik's 10-day bootcamp

I have just finished Micronics Training's ten-day end-to-end "No Excuses" bootcamp course. For those of you who don't know, the word bootcamp comes from the German "bootenkamp"*, meaning "kiss goodbye to your family and all hope of a decent night's sleep".

(* this translation might not be correct)

I was originally planning to do a day-by-day breakdown, but to be honest, I didn't keep the draft of this post updated, so things got a little hazy. But, hopefully, by the end of this post, you'll understand the haze.

Let's start at the beginning, the day before class starts.

Sunday started with a hangover. Way too much drink the night before had led to spending several hours in the bathroom, sometimes being sick, mainly being asleep. Not a good way to prepare for a boot camp. I cooked dinner on Sunday, and we went to the fair that had come to town. One of my sons had complained about a poorly stomach before we left, and he highlighted the point by throwing up on the way to the fair, moments after we stepped out of the car. He then followed this up a while later, this time in the fun house, drenching his brother and my wife. We went home. Hardly the best start to the week. I had a relatively early night, feeling better, but also feeling a mixture of nervousness and gleeful anticipation for the next ten days.

Day one

I left early, not having done the relatively short drive from my house to Newport Pagnell in rush hour traffic before. I have driven there many times as I have a friend who lives there, but never during rush hour. The usual half-hour drive takes over an hour today. For those who don't know the area, Newport Pagnell is just outside of Milton Keynes. Milton Keynes is famous for a couple of things: the MK Dons, a decent snowboard centre, Pearl Jam played there a few months ago, and having a road layout designed by someone with an obsessive-compulsive disorder; it's just full of straight roads and roundabouts. Newport Pagnell is a nice area though; it's got some decent pubs and food places.

The bootcamp location is about ten minutes' walk from town. It's got a little shop opposite and a garage just up the road, so living on sandwiches is easy if you don't fancy a walk to get something else to eat (pizza, kebab, Chinese, pub grub etc).

We started at 9. We introduce ourselves, saying where we are in our journey to taking the lab exam, and highlighting all our weak points. Pretty much everyone says QoS and Multicast. We do a six-hour Cisco 360 practice exam (from the Cisco Learning Network). The 360 assessments are pretty good, and if you have used IOU then it will be pretty familiar. This was followed by lectures on DMVPN and EIGRP, which started late in the evening. Trying to do EIGRP metric calculations at midnight is harsh; I must say that I did kind of shut off before we got to that part of the talk, but from what I remember, it was very good. I just could not focus on the topic after being there for fifteen hours. We left about 12:30 am.

Day two

OSPF was the topic of the day, not one of my strongest subjects, but here is where Narbik's course really shines. Narbik doesn't use overhead projectors, PowerPoint, or anything like that. He is armed with a board and a pen. If he can't show us on the board, then he doesn't show us. Believe me, he can show you anything! Granted, he has been doing this for many years now, but to be able to formulate entire configurations just using a whiteboard, and as we follow on our routers (which all live in his basement), to find that this is all working exactly as he says it should, was pretty impressive. I got home by 10:15 pm.

Day three

BGP and MPLS. Thankfully, these are my better subjects. It was still a long day, and we were still talking about MPLS at midnight. Someone from one of his previous classes came up with the mnemonic for remembering the BGP decision process as "Who Likes Narbik's Answers Over Mine, Everyone". It's very apt. He does have the answers. My wife was sick that day due to a dodgy batch of ginger beer she had bought. I got home around 1am.

Day four

This is the day most people are least looking forward to. We have a day of lectures (QoS), followed by a two-hour Cisco 360 Troubleshooting mock exam, which started at 7pm. I did this bit in class, but left when it ended so I could go back home ready for the six-hour configuration mock exam (again it's Cisco 360). I started this at ten. By about midnight all I can hear is the sound of one of my cats snoring, my typing and this really weird grinding noise. I know there isn't anything outside as the motion-controlled security lights are not on. So, logic dictates that the noise is somewhere in the house. Using the flashlight app on my iPhone I track it down to a slug that has managed to get into the house. He had a stone chip attached to him, which accounts for the noise. He gets ejected from the house and I return to the assessment lab. By half past two my brain is not relaying information and I quit the assessment and go to bed.

Day five

I am feeling wrecked, worse than I did on Sunday morning. The good news is that we are due to finish at noon. This actually ended up being about five-ish. I get back, put the kids to bed, have a glass of wine and a beer, and go to bed.

At this point I forgot to complete the day by day breakdown, but here is the gist of it:

Day six: home by six-ish.
Day seven: home by eleven.
Day eight: home by eleven.
Day nine: home by about ten.
Day ten: started at half seven (am), finished before lunch; left feeling a little sad, to be honest, as it's been a pleasure hanging out with a lovely bunch of guys for the last ten days.

The majority of the second week was spent doing troubleshooting and configuration labs. These are designed by Narbik, and we get the printout of the questions/scenarios, followed by the answer sheet being emailed to us by Janet. These are really good, and get progressively harder. Narbik has a scale: these start at about 2-3 and go up to 11. I haven't completed them all, but look forward to doing so. There are lectures during this time as well.

This is roughly 120-123 hours over the ten days.

Post course thoughts

So what have I taken away from the course?

Firstly, the workbooks we get (two volumes of the Foundation to bridge the gap between CCNP and CCIE, and two volumes of the Advanced workbook) are really good. They are very clear and in full colour, giving a step-by-step breakdown of everything. My plan is to work through these (and they run to about 4000 pages) after I do my written exam.

Secondly, it has changed the way I am going to approach my studies. As Narbik says, you should have a method for everything, such as DMVPN creation. It will make the exam easier and leave less room for error.

Thirdly, the people in the class were a great bunch, from all over the world and were a pleasure to be with.

Narbik himself is a great guy. He is funny. He has some of the best stories. He talks of the little green men at Cisco (the ones who make up all those funny little rules such as inverting bits in IPv6 addresses), he taught us the best way to open a banana, he made QoS less mystifying, he made us all laugh with a story about multicast, he bought us dinner. He is knowledgeable and approachable. He brought us together as a group and made ten days fly by. He even bought my BGP book from Amazon (I gave him a copy of the MPLS book). I would attend another of his bootcamps in a heartbeat. Whether I can get the pass from my wife is another matter, but we'll get to that in a moment.

The course is tiring, but it's not called the "No Excuses" course for nothing. At one point in the second week my chair decided to start leaning back, and that was it: my eyes were closing and I could feel sleep's warm embrace. If you are used to a 40-hour week, then this is like working three full weeks all in the space of ten days. I did miss my family, I missed seeing my children, I missed seeing my wife, but she spurred me on (at one point telling me to "man up" and get back to the course), and single-handedly looked after our children for the duration. If you have a young child, or children, then you know how demanding and tiring they can be. So I think my wife may have had a harder time during those ten days than I did. I can't reiterate enough how tiring the course is. But it is definitely worth it. Narbik isn't there to take your money and run; you can resit the course as many times as you want (spaces permitting). You may have to rent the rack off him, or use your own (IOU is an option), and you will have to pay for the Cisco 360 stuff if you want to do that, but he will welcome you back.

I walked into the class with a pretty good idea of where I was in my journey to becoming a CCIE, and that was a long way away. I walked out closer to that goal, but still not planning to do the lab until March (if seats are available). I still have plenty of time to study, I have the materials in the form of his workbooks, and I have more confidence and a better idea of what's ahead.

If you get the chance, and don't mind missing sleep for ten days, then definitely attend his course. I hope to see him again, preferably on his five-day Service Provider bootcamp. If you are reading this, Narbik, then please can I have the ISBN numbers for the SP books you mentioned!

Poor ASA site to site VPN performance? It could be DNS!

I have been troubleshooting an interesting issue recently: poor performance on a site-to-site (L2L) VPN between two sites. The sites are very close, say about 20 miles from each other, with a decent number of users in both sites. The VPNs are established, and encrypting and decrypting traffic OK.

The problem is that the performance is pretty bad. Site B cannot stream media from Site A, accessing file shares is slow, and access to other things is also slow.

Naturally I looked at the VPN first. The flow of packets looked fine, with no obvious lags there, and as the tunnels were up we could eliminate ISAKMP and IPsec from the list of possible issues.

No other sites are affected by this slowness; Site A is our main site, with multiple VPNs coming into it.

We logged a call with the ISP for Site B and they reported no issues. So I widened the search. Watching the logs go past, I could see a number of failed DNS queries to the root hints servers from the domain controller at Site B:

Dropped UDP DNS reply from OUTSIDE_PRIMARY:199.7.87.1/53 to INSIDE:x.x.x.x/63095; packet length 697 bytes exceeds configured limit of 512 bytes
Dropped UDP DNS reply from OUTSIDE_PRIMARY:125.19.40.90/53 to INSIDE:x.x.x.x/63095; packet length 697 bytes exceeds configured limit of 512 bytes
Dropped UDP DNS reply from OUTSIDE_PRIMARY:194.0.9.1/53 to INSIDE:x.x.x.x/62464; packet length 618 bytes exceeds configured limit of 512 bytes

This shouldn't directly affect site-to-site traffic. It would certainly affect external traffic (though no slow external traffic was reported), but it certainly wouldn't hurt to fix it.

Under Configuration -> Firewall -> Objects -> Inspect maps is an entry for DNS. Highlighting this, we can see that the default Message Length Maximum is set to 512. So I increased this to 1024 and the errors were no longer logged.

Cisco ASA DNS inspect default map

For the CLI user this is set with:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 

Immediately, file access between sites improved and video streaming was usable again.

So if you are seeing poor site-to-site VPN performance, this is worth checking.
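
As an added example (not part of the post, and not Cisco software), here is a small Python detector that picks these DNS-inspection length drops out of syslog text and suggests the smallest standard limit that admits them; the inspect map's limit is a guard against oversized UDP replies, so it is raised only as far as the observed traffic needs rather than removed. The sample lines are constructed from the three drops above, with the inside host (192.0.2.10) and the unrelated last line made up for the example.

```python
import re
from collections import Counter

# Constructed sample syslog bodies modelled on the drops quoted in the post. The
# inside host (192.0.2.10) and the unrelated last line are made up for this example.
SAMPLE_LOGS = """\
Dropped UDP DNS reply from OUTSIDE_PRIMARY:199.7.87.1/53 to INSIDE:192.0.2.10/63095; packet length 697 bytes exceeds configured limit of 512 bytes
Dropped UDP DNS reply from OUTSIDE_PRIMARY:125.19.40.90/53 to INSIDE:192.0.2.10/63095; packet length 697 bytes exceeds configured limit of 512 bytes
Dropped UDP DNS reply from OUTSIDE_PRIMARY:194.0.9.1/53 to INSIDE:192.0.2.10/62464; packet length 618 bytes exceeds configured limit of 512 bytes
Teardown UDP connection 4711 for OUTSIDE_PRIMARY:192.0.2.53/53 to INSIDE:192.0.2.10/55555 duration 0:00:00 bytes 120
"""

DROP_RE = re.compile(
    r"Dropped UDP DNS (?P<dir>request|reply) from (?P<src_if>\w+):(?P<src>[\w.:]+)/(?P<sport>\d+)"
    r" to (?P<dst_if>\w+):(?P<dst>[\w.:]+)/(?P<dport>\d+);"
    r" packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)

# 512 is the classic RFC 1035 UDP size; 4096 is the EDNS0 buffer size resolvers commonly advertise.
LIMIT_STEPS = (512, 1024, 2048, 4096)


def find_dns_length_drops(text):
    """Return one dict per DNS-inspection length drop found in the log text."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["length"], d["limit"] = int(d["length"]), int(d["limit"])
            drops.append(d)
    return drops


def recommend_message_length(drops):
    """Smallest step in LIMIT_STEPS that admits every dropped message, or None.
    None means either no drops, or replies so large that raising the UDP limit is the
    wrong fix (those should fall back to TCP); the limit is kept as a guard, not removed."""
    if not drops:
        return None
    needed = max(d["length"] for d in drops)
    return next((step for step in LIMIT_STEPS if step >= needed), None)


def drops_by_inside_host(drops):
    """Count drops per inside host so the affected resolver (here the Site B DC) stands out."""
    return Counter(d["dst"] for d in drops)
```

On the three drops from the post the recommendation comes out at 1024, the same value the post configured with "message-length maximum 1024".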