Category Archives: Routing

Static routes, routing protocols, etc.

Protocol Independent Multicast (PIM) Capture

Routing, , , , , , , , , , ,

You never stop learning. One topic that hadn’t crossed my path in the past decade is: Multicast. Whew. Alongside all the technical literature, online presentations, and various blog posts, I decided to approach it the classic way – through packet captures. ;)

So here’s a new part of the #UltimatePCAP, which contains quite a bit of PIM traffic, including Hello, Join/Prune, Register (via unicast!), and more. Of course, for IPv6 and legacy IP (IPv4). Let’s have a look:

Continue reading Protocol Independent Multicast (PIM) Capture

Multicast Routing w/ Palo

Palo Alto Networks, Routing, , ,

A rare use case on a Palo (at least from my point of view): Multicast Routing. And it can become as complex as you want. Fortunately, the basics are relatively easy to configure, at least if you have a rough understanding of multicast and routing with PIM and IGMP. (Recommended YouTube session here.) Let’s have a look at the common configuration steps on PAN-OS, the needed security policies to the special destination zone type of “multicast”, as well as some “show” outputs that can be used for troubleshooting:

Continue reading Multicast Routing w/ Palo

OSPFv3 Authentication on a Palo Alto (Logical Router)

Authentication, IPv6, Palo Alto Networks, Routing, , , , , ,

I had a hard time figuring out how to configure OSPFv3 authentication on a Palo Alto Networks NGFW due to its different configuration formats compared to a Cisco router.

TL;DR: The SPI must be set in hexadecimal, while the actual key (40 chars, hexadecimal) must be grouped in 5 sections, separated with hyphens.

Continue reading OSPFv3 Authentication on a Palo Alto (Logical Router)

ICMP-Meldungen zur Fehlersuche im Netz einspannen

ICMP/ICMPv6, Internet Access, Routing, , , , , , , , , , , ,

Sie sind Admin und Ihr Netz kränkelt. Wo fangen Sie an mit der Fehlersuche? Unser Tipp: Tasten Sie Ihre Netzwerkpatienten mal nach ICMP-Symptomen ab. Viele führen direkt zur Ursache.

Wenn man Netzwerkschluckauf behandeln muss, gilt Wireshark als eines der Lieblingswerkzeuge von Netzwerkadmins. Denn falsch angestöpselten oder fehlkonfigurierten Servern kommt man oft schon anhand eines Netzwerkmitschnitts auf die Spur und erspart sich so den Adminzugriff auf Abteilungsrouter oder -switches. Als behandelnder Admin müssen Sie das aufgefangene Paketkonfetti nur noch mit einem geeigneten Display-Filter sieben, um jene Paketsorte im Kescher zu behalten, die Fehlerhinweise gratis unter Ihre wissenden Augen bringt: die ICMP-Päckchen.

Continue reading ICMP-Meldungen zur Fehlersuche im Netz einspannen

Path MTU Discovery

ICMP/ICMPv6, Internet Access, Routing, , , , , , ,

One of the mysteries for me in IP networks was the Path MTU Discovery (PMTUD) process. I’ve seldom seen any problems with the MTU at all. Fortunately, while troubleshooting some router issues, I captured several ICMP “packet too big” errors along with the original packets. 👍🏻

Let’s have a look at those PMTUD processes for IPv6 and legacy IP with Wireshark. Of course, these captured connections are part of the Ultimate PCAP as well, hence, you can download the most current version of it and analyze it by yourself.

Continue reading Path MTU Discovery

PANW: Dynamic Routing between Logical Routers

Palo Alto Networks, Routing, , , , , ,

How to route traffic between multiple logical routers aka Inter-LR Routing on a Palo Alto Networks Strata firewall? More precisely, inclusive route redistribution rather than a few static routes. –> Via iBGP through loopback interfaces. ✅ Let’s go:

Continue reading PANW: Dynamic Routing between Logical Routers

BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)

Palo Alto Networks, Routing, , , , , ,

With PAN-OS 10.2, Palo Alto Networks has introduced the “Advanced Routing Engine” (ARE) with its “Logical Routers” (LR) rather than the legacy “Virtual Routers” (VR).

The Advanced Routing Engine simplifies operations with a standards-based configuration, which reduces your learning curve since it is similar to that of other router vendors.

The neat thing, as always: You can configure everything through the GUI. Here’s a basic example of how I’m using a prefix list to filter incoming BGP routes:

Continue reading BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)

Capturing – because I can: IS-IS, GLBP, VRRP

Cisco Systems, Network, Routing, , , , , , , ,

I am constantly trying to add more protocols to the Ultimate PCAP. Hence I used some time in my (old) Cisco lab to configure and capture the following protocols: IS-IS, GLBP, and VRRP. And since Alexis La Goutte sent me some CAPWAP traffic, this protocol is also added. All packets are now found in another update of the Ultimate PCAP. Here are some details:

Continue reading Capturing – because I can: IS-IS, GLBP, VRRP

SharkFest’18 Europe: Crash Course: IPv6 and Network Protocols

Conference Talks, IPv6, Routing, Switching, , , , , , ,

I did a session at SharkFest’18 Europe in Vienna with the title of “Crash Course: IPv6 and Network Protocols“. Since the presentation slides + audio were recorded you can listen to the talk, too. Here are some notes about the motivation for this session as well as feedback from the attendees.

Continue reading SharkFest’18 Europe: Crash Course: IPv6 and Network Protocols

My CCNP TSHOOT Lab: The Overall Picture

Cisco Systems, IPv6, Routing, , , , , , , , , , , , , ,

During the last few weeks I published a couple of blogposts concerning routing protocols such as BGP, OSPFv3, and EIGRP. (Use the “Cisco Router” tag on my blog to list all of them.) They are all part of my current Cisco lab that I am using for my CCNP TSHOOT exam preparation. While I depicted only the details of the routing protocols in those blogposts, I am showing my overall lab with all of its Cisco IOS configs here. Just to have the complete picture. There are a couple of not-yet-blogged configs such as VRRP, GLBP, NTP authentication, embedded event manager (EEM), or route-maps and distribute/prefix lists though.

Continue reading My CCNP TSHOOT Lab: The Overall Picture

EIGRP Capture

Cisco Systems, IPv6, Routing, , , , , , , , ,

And again: Here comes a pcapng capture taken for the dynamic routing protocol EIGRP. If you want to dig into EIGRP messages, download the trace file and browse around it with Wireshark. Since I used both Internet Protocols (IPv6 and legacy IP), MD5 authentication, route redistribution, etc., you can find many different messages in it.

Continue reading EIGRP Capture

Dual-Stack EIGRP Lab

Authentication, Cisco Systems, IPv6, Routing, , , , , , , , ,

Yet another routing protocol I played with in my lab. ;) This time: EIGRP, Enhanced Interior Gateway Routing Protocol, the proprietary distance-vector routing protocol developed by Cisco, which is now public available (RFC 7868). However, no third-party products in here but only Cisco routers. I am using named EIGRP for both Internet Protocols, IPv6 and legacy IP, along with MD5 authentication and redistribution from OSPF.

Continue reading Dual-Stack EIGRP Lab

OSPFv3 with IPsec Authentication

Authentication, Cisco Systems, IPsec/VPN, IPv6, Routing, , , , , , , , , , , , , ,

Here comes a small lab consisting of three Cisco routers in which I used OSPFv3 for IPv6 with IPsec authentication. I am listing the configuration commands and some show commands. Furthermore, I am publishing a pcapng file so that you can have a look at it with Wireshark by yourself.

Continue reading OSPFv3 with IPsec Authentication

OSPFv2 Capture

Authentication, Cisco Systems, Routing, , , , , , , , ,

I already had an OSPFv2 for IPv4 lab on my blog. However, I missed capturing a pcap file in order to publish it. So, here it is. Feel free to have a look at another small lab with three Cisco routers and OSPFv2. Just another pcapng file to practise some protocol and Wireshark skills.

Continue reading OSPFv2 Capture

MP-BGP Capture

IPv6, Routing, , , , , , , , , , , , ,

For those who are interested in analyzing basic BGP messages: I have a trace file for you. ;) It consists of two session establishments as I cleared the complete BGP session on two involved routers for it. Refer to my previous blog post for details about the lab, that is: MP-BGP with IPv6 and legacy IP, neighbouring via both protocols as well, with and without password. The involved routers were 2x Cisco routers, one Palo Alto Networks firewall, and one Fortinet FortiGate firewall.

Continue reading MP-BGP Capture