OSFP details that is esay to ignore:

OSFP details that is esay to ignore:
1, Passive interface will not send hello packet, therefore will not form adjacency to any other router. But subnet that attached to this interface will be advertized inside OSPF
2, SPF calcuateion within the area will be triggered only when there is changes of type1 and type2 LSA in the update. Type1 and type2 LSA will only be exchanged within the area.
3, ABR is the router that at least has one interface connecting to backbone area, the the other one to the other area. ABS will generate 2 self type1 LSA, one is for Backbone type1 LSA, the the other is type1 LSA for the other area which ABR connects to.
4, OSPF uses a reference bandwidth of 100 Mbps for cost calculation. The formula to calculate the cost is reference bandwidth divided by interface bandwidth. For example, in the case of Ethernet, it is 100 Mbps / 10 Mbps = 10. Note: If ip ospf cost cost is used on the interface, it overrides this formulated cost. take reference bandwidth of 100mbps, any interface that greater or equal to 100mbps will have the same cost 1 becuase no fraction is allowed.So the OC-3, FastEthernet and GigabitEthernet will all have an OSPF cost of “1” given the default reference bandwidth.
5, With ‘default-information orignate’ command generate ASBR a default route into ospf area but only if there is a default route exited already in its routing table
6, In Cisco configuraiton, use “area x range” for net summary in ABR, and “summary-address …”in ASBR for external route summary. OSPF DOES NOT perform auto-summarizatio.


OSPF process in short

1, form adjacency

init: each routers will send out hello packets to ( if network type is broadcast) or unique ip address (if network type is none broadcast);

2-way: router A has received hello packet from B router,  the the hello packet includes its A’s id

extat: select DR/BDR if need, point to point network or point to multipoints networks do not select DR/BDR

exchange: exchanges the LSA

full: adjacency formed

When DR/BDR is presented in the network, all other routers can only form adjacency with DR and BDR, the rest of the routers can not form adjacency with each other, they will stay in 2 way state with each other.  When DR/BDR is not presented in the network ( point to point, or point to mulit points networks), adjacency is formed for each link.

Below is the table describing the process:

ospf adjencency process

2, Each router now has all information, LSA database, it will run dijkstra algorithm to calculate the shortest path towards each network work. That means each router will maintain the whole routing table calculated according to the LSA database. So it is critical for OSPF to guarantee that each router has the same LSA database.

3, OSPF routes will be selected to routing table according to administrative distance value  (110)in Cisco and default preference  (10)according to Juniper.

OSPF network types & OSPF network area types

OSPF network types

1, point to point

2, broadcast

3, one to multi points broadcast

4, one to multi points no broadcast

5, no broadcast

Especially, point to point and one to multi points* do not need select DR and BDR, because, one to multi points (both broadcast and no broadcast) will work in the way like several point-to-point links, there is no need to select DR and BDR. Especially, router with the highest priority will become DR and the router with the second highest priority will become BDR. In Juniper router has default priority of 128, in Cisco router has default priority of 1.

On the other side, both type 2 and type 5 need select DR and BDR in order to reduce the numbers of ospf packets (hello, lsa, etc) in the network.

Normally ospf build up adjacency by broadcasting hello packets to, but in some noethernet network (mostly in frame relay network), broadcasting is not applicable, hello packets are sent out with unique ip address of the peer side.

Network area types

1, Backbone area ( area 0 ) , can receive all LSA types information

2, Standard area, can receive type 3 info from ABR (Area border router)

3, Stub area, can receive normaly LSA type 3 info and a default route as subsitute for all external routes

4, Totally stub area, can receive only one LSA type 3 as default router towards outside of the area

5, Not so stub area, can work as stub area or totally stub area, BUT, can send external routes from  ASBR as type 5 LSA to the other area.

LSA types:

type 1:  router

type2: net route, generated and sent only by DR

type3, net summary route, generated and sent only by ABR in order to reduce the numbers of routes sent to the other area.

type4: serve to advertise the presence of an autonomous system boundary router (ASBR).

type 5:external route that send to other network area from NSSB(not so stub  area)

type 7: external route

Especially, type 1 and type 2 does not cross area border.

ASA drop packets unexpectively

We have the following scenario for connection:

A ——– outside inte–ASA–inside inte———B

A has TCP conntion with B, but connection was interrupted sometime during the communicaiton. I did packet capture on both inside and outside interfaces of ASA in order to find out what was going on during this communcation. And I found that some packets on inside interface of ASA has been dropped:
those packets showed up in inside interfaces, but did not present in outside interfaces, instead, ASA reply to B on behave of A. That leads to the issue that A keep sending
retransmission packets but got no reply, when timeout A send Fin packet to close the connection, on the other side B was communicating all the time until got Fin packets from A, in response B send back ACK and FIN packets too, still, this AC &FIN packets was caught by ASA and dropped:

A ———————–ASA———————–B
—–>pktAtoB n———|—–pktAtoB n———–>
——–no traffic——- |<—-pktBtoA n+1———
——–no traffi——– |—->pktAtoB n repeat—>
—–>pketAtoB retrans—|—->pktAto B retrans—>
——-no traffic———|<—-pktBtoA n+1———
——-no traffic———|—->pktAtoB n repeat—-
after 5 retransmission or timeout
—–no traffic———–|<——ACK—————
—–no traffic———–|<——FIN—————-

A closed the connection because got no reply from B, B close the connections too after receiving FIN(supposelly after timeout for half-closing tcp connection)
While ASA still keep this connection in the connection table until idle timeout.

In order to find out the reason why ASA dropped the packet, we may use capture with the following command:
ASA>capture drop type asp-drop all

asp-drop Capture packets dropped with a particular reason

This will capture all the dropped packets by ASA, at most cases if there is a drop-reason “tcp-paws-fail” as example, ASA will print the drop-reason for one packet, other packets that match this connection and dropped for the same reason will be in the outputs with no drop reason until another drop reason appear.

In our case, we have hit the ASA bug ‘ASA drops packet as PAWS failure’, and after consulting Cisco engineer, we got the info that”to know if your version is affected or not, you need to look at the known fixed releases. So, since version 9.1.(7.12) is the first version in the train 9.1.7 that fixed this bug, this mean all other versions before in the same train 9.1.7 are affected with this bug.”

Juniper ex4550 upgrading

Normal upgrading of Juniper switches could follow the following steps:
request system software add http://path/image
request system reboot

I have encountered the following error twice when tried to upgrading software for those newly installed switches:
Ex4550> request system software add http://path/image
Ex4550> …00-15.1R4.6-domestic-signed.tgz
Checking pending install on fpc1
Checking pending install on fpc0
Fetching package…
Pushing bundle to fpc1
Validating on fpc1
Validating on fpc0
Done with validate of </var/tmp/mchassis-4500-install.tgz> on VC members

Verify the signature of the new package
verify-sig: cannot validate certs.pem
certificate is not yet valid: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionRSA_2016/emailAddress=ca@juniper.net

ERROR: Package signature validation failed. Aborting install.

The problem is that the date of the switch is set to a date earlier than the date on which the jloader was built, therefore the certificate for the file is not yet valid. The solution is to either synchronize the date on the switch to a NTP server or to manually set the date.

After configured NTP server, the software image was verified successfully, can upgrading done as always should be.

This problem and solution can be found from the following link

String Manipulation

refer to linux foundation course from edx:

Operator Meaning
[[ string1 > string2 ]] Compares the sorting order of string1 and string2.
[[ string1 == string2 ]] Compares the characters in string1 with the characters in string2.
myLen1=${#string1} Saves the length of string1 in the variable myLen1.

At times, you may not need to compare or use an entire string. To extract the first character of a string we can specify:
${string:0:1} Here 0 is the offset in the string (i.e., which character to begin from) where the extraction needs to start and 1 is the number of characters to be extracted.
To extract all characters in a string after a dot (.), use the following expression: ${string#*.}

to check if a file exists, use the following conditional test:
[ -e <filename> ]
to check if a directory exists, use the following conditional test:
[ -d <filename> ]
to check if a sym-link exists, use the following conditional test:
[ -s <sym-link> ]


Linux process

refer to https://courses.edx.org/courses/course-v1:LinuxFoundationX+LFS101x+1T2016/courseware/1d43788934f04e3dbd5e8f690128e8b7/b771a31838824fc3921b1ef9b3a2bf0d/

Processes can be of different types according to the task being performed. Here are some different process types along with their descriptions and examples.

Process Type Description Example
Interactive Processes Need to be started by a user, either at a command line or through a graphical interface such as an icon or a menu selection. bash, firefox, top
Batch Processes Automatic processes which are scheduled from and then disconnected from the terminal. These tasks are queued and work on a FIFO (First In, First Out) basis. updatedb
Daemons Server processes that run continuously. Many are launched during system startup and then wait for a user or system request indicating that their service is required. httpd, xinetd, sshd
Threads Lightweight processes. These are tasks that run under the umbrella of a main process, sharing memory and other resources, but are scheduled and run by the system on an individual basis. An individual thread can end without terminating the whole process and a process can create new threads at any time. Many non-trivial programs are multi-threaded. gnome-terminal, firefox
Kernel Threads Kernel tasks that users neither start nor terminate and have little control over. These may perform actions like moving a thread from one CPU to another, or making sure input/output operations to disk are completed. kswapd0, migration, ksoftirqd