Archive for November 2013

CCIE R+S V5 - DMVPN

04:37:00 Add Comment
So with the news about the change from the CCIE Routing and Switching V4 blueprint to the V5 many (i.e. some good sources) reckon that DMVPN will be on the new V5 blueprint.

What is DMVPN?

DMVPN stands for Dynamic Multipoint Virtual Private Network, what it does is allow multiple IPSec VPN connections with just one tunnel configuration, so for a site with one central "hub" and three other sites (or "spokes") instead of having three separate VPN configurations there is just one - it does mean that the traffic say from spoke1 to spoke3 needs to go through the hub, but from a configuration standpoint, life is much easier.

DMVPN is based on GRE (and we have covered GRE tunnels before, or mGRE if we are doing spoke-to-spoke tunnels), NHRP (next-hop resolution protocol) and IPSec (because VPN tunnels should be secure). DMVPN also requires a dynamic routing protocol, and CEF (Cisco Express Forwarding).

When it comes to the routing protocol to use within the tunnel EIGRP is preferred because it is an advanced distance vector protocol, better suited to the NBMA network that is built when using DMVPN.

DMVPN can be configured as Hub-and-Spoke or (using mGRE) Spoke-to-Spoke.

Consider the following topology:


We have a central site (called "Hub") and three different spoke at the bottom. In the middle is the cloud, which can be frame-relay or any other method of providing a connection between the hub and the spoke routers.

From the viewpoint of the routers, with our DMVPN in place, they will see the 10.10.1.0/24 network:


We start of with a basic configuration to provide connectivity:

Hub:
hostname Hub
!
interface Serial0/0
 ip address 10.25.1.2 255.255.255.0
!
ip route 10.35.1.0 255.255.255.0 10.25.1.1
ip route 10.45.1.0 255.255.255.0 10.25.1.1
ip route 10.55.1.0 255.255.255.0 10.25.1.1
Cloud:
hostname Cloud
!
interface Serial0/0
 ip address 10.25.1.1 255.255.255.0
!
interface Serial0/1
 ip address 10.35.1.1 255.255.255.0
!
interface Serial0/2
 ip address 10.45.1.1 255.255.255.0
!
interface Serial0/3
 ip address 10.55.1.1 255.255.255.0
Spoke1
hostname Spoke1
!
interface Loopback0
 ip address 10.50.1.1 255.255.255.0
!
interface Serial0/0
 ip address 10.35.1.2 255.255.255.0
!
ip route 10.25.1.2 255.255.255.255 10.35.1.1
Spoke 2
hostname Spoke2
!
interface Loopback0
 ip address 10.60.1.1 255.255.255.0
!
interface Serial0/0
 ip address 10.45.1.2 255.255.255.0
!
ip route 10.25.1.2 255.255.255.255 10.45.1.1
Spoke3
hostname Spoke3
!
interface Loopback0
 ip address 10.70.1.1 255.255.255.0
!
interface Serial0/0
 ip address 10.55.1.2 255.255.255.0
!
ip route 10.25.1.2 255.255.255.255 10.55.1.1
So you can see that we are starting off easy, with just basic connectivity from the Hub to each of the Spokes using the cloud to pass the traffic through. At this stage none of the spoke have any knowledge of each other.

DMVPN Tunnel configuration

The tunnel configuration is much like a standard GRE tunnel but with a couple of additional commands.

The Hub is where everything points to, and we associate the tunnel with a network-id (this is the NBMA identifier), setting the mode as gre multipoint. The spokes map the tunnel IP set on the Hub (10.10.1.1) to the external IP address of the Hub (10.25.1.2), and set this as the next-hop-server (ip nhrp nhs 10.10.1.1).

Hub tunnel: 
interface Tunnel0
 ip address 10.10.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 no ip next-hop-self eigrp 1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 tunnel source 10.25.1.2
 tunnel mode gre multipoint
Spoke 1 tunnel:
interface Tunnel0
 ip address 10.10.1.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 no ip next-hop-self eigrp 1
 ip nhrp map 10.10.1.1 10.25.1.2
 ip nhrp map multicast 10.25.1.2
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 ip nhrp nhs 10.10.1.1
 tunnel source 10.35.1.2
 tunnel mode gre multipoint
Spoke 2 tunnel
interface Tunnel0
 ip address 10.10.1.3 255.255.255.0
 no ip redirects
 ip mtu 1416
 no ip next-hop-self eigrp 1
 ip nhrp map 10.10.1.1 10.25.1.2
 ip nhrp map multicast 10.25.1.2
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 ip nhrp nhs 10.10.1.1
 tunnel source 10.45.1.2
 tunnel mode gre multipoint
Spoke 3 tunnel:
interface Tunnel0
 ip address 10.10.1.4 255.255.255.0
 no ip redirects
 ip mtu 1416
 no ip next-hop-self eigrp 1
 ip nhrp map 10.10.1.1 10.25.1.2
 ip nhrp map multicast 10.25.1.2
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 ip nhrp nhs 10.10.1.1
 tunnel source 10.55.1.2
 tunnel mode gre multipoint
We can check that our DMVPN tunnel is working using the "sh dmvpn" command:
Hub#sh dmvpn | beg Interface

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent Peer NBMA Addr  Peer Tunnel Add State UpDn Tm  Attrb
 ----- --------------- --------------- ----- -------- -----
   1   10.35.1.2       10.10.1.2       UP    00:06:19  D
   1   10.45.1.2       10.10.1.3       UP    00:05:06  D
   1   10.55.1.2       10.10.1.4       UP    00:04:28  D
We can also use basic ping tests:
Hub#ping 10.10.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
Hub#ping 10.10.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
Hub#ping 10.10.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

Adding IPSec to DMVPN

One of the requirements of DMVPN is IPSec, and this is quite easy to add, the same configuration can go on the Hub and the three spokes.The major thing to point out is that we associate the "dmvpn123" key with any IP address by using the 0.0.0.0 0.0.0.0 address and subnet.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
crypto isakmp key dmvpn123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MyIPSEC esp-3des
!
crypto ipsec profile DMVPN
 set transform-set MyIPSEC
!
interface Tunnel0
 tunnel protection ipsec profile DMVPN

Adding EIGRP to DMVPN

DMVPNs require a routing protocol within the tunnel (otherwise they would be rather useless), and this is a simple case of adding one!
Hub#sh run | beg router
router eigrp 1 
 network 10.0.0.0
 no auto-summary

Spoke1#sh run | beg router
router eigrp 1
 network 10.0.0.0
 no auto-summary

Spoke2#sh run | beg router
router eigrp 1
 network 10.0.0.0
 no auto-summary

Spoke3#sh run | beg router
router eigrp 1
 network 10.0.0.0
 no auto-summary

Bringing all of DMVPN together

With all of the nuits and bolts in place now we should have some good visilibilty between our spoke routers. We should see routers learned through EIGRP (indicated with a "D") and be able to ping to the loop back addresses that we configured at the start.
 
Spoke1#sh ip route | beg Gateway
Gateway of last resort is not set

   10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
C    10.10.1.0/24 is directly connected, Tunnel0
L    10.10.1.2/32 is directly connected, Tunnel0
D    10.25.1.0/24 [90/27392000] via 10.10.1.1, 00:09:46, Tunnel0
S    10.25.1.2/32 [1/0] via 10.35.1.1
C    10.35.1.0/24 is directly connected, Serial0/0
L    10.35.1.2/32 is directly connected, Serial0/0
C    10.50.1.0/24 is directly connected, Loopback0
L    10.50.1.1/32 is directly connected, Loopback0
D    10.60.1.0/24 [90/28288000] via 10.10.1.3, 00:08:06, Tunnel0
D    10.70.1.0/24 [90/28288000] via 10.10.1.4, 00:07:02, Tunnel0
Spoke1#sh dmvpn | beg Interface
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent Peer NBMA Addr  Peer Tunnel Add State UpDn Tm  Attrb
 ----- --------------- --------------- ----- -------- -----
   3   10.25.1.2       10.10.1.1       UP    00:34:25 S
                       10.10.1.3       UP    00:02:07 D
                       10.10.1.4       UP    00:02:11 D
Spoke1#ping 10.70.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.70.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/48 ms
Spoke1#ping 10.60.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.60.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
Spoke1#

Hub-and-spoke or Spoke-to-Spoke?

Depending on the requirements you can either setup a hub-to-spoke or spoke-to-spoke topology. We have been using spoke-to-spoke through this, we can see this using the command "sh ip nhrp", because tunnels will drop if there is no traffic (apart from the one to the hub) we can see what NHRP believes to be the next hop for the end-point - so with the tunnel from Spoke1 to Spoke3 down we can issue a ping and see the tunnel come back up again - also showing the tunnel is a spoke-to-spoke. 
Spoke1#sh ip nhrp
10.10.1.1/32 via 10.10.1.1
   Tunnel0 created 01:15:40, never expire 
   Type: static, Flags: used 
   NBMA address: 10.25.1.2 
Spoke1#ping 10.70.1.1      

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.70.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms
Spoke1#sh ip nhrp    
10.10.1.1/32 via 10.10.1.1
   Tunnel0 created 01:15:47, never expire 
   Type: static, Flags: used 
   NBMA address: 10.25.1.2 
10.10.1.4/32 via 10.10.1.4
   Tunnel0 created 00:00:01, expire 00:03:03
   Type: dynamic, Flags: temporary
   NBMA address: 10.25.1.2 
Spoke1#
We can, should we wish make it a true hub-to-spoke topology with adding the line "ip nhrp server-only" to the spokes
With our configuration before we can see that the tunnel to the Hub always remains up. We can ping Spoke3 and confirm that another tunnel is created:
Spoke2#sh dmvpn | beg Interface
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1       10.25.1.2       10.10.1.1    UP 00:01:18     S

Spoke2#ping 10.70.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.70.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/48 ms
Spoke2#sh dmvpn | beg Interface
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2       10.25.1.2       10.10.1.1    UP 00:01:28     S
                             10.10.1.4    UP 00:00:03     D
If we then go into the interface and add the "ip nhrp server-only" command we can confirm that we still have reachability to Spoke3, but only have one tunnel:
Spoke2(config)#int tunnel 0
Spoke2(config-if)#ip nhrp server-only
Spoke2(config-if)#exit
Spoke2(config)#exit
Spoke2#sh dmvp | beg Interface
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1       10.25.1.2       10.10.1.1    UP 00:02:24     S

Spoke2#ping 10.70.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.70.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/48 ms
Spoke2#sh dmvp | beg Interface
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1       10.25.1.2       10.10.1.1    UP 00:02:31     S
There are some more commands we can use to confirm that our tunnels are looking how they should:
Spoke2#sh ip nhrp
10.10.1.1/32 via 10.10.1.1
   Tunnel0 created 00:14:31, never expire
   Type: static, Flags: used
   NBMA address: 10.25.1.2
Spoke2#sh ip cef 10.70.1.0
10.70.1.0/24
  nexthop 10.10.1.4 Tunnel0
So we have full reachability between the spokes! Pretty neat, and so much easier than creating three different VPNs on each router! It is pretty simple really, if you have created a GRE tunnel before then really we are only looking at a couple of extra lines - and these extra few lines can be copied from one spoke router and pasted onto every other spoke router because they are identical!

The BIG lab - Part 9 - IPv6

13:04:00 Add Comment
Now its time to throw some IPv6 over the top of our network. So far our IPv4 topology has been OSPF on the left hand side, RIP in the middle and EIGRP on the right hand side, but let's make things more interesting and go in the opposite direction, and once we have our three separate IPv6 routing processes in place we will do a complete redistribution between the protocols and set up an IPv6 tunnel. In the end we should have full reachability from end to end.

Our IPv4 topology looks like this:


And our IPv6 topology will look like this:


Excuse the drawings, I am not an artist!

Basic IPv6 configuration

By default IPv6 is not enabled on Cisco routers, to enable it we need to run the command
R10(config)#ipv6 unicast-routing
And then enable IPv6 on the interface:
R10(config)#int s1/0
R10(config-if)#ipv6 enable
R10(config-if)#exit
To confirm that IPv6 is running on the interface we then use the command
R10#sh ipv6 interface serial 1/0
Serial1/0 is up, line protocol is up
 IPv6 is enabled, link-local address is FE80::A8BB:CCFF:FE00:A00 
 No Virtual link-local address(es):
 No global unicast address is configured
We can see that R10's s1/0 interface has the link-local IPv6 address FE80::A8BB:CCFF:FE00:A00.

Let's now enable IPv6 on R8, and see if we can ping across to R10
R8(config)#ipv6 unicast-routing
R8(config)#int s0/2
R8(config-if)#ipv6 enable
R8(config-if)#exit
R8(config)#exit
R8#sh ipv6 int serial 0/2
Serial0/2 is up, line protocol is up
 IPv6 is enabled, link-local address is FE80::FF:FE00:8
 No Virtual link-local address(es):
 No global unicast address is configured
 Joined group address(es):
  FF02::1
  FF02::2
  FF02::1:FF00:8
R8#ping ipv6 fe80::a8bb:ccff:fe00:a00
Output Interface: Serial0/2
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FE80::A8BB:CCFF:FE00:A00, timeout is 2 seconds:
Packet sent with a source address of FE80::FF:FE00:8%Serial0/2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
R8#
OK, so far so good, and after a few minutes I have added the same commands to R4, R5, and R9, as well as enabling the other interfaces on R8, now we can get on and start configuring OSPFv3.

IPv6 OSPFv3

R10#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R10(config)#ipv6 router ospf 1
R10(config-rtr)#router-id 10.10.10.10
R10(config-rtr)#interface Serial1/0
R10(config-if)#ipv6 ospf 1 area 0
R10(config-if)#ipv6 router ospf 1
R10(config-rtr)#
*Nov 26 10:14:35.227: %OSPFv3-5-ADJCHG: Process 1, Nbr 8.8.8.8 on Serial1/0 from LOADING to FULL, Loading Done
R10(config-rtr)#

R8#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R8(config)#ipv6 router ospf 1
R8(config-rtr)#router-id 8.8.8.8
R8(config-rtr)#int serial 0/2
R8(config-if)#ipv6 ospf 1 area 0
R8(config-if)#
*Nov 26 10:14:35.258: %OSPFv3-5-ADJCHG: Process 1, Nbr 10.10.10.10 on Serial0/2 from LOADING to FULL, Loading Done
R8(config-if)#
With the other routers added in the same way we should be able to see something like:
R10#sh ipv6 ospf database
      OSPFv3 Router with ID (10.10.10.10) (Process ID 1)
      Router Link States (Area 0)
ADV Router   Age    Seq#    Fragment ID Link count Bits
 4.4.4.4     91     0x80000001 0        1 None
 5.5.5.5     31     0x80000002 0        1 None
 8.8.8.8     90     0x80000003 0        3 None
 9.9.9.9     31     0x80000003 0        2 None
 10.10.10.10 286    0x80000002 0        1 None

     Link (Type-8) Link States (Area 0)
ADV Router   Age    Seq#       Link ID  Interface
 8.8.8.8     287    0x80000001 5        Se1/0
 10.10.10.10 334    0x80000001 7        Se1/0
This in itself is not enough to get our routers talking to each other properly, if we try to ping from R10 to R4 we see the following:
R10#ping ipv6 FE80::FF:FE00:4
Output Interface: Serial1/0
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FE80::FF:FE00:4, timeout is 2 seconds:
Packet sent with a source address of FE80::A8BB:CCFF:FE00:A00%Serial1/0
HHHHH
Success rate is 0 percent (0/5)
What we need to do is configure a site-local IPv6 address, and we can do that with the command:
R10(config)#ipv6 address
R10(config)#int serial 1/0
R10(config-if)#ipv6 address FEc0::/64 eui-64
And we can do the same on the connecting interface on R8, but we cant use the same command on the interface on R8 that connects to R4, as we get an error about overlap. So instead we will use:
R8(config-if)#int serial 0/0
R8(config-if)#ipv6 address FEC0:0:0:100::1/128
And on R4 we will use
R4(config)#int s0/2
R4(config-if)#ipv6 address FEC0:0:0:100::2/128
Now can R10 ping R4?
R10#sh ipv6 route
IPv6 Routing Table - default - 5 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
    B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
    I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
    EX - EIGRP external, ND - Neighbor Discovery
    O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
    ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C  FEC0::/64 [0/0]
   via Serial1/0, directly connected
L  FEC0::A8BB:CCFF:FE00:A00/128 [0/0]
   via Serial1/0, receive
O  FEC0:0:0:100::1/128 [110/64]
   via FE80::FF:FE00:8, Serial1/0
O  FEC0:0:0:100::2/128 [110/128]
   via FE80::FF:FE00:8, Serial1/0
L  FF00::/8 [0/0]
   via Null0, receive
R10#ping ipv6 FEC0:0:0:100::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:100::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/20 ms
R10#
It sure can and we know that it has learnt the address through OSPFv3. Once we add site-local addresses to the other connections using increments in the address (FEC0:0:0:200::2/128, FEC0:0:0:300::2/128 etc) we now have a full topology within our IPv6 OSPFv3 network:

R10#sh ipv6 route
IPv6 Routing Table - default - 9 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
    B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
    I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
    EX - EIGRP external, ND - Neighbor Discovery
    O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
    ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C  FEC0::/64 [0/0]
   via Serial1/0, directly connected
L  FEC0::A8BB:CCFF:FE00:A00/128 [0/0]
   via Serial1/0, receive
O  FEC0:0:0:100::1/128 [110/64]
   via FE80::FF:FE00:8, Serial1/0
O  FEC0:0:0:100::2/128 [110/128]
   via FE80::FF:FE00:8, Serial1/0
O  FEC0:0:0:200::1/128 [110/64]
   via FE80::FF:FE00:8, Serial1/0
O  FEC0:0:0:200::2/128 [110/128]
   via FE80::FF:FE00:8, Serial1/0
O  FEC0:0:0:300::1/128 [110/128]
   via FE80::FF:FE00:8, Serial1/0
O  FEC0:0:0:300::2/128 [110/1690]
   via FE80::FF:FE00:8, Serial1/0
L  FF00::/8 [0/0]
   via Null0, receive
And one last ping to confirm reachability:
R10#ping ipv6 FEC0:0:0:300::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:300::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/49/52 ms
R10#

IPv6 RIPng

Let's create our IPv6 RIPng process, this time around we will add our site-local addresses first:


The commands are similar to how we set up OSPFv3:
R7#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R7(config)#ipv6 router rip v6RIP
R7(config-rtr)#int s0/1
R7(config-if)#ipv6 rip v6RIP enable
R7(config-if)#
R7#
*Nov 26 11:29:56.565: %SYS-5-CONFIG_I: Configured from console by console
R7#
R7#sh ipv6 route
IPv6 Routing Table - default - 3 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
    B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
    I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
    EX - EIGRP external, ND - Neighbor Discovery
    O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
    ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
R  FEC0:0:0:600::1/128 [120/2]
   via FE80::FF:FE00:6, Serial0/1
LC FEC0:0:0:600::2/128 [0/0]
   via Serial0/1, receive
L  FF00::/8 [0/0]
   via Null0, receive
R7#
 
R6#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R6(config)#ipv6 router rip v6RIP
R6(config-rtr)#int s0/1
R6(config-if)#ipv6 rip v6RIP enable
R6(config-if)#exit
R6(config)#exit
R6#sh ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
    B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
    I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
    EX - EIGRP external, ND - Neighbor Discovery
    O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
    ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
LC FEC0:0:0:500::2/128 [0/0]
   via Serial0/0, receive
LC FEC0:0:0:600::1/128 [0/0]
   via Serial0/1, receive
R  FEC0:0:0:600::2/128 [120/2]
   via FE80::FF:FE00:7, Serial0/1
L  FF00::/8 [0/0]
   via Null0, receive
R6#ping ipv6 FEC0:0:0:600::2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:600::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
R6#
What is interesting is that before we add in the RIPng process even though we have the correct addresses used we didn't have any visibility:
R7#ping FEC0:0:0:600::1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:600::1, timeout is 2 seconds:
% No valid source address for destination
Success rate is 0 percent (0/1)
Once RIPng is working, all is fine:
R7#ping ipv6 FEC0:0:0:600::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:600::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
R7#
After we have added the same configurations to R5 and R4, we can see that R4 has full visibility down to R7:
R4#sh ipv6 route
IPv6 Routing Table - default - 14 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
    B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
    I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
    EX - EIGRP external, ND - Neighbor Discovery
    O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
    ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O  FEC0::/64 [110/128]
   via FE80::FF:FE00:8, Serial0/2
O  FEC0:0:0:100::1/128 [110/64]
   via FE80::FF:FE00:8, Serial0/2
LC  FEC0:0:0:100::2/128 [0/0]
   via Serial0/2, receive
O  FEC0:0:0:200::1/128 [110/64]
   via FE80::FF:FE00:8, Serial0/2
O  FEC0:0:0:200::2/128 [110/128]
   via FE80::FF:FE00:8, Serial0/2
O  FEC0:0:0:300::1/128 [110/128]
   via FE80::FF:FE00:8, Serial0/2
O  FEC0:0:0:300::2/128 [110/1690]
   via FE80::FF:FE00:8, Serial0/2
LC  FEC0:0:0:400::1/128 [0/0]
   via Serial0/1, receive
R  FEC0:0:0:400::2/128 [120/2]
   via FE80::FF:FE00:5, Serial0/1
R  FEC0:0:0:500::1/128 [120/2]
   via FE80::FF:FE00:5, Serial0/1
R  FEC0:0:0:500::2/128 [120/3]
   via FE80::FF:FE00:5, Serial0/1
R  FEC0:0:0:600::1/128 [120/3]
   via FE80::FF:FE00:5, Serial0/1
R  FEC0:0:0:600::2/128 [120/4]
   via FE80::FF:FE00:5, Serial0/1
L  FF00::/8 [0/0]
   via Null0, receive
R4#
R4#ping FEC0:0:0:600::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:600::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms
R4#

IPv6 EIGRP

EIGRP is much the same as the other two we have done. We will again start with enabling ipv6 unicast routing and adding the IP addresses:

Then we can create our routing process and add our interfaces int it.
R2(config-if)#ipv6 router eigrp 100
R2(config-rtr)#int multilink 1
R2(config-if)#ipv6 eigrp 100
R2(config-if)#
*Nov 26 12:28:34.719: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::FF:FE00:1 (Multilink1) is up: new adjacency
R2(config-if)#
The same commands are set on the other routers, and shortly we see that R1 has a decent looking routing table:
R1#sh ipv6 eigrp topology
EIGRP-IPv6 Topology Table for AS(100)/ID(1.2.3.4)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
    r - reply Status, s - sia Status

P FEC0:0:0:900::2/128, 1 successors, FD is 3193856
    via FE80::FF:FE00:2 (3193856/2681856), Multilink1
P FEC0:0:0:800::2/128, 1 successors, FD is 2681856
    via FE80::FF:FE00:2 (2681856/2169856), Multilink1
P FEC0:0:0:140::1/128, 1 successors, FD is 3705856
    via FE80::FF:FE00:2 (3705856/3193856), Multilink1
P FEC0:0:0:130::2/128, 1 successors, FD is 4217856
    via FE80::FF:FE00:2 (4217856/3705856), Multilink1
P FEC0:0:0:110::1/128, 1 successors, FD is 1340928
    via Connected, Multilink1
P FEC0:0:0:110::2/128, 1 successors, FD is 1852928
    via FE80::FF:FE00:2 (1852928/1340928), Multilink1
P FEC0:0:0:120::1/128, 1 successors, FD is 3705856
    via FE80::FF:FE00:2 (3705856/3193856), Multilink1
P FEC0:0:0:140::2/128, 1 successors, FD is 4217856
    via FE80::FF:FE00:2 (4217856/3705856), Multilink1
P FEC0:0:0:700::2/128, 1 successors, FD is 2681856
    via FE80::FF:FE00:2 (2681856/2169856), Multilink1
P FEC0:0:0:700::1/128, 1 successors, FD is 3193856
    via FE80::FF:FE00:2 (3193856/2681856), Multilink1
P FEC0:0:0:800::1/128, 1 successors, FD is 3193856
    via FE80::FF:FE00:2 (3193856/2681856), Multilink1
P FEC0:0:0:120::2/128, 1 successors, FD is 4217856
    via FE80::FF:FE00:2 (4217856/3705856), Multilink1
P FEC0:0:0:900::1/128, 1 successors, FD is 3705856
    via FE80::FF:FE00:2 (3705856/3193856), Multilink1
P FEC0:0:0:130::1/128, 1 successors, FD is 3705856
    via FE80::FF:FE00:2 (3705856/3193856), Multilink1
And we have reachability
R1#ping FEC0:0:0:140::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:140::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/36/40 ms
R1#

IPv6 Redistribution

Redistribution under IPv6 is no different to that of IPv4 (which we covered in part 4), so using R4 which is our main bridge we can set it up as follows:
ipv6 router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500
 redistribute rip v6RIP metric 10000 100 255 1 1500
!
ipv6 router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 redistribute rip v6RIP metric 100
 redistribute eigrp 100 metric 100
!
ipv6 router rip v6RIP
 redistribute ospf 1 metric 5
 redistribute eigrp 100 metric 5
And we can have a look at a couple of our outer-lying routers to check that they are seeing what we would expect:

R1 can see R8 as an external EIGRP route:
R1#sh ipv6 route FEC0:0:0:200::1
Routing entry for FEC0:0:0:200::1/128
 Known via "eigrp 100", distance 170, metric 2707456, type external
 Route count is 1/1, share count 0
 Routing paths:
  FE80::FF:FE00:2, Multilink1
   Last updated 00:08:59 ago
And R10 can see R14
R10#sh ipv6 route FEC0:0:0:130::2
Routing entry for FEC0:0:0:130::2/128
 Known via "ospf 1", distance 110, metric 100, type extern 2
 Route count is 1/1, share count 0
 Routing paths:
  FE80::FF:FE00:8, Serial1/0
   Last updated 00:09:23 ago
And just to confirm we have reachability:
R10#ping FEC0:0:0:130::2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to FEC0:0:0:130::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/55/60 ms
R10#

R1#ping FEC0:0:0:200::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:200::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms
R1#
On R5 the configuration is pretty much the same
ipv6 router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 redistribute rip v6RIP metric 100
!
ipv6 router rip v6RIP
 redistribute ospf 1 metric 5
Now at this point my 14 routers are starting to slow down, R4 is getting hit quite badly and is reporting %SYS-2-MALLOCFAIL errors, so its probably time to start wrapping this up, but not before we throw in an IPv6 tunnel between R6 and R10.

IPv6 Tunnels

An IPv6 tunnel is not much different to how we set up our tunnel in part 7:
R10#sh run int tunnel 1
Building configuration...

Current configuration : 153 bytes
!
interface Tunnel1
 no ip address
 ipv6 address FEC0:0:0:150::2/128
 tunnel source Serial1/0
 tunnel mode ipv6
 tunnel destination FEC0:0:0:500::2
end

R6#sh run int tunnel 1
Building configuration...

Current configuration : 162 bytes
!
interface Tunnel1
 no ip address
 ipv6 address FEC0:0:0:150::1/128
 tunnel source Serial0/0
 tunnel mode ipv6
 tunnel destination FEC0::A8BB:CCFF:FE00:A00
end

R10#sh ipv6 route FEC0:0:0:150::2
Routing entry for FEC0:0:0:150::2/128
 Known via "connected", distance 0, metric 0, type receive, connected
 Route count is 1/1, share count 0
 Routing paths:
  receive via Tunnel1
   Last updated 00:00:59 ago
R10#ping FEC0:0:0:150::2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:150::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms
R10#

R6#ping FEC0:0:0:150::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:0:0:150::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Thankfully we havn't had any recursive routing issues, but if we had then we could have used a distribute list like we did in part 8.

And that wraps up this part of the series. In part 10 we will cover some IPv6 filtering.
The BIG lab - Part 8 - Route-filtering and fixing route recursion using a distribute list (2.90)

The BIG lab - Part 8 - Route-filtering and fixing route recursion using a distribute list (2.90)

12:55:00 Add Comment
Following on from part 7 when we created a tunnel between R5 and R10 (refer to part 1 for the topology) we have a little bit of tidying up to do (basically static routes are verboten on the proper exam), but first we are going to have a dip into filtering some routes.

We can be a bit creative and prevent routers from learning about specific routes - say for instance we have a "secure" network that we don't want to be advertised to some routers, depending on where we are limiting access to we have a number of options, including access-lists, prefix-lists, distribute-lists and route-maps. We arn't going to use a route-map to prevent a route, as these are mainly used during redistribution, but we can play around with access-lists, prefix-lists and distribute-lists.

R1 has a loopback interface, which will be our "secure network":
R1#sh run int lo0
Building configuration...

Current configuration : 95 bytes
!
interface Loopback0
 ip address 10.10.1.1 255.255.255.0
 ip ospf network point-to-point
end
This is accessible by R10:
R10#ping 10.10.1.1
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms

R10#
R10#sh ip route 10.10.1.0
Routing entry for 10.10.1.0/24
 Known via "eigrp 10", distance 170, metric 2937856, type external
 Redistributing via eigrp 10
Last update from 10.31.1.1 on Serial1/0, 00:22:07 ago
 Routing Descriptor Blocks:
 * 10.31.1.1, from 10.31.1.1, 00:22:07 ago, via Serial1/0
   Route metric is 2937856, traffic share count is 1
   Total delay is 50000 microseconds, minimum bandwidth is 1544 Kbit
   Reliability 255/255, minimum MTU 1500 bytes
   Loading 1/255, Hops 2
R10#

Controlling routes through an access-list

So assuming that everything before R10 is allowed to this "private" network we need to prevent R10 from seeing this route (but lets keep access to R1's interface (1.2.3.4/24) accessible. we can do this in a number of ways. The most obvious place to put any configuration would be on R8's s0/2 interface.

I am going to use a distribute list for this, which references an access-list.
router eigrp 10
 distribute-list 1 out Serial0/2
 network 10.0.0.0
 no auto-summary
!
access-list 1 deny 10.10.1.0 0.0.0.255
access-list 1 permit any
Then I shut down the S0/2 interface on R8, cleared the IP routing table on R10 using "clear ip route *" and brought up the S0/2 interface on R8.

And now do we see the 10.10.1.0/24 network magically disappear from R10?
R10#sh ip route | beg 10.10
D EX  10.10.1.0/24 [170/27136000] via 10.120.2.1, 00:02:47, Tunnel0
D     10.20.1.0/24 [90/3193856] via 10.31.1.1, 00:02:47, Serial1/0
No, it has now learned it from its tunnel interface, that we created in part 7.

So let's add the same access-list to R5 (the other end of the tunnel):
R5(config)#access-list 1 deny 10.10.1.0 0.0.0.255
R5(config)#access-list 1 permit any
R5(config)#router eigrp 10
R5(config-router)#distribute-list 1 out Tunnel 0
R5(config-router)#exit
R5(config)#int tunnel 0
R5(config-if)#shut
Now let's clear the route from R10 
R10#
*Nov 25 13:06:24.635: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.1 (Tunnel0) is down: holding time expired
R10#sh ip route | i 10.10
R10#
And bring the tunnel back up again, does R10 still have a route to the loopback on R1?
R10#
*Nov 25 13:10:36.375: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.1 (Tunnel0) is up: new adjacency
R10#sh ip route | i 10.10
R10#
No, it doesn't.

Controlling routes through a prefix-list

Suppose we are told (for some reason) that we are not allowed to use an access-list, we could use a prefix list. So let's first put the 10.10.1.0/24 network back onto R10.
R10#
*Nov 25 13:17:31.431: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.1 (Tunnel0) is down: peer restarted
R10#
*Nov 25 13:17:35.935: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.1 (Tunnel0) is up: new adjacency
R10#sh ip route | i 10.10
D EX  10.10.1.0/24 [170/27136000] via 10.120.2.1, 00:00:31, Tunnel0
R10#sh ip route | i 10.10
D EX  10.10.1.0/24 [170/2937856] via 10.31.1.1, 00:00:01, Serial1/0
R10#
*Nov 25 13:18:08.659: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.31.1.1 (Serial1/0) is resync: peer graceful-restart
R10#sh ip route | i 10.10
D EX  10.10.1.0/24 [170/2937856] via 10.31.1.1, 00:00:13, Serial1/0
R10#
We can also use a prefix-list to accomplish the same thing, again we will need to put it on both R8 and R5
R8(config)#ip prefix-list deny-10.10.1.0 seq 5 deny 10.10.1.0/24
R8(config)#router eigrp 10
R8(config-router)#distribute-list prefix deny-10.10.1.0 out s0/2
R8(config-router)#
*Nov 25 13:21:29.207: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.31.1.2 (Serial0/2) is resync: route configuration changed
R8(config-router)#
We can see that EIGRP does its stuff, and again R10 gets its path to 10.10.1.0/24 through the tunnel.
R10#sh ip route | i 10.10
D EX  10.10.1.0/24 [170/2937856] via 10.31.1.1, 00:03:19, Serial1/0
R10#
*Nov 25 13:21:29.223: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.31.1.1 (Serial1/0) is resync: peer graceful-restart
R10#sh ip route | i 10.10
D EX  10.10.1.0/24 [170/27136000] via 10.120.2.1, 00:00:08, Tunnel0
So lets do the same commands on R5:
R5(config)#ip prefix-list deny-10.10.1.0 seq 5 deny 10.10.1.0/24
R5(config)#router eigrp 10
R5(config-router)#distribute-list prefix deny-10.10.1.0 out tunnel 0
R5(config-router)#exit

R10#sh ip route | i 10.10
D EX  10.10.1.0/24 [170/27136000] via 10.120.2.1, 00:00:08, Tunnel0
R10#
*Nov 25 13:23:50.015: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.1 (Tunnel0) is resync: peer graceful-restart
R10#sh ip route | i 10.10
R10#
Now R10 has no knowledge of the 10.10.1.0/24 network, but has also lost many of the other routes:
R10#sh ip route | beg Gateway

Gateway of last resort is not set
   10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
S    10.1.7.1/32 is directly connected, Serial1/0
C    10.31.1.0/24 is directly connected, Serial1/0
L    10.31.1.2/32 is directly connected, Serial1/0
C    10.120.2.0/24 is directly connected, Tunnel0
L    10.120.2.2/32 is directly connected, Tunnel0
   172.20.0.0/16 is variably subnetted, 9 subnets, 3 masks
C    172.20.20.0/24 is directly connected, Loopback0
L    172.20.20.1/32 is directly connected, Loopback0
C    172.20.30.0/24 is directly connected, Loopback1
L    172.20.30.1/32 is directly connected, Loopback1
D    172.20.40.0/23 is a summary, 00:40:49, Null0
C    172.20.40.0/24 is directly connected, Loopback2
L    172.20.40.1/32 is directly connected, Loopback2
C    172.20.41.0/24 is directly connected, Loopback3
L    172.20.41.1/32 is directly connected, Loopback3
R10 has lost the other routes due to a default deny in the prefix-list. We can overcome this by adding the following permit any any rule:
R8(config)#ip prefix-list deny-10.10.1.0 seq 10 permit 0.0.0.0/0 le 32

R5(config)#ip prefix-list deny-10.10.1.0 seq 10 permit 0.0.0.0/0 le 32
And now R10 can still reach R1, but on a different IP address:
R10#ping 1.2.3.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/40 ms
R10#

Fixing recursive routing using a distribute list

Remember back in part 7 when we set up our tunnel, to avoid route recursion and that annoying %TUN-5-RECURDOWN error we had to add a few static routes, well Cisco (in the exam at least) don't like you to use static routes, if they did then the exam would be so much easier, and where would the fun in that be? So what can we do to keep our tunnel working and still control our metrics?

Lets start by shutting down our tunnel and removing the static routes:
R5(config)#int tunnel 0
R5(config-if)#shut
R5(config-if)#
*Nov 25 14:33:24.711: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.2 (Tunnel0) is down: interface down
R5(config-if)#exit
R5(config)#
*Nov 25 14:33:26.711: %LINK-5-CHANGED: Interface Tunnel0, changed state to administratively down
*Nov 25 14:33:27.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R5(config)#no ip route 172.20.40.0 255.255.255.0 Serial0/0
R5(config)#no ip route 172.20.40.0 255.255.255.0 Serial 0/2 10

R10(config)#int tunnel 0
R10(config-if)#shut
*Nov 25 14:34:27.411: %LINK-5-CHANGED: Interface Tunnel0, changed state to administratively down
*Nov 25 14:34:28.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R10(config-if)#no ip route 10.1.7.1 255.255.255.255 Serial1/0
R10 knows of 10.1.7.0/24 through EIGRP, so the easiest thing to do is to use an incoming distribute list, coupled with an ACL to deny the EIGRP process from learning about the tunnel endpoint on R10. R5 is being used as this is the router that is complaining about route recursion.
router eigrp 10
 distribute-list prefix deny-10.10.1.0 out Tunnel0
 distribute-list 20 in
 network 10.0.0.0
 redistribute rip metric 10000 1000 255 1 1500
 no auto-summary
!
ip prefix-list deny-10.10.1.0 seq 5 deny 10.10.1.0/24
ip prefix-list deny-10.10.1.0 seq 10 permit 0.0.0.0/0 le 32
access-list 20 deny 10.120.2.2
And with this in place our tunnel is stable and we have avoided using any static routes.

In part 9 we will add IPv6 onto our network, which should be interesting!
Free CCIE R+S quiz

Free CCIE R+S quiz

02:32:00 Add Comment
Finally I have posted the start of the free CCIE Written test. 

 There are 83 questions so far, and more will be added as we go.

 Obviously the questions I have done are not the same as those in the real exam, after all it would be pretty dumb to incur the wrath of Cisco in order to bring something (hopefully) entertaining to this site. So any questions that are similar to the real questions in any way is purely coincidental and I would be happy to remove them, should Cisco request me to do so.

 That said, I hope you enjoy it and please follow us on your social networking site of choice, or follow by email, so that when more questions are added you can come back again.

Take the quiz!

Cisco ASA failover, redundant interfaces, Catalyst HSRP and power

07:37:00 8 Comments
Most networks have redundancy (or at least should do). This can be in the form of additional cables cross-connecting devices, dual power supplies going to different feeds and HSRP on switches. All of this is good stuff, but some things can easily be taken for granted.

 Consider the following topology:

 We have two ASAs in a failover pair (Outside interface 10.30.1.1 with standby ip 10.30.1.2), both connecting to a switch (10.30.1.254), that has a loopback interface assigned to it to simulate the internet (10.250.1.1). The ASAs also connect to a pair of switches, set up in an HSRP group (ASA inside interface 10.40.1.1, standby ip 10.40.1.10, switch vlan 40 ip 10.40.1.254). The topology looks like this:

It looks pretty redundant right? But let's work through the config and see what could go wrong. We'll start by setting up the ASAs in a failover pair.

Cisco ASA failover setup

On the first ASA we set up failover as follows:
ciscoasa(config)# enable password cisco
ciscoasa(config)# hostname ASA1
ASA1(config)# failover
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface FAILOVER GigabitEthernet0/3
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
ASA1(config)# failover key fail0ver
ASA1(config)# failover replication http
ASA1(config)# failover link FAILOVER GigabitEthernet0/3
ASA1(config)# failover interface ip FAILOVER 10.20.1.1 255.255.255.252 standby 10.20.1.1
ASA1(config)# int gi0/3
ASA1(config-if)# no shut
ASA1(config-if)# exit
ASA1(config)# exit
ASA1# copy run start
The second ASA is similar:
ciscoasa(config)# enable password cisco
ciscoasa(config)# hostname ASA2
ASA2(config)# failover
ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface FAILOVER GigabitEthernet0/3
INFO: Non-failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
ASA2(config)# failover key fail0ver
ASA2(config)# failover replication http
ASA2(config)# failover link FAILOVER GigabitEthernet0/3
ASA2(config)# failover interface ip FAILOVER 10.20.1.1 255.255.255.252 standby 10.20.1.2
ASA2(config)# int gi0/3
ASA2(config-if)# no shut
ASA2(config-if)#exit
ASA2(config)#exit
ASA2# copy run start
We can then save our configuration, so that the partner (or mate) firewall gets sent the active configuration:
ASA1# copy run start
ASA1# Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
I do like to set the prompt to show me easily which firewall I am currently on:
ASA1#
ASA1# conf t
ASA1(config)# prompt hostname state
ASA1/act(config)# exit
ASA1/act# copy run start

Source filename [running-config]?
Cryptochecksum: 9f0c4260 95438d98 2d1439ef 0704bf77

2693 bytes copied in 3.310 secs (897 bytes/sec)
ASA1/act#
Our partner ASA will now change to show its status in the prompt:
ASA1#
ASA1/stby# Cryptochecksum: 0df25109 9f4fecb5 cebb9db5 93664d73

ASA1/stby#
2691 bytes copied in 3.230 secs (897 bytes/sec)
ASA1/stby#
Now we can configure our connection to the "internet" and to the inside network:

ASA Outside (internet) connection

ASA1/act# conf t
ASA1/act(config)# int Gi0/0
ASA1/act(config-if)# nameif OUTSIDE
INFO: Security level for "OUTSIDE" set to 0 by default.
ASA1/act(config-if)# ip address 10.30.1.1 255.255.255.0 standby 10.30.1.2
ASA1/act(config-if)# no shut
ASA1/act(config-if)#exit
ASA1/act(config)# exit
ASA1/act# copy run start

ASA Inside connection

ASA1/act(config-if)# int gi 0/1
ASA1/act(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ASA1/act(config-if)# ip address 10.40.1.1 255.255.255.0 standby 10.40.1.10
ASA1/act(config-if)# no shut
ASA1/act(config-if)# exit
ASA1/act(config)# exit
ASA1/act# copy run start
Now we have connections on the inside and outside:

Switch HSRP setup

I have covered HSRP a few times now, so won't go into any details, but here is the configuration walkthrough:
Switch(config)#hostname SW1
SW1(config)#vlan 40
SW1(config-vlan)#exit
SW1(config)#int vlan 40
SW1(config-if)#ip address 10.40.1.2 255.255.255.0
00:06:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan40, changed state to down
SW1(config-if)#standby 40 ip 10.40.1.254
SW1(config-if)#standby 40 pri 150
SW1(config-if)#
00:09:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
SW1(config-if)#exit
00:09:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
SW1(config)#int fastEthernet 1/0/2
SW1(config-if)#switchport trunk encap dot1q
SW1(config-if)#switchport mode trunk
00:09:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan40, changed state to up
SW1(config-if)#
00:10:10: %HSRP-6-STATECHANGE: Vlan40 Grp 40 state Standby -> Active
SW1(config-if)#

Switch(config)#hostname SW2
SW2(config)#vlan 40
SW2(config-vlan)#exit
SW2(config)#int vlan 40
*Mar  1 00:06:56.997: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan40, changed state to down
SW2(config-if)#ip address 10.40.1.3 255.255.255.0
SW2(config-if)#standby 40 ip 10.40.1.254
SW2(config-if)#standby pri 90
SW2(config-if)#exit
SW2(config)#int fa0/2
SW2(config-if)#switchport trunk encap dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#
*Mar  1 00:09:22.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
*Mar  1 00:09:25.517: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
*Mar  1 00:09:55.515: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan40, changed state to up
*Mar  1 00:10:36.561: %HSRP-5-STATECHANGE: Vlan40 Grp 40 state Speak -> Standby
SW2(config-if)#

Switch to ASA configuration

SW1(config)#int fa1/0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 40
SW1(config-if)#exit
SW1(config)#exit
SW1#ping 10.40.1.1
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.40.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

SW2(config)#int fa0/1
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 40
SW2(config-if)#exit
SW2(config)#exit
SW2#
*Mar  1 01:09:09.651: %SYS-5-CONFIG_I: Configured from console by console
SW2#ping 10.40.1.1
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.40.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

ASAs to "Internet" Configuration

On the active ASA we need to set a route out to the internet:
ASA1/act# sh run | i route
route OUTSIDE 0.0.0.0 0.0.0.0 10.30.1.254 1

Internet configuration

The internet is very simple, we have a loopback that will be our end-point for testing, and a vlan for the ASAs to communicate with:
3550-SW3#sh run
interface Loopback0
  ip address 10.250.1.1 255.255.255.0
!
interface FastEthernet0/1
  switchport access vlan 10
  switchport mode access
!
interface FastEthernet0/11
  switchport access vlan 10
  switchport mode access
!
interface Vlan10
  ip address 10.30.1.254 255.255.255.0

NAT statements to allow access

To allow the inside to talk to the internet we need to set up NATing on the ASAs:
global (OUTSIDE) 1 interface
nat (INSIDE) 1 10.40.1.0 255.255.255.0

Testing

Let's see how out connectivity looks:
ASA1/act# ping 10.250.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA1/stby> ping 10.250.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

SW1#ping 10.250.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

SW2#ping 10.250.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW2#
So far so good!

Forcing failover and simulating outages 

We can simulate issues in a number of ways. I started by removing the power to SW1. This made SW2 go active for vlan 40. SW2 has a good connection to ASA2 so pings were 100% successful.

With ASA1 as the standby we can force a failover from ASA2:
ASA1/stby# failover active

    Switching to Active

SW2#ping 10.250.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
....!
Success rate is 20 percent (1/5), round-trip min/avg/max = 1/1/1 ms

ASA1/act# Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.

    Switching to Standby
At this point the firewalls failed back, due to the traffic generated by SW2, so that ASA2 became the active mate again. If ASA2 had the power removed then they would not be able to fail back, and therefore SW2 would have no way to route the traffic over to SW1 (which would be the active firewall), and therefore the inside of the network would lose all internet communication.

So we can survive one ASA power outage and one switch outage (ASA1 and SW1 or ASA2 and SW2) but not if we lose SW2 and ASA1 or SW1 and ASA2.

So how can we get better resiliency? We can do this with a cable from SW1 to ASA2 and from SW2 to ASA1. This does require some reconfiguration on the ASAs, but how can we do this? We certainly can't have another physical interface on the ASAs with the same IP range, as we would get an error informing us of an IP overlap. They key work here is physical interface. We can however set up a different type of interface to achieve this.

Cisco ASA Redundant interfaces

Redundant interfaces are two or more interfaces joined together in a redundancy group. They act like physical interfaces, in that they have an IP address, but with the added bonus of having multiple links.

We start by adding another interface on the switches (fa1/0/3 on SW1 and fa0/3 on SW3) to be access ports on vlan 40, and these interfaces are connected to GigabitEthernet 0/2 on the "other" ASA:



Next we move onto the firewalls and remove the IP information from the existing inside interfaces:
ASA1/act(config)# int GigabitEthernet0/1
ASA1/act(config-if)# no nameif
ASA1/act(config-if)# no ip address
ASA1/act(config-if)# exit
Then we can create a redundant port:
ASA1/act(config)# interface Redundant1
ASA1/act(config-if)# member-interface GigabitEthernet0/1
INFO: security-level and IP address are cleared on GigabitEthernet0/1.
ASA1/act(config-if)# member-interface GigabitEthernet0/2
INFO: security-level and IP address are cleared on GigabitEthernet0/2.
ASA1/act(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ASA1/act(config-if)# ip address 10.40.1.1 255.255.255.0 standby 10.40.1.10
ASA1/act(config-if)#
I could have saved a bit of typing as adding a member interface to a redundant interface will clear the security-level and IP address automatically, but its useful to do manually.

Once we have saved our config we can check on the standby ASA:
ASA1/stby# sh run
: Saved
<Truncated>
interface GigabitEthernet0/1
  no nameif
  no security-level
  no ip address
!
interface GigabitEthernet0/2
  no nameif
  no security-level
  no ip address
!
interface Redundant1
  member-interface GigabitEthernet0/1
  member-interface GigabitEthernet0/2
  nameif INSIDE
  security-level 100
  ip address 10.40.1.1 255.255.255.0 standby 10.40.1.10
!
At this point we cant ping the loopback of 10.250.1.1 on the "internet", and to do this we need to do some NATing on the ASA, because when we clear the interface on the ASA it removes our NAT statement:
ASA1/act(config)# nat (INSIDE) 1 10.40.1.0 255.255.255.0
Once that is done we can ping the loopback again:
SW1#ping 10.250.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

SW2#ping 10.250.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW2#

Testing the redundant interface with failover

Now if we failover the ASAs (ASA1 being the primary, so testing from SW1) do we lose any pings?
SW1#ping 10.250.1.1 repeat 4000

Type escape sequence to abort.
Sending 4000, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
!!!!!
<omitted>
!!!!!
Success rate is 100 percent (4000/4000), round-trip min/avg/max = 1/2/9 ms
No we dont.

If we remove SW1 (simulating a power outage) does SW2 lose any pings?
SW2#ping 10.250.1.1 repeat 4000

Type escape sequence to abort.
Sending 4000, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
<omitted>
*Mar  5 02:12:17.681: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
<omitted>
*Mar  5 02:12:18.746: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down
Success rate is 100 percent (4000/4000), round-trip min/avg/max = 1/3/34 ms
Again no ping loss. And if we turn off ASA2 (now the primary):
SW2#ping 10.250.1.1 repeat 4000

Type escape sequence to abort.
Sending 4000, 100-byte ICMP Echos to 10.250.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
*Mar  5 02:13:49.133: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  5 02:13:50.140: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down.......!!!!!!!!!!!!!!!!!!!!!!!
<omitted>
Success rate is 99 percent (3992/4000), round-trip min/avg/max = 1/3/17 ms
Then yes we do lose a few pings, but only in the time it takes ASA 1 to become the active again. But losing a couple of pings is better than losing all communication! Now we can lose one switch and one ASA on different sides of the topology and still have a working (redundant) network.
Can I be CCIE by July?

Can I be CCIE by July?

02:19:00 Add Comment
It's always good to have a goal, and aiming towards a certain date is certainly a good way to push yourself forward.

 There is a CCIE R+S remote lab in London between June 30 and July 4th next year. Can I be ready by then?

 I reckon I am about half way there. There is six months between now and then, and hopefully I can get onto the INE course on London in April. As part of INE's course they offer to pay for the exam fee, and this includes the mobile labs. They do however require 100 days notice, not sure if this is written in stone or not, but I can ask Tami, the lovely person at INE who is superbly helpful...

 Assuming I get the last day available booked for the lab (4th July) that puts the notify time to the 26th March, and in order to book the lab I need to have passed the written exam.

 This would give me 132 days (from today) to pass the written in order to give INE the 100 days notice to take the lab exam.

 So in 132 days, lets call it 130 to give me a couple of days to do the written exam, I need to either finish or cover (going strictly by the V4 blueprint):

  • BGP
  • Frame Relay
  • IPv6
  • MPLS
  • Multicast
  • Security
  • Network Services
  • QoS
  • Troubleshooting
  • Optimizing
As the version 5 blueprint details will be released soon I might leave Frame Relay and some of the network services till last, just in case they are dropped as indications about the new CCIE R+S lab would suggest, and leave room for the new V5 topics.

 This works out to be 13 days per topic. Now some will be quicker than others, certainly the network services and the Optimizing topics I reckon I can whizz through. Other will take longer (MPLS, QoS and Multicast especially).

 The other alternative is the October 6 -10 mobile lab, which is slightly more feasible, and actually keeps in line with my original one year plan.

 Either way, its good to have a goal to work towards.
The BIG lab - Part 7 - GRE Tunnels and recursive routing (2.20)

The BIG lab - Part 7 - GRE Tunnels and recursive routing (2.20)

04:10:00 Add Comment
Now that our networks are all talking to each other, following the previous redistribution post, we can start playing around with them a bit more. So let's create a tunnel, actually we are going to create a few tunnels, but only one today.

 Creating a tunnel is very straight forward, but there is also one major "gotcha". A tunnel must have a route to its destination. So if we have a tunnel from router A to router C via router B router A must know of a way to get to router C. This can either be static routes, or learned through an IGP (or as we will be doing, learned through redistribution). Nothing too complex so far, right? But what if router A learns of its route to router C through the tunnel - i.e. if the tunnel offers a better metric, well then we are going to start seeing problems.

 But let's cross that bridge when, and hopefully when, we come to it.

 For today we are going to create a tunnel from the loopback 0 on R7 (10.60.1.1) which is in our RIPv2 network and connect it to loopback 1 on R10 (172.20.30.1) , which is in our EIGRP network.

 So firstly lets see if they still can see each other after yesterday's redistribution exercise:
R7#sh ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
R        1.2.3.0 [120/4] via 10.20.3.1, 00:00:24, Serial0/1
      10.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
R        10.1.1.0/24 [120/4] via 10.20.3.1, 00:00:24, Serial0/1
R        10.1.2.0/24 [120/4] via 10.20.3.1, 00:00:24, Serial0/1
R        10.1.3.0/24 [120/4] via 10.20.3.1, 00:00:24, Serial0/1
R        10.1.4.0/24 [120/4] via 10.20.3.1, 00:00:24, Serial0/1
R        10.1.5.0/24 [120/4] via 10.20.3.1, 00:00:24, Serial0/1
R        10.1.6.0/24 [120/3] via 10.20.3.1, 00:00:24, Serial0/1
R        10.10.1.0/24 [120/4] via 10.20.3.1, 00:00:24, Serial0/1
R        10.20.1.0/24 [120/2] via 10.20.3.1, 00:00:24, Serial0/1
R        10.20.2.0/24 [120/1] via 10.20.3.1, 00:00:24, Serial0/1
C        10.20.3.0/24 is directly connected, Serial0/1
L        10.20.3.2/32 is directly connected, Serial0/1
R        10.25.1.0/24 [120/3] via 10.20.3.1, 00:00:24, Serial0/1
R        10.30.1.0/24 [120/3] via 10.20.3.1, 00:00:24, Serial0/1
R        10.31.1.0/24 [120/3] via 10.20.3.1, 00:00:24, Serial0/1
R        10.35.1.0/24 [120/2] via 10.20.3.1, 00:00:24, Serial0/1
C        10.60.1.0/24 is directly connected, Loopback0
L        10.60.1.1/32 is directly connected, Loopback0
      172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
R        172.20.20.0/24 [120/3] via 10.20.3.1, 00:00:25, Serial0/1
R        172.20.30.0/24 [120/3] via 10.20.3.1, 00:00:25, Serial0/1
R        172.20.40.0/23 [120/3] via 10.20.3.1, 00:00:25, Serial0/1

 So R7 can see R10's Lo1, and has learned it via RIP (metric 120).

 R10#sh ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
D EX     1.2.3.0 [170/2937856] via 10.31.1.1, 00:00:51, Serial1/0
      10.0.0.0/8 is variably subnetted, 16 subnets, 2 masks
D EX     10.1.1.0/24 [170/2937856] via 10.31.1.1, 00:00:51, Serial1/0
D EX     10.1.2.0/24 [170/2937856] via 10.31.1.1, 00:00:51, Serial1/0
D EX     10.1.3.0/24 [170/2937856] via 10.31.1.1, 00:00:51, Serial1/0
D EX     10.1.4.0/24 [170/2937856] via 10.31.1.1, 00:00:51, Serial1/0
D EX     10.1.5.0/24 [170/2937856] via 10.31.1.1, 00:00:51, Serial1/0
D        10.1.6.0/24 [90/3193856] via 10.31.1.1, 00:01:48, Serial1/0
D EX     10.10.1.0/24 [170/2937856] via 10.31.1.1, 00:00:51, Serial1/0
D        10.20.1.0/24 [90/3193856] via 10.31.1.1, 00:11:53, Serial1/0
D        10.20.2.0/24 [90/3705856] via 10.31.1.1, 00:11:53, Serial1/0
D EX     10.20.3.0/24 [170/2937856] via 10.31.1.1, 00:04:04, Serial1/0
D        10.25.1.0/24 [90/2681856] via 10.31.1.1, 00:11:53, Serial1/0
D        10.30.1.0/24 [90/2681856] via 10.31.1.1, 00:11:53, Serial1/0
C        10.31.1.0/24 is directly connected, Serial1/0
L        10.31.1.2/32 is directly connected, Serial1/0
D        10.35.1.0/24 [90/41536000] via 10.31.1.1, 00:11:53, Serial1/0
D EX     10.60.1.0/24 [170/2937856] via 10.31.1.1, 00:04:04, Serial1/0
      172.20.0.0/16 is variably subnetted, 9 subnets, 3 masks
C        172.20.20.0/24 is directly connected, Loopback0
L        172.20.20.1/32 is directly connected, Loopback0
C        172.20.30.0/24 is directly connected, Loopback1
L        172.20.30.1/32 is directly connected, Loopback1
D        172.20.40.0/23 is a summary, 00:11:55, Null0
C        172.20.40.0/24 is directly connected, Loopback2
L        172.20.40.1/32 is directly connected, Loopback2
C        172.20.41.0/24 is directly connected, Loopback3
L        172.20.41.1/32 is directly connected, Loopback3

 R10 also knows of R7's Lo0, which it has learned from Eigrp External (D EX) with an AD of 170.

 Note - if we know exactly what IP prefix we are looking for, then we can just do:

R10#sh ip route | i 10.60           

D EX     10.60.1.0/24 [170/2937856] via 10.31.1.1, 00:07:48, Serial1/0

Now let's start setting up our tunnels.

Creating a GRE tunnels on Cisco IOS

Creating a GRE tunnel only takes a couple of commands, and really is not much different than creating any non-physical interface: 
R7#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R7(config)#interface tunnel0
R7(config-if)#ip address 10.120.1.1 255.255.255.0
R7(config-if)#tunnel source Lo0
R7(config-if)#tunnel destination 172.20.30.1
R7(config-if)#
*Nov  8 09:27:10.335: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R7(config-if)#

R10#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R10(config)#interface tunnel 0
R10(config-if)#ip address 10.120.1.2 255.255.255.0
R10(config-if)#tunnel source lo1
R10(config-if)#tunnel destination 10.60.1.1
R10(config-if)#
*Nov  8 09:28:19.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R10(config-if)#
We can test that our tunnel is up by pinging the tunnel interface IP on the other side:
R7#ping 10.120.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.120.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms

R10#ping 10.120.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.120.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/44 ms
GRE (Generic Routing Encapsulation) is the default for these tunnels:

R10#sh int tunnel 0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 10.120.1.2/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.20.30.1 (Loopback1), destination 10.60.1.1
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with Loopback1
          Set of tunnels with source Loopback1, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
<output omitted>

But we can switch to a number of modes using the command "tunnel mode" and then the mode, useful if the ISP(s) do not like GRE for any reason, or if we want to ensure our tunnel is IPv6, or for setting up an MPLS tunnel:

R7(config-if)#tunnel mode ?
  aurp       AURP TunnelTalk AppleTalk encapsulation
  cayman  Cayman TunnelTalk AppleTalk encapsulation
  dvmrp    DVMRP multicast tunnel
  eon         EON compatible CLNS tunnel
  gre         generic route encapsulation protocol
  ipip        IP over IP encapsulation
  ipsec      IPSec tunnel encapsulation
  iptalk     Apple IPTalk encapsulation
  ipv6       Generic packet tunneling in IPv6
  ipv6ip    IPv6 over IP encapsulation
  mpls      MPLS encapsulations
  nos        IP over IP encapsulation (KA9Q/NOS compatible)
  rbscp     RBSCP in IP tunnel

It's important to note that both sides of the tunnel must match.  

So far our tunnel has been rock-solid, so we could just end this session here. But where would the fun in that be? Let's make some recursive routing 
R5(config)#int lo0
R5(config-if)#ip address 10.1.7.1 255.255.255.0
R5(config-if)#int tunnel 0
*Nov  8 10:11:05.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R5(config-if)#ip address 10.120.2.1 255.255.255.0
R5(config-if)#tunnel source lo0
R5(config-if)#tunnel destination 172.20.40.1
R5(config-if)#
*Nov  8 10:11:50.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

R10#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R10(config)#int tunnel 1
R10(config-if)#ip address 10.120.2.2 255.255.255.0
R10(config-if)#tunnel source lo2
R10(config-if)#tunnel destination 10.1.7.1
R10(config-if)#
OK, so far so good, the tunnel comes up... but then goes down, then then up and down, and you get the general idea :

*Nov  8 10:11:50.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R5(config-if)#
*Nov  8 10:12:59.619: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.2 (Tunnel0) is up: new adjacency
*Nov  8 10:12:59.731: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel0 - looped chain attempting to stack
R5(config-if)#
*Nov  8 10:13:04.491: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Nov  8 10:13:05.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Nov  8 10:13:05.491: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.2 (Tunnel0) is down: interface down
R5(config-if)#
*Nov  8 10:14:06.495: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov  8 10:14:06.783: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.2 (Tunnel0) is up: new adjacency
*Nov  8 10:14:06.839: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel0 - looped chain attempting to stack

R10(config-if)#
*Nov  8 10:13:14.063: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.1 (Tunnel1) is down: holding time expired
R10(config-if)#
*Nov  8 10:14:06.123: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.1 (Tunnel1) is up: new adjacency
R10(config-if)#
*Nov  8 10:14:21.215: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.1 (Tunnel1) is down: holding time expired
R10(config-if)#

The main error we need to look for is %TUN-5-RECURDOWN: Tunnel0 temporarily disabled to to recursive routing.

 To fix this we start by shutting down the tunnel interface and give our routing protocols a few seconds to recover.

R10 learned the route to R5's 10.1.7.1 interface through EIGRP, and R5 learned of R10's Lo2 interface through EIGRP as well. But clearly this is causing problems with both EIGRP and the tunnel, in fact it's caused recursion. Where our tunnel from R7 to R10 caused us no issues going from EIGRP to RIP, a tunnel from R5 to R10 actually tries to form a new EIGRP adjacency, and hence will actually try to use the tunnel for the adjacency, thereby losing the actual route to the tunnel end-point.

 So what can we do here? 

 The easiest method is to add a static route, remember from the post on redistribution that routing just cares about metrics, with lower being the preferred metric.

Routing Protocol Administrative Distance
Connected interface 0
Static route 1
EIGRP Summary route 5
External BGP 20
Internal EIGRP 90
IGRP 100
OSPF 110
IS-IS 115
RIP 120
EGP 140
ODR 160
External EIGRP 170
Internal BGP 200
As R5 has two links to R10 we can create two static routes (with different metrics) to R10, but R10 only needs one static route:
R5(config)#ip route 172.20.40.0 255.255.255.0 s0/0 1
R5(config)#ip route 172.20.40.0 255.255.255.0 s0/2 10

R10(config)#ip route 10.1.7.1 255.255.255.255 s1/0
Note that we have different metrics on R5, so that if interface serial0/0 (preferred) goes down then serial 0/2 can be used, but at the same time will not interfere with out EIGRP operations.

Once we have done a "no shut" on our tunnel interface the tunnel reestablishes and our EIGRP operations are not affected:

R5(config)#int tunnel 0
R5(config-if)#no shut
*Nov  8 10:38:02.903: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
*Nov  8 10:38:03.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R5(config-if)#exit
R5(config)#
*Nov  8 10:38:04.215: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.120.2.2 (Tunnel0) is up: new adjacency
R5(config)#exit
*Nov  8 10:38:10.471: %SYS-5-CONFIG_I: Configured from console by console
R5#sh ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
R        1.2.3.0 [120/2] via 10.20.1.1, 00:00:25, Serial0/0
      10.0.0.0/8 is variably subnetted, 23 subnets, 2 masks
R        10.1.1.0/24 [120/2] via 10.20.1.1, 00:00:25, Serial0/0
R        10.1.2.0/24 [120/2] via 10.20.1.1, 00:00:25, Serial0/0
R        10.1.3.0/24 [120/2] via 10.20.1.1, 00:00:25, Serial0/0
R        10.1.4.0/24 [120/2] via 10.20.1.1, 00:00:25, Serial0/0
R        10.1.5.0/24 [120/2] via 10.20.1.1, 00:00:25, Serial0/0
D        10.1.6.0/24 [90/2681856] via 10.20.1.1, 01:20:52, Serial0/0
C        10.1.7.0/24 is directly connected, Loopback0
L        10.1.7.1/32 is directly connected, Loopback0
R        10.10.1.0/24 [120/2] via 10.20.1.1, 00:00:25, Serial0/0
C        10.20.1.0/24 is directly connected, Serial0/0
L        10.20.1.2/32 is directly connected, Serial0/0
C        10.20.2.0/24 is directly connected, Serial0/1
L        10.20.2.1/32 is directly connected, Serial0/1
R        10.20.3.0/24 [120/1] via 10.20.2.2, 00:00:05, Serial0/1
D        10.25.1.0/24 [90/2681856] via 10.20.1.1, 01:30:59, Serial0/0
D        10.30.1.0/24 [90/3193856] via 10.20.1.1, 01:31:00, Serial0/0
D        10.31.1.0/24 [90/3193856] via 10.20.1.1, 00:01:22, Serial0/0
C        10.35.1.0/24 is directly connected, Serial0/2
L        10.35.1.1/32 is directly connected, Serial0/2
R        10.60.1.0/24 [120/2] via 10.20.2.2, 00:00:06, Serial0/1
D        10.120.1.0/24 [90/28160000] via 10.120.2.2, 00:01:23, Tunnel0
C        10.120.2.0/24 is directly connected, Tunnel0
L        10.120.2.1/32 is directly connected, Tunnel0
      172.20.0.0/16 is variably subnetted, 5 subnets, 2 masks
D        172.20.20.0/24 [90/3321856] via 10.20.1.1, 00:01:23, Serial0/0
D        172.20.30.0/24 [90/3321856] via 10.20.1.1, 00:01:23, Serial0/0
D        172.20.40.0/23 [90/3321856] via 10.20.1.1, 01:30:58, Serial0/0
S        172.20.40.0/24 is directly connected, Serial0/0
D        172.20.41.0/24 [90/27008000] via 10.120.2.2, 00:01:23, Tunnel0
R5#

We can see on R5 that the network 172.20.40.0/24 is learnt through a static route (denoted by an S), and through EIGRP (D). It will be the static route that is the preferred route.

R10#sh ip route | beg Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
D EX     1.2.3.0 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
      10.0.0.0/8 is variably subnetted, 22 subnets, 2 masks
D EX     10.1.1.0/24 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
D EX     10.1.2.0/24 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
D EX     10.1.3.0/24 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
D EX     10.1.4.0/24 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
D EX     10.1.5.0/24 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
D        10.1.6.0/24 [90/3193856] via 10.31.1.1, 00:01:03, Serial1/0
D        10.1.7.0/24 [90/3321856] via 10.31.1.1, 00:01:03, Serial1/0
S        10.1.7.1/32 is directly connected, Serial1/0
D EX     10.10.1.0/24 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
D        10.20.1.0/24 [90/3193856] via 10.31.1.1, 00:01:03, Serial1/0
D        10.20.2.0/24 [90/3705856] via 10.31.1.1, 00:01:03, Serial1/0
D EX     10.20.3.0/24 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
D        10.25.1.0/24 [90/2681856] via 10.31.1.1, 00:01:03, Serial1/0
D        10.30.1.0/24 [90/2681856] via 10.31.1.1, 00:01:03, Serial1/0
C        10.31.1.0/24 is directly connected, Serial1/0
L        10.31.1.2/32 is directly connected, Serial1/0
D        10.35.1.0/24 [90/41536000] via 10.31.1.1, 00:01:03, Serial1/0
D EX     10.60.1.0/24 [170/2937856] via 10.31.1.1, 00:01:03, Serial1/0
C        10.120.1.0/24 is directly connected, Tunnel1
L        10.120.1.2/32 is directly connected, Tunnel1
C        10.120.2.0/24 is directly connected, Tunnel0
L        10.120.2.2/32 is directly connected, Tunnel0
      172.20.0.0/16 is variably subnetted, 9 subnets, 3 masks
C        172.20.20.0/24 is directly connected, Loopback0
L        172.20.20.1/32 is directly connected, Loopback0
C        172.20.30.0/24 is directly connected, Loopback1
L        172.20.30.1/32 is directly connected, Loopback1
D        172.20.40.0/23 is a summary, 01:30:39, Null0
C        172.20.40.0/24 is directly connected, Loopback2
L        172.20.40.1/32 is directly connected, Loopback2
C        172.20.41.0/24 is directly connected, Loopback3
L        172.20.41.1/32 is directly connected, Loopback3
R10#

Again R10 has learned of the 10.1.7.1/32 host through our static command, but also of the 10.1.7/0/24 network through EIGRP. Again the static route will be the one preferred.

And that is how we set up a tunnel between two routers, and fix route recursion.

In part 8 will will look at how we can filter routes, as well as changing how routes are advertised.
Subscribe to: Posts (Atom)