
Monday, January 14, 2013

EIGRP route influence part 1


This time I use a slightly more complex topology, but I will do my best to explain it as clearly as I can. This is the topology diagram:



R1 to R5 belong to the SP network. All of them run OSPF (area 0) as the IGP, LDP, and BGP/MP-BGP in AS65000, with R5 acting as the route reflector.

There is only one customer in this lab, with two sites, R6 and R7, both in the same VRF (TEST). Each site is dual-homed (one ISP, two links) with one link as primary and the second as backup. At each site the customer has a network with various nodes and one server:

R6 site: network 192.168.61.0/24 and the server is R8 – 192.168.61.8

R7 site: network 192.168.71.0/24 and the server is R10 – 192.168.71.10

R9 and R11 simulate the other nodes on each site respectively.

Both sites also run EIGRP as the CE-PE routing protocol.


Now the customer requirements are as follows:

- Traffic between network 61 and network 71 goes through the primary link; if the primary link fails, it falls over to the backup link.

- The servers can communicate with each other ONLY through the backup link; if the backup link fails they will not fall back to the primary link.

So let’s start with the configuration. During this lab I will show the R7 configuration, but the same should be done on R6 to achieve the result at both sites.

R7 relevant configuration:

interface FastEthernet0/0
 ip address 10.1.37.7 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.47.7 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.71.1 255.255.255.0
 speed 100
 full-duplex
!
router eigrp 200
 network 10.1.37.7 0.0.0.0
 network 10.1.47.7 0.0.0.0
 network 192.168.71.0
 no auto-summary


And R7’s routing table:

R7#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     192.168.61.0/24 is variably subnetted, 2 subnets, 2 masks
D EX    192.168.61.0/24 [170/284160] via 10.1.47.4, 00:42:41, FastEthernet0/1
                        [170/284160] via 10.1.37.3, 00:42:41, FastEthernet0/0
D EX    192.168.61.8/32 [170/284160] via 10.1.47.4, 00:02:37, FastEthernet0/1
                        [170/284160] via 10.1.37.3, 00:02:37, FastEthernet0/0
     10.0.0.0/24 is subnetted, 4 subnets
D EX    10.1.26.0 [170/284160] via 10.1.47.4, 00:02:37, FastEthernet0/1
                  [170/284160] via 10.1.37.3, 00:02:38, FastEthernet0/0
D EX    10.1.16.0 [170/284160] via 10.1.47.4, 00:02:38, FastEthernet0/1
                  [170/284160] via 10.1.37.3, 00:02:38, FastEthernet0/0
C       10.1.47.0 is directly connected, FastEthernet0/1
C       10.1.37.0 is directly connected, FastEthernet0/0
C    192.168.71.0/24 is directly connected, FastEthernet1/0


We can see that R7 learns the R6 network through two routers, but it learns only the full subnet (192.168.61.0/24) and not the server-specific IP.

So first let’s advertise R6’s server IP:

R6(config)# ip route 192.168.61.8 255.255.255.255 fastEthernet 1/0
R6(config)#router eigrp 100
R6(config-router)#redistribute static


And let’s look at R7’s routing table:


R7#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     192.168.61.0/24 is variably subnetted, 2 subnets, 2 masks
D EX    192.168.61.0/24 [170/284160] via 10.1.47.4, 01:12:33, FastEthernet0/1
                        [170/284160] via 10.1.37.3, 01:12:33, FastEthernet0/0
D EX    192.168.61.8/32 [170/284160] via 10.1.47.4, 00:32:28, FastEthernet0/1
                        [170/284160] via 10.1.37.3, 00:32:28, FastEthernet0/0
     10.0.0.0/24 is subnetted, 4 subnets
D EX    10.1.26.0 [170/284160] via 10.1.47.4, 00:32:28, FastEthernet0/1
                  [170/284160] via 10.1.37.3, 00:32:30, FastEthernet0/0
D EX    10.1.16.0 [170/284160] via 10.1.47.4, 00:32:30, FastEthernet0/1
                  [170/284160] via 10.1.37.3, 00:32:30, FastEthernet0/0
C       10.1.47.0 is directly connected, FastEthernet0/1
C       10.1.37.0 is directly connected, FastEthernet0/0
     192.168.71.0/24 is variably subnetted, 2 subnets, 2 masks
S       192.168.71.10/32 is directly connected, FastEthernet1/0
C       192.168.71.0/24 is directly connected, FastEthernet1/0


Now R7 learns both 192.168.61.0/24 and 192.168.61.8/32.

Next, let’s block the server IP from being learned through Fa0/0, which is the primary link:

R7(config)#ip access-list standard NET61-DENY-R8
R7(config-std-nacl)#deny host 192.168.61.8
R7(config-std-nacl)#permit any
!
R7(config)#router eigrp 200
R7(config-router)#distribute-list NET61-DENY-R8 in fastEthernet 0/0


Let’s look at R7’s routing table now:

R7#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     192.168.61.0/24 is variably subnetted, 2 subnets, 2 masks
D EX    192.168.61.0/24 [170/284160] via 10.1.47.4, 01:28:47, FastEthernet0/1
                        [170/284160] via 10.1.37.3, 01:28:47, FastEthernet0/0
D EX    192.168.61.8/32 [170/284160] via 10.1.47.4, 00:00:16, FastEthernet0/1
     10.0.0.0/24 is subnetted, 4 subnets
D EX    10.1.26.0 [170/284160] via 10.1.47.4, 00:00:34, FastEthernet0/1
                  [170/284160] via 10.1.37.3, 00:00:34, FastEthernet0/0
D EX    10.1.16.0 [170/284160] via 10.1.47.4, 00:00:35, FastEthernet0/1
                  [170/284160] via 10.1.37.3, 00:00:35, FastEthernet0/0
C       10.1.47.0 is directly connected, FastEthernet0/1
C       10.1.37.0 is directly connected, FastEthernet0/0
     192.168.71.0/24 is variably subnetted, 2 subnets, 2 masks
S       192.168.71.10/32 is directly connected, FastEthernet1/0
C       192.168.71.0/24 is directly connected, FastEthernet1/0


Now R7 learns the server address only from Fa0/1 and will never learn it from Fa0/0.
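As an added verification step (my own script, not part of the original post), the following Python parses `show ip route` text in the format shown above and checks the policy just configured: the remote server /32 must be installed via the backup link only. The excerpts are constructed from the routing tables before and after the inbound distribute-list.

```python
import re
from collections import defaultdict

# Constructed excerpts in the format of R7's 'show ip route' output in this post
# (not a live capture): before and after the inbound distribute-list on Fa0/0.
BEFORE_FILTER = """\
D EX    192.168.61.8/32 [170/284160] via 10.1.47.4, 00:32:28, FastEthernet0/1
                        [170/284160] via 10.1.37.3, 00:32:28, FastEthernet0/0
"""
AFTER_FILTER = """\
     192.168.61.0/24 is variably subnetted, 2 subnets, 2 masks
D EX    192.168.61.0/24 [170/284160] via 10.1.47.4, 01:28:47, FastEthernet0/1
                        [170/284160] via 10.1.37.3, 01:28:47, FastEthernet0/0
D EX    192.168.61.8/32 [170/284160] via 10.1.47.4, 00:00:16, FastEthernet0/1
C       10.1.47.0 is directly connected, FastEthernet0/1
C       10.1.37.0 is directly connected, FastEthernet0/0
"""

PREFIX_RX = re.compile(r"^\S.*?\s(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s")
VIA_RX = re.compile(r"via (\d+\.\d+\.\d+\.\d+), \S+, (\S+)")
CONNECTED_RX = re.compile(r"is directly connected, (\S+)")

def parse_routes(output: str) -> dict:
    """Map each prefix to its list of (next_hop, interface) pairs. Lines that
    start with whitespace are continuation lines (extra equal-cost paths or the
    'is variably subnetted' headers) and belong to the most recent prefix."""
    routes = defaultdict(list)
    current = None
    for line in output.splitlines():
        if not line.startswith(" "):
            m = PREFIX_RX.match(line)
            current = m.group(1) if m else None   # legend / gateway lines: no prefix
        if current is None:
            continue
        routes[current].extend(VIA_RX.findall(line))
        routes[current].extend(("connected", ifc) for ifc in CONNECTED_RX.findall(line))
    return dict(routes)

def server_only_via_backup(routes: dict, server: str, primary: str, backup: str) -> bool:
    """Policy from the post: the remote server /32 must be reachable through the
    backup link and must have no path at all through the primary link."""
    ifaces = {ifc for _, ifc in routes.get(server, [])}
    return backup in ifaces and primary not in ifaces

if __name__ == "__main__":
    for label, text in (("before", BEFORE_FILTER), ("after", AFTER_FILTER)):
        ok = server_only_via_backup(parse_routes(text), "192.168.61.8/32",
                                    "FastEthernet0/0", "FastEthernet0/1")
        print(label, "filter: policy", "OK" if ok else "VIOLATED")
```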

And also block the server IP from being advertised out Fa0/0:

R7(config)#ip access-list standard NET71-DENY-R10
R7(config-std-nacl)#deny host 192.168.71.10
R7(config-std-nacl)#permit any
!
R7(config)#router eigrp 200
R7(config-router)#distribute-list NET71-DENY-R10 out fastEthernet 0/0


Now I have to make sure that traffic from network 192.168.61.0/24 comes and goes through Fa0/0, and only in case of failure goes through Fa0/1:

R7(config)#int fa 0/1
R7(config-if)#delay 5000


So now 192.168.61.0/24 is preferred through Fa0/0, due to the lower metric:

R7#show ip eigrp topology
IP-EIGRP Topology Table for AS(200)/ID(192.168.71.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 10.1.26.0/24, 1 successors, FD is 284160
        via 10.1.37.3 (284160/28160), FastEthernet0/0
        via 10.1.47.4 (1538560/28160), FastEthernet0/1
P 10.1.16.0/24, 1 successors, FD is 284160
        via 10.1.37.3 (284160/28160), FastEthernet0/0
        via 10.1.47.4 (1538560/28160), FastEthernet0/1
P 10.1.47.0/24, 1 successors, FD is 1536000
        via Connected, FastEthernet0/1
        via 10.1.37.3 (307200/281600), FastEthernet0/0
P 192.168.71.10/32, 1 successors, FD is 28160
        via Rstatic (28160/0)
P 10.1.37.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
P 192.168.71.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet1/0
P 192.168.61.0/24, 1 successors, FD is 284160
        via 10.1.37.3 (284160/28160), FastEthernet0/0
        via 10.1.47.4 (1538560/28160), FastEthernet0/1
P 192.168.61.8/32, 1 successors, FD is 1538560
        via 10.1.47.4 (1538560/28160), FastEthernet0/1
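To show where the numbers in the topology table come from, here is an added example of my own (not from the original post) that computes the classic EIGRP composite metric and applies DUAL's feasibility condition. The advertised vector (min bandwidth 100 Mbit/s, delay 10 tens of µs, giving RD 28160) and R7's link parameters (10 Mbit/s, 1000 µs Ethernet default delay, giving the connected FD 281600) are inferred from the output above and are assumptions.

```python
from dataclasses import dataclass

# Classic (32-bit) EIGRP composite metric with default K values (K1=K3=1, K2=K4=K5=0):
#   metric = 256 * (10^7 / min_bandwidth_kbps + cumulative_delay_in_tens_of_us)
# EIGRP carries the vector (bandwidth, delay), not the scalar, so each router
# recomputes the metric after adding its own inbound link.

@dataclass(frozen=True)
class Vector:
    min_bw_kbps: int   # lowest bandwidth along the path, in kbit/s
    delay_tens: int    # cumulative delay, in tens of microseconds

def metric(v: Vector) -> int:
    return 256 * (10_000_000 // v.min_bw_kbps + v.delay_tens)

def through(v: Vector, link_bw_kbps: int, link_delay_tens: int) -> Vector:
    """Vector this router computes after crossing its own inbound link."""
    return Vector(min(v.min_bw_kbps, link_bw_kbps), v.delay_tens + link_delay_tens)

def dual_choice(candidates: dict) -> tuple:
    """candidates: {interface: (advertised_vector, link_bw_kbps, link_delay_tens)}.
    Returns (successors, feasible_distance, feasible_successors). Successors are the
    interfaces with the lowest computed metric; a non-successor is a feasible
    successor when its reported distance is below the FD (RD < FD), i.e. it is
    loop-free and can be installed immediately if the successor fails."""
    computed = {ifc: metric(through(v, bw, dly)) for ifc, (v, bw, dly) in candidates.items()}
    fd = min(computed.values())
    successors = [ifc for ifc, m in computed.items() if m == fd]
    feasible = [ifc for ifc, (v, _, _) in candidates.items()
                if ifc not in successors and metric(v) < fd]
    return successors, fd, feasible

# Assumption: vector both PEs advertise for 192.168.61.0/24, RD 28160 = 256 * (100 + 10)
PE_ADVERTISED = Vector(min_bw_kbps=100_000, delay_tens=10)
# Assumption: R7's CE-PE links are 10 Mbit/s with the 1000 us Ethernet default delay
# (100 tens), which reproduces the connected FD 281600 = 256 * (1000 + 100) of 10.1.37.0/24.
LINK_BW, LINK_DELAY = 10_000, 100

BEFORE = {"FastEthernet0/0": (PE_ADVERTISED, LINK_BW, LINK_DELAY),
          "FastEthernet0/1": (PE_ADVERTISED, LINK_BW, LINK_DELAY)}
AFTER = {"FastEthernet0/0": (PE_ADVERTISED, LINK_BW, LINK_DELAY),
         "FastEthernet0/1": (PE_ADVERTISED, LINK_BW, 5000)}   # after 'delay 5000' on Fa0/1

if __name__ == "__main__":
    print("before:", dual_choice(BEFORE))   # two equal-cost successors, FD 284160
    print("after: ", dual_choice(AFTER))    # Fa0/0 successor, Fa0/1 feasible successor
```

Before the delay change both paths tie at 284160, which is why the earlier routing tables showed two next hops for every prefix; afterwards Fa0/1 computes to 1538560 but its RD of 28160 still satisfies RD < FD, so it stays a feasible successor and failover needs no query.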


And the last step is to block the servers from reaching each other through the primary link. Note that this applies only from server to server; if some other node in the network tries to reach one of the servers, it should succeed.

R7(config)#ip access-list extended R7-OUTBOUND
R7(config-ext-nacl)#deny ip host 192.168.71.10 host 192.168.61.8
R7(config-ext-nacl)#permit ip any any
R7(config-ext-nacl)#exit
R7(config)#int fa 0/0
R7(config-if)#ip access-group R7-OUTBOUND out


Now let’s test the results, from R8 to R10:

R8#traceroute 192.168.71.10
Type escape sequence to abort.
Tracing the route to 192.168.71.10
  1 192.168.61.1 20 msec 20 msec 28 msec
  2 10.1.26.2 24 msec 48 msec 28 msec
  3 10.1.25.5 [MPLS: Labels 16/25 Exp 0] 92 msec 108 msec 108 msec
  4 10.1.47.4 [MPLS: Label 25 Exp 0] 92 msec 80 msec 108 msec
  5 10.1.47.7 84 msec 120 msec 80 msec
  6 192.168.71.10 148 msec *  120 msec


And from R10 to R8:

R10#traceroute 192.168.61.8
Type escape sequence to abort.
Tracing the route to 192.168.61.8
  1 192.168.71.1 44 msec 8 msec 32 msec
  2 10.1.47.4 32 msec 40 msec 52 msec
  3 10.1.45.5 [MPLS: Labels 18/27 Exp 0] 96 msec 88 msec 112 msec
  4 10.1.26.2 [MPLS: Label 27 Exp 0] 104 msec 76 msec 76 msec
  5 10.1.26.6 80 msec 100 msec 80 msec
  6 192.168.61.8 120 msec *  120 msec


From R9 to R11:

R9#traceroute  192.168.71.11
Type escape sequence to abort.
Tracing the route to 192.168.71.11
  1 192.168.61.1 48 msec 28 msec 28 msec
  2 10.1.16.1 20 msec 44 msec 36 msec
  3 10.1.15.5 [MPLS: Labels 19/24 Exp 0] 100 msec 104 msec 96 msec
  4 10.1.37.3 [MPLS: Label 24 Exp 0] 80 msec 88 msec 60 msec
  5 10.1.37.7 112 msec 96 msec 84 msec
  6 192.168.71.11 128 msec *  120 msec


And from R11 to R9:

R11#traceroute 192.168.61.9
Type escape sequence to abort.
Tracing the route to 192.168.61.9
  1 192.168.71.1 28 msec 36 msec 16 msec
  2 10.1.37.3 28 msec 32 msec 28 msec
  3 10.1.35.5 [MPLS: Labels 17/28 Exp 0] 96 msec 112 msec 72 msec
  4 10.1.16.1 [MPLS: Label 28 Exp 0] 60 msec 72 msec 92 msec
  5 10.1.16.6 112 msec 92 msec 88 msec
  6 192.168.61.9 136 msec *  132 msec


And when the link from R7 to R4 is down:

R10#traceroute 192.168.61.8
Type escape sequence to abort.
Tracing the route to 192.168.61.8
  1 192.168.71.1 44 msec 28 msec 20 msec
  2 192.168.71.1 !A  *  !A
R10#traceroute 192.168.61.9
Type escape sequence to abort.
Tracing the route to 192.168.61.9
  1 192.168.71.1 32 msec 28 msec 12 msec
  2 10.1.37.3 40 msec 48 msec 32 msec
  3 10.1.35.5 [MPLS: Labels 17/28 Exp 0] 116 msec 84 msec 116 msec
  4 10.1.16.1 [MPLS: Label 28 Exp 0] 68 msec 52 msec 64 msec
  5 10.1.16.6 88 msec 60 msec 116 msec
  6 192.168.61.9 116 msec *  136 msec

Thursday, January 10, 2013

NAT on Cisco IOS-XE



The first time I came to configure NAT/PAT on a newly installed ASR-1002 I had a surprise! The ASR 1000 routers run Cisco IOS XE, which has a few changes compared to the regular IOS; one of them is the way it treats NAT.

Here is a link to Cisco IOS-XE NAT configuration guide:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book.pdf

Two important notes from the restrictions section:

- NAT Virtual Interfaces (NVIs) are not supported in the Cisco IOS XE software.

- Using the physical interface address of a device as an address pool is not supported. NAT can share the physical interface address of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.

Now let me explain the result of these notes with the following topology:


With those NAT restrictions we can’t simply configure NAT as follows:

interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip address 10.0.143.2 255.255.255.248
 ip nat outside
!
ip access-list extended 100
 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source list 100 interface GigabitEthernet0/0/1 overload

This configuration won’t work: on an ASR router you can use the IP address of the outside interface either for router access or for LAN NAT, but not for both as we do on classic Cisco IOS routers.

So following this restriction I had to configure it as follows:


interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip address 10.0.143.2 255.255.255.248
 ip nat outside
!
ip access-list extended 100
 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat pool LAN_NAT_POOL 10.0.143.3 10.0.143.5 prefix-length 28
!
ip nat inside source list 100 pool LAN_NAT_POOL overload

And static NAT for accessing the FW, where the inside IP address of the FW is 192.168.20.2:

interface GigabitEthernet0/0/2
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip address 10.0.143.2 255.255.255.248
 ip nat outside
!
ip nat inside source static 192.168.20.2 10.0.143.6 no-payload



Sunday, January 6, 2013

Cisco IOS ZBFW with IPSec remote access



In this post I’m going to show how to configure VPN remote access on a Cisco IOS router that is configured with ZBFW (Zone-Based Firewall).

This is the network topology:


The following configuration sets up the VPN remote-access policy using ZBFW; I assume you already have a basic ZBFW configuration in place with inside (LAN) and outside (WAN) zones.

1. First configure AAA for user authentication and group authorization:
aaa new-model
aaa authentication login VPN_CLIENT_AUTH local
aaa authorization network VPN_GROUP_AUTH local

2. Configure the IP pool which will provide IP addresses to remote users:
ip local pool VPN_POOL 172.16.0.1 172.16.0.254

3. Configure the ISAKMP Phase 1 policy:
crypto isakmp enable
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 3600
exit

In this policy I used AES with a 256-bit key as the encryption algorithm.

4. Configure the ISAKMP client group configuration:
crypto isakmp client configuration group VPN_GRP
 key <SECRET_KEY>
 dns 8.8.8.8
 wins 192.168.10.1
 domain network.local
 pool VPN_POOL
 max-users 5
 acl 108
exit

Note that Cisco adds another layer of security here: when configuring the VPN client software you provide the group password (key <SECRET_KEY>) once, in addition to the account username and password, which you enter each time you connect.

5. Configure the ACL which defines the local and remote identities (this is ACL 108, the one referenced by the client group in step 4):
ip access-list extended 108
 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 192.168.10.0 0.0.0.255

6. Define the crypto transform-set:
crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha-hmac

7. Configure the ISAKMP profile, which also attaches the VPN_CLIENT_AUTH login list from step 1 so that users are prompted for their username and password (XAUTH):
crypto isakmp profile ISAKMP_PROFILE
 match identity group VPN_GRP
 client authentication list VPN_CLIENT_AUTH
 isakmp authorization list VPN_GROUP_AUTH
 client configuration address respond
 virtual-template 1
exit

Note that we are binding three items here: the VPN group (configured in step 4), and the client authentication and group authorization lists (configured in step 1).

8. Configure the IPsec profile:
crypto ipsec profile IPSEC_PROFILE
 set transform-set TRANS-SET
 set isakmp-profile ISAKMP_PROFILE
exit

9. Configure the virtual-template interface:
interface Virtual-Template1 type tunnel
 ip unnumbered vlan1
 zone-member security vpn
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE

Note that the VTI is in the vpn security zone.

Now let’s move to the ZBFW configuration. There are three zones we need to configure: inside, outside and vpn.

1. First configure an ACL which allows IPsec traffic to pass:
ip access-list extended ACL_ISAKMP-IPSEC1
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp

2. Configure another ACL which allows IPsec traffic to be inspected:
ip access-list extended ACL_ISAKMP-IPSEC2
 permit udp any any eq isakmp

3. Configure a class-map for the IPsec traffic to pass:
class-map type inspect CM_ISAKMP-IPSEC1
 match access-group name ACL_ISAKMP-IPSEC1

4. Configure a class-map for the IPsec traffic to inspect:
class-map type inspect CM_ISAKMP-IPSEC2
 match access-group name ACL_ISAKMP-IPSEC2

5. Now configure the policy-map from zone outside to self:
policy-map type inspect PM_OUTSIDE-TO-SELF
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
 class class-default
  drop log

6. Configure the same from zone self to zone outside:
policy-map type inspect PM_SELF-TO-OUTSIDE
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
 class class-default
  drop log

7. Configure the ACL, class-map and policy-map for VPN remote access to the LAN (a standard ACL takes no protocol keyword, only the source network):
ip access-list standard ACL_VPN_REMOTE
 permit 172.16.0.0 0.0.0.255
!
class-map type inspect CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN_REMOTE
!
policy-map type inspect PM_VPN-TO-INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
  inspect
 class class-default
  drop log

8. Configure the zone-pair between the outside and self zones:
zone-pair security outside-to-self source outside destination self
 service-policy type inspect PM_OUTSIDE-TO-SELF
exit

9. Configure the zone-pair between the self and outside zones:
zone-pair security self-to-outside source self destination outside
 service-policy type inspect PM_SELF-TO-OUTSIDE
exit

10. And configure the zone-pair between the vpn and inside zones:
zone-pair security vpn-to-inside source vpn destination inside
 service-policy type inspect PM_VPN-TO-INSIDE
exit

Assuming that your LAN interface is in the inside zone and your WAN interface is in the outside zone, this configuration should work fine.
Configuring the Cisco VPN client software is pretty easy; after installing the client software follow these steps:
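A configuration like this has many cross-references (ACL to class-map to policy-map to zone-pair, pool and split-tunnel ACL to client group), and a typo in any name silently leaves the firewall or the VPN broken. As an added consistency check of my own (not part of the original post), the script below walks an IOS configuration in running-config layout and reports every ACL, class-map, policy-map or pool that is referenced but never defined. The sample config is constructed from the objects in this post, with one deliberately misspelled ACL reference (ACL_VPN-REMOTE) so the check has something to find.

```python
import re

# Definitions: (object kind, regex capturing the defined name). IOS keywords are
# case-insensitive, but object names are case-sensitive, so names are compared as-is.
DEFS = [
    ("acl",        re.compile(r"^ip access-list (?:standard|extended) (\S+)", re.I)),
    ("class-map",  re.compile(r"^class-map type inspect (?:match-\S+ )?(\S+)", re.I)),
    ("policy-map", re.compile(r"^policy-map type inspect (\S+)", re.I)),
    ("pool",       re.compile(r"^ip local pool (\S+)", re.I)),
]
# References: (object kind referenced, regex capturing the referenced name).
REFS = [
    ("acl",        re.compile(r"^\s+match access-group name (\S+)", re.I)),
    ("acl",        re.compile(r"^\s+acl (\S+)", re.I)),          # client-group split-tunnel ACL
    ("class-map",  re.compile(r"^\s+class type inspect (\S+)", re.I)),
    ("policy-map", re.compile(r"^\s+service-policy type inspect (\S+)", re.I)),
    ("pool",       re.compile(r"^\s+pool (\S+)", re.I)),
]

def dangling_references(config: str) -> list:
    """Return (kind, name) for each referenced object that has no definition."""
    lines = config.splitlines()
    defined = {kind: set() for kind, _ in DEFS}
    for line in lines:
        for kind, rx in DEFS:
            m = rx.match(line)
            if m:
                defined[kind].add(m.group(1))
    missing = []
    for line in lines:
        for kind, rx in REFS:
            m = rx.match(line)
            if m and m.group(1) not in defined[kind]:
                missing.append((kind, m.group(1)))
    return missing

# Constructed sample modelled on the objects in this post; 'ACL_VPN-REMOTE' is a
# deliberate typo of ACL_VPN_REMOTE so the check has something to report.
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 172.16.0.1 172.16.0.254
crypto isakmp client configuration group VPN_GRP
 pool VPN_POOL
 acl 108
ip access-list extended 108
 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list standard ACL_VPN_REMOTE
 permit 172.16.0.0 0.0.0.255
class-map type inspect CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN-REMOTE
policy-map type inspect PM_VPN-TO-INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
  inspect
zone-pair security vpn-to-inside source vpn destination inside
 service-policy type inspect PM_VPN-TO-INSIDE
"""

if __name__ == "__main__":
    print(dangling_references(SAMPLE_CONFIG))   # [('acl', 'ACL_VPN-REMOTE')]
```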


1. Click New for a new connection
2. Enter the connection name
3. Enter the router's outside IP address
4. Enter the VPN group name (configured in step 4)
5. Enter the group password

Click save and connect.