EIGRP route influence part 1

This time I use a little complex topology but I will do my best to explain it clearly as I can, this is the topology diagram:

R1 to R5 are belonging to the SP network, all routers are running OSPF, in area 0, as IGP, LDP, BGP in AS65000 where R5 is the route-reflector and MP-BGP.

There is only one customer in this lab with 2 sites, R6 and R7, both sitting in the same VRF (TEST) and each one of them is dual homed (1x ISP, 2x links) with one link as primary and the second as backup. On each site he has a network with various nodes and one server:

R6 site: network 192.168.61.0/24 and the server is R8 – 192.168.61.8

R7 site: network 192.168.71.0/24 and the server is R10 – 192.168.71.10

R9 and R11 simulate the other nodes on each site respectively.

Also both sites running EIGRP as CE-PE routing protocol

Now the customer requirements are as follow:

-          Traffic from and to network 61 to network 71 will go through the primary link and in case of fail it will traverse to the backup link.

-          The servers can communicate with each other ONLY through the backup link; if the backup link fails they won’t go through the primary link.

So let’s start with the configuration, during this lab I will show R7 configuration but it should be done the same on R6 to achieve the result on both sites.

R7 relevant configuration:

interface FastEthernet0/0  ip address 10.1.37.7 255.255.255.0  duplex auto  speed auto ! interface FastEthernet0/1  ip address 10.1.47.7 255.255.255.0  duplex auto  speed auto ! interface FastEthernet1/0  ip address 192.168.71.1 255.255.255.0  speed 100  full-duplex ! router eigrp 200  network 10.1.37.7 0.0.0.0  network 10.1.47.7 0.0.0.0  network 192.168.71.0  no auto-summary

And on R7 routing table:

R7#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2        ia - IS-IS inter area, * - candidate default, U - per-user static route        o - ODR, P - periodic downloaded static route Gateway of last resort is not set      192.168.61.0/24 is variably subnetted, 2 subnets, 2 masks D EX    192.168.61.0/24 [170/284160] via 10.1.47.4, 00:42:41, FastEthernet0/1                         [170/284160] via 10.1.37.3, 00:42:41, FastEthernet0/0 D EX    192.168.61.8/32 [170/284160] via 10.1.47.4, 00:02:37, FastEthernet0/1                         [170/284160] via 10.1.37.3, 00:02:37, FastEthernet0/0      10.0.0.0/24 is subnetted, 4 subnets D EX    10.1.26.0 [170/284160] via 10.1.47.4, 00:02:37, FastEthernet0/1                   [170/284160] via 10.1.37.3, 00:02:38, FastEthernet0/0 D EX    10.1.16.0 [170/284160] via 10.1.47.4, 00:02:38, FastEthernet0/1                   [170/284160] via 10.1.37.3, 00:02:38, FastEthernet0/0 C       10.1.47.0 is directly connected, FastEthernet0/1 C       10.1.37.0 is directly connected, FastEthernet0/0 C    192.168.71.0/24 is directly connected, FastEthernet1/0

We can see that R7 is learning R6 network though 2 routers but it learns only the full subnet (192.168.61.0/24) and not the server specific IP.

So first let’s advertise R6 server IP:

R6(config)# ip route 192.168.61.8 255.255.255.255 fastEthernet 1/0 R6(config)#router eigrp 100 R6(config-router)#redistribute static

And let’s look on R7 routing table:

R7#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2        ia - IS-IS inter area, * - candidate default, U - per-user static route        o - ODR, P - periodic downloaded static route Gateway of last resort is not set      192.168.61.0/24 is variably subnetted, 2 subnets, 2 masks D EX    192.168.61.0/24 [170/284160] via 10.1.47.4, 01:12:33, FastEthernet0/1                         [170/284160] via 10.1.37.3, 01:12:33, FastEthernet0/0 D EX    192.168.61.8/32 [170/284160] via 10.1.47.4, 00:32:28, FastEthernet0/1                         [170/284160] via 10.1.37.3, 00:32:28, FastEthernet0/0      10.0.0.0/24 is subnetted, 4 subnets D EX    10.1.26.0 [170/284160] via 10.1.47.4, 00:32:28, FastEthernet0/1                   [170/284160] via 10.1.37.3, 00:32:30, FastEthernet0/0 D EX    10.1.16.0 [170/284160] via 10.1.47.4, 00:32:30, FastEthernet0/1                   [170/284160] via 10.1.37.3, 00:32:30, FastEthernet0/0 C       10.1.47.0 is directly connected, FastEthernet0/1 C       10.1.37.0 is directly connected, FastEthernet0/0      192.168.71.0/24 is variably subnetted, 2 subnets, 2 masks S       192.168.71.10/32 is directly connected, FastEthernet1/0 C       192.168.71.0/24 is directly connected, FastEthernet1/0

Now R7 learns both 192.168.61.0/24 and 192.168.61.8/32.

Next let’s block the server IP from getting learned through Fa0/0 which is the primary link:

R7(config)#ip access-list standard NET61-DENY-R8 R7(config-std-nacl)#deny host 192.168.61.8 R7(config-std-nacl)#permit any ! R7(config)#router eigrp 200 R7(config-router)#distribute-list NET61-DENY-R8 in fastEthernet 0/0

Let’s look on R7 routing table now:

R7#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2        ia - IS-IS inter area, * - candidate default, U - per-user static route        o - ODR, P - periodic downloaded static route Gateway of last resort is not set      192.168.61.0/24 is variably subnetted, 2 subnets, 2 masks D EX    192.168.61.0/24 [170/284160] via 10.1.47.4, 01:28:47, FastEthernet0/1                         [170/284160] via 10.1.37.3, 01:28:47, FastEthernet0/0 D EX    192.168.61.8/32 [170/284160] via 10.1.47.4, 00:00:16, FastEthernet0/1      10.0.0.0/24 is subnetted, 4 subnets D EX    10.1.26.0 [170/284160] via 10.1.47.4, 00:00:34, FastEthernet0/1                   [170/284160] via 10.1.37.3, 00:00:34, FastEthernet0/0 D EX    10.1.16.0 [170/284160] via 10.1.47.4, 00:00:35, FastEthernet0/1                   [170/284160] via 10.1.37.3, 00:00:35, FastEthernet0/0 C       10.1.47.0 is directly connected, FastEthernet0/1 C       10.1.37.0 is directly connected, FastEthernet0/0      192.168.71.0/24 is variably subnetted, 2 subnets, 2 masks S       192.168.71.10/32 is directly connected, FastEthernet1/0 C       192.168.71.0/24 is directly connected, FastEthernet1/0

Now R7 is learning the server address only from Fa0/1 and it will never learn it from Fa0/0.

And also block server IP from being advertised through Fa0/0:

R7(config)#ip access-list standard NET71-DENY-R10 R7(config-std-nacl)#deny host 192.168.71.10 R7(config-std-nacl)#permit any ! R7(config)#router eigrp 200 R7(config-router)#distribute-list NET71-DENY-R10 out fastEthernet 0/0

Now I have to make sure that traffic from network 192.168.61.0/24 will come and go through Fa0/0 and just in case of failure will go through Fa0/1:

R7(config)#int fa 0/1 R7(config-if)#delay 5000

So now 192.168.61.0/24 is more preferred, due to lower metric, through Fa0/0:

R7#show ip eigrp topology IP-EIGRP Topology Table for AS(200)/ID(192.168.71.1) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,        r - reply Status, s - sia Status P 10.1.26.0/24, 1 successors, FD is 284160         via 10.1.37.3 (284160/28160), FastEthernet0/0         via 10.1.47.4 (1538560/28160), FastEthernet0/1 P 10.1.16.0/24, 1 successors, FD is 284160         via 10.1.37.3 (284160/28160), FastEthernet0/0         via 10.1.47.4 (1538560/28160), FastEthernet0/1 P 10.1.47.0/24, 1 successors, FD is 1536000         via Connected, FastEthernet0/1         via 10.1.37.3 (307200/281600), FastEthernet0/0 P 192.168.71.10/32, 1 successors, FD is 28160         via Rstatic (28160/0) P 10.1.37.0/24, 1 successors, FD is 281600         via Connected, FastEthernet0/0 P 192.168.71.0/24, 1 successors, FD is 28160         via Connected, FastEthernet1/0 P 192.168.61.0/24, 1 successors, FD is 284160         via 10.1.37.3 (284160/28160), FastEthernet0/0         via 10.1.47.4 (1538560/28160), FastEthernet0/1           Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,        r - reply Status, s - sia Status P 192.168.61.8/32, 1 successors, FD is 1538560         via 10.1.47.4 (1538560/28160), FastEthernet0/1

And last final step is to block from the servers to reach each other through the primary link, note that this valid only from server to server, if some node in the network tries to reach one of the server he should succeed.

R7(config)#ip access-list extended R7-OUTBOUND R7(config-ext-nacl)#deny ip host 192.168.71.10 host 192.168.61.8 R7(config-ext-nacl)#permit ip any any R7(config-ext-nacl)#exit R7(config)#int fa 0/0 R7(config-if)#ip access-group R7-OUTBOUND out

Now let’s test the results, from R8 to R10:

R8#traceroute 192.168.71.10 Type escape sequence to abort. Tracing the route to 192.168.71.10   1 192.168.61.1 20 msec 20 msec 28 msec   2 10.1.26.2 24 msec 48 msec 28 msec   3 10.1.25.5 [MPLS: Labels 16/25 Exp 0] 92 msec 108 msec 108 msec   4 10.1.47.4 [MPLS: Label 25 Exp 0] 92 msec 80 msec 108 msec   5 10.1.47.7 84 msec 120 msec 80 msec   6 192.168.71.10 148 msec *  120 msec

And from R10 to R8:

R10#traceroute 192.168.61.8 Type escape sequence to abort. Tracing the route to 192.168.61.8   1 192.168.71.1 44 msec 8 msec 32 msec   2 10.1.47.4 32 msec 40 msec 52 msec   3 10.1.45.5 [MPLS: Labels 18/27 Exp 0] 96 msec 88 msec 112 msec   4 10.1.26.2 [MPLS: Label 27 Exp 0] 104 msec 76 msec 76 msec   5 10.1.26.6 80 msec 100 msec 80 msec   6 192.168.61.8 120 msec *  120 msec

From R9 to R11:

R9#traceroute  192.168.71.11 Type escape sequence to abort. Tracing the route to 192.168.71.11   1 192.168.61.1 48 msec 28 msec 28 msec   2 10.1.16.1 20 msec 44 msec 36 msec   3 10.1.15.5 [MPLS: Labels 19/24 Exp 0] 100 msec 104 msec 96 msec   4 10.1.37.3 [MPLS: Label 24 Exp 0] 80 msec 88 msec 60 msec   5 10.1.37.7 112 msec 96 msec 84 msec   6 192.168.71.11 128 msec *  120 msec

And from R11 to R9:

R11#traceroute 192.168.61.9 Type escape sequence to abort. Tracing the route to 192.168.61.9   1 192.168.71.1 28 msec 36 msec 16 msec   2 10.1.37.3 28 msec 32 msec 28 msec   3 10.1.35.5 [MPLS: Labels 17/28 Exp 0] 96 msec 112 msec 72 msec   4 10.1.16.1 [MPLS: Label 28 Exp 0] 60 msec 72 msec 92 msec   5 10.1.16.6 112 msec 92 msec 88 msec   6 192.168.61.9 136 msec *  132 msec

And when the link from R7 to R4 is down:

R10#traceroute 192.168.61.8 Type escape sequence to abort. Tracing the route to 192.168.61.8   1 192.168.71.1 44 msec 28 msec 20 msec   2 192.168.71.1 !A  *  !A R10#traceroute 192.168.61.9 Type escape sequence to abort. Tracing the route to 192.168.61.9   1 192.168.71.1 32 msec 28 msec 12 msec   2 10.1.37.3 40 msec 48 msec 32 msec   3 10.1.35.5 [MPLS: Labels 17/28 Exp 0] 116 msec 84 msec 116 msec   4 10.1.16.1 [MPLS: Label 28 Exp 0] 68 msec 52 msec 64 msec   5 10.1.16.6 88 msec 60 msec 116 msec   6 192.168.61.9 116 msec *  136 msec

NAT on Cisco IOS-XE

First time I came to configure NAT/PAT on newly installed ASR-1002 I had a surprise! The ASR-1k routers runs Cisco IOS XE version which has a little changes comparing to the regular IOS, one of them is the way it treats NAT.

Here is a link to Cisco IOS-XE NAT configuration guide:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book.pdf

Two important notes from the restrictions section:

-          NAT Virtual Interfaces (NVIs) are not supported in the Cisco IOS XE software.

-          Using the physical interface address of a device as an address pool is not supported. NAT can share the physical interface address of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.

Now let me explain the result of these notes with the following topology:

Currently with those NAT restrictions we can’t just configure NAT as follows:

interface GigabitEthernet0/0/0 ip address 192.168.10.1 255.255.255.0 ip nat inside ! interface GigabitEthernet0/0/1 ip address 10.0.143.2 255.255.255.248 ip nat outside ! ip access-list extended 100 permit ip 192.168.10.0 0.0.0.255 any ! ip nat inside source list 100 interface ge0/0/1 overload

 This configuration won’t work; on an ASR router you can use the IP address of the outside interface for router access or for LAN NAT purpose, you can’t use both as we do on Cisco IOS routers.

So following this restriction I had to configure it as follows:

interface GigabitEthernet0/0/0 ip address 192.168.10.1 255.255.255.0 ip nat inside ! interface GigabitEthernet0/0/1 ip address 10.0.143.2 255.255.255.248 ip nat outside ! ip access-list extended 100 permit ip 192.168.10.0 0.0.0.255 any ! ip nat pool LAN_NAT_POOL 10.0.143.3 10.0.143.5 prefix-length 28 ! ip nat inside source list 100 pool LAN_NAT_POOL overload

 And static NAT for accessing the FW, where the inside IP address of the FW is 192.168.20.2:

interface GigabitEthernet0/0/2 ip address 192.168.20.1 255.255.255.0 ip nat inside ! interface GigabitEthernet0/0/1 ip address 10.0.143.2 255.255.255.248 ip nat outside ! ip nat inside source static 192.168.20.2 10.0.143.6 no-payload

Cisco IOS ZBFW with IPSec remote access

This post I’m going to show how to configure VPN remote access on Cisco IOS which configured with ZBFW (Zone-Based Firewall).

This is the network topology:

The following configuration is related to setup VPN remote access policy using ZBFW and I assume you already have basic ZBFW configuration configured already with inside (LAN) and outside (WAN) zones.

1.       First configure AAA for user authentication and group authorization:

Aaa new-model aaa authentication login VPN_CLIENT_AUTH local aaa authorization network VPN_GROUP_AUTH local

2.       Configure IP pool which will provide IP addresses to remote users:

ip local pool VPN_POOL 172.16.0.1 172.16.0.254

3.       Configure ISAKMP Phase 1 policy:

crypto isakmp enable ! crypto isakmp policy 10  authentication pre-share  encryption aes 256  hash sha  group 2  lifetime 3600 exit

In this policy I have used AES 256bit as encryption algorithm.

4.       Configure ISAKMP client group configuration:

crypto isakmp client configuration group VPN_GRP  key <SECRET_KEY>  dns 8.8.8.8  wins 192.168.10.1  domain network.local  pool VPN_POOL  max-users 5  acl 108 exit

Note that Cisco uses another layer of security where configuring the VPN client software you will have to provide group password (key <SECRET_KEY>) once, beside the account username and password which you will have to enter each time you connect.

5.       Configure the ACL which define local and remote ident:

Ip access-list extended 100  permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255  permit ip 172.16.0.0 0.0.0.255 192.168.10.0 0.0.0.255

6.       Define the crypto transform-set:

crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha-hmac

7.       Configure ISAKMP profile:

crypto isakmp profile ISAKMP_PROFILE  match identity group VPN_GRP  isakmp authorization list VPN_GROUP_AUTH  client configuration address respond  virtual-template 1 exit

Note we are bonding three items here: the VPN group (configured in step 4), client authentication and group authorization (configured in step 1).

8.       Configure IPSEC profile:

crypto ipsec profile IPSEC_PROFILE  set transform-set TRANS-SET  set isakmp-profile ISAKMP_PROFILE exit

9.       Configure virtual-template interface:

interface Virtual-Template1 type tunnel  ip unnumbered vlan1  zone-member security vpn  tunnel source Dialer1  tunnel mode ipsec ipv4  tunnel protection ipsec profile IPSEC_PROFILE

Note that the VTI is in vpn security zone.

Now let’s move to the ZBFW configuration, there are three zones which we need to configure: inside, outside and vpn

1.       First configure an ACL which allow IPSEC traffic to pass:

ip access-list extended ACL_ISAKMP-IPSEC1  permit ahp any any  permit esp any any  permit udp any any eq non500-isakmp

2.       Configure another ACL which allow IPSEC traffic to be inspected:

ip access-list extended ACL_ISAKMP-IPSEC2  permit udp any any eq isakmp

3.       Configure class-map for IPSEC traffic to pass:

Class-map type inspect CM_ISAKMP-IPSEC1  match access-group name ACL_ISAKMP-IPSEC1

4.       Configure class-map for IPSEC traffic to inspect:

Class-map type inspect CM_ISAKMP-IPSEC2  match access-group name ACL_ISAKMP-IPSEC2

5.       Now configure policy-map from zone outside to self:

Policy-map type inspect PM_OUTSIDE-TO-SELF  class type inspect CM_ISAKMP-IPSEC1   pass  class type inspect CM_ISAKMP-IPSEC2   inspect  class class-default   drop log

6.       Configure the same from zone self to zone outside:

Policy-map type inspect PM_SELF-TO-OUTSIDE  class type inspect CM_ISAKMP-IPSEC1   pass  class type inspect CM_ISAKMP-IPSEC2   inspect  class class-default   drop log

7.       Configure ACL, class-map and policy-map for VPN remote access to LAN:

ip access-list standard ACL_VPN_REMOTE  permit ip 172.16.0.0 0.0.0.255 ! Class-map type inspect CM_VPN_REMOTE_ACCESS  match access-group name ACL_VPN_REMOTE ! Policy-map type inspect PM_VPN-TO-INSIDE  Class type inspect CM_VPN_REMOTE_ACCESS   Inspect  class class-default   drop log

8.       Configure zone-pair between outside and self-zone:

Zone-pair security outside-to-self source outside destination self  Service-policy type inspect PM_OUTSIDE-TO-SELF Exit

9.       Configure zone-pair between self and outside zone:

Zone-pair security self-to-outside source self destination outside  Service-policy type inspect PM_SELF-TO-OUTSIDE Exit

10.   And configure zone-pair between vpn and inside zone:

Zone-pair security vpn-to-inside source vpn destination inside  Service-policy type inspect PM_VPN-TO-INSIDE Exit

Assuming that you LAN interface is in inside zone and WAN interface is in outside zone this configuration should be work fine.

Configuring the Cisco VPN client software is pretty much easy, after installing the client software follow these steps:

1.       Click New for new connection

2.       Enter the connection name

3.       Enter the router outside IP address

4.       Enter the VPN group name (configured on step 4)

5.       Enter group password

Click save and connect.