Layer 2 QoS is part of the R&S blueprint, and the pieces describing how SRR queuing actually works can get quite confusing, even though there is a method to the madness.
Vik Malhi has distilled this information into three blog posts covering classification and marking, ingress queuing and scheduling, and finally egress queuing, dropping and scheduling, which can be found here. Although the posts are primarily about the Catalyst 3750 platform, it shares many of its concepts with the Catalyst 3560 and is configured and tested in the same manner.
These blog posts, together with the explanation Narbik gave at his bootcamp, turn a complex topic into something a bit more bearable.
Saturday, 27 August 2011
Sunday, 21 August 2011
OSPF Domain Id and Sham Links
This post looks at MPLS-based VPNs and the different aspects of routing information when OSPF is the CE-PE routing protocol.
The topology under discussion is shown below:
R1(CE)===R2(PE)===R3(PE)===R4(CE)
Here are the base configurations:
R1
hostname R1
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 1
!
interface FastEthernet0/0
description R2 Fa0/0
ip address 10.1.12.1 255.255.255.0
ip ospf 1 area 1
!
R2
hostname R2
ip vrf A
rd 1:1
route-target export 1:1
route-target import 1:1
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
description R1 Fa0/0
ip vrf forwarding A
ip address 10.1.12.2 255.255.255.0
ip ospf 2 area 1
speed 100
full-duplex
!
interface FastEthernet0/1
description R3 Fa0/1
ip address 10.1.23.2 255.255.255.0
ip ospf 1 area 0
mpls ip
!
router ospf 2 vrf A
log-adjacency-changes
redistribute bgp 23 subnets
!
router ospf 1
log-adjacency-changes
!
router bgp 23
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 23
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute ospf 2 vrf A
no synchronization
exit-address-family
!
R3
hostname R3
ip vrf A
rd 1:1
route-target export 1:1
route-target import 1:1
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
description R4 Fa0/0
ip vrf forwarding A
ip address 10.1.34.3 255.255.255.0
ip ospf 3 area 1
speed 100
full-duplex
!
interface FastEthernet0/1
description R2 Fa0/1
ip address 10.1.23.3 255.255.255.0
ip ospf 1 area 0
mpls ip
!
router ospf 1
log-adjacency-changes
!
router ospf 3 vrf A
log-adjacency-changes
redistribute bgp 23 subnets
!
router bgp 23
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 23
neighbor 2.2.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute ospf 3 vrf A
no synchronization
exit-address-family
!
R4
hostname R4
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 1
!
interface FastEthernet0/0
description R3 Fa0/0
ip address 10.1.34.4 255.255.255.0
ip ospf 1 area 1
!
R1 Fa0/0 and R4 Fa0/0 are both in OSPF area 1 where they connect to the PEs, so we would like to see their associated loopbacks as "O" (intra-area) routes:
R1>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O E2 4.4.4.4 [110/2] via 10.1.12.2, 00:04:19, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
O E2 10.1.34.0 [110/1] via 10.1.12.2, 00:04:19, FastEthernet0/0
R4>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/2] via 10.1.34.3, 00:04:38, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 2 subnets
O E2 10.1.12.0 [110/1] via 10.1.34.3, 00:04:37, FastEthernet0/0
C 10.1.34.0 is directly connected, FastEthernet0/0
Right now these guys see each other as external routes (Type 5 LSAs). Why is this? If you think about it, these should be external routes, because we are redistributing from OSPF into BGP and then back into OSPF on the PEs. Normally, however, things are smart enough that the MPLS super backbone keeps the routes appearing as OSPF routes. That isn't happening here, for some reason:
R2#sh ip ospf int brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/1 1 0 10.1.23.2/24 1 DR 1/1
Lo0 1 0 2.2.2.2/32 1 LOOP 0/0
Fa0/0 2 1 10.1.12.2/24 1 BDR 1/1
R3#sh ip ospf int brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/0 3 1 10.1.34.3/24 1 BDR 1/1
Fa0/1 1 0 10.1.23.3/24 1 BDR 1/1
Lo0 1 0 3.3.3.3/32 1 LOOP 0/0
The problem is that the OSPF process IDs for the CE-facing interfaces on the PEs are different. If both sides used the same OSPF domain ID (which by default is inherited from the process ID), these would not show up as external routes:
R2#sh ip ospf | i Process|Domain
Routing Process "ospf 1" with ID 2.2.2.2
Routing Process "ospf 2" with ID 10.1.12.2
Domain ID type 0x0005, value 0.0.0.2
R3#sh ip ospf | i Process|Domain
Routing Process "ospf 3" with ID 10.1.34.3
Domain ID type 0x0005, value 0.0.0.3
Routing Process "ospf 1" with ID 3.3.3.3
So if we want the routes not to appear as external, all we need to do is make both sides agree on the domain ID:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 2
R2(config-router)#domain-id 0.0.0.3
R2(config-router)#end
*Mar 1 22:11:44.698: %SYS-5-CONFIG_I: Configured from console by console
R2#clear ip ospf proc
Reset ALL OSPF processes? [no]: yes
*Mar 1 22:11:59.690: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 22:11:59.726: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 22:11:59.778: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet0/1 from LOADING to FULL, Loading Done
*Mar 1 22:11:59.782: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2#sh ip ospf | i Process|Domain
Routing Process "ospf 1" with ID 2.2.2.2
Routing Process "ospf 2" with ID 10.1.12.2
Domain ID type 0x0005, value 0.0.0.3
R1>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O IA 4.4.4.4 [110/3] via 10.1.12.2, 00:00:40, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
O IA 10.1.34.0 [110/2] via 10.1.12.2, 00:00:40, FastEthernet0/0
R4>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/3] via 10.1.34.3, 00:00:40, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.12.0 [110/2] via 10.1.34.3, 00:00:40, FastEthernet0/0
C 10.1.34.0 is directly connected, FastEthernet0/0
Well, these routes no longer appear as external (Type 5) but are showing up as inter-area (Type 3), which is closer but still not what we wanted.
The way to fix this so that the routes appear as intra-area (Type 1) is to use sham-links. A sham-link is somewhat similar to a virtual-link in that it is a tunnel over the backbone area (the MPLS super backbone in this case), but it can be used for more than just OSPF area 0. How do we make this work?
First we need to add a loopback on each PE that belongs to the CE's VRF and advertise it into MP-BGP:
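The domain-ID comparison a PE performs when it redistributes a VPNv4 route back into the VRF OSPF process can be modelled from the RFC 4577 extended communities. The following Python is an added example, not code from the original post or from IOS; it encodes the Domain ID community (type 0x0005, as printed by show ip ospf above) and the OSPF Route Type community (type 0x0306) and decides whether the receiving PE originates a Type 3 or a Type 5 LSA. Function names are my own.

```python
import struct
import ipaddress

# Extended-community type fields from RFC 4577 (OSPF as the PE-CE protocol).
# 0x0005 is the Domain ID type IOS prints in "show ip ospf"; 0x0105 and 0x0205
# are the alternative Domain ID types the RFC also permits.
DOMAIN_ID_TYPES = (0x0005, 0x0105, 0x0205)
ROUTE_TYPE = 0x0306


def encode_domain_id(domain_id, type_field=0x0005):
    """Domain ID community: 2-byte type, 4-byte domain ID, 2 bytes of zero."""
    return struct.pack("!H4sH", type_field,
                       ipaddress.IPv4Address(domain_id).packed, 0)


def encode_route_type(area, ospf_route_type, options=0):
    """Route Type community: type 0x0306, 4-byte area, 1-byte OSPF route type
    (1/2 intra-area, 3 inter-area, 5 external, 7 NSSA), 1-byte options."""
    return struct.pack("!H4sBB", ROUTE_TYPE,
                       ipaddress.IPv4Address(area).packed, ospf_route_type, options)


def decode_communities(blob):
    """Split an extended-community attribute (8 bytes per community) into the
    OSPF-relevant pieces; other communities such as route-targets are skipped."""
    if len(blob) % 8:
        raise ValueError("extended communities are 8-byte values")
    parsed = {"domain_id": None, "area": None, "route_type": None}
    for off in range(0, len(blob), 8):
        type_field, value = struct.unpack("!H6s", blob[off:off + 8])
        if type_field in DOMAIN_ID_TYPES:
            parsed["domain_id"] = (type_field, str(ipaddress.IPv4Address(value[:4])))
        elif type_field == ROUTE_TYPE:
            parsed["area"] = str(ipaddress.IPv4Address(value[:4]))
            parsed["route_type"] = value[4]
    return parsed


def lsa_type_originated(blob, local_domain_id, local_type_field=0x0005):
    """LSA type the receiving PE originates into its VRF OSPF process
    (RFC 4577 section 4.2.8):
      domain IDs differ                  -> Type 5 (the O E2 routes seen first)
      domain IDs match, route type 1/2/3 -> Type 3 (the O IA routes after domain-id 0.0.0.3)
      domain IDs match, route type 5/7   -> Type 5 (stays external; 7 in an NSSA,
                                            which is not modelled here)
    A route carrying no Domain ID community matches a PE with none configured."""
    comm = decode_communities(blob)
    if comm["route_type"] is None:
        raise ValueError("no OSPF Route Type community; not an OSPF-originated route")
    local = (local_type_field, local_domain_id) if local_domain_id else None
    if comm["domain_id"] != local:
        return 5
    if comm["route_type"] in (1, 2, 3):
        return 3
    return 5


if __name__ == "__main__":
    # R1's loopback as R2 exports it with the default domain ID 0.0.0.2,
    # received by R3 whose default domain ID is 0.0.0.3 (constructed input).
    r1_lo = encode_domain_id("0.0.0.2") + encode_route_type("0.0.0.1", 1)
    print("R3 originates LSA type", lsa_type_originated(r1_lo, "0.0.0.3"))
```

The two results match the page: with mismatched domain IDs R3 originates a Type 5 LSA (O E2 on R4); once R2 is configured with domain-id 0.0.0.3 the same route becomes a Type 3 LSA (O IA).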
R2(config-if)#int lo23
R2(config-if)#ip vrf forwarding A
R2(config-if)#ip add 23.23.23.2 255.255.255.255
R2(config-if)#router bgp 23
R2(config-router)#address-family ipv4 vrf A
R2(config-router-af)#network 23.23.23.2 mask 255.255.255.255
R3(config-if)#int lo23
R3(config-if)#ip vrf forwarding A
R3(config-if)#ip add 23.23.23.3 255.255.255.255
R3(config-if)#router bgp 23
R3(config-router)#address-family ipv4 vrf A
R3(config-router-af)#network 23.23.23.3 mask 255.255.255.255
Then, within the OSPF process for the VRF, we configure the sham-link:
R2(config-router-af)#router ospf 2
R2(config-router)#area 1 sham-link 23.23.23.2 23.23.23.3
R3(config-router-af)#router ospf 3
R3(config-router)#area 1 sham-link 23.23.23.3 23.23.23.2
Resulting in:
*Mar 1 22:24:17.802: %OSPF-5-ADJCHG: Process 3, Nbr 10.1.12.2 on OSPF_SL1 from LOADING to FULL, Loading Done
R2#sh ip ospf sham-links
Sham Link OSPF_SL1 to address 23.23.23.3 is up
Area 1 source address 23.23.23.2
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:09
Adjacency State FULL (Hello suppressed)
Index 2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
R1>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/4] via 10.1.12.2, 00:00:39, FastEthernet0/0
23.0.0.0/32 is subnetted, 2 subnets
O E2 23.23.23.3 [110/1] via 10.1.12.2, 00:02:55, FastEthernet0/0
O E2 23.23.23.2 [110/1] via 10.1.12.2, 00:03:54, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
O 10.1.34.0 [110/3] via 10.1.12.2, 00:00:39, FastEthernet0/0
R4>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/4] via 10.1.34.3, 00:00:49, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
23.0.0.0/32 is subnetted, 2 subnets
O E2 23.23.23.3 [110/1] via 10.1.34.3, 00:03:06, FastEthernet0/0
O E2 23.23.23.2 [110/1] via 10.1.34.3, 00:04:01, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
O 10.1.12.0 [110/3] via 10.1.34.3, 00:00:49, FastEthernet0/0
C 10.1.34.0 is directly connected, FastEthernet0/0
As we can see, R1 and R2 now see the routes as intra-area (Type 1). As an extra clean-up we may want to get rid of the sham-link loopbacks in the CE routing tables, which can be done by controlling the redistribution from MP-BGP into OSPF:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 23 deny 23.23.23.0 0.0.0.255
R2(config)#access-list 23 permit any
R2(config)#route-map BGP2OSPF
R2(config-route-map)#match ip address 23
R2(config-route-map)#router ospf 2
R2(config-router)#default domain-id
R2(config-router)#redistribute bgp 23 subnets route-map BGP2OSPF
R2(config-router)#do clear ip ospf proc
Reset ALL OSPF processes? [no]: yes
R2(config-router)#do sh ip ospf | i Process|Domain
Routing Process "ospf 1" with ID 2.2.2.2
Routing Process "ospf 2" with ID 10.1.12.2
Domain ID type 0x0005, value 0.0.0.2
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#access-list 23 deny 23.23.23.0 0.0.0.255
R3(config)#access-list 23 permit any
R3(config)#route-map BGP2OSPF
R3(config-route-map)#match ip address 23
R3(config-route-map)#router ospf 3
R3(config-router)#redistribute bgp 23 subnets route-map BGP2OSPF
R3(config-router)#do sh ip ospf | i Process|Domain
Routing Process "ospf 3" with ID 10.1.34.3
Domain ID type 0x0005, value 0.0.0.3
Routing Process "ospf 1" with ID 3.3.3.3
I reset the domain-id to the default on R2 just to show that for sham-links the domain ID doesn't matter.
R1>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/4] via 10.1.12.2, 00:02:00, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.12.0 is directly connected, FastEthernet0/0
O 10.1.34.0 [110/3] via 10.1.12.2, 00:02:00, FastEthernet0/0
R4>sh ip route | b Gateway
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/4] via 10.1.34.3, 00:01:54, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
C 4.4.4.4 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 2 subnets
O 10.1.12.0 [110/3] via 10.1.34.3, 00:01:54, FastEthernet0/0
C 10.1.34.0 is directly connected, FastEthernet0/0
So why would we even care about this? Suppose there is a backup link between R1 and R2 that bypasses the MPLS network. If OSPF was running on that link as well, the path via the MPLS network would not be used regardless of the link metric, because intra-area routes are preferred over inter-area routes, which in turn are preferred over external routes. The backdoor link may therefore need its OSPF cost increased to ensure it is used only if the MPLS path is down.
Thursday, 18 August 2011
IPv6 Tunnelling over IPv4
Today I'm going to play around with some IPv6 tunnelling techniques.
The topology for this example is a string of four IPv4-enabled routers connected by Ethernet, each with a loopback 100.100.100.x/32, with all interfaces advertised into OSPF.
Here are their base configurations:
R1
hostname R1
interface Loopback0
ip address 100.100.100.1 255.255.255.255
!
interface FastEthernet0/0
description R2 Fa0/0
ip address 10.1.12.1 255.255.255.0
!
router ospf 1
network 10.1.12.1 0.0.0.0 area 0
network 100.100.100.1 0.0.0.0 area 0
R2
hostname R2
interface Loopback0
ip address 100.100.100.2 255.255.255.255
!
interface FastEthernet0/0
description R1 Fa0/0
ip address 10.1.12.2 255.255.255.0
!
interface FastEthernet0/1
description R3 Fa0/1
ip address 10.1.23.2 255.255.255.0
!
router ospf 1
network 10.1.12.2 0.0.0.0 area 0
network 10.1.23.2 0.0.0.0 area 0
network 100.100.100.2 0.0.0.0 area 0
R3
hostname R3
interface Loopback0
ip address 100.100.100.3 255.255.255.255
!
interface FastEthernet0/0
description R4 Fa0/0
ip address 10.1.34.3 255.255.255.0
!
interface FastEthernet0/1
description R2 Fa0/1
ip address 10.1.23.3 255.255.255.0
!
router ospf 1
network 10.1.23.3 0.0.0.0 area 0
network 10.1.34.3 0.0.0.0 area 0
network 100.100.100.3 0.0.0.0 area 0
R4
hostname R4
interface Loopback0
ip address 100.100.100.4 255.255.255.255
!
interface FastEthernet0/0
description R3 Fa0/0
ip address 10.1.34.4 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 10.1.34.4 0.0.0.0 area 0
network 100.100.100.4 0.0.0.0 area 0
IPv6 over GRE and IPv6 over IPv4
IPv6 over GRE over IPv4 is the easiest way to configure a point-to-point tunnel carrying IPv6 over an IPv4 network.
The initial tunnel configuration between R1 and R3 in this example is nothing special: we specify that the tunnel runs between the loopback interfaces, and the only other thing we do is assign an IPv6 address to each tunnel endpoint:
R1
interface Tunnel13
ipv6 address FEC0:13::1/64
tunnel source 100.100.100.1
tunnel destination 100.100.100.3
R3
interface Tunnel13
ipv6 address FEC0:13::3/64
tunnel source 100.100.100.3
tunnel destination 100.100.100.1
R1#ping fec0:13::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:13::1, timeout is 2 seconds:
!!!!!
IPv6 over IPv4 is working fine.
R1#sh int tun13 | i transport
Tunnel protocol/transport GRE/IP
As we can see, we are tunnelling IPv6 over GRE over IPv4. GRE is a handy protocol since it can carry all sorts of protocols, but in this case it is a little inefficient: the extra encapsulation overhead reduces the effective MTU on the path. So we can transport IPv6 directly over IPv4, skip the GRE middle man, and get a larger payload MTU:
R1
interface Tunnel13
tunnel mode ipv6ip
R3
interface Tunnel13
tunnel mode ipv6ip
R1#sh int tun13 | i transport
Tunnel protocol/transport IPv6/IP
IPv6 over IPv4 automatic tunnels
Another tunnelling method is quite interesting in the way it is defined. The tunnel destination address is not actually specified, because it is encoded within the destination IPv6 address. The 2002::/16 network is a special range used to carry the IPv4 destination address and a subnet number:
no ip address
no ip redirects
ipv6 address 2002:6464:6401:1::/128
tunnel source 100.100.100.1
tunnel mode ipv6ip 6to4
!
In this case the tunnel source IPv4 address is converted to hexadecimal: 100.100.100.1 becomes 6464:6401, and the associated subnet number is 1 (this way we can terminate multiple IPv6 networks on the same IPv4 address if we have to).
All the remote ends of the tunnel are in the 2002::/16 network, so we instruct the router to reach them via the tunnel, where it inspects the destination address and automatically determines the tunnel destination:
no ip address
no ip redirects
ipv6 address 2002:6464:6402:1::/128
tunnel source 100.100.100.2
tunnel mode ipv6ip 6to4
!
R1#ping 2002:6464:6402:1::
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:6464:6402:1::, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms
This is a multipoint tunnel; if we add another IPv6-over-IPv4 tunnel on R3, things should work just as easily:
no ip address
no ip redirects
ipv6 address 2002:6464:6403:9::/128
tunnel source 100.100.100.3
tunnel mode ipv6ip 6to4
!
R1#ping 2002:6464:6403:9::
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:6464:6403:9::, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/12 ms
ISATAP tunnels
A similar concept, but somewhat different, is the ISATAP tunnel. Unlike the 6to4 automatic tunnels above, which have to use the 2002::/16 network, ISATAP tunnels are far more flexible in the addresses they can use. The IPv6 address is still derived automatically from the tunnel source IPv4 address, but it is created with the EUI-64 method: the interface identifier embeds the hex-encoded IPv4 address preceded by the special 5EFE identifier, which tells us this is an ISATAP address.
R2
interface Tunnel24
no ip address
no ip redirects
ipv6 address FEC0:24::/64 eui-64
no ipv6 nd ra suppress
tunnel source 100.100.100.2
tunnel mode ipv6ip isatap
R4
interface Tunnel24
no ip address
no ip redirects
ipv6 address FEC0:24::/64 eui-64
no ipv6 nd ra suppress
tunnel source 100.100.100.4
tunnel mode ipv6ip isatap
R2#sh ipv6 int tun24 | i EUI
FEC0:24::5EFE:6464:6402, subnet is FEC0:24::/64 [EUI]
We can see that the EUI-64 address uses the 5EFE flag for ISATAP addressing followed by 6464:6402, which is the hex-encoded version of 100.100.100.2.
R4#sh ipv6 int tun24 | i EUI
FEC0:24::5EFE:6464:6404, subnet is FEC0:24::/64 [EUI]
As R4 is on the same subnet as R2 on tunnel 24, we don't need a specific route for it; the tunnel to R4 (100.100.100.4) is established by inspecting the destination address:
R2#ping FEC0:24::5EFE:6464:6404 source tun24
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:24::5EFE:6464:6404, timeout is 2 seconds:
Packet sent with a source address of FEC0:24::5EFE:6464:6402
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
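The address derivations used by the 6to4 tunnels and the ISATAP tunnel above (IPv4 to hex groups, the 2002::/16 prefix plus subnet number, the 5EFE interface identifier, and the reverse extraction of the tunnel endpoint from an IPv6 destination, which is what lets the router pick the destination automatically) in Python. This is an added example, not code from the original post or from IOS; the function names are my own, and the 0000:5EFE identifier form follows the IOS output shown above rather than the 0200:5EFE variant.

```python
import ipaddress


def _v4_groups(ipv4):
    """The two 16-bit hex groups an IPv4 address contributes to an IPv6 address,
    e.g. 100.100.100.1 -> ('6464', '6401')."""
    packed = ipaddress.IPv4Address(ipv4).packed
    return packed[:2].hex(), packed[2:].hex()


def six_to_four_address(ipv4, subnet_id=0, interface_id=0):
    """2002:V4HI:V4LO:<subnet>::<iid>, the form used on the 6to4 tunnels above."""
    hi, lo = _v4_groups(ipv4)
    addr = ipaddress.IPv6Address(f"2002:{hi}:{lo}:{subnet_id:x}::{interface_id:x}")
    return str(addr).upper()  # IOS prints the hex groups in upper case


def isatap_address(prefix, ipv4):
    """<prefix>:0:5EFE:V4HI:V4LO, the EUI-64 style address IOS derived for tun24.
    The 0000:5EFE identifier (u/g bit clear) matches the output on the page."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP interface identifier needs a /64 prefix")
    hi, lo = _v4_groups(ipv4)
    top = net.network_address.exploded.split(":")[:4]
    addr = ipaddress.IPv6Address(":".join(top + ["0", "5efe", hi, lo]))
    return str(addr).upper()


def tunnel_destination(ipv6):
    """The IPv4 endpoint a router extracts from an automatic-tunnel destination:
    groups 2-3 for a 2002::/16 address, the two groups after 5EFE for ISATAP.
    Returns None when the address embeds no IPv4 endpoint (e.g. FEC0:13::1)."""
    g = ipaddress.IPv6Address(ipv6).exploded.split(":")
    if g[0] == "2002":
        v4 = bytes.fromhex(g[1] + g[2])
    elif g[5] == "5efe" and g[4] in ("0000", "0200"):
        v4 = bytes.fromhex(g[6] + g[7])
    else:
        return None
    return str(ipaddress.IPv4Address(v4))


if __name__ == "__main__":
    # The loopbacks and prefixes from the lab above (constructed input).
    print(six_to_four_address("100.100.100.1", 1))       # 2002:6464:6401:1::
    print(isatap_address("FEC0:24::/64", "100.100.100.2"))  # FEC0:24::5EFE:6464:6402
    print(tunnel_destination("2002:6464:6403:9::"))      # 100.100.100.3
    print(tunnel_destination("FEC0:24::5EFE:6464:6404")) # 100.100.100.4
```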
These are the main transition techniques for carrying IPv6 over IPv4-enabled networks, at least for what should be found in the CCIE Routing and Switching version 4.0 blueprint.
The topology for this example will be a string of 4 IPv4 enabled routers connected by Ethernet, each with a Loopback 100.100.100.x/32 with all the interfaces advertised into OSPF
Here are their base configurations:
R1
hostname R1
interface Loopback0
ip address 100.100.100.1 255.255.255.255
!
interface FastEthernet0/0
description R2 Fa0/0
ip address 10.1.12.1 255.255.255.0
!
router ospf 1
network 10.1.12.1 0.0.0.0 area 0
network 100.100.100.1 0.0.0.0 area 0
R2
hostname R2
interface Loopback0
ip address 100.100.100.2 255.255.255.255
!
interface FastEthernet0/0
description R1 Fa0/0
ip address 10.1.12.2 255.255.255.0
!
interface FastEthernet0/1
description R3 Fa0/1
ip address 10.1.23.2 255.255.255.0
!
router ospf 1
network 10.1.12.2 0.0.0.0 area 0
network 10.1.23.2 0.0.0.0 area 0
network 100.100.100.2 0.0.0.0 area 0
R3
hostname R3
interface Loopback0
ip address 100.100.100.3 255.255.255.255
!
interface FastEthernet0/0
description R4 Fa0/0
ip address 10.1.34.3 255.255.255.0
!
interface FastEthernet0/1
description R2 Fa0/1
ip address 10.1.23.3 255.255.255.0
!
router ospf 1
network 10.1.23.3 0.0.0.0 area 0
network 10.1.34.3 0.0.0.0 area 0
network 100.100.100.3 0.0.0.0 area 0
R4
hostname R4
interface Loopback0
ip address 100.100.100.4 255.255.255.255
!
interface FastEthernet0/0
description R3 Fa0/0
ip address 10.1.34.4 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 10.1.34.4 0.0.0.0 area 0
network 100.100.100.4 0.0.0.0 area 0
IPv6 over GRE and IPv6 over IPv4
IPv6 over GRE over IPv4 is the easiest configuration method for a point-to-point tunnel carrying IPv6 over an IPv4 network.
The initial tunnel configuration between R1 and R3 in this example is nothing special: we specify that the tunnel is set up between the Loopback interfaces, and the only other thing we do is assign an IPv6 address to each tunnel endpoint
R1
interface Tunnel13
ipv6 address FEC0:13::1/64
tunnel source 100.100.100.1
tunnel destination 100.100.100.3
R3
interface Tunnel13
ipv6 address FEC0:13::3/64
tunnel source 100.100.100.3
tunnel destination 100.100.100.1
R1#ping fec0:13::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:13::1, timeout is 2 seconds:
!!!!!
IPv6 over IPv4 is working fine
R1#sh int tun13 | i transport
Tunnel protocol/transport GRE/IP
As we can see, we are tunnelling IPv6 over GRE over IPv4. GRE is a handy protocol since it can carry all sorts of protocols, but in this case it's a little inefficient: the extra encapsulation overhead reduces the effective MTU on this path. So we could look at transporting IPv6 directly over IPv4, skip the GRE middle man and get a larger payload MTU
R1
interface Tunnel13
tunnel mode ipv6ip
R3
interface Tunnel13
tunnel mode ipv6ip
R1#sh int tun13 | i transport
Tunnel protocol/transport IPv6/IP
IPv6 over IPv4 automatic tunnels
Another type of tunnelling method is quite interesting in the way it's defined: the destination address of the tunnel is not actually specified, because it is encoded within the destination IPv6 address. The 2002::/16 network is a special range that is used to carry the IPv4 destination address and a subnet number
R1
interface Tunnel123
no ip address
no ip redirects
ipv6 address 2002:6464:6401:1::/128
tunnel source 100.100.100.1
tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123
In this case the tunnel source IPv4 address is converted to hexadecimal: 100.100.100.1 becomes 6464:6401, and the associated subnet number is 1 (this way we can terminate multiple IPv6 networks using the same IPv4 address if we had to)
All of the remote ends of the tunnel are in the 2002::/16 network, so we instruct the router to reach them via the tunnel, where it inspects the destination address and automatically derives the tunnel destination from it
R2
interface Tunnel123
no ip address
no ip redirects
ipv6 address 2002:6464:6402:1::/128
tunnel source 100.100.100.2
tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123
R1#ping 2002:6464:6402:1::
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:6464:6402:1::, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms
This is a multipoint tunnel, so if we add another IPv6-over-IPv4 tunnel on R3, things should work just as easily
R3
interface Tunnel123
no ip address
no ip redirects
ipv6 address 2002:6464:6403:9::/128
tunnel source 100.100.100.3
tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel123
R1#ping 2002:6464:6403:9::
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2002:6464:6403:9::, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/12 ms
ISATAP tunnels
A similar concept to the above, but somewhat different, is the ISATAP tunnel. Unlike 6to4 automatic tunnels, which have to use the 2002::/16 network, ISATAP tunnels are a lot more flexible in the address allocations available. IPv6 addresses are still derived automatically from the tunnel source IPv4 address, but using the EUI-64 method: the interface identifier carries the special 5EFE marker followed by the hex-encoded IPv4 address, which tells us that this is an ISATAP address
R2
interface Tunnel24
no ip address
no ip redirects
ipv6 address FEC0:24::/64 eui-64
no ipv6 nd ra suppress
tunnel source 100.100.100.2
tunnel mode ipv6ip isatap
R4
interface Tunnel24
no ip address
no ip redirects
ipv6 address FEC0:24::/64 eui-64
no ipv6 nd ra suppress
tunnel source 100.100.100.4
tunnel mode ipv6ip isatap
R2#sh ipv6 int tun24 | i EUI
FEC0:24::5EFE:6464:6402, subnet is FEC0:24::/64 [EUI]
We can see that the EUI address is using the 5EFE flag for ISATAP addressing, followed by 6464:6402, which is the hex-encoded version of 100.100.100.2
R4#sh ipv6 int tun24 | i EUI
FEC0:24::5EFE:6464:6404, subnet is FEC0:24::/64 [EUI]
As R4 is on the same subnet as R2 in Tunnel24 we don't need a specific route for it; the tunnel to R4 (100.100.100.4) is established by inspecting the destination IPv6 address and extracting the embedded IPv4 address
R2#ping FEC0:24::5EFE:6464:6404 source tun24
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:24::5EFE:6464:6404, timeout is 2 seconds:
Packet sent with a source address of FEC0:24::5EFE:6464:6402
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
These are the main transition techniques for carrying IPv6 over IPv4-enabled networks, at least those that should be found in the CCIE Routing and Switching Version 4.0
Labels:
IPv6
Wednesday, 17 August 2011
Enabling RSH in IOS
Here's a very quick recipe for enabling RSH on IOS routers. Whereabouts on the DOC-CD? Assuming you're starting at the beginning of the IOS Software Release page for the version you care about (12.4T):
Configuration Guides -> System Management -> Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T -> Part 6: Configuring Basic File Transfer Services
Let's start with a very simple topology: R1 and R2 are back to back over Ethernet:
R1
interface FastEthernet0/0
ip address 10.10.12.1 255.255.255.0
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
router eigrp 12
network 1.1.1.1 0.0.0.0
network 10.10.12.1 0.0.0.0
no auto-summary
R2
interface FastEthernet0/0
ip address 10.10.12.2 255.255.255.0
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
router eigrp 12
network 2.2.2.2 0.0.0.0
network 10.10.12.2 0.0.0.0
no auto-summary
Make sure we have Loopback to Loopback connectivity before we go further:
R1#sh ip route eigrp
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/409600] via 10.10.12.2, 00:00:19, FastEthernet0/0
R2#sh ip route eigrp
1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [90/409600] via 10.10.12.1, 00:00:31, FastEthernet0/0
R2#ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Okay, so in this example R1 will be the RSH server and R2 will be the RSH client
Let's create two local accounts that can be used for RSH: one will be used to execute non-privileged commands while the other will be used for enable-level commands
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username level1 password 0 admin
R1(config)#username level2 password 0 admin
Now we want to allow R2 to use the above accounts for RSH commands that come from R2's Loopback0. The level2 user will be able to execute enable-level commands
R1(config)#ip rcmd remote-host level1 2.2.2.2 R2
R1(config)#ip rcmd remote-host level2 2.2.2.2 R2 enable
Now we enable RSH
R1(config)#ip rcmd rsh-enable
For R2, we want to set our source interface to be Loopback0, otherwise the router will just use the IP of the interface closest to the destination (Fa0/0), which would not match the remote-host entries on R1
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip rcmd source-interface Loopback0
Let's see if R2 can get the IOS version that is running on R1
R2(config)#do rsh 1.1.1.1 /user level1 show ver | i IOS
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Cool. Now let's verify that the enable permissions are working: let's try to get the running config of interface Loopback0 using the level1 user
R2(config)#do rsh 1.1.1.1 /user level1 show run int lo0
Line has invalid autocommand "show run int lo0"
Okay, that failed as expected; let's try with the level2 user
R2(config)#do rsh 1.1.1.1 /user level2 show run int lo0
Building configuration...
Current configuration : 63 bytes
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
end
Working as desired. The biggest part is to make sure the router acting as the RSH server has the remote-host entry for the remote user set up correctly, in this form (note that the local account passwords are never checked here; the server trusts the source IP and remote username presented in the rcmd request):
ip rcmd remote-host LOCAL-USER-ACCOUNT REMOTE-IP REMOTE-HOSTNAME
Labels:
Management
Monday, 15 August 2011
Scheduled Attempt #2
It's just about 4 weeks before I have my second stab at the CCIE Lab. When I attended the Micronics Bootcamp they were running the Cisco LabSafe program which included a lab-retake voucher if you did well enough in the assessment labs, which is quite helpful as it takes away some of the costs for the next shot. Interestingly, Cisco has increased the price from $US1400 to $US1500 on the first of August. The voucher covered $US1400, so I had to make up the difference plus the 10% Goods and Services Tax that they like to charge us in Australia, so having to pay $US250 for another go at the lab is not too bad at all. Flights and accommodation also need paying for, but that's the price. Looking at the CCIE numbers being announced in places like GroupStudy, should I get through this time my guess is that my number will be in the 30,000+ range.
As for my preparation - I've been pretty flat out with work particularly since I've been inter-state but I have been keeping at the labs (I brought a personal laptop that is running dynamips to lab small things up). When I'm home I'm still going through the Troubleshooting workbook with two labs left to do I will have gone through it all once but I plan to revisit some of the labs just to keep the practice going. There seems to be a pretty good level of difficulty and variety in there, I'm finding it useful because sometimes I jump into trying to fix a problem that is probably deep, when it's possibly something as basic as a sub-interface is up but the main interface is down.
Labels:
Keepalive