Thursday, July 1, 2010

IP Multicast over DMVPN in MPLS-VPN without mVPN support from ISP

Scenario -
- we have 3 sites connected by MPLS VPN
- ISP doesn't support mVPN for carrying IP multicast

Requirement -
- Consider CE3 as the Hub site and create a DMVPN overlay between the three sites to carry IP multicast over the MPLS VPN backbone.
For unicast traffic use MPLS VPN.
For multicast traffic use DMVPN over MPLS VPN.

Take care of RPF.

Topology -



Solution -

- ip pim sparse-mode is configured ONLY on the Tunnel interfaces. PIM is not needed on the physical interfaces.
- Multicast works only from Hub to Spoke and vice versa. Spoke to Spoke multicast is NOT supported because of the RPF clause on the Hub's Tunnel interface (the Hub's static mroute can point at only one spoke).
- RPF: since the unicast traffic flow does not match the multicast flow in this scenario, we must correct the RPF check manually to avoid RPF failures. We'll use a default static mroute for this.
- DMVPN Phase 1 will do the job; Phase 2 and Phase 3 give no advantage in this scenario because Spoke to Spoke multicast is not supported anyway. For the sake of simplicity, Phase 2 is still used in this example.
- A routing protocol on the DMVPN network is not needed in this scenario. PIM will generate the traffic that builds the NHRP tunnel.
- IPsec encryption is not used in this scenario. It is not needed because we are using private MPLS VPN connectivity.
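To make the RPF point concrete, here is an added Python model (not part of the original post) of how the spoke CE1 picks its RPF interface for a multicast source, with and without the default static mroute. The unicast RIB entries are constructed; the assumption is that CE1 reaches the other sites' loopbacks through PE1 (10.1.1.254) on FastEthernet0/0, as the MPLS VPN delivers them, while the tunnel subnet is directly connected. Running the same lookup against CE3's static mroute also shows why spoke-to-spoke multicast does not work: the hub's RPF neighbor for a source behind CE2 resolves to CE1.

```python
import ipaddress

# Constructed unicast RIB for spoke CE1: (prefix, next hop or None if connected, interface).
# Assumption: PE1 (10.1.1.254) is the MPLS VPN gateway, so remote loopbacks point at
# FastEthernet0/0 rather than at Tunnel123.
CE1_UNICAST_RIB = [
    ("172.16.1.0/24", None, "Tunnel123"),
    ("10.1.1.0/24", None, "FastEthernet0/0"),
    ("20.20.20.20/32", "10.1.1.254", "FastEthernet0/0"),
    ("30.30.30.30/32", "10.1.1.254", "FastEthernet0/0"),
]
# Static mroute from the CE1 config: ip mroute 0.0.0.0 0.0.0.0 172.16.1.3
CE1_STATIC_MROUTES = [("0.0.0.0/0", "172.16.1.3")]

# Constructed unicast RIB for hub CE3 (same assumption, with PE3 at 30.1.1.254).
CE3_UNICAST_RIB = [
    ("172.16.1.0/24", None, "Tunnel123"),
    ("30.1.1.0/24", None, "FastEthernet0/0"),
    ("10.10.10.10/32", "30.1.1.254", "FastEthernet0/0"),
    ("20.20.20.20/32", "30.1.1.254", "FastEthernet0/0"),
]
# Static mroute from the CE3 config: ip mroute 0.0.0.0 0.0.0.0 172.16.1.1
CE3_STATIC_MROUTES = [("0.0.0.0/0", "172.16.1.1")]


def longest_match(rib, address):
    """Return (network, next_hop, interface) of the most specific RIB entry covering address."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, next_hop, iface in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def rpf_lookup(source, unicast_rib, static_mroutes):
    """Return (rpf_neighbor, rpf_interface) for a multicast source address.

    Static mroutes are consulted first and a matching one wins regardless of
    prefix length, so the 0.0.0.0/0 mroute overrides every unicast route. Its
    next hop is then resolved in the unicast RIB to find the RPF interface.
    """
    addr = ipaddress.ip_address(source)
    for prefix, next_hop in static_mroutes:
        if addr in ipaddress.ip_network(prefix):
            resolved = longest_match(unicast_rib, next_hop)
            if resolved is None:
                raise ValueError(f"static mroute next hop {next_hop} is not in the RIB")
            return next_hop, resolved[2]
    entry = longest_match(unicast_rib, source)
    if entry is None:
        return None, None  # no route at all: RPF fails on every interface
    _, next_hop, iface = entry
    return (next_hop or source), iface  # directly connected: the source itself is the neighbor


def rpf_check(source, incoming_interface, unicast_rib, static_mroutes):
    """Data-plane RPF check: accept the packet only if it arrived on the RPF interface."""
    _, rpf_iface = rpf_lookup(source, unicast_rib, static_mroutes)
    return rpf_iface == incoming_interface


if __name__ == "__main__":
    src = "30.30.30.30"  # CE3 Lo0, the source used by 'ping 239.1.1.1 so lo0'
    print("CE1 without static mroute:", rpf_lookup(src, CE1_UNICAST_RIB, []),
          "passes on Tunnel123?", rpf_check(src, "Tunnel123", CE1_UNICAST_RIB, []))
    print("CE1 with static mroute:", rpf_lookup(src, CE1_UNICAST_RIB, CE1_STATIC_MROUTES),
          "passes on Tunnel123?", rpf_check(src, "Tunnel123", CE1_UNICAST_RIB, CE1_STATIC_MROUTES))
    # The hub's RPF neighbor for a source behind CE2 is CE1, so a PIM join for that
    # source would be sent to the wrong spoke: spoke-to-spoke multicast is not supported.
    print("CE3 RPF neighbor for 20.20.20.20:",
          rpf_lookup("20.20.20.20", CE3_UNICAST_RIB, CE3_STATIC_MROUTES))
```

Without the mroute the spoke's RPF interface for 30.30.30.30 is FastEthernet0/0 (the MPLS VPN path), so multicast arriving on Tunnel123 is dropped; with the mroute the RPF neighbor becomes 172.16.1.3 on Tunnel123 and the check passes.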

Verification -
CE3#ping 239.1.1.1 repeat 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:

Reply to request 0 from 172.16.1.1, 536 ms
Reply to request 1 from 172.16.1.1, 704 ms
Reply to request 2 from 172.16.1.1, 492 ms
Reply to request 3 from 172.16.1.1, 412 ms
Reply to request 4 from 172.16.1.1, 552 ms


CE1#
*Mar 1 00:49:58.435: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:50:00.595: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:50:02.443: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:50:04.527: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:50:06.551: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3

CE3#ping 239.1.1.1 repeat 5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 30.30.30.30

Reply to request 0 from 172.16.1.1, 356 ms
Reply to request 1 from 172.16.1.1, 336 ms
Reply to request 2 from 172.16.1.1, 236 ms
Reply to request 3 from 172.16.1.1, 360 ms
Reply to request 4 from 172.16.1.1, 492 ms
CE3#

*Mar 1 00:53:08.319: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:53:10.387: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:53:12.383: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:53:14.307: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:53:16.275: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#

Configs -


CE1:
hostname CE1
!
ip cef
ip multicast-routing
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
ip igmp join-group 239.1.1.1
!
interface Tunnel123
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication CISCO123
ip nhrp map multicast dynamic
ip nhrp map multicast 30.1.1.1
ip nhrp map 172.16.1.3 30.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.1.3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
redistribute connected subnets route-map RM_CONNECTED_LOOPBACK
network 10.0.0.0 0.255.255.255 area 1
!
ip mroute 0.0.0.0 0.0.0.0 172.16.1.3
!
route-map RM_CONNECTED_LOOPBACK permit 10
match interface Loopback0

CE2:
hostname CE2
!
ip multicast-routing
!
interface Loopback0
ip address 20.20.20.20 255.255.255.255
ip igmp join-group 239.2.2.2
!
interface Tunnel123
ip address 172.16.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication CISCO123
ip nhrp map multicast dynamic
ip nhrp map multicast 30.1.1.1
ip nhrp map 172.16.1.3 30.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.1.3
ip igmp join-group 239.172.2.2
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
!
interface FastEthernet0/0
ip address 20.1.1.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 2
network 20.0.0.0
no auto-summary
!
ip mroute 0.0.0.0 0.0.0.0 172.16.1.3
!
route-map RM_CONNECTED_LOOPBACK permit 10

CE3:
hostname CE3
!
ip multicast-routing
!
interface Loopback0
ip address 30.30.30.30 255.255.255.255
ip igmp join-group 239.3.3.3
!
interface Tunnel123
ip address 172.16.1.3 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication CISCO123
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip igmp join-group 239.172.3.3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
!
interface FastEthernet0/0
ip address 30.1.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 30.0.0.0
no auto-summary
!
ip pim bsr-candidate Tunnel123 0
ip pim rp-candidate Tunnel123
ip mroute 0.0.0.0 0.0.0.0 172.16.1.1

PE1:
hostname PE1
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf VPN
rd 1:1
route-target export 1:1
route-target import 1:1
!
no mpls traffic-eng auto-bw timers frequency 0
mpls ldp router-id Loopback0 force
mpls label protocol ldp
call rsvp-sync
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding VPN
ip address 10.1.1.254 255.255.255.0
duplex auto
speed auto
no clns route-cache
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
router ospf 2 vrf VPN
log-adjacency-changes
redistribute bgp 100 subnets
network 0.0.0.0 255.255.255.255 area 1
!
router isis
net 49.0000.0000.0001.00
passive-interface Loopback0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
redistribute ospf 2 vrf VPN match internal external 1 external 2
no auto-summary
no synchronization
exit-address-family
!

PE2:
hostname PE2
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf VPN
rd 1:1
route-target export 1:1
route-target import 1:1
!
no mpls traffic-eng auto-bw timers frequency 0
mpls ldp router-id Loopback0 force
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding VPN
ip address 20.1.1.254 255.255.255.0
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no clns route-cache
!
interface Serial1/0
ip address 192.168.2.1 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
router eigrp 2
auto-summary
!
address-family ipv4 vrf VPN
redistribute bgp 100 metric 10000 1 255 1 1500
network 20.0.0.0
auto-summary
autonomous-system 2
exit-address-family
!
router isis
net 49.0000.0000.0002.00
passive-interface Loopback0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
redistribute eigrp 2
no auto-summary
no synchronization
exit-address-family
!
ip classless
!

PE3:
hostname PE3
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf VPN
rd 1:1
route-target export 1:1
route-target import 1:1
!
no mpls traffic-eng auto-bw timers frequency 0
mpls ldp router-id Loopback0 force
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding VPN
ip address 30.1.1.254 255.255.255.0
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no clns route-cache
!
interface Serial1/0
ip address 192.168.3.1 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
router isis
net 49.0000.0000.0003.00
passive-interface Loopback0
!
router rip
!
address-family ipv4 vrf VPN
redistribute bgp 100 metric 1
network 30.0.0.0
no auto-summary
version 2
exit-address-family
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
redistribute rip
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
!
!

P:
hostname P
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
no clns route-cache
!
interface Serial1/1
ip address 192.168.1.2 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.2.2 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
interface Serial1/3
ip address 192.168.3.2 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
router isis
net 49.0000.0000.0004.00
passive-interface Loopback0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 route-reflector-client
neighbor 1.1.1.1 send-community extended
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 route-reflector-client
neighbor 2.2.2.2 send-community extended
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 route-reflector-client
neighbor 3.3.3.3 send-community extended
exit-address-family
!
ip classless
!

Thursday, June 3, 2010

VRF aware DMVPN with dual ISP on Single HUB + autofailover (using iVRF and FVRF)



Task Details:
(for lab usage only!)

- We have two separate DMVPN clouds via two different ISPs. The LAN segments in both DMVPN clouds use the same IP addresses.
- The requirement is to merge both clouds, remove the redundant equipment (one hub and two spoke routers), and configure the DMVPN clouds over both ISPs with automatic failover between the ISPs.
- Use VRF-aware DMVPN with fVRF and iVRF.
- Use VRF ISP1 and ISP2 as the fVRFs to segregate the ISPs.
- Use VRF RED and BLUE as the iVRFs so that the overlapping LAN segments can communicate.
- Configure DMVPN so that VRF RED uses ISP1 as primary. In the event of any failure on ISP1, it should switch over to ISP2.
- Similarly, VRF BLUE should use ISP2 as primary (active) and ISP1 as secondary (passive).

To be contd. (initial configs, Dynamips .NET file, explanation of the challenges, and solution)

A few considerations:
1. We'll need a total of 4 tunnel interfaces on each Spoke and on the Hub.
      First tunnel for VRF RED via ISP1
      Second tunnel for VRF RED via ISP2
      Third tunnel for VRF BLUE via ISP1
      Fourth tunnel for VRF BLUE via ISP2
Tunnel interfaces on the HUB will be ACTIVE/ACTIVE, allowing the SPOKES to dynamically choose a tunnel and switch over during an ISP failure.

Tunnel interfaces on the SPOKES will be ACTIVE/STANDBY per ISP. Again, dynamic failover.

2. So we'll create 4 different DMVPN clouds, two active (one for VRF RED via ISP1, one for VRF BLUE via ISP2) and two passive (vice versa).
Challenge 1: All 4 DMVPN clouds have their own tunnel IP subnets. Switchover between the DMVPN clouds during failover must be tracked appropriately.
Example 1: if ISP1 on the HUB fails, SPOKE1 and SPOKE2 should automatically switch to ISP2.
Example 2: if ISP1 on SPOKE1 fails, SPOKE1 should automatically switch to ISP2, and the HUB should support this tunnel switchover dynamically.

3. Challenge 2: So how do we keep the SPOKEs and the HUB in sync?
Here Cisco EEM with IP SLA tracking comes to the rescue.
We'll track the ISP connection on each SPOKE, both for the SPOKE itself and for the HUB.
So SPOKE1 will track whether its ISP1 connectivity is alive; if YES, it uses Tunnel1 via ISP1 for DMVPN. If ISP1 is down on SPOKE1, it switches to ISP2 and uses Tunnel2.
At the same time, SPOKE1 will track the HUB's ISP1 connection. If ISP1 on the HUB is live, SPOKE1 uses ISP1 for itself. If the HUB's ISP1 connection is dead, SPOKE1 shuts down its Tunnel1 going via ISP1 and switches over to Tunnel2 via ISP2.
Note - SPOKE1 can't use Tunnel1 via ISP1 when the HUB's ISP1 is dead. Why? Because the IP subnet of Tunnel1 on SPOKE1 and the IP subnet of the HUB's corresponding tunnel interface must match.
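As an added illustration (not the author's code), the following Python model replays the two examples above. Each spoke's IP SLA probe toward the HUB's address at an ISP succeeds only when both the spoke's and the HUB's link to that ISP are up, which is what lets one track object cover both failure cases, and the four EEM applets from the spoke configs below are replayed as tunnel shut/no shut actions on track transitions. The initial admin state (Tunnel2 and Tunnel3 shut) is taken from the SPOKE1 config and, as an assumption, applied to both spokes; the link states are constructed inputs.

```python
# Tunnel numbering from the spoke configs: tunnel -> (iVRF, fVRF/ISP it rides on).
TUNNELS = {1: ("RED", "ISP1"), 2: ("BLUE", "ISP1"), 3: ("RED", "ISP2"), 4: ("BLUE", "ISP2")}

# track 1 follows IP SLA 1 (ping to the HUB at ISP1), track 2 follows IP SLA 2 (HUB at ISP2).
TRACKS = {1: "ISP1", 2: "ISP2"}

# The four EEM applets, as (track, new state) -> list of (verb, tunnel number).
EEM_APPLETS = {
    (1, "down"): [("shut", 1), ("no shut", 3)],   # EEM_SHUT_ISP1_HUB
    (1, "up"):   [("no shut", 1), ("shut", 3)],   # EEM_NOSHUT_ISP1_HUB
    (2, "down"): [("shut", 4), ("no shut", 2)],   # EEM_SHUT_ISP2_HUB
    (2, "up"):   [("no shut", 4), ("shut", 2)],   # EEM_NOSHUT_ISP2_HUB
}


class Spoke:
    """Admin state of the four tunnels plus the two track objects on one spoke."""

    def __init__(self, name):
        self.name = name
        # Assumed initial state (from the SPOKE1 config): Tunnel2 and Tunnel3 carry 'shutdown'.
        self.admin_up = {1: True, 2: False, 3: False, 4: True}
        self.track = {1: "up", 2: "up"}
        self.log = []  # CLI actions the applets would have executed

    def update(self, spoke_links, hub_links):
        """Re-run the IP SLA probes and fire the EEM applets on track transitions.

        spoke_links / hub_links: {"ISP1": bool, "ISP2": bool}, True when that
        router's link to the ISP is up. The probe targets the HUB's ISP address,
        so it fails if either end's link to that ISP is down.
        """
        for track_id, isp in TRACKS.items():
            reachable = spoke_links[isp] and hub_links[isp]
            new_state = "up" if reachable else "down"
            if new_state == self.track[track_id]:
                continue  # 'event track N state ...' fires on transitions only
            self.track[track_id] = new_state
            for verb, tunnel in EEM_APPLETS[(track_id, new_state)]:
                self.admin_up[tunnel] = verb == "no shut"
                self.log.append(f"{self.name}: interface Tunnel{tunnel} {verb}")
        return self.active_tunnels()

    def active_tunnels(self):
        """Return {vrf: [admin-up tunnels]}; a healthy spoke has exactly one per VRF."""
        return {vrf: sorted(t for t, (v, _) in TUNNELS.items() if v == vrf and self.admin_up[t])
                for vrf in ("RED", "BLUE")}


def usable_paths(spoke, spoke_links, hub_links):
    """Per VRF, whether the admin-up tunnel's ISP is actually up at both ends."""
    return {vrf: any(spoke_links[TUNNELS[t][1]] and hub_links[TUNNELS[t][1]] for t in tunnels)
            for vrf, tunnels in spoke.active_tunnels().items()}


def run_scenario():
    """Walk both spokes through Example 1 and Example 2 and return the RED tunnel in use."""
    spoke1, spoke2 = Spoke("SPOKE1"), Spoke("SPOKE2")
    all_up = {"ISP1": True, "ISP2": True}
    isp1_down = {"ISP1": False, "ISP2": True}
    history = {}
    # Example 1: the HUB's ISP1 fails -> every spoke's track 1 goes down, RED moves to Tunnel3.
    history["hub_isp1_down"] = (spoke1.update(all_up, isp1_down)["RED"],
                                spoke2.update(all_up, isp1_down)["RED"])
    # The HUB's ISP1 returns -> both spokes move RED back to Tunnel1.
    history["hub_restored"] = (spoke1.update(all_up, all_up)["RED"],
                               spoke2.update(all_up, all_up)["RED"])
    # Example 2: only SPOKE1's ISP1 fails -> SPOKE1 moves to Tunnel3, SPOKE2 stays on Tunnel1.
    history["spoke1_isp1_down"] = (spoke1.update(isp1_down, all_up)["RED"],
                                   spoke2.update(all_up, all_up)["RED"])
    return history


if __name__ == "__main__":
    for step, (red1, red2) in run_scenario().items():
        print(f"{step}: SPOKE1 RED over Tunnel{red1}, SPOKE2 RED over Tunnel{red2}")
```

The point the model makes is that probing the HUB's ISP address (rather than the spoke's own default gateway) is what makes the hub-side failure visible to every spoke at once, so all spokes end up on the same tunnel subnet as the HUB without any signalling between them.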

Let's get our hands dirty, and move onto the configuration part -

Initial Configs:
HUB:
hostname HUB
!
ip cef
!
ip vrf BLUE
rd 1:2
!
ip vrf ISP1
rd 100:1
!
ip vrf ISP2
rd 200:1
!
ip vrf RED
rd 1:1
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 101.1.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 201.1.1.1 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 101.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 201.1.1.254
!

SPOKE1:
hostname SPOKE1
!
ip cef
!
ip vrf BLUE
rd 2:2
!
ip vrf ISP1
rd 100:2
!
ip vrf ISP2
rd 200:2
!
ip vrf RED
rd 2:1
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.2.1.2 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.2.1.2 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 102.1.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 202.1.1.2 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 102.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 202.1.1.254
!


SPOKE2:
hostname SPOKE2
!
ip cef
!
ip vrf BLUE
rd 2:3
!
ip vrf ISP1
rd 100:3
!
ip vrf ISP2
rd 200:3
!
ip vrf RED
rd 1:3
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.3.1.3 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.3.1.3 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 103.1.1.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 203.1.1.3 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 103.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 203.1.1.254
!
!

ISP1:

ISP1#r
Building configuration...

Current configuration : 2689 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISP1
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 101.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/1
ip address 102.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/2
ip address 103.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router bgp 100
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 12.1.1.2 remote-as 200
no auto-summary
!
ip classless
!
no ip http server
!
!
!
ip access-list extended ACL_ESP_ONLY
permit icmp any any echo
permit icmp any any echo-reply
permit esp any any
permit udp any any eq 4500
permit udp any any eq isakmp
deny ip any any log
!
!
!
control-plane
!
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
no login
!
!
end
ISP1#


ISP2:

ISP2#r
Building configuration...

Current configuration : 2394 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISP2
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 201.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/1
ip address 202.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/2
ip address 203.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router bgp 200
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 12.1.1.1 remote-as 100
no auto-summary
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
no login
!
!
end
ISP2#

DYNAMIPS NET FILE
autostart = False
[1.1.1.1]
port = 7200
udp = 10000

[[7200]]
image = C:\Program Files\Dynamips\images\c7200-k91p-m.122-25.S15.bin
npe = npe-400
ram = 96
disk0 = 0
disk1 = 0
mmap = false

[[router HUB]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 224
Fa0/0 = LAN 10
S1/0 = ISP1 S1/0
S1/1 = ISP2 S1/0

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\HUB.cfg

[[router SPOKE1]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 224

Fa0/0 = LAN 20
S1/0 = ISP1 S1/1
S1/1 = ISP2 S1/1

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\SPOKE1.cfg

[[router SPOKE2]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 224
Fa0/0 = LAN 30
S1/0 = ISP1 S1/2
S1/1 = ISP2 S1/2

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\SPOKE2.cfg

[[Router ISP1]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
S1/3 = ISP2 S1/3
cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\ISP1.cfg

[[Router ISP2]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\ISP2.cfg

SOLUTION -:

HUB CONFIG:

HUB CRYPTO CONFIG:
crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
set transform-set TRANS

TUNNEL CONFIG for VRF RED
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map multicast dynamic
ip nhrp network-id 131313
ip ospf network broadcast
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map multicast dynamic
ip nhrp network-id 131313
ip ospf network broadcast
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!

TUNNEL CONFIG for VRF BLUE
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication BLUE
ip nhrp map multicast dynamic
ip nhrp network-id 242424
no ip split-horizon eigrp 1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication BLUE
ip nhrp map multicast dynamic
ip nhrp network-id 242424
no ip split-horizon eigrp 1
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared

ROUTING CONFIG VRF BLUE
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 1.1.1.1
exit-address-family

ROUTING CONFIG VRF RED
router ospf 1 vrf RED
router-id 1.1.1.1
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 1
network 172.16.10.1 0.0.0.0 area 0
network 172.16.11.1 0.0.0.0 area 0
!

SPOKE1 CONFIG:
crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
set transform-set TRANS
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.10.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.10.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.20.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.20.1
ip ospf network broadcast
ip ospf priority 0
shutdown
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.11.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.11.1
shutdown
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.21.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.21.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 2.2.2.2
exit-address-family
!
router ospf 1 vrf RED
router-id 2.2.2.2
log-adjacency-changes
network 10.2.1.2 0.0.0.0 area 2
network 172.16.10.2 0.0.0.0 area 0
network 172.16.11.2 0.0.0.0 area 0
!
ip sla 1
icmp-echo 101.1.1.1 source-interface Serial1/0
timeout 15000
vrf ISP1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 201.1.1.1 source-interface Serial1/1
timeout 15000
vrf ISP2
ip sla schedule 2 life forever start-time now
!
!
event manager applet EEM_SHUT_ISP1_HUB
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP1_HUB
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_SHUT_ISP2_HUB
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP2_HUB
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
!
end

SPOKE2 CONFIG:
crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
set transform-set TRANS
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.10.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.10.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.20.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.20.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.11.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.11.1
shutdown
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map multicast 201.1.1.1
ip nhrp map 172.16.21.1 201.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.21.1
shutdown
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 3.3.3.3
exit-address-family
!
router ospf 1 vrf RED
router-id 3.3.3.3
log-adjacency-changes
network 10.3.1.3 0.0.0.0 area 3
network 172.16.10.3 0.0.0.0 area 0
network 172.16.11.3 0.0.0.0 area 0
!
ip sla 1
icmp-echo 101.1.1.1 source-interface Serial1/0
timeout 15000
vrf ISP1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 201.1.1.1 source-interface Serial1/1
timeout 15000
vrf ISP2
ip sla schedule 2 life forever start-time now
!
event manager applet EEM_SHUT_ISP1_HUB
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP1_HUB
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_SHUT_ISP2_HUB
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP2_HUB
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
!
end

Wednesday, May 26, 2010

A complex VPN MESS LAB!


LAB Scenario
Summary:
1. GETVPN over DMVPN with OSPF (RSA authentication); selective traffic
engineering over GET and DMVPNs.
2. VRF-aware IPSec Dynamic VTI based RA VPN with XAuth
3. RA VPN using Dynamic VTI with XAuth
4. Crypto-map based VPN with Dynamic VTI on the other side
5. Static VTI based VPN with EIGRP
6. Zone based FW + NAT ..just to add a bit more spice
7. MPLS L3 VPN core


SITE1 is the HeadQuarter(HUB). SITE2,3,4 are Branch SITES.

RTR-XYZ is external connection.

Internet-host is any host on internet.

Restriction: Don't modify ISP router (PE1 and PE2) configs.
  

TASK1: DMVPN with OSPF

SITE1, 2 and 3 participate in DMVPN. Use PSK for authentication.
RTR-SITE1-HUB functions as the DMVPN Hub. Use OSPF as the routing protocol for DMVPN reachability.
Protect the DMVPN cloud using IPSec. *Correction1: Create only mGRE tunnels; tunnel protection should be configured as per the next GETVPN task.
  
  

TASK2: GETVPN over DMVPN


SITE 1, 2 and 3 run GETVPN over the previously configured DMVPN cloud. Use digital certificates for authentication (including IKE Phase 1 authentication).

RTR-SITE1-KS functions as the KS server, CA server and NTP server.

GETVPN routers should enroll for certificates with RTR-SITE1-KS.

Ensure that GETVPN traffic is encrypted first, then tunneled via DMVPN. Check the IPSec SAs to confirm this.
  

TASK3: VRF aware IPSEC Remote Access VPN using Dynamic VTI

SITE1's RTR-SITE1-HUB uses Dynamic VTI to host the EasyVPN Server.

We have overlapping IP addressing in SITE1: 10.1.1.0/24 is used by CUSTOMERX, CUSTOMERY and SITE1's global routing table. CUSTOMERX and CUSTOMERY have dedicated VRFs in SITE1.

If InternetHost uses Groupname: CUSTOMERX password: CISCO, it can access CUSTOMERX's 10.1.1.0/24

If InternetHost uses Groupname: CUSTOMERY password: CISCO, it can access CUSTOMERY's 10.1.1.0/24

If InternetHost uses Groupname: USER_GRT password: CISCO, it can access SITE1's global routing table's 10.1.1.0/24

Configure XAUTH for all groups using the same group credentials respectively. Use the local address pool 10.100.101.1 to 10.100.101.7.

Ensure that a Remote Access VPN connection using GroupID USER_GRT has access to all LAN segments in SITE1,2,3,4 and RTR-XYZ's LAN segment.
  

TASK4: L2L Tunnel with Crypto MAP on SITE4 + Dynamic VTI


SITE4's ASA-SITE4 firewall connects to SITE1's RTR-SITE1-HUB router using a crypto-map based L2L tunnel. SITE1 uses Dynamic VTI. Don't use a crypto-map on RTR-SITE1-HUB.

Ensure that the inside LAN subnet in SITE4 has access to the other LAN segments in SITE1,2,3, RTR-XYZ's LAN segment and the Remote Access VPN pool.

  

TASK5: L2L Tunnel using Static VTI

Configure an L2L VPN tunnel between SITE1 and RTR-XYZ. Use EIGRP for routing. RTR-XYZ's LAN segment should be able to reach all LAN subnets in SITE1,2,3,4.

RTR-XYZ's LAN segment should also be able to reach Internet-host once InternetHost connects to the RA VPN using the USER_GRT groupID.
  

TASK6: VPN Traffic engineering

Traffic between SITE1,2,3 LAN segments should pass via the GETVPN tunnel, then get encapsulated in DMVPN (and vice versa).

Don't include SITE1's 10.1.1.0/24 subnet in the GETVPN encrypted path. 10.1.1.0/24 should be reachable via the DMVPN path between the sites.

Traffic from the Remote-access VPN pool (10.100.101.0/29) to SITE2-Loopback0 and SITE3-Loopback0 should pass via the GETVPN tunnel, then get encapsulated in DMVPN (and vice versa).

Traffic from the Remote-access VPN pool (10.100.101.0/29) to SITE4_LAN and RTR-XYZ_LAN should ONLY pass via the DMVPN tunnel, not via GETVPN (and vice versa).

Traffic to 10.1.1.0/24 in SITE1 shouldn't be included in GETVPN encryption for any of these flows.

Ensure that all traffic via the ISP routers is IPSEC protected. GETVPN traffic is allowed to be encrypted twice, once by GETVPN and a second time by DMVPN.
*Correction2: NON-GETVPN traffic (e.g. between RTR-XYZ and RTR-SITE2 etc.) should only be GRE encapsulated within the DMVPN cloud across the Service provider routers; no IPSec protection is needed.
  

TASK7: Zone based Firewall with NAT

Configure Zone based firewall on RTR-SITE2 in SITE2 for Internet access filtering.

Allow only ICMP traffic to and from RTR-SITE2 (Self zone). Make sure DMVPN, GETVPN etc. continue to work normally; VPN traffic flows should keep working.

Allow INBOUND TELNET, SMTP to SITE2's LAN segments.

ALLOW ALL OUTBOUND TRAFFIC from SITE2's LAN segments (10.2.1.0/24 and 10.23.23.0/24).

NAT

SITE2 LAN Segment should be able to access Internet host 105.1.1.2 using 102.1.1.3 as source IP. Use PAT.

Configure NAT on RTR-SITE2 such that Internet Host can telnet into RTR-SITE3 using 102.1.1.4 as destination IP.

SITE2 and SITE3 are connected via a backdoor link with IP 10.23.23.0/24 for testing NAT related tasks.

Add static route on RTR-SITE3 to test the access to 105.1.1.2.

DYNAMIPS NET FILE/PEMU SCRIPT

Dynamips NET FILE

autostart = False
[192.168.100.75]
port = 7200
udp = 10000

[[7200]]
image = C:\Program Files\Dynamips\images\c7200-k91p-m.122-25.S15.bin
npe = npe-400
ram = 96
disk0 = 0
disk1 = 0
mmap = false

[[router RTR-SITE1-KS]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256
Fa0/0 = RTR-SITE1-HUB Fa0/1

cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE1-KS.cfg

[[router RTR-SITE1-HUB]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256

# ASA-FW-SITE1 INSIDE #
Fa0/0 = NIO_udp:1011:1.1.1.1:1001
Fa1/0 = LAN 120
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE1-HUB.cfg

[[router RTR-SITE2]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256
Fa0/0 = PE2 Fa1/0
Fa0/1 = LAN 102
Fa1/0 = RTR-SITE3 Fa1/0
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE2.cfg

[[Router PE1]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE

# ASA-FW-SITE1 OUTSIDE #
Fa0/0 = NIO_udp:1010:1.1.1.1:1000

#TO VM for RA VPN #
Fa2/0 = NIO_gen_eth:\Device\NPF_{597007F5-5BF6-45E2-B348-388172170CF3}

# ASA-FW-SITE4 OUTSIDE #
Fa2/1 = NIO_udp:2010:1.1.1.1:2000

Fa1/0 = PE2 Fa0/0

F1/1 = RTR-XYZ Fa0/0
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\PE1.cfg

[[Router PE2]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\PE2.cfg


##############
##############
#MultiPC

[192.168.100.35:7200]
udp = 11000
workingdir = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB
[[router RTR-SITE3]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin

model = 3660
mmap = false
ram = 256
Fa0/0 = PE2 Fa1/1
Fa0/1 = LAN 103
cnfg = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE3.cfg

[[router RTR-XYZ]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = False
ram = 256
F0/0 = PE1 Fa1/1
Fa0/1 = LAN 60
cnfg = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-XYZ.cfg


###########################################################
PEMU ASA-SITE1

start /belownormal pemu -net nic,vlan=10,macaddr=00:00:00:00:10:01 -net udp,vlan=10,sport=1000,dport=1010,daddr=1.1.1.1 -net nic,vlan=11,macaddr=00:00:00:00:10:02 -net udp,vlan=11,sport=1001,dport=1011,daddr=1.1.1.1 -net nic,vlan=12,macaddr=00:00:00:00:10:03 -net udp,vlan=12,sport=1002,dport=1012,daddr=1.1.1.1 -net nic,vlan=13,macaddr=00:00:00:00:10:04 -net udp,vlan=13,sport=1004,dport=1014,daddr=1.1.1.1 -serial telnet::2050,server,nowait -m 128 FLASH8X-SITE1

###########################################################
PEMU ASA-SITE4

start /belownormal pemu -net nic,vlan=20,macaddr=00:00:00:00:20:01 -net udp,vlan=20,sport=2000,dport=2010,daddr=1.1.1.1 -net nic,vlan=21,macaddr=00:00:00:00:20:02 -net udp,vlan=21,sport=2001,dport=2011,daddr=1.1.1.1 -net nic,vlan=22,macaddr=00:00:00:00:20:03 -net udp,vlan=22,sport=2002,dport=2012,daddr=1.1.1.1 -net nic,vlan=23,macaddr=00:00:00:00:20:04 -net udp,vlan=23,sport=2004,dport=2014,daddr=1.1.1.1 -serial telnet::2051,server,nowait -m 128 FLASH8X-SITE4
############################################################


INIT CONFIGS

########################################################
hostname ASA-SITE1

!
interface Ethernet0
nameif outside
security-level 0
ip address 101.1.1.2 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.1.2 255.255.255.252
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1


###########################################################


hostname ASA-SITE4
!
interface Ethernet0
nameif outside
security-level 0
ip address 104.1.1.2 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.4.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
route outside 0.0.0.0 0.0.0.0 104.1.1.1 1

###########################################################


version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf ABC
rd 123:123
route-target export 123:123
route-target import 123:123
route-target import 106:106
!
ip vrf XYZ
rd 106:106
route-target export 106:106
route-target import 106:106
route-target import 123:123
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding ABC
ip address 101.1.1.1 255.255.255.248
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 12.1.1.1 255.255.255.252
ip router isis
duplex auto
speed auto
mpls ip
!
interface FastEthernet1/1
ip vrf forwarding XYZ
ip address 106.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet2/0
ip vrf forwarding ABC
ip address 105.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet2/1
ip vrf forwarding ABC
ip address 104.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
router isis
net 49.0000.0000.0001.00
passive-interface Loopback0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf XYZ
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf ABC
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
!
!
end

###########################################################


version 12.2

hostname PE2
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf ABC
rd 123:123
route-target export 123:123
route-target import 123:123
route-target import 106:106
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.252
ip router isis
duplex full
mpls ip
!
interface FastEthernet1/0
ip vrf forwarding ABC
ip address 102.1.1.1 255.255.255.248
duplex full
speed auto
no clns route-cache
!
interface FastEthernet1/1
ip vrf forwarding ABC
ip address 103.1.1.1 255.255.255.248
duplex full
speed auto
no clns route-cache
!
router isis
net 49.0000.0000.0002.00
passive-interface Loopback0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf ABC
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
ip classless

end

###########################################################
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE1-HUB
!
boot-start-marker
boot-end-marker
!
!
!
aaa session-id common
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
ip vrf CUSTOMERX
rd 1:1
!
ip vrf CUSTOMERY
rd 2:2
!
!
interface Loopback0
ip address 10.100.100.101 255.255.255.255
!
!
interface FastEthernet0/0
ip address 10.10.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0.10
encapsulation dot1Q 10
ip vrf forwarding CUSTOMERX
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet1/0.20
encapsulation dot1Q 20
ip vrf forwarding CUSTOMERY
ip address 10.1.1.1 255.255.255.0
!
end

###########################################################


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE1-KS
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
!

!
interface Loopback0
ip address 10.100.100.100 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
ip http server
no ip http secure-server
ip forward-protocol nd
!
!
!
!
end

###########################################################


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE2
!
boot-start-marker
boot-end-marker
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
interface Loopback0
ip address 10.100.100.102 255.255.255.255
!
!
interface FastEthernet0/0
ip address 102.1.1.2 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.23.23.2 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 102.1.1.1
!
!
end

###########################################################


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
interface Loopback0
ip address 10.100.100.103 255.255.255.255
!
interface FastEthernet0/0
ip address 103.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.23.23.3 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 103.1.1.1
ip route 105.1.1.0 255.255.255.0 10.23.23.2
!
!
end
###########################################################

version 12.4
!
hostname RTR-XYZ
!
ip cef
!
interface FastEthernet0/0
ip address 106.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.6.1.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 106.1.1.1
!
end
############################################################

Monday, May 17, 2010

Passed SP Lab!


The long, frustrating SP journey has reached its destination... I passed
the SP lab yesterday.

It was a bigger battle with bugs, vague wording and crappy OEQs than
with the technology itself.

A few things I would like to share with people preparing for the SP lab -

1. MPLS VPNs -
Ah, that's the biggest chunk in the SP lab; almost everyone who failed
got shocking results in the VPN section. VPN constitutes more than 30% of
the score, so a low score there guarantees a failure.
Understand the "send-label" feature correctly: when, how, restrictions
etc. Knowing the difference between "mpls ip" and "send-label" is
important. The fingers should know what to type the moment we see Inter-AS
and CSC. Know when to use "set mpls-label", and the scary things that
might happen when not using it where it's a mandate.

2. Multicast -
The R&S bits of multicast are the base. For MVPN/Inter-AS multicast,
understand RFC 3618 for the RPF check thoroughly, and understand the order of
RPF preference. Understand when to make use of the BGP multicast SAFI.
Understand which Inter-AS option supports Inter-AS multicast, and how it
works on 12.2S code without the MDT SAFI. Look for Petr's blog on
MVPN, and refer to my blog for some explanation too.
This is one of the easiest sections to score in if we know the game.

3. The important command "reload"! If you know it's configured
correctly, you shouldn't shy away from doing a reload.

4. Join forums; there are some forums where NDA stuff is brainstormed
candidly. Not the right thing, but it helps.

5. For a first attempt, avoid locations like Bangalore. In B'lore you'll
most likely get ONLY a "smile" as an answer to your questions, with some
ambiguous facial expression and words. Choose a location like Brussels
etc., where you have an in-house rack and a knowledgeable SP-related
proctor.

6. Avoid complex solutions. I have got a real feel that there is a high
possibility of the task being marked incorrect if the proctor doesn't
understand them. It's not a matter of just the output. Anyway, it'll
stay a mystery if something is marked incorrect, so keep it simple.

7. Think like a script! Take extra precautions like removing aliases
etc. Anything that can affect an automated script should be removed.
It'll hurt a lot to lose marks for such silly things, so my
recommendation is to remove them once the lab is about to get over.

8. The lab will have old junk IOS codes running somewhere in the
corners, specifically added to give us a nasty ride down the buggy
road. Show outputs might change after a reload, so be aware and double
check. If possible, practice on a few of them before the big day.

9. Read between the lines. Take some time away from the config/keyboard;
just read and focus on the tasks thoroughly. Try to think beyond the first
instinct. If it says to do something for X and Y, doing it for X, Y, Z
is wrong. In the verification you'll see that you successfully did it
for X and Y, but might miss out on looking at Z. Make sure Z is left as
it is. Cryptic, but it should be comprehensible, as it makes a hell of a lot of
difference to the score! This is one of the major reasons for getting a
low score in the VPN section even after having proper end-to-end
reachability.

10. Know the silly rules. There is some fictitious cut-off mark below
which you can't request a re-read. If you still need it, you need to create
a lot of hell with Cisco (I managed to do it before ;) ). So think whether
it's worth it, else move on.

Reference list -
1. CCO
2. Cisco Press MPLS Configuration on Cisco IOS - very good to start
with, more related to configs than concepts/theory.
3. Cisco Press MPLS Fundamentals - very good to start with, better for
concepts and understanding the nuts and bolts.
4. L2 VPN Architectures - this is by far the best for L2 MPLS. Very
good for the crappy OEQs.
5. Cisco Press ISIS Network Design and Jeff Doyle's TCP/IP - cover IGPs
including ISIS very well.
6. For ATM/FR search CCO - it has good references for OEQs.

My actual list is much longer, but these are good enough.

Now the lab experience -
The lab was somewhat similar to my previous attempt. I got through within
4 hrs 20 mins, so I had loads of time for verification. Found a few silly
miss-outs, corrected them. Round 1 of verification was over in around 2 hrs,
all 100% working. Then I left the keyboard and just read the questions
again. Thankfully all was OK. I started a second round of
verification, and in the last 15 minutes I spotted my TE tunnel was down.
WTFFFF! ...it was up an hour back... Rechecked everything dependent on it.
Didn't dare to reload the core because the lab was about to get over.
Prepared a list of related clear commands, applied them, and thankfully it came
up and stayed up. The last minutes saved such important points. Game over.
Got a pass in the next 3 hrs. WOWW!

Vincent (SP program manager) has posted that Cisco is done
finalizing the content for the new SP lab blueprint; it will soon be
declared official.

And a salute to the Lapukhovs and Scriveners who did all their IEs in the
first attempt.

Cheers.

Swap
#19804 (SP,Sec)



Sunday, April 18, 2010

Tricky Question1 - OSPF

Route 1.1.1.1/32 from R1 has been advertised by iBGP to R2 and R3.
On R2 and R3 this BGP route is redistributed into OSPF using the following metrics -

R2 --> E1 metric 100

R3 --> E1 metric 200


R1,R2 and R3 form iBGP neighborship.
R2,R3,R4 and R5 form OSPF neighborship. Area details are given in the diagram.


Question -
Q1. On R5 what will be the next-hop for 1.1.1.1/32? Why? What is the metric of the route?
Q2. What happens if we lower the cost of R5-R4 link on R5 to 1. On R5 what will be the next-hop for 1.1.1.1/32 now? Why? What is the metric of the selected route?

Wednesday, March 10, 2010

Traceroute in MPLS - detailed


Default behaviour -
1. IP to MPLS: the IP TTL is decremented by 1 and copied from the IP header into the TTL field of the pushed MPLS label
(this decremented copy doesn't happen when "no mpls ip propagate-ttl" is applied, so the newly imposed label gets a default TTL of 255 in that case)
2. MPLS to IP: the TTL is checked. If the MPLS TTL is lower than the IP TTL, it is copied. Else the IP TTL remains intact
a. PUSH/SWAP operation - the new label gets the existing TTL decremented by 1.
b. POP - if the inner label has a higher TTL, the popped label's TTL overwrites the inner TTL. Else it is left as it is.
An intermediate LSR doesn't touch the inner label; it only decrements the outer label.
Intermediate P routers which don't have an IP route to the CE forward the ICMP time-exceeded onward along the same LSP instead of dropping it. This way PE1 still receives the ICMP time-exceeded from P on behalf of the CE, and traceroute works.

1. "no mpls ip propagate-ttl" - the newly imposed label gets a default TTL of 255 for both switched transit traffic and locally generated traffic.

2. "no mpls ip propagate-ttl forwarded" - the newly imposed label gets a default TTL of 255 for switched transit traffic only. Locally originated traffic via the "trace vrf" or "trace" command will still have a TTL of 1 on the newly imposed label.

3. "no mpls ip propagate-ttl local" - when traffic is locally originated using the "trace vrf" or "trace" command, if the packet becomes labeled by the local router, the new label gets a TTL of 255.
Note that for a PE1-P-PE2 topology, a packet from PE1 to PE2 is not label switched due to PHP. So testing by disabling "local" won't give the expected result because the packet never becomes labeled. The packet will be routed based on the IP TTL and we'll be able to see all the hops in spite of having added "no mpls ip propagate-ttl local".
This can be correctly tested on a PE1-P1-P2-PE2 topology where PHP doesn't apply to packets sent from PE1 to PE2.

Logic: if TTL copying is stopped on the first hop where the packet becomes labeled, e.g. for a CE1 to CE2 trace, if "no mpls ip propagate-ttl" is configured on PE1, this "propagate-ttl" command is no longer needed anywhere else in the path, because the first hop PE1 will set the label TTL to 255. Even if it is reduced by 1 at each hop, it'll never become zero and be returned to the initiator of the trace. The TTL will only become zero once the packet is ready to be switched based on the IP header (when the label is removed on PE2).

Test1:
Topology CE1-PE1-P-PE2-CE2
Configured "no mpls ip propagate-ttl forwarded" on PE1.
Trace from CE1 to CE2.

1st hop will be the PE1 VRF interface.
2nd hop will be the PE2 VRF interface.
3rd will be the CE2 physical interface.
P is hidden.

Test2:
Same config -
Topology CE1-PE1-P-PE2-CE2
Configured "no mpls ip propagate-ttl forwarded" on PE1.
Trace from PE1-VRF to CE2.
All hops P, PE2 and CE2 will be visible as the "local" keyword is not used.

Test3:
Topology CE1-PE1-P-PE2-CE2
Configured "no mpls ip propagate-ttl local" on PE1.
Trace from PE1-VRF to CE2.
Only PE2 and CE2 will be visible as the "local" keyword is now used. P is hidden.

Test4:
Topology CE1-PE1-P-PE2-CE2
Configured "no mpls ip propagate-ttl local" on PE1.
Trace from PE1 global to PE2 global.
All hops P and PE2 will be visible as the packet never becomes labeled due to PHP.

Changed topology to CE1-PE1-P1-P2-PE2-CE2
Trace from PE1 global to PE2 global.
Now only P2 and PE2 are visible; P1 is hidden. The packet is labeled on PE1 with MPLS TTL 255, crosses P1 and reaches P2. P2 makes the packet an IP packet by removing the label due to PHP. P2 and PE2 reply to the trace based on the IP TTL.
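The hop lists of the tests above (default behaviour, Test1 to Test4 and the P1-P2 variant) reproduced by a small constructed model of the TTL rules; this is an added example, not configuration or output from the post. It assumes the pipe-model rule that, when the label TTL is not copied back into the IP header, the router removing the last label counts the LSP as one IP hop; node names CE1, PE1, P, P1, P2, PE2 and CE2 are the post's.

```python
"""Traceroute TTL model for the MPLS tests (constructed, not IOS code).

Rules modelled, following the post: the ingress LSR decrements the IP TTL
(transit traffic only) and copies it into the pushed label, or uses 255 when
propagation is disabled; a P router decrements only the top label; at a POP
the popped TTL overwrites the inner label if the inner one is higher; when the
last label is removed the IP TTL is kept if it is lower than the label TTL,
otherwise the LSP counts as one IP hop and the IP TTL is decremented."""
from dataclasses import dataclass


@dataclass
class Lsp:
    ingress: str   # node that pushes the label stack
    egress: str    # node the LSP ends on; the hop before it pops the top label (PHP)
    labels: int    # 2 for VRF traffic (VPN + transport label), 1 for global traffic


def probe(path, lsp, ttl, propagate_forwarded=True, propagate_local=True):
    """Send one probe with IP TTL `ttl` from path[0] to path[-1].

    Returns the node that answers: the one where a TTL reaches zero, or the
    destination. propagate_forwarded / propagate_local mirror the two keywords
    of "no mpls ip propagate-ttl"."""
    src, dst = path[0], path[-1]
    php = path[path.index(lsp.egress) - 1]
    ip_ttl, stack = ttl, []                  # stack[0] is the outermost label TTL
    if src == lsp.ingress:                   # locally originated on the PE: no IP decrement
        stack = [ip_ttl if propagate_local else 255] * lsp.labels
    for node in path[1:]:
        if node == dst:
            return node                      # destination answers the probe
        if stack:                            # labeled packet: only the top label is touched
            stack[0] -= 1
            if stack[0] == 0:
                return node                  # ICMP time-exceeded from this LSR
            if node in (php, lsp.egress):
                popped = stack.pop(0)
                if stack:                    # inner label remains (PHP on VRF traffic)
                    stack[0] = min(stack[0], popped)
                else:                        # MPLS to IP: copy if lower, else one IP hop
                    ip_ttl = min(ip_ttl - 1, popped)
                    if ip_ttl == 0:
                        return node
            continue
        ip_ttl -= 1                          # plain IP hop
        if ip_ttl == 0:
            return node
        if node == lsp.ingress:              # transit traffic becomes labeled here
            stack = [ip_ttl if propagate_forwarded else 255] * lsp.labels
    return dst


def traceroute(path, lsp, max_ttl=30, **opts):
    """Run probes with increasing TTL; return the list of responding hops."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hop = probe(path, lsp, ttl, **opts)
        hops.append(hop)
        if hop == path[-1]:
            break
    return hops


if __name__ == "__main__":
    vrf = Lsp("PE1", "PE2", 2)
    glob = Lsp("PE1", "PE2", 1)
    print("default, CE1 -> CE2:", traceroute(["CE1", "PE1", "P", "PE2", "CE2"], vrf))
    print("Test1:", traceroute(["CE1", "PE1", "P", "PE2", "CE2"], vrf, propagate_forwarded=False))
    print("Test2:", traceroute(["PE1", "P", "PE2", "CE2"], vrf, propagate_forwarded=False))
    print("Test3:", traceroute(["PE1", "P", "PE2", "CE2"], vrf, propagate_local=False))
    print("Test4:", traceroute(["PE1", "P", "PE2"], glob, propagate_local=False))
    print("Test4, P1-P2:", traceroute(["PE1", "P1", "P2", "PE2"], glob, propagate_local=False))
```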




7200a#traceroute vrf VRF 120.120.120.120

Type escape sequence to abort.
Tracing the route to 120.120.120.120

  1 10.0.3.5 [MPLS: Labels 64/68 Exp 0] 232 msec 180 msec 156 msec
-> the local router sent the packet to 10.0.3.5 with labels 64/68 (64 is the LDP transport label and 68 is the VPN label)

  2 10.0.5.11 [MPLS: Labels 65/68 Exp 0] 84 msec 80 msec 148 msec
-> router 10.0.3.5 forwarded the packet with labels 65/68 (so a swap of 64 to 65 happened)

  3 120.120.120.120 124 msec *  260 msec
-> router 10.0.5.11 sent an IP packet to the destination router 120.120.120.120