InterVLAN routing using Private VLANs

Private VLANs are one way for service providers to offer their customers isolated connections and to prevent inter-VLAN communication within the same switched environment.

I'm sure you have heard of (and most probably already practise) InterVLAN routing. With Private VLANs the routing part can be a bit tricky. Keep in mind that this is not something I would recommend as a standard in a production environment, but for things like Cisco exams (e.g. CCIE R&S) or as a last-resort solution it may work.

Please consider the following simple topology:

With simple InterVLAN routing things are easy.
On the Layer 3 switch you configure the following:
!! We assume that the L2 configuration, like access port in the
!! correct VLAN, is already there
!! Only the routing part will be shown here
configure terminal
!
ip routing
!
vlan 10
!
vlan 20
!
interface vlan 10
ip address 10.10.10.254 255.255.255.0
!
interface vlan 20
ip address 20.20.20.254 255.255.255.0
!

On Router 1
!
ip route 0.0.0.0 0.0.0.0 10.10.10.254

On Router 2
!
ip route 0.0.0.0 0.0.0.0 20.20.20.254

That’s it, you’ll have connectivity from R1 to R2.

Now let's assume that VLAN 10 and 20 are not regular VLANs but Private VLANs, configured as secondary VLANs in community mode:
On L3 Switch
!! With VTP version 1 or 2 the switch must be in VTP transparent mode
!! before you can configure Private VLANs (VTP version 3 can carry them)
configure terminal
!
vlan 10
private-vlan community
!
vlan 20
private-vlan community
!
!! Private VLANs need a Primary VLAN
vlan 100
private-vlan primary
private-vlan association 10,20
!
Up to now we have one Primary VLAN (100) and two Secondary ones (10 and 20) associated with it. Next we will configure the physical ports in their specific VLANs.

On L3 Switch:
!
configure terminal
!
int x/y
description -> to R1
switchport mode private-vlan host
switchport private-vlan host-association 100 10
!
int z/w
description -> to R2
switchport mode private-vlan host
switchport private-vlan host-association 100 20
!
!! We will need a port on VLAN 100;
!! Any other device may be connected to this port

int x/x
description -> Other device in Primary Private-VLAN
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 10,20
!

In a standard Private-VLAN setup, at this point L2 communication is possible between the host on the promiscuous port (primary VLAN 100) and hosts in VLAN 10 or VLAN 20. Communication between hosts in VLAN 10 and hosts in VLAN 20 is not possible because both are community VLANs. As a small reminder: in community mode, L2 communication is possible only within the same community VLAN or with the promiscuous ports of the Primary VLAN.

If you now try to implement the InterVLAN routing presented above, you will see that it is not possible. When you try to bring up an SVI for VLAN 10 or 20, the switch rejects it because the VLAN is a secondary (community) Private VLAN; an SVI can only be configured on a primary VLAN. Let's see how we can fix this.

On L3 switch
!
configure terminal
!
ip routing
!! You configure an SVI for VLAN 100
!! This is also a private VLAN, but it is the Primary one, so the SVI is allowed
interface vlan 100
description -> InterVLAN routing
ip address 10.10.10.254 255.255.255.0
ip address 20.20.20.254 255.255.255.0 secondary
private-vlan mapping 10,20

All you have to do now is add the routing part on R1 and R2 (the default routes shown earlier) and they will be able to communicate; the VLAN 100 SVI handles the routing. Be aware of what this does: the primary SVI now routes between the two communities, so the separation that Private VLANs gave you holds only at Layer 2. If R1 and R2 should still not reach each other, or only on specific ports, apply an ACL on interface vlan 100; otherwise you have undone the isolation you started with.
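To make the forwarding rules above concrete, here is an added example (Python, not code from the original post) that models Layer 2 reachability between Private-VLAN port types and the effect of routing through the primary-VLAN SVI. VLAN 100/10/20 and the ports towards R1, R2 and the promiscuous device mirror the post; the isolated VLAN 30, its two hosts and the second host in VLAN 10 are assumptions added to show the remaining cases.

```python
"""Private-VLAN reachability model.

Added example, not code from the original post: it encodes the Layer 2 forwarding
rules between private-VLAN port types and the effect of routing through an SVI on
the primary VLAN, so a design like the one above can be checked before deployment.
VLAN 100/10/20 and the R1/R2/promiscuous ports mirror the post; the isolated VLAN 30,
its two hosts and the second VLAN 10 host are assumptions. Hosts are identified by
the access port they sit behind.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Pvlan:
    primary: int
    community: FrozenSet[int]
    isolated: FrozenSet[int]


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                              # "host" or "promiscuous"
    secondary: Optional[int] = None        # host ports: their secondary VLAN
    mapping: FrozenSet[int] = frozenset()  # promiscuous ports: mapped secondaries


def l2_reachable(a: Port, b: Port, pv: Pvlan) -> bool:
    """Layer 2 reachability between two ports of one private-VLAN domain.

    - promiscuous <-> promiscuous: both sit in the primary VLAN
    - promiscuous <-> host: only if the host's secondary is mapped on the
      promiscuous port
    - host <-> host: only inside the same community VLAN; isolated hosts
      never reach each other, even in the same isolated VLAN
    """
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        prom, host = (a, b) if a.mode == "promiscuous" else (b, a)
        return host.secondary in prom.mapping
    if a.secondary != b.secondary:
        return False
    return a.secondary in pv.community   # same isolated VLAN is still blocked


def svi_reaches(p: Port, svi_mapping: FrozenSet[int]) -> bool:
    """'interface vlan <primary>' + 'private-vlan mapping' makes the SVI behave
    like a promiscuous port: it sees the primary VLAN and every mapped secondary."""
    return p.mode == "promiscuous" or p.secondary in svi_mapping


def l3_reachable(a: Port, b: Port, svi_mapping: FrozenSet[int]) -> bool:
    """Routed reachability through the primary-VLAN SVI with no ACL applied.
    Two hosts the SVI can reach can be routed to each other; this is how the
    post re-enables the R1 <-> R2 traffic that the community VLANs block."""
    return svi_reaches(a, svi_mapping) and svi_reaches(b, svi_mapping)


def reachability_matrix(ports, pv, svi_mapping) -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """(L2, L3-via-SVI) reachability for every unordered pair of ports."""
    return {
        (a.name, b.name): (l2_reachable(a, b, pv), l3_reachable(a, b, svi_mapping))
        for a, b in combinations(ports, 2)
    }


# Topology from the post, plus an assumed isolated VLAN 30 with two hosts.
PV = Pvlan(primary=100, community=frozenset({10, 20}), isolated=frozenset({30}))
R1 = Port("x/y -> R1", "host", secondary=10)
R1_PEER = Port("second host in VLAN 10", "host", secondary=10)   # assumed
R2 = Port("z/w -> R2", "host", secondary=20)
PROM = Port("x/x -> promiscuous", "promiscuous", mapping=frozenset({10, 20}))
ISO_A = Port("iso-a", "host", secondary=30)                        # assumed
ISO_B = Port("iso-b", "host", secondary=30)                        # assumed
PORTS = [R1, R1_PEER, R2, PROM, ISO_A, ISO_B]
SVI_MAPPING = frozenset({10, 20})   # 'private-vlan mapping 10,20' under interface vlan 100

if __name__ == "__main__":
    for (x, y), (l2, l3) in reachability_matrix(PORTS, PV, SVI_MAPPING).items():
        print(f"{x:24s} <-> {y:24s}  L2={str(l2):5s}  L3-via-SVI={l3}")
```

Running it prints the full matrix; the rows worth reading are R1 <-> R2 (blocked at L2, reachable once the primary SVI is configured) and the two isolated hosts (blocked from each other and, since VLAN 30 is mapped neither on the promiscuous port nor on the SVI, from everything else).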


Draw network diagrams online (with Cisco stencils)

I'm a Mac and Linux user and if you are like me, then you have the same problems drawing network diagrams. Microsoft Visio does not have a version for these platforms. I'm not saying that there are no alternatives to Visio on the Mac or Linux platform, but most of them are either limited in features, expensive or need some tricks to use (as I described in one of my early posts).

Finally I’ve found something that is:
– accessible (free or paid, but decent prices)
– online
– allows me to use Cisco stencils (not all, but at least a decent set of them)
– import / export of Visio .vdx files (for the paid version; I would like to have it for free or in the Personal plan, but they have to make some money, don't they?)
– allows me to save the work in .pdf, .png or .jpeg format

The application is offered by LucidChart.com. I've found some other applications online, but I consider this the best so far.
I'm using the free version for now, but I'm thinking of buying a paid account, especially for the Visio import / export features. As said above, the prices are decent:


LucidChart.com may be used for more than just network diagrams, but I'm writing about this kind of drawing as it is the most important for me now. Since a picture is worth a thousand words, here is a small screencast I made to show you how it works. No words (I don't like how my recorded voice sounds), but you can see how a new network diagram is created from the start to the point where I can save it and use it outside LucidChart.com.

P.S. I'm not affiliated in any way with LucidChart.com, the links are not part of any affiliate program and I'm not paid to write this post! I just want to share with you something that I find useful for network engineers.


Cisco Easy VPN Router-to-Router

Cisco Easy VPN is not a new technology. Actually it is pretty old, but still used by many companies or people to connect remote site / remote workers to headquarter.

A few days ago I was looking to connect a remote site in a simple but still secure way, and a colleague suggested that I use Easy VPN. It was supposed to be a simple configuration, and it was, after solving all the issues that came into play.

First of all, I needed an Easy VPN Router (client) – to – Router (server) setup. The other method is a client (PC) with VPN software connecting to a Router / PIX / ASA / VPN Concentrator (server). Something like this:


The idea is that behind the client router I will have a group of people who need to connect to the headquarters, so I don't want each of them to use a personal VPN connection. In search of possible configurations I found this Cisco configuration example. The only issue in that document is that the Easy VPN tunnel needs manual intervention to connect, which I want to avoid.

For those who need a quick and secure Easy VPN connection here is my sample configuration:

EasyVPN-Server

!! We define a new AAA model for authentication and authorization
!! of remote VPN clients
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!! Generic username and password; "password 0" keeps the password in clear text
!! in the configuration, so in production use "username cisco secret <password>"
username cisco password 0 cisco123
!
!! We configure a crypto isakmp policy. The number and the algorithms are your choice;
!! 3DES and DH group 2 are weak by today's standards, so prefer AES (encr aes 256)
!! and group 14 or higher where both ends support them
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!! We add the group pre-shared key and the ! Important ! "save-password" command
!! "save-password" allows the client to store the Xauth password, which is needed
!! for an automatic VPN connection without manual intervention
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!! The IPsec transform set; you can pick a stronger one like esp-aes 256, but
!! for this example this one will work fine
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!! We put everything together in a crypto dynamic map
!! In network-extension mode the server needs a route back to the remote LAN;
!! if you do not have one already, "reverse-route" under this dynamic map injects
!! it when the tunnel comes up
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!! Apply the crypto map on the WAN interface, or wherever your VPN tunnels terminate
interface x/y
description WAN
crypto map clientmap

EasyVPN-Client

!! On the remote side we define an Easy VPN client
!! connect auto – the tunnel is brought up automatically
!! network-extension – the remote LAN keeps its own addresses and talks to the
!! server LAN without NAT
!! peer is the VPN server IP address
!! xauth mode has to be local, with the username and password stored here,
!! for an automatic connection without manual intervention
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 192.168.0.2
username cisco password cisco123
xauth userid mode local
!
!! Apply the already defined client profile to the WAN interface
!! This automatically becomes the Outside interface, even if you don't
!! add the "outside" keyword at the end of the command
interface x/y
description WAN
crypto ipsec client ezvpn ez
!
!! Apply it on ALL L3 LAN interfaces that need to communicate over the VPN;
!! here you must specify the keyword "inside"
interface x/y
description ANY L3 LAN interface (SVI / Physical)
crypto ipsec client ezvpn ez inside

To test whether your tunnel is up, issue the following command on the Easy VPN client router:

#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2

As you can see, Current State shows IPSEC_ACTIVE.

Other commands that will help you check that everything is OK (these can be run on the client or the server side):
#show crypto isakmp sa
! Look for "state" (it has to be QM_IDLE) and
! "status" (it has to be ACTIVE)

#show crypto ipsec sa
! Look for #pkts encaps and #pkts decaps; the two counters should be close to each other.
! If encaps keeps growing while decaps stays at 0, traffic leaves the tunnel but nothing
! comes back, which usually points to a routing, NAT or ACL problem on the other side
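The three checks above are easy to script when you have many remote routers. Here is an added example (Python, not code from the original post) that parses the output of the three show commands and applies exactly those criteria. The sample outputs are constructed for the example in the IOS layout (the tunnel name, peer and counter values are made up); the 5 % counter tolerance is my choice, not an IOS value.

```python
"""Easy VPN tunnel health check from IOS 'show' output.

Added example, not code from the original post: it parses the three show commands
the post recommends and applies the post's acceptance criteria (Current State
IPSEC_ACTIVE; an ISAKMP SA in QM_IDLE/ACTIVE with the configured peer; encaps and
decaps counters close to each other). The sample outputs are constructed in the IOS
layout; the 5 % counter tolerance is an assumption, not an IOS value.
"""
import re
from typing import Dict, List, Tuple

SHOW_EZVPN = """\
Easy VPN Remote Phase: 8

Tunnel name : ez
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2
"""

SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.0.2     192.168.0.1     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

"""

SHOW_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 192.168.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250
    #pkts decaps: 1244, #pkts decrypt: 1244, #pkts verify: 1244
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
"""

# One SA row: dst, src, state (e.g. QM_IDLE, MM_NO_STATE), conn-id, status.
ISAKMP_ROW = re.compile(
    r"^\s*(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+(?P<status>\S+)\s*$"
)


def ezvpn_fields(text: str) -> Dict[str, str]:
    """'Key : value' lines of 'show crypto ipsec client ezvpn' as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def isakmp_sessions(text: str) -> List[Dict[str, str]]:
    """SA rows of 'show crypto isakmp sa'; header lines do not match the pattern."""
    return [m.groupdict() for m in map(ISAKMP_ROW.match, text.splitlines()) if m]


def ipsec_counters(text: str) -> Tuple[int, int]:
    """Sum of #pkts encaps and #pkts decaps over all SAs in 'show crypto ipsec sa'."""
    encaps = sum(int(n) for n in re.findall(r"#pkts encaps:\s*(\d+)", text))
    decaps = sum(int(n) for n in re.findall(r"#pkts decaps:\s*(\d+)", text))
    return encaps, decaps


def tunnel_health(ezvpn: str, isakmp: str, ipsec: str, tolerance: float = 0.05) -> Dict[str, bool]:
    """Apply the post's three checks; every value True means the tunnel looks healthy."""
    fields = ezvpn_fields(ezvpn)
    peer = fields.get("Current EzVPN Peer", "")
    # Phase 1 must be fully up with the configured peer, not stuck in an MM_*/AG_* state.
    isakmp_ok = any(
        s["state"] == "QM_IDLE" and s["status"] == "ACTIVE" and peer in (s["dst"], s["src"])
        for s in isakmp_sessions(isakmp)
    )
    encaps, decaps = ipsec_counters(ipsec)
    # Both directions must carry traffic and stay within tolerance of each other;
    # encaps climbing while decaps stays at 0 means nothing comes back.
    biggest = max(encaps, decaps)
    balanced = min(encaps, decaps) > 0 and abs(encaps - decaps) <= tolerance * biggest
    return {
        "ipsec_active": fields.get("Current State") == "IPSEC_ACTIVE",
        "isakmp_qm_idle_active": isakmp_ok,
        "counters_balanced": balanced,
    }


if __name__ == "__main__":
    for check, ok in tunnel_health(SHOW_EZVPN, SHOW_ISAKMP_SA, SHOW_IPSEC_SA).items():
        print(f"{check:24s} {'OK' if ok else 'FAIL'}")
```

Feed it the real output captured from the router (for example via SSH) instead of the constants and you get a pass/fail per check; the peer comparison in the ISAKMP check matters because a stale SA towards an old server would otherwise look healthy.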

I hope this will help you. If anything is unclear please ask in comments.


Interface software loop

If you have ever worked in an environment with leased / dedicated lines provided by your SP (service provider), you know that whenever there is a problem on the line they request, if possible, that you put a loop on the line from one end toward the other, so they can take some measurements. In my experience with SPs this is the standard approach when they don't know exactly what the problem with your line is or where it occurred, especially if they use sub-providers of their own.

Lately I have seen some questions on the Cisco support forums regarding the use of software loops on Ethernet interfaces, so I've decided to write a small how-to about the basic configuration of a soft loop on different interface types.

Controller (E3, T3) soft loop on all channels

configure terminal
! Apply the loop on the controller interface to loop the entire (e.g.) T3 interface (all 28 x T1 channels)
controller t3 3/0
loopback [local | network | remote]

Mandatory parameter:

loopback – place the loop

Optional:

local –  Loops the data back toward the router and sends an AIS signal out toward the network

network –  Loops the data toward the network at the T1 framer

remote – Sends a far-end alarm control (FEAC) request to the remote end requesting that it enter into a network line loopback. FEAC requests (and therefore remote loopbacks) are only possible when the T3 is configured for C-bit framing.

Controller (T3, E3) soft loop on one channel (T1, E1)

If your controller is channelized for T1 / E1, you can avoid looping the entire controller and apply the soft loop to a single channel instead:

configure terminal
! Apply the soft loop under interface configuration rather than controller
interface  Serial3/0:1
loopback [local | network {line | payload} | remote {line {fdl {ansi | bellcore} | inband} | payload [fdl] [ansi]}]

Mandatory:

loopback – applies the soft loop

Optional:

local –  Loops the router output data back toward the router at the T1 framer and sends an AIS signal out toward the network.

network – Loops the data back toward the network before the T1 framer and automatically sets a local loopback at the HDLC controllers (line), or loops the payload data back toward the network at the T1 framer and automatically sets a local loopback at the HDLC controllers (payload).

remote line fdl –  Sends a repeating, 16-bit ESF data link code word; ansi—Places the CSU into loopback, per the ANSI T1.403 Specification; bellcore—Places the SmartJack into loopback, per the TR-TSY-000312 Specification

remote line inband –  Sends a repeating, 5-bit inband pattern (00001) to the remote end requesting that it enter into a network line loopback.

payload – Sends a repeating, 16-bit ESF data link code word to the remote end requesting that it enter into a network payload loopback. The fdl and ansi keywords enable the remote payload Facility Data Link (FDL) ANSI bit loopback on the T1 channel; it is rarely necessary to specify them.

To be honest, I have never used more than the local or network parameters here. The other ones I added with an explanation, but I have never used them.

Serial interfaces (PA-E3 or a PA-T3 port adapter)

configure terminal
! Apply the soft loop on the serial interface
interface Serial3/0
! If the interface is a port on a PA-E3
loopback [dte | local | network {line | payload}]
! If the interface is a port on a PA-T3
loopback [dte | local | network {line | payload} | remote]

Mandatory:

loopback – apply the soft loop

Optional:

dte – Sets the loopback after the LIU toward the terminal.

local – Sets the loopback after going through the framer toward the terminal.

network – Sets the loopback toward the network before going through the framer (line) or after going through the framer (payload).

remote (only T3) – Sends a far-end alarm control (FEAC) to set the remote framer in loopback.

Ethernet interfaces

configure terminal
! Apply the soft loop on a Ethernet interface
interface GigabitEthernet
loopback [driver | mac] 

Mandatory:

loopback – apply the loop

Optional (only on Gigabit Interfaces):

driver – apply the loop at the transceiver level

mac – apply the loop at the MAC controller level

You can use the loopback driver and loopback mac interface configuration commands with the 2-Port 10/100/1000 Gigabit Ethernet SPA. These commands do not apply to the 4-Port 10/100 Fast Ethernet SPA. To properly enable an internal loopback you must disable autonegotiation (under interface configuration, apply no negotiation auto).
Due to different card / router models, IOS versions and SP-specific configurations, not all the commands will fit exactly as described above, but at least this is a starting point when you need to enable a soft loop. Remember that a looped interface carries no user traffic: once the provider has finished its measurements, remove the loop with no loopback under the same interface or controller, otherwise the line stays down. If you are a beginner you may wonder why I call it a soft loop. This is because it is a software loop, as opposed to a hardware loop, where the wires are physically looped.
