BGP Conditional Advertisement

BGP Conditional Advertisement gives the impression of a very complex task. Actually, you will find it very easy to implement once you understand it.

In simple words, BGP conditional advertisement is a feature that lets you advertise a prefix to one of your neighbors only when a condition is satisfied. To implement it you configure the advertise-map plus exactly one of the two condition maps:

– Advertise-map -> route-map selecting the prefixes that will be advertised (or withdrawn) depending on the condition
– Exist-map -> condition to be satisfied (advertise the prefixes in the “advertise-map” only if at least one prefix matching this map exists in the BGP table)
– Non-exist-map -> condition to be satisfied (advertise the prefixes in the “advertise-map” only if no prefix matching this map exists in the BGP table)

Let’s take an example. We have the following topology:

We have here a simple topology, with eBGP peering between R1 – R2 and R2 – R3. Each router has a Loopback interface with the following IP addresses:

R1 – L0 – 1.1.1.1 /24
R2 – L0 – 2.2.2.2 /24
R3 – L0 – 3.3.3.3 /24

These interfaces are advertised into BGP and they have full reachability:

R2#sh ip bgp sum | b Nei
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.12.1      4   100       5       4        0    0    0 00:01:27        1
10.10.23.3      4   300       2       2        0    0    0 00:00:24        0
 
R2#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.10.12.1               0             0 100 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 3.3.3.0/24       10.10.23.3               0             0 300 i
 
R2#sh ip route bgp
     1.0.0.0/24 is subnetted, 1 subnets
B       1.1.1.0 [20/0] via 10.10.12.1, 00:04:02
     3.0.0.0/24 is subnetted, 1 subnets
B       3.3.3.0 [20/0] via 10.10.23.3, 00:04:02

Task

A typical task reads like this: if 1.1.1.0 /24 is NOT in the BGP table of R2, then R2 should advertise its 2.2.2.0 /24 to R3.

Solution

Let’s analyze this request a little. The prefix that is advertised or not, depending on whether the condition is satisfied, is 2.2.2.0 /24. According to what I said before about the necessary “maps” for BGP conditional advertisement, this prefix goes into the “advertise-map”. R2 is the only router you need to configure to accomplish this task.

conf t
access-list 2 permit 2.2.2.0 0.0.0.255
route-map ADVERTISE permit 10
match ip address 2

OK, we have the advertise map. What about the condition? The task requests that 2.2.2.0 /24 be advertised only if 1.1.1.0 /24 does NOT exist in the BGP table of R2, so the “non-exist-map” is what we need to configure. One caveat when the condition is built from a standard access-list: “match ip address” compares only the network address of each prefix against the wildcard, so 1.1.1.0/25 or 1.1.1.128/25 in the BGP table would satisfy the condition as well. If the condition must match exactly 1.1.1.0/24, use “match ip address prefix-list” with a prefix-list instead.

conf t
access-list 1 permit 1.1.1.0 0.0.0.255
route-map NOT-EXIST permit 10
match ip address 1

Let’s add everything together in BGP:

conf t
router bgp 200
neighbor 10.10.23.3 advertise-map ADVERTISE non-exist-map NOT-EXIST

Verification

IOS evaluates the condition in the BGP scanner, which runs every 60 seconds by default, so allow up to a minute after a change before checking the result. The current decision is visible in “show ip bgp neighbor 10.10.23.3”, which lists the condition map, the advertise map and a status of Advertise or Withdraw. On R2 check the BGP table:

R2#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.10.12.1               0             0 100 i
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 3.3.3.0/24       10.10.23.3               0             0 300 i

We have the 1.1.1.0 /24 prefix in the BGP table. According to our task, 2.2.2.0 /24 should be advertised only if 1.1.1.0 /24 does NOT exist. Consequently, while 1.1.1.0 /24 EXISTS, 2.2.2.0 /24 must NOT be advertised. You see? It is mostly a matter of reading the wording carefully.

R2#sh ip bgp neigh 10.10.23.3 adv | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.10.12.1               0             0 100 i
 
Total number of prefixes 1

We advertise only one network; 2.2.2.0 /24 is not advertised to R3:

R3#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       10.10.23.2                             0 200 100 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

To check that the conditional advertisement really works, stop R1 from announcing 1.1.1.0 /24 in BGP; you can simply shut down its Loopback interface.
Then check whether R1’s L0 network is still in the routing table / BGP table of R2:

R2#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
*> 3.3.3.0/24       10.10.23.3               0             0 300 i

1.1.1.0 /24 is no longer in the BGP table of R2, so 2.2.2.0 /24 should now be advertised to R3:

R2#sh ip bgp neigh 10.10.23.3 adv | b Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       0.0.0.0                  0         32768 i
 
Total number of prefixes 1

On R3:

R3#sh ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       10.10.23.2               0             0 200 i
*> 3.3.3.0/24       0.0.0.0                  0         32768 i

Remember that in the exams, the tasks related to BGP Conditional Advertisement are usually more a play on words than technically complex. As an example, based on the above topology, solve the following:
– If 1.1.1.0 /24 and 2.2.2.0 /24 are both in the BGP table of R2, both prefixes should be advertised to R3
– If 1.1.1.0 /24 is not in the BGP table of R2, then 2.2.2.0 /24 should not be advertised to R3
– If 1.1.1.0 /24 and 2.2.2.0 /24 are not in the BGP table of R2, then none of them should be advertised to R3

If you don’t understand the trick, let me know and I will explain.
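To make the decision rule behind exist-map / non-exist-map explicit, and to show the matching subtlety of a standard ACL condition, here is an added example modelling how IOS decides what a neighbor receives. It is Python written for this page, not IOS configuration and not code from the original post; the exclusion of 3.3.3.0/24 as a prefix learned from R3, the 1.1.1.128/25 prefix and the status strings are constructed inputs mirroring the outputs shown above.

```python
"""Decision rule behind 'neighbor X advertise-map A {exist-map|non-exist-map} C'.

Added example, not Cisco code: it reproduces the rule IOS applies and the two
match styles a condition map can use, so you can see which prefixes a neighbor
receives for a given BGP table."""
import ipaddress

Net = ipaddress.IPv4Network


def acl_wildcard(acl_addr: str, wildcard: str):
    """Predicate for a standard ACL line ('access-list 1 permit 1.1.1.0 0.0.0.255')
    used under 'match ip address'. Only the prefix's network address is compared
    against ADDR/WILDCARD; the prefix length is ignored, so 1.1.1.0/25 and
    1.1.1.128/25 also match this line."""
    addr = int(ipaddress.IPv4Address(acl_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return lambda p: (int(p.network_address) & care) == (addr & care)


def prefix_list(entry: str):
    """Predicate for 'ip prefix-list NAME permit a.b.c.d/len' without ge/le:
    the network and the prefix length must both match."""
    want = Net(entry)
    return lambda p: p == want


def conditional_advertisement(bgp_table, advertise_map, condition_map, kind,
                              learned_from_neighbor=()):
    """Return (status, advertised) for one neighbor.

    bgp_table             : prefixes (strings) in the local BGP table
    advertise_map         : predicates selecting the conditional prefixes
    condition_map         : predicates of the exist-map or non-exist-map
    kind                  : "exist-map" or "non-exist-map"
    learned_from_neighbor : prefixes learned from this peer; never sent back
    status                : "Advertise" or "Withdraw", as shown under
                            'show ip bgp neighbor' for the condition map
    """
    table = {Net(p) for p in bgp_table}
    condition_hit = any(m(p) for p in table for m in condition_map)
    if kind == "exist-map":
        advertise = condition_hit
    elif kind == "non-exist-map":
        advertise = not condition_hit
    else:
        raise ValueError(f"unknown condition type {kind!r}")
    candidates = table - {Net(p) for p in learned_from_neighbor}
    conditional = {p for p in candidates if any(m(p) for m in advertise_map)}
    advertised = (candidates - conditional) | (conditional if advertise else set())
    return ("Advertise" if advertise else "Withdraw", sorted(str(p) for p in advertised))


# The page's task on R2: send 2.2.2.0/24 to R3 only while 1.1.1.0/24 is absent.
ADVERTISE = [acl_wildcard("2.2.2.0", "0.0.0.255")]
NOT_EXIST = [acl_wildcard("1.1.1.0", "0.0.0.255")]
FROM_R3 = ["3.3.3.0/24"]   # constructed: R3's own loopback, learned from R3


def r2_to_r3(bgp_table):
    return conditional_advertisement(bgp_table, ADVERTISE, NOT_EXIST,
                                     "non-exist-map", FROM_R3)


if __name__ == "__main__":
    for table in (["1.1.1.0/24", "2.2.2.0/24", "3.3.3.0/24"],     # page, before R1 L0 shut
                  ["2.2.2.0/24", "3.3.3.0/24"],                   # page, after R1 L0 shut
                  ["1.1.1.128/25", "2.2.2.0/24", "3.3.3.0/24"]):  # ACL wildcard pitfall
        status, adv = r2_to_r3(table)
        print(f"{status:9} {adv}")
```

The third table shows the caveat from the solution section: a /25 inside 1.1.1.0/24 still satisfies the wildcard ACL and keeps 2.2.2.0/24 withdrawn, whereas a condition built with prefix_list("1.1.1.0/24") would not be satisfied by it.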


RIPv2 MD5 authentication – routing trick

I must admit that the following example is more of a CCIE exam topic than a solution you would deploy in a real network environment.

Let’s assume that we have the following topology:


The Loopback interfaces are there to provide some networks which we will advertise into RIPv2. The requirement for this topic is to have RIPv2 MD5 authentication in place, with Router1 receiving all routes from Router2 but Router2 having no prefixes from Router1 in its routing table. Don’t use any access-list, prefix-list, distribute-list, or the RIP version send / receive commands under the interface... in short, don’t use anything that is commonly used to accomplish this task.

Let’s start the configuration:
Router 1
!
router rip
version 2
network 10.0.0.0
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
no auto-summary
!
!! Let’s define the key chain
!! RIPv2 MD5 authentication normally needs
!! the same key number (and key-string) on
!! both ends
key chain RIP
key 1
key-string cisco
!
!! let’s apply RIPv2 authentication
int fa0/1
ip rip authentication mode md5
ip rip authentication key-chain RIP
!
Now the configuration on Router 2
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
key chain RIP
key 1
key-string cisco
!
int fa0/0
ip rip authentication mode md5
ip rip authentication key-chain RIP

If you want to check that RIPv2 authentication is running fine, shut / no shut one interface and on the other end run:
debug ip rip
You should see something like:
*Mar 12 03:22:08.261: RIP: received packet with MD5 authentication

OK, let’s check the routing tables.

Router1

R1#sh ip route rip
R 172.16.4.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.5.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.0.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.1.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.2.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1
R 172.16.3.0 [120/1] via 10.10.12.2, 00:00:20, FastEthernet0/1

Router 2

R2#sh ip route rip
R 192.168.4.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.5.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.0.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.1.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.2.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0
R 192.168.3.0/24 [120/1] via 10.10.12.1, 00:00:23, FastEthernet0/0

We have all routes. Until now we have just configured RIPv2 with authentication, which is working fine, but we still haven’t accomplished our task.
Here is how we will do it. I found this out recently. I believe some of you already know this trick, but for the rest it will be pretty interesting.

The usual rule for RIPv2 MD5 authentication is that the key number in the key chain has to match on both ends for everything to work. But what if we change one side to a key number higher than (in our case) 1?

The result is that the router with the higher key number receives ALL routes and the one with the lower key number receives NO routes. This comes from how IOS looks up the key ID carried in the RIP-2 authentication header: if the receiver has no key with that exact ID, it tries the next higher key ID in its chain and accepts the update when the key-string matches, but a received key ID above every key in its chain is rejected as invalid authentication. Our task is that R1 has all routes while R2 has no RIP prefixes in its routing table. Since both keys are number 1, instead of lowering the key number on R2 we increase it on R1. Note that this is filtering as a side effect of the key lookup, not a security control: both routers still share the same key-string, and anyone holding it can still inject routes.

On Router 1
!
R1#conf t
R1(config)#key chain RIP
R1(config-keychain)#no key 1
R1(config-keychain)#key 5
R1(config-keychain-key)#key-string cisco
R1(config-keychain-key)#end

Let’s check the routing tables on those two devices again. You may want to clear the IP routing table (clear ip route *) to speed up the process.

Router 1

R1#sh ip route rip
R 172.16.4.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.5.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.0.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.1.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.2.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1
R 172.16.3.0 [120/1] via 10.10.12.2, 00:00:06, FastEthernet0/1

Router 2

R2#sh ip route rip

There is nothing in the routing table.

Let’s check with ping:

R1#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/24 ms

Of course it works, since the source address is that of the directly connected interface, which R2 knows. Let’s try the ping with one of the Loopback interfaces on R1 as the source:

R1#ping 172.16.1.1 source lo10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
.....
Success rate is 0 percent (0/5)

It’s not working, as R2 does not have a route back to the Loopback10 subnet, 192.168.0.0 /24.

If you’ll do a “debug ip rip” on R2 you will see something like this:

*Mar 12 03:39:57.001: RIP: ignored v2 packet from 10.10.12.1 (invalid authentication)
*Mar 12 03:39:58.261: RIP: received packet with MD5 authentication
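The authentication header and trailer behind those two debug lines, as an added example that is not part of the original post: this Python builds an RFC 2082 RIPv2 Response with a keyed-MD5 trailer and verifies it against a key chain, then replays the post’s two states. The wire format follows RFC 2082; three points are assumptions about the IOS implementation, marked in the code: the key-string is zero-padded to 16 bytes, each sender signs with its lowest key ID, and a receiver lacking the received key ID falls back to the next higher key ID in its chain (the behaviour observed above). The route lists are constructed samples.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082) built and verified by hand.

Added example, not Cisco code. The wire format follows RFC 2082. Three points
are assumptions about the IOS implementation and are marked as such below:
the key-string is zero-padded to 16 bytes, the sender uses its lowest key ID,
and a receiver that lacks the received key ID falls back to the next higher
key ID in its chain (the behaviour the post observed)."""
import hashlib
import hmac
import ipaddress
import struct

AFI_AUTH = 0xFFFF
AUTH_MD5 = 0x0003      # authentication entry: keyed message digest
AUTH_TRAILER = 0x0001  # trailer entry carrying the digest
DIGEST_LEN = 16


def md5_key_bytes(key_string: str) -> bytes:
    # ASSUMPTION: IOS truncates/zero-pads the key-string to exactly 16 bytes.
    return key_string.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def rte(prefix: str, metric: int) -> bytes:
    """One RIPv2 route entry: AFI=2, tag 0, network, mask, next hop 0, metric."""
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, b"\x00" * 4, metric)


def build_response(routes, key_id: int, key_string: str, seq: int) -> bytes:
    """RIPv2 Response with an MD5 authentication entry and digest trailer."""
    header = struct.pack("!BBH", 2, 2, 0)               # command=Response, version 2
    rtes = b"".join(rte(p, m) for p, m in routes)
    pkt_len = len(header) + 20 + len(rtes)              # offset of the trailer
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len, key_id,
                       DIGEST_LEN, seq, b"\x00" * 8)
    body = header + auth + rtes + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # RFC 2082 3.2.2: digest over everything up to the trailer header, with the
    # 16-byte key appended where the digest will go; the digest replaces the key.
    return body + hashlib.md5(body + md5_key_bytes(key_string)).digest()


def select_key(chain: dict, received_id: int):
    """ASSUMPTION (models the post's observation): an exact key ID match wins;
    otherwise the lowest key ID above the received one; otherwise no key."""
    if received_id in chain:
        return chain[received_id]
    higher = [k for k in chain if k > received_id]
    return chain[min(higher)] if higher else None


def verify_response(pkt: bytes, chain: dict):
    """Return (ok, reason). 'chain' maps key ID -> key-string, like 'key chain RIP'."""
    if len(pkt) < 4 + 20 + 4 + DIGEST_LEN:
        return False, "short packet"
    afi, atype, pkt_len, key_id, dlen, _seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or dlen != DIGEST_LEN:
        return False, "not keyed-MD5"
    if pkt_len + 4 + DIGEST_LEN != len(pkt):
        return False, "bad length"
    key = select_key(chain, key_id)
    if key is None:
        return False, "invalid authentication"      # what 'debug ip rip' logs
    expected = hashlib.md5(pkt[:pkt_len + 4] + md5_key_bytes(key)).digest()
    if not hmac.compare_digest(expected, pkt[pkt_len + 4:]):
        return False, "invalid authentication"
    return True, "received packet with MD5 authentication"


# Constructed sample routes, as on the page's two routers.
ROUTES_R1 = [("192.168.0.0/24", 1), ("192.168.1.0/24", 1)]
ROUTES_R2 = [("172.16.0.0/24", 1), ("172.16.1.0/24", 1)]


def scenario(r1_chain: dict, r2_chain: dict):
    """(does R1 accept R2's update?, does R2 accept R1's update?).
    ASSUMPTION: each sender signs with its lowest key ID."""
    r1_id, r2_id = min(r1_chain), min(r2_chain)
    from_r1 = build_response(ROUTES_R1, r1_id, r1_chain[r1_id], seq=1)
    from_r2 = build_response(ROUTES_R2, r2_id, r2_chain[r2_id], seq=1)
    return verify_response(from_r2, r1_chain)[0], verify_response(from_r1, r2_chain)[0]


if __name__ == "__main__":
    print(scenario({1: "cisco"}, {1: "cisco"}))   # both key 1: (True, True)
    print(scenario({5: "cisco"}, {1: "cisco"}))   # R1 moved to key 5: (True, False)
```

Two things worth noticing while reading it: the digest is plain keyed MD5 with the secret appended, not an HMAC, and the key ID is a one-byte lookup hint with no cryptographic role. Whatever the receiver does when the ID is missing is an implementation choice, which is exactly why the trick above works on IOS and why it belongs in an exam rather than in a production design.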

I hope this example will help in your preparation.


InterVLAN routing using Private VLANs

Private VLANs are one possible solution for service providers to offer isolated connections to their customers: hosts that share the same primary VLAN and IP subnet are prevented from talking to each other at Layer 2.

I’m sure you have heard of (and most probably already practiced) InterVLAN routing. When it comes to Private VLANs the routing part may be a bit tricky. Keep in mind that this is not something I would recommend as a standard in a production environment, but for things like Cisco exams (e.g. CCIE R&S) or as a last-resort solution it may work.

Consider please the following simple topology:

With simple InterVLAN Routing the things will be easy.
On the Layer 3 Switch you configure the following:
!! We assume that the L2 configuration, like access port in the
!! correct VLAN, is already there
!! Only the routing part will be shown here
configure terminal
!
ip routing
!
vlan 10
!
vlan 20
!
interface vlan 10
ip address 10.10.10.254 255.255.255.0
!
interface vlan 20
ip address 20.20.20.254 255.255.255.0
!

On Router 1
!
ip route 0.0.0.0 0.0.0.0 10.10.10.254

On Router 2
!
ip route 0.0.0.0 0.0.0.0 20.20.20.254

That’s it, you’ll have connectivity from R1 to R2.

Now let’s assume that VLAN 10 and 20 are not regular VLANs but Private VLANs configured as secondary VLANs in community mode:
On L3 Switch
!! You need VTP in transparent mode
!! for Private VLANs configuration
configure terminal
!
vlan 10
private-vlan community
!
vlan 20
private-vlan community
!
!! Private VLANs need a Primary VLAN
vlan 100
private-vlan primary
private-vlan association 10,20
!
Up to now we have one Primary VLAN (100) and two Secondary ones (10 and 20) associated with the primary. Next we will configure the physical ports in their specific VLANs.

On L3 Switch:
!
configure terminal
!
int x/y
description -> to R1
switchport mode private-vlan host
switchport private-vlan host-association 100 10
!
int z/w
description -> to R2
switchport mode private-vlan host
switchport private-vlan host-association 100 20
!
!! We will need a port on VLAN 100;
!! Any other device may be connected to this port

int x/x
description -> Other device in Primary Private-VLAN
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 10,20
!

In a standard Private-VLAN setup, at this point hosts behind the promiscuous port in VLAN 100 can talk at L2 with hosts in VLAN 10 or VLAN 20. Hosts in VLAN 10 cannot talk to hosts in VLAN 20, because both are community VLANs. As a reminder, a community port can communicate at L2 only with other ports in the same community VLAN and with promiscuous ports of the Primary VLAN.

If you now try to implement the InterVLAN routing presented above, you will see that it is not possible: when you try to bring up an SVI for VLAN 10 or 20, IOS returns an error stating that the VLAN is a secondary private VLAN (community) and an interface cannot be configured on it. Let’s see how we can fix this.

On L3 switch
!
configure terminal
!
ip routing
!! You’ll configure a SVI interface for VLAN 100
!! This is also a private VLAN, but it is the Primary one
interface vlan 100
description -> InterVLAN routing
ip address 10.10.10.254 255.255.255.0
ip address 20.20.20.254 255.255.255.0 secondary
private-vlan mapping 10,20

All you have to do now is add the routing part on R1 and R2 (the default routes shown earlier) and they will be able to communicate; the VLAN 100 SVI handles the routing. Be aware of what this changes: the private-VLAN isolation between VLAN 10 and VLAN 20 is Layer 2 only, and once the primary SVI routes between the two subnets a host in one community can reach a host in the other through the switch. If that is not what you want, restrict the traffic with an access-list applied to interface vlan 100.


Cisco Easy VPN Router-to-Router

Cisco Easy VPN is not a new technology. Actually it is pretty old, but it is still used by many companies and people to connect remote sites / remote workers to headquarters.

A few days ago I was looking to connect a remote site in a simple but still secure way, and a colleague suggested that I use Easy VPN. It was supposed to be a simple configuration, and it was, after solving all the issues that came into play.

First of all, I needed an Easy VPN Router (client) to Router (server) setup. The other method is a software client on a PC connecting to a Router / PIX / ASA / VPN Concentrator (server). Something like this:


The idea is that behind the client router I will have a group of people who need to connect to headquarters, so I don’t want each of them to use a personal VPN connection. While searching for possible configurations, I found this Cisco configuration example. The only issue with that document is that the Easy VPN tunnel needs manual intervention to connect, which I want to avoid.

For those who need a quick and secure Easy VPN connection here is my sample configuration:

EasyVPN-Server

!! We define a new AAA model for authentication and authorization
!! for remote VPN clients
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!! Local Xauth user. Prefer “username cisco secret cisco123” so the password is
!! stored hashed; “password 0” keeps it in clear text in the configuration
username cisco password 0 cisco123
!
!! We configure a crypto isakmp policy. The number and encryption are your choice;
!! 3DES and DH group 2 are weak by current standards, so prefer “encr aes 256” and
!! “group 14” or higher where both ends support them
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!! We add a key and ! Important ! “save-password” command
!! “Save-password” allow client to save the password in an automatic vpn connection
!! scenario
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!! The IPSec transform set; You can pick a stronger one like esp-aes 256, but
!! for this example will work fine
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!! We get everything together in a crypto dynamic map
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!! Add the crypto map on the WAN interface or where your VPN tunnels will terminate
interface x/y
description WAN
crypto map clientmap

EasyVPN-Client

!! On the remote side we define an Easy VPN client
!! connect auto – means it will connect automatically
!! network-extension – connection between remote side LAN and server LAN will
!! not need NAT
!! peer is the VPN server IP address
!! xauth mode has to be local for auto connection without manual intervention
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 192.168.0.2
username cisco password cisco123
xauth userid mode local
!
!! Apply the already defined crypto to WAN interface
!! This will be automatically the Outside interface, even if you don’t
!! add the “outside” keyword at the end of the command
interface x/y
description WAN
crypto ipsec client ezvpn ez
!
!! Apply it on ALL L3 LAN interfaces that need to communicate over the VPN;
!! moreover, you need to specify the keyword “inside”
interface x/y
description ANY L3 LAN interface (SVI / Physical)
crypto ipsec client ezvpn ez inside

To test whether your tunnel is up, issue the following command on the Easy VPN client router:

#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: GigabitEthernet0/0, GigabitEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
Current EzVPN Peer: 192.168.0.2

As you can see, the Current State shows IPSEC_ACTIVE.

Other commands that will help you check that everything is OK (these can be run on the client or server side):
#show crypto isakmp sa
! Look for the “state” (it has to be QM_IDLE) and
! “status” (has to be ACTIVE)

#show crypto ipsec sa
! Look for #pkts encaps and #pkts decaps; both counters should increase as traffic flows

I hope this will help you. If anything is unclear please ask in comments.


Interface software loop

If you have ever worked in an environment where you deal with leased / dedicated lines provided by your SP (service provider), then you know that whenever there is a problem on the line they request, if possible, that you put a loop on the line from one end toward the other so they can take some measurements. In my experience with SPs this is the standard approach when they don’t know exactly what the problem with your line is or where it occurred, especially if they use sub-providers of their own.

Lately I saw some questions on the Cisco support forums about the usage of software loops on Ethernet interfaces, so I decided to write a small how-to about the basic configuration of a soft loop on different interface types.

Controller (E3, T3) soft loop on all channels

configure terminal
! Apply the loop on the controller to loop the entire (e.g.) T3 interface (all 28 T1 channels)
controller t3 3/0
loopback [local | network | remote]

Mandatory parameter:

loopback – place the loop

Optional:

local –  Loops the data back toward the router and sends an AIS signal out toward the network

network –  Loops the data toward the network at the T1 framer

remote – Sends a far-end alarm control (FEAC) request to the remote end requesting that it enter into a network line loopback. FEAC requests (and therefore remote loopbacks) are only possible when the T3 is configured for C-bit framing.

Controller (T3, E3) soft loop on one channel (T1, E1)

If your controller is channelized into T1 / E1 channels, you can avoid looping the entire controller and apply the soft loop to only one channel:

configure terminal
! Apply the soft loop under interface configuration rather than controller
interface  Serial3/0:1
loopback [local | network {line | payload} | remote {line {fdl {ansi | bellcore} | inband} | payload [fdl] [ansi]}]

Mandatory:

loopback – applies the soft loop

Optional:

local – Loops the router output data back toward the router at the T1 framer and sends an AIS signal out toward the network.

network line – Loops the data back toward the network before the T1 framer and automatically sets a local loopback at the HDLC controllers.

network payload – Loops the payload data back toward the network at the T1 framer and automatically sets a local loopback at the HDLC controllers.

remote line fdl – Sends a repeating, 16-bit ESF data link code word requesting a remote line loopback; ansi places the CSU into loopback, per the ANSI T1.403 specification; bellcore places the SmartJack into loopback, per the TR-TSY-000312 specification.

remote line inband – Sends a repeating, 5-bit inband pattern (00001) to the remote end requesting that it enter a network line loopback.

remote payload – Sends a repeating, 16-bit ESF data link code word to the remote end requesting that it enter a network payload loopback; this enables the remote payload Facility Data Link (FDL) ANSI bit loopback on the T1 channel. It is rarely necessary to specify the fdl or ansi keywords.

To be honest, I have never used more than the local or network parameters here. The other ones I include with an explanation, but I have never used them.

Serial interfaces (PA-E3 or a PA-T3 port adapter)

configure terminal
! Apply the soft loop on the serial interface
interface Serial3/0
! If the interface is a port on a PA-E3
loopback [dte | local | network {line | payload}]
! If the interface is a port on a PA-T3
loopback [dte | local | network {line | payload} | remote]

Mandatory:

loopback – apply the soft loop

Optional:

dte – Sets the loopback after the LIU toward the terminal.

local – Sets the loopback after going through the framer toward the terminal.

network – Sets the loopback toward the network before going through the framer (line) or after going through the framer (payload).

remote (only T3) – Sends a far-end alarm control (FEAC) to set the remote framer in loopback.

Ethernet interfaces

configure terminal
! Apply the soft loop on a Ethernet interface
interface GigabitEthernet x/y
loopback [driver | mac]

Mandatory:

loopback – apply the loop

Optional (only on Gigabit Interfaces):

driver – apply the loop at the transceiver level

mac – apply the loop at the MAC controller level

The loopback driver and loopback mac interface configuration commands apply to the 2-Port 10/100/1000 Gigabit Ethernet SPA; they are not available on the 4-Port 10/100 Fast Ethernet SPA. To enable an internal loopback properly you must first disable autonegotiation (no negotiation auto under the interface).

Due to different card / router models, IOS versions and provider-specific setups, not all the commands will fit exactly as described above, but at least this is a starting point when you need to enable a soft loop. Two practical reminders: while the loop is in place the interface carries no production traffic, so agree the test window with the provider, and remove the loop with no loopback as soon as the measurements are done. If you are a beginner you may wonder why I call it a soft loop. It is a software loop, as opposed to a hardware loop, where the wires are physically looped.
