Category: Route

LAB IX – RIPv2 -> OSPF Case Study

Building a use case from the CCDP FLG:

Topology:

  • Each site has two links to their HQ (top) via WAN (Prio) and Internet ( backup ).
  • Internet and WAN connectivity goes over multipoint GRE tunnels to the sites with static NHRP mappings.
  • Cost of Internet links are increased so they’re used as backup links.
  • Backbone area configured over WAN and Internet

Building the LAB:

OSPF Design

Building the Backbone:

Adding the tunnel interface and NHRP mappings on the WAN Hub Router (R1):

And we have some routing on the Hubs:

LAB VII: BGP communities

Building a case study from the ARCH FLG book; BGP communities.

The idea is to use BGP communities to influence the routing between Autonomous Systems with the following goals in mind:

  • Configure communities to tag the routes per building on each AS.
  • Configure communities as no-export so the routes of AS65001.building2 and AS65002.building2 are not exported through AS65000.
    • The routes will be tagged on R6 and R9 with community 65000:99 and processed on the AS boundry.
    • The routes of AS65001.building1 and AS65002.building1 are allowed to be exported.
  • Configure communities so that R7 and R8 can set their local preference on the AS65000 side.
    • The routes will be tagged on R7 will be tagged with 65000:200 resulting in a local-preference of 200.
    • The routes will be tagged on R8 will be tagged with 65000:300 resulting in a local-preference of 300.
ASBuildingSubnetCommunityDescription
AS65000Building 1 ( Router 1 )10.0.1.0/2465000:5001
AS65000Building 2 ( Router 2 )10.0.2.0/2465000:5002Single uplink to AS65001
AS65000Building 3 ( Router 3 )10.0.3.0/2465000:5003Double uplink to AS65002
AS65000Building 3 ( Router 4 )10.0.3.0/2465000:5003Double uplink to AS65002
AS65001Building 1 ( Router 5 )10.0.111.0/2465001:5102
AS65001Building 2 ( Router 6 )10.0.112.0/2465001:5102
65000:99
Community 65000:99 is used for no-export
AS65002Building 1 ( Router 7 )10.0.221.0/2465002:5202
65000:200
65000:200 is used for local preference 200 in AS65000
AS65002Building 1 ( Router 8 )10.0.221.0/2465002:5201
65000:300
65000:300 is used for local preference 300 in AS65000
AS65002Building 3 ( Router 9 )10.0.222.0/2465002:5202
65000:99
Community 65000:99 is used for no-export

LAB:

LAYER3:

(more…)

LAB IV ( vPC – virtual Port-channels )

ComponentDescription
vPC Domain Includes the vPC Peers, KeepAlive Links and the PortChannels that use the vPC technology.
vPC Peer SwitchThe other switch within the vPC domain. Each switch is connected via the vPC peer link. Its also worth noting that one device is selected as primary and the other secondary.
vPC Member PortPorts included within the vPCs.
vPC Peer Keepalive LinkConnects both vPC peer switches and carries monitoring traffic to/from each peer switch. Monitoring is performed to ensures the switch(s) is both operational and running vPC.
vPC Peer LinkConnects both vPC peer switches. And carries BPDUs, HSRPs, and MAC addresses to its vPC peer. In the event of vPC member port failure it also carries unicast traffic to the peer switch.
Orphan PortAn orphan port is a port that is configured with a vPC VLAN (i.e a VLAN that is carried over the vPC peer link) and is not configured as a vPC member port.

A virtual PortChannel (vPC) allows links that are physically connected to two different Cisco Nexus™ 5000 Series devices to appear as a single PortChannel to a third device. The third device can be a Cisco Nexus 2000 Series Fabric Extender or a switch, server, or any other networking device. A vPC can provide Layer 2 multipathing, which allows you to create redundancy by increasing bandwidth, enabling multiple parallel paths between nodes and load-balancing traffic where alternative paths exist.

After you enable the vPC function, you create a peer keepalive link, which sends heartbeat messages between the two vPC peer devices.

The vPC domain includes both vPC peer devices, the vPC peer keepalive link, the vPC peer link, and all the PortChannels in the vPC domain connected to the downstream device. You can have only one vPC domain ID on each device.

(more…)

IPv6 Review

  • Unicast:  One-to-one.
  • Multicast: One-to-many.
  • Anycast: One-to-closest.

 

  • Link-local scope address:  layer2 domain
  • Unique / Site-local scope address: Organization
  • Global scope address: Internet

(more…)

LAB I ( OSPF over GRE with and without IPsec )

Setup:

  • R1 functions as the internet.
  • R2 is the first location with Public IP 1.1.1.2/30
  • R3 is the second location with Public IP 1.1.2.2/30

There must be a GRE tunnel configured between R2 and R3 so that OSPF can be used between them. In the example we will use a tunnel with and without IPsec.

Configuration without IPsec:

ROUTER 2:

R2:

# WAN ADDRESS
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
!

# TUNNEL ADDRESS
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 1.1.2.2
!

# LAN ADDRESS
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!

# OSPF CONFIG
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!

# DEFAULT ROUTE (TRAFFIC TOWARDS R3)
ip route 0.0.0.0 0.0.0.0 1.1.1.1

(more…)

SNMP & NTP

SNMP – Simple network management protocol

  • Manager – Monitoring device
  • Agent – Devices being monitored
  • MIB – management information Base
  • UDP port 161
  • Uses GETs and SETs
  • SNMP Traps
    • Agent informs the manager.
  • SNMPv1 and 2c have community strings.
  • SNMPv3 has encryption and authentication.
    • auth – Group using the AuthNoPriv Security Level
      • Authentication: yes
      • Privacy ( encryption ): no
    • noauth – Group using the noAuthNoPriv Security Level
      • Authentication: no
      • Privacy ( encryption ): no
    • Priv – Group using the AuthPriv Security Level
      • Authentication: yes
      • Privacy ( encryption ): yes
  • If no read view is defined , all objects can be read.
  • If no write view is defined , no objects can be written.
  • If no notify view is defined , group members are not sent notifications.

(more…)

DMVPN

LAB III ( DMVPN, MGRE, NHRP, EIGRP)

  • Point-to-multipoint layer 3 overlay VPN
  • Logical hub and spoke topology
  • Direct spoke to spoke is support

DMVPN uses a combination of:

  • Multipoint GRE tunnels (mGRE)
  • Next Hop Resolution Protocol ( NHRP )
  • IPsec Crypto Profiles
  • Routing

(more…)

VPN

  • Virtual Private Network
    • Route exchange privacy
    • Path determination for packets
    • Data Security
      • IPSec IP security
    • Collection of standized protocols that provide
      • Confidentiality
      • Integrity
      • Authentication
      • Anti-Reply

(more…)

NAT64

  • Transition technique designed to allow native IPv6 hosts to access IPv4-only content.
    • (Translation technique not a tunneling technique).
  • Primarily used to allow v6 hosts to initiate connections to IPv4 content.
    • Mechanisms do exist to allow the reverse.
  • Stateful and stateless versions.
    • stateful can use any prefix
    • stateless has restriction on prefix

NAT64 and DNS64 co-existance.

  1. IPv6 host sends AAAA DNS Query
  2. DNS64 server tries AAAA lookup and fails
  3. DNS64 server successfully resolves IPv4 address
  4. DNS64 server generates AAAA DNS response of <IPv6 prefix:IPv4 adress> and sends it back to the client.

(more…)

IPv6 Tunnels

  • point-to-point tunnels
  • MCT ( manually configured tunnel )
  • GRE ( Generic Routing Encapsulation )
  • Virtual point-to-point between two IPv4 routers
  • IPv6 iGP routing protocols can run over these virtual links.

(more…)