Monday, October 26, 2015

Run IOU on OpenSuse converted from VirtualBox to Parallels.

I was trying to run IOU on OpenSuse converted from VirtualBox to Parallels.
Lessons learned:
1. Uninstall VirtualBox Guest Additions first.
2. Uninstall VirtualBox Guest Additions first. Seriously.
3. Edit Grub config file to mount hard disk devices by name not by aliases (of any kind).
4. After failing step 1 - manually fix /etc/fstab (-90 secs).
5. After adding new NIC(s) to the VM in Parallels - update the YaST settings.
6. Fix /etc/ssh/sshd_config to not use DNS (-20 secs).
7. Get to know the -N option of the telnet client (-15 secs).

All thanks go to Wireshark (and Google, as usual).

Tuesday, July 14, 2015

STP Port-ID.

I found that there are many engineers who don't understand the STP Port-ID concept, so I decided to write this blog post for ease of reference.
The STP tie-breaking sequence is as follows:
1. Lowest Root Bridge ID.
2. Lowest Root Path Cost.
3. Lowest Sender Bridge ID.
4. Lowest Sender Port ID.
The key word in the last tie-breaker is "Sender" Port ID, not the local one.
Let's use this simple topology:
I will use RPVST+, but it doesn't really matter which STP flavor you use.

First, the Root Bridge is elected (SW1, due to its lower MAC address).
Then, each non-Root Bridge has to choose one Root Port. SW2 has two equal links connected to SW1.
The tie breaking sequence:
1. SW2 receives BPDUs with the same Root Bridge ID on both links.
2. Since both interfaces are the same, Root Path Cost is the same too.
3. Both links are connected to the same switch, thus the Sender Bridge ID in these BPDUs is the same.
4. SW2 receives two BPDUs with different Sender Port ID and chooses the lowest one. It happens to be BPDUs on E0/0.
So, E0/0 is chosen as Root Port, and E0/1 is blocked.
SW2#show spanning-tree detail | begin Port
 Port 1 (Ethernet0/0) of VLAN0001 is root forwarding 
   Port path cost 100, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address aabb.cc00.6400
   Designated bridge has priority 32769, address aabb.cc00.6400
   Designated port id is 128.1, designated path cost 0
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point
   BPDU: sent 5, received 233

 Port 2 (Ethernet0/1) of VLAN0001 is alternate blocking 
   Port path cost 100, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address aabb.cc00.6400
   Designated bridge has priority 32769, address aabb.cc00.6400
   Designated port id is 128.2, designated path cost 0
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point
   BPDU: sent 3, received 233

In the output above, take a look at the Designated port id. SW2 has no designated ports, so it is indeed the upstream BPDU information that is being analyzed.
Just to prove it, let's swap the ports on SW2:
Even though E0/0 on SW2 has the lower Port ID, it is blocked:
SW2#show spanning-tree detail | begin Port
 Port 1 (Ethernet0/0) of VLAN0001 is alternate blocking 
   Port path cost 100, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address aabb.cc00.6400
   Designated bridge has priority 32769, address aabb.cc00.6400
   Designated port id is 128.2, designated path cost 0
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point
   BPDU: sent 2, received 121

 Port 2 (Ethernet0/1) of VLAN0001 is root forwarding 
   Port path cost 100, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address aabb.cc00.6400
   Designated bridge has priority 32769, address aabb.cc00.6400
   Designated port id is 128.1, designated path cost 0
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point
   BPDU: sent 4, received 121

Don't forget that the Port ID consists of two parts:
- Port Priority - 128 by default, can be configured with values from 0 to 192 in increments of 64.
- Port ID - usually starts with 1 and increments by 1, but with chassis and LAGs this value can be less obvious.
Let's change the E0/1 Port Priority on SW1 so that SW2 blocks its E0/1 port.
SW1#show running-config interface e0/1
interface Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
 spanning-tree link-type point-to-point
 spanning-tree port-priority 64
end
SW2#show spanning-tree detail | begin Port
 Port 1 (Ethernet0/0) of VLAN0001 is root forwarding 
   Port path cost 100, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address aabb.cc00.6400
   Designated bridge has priority 32769, address aabb.cc00.6400
   Designated port id is 64.2, designated path cost 0
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point
   BPDU: sent 5, received 316

 Port 2 (Ethernet0/1) of VLAN0001 is alternate blocking 
   Port path cost 100, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address aabb.cc00.6400
   Designated bridge has priority 32769, address aabb.cc00.6400
   Designated port id is 128.1, designated path cost 0
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point
   BPDU: sent 4, received 317

As you can see, changing the Port Priority on the upstream switch affects blocking decision on the downstream switch.

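The four-step tie-break above, run over the BPDUs SW2 hears from SW1 in the three scenarios of this post (default port IDs, swapped cables, and port-priority 64 on SW1's E0/1). This is an added example, not code from the original post; the port names, the `sw2_scenario` helper and the port cost of 100 are assumptions taken from the `show spanning-tree detail` output above.

```python
from dataclasses import dataclass

# Added example (not from the original post): the four-step STP tie-break,
# applied to the BPDUs SW2 receives from the root (SW1) on E0/0 and E0/1.


@dataclass(frozen=True)
class BridgeId:
    """Bridge ID as IOS prints it: priority plus MAC in dotted hex."""
    priority: int
    mac: str  # e.g. "aabb.cc00.6400"

    def key(self):
        # Lower priority wins, then lower MAC address.
        return (self.priority, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class PortId:
    """Port ID as IOS prints it: "<port priority>.<port number>"."""
    priority: int
    number: int

    @classmethod
    def parse(cls, text):
        prio, num = text.split(".")
        return cls(int(prio), int(num))

    def key(self):
        # Lower port priority wins, then lower port number.
        return (self.priority, self.number)


@dataclass(frozen=True)
class Bpdu:
    """The fields of a received configuration BPDU that matter for the tie-break."""
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    sender_port: PortId


STEP_NAMES = {1: "Root Bridge ID", 2: "Root Path Cost",
              3: "Sender Bridge ID", 4: "Sender Port ID"}


def priority_vector(bpdu, port_cost):
    """Comparable tuple in tie-break order. The receiving port's own cost is added
    to the advertised root path cost, as the receiving bridge does."""
    return (bpdu.root.key(), bpdu.root_path_cost + port_cost,
            bpdu.sender.key(), bpdu.sender_port.key())


def choose_root_port(received):
    """received: {local port name: (Bpdu heard on it, cost of that local port)}.
    Returns (root port, number of the tie-break step that decided); step 0 means
    there was nothing to break (single candidate or fully identical vectors)."""
    ranked = sorted(received.items(),
                    key=lambda kv: priority_vector(kv[1][0], kv[1][1]))
    best_port, (best_bpdu, best_cost) = ranked[0]
    step = 0
    if len(ranked) > 1:
        _, (runner_bpdu, runner_cost) = ranked[1]
        best_vec = priority_vector(best_bpdu, best_cost)
        runner_vec = priority_vector(runner_bpdu, runner_cost)
        # The first position where the two best vectors differ is the deciding step.
        step = next((i + 1 for i, (a, b) in enumerate(zip(best_vec, runner_vec))
                     if a != b), 0)
    return best_port, step


# Root bridge from the post: priority 32768 + VLAN 1 = 32769, MAC aabb.cc00.6400.
SW1 = BridgeId(32769, "aabb.cc00.6400")


def sw2_scenario(port_id_on_e0_0, port_id_on_e0_1, port_cost=100):
    """SW2 hears the root directly on both links (advertised root path cost 0,
    100 added per Ethernet port); only the Sender Port ID differs."""
    def bpdu_from_sw1(designated_port_id):
        return Bpdu(SW1, 0, SW1, PortId.parse(designated_port_id))

    return choose_root_port({
        "E0/0": (bpdu_from_sw1(port_id_on_e0_0), port_cost),
        "E0/1": (bpdu_from_sw1(port_id_on_e0_1), port_cost),
    })
```
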
The topology used along with the configuration files (IOU) is available here.

Sunday, June 28, 2015

[Russian] Link Me Up Podcast #28.

I recently took part in recording an episode of the LinkMeUp podcast devoted to the evolution of STP.
It was unusual, but interesting. You can listen to it here:
LinkMeUp. Episode No. 28. The STP family and alternatives

The presentation is, in my opinion, not very convenient, so here is the PDF version.

Tuesday, April 29, 2014

Interconnecting Huawei eNSP and GNS3.

My OS is Windows 8 64bit.
eNSP - V100R002C00B330.
GNS3 - 0.8.6. I assume it will work with the new GNS3 but haven't tested it, since there is no stable version yet.

After installation, let's create a simple topology in both emulators.
GNS3:
Notice the cloud configuration:
And simple configuration on R1:
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 10.0.0.1 0.0.0.0 area 0

eNSP:
Cloud configuration on the eNSP side is a bit tricky. First, create two UDP ports - one private and one public (with the remote port on the GNS3 side), then map these two ports in the settings below:
AR1 has similar configuration:
interface GigabitEthernet0/0/0
 ip address 10.0.0.2 255.255.255.0 
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255 
#
ospf 1 
 area 0.0.0.0 
  network 2.2.2.2 0.0.0.0 
  network 10.0.0.2 0.0.0.0 

And that's it:
R1#show ip route
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/1] via 10.0.0.2, 00:00:36, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
R1#ping 2.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/14/24 ms

Latest versions of eNSP use VirtualBox to emulate routers. GNS3 supports VMs as well, but I haven't discovered any way to integrate eNSP's VMs into GNS3.

Both topologies used along with the configuration files are available here.

Monday, April 28, 2014

IS-IS configuration.

IS-IS was a terra incognita for me for a long time, even though I used to configure several networks with IS-IS (copy'n'paste mostly). Since IS-IS is excluded from the CCNP R&S track, I decided to study it on my own.
This post covers basic configuration and some best practices for IS-IS.
The topology is as follows:
I adjusted several settings, so let's go through the configurations.
R1:
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip router isis 1 #I find it convenient to configure routing process under the interface level.
 isis metric 123 #One of the ways to change the interface metric.
!
interface FastEthernet0/0.123
 encapsulation dot1Q 123
 ip address 10.0.123.1 255.255.255.0
 ip router isis 1
 isis circuit-type level-2-only #This command is redundant, since L2 only is already set under the router configuration.
!
router isis 1
 net 49.0001.0010.0100.1001.00 #I embedded the loopback interface address in the system ID.
 metric-style wide #Without this the maximum metric value is 64. By default all interfaces use a metric of 10 regardless of bandwidth.
 is-type level-2-only

R4:
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 ip router isis 1
!
interface Loopback1 #Loopbacks below are created for summarization's sake.
 ip address 10.0.0.1 255.255.255.252
 ip router isis 1
!
interface Loopback2
 ip address 10.0.0.5 255.255.255.252
 ip router isis 1
!
interface Loopback3
 ip address 10.0.0.9 255.255.255.252
 ip router isis 1
!
interface FastEthernet0/0.24
 encapsulation dot1Q 24
 ip address 10.0.24.4 255.255.255.0
 ip router isis 1
 isis network point-to-point #As with OSPF you can set the network type, though the choice is limited.
 isis hello-interval 2 #Unlike OSPF, timers do not have to match between neighbors.
!
router isis 1
 net 49.0002.0040.0400.4004.00
 metric-style wide
 is-type level-1

R2:
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip router isis 1
!
interface FastEthernet0/0.24
 encapsulation dot1Q 24
 ip address 10.0.24.2 255.255.255.0
 ip router isis 1
 isis network point-to-point 
!
interface FastEthernet0/0.123
 encapsulation dot1Q 123
 ip address 10.0.123.2 255.255.255.0
 ip router isis 1
 isis priority 123 #I selected R2 as DIS (analogous to OSPF DR, but there is no BDR).
!
router isis 1
 net 49.0002.0020.0200.2002.00
 metric-style wide
 summary-address 10.0.0.0 255.255.255.240 #This will create aggregated prefix for L1 and L2.

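The NET convention used in the configs above (loopback address zero-padded into the 6-byte system ID, NSEL 00), taken apart and rebuilt. This is an added example, not code from the original post; the `Net` dataclass and function names are my own, and the area/system-ID split follows the NETs shown for R1, R2 and R4.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example (not from the original post): parse a Cisco-style NET and
# recover the loopback address the post embeds in the 6-byte system ID.


@dataclass(frozen=True)
class Net:
    area: str       # area address as IOS prints it, e.g. "49.0001"
    system_id: str  # 6-byte system ID, e.g. "0010.0100.1001"
    nsel: str       # NSAP selector, always "00" for a router NET


def parse_net(text):
    """Split "AA.AAAA.SSSS.SSSS.SSSS.NN" into area, system ID and NSEL.
    The system ID and NSEL are fixed-size from the right; the area is whatever remains."""
    digits = text.replace(".", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", digits) or len(digits) % 2:
        raise ValueError(f"NET {text!r} is not a whole number of hex bytes")
    if len(digits) < 2 + 12 + 2:
        raise ValueError(f"NET {text!r} needs at least a 1-byte area, system ID and NSEL")
    nsel, sysid, area = digits[-2:], digits[-14:-2], digits[:-14]
    if nsel != "00":
        raise ValueError(f"NET {text!r} has NSEL {nsel}; a router NET must end in 00")
    # IOS prints the AFI byte on its own, then the rest of the area in 2-byte groups.
    area_fmt = ".".join([area[:2]] + [area[i:i + 4] for i in range(2, len(area), 4)])
    sysid_fmt = ".".join(sysid[i:i + 4] for i in range(0, 12, 4))
    return Net(area_fmt, sysid_fmt, nsel)


def is_valid_router_net(text):
    try:
        parse_net(text)
        return True
    except ValueError:
        return False


def same_area(net_a, net_b):
    """Two routers form an L1 adjacency only when their area addresses match."""
    return parse_net(net_a).area == parse_net(net_b).area


def system_id_from_ipv4(addr):
    """Zero-pad each octet to three decimal digits and regroup into 4-digit blocks:
    1.1.1.1 -> 001001001001 -> 0010.0100.1001 (the convention in the post's configs)."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    flat = "".join(f"{int(o):03d}" for o in octets)
    return ".".join(flat[i:i + 4] for i in range(0, 12, 4))


def ipv4_from_system_id(sysid):
    """Reverse of system_id_from_ipv4; rejects system IDs not built that way."""
    flat = sysid.replace(".", "")
    if not re.fullmatch(r"[0-9]{12}", flat):
        raise ValueError(f"system ID {sysid!r} does not embed a dotted-decimal IPv4 address")
    octets = [int(flat[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        raise ValueError(f"system ID {sysid!r} decodes to an octet above 255")
    return ".".join(str(o) for o in octets)


def build_net(area, loopback):
    """Compose a NET the way the post does: area + system ID from the loopback + NSEL 00."""
    return f"{area}.{system_id_from_ipv4(loopback)}.00"
```

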
OK, basic connectivity is established; let's check what we have.
R2#show isis neighbors 
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R1             L2   Fa0/0.123   10.0.123.1      UP    28       R2.02              
R3             L2   Fa0/0.123   10.0.123.3      UP    25       R2.02              
R4             L1   Fa0/0.24    10.0.24.4       UP    23       02

R4 is an L1-only router, so it should receive only a default route (like R5):
R4#show ip route 
Gateway of last resort is 10.0.24.2 to network 0.0.0.0
     2.0.0.0/32 is subnetted, 1 subnets
i L1    2.2.2.2 [115/20] via 10.0.24.2, FastEthernet0/0.24
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       10.0.0.8/30 is directly connected, Loopback3
C       10.0.0.0/30 is directly connected, Loopback1
C       10.0.0.4/30 is directly connected, Loopback2
C       10.0.24.0/24 is directly connected, FastEthernet0/0.24
i L1    10.0.123.0/24 [115/20] via 10.0.24.2, FastEthernet0/0.24
i*L1 0.0.0.0/0 [115/10] via 10.0.24.2, FastEthernet0/0.24
Actually, R2 doesn't advertise this route, rather R4 creates it on its own and installs in the routing table.

Only L1/2 routers can summarize (R2):
R1#show ip route 
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
i L2    2.2.2.2 [115/20] via 10.0.123.2, FastEthernet0/0.123
     3.0.0.0/32 is subnetted, 1 subnets
i L2    3.3.3.3 [115/20] via 10.0.123.3, FastEthernet0/0.123
     4.0.0.0/32 is subnetted, 1 subnets
i L2    4.4.4.4 [115/30] via 10.0.123.2, FastEthernet0/0.123
     5.0.0.0/32 is subnetted, 1 subnets
i L2    5.5.5.5 [115/30] via 10.0.123.3, FastEthernet0/0.123
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
i L2    10.0.0.0/28 [115/30] via 10.0.123.2, FastEthernet0/0.123 #As configured on R2.
i L2    10.0.24.0/24 [115/20] via 10.0.123.2, FastEthernet0/0.123
i L2    10.0.35.0/24 [115/20] via 10.0.123.3, FastEthernet0/0.123
C       10.0.123.0/24 is directly connected, FastEthernet0/0.123

R2#show ip route
     1.0.0.0/32 is subnetted, 1 subnets
i L2    1.1.1.1 [115/133] via 10.0.123.1, FastEthernet0/0.123
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     3.0.0.0/32 is subnetted, 1 subnets
i L2    3.3.3.3 [115/20] via 10.0.123.3, FastEthernet0/0.123
     4.0.0.0/32 is subnetted, 1 subnets
i L1    4.4.4.4 [115/20] via 10.0.24.4, FastEthernet0/0.24
     5.0.0.0/32 is subnetted, 1 subnets
i L2    5.5.5.5 [115/30] via 10.0.123.3, FastEthernet0/0.123
     10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
i L1    10.0.0.8/30 [115/20] via 10.0.24.4, FastEthernet0/0.24
i L1    10.0.0.0/30 [115/20] via 10.0.24.4, FastEthernet0/0.24
i su    10.0.0.0/28 [115/20] via 0.0.0.0, Null0 #Notice summary route.
i L1    10.0.0.4/30 [115/20] via 10.0.24.4, FastEthernet0/0.24
C       10.0.24.0/24 is directly connected, FastEthernet0/0.24
i L2    10.0.35.0/24 [115/20] via 10.0.123.3, FastEthernet0/0.123
C       10.0.123.0/24 is directly connected, FastEthernet0/0.123

Let's check that DIS was elected correctly:
R3#show clns interface f0/0.123
FastEthernet0/0.123 is up, line protocol is up
  Checksums enabled, MTU 1497, Encapsulation SAP
  ERPDUs enabled, min. interval 10 msec.
  CLNS fast switching enabled
  CLNS SSE switching disabled
  DEC compatibility mode OFF for this interface
  Next ESH/ISH in 12 seconds
  Routing Protocol: IS-IS
    Circuit Type: level-1-2
    Interface number 0x1, local circuit ID 0x2
    Level-1 Metric: 10, Priority: 64, Circuit ID: R3.02
    DR ID: 0000.0000.0000.00
    Level-1 IPv6 Metric: 10
    Number of active level-1 adjacencies: 0
    Level-2 Metric: 10, Priority: 64, Circuit ID: R2.02
    DR ID: R2.02
    Level-2 IPv6 Metric: 10
    Number of active level-2 adjacencies: 2
    Next IS-IS LAN Level-1 Hello in 2 seconds #I haven't found the exact command to check timers on the interface; the only way, as with EIGRP, is to periodically repeat this command.
    Next IS-IS LAN Level-2 Hello in 65 milliseconds
Next, let's configure IS-IS authentication.
Basic L1 plain text authentication:
R4 & R2:
router isis 1
 area-password ISIS-L1-PASS
This doesn't authenticate Hello packets, thus the neighborship is established, but no routes are accepted.
L2 plain text authentication:
R1 & R2 & R3:
router isis 1
 domain-password ISIS-L2-PASS authenticate snp validate #Here we authenticate and validate SNP packets. But not Hello packets.
For area 3 I will use L1 md5 authentication (for L2 it is applicable as well):
R3 & R5:
key chain ISIS-KEY-CHAIN
 key 1
   key-string ISIS-MD5-L1
!
interface FastEthernet0/0.35
 isis authentication mode md5 level-1
 isis authentication key-chain ISIS-KEY-CHAIN level-1
Notice that per-interface authentication configuration forces Hello packets to include authentication information, thus preventing the neighborship from being established.

Now let's cover an interesting behavior of IS-IS when redistributing between protocols.
In the topology above I will add R6 and configure RIP between R6 and R1:

R1:
interface FastEthernet0/0.16
 encapsulation dot1Q 16
 ip address 20.0.16.1 255.255.255.0
!
router rip
 version 2
 network 20.0.0.0
 no auto-summary
R6:
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0.16
 encapsulation dot1Q 16
 ip address 20.0.16.6 255.255.255.0
!
router rip
 version 2
 network 6.0.0.0
 network 20.0.0.0
 no auto-summary
Now let's redistribute IS-IS into RIP and vice versa:
R1:
router rip
 redistribute isis 1 level-2 metric 5
!
router isis 1
 redistribute rip metric 15
R6:
R6#show ip route
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/5] via 20.0.16.1, 00:00:06, FastEthernet0/0.16
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/5] via 20.0.16.1, 00:00:06, FastEthernet0/0.16
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/5] via 20.0.16.1, 00:00:06, FastEthernet0/0.16
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.16.0 is directly connected, FastEthernet0/0.16
     5.0.0.0/32 is subnetted, 1 subnets
R       5.5.5.5 [120/5] via 20.0.16.1, 00:00:07, FastEthernet0/0.16
     6.0.0.0/32 is subnetted, 1 subnets
C       6.6.6.6 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R       10.0.0.0/28 [120/5] via 20.0.16.1, 00:00:07, FastEthernet0/0.16
R       10.0.24.0/24 [120/5] via 20.0.16.1, 00:00:07, FastEthernet0/0.16
R       10.0.35.0/24 [120/5] via 20.0.16.1, 00:00:07, FastEthernet0/0.16
Notice that R6 has no route to 10.0.123.0/24. The reason is that IS-IS doesn't redistribute connected prefixes, which is odd in my opinion. The same rule applies to IPv6 (though I haven't found a way to redistribute RIPng into IS-IS).
To fix this we could use just "redistribute connected", but I'll do it the right way (:
ip prefix-list CONNECTED-2-RIP seq 5 permit 10.0.123.0/24
ip prefix-list CONNECTED-2-RIP seq 10 deny 0.0.0.0/0 le 32
!
route-map CONNECTED-2-RIP permit 10
 match ip address prefix-list CONNECTED-2-RIP
!
route-map CONNECTED-2-RIP deny 100
!
router rip
 redistribute connected route-map CONNECTED-2-RIP
Voila:
R6#show ip route 10.0.123.0
Routing entry for 10.0.123.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 20.0.16.1 on FastEthernet0/0.16, 00:00:17 ago
  Routing Descriptor Blocks:
  * 20.0.16.1, from 20.0.16.1, 00:00:17 ago, via FastEthernet0/0.16
      Route metric is 1, traffic share count is 1

Now let's apply some best practices (I'll use R5 as example):
interface FastEthernet0/0.35
 isis hello-multiplier 4 #Hello-interval * Hello-multiplier = Hold time.
 isis hello-interval minimal #Sets the hello interval to 1 second.
!
router isis 1
 ispf level-1-2 60 #Interval before iSPF execution.
 fast-flood 15 #The number of LSPs to be sent before SPF is run.
 set-overload-bit on-startup 180 #Signals to other routers not to use this router as a transit point.
 max-lsp-lifetime 65535 #This reduces the flooding.
 lsp-refresh-interval 65505 #And this too.
 spf-interval 5 1 20 #Throttling of SPF calculations.
 lsp-gen-interval 5 1 20 #Throttling of LSP generation.
 no hello padding #By default Hello packets are padded to match MTU size of the interface.
 bfd all-interfaces #Simple and so powerful.

OK, we're done with IPv4; time to add IPv6 to the topology:
R2:
ipv6 unicast-routing
!
interface FastEthernet0/0.24
 ipv6 address 2024::2/64
 ipv6 router isis 1
!
interface FastEthernet0/0.123
 ipv6 address 2123::2/64
 ipv6 router isis 1
R1:
ipv6 unicast-routing
!
interface FastEthernet0/0.123
 ipv6 address 2123::1/64
 ipv6 router isis 1

Other routers are configured similarly.
R1#show ipv6 route
I2  2024::/64 [115/20]
     via FE80::C002:12FF:FE5C:0, FastEthernet0/0.123
I2  2035::/64 [115/20]
     via FE80::C004:1DFF:FE8C:0, FastEthernet0/0.123
C   2123::/64 [0/0]
     via ::, FastEthernet0/0.123
L   2123::1/128 [0/0]
     via ::, FastEthernet0/0.123
L   FF00::/8 [0/0]
     via ::, Null0
Notice that the same IS-IS process is used for both IPv4 and IPv6, because IS-IS doesn't rely on multicast (as most IPv4 IGPs do).


The topology used along with the configuration files is available here.
Some useful tips: IS-IS NOTES

Thursday, March 13, 2014

Integrated Routing and Bridging (IRB).

The concept of IRB is very simple and straightforward, and somewhat similar to the concept of VLANs and inter-VLAN routing. I was surprised that the CCNP track didn't include this topic.
This feature is very useful when you need to span a VLAN across several ports but your platform doesn't support VLANs, and using an additional switch is not an option. Or when you need to bridge a non-IP protocol, and MPLS is not your protocol of love (:
The topology is simple:
Basic configuration of the router:
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet1/0
 ip address 10.0.1.2 255.255.255.0
As expected, PC1 and PC2 can't reach each other (routers do not forward broadcast packets), and PC3 is able to ping only R1's fa1/0 interface IP. I am using VPCS to emulate end stations:
VPCS[1]> show
NAME   IP/MASK              GATEWAY           MAC                LPORT  RHOST:PORT
VPCS1  10.0.0.1/24          255.255.255.0     00:50:79:66:68:00  20000  127.0.0.1:30000
VPCS2  10.0.0.2/24          255.255.255.0     00:50:79:66:68:01  20001  127.0.0.1:30001
VPCS3  10.0.1.1/24          10.0.1.2          00:50:79:66:68:02  20002  127.0.0.1:30002
VPCS[1]> ping 10.0.0.2
host (10.0.0.2) not reachable
VPCS[3]> ping 10.0.1.2
10.0.1.2 icmp_seq=1 ttl=255 time=10.004 ms
10.0.1.2 icmp_seq=2 ttl=255 time=44.027 ms
10.0.1.2 icmp_seq=3 ttl=255 time=44.009 ms
10.0.1.2 icmp_seq=4 ttl=255 time=33.022 ms
10.0.1.2 icmp_seq=5 ttl=255 time=42.025 ms
Notice that PC1 and PC2 have no default gateway set yet. Since they are in the same broadcast domain, they should be able to reach one another.
The first task is to configure bridging between R1's fa0/0 and fa0/1 interfaces. The actual configuration is simple:
R1(config)#bridge irb #Enabling IRB; without this command you can run into issues with bridging IP and "no ip routing".
R1(config)#bridge 10 protocol ieee #Creating the bridge group with ID of 10 and using IEEE version of STP (I'll check this later).
R1(config)#interface fastEthernet 0/0
R1(config-if)#bridge-group 10 #Assign each interface to the bridge group.
R1(config-if)#interface fastEthernet 0/1
R1(config-if)#bridge-group 10
That's it:
VPCS[1]> ping 10.0.0.2
10.0.0.2 icmp_seq=1 ttl=64 time=21.010 ms
10.0.0.2 icmp_seq=2 ttl=64 time=22.015 ms
10.0.0.2 icmp_seq=3 ttl=64 time=20.012 ms
10.0.0.2 icmp_seq=4 ttl=64 time=19.010 ms
10.0.0.2 icmp_seq=5 ttl=64 time=20.011 ms
But they are not able to reach PC3.
VPCS[1]> ping 10.0.1.2
host (255.255.255.0) not reachable
Mainly because they have no default gateway set; let's fix it:
NAME   IP/MASK              GATEWAY           MAC                LPORT  RHOST:PORT
VPCS1  10.0.0.1/24          10.0.0.3       00:50:79:66:68:00  20000  127.0.0.1:30000
VPCS2  10.0.0.2/24          10.0.0.3       00:50:79:66:68:01  20001  127.0.0.1:30001
VPCS3  10.0.1.1/24          10.0.1.2          00:50:79:66:68:02  20002  127.0.0.1:30002
And of course R1 is bridging frames in this subnet and doesn't have it in the routing table at all:
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.1.0 is directly connected, FastEthernet1/0
The next step is to create the BVI (Bridge Group Virtual Interface) and assign an IP address to it. You may think of it as a VLAN interface.
R1(config)#interface bvi 10 #The number of the interface has to match the bridge group id configured earlier.
R1(config-if)#ip add 10.0.0.3 255.255.255.0
R1(config)#bridge 10 route ip #Enabling routing of the IP protocol.
That's it:
VPCS[1]> ping 10.0.1.1
10.0.1.1 icmp_seq=1 ttl=63 time=25.016 ms
10.0.1.1 icmp_seq=2 ttl=63 time=22.015 ms
10.0.1.1 icmp_seq=3 ttl=63 time=22.013 ms
10.0.1.1 icmp_seq=4 ttl=63 time=22.007 ms
10.0.1.1 icmp_seq=5 ttl=63 time=22.012 ms
Some useful commands to check:
R1#show interfaces irb
FastEthernet0/0
 Routed protocols on FastEthernet0/0:
  ip
 Bridged protocols on FastEthernet0/0:
  appletalk  clns       decnet     ip
 Software MAC address filter on FastEthernet0/0
  Hash Len    Address      Matches  Act      Type
  0x00:  0 ffff.ffff.ffff        22 RCV Physical broadcast
  0x15:  0 c200.1568.0000        20 RCV Interface MAC address
  0x15:  1 c200.1568.0000         0 RCV Bridge-group Virtual Interface
  0x2A:  0 0900.2b01.0001         0 RCV DEC spanning tree
  0xC0:  0 0100.0ccc.cccc         0 RCV CDP
  0xC2:  0 0180.c200.0000         0 RCV IEEE spanning tree
  0xC2:  1 0180.c200.0000         0 RCV IBM spanning tree
  0xC2:  2 0100.0ccd.cdce         0 RCV VLAN Bridge STP
FastEthernet0/1
 Routed protocols on FastEthernet0/1:
  ip
 Bridged protocols on FastEthernet0/1:
  appletalk  clns       decnet     ip
 Software MAC address filter on FastEthernet0/1
  Hash Len    Address      Matches  Act      Type
  0x00:  0 ffff.ffff.ffff         3 RCV Physical broadcast
  0x14:  0 c200.1568.0001         0 RCV Interface MAC address
  0x15:  0 c200.1568.0000         0 RCV Bridge-group Virtual Interface
  0x2A:  0 0900.2b01.0001         0 RCV DEC spanning tree
  0xC0:  0 0100.0ccc.cccc         0 RCV CDP
  0xC2:  0 0180.c200.0000         0 RCV IEEE spanning tree
  0xC2:  1 0180.c200.0000         0 RCV IBM spanning tree
  0xC2:  2 0100.0ccd.cdce         0 RCV VLAN Bridge STP
FastEthernet1/0
 Routed protocols on FastEthernet1/0:
  ip
BVI10
 Routed protocols on BVI10:
  ip
R1#show bridge 10 group
Bridge Group 10 is running the IEEE compatible Spanning Tree protocol
   Port 4 (FastEthernet0/0) of bridge group 10 is forwarding
   Port 5 (FastEthernet0/1) of bridge group 10 is forwarding
Last but not least, since we are bridging now and have enabled STP, let's confirm that STP works on the routers. The topology is as follows:
Configs of R2 and R3 are identical:
bridge irb
!
interface FastEthernet0/0
 no ip address
 bridge-group 10
!
interface FastEthernet0/1
 bridge-group 10
!
bridge 10 protocol ieee
Effectively I created a bridged loop here, but STP is working just as expected:
R2#show spanning-tree
 Bridge group 10 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address c202.1568.0000
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 1 last change occurred 00:13:40 ago
          from FastEthernet0/1
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 4 (FastEthernet0/0) of Bridge group 10 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32768, address c202.1568.0000
   Designated bridge has priority 32768, address c202.1568.0000
   Designated port id is 128.4, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   BPDU: sent 414, received 0

 Port 5 (FastEthernet0/1) of Bridge group 10 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.5.
   Designated root has priority 32768, address c202.1568.0000
   Designated bridge has priority 32768, address c202.1568.0000
   Designated port id is 128.5, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   BPDU: sent 415, received 0

R3#show spanning-tree
 Bridge group 10 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address c203.1e50.0000
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32768, address c202.1568.0000
  Root port is 4 (FastEthernet0/0), cost of root path is 19
  Topology change flag not set, detected flag not set
  Number of topology changes 0 last change occurred 00:15:16 ago
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 4 (FastEthernet0/0) of Bridge group 10 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32768, address c202.1568.0000
   Designated bridge has priority 32768, address c202.1568.0000
   Designated port id is 128.4, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   BPDU: sent 0, received 420

 Port 5 (FastEthernet0/1) of Bridge group 10 is blocking
   Port path cost 19, Port priority 128, Port Identifier 128.5.
   Designated root has priority 32768, address c202.1568.0000
   Designated bridge has priority 32768, address c202.1568.0000
   Designated port id is 128.5, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   BPDU: sent 0, received 416
The topology used along with the configuration files is available here.

Thursday, September 5, 2013

Dynamic IPv6 point-to-multipoint tunnels configuration.

This post is a continuation of the previous one. Recently I was preparing for my CCDA and realised that I remember almost nothing about dynamic multipoint IPv6 tunnels.
With dynamic multipoint tunnels we have two options - automatic 6to4 tunnels and ISATAP tunnels. Both options work quite similarly.

Automatic 6to4 tunnels.
For this type of tunnels you can choose which type of IPv6 addresses you will provide to your users/customers - private or unique global (routable).
If you don't need the Internet access you can assign addresses from those reserved for 6to4 tunnels - 2002::/16.
The topology is as following:
R2 is IPv4 only router (no ipv6 unicast-routing enabled). R1, R3 and R4 will use dynamic IPv6 tunnels. The topology and configuration is very simple so I won't provide it here. As IGP I will use OSPF with single area.
With dynamic tunnels you don't need to specify tunnel destination, only the source. And if you have any kind of redundancy in the topology it is better to use loopbacks.
The idea is that you embed the IPv4 address in the 2nd and 3rd quartets of an IPv6 address under 2002::/16, which is specially reserved for these tunnels.
For R1, as an example, it will be 2002:0101:0101::/48. Then you just subnet this prefix for your LANs. In my topology customers receive network 2002:101:101:1::/64 (for R1).
Then for the tunnel you assign an IP address from the first subnet with a prefix length of 128 (a host prefix) - 2002:101:101::/128.
In order for all this to work you need to create a static route for prefix 2002::/16 pointing to your tunnel interface (since dynamic IPv6 tunnels don't support IGPs). Then, when a router receives a packet destined to a remote IPv6 branch, it deduces the destination IPv4 address from the destination IPv6 address (2nd and 3rd quartets) and sends it to the appropriate router.
Configuration is fairly simple:
R1:
ipv6 unicast-routing #I spent about 20 minutes trying to figure out why my lab was refusing to work.
!
interface Tunnel0
 ipv6 address 2002:101:101::/128
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet1/0
 ipv6 address 2002:101:101:1::1/64
!
ipv6 route 2002::/16 Tunnel0
#This route will cover all the tunnels and customers addresses.

R3:
ipv6 unicast-routing
!
interface Tunnel0
 ipv6 address 2002:303:303::/128
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet1/0
 ipv6 address 2002:303:303:1::3/64
!
ipv6 route 2002::/16 Tunnel0

VPCS[1]> ping 2002:303:303:1::100
2002:303:303:1::100 icmp6_seq=1 ttl=60 time=94.064 ms
2002:303:303:1::100 icmp6_seq=2 ttl=60 time=69.046 ms

VPCS[1]> trace 2002:303:303:1::100
trace to 2002:303:303:1::100, 64 hops max
 1 2002:101:101:1::1   16.011 ms  9.005 ms  9.005 ms
 2 2002:303:303::   59.039 ms  49.033 ms  48.035 ms
 3 2002:303:303:1::100   69.046 ms  59.040 ms  89.059 ms


In theory, you can use any /16 prefix for this type of tunnel and address assignment, as long as you use the corresponding static route and embed the IPv4 address in the 2nd and 3rd quartets of the tunnel's IP.
And this is how it works when you assign globally unique routable addresses to your customers. The only difference is that you need to specify a static route for each branch LAN including the next-hop IP (the remote tunnel IPv6 address) for the recursive lookup to work.
Let's consider the same topology but with public addresses (ISP assigned prefix 2999:10:20::/48 to your company and you use /64 subnets):
R1:
ipv6 unicast-routing
!
interface Tunnel0
 ipv6 address 2002:101:101::/128
#The same 2002::/16 prefix for tunnels sources.
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
interface FastEthernet1/0
 ipv6 address 2999:10:20:1::1/64
#And different subnet for customers.
!
ipv6 route 2002::/16 Tunnel0
ipv6 route 2999:10:20:3::/64 Tunnel0 2002:303:303::
#Separate static route for each branch LAN.
ipv6 route 2999:10:20:4::/64 Tunnel0 2002:404:404::

Configuration of R3 and R4 is similar.
VPCS[2]> ping 2999:10:20:1::100
2999:10:20:1::100 icmp6_seq=1 ttl=60 time=92.064 ms
2999:10:20:1::100 icmp6_seq=2 ttl=60 time=60.038 ms


VPCS[2]> trace 2999:10:20:1::100
trace to 2999:10:20:1::100, 64 hops max
 1 2999:10:20:3::1   13.007 ms  10.008 ms  9.005 ms
 2 2002:101:101::   59.039 ms  49.032 ms  59.040 ms
 3 2999:10:20:1::100   59.039 ms  69.046 ms  59.039 ms


ISATAP tunnels.
With ISATAP tunnels you don't have reserved address space like 2002::/16, so you have to use global unicast addresses. The good thing is that all of your tunnel sources are in the same subnet, because ISATAP incorporates the IPv4 address in the 7th and 8th quartets using a modified EUI-64 logic.
The topology is almost the same, only tunnel addresses were changed:
R1:
ipv6 unicast-routing
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ipv6 address 2000::/64 eui-64
#Here I use 2000::/64 for my tunnels. EUI-64 is a must for this type of tunnel. It uses a modified EUI-64 logic: the IPv4 address goes into the 7th and 8th quartets, preceded by 0000:5EFE in the 5th and 6th quartets respectively.
 tunnel source Loopback0
 tunnel mode ipv6ip isatap
!
interface FastEthernet1/0
 ipv6 address 2999:10:20:1::1/64
#Customers use the same networks.
!
ipv6 route 2999:10:20:3::/64 2000::5EFE:303:303
#As with automatic 6to4 tunnels you need a static route for each branch LAN. Notice that the next hop is the remote tunnel IPv6 address of R3.
ipv6 route 2999:10:20:4::/64 2000::5EFE:404:404

Configuration of R3 and R4 is similar.
VPCS[2]> ping 2999:10:20:1::100
2999:10:20:1::100 icmp6_seq=1 ttl=60 time=95.062 ms
2999:10:20:1::100 icmp6_seq=2 ttl=60 time=81.054 ms


VPCS[2]> trace 2999:10:20:1::100
trace to 2999:10:20:1::100, 64 hops max
 1 2999:10:20:3::1   15.011 ms  9.004 ms  10.007 ms
 2 2000::5efe:101:101   61.042 ms  49.033 ms  51.034 ms
 3 2999:10:20:1::100   60.040 ms  61.041 ms  81.054 ms
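The address arithmetic both tunnel types rely on, as an added example in Python (not part of the original post): it derives the 6to4 tunnel address and /48 site prefix from a loopback, recovers the IPv4 tunnel endpoint from a 2002::/16 destination the way the router does on egress, and builds the ISATAP modified EUI-64 address. The values reproduce the lab's R1/R3 addresses; the 0000:5EFE interface-ID tag with the u/l bit left clear is assumed from the IOS output shown above.

```python
"""Address arithmetic for 6to4 and ISATAP dynamic tunnels.

Added example, not from the original post. It reproduces the values seen in
the lab: 6to4 tunnel addresses derived from loopbacks 1.1.1.1 / 3.3.3.3 and
the ISATAP addresses under 2000::/64 (IOS keeps the u/l bit clear: 0000:5EFE).
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # reserved 6to4 prefix
ISATAP_IID_TAG = 0x00005EFE                        # 0000:5EFE marks an ISATAP IID


def six_to_four_tunnel(ipv4: str) -> ipaddress.IPv6Address:
    """2002:<v4 high 16 bits>:<v4 low 16 bits>:: -- the /128 tunnel address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # quartet 1 sits in bits 127..112, quartets 2-3 in bits 111..80
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))


def six_to_four_site_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a site gets from its IPv4 address; branch LANs carve /64s out of it."""
    return ipaddress.IPv6Network((int(six_to_four_tunnel(ipv4)), 48))


def six_to_four_next_hop(ipv6_dst: str) -> ipaddress.IPv4Address:
    """What the router does on egress: pull the IPv4 tunnel destination out of
    quartets 2 and 3 of a 2002::/16 destination. Non-6to4 destinations have no
    endpoint to derive, so they are rejected instead of producing garbage."""
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst not in SIX_TO_FOUR:
        raise ValueError(f"{dst} is not a 6to4 address, no IPv4 endpoint to derive")
    return ipaddress.IPv4Address((int(dst) >> 80) & 0xFFFFFFFF)


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 used by ISATAP: <64-bit prefix>:0000:5EFE:<IPv4>."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs need a /64 prefix")
    iid = (ISATAP_IID_TAG << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_endpoint(ipv6_addr: str) -> ipaddress.IPv4Address:
    """Reverse of isatap_address: the IPv4 endpoint from the low 32 bits, after
    checking the 5EFE tag so an arbitrary address is not mistaken for ISATAP."""
    a = int(ipaddress.IPv6Address(ipv6_addr))
    if (a >> 32) & 0xFFFFFFFF != ISATAP_IID_TAG:
        raise ValueError("missing 0000:5EFE tag, not an ISATAP address")
    return ipaddress.IPv4Address(a & 0xFFFFFFFF)


if __name__ == "__main__":
    for lo in ("1.1.1.1", "3.3.3.3", "4.4.4.4"):  # the lab loopbacks
        print(lo, "6to4:", six_to_four_tunnel(lo), six_to_four_site_prefix(lo),
              "isatap:", isatap_address("2000::/64", lo))
    print("2002:303:303:1::100 is tunnelled to", six_to_four_next_hop("2002:303:303:1::100"))
```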


Even though these dynamic tunnels are convenient and simple to use, scalability isn't their strong side (except maybe automatic tunnels using 2002::/16). I would recommend them only when you really have no opportunity to implement dual stack.
P.S.: and my simple mind map as a bonus:

Friday, July 12, 2013

Links.

1. CCIE R&S Troubleshooting Lab 1 for GNS3
Just great lab.

2. Multipath Load Sharing with two ISPs
Faced this issue recently.

3. IPv6 Prefixes
Dynamic IPv6 statistics.

4. EtherChannel considerations
Because official cert guide is too poorly written.

5. Dsniff
"dsniff is a collection of tools for network auditing and penetration testing" . Nuff said.

6. Sniffing on IOU
Because you need it.

7. Process, Fast and CEF Switching and Packet Punting
Feel the difference.

8. Charles Spurgeon's Ethernet (IEEE 802.3) Site
All you need to know in one place.

9. Network Engineering beta
"Network Engineering Stack Exchange is a question and answer site for network engineers. It's 100% free, no registration required."

10. Creative Routing Contest
Already completed but still pretty interesting.

Saturday, April 27, 2013

Redistribution between 3 IGPs issue.

After passing my CCNP R&S, from time to time I read old BSCI materials and do labs to repeat some topics or cover blank areas. Recently I encountered strange behavior when I tried redistribution between 3 IGPs.
The topology is as following:
Let's start with basic configuration:
R1:
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 10.0.13.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.0.12.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 20.0.14.1 255.255.255.0
!
router eigrp 1
 network 10.0.13.0 0.0.0.255
 no auto-summary
!
router ospf 1
 network 10.0.12.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
router rip
 version 2
 network 20.0.0.0
 no auto-summary


R2:
interface Loopback0
 ip address 172.16.2.2 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/1
 ip address 10.0.12.2 255.255.255.0
!
router ospf 1
 network 10.0.12.0 0.0.0.255 area 0
 network 172.16.2.0 0.0.0.255 area 0


R3:
interface Loopback0
 ip address 172.16.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.13.3 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.13.0 0.0.0.255
 network 172.16.3.0 0.0.0.255
 no auto-summary


R4:
interface Loopback0
 ip address 172.16.4.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 20.0.14.4 255.255.255.0
!
router rip
 version 2
 network 20.0.0.0
 network 172.16.0.0
 no auto-summary


At this moment everything is working as expected - R1 receives all the routes from all IGPs:
R1#show ip route
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.14.0 is directly connected, FastEthernet1/0
     172.16.0.0/24 is subnetted, 4 subnets
R       172.16.4.0 [120/1] via 20.0.14.4, 00:00:08, FastEthernet1/0
C       172.16.1.0 is directly connected, Loopback0
O       172.16.2.0 [110/11] via 10.0.12.2, 00:40:36, FastEthernet0/1
D       172.16.3.0 [90/409600] via 10.0.13.3, 00:22:40, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.12.0 is directly connected, FastEthernet0/1
C       10.0.13.0 is directly connected, FastEthernet0/0


The main task is to check how redistribution from EIGRP into OSPF and then from OSPF into RIP works, something like (EIGRP->OSPF)->RIP. I won't bother with mutual redistribution, only one-way:
R1:
router ospf 1
 log-adjacency-changes
 redistribute eigrp 1 subnets
 network 10.0.12.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute ospf 1 metric 10
 network 20.0.0.0
 no auto-summary


In theory, R4 should receive all prefixes; nevertheless, R4 receives only the OSPF prefixes, not the EIGRP ones:
R4#show ip route
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.14.0 is directly connected, FastEthernet1/0
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.4.0 is directly connected, Loopback0
R       172.16.1.0 [120/10] via 20.0.14.1, 00:00:10, FastEthernet1/0
R       172.16.2.0 [120/10] via 20.0.14.1, 00:00:10, FastEthernet1/0
     10.0.0.0/24 is subnetted, 1 subnets
R       10.0.12.0 [120/10] via 20.0.14.1, 00:00:11, FastEthernet1/0


Which is pretty surprising because R1 has these prefixes in the OSPF database:
R1#show ip ospf database | begin Type-5
                Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
10.0.13.0       172.16.1.1      195         0x80000001 0x003694 0
172.16.3.0      172.16.1.1      195         0x80000001 0x00A180 0


But it is not advertising them to R4:
R1#debug ip rip
RIP protocol debugging is on
R1#
*Mar  1 01:04:31.991: RIP: sending v2 update to 224.0.0.9 via FastEthernet1/0 (20.0.14.1)
*Mar  1 01:04:31.991: RIP: build update entries
*Mar  1 01:04:31.991:   10.0.12.0/24 via 0.0.0.0, metric 10, tag 0
*Mar  1 01:04:31.995:   172.16.1.0/24 via 0.0.0.0, metric 10, tag 0
*Mar  1 01:04:31.995:   172.16.2.0/24 via 0.0.0.0, metric 10, tag 0




Nor does it have them in the RIP database:
R1#show ip rip database
10.0.0.0/8    auto-summary
10.0.12.0/24    redistributed
    [10] via 0.0.0.0,
20.0.0.0/8    auto-summary
20.0.14.0/24    directly connected, FastEthernet1/0
172.16.0.0/16    auto-summary
172.16.1.0/24    redistributed
    [10] via 0.0.0.0,
172.16.2.0/24    redistributed
    [10] via 10.0.12.2,
172.16.4.0/24
    [1] via 20.0.14.4, 00:00:22, FastEthernet1/0



The only way to solve it is to redistribute EIGRP directly into RIP:
R1:
router rip
 version 2
 redistribute ospf 1 metric 10
 redistribute eigrp 1 metric 9
 network 20.0.0.0
 no auto-summary


And now these prefixes are there:
R4#show ip route
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.14.0 is directly connected, FastEthernet1/0
     172.16.0.0/24 is subnetted, 4 subnets
C       172.16.4.0 is directly connected, Loopback0
R       172.16.1.0 [120/10] via 20.0.14.1, 00:00:23, FastEthernet1/0
R       172.16.2.0 [120/10] via 20.0.14.1, 00:00:23, FastEthernet1/0
R       172.16.3.0 [120/9] via 20.0.14.1, 00:00:23, FastEthernet1/0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.0.12.0 [120/10] via 20.0.14.1, 00:00:24, FastEthernet1/0
R       10.0.13.0 [120/9] via 20.0.14.1, 00:00:24, FastEthernet1/0


The same behavior occurs when I change the redistribution order. For example (RIP->EIGRP)->OSPF:
R1:
router eigrp 1
 redistribute rip metric 1500 100 255 1 1500
 network 10.0.13.0 0.0.0.255
 no auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 1 subnets
 network 10.0.12.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0

R2#show ip route
     172.16.0.0/24 is subnetted, 3 subnets
O       172.16.1.0 [110/11] via 10.0.12.1, 01:03:05, FastEthernet0/1
C       172.16.2.0 is directly connected, Loopback0
O E2    172.16.3.0 [110/20] via 10.0.12.1, 00:00:32, FastEthernet0/1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.12.0 is directly connected, FastEthernet0/1
O E2    10.0.13.0 [110/20] via 10.0.12.1, 00:00:32, FastEthernet0/1


But at this time R1 doesn't have these prefixes in the OSPF database:
R1#show ip ospf database | b Type-5
                Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
10.0.13.0       172.16.1.1      272         0x80000001 0x003694 0
172.16.3.0      172.16.1.1      272         0x80000001 0x00A180 0


Only in the EIGRP topology table:
R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(1)/ID(172.16.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.0.13.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
P 20.0.14.0/24, 1 successors, FD is 1732096
        via Redistributed (1732096/0)
P 172.16.4.0/24, 1 successors, FD is 1732096
        via Redistributed (1732096/0)
P 172.16.3.0/24, 1 successors, FD is 409600
        via 10.0.13.3 (409600/128256), FastEthernet0/0




UPD.: the same is true for IPv6 IGP redistribution.

UPD2.: I checked this in a Huawei environment (with IS-IS instead of EIGRP); the result is the same:
R1:
isis 1
 is-level level-2
 cost-style wide
 network-entity 49.0001.7201.6001.0001.00
 is-name R1
#
ospf 1
 import-route isis 1 cost 1000
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 10.0.12.0 0.0.0.255
#
rip 1
 undo summary
 version 2
 network 20.0.0.0
 import-route ospf 1 cost 10


[R4]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.0.12.0/24  RIP     100  11          D   20.0.14.1       GigabitEthernet0/0/2
      20.0.14.0/24  Direct  0    0           D   20.0.14.4       GigabitEthernet0/0/2
      20.0.14.4/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/2
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  RIP     100  11          D   20.0.14.1       GigabitEthernet0/0/2
     172.16.2.2/32  RIP     100  11          D   20.0.14.1       GigabitEthernet0/0/2
     172.16.4.0/24  Direct  0    0           D   172.16.4.4      LoopBack0
     172.16.4.4/32  Direct  0    0           D   127.0.0.1       LoopBack0


UPD3.: Finally, I came to a conclusion regarding this issue. The main requirement for a redistributed prefix to be announced to a neighbor is that it has to be present in the routing table. But it is not the only requirement. Besides being in the routing table, the prefix has to be learned by the routing process which is redistributing it.
In the example above it means that the EIGRP prefixes that are redistributed into OSPF would have to be in the routing table of R1 with IGP code O (for OSPF) to be present in the RIP updates to R4.
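The rule from UPD3 applied to R1's own routing table, as an added example in Python (not from the original post): it parses the 'show ip route' output shown earlier and computes what each 'redistribute' statement can export, which reproduces the two Type-5 LSAs and the three RIP update entries seen in the debug. The per-process connected networks are taken from R1's network statements above.

```python
"""Why (EIGRP->OSPF)->RIP loses the EIGRP prefixes on R1.

Added example, not from the original post. It applies the UPD3 rule to R1's
'show ip route' output: a process only redistributes RIB entries it installed
itself, plus connected networks it is enabled on.
"""
import re

# Sample input: R1's routing table as shown earlier in the post.
R1_SHOW_IP_ROUTE = """\
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.14.0 is directly connected, FastEthernet1/0
     172.16.0.0/24 is subnetted, 4 subnets
R       172.16.4.0 [120/1] via 20.0.14.4, 00:00:08, FastEthernet1/0
C       172.16.1.0 is directly connected, Loopback0
O       172.16.2.0 [110/11] via 10.0.12.2, 00:40:36, FastEthernet0/1
D       172.16.3.0 [90/409600] via 10.0.13.3, 00:22:40, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.12.0 is directly connected, FastEthernet0/1
C       10.0.13.0 is directly connected, FastEthernet0/0
"""

# Connected networks each R1 process is enabled on (from its 'network' lines).
R1_ENABLED = {
    "D": {"10.0.13.0/24"},                   # router eigrp 1
    "O": {"10.0.12.0/24", "172.16.1.0/24"},  # router ospf 1
    "R": {"20.0.14.0/24"},                   # router rip
}

_HDR = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
_RTE = re.compile(r"^([A-Z])\s+(?:(?:E[12]|IA)\s+)?(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s")


def parse_rib(text):
    """Return {prefix: code}. In this IOS format the classful header line
    carries the prefix length for the subnet lines that follow it."""
    rib, plen = {}, None
    for line in text.splitlines():
        hdr = _HDR.match(line)
        if hdr:
            plen = hdr.group(1)
            continue
        rte = _RTE.match(line)
        if rte:
            code, net, own_len = rte.groups()
            rib[f"{net}/{own_len or plen}"] = code
    return rib


def redistributable(rib, src_code, enabled=R1_ENABLED):
    """Prefixes that 'redistribute <src>' exports: RIB entries owned by the
    source process plus connected networks the source process covers."""
    own = {p for p, c in rib.items() if c == src_code}
    conn = {p for p, c in rib.items() if c == "C" and p in enabled.get(src_code, ())}
    return own | conn


def two_hop(rib, first, middle, enabled=R1_ENABLED):
    """(first->middle)->next: what the first hop injects into the middle process
    versus what the middle process can pass on. Injected prefixes never appear
    in the RIB under the middle process's code (R1 keeps the originals under
    the first process), so they are lost at the second hop."""
    injected = redistributable(rib, first, enabled)
    passed_on = redistributable(rib, middle, enabled)
    return injected, passed_on, injected - passed_on


if __name__ == "__main__":
    rib = parse_rib(R1_SHOW_IP_ROUTE)
    injected, passed_on, lost = two_hop(rib, "D", "O")
    print("EIGRP -> OSPF injects:", sorted(injected))   # the two Type-5 LSAs
    print("OSPF -> RIP passes on:", sorted(passed_on))  # the three RIP update entries
    print("lost on the way to R4:", sorted(lost))
```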

Wednesday, February 27, 2013

OSPF Network Types.

I think this topic is one of my weakest areas in the CCNP track, so I need to strengthen it, and the best way to do so is practice.
OSPF uses broadcast and DR/BDR elections, which means some issues with the underlying L2 protocols. So let's consider all L2 options and how OSPF handles them.

Point-to-point.
It is the easiest one:
R1#show running-config interface serial 1/0
interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf 1 area 0
end
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:31    10.0.0.2        Serial1/0
R1#show ip ospf interface serial 1/0
Serial1/0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

It is the default network type for serial links. This type of media supports broadcast (and, therefore, OSPF multicast), so neighboring routers are discovered automatically.
The main reason for the DR/BDR election is reducing full-mesh LSA flooding between adjacent routers on the media. But serial links by default aren't multiaccess media, so a DR/BDR election is not necessary.

Broadcast.
The second easiest one:

R1#show running-config interface FastEthernet 0/0
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf 1 area 0
end
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   2WAY/DROTHER    00:00:39    10.0.0.2        FastEthernet0/0
3.3.3.3           1   FULL/BDR        00:00:37    10.0.0.3        FastEthernet0/0
4.4.4.4           1   FULL/DR         00:00:36    10.0.0.4        FastEthernet0/0
R1#show ip ospf interface FastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 4.4.4.4, Interface address 10.0.0.4
  Backup Designated router (ID) 3.3.3.3, Interface address 10.0.0.3
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5


Non-Broadcast Multiaccess.
The rest of this post is related to the obscure Frame Relay technology, which I have never seen in real production networks. Configuration examples can be found here.
With Frame Relay you have several interface configuration options, namely - physical interface, point-to-point subinterfaces, point-to-multipoint subinterfaces. Let's consider all of them.

Connection using physical interfaces.
This is a hub-and-spoke topology with R1 as the hub router, meaning R2 and R3 don't have a common DLCI.
R1#show running-config interface s1/0
interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 encapsulation frame-relay
 ip ospf 1 area 0
 no keepalive
 frame-relay interface-dlci 102
 frame-relay interface-dlci 103
 frame-relay lmi-type ansi
end

Because only R1 has DLCIs to all other routers, it should become the DR; on the other routers the OSPF priority is set to 0:
R2#show running-config interface s1/0
interface Serial1/0
 ip address 10.0.0.2 255.255.255.0
 encapsulation frame-relay
 ip ospf priority 0
 ip ospf 1 area 0
 no keepalive
 frame-relay map ip 10.0.0.3 201
 frame-relay interface-dlci 201
 frame-relay lmi-type ansi
end
R1#show ip ospf interface serial 1/0
Serial1/0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type NON_BROADCAST, Cost: 64
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 1.1.1.1, Interface address 10.0.0.1
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5

The network type is non-broadcast which means that no OSPF multicast messages are allowed. So you need to manually specify neighbors, forcing OSPF to use unicast messages:
R1#show running-config | section router ospf
router ospf 1
 neighbor 10.0.0.2
 neighbor 10.0.0.3
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/DROTHER    00:01:41    10.0.0.2        Serial1/0
3.3.3.3           0   FULL/DROTHER    00:01:55    10.0.0.3        Serial1/0


Notice that with Frame Relay you can actually specify the OSPF network type as broadcast. But this requires frame-relay mappings with the "broadcast" keyword:
R1#show running-config interface serial 1/0
interface Serial1/0
 ip address 10.0.0.1 255.255.255.0
 encapsulation frame-relay
 ip ospf network broadcast
 ip ospf 1 area 0
 no keepalive
 frame-relay map ip 10.0.0.3 103 broadcast
 frame-relay map ip 10.0.0.2 102 broadcast

 frame-relay interface-dlci 102
 frame-relay interface-dlci 103
 frame-relay lmi-type ansi
end
R1#show ip ospf interface serial 1/0
Serial1/0 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 64
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 1.1.1.1, Interface address 10.0.0.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
R1#show running-config | section router ospf 1
router ospf 1
 log-adjacency-changes

The router will send multicast packets as unicast according to the configured Frame Relay mappings, which essentially leads to dynamic neighbor discovery.
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/DROTHER    00:00:36    10.0.0.2        Serial1/0
3.3.3.3           0   FULL/DROTHER    00:00:30    10.0.0.3        Serial1/0


Connection using point-to-point subinterfaces.
The topology is the same:
R1#show running-config interface serial 1/0
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no keepalive
end
R1#show running-config interface serial 1/0.102
interface Serial1/0.102 point-to-point
 ip address 10.0.0.1 255.255.255.128
 ip ospf 1 area 0
 frame-relay interface-dlci 102
end
R1#show running-config interface serial 1/0.103
interface Serial1/0.103 point-to-point
 ip address 10.0.0.129 255.255.255.128
 ip ospf 1 area 0
 frame-relay interface-dlci 103

On other routers the configuration is almost the same.
R1#show ip ospf interface serial 1/0.102
Serial1/0.102 is up, line protocol is up
  Internet Address 10.0.0.1/25, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

As we can see, IOS uses the point-to-point network type, which is pretty logical.
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:34    10.0.0.2        Serial1/0.102
3.3.3.3           0   FULL/  -        00:00:38    10.0.0.130      Serial1/0.103

And as long as these interfaces are point-to-point, we don't need DR/BDR on them.

Connection using point-to-multipoint subinterfaces.
R1#show running-config interface serial 1/0
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no keepalive
end
R1#show running-config interface serial 1/0.1
interface Serial1/0.1 multipoint
 ip address 10.0.0.1 255.255.255.0
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 snmp trap link-status
 frame-relay map ip 10.0.0.3 103 broadcast
 frame-relay map ip 10.0.0.2 102 broadcast

end
R1#show ip ospf interface serial 1/0.1
Serial1/0.1 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5

By default OSPF treats these multipoint subinterfaces as regular non-broadcast interfaces, preventing dynamic neighbor discovery. Therefore "ip ospf network point-to-multipoint" is required. Frame Relay mappings with the "broadcast" keyword are required as well. After this configuration OSPF treats each pair of routers (that have a common DLCI) as point-to-point neighbors, and a DR/BDR therefore isn't needed:
R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:01:43    10.0.0.3        Serial1/0.1
2.2.2.2           0   FULL/  -        00:01:59    10.0.0.2        Serial1/0.1


Alternatively you can use "ip ospf network point-to-multipoint non-broadcast". As with regular non-broadcast interfaces you have to specify neighbors manually, but no DR/BDR election will occur, because each pair of adjacencies will be treated as point-to-point:
R1#show running-config interface serial 1/0.1
interface Serial1/0.1 multipoint
 ip address 10.0.0.1 255.255.255.0
 ip ospf network point-to-multipoint non-broadcast
 ip ospf 1 area 0
 frame-relay interface-dlci 102
#Notice that there are no more frame-relay mappings, due to the lack of a multicast requirement.
 frame-relay interface-dlci 103
end
R1#show running-config | section router ospf
router ospf 1
 neighbor 10.0.0.3
 neighbor 10.0.0.2
R1#show ip ospf interface serial 1/0.1
Serial1/0.1 is up, line protocol is up
  Internet Address 10.0.0.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5


To sum up the information above:
Type                              | DR/BDR | Dynamic Neighbors | Hello/Dead | Labels
Broadcast                         | Y      | Y                 | 10/40      | Default for Ethernet links, requires broadcast mappings (for Frame Relay)
Non-Broadcast                     | Y      | N                 | 30/120     | Default for Frame Relay physical and multipoint interfaces
Point-to-Point                    | N      | Y                 | 10/40      | Default for Serial links and Frame Relay point-to-point subinterfaces
Point-to-Multipoint               | N      | Y                 | 30/120     | Requires static neighbors and broadcast mappings (for Frame Relay)
Point-to-Multipoint Non-Broadcast | N      | N                 | 30/120     | Requires static neighbors

And the last important thing: you can mix network types on different ends of the link as long as they can interoperate with each other, in other words when the two network types both (or neither) require DR/BDR and dynamic neighbor discovery, and have identical timer values:
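A check for that last rule, as an added example in Python (not from the original post): it parses 'show ip ospf interface' output from both ends of a link and reports DR/BDR and Hello/Dead mismatches, using the DR/BDR column of the summary table. The R2 sample is a constructed spoke left at the Frame Relay default (NON_BROADCAST, 30/120); the R1 samples are trimmed copies of the outputs above.

```python
"""Check whether two OSPF interface ends can interoperate.

Added example, not from the original post. Both ends must agree on whether a
DR/BDR is elected and on the Hello/Dead timers; network type names are the
ones IOS prints in 'show ip ospf interface'.
"""
import re

USES_DR = {"BROADCAST", "NON_BROADCAST"}  # types that elect a DR/BDR (summary table)

_TYPE = re.compile(r"Network Type ([A-Z_]+)")
_TIMERS = re.compile(r"Hello (\d+), Dead (\d+)")


def parse_ospf_interface(text):
    """Return (network_type, hello, dead) from a 'show ip ospf interface' block."""
    t, tm = _TYPE.search(text), _TIMERS.search(text)
    if not (t and tm):
        raise ValueError("network type or timers not found in output")
    return t.group(1), int(tm.group(1)), int(tm.group(2))


def adjacency_problems(side_a, side_b):
    """Reasons the two ends will not form a working adjacency; empty means OK."""
    type_a, hello_a, dead_a = parse_ospf_interface(side_a)
    type_b, hello_b, dead_b = parse_ospf_interface(side_b)
    problems = []
    if (type_a in USES_DR) != (type_b in USES_DR):
        problems.append(f"DR/BDR mismatch: {type_a} vs {type_b}")
    if (hello_a, dead_a) != (hello_b, dead_b):
        problems.append(f"timer mismatch: {hello_a}/{dead_a} vs {hello_b}/{dead_b}")
    return problems


# Constructed samples: trimmed copies of R1's outputs from the post, plus a
# hypothetical R2 spoke left at the Frame Relay default (NON_BROADCAST, 30/120).
R1_BROADCAST = """Serial1/0 is up, line protocol is up
  Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""
R1_P2MP = """Serial1/0.1 is up, line protocol is up
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
"""
R2_NBMA = """Serial1/0 is up, line protocol is up
  Process ID 1, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 64
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
"""

if __name__ == "__main__":
    for name, a, b in (("broadcast vs NBMA", R1_BROADCAST, R2_NBMA),
                       ("p2mp vs NBMA", R1_P2MP, R2_NBMA),
                       ("NBMA vs NBMA", R2_NBMA, R2_NBMA)):
        print(name, "->", adjacency_problems(a, b) or "compatible")
```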
OSPF over Frame-Relay – Part 6: Troubleshooting
Understanding OSPF Network Types