Thursday, 27 November 2014

MPLS: OSPF sham-links

Introduction
The provider’s MPLS cloud has three routers namely – R1 (P-router), R2 (PE-R2) and R3 (PE-R3). These routers formed OSPF adjacency with one another. R2 and R3 are iBGP neighbors peering with each other’s loopback address.
The TTL propagation within the MPLS cloud was suppressed with no mpls ip propagate-ttl command. This is to “hide” the number of mpls routers that exist within the provider’s MPLS core.
Reason to use ospf sham link
It is possible that customer’s network has an OSPF backdoor link to each other despite subscribing MPLS service which links customer’s edge routers.

R4 and R5 has OSPF backdoor link between them.
The OSPF link through the MPLS cloud would be an inter-area link despite both site-a and site-b links are in OSPF area 0, this poses a problem if customer wants traffic to traverse from site-a to site-b or vice versa through the MPLS core. OSPF will prefer the intra-area route, in this case is the backdoor link which resides in the same OSPF area, to reach the destination.
To solve this problem, OSPF sham link is used.

Wednesday, 19 November 2014

Dynamic Multipoint VPN (DMVPN) Configuration

DMVPN (Dynamic Multipoint VPN) is a technique where we use multipoint GRE tunnels instead of GRE point-to-point tunneling. These multipoint GRE tunnels will be encrypted using IPSEC so that we have a secure scalable tunneling solution. If you are unfamiliar with tunneling or IPSEC I highly recommend to check the basic configuration for GRE first and how to configure an encrypted GRE tunnel with IPSEC. Having said that let’s look at the configuration of DMVPN. This is the topology that we will use:
DMVPN Topology
Let me explain this topology to you:
·         R1,R2 and R3 are able to reach each other using their FastEthernet 0/0 interfaces. I used the 192.168.123.0 /24 subnet so that they can reach each other.
·         R1 will be the hub router and R2/R3 will be the spoke routers.
·         R2 and R3 will establish a tunnel to R1 as shown with the green dotted line.
·         When R2 and R3 want to communicate with each other they will create a spoke-to-spoke tunnel as shown with the purple dotted line.
·         We will use the 172.16.123.0 /24 subnet for the tunnel interfaces.
·         Each router has a loopback interface with an IP address. The routers will reach each others loopback by going through the tunnel interface.
The configuration consists of a number of steps:

Monday, 22 September 2014

Failover on Cisco ASA

Configuring high availability requires two identical ASAs connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.
The ASA supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover.
With Active/Active failover, both units can pass network traffic. This also lets you configure traffic sharing on your network. Active/Active failover is available only on units running in multiple context mode.
With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.
Both failover configurations support stateful or stateless (regular) failover.

Hardware Requirements

The two units in a failover configuration must be the same model, have the same number and types of interfaces, and the same SSMs installed (if any).
If you are using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
Although it is not required, it is recommended that both units have the same amount of RAM memory installed.

Software Requirements

The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active.
The two units in a failover pair constantly communicate over a failover link to determine the operating status of each unit. The following information is communicated over the failover link:
•The unit state (active or standby)
•Hello messages (keep-alives)
•Network link status
•MAC address exchange
•Configuration replication and synchronization
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. If the ASA is used to terminate VPN tunnels, this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a

Use Google Chrome as a SSH Client

We always use Putty client software for Secure SSH connection between  PC to Router or PC to Firewall.
Today i am going to show you how to use your Google chrome browser as a SSH Client.

Open your Chrome browser and enter chrome://extensions/

then search for Secure Shell chrome extension. Install it

Then after it will prompt you SSH client option


Tuesday, 2 September 2014

IP Unnumbered Explained

In this tutorial we will take a look at IP unnumbered and how to configure it. First of all…what is IP unnumbered and why do we need it?
On a router each interface requires a unique IP address so it can install an entry in the routing table and process IP packets. IP unnumbered allows you to process IP packets without configuring a unique IP address on an interface, this works by “borrowing” an IP address from another interface.
Why would you want this and not just configure an IP address on the interface? To answer that question we have to dive into the past.
Once upon a time we didn’t have VLSM (Variable Length Subnet Mask) and we used classful routing protocols like RIP version 1 and IGRP (the predecessor of EIGRP). This means that the smallest subnet you could use was a /24. When using public IP addresses this is a huge waste of IP space. Take a look at the picture below:
R1 R2 R3 serial links
There are 3 routers connected with each other using point-to-point serial links. We have to use two /24 subnets while we only require 4 IP addresses in total…such a waste!
IP unnumbered was created to solve this problem so you didn’t have to waste entire subnets on point-to-point interfaces. It borrows an IP address from another interface so you don’t have to configure one on the point-to-point interface.

Multiple Spanning Tree (MST)

By default Cisco Catalyst Switches run PVST+ or Rapid PVST+ (Per VLAN Spanning Tree). This means that each VLAN is mapped to a single spanning tree instance. When you have 20 VLANs, it means there are 20 instances of spanning tree.
Is this a problem? Like always…it depends, let’s take a look at an example:
Cisco MST Topology 200 VLANs
Take a look at the topology above. We have three switches and a lot of VLANs. There’s 199 VLANs in total. If we are running PVST or Rapid PVST this means that we have 199 different calculations for each VLAN. This requires a lot of CPU power and memory.
When SwitchB is the root bridge for VLAN 100 – 200 and SwitchC for VLAN 201 – 300 our spanning-tree topologies will look like this:

Wednesday, 20 August 2014

Data Encapsulation & Decapsulation in the OSI Model

Introduction

Here we are going to explain in detail how data travels through the OSI model. You must keep in mind that the OSI model is a guideline. It tells the computer what it's supposed to do when data needs to be sent or when data is received.

Our Study Case

We are going to analyse an example in order to try and understand how data encapsulation and decapsulation works. This should make it easier for most people.
Try to see it this way :
When a car is built in a factory, one person doesn't do all the jobs, rather it's put into a production line and as the car moves through, each person will add different parts to it so when it comes to the end of the production line, it's complete and ready to be sent out to the dealer.
The same story applies for any data which needs to be sent from one computer to another. The OSI model which was created by the IEEE committee is to ensure that everyone follows these guidelines (just like the production line above) and therefore each computer will be able to communicate with every other computer, regardless of whether one computer is a Macintosh and the other is a PC.
One important piece of information to keep in mind is that data flows 2 ways in the OSI model, DOWN (data encapsulation) and UP (data decapsulation).
The picture below is an example of a simple data transfer between 2 computers and shows how the data is encapsulated and decapsulated:
osi-encap-decap

Explanation:

BGP Route Aggreagation

BGP Route Aggreagation helps to reduce the size of the routing table. A summary route is announced to the peer. The component routes, that make up the aggregate, can be suppressed or announced additionally to the aggregate. At least one component route has to be in the BGP table for the aggregate to be announced.
The BGP setup is as follows. R1 and R2 are in AS 100, R3 is in AS200.
3 Routers for BGP, IPv4
The component routes are announced on R1. As BGP needs valid routes in the routing table before announcing networks to peers, interface Loopback 1 is configured with 5 addresses.
R1#show running-config inter loopback 1
Building configuration...

Monday, 17 February 2014

Parser View

With CLI view, we can restrict which access each network administrator have based on role.Superviews allow a network administrator to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users. 

Here is the basic configuration of the Parser View.

R2 <----> R3    
192.168.1.1   <---->  192.168.1.2

Task: 

  • Allowing telnet access with the username OPERATOR and password CISCO to be able to configure the HTTP feature in the router only.
  • Configure Username ADMIN and password CISCO to have access to every feature in the router.



aaa new-model
!
!
aaa authentication login default local
aaa authentication login VTY local
aaa authentication login CON none
aaa authorization exec default local
aaa authorization exec VTY local


username OPERATOR view HTTP password 0 CISCO
username ADMIN privilege 15 password 0 CISCO


parser view HTTP
 secret 5 $1$6ZRJ$CIjM5cdVUvhpinttlR/361
 commands configure include ip http
 commands configure include ip
 commands exec include configure terminal
 commands exec include configure
 commands exec include show running-config
 commands exec include show

Monday, 20 January 2014

Any Transport Over MPLS (AToM)

Any Transport over MPLS (AToM) will transport layer 2 frames over a MPLS (Multiprotocol Label Switching) network. This will allow service providers to connect layer 2 networks of customers transparently by using their MPLS backbone. AToM can transport the following:
  • ATM AAL5
  • ATM Cell Relay
  • Ethernet
  • Frame Relay
  • PPP
  • HDLC
I will give you an example how to configure AToM to transport Ethernet over the MPLS backbone, we will use the following topology to do this:
MPLS Atom Ethernet
Above you see a small MPLS backbone that consists of the PE1, P and PE2 router. This ISP only has one customer that has a HQ and Branch. The customer wants to have the HQ and Branch router to be in the same layer 2 segment.

Configuration

First we will enable OSPF to advertise the loopback interfaces, these will be used as the router ID for MPLS LDP:
PE1(config)#router ospf 1
PE1(config-router)#network 192.168.12.0 0.0.0.255 area 0
PE1(config-router)#network 1.1.1.1 0.0.0.0 area 0
P(config)#router ospf 1
P(config-router)#network 192.168.12.0 0.0.0.255 area 0
P(config-router)#network 192.168.23.0 0.0.0.255 area 0
P(config-router)#network 2.2.2.2 0.0.0.0 area 0
PE2(config)#router ospf 1
PE2(config-router)#network 192.168.23.0 0.0.0.255 area 0
PE2(config-router)#network 3.3.3.3 0.0.0.0 area 0
Now we will enable MPLS LDP on the interfaces connecting the PE1, P and PE2 routers:
PE1(config)#interface fastEthernet 0/1
PE1(config-if)#mpls ip
P(config)#interface fastEthernet 0/0
P(config-if)#mpls ip

P(config)#interface fastEthernet 0/1
P(config-if)#mpls ip
PE2(config)#interface fastEthernet 0/0
PE2(config-if)#mpls ip
Just to be sure let’s verify that we have LDP neighbors:
P#show mpls ldp neighbor | include Peer
Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
That seems to be the case! Now we can configure AToM so that the HQ and Branch router are able to reach each other:
PE1(config)#interface fastEthernet 0/0
PE1(config-if)#xconnect 3.3.3.3 13 encapsulation mpls
PE2(config)#interface fastEthernet 0/1
PE2(config-if)#xconnect 1.1.1.1 13 encapsulation mpls
We need to use the xconnect command between PE1 and PE2. The VC ID (13) has to be the same on both routers.

Verification

First we will check our LDP peers:
PE1#show mpls ldp neighbor 3.3.3.3
Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 1.1.1.1:0
TCP connection: 3.3.3.3.64567 - 1.1.1.1.646
State: Oper; Msgs sent/rcvd: 15/15; Downstream
Up time: 00:05:19
LDP discovery sources:
Targeted Hello 1.1.1.1 -> 3.3.3.3, active, passive
Addresses bound to peer LDP Ident:
192.168.23.3 3.3.3.3
PE2#show mpls ldp neighbor 1.1.1.1
Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 3.3.3.3:0
TCP connection: 1.1.1.1.646 - 3.3.3.3.64567
State: Oper; Msgs sent/rcvd: 15/15; Downstream
Up time: 00:05:38
LDP discovery sources:
Targeted Hello 3.3.3.3 -> 1.1.1.1, active, passive
Addresses bound to peer LDP Ident:
192.168.12.1 1.1.1.1
PE1 and PE2 are LDP neighbors, now we’ll verify that they are transporting our Ethernet traffic:
PE1#show mpls l2transport binding 
Destination Address: 3.3.3.3, VC ID: 13
Local Label: 19
Cbit: 1, VC Type: Ethernet, GroupID: 0
MTU: 1500, Interface Desc: n/a
VCCV: CC Type: CW [1], RA [2]
CV Type: LSPV [2]
Remote Label: 19
Cbit: 1, VC Type: Ethernet, GroupID: 0
MTU: 1500, Interface Desc: n/a
VCCV: CC Type: CW [1], RA [2]
CV Type: LSPV [2]
PE2#show mpls l2transport binding 
Destination Address: 1.1.1.1, VC ID: 13
Local Label: 19
Cbit: 1, VC Type: Ethernet, GroupID: 0
MTU: 1500, Interface Desc: n/a
VCCV: CC Type: CW [1], RA [2]
CV Type: LSPV [2]
Remote Label: 19
Cbit: 1, VC Type: Ethernet, GroupID: 0
MTU: 1500, Interface Desc: n/a
VCCV: CC Type: CW [1], RA [2]
CV Type: LSPV [2]
A label has been assigned to this virtual circuit, you can see it says “Ethernet”. There’s another useful command that lets us check the AToM configuration:
PE1#show mpls l2transport vc 

Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
Fa0/0 Ethernet 3.3.3.3 13 UP
PE2#show mpls l2transport vc

Local intf Local circuit Dest address VC ID Status
------------- -------------------------- --------------- ---------- ----------
Fa0/1 Ethernet 1.1.1.1 13 UP
Above you have a nice overview with the interfaces, transport type, virtual circuit ID and the status. Everything is looking good to let’s give it a test drive:
HQ#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/40 ms
Our ping is successful, we can verify the number of packets that have been sent as following:
PE1#show mpls l2transport vc detail            
Local interface: Fa0/0 up, line protocol up, Ethernet up
Destination address: 3.3.3.3, VC ID: 13, VC status: up
Next hop: 192.168.12.2
Output interface: Fa0/1, imposed label stack {17 19}
Create time: 00:09:46, last status change time: 00:09:41
Signaling protocol: LDP, peer 3.3.3.3:0 up
MPLS VC labels: local 19, remote 19
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description:
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 84, send 83
byte totals: receive 9445, send 9045
packet drops: receive 0, seq error 0, send 0
That’s how you configure AToM to transport Ethernet. I hope this has been useful to you, if you enjoyed this article please share it with your friends.

Cisco IOS NAT on a Stick Configuration Example

NAT (Network Address Translation) is most commonly used to let users on our LAN access the Internet using a single public IP address but it can be used for some more interesting scenarios. Recently I encountered an interesting CCIE R&S task that had the following requirement:
"Make sure that whenever R2 responds to a traceroute it replies with the IP address on the loopback 0 interface"
This sounds easy enough but there’s no such thing as a “traceroute source loopback 0″ command or anything alike. To make this work we have to configure the NAT on a stick feature. In this tutorial I’ll show you this is done. First of all, this is the topology that we will use:
Two Routers R2 Loopback Interface
There are only two routers that are directly connected to each other. R2 has a loopback 0 interface with IP address 2.2.2.0 /24. Let’s configure these IP addresses first:

R1(config)#interface fa0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R2(config)#interface fa0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#interface loopback0
R2(config-if)#ip address 2.2.2.2 255.255.255.0
Before we dive into the NAT configuration let’s do a trace and look at the output:
R1#traceroute 192.168.12.2

Type escape sequence to abort.
Tracing the route to 192.168.12.2

1 192.168.12.2 0 msec 4 msec *
As expected R2 responds with the IP address on its FastEthernet interface. The task requires this output to show the 2.2.2.2 address from the loopback interface. To achieve this we’ll configure NAT on R2:
R2(config)#access-list 100 permit icmp any any time-exceeded
R2(config)#access-list 100 permit icmp any any port-unreachable

R2(config)#ip nat inside source list 100 interface loopback0 overload

R2(config)#interface fastethernet 0/0
R2(config-if)#ip nat inside

R2(config)#interface loopback 0
R2(config-if)#ip nat outside
The configuration above defines the FastEthernet interface as NAT inside and the loopback interface as NAT outside. An access-list is used to permit the ICMP time-exceeded and port-unreachable packets that are used as a response to a traceroute. The NAT configuration itself is complete but we still have a problem with this setup, take a look at the following picture:
Cisco Traceroute ReplyIf you look closely at the image above you can see that whenever R1 does a trace, R2 will reply with its FastEthernet 0/0 interface. In order for NAT to work traffic has to flow from the inside interface to the outside interface. To fix this we can configure policy based routing on R2 to forward traffic to the loopback 0 interface:
R2(config)#route-map FORWARD_TO_L0
R2(config-route-map)#match ip address 100
R2(config-route-map)#set interface loopback0
R2(config)#ip local policy route-map FORWARD_TO_L0
This route-map matches on the interface that we created before and forwards the traffic towards the loopback 0 interface. We also require the ip local policy command to apply the route-map to self-generated traffic. Let’s enable a debug on R2 and try that traceroute again from R1:
R2#debug ip policy 
Policy routing debugging is on

R2#debug ip nat
IP NAT debugging is on
Time to trace!
R1#traceroute 192.168.12.2

Type escape sequence to abort.
Tracing the route to 192.168.12.2

1 2.2.2.2 0 msec 4 msec *
Excellent, we now see IP address 2.2.2.2 from R2 in our traceroute. Let’s take a look at the debug on R2:
R2#
IP: s=192.168.12.2 (local), d=192.168.12.1, len 56, policy match
IP: route map FORWARD_TO_L0, item 10, permit
IP: s=192.168.12.2 (local), d=192.168.12.1 (Loopback0), len 56, policy routed
IP: local to Loopback0 192.168.12.1
NAT: s=192.168.12.2->2.2.2.2, d=192.168.12.1 [17]
The first line is the ICMP packet from R2 towards R1 that it wants to send as a reply to the traceroute. It matches the route-map so it is being policy based routed towards the loopback 0 interface. Since the loopback 0 interface is configured for NAT outside, IP address 192.168.12.2 is translated to 2.2.2.2 and then routed towards R1. Basically it looks like this:
Cisco NAT on a Stick Example
Great! it’s working as it should…what if we make this scenario a little bit more interesting by changing the task as following:
"Make sure that whenever R2 responds to a traceroute it replies with the IP address on the loopback 0 interface, you are not allowed to configure NAT on the FastEthernet interface but you may configure an additional interface and IP address."
No problem! We can still make this work but we’ll have to use another interface that is configured with the “IP NAT inside” command. Traffic still has to flow from a NAT inside interface to a NAT outside interface in order to be translated. To accomplish this we will create a new loopback interface that has the “IP NAT inside” command. We will send traffic from the FastEthernet interface to the new loopback and then forward it to the first loopback interface. I know this sounds funky so let me help you visualize it:
Cisco NAT on a Stick Two Loopback Interfaces
Just follow the arrows starting at R1.  This is what we have to configure:
  1. Configure policy based routing so that the ICMP replies are forwarded from the FastEthernet interface to the new loopback 1 (NAT inside) interface.
  2. Configure policy based routing so that the ICMP replies are forwarded from the loopback 1 interface to the loopback 0 (NAT outside) interface.
First we’ll remove the NAT configuration from the FastEthernet interface and I’ll also get rid of the policy based routing configuration:
R2(config)#interface fa0/0
R2(config-if)#no ip nat inside
R2(config)#no ip local policy route-map FORWARD_TO_L0
Let’s create a new loopback interface. I just made up an IP address, it really doesn’t matter what we configure here as long as there’s something. Don’t forget to add IP NAT inside:
R2(config)#interface loopback 1
R2(config-if)#ip address 22.22.22.22 255.255.255.0
R2(config-if)#ip nat inside
We will create a new route-map that forwards ICMP traffic to the loopback 1 interface:
R2(config)#ip local policy route-map FORWARD_TO_L1
R2(config)#route-map FORWARD_TO_L1
R2(config-route-map)#match ip address 100
R2(config-route-map)#set interface loopback 1
The route-map that we created before can now be applied to the loopback 1 interface. This ensures that traffic is forwarded to the loopback 0 interface:
R2(config)#interface loopback1
R2(config-if)#ip policy route-map FORWARD_TO_L0
That should do it. Let’s try our trace again:
R1#traceroute 192.168.12.2

Type escape sequence to abort.
Tracing the route to 192.168.12.2

1 2.2.2.2 4 msec 4 msec *
Excellent, it’s working! What does the debug look like now?
R2#
IP: s=192.168.12.2 (local), d=192.168.12.1, len 56, policy match
IP: route map FORWARD_TO_L1, item 10, permit
IP: s=192.168.12.2 (local), d=192.168.12.1 (Loopback1), len 56, policy routed
IP: local to Loopback1 192.168.12.1
IP: s=192.168.12.2 (Loopback1), d=192.168.12.1, len 56, policy match
IP: route map FORWARD_TO_L0, item 10, permit
IP: s=192.168.12.2 (Loopback1), d=192.168.12.1 (Loopback0), len 56, policy routed
IP: Loopback1 to Loopback0 192.168.12.1
NAT: s=192.168.12.2->2.2.2.2, d=192.168.12.1 [21]
Look closely at the debug and you can see that the ICMP traffic is forwarded to the loopback 1 interface, then to the loopback 0 interface and because it flowed from a NAT inside to a NAT outside interface it can now be translated.
That’s all I have for you now, hopefully you enjoyed this tutorial! If you have any questions feel free to leave a comment.


Read more: http://networklessons.com/network-services/cisco-ios-nat-stick-configuration-example/#ixzz2r0GlbUxU