Connect to OSPF area 0 over GRE tunnel

We all know that all OSPF areas have to be connected to area 0. But sometimes you encounter
a situation where it is not possible to connect an area to area 0. This can happen because of
poor network design or because two or more networks merge together. There are several options
to deal with this problem. In the CCNP curriculum you learn that a virtual-link is the way
to go on this problem. But there is an other option which is not as popular, but in my opinion
is even more elegant. I’m talking about a GRE tunnel solution.

Let’s take the topology as shown in the picture below.

OSPF_GRE_TOPOLOGY

Router R2 is connected to R1 in area 0. R2 and R3 are connected in area 1 and R3 is connected
to R4 in area 2. Which means that R3 has no connection to area 0.

Below the configurations of routers R1 to R4 before the configuration of the GRE tunnel.

R1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
switchport access vlan 10
!
!
interface FastEthernet2/0
ip address 10.0.0.1 255.255.255.252
duplex auto
speed auto
!
!
interface Vlan10
ip address 10.100.100.254 255.255.255.0
!
router ospf 10
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
network 10.100.100.0 0.0.0.255 area 0
!
R2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
!
interface FastEthernet1/0
ip address 10.0.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 10.0.0.2 255.255.255.252
duplex auto
speed auto
!
!
router ospf 10
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 1
network 10.0.0.0 0.0.0.3 area 0
network 10.0.1.0 0.0.0.3 area 1
!
R3
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
!
interface FastEthernet1/0
ip address 10.0.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 10.0.3.1 255.255.255.252
duplex auto
speed auto
!
!
router ospf 10
router-id 3.3.3.3
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 1
network 10.0.1.0 0.0.0.3 area 1
network 10.0.3.0 0.0.0.3 area 2
!
R4
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
switchport access vlan 10
!
!
interface FastEthernet2/0
ip address 10.0.3.2 255.255.255.252
duplex auto
speed auto
!
!
interface Vlan10
ip address 10.200.200.254 255.255.255.0
!
!
router ospf 10
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 2
network 10.0.3.0 0.0.0.3 area 2
network 10.200.200.0 0.0.0.255 area 2
!

To make this topology work there needs to be a connection from R3 to area 0. To make this happen
make the following configurations to router R2 and R3.

R2
!
interface Tunnel0
ip address 172.18.2.1 255.255.255.0
tunnel source Loopback0
tunnel destination 3.3.3.3
!
!
router ospf 10
network 172.18.2.0 0.0.0.255 area 0
!
R3
!
interface Tunnel0
ip address 172.18.2.2 255.255.255.0
tunnel source Loopback0
tunnel destination 2.2.2.2
!
!
router ospf 10
network 172.18.2.0 0.0.0.255 area 0
!

If you do a “show ip ospf neighbors” on R2 you can see there is a full neighborship between router
R2 and R3 in area 0.

show ip ospf neighbors R2-R3
And with the “show ip route” command you see the network from “area 2” is now in the table.

show ip route R2-R3
Now ping from PC1 to PC2 and this will succeed.

ping PC2-PC2

More interesting is a traceroute from PC1 to PC2, this will show the traffic is actually going
trough the GRE Tunnel!

traceroute PC1-PC2

Advertisements

GRE over IPsec tunnels (Part 2)

In my last post I wrote about GRE over IPsec, but only with static routes. One of the benefits of GRE over IPsec tunnels is that you can send multicast traffic  over the tunnel. With a plain IPsec tunnel this is not possible. So to prove that multicast traffic can cross the GRE over IPsec tunnel I took the topology of my last post and removed the static routes from the configuration of the HQ and Branch routers.
Below the used topology:
GRE_over_IPsec

Then configure the EIGRP configuration on both routers.

R1#sh run | se eigrp
router eigrp 10
network 10.10.10.0 0.0.0.255
network 172.18.2.0 0.0.0.255
no auto-summary
R1#

The syslog below confirms that the EIGRP adjacency is up and running:
EIGRP_adj

Then use the “debug ip packet detail” command to verify that multicast is used and allowed:
EIGRP_multicast

To prove the solution is working check the routing table.
sh_ip_route

And that’s all there to configure dynamic routing over a GRE over IPsec tunnel.

Private vlan’s

This blogpost is about private vlan’s. For  my CCIE study I looked into PVLAN’s. First some terminology. When working with PVLAN’s words like primary vlan, secondary vlan, promiscuous port, isolated port and community port have to sound familiar. If not check the following summary:

  • Primary VLAN: Original vlan, used to forward the actual traffic
  • Secondary VLAN: is configured with one of the following types Isolated or Community
  • Isolated port: A switch port configured as Isolated is only able to communicate with the promiscuous port. It is not able to reach any other destination!
  • Community port: A switchport configured as Community is able to communicate with a server in the same community vlan and the promiscuous port. A community port is not able to communicate with an isolated port.

Below a drawing which describes the above summary.

PVLAN

In the configuration below two laptops are configured in an isolated vlan. Therefor they won’t be able to communicate with each other, but they are able to communicate with the promiscuous port.

PVLAN_isolated

 

In the next configuration the two laptops are configured in a community vlan. because of that they are able to ping each other.

PVLAN_community

 

As you probably noticed, the only configuration change is that the private-vlan host-association changed.

Private vlan’s are very useful to large ISP, because with isolated ports it’s possible to use the same subnets. There is virtually no limit to the number of customers and only one firewall is needed for a lot of customers. The only limiting option is the throughput of the used firewall!

 

** to build this topology I used a Cisco 3560 switch and a Cisco ASA 5505 firewall

Port Access-Lists (PACL)

A while ago I blogged about VACL or Vlan Access-Lists. PACL and VACL are really connected to each other. In this blogpost I will show you how PACL works and how to configure it on a Cisco switch.

First of all, what is PACL. PACL makes it possible to filter incoming traffic on a layer 2 interface using layer 3 or 4 information.

First some restrictions on PACL

  • There can only be one ACL applied to a layer 2 interface per direction
  • PACL don’t filter later 2 traffic like CDP, VTP, DTP, UDLD and STP because this traffic is handled by the Route Processor before the applied ACL takes effect
  • The number of ACL’s that can be configured as part of the PACL configuration is bounded by the hardware resources of the switch
  • A MAC ACL is not applied to IP, MPLS or ARP messages
  • Only named MAC ACL can be used

I spoke earlier about the interaction between PACL and VACL. When they are both used on the switch and the traffic is bridged, PACL will always be applied before VACL’s. PACL will even override a “normal” ACL that is applied to the same interface (for this situation is only one exception, if packets are forewarded in software by the RP. If this is true an ” normal” ACL will take precedence over the PACL). Summarizing the above:

  • PACL for the ingress port
  • VACL for the egress vlan
  • VACL vfor the egress vlan

Below a schematic of this.

*PACL_bridged

It’s fairly easy to configure this, below an example of my lab and how to configure this:

topology

PACL_portconfig

PACL_acl

 

It’s a little different when the traffic is routed. The next is true for routed packets:

  • PACL for the ingress port
  • VACL for the ingress vlan
  • Input Cisco IOS ACL
  • Output Cisco IOS ACL
  • VACL for the egress vlan

Below a schematic of the above:

*PACL_routed

 

PACL can come in handy when you want to deny access of a PC/Server to another PC/Server in the same vlan and you can’t change the vlan of the machines.

 

More information on this topic can be found on the Cisco site (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/port_acls.pdf).
*=I found the used schematics on the Cisco site and borrowed them!

Differences between HP, 3COM and Cisco

Lately I have been working a lot with HP(2610, 2620), 3COM(4500, 5500) and Cisco switches. For a customer I migrated the 3COM cores switch to a Cisco Coreswitch. Before this job I never worked with HP or 3COM before. Although networking principles and protocols are the same for Cisco, HP and 3Com, there are some substantial differences between them.

First of all you have to understand that “trunking” in Cisco language means that you configure a port to transport several vlan’s. In HP/3COM it means bundeling two or more physical interfaces to one logical interface. Bundeling physical ports to become one logical port is called “port-channeling” in Cisco language.  The equivalent of Cisco’s trunking in HP/3COM language is “port tagging”.

When you configure a trunk port on a Cisco switch, you configure the port to allow trunking of several vlan’s. When configuring port-tagging you create a vlan and add ports to the vlan. An example:

Cisco:
Trunk_Cisco

HP:

HP

3COM:

3com_vlan

3com trunk

 

Since HP bought 3COM in 2010, I was clearly dealing with a lot of old stuff. So the 3COM CLI doesn’t exist anymore on modern switches. It’s all HP now. Nevertheless it is possible you encounter 3COM switches in modern networks. Below a table with some handy show command’s for Cisco and the equivalents for HP and 3COM.

commands

Then there is good old spanning-tree. On the internet you read a lot about horror story’s about spanning-tree between Cisco and HP/3COM. After reading about it, I configured “rapid spannig-tree ” (802.1w) on the Cisco core switchs. On the HP and 3COM switches the equivalent of 802.1w was already configured. After replacing the 3COM core switch with the Cisco model, I did not encounter any problems with spanning-tree!

One other thing that catched my attention, is that the HP 2610 and 2620 only host a maximum of 8 vlan’s and 16 static routes.

Off course there are a lot of other differences between Cisco and HP/3COM, but the ones described as above are the most obvious ones.

 

Web Cache Communication Protocol (WCCP)

A customer implemented a transparant Cisco WSA (Ironport) for the redirection of the http and https traffic. WCCP had to be configured on their Cisco 3750 switch with IOS releas 12.2(55)SE9.
First some background info on WCCP:

The Cisco IOS WCCP feature allows utilization of Cisco Cache Engines (or other caches running WCCP) to localize web traffic patterns in the network, enabling content requests to be fulfilled locally. Traffic localization reduces transmission costs and download time.
WCCP enables Cisco IOS routing platforms to transparently redirect content requests. The main benefit of transparent redirection is that users need not configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and have their requests automatically redirected to a cache engine. The word “transparent” is this case means that the end user does not know that a requested file (such as a web page) came from the cache engine instead of from the originally specified server.
When a cache engine receives a request, it attempts to service it from its own local cache. If the requested information is not present, the cache engine issues its own request to the originally targeted server to get the required information. When the cache engine retrieves the requested information, it forwards it to the requesting client and caches it to fulfill future requests, thus maximizing download performance and substantially reducing transmission costs.
WCCP enables a series of cache engines, called a cache engine cluster, to provide content to a router or multiple routers. Network administrators can easily scale their cache engines to handle heavy traffic loads through these clustering capabilities. Cisco clustering technology enables each cache member to work in parallel, resulting in linear scalability. Clustering cache engines greatly improves the scalability, redundancy, and availability of your caching solution. You can cluster up to 32 cache engines to scale to your desired capacity.

I took the above text from the Cisco website, so if you want to read more on the theory behind WCCP check out: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf018.html

To configure WCCP on a Cisco 3750 there are some constraints:

  • Make sure SDM prefer is on an routing image
  • Forwarding can only be L2 (in the WSA this is default GRE or L2, configure it hard on L2 only)
  • Assignement method can only be MASK (in the WSA this is default HASH or MASK, configure it hard on MASK only)
  • Make sure clients and WSA are on different vlan’s
  • Forwarding redirect list can only understand PERMIT statements
  • When usig a dynamic WCCP identifier configure in the WSA the ports that have to be redirected, in this example it has to be 80(http) and 443(https)

Configuration will look like below:
First configure the routed vlan’s
!
vlan 100
name WSA
!
vlan 200
name Clients
!
int vlan 100
ip address 10.10.10.254 255.255.255.0
no shut
!
int vlan 200
ip address 172.18.10.254 255.255.255.0
no shut
!

Then configure the access-lists to “catch” the client traffic that has to be redirected:
!
ip access-list extended 100
permit tcp 172.18.10.0 0.0.0.255 any eq www
permit tcp 172.18.10.0 0.0.0.255 any eq 443
!
I used a numbered ACL, so I can debug it. A named list can’t be debugged! Make the ACL as specific as possible!

Then create an ACL for the redirect-list. This ACL consists of the WSA addresses.
!
access-list 10 permit 10.10.10.1
access-list 10 permit 10.10.10.2
!

The actual WCCP configuration consist out of two command.
A global command:
!
ip wccp 100 redirect-list 10
!

And a command on the client vlan interface:
!
int vlan 200
ip wccp 100 redirect in
!

There isn’t more to it. To check if WCCP is functioning use the “show ip wccp 100 [detail|view]” command.
To check a little deeper, use the “debug ip wccp packets” command. If you see the “WCCP2_HERE_I_AM” and “WCCP2_I_SEE_YOU” packets than the WCCP mechanism is functioning.
Even if WCCP functions it’s possible traffic does not get redirected. This can be due to a dozen of problems. First step is to check if the client traffic is redirect at all. This can be done by using the “debug ip packet detail 100” command. If no traffic hits the ACL, traffic won’t be redirected to the WSA.

VSS on Cisco 4500-X

For a customer I recently configured two Cisco 4500-x switches with VSS (Virtual Switching System). VSS makes two 4500-x switches to function as one logical switch. By configuring VSS on botch switches, there is one active RP (Route Processor) and one hot standby RP. When the active RP fails, the hot standby RP will take over operations without the loss of data.

The VSS switches are connected by an VSL (Virtual Switch Link), which is normally build as an etherchannel. The VSL serves as logical connection that carries critical system control information such as hot-standby supervisor programming, line card status, Distributed Forwarding Card (DFC) card programming, system management, diagnostics, and more. In addition, VSL is also capable of carrying user data traffic when necessary.

By using VSS it’s possible to uplink a switch with two uplinks in an etherchannel.This is called a MEC (Multichassis Etherchannel). Because you connect the uplinks to two switches functioning as one, there is no need for spanning-tree to block one of the links. So instead of two uplinks with one blocked by spanning-tree, there are two active links which makes it possible to use a 2 x 1/10/40Gb etherchannel as uplink.

To prevent both switches from becoming active, there is a mechanism called “Dual active detection” or VSLP (Virtual Switch Link Protocol). Two modes are available, PagP and Fast-hello. In the following configuration example, I’ll give an example of VSS with “Fast-hello” dual active detection.

The picture below depicts the written above:
VSS

Now let’s take a look at the configuration:

First configure the switches seperatly
Switch1
!
conf t
!
switch virtual domain 100
switch 1
switch 1 priority 110
mac-address use-virtual
!
int pox
switchport
swi virtual link 1
no shutdown
!
int range tx/x/x – x
channel-group 101 mode on
no shut
!
switch set switch_num 1 local
switch read switch_num 1 local
!
end
!
wr
!

Switch2
!
conf t
!
switch virtual domain 100
switch 2
switch 2 priority 90
mac-address use-virtual
!
int poxx
switchport
sw virtual link 2
no shutdown
!
int range tx/x/x – x
no switchport nonegotiate
channel-group x mode on
no shutdown
!
end
!
switch set switch_num 2 local
switch read switch_num 2 local
!
wr
!

After this give the following command on both switches to convert them to VSS mode:
!
switch convert mode virtual
!

After rebooting the Fast-hello dual active detection can be configured.
Switch1
!
conf t
!
switch vitrual domain 100
dual-active detection fast-hello
!
int tx/x/x
dual-active fast-hello
no shut
!
end
!
wr
!

Switch2
!

conf t
!
switch virtual domain 100
dual-active detection fast-hello
!
!
int tx/x/x
dual-active fast-hello
no shut
!
end
!
wr
!

Make sure u use an IOS XE version higher than:  cat4500euniversal.SPA.03.04.03.SG.151-2.SG3.bin
The IOS XE version above supports only PagP dual active detection!

To be fully complete in the IOS XE version mentioned earlier is a bug. If you try to configure the Fast Ethernet ports for management, the won’t work. It’s possible to configure a IP address and so one. The “show ip int brie” commando will even say the interface is up, but it’s just not possible to ping the interface.
After an IOS upgrade everthing came to life and functioned as intended.