Saturday, June 30, 2012

OSPF Super Backbone


Here is the lab:

As for the roles of the routers:
R1, R2 and R3 are all PE routers
R4 is the P router
R5, R6, R7 and R8 are all CE routers

Between the PE routers and the P router I have configured OSPF as the IGP, MPLS using LDP, and BGP in AS 65001, with R4 acting as the route reflector for this AS.

Each PE is configured with VRF RED and runs OSPF process 100 in this VRF, advertising the directly connected networks and redistributing BGP AS 65001.

Config snippet:
router ospf 100 vrf RED
 log-adjacency-changes
 redistribute bgp 65001 subnets
 network 10.1.26.2 0.0.0.0 area 0
 network 10.1.27.2 0.0.0.0 area 0
!
router bgp 65001
 address-family ipv4 vrf RED
  redistribute connected
  redistribute static
  redistribute ospf 100 vrf RED
  no synchronization
  bgp redistribute-internal
 exit-address-family

R5, R6 and R8 advertise their Loopback 1 interface into OSPF, while R7 redistributes Lo1 as connected. R8 also advertises a default route (default-information originate).

Looking at R5 route table:

R5#sh ip route                     
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.60.0/32 is subnetted, 1 subnets
O IA    192.168.60.1 [110/3] via 10.1.15.1, 00:16:03, FastEthernet0/0
     192.168.80.0/32 is subnetted, 1 subnets
O IA    192.168.80.1 [110/3] via 10.1.15.1, 00:15:48, FastEthernet0/0
     10.0.0.0/24 is subnetted, 4 subnets
C       10.1.15.0 is directly connected, FastEthernet0/0
O IA    10.1.27.0 [110/2] via 10.1.15.1, 00:16:06, FastEthernet0/0
O IA    10.1.26.0 [110/2] via 10.1.15.1, 00:16:06, FastEthernet0/0
O IA    10.1.38.0 [110/2] via 10.1.15.1, 00:16:06, FastEthernet0/0
C    192.168.50.0/24 is directly connected, Loopback1

As we can see, R5 learns only the directly connected networks of R6, R7 and R8 and Lo1 of R6 and R8, all as IA routes, which means inter-area (LSA type 3). No default route and no external routes are learned.

Looking at the routing table of R2, which is the PE for R7:

R2#sh ip route vrf RED ospf

Routing Table: RED

     192.168.60.0/32 is subnetted, 1 subnets
O       192.168.60.1 [110/2] via 10.1.26.6, 00:19:25, FastEthernet1/1
O E2 192.168.70.0/24 [110/20] via 10.1.27.7, 00:19:15, FastEthernet2/0

We can see that R2 learns network 192.168.70.0/24 as OSPF E2. Looking at the R1 routing table:

R1#sh ip route vrf RED

Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.60.0/32 is subnetted, 1 subnets
B       192.168.60.1 [200/2] via 2.2.2.2, 00:18:57
     192.168.80.0/32 is subnetted, 1 subnets
B       192.168.80.1 [200/2] via 3.3.3.3, 00:18:42
     10.0.0.0/24 is subnetted, 4 subnets
C       10.1.15.0 is directly connected, FastEthernet1/1
B       10.1.27.0 [200/0] via 2.2.2.2, 00:33:27
B       10.1.26.0 [200/0] via 2.2.2.2, 00:33:27
B       10.1.38.0 [200/0] via 3.3.3.3, 00:34:12
     192.168.50.0/32 is subnetted, 1 subnets
O       192.168.50.1 [110/2] via 10.1.15.5, 00:18:50, FastEthernet1/1

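No network 192.168.70.0/24! So it must be something in the MP-BGP…

When OSPF is redistributed into BGP, only internal (intra-area and inter-area) routes are taken by default, so external type 2 routes have to be matched explicitly. I have configured the following on R2:

router bgp 65001
 address-family ipv4 vrf RED
  redistribute ospf 100 vrf RED match external 2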

Now looking again on R1 routing table:

R1#sh ip route vrf RED     

Routing Table: RED
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.60.0/32 is subnetted, 1 subnets
B       192.168.60.1 [200/2] via 2.2.2.2, 00:23:39
     192.168.80.0/32 is subnetted, 1 subnets
B       192.168.80.1 [200/2] via 3.3.3.3, 00:23:24
     10.0.0.0/24 is subnetted, 4 subnets
C       10.1.15.0 is directly connected, FastEthernet1/1
B       10.1.27.0 [200/0] via 2.2.2.2, 00:38:09
B       10.1.26.0 [200/0] via 2.2.2.2, 00:38:09
B       10.1.38.0 [200/0] via 3.3.3.3, 00:38:54
     192.168.50.0/32 is subnetted, 1 subnets
O       192.168.50.1 [110/2] via 10.1.15.5, 00:00:03, FastEthernet1/1
B    192.168.70.0/24 [200/20] via 2.2.2.2, 00:00:24

Now R1 learns network 192.168.70.0/24 as a BGP route and advertises it to R5:

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.60.0/32 is subnetted, 1 subnets
O IA    192.168.60.1 [110/3] via 10.1.15.1, 00:02:33, FastEthernet0/0
     192.168.80.0/32 is subnetted, 1 subnets
O IA    192.168.80.1 [110/3] via 10.1.15.1, 00:02:33, FastEthernet0/0
     10.0.0.0/24 is subnetted, 4 subnets
C       10.1.15.0 is directly connected, FastEthernet0/0
O IA    10.1.27.0 [110/2] via 10.1.15.1, 00:02:33, FastEthernet0/0
O IA    10.1.26.0 [110/2] via 10.1.15.1, 00:02:33, FastEthernet0/0
O IA    10.1.38.0 [110/2] via 10.1.15.1, 00:02:34, FastEthernet0/0
C    192.168.50.0/24 is directly connected, Loopback1
O E2 192.168.70.0/24 [110/20] via 10.1.15.1, 00:02:34, FastEthernet0/0

R5 in turn learns this network as an external route.

The major problem left is that all CE routers should learn their neighbors' loopbacks as intra-area (LSA type 1) networks and not as inter-area (LSA type 3) networks. To fix this we need to connect and “join” area 0 across all the PE routers, and to accomplish that we need to use a sham-link.

The sham-link is configured on the PE routers, because their backbone, the MP-BGP, is the root cause of this behavior. To configure a sham-link we need to configure a separate /32 address on the remote PE so that OSPF packets can be sent over the VPN backbone to the remote end of the sham-link. The /32 address must meet the following criteria:
- Belong to a VRF.
- Not be advertised by OSPF.
- Be advertised by BGP.
You can use the /32 address for other sham-links. You also need to associate the sham-link with an existing OSPF area.


So I configured on R1:

interface Loopback1
 ip vrf forwarding RED
 ip address 10.10.10.10 255.255.255.255
!
router ospf 100 vrf RED
 area 0 sham-link 10.10.10.10 30.30.30.30

On R3:

interface Loopback1
 ip vrf forwarding RED
 ip address 30.30.30.30 255.255.255.255
!
router ospf 100 vrf RED
 area 0 sham-link 30.30.30.30 10.10.10.10
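
The /32 criteria listed above can be checked against a PE configuration before the sham-link is brought up. This Python check is an added example, not part of the original post; the R1 configuration is assembled from the snippets on this page, and R1's OSPF network statement (10.1.15.1) is an assumption.

```python
import ipaddress
import re

# Constructed R1 config: the sham-link snippet above plus the VRF RED BGP stanza
# from earlier on the page; R1's OSPF network statement is an assumption.
R1_CONFIG = """\
interface Loopback1
 ip vrf forwarding RED
 ip address 10.10.10.10 255.255.255.255
!
router ospf 100 vrf RED
 network 10.1.15.1 0.0.0.0 area 0
 area 0 sham-link 10.10.10.10 30.30.30.30
!
router bgp 65001
 address-family ipv4 vrf RED
  redistribute connected
  redistribute ospf 100 vrf RED
 exit-address-family
"""

def covered(addr, net, wildcard):
    """True if OSPF 'network <net> <wildcard>' matches addr (wildcard bits are ignored)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def check_sham_link(cfg, vrf="RED"):
    """Return which of the /32 endpoint criteria the sham-link source violates."""
    ospf = re.search(rf"^router ospf \d+ vrf {vrf}\n((?: .*\n)+)", cfg, re.M).group(1)
    src = re.search(r"sham-link (\S+) \S+", ospf).group(1)
    problems = []
    ifaces = re.findall(r"^interface \S+\n((?: .*\n)+)", cfg, re.M)
    if not any(f"ip address {src} 255.255.255.255" in i
               and f"ip vrf forwarding {vrf}" in i for i in ifaces):
        problems.append("not a /32 interface address in the VRF")
    if any(covered(src, n, w) for n, w in re.findall(r"network (\S+) (\S+) area", ospf)):
        problems.append("advertised by OSPF")
    # Approximation: 'redistribute connected' or an explicit network statement counts.
    af = re.search(rf"^ address-family ipv4 vrf {vrf}\n((?:  .*\n)+)", cfg, re.M)
    adv = rf"redistribute connected|network {re.escape(src)} mask 255\.255\.255\.255"
    if not af or not re.search(adv, af.group(1)):
        problems.append("not advertised by BGP")
    return problems

if __name__ == "__main__":
    print(check_sham_link(R1_CONFIG))
```

The OSPF test only looks at network statements, so a broad statement such as 10.0.0.0 0.255.255.255 that swallows the loopback is reported, while route-maps and other redistribution paths are not evaluated.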

R5 routing table before the sham-link:

R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.60.0/32 is subnetted, 1 subnets
O IA    192.168.60.1 [110/3] via 10.1.15.1, 00:00:03, FastEthernet0/0
     192.168.80.0/32 is subnetted, 1 subnets
O IA    192.168.80.1 [110/3] via 10.1.15.1, 00:00:03, FastEthernet0/0
     10.0.0.0/24 is subnetted, 4 subnets
C       10.1.15.0 is directly connected, FastEthernet0/0
O IA    10.1.27.0 [110/2] via 10.1.15.1, 01:01:49, FastEthernet0/0
O IA    10.1.26.0 [110/2] via 10.1.15.1, 01:01:49, FastEthernet0/0
O IA    10.1.38.0 [110/2] via 10.1.15.1, 01:01:51, FastEthernet0/0
C    192.168.50.0/24 is directly connected, Loopback1

R5 after the sham-link has been configured:
R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.15.1 to network 0.0.0.0

     192.168.60.0/32 is subnetted, 1 subnets
O IA    192.168.60.1 [110/3] via 10.1.15.1, 00:00:05, FastEthernet0/0
     192.168.80.0/32 is subnetted, 1 subnets
O       192.168.80.1 [110/4] via 10.1.15.1, 00:00:05, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O E2    10.10.10.10/32 [110/1] via 10.1.15.1, 00:00:05, FastEthernet0/0
C       10.1.15.0/24 is directly connected, FastEthernet0/0
O IA    10.1.27.0/24 [110/2] via 10.1.15.1, 00:00:05, FastEthernet0/0
O IA    10.1.26.0/24 [110/2] via 10.1.15.1, 00:00:07, FastEthernet0/0
O       10.1.38.0/24 [110/3] via 10.1.15.1, 00:00:07, FastEthernet0/0
C    192.168.50.0/24 is directly connected, Loopback1
O E2 192.168.70.0/24 [110/20] via 10.1.15.1, 00:00:07, FastEthernet0/0
     30.0.0.0/32 is subnetted, 1 subnets
O E2    30.30.30.30 [110/1] via 10.1.15.1, 00:00:07, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.1.15.1, 00:00:07, FastEthernet0/0

We can see that the networks 10.1.38.0/24 and 192.168.80.0/24 are now marked with O and not with O IA, and we got a default route which points to R1 and leads to R8.
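
To confirm what the sham-link changed, the two R5 captures can be compared by route code. The following Python is an added example, not part of the original post; it parses the sh ip route lines above (child routes without a mask inherit the length from their parent line) and reports which prefixes moved from O IA to O and which are still inter-area.

```python
import re

# OSPF lines and their parent lines, abridged from the two R5 captures above.
BEFORE = """\
     192.168.60.0/32 is subnetted, 1 subnets
O IA    192.168.60.1 [110/3] via 10.1.15.1, 00:00:03, FastEthernet0/0
     192.168.80.0/32 is subnetted, 1 subnets
O IA    192.168.80.1 [110/3] via 10.1.15.1, 00:00:03, FastEthernet0/0
     10.0.0.0/24 is subnetted, 4 subnets
O IA    10.1.27.0 [110/2] via 10.1.15.1, 01:01:49, FastEthernet0/0
O IA    10.1.26.0 [110/2] via 10.1.15.1, 01:01:49, FastEthernet0/0
O IA    10.1.38.0 [110/2] via 10.1.15.1, 01:01:51, FastEthernet0/0
"""
AFTER = """\
     192.168.60.0/32 is subnetted, 1 subnets
O IA    192.168.60.1 [110/3] via 10.1.15.1, 00:00:05, FastEthernet0/0
     192.168.80.0/32 is subnetted, 1 subnets
O       192.168.80.1 [110/4] via 10.1.15.1, 00:00:05, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O IA    10.1.27.0/24 [110/2] via 10.1.15.1, 00:00:05, FastEthernet0/0
O IA    10.1.26.0/24 [110/2] via 10.1.15.1, 00:00:07, FastEthernet0/0
O       10.1.38.0/24 [110/3] via 10.1.15.1, 00:00:07, FastEthernet0/0
     30.0.0.0/32 is subnetted, 1 subnets
O E2    30.30.30.30 [110/1] via 10.1.15.1, 00:00:07, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.1.15.1, 00:00:07, FastEthernet0/0
"""

PARENT = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
ROUTE = re.compile(r"^(\S[\S ]{0,4}?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+(?:\[\d+/\d+\]|is directly connected)")

def parse_routes(text):
    """Map prefix/len -> route code; maskless children inherit the parent length."""
    routes, parent_len = {}, None
    for line in text.splitlines():
        if m := PARENT.match(line):
            parent_len = m.group(1)
        elif m := ROUTE.match(line):
            code = " ".join(m.group(1).replace("*", " ").split())
            routes[f"{m.group(2)}/{m.group(3) or parent_len}"] = code
    return routes

def compare(before, after):
    """Return (prefixes promoted from O IA to O, prefixes still O IA)."""
    old, new = parse_routes(before), parse_routes(after)
    promoted = sorted(p for p, c in new.items() if c == "O" and old.get(p) == "O IA")
    return promoted, sorted(p for p, c in new.items() if c == "O IA")

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```

The prefixes still reported as O IA are the ones behind R2, which has no sham-link at this point in the lab.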

Configure sham-links on R2:

interface Loopback1
 ip vrf forwarding RED
 ip address 20.20.20.20 255.255.255.255
!
router ospf 100 vrf RED
 area 0 sham-link 20.20.20.20 30.30.30.30
 area 0 sham-link 20.20.20.20 10.10.10.10

After configuring R1 and R3 accordingly, we get a full-mesh OSPF area 0: the sham-links have helped us create an OSPF super backbone over the MPLS backbone.



Monday, June 25, 2012

How to mark DSCP on Check Point R7x

The following post shows how to mark IP packets with DSCP on the Check Point R7x platform (in my case SPLAT R75.4). DSCP marking allows us to use PHB QoS and to apply congestion avoidance.

1. Create a Class of Service under Manage (A) -> QoS (B) -> QoS Classes (C)
2. In the window that opens, press New… and choose DiffServ Class of Service
3. Type in a desired name for the class of service, enter a comment and choose a color, then select the type of the service
4. Click Close to close the window
5. Click the QoS tab (A), then right-click Default (B) and choose Add Class of Service -> Above (C)
6. Choose the Class of Service we have just created at step 3
7. Right-click the new Class of Service (A) and choose Add Rule Below (B)
8. Give the rule a name
9. Create rules like any other firewall rules
10. Install the policy

Saturday, June 23, 2012

IPv4 over IPv6


Another LAB:

Note that R4 is not relevant for this post and will be used later on.

R2, R3 and R5 are all configured with IPv6 addresses and run EIGRP AS 100.
The basic IPv6 EIGRP configuration on each router is basically the same apart from the IPv6 addresses:
R2:
ipv6 unicast-routing
!
int s2/0
 ipv6 address 2001:23::2/112
 ipv6 eigrp 100
!
ipv6 router eigrp 100
 eigrp router-id 2.2.2.2
 no shutdown
!

Be careful not to forget the no shutdown under the IPv6 EIGRP process; otherwise the EIGRP process will not run, and the message % EIGRP 100 is in SHUTDOWN will be shown when you try to see the neighbors.

R2 and R1 are directly connected over IPv4 and run OSPF (v2). R2 advertises a default route (default-information originate always) to R1, and it is pretty much the same for R5 and R6.
Now my goal is to connect R1 and R6 so that they share the same routing information, using OSPF as the routing protocol.

I have configured a tunnel from R2 to R5 that uses IPv6 addresses as the tunnel source and destination and IPv4 for the inner addresses of the tunnel.
R2:
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 tunnel source 2001:23::2
 tunnel destination 2001:35::5
 tunnel mode gre ipv6

R5:
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source 2001:35::5
 tunnel destination 2001:23::2
 tunnel mode gre ipv6
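
Both ends of the tunnel have to mirror each other for it to pass traffic. The following Python is an added example, not part of the original post: it compares the two Tunnel0 stanzas above and reports mismatched endpoints, modes or inner addressing, assuming tunnel source is given as an address, as it is here.

```python
import ipaddress
import re

# Tunnel0 stanzas copied from the R2 and R5 snippets above.
R2_TUNNEL = """\
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 tunnel source 2001:23::2
 tunnel destination 2001:35::5
 tunnel mode gre ipv6
"""
R5_TUNNEL = """\
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source 2001:35::5
 tunnel destination 2001:23::2
 tunnel mode gre ipv6
"""

def parse_tunnel(stanza):
    """Return inner IPv4 interface, outer endpoints and mode of one stanza.
    Assumes 'tunnel source' is an address, as on this page, not an interface name."""
    def field(keyword):
        return re.search(rf"^ {keyword} (.+)$", stanza, re.M).group(1).strip()
    addr, mask = field("ip address").split()
    return {"inner": ipaddress.ip_interface(f"{addr}/{mask}"),
            "src": ipaddress.ip_address(field("tunnel source")),
            "dst": ipaddress.ip_address(field("tunnel destination")),
            "mode": field("tunnel mode")}

def tunnel_mismatches(cfg_a, cfg_b):
    """List the ways two tunnel ends disagree; an empty list means they pair up."""
    a, b = parse_tunnel(cfg_a), parse_tunnel(cfg_b)
    problems = []
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("source/destination not mirrored")
    if a["mode"] != b["mode"]:
        problems.append("tunnel modes differ")
    if any(t["mode"] == "gre ipv6" and {t["src"].version, t["dst"].version} != {6} for t in (a, b)):
        problems.append("gre ipv6 mode with non-IPv6 endpoint")
    if a["inner"].network != b["inner"].network or a["inner"].ip == b["inner"].ip:
        problems.append("inner IPv4 addresses are not two hosts in one subnet")
    return problems

if __name__ == "__main__":
    print(tunnel_mismatches(R2_TUNNEL, R5_TUNNEL))
```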

This tunnel allowed me to run OSPF between R1 and R6:
R1#sh ip route ospf
     10.0.0.0/24 is subnetted, 2 subnets
O       10.1.45.0 [110/1002] via 10.1.12.2, 00:09:38, FastEthernet0/0
     192.168.1.0/30 is subnetted, 1 subnets
O       192.168.1.0 [110/1001] via 10.1.12.2, 00:09:38, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.1.12.2, 00:09:38, FastEthernet0/0