Wednesday, 30 January 2013

Pointless CCNP Topology Part 2

Welcome back to the second part of this most pointless GNS3 topology. In the previous post we covered lots of ground which should have proven beyond all doubt the pointlessness of the task in hand, and in this post we will continue to drive the nail home. It is however my opinion there are at least one or two items of interest in the second part of Linearnet, such as BGP, PBR, tunnels, 4over6 and the like. Interesting, but still without point.  Let us remind ourselves of the wonderful topology...



What a wonder of science.  However let us proceed where we left off, about hop R10.

R10 - R11 BGP


Although on the face of it this could be just another redistribution - and it is - one small fact made it interesting: by default, BGP will only redistribute eBGP-learned routes into an IGP, not iBGP-learned ones. This is to prevent routing loops, however in the case of Linearnet, good luck trying to create one. The "bgp redistribute-internal" command lifts that restriction. Other than this the config is elementary (you'd think for all this effort I might throw in something tough, eh?)

R10
router bgp 65000
neighbor group1 peer-group
neighbor group1 remote-as 65000
neighbor 10.10.10.10 peer-group group1
!
address-family ipv4
redistribute eigrp 1
neighbor 10.10.10.10 activate
no auto-summary
bgp redistribute-internal
exit-address-family

R11 - R11.5 - R12 Policy-based Routing


At this point I decided to have a break from the seemingly mindless route-redistribution scenarios and do something different in the form of Policy-based Routing. Strictly speaking this was going to make a mockery of the lab title "Linearnet", however I am hoping no-one will notice - it's more of a roundabout than anything else anyway. Quite simply we want all traffic from 1.1.1.1 (Home) passing through router R11 to go via R11.5. This would take a simple access-list, route-map, set-next-hop and apply the ip policy to the incoming interface fa0/0. Like so:

R11
interface FastEthernet0/0
 ip address 10.10.10.11 255.255.255.0
 ip policy route-map pbr1

route-map pbr1 permit 10
 match ip address 1
 set ip next-hop 11.11.115.115

access-list 1 permit 1.1.1.1

All three routers - R11, R11.5 and R12 - are in the same EIGRP AD, by the way. And here are the relevant traceroutes, one before the policy was applied, one after (check out hops 11 and 12 on the latter):
Home#trace 14.14.14.15

Type escape sequence to abort.
Tracing the route to 14.14.14.15

  1 1.1.1.2 28 msec 4 msec 16 msec
  2 2.2.2.3 24 msec 8 msec 32 msec
  3 3.3.3.4 24 msec 40 msec 36 msec
  4 4.4.4.5 64 msec 32 msec 68 msec
  5 5.5.5.6 52 msec 40 msec 64 msec
  6 6.6.6.7 40 msec 68 msec 36 msec
  7 7.7.7.8 44 msec 68 msec 64 msec
  8 8.8.8.9 64 msec 64 msec 72 msec
  9 9.9.9.10 64 msec 100 msec 68 msec
 10 10.10.10.11 88 msec 60 msec 68 msec
 11 11.11.11.12 160 msec 88 msec 100 msec
 12 192.168.1.1 72 msec 188 msec 140 msec
 13 192.168.1.1 116 msec 88 msec 96 msec
 14 14.14.14.15 104 msec *  160 msec
Home#trace 14.14.14.15

Type escape sequence to abort.
Tracing the route to 14.14.14.15

  1 1.1.1.2 16 msec 40 msec 12 msec
  2 2.2.2.3 20 msec 28 msec 28 msec
  3 3.3.3.4 40 msec 28 msec 40 msec
  4 4.4.4.5 20 msec 84 msec 28 msec
  5 5.5.5.6 28 msec 56 msec 60 msec
  6 6.6.6.7 40 msec 60 msec 44 msec
  7 7.7.7.8 64 msec 64 msec 48 msec
  8 8.8.8.9 124 msec 84 msec 68 msec
  9 9.9.9.10 92 msec 72 msec 160 msec
 10 10.10.10.11 116 msec 76 msec 52 msec
 11 11.11.115.115 140 msec 88 msec 108 msec
 12 11.115.115.12 80 msec 68 msec 80 msec
 13 192.168.1.1 112 msec 112 msec 100 msec
 14 192.168.1.1 76 msec 92 msec 152 msec
 15 14.14.14.15 84 msec *  104 msec
The return route from Office to Home does of course take the preferable R12-R11 route, so just a small diversion on Linearnet.

R12 - R13 - R14 IPSec VPN


As we all now know - since I filled in the gap - a routing protocol will not work over an IPSec tunnel. It will however work over a GRE tunnel, and GRE over IPSec of course. So let's have one of those please. The config is as basic as it gets, without the "need" to do any NATing either, so no thoughtful access-lists - just one to match the GRE tunnel packets. Here is the config on R14; it is much the same on R12.


R14
crypto isakmp policy 10
authentication pre-share
crypto isakmp key linearnet address 12.12.12.12
!
crypto ipsec transform-set linearset esp-3des esp-sha-hmac
mode transport
!
crypto map 4over6 10 ipsec-isakmp
set peer 12.12.12.12
set transform-set linearset
match address 150
!
access-list 150 permit gre host 192.168.1.1 host 192.168.1.2
!
interface Tunnel0
crypto map 4over6

The EIGRP neighbor came up nicely through the ipsec tunnel and routes in the chain continue.
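
The R14 policy above sets only the authentication method, so in classic IOS the Phase 1 encryption, hash and DH group fall back to the defaults (DES, SHA-1, group 1), and the transform set uses 3DES. A hardened variant follows as an added example, not part of the original lab config. It assumes an IOS 15.x image with SHA-256 and DH group 14 support and that Tunnel0's tunnel destination is 12.12.12.12; the names linearset-aes and linearprofile and the key placeholder are hypothetical.

```cisco
! Added example, not the lab's own config. Assumes an IOS 15.x image.
!
! Phase 1: state every parameter instead of inheriting the defaults.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
! Placeholder key: use a long random string, identical on R12.
! The address must match Tunnel0's tunnel destination (assumed here
! to be 12.12.12.12, the peer used in the lab's crypto map).
crypto isakmp key <LONG-RANDOM-KEY> address 12.12.12.12
!
! Phase 2: AES-256 with a SHA-256 HMAC, still transport mode for GRE.
crypto ipsec transform-set linearset-aes esp-aes 256 esp-sha256-hmac
 mode transport
!
! An IPsec profile replaces the crypto map and access-list 150:
! everything sent out of Tunnel0 is protected, so no matching ACL
! is needed and nothing can slip past it in clear text.
crypto ipsec profile linearprofile
 set transform-set linearset-aes
 set pfs group14
!
interface Tunnel0
 ! tunnel source and destination stay as they are in the lab
 no crypto map 4over6
 tunnel protection ipsec profile linearprofile
```

The same policy, transform set and profile go on R12 with the peer address reversed; a mismatch in any Phase 1 or Phase 2 parameter stops the tunnel from negotiating.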

R14 - R15 - OFFICE IPv4 over IPv6


Woohoo, it is nearly the end!! I wanted to do a bit of IPv6 to show how easy it is, which we all of course know anyway, right? Hopefully IPv6 will really begin to pick up pace and become available on major ISPs; until that point only a few early adopters will be using it, and then I would imagine just for the heck of it, not because they need to. In the future, as IPv6 becomes the norm, I can see plenty of retrograde scenarios where aging networks cling on to IPv4 address space until the dinosaurs which manage them become extinct (there may of course be other, equally legitimate reasons). Enter the need for IPv4 over IPv6 - the tunnel of the future! Whilst we're all tunneling IPv6 over IPv4 just now, pay attention because this is coming.

Quick description: R14 and OFFICE act as the tunnel endpoints via R15. IPv6 static routes on both these routers point the way (could've used an IGP). The tunnel interfaces have IPv4 addresses, and don't forget the "tunnel mode ipv6" command or it won't work.

R14

interface Tunnel1
ip address 14.14.14.14 255.255.255.0
tunnel source 2000:14::14:1
tunnel destination 2000:15::15:2
tunnel mode ipv6
!
interface FastEthernet0/0
ipv6 address 2000:14::14:1/64
!
ipv6 route 2000:15::/64 2000:14::14:2


R15
interface FastEthernet0/0
ipv6 address 2000:14::14:2/64
!
interface FastEthernet0/1
ipv6 address 2000:15::15:1/64

OFFICE
interface Tunnel1
ip address 14.14.14.15 255.255.255.0
tunnel source 2000:15::15:2
tunnel destination 2000:14::14:1
tunnel mode ipv6
!
interface FastEthernet0/0
ipv6 address 2000:15::15:2/64
!
ipv6 route 2000:14::/64 2000:15::15:1

Conclusion


It is a fairly pointless network, however it has been good practice, and if you learn one small thing each lab, then that is a result - what is the point of labbing things you already know? I have learnt small things about redistribution, tiny things about IPv6...ok so not much else. I've also learnt you can run 15 GNS routers on cloud-hosting with only 2Gb RAM, a 2.5Ghz processor and a trusty Ubuntu 10.10 installation! Thank you for reading, I hope it has been mildly diverting. And finally, to conclude where it all began, here is the backward traceroute:

OFFICE#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
1 14.14.14.14 16 msec 28 msec 36 msec
2 192.168.1.2 48 msec 52 msec 24 msec
3 11.11.11.11 100 msec 52 msec 20 msec
4 10.10.10.10 100 msec 52 msec 24 msec
5 9.9.9.9 68 msec 44 msec 64 msec
6 8.8.8.8 40 msec 120 msec 56 msec
7 7.7.7.7 96 msec 56 msec 100 msec
8 6.6.6.6 56 msec 84 msec 96 msec
9 5.5.5.5 104 msec 88 msec 124 msec
10 4.4.4.4 68 msec 116 msec 44 msec
11 3.3.3.3 148 msec 100 msec 132 msec
12 2.2.2.2 88 msec 140 msec 96 msec
13 1.1.1.1 156 msec * 96 msec
