Wednesday, 30 January 2013

Pointless CCNP Topology Part 2

Welcome back to the second part of this most pointless GNS3 topology. In the previous post we covered lots of ground which should have proven beyond all doubt the pointlessness of the task in hand, and in this post we will continue to drive the nail home. It is however my opinion there are at least one or two items of interest in the second part of Linearnet, such as BGP, PBR, tunnels, 4over6 and the like. Interesting, but still without point.  Let us remind ourselves of the wonderful topology...

What a wonder of science.  However let us proceed where we left off, about hop R10.

R10 - R11 BGP

Although on the face of it this could be just another redistribution - and it is - one small fact made it interesting: by default, only eBGP-learned routes are redistributed from BGP into an IGP, so iBGP-learned routes need "bgp redistribute-internal" (the last line of the config below). This is to prevent routing loops, however in the case of Linearnet, good luck trying. Other than this the config is elementary (you'd think for all this effort I might throw in something tough, eh?)

router bgp 65000
neighbor group1 peer-group
neighbor group1 remote-as 65000
neighbor peer-group group1
address-family ipv4
redistribute eigrp 1
neighbor activate
no auto-summary
bgp redistribute-internal

R11 - R11.5 - R12 Policy-based Routing

At this point I decided to have a break from the seemingly mindless route-redistribution scenarios and do something different in the form of Policy-based Routing. Strictly speaking this was going to make a mockery of the lab title "Linearnet", however I am hoping no-one will notice - it's more of a roundabout than anything else anyway. Quite simply we want all traffic from (Home) passing through router R11 to go via R11.5. This would take a simple access-list, route-map, set-next-hop and apply the ip policy to the incoming interface fa0/0. Like so:

interface FastEthernet0/0
 ip address
 ip policy route-map pbr1

route-map pbr1 permit 10
 match ip address 1
 set ip next-hop

access-list 1 permit

All three routers - R11, R11.5 and R12 - are in the same EIGRP AD, by the way. And here are the relevant traceroutes, one before the policy applied, one after (check out hops 11 and 12 on the latter):

Type escape sequence to abort.
Tracing the route to

  1 28 msec 4 msec 16 msec
  2 24 msec 8 msec 32 msec
  3 24 msec 40 msec 36 msec
  4 64 msec 32 msec 68 msec
  5 52 msec 40 msec 64 msec
  6 40 msec 68 msec 36 msec
  7 44 msec 68 msec 64 msec
  8 64 msec 64 msec 72 msec
  9 64 msec 100 msec 68 msec
 10 88 msec 60 msec 68 msec
 11 160 msec 88 msec 100 msec
 12 72 msec 188 msec 140 msec
 13 116 msec 88 msec 96 msec
 14 104 msec *  160 msec

Type escape sequence to abort.
Tracing the route to

  1 16 msec 40 msec 12 msec
  2 20 msec 28 msec 28 msec
  3 40 msec 28 msec 40 msec
  4 20 msec 84 msec 28 msec
  5 28 msec 56 msec 60 msec
  6 40 msec 60 msec 44 msec
  7 64 msec 64 msec 48 msec
  8 124 msec 84 msec 68 msec
  9 92 msec 72 msec 160 msec
 10 116 msec 76 msec 52 msec
 11 140 msec 88 msec 108 msec
 12 80 msec 68 msec 80 msec
 13 112 msec 112 msec 100 msec
 14 76 msec 92 msec 152 msec
 15 84 msec *  104 msec

The return route from Office to Home does of course take the preferable R12-R11 route, so just a small diversion on Linearnet.

R12 - R13 - R14 IPSec VPN

As we all now know - since I filled in the gap - a routing protocol will not work over an IPSec tunnel. It will however work over a GRE tunnel, and GRE over IPSec of course. So let's have one of those please. The config is as basic as it gets, without the "need" to do any NATing either so no thoughtful access-lists - just one to match the GRE tunnel packets. Here is the config on R14, much the same on R12.

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key linearnet address
crypto ipsec transform-set linearset esp-3des esp-sha-hmac
 mode transport
crypto map 4over6 10 ipsec-isakmp
 set peer
 set transform-set linearset
 match address 150
access-list 150 permit gre host host
interface Tunnel0
 crypto map 4over6

The EIGRP neighbor came up nicely through the ipsec tunnel and routes in the chain continue.
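
The crypto settings above do the job in a lab, but 3DES, SHA-1 HMAC, a dictionary-word pre-shared key and an ISAKMP policy left on its defaults are legacy choices anywhere else. As an added example (not part of the original post), this Python check flags them in an IOS config. The peer placeholder, the assumed classic IOS ISAKMP defaults (DES, SHA-1, DH group 1), the legacy lists and the 20-character key threshold are assumptions made here.

```python
import re

# Constructed sample: the R14 crypto lines from the post, indented as in a
# running-config; the peer address is missing on the page, so a placeholder.
R14_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key linearnet address <peer-address>
crypto ipsec transform-set linearset esp-3des esp-sha-hmac
 mode transport
"""

# Assumption: unset ISAKMP policy fields take the classic IOS defaults.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
# Assumption: values treated here as legacy (DES/3DES, MD5/SHA-1, small DH).
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"},
          "group": {"1", "2", "5"}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
MIN_PSK_LEN = 20  # assumption: illustrative threshold, not a Cisco limit


def audit_crypto(config):
    """Return sorted findings for legacy IKE/IPsec settings in an IOS config."""
    findings, policies, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:  # start of a policy block: begin from the defaults
            current = policies.setdefault(m.group(1), dict(ISAKMP_DEFAULTS))
            continue
        if raw[:1].isspace() and current is not None:
            parts = line.split()  # sub-command such as "encryption aes 256"
            if len(parts) >= 2 and parts[0] in ISAKMP_DEFAULTS:
                current[parts[0]] = parts[1]
            continue
        current = None  # any other top-level line closes the policy block
        m = re.match(r"crypto isakmp key (\S+) address", line)
        if m and len(m.group(1)) < MIN_PSK_LEN:
            findings.append("psk: key is only %d chars" % len(m.group(1)))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            for t in sorted(set(m.group(2).split()) & LEGACY_TRANSFORMS):
                findings.append("transform-set %s: %s" % (m.group(1), t))
    for num, policy in policies.items():
        for field, value in policy.items():
            if value in LEGACY[field]:
                findings.append("isakmp policy %s: %s %s" % (num, field, value))
    return sorted(findings)
```

A policy with "encryption aes 256", "hash sha256" and "group 14", an "esp-aes 256 esp-sha256-hmac" transform-set and a long random key comes back with an empty list.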

R14 - R15 - OFFICE IPv4 over IPv6

Woohoo, it is nearly the end!! I wanted to do a bit of IPv6 to show how easy it is, which we all of course know anyway, right? Hopefully IPv6 will really begin to pick up pace and become available on major ISPs; until that point only a few early-adopters will be using it, and then I would imagine just for the heck of it, not because they need to. In the future as IPv6 becomes the norm I can see plenty of retrograde scenarios where aging networks cling on to IPv4 address-space until the dinosaurs which manage them become extinct (there may of course be other, equally legitimate reasons). Enter the need for IPv4 over IPv6 - the tunnel of the future! Whilst we're all tunneling IPv6 over IPv4 just now, pay attention because this is coming.

Quick description: R14 and OFFICE act as the tunnel endpoints via R15. IPv6 static routes on both these routers point the way (could've used an IGP). The tunnel interfaces have IPv4 addresses, and don't forget the "tunnel mode ipv6" command or it won't work.


! R14
interface Tunnel1
 ip address
 tunnel source 2000:14::14:1
 tunnel destination 2000:15::15:2
 tunnel mode ipv6
interface FastEthernet0/0
 ipv6 address 2000:14::14:1/64
ipv6 route 2000:15::/64 2000:14::14:2

! R15
interface FastEthernet0/0
 ipv6 address 2000:14::14:2/64
interface FastEthernet0/1
 ipv6 address 2000:15::15:1/64

! OFFICE
interface Tunnel1
 ip address
 tunnel source 2000:15::15:2
 tunnel destination 2000:14::14:1
 tunnel mode ipv6
interface FastEthernet0/0
 ipv6 address 2000:15::15:2/64


It is a fairly pointless network, however it has been good practice, and if you learn one small thing each lab, then that is a result - what is the point of labbing things you already know? I have learnt small things about redistribution, tiny things about IPv6...ok so not much else. I've also learnt you can run 15 GNS routers on cloud-hosting with only 2GB RAM, a 2.5GHz processor and a trusty Ubuntu 10.10 installation! Thank you for reading, I hope it has been mildly diverting. And finally, to conclude where it all began, here is the backward traceroute:

Type escape sequence to abort.
Tracing the route to
1 16 msec 28 msec 36 msec
2 48 msec 52 msec 24 msec
3 100 msec 52 msec 20 msec
4 100 msec 52 msec 24 msec
5 68 msec 44 msec 64 msec
6 40 msec 120 msec 56 msec
7 96 msec 56 msec 100 msec
8 56 msec 84 msec 96 msec
9 104 msec 88 msec 124 msec
10 68 msec 116 msec 44 msec
11 148 msec 100 msec 132 msec
12 88 msec 140 msec 96 msec
13 156 msec * 96 msec
