Wednesday, February 6, 2013

Designing best and next best path for a network within OSPF area



This is an example of choosing the best path from R1 to the network 100.100.100.1/32 (Loopback Lo1 on R4).

Note: Within an area the LSDB (topology table) stays synchronized and identical on every router, so it cannot be manipulated. A distribute-list can, however, be applied while routes are installed from the topology table into the routing table (RIB).

 

By default the cost to reach Lo1 100.100.100.1 on R4 from R1 is 64+1+1 (serial link, FastEthernet link, loopback).
R1 therefore has two equal-cost best paths: R1->R2->R4->Lo1 and R1->R3->R4->Lo1.
Objective:
To reach Lo1 on R4 we want either a single path, or both paths with one of them being best and the second one taking over should the primary fail.



R1(config-router)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/30 is subnetted, 1 subnets
O       1.1.1.0 [110/65] via 2.2.2.2, 00:02:59, Serial0/0
     2.0.0.0/30 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Serial0/0
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.1 [110/66] via 2.2.2.2, 00:02:59, Serial0/0    //**two best paths
                                [110/66] via 3.3.3.2, 00:02:59, Serial0/1
     3.0.0.0/30 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Serial0/1
     101.0.0.0/32 is subnetted, 1 subnets
O       101.101.101.1 [110/66] via 2.2.2.2, 00:03:00, Serial0/0
                                 [110/66] via 3.3.3.2, 00:03:00, Serial0/1
     4.0.0.0/30 is subnetted, 1 subnets
O       4.4.4.0 [110/65] via 3.3.3.2, 00:03:03, Serial0/1


To make R1->R2->R4->Lo1 the best path we will use the distribute-list ... gateway command under the OSPF process.

On R1:
interface Serial0/0
 ip address 2.2.2.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/1
 ip address 3.3.3.1 255.255.255.252
 clock rate 2000000
!

//** with the prefix list applied by the distribute-list below, the Lo1 route 100.100.100.1 learned through S0/1 of R1 is no longer allowed into the RIB.

router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
 distribute-list prefix FILTER_PREFIX gateway DENY1 in Serial0/1
!
ip prefix-list DENY1 seq 5 permit 3.3.3.2/32
!
ip prefix-list FILTER_PREFIX seq 5 deny 100.100.100.1/32
ip prefix-list FILTER_PREFIX seq 7 permit 101.101.101.1/32
!

But the above has a disadvantage: if the primary path fails at any stage, the backup through S0/1 on R1 will still filter the Lo1 route from being installed, so Lo1 remains unreachable.

Second option:

I have not yet discovered any way to change the cost when R1 learns about Lo1 from R4. I tried multiple ways to change the metric via a route-map, and also tried tagging the route at R3 and then modifying the metric value on R1 via route-map set metric +/-, but the output was no better.

One more option just worked out. Within an area, changing the AD is the neatest way to influence which path becomes best. But modifying the AD on R1 with the distance command changes the AD of every route learned from that source:
R1(config-router)#distance 109 2.2.2.1 0.0.0.0   //* changes the AD globally for one source

We can instead manipulate the AD when a route traverses from one OSPF process to another, and that works out.

On R3:

interface FastEthernet0/0
 ip address 4.4.4.1 255.255.255.252
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 3.3.3.2 255.255.255.252
 clock rate 2000000
!
router ospf 1
 log-adjacency-changes
 redistribute ospf 2 subnets tag 51          //** tagging is done for reference to check on R1
 network 3.3.3.0 0.0.0.3 area 0
!
router ospf 2
 log-adjacency-changes
 redistribute ospf 1
 network 4.4.4.0 0.0.0.3 area 0
!
R3 runs OSPF process 1 on the 3.3.3.0 link to R1 and OSPF process 2 on the 4.4.4.0 link to R4. Separate processes do not share routes with each other, so we redistribute them into one another.

Note: Redistribution of subnets is a common cause of loops in OSPF, because it breaks the end-to-end visibility of the OSPF domain. Perform it carefully.
 
At this point R1 sees the route for Lo1 100.100.100.1 from R3 as an external route, since it moved from OSPF process 2 to OSPF process 1 on R3 (ignore R2 for now).

OSPF path preference is intra-area first, then inter-area, then external routes.

Add the command below on R1:

router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
 distance ospf external 111    //** change the AD of external routes (learned via OSPF process 2 on R3) to 111

Now, under normal conditions, R1->R2->R4->Lo1 is an intra-area route with AD 110; if it fails, R1->R3->R4->Lo1, which crosses the two OSPF processes on R3, takes over with AD 111.

This way R1 has two paths to reach Lo1, ordered by manipulating their AD values within a single OSPF area.
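As an added illustration (my own Python, not from the post and not IOS code), the script below models R1's route selection for the two options described above: the distribute-list filter of option 1 and the AD-based preference of option 2, using the AD/metric values from the post's show ip route outputs. The distribute-list semantics are a simplifying assumption (a route learned through the interface is kept only if the gateway list permits its next hop and the prefix list permits its prefix); because a prefix-list ends in an implicit deny, in this model every other prefix learned through Serial0/1 is dropped as well. The failure case shows why option 1 blackholes Lo1 when the primary goes down while option 2 falls back to the [111/2] external path.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    """One OSPF candidate for a destination, as R1 would see it (values constructed from the post)."""
    prefix: str
    next_hop: str
    iface: str
    kind: str       # "intra", "inter" or "external"
    metric: int
    ad: int = 110   # administrative distance the route would be installed with


# OSPF prefers intra-area over inter-area over external paths before it looks at the metric.
KIND_RANK = {"intra": 0, "inter": 1, "external": 2}

# The post's prefix lists as (seq, action, prefix); exact-length match, implicit deny at the end.
FILTER_PREFIX = [(5, "deny", "100.100.100.1/32"), (7, "permit", "101.101.101.1/32")]
DENY1 = [(5, "permit", "3.3.3.2/32")]
LO1 = "100.100.100.1/32"


def prefix_list_permits(entries, prefix):
    """First matching sequence decides; a prefix that matches no entry is denied."""
    for _seq, action, net in sorted(entries):
        if ip_network(prefix) == ip_network(net):
            return action == "permit"
    return False


def apply_distribute_list(routes, filter_pl, gateway_pl, iface):
    """Model of `distribute-list prefix FILTER gateway GW in <iface>` (assumption: a route learned
    through <iface> is installed only if GW permits its next hop AND FILTER permits its prefix)."""
    kept = []
    for r in routes:
        filtered = r.iface == iface and not (
            prefix_list_permits(gateway_pl, r.next_hop + "/32")
            and prefix_list_permits(filter_pl, r.prefix))
        if not filtered:
            kept.append(r)
    return kept


def _rank(r):
    return (r.ad, KIND_RANK[r.kind], r.metric)


def best_paths(routes):
    """RIB selection: lowest AD, then best OSPF path type, then lowest metric; ties are equal-cost paths."""
    if not routes:
        return []
    best = min(_rank(r) for r in routes)
    return [(r.next_hop, r.ad, r.metric) for r in routes if _rank(r) == best]


def with_distribute_list(primary_up):
    """Option 1: both paths are intra-area [110/66]; the one via Serial0/1 is filtered from the RIB."""
    routes = [Route(LO1, "3.3.3.2", "Serial0/1", "intra", 66)]
    if primary_up:
        routes.append(Route(LO1, "2.2.2.2", "Serial0/0", "intra", 66))
    return best_paths(apply_distribute_list(routes, FILTER_PREFIX, DENY1, "Serial0/1"))


def with_external_distance(primary_up):
    """Option 2: the R3 path arrives as O E2 [111/2] because of `distance ospf external 111`."""
    routes = [Route(LO1, "3.3.3.2", "Serial0/1", "external", 2, ad=111)]
    if primary_up:
        routes.append(Route(LO1, "2.2.2.2", "Serial0/0", "intra", 66))
    return best_paths(routes)


if __name__ == "__main__":
    for name, fn in (("distribute-list", with_distribute_list),
                     ("distance ospf external", with_external_distance)):
        print(f"{name}: primary up -> {fn(True)}, primary down -> {fn(False)}")
```

Running it prints one line per option; the empty list for the distribute-list case with the primary down is the dead Lo1 the post warns about.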

Let's check on R1:

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/30 is subnetted, 1 subnets
O       1.1.1.0 [110/65] via 2.2.2.2, 00:35:09, Serial0/0
     2.0.0.0/30 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Serial0/0
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.1 [110/66] via 2.2.2.2, 00:35:09, Serial0/0   //**Intra-area path preferred
     3.0.0.0/30 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Serial0/1
     101.0.0.0/32 is subnetted, 1 subnets
O       101.101.101.1 [110/66] via 2.2.2.2, 00:35:09, Serial0/0
     4.0.0.0/30 is subnetted, 1 subnets
O       4.4.4.0 [110/66] via 2.2.2.2, 00:35:10, Serial0/0


Now I will shut down f0/0 on R4:


Let's see now whether R1 has a next-best path to reach Lo1 100.100.100.1:

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/30 is subnetted, 1 subnets
O       1.1.1.0 [110/65] via 2.2.2.2, 00:00:16, Serial0/0
     2.0.0.0/30 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Serial0/0
     3.0.0.0/30 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Serial0/1
     100.0.0.0/32 is subnetted, 1 subnets
O E2    100.100.100.1 [111/2] via 3.3.3.2, 00:00:14, Serial0/1    //** external path is active now
     101.0.0.0/32 is subnetted, 1 subnets
O E2    101.101.101.1 [111/2] via 3.3.3.2, 00:00:14, Serial0/1
     4.0.0.0/30 is subnetted, 1 subnets
O E2    4.4.4.0 [111/1] via 3.3.3.2, 00:00:16, Serial0/1

Cheers!


Sunday, February 3, 2013

IPsec within IPsec: Double tunnel site to site

The example below forms a site-to-site IPsec tunnel between R1 and R2.
Once that is up, a second tunnel is formed between R4 and R3.

R1 and R2 encrypt the traffic between the internal LANs, represented by R4's 2.2.2.0 subnet and R3's 3.3.3.0 subnet.
Since the R4-to-R3 tunnel runs between those subnets, it is itself carried encrypted inside the R1-R2 tunnel.


R1 Config:
crypto logging session
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 lifetime 300
crypto isakmp key CHAMP address 1.1.1.2 255.255.255.0
!
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto mib ipsec flowmib history failure size 100
!
crypto map mapme 1 ipsec-isakmp
 description tunnel2
 set peer 1.1.1.2
 set security-association replay window-size 1024
 set transform-set TS
 match address 101
 qos pre-classify
!
!
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map mapme
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 3.3.3.0 255.255.255.0 1.1.1.2
ip route 200.200.200.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255


R2 Config:

crypto logging session
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 lifetime 300
crypto isakmp key CHAMP address 1.1.1.1 255.255.255.0
!
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto mib ipsec flowmib history failure size 100
!
crypto map mapme 1 ipsec-isakmp
 description tunnel2
 set peer 1.1.1.1
 set security-association replay window-size 1024
 set transform-set TS
 match address 101
 qos pre-classify
!
!
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mapme
!
interface FastEthernet0/1
 ip address 3.3.3.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 2.2.2.0 255.255.255.0 FastEthernet0/0
ip route 200.200.200.0 255.255.255.0 FastEthernet0/1
!
no ip http secure-server
!
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!

R3 Config:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key CHAMEY address 2.2.2.1 255.255.255.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map mapme 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set TS
 match address 101
!
!
!
interface Loopback1
 ip address 200.200.200.200 255.255.255.0
!
interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mapme
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip http server
no ip http secure-server
!
access-list 101 permit ip host 200.200.200.200 192.168.1.0 0.0.0.255

R4 Config:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key CHAMEY address 3.3.3.2 255.255.255.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map mapme 1 ipsec-isakmp
 set peer 3.3.3.2
 set transform-set TS
 match address 101
!
!
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map mapme
!
interface FastEthernet0/1             //* F0/1 connects to the cloud, which connects to my LAN adapter
 ip address 192.168.1.35 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 1.1.1.0 255.255.255.0 FastEthernet0/0
ip route 3.3.3.0 255.255.255.0 FastEthernet0/0
ip route 200.200.200.0 255.255.255.0 FastEthernet0/0

!
ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 200.200.200.200
!
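As an added example (my own Python, not configuration or code from the post), the script below parses constructed excerpts of the four configs above and runs the checks one would do before trusting a nested tunnel: that each pair's crypto ACLs are mirror images, that ISAKMP algorithms, transform set and peer/local addresses agree on both ends, that the inner tunnel's endpoints (2.2.2.1 to 3.3.3.2) fall inside the outer crypto ACL so the inner ESP really is carried inside the R1-R2 tunnel, and which algorithms in these configs (DES, 3DES, MD5) a reviewer would flag as weak today. The WEAK set is my own choice, and the parser only understands the handful of IOS lines shown.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpts of the post's four router configs (only the crypto-relevant lines kept).
R1 = """\
crypto isakmp policy 1
 encr aes 256
 hash md5
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto map mapme 1 ipsec-isakmp
 set peer 1.1.1.2
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 crypto map mapme
access-list 101 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
"""
R2 = """\
crypto isakmp policy 1
 encr aes 256
 hash md5
crypto ipsec transform-set TS esp-des esp-sha-hmac
crypto map mapme 1 ipsec-isakmp
 set peer 1.1.1.1
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 crypto map mapme
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
R3 = """\
crypto isakmp policy 10
 encr 3des
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map mapme 1 ipsec-isakmp
 set peer 2.2.2.1
interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0
 crypto map mapme
access-list 101 permit ip host 200.200.200.200 192.168.1.0 0.0.0.255
"""
R4 = """\
crypto isakmp policy 10
 encr 3des
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map mapme 1 ipsec-isakmp
 set peer 3.3.3.2
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 crypto map mapme
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 200.200.200.200
"""

# Algorithms a reviewer would flag in a transform set or ISAKMP policy (my own list, not IOS's).
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "3des", "md5"}


def _net(toks, i):
    """Read one ACL address term, 'host A' or 'A wildcard', and return (network, next index)."""
    if toks[i] == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    plen = 32 - int(ip_address(toks[i + 1])).bit_length()  # contiguous wildcard -> prefix length
    return ip_network(f"{toks[i]}/{plen}", strict=False), i + 2


def parse(cfg):
    # Extract ISAKMP algorithms, transform set, peer, local tunnel address and crypto ACL entries.
    d = {"isakmp": {}, "transform": [], "peer": None, "local": None, "acl": []}
    cur_if, if_ip = None, {}
    for line in filter(str.strip, cfg.splitlines()):
        toks = line.split()
        if not line.startswith(" "):  # a top-level command ends any interface block
            cur_if = None
        if toks[0] == "interface":
            cur_if = toks[1]
        elif cur_if and toks[:2] == ["ip", "address"]:
            if_ip[cur_if] = toks[2]
        elif cur_if and toks[:2] == ["crypto", "map"]:
            d["local"] = if_ip[cur_if]  # the crypto map is applied here, so this is the tunnel source
        elif toks[0] in ("encr", "hash"):
            d["isakmp"][toks[0]] = " ".join(toks[1:])
        elif toks[:3] == ["crypto", "ipsec", "transform-set"]:
            d["transform"] = toks[4:]
        elif toks[:2] == ["set", "peer"]:
            d["peer"] = toks[2]
        elif toks[0] == "access-list" and toks[2:4] == ["permit", "ip"]:
            src, i = _net(toks, 4)
            dst, _ = _net(toks, i)
            d["acl"].append((src, dst))
    return d


def acls_mirror(a, b):
    """Crypto ACLs must be mirror images, or one direction of traffic is not matched by the peer."""
    return sorted(a["acl"]) == sorted((dst, src) for src, dst in b["acl"])


def peers_consistent(a, b):
    """ISAKMP algorithms, transform set and peer/local addresses have to agree on both ends."""
    return (a["isakmp"] == b["isakmp"] and a["transform"] == b["transform"]
            and a["peer"] == b["local"] and b["peer"] == a["local"])


def weak_algorithms(d):
    return sorted((set(d["transform"]) | set(d["isakmp"].values())) & WEAK)


def outer_covers_inner(outer, inner):
    """The inner tunnel's ESP packets (inner local -> inner peer) must match the outer crypto ACL."""
    src, dst = ip_address(inner["local"]), ip_address(inner["peer"])
    return any(src in s and dst in t for s, t in outer["acl"])
```

Calling parse on each excerpt and then acls_mirror(r1, r2), peers_consistent(r3, r4), outer_covers_inner(r1, r4) and weak_algorithms(r1) gives the pass/fail picture for the whole setup; the nesting check is the one that confirms the "double tunnel" claim rather than just two independent tunnels.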



We will discuss IPsec in detail later in the series.
I hope you tried it and had fun learning it!

-Anupam