Archive for January, 2016

OSPF Virtual Links

Posted: January 30, 2016 in CISCO

Virtual links are used when an area needs to be connected to the backbone area (area 0) but is not directly attached to it. This happens when the backbone area is discontiguous or when a new area is added to existing areas.

 

R1:

!
interface Loopback0
ip address 172.30.30.1 255.255.255.252
!
interface Serial1/0
ip address 10.1.12.1 255.255.255.0
!
router ospf 1
network 10.1.1.0 0.0.0.255 area 0
network 10.1.12.0 0.0.0.255 area 0

 

R2:

!
interface Loopback0
ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
ip address 10.1.12.2 255.255.255.0
!
interface Serial1/1
ip address 10.1.23.2 255.255.255.0
!
router ospf 1
area 23 virtual-link 192.168.103.1
network 10.1.2.0 0.0.0.255 area 0
network 10.1.12.0 0.0.0.255 area 0
network 10.1.23.0 0.0.0.255 area 23

 

R3:

interface Loopback0
ip address 10.1.3.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback100
ip address 192.168.100.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback101
ip address 192.168.101.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback102
ip address 192.168.102.1 255.255.255.0
ip ospf network point-to-point
!
interface Loopback103
ip address 192.168.103.1 255.255.255.0
ip ospf network point-to-point
!
interface Serial1/1
ip address 10.1.23.3 255.255.255.0
!
router ospf 1
area 23 virtual-link 10.1.2.1
network 10.1.3.0 0.0.0.255 area 23
network 10.1.23.0 0.0.0.255 area 23
network 192.168.100.0 0.0.3.255 area 100

 

Take a look at the routing tables on R1 and R2:

 

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.30.0.0/30 is subnetted, 1 subnets
C       172.30.30.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 4 subnets
C       10.1.12.0 is directly connected, Serial1/0
O IA    10.1.3.0 [110/129] via 10.1.12.2, 00:00:32, Serial1/0
O       10.1.2.0 [110/65] via 10.1.12.2, 00:00:32, Serial1/0
O IA    10.1.23.0 [110/128] via 10.1.12.2, 00:00:32, Serial1/0

R2(config-router)#
*Mar  1 00:45:29.419: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.103.1 on OSPF_VL3 from FULL to DOWN, Neighbor Down: Interface down or detached
R2(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 4 subnets
C       10.1.12.0 is directly connected, Serial1/0
O       10.1.3.0 [110/65] via 10.1.23.3, 00:14:23, Serial1/1
C       10.1.2.0 is directly connected, Loopback0
C       10.1.23.0 is directly connected, Serial1/1

We can see that the routes in area 100 (192.168.100-103/24) are not shown, although they are advertised on R3 in the OSPF network statement. This is because area 100 is not connected to area 0. Routes in area 23 are not advertised outside that area.

To overcome this issue, we create a virtual link between the ABR (R2) and the router in area 100 (R3). Before creating the virtual link, we need to identify the router IDs of R2 and R3:

R2#sh ip ospf
Routing Process "ospf 1" with ID 10.1.2.1

R3(config-router)#do sh ip ospf
Routing Process "ospf 1" with ID 192.168.103.1

R2(config)#router ospf 1
R2(config-router)#area 23 virtual-link 192.168.103.1

R3(config)#router ospf 1
R3(config-router)#area 23 virtual-link 10.1.2.1

 

Again, take a look at the routing tables on R1 and R2:

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.30.0.0/30 is subnetted, 1 subnets
C       172.30.30.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 4 subnets
C       10.1.12.0 is directly connected, Serial1/0
O IA    10.1.3.0 [110/129] via 10.1.12.2, 00:00:00, Serial1/0
O       10.1.2.0 [110/65] via 10.1.12.2, 00:00:00, Serial1/0
O IA    10.1.23.0 [110/128] via 10.1.12.2, 00:00:00, Serial1/0
O IA 192.168.102.0/24 [110/129] via 10.1.12.2, 00:00:01, Serial1/0
O IA 192.168.103.0/24 [110/129] via 10.1.12.2, 00:00:01, Serial1/0
O IA 192.168.100.0/24 [110/129] via 10.1.12.2, 00:00:02, Serial1/0
O IA 192.168.101.0/24 [110/129] via 10.1.12.2, 00:00:02, Serial1/0

R2(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 4 subnets
C       10.1.12.0 is directly connected, Serial1/0
O       10.1.3.0 [110/65] via 10.1.23.3, 00:00:21, Serial1/1
C       10.1.2.0 is directly connected, Loopback0
C       10.1.23.0 is directly connected, Serial1/1
O IA 192.168.102.0/24 [110/65] via 10.1.23.3, 00:00:21, Serial1/1
O IA 192.168.103.0/24 [110/65] via 10.1.23.3, 00:00:21, Serial1/1
O IA 192.168.100.0/24 [110/65] via 10.1.23.3, 00:00:21, Serial1/1
O IA 192.168.101.0/24 [110/65] via 10.1.23.3, 00:00:22, Serial1/1

 

Virtual links, however, add processing overhead and extend the backbone area onto routers where it might not belong.
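The router-ID lookup and the two virtual-link statements above can be checked offline before they are typed into the routers. The following Python check is an added example, not part of the original post: it derives each router ID from abbreviated R2 and R3 listings (explicit router-id, else highest loopback address, else highest interface address) and verifies that every virtual link points at the peer's router ID, is configured on both ends, and does not use a stub or NSSA transit area. The function names are assumptions of this example.

```python
import ipaddress

# Abbreviated R2 and R3 listings from the post above.
CONFIGS = {
    "R2": """
interface Loopback0
ip address 10.1.2.1 255.255.255.0
interface Serial1/0
ip address 10.1.12.2 255.255.255.0
interface Serial1/1
ip address 10.1.23.2 255.255.255.0
router ospf 1
area 23 virtual-link 192.168.103.1
network 10.1.23.0 0.0.0.255 area 23
""",
    "R3": """
interface Loopback0
ip address 10.1.3.1 255.255.255.0
interface Loopback100
ip address 192.168.100.1 255.255.255.0
interface Loopback103
ip address 192.168.103.1 255.255.255.0
interface Serial1/1
ip address 10.1.23.3 255.255.255.0
router ospf 1
area 23 virtual-link 10.1.2.1
network 10.1.23.0 0.0.0.255 area 23
""",
}


def parse_ospf(config):
    """Return the router ID, virtual links and stub/NSSA areas found in a config."""
    loopbacks, others, vlinks, stub_areas = [], [], [], set()
    rid, current = None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "interface":
            current = tok[1]
        elif tok[0] == "router":
            current = None
        elif tok[:2] == ["ip", "address"] and current and len(tok) >= 4:
            addr = ipaddress.IPv4Address(tok[2])
            is_loopback = current.lower().startswith("loopback")
            (loopbacks if is_loopback else others).append(addr)
        elif tok[0] == "router-id":
            rid = ipaddress.IPv4Address(tok[1])
        elif tok[0] == "area" and len(tok) >= 4 and tok[2] == "virtual-link":
            vlinks.append((tok[1], ipaddress.IPv4Address(tok[3])))
        elif tok[0] == "area" and len(tok) >= 3 and tok[2] in ("stub", "nssa"):
            stub_areas.add(tok[1])
    if rid is None:
        # No router-id command: highest loopback wins, then highest interface.
        rid = max(loopbacks or others)
    return {"rid": rid, "vlinks": vlinks, "stub": stub_areas}


def check_virtual_links(configs):
    """Return a list of problems; an empty list means both ends agree."""
    routers = {name: parse_ospf(text) for name, text in configs.items()}
    by_rid = {r["rid"]: name for name, r in routers.items()}
    problems = []
    for name, r in routers.items():
        for area, peer_rid in r["vlinks"]:
            peer = by_rid.get(peer_rid)
            if peer is None:
                problems.append(f"{name}: no router has ID {peer_rid}")
                continue
            if (area, r["rid"]) not in routers[peer]["vlinks"]:
                problems.append(
                    f"{peer}: missing 'area {area} virtual-link {r['rid']}'")
            if area in r["stub"] or area in routers[peer]["stub"]:
                problems.append(f"{name}: transit area {area} is stub/NSSA")
    return problems


if __name__ == "__main__":
    for name, text in CONFIGS.items():
        print(name, "router ID", parse_ospf(text)["rid"])
    print(check_virtual_links(CONFIGS) or "virtual links are consistent")
```

Pointing the virtual link at the neighbor's interface address (10.1.23.2) instead of its router ID is reported as two problems, one for each end.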

 


Multi-Area OSPF with Stub Areas

Posted: January 29, 2016 in CISCO

In this example I used c3745-advipservicesk9-mz.124-25d.bin; you can download it from here


 

R1:

!

interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 10.1.12.1 255.255.255.0
!
router ospf 1
network 10.1.0.0 0.0.255.255 area 0

 

R2:

!
interface Loopback0
ip address 10.1.2.1 255.255.255.0
ip ospf 2 area 0
!
interface Serial1/0
ip address 10.1.12.2 255.255.255.0
ip ospf 2 area 0
!
interface Serial1/1
ip address 10.1.23.2 255.255.255.0
ip ospf 2 area 23

R3:

!
interface Loopback0
ip address 10.1.3.1 255.255.255.0
!
interface Loopback1
ip address 172.20.200.1 255.255.255.0
!
interface Serial1/1
ip address 10.1.23.3 255.255.255.0
!
router ospf 3
network 10.1.23.0 0.0.0.255 area 23
network 172.20.200.0 0.0.0.255 area 23

 

Configuring stub area for area 23

Stub areas are used to control the injection of external routes (which go through the ABR) into an area. In this example R2 is the area border router (ABR) because it connects areas 0 and 23. Stub areas are configured with the area <area number> stub command. This command must be executed on the ABR and on the router in the related area, otherwise the OSPF relationship breaks down.

R2(config)#router ospf 2
R2(config-router)#area 23 stub

R3(config)#router ospf 3
R3(config-router)#area 23 stub

Area 23 is now a stub area, which means that it no longer receives any external routes. It receives a default route and OSPF inter-area routes.

R3(config-router)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.1.23.2 to network 0.0.0.0

O*IA 0.0.0.0/0 [110/65] via 10.1.23.2, 00:00:02, Serial1/0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
O IA 10.1.1.1/32 [110/129] via 10.1.23.2, 00:00:02, Serial1/0
O IA 10.1.2.0/24 [110/65] via 10.1.23.2, 00:00:02, Serial1/0
C 10.1.3.0/24 is directly connected, Loopback0
L 10.1.3.1/32 is directly connected, Loopback0
O IA 10.1.12.0/24 [110/128] via 10.1.23.2, 00:00:02, Serial1/0
C 10.1.23.0/24 is directly connected, Serial1/0
L 10.1.23.3/32 is directly connected, Serial1/0
172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.20.200.0/24 is directly connected, Loopback1

Default route is set to R2’s s1/0 interface (10.1.23.2)

The benefit is that router memory is conserved because the router has fewer routes to handle.

A totally stubby area allows only a single summary route from the backbone area (area 0). To configure it, the command area <area number> stub no-summary needs to be executed on the ABR (R2 in this case).

OSPF database before configuring the totally stubby area:

R2(config-router)#do sh ip ospf dat

OSPF Router with ID (10.1.2.1) (Process ID 2)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
10.1.1.1 10.1.1.1 319 0x80000003 0x0062CA 3
10.1.2.1 10.1.2.1 313 0x80000008 0x004DD7 3

Summary Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
10.1.3.1 10.1.2.1 101 0x80000001 0x00E5F8
10.1.23.0 10.1.2.1 938 0x80000001 0x0009C3
172.20.200.1 10.1.2.1 101 0x80000001 0x003F24

Router Link States (Area 23)

Link ID ADV Router Age Seq# Checksum Link count
10.1.2.1 10.1.2.1 106 0x80000006 0x00258E 2
172.20.200.1 172.20.200.1 106 0x80000004 0x007607 4

Summary Net Link States (Area 23)

Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.1.2.1 180 0x80000001 0x003BF4
10.1.1.1 10.1.2.1 180 0x80000002 0x0018C9
10.1.2.0 10.1.2.1 180 0x80000002 0x00948D
10.1.12.0 10.1.2.1 180 0x80000002 0x009E3A


R3(config-router)#do sh ip ospf dat

OSPF Router with ID (172.20.200.1) (Process ID 2)

Router Link States (Area 23)

Link ID ADV Router Age Seq# Checksum Link count
10.1.2.1 10.1.2.1 168 0x80000006 0x00258E 2
172.20.200.1 172.20.200.1 167 0x80000004 0x007607 4

Summary Net Link States (Area 23)

Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.1.2.1 241 0x80000001 0x003BF4
10.1.1.1 10.1.2.1 241 0x80000002 0x0018C9
10.1.2.0 10.1.2.1 241 0x80000002 0x00948D
10.1.12.0 10.1.2.1 241 0x80000002 0x009E3A

 

R2(config)#router ospf 2
R2(config-router)#area 23 stub no-summary

We can now see that R2 and R3 have only one summary route, the default route.

R2(config)#router ospf 2
R2(config-router)#do sh ip ospf dat

OSPF Router with ID (10.1.2.1) (Process ID 2)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
10.1.1.1 10.1.1.1 542 0x80000003 0x0062CA 3
10.1.2.1 10.1.2.1 536 0x80000008 0x004DD7 3

Summary Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
10.1.3.1 10.1.2.1 324 0x80000001 0x00E5F8
10.1.23.0 10.1.2.1 1162 0x80000001 0x0009C3
172.20.200.1 10.1.2.1 324 0x80000001 0x003F24

Router Link States (Area 23)

Link ID ADV Router Age Seq# Checksum Link count
10.1.2.1 10.1.2.1 329 0x80000006 0x00258E 2
172.20.200.1 172.20.200.1 330 0x80000004 0x007607 4

Summary Net Link States (Area 23)

Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.1.2.1 22 0x80000003 0x0037F6

R3#sh ip ospf dat

OSPF Router with ID (172.20.200.1) (Process ID 2)

Router Link States (Area 23)

Link ID ADV Router Age Seq# Checksum Link count
10.1.2.1 10.1.2.1 341 0x80000006 0x00258E 2
172.20.200.1 172.20.200.1 340 0x80000004 0x007607 4

Summary Net Link States (Area 23)

Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.1.2.1 34 0x80000003 0x0037F6

 

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.23.2 to network 0.0.0.0

172.20.0.0/24 is subnetted, 1 subnets
C 172.20.200.0 is directly connected, Loopback1
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.3.0 is directly connected, Loopback0
C 10.1.23.0 is directly connected, Serial1/1
O*IA 0.0.0.0/0 [110/65] via 10.1.23.2, 00:35:28, Serial1/1

Routers in the area see the default route and intra-area routes (routes between areas). This saves router processor time and memory, but the drawback is that suboptimal routes can be chosen. The ABR is the gateway to the rest of the area and is the boundary through which all LSAs need to pass.

A not-so-stubby area (NSSA) allows routes to be redistributed from ASBRs into that area. These use a special LSA type (type 7), which the ABR (R2) converts to LSA type 5 (known as the autonomous system external LSA; external LSAs are generated by the ASBR). To generate an external route into the NSSA, we use redistribute connected subnets on R3; the subnets keyword is used to redistribute classless networks.

R2(config)#router ospf 2
R2(config-router)#area 23 nssa

R3(config)#router ospf 3
R3(config-router)#area 23 nssa
R3(config-router)#redistribute connected subnets


R2#sh ip ospf dat

OSPF Router with ID (10.1.2.1) (Process ID 2)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
10.1.1.1 10.1.1.1 123 0x80000005 0x005ECC 3
10.1.2.1 10.1.2.1 263 0x80000006 0x0061C2 3

Summary Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
10.1.23.0 10.1.2.1 263 0x80000003 0x0005C5
172.20.200.1 10.1.2.1 1818 0x80000002 0x003D25

Router Link States (Area 23)

Link ID ADV Router Age Seq# Checksum Link count
10.1.2.1 10.1.2.1 1818 0x80000006 0x00B2F6 2
172.20.200.1 172.20.200.1 1955 0x80000008 0x004649 3

Summary Net Link States (Area 23)

Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.1.2.1 1567 0x80000002 0x00C066

Type-7 AS External Link States (Area 23)

Link ID ADV Router Age Seq# Checksum Tag
10.1.3.0 172.20.200.1 1956 0x80000002 0x00086A 0

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag
10.1.3.0 10.1.2.1 1821 0x80000002 0x005C9C 0

R3#sh ip ospf dat

 OSPF Router with ID (172.20.200.1) (Process ID 3)

 Router Link States (Area 23)

Link ID ADV Router Age Seq# Checksum Link count
10.1.2.1 10.1.2.1 1905 0x80000006 0x00B2F6 2
172.20.200.1 172.20.200.1 48 0x80000009 0x00444A 3

 Summary Net Link States (Area 23)

Link ID ADV Router Age Seq# Checksum
0.0.0.0 10.1.2.1 1654 0x80000002 0x00C066

 Type-7 AS External Link States (Area 23)

Link ID ADV Router Age Seq# Checksum Tag
10.1.3.0 172.20.200.1 48 0x80000003 0x00066B 0

We can see the external route, injected into R2 as N2 from R3:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.20.0.0/32 is subnetted, 1 subnets
O 172.20.200.1 [110/65] via 10.1.23.3, 00:02:23, Serial1/1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.1.12.0/24 is directly connected, Serial1/0
O N2 10.1.3.0/24 [110/20] via 10.1.23.3, 00:02:23, Serial1/1
C 10.1.2.0/24 is directly connected, Loopback0
O 10.1.1.1/32 [110/65] via 10.1.12.1, 00:03:07, Serial1/0
C 10.1.23.0/24 is directly connected, Serial1/1

Look at routing table on R1:

R1(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.20.0.0/32 is subnetted, 1 subnets
O IA 172.20.200.1 [110/129] via 10.1.12.2, 00:03:12, Serial1/0
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.1.12.0/24 is directly connected, Serial1/0
O E2 10.1.3.0/24 [110/20] via 10.1.12.2, 00:03:02, Serial1/0
O 10.1.2.1/32 [110/65] via 10.1.12.2, 00:03:45, Serial1/0
C 10.1.1.0/24 is directly connected, Loopback0
O IA 10.1.23.0/24 [110/128] via 10.1.12.2, 00:03:45, Serial1/0

 

Route 10.1.3.0 is now advertised as an E2 route because R2 translated the type 7 LSA to a type 5 LSA.

 

 

Configuring EIGRP authentication

Posted: January 24, 2016 in CISCO

EIGRP message authentication is used to prevent incorrect routes from being injected into routers. It also prevents another router from being added to the network, purposely or accidentally, which can seriously cripple our network.


R1:

!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.248
!
interface Serial1/2
ip address 172.16.13.1 255.255.255.248
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 security
serial restart-delay 0
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.1.0

R2:

!
interface Loopback0
ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
!
interface Serial1/0
ip address 172.16.12.2 255.255.255.248
!
interface Serial1/1
ip address 172.16.23.2 255.255.255.248
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.2.0

R3:

!
interface Loopback0
ip address 192.168.3.3 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.3 255.255.255.0
!
interface Serial1/1
ip address 172.16.23.3 255.255.255.248
!
interface Serial1/2
ip address 172.16.13.3 255.255.255.248
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.0.0

 

EIGRP only supports Message Digest 5 (MD5) authentication.

Configuring key chain named security:

R1(config)#key chain security
R2(config)#key chain security
R3(config)#key chain security

Under the key chain we configure a key, which needs to match on all routers in the topology:

R1(config-keychain)#key 1
R2(config-keychain)#key 1
R3(config-keychain)#key 1

 

Specifying the authentication string (cisco) for key 1 (configured in previous step):

R1(config-keychain-key)#key-string cisco
R2(config-keychain-key)#key-string cisco
R3(config-keychain-key)#key-string cisco

EIGRP authentication on interfaces:

R1(config)#int s1/0
!Enable EIGRP message authentication. The 1 is the autonomous system number of the
!network. md5 is the hash to be used for authentication.
R1(config-if)#ip authentication mode eigrp 1 md5
!The key chain that is to be used for authentication. 1 is the autonomous system
!number. security is the key chain created with the key chain command.
R1(config-if)#ip authentication key-chain eigrp 1 security
R1(config-if)#int f0/0
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#ip authentication key-chain eigrp 1 security
R1(config-if)#int s1/2
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#ip authentication key-chain eigrp 1 security

R2(config)#int f0/0
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#ip authentication key-chain eigrp 1 security
R2(config-if)#int s1/0
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#ip authentication key-chain eigrp 1 security
R2(config-if)#int s1/1
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#ip authentication key-chain eigrp 1 security

R3(config)#int f0/0
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#ip authentication key-chain eigrp 1 security
R3(config-if)#int s1/0
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#ip authentication key-chain eigrp 1 security
R3(config-if)#int s1/1
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#ip authentication key-chain eigrp 1 security

 

R1#sh ip eigrp interfaces detail
EIGRP-IPv4 Interfaces for AS(1)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 0 0/0 0/0 0 0/0 1120 0
Hello-interval is 5, Hold-time is 15
Split-horizon is enabled
Next xmit serial <none>
Packetized sent/expedited: 5/0
Hello’s sent/expedited: 1458/3
Un/reliable mcasts: 0/3 Un/reliable ucasts: 8/5
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 2 Out-of-sequence rcvd: 1
Topology-ids on interface – 0
Authentication mode is md5, key-chain is “security”

Enable debugging on router (R3 in this example)

R3#debug eigrp packets
*Jan 24 17:38:24.043: EIGRP: Sending HELLO on Se1/2 – paklen 60
*Jan 24 17:38:24.047: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Jan 24 17:38:24.207: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 24 17:38:24.207: EIGRP: Received HELLO on Fa0/0 – paklen 60 nbr 10.1.1.2
*Jan 24 17:38:24.211: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
R3#no debug eigrp packets
EIGRP Packet debugging is off
R3#
*Jan 24 17:38:25.123: EIGRP: Fa0/0: ignored packet from 10.1.1.1, opcode = 5 (missing authentication)
*Jan 24 17:38:26.023: EIGRP: Sending HELLO on Fa0/0 – paklen 60
*Jan 24 17:38:26.027: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
R3#
*Jan 24 17:38:26.203: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 24 17:38:26.203: EIGRP: Received HELLO on Se1/2 – paklen 60 nbr 172.16.13.1
*Jan 24 17:38:26.207: AS 1, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
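Authentication has to be enabled on every EIGRP interface that faces a neighbor, and the debug output above shows what a gap looks like (a packet ignored for missing authentication). The following Python audit is an added example, not part of the original post: it reads the R1 listing from this post, reports EIGRP-enabled interfaces that lack the mode or key-chain line, and extracts ignored packets from the debug lines. The function names are assumptions of this example, and loopbacks are skipped because no neighbor forms on them.

```python
import ipaddress
import re

# R1 as listed in the post: only Serial1/2 carries the authentication lines.
R1_CONFIG = """\
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 172.16.12.1 255.255.255.248
!
interface Serial1/2
ip address 172.16.13.1 255.255.255.248
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 security
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
network 192.168.1.0
"""

# Debug lines copied from the R3 output in the post.
R3_DEBUG = """\
*Jan 24 17:38:24.207: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 24 17:38:25.123: EIGRP: Fa0/0: ignored packet from 10.1.1.1, opcode = 5 (missing authentication)
*Jan 24 17:38:26.203: EIGRP: received packet with MD5 authentication, key id = 1
"""

IGNORED = re.compile(
    r"EIGRP: (\S+): ignored packet from (\S+), opcode = (\d+) \(([^)]+)\)")


def eigrp_network(tok):
    """'network A.B.C.D [wildcard]' -> network; classful when no wildcard."""
    if len(tok) > 2:
        wild = int(ipaddress.IPv4Address(tok[2]))
        plen = 32 - wild.bit_length()      # assumes a contiguous wildcard
    else:
        first = int(tok[1].split(".")[0])
        plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{tok[1]}/{plen}", strict=False)


def parse(config):
    interfaces, networks, section = {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "interface":
            section = ("if", tok[1])
            interfaces[tok[1]] = {"addr": None, "mode": set(), "chain": {}}
        elif tok[0] == "router":
            section = ("eigrp", tok[2]) if tok[1] == "eigrp" else None
            if section:
                networks.setdefault(tok[2], [])
        elif section and section[0] == "if":
            intf = interfaces[section[1]]
            if tok[:2] == ["ip", "address"] and len(tok) >= 4:
                intf["addr"] = ipaddress.ip_address(tok[2])
            elif tok[:4] == ["ip", "authentication", "mode", "eigrp"]:
                intf["mode"].add(tok[4])
            elif tok[:4] == ["ip", "authentication", "key-chain", "eigrp"]:
                intf["chain"][tok[4]] = tok[5]
        elif section and section[0] == "eigrp" and tok[0] == "network":
            networks[section[1]].append(eigrp_network(tok))
    return interfaces, networks


def unauthenticated(config):
    """Return (interface, AS, missing lines) for each unprotected interface."""
    interfaces, networks = parse(config)
    findings = []
    for asn, nets in networks.items():
        for name, intf in interfaces.items():
            if name.lower().startswith("loopback") or intf["addr"] is None:
                continue
            if not any(intf["addr"] in net for net in nets):
                continue                   # interface is not in this EIGRP AS
            missing = [label for label, present in (
                ("mode md5", asn in intf["mode"]),
                ("key-chain", asn in intf["chain"])) if not present]
            if missing:
                findings.append((name, asn, missing))
    return findings


def ignored_packets(log):
    """Return (interface, neighbor, opcode, reason) for each ignored packet."""
    return [(m[1], m[2], int(m[3]), m[4]) for m in IGNORED.finditer(log)]


if __name__ == "__main__":
    for finding in unauthenticated(R1_CONFIG):
        print("no EIGRP authentication:", finding)
    for event in ignored_packets(R3_DEBUG):
        print("ignored packet:", event)
```

On the R1 listing the audit flags FastEthernet0/0 and Serial1/0, which matches the debug line where R3 ignores the unauthenticated packet from 10.1.1.1 on Fa0/0.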

 

EIGRP manual route summarization

Posted: January 23, 2016 in CISCO

Why use route summarization:

Summarization would decrease the number of routes advertised by EIGRP. Decreasing the number of routes causes less bandwidth utilization, smaller IP routing tables, and smaller EIGRP topology tables. This can also result in less CPU utilization and less memory usage.
Summarization could prevent updates regarding flapping routes from being propagated throughout the EIGRP domain if those flapping routes fall within a summary address placed at a critical point in the network (usually as close to the source as possible).
Summarization limits the depth of the network into which a query is propagated. Because upstream routers know only about a summary route and not about its individual components, they immediately respond with an infinite metric to any query about component routes without propagating the query further. This helps to limit the scope of diffusing computation and prevent the stuck-in-active states.

Summarization, however, can cause suboptimal routing (when a router does not take the shortest route to a destination). Summarization can also cause packets destined for an inaccessible destination to flow to the summarizing router, where they will be discarded.


R1:

!
interface Serial1/0
ip address 192.168.100.1 255.255.255.248

!
interface Serial1/1
no ip address

!
router eigrp 100
network 172.31.1.0 0.0.0.255
network 192.168.100.0

 

R2:

interface Loopback1
ip address 192.168.200.1 255.255.255.252
!
interface Loopback5
ip address 192.168.200.5 255.255.255.252
!
interface Loopback9
ip address 192.168.200.9 255.255.255.252
!
interface Loopback13
ip address 192.168.200.13 255.255.255.252
!
interface Loopback17
ip address 192.168.200.17 255.255.255.252
!
interface Loopback21
ip address 192.168.200.21 255.255.255.252
ip summary-address eigrp 100 192.168.200.0 255.255.255.224
!
interface Loopback25
ip address 192.168.200.25 255.255.255.252
!
interface Serial1/0
ip address 192.168.100.2 255.255.255.248
!
interface Serial1/1
ip address 10.1.1.2 255.255.255.248
!
router eigrp 100
network 10.1.1.0 0.0.0.255
network 192.168.100.0
network 192.168.200.0

 

R3:

!
interface Loopback1
ip address 192.168.1.1 255.255.254.0
!
interface Loopback5
ip address 192.168.5.5 255.255.254.0
!
interface Loopback9
ip address 192.168.9.9 255.255.254.0
!
interface Loopback13
ip address 192.168.13.13 255.255.254.0
!
interface Loopback17
ip address 192.168.17.17 255.255.254.0
!
interface Loopback21
ip address 192.168.21.21 255.255.254.0
!
interface Loopback25
ip address 192.168.25.25 255.255.254.0
!
interface Loopback100
ip address 10.1.3.1 255.255.255.252
!
interface Loopback172
ip address 172.16.1.1 255.255.255.0
!
interface Serial1/0
ip address 10.1.1.3 255.255.255.248
!
router eigrp 100
network 10.1.1.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 172.16.0.0
network 192.168.0.0 0.0.31.255

 

Routing table on R1 before summarization

R1#sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.1.1.0/29 [90/2681856] via 192.168.100.2, 02:08:59, Serial1/0
D 10.1.3.0/30 [90/2809856] via 192.168.100.2, 02:08:59, Serial1/0
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/2809856] via 192.168.100.2, 02:10:12, Serial1/0
172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.31.1.0/24 is directly connected, Loopback0
L 172.31.1.1/32 is directly connected, Loopback0
D 192.168.0.0/23 [90/2809856] via 192.168.100.2, 00:01:52, Serial1/0
D 192.168.4.0/23 [90/2809856] via 192.168.100.2, 00:01:52, Serial1/0
D 192.168.8.0/23 [90/2809856] via 192.168.100.2, 00:01:52, Serial1/0
D 192.168.12.0/23 [90/2809856] via 192.168.100.2, 00:01:52, Serial1/0
D 192.168.16.0/23 [90/2809856] via 192.168.100.2, 00:01:52, Serial1/0
D 192.168.20.0/23 [90/2809856] via 192.168.100.2, 00:01:52, Serial1/0
D 192.168.24.0/23 [90/2809856] via 192.168.100.2, 00:01:52, Serial1/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/29 is directly connected, Serial1/0
L 192.168.100.1/32 is directly connected, Serial1/0
192.168.200.0/30 is subnetted, 7 subnets
D 192.168.200.0 [90/2297856] via 192.168.100.2, 00:00:15, Serial1/0
D 192.168.200.4 [90/2297856] via 192.168.100.2, 00:00:15, Serial1/0
D 192.168.200.8 [90/2297856] via 192.168.100.2, 00:00:15, Serial1/0
D 192.168.200.12 [90/2297856] via 192.168.100.2, 00:00:15, Serial1/0
D 192.168.200.16 [90/2297856] via 192.168.100.2, 00:00:15, Serial1/0
D 192.168.200.20 [90/2297856] via 192.168.100.2, 00:00:15, Serial1/0
D 192.168.200.24 [90/2297856] via 192.168.100.2, 00:00:15, Serial1/0

In this example we'll summarize the 192.168. networks on R3.

The first 16 bits are the same for all networks. The 3rd octet is not the same (1,5,9,13,17,21,25):

128   64   32   16    8    4    2    1      value
  0    0    0    0    0    0    0    1      1
  0    0    0    0    0    1    0    1      5
  0    0    0    0    1    0    0    1      9
  0    0    0    0    1    1    0    1      13
  0    0    0    1    0    0    0    1      17
  0    0    0    1    0    1    0    1      21
  0    0    0    1    1    0    0    1      25

The first 3 bits of the 3rd octet are the same; adding these 3 bits to the first two octets gives 19 (8+8+3=19).

Faster method:

The largest number in the 3rd octet is 27. Going from left to right, the largest bit value just before 27 is 16, so 3 bits are left over (128,64,32):

128   64   32   16    8    4    2    1
  1    1    1    0    0    0    0    0

128+64+32=224, so the summary subnet mask will be 255.255.224.0 (the first two octets are the same (255.255) and the third is 224 (128+64+32)).

R3(config-router)#int s1/0
R3(config-if)#ip summary-address eigrp 100 192.168.0.0 255.255.224.0

 

In the same way, we can summarize the 192.168.200.0 networks on R2.

This time the first three octets are the same (192.168.200). Because the subnet numbers in the 4th octet are the same (1,5,9,13,17,21,25), the subnet mask will be 255.255.255.224 (8+8+8+3=27).

Because R2 has 2 interfaces, summarization should be set on s1/0 and s1/1:

R2(config-router)#int s1/0
R2(config-if)#ip summary-address eigrp 100 192.168.200.0 255.255.255.224

R2(config-if)#int s1/1
R2(config-if)#ip summary-address eigrp 100 192.168.200.0 255.255.255.224

 

 

Routing table after summarization:

R1(config-router)#do sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
D 10.1.1.0/29 [90/2681856] via 192.168.100.2, 02:05:56, Serial1/0
D 10.1.3.0/30 [90/2809856] via 192.168.100.2, 02:05:56, Serial1/0
172.16.0.0/24 is subnetted, 1 subnets
D 172.16.1.0 [90/2809856] via 192.168.100.2, 02:07:09, Serial1/0
172.31.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.31.1.0/24 is directly connected, Loopback0
L 172.31.1.1/32 is directly connected, Loopback0
D 192.168.0.0/19 [90/2809856] via 192.168.100.2, 01:02:50, Serial1/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/29 is directly connected, Serial1/0
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
D 192.168.200.0/24 [90/2297856] via 192.168.100.2, 00:09:44, Serial1/0

We can see that the routing table is now significantly smaller, and summary routes are advertised.
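The binary comparison used above for R3 and R2 can be done mechanically. The following Python code is an added example, not part of the original post: it computes the summary for the loopbacks in the R3 and R2 listings, prints the matching ip summary-address line, and lists the address space that the summary covers but no component route does, which is where traffic for nonexistent destinations ends up at the summarizing router. The function names are assumptions of this example.

```python
import ipaddress

# Loopback addresses from the R3 listing (mask 255.255.254.0 = /23).
R3_LOOPBACKS = ["192.168.1.1/23", "192.168.5.5/23", "192.168.9.9/23",
                "192.168.13.13/23", "192.168.17.17/23", "192.168.21.21/23",
                "192.168.25.25/23"]
# Loopback addresses from the R2 listing (mask 255.255.255.252 = /30).
R2_LOOPBACKS = ["192.168.200.1/30", "192.168.200.5/30", "192.168.200.9/30",
                "192.168.200.13/30", "192.168.200.17/30", "192.168.200.21/30",
                "192.168.200.25/30"]


def summarize(interfaces):
    """Smallest single prefix that contains every component network."""
    nets = [ipaddress.ip_interface(i).network for i in interfaces]
    first = min(int(n.network_address) for n in nets)
    last = max(int(n.broadcast_address) for n in nets)
    # Bits that differ between the lowest and highest address are host bits.
    host_bits = (first ^ last).bit_length()
    base = first >> host_bits << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))


def uncovered(interfaces):
    """Blocks inside the summary that belong to no component network."""
    nets = [ipaddress.ip_interface(i).network for i in interfaces]
    remaining = [summarize(interfaces)]
    for comp in nets:
        nxt = []
        for block in remaining:
            if comp == block or block.subnet_of(comp):
                continue                      # fully covered by this component
            if comp.subnet_of(block):
                nxt.extend(block.address_exclude(comp))
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def ios_command(asn, interfaces):
    """The interface command for this summary, in the form used in the post."""
    s = summarize(interfaces)
    return f"ip summary-address eigrp {asn} {s.network_address} {s.netmask}"


if __name__ == "__main__":
    for name, loopbacks in (("R3", R3_LOOPBACKS), ("R2", R2_LOOPBACKS)):
        print(name, summarize(loopbacks), "->", ios_command(100, loopbacks))
        gaps = uncovered(loopbacks)
        total = sum(g.num_addresses for g in gaps)
        print("  covered by the summary only:", total, "addresses")
        for gap in gaps:
            print("   ", gap)
```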

 

 

 

 

 

 

Filtering EIGRP routes in GNS3

Posted: January 21, 2016 in CISCO

Sometimes there is a need to prevent routes from being advertised to other network segments.


 

For example, let's say we need to prevent some routes advertised by Router 5 (10.17.35.0, 10.17.35.128) from reaching router R1.

To reach the 10.17.35.0 network, R1 has 2 paths: via R3 and via R4, so route filters must be set on R3 and R4.

Routing table before applying prefix list

R1#sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 19 subnets, 6 masks
D 10.1.1.4/30 [90/2684416] via 10.1.2.1, 00:06:35, Serial1/0
C 10.1.2.0/30 is directly connected, Serial1/0
L 10.1.2.2/32 is directly connected, Serial1/0
D 10.1.2.4/30 [90/2681856] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.0/30 [90/2172416] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.4/30 [90/2174976] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.8/30 [90/2174976] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.12/30 [90/2172416] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.16/30 [90/2177536] via 10.1.2.1, 00:06:35, Serial1/0
D 10.9.1.20/30 [90/2174976] via 10.1.2.1, 00:06:35, Serial1/0
C 10.11.1.0/24 is directly connected, Loopback0
L 10.11.1.1/32 is directly connected, Loopback0
D 10.12.1.0/24 [90/2809856] via 10.1.2.1, 00:06:36, Serial1/0
D 10.17.32.0/23 [90/2300416] via 10.1.2.1, 00:06:36, Serial1/0
D 10.17.34.0/24 [90/2300416] via 10.1.2.1, 00:06:36, Serial1/0
D 10.17.35.0/25 [90/2300416] via 10.1.2.1, 00:00:33, Serial1/0
D 10.17.35.128/25 [90/2300416] via 10.1.2.1, 00:00:33, Serial1/0
D 10.17.36.0/26 [90/2300416] via 10.1.2.1, 00:06:37, Serial1/0
D 10.17.36.64/26 [90/2300416] via 10.1.2.1, 00:06:37, Serial1/0

Method 1: ACL

R3(config)#access-list 2 deny 10.17.35.0 0.0.0.0
R3(config)#access-list 2 deny 10.17.35.128 0.0.0.0
!allow all other networks
R3(config)#access-list 2 permit any

!Now apply this filter to the EIGRP process:

R3(config)#router eigrp 20
!apply route filter to interface connected to R1
R3(config-router)#distribute-list 2 out s1/1

!R4:

R4(config)#access-list 2 deny 10.17.35.0 0.0.0.0
R4(config)#access-list 2 deny 10.17.35.128 0.0.0.0
R4(config)#access-list 2 permit any
R4(config)#router eigrp 20
!apply route filter to interface connected to R1
R4(config-router)#distribute-list 2 out s1/0

 

Method 2: Prefix list

Concept: http://packetlife.net/blog/2010/feb/1/understanding-ip-prefix-lists/

!with a single line we deny both 10.17.35.0 and 10.17.35.128 using the
!ge (greater than or equal to) and le (less than or equal to) operators
!deny the /25 subnets of 10.17.35.0/24: 10.17.35.0/25 and 10.17.35.128/25 (sequence number 5)
R3(config)#ip prefix-list 10_17 seq 5 deny 10.17.35.0/24 ge 25 le 25
!permit other prefixes (sequence 10):
R3(config)#ip prefix-list 10_17 seq 10 permit 0.0.0.0/0 le 32
!apply prefix list to interface connected to R1
R3(config)#router eigrp 20
R3(config-router)#distribute-list prefix 10_17 out s1/1

!R4:

R4(config)#ip prefix-list 10_17 seq 5 deny 10.17.35.0/24 ge 25 le 25
R4(config)#ip prefix-list 10_17 seq 10 permit 0.0.0.0/0 le 32
R4(config)#router eigrp 20
R4(config-router)#distribute-list prefix 10_17 out s1/0
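
Methods 1 and 2 do not match routes the same way, which matters when a filter is meant to hide exactly two subnets. The following is an added example, not part of the original post: a small Python model of both matching rules, run against the EIGRP routes from R1's table. The function names are hypothetical, and the ACL and prefix-list entries are copied from the configuration above.

```python
import ipaddress

# Constructed from the post: ACL 2 (Method 1) and prefix list 10_17 (Method 2).
ACL_2 = [("deny", "10.17.35.0", "0.0.0.0"),
         ("deny", "10.17.35.128", "0.0.0.0"),
         ("permit", "0.0.0.0", "255.255.255.255")]        # "permit any"
PREFIX_LIST = [(5, "deny", "10.17.35.0/24", 25, 25),      # (seq, action, prefix, ge, le)
               (10, "permit", "0.0.0.0/0", None, 32)]
# EIGRP routes copied from R1's routing table before filtering.
ROUTES = ["10.12.1.0/24", "10.17.32.0/23", "10.17.34.0/24", "10.17.35.0/25",
          "10.17.35.128/25", "10.17.36.0/26", "10.17.36.64/26"]


def acl_action(route, acl=ACL_2):
    """Standard ACL in a distribute-list: only the network address is
    compared (under the wildcard); the route's mask length is ignored."""
    addr = int(ipaddress.ip_network(route).network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action
    return "deny"                                          # implicit deny


def prefix_list_action(route, entries=PREFIX_LIST):
    """Prefix list: the route must fall inside the prefix AND its mask
    length must be in range. First match wins, then implicit deny."""
    net = ipaddress.ip_network(route)
    for _seq, action, prefix, ge, le in sorted(entries, key=lambda e: e[0]):
        pfx = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = pfx.prefixlen                        # exact length only
        else:
            lo = pfx.prefixlen if ge is None else ge
            hi = 32 if le is None else le
        if net.subnet_of(pfx) and lo <= net.prefixlen <= hi:
            return action
    return "deny"


def advertised(action_fn, routes=ROUTES):
    """Routes the filter would still let R3/R4 advertise to R1."""
    return [r for r in routes if action_fn(r) == "permit"]


if __name__ == "__main__":
    print("prefix list:", advertised(prefix_list_action))
    print("ACL:        ", advertised(acl_action))
    print(acl_action("10.17.35.0/24"), prefix_list_action("10.17.35.0/24"))
```

Both filters remove the two /25 routes, but a 10.17.35.0/24 route would be dropped by the ACL and passed by the prefix list, so the prefix list is the more precise of the two.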

Method 3: Route map

A route map consists of several route-map statements that all share the same text name. The route map uses IP prefix lists for route matching. Optionally, a sequence number can be set. Once a route has been matched by a statement (deny or permit), Cisco IOS stops processing the route map for that route.

Set up the IP prefix lists (note that although the 10.17.35.0/25 and 10.17.35.128/25 networks need to be prohibited, a permit clause is used; the prefix list only selects the routes, and the deny is applied in the route map):

R3(config)#ip prefix-list 10_17 seq 5 permit 10.17.35.0/24 ge 25 le 25
R3(config)#ip prefix-list all_net seq 10 permit 0.0.0.0/0 le 32

R4(config)#ip prefix-list 10_17 seq 5 permit 10.17.35.0/24 ge 25 le 25
R4(config)#ip prefix-list all_net seq 10 permit 0.0.0.0/0 le 32

Creating route map:

 

!creating route map named 10_17 sequence 5,with deny clause:
R3(config)#route-map 10_17 deny 5
!match prefix list 10_17
R3(config-route-map)#match ip address prefix-list 10_17
R3(config-route-map)#exit
!add another sequence (10) to permit other subnets
R3(config)#route-map 10_17 permit 10
R3(config-route-map)#match ip address prefix-list all_net
R3(config-route-map)#exit
!add another sequence (note: with no match clause it matches everything) to allow all other routes
R3(config)#route-map 10_17 permit 15
!R4:
R4(config)#route-map 10_17 deny 5
R4(config-route-map)#match ip address prefix-list 10_17
R4(config-route-map)#exit
R4(config)#route-map 10_17 permit 10
R4(config-route-map)#match ip address prefix-list all_net
R4(config-route-map)#exit
R4(config)#route-map 10_17 permit 15

 

Apply route map 10_17 to the EIGRP process:

R3(config)#router eigrp 20
R3(config-router)#distribute-list route-map 10_17 out s1/1
R4(config)#router eigrp 20
R4(config-router)#distribute-list route-map 10_17 out s1/0

The 10.17.35.0/25 and 10.17.35.128/25 networks no longer appear in R1's routing table:

R1(config)#do sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 17 subnets, 5 masks
D 10.1.1.4/30 [90/2684416] via 10.1.2.1, 00:04:27, Serial1/0
C 10.1.2.0/30 is directly connected, Serial1/0
L 10.1.2.2/32 is directly connected, Serial1/0
D 10.1.2.4/30 [90/2681856] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.0/30 [90/2172416] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.4/30 [90/2174976] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.8/30 [90/2174976] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.12/30 [90/2172416] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.16/30 [90/2177536] via 10.1.2.1, 00:04:27, Serial1/0
D 10.9.1.20/30 [90/2174976] via 10.1.2.1, 00:04:27, Serial1/0
C 10.11.1.0/24 is directly connected, Loopback0
L 10.11.1.1/32 is directly connected, Loopback0
D 10.12.1.0/24 [90/2809856] via 10.1.2.1, 00:04:28, Serial1/0
D 10.17.32.0/23 [90/2300416] via 10.1.2.1, 00:04:29, Serial1/0
D 10.17.34.0/24 [90/2300416] via 10.1.2.1, 00:04:29, Serial1/0
D 10.17.36.0/26 [90/2300416] via 10.1.2.1, 00:04:29, Serial1/0
D 10.17.36.64/26 [90/2300416] via 10.1.2.1, 00:04:29, Serial1/0

Dynamic Multipoint VPN on GNS3

Posted: January 18, 2016 in CISCO

DMVPN (Dynamic Multipoint VPN)  uses multipoint GRE tunnels between endpoints.

GRE tunnels are described here.

DMVPN is best explained through example.

GRE tunnels are created between R1 and R3, R1 and R5, and R3 and R5. One router is declared as the hub, usually the main router at HQ (R1 in this example). The spoke routers (R3 and R5) communicate with R1 to obtain connection information about the other routers in the topology.

R1 provides the public IP of R3 to R5 and vice versa, so R3 and R5 can make a direct connection.

R1 uses the Next Hop Resolution Protocol (NHRP) to communicate with R3 and R5 and to inform them about the fastest route between them.

NHRP provides the optimal path (minimum hops) to the spoke routers in the topology (R3 and R5 in this example).

R1 config:

interface FastEthernet0/0
ip address 10.30.10.1 255.255.255.252
!
interface Serial1/0
ip address 10.10.10.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.10.10.1

R3:

interface FastEthernet0/0
ip address 10.40.10.1 255.255.255.252
!
interface Serial1/0
ip address 10.20.10.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.20.10.1

 

R5:

interface FastEthernet0/0
ip address 10.60.10.1 255.255.255.252
!
interface Serial1/0
ip address 10.50.10.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.50.10.1

ISP:

interface Serial1/0
ip address 10.10.10.1 255.255.255.252
!
interface Serial1/1
ip address 10.20.10.1 255.255.255.252
!
interface Serial1/2
ip address 10.50.10.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip route 10.40.10.0 255.255.255.252 10.20.10.2
ip route 10.60.10.0 255.255.255.252 10.50.10.2

 

Create GRE tunnels on hub-R1:

R1(config)#int tunnel 0
!source tunnel interface:
R1(config-if)#tunnel source s1/0
!designates tunnel as a multipoint GRE tunnel:
R1(config-if)#tunnel mode gre multipoint
!tunnel key: identifies the tunnel and must match on all routers (an ID, not encryption):
R1(config-if)#tunnel key 1234
! identify this DMVPN cloud. All routers participating in this DMVPN cloud must have the same network-id configured in order for tunnels to form:
R1(config-if)#ip nhrp network-id 1
! allow the authenticated updates and queries to the NHRP Database:
R1(config-if)#ip nhrp authentication qwerty
!enables the forwarding of multicast traffic across the tunnel to dynamic spokes:
R1(config-if)#ip nhrp map multicast dynamic
!assign tunnel ip address:
R1(config-if)#ip address 192.168.0.1 255.255.255.0

 

Create GRE tunnels on spoke-R3:

R3(config)#int tunnel 0
!source tunnel interface:
R3(config-if)#tunnel source s1/0
!designates tunnel as a multipoint GRE tunnel:
R3(config-if)#tunnel mode gre multipoint
!tunnel key: identifies the tunnel and must match on all routers (an ID, not encryption):
R3(config-if)#tunnel key 1234
! identify this DMVPN cloud. All routers participating in this DMVPN cloud must have the same network-id configured in order for tunnels to form:
R3(config-if)#ip nhrp network-id 1
! allow the authenticated updates and queries to the NHRP Database:
R3(config-if)#ip nhrp authentication qwerty
!enables the forwarding of multicast traffic across the tunnel to dynamic spokes:
R3(config-if)#ip nhrp map multicast dynamic
!assign tunnel ip address:
R3(config-if)#ip address 192.168.0.2 255.255.255.0
!NHS (next hop server): the server from which to obtain the IP addresses of the other routers
!in the topology (hub R1's tunnel interface IP address, defined in the previous step: 192.168.0.1)
R3(config-if)#ip nhrp nhs 192.168.0.1
!to reach the private IP of R1's tunnel interface (192.168.0.1), use R1's public address
!(10.10.10.2):
R3(config-if)#ip nhrp map 192.168.0.1 10.10.10.2
!allow multicast traffic to the hub (R1 public IP 10.10.10.2)
R3(config-if)#ip nhrp map multicast 10.10.10.2

 

Create GRE tunnels on spoke-R5:

R5(config)#int tunnel 0
!source tunnel interface:
R5(config-if)#tunnel source s1/0
!designates tunnel as a multipoint GRE tunnel:
R5(config-if)#tunnel mode gre multipoint
!tunnel key: identifies the tunnel and must match on all routers (an ID, not encryption):
R5(config-if)#tunnel key 1234
! identify this DMVPN cloud. All routers participating in this DMVPN cloud must have the same network-id configured in order for tunnels to form:
R5(config-if)#ip nhrp network-id 1
! allow the authenticated updates and queries to the NHRP Database:
R5(config-if)#ip nhrp authentication qwerty
!enables the forwarding of multicast traffic across the tunnel to dynamic spokes:
R5(config-if)#ip nhrp map multicast dynamic
!assign tunnel ip address:
R5(config-if)#ip address 192.168.0.3 255.255.255.0
!NHS (next hop server): the server from which to obtain the IP addresses of the other routers
!in the topology (hub R1's tunnel interface IP address, defined in the previous step: 192.168.0.1)
R5(config-if)#ip nhrp nhs 192.168.0.1
!to reach the private IP of R1's tunnel interface (192.168.0.1), use R1's public address
!(10.10.10.2):
R5(config-if)#ip nhrp map 192.168.0.1 10.10.10.2
!allow multicast traffic to the hub (R1 public IP 10.10.10.2)
R5(config-if)#ip nhrp map multicast 10.10.10.2

At this point, you should be able to ping between the tunnel interfaces on R1, R3 and R5.

R1#sh dmvpn
Legend: Attrb –> S – Static, D – Dynamic, I – Incomplete
N – NATed, L – Local, X – No Socket
# Ent –> Number of NHRP entries with same NBMA peer
NHS Status: E –> Expecting Replies, R –> Responding, W –> Waiting
UpDn Time –> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

# Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm   Attrb
-----  --------------  ---------------  -----  --------  -----
    1  10.20.10.2      192.168.0.2      UP     01:46:40  D
    1  10.50.10.2      192.168.0.3      UP     01:40:10  D

Peer NBMA: spoke’s public IP address

Peer Tunnel Add: spoke’s local tunnel IP address

State: current tunnel state

UpDn: uptime/downtime

 

 

 

 

A Generic Routing Encapsulation (GRE) tunnel encapsulates data within a packet that is then delivered to the destination. It can carry almost any layer 3 protocol. GRE creates a point-to-point tunnel interface between endpoints, which is in fact a logical interface. With GRE it’s possible to transfer data that couldn’t otherwise be transferred over a public network.

GRE doesn’t provide any security for the data being transferred, but GRE can be carried over an IPsec VPN.

So, what’s the point of GRE tunnels then?

Well, GRE can be used to enable multicast traffic across the links (routing protocols use multicast traffic). We can also leverage GRE tunnels for creating VPN connections.

In this example, we’ll create a GRE tunnel between the R1 and R3 endpoints. We’ll use the GRE tunnel to deploy the OSPF routing protocol so host1 (10.30.10.0 network) can reach the host2 network (10.40.10.0).

 

R1 config:

!
interface FastEthernet0/0
ip address 10.30.10.1 255.255.255.252
!
interface Serial1/0
ip address 10.10.10.2 255.255.255.252
!I used a static route to create the connection between R1 and R3

ip route 0.0.0.0 0.0.0.0 10.10.10.1

 

ISP config:

!
interface Serial1/0
ip address 10.10.10.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/1
ip address 10.20.10.1 255.255.255.0

!static route
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!static route to 10.40.10.0 network
ip route 10.40.10.0 255.255.255.252 10.20.10.2

 

R3 config:

!
interface FastEthernet0/0
ip address 10.40.10.1 255.255.255.252

!
interface Serial1/0
ip address 10.20.10.2 255.255.255.252

!static route
ip route 0.0.0.0 0.0.0.0 10.20.10.1

 

Create GRE tunnel on R1:

R1(config)#interface Tunnel 0
!ip address of R1
R1(config-if)#tunnel source 10.10.10.2
!ip address of R3
R1(config-if)#tunnel destination 10.20.10.2
!ip address of tunnel 0 interface
R1(config-if)#ip address 192.168.0.1 255.255.255.0

 

Create GRE tunnel on R3:

R3(config)#interface Tunnel 0
!ip address of R3
R3(config-if)#tunnel source 10.20.10.2
!ip address of R1
R3(config-if)#tunnel destination 10.10.10.2
!ip address of tunnel 0 interface
R3(config-if)#ip address 192.168.0.2 255.255.255.0

 

Configure a routing protocol on R1 and R3 (I used OSPF):

R1:

R1(config)#router ospf 1
!LAN network on FastEthernet0/0
R1(config-router)#network 10.30.10.0 0.0.0.255 area 0
!Tunnel 0 interface
R1(config-router)#network 192.168.0.0 0.0.0.255 area 0

R3:

R3(config)#router ospf 1
!LAN network on FastEthernet0/0
R3(config-router)#network 10.40.10.0 0.0.0.255 area 0
!Tunnel 0 interface
R3(config-router)#network 192.168.0.0 0.0.0.255 area 0

 

Host1 and host2 are routers that simulate client computers:

Host1 config:

interface FastEthernet0/0
 ip address 10.30.10.2 255.255.255.252
!remove routing capabilities
host1(config)#no ip routing
host1(config)#ip default-gateway 10.30.10.1

 

Host2 config:

interface FastEthernet0/0
 ip address 10.40.10.2 255.255.255.252
!remove routing capabilities
host2(config)#no ip routing
host2(config)#ip default-gateway 10.40.10.1

 

Routing table on R1:

We can see that the OSPF route (O) to the 10.40.10.0 network is advertised via the Tunnel 0 interface.

Ping from R1 to host2:

We can see that the OSPF hello packet was sent using the GRE protocol.

Ping from host1 (10.30.10.2) to host2 (10.40.10.2):

Again, the GRE protocol is used.
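
Neither the plain GRE tunnel above nor the DMVPN mGRE tunnels (with their `tunnel key` and `ip nhrp authentication` settings) encrypt anything, so a configuration review should confirm that each tunnel interface has IPsec applied. The following is an added example, not part of the original posts: a Python check over IOS configuration text. The sample configuration is constructed from the R3 spoke tunnel, Tunnel1 and the profile name DMVPN_PROF are hypothetical, and `tunnel protection ipsec profile` is the IOS interface command that binds an IPsec profile to a tunnel.

```python
# Constructed sample: Tunnel0 follows the R3 spoke tunnel from the post; Tunnel1
# adds a hypothetical IPsec profile name (DMVPN_PROF) for contrast.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip nhrp authentication qwerty
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 1234
!
interface Tunnel1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN_PROF
!
interface Serial1/0
 ip address 10.20.10.2 255.255.255.252
"""


def interface_stanzas(config):
    """Map each interface name to its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split()[1], [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None               # "!" or a global command ends it
    return stanzas


def audit_tunnels(config):
    """Return {tunnel: findings}; an empty list means IPsec is applied."""
    report = {}
    for name, body in interface_stanzas(config).items():
        if not name.lower().startswith("tunnel"):
            continue                     # physical interfaces are out of scope
        present = {kw: any(c.startswith(kw) for c in body) for kw in
                   ("tunnel protection ipsec", "tunnel key", "ip nhrp authentication")}
        findings = []
        if not present["tunnel protection ipsec"]:
            findings.append("no IPsec protection: GRE payload is cleartext")
            if present["tunnel key"]:
                findings.append("tunnel key is an identifier, not encryption")
            if present["ip nhrp authentication"]:
                findings.append("NHRP authentication string is sent unencrypted")
        report[name] = findings
    return report
```

Calling `audit_tunnels(SAMPLE_CONFIG)` reports three findings for Tunnel0 and none for Tunnel1; it can be run on the output of `show running-config` saved to a file.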