Saturday, 11 June 2016

EIGRP unequal cost path load sharing.

Today I will discuss EIGRP unequal cost path load balancing. The following diagram describes the scenario. I have used five routers for the setup. Router R1 has three paths to reach router R5's loopback address. I have changed the interface bandwidth of R1's interfaces F0/1 and F1/0 to 75000 and 50000 (kbit/s). Kindly find the diagram and router configurations below.


R1
R1#sh run
Building configuration...

Current configuration : 1224 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!

no ip domain lookup
!
multilink bundle-name authenticated
!
!
!

archive
 log config
  hidekeys
!
!

ip tcp synwait-time 5
ip ssh version 1
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 ip address 11.11.11.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 bandwidth 75000
 ip address 12.12.12.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet1/0
 bandwidth 50000
 ip address 13.13.13.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 10
 network 5.0.0.0
 network 11.0.0.0
 network 12.0.0.0
 network 13.0.0.0
 auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!

!
control-plane
!

!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
R2
R2#sh run
Building configuration...

Current configuration : 1077 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!

archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
interface FastEthernet0/0
 ip address 11.11.11.2 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet1/0
 ip address 14.14.14.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 10
 network 11.0.0.0
 network 14.0.0.0
 auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!

control-plane
!
!

line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R3
R3#sh run
Building configuration...

Current configuration : 1104 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!

no ip domain lookup
!
multilink bundle-name authenticated
!
!

archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
interface FastEthernet0/0
 ip address 15.15.15.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 bandwidth 75000
 ip address 12.12.12.2 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 10
 network 12.0.0.0
 network 15.0.0.0
 auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!

control-plane
!

line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R4
R4#sh run
Building configuration...

Current configuration : 1105 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!

no ip domain lookup
!
multilink bundle-name authenticated
!
!
!

archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
 ip address 16.16.16.1 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 bandwidth 50000
 ip address 13.13.13.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 10
 network 13.0.0.0
 network 16.0.0.0
 auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!

control-plane
!
!
!

line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
Configure the routers on GNS3 as shown above. Router R1 now has three paths to reach router R5's loopback address.

Let us check the output of the following command.
R1#sh ip eigrp topology
IP-EIGRP Topology Table for AS(10)/ID(5.5.5.5)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 5.0.0.0/8, 1 successors, FD is 128256
        via Summary (128256/0), Null0
P 5.5.5.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
P 6.0.0.0/8, 1 successors, FD is 158720
        via 11.11.11.2 (158720/156160), FastEthernet0/0
        via 13.13.13.2 (184320/156160), FastEthernet1/0
        via 12.12.12.2 (167168/156160), FastEthernet0/1

P 11.0.0.0/8, 1 successors, FD is 28160
        via Summary (28160/0), Null0
P 11.11.11.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 12.0.0.0/8, 1 successors, FD is 36608
        via Summary (36608/0), Null0
P 12.12.12.0/24, 1 successors, FD is 36608
        via Connected, FastEthernet0/1
P 13.0.0.0/8, 1 successors, FD is 53760
        via Summary (53760/0), Null0

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 13.13.13.0/24, 1 successors, FD is 53760
        via Connected, FastEthernet1/0
P 14.0.0.0/8, 1 successors, FD is 30720
        via 11.11.11.2 (30720/28160), FastEthernet0/0
P 15.0.0.0/8, 1 successors, FD is 33280
        via 11.11.11.2 (33280/30720), FastEthernet0/0
        via 13.13.13.2 (58880/30720), FastEthernet1/0
        via 12.12.12.2 (39168/28160), FastEthernet0/1
P 16.0.0.0/8, 1 successors, FD is 33280
        via 11.11.11.2 (33280/30720), FastEthernet0/0
        via 13.13.13.2 (56320/28160), FastEthernet1/0
        via 12.12.12.2 (41728/30720), FastEthernet0/1

For the 6.6.6.0 network (R5's loopback, shown as 6.0.0.0/8 because of auto-summary) the topology table lists three paths, one "via" line per neighbour.

Now run sh ip route 6.6.6.0:
R1#sh ip route 6.6.6.0
Routing entry for 6.0.0.0/8
  Known via "eigrp 10", distance 90, metric 158720, type internal
  Redistributing via eigrp 10
  Last update from 11.11.11.2 on FastEthernet0/0, 00:21:08 ago
  Routing Descriptor Blocks:
  * 11.11.11.2, from 11.11.11.2, 00:21:08 ago, via FastEthernet0/0
      Route metric is 158720, traffic share count is 1
      Total delay is 5200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2

Only one path is installed in the routing table, the one with the lowest metric. By default EIGRP does not perform unequal cost load sharing.

Now see the traceroute below.
R1#traceroute 6.6.6.6

Type escape sequence to abort.
Tracing the route to 6.6.6.6

  1 11.11.11.2 80 msec 72 msec 16 msec
  2 14.14.14.2 60 msec 24 msec 44 msec

So for unequal cost load sharing we have to use the variance command, as below.

R1#sh run | b router
router eigrp 10
 variance 3
 network 5.0.0.0
 network 11.0.0.0
 network 12.0.0.0
 network 13.0.0.0
 auto-summary


Now check the IP route output below.

R1#sh ip route 6.6.6.0
Routing entry for 6.0.0.0/8
  Known via "eigrp 10", distance 90, metric 158720, type internal
  Redistributing via eigrp 10
  Last update from 12.12.12.2 on FastEthernet0/1, 00:01:28 ago
  Routing Descriptor Blocks:
    13.13.13.2, from 13.13.13.2, 00:01:28 ago, via FastEthernet1/0
      Route metric is 184320, traffic share count is 69
      Total delay is 5200 microseconds, minimum bandwidth is 50000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
    12.12.12.2, from 12.12.12.2, 00:01:28 ago, via FastEthernet0/1
      Route metric is 167168, traffic share count is 76
      Total delay is 5200 microseconds, minimum bandwidth is 75187 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2
  * 11.11.11.2, from 11.11.11.2, 00:01:28 ago, via FastEthernet0/0
      Route metric is 158720, traffic share count is 80
      Total delay is 5200 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2


Now you can find three paths in the routing table to reach the 6.6.6.0 network. Variance 3 means that every feasible path whose metric is at most 3 times the lowest metric (the feasible distance) is installed. Now check the traceroute below.

R1#traceroute 6.6.6.6

Type escape sequence to abort.
Tracing the route to 6.6.6.6

  1 13.13.13.2 68 msec
    12.12.12.2 84 msec
    11.11.11.2 40 msec
  2 16.16.16.2 40 msec
    15.15.15.2 28 msec
    14.14.14.2 28 msec


It is awesome. You can try this in your lab.
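As an added example (not part of the original post), the Python below reproduces the three metrics from the "show ip route" output with the classic EIGRP composite formula and default K values, applies the feasibility condition and the variance multiplier to decide which paths get installed, and derives the relative traffic shares. The path data is constructed from the outputs above; the 192.0.2.1 path mentioned afterwards is a made-up one used only to show the feasibility condition rejecting a path.

```python
from math import ceil

# Constructed from the post's "show ip eigrp topology" / "show ip route" output:
# the three candidate paths from R1 to 6.6.6.0/24 as
# (next hop, minimum bandwidth on the path in kbit/s, total delay in microseconds,
#  reported distance advertised by that neighbour).
PATHS = [
    ("11.11.11.2", 100000, 5200, 156160),   # via R2, no bandwidth command on R1 F0/0
    ("12.12.12.2", 75000, 5200, 156160),    # via R3, R1 F0/1 "bandwidth 75000"
    ("13.13.13.2", 50000, 5200, 156160),    # via R4, R1 F1/0 "bandwidth 50000"
]


def eigrp_metric(min_bw_kbps, total_delay_us, k1=1, k3=1):
    """Classic EIGRP composite metric with the default K values (K2=K4=K5=0):
    256 * (K1 * 10^7 / min_bw + K3 * delay / 10), using integer division the way
    IOS does (10^7 // 75000 = 133, which is why the route shows 75187 Kbit)."""
    bw_term = 10_000_000 // min_bw_kbps
    delay_term = total_delay_us // 10
    return 256 * (k1 * bw_term + k3 * delay_term)


def select_paths(paths, variance=1):
    """Return (feasible distance, [(next hop, metric), ...]) for the paths EIGRP
    installs under the given variance. A path qualifies only if it passes the
    feasibility condition (reported distance < FD) and metric <= variance * FD."""
    candidates = [(nh, eigrp_metric(bw, delay), rd) for nh, bw, delay, rd in paths]
    fd = min(metric for _, metric, _ in candidates)
    installed = [(nh, metric) for nh, metric, rd in candidates
                 if rd < fd and metric <= variance * fd]
    return fd, installed


def min_variance(paths):
    """Smallest integer variance that installs every feasible successor."""
    candidates = [(eigrp_metric(bw, delay), rd) for _, bw, delay, rd in paths]
    fd = min(metric for metric, _ in candidates)
    worst_feasible = max(metric for metric, rd in candidates if rd < fd)
    return ceil(worst_feasible / fd)


def traffic_shares(installed):
    """Relative share of traffic per next hop: proportional to 1/metric, normalised
    so the highest-metric path gets 1.0. IOS scales the same proportions to the
    integer 'traffic share count' values shown in show ip route."""
    worst = max(metric for _, metric in installed)
    return {nh: worst / metric for nh, metric in installed}


if __name__ == "__main__":
    for variance in (1, 2, 3):
        fd, installed = select_paths(PATHS, variance)
        print(f"variance {variance}: FD={fd}, installed={installed}")
    print("minimum variance for all three paths:", min_variance(PATHS))
    print("shares:", traffic_shares(select_paths(PATHS, 3)[1]))
```

Running it shows that variance 1 installs only the 11.11.11.2 path, while variance 2 already installs all three (184320/158720 is about 1.16), so variance 3 is more than this topology needs. The shares come out as roughly 1.161 : 1.103 : 1.0, the same proportions as the 80/76/69 traffic share counts above; the exact integer scaling IOS applies is not reproduced here. A constructed fourth path whose reported distance is not below the FD is excluded whatever the variance, which is the feasibility condition at work.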

Thanks
Monday, 25 January 2016

Redistribute static route with tag


Scenario: Redistributing a static route with a tag is useful in many scenarios; the above diagram shows one. There are four routers in the picture. Routers R1, R2 and R3 run EIGRP to advertise their networks, but routers R1 and R4 exchange static routes to advertise theirs (R4 points a default route at R1, and R1 has a static route for R4's 12.12.12.0/24). Router R1 also has three more static routes to other networks. We want to advertise only a single network, 12.12.12.0/24, from R1 to the other two routers (R2 and R3). The following configuration defines the scenario; the redistribution using the tag is done on router R1.

R1

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
ip tcp synwait-time 5
!
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 11.11.11.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 9.9.9.1 255.255.255.252
 shutdown
 duplex auto
 speed auto
!
router eigrp 100
 redistribute static route-map san
 network 5.0.0.0
 network 10.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
ip route 12.12.12.0 255.255.255.0 11.11.11.1 tag 20
ip route 19.19.19.0 255.255.255.0 9.9.9.1
ip route 20.20.20.0 255.255.255.0 9.9.9.1
ip route 21.21.21.0 255.255.255.0 9.9.9.1

!
!
no cdp log mismatch duplex
!
route-map san permit 1
 match tag 20
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R2
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
ip tcp synwait-time 5
!
!
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.10.10.5 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R3
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
ip tcp synwait-time 5
!
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.10.10.6 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 100
 network 6.0.0.0
 network 10.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

R4

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 5
ip ssh version 1
!
interface Loopback0
 ip address 12.12.12.12 255.255.255.0
!
interface FastEthernet0/0
 ip address 11.11.11.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 11.11.11.2
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


The output of show ip route at router R4 is shown below.

Friday, 27 March 2015

IPsec tunnel between two Cisco routers.

I have created a simple IPsec tunnel configuration between two Cisco routers, R1 and R3; router R2 sits between them as the transit router. The loopback addresses 2.2.2.2 and 3.3.3.3 communicate over the IPsec tunnel formed between router R1 and router R3. I have used three routers on GNS3 for the configuration. Find the configuration of the routers below.

R1

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key san address 15.15.15.1
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 15.15.15.1
 set transform-set VPN
 match address traffic
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 14.14.14.1 255.255.255.0
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 14.14.14.2
ip route 15.15.15.0 255.255.255.0 14.14.14.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended traffic
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
ip access-list extended traffuc
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end


R2

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
 ip address 14.14.14.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 15.15.15.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R3

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key san address 14.14.14.1
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 14.14.14.1
 set transform-set VPN
 match address traffic
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 15.15.15.1 255.255.255.0
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 2.2.2.0 255.255.255.0 15.15.15.2
ip route 14.14.14.0 255.255.255.0 15.15.15.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended traffic
 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

Find the test output from both routers.

Test at Router R1.
R1#ping 3.3.3.3 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/102/120 ms
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
15.15.15.1      14.14.14.1      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: test, local addr 14.14.14.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
   current_peer 15.15.15.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
    #pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 14.14.14.1, remote crypto endpt.: 15.15.15.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBFD855E(201164126)

     inbound esp sas:

      spi: 0xCDCC62CF(3452723919)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4566030/727)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0xBFD855E(201164126)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4566037/724)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:


     outbound pcp sas:


Test at Router R3.
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
15.15.15.1      14.14.14.1      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R3#ping 2.2.2.2 source 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/101/108 ms
R3#sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: test, local addr 15.15.15.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 14.14.14.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 115, #pkts encrypt: 115, #pkts digest: 115
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 15.15.15.1, remote crypto endpt.: 14.14.14.1

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xCDCC62CF(3452723919)

     inbound esp sas:

      spi: 0xBFD855E(201164126)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4574294/621)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0xCDCC62CF(3452723919)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4574288/619)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:


     outbound pcp sas:

R3#
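Added example, not from the post: a small Python checker that parses the two "show crypto ipsec sa" outputs above (excerpted here as constructed strings) and confirms that the two ends describe the same tunnel: each router's outbound SPI is the other's inbound SPI, the crypto endpoints and protected networks mirror each other, the transform sets agree, and packets are actually being encapsulated. The regular expressions assume the 12.4-style output format shown on this page. The checker verifies consistency only, not strength; the ISAKMP policy above uses DH group 2 and SHA-1, which Cisco's current guidance lists as legacy choices.

```python
import re

# Constructed excerpts of the two "show crypto ipsec sa" outputs in the post
# (R1 and R3); only the lines the checker reads are kept.
R1_SA = """\
interface: FastEthernet0/0
    Crypto map tag: test, local addr 14.14.14.1
   local  ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
   current_peer 15.15.15.1 port 500
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
    #pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
     local crypto endpt.: 14.14.14.1, remote crypto endpt.: 15.15.15.1
     current outbound spi: 0xBFD855E(201164126)
     inbound esp sas:
      spi: 0xCDCC62CF(3452723919)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0xBFD855E(201164126)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""

R3_SA = """\
interface: FastEthernet0/1
    Crypto map tag: test, local addr 15.15.15.1
   local  ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 14.14.14.1 port 500
    #pkts encaps: 115, #pkts encrypt: 115, #pkts digest: 115
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
     local crypto endpt.: 15.15.15.1, remote crypto endpt.: 14.14.14.1
     current outbound spi: 0xCDCC62CF(3452723919)
     inbound esp sas:
      spi: 0xBFD855E(201164126)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0xCDCC62CF(3452723919)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""

ENDPT_RE = re.compile(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
XFORM_RE = re.compile(r"transform: (.+?) ,")


def _counter(text, name):
    return int(re.search(r"#pkts %s: (\d+)" % name, text).group(1))


def parse_ipsec_sa(text):
    """Pull the fields that must agree between the two peers out of one router's output."""
    local, remote = ENDPT_RE.search(text).groups()
    idents = dict(IDENT_RE.findall(text))
    inbound = text.split("inbound esp sas:")[1].split("outbound esp sas:")[0]
    outbound = text.split("outbound esp sas:")[1]
    return {
        "local": local, "remote": remote,
        "local_ident": idents["local"], "remote_ident": idents["remote"],
        "spi_in": int(SPI_RE.search(inbound).group(1), 16),
        "spi_out": int(SPI_RE.search(outbound).group(1), 16),
        "transforms": set(XFORM_RE.findall(text)),
        "encaps": _counter(text, "encaps"), "decaps": _counter(text, "decaps"),
    }


def check_pair(a, b):
    """Return a list of findings; an empty list means both ends describe the same tunnel."""
    findings = []
    if a["spi_out"] != b["spi_in"] or a["spi_in"] != b["spi_out"]:
        findings.append("SPIs do not mirror each other")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("crypto endpoints do not mirror each other")
    if (a["local_ident"], a["remote_ident"]) != (b["remote_ident"], b["local_ident"]):
        findings.append("protected networks (crypto ACL) do not mirror each other")
    if a["transforms"] != b["transforms"]:
        findings.append("transform sets differ")
    for name, sa in (("first", a), ("second", b)):
        if sa["encaps"] == 0:
            findings.append(f"{name} peer has encapsulated nothing: traffic is not hitting the crypto ACL")
    return findings


if __name__ == "__main__":
    print(check_pair(parse_ipsec_sa(R1_SA), parse_ipsec_sa(R3_SA)) or "both ends agree")
```

With the outputs from the post the checker returns no findings. Altering one SPI in either string makes it report the mismatch, which is the typical symptom when one side has re-keyed and the other still holds a stale SA.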
Monday, 16 July 2012

Here we discuss the use of VLAN access-maps. Suppose your company gives you the task of blocking communication between two hosts in the same VLAN. An IP access-list is definitely not going to help you, because the traffic never passes through the VLAN gateway. A VLAN access-map will do the job for you. In the figure below I have created the scenario.

There are three hosts connected to a 3560 switch. Their IP addresses are 10.10.10.100, 10.10.10.50 and 10.10.10.200. All three hosts are members of VLAN 10, and the VLAN gateway is 10.10.10.1. We need to block the communication between 10.10.10.100 and 10.10.10.200. Find the configuration below. After completing the configuration, try a ping from 10.10.10.100 to 10.10.10.200 and vice versa: you will observe that it is dropped. If you ping 10.10.10.50 you will get a reply. The configuration is simple but the result is very powerful.

vlan access-map deny-IP 20
 action drop
 match ip address 101
vlan access-map deny-IP 30
 action forward

vlan filter deny-IP vlan-list 10

interface FastEthernet0/1
 switchport access vlan 10

interface FastEthernet0/2
 switchport access vlan 10

interface FastEthernet0/8
 switchport access vlan 10

interface Vlan10
 ip address 10.10.10.1 255.255.255.0
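Added example (not from the post): a Python model of how the switch evaluates the access-map above. The post does not show access-list 101, so the ACL here is a hypothetical one with an entry for each direction between 10.10.10.100 and 10.10.10.200; that assumption is what makes the model reproduce the ping results described.

```python
import ipaddress

# Hypothetical content of access-list 101, which the post's configuration refers to
# but does not show: an entry for each direction between the two hosts. In a VACL an
# ACL "permit" means "this packet matches the sequence"; the sequence's action
# (drop) then decides what happens to it.
ACL_101 = [
    ("permit", "10.10.10.100/32", "10.10.10.200/32"),
    ("permit", "10.10.10.200/32", "10.10.10.100/32"),
]

# The access-map from the post: sequence 20 drops whatever ACL 101 matches,
# sequence 30 has no match clause, so it matches everything else and forwards it.
VACL_DENY_IP = [
    (20, "drop", ACL_101),
    (30, "forward", None),
]


def acl_matches(acl, src, dst):
    """First matching entry wins; a 'deny' entry means 'does not match' in VACL
    terms, and the implicit deny at the end of every ACL means 'no match'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def vacl_action(vacl, src, dst):
    """Walk the sequences in order and return the action of the first one that matches.
    A VLAN access-map ends in an implicit deny: a packet matching no sequence is dropped."""
    for _seq, action, acl in vacl:
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"


def simulate(vacl, flows):
    """Evaluate a list of (src, dst) pairs, returning {(src, dst): action}."""
    return {(src, dst): vacl_action(vacl, src, dst) for src, dst in flows}


if __name__ == "__main__":
    flows = [("10.10.10.100", "10.10.10.200"), ("10.10.10.200", "10.10.10.100"),
             ("10.10.10.100", "10.10.10.50"), ("10.10.10.50", "10.10.10.200")]
    for flow, action in simulate(VACL_DENY_IP, flows).items():
        print(flow, "->", action)
```

Two details the model makes visible: without the catch-all sequence 30 the implicit deny would drop every frame in VLAN 10, not just the two hosts; and if ACL 101 lists only one direction, the reverse direction is still forwarded, so the pair is not actually isolated.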

Tuesday, 6 March 2012

Overlapping destination IP addresses between networks

Scenario: Suppose your company buys another company. Now your management wants you to connect the new company's network with the existing company network, and you have a very serious problem: one of your networks overlaps with the new company's network. How to go about it? Find the network diagram below. Suppose SITEA is your company. SITEA is already connected to SITEB. Your new company is SITEC. SITEB and SITEC have an overlapping network, 10.10.10.0/24. I have created NAT on the SITEC router and the problem is resolved. Find the router configurations below. You can simulate the same scenario on GNS3 and check for yourself.


SITEA
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITEA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
interface Loopback0
 ip address 172.29.55.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 3.3.3.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 3.3.3.1
ip route 192.168.1.0 255.255.255.0 2.2.2.1
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
!
end
SITEB

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITEB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 3.3.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 172.29.55.0 255.255.255.0 3.3.3.2
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

SITEC
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SMP
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
interface Loopback0
 no ip address
 ip nat inside
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 172.29.55.0 255.255.255.0 2.2.2.2
!
no ip http server
no ip http secure-server
ip nat inside source static network 10.10.10.0 192.168.1.0 /24
!

access-list 50 permit 10.10.10.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end

R5
!
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.20 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

On the SITEC router, check by executing the following command.

SITEC#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.168.1.1        10.10.10.1         ---                ---
--- 192.168.1.2        10.10.10.2         ---                ---
--- 192.168.1.20       10.10.10.20        ---                ---
--- 192.168.1.0        10.10.10.0         ---                ---
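Added example (not from the post): Python modelling SITEC's static network NAT statement and SITEA's two static routes, to show how the overlap is resolved. The prefix is swapped and the host bits are kept, so SITEC's 10.10.10.20 appears to SITEA as 192.168.1.20, exactly as in the translation table above, and SITEA's routing table sends that address toward SITEC while 10.10.10.x still goes to SITEB. The mapping and the route list are constructed from the configurations shown.

```python
import ipaddress

# From the post: SITEC's "ip nat inside source static network 10.10.10.0 192.168.1.0 /24"
# and SITEA's two static routes, constructed here as data.
INSIDE_LOCAL, INSIDE_GLOBAL = "10.10.10.0/24", "192.168.1.0/24"
SITEA_ROUTES = [("10.10.10.0/24", "3.3.3.1"), ("192.168.1.0/24", "2.2.2.1")]


def static_network_nat(inside_local, inside_global):
    """Translation functions for a static *network* NAT: the prefix is swapped and the
    host bits are carried over unchanged, so 10.10.10.20 becomes 192.168.1.20 and
    every host gets a stable, predictable global address."""
    local, glob = ipaddress.ip_network(inside_local), ipaddress.ip_network(inside_global)
    if local.prefixlen != glob.prefixlen:
        raise ValueError("static network NAT needs equal prefix lengths")
    host_mask = int(local.hostmask)

    def translate(addr, src_net, dst_net):
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return str(a)            # not covered by this mapping: passes untouched
        return str(ipaddress.ip_address(int(dst_net.network_address) | (int(a) & host_mask)))

    return (lambda addr: translate(addr, local, glob),   # inside -> outside (source rewrite)
            lambda addr: translate(addr, glob, local))   # outside -> inside (destination rewrite)


def next_hop(routes, dst):
    """Longest-prefix match over a list of (prefix, next hop) static routes."""
    a = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes if a in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def path_from_sitec(host_in_sitec, routes=SITEA_ROUTES):
    """What SITEA sees for a packet from a SITEC host, and where it routes the reply."""
    to_global, _ = static_network_nat(INSIDE_LOCAL, INSIDE_GLOBAL)
    seen_as = to_global(host_in_sitec)
    return seen_as, next_hop(routes, seen_as)


if __name__ == "__main__":
    to_global, to_local = static_network_nat(INSIDE_LOCAL, INSIDE_GLOBAL)
    print("10.10.10.20 leaves SITEC as", to_global("10.10.10.20"))
    print("reply to 192.168.1.20 is delivered to", to_local("192.168.1.20"))
    print("SITEA forwards 192.168.1.20 via", next_hop(SITEA_ROUTES, "192.168.1.20"),
          "and 10.10.10.1 (SITEB) via", next_hop(SITEA_ROUTES, "10.10.10.1"))
```

This single inside-source translation makes SITEC reachable from SITEA under a non-overlapping prefix. A host in SITEC that addresses 10.10.10.x still reaches its own LAN, so letting SITEC hosts reach SITEB's 10.10.10.0/24 would need a second, destination-side translation, which the post does not cover.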

Cheers
Saturday, 20 August 2011

network: GRE tunnel

Scenario:
There are 3 routers as shown in the picture. Consider that they are in three different locations and managed by three different administrators. Find the configuration of all the routers below. You can see that everything is working fine with static routes: the addresses 10.10.10.1 and 11.11.11.1 on routers R2 and R6 reach each other, and the corresponding static routes have been configured on router R3.
Now consider another network, 192.168.1.1/192.168.1.2, that needs to communicate between router R2 and router R6, and the administrator of router R3 is not available. So what will the administrators of routers R2 and R6 do?
They can do this with a GRE tunnel. The tunnel is formed between routers R2 and R6, and any destination can then be passed directly through the tunnel.
Find all the router configurations below with the diagram and do the lab yourself.

R2
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
 ip address 10.100.100.1 255.255.255.0
 tunnel source 10.10.10.1
 tunnel destination 11.11.11.1
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 3.3.3.2 255.255.255.255 2.2.2.2
ip route 11.11.11.1 255.255.255.255 2.2.2.2
ip route 192.168.1.2 255.255.255.255 10.100.100.2

R3
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 3.3.3.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 10.10.10.1 255.255.255.255 2.2.2.1
ip route 11.11.11.1 255.255.255.255 3.3.3.2

R6
interface Loopback1
 ip address 11.11.11.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.1.2 255.255.255.0
!
interface Tunnel1
 ip address 10.100.100.2 255.255.255.0
 tunnel source 11.11.11.1
 tunnel destination 10.10.10.1
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 3.3.3.2 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 2.2.2.1 255.255.255.255 3.3.3.1
ip route 10.10.10.1 255.255.255.255 3.3.3.1
ip route 192.168.1.1 255.255.255.255 10.100.100.1
!
R6#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 276/323/352 ms
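Added example (not from the post): Python that builds the packet R2's Tunnel1 would put on the wire for a ping from 192.168.1.1 to 192.168.1.2, then decapsulates it as R6 would. The ICMP payload is constructed. It shows why R3 needs no change: the outer header carries 10.10.10.1 -> 11.11.11.1 with protocol 47, which R3 already has static routes for, and the 192.168.1.x addresses only become visible after decapsulation. Two practical points follow from the configuration above: the route to the tunnel destination (11.11.11.1 via 2.2.2.2 on R2) must never itself point into the tunnel, or the interface goes down with a recursive routing error; and GRE adds no confidentiality or integrity protection, which is what the IPsec post earlier on this page provides.

```python
import socket
import struct

GRE_PROTO_IPV4 = 0x0800   # EtherType carried in the GRE protocol field
IPPROTO_GRE = 47


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a good header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Decode the outer fields a transit router looks at; rejects a bad header checksum."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "payload": pkt[ihl:total]}


def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    """What 'interface Tunnel1' does on R2: wrap the inner IPv4 packet in a 4-byte GRE
    header (no checksum/key/sequence options) and an outer IPv4 header addressed
    from the tunnel source to the tunnel destination."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(pkt):
    """The receiving tunnel endpoint: strip outer IP and GRE, hand back the inner packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, proto = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:      # C, K or S bit set: optional fields follow, not handled here
        raise ValueError("GRE optional fields not supported by this example")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return outer["payload"][4:]


def build_tunnelled_ping():
    """Constructed sample: an ICMP echo request 192.168.1.1 -> 192.168.1.2 as R2 sends it
    through the tunnel from the post (source 10.10.10.1, destination 11.11.11.1)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\xab" * 8   # echo request, id 1, seq 1
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    inner = ipv4_header("192.168.1.1", "192.168.1.2", 1, len(icmp)) + icmp
    return gre_encapsulate("10.10.10.1", "11.11.11.1", inner)


if __name__ == "__main__":
    pkt = build_tunnelled_ping()
    outer = parse_ipv4(pkt)
    print("R3 routes on:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    inner = parse_ipv4(gre_decapsulate(pkt))
    print("R6 delivers:", inner["src"], "->", inner["dst"], "proto", inner["proto"])
```

The 24 bytes of overhead (20 outer IP + 4 GRE) are also why a tunnel interface's MTU is lower than the physical link's; the example keeps the payload small enough that this does not matter.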