Archive

Archive for March, 2013

IPv6 operation and best practices – documents to read

March 22, 2013 3 comments

Unfortunately I don’t get to do much v6 at my job yet but I still like to stay updated on
what is happening. Do you run any v6 in your network? If so, do you run it native or tunneled
or something like 6PE?

Here are some interesting sources for operation of v6.

draft-matthews-v6ops-design-guidelines-01

This document discusses if IPv4 and IPv6 traffic
should be mixed on the same interface or should different interfaces be used? Should
link local or global addressing be used for routing? Should v6 routes be transferred
over v4 in BGP sessions?

draft-ietf-v6ops-enterprise-incremental-ipv6-01

This document is for deploying v6 in an enterprise network. Things like security policy,
addressing plan and IPv6 myths are brought up.

draft-ietf-opsec-lla-only-01

This document is purely about the advantages and disadvantages of only running link local
addresses.

Also, don’t miss out on information that is freely available at Cisco Live. Here are
some interesting sessions on IPv6 from Melbourne.

BRKRST-2301 – Enterprise IPv6 Deployment (2013 Melbourne)
BRKRST-1069 – Understanding IPv6 (2013 Melbourne)
ITMGEN-1313 – Preparing for IPv6 in the Enterprise (2013 Melbourne)
BRKRST-2311 – IPv6 Planning, Deployment and Troubleshooting (2013 Melbourne)
BRKSEC-2003 – IPv6 Security Threats and Mitigations (2013 Melbourne)
COCRST-2464 – Inside Cisco IT: Making The Leap To IPv6 (2013 Melbourne)

As you can see. IPv6 is a pretty big deal these days at Cisco Live. Then you also have
books, configuration guides etc but this should give you a good start to see what challenges
and considerations you should have when deploying IPv6.

Advertisements
Categories: IPv6 Tags: , , ,

EIGRP named configuration

March 15, 2013 6 comments

You might think that EIGRP being around for so long is not getting any attention from
Cisco, not true. EIGRP is still being developed and in later releases you can run what
is called named configuration. Doing this you can put all EIGRP config under one named
instance, even v6 which is different from the old syntax. If you are on Twitter you should
follow Donnie Savage @diivious. He works for Cisco and is usually present at Cisco Live
presenting on the development of EIGRP.

We start out with the following topology.

EIGRP_named_1

So we start out by defining our instance and calling it corp

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router eigrp corp

From there we have the following options:

R2(config-router)#?
Router configuration commands:
  address-family  Enter Address Family command mode
  default         Set a command to its defaults
  exit            Exit from routing protocol configuration mode
  no              Negate a command or set its defaults
  service-family  Enter Service Family command mode
  shutdown        Shutdown this instance of EIGRP

From here we can shutdown the process or configure different address families.
We start by setting up IPv4 in the global table.

R2(config-router)#address-family ipv4 autonomous-system 12
R2(config-router-af)#?
Address Family configuration commands:
  af-interface         Enter Address Family interface configuration
  default              Set a command to its defaults
  eigrp                EIGRP Address Family specific commands
  exit-address-family  Exit Address Family configuration mode
  help                 Description of the interactive help system
  maximum-prefix       Maximum number of prefixes acceptable in aggregate
  metric               Modify metrics and parameters for address advertisement
  neighbor             Specify an IPv4 neighbor router
  network              Enable routing on an IP network
  no                   Negate a command or set its defaults
  shutdown             Shutdown address family
  timers               Adjust peering based timers
  topology             Topology configuration mode
R2(config-router-af)#network 12.12.12.0 255.255.255.0

From here we define networks, setup static neighbors and configure EIGRP parameters.

We will use regular syntax on R2 for setting up EIGRP.

R2(config-if)#router eigrp 12
R2(config-router)#no auto
R2(config-router)#net 12.12.12.0 0.0.0.255

The session comes up.

%DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.2 (FastEthernet1/0) is up: new adjacency

R2 is announcing it’s loopback. Lets see if we receive that.

R1#sh ip route eigrp | be Gateway
Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/2662400] via 12.12.12.2, 00:00:23, FastEthernet1/0

What more can we configure under the address-family?

R1(config-router-af)#af-interface f1/0
R1(config-router-af-interface)#?
Address Family Interfaces configuration commands:
  authentication      authentication subcommands
  bandwidth-percent   Set percentage of bandwidth percentage limit
  bfd                 Enable Bidirectional Forwarding Detection
  dampening-change    Percent interface metric must change to cause update
  dampening-interval  Time in seconds to check interface metrics
  default             Set a command to its defaults
  exit-af-interface   Exit from Address Family Interface configuration mode
  hello-interval      Configures hello interval
  hold-time           Configures hold time
  next-hop-self       Configures EIGRP next-hop-self
  no                  Negate a command or set its defaults
  passive-interface   Suppress address updates on an interface
  shutdown            Disable Address-Family on interface
  split-horizon       Perform split horizon
  summary-address     Perform address summarization

We configure all EIGRP interface commands under the af-interface. We can setup
authentication of the peering.

R1(config-router-af)#af-interface f1/0
R1(config-router-af-interface)#authentication mode ?
  hmac-sha-256  HMAC-SHA-256 Authentication
  md5           Keyed message digest
R1(config-router-af-interface)#authentication mode md5
R1(config-router-af-interface)#authentication key-chain EIGRP
%DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.2 (FastEthernet1/0) is down: authentication mode changed
%DUAL-5-NBRCHANGE: EIGRP-IPv4 12: Neighbor 12.12.12.2 (FastEthernet1/0) is up: new adjacency

What’s new here is that sha-256 is now also supported. From this af-interface mode
we can configure timers and BFD as well.

Now we will configure IPv4 in a VRF called 13.

R1(config)#vrf definition 13
R1(config-vrf)#rd 13:13
R1(config-vrf)#int f1/1
R1(config-if)#no sh
R1(config-if)#vrf forwarding 13
R1(config-if)#ip add 13.13.13.1 255.255.255.0
R1(config-router)#address-family ipv4 vrf 13 autonomous-system 13
R1(config-router-af)#net 13.13.13.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 13: Neighbor 13.13.13.3 (FastEthernet1/1) is up: new adjacency

Do we receive any prefixes?

R1#sh ip route vrf 13 | be Gate
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/2662400] via 13.13.13.3, 00:00:31, FastEthernet1/1
      13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        13.13.13.0/24 is directly connected, FastEthernet1/1
L        13.13.13.1/32 is directly connected, FastEthernet1/1

Which we do. Nothing strange here, just a new syntax for defining VRFs compared
to the old ip vrf syntax.

Finally we will configure IPv6 peering as well. Because EIGRP sends packets from
link local address we don’t even need to configure a global IPv6 address.

R1(config-router)#int f2/0
R1(config-if)#ipv6 enable
R1(config-if)#no sh
R1(config-if)#router eigrp corp
R1(config-router)#address-family ipv6 autonomous-system 14
R1(config-router-af)#af-interface default
R1(config-router-af-interface)#no shut

Only difference here is that instead of defining network we use the interface command
instead to enable it on all active IPv6 interfaces.

R1#sh ipv6 route eigrp
IPv6 Routing Table - default - 2 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
D   2001::/64 [90/2662400]
     via FE80::C803:82FF:FE80:1C, FastEthernet2/0

And that’s about it. Named configuration is made to unify configuration under
one instance and remove the commands that we used to type under the interface
like authentication and such. It’s now all done under the address-family.
In future posts I will look at Multi Topology Routing (MTR).

Tiebreakers with routes from different OSPF processes

March 15, 2013 17 comments

This post is inspired by a discussion at Twitter with Ivan Pepelnjak and
Nicolas Michel. Nicolas asked what happens when there is the same route from two
different OSPF processes. Which one will be selected? Ivan explained how
to use the distance command. First before I show how it works and why we
need to get some few basic concepts explained.

LSDB – Link State Database – All OSPF LSAs populate the LSDB
RIB – Routing Information Base – The best routes from every protocol
compete to get installed to the RIB
FIB – Forwarding Information Base – Routes are copied from the RIB
and used for forwarding (CEF)
CEF – Cisco Express Forwarding – The algorithm that Cisco uses for
the forwarding (FIB)

If we have for example OSPF, this is how a route gets selected to the RIB(global).
The routers exchange LSAs with each other. Within an area every router has the same
view of the network. These LSAs populate the LSDB. If there are multiple paths to
a destination they will compete with each other unless they are of same type and equal
cost. Intra area is preferred first, then inter and finally external routes. There is no
way of modifying this behaviour. The best route then goes to the OSPF RIB, could be several
if they are equal. From there this route will compete with other routing protocols and the
AD will decide which one is installed. If the OSPF one is best then that one goes to the global
RIB. Then finally the RIB populates FIB with this information and forwarding can ensue.

This is a picture I made that describes the process.

Route_selection

We start out with a very basic topology looking like this.

Multiple_OSPF_1

R1 and R3 will announce the same network 1.1.1.1/32. R2 will use two different OSPF processes.
We start out with the basic configuration:

R1

R1(config)#int f1/0
R1(config-if)#ip add 12.12.12.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#ip ospf 1 area 0
R1(config-if)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#ip ospf 1 area 0

R2

R2(config)#int f1/0
R2(config-if)#ip add 12.12.12.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip ospf 1 area 0
R2(config-if)#int f1/1
R2(config-if)#ip add 23.23.23.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#ip ospf 3 area 0
%OSPF-5-ADJCHG: Process 1, Nbr 12.12.12.1 on FastEthernet1/0 from LOADING to FULL, Loading Done

We see the session coming up immediately. Now lets bring up R3 as well.

R3

R3(config)#int f1/0
R3(config-if)#ip add 23.23.23.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ip ospf 3 area 0
R3(config-if)#int lo0
R3(config-if)#ip add 1.1.1.1 255.255.255.255
R3(config-if)#ip ospf 3 area 0
%OSPF-5-ADJCHG: Process 3, Nbr 23.23.23.2 on FastEthernet1/0 from LOADING to FULL, Loading Done

Both OSPF peerings are up. Now lets follow the steps that was shown in
the picture above starting by looking at the database.

R2#sh ip ospf data router 12.12.12.1

            OSPF Router with ID (23.23.23.2) (Process ID 3)

            OSPF Router with ID (12.12.12.2) (Process ID 1)

                Router Link States (Area 0)

  LS age: 184
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 12.12.12.1
  Advertising Router: 12.12.12.1
  LS Seq Number: 80000003
  Checksum: 0xF78
  Length: 48
  Number of Links: 2

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 1.1.1.1
     (Link Data) Network Mask: 255.255.255.255
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 12.12.12.1
     (Link Data) Router Interface address: 12.12.12.1
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

We see that R1 is announcing 1.1.1.1/32 and we have a metric of 2 to it.
Do we see R3 announcing that as well?

R2#sh ip ospf data router 23.23.23.3

            OSPF Router with ID (23.23.23.2) (Process ID 3)

                Router Link States (Area 0)

  LS age: 148
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 23.23.23.3
  Advertising Router: 23.23.23.3
  LS Seq Number: 80000003
  Checksum: 0x54A7
  Length: 48
  Number of Links: 2

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 1.1.1.1
     (Link Data) Network Mask: 255.255.255.255
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 23.23.23.2
     (Link Data) Router Interface address: 23.23.23.3
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

Yes, it’s there. Now we take a look at the OSPF RIB. Which ones do we see there?

R2#sh ip ospf rib

            OSPF Router with ID (23.23.23.2) (Process ID 3)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*   1.1.1.1/32, Intra, cost 2, area 0
      via 23.23.23.3, FastEthernet1/1
*   23.23.23.0/24, Intra, cost 1, area 0, Connected
      via 23.23.23.2, FastEthernet1/1

            OSPF Router with ID (12.12.12.2) (Process ID 1)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*>  1.1.1.1/32, Intra, cost 2, area 0
      via 12.12.12.1, FastEthernet1/0
*   12.12.12.0/24, Intra, cost 1, area 0, Connected
      via 12.12.12.2, FastEthernet1/0

The greater than sign indicates that the one from OSPF process 1 was selected.
Why? When running multiple OSPF processes the one that first installs to the
RIB will be selected to the global RIB. Now we confirm by looking in the
global RIB.

R2# show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 12.12.12.1, 00:06:35, FastEthernet1/0

Yes, that looks correct. Final step is to verify that FIB is also updated.

R2#sh ip cef 1.1.1.1/32
1.1.1.1/32
  nexthop 12.12.12.1 FastEthernet1/0

So the one that first writes to the global RIB wins. Now lets bring down the
process that is currently winning.

R2(config)#int f1/0
R2(config-if)#sh
R2(config-if)#

The OSPF RIB and global RIB should now be updated.

R2#show ip ospf rib

            OSPF Router with ID (23.23.23.2) (Process ID 3)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*>  1.1.1.1/32, Intra, cost 2, area 0
      via 23.23.23.3, FastEthernet1/1
*   23.23.23.0/24, Intra, cost 1, area 0, Connected
      via 23.23.23.2, FastEthernet1/1

            OSPF Router with ID (12.12.12.2) (Process ID 1)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB
R2#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 23.23.23.3, 00:00:42, FastEthernet1/1

Now if we bring back OSPF process 1, what will happen? Process 3 should still be
winning since it installed to global RIB first.

R2(config)#int f1/0
R2(config-if)#no sh
R2#sh ip ospf rib

            OSPF Router with ID (2.2.2.2) (Process ID 11)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB


            OSPF Router with ID (23.23.23.2) (Process ID 3)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*   1.1.1.1/32, Intra, cost 2, area 0
      via 23.23.23.3, FastEthernet1/1
*   23.23.23.0/24, Intra, cost 1, area 0, Connected
      via 23.23.23.2, FastEthernet1/1

            OSPF Router with ID (12.12.12.2) (Process ID 1)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*>  1.1.1.1/32, Intra, cost 2, area 0
      via 12.12.12.1, FastEthernet1/0
*   12.12.12.0/24, Intra, cost 1, area 0, Connected
      via 12.12.12.2, FastEthernet1/0

Now process 1 is winning, which is odd. Lets debug ip routing to see what is
really happening. We shutdown interface in process 1.

*Mar 14 23:26:36.555: RT: del 1.1.1.1 via 12.12.12.1, ospf metric [110/2]
*Mar 14 23:26:36.559: RT: delete subnet route to 1.1.1.1/32
*Mar 14 23:26:36.579: RT: updating ospf 1.1.1.1/32 (0x0):
    via 23.23.23.3 Fa1/1
*Mar 14 23:26:36.583: RT: add 1.1.1.1/32 via 23.23.23.3, ospf metric [110/2]

Now we bring back process 1.

*Mar 14 23:29:04.163: RT: updating ospf 1.1.1.1/32 (0x0):
    via 12.12.12.1 Fa1/0
*Mar 14 23:29:04.171: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:29:04.175: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [110/2]

We can see that IOS is claiming that distance is lower which it is clearly not.
What happens if we change process 1 to process 11 and we shutdown the interface
in process 3?

R2(config)#int f1/1
R2(config-if)#sh
R2(config-if)#int f1/0
R2(config-if)#ip ospf 11 area 0

Now we look at the output from the debug.

*Mar 14 23:33:27.615: RT: updating ospf 1.1.1.1/32 (0x0):
    via 12.12.12.1 Fa1/0

*Mar 14 23:33:27.619: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [110/2]
*Mar 14 23:33:39.927: RT: updating connected 23.23.23.0/24 (0x0):
    via 0.0.0.0 Fa1/1
*Mar 14 23:33:39.931: RT: add 23.23.23.0/24 via 0.0.0.0, connected metric [0/0]
*Mar 14 23:33:39.939: RT: interface FastEthernet1/1 added to routing table
*Mar 14 23:33:39.947: RT: updating connected 23.23.23.2/32 (0x0):
    via 0.0.0.0 Fa1/1
*Mar 14 23:33:39.951: RT: network 23.0.0.0 is now variably masked
*Mar 14 23:33:39.951: RT: add 23.23.23.2/32 via 0.0.0.0, connected metric [0/0]
*Mar 14 23:33:55.447: RT: updating ospf 1.1.1.1/32 (0x0):
    via 23.23.23.3 Fa1/1
*Mar 14 23:33:55.455: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:33:55.455: RT: add 1.1.1.1/32 via 23.23.23.3, ospf metric [110/2]

We can see that first process 11 is the only option available so the 1.1.1.1/32
route is installed via f1/0. Then f1/1 comes back up and now 1.1.1.1/32 is reachable
via f1/1 and is chosen because of “closer admin distance” which is not true. This must
mean that the OSPF process number is the tie breaker.

We take a look at the OSPF RIB and global RIB to verify once more.

R2#sh ip ospf rib

            OSPF Router with ID (22.22.22.22) (Process ID 11)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*   1.1.1.1/32, Intra, cost 2, area 0
      via 12.12.12.1, FastEthernet1/0
*   12.12.12.0/24, Intra, cost 1, area 0, Connected
      via 12.12.12.2, FastEthernet1/0

            OSPF Router with ID (23.23.23.2) (Process ID 3)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*>  1.1.1.1/32, Intra, cost 2, area 0
      via 23.23.23.3, FastEthernet1/1
*   23.23.23.0/24, Intra, cost 1, area 0, Connected
      via 23.23.23.2, FastEthernet1/1

            OSPF Router with ID (12.12.12.2) (Process ID 1)


                Base Topology (MTID 0)

OSPF local RIB
Codes: * - Best, > - Installed in global RIB

R2#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 23.23.23.3, 00:09:02, FastEthernet1/1

What if we change the AD of process 11?

R2(config)#router ospf 11
R2(config-router)#distance ospf intra-area 100
*Mar 14 23:43:31.315: RT: updating ospf 1.1.1.1/32 (0x0):
    via 12.12.12.1 Fa1/0

*Mar 14 23:43:31.319: RT: closer admin distance for 1.1.1.1, flushing 1 routes
*Mar 14 23:43:31.323: RT: add 1.1.1.1/32 via 12.12.12.1, ospf metric [100/2]

That makes process 11 win again. So these tests seems to indicate that if everything
is the same then the tiebreaker is the lowest process number. For EIGRP it is the
lowest AS number so maybe Cisco chose to make it comparable.
Also take a look at what Ivan is saying at IOS hints

Categories: OSPF, Routing Tags: , , , ,

Some interesting RFCs

March 13, 2013 2 comments

To stay updated what’s happening in the network industry it doesn’t hurt to
read some RFCs and IETF drafts. Here are two I recommend that you read.

A comparison of IPv6 tunneling mechanisms- draft-steffann-tunnels-00

It describes different ways of tunneling v6. Could be very useful for a
CCIE candidate as well if you want to experiment with deploying v6 and can’t
dual stack yet.

Evolution of the IP Model

This one describes how IP has evolved and some of the “networking truths” that
may not be true.

I recommend you read both of them.

Categories: Other Tags: , ,