Wednesday, December 30, 2015

BGP task #3. Best path selection

Topology:



Use configuration from BGP task #2 as initial configuration for this task.

Requirements: 

*You may need to remove or alter parts of configuration from the previous task. 

1. Routers in AS12 should send traffic towards AS8 using link R3-R7 as the primary option, R3-R6 as the secondary option and R1-R5 as last resort. 
2. AS67 should be able to signal to AS12 the preferred entry point (R7 or R6) for network 67.0/16. Use an optional non-transitive path attribute to complete this task. 
3. AS67 and AS5 are the service providers for AS12. AS67 and AS5 should not use AS12 to reach any networks, except networks owned by AS12. 
4. AS5, AS8 and AS67 shall use link R3-R7 to reach AS12 as the primary option. If this link is unavailable, use link R3-R6. Use link R1-R5 as last resort. Use a well-known mandatory path attribute to complete this requirement. 

Solution:

Highlight the text below to reveal the solution.

This task requires an understanding of best-path selection using the AS-PATH, Local-Preference and MED attributes. It also requires an understanding of well-known communities.

Requirement #1 - change the inbound policy on R3 and R1 from the previous task so that local-preference is set only for prefix 8.0/16. 
Requirement #2 - routers R6 and R7 should set the MED attribute when advertising prefix 67.0/16 to AS12. The lower MED value is preferred. 
Requirement #3 - to prevent the "client" autonomous system from being used as transit, the service providers should set the well-known "no-export" community on prefixes advertised to the client. 
Requirement #4 - configure an outbound policy on R1 and R3 that prepends the AS path on prefixes advertised to AS5 and AS67. 
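The following Python model is added here as a worked illustration and is not part of the original lab or its configurations. It replays the outbound policies above in code: the NO_TRANSIT route-map on R6/R7 (MED on AS67's own prefix, NO_EXPORT on everything sent to AS12), the prepends on R1 and R3, and the rule that a route carrying NO_EXPORT is never passed on to an eBGP peer. The content of prefix-list AS67 and the minimal update model are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

NO_EXPORT = "no-export"          # well-known community 0xFFFFFF01
AS67_PREFIXES = {"67.0.0.0/16"}  # stands in for 'ip prefix-list AS67' (assumed content)


@dataclass
class Route:
    prefix: str
    as_path: List[int]            # leftmost AS is the most recently traversed
    med: Optional[int] = None
    communities: Set[str] = field(default_factory=set)

    def copy(self) -> "Route":
        return Route(self.prefix, list(self.as_path), self.med, set(self.communities))


def advertise_ebgp(route: Route, local_as: int,
                   policy: Optional[Callable[[Route], None]] = None) -> Optional[Route]:
    """One eBGP advertisement. A route carrying NO_EXPORT is never sent to an
    eBGP peer, so the AS that received it cannot become transit for it.
    Otherwise the outbound route-map runs and the speaker prepends its own AS once."""
    if NO_EXPORT in route.communities:
        return None
    out = route.copy()
    if policy is not None:
        policy(out)
    out.as_path.insert(0, local_as)
    return out


def no_transit(med_for_own_prefix: int) -> Callable[[Route], None]:
    """route-map NO_TRANSIT on R6/R7: seq 10 sets MED and NO_EXPORT on AS67's
    own prefix, seq 100 sets NO_EXPORT on everything else."""
    def policy(r: Route) -> None:
        if r.prefix in AS67_PREFIXES:
            r.med = med_for_own_prefix
        r.communities.add(NO_EXPORT)
    return policy


def prepend(asn: int, count: int) -> Callable[[Route], None]:
    """route-map LAST on R1 / route-policy SECONDARY_OUT on R3: AS-path prepend."""
    def policy(r: Route) -> None:
        r.as_path[0:0] = [asn] * count
    return policy


def simulate() -> dict:
    own67 = Route("67.0.0.0/16", [])
    as8 = Route("8.0.0.0/16", [8])     # as learned by AS67 from R8
    # AS67 -> AS12: R7 is the preferred entry (lower MED), R6 the backup.
    via_r7 = {r.prefix: advertise_ebgp(r, 67, no_transit(1000)) for r in (own67, as8)}
    via_r6 = {r.prefix: advertise_ebgp(r, 67, no_transit(10000)) for r in (own67, as8)}
    # AS12 -> its providers: plain on the primary link, prepended on the others.
    own12 = Route("12.0.0.0/16", [])
    to_r7 = advertise_ebgp(own12, 12)                  # route-policy BGP_ALL
    to_r6 = advertise_ebgp(own12, 12, prepend(12, 3))  # route-policy SECONDARY_OUT
    to_r5 = advertise_ebgp(own12, 12, prepend(12, 5))  # route-map LAST
    # Would AS12 hand AS8's prefix, learned from AS67, on to AS5? NO_EXPORT says no.
    transit_for_as8 = advertise_ebgp(via_r7["8.0.0.0/16"], 12, prepend(12, 5))
    return {
        "med_via_r7": via_r7["67.0.0.0/16"].med,
        "med_via_r6": via_r6["67.0.0.0/16"].med,
        "as8_path_via_r7": via_r7["8.0.0.0/16"].as_path,
        "as8_med_via_r7": via_r7["8.0.0.0/16"].med,
        "path_seen_by_r7": to_r7.as_path,
        "path_seen_by_r6": to_r6.as_path,
        "path_seen_by_r5": to_r5.as_path,
        "as12_transit_for_as8": transit_for_as8,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The AS paths it produces match the verification tables below: six 12s on R5, four on R6 and a single 12 on R7; the attempt to pass AS8's prefix on to AS5 yields nothing, which is why R5's table learns 8.0/16 only directly from R8.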

R1:

!
route-map LAST permit 100
 set as-path prepend 12 12 12 12 12
!
router bgp 12
 bgp log-neighbor-changes
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12
 neighbor IBGP update-source Loopback0
 neighbor IBGP send-community
 neighbor 5.0.15.5 remote-as 5
 neighbor 5.0.15.5 route-map LAST out
 neighbor 12.0.2.2 peer-group IBGP
 neighbor 12.0.3.3 peer-group IBGP
 neighbor 12.0.4.4 peer-group IBGP
!

R2:

!
router bgp 12
 bgp log-neighbor-changes
 network 12.0.0.0 mask 255.255.0.0
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12
 neighbor IBGP update-source Loopback0
 neighbor IBGP send-community
 neighbor 12.0.1.1 peer-group IBGP
 neighbor 12.0.3.3 peer-group IBGP
 neighbor 12.0.4.4 peer-group IBGP
!

R3:

!
route-policy BGP_ALL
  pass
end-policy
!
route-policy PRIMARY_IN
  if destination in AS8 then
    set local-preference 300
  else
    pass
  endif
end-policy
!
route-policy SECONDARY_IN
  if destination in AS8 then
    set local-preference 200
  else
    pass
  endif
end-policy
!
route-policy SECONDARY_OUT
  prepend as-path 12 3
end-policy
!
router bgp 12
 address-family ipv4 unicast
 !
 neighbor-group IBGP
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 12.0.1.1
  use neighbor-group IBGP
 !
 neighbor 12.0.2.2
  use neighbor-group IBGP
 !
 neighbor 12.0.4.4
  use neighbor-group IBGP
 !
 neighbor 67.0.36.6
  remote-as 67
  address-family ipv4 unicast
   route-policy SECONDARY_IN in
   route-policy SECONDARY_OUT out
  !
 !
 neighbor 67.0.37.7
  remote-as 67
  address-family ipv4 unicast
   route-policy PRIMARY_IN in
   route-policy BGP_ALL out
  !
 !
!

R6:

!
route-map NO_TRANSIT permit 10
 match ip address prefix-list AS67
 set metric 10000
 set community no-export
route-map NO_TRANSIT permit 100
 set community no-export
!
router bgp 67
 bgp log-neighbor-changes
 network 67.0.0.0 mask 255.255.0.0
 neighbor 8.0.68.8 remote-as 8
 neighbor 67.0.36.3 remote-as 12
 neighbor 67.0.36.3 send-community
 neighbor 67.0.36.3 route-map NO_TRANSIT out
 neighbor 67.0.67.7 remote-as 67
!

R7:

!
route-map NO_TRANSIT permit 10
 match ip address prefix-list AS67
 set metric 1000
 set community no-export
route-map NO_TRANSIT permit 100
 set community no-export
!
router bgp 67
 bgp log-neighbor-changes
 network 67.0.0.0 mask 255.255.0.0
 neighbor 8.0.78.8 remote-as 8
 neighbor 67.0.37.3 remote-as 12
 neighbor 67.0.37.3 send-community
 neighbor 67.0.37.3 route-map NO_TRANSIT out
 neighbor 67.0.67.6 remote-as 67
!

Verification:

RP/0/0/CPU0:R3#show bgp
Mon Dec 21 12:46:08.600 UTC
BGP router identifier 12.0.3.3, local AS number 12
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0xe0000000   RD version: 46
BGP main routing table version 46
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*>i5.0.0.0/16         5.0.15.5                 0    100      0 5 i
*                     67.0.36.6                              0 67 8 5 i
*                     67.0.37.7                              0 67 8 5 i
*  8.0.0.0/16         67.0.36.6                     200      0 67 8 ?
*>                    67.0.37.7                     300      0 67 8 ?
*>i12.0.0.0/16        12.0.2.2                 0    100      0 i
* i                   12.0.4.4                 0    100      0 i
*  67.0.0.0/16        67.0.36.6            10000             0 67 i
*>                    67.0.37.7             1000             0 67 i


R1#show bgp
BGP table version is 25, local router ID is 12.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.0.0.0/16       5.0.15.5                 0             0 5 i
 *>i 8.0.0.0/16       67.0.37.7                     300      0 67 8 ?
 *                    5.0.15.5                               0 5 8 ?
 *>i 12.0.0.0/16      12.0.2.2                 0    100      0 i
 * i                  12.0.4.4                 0    100      0 i
 *>i 67.0.0.0/16      67.0.37.7             1000    100      0 67 i
 *                    5.0.15.5                               0 5 8 67 i


R5#show bgp
BGP table version is 7, local router ID is 5.0.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.0.0.0/16       0.0.0.0                  0         32768 i
 *>  8.0.0.0/16       8.0.58.8                 0             0 8 ?
 *   12.0.0.0/16      5.0.15.1                               0 12 12 12 12 12 12 i
 *>                   8.0.58.8                               0 8 67 12 i
 *>  67.0.0.0/16      8.0.58.8                               0 8 67 i


R6#show bgp
BGP table version is 5, local router ID is 67.0.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 5.0.0.0/16       8.0.78.8                 0    100      0 8 5 i
 *>                   8.0.68.8                               0 8 5 i
 * i 8.0.0.0/16       8.0.78.8                 0    100      0 8 ?
 *>                   8.0.68.8                 0             0 8 ?
 *   12.0.0.0/16      67.0.36.3                              0 12 12 12 12 i
 *>i                  67.0.37.3                0    100      0 12 i
 *>  67.0.0.0/16      0.0.0.0                  0         32768 i
 * i                  67.0.67.7                0    100      0 i

R7#show bgp
BGP table version is 10, local router ID is 67.0.7.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 * i 5.0.0.0/16       8.0.68.8                 0    100      0 8 5 i
 *>                   8.0.78.8                               0 8 5 i
 * i 8.0.0.0/16       8.0.68.8                 0    100      0 8 ?
 *>                   8.0.78.8                 0             0 8 ?
 *>  12.0.0.0/16      67.0.37.3                              0 12 i
 * i 67.0.0.0/16      67.0.67.6                0    100      0 i
 *>                   0.0.0.0                  0         32768 i

R8# show bgp
BGP table version is 7, local router ID is 8.0.8.8
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.0.0.0/16       8.0.58.5                 0             0 5 i
 *>  8.0.0.0/16       0.0.0.0                  0         32768 ?
 *   12.0.0.0/16      8.0.68.6                               0 67 12 i
 *>                   8.0.78.7                               0 67 12 i
 *   67.0.0.0/16      8.0.68.6                 0             0 67 i
 *>                   8.0.78.7                 0             0 67 i

Monday, December 28, 2015

BGP task #2. Security, Tuning, Best-path selection

Topology:



Use configuration from BGP task #1 as initial configuration for this task.

Requirements: 

1. Configure authentication for eBGP session between R5 and R8. 
2. In AS12, reduce the number of configuration lines required for iBGP configuration. 
3. AS12 should be configured to prefer using link R3-R7 for any outgoing traffic when possible. When this link is unavailable, link R3-R6 shall be used for all traffic. Link R1-R5 shall be used for outgoing traffic as the last resort option. 

Solution:

Highlight the text below to reveal the solution.

This task requires an understanding of BGP authentication, peer groups, and influencing best-path selection with the local-preference path attribute. 

Requirement #3 - to signal the preferred exit point from the autonomous system, use the local-preference path attribute. Higher values are preferred; the default value is 100. 
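Added example, not part of the original post: a small Python implementation of the Cisco best-path decision steps (weight, local-preference, AS-path length, origin, MED, eBGP over iBGP, IGP metric, router-id), run over the candidate paths seen in the R3 and R6 tables of BGP task #3 above. It reports which step decided each prefix, which is the first thing to check when a local-preference or MED policy does not take effect. The router-id and IGP-metric values are assumed defaults, and MED is compared only between paths from the same neighbouring AS.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP preferred over EGP over incomplete


@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: Tuple[int, ...]
    origin: str = "i"
    local_pref: int = 100      # default LocPrf when the table shows none
    med: int = 0               # a missing MED is treated as 0 (Cisco default)
    weight: int = 0
    ibgp: bool = False
    igp_metric: int = 0
    router_id: str = "0.0.0.0"

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def _rid(p: Path) -> Tuple[int, ...]:
    return tuple(int(o) for o in p.router_id.split("."))


def compare(a: Path, b: Path) -> Tuple[Path, str]:
    """Return (winner, deciding step) for two paths to one prefix, walking the
    Cisco decision order. Weight 32768 on locally originated routes covers the
    'locally originated' step. MED is only compared between paths from the
    same neighbouring AS, the default without bgp always-compare-med."""
    for name, key in (("weight", lambda p: -p.weight),
                      ("local-preference", lambda p: -p.local_pref),
                      ("as-path length", lambda p: len(p.as_path)),
                      ("origin", lambda p: ORIGIN_RANK[p.origin])):
        if key(a) != key(b):
            return (a, name) if key(a) < key(b) else (b, name)
    if a.neighbor_as == b.neighbor_as and a.med != b.med:
        return (a, "MED") if a.med < b.med else (b, "MED")
    if a.ibgp != b.ibgp:
        return (b, "eBGP over iBGP") if a.ibgp else (a, "eBGP over iBGP")
    if a.igp_metric != b.igp_metric:
        return (a, "IGP metric") if a.igp_metric < b.igp_metric else (b, "IGP metric")
    return (a, "lowest router-id") if _rid(a) <= _rid(b) else (b, "lowest router-id")


def select_best(paths: List[Path]) -> Tuple[Path, str]:
    """Pairwise elimination over the candidate paths, keeping the deciding step."""
    best, reason = paths[0], "only path"
    for p in paths[1:]:
        best, reason = compare(best, p)
    return best, reason


def tables() -> dict:
    """Candidate paths copied from the R3 and R6 'show bgp' outputs of BGP task #3."""
    return {
        "8.0.0.0/16@R3": [Path("67.0.36.6", (67, 8), "?", local_pref=200),
                          Path("67.0.37.7", (67, 8), "?", local_pref=300)],
        "67.0.0.0/16@R3": [Path("67.0.36.6", (67,), med=10000),
                           Path("67.0.37.7", (67,), med=1000)],
        "5.0.0.0/16@R3": [Path("5.0.15.5", (5,), ibgp=True),
                          Path("67.0.36.6", (67, 8, 5)),
                          Path("67.0.37.7", (67, 8, 5))],
        "5.0.0.0/16@R6": [Path("8.0.78.8", (8, 5), ibgp=True),
                          Path("8.0.68.8", (8, 5))],
    }


def decisions() -> dict:
    """prefix@router -> (chosen next hop, deciding step)."""
    out = {}
    for prefix, paths in tables().items():
        best, why = select_best(paths)
        out[prefix] = (best.next_hop, why)
    return out


if __name__ == "__main__":
    for prefix, (nh, why) in decisions().items():
        print(f"{prefix:18} best via {nh:10} decided by {why}")
```

Each result lines up with the '>' marker in the corresponding table: 8.0/16 and 67.0/16 go via R7 (local-preference and MED respectively), 5.0/16 on R3 stays on the short iBGP path through R1, and R6 prefers its own eBGP path to R8 over the identical one relayed by R7.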

R1:


!
router bgp 12
 bgp log-neighbor-changes
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12
 neighbor IBGP update-source Loopback0
 neighbor 5.0.15.5 remote-as 5
 neighbor 12.0.2.2 peer-group IBGP
 neighbor 12.0.3.3 peer-group IBGP
 neighbor 12.0.4.4 peer-group IBGP
!

R2:


!
router bgp 12
 bgp log-neighbor-changes
 network 12.0.0.0 mask 255.255.0.0
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12
 neighbor IBGP update-source Loopback0
 neighbor 12.0.1.1 peer-group IBGP
 neighbor 12.0.3.3 peer-group IBGP
 neighbor 12.0.4.4 peer-group IBGP
!

R3:


!
router bgp 12
 address-family ipv4 unicast
 !
 neighbor-group IBGP
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 12.0.1.1
  use neighbor-group IBGP
 !
 neighbor 12.0.2.2
  use neighbor-group IBGP
 !
 neighbor 12.0.4.4
  use neighbor-group IBGP
 !
 neighbor 67.0.36.6
  remote-as 67
  address-family ipv4 unicast
   route-policy SECONDARY in
   route-policy BGP_ALL out
  !
 !
 neighbor 67.0.37.7
  remote-as 67
  address-family ipv4 unicast
   route-policy PRIMARY in
   route-policy BGP_ALL out
  !
 !
!
!
route-policy PRIMARY
  set local-preference 300
end-policy
!
route-policy SECONDARY
  set local-preference 200
end-policy
!


R4:


!
router bgp 12
 address-family ipv4 unicast
  network 12.0.0.0/16
 !
 neighbor-group IBGP
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 12.0.1.1
  use neighbor-group IBGP
 !
 neighbor 12.0.2.2
  use neighbor-group IBGP
 !
 neighbor 12.0.3.3
  use neighbor-group IBGP
 !
!


R5:


!
router bgp 5
 bgp log-neighbor-changes
 network 5.0.0.0 mask 255.255.0.0
 neighbor 5.0.15.1 remote-as 12
 neighbor 8.0.58.8 remote-as 8
 neighbor 8.0.58.8 password STRONG
!

R8:


!
router bgp 8
 bgp log-neighbor-changes
 redistribute static route-map STATIC
 neighbor 8.0.58.5 remote-as 5
 neighbor 8.0.58.5 password STRONG
 neighbor 8.0.68.6 remote-as 67
 neighbor 8.0.78.7 remote-as 67
!


Verification:

RP/0/0/CPU0:R4#show bgp
Mon Dec 21 11:09:43.077 UTC
BGP router identifier 12.0.4.4, local AS number 12
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0xe0000000   RD version: 8
BGP main routing table version 8
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*>i5.0.0.0/16         67.0.37.7                     300      0 67 8 5 i
*>i8.0.0.0/16         67.0.37.7                     300      0 67 8 ?
*> 12.0.0.0/16        0.0.0.0                  0         32768 i
* i                   12.0.2.2                 0    100      0 i
*>i67.0.0.0/16        67.0.37.7                0    300      0 67 i

Processed 4 prefixes, 5 paths


Friday, December 25, 2015

BGP task #1. Basic BGP.

Topology:




Routers R3 and R4 are IOS-XR, remaining routers are IOS routers.

For initial setup, configure loopback0 interfaces on all routers, and links between the routers:
  R7-R8: 8.0.78.X/24
  R6-R8: 8.0.68.X/24
  R5-R8: 8.0.58.X/24
  R3-R6: 67.0.36.X/24
  R3-R7: 67.0.37.X/24
  R1-R5: 5.0.15.X/24
  VLAN-10: 12.0.10.X/24
  VLAN-20: 12.0.20.X/24

Requirements: 

1. Configure iBGP peerings between routers in AS 12. 
2. Configure iBGP peerings between routers in AS 67.
3. Configure eBGP peerings between autonomous systems in the topology. 
4. Each autonomous system should advertise its assigned IPv4 network into BGP. 
5. On R8, don't use "network" command under BGP configuration. 
6. In autonomous system 12, routers R2 and R4 should advertise the prefix 12.0/16 into BGP. 

Solution:

Highlight the text below to reveal the solution.

This is a basic iBGP and eBGP setup, which will be used as the base for the next group of tasks. 
Note that IOS-XR requires an explicit in and out route-policy for eBGP peerings. 
In AS12, the eBGP next hops need to be reachable from routers R2 and R4. This can be achieved either by advertising the external interfaces into the IGP, or by using next-hop-self on the iBGP peerings. The recommended method, for faster convergence, is to advertise the eBGP next hops into the IGP; the external interfaces are configured as passive in OSPF. The same solution shall be implemented in AS67. 
Requirement #5 - since the network command is not allowed, redistribute a static route into BGP. 
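As an added illustration (not part of the original lab), the following Python snippet shows why the next-hop reachability note matters. It performs the longest-prefix lookup a router applies to an iBGP-learned next hop against a constructed IGP table: first without the external links, then with the passive external links advertised into the IGP, and then with next-hop-self rewriting the next hop to the border router's loopback. Prefixes and next hops follow the lab addressing; the IGP table contents and the border-router mapping are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

Net = ipaddress.IPv4Network


def longest_match(rib: Iterable[Net], addr: str) -> Optional[Net]:
    """Longest-prefix lookup, the same test the router applies to a BGP next hop."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in rib if ip in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def check_next_hops(rib: Iterable[Net], routes: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """For each iBGP-learned prefix -> next hop, report whether the next hop resolves.
    A route whose next hop does not resolve is not valid and never becomes best."""
    rib = list(rib)
    return {prefix: (nh, longest_match(rib, nh) is not None) for prefix, nh in routes.items()}


# Constructed IGP contents modelled on the lab addressing: loopbacks and the two VLANs.
IGP_INTERNAL = [Net("12.0.1.1/32"), Net("12.0.2.2/32"), Net("12.0.3.3/32"), Net("12.0.4.4/32"),
                Net("12.0.10.0/24"), Net("12.0.20.0/24")]
# The three external links, once their passive interfaces are advertised into the IGP.
EXTERNAL_LINKS = [Net("5.0.15.0/24"), Net("67.0.36.0/24"), Net("67.0.37.0/24")]

# What R4 hears from R1 and R3 over iBGP: the eBGP next hops are left unchanged.
IBGP_ROUTES = {"5.0.0.0/16": "5.0.15.5", "8.0.0.0/16": "67.0.36.6", "67.0.0.0/16": "67.0.36.6"}

# Which border router owns each external next hop (assumed mapping for next-hop-self).
BORDER_LOOPBACK = {"5.0.15.5": "12.0.1.1", "67.0.36.6": "12.0.3.3", "67.0.37.7": "12.0.3.3"}


def with_next_hop_self(routes: Dict[str, str]) -> Dict[str, str]:
    """The alternative fix: the border router rewrites the next hop to its own loopback."""
    return {prefix: BORDER_LOOPBACK[nh] for prefix, nh in routes.items()}


def scenarios() -> dict:
    return {
        "links not in IGP": check_next_hops(IGP_INTERNAL, IBGP_ROUTES),
        "links in IGP": check_next_hops(IGP_INTERNAL + EXTERNAL_LINKS, IBGP_ROUTES),
        "next-hop-self": check_next_hops(IGP_INTERNAL, with_next_hop_self(IBGP_ROUTES)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name)
        for prefix, (nh, ok) in result.items():
            print(f"  {prefix:14} via {nh:10} {'valid' if ok else 'INACCESSIBLE'}")
```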

R1:


!
interface Ethernet0/0
 ip address 12.0.20.1 255.255.255.0
 ip ospf 1 area 0
!
interface Ethernet1/0
 ip address 5.0.15.1 255.255.255.0
 ip ospf 1 area 0
!
router bgp 12
 bgp log-neighbor-changes
 neighbor 5.0.15.5 remote-as 5
 neighbor 12.0.2.2 remote-as 12
 neighbor 12.0.2.2 update-source Loopback0
 neighbor 12.0.3.3 remote-as 12
 neighbor 12.0.3.3 update-source Loopback0
 neighbor 12.0.4.4 remote-as 12
 neighbor 12.0.4.4 update-source Loopback0
!
router ospf 1
 router-id 12.0.1.1
 passive-interface Ethernet1/0
!

R2:

!
router bgp 12
 bgp log-neighbor-changes
 network 12.0.0.0 mask 255.255.0.0
 neighbor 12.0.1.1 remote-as 12
 neighbor 12.0.1.1 update-source Loopback0
 neighbor 12.0.3.3 remote-as 12
 neighbor 12.0.3.3 update-source Loopback0
 neighbor 12.0.4.4 remote-as 12
 neighbor 12.0.4.4 update-source Loopback0
!

R3:


!
router ospf CCIE
 router-id 12.0.3.3
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0
   passive enable
  !
  interface GigabitEthernet0/0/0/1
   passive enable
  !
  interface GigabitEthernet0/0/0/2
  !
 !
!
router bgp 12
 address-family ipv4 unicast
 !
 neighbor 12.0.1.1
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 12.0.2.2
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 12.0.4.4
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 67.0.36.6
  remote-as 67
  address-family ipv4 unicast
   route-policy BGP_ALL in
   route-policy BGP_ALL out
  !
 !
 neighbor 67.0.37.7
  remote-as 67
  address-family ipv4 unicast
   route-policy BGP_ALL in
   route-policy BGP_ALL out
  !
 !
!
route-policy BGP_ALL
  pass
end-policy
!


R4:

!
router bgp 12
 address-family ipv4 unicast
  network 12.0.0.0/16
 !
 neighbor 12.0.1.1
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 12.0.2.2
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
 neighbor 12.0.3.3
  remote-as 12
  update-source Loopback0
  address-family ipv4 unicast
  !
 !
!

R5:


!
router bgp 5
 bgp log-neighbor-changes
 network 5.0.0.0 mask 255.255.0.0
 neighbor 5.0.15.1 remote-as 12
 neighbor 8.0.58.8 remote-as 8
!

R6:


!
interface Ethernet0/0
 ip address 67.0.67.6 255.255.255.0
 ip router isis CCIE
!
interface Ethernet1/0
 ip address 67.0.36.6 255.255.255.0
!
interface Ethernet1/1
 ip address 8.0.68.6 255.255.255.0
!
router isis CCIE
 net 49.0067.0000.0000.0006.00
 passive-interface Ethernet1/0
 passive-interface Ethernet1/1
!
router bgp 67
 bgp log-neighbor-changes
 network 67.0.0.0 mask 255.255.0.0
 neighbor 8.0.68.8 remote-as 8
 neighbor 67.0.36.3 remote-as 12
 neighbor 67.0.67.7 remote-as 67
!

R7:



!
interface Ethernet0/0
 ip address 67.0.67.7 255.255.255.0
 ip router isis CCIE
!
interface Ethernet1/0
 ip address 67.0.37.7 255.255.255.0
!
interface Ethernet1/1
 ip address 8.0.78.7 255.255.255.0
!
router isis CCIE
 net 49.0067.0000.0000.0007.00
 passive-interface Ethernet1/0
 passive-interface Ethernet1/1
!
router bgp 67
 bgp log-neighbor-changes
 network 67.0.0.0 mask 255.255.0.0
 neighbor 8.0.78.8 remote-as 8
 neighbor 67.0.37.3 remote-as 12
 neighbor 67.0.67.6 remote-as 67
!

R8:


!
router bgp 8
 bgp log-neighbor-changes
 redistribute static route-map STATIC
 neighbor 8.0.58.5 remote-as 5
 neighbor 8.0.68.6 remote-as 67
 neighbor 8.0.78.7 remote-as 67
!

Verification:

R8#show bgp
BGP table version is 7, local router ID is 8.0.8.8
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.0.0.0/16       8.0.58.5                 0             0 5 i
 *>  8.0.0.0/16       0.0.0.0                  0         32768 ?
 *   12.0.0.0/16      8.0.78.7                               0 67 12 i
 *                    8.0.68.6                               0 67 12 i
 *>                   8.0.58.5                               0 5 12 i
 *   67.0.0.0/16      8.0.68.6                 0             0 67 i
 *>                   8.0.78.7                 0             0 67 i



RP/0/0/CPU0:R4#show bgp
Sun Dec 20 22:19:03.957 UTC
BGP router identifier 12.0.4.4, local AS number 12
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0xe0000000   RD version: 9
BGP main routing table version 9
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*>i5.0.0.0/16         5.0.15.5                 0    100      0 5 i
*>i8.0.0.0/16         5.0.15.5                 0    100      0 5 8 ?
* i                   67.0.36.6                     100      0 67 8 ?
*> 12.0.0.0/16        0.0.0.0                  0         32768 i
* i                   12.0.2.2                 0    100      0 i
*>i67.0.0.0/16        67.0.36.6                0    100      0 67 i

Processed 4 prefixes, 6 paths

R2#show bgp
BGP table version is 9, local router ID is 12.0.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 5.0.0.0/16       5.0.15.5                 0    100      0 5 i
 * i 8.0.0.0/16       67.0.36.6                     100      0 67 8 ?
 *>i                  5.0.15.5                 0    100      0 5 8 ?
 * i 12.0.0.0/16      12.0.4.4                 0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 *>i 67.0.0.0/16      67.0.36.6                0    100      0 67 i

Thursday, December 24, 2015

OSPFv3 task #3. Authentication

Topology:



Use configuration from OSPFv3 task #2 as initial configuration for this task.

Requirements: 

1. Configure authentication for Area 0. Authentication should apply to all existing interfaces in Area 0, except segment R2-R3, and also to any interfaces that may be added in the future. 
2. Use the strongest possible authentication method. 
3. OSPF packets in Area 0 (except on segment R2-R3) should have a Next Header value of 51. 
4. An attacker capable of capturing packets on segment R1-R8 should not be able to read the OSPF packets from the capture. 

Solution:

Highlight the text below to reveal the solution.

This task requires an understanding of the OSPFv3 authentication configuration options (area vs interface) and of the two IPsec protection types, ESP vs AH. 

Requirement #1 - authentication should be configured at the area level, so that it covers all interfaces in the area. Configure null authentication on segment R2-R3 to exclude it from the area-level configuration. 
Requirement #2 - the SHA1 authentication method is considered stronger than MD5. 
Requirement #3 - use "ospf authentication", which uses the AH header, with a next-header value of 51. 
Requirement #4 - use "ospf encryption", which provides both authentication and encryption of the OSPF packets. 
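To make the AH/ESP distinction in requirements #3 and #4 concrete, here is an added Python example (not from the original post) that builds three constructed IPv6 captures of an OSPFv3 Hello: unprotected, inside an AH header with SPI 400 as the area configuration uses, and inside ESP with SPI 300 as the R1-R8 interface configuration uses. Walking the next-header chain shows that AH leaves the OSPF packet readable while authenticating it, whereas ESP exposes only the SPI and sequence number. The ICV and ciphertext bytes are placeholders and the OSPF checksum is left at zero.

```python
import ipaddress
import struct

NH_ESP, NH_AH, NH_OSPF = 50, 51, 89
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, hop limit 1 as OSPF uses) in front of payload."""
    src = ipaddress.IPv6Address("fe80::a8bb:ccff:fe00:400").packed   # constructed link-local
    dst = ipaddress.IPv6Address("ff02::5").packed                      # AllSPFRouters
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 1, src, dst) + payload


def ospfv3_header(pkt_type: int, router_id: str, area_id: int) -> bytes:
    """16-byte OSPFv3 header: version 3, type, length, router ID, area ID, checksum,
    instance ID, reserved. Checksum left at 0 for this illustration."""
    rid = int(ipaddress.IPv4Address(router_id))
    return struct.pack("!BBHIIHBB", 3, pkt_type, 16, rid, area_id, 0, 0, 0)


def ah(spi: int, seq: int, inner: bytes, next_header: int = NH_OSPF) -> bytes:
    """Authentication Header with a 12-byte (HMAC-SHA1-96) ICV placeholder.
    Payload Len is in 32-bit words minus 2: (4 + 4 + 4 + 12) / 4 - 2 = 4."""
    icv = b"\x00" * 12
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv + inner


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: only SPI and sequence number are in the clear; the next-header byte
    sits in the encrypted trailer, so an observer cannot even tell it is OSPF."""
    return struct.pack("!II", spi, seq) + ciphertext


def inspect(pkt: bytes) -> dict:
    """Walk the header chain and report what a capture of this packet reveals."""
    version_tc_flow, _, nh, _, _, _ = struct.unpack("!IHBB16s16s", pkt[:40])
    if version_tc_flow >> 28 != 6:
        raise ValueError("not IPv6")
    off, chain = 40, [nh]
    report = {"chain": chain, "protection": "none", "spi": None,
              "ospf_readable": False, "ospf_type": None, "router_id": None}
    if nh == NH_AH:
        nh, ah_len, _, spi, _ = struct.unpack("!BBHII", pkt[off:off + 12])
        off += (ah_len + 2) * 4           # skip AH header plus ICV
        chain.append(nh)
        report.update(protection="AH", spi=spi)
    elif nh == NH_ESP:
        spi, _ = struct.unpack("!II", pkt[off:off + 8])
        report.update(protection="ESP", spi=spi)
        return report                     # everything after this is ciphertext
    if nh == NH_OSPF:
        _, otype, _, rid, _ = struct.unpack("!BBHII", pkt[off:off + 12])
        report.update(ospf_readable=True, ospf_type=OSPF_TYPES.get(otype, "unknown"),
                      router_id=str(ipaddress.IPv4Address(rid)))
    return report


def samples() -> dict:
    """Three constructed captures: plain OSPFv3, area AH authentication (SPI 400)
    and interface ESP encryption (SPI 300), mirroring the SPIs used in the lab."""
    hello = ospfv3_header(1, "11.0.1.1", 0)
    return {
        "plain": ipv6(NH_OSPF, hello),
        "ah": ipv6(NH_AH, ah(400, 1, hello)),
        "esp": ipv6(NH_ESP, esp(300, 1, b"\x9c\x1f" * 16)),   # opaque bytes stand in for ciphertext
    }


def summarise() -> dict:
    return {name: inspect(pkt) for name, pkt in samples().items()}


if __name__ == "__main__":
    for name, report in summarise().items():
        print(name, report)
```

The "ah" capture is what requirement #3 asks for on Area 0 links (first next header 51, OSPF still decodable behind it); the "esp" capture is what requirement #4 asks for on R1-R8, where the report stops at the SPI because nothing after it is readable.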

R1:

!
ipv6 router ospf 1
 router-id 11.0.1.1
 auto-cost reference-bandwidth 40000
 area 0 authentication ipsec spi 400 sha1 7 025756085F535976141759485744465E5A53727274796166764651415B5806080A00005B554F4E0008
 distance ospf external 180
!
!
interface Ethernet1/0
 ipv6 address 2001:11:0:18::1/64
 ipv6 ospf encryption ipsec spi 300 esp aes-cbc 128 7 040A59555B741A1951405546405858517C7C7C7163647040534355560E00080206 sha1 7 12485744465E5A53727274796166764651415B5806080A00005B554F4E000806010101015D0C5E5E08
 ipv6 ospf 1 area 2
 ipv6 ospf network point-to-multipoint
!

R2:


!
ipv6 router ospf 1
 router-id 11.0.2.2
 auto-cost reference-bandwidth 40000
 area 3 virtual-link 11.0.4.4
 area 0 authentication ipsec spi 400 sha1 7 091D1C5A4D5041455355547B79777C6663754B5E465253050D0D0503565A48470B0B030604020C520B
 distance ospf external 180
!

R3:


!
router ospfv3 CCIE
 router-id 11.0.3.3
 auto-cost reference-bandwidth 40000
 distance ospfv3 external 180
 area 0
  authentication ipsec spi 400 sha1 password 03550958525A771B1650495445415F59527D737D7862677147524054590F090901075A564E41010107
  interface Loopback0
   network point-to-point
  !
  interface GigabitEthernet0/0/0/0
  !
  interface GigabitEthernet0/0/0/1
   authentication disable
  !
 !
 area 3
  virtual-link 11.0.5.5
  !
  interface GigabitEthernet0/0/0/2
  !
 !
!

R8:


!
interface Ethernet0/0
 ipv6 address 2001:11:0:18::8/64
 ipv6 ospf encryption ipsec spi 300 esp aes-cbc 128 7 03550958525A771B1650495445415F59527D737D7862677147524054590F090901 sha1 7 025756085F535976141759485744465E5A53727274796166764651415B5806080A00005B554F4E0008
 ipv6 ospf 1 area 2
 ipv6 ospf network point-to-multipoint
!

Verification:

R8#show ipv6 ospf interface eth0/0
Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:400, Interface ID 3
  Area 2, Process ID 1, Instance ID 0, Router ID 11.0.8.8
  Network Type POINT_TO_MULTIPOINT, Cost: 4000
  AES-CBC-128 encryption SHA-1 auth SPI 300, secure socket UP (errors: 0)
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:02
  Graceful restart helper support enabled
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 5, maximum is 5
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.0.1.1
  Suppress hello for 0 neighbor(s)

R2#show ipv6 ospf interface ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:300, Interface ID 3
  Area 0, Process ID 1, Instance ID 0, Router ID 11.0.2.2
  Network Type BROADCAST, Cost: 4000
  authentication NULL
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 11.0.2.2, local address FE80::A8BB:CCFF:FE00:300
  Backup Designated router (ID) 11.0.3.3, local address FE80::250:56FF:FE3A:3264
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Graceful restart helper support enabled
  Index 1/1/1, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 2, maximum is 12
  Last flood scan time is 0 msec, maximum is 1 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.0.3.3  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)


R2#show ipv6 ospf interface ethernet 0/1
Ethernet0/1 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:310, Interface ID 4
  Area 0, Process ID 1, Instance ID 0, Router ID 11.0.2.2
  Network Type BROADCAST, Cost: 4000
  SHA-1 authentication (Area) SPI 400, secure socket UP (errors: 0)
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 11.0.2.2, local address FE80::A8BB:CCFF:FE00:310
  Backup Designated router (ID) 11.0.1.1, local address FE80::A8BB:CCFF:FE00:610
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Graceful restart helper support enabled
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 15
  Last flood scan time is 0 msec, maximum is 1 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.0.1.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)


Wednesday, December 23, 2015

OSPFv3 task #2. Multiple area OSPF

Topology:




Use configuration from OSPFv3 task #1 as initial configuration for this task.
Routers R6 and R7 (both IOS) are added to this topology. 

Requirements: 

1. Configure the following interfaces in OSPF Area 4:
      Loopback0 interfaces of R6 and R7.
      Link R5-R7.
      Link R6-R7.
      Link R4-R6. 
2. This network is expected to contain links with bandwidth up to 40Gbps. Configure OSPF to use the appropriate interface metrics. 
3. Configure interface loopback1 on R7 with IPv6 address 2001:7::7/64. This prefix should appear in routing tables inside Area 4 as "ON2 2001:7::/64 [180/20]" and outside Area 4 as "OE2 2001:4::/30 [180/20]". 

Solution:

Highlight the text below to reveal the solution.

This task requires understanding of OSPF virtual links, reference bandwidth, OSPF network types and administrative distance. 

Requirement #1 - configure virtual links on R2-R4 and R3-R5 to connect Area 4 to Area 0.
Requirement #2 - configure OSPF reference bandwidth to 40000 or higher, to allow OSPF to differentiate between links with bandwidth up to 40gbps.
Requirement #3 - configure Area 4 as NSSA. Redistribute connected loopback1 on R7 with metric-type 2, and change OSPF External AD to 180 on all routers. Configure summary address on R4 and R5.  
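An added worked example for requirement #2 (not part of the original post): the OSPF interface cost formula with the reference bandwidth, computed in Python for a constructed set of link speeds. With the default reference of 100 Mb/s every link of 100 Mb/s and faster costs 1, so 10GE and 40GE are indistinguishable; with 40000 Mb/s the costs separate, and the 10 Mb/s Ethernet links in this lab come out at 4000, the value the "show ipv6 ospf interface" output in OSPFv3 task #3 reports. The 65535 cap is the 16-bit limit of the OSPF metric field.

```python
OSPF_MAX_COST = 65535

# Constructed interface speeds in kb/s, as 'show interface' reports BW.
LINKS_KBPS = {
    "Ethernet 10M": 10_000,
    "FastEthernet": 100_000,
    "GigabitEthernet": 1_000_000,
    "10GE": 10_000_000,
    "40GE": 40_000_000,
}


def ospf_cost(reference_bw_mbps: int, interface_bw_kbps: int) -> int:
    """OSPF interface cost: reference bandwidth / interface bandwidth, truncated
    to an integer, never below 1 and never above the 16-bit maximum."""
    cost = (reference_bw_mbps * 1000) // interface_bw_kbps
    return max(1, min(cost, OSPF_MAX_COST))


def cost_table(reference_bw_mbps: int) -> dict:
    """Cost of every link speed in LINKS_KBPS for the given reference bandwidth."""
    return {name: ospf_cost(reference_bw_mbps, bw) for name, bw in LINKS_KBPS.items()}


def distinguishes_all(reference_bw_mbps: int) -> bool:
    """True when every speed in LINKS_KBPS gets its own cost, i.e. the reference
    bandwidth is high enough for SPF to tell the links apart."""
    costs = list(cost_table(reference_bw_mbps).values())
    return len(set(costs)) == len(costs)


if __name__ == "__main__":
    for ref in (100, 40000):
        print(f"reference-bandwidth {ref}: {cost_table(ref)} distinct={distinguishes_all(ref)}")
```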

R1:


!
ipv6 router ospf 1
 router-id 11.0.1.1
 auto-cost reference-bandwidth 40000
 distance ospf external 180
!

R2:

!
ipv6 router ospf 1
 router-id 11.0.2.2
 auto-cost reference-bandwidth 40000
 area 3 virtual-link 11.0.4.4
 distance ospf external 180
!

R3:

!
router ospfv3 CCIE
 router-id 11.0.3.3
 auto-cost reference-bandwidth 40000
 distance ospfv3 external 180
 area 0
  interface Loopback0
   network point-to-point
  !
  interface GigabitEthernet0/0/0/0
  !
  interface GigabitEthernet0/0/0/1
  !
 !
 area 3
  virtual-link 11.0.5.5
  !
  interface GigabitEthernet0/0/0/2
  !
 !
!

R4:

!
ipv6 router ospf 1
 router-id 11.0.4.4
 auto-cost reference-bandwidth 40000
 area 3 virtual-link 11.0.2.2
 area 4 nssa
 summary-prefix 2001:4::/30
 distance ospf external 180
!

R5:

!
router ospfv3 CCIE
 router-id 11.0.5.5
 auto-cost reference-bandwidth 40000
 summary-prefix 2001:4::/30
 distance ospfv3 external 180
 area 3
  virtual-link 11.0.3.3
  !
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/1
   network point-to-multipoint non-broadcast
   neighbor fe80::a8bb:ccff:fe00:100
  !
  interface GigabitEthernet0/0/0/2
  !
 !
 area 4
  nssa
  interface GigabitEthernet0/0/0/0
  !
 !
!

R6:

!
ipv6 router ospf 1
 router-id 11.0.6.6
 auto-cost reference-bandwidth 40000
 area 4 nssa
 distance ospf external 180
!

R7: 


!
ipv6 router ospf 1
 router-id 11.0.7.7
 auto-cost reference-bandwidth 40000
 area 4 nssa
 distance ospf external 180
 redistribute connected route-map CONNECTED
!

R8:

!
ipv6 router ospf 1
 router-id 11.0.8.8
 auto-cost reference-bandwidth 40000
 distance ospf external 180
!




Verification:

R8#show ipv6 route ospf
IPv6 Routing Table - default - 30 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
OE2 2001:4::/30 [180/20]
     via FE80::A8BB:CCFF:FE00:601, Ethernet0/0


R1# show ipv6 route ospf
IPv6 Routing Table - default - 30 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
OE2 2001:4::/30 [180/20]
     via FE80::250:56FF:FE27:8072, Ethernet0/0

R4#show ipv6 route ospf
IPv6 Routing Table - default - 32 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
OE2 2001:4::/30 [180/20]
     via FE80::250:56FF:FE29:F5EA, Ethernet0/0
ON2 2001:7::/64 [180/20]
     via FE80::A8BB:CCFF:FE00:520, Ethernet0/2

R6#show ipv6 route ospf
IPv6 Routing Table - default - 27 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
ON2 2001:7::/64 [180/20]
     via FE80::A8BB:CCFF:FE00:500, Ethernet0/0
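The verification above is checked by eye: every OE2/ON2 entry shows [180/20], which confirms the "distance ospf external 180" applied to the NSSA routers. The following is an added example, not part of the original post, that automates that check. It parses the "show ipv6 route ospf" output (R4's table from above is embedded as the sample) and flags any OSPF external route whose administrative distance is not 180, or any intra/inter-area route that is not 110. The route and next-hop regexes are my own and follow the IOS output format shown on this page.

```python
"""Parse 'show ipv6 route ospf' output and check administrative distance.

Added example, not part of the original post. After 'distance ospf external 180',
every OSPF external route (OE1/OE2/ON1/ON2) must carry AD 180, while intra-area
(O) and inter-area (OI) routes keep the default 110. The sample is R4's output
copied from the verification section.
"""
import re
from dataclasses import dataclass, field

# R4's output as shown above; header lines kept so the parser has to skip them
R4_OUTPUT = """\
R4#show ipv6 route ospf
IPv6 Routing Table - default - 32 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
OE2 2001:4::/30 [180/20]
     via FE80::250:56FF:FE29:F5EA, Ethernet0/0
ON2 2001:7::/64 [180/20]
     via FE80::A8BB:CCFF:FE00:520, Ethernet0/2
"""

# A route line starts at column 0 with the OSPF code, then prefix and [AD/metric].
ROUTE_RE = re.compile(
    r"^(?P<code>O|OI|OE1|OE2|ON1|ON2)\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]")
# Next-hop lines are indented; one route may list several (equal-cost paths).
VIA_RE = re.compile(r"^\s+via\s+(?P<nh>\S+),\s+(?P<intf>\S+)")

EXTERNAL_CODES = {"OE1", "OE2", "ON1", "ON2"}


@dataclass
class Route:
    code: str
    prefix: str
    ad: int
    metric: int
    next_hops: list = field(default_factory=list)  # (link-local next hop, interface)


def parse_ipv6_route_ospf(output: str) -> list:
    """Return the OSPF routes in the output, each with its next hops."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(m["code"], m["prefix"], int(m["ad"]), int(m["metric"])))
            continue
        v = VIA_RE.match(line)
        if v and routes:
            routes[-1].next_hops.append((v["nh"], v["intf"]))
    return routes


def check_distance(routes, external_ad=180, internal_ad=110) -> list:
    """Return (prefix, code, ad) for every route whose AD does not match the policy."""
    bad = []
    for r in routes:
        want = external_ad if r.code in EXTERNAL_CODES else internal_ad
        if r.ad != want:
            bad.append((r.prefix, r.code, r.ad))
    return bad


if __name__ == "__main__":
    routes = parse_ipv6_route_ospf(R4_OUTPUT)
    for r in routes:
        print(f"{r.code:3} {r.prefix:20} AD={r.ad} metric={r.metric} via {r.next_hops}")
    print("violations:", check_distance(routes) or "none")
```

The same parser can be fed the R1, R6 and R8 outputs above; an empty violation list on every router is the expected result for this task.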


Tuesday, December 22, 2015

OSPFv3 task #1. Simple multiple level configuration.

Topology:



Routers R6 and R7 are not active in this task.
Routers R3 and R5 run IOS-XR, remaining routers run IOS.
Configure loopback0 interfaces and connecting interfaces between the routers, using the allocated IPv6 prefix.

Requirements: 

1. Use OSPFv3 protocol to provide IPv6 routing between all active devices in the topology. 
2. On IOS routers, don't use "ospfv3" keyword for configuration. 
3. Configure loopback0 interfaces and segments connecting routers R1, R2 and R3 in OSPF Area 0.
4. Configure loopback0 interface of R8, and  segments R1-R8 in OSPF Area 2.
5. Configure loopback0 interfaces of R4 and R5, and segments R3-R5, R2-R4 and R4-R5 in OSPF Area 3.
6. Network type on segment R1-R8 should be standards based, and there should be no DR/BDR election on this segment. 
7. Network type on segment R4-R5 should be Cisco proprietary, with Hello being sent every 30 seconds. 

Solution:

Highlight the text below to reveal the solution.

Requirement #2 - IOS allows two options for OSPFv3 configuration. In this task, use the syntax "ipv6 router ospf PID".

Requirement #6 - Standards based network types are NBMA and point-to-multipoint. DR/BDR are not elected on point-to-multipoint network types. 

Requirement #7 - Cisco proprietary network types are broadcast, point-to-multipoint and point-to-multipoint non-broadcast. The last one has a hello/dead interval of 30/120.

R1:


!
interface Ethernet0/0
 ipv6 address 2001:11:0:13::1/64
 ipv6 ospf 1 area 0
!
interface Ethernet0/1
 ipv6 address 2001:11:0:12::1/64
 ipv6 ospf 1 area 0
!
interface Ethernet1/0
 ipv6 address 2001:11:0:18::1/64
 ipv6 ospf 1 area 2
 ipv6 ospf network point-to-multipoint
!
interface Loopback0
 ipv6 address 2001:11:0:1::1/64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 11.0.1.1
!

R2:

!
interface Loopback0
 ipv6 address 2001:11:0:2::2/64
 ipv6 ospf 1 area 0
!
interface Ethernet0/0
 ipv6 address 2001:11:0:23::2/64
 ipv6 ospf 1 area 0
!
interface Ethernet0/1
 ipv6 address 2001:11:0:12::2/64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 11.0.2.2
!

R3:

!
router ospfv3 CCIE
 router-id 11.0.3.3
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0
  !
  interface GigabitEthernet0/0/0/1
  !
 !
 area 3
  interface GigabitEthernet0/0/0/2
  !
 !
!

R4:

!
interface Loopback0
 ipv6 address 2001:11:0:4::4/64
 ipv6 ospf 1 area 3
!
interface Ethernet0/0
 ipv6 address 2001:11:0:45::4/64
 ipv6 ospf 1 area 3
 ipv6 ospf neighbor FE80::250:56FF:FE29:F5EA
 ipv6 ospf network point-to-multipoint non-broadcast
!
interface Ethernet0/1
 ip address 11.0.24.4 255.255.255.0
 ipv6 address 2001:11:0:24::4/64
 ipv6 ospf 1 area 3
!
ipv6 router ospf 1
 router-id 11.0.4.4
!

R5:

!
router ospfv3 CCIE
 router-id 11.0.5.5
 area 3
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/1
   network point-to-multipoint non-broadcast
   neighbor fe80::a8bb:ccff:fe00:100
  !
  interface GigabitEthernet0/0/0/2
  !
 !
!

R8:

!
interface Loopback0
 ipv6 address 2001:11:0:8::8/64
 ipv6 ospf 1 area 2
!
interface Ethernet0/0
 ipv6 address 2001:11:0:18::8/64
 ipv6 ospf 1 area 2
 ipv6 ospf network point-to-multipoint
!
ipv6 router ospf 1
 router-id 11.0.8.8
!

Verification:


Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:100, Interface ID 3
  Area 3, Process ID 1, Instance ID 0, Router ID 11.0.4.4
  Network Type POINT_TO_MULTIPOINT, Cost: 10
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:12
  Graceful restart helper support enabled
  Index 1/1/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 8
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.0.5.5
  Suppress hello for 0 neighbor(s)
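The interface output above is what proves requirement #7 on R4: network type, Hello 30 / Dead 120, and a full adjacency with R5. The following is an added example, not part of the original post, that parses that block and reports anything which does not match the requirement. Note that IOS prints POINT_TO_MULTIPOINT for both the standard and the non-broadcast variant, so the adjacency with 11.0.5.5 is the part of the output that shows the static "ipv6 ospf neighbor" entry on R4 (and the matching "neighbor" on R5) is doing its job. The field regexes are my own and follow the IOS format shown on this page.

```python
"""Check OSPFv3 interface parameters from 'show ipv6 ospf interface' output.

Added example, not part of the original post. It parses the R4 Ethernet0/0
output shown above and checks requirement #7: point-to-multipoint type,
Hello 30 / Dead 120, area 3, and an adjacency with R5 (router ID 11.0.5.5).
"""
import re

# R4's output as shown in the verification section above
R4_ETH0_0 = """\
Ethernet0/0 is up, line protocol is up
  Link Local Address FE80::A8BB:CCFF:FE00:100, Interface ID 3
  Area 3, Process ID 1, Instance ID 0, Router ID 11.0.4.4
  Network Type POINT_TO_MULTIPOINT, Cost: 10
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:12
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.0.5.5
  Suppress hello for 0 neighbor(s)
"""


def parse_ospf_interface(output: str) -> dict:
    """Pull the fields the task cares about out of one interface block."""
    info = {}
    m = re.search(r"^(?P<intf>\S+) is (?P<link>\w+), line protocol is (?P<proto>\w+)",
                  output, re.M)
    if m:
        info["interface"] = m["intf"]
        info["up"] = m["link"] == "up" and m["proto"] == "up"
    m = re.search(r"Area (\d+), Process ID (\d+), Instance ID (\d+), Router ID (\S+)", output)
    if m:
        info["area"], info["process_id"] = int(m.group(1)), int(m.group(2))
        info["router_id"] = m.group(4)
    m = re.search(r"Network Type (\S+), Cost: (\d+)", output)
    if m:
        info["network_type"], info["cost"] = m.group(1), int(m.group(2))
    m = re.search(r"Hello (\d+), Dead (\d+), Wait (\d+), Retransmit (\d+)", output)
    if m:
        info["hello"], info["dead"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"Neighbor Count is (\d+), Adjacent neighbor count is (\d+)", output)
    if m:
        info["neighbors"], info["adjacent"] = int(m.group(1)), int(m.group(2))
    # Router IDs of neighbours in FULL state (one line each in the IOS output)
    info["adjacent_with"] = re.findall(r"Adjacent with neighbor (\S+)", output)
    return info


def check_requirement_7(info: dict, peer_router_id: str = "11.0.5.5") -> list:
    """Return a list of problems; an empty list means the interface meets requirement #7."""
    problems = []
    if not info.get("up"):
        problems.append("interface or line protocol down")
    if info.get("area") != 3:
        problems.append(f"area {info.get('area')} != 3")
    if info.get("network_type") != "POINT_TO_MULTIPOINT":
        problems.append(f"network type {info.get('network_type')}")
    if info.get("hello") != 30:
        problems.append(f"hello {info.get('hello')} != 30")
    if info.get("dead") != 4 * 30:  # IOS derives Dead as 4 x Hello unless overridden
        problems.append(f"dead {info.get('dead')} != 120")
    if peer_router_id not in info.get("adjacent_with", []):
        problems.append(f"no FULL adjacency with {peer_router_id}")
    return problems


if __name__ == "__main__":
    facts = parse_ospf_interface(R4_ETH0_0)
    print(facts)
    print("problems:", check_requirement_7(facts) or "none")
```

Running it against the output above returns no problems; change the hello timer in the sample and the check reports the mismatch, which is the behaviour you want from a lab verification script.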

R4#show ipv6 route ospf
IPv6 Routing Table - default - 23 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
OI  2001:11:0:1::1/128 [110/20]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
OI  2001:11:0:2::2/128 [110/10]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
OI  2001:11:0:3::3/128 [110/20]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
     via FE80::250:56FF:FE29:F5EA, Ethernet0/0
O   2001:11:0:5::5/128 [110/10]
     via FE80::250:56FF:FE29:F5EA, Ethernet0/0
OI  2001:11:0:8::8/128 [110/30]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
OI  2001:11:0:12::/64 [110/20]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
OI  2001:11:0:13::/64 [110/30]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
     via FE80::250:56FF:FE29:F5EA, Ethernet0/0
OI  2001:11:0:18::1/128 [110/20]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
OI  2001:11:0:18::8/128 [110/30]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
OI  2001:11:0:23::/64 [110/20]
     via FE80::A8BB:CCFF:FE00:301, Ethernet0/1
O   2001:11:0:35::/64 [110/20]
     via FE80::250:56FF:FE29:F5EA, Ethernet0/0
O   2001:11:0:45::5/128 [110/10]
     via FE80::250:56FF:FE29:F5EA, Ethernet0/0