Category Archives: IGP

Ospf conditional routing

OSPF conditional routing advertises a default route only while a chosen route is present on the local router that originates that default.  Normally conditional routing is used to advertise a default route depending on whether the originating router's interface facing the service provider is up or not.

Our topology.

[Figure: OSPFDEFAULT2 topology diagram]

Our topology is very simple.  Every router is running OSPF except for the top two, which simply inject a BGP default route.  The CE routers have the BGP default route in their RIB so they can pass the default route off into OSPF.  So here is our configuration on the CE routers.

R7

r7#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 100", distance 20, metric 0, candidate default path
Tag 2, type external
Last update from 11.11.11.11 00:25:13 ago
Routing Descriptor Blocks:
* 11.11.11.11, from 11.11.11.11, 00:25:13 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 2

router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 11.11.11.11 remote-as 2
neighbor 11.11.11.11 ebgp-multihop 5
neighbor 11.11.11.11 update-source Loopback0
no auto-summary

router ospf 1
log-adjacency-changes
network 7.7.7.7 0.0.0.0 area 0
network 27.27.27.0 0.0.0.255 area 0
default-information originate

R6

R6#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "bgp 100", distance 20, metric 0, candidate default path
Tag 2, type external
Last update from 12.12.13.12 00:41:36 ago
Routing Descriptor Blocks:
* 12.12.13.12, from 12.12.13.12, 00:41:36 ago
Route metric is 0, traffic share count is 1
AS Hops 1
Route tag 2

router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 12.12.13.12 remote-as 2
neighbor 12.12.13.12 ebgp-multihop 5
neighbor 12.12.13.12 update-source Loopback0
no auto-summary

router ospf 1
log-adjacency-changes
network 6.6.6.6 0.0.0.0 area 0
network 36.36.36.0 0.0.0.255 area 0
default-information originate

Okay, now that we've got that out of the way, let's check out S2 and see what our default route looks like.

S2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 1, candidate default path
Tag 1, type extern 2, forward metric 65
Last update from 32.32.32.3 on Vlan32, 00:00:36 ago
Routing Descriptor Blocks:
32.32.32.3, from 6.6.6.6, 00:00:36 ago, via Vlan32
Route metric is 1, traffic share count is 1
Route tag 1
* 26.26.26.2, from 7.7.7.7, 00:00:36 ago, via Vlan26
Route metric is 1, traffic share count is 1
Route tag 1

Uh oh, looks like we have two default routes. Let's check an upstream router.

R3#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 1, candidate default path
Tag 1, type extern 2, forward metric 64
Last update from 36.36.36.6 on Serial0/0, 00:01:32 ago
Routing Descriptor Blocks:
* 36.36.36.6, from 6.6.6.6, 00:01:32 ago, via Serial0/0
Route metric is 1, traffic share count is 1
Route tag 1

It's going to load balance the default route because the metrics are equal; you can see that in the drawing.  I really do not want that due to possible asynchronous routing issues.  The simplest way to get rid of this is to set the cost on one of the interfaces facing upstream to the CE routers.

R3(config)#int s0/0

R3(config-if)#ip ospf cost 1000

This will give me one route on S2.

Okay, so now the good part.  I can simply put the locally connected interface's subnet in a prefix-list and tie it in with a route-map.  Then I use it in OSPF after my default-information originate statement so that if that interface goes down, traffic will traverse the other router. For example:

R7 is primary; its primary interface is Se1/0, 71.71.71.0/24.

R6 is secondary due to OSPF cost; its interface is Se1/0, 62.62.62.0/24.

So we will create a prefix list on both routers.  I will simply show R7 to begin with.

ip prefix-list 71 seq 5 permit 71.71.71.0/24

route-map default permit 10
match ip address prefix-list 71

Now, before I add anything into OSPF, let's check S2 to see where our default route is.

Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 1, candidate default path
Tag 1, type extern 2, forward metric 65
Last update from 26.26.26.2 on Vlan26, 00:04:58 ago
Routing Descriptor Blocks:
* 26.26.26.2, from 7.7.7.7, 00:04:58 ago, via Vlan26
Route metric is 1, traffic share count is 1
Route tag 1

Great, we take the path to R7.  Due to our cost setting we will always take that path.  Now let's go ahead and tie a route-map in on R6 and R7 with our matching prefix lists.

Our default route should still stay the same on S2.  Now let's go ahead and shut down interface Se1/0 so that there is no RIB match for the subnet 71.71.71.0/24. If everything works right, OSPF will stop advertising a default route originating from R7 and start originating from R6.

r7(config)#int se1/0
r7(config-if)#shut

Now, going to S2, if everything worked we should see a default route heading out to R6.

S2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 1000, candidate default path
Tag 1, type extern 2, forward metric 1001
Last update from 32.32.32.3 on Vlan32, 00:00:20 ago
Routing Descriptor Blocks:
* 32.32.32.3, from 6.6.6.6, 00:00:20 ago, via Vlan32
Route metric is 1000, traffic share count is 1
Route tag 1

This is a nice feature; it can be used in the simplest ways for conditional routing.  It can also be tied into an IP SLA and other creative routing techniques.
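The failover test above can be turned into a repeatable check. The following is an added example, not part of the original post: it parses `sh ip route 0.0.0.0` output from S2 and reports when the default route is load balanced or comes from the wrong originating router. The sample outputs are constructed by trimming the outputs shown in this post, and the function names are hypothetical.

```python
import re

# Constructed samples, trimmed from the S2 outputs shown in this post.
ECMP = '''\
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 1, candidate default path
Routing Descriptor Blocks:
32.32.32.3, from 6.6.6.6, 00:00:36 ago, via Vlan32
Route metric is 1, traffic share count is 1
* 26.26.26.2, from 7.7.7.7, 00:00:36 ago, via Vlan26
Route metric is 1, traffic share count is 1
'''
PRIMARY = '''\
Routing entry for 0.0.0.0/0, supernet
Last update from 26.26.26.2 on Vlan26, 00:04:58 ago
Routing Descriptor Blocks:
* 26.26.26.2, from 7.7.7.7, 00:04:58 ago, via Vlan26
Route metric is 1, traffic share count is 1
'''
FAILOVER = '''\
Routing entry for 0.0.0.0/0, supernet
Last update from 32.32.32.3 on Vlan32, 00:00:20 ago
Routing Descriptor Blocks:
* 32.32.32.3, from 6.6.6.6, 00:00:20 ago, via Vlan32
Route metric is 1000, traffic share count is 1
'''

# Descriptor line: "[*] <next hop>, from <originating router ID>, <age> ago, via <interface>"
PATH_RE = re.compile(
    r"^[ \t]*(?:\*[ \t]*)?(\d+(?:\.\d+){3}), from (\d+(?:\.\d+){3}), .* ago, via (\S+)[ \t]*$",
    re.M,
)


def default_paths(output):
    """Return one dict per routing descriptor block in the output."""
    return [
        {"next_hop": nh, "originator": rid, "interface": intf}
        for nh, rid, intf in PATH_RE.findall(output)
    ]


def check_default(output, expected_originator):
    """Return a list of problems; an empty list means the default is as expected."""
    paths = default_paths(output)
    if not paths:
        return ["no default route installed"]
    problems = []
    if len(paths) > 1:
        problems.append(f"{len(paths)} equal-cost default paths (load balancing)")
    for path in paths:
        if path["originator"] != expected_originator:
            problems.append(
                f"default from {path['originator']} via {path['interface']}, "
                f"expected {expected_originator}"
            )
    return problems


if __name__ == "__main__":
    print(check_default(ECMP, "7.7.7.7"))      # before the cost change
    print(check_default(PRIMARY, "7.7.7.7"))   # R7 originating
    print(check_default(FAILOVER, "6.6.6.6"))  # after Se1/0 on R7 is shut
```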


%BGP-4-VPNV4NH_MASK: Nexthop

Wha?

Well, I found some interesting stuff while trying to run OSPF as an IGP in an MPLS environment while peering BGP by loopback.  Here is the configuration; keep in mind this is with INE’s topology.

ip vrf VPN_A
rd 1:1
route-target export 1:1
route-target import 1:1
!
router bgp 1
neighbor 150.1.1.1 remote-as 1
neighbor 150.1.1.1 update-source lo0
neighbor 150.1.2.2 remote-as 1
neighbor 150.1.2.2 update-source lo0
neighbor 150.1.3.3 remote-as 1
neighbor 150.1.3.3 update-source lo0
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 update-source lo0
neighbor 150.1.5.5 remote-as 1
neighbor 150.1.5.5 update-source lo0
!
address-family vpnv4 unicast
neighbor 150.1.1.1 activate
neighbor 150.1.1.1 send-community both
neighbor 150.1.2.2 activate
neighbor 150.1.2.2 send-community both
neighbor 150.1.3.3 activate
neighbor 150.1.3.3 send-community both
neighbor 150.1.4.4 activate
neighbor 150.1.4.4 send-community both
neighbor 150.1.5.5 activate
neighbor 150.1.5.5 send-community both
!
address-family ipv4 vrf VPN_A
redistribute ospf 3 vrf VPN_A
no synchronization
exit-address-family
!
router ospf 3 vrf VPN_A
redistribute bgp 1 subnets

Then I get this message on each PE router.

*Mar 1 17:10:19.575: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.1.1 may not be reachable from neigbor 150.1.2.2 - not /32 mask
*Mar 1 17:11:26.579: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.3.3 may not be reachable from neigbor 150.1.1.1 - not /32 mask
*Mar 1 17:11:55.683: %BGP-4-VPNV4NH_MASK: Nexthop 150.1.5.5 may not be reachable from neigbor 150.1.1.1 - not /32 mask

On a CE router.

Rack1SW2#sh ip route 155.1.67.7
Routing entry for 155.1.67.0/24
Known via "ospf 1", distance 110, metric 3, type inter area
Last update from 155.1.58.5 on Vlan58, 00:04:55 ago
Routing Descriptor Blocks:
* 155.1.58.5, from 5.5.5.5, 00:04:55 ago, via Vlan58
Route metric is 3, traffic share count is 1

Traceroute

Rack1SW2#trace 155.1.67.6

Type escape sequence to abort.
Tracing the route to 155.1.67.6

1 155.1.58.5 0 msec 0 msec 9 msec
2 *

Looking over my MPLS forwarding table, it appears that since OSPF by default will take my /24 loopback and advertise it as a /32, LDP gets confused.  It shows up in the tag switching table as a /24 but as a /32 in the routing table.  The fix for this was making each loopback a point-to-point interface under the loopback via OSPF.  I'm not sure how this would scale in a large service provider environment… this might even be an IOS bug, not sure.

After the change…

Rack1SW2#trace 155.1.67.6

Type escape sequence to abort.
Tracing the route to 155.1.67.6

1 155.1.58.5 8 msec 0 msec 9 msec
2 155.1.146.1 0 msec 8 msec 0 msec
3 155.1.146.6 25 msec * 0 msec

One thing that someone might want to do, to make sure that the loopback is also the router-id so there are no problems, is to issue the following command under global configuration.

Rack1R1(config)#mpls ldp router-id lo0 force

That way the router-id is always lo0.  Issuing force at the end of the statement will drop all current LDP connectivity to the loopback.  So if you have MPLS sessions currently using another loopback or interface, they will be dropped, reinitialize, and use lo0.  Otherwise, without the force option, the mpls neighbor x.x.x.x command will have to be used.

How to configure a 2511 Terminal server.

Terminal servers save a huge amount of time in a test lab, and in the real world too: if you lock yourself out of a machine you are telnet/ssh’d into, it does not matter since you have console access. In my lab I have a 2511; before I configured it, it took me a while to find the best configuration.

TermServer#sh run
Building configuration…

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TermServer
!
no logging console
enable secret 5 $1$t4HZ$dGywOHBSeYs37rzn1mFGZ1
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no ip directed-broadcast
!
interface Ethernet0
no ip address
!
interface Serial0
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
ip classless
no ip http server
!
!
menu access-server text 1 3600 Router
menu access-server command 1 telnet 1.1.1.1 2001
menu access-server text 2 Switch-C 1800 series router
menu access-server command 2 telnet 1.1.1.1 2002
menu access-server text 3 Switch-C 3600 series (2)
menu access-server command 3 telnet 1.1.1.1 2003
menu access-server text 4 3650 swouter
menu access-server command 4 telnet 1.1.1.1 2004
menu access-server text 5 3550 swouter
menu access-server command 5 telnet 1.1.1.1 2005
menu access-server text 6 Router-B 2800
menu access-server command 6 telnet 1.1.1.1 2006
menu access-server text 7 Agg Switch
menu access-server command 7 telnet 1.1.1.1 2007
menu access-server text 8 Router-D 3640
menu access-server command 8 telnet 1.1.1.1 2008
menu access-server text 9 Disconnect (Use this to kill sessions to lab devices)
menu access-server command 9 disconnect
menu access-server text 10 Drop to EXEC mode
menu access-server command 10 menu-exit
menu access-server clear-screen
menu access-server line-mode
!
line con 0
autocommand menu access-server
transport input none
line 1 8
no exec
exec-character-bits 8
transport preferred none
transport input all
telnet break-on-ip
telnet ip-on-break
autohangup
stopbits 1
flowcontrol software
line 9 16
line aux 0
line vty 0 4
no login
autocommand menu access-server
!
end

When logged into the server under the IP address 10.100.249.247 I get the following selection.

1 3600 Router
2 Switch-C 1800 series router
3 Switch-C 3600 series (2)
4 3650 swouter
5 3550 swouter
6 Router-B 2800
7 Agg Switch
8 Router-D 3640
9 Disconnect (Use this to kill sessions to lab devices)
10 Drop to EXEC mode

Selection:

By entering one of the numbers I will be able to console directly into that box as if I were sitting there with my laptop consoled into the device. 10 drops me right back into EXEC mode to make any necessary changes.
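Because this menu hands out console access to every lab device, the `line` stanzas decide who can reach it. The following is an added example, not part of the original post: it reads the line section of a config like the one above and lists lines that start a session without a password check, accept telnet, or have no source-address restriction. The sample text is constructed from the config above; the hardened stanza, ACL number 10 and the function names are assumptions.

```python
# Constructed sample: the line section of the TermServer config above.
TERMSERVER = """\
line con 0
autocommand menu access-server
transport input none
line 1 8
no exec
transport preferred none
transport input all
line 9 16
line aux 0
line vty 0 4
no login
autocommand menu access-server
!
end
"""

# Constructed comparison stanza; ACL 10 and a local user database are assumptions.
HARDENED = """\
line vty 0 4
access-class 10 in
login local
transport input ssh
autocommand menu access-server
!
"""


def parse_line_stanzas(config):
    """Map each 'line ...' header to the commands that follow it.

    Works on flattened text (no indentation): a stanza ends at the next
    'line ...' header, a '!' separator, a blank line or 'end'.
    """
    stanzas, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = stanzas.setdefault(text, [])
        elif text in ("", "!", "end"):
            current = None
        elif current is not None:
            current.append(text)
    return stanzas


def audit_lines(config):
    """Return (line, finding) tuples for access-control gaps on each line."""
    findings = []
    for name, cmds in parse_line_stanzas(config).items():
        if "no login" in cmds:
            findings.append((name, "no login: session starts without a password check"))
        for cmd in cmds:
            words = cmd.split()
            if words[:2] == ["transport", "input"] and {"all", "telnet"} & set(words[2:]):
                findings.append((name, "accepts telnet: session is cleartext"))
        if name.startswith("line vty") and not any(
            c.startswith("access-class ") for c in cmds
        ):
            findings.append((name, "no access-class: not restricted by source address"))
    return findings


if __name__ == "__main__":
    for line, finding in audit_lines(TERMSERVER):
        print(f"{line}: {finding}")
```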

EIGRP over VRF-lite

At first glance VRFs are slightly confusing since they do not show up directly in the routing table; by running an IP route command on a Cisco router / switch the user would not find VRF routes. VRFs are great since you can have multiple routing tables and overlapping subnets. The idea here is to create virtual routing tables to segregate other Layer 3 addresses. This is very similar to what VLANs do at layer 2. This is heavily used in service provider environments since you can have multiple routing tables in one router, saving space and money by not having to purchase more equipment.

I will show in this brief demonstration how to set up what is called VRF-Lite (a fancy name for VRF without MPLS) and then configure EIGRP to pass routes from each one of the virtual instances.

My lab is the following
-3550 switch
-3560 switch
-3640 router
-1841 router

The very first thing we will want to do here is create the VRFs and a route distinguisher per VRF. The purpose behind an RD is the same reason we can have overlapping subnets in a VRF.

I will be using the following subnets
test1->192.168.1.0/24
test2->192.168.2.0/24
test3->192.168.3.0/24
test4->192.168.4.0/24

If I wanted to, I could create another subnet in test2 and give it the same subnet as test1; each time a packet goes from switch 1 to switch 2 it will append a route distinguisher to tell the neighboring device it belongs to VRF test1.

First and foremost, add the VRFs. Under each VRF you will add an RD as either autonomous system : number or ip address : number.

3550swouter

ip vrf test1
rd 65001:1
!
ip vrf test2
rd 65001:2
!
ip vrf test3
rd 65001:3
!
ip vrf test4
rd 65001:4

Next add the interfaces. Keep in mind that when adding VRFs you will want to add the VRF on the interface before putting in the IP address. If you already have an IP address on an interface, it will be removed once the VRF is applied, so make sure you have a clean interface with no configs.

interface Vlan1
ip vrf forwarding test1
ip address 192.168.1.3 255.255.255.0
!
interface Vlan2
ip vrf forwarding test2
ip address 192.168.2.3 255.255.255.0
!
interface Vlan3
ip vrf forwarding test3
ip address 192.168.3.3 255.255.255.0
!
interface Vlan4
ip vrf forwarding test4
ip address 192.168.4.3 255.255.255.0

Over on R1 adding the VRFs and RD

R1

ip vrf test1
rd 65001:1
!
ip vrf test2
rd 65001:2
!
ip vrf test3
rd 65001:3
!
ip vrf test4
rd 65001:4

Since R1 has one interface I had to split it into subinterfaces. This is common in a service provider, where a VRF normally goes through a subinterface on a tagged VLAN.

interface FastEthernet1/0.1
encapsulation dot1Q 1 native
ip vrf forwarding test1
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation dot1Q 2
ip vrf forwarding test2
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet1/0.3
encapsulation dot1Q 3
ip vrf forwarding test3
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet1/0.4
encapsulation dot1Q 4
ip vrf forwarding test4
ip address 192.168.4.1 255.255.255.0

On R2, same with tagged traffic.

R2

ip vrf test1
rd 65001:1
!
ip vrf test2
rd 65001:2
!
ip vrf test3
rd 65001:3
!
ip vrf test4
rd 65001:4

interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip vrf forwarding test1
ip address 192.168.1.2 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip vrf forwarding test2
ip address 192.168.2.2 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip vrf forwarding test3
ip address 192.168.3.2 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip vrf forwarding test4
ip address 192.168.4.2 255.255.255.0
no snmp trap link-status

Now for the real test: without any routing protocols or routes, everything under VRF test1 should be able to ping each other.

R1#ping vrf test1 ip 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

With the given syntax we have to specify the VRF… There are some really neat commands that will allow a user to ping from one VRF to another. Another useful command is the telnet command.

R2#telnet 1.1.1.1 /vrf test1

Now adding an IGP gets a bit tricky. I decided to use EIGRP since OSPF is a very easy configuration when it comes to VRFs. I think EIGRP would be a little better when it comes to VRFs because of the flexibility you have in being able to summarize at any point.

Here is the configuration on a 3550 which is the same as R1 and R2.

3550swouter(config)#router eigrp 1
3550swouter(config-router)#no auto-summary
3550swouter(config-router)#address-family ipv4 vrf test1
3550swouter(config-router-af)#network 192.168.1.0 0.0.0.255
3550swouter(config-router-af)#network 0.0.0.0
3550swouter(config-router-af)#autonomous-system 10
3550swouter(config-router)#address-family ipv4 vrf test2
3550swouter(config-router-af)#network 192.168.2.0 0.0.0.255
3550swouter(config-router-af)#network 0.0.0.0
3550swouter(config-router-af)#auton
3550swouter(config-router-af)#autonomous-system 20
3550swouter(config-router-af)#exi
3550swouter(config-router)#address-family ipv4 vrf test3
3550swouter(config-router-af)#network 192.168.3.0 0.0.0.255
3550swouter(config-router-af)#autonomous
3550swouter(config-router-af)#autonomous-system 30
3550swouter(config-router-af)#exi

It is different on 3560s:
3650swouter(config-router)#address-family ipv4 vrf test1 au
3650swouter(config-router)#address-family ipv4 vrf test1 autonomous-system 10
3650swouter(config-router-af)#network 0.0.0.0
3650swouter(config-router-af)#

Verifying we have EIGRP connectivity

3550swouter#sh ip protocol vrf test1
*** IP Routing is NSF aware ***

Routing Protocol is "eigrp 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
Redistributing: eigrp 10

Address Family Protocol EIGRP-IPv4:(10)
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
EIGRP NSF-aware route hold timer is 240
Topologies : 0(base)

Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.1.0
0.0.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: internal 90 external 170

R2#sh ip route vrf test1

Routing Table: test1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D 1.0.0.0/8 [90/156160] via 192.168.1.1, 00:02:52, FastEthernet0/0.1
C 192.168.1.0/24 is directly connected, FastEthernet0/0.1

R2#sh ip eigrp vrf test1 neighbors
IP-EIGRP neighbors for process 10
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 192.168.1.1 Fa0/0.1 14 00:03:16 432 2592 0 3
0 192.168.1.3 Fa0/0.1 14 00:03:20 8 200 0 11
R2#

I will now set up what is called MBGP within one iBGP AS through the two switches. This will allow the two switches to have all the routes and VRFs so they can easily route, even from the outside world if needed.

router bgp 65001
no synchronization
bgp log-neighbor-changes
neighbor 192.168.5.2 remote-as 65001
no auto-summary
!
address-family ipv4 vrf test4
redistribute eigrp 40
no synchronization
exit-address-family
!
address-family ipv4 vrf test2
redistribute eigrp 20
no synchronization
exit-address-family
!
address-family ipv4 vrf test1
redistribute eigrp 10
no synchronization
exit-address-family

Next we will use what are called route targets, for the case where we want test1 to talk to test2 and vice versa. I will take that exact example.

ip vrf test1
rd 65001:1
route-target export 65001:11
!
ip vrf test2
rd 65001:2
route-target export 65001:22
!
ip vrf test3
rd 65001:3
route-target export 65001:33
!
ip vrf test4
rd 65001:4
route-target export 65001:44

Now what happens here is that on test1 we have the 192.168.1.0/24 network, and it will export it; the same goes for all the other VRFs. So if I wanted to import the 192.168.1.0 network into the 192.168.2.0 network, all I have to do is import it there. Here is what it currently looks like on the VRF.

3650swouter#sh ip route vrf test2

Routing Table: test2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D 2.0.0.0/8 [90/130816] via 192.168.2.2, 01:00:12, Vlan2
C 192.168.2.0/24 is directly connected, Vlan2

I go ahead and import routes from test1.

ip vrf test2
rd 65001:2
route-target export 65001:22
route-target import 65001:11

3650swouter#sh ip route vrf test2

Routing Table: test2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B 1.0.0.0/8 [20/130816] via 192.168.1.1 (test1), 00:00:01, Vlan1
D 2.0.0.0/8 [90/130816] via 192.168.2.2, 01:01:00, Vlan2
B 192.168.1.0/24 is directly connected, 00:00:01, Vlan1
C 192.168.2.0/24 is directly connected, Vlan2

Alright, my brain hurts.
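Route targets are what open a path between otherwise separate VRFs, so it helps to compute which VRF receives whose routes straight from the `ip vrf` stanzas. The following is an added example, not part of the original post: it builds that leak list from the configuration shown above (constructed sample text), compares it with an intended policy, and reports imports that have no matching import in the other direction. The function names and the `allowed` set are hypothetical.

```python
# Constructed sample: the ip vrf stanzas from this post, after the import on test2.
VRF_CONFIG = """\
ip vrf test1
rd 65001:1
route-target export 65001:11
!
ip vrf test2
rd 65001:2
route-target export 65001:22
route-target import 65001:11
!
ip vrf test3
rd 65001:3
route-target export 65001:33
!
ip vrf test4
rd 65001:4
route-target export 65001:44
"""


def parse_vrfs(config):
    """Return {vrf: {"export": set_of_RTs, "import": set_of_RTs}}."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if len(words) == 3 and words[:2] == ["ip", "vrf"]:
            # 'ip vrf forwarding <name>' under an interface has four words and is skipped.
            current = vrfs.setdefault(words[2], {"export": set(), "import": set()})
        elif (len(words) == 3 and words[0] == "route-target"
              and words[1] in ("export", "import", "both") and current is not None):
            kinds = ("export", "import") if words[1] == "both" else (words[1],)
            for kind in kinds:
                current[kind].add(words[2])
        elif not words or words[0] == "!":
            current = None
    return vrfs


def route_leaks(vrfs):
    """Return {(source_vrf, destination_vrf)}: destination imports an RT the source exports."""
    return {
        (src, dst)
        for src, s in vrfs.items()
        for dst, d in vrfs.items()
        if src != dst and s["export"] & d["import"]
    }


def audit_leaks(config, allowed):
    """Compare computed leaks with the intended (source, destination) pairs."""
    leaks = route_leaks(parse_vrfs(config))
    return {
        "unexpected": sorted(leaks - allowed),
        # Routes flow one way only; the source VRF has no route back.
        "one_way": sorted((s, d) for s, d in leaks if (d, s) not in leaks),
    }


if __name__ == "__main__":
    print(audit_leaks(VRF_CONFIG, allowed={("test1", "test2")}))
```

With the configuration above, test2 receives test1's routes but test1 imports nothing from test2, which the `one_way` list reports.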