
Monday, January 24, 2011

Policy-Based Routing part 1 - GNS3

Policy-Based Routing - routing based on source address - GNS3



*this is not a complete routing design, just a proof of the Policy-Based Routing concept

all traffic sourced from 10.1.1.1 and 10.2.2.2 will be routed to R3 and R4 respectively using policy-based routing

R1 will have a default route to R2; policy-based routing will be applied on R2

note that policy-based routing takes precedence over static or dynamic routes if there's a match

R1
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.2.2.2 255.255.255.0
!
interface Serial0/0
 ip address 172.16.1.1 255.255.255.252
 clock rate 56000
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2

R2
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.16.1.2 255.255.255.252
 ip route-cache policy
 ip policy route-map map1
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.2.2.0 0.0.0.255
route-map map1 permit 10
 match ip address 1
 set ip next-hop 192.168.1.1 192.168.1.2
!
route-map map1 permit 20
 match ip address 2
 set ip next-hop 192.168.2.2

R3
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!

R4
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!

from R1, initiate a ping with a source address of 10.1.1.1 or 10.2.2.2.. but before that, take a reading of the route-map counters first

R2#sh route-map
route-map map1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1 
  Set clauses:
    ip next-hop 192.168.1.1 192.168.1.2
  Policy routing matches: 0 packets, 0 bytes
route-map map1, permit, sequence 20
  Match clauses:
    ip address (access-lists): 2 
  Set clauses:
    ip next-hop 192.168.2.2
  Policy routing matches: 0 packets, 0 bytes

ping from R1 with source 10.1.1.1 to any IP address beyond R2..

R1#ping
Protocol [ip]: 
Target IP address: 3.3.3.3
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 10.1.1.1 
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1 
.....
Success rate is 0 percent (0/5)
*just fill in the highlighted entries (target address, extended commands, source address); for the rest just press enter

notice that 5 packets were sent.. based on our defined rule, all packets sourced from 10.1.1.0/24 will be forwarded to 192.168.1.2; now check the counter again

R2#sh route-map
route-map map1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1 
  Set clauses:
    ip next-hop 192.168.1.1 192.168.1.2
  Policy routing matches: 5 packets, 520 bytes
route-map map1, permit, sequence 20
  Match clauses:
    ip address (access-lists): 2 
  Set clauses:
    ip next-hop 192.168.2.2
  Policy routing matches: 0 packets, 0 bytes

you should see 5 packet matches on access-list 1.. :)  do the same for packets with a source address of 10.2.2.2

another way to prove this is by using Wireshark; you can enable it on any interface between R2 and R3/R4
this example captures R2 F0/1, which is facing R4

start capturing and ping 3.3.3.3 (or pick any suitable IP) with source address 10.2.2.2 from R1



you can see that there are packets from 10.2.2.2 with the ICMP (ping) protocol going through this link
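The route-map logic of this lab, modelled as an added Python example (not code from the post or from IOS): a standard ACL with a wildcard mask decides the match, the first usable next-hop is chosen, and the per-sequence counters mirror the `sh route-map` output. The next-hop selection rule and the 104 bytes per packet are assumptions noted in the comments.

```python
import ipaddress

# Constructed model of R2's PBR configuration from this lab (not IOS code).
# Standard access-lists with wildcard masks, as in "access-list 1 permit 10.1.1.0 0.0.0.255".
ACCESS_LISTS = {
    1: [("10.1.1.0", "0.0.0.255")],
    2: [("10.2.2.0", "0.0.0.255")],
}

# route-map map1: sequence number, access-list to match, candidate next-hops in order.
ROUTE_MAP = [
    {"seq": 10, "acl": 1, "next_hops": ["192.168.1.1", "192.168.1.2"]},
    {"seq": 20, "acl": 2, "next_hops": ["192.168.2.2"]},
]

# Assumption: the first next-hop R2 can resolve on a connected interface is used;
# 192.168.1.1 is R2's own F0/0 address, so in this model R3 (192.168.1.2) is chosen.
RESOLVABLE = {"192.168.1.2", "192.168.2.2"}

# Per-sequence hit counters, mirroring "Policy routing matches: N packets, M bytes".
COUNTERS = {e["seq"]: {"packets": 0, "bytes": 0} for e in ROUTE_MAP}


def acl_permits(acl_id, src):
    """Standard ACL check: bits set in the wildcard mask are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for net, wildcard in ACCESS_LISTS[acl_id]:
        n = int(ipaddress.IPv4Address(net))
        w = int(ipaddress.IPv4Address(wildcard))
        if (s & ~w) == (n & ~w):
            return True
    return False


def policy_route(src, size=104):
    """Next-hop chosen for a `size`-byte packet sourced from `src`, or None when
    no sequence matches and the packet falls back to normal routing (R2's RIB).
    104 bytes/packet is what the lab's counter implies: 520 bytes for 5 pings."""
    for entry in ROUTE_MAP:
        if not acl_permits(entry["acl"], src):
            continue
        COUNTERS[entry["seq"]]["packets"] += 1
        COUNTERS[entry["seq"]]["bytes"] += size
        for nh in entry["next_hops"]:
            if nh in RESOLVABLE:
                return nh
        return None   # matched but no usable next-hop: normal routing applies
    return None
```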

Tuesday, January 18, 2011

Administrative Distance Vs Longest Prefix Match

please set up your lab similar to the previous lab

add these lines to R2


router eigrp 1
 passive-interface Serial0/0
 network 10.1.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.3
 no auto-summary

ip route 192.168.0.0 255.255.0.0 172.16.2.1

now R2 has two routes to reach 192.168.1.1:
via EIGRP with AD = 90
via static route with AD = 1

R2#sh ip route
...
D    192.168.1.0/24 [90/2323456] via 10.1.1.1, 00:05:57, FastEthernet0/0
S    192.168.0.0/16 [1/0] via 172.16.2.1

guess.. which path will the router use to reach 192.168.1.1? some of you may have thought it'll be the static route because it has AD = 1; let's test..

R2#traceroute 192.168.1.1
..
  1 10.1.1.1 4 msec 4 msec 4 msec
  2 172.16.1.1 12 msec 12 msec * 

unfortunately it chose the route learned via EIGRP.. through R3. This is because the lookup prefers the longest prefix match over AD: AD only decides between candidate routes for the same prefix, while the forwarding lookup always picks the most specific installed prefix

destination : 192.168.1.1
EIGRP route = 192.168.1.0/24
Static route = 192.168.0.0/16

EIGRP has the longest match..


floating static route - gns3

using a static route when the dynamic route is not available

the primary link between networks 192.168.1.0/24 and 10.1.1.0/24 is through R3, each learned from the other via EIGRP. R2 is a backup link in case the primary link is not available

*this is not a complete routing solution; this lab only looks from R1's point of view at reaching 10.1.1.0/24

R1
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0
 ip address 172.16.2.1 255.255.255.252
 clock rate 56000
!
interface Serial0/1
 ip address 172.16.1.1 255.255.255.252
 clock rate 56000
!
router eigrp 1
 network 10.0.0.0
 network 172.16.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip route 10.1.1.0 255.255.255.0 172.16.2.2 190
!

R2
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.16.2.2 255.255.255.252
 clock rate 56000
!
ip route 192.168.0.0 255.255.0.0 172.16.2.1

R3
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.16.1.2 255.255.255.252
 clock rate 56000
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.3
 no auto-summary

-----------------------------------------------------

we've configured two routes for R1 to reach 10.1.1.0

router eigrp 1
network 10.0.0.0
..

and

ip route 10.1.1.0 255.255.255.0 172.16.2.2 190

only the route with the lowest AD is installed into the routing table
in this case the route from EIGRP (AD=90) wins over the static route (AD=190, as we defined)

R1#sh ip route
..

     10.0.0.0/24 is subnetted, 1 subnets
D       10.1.1.0 [90/2195456] via 172.16.1.2, 00:05:22, Serial0/1
C    192.168.1.0/24 is directly connected, Loopback1

this is what we call a floating static route. by default the AD for a static route is 1; because we want this route to back up the primary EIGRP link in case it's not available, we made its AD higher than the EIGRP AD

shut down the primary link to see the effect..


R1(config)#int ser 0/1
R1(config-if)#shut

R1#sh ip route
..
     10.0.0.0/24 is subnetted, 1 subnets
S       10.1.1.0 [190/0] via 172.16.2.2

the new route comes into place.. via static with AD 190, through 172.16.2.2 which is R2
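Both the "Administrative Distance Vs Longest Prefix Match" post above and this floating static route lab come down to the same two-step rule, shown here as an added Python model (not code from the posts or from IOS): candidates for the same prefix compete on AD to get installed, and the lookup then takes the longest installed prefix. Metric tie-breaking between equal-AD routes is out of scope and the next-hop values are taken from the lab outputs.

```python
import ipaddress

# Constructed RIB model (not IOS code). Candidate routes for the same prefix
# compete on administrative distance; the forwarding lookup then takes the
# longest installed prefix. EIGRP metric tie-breaking is out of scope here.
class Rib:
    def __init__(self):
        self.candidates = {}   # prefix -> [(ad, source, next_hop), ...]

    def add(self, prefix, ad, source, next_hop):
        net = ipaddress.ip_network(prefix)
        self.candidates.setdefault(net, []).append((ad, source, next_hop))

    def withdraw(self, prefix, source):
        """Drop one source's route, e.g. EIGRP losing its path when Serial0/1 is shut."""
        net = ipaddress.ip_network(prefix)
        self.candidates[net] = [c for c in self.candidates.get(net, []) if c[1] != source]

    def table(self):
        """Installed routes: per prefix, only the candidate with the lowest AD."""
        return {net: min(c) for net, c in self.candidates.items() if c}

    def lookup(self, dst):
        """Longest-prefix match over installed routes; AD plays no part here."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, (ad, source, nh) in self.table().items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ad, source, nh)
        if best is None:
            return None
        return {"prefix": str(best[0]), "ad": best[1], "source": best[2], "next_hop": best[3]}


def ad_vs_lpm():
    """R2 in the 'Administrative Distance Vs Longest Prefix Match' post."""
    rib = Rib()
    rib.add("192.168.1.0/24", 90, "eigrp", "10.1.1.1")
    rib.add("192.168.0.0/16", 1, "static", "172.16.2.1")
    return rib.lookup("192.168.1.1")


def floating_static():
    """R1 in the floating static route post, before and after shutting Serial0/1."""
    rib = Rib()
    rib.add("10.1.1.0/24", 90, "eigrp", "172.16.1.2")
    rib.add("10.1.1.0/24", 190, "static", "172.16.2.2")
    before = rib.lookup("10.1.1.1")
    rib.withdraw("10.1.1.0/24", "eigrp")   # primary link down, EIGRP route gone
    after = rib.lookup("10.1.1.1")
    return before, after
```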

a few useful show ip commands..

sh ip route


R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is not set


     172.16.0.0/30 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/1
C       172.16.2.0 is directly connected, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
D       10.1.1.0 [90/2195456] via 172.16.1.2, 00:02:01, Serial0/1
C    192.168.1.0/24 is directly connected, Loopback1

  • type of network; static, connected
  • or how the router learned it; EIGRP, OSPF, and from which interface it learned it

let's be more specific
show ip route [address]

R1#sh ip rou 10.1.1.1
Routing entry for 10.1.1.0/24
  Known via "eigrp 1", distance 90, metric 2195456, type internal
  Redistributing via eigrp 1
  Last update from 172.16.1.2 on Serial0/1, 00:07:16 ago
  Routing Descriptor Blocks:
  * 172.16.1.2, from 172.16.1.2, 00:07:16 ago, via Serial0/1
      Route metric is 2195456, traffic share count is 1
      Total delay is 21000 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

  • how it's learned, ex; EIGRP, static or connected..
  • how long since the route was learned; this can be useful when you want to check how long a link has been down, up time.. etc
  • the bandwidth information reflects the value configured on the interface.. whatever value you put there is what shows up here

show ip route connected
show ip route static

  • issue these two commands if you want to filter or be more specific on the type of route

show ip route summary

R1#sh ip rou sum
IP routing table name is Default-IP-Routing-Table(0)
IP routing table maximum-paths is 16
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       1           2           216         408
static          0           0           0           0
eigrp 1         0           1           72          136
internal        2                                   2312
Total           3           3           288         2856
Removing Queue Size 0

  • this summarizes all your routing information based on Networks, Subnets, Overhead (other memory used) and Memory


Wednesday, January 12, 2011

AAA Authentication TACACS+ with ACS - adding a device into ACS


Adding a device

  • Click on Network Configuration
  • Go to the bottom of the page, click on Add Entry

  • Create a group and give it a name, ex.. Branch_1
  • *Shared Secret: if all of your devices in this group share the same key, you can fill it in now.. I leave it blank because I want to fill in the key on each individual router later
  • Leave the rest of the options as default

  • Click again on Network Configuration; you should be able to see your group now
  • Click on it
  • Go to the bottom of the page, click Add Entry


  • Fill in the form, leave the rest as default..
  • *Authenticate using: since this tutorial is for Cisco IOS, I choose Cisco IOS
  • At the bottom of the page, click Submit + Apply

AAA Authentication with ACS - TACACS+


Click here for the settings on ACS

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server key secret
tacacs-server attempts 3
end


Once you configure aaa authentication, the router starts to ignore the local passwords for all lines (vty, console etc..)

The 2nd and 3rd lines tell the router to use the tacacs server (for login and enable)

Define your tacacs server; you can put more than one server for failover purposes.. the router will try them sequentially

Define the key or password for this router to communicate with the tacacs server; both sides must be the same

3 attempts before the session is dropped



Another way to define tacacs servers is by grouping them

aaa group server tacacs+ groupA
 server 1.1.1.1
 server 2.2.2.2

Then remove these lines


tacacs-server host 1.1.1.1 (and 2.2.2.2)

And replace the tacacs+ keyword with the group name


aaa authentication login default group groupA



What if there's no connection to the tacacs+ server at all, for whatever reason..

The solution is to add another method after tacacs+; should tacacs+ be unreachable, the router will try the next method (the keyword at the end of each line, highlighted in yellow)


aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

This means that if tacacs cannot be reached, the router will prompt for the enable password

List of methods

  • tacacs+ : TACACS+ authentication
  • radius : RADIUS authentication
  • line : Line-based authentication (password)
  • local : Local username authentication
  • local-case : Case-sensitive local authentication
  • enable : Enable password or enable secret
  • none : No authentication

In my environment we prefer the console line to use the local password; this is how to do it


Add a new authentication method list (groupB) and define it to use the method local

aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authentication login groupB local

..

Nothing happens yet until you add these lines

line con 0
 login authentication groupB


Once a user consoles into the router, this line tells it that the console is under groupB, and this group uses the method local
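The method-list behaviour described in this post, as an added Python model (not code from the post or from IOS): a method that cannot answer (no tacacs server reachable) lets the list fall through to the next one, while an explicit reject or accept from a reachable server is final, and the console line is mapped to groupB instead of default. The usernames and secrets are constructed sample values.

```python
# Constructed model of IOS AAA method-list evaluation (not IOS code). A method
# that cannot give a verdict (server unreachable) returns ERROR and the next
# method in the list is tried; PASS and FAIL are final and stop the list.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def make_tacacs(servers, reachable, accounts):
    """TACACS+ server group: servers are tried in order; the first reachable one answers."""
    def method(user, pwd):
        for srv in servers:
            if srv in reachable:
                return PASS if accounts.get(user) == pwd else FAIL
        return ERROR            # no server answered: fall through to the next method
    return method


def make_local(accounts):
    """Method 'local': the router's own username database."""
    def method(user, pwd):
        return PASS if accounts.get(user) == pwd else FAIL
    return method


def make_enable(secret):
    """Method 'enable': the enable password or secret, regardless of username."""
    def method(user, pwd):
        return PASS if pwd == secret else FAIL
    return method


def authenticate(method_list, user, pwd):
    """Walk the list; ERROR continues, anything else is the final answer."""
    for m in method_list:
        verdict = m(user, pwd)
        if verdict != ERROR:
            return verdict
    return FAIL                 # every method errored: access denied


def build_router(tacacs_reachable):
    """Mirrors the post's final config; `tacacs_reachable` is the set of servers that are up."""
    tacacs = make_tacacs(["1.1.1.1", "2.2.2.2"], tacacs_reachable, {"alice": "acs-pw"})
    lists = {
        "default": [tacacs, make_enable("en-secret")],   # login default group tacacs+ enable
        "groupB": [make_local({"admin": "local-pw"})],    # login groupB local
    }
    line_lists = {"con 0": "groupB"}                      # line con 0 / login authentication groupB

    def login(line, user, pwd):
        return authenticate(lists[line_lists.get(line, "default")], user, pwd)
    return login
```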