CCIE #21047

OSPF Totally NSSA Area

Chris van den Brink, CCIE #21047 — Sun, 13 Dec 2009 20:13:45 +0000

This post will be about OSPF Totally Not-So-Stubby-Area’s. In the previous posts we talked about the OSPF nssa area type. For this post I will use the same topology as in the previous two posts, see below :

Let’s configure area 2 as a totally not-so-stubby-area. We need to configure the ABR with the area x nssa no-summary command and the rest of the routers in the area with the area x nssa command. See below :

R4 & R2 :


R4(config)#router ospf 1
R4(config-router)#area 2 nssa no-summary

R2(config)#router ospf 1
R2(config-router)#area 2 nssa

Now let’s look at the routing table of router R2 :

R2 :


R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.14.4 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
C    192.168.14.0/24 is directly connected, FastEthernet2/0
O*IA 0.0.0.0/0 [110/2] via 192.168.14.4, 00:09:05, FastEthernet2/0

R2#sh ip ospf dat

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         574         0x80000004 0x0027FD 1
4.4.4.4         4.4.4.4         573         0x80000004 0x00B35C 1

                Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.14.4    4.4.4.4         573         0x80000003 0x00414D

                Summary Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         4.4.4.4         578         0x80000001 0x00C065

As you can see in an totally not-so-stubby-area LSA types 3,4,5 will be blocked. A default-route is generated by the ABR.

OSPF NSSA Area

Chris van den Brink, CCIE #21047 — Sun, 06 Dec 2009 21:51:05 +0000

This post will be about OSPF Not-So-Stubby-Area’s. In the previous posts we talked about stubby and not-so-stubby-area’s. For this post I will use the same topology as in the previous two posts, see below :

On Router 1 we again redistribute the interface 172.20.1.1/24 into OSPF :

R1 :


router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 redistribute connected subnets route-map CONNECTED
 network 172.16.15.1 0.0.0.0 area 51
!
route-map CONNECTED permit 10
 match interface FastEthernet3/0
!
interface FastEthernet3/0
 ip address 172.20.1.1 255.255.255.0
 duplex auto
 speed auto

Let’s make area 2 a nssa area and see how it impacts the LSA’s and the routing-table.

We need to issue the “area 2 nssa” command on Router 2 and Router 4.

R2 :


Router 2 :

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 area 2 nssa
 network 192.168.14.2 0.0.0.0 area 2

Router 4 :
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 2 nssa
 network 10.1.34.4 0.0.0.0 area 0
 network 192.168.14.4 0.0.0.0 area 2

Now let’s take a look at the routing-table and the OSPF database on Router 2 :

R2 :


R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
C    192.168.14.0/24 is directly connected, FastEthernet2/0
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.15.0 [110/4] via 192.168.14.4, 01:29:51, FastEthernet2/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.35.0 [110/3] via 192.168.14.4, 01:29:51, FastEthernet2/0
O IA    10.1.34.0 [110/2] via 192.168.14.4, 01:29:51, FastEthernet2/0
R2#sh ip ospf database

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         1412        0x80000008 0x001F02 1
4.4.4.4         4.4.4.4         1402        0x80000008 0x00AB60 1

                Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.14.4    4.4.4.4         1402        0x80000007 0x003951

                Summary Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.34.0       4.4.4.4         412         0x80000007 0x00AE44
10.1.35.0       4.4.4.4         412         0x80000005 0x00B141
172.16.15.0     4.4.4.4         412         0x80000005 0x00A1B2

As you can see a NSSA area blocks type 4 & type 5 LSA’s and doesn’t originate a default-route by default.

Although the ABR doesn’t originate a default-route in a NSSA area by default it is possible to let the ABR originate a default route, this can be done like below on the ABR :

R4 :


R4(config-router)#area 2 nssa default-information-originate

Now let’s take a look on Router 2 again :

R2 :


R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.14.4 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
C    192.168.14.0/24 is directly connected, FastEthernet2/0
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.15.0 [110/4] via 192.168.14.4, 01:34:36, FastEthernet2/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.35.0 [110/3] via 192.168.14.4, 01:34:36, FastEthernet2/0
O IA    10.1.34.0 [110/2] via 192.168.14.4, 01:34:36, FastEthernet2/0
O*N2 0.0.0.0/0 [110/1] via 192.168.14.4, 00:01:46, FastEthernet2/0
R2#sh ip ospf database

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         1696        0x80000008 0x001F02 1
4.4.4.4         4.4.4.4         1686        0x80000008 0x00AB60 1

                Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.14.4    4.4.4.4         1686        0x80000007 0x003951

                Summary Net Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.34.0       4.4.4.4         695         0x80000007 0x00AE44
10.1.35.0       4.4.4.4         695         0x80000005 0x00B141
172.16.15.0     4.4.4.4         695         0x80000005 0x00A1B2

                Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         4.4.4.4         113         0x80000001 0x00B372 0

As you can see a default-route is now originated by the ABR. This is the type 7 (N2) LSA.

The next post will be about the OSPF totally not so stubby area type.

OSPF Totally Stubby Area

Chris van den Brink, CCIE #21047 — Sun, 06 Dec 2009 13:33:06 +0000

In my previous post I talked about OSPF stub area’s and how they impact the routing table and the OSPF database. This post will be about totally stubby area’s in OSPF.

I will continue this post where the previous post stopped. The diagram that will be used in this post is also the same, see below :

As you can see in the previous post stubby-area’s remove LSA type 4 & type 5 routes and replaces the type 5 LSA with a default-route. See below the routing table when R2 & R4 are configured with the “area 2 stub” command under the OSPF proces :

R2 :



R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.14.4 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
C    192.168.14.0/24 is directly connected, FastEthernet2/0
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.15.0 [110/4] via 192.168.14.4, 00:01:59, FastEthernet2/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.35.0 [110/3] via 192.168.14.4, 00:01:59, FastEthernet2/0
O IA    10.1.34.0 [110/2] via 192.168.14.4, 00:01:59, FastEthernet2/0
O*IA 0.0.0.0/0 [110/2] via 192.168.14.4, 00:01:59, FastEthernet2/0

R2#sh ip ospf database

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 2) <-- LSA type 1

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         136         0x80000005 0x009D8E 1
4.4.4.4         4.4.4.4         136         0x80000005 0x0024F4 1

                Net Link States (Area 2) <-- LSA type 2

Link ID         ADV Router      Age         Seq#       Checksum
192.168.14.4    4.4.4.4         132         0x80000004 0x00B7DD

                Summary Net Link States (Area 2) <-- LSA type 3

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         4.4.4.4         154         0x80000001 0x0039F4
10.1.34.0       4.4.4.4         154         0x80000005 0x002BD1
10.1.35.0       4.4.4.4         154         0x80000003 0x002ECE
172.16.15.0     4.4.4.4         154         0x80000003 0x001E40

To configure an area as a totally stubby area you only need to issue the command “area 2 stub no-summary” under the OSPF process on the ABR.

So on Router 4 :

R4 :


R4(config)#router ospf 1
R4(config-router)#area 2 stub no-summary

Now let’s take a look at the routing-table and the OSPF database so we can compare this with the “stub area” routing-table and the OSPF database on Router R2:

R2 :


R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.14.4 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
C    192.168.14.0/24 is directly connected, FastEthernet2/0
O*IA 0.0.0.0/0 [110/2] via 192.168.14.4, 00:02:36, FastEthernet2/0
R2#sh ip ospf dat

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 2) <-- LSA type 1

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         169         0x80000005 0x009D8E 1
4.4.4.4         4.4.4.4         145         0x80000005 0x0024F4 1

                Net Link States (Area 2) <-- LSA type 2

Link ID         ADV Router      Age         Seq#       Checksum
192.168.14.4    4.4.4.4         145         0x80000004 0x00B7DD

                Summary Net Link States (Area 2) <-- Default route replaces all LSA type 3 routes 

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         4.4.4.4         172         0x80000001 0x0039F4

As you can see in the routing-table and the OSPF database above not only the LSA type 4 & 5 routes are gone but also the type 3 LSA’s are no longer there. So for totally stubby area’s we can state that no type 3,4 and 5 LSA’s are allowed. A default route is injected into the area from the ABR.

The next post will be about the OSPF NSSA type.

OSPF Stub Area

Chris van den Brink, CCIE #21047 — Thu, 03 Dec 2009 21:36:16 +0000

In this post I will explain OSPF stub area types and the impact this will have on the routing table / OSPF database. Below is the diagram I will use in this post :

Below the configuration for OSPF on the routers with which we will start.

OSPF Configurations :


Router 1 : 

router ospf 1
router-id 1.1.1.1
log-adjacency-changes
redistribute connected subnets route-map CONNECTED
network 172.16.15.1 0.0.0.0 area 51
!
route-map CONNECTED permit 10
 match interface FastEthernet3/0
!
interface FastEthernet3/0
 ip address 172.20.1.1 255.255.255.0
 duplex auto
 speed auto
end

Router 5 :

router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 network 10.1.35.5 0.0.0.0 area 0
 network 172.16.15.5 0.0.0.0 area 51

Router 3 :

router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 10.1.34.3 0.0.0.0 area 0
 network 10.1.35.3 0.0.0.0 area 0

Router 4 :

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 10.1.34.4 0.0.0.0 area 0
 network 192.168.14.4 0.0.0.0 area 2

Router 2 :

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 192.168.14.2 0.0.0.0 area 2

Let’s take a look at the routing table and the OSPF database of Router R2 since this will be the area we will make stub (and stub no-summary in the next post).

R2 :


R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
C    192.168.14.0/24 is directly connected, FastEthernet2/0
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.15.0 [110/4] via 192.168.14.4, 00:52:10, FastEthernet2/0
     172.20.0.0/24 is subnetted, 1 subnets
O E2    172.20.1.0 [110/20] via 192.168.14.4, 00:52:00, FastEthernet2/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.35.0 [110/3] via 192.168.14.4, 00:52:10, FastEthernet2/0
O IA    10.1.34.0 [110/2] via 192.168.14.4, 00:52:10, FastEthernet2/0

R2#sh ip ospf database

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 2) <-- LSA type 1

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         1252        0x80000003 0x0083A8 1
4.4.4.4         4.4.4.4         1243        0x80000003 0x000A0F 1

                Net Link States (Area 2) <-- LSA type 2

Link ID         ADV Router      Age         Seq#       Checksum
192.168.14.4    4.4.4.4         1243        0x80000002 0x009DF7

                Summary Net Link States (Area 2) <-- LSA type 3

Link ID         ADV Router      Age         Seq#       Checksum
10.1.34.0       4.4.4.4         1243        0x80000004 0x000FEC
10.1.35.0       4.4.4.4         1243        0x80000002 0x0012E9
172.16.15.0     4.4.4.4         1243        0x80000002 0x00025B

                Summary ASB Link States (Area 2) <-- LSA type 4

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         4.4.4.4         1243        0x80000002 0x00F033

                Type-5 AS External Link States <-- LSA type 5

Link ID         ADV Router      Age         Seq#       Checksum Tag
172.20.1.0      1.1.1.1         1238        0x80000002 0x0007D2 0

As you can see there are Inter-Area routes (IA) and External E2 routes (External E2 - these are the redistributed routes into OSPF on router R1) in the routing table.

In the OSPF database you can see LSA types 1,2,3,4 and 5. Now let’s change Area 2 into a Stub area and see what it will do to the routing table and the OSPF database.

R2 & R4 :


R4(config)#router ospf 1
R4(config-router)#area 2 stub

R2(config)#router ospf 1
R2(config-router)#area 2 stub

R2 :



R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.14.4 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
C    192.168.14.0/24 is directly connected, FastEthernet2/0
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.15.0 [110/4] via 192.168.14.4, 00:01:59, FastEthernet2/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.35.0 [110/3] via 192.168.14.4, 00:01:59, FastEthernet2/0
O IA    10.1.34.0 [110/2] via 192.168.14.4, 00:01:59, FastEthernet2/0
O*IA 0.0.0.0/0 [110/2] via 192.168.14.4, 00:01:59, FastEthernet2/0

R2#sh ip ospf database

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Router Link States (Area 2) <-- LSA type 1

Link ID         ADV Router      Age         Seq#       Checksum Link count
2.2.2.2         2.2.2.2         136         0x80000005 0x009D8E 1
4.4.4.4         4.4.4.4         136         0x80000005 0x0024F4 1

                Net Link States (Area 2) <-- LSA type 2

Link ID         ADV Router      Age         Seq#       Checksum
192.168.14.4    4.4.4.4         132         0x80000004 0x00B7DD

                Summary Net Link States (Area 2) <-- LSA type 3

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         4.4.4.4         154         0x80000001 0x0039F4
10.1.34.0       4.4.4.4         154         0x80000005 0x002BD1
10.1.35.0       4.4.4.4         154         0x80000003 0x002ECE
172.16.15.0     4.4.4.4         154         0x80000003 0x001E40

In the routing table you can see that the External E2 route is gone, in the OSPF database you can also see the type 4 and 5 LSA’s are gone. So looking at the routing table and the OSPF database we can now state that a stub area blocks type 5 LSA’s and therefore make the type 4 LSA’s unnecessary, the type 5 LSA’s are replaced with a default route. It does allow type 3 lsa’s.

In the next post I will write about stub no-summary area’s and show the impact on the routing-table and OSPF database.

ASA/PIX Basic Configuration I

Chris van den Brink, CCIE #21047 — Wed, 25 Nov 2009 21:27:25 +0000

It’s been a while since I wrote posts on this website, the reason for this was that a lot of things happened to me which kept me from writing posts more often. From now on I will try my best to put some posts up here once in a while again. I’ll start up with some simple Firewall post, hope you appreciate it. Oh yeah for I forget, please click on my google-ads once in a while to keep this site going.
In this lab I am going to show a basic configuration for the network in the picture below.

As you can see the network has an outside, dmz and an inside which has two networks. The security-levels will be 100 on the inside, 50 for DMZ and 0 for outside. When configured like this only traffic from high to low will be permitted. So in this case traffic from inside to DMZ, inside to outside and from DMZ to outside will be possible.

Firewall :


Firewall(config)# interface ethernet0/0
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Firewall(config-if)# ip address 99.99.99.1 255.255.255.0
Firewall(config-if)# no shutdown
Firewall(config-if)# exit
Firewall(config)# interface ethernet0/1
Firewall(config-if)# nameif inside
Firewall(config-if)# security-level 100
Firewall(config-if)# ip address 10.1.1.1 255.255.255.252
Firewall(config-if)# no shutdown
Firewall(config-if)# exit
Firewall(config)# interface ethernet0/2
Firewall(config-if)# nameif dmz
Firewall(config-if)# security-level 50
Firewall(config-if)# ip address 172.26.1.1 255.255.255.0
Firewall(config-if)# no shutdown

As you can see there are two inside networks. The firewall should know where to find these networks, this can be done like below :


Firewall(config)# route inside 10.10.2.0 255.255.255.0 10.1.1.2
Firewall(config)# route inside 10.10.3.0 255.255.255.0 10.1.1.2

Next we want to make it possible for the inside users and the DMZ users(for now) to go to the internet, for this we will have to put PAT in place. This way the ASA will use its outside ip-address as a PAT address pool. So all inside users going out onto the internet will use the ip-address 99.99.99.1 in this case


Firewall(config)# nat-control
Firewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Firewall(config)# nat (dmz) 1 0.0.0.0 0.0.0.0
Firewall(config)# global (outside) 1 interface

In the next post we will configure some basic ACL’s, NAT and Statics.

Inter-AS MPLS solutions - Back-to-Back vrf’s

Chris van den Brink, CCIE #21047 — Thu, 05 Feb 2009 21:20:57 +0000

When configuring inter-as mpls vpn’s you’ve got 3 options to choose from.

A - Back-to-Back VRF’s
B - MP-eBGP for VPNv4
C - Multi-hop EBGP VPNv4

This post is about option A. I will show how to configure inter-as vpn’s using back-to-back vrf’s. Below you can see the diagram used for the purpose of this post.

With back-to-back vrf’s what you’ll do is basically make the connected PE’s think of each other as CE’s. You can run any supported PE-CE routing protocol over the per VPN logical interface between the directly connected ASBR’s. This option is seen as the easiest one to configure, a drawback is that this option doesn’t scale very well as the numbers of VPN’s start to grow.

Below the working configurations for this inter-as solution, I left out the configurations for router R1, R5, R7 and R8 because there is nothing special configured on these routers (they’re just simple P-routers and CE routers running RIPv2).

R2 :


hostname R2
!
ip cef
!
ip vrf VPN_A
 rd 2.2.2.2:1
 route-target export 2.2.2.2:1
 route-target import 3.3.3.3:1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip vrf forwarding VPN_A
 ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding VPN_A
 ip address 24.24.24.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 12.12.12.2 255.255.255.0
 duplex auto
 speed auto
 tag-switching ip
!
router ospf 100 vrf VPN_A
 log-adjacency-changes
 redistribute bgp 123 subnets
 network 22.22.22.22 0.0.0.0 area 0
 network 24.24.24.2 0.0.0.0 area 0
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 12.12.12.2 0.0.0.0 area 0
!
router bgp 123
 bgp router-id 2.2.2.2
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 123
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
 neighbor 3.3.3.3 activate
 neighbor 3.3.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
 redistribute ospf 100 vrf VPN_A match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family

R4 :


hostname R4
!
ip cef
!
ip vrf VPN_A
 rd 4.4.4.4:1
 route-target export 4.4.4.4:1
 route-target import 6.6.6.6:1
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip vrf forwarding VPN_A
 ip address 44.44.44.44 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding VPN_A
 ip address 24.24.24.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 45.45.45.4 255.255.255.0
 duplex auto
 speed auto
 tag-switching ip
!
router ospf 100 vrf VPN_A
 log-adjacency-changes
 redistribute bgp 456 subnets
 network 24.24.24.4 0.0.0.0 area 0
 network 44.44.44.44 0.0.0.0 area 0
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 45.45.45.4 0.0.0.0 area 0
!
router bgp 456
 bgp router-id 4.4.4.4
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 6.6.6.6 remote-as 456
 neighbor 6.6.6.6 update-source Loopback0
 !
 address-family vpnv4
 neighbor 6.6.6.6 activate
 neighbor 6.6.6.6 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
 redistribute ospf 100 vrf VPN_A match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family

R3 :


hostname R3
!
ip cef
!
ip vrf VPN_A
 rd 3.3.3.3:1
 route-target export 3.3.3.3:1
 route-target import 2.2.2.2:1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 13.13.13.3 255.255.255.0
 duplex auto
 speed auto
 tag-switching ip
!
interface FastEthernet2/0
 ip vrf forwarding VPN_A
 ip address 37.37.37.3 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 13.13.13.3 0.0.0.0 area 0
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute bgp 123 metric transparent
 network 37.0.0.0
 no auto-summary
 exit-address-family
!
router bgp 123
 bgp router-id 3.3.3.3
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
 neighbor 2.2.2.2 activate
 neighbor 2.2.2.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
 redistribute rip
 no auto-summary
 no synchronization
 exit-address-family

R6 :


hostname R6
!
ip cef
!
ip vrf VPN_A
 rd 6.6.6.6:1
 route-target export 6.6.6.6:1
 route-target import 4.4.4.4:1
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding VPN_A
 ip address 61.61.61.6 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 56.56.56.6 255.255.255.0
 duplex auto
 speed auto
 tag-switching ip
!
interface FastEthernet2/0
 ip vrf forwarding VPN_A
 ip address 68.68.68.6 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 6.6.6.6
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 0
 network 56.56.56.6 0.0.0.0 area 0
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute bgp 456 metric transparent
 network 68.0.0.0
 no auto-summary
 exit-address-family
!
router bgp 456
 bgp router-id 6.6.6.6
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 456
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
 redistribute rip
 no auto-summary
 no synchronization
 exit-address-family

As you can see we run a separate instance of the OSPF process between router R2 and R4, under this process we redistribute BGP.

Now let’s do a “show ip route” on router R7 :

R7 :


R7#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     68.0.0.0/24 is subnetted, 1 subnets
R       68.68.68.0 [120/2] via 37.37.37.3, 00:00:07, FastEthernet1/3
     37.0.0.0/24 is subnetted, 1 subnets
C       37.37.37.0 is directly connected, FastEthernet1/3
     22.0.0.0/32 is subnetted, 1 subnets
R       22.22.22.22 [120/1] via 37.37.37.3, 00:00:07, FastEthernet1/3
     7.0.0.0/32 is subnetted, 1 subnets
C       7.7.7.7 is directly connected, Loopback0
     8.0.0.0/32 is subnetted, 1 subnets
R       8.8.8.8 [120/2] via 37.37.37.3, 00:00:07, FastEthernet1/3
     24.0.0.0/24 is subnetted, 1 subnets
R       24.24.24.0 [120/1] via 37.37.37.3, 00:00:07, FastEthernet1/3
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.44 [120/3] via 37.37.37.3, 00:00:09, FastEthernet1/3

As you can see router R7 can see router R8

MPLS LAB - PE to CE routing - OSPF (different PID)

Chris van den Brink, CCIE #21047 — Fri, 16 Jan 2009 16:21:25 +0000

In this post OSPF will again be the PE to CE routing-protocol. The only difference with the previous post is that the OSPF PID between router R3 and R7 will be 20.

Below the diagram again :

The changes made on router R3 and R7 below :

R3 :


router ospf 20 vrf VPN_A
 router-id 37.37.37.3
 log-adjacency-changes
 redistribute bgp 100 subnets
 network 37.37.37.3 0.0.0.0 area 0
!
router bgp 100
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute ospf 20 vrf VPN_A match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family

R7 :


router ospf 20
 router-id 7.7.7.7
 log-adjacency-changes
 redistribute connected subnets
 network 37.37.37.7 0.0.0.0 area 0

The “show ip route” output on router R7 before changing the PID from 10 (like configured in the previous post) to 20 on router R3 and R7 :

R7 :


R7#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     37.0.0.0/24 is subnetted, 1 subnets
C       37.37.37.0 is directly connected, FastEthernet1/3
     7.0.0.0/32 is subnetted, 1 subnets
C       7.7.7.7 is directly connected, Loopback0
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 37.37.37.3, 00:02:19, FastEthernet1/3
     61.0.0.0/24 is subnetted, 1 subnets
O IA    61.61.61.0 [110/2] via 37.37.37.3, 00:02:19, FastEthernet1/3

After changing the PID to 20 the “show ip route” output on router R7 looks like below , notice that now all routes are seen as external routes.

The “show ip route” output on router R7 after changing the PID on router R3 and R7 :

R7 :


R7#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     37.0.0.0/24 is subnetted, 1 subnets
C       37.37.37.0 is directly connected, FastEthernet1/3
     7.0.0.0/32 is subnetted, 1 subnets
C       7.7.7.7 is directly connected, Loopback0
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 37.37.37.3, 00:00:59, FastEthernet1/3
     61.0.0.0/24 is subnetted, 1 subnets
O E2    61.61.61.0 [110/1] via 37.37.37.3, 00:00:59, FastEthernet1/3

MPLS LAB - PE to CE routing - OSPF (same PID)

Chris van den Brink, CCIE #21047 — Fri, 16 Jan 2009 06:53:29 +0000

In this post I will configure OSPF as the PE to CE routing protocol. You can see the drawing below. Notice that for this post I will use the same proces-id’s between te PE’s and CE’s (PID 10).

The domain-id is derived from the proces-id but can also be manually set (More on this in the next post).

- When the domain-id’s match between the PE and CE’s like on the drawing below OSPF routes will show up as inter-area routes.

- When the domain-id’s do not match between the PE and CE’s like the drawing in the next post, OSPF routes will show up as external routes.

Below the coniguration that goes with the drawing (I am only going to show the configuration for VPN_A again since the configuration for VPN_B is the same) :

Router R3 :

R3 :


router ospf 10 vrf VPN_A
 router-id 37.37.37.3
 log-adjacency-changes
 redistribute bgp 100 subnets
 network 37.37.37.3 0.0.0.0 area 0
!
router bgp 100
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute ospf 10 vrf VPN_A match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family

Router R7 :

R7 :


router ospf 10
 router-id 7.7.7.7
 log-adjacency-changes
 redistribute connected subnets
 network 37.37.37.7 0.0.0.0 area 0

Router R6 :

R6 :


router ospf 10 vrf VPN_A
 router-id 61.61.61.6
 log-adjacency-changes
 redistribute bgp 100 subnets
 network 61.61.61.6 0.0.0.0 area 0
!
router bgp 100
 no synchronization
 bgp router-id 6.6.6.6
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute ospf 10 vrf VPN_A match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family

Router R11 :

R11 :


router ospf 10
 router-id 11.11.11.11
 log-adjacency-changes
 redistribute connected subnets
 network 61.61.61.11 0.0.0.0 area 0

Below the “show ip route” output on router R11 and R7 :

R7 and R11 :


R7#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     37.0.0.0/24 is subnetted, 1 subnets
C       37.37.37.0 is directly connected, FastEthernet1/3
     7.0.0.0/32 is subnetted, 1 subnets
C       7.7.7.7 is directly connected, Loopback0
     11.0.0.0/32 is subnetted, 1 subnets
O E2    11.11.11.11 [110/20] via 37.37.37.3, 00:10:11, FastEthernet1/3
     61.0.0.0/24 is subnetted, 1 subnets
O IA    61.61.61.0 [110/2] via 37.37.37.3, 00:11:11, FastEthernet1/3

R11#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     37.0.0.0/24 is subnetted, 1 subnets
O IA    37.37.37.0 [110/2] via 61.61.61.6, 00:08:29, FastEthernet2/0
     7.0.0.0/32 is subnetted, 1 subnets
O E2    7.7.7.7 [110/20] via 61.61.61.6, 00:08:29, FastEthernet2/0
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback0
     61.0.0.0/24 is subnetted, 1 subnets
C       61.61.61.0 is directly connected, FastEthernet2/0

As you can see external routes remain external and the routes from VPN site 1 show up as inter-area routes on VPN site 2.

In the next post I will configure OSPF as PE to CE routing protocol with different proces-id’s.

MPLS LAB - PE to CE routing - EIGRP (different AS PE-CE)

Chris van den Brink, CCIE #21047 — Wed, 14 Jan 2009 21:31:22 +0000

Now that we’ve seen EIGRP as PE to CE routing protocol with the same AS being used between the PE and CE at different VPN sites I will configure EIGRP between the PE and CE but this time with AS number 21047 between router R6 and router R11 and AS number 21048 between router R3 and router R7.

The config will be the same as in the previous post only the config for router R3 and R7 is changed somewhat, see below the config on router R3 and router R7.

Router R3’s config :

R3 :


router eigrp 21047
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute bgp 100 metric 10000 1 255 1 1500
 network 37.37.37.3 0.0.0.0
 no auto-summary
 autonomous-system 21048
 exit-address-family
!
router bgp 100
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loopback0
 no auto-summary
 !
address-family ipv4 vrf VPN_A
 redistribute eigrp 21048
 no auto-summary
 no synchronization
 exit-address-family

Router R7’s config :

R7 :


router eigrp 21048
 redistribute connected metric 10000 1 255 1 1500 route-map LO1
 network 7.7.7.7 0.0.0.0
 network 37.37.37.7 0.0.0.0
 no auto-summary

And the “show ip route” on router R11 :

R11 :


R11#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     37.0.0.0/24 is subnetted, 1 subnets
D EX    37.37.37.0 [170/258816] via 61.61.61.6, 00:13:10, FastEthernet2/0
     7.0.0.0/32 is subnetted, 1 subnets
D EX    7.7.7.7 [170/258816] via 61.61.61.6, 00:11:40, FastEthernet2/0
     77.0.0.0/32 is subnetted, 1 subnets
D EX    77.77.77.77 [170/258816] via 61.61.61.6, 00:11:40, FastEthernet2/0
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback0
     61.0.0.0/24 is subnetted, 1 subnets
C       61.61.61.0 is directly connected, FastEthernet2/0

As you can see above all routes now show up as external routes in the router R11’s routing table because of the different AS numbers used.

MPLS LAB - PE to CE routing - EIGRP (same AS PE-CE)

Chris van den Brink, CCIE #21047 — Wed, 14 Jan 2009 16:34:13 +0000

In this post I will show how to configure EIGRP as the PE to CE routing protocol. The network used is the same as used in the rest of this series. You can see it below again :

In this first example we are going to use the same AS number between the PE and CE router for EIGRP.

When using the same AS between the PE and CE router internal routes from one VPN site will be remain internal routes in other VPN sites.
When using the same AS between the PE and CE router external routes will remain external routes.

We are only going to configure VPN_A since the configuration for VPN_B is pretty much the same.

router R3’s config :

R3 :


router eigrp 21047
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute bgp 100 metric 10000 1 255 1 1500
 network 37.37.37.3 0.0.0.0
 no auto-summary
 autonomous-system 21047
 exit-address-family
!
router bgp 100
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute eigrp 21047
 no auto-summary
 no synchronization
 exit-address-family

router R7’s config :

R7:


router eigrp 21047
 redistribute connected metric 10000 1 255 1 1500 route-map LO1
 network 7.7.7.7 0.0.0.0
 network 37.37.37.7 0.0.0.0
 no auto-summary
!
route-map LO1 permit 10
 match interface Loopback1
!
interface Loopback1
 ip address 77.77.77.77 255.255.255.255

Notice that I created a loopback 1 to show that redistributed routes (External routes) remain external on the other side of the VPN.

router R6’s config :

R6 :


router eigrp 21047
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
 redistribute bgp 100 metric 10000 1 255 1 1500
 network 61.61.61.6 0.0.0.0
 no auto-summary
 autonomous-system 21047
 exit-address-family
!
router bgp 100
 no synchronization
 bgp router-id 6.6.6.6
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 no auto-summary
 !
address-family ipv4 vrf VPN_A
 redistribute eigrp 21047
 no auto-summary
 no synchronization
 exit-address-family

router R11’s config :

R11 :


router eigrp 21047
 network 11.11.11.11 0.0.0.0
 network 61.61.61.11 0.0.0.0
 no auto-summary

Now let’s do a “sh ip route” on R11 :

R11 :


R11#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     37.0.0.0/24 is subnetted, 1 subnets
D       37.37.37.0 [90/30720] via 61.61.61.6, 00:13:12, FastEthernet2/0
     7.0.0.0/32 is subnetted, 1 subnets
D       7.7.7.7 [90/158720] via 61.61.61.6, 00:13:12, FastEthernet2/0
     77.0.0.0/32 is subnetted, 1 subnets
D EX    77.77.77.77 [170/261376] via 61.61.61.6, 00:09:45, FastEthernet2/0
     11.0.0.0/32 is subnetted, 1 subnets
C       11.11.11.11 is directly connected, Loopback0
     61.0.0.0/24 is subnetted, 1 subnets
C       61.61.61.0 is directly connected, FastEthernet2/0

As you can see above the internal EIGRP routes remain internal and the external route (the redistributed route from router R7’s loopback 1 interface) remains

external when using EIGRP with the same AS number between the PE and CE at different VPN sites.

In the next post I will show the configuration of EIGRP as the PE to CE routing protocol with different AS numbers.