Thursday, December 8, 2011

DMVPN For Dummies - Phase 1 & 2 (Phase 3 Added Too Now)



R1(HUB)
=======

!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TRANSFORMSET esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set TRANSFORMSET
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 no ip split-horizon eigrp 1
 ip tcp adjust-mss 1360
 tunnel source f0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CRYPTOPROFILE
 ! Phase 2 only: spokes must learn each other's tunnel IP as the next hop.
 ! Remove the next line when using the Phase 3 configuration.
 no ip next-hop-self eigrp 1
 ! Phase 3: the hub answers spoke-to-spoke traffic with an NHRP redirect.
 ip nhrp redirect
!
router eigrp 1
 network 10.0.0.1 0.0.0.0
 network 1.1.1.1 0.0.0.0
 no auto-summary
 end
!

##################################################################

R2(SPOKE 1)
===========
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TRANSFORMSET esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set TRANSFORMSET
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 123.0.0.1
 ip nhrp map multicast 123.0.0.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 tunnel source f0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CRYPTOPROFILE
 ! Phase 3: install the spoke-to-spoke shortcut learned from the hub's NHRP redirect.
 ip nhrp redirect
 ip nhrp shortcut
!
router eigrp 1
 network 10.0.0.2 0.0.0.0
 network 2.2.2.2 0.0.0.0
 no auto-summary
 end
!

##################################################################

R3(SPOKE 2)
===========

!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TRANSFORMSET esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile CRYPTOPROFILE
 set transform-set TRANSFORMSET
!
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 123.0.0.1
 ip nhrp map multicast 123.0.0.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 tunnel source f0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CRYPTOPROFILE
 ! Phase 3: install the spoke-to-spoke shortcut learned from the hub's NHRP redirect.
 ip nhrp redirect
 ip nhrp shortcut
!
router eigrp 1
 network 10.0.0.3 0.0.0.0
 network 3.3.3.3 0.0.0.0
 no auto-summary
 end
!

The benefit of adding the Phase 3 configuration is that it reduces the control-plane information the hub router has to hold. It also allows us to use default routing and perform summarization on the hub, because spoke-to-spoke shortcuts are now built from the hub's NHRP redirects rather than from specific routes learned through the hub.
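
One way to check a hub-and-spoke set like the one above for the points this post makes (Phase 3 keywords on the right side, the Phase 2 next-hop-self line removed, NHRP identifiers consistent) and for the crypto choices it uses. This is an added example, not part of the original post and not a Cisco tool; HUB and the spoke texts are trimmed copies of the configs above, while the rule set, the weak-algorithm table and the indentation-based block parser are assumptions of this example.

```python
"""Audit the DMVPN hub and spoke configs above for consistency and weak crypto.

Added example, not part of the original post and not a Cisco tool. HUB and the
spoke texts are trimmed copies of the configs in the post; the checks encode
what the post states (Phase 3 needs 'ip nhrp redirect' on the hub and
'ip nhrp shortcut' on the spokes, and the hub's 'no ip next-hop-self eigrp 1'
is Phase 2 only) plus generic crypto hygiene. The rule set, the WEAK table and
the one-space-indentation block parser are assumptions of this example."""
import re

HUB = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set TRANSFORMSET esp-des esp-md5-hmac
 mode transport
crypto ipsec profile CRYPTOPROFILE
 set transform-set TRANSFORMSET
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 no ip split-horizon eigrp 1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CRYPTOPROFILE
 no ip next-hop-self eigrp 1
 ip nhrp redirect
router eigrp 1
 network 10.0.0.1 0.0.0.0
"""

def spoke(addr):
    """Spoke config as in the post; R2 and R3 differ only in the tunnel address."""
    return HUB.split("interface Tunnel0")[0] + f"""interface Tunnel0
 ip address {addr} 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 10.0.0.1 123.0.0.1
 ip nhrp map multicast 123.0.0.1
 ip nhrp network-id 99
 ip nhrp nhs 10.0.0.1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CRYPTOPROFILE
 ip nhrp redirect
 ip nhrp shortcut
router eigrp 1
 network {addr} 0.0.0.0
"""

SPOKES = {"R2": spoke("10.0.0.2"), "R3": spoke("10.0.0.3")}
# Algorithms a transform-set should no longer carry (assumed list for this example).
WEAK = {"esp-des": "single DES", "esp-3des": "3DES (deprecated)", "esp-md5-hmac": "HMAC-MD5"}

def tunnel_lines(cfg):
    """Commands under 'interface Tunnel0' (IOS indents them with one space)."""
    lines, inside = [], False
    for line in cfg.splitlines():
        if line.startswith("interface Tunnel0"):
            inside = True
            continue
        if inside and not line.startswith(" "):
            inside = False
        if inside:
            lines.append(line.strip())
    return lines

def nhrp_identity(cfg):
    """(network-id, authentication, tunnel key): all three must agree hub-to-spoke."""
    tun = tunnel_lines(cfg)
    def value(prefix):
        return next((l[len(prefix):].strip() for l in tun if l.startswith(prefix)), None)
    return value("ip nhrp network-id"), value("ip nhrp authentication"), value("tunnel key")

def audit(hub, spokes):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    hub_tun = tunnel_lines(hub)
    phase3 = "ip nhrp redirect" in hub_tun
    if phase3 and "no ip next-hop-self eigrp 1" in hub_tun:
        findings.append("hub: Phase 2 line 'no ip next-hop-self eigrp 1' still present with Phase 3 'ip nhrp redirect'")
    for name, cfg in spokes.items():
        tun = tunnel_lines(cfg)
        if phase3 and "ip nhrp shortcut" not in tun:
            findings.append(f"{name}: hub sends NHRP redirects but spoke has no 'ip nhrp shortcut'")
        if nhrp_identity(cfg) != nhrp_identity(hub):
            findings.append(f"{name}: NHRP network-id/authentication/tunnel key do not match the hub")
        if not any(l.startswith("ip nhrp nhs") for l in tun):
            findings.append(f"{name}: no next-hop server ('ip nhrp nhs') configured")
    for name, cfg in [("hub", hub), *spokes.items()]:
        for m in re.finditer(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M):
            for alg in m.group(1).split():
                if alg in WEAK:
                    findings.append(f"{name}: transform-set uses {alg} ({WEAK[alg]})")
        if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0", cfg, re.M):
            findings.append(f"{name}: wildcard pre-shared key accepts any peer address")
        if not any(l.startswith("tunnel protection") for l in tunnel_lines(cfg)):
            findings.append(f"{name}: Tunnel0 has no 'tunnel protection', GRE would leave in the clear")
    return findings
```

Run against the configs as posted, audit(HUB, SPOKES) reports the hub's leftover 'no ip next-hop-self eigrp 1', the DES/MD5 transform set on all three routers and the wildcard pre-shared key on each; delete the next-hop-self line and the first finding goes away. The wildcard key and single DES are what the lab uses, not what a production DMVPN should run.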


More details:


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html

HTH...
Deepak Arora
Evil CCIE

Tuesday, December 6, 2011

Site To Site VPNs Using IPSEC - Different Variations


IPSEC LAN TO LAN VPN USING CRYPTOMAP (With host to host routing configured)
***************************************************************************


R1
===


!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
 hash sha
!
crypto isakmp key cisco address 23.23.23.3
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 23.23.23.3
 set transform-set PHASE2
 match address 100
!
!
interface FastEthernet0/0
 crypto map CRYPTOMAP
!




=========================


R3
===


!
crypto isakmp policy 10
 encr aes
 hash sha
 group 5
 lifetime 3600
 authentication pre-share
 exit
!
crypto isakmp key cisco address 12.12.12.1
!
crypto ipsec transform-set PHASE2 esp-3des esp-sha-hmac
!
access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set PHASE2
 match address 100
!
interface FastEthernet0/0
 crypto map CRYPTOMAP
!
==========================
###########################################################


IPSEC OVER GRE (No host to host routing)
****************************************


R1
===


!
router ospf 1
 no network 14.14.14.1 0.0.0.0 area 0
!
interface Tunnel0
 ip address 13.13.13.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 23.23.23.3
!
router eigrp 1
 no auto-summary
 network 14.14.14.1 0.0.0.0
 network 13.13.13.1 0.0.0.0
!
! The crypto map stays on FastEthernet0/0, so its ACL must now match the GRE
! packets the tunnel sends, not the LAN traffic carried inside them. Traffic
! the crypto ACL does not match leaves the interface unencrypted. A GRE entry
! written against the LAN subnets (second step) matches nothing, because GRE
! packets are sourced from 12.12.12.1 to 23.23.23.3; the host-to-host entry
! (last step) is the correct one. Note that 'no access-list 100 ...' removes
! the whole numbered list, which is why it is rebuilt each time.
no access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
no access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255
!
access-list 100 permit gre host 12.12.12.1 host 23.23.23.3
!


R3
===


!
router ospf 1
 no network 35.35.35.3 0.0.0.0 area 0
!
interface Tunnel0
 ip address 13.13.13.3 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 12.12.12.1
!
router eigrp 1
 no auto-summary
 network 35.35.35.3 0.0.0.0
 network 13.13.13.3 0.0.0.0
!
! Same correction as on R1: the crypto ACL must match GRE between the tunnel
! endpoints and be the mirror image of R1's entry.
no access-list 100 permit ip 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
no access-list 100 permit gre 35.35.35.0 0.0.0.255 14.14.14.0 0.0.0.255
!
access-list 100 permit gre host 23.23.23.3 host 12.12.12.1
!
=========================================================================
#############################################################################


IPSEC LAN TO LAN Using IPSEC Profile (No host to host routing)
*****************************************************


R1
==
!
! With tunnel protection, IPsec is bound to Tunnel0 itself: everything the
! tunnel carries is encrypted, so the crypto map and its ACL are not needed.
crypto ipsec profile IPSEC-PROFILE
 set transform-set PHASE2
!
interface FastEthernet0/0
 no crypto map CRYPTOMAP
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
!




R3
==


!
crypto ipsec profile IPSEC-PROFILE
 set transform-set PHASE2
!
interface FastEthernet0/0
 no crypto map CRYPTOMAP
!
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROFILE
!


=========================================================================
#########################################################################


IPSEC LAN TO LAN Using Static VTI (No host to host routing)
**************************************************




R1
==


!
! Static VTI: the tunnel carries IPsec directly (no GRE header), so the GRE
! entry in access-list 100 is no longer referenced by anything and can go.
interface Tunnel0
 tunnel mode ipsec ipv4
!
no access-list 100 permit gre host 12.12.12.1 host 23.23.23.3
!






R3
==


!
interface Tunnel0
 tunnel mode ipsec ipv4
!
no access-list 100 permit gre host 23.23.23.3 host 12.12.12.1
!
=========================================================================
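
The ACL sequence R1 and R3 go through in the crypto-map variations above (a LAN "ip" entry, then a GRE entry still written against the LAN subnets, then the host-to-host GRE entry) is the part of a crypto map that most often leaves traffic unencrypted. The following is an added example, not from the post and not IOS code: it reimplements the extended-ACL matching those lines rely on and replays them against the packets the tunnel actually sends. The packet tuples are constructed from the post's addresses, and the parser covers only the keywords the post uses plus "any".

```python
"""Does the crypto-map ACL match what the tunnel really sends, and do the two
peers' ACLs mirror each other?

Added example, not from the post and not IOS code. It reimplements IOS
extended-ACL matching as the post's crypto ACLs use it (wildcard masks, 'host',
protocol 'ip' versus 'gre') and replays the ACL lines R1 and R3 go through.
The packet tuples are constructed from the post's addresses."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def _addr_spec(words):
    """Consume one source/destination spec; returns (network, wildcard, rest)."""
    if words[0] == "any":
        return "0.0.0.0", "255.255.255.255", words[1:]
    if "host".startswith(words[0]):          # IOS accepts unambiguous abbreviations ('ho')
        return words[1], "0.0.0.0", words[2:]
    return words[0], words[1], words[2:]

def parse_ace(line):
    """Parse 'access-list N permit <proto> <src> <dst>' (abbreviated keywords allowed)."""
    words = line.split()
    proto = words[3]
    src, src_wc, rest = _addr_spec(words[4:])
    dst, dst_wc, _ = _addr_spec(rest)
    return Ace(proto, src, src_wc, dst, dst_wc)

def _in(addr, net, wc):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wc))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def ace_matches(ace, proto, src, dst):
    """'ip' covers every IP protocol; 'gre' only GRE (IP protocol 47)."""
    return ace.proto in ("ip", proto) and _in(src, ace.src, ace.src_wc) and _in(dst, ace.dst, ace.dst_wc)

def encrypted(acl_lines, packet):
    """True if the crypto ACL selects the packet for IPsec; otherwise it leaves in the clear."""
    acl = [parse_ace(l) for l in acl_lines]
    return any(ace_matches(a, *packet) for a in acl)

def mirrors(acl_a, acl_b):
    """IOS needs each peer's crypto ACL to be the exact mirror image of the other's."""
    flip = lambda a: Ace(a.proto, a.dst, a.dst_wc, a.src, a.src_wc)
    return {flip(parse_ace(l)) for l in acl_a} == {parse_ace(l) for l in acl_b}

# Constructed from the post: the ACL lines R1 tries in turn, R3's final line,
# the GRE packet Tunnel0 actually emits, and a LAN packet it encapsulates.
R1_LAN_IP = "access-list 100 permit ip 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255"
R1_GRE_LAN = "access-list 100 permit gre 14.14.14.0 0.0.0.255 35.35.35.0 0.0.0.255"
R1_GRE_HOST = "access-list 100 permit gre ho 12.12.12.1 ho 23.23.23.3"
R3_GRE_HOST = "access-l 100 per gre ho 23.23.23.3 ho 12.12.12.1"
GRE_PACKET = ("gre", "12.12.12.1", "23.23.23.3")
LAN_PACKET = ("ip", "14.14.14.10", "35.35.35.10")

if __name__ == "__main__":
    for label, acl in [("ip LAN", [R1_LAN_IP]), ("gre LAN", [R1_GRE_LAN]), ("gre host", [R1_GRE_HOST])]:
        print(f"{label:9s} GRE encrypted: {encrypted(acl, GRE_PACKET)!s:5s} LAN encrypted: {encrypted(acl, LAN_PACKET)}")
    print("R1/R3 ACLs mirror each other:", mirrors([R1_GRE_HOST], [R3_GRE_HOST]))
```

Against the GRE packet (source 12.12.12.1, destination 23.23.23.3) only the host-to-host entry matches; the LAN-subnet entries match nothing the tunnel emits, and a crypto map sends unmatched traffic as plain text rather than dropping it. The mirror check catches the other common failure, a peer ACL that is not the exact reverse of ours, which shows up as a proxy-identity mismatch when the IPsec SA is negotiated.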


HTH...
Deepak Arora
Evil CCIE

Tuesday, November 22, 2011

Best CCNA Training In Market For Free - Till 31st December 2011







Yet again INE surprises their customers with free access to the best CCNA training in the industry, until 31st December 2011. Since the product is produced and compiled by Brian McGahan, you don't need to worry at all about the quality of the material you are going to get. IMHO there will be no match. Here are the URLs:



HTH...
Deepak Arora
Evil CCIE

Friday, October 28, 2011

Redistribution Mock Lab - The Crazy Stuff

Last year, while I was preparing for my R&S lab, I felt I was not well prepared for complex redistribution scenarios. I took a look at the Vol-1 workbook outlines from IP Expert and Internetwork Expert, but none of them seemed to cover redistribution as part of the technology labs. So I decided to create an ugly redistribution lab myself.


So let me quickly share the physical and logical topology with you, along with the initial configurations.

The requirement is simple: perform mutual redistribution at all redistribution points without creating a routing loop.







R1#sh ver | i IOS
Cisco IOS Software, 3600 Software (C3640-JS-M), Version 12.4(17), RELEASE SOFTWARE (fc1)





<<< R1 >>>


!
en
!
debug ip ro
!
conf t
!
no ip domain-lo
!
ho R1
!
int lo0
ip add 1.1.1.1 255.255.255.0
ip ospf network point-to-p
exit
!
int f1/0
ip add 15.15.15.1 255.255.255.0
no sh
exit
!
int s0/0
ip add 10.10.10.1 255.255.255.0
en f
no frame inv
frame map ip 10.10.10.2 102 b
frame map ip 10.10.10.3 103 b
frame map ip 10.10.10.4 104 b
frame map ip 10.10.10.1 102
ip ospf network point-to-m
no sh
exit
!
router ospf 1
router-id 111.111.111.111
net 1.1.1.1 0.0.0.0 a 0
net 15.15.15.1 0.0.0.0 a 0
net 10.10.10.1 0.0.0.0 a 0
end
!
!
wr mem
---------------------------

<<< R2 >>>

!
en
!
debug ip ro
!
conf t
!
no ip domain-lo
!
ho R2
!
int lo0
ip add 2.2.2.2 255.255.255.0
ip ospf network point-to-p
exit
!
int s0/0
ip add 10.10.10.2 255.255.255.0
en f
no frame inv
frame map ip 10.10.10.1 201 b
frame map ip 10.10.10.2 201
ip ospf network point-to-m
no sh
exit
!
router ospf 1
router-id 222.222.222.222
net 2.2.2.2 0.0.0.0 a 0
net 10.10.10.2 0.0.0.0 a 0
exit
!
int lo1
ip add 12.12.12.12 255.255.255.0
exit
!
int s0/1
ip add 24.24.24.2 255.255.255.0
no sh
exit
!
router eigrp 100
no au
net 12.12.12.12 0.0.0.0
net 24.24.24.2 0.0.0.0
end
!
!
wr mem
------------------------------

<<< R3 >>>

!
en
!
debug ip ro
!
conf t
!
no ip domain-lo
!
ho R3
!
int lo0
ip add 3.3.3.3 255.255.255.0
ip ospf network point-to-p
exit
!
int s0/0
ip add 10.10.10.3 255.255.255.0
en f
no frame inv
frame map ip 10.10.10.1 301 b
frame map ip 10.10.10.3 301
ip ospf network point-to-m
no sh
exit
!
int s0/1
ip add 34.34.34.3 255.255.255.0
no sh
exit
!
int lo1
ip add 13.13.13.13 255.255.255.0
exit
!
router ospf 1
! router-id must be a valid dotted-decimal address (each octet 0-255), so
! 333.333.333.333 is rejected by IOS; the loopback address is used here instead.
router-id 3.3.3.3
net 3.3.3.3 0.0.0.0 a 0
net 10.10.10.3 0.0.0.0 a 0
exit
!
router eigrp 100
no au
net 13.13.13.13 0.0.0.0
net 34.34.34.3 0.0.0.0
exit
!
int lo2
ip add 133.133.133.133 255.255.255.0
exit
!
int f1/0
ip add 63.63.63.3 255.255.255.0
no sh
exit
!
router rip
v 2
no au
net 133.133.0.0
net 63.0.0.0
end
!
!
wr mem
------------------------------

<<< R4 >>>

!
en
!
debug ip ro
!
conf t
!
no ip domain-lo
!
ho R4
!
int lo0
ip add 4.4.4.4 255.255.255.0
ip ospf network point-to-p
exit
!
int s0/0
ip add 10.10.10.4 255.255.255.0
en f
no frame inv
frame map ip 10.10.10.1 401 b
frame map ip 10.10.10.4 401
ip ospf network point-to-m
no sh
exit
!
router ospf 1
! 444.444.444.444 is not a valid dotted-decimal router-id; loopback address used instead.
router-id 4.4.4.4
net 4.4.4.4 0.0.0.0 a 0
net 10.10.10.4 0.0.0.0 a 0
exit
!
int lo1
ip add 14.14.14.14 255.255.255.0
exit
!
int s0/1
ip add 24.24.24.4 255.255.255.0
no sh
exit
!
int s0/2
ip add 34.34.34.4 255.255.255.0
no sh
exit
!
router eigrp 100
no au
net 14.14.14.14 0.0.0.0
net 24.24.24.4 0.0.0.0
net 34.34.34.4 0.0.0.0
exit
!
int f1/0
ip add 100.100.100.4 255.255.255.0
no sh
exit
!
router rip
v 2
no au
net 100.0.0.0
end
!
!
wr mem
------------------------------


<<< R5 >>>

!
en
!
debug ip ro
!
conf t
!
no ip domain-lo
!
ho R5
!
int lo0
ip add 5.5.5.5 255.255.255.0
ip ospf net point-to-p
exit
!
int f0/0
ip add 15.15.15.5 255.255.255.0
no sh
exit
!
router ospf 1
! 555.555.555.555 is not a valid dotted-decimal router-id; loopback address used instead.
router-id 5.5.5.5
net 5.5.5.5 0.0.0.0 a 0
net 15.15.15.5 0.0.0.0 a 0
exit
!
int lo1
ip add 115.115.115.115 255.255.255.0
exit
!
int f1/0
ip add 56.56.56.5 255.255.255.0
no sh
exit
!
router rip
v 2
no au
net 115.115.0.0
net 56.0.0.0
end
!
!
wr mem
---------------------------

<<< R6 >>>

!
en
!
debug ip ro
!
conf t
!
no ip domain-lo
!
ho R6
!
int lo0
ip add 6.6.6.6 255.255.255.0
exit
!
int f1/0
ip add 63.63.63.6 255.255.255.0
no sh
exit
!
int f0/0
ip add 56.56.56.6 255.255.255.0
no sh
exit
!
router rip
v 2
no au
net 6.0.0.0
net 63.0.0.0
net 56.0.0.0
end
!
!
wr mem
------------------------------

<<< R7 >>>

!
en
!
debug ip ro
!
conf t
!
no ip domain-lo
!
ho R7
!
int lo0
ip add 7.7.7.7 255.255.255.0
exit
!
int f0/0
ip add 100.100.100.7 255.255.255.0
no sh
exit
!
router rip
v 2
no au
net 7.0.0.0
net 100.0.0.0
end
!
!
wr mem

------------------------------


<<< R8 >>>


!
en
!
debug ip ro
!
conf t
!
no ip domain-lo
!
ho R8
!
int lo0
ip add 8.8.8.8 255.255.255.0
exit
!
int f0/0
ip add 100.100.100.8 255.255.255.0
no sh
exit
!
router rip
v 2
no au
net 8.0.0.0
net 100.0.0.0
end
!
!
wr mem

I would like to mention that I am not looking for optimal routing after redistribution. R4 has three routing protocols running, so make sure all three are mutually redistributed.
All you need to know about redistribution is right here
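
Before touching redistribution on a lab like this it helps to know where the protocol domains actually meet. The script below is an added example, not part of the post: it parses a trimmed, constructed copy of the initial configs above (interface addresses and "net" statements only, with the post's abbreviations; loopbacks are left out because they never join two routers), applies IOS's network-statement semantics (wildcard match for OSPF and EIGRP, classful match for RIP), and reports which routers sit in more than one domain and which domain pairs have two or more mutual redistribution points, the places where a route can leak back into the domain it came from and where tagging is needed.

```python
"""Map the protocol domains of the redistribution lab above and flag the
loop-prone redistribution points.

Added example, not part of the original post. CONFIGS is a trimmed copy of the
lab's initial configs constructed from the post (interface addresses and 'net'
statements only; loopbacks left out because they never join two routers).
Matching rules are IOS's: wildcard match for OSPF/EIGRP 'network' statements,
classful match for RIP's."""
import ipaddress
from collections import defaultdict
from itertools import combinations

CONFIGS = {  # commands separated by ';', abbreviations as in the post
    "R1": "int f1/0;ip add 15.15.15.1 255.255.255.0;int s0/0;ip add 10.10.10.1 255.255.255.0;"
          "router ospf 1;net 15.15.15.1 0.0.0.0 a 0;net 10.10.10.1 0.0.0.0 a 0",
    "R2": "int s0/0;ip add 10.10.10.2 255.255.255.0;int s0/1;ip add 24.24.24.2 255.255.255.0;"
          "router ospf 1;net 10.10.10.2 0.0.0.0 a 0;router eigrp 100;net 24.24.24.2 0.0.0.0",
    "R3": "int s0/0;ip add 10.10.10.3 255.255.255.0;int s0/1;ip add 34.34.34.3 255.255.255.0;"
          "int f1/0;ip add 63.63.63.3 255.255.255.0;router ospf 1;net 10.10.10.3 0.0.0.0 a 0;"
          "router eigrp 100;net 34.34.34.3 0.0.0.0;router rip;net 63.0.0.0",
    "R4": "int s0/0;ip add 10.10.10.4 255.255.255.0;int s0/1;ip add 24.24.24.4 255.255.255.0;"
          "int s0/2;ip add 34.34.34.4 255.255.255.0;int f1/0;ip add 100.100.100.4 255.255.255.0;"
          "router ospf 1;net 10.10.10.4 0.0.0.0 a 0;router eigrp 100;net 24.24.24.4 0.0.0.0;"
          "net 34.34.34.4 0.0.0.0;router rip;net 100.0.0.0",
    "R5": "int f0/0;ip add 15.15.15.5 255.255.255.0;int f1/0;ip add 56.56.56.5 255.255.255.0;"
          "router ospf 1;net 15.15.15.5 0.0.0.0 a 0;router rip;net 56.0.0.0",
    "R6": "int f1/0;ip add 63.63.63.6 255.255.255.0;int f0/0;ip add 56.56.56.6 255.255.255.0;"
          "router rip;net 63.0.0.0;net 56.0.0.0",
    "R7": "int f0/0;ip add 100.100.100.7 255.255.255.0;router rip;net 100.0.0.0",
    "R8": "int f0/0;ip add 100.100.100.8 255.255.255.0;router rip;net 100.0.0.0",
}

def classful(ip):
    """Classful network of an address; RIP 'network' statements are classful."""
    first = int(ip) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

def covers(ip, net, wildcard):
    """Does this 'net' statement enable the process on an interface with address ip?"""
    if wildcard is None:                                   # RIP
        return classful(ip) == classful(ipaddress.ip_address(net))
    n, w = int(ipaddress.ip_address(net)), int(ipaddress.ip_address(wildcard))
    return (int(ip) & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)   # OSPF/EIGRP

def parse_router(text):
    """Return {protocol: {subnet, ...}}: the subnets each routing process runs on."""
    ifaces, stmts, proto = [], defaultdict(list), None
    for cmd in text.split(";"):
        w = cmd.split()
        if not w:
            continue
        if w[:2] == ["ip", "add"]:
            ifaces.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
        elif w[0] == "router":
            proto = w[1]
        elif w[0] == "net":
            stmts[proto].append((w[1], None if proto == "rip" else w[2]))
    enabled = defaultdict(set)
    for proto, entries in stmts.items():
        for net, wc in entries:
            enabled[proto] |= {str(i.network) for i in ifaces if covers(i.ip, net, wc)}
    return dict(enabled)

def domains(parsed):
    """Per protocol, connected components of routers that share a subnet running it."""
    out = []
    for proto in sorted({p for cfg in parsed.values() for p in cfg}):
        members = {r: cfg[proto] for r, cfg in parsed.items() if proto in cfg}
        seen = set()
        for start in sorted(members):
            if start in seen:
                continue
            comp, stack = set(), [start]
            while stack:
                r = stack.pop()
                if r in comp:
                    continue
                comp.add(r)
                stack += [o for o in members if o not in comp and members[o] & members[r]]
            seen |= comp
            out.append((proto, frozenset(comp)))
    return out

def loop_prone_pairs(doms):
    """Domain pairs joined at two or more routers: a route redistributed out at one
    can come back in at the other, so tag on the way out and deny on the way in."""
    return [(pa, pb, sorted(a & b)) for (pa, a), (pb, b) in combinations(doms, 2) if len(a & b) >= 2]

def analyze(configs=CONFIGS):
    """(domains, redistribution points, loop-prone domain pairs) for the configs."""
    parsed = {r: parse_router(c) for r, c in configs.items()}
    doms = domains(parsed)
    points = {r: sorted(p for p, m in doms if r in m) for r in configs}
    points = {r: ps for r, ps in points.items() if len(ps) > 1}   # in more than one domain
    return doms, points, loop_prone_pairs(doms)

if __name__ == "__main__":
    doms, points, pairs = analyze()
    for proto, members in doms:
        print(f"{proto:5s} domain: {', '.join(sorted(members))}")
    print("redistribution points:", points)
    for pa, pb, shared in pairs:
        print(f"tag/filter between {pa} and {pb}: mutual points {', '.join(shared)}")
```

For these configs analyze() finds one OSPF domain (R1 to R5), one EIGRP domain (R2, R3, R4) and two separate RIP domains (R3/R5/R6 and R4/R7/R8), with R2, R3, R4 and R5 as redistribution points; OSPF and EIGRP meet at three of them and OSPF and the R3/R5/R6 RIP domain at two, so those are the pairs that need route tags and inbound filters. The two RIP domains really are separate: R4's RIP island never touches R3's.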
Deepak Arora
Evil CCIE 

Tuesday, October 11, 2011

OSPF Loopback Advertisements With Proper Mask - The Tricky Part

There is always talk among CCNP/CCIP/CCIE candidates about why a loopback interface is always treated as a stub host in OSPF and advertised as a /32 route, even when the interface's actual mask is configured differently.

Actually it's based on RFC 2328, the OSPF version 2 standard. Here are the reference details:

Protocol - OSPF Ver 2
Section - 9.1
Page - 66
Tag - Interface States > Loopback

Now, interestingly, Cisco documentation provides only one work-around for this: putting the command "ip ospf network point-to-point" under the loopback interface itself.

But are there any other ways?

What if our Evil CCIE lab asks us to advertise loopback interfaces with the correct mask and we are not allowed to use the command mentioned above :-)

Actually there are three ways to do it; let's explore them one by one.


HTH...
Deepak Arora
Evil CCIE

Thursday, September 29, 2011

Free INE CCNP Workbook

Just got this URL today at IEOC.COM, where Brian McGahan has provided the download URL for the INE CCNP workbook. Though it was written for CCNP version 5, the contents are still relevant for the current Route and Switch exams.

http://www.ine.com/downloads/ine.ccnp.lab.workbook.1.01.zip 

HTH...
Deepak Arora

Friday, July 29, 2011

Rate Limit Calculator AKA CAR (Committed Access Rate)

Recently I have been asked for a quick method to calculate "CAR parameters", also known as rate limits.





So don't confuse this CAR with our well known CAR :-)

Anyway... here is a great piece of work by "Brian" on the Cisco Learning Network site for your help... awesome work, I would say.


BTW.... these days we have a QoS tool called "policing", which is essentially the modern way of doing CAR using the MQC (Modular QoS CLI).

HTH...
Deepak Arora

Monday, July 25, 2011

BGP Rule Of Synchronization


Recently I saw lots of discussions going around on the Cisco Learning Network (CLN) about the BGP Rule of Synchronization. I feel the rule sounds quite confusing to most beginners. Following are the common confusions that people have:


Rule - "A route learned from one iBGP peer cannot be advertised to another iBGP peer unless it is verified by the IGP, that is, the IGP routing table has a matching entry for the same route in the routing table."


Now, to overcome this rule, we have a few options.


1. Run an IGP.... hehe... Simple enough? :-)


But the problem with doing that is that you need to redistribute BGP into the IGP. If there are only a few BGP routes that's not a big deal, but if we are talking about redistributing the entire global BGP Internet routing table, you are going to mess up your IGP, since IGPs are not designed to manage routing tables that big.


2. Make the BGP peerings full mesh.


3. Route BGP updates between the edge BGP devices of the SP core using tunnels such as GRE... of course not a scalable solution though.


4. Run MPLS in the SP core and use the concept of a BGP-free core.



Common confusions:

1. Does the rule only apply to routes learned by an iBGP peer from an eBGP peer, or also to its locally originated routes?

2. Does "IGP" mean we have to run some sort of IGP like OSPF, EIGRP or RIP, or does it mean IGP reachability in general, which would make static routing a valid solution too?

Let's bring up the topology and see things in action.



So let's turn on "Synchronization" and see how things go.


BTW... in most modern IOS releases "Synchronization" is off by default.


Now, as discussed above, to overcome the "Synchronization" issue we have a few options:


1. Run an IGP inside the domain.


2. Create full-mesh connectivity.


Since in our scenario we don't have full-mesh connectivity, let's turn synchronization off and configure R3 as a Route Reflector (RR) first.


Route Reflectors and Confederations, BTW, are the two possible solutions to overcome the "BGP rule of split horizon", which states that "an iBGP-learned route cannot be advertised to another iBGP peer".


Let's turn sync off now and configure R3 as RR.


Ummm... seems like we have some next-hop issues. Let's fix those.

We have two options:

1. Tell the neighbor to use me as next hop (nei x.x.x.x next-hop-self)
2. Configure a route-map that sets myself as the next-hop IP and apply it outbound to the neighbor (nei x.x.x.x route-map out)

But it is important to note that the first option doesn't work if your local router is a RR :-)

See for yourself....


Let's turn "SYNC" back on, and this time, instead of running an IGP, let's see if static routes pointing to Null0 (IGP reachability, not an IGP itself) can help us.


Seems like the rule indeed talks about IGP reachability and doesn't specifically require us to run an IGP.

Though all routes now look valid and life looks good, when we try to ping R5's loopback from R1 with the loopback as source, the packets don't make it through.

The reason is that the static routes we added point to Null0, which black-holes all our packets.

Let's fix it:


Now life looks all good :-)
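
The sequence above, reduced to the two validity checks it exercises, as an added example that is not from the post and not IOS code: an iBGP-learned path needs a next hop that resolves in the RIB, and with synchronization on the prefix must also be present from a non-BGP source. The RIB here is a plain longest-prefix-match table, and the prefixes, next hops and links are constructed; walk_through() replays the steps of the post on them.

```python
"""Model of the two iBGP validity checks the walk-through above exercises:
next-hop reachability and synchronization.

Added example, not from the post and not IOS code. The RIB is a plain
longest-prefix-match table; the prefixes, next hops and links are constructed
for this example, and 'R5' only names the far end as the post does."""
import ipaddress

class Rib:
    """Routing table of (prefix, next_hop, source); next hop 'Null0' means drop."""
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, source):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, source))

    def remove(self, prefix, source):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if not (r[0] == net and r[2] == source)]

    def lookup(self, dst):
        """Most specific route covering dst, or None."""
        d = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if d in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def forwards(self, dst):
        """True only when a route exists and does not point at Null0 (the black hole)."""
        r = self.lookup(dst)
        return r is not None and r[1] != "Null0"

    def synchronized(self, prefix):
        """Classic IOS rule: the same prefix must be present from a non-BGP source."""
        net = ipaddress.ip_network(prefix)
        return any(r[0] == net and r[2] != "bgp" for r in self.routes)

def ibgp_route_valid(rib, prefix, next_hop, sync=True):
    """Problems that keep an iBGP-learned path from being used; [] means valid."""
    problems = []
    if not rib.forwards(next_hop):
        problems.append(f"next hop {next_hop} unreachable")
    if sync and not rib.synchronized(prefix):
        problems.append(f"{prefix} not in IGP table (synchronization)")
    return problems

def walk_through():
    """Replay the post's steps on one constructed router: an iBGP-learned prefix
    whose eBGP next hop the router has never heard of, sync on, no IGP."""
    rib = Rib()
    rib.add("10.0.13.0/24", "connected", "connected")   # link toward the iBGP peer (constructed)
    rib.add("10.0.35.0/24", "connected", "connected")   # link toward R5 (constructed)
    prefix, ebgp_nh, peer = "5.5.5.0/24", "192.0.2.5", "10.0.13.1"   # constructed values
    steps = {}
    steps["sync on, no IGP"] = ibgp_route_valid(rib, prefix, ebgp_nh)
    # the peer applies next-hop-self (or the route-map), so the next hop is now the peer
    steps["next-hop-self"] = ibgp_route_valid(rib, prefix, peer)
    steps["sync off"] = ibgp_route_valid(rib, prefix, peer, sync=False)
    rib.add(prefix, "Null0", "static")                  # static to Null0 satisfies sync ...
    steps["static Null0"] = (ibgp_route_valid(rib, prefix, peer), rib.forwards("5.5.5.5"))
    rib.remove(prefix, "static")
    rib.add(prefix, "10.0.35.5", "static")              # ... while a real next hop also forwards
    steps["static via R5"] = (ibgp_route_valid(rib, prefix, peer), rib.forwards("5.5.5.5"))
    return steps

if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step:16s} -> {result}")
```

A static route to Null0 passes the synchronization test yet forwards() stays False, which is the black hole the ping exposed; a static route via a real next hop passes both. Classic IOS adds one condition this model leaves out: when the matching IGP route comes from OSPF, the OSPF router ID must equal the BGP router ID for the route to count as synchronized.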


HTH...
Deepak Arora