MPLS VPN lab #3

On March 30, 2010, in CCIE, CCIP, CCNP, Lab Guides, ROUTE, by Darren

This lab tests a Central Services MPLS VPN.

The diagram is the same as in my last VPN lab, and it uses my MPLS topology found over here: http://mellowd.co.uk/ccie/?p=522

This is the topology for this lab (click for a bigger image):

[Image: MPLS2 - small]

  • Customer1 and Customer2 both have MPLS VPNs through the ISP core.
  • Customer1 is using OSPF and Customer2 is using EIGRP.
  • Customers should have no access to each other's networks.
  • Each customer should be able to reach all of its sites from all of its sites.
  • The ISP now provides a mail relay for its customers. Ensure that every customer can reach the relay's subnet, 10.200.1.0/24 (the relay is 10.200.1.1), through its own VPN, while the customers remain separated from each other.
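The last two requirements are what make this a central-services VPN: the route-target policy has to let every customer VRF import the relay's routes without importing each other's. The post does not give a solution, so the following is an added Python model of the import/export decision, written for this page and not taken from the lab or its configs. The route distinguishers, route targets and the 172.16.x.0/24 customer prefixes are assumed values chosen for illustration; only 10.200.1.0/24 comes from the lab text. The second policy, a single shared RT, is the shortcut that reaches the relay but breaks the separation requirement.

```python
"""Route-target import/export model for a central-services (hub-and-spoke) MPLS VPN.

Added example, not the lab's solution. RDs, RTs and customer prefixes are
assumed values; only the relay subnet 10.200.1.0/24 comes from the lab.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str                      # 'rd 100:1' under 'ip vrf'
    export_rt: Set[str]          # 'route-target export ...'
    import_rt: Set[str]          # 'route-target import ...'
    local: List[str]             # prefixes originated by this VRF's CE sites
    table: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: FrozenSet[str]          # extended communities attached on export


def export_routes(vrfs: List[Vrf]) -> List[VpnRoute]:
    """Each PE tags its VRF's local prefixes with that VRF's export RTs."""
    return [VpnRoute(v.rd, p, frozenset(v.export_rt)) for v in vrfs for p in v.local]


def import_routes(vrfs: List[Vrf], routes: List[VpnRoute]) -> Dict[str, Set[str]]:
    """A VRF accepts a VPNv4 route iff the route carries at least one RT on the
    VRF's import list. The RD only keeps overlapping prefixes distinct inside
    BGP; it plays no part in the import decision."""
    for v in vrfs:
        v.table = set(v.local)
        for r in routes:
            if r.rts & v.import_rt:
                v.table.add(r.prefix)
    return {v.name: set(v.table) for v in vrfs}


def build_hub_spoke() -> Tuple[List[Vrf], Dict[str, Set[str]]]:
    """Spokes export their own RT and import only their own RT plus the
    central RT; the central VRF imports every spoke RT. (assumed values)"""
    vrfs = [
        Vrf("CUST1", "100:1", {"100:1"}, {"100:1", "100:200"},
            ["172.16.1.0/24", "172.16.5.0/24"]),
        Vrf("CUST2", "100:2", {"100:2"}, {"100:2", "100:200"},
            ["172.16.2.0/24", "172.16.6.0/24"]),
        Vrf("CENTRAL", "100:200", {"100:200"}, {"100:1", "100:2"},
            ["10.200.1.0/24"]),
    ]
    return vrfs, import_routes(vrfs, export_routes(vrfs))


def build_shared_rt() -> Tuple[List[Vrf], Dict[str, Set[str]]]:
    """The tempting shortcut: one RT everywhere. Everyone reaches the relay,
    but every customer also sees every other customer."""
    vrfs = [
        Vrf("CUST1", "100:1", {"100:200"}, {"100:200"}, ["172.16.1.0/24", "172.16.5.0/24"]),
        Vrf("CUST2", "100:2", {"100:200"}, {"100:200"}, ["172.16.2.0/24", "172.16.6.0/24"]),
        Vrf("CENTRAL", "100:200", {"100:200"}, {"100:200"}, ["10.200.1.0/24"]),
    ]
    return vrfs, import_routes(vrfs, export_routes(vrfs))


def leaked_prefixes(vrfs: List[Vrf], tables: Dict[str, Set[str]],
                    src: str, dst: str) -> Set[str]:
    """Prefixes originated in VRF src that ended up in VRF dst's table.
    Between two customers this must be empty."""
    origin = next(v for v in vrfs if v.name == src)
    return set(origin.local) & tables[dst]


if __name__ == "__main__":
    for label, (vrfs, tables) in (("hub-and-spoke", build_hub_spoke()),
                                  ("shared RT", build_shared_rt())):
        print(label)
        for name, table in tables.items():
            print(f"  {name}: {sorted(table)}")
        print("  CUST2 -> CUST1 leak:", sorted(leaked_prefixes(vrfs, tables, "CUST2", "CUST1")))
```

Two caveats worth checking in the real lab. First, the central VRF necessarily holds routes to both customers, so the relay host itself is the one place where the two can meet; it needs host-level controls, not just VRF separation. Second, if the two customers use overlapping address space, the central VRF can only hold one copy of each prefix (the RD keeps them distinct in BGP, not in the VRF forwarding table), which is why central-services designs often NAT the customer side.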

MPLS Topology 1.2

On February 24, 2010, in BSCI, CCIE, CCIP, CCNP, Dynamips, Lab Guides, ROUTE, TSHOOT, by Darren

Hopefully this will be my final tweak. This time I've added base configs to the CPE devices. They just set a hostname and disable the exec timeout, so you don't have to keep logging back in.

Image-wise, it’s the same. Click for the larger image:

[Image: MPLS_Backbone_small]

This is the .net file contents:

#MPLS 1.0 Topology created by Darren O'Connor 22/02/10
#MPLS 1.1 created 23/02/10
#MPLS 1.2 created 24/02/10
#www.mellowd.co.uk/ccie
#Feel free to use and change as you see fit. However if you do use please leave my details here at the top

[localhost:7200]

workingdir = /data/dynamips/working

[[3640]]
image = /data/dynamips/IOS_Images/3640/c3640-js-mz.124-25c.UNCOMPRESSED.bin
ram = 128
disk0 = 0
disk1 = 0
mmap = true
ghostios = true

###########################
#                         #
# Mpls Topology   1.2     #
#                         #
###########################

[[Router CR1]]
  model = 3640
  console = 2001
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  slot2 = NM-1FE-TX
  s1/0 = AR1 s1/0
  s1/2 = AR3 s1/2
  Fa0/0 = CR3 Fa0/0
  Fa2/0 = CR2 Fa2/0
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR1.cfg

[[Router CR2]]
  model = 3640
  console = 2002
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  slot2 = NM-1FE-TX
  s1/0 = AR2 s1/0
  s1/2 = AR1 s1/2
  Fa0/0 = CR4 Fa0/0
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR2.cfg

[[Router CR3]]
  model = 3640
  console = 2003
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  slot2 = NM-1FE-TX
  Fa2/0 = CR4 Fa2/0
  s1/0 = AR3 s1/0
  s1/1 = GR1 s1/1
  s1/2 = AR4 s1/2
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR3.cfg

[[Router CR4]]
  model = 3640
  console = 2004
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  slot2 = NM-1FE-TX
  s1/0 = AR4 s1/0
  s1/2 = AR2 s1/2
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CR4.cfg

[[Router AR1]]
  model = 3640
  console = 2005
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  slot2 = NM-1FE-TX
  Fa0/0 = CPE1 Fa0/0
  Fa2/0 = CPE2 Fa0/0
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR1.cfg

[[Router AR2]]
  model = 3640
  console = 2006
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  slot2 = NM-1FE-TX
  Fa0/0 = CPE4 Fa0/0
  Fa2/0 = CPE3 Fa0/0
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR2.cfg

[[Router AR3]]
  model = 3640
  console = 2007
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  slot2 = NM-1FE-TX
  Fa0/0 = CPE5 Fa0/0
  Fa2/0 = CPE6 Fa0/0
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR3.cfg

[[Router AR4]]
  model = 3640
  console = 2008
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  slot2 = NM-1FE-TX
  Fa0/0 = CPE8 Fa0/0
  Fa2/0 = CPE7 Fa0/0
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/AR4.cfg

[[Router CPE1]]
  model = 3640
  console = 2009
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE1.cfg

[[Router CPE2]]
  model = 3640
  console = 2010
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE2.cfg

[[Router CPE3]]
  model = 3640
  console = 2011
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE3.cfg

[[Router CPE4]]
  model = 3640
  console = 2012
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE4.cfg

[[Router CPE5]]
  model = 3640
  console = 2013
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE5.cfg

[[Router CPE6]]
  model = 3640
  console = 2014
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE6.cfg

[[Router CPE7]]
  model = 3640
  console = 2021
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE7.cfg

[[Router CPE8]]
  model = 3640
  console = 2022
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/CPE8.cfg

[[Router GR1]]
  model = 3640
  console = 2023
  autostart = true
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  Fa0/0 = ISP2 Fa0/0
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/GR1.cfg

[[Router ISP2]]
  model = 3640
  console = 2024
  autostart = false
  idlepc = 0x605105b8
  slot0 = NM-1FE-TX
  cnfg = /data/dynamips/Topology/Topology_Config/mpls/ISP2.cfg

And here are the updated config files: http://mellowd.co.uk/ccie/wp-content/uploads/2010/02/mpls.tar2.gz


MPLS VPN lab #1

On February 23, 2010, in CCIE, CCIP, CCNP, Lab Guides, ROUTE, TSHOOT, by Darren

This is my first lab to use my MPLS topology found over here: http://mellowd.co.uk/ccie/?p=522 (click the link, as you'll need the core ISP set up to run this lab).

This is the lab topology – click for a larger image:
[Image: MPLS1]

  • Use RIP as the routing protocol on the CPE devices.
  • CPE1 and CPE5 belong to Company_A.
  • CPE2 and CPE6 belong to Company_B.
  • Each site has a /24 that is advertised via its loopback.
  • CPE1 should be able to ping CPE5's loopback and vice versa.
  • CPE2 should be able to ping CPE6's loopback and vice versa.
  • Different companies should NOT be able to ping each other. They must stay completely separate.
  • Now remove RIP and configure it so that both companies are using OSPF.
  • Once complete, remove the OSPF config and use EIGRP.

Solution is now here: http://mellowd.co.uk/ccie/?p=570


Access-lists vs Prefix-lists

On January 6, 2010, in CCIE, CCIP, CCNP, Uncategorized, by Darren

The main purpose of this post is to show how prefix-lists work and how to read them compared with regular access-lists. Access-lists do a great job on Cisco devices, not just for security but for all kinds of route filtering, QoS and so on.

A prefix-list is a bit different from an access-list, and it's important to know the differences and when to use each.

I've created the following simple topology to illustrate this. There are two routers, both running BGP. Router1 has numerous loopbacks whose addresses are advertised into BGP. On Router2 I'll apply various access-lists and prefix-lists and look at the results. Remember that prefix-lists can be used with other routing protocols too, not just BGP.

This is the topology (Click for the full view):

[Image: Prefix-lists]

This is the config on each:

R1#sh run | begin bgp
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 10.1.1.10 remote-as 200
 no auto-summary
R2#sh run | begin bgp
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.9 remote-as 100
 no auto-summary

I'll put the following loopback addresses on R1 and advertise their networks in BGP:

  • 192.168.1.1/24
  • 192.168.2.1/24
  • 192.168.3.1/25
  • 192.168.3.129/25
  • 192.168.4.1/25
  • 192.168.4.129/26
  • 192.168.4.193/26
#R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.128
!
interface Loopback4
 ip address 192.168.3.129 255.255.255.128
!
interface Loopback5
 ip address 192.168.4.1 255.255.255.128
!
interface Loopback7
 ip address 192.168.4.129 255.255.255.192
!
interface Loopback8
 ip address 192.168.4.193 255.255.255.192

This is R1's BGP config now:

R1#sh run | begin bgp
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0 mask 255.255.255.128
 network 192.168.3.128 mask 255.255.255.128
 network 192.168.4.0 mask 255.255.255.128
 network 192.168.4.128 mask 255.255.255.192
 network 192.168.4.192 mask 255.255.255.192
 neighbor 10.1.1.10 remote-as 200
 no auto-summary

On Router2, we can see the routes advertised:

R2#sh ip bgp
BGP table version is 10, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       10.1.1.9                 0             0 100 i
*> 192.168.1.0      10.1.1.9                 0             0 100 i
*> 192.168.2.0      10.1.1.9                 0             0 100 i
*> 192.168.3.0/25   10.1.1.9                 0             0 100 i
*> 192.168.3.128/25 10.1.1.9                 0             0 100 i
*> 192.168.4.0/25   10.1.1.9                 0             0 100 i
*> 192.168.4.128/26 10.1.1.9                 0             0 100 i
*> 192.168.4.192/26 10.1.1.9                 0             0 100 i

Let's say I want to filter out the network 192.168.4.0/25. With an access-list I need to do it as follows. First create the access-list:

R2#conf t
R2(config)#access-list 5 deny   192.168.4.0 0.0.0.127
R2(config)#access-list 5 permit any

Add a rule to the BGP config:

R2#sh run | begin bgp
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.9 remote-as 100
 neighbor 10.1.1.9 distribute-list 5 in
 no auto-summary

You can see that the 192.168.4.0/25 route has now been filtered out:

R2#sh ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       10.1.1.9                 0             0 100 i
*> 192.168.1.0      10.1.1.9                 0             0 100 i
*> 192.168.2.0      10.1.1.9                 0             0 100 i
*> 192.168.3.0/25   10.1.1.9                 0             0 100 i
*> 192.168.3.128/25 10.1.1.9                 0             0 100 i
*> 192.168.4.128/26 10.1.1.9                 0             0 100 i
*> 192.168.4.192/26 10.1.1.9                 0             0 100 i

If I wanted to filter out the 192.168.4.x /26s as well, I'd have to add another line to the access-list for each network. With a prefix-list this is much easier. Let's remove the access-list and start again. NB: prefix-lists, like access-lists, end with an implicit deny. In an ACL you put a permit any at the end; the prefix-list equivalent is permit 0.0.0.0/0 le 32.

First I'll create the prefix-list:

R2(config)#ip prefix-list exclude_4 seq 5 deny 192.168.4.0/24 ge 25 le 26
R2(config)#ip prefix-list exclude_4 seq 10 permit 0.0.0.0/0 le 32

Now I’ll apply it to the BGP process:

router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.9 remote-as 100
 neighbor 10.1.1.9 prefix-list exclude_4 in
 no auto-summary

When checking the BGP table I see the following:

R2#sh ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       10.1.1.9                 0             0 100 i
*> 192.168.1.0      10.1.1.9                 0             0 100 i
*> 192.168.2.0      10.1.1.9                 0             0 100 i
*> 192.168.3.0/25   10.1.1.9                 0             0 100 i
*> 192.168.3.128/25 10.1.1.9                 0             0 100 i

You can see that 192.168.4.0/25 and both /26s are gone thanks to the prefix-list.

The basics of the prefix-list are as follows. If I write

ip prefix-list exclude_4 seq 5 deny 192.168.4.0/24 ge 25 le 26

the /24 tells IOS to compare only the first 24 bits, i.e. 192.168.4, and ge 25 le 26 tells it to match only prefixes whose length is /25 or /26. So a route 192.168.4.192/27 would NOT match: the 192.168.4 part matches, but its length is /27, outside the ge/le range.

Now say I want to filter every 192.168.x.x /25 but leave the /26s in place. With a prefix-list that is a single line:

R2(config)#ip prefix-list exclude_4 seq 5 deny 192.168.3.0/16 ge 25 le 25
R2(config)#ip prefix-list exclude_4 seq 10 permit 0.0.0.0/0 le 32

This tells IOS to compare only the first 16 bits, i.e. 192.168 (so 192.168.3.0/16 is the same entry as 192.168.0.0/16; the bits beyond /16 are ignored), and then to match only prefixes whose length is exactly /25. Applied to the BGP process it works as expected:

R2#sh ip bgp
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       10.1.1.9                 0             0 100 i
*> 192.168.1.0      10.1.1.9                 0             0 100 i
*> 192.168.2.0      10.1.1.9                 0             0 100 i
*> 192.168.4.128/26 10.1.1.9                 0             0 100 i
*> 192.168.4.192/26 10.1.1.9                 0             0 100 i

Only the three /25s have disappeared; everything else is still there.

You can do all of this with extended access-lists too (used as a distribute-list they match the mask as well as the address), but it's much more work, so why make life difficult? Once you understand how prefix-lists read, they are very easy.
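To make the matching rules above concrete, here is an added Python model of how IOS evaluates a standard ACL applied with `neighbor ... distribute-list ... in` and a prefix-list applied with `neighbor ... prefix-list ... in`. It is written for this page and is not code from the post; the eight R1 prefixes and the three R2 filters are the ones shown above, while the probe prefixes 192.168.4.0/24, 192.168.4.0/27 and 192.168.4.64/26 in acl_vs_prefix_list() are constructed here and are not advertised anywhere in the post. The point it adds is the one the ACL version of the post quietly depends on: a standard ACL compares only the network address under its wildcard and never looks at the prefix length, which is why the /26s at .128 and .192 survived access-list 5 but anything at .0 through .127 of any length would not.

```python
"""Route filtering with a standard ACL versus a prefix-list.

Added example, not code from the original post. Models the IOS matching
rules and replays the R2 filters from the post against R1's prefixes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Prefixes R1 advertises (from R2's 'sh ip bgp' in the post).
R1_ROUTES = [
    "1.1.1.1/32", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.3.0/25", "192.168.3.128/25",
    "192.168.4.0/25", "192.168.4.128/26", "192.168.4.192/26",
]


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip prefix-list NAME seq N {permit|deny} A.B.C.D/len [ge G] [le L]' line."""
    seq: int
    permit: bool
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4Network) -> bool:
        # Only the first /len bits of the entry count, so 192.168.3.0/16 behaves
        # exactly like 192.168.0.0/16 (strict=False applies the same masking).
        net = IPv4Network(self.prefix, strict=False)
        if not route.subnet_of(net):
            return False
        # Without ge/le the length must equal len; ge/le widen that to a range
        # (ge alone means ge..32, le alone means len..le).
        lo = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else net.prefixlen
        return lo <= route.prefixlen <= hi


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list N {permit|deny} A.B.C.D WILDCARD' line ('any' = 0.0.0.0 255.255.255.255)."""
    permit: bool
    address: str
    wildcard: str = "0.0.0.0"

    def matches(self, route: IPv4Network) -> bool:
        # As a distribute-list, a standard ACL compares only the network address
        # under the wildcard; the prefix length is never consulted.
        care = 0xFFFFFFFF ^ int(IPv4Address(self.wildcard))
        return (int(route.network_address) & care) == (int(IPv4Address(self.address)) & care)


def prefix_list_permits(entries: Sequence[PrefixEntry], route: str) -> bool:
    """Lowest-seq matching entry decides; no match is the implicit deny."""
    r = IPv4Network(route)
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(r):
            return e.permit
    return False


def acl_permits(entries: Sequence[AclEntry], route: str) -> bool:
    """First matching line decides; no match is the implicit deny."""
    r = IPv4Network(route)
    for e in entries:
        if e.matches(r):
            return e.permit
    return False


def apply_filter(permits: Callable, filt: Sequence, routes: Sequence[str]) -> List[str]:
    """What survives in R2's BGP table after the inbound filter."""
    return [r for r in routes if permits(filt, r)]


# The three filters the post configures on R2.
ACL_5 = [AclEntry(False, "192.168.4.0", "0.0.0.127"),
         AclEntry(True, "0.0.0.0", "255.255.255.255")]
EXCLUDE_4 = [PrefixEntry(5, False, "192.168.4.0/24", ge=25, le=26),
             PrefixEntry(10, True, "0.0.0.0/0", le=32)]
ONLY_25S = [PrefixEntry(5, False, "192.168.3.0/16", ge=25, le=25),
            PrefixEntry(10, True, "0.0.0.0/0", le=32)]


def acl_vs_prefix_list() -> Dict[str, Tuple[bool, bool]]:
    """Where the two filter types disagree. Both are written to drop only
    192.168.4.0/25; the prefix-list entry has no ge/le, so it is an exact-length
    match. Probe prefixes are constructed. Returns {route: (acl, prefix-list)}."""
    exact = [PrefixEntry(5, False, "192.168.4.0/25"),
             PrefixEntry(10, True, "0.0.0.0/0", le=32)]
    probes = ["192.168.4.0/25", "192.168.4.0/24", "192.168.4.0/27", "192.168.4.64/26"]
    return {p: (acl_permits(ACL_5, p), prefix_list_permits(exact, p)) for p in probes}


if __name__ == "__main__":
    for name, fn, f in (("access-list 5", acl_permits, ACL_5),
                        ("prefix-list exclude_4", prefix_list_permits, EXCLUDE_4),
                        ("prefix-list /25 only", prefix_list_permits, ONLY_25S)):
        print(f"{name}: {apply_filter(fn, f, R1_ROUTES)}")
    print(acl_vs_prefix_list())
```

The practical consequence: when a route filter is meant to be a security boundary (keeping a customer's more-specifics, or a default, out of a table), a standard ACL distribute-list only controls which addresses pass, not which lengths, so a deny for one /25 also silently drops any supernet or subnet sharing that address, and a permit for it lets all of them in. A prefix-list states both the address and the length range explicitly, which is what you want to be able to audit.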

BGP Lab 7

On November 20, 2009, in BSCI, CCIE, CCIP, CCNP, Dynamips, Lab Guides, by Darren

New lab for today. This one is a little more complex than the rest I've posted so far and should give you good practice. The topology used is over here: http://mellowd.co.uk/ccie/?p=243

BGP Lab 7:

  • Customer1 and Customer2 are both customers of ISP1.
  • ISP1 is running OSPF internally.
  • ISP1 has decided to give each of them a private AS number, as these companies are rapidly expanding.
  • Customer1 and Customer2 then buy a high-speed link between the two of them and run OSPF over it. Ensure that they use the high-speed link to reach each other's subnets and do NOT transit ISP1, but that they do transit ISP1 when the frame-relay link is down.
  • Ensure that Customer1 and Customer2 never use each other for transit when going out to ISP2.
  • Static routes are NOT allowed.
  • Ensure that ISP1 sends all routes to ISP2, but with the private AS numbers stripped.
  • Ensure that ISP2 uses the link to Router2 to reach Customer2 and the link to Router3 to reach Customer1.

Click on the thumbnail for the full topology:

[Image: bgp 7]


BGP Lab 6

On November 12, 2009, in BSCI, CCIE, CCIP, CCNP, Dynamips, Lab Guides, by Darren

New lab for today. I've just completed it myself and it's a good one for practice. It covers BGP, EIGRP, OSPF and RIPv2, as well as route redistribution. The topology used is over here: http://mellowd.co.uk/ccie/?p=243

BGP Lab 6:

  • Customer 1 is running RIPv2 internally and Customer 2 is running EIGRP internally.
  • Both customers have default routes pointing to ISP1.
  • Ensure this default route is redistributed into each customer via IGP redistribution.
  • ISP1 is running OSPF and BGP internally; however, Router10 is NOT running BGP.
  • ISP1 and ISP2 are eBGP peers.
  • Using redistribution, ensure Customer 2 can reach all subnets in Customer 1 and vice versa.
  • ISP2 should be able to reach all loopbacks.
  • Add another loopback on Router14 with the IP 140.140.140.140. Redistribute it into RIP, then ensure all other routers can ping it without modifying the config on any other router.

Click the image for a larger picture of the lab:
[Image: Topology - small]


BSCI Labs – EIGRP

On November 2, 2009, in BSCI, CCNP, Dynamips, Lab Guides, by Darren

EIGRP is pretty simple, so I only have one lab here.

EIGRP Lab 1:

  • Allow both paths to be used when routing to the loopbacks.
  • Note that one interface is a 100Mb FastEthernet interface and the other is a 10Mb Ethernet interface, so the paths are not equal cost.

[Image: EIGRP 1]


© 2009-2010 Darren O'Connor All Rights Reserved