28 August 2009

Basic IPsec Virtual Tunnel Interface - VTI

The goal is to bring up an IPsec tunnel between two routers using VTIs.
The pre-shared key is: 1234.

hostname R1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 1234 address 10.2.2.1
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS-1 esp-aes 256
!
crypto ipsec profile VTI
 set transform-set TS-1
!
interface Tunnel0
 description *** Vers Tunnel 1 premium ***
 ip unnumbered Loopback0
 ip mtu 1380
 ip tcp adjust-mss 1340
 tunnel source Loopback0
 tunnel destination 10.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback10
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 10
 redistribute connected
 network 10.1.1.1 0.0.0.0
 no auto-summary
!
ip route 10.2.2.1 255.255.255.255 192.168.1.2
!

The configuration is identical on R2.

R1#show crypto ipsec sa


interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.1.1


protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16017, #pkts encrypt: 16017, #pkts digest: 16017
#pkts decaps: 15918, #pkts decrypt: 15918, #pkts verify: 15918
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0


local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xCF2A12E(217227566)


inbound esp sas:
spi: 0x8C8AD70B(2357909259)
transform: esp-256-aes ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4596558/1206)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xCF2A12E(217227566)
transform: esp-256-aes ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4596542/1204)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE


outbound ah sas:


outbound pcp sas:
R1#
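As an added check, not part of the original post, the following Python script audits the crypto lines of the R1 configuration above: the transform set carries esp-aes 256 with no HMAC, the ISAKMP policy uses DH group 2, and the pre-shared key is 1234. A constructed hardened variant is included for comparison; the thresholds (16-character PSK, DH group 14) are our own choices, not IOS defaults.

```python
import re

# Constructed copy of the crypto lines from the R1 configuration above.
R1_CRYPTO = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 1234 address 10.2.2.1
crypto ipsec transform-set TS-1 esp-aes 256
crypto ipsec profile VTI
 set transform-set TS-1
"""

# Constructed hardened variant: long random PSK, DH group 14, ESP with an HMAC.
HARDENED = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key Xk7pQ9vL2mN4wRt8zBq3 address 10.2.2.1
crypto ipsec transform-set TS-1 esp-aes 256 esp-sha256-hmac
"""

INTEGRITY = re.compile(r"(esp|ah)-(sha\d*|md5)-hmac|esp-gcm")

def audit_crypto_config(config: str) -> list:
    """Return findings for the IKEv1/IPsec lines of an IOS config (thresholds are ours)."""
    findings = []
    # Pre-shared keys: a short or digits-only key is trivially guessable.
    for key, peer in re.findall(r"^crypto isakmp key (\S+) address (\S+)", config, re.M):
        if len(key) < 16 or key.isdigit():
            digits = ", digits only" if key.isdigit() else ""
            findings.append(f"pre-shared key for peer {peer}: {len(key)} characters{digits}")
    # ISAKMP policy: IOS defaults to DH group 1 (768-bit); group 2 is 1024-bit MODP.
    for num, body in re.findall(r"^crypto isakmp policy (\d+)\n((?: .*\n)*)", config, re.M):
        g = re.search(r"^ group (\d+)", body, re.M)
        group = int(g.group(1)) if g else 1
        if group < 14:
            findings.append(f"isakmp policy {num}: DH group {group} is below group 14 (2048-bit)")
    # Transform sets: ESP encryption alone gives confidentiality without integrity.
    for name, transforms in re.findall(r"^crypto ipsec transform-set (\S+) (.*)$", config, re.M):
        if not INTEGRITY.search(transforms):
            findings.append(f"transform-set {name}: no integrity transform ({transforms})")
    return findings

if __name__ == "__main__":
    print("R1:", audit_crypto_config(R1_CRYPTO))
    print("hardened:", audit_crypto_config(HARDENED))
```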

25 August 2009

Traffic Engineering and logging

mpls traffic-eng logging lsp

To log certain traffic engineering label switched path (LSP) events, use the mpls traffic-eng logging lsp command in global configuration mode.

  • path-errors = Logs RSVP path errors for traffic engineering LSPs.
  • reservation-errors = Logs RSVP reservation errors for traffic engineering LSPs.
  • preemption = Logs events related to the preemption of traffic engineering LSPs.
  • setups = Logs events related to the establishment of traffic engineering LSPs.
  • teardowns = Logs events related to the removal of traffic engineering LSPs.

IPv6 - 6PE

1. Introduction

The following lab gives a quick overview of how 6PE works.
As a prerequisite, an IPv4 MPLS core forms the operator's backbone.
On the P devices (P1 in the diagram below), IPv6 is not enabled (ipv6 unicast-routing).

2. Configuring the IPv4 MPLS core
6PE1:

!
hostname 6PE1
!
interface Loopback0
ip address 10.0.0.2 255.255.255.255
no clns route-cache
!
interface Serial1/1
description ## R2-R3 ##
ip address 192.168.23.2 255.255.255.0
ip router isis
mpls ip
serial restart-delay 0
!
router isis
net 49.0000.0000.0002.00
passive-interface Loopback0
!


6PE2:
!
hostname 6PE2
!
interface Loopback0
ip address 10.0.0.4 255.255.255.255
no clns route-cache
!
interface Serial1/3
description ## R4-R3 ##
ip address 192.168.34.4 255.255.255.0
ip router isis
mpls ip
serial restart-delay 0
!
router isis
net 49.0000.0000.0004.00
passive-interface Loopback0
!


P1:
!
hostname P1
!
interface Loopback0
ip address 10.0.0.3 255.255.255.255
no clns route-cache
!
interface Serial1/1
description ## R2-R3 ##
ip address 192.168.23.3 255.255.255.0
ip router isis
mpls ip
serial restart-delay 0
!
interface Serial1/2
description ## R3-R4 ##
ip address 192.168.34.3 255.255.255.0
ip router isis
mpls ip
serial restart-delay 0
!
router isis
net 49.0000.0000.0002.00
passive-interface Loopback0
!


3. Connecting the IPv6 CEs to the 6PEs:

6PE1:

!
ipv6 unicast-routing
ipv6 cef
!
interface Serial1/0
no ip address
ipv6 address 3FFE:B00:FFFF::2/48
no fair-queue
serial restart-delay 0
no clns route-cache
!


CE1:

!
ipv6 unicast-routing
ipv6 cef
!
interface Serial1/0
no ip address
ipv6 address 3FFE:B00:FFFF::1/48
no fair-queue
serial restart-delay 0
no clns route-cache
!
ipv6 route ::/0 Serial1/0 3FFE:B00:FFFF::2
!


6PE2:

!
ipv6 unicast-routing
ipv6 cef
!
interface Serial1/3
no ip address
ipv6 address 3FFE:B00:DDDD::2/48
no fair-queue
serial restart-delay 0
no clns route-cache
!


CE2:

!
ipv6 unicast-routing
ipv6 cef
!
interface Serial1/3
no ip address
ipv6 address 3FFE:B00:DDDD::1/48
no fair-queue
serial restart-delay 0
no clns route-cache
!
ipv6 route ::/0 Serial1/0 3FFE:B00:DDDD::2

!


4. Configuring the 6PEs to exchange prefixes

The core is not configured for IPv6, so labels are used instead.
An MP-iBGP session is configured between the two 6PEs:

6PE1:

!
router bgp 10
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.0.4 remote-as 10
neighbor 10.0.0.4 update-source Loopback0
!
address-family ipv6
neighbor 10.0.0.4 activate
neighbor 10.0.0.4 send-label
network 3FFE:B00:FFFF::/48
exit-address-family
!

6PE2:

!
router bgp 10
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.0.0.2 remote-as 10
neighbor 10.0.0.2 update-source Loopback0
!
address-family ipv6
neighbor 10.0.0.2 activate
neighbor 10.0.0.2 send-label
network 3FFE:B00:DDDD::/48
exit-address-family
!

5. Results and interpretation

The IPv6 networks towards CE1 and CE2 are advertised by their respective PEs.
The next hop has the form ::FFFF:10.0.0.2, where 10.0.0.2 is the update-source interface of the MP-BGP session towards 6PE1:


6PE2#show ip bgp ipv6 unicast
BGP table version is 7, local router ID is 10.0.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete


Network Next Hop Metric LocPrf Weight Path
*> 3FFE:B00:DDDD::/48 :: 0 32768 i
*>i3FFE:B00:FFFF::/48 ::FFFF:10.0.0.2 0 100 0 i
6PE2#

The prefix towards CE2 is present in the IPv6 RIB:

6PE2#show ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 3FFE:B00:DDDD::/48 [0/0]
via ::, Serial1/3
L 3FFE:B00:DDDD::2/128 [0/0]
via ::, Serial1/3
B 3FFE:B00:FFFF::/48 [200/0]
via ::FFFF:10.0.0.2
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
6PE2#


The BGP process on 6PE2 generates a label for the prefix it advertises and installs it in the LFIB:

6PE2#show mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or VC or Tunnel Id Switched interface
16 16 10.0.0.2/32 0 Se1/2 point2point
17 Pop Label 10.0.0.3/32 0 Se1/2 point2point
18 Pop Label 192.168.23.0/24 0 Se1/2 point2point
19 Aggregate 101.101.101.4/32[V] \
0 CustIPv4
20 No Label 3FFE:B00:DDDD::/48 \
2080 Se1/3 point2point
6PE2#


The next hop advertised by the MP-iBGP session is 10.0.0.2; LDP advertises label 16 for that prefix.

6PE2#show ipv6 cef 3FFE:B00:FFFF::/48
3FFE:B00:FFFF::/48
nexthop 192.168.34.3 Serial1/2 label 16 20
6PE2#


The principle is identical for the second PE:


6PE1#show ip bgp ipv6 unicast
BGP table version is 7, local router ID is 10.0.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*>i3FFE:B00:DDDD::/48
::FFFF:10.0.0.4 0 100 0 i
*> 3FFE:B00:FFFF::/48
:: 0 32768 i
6PE1#



6PE1#show ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
B 3FFE:B00:DDDD::/48 [200/0]
via ::FFFF:10.0.0.4
C 3FFE:B00:FFFF::/48 [0/0]
via ::, Serial1/0
L 3FFE:B00:FFFF::2/128 [0/0]
via ::, Serial1/0
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
6PE1#


6PE1#show mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or VC or Tunnel Id Switched interface
16 Pop Label 10.0.0.3/32 0 Se1/1 point2point
17 17 10.0.0.4/32 0 Se1/1 point2point
18 Pop Label 192.168.34.0/24 0 Se1/1 point2point
20 Aggregate 3FFE:B00:FFFF::/48 \
0
6PE1#


6PE1#sh ipv6 cef
3FFE:B00:DDDD::/48
nexthop 192.168.23.3 Serial1/1 label 17 20
3FFE:B00:FFFF::/48
attached to Serial1/0
3FFE:B00:FFFF::2/128
receive
FE80::/10
receive
FF00::/8
receive
6PE1#
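As an added example, not part of the original lab, the following Python rebuilds the two-label 6PE stack from the outputs above: the outer label is the LDP label for the IPv4-mapped BGP next hop, the inner label is the one the remote PE allocated for the IPv6 prefix, and the result can be compared with the "label 16 20" and "label 17 20" lines of show ipv6 cef. The flattened LFIB strings are constructed from the page's output; the "Pop Label" handling is our own addition.

```python
import ipaddress
import re

# Constructed, flattened copies of the 'show mpls forwarding-table' outputs shown above.
LFIB_6PE1 = """\
16 Pop Label 10.0.0.3/32 0 Se1/1 point2point
17 17 10.0.0.4/32 0 Se1/1 point2point
18 Pop Label 192.168.34.0/24 0 Se1/1 point2point
20 Aggregate 3FFE:B00:FFFF::/48 0
"""
LFIB_6PE2 = """\
16 16 10.0.0.2/32 0 Se1/2 point2point
17 Pop Label 10.0.0.3/32 0 Se1/2 point2point
18 Pop Label 192.168.23.0/24 0 Se1/2 point2point
20 No Label 3FFE:B00:DDDD::/48 2080 Se1/3 point2point
"""
LFIB_ROW = re.compile(r"^(\d+)\s+(\d+|Pop Label|Aggregate|No Label)\s+(\S+)", re.M)

def parse_lfib(text: str) -> dict:
    """Map each prefix to (local label, outgoing label or action)."""
    return {prefix: (int(local), out) for local, out, prefix in LFIB_ROW.findall(text)}

def mapped_ipv4(nexthop: str) -> str:
    """Turn the 6PE next hop ::FFFF:a.b.c.d back into the IPv4 loopback of the remote PE."""
    v4 = ipaddress.IPv6Address(nexthop).ipv4_mapped
    if v4 is None:
        raise ValueError(f"{nexthop} is not an IPv4-mapped IPv6 next hop")
    return str(v4)

def expected_label_stack(bgp_nexthop: str, local_lfib: str, remote_lfib: str, prefix: str) -> list:
    """Outer label: the LDP label this PE pushes towards the remote PE loopback.
    Inner label: the label the remote PE allocated for the IPv6 prefix (carried in MP-BGP)."""
    transport = parse_lfib(local_lfib)[mapped_ipv4(bgp_nexthop) + "/32"][1]
    inner = parse_lfib(remote_lfib)[prefix][0]
    # With penultimate hop popping ('Pop Label', implicit-null) only the BGP label is imposed.
    return [int(transport), inner] if transport.isdigit() else [inner]

def cef_label_stack(cef_line: str) -> list:
    """Extract the imposed labels from a 'show ipv6 cef' nexthop line."""
    return [int(x) for x in re.search(r"label ((?:\d+\s*)+)$", cef_line).group(1).split()]

if __name__ == "__main__":
    # 6PE2 towards CE1's prefix; the page's CEF line reads 'label 16 20'.
    print(expected_label_stack("::FFFF:10.0.0.2", LFIB_6PE2, LFIB_6PE1, "3FFE:B00:FFFF::/48"))
    # 6PE1 towards CE2's prefix; the page's CEF line reads 'label 17 20'.
    print(expected_label_stack("::FFFF:10.0.0.4", LFIB_6PE1, LFIB_6PE2, "3FFE:B00:DDDD::/48"))
```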


NTP - ACL

NTP - Network Time Protocol Packet types: -  Control messages : don't bother with this. -  NTP request/update messages: used for time sy...