Friday, April 20, 2018

Challenge: RIP - GET-VPN - ANSWERS

This is a back-to-basics lesson rolled up with a VPN topic. It will test your understanding of Cisco's default behavior when configuring RIPv1 and RIPv2. This is the solution to my previous blog post: https://showipintbri.blogspot.com/2018/04/challenge-rip-get-vpn.html

An excellent Cisco resource that I found very useful in preparing for this lab was:

https://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

The Topology:


The Requirements:

1. All routers' interfaces must be configured using the IP schema from the topology diagram.

2. You must run RIP between all routers and no other routing protocol.
  • Advertise all your connected networks.
  • R2 must run RIP version 2.
  • All other routers must run RIP version 1 and should see R2's loopback with its real mask.

3. You must have routes representing all the subnets (classful or better) from the topology in all your routing tables.

4. Configure GET VPN between all routers' WAN interfaces.
  • R1 must be the key server.

5. Pings sourced from the loopbacks of the group members to other group members must be encrypted.
  • All other traffic should not be encrypted.

6. You should have full reachability to all loopbacks in the topology.



My Solution:




The Configs:

R1:

int fa0/0
ip add 10.0.0.1 255.255.255.0
no shut

int lo 1
ip add 1.1.1.1 255.255.255.255
no shut

router rip
network 10.0.0.1
network 1.1.1.1
no auto-summary
exit


R2:

int fa0/0
ip add 10.0.0.2 255.255.255.0
ip rip receive version 1 2
no shut

int lo 2
ip add 2.2.2.2 255.255.255.255
no shut

router rip
network 10.0.0.2
network 2.2.2.2
version 2
no auto-summary

R3:

int fa0/0
ip add 10.0.0.3 255.255.255.0
no shut

int lo 2
ip add 3.3.3.3 255.255.255.255
no shut

router rip
network 10.0.0.3
network 3.3.3.3
no auto-summary

R4:

int fa0/0
ip add 10.0.0.4 255.255.255.0
no shut

int lo 2
ip add 4.4.4.4 255.255.255.255
no shut

router rip
network 10.0.0.4
network 4.4.4.4
no auto-summary
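Why only R2 needs the interface-level `ip rip receive version` command while R1, R3 and R4 need nothing: the model below (an added example, not part of the post) encodes the IOS RIP version defaults the lab relies on and computes what each router learns about the others' loopbacks, including the classful summary RIPv1 forces on a prefix from another major network. Router names and prefixes come from the configs above; the send/receive rules are the assumed IOS behaviour stated in the comments.

```python
# Model of the IOS RIP version defaults this challenge relies on (added
# example, not from the post). Assumed IOS behaviour:
#   * `router rip` with no `version` line sends v1 and accepts v1 or v2.
#   * `version 2` sends v2 and accepts only v2.
#   * `ip rip receive version 1 2` on the interface overrides the receive side.
#   * v1 carries no mask, so a prefix from another major network is summarised
#     to its classful boundary; v2 with `no auto-summary` keeps the real mask.
from dataclasses import dataclass

@dataclass
class RipRouter:
    name: str
    loopback: str                              # advertised prefix, "2.2.2.2/32"
    version: int = 1                           # `version 2`, or 1 = IOS default
    receive_override: frozenset = frozenset()  # `ip rip receive version ...`

    def send_version(self) -> int:
        return self.version

    def receive_versions(self) -> frozenset:
        if self.receive_override:
            return self.receive_override
        return frozenset({2}) if self.version == 2 else frozenset({1, 2})

def classful(prefix: str) -> str:
    """Summarise a prefix to its class A/B/C boundary, as RIPv1 must."""
    octets = prefix.split("/")[0].split(".")
    n = 1 if int(octets[0]) < 128 else 2 if int(octets[0]) < 192 else 3
    return ".".join(octets[:n] + ["0"] * (4 - n)) + f"/{8 * n}"

def learned_routes(routers: list) -> dict:
    """Prefixes each router learns from the others on one shared segment."""
    tables = {r.name: set() for r in routers}
    for rx in routers:
        for tx in routers:
            if tx is rx:
                continue
            v = tx.send_version()
            if v not in rx.receive_versions():
                continue                           # update silently ignored
            tables[rx.name].add(tx.loopback if v == 2 else classful(tx.loopback))
    return tables

# The challenge topology, built from the configs above (constructed input).
CHALLENGE = [
    RipRouter("R1", "1.1.1.1/32"),
    RipRouter("R2", "2.2.2.2/32", version=2, receive_override=frozenset({1, 2})),
    RipRouter("R3", "3.3.3.3/32"),
    RipRouter("R4", "4.4.4.4/32"),
]
```

Dropping the `receive_override` on R2 shows the failure mode: a `version 2` router ignores every v1 update and learns nothing from its neighbours.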





GET-VPN Configs:

Key Server:


crypto key generate rsa modulus 1024 label GETVPN_KEY



ip access-list extended 100
 permit icmp any any

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key CISCO address 0.0.0.0

crypto ipsec transform-set GETVPN_TRANS esp-3des esp-md5-hmac

crypto ipsec profile GETVPN_PROFILE
 set transform-set GETVPN_TRANS

crypto gdoi group GETVPN_GROUP
 identity number 123
 server local
  rekey authentication mypubkey rsa GETVPN_KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN_PROFILE
   match address ipv4 100
   replay counter window-size 64
  address ipv4 10.0.0.1

Group Members:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key CISCO address 10.0.0.1

crypto ipsec transform-set GETVPN_TRANS esp-3des esp-md5-hmac

crypto ipsec profile GETVPN_PROFILE
 set transform-set GETVPN_TRANS

crypto gdoi group GETVPN_GROUP
 identity number 123
 server address ipv4 10.0.0.1

crypto map GETVPN_MAP 10 gdoi
 set group GETVPN_GROUP


int fa0/0
crypto map GETVPN_MAP
exit
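To see exactly what ACL 100 on the key server commits to the group SA, here is an added Python check (not from the post) that evaluates constructed flows from the topology against the SA ACL with first-match semantics: ICMP between loopbacks is protected, and so is ICMP between the WAN addresses, while RIPv2, ISAKMP (UDP 500) and GDOI (UDP 848) fall to the implicit deny and stay in the clear. Only the ACL syntax used here (`any`, `host`, wildcard masks, `eq`) is parsed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str           # "icmp", "udp" or "tcp"
    src: str
    dst: str
    dport: int = 0       # 0 = no port (icmp)

def _network(tokens: list) -> ipaddress.IPv4Network:
    """Consume one ACL address term: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))   # IOS wildcard: 0 bit = must match
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acl(text: str) -> list:
    """Parse `permit|deny PROTO SRC DST [eq PORT]` lines (the subset used here)."""
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, dst = _network(rest), _network(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else 0
        entries.append((action, proto, src, dst, port))
    return entries

def encrypted(acl: list, flow: Flow) -> bool:
    """First match wins: permit = protect with the group SA; no match = clear text."""
    for action, proto, src, dst, port in acl:
        if (proto in ("ip", flow.proto) and ipaddress.ip_address(flow.src) in src
                and ipaddress.ip_address(flow.dst) in dst and port in (0, flow.dport)):
            return action == "permit"
    return False

SA_ACL = parse_acl("permit icmp any any")   # ACL 100 from the key server config above
FLOWS = {   # constructed from the topology: loopback/WAN pings, RIPv2, ISAKMP, GDOI
    "loopback ping": Flow("icmp", "1.1.1.1", "3.3.3.3"),
    "wan ping":      Flow("icmp", "10.0.0.2", "10.0.0.3"),
    "rip v2":        Flow("udp", "10.0.0.2", "224.0.0.9", 520),
    "isakmp to ks":  Flow("udp", "10.0.0.3", "10.0.0.1", 500),
    "gdoi to ks":    Flow("udp", "10.0.0.3", "10.0.0.1", 848),
}

def protected(acl: list = SA_ACL) -> list:
    """Names of the constructed flows that the SA ACL would encrypt."""
    return sorted(name for name, f in FLOWS.items() if encrypted(acl, f))
```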



Verification:

foreach address {
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4
} { ping $address repeat 1 source 1.1.1.1 }

! Change the 'source x.x.x.x' to the appropriate source IP

Wednesday, April 18, 2018

Configlet: Cisco 3850 Switch Stacking

In this configlet I'll show the few steps needed for a bare minimum switch stack.

A switch stack is when multiple switches are connected via a backplane (StackWise cables) and act as one larger switch. They share a common config, and all the interfaces of all the switches are configured via a single running-config.

One of the switches has to be the "master". In this example I'm forcing one switch to be the master by giving it the highest priority value. If you don't set any values manually, Cisco switches use the following order (from Cisco's website) to determine which one becomes the master:

  1. The switch that is currently the active switch.
  2. The switch with the highest stack member priority value.
  3. The switch with the shortest start-up time.
  4. The switch with the lowest MAC address.

Some resources from Cisco's website:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/hardware/installation/guide/b_c3850_hig/b_c3850_hig_chapter_010.html#concept_BACF415ABB244A479BB6C803B181560F

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/ha_stack_manager/configuration_guide/b_hastck_3se_3850_cg/b_hastck_3se_3850_cg_chapter_010.html#concept_6E38EA556E8A4A198FD7BBDC159F4B07


Before you begin:


  • In this scenario I have 2 switches. 
  • The switch I intend to be the master is powered on and running. It currently has an operational running-config.
  • The switch I intend to be the non-master is powered off.
  • I do NOT care about the configs on the non-master switch.

Check the current priority of the intended master:


Switch01#show switch

Switch/Stack Mac Address : 0000.aaaa.aaaa - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   0000.aaaa.aaaa     1      V06     Ready


You can see from the above output that the priority value is 1 (the lowest). I want this switch to become the master every time, so I will change it to the maximum value of 15 (the highest).


Change the priority on the intended master:


NOTE: These commands are entered from privileged EXEC mode, NOT global configuration mode, and they do not appear in the running-config.

Switch01#switch ?
  <1-9>  Switch Number

Switch01#switch 1 ?
  priority  Set the priority of the specified switch
  renumber  Renumber the specified switch number
  stack     Stack port enable or disable

Switch01#switch 1 priority ?
  <1-15>  Switch Priority

Switch01#switch 1 priority 15 ?
  <cr>

Switch01#switch 1 priority 15
WARNING: Changing the switchpriority may result in a configuration change for that switch. Do you want to continue?[y/n]y
Switch01#
Switch01#
Switch01#



Verify the priority has changed for intended master:

Switch01#sho switch
Switch/Stack Mac Address : 0000.aaaa.aaaa - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   0000.aaaa.aaaa     15     V06     Ready



Connect the StackWise cables and power up the second switch. You'll see some console messages similar to what is below.


Nov 11 01:14:07.116: %STACKMGR-1-STACK_LINK_CHANGE: 1 stack-mgr:  Stack port 2 on switch 1 is up
Nov 11 01:14:26.152: %STACKMGR-6-SWITCH_ADDED: 1 stack-mgr:  Switch 2 has been added to the stack.
Nov 11 01:14:37.742: %STACKMGR-6-SWITCH_READY: 1 stack-mgr:  Switch 2 is ready.
Nov 11 01:14:37.748: Starting SWITCH-ADD sequence, switch 2
Nov 11 01:14:39.047: %NGWC_USB_CONSOLE-6-CONFIG_ENABLE: Switch 2: Console media-type changed to default
Nov 11 01:14:42.836: %NGWC_PLATFORM_FEP-6-FRU_PS_OIR: Switch 2: FRU power supply A inserted
Nov 11 01:14:42.837: %NGWC_PLATFORM_FEP-6-FRU_PS_OIR: Switch 2: FRU power supply B inserted
Nov 11 01:15:01.239: SWITCH-ADD sequence complete, switch 2

Nov 11 01:15:03.832: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1/1, changed state to down
Nov 11 01:15:03.832: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1/2, changed state to down
Nov 11 01:15:03.832: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1/3, changed state to down
Nov 11 01:15:03.832: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/1/4, changed state to down
Nov 11 01:15:03.833: %LINEPROTO-5-UPDOWN: Line protoc
Switch01#ol on Interface TenGigabitEthernet2/1/1, changed state to down
Nov 11 01:15:03.833: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/1/2, changed state to down
Nov 11 01:15:03.833: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/1/3, changed state to down
Nov 11 01:15:03.833: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/1/4, changed state to down
Nov 11 01:15:04.769: %PLATFORM_PM-6-FRULINK_INSERTED: 4x1G uplink module inserted in the switch 2 slot 1


The syslog messages above and the stack 'convergence' take a few minutes. After the line-protocol messages stop, you can verify from the master switch that the two are stacked.

Verify the Switch Stack:

Switch01#sho switch
Switch/Stack Mac Address : 0000.aaaa.aaaa - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   0000.aaaa.aaaa     15     V06     Ready
 2       Member   0000.bbbb.bbbb     1      V07     Ready



Switch01#sho switch neighbors
  Switch #    Port 1       Port 2
  --------    ------       ------
      1        None           2
      2         1            None


Switch01#sho switch detail
Switch/Stack Mac Address : 0000.aaaa.aaaa - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   0000.aaaa.aaaa     15     V06     Ready
 2       Member   0000.bbbb.bbbb     1      V07     Ready



         Stack Port Status             Neighbors
Switch#  Port 1     Port 2           Port 1   Port 2
--------------------------------------------------------
  1       DOWN         OK             None       2
  2         OK       DOWN               1      None

Switch01#
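A small parser for the `show switch` tables shown above, with the master-election order from the top of the post applied to what it extracts. This is an added example, not from the post; the start-up-time tiebreak is not visible in this output, so the model treats it as a tie and falls through to the lowest MAC address. It also flags a member whose priority outranks the active switch, since priority decides a fresh election, not a running one.

```python
import re
from dataclasses import dataclass

# One row of the member table, e.g. "*1  Active  0000.aaaa.aaaa  15  V06  Ready".
ROW = re.compile(r"^\s*(\*?)(\d+)\s+(\w+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                 r"\s+(\d+)\s+(\S+)\s+(\w+)\s*$")

@dataclass(frozen=True)
class Member:
    number: int
    role: str
    mac: str
    priority: int
    state: str
    local: bool          # '*' marks the switch the console session is on

def parse_show_switch(text: str) -> list:
    """Extract the member rows from `show switch` or `show switch detail`."""
    members = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            star, num, role, mac, prio, _hw, state = m.groups()
            members.append(Member(int(num), role, mac, int(prio), state, star == "*"))
    return members

def elect_master(members: list) -> Member:
    """Election order from the post: current active switch, then highest
    priority, (start-up time is unknown here), then lowest MAC address."""
    return min(members, key=lambda s: (s.role != "Active", -s.priority, s.mac))

def priority_warnings(members: list) -> list:
    """Members that would outrank the current active switch in a fresh election."""
    active = next(s for s in members if s.role == "Active")
    return [f"switch {s.number} (priority {s.priority}) outranks active switch "
            f"{active.number} (priority {active.priority}) in a fresh election"
            for s in members if s.priority > active.priority]

# `show switch` output captured in the post after the priority change and stacking.
STACKED = """\
Switch/Stack Mac Address : 0000.aaaa.aaaa - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   0000.aaaa.aaaa     15     V06     Ready
 2       Member   0000.bbbb.bbbb     1      V07     Ready
"""
```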


Saturday, April 14, 2018

Challenge: RIP - GET-VPN

UPDATE (4/20/2018): I posted the answers a day early: https://showipintbri.blogspot.com/2018/04/challenge-rip-get-vpn-answers.html

As I was working through some studies I had a challenge idea.

This is not a "stump the chump"; instead, it is a back-to-basics exercise.

Answers will be posted April 21, 2018.

Topology:

Requirements:

1. All routers' interfaces must be configured using the IP schema from the topology diagram.

2. You must run RIP between all routers and no other routing protocol.
  • Advertise all your connected networks.
  • R2 must run RIP version 2.
  • All other routers must run RIP version 1 and should see R2's loopback with its real mask.

3. You must have routes representing all the subnets (classful or better) from the topology in all your routing tables.

4. Configure GET VPN between all routers' WAN interfaces.
  • R1 must be the key server.

5. Pings sourced from the loopbacks of the group members to other group members must be encrypted.
  • All other traffic should not be encrypted.

6. You should have full reachability to all loopbacks in the topology.

Sunday, April 1, 2018

LinkedIn Challenge - VXLAN Alternatives

Now, I would not say these are alternatives to VXLAN in production environments, but they are alternative ways of solving the networking challenge.

Original LinkedIn Challenge Post: https://www.linkedin.com/feed/update/urn:li:activity:6384425951123554304

Sorry for taking so long to get these out; I sat for my CCIE Written this week, and that took a higher priority than this. Nevertheless, here we are.

I could not execute the challenge as designed for a few reasons:

  1. I don't have the proper images that support VXLAN
  2. I have never used VXLAN and am not familiar with the particulars

I proposed two alternative solutions to this challenge; these are solutions I am familiar with. They share similar configs but achieve the solution differently.

  1. AToM - Any Transport over MPLS
  2. L2TPv3 - Layer 2 Tunneling Protocol v3

The Challenge:

My Solution:



My Topology:


Solution #1: AToM

R1:

int gi0/0
 ip add 10.1.14.1 255.255.255.0
 no shut
exit

R4:

int gi0/0
 ip add 10.1.14.4 255.255.255.0
 no shut
exit

R2:

mpls label protocol ldp
mpls ldp router-id Gi0/1 force

int gi0/1
 ip add 10.1.23.2 255.255.255.0
 mpls ip
 no shut
exit

pseudowire-class LAB1
 encapsulation mpls
exit

int gi0/0
 xconnect 10.1.23.3 1 pw-class LAB1
 no shut
exit

R3:

mpls label protocol ldp
mpls ldp router-id Gi0/1 force

int gi0/1
 ip add 10.1.23.3 255.255.255.0
 mpls ip
 no shut
exit

pseudowire-class LAB1
 encapsulation mpls
exit

int gi0/0
 xconnect 10.1.23.2 1 pw-class LAB1
 no shut
exit



Solution #2: L2TPv3


R1:

int gi0/0
 ip add 10.1.14.1 255.255.255.0
 no shut
exit

R4:

int gi0/0
 ip add 10.1.14.4 255.255.255.0
 no shut
exit

R2:

int gi0/1
 ip add 10.1.23.2 255.255.255.0
 no shut
exit

pseudowire-class LAB2
 encapsulation l2tpv3
 ip local interface GigabitEthernet0/1
exit

int gi0/0
 xconnect 10.1.23.3 1 pw-class LAB2
 no shut
exit

R3:

int gi0/1
 ip add 10.1.23.3 255.255.255.0
 no shut
exit

pseudowire-class LAB2
 encapsulation l2tpv3
 ip local interface GigabitEthernet0/1
exit

int gi0/0
 xconnect 10.1.23.2 1 pw-class LAB2
 no shut
exit