Saturday, July 7, 2018

#100DaysOfLabbing - Day 5

Day 5 I fought environment issues for more time than I was labbing. It was frustrating and, looking back, not the best way to spend my time.

A lab that worked on Wednesday didn't work on Thursday or Friday, but it did work on another platform.

I started working on DMVPN with OSPF as the routing protocol, and that too didn't work on one platform but did work on another.

The Video:

Day 5

Friday, July 6, 2018

#100DaysOfLabbing - Day 4

Day 4 was rough. My plan was to breeze through the same lab I did yesterday so I could really solidify it, but the universe had other plans.

I hit the ground running with IPv4 DMVPN but fell on my face for IPv6. I spent 30 minutes configuring, verifying and working through the different phases of IPv4 DMVPN, and 2.5 hours troubleshooting IPv6. :face_palm: I cannot waste time like that. This was a learning experience, but I'll never get that time back.

Also, this blog site was broken and I had to fix it.

I found this resource today:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-xe-3s-book/eigrp-route-map.html

The Video:

Day 4


Wednesday, July 4, 2018

#100DaysOfLabbing - Day 3

Dual Stack - Multi Hub - DMVPN

tl;dr - After failure, success tastes so much sweeter.

Today was all over the map. This morning I came into the labs charging like a bull. I wanted to do IPv6 DMVPN and I did! I was successful. That carried me on a little engineering high, knowing I had done something I had never tried before, something that seemed so foreign, and had come out of the battle victorious.

But, I'm wise enough to know anyone can get lucky once, but very few get lucky twice.

So I wiped the routers and did it again, minimal errors and mostly from memory... success.

While I was completing my second run through the configs and topology I got an idea for a topology and a challenge: Dual Stack - Multi Hub - DMVPN

I felt comfortable enough with my understanding of the component technologies that I felt I could pull it off, and I shrugged: "what the hell... we'll do it live". (https://www.youtube.com/watch?v=eUFY8Zw0Bag)

As I began the recording I can be quoted as saying something to the effect of "this might take about 30 minutes"... 65 minutes later I ended up at a dead end and I failed.

I got burned by a couple of items:

  • I had to pull the tunnel protection off the IPv4 DMVPN and put it back on for it to work. I'm not sure whether this is a bug or whether I unknowingly fell victim to order of operations and didn't know it.
  • Others were oversights and misconfigurations.

Have a Process:

Whenever I'm writing configs they rarely look like the running-config from a router's output, or come in the same order; instead I build them in layers, like a cake.
  1. Think ahead about all the elements that you'll need to complete a task.
  2. Which configurable elements can be grouped and entered at the same time?
  3. In-between layers, what can you verify?
Following the process from above I would order the tasks as follows:

    1. Underlay (NBMA) addresses, connectivity
    2. Loopbacks
    3. Crypto
    4. Tunnel Interface for IPv4 topology
    5. Routing protocol for IPv4 topology
    6. Verify
    7. Tunnel interface for IPv6 topology
    8. Routing Protocol for IPv6 topology
    9. Verify

The Resources:

I found this group of documents extremely helpful for all aspects of this configuration. It includes specifics on IPv6 addressing, which I still wasn't too keen on, but now I'm much more comfortable. It also broke down the elements we need for the IPv6 DMVPN.


The Videos:

Day 3 - Part 1 (more than 1 hour)

Day 3 - Part 2

The Configs:

R1: (IPv4 Hub, IPv6 Spoke)

hostname R1

no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MYTRANS

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback6
 no ip address
 ipv6 address FC01::1/128
 ipv6 eigrp 6
!
interface Tunnel0
 ip address 10.123.234.1 255.255.255.0
 no ip redirects
 no ip split-horizon eigrp 90
 ip nhrp map multicast dynamic
 ip nhrp network-id 1234
 tunnel source 172.17.100.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 no ip address
 ipv6 address FE80::1 link-local
 ipv6 address FC00:1234::1/64
 ipv6 eigrp 6
 ipv6 nhrp map FC00:1234::4/64 2001::4
 ipv6 nhrp map multicast 2001::4
 ipv6 nhrp network-id 10123
 ipv6 nhrp nhs FC00:1234::4
 ipv6 nhrp shortcut
 tunnel source 2001::1
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 172.17.100.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001::1/48

router eigrp 90
 network 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Loopback0

router eigrp ipv6
 !
 address-family ipv6 unicast autonomous-system 6
  !
  af-interface GigabitEthernet0/0
   shutdown
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family

line con 0
 logging synchronous


R2: (IPv4 Spoke, IPv6 Spoke)

hostname R2

no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MYTRANS

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback6
 no ip address
 ipv6 address FC02::2/128
 ipv6 eigrp 6
!
interface Tunnel0
 ip address 10.123.234.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 172.17.100.1
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.2
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 no ip address
 ipv6 address FE80::2 link-local
 ipv6 address FC00:1234::2/64
 ipv6 eigrp 6
 ipv6 nhrp map FC00:1234::4/64 2001::4
 ipv6 nhrp map multicast 2001::4
 ipv6 nhrp network-id 10123
 ipv6 nhrp nhs FC00:1234::4
 ipv6 nhrp shortcut
 tunnel source 2001::2
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 172.17.100.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001::2/48

router eigrp 90
 network 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Loopback0

router eigrp ipv6
 !
 address-family ipv6 unicast autonomous-system 6
  !
  af-interface GigabitEthernet0/0
   shutdown
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family

line con 0
 logging synchronous


R3: (IPv4 Spoke, IPv6 Spoke)


hostname R3

no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MYTRANS

interface Loopback0
 ip address 3.3.3.3 255.255.255.255

interface Loopback6
 no ip address
 ipv6 address FC03::3/128
 ipv6 eigrp 6

interface Tunnel0
 ip address 10.123.234.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 172.17.100.1
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.3
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN

interface Tunnel1
 no ip address
 ipv6 address FE80::3 link-local
 ipv6 address FC00:1234::3/64
 ipv6 eigrp 6
 ipv6 nhrp map FC00:1234::4/64 2001::4
 ipv6 nhrp map multicast 2001::4
 ipv6 nhrp network-id 10123
 ipv6 nhrp nhs FC00:1234::4
 ipv6 nhrp shortcut
 tunnel source 2001::3
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN

interface GigabitEthernet0/0
 ip address 172.17.100.3 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001::3/48

router eigrp 90
 network 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Loopback0

router eigrp ipv6
 !
 address-family ipv6 unicast autonomous-system 6
  !
  af-interface GigabitEthernet0/0
   shutdown
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family

line con 0
 logging synchronous


R4: (IPv4 Spoke, IPv6 Hub)

hostname R4

no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto isakmp key SHOWIPINTBRI address ipv6 ::/0
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DMVPN
 set transform-set MYTRANS

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback6
 no ip address
 ipv6 address FC04::4/128
 ipv6 eigrp 6
!
interface Tunnel0
 ip address 10.123.234.4 255.255.255.0
 no ip redirects
 ip nhrp map multicast 172.17.100.1
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.4
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 no ip address
 ipv6 address FE80::4 link-local
 ipv6 address FC00:1234::4/64
 ipv6 eigrp 6
 no ipv6 split-horizon eigrp 6
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 10123
 ipv6 nhrp redirect
 tunnel source 2001::4
 tunnel mode gre multipoint ipv6
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 172.17.100.4 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001::4/48

router eigrp 90
 network 0.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Loopback0
!
!
router eigrp ipv6
 !
 address-family ipv6 unicast autonomous-system 6
  !
  af-interface GigabitEthernet0/0
   shutdown
  exit-af-interface
  !
  af-interface Tunnel1
   no split-horizon
  exit-af-interface
  !
  topology base
  exit-af-topology
 exit-address-family

line con 0
 logging synchronous

#100DaysOfLabbing - Day 1 & 2

It's actually day 3 as I write this, but I wanted to put down some documentation I've been keeping in a text document.

I learned a few things doing the configs on Day 1 and Day 2. Some of them simpler than others but worth noting.

This is the DMVPN Cisco Validated Design Guide I mentioned:

https://supportforums.cisco.com/legacyfs/online/legacy/3/9/5/26593-DMVPNbk.pdf

Day 1

Day 2

Basic DMVPN


#1 Lesson Learned


!Hub

int tun 0
ip add 10.123.234.1 255.255.255.0
tunnel source Gi0/0
tunnel mode gre multipoint
no shut

!Spoke

int tun 0
ip add 10.123.234.2 255.255.255.0
tunnel source Gi0/0
! wrong: 10.123.234.1 is the hub's tunnel address, not its NBMA (Gi0/0) address
tunnel destination 10.123.234.1
no shut



! Broke
R2#sho int tun 0
Tunnel0 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.123.234.2/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - no output interface
  Tunnel source 172.17.100.2 (GigabitEthernet0/0), destination 10.123.234.1
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with GigabitEthernet0/0
          Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never

Lesson Learned: I made the error of incorrectly defining the tunnel destination. I defined it as the remote tunnel interface address when I actually needed to use the public NBMA address.


Fixed:

R2#sho int tun 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.123.234.2/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 172.17.100.2 (GigabitEthernet0/0), destination 172.17.100.1
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with GigabitEthernet0/0
          Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never

Explanation: The tunnel interface's line protocol stays down until the router has a valid exit interface and a route to the tunnel destination. With the destination set to 10.123.234.1, an address in the tunnel's own subnet, the only path to it would be through the tunnel itself, so there is no output interface ("Tunnel linestate evaluation down - no output interface" above). Pointing the destination at the hub's underlay address 172.17.100.1 on the shared Gi0/0 segment gives it one, and line protocol comes up.
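The "what can you verify between layers?" step from the Day 3 process list, and the tunnel-destination mistake above, turned into a script. This is an added example, not tooling from the original posts: it reads IOS-style config text and checks the tunnel, NHRP and crypto layers before any routing protocol goes on top. The three sample configs inside it are constructed for the example (R1 and R2 reuse the Day 3 hub and spoke addressing, R3 is a spoke deliberately broken in the ways these posts describe); the check names, messages and the lab-only flag on a wildcard pre-shared key are the example's own.

```python
"""Between-layer checks for a DMVPN build (added example, not the post's own tooling).

Verifies what the 'Have a Process' list says to check before the routing layer goes
on: each tunnel has 'tunnel protection' and its IPsec profile exists; NHRP network-ids
agree across routers; each spoke maps its NHS to that hub's real tunnel source; no
tunnel destination or NHRP mapping lies inside the tunnel's own subnet (the Day 1 & 2
mistake); and a pre-shared key bound to 'address 0.0.0.0' is flagged as lab-only.
"""
import ipaddress
import re

# Constructed sample configs, trimmed to the lines the checks read.  R1 (hub) and R2
# (spoke) follow the Day 3 addressing; R3 is a spoke with deliberate mistakes.
CONFIGS = {
    "R1": """
crypto isakmp key SHOWIPINTBRI address 0.0.0.0
crypto ipsec profile DMVPN
interface Tunnel0
 ip address 10.123.234.1 255.255.255.0
 ip nhrp network-id 1234
 tunnel source 172.17.100.1
 tunnel protection ipsec profile DMVPN
""",
    "R2": """
crypto isakmp key SHOWIPINTBRI address 172.17.100.1 255.255.255.255
crypto ipsec profile DMVPN
interface Tunnel0
 ip address 10.123.234.2 255.255.255.0
 ip nhrp map 10.123.234.1 172.17.100.1
 ip nhrp network-id 1234
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.2
 tunnel protection ipsec profile DMVPN
""",
    "R3": """
interface Tunnel0
 ip address 10.123.234.3 255.255.255.0
 ip nhrp map 10.123.234.1 10.123.234.1
 ip nhrp network-id 4321
 ip nhrp nhs 10.123.234.1
 tunnel source 172.17.100.3
""",
}

def parse(text):
    """Split one config into (global lines, {interface name: [indented sub-lines]})."""
    glob, ifaces, cur = [], {}, None
    for line in filter(None, (l.rstrip() for l in text.splitlines())):
        if line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], [])
        elif not line.startswith((" ", "!")):
            cur = None
            glob.append(line)
    return glob, ifaces

def first(lines, pattern):
    """First match of a regex anchored at line start, or None."""
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)

def check_dmvpn(configs):
    """Run every check over {router: config text}; return a sorted list of findings."""
    findings, tunnels, net_ids = [], {}, {}  # tunnel ip -> (router, NBMA); iface -> {router: id}
    parsed = {r: parse(t) for r, t in configs.items()}
    for router, (glob, ifaces) in parsed.items():
        profiles = {l.split()[-1] for l in glob if l.startswith("crypto ipsec profile ")}
        if first(glob, r"crypto isakmp key \S+ address (?:0\.0\.0\.0\b|ipv6 ::/0)"):
            findings.append(f"{router}: wildcard IKEv1 pre-shared key (address 0.0.0.0), lab only")
        for name, lines in ifaces.items():
            if not name.startswith("Tunnel"):
                continue
            addr, src = first(lines, r"ip address (\S+) (\S+)"), first(lines, r"tunnel source (\S+)")
            subnet = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network if addr else None
            if addr and src:
                tunnels[addr.group(1)] = (router, src.group(1))
            if nid := first(lines, r"ip nhrp network-id (\d+)"):
                net_ids.setdefault(name, {})[router] = nid.group(1)
            if (prot := first(lines, r"tunnel protection ipsec profile (\S+)")) is None:
                findings.append(f"{router} {name}: no tunnel protection, GRE crosses the NBMA cloud in cleartext")
            elif prot.group(1) not in profiles:
                findings.append(f"{router} {name}: ipsec profile {prot.group(1)} referenced but never defined")
            for line in lines:  # transport-side addresses must lie outside the tunnel itself
                m = re.match(r"(?:tunnel destination|ip nhrp map \S+) (\d+\.\d+\.\d+\.\d+)$", line)
                if m and subnet and ipaddress.ip_address(m.group(1)) in subnet:
                    findings.append(f"{router} {name}: NBMA address {m.group(1)} is inside the tunnel subnet {subnet}")
    for router, (_, ifaces) in parsed.items():  # second pass: every tunnel address is known now
        for name, lines in ifaces.items():
            nhs = first(lines, r"ip nhrp nhs (\S+)")
            hub = tunnels.get(nhs.group(1)) if nhs else None
            mapped = first(lines, rf"ip nhrp map {re.escape(nhs.group(1))} (\S+)") if nhs else None
            if nhs and hub is None:
                findings.append(f"{router} {name}: NHS {nhs.group(1)} is not any router's tunnel address")
            elif nhs and (mapped is None or mapped.group(1) != hub[1]):
                findings.append(f"{router} {name}: NHS {nhs.group(1)} must map to {hub[0]}'s tunnel source {hub[1]}")
    for name, per_router in net_ids.items():
        if len(set(per_router.values())) > 1:
            findings.append(f"{name}: NHRP network-id differs across routers {per_router}")
    return sorted(findings)
```

Feed it real `show running-config` text per router in place of CONFIGS; it only reads the global `crypto` lines and the `interface` blocks. On the sample set it reports five findings: the wildcard key on R1, and on R3 the missing `tunnel protection`, the NHS mapped to the hub's tunnel address instead of its tunnel source, that same address sitting inside the tunnel subnet, and the network-id mismatch. The wildcard finding also applies to the Day 3 configs as posted: `crypto isakmp key ... address 0.0.0.0` lets any IKE peer that knows the key complete phase 1, which is fine on a lab segment and not on an NBMA cloud you do not control.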


#2 Lesson Learned - Tunnel Keepalives

In the output below you can see "Keepalive not set". Tunnel keepalives are not set by default. You can configure keepalives under the tunnel interface by entering just the keyword "keepalive"; this gives the default of a keepalive sent every 10 seconds, with 3 retries before the tunnel is considered down. Alternatively, you can specify the keepalive period (for example, 5 seconds); the retry count can also be set, but if it is omitted it defaults to 3 retries.

R4#sho int tun 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.123.234.4/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
[ ... output omitted ... ]


Keepalive with default values

R3(config-if)#keepalive ?
  <0-32767>  Keepalive period (default 10 seconds)
  <cr>

R3(config-if)#keepalive
R3(config-if)#
R3(config-if)#do sho int tun 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.123.234.3/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec), retries 3
[ ... output omitted ... ]

Keepalive with defined values

R4(config)#int tun 0
R4(config-if)#keepalive 5
R4(config-if)#end
R4#
R4#sho int tun 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.123.234.4/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (5 sec), retries 3
[ ... output omitted ... ]