BGP OSPF EIGRP HSRP and IPsec VPN Lab

Basic configuration of all routers:

R1:
  interface FastEthernet0/0
   ip address 14.14.14.1 255.255.255.0
   no shutdown
  !
  interface Serial1/1
   ip address 10.0.12.1 255.255.255.252
   no shutdown

R2:
  interface FastEthernet0/0
   ip address 23.23.23.2 255.255.255.0
   no shutdown
  !
  interface Serial1/1
   ip address 10.0.12.2 255.255.255.252
   no shutdown

R3:
  interface FastEthernet0/0
   ip address 23.23.23.3 255.255.255.0
   no shutdown
  !
  interface Serial1/2
   ip address 10.0.34.1 255.255.255.252
   no shutdown

R4:
  interface FastEthernet0/0
   ip address 14.14.14.4 255.255.255.0
   no shutdown
  !
  interface Serial1/1
   ip address 10.0.34.2 255.255.255.252
   no shutdown

R1 and R4 are running EIGRP AS 14. R2 and R3 are running OSPF. R1 and R2 are running BGP AS 12 (an IBGP session). R1 redistributes BGP routes into the EIGRP domain; R2 redistributes BGP routes into the OSPF domain.

Configuration of EIGRP between R1 and R4:

R1:
  router eigrp 14
   no auto-summary
   network 14.14.14.1 0.0.0.0
   redistribute connected
   redistribute bgp 12
   default-metric 1544 2000 255 1 1500

R4:
  router eigrp 14
   no auto-summary
   network 14.14.14.4 0.0.0.0
   redistribute connected

Configuration of OSPF between R2 and R3:

R2:
  router ospf 1
   router-id 2.2.2.2
   network 23.23.23.2 0.0.0.0 area 0
   redistribute connected subnets
   redistribute bgp 12 subnets

R3:
  router ospf 1
   router-id 3.3.3.3
   network 23.23.23.3 0.0.0.0 area 0
   redistribute connected subnets

Configuration of BGP between R1 and R2. We must add bgp redistribute-internal because, by default, routes learned through IBGP are not included when redistributing from BGP into an IGP:

R1:
  router bgp 12
   bgp router-id 1.1.1.1
   neighbor 10.0.12.2 remote-as 12
   network 14.14.14.0 mask 255.255.255.0
   bgp redistribute-internal

R2:
  router bgp 12
   bgp router-id 2.2.2.2
   neighbor 10.0.12.1 remote-as 12
   bgp redistribute-internal
   network 23.23.23.0 mask 255.255.255.0

Let's verify the routing tables of all routers:

R1#show ip route | beg Gate
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.12.0/30 is directly connected, Serial1/1
L        10.0.12.1/32 is directly connected, Serial1/1
D EX     10.0.34.0/30 [170/2172416] via 14.14.14.4, 00:01:47, FastEthernet0/0
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.14.14.0/24 is directly connected, FastEthernet0/0
L        14.14.14.1/32 is directly connected, FastEthernet0/0
      23.0.0.0/24 is subnetted, 1 subnets
B        23.23.23.0 [200/0] via 10.0.12.2, 00:00:25
R1#

R2#show ip route | beg Gate
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.12.0/30 is directly connected, Serial1/1
L        10.0.12.2/32 is directly connected, Serial1/1
O E2     10.0.34.0/30 [110/20] via 23.23.23.3, 00:02:30, FastEthernet0/0
      14.0.0.0/24 is subnetted, 1 subnets
B        14.14.14.0 [200/0] via 10.0.12.1, 00:02:18
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.23.23.0/24 is directly connected, FastEthernet0/0
L        23.23.23.2/32 is directly connected, FastEthernet0/0
R2#

R3#show ip route | beg Gate
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2     10.0.12.0/30 [110/20] via 23.23.23.2, 00:03:55, FastEthernet0/0
C        10.0.34.0/30 is directly connected, Serial1/2
L        10.0.34.1/32 is directly connected, Serial1/2
      14.0.0.0/24 is subnetted, 1 subnets
O E2     14.14.14.0 [110/1] via 23.23.23.2, 00:03:43, FastEthernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.23.23.0/24 is directly connected, FastEthernet0/0
L        23.23.23.3/32 is directly connected, FastEthernet0/0
R3#

R4#show ip route | beg Gate
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX     10.0.12.0/30 [170/2172416] via 14.14.14.1, 00:06:34, FastEthernet0/0
C        10.0.34.0/30 is directly connected, Serial1/1
L        10.0.34.2/32 is directly connected, Serial1/1
      14.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        14.14.14.0/24 is directly connected, FastEthernet0/0
L        14.14.14.4/32 is directly connected, FastEthernet0/0
      23.0.0.0/24 is subnetted, 1 subnets
D EX     23.23.23.0 [170/2172416] via 14.14.14.1, 00:05:12, FastEthernet0/0
R4#

Let's configure HSRP on the LAN segment between R1 and R4. The virtual IP address is 14.14.14.254. The priority of R1 is 105; the priority of R4 is 100 (the default). To ensure that R4 becomes the active gateway when R1's S1/1 interface is down, we configure a tracking object with the track 1 interface serial 1/1 line-protocol command: when the tracked interface goes down, R1's priority is decremented by 10 to 95, which is below R4's 100, so R4 (which has preemption enabled) takes over. When R1's S1/1 interface comes back up, R1 waits 30 seconds before resuming the active role, configured with standby 1 preempt delay minimum 30.

R1:
  track 1 interface serial 1/1 line-protocol
  !
  interface fastethernet 0/0
   standby 1 ip 14.14.14.254
   standby 1 priority 105
   standby 1 preempt
   standby 1 preempt delay minimum 30
   standby 1 track 1 decrement 10

R4:
  interface fastethernet 0/0
   standby 1 ip 14.14.14.254
   standby 1 preempt

Let's verify the HSRP operation. R1 is the Active router and R4 is the Standby router:

R1#show standby fastethernet 0/0
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:00:26
  Virtual IP address is 14.14.14.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.864 secs
  Preemption enabled, delay min 30 secs
  Active router is local
  Standby router is 14.14.14.4, priority 100 (expires in 8.720 sec)
  Priority 105 (configured 105)
    Track object 1 state Up decrement 10
  Group name is hsrp-Fa0/0-1 (default)
R1#

R4#show standby fastethernet 0/0
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:01:18
  Virtual IP address is 14.14.14.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.960 secs
  Preemption enabled
  Active router is 14.14.14.1, priority 105 (expires in 11.536 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is hsrp-Fa0/0-1 (default)
R4#

Now the purpose is: when the R1-R2 link is down, the traffic between the 14.14.14.0/24 and 23.23.23.0/24 subnets will use the R3-R4 link and will be protected by a site-to-site IPsec VPN between R3 and R4. Here are the detailed parameters of the IPsec VPN:

1. Advanced Encryption Standard (AES) is the encryption algorithm
2. Use a 256-bit AES encryption key
3. Pre-shared key authentication with a shared key of cisco123
4. Diffie-Hellman group 5

Keep in mind that by default the two subnets are learned from the IBGP domain, so R1 and R2 install them with the IBGP administrative distance of 200, the default value. To ensure that the R3-R4 path is used only as a backup path, we modify the default administrative distance of the external EIGRP routes on R1 and of the external OSPF routes on R2 (to 210). We then configure floating static routes as the backup path on R3 and R4, toward 14.14.14.0/24 and 23.23.23.0/24 respectively, with an administrative distance of 254, which is higher than the AD of 210 configured above for the external EIGRP and OSPF routes. These floating static routes are redistributed by R3 and R4 into OSPF and EIGRP respectively and are used as the backup route through the backup link R3-R4:

R1:
  router eigrp 14
   distance eigrp 90 210

R2:
  router ospf 1
   distance ospf external 210

R3:
  ip route 14.14.14.0 255.255.255.0 10.0.34.2 254
  !
  router ospf 1
   redistribute static subnets
  !
  ip access-list extended VPN-TRAFFIC
   permit ip 23.23.23.0 0.0.0.255 14.14.14.0 0.0.0.255
  !
  crypto isakmp policy 1
   encryption aes 256
   authentication pre-share
   group 5
  !
  crypto isakmp key cisco123 address 10.0.34.2
  crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha512-hmac
  !
  crypto map VPN-MAP 1 ipsec-isakmp
   set peer 10.0.34.2
   set transform-set TRANSFORM
   match address VPN-TRAFFIC
  !
  interface serial 1/2
   crypto map VPN-MAP

R4:
  ip route 23.23.23.0 255.255.255.0 10.0.34.1 254
  !
  router eigrp 14
   redistribute static
  !
  ip access-list extended VPN-TRAFFIC
   permit ip 14.14.14.0 0.0.0.255 23.23.23.0 0.0.0.255
  !
  crypto isakmp policy 1
   encryption aes 256
   authentication pre-share
   group 5
  !
  crypto isakmp key cisco123 address 10.0.34.1
  crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha512-hmac
  !
  crypto map VPN-MAP 1 ipsec-isakmp
   set peer 10.0.34.1
   set transform-set TRANSFORM
   match address VPN-TRAFFIC
  !
  interface serial 1/1
   crypto map VPN-MAP

Before verifying the routing tables, let's check the routes for the subnets 14.14.14.0/24 and 23.23.23.0/24. Remember that both R1 and R2 receive two routes, toward 23.23.23.0/24 and 14.14.14.0/24 respectively: R1 learns one route through the BGP domain with AD 200 and another through the EIGRP domain with AD 210; R2 learns one route through the BGP domain with AD 200 and another through the OSPF domain with AD 210.

R1 prefers the BGP route learned from R2 over the R1-R2 link to reach 23.23.23.0/24, because 200 is less than 210:

R1#show ip route 23.23.23.0
Routing entry for 23.23.23.0/24
  Known via bgp 12, distance 200, metric 0, type internal
  Redistributing via eigrp 14
  Advertised by eigrp 14
  Last update from 10.0.12.2 00:29:57 ago
  Routing Descriptor Blocks:
  * 10.0.12.2, from 10.0.12.2, 00:29:57 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none
R1#

R2 prefers the BGP route learned from R1 over the R1-R2 link to reach 14.14.14.0/24, because 200 is less than 210:

R2#show ip route 14.14.14.0
Routing entry for 14.14.14.0/24
  Known via bgp 12, distance 200, metric 0, type internal
  Redistributing via ospf 1
  Advertised by ospf 1 subnets
  Last update from 10.0.12.1 00:31:38 ago
  Routing Descriptor Blocks:
  * 10.0.12.1, from 10.0.12.1, 00:31:38 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none
R2#

R3 prefers the OSPF route learned from R2 to reach 14.14.14.0/24, because 110 is less than 254:

R3#show ip route 14.14.14.0
Routing entry for 14.14.14.0/24
  Known via ospf 1, distance 110, metric 1, type extern 2, forward metric 1
  Last update from 23.23.23.2 on FastEthernet0/0, 00:32:55 ago
  Routing Descriptor Blocks:
  * 23.23.23.2, from 2.2.2.2, 00:32:55 ago, via FastEthernet0/0
      Route metric is 1, traffic share count is 1
R3#

R4 prefers the EIGRP route learned from R1 to reach 23.23.23.0/24, because 170 is less than 254:

R4#show ip route 23.23.23.0
Routing entry for 23.23.23.0/24
  Known via eigrp 14, distance 170, metric 2172416, type external
  Redistributing via eigrp 14
  Last update from 14.14.14.1 on FastEthernet0/0, 00:08:59 ago
  Routing Descriptor Blocks:
  * 14.14.14.1, from 14.14.14.1, 00:08:59 ago, via FastEthernet0/0
      Route metric is 2172416, traffic share count is 1
      Total delay is 20100 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
R4#

Let's disable the link R1-R2:

R1(config)#int s1/1
R1(config-if)#shutdown

R1 installs the backup external EIGRP route learned from R4 (which is the static route redistributed by R4):

R1#show ip route 23.23.23.0
Routing entry for 23.23.23.0/24
  Known via eigrp 14, distance 210, metric 2172416, type external
  Redistributing via eigrp 14
  Last update from 14.14.14.4 on FastEthernet0/0, 00:00:25 ago
  Routing Descriptor Blocks:
  * 14.14.14.4, from 14.14.14.4, 00:00:25 ago, via FastEthernet0/0
      Route metric is 2172416, traffic share count is 1
      Total delay is 20100 microseconds, minimum bandwidth is 1544 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
R1#

R2 installs the backup external OSPF route learned from R3 with AD 210 (which is the static route redistributed by R3):

R2#show ip route 14.14.14.0
Routing entry for 14.14.14.0/24
  Known via ospf 1, distance 210, metric 20, type extern 2, forward metric 1
  Last update from 23.23.23.3 on FastEthernet0/0, 00:02:45 ago
  Routing Descriptor Blocks:
  * 23.23.23.3, from 3.3.3.3, 00:02:45 ago, via FastEthernet0/0
      Route metric is 20, traffic share count is 1
R2#

R4 now installs the floating static route with AD 254:

R4#show ip route 23.23.23.0
Routing entry for 23.23.23.0/24
  Known via static, distance 254, metric 0
  Redistributing via eigrp 14
  Advertised by eigrp 14
  Routing Descriptor Blocks:
  * 10.0.34.1
      Route metric is 0, traffic share count is 1
R4#

Now R1 and R2 are using the backup link R3-R4, so let's test the IPsec VPN by initiating a ping from R1 and from R2. The first echo from R1 is typically lost while the IKE and IPsec security associations are being negotiated:

R1#ping 23.23.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 72/83/92 ms
R1#

R2#ping 14.14.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.14.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/178/240 ms
R2#

The traffic is encrypted, as shown by the show crypto ipsec sa command on R3 and the show crypto session detail command on R4. Note that the output reports PFS (Y/N): N, which matches the crypto map above: no set pfs command was configured, so DH group 5 is used only for the IKE phase 1 exchange and the IPsec keys are derived from the IKE SA without a fresh Diffie-Hellman exchange:

R3#show crypto ipsec sa

interface: Serial1/2
    Crypto map tag: VPN-MAP, local addr 10.0.34.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.23.23.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (14.14.14.0/255.255.255.0/0/0)
   current_peer 10.0.34.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.34.1, remote crypto endpt.: 10.0.34.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 0xD721BA96(3609311894)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD3931479(3549631609)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: VPN-MAP
        sa timing: remaining key lifetime (k/sec): (4224688/3489)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD721BA96(3609311894)
        transform: esp-256-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: VPN-MAP
        sa timing: remaining key lifetime (k/sec): (4224688/3489)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

R4#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial1/1
Uptime: 00:03:39
Session status: UP-ACTIVE
Peer: 10.0.34.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.0.34.1
      Desc: (none)
  IKEv1 SA: local 10.0.34.2/500 remote 10.0.34.1/500 Active
          Capabilities:(none) connid:1001 lifetime:23:56:19
  IPSEC FLOW: permit ip 14.14.14.0/255.255.255.0 23.23.23.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 9 drop 0 life (KB/Sec) 4272396/3380
        Outbound: #pkts enc'ed 9 drop 0 life (KB/Sec) 4272396/3380
R4#
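As an added verification check that is not part of the original lab, the following Python script parses the R3 show crypto ipsec sa output and confirms that both ESP SAs are active with the requested AES-256/SHA-512 transform, that every packet entering the tunnel was encrypted or decrypted, and that no send/receive errors were counted; the PFS flag is reported as an informational note. The embedded sample text is abridged from the R3 output above; the function names and the EXPECTED tuple are my own.

```python
import re

# Abridged "show crypto ipsec sa" output from R3 in this lab (counters, PFS line and the two ESP SAs).
R3_IPSEC_SA = """\
   #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
   #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
   #send errors 0, #recv errors 0
   PFS (Y/N): N, DH group: none
   inbound esp sas:
    spi: 0xD3931479(3549631609)
      transform: esp-256-aes esp-sha512-hmac ,
      Status: ACTIVE(ACTIVE)
   outbound esp sas:
    spi: 0xD721BA96(3609311894)
      transform: esp-256-aes esp-sha512-hmac ,
      Status: ACTIVE(ACTIVE)
"""

# What the lab's transform set asks for: AES with a 256-bit key and SHA-512 HMAC (assumed naming, as IOS prints it).
EXPECTED = ("esp-256-aes", "esp-sha512-hmac")
SA_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)\(\d+\)\s+transform: (\S+) (\S+) ,.*?Status: (\w+)", re.S)

def parse_ipsec_sa(text):
    # Counters, PFS flag and one ESP SA per direction; a direction without an SA maps to None.
    pkts = {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", text)}
    errs = {k: int(v) for k, v in re.findall(r"#(send|recv) errors (\d+)", text)}
    pfs = re.search(r"PFS \(Y/N\): (\w)", text).group(1)
    inbound, outbound = text.split("inbound esp sas:", 1)[1].split("outbound esp sas:", 1)
    sas = {d: SA_RE.search(part) for d, part in (("inbound", inbound), ("outbound", outbound))}
    return {"pkts": pkts, "errs": errs, "pfs": pfs,
            "sas": {d: m and dict(zip(("spi", "cipher", "integrity", "status"), m.groups())) for d, m in sas.items()}}

def check_tunnel(text, expected=EXPECTED):
    # ok is True only when both SAs are ACTIVE with the expected transform, every packet that
    # entered the tunnel was encrypted/decrypted, and no send/recv errors were counted.
    sa = parse_ipsec_sa(text)
    findings = []
    for direction, e in sa["sas"].items():
        if e is None or e["status"] != "ACTIVE":
            findings.append(f"{direction}: no active ESP SA")
        elif (e["cipher"], e["integrity"]) != expected:
            findings.append(f"{direction}: transform {e['cipher']} {e['integrity']} differs from {expected}")
    p = sa["pkts"]
    for seen, done in (("encaps", "encrypt"), ("decaps", "decrypt")):
        if not p.get(seen) or p[seen] != p.get(done):
            findings.append(f"{seen}={p.get(seen)} but {done}={p.get(done)}: traffic not fully protected")
    if any(sa["errs"].values()):
        findings.append(f"SA errors counted: {sa['errs']}")
    notes = [] if sa["pfs"] == "Y" else ["PFS off: IPsec SA keys derive from the IKE SA without a fresh DH exchange"]
    return not findings, findings + notes  # the PFS note is informational: this lab's crypto map has no 'set pfs'
```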
Posted on: Wed, 05 Nov 2014 09:57:48 +0000