Diagram

Hub (R1)

HUB#
interface Ethernet0/0
ip address 10.0.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.1.1
!
interface Tunnel0
ip address 100.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1234
ip nhrp holdtime 360
ip nhrp redirect
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf 1 area 0
tunnel source Ethernet0/0
tunnel mode gre multipoint

Spoke (R2, R3)

SPOKE1#
 interface Ethernet0/0
 ip address 10.0.2.2 255.255.255.0
 !
 ip route 0.0.0.0 0.0.0.0 10.0.2.1
 !
 interface Tunnel0
 ip address 100.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map 100.0.0.1 10.0.1.2
 ip nhrp map multicast 10.0.1.2
 ip nhrp network-id 1234
 ip nhrp holdtime 360
 ip nhrp nhs 100.0.0.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

SPOKE2#
 interface Ethernet0/0
 ip address 10.0.3.2 255.255.255.0
 !
 ip route 0.0.0.0 0.0.0.0 10.0.3.1

!
 interface Tunnel0
 ip address 100.0.0.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map 100.0.0.1 10.0.1.2
 ip nhrp map multicast 10.0.1.2
 ip nhrp network-id 1234
 ip nhrp holdtime 360
 ip nhrp nhs 100.0.0.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode gre multipoint

Troubleshooting

HUB#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer
 NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
 UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
 1 10.0.2.2 100.0.0.2 UP 01:15:52 D
 1 10.0.3.2 100.0.0.3 UP 01:15:09 D

Before flow between spokes:

SPOKE1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
 N - NATed, L - Local, X - No Socket
 # Ent --> Number of NHRP entries with same NBMA peer
 NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
 UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
 1 10.0.1.2 100.0.0.1 UP 01:16:18 S
 

 

SPOKE1#ping 100.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.3, timeout is 2 seconds:
!!!!!

After a dynamic tunnel to the other spoke is dynamically enabled

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
SPOKE1#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.0.1.2 100.0.0.1 UP 01:16:31 S
1 10.0.3.2 100.0.0.3 UP 00:00:01 D

Configuration d’un switch frame-relay

Dans cette architecture nous avons trois routeurs dont un qui à le role de switch Frame-Relay.

Configuration du swith frame-relay

Pour cela il est necessaire d’activer le frame-relay switching :

frame-relay switching.

Ensuite il faut définir quel port sera attaché à tel routeur avec les bon DLCI. Dans notre exemple, nous aurons la configuration suivante :

 R1 |-DLCI 104 ---------------se0/0-| FR1 |-se0/1---------------DLCI 401-| R4

Configuration de FR1 :

interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay intf-type dce
 frame-relay route 104 interface Serial0/1 401
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay intf-type dce
 frame-relay route 401 interface Serial0/0 104
!

Configuration des interfaces series de R1 et R4 :

R1#sh run int se1/0
Building configuration...

Current configuration : 212 bytes
!
interface Serial1/0
 ip address 192.168.1.1 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 192.168.1.4 104
 frame-relay interface-dlci 104
 no frame-relay inverse-arp

interface Serial0/0
 ip address 192.168.1.4 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 192.168.1.1 401
 frame-relay interface-dlci 401
 no frame-relay inverse-arp

Vérification

FR1#sh frame-relay route
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       104             Serial0/1       401             active
Serial0/1       401             Serial0/0       104             active
!
FR1#sh frame-relay pvc | inc DLCI
DLCI = 104, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0
DLCI = 401, DLCI USAGE = SWITCHED, PVC STATUS = ACTIVE, INTERFACE = Serial0/1

R1#sh frame map
Serial1/0 (up): ip 192.168.1.4 dlci 104(0x68,0x1880), static,
              CISCO, status defined, active
R1#sh frame pvc | inc DLCI
DLCI = 104, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0

R4#sh frame map
Serial0/0 (up): ip 192.168.1.1 dlci 401(0x191,0x6410), static,
              CISCO, status defined, active
R4#sh frame pvc | inc DLCI
DLCI = 401, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0

R1#p 192.168.1.4 re 50

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 4/14/72 ms

How to configure DHCP and EIGRP on Cisco Router

2011-05-22

In this configuration, we will configure three Cisco router in EIGRP. All routers will be connected to a switch on the same VLAN and will share the same subnet: 172.16.0.0/28.

R1 will be also a DHCP server and assign IP address to R2 and R3.

The EIGRP area 100 with be secure by and MD5 password.

R1 Configuration

DHCP

no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1
ip dhcp pool r2r3
network 172.16.0.0 255.255.255.248
default-router 172.16.0.1
domain-name zed-network.fr
ip dhcp pool R2
host 172.16.0.2 255.255.255.248
client-identifier 01cc.010c.0c00.00
default-router 172.16.0.1
ip dhcp pool R3
host 172.16.0.3 255.255.255.248
client-identifier 01cc.020c.0c00.00
default-router 172.16.0.1

EIGRP

!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.248
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
 duplex auto
 speed auto
!
key chain cisco
 key 10
   key-string cisco
!
router eigrp 100
 network 172.16.0.0 0.0.0.7
 no auto-summary

R2 and R3 configuration

interface FastEthernet0/0
 ip address dhcp client-id FastEthernet0/0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 cisco
 duplex auto
 speed auto
!
key chain cisco
 key 10
   key-string cisco
 ip authentication key-chain eigrp 100 cisco
!
router eigrp 100
 network 172.16.0.0 0.0.0.7
 no auto-summary

Verification

R1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.0.2          01cc.010c.0c00.00       Infinite                Manual
172.16.0.3          01cc.020c.0c00.00       Infinite                Manual

R2#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.0.2      YES DHCP   up                    up
FastEthernet1/0            unassigned      YES unset  administratively down down

R1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.16.0.2              Fa0/0             11 00:10:35   28   200  0  35
2   172.16.0.3              Fa0/0             13 00:11:54   80   480  0  34

Calcul de wildcard pour faire des filtres

2011-05-18

Exemple nous recevons les réseaux suivants :

172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, 172.16.4.0/24, 172.16.5./24, 172.16.6.0/24.

Nous voulons garder uniquement les réseaux suivants : 172.16.2.0/24 à 172.16.5.0/24.

Nous voyons si l’on transforme en binaire ce qui nous interresse que nous avons 3 bits qui changent (envert). Nous transformons donc les trois bits en 1 et nous obtenons un wildcard de 7.

172.16.1.0/24 =     172.16.00000001.0
172.16.2.0/24 =     172.16.00000010.0
172.16.3.0/24 =     172.16.00000011.0
172.16.4.0/24 =     172.16.00000100.0
172.16.5.0/24 =     140.10.00000101.0
172.16.6.0/24 =     140.10.00000110.0

Wild card = 0.0.00000111.0 = 0.0.7.0

Le problème étant que nous voulons que de 2 à 5. Il faut donc segmenter.

En gardant seulement les 4 réseaux qui nous interessent, on peut voir que l’on a possibilité de couper en deux.

172.16.2.0/24 = 172.16.00000010.0
172.16.3.0/24 = 172.16.00000011.0

Et,

172.16.4.0/24 = 172.16.00000100.0
172.16.5.0/24 = 140.10.00000101.0

Dans les deux bits en verts qui reste on voit que seul le premier change. Ce qui fait 1 bits à 1 donc 1 en decimal.

En conclusion on peut avoir cette ACL :

ip access-list 10 permit 172.16.2.0 0.0.1.0

ip access-list 20 permit 172.16.4.0 0.0.1.0

Plus intéressant maintenant, nous recevons la classe compète 172.16.0.0/24 jusqu’à 172.16.255.0/24. Nous voulons uniquement les réseaux paires : 172.16.0.0, 172.16.2.0, etc…

On fait la même opération que precedement : à Gauche la liste complète de 0 à 32 et à droite en rouge les paires et en noir les impaires. En gros si l’on observe bien la seule différence entre les deux si l’on prend que les paires le premier bit est toujours à 0 et si on prend les impaires le premier est toujours à 1. Donc on peut faire le wildcard suivant : 1111 1110 => 254.

Liste complète des 32 premières entrées	Liste surligné des 32 premières entrées
bin 0000 0000 = dec 0 bin 0000 0001 = dec 1 bin 0000 0010 = dec 2 bin 0000 0011 = dec 3 bin 0000 0100 = dec 4 bin 0000 0101 = dec 5 bin 0000 0110 = dec 6 bin 0000 0111 = dec 7 bin 0000 1000 = dec 8 bin 0000 1001 = dec 9 bin 0000 1010 = dec 10 bin 0000 1011 = dec 11 bin 0000 1100 = dec 12 bin 0000 1101 = dec 13 bin 0000 1110 = dec 14 bin 0000 1111 = dec 15 bin 0001 0000 = dec 16 bin 0001 0001 = dec 17 bin 0001 0010 = dec 18 bin 0001 0011 = dec 19 bin 0001 0100 = dec 20 bin 0001 0101 = dec 21 bin 0001 0110 = dec 22 bin 0001 0111 = dec 23 bin 0001 1000 = dec 24 bin 0001 1001 = dec 25 bin 0001 1010 = dec 26 bin 0001 1011 = dec 27 bin 0001 1100 = dec 28 bin 0001 1101 = dec 29 bin 0001 1110 = dec 30 bin 0001 1111 = dec 31 bin 1111 1110 = dec 32	bin 0000 0000 = dec 0 bin 0000 0001 = dec 1 bin 0000 0010 = dec 2 bin 0000 0011 = dec 3 bin 0000 0100 = dec 4 bin 0000 0101 = dec 5 bin 0000 0110 = dec 6 bin 0000 0111 = dec 7 bin 0000 1000 = dec 8 bin 0000 1001 = dec 9 bin 0000 1010 = dec 10 bin 0000 1011 = dec 11 bin 0000 1100 = dec 12 bin 0000 1101 = dec 13 bin 0000 1110 = dec 14 bin 0000 1111 = dec 15 bin 0001 0000 = dec 16 bin 0001 0001 = dec 17 bin 0001 0010 = dec 18 bin 0001 0011 = dec 19 bin 0001 0100 = dec 20 bin 0001 0101 = dec 21 bin 0001 0110 = dec 22 bin 0001 0111 = dec 23 bin 0001 1000 = dec 24 bin 0001 1001 = dec 25 bin 0001 1010 = dec 26 bin 0001 1011 = dec 27 bin 0001 1100 = dec 28 bin 0001 1101 = dec 29 bin 0001 1110 = dec 30 bin 0001 1111 = dec 31 bin 1111 1110 = dec 32

Liste complète des 32 premières entrées

Liste surligné des 32 premières entrées

bin 0000 0000 = dec 0
bin 0000 0001 = dec 1
bin 0000 0010 = dec 2
bin 0000 0011 = dec 3
bin 0000 0100 = dec 4
bin 0000 0101 = dec 5
bin 0000 0110 = dec 6
bin 0000 0111 = dec 7
bin 0000 1000 = dec 8
bin 0000 1001 = dec 9
bin 0000 1010 = dec 10
bin 0000 1011 = dec 11
bin 0000 1100 = dec 12
bin 0000 1101 = dec 13
bin 0000 1110 = dec 14
bin 0000 1111 = dec 15
bin 0001 0000 = dec 16
bin 0001 0001 = dec 17
bin 0001 0010 = dec 18
bin 0001 0011 = dec 19
bin 0001 0100 = dec 20
bin 0001 0101 = dec 21
bin 0001 0110 = dec 22
bin 0001 0111 = dec 23
bin 0001 1000 = dec 24
bin 0001 1001 = dec 25
bin 0001 1010 = dec 26
bin 0001 1011 = dec 27
bin 0001 1100 = dec 28
bin 0001 1101 = dec 29
bin 0001 1110 = dec 30
bin 0001 1111 = dec 31
bin 1111 1110 = dec 32

bin 0000 0000 = dec 0
bin 0000 0001 = dec 1
bin 0000 0010 = dec 2
bin 0000 0011 = dec 3
bin 0000 0100 = dec 4
bin 0000 0101 = dec 5
bin 0000 0110 = dec 6
bin 0000 0111 = dec 7
bin 0000 1000 = dec 8
bin 0000 1001 = dec 9
bin 0000 1010 = dec 10
bin 0000 1011 = dec 11
bin 0000 1100 = dec 12
bin 0000 1101 = dec 13
bin 0000 1110 = dec 14
bin 0000 1111 = dec 15
bin 0001 0000 = dec 16
bin 0001 0001 = dec 17
bin 0001 0010 = dec 18
bin 0001 0011 = dec 19
bin 0001 0100 = dec 20
bin 0001 0101 = dec 21
bin 0001 0110 = dec 22
bin 0001 0111 = dec 23
bin 0001 1000 = dec 24
bin 0001 1001 = dec 25
bin 0001 1010 = dec 26
bin 0001 1011 = dec 27
bin 0001 1100 = dec 28
bin 0001 1101 = dec 29
bin 0001 1110 = dec 30
bin 0001 1111 = dec 31
bin 1111 1110 = dec 32

Donc pour garder les réseaux paires, on part de 172.16.0.0 avec le masque 0.0.254.0 et on vire tous les impaires. Idem pour avoir que les impaires on part de 172.16.1.0 avec le meme masque 0.0.254.0.

Et voila on a ce que l’on veut en 1 ACL.

Dernier exemple un peu plus complexe. Nous allons combiner ce que l’on a vu en acceptant que les paires entre 20 et 30 exclus avec le moins de ligne d’ACL possible.

L’idée est de récupérer ce que l’on a d’abord entre 20 et 30. Si l’on fait le meme exercice on se rend compte que l’on va matcher sur 16, 18 et 30. Il faudra donc supprimer c’est enregistrement un par un.

bin 0001 0000 = dec 16
bin 0001 0010 = dec 18
bin 0001 0100 = dec 20
bin 0001 0110 = dec 22
bin 0001 1000 = dec 24
bin 0001 1010 = dec 26
bin 0001 1100 = dec 28
bin 0001 1110 = dec 30

le premier wildcard est 14 0000 1110. Cela va prendre les paires de 16 à 30. Il suffit après d’interdire les intrus.

#do sh ip access
Standard IP access list 1
    1 deny   172.16.16.0, wildcard bits 0.0.0.255
    2 deny   172.16.18.0, wildcard bits 0.0.0.255
    3 deny   172.16.30.0, wildcard bits 0.0.0.255 
    20 permit 172.16.16.0, wildcard bits 0.0.14.0 
!
#do sh ip bgp
BGP table version is 6, local router ID is 10.0.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.20.0/24   10.0.1.1                 0             0 100 i
*> 172.16.22.0/24   10.0.1.1                 0             0 100 i
*> 172.16.24.0/24   10.0.1.1                 0             0 100 i
*> 172.16.26.0/24   10.0.1.1                 0             0 100 i
*> 172.16.28.0/24   10.0.1.1                 0             0 100 i

Cisco Frame Relay RTP compression

2011-05-14

Activer la compression sur les entetes RTP sur une liaison Frame Relay :

R1(config-if)#$.0.0.2 102 bro rtp header-compression ?
  active            Always compress RTP headers
  connections       Maximum number of compressed RTP connections
  passive           Compress for destinations sending compressed RTP headers
  periodic-refresh  Send periodic refresh packets

!
interface Serial0/1
 bandwidth 128
 ip address 10.0.0.1 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 10.0.0.2 102 broadcast rtp header-compression passive connections 15

La commande precedante permet donc d’activer la compression RTP. La commande passive permet en plus de dire d’effectuer la compression seulement si on recoit des paquets compressés. La commande connection permet de limiter le nombre de paquet à compresser.

Zed-Network

Network Effect

Category: CCIE R&S

DMVPN Phase 3 with OSPF