Part 1: Setting up the new, bigger, and better lab to configure everything we’ve learned up to this point!

 


As previously mentioned I believe, this will be a multi-part lab in which I will configure “Multi-Point” 2-way Redistribution / Policy-Routing / Distribute-Lists / Route-Maps / and troubleshooting all along the way.

Here are a few things I know I want to achieve over the several parts of this lab:

  • Authentication deep dive for all 3 protocols in Topology
  • DEEP Dive look at Redistribution with Route-Map tagging and Distribute-Lists
  • Policy Routing and Local Policy Routing configuration
  • 3-way Redistribution on R3 if possible, things might get crazy
  • Deep Dive into Policy Routing capabilities, applying around the network
  • Random other topics as I can think of them

I will be working as much with route-maps as possible, as they really are a huge chunk of all of those topics, so I believe those are critical to understand inside out. I have done a “wr er” and “reload” on all routers, and am going to configure the core network in the Topology, but I may review some of my previous posts to get my brain tuned up to lab until my brain melts out of my skull.

That being said I will just configure it for tonight, and add to it slowly while I am fresh, I don’t want to do anything while I am in zombie mode (like now) after a long work day.

So this will all be review, and as I said, saturate this network completely with all the concepts I have posted about and troubleshoot issues as needed.

I am going to whip up this Topology now, and we will get this party started on my next post, see you there 🙂

The extended traceroute command, and Local Policy Routing Configuration!


Still working with the same Topology seen above, I want to round off the Policy Routing videos to see if I can bring that into some scenario or freestyle lab, and see how crazy one can get with Policy Routing.

The first thing to note that I have amazingly not known at all until this video, from a router there are two ways to do extended traceroutes (like extended pings):

  • Type “traceroute” and hit enter to fill in options exactly like an extended ping
  • “traceroute (dest IP) source (source IP)” to simulate traffic from that network

Also to note on the second method, you can actually source several different ways, shown with the extended options as I fill them out, so there shall be a bit of output:

R1#traceroute 4.4.4.4 ?
numeric  display numeric address
port     specify port number
probe    specify number of probes per hop
source   specify source address or name
timeout  specify time out
ttl      specify minimum and maximum ttl
<cr>

R1#traceroute 4.4.4.4 source ?
A.B.C.D            Source address
Async              Async interface
BVI                Bridge-Group Virtual Interface
CDMA-Ix            CDMA Ix interface
CTunnel            CTunnel interface
Dialer             Dialer interface
FastEthernet       FastEthernet IEEE 802.3
Lex                Lex interface
Loopback           Loopback interface
MFR                Multilink Frame Relay bundle interface
Multilink          Multilink-group interface
Null               Null interface
Port-channel       Ethernet Channel of interfaces
Serial             Serial
Tunnel             Tunnel interface
Vif                PGM Multicast Host interface
Virtual-PPP        Virtual PPP interface
Virtual-Template   Virtual Template interface
Virtual-TokenRing  Virtual TokenRing

R1#traceroute 4.4.4.4 source 10.20.30.40 ?
numeric  display numeric address
port     specify port number
probe    specify number of probes per hop
timeout  specify time out
ttl      specify minimum and maximum ttl
<cr>

R1#traceroute 4.4.4.4 source 10.20.30.40

% Invalid source address- IP address not on any of our up interfaces


R1#

It’s like a build your own sundae, you can just keep adding scoops of detail to your traceroute, but as can be seen in the error at the end of the output we have an important message. The source IP address must be on one of our “Up” interfaces on the local router, so being this requires a Physical or Logical interface that is in “Up” status, it sounds like Loopback interfaces are the way to go as they won’t go down unless administratively.

However if we are using an extended traceroute, it is because we are simulating traffic from another network for testing the path, but as we well know Policy Routing requires an interface of the incoming traffic to Policy Route and this is where Local Policy Routing comes into play.

To make things harder on my already exhausted brain, I assigned loopback names to match the IP addresses:

R1(config)#int lo ?
  <0-2147483647>  Loopback interface number (<- What!!!)

R1(config)#int lo1234
*Mar  1 17:00:40.658: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1234, changed state to up
R1(config-if)#ip add 10.20.30.40 255.255.255.0
R1(config-if)#int lo4321
*Mar  1 17:01:03.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback4321, changed state to up
R1(config-if)#ip add 40.30.20.10 255.255.255.0
R1(config-if)#

Another interesting thing, you can make an interface loopback 2,147,483,647 (2.1 billion), I have been setting my bar way too low for loopback interface numbers. Back to the matter at hand, I now have my two loopbacks just created as well as lo1 with IP address 1.1.1.1 /32 to use in the lab.

So the structure of how you create the route-map is the same as making an ACL / matching it on a route-map / set ip next-hop (ip addy), however there is no incoming interface on the local router so we will examine where we apply this route-map if not to an incoming interface.

To start I will send an initial traceroute to see my current path so I know how to alter it:

R1(config)#do traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

1 172.12.123.3 32 msec 32 msec 36 msec
2 172.12.34.4 32 msec *  32 msec
R1(config)#do traceroute 4.4.4.4 source 40.30.20.10

Type escape sequence to abort.
Tracing the route to 4.4.4.4

1  *  *  *
2  *  *  *
3  *  *  *
4  *  *  *
5  *

This is a good learning lesson, because I just made these loopbacks, but forgot to add them to OSPF so no other routers would know a route back, so I’ll add them to OSPF and we’ll try again:

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 0
R1(config-router)#network 10.20.30.40 0.0.0.255 area 0
R1(config-router)#network 40.30.20.10 0.0.0.255 area 0
R1(config-router)#do traceroute 4.4.4.4 source 40.30.20.10

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.3 36 msec 33 msec 32 msec
  2 172.12.34.4 32 msec *  32 msec
R1(config-router)#

Much better. So being that 172.12.123.3 is the preferred path to R4’s loopback of 4.4.4.4, I want our 2 new loopback interfaces to route traffic towards R2 instead, so I will create a multi-line ACL this time for Policy Routing and create the Route-map:

R1(config)#access-list 105 permit ip host 10.20.30.40 host 4.4.4.4
R1(config)#access-list 105 permit ip host 40.30.20.10 host 4.4.4.4
R1(config)#route-map LocalNextHop permit 10
R1(config-route-map)#match ip add 105
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#

I am still not sure if you can have multiple route-maps on an interface, I will lab the scenario because I think it makes sense that one interface can have multiple networks coming into it that it needs to route different places, however for now I can confirm that 1 route-map can contain multi-line ACL’s to direct more than one line of traffic towards a next hop destination.

So no incoming interface, where do we configure the route-map? The answer is – Globally:

R1(config)#ip local ?
  policy  Enable policy routing
  pool    IP Local address pool lists

R1(config)#ip local policy ?
  route-map  Policy route map

R1(config)#ip local policy route-map ?
  WORD  Route map name

R1(config)#ip local policy route-map LocalNextHop ?
  <cr>

R1(config)#ip local policy route-map LocalNextHop
R1(config)#

And to test it out, we will use our new friend extended traceroute:

R1#traceroute 4.4.4.4 source 40.30.20.10

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.2 32 msec 32 msec 32 msec
  2 172.12.123.1 25 msec 24 msec 24 msec
  3 172.12.123.3 56 msec 56 msec 56 msec
  4 172.12.34.4 56 msec *  52 msec
R1#traceroute 4.4.4.4 source 1.1.1.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.3 33 msec 32 msec 32 msec
  2 172.12.34.4 32 msec *  32 msec
R1#

I’ve highlighted first one of the IP addresses called out in the ACL, then our lo1, to show that we have not only sub-optimal routing (described in last post how to fix), but that it does in fact attempt to take R2 because of the Local Policy Routing happening whereas 1.1.1.1 goes right to R3.

As mentioned how to overcome that sub-optimal routing you see in the first trace is picked apart in detail in my last post, so please read up on how PBR is not one and done on a single router as taught in the video courses I am watching.

Just a couple more points on Local Policy Routing to wrap this up:

  • Local Policy Routing will not affect any other Policy Routing assigned to interfaces
  • Local Policy Route-maps must be named differently than any existing route-maps currently configured on the router

So basically for local policy routing, you just need to remember the global command to apply it, and off to the races you go. I will be doing one more freestyle lab with PBR to see its limitations, as you learn things like in my training materials it did not mention that error we saw saying it needs to be an “Up” interface on the router.

So I invite you or future me to check out the next post of just messing around with PBR in general to see what we can break and fix, and then it is onward to VPNs. See ya!

Using Extended ACL’s for Policy Routing to overcome sub-optimal routing


As seen in the previous look at policy routing using a standard ACL, it led to sub-optimal routing due to only routing on the source, and not both source and destination addresses – for this we will use an Extended ACL to correct. So I took the old commands off, nothing fancy:

R1(config)#no access-list 5
R1(config)#no route-map R5toR2
R1(config)#int fa0/1
R1(config-if)#no ip policy route-map R5toR2
R1(config-if)#exit
R1(config)#

As can be seen, just really go through each step of setting it up, add a no to the front using ctrl + a to jump to the front of command, and now it’s good to go to setup an Extended ACL. So now we add the new configs to R1, and see what a traceroute shows:

R1(config)#access-list 105 permit ip host 172.12.15.5 host 4.4.4.4
R1(config)#route-map NextHop permit 10
R1(config-route-map)#match ip add 105
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#int fa0/1
R1(config-if)#ip policy route-map NextHop
R1(config-if)#
ASR#5
[Resuming connection 5 to r5 … ]

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 0 msec 4 msec 0 msec
  2 172.12.123.2 32 msec 36 msec 32 msec
  3 172.12.123.1 24 msec 24 msec 24 msec
  4 172.12.123.3 56 msec 56 msec 56 msec
  5 172.12.34.4 52 msec *  52 msec
R5#

I am disappointed with this result because it verifies that Chris Bryant did a poor job on his teaching of this section, there obviously needs to be some extra configuration along the route path which wasn’t mentioned at all in the training videos, and even his logical topology did not match his physical setup.

So now that I’ve got my moaning and groaning about that out of my system, we’ll need to review R2 and how to make it not throw that traffic back out S0/0 as it has in its route-table to do so and no policy routing is set up over there.

So I noticed one thing right away that needs to be addressed:

R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.1 32 msec 32 msec 32 msec
  2 172.12.123.3 64 msec 64 msec 64 msec
  3 172.12.34.4 64 msec *  60 msec
R2#

So what we see here is that even though 4.4.4.4 is on R4 off FastEthernet0/1, it is sending traffic back over both serial interfaces to get there. Now there are a couple of options here which I will demonstrate, the first being a quick static route to save the day:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip route 4.4.4.4 255.255.255.255 fa0/1
R2(config)#exit
R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1  *
    172.12.24.4 0 msec *
R2#
ASR#5
[Resuming connection 5 to r5 … ]

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.2 32 msec 32 msec 32 msec
  3 172.12.24.4 32 msec *  32 msec
R5#

Just to illustrate from both points of view, problem solved, but given that network 4.4.4.4 is shared in the OSPF domain, I don’t want a static route overriding it so I will remove it and see what kind of route-map will allow this traffic to pass but all other traffic to route normally:

R2(config)#no ip route 4.4.4.4 255.255.255.255 fa0/1
R2(config)#access-list 105 permit ip host 172.12.15.5 host 4.4.4.4
R2(config)#route-map NextHop permit 10
R2(config-route-map)#match ip add 105
R2(config-route-map)#set ip next-hop 172.12.24.4
R2(config-route-map)#route-map NextHop permit 20
R2(config-route-map)#int s0/0
R2(config-if)#ip policy route-map NextHop
R2(config-if)#

Now theoretically, I should be able to get to 4.4.4.4 through R2 from R5, but from R2 it should again need to take the long way around, let’s see what happens between the two:

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.2 32 msec 32 msec 32 msec
  3  *
    172.12.24.4 32 msec *
R5#
ASR#2
[Resuming connection 2 to r2 … ]

R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.1 36 msec 32 msec 32 msec
  2 172.12.123.3 60 msec 60 msec 64 msec
  3 172.12.34.4 64 msec *  61 msec
R2#

And there it is, I am so glad that worked, because it’s getting late and that is when things tend not to work and drive me bonkers 🙂

So as can be seen, you will need to follow the path of the traffic and apply route-maps to router interfaces to keep the traffic moving as you configure it, otherwise you will not achieve optimal ‘route manipulation’ you are trying to achieve.

I am going to remove all PBR configs from routers, and decide whether I want to delve further into Policy Routing with a free-style sort of lab, or move on to Local Policy Routing.

 

Policy Routing with a Standard Access-list, sub-optimal routing (Ugh)


Due to some winter illness and the fact that I had to swap cables with my home production network to make this topology work, it took some time to physically put this all together, so getting it setup just to lab was quite the undertaking but once all said and done I have this to show for it:

R1#show ip route ospf
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/66] via 172.12.123.3, 00:15:03, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/2] via 172.12.15.5, 00:15:03, FastEthernet0/1
     172.12.0.0/24 is subnetted, 4 subnets
O       172.12.34.0 [110/65] via 172.12.123.3, 00:15:03, Serial0/0
O       172.12.24.0 [110/65] via 172.12.123.2, 00:15:03, Serial0/0
R1#

And that is what I am looking for, now let’s set some Policy Routing, and we will test if it is working / what is happening on the network with the “traceroute” command. Essentially we are working from R5, going through the NBMA to get to network 4.4.4.4 on R4. So appropriately, I will start this off with a traceroute to see what our path looks like:

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.3 32 msec 32 msec 32 msec
  3 172.12.34.4 32 msec *  32 msec

So it is taking the R3 path to get to R4’s loopback, however I want traffic going to 4.4.4.4 to take R2’s path through the topology, so these are the things required to make this work:

  • Create Standard or Extended ACL to match traffic on incoming interface
  • Create route-map and match the ACL with “match ip address (acl #)”
  • In route-map “set ip next-hop” to create the clause routing the traffic
  • Apply to incoming interface of traffic with “ip policy route-map (name)”

I will just be using a standard ACL to route all traffic coming from R5 to R2, using the remote interface address and not a network address, and let’s see what happens:

R1(config)#access-list 5 permit 172.12.15.5 0.0.0.255
R1(config)#route-map R5toR2 permit 10
R1(config-route-map)#match ip add 5

R1(config-route-map)#set ip next-hop ?
  A.B.C.D              IP address of next hop
  dynamic              application dynamically sets next hop
  peer-address         Use peer address (for BGP only)
  recursive            Recursive next-hop
  verify-availability  Verify if nexthop is reachable

R1(config-route-map)#set ip next-hop 172.12.123.2 ?
  A.B.C.D  IP address of next hop
  <cr>

R1(config-route-map)#set ip next-hop 172.12.123.2 1.1.1.1 ?
  A.B.C.D  IP address of next hop
  <cr>

R1(config-route-map)#set ip next-hop 172.12.123.2 1.1.1.1 2.2.2.2 ?
  A.B.C.D  IP address of next hop
  <cr>

R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#int fa0/1
R1(config-if)#ip policy route-map R5toR2
R1(config-if)#

I’ve highlighted the actual configs needed to make this route-map work (remember it must be configured on the router with incoming traffic), and I’ve also left a curious discovery in the output, that the next-hop option allows you to keep putting in IP addresses. I assume it is for redundancy if one of the next-hop IP’s becomes unavailable it has others to try.

However, that being said, let’s try another ping to 4.4.4.4:

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.2 32 msec 32 msec 32 msec
  3 172.12.123.1 24 msec 24 msec 24 msec
  4 172.12.123.3 56 msec 56 msec 52 msec
  5 172.12.34.4 56 msec *  52 msec
R5#

That is what is referred to in the CCNP industry as sub-optimal routing at its finest, though not quite a routing loop, although it’d be easy to create with PBR. To understand why this is happening, you must examine R2’s route table, and how it sees routes to destinations:

R2#show ip route

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/66] via 172.12.123.3, 01:08:58, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/66] via 172.12.123.1, 01:08:58, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O       172.12.34.0 [110/65] via 172.12.123.3, 01:08:58, Serial0/0
O       172.12.15.0 [110/65] via 172.12.123.1, 01:08:58, Serial0/0
C       172.12.24.0 is directly connected, FastEthernet0/1
C       172.12.123.0 is directly connected, Serial0/0
R2#

So R2 is getting this traffic, looking at its own route table, and sending the traffic back out its Serial0/0 interface to reach what it knows as the route to 4.4.4.4 being 172.12.123.3. So the traceroute traffic comes back to R1 no longer with the route-map being applied both because the source address is different (R2 is source address now), but also because the Serial0/0 interface on R1 has no route-map so it will route it as normal to 172.12.123.3 to deliver the traffic.

The moral of the story, is that blanket Policy Routing with a Standard ACL has its place in some networks, but it is a good way to introduce sub-optimal routing on the network.
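The hop-by-hop behaviour in these traceroutes can be reproduced with a small model; the Python below is an added example, not code from the original posts. It covers the standard-ACL case here plus the extended-ACL fix on R2 and the local policy case from the posts above; the R4 interface name for 172.12.24.4 and the way R2's hop across the hub is modelled are assumptions.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
DST = "4.4.4.4"
DST_ROUTER = "R4"

# Constructed model of the lab, built from the addresses in the page's output.
# Next-hop address -> (router that owns it, interface the packet arrives on).
OWNER = {
    "172.12.15.1":  ("R1", "Fa0/1"),
    "172.12.123.1": ("R1", "S0/0"),
    "172.12.123.2": ("R2", "S0/0"),
    "172.12.123.3": ("R3", "S0/2"),
    "172.12.24.4":  ("R4", "Fa0/0"),   # interface name is an assumption
    "172.12.34.4":  ("R4", "Fa0/1"),
}

# Routing-table next hop toward 4.4.4.4 on each router. R2's table says
# "via 172.12.123.3", but its traceroute shows the packet reaching hub R1
# first, so the model sends it to R1's serial address (assumption).
ROUTE = {"R5": "172.12.15.1", "R1": "172.12.123.3",
         "R2": "172.12.123.1", "R3": "172.12.34.4"}


def host(ip):
    return ip_network(ip + "/32")


def acl_permits(acl, src, dst):
    """acl is a list of (source network, destination network) permit lines."""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)


def pbr_next_hop(route_map, src, dst):
    """First matching clause wins; None means 'use the routing table'."""
    for action, acl, next_hop in route_map:
        if acl is None or acl_permits(acl, src, dst):
            return next_hop if action == "permit" else None
    return None


def trace(start, src, policies, max_hops=8):
    """Return the hop addresses a traceroute to 4.4.4.4 would list."""
    router, in_if, hops = start, "local", []
    while len(hops) < max_hops:
        route_map = policies.get((router, in_if), [])
        hop = pbr_next_hop(route_map, src, DST) or ROUTE[router]
        hops.append(hop)
        router, in_if = OWNER[hop]
        if router == DST_ROUTER:
            break
    return hops


# access-list 5 permit 172.12.15.5 0.0.0.255 (standard ACL: source only)
ACL_5 = [(ip_network("172.12.15.0/24"), ANY)]
# access-list 105 permit ip host 172.12.15.5 host 4.4.4.4 (R1 and R2)
ACL_105 = [(host("172.12.15.5"), host(DST))]
# access-list 105 on R1 for the local policy lab
ACL_105_LOCAL = [(host("10.20.30.40"), host(DST)),
                 (host("40.30.20.10"), host(DST))]

# Policies are keyed by (router, incoming interface); "local" stands for
# "ip local policy route-map", which applies to router-generated traffic.
R1_ONLY = {("R1", "Fa0/1"): [("permit", ACL_5, "172.12.123.2")]}
R1_AND_R2 = {
    ("R1", "Fa0/1"): [("permit", ACL_105, "172.12.123.2")],
    ("R2", "S0/0"): [("permit", ACL_105, "172.12.24.4"),
                     ("permit", None, None)],   # empty "permit 20" clause
}
R1_LOCAL = {("R1", "local"): [("permit", ACL_105_LOCAL, "172.12.123.2")]}

if __name__ == "__main__":
    print("no PBR      ", trace("R5", "172.12.15.5", {}))
    print("R1 only     ", trace("R5", "172.12.15.5", R1_ONLY))
    print("R1 and R2   ", trace("R5", "172.12.15.5", R1_AND_R2))
    print("R2 itself   ", trace("R2", "172.12.123.2", R1_AND_R2))
    print("R1 lo4321   ", trace("R1", "40.30.20.10", R1_LOCAL))
    print("R1 lo1      ", trace("R1", "1.1.1.1", R1_LOCAL))
```

Each list matches the hop column of the corresponding traceroute in these posts, which makes the model usable as a quick check of where a proposed route-map will actually send traffic before it goes on a router.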

I intended to finish with Extended Access-List usage to save the day, but I’ll save that for another post, as I am starting to feel blah again. I will “wr mem” all routers so we can go through how to correct this madness on my next post, hope to see you there!

*** Also one detail I always miss with OSPF / NBMA, ALWAYS USE NEIGHBOR STATEMENTS FROM HUBS TO SPOKES FOR ADJACENCIES TO FORM! (AND DON’T FORGET IP OSPF PRI 0 ON SPOKES INTERFACES!) ***

Intro to Policy Routing (PBR) and Local Policy Routing, new Topology soon!

 


This will be the intro to the pointers or theoretical stuff to know before diving into configuration and troubleshooting. On Chris’s initial Topology he has 3 routers connected on one common subnet, so I will need to review the configurations to understand what the actual networks are or if there is a reason he did that, so stay tuned for a Topology update.
There are quite a few VERY important details to PBR, and I don’t want them to get lost or buried in sentences, so here are the facts on Policy Routing and Local Policy Routing:

  • Policy Routing does not affect the final destination of traffic but rather what path it takes to get to that final destination
  • Policy Routing applies to incoming traffic to the router, Local Policy Routing is working with traffic that is created on the local router itself, not incoming traffic
  • If configured on a specified interface, it will only affect incoming traffic to that interface and leave all other traffic to the normal routing process
  • Can route based upon both source address, destination address, etc, so Extended Access-Lists are usually the most effective way to achieve Policy Routing

The next two I need to group together for clarity’s sake as to why they belong together, and I advise that you may need to read the next one a couple of times for it to really sink in:

  • If traffic DOES NOT match any permit lines in a route-map, but DOES match a deny line, that traffic is sent to the routing process for normal routing
  • If you want traffic that DOES NOT match any permit or deny lines in the route-map to be discarded and not sent to routing process, you must create a catch-all clause at the end of the route-map sending traffic to Null0

That is it for tonight, I will update once it is configuration time!

Part 3: Finally got Route-Maps for Redistribution working correctly, important notes within on how!


Boy do I feel stupid. After spending hours of scratching my head at why this is not working yet, as OSPF seems to be getting tags but RIP is not, that is when I really put my work under a microscope and found that I was applying OSPF2RIP in OSPF router config and the other way around (I think). I have no other way to logically explain why they are working today, as they actually didn’t work earlier as well after “wr er” / “reload” / reconfigure.

So I stripped all redistribution off, deleted the route-maps, and started from square 1, again. Then when I was struggling to remember which way it went with applying what route-map to which protocol, I might have been on auto-pilot last night and completely overlooked that as the issue!

So here is how I applied a fix for that:

R3(config-router)#router ospf 1
R3(config-router)#redistribute rip subnets route-map RIP2OSPF
R3(config-router)#router rip

R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric 2
R3(config-router)#do sh route-map
route-map OSPF2RIP, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 10
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 20
  Policy routing matches: 0 packets, 0 bytes

And this is where I was able to verify and FINALLY see the results I was looking for(!!!):
R3(config-router)#
ASR#3
[Resuming connection 3 to r4 … ]

R4#show ip route ospf

Gateway of last resort is not set

      5.0.0.0/24 is subnetted, 1 subnets
O E2     5.5.5.0 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O E2     172.12.15.0/24 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
O E2     172.12.123.0/24 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
R4#show ip route 5.5.5.5
Routing entry for 5.5.5.0/24
  Known via “ospf 1”, distance 110, metric 20
  Tag 20, type extern 2, forward metric 1
  Last update from 172.12.34.3 on FastEthernet0/1, 00:02:05 ago
  Routing Descriptor Blocks:
  * 172.12.34.3, from 3.3.3.3, 00:02:05 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1
      Route tag 20

ASR#1
[Resuming connection 1 to r1 … ]

R1#show ip route rip
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:00, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
R1#show route 4.4.4.4
route-map 4.4.4.4 not found
R1#show ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via “rip”, distance 120, metric 2
  Tag 10
  Redistributing via rip
  Last update from 172.12.123.3 on Serial0/0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 172.12.123.3, from 172.12.123.3, 00:00:16 ago, via Serial0/0
      Route metric is 2, traffic share count is 1
      Route tag 10

R1#

OSPF is showing up as tag 10 on the RIP side, and RIP routes as tagged 20 on the OSPF side. Now I am going to try redistributing connected routes with these same route-maps and see if that breaks anything, and if not we will cap it off by adding some deny statements in our route-maps:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router rip
R3(config-router)#redistribute connected route-map OSPF2RIP metric 3
R3(config-router)#router ospf 1
R3(config-router)#redistribute connected subnets route-map RIP2OSPF
R3(config-router)#

And now to pray I have some routes on R1:
R1#sh ip route rip
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/3] via 172.12.123.3, 00:00:22, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:22, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
R1#

This is a sweet roll to be on, where was this last night! I think it was both that I was getting the route-maps’ names mixed up, and I was relying too much on how it was worded rather than what actions were happening. It took a mix of “show ip proto” / “sh route-map” / “sh run” (which I wouldn’t count on for exam day) to read the route maps and how they will impact each other as explained below.

I will now attempt to do one more thing, add denies into the route maps, which is really the core of this lesson: using tags to stop route leaks or route loops from forming. Both route-maps have a “permit 10” sequence #, with a “set tag 10/20” to define ‘let all the traffic through but apply this tag to it’.

However the trick to this is placing the deny sequence # lower than the permit / set tag sequence for it to filter traffic, otherwise it will just hit the ‘let everything through with a tag’ clause and skip the deny clause, so this is why you want to plan for both current and future growth of sequences. So I will make these both sequence 5, so I have 1-4 and 6-9 to add additional clauses as needed.

**REMEMBER YOU WANT TO WRITE ‘PERMIT’ SEQUENCES TO ‘SET’ A TAG FOR ROUTES, AND WRITE ‘DENY’ SEQUENCES TO ‘MATCH’ THE TAG # TO BE FILTERED!!**

Now I am done yelling at myself let’s get back to configuring:

R3(config-router)#exit
R3(config)#route-map OSPF2RIP deny 5
R3(config-route-map)#match tag 10
% “OSPF2RIP” used as redistribute connected into rip route-map, tag match not supported
R3(config-route-map)#route-map RIP2OSPF deny 5
R3(config-route-map)#match tag 20
% “RIP2OSPF” used as redistribute connected into ospf route-map, tag match not supported

As you can see by the complaints we got from the console about connected routes, they are already active, and as soon as I hit enter to “match” the tag # on the route-map’s deny sequence, it kicked out the message that connected routes don’t support tag matching.

So let’s once more see if R1 survived this change:

R1#show ip route rip
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:14, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:15, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:15, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:15, Serial0/0

Amazing, well that is going to do it for me today, that was relatively easy, just be sure to watch how you are applying those route-maps, AND NAME THEM AS INTUITIVELY AS POSSIBLE to not make the mistakes I did.

For review of how it should look on the ASBR, I’m going to paste the running configuration below for future reference, and that is it for tonight and then onto PBR lessons:

R3#sh run
Building configuration…

Current configuration : 1588 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.iVA$HbHo0g/PqIytO6Yf5XLAm1
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T1 0/0
 framing sf
 linecode ami
!
controller T1 0/1
 framing sf
 linecode ami
!
!
!
!
!
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.12.34.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/2
 ip address 172.12.123.3 255.255.255.0
 no fair-queue
!
interface Serial0/3
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map RIP2OSPF
 redistribute rip subnets route-map RIP2OSPF
 network 172.12.34.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute connected metric 3 route-map OSPF2RIP
 redistribute ospf 1 metric 2 route-map OSPF2RIP
 network 172.12.0.0
 no auto-summary
!
!
!
ip http server
no ip http secure-server
!
!
!
!
route-map OSPF2RIP deny 5
 match tag 10
!
route-map OSPF2RIP permit 10
 set tag 10
!
route-map RIP2OSPF deny 5
 match tag 20
!
route-map RIP2OSPF permit 10
 set tag 20
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password CCNP
 logging synchronous
 login
!
!
end

R3#
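As an added example (not part of the original post), the Python below parses the route-map section of the running configuration above, evaluates it in sequence order, and flags clauses that an earlier match-all clause makes unreachable. It models only `match tag` and `set tag`; the second configuration is a constructed variant with the deny numbered 15 instead of 5.

```python
import re

HEADER = re.compile(r"^route-map (\S+) (permit|deny) (\d+)$")

# Route-map section of R3's running configuration, copied from the page.
PAGE_CONFIG = """\
route-map OSPF2RIP deny 5
 match tag 10
!
route-map OSPF2RIP permit 10
 set tag 10
!
route-map RIP2OSPF deny 5
 match tag 20
!
route-map RIP2OSPF permit 10
 set tag 20
!
"""

# Constructed variant: the deny clause numbered after the catch-all permit.
LATE_DENY_CONFIG = """\
route-map RIP2OSPF permit 10
 set tag 20
!
route-map RIP2OSPF deny 15
 match tag 20
!
"""


def parse_route_maps(config_text):
    """Return {name: [clause, ...]} with clauses sorted by sequence number."""
    maps, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"action": header.group(2), "seq": int(header.group(3)),
                       "match_tag": None, "set_tag": None}
            maps.setdefault(header.group(1), []).append(current)
        elif current is not None and line.startswith("match tag "):
            current["match_tag"] = int(line.split()[2])
        elif current is not None and line.startswith("set tag "):
            current["set_tag"] = int(line.split()[2])
        elif line == "!" or not raw.startswith(" "):
            current = None          # end of the route-map block
    for clauses in maps.values():
        clauses.sort(key=lambda c: c["seq"])   # IOS evaluates lowest first
    return maps


def evaluate(clauses, tag):
    """First matching clause wins. Returns (redistributed, tag afterwards)."""
    for clause in clauses:
        if clause["match_tag"] is None or clause["match_tag"] == tag:
            if clause["action"] == "deny":
                return (False, tag)
            new_tag = clause["set_tag"] if clause["set_tag"] is not None else tag
            return (True, new_tag)
    return (False, tag)             # implicit deny when nothing matches


def shadowed(clauses):
    """Sequence numbers that sit behind a clause with no match condition."""
    for index, clause in enumerate(clauses):
        if clause["match_tag"] is None:
            return [later["seq"] for later in clauses[index + 1:]]
    return []


if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("late deny", LATE_DENY_CONFIG)):
        for name, clauses in parse_route_maps(text).items():
            print(label, name,
                  "untagged ->", evaluate(clauses, None),
                  "tag 20 ->", evaluate(clauses, 20),
                  "unreachable:", shadowed(clauses))
```

With the deny at sequence 5 a route already carrying tag 20 is filtered by RIP2OSPF; with the deny at 15 the same route is permitted and the checker reports sequence 15 as unreachable.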

 

Part 2: A struggle getting RIP on R1 to get any Redistributed OSPF, may need router reconfigs


So to begin this, right off the bat I am having trouble seeing some routes on R1 from R4, as I just did a “wr er” and reloaded / reconfigured it to be directly connected. However, on R4, things couldn’t possibly be going better, I created lo5 and lo15 to simulate those networks from the NBMA topology. Also I added the connected routes on R3, as I know they are showing up as “connected” instead of OSPF learned routes for both OSPF and RIP networks:

R3(config)#router rip
R3(config-router)#redistribute connected route-map OSPF2RIP
R3(config-router)#router ospf 1
R3(config-router)#redistribute connected subnets route-map RIP2OSPF

Thinking this might help, I went back to look at R1’s route table, but it did not really help whatsoever:

R1#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/1] via 172.12.123.3, 00:00:11, Serial0/0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback5
     172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
R       172.12.33.0/24 [120/1] via 172.12.123.3, 00:00:11, Serial0/0
R       172.12.34.0/24 [120/1] via 172.12.123.3, 00:00:11, Serial0/0
C       172.12.15.0/24 is directly connected, Loopback15
C       172.12.123.3/32 is directly connected, Serial0/0
C       172.12.123.0/24 is directly connected, Serial0/0
R1#

What I am really looking for here is to see 4.4.4.4 from R4’s loopback on here; then I will know redistribution is working. However, this got me thinking about why I am not getting routes, and the first logical step in my mind was “sh ip proto” on R4 to see if that might give me a clue:

R4(config-router)#do sh ip proto
*** IP Routing is NSF aware ***

Routing Protocol is “ospf 1”
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 172.12.44.4
  It is an area border router
  Number of areas in this router is 3. 3 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    4.4.4.4 0.0.0.0 area 4
    172.12.34.0 0.0.0.255 area 34
    172.12.44.0 0.0.0.255 area 51
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.33.3          110      00:20:47
  Distance: (default is 110)

So this shows me that the only “Intra-Area” networks in Area 34 and Area 0 are both “connected” to R4, so I created lo40 with 40.40.40.0 /24 and added that, as well as taking 4.4.4.4 out of Area 4 and putting it into Area 34, resulting in this:

R4(config-router)#do sh ip proto
*** IP Routing is NSF aware ***

Routing Protocol is “ospf 1”
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 172.12.44.4
  It is an area border router
  Number of areas in this router is 3. 3 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    4.4.4.4 0.0.0.0 area 34
    40.40.40.0 0.0.0.255 area 34
    172.12.34.0 0.0.0.255 area 34
    172.12.44.0 0.0.0.255 area 51
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.33.3          110      00:20:47
  Distance: (default is 110)

And now back on R1 let us see those routes being Redistributed(!!!) :

R1#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/1] via 172.12.123.3, 00:00:02, Serial0/0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback5
     172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
R       172.12.33.0/24 [120/1] via 172.12.123.3, 00:00:02, Serial0/0
R       172.12.34.0/24 [120/1] via 172.12.123.3, 00:00:02, Serial0/0
C       172.12.15.0/24 is directly connected, Loopback15
C       172.12.123.3/32 is directly connected, Serial0/0
C       172.12.123.0/24 is directly connected, Serial0/0
R1#

GAH. Ok, somewhere I messed up on R3 with the distribution, because it is Redistributing the connected routes (including those in OSPF domains) but not any OSPF routes. Looking at R3 I cannot see an issue in the configuration either, and OMG I JUST THOUGHT OF IT, I need to set a freegin metric that RIP can understand because hop count only goes up to 15 before the route is invalid!

So let me reconfigure this and look at R1 after:

R3(config)#router rip
R3(config-router)#no redistribute ospf 1 route-map OSPF2RIP
R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric ?
  <0-16>       Default metric
  transparent  Transparently redistribute metric

R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric 2
R3(config-router)#
ASR>1
[Resuming connection 1 to r1 … ]

R1#sh ip route
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback5
     172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
R       172.12.33.0/24 [120/1] via 172.12.123.3, 00:00:15, Serial0/0
R       172.12.34.0/24 [120/1] via 172.12.123.3, 00:00:15, Serial0/0
C       172.12.15.0/24 is directly connected, Loopback15
C       172.12.123.3/32 is directly connected, Serial0/0
C       172.12.123.0/24 is directly connected, Serial0/0

Ok…. so I am just going to blow away RIP configuration and Route-Map on R3, and try to just redistribute first, then go with a route-map to go step by step to see where the issue is. After a quick reconfiguration and just a baseline redistribution, it is not working at all.

So here is what I am going to do: I am going to “wr er” R1, R3, and R4 tonight. Tomorrow I am building these configs from fresh, and I won’t have anything fancy going on with OSPF, just very basic networks to see if we can get this working at all between just 3 routers with our ASBR in the middle.

So I will write erase, reload, and reconfigure all 3 routers tomorrow and we WILL finish this Route-Map lab, as I really would like to get into the Policy Based Routing section!
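The route-map clause order and the RIP seed metric from the R3 configuration above, modelled in Python as an added example (not code from the original post). The tag values and sequence numbers are taken from R3's route-maps; the `OSPF2RIP_CROSS` variant, the second redistribution point, and the sample routes are assumptions made for illustration.

```python
RIP_INFINITY = 16  # RIP metric 16 means unreachable

# Clause: (sequence, action, match_tag, set_tag); match_tag None = no match statement.
OSPF2RIP = [(5, "deny", 10, None), (10, "permit", None, 10)]        # as on R3
RIP2OSPF = [(5, "deny", 20, None), (10, "permit", None, 20)]        # as on R3
# Assumed variant (not on the page): deny the tag set by the opposite direction.
OSPF2RIP_CROSS = [(5, "deny", 20, None), (10, "permit", None, 10)]


def apply_route_map(route, route_map):
    """Return a copy of the route with set actions applied, or None if denied."""
    for _seq, action, match_tag, set_tag in sorted(route_map, key=lambda c: c[0]):
        if match_tag is not None and route["tag"] != match_tag:
            continue  # clause does not match, try the next sequence number
        if action == "deny":
            return None
        out = dict(route)
        if set_tag is not None:
            out["tag"] = set_tag
        return out
    return None  # implicit deny at the end of every route-map


def redistribute(routes, route_map, into, seed_metric=None):
    """Routes the target protocol would carry after redistribution."""
    result = []
    for route in routes:
        out = apply_route_map(route, route_map)
        if out is None:
            continue
        if into == "rip":
            # Routes from another protocol get an infinite metric without a seed.
            out["metric"] = RIP_INFINITY if seed_metric is None else seed_metric
            if out["metric"] >= RIP_INFINITY:
                continue  # unreachable, so RIP neighbours never install it
        out["proto"] = into
        result.append(out)
    return result


# Constructed sample routes (prefixes borrowed from the lab, tags start at 0).
ospf_routes = [{"prefix": "4.4.4.4/32", "tag": 0, "proto": "ospf"}]
rip_routes = [{"prefix": "5.5.5.0/24", "tag": 0, "proto": "rip"}]

no_seed = redistribute(ospf_routes, OSPF2RIP, "rip")               # dropped
seeded = redistribute(ospf_routes, OSPF2RIP, "rip", seed_metric=2)  # tag 10, metric 2
# A RIP route redistributed into OSPF, then offered back to RIP at a second ASBR.
in_ospf = redistribute(rip_routes, RIP2OSPF, "ospf")
fed_back = redistribute(in_ospf, OSPF2RIP, "rip", seed_metric=2)
blocked = redistribute(in_ospf, OSPF2RIP_CROSS, "rip", seed_metric=2)
```

With the tags as configured on R3, the round-tripped 5.5.5.0/24 route carries tag 20 and passes `OSPF2RIP`, so a second redistribution point would offer it back to RIP; the cross-tag variant drops it.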