
As the Topology shows, with all the Branch Offices and Departments, IT just got real!

Concepts will be learned on pieces of this network, which will continue to be built out and troubleshot using different methods, and eventually this same topology will be used to create scenarios, to avoid dry lab manuals where possible, and to get some network logical design creative juices flowing, perhaps with a look at CCDA/CCDP at a later time.

That being said, I will try to take it down with one good swing tonight and probably fail 🙂

So I have thought through how to study this topic both before my break, and now again, and there is no way around setting up some sort of Lab. In this case, I am the Senior Network Architect of the brand new company I’ve created as an example, Myself Inc.

If you are reading this wondering if I’ve lost my mind, the answer is yes, but at some point you will need to think of these loopbacks and corners of your networks as Branch Offices. That way you can set goals to accomplish, make new goals on how you feel the company should be able to communicate, and continue to add to the network.

Here at Myself Inc, we pride ourselves both on working efficiently (as you can see by running RIP over Frame-Relay for a WAN) and on not allowing remote branches to see networks that they do not need. However, first and foremost, we need to get some of the quick intro / details regarding Distribute-Lists in bullet points:

  • ACLs will need to be created for both, and they can be configured to permit certain networks and implicitly deny all others, or to deny certain networks and “permit ip any any” other networks – so there is nothing special about the ACLs (yet)
  • Distribute-Lists are always configured on the ASBR, in the router configuration of the protocol containing the route you want to suppress
  • When writing the distribute-list statements, you cannot define an interface to point it towards, only the protocol you intend to filter. With EIGRP you can use either an interface or a protocol to define where to filter with a distribute-list
  • The in / out option in a distribute list defines whether it’s going into the network, or out of the network
  • Distribute-Lists do not drop adjacencies like a passive-interface does, and they allow you to narrow down which routes to suppress; otherwise they act like a picky passive-interface
  • ALWAYS CONFIGURED ON THE ASBR / PART OF REDISTRIBUTION

All that being said, I have removed lo1 from R1 and lo3 from R3 from the RIP domain, so they are just connected networks for now, which gives us another type of filtering we can add into the mix if we don’t already have enough fun.

Task 1: No one except Home Office needs access to San Diego’s HR / Payroll networks:

To accomplish this, it needs to be configured on R3 headed outbound, as that will suppress it to the whole network, whereas if we only wanted those hard-working and probably under-appreciated engineers not to see it, we would apply it on R1 inbound.

Before we make sure only Home Office can see who is paid the most, I want to confirm R5 can currently see and ping the Payroll network:

R5#show ip route
(Route codes redacted)
Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 00:44:41, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.15.1, 00:44:12, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D EX     4.4.4.4 [170/1662976] via 172.12.15.1, 00:44:12, FastEthernet0/1
      5.0.0.0/32 is subnetted, 1 subnets
C        5.5.5.5 is directly connected, Loopback5
      172.12.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.12.15.0/24 is directly connected, FastEthernet0/1
L        172.12.15.5/32 is directly connected, FastEthernet0/1
D EX     172.12.33.3/32
           [170/1662976] via 172.12.15.1, 00:44:12, FastEthernet0/1
D EX     172.12.34.0/24
           [170/1662976] via 172.12.15.1, 00:44:12, FastEthernet0/1
D EX     172.12.44.4/32
           [170/1662976] via 172.12.15.1, 00:44:12, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 00:45:03, FastEthernet0/1

R5#ping 172.12.44.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.44.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R5#

So the engineers can talk to San Diego, and the only time engineers want to talk to HR and Payroll is never; in fact even the grunts in Data Entry Purgatory don’t want to communicate with them either, so let’s get on R3 and quiet them up.

So the first thing needed is an ACL, as the distribute-list will refer to that ACL, but this is going to be one NOT included in the training video I watched. I will attempt an extended ACL so I can not only specify which subnet I want to permit, but also the destination it is permitted to; we are already taking steps toward a bold new frontier:

R3(config)#ip access-list extended NoSoupForYou
R3(config-ext-nacl)#permit ip 172.12.44.0 0.0.0.255 172.12.123.1 0.0.0.0
R3(config-ext-nacl)#permit ip 172.12.34.0 0.0.0.255 172.12.123.1 0.0.0.0
R3(config-ext-nacl)#permit ip 172.12.33.0 0.0.0.255 172.12.123.1 0.0.0.0
R3(config-ext-nacl)#permit ip 4.4.4.4 0.0.0.0 172.12.123.1 0.0.0.0
R3(config-ext-nacl)#exit
R3(config)#router ospf 1
R3(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map

R3(config-router)#distribute-list NoSoupForYou ?
in   Filter incoming routing updates
out  Filter outgoing routing updates

R3(config-router)#distribute-list NoSoupForYou out rip ?

R3(config-router)#distribute-list NoSoupForYou out rip
Access-list type conflicts with prior definition
% This command only accepts named standard IP access-lists.
R3(config-router)#

I just don’t get it. Why put Extended ACL # ranges and even WORD as an ACL option IF YOU ARE NOT GOING TO ALLOW EXTENDED ACLS TO BE USED? So I know there were some quirks in the ACL statement (using a host address in hopes that only R1’s S0/0 interface would receive the routes), which shows you how long it’s been since I’ve studied R/S – I am still depending on hopes to make logical things happen 🙂

So I will do some adjusting here to see if I can salvage this and make extended ACLs work. I have added a loopback Lo11 with 172.12.11.0 /24 assigned to it, and this will be the LAN for our Home Office branch off R1:

R3(config-router)#no distribute-list NoSoupForYou out rip
R3(config-router)#exit
R3(config)#
R3(config)#$ 101 permit ip 172.12.44.0 0.0.0.255 172.12.11.0 0.0.0.255 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
 

R3(config)#$ 101 permit ip 172.12.44.0 0.0.0.255 172.12.11.0 0.0.0.255
R3(config)#router ospf 1

R3(config-router)#distribute-list 101 out rip ?
 

R3(config-router)#distribute-list 101 out rip
R3(config-router)#

This has me wondering if it is because I did “ip access-list permit (name)” and dropped into ACL config mode, rather than typing it out line after line, so I am going to check around to see who has the route 172.12.44.0 /24 in their route table. That statement should have an implicit deny for any other router / network except 172.12.11.0 /24:

R2#clear ip route *
R2#sh ip route
(Route codes redacted)
Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/3] via 172.12.123.3, 00:00:15, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
R       5.5.5.5 [120/1] via 172.12.123.1, 00:00:15, Serial0/0
     172.12.0.0/16 is variably subnetted, 6 subnets, 2 masks
R       172.12.34.0/24 [120/2] via 172.12.123.3, 00:00:15, Serial0/0
R       172.12.33.3/32 [120/2] via 172.12.123.3, 00:00:15, Serial0/0
R       172.12.44.4/32 [120/3] via 172.12.123.3, 00:00:16, Serial0/0
R       172.12.11.0/24 [120/1] via 172.12.123.1, 00:00:16, Serial0/0
R       172.12.15.0/24 [120/1] via 172.12.123.1, 00:00:16, Serial0/0
C       172.12.123.0/24 is directly connected, Serial0/0
R2#
ASR#5
[Resuming connection 5 to r5 … ]

R5#
R5#show ip route
(Route codes redacted)
Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 01:29:05, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D EX     4.4.4.4 [170/1662976] via 172.12.15.1, 01:58:28, FastEthernet0/1
      5.0.0.0/32 is subnetted, 1 subnets
C        5.5.5.5 is directly connected, Loopback5
      172.12.0.0/16 is variably subnetted, 7 subnets, 2 masks
D EX     172.12.11.0/24
           [170/1662976] via 172.12.15.1, 00:21:23, FastEthernet0/1
C        172.12.15.0/24 is directly connected, FastEthernet0/1
L        172.12.15.5/32 is directly connected, FastEthernet0/1
D EX     172.12.33.3/32
           [170/1662976] via 172.12.15.1, 01:58:28, FastEthernet0/1
D EX     172.12.34.0/24
           [170/1662976] via 172.12.15.1, 01:58:28, FastEthernet0/1
D EX     172.12.44.4/32
           [170/1662976] via 172.12.15.1, 01:58:28, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 01:59:17, FastEthernet0/1
R5#

Just in case, I did a “clear ip route *” on R2 to make sure we had a fresh, up-to-date routing table, and there it is, along with over on R5, where it was learned as a route redistributed into RIP and then redistributed into EIGRP. Why? WHY??? Looking at access-list 101, it states to permit 172.12.44.0 to 172.12.11.0, and with no further statements that should mean it implicitly denies everything else. There is no should, it DOES mean that.

So I am just going to make this as absolutely simple as I can, write a standard ACL just blocking that network from being advertised at all, to see if I can at least get that under my belt before I halt the lab session:

R3(config)#access-list 3 deny 172.12.44.0 0.0.0.255
R3(config)#router ospf 1
R3(config-router)#distribute-list 3 out rip
R3(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#

R2#clear ip route *
R2#show ip route
(Route codes redacted)

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/3] via 172.12.123.3, 00:00:03, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
R       5.5.5.5 [120/1] via 172.12.123.1, 00:00:03, Serial0/0
     172.12.0.0/16 is variably subnetted, 6 subnets, 2 masks
R       172.12.34.0/24 [120/2] via 172.12.123.3, 00:00:03, Serial0/0
R       172.12.33.3/32 [120/2] via 172.12.123.3, 00:00:03, Serial0/0
R       172.12.44.4/32 [120/3] via 172.12.123.3, 00:00:04, Serial0/0
R       172.12.11.0/24 [120/1] via 172.12.123.1, 00:00:04, Serial0/0
R       172.12.15.0/24 [120/1] via 172.12.123.1, 00:00:04, Serial0/0
C       172.12.123.0/24 is directly connected, Serial0/0
R2#

Still, even with the simplest configuration, it is not working, and I am wondering if running RIPv2 as the “WAN” between branches might be the issue; I may have to play with that at a later time. I am not sure why this isn’t working, but it’s midnight and I am fried, so I will need to look at this again when I am all here.

To note, the training video I watched had a single router with two protocols, one on each side, and a host attached on each end. So what we are doing here is far from the simple exercise lab I could set up to demonstrate it, but I want to know how to make it work on THIS topology, and I am wondering if the thorn in my side may be RIP going over the NBMA – I may have to swap that out with EIGRP and put RIP where Area 15 used to reside.
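As an added example, not part of the original post or its lab configuration, here is the same filter placed according to how IOS reads the protocol keyword after `out`: that keyword names the source protocol whose routes are being redistributed, and the `distribute-list` line goes under the protocol they are redistributed into. It assumes R3 redistributes OSPF process 1 into RIP, which is consistent with R2 learning 172.12.44.4/32 as a RIP route from 172.12.123.3 in the output above; the prefix-list name NO-PAYROLL is made up for this example. It also adds a `permit any`, since a standard ACL containing only a deny line suppresses every other redistributed route through its implicit deny.

```cisco
! Added example (not the post's own config). Assumes R3 has
! "redistribute ospf 1" under "router rip", which matches R2 learning
! 172.12.44.4/32 over RIP from 172.12.123.3.
!
! In a distribute-list a standard ACL matches the route prefix. The
! implicit deny at the end would suppress every other redistributed
! route, so the final "permit any" is required.
R3(config)# access-list 3 deny   172.12.44.0 0.0.0.255
R3(config)# access-list 3 permit any
!
! The protocol named after "out" is the SOURCE of the routes being
! redistributed; the command is configured under the protocol they are
! redistributed INTO. To keep an OSPF-learned prefix out of RIP:
R3(config)# router rip
R3(config-router)# distribute-list 3 out ospf 1
!
! Placed under "router ospf 1" instead, the same line would filter
! RIP-sourced routes on their way into OSPF, and 172.12.44.0/24 would
! still be advertised into RIP untouched.
!
! Verification: R3 keeps the route, R2 (RIP) and R5 (EIGRP, fed by R1's
! RIP-to-EIGRP redistribution) no longer learn it.
R3# show ip route 172.12.44.4
R2# clear ip route *
R2# show ip route | include 172.12.44
R5# show ip route | include 172.12.44
!
! Alternative when both the prefix and its mask length matter, which a
! standard ACL cannot express: a prefix-list, accepted by the "prefix"
! keyword shown in the distribute-list help output earlier.
R3(config)# ip prefix-list NO-PAYROLL seq 5 deny 172.12.44.0/24 le 32
R3(config)# ip prefix-list NO-PAYROLL seq 10 permit 0.0.0.0/0 le 32
R3(config)# router rip
R3(config-router)# no distribute-list 3 out ospf 1
R3(config-router)# distribute-list prefix NO-PAYROLL out ospf 1
```

After a `clear ip route *` on R2, the 172.12.44.4/32 entry should be absent from its table and, one redistribution later, from R5's. Note that a distribute-list only decides which prefixes are advertised, never which destinations a given neighbor may reach; the Home Office carve-out the task asks for is a question of where the filter is placed (the post's own observation about R1 inbound versus R3 outbound), not of the ACL's destination field.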

Where there is a will, there is a way, and that way WILL be found!