Category Archives: CCNP ROUTE – Distribute-List’s / Route-Map’s

Part 6: Troubleshooting sub-optimal routing via route-maps / redistribution / policy routing, and an old friend, OSPF distance, comes to save the day! (GREAT review!)

(Topology diagram: labbers_delight_rev3)

Not /fin with this topology of course. After this lab of fine-tuning some sub-optimal routing I am taking copies of every “sh run”, so I can spin this lab up again if it ever gets the “wr er”, however it will be /fin for review and on to the subject of VPNs.

So, Part 6, I am so ready to get this review over with – it’s almost taking as long as the initial learning!

As I recall, our Local Policy Routing uncovered a case of sub-optimal routing, where OSPF paths over the serial link are being preferred over the much faster FastEthernet path learned via RIP, because OSPF’s AD of 110 is lower than RIP’s 120. There are 2 different ways to address this:

  • Create a Policy Route on R2 setting R3 as the next hop for certain networks
  • Change the AD itself either via route-map or redistribution

So my initial thought is that a Policy Route on S0/0 directing traffic to a next hop of 172.12.23.3 (Ethernet segment) would almost definitely introduce more sub-optimal routing to track down and fix, however I am not quite sure of the best way to change that AD.

 

I haven’t seen it done in a route-map before, so I’m going to try to tack it onto the route-map on R3 that redistributes those EIGRP routes into OSPF.

 

So to get this configured, I need to check out the route-map for R3 to see where to insert my clause for changing the AD:

R3#show route-map
route-map EIGRP2RIP, deny, sequence 10
  Match clauses:
    tag 120
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2RIP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, deny, sequence 10
  Match clauses:
    tag 200
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2OSPF, deny, sequence 5
  Match clauses:
    tag 110
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 200
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2RIP, deny, sequence 5
  Match clauses:
    tag 120
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2RIP, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, deny, sequence 10
  Match clauses:
    tag 110
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120
  Policy routing matches: 0 packets, 0 bytes
R3#

Oh yeah, it’s like that, once you get to route-mapping this output gets long and confusing fast! That is why show run is helpful as well, but probably not available come exam day. The route-map we want is EIGRP2OSPF (deny sequence 5, permit sequence 10), so I will put my new clause smack dab in the middle as sequence 7, except I have no idea what option to look for but know that I am doing a “permit” on the sequence and “set”ting something:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map EIGRP2OSPF permit 7
R3(config-route-map)#set ?
  as-path           Prepend string for a BGP AS-path attribute
  automatic-tag     Automatically compute TAG value
  clns              OSI summary address
  comm-list         set BGP community list (for deletion)
  community         BGP community attribute
  dampening         Set BGP route flap dampening parameters
  default           Set default information
  extcommunity      BGP extended community attribute
  interface         Output interface
  ip                IP specific information
  ipv6              IPv6 specific information
  level             Where to import route
  local-preference  BGP local preference path attribute
  metric            Metric value for destination routing protocol
  metric-type       Type of metric for destination routing protocol
  mpls-label        Set MPLS label for prefix
  nlri              BGP NLRI type
  origin            BGP origin code
  tag               Tag value for destination routing protocol
  traffic-index     BGP traffic classification number for accounting
  vrf               Define VRF name
  weight            BGP weight for routing table

R3(config-route-map)#set ip ?
  address     Specify IP address
  default     Set default information
  df          Set DF bit
  next-hop    Next hop address
  precedence  Set precedence field
  qos-group   Set QOS Group ID
  tos         Set type of service field

R3(config-route-map)#set metric ?
  +/-<metric>     Add or subtract metric
  <0-4294967295>  Metric value or Bandwidth in Kbits per second
  <cr>

R3(config-route-map)#set metric

There is a lot of output available under “set”, but we do NOT have anything in there for Administrative Distance. I thought it might be under “set ip” or “set metric”, however I was wrong, so very very wrong.

 

Trying using “distance …” command on R2 / Redistribution options

 

Looking back on my notes from 10 months ago (which is why it is good to make your own blog for studies), the administrative distance for OSPF routes can be changed locally right on the router, and the change is only locally significant, which is perfect for the scenario we are running into! First let us look at R2’s sub-optimal route table once more:

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:42:05, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:42:05, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:42:05, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:42:05, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:04:54, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:04:56, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:42:08, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:42:08, Serial0/0
R2#

I just got even MORE EXCITED because I completely forgot: I left the RIP and EIGRP AS 200 redistribution as default E2 external routes, while EIGRP AS 100 is E1. So if I can change the AD by external route type, that would route traffic exactly right! Let’s check it out:

R2(config-router)#distance ?
  <1-255>  Administrative distance
  ospf     OSPF distance

Ah yes, I remember this now: we will either have to give all external routes an AD of 121, or make an access-list so that only certain routes get an AD of 121, referenced here:

https://loopedback.com/2016/06/15/ospf-to-rid-4-ways-to-change-ad-sub-optimal-routing-route-loops/

Being that I am currently lazy and a bit fried from work / VPN theory, I’m going to try to just use the “distance ospf # …” command in OSPF configuration to change the local external AD, I will need to review and re-lab that mentioned page at some point but not as another part of this lab session:

R2(config-router)#distance ospf external 121
R2(config-router)#do sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:00:26, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
R       100.0.0.0 [120/2] via 172.12.23.3, 00:00:26, FastEthernet0/0
     33.0.0.0/24 is subnetted, 1 subnets
R       33.33.33.0 [120/1] via 172.12.23.3, 00:00:26, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:00:26, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.23.3, 00:00:00, FastEthernet0/0
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.34.0 [120/1] via 172.12.23.3, 00:00:08, FastEthernet0/0
R       172.12.15.0 [120/2] via 172.12.23.3, 00:00:08, FastEthernet0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
R       11.11.11.0 [120/2] via 172.12.23.3, 00:00:08, FastEthernet0/0
R2(config-router)#

Well, I guess I will be reviewing that old page sooner than I thought, eh? That command changed the AD of every external route, so the E1 routes from R1 (100.0.0.0, 172.12.15.0, 11.11.11.0) flipped to RIP via R3 as well, which is not what I want. So I removed the distance command, and will read through the link posted above quick to see what needs to be done here.

So after a quick skim, we are going to need an access-list to reference in OSPF; this uses the “distance # (ip address) …” command in OSPF config. I know we need the RID of the router this route is learned from, but being the other spoke I don’t know if it needs to be the hub’s or R3’s (the other spoke’s) RID, so my first thought is to check our neighbor table to see if we even have the ASBR locked and loaded as a neighbor:

R2(config)#do sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
11.11.11.1        1   FULL/DR         00:01:58    172.12.123.1    Serial0/0
R2(config)#

Nope, on a hub-and-spoke OSPF network your only ally (neighbor) is the hub, so we will try its RID right there in the neighbor table and configure this as follows:

R2(config)#access-list 11 permit host 4.4.4.4
R2(config)#access-list 11 permit 172.12.34.0 0.0.0.255
R2(config)#router ospf 1
R2(config-router)#distance 121 ?
  A.B.C.D  IP Source address
  <cr>

R2(config-router)#distance 121 11.11.11.1 ?
  A.B.C.D  Wildcard bits

R2(config-router)#distance 121 11.11.11.1 0.0.0.255 ?
  <1-99>       IP Standard access list number
  <1300-1999>  IP Standard expanded access list number
  WORD         Standard access-list name
  <cr>

R2(config-router)#distance 121 11.11.11.1 0.0.0.255 11 ?
  <cr>

R2(config-router)#distance 121 11.11.11.1 0.0.0.255 11
R2(config-router)#

I have no idea if this is going to work, but it is excellent review I hadn’t even thought of. DRUM ROLL PLEASE, as here we see the new and optimally routing table for R2:

(Failure, same routes). I won’t even bother with the output. It took doing a “clear ip ospf proc” and a “clear ip route *” to finally get these results:

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/2] via 172.12.23.3, 00:00:25, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
R       100.0.0.0 [120/2] via 172.12.23.3, 00:00:25, FastEthernet0/0
     33.0.0.0/24 is subnetted, 1 subnets
R       33.33.33.0 [120/1] via 172.12.23.3, 00:00:26, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/2] via 172.12.23.3, 00:00:27, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.23.3, 00:00:27, FastEthernet0/0
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.34.0 [110/20] via 172.12.123.3, 00:00:02, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:02, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:02, Serial0/0
R2#

So I have managed to turn all OSPF into RIP routes again, and I am not sure how I did that with this command only specifying those 2 routes learned from 11.11.11.1 to have an AD of 121. Time to review exactly what I did here.

I can’t see any glaring mistakes, so I am wondering if maybe due to how the ACL is being called out, if that implicit deny is not kicking in quite right, so I put an explicit deny on there:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 11 deny any
R2(config)#do show access-list 11
Standard IP access list 11
    10 permit 4.4.4.4
    20 permit 172.12.34.0, wildcard bits 0.0.0.255
    30 deny   any
R2(config)#

Now lets clear ip ospf proc again and see what we get:

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:00:32, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:00:32, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:00:32, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:00:32, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:00:33, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:00:36, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:36, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:36, Serial0/0
R2#

I just cannot win with this method… WAIT A MINUTE! THAT WILDCARD MASK SHOULD BE 0.0.0.0, NOT THE NETWORK MASK OF 0.0.0.255! LET’S TRY THIS AGAIN:

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/2] via 172.12.23.3, 00:00:09, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
R       100.0.0.0 [120/2] via 172.12.23.3, 00:00:09, FastEthernet0/0
     33.0.0.0/24 is subnetted, 1 subnets
R       33.33.33.0 [120/1] via 172.12.23.3, 00:00:09, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/2] via 172.12.23.3, 00:00:10, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.23.3, 00:00:10, FastEthernet0/0
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.34.0 [110/20] via 172.12.123.3, 00:00:00, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:00, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:00, Serial0/0
R2#

The oddity is, only the E1 routes are remaining OSPF, there might be something to that but for now I am going to remove the distance command from R2 and see if there are any options in the redistribute command on R3.

So I wasn’t able to touch AD in redistribution, but I was able to change the metric-type (as I had been able to in the route-map for EIGRP2OSPF as well), so let’s see if applying that same command, which had allowed the O E1 routes to stay on R2, holds steady.

Aaaaand, it did not. I have a feeling that not having a neighbor relationship with that ASBR is making things difficult, so I am resetting the works and putting a policy route on S0/0, which I said at the beginning of the lab would not be viable, as we are running out of options 🙂

 

Using Policy Routing to accomplish my task, and end this never ending lab

 

I’m going brain dead for the night, and while I could review past material for days on end, I need to wrap up the review (for now) and finish this lab tonight – So I will use Policy Routing on R2 to accomplish overcoming the sub-optimal routing we set out to destroy:

R2(config)#ip access-list extended GOTOYOURHOME
R2(config-ext-nacl)#10 permit ip host 11.11.11.1 host 4.4.4.4
R2(config-ext-nacl)#exit
R2(config)#route-map GOHOMEBALL permit 10
R2(config-route-map)#match ip add GOTOYOURHOME
R2(config-route-map)#set ip next-hop 172.12.23.4
R2(config-route-map)#exit
R2(config)#int s0/0
R2(config-if)#ip policy route GOHOMEBALL ?
  <cr>

R2(config-if)#ip policy route GOHOMEBALL

(I hope you enjoyed the Happy Gilmore references) Aaaaand:

R1#traceroute 4.4.4.4 source 11.11.11.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.2 36 msec 32 msec 33 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *
ASR#2
[Resuming connection 2 to r2 … ]

R2(config-route-map)#^Z
R2#de
*Mar  1 17:24:20.014: %SYS-5-CONFIG_I: Configured from console by console
R2#debug ip pack
IP packet debugging is on
R2#
*Mar  1 17:24:25.624: IP: tableid=0, s=11.11.11.1 (Serial0/0), d=4.4.4.4 (Serial0/0), routed via FIB
*Mar  1 17:24:25.624: IP: s=11.11.11.1 (Serial0/0), d=4.4.4.4 (FastEthernet0/0), g=172.12.23.4, len 28, forward
*Mar  1 17:24:25.624: IP: s=11.11.11.1 (Serial0/0), d=4.4.4.4 (FastEthernet0/0), len 28, encapsulation failed
R2#

SO THIS HAS ONCE AGAIN FAILED (the debug shows why: the policy sent the packet out FastEthernet0/0 toward 172.12.23.4, but R3’s address on that segment is 172.12.23.3, so there was no host to resolve that next hop to and the encapsulation failed), BUT I FINALLY GOT IT, USING THE DISTANCE COMMAND ON R2, AND THIS WRAPS THIS LAB ON UP!

After looking at the output of “show ip route 4.4.4.4 255.255.255.255” (shown at the end of this post), I noticed the route was learned from 33.33.33.3, the ASBR’s RID, not from our only neighbor 11.11.11.1, so I repeated the same syntax only with 33.33.33.3 as the remote RID (and the corrected 0.0.0.0 wildcard):

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 11 permit host 4.4.4.4
R2(config)#access-list 11 permit 172.12.34.0 0.0.0.255
R2(config)#router ospf 1
R2(config-router)#distance 121 33.33.33.3 0.0.0.0 ?
  <1-99>       IP Standard access list number
  <1300-1999>  IP Standard expanded access list number
  WORD         Standard access-list name
  <cr>

R2(config-router)#distance 121 33.33.33.3 0.0.0.0 11
R2#clear ip ospf proc
Reset ALL OSPF processes? [no]: yes
R2#
*Mar  1 17:40:54.304: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.1 on Serial0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R2#
*Mar  1 17:41:10.094: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.1 on Serial0/0 from LOADING to FULL, Loading Done

AAAAAAAAAND:

R2(config)#do sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:02:16, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:02:16, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:02:16, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:02:16, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.23.3, 00:00:08, FastEthernet0/0
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.34.0 [120/1] via 172.12.23.3, 00:00:10, FastEthernet0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:02:19, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:02:19, Serial0/0
R2(config)#

I honestly did not think I would be able to get this, but there it is, made possible by the distance command in OSPF config on R2. I am saving all routers and running for the door before I find another issue with the config – See you next time for some VPN configuration and theory!

EDIT:

To note for future reference, this is what led me to my answer:

R2#show ip route 4.4.4.4 255.255.255.255
Routing entry for 4.4.4.4/32
  Known via “ospf 1”, distance 110, metric 20
  Tag 200, type extern 2, forward metric 64
  Last update from 172.12.123.3 on Serial0/0, 00:00:22 ago
  Routing Descriptor Blocks:
  * 172.12.123.3, from 33.33.33.3, 00:00:22 ago, via Serial0/0
      Route metric is 20, traffic share count is 1
      Route tag 200

That was a great save, just goes to show, any problem can be worked through if you work at it hard enough. I will also note it tickles me that a configuration I didn’t even think of or mention about as a solution was what ended up saving the day 🙂 Pretty awesome!
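As an added illustration (not code from the original post), here is a small model of what the OSPF “distance <ad> <source> <wildcard> [acl]” command actually keys on, which is the point the lab stumbled over: the source address is compared against the advertising router ID (the “from” field in “show ip route <prefix>”, 33.33.33.3 for these E2 routes), not the OSPF neighbor, and the standard ACL is evaluated against the route’s network address. The candidate routes are constructed from R2’s tables above, the selection is a simplification of the real RIB (lowest AD wins, metric breaks ties within a protocol), and the model applies the documented matching rules rather than trying to reproduce the intermediate tables the lab printed.

```python
"""Model of IOS route selection with an OSPF per-source `distance` override.
Added example, not the blog's own code; candidates are constructed from the
R2 routing tables shown in the lab."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_AD = {"O": 110, "O E1": 110, "O E2": 110, "R": 120}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


@dataclass
class Candidate:
    prefix: str      # e.g. "4.4.4.4/32"
    proto: str       # routing-table code: "O", "O E1", "O E2", "R"
    metric: int
    next_hop: str
    advertiser: str  # OSPF: the 'from' router ID in `show ip route <prefix>`


@dataclass
class DistanceRule:
    """`distance <ad> <source> <wildcard> [acl]` under `router ospf`."""
    ad: int
    source: str
    wildcard: str
    acl: Optional[List[Tuple[str, str, str]]] = None  # (action, addr, wildcard)


def std_acl_permits(acl: List[Tuple[str, str, str]], prefix: str) -> bool:
    """Standard ACL against the route's network address: first match wins,
    and no match is the implicit deny."""
    net = prefix.split("/")[0]
    for action, addr, wc in acl:
        if wildcard_match(net, addr, wc):
            return action == "permit"
    return False


def effective_ad(c: Candidate, rules: List[DistanceRule]) -> int:
    """Only OSPF-learned routes are subject to the OSPF distance rules."""
    if c.proto.startswith("O"):
        for r in rules:
            if wildcard_match(c.advertiser, r.source, r.wildcard) and (
                r.acl is None or std_acl_permits(r.acl, c.prefix)
            ):
                return r.ad
    return DEFAULT_AD[c.proto]


def select_rib(cands: List[Candidate], rules: List[DistanceRule]):
    """Lowest AD wins; metric breaks ties within the same AD."""
    best = {}
    for c in cands:
        ad = effective_ad(c, rules)
        cur = best.get(c.prefix)
        if cur is None or (ad, c.metric) < (cur[0], cur[1].metric):
            best[c.prefix] = (ad, c)
    return {p: (c.proto, ad, c.next_hop) for p, (ad, c) in best.items()}


# Constructed from R2's tables: OSPF entries over Serial0/0, RIP alternatives
# over FastEthernet0/0 via R3 (172.12.23.3).
CANDIDATES = [
    Candidate("4.4.4.4/32", "O E2", 20, "172.12.123.3", "33.33.33.3"),
    Candidate("4.4.4.4/32", "R", 2, "172.12.23.3", "172.12.23.3"),
    Candidate("172.12.34.0/24", "O E2", 20, "172.12.123.3", "33.33.33.3"),
    Candidate("172.12.34.0/24", "R", 1, "172.12.23.3", "172.12.23.3"),
    Candidate("1.1.1.1/32", "O", 65, "172.12.123.1", "11.11.11.1"),
    Candidate("1.1.1.1/32", "R", 2, "172.12.23.3", "172.12.23.3"),
]

ACL_11 = [("permit", "4.4.4.4", "0.0.0.0"), ("permit", "172.12.34.0", "0.0.0.255")]

# First attempt in the lab: keyed on the hub's RID with a /24 wildcard.
WRONG_RULE = DistanceRule(121, "11.11.11.1", "0.0.0.255", ACL_11)
# Working attempt: keyed on the ASBR that originated the external LSAs.
RIGHT_RULE = DistanceRule(121, "33.33.33.3", "0.0.0.0", ACL_11)

if __name__ == "__main__":
    for label, rules in (("none", []), ("wrong", [WRONG_RULE]), ("right", [RIGHT_RULE])):
        print(label, select_rib(CANDIDATES, rules))
```

With no rule or the wrong rule, 4.4.4.4/32 stays an O E2 route at AD 110 over the serial link; with the rule keyed on 33.33.33.3 and a 0.0.0.0 wildcard, only the two prefixes permitted by ACL 11 get AD 121 and lose to RIP, while 1.1.1.1/32 keeps its OSPF path.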

Part 5: Turning “IP Routing” on for Layer 3 SW1, Policy / Local Policy Routing, found sub-optimal routing due to AD! (Will be 6th lab to troubleshoot)

(Topology diagram: labbers_delight_rev3)

I took a quick moment to post before this, advising not to study or lab tired, because as can be seen towards the end of Part 4 of this lab I am just tired and swinging at air.

Anyway, we now have R1 and R3 both acting as ASBRs, with R1 doing 2-way route-tagged redistribution and R3 doing 3-way tagged route redistribution. We even still have authentication running on all routing domains; life does not get much better than this!

Honestly, the fact that I have all protocol authentication configurations documented, and how that all fits together, in addition to a solid understanding of distribute-list configuration, makes me very happy. The fact that I was able to get multipoint 2-way and 3-way redistribution to play nice (with some troubleshooting) is awesome, so policy routing is going to be my wrap-up to this lab, because I have wanted to make the summary route go sub-optimal for half the routes since this began! 🙂

 

Quickly turning on L3 functionality for SW1 and testing connectivity

 

I probably didn’t need the new topic header for this, but I never know what I’m in for starting out with something new to the lab, so I put SW1 on the RIP network and want to see if it’s pingable with just a management IP on VLAN 1.

So the quick config on SW1:

SW1(config)#ip routing
SW1(config)#router rip
SW1(config-router)#no auto
SW1(config-router)#network 172.12.23.0

And then a quick test from R5 to see if it can see it all the way down there:

R5#ping 172.12.23.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.23.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/65/68 ms
R5#

Woohoo! Sweet Sweet connectivity, now to path selection / manipulation with PBR.

 

Policy Routing Configuration / Local Policy Routing configuration

 

Again, once you know route-map configuration, PBR is a walk in the park to set up and apply, which is what I say right before I run into 1000 unforeseen problems. I would like half the traffic from our summary route to take a different path over the NBMA; OSPF will not do unequal-cost load balancing the way EIGRP can (with variance), so I’ll set it myself:

R1(config)#$ 105 permit ip 100.1.0.0 0.0.255.255 172.12.23.0 0.0.0.255
R1(config)#$ 105 permit ip 100.2.0.0 0.0.255.255 172.12.23.0 0.0.0.255
R1(config)#$ 105 permit ip 100.3.0.0 0.0.255.255 172.12.23.0 0.0.0.255
R1(config)#$ 105 permit ip 100.4.0.0 0.0.255.255 172.12.23.0 0.0.0.255
R1(config)#route-map SummaryTrafficHop permit 10
R1(config-route-map)#match ip add 105
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#int fa0/1
R1(config-if)#ip policy route SummaryTrafficHop
R1(config-if)#

So it is now set up on R1 to filter said networks in the summary route, let’s test the preferred route in general from R5, then the networks involved in the Policy Route:

R5#traceroute 172.12.23.1

Type escape sequence to abort.
Tracing the route to 172.12.23.1

  1 172.12.15.1 0 msec 4 msec 0 msec
  2 172.12.123.3 32 msec 36 msec 32 msec
  3 172.12.23.1 32 msec *  32 msec
 
R5#traceroute 172.12.23.1 source 100.4.0.1

Type escape sequence to abort.
Tracing the route to 172.12.23.1

  1 172.12.15.1 0 msec 4 msec 0 msec
  2 172.12.123.2 32 msec 32 msec 36 msec
  3  *
    172.12.23.1 32 msec *
R5#traceroute 172.12.23.1 source 100.5.0.1

Type escape sequence to abort.
Tracing the route to 172.12.23.1

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.3 32 msec 32 msec 32 msec
  3 172.12.23.1 32 msec *  32 msec
R5#

This really surprised me at first, as when there was a router connected to R2 and R3 via FastEthernet, we would see those traceroutes go up to R1 and back down to the other spoke, even with OSPF across the board. With a switch on the Ethernet segment, however, the “one and done” I was talking about isn’t possible: PBR only picks the next hop on the router it is applied to, it does not configure a policy along the whole network path. I personally think Chris Bryant did a really horse sh*t job of teaching that section, and as much as I love his training, I would say that right to his face 🙂

So for future reference, if this type of Topology pops up with Policy Routing in question, you will need to configure Policy Routes on the next-hop Router to then direct traffic onto the Ethernet to its destination rather than back over the NBMA.

THAT BEING SAID, I THINK WE NEED TO INTRODUCE A LITTLE ANARCHY TO THE NETWORK, AND DOING SO WITH A POLICY ROUTE:

R1(config)#access-list 111 permit ip 11.11.11.0 0.0.0.255 host 4.4.4.4
R1(config)#route-map LocalNextHop permit 10
R1(config-route-map)#match ip add 111
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#

Now I know I don’t even NEED to tell you at this point, but that is a sub-optimal path even if it zips across the FastEthernet instead of across the serial link and back to R3 to reach R4’s loopback address of 4.4.4.4, but lettuce see what happens when we traceroute it:

R1(config)#access-list 111 permit ip 11.11.11.0 0.0.0.255 host 4.4.4.4
R1(config)#route-map LocalNextHop permit 10
R1(config-route-map)#match ip add 111
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#do traceroute 4.4.4.4 source 11.11.11.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.3 76 msec 32 msec 32 msec
  2 172.12.34.4 33 msec *  32 msec
R1(config-route-map)#

… The result of this traceroute displeases me. However, after staring at that configuration for a moment, I realize I completely spaced putting in the actual local policy statement.

This is why I made a post about studying tired, and why I am wrapping this up !

R1(config)#ip local policy route LocalNextHop
R1(config)#do traceroute 4.4.4.4 source 11.11.11.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.2 32 msec 32 msec 32 msec
  2 172.12.123.1 24 msec 24 msec 24 msec
  3 172.12.123.3 56 msec 52 msec 57 msec
  4 172.12.34.4 56 msec *  52 msec
R1(config)#

I am a bit surprised by this; I would have thought it would take the Ethernet segment over to R3. I must check R2’s route table quick to understand this madness of sending it back over the serial link rather than through the Ethernet:

R2#show ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 02:03:41, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 02:03:41, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 02:03:41, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 02:03:41, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 02:03:42, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 02:03:44, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 02:03:44, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 02:03:44, Serial0/0
R2#

I smell a 6th lab needed for sub-optimal routing and changing ADs! This should have taken the path through the RIP domain to get to R4 (along with other traffic), however the tie-breaker, AD, went to OSPF (110 vs RIP’s 120), so the OSPF route is in the route table as an E2 route.

This is a good note to end it on for me, next lab I will be troubleshooting some sub-optimal routing I find around the network with PBR and AD changes, then it is time to learn about and configure some VPN’s on our Authenticated and Redistributed monster of a network 🙂

Part 4: The right ACL for the right job (Distribute-List vs Route-Map), Configuring 3-way Route Redistribution with a lot of failures but final success!!!

(Topology diagram: labbers_delight_rev3)

(Added interface #’s to the Topology as we increase working with both IP’s and interfaces)

I wanted to touch on this quick before moving on to policy routing: whether distribute-lists can block certain networks from a summary route, or if it’s possible at all. So I’ll run through it quick here and move on:

 

Distribute-List vs Summary Route on R5, Standard vs Extended ACL’s

 

First I want to confirm that my Distribute-List configured in OSPF is still blocking 5.5.5.5 from Redistributing into OSPF from the vantage of R2:

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:05:28, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:05:28, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
R2#

It looks like the Distribute-List is still rocking, so I am going to attempt to add onto the existing ACL on R1 for it:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#do sh access-list 5
Standard IP access list 5
    10 deny   5.5.5.5 (1 match)
    20 permit any (3 matches)
R1(config)#access-list 5 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

R1(config)#access-list 5 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

R1(config)#access-list 5 deny 100.3.0.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>

R1(config)#access-list 5 deny 100.3.0.0 0.0.255.255 ?
  log  Log matches against this entry
  <cr>

This demonstrates that with numbered standard access-lists you cannot add lines where you need them: any new statement to ACL 5 is tacked onto the end, where it is useless because the permit any already on the ACL matches first. Inserting at a specific point takes a named ACL, where each entry can be given a sequence number (this works for named standard ACLs as well, not only extended ones).

SO, I will blow away that ACL and try an Extended ACL that just uses ‘any’ for a destination addy, to simulate the feel of a Standard ACL. I’m also going to give it a name, to see if Distribute-Lists will accept named ACL’s, and it’s name will be “Bob”.

Now I have a couple of pieces of output here, as I was curious, after I remove the list, whether the distribute-list will dynamically be pulled from the OSPF config once the ACL is removed from the router, and if it isn’t, whether R2 will then be able to see 5.5.5.5 anyway:

R1(config)#no access-list 5
R1(config)#ip access-list extended Bob
R1(config-ext-nacl)#10 deny ip host 5.5.5.5 any
R1(config-ext-nacl)#20 deny ip 100.4.0.0 0.0.255.255 any
R1(config-ext-nacl)#30 deny ip 100.6.0.0 0.0.255.255 any
R1(config-ext-nacl)#40 permit ip any any
R1(config-ext-nacl)#exit

ACL 5 is gone and Bob is now rampant on R1, lets look at the running config:

R1(config)#do show run
Building configuration…

(run output)
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute eigrp 100 subnets route-map EIGRP2OSPF
 network 1.1.1.1 0.0.0.0 area 0
 network 172.12.123.0 0.0.0.255 area 0
 neighbor 172.12.123.2
 neighbor 172.12.123.3
 distribute-list 5 out eigrp 100
!
(More run output)

R1(config)#

And it is still referencing ACL 5, so we will want to remove that as well (which we do anyways as best practice before adding our Bob Distribute-List), but to confirm on R2:
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:40:24, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:40:24, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O E1    5.5.5.5 [110/84] via 172.12.123.1, 00:03:34, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
R2#

Sure enough 5.5.5.5 returns to the route table. So time to see if we can apply Bob in ACL 5’s stead and see what happens:

R1(config-router)#no distribute-list 5 out eigrp 100
R1(config-router)#distribute-list Bob out eigrp 100
Access-list type conflicts with prior definition
% This command only accepts named standard IP access-lists.
R1(config-router)#

So the lesson learned here – ***DISTRIBUTE-LISTS ONLY ACCEPT STANDARD ACL’S!!!***

My training materials only instructed to use Standard ACLs for distribute-lists but did not specifically mention that Extended ACLs would not take, so I am going to keep Bob around for another test here, but first let’s see about making a new ACL 5 and applying it:

R1(config-router)#exit
R1(config)#access-list 5 deny host 5.5.5.5
R1(config)#access-list 5 deny 100.4.0.0 0.0.255.255
R1(config)#access-list 5 deny 100.6.0.0 0.0.255.255
R1(config)#access-list 5 permit any
R1(config)#router ospf 1
R1(config-router)#distribute-list 5 out eigrp 100
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:57:03, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:57:03, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
R2#ping 100.4.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.4.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R2#

So it worked for 5.5.5.5, but it didn’t even touch the connectivity of the Summary Route, so I am going for the full on block of the Summary itself as one last try with Distribute-Lists:

R1(config-router)#exit
R1(config)#no access-list 5
R1(config)#access-list 5 deny host 5.5.5.5
R1(config)#access-list 5 deny 100.0.0.0 0.7.255.255
R1(config)#access-list 5 permit any
R1(config)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:59:53, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:59:53, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:08, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:08, Serial0/0
R2#

Aaaaaaaaaand it’s gone! Notice I didn’t need to touch the distribute-list config as it already references ACL 5; I just had to recreate ACL 5, and it kicked right in. I want to keep my Summary Route in the mix, so I’ll set the Distribute-List back to only filtering 5.5.5.5 and see what we can do with Route-maps:

R1(config)#no access-list 5
R1(config)#access-list 5 deny 5.5.5.5
R1(config)#access-list 5 permit any
R1(config)#
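
The two distribute-list lessons above (new ACL lines land after the “permit any” and never fire, and a wildcard that only covers 100.4.0.0/16 never touches the 100.0.0.0/13 summary) modelled in Python, as an added example that is not part of the original post. It assumes standard IOS first-match ACL evaluation against the route’s network address, and the route list is constructed from the R2 output above.

```python
# Added example: how "distribute-list <std-acl> out" filters the routes R1
# redistributes.  Two points from the lab are reproduced:
#   1. the ACL is evaluated first-match, so a line appended after "permit any"
#      is unreachable;
#   2. the ACL is tested against the route's network address as it sits in the
#      table, so "deny 100.4.0.0 0.0.255.255" never matches the summary
#      100.0.0.0/13, while "deny 100.0.0.0 0.7.255.255" does.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def std_acl_permits(acl, prefix: str) -> bool:
    """Standard ACL as a list of (action, address, wildcard); first match wins,
    implicit deny at the end.  Only the route's network address is tested."""
    network = prefix.split("/")[0]
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def distribute_list_out(routes, acl):
    """Routes that survive the outbound distribute-list on the redistribution."""
    return [r for r in routes if std_acl_permits(acl, r)]


# Routes R1 learns from EIGRP 100 and redistributes into OSPF (constructed
# from the "sh ip route ospf" output seen on R2 in this lab).
EIGRP_ROUTES = ["5.5.5.5/32", "100.0.0.0/13", "172.12.15.0/24", "11.11.11.0/24"]

ANY = ("0.0.0.0", "255.255.255.255")            # "permit any"

# The version with the two specific /16 denies: the summary sails through.
ACL5_SPECIFIC = [
    ("deny", "5.5.5.5", "0.0.0.0"),             # "deny host 5.5.5.5"
    ("deny", "100.4.0.0", "0.0.255.255"),
    ("deny", "100.6.0.0", "0.0.255.255"),
    ("permit", *ANY),
]
# The version that blocks the summary itself: 0.7.255.255 covers 100.0.0.0
# through 100.7.255.255, which is exactly the /13.
ACL5_SUMMARY = [
    ("deny", "5.5.5.5", "0.0.0.0"),
    ("deny", "100.0.0.0", "0.7.255.255"),
    ("permit", *ANY),
]
# A deny added to the existing ACL lands after "permit any" and never fires.
ACL5_APPENDED = [
    ("deny", "5.5.5.5", "0.0.0.0"),
    ("permit", *ANY),
    ("deny", "100.0.0.0", "0.7.255.255"),
]

if __name__ == "__main__":
    for name, acl in [("specific /16 denies", ACL5_SPECIFIC),
                      ("summary /13 deny", ACL5_SUMMARY),
                      ("deny appended after permit any", ACL5_APPENDED)]:
        print(f"{name:32} -> {distribute_list_out(EIGRP_ROUTES, acl)}")
```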

So to move things right along, let’s see if we can use our Redistribution Route-Map to enforce Bob on our unsuspecting victim, the Summary-Route:

Extended ACL blocking certain networks in a Summary Route on Route-map via Redistribution

Since we already have a route-map on our routes redistributing into OSPF, I wanted to see if I could possibly sneak a “Bob” clause in there to stop connectivity to 100.4.0.0 and 100.6.0.0, and of course to start this we want to examine our route-maps for the proper sequence spot for it to be inserted:

R1(config)#do sh route-map
route-map EIGRP2OSPF, deny, sequence 5
  Match clauses:
    tag 110
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
(Right here before the (‘permit all’) tagging traffic)
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    metric-type type-1
    tag 100
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 100
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 15
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
R1(config)#

We want it before sequence 10 because that clause will permit all traffic and tag it with a 100, so I’ll put it between our tag deny and permit sequences:

R1(config)#route-map EIGRP2OSPF deny 8
R1(config-route-map)#match ip add Bob
R1(config-route-map)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 01:22:53, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 01:22:53, Serial0/0
R2#

So it sort of worked, I guess, but now we are missing every external route despite my ‘permit ip any any’ at the end of Bob. So I review Bob on R1 to see if anything looks wrong in the configuration in show run:

ip access-list extended Bob
 deny   ip host 5.5.5.5 any
 deny   ip 100.4.0.0 0.0.255.255 any
 deny   ip 100.6.0.0 0.0.255.255 any
 permit ip any any

And then R2 once Bob is removed:

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 01:29:55, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 01:29:55, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0

So the interesting thing is that R1 is configured with 11.11.11.0 /24 and 172.12.15.0 /24 in its EIGRP configuration, however the access-list match on the route-map Redistributing EIGRP routes just blocks everything from EIGRP if applied at all.

So it turns out, there is no room in this network for Bob (yet), poor guy.

Configuring 3-way Route Redistribution with tagging via Route-Maps

I was going to move on to Policy Routing, but until all of my networks know of each other, I don’t have many hops around the network to mess with Policy Routing, so I am going to attempt to Redistribute OSPF / EIGRP / RIP into each other on R3, again using the Tags listed in the Topology:

labbers_delight_rev3

I felt it was a good idea to post it down here as well, as it may belong down here for this even more. So lettuce not waste any time and get right into the configuration; I’m going to start with 2-way between OSPF and EIGRP and ensure our tagging is working to separate the 2 EIGRP domains:

R3#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map EIGRP2OSPF permit 10
R3(config-route-map)#set tag 200
R3(config-route-map)#route-map OSPF2EIGRP deny 10
R3(config-route-map)#match tag 200
R3(config-route-map)#route-map OSPF2EIGRP permit 20
R3(config-route-map)#set tag 110
R3(config-route-map)#router ospf 1
R3(config-router)#redistribute eigrp 100 route-map EIGRP2OSPF subnets
R3(config-router)#router eigrp 200
R3(config-router)#default-metric 1544 10 255 1 1500
R3(config-router)#redistribute ospf 1 route-map OSPF2EIGRP
R3(config-router)#

I am feeling pretty confident in this configuration, though I did delete a LOT of ? output for clarity’s sake. I think we are going to see both EIGRP domains’ routes in each other’s route tables with no route leaking (and of course OSPF will now have all EIGRP routes from the Topology). Let’s check it out on R4:

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
R4#

Beautiful, notice 5.5.5.5 is still being filtered by the Distribute-List; let’s check R2 and R5 to confirm they are looking good as well:

R2#
R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:08:10, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:08:10, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
R2#

Problem #1: Where the fudge are R4’s redistributed routes? So this is going to be an issue I need to look into, let’s see how R5 is looking:

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:33:22, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:31:11, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:33:22, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:33:27, Null0
      172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:33:22, FastEthernet0/1
R5#

Problem #2  Routes are also missing here!

So I am beginning to think that perhaps this is a config issue on R4 and what networks it is advertising in its EIGRP domain, so time to start the troubleshooting; let’s take a look at R4’s configuration to find the issue here:

R4#show ip proto

(Output)

  Automatic Summarization: disabled
  Maximum path: 4
  Routing for Networks:
    4.4.4.4/32
    172.12.34.0/24
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.34.3           90      00:19:03
  Distance: internal 90 external 170

R4#

So that should be working, was the redistribution messed up somehow?

R3#sh route-map
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 200
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map EIGRP2OSPF deny 5
R3(config-route-map)#match tag 110
R3(config-route-map)#

One glaring mistake: I forgot to put a sequence before the permit, to deny traffic back out into OSPF with its tag of 110 from EIGRP AS 200. Let’s see if that (hopefully) did the trick here:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:16:06, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:16:06, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
R2#

Nope, until I see 4.4.4.4 on R2 it is not working, but how odd that R4 is rocking and rolling while R2 and R5 are not having any of it. Speaking of R1, or the lack of it, I checked its route table and it is not seeing R4’s two networks either, so it has to be on R3.

After some review, I found my first brain-getting-exhausted Derp of the night – I put “eigrp 100” in the redistribute command; after removing the palm from my face I fixed it and verified the fix as shown here:

R3(config-route-map)#router ospf 1
R3(config-router)#no redistribute eigrp 100 route-map EIGRP2OSPF subnets
R3(config-router)#redistribute eigrp 200 route-map EIGRP2OSPF subnets
R3(config-router)#

Aaaaaand on R2:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:25:04, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:25:04, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:00:52, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:00:52, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
R2#

For now I will leave those as default E2 routes so I can tell them apart in the Route Table; let’s see if R5 is on board as well and we have successfully configured “Multi-Point 2-way Redistribution” with Route Tagging!! :

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:59:27, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:57:16, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D EX     4.4.4.4 [170/1662976] via 172.12.15.1, 00:03:29, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:59:27, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:59:32, Null0
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.34.0/24
           [170/1662976] via 172.12.15.1, 00:03:29, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:59:27, FastEthernet0/1
R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R5#

This is great to see; how to configure the set / match on both route-maps came right to me, however let’s see if this is the case with bringing the RIP domain into the mix:

R3(config-router)#exit
R3(config)#route-map OSPF2RIP permit 10
R3(config-route-map)#set tag 110
R3(config-route-map)#route-map OSPF2RIP deny 5
R3(config-route-map)#match tag 120
R3(config)#route-map RIP2OSPF deny 10
R3(config-route-map)#match tag 110
R3(config-route-map)#route-map RIP2OSPF permit 20
R3(config-route-map)#set tag 120
R3(config)#router ospf 1
R3(config-router)#redistribute rip route-map RIP2OSPF subnets metric 2
R3(config-router)#router rip
R3(config-router)#redistribute ospf 1 ?
  match      Redistribution of OSPF routes
  metric     Metric for redistributed routes
  route-map  Route map reference
  vrf        VPN Routing/Forwarding Instance
  <cr>

R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric 2
R3(config-router)#router ospf 1
R3(config-router)#no redistribute rip route-map RIP2OSPF subnets metric 2
R3(config-router)#redistribute rip route-map RIP2OSPF subnets
R3(config-router)#

I took out a lot of ? output once again to keep the config tight and concise; however, I did highlight the spot in the configuration where I forgot that the metric has to be set on the OSPF routes going into RIP because of its hop-count limit, but I didn’t need to set a metric for RIP routes going into OSPF, so I removed that from the config.

So let’s take a look at R2 to see if we see any RIP networks at all:

R2#show ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:43:21, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:43:21, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:07:39, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:43:21, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:19:09, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:19:14, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:43:27, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:43:27, Serial0/0

Alright!! That highlighted route, 33.33.33.0, is a RIP network configured on R3, so we are officially getting RIP networks into OSPF; now let’s take a look at R5 and see if that is able to see them as well:

R5#show ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 03:18:59, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 03:16:48, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D EX     4.4.4.4 [170/1662976] via 172.12.15.1, 00:23:01, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 03:18:59, FastEthernet0/1
      22.0.0.0/24 is subnetted, 1 subnets
D EX     22.22.22.0 [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
      33.0.0.0/24 is subnetted, 1 subnets
D EX     33.33.33.0 [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 03:19:04, Null0
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
D EX     172.12.23.0/24
           [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
D EX     172.12.34.0/24
           [170/1662976] via 172.12.15.1, 00:23:01, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 03:18:59, FastEthernet0/1
R5#

So at this point we have verified that R5 knows about both EIGRP AS 200 Routes, OSPF routes, and RIP routes!

With that, I am going to conclude for the night as my brain is starting to melt once again out of my ears; however, very good practical material was covered in here, and it is a good example that 3-way protocol Redistribution can be performed just by tagging routes as they go into one protocol, so that they will redistribute into the other because there is no clause to deny that route tag.

That was a mouthful of a summary of the lesson to say; anyways, that’s it for tonight, next we’ll mess with some Policy routing and then it’s time to get back into study mode and tackle everything about VPN on routers.

EDIT EDIT EDIT, DAG NAB IT :

On my way to “wr mem” the routers, I did a quick “sh ip route” on R4 just to quickly confirm it was working as well, and it is missing the loopback22 22.22.22.0 /24 on R2 being advertised by RIP:

R2#sh ip proto

Routing Protocol is “rip”

 (Output)
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    22.0.0.0
    172.12.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.23.3          120      00:00:01
  Distance: (default is 120)

And here is R4’s dag nab #Y&%$&* route table:

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:17:38, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:17:38, FastEthernet0/1
R4#

So I saw this and just shut the routers down thinking I’ll get it next time, and I didn’t get to the bottom of the stairs before it was driving me crazy what its problem is. So I got food (getting cold) and a 5 hour energy, and time to go back at this and hopefully take it down with one more configuration here.

I am thinking because RIP is local to the router EIGRP AS 200 is on, we need a Redistribution between those two as well, with their own route-maps. My food isn’t getting any hotter (or is probably colder at this point), so let’s do this:

R3(config)#route-map EIGRP2RIP deny 10
R3(config-route-map)#match tag 120
R3(config-route-map)#route-map EIGRP2RIP permit 20
R3(config-route-map)#set tag 200
R3(config-route-map)#route-map RIP2EIGRP deny 10
R3(config-route-map)#set tag 200 <- WRONG – SHOULD BE MATCH TAG 200
R3(config)#route-map RIP2EIGRP permit 20
R3(config-route-map)#set tag 120
R3(config-route-map)#

That looks about right, now to Redistribute them into each other:

R3(config-route-map)#router eigrp 100
R3(config-router)#redistribute rip ?
R3(config-router)#redistribute rip route-map RIP2EIGRP
R3(config-router)#router rip
R3(config-router)#redistribute eigrp 200 route-map EIGRP2RIP metric ?
  <0-16>       Default metric
  transparent  Transparently redistribute metric

R3(config-router)#redistribute eigrp 200 route-map EIGRP2RIP metric 2
R3(config-router)#

Aaaaaaaand, let there be light? :

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:38:12, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:41:14, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:41:14, FastEthernet0/1
R4#

Nope, still nothing, HOWEVER A QUICK SHOW RUN AND STARE DOWN OF R3 SAVES THE DAY!!! :

R3(config-router)#do sh run

(Output)
!
router eigrp 200
 redistribute ospf 1 route-map OSPF2EIGRP
 network 172.12.34.0 0.0.0.255
 default-metric 1544 10 255 1 1500
 no auto-summary
!
router eigrp 100
 redistribute rip route-map RIP2EIGRP
 auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 200 subnets route-map EIGRP2OSPF
 redistribute rip metric 2 subnets route-map RIP2OSPF
 redistribute eigrp 100
 network 3.3.3.3 0.0.0.0 area 0
 network 172.12.123.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute eigrp 200 metric 2 route-map EIGRP2RIP
 redistribute ospf 1 metric 2 route-map OSPF2RIP
 network 33.0.0.0
 network 172.12.0.0
 no auto-summary
!

Iiiiiii, need to correct this, and stop labbing for the night as my stupid mistakes are now running rampant on my network:

R3(config-router)#exit
R3(config)#no router eigrp 100
R3(config)#router eigrp 200
R3(config-router)#redistribute rip route-map RIP2EIGRP
R3(config-router)#

AND NOW LETS SEE THAT NETWORK NUMBER 22.22.22.0 /24 ON R4!!! :

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:47:01, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:50:03, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:50:03, FastEthernet0/1
R4#

It is still not there, so I highlighted the issue above in retrospect; however, the issue was found using the “show route-map” command, in conjunction with looking at the route-maps in “sh run”, which makes them a bit easier for me to read without the extra output.

The answer to why R3 isn’t getting RIP routes

In my tired stupor, I did not closely review my route maps, or it would have been clear that I used “set” twice in RIP2EIGRP, meaning I put a “set” in each sequence: both in the one that should be matching a tag to deny, and in the one setting the RIP route tag #’s:

R3(config)#do sh route
route-map EIGRP2RIP, deny, sequence 10
  Match clauses:
    tag 120
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2RIP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, deny, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120
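
An added example (not from the original post) that models IOS route-map evaluation to show why both the “Bob” deny clause in EIGRP2OSPF earlier on and the RIP2EIGRP deny sequence here dropped every route: a clause with no match statement matches everything, and a route that an ACL permits matches a deny clause and is dropped. The clauses, routes and tags are taken from the show output on this page; the RIP route tagged 200 is constructed to stand for an EIGRP AS 200 route that came into RIP via EIGRP2RIP.

```python
# Added example: a model of IOS route-map evaluation for redistribution.
# Assumed (standard IOS) semantics:
#   * clauses are tried in sequence order and the first match wins;
#   * a clause with no "match" statements matches every route;
#   * a matched "deny" drops the route, a matched "permit" applies its "set"
#     statements and redistributes it;
#   * a route matching no clause hits the implicit deny and is dropped.
# "match ip address <acl>" is the ACL's first-match verdict on the route's
# network address (Bob's destination field is "any", so only source matters).
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Route:
    prefix: str
    tag: Optional[int] = None


@dataclass
class Clause:
    action: str                                        # "permit" or "deny"
    seq: int
    match_tag: Optional[int] = None
    match_acl: Optional[Callable[[str], bool]] = None  # ACL verdict on prefix
    set_tag: Optional[int] = None

    def matches(self, r: Route) -> bool:
        if self.match_tag is not None and r.tag != self.match_tag:
            return False
        if self.match_acl is not None and not self.match_acl(r.prefix):
            return False
        return True          # no match statements at all -> matches everything


def apply_route_map(clauses: List[Clause], routes: List[Route]) -> List[Route]:
    """Routes that get redistributed, with the tag they carry afterwards."""
    out = []
    for r in routes:
        for c in sorted(clauses, key=lambda c: c.seq):
            if c.matches(r):
                if c.action == "permit":
                    out.append(Route(r.prefix, r.tag if c.set_tag is None else c.set_tag))
                break        # matched deny: dropped; matched permit: done
        # no clause matched: implicit deny, the route is dropped
    return out


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_bob(prefix: str) -> bool:
    """Extended ACL Bob from the lab: three denies, then 'permit ip any any'."""
    net = prefix.split("/")[0]
    for action, base, wc in [("deny", "5.5.5.5", "0.0.0.0"),
                             ("deny", "100.4.0.0", "0.0.255.255"),
                             ("deny", "100.6.0.0", "0.0.255.255"),
                             ("permit", "0.0.0.0", "255.255.255.255")]:
        if wildcard_match(net, base, wc):
            return action == "permit"
    return False


# Case 1: EIGRP2OSPF on R1 with the extra "deny 8 / match ip address Bob".
# Bob PERMITS all three EIGRP routes, so they match the deny clause and die,
# which is why R2 lost every E1 route.
EIGRP_ROUTES = [Route("100.0.0.0/13"), Route("172.12.15.0/24"), Route("11.11.11.0/24")]
EIGRP2OSPF_ORIGINAL = [Clause("deny", 5, match_tag=110),
                       Clause("permit", 10, set_tag=100)]
EIGRP2OSPF_WITH_BOB = [Clause("deny", 5, match_tag=110),
                       Clause("deny", 8, match_acl=acl_bob),
                       Clause("permit", 10, set_tag=100)]

# Case 2: RIP2EIGRP on R3 as first typed: deny 10 carries a SET but no MATCH,
# so it matches every RIP route and nothing reaches EIGRP AS 200 (R4).
RIP_ROUTES = [Route("22.22.22.0/24"), Route("33.33.33.0/24"),
              Route("4.4.4.4/32", tag=200)]   # constructed: AS 200 route via EIGRP2RIP
RIP2EIGRP_BROKEN = [Clause("deny", 10, set_tag=200), Clause("permit", 20, set_tag=120)]
RIP2EIGRP_FIXED = [Clause("deny", 10, match_tag=200), Clause("permit", 20, set_tag=120)]

if __name__ == "__main__":
    print("EIGRP2OSPF original :", apply_route_map(EIGRP2OSPF_ORIGINAL, EIGRP_ROUTES))
    print("EIGRP2OSPF with Bob :", apply_route_map(EIGRP2OSPF_WITH_BOB, EIGRP_ROUTES))
    print("RIP2EIGRP broken    :", apply_route_map(RIP2EIGRP_BROKEN, RIP_ROUTES))
    print("RIP2EIGRP fixed     :", apply_route_map(RIP2EIGRP_FIXED, RIP_ROUTES))
```

With the fixed map the constructed tag-200 route is the only one dropped, which is the loop prevention the tagging scheme is for.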

So I apply the fix and check on R4 with both fingers crossed:

R3(config)#no route-map RIP2EIGRP
R3(config)#route-map RIP2EIGRP deny 10
R3(config-route-map)#match tag 200
R3(config-route-map)#route-map RIP2EIGRP permit 20
R3(config-route-map)#set tag 120
R3(config-route-map)#
ASR#4
[Resuming connection 4 to r4 … ]

R4#sh ip route

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:17:56, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback4
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      22.0.0.0/24 is subnetted, 1 subnets
D EX     22.22.22.0 [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
      33.0.0.0/24 is subnetted, 1 subnets
D EX     33.33.33.0 [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
D EX     172.12.23.0/24
           [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
C        172.12.34.0/24 is directly connected, FastEthernet0/1
L        172.12.34.4/32 is directly connected, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:17:56, FastEthernet0/1
R4#

AND THERE IS OUR RIP ROUTES, FINALLY, 3-WAY REDISTRIBUTION ON ONE ROUTER!!!

Next lab I’ll look at sub-optimal routing all this redistribution may have caused, see if I can correct it with different mechanisms (Mainly Policy Routing), but for now that is all 🙂

Part 1: Setting up the new, bigger, and better lab to configure everything we’ve learned up to this point!

labbers_delight

As previously mentioned I believe, this will be a multi-part lab in which I will configure “Multi-Point” 2-way Redistribution / Policy-Routing / Distribute-Lists / Route-Maps / and troubleshooting all along the way.

Here are a few things I know I want to achieve over the several parts of this lab:

  • Authentication deep dive for all 3 protocols in Topology
  • DEEP Dive look at Redistribution with Route-Map tagging and Distribute-Lists
  • Policy Routing and Local Policy Routing configuration
  • 3-way Redistribution on R3 if possible, things might get crazy
  • Deep Dive into Policy Routing capabilities, applying around the network
  • Random other topics as I can think of them

I will be working as much with route-maps as possible, as they really are a huge chunk of all of those topics, so I believe those are critical to understand inside out. I have done a “wr er” and “reload” on all routers, and am going to configure the core network in the Topology, but I may review some of my previous posts to get my brain tuned up to lab until my brain melts out of my skull.

That being said I will just configure it for tonight, and add to it slowly while I am fresh, I don’t want to do anything while I am in zombie mode (like now) after a long work day.

So this will all be review, and as I said, saturate this network completely with all the concepts I have posted about and troubleshoot issues as needed.

I am going to whip up this Topology now, and we will get this party started on my next post, see you there 🙂

Using Extended ACL’s for Policy Routing to overcome sub-optimal routing

policy_routing_top

As seen in the previous look at policy routing using a standard ACL, it led to sub-optimal routing due to only routing on the source, and not both source and destination addresses – for this we will use an Extended ACL to correct. So I took the old commands off, nothing fancy:

R1(config)#no access-list 5
R1(config)#no route-map R5toR2
R1(config)#int fa0/1
R1(config-if)#no ip policy route-map R5toR2
R1(config-if)#exit
R1(config)#

As can be seen, I just went back through each step of the setup and prefixed each command with “no” (ctrl + a jumps to the front of the command line), and now it’s ready for an Extended ACL. So we add the new configs to R1 and see what a traceroute shows:

R1(config)#access-list 105 permit ip host 172.12.15.5 host 4.4.4.4
R1(config)#route-map NextHop permit 10
R1(config-route-map)#match ip add 105
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#int fa0/1
R1(config-if)#ip policy route-map NextHop
R1(config-if)#
ASR#5
[Resuming connection 5 to r5 … ]

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 0 msec 4 msec 0 msec
  2 172.12.123.2 32 msec 36 msec 32 msec
  3 172.12.123.1 24 msec 24 msec 24 msec
  4 172.12.123.3 56 msec 56 msec 56 msec
  5 172.12.34.4 52 msec *  52 msec
R5#

I am disappointed with this result because it verifies that Chris Bryant did a poor job on his teaching of this section, there obviously needs to be some extra configuration along the route path which wasn’t mentioned at all in the training videos, and even his logical topology did not match his physical setup.

So now that I’ve got my moaning and groaning about that out of my system, we’ll need to review R2 and figure out how to keep it from throwing that traffic back out S0/0, which is what its route table tells it to do since no policy routing is set up over there.

So I noticed one thing right away that needs to be addressed:

R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.1 32 msec 32 msec 32 msec
  2 172.12.123.3 64 msec 64 msec 64 msec
  3 172.12.34.4 64 msec *  60 msec
R2#

So what we see here is that even though 4.4.4.4 is on R4 off FastEthernet0/1, R2 is sending the traffic back over both serial interfaces to get there. Now there are a couple of options here which I will demonstrate, the first being a quick static route to save the day:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip route 4.4.4.4 255.255.255.255 fa0/1
R2(config)#exit
R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1  *
    172.12.24.4 0 msec *
R2#
ASR#5
[Resuming connection 5 to r5 … ]

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.2 32 msec 32 msec 32 msec
  3 172.12.24.4 32 msec *  32 msec
R5#

Just to illustrate from both points of view, problem solved, but given that network 4.4.4.4 is shared in the OSPF domain, I don’t want a static route overriding it, so I will remove it and see what kind of route-map will allow this traffic to pass while all other traffic routes normally:

R2(config)#no ip route 4.4.4.4 255.255.255.255 fa0/1
R2(config)#access-list 105 permit ip host 172.12.15.5 host 4.4.4.4
R2(config)#route-map NextHop permit 10
R2(config-route-map)#match ip add 105
R2(config-route-map)#set ip next-hop 172.12.24.4
R2(config-route-map)#route-map NextHop permit 20
R2(config-route-map)#int s0/0
R2(config-if)#ip policy route-map NextHop
R2(config-if)#

Now theoretically, I should be able to get to 4.4.4.4 through R2 from R5, but from R2 itself the traffic should again take the long way around (locally generated traffic is not policy routed by an interface route-map). Let’s see what happens between the two:

R5#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.2 32 msec 32 msec 32 msec
  3  *
    172.12.24.4 32 msec *
R5#
ASR#2
[Resuming connection 2 to r2 … ]

R2#traceroute 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.1 36 msec 32 msec 32 msec
  2 172.12.123.3 60 msec 60 msec 64 msec
  3 172.12.34.4 64 msec *  61 msec
R2#

And there it is, I am so glad that worked, because it’s getting late and that is when things tend not to work and drive me bonkers 🙂

So as can be seen, you need to follow the path of the traffic and apply route-maps on the ingress interfaces of the routers along that path to keep the traffic moving the way you configured it; otherwise you will not achieve the ‘route manipulation’ you are after.
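To make the hop-by-hop point concrete, here is a small Python model of this PBR scenario (an added example, not the post’s own code): it walks a packet router by router, consulting PBR on the ingress interface before the routing table, and reproduces the traceroutes above. The per-router tables, the interface names and the ACL representation are constructed from the traceroutes and commands shown, not from full configs.

```python
"""Added example (not from the original post): hop-by-hop forwarding model of the
page's PBR scenario. Tables, link names and the interface each PBR policy sits on
are constructed from the traceroutes above; only entries needed for 4.4.4.4 exist."""
import ipaddress

# Constructed per-router tables: prefix -> next-hop router ("self" = delivered locally).
RIB = {
    "R5": {"0.0.0.0/0": "R1"},
    "R1": {"4.4.4.4/32": "R3"},     # R1 learns 4.4.4.4 via RIP from R3 ("sh ip route rip")
    "R2": {"4.4.4.4/32": "R1"},     # R2's table points back out S0/0 toward the NBMA hub R1
    "R3": {"4.4.4.4/32": "R4"},
    "R4": {"4.4.4.4/32": "self"},   # loopback on R4
}

# Ingress interface on the receiving router, only for the links where PBR matters (assumed names).
INGRESS = {("R5", "R1"): "fa0/1", ("R1", "R2"): "s0/0", ("R2", "R1"): "s0/0"}

# Extended ACL 105 from the page: permit ip host 172.12.15.5 host 4.4.4.4 (implicit deny after it).
ACL_105 = [("permit", "172.12.15.5/32", "4.4.4.4/32")]


def acl_permits(acl, src, dst):
    """Extended-ACL semantics: first matching entry decides, unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def rib_lookup(router, dst):
    """Longest-prefix match in the router's table; None when there is no route at all."""
    d = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in RIB[router] if d in ipaddress.ip_network(p)]
    if not matches:
        return None
    return RIB[router][str(max(matches, key=lambda n: n.prefixlen))]


def trace(src, dst, origin, pbr, max_hops=16):
    """Routers traversed from origin until dst is delivered locally.
    pbr maps (router, ingress interface) -> [(acl, next_hop), ...], i.e. the route-map
    sequences; a missing entry is the empty 'permit 20' that falls through to the RIB."""
    path, router, ingress = [origin], origin, None      # locally generated traffic has no ingress
    for _ in range(max_hops):
        nxt = next((hop for acl, hop in pbr.get((router, ingress), ())
                    if acl_permits(acl, src, dst)), None)
        if nxt is None:                                  # no PBR match: ordinary routing
            nxt = rib_lookup(router, dst)
        if nxt is None:
            raise LookupError(f"{router}: no route to {dst}")
        if nxt == "self":
            return path
        ingress, router = INGRESS.get((router, nxt), "unknown"), nxt
        path.append(router)
    raise RuntimeError("hop limit exceeded: check for a routing loop")


# PBR on R1 only, as in the first traceroute: R2 bounces the packet back to R1.
PBR_R1_ONLY = {("R1", "fa0/1"): [(ACL_105, "R2")]}
# PBR on R1 and on R2's S0/0, as in the fix: the policy is carried to the next hop.
PBR_R1_AND_R2 = {**PBR_R1_ONLY, ("R2", "s0/0"): [(ACL_105, "R4")]}

if __name__ == "__main__":
    print(trace("172.12.15.5", "4.4.4.4", "R5", PBR_R1_ONLY))     # R5 R1 R2 R1 R3 R4
    print(trace("172.12.15.5", "4.4.4.4", "R5", PBR_R1_AND_R2))   # R5 R1 R2 R4
    print(trace("172.12.123.2", "4.4.4.4", "R2", PBR_R1_AND_R2))  # R2 R1 R3 R4 (R2's own traffic skips PBR)
```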

I am going to remove all PBR configs from routers, and decide whether I want to delve further into Policy Routing with a free-style sort of lab, or move on to Local Policy Routing.

 

Part 3: Finally got Route-Maps for Redistribution working correctly, important notes within on how!

[Topology image: single-point_2way_redist_3routers_new]

Boy do I feel stupid. After spending hours scratching my head at why this was not working yet, as OSPF seemed to be getting tags but RIP was not, I really put my work under a microscope and found that I was applying OSPF2RIP in OSPF router config and the other way around (I think). I have no other way to logically explain why they are working today, as they actually didn’t work earlier either, even after “wr er” / “reload” / reconfigure.

So I stripped all redistribution off, deleted the route-maps, and started from square 1, again. Then, while struggling to remember which route-map gets applied under which protocol, I realized I might have been on auto-pilot last night and completely overlooked that as the issue!

So here is how I applied a fix for that:

R3(config-router)#router ospf 1
R3(config-router)#redistribute rip subnets route-map RIP2OSPF
R3(config-router)#router rip
R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric 2
R3(config-router)#do sh route-map
route-map OSPF2RIP, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 10
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 20
  Policy routing matches: 0 packets, 0 bytes

And this is where I was able to verify and FINALLY see the results I was looking for(!!!):
R3(config-router)#
ASR#3
[Resuming connection 3 to r4 … ]

R4#show ip route ospf

Gateway of last resort is not set

      5.0.0.0/24 is subnetted, 1 subnets
O E2     5.5.5.0 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O E2     172.12.15.0/24 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
O E2     172.12.123.0/24 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
R4#show ip route 5.5.5.5
Routing entry for 5.5.5.0/24
  Known via “ospf 1”, distance 110, metric 20
  Tag 20, type extern 2, forward metric 1
  Last update from 172.12.34.3 on FastEthernet0/1, 00:02:05 ago
  Routing Descriptor Blocks:
  * 172.12.34.3, from 3.3.3.3, 00:02:05 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1
      Route tag 20

ASR#1
[Resuming connection 1 to r1 … ]

R1#show ip route rip
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:00, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
R1#show route 4.4.4.4
route-map 4.4.4.4 not found
R1#show ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via “rip”, distance 120, metric 2
  Tag 10
  Redistributing via rip
  Last update from 172.12.123.3 on Serial0/0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 172.12.123.3, from 172.12.123.3, 00:00:16 ago, via Serial0/0
      Route metric is 2, traffic share count is 1
      Route tag 10

R1#

OSPF routes show up with tag 10 on the RIP side, and RIP routes with tag 20 on the OSPF side. Now I am going to try redistributing connected routes with these same route-maps and see if that breaks anything, and if not we will cap it off by adding some deny statements in our route-maps:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router rip
R3(config-router)#redistribute connected route-map OSPF2RIP metric 3
R3(config-router)#router ospf 1
R3(config-router)#redistribute connected subnets route-map RIP2OSPF
R3(config-router)#

And now to pray I have some routes on R1:
R1#sh ip route rip
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/3] via 172.12.123.3, 00:00:22, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:22, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
R1#

This is a sweet roll to be on, where was this last night! I think it was both that I was getting the route-map names mixed up, and I was relying too much on how it was worded rather than what actions were happening. It took a mix of “show ip proto” / “sh route-map” / “sh run” (which I wouldn’t count on for exam day) to read the route maps and how they will impact each other, as explained below.

I will now attempt one more thing, adding denys into the route maps, which is really the core of this lesson: using tags to stop route leaks or route loops from forming. Both route-maps have a “permit 10” sequence with a “set tag 10/20”, which means ‘let all the routes through but apply this tag to them’.

However, the trick is that the deny sequence number must be lower than the permit / set tag sequence for it to filter anything; otherwise a route just hits the ‘let everything through with a tag’ clause first and never reaches the deny clause. This is why you want to plan sequence numbers for both current and future growth. So I will make these both sequence 5, leaving 1-4 and 6-9 to add additional clauses as needed.

**REMEMBER YOU WANT TO WRITE ‘PERMIT’ SEQUENCES TO ‘SET’ A TAG FOR ROUTES, AND WRITE ‘DENY’ SEQUENCES TO ‘MATCH’ THE TAG # TO BE FILTERED!!**

Now that I am done yelling at myself, let’s get back to configuring:

R3(config-router)#exit
R3(config)#route-map OSPF2RIP deny 5
R3(config-route-map)#match tag 10
% “OSPF2RIP” used as redistribute connected into rip route-map, tag match not supported
R3(config-route-map)#route-map RIP2OSPF deny 5
R3(config-route-map)#match tag 20
% “RIP2OSPF” used as redistribute connected into ospf route-map, tag match not supported

As you can see from the console complaints, both route-maps are already in use for the redistribution of connected routes, and as soon as I hit enter on the “match tag” under the deny sequence, it kicked out a message that tag matching is not supported for connected routes being redistributed.

So let’s once more see if R1 survived this change:

R1#show ip route rip
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:14, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:15, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:15, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:15, Serial0/0

Amazing, well that is going to do it for me today, that was relatively easy, just be sure to watch how you are applying those route-maps, AND NAME THEM AS INTUITIVELY AS POSSIBLE to not make the mistakes I did.

For review of how it should look on the ASBR, I’m going to paste the running configuration below for future reference, and that is it for tonight and then on to PBR lessons:

R3#sh run
Building configuration…

Current configuration : 1588 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.iVA$HbHo0g/PqIytO6Yf5XLAm1
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T1 0/0
 framing sf
 linecode ami
!
controller T1 0/1
 framing sf
 linecode ami
!
!
!
!
!
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.12.34.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/2
 ip address 172.12.123.3 255.255.255.0
 no fair-queue
!
interface Serial0/3
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map RIP2OSPF
 redistribute rip subnets route-map RIP2OSPF
 network 172.12.34.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute connected metric 3 route-map OSPF2RIP
 redistribute ospf 1 metric 2 route-map OSPF2RIP
 network 172.12.0.0
 no auto-summary
!
!
!
ip http server
no ip http secure-server
!
!
!
!
route-map OSPF2RIP deny 5
 match tag 10
!
route-map OSPF2RIP permit 10
 set tag 10
!
route-map RIP2OSPF deny 5
 match tag 20
!
route-map RIP2OSPF permit 10
 set tag 20
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password CCNP
 logging synchronous
 login
!
!
end

R3#

 

Part 1: Route-Map tagging for 2-way Redistribution, a prevention mechanism for routing loops!

[Topology image: single-point_2way_redist]

Above is a “Single-Point 2-way Redistribution” in our network, which honestly is (probably) never going to produce a loop from sharing or “leaking” routes back into their own domains; however, the usefulness of route-tagging goes beyond just redistribution, as I assume we will see in the next topic up, PBR (Policy Based Routing / Policy Routing), and route-maps have quite a few BGP mechanisms so I expect to see it there as well.

On the topic of going beyond what we are learning here today, here is the type of topology this information is really going to be useful or necessary for:

[Topology image: multi-point_2way_redist]

That’s right, I hit you with TWO paint pictures in a single post, things are starting to heat up! What you see in the above Topology is a “Multi-Point 2-way Redistribution” scenario where all 3 ASBR’s are going to be sharing routes between domains, and you do not want OSPF routes going into the RIP domain being redistributed back into the OSPF domain as RIP routes. This is CCIE level configuration and troubleshooting, so we will stick with Single-Point 2-way Redistribution.

[Topology image: single-point_2way_redist]

So back to this scenario, we have some work to do on R3 here, starting with removing all redistribution / route-maps / ACL’s from our last lab:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#no access-list 5 permit 5.0.0.0 0.255.255.255
R3(config)#no access-list 15 permit 172.12.15.0 0.0.0.255
R3(config)#router ospf 1
R3(config-router)#no redistribute rip subnets route-map RIP2OSPF
R3(config-router)#no route-map RIP2OSPF
R3(config)#do show ip proto
Routing Protocol is “ospf 1”
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 172.12.33.3
  It is an area border and autonomous system boundary router
  Redistributing External Routes from,
    rip

I wanted to point out a VERY IMPORTANT concept again here: when removing all the attributes, I did a show run to verify that they were all gone, but “sh ip proto” shows rip is still being redistributed despite being specifically removed. It seems to always leave a general rip redistribution behind, so always issue “no redistribute rip” or “no redistribute connected” as well as “no redistribute rip/connected subnets”. ALWAYS MAKE SURE TO REMOVE IT AT ITS BASE AS WELL AS REMOVING THE LONGER REDISTRIBUTE COMMANDS!!

Speaking of connected subnets, I have released lo3 (3.3.3.3 /32) and lo30 (30.30.30.0 /24) into the wild as “Connected” routes on R3, because they produce an interesting console error message that I would like to demonstrate, so I removed those networks from RIP:

R3(config)#router rip
R3(config-router)#no network 3.3.3.3
R3(config-router)#no network 30.30.30.0
R3(config-router)#

Route-map tagging on redistribution, as stated above, is a route-loop prevention mechanism usually reserved for multi-point 2-way redistribution, but it is best practice to also apply it to single-point setups like ours, to prevent the very unlikely possibility of route leaking (OSPF re-learning its own routes via redistribution).

This is where sequence numbers become more significant, as we need the right permits and denys in place to stop route leaks while allowing legitimate routes to be redistributed. I have a (hopefully) pretty simple example that I will step through, with explanations and pointers throughout the configuration.
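Both this sequence-number point and the deny-before-permit lesson from Part 3 above come down to how IOS walks a route-map during redistribution, so here is a small Python model of that walk (an added example, not the post’s own configuration). The Route and Seq types, the two-ASBR multi-point scenario, and the assumption that a tag already on a route carries over unless a set clause changes it are mine; the model covers only the route-map walk, not path selection between protocols.

```python
"""Added example (not from the original post): model of how IOS walks a route-map
during redistribution. It checks two things these posts rely on: a "deny N match tag X"
only filters when N is lower than the catch-all permit, and in multi-point 2-way
redistribution the tag stamped on the way OSPF -> RIP is the tag the RIP -> OSPF map
must deny, or the route re-enters OSPF. Tag carry-over is a modelling assumption."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str          # protocol the route is currently known via
    tag: int = 0        # 0 = untagged


@dataclass(frozen=True)
class Seq:
    number: int
    action: str                       # "permit" or "deny"
    match_tag: Optional[int] = None   # None = this sequence matches every route
    set_tag: Optional[int] = None     # applied on permit only


def apply_route_map(rmap: List[Seq], route: Route) -> Optional[Route]:
    """Lowest sequence number first, first match wins; None means the route is filtered.
    Assumed: a tag already on the route survives unless a set clause replaces it."""
    for seq in sorted(rmap, key=lambda s: s.number):
        if seq.match_tag is not None and route.tag != seq.match_tag:
            continue                    # no match on this sequence, try the next one
        if seq.action == "deny":
            return None
        return replace(route, tag=route.tag if seq.set_tag is None else seq.set_tag)
    return None                         # implicit deny at the end of every route-map


def redistribute(rib: List[Route], src: str, dst: str, rmap: List[Seq]) -> List[Route]:
    """Routes known via protocol src that the route-map lets into protocol dst."""
    out = []
    for r in rib:
        if r.proto == src and (res := apply_route_map(rmap, r)) is not None:
            out.append(replace(res, proto=dst))
    return out


def leaks_back(ospf2rip: List[Seq], rip2ospf: List[Seq]) -> bool:
    """Multi-point scenario: ASBR A sends an OSPF-native route into RIP, then ASBR B
    redistributes what it learned from RIP back into OSPF. True = the route re-enters
    OSPF as an external route, i.e. the tag scheme did not stop the leak."""
    native = [Route("4.4.4.4/32", "ospf")]
    in_rip = redistribute(native, "ospf", "rip", ospf2rip)            # at ASBR A
    back_in_ospf = redistribute(in_rip, "rip", "ospf", rip2ospf)      # at ASBR B
    return bool(back_in_ospf)


OSPF2RIP = [Seq(10, "permit", set_tag=10)]                  # stamp everything going into RIP
RIP2OSPF_GOOD = [Seq(5, "deny", match_tag=10),              # deny sits before the catch-all permit
                 Seq(10, "permit", set_tag=20)]
RIP2OSPF_LATE_DENY = [Seq(10, "permit", set_tag=20),       # catch-all first: deny 20 is never reached
                      Seq(20, "deny", match_tag=10)]
RIP2OSPF_OWN_TAG = [Seq(5, "deny", match_tag=20),           # denies the tag this map itself sets,
                    Seq(10, "permit", set_tag=20)]          # so a route tagged by the other map passes

if __name__ == "__main__":
    for name, rmap in [("good", RIP2OSPF_GOOD), ("late deny", RIP2OSPF_LATE_DENY),
                       ("own tag", RIP2OSPF_OWN_TAG)]:
        print(f"{name:9}: leaks back into OSPF = {leaks_back(OSPF2RIP, rmap)}")
```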

So without further ado, I have a couple of things I want to demonstrate:

R3(config)#route-map RIP2OSPF permit 10
R3(config-route-map)#set tag 10
R3(config-route-map)#router ospf 1
R3(config-router)#redistribute rip subnets ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  route-map    Route map reference
  tag          Set tag for routes redistributed into OSPF
  <cr>

R3(config-router)#redistribute rip route-map RIP2OSPF ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  subnets      Consider subnets for redistribution into OSPF
  tag          Set tag for routes redistributed into OSPF
  <cr>

R3(config-router)#redistribute rip route-map RIP2OSPF subnets ?
  metric       Metric for redistributed routes
  metric-type  OSPF/IS-IS exterior metric type for redistributed routes
  tag          Set tag for routes redistributed into OSPF
  <cr>

R3(config-router)#redistribute rip route-map RIP2OSPF subnets
R3(config-router)#redistribute connected route-map RIP2OSPF subnets
R3(config-router)#

I’ve highlighted the few things to be learned from this output:

  • When redistributing, you can put metrics / metric-types / subnets before or after your route-map statement and it will work the same way
  • You can use the same route-map for different sources you are redistributing (here both rip and connected)

So now all O EX routes should have the route tag of 10, let’s check it out:

R4#sh ip route ospf

Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 1 subnets
O E2     3.3.3.3 [110/20] via 172.12.34.3, 00:05:42, FastEthernet0/1
O E2  5.0.0.0/8 [110/20] via 172.12.34.3, 00:05:56, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 7 subnets, 2 masks
O E2     172.12.15.0/24 [110/20] via 172.12.34.3, 00:05:56, FastEthernet0/1
O        172.12.33.3/32 [110/2] via 172.12.34.3, 02:07:56, FastEthernet0/1
O E2     172.12.123.0/24 [110/20] via 172.12.34.3, 00:05:56, FastEthernet0/1
R4#sh ip proto
*** IP Routing is NSF aware ***

Routing Protocol is “ospf 1”
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 172.12.44.4
  It is an area border router
  Number of areas in this router is 4. 4 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    4.4.4.4 0.0.0.0 area 4
    172.12.34.0 0.0.0.255 area 34
    172.12.44.0 0.0.0.255 area 51
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.33.3          110      00:06:14
  Distance: (default is 110)

R4#

So redistribution is happening, but neither “sh ip route” nor “sh ip proto” is going to show you route tags, and surprisingly neither does the gigantic amount of output from “sh ip ospf”.

To see your route tags, you will need to do an extended “sh ip route” for the specific prefix:

R4#sh ip route 3.3.3.3
Routing entry for 3.3.3.3/32
  Known via “ospf 1”, distance 110, metric 20
  Tag 10, type extern 2, forward metric 1
  Last update from 172.12.34.3 on FastEthernet0/1, 00:25:12 ago
  Routing Descriptor Blocks:
  * 172.12.34.3, from 172.12.33.3, 00:25:12 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1
      Route tag 10
R4#

And there it can be seen a couple of times, so this is how you determine whether a particular route was tagged by a route-map. Now to redistribute OSPF2RIP via route-map, and I am about to hit a snag that you will see:

R3(config)#route-map OSPF2RIP permit 20
R3(config-route-map)#set tag 20
R3(config-route-map)#router rip
R3(config-router)#redistribute ospf 1 route-map OSPF2RIP
R3(config-router)#do sh ip route

Gateway of last resort is 172.12.123.1 to network 0.0.0.0

     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback3
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/2] via 172.12.34.4, 00:33:18, FastEthernet0/1
R    5.0.0.0/8 [120/1] via 172.12.123.1, 00:00:14, Serial0/2
     172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
C       172.12.33.0/24 is directly connected, Loopback33
C       172.12.34.0/24 is directly connected, FastEthernet0/1
O IA    172.12.44.4/32 [110/2] via 172.12.34.4, 00:33:19, FastEthernet0/1
R       172.12.15.0/24 [120/1] via 172.12.123.1, 00:00:15, Serial0/2
C       172.12.123.0/24 is directly connected, Serial0/2
R*   0.0.0.0/0 [120/1] via 172.12.123.1, 00:00:15, Serial0/2
R3(config-router)#do sh ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via “ospf 1”, distance 110, metric 2, type inter area
  Redistributing via rip
  Last update from 172.12.34.4 on FastEthernet0/1, 00:33:32 ago
  Routing Descriptor Blocks:
  * 172.12.34.4, from 172.12.44.4, 00:33:32 ago, via FastEthernet0/1
      Route metric is 2, traffic share count is 1

So we will not be able to verify the route tags on the ASBR that applies them, because it already runs both protocols and therefore has no redistributed routes in its own table. To verify a tag I need a downstream router, and since R3 is connected to the NBMA network I have to see whether R1 is able to see the routes:

R1#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     5.0.0.0/32 is subnetted, 1 subnets
D       5.5.5.5 [90/156160] via 172.12.15.5, 02:35:39, FastEthernet0/1
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.33.0 [120/1] via 172.12.123.3, 00:00:10, Serial0/0
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:10, Serial0/0
C       172.12.15.0 is directly connected, FastEthernet0/1
C       172.12.123.0 is directly connected, Serial0/0
R1#clear ip route *
R1#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
     5.0.0.0/32 is subnetted, 1 subnets
D       5.5.5.5 [90/156160] via 172.12.15.5, 00:00:07, FastEthernet0/1
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.33.0 [120/1] via 172.12.123.3, 00:00:06, Serial0/0
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:06, Serial0/0
C       172.12.15.0 is directly connected, FastEthernet0/1
C       172.12.123.0 is directly connected, Serial0/0
R1#

I even did the “clear ip route *” as I thought perhaps RIP wasn’t updating, but no, it just doesn’t see the routes. Now, as with Distribute-Lists, I don’t know whether this is an NBMA issue or a RIP issue routing over the NBMA, so I will need to put a different protocol on the WAN once I “wr erase” and “reload” these routers to give this another try.

So I hate to do this, but I’ll stop it here as I will need to re-cable a router to directly connect to R3, and reconfigure that router from scratch which sounds like a blast at 10:30pm on a Saturday night but I will save it for Sunday.

Once we have the third router, we will be able to explore how to configure denying traffic by tag #, so that routes are not leaking back into their own domains – I will be back to finish this up as soon as I get motivated tomorrow 🙂