Category Archives: CCNP ROUTE – RIP

RIP for IPv6 (RIPng) configurations, explanations, and plenty of examples!

IPv6_RIPng

I will be recycling the last labs Topology for this and one final OSPFv3 headache, and then IPv6 is done for now (though I am sure I will recover the topics at some point).

So as can be seen kind of above, it’s a weird sort of RIP boundary to not block the IPv6 addresses at the top in paint, but both FastEthernet and Loopback interfaces will be in the same domain / process.

Now I will go through the main concepts covered bullet point style, since I haven’t done that for awhile and there isn’t a whole lot there, then get to configuring!

  • All the configuration for RIPng can be done on the interfaces (for CCNP purposes)
  • Interface configuration makes you define a process ID, which can be a word or number, and these process IDs DO need to match with other RIPng routers’ process IDs to advertise to each other
  • As with OSPF, “default-information originate” can be configured, with a tweak to the command that I don’t believe has been covered yet
  • The maximum hop count / metric is STILL 15 hops, seriously. No, really.

So I’ve just removed the EIGRP configurations from the last lab and will recycle the IP addresses for this one, and I will jump right into the complete configuration of RIP on this Topology in one fell swoop:

R2(config)#int fa0/0
R2(config-if)#ipv6 rip ?
  WORD  User selected string identifying this RIP process

R2(config-if)#ipv6 rip Process1 ?
  default-information  Configure handling of default route
  enable               Enable/disable RIP routing
  metric-offset        Adjust default metric increment
  summary-address      Configure address summarization

R2(config-if)#ipv6 rip Process1 enable
R2(config-if)#int lo2
R2(config-if)#ipv6 rip Process1 enable

ASR#3
[Resuming connection 3 to r3 … ]

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int fa0/0
R3(config-if)#ipv6 rip Proccess1 enable
R3(config-if)#int lo3
R3(config-if)#ipv6 rip Proccess1 enable
R3(config-if)#
ASR#4
[Resuming connection 4 to r4 … ]

R4(config)#int fa0/0
R4(config-if)#ipv6 rip Process1 enable
R4(config-if)#int lo4
R4(config-if)#ipv6 rip Process1 enable
R4(config-if)#^Z
R4#
*Mar 10 00:51:43.247: %SYS-5-CONFIG_I: Configured from console by console
R4#sh ipv6 route rip
IPv6 Routing Table – default – 7 entries
Codes: C – Connected, L – Local, S – Static, U – Per-user Static route
       B – BGP, HA – Home Agent, MR – Mobile Router, R – RIP
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       D – EIGRP, EX – EIGRP external, NM – NEMO, ND – Neighbor Discovery
       l – LISP
       O – OSPF Intra, OI – OSPF Inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
R   2002::/64 [120/2]
     via FE80::20E:D7FF:FE10:6C60, FastEthernet0/0
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R4#

And that is absolutely it, lab could be finished right here, thanks for stopping by – It’s that easy. However, I did highlight in red some commands where I added a ? to show the output / modifiers for the command; of those options I’ll demonstrate a bit of this old friend default-information originate and its other option yet to be shown.

However, that is literally the configuration as shown in the route table output on R4, by the time I configured that, I have R2’s and R3’s loopback in my RIP IPv6 route table.

** Take note that the AD / Metric are the same as IPv4, and yes the hop count limit is still 15.

Now one thing I am not 100% sure on even though I put it in a bullet point, which I will edit if I need to, but I hate editing facts I make up after I find them to be false – I am going to change the Process ID on R2’s Loopback interface to see if it drops off R4’s route table (to see if the process ID’s truly do need to match):

R2(config-if)#no ipv6 rip Process1 enable
R2(config-if)#ipv6 rip Process2 enable
R2(config-if)#
ASR#4
[Resuming connection 4 to r4 … ]

R4#sh ipv6 route rip
IPv6 Routing Table – default – 7 entries
Codes: C – Connected, L – Local, S – Static, U – Per-user Static route
       B – BGP, HA – Home Agent, MR – Mobile Router, R – RIP
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       D – EIGRP, EX – EIGRP external, NM – NEMO, ND – Neighbor Discovery
       l – LISP
       O – OSPF Intra, OI – OSPF Inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
R   2002::/64 [120/2]
     via FE80::20E:D7FF:FE10:6C60, FastEthernet0/0
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R4#clear ipv6 route *
R4#sh ipv6 route rip
IPv6 Routing Table – default – 7 entries
Codes: C – Connected, L – Local, S – Static, U – Per-user Static route
       B – BGP, HA – Home Agent, MR – Mobile Router, R – RIP
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       D – EIGRP, EX – EIGRP external, NM – NEMO, ND – Neighbor Discovery
       l – LISP
       O – OSPF Intra, OI – OSPF Inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
R   2002::/64 [120/2]
     via FE80::20E:D7FF:FE10:6C60, FastEthernet0/0
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R4#

Ok….. so…. no apparently? Let us check R2, to confirm the Process is indeed changed:

R2#sh ipv6 proto
IPv6 Routing Protocol is “connected”
IPv6 Routing Protocol is “static”
IPv6 Routing Protocol is “rip Process1”
  Interfaces:
    FastEthernet0/0
  Redistribution:
    None
IPv6 Routing Protocol is “rip Process2”
  Interfaces:
    Loopback2
  Redistribution:
    None
R2#

I like that style of “sh ip proto” for IPv6, very concise details, almost like a “sh ip proto brief” or something. To get more information on RIP in IPv6, you will want to use the command “sh ipv6 rip”:

R2#sh ipv6 rip
RIP process “Process1”, port 521, multicast-group FF02::9, pid 54
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 39, trigger updates 3
  Interfaces:
    FastEthernet0/0
  Redistribution:
    None
RIP process “Process2”, port 521, multicast-group FF02::9, pid 78
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 12, trigger updates 0
  Interfaces:
    Loopback2
  Redistribution:
    None
R2#

Now that is how we like our output. Huge, filled with great output, and makes us look like Alien level genius to people who don’t know anything about Cisco CLI. This gives you all the information you need about RIPng on the router, quite literally. Timers, Processes, interfaces, port # for RIPng, Multi-Cast Group #, everything.

So after some time and “clear ipv6 route *” on both routers, R4 finally showed the loopback in Process2 on R2 gone:

R4#sh ipv6 route rip
IPv6 Routing Table – default – 6 entries
Codes: C – Connected, L – Local, S – Static, U – Per-user Static route
       B – BGP, HA – Home Agent, MR – Mobile Router, R – RIP
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       D – EIGRP, EX – EIGRP external, NM – NEMO, ND – Neighbor Discovery
       l – LISP
       O – OSPF Intra, OI – OSPF Inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R4#

The timing with RIP in IPv6 is a bit odd; it’s not always 30 seconds for updates as it shows in the above timers output, so if something doesn’t happen in the expected time, remember that RIP is still really terrible with convergence times in IPv6, if not more so than in IPv4.

Now to tackle default-information in RIP

I will pick on R4 first with our old tried and true friend “default-information originate” and see how it impacts R2’s route table with a before and after:

R2#sh ipv6 route rip
IPv6 Routing Table – 8 entries
Codes: C – Connected, L – Local, S – Static, R – RIP, B – BGP
       U – Per-user Static route
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       O – OSPF intra, OI – OSPF inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
       D – EIGRP, EX – EIGRP external
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R   2004::/64 [120/2]
     via FE80::21B:53FF:FE36:F2CC, FastEthernet0/0
ASR#4
[Resuming connection 4 to r4 … ]

R4(config-if)#ipv6 rip Process1 default-information ?
  only       Advertise only the default route
  originate  Originate the default route

R4(config-if)#ipv6 rip Process1 default-information originate ?
  metric  Default route metric
  <cr>

R4(config-if)#ipv6 rip Process1 default-information originate metric ?
  <1-15>

R4(config-if)#ipv6 rip Process1 default-information originate
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ipv6 route rip
IPv6 Routing Table – 9 entries
Codes: C – Connected, L – Local, S – Static, R – RIP, B – BGP
       U – Per-user Static route
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       O – OSPF intra, OI – OSPF inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
       D – EIGRP, EX – EIGRP external
R   ::/0 [120/2]
     via FE80::21B:53FF:FE36:F2CC, FastEthernet0/0
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R   2004::/64 [120/2]
     via FE80::21B:53FF:FE36:F2CC, FastEthernet0/0
R2#

See what I did there? The color coding shows R2’s original route table in red, and in blue you can see the command added to the R4 Fa0/0 interface, as well as the default route now seen in R2’s route table AFTER A PAINFULLY LONG AMOUNT OF TIME.

Really, with RIP in IPv6, if you think you’ve waited long enough and something should have happened by now, it really hasn’t. Go take a shower or do the dishes, come back, and it will maybe have sent route updates. It’s surprisingly noticeably worse than IPv4.

ANYWAYS, so that works like it does with OSPF, it just sends a default route to itself to all listening routers with its same Process ID.

Now let us change this to use “only” instead of originate, and see what happens, we’ll skip before and after as the current route table is just above us all colorful and fun looking:

R4(config)#int fa0/0
R4(config-if)#no ipv6 rip Process1 default-information originate
R4(config-if)#ipv6 rip Process1 default-information only
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ipv6 route rip
IPv6 Routing Table – 8 entries
Codes: C – Connected, L – Local, S – Static, R – RIP, B – BGP
       U – Per-user Static route
       I1 – ISIS L1, I2 – ISIS L2, IA – ISIS interarea, IS – ISIS summary
       O – OSPF intra, OI – OSPF inter, OE1 – OSPF ext 1, OE2 – OSPF ext 2
       ON1 – OSPF NSSA ext 1, ON2 – OSPF NSSA ext 2
       D – EIGRP, EX – EIGRP external
R   ::/0 [120/2]
     via FE80::21B:53FF:FE36:F2CC, FastEthernet0/0
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R2#

R2#ping 2004::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2004::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/8 ms
R2#

After 10 minutes, R2 got its routing update, which shows that R4 is now only advertising default routes to other RIPng routers listening, and the ping to its loopback is successful.

So the difference between originate and only is pretty straightforward: originate just adds a default route to RIPng routers, while “only” on the command will “only” advertise a default route to itself.
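The before/after comparison done by eye above, as an added example (not from the original post): a small Python parser for `sh ipv6 route rip` output that diffs two captures and reports which neighbor a RIPng default route was learned from, a useful check when a `::/0` appears that nobody meant to originate. The captures are R2's route lines from this post with the code legend dropped; the function names are this example's own.

```python
import ipaddress
import re

# "R   2003::/64 [120/2]" -> prefix, administrative distance, metric (hop count)
ROUTE_RE = re.compile(r"^R\s+(\S+/\d+)\s+\[(\d+)/(\d+)\]\s*$")
# "     via FE80::20F:23FF:FE09:B180, FastEthernet0/0" -> next hop, interface
VIA_RE = re.compile(r"^\s+via\s+(\S+),\s+(\S+)\s*$")

# Sample input: R2's captures from this post, legend lines dropped.
BEFORE = """R2#sh ipv6 route rip
IPv6 Routing Table - 8 entries
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R   2004::/64 [120/2]
     via FE80::21B:53FF:FE36:F2CC, FastEthernet0/0
"""

AFTER_ORIGINATE = """R2#sh ipv6 route rip
IPv6 Routing Table - 9 entries
R   ::/0 [120/2]
     via FE80::21B:53FF:FE36:F2CC, FastEthernet0/0
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R   2004::/64 [120/2]
     via FE80::21B:53FF:FE36:F2CC, FastEthernet0/0
R2#
"""

AFTER_ONLY = """R2#sh ipv6 route rip
IPv6 Routing Table - 8 entries
R   ::/0 [120/2]
     via FE80::21B:53FF:FE36:F2CC, FastEthernet0/0
R   2003::/64 [120/2]
     via FE80::20F:23FF:FE09:B180, FastEthernet0/0
R2#
"""


def parse_rip_routes(output):
    """Return {IPv6Network: {"ad", "metric", "next_hops"}} for every R entry."""
    routes = {}
    current = None
    for line in output.splitlines():
        route = ROUTE_RE.match(line)
        if route:
            current = ipaddress.IPv6Network(route.group(1))
            routes[current] = {
                "ad": int(route.group(2)),
                "metric": int(route.group(3)),
                "next_hops": [],
            }
            continue
        via = VIA_RE.match(line)
        if via and current is not None:
            hop = ipaddress.IPv6Address(via.group(1))
            routes[current]["next_hops"].append((str(hop), via.group(2)))
        else:
            # Prompts, headers and legend lines end the current entry.
            current = None
    return routes


def diff_tables(before_text, after_text):
    """Compare two captures: which RIPng prefixes appeared or disappeared."""
    before = parse_rip_routes(before_text)
    after = parse_rip_routes(after_text)
    default = ipaddress.IPv6Network("::/0")
    return {
        "added": [str(p) for p in sorted(set(after) - set(before))],
        "removed": [str(p) for p in sorted(set(before) - set(after))],
        # Who is handing us the default route? Empty list if there is none.
        "default_via": after.get(default, {}).get("next_hops", []),
    }


if __name__ == "__main__":
    print("originate:", diff_tables(BEFORE, AFTER_ORIGINATE))
    print("only:     ", diff_tables(AFTER_ORIGINATE, AFTER_ONLY))
```

Run against captures taken a few update intervals apart, the `default_via` field names the link-local address and interface of the router originating `::/0`, which can be matched to a neighbor's interface address.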

** One thing to note from that last output is that it is best practice to remove the original command before replacing it with a new value, however with this be sure not to remove the “ipv6 rip process enable” command because it needs to stay! **

With that, I am done waiting for RIP’s routing updates, next up is one more OSPFv3 lab which will use this same Topology once more. Don’t miss out on all the fun in that post!

Part 6: Troubleshooting of sub-optimal routing via route-maps / redist/ policy routing, and an old friend OSPF distance comes to save the day! (GREAT review!)

labbers_delight_rev3

Not /fin with this Topology of course, after this lab of fine tuning some sub-optimal routing I am taking copies of all “sh run” to be able to spin this lab up again if it ever gets the “wr er”, however it will be /fin for review and onto the subject of VPN’s.

So, Part 6, I am so ready to get this review over with – it’s almost taking as long as the initial learning!

As I recall our Local Policy Routing uncovered a case of sub-optimal routing, where OSPF paths are being preferred over much better link speeds, because its AD of 110 is lower than RIP’s 120. There are 2 different ways to address this:

  • Create a Policy Route on R2 setting R3 as the next hop for certain networks
  • Change the AD itself either via route-map or redistribution

So my initial thought is that a Policy Route on S0/0 directing traffic to a next-hop of 172.12.23.3 (Ethernet segment) would almost definitely introduce more sub-optimal routing to track down and fix, however I am not quite sure of the best way to change that AD.

 

I haven’t seen it done before in a route map, so I’m going to try to tack it onto the Route-Map on R3 Redistributing those EIGRP routes into OSPF

 

So to get this configured, I need to check out the route-map for R3 to see where to insert my clause for changing the AD:

R3#show route
route-map EIGRP2RIP, deny, sequence 10
  Match clauses:
    tag 120
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2RIP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, deny, sequence 10
  Match clauses:
    tag 200
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2OSPF, deny, sequence 5
  Match clauses:
    tag 110
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 200
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2RIP, deny, sequence 5
  Match clauses:
    tag 120
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2RIP, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, deny, sequence 10
  Match clauses:
    tag 110
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120
  Policy routing matches: 0 packets, 0 bytes
R3#

Oh yeah, it’s like that, once you get to route-mapping this output gets long and confusing fast! That is why show run is helpful as well, but probably not available come exam day. I located and highlighted in red our EIGRP2OSPF route-map, so I will put it smack dab in the middle, except I have no idea the output to look for but know that I am doing a “permit” on the sequence and “set”ing something:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map EIGRP2OSPF permit 7
R3(config-route-map)#set ?
  as-path           Prepend string for a BGP AS-path attribute
  automatic-tag     Automatically compute TAG value
  clns              OSI summary address
  comm-list         set BGP community list (for deletion)
  community         BGP community attribute
  dampening         Set BGP route flap dampening parameters
  default           Set default information
  extcommunity      BGP extended community attribute
  interface         Output interface
  ip                IP specific information
  ipv6              IPv6 specific information
  level             Where to import route
  local-preference  BGP local preference path attribute
  metric            Metric value for destination routing protocol
  metric-type       Type of metric for destination routing protocol
  mpls-label        Set MPLS label for prefix
  nlri              BGP NLRI type
  origin            BGP origin code
  tag               Tag value for destination routing protocol
  traffic-index     BGP traffic classification number for accounting
  vrf               Define VRF name
  weight            BGP weight for routing table

R3(config-route-map)#set ip ?
  address     Specify IP address
  default     Set default information
  df          Set DF bit
  next-hop    Next hop address
  precedence  Set precedence field
  qos-group   Set QOS Group ID
  tos         Set type of service field

R3(config-route-map)#set metric ?
  +/-<metric>     Add or subtract metric
  <0-4294967295>  Metric value or Bandwidth in Kbits per second
  <cr>

R3(config-route-map)#set metric

I color coded in red where my commands are on the CLI, and the output from the ? as there is so much output available for “set” options, however we do NOT have anything in there for Administrative Distance. I thought it might be under “set ip” or “set metric” however I was wrong, so very very wrong.

 

Trying the “distance …” command on R2 / Redistribution options

 

Looking back on my notes from 10 months ago (which is why it is good to make your own blog for studies), the administrative distance for OSPF routes can be changed locally right on the router, and the changes will only be locally significant which will be perfect for this scenario we are running into! First let us look at R2’s sub-optimal route table once more:

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:42:05, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:42:05, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:42:05, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:42:05, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:04:54, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:04:56, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:42:08, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:42:08, Serial0/0
R2#

I just got even MORE EXCITED because I completely forgot, I left RIP and EIGRP AS 200 Redistribution as default E2 external routes, while EIGRP AS 100 is E1 – So if I can change it by External route type that would route traffic exactly right! Let’s check it out:

R2(config-router)#distance ?
  <1-255>  Administrative distance
  ospf     OSPF distance

Ah yes, I remember this now, we will either have to make all external routes with an AD of 121, or make an access-list that allows certain routes to get an AD of 121, referenced here:

https://loopedback.com/2016/06/15/ospf-to-rid-4-ways-to-change-ad-sub-optimal-routing-route-loops/

Being that I am currently lazy and a bit fried from work / VPN theory, I’m going to try to just use the “distance ospf # …” command in OSPF configuration to change the local external AD, I will need to review and re-lab that mentioned page at some point but not as another part of this lab session:

R2(config-router)#distance ospf external 121
R2(config-router)#do sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:00:26, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
R       100.0.0.0 [120/2] via 172.12.23.3, 00:00:26, FastEthernet0/0
     33.0.0.0/24 is subnetted, 1 subnets
R       33.33.33.0 [120/1] via 172.12.23.3, 00:00:26, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:00:26, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.23.3, 00:00:00, FastEthernet0/0
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.34.0 [120/1] via 172.12.23.3, 00:00:08, FastEthernet0/0
R       172.12.15.0 [120/2] via 172.12.23.3, 00:00:08, FastEthernet0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
R       11.11.11.0 [120/2] via 172.12.23.3, 00:00:08, FastEthernet0/0
R2(config-router)#

Well, I guess I will be reviewing that old page sooner than I thought, eh? So I removed the distance command, and will read through the link posted above quick to see what needs to be done here.

So after a quick skim, we are going to need an access-list to reference in OSPF; this uses the “distance # (ip address) …” command in OSPF config. I know we need the RID this route is learned from, but being the other spoke I don’t know if it needs to be the hub’s or R3 / the other spoke’s RID, so my first thought is to check our neighbor table to see if we even have the ASBR locked and loaded as a neighbor:

R2(config)#do sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
11.11.11.1        1   FULL/DR         00:01:58    172.12.123.1    Serial0/0
R2(config)#

Nope, on a Hub and Spoke OSPF network, your only ally (neighbor) is the Hub, so we will need to use its RID right there in the neighbor table to configure this as follows:

R2(config)#access-list 11 permit host 4.4.4.4
R2(config)#access-list 11 permit 172.12.34.0 0.0.0.255
R2(config)#router ospf 1
R2(config-router)#distance 121 ?
  A.B.C.D  IP Source address
  <cr>

R2(config-router)#distance 121 11.11.11.1 ?
  A.B.C.D  Wildcard bits

R2(config-router)#distance 121 11.11.11.1 0.0.0.255 ?
  <1-99>       IP Standard access list number
  <1300-1999>  IP Standard expanded access list number
  WORD         Standard access-list name
  <cr>

R2(config-router)#distance 121 11.11.11.1 0.0.0.255 11 ?
  <cr>

R2(config-router)#distance 121 11.11.11.1 0.0.0.255 11
R2(config-router)#

I have no idea if this is going to work, but excellent review I hadn’t even thought of. DRUM ROLL PLEASE, as here we see the new and optimally routing table for R2:

(Failure, same routes). I won’t even bother with the output. It took doing a “clear ip ospf proc” and a “clear ip route *” to finally get these results:

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/2] via 172.12.23.3, 00:00:25, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
R       100.0.0.0 [120/2] via 172.12.23.3, 00:00:25, FastEthernet0/0
     33.0.0.0/24 is subnetted, 1 subnets
R       33.33.33.0 [120/1] via 172.12.23.3, 00:00:26, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/2] via 172.12.23.3, 00:00:27, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.23.3, 00:00:27, FastEthernet0/0
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.34.0 [110/20] via 172.12.123.3, 00:00:02, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:02, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:02, Serial0/0
R2#

So I have managed to turn all OSPF into RIP routes again, and I am not sure how I did that with this command only specifying those 2 routes learned from 11.11.11.1 to have an AD of 121. Time to review exactly what I did here.

I can’t see any glaring mistakes, so I am wondering if maybe due to how the ACL is being called out, if that implicit deny is not kicking in quite right, so I put an explicit deny on there:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 11 deny any
R2(config)#do show access-list 11
Standard IP access list 11
    10 permit 4.4.4.4
    20 permit 172.12.34.0, wildcard bits 0.0.0.255
    30 deny   any
R2(config)#

Now let’s clear ip ospf proc again and see what we get:

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:00:32, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:00:32, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:00:32, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:00:32, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:00:33, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:00:36, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:36, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:36, Serial0/0
R2#

I just cannot win with this method… WAIT A MINUTE! THAT WILDCARD MASK SHOULD BE 0.0.0.0 NOT THE NETWORK MASK OF 0.0.0.255! LET’S TRY THIS AGAIN:

R2#sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/2] via 172.12.23.3, 00:00:09, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
R       100.0.0.0 [120/2] via 172.12.23.3, 00:00:09, FastEthernet0/0
     33.0.0.0/24 is subnetted, 1 subnets
R       33.33.33.0 [120/1] via 172.12.23.3, 00:00:09, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/2] via 172.12.23.3, 00:00:10, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.23.3, 00:00:10, FastEthernet0/0
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.34.0 [110/20] via 172.12.123.3, 00:00:00, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:00, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:00, Serial0/0
R2#

The oddity is, only the E1 routes are remaining OSPF, there might be something to that but for now I am going to remove the distance command from R2 and see if there are any options in the redistribute command on R3.

So I wasn’t able to touch AD in Redistribution, but I was able to change the metric-type (as I’d been able to in the route-map for EIGRP2OSPF as well), so let’s see if applying the same command on R2 that allowed the O E1 routes to stay holds steady.

Aaaaand, it did not. I have a feeling that not having a neighbor relationship to that ASBR is making things difficult, so I am resetting the works and putting a policy route on S0/0, which I said would not be viable in the beginning of the lab, as we are running out of options 🙂

 

Using Policy Routing to accomplish my task, and end this never ending lab

 

I’m going brain dead for the night, and while I could review past material for days on end, I need to wrap up the review (for now) and finish this lab tonight – So I will use Policy Routing on R2 to accomplish overcoming the sub-optimal routing we set out to destroy:

R2(config)#ip access-list extended GOTOYOURHOME
R2(config-ext-nacl)#10 permit ip host 11.11.11.1 host 4.4.4.4
R2(config-ext-nacl)#exit
R2(config)#route-map GOHOMEBALL permit 10
R2(config-route-map)#match ip add GOTOYOURHOME
R2(config-route-map)#set ip next-hop 172.12.23.4
R2(config-route-map)#exit
R2(config)#int s0/0
R2(config-if)#ip policy route GOHOMEBALL ?
  <cr>

R2(config-if)#ip policy route GOHOMEBALL

(I hope you enjoyed the Happy Gilmore references) Aaaaand:

R1#traceroute 4.4.4.4 source 11.11.11.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.2 36 msec 32 msec 33 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *
ASR#2
[Resuming connection 2 to r2 … ]

R2(config-route-map)#^Z
R2#de
*Mar  1 17:24:20.014: %SYS-5-CONFIG_I: Configured from console by console
R2#debug ip pack
IP packet debugging is on
R2#
*Mar  1 17:24:25.624: IP: tableid=0, s=11.11.11.1 (Serial0/0), d=4.4.4.4 (Serial0/0), routed via FIB
*Mar  1 17:24:25.624: IP: s=11.11.11.1 (Serial0/0), d=4.4.4.4 (FastEthernet0/0), g=172.12.23.4, len 28, forward
*Mar  1 17:24:25.624: IP: s=11.11.11.1 (Serial0/0), d=4.4.4.4 (FastEthernet0/0), len 28, encapsulation failed
R2#

SO THIS HAS ONCE AGAIN FAILED, BUT I FINALLY GOT IT, USING THE DISTANCE COMMAND ON R2, AND THIS WRAPS THIS LAB ON UP!

After looking at the extended ip route command for the network, I noticed in its configuration for the route it was learned via 33.33.33.3, not via our only neighbor 11.11.11.1, so I repeated the same syntax only with 33.33.33.3 as the remote RID:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 11 permit host 4.4.4.4
R2(config)#access-list 11 permit 172.12.34.0 0.0.0.255
R2(config)#router ospf 1
R2(config-router)#distance 121 33.33.33.3 0.0.0.0 ?
  <1-99>       IP Standard access list number
  <1300-1999>  IP Standard expanded access list number
  WORD         Standard access-list name
  <cr>

R2(config-router)#distance 121 33.33.33.3 0.0.0.0 11
R2#clear ip ospf proc
Reset ALL OSPF processes? [no]: yes
R2#
*Mar  1 17:40:54.304: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.1 on Serial0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R2#
*Mar  1 17:41:10.094: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.1 on Serial0/0 from LOADING to FULL, Loading Done

AAAAAAAAAND:

R2(config)#do sh ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:02:16, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:02:16, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:02:16, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:02:16, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.23.3, 00:00:08, FastEthernet0/0
     172.12.0.0/24 is subnetted, 4 subnets
R       172.12.34.0 [120/1] via 172.12.23.3, 00:00:10, FastEthernet0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:02:19, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:02:19, Serial0/0
R2(config)#

I honestly did not think I would be able to get this, but there it is, made possible by the distance command in OSPF config in R2. I am saving all routers and running for the door before I find another issue with the config – See you next time for some VPN configuration and theory!

EDIT:

To note for future reference, this is what led me to my answer:

R2#show ip route 4.4.4.4 255.255.255.255
Routing entry for 4.4.4.4/32
  Known via “ospf 1”, distance 110, metric 20
  Tag 200, type extern 2, forward metric 64
  Last update from 172.12.123.3 on Serial0/0, 00:00:22 ago
  Routing Descriptor Blocks:
  * 172.12.123.3, from 33.33.33.3, 00:00:22 ago, via Serial0/0
      Route metric is 20, traffic share count is 1
      Route tag 200

That was a great save, just goes to show, any problem can be worked through if you work at it hard enough. I will also note it tickles me that a configuration I didn’t even think of or mention as a solution was what ended up saving the day 🙂 Pretty awesome!
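The route selection that the distance command changed on R2, modelled in Python as an added example (not code from the original post). The candidate routes are constructed from the show output above, the RIP candidate for 33.33.33.0/24 is an assumption, and the function names are hypothetical.

```python
import ipaddress

# Default administrative distances for the route sources seen in this lab.
DEFAULT_AD = {"connected": 0, "ospf": 110, "rip": 120}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# access-list 11 from the post; it holds only permit entries.
ACL_11 = [("4.4.4.4", "0.0.0.0"), ("172.12.34.0", "0.0.0.255")]

def effective_ad(prefix, cand, rules):
    """AD of one candidate after any matching 'distance' rule is applied.

    A rule applies only when the protocol matches, the route's source
    (for OSPF, the advertising router ID) matches, and the prefix is
    permitted by the rule's ACL.
    """
    net = str(ipaddress.ip_network(prefix).network_address)
    for rule in rules:
        if (rule["protocol"] == cand["protocol"]
                and wildcard_match(cand["source"], rule["source"], rule["wildcard"])
                and any(wildcard_match(net, b, w) for b, w in rule["acl"])):
            return rule["distance"]
    return DEFAULT_AD[cand["protocol"]]

def install(candidates, rules=()):
    """Pick the lowest-AD candidate per prefix, as the routing table does."""
    table = {}
    for prefix, cands in candidates.items():
        best = min(cands, key=lambda c: effective_ad(prefix, c, rules))
        table[prefix] = (best["protocol"], effective_ad(prefix, best, rules),
                         best["metric"], best["next_hop"])
    return table

def ospf(metric):
    # OSPF externals on R2 arrive via 172.12.123.3, advertised by RID 33.33.33.3.
    return {"protocol": "ospf", "metric": metric,
            "next_hop": "172.12.123.3", "source": "33.33.33.3"}

def rip(metric):
    # RIP routes on R2 arrive over FastEthernet0/0 from 172.12.23.3.
    return {"protocol": "rip", "metric": metric,
            "next_hop": "172.12.23.3", "source": "172.12.23.3"}

# Constructed from the page's route tables on R2.
CANDIDATES = {
    "4.4.4.4/32":     [ospf(20), rip(2)],
    "172.12.34.0/24": [ospf(20), rip(1)],
    "33.33.33.0/24":  [ospf(2), rip(1)],   # RIP candidate assumed
}

# First attempt: source was the neighbor 11.11.11.1, which never matches.
FIRST_TRY = {"protocol": "ospf", "distance": 121, "source": "11.11.11.1",
             "wildcard": "0.0.0.0", "acl": ACL_11}
# Working rule: distance 121 33.33.33.3 0.0.0.0 11
FIXED = dict(FIRST_TRY, source="33.33.33.3")

if __name__ == "__main__":
    for label, rules in (("default", []), ("first try", [FIRST_TRY]), ("fixed", [FIXED])):
        print(label)
        for prefix, entry in install(CANDIDATES, rules).items():
            print("  ", prefix, entry)
```

Only the two prefixes permitted by ACL 11 move to RIP; 33.33.33.0/24 keeps its OSPF entry because the rule never raises its distance.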

Part 5: Turning “IP Routing” on for Layer 3 SW1, Policy / Local Policy Routing, found sub-optimal routing due to AD! (Will be 6th lab to troubleshoot)

labbers_delight_rev3

I took a quick moment to post before this, advising not to study or lab tired, cause as can be seen towards the end of my Part 4 of this lab I am just tired and swinging at air.

Anyway, we now have R1 and R3 both acting as ASBR’s, with R1 doing 2-way route-tagged Distribution and R3 doing 3-way tagged Route Redistribution. We even still have authentication running on all routing domains, life does not get much better than this!

Honestly, I am very happy with the fact that I have all protocol Authentication configurations documented, and how that all fits together, in addition to a solid understanding of Distribute-List configuration. The fact that I was able to get Multi-Point 2-way and 3-way routing to play nice (with some troubleshooting) is awesome, so Policy Routing is going to be my wrap up here to this lab because I have wanted to make the Summary Route do sub-optimal for half the routes since this began! 🙂

 

Quickly turning on L3 functionality for SW1 and testing connectivity

 

I probably didn’t need the new topic blue header for this, but I never know what I’m in for starting out with something new to the lab, so I put SW1 on the RIP network and want to see if it’s pingable with just a management IP for Vlan1.

So the quick config on SW1:

SW1(config)#ip routing
SW1(config)#router rip
SW1(config-router)#no auto
SW1(config-router)#network 172.12.23.0

And then a quick test from R5 to see if it can see it all the way down there:

R5#ping 172.12.23.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.23.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/65/68 ms
R5#

Woohoo! Sweet Sweet connectivity, now to path selection / manipulation with PBR.

 

Policy Routing Configuration / Local Policy Routing configuration

 

Again once you know route-map configuration, PBR is a walk in the park to set up and apply, which is what I say right before I run into 1000 unforeseen problems. So I would like half the traffic from our Summary Route to take a different path over the NBMA, as it won’t do equal cost load balancing by default the way EIGRP will, so I’ll set it myself:

R1(config)#$ 105 permit ip 100.1.0.0 0.0.255.255 172.12.23.0 0.0.0.255
R1(config)#$ 105 permit ip 100.2.0.0 0.0.255.255 172.12.23.0 0.0.0.255
R1(config)#$ 105 permit ip 100.3.0.0 0.0.255.255 172.12.23.0 0.0.0.255
R1(config)#$ 105 permit ip 100.4.0.0 0.0.255.255 172.12.23.0 0.0.0.255
R1(config)#route-map SummaryTrafficHop permit 10
R1(config-route-map)#match ip add 105
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#int fa0/1
R1(config-if)#ip policy route SummaryTrafficHop
R1(config-if)#

So it is now set up on R1 to filter said networks in the summary route, let’s test the preferred route in general from R5, then the networks involved in the Policy Route:

R5#traceroute 172.12.23.1

Type escape sequence to abort.
Tracing the route to 172.12.23.1

  1 172.12.15.1 0 msec 4 msec 0 msec
  2 172.12.123.3 32 msec 36 msec 32 msec
  3 172.12.23.1 32 msec *  32 msec
 
R5#traceroute 172.12.23.1 source 100.4.0.1

Type escape sequence to abort.
Tracing the route to 172.12.23.1

  1 172.12.15.1 0 msec 4 msec 0 msec
  2 172.12.123.2 32 msec 32 msec 36 msec
  3  *
    172.12.23.1 32 msec *
R5#traceroute 172.12.23.1 source 100.5.0.1

Type escape sequence to abort.
Tracing the route to 172.12.23.1

  1 172.12.15.1 4 msec 0 msec 4 msec
  2 172.12.123.3 32 msec 32 msec 32 msec
  3 172.12.23.1 32 msec *  32 msec
R5#

This really surprised me at first, as when there was a Router connected to R2 and R3 via FastEthernet, we would see those traceroute returns up to R1 and back to the other spoke even using OSPF across the board. With a switch on the Ethernet segment however, it is that “One and Done” I was talking about wasn’t possible to truly configure PBR along a network path. I personally think Chris Bryant did a really horse sh*t job of teaching that section, and as much as I love his training, I would say that right to his face 🙂

So for future reference, if this type of Topology pops up with Policy Routing in question, you will need to configure Policy Routes on the next-hop Router to then direct traffic onto the Ethernet to its destination rather than back over the NBMA.

THAT BEING SAID, I THINK WE NEED TO INTRODUCE A LITTLE ANARCHY TO THE NETWORK, AND DOING SO WITH A POLICY ROUTE:

R1(config)#access-list 111 permit ip 11.11.11.0 0.0.0.255 host 4.4.4.4
R1(config)#route-map LocalNextHop permit 10
R1(config-route-map)#match ip add 111
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#

Now I know I don’t even NEED to tell you at this point, but that is a sub-optimal path even if it zips across the FastEthernet instead of across the Serial Link and Back to R3 to reach R4’s loopback address of 4.4.4.4, but lettuce see what happens when we traceroute it:

R1(config)#access-list 111 permit ip 11.11.11.0 0.0.0.255 host 4.4.4.4
R1(config)#route-map LocalNextHop permit 10
R1(config-route-map)#match ip add 111
R1(config-route-map)#set ip next-hop 172.12.123.2
R1(config-route-map)#do traceroute 4.4.4.4 source 11.11.11.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.3 76 msec 32 msec 32 msec
  2 172.12.34.4 33 msec *  32 msec
R1(config-route-map)#

… The result of this traceroute displeases me. However, after staring at that configuration for a moment, I realize I completely spaced putting in the actual local policy statement.

This is why I made a post about studying tired, and why I am wrapping this up!

R1(config)#ip local policy route LocalNextHop
R1(config)#do traceroute 4.4.4.4 source 11.11.11.1

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 172.12.123.2 32 msec 32 msec 32 msec
  2 172.12.123.1 24 msec 24 msec 24 msec
  3 172.12.123.3 56 msec 52 msec 57 msec
  4 172.12.34.4 56 msec *  52 msec
R1(config)#

I am a bit surprised by this; I would have thought it would take the Ethernet segment over to R3. I must consult R3’s route table quick to understand this madness of sending back over the Serial Link rather than through the Ethernet:

R2#show ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 02:03:41, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 02:03:41, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 02:03:41, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 02:03:41, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 02:03:42, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 02:03:44, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 02:03:44, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 02:03:44, Serial0/0
R2#

I smell a 6th lab needed for sub-optimal routing, and changing AD’s! This should have taken the path through the RIP domain to get to R4 (along with other traffic), however its tie breaker (its AD) beat RIP, 110 vs 120, so the OSPF route is in the route table as an E2 route.

This is a good note to end it on for me, next lab I will be troubleshooting some sub-optimal routing I find around the network with PBR and AD changes, then it is time to learn about and configure some VPN’s on our Authenticated and Redistributed monster of a network 🙂
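The two policy routes from this lab, modelled in Python as an added example (not code from the original post): a route-map applied to an interface only touches packets arriving on that interface, while packets R1 generates itself are only policy routed once `ip local policy` is configured. The FIB entries are constructed from the traceroutes above, and the function names are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def packet_permitted(acl, src, dst):
    """Extended ACL check on a packet: first match wins, implicit deny."""
    for action, (s_base, s_wild), (d_base, d_wild) in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action == "permit"
    return False

# access-list 105: sources 100.1.0.0/16 .. 100.4.0.0/16 towards 172.12.23.0/24
ACL_105 = [("permit", (f"100.{n}.0.0", "0.0.255.255"), ("172.12.23.0", "0.0.0.255"))
           for n in range(1, 5)]
# access-list 111: source 11.11.11.0/24 towards host 4.4.4.4
ACL_111 = [("permit", ("11.11.11.0", "0.0.0.255"), ("4.4.4.4", "0.0.0.0"))]

# route-map name -> (match ip address ACL, set ip next-hop)
ROUTE_MAPS = {
    "SummaryTrafficHop": (ACL_105, "172.12.123.2"),
    "LocalNextHop": (ACL_111, "172.12.123.2"),
}

# R1's normal next hops, constructed from the un-policied traceroutes.
FIB = {"172.12.23.0/24": "172.12.123.3", "4.4.4.4/32": "172.12.123.3"}

def fib_lookup(dst):
    """Longest-prefix match over the small constructed FIB."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in FIB]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    return FIB[str(max(hits, key=lambda n: n.prefixlen))]

def next_hop(src, dst, ingress, interface_policy, local_policy=None):
    """Next hop R1 uses for one packet.

    ingress is the receiving interface name, or None for a packet that
    R1 originated itself (for example its own traceroute).
    """
    policy = local_policy if ingress is None else interface_policy.get(ingress)
    if policy:
        acl, hop = ROUTE_MAPS[policy]
        if packet_permitted(acl, src, dst):
            return hop
    return fib_lookup(dst)   # no policy match: ordinary routing

# "ip policy route-map SummaryTrafficHop" on fa0/1, the interface facing R5.
IF_POLICY = {"Fa0/1": "SummaryTrafficHop"}

if __name__ == "__main__":
    print(next_hop("100.4.0.1", "172.12.23.1", "Fa0/1", IF_POLICY))
    print(next_hop("100.5.0.1", "172.12.23.1", "Fa0/1", IF_POLICY))
    print(next_hop("11.11.11.1", "4.4.4.4", None, IF_POLICY))
    print(next_hop("11.11.11.1", "4.4.4.4", None, IF_POLICY, "LocalNextHop"))
```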

Part 4: The right ACL for the right job (Distribute-List vs Route-Map), Configuring 3-way Route Redistribution with a lot of failures but final success!!!

labbers_delight_rev3

(Added interface #’s to the Topology as we increase working with both IP’s and interfaces)

I wanted to touch this quick before moving on to policy routing, whether Distribute-Lists can block certain networks from a Summary Route, or if it’s possible at all. So I’ll run through it quick here to move on:

 

Distribute-List vs Summary Route on R5, Standard vs Extended ACL’s

 

First I want to confirm that my Distribute-List configured in OSPF is still blocking 5.5.5.5 from Redistributing into OSPF from the vantage of R2:

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:05:28, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:05:28, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:05:28, Serial0/0
R2#

It looks like the Distribute-List is still rocking, so I am going to attempt to add onto the existing ACL on R1 for it:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#do sh access-list 5
Standard IP access list 5
    10 deny   5.5.5.5 (1 match)
    20 permit any (3 matches)
R1(config)#access-list 5 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment

R1(config)#access-list 5 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

R1(config)#access-list 5 deny 100.3.0.0 ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>

R1(config)#access-list 5 deny 100.3.0.0 0.0.255.255 ?
  log  Log matches against this entry
  <cr>

This is to demonstrate that with Standard Access-Lists you cannot add lines where you need them, that is going to require an Extended Access-List. Any new / additional statements to ACL 5 will be tacked onto the end, and they will be useless due to the permit any already on the ACL.

SO, I will blow away that ACL and try an Extended ACL that just uses ‘any’ for a destination addy, to simulate the feel of a Standard ACL. I’m also going to give it a name, to see if Distribute-Lists will accept named ACL’s, and its name will be “Bob”.

Now I have a couple pieces of output here, as I was curious after I remove the list, will the Distribute-List dynamically be pulled from the OSPF config once it is removed from the router, and if it isn’t, will R2 then be able to see 5.5.5.5 anyways:

R1(config)#no access-list 5
R1(config)#ip access-list extended Bob
R1(config-ext-nacl)#10 deny ip host 5.5.5.5 any
R1(config-ext-nacl)#20 deny ip 100.4.0.0 0.0.255.255 any
R1(config-ext-nacl)#30 deny ip 100.6.0.0 0.0.255.255 any
R1(config-ext-nacl)#40 permit ip any any
R1(config-ext-nacl)#exit

ACL 5 is gone and Bob is now rampant on R1, let’s look at the running config:

R1(config)#do show run
Building configuration…

(run output)
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute eigrp 100 subnets route-map EIGRP2OSPF
 network 1.1.1.1 0.0.0.0 area 0
 network 172.12.123.0 0.0.0.255 area 0
 neighbor 172.12.123.2
 neighbor 172.12.123.3
 distribute-list 5 out eigrp 100
!
(More run output)

R1(config)#

And it is still referencing ACL 5, so we will want to remove that as well (which we do anyways as best practice before adding our Bob Distribute-List), but to confirm on R2:
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:40:24, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:40:24, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
O E1    5.5.5.5 [110/84] via 172.12.123.1, 00:03:34, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:40:24, Serial0/0
R2#

Sure enough 5.5.5.5 returns to the route table. So time to see if we can apply Bob in ACL 5’s stead and see what happens:

R1(config-router)#no distribute-list 5 out eigrp 100
R1(config-router)#distribute-list Bob out eigrp 100
Access-list type conflicts with prior definition
% This command only accepts named standard IP access-lists.
R1(config-router)#

So the lesson learned here – ***DISTRIBUTE-LISTS ONLY ACCEPT STANDARD ACL’S!!!***

My training materials only instructed to use Standard ACL’s for distribute-lists but did not specifically mention that Extended ACL’s would not take, so I am going to keep Bob around for another test here but first let’s see about making a new ACL 5 and applying it:

R1(config-router)#exit
R1(config)#access-list 5 deny host 5.5.5.5
R1(config)#access-list 5 deny 100.4.0.0 0.0.255.255
R1(config)#access-list 5 deny 100.6.0.0 0.0.255.255
R1(config)#access-list 5 permit any
R1(config)#router ospf 1
R1(config-router)#distribute-list 5 out eigrp 100
R1(config-router)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:57:03, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:57:03, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:57:03, Serial0/0
R2#ping 100.4.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.4.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R2#

So it worked for 5.5.5.5, but it didn’t even touch the connectivity of the Summary Route, so I am going for the full on block of the Summary itself as one last try with Distribute-Lists:

R1(config-router)#exit
R1(config)#no access-list 5
R1(config)#access-list 5 deny host 5.5.5.5
R1(config)#access-list 5 deny 100.0.0.0 0.7.255.255
R1(config)#access-list 5 permit any
R1(config)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:59:53, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:59:53, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:08, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:0008, Serial0/0
R2#

Aaaaaaaaaand it’s gone! Notice I didn’t need to touch the distribute-list config as it already references ACL 5, I just had to recreate ACL 5, and it kicked right in. So I want to keep my Summary Route in the mix, so I’ll set the Distribute-List back to only filtering 5.5.5.5 and see what we can do with Route-maps:

R1(config)#no access-list 5
R1(config)#access-list 5 deny 5.5.5.5
R1(config)#access-list 5 permit any
R1(config)#

So to move things right along, let’s see if we can use our Redistribution Route-Map to enforce Bob on our unsuspecting victim the Summary-Route:

 

Extended ACL blocking certain networks in a Summary Route on Route-map via Redistribution

 

Since we already have a route-map on our routes redistributing into OSPF, I wanted to see if I could possibly sneak a “Bob” clause in there to stop connectivity to 100.4.0.0 and 100.6.0.0, and of course to start this we want to examine our route-maps for the proper sequence spot for it to be inserted:

R1(config)#do sh route-map
route-map EIGRP2OSPF, deny, sequence 5
  Match clauses:
    tag 110
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
(Right here before the (‘permit all’) tagging traffic)
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    metric-type type-1
    tag 100
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 100
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 15
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
R1(config)#

We want it before sequence 10 because that clause will permit all traffic and tag it with a 100, so I’ll put it between our tag deny and permit sequences:

R1(config)#route-map EIGRP2OSPF deny 8
R1(config-route-map)#match ip add Bob
R1(config-route-map)#
ASR#2
[Resuming connection 2 to r2 … ]

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 01:22:53, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 01:22:53, Serial0/0
R2#

So it sort of worked, I guess, but now we are missing every external route despite my ‘permit ip any any’ at the end of the Bob. So I review Bob on R1 to see if anything looks wrong in the configuration in show run:

ip access-list extended Bob
 deny   ip host 5.5.5.5 any
 deny   ip 100.4.0.0 0.0.255.255 any
 deny   ip 100.6.0.0 0.0.255.255 any
 permit ip any any

And then R2 once Bob is removed:

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 01:29:55, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 01:29:55, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:00:06, Serial0/0

So the interesting thing is, R1 is configured with 11.11.11.0 /24 and 172.12.15.0 /24 on its EIGRP configuration, however the access-list match on the route-map Redistributing EIGRP routes just blocks everything from EIGRP if applied at all.

So it turns out, there is no room in this network for Bob (yet), poor guy.
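Why the `deny 8` clause emptied R2's external routes, modelled in Python as an added example (not code from the original post). It assumes standard IOS route-map evaluation: inside a deny clause, a route that the ACL permits is dropped, while a route that the ACL denies does not match the clause and falls through to the next sequence. The ACL names BlockSummary and BlockComponents are hypothetical, and only the source field of Bob is modelled because every entry uses `any` as its destination.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, prefix):
    """Match a route's network address; first hit wins, implicit deny at the end."""
    net = str(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        if wildcard_match(net, base, wildcard):
            return action == "permit"
    return False

def clause_matches(match, route, acls):
    """A clause with no match statements matches every route."""
    if "tag" in match and route.get("tag") != match["tag"]:
        return False
    if "acl" in match and not acl_permits(acls[match["acl"]], route["prefix"]):
        return False
    return True

def apply_route_map(route, clauses, acls):
    """Return the route with set values applied, or None if it is filtered."""
    for _seq, action, match, sets in sorted(clauses, key=lambda c: c[0]):
        if clause_matches(match, route, acls):
            return None if action == "deny" else {**route, **sets}
    return None  # implicit deny at the end of every route-map

def redistribute(routes, clauses, acls, dist_list):
    """Routes that survive both the route-map and the distribute-list."""
    out = []
    for route in routes:
        kept = apply_route_map(route, clauses, acls)
        if kept is not None and acl_permits(acls[dist_list], kept["prefix"]):
            out.append(kept)
    return out

ACLS = {
    "5": [("deny", "5.5.5.5", "0.0.0.0"), ("permit", *ANY)],
    "Bob": [("deny", "5.5.5.5", "0.0.0.0"),
            ("deny", "100.4.0.0", "0.0.255.255"),
            ("deny", "100.6.0.0", "0.0.255.255"),
            ("permit", *ANY)],
    # Hypothetical ACLs written for use inside a deny clause:
    "BlockSummary": [("permit", "100.0.0.0", "0.7.255.255")],
    "BlockComponents": [("permit", "100.4.0.0", "0.0.255.255"),
                        ("permit", "100.6.0.0", "0.0.255.255")],
}

# route-map EIGRP2OSPF on R1 as shown by "sh route-map".
BASE = [(5, "deny", {"tag": 110}, {}),
        (10, "permit", {}, {"metric_type": "E1", "tag": 100})]

def with_clause_8(acl_name):
    """EIGRP2OSPF plus 'deny 8 / match ip address <acl_name>'."""
    return BASE + [(8, "deny", {"acl": acl_name}, {})]

# EIGRP routes R1 offers to OSPF, constructed from R2's route tables.
EIGRP_ROUTES = [{"prefix": p} for p in
                ("5.5.5.5/32", "100.0.0.0/13", "172.12.15.0/24", "11.11.11.0/24")]

def prefixes(clauses):
    return [r["prefix"] for r in redistribute(EIGRP_ROUTES, clauses, ACLS, "5")]

if __name__ == "__main__":
    print("no clause 8     :", prefixes(BASE))
    print("Bob             :", prefixes(with_clause_8("Bob")))
    print("BlockSummary    :", prefixes(with_clause_8("BlockSummary")))
    print("BlockComponents :", prefixes(with_clause_8("BlockComponents")))
```

With Bob, the only route that reaches sequence 10 is 5.5.5.5/32, which distribute-list 5 then removes; BlockComponents changes nothing because only the 100.0.0.0/13 summary exists to be matched.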

 

Configuring 3-way Route Redistribution with tagging via Route-Maps

 

I was going to move onto Policy Routing, but until all of my networks know of each other, I don’t have many hops around the network to mess with Policy Routing, so I am going to attempt to Redistribute OSPF / EIGRP / RIP into each other on R3, again using the Tags listed in the Topology:

labbers_delight_rev3

I felt it was a good idea to post it down here as well, as it may belong down here for this even more. So lettuce not waste any time, and get right into the configuration, I’m going to start with 2-way between OSPF and EIGRP to ensure our tagging is working to separate the 2 EIGRP domains:

R3#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map EIGRP2OSPF permit 10
R3(config-route-map)#set tag 200
R3(config-route-map)#route-map OSPF2EIGRP deny 10
R3(config-route-map)#match tag 200
R3(config-route-map)#route-map OSPF2EIGRP permit 20
R3(config-route-map)#set tag 110
R3(config-route-map)#router ospf 1
R3(config-router)#redistribute eigrp 100 route-map EIGRP2OSPF subnets
R3(config-router)#router eigrp 200
R3(config-router)#default-metric 1544 10 255 1 1500
R3(config-router)#redistribute ospf 1 route-map OSPF2EIGRP
R3(config-router)#

I am feeling pretty confident in this configuration, though I did delete a LOT of ? output for clarity’s sake of the configuration, I think we are going to see both EIGRP domains’ routes in each other’s route table with no route leaking (and of course OSPF will now have all EIGRP routes from the Topology). Let’s check it out on R4:

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:04:17, FastEthernet0/1
R4#

Beautiful, notice 5.5.5.5 is still being filtered by the Distribute-List, let’s check R2 and R5 to confirm they are looking good as well:

R2#
R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:08:10, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:08:10, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:08:10, Serial0/0
R2#

Problem #1: Where the fudge are R4’s redistributed routes? So this is going to be an issue I need to look into, let’s see how R5 is looking:

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:33:22, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:31:11, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:33:22, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:33:27, Null0
      172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:33:22, FastEthernet0/1
R5#

Problem #2: Routes are also missing here!

So I am beginning to think that perhaps this is a config on R4 and what networks it is advertising in its EIGRP domain, so time to start the troubleshooting, so let’s take a look at R4’s configurations to find the issue here:

R4#show ip proto

(Output)

  Automatic Summarization: disabled
  Maximum path: 4
  Routing for Networks:
    4.4.4.4/32
    172.12.34.0/24
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.34.3           90      00:19:03
  Distance: internal 90 external 170

R4#

So that should be working, was the redistribution messed up somehow?

R3#sh route-map
route-map EIGRP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, deny, sequence 10
  Match clauses:
    tag 200
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map OSPF2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 110
  Policy routing matches: 0 packets, 0 bytes
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#route-map EIGRP2OSPF deny 5
R3(config-route-map)#match tag 110
R3(config-route-map)#

One glaring mistake, I forgot to put a sequence before the permit, to deny traffic back out into OSPF with its tag of 110 from EIGRP AS 200. Let’s see if that (hopefully) did the trick here:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:16:06, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:16:06, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:16:06, Serial0/0
R2#

Nope, until I see 4.4.4.4 on R2 it is not working, but how odd that R4 is rocking and rolling while R2 and R5 are not having any of it. Speaking of R1, or lack of it, I checked its route table and it is not seeing R4’s two networks either so it has to be on R3.

After some review, I found my first brain getting exhausted Derp of the night – I put “eigrp 100” in the redistribute command, after removing the palm from my face I fixed it and verified the fix as shown here:

R3(config-route-map)#router ospf 1
R3(config-router)#no redistribute eigrp 100 route-map EIGRP2OSPF subnets
R3(config-router)#redistribute eigrp 200 route-map EIGRP2OSPF subnets
R3(config-router)#

Aaaaaand on R2:

R2#sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:25:04, Serial0/0
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:25:04, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:00:52, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:00:52, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:25:04, Serial0/0
R2#

For now I will leave those as default E2 routes so I can tell them apart in the Route Table, let’s see if R5 is on board as well and we have successfully configured “Multi-Point 2-way Redistribution” with Route Tagging!!:

R5#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 02:59:27, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 02:57:16, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D EX     4.4.4.4 [170/1662976] via 172.12.15.1, 00:03:29, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 02:59:27, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 02:59:32, Null0
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.34.0/24
           [170/1662976] via 172.12.15.1, 00:03:29, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 02:59:27, FastEthernet0/1
R5#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/68 ms
R5#

This is great to see, the route-maps both came right to me how to configure the set / match, however let’s see if this is the case with bringing the RIP domain into the mix:
R3(config-router)#exit
R3(config)#route-map OSPF2RIP permit 10
R3(config-route-map)#set tag 110
R3(config-route-map)#route-map OSPF2RIP deny 5
R3(config-route-map)#match tag 120
R3(config)#route-map RIP2OSPF deny 10
R3(config-route-map)#match tag 110
R3(config-route-map)#route-map RIP2OSPF permit 20
R3(config-route-map)#set tag 120
R3(config)#router ospf 1
R3(config-router)#redistribute rip route-map RIP2OSPF subnets metric 2
R3(config-router)#router rip
R3(config-router)#redistribute ospf 1 ?
  match      Redistribution of OSPF routes
  metric     Metric for redistributed routes
  route-map  Route map reference
  vrf        VPN Routing/Forwarding Instance
  <cr>

R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric 2
R3(config-router)#router ospf 1
R3(config-router)#no redistribute rip route-map RIP2OSPF subnets metric 2
R3(config-router)#redistribute rip route-map RIP2OSPF subnets
R3(config-router)#

I took out a lot of ? output once again to keep the config tight and concise, however I did highlight where along the configuration, I forgot the metric has to be set on the OSPF routes going into RIP because of its hop count limit, but I didn’t need to set a metric for RIP routes going into OSPF so I removed that from the config.

So let’s take a look at R2 to see if we see any RIP networks at all:

R2#show ip route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.12.123.1, 00:43:21, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     100.0.0.0/13 is subnetted, 1 subnets
O E1    100.0.0.0 [110/84] via 172.12.123.1, 00:43:21, Serial0/0
     33.0.0.0/24 is subnetted, 1 subnets
O E2    33.33.33.0 [110/2] via 172.12.123.3, 00:07:39, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:43:21, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O E2    4.4.4.4 [110/20] via 172.12.123.3, 00:19:09, Serial0/0
     172.12.0.0/24 is subnetted, 4 subnets
O E2    172.12.34.0 [110/20] via 172.12.123.3, 00:19:14, Serial0/0
O E1    172.12.15.0 [110/84] via 172.12.123.1, 00:43:27, Serial0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     11.0.0.0/24 is subnetted, 1 subnets
O E1    11.11.11.0 [110/84] via 172.12.123.1, 00:43:27, Serial0/0

Alright!! That highlighted is a RIP network configured on R3, so we are officially getting RIP networks into OSPF, so now let’s take a look at R5 and see if that is able to see them as well:

R5#show ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.15.1, 03:18:59, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.15.1, 03:16:48, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
D EX     4.4.4.4 [170/1662976] via 172.12.15.1, 00:23:01, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D        11.11.11.0 [90/156160] via 172.12.15.1, 03:18:59, FastEthernet0/1
      22.0.0.0/24 is subnetted, 1 subnets
D EX     22.22.22.0 [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
      33.0.0.0/24 is subnetted, 1 subnets
D EX     33.33.33.0 [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
      100.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
D        100.0.0.0/13 is a summary, 03:19:04, Null0
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
D EX     172.12.23.0/24
           [170/1662976] via 172.12.15.1, 00:11:31, FastEthernet0/1
D EX     172.12.34.0/24
           [170/1662976] via 172.12.15.1, 00:23:01, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.15.1, 03:18:59, FastEthernet0/1
R5#

So at this point we have verified that R5 knows about EIGRP AS 200 routes, OSPF routes, and RIP routes!

With that, I am going to conclude for the night as my brain is starting to melt once again out of my ears. Still, very good practical material was covered in here, and it is a good example that 3-way protocol redistribution can be performed just by tagging routes going into one protocol, so that they will redistribute into the other because no clause denies that route’s tag.

That was a mouthful of a summary of the lesson. Anyways, that’s it for tonight, next we’ll mess with some Policy routing and then it’s time to get back into study mode and tackle everything about VPN on routers.

EDIT EDIT EDIT, DAG NAB IT :

On my way to “wr mem” the routers, I did a quick “sh ip route” on R4 just to quickly confirm it was working as well, and it is missing the loopback22 22.22.22.0 /24 on R2 being advertised by RIP:

R2#sh ip proto

Routing Protocol is "rip"

 (Output)
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    22.0.0.0
    172.12.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.23.3          120      00:00:01
  Distance: (default is 120)

And here is R4’s dag nab #Y&%$&* route table:

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:17:38, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:14:35, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:17:38, FastEthernet0/1
R4#

So I saw this and just shut the routers down thinking I’ll get it next time, and I didn’t get to the bottom of the stairs before it was driving me crazy what its problem is. So I got food (getting cold) and a 5 hour energy, and it’s time to go back at this and hopefully take it down with one more configuration here.

I am thinking that because RIP is local to the router EIGRP AS 200 is on, we need a Redistribution between those two as well, with their own route-maps. My food isn’t getting any hotter (or probably colder at this point), so let’s do this:

R3(config)#route-map EIGRP2RIP deny 10
R3(config-route-map)#match tag 120
R3(config-route-map)#route-map EIGRP2RIP permit 20
R3(config-route-map)#set tag 200
R3(config-route-map)#route-map RIP2EIGRP deny 10
R3(config-route-map)#set tag 200 <- WRONG – SHOULD BE MATCH TAG 200
R3(config)#route-map RIP2EIGRP permit 20
R3(config-route-map)#set tag 120
R3(config-route-map)#

That looks about right, now to Redistribute them into each other:

R3(config-route-map)#router eigrp 100
R3(config-router)#redistribute rip ?
R3(config-router)#redistribute rip route-map RIP2EIGRP
R3(config-router)#router rip
R3(config-router)#redistribute eigrp 200 route-map EIGRP2RIP metric ?
  <0-16>       Default metric
  transparent  Transparently redistribute metric

R3(config-router)#redistribute eigrp 200 route-map EIGRP2RIP metric 2
R3(config-router)#

Aaaaaaaand, let there be light? :

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:38:12, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:41:14, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:38:22, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:41:14, FastEthernet0/1
R4#

Nope, still nothing, HOWEVER A QUICK SHOW RUN AND STARE DOWN OF R3 SAVES THE DAY!!! :

R3(config-router)#do sh run

(Output)
!
router eigrp 200
 redistribute ospf 1 route-map OSPF2EIGRP
 network 172.12.34.0 0.0.0.255
 default-metric 1544 10 255 1 1500
 no auto-summary
!
router eigrp 100
 redistribute rip route-map RIP2EIGRP
 auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 200 subnets route-map EIGRP2OSPF
 redistribute rip metric 2 subnets route-map RIP2OSPF
 redistribute eigrp 100
 network 3.3.3.3 0.0.0.0 area 0
 network 172.12.123.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute eigrp 200 metric 2 route-map EIGRP2RIP
 redistribute ospf 1 metric 2 route-map OSPF2RIP
 network 33.0.0.0
 network 172.12.0.0
 no auto-summary
!

Iiiiiii, need to correct this, and stop labbing for the night as my stupid mistakes are now running rampant on my network:

R3(config-router)#exit
R3(config)#no router eigrp 100
R3(config)#router eigrp 200
R3(config-router)#redistribute rip route-map RIP2EIGRP
R3(config-router)#

AND NOW LET’S SEE THAT NETWORK NUMBER 22.22.22.0 /24 ON R4!!! :

R4#sh ip route eigrp

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:47:01, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:50:03, FastEthernet0/1
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:47:11, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:50:03, FastEthernet0/1
R4#

It is still not there, so I highlighted the issue above in retrospect. The issue was found using the route-map command, in conjunction with looking at the route-maps on “sh run”, which makes them a bit easier to read for me without the extra output.

The answer to why R3 isn’t getting RIP routes

In my tired stupor, I did not closely review my route maps, or it would have been clear that I used “set” twice in RIP2EIGRP, meaning I put a “set” in each sequence, both where a tag should be matched to deny and where the RIP route tag number is set:

R3(config)#do sh route
route-map EIGRP2RIP, deny, sequence 10
  Match clauses:
    tag 120
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2RIP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, deny, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120

 

So I apply the fix and check on R4 with both fingers crossed:

R3(config)#no route-map RIP2EIGRP
R3(config)#route-map RIP2EIGRP deny 10
R3(config-route-map)#match tag 200
R3(config-route-map)#route-map RIP2EIGRP permit 20
R3(config-route-map)#set tag 120
R3(config-route-map)#
ASR#4
[Resuming connection 4 to r4 ... ]

R4#sh ip route

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D EX     1.1.1.1 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
D EX     2.2.2.2 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      3.0.0.0/32 is subnetted, 1 subnets
D EX     3.3.3.3 [170/1662976] via 172.12.34.3, 00:17:56, FastEthernet0/1
      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback4
      11.0.0.0/24 is subnetted, 1 subnets
D EX     11.11.11.0 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      22.0.0.0/24 is subnetted, 1 subnets
D EX     22.22.22.0 [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
      33.0.0.0/24 is subnetted, 1 subnets
D EX     33.33.33.0 [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
      100.0.0.0/13 is subnetted, 1 subnets
D EX     100.0.0.0 [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
D EX     172.12.15.0/24
           [170/1662976] via 172.12.34.3, 00:15:04, FastEthernet0/1
D EX     172.12.23.0/24
           [170/1662976] via 172.12.34.3, 00:00:09, FastEthernet0/1
C        172.12.34.0/24 is directly connected, FastEthernet0/1
L        172.12.34.4/32 is directly connected, FastEthernet0/1
D EX     172.12.123.0/24
           [170/1662976] via 172.12.34.3, 00:17:56, FastEthernet0/1
R4#

AND THERE ARE OUR RIP ROUTES, FINALLY, 3-WAY REDISTRIBUTION ON ONE ROUTER!!!
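A check for the mistake found above, as an added example that is not part of the original lab: it parses `show route-map` output, flags any `deny` sequence that has no match clause (it matches every route, so nothing reaches the later `permit`), and replays the redistribution decision for a given route tag. The `BROKEN` text is R3's output from this page; `FIXED` is constructed from the corrected config, and the function names are made up for this example.

```python
import re

# R3's "show route-map" output as captured on this page (broken RIP2EIGRP).
BROKEN = """\
route-map EIGRP2RIP, deny, sequence 10
  Match clauses:
    tag 120
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map EIGRP2RIP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, deny, sequence 10
  Match clauses:
  Set clauses:
    tag 200
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2EIGRP, permit, sequence 20
  Match clauses:
  Set clauses:
    tag 120
"""

# Constructed: the same output with sequence 10 corrected to "match tag 200".
FIXED = BROKEN.replace(
    "route-map RIP2EIGRP, deny, sequence 10\n  Match clauses:\n  Set clauses:\n    tag 200\n",
    "route-map RIP2EIGRP, deny, sequence 10\n  Match clauses:\n    tag 200\n  Set clauses:\n",
)

HEADER = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)$")


def parse_route_maps(text):
    """Return {name: [entry, ...]}, entries sorted by sequence number."""
    maps, entry, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entry = {"action": m.group(2), "seq": int(m.group(3)),
                     "match": [], "set": []}
            maps.setdefault(m.group(1), []).append(entry)
            section = None
        elif entry is None or not line:
            continue
        elif line == "Match clauses:":
            section = "match"
        elif line == "Set clauses:":
            section = "set"
        elif line.startswith("Policy routing matches"):
            section = None
        elif section:
            entry[section].append(line)
    for entries in maps.values():
        entries.sort(key=lambda e: e["seq"])
    return maps


def evaluate(entries, route_tag=0):
    """Redistribution verdict for a route carrying route_tag (0 = untagged).
    Only 'match tag' is modelled. The first matching sequence wins, and a
    sequence with no match clause matches every route."""
    for e in entries:
        wanted = [int(t) for c in e["match"] if c.startswith("tag ")
                  for t in c.split()[1:]]
        if e["match"] and route_tag not in wanted:
            continue  # this sequence does not match, try the next one
        if e["action"] == "deny":
            return ("deny", None)
        tag = route_tag
        for c in e["set"]:
            if c.startswith("tag "):
                tag = int(c.split()[1])
        return ("permit", tag)
    return ("deny", None)  # implicit deny at the end of every route-map


def lint(maps):
    """Flag deny sequences without a match clause: they drop every route,
    and their set clauses never apply."""
    return [(name, e["seq"]) for name, entries in maps.items()
            for e in entries if e["action"] == "deny" and not e["match"]]


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        maps = parse_route_maps(text)
        print(label, "lint findings:", lint(maps))
        for tag in (0, 200):
            print(f"  RIP2EIGRP, route tag {tag}:",
                  evaluate(maps["RIP2EIGRP"], tag))
```
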

Next lab I’ll look at sub-optimal routing all this redistribution may have caused, see if I can correct it with different mechanisms (Mainly Policy Routing), but for now that is all 🙂

Part 2: Deep Dive into EIGRP / OSPF / RIP Authentication, Route Summarization, OSPF troubleshooting to end lab!

labbers_delight_rev1

Tonight I had a whole agenda of tasks to configure as much as I could on this network, however I was only able to demonstrate authentication configuration for all 3 protocols thoroughly, create a Summary Route for R5, and troubleshoot an OSPF issue that was a bit tricky to catch but finally got it (which I added as its own section to demonstrate how I troubleshot the issue).

And with that let’s get rocking on some configurations. I will separate each topic before configuration with a header, and note that the topology now reflects loopbacks and may be revised as the lab moves forward to reflect changes made / configs added.

Prepare yourself for a lot of router output, with explanations tucked between the output, so without further ado:

Summary Route Configuration on R5

R5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#
R5(config)#interface Loopback101
R5(config-if)# ip address 100.1.0.1 255.255.0.0
R5(config-if)#!
R5(config-if)#interface Loopback102
R5(config-if)# ip address 100.2.0.1 255.255.0.0
R5(config-if)#!
R5(config-if)#interface Loopback103
R5(config-if)# ip address 100.3.0.1 255.255.0.0
R5(config-if)#!
R5(config-if)#interface Loopback104
R5(config-if)# ip address 100.4.0.1 255.255.0.0
R5(config-if)#!
R5(config-if)#interface Loopback105
R5(config-if)# ip address 100.5.0.1 255.255.0.0
R5(config-if)#!
R5(config-if)#interface Loopback106
R5(config-if)# ip address 100.6.0.1 255.255.0.0
R5(config-if)#!
R5(config-if)#interface Loopback107
R5(config-if)# ip address 100.7.0.1 255.255.0.0
R5(config-if)#!
R5(config-if)#
*Feb  2 05:20:35.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
*Feb  2 05:20:35.427: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback101, changed state to up
*Feb  2 05:20:35.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback102, changed state to up
*Feb  2 05:20:35.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback103, changed state to up
*Feb  2 05:20:35.711: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback104, changed state to up
*Feb  2 05:20:35.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback105, changed state to up
R5(config-if)#
*Feb  2 05:20:35.843: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback106, changed state to up
*Feb  2 05:20:35.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback107, changed state to up

As you can tell by the !’s I’ve pulled these summary addresses from prior configs and put them in a notepad file, along with the “network …” commands to make quick summary routes, work smart not hard 🙂

R5(config)#router eigrp 100
R5(config-router)#network 100.1.0.0 0.0.255.255
R5(config-router)#network 100.2.0.0 0.0.255.255
R5(config-router)#network 100.3.0.0 0.0.255.255
R5(config-router)#network 100.4.0.0 0.0.255.255
R5(config-router)#network 100.5.0.0 0.0.255.255
R5(config-router)#network 100.6.0.0 0.0.255.255
R5(config-router)#network 100.7.0.0 0.0.255.255
R5(config-router)#int fa0/1
R5(config-if)#ip summary-address eigrp 100 ?
  A.B.C.D  IP address

R5(config-if)#ip summary-address eigrp 100 100.0.0.0 ?
  A.B.C.D  IP network mask

R5(config-if)#ip summary-address eigrp 100 100.0.0.0 255.248.0.0
R5(config-if)#
*Feb  2 05:47:05.207: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.1 (FastEthernet0/1) is resync: summary configured
R5(config-if)#

Neighbor change message, do I detect a disturbance in the force?


R5(config-if)#do sh ip eigrp nei
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.12.15.1             Fa0/1             10 01:01:03    1   200  0  14
R5(config-if)#

Nope, we are good to go, and to confirm let’s check out R1’s EIGRP routes:

R1#sh ip route eigrp
     100.0.0.0/13 is subnetted, 1 subnets
D       100.0.0.0 [90/156160] via 172.12.15.5, 00:03:06, FastEthernet0/1
     5.0.0.0/32 is subnetted, 1 subnets
D       5.5.5.5 [90/156160] via 172.12.15.5, 01:02:36, FastEthernet0/1
R1#

Rock and Roll, Summary Route accomplished, onto setting authentication in each domain!

I will have to refer to my notes for this, unfortunately, at least for EIGRP. I will need to start configuring authentication in more labs, even if not needed, to get this down.

EIGRP Authentication for AS 100 and AS 200

EIGRP is set with a Key Chain config, then set on the interface with two commands as shown below.

R5(config)#key chain CCNP
R5(config-keychain)#key ?
  <0-2147483647>  Key identifier

R5(config-keychain)#key 1
R5(config-keychain-key)#?
Key-chain key configuration commands:
  accept-lifetime  Set accept lifetime of key
  default          Set a command to its defaults
  exit             Exit from key-chain key configuration mode
  key-string       Set key string
  no               Negate a command or set its defaults
  send-lifetime    Set send lifetime of key

R5(config-keychain-key)#key-string CISCO
R5(config-keychain-key)#int fa0/1
R5(config-if)#ip eigrp ?
% Unrecognized command
R5(config-if)#ip auth
R5(config-if)#ip authentication ?
  key-chain  key-chain
  mode       mode

R5(config-if)#ip authentication mode ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)

R5(config-if)#ip authentication mode eigrp ?
  <1-65535>  AS number

R5(config-if)#ip authentication mode eigrp 100 ?
  md5  Keyed message digest

R5(config-if)#ip authentication mode eigrp 100 md5 ?
  <cr>

R5(config-if)#ip authentication mode eigrp 100 md5
R5(config-if)#
*Feb  2 06:07:11.879: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.1 (FastEthernet0/1) is down: authentication mode changed
R5(config-if)#ip authentic
R5(config-if)#ip authentication key-chain ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)

R5(config-if)#ip authentication key-chain eigrp 100 CCNP
R5(config-if)#

Couple of things to note quick:

  • In global config the command syntax is “key chain” while on interface it’s “key-chain” in the commands
  • On the interface configs, the command defining the key-chain can be set without impacting the adjacency. However, once the command configuring authentication itself on the interface is entered, it will drop the adjacency if not configured on the other side, as can be seen in this snippet of output:

R5(config-if)#no ip authentication mode eigrp 100 md5
*Feb  2 06:11:56.323: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.1 (FastEthernet0/1) is up: new adjacency
R5(config-if)#no ip authentication key-chain eigrp 100 CCNP
R5(config-if)#ip authentication key-chain eigrp 100 CCNP
R5(config-if)#ip authentication mode eigrp 100 md5
R5(config-if)#
*Feb  2 06:12:36.791: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.12.15.1 (FastEthernet0/1) is down: authentication mode changed
R5(config-if)#

  • Also to note is that you use the key chain name, not the key name on interface config

And over on R1:

R1(config)#router eigrp 100
R1(config-router)#exit
R1(config)#key chain CCNP
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password

R1(config-keychain-key)#key-string CISCO
R1(config-keychain-key)#int fa0/1
R1(config-if)#ip authentication mode eigrp 100 md5
R1(config-if)#ip authentication key-chain eigrp 100 CCNP
R1(config-if)#
*Mar  1 18:33:43.996: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.12.15.5 (FastEthernet0/1) is up: new adjacency
R1(config-if)#

That was a struggle once again to remember those commands, I deleted a lot of ? output from R1, but got it Authenticated, now to slap that on R3 to R4 hopefully without the need of ?’s at all here:

R3(config)#key chain CCNP
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string CISCO
R3(config-keychain-key)#exit
R3(config-keychain)#int fa0/1
R3(config-if)#ip authen
R3(config-if)#ip authentication mode eigrp 200 md5
*Mar  2 01:38:07.304: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 200: Neighbor 172.12.34.4 (FastEthernet0/1) is down: authentication mode changed

R3(config-if)#ip authentication key-chain CCNP
                                          ^
% Invalid input detected at '^' marker.

R3(config-if)#ip authentication key-chain ?
  eigrp  Enhanced Interior Gateway Routing Protocol (EIGRP)

R3(config-if)#ip authentication key-chain eigrp 200 CCNP
R3(config-if)#

Almost had it! Now over to R4 to complete without any errors or ?’s:

R4(config)#key chain CCNP
R4(config-keychain)#key 1
R4(config-keychain-key)#key-string CISCO
R4(config-keychain-key)#int fa0/1
R4(config-if)#ip authentication mode eigrp 200 md5
R4(config-if)#ip authentication key-string eigrp 200 CCNP
                                    ^
% Invalid input detected at '^' marker.

R4(config-if)#ip authentication key-chain eigrp 200 CCNP
R4(config-if)#
*Feb  2 05:32:37.855: %DUAL-5-NBRCHANGE: EIGRP-IPv4 200: Neighbor 172.12.34.3 (FastEthernet0/1) is up: new adjacency
R4(config-if)#

As can be seen, really unneeded error to receive, I think my brain is already hitting exhaustion as I started later in the night today (almost midnight), so time to boogie.

EIGRP Autonomous System Authentication Completed! Onto OSPF!

 

OSPF Authentication for Area 0

 

So here is a big mess of output to explain:

R1(config-router)#area 0 ?
  authentication  Enable authentication
  default-cost    Set the summary default-cost of a NSSA/stub area
  filter-list     Filter networks between OSPF areas
  nssa            Specify a NSSA area
  range           Summarize routes matching address/mask (border routers only)
  sham-link       Define a sham link and its parameters
  stub            Specify a stub area
  virtual-link    Define a virtual link and its parameters

R1(config-router)#area 0 authentication ?
  message-digest  Use message-digest authentication
  <cr>

R1(config-router)#area 0 authentication messa
R1(config-router)#area 0 authentication message-digest ?

  <cr>

R1(config-router)#area 0 authentication message-digest
R1(config-router)#int s0/0
R1(config-if)#ip ospf authent
R1(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>

R1(config-if)#ip ospf authentication message-dig
R1(config-if)#ip ospf authentication message-digest ?

  <cr>

R1(config-if)#ip ospf ?
  <1-65535>            Process ID
  authentication       Enable authentication
  authentication-key   Authentication password (key)
  bfd                  Enable BFD on this interface
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  lls                  Link-local Signaling (LLS) support
  message-digest-key   Message digest authentication password (key)
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  resync-timeout       Interval after which adjacency is reset if oob-resync is
                       not started
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  transmit-delay       Link state transmit delay

R1(config-if)#ip ospf
*Mar  1 18:57:13.326: %OSPF-5-ADJCHG: Process 1, Nbr 22.22.22.2 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#ip ospf
*Mar  1 18:57:18.695: %OSPF-5-ADJCHG: Process 1, Nbr 33.33.33.3 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#ip ospf messag
R1(config-if)#ip ospf message-digest-key ?
  <1-255>  Key ID

R1(config-if)#ip ospf message-digest-key 1 ?
  md5  Use MD5 algorithm

R1(config-if)#ip ospf message-digest-key 1 md5 ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 16 characters)

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP ?
  LINE    <cr>

R1(config-if)#ip ospf message-digest-key 1 md5 CCNP
R1(config-if)#

Do the commands highlighted in red on the interface and in router configuration to “set” authentication look familiar? That’s because they are, it can either be “set” in router config or on the interface, however the actual Key name must be on the interface as can eventually be seen there.

I’m going to set R2 and R3 with the “set” portion on the serial interface instead of in router config and see if the adjacency comes back up:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s0/0
R2(config-if)#ip ospf authentican ?
% Unrecognized command
R2(config-if)#ip ospf au
R2(config-if)#ip ospf authentication ?
  message-digest  Use message-digest authentication
  null            Use no authentication
  <cr>

R2(config-if)#ip ospf authentication mess
R2(config-if)#ip ospf authentication message-digest ?
  <cr>

R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf mess
R2(config-if)#ip ospf message-digest-key ?
  <1-255>  Key ID

R2(config-if)#ip ospf message-digest-key 1 ?
  md5  Use MD5 algorithm

R2(config-if)#ip ospf message-digest-key 1 md5 ?
  <0-7>  Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE   The OSPF password (key) (maximum 16 characters)

R2(config-if)#ip ospf message-digest-key 1 md5 CCNP
R2(config-if)#
*Mar  1 17:22:31.104: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.1 on Serial0/0 from LOADING to FULL, Loading Done

R2(config-if)#

  • So no matter where Authentication is set, as long as it’s on the proper interface it will work with another neighbor that has it configured in the router config

Will slap an all interface configuration on R3, and we are done with that unless there are any issues:

R3(config-if)#int s0/2
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf mess
R3(config-if)#ip ospf message-digest-key 1 md5 CCNP
R3(config-if)#
*Mar  2 01:59:41.266: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.1 on Serial0/2 from LOADING to FULL, Loading Done
R3(config-if)#
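What `ip ospf authentication message-digest` and `ip ospf message-digest-key 1 md5 CCNP` do to each packet, as an added example that is not part of the original lab: RFC 2328 cryptographic authentication (AuType 2) in Python, showing why a neighbor with the wrong key, an unknown key ID or an older sequence number is ignored, which is what lets the dead timer expire on a half-configured link. Key `CCNP` and key ID 1 are the values configured above, and the sequence number and 48-byte length come from the debug output later in this lab; the function names and the zero-filled hello body are assumptions for the example.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 header (RFC 2328 A.3.1) with the 8-byte authentication field laid
# out for AuType 2 (D.3): 0, Key ID, Auth Data Len, Cryptographic seq number.
HEADER_FMT = "!BBH4s4sHHHBBI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
AUTYPE_CRYPTO = 2                          # "aut:2" in debug ip ospf packet
DIGEST_LEN = 16                            # MD5 output size


def pad_key(key):
    """The configured key, zero-padded to 16 bytes (the CLI limit above)."""
    raw = key.encode("ascii")
    if not 1 <= len(raw) <= 16:
        raise ValueError("OSPF MD5 key must be 1-16 characters")
    return raw.ljust(16, b"\x00")


def build_packet(ptype, router_id, area_id, body, key, key_id, seq):
    """Header + body + MD5(header + body + padded key).
    The header checksum stays 0 ("chk:0") and the packet length field does
    not count the appended digest."""
    header = struct.pack(
        HEADER_FMT, 2, ptype, HEADER_LEN + len(body),
        socket.inet_aton(router_id), socket.inet_aton(area_id),
        0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    digest = hashlib.md5(header + body + pad_key(key)).digest()
    return header + body + digest


def verify_packet(packet, keys, last_seq=0):
    """Receiver-side checks in RFC 2328 D.5.3 order.
    keys maps key ID -> key string; last_seq is the highest sequence number
    already accepted from this neighbor."""
    if len(packet) < HEADER_LEN:
        return "reject: truncated"
    (_ver, _ptype, length, _rid, _aid, _chk, autype, _zero,
     key_id, auth_len, seq) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return "reject: not MD5 authentication"
    if length < HEADER_LEN or len(packet) != length + DIGEST_LEN:
        return "reject: bad length"
    if key_id not in keys:
        return "reject: unknown key id"
    if seq < last_seq:          # an equal sequence number is still accepted
        return "reject: replayed sequence number"
    expected = hashlib.md5(packet[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return "reject: digest mismatch"
    return "accept"


# Constructed sample: a type 1 (hello) packet from router ID 22.22.22.2 in
# area 0. The 24 body bytes are zero filler, not a real hello; they make the
# length 48 to match "l:48" in the debug output.
HELLO = build_packet(1, "22.22.22.2", "0.0.0.0", bytes(24),
                     "CCNP", 1, 0x3C7FC8A0)

if __name__ == "__main__":
    print("same key        :", verify_packet(HELLO, {1: "CCNP"}))
    print("different key   :", verify_packet(HELLO, {1: "CISCO"}))
    print("key id mismatch :", verify_packet(HELLO, {2: "CCNP"}))
    print("older seq number:",
          verify_packet(HELLO, {1: "CCNP"}, last_seq=0x3C7FC8A1))
```
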

Done deal. Now onto RIP Authentication, though it’s been so long I don’t even remember if it has an authentication to set.

 

RIP Authentication… maybe?

 

A quick Google search and good old Cisco documentation shows RIP authentication to be the same as EIGRP, with a key chain, and directly on the interface.

So for this I already have a key chain CCNP for EIGRP on R3, so I am going to try to use that same key chain and just apply it on the interface, though I will of course have to configure the key chain on R2 so I will actually start there:

R2(config)#router rip
R2(config-router)#exit
R2(config)#key chain CCNP
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CISCO
R2(config-keychain-key)#int fa0/1
R2(config-if)#ip rip ?
  advertise       Specify update interval
  authentication  Authentication control
  receive         advertisement reception
  send            advertisement transmission
  v2-broadcast    send ip broadcast v2 update

R2(config-if)#ip rip authe
R2(config-if)#ip rip authentication ?
  key-chain  Authentication key-chain
  mode       Authentication mode

R2(config-if)#ip rip authentication mode ?
  md5   Keyed message digest
  text  Clear text authentication

R2(config-if)#ip rip authentication mode md5 ?
  <cr>

R2(config-if)#ip rip authentication mode md5 <- Look familiar?

R2(config-if)#ip rip authentication key-chain ?
  LINE  name of key-chain

R2(config-if)#ip rip authentication key-chain CCNP ?
  LINE    <cr>

R2(config-if)#ip rip authentication key-chain CCNP <- Slight difference from EIGRP

R2(config-if)#

Just a very slight difference in the syntax, in that the command starts off with the protocol name instead of almost ending with it, so let’s see if we can re-use R3’s key chain. But one thing to note:

R3(config)#do sh ip route rip
     22.0.0.0/24 is subnetted, 1 subnets
R       22.22.22.0 [120/1] via 172.12.23.2, 00:00:11, FastEthernet0/0
R3(config)#do sh ip route rip
     22.0.0.0/24 is subnetted, 1 subnets
R       22.22.22.0 [120/1] via 172.12.23.2, 00:00:15, FastEthernet0/0
R3(config)#do sh ip route rip
     22.0.0.0/24 is subnetted, 1 subnets
R       22.22.22.0 [120/1] via 172.12.23.2, 00:00:24, FastEthernet0/0
R3(config)#do sh ip route rip
     22.0.0.0/24 is subnetted, 1 subnets
R       22.22.22.0 [120/1] via 172.12.23.2, 00:00:26, FastEthernet0/0
R3(config)#do sh ip route rip
     22.0.0.0/24 is subnetted, 1 subnets
R       22.22.22.0 [120/1] via 172.12.23.2, 00:00:01, FastEthernet0/0
R3(config)#

As can be seen there is no adjacency or neighbor relationship to lose, it only cares about Hellos and hop counts, so I am wondering what exactly the authentication is even for. However, I am too tired to care to be honest; I just wanted to point out that the remote router, with no interface config yet for Authentication, is still getting RIP route updates.

Now to config int Fa0/1 on R3 for RIP Authentication with a shared EIGRP authentication key:

R3(config-if)#no ip rip authentication key-chain CCNP
R3(config-if)#do ping 2.2.2.2 (<- Ooops, in OSPF domain)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
..... (<- ... What??)
Success rate is 0 percent (0/5)
R3(config-if)#do sh ip route rip

     22.0.0.0/24 is subnetted, 1 subnets
R       22.22.22.0 [120/1] via 172.12.23.2, 00:00:01, FastEthernet0/0

R3(config-if)#do ping 22.22.22.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3(config-if)#

So as can be seen I found out 2 things:

  • RIPv2 Authentication appears to be worthless, as I can still ping R3’s loopback IP 22.22.22.2 from R3 and continue to get Hellos and Routing updates
  • That for some reason when I accidentally pinged 2.2.2.2 thinking it was in the RIP domain, I got no response, so what is going on there

So I am calling this the end of Authentication, for all domains are now authenticating (I put the config back on R3’s RIP interface just because, I guess), but now I have an OSPF route propagation issue to look at, and I just love these end of lab issues when I am fried 🙂

 

Troubleshooting what happened to R2 broadcasting 2.2.2.2 via OSPF

 

As mentioned, I did a quick verification and R2 has no route to it, so I went over to R2 to confirm it has the network in its OSPF config:

R2(config-if)#
R2(config-if)#do sho ip proto
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 22.22.22.2
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    2.2.2.2 0.0.0.0 area 0
    172.12.123.0 0.0.0.255 area 0 (<- Confirmation of correct NBMA network)
 Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
    11.11.11.1           110      00:49:52
    33.33.33.3           110      00:49:52
  Distance: (default is 110)
R2(config-if)#do sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
11.11.11.1        1   FULL/DR         00:01:53    172.12.123.1    Serial0/0

R2(config-if)#

Being that both of those two highlighted parts are in the config / output, I am betting the house the lo2 is network 2.2.2.0 /24 :

R2(config-if)#do sh int lo2
Loopback2 is up, line protocol is up
  Hardware is Loopback
  Internet address is 2.2.2.2/32

Well what the fudge, this is the end of lab / night stuff that just kills my brain, cause I cannot stop until I find out what the deal is. So I look at R2’s route table, and look at it in all its majesty:

R2(config-if)#do sh ip route

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback2
     33.0.0.0/24 is subnetted, 1 subnets
R       33.33.33.0 [120/1] via 172.12.23.3, 00:00:03, FastEthernet0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.23.3, 00:00:03, FastEthernet0/0
C       172.12.23.0 is directly connected, FastEthernet0/0
C       172.12.123.0 is directly connected, Serial0/0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
R2(config-if)#

Not a single OSPF route, even though it is neighbors with the hub, and the hub is getting the loopback route from R3 via OSPF:

R1(config-if)#do show ip route ospf
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:58:54, Serial0/0
R1(config-if)#

And in R1’s running config the neighbor statement is verified there:

router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 1.1.1.1 0.0.0.0 area 0
 network 172.12.123.0 0.0.0.255 area 0
 neighbor 172.12.123.2
 neighbor 172.12.123.3

So all that’s left in my mind is “debug ip ospf pack” and hope to catch it in there. Let’s see if any output smokes out this weasel so I can call it a night with a clear conscience:

R1#debug ip ospf pack
OSPF packet debugging is on
R1#
*Mar  1 20:17:13.495: OSPF: rcv. v:2 t:1 l:48 rid:22.22.22.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7FC8A0 from Serial0/0
*Mar  1 20:17:13.515: OSPF: rcv. v:2 t:1 l:48 rid:22.22.22.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7FC8A0 from Serial0/0
R1#
*Mar  1 20:17:18.839: OSPF: rcv. v:2 t:1 l:48 rid:33.33.33.3
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C8040C7 from Serial0/0
R1#
*Mar  1 20:17:33.856: OSPF: rcv. v:2 t:4 l:76 rid:33.33.33.3
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C8040D6 from Serial0/0
*Mar  1 20:17:33.888: OSPF: rcv. v:2 t:4 l:60 rid:33.33.33.3
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C8040D6 from Serial0/0
R1#
*Mar  1 20:17:41.288: OSPF: rcv. v:2 t:5 l:64 rid:22.22.22.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7FC8BB from Serial0/0
R1#
*Mar  1 20:17:43.496: OSPF: rcv. v:2 t:1 l:48 rid:22.22.22.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7FC8BE from Serial0/0
*Mar  1 20:17:43.516: OSPF: rcv. v:2 t:1 l:48 rid:22.22.22.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7FC8BE from Serial0/0
R1#
*Mar  1 20:17:48.841: OSPF: rcv. v:2 t:1 l:48 rid:33.33.33.3
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C8040E4 from Serial0/0

Absolutely nothing, so I am going to hammer out a clear ip ospf proc on R1 and R2 to see what happens, and sure enough it did nothing, but in looking at the peers after doing it I found a hintiditty hint hint:

R1#show ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
22.22.22.2        0   FULL/DROTHER    00:01:54    172.12.123.2    Serial0/0
33.33.33.3        1   FULL/DR         00:01:29    172.12.123.3    Serial0/0 (<- No Bueno)

So I actually made sure R2 had “ip ospf pri 0” on its interface before the clear ip ospf proc, but this proves that there was an issue there, as R3 should never become DR if it has that configured. So I am not sure if I was just dead tired (like now) and forgot to add it, it didn’t save, or what happened, so I made sure both spokes are now rocking the config on their serial interface and “clear ip ospf proc”s all around.

Now let’s see if that finally resolved this issue, please oh please let this be done:

R1#show ip route ospf
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 172.12.123.2, 00:01:35, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 172.12.123.3, 00:01:35, Serial0/0
R1#

Yes!!!!!! I won even in my deliriously tired state!!! This is how troubleshooting is done my friends, keep looking at it from the different angles, and if you know what to look for you will eventually find it 🙂

Okay, it is 1:30am, I am going to call it for tonight and wr mem across the board on the routers.
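The `debug ip ospf pack` records earlier in this post pack the OSPF header into short tags (`t:` packet type, `aut:` authentication type, `keyid:` key ID). The following is an added example, not part of the original post, that decodes those records and lists senders not using the expected authentication; the function names, the third sample record and the expected values (type 2, key 1) are assumptions for illustration.

```python
import re

PACKET_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}   # RFC 2328
AUTH_TYPES = {0: "null", 1: "simple password", 2: "message-digest"}

# First two records are copied from the debug output in this post; the third
# (rid 44.44.44.4, aut:0) is constructed to show an unauthenticated sender.
SAMPLE = """\
*Mar  1 20:17:13.495: OSPF: rcv. v:2 t:1 l:48 rid:22.22.22.2
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C7FC8A0 from Serial0/0
*Mar  1 20:17:33.856: OSPF: rcv. v:2 t:4 l:76 rid:33.33.33.3
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x3C8040D6 from Serial0/0
*Mar  1 20:17:50.000: OSPF: rcv. v:2 t:1 l:44 rid:44.44.44.4
      aid:0.0.0.0 chk:E1F3 aut:0 auk: from Serial0/0
"""

RECORD = re.compile(r"OSPF: rcv\.(.*?)from (\S+)", re.S)  # header + continuation line
FIELD = re.compile(r"([a-z]+):(\S*)")                      # key:value tokens

def parse_debug(text):
    """Decode each received-packet record into a dict of named fields."""
    packets = []
    for body, iface in RECORD.findall(text):
        f = dict(FIELD.findall(body))
        packets.append({
            "rid": f["rid"], "area": f["aid"], "iface": iface,
            "type": PACKET_TYPES.get(int(f["t"]), "unknown"),
            "auth": int(f["aut"]),
            "keyid": int(f["keyid"]) if f.get("keyid") else None,
            "seq": f.get("seq"),
        })
    return packets

def auth_violations(packets, required_auth=2, required_keyid=1):
    """Map router ID -> auth type seen, for senders not using the expected
    auth type and key id (defaults assumed from the output in this post)."""
    bad = {}
    for p in packets:
        if p["auth"] != required_auth or p["keyid"] != required_keyid:
            bad[p["rid"]] = AUTH_TYPES.get(p["auth"], "unknown")
    return bad

if __name__ == "__main__":
    pkts = parse_debug(SAMPLE)
    for p in pkts:
        print(p["rid"], p["type"], AUTH_TYPES.get(p["auth"]), "key", p["keyid"])
    print("violations:", auth_violations(pkts))
```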

 

Part 1: Setting up the new, bigger, and better lab to configure everything we’ve learned up to this point!

 

labbers_delight

As previously mentioned I believe, this will be a multi-part lab in which I will configure “Multi-Point” 2-way Redistribution / Policy-Routing / Distribute-Lists / Route-Maps / and troubleshooting all along the way.

Here are a few things I know I want to achieve over the several parts of this lab:

  • Authentication deep dive for all 3 protocols in Topology
  • DEEP Dive look at Redistribution with Route-Map tagging and Distribute-Lists
  • Policy Routing and Local Policy Routing configuration
  • 3-way Redistribution on R3 if possible, things might get crazy
  • Deep Dive into Policy Routing capabilities, applying around the network
  • Random other topics as I can think of them

I will be working as much with route-maps as possible, as they really are a huge chunk of all of those topics, so I believe those are critical to understand inside out. I have done a “wr er” and “reload” on all routers, and am going to configure the core network in the Topology, but I may review some of my previous posts to get my brain tuned up to lab until my brain melts out of my skull.

That being said I will just configure it for tonight, and add to it slowly while I am fresh, I don’t want to do anything while I am in zombie mode (like now) after a long work day.

So this will all be review, and as I said, saturate this network completely with all the concepts I have posted about and troubleshoot issues as needed.

I am going to whip up this Topology now, and we will get this party started on my next post, see you there 🙂

Part 3: Finally got Route-Maps for Redistribution working correctly, important notes within on how!

single-point_2way_redist_3routers_new

Boy do I feel stupid. After spending hours of scratching my head at why this is not working yet, as OSPF seems to be getting tags but RIP is not, that is when I really put my work under a microscope and found that I was applying OSPF2RIP in OSPF router config and the other way around (I think). I have no other way to logically explain why they are working today, as they actually didn’t work earlier as well after “wr er” / “reload” / reconfigure.

So I stripped all redistribution off, deleted the route-maps, and started from square 1, again. Then when I was struggling to remember which way it went with applying what route-map to which protocol, I might have been on auto-pilot last night and completely overlooked that as the issue!

So here is how I applied a fix for that:

R3(config-router)#router ospf 1
R3(config-router)#redistribute rip subnets route-map RIP2OSPF
R3(config-router)#router rip

R3(config-router)#redistribute ospf 1 route-map OSPF2RIP metric 2
R3(config-router)#do sh route-map
route-map OSPF2RIP, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 10
  Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, permit, sequence 10
  Match clauses:
  Set clauses:
    tag 20
  Policy routing matches: 0 packets, 0 bytes

And this is where I was able to verify and FINALLY see the results I was looking for(!!!):

R3(config-router)#
ASR#3
[Resuming connection 3 to r4 … ]

R4#show ip route ospf

Gateway of last resort is not set

      5.0.0.0/24 is subnetted, 1 subnets
O E2     5.5.5.0 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
      172.12.0.0/16 is variably subnetted, 4 subnets, 2 masks
O E2     172.12.15.0/24 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
O E2     172.12.123.0/24 [110/20] via 172.12.34.3, 00:02:47, FastEthernet0/1
R4#show ip route 5.5.5.5
Routing entry for 5.5.5.0/24
  Known via "ospf 1", distance 110, metric 20
  Tag 20, type extern 2, forward metric 1
  Last update from 172.12.34.3 on FastEthernet0/1, 00:02:05 ago
  Routing Descriptor Blocks:
  * 172.12.34.3, from 3.3.3.3, 00:02:05 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1
      Route tag 20

ASR#1
[Resuming connection 1 to r1 … ]

R1#show ip route rip
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:00, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:00, Serial0/0
R1#show route 4.4.4.4
route-map 4.4.4.4 not found
R1#show ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "rip", distance 120, metric 2
  Tag 10
  Redistributing via rip
  Last update from 172.12.123.3 on Serial0/0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 172.12.123.3, from 172.12.123.3, 00:00:16 ago, via Serial0/0
      Route metric is 2, traffic share count is 1
      Route tag 10

R1#

OSPF is showing up as tag 10 on the RIP side, and RIP routes as tagged 20 on the OSPF side. Now I am going to try redistributing connected routes with these same route-maps and see if that breaks anything, and if not we will cap it off by adding some deny statements in our route-maps:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router rip
R3(config-router)#redistribute connected route-map OSPF2RIP metric 3
R3(config-router)#router ospf 1
R3(config-router)#redistribute connected subnets route-map RIP2OSPF
R3(config-router)#

And now to pray I have some routes on R1:

R1#sh ip route rip
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/3] via 172.12.123.3, 00:00:22, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:22, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:22, Serial0/0
R1#

This is a sweet roll to be on, where was this last night! I think it was both that I was getting the route-map names mixed up, and I was relying too much on how it was worded rather than what actions were happening. It took a mix of “show ip proto” / “sh route-map” / “sh run” (which I wouldn’t count on for exam day) to read the route-maps and how they will impact each other, as explained below.

I will now attempt to do one more thing: add denies into the route-maps, which is really the core of this lesson, using tags to stop route leaks or route loops from forming. Both route-maps have a “permit 10” sequence #, with a “set tag 10/20” to define ‘let all the traffic through but apply this tag to it’.

However, the trick to this is placing the deny sequence # lower than the permit / set tag sequence for it to filter traffic; otherwise a route will just hit the ‘let everything through with a tag’ clause and never reach the deny clause. This is why you want to plan for both current and future growth of sequences. So I will make these both sequence 5, so I have 1-4 and 6-9 to add additional clauses as needed.

**REMEMBER YOU WANT TO WRITE ‘PERMIT’ SEQUENCES TO ‘SET’ A TAG FOR ROUTES, AND WRITE ‘DENY’ SEQUENCES TO ‘MATCH’ THE TAG # TO BE FILTERED!!**

Now that I am done yelling at myself, let’s get back to configuring:

R3(config-router)#exit
R3(config)#route-map OSPF2RIP deny 5
R3(config-route-map)#match tag 10
% "OSPF2RIP" used as redistribute connected into rip route-map, tag match not supported
R3(config-route-map)#route-map RIP2OSPF deny 5
R3(config-route-map)#match tag 20
% "RIP2OSPF" used as redistribute connected into ospf route-map, tag match not supported

As you can see by the complaints we got from the console about connected routes, they are already active, and as soon as I hit enter to “match” the tag # on the route-map’s deny list, it kicked out the message about connected routes not supporting tag matching.

So let’s once more see if R1 survived this change:

R1#show ip route rip
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/2] via 172.12.123.3, 00:00:14, Serial0/0
     172.12.0.0/24 is subnetted, 3 subnets
R       172.12.34.0 [120/1] via 172.12.123.3, 00:00:15, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
R       40.40.40.1 [120/2] via 172.12.123.3, 00:00:15, Serial0/0
     44.0.0.0/32 is subnetted, 1 subnets
R       44.44.44.1 [120/2] via 172.12.123.3, 00:00:15, Serial0/0

Amazing, well that is going to do it for me today, that was relatively easy, just be sure to watch how you are applying those route-maps, AND NAME THEM AS INTUITIVELY AS POSSIBLE to not make the mistakes I did.
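The sequence-ordering rule above can be checked with a small model of route-map evaluation (lowest sequence first, first match wins, implicit deny at the end). This is an added example, not part of the original post; it goes beyond the single-router lab by assuming a second redistribution point that sees a RIP-origin route in OSPF carrying tag 20, and the `Route` / `Clause` classes and the three clause lists are hypothetical names for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    tag: int = 0                       # 0 means untagged

@dataclass(frozen=True)
class Clause:
    seq: int
    action: str                        # "permit" or "deny"
    match_tag: Optional[int] = None    # None: no match clause, so every route matches
    set_tag: Optional[int] = None

def apply_route_map(clauses, route):
    """Return the route as redistributed, or None when it is filtered."""
    for c in sorted(clauses, key=lambda c: c.seq):      # lowest sequence first
        if c.match_tag is not None and c.match_tag != route.tag:
            continue                                     # no match, try next clause
        if c.action == "deny":
            return None                                  # first match wins: filtered
        return route if c.set_tag is None else replace(route, tag=c.set_tag)
    return None                                          # implicit deny at the end

def redistribute(clauses, routes):
    out = (apply_route_map(clauses, r) for r in routes)
    return [r for r in out if r is not None]

# Constructed OSPF table as a second redistribution point would see it:
# 5.5.5.0/24 came from RIP (tag 20 set by RIP2OSPF), 4.4.4.4/32 is native OSPF.
OSPF_TABLE = [Route("5.5.5.0/24", 20), Route("4.4.4.4/32")]

# deny 5 sits below permit 10 and matches the tag the opposite direction sets
OSPF2RIP_FILTERING = [Clause(5, "deny", match_tag=20), Clause(10, "permit", set_tag=10)]
# same deny numbered above the catch-all permit: never reached
OSPF2RIP_TOO_LATE = [Clause(10, "permit", set_tag=10), Clause(15, "deny", match_tag=20)]
# deny matches the tag this map itself sets, as in the R3 running-config on this page
OSPF2RIP_OWN_TAG = [Clause(5, "deny", match_tag=10), Clause(10, "permit", set_tag=10)]

def prefixes(clauses):
    return [(r.prefix, r.tag) for r in redistribute(clauses, OSPF_TABLE)]

if __name__ == "__main__":
    for name in ("OSPF2RIP_FILTERING", "OSPF2RIP_TOO_LATE", "OSPF2RIP_OWN_TAG"):
        print(f"{name:20} -> {prefixes(globals()[name])}")
```

Only the first map keeps the RIP-origin prefix from being handed back to RIP; in the other two it passes and is re-tagged 10, which matters once there is more than one redistribution point.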

For review of how it should look on the ASBR, I’m going to paste the running configuration below for future reference, and that is it for tonight and then onto PBR lessons:

R3#sh run
Building configuration…

Current configuration : 1588 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.iVA$HbHo0g/PqIytO6Yf5XLAm1
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T1 0/0
 framing sf
 linecode ami
!
controller T1 0/1
 framing sf
 linecode ami
!
!
!
!
!
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.12.34.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/2
 ip address 172.12.123.3 255.255.255.0
 no fair-queue
!
interface Serial0/3
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map RIP2OSPF
 redistribute rip subnets route-map RIP2OSPF
 network 172.12.34.0 0.0.0.255 area 0
!
router rip
 version 2
 redistribute connected metric 3 route-map OSPF2RIP
 redistribute ospf 1 metric 2 route-map OSPF2RIP
 network 172.12.0.0
 no auto-summary
!
!
!
ip http server
no ip http secure-server
!
!
!
!
route-map OSPF2RIP deny 5
 match tag 10
!
route-map OSPF2RIP permit 10
 set tag 10
!
route-map RIP2OSPF deny 5
 match tag 20
!
route-map RIP2OSPF permit 10
 set tag 20
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password CCNP
 logging synchronous
 login
!
!
end

R3#