Cisco MPLS Configuration Lab

  • VRF 1 = Client1: two routers at two locations, 192.168.1.0/24 and 192.168.2.0/24.
  • VRF 2 = Client2: two routers at two locations, 172.16.1.0/24 and 172.16.2.0/24.
  • Two PE routers, PE1 and PE2, connected over the 10.0.0.0/24 network. PE1 has a loopback of 1.1.1.1 and PE2 has 2.2.2.2. This provider core could easily be grown in size and number of devices. Most labs run OSPF or EIGRP in the provider core (here a pair of static routes to the loopbacks stands in for the IGP) with an MP-BGP VPNv4 session between the PE loopbacks carrying the customer routes. Each customer's VRF is kept separate by its route distinguisher and route-targets, which is what lets the two clients use overlapping address space without seeing each other's routes.

C-1-1 Configuration

hostname C-1-1
 !
 interface Loopback0
  ip address 11.11.11.11 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip address 192.168.1.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
  router-id 11.11.11.11

C-1-2 Configuration

 hostname C-1-2
 !
 interface Loopback0
  ip address 12.12.12.12 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip address 192.168.2.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
  router-id 12.12.12.12
 !

C-2-1 Configuration

hostname C-2-1
 !
 interface Loopback0
  ip address 21.21.21.21 255.255.255.255
 !
 interface GigabitEthernet0/1
  ip address 172.16.1.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
  router-id 21.21.21.21
 !

C-2-2 Configuration

hostname C-2-2
 !
 interface Loopback0
  ip address 22.22.22.22 255.255.255.255
 !
 interface GigabitEthernet0/1
  ip address 172.16.2.2 255.255.255.0
  ip ospf 2 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 2
  router-id 22.22.22.22
 !

PE1

hostname PE1
 !
 ip vrf Client1
  rd 65000:1
  route-target export 65000:1
  route-target import 65000:1
 !
 ip vrf Client2
  rd 65000:2
  route-target export 65000:2
  route-target import 65000:2
 !
 interface Loopback0
  ip address 1.1.1.1 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip vrf forwarding Client1
  ip address 192.168.1.1 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  ip vrf forwarding Client2
  ip address 172.16.1.1 255.255.255.0
  ip ospf 2 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 10.0.0.1 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
  mpls ip
 !
 router ospf 1 vrf Client1
  router-id 192.168.1.1
  redistribute bgp 65000 subnets
 !
 router ospf 2 vrf Client2
  router-id 172.16.1.1
  redistribute bgp 65000 subnets
 !
 router bgp 65000
  bgp router-id 1.1.1.1
  bgp log-neighbor-changes
  neighbor 2.2.2.2 remote-as 65000
  neighbor 2.2.2.2 update-source Loopback0
  !
  address-family ipv4
   neighbor 2.2.2.2 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 2.2.2.2 activate
   neighbor 2.2.2.2 send-community extended
  exit-address-family
  !
  address-family ipv4 vrf Client1
   redistribute ospf 1
  exit-address-family
  !
  address-family ipv4 vrf Client2
   redistribute ospf 2
  exit-address-family
 !
 ip route 2.2.2.2 255.255.255.255 10.0.0.2

PE2 Configuration

hostname PE2
 !
 ip vrf Client1
  rd 65000:1
  route-target export 65000:1
  route-target import 65000:1
 !
 ip vrf Client2
  rd 65000:2
  route-target export 65000:2
  route-target import 65000:2
 !
 interface Loopback0
  ip address 2.2.2.2 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip vrf forwarding Client1
  ip address 192.168.2.1 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  ip vrf forwarding Client2
  ip address 172.16.2.1 255.255.255.0
  ip ospf 2 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 10.0.0.2 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
  mpls ip
 !
 router ospf 1 vrf Client1
  router-id 192.168.2.1
  redistribute bgp 65000 subnets
 !
 router ospf 2 vrf Client2
  router-id 172.16.2.1
  redistribute bgp 65000 subnets
 !
 router bgp 65000
  bgp router-id 2.2.2.2
  bgp log-neighbor-changes
  neighbor 1.1.1.1 remote-as 65000
  neighbor 1.1.1.1 update-source Loopback0
  !
  address-family ipv4
   neighbor 1.1.1.1 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 1.1.1.1 activate
   neighbor 1.1.1.1 send-community extended
  exit-address-family
  !
  address-family ipv4 vrf Client1
   redistribute ospf 1
  exit-address-family
  !
  address-family ipv4 vrf Client2
   redistribute ospf 2
  exit-address-family
 !
 ip route 1.1.1.1 255.255.255.255 10.0.0.1
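The isolation between Client1 and Client2 rests entirely on the route-target values in the two `ip vrf` stanzas matching across PE1 and PE2 and not overlapping between customers. The check below is an added example, not code from the original page: it parses IOS `ip vrf` stanzas and flags a VRF whose route-targets differ between PEs, and a VRF that imports a route-target another VRF exports (which leaks one customer's routes into the other's table). `PE_OK` reproduces the intended Client1/Client2 definitions; `PE1_LEAKY` is a constructed variant in which Client2 on PE1 was given Client1's route-target.

```python
"""Route-target consistency check across L3VPN PE configs (added example)."""
import re
from collections import defaultdict

# Constructed inputs. PE_OK matches the intended PE1/PE2 VRF definitions;
# PE1_LEAKY is a variant where Client2 mistakenly carries Client1's route-target.
PE_OK = """\
ip vrf Client1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf Client2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
"""
PE1_LEAKY = """\
ip vrf Client1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf Client2
 rd 65000:2
 route-target export 65000:1
 route-target import 65000:1
!
"""


def parse_vrfs(config):
    """Return {vrf: {'rd': str|None, 'import': set, 'export': set}} from 'ip vrf' stanzas."""
    vrfs, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip vrf (?!forwarding\b)(\S+)", line)   # stanza header, not an interface command
        if m:
            cur = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if cur is None:
            continue
        words = line.split()
        if not words or words[0] == "!":
            cur = None                                        # end of stanza
        elif words[0] == "rd":
            cur["rd"] = words[1]
        elif words[0] == "route-target":                      # route-target export|import|both <asn:nn>
            direction, rt = words[1], words[2]
            for d in (("import", "export") if direction == "both" else (direction,)):
                cur[d].add(rt)
    return vrfs


def check_rts(configs):
    """configs: {pe_name: running_config_text}. Returns a sorted list of findings."""
    per_pe = {pe: parse_vrfs(cfg) for pe, cfg in configs.items()}
    findings = set()

    # 1. A VRF name must mean the same import/export RTs on every PE that defines it,
    #    otherwise that customer's routes silently fail to import at one site.
    names = {n for vrfs in per_pe.values() for n in vrfs}
    for name in names:
        variants = {(frozenset(v[name]["import"]), frozenset(v[name]["export"]))
                    for v in per_pe.values() if name in v}
        if len(variants) > 1:
            findings.add(f"{name}: import/export route-targets differ between PEs")

    # 2. Importing an RT that a *different* VRF exports anywhere pulls that VRF's routes in.
    exporters = defaultdict(set)
    for vrfs in per_pe.values():
        for name, v in vrfs.items():
            for rt in v["export"]:
                exporters[rt].add(name)
    for pe, vrfs in per_pe.items():
        for name, v in vrfs.items():
            for rt in v["import"]:
                for other in sorted(exporters[rt] - {name}):
                    findings.add(f"{pe}/{name} imports {rt}, which {other} exports: cross-customer leak")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_rts({"PE1": PE1_LEAKY, "PE2": PE_OK}):
        print(finding)
```

On a live PE the same two questions are answered by `show ip bgp vpnv4 vrf Client1` on each PE: a prefix from the other customer's address space appearing there is the leak the second check catches.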

BGP Practice Lab


NOTE: This lab is not complete. It is set up so that BGP goes down: roughly every 3 minutes the eBGP session drops, the dynamic routing protocol takes over, BGP comes back up for another 3 minutes, and the cycle repeats. Keepalives stop getting through and the session dies when the 180-second hold timer expires, which is where the 3-minute period comes from. What actually breaks the transport can be read from the configs below: vIOS2 advertises its own loopback 192.168.0.2/32 into BGP, vIOS1 prefers that eBGP route (AD 20) over the EIGRP route (AD 90) it was using to reach the peer, and the eBGP route's next hop is 192.168.0.2 itself, so the route resolves through itself and the peer becomes unreachable until the session times out and the route is withdrawn. This is one reason a static route towards an external peer is common. There are other solutions.. find them! (Note also that vIOS2 has no update-source Loopback0, so only sessions initiated by vIOS1 are accepted.)

  • BGP's primary purpose is to interconnect autonomous systems.
  • Autonomous system (AS) – a network or group of networks under one administrative control with a common routing policy; the AS number (ASN) identifies it.
  • BGP is the glue that holds the internet together!
  • BGP is designed to carry large numbers of routes.
  • BGP removes the strain of carrying large numbers of routes from IGPs.
  • In ISP speak these are 'customer routes'.
  • External and internal BGP use different policies.
  • iBGP cannot replace an IGP. iBGP is meant to work alongside an IGP to create an efficient network.

External BGP

  • By default, external peers must be directly connected.
  • eBGP packets are sent with an IP TTL of 1.
  • Time-to-live (TTL) limits how long a packet can circulate: each router decrements it by one and discards the packet when it reaches 0.
  • The TTL of 1 keeps a session from forming across intermediate routers (ebgp-multihop raises it when a multi-hop peering is intended).
  • TTL security (GTSM) works the other way round: the sender uses a TTL of 255 and the receiver drops anything that arrives with a TTL below 255 minus the configured hop count, so a spoofed packet from an attacker several routers away can never reach the BGP process. It must be enabled on both peers, because a peer without it still sends TTL 1, which the protected side rejects.
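To make the TTL rules concrete, here is an added example (not from the original page) modelling what each side puts in the TTL field, what is left after the packet crosses some routers, and what the receiving speaker accepts. The hop counts, the attacker's distance and the `ebgp-multihop` value are constructed; the 255 and 1 defaults and the `255 - hops` acceptance rule are the real IOS behaviour.

```python
"""TTL security (GTSM, RFC 5082) versus the default eBGP TTL of 1 (added example)."""


def egress_ttl(ttl_security=False, ebgp_multihop=None):
    """TTL a router puts on its eBGP packets: 255 with 'ttl-security' configured,
    otherwise 1, or the value given to 'ebgp-multihop'."""
    if ttl_security:
        return 255
    return ebgp_multihop if ebgp_multihop else 1


def arriving_ttl(sent_ttl, routers_crossed):
    """Each intermediate router decrements the TTL and discards the packet at 0 (None)."""
    ttl = sent_ttl - routers_crossed
    return ttl if ttl > 0 else None


def receiver_accepts(ttl, ttl_security_hops=None):
    """Without ttl-security any packet that arrives is handed to BGP. With
    'neighbor X ttl-security hops N' the receiver requires TTL >= 255 - N, which a
    packet that crossed more than N routers cannot satisfy whatever the sender set."""
    if ttl is None:
        return False
    if ttl_security_hops is None:
        return True
    return ttl >= 255 - ttl_security_hops


def session_accepts(sender_ttl_security, receiver_hops, routers_crossed, multihop=None):
    """Does a packet from a peer configured one way reach a receiver configured another?"""
    ttl = arriving_ttl(egress_ttl(sender_ttl_security, multihop), routers_crossed)
    return receiver_accepts(ttl, receiver_hops)


def spoofed_packet_reaches_bgp(receiver_hops, attacker_routers_away):
    """An attacker forging the peer's source address can set TTL 255 at most; every
    router on the way in still decrements it, so distance is what GTSM measures."""
    return receiver_accepts(arriving_ttl(255, attacker_routers_away), receiver_hops)
```

The two cases worth remembering: a peer that has not enabled `ttl-security` sends TTL 1 and is rejected by a peer that has (hence "both sides"), and an attacker on the same segment as the peer still gets through, so GTSM complements, rather than replaces, TCP MD5 or TCP-AO on the session.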

BGP Configuration Categories

  • Configuration consists of two categories.
  • Session commands tell BGP how to create the session.
  • Session commands can be global or per address family (apply to all address families or just one).
  • Policy commands control the routes.
  • Policy commands are ALWAYS per address family.

Internal Peering

  • No requirement for direct connectivity when doing iBGP.

Huh?

  • After the configuration is complete and we have verified that the loopbacks of R2 (vIOS2) and R4 (vIOS4) are advertised to one another, we check the BGP table and find something interesting.
  • RIB-failure!!?? Failure is normally bad news, but here it only means that BGP picked this path as best and tried to install it, and the RIB refused because a route to the same prefix with a lower administrative distance is already there.
  • Checking the routing table for the destination confirms it: 192.168.0.4/32 is learned via OSPF (AD 110), which beats iBGP (AD 200), so OSPF wins. The iBGP path is still valid and still advertised to other BGP neighbors; RIB-failure only describes what the local routing table did with it.
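The flap described in the note above and the RIB-failure described here are both consequences of administrative distance plus recursive next-hop resolution on vIOS1. The following is an added example, not code from the page: a toy RIB fed the routes vIOS1 holds according to the configs below (interface names Gi0/0 and Gi0/2, the EIGRP and OSPF next hops 192.168.69.2 and 192.168.26.2, and the two /32 `network` statements on vIOS2 and vIOS4). The RIB logic is a simplification of IOS: lowest AD wins, and a lookup that lands back on a route it already passed through is treated as unresolvable.

```python
"""Administrative distance, recursion and RIB-failure on vIOS1 (added example)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str
    nexthop: Optional[str] = None   # None for directly connected routes
    via: Optional[str] = None       # egress interface, connected routes only


class Rib:
    def __init__(self):
        self.paths = {}             # prefix -> [Route, ...] offered by the protocols

    def offer(self, route):
        self.paths.setdefault(route.prefix, []).append(route)

    def withdraw(self, route):
        self.paths[route.prefix].remove(route)

    def best(self, prefix):
        """The installed route for a prefix: lowest administrative distance wins."""
        paths = self.paths.get(prefix) or []
        return min(paths, key=lambda r: AD[r.proto]) if paths else None

    def installed(self, route):
        """A BGP best path that loses here is what 'show ip bgp' marks as RIB-failure."""
        return self.best(route.prefix) == route

    def lookup(self, ip):
        """Longest-prefix match over installed routes."""
        addr = ipaddress.ip_address(ip)
        hits = [self.best(p) for p in self.paths if addr in ipaddress.ip_network(p)]
        hits = [h for h in hits if h is not None]
        return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

    def resolve(self, ip):
        """Recursive lookup down to an egress interface. None when unreachable or when the
        chain returns to a route already visited (a next hop that resolves via itself)."""
        seen = set()
        while True:
            r = self.lookup(ip)
            if r is None or r in seen:
                return None
            if r.nexthop is None:
                return r.via
            seen.add(r)
            ip = r.nexthop


def vios1_scenario():
    """vIOS1's view: the peer is reachable via EIGRP until vIOS2's loopback arrives as an
    eBGP route whose next hop is that very loopback; vIOS4's loopback loses to OSPF."""
    rib = Rib()
    rib.offer(Route("192.168.69.0/24", "connected", via="Gi0/0"))
    rib.offer(Route("192.168.26.0/24", "connected", via="Gi0/2"))
    rib.offer(Route("192.168.0.2/32", "eigrp", nexthop="192.168.69.2"))   # vIOS2 loopback via EIGRP 69
    rib.offer(Route("192.168.0.4/32", "ospf", nexthop="192.168.26.2"))    # vIOS4 loopback via OSPF 1
    result = {"peer_before": rib.resolve("192.168.0.2")}                  # 'Gi0/0'

    ebgp = Route("192.168.0.2/32", "ebgp", nexthop="192.168.0.2")         # vIOS2: network 192.168.0.2/32
    rib.offer(ebgp)
    result["ebgp_installed"] = rib.installed(ebgp)                        # True: AD 20 beats EIGRP's 90
    result["peer_after"] = rib.resolve("192.168.0.2")                     # None: next hop recurses onto itself

    ibgp = Route("192.168.0.4/32", "ibgp", nexthop="192.168.0.4")         # vIOS4: network 192.168.0.4/32
    rib.offer(ibgp)
    result["ibgp_rib_failure"] = not rib.installed(ibgp)                  # True: OSPF 110 beats iBGP 200
    result["ibgp_dest_via"] = rib.resolve("192.168.0.4")                  # 'Gi0/2' through the OSPF route

    # One fix among several: a static route (AD 1) towards the external peer.
    rib.offer(Route("192.168.0.2/32", "static", nexthop="192.168.69.2"))
    result["peer_with_static"] = rib.resolve("192.168.0.2")               # 'Gi0/0' again
    return result
```

With `peer_after` unresolvable, vIOS1 can no longer forward to 192.168.0.2; the hold timer expires, the session drops, the eBGP route is withdrawn, EIGRP reinstalls its route, the session re-forms and the cycle starts over. The static route is the fix the note hints at; filtering the peer's own loopback out of what vIOS2 advertises is another.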

vIOS1 Configuration

vIOS1#sh runn
 Building configuration…
 Current configuration : 3589 bytes
 !
 ! Last configuration change at 15:13:59 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS1
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.1 255.255.255.255
  ip ospf 1 area 0
 !
 interface GigabitEthernet0/0
  ip address 192.168.69.1 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 192.168.26.1 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 !
 router eigrp 69
  network 192.168.0.0
  network 192.168.69.0
 !
 router ospf 1
 !
 router bgp 600
  bgp log-neighbor-changes
  neighbor 192.168.0.2 remote-as 900
  neighbor 192.168.0.2 ebgp-multihop 255
  neighbor 192.168.0.2 update-source Loopback0
  neighbor 192.168.0.4 remote-as 600
  neighbor 192.168.0.4 update-source Loopback0
  !
  address-family ipv4
   neighbor 192.168.0.2 activate
   neighbor 192.168.0.2 send-community
   neighbor 192.168.0.4 activate
   neighbor 192.168.0.4 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server
 !

vIOS2 Configuration

vIOS2#sh runn
 Building configuration…
 Current configuration : 3368 bytes
 !
 ! Last configuration change at 15:19:15 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS2
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.2 255.255.255.255
 !
 interface GigabitEthernet0/0
  ip address 192.168.69.2 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 !
 router eigrp 69
  network 192.168.0.0
  network 192.168.69.0
 !
 router bgp 900
  bgp log-neighbor-changes
  neighbor 192.168.0.1 remote-as 600
  neighbor 192.168.0.1 ebgp-multihop 255
  !
  address-family ipv4
   network 192.168.0.2 mask 255.255.255.255
   neighbor 192.168.0.1 activate
   neighbor 192.168.0.1 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server

vIOS4 Configuration

vIOS4#sh runn
 Building configuration…
 Current configuration : 3363 bytes
 !
 ! Last configuration change at 15:18:58 UTC Sat Mar 13 2021
 !
 version 15.6
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 !
 hostname vIOS4
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 ethernet lmi ce
 !
 !
 !
 mmi polling-interval 60
 no mmi auto-configure
 no mmi pvc
 mmi snmp-timeout 180
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 multilink bundle-name authenticated
 !
 !
 !
 !
 !
 redundancy
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface Loopback0
  ip address 192.168.0.4 255.255.255.255
  ip ospf 1 area 0
 !
 interface GigabitEthernet0/0
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/2
  ip address 192.168.26.2 255.255.255.0
  ip ospf 1 area 0
  duplex auto
  speed auto
  media-type rj45
 !
 interface GigabitEthernet0/3
  no ip address
  shutdown
  duplex auto
  speed auto
  media-type rj45
 !
 router ospf 1
 !
 router bgp 600
  bgp log-neighbor-changes
  neighbor 192.168.0.1 remote-as 600
  neighbor 192.168.0.1 update-source Loopback0
  !
  address-family ipv4
   network 192.168.0.4 mask 255.255.255.255
   neighbor 192.168.0.1 activate
   neighbor 192.168.0.1 send-community
  exit-address-family
 !
 ip forward-protocol nd
 !
 ip bgp-community new-format
 !
 no ip http server
 no ip http secure-server

Border Gateway Protocol (BGP) – Peer Relationships

  • iBGP split horizon – when an iBGP speaker learns a prefix from an iBGP peer it will not send that prefix on to another iBGP peer.
  • This means you need either a full mesh of iBGP peerings or a function like route reflection or confederations to work around this rule.
  • eBGP peering – peering between different autonomous systems.
  • eBGP multi-hop – used whenever you want to peer between the loopback addresses of eBGP peers; the session then crosses more than one hop, so the default TTL of 1 has to be raised.

eBGP Multi-hop Lab

  • Configure the BGP topology given in the diagram.
  • All peering should be formed between loopback addresses.
  • Do not form an iBGP peering between R2 and R3.
  • Allowed to create static routes in AS 400 and AS 500 if needed.

OSPF Virtual Link Multi-Area


Lab Objectives

  • Configure OSPF as shown in the diagram.
  • Configure router IDs as 1.1.1.1 for R1, 2.2.2.2 for R2, etc.
  • Make sure R4 can reach the Area 3 networks.
  • Make sure R4 sees only 22.22.0.0/16 instead of 22.22.22.0/24 and 22.22.23.0/24.
  • Inject 111.11.1.1/24 without using the network command and see whether the route appears as O E2 or O E1 on the other routers.
  • R1 should inject a default route into the OSPF domain.
  • Make sure R4 doesn't see inter-area or external routes.
  • Configure Area 2 as an NSSA and remove the virtual link.
  • Make sure the 4.4.4.0/24 network is seen as a /24 on R2.
  • Configure link authentication on R1 & R2 using the strongest method available; between R3 & R4 use "CISCOPETE" as the password.

Since Loopback 1 is in Area 3, to advertise it to R2 (which belongs to Area 2) without a network statement we create a route-map called LOOP1 that matches the loopback and redistribute connected routes through it into OSPF process 1 on R1. The loopback is then advertised as an external route; by default it appears as O E2 in R-2's routing table.

Now, if we inspect the routing table on R-4, we see one O route, the intra-area route for the network R-4 itself sits in. We also see one E2 route, the external route being redistributed by R-1. Finally we see 8 inter-area (O IA) routes, which were learned from other areas.

R-4 doesn't have a route to 1.1.1.1. To get one we need to create a virtual link between R-1 and R-2, which attaches the area that is not connected to the backbone to Area 0 across the transit area.


Notice that once we create the virtual link on R-1's side we start seeing "mismatched area ID from backbone area" messages. This is because the virtual link has not yet been created on R-2's side: R-1 now sends hellos for Area 0 across the link, and R-2 still treats them as belonging to the transit area.

Now we can check on R-4 to see whether we have a route to 1.1.1.1.

If we check the OSPF neighborship on R-1 we now see 2 neighbors instead of one. The extra one is the virtual-link adjacency.

Our next step is route summarization, because we want R-4 to see only 22.22.0.0/16. This helps with maintenance and general housekeeping by shrinking the routing table. Currently R-4 sees two routes, 22.22.22.0/24 and 22.22.23.0/24.

To solve this we go to R-3, the ABR directly connected to R-4, and use the "area <id> range" command. This command must be applied on the ABR, because it summarizes the type 3 LSAs as they leave the area. Be aware that a /16 covers far more than the two /24s: the ABR installs a discard (Null0) route for the whole range, and a summary should only claim address space you actually own.

Checking on R-4 we can see that our 2 network routes have now been summarized by 22.22.0.0/16 advertisement.
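The summary the objective asks for (22.22.0.0/16) is much wider than the two component routes need. This added example (not from the page) uses the standard `ipaddress` module to compute the tightest summary that still covers both /24s and to list the address space an over-wide summary advertises without owning; the prefixes are the lab's own, the function names are mine.

```python
"""OSPF summary hygiene for the 'area range' step (added example)."""
import ipaddress

LAB_COMPONENTS = ["22.22.22.0/24", "22.22.23.0/24"]   # the two routes R-4 sees before summarization
LAB_SUMMARY = "22.22.0.0/16"                           # the range the objective asks for


def tightest_summary(prefixes):
    """Smallest single prefix containing every component (22.22.22.0/23 for the lab)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def uncovered_space(summary, prefixes):
    """Blocks inside 'summary' that no component route covers. Traffic for them is
    attracted by the summary and dropped on the ABR's discard route; the summary also
    claims space that may belong to someone else. Components are assumed to be
    inside the summary or disjoint from each block, which holds for area ranges."""
    leftover = [ipaddress.ip_network(summary)]
    for comp in (ipaddress.ip_network(p) for p in prefixes):
        next_round = []
        for block in leftover:
            if comp.subnet_of(block):
                next_round.extend(block.address_exclude(comp))   # yields nothing if comp == block
            else:
                next_round.append(block)
        leftover = next_round
    return sorted(leftover)


def uncovered_addresses(summary, prefixes):
    """Number of addresses the summary advertises beyond its components."""
    return sum(n.num_addresses for n in uncovered_space(summary, prefixes))


if __name__ == "__main__":
    print("tightest:", tightest_summary(LAB_COMPONENTS))
    for block in uncovered_space(LAB_SUMMARY, LAB_COMPONENTS):
        print("not owned but advertised:", block)
```

For the lab, `area ... range 22.22.22.0 255.255.254.0` would satisfy the "one route instead of two" goal without advertising the other 65,024 addresses of 22.22.0.0/16.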

Our next step is a default route. Looking at R-4 we notice there is currently no default route. We can solve this with the "default-information originate" command on R-1.


Now, let’s check R-4’s routing table.

For the sake of our objectives we will remove this default route from the OSPF process and continue with our next task.

Notice that default-information is still configured under OSPF process 1. We must remove the default-information originate command.

We will now configure Area 1 as a totally stubby area by going to R-3 (the ABR, where "area 1 stub no-summary" is applied), and we will need to do some configuration on R-4 as well.

Notice that the neighborship on R-3 goes down. This is due to the stub flag in the hello packets being mismatched, so we must now go to R-4 and configure "area 1 stub" there. After this the neighborship comes back.

Now let's verify with R-4's routing table that we have a totally stubby area. Notice the single O*IA default route in the table, standing in for the inter-area and external routes.

For our next task we remove the virtual links from R-1 and R-2 and make Area 2 an NSSA.

We can now see N2 routes in R-2's routing table. N2 routes, like E2 routes, keep the metric set at the point of redistribution and do not add the internal cost of reaching the ASBR. N2 routes are seen by routers inside the NSSA (type 7 LSAs); once the NSSA ABR translates them into type 5 LSAs, routers in other areas see them as E2 routes.

Now we will have the 4.4.4.4 network displayed as a /24 instead of a /32 route in R-2's routing table. We can do this by configuring Loopback 0 with the OSPF point-to-point network type ("ip ospf network point-to-point"); by default OSPF advertises a loopback as a /32 host route regardless of its mask.

Checking R-2's routing table we now see the 4.4.4.0 network as a /24.

Finally, we configure link authentication between R-1 and R-2 using MD5. Notice that once we enable authentication on R-1's side we eventually lose the neighborship, because R-2 discards hellos whose authentication type does not match its own.

To solve this we need to configure the same authentication (same key ID and key) on R-2's side of the link.

Now we can see the neighborship has formed back up. MD5 is the widely supported option; on IOS releases that support OSPF key chains, HMAC-SHA authentication (RFC 5709) is the stronger choice the objective's "best authentication" points at.

OSPF STUB


Scenario:

Cisco Pete's company uses OSPF as its dynamic routing protocol. R-1 has been having issues since R-4 was added to the network. After troubleshooting you notice that R-1 is an older router that could use a memory upgrade, and its processor is not optimal. Cisco Pete is low on money due to COVID-19, so asking Cisco for a new router is out of the question. Instead you want to shrink R-1's routing table to free up resources and make it easier to manage. Researching this, you come across OSPF stub areas.

Advantages of stub:

  • Minimize the size of the routing table / cleaner management
  • Minimize the number of LSAs flooded into the area: a stub area blocks type 5 (external) LSAs, and a totally stubby area blocks type 3 summary LSAs as well, replacing them with a default route from the ABR.

Things to remember:

  • Area 0 can't become a stub because it is the backbone.
  • An area containing an ASBR can't be a stub: stub areas do not carry type 5 LSAs, so redistribution (E1/E2 routes) would be blocked.
  • An area that a virtual link passes through can't be a stub.
  • Every router in the area must be configured as stub for neighborships to form. Otherwise the stub flag in the hellos mismatches and the adjacency will not come up.

When I stub area 10 I expect all my E1/E2 routes to be replaced by a single O*IA default route. On every router in area 10 we need to configure one command.

router ospf 1
area 10 stub

Notice that I now have no routes listed for the 14.x.x.x networks. However, we're still able to ping them. This is because router 3, the ABR, no longer floods those E1/E2 routes from R4 into the stub area and instead originates a default route, which R-1 follows.

If we check the routing table on R-3 (the ABR), it still holds the more specific routes.

All lab configurations will be on next pages.

Static NAT on Cisco Router

NAT TOPOLOGY

We have to assign Gi0/0 as the NAT inside interface and Gi0/1 as the NAT outside interface on the router. This tells the router that traffic crossing between these two interfaces is subject to address translation. Next we statically translate our inside local address (192.168.1.2) to an inside global address (192.168.122.156). Be aware that a static one-to-one translation is bidirectional: anything on the outside that sends to 192.168.122.156, on any port, is forwarded to 192.168.1.2, so the host is fully exposed unless an ACL or a firewall restricts inbound traffic.

Router’s config:

Router#sh runn
Building configuration...

Current configuration : 3552 bytes
!
! Last configuration change at 02:33:55 UTC Sun Aug 2 2020
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
ip dhcp pool PETE
 network 192.168.1.0 255.255.255.0
 domain-name pete.lab
 default-router 192.168.1.1
 dns-server 8.8.8.8
!
!
!
ip domain name pete.lab
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
lldp run
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback2
 ip address 192.168.22.2 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source static 192.168.1.2 192.168.122.156
ip route 0.0.0.0 0.0.0.0 192.168.122.1
!
ipv6 ioam timestamp
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

From our Linux PC we ping out to google.com to test.

On our router we can see the address translation debug output.

debug ip nat
term mon

We can also look and see the statistics for our address translation:

sh ip nat stat

We can also look at the translations that are occurring in an easy human-readable format:

sh ip nat trans
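The difference between the static translation configured above and a dynamic overload (PAT) translation matters for exposure, not just addressing. This added example (not from the page) models both: the static entry comes from the page's `ip nat inside source static 192.168.1.2 192.168.122.156`; the PAT alternative, the outside host 192.168.122.50, the DNS round trip and the port numbers are constructed.

```python
"""Static NAT versus PAT for unsolicited inbound traffic (added example)."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """One-to-one mapping with no ports: the translation exists permanently in both directions."""
    def __init__(self, inside_local, inside_global):
        self.local, self.glob = inside_local, inside_global

    def outbound(self, pkt):              # inside -> outside: rewrite the source
        return replace(pkt, src=self.glob) if pkt.src == self.local else pkt

    def inbound(self, pkt):               # outside -> inside: rewrite the destination, always
        return replace(pkt, dst=self.local) if pkt.dst == self.glob else None


class Pat:
    """'ip nat inside source list ... overload': entries are created by outbound traffic
    only, so an inbound packet with no matching entry has nowhere to go and is dropped."""
    def __init__(self, inside_global):
        self.glob = inside_global
        self.table = {}                   # global port -> (inside local, local port)
        self._ports = count(1024)         # constructed port allocator

    def outbound(self, pkt):
        for gport, (local, lport) in self.table.items():
            if (local, lport) == (pkt.src, pkt.sport):
                return replace(pkt, src=self.glob, sport=gport)
        gport = next(self._ports)
        self.table[gport] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.glob, sport=gport)

    def inbound(self, pkt):
        if pkt.dst != self.glob or pkt.dport not in self.table:
            return None                   # no translation: dropped at the outside interface
        local, lport = self.table[pkt.dport]
        return replace(pkt, dst=local, dport=lport)


def unsolicited_ssh_probe(nat):
    """Outside host (constructed 192.168.122.50) connects to the inside global on port 22
    with no prior outbound traffic from the inside host."""
    return nat.inbound(Packet("192.168.122.50", 40000, "192.168.122.156", 22))


def reply_to_outbound(nat):
    """Round trip: the inside host queries 8.8.8.8 and the reply comes back through the NAT."""
    out = nat.outbound(Packet("192.168.1.2", 51000, "8.8.8.8", 53))
    back = nat.inbound(Packet("8.8.8.8", 53, out.src, out.sport))
    return out, back
```

Both models carry the DNS reply back to 192.168.1.2, which is what the ping test and `sh ip nat trans` show; only the static mapping also delivers the unsolicited probe, which is why a static translation for an internal host should come with an inbound ACL on the outside interface.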