Friday, June 1, 2012

Using GNS3 to create an MPLS VRF Lab



OBJECTIVE: To be able to ping end to end within each individual VRF, e.g. from R5 to R0 (both in Cust-A) sourcing from R5's 10.3.3.0/24 loopback. Note that R7, in Cust-B, carries the same 10.3.3.0/24 subnet: the two customers overlap in address space, and the VRFs keep them apart because each PE prepends a different RD and imports only its own route-target. To check it, run show ip route vrf Cust-A and show ip bgp vpnv4 all on R1 or R4, then from R5 ping 10.1.1.1 source 10.3.3.10.



 ______________________________________________

R0

hostname Router0
!
!
ip cef
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
!
interface Ethernet1/0
 ip address 192.168.15.6 255.255.255.0
no shut
!
!
router eigrp 1
 network 10.0.0.0
 network 192.168.15.0
 no auto-summary
_______________________________










R1

hostname Router1
!
!
ip cef
!
ip vrf Cust-A
 rd 1:111
 route-target export 1:100
 route-target import 1:100
!
ip vrf Cust-B
 rd 2:222
 route-target export 2:200
 route-target import 2:200
!
mpls label protocol ldp
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 ip vrf forwarding Cust-A
 ip address 192.168.15.3 255.255.255.0
 duplex half
!
!
interface Serial2/0
 ip address 10.32.12.1 255.255.255.0
 mpls ip
 serial restart-delay 0
!
interface Serial2/1
 ip address 10.32.14.1 255.255.255.0
 mpls ip
 serial restart-delay 0
!
!
interface FastEthernet3/0
 ip vrf forwarding Cust-B
 ip address 192.168.16.3 255.255.255.0
 duplex auto
 speed auto
!
!
router eigrp 1
 network 4.4.4.4 0.0.0.0
 network 10.32.12.0 0.0.0.255
 network 10.32.14.0 0.0.0.255
 network 10.32.15.0 0.0.0.255
 network 10.32.16.0 0.0.0.255
 no auto-summary
!
router eigrp 65001
 no auto-summary
 !
 address-family ipv4 vrf Cust-B
 redistribute bgp 65001 metric 10000 1000 255 1 1500
 network 192.168.16.3 0.0.0.0
 no auto-summary
 autonomous-system 1
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
 redistribute bgp 65001 metric 10000 1000 255 1 1500
 network 192.168.15.3 0.0.0.0
 no auto-summary
 autonomous-system 1
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 65001
 neighbor 3.3.3.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 3.3.3.3 activate
 neighbor 3.3.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
 redistribute eigrp 1
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
 redistribute eigrp 1
 no synchronization
 exit-address-family
!
____________________________________________________

R2

hostname Router2
!
ip cef
!
!
mpls label protocol ldp
!
!
interface Serial1/0
 ip address 10.32.12.2 255.255.255.0
 mpls ip
 serial restart-delay 0
no shut
!
interface Serial1/1
 ip address 10.32.23.2 255.255.255.0
 mpls ip
 serial restart-delay 0
no shut
!
interface Serial1/2
 ip address 10.32.24.2 255.255.255.0
 mpls ip
 serial restart-delay 0
no shut
!
!
router eigrp 1
 network 10.32.12.0 0.0.0.255
 network 10.32.23.0 0.0.0.255
 network 10.32.24.0 0.0.0.255
 no auto-summary
!
_______________________________________________________

R3


hostname Router3
!
!
ip cef
!
!
mpls label protocol ldp
!
!
interface Serial1/0
 ip address 10.32.14.4 255.255.255.0
 mpls ip
 serial restart-delay 0
no shut
!
interface Serial1/1
 ip address 10.32.34.4 255.255.255.0
 mpls ip
 serial restart-delay 0
no shut
!
interface Serial1/2
 ip address 10.32.24.4 255.255.255.0
 mpls ip
 serial restart-delay 0
no shut
!
!
router eigrp 1
 network 10.32.14.0 0.0.0.255
 network 10.32.24.0 0.0.0.255
 network 10.32.34.0 0.0.0.255
 no auto-summary
!
___________________________________

R4
hostname Router4
!
ip cef
!
!
ip vrf Cust-A
 rd 1:111
 route-target export 1:100
 route-target import 1:100
!
ip vrf Cust-B
 rd 2:222
 route-target export 2:200
 route-target import 2:200
!
mpls label protocol ldp
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
!
interface Serial1/0
 ip address 10.32.34.3 255.255.255.0
 mpls ip
 serial restart-delay 0
no shut
!
interface Serial1/1
 ip address 10.32.23.3 255.255.255.0
 mpls ip
 serial restart-delay 0
no shut
!
!
interface FastEthernet2/0
 ip vrf forwarding Cust-A
 ip address 192.168.37.3 255.255.255.0
 duplex auto
 speed auto
no shut
!
interface FastEthernet2/1
 ip vrf forwarding Cust-B
 ip address 192.168.38.3 255.255.255.0
 duplex auto
 speed auto
no shut
!
router eigrp 1
 network 3.3.3.3 0.0.0.0
 network 10.32.23.0 0.0.0.255
 network 10.32.34.0 0.0.0.255
 network 10.32.36.0 0.0.0.255
 network 10.32.38.0 0.0.0.255
 no auto-summary
!
router eigrp 65001
 auto-summary
 !
 address-family ipv4 vrf Cust-B
 redistribute bgp 65001 metric 10000 1000 255 1 1500
 network 192.168.38.3 0.0.0.0
 no auto-summary
 autonomous-system 1
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
 redistribute bgp 65001 metric 10000 1000 255 1 1500
 network 192.168.37.3 0.0.0.0
 no auto-summary
 autonomous-system 1
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 65001
 neighbor 4.4.4.4 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
 redistribute eigrp 1
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
 redistribute eigrp 1
 no synchronization
 exit-address-family
!
______________________________________

R5

hostname Router5
ip cef
!
!
interface Loopback0
 ip address 10.3.3.10 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.37.6 255.255.255.0
 duplex auto
 speed auto
no shut
!
!
router eigrp 1
 network 10.3.3.0 0.0.0.255
 network 192.168.37.0
 no auto-summary
!
!
______________________________________
R6
hostname Router6
!
ip cef
!
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
no shut
!
!
interface FastEthernet1/0
 ip address 192.168.16.6 255.255.255.0
 duplex auto
 speed auto
no shut
!
!
router eigrp 1
 network 10.2.2.0 0.0.0.255
 network 192.168.16.0
 no auto-summary
!
!
_____________________________________

R7

hostname Router7
!
ip cef
!
!
!
interface Loopback0
 ip address 10.3.3.1 255.255.255.0
no shut
!
!
interface FastEthernet1/0
 ip address 192.168.38.6 255.255.255.0
 duplex auto
 speed auto
no shut
!
!
router eigrp 1
 network 10.0.0.0
 network 192.168.38.0
 no auto-summary
!
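As an added illustration (a Python model written for this page, not router output or part of the original lab), the following reproduces the route-target import logic that keeps the two VRFs apart. The VRF definitions are taken from the R1/R4 configs above; the list of CE prefixes, the PE names and the deliberately mis-configured Cust-A-leaky VRF are assumptions. It builds the VPNv4 table (RD + prefix), shows which prefixes each VRF imports on each PE, and shows how importing the other customer's route-target leaks Cust-B routes into Cust-A:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str                      # route distinguisher, makes RD:prefix unique
    export_rt: frozenset         # route-targets attached on export
    import_rt: frozenset         # route-targets accepted on import


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: frozenset
    origin_pe: str


# VRF definitions copied from the R1 / R4 configs.
CUST_A = Vrf("Cust-A", "1:111", frozenset({"1:100"}), frozenset({"1:100"}))
CUST_B = Vrf("Cust-B", "2:222", frozenset({"2:200"}), frozenset({"2:200"}))

# Constructed CE prefixes as each PE learns them from EIGRP AS 1 inside the VRF:
# (PE, VRF, prefix). The loopbacks match the lab; the list itself is an assumption.
CE_ROUTES: List[Tuple[str, Vrf, str]] = [
    ("R1", CUST_A, "10.1.1.0/24"),   # R0 loopback
    ("R1", CUST_B, "10.2.2.0/24"),   # R6 loopback
    ("R4", CUST_A, "10.3.3.0/24"),   # R5 loopback
    ("R4", CUST_B, "10.3.3.0/24"),   # R7 loopback: same prefix, other VRF
]


def export_vpnv4(ce_routes) -> List[VpnRoute]:
    """Model of `redistribute eigrp 1` under `address-family ipv4 vrf`:
    every CE prefix becomes RD:prefix carrying the VRF's export RTs."""
    return [VpnRoute(vrf.rd, prefix, vrf.export_rt, pe) for pe, vrf, prefix in ce_routes]


def import_into_vrf(vrf: Vrf, vpnv4: List[VpnRoute], local_pe: str) -> Dict[str, str]:
    """Remote VPNv4 routes land in a VRF table only when at least one of their
    RTs is in the VRF's import list. Returns prefix -> originating PE."""
    rib: Dict[str, str] = {}
    for r in vpnv4:
        if r.origin_pe == local_pe:
            continue                      # local CE route, already in the VRF via EIGRP
        if r.rts & vrf.import_rt:
            rib[r.prefix] = r.origin_pe
    return rib


def vrf_tables(pe: str, vrfs, vpnv4) -> Dict[str, Dict[str, str]]:
    """Imported routes for every VRF on one PE."""
    return {v.name: import_into_vrf(v, vpnv4, pe) for v in vrfs}


# A VRF that also imports the other customer's RT: the one-line mistake that
# leaks Cust-B prefixes into Cust-A. Hypothetical, not in the lab configs.
CUST_A_LEAKY = Vrf("Cust-A-leaky", "1:111", frozenset({"1:100"}), frozenset({"1:100", "2:200"}))


if __name__ == "__main__":
    table = export_vpnv4(CE_ROUTES)
    for r in table:
        print(f"{r.rd}:{r.prefix:<14} RT={sorted(r.rts)} from {r.origin_pe}")
    print("R1 imports:", vrf_tables("R1", [CUST_A, CUST_B], table))
    print("R4 imports:", vrf_tables("R4", [CUST_A, CUST_B], table))
    print("R4 leaky  :", vrf_tables("R4", [CUST_A_LEAKY], table))
```

Both 10.3.3.0/24 routes survive as distinct VPNv4 entries (1:111:10.3.3.0/24 and 2:222:10.3.3.0/24), and R1 ends up with a 10.3.3.0/24 in each VRF table pointing at R4. Isolation therefore rests entirely on the route-target lists: auditing `route-target import` lines on every PE is the check worth automating.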
____________________________________

IPv6 Frame-relay Lab on GNS3

R3


!
hostname R3
!
!
ipv6 unicast-routing
ipv6 cef
!
!

!
interface Loopback0
 no ip address
 ipv6 address 3001:0:3::/64 eui-64
 ipv6 ospf 1 area 704
!
interface Loopback1
 ip address 10.3.3.6 255.255.255.0
!
interface Loopback2
 no ip address
 ipv6 address 3001:0:3:2::/64 eui-64
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 0
!
interface Loopback4
 no ip address
 ipv6 address 3001:0:3:4::/64 eui-64
 ipv6 ospf 1 area 708
!
interface Loopback5
 no ip address
 ipv6 address 2001:211:10:1::2/64
 ipv6 ospf 1 area 0
!
interface Serial0/0
 bandwidth 128
 no ip address
 encapsulation frame-relay
 ipv6 address 2001:210:10:1::1/64
 ipv6 ospf neighbor FE80::CE04:17FF:FE30:10
 ipv6 ospf 1 area 0
 serial restart-delay 0
 clock rate 128000
 no fair-queue
 cdp enable
 frame-relay map ipv6 2001:210:10:1::2 807
 frame-relay map ipv6 FE80::CE04:17FF:FE30:10 807 broadcast
!
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:0:3::/64 eui-64
 ipv6 ospf 1 area 704
!
no ip http server
!
!
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
!
line con 0
line aux 0
line vty 0 4
!
_____________________________________________________

R4C

!
hostname R4C
!
!
ipv6 unicast-routing
ipv6 cef
!
!
interface Loopback0
 no ip address
 ipv6 address 3001:0:4::/64 eui-64
 ipv6 ospf 1 area 66
!
interface Loopback2
 no ip address
 ipv6 address 3001:0:4:2::/64 eui-64
 ipv6 ospf network point-to-point
 ipv6 ospf 1 area 0
!
interface Loopback5
 no ip address
 ipv6 address 2001:211:10:1::1/64
 ipv6 ospf 1 area 0
!
interface Serial0/0
 bandwidth 128
 no ip address
 encapsulation frame-relay
 ipv6 address 2001:210:10:1::2/64
 ipv6 ospf 1 area 0
 serial restart-delay 0
 clock rate 128000
 no fair-queue
 cdp enable
 frame-relay map ipv6 2001:210:10:1::1 708
 frame-relay map ipv6 FE80::CE03:17FF:FE30:10 708 broadcast
!
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:0:4::/64 eui-64
 ipv6 ospf 1 area 77
!
no ip http server
!
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
!

___________________________________________________

Friday, February 10, 2012

Resolving layer 1 issues

Often we have issues with cabling and no easy way to prove it. Fortunately, if you are using Cisco switches you are in luck, since the switch can run a TDR (time-domain reflectometry) test on the copper pairs of a port straight from the CLI. Please note that this briefly brings the interface down, so it is not recommended during production hours, as you can see from the log below:

3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
3d00h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
3d00h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up


How do we do that you ask? Well here goes:

Test_Switch01#test cable-diagnostics tdr interface GigabitEthernet0/1


To see the results:

Test_Switch01#sh cable-diagnostics tdr int gigabitEthernet 0/1
TDR test last run on: March 04 00:36:40

Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- -----------
Gi0/1     100M  Pair A     0    +/- 4  meters Pair B      Normal
                Pair B     0    +/- 4  meters Pair A      Normal
                Pair C     1    +/- 4  meters Pair C      Short
                Pair D     2    +/- 4  meters Pair D      Short
Test_Switch01#
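When you need to run this across many ports (for example after a cabling change), it helps to parse the output instead of reading it by eye. The following is an added example written for this page, not Cisco code: it parses a constructed copy of the `show cable-diagnostics tdr` output above and lists every pair that is not Normal, together with the distance at which the fault was measured. The sample text and the function names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, laid out like the `show cable-diagnostics tdr` output above.
SAMPLE_TDR = """\
TDR test last run on: March 04 00:36:40

Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- -----------
Gi0/1     100M  Pair A     0    +/- 4  meters Pair B      Normal
                Pair B     0    +/- 4  meters Pair A      Normal
                Pair C     1    +/- 4  meters Pair C      Short
                Pair D     2    +/- 4  meters Pair D      Short
"""

# One pair row: "Pair A     0    +/- 4  meters Pair B      Normal"
ROW_RE = re.compile(
    r"Pair (?P<local>[A-D])\s+(?P<length>\d+)\s+\+/-\s*(?P<tol>\d+)\s+meters\s+"
    r"Pair (?P<remote>[A-D])\s+(?P<status>.+?)\s*$"
)


def parse_tdr(text: str) -> Dict[str, List[dict]]:
    """Return {interface: [pair rows]} from `show cable-diagnostics tdr` output.
    The first row of each interface starts with the interface name; the other
    pair rows are indented, so the last seen name is carried forward."""
    results: Dict[str, List[dict]] = {}
    iface = None
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue                      # banner, header, separator lines
        if not line.startswith(" "):
            iface = line.split()[0]
        if iface is None:
            continue
        results.setdefault(iface, []).append({
            "local": m["local"],
            "length_m": int(m["length"]),
            "tolerance_m": int(m["tol"]),
            "remote": m["remote"],
            "status": m["status"],
        })
    return results


def faulty_pairs(results: Dict[str, List[dict]]) -> List[Tuple[str, str, str, int]]:
    """(interface, pair, status, distance_m) for every pair that is not Normal.
    For Open/Short the reported length is the distance from the switch to the
    fault, which tells you which end of the run to check first."""
    return [
        (iface, row["local"], row["status"], row["length_m"])
        for iface, rows in results.items()
        for row in rows
        if row["status"] != "Normal"
    ]


if __name__ == "__main__":
    for iface, pair, status, dist in faulty_pairs(parse_tdr(SAMPLE_TDR)):
        print(f"{iface} pair {pair}: {status} at ~{dist} m from the switch")
```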


Here pairs C and D report a Short only 1 to 2 metres from the switch, so the fault is at the switch or patch-panel end of the run rather than somewhere in the wall. Hope this will help you tell the facilities guys to check the cabling...




Thursday, February 9, 2012

NPS Server R2 2008 for Radius on Cisco Devices

How to Make an NPS your Radius Authentication Server for Cisco Device Admin Access
1. In NPS once you have your NPS server running, first add your client,
A. In the Server Manager, click on Roles > Network Policy and Access > NPS (Local) > Radius Clients and Servers > Radius Clients, then click New on the right-hand side of the window under Actions and you will get a window as follows:
B. Add a friendly name for your device and its IP address, and add the shared secret; the same value goes into the radius-server key on the Cisco device.

2. On the Advanced tab either select Cisco or just leave it as RADIUS Standard; for plain RADIUS authentication it makes no difference.


Click on Apply and then now we go to the interesting part.

3. Under Policies, you would want to create two policies:
i) Connection Request Policy
ii) Network Policy

Connection Request Policy


4. Click on Connection Request Policy and click on new under Actions:
On the window as below, Name your policy and click next

5. On the next window you set the conditions a device must match for its requests to be processed by this NPS:


6. Select one of the conditions that apply to your network. In mine I used the Client IPv4 Address so that I could use a wildcard and be selective about which range of IP addresses can get authentication from the NPS.

Hit Ok and click next on to get the window below:


Hit next on this window as well:




Hit next and then finish on this window:



Now we go to the Network Policy and please follow this carefully as this can make or break your authentication and Authorization:

Network Policy


7. Click on the Network Policies and then new under the Actions:
8. Name your policy accordingly and click Next:


9. Now you have to add the conditions for your devices to be able to get Authenticated:
10. Click on Add and you will get the following window; select “User Groups”. This is very important when you have an AD group, let's say Network_Admins:



Add the AD group that is supposed to have access to device management.

11. On the next window, select Access Granted


Hit next:

Unselect everything except Unencrypted authentication (PAP, SPAP). Cisco IOS sends the login password as PAP, so the only protection in transit is the RADIUS User-Password hiding derived from the shared secret: use a long random shared secret and keep the NPS reachable only from the management network.



Click No on the next annoying Windows help window:


Hit next and go to the Configure Constraints:

Hit Next:

IMPORTANT:


12. On the following window, under Radius Attributes > Standard: remove Framed-Protocol - PPP, then edit Service-Type and set it to Login (the value normally used for Cisco device logins).



This is a very important step as some Cisco devices will not work without this Attribute.

Now Click on the Vendor Specific :


Click on add:


Click on the Cisco-AV-Pair and then Add:

Click on Add and then type in the following to grant the session privilege level 15:
shell:priv-lvl=15

The value can be varied per network policy, e.g. shell:priv-lvl=1 for a read-only group and shell:priv-lvl=15 for administrators; the device honours it only because of the aaa authorization exec line in the Cisco configuration below.

Note:

By default, there are three privilege levels on the router.
  • privilege level 1 = non-privileged (prompt is router>), the default level for logging in
  • privilege level 15 = privileged (prompt is router#), the level after going into enable mode
  • privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout


Close the window and hit next:



Hit finish on this window and now you have fully configured your NPS to be a radius server for your Cisco devices.




Cisco Configuration


For your Cisco devices this is all you need (aaa new-model must come first or the aaa commands are rejected, and a local fallback user is needed because local-case only kicks in when the RADIUS server does not answer):

aaa new-model
!
aaa authentication login default group radius local-case
aaa authentication login vty group radius local-case
aaa authorization exec default group radius local if-authenticated
aaa accounting system default start-stop group radius
!
username admin privilege 15 secret <strong local fallback password>   <<<--- used only when NPS is unreachable, never on an Access-Reject
!
ip radius source-interface Vlan1   <<<--- the interface whose IP address matches the Radius client entry you created in NPS
!
radius-server host <ip address of the NPS server> auth-port 1645 acct-port 1646
radius-server key <Key that was configured on the Radius client in the NPS>
!
line vty 0 4
 login authentication vty   <<<------- must be the same list name as in the aaa authentication login command
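To make the PAP caveat and the Cisco-AVPair attribute concrete, here is an added example written for this page (not Cisco or Microsoft code): a minimal RFC 2865 encoder that builds the Access-Request a device sends for a VTY login, hides the password the way PAP over RADIUS does, shows that anyone holding the shared secret recovers it from a capture, and encodes the shell:priv-lvl=15 VSA exactly as it travels in the Access-Accept. The username, shared secret, NAS address and function names are assumptions.

```python
import hashlib
import os
import struct
from typing import List, Optional, Tuple

# RFC 2865 attribute types used in the NPS policy above, plus the Cisco VSA.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to a 16-byte multiple, XOR each
    block with MD5(secret + previous block), seeded with the Request
    Authenticator. Keyed obfuscation, not encryption: whoever holds (or
    guesses) the shared secret gets the cleartext back."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    """Type / Length / Value; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Cisco-AVPair (vendor 9, sub-type 1),
    e.g. shell:priv-lvl=15 as NPS returns it in the Access-Accept."""
    value = text.encode()
    inner = struct.pack("!I", CISCO_VENDOR_ID) + struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, inner)


def parse_cisco_avpair(vsa_value: bytes) -> Optional[str]:
    """Return the AV-pair string if the VSA value is a Cisco-AVPair, else None."""
    vendor, sub_type, sub_len = struct.unpack("!IBB", vsa_value[:6])
    if vendor != CISCO_VENDOR_ID or sub_type != CISCO_AVPAIR:
        return None
    return vsa_value[6:4 + sub_len].decode()


def access_request(identifier: int, username: str, password: str, secret: bytes,
                   nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """The Access-Request a Cisco device sends for a VTY login with
    `aaa authentication login ... group radius` (PAP-style User-Password)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes]]:
    """Attribute list of a RADIUS packet as (type, value) tuples."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def recover_password(packet: bytes, secret: bytes) -> bytes:
    """What someone with a captured Access-Request and the shared secret (or an
    offline guess at it) recovers: the cleartext login password."""
    authenticator = packet[4:20]
    for t, value in parse_attrs(packet):
        if t == USER_PASSWORD:
            return pap_unhide(value, secret, authenticator)
    raise ValueError("no User-Password attribute in packet")


if __name__ == "__main__":
    secret = b"example-shared-secret"          # assumption: the NPS client's secret
    pkt = access_request(1, "netadmin", "Passw0rd!", secret, "192.168.1.10")
    print("Access-Request:", pkt.hex())
    print("recovered with secret:", recover_password(pkt, secret))
    print("Cisco-AVPair VSA:", cisco_avpair("shell:priv-lvl=15").hex())
```

Because the only secret in the exchange is the shared secret, and MD5 over secret plus a 16-byte authenticator is cheap to brute-force offline, a short or dictionary shared secret on the Radius client turns every captured login into a cleartext admin password. The privilege level is likewise just a string in an unauthenticated-by-default UDP packet, which is why the NPS server should sit on the management VLAN and not be reachable from user networks.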

Please note that the privilege levels can be changed and applied according to your needs:



See Cisco documentation here:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml