Routehub TUNNEL L3VPN VRF LITE PDF
Tunneling: L3VPN
Practical Cisco Training for Network Engineers & Consultants!
December 8, 2009
Preface i
ROUTEHUB GROUP END-USER LICENSE AGREEMENT
IMPORTANT! BE SURE TO CAREFULLY READ AND UNDERSTAND ALL OF THE RIGHTS AND RESTRICTIONS
SET FORTH IN THIS END-USER LICENSE AGREEMENT ("EULA"). YOU ARE NOT AUTHORIZED TO USE THIS
NETWORK CONFIGURATION GUIDE/TRAINING UNLESS AND UNTIL YOU ACCEPT THE TERMS OF THIS EULA.
This EULA is a binding legal agreement between you and ROUTEHUB GROUP, LLC (hereinafter "Licensor") for the
materials accompanying this EULA, including the accompanying computer Network Configuration Guide/Training, associated
media, printed materials and any "online" or electronic documentation (hereinafter the "Network Configuration Guide/Training").
By using the Network Configuration Guide/Training, you agree to be bound by the terms of this EULA. If you do not agree to
the terms of this EULA, do not install or attempt to use the Network Configuration Guide/Training.
The Guide & Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized
to use the Guide & Training Materials throughout the term of this License.
1. Grant of License
The Network Configuration Guide/Training is protected by copyright laws and international copyright treaties, as well as
other intellectual property laws and treaties. The Network Configuration Guide/Training is licensed, not sold. This EULA grants
you the following rights:
A. You may use, access, display and run only one copy of the Network Configuration Guide/Training, on a single
computer, workstation or terminal ("Computer"). The primary user of the Computer on which the Network Configuration
Guide/Training is installed may make a second copy for his or her exclusive use for archival purposes only.
B. You may store or install a copy of the Network Configuration Guide/Training on a storage device, such as a
network server, used only to run the Network Configuration Guide/Training on your other Computers over an internal network.
You must, however, acquire a license for each separate Computer on which the Network Configuration Guide/Training is run,
displayed or utilized from the server or similar device. A license for the Network Configuration Guide/Training may not be
shared or used concurrently on different Computers.
C. Your license rights under this EULA are non-exclusive. All rights not expressly granted herein are reserved by
Licensor.
D. You may not sell, transfer or convey the Network Configuration Guide/Training to any third party without
Licensor's prior express written consent.
If you have not previously paid the license fee for the Network Configuration Guide/Training, then you must pay the
license fee within the period indicated in the applicable invoice sent to you by Licensor.
3. Support Services
This EULA is a license of the Network Configuration Guide/Training only, and Licensor does not assume any obligation
to provide maintenance, patches or fixes to the Network Configuration Guide/Training. Licensor further disclaims any obligation
to provide support or to prepare and distribute modifications, enhancements, updates and new releases of the Network
Configuration Guide/Training.
Licensor may, from time to time, and for a fee, replace, modify or upgrade the Network Configuration Guide/Training.
When accepted by you, any such replacement or modified Network Configuration Guide/Training code or upgrade to the
Network Configuration Guide/Training will be considered part of the Network Configuration Guide/Training and subject to the
terms of this EULA (unless this EULA is superseded by a further EULA accompanying such replacement or modified version of
or upgrade to the Network Configuration Guide/Training).
5. Termination
You may terminate this EULA at any time by destroying all your copies of the Network Configuration Guide/Training.
Your license to the Network Configuration Guide/Training automatically terminates if you fail to comply with the terms of this
agreement. Upon termination, you are required to remove the Network Configuration Guide/Training from your computer and
destroy any copies of the Network Configuration Guide/Training in your possession. No refund with the product will be
granted.
6. Copyright
A. All title and copyrights in and to the Network Configuration Guide/Training (including but not limited to any
images, photographs, animations, video, audio, music and text incorporated into the Network Configuration Guide/Training),
the accompanying printed materials, and any copies of the Network Configuration Guide/Training, are owned by Licensor or its
suppliers. This EULA grants you no rights to use such content. If this Network Configuration Guide/Training contains
documentation that is provided only in electronic form, you may print one copy of such electronic documentation. Except for
any copies of this EULA, you may not copy the printed materials accompanying the Network Configuration Guide/Training.
B. You may not reverse engineer, de-compile, disassemble, alter, duplicate, modify, rent, lease, loan, sublicense,
make copies of, create derivative works from, distribute or provide others with the Network Configuration Guide/Training in
whole or part, transmit or communicate the application over a network.
7. Export Restrictions
You may not export, ship, transmit or re-export Network Configuration Guide/Training in violation of any applicable law
or regulation including but not limited to Export Administration Regulations issued by the U. S. Department of Commerce.
8. Disclaimer of Warranties
LICENSOR AND ITS SUPPLIERS PROVIDE THE NETWORK CONFIGURATION GUIDE/TRAINING "AS IS" AND
WITH ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS,
IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO ANY (IF ANY) IMPLIED WARRANTIES OR CONDITIONS
OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF LACK OF VIRUSES, AND OF LACK OF
NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, OF
QUIET ENJOYMENT, OR OF NONINFRINGEMENT. THE ENTIRE RISK ARISING OUT OF THE USE OR PERFORMANCE
OF THE NETWORK CONFIGURATION GUIDE/TRAINING IS WITH YOU.
9. Limitation of Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR OR ITS
SUPPLIERS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE OR OTHER
DAMAGES WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE
NETWORK CONFIGURATION GUIDE/TRAINING AND WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT
LIABILITY OR OTHERWISE, EVEN IF LICENSOR OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. THIS EXCLUSION OF DAMAGES WILL BE EFFECTIVE EVEN IF ANY REMEDY FAILS OF ITS
ESSENTIAL PURPOSE.
10. Arbitration
Any dispute arising under this EULA will be subject to binding arbitration by a single Arbitrator with the American
Arbitration Association (AAA), in accordance with its relevant industry rules, if any. The parties agree that this EULA will be
governed by and construed and interpreted in accordance with the laws of the State of California. The arbitration will be held in
California. The Arbitrator will have the authority to grant injunctive relief and specific performance to enforce the terms of this
EULA. Judgment on any award rendered by the Arbitrator may be entered in any Court of competent jurisdiction.
11. Severability
If any term of this EULA is found to be unenforceable or contrary to law, it will be modified to the least extent necessary
to make it enforceable, and the remaining portions of this Agreement will remain in full force and effect.
12. No Waiver
No waiver of any right under this EULA will be deemed effective unless contained in writing signed by a duly authorized
representative of the party against whom the waiver is to be asserted, and no waiver of any past or present right arising from
any breach or failure to perform will be deemed to be a waiver of any future rights arising out of this EULA.
This EULA constitutes the entire agreement between the parties with respect to its subject matter, and supersedes all
prior agreements, proposals, negotiations, representations or communications relating to the subject matter. Both parties
acknowledge that they have not been induced to enter into this EULA by any representations or promises not specifically
stated herein.
Table of Contents
1 Introduction 7
2 Concepts 8
3 Design 10
3.1 Our Design with VRF-lite 10
3.2 Requirements 11
3.3 Solutions and Topology 12
3.4 Topology Services and Sub-Services 13
3.5 Hardware & Software 14
3.6 Network Diagram 15
4 Configuration 16
4.1 Initial Configuration 16
4.2 LAN Distribution (dsr01) 17
4.3 LAN Core (csr01) 22
4.4 Internet Perimeter Zone (zsr01) 26
4.5 Perimeter Firewall (Cisco ASA/PIX OS 7.x) 30
5 Monitor 32
5.1 Operations for Internet Perimeter Edge Router 32
5.1.1 show ip route 32
5.2 Operations for Zone Routers (External) 34
5.2.1 show ip route 34
5.2.2 show ip eigrp neighbor 35
5.2.3 show ospf neighbor 35
5.2.4 show ip route eigrp 678 36
5.2.5 show ip route ospf <PID> 37
5.3 Operations & Traffic Flow for LAN (Internal) 38
5.3.1 show ip route 38
5.3.2 show ip route vrf secret 39
5.3.3 show ip route vrf confid 40
5.3.4 show ip route vrf restrict 40
5.3.5 show ip eigrp neighbors 41
5.3.6 show ip ospf neighbor 41
5.3.7 show ip vrf <vrf-name> 42
5.4 Traffic Flow 44
5.4.1 ping vrf <vrf-name> 44
5.4.2 Traceroutes 44
5.5 Troubleshooting Tips 45
5.5.1 Root Causes 45
5.5.2 Initial questions to ask 45
5.5.3 Typical fixes 46
5.5.4 General VRF-lite Troubleshooting 46
6 Full Configuration 47
6.1 Network Diagram 47
6.2 NGN (External) Internet Perimeter Edge Routers 47
6.3 NGN (External): Zone Routers 52
6.4 Policy Enforcement: Cisco ASA/PIX Firewall 61
6.5 NGN (Internal): LAN Core 63
6.6 NGN (Internal): LAN Distribution 76
6.7 NGN (Internal): Access or Building (Routing) 91
6.8 NGN (Internal): Access or Building (Switching) 92
1 Introduction
Many sites focus on providing training towards certifications or exams. These are important
for career development; we ourselves hold the CCIE, CCNP, and CCNA certifications, so we
know that they are very valuable to your network engineering career. However, they do not
teach the practical networking that is relevant for network engineers and consultants in the
real world.
Our training format is instead based on providing practical solutions and technologies that
are deployed in real working environments. Our training workbooks provide four major
components for learning:
Concepts
Design
Configuration
Monitor
Learn the concepts that matter in terms of the components and protocols involved for a
technology's operation.
Learn how to design a network solution with practical steps, considerations, and tools for
your company or clients.
Learn how to configure a network with best practices and get operational step-by-step. We
also include full working configuration files of the network design.
Learn how to monitor, troubleshoot, and confirm the operational state of your configured
network.
All four are important for network engineers and consultants to know how to manage a
network in real time.
2 Concepts
MPLS VPN and VRF are often confused. VPN Routing and Forwarding (VRF) is the
technology that allows isolating Layer 3 domains on the same physical hardware or
infrastructure. MPLS VPN is a label switching technology that works by making VRF domains
scalable across many sites and clients.
MPLS VPN contains more configuration requirements and components such as:
MPLS also has high network equipment requirements such as the Cisco Catalyst 6500 series
or any of the Cisco 7000 series routers as an example. MPLS VPN is also geared for large
networks and service provider networks.
But what about smaller or medium-sized networks, including support on more hardware
models, perhaps a little smaller like the Cisco ISR series?
VRF-lite is that solution. VRF-lite essentially eliminates the MPLS components of LDP/TDP
and MP-BGP.
The VRF technology is essentially extended across other components besides the PE
device, which is the most common for MPLS networks. VRFs can be extended down to the
CE, hence the term Multi-CE or even to a LAN Core device.
VRF-lite can be deployed across many different types of solutions, from LAN/Campus and
Data Center to WAN/MAN and DMVPN technologies.
VRF-lite provides path-isolated networks (e.g. Confidential, Secret, and Top Secret) that are
kept separate from each other, so there is no route or traffic leakage between them.
VRF can work with other services or features if they are VRF-aware, such as IP routing
protocols, Multicast, NAT, and HSRP. If you are deploying VRF, confirm which services are
VRF-aware and which are not.
VRF-lite can be scalable up to 128 VRF-lite instances, but depending on hardware this
number may vary, so confirm this information based on the most recent VRF-lite
whitepapers.
To support multiple VRFs on a network infrastructure, a VLAN for each unique subnet is
needed, and the interconnects between the devices on the network are 802.1q trunk links.
The interconnects should also be 10 Gigabit links or port-channels of many ports to provide
higher throughput and headroom for continued growth.
3 Design
3.1 Our Design with VRF-lite
So, what is this network infrastructure doing exactly? In this design we have our internal
network, which consists of Core, Distribution, and Access layers making up our LAN
Campus environment. The Core will be the backbone for the entire network. The Distribution
will provide routing for the access networks (users, servers, etc.), including extending its
routing adjacencies to the LAN Core. The Access networks will be either wiring closets with
desktops and IP phones, or buildings that have their own internal network infrastructure.
Connectivity to an Access network can be established via routing adjacencies, where the far
end controls which routes are advertised to the rest of the network. Or the access network
can be Layer 2, where the downlink from the Distribution is an 802.1q trunk carrying the
specific networks desired for the access users in that wiring closet or building.
Now on to the network virtualization piece. There are many ways to virtualize our network,
mainly with GRE tunnels, MPLS VPNs, or the scaled-down version of MPLS called VRF-lite.
In our design we have four different networks (Top Secret, Secret, Confidential, and
Restricted) that need to be completely separated from each other in terms of routing. If one
network wants to communicate with another, we force the routing to the Zone router. There
the Zone router routes between the two networks and sends the traffic across another
routing neighbor. Security enforcement, in terms of policy and access rights between the
different networks, is done on the Cisco PIX device. That is why we force routing through the
Zone layer: so we can apply security policies there. So, to build four separate routing
domains and virtualize these networks, we use VRF-lite.
In our design we will configure VRF-lite on the Core and Distribution, which creates a routing
domain (or routing table) for each network, independent from the other networks. Each
network will have its own routing table, and routing neighbors will be formed between the
VRF-lite instances on the Core and Distribution. We will then create a routing relationship
from each virtualized network on the Core to our Zone router to enforce policy.
Within this design we will configure a basic IP Multicast setup using IP PIM Sparse Mode.
There we can configure a different Multicast domain for each virtualized network. At the
time of this design and deployment, VRF-lite support for IPv6 unicast and multicast routing
was not yet available; Cisco TAC notes that it will be available in a short time.
The one thing you will notice with our virtualized networks is that only three are configured to
be virtualized (via VRF-lite). One network, Top Secret, will be configured natively to use the
native routing table and other relationships. This is a good way to really see this separation.
When we say native, we mean the normal functions on how you would normally configure a
routing protocol or interface. The configurations will reflect this.
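To make the path isolation described above concrete, here is an added Python model (not the page's or Routehub's code) of how a VRF-lite switch forwards: the VRF bound to the ingress interface selects which routing table is consulted, and a destination that lives in another VRF is reachable only through that table's default route toward the Zone router. The model also keeps a native ("global") table for the Top Secret network, as this design does. Table contents, the Vlan210 and Vlan100 interfaces and all next-hop addresses are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample routing tables: one per VRF-lite instance plus the native
# ("global") table used for the Top Secret network. Prefixes and next hops are
# illustrative assumptions, not values from the page's network diagram.
RIBS: Dict[str, List[Tuple[str, str]]] = {
    "global": [("10.254.0.0/24", "connected"), ("0.0.0.0/0", "10.11.2.2")],
    "secret": [("10.254.100.0/24", "connected"), ("10.254.101.0/24", "connected"),
               ("10.43.2.0/30", "connected"), ("0.0.0.0/0", "10.43.2.2")],
    "confid": [("10.254.110.0/24", "connected"), ("0.0.0.0/0", "10.44.2.2")],
}

# Interface-to-VRF binding, i.e. the effect of "ip vrf forwarding <name>" on an SVI.
# Vlan210 (Confidential) and Vlan100 (Top Secret, no binding) are assumed interfaces.
IFACE_VRF: Dict[str, str] = {
    "Vlan200": "secret", "Vlan201": "secret", "Vlan210": "confid", "Vlan100": "global",
}


def lookup(vrf: str, dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match restricted to one VRF's table.
    Returns (prefix, next_hop), or None when the table has no matching route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, next_hop in RIBS[vrf]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def forward(ingress_iface: str, dst: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Forwarding decision for a packet arriving on ingress_iface: the VRF is chosen
    by the ingress interface and only that VRF's table is consulted, so a host in
    another VRF is never 'connected' from here, even though it sits on the same box."""
    vrf = IFACE_VRF[ingress_iface]
    return vrf, lookup(vrf, dst)


def reachable_without_default(vrf: str, dst: str) -> bool:
    """Would dst still be reachable from this VRF if the default route toward the
    Zone router were withdrawn? Cross-VRF destinations should answer False."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p, _ in RIBS[vrf] if p != "0.0.0.0/0")


if __name__ == "__main__":
    # A Secret client (Vlan200) sending to a Confidential host: only the default
    # route matches, so the packet goes to the Zone router, where policy is applied.
    print(forward("Vlan200", "10.254.110.5"))
    # The same destination seen from the Confidential VRF is directly connected.
    print(forward("Vlan210", "10.254.110.5"))
```

Note that in VRF-lite the rd and route-target statements are required by the ip vrf syntax, but without MP-BGP no route is imported from one VRF into another; the only path between the Secret and Confidential tables in this model is the default route, which is exactly why the design points it at the Zone router behind the firewall.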
Some of the technologies deployed as part of this overall design are the following:
This training document will show you the actual working configuration and some show
commands on the working operation of this network design. We have also included a lot of
best practice configuration with our implementation.
3.2 Requirements
First, we need to determine all the business and technical requirements. Understand what is
needed, the expectations involved, budgetary considerations, network services, security
regulations, and much more, as outlined by the company or business.
We would gather details for building our design based on the following:
Requirements and Expectations
Traffic
Budgetary Considerations
Existing Components and Services
Technical Objectives
The technical objectives are what define best practices and recommendations in a network
design. These are often challenges that many networks face early on or further down the
road. When there are issues, it is usually because one of the objectives was not met or
considered during the design phase.
Below are the technical objectives our design should consider, include, and bring up with the
requirements gathering:
Performance
Reliability
Scalability
Security
Flexibility
Network Management
3.3 Solutions and Topology
At a high level, a solution is the part of the network that deals with a specific function or task
based on the requirements gathered. Many of the network solutions listed here require the
existence of other solutions to work. The one network solution that is required by all
solutions is the LAN solution, which is essentially the network backbone that connects all
the other solutions together.
Once the solutions have been determined it is time to build our topology. The topology is
basically the framework of our design; it does not yet contain any technologies, services,
protocols, or hardware devices by name. We are essentially just building a street with
nothing on it.
There are many ways to build a design and usually common topologies and case studies are
often used.
These topologies really include tier levels in the design. One way to explain is with a LAN
topology which is often discussed in many networking textbooks. A best practice and
recommended LAN would consist of a LAN Core, LAN Distribution, and LAN Access. This is
a tier level model consisting of 3 tier levels, each with a certain ideal purpose.
A LAN Access provides direct access to nodes like computers, printers, IP Phones, access
points, etc. LAN Distribution deals with aggregating the traffic from the Access layer
including other roles with routing, switching, and security policies. And the LAN Core is seen
at the backbone where the LAN Distribution connects into providing high-speed switching
and forwarding. This three tier model accommodates much of the technical objectives
especially with scalability and reliability among others. But a 3-tier model is often seen with
larger networks.
Some solutions typically can have 1 or 2 tiers in most designs. Again 3 tier designs are often
seen with large size networks or very large networks. But some of the tier levels can be
consolidated where needed and the hardware that you choose that can also change the tier
level in the design. For example, an Internet Edge solution typically consists of 3 tiers (the
Edge Router, the Edge Switch, and the Perimeter Firewall). Well nowadays the edge switch
has been eliminated being integrated with the Edge Router leaving us with a 2 tier model,
which is the most common, however, the firewall services can also be integrated with our
Edge router that provide stateful firewall inspection with capabilities such as rACL (Reflexive
ACL) or CBAC. Thus, our Internet Edge device can be a 1 tier model.
2 tier models are very common for small and medium sized networks.
3.4 Topology Services and Sub-Services
Topology sub-services are the extended features within the services of the network design.
For example, one of our topology services could be Routing using OSPF. OSPF has many
design considerations and best practices, which can include configuring route
summarization within a LAN Distribution to send summary routes up to a LAN Core. Another
common OSPF best practice is stub routing within the LAN Access network, among other
sub-services.
For MPLS, which is a topology service, these are sub-services that can be deployed with
MPLS.
General
Route Reflectors
VRF Selection
Traffic Engineering (TE)
Extranet
MPLS over GRE, MPLS over DMVPN
QoS service to MPLS VPN
IPv6
Internet Access service
Multicast service to MPLS VPN
3.5 Hardware & Software
The hardware can be from any vendor, not only Cisco. Make sure the hardware chosen
supports the requirements and services in our design, including considerations for the
business size of the network and the technical objectives.
In our design, the hardware for this infrastructure will consist of the following:
4 Configuration
This document is a companion to the main configuration guide presented. It is focused on
showing you how to configure VRF-lite step-by-step for some of the devices in the network
diagram.
The VRF-lite design has different components with different configuration purposes. We will
show how to configure one of our LAN Distributions, LAN Core and Zone for one of the VRF
networks, Secret. Implementing the others would be the same steps.
4.1 Initial Configuration
Second, complete all basic configuration for all devices based on the following:
Configure all interfaces based on the network diagram in terms of IP addressing and subnet
mask.
First, confirm that all interfaces are up and running. This command shows all interfaces and
their status in a brief view. Confirm that every configured interface shows an up/up status.
show ip interface brief
Second, confirm basic network connectivity by pinging the directly connected IP address of
the other router. Do this for each device.
4.2 LAN Distribution (dsr01)
VLANs 200, 201, and 250 will be used for the various servers and desktops designated for
the Secret network.
VLANs 295 and 299 will be used only between other switches (csr01 and dsr02) to extend
the virtualized Secret network to the LAN Core and the secondary LAN Distribution L3
switch. Remember, refer to the network diagram for how the VLANs are connected and
used.
vlan 200
name secret-vlan1
!
vlan 201
name secret-vlan2
!
vlan 250
name secret-testbed
!
vlan 295
name secret-ict-295
!
vlan 299
name secret-ict-299
Now we have configured our VLANs for the Secret network. As you will see in the network
diagram, we are using VLAN 250 for servers/desktops on our Secret network. Since VLAN
250 is the only VLAN that is extended to the other switch, dsr02 (for reliability reasons), we
have a Layer 2 loop, so Spanning Tree will have to deal with it. We will make dsr01 the
primary root bridge for VLAN 250, leaving the default STP bridge priority on dsr02 intact,
which is 32768.
We will configure Root Guard on the downstream trunk, which prevents the connected switch
from becoming the Root Bridge for any VLAN. We will also disable Dynamic Trunking
Protocol (DTP) messages rather than relying on DTP to negotiate the trunking protocol; we
have manually set the encapsulation of choice to 802.1q.
The default switchport mode is dynamic; here we statically configure the mode to be a trunk.
Lastly, carrier-delay is configured to 0 msec as a best practice so that Cisco IOS does not
throttle the notification when an interface fails. This gives faster convergence and faster
failure notification to our routing protocols, which are configured to converge quickly.
interface GigabitEthernet0/12
description Switching to Building
switchport trunk encapsulation dot1q
switchport trunk allowed vlan add 250
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
spanning-tree guard root
interface GigabitEthernet0/1
description TO: dsr02 Gi0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan add 200,201,250,295
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
interface GigabitEthernet0/2
description TO: csr01 Gi1/0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan add 299
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
ip vrf secret
rd 10:200
route-target export 10:200
route-target import 10:200
interface Vlan200
description VLAN: SECRET Client network
ip vrf forwarding secret
ip address 10.254.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan201
description VLAN: SECRET Server network
ip vrf forwarding secret
ip address 10.254.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan250
description Secret testbed
ip vrf forwarding secret
ip address 10.254.102.21 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan295
description ICT: Secret Inter-Connection
ip vrf forwarding secret
ip address 10.43.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
We will advertise all of our connected L3 interfaces and networks configured for the Secret
network. Continuing with best practices we will summarize routes from the Distribution into
our LAN Core using the area X range command.
We will configure MD5 authentication on all OSPF-enabled interfaces to control which routers
can establish neighbor relationships and exchange routes.
For the OSPF Fast Timers, many numbers are usually brought up and discussed during best
practice configuration. Here we are configuring our hello timer to every 1-second with its
dead timer being 3 seconds if no hello messages are received. Our Routing NCG package
provides another way to increase fast convergence to sub-second (msec) times.
interface Vlan200
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 094F471A1A0A464058
!
interface Vlan201
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 <key>
interface Vlan200
ip pim sparse-mode
!
interface Vlan201
ip pim sparse-mode
!
interface Vlan250
ip pim sparse-mode
!
interface Vlan295
ip pim sparse-mode
!
interface Vlan299
ip pim sparse-mode
4.3 LAN Core (csr01)
VLANs 294, 298, and 299 will be used only between other switches (csr02, zsr01, and dsr01)
to extend the virtualized Secret network to the LAN Distribution, the primary Zone Router,
and the secondary LAN Core L3 switch. Remember, refer to the network diagram for how the
VLANs are connected and used.
vlan 294
name secret-ict-294
!
vlan 298
name secret-ict-298
!
vlan 299
name secret-ict-299
interface GigabitEthernet1/0/1
description TO: csr02 Gi1/0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan add 294
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
!
interface GigabitEthernet1/0/2
description TO: zsr01 Gi0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan add 298
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
!
interface GigabitEthernet1/0/3
description TO: dsr01 Gi0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan add 299
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
ip vrf secret
rd 10:200
route-target export 10:200
route-target import 10:200
interface Vlan294
description ICT: Secret Inter-Connection
ip vrf forwarding secret
ip address 10.33.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan298
description ICT: Secret Inter-Connection
ip vrf forwarding secret
ip address 10.21.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan299
description ICT: Secret Inter-Connection
ip vrf forwarding secret
ip address 10.31.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
We will advertise all of our connected L3 interfaces and networks configured for the Secret
network.
We will configure MD5 authentication on all OSPF-enabled interfaces to control which routers
can establish neighbor relationships and exchange routes.
For the OSPF Fast Timers, many numbers are usually brought up and discussed during best
practice configuration. Here we are configuring our hello timer to every 1-second with its
dead timer being 3 seconds if no hello messages are received. Our Routing NCG package
provides another way to increase fast convergence to sub-second (msec) times.
interface Vlan294
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 14141B180F0B7B7977
ip ospf hello-interval 1
ip ospf dead-interval 3
!
interface Vlan298
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 05080F1C22431F5B4A
ip ospf cost 10
ip ospf hello-interval 1
ip ospf dead-interval 3
!
interface Vlan299
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 01100F175804575D72
ip ospf cost 10
ip ospf hello-interval 1
ip ospf dead-interval 3
interface Vlan294
ip pim sparse-mode
!
interface Vlan298
ip pim sparse-mode
!
interface Vlan299
ip pim sparse-mode
4.4 Internet Perimeter Zone (zsr01)
VLANs 293 and 298 will be used only between other switches (csr01 and zsr02) to extend
the virtualized Secret network from the LAN Distribution and LAN Core VRF networks.
Remember, refer to the network diagram for how the VLANs are connected and used.
vlan 293
name secret-ict-293
!
vlan 298
name secret-ict-298
interface GigabitEthernet0/1
description TO: zsr02 Gi0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 293
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
interface GigabitEthernet0/3
description TO: csr01 Gi1/0/2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 298
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
Remember, at the Zone network NO VRFs are configured. This is the point where all
networks (Top Secret, Secret, etc.) are present together in one global routing table. The PIX
firewall between the LAN Core and the Zone router is what prevents users of one network
from reaching the other, separate networks directly. Everyone is routed to the Zone network
so that the firewalls can enforce the security policy.
Configure our IP addresses and, as a best practice, disable IP redirects, unreachables, and
proxy ARP.
interface Vlan293
description ICT: Secret Inter-Connection
ip address 10.23.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan298
description ICT: Secret Inter-Connection
ip address 10.21.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
We will also redistribute routes from our other routing protocols into this OSPF routing
domain, controlling which routes are injected into the Secret routing domain. We will also
configure an OSPF default route via default-information originate always toward our LAN
Core and LAN Distribution, forcing all gateway-of-last-resort traffic through the Zone router
and on to the other networks (e.g. Top Secret, Restricted, etc.).
We will advertise all of our connected L3 interfaces and networks configured for the Secret
network.
router ospf 20
router-id 10.21.2.1
log-adjacency-changes
redistribute eigrp 678 subnets
redistribute ospf 21 subnets
redistribute ospf 22 subnets
network 10.21.2.0 0.0.0.3 area 0
network 10.23.2.0 0.0.0.3 area 0
default-information originate always
distribute-list topsecret-net-acl out eigrp 678
distribute-list confid-net-acl out ospf 21
distribute-list restrict-net-acl out ospf 22
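The three distribute-lists above are the single control point that decides which prefixes from the other classification networks appear inside the Secret OSPF domain. The Python model below is an added example, not the page's configuration or Routehub's code: each "distribute-list <acl> out <source>" permits a route only when its network address falls inside an entry of that standard ACL, everything else is implicitly denied, and the default route is injected regardless because of "default-information originate always". The page does not list the contents of topsecret-net-acl, confid-net-acl or restrict-net-acl, so every prefix here is a constructed assumption.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed routes learned by the Zone router from each source protocol. The page
# names the sources (eigrp 678, ospf 21, ospf 22) but not their prefixes.
SOURCE_ROUTES: Dict[str, List[str]] = {
    "eigrp 678": ["10.254.0.0/24", "10.254.1.0/24", "192.0.2.0/24"],         # Top Secret
    "ospf 21":   ["10.254.110.0/24", "10.254.111.0/24", "198.51.100.0/24"],  # Confidential
    "ospf 22":   ["10.254.120.0/24", "203.0.113.0/24"],                      # Restricted
}

# "distribute-list <acl> out <source>": the named ACL filters routes redistributed
# out of <source> into this OSPF process. ACL contents below are assumptions; a
# standard ACL matches on the route's network address and ends in an implicit deny.
DISTRIBUTE_LISTS: Dict[str, Tuple[str, List[str]]] = {
    "eigrp 678": ("topsecret-net-acl", ["10.254.1.0/24"]),
    "ospf 21":   ("confid-net-acl", ["10.254.111.0/24"]),
    "ospf 22":   ("restrict-net-acl", []),  # nothing permitted: implicit deny only
}


def permitted(route: str, acl_entries: List[str]) -> bool:
    """Standard-ACL semantics: permit when the route's network address is covered
    by any entry. Anything not matched is denied."""
    net = ipaddress.ip_network(route)
    return any(net.network_address in ipaddress.ip_network(e) for e in acl_entries)


def redistributed_into_ospf20(filtered: bool = True) -> Dict[str, str]:
    """Routes that enter the Secret OSPF domain, mapped to the source they came from.
    filtered=False ignores the distribute-lists and shows what a bare
    'redistribute ... subnets' would push in from the other networks."""
    result: Dict[str, str] = {}
    for source, routes in SOURCE_ROUTES.items():
        _, entries = DISTRIBUTE_LISTS[source]
        for route in routes:
            if not filtered or permitted(route, entries):
                result[route] = source
    # default-information originate always: injected unconditionally, so the LAN
    # Core and Distribution still send all unknown traffic toward the Zone router.
    result["0.0.0.0/0"] = "default-information originate always"
    return result


def leaked_by_missing_filters() -> Set[str]:
    """Prefixes that would leak into the Secret domain if the distribute-lists
    were removed or misapplied: the check to run after any change to those ACLs."""
    return set(redistributed_into_ospf20(False)) - set(redistributed_into_ospf20(True))


if __name__ == "__main__":
    for prefix, source in redistributed_into_ospf20().items():
        print(f"OSPF 20 learns {prefix} via {source}")
    print("would leak without filters:", sorted(leaked_by_missing_filters()))
```

Because the filter is applied per source protocol, a route that is permitted for one source is still denied if it arrives from another, and a route whose network address sits outside every permitted entry (a broader aggregate, for example) is dropped even when it overlaps a permitted prefix.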
We will configure MD5 authentication on all OSPF-enabled interfaces to control which routers
can establish neighbor relationships and exchange routes.
For the OSPF Fast Timers, many numbers are usually brought up and discussed during best
practice configuration. Here we are configuring our hello timer to every 1-second with its
dead timer being 3 seconds if no hello messages are received. Our Routing NCG package
provides another way to increase fast convergence to sub-second (msec) times.
interface Vlan293
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 14141B180F0B7B7977
ip ospf hello-interval 1
ip ospf dead-interval 3
!
interface Vlan298
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 121A0C0411045D5679
ip ospf cost 10
ip ospf hello-interval 1
ip ospf dead-interval 3
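As an added example (not code from the guide), the following Python routine decodes Cisco IOS type 7 strings such as the `md5 7` keys in the interface configuration above. The XOR translation constant is the well-known value IOS uses for service password-encryption; the sample configuration embedded in the script is constructed from the two Secret inter-connection interfaces on this page, and the function names are the example's own. Run against the two keys shown, it recovers cisco123 on both interfaces, the same value the appendix uses as the login password of the firewall, which is exactly the kind of reuse an auditor wants to catch.

```python
"""Added example: recover Cisco IOS 'type 7' strings such as the 'md5 7' OSPF keys above.
Type 7 is a fixed-key XOR obfuscation applied by 'service password-encryption'; it is not a
hash, so a configuration file (or a training guide) that shows a type 7 string discloses the key."""
import re

# The fixed translation key IOS uses for type 7 (public knowledge for decades).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed from the Secret inter-connection interface configuration on this page.
SAMPLE_CONFIG = """\
interface Vlan293
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 14141B180F0B7B7977
!
interface Vlan298
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 121A0C0411045D5679
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
OSPF_KEY_RE = re.compile(r"^\s*ip ospf message-digest-key\s+\d+\s+md5\s+7\s+([0-9A-Fa-f]+)", re.I)


def decode_type7(encoded):
    """Return the plaintext of a type 7 string: two decimal seed digits, then hex pairs,
    each XORed with XLAT[(seed + position) % len(XLAT)]."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("type 7 strings are two seed digits followed by hex pairs")
    seed = int(encoded[:2])
    if seed >= len(XLAT):
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode("ascii")


def encode_type7(plaintext, seed=0):
    """Inverse of decode_type7, useful for round-trip checks; IOS picks a seed of 0-15."""
    data = plaintext.encode("ascii")
    body = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def recover_ospf_keys(config):
    """Map interface name -> recovered OSPF MD5 key for every 'md5 7' key in the config."""
    keys, iface = {}, None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif iface and (m := OSPF_KEY_RE.match(line)):
            keys[iface] = decode_type7(m.group(1))
    return keys


def shared_keys(keys):
    """Return the set of key values that are used on more than one interface."""
    values = list(keys.values())
    return {k for k in set(values) if values.count(k) > 1}


if __name__ == "__main__":
    found = recover_ospf_keys(SAMPLE_CONFIG)
    for iface, key in found.items():
        print(f"{iface}: {key}")
    print("reused on several interfaces:", shared_keys(found))
```

The practical takeaway is that `service password-encryption` protects against shoulder-surfing only; per-interface keys should be unique, long, and rotated, and a configuration that has been shared (as this one has) needs its keys replaced.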
Here we put the PIX firewall running OS 7.x into multiple-context mode and configure it as a
Transparent firewall, so that the established OSPF and EIGRP routing neighbors between the
LAN Core and the Zone routers can pass through the firewall. The firewall therefore acts as a
Layer 2 firewall, using VLANs and 802.1q trunking to fit our design. Even in transparent mode,
traffic arriving on the outside (lower security) interface, including the routing protocol
itself, is only forwarded if an access-list explicitly permits it, which is why each context
below permits IP protocol 89 (OSPF) or 88 (EIGRP).
mode multiple
firewall transparent
Next we configure two sub-interfaces for the Secret network. GigabitEthernet0 is the outside,
connecting to the Zone router, and GigabitEthernet1 is the inside, connecting to the LAN Core.
The .298 is the sub-interface being created and 298 is the VLAN already configured between
the LAN Core and Zone routers. Hence this sub-interface acts as an 802.1q trunk member carrying
VLAN 298, which is the isolated Secret network. The sub-interface definitions for every context
are listed in the ipfw01 system configuration in the appendix. Both legs of a context must
carry the same VLAN tag: a context given gigabitethernet 0.298 and 1.398 would bridge the
Secret and Confidential VLANs together at Layer 2, defeating the separation the VRFs provide.
context secret-fw
description This is the context for Secret network
Next, we allocate the interfaces that exist in this virtual firewall, which are the
sub-interfaces we created in the last step (allocate-interface, as shown per context in the
appendix).
Next, config-url specifies where the configuration for the Secret virtual firewall is stored,
and the remaining lines are that context's own configuration:
config-url disk0://secret-fw.cfg
hostname secret-fw
domain routehub.com
interface gigabitethernet 0.298
nameif outside
security-level 0
no shutdown
interface gigabitethernet 1.298
nameif inside
security-level 100
no shutdown
passwd secret123
enable password secret123
access-list secret-acl extended permit 89 any any
access-list secret-acl extended permit tcp any host 10.254.101.100 eq 8080
access-list secret-acl extended permit tcp any host 10.254.101.101 eq 22
access-list secret-acl extended permit tcp any host 10.254.101.102 eq 3389
access-group secret-acl in interface outside
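As an added example (not part of the original guide), the following Python script checks the two invariants that keep the context design above safe: every context allocates exactly one gigabitethernet 0 and one gigabitethernet 1 sub-interface carrying the same VLAN tag and no sub-interface is allocated to two contexts, and a context's outside ACL permits only the network's own routing protocol any-to-any, with every other permit pinned to a TCP/UDP destination host and port. The embedded configurations are constructed from the ipfw01 system configuration and the secret-fw context on this page (the config-url for restrict-fw is assumed because it is truncated in the appendix); the function names, and the deliberately wrong 1.398 allocation and permit ip any any rule used to exercise the checks, are the example's own.

```python
"""Added example: consistency checks for the multi-context transparent PIX on this page.
Each context must bridge ONE VLAN between gig0.<vlan> (Zone side) and gig1.<vlan>
(LAN Core side); gig0.298 with gig1.398 would bridge Secret into Confidential."""
import re

# Constructed from the ipfw01 system config on this page (restrict-fw's config-url is assumed).
SYSTEM_CONFIG = """\
context topsec-fw
 allocate-interface gigabitethernet 0.198
 allocate-interface gigabitethernet 1.198
 config-url disk0://topsec-fw.cfg
context secret-fw
 allocate-interface gigabitethernet 0.298
 allocate-interface gigabitethernet 1.298
 config-url disk0://secret-fw.cfg
context confid-fw
 allocate-interface gigabitethernet 0.398
 allocate-interface gigabitethernet 1.398
 config-url disk0://confid-fw.cfg
context restrict-fw
 allocate-interface gigabitethernet 0.498
 allocate-interface gigabitethernet 1.498
 config-url disk0://restrict-fw.cfg
"""
# Deliberate mistake for the demo: secret-fw's inside leg moved onto VLAN 398.
BAD_SYSTEM_CONFIG = SYSTEM_CONFIG.replace("gigabitethernet 1.298", "gigabitethernet 1.398")

# Constructed from the secret-fw context config on this page.
SECRET_FW_CONFIG = """\
access-list secret-acl extended permit 89 any any
access-list secret-acl extended permit tcp any host 10.254.101.100 eq 8080
access-list secret-acl extended permit tcp any host 10.254.101.101 eq 22
access-list secret-acl extended permit tcp any host 10.254.101.102 eq 3389
access-group secret-acl in interface outside
"""
BAD_SECRET_FW_CONFIG = SECRET_FW_CONFIG + "access-list secret-acl extended permit ip any any\n"

CTX_RE = re.compile(r"^context\s+(\S+)\s*$", re.I)
ALLOC_RE = re.compile(r"^\s*allocate-interface\s+gigabitethernet\s+(\d+)\.(\d+)\s*$", re.I)
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$", re.I)


def parse_contexts(system_config):
    """Return {context_name: [(physical_port, vlan), ...]} from a system-context config."""
    contexts, current = {}, None
    for line in system_config.splitlines():
        if m := CTX_RE.match(line):
            current = m.group(1)
            contexts[current] = []
        elif current and (m := ALLOC_RE.match(line)):
            contexts[current].append((int(m.group(1)), int(m.group(2))))
    return contexts


def check_system_context(system_config):
    """Findings: a context with legs on different VLANs, or a leg allocated twice."""
    findings, owners = [], {}
    for name, ifaces in parse_contexts(system_config).items():
        if len(ifaces) != 2 or sorted(p for p, _ in ifaces) != [0, 1]:
            findings.append(f"{name}: expected one gig0 and one gig1 sub-interface, got {ifaces}")
        vlans = sorted({v for _, v in ifaces})
        if len(vlans) > 1:
            findings.append(f"{name}: bridges different VLANs {vlans}, cross-connecting two networks")
        for iface in ifaces:
            if iface in owners:
                findings.append(f"{name}: gig{iface[0]}.{iface[1]} already allocated to {owners[iface]}")
            owners.setdefault(iface, name)
    return findings


def _addr(tokens):
    # Consume one ACL address spec: 'any' | 'host A' | 'A MASK'; return (kind, remaining tokens).
    if not tokens:
        return "missing", tokens
    if tokens[0].lower() == "any":
        return "any", tokens[1:]
    return ("host" if tokens[0].lower() == "host" else "net"), tokens[2:]


def check_context_acl(context_config, routing_protocol):
    """Findings: only the network's own routing protocol may be permitted any-to-any;
    every other permit must be TCP/UDP to a single destination host and port."""
    findings = []
    for line in context_config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(2).lower() != "permit":
            continue
        name, _, proto, rest = m.groups()
        proto = proto.lower()
        _, tokens = _addr(rest.split())   # source spec
        dst, tokens = _addr(tokens)       # destination spec, then optional 'eq PORT'
        if proto.isdigit():
            if int(proto) != routing_protocol:
                findings.append(f"{name}: permits IP protocol {proto}, but this network runs protocol {routing_protocol}")
        elif proto in ("tcp", "udp"):
            if dst != "host":
                findings.append(f"{name}: {proto} rule '{rest}' is not pinned to a single destination host")
            if len(tokens) < 2 or tokens[0].lower() != "eq":
                findings.append(f"{name}: {proto} rule '{rest}' has no destination port")
        else:
            findings.append(f"{name}: permits '{proto} {rest}', which is neither a routing protocol nor a pinned service")
    return findings
```

Running `check_system_context(BAD_SYSTEM_CONFIG)` reports both that secret-fw bridges VLANs 298 and 398 and that confid-fw's gig1.398 is already owned by secret-fw; the page's own allocation passes clean. Feeding the Secret context ACL with the Top Secret network's protocol (88) flags the OSPF permit, which is the check to run before copying one context's ACL into another.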
esr01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
zsr01#show ip route
csr01#show ip route
csr01#ping 10.254.102.23
5.4.2 Traceroutes
Using traceroute will also validate that traffic flows through our VRF-lite network the way we
designed it. Just like ping, traceroute confirms that traffic within a VRF is routed internally.
If routing to other VRFs or networks is needed, the traceroute should go from the LAN Core to
the LAN Zone router (passing through the L2 firewalls), then back down to the LAN Core in the
new VRF, and on to the LAN Distribution if the destination network exists on that device. This
is shown in the first traceroute example. The second traceroute example shows local traffic
flow within a VRF. A path that reaches another VRF without passing through the Zone router is
a leak between networks and must be investigated.
csr01#traceroute 10.254.102.23
Identifying the root cause and resolving it are two separate things. Fixing a problem will
usually involve one or more of the following:
A reboot may do it, or a software upgrade may be needed where a bug has emerged, and/or a
hardware replacement may be needed, though that is very rare.
The most common configuration issues are these:
Make sure the same RD (route distinguisher) is used for the same VRF on every device. With
VRF-lite the RD is only locally significant, so a mismatch will not by itself break routing, but
keeping it consistent avoids confusion and is required if MP-BGP/MPLS L3VPN is introduced later.
Remember that a VRF is like a VLAN, but for Layer 3 networks.
Also make sure the right interfaces are associated with (mapped to) the right VRF instance. An
interface placed in the wrong VRF puts its subnet into another classification network.
Those are the most common issues; more related issues will be added here as they come up.
ESR02
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback1 254
ip http server
!
!
!
ZSR01
>Global Configuration
mode multiple
firewall transparent
hostname ipfw01
password cisco123
enable password cisco123
admin-context admin
interface gigabitethernet 0
no shutdown
interface gigabitethernet 0.198
no shutdown
interface gigabitethernet 0.298
no shutdown
interface gigabitethernet 0.398
no shutdown
interface gigabitethernet 0.498
no shutdown
interface gigabitethernet 1
no shutdown
interface gigabitethernet 1.198
no shutdown
interface gigabitethernet 1.298
no shutdown
interface gigabitethernet 1.398
no shutdown
interface gigabitethernet 1.498
no shutdown
context topsec-fw
description This is the context for Top Secret network
allocate-interface gigabitethernet 0.198
allocate-interface gigabitethernet 1.198
config-url disk0://topsec-fw.cfg
context secret-fw
description This is the context for Secret network
allocate-interface gigabitethernet 0.298
allocate-interface gigabitethernet 1.298
config-url disk0://secret-fw.cfg
context confid-fw
description This is the context for Confidential network
allocate-interface gigabitethernet 0.398
allocate-interface gigabitethernet 1.398
config-url disk0://confid-fw.cfg
context restrict-fw
description This is the context for Restricted network
allocate-interface gigabitethernet 0.498
allocate-interface gigabitethernet 1.498
hostname topsec-fw
domain routehub.com
interface gigabitethernet 0.198
nameif outside
security-level 0
no shutdown
interface gigabitethernet 1.198
nameif inside
security-level 100
no shutdown
passwd topsec123
enable password topsec123
access-list topsec-acl extended permit 88 any any
access-list topsec-acl extended permit tcp any host 172.31.101.100 eq 443
access-list topsec-acl extended permit tcp any host 172.31.101.101 eq 22
access-list topsec-acl extended permit tcp any host 172.31.101.102 eq 25
access-group topsec-acl in interface outside
hostname secret-fw
domain routehub.com
interface gigabitethernet 0.298
nameif outside
security-level 0
no shutdown
interface gigabitethernet 1.298
nameif inside
security-level 100
no shutdown
passwd secret123
enable password secret123
access-list secret-acl extended permit 89 any any
access-list secret-acl extended permit tcp any host 10.254.101.100 eq 8080
access-list secret-acl extended permit tcp any host 10.254.101.101 eq 22
access-list secret-acl extended permit tcp any host 10.254.101.102 eq 3389
access-group secret-acl in interface outside
hostname confid-fw
domain routehub.com
interface gigabitethernet 0.398
nameif outside
security-level 0
no shutdown
interface gigabitethernet 1.398
nameif inside
security-level 100
no shutdown
passwd confid123
enable password confid123
access-list confid-acl extended permit 89 any any
access-list confid-acl extended permit tcp any host 172.18.101.100 eq 80
access-list confid-acl extended permit tcp any host 172.18.101.101 eq 22
access-list confid-acl extended permit tcp any host 172.18.101.102 eq 21
access-group confid-acl in interface outside
hostname restrict-fw
domain routehub.com
interface gigabitethernet 0.498
CSR02
DSR02