Routehub TUNNEL L3VPN VRF LITE PDF

Multi-CE VRF (VRF-lite)
Tunneling: L3VPN
Practical Cisco Training for Network Engineers & Consultants!
RouteHub Group, LLC

www.RouteHub.net
December 8, 2009
Preface i
ROUTEHUB GROUP END-USER LICENSE AGREEMENT
END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,
DO NOT OPEN OR USE THE TRAINING MATERIALS.
IMPORTANT! BE SURE TO CAREFULLY READ AND UNDERSTAND ALL OF THE RIGHTS AND RESTRICTIONS
SET FORTH IN THIS END-USER LICENSE AGREEMENT ("EULA"). YOU ARE NOT AUTHORIZED TO USE THIS
NETWORK CONFIGURATION GUIDE/TRAINING UNLESS AND UNTIL YOU ACCEPT THE TERMS OF THIS EULA.
This EULA is a binding legal agreement between you and ROUTEHUB GROUP, LLC (hereinafter "Licensor") for the
materials accompanying this EULA, including the accompanying computer Network Configuration Guide/Training, associated
media, printed materials and any "online" or electronic documentation (hereinafter the "Network Configuration Guide/Training").
By using the Network Configuration Guide/Training, you agree to be bound by the terms of this EULA. If you do not agree to
the terms of this EULA, do not install or attempt to use the Network Configuration Guide/Training.
The Guide & Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized
to use the Guide & Training Materials throughout the term of this License.
1. Grant of License
The Network Configuration Guide/Training is protected by copyright laws and international copyright treaties, as well as
other intellectual property laws and treaties. The Network Configuration Guide/Training is licensed, not sold. This EULA grants
you the following rights:
A. You may use, access, display and run only one copy of the Network Configuration Guide/Training, on a single
computer, workstation or terminal ("Computer"). The primary user of the Computer on which the Network Configuration
Guide/Training is installed may make a second copy for his or her exclusive use for archival purposes only.
B. You may store or install a copy of the Network Configuration Guide/Training on a storage device, such as a
network server, used only to run the Network Configuration Guide/Training on your other Computers over an internal network.
You must, however, acquire a license for each separate Computer on which the Network Configuration Guide/Training is run,
displayed or utilized from the server or similar device. A license for the Network Configuration Guide/Training may not be
shared or used concurrently on different Computers.
C. Your license rights under this EULA are non-exclusive. All rights not expressly granted herein are reserved by
Licensor.
D. You may not sell, transfer or convey the Network Configuration Guide/Training to any third party without
Licensor's prior express written consent.
2. Price and Payment
If you have not previously paid the license fee for the Network Configuration Guide/Training, then you must pay the
license fee within the period indicated in the applicable invoice sent to you by Licensor.
3. Support Services
This EULA is a license of the Network Configuration Guide/Training only, and Licensor does not assume any obligation
to provide maintenance, patches or fixes to the Network Configuration Guide/Training. Licensor further disclaims any obligation
to provide support or to prepare and distribute modifications, enhancements, updates and new releases of the Network
Configuration Guide/Training.
4. Replacement, Modification and/or Upgrades
Licensor may, from time to time, and for a fee, replace, modify or upgrade the Network Configuration Guide/Training.
When accepted by you, any such replacement or modified Network Configuration Guide/Training code or upgrade to the
Network Configuration Guide/Training will be considered part of the Network Configuration Guide/Training and subject to the
terms of this EULA (unless this EULA is superceded by a further EULA accompanying such replacement or modified version of
or upgrade to the Network Configuration Guide/Training).
ii
Preface
5. Termination
You may terminate this EULA at any time by destroying all your copies of the Network Configuration Guide/Training.
Your license to the Network Configuration Guide/Training automatically terminates if you fail to comply with the terms of this
agreement. Upon termination, you are required to remove the Network Configuration Guide/Training from your computer and
destroy any copies of the Network Configuration Guide/Training in your possession. No refund with the product will be
granted.
6. Copyright
A. All title and copyrights in and to the Network Configuration Guide/Training (including but not limited to any
images, photographs, animations, video, audio, music and text incorporated into the Network Configuration Guide/Training),
the accompanying printed materials, and any copies of the Network Configuration Guide/Training, are owned by Licensor or its
suppliers. This EULA grants you no rights to use such content. If this Network Configuration Guide/Training contains
documentation that is provided only in electronic form, you may print one copy of such electronic documentation. Except for
any copies of this EULA, you may not copy the printed materials accompanying the Network Configuration Guide/Training.
B. You may not reverse engineer, de-compile, disassemble, alter, duplicate, modify, rent, lease, loan, sublicense,
make copies of, create derivative works from, distribute or provide others with the Network Configuration Guide/Training in
whole or part, transmit or communicate the application over a network.
7. Export Restrictions
You may not export, ship, transmit or re-export Network Configuration Guide/Training in violation of any applicable law
or regulation including but not limited to Export Administration Regulations issued by the U. S. Department of Commerce.
8. Disclaimer of Warranties
LICENSOR AND ITS SUPPLIERS PROVIDE THE NETWORK CONFIGURATION GUIDE/TRAINING "AS IS" AND
WITH ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS,
IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO ANY (IF ANY) IMPLIED WARRANTIES OR CONDITIONS
OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF LACK OF VIRUSES, AND OF LACK OF
NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, OF
QUIET ENJOYMENT, OR OF NONINFRINGEMENT. THE ENTIRE RISK ARISING OUT OF THE USE OR PERFORMANCE
OF THE NETWORK CONFIGURATION GUIDE/TRAINING IS WITH YOU.
9. Limitation of Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR OR ITS
SUPPLIERS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE OR OTHER
DAMAGES WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE
NETWORK CONFIGURATION GUIDE/TRAINING AND WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT
LIABILITY OR OTHERWISE, EVEN IF LICENSOR OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. THIS EXCLUSION OF DAMAGES WILL BE EFFECTIVE EVEN IF ANY REMEDY FAILS OF ITS
ESSENTIAL PURPOSE.
10. Arbitration
Any dispute arising under this EULA will be subject to binding arbitration by a single Arbitrator with the American
Arbitration Association (AAA), in accordance with its relevant industry rules, if any. The parties agree that this EULA will be
governed by and construed and interpreted in accordance with the laws of the State of California. The arbitration will be held in
California. The Arbitrator will have the authority to grant injunctive relief and specific performance to enforce the terms of this
EULA. Judgment on any award rendered by the Arbitrator may be entered in any Court of competent jurisdiction.
11. Severability
If any term of this EULA is found to be unenforceable or contrary to law, it will be modified to the least extent necessary
to make it enforceable, and the remaining portions of this Agreement will remain in full force and effect.
12. No Waiver
Preface iii
No waiver of any right under this EULA will be deemed effective unless contained in writing signed by a duly authorized
representative of the party against whom the waiver is to be asserted, and no waiver of any past or present right arising from
any breach or failure to perform will be deemed to be a waiver of any future rights arising out of this EULA.
13. Entire Agreement
This EULA constitutes the entire agreement between the parties with respect to its subject matter, and supersedes all
prior agreements, proposals, negotiations, representations or communications relating to the subject matter. Both parties
acknowledge that they have not been induced to enter into this EULA by any representations or promises not specifically
stated herein.
iv
Preface
Table of Contents
1 Introduction 7
2 Concepts 8
3 Design 10
3.1 Our Design with VRF-lite 10
3.2 Requirements 11
3.3 Solutions and Topology 12
3.4 Topology Services and Sub-Services 13
3.5 Hardware & Software 14
3.6 Network Diagram 15
4 Configuration 16
4.1 Initial Configuration 16
4.2 LAN Distribution (dsr01) 17
4.3 LAN Core (csr01) 22
4.4 Internet Perimeter Zone (zsr01) 26
4.5 Perimeter Firewall (Cisco ASA/PIX OS 7.x) 30
5 Monitor 32
5.1 Operations for Internet Perimeter Edge Router 32
5.1.1 show ip route 32
5.2 Operations for Zone Routers (External) 34
5.2.2 show ip eigrp neighbor 35
5.2.3 show ospf neighbor 35
5.2.4 show ip route eigrp 678 36
5.2.5 show ip route ospf <PID> 37
5.3 Operations & Traffic Flow for LAN (Internal) 38
5.3.2 show ip route vrf secret 39
5.3.3 show ip route vrf confid 40
5.3.4 show ip route vrf restrict 40
5.3.5 show ip eigrp neighbors 41
5.3.6 show ip ospf neighbor 41
5.3.7 show ip vrf <vrf-name> 42
5.4 Traffic Flow 44
5.4.1 ping vrf <vrf-name> 44
Preface v
5.4.2 Traceroutes 44
5.5 Troubleshooting Tips 45
5.5.1 Root Causes 45
5.5.2 Initial questions to ask 45
5.5.3 Typical fixes 46
5.5.4 General VRF-lite Troubleshooting 46
6 Full Configuration 47
6.1 Network Diagram 47
6.2 NGN (External) Internet Perimeter Edge Routers 47
6.3 NGN (External): Zone Routers 52
6.4 Policy Enforcement: Cisco ASA/PIX Firewall 61
6.5 NGN (Internal): LAN Core 63
6.6 NGN (Internal): LAN Distribution 76
6.7 NGN (Internal): Access or Building (Routing) 91
6.8 NGN (Internal): Access or Building (Switching) 92
vi
Preface
1 Introduction
Many sites focus on providing training towards certifications or exams. These are important
for career development as we possess the CCIE, CCNP, and CCNA certifications. So we
know that they are very valuable to your network engineering career, however, they do not
teach practical network training relevant for network engineers and consultants in the real
world.
This is what our training format is based upon providing practical solutions and technologies
that are deployed in real working environment. Our training workbooks provide four major
components for learning.
Concepts
Design
Configuration
Monitor
Learn the concepts that matter in terms of the components and protocols involved for a
technology's operation.
Learn how to design a network solution with practical steps, considerations, and tools for
your company or clients.
Learn how to configure a network with best practices and get operational step-by-step. We
also include full working configuration files of the network design.
Learn how to monitor, troubleshoot, and confirm the operational state of your configured
network.
All four are important for network engineers and consultants to know how to manage a
network in real time.
RouteHub Group, LLC Page 7 www.routehub.net

2 Concepts
Multi-CE VRF or VRF-lite is considered as a scaled down version of MPLS or a light-weight

version of MPLS.
MPLS VPN and VRF are often confused. VPN Routing and Forwarding (VRF) is the
technology that allows isolating layer 3 domains on the same physical hardware or
infrstructure. MPLS VPN is a label switching technology that work by making VRF domains
scalable across many sites and clients.
MPLS VPN contains more configuration requirements and components such as:
VPN Routing and Forwarding (VRF)

LDP or TDP for the Label Switching Protocol
MP-BGP for peering between PE devices
IGP Routing using either OSPF or ISIS for routing within the MPLS cloud
MPLS also has high network equipment requirements such as the Cisco Catalyst 6500 series
or any of the Cisco 7000 series routers as an example. MPLS VPN is also geared for large
networks and service provider networks.
But, what about smaller or medium size networks including support on more hardware
models, prehaps a little smaller like the Cisco ISR series.
VRF-lite is that solution. VRF-lite basically eliminates the MPLS components of LDP/TDP
and MP-BGP.
The VRF technology is essentially extended across other components besides the PE
device, which is the most common for MPLS networks. VRFs can be extended down to the
CE, hence the term Multi-CE or even to a LAN Core device.
VRF-lite can be deployed across many different types of solutions such as LAN/Campus,
Data Center, WAN/MAN to DMVPN technologies.
VRF-lite provides a path isolated network (e.g. Confidential, Secret, and Top Secret) between
each other, so there is no route or traffic leakage.
VRF can work with other servcies or features if they are VRF-aware such as IP routing
protocols, Multicast, NAT, and HSRP. If you are deploying VRF confirm what services are
VRF-Aware and non-VRF-Aware.
VRF-lite can be scalable up to 128 VRF-lite instances, but depending on hardware this
number may vary, so confirm this information based on the most recent VRF-lite
whitepapers.
To support multple VRFs on a network infrastructure the use of VLANs for each unique
subnet is needed and the interconnects between the devices on the network would be 802.1q
trunking links. The interconnects should also consist of 10g or many port-channels to provide
higher throughput and resources with continued growth.

The bottom line is that VRF-lite is a good design solution for large companies (or any size)
with high security requirements for isolating a small number of networks without using
multiple separate hardware components for each network. This solution is very scalable and
robust for small and medium sized networks needing to virtualize routing domains on same
network infrastructure.

3 Design
3.1 Our Design with VRF-lite

This design is considered as one design solution for the Next Generation Network (NGN).
This is a solution that will detail many technologies and provide strong level of security,
growth, and ease of administration.
So, what is this network infrastructure doing exactly? In this design we have our internal
network, which consist of a Core, Distribution, and Access layers making up our LAN
Campus environment. The Core we be the backbone for the entire network. The Distribution
will provide routing capabilities for the access networks (users, servers, etc) including
extending its routing establishment with the LAN Core. The Access networks will be either
wiring closets with desktops and IP phones or buildings which will have their own network
infrastructure internally to them. The connectivity to the Access network can be established
via routing adjacencies where the other end is controlling the routes to be advertised to the
rest of the network. Or the access network can be Layer-2 where the downlink from the
Distribution is an 802.1q trunk carrying specific networks desired for the access users in that
Wiring closet or building.
Now on to the network virtualization piece. There are many ways to virtualize our network,
which can be done mainly with GRE tunnels, MPLS VPNs or the scaled down version of
MPLS called VRF-lite. In our design we have four different networks (Top Secret, Secret,
Confidential, and Restricted) and need to be completely separated from each other in terms
of routing. If one of the networks wants to communicate with another network we need to
force our routing to the Zone router. There the Zone router will route between the two
networks and send it across another routing neighbor. The security enforcement in terms of
policy and access rights for access between different networks is done on the Cisco PIX
device. That is why we are forcing our routing through Zone layer, so we can apply security
policies. So, for us to accomplish four separate routing domains or virtualize these networks
we can use VRF-lite to accomplish this.
Our design we will configure VRF-lite on the Core and Distribution, which will create a routing
domain (or routing table) for each network to be independent from the other networks. Each
will have their own routing table and the routing neighbors will be formed between the two
VRF-lite setups between the Core and Distribution. We will then create a routing relationship
from each virtualized network on the Core and establish them with our Zone router to enforce
policy.
Within this design we will configure a basic IP Multicast setup using IP PIM Sparse Mode.
There I can configure a different Multicast domain for each virtualized network configured. At
the time of this design and deployment of VRF-lite support with IPv6 Unicast and Multicast
routing is not yet available. Cisco TAC notes that this will be available in short time.
The one thing you will notice with our virtualized networks is that only three are configured to
be virtualized (via VRF-lite). One network, Top Secret, will be configured natively to use the
native routing table and other relationships. This is a good way to really see this separation.
When we say native, we mean the normal functions on how you would normally configure a
routing protocol or interface. The configurations will reflect this.
Below are some of the technologies deployed and part of this overall design is the following:

LAN Switching
OSPF
EIGRP
IP Multicast (PIM Sparse Mode)
Firewall Virtualization (using Security contexts)
Best Practices and Standards
VRF-lite
This training document will show you the actual working configuration and some show
commands on the working operation of this network design. We have also included a lot of
best practice configuration with our implementation.
3.2 Requirements
First, we need to determine all the business and technical requirements. Understand what is
needed, the expectations involved, budgetary considerations, network services, security
regulations, and more much outlined by the company or business
We would gather details for building our design based on the following:
Requirements and Expectations
Traffic
Budgetary Considerations
Existing Components and Services
Technical Objectives
The technical objectives are what define best practices and recommendations in a network
design. These are often challenges that many networks face early or further down the road
with a network. When there are issues its usually due to one of the objectives that were no
met or considered during the design phase.
Below are the technical objectives our design should consider, include, and bring up with the
requirements gathering:
Performance
Reliability
Scalability
Security
Flexibility
Network Management

3.3 Solutions and Topology
Once the requirements and objectives have been gathered, that info will help with the design
process of our solutions and topology.
At a high level the solutions is the network that deals with a specific function or task based on
the requirements gathered. Many network solutions listed here do require the existing of
other solutions to work. The one network solution that is required for all solutions is the LAN
solution which is essentially the network backbone that connects all the other solutions
together.
Below are the solutions we can choose from.

Local Area Network (LAN)
Wide Area Network (WAN), Metropolitan Area Network (MAN)
Voice & Unified Communications
Internet Edge
Wireless
Data Center
Once the solutions have been determined it is time to build our topology. The topology is
basically the framework in our design that doesnt contain any technologies, services,
protocols, or hardware devices by name yet. We are essentially just building a street with
nothing on it.
There are many ways to build a design and usually common topologies and case studies are
often used.
These topologies really include tier levels in the design. One way to explain is with a LAN
topology which is often discussed in many networking textbooks. A best practice and
recommended LAN would consist of a LAN Core, LAN Distribution, and LAN Access. This is
a tier level model consisting of 3 tier levels, each with a certain ideal purpose.
A LAN Access provides direct access to nodes like computers, printers, IP Phones, access
points, etc. LAN Distribution deals with aggregating the traffic from the Access layer
including other roles with routing, switching, and security policies. And the LAN Core is seen
at the backbone where the LAN Distribution connects into providing high-speed switching
and forwarding. This three tier model accommodates much of the technical objectives
especially with scalability and reliability among others. But a 3-tier model is often seen with
larger networks.
Some solutions typically can have 1 or 2 tiers in most designs. Again 3 tier designs are often
seen with large size networks or very large networks. But some of the tier levels can be
consolidated where needed and the hardware that you choose that can also change the tier
level in the design. For example, an Internet Edge solution typically consists of 3 tiers (the
Edge Router, the Edge Switch, and the Perimeter Firewall). Well nowadays the edge switch
has been eliminated being integrated with the Edge Router leaving us with a 2 tier model,
which is the most common, however, the firewall services can also be integrated with our
Edge router that provide stateful firewall inspection with capabilities such as rACL (Reflexive
ACL) or CBAC. Thus, our Internet Edge device can be a 1 tier model.
2 tier models are very common for small and medium sized networks.

3.4 Topology Services and Sub-Services
Once the topology has been determined (or narrowed down), the next thing to determine is
the topology services that will overlay on-top of our topology.
This can include the following services:

Routing & Switching
Security & VPN
Tunneling
Voice & Unified Communications
Wireless
Other Technologies (like QoS and HSRP)
Topology sub-services deals with the extended features within the services within the
network design.
For example, one of our topology services could be Routing using OSPF. Well OSPF has
many design considerations and best practices that can include configuring route
summarization within a LAN Distribution to send summary routes up to a LAN Core. A
common best practice discussed with OSPF including Stub routing within the LAN Access
network among other sub-services.
For MPLS, which is a topology service, these are sub-services that can be deployed with
MPLS.
General
Route Reflectors
VRF Selection
Traffic Engineering (TE)
Extranet
MPLS over GRE, MPLS over DMVPN
QoS service to MPLS VPN
IPv6
Internet Access service
Multicast service to MPLS VPN

3.5 Hardware & Software
Determine the best hardware and software solutions for each component in the design to
accommodate the following points:
Requirements
Topology Service and Sub-Services
Business Size considerations
The hardware device can be any vendor besides Cisco. Make sure the hardware chosen
supports the requirements and services in our design including considerations for the
business size of the network and the technical objectives.
In our design, the hardware for this infrastructure will consist of the following:
Cisco Catalyst 3560

Cisco Catalyst 3750G
Cisco PIX 515E Series (OX 7.x)
Cisco 2600 Router Series
Cisco Catalyst 2900XL Series

3.6 Network Diagram
The network diagram below depicts a large LAN campus infrastructure as part of the Next
Generation Network (NGN) running advanced technologies such as VRF-lite. A large version
of this picture is included in this package.

4 Configuration
This document is a companion to the main configuration guide presented. This document is
focused on showing you how to configure VRF-lite step-by-step for some of our devices in
the network diagram.
The VRF-lite design has different components with different configuration purposes. We will
show how to configure one of our LAN Distributions, LAN Core and Zone for one of the VRF
networks, Secret. Implementing the others would be the same steps.
4.1 Initial Configuration

The first we need to do is console or connect into each device on our network based on the
information presented in the network diagram.
Second, complete all basic configurations for all devices based on the following:
Configure all interfaces based on the network diagram in terms of IP addressing and the
subnet mask.
Next enable all interfaces by issuing a no shutdown
Once that has been completed we need to check on two things.
First confirm that all interfaces are up and running. This command will show all interfaces
and there status in a basic or brief view. Confirm that all interfaces once configured shows
an UP UP status.
show ip interface brief
And second, confirm basic network connectivity by pinging the directed connected IP address
of the other router. Do this for each device.

4.2 LAN Distribution (dsr01)
Step 1: Setup VTP and Rapid Spanning Tree
The default VTP mode is server mode. We will change the VTP mode to be Transparent
mode as a best practice, thus any VLAN changes would happen on each switch. Our
environment is small enough to not cause a huge administrative ordeal. We will also enable
Rapid Spanning Tree that provides fast convergence for switching networks providing
additional STP ports (Alternate Port, Backup Port, and Disabled Port). RSTP is a best
practice and design recommendation for all switching infrastructures to prevent loops.
vtp domain routehub.com

vtp mode transparent
spanning-tree mode rapid-pvst
Step 2: Create VLANs for Secret network

Once we have enabled VTP and STP globally. We will configure some VLANs for our Secret
network that will later to be associated to an IP interface enabled for VRF. VLAN1 is a
default VLAN, which is left untagged by default with 802.1q. We will not use VLAN1 and will
shutdown that interface. We will also configure a bit-bucket (or NULL) VLAN, 999, for any
interfaces we dont want to be active on our network.
VLANs 200, 201, and 250 will be used for various server and desktops designated for the
Secret network.
VLANs 295 and 299 will be used only between other switches (csr01 and dsr02) to extend
the virtualized Secret network to the LAN Core and the secondary LAN Distribution L3-
switch. Remember, refer to the network diagram for how the VLANs are connected and
used.
vlan 200
name secret-vlan1
!
vlan 201
name secret-vlan2
!
vlan 250
name secret-testbed
!
vlan 295
name secret-ict-295
!
vlan 299
name secret-ict-299
Now we have configured our VLANs for the Secret network. As you will see in the network
diagram, we are using VLAN250 for servers/desktops on our Secret network. Since VLAN
250 is the only VLAN that is extended to the other switch, dsr02, (for reliability reasons) we
have a Layer 2 loop thus Spanning Tree would kick in. We will make dsr01 our primary root
bridge for VLAN 250. Leaving the default STP BID priority on dsr02 intact, which is 32768.
spanning-tree vlan 250 priority 24576

Step 3: Enable VLAN and Trunking on Customer/Building Interfaces
Next, go to interface GigabitEthernet0/12, which is connected to a building that has
computers on the Secret network and Top Secret network. Thus, multiple VLANs would be
used across this connection. We will configure this interface to be a Trunk using the industry
standard Trunking protocol, 802.1q. We will configure the Trunk to allow VLAN 250. Use the
add syntax if there is already other allowed VLANs setup. If not it will overwrite what has
been configured.
We will configure RootGuard that will prevent the connected switch in becoming the Root
Bridge for any VLANs. We will also disable Dynamic Trunk Protocol (DTP) messages and
relying on DTP to negotiate the Trunking protocol used. We have manually set the
encapsulation of choice to be 802.1q.
The default mode is dynamic, here we have statically configuring the mode to be a trunk.
Lastly, Carrier Detect is configured to 0 msec as a best practice for Cisco IOS throttling if an
interface fails causing faster convergence and notification of a failure with our routing
protocols configured to converge quickly.
interface GigabitEthernet0/12
description Switching to Building
switch port trunk encapsulation dot1q
switchport trunk allowed vlan add 250
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
spanning-tree guard root
Step 4: Configure Inter-Connection interfaces as a 802.1q Trunk

Next we will configure the interfaces that connect with the primary LAN Core and the
secondary LAN Distribution. These will be configured as Trunk interfaces carrying VLAN
tags across the Trunk. Now these are Inter-Connection or Point-to-Point connections. These
VLANs are only used between two devices for establishing routing neighbors (OSPF and
EIGRP). The question is why not just configure these interfaces as Layer 3 (L3) interfaces?
Well remember, in this design we are configuring four separate networks that will have four
different routing tables. Thus each network would have its own routing protocol domain or
instance. So, we would have four different routing neighbors established. Configuring
VLANs allows us to establish four neighbors securely to extend these networks to our LAN
Core and eventually our Zone network. Again use the add syntax if there is already other
allowed VLANs setup. If not it will overwrite what has been configured.
description TO: dsr02 Gi0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan add 200,201,250,295
description TO: csr01 Gi1/0/3

Step 5: Configure VRF globally for Secret
Configuring VRF is fairly easy. First configure a VRF instance and give it a name, in our
case, it would be Secret. You can treat this as naming a VLAN in some ways. Next, RD or
Route Distinguisher is configured which would act very much like a VLAN. This is an
arbitrary number and if we configure a VRF instance on one router we would use the same
RD on other routers that would share this virtual routing domain. Very similar to a VLAN in
some ways. Route Targets (RT) are mainly used with MPLS networks and provides
capabilities if we want other VRF instances to communicate with this VRF directly. We will
keep our configuration simple and reuse the RD number of 10:200 for our route targets.
ip vrf secret
rd 10:200
route-target export 10:200
route-target import 10:200
Step 6: Configure VLAN SVI Interfaces

Next we will configure the VLAN SVI interfaces. These are interfaces that allow our
configured VLANs to become routable. Once the interfaces are configured we need to
specify that these interfaces will be associated to the VRF instance, Secret. Very much like
adding a port to a VLAN. Once we do that then we can configure our IP addresses and
other best practice configuration such as disabling IP redirects, unreachables, and proxy arp.
interface Vlan200
description VLAN: SECRET Client network
ip vrf forwarding secret
ip address 10.254.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan201
description VLAN: SECRET Server network
ip address 10.254.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan250
description Secret testbed
ip address 10.254.102.21 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan295
description ICT: Secret Inter-Connection
ip address 10.43.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

ip pim sparse-mode
ip ospf authentication message-digest
!
interface Vlan299
ip address 10.31.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
Step 7: Configure OSPF VRF routing for the Secret network

We will configure a dynamic routing protocol, OSPF, for exchanging routes within our Secret
routing domain. This is the same configuration if we configure OSPF without VRF. However,
this time we will specify that this routing protocol instance of OSPF is for the VRF network,
Secret.
We will advertise all of our connected L3 interfaces and networks configured for the Secret
network. Continuing with best practices we will summarize routes from the Distribution into
our LAN Core using the area X range command.
router ospf 40 vrf secret

router-id 10.31.2.2
log-adjacency-changes
area 40 range 10.254.0.0 255.255.0.0
network 10.31.2.0 0.0.0.3 area 0
network 10.43.2.0 0.0.0.3 area 0
network 10.254.102.0 0.0.0.255 area 40
network 10.254.100.0 0.0.0.255 area 40
network 10.254.101.0 0.0.0.255 area 40
Step 8: Additional OSPF interface configuration

Once OSPF routing has been configured we will improve the security of our OSPF neighbors
including lower our OSPF timers to provide fast convergence if failures occur. We will do this
for all interfaces configured for the Secret network.
We will configure MD5 authentication for all OSPF enabled interfaces to help protect who can
establish neighbor relationships and exchange routes.
For the OSPF Fast Timers, many numbers are usually brought up and discussed during best
practice configuration. Here we are configuring our hello timer to every 1-second with its
dead timer being 3 seconds if no hello messages are received. Our Routing NCG package
provides another way to increase fast convergence to sub-second (msec) times.
interface Vlan200
ip ospf message-digest-key 1 md5 7 094F471A1A0A464058
!
interface Vlan201

ip ospf message-digest-key 1 md5 7 02050D4808095E731F
!
interface Vlan250
ip ospf message-digest-key 1 md5 7 045802150C2E1D1C5A
!
interface Vlan295
ip ospf message-digest-key 1 md5 7 14141B180F0B7B7977
ip ospf hello-interval 1
ip ospf dead-interval 3
!
interface Vlan299
ip ospf cost 10
Step 9: Configure Basic Multicast Routing using PIM Sparse Mode

Here we will enable Multicast routing for the Secret VRF network. Since we are using PIM
Spare Mode, we will configure an RP address, which points back to an IP address (on the
Secret VRF network) located on the LAN Core. Lastly we will enable multicast routing on all
Secret VRF interfaces that will have either members or multicast sources connected to it.
Note that we are adding vrf secret for enabling multicast routing.
ip multicast-routing vrf secret distributed
ip pim vrf secret rap-address 10.33.2.1
interface Vlan200
ip pim sparse-mode
!
interface Vlan201
ip pim sparse-mode
!
interface Vlan250
ip pim sparse-mode
!
interface Vlan295
ip pim sparse-mode
!
interface Vlan299
ip pim sparse-mode

4.3 LAN Core (csr01)


VLANs 294, 298, and 299 will be used between only between other switches (csr02, zsr01,
and dsr01) to extended the virtualized Secret network to the LAN Distribution, primary Zone
Router, and the secondary LAN Core L3-switch. Remember, refer to the network diagram for
how the VLANs are connected and used.
vlan 294
name secret-ict-294
!
vlan 298
name secret-ict-298
!
vlan 299
name secret-ict-299

Step 3: Configure Inter-Connection interfaces as an 802.1q Trunk
Next we will configure the interfaces that connect with the primary Zone router, primary LAN
Distribution, and the secondary LAN Core. These will be configured as Trunk interfaces
carrying VLAN tags across the Trunk. Now these are Inter-Connection or Point-to-Point
connections. These VLANs are only used between two devices for establishing routing
neighbors (OSPF and EIGRP). The question is why not just configure these interfaces as
Layer 3 (L3) interfaces? Well remember, in this design we are configuring four separate
networks that will have four different routing tables. Thus each network would have its own
routing protocol domain or instance. So, we would have four different routing neighbors
established. Configuring VLANs allows us to establish four neighbors securely to extend
these networks to our LAN Core, LAN Distribution, and eventually our Zone network. Again
use the add syntax if there is already other allowed VLANs setup. If not it will overwrite
what has been configured.
interface GigabitEthernet1/0/1
!
description TO: zsr01 Gi0/3
!
Step 4: Configure VRF globally for Secret

Configuring VRF is fairly easy. First configure a VRF instance and give it a name, in our
case, it would be Secret. You can treat this as naming a VLAN in some ways. Next, RD or
Route Distinguisher is configured which would act very much like a VLAN. This is an
arbitrary number and if we configure a VRF instance on one router we would use the same
RD on other routers that would share this virtual routing domain. Very similar to a VLAN in
some ways. Route Targets (RT) are mainly used with MPLS networks and provides
capabilities if we want other VRF instances to communicate with this VRF directly. We will
keep our configuration simple and reuse the RD number of 10:200 for our route targets
ip vrf secret
rd 10:200

configured VLANs to become routable. Once the interfaces are configured we need to
specify that these interfaces will be associated to the VRF instance, Secret. Very much like
adding a port to a VLAN. Once we do that then we can configure our IP addresses and
other best practice configuration such as disabling IP redirects, unreachables, and proxy arp.
interface Vlan294
ip address 10.33.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan298
ip address 10.21.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan299
ip address 10.31.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
Step 6: Configure OSPF VRF routing for the Secret network

routing domain. This is the same configuration if we configure OSPF without VRF. However,
this time we will specify that this routing protocol instance of OSPF is for the VRF network,
Secret.
network.

router-id 10.31.2.1
network 10.21.2.0 0.0.0.3 area 0
network 10.31.2.0 0.0.0.3 area 0
network 10.33.2.0 0.0.0.3 area 0

interface Vlan294
!
interface Vlan298
ip ospf message-digest-key 1 md5 7 05080F1C22431F5B4A
ip ospf cost 10
!
interface Vlan299
ip ospf message-digest-key 1 md5 7 01100F175804575D72
ip ospf cost 10

Step 8: Configure Basic Multicast Routing using PIM Sparse Mode
Here we will enable Multicast routing for the Secret VRF network. Since we are using PIM
Spare Mode, we will configure an RP address, which points back to an IP address (on the
Secret VRF network) located on the LAN Core. Lastly we will enable multicast routing on all
Secret VRF interfaces that will have either members or multicast sources connected to it.
Note that we are adding vrf secret for enabling multicast routing.
ip pim vrf secret rp-address 10.33.2.1
interface Vlan294
ip pim sparse-mode
!
interface Vlan298
ip pim sparse-mode
!
interface Vlan299
ip pim sparse-mode
4.4 Internet Perimeter Zone (zsr01)



VLANs 293 and 298 will be used only between other switches (csr01 and zsr02) to extend
the virtualized Secret network from the LAN Distribution and LAN Core VRF networks.
Remember, refer to the network diagram for how the VLANs are connected and used.
vlan 293
name secret-ict-293
!
vlan 298
name secret-ict-298

Step 3: Configure Inter-Connection interfaces as an 802.1q Trunk
Next we will configure the interfaces that connect with the primary Zone router, primary LAN
Distribution, and the secondary LAN Core. These will be configured as Trunk interfaces
carrying VLAN tags across the Trunk. Now these are Inter-Connection or Point-to-Point
connections. These VLANs are only used between two devices for establishing routing
neighbors (OSPF and EIGRP). The question is why not just configure these interfaces as
Layer 3 (L3) interfaces? Well remember, in this design we are configuring four separate
networks that will have four different routing tables. Thus each network would have its own
routing protocol domain or instance. So, we would have four different routing neighbors
established. Configuring VLANs allows us to establish four neighbors securely to extend
these networks to our LAN Core and the secondary Zone network. Again use the add
syntax if there is already other allowed VLANs setup. If not it will overwrite what has been
configured.
switchport trunk allowed vlan 293
switchport trunk allowed vlan 298

configured VLANs to become routable.
Remember, at the Zone network NO VRFs are configured. This is the point where all
networks (Top Secret, Secret, etc) are present together in one global routing table. The PIX
firewall in between the LAN Core and Zone provides the Security for users from accessing
other separate networks natively. Everyone is routed to the Zone network enforcing any
security policy by the Firewalls.
Configure our IP addresses and other best practice configuration to disable IP redirects,
unreachables, and proxy arp.
interface Vlan293
ip address 10.23.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan298

ip address 10.21.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
Step 5: Configure OSPF routing for the Secret network

routing domain from the LAN Core and Distribution blocks. Note, that VRF is not configured
with this particular OSPF configuration.
We will also redistribute routes from our other routing protocols into this OSPF routing
domain including controlling which routes will be injected into the Secret routing domain. We
will also configure a OSPF default route via default-information originate always to our LAN
Core and LAN Distribution forcing all gateway of last resort traffic through the Zone router
and routing to the other networks (e.g. Top Secret, Restrict, etc).
network.
router ospf 20
router-id 10.21.2.1
redistribute eigrp 678 subnets
redistribute ospf 21 subnets
network 10.21.2.0 0.0.0.3 area 0
network 10.23.2.0 0.0.0.3 area 0
default-information originate always
distribute-list topsecret-net-acl out eigrp 678
distribute-list confid-net-acl out ospf 21
distribute-list restrict-net-acl out ospf 22
ip access-list standard secret-net-acl

permit 10.254.0.0 0.0.255.255
ip access-list standard confid-net-acl
permit 172.18.0.0 0.0.255.255
ip access-list standard restrict-net-acl
permit 172.16.0.0 0.0.255.255
ip access-list standard topsecret-net-acl
permit 172.29.0.0 0.0.255.255
permit 172.30.0.0 0.0.255.255
permit 172.31.0.0 0.0.255.255

interface Vlan293
!
interface Vlan298
ip ospf message-digest-key 1 md5 7 121A0C0411045D5679
ip ospf cost 10

4.5 Perimeter Firewall (Cisco ASA/PIX OS 7.x)
Step 1: Enabling Firewall in Layer 2 Mode, Contexts, and Creating Sub-Interfaces
Make sure your Cisco ASA (or PIX) Firewall has the licensing to support different firewall
modes (transparent) and has the right number of contexts (aka virtual firewalls). To allow
multiple contexts we need to enable that mode on our firewall first:
mode multiple
Here we are enabling our PIX firewall running OS 7.x to act as a Transparent firewall, to
allow established OSPF and EIGRP routing neighbors through the firewall between the LAN
Core and the Zone routers. So, this would enable the firewall to act as a Layer 2 Firewall,
thus using VLANs and 802.1q Trunking to support our design.
firewall transparent
Next we will configure two sub-interfaces for the Secret network. GigabitEthernet0 is for the
outside connecting to the Zone router and GigabitEthernet1 is for the inside connecting to the
LAN Core.
The .298 is the sub-interface being created and the 298 is the VLAN that is already
configured between the LAN Core and Zone routers. Hence, this sub-interface is acting as
an 802.1q Trunk carrying VLAN 298, which is for the isolated Secret network.
interface gigabitethernet 0.298

no shutdown

no shutdown
Step 2: Setting up the Virtual Firewall for the Secret Network

Next we will configure a virtual firewall (or context) globally on our Cisco ASA/PIX firewall for
the Secret network. Here we will call this virtual firewall, secret-fw, which will actually
partition and virtually create a separate firewall with its own policies for the Secret network.
context secret-fw
description This is the context for Secret network
Next, we will allocate which interfaces will exist in this virtual firewall, which are the sub-
interfaces we created in the last step:
allocate-interface gigabitethernet 0.298

Next, this specifies the configuration for the Secret virtual firewall and where the configuration
will be stored from that context:
configure disk0://secret-fw.cfg

Step 3: Configuring Firewall and Policies for Secret Network
Once that is created we would context secret-fw from our global firewall into that virtual
firewall that is created. From there we can start configuring the firewall with the firewall
policies, passwords, and more.
hostname secret-fw
domain routehub.com
nameif outside
security-level 0
no shutdown
nameif inside
security-level 100
no shutdown
passwd secret123
enable password secret123
access-list secret-acl extended permit 89 any any
access-list secret-acl extended permit tcp any host 10.254.101.100 eq 8080
access-group secret-acl in interface outside

5 Monitor
5.1 Operations for Internet Perimeter Edge Router

The following reflects various show commands on the Internet Perimeter, reflecting the
configuration we applied to our network and what we expect to see on our perimeter. The
heart of our NGN network is with the external & internal sections, but we want to show the
routing tables and what the perimeter sees in terms of all the virtualized networks on our
infrastructure. Remember no VRF-lite configuration was configured or needed on the Edge
and Zone layers.
5.1.1 show ip route

This command shows the global routing table for all routes learned via EIGRP or other
protocols on the Edge router. Here we can see that all routes, even routes redistributed from
other routing protocols like OSPF from our Zone router are shown here. Basically our Edge
router is the component that is facing towards the Internet and with our Zone routers. All
routing to one or more of our VRF domains within our LAN will be routed to the Zone router.
esr01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0
D 33.33.33.0 [90/130816] via 10.13.1.2, 01:42:13, GigabitEthernet1/0/1
S* 0.0.0.0/32 is directly connected, Loopback1
C 6.7.7.8/32 is directly connected, Loopback1
D EX 172.16.0.0/16 [170/269056] via 10.11.1.2, 00:11:48, GigabitEthernet1/0/2
D 172.30.0.0/16 [90/41216] via 10.11.1.2, 00:10:29, GigabitEthernet1/0/2
10.0.0.0/8 is variably subnetted, 32 subnets, 2 masks
C 10.11.1.0/30 is directly connected, GigabitEthernet1/0/2
C 10.13.1.0/30 is directly connected, GigabitEthernet1/0/1
D EX 10.31.4.0/30
[170/269056] via 10.11.1.2, 00:11:49, GigabitEthernet1/0/2
D EX 10.31.3.0/30

D EX 10.31.2.0/30
D EX 10.22.4.0/30
D EX 10.23.4.0/30
D EX 10.21.4.0/30
D EX 10.21.3.0/30
D EX 10.21.2.0/30
D EX 10.23.3.0/30
D EX 10.22.2.0/30
D EX 10.23.2.0/30
D EX 10.22.3.0/30
D EX 10.43.3.0/30
D EX 10.43.2.0/30
D EX 10.43.4.0/30
D EX 10.33.3.0/30
D EX 10.32.2.0/30
D EX 10.33.2.0/30
D EX 10.32.3.0/30
D EX 10.32.4.0/30
D EX 10.33.4.0/30
D EX 10.254.0.0/16
D EX 172.18.0.0/16 [170/269056] via 10.11.1.2, 00:11:58, GigabitEthernet1/0/2

5.2 Operations for Zone Routers (External)
The following reflects various show commands on the External NGN infrastructure, reflecting
the configuration we applied to our network and what we expect to see with a virtualized
network. VRF-lite is not configured, but reflects the different routing processes configured
and what the adjacencies look like from the perspective from the outside. The Zone routers
main function is to route between the different virtualized networks.
5.2.1 show ip route

This command shows the global routing table for all routes learned via EIGRP and OSPF on
our Zone router. Here we can see all routes learned from all the VRF domains within our
LAN isolated from other VRF domains. This would be considered as our master routing table
for all routes, public or private, that exist. The firewall between the Zone router and the LAN
provides the restriction of what access users can access in other VRF domains. Each VRF
domain is essentially mapped to a VLAN, so routes to a particular VRF would be routed to
that particular VLAN. Below reflects the routing table from the primary Zone router:
zsr01#show ip route
Gateway of last resort is 10.11.1.1 to network 0.0.0.0

D 1.1.1.0 [90/143360] via 10.11.1.1, 7w0d, GigabitEthernet0/2
D EX* 0.0.0.0/32 [170/143360] via 10.11.1.1, 7w0d, GigabitEthernet0/2
D 6.7.7.9/32 [90/143616] via 10.11.1.1, 7w0d, GigabitEthernet0/2
O IA 172.16.0.0/16 [110/21] via 10.21.4.2, 00:20:18, Vlan498
D 172.30.0.0/16 [90/28416] via 10.21.1.2, 00:20:33, Vlan198
D 172.29.0.0/16 [90/28416] via 10.21.1.2, 00:20:33, Vlan198
C 10.11.1.0/30 is directly connected, GigabitEthernet0/2
D 10.13.1.0/30 [90/15616] via 10.11.1.1, 7w0d, GigabitEthernet0/2
O 10.31.4.0/30 [110/20] via 10.21.4.2, 00:20:19, Vlan498
D 10.31.1.0/30 [90/28160] via 10.21.1.2, 00:20:33, Vlan198
O 10.31.3.0/30 [110/20] via 10.21.3.2, 00:20:19, Vlan398
O 10.31.2.0/30 [110/20] via 10.21.2.2, 00:20:19, Vlan298
C 10.21.4.0/30 is directly connected, Vlan498
D 10.43.1.0/30 [90/28416] via 10.21.1.2, 00:20:34, Vlan198
O 10.43.3.0/30 [110/21] via 10.21.3.2, 00:20:20, Vlan398

O 10.43.2.0/30 [110/21] via 10.21.2.2, 00:20:20, Vlan298
O 10.43.4.0/30 [110/21] via 10.21.4.2, 00:20:20, Vlan498
O 10.33.3.0/30 [110/11] via 10.21.3.2, 00:20:20, Vlan398
O 10.32.2.0/30 [110/111] via 10.21.2.2, 00:20:20, Vlan298
O 10.33.2.0/30 [110/11] via 10.21.2.2, 00:20:20, Vlan298
O 10.32.3.0/30 [110/111] via 10.21.3.2, 00:20:20, Vlan398
D 10.33.1.0/30 [90/15616] via 10.21.1.2, 00:20:34, Vlan198
D 10.32.1.0/30 [90/41216] via 10.21.1.2, 00:20:34, Vlan198
O 10.32.4.0/30 [110/111] via 10.21.4.2, 00:20:20, Vlan498
O 10.33.4.0/30 [110/11] via 10.21.4.2, 00:20:20, Vlan498
O IA 10.254.102.0/24 [110/21] via 10.21.2.2, 00:20:20, Vlan298
D 172.31.102.0/24 [90/28416] via 10.21.1.2, 00:20:34, Vlan198
O IA 10.254.0.0/16 [110/21] via 10.21.2.2, 00:20:21, Vlan298
D 172.31.0.0/16 [90/28416] via 10.21.1.2, 00:20:35, Vlan198
O IA 172.18.0.0/16 [110/21] via 10.21.3.2, 00:20:21, Vlan398
5.2.2 show ip eigrp neighbor

This command shows established EIGRP neighbors with our primary Internet Perimeter edge
router and with one of the LAN subnets (not in a VRF, Top Secret) on our LAN Core
configured for EIGRP. This is the first thing we should confirm before looking into our routing
tables; confirm that our routing neighbors for EIGRP or OSPF exist.
zsr01#show ip eigrp neighbors

IP-EIGRP neighbors for process 45
H Address Interface Hold Uptime SRTT RTO Q Seq Type
(sec) (ms) Cnt Num
1 10.21.1.2 Vl198 2 00:20:42 3 200 0 496
0 10.11.1.1 Gi0/2 2 21w4d 3 200 0 1034
5.2.3 show ospf neighbor

This command shows established OSPF neighbors with three of the VRF instances on our
LAN Core configured for OSPF. This is the first thing we should confirm before looking into
our routing tables; confirm that routing neighbors for EIGRP or OSPF exist.
zsr01#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

10.31.4.1 1 FULL/DR 00:00:02 10.21.4.2 Vlan498
10.31.3.1 1 FULL/DR 00:00:02 10.21.3.2 Vlan398
10.31.2.1 1 FULL/DR 00:00:02 10.21.2.2 Vlan298

5.2.4 show ip route eigrp 678
This is a similar command to show ip route, but this command simplifies what we see in our
routing table which can contain hundreds of routes. Here we see routes only pertaining to
EIGRP in AS 678, and no other EIGRP AS or OSPF routing information.
zsr01#show ip route eigrp 678

D 1.1.1.0 [90/143360] via 10.11.1.1, 00:08:25, GigabitEthernet0/2
D EX* 0.0.0.0/32
[170/143360] via 10.11.1.1, 00:31:41, GigabitEthernet0/2
D 6.7.7.8/32
D 6.7.7.9/32
D 172.30.0.0/16 [90/28416] via 10.21.1.2, 00:08:29, Vlan198
D 172.29.0.0/16 [90/28416] via 10.21.1.2, 00:08:29, Vlan198
D 10.13.1.0/30 [90/15616] via 10.11.1.1, 00:08:27, GigabitEthernet0/2
D 10.12.1.0/30 [90/28416] via 10.23.1.2, 00:08:27, Vlan193
D 10.31.1.0/30 [90/28160] via 10.21.1.2, 00:08:29, Vlan198
D 10.22.1.0/30 [90/28416] via 10.23.1.2, 00:08:29, Vlan193
D 10.43.1.0/30 [90/28416] via 10.21.1.2, 00:08:29, Vlan198
D 10.33.1.0/30 [90/15616] via 10.21.1.2, 00:08:29, Vlan198
D 10.32.1.0/30 [90/41216] via 10.21.1.2, 00:08:30, Vlan198
D 172.31.0.0/16 [90/28416] via 10.21.1.2, 00:08:30, Vlan198

5.2.5 show ip route ospf <PID>
This is a similar command to show ip route, but this command simplifies what we see in our
routing table which can contain hundreds of routes. Here we see routes only pertaining to
OSPF with PID 20, 21, and 22 with no routing information from other routing protocols.
zsr01#show ip route ospf 20

O 10.31.2.0/30 [110/20] via 10.21.2.2, 00:08:21, Vlan298
O 10.22.2.0/30 [110/101] via 10.23.2.2, 00:08:21, Vlan293
O 10.43.2.0/30 [110/21] via 10.21.2.2, 00:08:21, Vlan298
O 10.32.2.0/30 [110/111] via 10.21.2.2, 00:08:21, Vlan298
O 10.33.2.0/30 [110/11] via 10.21.2.2, 00:08:21, Vlan298

O 10.31.3.0/30 [110/20] via 10.21.3.2, 00:08:24, Vlan398
O 10.22.3.0/30 [110/101] via 10.23.3.2, 00:08:24, Vlan393
O 10.43.3.0/30 [110/21] via 10.21.3.2, 00:08:24, Vlan398
O 10.33.3.0/30 [110/11] via 10.21.3.2, 00:08:24, Vlan398
O 10.32.3.0/30 [110/111] via 10.21.3.2, 00:08:24, Vlan398
O E2 10.254.0.0/16 [110/22] via 10.23.3.2, 00:08:24, Vlan393

O IA 172.16.0.0/16 [110/21] via 10.21.4.2, 00:08:26, Vlan498
O 10.31.4.0/30 [110/20] via 10.21.4.2, 00:08:26, Vlan498
O 10.22.4.0/30 [110/101] via 10.23.4.2, 00:08:26, Vlan493
O 10.43.4.0/30 [110/21] via 10.21.4.2, 00:08:26, Vlan498
O 10.32.4.0/30 [110/111] via 10.21.4.2, 00:08:26, Vlan498
O 10.33.4.0/30 [110/11] via 10.21.4.2, 00:08:26, Vlan498
O E2 172.18.0.0/16 [110/22] via 10.23.4.2, 00:08:26, Vlan493

5.3 Operations & Traffic Flow for LAN (Internal)
The following reflects various show commands on the Internal NGN infrastructure, reflecting
the configuration we applied to our network and what we expect to see with a virtualized
network. We will look at the routing tables and many VRF tables for the different virtualized
networks. Viewing the routing table for each of the virtualized networks will be unique, so
look at the actual examples and the syntax used for many of these commands. They are
very straight-forward once you understand how it used for verification, monitoring, and
troubleshooting purposes.
5.3.1 show ip route

This command shows the global routing table for all routes learned via EIGRP on our LAN
Core, but the routes in the other VRF domains are isolated from being injected into the global
routing table. Here we can see that all routes learned within our LAN are isolated from the
VRF domains.
csr01#show ip route

D 1.1.1.0 [90/156160] via 10.21.1.1, 3w0d, Vlan198
D 2.2.2.0 [90/156160] via 10.21.1.1, 3w0d, Vlan198
D 33.33.33.0 [90/156416] via 10.21.1.1, 3w0d, Vlan198
D 3.3.3.0 [90/156160] via 10.21.1.1, 3w0d, Vlan198
D EX* 0.0.0.0/32 [170/156160] via 10.21.1.1, 3w0d, Vlan198
D 6.7.7.9/32 [90/156416] via 10.21.1.1, 3w0d, Vlan198
D 4.4.4.0 [90/156160] via 10.21.1.1, 3w0d, Vlan198
D 5.5.5.0 [90/156160] via 10.21.1.1, 3w0d, Vlan198
D EX 172.16.0.0/16 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D 22.22.22.0 [90/156416] via 10.21.1.1, 3w0d, Vlan198
D 172.30.0.0/16 [90/15616] via 10.31.1.2, 7w0d, Vlan199
D 172.29.0.0/16 [90/15616] via 10.31.1.2, 7w0d, Vlan199
D 10.11.1.0/30 [90/28160] via 10.21.1.1, 3w0d, Vlan198
D 10.13.1.0/30 [90/28416] via 10.21.1.1, 3w0d, Vlan198
D EX 10.31.4.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
C 10.30.0.1/32 is directly connected, Loopback0
D EX 10.31.3.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.31.2.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.21.4.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.21.3.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.21.2.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D 10.43.1.0/30 [90/15616] via 10.31.1.2, 7w0d, Vlan199
D EX 10.43.3.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.43.2.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.43.4.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.33.3.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198

D EX 10.32.2.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.33.2.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.32.3.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D 10.32.1.0/30 [90/28416] via 10.33.1.2, 7w0d, Vlan194
D EX 10.32.4.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.33.4.0/30 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D EX 10.254.102.0/24 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D 172.31.102.0/24 [90/15616] via 10.31.1.2, 7w0d, Vlan199
D EX 10.254.0.0/16 [170/269056] via 10.21.1.1, 3w0d, Vlan198
D 11.11.11.0 [90/156416] via 10.21.1.1, 3w0d, Vlan198
D 172.31.0.0/16 [90/15616] via 10.31.1.2, 7w0d, Vlan199
D 44.44.44.0 [90/156416] via 10.21.1.1, 3w0d, Vlan198
D EX 172.18.0.0/16 [170/269056] via 10.21.1.1, 3w0d, Vlan198
5.3.2 show ip route vrf secret

This command on CSR01 shows the routing table for VRF domain Secret isolated from our
global routing table and the other VRF instances configured within our LAN Core and
Distribution. Confirm if the correct routes exist within our VRF instances from interface such
as our VLANs being assigned to the Secret VRF. You will also see that a default OSPF route
exist meaning nodes within that VRF for nodes that want to access the Internet, resources in
other networks or VRF instances, they would be routed through to the Zone routers passing
through the transparent firewalls restricting what access the node can or cannot access.
csr01#show ip route vrf secret
Routing Table: secret

O E2 172.16.0.0/16 [110/21] via 10.21.2.1, 3w0d, Vlan298

O E2 172.30.0.0/16 [110/20] via 10.21.2.1, 3w0d, Vlan298
O E2 172.29.0.0/16 [110/20] via 10.21.2.1, 3w0d, Vlan298
O 10.43.2.0/30 [110/11] via 10.31.2.2, 3w0d, Vlan299
O 10.32.2.0/30 [110/101] via 10.33.2.2, 3w0d, Vlan294
O IA 10.254.102.0/24 [110/11] via 10.31.2.2, 3w0d, Vlan299
O IA 10.254.0.0/16 [110/11] via 10.31.2.2, 3w0d, Vlan299
O E2 172.31.0.0/16 [110/20] via 10.21.2.1, 3w0d, Vlan298
O*E2 0.0.0.0/0 [110/1] via 10.21.2.1, 3w0d, Vlan298
O E2 172.18.0.0/16 [110/21] via 10.21.2.1, 3w0d, Vlan298

5.3.3 show ip route vrf confid
This command on CSR01 shows the routing table for VRF domain Confid isolated from our
global routing table and the other VRF instances configured within our LAN Core and
Distribution. Confirm if the correct routes exist within our VRF instances from interfaces such
as our VLANs being assigned to the Confid VRF. You will also see that a default OSPF route
exist meaning nodes within that nodes within this VRF that want to access the Internet,
resources in other networks or VRF instances they will need to be routed through to the Zone
routers passing through the transparent firewalls restricting what access the node can or
cannot access.
csr01#show ip route vrf confid
Routing Table: confid

O E2 172.16.0.0/16 [110/21] via 10.21.3.1, 3w0d, Vlan398

O E2 172.30.0.0/16 [110/20] via 10.21.3.1, 3w0d, Vlan398
O E2 172.29.0.0/16 [110/20] via 10.21.3.1, 3w0d, Vlan398
O 10.43.3.0/30 [110/11] via 10.31.3.2, 3w0d, Vlan399
O 10.32.3.0/30 [110/101] via 10.33.3.2, 3w0d, Vlan394
O E2 10.254.0.0/16 [110/21] via 10.21.3.1, 3w0d, Vlan398
O E2 172.31.0.0/16 [110/20] via 10.21.3.1, 3w0d, Vlan398
O*E2 0.0.0.0/0 [110/1] via 10.21.3.1, 3w0d, Vlan398
O IA 172.18.0.0/16 [110/11] via 10.31.3.2, 3w0d, Vlan399
5.3.4 show ip route vrf restrict

This command on CSR01 shows the routing table for VRF domain Restrict isolated from
our global routing table and the other VRF instances configured within our LAN Core and
Distribution. Confirm if the correct routes exist within our VRF instances from interfaces such
as our VLANs being assigned to the Restrict VRF. You will also see that a default OSPF
route exist meaning nodes within that nodes within this VRF that want to access the Internet,
resources in other networks or VRF instances they will need to be routed through to the Zone
routers passing through the transparent firewalls restricting what access the node can or
cannot access.
csr01#show ip route vrf restrict
Routing Table: restrict


O IA 172.16.0.0/16 [110/11] via 10.31.4.2, 3w0d, Vlan499

O E2 172.30.0.0/16 [110/20] via 10.21.4.1, 3w0d, Vlan498
O E2 172.29.0.0/16 [110/20] via 10.21.4.1, 3w0d, Vlan498
O 10.43.4.0/30 [110/11] via 10.31.4.2, 3w0d, Vlan499
O 10.32.4.0/30 [110/101] via 10.33.4.2, 3w0d, Vlan494
O E2 10.254.0.0/16 [110/21] via 10.21.4.1, 3w0d, Vlan498
O E2 172.31.0.0/16 [110/20] via 10.21.4.1, 3w0d, Vlan498
O*E2 0.0.0.0/0 [110/1] via 10.21.4.1, 3w0d, Vlan498
O E2 172.18.0.0/16 [110/21] via 10.21.4.1, 3w0d, Vlan498
5.3.5 show ip eigrp neighbors

This command shows established EIGRP neighbors with our secondary LAN Core, primary
LAN Distribution, and the primary Zone router, which is the routing domain for our Top Secret
network domain part of our global routing table, but still isolated from the three VRF domains.
This is the first thing we should confirm before looking into our routing tables; confirm that
routing neighbors for EIGRP or OSPF exist.
csr01#show ip eigrp neighbors

IP-EIGRP neighbors for process 45
H Address Interface Hold Uptime SRTT RTO Q Seq Type
(sec) (ms) Cnt Num
0 10.21.1.1 Vl198 2 3w0d 9 200 0 505
2 10.31.1.2 Vl199 2 21w4d 1 200 0 483
1 10.33.1.2 Vl194 2 21w4d 1 200 0 753
5.3.6 show ip ospf neighbor

This command shows established OSPF neighbors with our secondary LAN Core, primary
LAN Distribution, and the primary Zone router, three times, for each VRF instance configured
for OSPF routing, which would be our routing domain for our Confid, Secret, and the Restrict
networks isolated from each other and the global routing table where our Top Secret domain
resides. This is the first thing we should confirm before looking into our routing tables; confirm
that routing neighbors for EIGRP or OSPF exist.
csr01#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

10.32.4.1 1 FULL/DR 00:00:02 10.33.4.2 Vlan494
10.31.4.2 1 FULL/DR 00:00:02 10.31.4.2 Vlan499
10.23.2.1 1 FULL/DR 00:00:02 10.21.4.1 Vlan498
10.32.3.1 1 FULL/DR 00:00:02 10.33.3.2 Vlan394
10.31.3.2 1 FULL/DR 00:00:02 10.31.3.2 Vlan399
10.23.3.1 1 FULL/DR 00:00:02 10.21.3.1 Vlan398
10.32.2.1 1 FULL/DR 00:00:02 10.33.2.2 Vlan294
10.31.2.2 1 FULL/DR 00:00:02 10.31.2.2 Vlan299
10.21.2.1 1 FULL/DR 00:00:02 10.21.2.1 Vlan298

5.3.7 show ip vrf <vrf-name>
These commands from our LAN Core shows brief info of what VRFs are configured including
the RD ID assigned and the interfaces they are mapped to. If polices for routing between
other VRFs exist then those details would be listed under the details of the same command.
These commands can be helpful to confirm that the correct interfaces are associated with the
correct VRF domain including knowing what the RD ID assignments are for each VRF.
csr01#show ip vrf secret
Name Default RD Interfaces
secret 10:200 Vlan294
Vlan298
Vlan299
csr01#show ip vrf confid

confid 10:300 Vlan394
Vlan398
Vlan399
csr01#show ip vrf restrict

restrict 10:400 Vlan494
Vlan498
Vlan499
csr01#show ip vrf brief

secret 10:200 Vlan294
Vlan298
Vlan299
confid 10:300 Vlan394
Vlan398
Vlan399
restrict 10:400 Vlan494
Vlan498
Vlan499
csr01#show ip vrf detail

VRF secret; default RD 10:200; default VPNID <not set>
VRF Table ID = 1
Interfaces:
Vlan294 Vlan298 Vlan299
Connected addresses are not in global routing table
Export VPN route-target communities
RT:10:200
Import VPN route-target communities
RT:10:200
No import route-map
No export route-map
VRF confid; default RD 10:300; default VPNID <not set>
VRF Table ID = 2
Interfaces:
RT:10:300
RT:10:300
No import route-map
No export route-map
VRF restrict; default RD 10:400; default VPNID <not set>
VRF Table ID = 3
Interfaces:
RT:10:400
RT:10:400

No import route-map
No export route-map
csr01#show ip vrf id secret

VPN Id Name RD
<not set> secret 10:200
csr01#
csr01#
csr01#
csr01#
csr01#show ip vrf id confid
VPN Id Name RD
<not set> confid 10:300
csr01#
csr01#
csr01#
csr01#
csr01#show ip vrf id restrict
VPN Id Name RD
<not set> restrict 10:400
csr01#show ip vrf interfaces secret

Interface IP-Address VRF Protocol
Vlan294 10.33.2.1 secret up
csr01#
csr01#
csr01#
csr01#
csr01#
csr01#
csr01#show ip vrf interfaces confid
Vlan394 10.33.3.1 confid up
csr01#
csr01#
csr01#
csr01#
csr01#show ip vrf interfaces restrict
Vlan494 10.33.4.1 restrict up

5.4 Traffic Flow
5.4.1 ping vrf <vrf-name>

The many show commands above that we discussed shows the operational status of VRF-
lite on our LAN/Campus NGN network, but validating traffic flow is another thing. We can try
to ping nodes within a particular VRF or even within our global routing table to emulate what
a typical node within that network would do. Below are two ping tests we did to validate that
network functionality through-out our VRF-lite network is truly working.
csr01#ping vrf secret 10.254.102.23
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.254.102.23, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
csr01#ping 10.254.102.23

Sending 5, 100-byte ICMP Echos to 10.254.102.23, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
5.4.2 Traceroutes
Using Traceroutes will also validate traffic flow through-out our VRF-lite network the way we
designed it. Just like using ping, we can use traceroute to confirm that traffic within a VRF is
routed internally. If routing to other VRFs or networks is needed the traceroute should go
from the LAN Core to the LAN Zone router (passing through the L2 Firewalls) then back
down to the LAN Core but in a new VRF domain then to the LAN Distribution if that
destination network exist on that device. This is shown within the first traceroute example.
The second traceroute example is veiwing local traffic flow within a VRF.
csr01#traceroute 10.254.102.23

Tracing the route to 10.254.102.23
1 10.21.1.1 0 msec 0 msec 8 msec

2 10.21.2.2 0 msec 0 msec 0 msec
3 10.31.2.2 0 msec 0 msec 0 msec
4 10.254.102.23 0 msec 0 msec 0 msec
csr01#traceroute vrf secret 10.254.102.23

Tracing the route to 10.254.102.23
1 10.31.2.2 0 msec 0 msec 0 msec

2 10.254.102.23 0 msec 0 msec 0 msec

5.5 Troubleshooting Tips
5.5.1 Root Causes

Once a network has been deployed and working operational any issue that will occur will
likely be due to one of the following below:
1. User Error
2. Software Error or Failure
3. Hardware Error or Failure
4. Power Error or Failure
5. Traffic Increase
6. Security Related
7. Third-Party Components
5.5.2 Initial questions to ask

Once a network has been deployed and working operational any issue that will occur will
likely be due to the following:
1. What has changed recently anywhere on the network?
a. Not just routers or switch, but with servers and various services such as
DNS, SMTP, etc. This tends to be the most common issue we have seen
where different groups make services changes like DNS, as an example, and
certain things on the network break where nothing was changed on the
routers or firewalls. However, the DNS changes affected some of the other
services on the network. That group who made the change will assume that
they didn't think that change would affect the network. Remember, IT is all
connected in more than one way, so validating all changes with all IT groups
is critical to confirm what could break including other considerations. Plus
any changes should rerun (or test) there baseline punch list to confirm that
all services outlined in the baseline are operational as they were before and
after any changes.
2. Confirm for any network changes? If so, check for configuration syntax errors and
cross check against a known working configuration.

5.5.3 Typical fixes
Identifying the root cause and resolving it are two separate things. Fixing a problem will
usually involve one or more of the following
Configuration change or rollback

Reboot
Software upgrade
Hardware replacement
It may require a configuration change or a rollback to a previously working configuration

known to work.
A reboot may do it or a software upgrade may be needed where a bug has emerged and/or a
hardware replacement may be needed, though is very rare.
5.5.4 General VRF-lite Troubleshooting
Identifying the root cause and resolving it are two separate things. Fixing a problem will
usually involve one or more of the following
Matching route distinguisher (RD) for VRF

VRF interface association
Other troubleshooting relating to VRF-lite can include the following:
Make sure to use the same RD or route distinguisher for the same VRF configured.
Remember a VRF is a like a VLAN but for Layer 3 networks.
Also make sure to have the right interfaces associated or mapped to the right VRF instance.
Those are the most common issues and more related issues will be updated here as they
come up.

6 Full Configuration
6.1 Network Diagram
6.2 NGN (External) Internet Perimeter Edge Routers

ESR01
Current configuration : 2995 bytes

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname esr01
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ts
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
key chain seigrp
key 1
key-string 7 02050D4808095E731F

!
!
no file verify auto
!
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface Loopback0
description INTERNET: Public network
ip address 2.2.2.2 255.255.255.0 secondary
ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
description INTERNET: default gateway
ip address 6.7.7.8 255.255.255.255
!
description TO: esr02 Gi1/0/1
no switchport
ip address 10.13.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip hello-interval eigrp 678 1
ip hold-time eigrp 678 3
ip authentication mode eigrp 678 md5
ip authentication key-chain eigrp 678 seigrp
!
no switchport
ip address 10.11.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
delay 50
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
shutdown
!
router eigrp 678
redistribute static
passive-interface default
no passive-interface GigabitEthernet1/0/1
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
network 3.3.3.0 0.0.0.255
network 4.4.4.0 0.0.0.255
network 5.5.5.0 0.0.0.255
network 10.11.1.0 0.0.0.3
network 10.13.1.0 0.0.0.3
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback1
ip http server
!
!
!
control-plane
!
alias exec c config t
!
line con 0
logging synchronous
line vty 0 4
no login
line vty 5 15
no login
!
!
end
ESR02

!
version 12.2

no service pad
!
hostname esr02
!
!
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
key chain seigrp
key 1
key-string 7 05080F1C22431F5B4A
!
!
no file verify auto
!
!
!
!
interface Loopback0
description INTERNET: Public network
ip address 11.11.11.11 255.255.255.0
!
interface Loopback1
description INTERNET: default gateway
ip address 6.7.7.9 255.255.255.255
!
no switchport
ip address 10.13.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
no switchport
ip address 10.12.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
delay 100
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
shutdown
!
router eigrp 678
redistribute static
network 10.12.1.0 0.0.0.3
network 10.13.1.0 0.0.0.3
network 11.11.11.0 0.0.0.255
network 22.22.22.0 0.0.0.255
network 33.33.33.0 0.0.0.255
network 44.44.44.0 0.0.0.255
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback1 254
ip http server
!
!
!

control-plane
!
!
line con 0
logging synchronous
line vty 0 4
no login
line vty 5 15
no login
!
!
end
6.3 NGN (External): Zone Routers

ZSR02

!
version 12.2
no service pad
!
hostname zsr02
!
!
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
key chain seigrp
key 1
key-string 7 104D000A061843595F
!
!
no file verify auto
!
!
!
vlan 193
name topsecret-ict-193
!
vlan 196
!
vlan 293
name secret-ict-293
!
vlan 296
name secret-ict-296
!
vlan 393

name confid-ict-393
!
vlan 396
name confid-ict-396
!
vlan 493
name restrict-ict-493
!
vlan 496
!
vlan 999
name bit-bucket
!
!
switchport trunk allowed vlan 193,293,393,493
!
no switchport
ip address 10.12.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
delay 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan193
description ICT: Topsecret Inter-Connection
ip address 10.23.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan196
ip address 10.22.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
delay 100
!
interface Vlan293
ip address 10.23.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan296
ip address 10.22.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf cost 100
!

interface Vlan393
description ICT: Confid Inter-Connection
ip address 10.23.3.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan396
ip address 10.22.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf message-digest-key 1 md5 7 104D000A061843595F
ip ospf cost 100
!
interface Vlan493
description ICT: Restrict Inter-Connection
ip address 10.23.4.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan496
ip address 10.22.4.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf message-digest-key 1 md5 7 0822455D0A16544541
ip ospf cost 100
!
router eigrp 678
redistribute ospf 20 metric 10000 1 255 1 1500
no passive-interface Vlan193
no passive-interface GigabitEthernet0/2
network 10.12.1.0 0.0.0.3
network 10.22.1.0 0.0.0.3
network 10.23.1.0 0.0.0.3
no auto-summary
!
router ospf 20
router-id 10.22.2.1
network 10.22.2.0 0.0.0.3 area 0
network 10.23.2.0 0.0.0.3 area 0
!

router ospf 21
network 10.22.3.0 0.0.0.3 area 0
network 10.23.3.0 0.0.0.3 area 0
distribute-list secret-net-acl out ospf 20
!
router ospf 22
network 10.22.4.0 0.0.0.3 area 0
network 10.23.4.0 0.0.0.3 area 0
!
ip classless
ip http server
!
!
permit 10.254.0.0 0.0.255.255
permit 172.18.0.0 0.0.255.255
permit 172.16.0.0 0.0.255.255
permit 172.29.0.0 0.0.255.255
permit 172.30.0.0 0.0.255.255
permit 172.31.0.0 0.0.255.255
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
no login
line vty 5 15
no login
!
end
ZSR01

!
version 12.2
no service pad
!
hostname zsr01
!
!
no aaa new-model
ip subnet-zero
ip routing

no ip domain-lookup
!
!
!
key chain seigrp
key 1
key-string 7 104D000A061843595F
!
!
no file verify auto
!
!
!
vlan 193
!
vlan 198
!
vlan 293
name secret-ict-293
!
vlan 298
name secret-ict-298
!
vlan 393
name confid-ict-393
!
vlan 398
name confid-ict-398
!
vlan 493
!
vlan 498
!
vlan 999
name bit-bucket
!
!
!
no switchport
ip address 10.11.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
delay 50
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan193
ip address 10.23.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan198
ip address 10.21.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

delay 50
!
interface Vlan293
ip address 10.23.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan298
ip address 10.21.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf cost 10
!
interface Vlan393
ip address 10.23.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan398
ip address 10.21.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf message-digest-key 1 md5 7 104D000A061843595F
ip ospf cost 10
!
interface Vlan493
ip address 10.23.4.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan498
ip address 10.21.4.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf cost 10

!
router eigrp 678
network 10.11.1.0 0.0.0.3
network 10.21.1.0 0.0.0.3
network 10.23.1.0 0.0.0.3
no auto-summary
!
router ospf 20
router-id 10.21.2.1
network 10.21.2.0 0.0.0.3 area 0
network 10.23.2.0 0.0.0.3 area 0
!
router ospf 21
network 10.21.3.0 0.0.0.3 area 0
network 10.23.3.0 0.0.0.3 area 0
!
router ospf 22
network 10.21.4.0 0.0.0.3 area 0
network 10.23.4.0 0.0.0.3 area 0
!
ip classless
ip http server
!
!
permit 10.254.0.0 0.0.255.255
permit 172.18.0.0 0.0.255.255
permit 172.16.0.0 0.0.255.255
permit 172.29.0.0 0.0.255.255
permit 172.30.0.0 0.0.255.255
permit 172.31.0.0 0.0.255.255
!
!
control-plane
!

!
line con 0
logging synchronous
line vty 0 4
no login
line vty 5 15
no login
!
end
6.4 Policy Enforcement: Cisco ASA/PIX Firewall

IPFW01 / IPFW02
>Global Configuration
mode multiple
firewall transparent
hostname ipfw01
password cisco123
enable password cisco123
admin-context admin
interface gigabitethernet 0
no shutdown
no shutdown
no shutdown
no shutdown
no shutdown
interface gigabitethernet 1
no shutdown
no shutdown
no shutdown
no shutdown
no shutdown
context topsec-fw
description This is the context for Top Secret network
config-url disk0://topsec-fw.cfg
context secret-fw
description This is the context for Secret network
config-url disk0://secret-fw.cfg
context confid-fw
description This is the context for Confidential network
config-url disk0://confid-fw.cfg
context restrict-fw
description This is the context for Restricted network

config-url disk0://restrict-fw.cfg
>Context: Top Secret configuration
hostname topsec-fw
domain routehub.com
nameif outside
security-level 0
no shutdown
nameif inside
security-level 100
no shutdown
passwd topsec123
enable password topsec123
access-list topsec-acl extended permit 88 any any
access-list topsec-acl extended permit tcp any host 172.31.101.100 eq 443
access-group topsec-acl in interface outside
>Context: Secret configuration
hostname secret-fw
domain routehub.com
nameif outside
security-level 0
no shutdown
nameif inside
security-level 100
no shutdown
passwd secret123
enable password secret123
access-list secret-acl extended permit 89 any any
access-group secret-acl in interface outside
>Context: Confidential configuration
hostname confid-fw
domain routehub.com
nameif outside
security-level 0
no shutdown
nameif inside
security-level 100
no shutdown
passwd confid123
enable password confid123
access-list confid-acl extended permit 89 any any
access-list confid-acl extended permit tcp any host 172.18.101.100 eq 80
access-group confid-acl in interface outside
>Context: Restricted configuration
hostname restrict-fw
domain routehub.com

nameif outside
security-level 0
no shutdown
nameif inside
security-level 100
no shutdown
passwd restrict123
enable password restrict123
access-list restrict-acl extended permit 89 any any
access-list restrict-acl extended permit tcp any host 172.16.101.100 eq 23
access-list restrict-acl extended permit tcp any host 172.16.101.101 eq 5001
access-list restrict-acl extended permit udp any host 172.16.101.102 eq snmp
access-group restrict-acl in interface outside
6.5 NGN (Internal): LAN Core

CSR01
Building configuration...

!
version 12.2
no service pad
!
hostname csr01
!
!
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
!
ip multicast-routing distributed
ip multicast-routing vrf confid distributed
ip multicast-routing vrf restrict distributed
ip vrf secret
rd 10:200
!
ip vrf confid
rd 10:300
!
ip vrf restrict
rd 10:400
!
!
!
key chain seigrp
key 1
key-string 7 0822455D0A16544541
!

!
!
!
no file verify auto
!
!
!
vlan 100
name vlan100-secret
!
vlan 101
name vlan101-secret
!
vlan 102
name vlan102-secret
!
vlan 194
!
vlan 198
!
vlan 199
!
vlan 200
name vlan200-confid
!
vlan 201
name vlan201-confid
!
vlan 202
name vlan202-confid
!
vlan 294
name secret-ict-294
!
vlan 298
name secret-ict-298
!
vlan 299
name secret-ict-299
!
vlan 394
name confid-ict-394
!
vlan 398
name confid-ict-398
!
vlan 399
name confid-ict-399
!
vlan 494
!
vlan 498
!
vlan 499
!
vlan 999
name bit-bucket
!
!
interface Loopback0
ip address 10.30.0.1 255.255.255.255
no ip redirects
no ip unreachables

no ip proxy-arp
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan194
ip address 10.33.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan198
ip address 10.21.1.2 255.255.255.252
no ip redirects

no ip unreachables
no ip proxy-arp
ip pim sparse-mode
delay 50
!
interface Vlan199
ip address 10.31.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
delay 50
!
interface Vlan294
ip address 10.33.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan298
ip address 10.21.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 10
!
interface Vlan299
ip address 10.31.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 10
!
interface Vlan394
ip vrf forwarding confid
ip address 10.33.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode

!
interface Vlan398
ip address 10.21.3.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 10
!
interface Vlan399
ip address 10.31.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 10
!
interface Vlan494
ip vrf forwarding restrict
ip address 10.33.4.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan498
ip address 10.21.4.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 10
!
interface Vlan499
ip address 10.31.4.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 10

!
router eigrp 678
network 10.21.1.0 0.0.0.3
network 10.31.1.0 0.0.0.3
network 10.33.1.0 0.0.0.3
no auto-summary
!
router-id 10.31.2.1
network 10.21.2.0 0.0.0.3 area 0
network 10.31.2.0 0.0.0.3 area 0
network 10.33.2.0 0.0.0.3 area 0
!
router ospf 31 vrf confid
router-id 10.31.3.1
network 10.21.3.0 0.0.0.3 area 0
network 10.31.3.0 0.0.0.3 area 0
network 10.33.3.0 0.0.0.3 area 0
!
router ospf 32 vrf restrict
router-id 10.31.4.1
network 10.21.4.0 0.0.0.3 area 0
network 10.31.4.0 0.0.0.3 area 0
network 10.33.4.0 0.0.0.3 area 0
!
ip classless
ip http server
ip http secure-server
!
ip pim rp-address 10.33.1.1
ip pim vrf confid rp-address 10.33.3.1
ip pim vrf restrict rp-address 10.33.4.1
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
no login
line vty 5 15
no login
!
!
end
CSR02

!
version 12.2
no service pad
!
hostname csr02

!
!
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
!
ip vrf secret
rd 10:200
!
ip vrf confid
rd 10:300
!
ip vrf restrict
rd 10:400
!
ipv6 unicast-routing
!
!
key chain seigrp
key 1
key-string 7 0822455D0A16544541
!
!
!
!
no file verify auto
!
!
!
vlan 10
name vlan10
!
vlan 20
name vlan20
!
vlan 30
name vlan30
!
vlan 40
name vlan40
!
vlan 100
name vlan100-secret
!
vlan 101
name vlan101-secret
!
vlan 102
name vlan102-secret
!
vlan 194
!
vlan 196

!
vlan 197
!
vlan 199
name ic-secret
!
vlan 200
name vlan200-confid
!
vlan 201
name vlan201-confid
!
vlan 202
name vlan202-confid
!
vlan 294
name secret-ict-294
!
vlan 296
name secret-ict-296
!
vlan 297
name secret-ict-297
!
vlan 299
name ic-confid
!
vlan 394
name confid-ict-394
!
vlan 396
name confid-ict-396
!
vlan 397
name confid-ict-397
!
vlan 494
!
vlan 496
!
vlan 497
!
vlan 999
name bit-bucket
!
!
interface Loopback0
ip address 10.30.0.2 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan194
ip address 10.33.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan196
ip address 10.22.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
delay 100
!
interface Vlan197
ip address 10.32.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

ip pim sparse-mode
delay 100
!
interface Vlan294
ip address 10.33.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan296
ip address 10.22.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!
interface Vlan297
ip address 10.32.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!
interface Vlan394
ip address 10.33.3.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan396
ip address 10.22.3.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!

interface Vlan397
ip address 10.32.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!
interface Vlan494
ip address 10.33.4.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan496
ip address 10.22.4.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!
interface Vlan497
ip address 10.32.4.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!
router eigrp 678
network 10.22.1.0 0.0.0.3
network 10.32.1.0 0.0.0.3
network 10.33.1.0 0.0.0.3
no auto-summary
!
router-id 10.32.2.1
network 10.22.2.0 0.0.0.3 area 0
network 10.32.2.0 0.0.0.3 area 0
network 10.33.2.0 0.0.0.3 area 0
!

router-id 10.32.3.1
network 10.22.3.0 0.0.0.3 area 0
network 10.32.3.0 0.0.0.3 area 0
network 10.33.3.0 0.0.0.3 area 0
!
router-id 10.32.4.1
network 10.22.4.0 0.0.0.3 area 0
network 10.32.4.0 0.0.0.3 area 0
network 10.33.4.0 0.0.0.3 area 0
!
ip classless
ip http server
ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
line vty 0 4
no login
line vty 5 15
no login
!
!
end
6.6 NGN (Internal): LAN Distribution

DSR01

!
version 12.2
no service pad
!
hostname dsr01
!
!
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
!

ip vrf secret
rd 10:200
!
ip vrf confid
rd 10:300
!
ip vrf restrict
rd 10:400
!
!
!
key chain seigrp
key 1
key-string 7 00071A1507545A545C
!
!
no file verify auto
!
spanning-tree vlan 150,250 priority 24576
!
!
vlan 100
name topsecret-vlan1
!
vlan 101
!
vlan 102
!
vlan 103
!
vlan 104
!
vlan 105
!
vlan 150
name topsecret-testbed
!
vlan 195
!
vlan 199
!
vlan 200
name secret-vlan1
!
vlan 201
name secret-vlan2
!
vlan 250
name secret-testbed
!
vlan 295
name secret-ict-295
!
vlan 299
name secret-ict-299
!

vlan 300
name confid-vlan1
!
vlan 301
name confid-vlan2
!
vlan 395
name confid-ict-395
!
vlan 399
name confid-ict-399
!
vlan 400
name restrict-vlan1
!
vlan 401
name restrict-vlan2
!
vlan 495
!
vlan 499
!
!
switchport trunk allowed vlan 100-105,150,195,200,201,250,295,300,301,395,400
switchport trunk allowed vlan add 401,495
!
!
!
!
!
!
!
!
!
!
description Routing to Building
no switchport
ip address 10.51.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
delay 50
!

switchport trunk allowed vlan 150,250
!
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
!
interface Vlan100
description VLAN: Topsecret Client network
ip address 172.29.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan101
description VLAN: Topsecret Server network
ip address 172.29.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan102
ip address 172.30.100.1 255.255.255.0
no ip redirects
no ip unreachables

no ip proxy-arp
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 00071A1507545A545C
!
interface Vlan103
ip address 172.30.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 060506324F41584B56
!
interface Vlan104
ip address 172.31.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 00071A1507545A545C
!
interface Vlan105
ip address 172.31.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 13061E010803557878
!
interface Vlan150
description Topsecret testbed
ip address 172.31.102.21 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan195
ip address 10.43.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan199
ip address 10.31.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip summary-address eigrp 678 172.31.0.0 255.255.0.0 5
delay 50
!
interface Vlan200

ip address 10.254.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 094F471A1A0A464058
!
interface Vlan201
ip address 10.254.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan250
ip address 10.254.102.21 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan295
ip address 10.43.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan299
ip address 10.31.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 10
!
interface Vlan300
description VLAN: Confid Client network
ip address 172.18.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan301
description VLAN: Confid Server network

ip address 172.18.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan395
ip address 10.43.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan399
ip address 10.31.3.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 070C285F4D06485744
ip ospf cost 10
!
interface Vlan400
description VLAN: Restrict Client network
ip address 172.16.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan401
description VLAN: Restrict Server network
ip address 172.16.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan495
ip address 10.43.4.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan499

ip address 10.31.4.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf message-digest-key 1 md5 7 1511021F07257A767B
ip ospf cost 10
!
router eigrp 678
network 10.31.1.0 0.0.0.3
network 10.43.1.0 0.0.0.3
network 10.51.1.0 0.0.0.3
network 172.31.102.0 0.0.0.255
network 172.30.0.0
network 172.29.0.0
network 172.31.0.0
no auto-summary
!
router-id 10.31.2.2
area 40 range 10.254.0.0 255.255.0.0
network 10.31.2.0 0.0.0.3 area 0
network 10.43.2.0 0.0.0.3 area 0
network 10.254.102.0 0.0.0.255 area 40
network 10.254.100.0 0.0.0.255 area 40
network 10.254.101.0 0.0.0.255 area 40
!
router-id 10.31.3.2
area 50 range 172.18.0.0 255.255.0.0
network 10.31.3.0 0.0.0.3 area 0
network 10.43.3.0 0.0.0.3 area 0
network 172.18.100.0 0.0.0.255 area 50
network 172.18.101.0 0.0.0.255 area 50
!
router-id 10.31.4.2
area 60 range 172.16.0.0 255.255.0.0
network 10.31.4.0 0.0.0.3 area 0
network 10.43.4.0 0.0.0.3 area 0
network 172.16.100.0 0.0.0.255 area 60
network 172.16.101.0 0.0.0.255 area 60
!
ip classless
ip http server
!
ip ospf name-lookup
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4

no login
line vty 5 15
no login
!
end
DSR02

!
version 12.2
no service pad
!
hostname dsr02
!
!
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
!
ip vrf secret
rd 10:200
!
ip vrf confid
rd 10:300
!
ip vrf restrict
rd 10:400
!
!
!
key chain seigrp
key 1
key-string 7 104D000A061843595F
!
!
no file verify auto
!
spanning-tree vlan 150,250 priority 28672
!
!
vlan 100
!
vlan 101
!
vlan 102
!
vlan 103

!
vlan 104
!
vlan 105
!
vlan 150
!
vlan 195
!
vlan 197
!
vlan 200
name secret-vlan1
!
vlan 201
name secret-vlan2
!
vlan 250
name secret-testbed
!
vlan 295
name secret-ict-295
!
vlan 297
name secret-ict-297
!
vlan 300
name confid-vlan1
!
vlan 301
name confid-vlan2
!
vlan 395
name confid-ict-395
!
vlan 397
name confid-ict-397
!
vlan 400
name restrict-vlan1
!
vlan 401
name restrict-vlan2
!
vlan 495
!
vlan 497
!
!
switchport trunk allowed vlan 100-105,150,195,200,201,250,295,300,301,395,400
switchport trunk allowed vlan add 401,495
!

!
!
!
!
!
!
!
!
!
description Routing to Building
no switchport
ip address 10.51.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
delay 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

interface Vlan1
no ip address
!
interface Vlan100
ip address 172.29.100.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan101
ip address 172.29.101.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan102
ip address 172.30.100.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan103
ip address 172.30.101.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan104
ip address 172.31.100.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan105
ip address 172.31.101.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan150
description Topsecret testbed
ip address 172.31.102.22 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan195
ip address 10.43.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan197

ip address 10.32.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
delay 100
!
interface Vlan200
ip address 10.254.100.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan201
ip address 10.254.101.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan250
ip address 10.254.102.22 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan295
ip address 10.43.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan297
ip address 10.32.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!
interface Vlan300
description VLAN: Confid Client network

ip address 172.18.100.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan301
description VLAN: Confid Server network
ip address 172.18.101.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan395
ip address 10.43.3.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan397
ip address 10.32.3.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!
interface Vlan400
description VLAN: Restrict Client network
ip address 172.16.100.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan401
description VLAN: Restrict Server network
ip address 172.16.101.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
!
interface Vlan495
ip address 10.43.4.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode

!
interface Vlan497
ip address 10.32.4.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
ip ospf cost 100
!
router eigrp 678
network 10.32.1.0 0.0.0.3
network 10.43.1.0 0.0.0.3
network 10.51.2.0 0.0.0.3
network 172.31.102.0 0.0.0.255
network 172.30.0.0
network 172.29.0.0
network 172.31.0.0
no auto-summary
!
router-id 10.32.2.2
area 40 range 10.254.0.0 255.255.0.0
network 10.32.2.0 0.0.0.3 area 0
network 10.43.2.0 0.0.0.3 area 0
network 10.254.102.0 0.0.0.255 area 40
network 10.254.100.0 0.0.0.255 area 40
network 10.254.101.0 0.0.0.255 area 40
!
router-id 10.32.3.2
area 50 range 172.18.0.0 255.255.0.0
network 10.32.3.0 0.0.0.3 area 0
network 10.43.3.0 0.0.0.3 area 0
network 172.18.100.0 0.0.0.255 area 50
network 172.18.101.0 0.0.0.255 area 50
!
router-id 10.32.4.2
area 60 range 172.16.0.0 255.255.0.0
network 10.32.4.0 0.0.0.3 area 0
network 10.43.4.0 0.0.0.3 area 0
network 172.16.100.0 0.0.0.255 area 60
network 172.16.101.0 0.0.0.255 area 60
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
logging synchronous

line vty 0 4
no login
line vty 5 15
no login
!
end
6.7 NGN (Internal): Access or Building (Routing)


!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bldg-network
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip multicast-routing
mpls ldp logging neighbor-changes
!
!
key chain seigrp
key 1
key-string cisco123
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 172.31.200.1 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/0
ip address 10.51.1.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp

ip pim sparse-mode
delay 50
half-duplex
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Ethernet0/1
ip address 10.51.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
delay 100
half-duplex
!
interface Serial0/1
no ip address
shutdown
!
router eigrp 678
no passive-interface Ethernet0/0
no passive-interface Ethernet0/1
network 10.51.1.0 0.0.0.3
network 10.51.2.0 0.0.0.3
network 172.31.200.0 0.0.0.255
network 172.31.201.0 0.0.0.255
network 172.31.202.0 0.0.0.255
no auto-summary
!
ip http server
ip classless
!
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
6.8 NGN (Internal): Access or Building (Switching)

!

version 12.1
no service pad
no service password-encryption
!
hostname as01
!
!
ip subnet-zero
!
!
!
no spanning-tree optimize bpdu transmission
!
!
!
!
vlan 150
!
vlan 250
name secret-testbed
!
interface FastEthernet0/1
!
!
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan150
ip address 172.31.102.23 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
!
ip default-gateway 172.31.102.21
ip http server
!
line con 0
line vty 5 15
!
!
end

Routehub TUNNEL L3VPN VRF LITE PDF

Uploaded by

Copyright:

Available Formats

You might also like

Routehub TUNNEL L3VPN VRF LITE PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Routehub TUNNEL L3VPN VRF LITE PDF

Uploaded by

Copyright:

Available Formats

Multi-CE VRF (VRF-lite)

RouteHub Group, LLC

END USER LICENSE FOR ONE (1) PERSON ONLY

2. Price and Payment

4. Replacement, Modification and/or Upgrades

13. Entire Agreement

RouteHub Group, LLC Page 7 www.routehub.net

Multi-CE VRF or VRF-lite is considered as a scaled down version of MPLS or a light-weight

VPN Routing and Forwarding (VRF)

RouteHub Group, LLC Page 8 www.routehub.net

RouteHub Group, LLC Page 9 www.routehub.net

3.1 Our Design with VRF-lite

RouteHub Group, LLC Page 10 www.routehub.net

RouteHub Group, LLC Page 11 www.routehub.net

Below are the solutions we can choose from.

RouteHub Group, LLC Page 12 www.routehub.net

This can include the following services:

RouteHub Group, LLC Page 13 www.routehub.net

Cisco Catalyst 3560

RouteHub Group, LLC Page 14 www.routehub.net

RouteHub Group, LLC Page 15 www.routehub.net

4.1 Initial Configuration

Next enable all interfaces by issuing a no shutdown

Once that has been completed we need to check on two things.

RouteHub Group, LLC Page 16 www.routehub.net

vtp domain routehub.com

Step 2: Create VLANs for Secret network

spanning-tree vlan 250 priority 24576

RouteHub Group, LLC Page 17 www.routehub.net

Step 4: Configure Inter-Connection interfaces as a 802.1q Trunk

RouteHub Group, LLC Page 18 www.routehub.net

Step 6: Configure VLAN SVI Interfaces

RouteHub Group, LLC Page 19 www.routehub.net

Step 7: Configure OSPF VRF routing for the Secret network

router ospf 40 vrf secret

Step 8: Additional OSPF interface configuration

RouteHub Group, LLC Page 20 www.routehub.net

Step 9: Configure Basic Multicast Routing using PIM Sparse Mode

ip multicast-routing vrf secret distributed

ip pim vrf secret rap-address 10.33.2.1

RouteHub Group, LLC Page 21 www.routehub.net

vtp domain routehub.com

Step 2: Create VLANs for Secret network

RouteHub Group, LLC Page 22 www.routehub.net

Step 4: Configure VRF globally for Secret

RouteHub Group, LLC Page 23 www.routehub.net

Step 6: Configure OSPF VRF routing for the Secret network

router ospf 30 vrf secret

RouteHub Group, LLC Page 24 www.routehub.net

RouteHub Group, LLC Page 25 www.routehub.net

ip multicast-routing vrf secret distributed

ip pim vrf secret rp-address 10.33.2.1

4.4 Internet Perimeter Zone (zsr01)

vtp domain routehub.com

Step 2: Create VLANs for Secret network

RouteHub Group, LLC Page 26 www.routehub.net

Step 4: Configure VLAN SVI Interfaces

RouteHub Group, LLC Page 27 www.routehub.net