Network behind an IPSec VPN peer

In this lab, I tried to simulate an environment where there are two customers, each connected to their respective ISP. Now, in the real world, this might not be the best way things are done, but this lab is for the sake of understanding how VPNs deal with networks behind a VPN peer.

PE: Provider Edge equipment
CPE: Customer Premise equipment

Following is the network diagram. CPE1 and CPE2 are customer edge routers. PE1 and PE2 are respective ISP provider edge routers. Each router connects to another over a /30 point to point link. Each router has a loopback (Lo0) with an IP address in the 192.168.0.0/16 range as shown.

CPE1 has a site to site VPN tunnel to PE1.
PE1 has two site to site VPN tunnels, one to CPE1 and another to PE2.
PE2 has two site to site VPN tunnels, one to PE1 and another to CPE2.
CPE2 has a site to site VPN tunnel to PE2.



I had a problem with VPN hairpinning and wanted to build a lab to find possible solutions. I started off building the lab and after bringing up the VPNs, I realized I had built the lab wrong. Notice how ...

Default route and RIB/FIB entries


If a router has multiple routes to a network over multiple routing protocols, it stores all of that routing information in the RIB. This information is not necessarily what is used when forwarding packets to the network: to make that decision, CEF uses the FIB. I understand this.

Consider a network where:

R2 ------- R1 ------- R3

R2 (10.0.0.2/24) connects to R1 (10.0.0.1/24)
R1 (192.168.0.1/24) connects to R3 (192.168.0.2/24)

On R2, R3: I have default routes pointing to R1:

R2: ip route 0.0.0.0 0.0.0.0 10.0.0.1
R3: ip route 0.0.0.0 0.0.0.0 192.168.0.1

Now, from R2, I can ping R3 fine.

R2#ping 192.168.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/39/44 ms

So, I try to see the route entry for 192.168.0.2

R2#sh ip route 192.168.0.2
% Network not in table

I don't see it. So I look at the CEF/FIB.

A Cloud Without IPv6

As a Data Center junkie, I daily bear witness to the glorious transformations that are taking place all around me with respect to the “next-generation” of data center. Everyone who wants to move their DC to the next level are millions of dollars worth of DC networking gear that is EXTREMELY cutting edge, enabling virtualization and cloud to do things we only dreamed of being able to do mere years ago.

Using GNS3 for Switching Labs

For so long, I’ve heard - as have many of you I’m sure - that GNS3, though a GREAT emulator for Cisco IOS software, is not practical for studying anything related to switching. Routing is handled just fine, but because of the proprietary ASICs in Cisco switches, it is not something that can be easily reverse-engineered, thus GNS3 cannot do it. After all, all routing is essentially done in software in GNS3.

The “D” in SDN

I have seen the conversation around SDN evolve over what amounts to the last few years from something that was barely whiteboard material, to something on everyone’s lips in this industry. Why? What’s so interesting about these three little letters? Well, if you’ve heard of it, you’ve undoubtedly heard from your local vendor account manager that their product is the leader in the SDN market, or that they just made a big acquisition that really puts them ahead in the SDN space, blah, blah, blah.

TRIO Card: packet capture with pfe commands

During a complex case on a Juniper platform, I looked for a tip to capture transit traffic on an MX960 with Trio cards. Indeed, I suspected a Junos box of rewriting transit MPLS traffic with an unexpected EXP value. As I love carrying out reverse engineering,...

vSphere Network Security Policies

The idea of security in a vSphere vSwitch is a concept not usually discussed in vSphere peer groups or curricula. They are somewhat specialized features that are normally either not used, or irrelevant due to the presence of another switching architecture such as the vDS (including the Cisco Nexus 1000v) or VM-FEX, where these policies also exist and are much more feature-rich. Thus, the idea of performing these functions on a native vSwitch is usually not talked about.

Quiz #7 – MLS QOS

You have recently moved to a new company as a network administrator and you've started doing an audit of the existing network. Your network uses an end-to-end QOS approach between multiple offices. Access switches trust QOS markings received from IP phones, and higher-layer devices trust the markings received from the access switches, as seen in the diagram below.

Windows 2008/Vista/7 ARP Cache

1360422920.604391 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:152) (ttl 128, id 311, len 60)
...
1360422949.068248 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:171) (ttl 128, id 330, len 60)
...
1360422952.102077 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:173) (ttl 128, id 332, len 60)

Password Recovery – Nexus 5548

Recently I had to recover the admin password on a Nexus 5548. The Cisco doc was a little bit unclear, so I figured I’d make some notes on it.

First, reboot the switch. The power supplies on these don’t have an on/off switch, so you’ll have to pull the power cable.

When you see the output “Loading system…”, press the break sequence Ctrl+]. This will bring you into boot mode:


Version 2.00.1201. Copyright (C) 2009 American Megatrends, Inc.
Booting kickstart image: bootflash:/n5000-uk9-kickstart.5.2.1.N1.1b.bin....
...............................................................................
........................Image verification OK

INIT: I2C - Mezz absent
Starting system POST.....
  Executing Mod 1 1 SEEPROM Test:...done (0 seconds)
  Executing Mod 1 1 GigE Port Test:....done (32 seconds)
  Executing Mod 1 1 PCIE Test:.................done (0 seconds)
  Mod 1 1 Post Completed Successfully
POST is completed
can't create lock file /var/lock/mtab~193: No such file or directory (use -n flag to override)
nohup: redirecting stderr to stdout
autoneg unmodified, ignoring
autoneg unmodified, ignoring
Checking all filesystems....r. done.
^]Loading system  <

I was interested to see what commands are available in this mode; there are a few that I’ll use for the recovery (->):

switch(boot)# ?

Layer 2 ASA And OSPF

L2 ASA OSPF

So recently I had to configure an OSPF adjacency between two routers.

I thought that simply permitting multicast traffic to the All OSPF Routers and All DR/BDR Routers addresses would let OSPF Hellos cross the link and allow OSPF adjacencies to form. In fact, what I saw was the routers entering the EXSTART state and the neighbourship failing. I checked the manual: for an OSPF adjacency to form, the following conditions need to be satisfied:

- Area IDs need to match

- Neighbours need to be on the same subnet

- MTUs need to match

- Hello/Dead timers need to match

- Authentication (if any is configured)

So, what I saw was the routers entering the EXSTART state and the neighbourship dropping. Bear in mind, at this point, the only thing permitted through the firewall both ways was multicast traffic to 224.0.0.5 (the AllSPF Routers multicast address) using the OSPF protocol (IP protocol 89). So for some reason the DBD exchange was not taking place.

My initial reaction was to check the MTU size. I’d seen a similar issue before where an MTU mismatch (jumbo frames on one side, 1500 bytes on the other side) meant that while the non-backbone area’s routes made ...

PBR – Policy Based Routing using Route map

How does the internet work - We know what is networking

About Policy-Based Routing: Policy-Based Routing (PBR) gives you a very simple way of controlling where packets will be forwarded before they enter the router's destination-based routing process. It’s a technology that gives you more control over network traffic flow, because you will not always want to send certain packets by the obvious […]
