EIGRP – Prefix filtering

Spent the day doing a bunch of different filtering techniques in EIGRP and stumbled upon something new regarding metric filtering that I haven’t seen before so felt like it was worth a post. 🙂

Lab 1 – Filtering with prefix-lists

  • Configure a prefix-list on R4 that only blocks its loopback out on Gi1.45
  • Configure a prefix-list on R1 so it doesn’t accept any updates from R4 on Gi1.146

Before we start our filtering our routing table should look something like this:

R4#sh ip route eigrp | beg Gate
Gateway of last resort is not set

150.1.0.0/32 is subnetted, 10 subnets
D 150.1.1.1 [90/130816] via 155.1.146.1, 00:49:27, GigabitEthernet1.146
D 150.1.2.2 [90/131328] via 155.1.146.1, 00:01:19, GigabitEthernet1.146
D 150.1.3.3 [90/131072] via 155.1.146.1, 00:28:38, GigabitEthernet1.146
D 150.1.5.5 [90/130816] via 155.1.45.5, 00:49:30, GigabitEthernet1.45
D 150.1.6.6 [90/130816] via 155.1.146.6, 00:49:27, GigabitEthernet1.146
D 150.1.7.7 [90/131072] via 155.1.146.6, 00:49:11, GigabitEthernet1.146
D 150.1.8.8 [90/131072] via 155.1.45.5, 00:49:30, GigabitEthernet1.45
D 150.1.9.9 [90/131328] via 155.1.146.6, 00:49:11, GigabitEthernet1.146
D 150.1.10.10 [90/131328] via 155.1.45.5, 00:49:30, GigabitEthernet1.45
155.1.0.0/16 is variably subnetted, 18 subnets, 2 masks
D 155.1.5.0/24 [90/3072] via 155.1.45.5, 00:49:30, GigabitEthernet1.45
D 155.1.7.0/24 
[90/3328] via 155.1.146.6, 00:49:11, GigabitEthernet1.146
D 155.1.8.0/24 [90/3328] via 155.1.45.5, 00:49:30, GigabitEthernet1.45
D 155.1.9.0/24 
[90/3584] via 155.1.146.6, 00:49:11, GigabitEthernet1.146
D 155.1.10.0/24 [90/3584] via 155.1.45.5, 00:49:30, GigabitEthernet1.45
D 155.1.13.0/24 
[90/3072] via 155.1.146.1, 00:49:27, GigabitEthernet1.146
D 155.1.23.0/24 
[90/3328] via 155.1.146.1, 00:28:38, GigabitEthernet1.146
D 155.1.37.0/24 
[90/3328] via 155.1.146.6, 00:28:38, GigabitEthernet1.146
[90/3328] via 155.1.146.1, 00:28:38, GigabitEthernet1.146
D 155.1.58.0/24 [90/3072] via 155.1.45.5, 00:49:30, GigabitEthernet1.45
D 155.1.67.0/24 
[90/3072] via 155.1.146.6, 00:49:27, GigabitEthernet1.146
D 155.1.79.0/24 
[90/3328] via 155.1.146.6, 00:49:11, GigabitEthernet1.146
D 155.1.108.0/24 
[90/3328] via 155.1.45.5, 00:49:30, GigabitEthernet1.45

Let’s start by creating a prefix-list that blocks our loopback and permits everything else.

ip prefix-list BLOCK_R4_LOOP deny 150.1.4.4/32
ip prefix-list BLOCK_R4_LOOP permit 0.0.0.0/0 le 32

router eigrp 100
 distribute-list prefix BLOCK_R4_LOOP out Gi1.45

R5 should no longer see the 150.1.4.4/32 over the Gi1.45 link:

R5#sh ip route 150.1.4.4
Routing entry for 150.1.4.4/32
Known via "eigrp 100", distance 90, metric 25984000, type internal
Redistributing via eigrp 100
Last update from 155.1.0.4 on Tunnel0, 00:00:06 ago
Routing Descriptor Blocks:
* 155.1.0.4, from 155.1.0.4, 00:00:06 ago, via Tunnel0
Route metric is 25984000, traffic share count is 1
Total delay is 15000 microseconds, minimum bandwidth is 100 Kbit
Reliability 255/255, minimum MTU 1400 bytes
Loading 2/255, Hops 1

Lab 2 – Filtering with standard ACLs

  • Configure a standard ACL on R9 to filter out all routes sourced from R7 that have an odd number in the third octet

We need an access-list that only matches odd numbers in the third octet, we control this by using our wildcard-mask. In other words the first bit must always be set to 0 for the network to be accepted (even numbers).

access-list 1 permit 0.0.0.0 255.255.254.0  (only check first bit in third octet, must be 0)

router eigrp 100
 distribute-list 1 in GigabitEthernet 1.79

As we can see, the only odd-numbered network found in our routing table now is R9s own 150.1.9.9/32.

R9#sh ip route | beg Gate
Gateway of last resort is not set

150.1.0.0/32 is subnetted, 6 subnets
D 150.1.2.2 [90/131328] via 155.1.79.7, 00:12:23, GigabitEthernet1.79
D 150.1.4.4 [90/131328] via 155.1.79.7, 01:00:16, GigabitEthernet1.79
D 150.1.6.6 [90/131072] via 155.1.79.7, 01:00:16, GigabitEthernet1.79
D 150.1.8.8 [90/131840] via 155.1.79.7, 01:00:16, GigabitEthernet1.79
C 150.1.9.9 is directly connected, Loopback0
D 150.1.10.10 [90/132096] via 155.1.79.7, 01:00:16, GigabitEthernet1.79

Lab 3 – Filtering with extended ACLs

  • Shutdown R5s ethernetlink to R4
  • Use only extended ACLs to achieve the following:
    • Reroute traffic destined to R4 & R6 Loopbacks to go via R2
    • Reroute traffic destined to R1 & R2 Loopbacks to go via R3
    • Reroute traffic destined to R7 & R9 Loopbacks to go via R1

When we use extended ACLs with distribute-lists remember that the source-field represents the update-source and destination-field the network address. By only closing R5’s Gi1.45 link the routing table looks like this, most of the traffic is routed over the DMVPN-cloud:

R5#sh ip route | beg Gate
Gateway of last resort is not set

150.1.0.0/32 is subnetted, 10 subnets
D 150.1.1.1 [90/25984000] via 155.1.0.1, 00:00:09, Tunnel0
D 150.1.2.2 [90/25984000] via 155.1.0.2, 00:00:09, Tunnel0
D 150.1.3.3 [90/25984000] via 155.1.0.3, 00:00:09, Tunnel0
D 150.1.4.4 [90/25984000] via 155.1.0.4, 00:00:09, Tunnel0
C 150.1.5.5 is directly connected, Loopback0
D 150.1.6.6 [90/25984256] via 155.1.0.4, 00:00:09, Tunnel0
[90/25984256] via 155.1.0.1, 00:00:09, Tunnel0
D 150.1.7.7 [90/25984256] via 155.1.0.3, 00:00:09, Tunnel0
D 150.1.8.8 [90/130816] via 155.1.58.8, 00:22:56, GigabitEthernet1.58
D 150.1.9.9 [90/25984512] via 155.1.0.3, 00:00:09, Tunnel0
D 150.1.10.10 [90/131072] via 155.1.58.8, 00:22:56, GigabitEthernet1.58
155.1.0.0/16 is variably subnetted, 18 subnets, 2 masks
C 155.1.0.0/24 is directly connected, Tunnel0
L 155.1.0.5/32 is directly connected, Tunnel0
C 155.1.5.0/24 is directly connected, GigabitEthernet1.5
L 155.1.5.5/32 is directly connected, GigabitEthernet1.5
D 155.1.7.0/24 [90/25856512] via 155.1.0.3, 00:00:09, Tunnel0
D 155.1.8.0/24 [90/3072] via 155.1.58.8, 00:22:15, GigabitEthernet1.58
D 155.1.9.0/24 [90/25856768] via 155.1.0.3, 00:00:09, Tunnel0
D 155.1.10.0/24 [90/3328] via 155.1.58.8, 00:22:15, GigabitEthernet1.58
D 155.1.13.0/24 [90/25856256] via 155.1.0.3, 00:00:09, Tunnel0
[90/25856256] via 155.1.0.1, 00:00:09, Tunnel0
D 155.1.23.0/24 [90/25856256] via 155.1.0.3, 00:00:09, Tunnel0
[90/25856256] via 155.1.0.2, 00:00:09, Tunnel0
D 155.1.37.0/24 [90/25856256] via 155.1.0.3, 00:00:09, Tunnel0
D 155.1.45.0/24 [90/25856256] via 155.1.0.4, 00:00:09, Tunnel0
C 155.1.58.0/24 is directly connected, GigabitEthernet1.58
L 155.1.58.5/32 is directly connected, GigabitEthernet1.58
D 155.1.67.0/24 [90/25856512] via 155.1.0.4, 00:00:09, Tunnel0
[90/25856512] via 155.1.0.3, 00:00:09, Tunnel0
[90/25856512] via 155.1.0.1, 00:00:09, Tunnel0
D 155.1.79.0/24 [90/25856512] via 155.1.0.3, 00:00:09, Tunnel0
D 155.1.108.0/24 
[90/3072] via 155.1.58.8, 00:22:15, GigabitEthernet1.58
D 155.1.146.0/24 [90/25856256] via 155.1.0.4, 00:00:09, Tunnel0
[90/25856256] via 155.1.0.1, 00:00:09, Tunnel0

There might be a much easier way to do this, but the way I solved it was by blocking all possible “alternative” routes learned in the DMVPN so only the targeted router was accepted as a valid update-source. So if we start with R4 & R6 that we’re supposed to be routed towards R2, lets first create access-list that deny R1, R3 & R5 as update-sources for 150.1.4.4/32.

! R5
access-list 100 deny ip host 155.1.0.1 host 150.1.4.4
access-list 100 deny ip host 155.1.0.3 host 150.1.4.4
access-list 100 deny ip host 155.1.0.4 host 150.1.4.4
access-list 100 permit ip any any

router eigrp 100
distribute-list 100 in Tunnel0

The only way to reach 150.1.4.4 over the DMVPN should now be 155.1.0.2.

R5#sh ip route 150.1.4.4
Routing entry for 150.1.4.4/32
Known via "eigrp 100", distance 90, metric 25984768, type internal
Redistributing via eigrp 100
Last update from 155.1.0.2 on Tunnel0, 00:00:14 ago

To adjust the rest of the networks we just have do modify our ACL with more entries.

! R5
no access-list 100
! Filter for R4
access-list 100 deny ip host 155.1.0.1 host 150.1.4.4
access-list 100 deny ip host 155.1.0.3 host 150.1.4.4
access-list 100 deny ip host 155.1.0.4 host 150.1.4.4
! Filter for R6
access-list 100 deny ip host 155.1.0.1 host 150.1.6.6
access-list 100 deny ip host 155.1.0.3 host 150.1.6.6
access-list 100 deny ip host 155.1.0.4 host 150.1.6.6
! Filter for R1
access-list 100 deny ip host 155.1.0.1 host 150.1.1.1
access-list 100 deny ip host 155.1.0.2 host 150.1.1.1
access-list 100 deny ip host 155.1.0.4 host 150.1.1.1
! Filter for R2
access-list 100 deny ip host 155.1.0.1 host 150.1.2.2
access-list 100 deny ip host 155.1.0.2 host 150.1.2.2
access-list 100 deny ip host 155.1.0.4 host 150.1.2.2
! Filter for R7
access-list 100 deny ip host 155.1.0.2 host 150.1.7.7
access-list 100 deny ip host 155.1.0.3 host 150.1.7.7
access-list 100 deny ip host 155.1.0.4 host 150.1.7.7
! Filter for R9
access-list 100 deny ip host 155.1.0.2 host 150.1.9.9
access-list 100 deny ip host 155.1.0.3 host 150.1.9.9
access-list 100 deny ip host 155.1.0.4 host 150.1.9.9
! Permit rest
access-list 100 permit ip any any

Loopback prefixes for R4 & R6 should now be routed to R2, R1 & R2 to R3, R7 & R9 to R1.

R5#sh ip route | inc 150.1 
150.1.0.0/32 is subnetted, 10 subnets
D 150.1.1.1 [90/25984256] via 155.1.0.3, 00:00:16, Tunnel0
D 150.1.2.2 [90/25984256] via 155.1.0.3, 00:00:16, Tunnel0
D 150.1.3.3 [90/25984000] via 155.1.0.3, 00:02:42, Tunnel0
D 150.1.4.4 [90/25984768] via 155.1.0.2, 00:02:40, Tunnel0
C 150.1.5.5 is directly connected, Loopback0
D 150.1.6.6 [90/25984768] via 155.1.0.2, 00:00:15, Tunnel0
D 150.1.7.7 [90/25984512] via 155.1.0.1, 00:00:16, Tunnel0
D 150.1.8.8 [90/130816] via 155.1.58.8, 00:08:37, GigabitEthernet1.58
D 150.1.9.9 [90/25984768] via 155.1.0.1, 00:00:16, Tunnel0
D 150.1.10.10 [90/131072] via 155.1.58.8, 00:08:37, GigabitEthernet1.58

Lab 4 – Filtering with Offset Lists

  • Configure an offset-list on R7 so traffic to 150.1.3.3/32 is routed to R6
  • If the link to R6 is down, traffic should be rerouted directly to R3

Before we do any changes, here is how R7 sees the 150.1.3.3 network currently.

R7#sh ip eigrp topology 150.1.3.3/32
EIGRP-IPv4 Topology Entry for AS(100)/ID(150.1.7.7) for 150.1.3.3/32
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 130816
Descriptor Blocks:
155.1.37.3 (GigabitEthernet1.37), from 155.1.37.3, Send flag is 0x0
Composite metric is (130816/128256), route is Internal
Vector metric:
Minimum bandwidth is 1000000 Kbit
Total delay is 5010 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
Originating router is 150.1.3.3

As R7 has a direct link to R3 with a decently low feasible distance, there’s no alternative route that matches the feasibility condition (adv. distance lower than 130816). But by making the current route less attractive we should be able to make R7 prefer the route to R6 instead as long as it’s up. First we create a simple ACL that matches our network.

access-list 1 permit host 150.1.3.3

We then offset the metric of our current route to make it less desirable.

router eigrp 100
 offset-list 1 in 10000 Gi1.37

Our routing table in R7 looks like this after the changes:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 155.1.37.3 (GigabitEthernet1.37) is resync: intf route configuration changed
R7#sh ip eigrp topology 150.1.3.3/32
EIGRP-IPv4 Topology Entry for AS(100)/ID(150.1.7.7) for 150.1.3.3/32
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131328
Descriptor Blocks:
155.1.67.6 (GigabitEthernet1.67), from 155.1.67.6, Send flag is 0x0
Composite metric is (131328/131072), route is Internal
Vector metric:
Minimum bandwidth is 1000000 Kbit
Total delay is 5030 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 3
Originating router is 150.1.3.3
155.1.37.3 (GigabitEthernet1.37), from 155.1.37.3, Send flag is 0x0
Composite metric is (140816/138256), route is Internal
Vector metric:
Minimum bandwidth is 1000000 Kbit
Total delay is 5400 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
Originating router is 150.1.3.3

R7# sh ip route 150.1.3.3
Routing entry for 150.1.3.3/32
Known via "eigrp 100", distance 90, metric 131328, type internal
Redistributing via eigrp 100
Last update from 155.1.67.6 on GigabitEthernet1.67, 00:01:19 ago
Routing Descriptor Blocks:
* 155.1.67.6, from 155.1.67.6, 00:01:19 ago, via GigabitEthernet1.67
Route metric is 131328, traffic share count is 1
Total delay is 5030 microseconds, minimum bandwidth is 1000000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 3

As we’re still receiving the route from R3 we have a backup if our link to R6 goes down.

Lab 5 – Filtering with administrative distance

  • Configure AD filtering on R3 so traffic towards 150.1.7.7 is sent to R1

Should be pretty easy, as you maybe know we can set AD on either route or by neighbor + route, in our case we need to do the latter.

access-list 1 permit host 150.1.7.7

router eigrp 100
 distance 255 155.1.37.7 0.0.0.0 1

R3#sh ip route 150.1.7.7 
Routing entry for 150.1.7.7/32
Known via "eigrp 100", distance 90, metric 131328, type internal
Redistributing via eigrp 100
Last update from 155.1.13.1 on GigabitEthernet1.13, 00:00:37 ago
Routing Descriptor Blocks:
* 155.1.13.1, from 155.1.13.1, 00:00:37 ago, via GigabitEthernet1.13
Route metric is 131328, traffic share count is 1
Total delay is 5030 microseconds, minimum bandwidth is 1000000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 3

Lab 6 – Filtering with Route maps

This lab had something new that I haven’t seen before. The requirements we’re as follows:

  • Configure on R4:
    • Loopback1 – 160.1.4.4/32, redistribute to EIGRP with tag 4
    • Loopback2 – 170.1.4.4/32, redistribute to EIGRP
  • Configure a route-filter on R2 that denies routes with tag 4
  • Configure a route-filter on R3 that denies routes with a metric between 120000 – 140000
  • Filters should not affect any other routes advertised

Let’s start with the R4, shouldn’t be anything tricky. We need two prefix-lists to match the different Loopbacks and a route-map to tag the desired route.

!! R4
interface Lo1
 ip add 160.1.4.4 255.255.255.255

interface Lo2
 ip add 170.1.4.4 255.255.255.255

ip prefix-list 160 permit 160.1.4.4/32
ip prefix-list 170 permit 170.1.4.4/32

route-map TAG permit 10
 match ip address prefix-list 160
 set tag 4
route-map TAG permit 20
 match ip address prefix-list 170

router eigrp 100
 redistribute connected route-map TAG

If we check the routes learned on R2 now 160.1.4.4/32 should be tagged.

Routing entry for 160.1.4.4/32
Known via "eigrp 100", distance 170, metric 131328
Tag 4, type external
Redistributing via eigrp 100
Last update from 155.1.23.3 on GigabitEthernet1.23, 00:02:55 ago
Routing Descriptor Blocks:
* 155.1.23.3, from 155.1.23.3, 00:02:55 ago, via GigabitEthernet1.23
Route metric is 131328, traffic share count is 1
Total delay is 5030 microseconds, minimum bandwidth is 1000000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 3
Route tag 4

R2#sh ip route 170.1.4.4
Routing entry for 170.1.4.4/32
Known via "eigrp 100", distance 170, metric 131328, type external
Redistributing via eigrp 100
Last update from 155.1.23.3 on GigabitEthernet1.23, 00:02:59 ago
Routing Descriptor Blocks:
* 155.1.23.3, from 155.1.23.3, 00:02:59 ago, via GigabitEthernet1.23
Route metric is 131328, traffic share count is 1
Total delay is 5030 microseconds, minimum bandwidth is 1000000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 3

Looks good! Now just have to do a route-map and filter our incoming routes on R2.

route-map BLOCK_TAG4 deny 10
 match tag 4
route-map BLOCK_TAG4 permit 20

router eigrp 100
 distribute-list route-map BLOCK_TAG4 in

We should now only see the 170.1.4.4 in R2.

R2#sh ip route eigrp | inc EX
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
D EX 170.1.4.4 [170/131328] via 155.1.23.3, 00:05:21, GigabitEthernet1.23

R2#sh ip route 160.1.4.4 
% Network not in table

R2#sh ip eigrp topology 160.1.4.4/32
EIGRP-IPv4 Topology Entry for AS(100)/ID(150.1.2.2)
%Entry 160.1.4.4/32 not in topology table

And the final step, filter out routes based on metric. Before configuring anything our routing table looks like this on R2:

150.1.0.0/32 is subnetted, 10 subnets
D 150.1.1.1 [90/130816] via 155.1.13.1, 00:09:51, GigabitEthernet1.13
D 150.1.2.2 [90/130816] via 155.1.23.2, 00:09:51, GigabitEthernet1.23
C 150.1.3.3 is directly connected, Loopback0
D 150.1.4.4 [90/131072] via 155.1.13.1, 00:09:51, GigabitEthernet1.13
D 150.1.5.5 [90/131328] via 155.1.13.1, 00:09:51, GigabitEthernet1.13
D 150.1.6.6 [90/131072] via 155.1.37.7, 00:09:51, GigabitEthernet1.37
[90/131072] via 155.1.13.1, 00:09:51, GigabitEthernet1.13
D 150.1.7.7 [90/130816] via 155.1.37.7, 00:09:51, GigabitEthernet1.37
D 150.1.8.8 [90/131584] via 155.1.13.1, 00:09:51, GigabitEthernet1.13
D 150.1.9.9 [90/131072] via 155.1.37.7, 00:09:51, GigabitEthernet1.37
D 150.1.10.10 [90/131840] via 155.1.13.1, 00:09:51, GigabitEthernet1.13

Matching by metric was new to me but it was pretty easy to find the command as it had to be done with a route-map in my mind. We use the match statement with metric, which has the following options:

R3(config-route-map)#match metric ?
<1-4294967295> Metric value
external match route using external protocol metric
R3(config-route-map)#match metric 120000 ?
+- deviation option to match metric in a range
<1-4294967295> Metric value

For us to match metrics between 120,000 – 140,000 we set the “average” and use deviation-option.

!! R3
route-map BLOCK_METRIC deny 10
match metric 130000 +- 10000
route-map BLOCK_METRIC permit 20

router eigrp 100
distribute-list route-map BLOCK_METRIC in

The 150.1.x.x we’re earlier routed via Gi1.13 & Gi1.37 but should now be filtered out and now take a worse route with metrics above 140k.

R3#sh ip route | inc 150.1
150.1.0.0/32 is subnetted, 10 subnets
D 150.1.1.1 [90/27264000] via 155.1.0.5, 00:04:17, Tunnel0
D 150.1.2.2 [90/27264000] via 155.1.0.5, 00:04:17, Tunnel0
C 150.1.3.3 is directly connected, Loopback0
D 150.1.4.4 [90/27264000] via 155.1.0.5, 00:04:17, Tunnel0
D 150.1.5.5 [90/27008000] via 155.1.0.5, 00:16:14, Tunnel0
D 150.1.6.6 [90/27264256] via 155.1.0.5, 00:04:17, Tunnel0
D 150.1.7.7 [90/27264512] via 155.1.0.5, 00:04:17, Tunnel0
D 150.1.8.8 [90/27008256] via 155.1.0.5, 00:16:14, Tunnel0
D 150.1.9.9 [90/27264768] via 155.1.0.5, 00:04:17, Tunnel0
D 150.1.10.10 [90/27008512] via 155.1.0.5, 00:16:14, Tunnel0

Sweet! Reading is going pretty well currently, I sort of finished “Routing on IOS, IOS XE, IOS XR”, jumping over the chapters I haven’t read anything about yet (multicast/bgp/route manipulation etc to backtrack later). Just started “Internet Routing Architectures” that seems to be focused solely on BGP, fun times! 🙂

 

EIGRP – Poisoned floating summary-routes

Another cool little lab showcasing a new/redesigned functionality that apparently was introduced in IOS 15.x  that was new to me. The lab has the following requirements:

  • Configure EIGRP Classic on R4, R5 & R8 with AS100, only enable it on the .45.0 & .58.0 segments
  • Configure loopbacks on R4 & R5 with subnet 160.1.x.x/24 (x – router id) and advertise them
  • Advertise a summary default-route from R4
  • Advertise a summary route of the two 16.0.1.x.x/24 routes without overlap on R5 to R8
  • Modify the summary route of R5 so a null0 route isn’t installed

All basic steps until the last one so no explanation needed I feel. Keeping up with writing the full config in notepad only is starting to pay of as well, improving both speed and overall knowledge of syntax. Highly recommended! 🙂

! R4

interface Lo1
 ip add 160.1.4.4 255.255.255.0

router eigrp 100
 network 155.1.45.0 0.0.0.255 
 network 160.1.4.0 0.0.0.255

interface Gi1.45
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0

! R5

interface Lo1
 ip add 160.1.5.5 255.255.255.0

router eigrp 100
 network 155.1.45.0 0.0.0.255
 network 155.1.58.0 0.0.0.255
 network 160.1.5.0 0.0.0.255

interface Gi1.58
 ip summary-address eigrp 100 160.1.4.0 255.255.254.0

! R8

router eigrp 100
 network 155.1.58.0 0.0.0.255

Checking the routes in R8 confirms that we “should” have connectivity to the two loopbacks.

R8#sh ip route eigrp | beg Gate
Gateway of last resort is 155.1.58.5 to network 0.0.0.0

D* 0.0.0.0/0 [90/3328] via 155.1.58.5, 00:18:58, GigabitEthernet1.58
155.1.0.0/16 is variably subnetted, 7 subnets, 2 masks
D 155.1.45.0/24 [90/3072] via 155.1.58.5, 00:18:58, GigabitEthernet1.58
160.1.0.0/23 is subnetted, 1 subnets
D 160.1.4.0 [90/130816] via 155.1.58.5, 00:00:43, GigabitEthernet1.58

But ping is still failing to R4:

R8#ping 160.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.1.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R8#ping 160.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms

How come? All summary-routes created in ex. EIGRP & OSPF will also add a Null0-route to avoid routing-loops! As we only have a default-route to R4 longest match will hit our null0-route instead for 160.1.4.4.

R5#sh ip route eigrp | beg Gate
Gateway of last resort is 155.1.45.4 to network 0.0.0.0

D* 0.0.0.0/0 [90/3072] via 155.1.45.4, 00:22:19, GigabitEthernet1.45
160.1.0.0/16 is variably subnetted, 3 subnets, 3 masks
D 160.1.4.0/23 is a summary, 00:04:05, Null0

R5#sh ip cef 160.1.4.0 
160.1.4.0/23
attached to Null0

So how do we fix this? As mentioned a new feature was added to EIGRP in 15.x (I think in previous versions something similar was done on the interface instead). We can adjust the AD of our summary-route, and by setting it to 255 it will be deemed invalid (poisoned) and not installed in our routing table.

! R5
router eigrp 100
 summary 160.1.4.0/23 distance 255

The summary-route is still active in a way as our router will keep suppressing the advertisements of  160.1.5.0/24 and just forward the default-route instead.

R5#sh ip route eigrp | beg Gate
Gateway of last resort is 155.1.45.4 to network 0.0.0.0

D* 0.0.0.0/0 [90/3072] via 155.1.45.4, 00:26:02, GigabitEthernet1.45

We can now reach both R4 & R5’s loopback from R8.

R8#ping 160.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms

R8#ping 160.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

EIGRP Classic & Named mode – Leak-maps

Back from my vacation in Greece! Took a break from everything network-related to recharge but now i’m all set to keep crunching both labs & books. Currently fighting my way thru “IP Routing on IOS, IOS XE and IOS XR – An essential guide to understanding & implementing IP Routing Protocols” (2.1k pages – yikes… ). Trying to get back into the groove with an easier lab on EIGRP Leak-maps down below:

Requirements:

  • Configure Classic mode on R4 & R5 with AS100 and enable over both ethernet + DMVPN
  • Configure Named mode on R1, R3, R6 & R7 with AS200 and enable over 155.1.0.0/16
  • Configure loopbacks on R4 and redistribute to EIGRP
    • Lo40 -4.0.0.4/24
    • Lo41 – 4.0.1.4/24
  • Configure loopbacks on R6 and redistribute to EIGRP
    • Lo60 – 6.0.0.6/24
    • Lo61 – 6.0.1.6/24
  • Configure default summary-routes on R4 & R6  to be advertised instead of Loopbacks
  • Configure a leak-map on R4 for traffic to Lo40 to be routed via DMVPN
  • Configure a leak-map on R6 for traffic to Lo60 to be routed via R3 from R1
  • If the DMVPN is down, traffic should still be rerouted on the backup-path

Let’s start with the easy part and configure EIGRP, Loopbacks and redistribution:

!! General

! R4 & R5

router eigrp 100
 network 155.1.0.0 0.0.255.255
 network 150.0.0.0 0.0.0.255

! R1, R3, R6, R7

router eigrp MULTI-AF
 address-family ipv4 auto 200
  network 155.1.0.0 0.0.255.255

!! Loopbacks
! R4

int Lo40
 ip add 4.0.0.4 255.255.255.0
int Lo41
 ip add 4.0.1.4 255.255.255.0

router eigrp 100
 redistribute connected

! R6

int Lo60
 ip add 6.0.0.6 255.255.255.0
int Lo61
 ip add 6.0.1.6 255.255.255.0

router eigrp MULTI-AF
 address-family ipv4 auto 200
  topology base 
   redistribute connected

We should now have the baseline working.

R5#sh ip route eigrp | beg Gate
Gateway of last resort is not set

4.0.0.0/24 is subnetted, 2 subnets
D EX 4.0.0.0 [170/130816] via 155.1.45.4, 00:18:52, GigabitEthernet1.45
D EX 4.0.1.0 [170/130816] via 155.1.45.4, 00:18:52, GigabitEthernet1.45
150.1.0.0/32 is subnetted, 2 subnets
D EX 150.1.4.4 [170/130816] via 155.1.45.4, 00:18:52, GigabitEthernet1.45

R1#sh ip route eigrp | beg Gate
Gateway of last resort is not set

6.0.0.0/24 is subnetted, 2 subnets
D EX 6.0.0.0 [170/10880] via 155.1.146.6, 00:14:51, GigabitEthernet1.146
D EX 6.0.1.0 [170/10880] via 155.1.146.6, 00:14:51, GigabitEthernet1.146
150.1.0.0/32 is subnetted, 2 subnets
D EX 150.1.6.6 [170/10880] via 155.1.146.6, 00:14:51, GigabitEthernet1.146
155.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
D 155.1.7.0/24 
[90/20480] via 155.1.146.6, 00:15:53, GigabitEthernet1.146
[90/20480] via 155.1.13.3, 00:15:53, GigabitEthernet1.13
D 155.1.37.0/24 
[90/15360] via 155.1.13.3, 00:15:53, GigabitEthernet1.13
D 155.1.67.0/24 
[90/15360] via 155.1.146.6, 00:15:53, GigabitEthernet1.146
D 155.1.79.0/24 
[90/20480] via 155.1.146.6, 00:15:53, GigabitEthernet1.146
[90/20480] via 155.1.13.3, 00:15:53, GigabitEthernet1.13

Let’s add our summary-routes to R4 & R6:

!! Summary default-route

! R4
int Gi1.45
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
int Tu0
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0

! R6
router eigrp MULTI-AF
 address-family ipv4 auto 200
  af-interface Gi1.67
   summary-address 0.0.0.0 0.0.0.0
  af-interface Gi1.146
   summary-address 0.0.0.0 0.0.0.0

As we’re doing summarization our loopbacks advertisements will be suppressed and replaced with an internal 0.0.0.0/0 route:

R1#sh ip route eigrp | beg Gate
Gateway of last resort is 155.1.146.6 to network 0.0.0.0

D* 0.0.0.0/0 [90/10880] via 155.1.146.6, 00:01:30, GigabitEthernet1.146
155.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
D 155.1.7.0/24 [90/20480] via 155.1.13.3, 00:01:30, GigabitEthernet1.13
D 155.1.37.0/24 
[90/15360] via 155.1.13.3, 00:01:30, GigabitEthernet1.13
D 155.1.67.0/24 
[90/20480] via 155.1.13.3, 00:01:30, GigabitEthernet1.13
D 155.1.79.0/24 
[90/20480] via 155.1.13.3, 00:01:30, GigabitEthernet1.13

R5#sh ip route eigrp | beg Gate
Gateway of last resort is 155.1.45.4 to network 0.0.0.0

D* 0.0.0.0/0 [90/3072] via 155.1.45.4, 00:00:20, GigabitEthernet1.45

Next step is to use a leak-map so traffic going to R4s loopback is routed via DMVPN-cloud instead of the ethernet-segment. This will be easily solved by advertising that specific route out on our Tu0-interface together with our default-route. Longest-match makes routers prefer our specific-route instead of the default to get to 4.0.0.4. To implement this we use a “leak-map”, I found it in the official DOC here & here.

!! Leak-map

! R4
ip prefix-list LOOP permit 4.0.0.4/24

route-map LEAK permit 10
 match ip add prefix-list LOOP

int Tu0
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0 leak-map LEAK

Neighbors will do a graceful-restart and then the results should be visible in R5:

R5#sh ip route eigrp | beg Gate
Gateway of last resort is 155.1.45.4 to network 0.0.0.0

D* 0.0.0.0/0 [90/3072] via 155.1.45.4, 00:07:01, GigabitEthernet1.45
4.0.0.0/24 is subnetted, 1 subnets
D EX 4.0.0.0 [170/25984000] via 155.1.0.4, 00:00:05, Tunnel0

R5#ping 4.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms

If we close our Tunnel-interface traffic will still be routed over the default-route to Gi1.45.

! R4
int Tu0
 shut

R5#sh ip route eigrp | beg Gate
Gateway of last resort is 155.1.45.4 to network 0.0.0.0

D* 0.0.0.0/0 [90/3072] via 155.1.45.4, 00:09:36, GigabitEthernet1.45

R5#ping 4.0.0.4 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms

Sweet! Now we just have to do the same thing in R6, by leaking our route on the Gi1.67-interface R1 will prefer the route to R3 over going directly to R6 for reaching 6.0.0.0/24.

!! Leak-map

! R6
ip prefix-list LOOP permit 6.0.0.6/24

route-map LEAK permit 10
 match ip add prefix-list LOOP

router eigrp MULTI-AF
 address-family ipv4 auto 200
  af-interface gi1.67
   summary-address 0.0.0.0 0.0.0.0 leak-map LEAK

Let’s check R1 again:

R1#sh ip route eigrp | beg Gate
Gateway of last resort is 155.1.146.6 to network 0.0.0.0

D* 0.0.0.0/0 [90/10880] via 155.1.146.6, 00:11:33, GigabitEthernet1.146
6.0.0.0/24 is subnetted, 1 subnets
D EX 6.0.0.0 [170/21120] via 155.1.13.3, 00:00:20, GigabitEthernet1.13
155.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
D 155.1.7.0/24 [90/20480] via 155.1.13.3, 00:11:33, GigabitEthernet1.13
D 155.1.37.0/24 
[90/15360] via 155.1.13.3, 00:11:33, GigabitEthernet1.13
D 155.1.67.0/24 
[90/20480] via 155.1.13.3, 00:11:33, GigabitEthernet1.13
D 155.1.79.0/24 
[90/20480] via 155.1.13.3, 00:11:33, GigabitEthernet1.13

All is good! I’m really starting to like EIGRP’s named mode the more I use it, the classic feels so clunky now. Until next time… 🙂

EIGRP Classic & Named mode – Key rotation

My earlier plan to finish reading the “Routing TCP/IP Vol.1” two weeks ago failed miserably. 😀 I’m just about done with the chapters on EIGRP & OSPFv2 currently, it’s crazy how little you actually know after only reading the CCNP-levels of these protocols. This quote sums it up perfectly:

The more you know, the more you know you don’t know.

It sure requires going back quite a few times (at least for me) to be able to grasp all the details and I still have lots of work to do here I feel. Going to spend the weekend watching INE/CBT-videos and doing some labs to “relax” before continuing with OSPFv3 & ISIS. New goal is to be done with this book before I fly to Greece for a week the 25/5, maybe is a bit too much but on the other hand ISIS is more or less completely new for me so I think i’ll need the extra days.

I did this little lab today with a mix of both classic & named EIGRP and it shows the main differences between the modes pretty nicely.

Requirements

  • Configure classic mode on R1 – R4, AS100
  • Configure named-mode on R5, MULTI-AF AS100
  • Enable EIGRP on DMVPN
  • Set clock on R5 to current time and configure as NTP master
  • Configure R1 – R4 to use R5 as NTP-server
  • Authenticate adjacencies on DMVPN using the key-chain “KEY_ROTATION”
    • Key-id 10 password CISCO10
    • Key-id 20 password CISCO20
    • Key 10 should be valid between 00:00:00 Jan 1 1993 to 00:10:00 Jan 1 2030 (and accepted an extra 10min)
    • Key 20 should be valid from 00:00:00 Jan 1 2030
  • Modify R5s clock and verify key-chain switches without losing adjacency

Let’s start with setting up basic EIGRP & NTP first as it usually takes a while for routers to sync.

! R1 - R4
clock set 21:17:00 4 MAY 2018

conf t
ntp server 155.1.0.5

router eigrp 100
 network 150.1.0.0 0.0.255.255 
 network 155.1.0.0 0.0.255.255

! R5
clock set 21:17:00 4 MAY 2018

conf t
ntp master 1

router eigrp MULTI-AF
 address-family ipv4 autonomous-system 100
  network 150.1.0.0 0.0.255.255
  network 155.1.0.0 0.0.255.255
  af-interface Tu0
   no split-horizon

The syntax for named-eigrp looks pretty different from the classic one, the biggest change is that everything is now configured under the EIGRP-process, instead of being spread out like classic mode (authentication/eigrp split-horizon configured on interfaces etc). We should now have connectivity between all routers and NTP synced.

R5#sh ip eigrp neighbors 
EIGRP-IPv4 VR(MULTI-AF) Address-Family Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
 (sec) (ms) Cnt Num
4 155.1.0.1 Tu0 11 00:46:00 50 1398 0 40
2 155.1.0.4 Tu0 13 00:46:50 114 1398 0 31
1 155.1.0.3 Tu0 14 00:46:55 48 1398 0 42
0 155.1.0.2 Tu0 13 00:46:59 91 1398 0 26

R1#sh ntp status
Clock is synchronized, stratum 2, reference is 155.1.0.5 
nominal freq is 250.0000 Hz, actual freq is 249.9998 Hz, precision is 2**10
ntp uptime is 357700 (1/100 of seconds), resolution is 4016
reference time is DE974AC9.62D0E670 (21:10:33.386 UTC Fri May 4 2018)
clock offset is 0.0000 msec, root delay is 3.00 msec
root dispersion is 12.70 msec, peer dispersion is 4.56 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000557 s/s
system poll interval is 128, last update was 423 sec ago.

R1#sh ntp associations detail
155.1.0.5 configured, ipv4, our_master, sane, valid, stratum 1
ref ID .LOCL., time DE974C5E.E7AE16F8 (21:17:18.905 UTC Fri May 4 2018)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 2.16, reach 377, sync dist 9.05
delay 2.00 msec, offset 0.0000 msec, dispersion 4.56, jitter 0.97 msec
precision 2**10, version 4
assoc id 39556, assoc name 155.1.0.5
assoc in packets 64, assoc out packets 64, assoc error packets 22
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rec time DE974C5F.628F5D38 (21:17:19.385 UTC Fri May 4 2018)
xmt time DE974C5F.628F5D38 (21:17:19.385 UTC Fri May 4 2018)
filtdelay = 3.00 3.00 3.00 3.00 3.00 2.00 3.00 3.00
filtoffset = 0.50 -0.50 0.50 0.50 0.50 0.00 -0.50 0.50
filterror = 1.95 1.98 3.97 4.00 5.98 6.01 8.04 8.07
minpoll = 6, maxpoll = 10

Let’s configure our key-chain now, it will look the same on all routers:

! R1 - R4

key chain KEY_ROTATION
 key 10
  accept-lifetime 00:00:00 1 Jan 1993 00:15:00 Jan 1 2030
  send-lifetime 00:00:00 1 Jan 1993 00:05:00 Jan 1 2030
  key-string CISCO10
 key 20
  accept-lifetime 00:00:00 1 Jan 2030 infinite
  send-lifetime 00:00:00 1 Jan 2030 infinite
  key-string CISCO20

By setting the accept-lifetime 10 minutes longer we should avoid losing connectivity when it’s time to roll over to the next key. On classic-mode we enable authentication on the interface and in named-mode under our af-interface.

! R1 - R4

int tu0
 ip authentication key-chain eigrp 100 KEY_ROTATION
 ip authentication mode eigrp 100 md5

! R5

router eigrp MULTI-AF
 address-family ipv4 autonomous-system 100
 af-interface Tu0
  authentication key-chain KEY_ROTATION
  authentication mode md5

Let’s verify again:

R2#debug eigrp packets hello
 (HELLO)
EIGRP Packet debugging is on
R2#
EIGRP: received packet with MD5 authentication, key id = 10
EIGRP: Received HELLO on Tu0 - paklen 60 nbr 155.1.0.5
 AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

R2#show key chain 
Key-chain KEY_ROTATION:
 key 10 -- text "CISCO10"
 accept lifetime (00:00:00 UTC Jan 1 1993) - (00:15:00 UTC Jan 1 2030) [valid now]
 send lifetime (00:00:00 UTC Jan 1 1993) - (00:05:00 UTC Jan 1 2030) [valid now]
 key 20 -- text "CISCO20"
 accept lifetime (00:00:00 UTC Jan 1 2030) - (infinite)
 send lifetime (00:00:00 UTC Jan 1 2030) - (infinite)

Let’s change our clock and see what happens:

! R5

set clock 23:59:00 Dec 31 2029

R5#sh key chain 
Key-chain KEY_ROTATION:
 key 10 -- text "CISCO10"
 accept lifetime (00:00:00 UTC Jan 1 1993) - (00:15:00 UTC Jan 1 2030) [valid now]
 send lifetime (00:00:00 UTC Jan 1 1993) - (00:05:00 UTC Jan 1 2030) [valid now]
 key 20 -- text "CISCO20"
 accept lifetime (00:00:00 UTC Jan 1 2030) - (infinite)
 send lifetime (00:00:00 UTC Jan 1 2030) - (infinite)

R5#sh clock 
00:00:04.531 UTC Tue Jan 1 2030
R5#sh key chain 
Key-chain KEY_ROTATION:
 key 10 -- text "CISCO10"
 accept lifetime (00:00:00 UTC Jan 1 1993) - (00:15:00 UTC Jan 1 2030) [valid now]
 send lifetime (00:00:00 UTC Jan 1 1993) - (00:05:00 UTC Jan 1 2030) [valid now]
 key 20 -- text "CISCO20"
 accept lifetime (00:00:00 UTC Jan 1 2030) - (infinite) [valid now]
 send lifetime (00:00:00 UTC Jan 1 2030) - (infinite) [valid now]

As NTP is horribly slow to converge, or if they just think master is insane with the big change in time, I manually set the time in R1 – R4 to speed things up. Checking debug in R1 we’re still receiving key-10 as it’s still valid with our current config:

EIGRP: received packet with MD5 authentication, key id = 10
EIGRP: Received HELLO on Tu0 - paklen 60 nbr 155.1.0.5
 AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
EIGRP: Sending HELLO on Gi1.146 - paklen 20
 AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

5 minutes later we should see the switch to key-20:

R5#sh clock
00:05:12.716 UTC Tue Jan 1 2030
R5#sh key
R5#sh key chain
Key-chain KEY_ROTATION:
 key 10 -- text "CISCO10"
 accept lifetime (00:00:00 UTC Jan 1 1993) - (00:15:00 UTC Jan 1 2030) [valid now]
 send lifetime (00:00:00 UTC Jan 1 1993) - (00:05:00 UTC Jan 1 2030)
 key 20 -- text "CISCO20"
 accept lifetime (00:00:00 UTC Jan 1 2030) - (infinite) [valid now]
 send lifetime (00:00:00 UTC Jan 1 2030) - (infinite) [valid now]

And in R1 we can see R5 is now using key20 instead without losing adjacency:

EIGRP: received packet with MD5 authentication, key id = 20
EIGRP: Received HELLO on Tu0 - paklen 60 nbr 155.1.0.5

R1#sh ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
 (sec) (ms) Cnt Num
1 155.1.0.5 Tu0 11 01:11:08 46 1398 0 39

Sweet!

 

VRF-Lite & BGP

Tänkte skriva ett kortare inlägg om ett rätt intressant problem jag stötte på tidigare vilket löstes med hjälp av VRF-Lite och lite trixande med BGP. Topologin som önskades var enligt följande:

lightvrf

Länken mot ISP-1 önskades vara primär pga bättre serviceavtal & bandbredd samtidigt som länken till ISP-2 endast skulle användas som backup. Både ISP-1 & 2 genererar en default-route samt annonserar varsitt 10.x.0.0/23-nät. Det fanns även önskemål att AS #666 skulle agera transit mellan ISP-1 & 2.

lightvrfigp

Som IGP användes EIGRP inom AS #666 samt mellan R1 – ISP-1 och OSPF mellan R3 – ISP-2 där respektive länknät redistributas. Detta är egentligen helt onödigt men användes för att göra uppgiften lite mer komplicerad bara. 🙂

Problematiken var dock att ISP-1 & ISP-2 består av en och samma router! Den fysiska topologin ser nämligen ut enligt följande:

lightvrftopologi

Med andra ord behöver vi dela upp R1 till två virtuella routrar med separata routing tables & bgp-adjacencys. Detta löser vi med hjälp av VRF-Lite! 🙂

Låt oss ta och kika lite närmare på konfigen för respektive router.

R2

interface Serial1/0
 ip address 12.0.0.2 255.255.255.252
 description Primary uplink to ISP-1
 no shut
interface Loopback3
 description For testing
 ip address 172.32.0.1 255.255.255.0
 no shut
interface Loopback4
 description For testing
 ip address 172.32.1.1 255.255.255.0
 no shut

interface FastEthernet0/0
 description to MLS1
 ip address 172.16.11.11 255.255.255.0
 ip hello-interval eigrp 101 2
 ip hold-time eigrp 101 6
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 s3cr3t
 ip summary-address eigrp 101 172.32.0.0 255.255.254.0 5
 duplex full
 speed 100
 no shut

IGP-konfig

Då vi endast vill redistributa in länknätet mellan R1 & ISP-1 till EIGRP 101 använde jag en en route-map, passade även på att tagga route’sen om vi skulle behöva utföra någon filtrering senare.

!Internal IGP-routing
router eigrp 101
 redistribute eigrp 666 route-map EIGRP666-EIGRP101
 passive-interface default
 no passive-interface FastEthernet0/1
 network 172.16.0.0
 network 172.32.0.0 0.0.0.255
 network 172.32.1.0 0.0.0.255
 no auto-summary
 eigrp router-id 172.16.99.11

ip prefix-list EIGRP666-EIGRP101 seq 5 permit 12.0.0.0/30

route-map EIGRP666-EIGRP101 permit 10
 match ip address prefix-list EIGRP666-EIGRP101
 set metric 100000 100 255 1 1500
 set tag 1666

route-map EIGRP666-EIGRP101 deny 20

!External IGP routing ISP-1
router eigrp 666
 passive-interface default
 no passive-interface Serial1/0
 network 12.0.0.0 0.0.0.3
 no auto-summary

BGP

Inga konstigheter här, peer-groups för lite mer “kompakt” konfig.

router bgp 666
 no synchronization
 bgp log-neighbor-changes
 network 172.16.0.0
 network 172.32.0.0 mask 255.255.254.0
 redistribute eigrp 666

 neighbor 12.0.0.1 remote-as 65001
 neighbor 12.0.0.1 description ISP-1

 neighbor IBGP peer-group
 neighbor IBGP remote-as 666
 neighbor IBGP next-hop-self
 neigbhor IBGP password s3cr3t

 neighbor 172.16.11.1 peer-group IBGP
 neighbor 172.16.11.1 description MLS1
 neighbor 172.16.13.3 peer-group IBGP
 neighbor 172.16.13.3 description MLS2
 neighbor 172.16.33.33 peer-group IBGP
 neighbor 172.16.33.33 description R3
 no auto-summary

Konfigen är mer eller mindre identisk för R3.

Default-route

Som nämndes tidigare önskades företaget att vi använda denna länk som primär, både ISP-1 & 2 genererade varsin default-route. Att ändra local pref för samtliga routes vi lär oss från ISP-1 hade inte varit något hit då det även skulle påverka trafik vi är transit för. Tänkte istället använda en route-map som sätter en högre local pref endast för default-routen. Vi behöver även se till så att vi ej annonserar default-routen vidare utanför vårat AS.

R2

router bgp 666
 neighbor 12.0.0.1 prefix-list DEFAULT-ROUTE-BLOCK out
 neighbor 12.0.0.1 route-map ISP1-routes in

ip prefix-list DEFAULT-ROUTE-BLOCK seq 5 deny 0.0.0.0/0
ip prefix-list DEFAULT-ROUTE-BLOCK seq 10 permit 0.0.0.0/0 le 32

ip prefix-list default-route seq 5 permit 0.0.0.0/0

route-map ISP1-routes permit 10
 match ip address prefix-list default-route
 set local-preference 150

route-map ISP1-routes permit 20

R3

router bgp 666
 neighbor 13.0.0.1 prefix-list DEFAULT-ROUTE-BLOCK out
 neighbor 13.0.0.1 route-map ISP2-routes in

ip prefix-list DEFAULT-ROUTE-BLOCK seq 5 deny 0.0.0.0/0
ip prefix-list DEFAULT-ROUTE-BLOCK seq 10 permit 0.0.0.0/0 le 32

ip prefix-list default-route seq 5 permit 0.0.0.0/0

route-map ISP2-routes permit 10
 match ip address prefix-list default-route
 set local-preference 110

route-map ISP2-routes permit 20

Vilket ger följande resultat:

R3#sh ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 4
Paths: (2 available, best #1, table Default-IP-Routing-Table)
 Not advertised to any peer
 65001
  172.16.11.11 (metric 30720) from 172.16.11.11 (172.32.1.1)
   Origin IGP, metric 0, localpref 150, valid, internal, best
 65002
  13.0.0.1 from 13.0.0.1 (2.2.2.2)
   Origin IGP, metric 0, localpref 100, valid, external

VRF-Lite / R1

Nu över till det lite roligare. 🙂 VRF:er har vi ju redan konfat i flera tidigare inlägg, så detta är väl inte direkt något nytt men själva användningsområdet  är något jag aldrig stött på tidigare.

interface Loopback1
 ip vrf forwarding ISP-1
 ip address 10.1.0.1 255.255.255.0

interface Loopback2
 ip vrf forwarding ISP-1
 ip address 10.1.1.1 255.255.255.0

interface Loopback3
 ip vrf forwarding ISP-2
 ip address 10.2.0.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface Loopback4
 ip vrf forwarding ISP-2
 ip address 10.2.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface Loopback5
 ip vrf forwarding Shared
 ip address 1.1.1.1 255.255.255.255

interface Loopback6
 ip vrf forwarding Shared
 ip address 2.2.2.2 255.255.255.255

interface Loopback11
description Management - RID
ip address 11.11.11.11 255.255.255.255

interface Serial0/0/0
 description ISP-1 to CustomerA-R1
 ip vrf forwarding ISP-1
 ip address 12.0.0.1 255.255.255.252
 ip summary-address eigrp 666 10.1.0.0 255.255.254.0 5

interface Serial0/0/1
 description ISP-2 to CustomerA-R3
 ip vrf forwarding ISP-2
 ip address 13.0.0.1 255.255.255.252
 ip ospf 1 area 666

Vi konfar först upp några VRF-instanser, shared simulerar i detta fallet externa routes/internet. La även till en export-map för att endast exportera 1.1.1.1/32 och 2.2.2.2/32 från Shared till ISP-1 & ISP-2 vrf:erna.

ip vrf ISP-1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1

ip vrf ISP-2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2

ip vrf Shared
 rd 65000:3
 export map ISP-Loopback-Inject
 route-target export 65000:3
 route-target import 65000:3
 route-target import 65000:1
 route-target import 65000:2

route-map ISP-Loopback-Inject permit 10
 match ip address prefix-list ISP-1
 set extcommunity rt 65000:1 additive

route-map ISP-Loopback-Inject permit 20
 match ip address prefix-list ISP-2
 set extcommunity rt 65000:2 additive

route-map ISP-Loopback-Inject deny 30

IGP

Då vi använder oss av vrf:er måste vi även justera våra IGP-instanser precis som tidigare.

router eigrp 666
 passive-interface default
 no passive-interface Serial0/0/0
 no auto-summary

 address-family ipv4 vrf ISP-1
  network 10.1.0.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
  network 12.0.0.0 0.0.0.3
  no auto-summary
  autonomous-system 666
  exit-address-family
 eigrp router-id 1.1.1.1

router ospf 1 vrf ISP-2
 router-id 2.2.2.2
 log-adjacency-changes
 area 0 range 10.2.0.0 255.255.254.0
 passive-interface default
 no passive-interface Serial0/0/1

BGP

Här stöter vi på ett litet problem då vi endast kan ha en aktiv BGP-instans, dvs skriver vi “router bgp 65001” kan vi ej konfa upp “router bgp 65002” för ISP-2 efteråt.

BGP har ju dock som bekant en hel del roliga funktioner vi kan använda oss av, och i detta fall kan vi lösa problemet med hjälp av “local-as“, “no-prepend” & “replace-as“. Klicka på respektive för mer info, Lostintransit.se har även en läsvärd artikel om detta här!

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 no auto-summary

 address-family ipv4 vrf Shared
  redistribute connected
  no synchronization
  exit-address-family

 address-family ipv4 vrf ISP-2
  neighbor 13.0.0.2 remote-as 666
  neighbor 13.0.0.2 local-as 65002 no-prepend replace-as
  neighbor 13.0.0.2 activate
  neighbor 13.0.0.2 default-originate
  no synchronization
  bgp router-id 2.2.2.2
  network 10.2.0.0 mask 255.255.255.0
  network 10.2.1.0 mask 255.255.255.0
  aggregate-address 10.2.0.0 255.255.254.0 summary-only
  exit-address-family

 address-family ipv4 vrf ISP-1
  neighbor 12.0.0.2 remote-as 666
  neighbor 12.0.0.2 local-as 65001 no-prepend replace-as
  neighbor 12.0.0.2 activate
  neighbor 12.0.0.2 default-originate
  no synchronization
  bgp router-id 1.1.1.1
  network 10.1.0.0 mask 255.255.255.0
  network 10.1.1.0 mask 255.255.255.0
  aggregate-address 10.1.0.0 255.255.254.0 summary-only
  exit-address-family

Vilket ger följande resultat:

R1#sh ip bgp neighbors 12.0.0.1
 BGP neighbor is 12.0.0.1, remote AS 65001, external link
 BGP version 4, remote router ID 1.1.1.1
 BGP state = Established, up for 00:45:25
 Last read 00:00:16, last write 00:00:31, hold time is 180, keepalive interval is 60 seconds

R3#sh ip bgp neighbors 13.0.0.1
 BGP neighbor is 13.0.0.1, remote AS 65002, external link
 BGP version 4, remote router ID 2.2.2.2
 BGP state = Established, up for 00:46:18
 Last read 00:00:05, last write 00:00:21, hold time is 180, keepalive interval is 60 seconds

R2#sh ip bgp vpnv4 vrf ISP-1
 BGP table version is 60, local router ID is 1.1.1.1
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
 r RIB-failure, S Stale
 Origin codes: i - IGP, e - EGP, ? - incomplete
 Network Next Hop Metric LocPrf Weight Path
 Route Distinguisher: 65000:1 (default for vrf ISP-1) VRF Router ID 1.1.1.1
 *> 1.1.1.1/32 0.0.0.0 0 32768 ?
 *> 2.2.2.2/32 12.0.0.2 0 666 65002 ?
 s> 10.1.0.0/24 0.0.0.0 0 32768 i
 r> 10.1.0.0/23 0.0.0.0 32768 i
 s> 10.1.1.0/24 0.0.0.0 0 32768 i
 *> 10.2.0.0/23 12.0.0.2 0 666 65002 i
 *> 13.37.0.0/16 0.0.0.0 0 32768 ?
 *> 172.16.0.0 12.0.0.2 28416 0 666 i
 *> 172.32.0.0/23 12.0.0.2 128256 0 666 i

R2#sh ip bgp vpnv4 vrf ISP-1
 BGP table version is 60, local router ID is 1.1.1.1
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
 r RIB-failure, S Stale
 Origin codes: i - IGP, e - EGP, ? - incomplete
 Network Next Hop Metric LocPrf Weight Path
 Route Distinguisher: 65000:1 (default for vrf ISP-1) VRF Router ID 1.1.1.1
 *> 1.1.1.1/32 0.0.0.0 0 32768 ?
 *> 2.2.2.2/32 12.0.0.2 0 666 65002 ?
 s> 10.1.0.0/24 0.0.0.0 0 32768 i
 r> 10.1.0.0/23 0.0.0.0 32768 i
 s> 10.1.1.0/24 0.0.0.0 0 32768 i
 *> 10.2.0.0/23 12.0.0.2 0 666 65002 i
 *> 13.37.0.0/16 0.0.0.0 0 32768 ?
 *> 172.16.0.0 12.0.0.2 28416 0 666 i
 *> 172.32.0.0/23 12.0.0.2 128256 0 666 i

Vi kan även verifiera att vår transit fungerar som önskat, ISP-1 har följande information för 2.2.2.2/32 som ligger på samma router men under ISP-2s VRF.

R2#sh ip bgp vpnv4 vrf ISP-1 2.2.2.2/32
 BGP routing table entry for 65000:1:2.2.2.2/32, version 50
 Paths: (1 available, best #1, table ISP-1)
 Not advertised to any peer
 666 65002
 12.0.0.2 from 12.0.0.2 (172.16.99.11)
 Origin incomplete, localpref 100, valid, external, best
 Extended Community: RT:65000:1
 mpls labels in/out 31/nolabel

Vackert! VRF-Lite ger oss ett enkelt sätt att segmentera upp en router om vi exempelvis måste separera två avdelningar från varandra som ansluter till en och samma router. Fler läsvärda artiklar om detta finns här:

http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

Inter-VRF routing using VRF-lite

CCNP – MDH Switchprojekt del 2

Har varit lite dåligt med inlägg på senare tid, har pluggat multicast senaste ~2 veckorna men inte riktigt funnit motivationen att skriva inlägg om de mer teoretiska bitarna då det redan finns så oändligt med info om det redan.

Tänkte istället visa några av lösningarna vi använt oss av i switch-projektet som nämdes i tidigare inlägg.

Topologin ser ut enligt följande:

switchprojekt

Vi kör EIGRP på alla L3-enheter, dvs R1-3, S1 & S3.

MSTP

7. Konfigurera MSTP på alla switchar. Lägg VLAN 10 och 20 till instans 1, och VLAN 30 och 99 till instans 2. Gör S1 till spanning-tree root for instans 1 och backup root för instans 2. S3 skall vara root for instans 2 och backuproot för instans 1.

S1

spanning-tree mode mst
spanning-tree mst configuration
 name cisco
 revision 1
 instance 1 vlan 10, 20
 instance 2 vlan 30, 99
!
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672

S2

spanning-tree mode mst
spanning-tree mst configuration
 name cisco
 revision 1
 instance 1 vlan 10, 20
 instance 2 vlan 30, 99

S3

spanning-tree mode mst
spanning-tree mst configuration
 name cisco
 revision 1
 instance 1 vlan 10, 20
 instance 2 vlan 30, 99
!
spanning-tree mst 1 priority 28672
spanning-tree mst 2 priority 24576

HSRP

8. S1 och S3 skall vara gateways för VLANen och ni skall använda HSRP för redundans. för access layer hosts i VLANs 10, 20, 30, and 99.
9. S1 skall vara active HSRP router för VLAN 10 och 20 konfigurera S3 som backup. Konfigurera S3 som active router för VLAN 30 och 99 och S1 som backup för dessa VLAN.

S1

interface Vlan10
 description Client
 ip address 172.16.10.1 255.255.255.0
 ip helper-address 172.16.32.193
 standby 1 ip 172.16.10.254
 standby 1 priority 150
 standby 1 preempt
 no shutdown
!
interface Vlan20
 description Voice
 ip address 172.16.20.1 255.255.255.0
 standby 1 ip 172.16.20.254
 standby 1 priority 150
 standby 1 preempt
 no shutdown
!
interface Vlan30
 description Server
 ip address 172.16.30.1 255.255.255.0
 ip helper-address 172.16.32.193
 standby 2 ip 172.16.30.254
 standby 2 priority 80
 no shutdown
! 
interface Vlan99
 description Management
 ip address 172.16.99.1 255.255.255.0
 standby 2 ip 172.16.99.254
 standby 2 priority 80
 no shutdown

S3

interface Vlan10
 description Client
 ip address 172.16.10.3 255.255.255.0
 ip helper-address 172.16.32.193
 standby 1 ip 172.16.10.254
 standby 1 priority 80
 no shutdown
!
interface Vlan20
 description Voice
 ip address 172.16.20.3 255.255.255.0
 standby 1 ip 172.16.20.254
 standby 1 priority 80
 no shutdown
!
interface Vlan30
 description Server
 ip address 172.16.30.3 255.255.255.0
 ip helper-address 172.16.32.193
 standby 2 ip 172.16.30.254
 standby 2 priority 120
 standby 2 preempt
 no shutdown
!
interface Vlan99
 ip address 172.16.99.3 255.255.255.0
 standby 2 ip 172.16.99.254
 standby 2 priority 120
 standby 2 preempt

EIGRP

16. På S1 och S3 ska ni routa med EIGRP, det som skall synas i routingtabellerna på 2800-routrarna är en manuellt summerad adress av de adresser som finns på S1, S2 och S3. Givetvis skall adresser som används på R1, R2 och R3 summeras på lämpligt sätt om man tittar på det i någon av 3560-switcharna.

Fixade en visio-bild så det blir lite tydligare vad det är som efterfrågas:

summary-projekt

Konfigen för S1 & S3 är väldigt simpel.

S1

interface FastEthernet0/5
 description To R1
 no switchport
 ip address 172.16.11.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 GRPM
 ip summary-address eigrp 1 172.16.0.0 255.255.0.0
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
 mls qos trust dscp
 auto qos trust 
 speed 100
 duplex full

S3

interface FastEthernet0/5
 description To R1
 no switchport
 ip address 172.16.33.3 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 GRPM
 ip summary-address eigrp 1 172.16.0.0 255.255.0.0
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
 mls qos trust dscp
 spanning-tree portfast
 speed 100
 duplex full

För R1 vill vi endast annonsera 172.16.32.0/24 ner till S1, och 172.16.0.0/16 upp till R2.

interface FastEthernet0/1
 description to S1
 ip address 172.16.11.11 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 GRPM
 ip summary-address eigrp 1 172.16.32.0 255.255.255.0 5
 duplex full
 speed 100
 auto qos voip trust 
 service-policy output AutoQoS-Policy-Trust
 no shutdown

För att filtrera bort alla “Connected”-nät och endast annonsera 172.16.0.0/16 till R2 behöver vi dock använda oss av en distribute-list.

interface Serial0/0/0
 description to R2
 bandwidth 256000
 ip address 172.16.32.1 255.255.255.192
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 GRPM
 auto qos voip trust 
 clock rate 256000
 service-policy output AutoQoS-Policy-Trust
 no shutdown

ip prefix-list INTERNAL-R2 seq 5 permit 172.16.0.0/16

router eigrp 1
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1
 network 172.16.0.0 0.0.255.255
 distribute-list prefix INTERNAL-R2 out Serial0/0/0
 no auto-summary

Samma sak gäller för R3.

interface FastEthernet0/1
 description to S1
 ip address 172.16.33.13 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 GRPM
 ip summary-address eigrp 1 172.16.32.0 255.255.255.0 5
 duplex full
 speed 100
 auto qos voip trust 
 service-policy output AutoQoS-Policy-Trust
 no shutdown

interface Serial0/0/0
 description to R1
 bandwidth 256000
 ip address 172.16.32.66 255.255.255.192
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 GRPM
 auto qos voip trust 
 clock rate 256000
 service-policy output AutoQoS-Policy-Trust
 no shutdown

ip prefix-list INTERNAL-R2 seq 5 permit 172.16.0.0/16

router eigrp 1
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface Serial0/0/0
 no passive-interface Serial0/0/1 
 network 172.16.0.0 0.0.255.255
 distribute-list prefix INTERNAL-R2 out Serial0/0/1
 no auto-summary

Då jag nu precis börjat läsa CCDP denna vecka samtidigt som CCNP-kursen kan vi nog komma tillbaka till den här topologin och införa lite förbättringar senare. 🙂

EIGRP – “Veckans frågor”

I skolan har vi kört igång med CCNP Routing nu så det blir bara lite repetition för mig ett tag framöver. Läser dock CCIE-boken istället men känns ändå inte som det skiljer något speciellt i nivån, iaf på de områden som redan tagits upp i CCNP. Denna vecka var det mjukstart med EIGRP, det ingick även att ta fram lite frågor som vi sedan ställde till en opponerande grupp idag. De vi tog fram var:

Variance

eigrp1-fraga

Rätt svar:

R1’s successor-route till Cloud kommer ha en metric på 22. R2’s AD är också 22 och kvalificeras därför ej som en Feasible Successor. 
För att lastbalansera över R1-R4-R5 behöver vi därför sätta variance till: 103 / 22 = 4,68 = 5.

Tables

Vilka tre tables använder EIGRP och viken är den huvudsakliga informationen i dem?

Rätt svar:

Neighbor Table – Har information om vilka direkt kopplade eigrp-neighbor processen har. Informationen innehåller bl.a. next-hop och utgående interface där grannen finns.
Topology Table – Information om alla routes den lärt sig från neighbors samt som vi själva lagt till
Routing Table – Kräver väl inte direkt någon förklaring, successor (och ev. feasible successors om vi modiferat variance)

Update-packet

Vad innehåller update-paketet för information?

Rätt svar:

Innehåller information om Prefix, Prefix-length, Metric-components, K-Values, Nonmetric Items; MTU och Hop-count.

Har förövrigt bokat in Tshoot & Switch-certning på Onsdag 9/10 så snart ska jag väl förhoppningsvis kunna skriva CCNP på CVet. 🙂

TSHOOT – Part III, Dist-layer

tshoot-distlayer

Tar och bygger vidare på vårat tshoot-nät med Distribution-layer den här gången. Vi behöver bl.a. konfa upp EIGRP<->OSPF & RIP_NG <->OSPFv3 redistrubution.

Men först måste vi givetvis fixa L2/L3-konfig.. Tyvärr är just switch-funktionen i GNS3 väldigt begränsad (använder endast NM-16ESW-kort i 3640s), så våra port-channel nummer kommer inte stämma överens. Det finns inte heller möjlighet att skapa en L3-channel mellan DSW1 & DSW2 så här blir det endast en port som kommer användas.

Basic L3

R4

R4(config)#inte fa0/0
R4(config-if)#ip add 10.1.4.5 255.255.255.252
R4(config-if)#descrip to DSW1
R4(config-if)#no shut
R4(config-if)#ipv6 add 2026::2:1/122
R4(config-if)#inte fa0/1
R4(config-if)#ip add 10.1.4.9 255.255.255.252
R4(config-if)#desc to DSW2
R4(config-if)#no shut

DSW1

DSW1(config)#ip routing
DSW1(config)#ipv6 unicast-routing
DSW1(config)#int fa0/0
DSW1(config-if)#ip add 10.1.4.6 255.255.255.252
DSW1(config-if)#descrip to R4
DSW1(config-if)#no shut
DSW1(config-if)#ipv6 add 2026::2:2/122
DSW1(config)#int range fa1/13 - 14
DSW1(config-if-range)#descrip L3 Etherchannel to DSW2
DSW1(config-if-range)#no switchport
DSW1(config-if-range)#shut
DSW1(config-if-range)#
DSW1(config-if-range)#inte fa1/13
DSW1(config-if)#ip add 10.2.4.13 255.255.255.252
DSW1(config-if)#ipv6 add 2026::3:1/122
DSW1(config-if)#no shut

DSW2

DSW2(config)#ip routing
DSW2(config)#ipv6 uni
DSW2(config)#ipv6 unicast-routing
DSW2(config)#inte fa0/0
DSW2(config-if)#ip add 10.1.4.10 255.255.255.252
DSW2(config-if)#descrip to R4
DSW2(config-if)#no shut
DSW2(config-if)#int range fa1/13 - 14
DSW2(config-if-range)#descrip L3 Etherchannel to DSW1
DSW2(config-if-range)#no switchport
DSW2(config-if-range)#shut
DSW2(config-if-range)#inte fa1/13
DSW2(config-if)#ip add 10.2.4.14 255.255.255.252
DSW2(config-if)#no shut
DSW2(config-if)#ipv6 add 2026::3:2/122
DSW2(config-if)#exit

EIGRP

R4

R4(config)#router eigrp 10
R4(config-router)#no auto
R4(config-router)#no auto-summary
R4(config-router)#passive-
R4(config-router)#passive-interface default
R4(config-router)#no passive
R4(config-router)#no passive-interface fa0/0
R4(config-router)#no passive-interface fa0/1
R4(config-router)#network 10.1.4.4 0.0.0.3
R4(config-router)#network 10.1.4.8 0.0.0.3

DSW1

DSW1(config)#router eigrp 10
DSW1(config-router)#no auto-summary
DSW1(config-router)#passive-interface default
DSW1(config-router)#no passive-interface fa0/0
DSW1(config-router)#no passive-interface fa1/13
DSW1(config-router)#network 10.1.4.4 0.0.0.3
DSW1(config-router)#network 10.2.4.12 0.0.0.3

DSW2

DSW2(config)#router eigrp 10
DSW2(config-router)#no auto-summary
DSW2(config-router)#passive-interface default
DSW2(config-router)#no passive-interface fa0/0
DSW2(config-router)#no passive-interface fa1/13
DSW2(config-router)#network 10.1.4.8 0.0.0.3
DSW2(config-router)#network 10.2.4.12 0.0.0.3

RIPng

R4

R4(config-router)#inte fa0/0
R4(config-if)#ipv6 rip RIP_ZONE enable
R4(config-if)#int fa0/1
R4(config-if)#ipv6 rip RIP_ZONE enable

DSW1

DSW1(config)#inte fa0/0
DSW1(config-if)#ipv6 rip RIP_ZONE enable
DSW1(config)#int fa1/13
DSW1(config-if)#ipv6 rip RIP_ZONE enable

DSW2

DSW2(config)#inte fa0/0
DSW2(config-if)#ipv6 rip RIP_ZONE enable
DSW2(config)#int fa1/13
DSW2(config-if)#ipv6 rip RIP_ZONE enable

Redistribution

Då vi inte har multipoint-redistribution behöver vi inte använda oss av route-maps/tags i det här fallet.

R4(config)#router eigrp 10
R4(config-router)#redistribute ospf 1 metric 1500 1 255 1 1500
R4(config-router)#router ospf 1
R4(config-router)#redistribute eigrp 10 subnets
R4(config)#ipv6 router ospf 6
R4(config-rtr)#redistribute rip RIP_ZONE include-connected metric 20
R4(config)#ipv6 router rip RIP_ZONE
R4(config-rtr)#redistribute ospf 6 metric 5 include-connected

Verifiering

DSW2#sh ipv6 rip database
RIP process "RIP_ZONE", local RIB
 2026::2:0/122, metric 2, installed
 FastEthernet1/13/FE80::CE03:13FF:FE54:F10D, expires in 165 secs
 2026::3:0/122, metric 2
 FastEthernet1/13/FE80::CE03:13FF:FE54:F10D, expires in 165 secs
 2026::34:0/122, metric 7, installed
 FastEthernet1/13/FE80::CE03:13FF:FE54:F10D, expires in 165 secs
 ::/0, metric 7, installed
 FastEthernet1/13/FE80::CE03:13FF:FE54:F10D, expires in 165 secs

Ping till R1 från DSW2

DSW2#ping ipv6 2026::12:1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2026::12:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/160/200 ms
DSW2#ping 10.1.1.1
Translating "10.1.1.1"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/111/192 ms

Vackert!

En trace till webservern fungerar dock ej:

DSW2#traceroute 209.65.200.241 Translating "209.65.200.241"
Type escape sequence to abort.
 Tracing the route to 209.65.200.241
1 10.1.4.9 16 msec 48 msec 48 msec
 2 10.1.1.9 108 msec 48 msec 44 msec
 3 10.1.1.5 40 msec 80 msec 84 msec
 4 10.1.1.1 140 msec 108 msec 156 msec
 5 * * *

Detta beror helt enkelt på att vi inte konfigurerat upp någon NAT ännu i R1 så trafiken hittar inte tillbaka. Det fixar vi imorgon tillsammans med DHCP-tjänsten & access-layer. 🙂

MDH Lab – Switch Case Study

Topologi

lab4-3clean

Objectives

  • Plan and design the International Travel Agency switched network as shown in the diagram and described below.
  • Implement the design on the switches and router.
  • Verify that all configurations are operational and functioning according to the requirements.

Requirements

You will configure a group of switches and a router for the International Travel Agency. The network includes two distribution switches, S1 and S3, and two one access layer switches, S2. External router R3 and S1 provide inter-VLAN routing. Design the addressing scheme using the address space 172.16.0.0/16 range. You can subnet it any way you want, although it is recommended to use /24 subnets for simplicity.

  1. Place all switches in the VTP domain CISCO. Make S1 the VTP server and all other switches VTP clients.
  2. On S1, create the VLANs shown in the VLAN table and assign the names given. For subnet planning, allocate a subnet for each VLAN.
  3. Configure S1 as the primary spanning-tree root bridge for all VLANs. Configure S3 as the backup root bridge for all VLANs.
  4. Configure Fa0/4 between S1 and S3 as a Layer 3 link and assign a subnet to it.
  5. Create a loopback interface on S1 and assign a subnet to it.
  6. Configure the Fa0/3 link between S1 and S3 as an ISL trunk.
  7. Statically configure all inter-switch links as trunks.
  8. Configure all other trunk links using 802.1Q.
  9. Bind together the links from S1 & S3 to the access-switch together in an EtherChannel.
  10. Enable PortFast on all access ports.
  11. On S2, place Fa0/15 through Fa0/17 in VLAN 10. Place Fa0/19 and Fa0/25 in VLAN 20. Place Fa0/21-22 in VLAN 30.
  12. Create an 802.1Q trunk link between R3 and S3. Only VLANs 10 and 40 to pass through the trunk.
  13. Configure R2 subinterfaces for VLANs 10 and 40.
  14. Create an SVI on S1 in VLANs 20, 30, and 40. Create an SVI on S3 in VLAN 10 and 30, an SVI on S2 in VLAN 40.
  15.  Enable IP routing on S1 and S3. On R2 and S1, configure EIGRP for the whole major network (172.16.0.0/16) and disable automatic summarization.

VLANs:

  • Vlan 10 – Red
  • Vlan 20 – Blue
  • Vlan 30 – Orange
  • Vlan 40 – Green

Genomförande

Subnetting

Jag har som synes redan lagt in den subnetting jag gjorde i topologin men såhär ser den ut iaf: 172.16.0.0/16

Vlan 10 - Red 172.16.10.0/24
 Vlan 20 - Blue 172.16.20.0/24
 Vlan 30 - Orange 172.16.30.0/24
 Vlan 40 - Green 172.16.40.0/24

S1

Lo0 - 172.16.1.1/24
Vlan 20 - 172.16.20.1/24
Vlan 30 - 172.16.30.1/24
Vlan 40 - 172.16.40.1/24
S1-S3 Link - 172.16.13.1/24

S3

Vlan 10 - 172.16.10.3/24
S1-S3 Link - 172.16.13.3/24

S2

Vlan 40 - 172.16.40.2/24

R3

Vlan 40 - 172.16.40.200/24
Vlan 10 - 172.16.10.200/24

Med den information vi fått ovan kan vi uppdatera vår topologi lite:

Basic L2-konfig

S1 – Kom ihåg att S1 även ska vara Root-bridge för samtliga VLAN & VTP-server

Switch(config)#hostname S1
 S1(config)#line con 0
 S1(config-line)#logging sync
 S1(config-line)#!Trunk-links till S2
 S1(config-line)#int range fa0/1 - 2
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S1(config-if-range)#!L3-link till S3
 S1(config-if-range)#inte fa0/4
 % Command exited out of interface range and its sub-modes.
 Not executing the command for second and later interfaces
 S1(config-if)#no switchport
 S1(config-if)#ip add 172.16.13.1 255.255.255.0
 S1(config-if)#description to S3 L3-port
 S1(config-if)#!ISL-trunk till S3
 S1(config-if)#int fa0/3
 S1(config-if)#switchport trunk encapsulation isl
 S1(config-if)#switchport mode trunk
 S1(config-if)#description Trunklink to S3
 S1(config-if)#!VTP
 S1(config-if)#exit
 S1(config)#vtp mode server
 Device mode already VTP SERVER.
 S1(config)#vtp domain CISCO
 Changing VTP domain name from NULL to CISCO
 S1(config)#
 *Mar 1 00:14:20.226: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CISCO.
 S1(config)#!VLANs
 S1(config)#vlan 10
 S1(config-vlan)#name Red
 S1(config-vlan)#vlan 20
 S1(config-vlan)#name Blue
 S1(config-vlan)#vlan 30
 S1(config-vlan)#name Orange
 S1(config-vlan)#vlan 40
 S1(config-vlan)#name Green
 S1(config-vlan)#exit
 S1(config)#spanning-tree vlan 1,10,20,30,40 root primary

S3 – Ska även vara Secondary Root-bridge för samtliga vlan

Switch(config)#hostname S3
 S3(config)#line con 0
 S3(config-line)#logging sync
 S3(config-line)#!Trunk-links till S2
 S3(config-line)#int range fa0/1 - 2
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S3(config-if-range)#
 S3(config-if-range)#description to S2
 S3(config-if-range)#inte fa0/3
 % Command exited out of interface range and its sub-modes.
 Not executing the command for second and later interfaces
 S3(config-if)#!ISL-trunk till S1
 S3(config-if)#switchport trunk encaps ISL
 S3(config-if)#switchport mode trunk
 S3(config-if)#description ISL-trunk to S1
 S3(config-if)#!L3-port till S1
 S3(config-if)#int fa0/4
 S3(config-if)#no switchport
 S3(config-if)#ip add 172.16.13.3 255.255.255.0
 S3(config-if)#description L3-link to S1
 S3(config-if)#exit
 S3(config)#vtp mode client
 Setting device to VTP CLIENT mode.
 S3(config)#vtp domain CISCO
 Domain name already set to CISCO.
 S3(config)#spanning-tree vlan 1,10,20,30,40 root secondary

S2

Switch(config)#hostname S2
 S2(config)#line con 0
 S2(config-line)#logging sync
 S2(config-line)#!Etherchannels till S1 & S3
 S2(config-line)#inte range fa0/1 - 2
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S1
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 1 mode passive
 Creating a port-channel interface Port-channel 1
S2(config-if-range)#int range fa0/3 - 4
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S3
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S2(config-if-range)#exit
 S2(config)#!VTP
 S2(config)#vtp mode client
 Setting device to VTP CLIENT mode.
 S2(config)#vtp domain CISCO
 Domain name already set to CISCO.
S2(config)#!Host-interface
 S2(config)#int range fa0/15 - 17
 S2(config-if-range)#switchport mode access
 S2(config-if-range)#switchport access vlan 10
 S2(config-if-range)#spanning-tree portfast
 S2(config-if-range)#int range fa0/19 - 20
 S2(config-if-range)#switchport mode access
 S2(config-if-range)#switchport access vlan 20
 S2(config-if-range)#spanning-tree portfast
 S2(config-if-range)#int range fa0/21-22
 S2(config-if-range)#switchport mode access
 S2(config-if-range)#switchport access vlan 30
 S2(config-if-range)#spanning-tree portfast
 S2(config-if-range)end

L3-Konfig

S1 – Kom ihåg att aktivera routing innan vi lägger in EIGRP-konfig

S1(config)#int lo0
 S1(config-if)#ip add 172.16.1.1 255.255.255.0
 S1(config-if)#!SVIs for VLANs
 S1(config-if)#int vlan 20
 S1(config-if)#ip add 172.16.20.1 255.255.255.0
 S1(config-if)#description Red
 S1(config-if)#int vlan 30
 S1(config-if)#ip add 172.16.30.1 255.255.255.0
 S1(config-if)#description Blue
 S1(config-if)#int vlan 40
 S1(config-if)#ip add 172.16.40.1 255.255.255.0
 S1(config-if)#description Green
 S1(config-if)#exit
 S1(config)#ip routing
 S1(config)#router eigrp 1
 S1(config-router)#network 172.16.0.0
 S1(config-router)#no auto
 S1(config-router)#no auto-summary

S3

S3(config)#int vlan 10
 S3(config-if)#ip add 172.16.10.3 255.255.255.0
 S3(config-if)#description Red
 S3(config-if)#int vlan 30
 S3(config-if)#ip add 172.16.30.3 255.255.255.0
 S3(config-if)#description Orange
 S3(config-if)#exit
 S3(config)#ip routing
S3(config-if)#!trunk to R3
S3(config-if)#int fa0/5
S3(config-if)#description trunk to R3
S3(config-if)#switchport mode trunk
S3(config-if)#switchport trunk allowed vlan 10,40

S2

S2(config)#int vlan 40 
S2(config-if)#ip add 172.16.40.2 255.255.255.0 
S2(config-if)#description Green

Då var all switch-konfig klar, endast routern kvar.. R3

Router(config)#hostname R3
 R3(config)#inte fa0/1
 R3(config-if)#description to S3-trunklink
 R3(config-if)#no shut
 R3(config-if)#inte fa0/1.10
 R3(config-subif)#encapsulation dot1q 10
 R3(config-subif)#ip add 172.16.10.200 255.255.255.0
 R3(config-subif)#inte fa0/1.40
 R3(config-subif)#encapsulation dot1q 40
 R3(config-subif)#ip add 172.16.40.200 255.255.255.0
 R3(config-subif)#exit
R3(config)#router eigrp 1
 R3(config-router)#network 172.16.0.0
 R3(config-router)#no auto-summary
 R3(config-router)#end

Verifiering – L3

S1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 6 subnets
C 172.16.40.0 is directly connected, Vlan40
C 172.16.30.0 is directly connected, Vlan30
C 172.16.20.0 is directly connected, Vlan20
C 172.16.13.0 is directly connected, FastEthernet0/4
D 172.16.10.0 [90/28416] via 172.16.40.200, 00:01:51, Vlan40
C 172.16.1.0 is directly connected, Loopback0
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 6 subnets
C 172.16.40.0 is directly connected, FastEthernet0/1.40
D 172.16.30.0 [90/28416] via 172.16.40.1, 00:02:35, FastEthernet0/1.40
D 172.16.20.0 [90/28416] via 172.16.40.1, 00:02:35, FastEthernet0/1.40
D 172.16.13.0 [90/30720] via 172.16.40.1, 00:02:35, FastEthernet0/1.40
C 172.16.10.0 is directly connected, FastEthernet0/1.10
D 172.16.1.0 [90/156160] via 172.16.40.1, 00:02:35, FastEthernet0/1.40
S1#ping 172.16.40.200
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
S1#ping 172.16.10.200
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
S1#ping 172.16.40.2
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
R3#ping 172.16.40.2
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Verifiering L2

S3#sh interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/3 on isl trunking 1
Fa0/5 on 802.1q trunking 1
Po1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/3 1-4094
Fa0/5 10,40
Po1 1-4094
S1#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN0010, VLAN0020, VLAN0030, VLAN0040
S2#sh etherchannel summary
Flags: D - down P - bundled in port-channel
 I - stand-alone s - suspended
 H - Hot-standby (LACP only)
 R - Layer3 S - Layer2
 U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
 u - unsuitable for bundling
 w - waiting to be aggregated
 d - default port

Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/1(P) Fa0/2(P) 
2 Po2(SU) LACP Fa0/3(P) Fa0/4(P)

Härligt! Stötte på lite problem under labben då det visade sig att interfacet jag tänkte använda mellan Switch & Router inte var directly connected. Det var inga problem att sätta upp trunkingen etc men trafiken fastnade i någon dold switch eller dylikt. Från början var det tänkt att Routern skulle vara ansluten till S2 men det fanns tyvärr inget interface att använda där som fungerade. Fick istället göra om ritningen lite och använda länken mellan R3-S3 men det fungerade ju precis lika bra efter lite mindre modifieringar. 🙂 Kul labb!

IPv6 – EIGRP

Detta blir ett kort inlägg om EIGRP för att ta upp de skillnader som finns i implementering av EIGRP under IPv6 till skillnad mot IPv4. Se tidigare inlägg för information om mer grundläggande saker som Query-packets, Successor/Feasible successor, Stuck in Active etc.

  • Aktiveras per interface istället för via network-statements (ipv6 eigrp n)
  • Vi måste konfigurera ett router-id under eigrp-processen
  • EIGRP-processen är per default i shutdown, aktiveras genom “no shutdown” under ipv6 router eigrp n
  • Kräver IOS >=12.4.(6)T
  • Split-Horizon inaktiverat då vi kan ha flera ip-adresser per interface
  • Ingen klassfull routing eller auto-summering
  • Använder multicast-adressen FF02::A (L2 dst-adr 33:33:00:00:00:0A)

Vi konfar upp EIGRP-IPV6 enligt följande:

R1(config)#inte fa0/1
R1(config-if)#ipv6 eigrp 10 
R1(config-if)#ipv6 router eigrp 10
R1(config-rtr)#router-id 10.10.10.10
R1(config-rtr)#no shutdown
*Mar 1 00:14:58.123: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::2 (FastEthernet0/1) is up: new adjacency

Vi kan verifiera att allt är ok via:

R1#show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "static"
IPv6 Routing Protocol is "eigrp 10"
 EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
 EIGRP maximum hopcount 100
 EIGRP maximum metric variance 1
 Interfaces:
 FastEthernet0/1
 Redistribution:
 None
 Maximum path: 16
 Distance: internal 90 external 170
R1#show ipv6 eigrp neighbors 
IPv6-EIGRP neighbors for process 10
H Address Interface Hold Uptime SRTT RTO Q Seq
 (sec) (ms) Cnt Num
0 Link-local address: Fa0/1 11 00:24:58 1291 5000 0 3
 FE80::2
R1#show ipv6 eigrp topology 
IPv6-EIGRP Topology Table for AS(10)/ID(10.10.10.10)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
 r - reply Status, s - sia Status
P 2001:DB8:6783::/64, 1 successors, FD is 281600
 via Connected, FastEthernet0/1
R1#show ipv6 eigrp traffic 
IPv6-EIGRP Traffic Statistics for AS 10
 Hellos sent/received: 332/332
 Updates sent/received: 4/5
 Queries sent/received: 0/0
 Replies sent/received: 0/0
 Acks sent/received: 3/2
 SIA-Queries sent/received: 0/0
 SIA-Replies sent/received: 0/0
 Hello Process ID: 230
 PDM Process ID: 194
 IPv6 Socket queue: 0/50/1/0 (current/max/highest/drops)
 Eigrp input queue: 0/2000/1/0 (current/max/highest/drops)

Debug från skapande av adjacency (debug ipv6 eigrp):

*Mar 1 00:40:48.855: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::2 (FastEthernet0/1) is up: new adjacency
*Mar 1 00:40:48.871: IPv6-EIGRP(0:10): 2001:DB8:6783::/64 - do advertise out FastEthernet0/1
*Mar 1 00:40:48.875: IPv6-EIGRP(0:10): Int 2001:DB8:6783::/64 metric 281600 - 256000 25600
*Mar 1 00:40:48.967: IPv6-EIGRP(0:10): Processing incoming UPDATE packet
*Mar 1 00:40:50.919: IPv6-EIGRP(0:10): 2001:DB8:6783::/64 - do advertise out FastEthernet0/1
*Mar 1 00:40:50.927: IPv6-EIGRP(0:10): Int 2001:DB8:6783::/64 metric 281600 - 256000 25600
*Mar 1 00:40:50.931: IPv6-EIGRP(0:10): Processing incoming UPDATE packet
*Mar 1 00:40:50.931: IPv6-EIGRP(0:10): Int 2001:DB8:6783::/64 M 307200 - 256000 51200 SM 281600 - 256000 25600
*Mar 1 00:40:50.935: IPv6-EIGRP(0:10): 2001:DB8:6783::/64 routing table not updated

Om vi vill summera ett nät använder vi kommandot:

R1(config-if)#ipv6 summary-address eigrp 10 2001:DB8:6783::/32
R2#sh ipv6 route eigrp
 IPv6 Routing Table - 18 entries
 Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
 U - Per-user Static route, M - MIPv6
 I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
 O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
 D - EIGRP, EX - EIGRP external
D 2001:DB8::/32 [90/307200]
 via FE80::1, FastEthernet0/1

En debug visar följande, observera att vi precis som i IPv4 river adjacency och inte bara skickar ett nytt Update-packet:

*Mar 1 00:43:32.199: IPv6-EIGRP(0:10): 2001:DB8::/32 (5/281600) added to RIB
 *Mar 1 00:43:32.199: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::2 (FastEthernet0/1) is down: summary configured
 *Mar 1 00:43:34.299: %DUAL-5-NBRCHANGE: IPv6-EIGRP(0) 10: Neighbor FE80::2 (FastEthernet0/1) is up: new adjacency
 *Mar 1 00:43:34.315: IPv6-EIGRP(0:10): 2001:DB8:6783::/64 - don't advertise out FastEthernet0/1
 *Mar 1 00:43:34.319: IPv6-EIGRP(0:10): 2001:DB8::/32 - do advertise out FastEthernet0/1
 *Mar 1 00:43:34.319: IPv6-EIGRP(0:10): Int 2001:DB8::/32 metric 281600 - 256000 25600
 *Mar 1 00:43:34.379: IPv6-EIGRP(0:10): Processing incoming UPDATE packet

Det finns inte så mycket mer att ta upp faktiskt, det mesta är sig likt från IPv4. Next up, BGP! 🙂