Basic OSPF configuration over Frame Relay

Hi all,

I wanted to try to configure OSPF over a Frame Relay netowrk. Let's see how to  do it. For our lab we are considering the  following topology:

To start with we are only  use routers R2, R5 and R4. We are going to use a hub and spoke topology, where R4 is going to be the hub and R2 and R5 spokes.


Frame-Relay Configuration

Let's start with the Frame-Relay configuration on the Routers:

R2#interface Serial0/0 ip address 10.2.1.200 255.255.255.0 encapsulation frame-relay serial restart-delay 0 frame-relay interface-dlci 102

For the Hub router it is used mulitpoint subinterfaces which results in this configuration:

hostname(config)# R4#interface Serial0/0 no ip address encapsulation frame-relay serial restart-delay 0 ! interface Serial0/0.201 multipoint ip address 10.2.1.1 255.255.255.0 frame-relay interface-dlci 201 ! interface Serial0/0.204 multipoint ip address 10.4.1.1 255.255.255.0 frame-relay interface-dlci 204

We can now verify the frame-relay map is up and we can ping from one router to another. As a example, dynamic map is established in router R4:

  The ping from R5 reaches R4 correctly.

OSPF Neighbor Configuration

Once the frame relay netwok is configured and connectivity is verified, it's time to configure ospf. We are just going to make a very easy configuration:

R2#sh run | sec router router ospf 1 log-adjacency-changes network 10.2.1.0 0.0.0.255 area 0

R4#sh run | sec router router ospf 1 log-adjacency-changes network 10.2.1.0 0.0.0.255 area 0 network 10.4.1.0 0.0.0.255 area 1

After configuring the ospf routing process in both routes we should expect they become neighbors. Unfortunately nothing happens. We can find the reason why with the show ip ospf interface serial0/0 command.

 


 The network type is NON_BROADCAST, so no broadcast and mulitcast packets are allowed the interface. For the adjancecy to be form between the 2 routes, one of router needs to send a mulitcast hello packet to the ip 224.0.0.5.

To change that behavior we make use of the ip ospf network broadcast interface command.

R2#sh run | sec interface interface Serial0/0 ip address 10.2.1.200 255.255.255.0 encapsulation frame-relay ip ospf network broadcast serial restart-delay 0 frame-relay interface-dlci 102

Alternatively because we were talking of a non-broadcast network, we could use configure the neighbors manually so we would no need multicast packets to form the adjacency.

Once modified the network type, we can see the packets coming out the interface:

*Mar 1 03:11:35.943: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0 from 10.2.1.200 *Mar 1 03:11:45.947: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0 from 10.2.1.200

Although now packets are now being sent, we are still not having the full adjacency. Debugging ospf we should us the reason:

*Mar 1 05:16:32.574: OSPF: Rcv hello from 10.2.1.200 area 0 from Serial0/0.201 10.2.1.200 *Mar 1 05:16:32.578: OSPF: Mismatched hello parameters from 10.2.1.200 *Mar 1 05:16:32.582: OSPF: Dead R 40 C 120, Hello R 10 C 30 Mask R 255.255.255.0 C 255.255.255.0

The hello parameters mismatches because we changes the network type in one router but we forgot to do it in the other one. If we changed in the other router to broadcast, the hello parameters we will be the same

*Mar 1 06:39:52.870: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.1.200 on Serial0/0.201 from LOADING to FULL, Loading Done

Another option is to change manually the hello timers using the commands ip ospf hello-interval and ip ospf dead-interval.

Frame Relay Questions

I have compiled as set of questions about Frame relay, this is my small quiz about the Frame-Relay technology:

1. How can you disable LMI? What are the results?

Disabling LMI makes inARP no longer works (because nothing triggers a router to send an inARP message.

no keepalive

2. How can you reset inARP entries?

Two ways. First one, shutdown the interface and second one, it’s to use  the command:

clear frame-relay inARP

3. Which command will you use to verify frame-relay maps?

show frame-relay map

4. Scenario: We have two routers connected to a Frame Relay Network. R1 is using a point-to-point configuration while R2 is using a multipoint interface with a dynamic map. Once the VC is up, we try to disable the inARP on R1. What will happen?

You cannot disable inARP in a point-to-point interface.

5. How can you  check LMI type?

There are 3 LMI types which are:

• cisco: Allowed dlci range: 16-1007 (cisco propietary)
• ansi:  allowed dlci range: 16-991
• itu: allowed dlci range: 16-991

The commands to verify the LMI type are:

    show interface x/x/x

    show frame lmi

6. Which command will use to modify the lmi type?

    frame-relay lmi-type type

7. Which to commands can you use for Mapping DLCI to L3 addresses?

    frame-relay map

    frame-relay interface-dlci

8. What types of frame relay encapsulation are and how can you configure it?

• ietf
• cisco

    encapsulation frame-relay ietf

    frame-relay interface-dlci ietf

    frame-relay map dlci ietf

The default encapsulation type is cisco.

9. What is the broadcast keyword use for?

The broadcast keyword tells the router to send copies of broadcast and multicast packets over a specific DLCI.

Without the broadcast option, dynamic routing protocols such as EIGRP, OSPF and RIPv2 would not be able to advertise multicast route updates over the DLCI.

10. Is it possible to ping your own ip on a multipoint frame-relay?

By default, you are not able to ping your own ip.  To be able, you need to configure a  static map for  your own IP address to use the local DLCI.

This is because Frame Relay multipoint interfaces are non-broadcast, (unlike Ethernet and point-to-point interfaces High-Level Data Link Control [HDLC]), and Frame Relay point-to-point subinterfaces.

NAT configuration in Cisco ASA 8.4

NAT in Cisco ASA 8.3 and 8.4

With Cisco ASA version 8.3, cisco has changed completelythe way NAT was working .
Let's try to sum up the changes and how NAT  is working since version 8.3.

Nat-control feature 

Nat-control has been deprecated since version 8.3 That means, that it is not necessary to NAT traffic from one interface to another, that is, from now on, all traffic will allowing without the need of nat rules (if access list allow the traffic of course)

Nat types

Other old commands in 8.2 and earlier versions are also deprecated, that includes global, static, alias.

In this new version, the NAT types are:

•  Static NAT
• Dynamic NAT
• Dynamic Port Address Translation (PAT)
• Identity NAT

Static NAT:  A mapping between a real and a mapped IP address.
Dynamic NAT A group of real IP addresses mapped to a group of mapped IP addresses.
Dynamic Port Address Translation (PAT)—A group of real IP addresses are mapped to a single IP address.
Identity NAT  A real address is statically transalted to itself, essentially bypassing NAT (nat 0 in ealier versions)

Implementing NAT rules

Depending the way with implement the NAT rules we find the following distiction: 

• Network Object NATs
• Twice NAT

Network Object NATs

It compress all NAT rules that use an object network to configured them.

An example of a static NAT using object network is (instead of the static command used in version 8.2)

hostname(config)# object network nat_object_1 hostname(config-network-object)# host 192.168.10.1 hostname(config-network-object)# nat (inside,outside) static 192.168.20.2

Twice NAT

Twice NAT lets you identify both the source and destination address in a single rule. In a way, it  is the analog for using access-list in nat or static rules in version 8.2 and earlier.

As a prerequisite, it is necessary to configure network objects or network object groups for the real and the map addresses. 

object-group network object_nat_1 network-object 192.168.100.0 255.255.255.0 network-object 192.168.200.0 255.255.255.0 object network object_nat_2 subnet 172.16.10.0 255.255.255.0 nat (inside,outside) source static object_nat_1 object_nat_1 destination static object_nat_2 object_nat_2

It is case, we have defined a static nat and there is no  translation for the source network address neither the destination (in case we would like to translate the source address or the destination address we would modify the second term in the source or destination accordingly).

Order of NAT rules

•Section 1 (twice NAT rules)—These rules are assessed based on the order they appear in the configuration.

•Section 2 (network object NAT  rules)

•Section 3 (twice NAT rules that you specifically want to be evaluated after the network object NAT rules).  You will need to introduce the after-auto command for that purpose. As an example:

nat (inside,outside) after-auto source dynamic object_nat_1 interface

To verify the order NAT rules are applied just type show nat and the firewall will show you the different NAT translations for the different sections.

Juniper Routers with Qemu

Lately, I've been dealing trying to run Junipers routers in my laptop. After some attempts I could final sort out.

All the information to make it I got it from these posts:

http://blog.gns3.net/2009/10/olive-juniper/

http://brezular.wordpress.com/2012/07/03/installing-olive-12-1r1-9-under-qemu/

In my case I am running and Ubuntu 12.04.1 LTS.

1. Qemu installation

First of all, the following dependencies must be installed prior the qemu package:

libncurses5-dev
zlib1g-dev
libsdl-dev
libpcap-dev

Second, get the qemu package and the olive patch.. For instance, you can download it from here:

http://mirrors.fe.up.pt/pub/nongnu//qemu/qemu-0.11.0.tar.gz

http://ignum.dl.sourceforge.net/project/gns-3/Qemu/qemu-0.11.0-olive.patch4

I used the same version recommended in the gns3 blog. I would like to play with newer versions of qemu when I have a bit more time.

and install it in your computer:

tar xvzf qemu-0.11.0.tar.gz
cd qemu-0.11.0
patch -p1 -i qemu-0.11.0-olive.patch
./configure --target-list=i386-softmmu
make
sudo make install

2. Freebsd installation

To create a new virtual machine in qemu type the following command:

qemu-img create -f qcow2 olive-base.img 4GB

And launch the installation thourgh:

qemu -m 512 -hda olive-base.img -cdrom ./4.11-RELEASE-i386-miniinst.iso -enable-kvm

It begins the FreeBSD installation. Choose the following options:

- Skip kernel configuration
- Standard Installation
- In FDISK Partition Editor, press A to allocate the entire disk for FreeBSD and then Q to confirm.
- Install a Standard MBR and create the following partitions:

     ad0s1a / 1024M
     ad0s1b swap 1024M
     ad0s1e /config 12M
     ad0s1f /var rest

-  “User” distribution type and answer no for the question “Would you like to install the FreeBSD ports collection?”.
- install from a FreeBSD CD/DVD
- Once the files are copied, the installer program will ask you many user confirmation questions. Answer no to all of them.

3. Junos installation

For getting Junos running you will have to get a copy of a junos olive image. Once you have it, you can proceeed as it follows:

qemu-system-i386 -m 1024M -boot c -net nic,macaddr=00:aa:00:60:01:01,model=e1000 -hda olive-base3.img -enable-kvm -net user -serial telnet:0.0.0.0:3000,server
QEMU waiting for connection on: telnet:0.0.0.0:3000,server

Check you get an IP address by dhcp:

dhclient em0
netstat -r
ping 10.0.2.2

Copy the olive image from your pc to the freebsd virtual mahchine:

scp user@10.0.2.2:~/Desktop/jinstall-8.5R1.14-domestic-signed.tgz /var/tmp

mkdir ./jinst-signed
cd jinst-signed
tar zxvf ../jinstall-8.5R1.14-domestic-signed.tgz

Remove or rename the sig and md5 files:

rm *.sig *.sha1 *.md5

mkdir ./jinst
cd jinst
tar zxvf ../jinstall-8.5R1.14-domestic.tgz


mkdir ./pkgtools
cd pkgtools
tar zxvf ../pkgtools.tgz
cd ./bin
cp /hvar7tmp/true ./checkpic
cd ..

tar zcvf ../pkgtools.tgz *
cd ..
rm -rf pkgtools

tar zcfv /var/tmp/jinstall-8.5R1.14-domestic-olive.tgz *

And finally install the junos package with the following command:

pkg_add -f /var/tmp/jinstall-8.5R1.14-domestic-olive.tgz

Once the installation is finished the system will reboot.

4. Running the router

Create a new image off of your base image. You can repeat it for all your routers you want to emulate:

qemu-img create -b olive-base.img -f qcow2 R1.img

qemu R1.img -m 96 -nographic -daemonize -serial telnet::2001,server,nowait \ -localtime -net nic,vlan=1,macaddr=00:aa:00:60:01:01,model=e1000 \ -net udp,vlan=10,sport=10000,dport=10001,daddr=127.0.0.1

For a second router, we repeat the same commands

qemu R2.img -m 96 -nographic -daemonize -serial telnet::2002,server,nowait \ -localtime -net nic,vlan=10,macaddr=00:aa:00:60:11:02,model=e1000 -net udp,vlan=10,sport=10001,dport=10000,daddr=127.0.0.1

Once the routers runnig you can configure an interface on both in the same network and test that ping works correctly!!

sysopt connection permit-vpn

When creating VPNs in Cisco ASA Firewall a very important configuration to be in mind it's the sysopt connection permit-vpn.

When enabled the commands allow packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. In other works, the traffic will bypasss the access lists configured in the interfaces, so it will be no necessary to explicitly allow the traffic.

To verify if it is enable you have to perform the show run all sysopt command:

ASA# show running-config all sysopt no sysopt connection timewait sysopt connection tcpmss 1380 sysopt connection tcpmss minimum 0 no sysopt nodnsalias inbound no sysopt nodnsalias outbound no sysopt radius ignore-secret sysopt connection permit-vpn

In case you want to filter the traffic encapsulated, you have to use the vpn-filter command in the group policy attributes and applied to the tunnel-group associated with the VPN you are configuring:

access-list 100 extended deny tcp any host 10.10.1.10 eq 80 access-list 100 extended permit ip any any group-policy CustomerA internal group-policy CustomerA attributes vpn-filter value 100 tunnel-group 172.16.1.1 general-attributes default-group-policy CustomerA

New Year Proposition

Happy new year 2013,

My proposition for this new year 2013, it's to keep the roadmap for the CCIE R&S. I know it is going to be a long way so I am going to take my time.

First goal, it is the CCIE R&S Written. I hope to achieve it by June or July.

Right now I am reading some stuff, several books, and doing some labs in GNS3 to check what I am reading until now. Not just focus on the Written but also keeping an eye in the lab exam.

In the meantime, I Would also like to spend some more time to Juniper stuff.

See you soon!