CCIE Pursuit Blog

August 17, 2008

Lab Tip: IPv6 EUI-64 Unexpected (For Me) Behavior

I ran across an unexpected behavior with IPv6 EUI-64 addressing today.  I had configured an interface with EUI-64 addressing.  Knowing that I would need to run OSPFv3 over this Frame Relay interface, I followed my normal procedure of creating a simplified link-local address.  To my surprise, this link-local address changed my EUI-64 address:

interface Serial0/0
 ipv6 address 2001:CC1E:1:1515::/64 eui-64
 ipv6 address FE80::1 link-local

r1(config-if)#do sh ipv int br | sec l0/0
Serial0/0                  [up/up]
    FE80::1
    2001:CC1E:1:1515::1

For some reason the EUI-64 part of the IPv6 address was replaced with the host address of the link-local address.

Let’s recreate the scenario by stripping off the IPv6 addressing:

r1(config-if)#int s0/0
r1(config-if)#no ipv6 address 2001:CC1E:1:1515::/64 eui-64
r1(config-if)#no ipv6 address FE80::1 link-local

r1(config-if)#do sh run int s0/0 | i l0/0|ipv
interface Serial0/0

r1(config-if)#do sh ipv int br | sec l0/0
Serial0/0                  [up/up]
    unassigned

Now configure the EUI-64 address:

r1(config-if)#int s0/0
r1(config-if)#ipv6 address 2001:CC1E:1:1515::/64 eui-64

r1(config-if)#do sh ipv int br | sec l0/0
Serial0/0                  [up/up]
    FE80::211:93FF:FEB0:7640
    2001:CC1E:1:1515:211:93FF:FEB0:7640

Now create add a link-local address:

r1(config-if)#int s0/0
r1(config-if)#ipv add FE80::1 link-local

r1(config-if)#do sh ipv int br | sec l0/0
Serial0/0                  [up/up]
    FE80::1
    2001:CC1E:1:1515::1

It’s good to know about this behavior in case you get a task that asks you to use an EUI-64 address.  Depending on the grading method, you could lose points for this.

Internetwork Expert Volume II: Lab 8 – Section 9

Section 9 – IP Services – 8 Points

9.1 Default Gateways

Users in VLAN 26 have their default-gateway set to their own IP address instead of r6’s address.  Configure r2 and r6 to support them.

WTF?  No clue.

The answer: turn off proxy-arp on those segments.

UPDATE:

It turns out that I read the question wrong. The requirement is:

“Configure r2 and r6 not [sic] support these users.”

It make sense to disable proxy-arp so as NOT to support these users.  The users are set up to ARP for everything.  Proxy-ARP is enabled by default so r2 and r6 will respond to ARPs with their own MAC address if they have a route for the address that the users ARP for. By disabling proxy-arp, the routers will not respond to those ARP requests.

9.2 Web Caching

Configure WCCP for users in VLAN 4.  The web servers are out the Frame link.

“Configure r4 to support this setup, but don not attempt to cache HTTP traffic between VLANs 4 and 45.”

How to Configure WCCP

r4(config)#int fa0/0
r4(config-if)#ip wccp web-cache redirect in
r4(config-if)#int s0/0
r4(config-if)#ip wccp web-cache redirect out

r4(config)#ip wccp ?
  <0-254>             Dynamically defined service identifier number
  check               Enable a WCCP check
  outbound-acl-check  Enable acl check on original outbound interface
  version             protocol version
  web-cache           Standard web caching service

r4(config)#ip wccp web-cache ?
  group-address  Set the multicast group
  group-list     Set the access-list used to permit group membership

  password       Authentication password (key)
  redirect-list  Set the access-list used to permit redirection
  <cr>

The three options that stand out as possibly being useful for the last requirement are the outbound-acl-check, the group-list, and the redirect-list.

I peeked the solution guide. 

Huh?

IE just enabled WCCP globally and then set s0/0 to redirect out???  Does that last requirement mean ALL HTTP request on VLANs 4 and 45 or just the traffic between those two VLANs (as I understood it)?

I get it now.  There are only two egress point for traffic from VLAN 4 or 45.  They can either egress the other VLAN or out the Frame link.  So IE’s solution makes sense.

9.3 IP SLA

This is a basic IP SLA task in which you must set up IP SLA on r6 to ping 115.0.0.1 every 30 seconds with 1250 byte packets and a timeout of 25ms.

I kept getting failures:

r6#sh ip sla mo stat
Round trip time (RTT)   Index 1
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *05:04:09.895 UTC Mon Mar 18 2002
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 4
 
Operation time to live: 3503 sec

The reason was simple.  My packets were not fast enough.  :-)

r6#p 115.0.0.1 si 1250

Type escape sequence to abort.
Sending 5, 1250-byte ICMP Echos to 115.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

9.4 Gateway Redundancy

You need to use the SLA monitor in the last task with HSRP.  R6 should be VLAN 26’s default gateway but only if the SLA monitor is successful, otherwise they should use r2.

r6(config)#track 1 rtr 1

r6(config-track)#int f0/1.26
r6(config-subif)#stand 1 track 1decre 20
r6(config-subif)#stand 1 ip 174.1.26.1
r6(config-subif)#stand 1 preempt

r2(config)#int g0/0.26
r2(config-subif)#stand 1 ip 174.1.26.1
r2(config-subif)#stand 1 preempt
r2(config-subif)#stand 1 prio 90

Since my SLA monitor is failing, r2 should be active and r6 should have a priority of 80:

r2#sh stand
GigabitEthernet0/0.26 – Group 1
  State is Active
    1 state change, last state change 00:01:12
  Virtual IP address is 174.1.26.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.556 secs
  Preemption enabled
  Active router is local
  Standby router is 174.1.26.6, priority 80 (expires in 7.556 sec)
  Priority 90 (configured 90)
  IP redundancy name is “hsrp-Gi0/0.26-1″ (default)

r6#sh stand
FastEthernet0/1.26 – Group 1
  State is Standby
    4 state changes, last state change 00:01:22
  Virtual IP address is 174.1.26.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.232 secs
  Preemption enabled
  Active router is 174.1.26.2, priority 90 (expires in 7.232 sec)
  Standby router is local
  Priority 80 (default 100)
    Track object 1 state Down decrement 20
  IP redundancy name is “hsrp-Fa0/1.26-1″ (default)

Just to see if it will come up I deleted the SLA monitor and re-added it with a timeout and threshold of 50ms:

no ip sla monitor 1
ip sla monitor 1
type echo protocol ipIcmpEcho 115.0.0.1
request-data-size 1250
timeout 50
threshold 50
freq 5

ip sla monitor schedule 1 start-time now

r6#sh ip sla monitor stat
Round trip time (RTT)   Index 1
        Latest RTT: 28 ms
Latest operation start time: *05:14:18.275 UTC Mon Mar 18 2002
Latest operation return code: OK
Number of successes: 12 
Number of failures: 0

Operation time to live: 3543 sec

r6#sh stand
FastEthernet0/1.26 – Group 1
  State is Active
    8 state changes, last state change 00:01:09
  Virtual IP address is 174.1.26.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.296 secs
  Preemption enabled
  Active router is local
  Standby router is 174.1.26.2, priority 90 (expires in 7.296 sec)
  Priority 100 (default 100)
    Track object 1 state Up decrement 20
  IP redundancy name is “hsrp-Fa0/1.26-1″ (default)

r2#sh stand
GigabitEthernet0/0.26 – Group 1
  State is Standby
    5 state changes, last state change 00:01:33
  Virtual IP address is 174.1.26.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.280 secs
  Preemption enabled
  Active router is 174.1.26.6, priority 100 (expires in 8.276 sec)
  Standby router is local
  Priority 90 (configured 90)
  IP redundancy name is “hsrp-Gi0/0.26-1″ (default)

Internetwork Expert Volume II: Lab 8 – Section 8

Section 8 – Security – 7 Points

8.1 Router Hardening

Configure r5 to:

Drop all source-routed packets
Disable proxy-arp and CDP support on the connections to BB2 and BB3
Drop all HTTP an telnet sessions destined for 174.x.0.0/16 and 150.x.0.0/16 from BB2 or BB3
Drop all inbound echo requests coming from BB2 or BB3

In the real lab I would just eat the 3 points rather than mess with connections to the backbone routers.  But this task is pretty easy so I gave it a shot.

The first requirement:

ip source-route
To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route command in global configuration mode.

r5(config)#no ip source-route

The second one:

r5(config-subif)#no cdp en
r5(config-subif)#no ip proxy-arp

And the rest:

r5(config)#ip access-list ex TASK_8_1
r5(config-ext-nacl)#deny tcp any 174.1.0.0 0.0.255.255 eq www
r5(config-ext-nacl)#deny tcp any 174.1.0.0 0.0.255.255 eq telnet
r5(config-ext-nacl)#deny tcp any 150.1.0.0 0.0.255.255 eq www
r5(config-ext-nacl)#deny tcp any 150.1.0.0 0.0.255.255 eq telnet
r5(config-ext-nacl)#deny icmp any any echo
r5(config-ext-nacl)#permit ip any any

8.2 Traffic Filtering

Drop all traffic from BB2 to BB3 and vice versa on r5 but do not use any access-lists to do this.

We can police inbound, but how to match on the destination without an ACL?

r5(config)#class-map TASK_8_2
r5(config-cmap)#match ?
  destination-address  Destination address
  input-interface      Select an input interface to match

r5(config-cmap)#match destination-address ?
  mac  MAC address

That will not work:

r5(config-cmap)#do sh int f0/1.52 | i bia
  Hardware is AmdFE, address is 0011.93b0.7521(bia 0011.93b0.7521)
r5(config-cmap)#do sh int f0/1.53 | i bia
  Hardware is AmdFE, address is 0011.93b0.7521(bia 0011.93b0.7521)
r5(config-cmap)#do sh int f0/1 | i bia
  Hardware is AmdFE, address is 0011.93b0.7521(bia 0011.93b0.7521)

Let’s check out the input-interface:

r5(config-cmap)#match input-interface fa0/1.52
                                           ^
% Invalid input detected at ‘^’ marker.

r5(config-cmap)#match input-interface fa0/1

Okay, so I can match on the interface, but only the physical interface (which makes sense). 

r5(config-cmap)#policy-map TASK_8_2
r5(config-pmap)#class TASK_8_2
r5(config-pmap-c)#drop

r5(config-pmap-c)#int fa0/1.52
r5(config-subif)#service-policy out TASK_8_2
r5(config-subif)#int fa0/1.53
r5(config-subif)#service-policy out TASK_8_2

8.3 Traffic Filtering

Open the filter you just configured to allow SMTP from 192.10.1.100 to 204.12.1.0/24

r5(config)#ip access-list ex TASK_8_3_FROM_SERVER
r5(config-ext-nacl)#permit tcp host 192.10.1.100 eq smtp 204.12.10.0 0.0.0.255
r5(config)#ip access-list ex TASK_8_3_TO_SERVER
r5(config-ext-nacl)#perm tcp 204.12.10.0 0.0.0.255 host 192.10.1.100 eq smtp

r5(config)#class-map TASK_8_3_FROM_SERVER
r5(config-cmap)#match access-group name TASK_8_3_FROM_SERVER

r5(config-cmap)#class-map TASK_8_3_TO_SERVER
r5(config-cmap)#match access name TASK_8_3_TO_SERVER

Because I did not create separate policy-maps per backbone router, I had to go back and do that:

r5(config-cmap)#policy-map OUT_TO_BB2
r5(config-pmap)# class TASK_8_3_FROM_SERVER
r5(config-pmap-c)# class TASK_8_2
r5(config-pmap-c)#   drop

r5(config-pmap-c)#policy-map OUT_TO_BB3
r5(config-pmap)# class TASK_8_3_TO_SERVER
r5(config-pmap-c)# class TASK_8_2
r5(config-pmap-c)#   drop

Then I had to go in and remove the old class and policy maps and add the new service-policies:

r5(config)#int fa0/1.52
r5(config-subif)#service-policy out OUT_TO_BB2
r5(config-subif)#int fa0/1.53
r5(config-subif)#service-policy out OUT_TO_BB3

IE went with a few less lines of configuration by using a ‘match not’ statement.

Internetwork Expert Volume II: Lab 8 – Section 5

Section 5 – IP Multicast – 11 Points

5.1 PIM

Basic multicast task. We are not told which PIM mode to use, but by reading ahead we can see that we’ll be using Auto-RP so we’ll need sparse-dense mode.

Sparse-Dense Mode for Auto-RP

5.2 Auto-RP

Configure r1 and r2 to use Auto-RP and announce their lo0 interfaces as candidate RP’s.

Configuring Sparse Mode with Auto-RP

“Configure r3 to map all multicast groups with an even numbered first octet to r1 and odd-numbered to r2.”

There’s no “minimal configuration” stipulation so let’s just make so basic access-lists:

r1(config)#ip access-list standard TASK_5_2_EVEN
r1(config-std-nacl)#permit 224.0.0.0 0.255.255.255
r1(config-std-nacl)#permit 226.0.0.0 0.255.255.255
r1(config-std-nacl)#permit 228.0.0.0 0.255.255.255
r1(config-std-nacl)#permit 230.0.0.0 0.255.255.255
r1(config-std-nacl)#permit 232.0.0.0 0.255.255.255
r1(config-std-nacl)#permit 234.0.0.0 0.255.255.255
r1(config-std-nacl)#permit 236.0.0.0 0.255.255.255
r1(config-std-nacl)#permit 238.0.0.0 0.255.255.255

r1(config)#ip pim send-rp-announce lo0 scope 16 group-list TASK_5_2_EVEN

On r3(mapping agent) you will need to apply those same ACLs and then:

r3(config)#ip pim send-rp-discovery lo0 scope 16

Now we need to set up our rp-list ACLs:

r3(config)#ip access-list standard R1_LOOP
r3(config-std-nacl)#permit 150.1.1.1
r3(config-std-nacl)#ip access-list standard R2_LOOP
r3(config-std-nacl)#permit 150.1.2.2

Finally, we set our rp-announce-filters:

r3(config)#ip pim rp-announce-filter rp-list R1_LOOP group-list TASK_5_2_EVEN
r3(config)#ip pim rp-announce-filter rp-list R2_LOOP group-list TASK_5_2_ODD

For some reason I could not get the r2 to map even though my configuration was correct and r2 saw itself elected:

r2#sh ip pim rp map
PIM Group-to-RP Mappings
This system is an RP (Auto-RP)

The problem was that there was no multicast path to r2.  I forgot to configure PIM on the Multilink interfaces on r2 and r3.  DOH!!!

5.3 Multicast Distribution

Multicast traffic should switch to a source based tree once a source is sending 128Kbps or more.

ip pim spt-threshold

r1(config)#ip pim spt-threshold 128

5.4 Multicast Testing

Users in VLAN 4 cannot receive multicast feeds from VLAN 52. 

“Configure…so that r4 responds to ICMP echo requests sent the multicast group 224.4.4.4 from VLAN 52.”

First things first:

r4(config)#int f0/0
r4(config-if)#ip igmp join-group 224.4.4.4

These VLANs are on the spokes.  PIM NBMA mode is needed on the hub.

Before:

r5#p 224.4.4.4 source 174.1.45.5

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 174.1.45.5
.
r5#

r1(config-if)#ip pim nbma-mode
PIM nbma-mode is not recommended for sparse-dense-mode

After:

r5#p 224.4.4.4 source 174.1.45.5

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 174.1.45.5

Reply to request 0 from 174.1.145.4, 52 ms

5.5 Broadcast Distribution

This is a common scenario in which we need to map a multicast feed to a broadcast address using the ‘ip multicast helper-map’ command.

Internetwork Expert Volume II: Lab 8 – Section 4

Section 4 – Exteriour Gateway Routing – 13 Points

4.1 BGP

Easy BGP peering task.  Only “twist” is that you’ll be configuring confederations.

SubAS 65145 has a full mesh. 65267 does not.  You’ll need make r6 a route-reflector.

You’ll also need to remember to set ‘next-hop-self’ between inter-confederation peers where needed (unlike true EBGP peerings, inter-confederation peers do not automatically set ‘next-hop-self’).  Or not…this will be addressed in later tasks.  :-)

For some reason IE peered between the loopbacks on the routers in SubAS 65145.

4.2 BGP Summarization

Advertise a summary of 174.x.0.0/16 to the backbone routers.

“Do not allow any other devices in your BGP network to see this prefix.”
“Use one static router on r5 and r6 to accomplish this.”

So we’ll need to create a static route to Null0 on r5 and r6 and redistribute it into BGP…while filtering it for the rest of the BGP routers.

First, create the static route:

r5(config)#ip route 174.1.0.0 255.255.0.0 null0

Next, match that route in a prefix-list and create route-maps to filter it for our network:

r5(config)#ip prefix-list TASK_4_2 permi 174.1.0.0/16

r5(config)#route-map OUT_TO_R4 deny 10
r5(config-route-map)#match ip add pre TASK_4_2
r5(config-route-map)#route-map OUT_TO_R4 permi 1000
r5(config-route-map)#do sh hist

r5(config-route-map)#route-map OUT_TO_R1 deny 10
r5(config-route-map)#match ip add pre TASK_4_2
r5(config-route-map)#route-map OUT_TO_R1 permi 1000

Finally, redistribute the static route into BGP and apply the route-maps outbound to the neighbors we need to filter for:

r5(config-route-map)#router bgp 65145
r5(config-router)#redistribute static
r5(config-router)#neigh 174.1.145.4 route-map OUT_TO_R4 out
r5(config-router)#neigh 174.1.145.1 route-map OUT_TO_R1 out

We are advertising the summary to BB3:

r5#sh ip bgp neigh 204.12.1.254 adv| b Netw
   Network          Next Hop            Metric LocPrf Weight Path
*> 174.1.0.0        0.0.0.0                  0         32768 ?

Total number of prefixes 1

But we’re not advertising the summary to r4 and r1:

r5#sh ip bgp neigh 174.1.145.4 adv| b Netw
   Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   204.12.1.254             0             0 54 i
*> 28.119.17.0/24   204.12.1.254             0             0 54 i

Total number of prefixes 2

r5#sh ip bgp neigh 174.1.145.1 adv| b Netw
   Network          Next Hop            Metric LocPrf Weight Path
*> 28.119.16.0/24   204.12.1.254             0             0 54 i
*> 28.119.17.0/24   204.12.1.254             0             0 54 i

Total number of prefixes 2

4.3 BGP Next-Hop Processing

“Configure the network in such a way that all devices throughout your network have reachablility to the BGP prefixes learned from AS54.”

Ugh.  That “all devices” bit had me worried that I would need to redistribute BGP into IGP. But the only devices not running BGP are sw3 and sw4 and they are in an OSPF stub area so they will just send traffic for unknown destinations to r3.  So we should be cool.

“Do not advertise the Frame Relay link to BB1 or the Ethernet link to BB3 into IGP or BGP to accomplish this.”

Not a problem I just use ‘next-hop-self’

“Do not use the next-hop-self command to accomplish this.”

Oh poop. I’m stumped.  Should I summarize the routes?  Create a default route? 

Nope. IE was being a bit tricky.  I need to use next-hop modification BUT I cannot use the command ‘next-hop-self’.  Instead I can set the next-hop in a route-map with ‘set ip next-hop peer-address':

We can use the route-maps that we created for the last task and just add the line:

r6(config)#route-map OUT_TO_R2 perm 1000
r6(config-route-map)#set ip next-hop peer-address

I can ping prefixes from BB1 and BB3 from sw3 even though BGP is not running:

sw3#p 28.119.17.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 28.119.17.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

sw3#p 112.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 112.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

sw3#sh ip proto sum
Index Process Name
0     connected
1     static
2     ospf 100
*** IP Routing is NSF aware ***

4.4 BGP Bestpath Selection

Advertise some networks into BGP and then make the routes to some of these networks be preferred via one of the AS 54 backbone routers.

We’re affecting inbound traffic so we have a choice of AS-Path or MED. I picked AS-Path.

We also have this requirement:

“Other AS’s beyond AS 54 should not see these specific subnets, but instead should only see the previously advertised aggregate.”

This task would be very difficult without our good friend the BGP community attribute.  :-)

r6(config)#ip prefix-list VLAN3 permi 174.1.3.0/24
r6(config)#ip prefix-list VLAN4 permi 174.1.4.0/24
r6(config)#ip prefix-list VLAN7 permi 174.1.7.0/24

r6(config)#route-map OUT_TO_BB1
r6(config-route-map)#match ip add pre VLAN3 VLAN7
r6(config-route-map)#set as-path prepend 100 100 100 100
r6(config-route-map)#set community no-export
r6(config-route-map)#route-map OUT_TO_BB1 20
r6(config-route-map)#match ip add pre VLAN4
r6(config-route-map)#set community no-export
r6(config-route-map)#route-map OUT_TO_BB1 permit 1000

r6(config)#router bgp 65267
r6(config-router)#neigh 54.1.2.254 send-community
r6(config-router)#neigh 54.1.2.254 route-map OUT_TO_BB1 out

IE used MED instead of AS-Path (although they noted that both were acceptable).  They did drop this on me (I can’t believe that I didn’t know this):

MED is only compared (by default) between prefixes learned from the same autonomous system.

4.5 BGP Filtering

Advertise VLAN 1001 into BGP but make sure that devices outside of AS 65145 don’t have reachbility to this VLAN.

“Do not use any access-lists or prefix-lists to accomplish this.”

Another job for the BGP community attribute.  r1 is inside a confederation so we should use local-AS.

r1(config)#route-map TASK_4_5
r1(config-route-map)#set community local-AS

r1(config)#router bgp 65145
r1(config-router)#net 174.1.1.0 ma 255.255.255.0 route-map TASK_4_5
r1(config-router)#neighbor 174.1.145.4 send-comm
r1(config-router)#neighbor 174.1.145.5 send-comm

We see the route in AS 65145:

r4#sh ip bgp 174.1.1.0 255.255.255.0
BGP routing table entry for 174.1.1.0/24, version 20
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised outside local AS)
Flag: 0x880
  Not advertised to any peer
  Local
    174.1.145.1 from 174.1.145.1 (150.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, confed-internal, best
      Community: local-AS

We do not see it outside of AS 65145:

r2#sh ip bgp 174.1.1.0 255.255.255.0
% Network not in table

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 112 other followers