CCIE Pursuit Blog

February 5, 2008

Internetwork Expert Volume II: Lab 6 – Section 3

Interior Gateway Routing – 24 Points

3.1 OSPF

Basic hub-and-spoke OSPF task:

“Do not use the ip ospf network statement on any of these devices.”

r1(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID 150.17.1.1, Network Type NON_BROADCAST, Cost: 64

r2(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID 150.17.2.2, Network Type NON_BROADCAST, Cost: 64

r5(config-router)#do sh ip os int s0/0 | i Type
  Process ID 100, Router ID 150.17.5.5, Network Type NON_BROADCAST, Cost: 64

Neighbor statements on the hub and “ip ospf priority 0” on the spokes will take care of the job.

r1#sh ip os neig

Neighbor ID     Pri   State           Dead Time   Address         Interface
150.17.2.2        0   FULL/DROTHER    00:01:54    191.17.125.2    Serial0/0
150.17.5.5        0   FULL/DROTHER    00:01:46    191.17.125.5    Serial0/0

3.2 OSPF

There were a TON of subtasks on this one.

You’ll need to remember that you changed the MTU size on sw3 and sw4 back in task section 1 as you’ll need ‘mtu-ignore’ on r4 and r5.

There are a ton of redistribute connected with route-maps as well.  You’ll need to use redistribution rather than configuring ‘ip ospf x area y’ under the loopback 0 interfaces because the switches don’t currently support that function.

route-map CONN->OSPF permit 10
 match int lo0
 set tag 101
router os 100
 redist conn sub route-map CONN->OSPF

You are asked to advertise r5’s loopback 0 as well but cannot use redistribution or a network statement under the OSPF process.  You can configure this under the loopback 0 interface.  No area is specified, IE used area 0 (so did I).

r5(config)#int lo0
r5(config-if)#ip ospf 100 area 0

3.3 OSPF

Another task with a lot of configuration.

“Traffic from sw2 to VLAN 7 should transit the Serial link between r2 and r3.”
“In the case that the link between r1 and r3 is down traffic from sw1 to vlan 7 should transit the ethernet link between r4 and r5.”

vlan 7 is on sw1

sw2#sh ip route 191.17.7.7
% Subnet not in table

sw2 is in area 48 which does not have a connection to area 0, so we’ll need to build a virtual link first to get that route to sw2.  As a matter of fact, we’ll need to build a number of virtual-links to complete our OSPF domain.  After connecting all areas:

sw2#sh ip route 191.17.7.0
Routing entry for 191.17.7.0/24
  Known via "ospf 100", distance 110, metric 68, type inter area
  Last update from 191.17.48.4 on FastEthernet0/18, 00:14:33 ago
  Routing Descriptor Blocks:
  * 191.17.48.4, from 150.17.4.4, 00:14:33 ago, via FastEthernet0/18
      Route metric is 68, traffic share count is 1

sw2#trace 191.17.7.7

Type escape sequence to abort.
Tracing the route to 191.17.7.7

  1 191.17.48.4 0 msec 0 msec 0 msec
  2 191.17.45.5 8 msec 0 msec 0 msec
  3 191.17.125.1 34 msec 25 msec 34 msec
  4 191.17.125.2 58 msec 51 msec 58 msec
  5 191.17.27.7 59 msec *  51 msec

So I need to make r2 and r1 prefer the path to r3 – rather than the FR.  I can do that with cost or change the bandwidth (indirectly change cost).  The Ethernet connection from r4 to r5 will be used only as a last choice because I cranked up the cost:

r4(config-subif)#ip os cost ?
  <1-65535>  Cost
r4(config-subif)#ip os cost 65534

r5(config-router)#int fa0/1.45
r5(config-subif)#ip os cost 65534

With Frame Relay connection up:

sw2#trace 191.1.7.7

Type escape sequence to abort.
Tracing the route to 191.1.7.7

  1 191.1.48.4 0 msec 9 msec 0 msec
  2 191.1.34.3 0 msec 0 msec 8 msec
  3 191.1.23.2 0 msec 9 msec 0 msec
  4 191.1.27.7 8 msec *  0 msec

With Frame Relay down:

r3(config)#int s0/0:0
r3(config-if)#shut

sw2#trace 191.1.7.7

Type escape sequence to abort.
Tracing the route to 191.1.7.7

  1 191.1.48.4 0 msec 0 msec 8 msec
  2 191.1.45.5 0 msec 0 msec 0 msec
  3 191.1.125.1 8 msec 9 msec 0 msec
  4 191.1.125.2 8 msec 9 msec 8 msec
  5 191.1.27.7 8 msec *  0 msec

It is pretty easy to lose track of your IGP build because the last two tasks have you building buttloads of areas.  Make sure to look at your IGP diagram and figure out where your virtual-links need to be built.

3.4 OSPF Filtering

“Configure the network so that r2 filters all routing advertisements to sw1 with the exception of a default route.”
“Do not use a distribute-list or prefix-list to accomplish this.”

Sounds like a stub network to me.  Now to decide which flavor of OSPF stub to use.

We are redistributing int lo0 on sw1:

router ospf 100
 router-id 150.1.7.7
 redistribute connected subnets route-map CONN->OSPF
!
route-map CONN->OSPF permit 10
 match interface Loopback0
 set tag 71

We’ll need to use NSSA with a default route.

area nssa

I had the right idea, but I missed the ‘no-redistribution’ keyword

no-redistribution
 (Optional) Used when the router is an NSSA Area Border Router (ABR) and you want the redistribute command to import routes only into the normal areas, but not into the NSSA area.
 
no-summary
 (Optional) Allows an area to be a not-so-stubby area but not have summary routes injected into it.

The IE solution guide says that the last two subtasks (see above) mean that sw1 should not see a specific route to sw1’s loopback.  I did not get that from reading the task, but it’s obvious that is what is meant if you look at the OSPF routes on sw1 without the no-redistribution keyword:

area 27 nssa no-summary (on r2):
sw1#sh ip route os
     150.1.0.0/24 is subnetted, 2 subnets
O N2    150.1.2.0 [110/20] via 191.1.27.2, 00:00:17, FastEthernet0/14
O*IA 0.0.0.0/0 [110/2] via 191.1.27.2, 00:00:22, FastEthernet0/14

area 27 nssa no-redistribution no-summary (on r2):
sw1#sh ip route os
O*IA 0.0.0.0/0 [110/2] via 191.1.27.2, 00:00:04, FastEthernet0/14

The solution guide has a very detailed write up about this task.

3.5 OSPF Authentication

All area 0 adjacencies should use MD5 hash and all non-area 0 adjacencies should use a clear-text password.

area authentication

message-digest
 (Optional) Enables Message Digest 5 (MD5) authentication on the area specified by the area-id argument.
 
Defaults
Type 0 authentication (no authentication)

ip ospf authentication-key

ip ospf authentication

The biggest pitfall in this task is that you need to remember that OSPF virtual-links are area 0 links (and will require MD5 authentication in this task).  Don’t get thrown off by the fact that the virtual-link command shows the area that the link is traversing (i.e. ‘area 12 virtual-link 150.1.2.2’) and think that you should apply the authentication method for that non-zero area.
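
What the two authentication types in this task put on the wire, following RFC 2328 Appendix D, as an added example that is not from the original post or the IE workbook. The key strings, the zeroed Hello body and the function names are constructed for illustration; packets sent over a virtual link carry Area ID 0.0.0.0, which is why they take the area 0 (MD5) method.

```python
import hashlib
import hmac
import ipaddress
import struct

HELLO_BODY = bytes(20)  # constructed stand-in for a 20-byte Hello body

def header(router_id, area_id, autype, auth, checksum=0):
    """24-byte OSPFv2 header (RFC 2328 A.3.1), packet type 1 = Hello."""
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(HELLO_BODY),
                       ipaddress.IPv4Address(router_id).packed,
                       ipaddress.IPv4Address(area_id).packed,
                       checksum, autype, auth)

def inet_checksum(data):
    """16-bit one's-complement checksum over an even-length byte string."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def simple_packet(router_id, area_id, password):
    """AuType 1: the password itself sits in the 64-bit Authentication field."""
    auth = password.encode().ljust(8, b"\0")[:8]
    # The checksum covers the packet except the Authentication field.
    covered = header(router_id, area_id, 1, bytes(8))[:16] + HELLO_BODY
    return header(router_id, area_id, 1, auth, inet_checksum(covered)) + HELLO_BODY

def pad_key(key):
    return key.encode().ljust(16, b"\0")[:16]

def md5_packet(router_id, area_id, key, key_id=1, seq=1):
    """AuType 2: Key ID, digest length and sequence number in the header,
    MD5(packet + padded key) appended after it; the header checksum stays 0."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = header(router_id, area_id, 2, auth) + HELLO_BODY
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

def md5_verify(wire, key):
    """Receiver side: recompute the digest over everything before the last 16 bytes."""
    expected = hashlib.md5(wire[:-16] + pad_key(key)).digest()
    return hmac.compare_digest(expected, wire[-16:])

if __name__ == "__main__":
    clear = simple_packet("150.1.7.7", "0.0.0.27", "AREA27PW")   # constructed key
    vlink = md5_packet("150.1.2.2", "0.0.0.0", "AREA0KEY")       # constructed key
    print(clear[16:24])                  # password readable on the wire
    print(vlink[16:24].hex(), md5_verify(vlink, "AREA0KEY"))
```

With the clear-text type, anyone who can capture a Hello on the segment reads the password directly; with MD5 only the key ID, sequence number and digest are visible.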

3.6 Default Routing

You’re asked to inject a default route into the OSPF domain on r3 with this stipulation:

“In order to prevent the unnecessary forwarding of traffic that will eventually be dropped, ensure that r3 only advertises this default route if it has an active connection to either bb2 or bb3.”

I was completely lost on this task.  I knew that I needed to use ‘default-information originate’ to inject the default route, but I didn’t know how to make that route conditional.

This is one of those cases where you can harvest some points from the DOC:

default-information originate (OSPF)

route-map map-name
 (Optional) Routing process will generate the default route if the route map is satisfied.

3.7 RIPv2

“r3 should not accept any routes from bb3 that have an odd number in the first octet.”

Sweet.  I’ll write an ACL and use an offset-list to poison those routes…..or not:

“Do not use a distribute-list or an offset-list to accomplish this.”

Shit.  What’s the third way?  I got stumped on this one and I really shouldn’t have been:

distance (IP)

r3#sh run | sec router rip|access-list
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/1
 network 204.12.1.0
 distance 255 204.12.1.254 0.0.0.0 69
 no auto-summary
!
access-list 69 permit 1.0.0.0 254.255.255.255

Before:
r3(config)#do sh ip route rip
     31.0.0.0/16 is subnetted, 4 subnets
R       31.3.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       31.2.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       31.1.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       31.0.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1

     30.0.0.0/16 is subnetted, 4 subnets
R       30.2.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       30.3.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       30.0.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1
R       30.1.0.0 [120/1] via 204.12.1.254, 00:00:04, FastEthernet0/1

After:
r3#sh ip route rip
     30.0.0.0/16 is subnetted, 4 subnets
R       30.2.0.0 [120/1] via 204.12.1.254, 00:00:02, FastEthernet0/1
R       30.3.0.0 [120/1] via 204.12.1.254, 00:00:02, FastEthernet0/1
R       30.0.0.0 [120/1] via 204.12.1.254, 00:00:02, FastEthernet0/1
R       30.1.0.0 [120/1] via 204.12.1.254, 00:00:02, FastEthernet0/1
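
Why that ACL and `distance` line pick out exactly the odd first octets, as an added example (not from the original post or the IE solution guide): a small Python model of IOS wildcard matching, run over the prefixes from the "Before" output. The function names are made up for this illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS standard-ACL match: bits set in the wildcard are "don't care"."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # 254.255.255.255 leaves only bit 0 of octet 1
    return (a & care) == (b & care)

# From the page: access-list 69 permit 1.0.0.0 254.255.255.255
ACL_69 = ("1.0.0.0", "254.255.255.255")
RIP_DISTANCE = 120      # default administrative distance for RIP
UNREACHABLE = 255       # a route with distance 255 is never installed

def effective_distance(prefix, source, neighbor="204.12.1.254", acl=ACL_69):
    """Model 'distance 255 204.12.1.254 0.0.0.0 69' for one received route."""
    if source == neighbor and wildcard_match(prefix, *acl):
        return UNREACHABLE
    return RIP_DISTANCE

def installed(prefixes, source="204.12.1.254"):
    """Prefixes that still make it into the routing table."""
    return [p for p in prefixes if effective_distance(p, source) < UNREACHABLE]

# Prefixes copied from the "Before" output above.
BEFORE = ["31.3.0.0", "31.2.0.0", "31.1.0.0", "31.0.0.0",
          "30.2.0.0", "30.3.0.0", "30.0.0.0", "30.1.0.0"]

if __name__ == "__main__":
    for prefix in BEFORE:
        print(prefix, effective_distance(prefix, "204.12.1.254"))
    print("installed:", installed(BEFORE))
```

The routes are still received from bb3; they are only kept out of the routing table, and only when they come from the neighbor named in the `distance` command.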

I’m not sure why IE redistributed r6’s lo0 into RIP.  The subtask states:

“Advertise r6’s loopback 0 into RIP.”

The IE solution shows the 150.1.0.0 network advertised under the RIP process as well as the loopback 0 interface redistributed (via connected) into RIP.  Strange. 

I’m not the only one confused by this: 

Task 3.7

3.8 IGP Redistribution

“Redistribute between OSPF and RIP on r3.”

This has to be the easiest IGP redistribution scenario yet.  I only have to deal with RIP and OSPF and I’m tasked with mutual redistribution on a single device.  Of course there are these requirements:

“All routers in the OSPF domain should have a longer match for r6’s interface loopback 0.”
“No other routes should be redistributed from RIP to OSPF.”

Huh?

IE says that this means:

“…simply means that RIP should be redistributed into OSPF, but when RIP is redistributed into OSPF the only prefix that should be allowed is r6’s loopback 0 network.”

Lab 6 Task 3.8 IGP redistribution

Task 3.8

Rereading this task (after messing up my configuration) I understand it now.  The last subtask specifies that only r6’s loopback should be redistributed from RIP to OSPF.  This task was like an optical illusion to me.  Once I understood what they wanted, I couldn’t figure out how I had missed it before.  🙂 

I completely screwed this task up.  If I got this in the lab I would have failed for sure.

3.9 EIGRP

You’ll start seeing this message soon after your EIGRP adjacency comes up:

*Mar  5 08:49:19.600: IP-EIGRP(Default-IP-Routing-Table:10): Neighbor 54.1.2.254 not on common subnet for Serial0/0

“…configure r6 so that it does not accept any EIGRP packets on the Frame Relay interface except for those sent from BB1.”

Oh fun.  😦

You have to be careful when building your ACL so that you don’t break EIGRP. Don’t forget to add a permit at the end of your ACL:

ip access-list extended EIGRP_FILTER
 permit eigrp host 54.1.3.254 any
 deny   eigrp any any
 permit ip any any
! ^^^ IMPORTANT!!!
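
The effect of that last line, modelled in Python as an added example that is not part of the original post: the first matching entry wins, and anything that matches no entry hits the implicit deny. The sample packets and the address 54.1.3.6 used for r6 are constructed; only the ACL entries and the two 54.1.x.254 addresses come from the page.

```python
import ipaddress

def host_or_any(spec, addr):
    """Match the two address forms this ACL uses: 'any' or 'host A.B.C.D'."""
    if spec == "any":
        return True
    return ipaddress.IPv4Address(spec.split()[1]) == ipaddress.IPv4Address(addr)

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry, as IOS does."""
    for action, acl_proto, acl_src, acl_dst in acl:
        if (acl_proto in ("ip", proto)
                and host_or_any(acl_src, src) and host_or_any(acl_dst, dst)):
            return action
    return "deny"   # implicit 'deny ip any any' that ends every IOS ACL

EIGRP_FILTER = [
    ("permit", "eigrp", "host 54.1.3.254", "any"),
    ("deny",   "eigrp", "any", "any"),
    ("permit", "ip",    "any", "any"),
]
WITHOUT_FINAL_PERMIT = EIGRP_FILTER[:-1]

# Constructed sample packets: (protocol, source, destination)
PACKETS = [
    ("eigrp", "54.1.3.254", "224.0.0.10"),  # Hello from the permitted host
    ("eigrp", "54.1.2.254", "224.0.0.10"),  # neighbor from the log message
    ("icmp",  "54.1.3.254", "54.1.3.6"),    # ping to r6 (address assumed)
    ("tcp",   "54.1.2.254", "54.1.3.6"),    # any other IP traffic
]

def verdicts(acl):
    return [evaluate(acl, *pkt) for pkt in PACKETS]

if __name__ == "__main__":
    print("with final permit:   ", verdicts(EIGRP_FILTER))
    print("without final permit:", verdicts(WITHOUT_FINAL_PERMIT))
```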

3.10 VPN Routing

I nearly crapped myself when I saw ‘VPN’.  It turns out that this is a rather easy GRE tunnel task.

“As an additional integrity check ensure that any corrupt packets received on the VPN interface are discarded.”

tunnel checksum 
 


3 Comments »

  1. I liked this lab. I just recently did the Dynamips version again and got to grips with most of the tasks.

    Comment by ccielab — February 5, 2008 @ 11:07 am | Reply

  2. Regarding 3.2 and the MTU. There is another way to get OSPF to form the adjacency. Use “ip mtu 1500” on the Switch’s L3 interface. Always good to know that there’s 2 ways to get this done 😉 Good blog. -Serge

    Comment by Serge — February 5, 2008 @ 5:36 pm | Reply

  3. @Serge:
    Thanks for the tip. Didn’t know that.

    Comment by M Khan — June 10, 2009 @ 11:43 am | Reply

