Tag Archives: cisco

SSH using public key authentication to IOS

23 Monday Jan 2017

Posted by in Tutorial

Leave a comment

Tags

, 

ip domain-name router.fakrul.com
!
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
username fakrul privilege 15 secret R@nDomp@$$worD!
!
ip ssh pubkey-chain
 username fakrul
 key-string
 ! copy the entire public key as appears in the cat id_rsa.pub including the ssh-rsa and username@hostname.
 exit
 exit
!
ip ssh server algorithm authentication publickey !enable key based authentication only
!
line vty 0 4
transport input ssh
privilege level 15

Install Cisco IOS XRv in GNS3

09 Friday Dec 2016

Posted by in My Work, Uncategorized

Leave a comment

Tags

, , , ,

Software / Application:

  1. VirtualBox (https://www.virtualbox.org/)
  2. GNS3 (https://www.gns3.com/)

We also need Cisco IOS XRv Router image. For lab we use iosxrv-demo-6.0.0.vmdk which is free to use. The only limitation is it has AAA hardcoded users & rate limit of 2 Mbps. For full features please check the following link:

http://www.cisco.com/en/US/docs/ios_xr_sw/ios_xrv/install_config/b_xrvr_432_chapter_01.html

To download the image please visit https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv. You need Cisco CCO account.

STEP 1: IOS XRV WORKING ON VIRTUALBOX

1. Create a new VM

v-1

2. For the VM please choose:

  1. Name: xrv-1
  2. Type: Other
  3. Version: Other/Unknown (64-bit)

Continue reading

SNMP : Saving & Uploading router config

29 Tuesday Dec 2015

Posted by in My Work

Leave a comment

Tags

,

Save router configuration to tftp server:

#Set copy method via OID ccCopyProtocol:
snmpset -v 2c -c  {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.2.112 i 1
#Set source filetype to running-config via OID ccCopySourceFileType:
snmpset -v 2c -c  {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.3.112 i 4
#Set destination to networkfile via OID ccCopyDestFileType:
snmpset -v 2c -c  {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.4.112 i 1
#Set TFTP server ip via OID ccCopyServerAddress:
snmpset -v 2c -c  {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.5.112 a {ip-address-tftp-server}
#Set destination filename via OID ccCopyFileName:
snmpset -v 2c -c  {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.6.112 s router.cfg
#Start tftp download via OID ccCopyEntryRowStatus:
snmpset -v 2c -c  {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.14.112 i 1

Upload router configuration from tftp server:

#Set copy method:
snmpset -v 2c -c {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.2.116 i 1
#Set sourcefile to network file:
snmpset -v 2c -c {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.3.116 i 1
#Set destination to running-config:
snmpset -v 2c -c {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.4.116 i 4
#Set TFTP server ip:
snmpset -v 2c -c {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.5.116 a {ip-address-tftp-server}
#Set desination filename:
snmpset -v 2c -c {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.6.116 s output.cfg
#Start tftp upload via via OID ccCopyEntryRowStatus:
snmpset -v 2c -c {community-string} {device-ip-address} 1.3.6.1.4.1.9.9.96.1.1.1.1.14.116 i 1

Note: The integer highlighted in red is a random integer and you can choose any integer between 1 and 255. Keep in mind to use the same integer for the whole download procedure! See the integer as a session.

MPLS Layer3 VPN : Part 3 (Configure L3 VPN for CUSTOMER2)

15 Monday Apr 2013

Posted by in Uncategorized

Leave a comment

Tags

, ,

image

In this phase L3VPN is configured for CUSTOMER2. It is same for CUSTOMER1 but only difference is that between PE router R1 and CE router C2S1 protocol will be OSPF.

PHASE 3: Configure L3 VPN for CUSTOMER2

1. Create Separate VRF for CUSTOMER1

R1(config)#ip vrf CUSTOMER2
R1(config-vrf)#rd 500:2
R1(config-vrf)#route-target export 500:2
R1(config-vrf)#route-target import 500:2

2. MP-BGP with R4, actiavte VPNv4 and redistribute OSPF route to BGP

2.A Configurer MP-BGP/Activate VPNv4
As MP-BGP in place with R1 and R4 (configured in phase 2) do not need configure anything new.

2.B Redistribute CUSTOMER2 VRF OSPF route to BGP

R1(config-router-af)#address-family ipv4 vrf CUSTOMER2
R1(config-router-af)#redistribute ospf 102 match internal
R1(config-router-af)#no auto-summary

3. Create OSPF with R1 and C2S1 and redistribute BGP to OSPF

R1(config)#router ospf 102 vrf CUSTOMER2
R1(config-router)#network 192.168.100.0 0.0.0.3 area 0
R1(config-router)#redistribute bgp 500 subnets

4. Put interface or R1 & R4 in related VRF.

R1(config)#interface FastEthernet2/0
R1(config-if)#ip vrf forwarding CUSTOMER2

PE router R4 configuration will be similar to R1. Bellow is the configuration of R4

R4:

ip vrf CUSTOMER2

rd 500:2

route-target export 500:2
route-target import 500:2
!
interface FastEthernet2/0
ip vrf forwarding CUSTOMER2
!
router ospf 102 vrf CUSTOMER2
log-adjacency-changes
redistribute bgp 500 subnets
network 192.168.110.0 0.0.0.3 area 0
!
router bgp 500
no synchronization
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 500
neighbor 10.10.10.1 update-source Loopback0
no auto-summary
 !
address-family vpnv4
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 next-hop-self
neighbor 10.10.10.1 send-community extended
exit-address-family
 !
address-family ipv4 vrf CUSTOMER2
redistribute ospf 102 match internal
no auto-summary
no synchronization
exit-address-family
 !

Check the VRF table for CUSTOMER2

R4#show ip route vrf CUSTOMER2

Routing Table: CUSTOMER2
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

192.168.110.0/30 is subnetted, 1 subnets
C 192.168.110.0 is directly connected, FastEthernet2/0
172.173.0.0/32 is subnetted, 2 subnets
B 172.173.1.1 [200/2] via 10.10.10.1, 02:03:24
O 172.173.2.1 [110/2] via 192.168.110.2, 01:58:20, FastEthernet2/0
192.168.100.0/30 is subnetted, 1 subnets
B 192.168.100.0 [200/0] via 10.10.10.1, 02:03:24

R4 is receiving 172.173.1.0/24 as BGP route via 10.10.10.1. This route is coming via OSPF from C2S1 to R1; R1 is announcing this via MP-BGP to R4. R4 remove MPLS and VPN tag and install it CUSTOMER1 VRF table.

If you check carefully, there is no related route (172.173.1.0/.24 or 172.173.2.0/24) in provider core router(R2,R3 or R5). These routers are not aware about these routes.

C2S1#traceroute

Protocol [ip]:
Target IP address: 172.173.2.1
Source address: 172.173.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 172.173.2.1

1 192.168.100.1 56 msec 76 msec 4 msec
2 192.168.12.2 [MPLS: Labels 22/27 Exp 0] 140 msec 132 msec 160 msec
3 192.168.23.2 [MPLS: Labels 20/27 Exp 0] 168 msec 112 msec 140 msec
4 192.168.110.1 [MPLS: Label 27 Exp 0] 100 msec 356 msec 108 msec
5 192.168.110.2 132 msec * 100 msec

MPLS Layer3 VPN : Part 2 (Configure L3 VPN for CUSTOMER1)

15 Monday Apr 2013

Posted by in Uncategorized

Leave a comment

Tags

, ,

image

MPLS L3 VPN involves following steps:

Step 1: The CE router sends an IPv4 routing update to the PE Router.
Step 2: A 64 bit RD is prepended to the customer IPv4 prefix to make it globally unique, resulting in a 96-bit VPNv4 prefix.
Step 3: A 96 bit VPNv4 prefix is propagated via MP-BGP to the other PE router.
Step 4: The RD is removed from the VPNv4 prefix, resulting in a 32 bit IPv4 prefix.
Step 5: The PE router sends the resulting IPv4 prefix to the CE router.

For the provider R1 & R4 work as PE Router.

PHASE 2: Configure L3 VPN for CUSTOMER1

1. Create Separate VRF for CUSTOMER1
R1(config)#ip vrf CUSTOMER1
R1(config-vrf)#rd 500:1
R1(config-vrf)#route-target export 500:1
R1(config-vrf)#route-target import 500:1

2. MP-BGP with R4, actiavte VPNv4 and redistribute static route to BGP
2.A Configurer MP-BGP

R1(config)#router bgp 500
R1(config-router)#neighbor 10.10.10.4 remote-as 500
R1(config-router)#neighbor 10.10.10.4 update-source Loopback0

2.B Activate VPNv4

R1(config-router)# address-family vpnv4
R1(config-router-af)#neighbor 10.10.10.4 activate
R1(config-router-af)#neighbor 10.10.10.4 next-hop-self
R1(config-router-af)#neighbor 10.10.10.4 send-community extended

2.C Redistribute CUSTOMER1 VRF static route to BGP

R1(config-router-af)#address-family ipv4 vrf CUSTOMER1
R1(config-router-af)#redistribute static
R1(config-router-af)#no auto-summary

3. Create static route in CUSTOMER1 VRF.

R1(config)#ip route vrf CUSTOMER1 172.172.1.0 255.255.255.0 192.168.10.2

4. Put interface or R1 & R4 in related VRF.

R1(config)#interface FastEthernet1/0
R1(config-if)#ip vrf forwarding CUSTOMER1

5. From C1S1 route just provide a default route to R1.

PE router R4 configuration will be similar to R1. Bellow is the configuration of R4

R4:

ip vrf CUSTOMER1
rd 500:1
route-target export 500:1
route-target import 500:1
!
interface FastEthernet1/0
ip vrf forwarding CUSTOMER1
!
router bgp 500
no synchronization
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 500
neighbor 10.10.10.1 update-source Loopback0
no auto-summary
 !
address-family vpnv4
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 next-hop-self
neighbor 10.10.10.1 send-community extended
exit-address-family
 !
address-family ipv4 vrf CUSTOMER1
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip route vrf CUSTOMER1 172.172.2.0 255.255.255.0 192.168.11.2

Check the VRF table for CUSTOMER1

R4#show ip route vrf CUSTOMER1

Routing Table: CUSTOMER1
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

172.172.0.0/24 is subnetted, 2 subnets
B 172.172.1.0 [200/0] via 10.10.10.1, 01:35:55
S 172.172.2.0 [1/0] via 192.168.11.2
192.168.11.0/30 is subnetted, 1 subnets
C 192.168.11.0 is directly connected, FastEthernet1/0

R4 is receiving 172.172.1.0/24 as BGP route via 10.10.10.1. This route is coming statically coming to R1; R1 is announcing this via MP-BGP to R4. R4 remove MPLS and VPN tag and install it CUSTOMER1 VRF table.

If you check carefully, there is no related route (172.172.1.0/.24 or 172.172.2.0/24) in provider core router(R2,R3 or R5). These routers are not aware about these routes.

Check the reachability from C1S1:

C1S1# traceroute
Protocol [ip]:
Target IP address: 172.172.2.1
Source address: 172.172.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 172.172.2.1

1 192.168.10.1 12 msec 24 msec 8 msec
2 192.168.12.2 [MPLS: Labels 22/25 Exp 0] 112 msec 160 msec 136 msec
3 192.168.23.2 [MPLS: Labels 20/25 Exp 0] 92 msec 156 msec 148 msec
4 192.168.11.1 [MPLS: Label 25 Exp 0] 80 msec 112 msec 112 msec
5 192.168.11.2 96 msec * 104 msec