Cisco VRF Lite Configuration

VRF (Virtual Routing and Forwarding) is a tool that enables service providers to support customers with VPNs that have overlapping IP addresses. Usually this tool is part of bigger MPLS and MP-BGP setups and is configured on a PE (provider edge) router facing a CE (customer edge) router. VRF can also be used as a sort of VLAN to separate overlapping IPs on a router with no MPLS configured.

In this blog post I will demonstrate how to configure VRF lite in order to separate networks with overlapping IPs.

In the following topology there are three identical networks with the same IP address. Without the use of VRF lite, those networks cannot function. We will use VRF lite to separate those networks.

[Figure: VRF Lite configuration]

These are the steps for VRF lite configuration:

  • Create and name the VRFs.

ip vrf VRF1
ip vrf VRF2
ip vrf VRF3

  • Attach the VRFs to the desired interfaces. Enter ip vrf forwarding before the ip address command: assigning an interface to a VRF removes any IP address already configured on it.

interface FastEthernet0/0
 ip vrf forwarding VRF1
 ip address 10.0.0.1 255.255.255.0
 no shut
!

interface FastEthernet1/0
 ip vrf forwarding VRF2
 ip address 10.0.0.1 255.255.255.0
 no shut
!

interface FastEthernet2/0
 ip vrf forwarding VRF3
 ip address 10.0.0.1 255.255.255.0
 no shut
!

  • Apply a routing process to each VRF (one OSPF process per VRF).

router ospf 1 vrf VRF1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!

router ospf 2 vrf VRF2
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!

router ospf 3 vrf VRF3
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!

And you’re done! Now you can use a single router to separate networks with overlapping IPs.
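A slip in the steps above (binding a second OSPF process to VRF1 and leaving VRF3 with none) is easy to make and hard to spot by eye in a long running-config. The following script is an added example, not part of the original post or of indeni's code: it parses an IOS-style configuration (a constructed sample that deliberately carries that slip) and reports VRFs referenced but never created, addresses that overlap inside one routing table, and VRFs without exactly one OSPF process. The config text, interface names and checks are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample running-config, modelled on the VRF lite steps above.
# It deliberately carries a "router ospf 3 vrf VRF1" slip (VRF3 is left
# without a routing process) so the audit has something to report.
SAMPLE_CONFIG = """\
ip vrf VRF1
ip vrf VRF2
ip vrf VRF3
!
interface FastEthernet0/0
 ip vrf forwarding VRF1
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet1/0
 ip vrf forwarding VRF2
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet2/0
 ip vrf forwarding VRF3
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1 vrf VRF1
 network 0.0.0.0 255.255.255.255 area 0
!
router ospf 2 vrf VRF2
 network 0.0.0.0 255.255.255.255 area 0
!
router ospf 3 vrf VRF1
 network 0.0.0.0 255.255.255.255 area 0
!
"""


def parse_config(text):
    """Extract VRF definitions, interface bindings and OSPF processes.

    Returns (vrfs, interfaces, ospf): interfaces maps name -> {"vrf", "address"},
    ospf maps process id -> VRF name (None when it serves the global table).
    """
    vrfs, interfaces, ospf, current = set(), {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None  # "!" ends a configuration block in IOS
            continue
        if m := re.match(r"ip vrf (\S+)$", line):
            vrfs.add(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m.group(1), {"vrf": None, "address": None})
        elif m := re.match(r"router ospf (\d+)(?: vrf (\S+))?$", line):
            ospf[int(m.group(1))] = m.group(2)
            current = None
        elif current is not None:
            if m := re.match(r"ip vrf forwarding (\S+)$", line):
                current["vrf"] = m.group(1)
            elif m := re.match(r"ip address (\S+) (\S+)$", line):
                current["address"] = f"{m.group(1)} {m.group(2)}"
    return vrfs, interfaces, ospf


def audit(text):
    """Return a sorted list of findings; an empty list means the config is consistent."""
    vrfs, interfaces, ospf = parse_config(text)
    findings = []
    for name, iface in interfaces.items():
        if iface["vrf"] and iface["vrf"] not in vrfs:
            findings.append(f"{name}: bound to undefined VRF {iface['vrf']}")
    # The same prefix is fine across VRFs, but not twice inside one routing table.
    by_table = defaultdict(list)
    for name, iface in interfaces.items():
        if iface["address"]:
            by_table[(iface["vrf"], iface["address"])].append(name)
    for (vrf, addr), names in by_table.items():
        if len(names) > 1:
            findings.append(f"overlapping address {addr} in {vrf or 'global table'}: {', '.join(names)}")
    # Every VRF that owns interfaces needs exactly one OSPF process bound to it.
    procs = defaultdict(list)
    for pid, vrf in ospf.items():
        procs[vrf].append(pid)
    for vrf in sorted({i["vrf"] for i in interfaces.values() if i["vrf"]}):
        if not procs[vrf]:
            findings.append(f"{vrf}: no OSPF process bound to this VRF")
        elif len(procs[vrf]) > 1:
            findings.append(f"{vrf}: bound to several OSPF processes {sorted(procs[vrf])}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the audit reports VRF1 bound to processes 1 and 3 and VRF3 with no process; correcting the third process to VRF3 clears both findings, while moving FastEthernet2/0 into VRF1 produces an overlapping-address finding instead.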

OSPF Virtual Link Configuration

[Figure: OSPF Configuration Virtual Link]

We all know about the OSPF (Open Shortest Path First) protocol, a fast link-state protocol that is the go-to IGP (Interior Gateway Protocol) in large enterprises. It is also an open standard.

OSPF calculates the shortest path to each destination using Dijkstra’s algorithm. It uses area 0 as the backbone, and every other area must be directly connected to it. There are cases in which we need to circumvent this rule and connect an OSPF area to area 0 through a transit area. This occurs, for example, when the OSPF area has no direct connection to the backbone.

The configuration solution is an OSPF virtual link.

Let’s look at the following example:

R3 has no physical connection to the backbone, which means it cannot get routing updates. We will create an OSPF virtual link between R1 and R2 to connect R3 to area 0 by going through transit area 100.

[Figure: OSPF Configuration Virtual Link example]

Follow these steps to configure an OSPF virtual link:

  • Configure OSPF

R1:

router ospf 1
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 100

R2:

router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.255 area 100
 network 172.16.0.0 0.0.0.255 area 200

  • Apply a virtual link with the following commands, entered under router ospf 1 on both ends. The area is the transit area (100), and the address is the OSPF router ID of the far end (10.0.0.1 for R1 and 10.0.0.2 for R2 in this example, as the verification output confirms):

R1:

area 100 virtual-link 10.0.0.2

R2:

area 100 virtual-link 10.0.0.1

  • To verify the virtual link, use the following command:

show ip ospf virtual-links

This is the output you should get:

R1#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 10.0.0.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 100, via interface FastEthernet0/0, Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 1/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

That’s it! Now R3 will be able to receive routing updates from area 0 and you will have a converged network.
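A virtual link extends the backbone across the transit area, so it is worth checking from a monitoring host that each link is up, fully adjacent, and pointing at the router ID and transit area you intended. The parser below is an added example, not part of the original post or of any indeni tool: it reads the show ip ospf virtual-links output (a constructed copy of the sample above, laid out the way IOS prints it) into structured records and compares them with expected values. The field names and the healthy() checks are assumptions for illustration.

```python
import re

# Constructed sample, mirroring the verification output shown in the post.
SAMPLE_OUTPUT = """\
Virtual Link OSPF_VL0 to router 10.0.0.2 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 100, via interface FastEthernet0/0, Cost of using 1
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
    Adjacency State FULL (Hello suppressed)
    Index 1/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
"""

# One regex per line type we care about; everything else is ignored.
HEADER = re.compile(r"Virtual Link (\S+) to router (\S+) is (up|down)")
TRANSIT = re.compile(r"Transit area (\S+), via interface (\S+), Cost of using (\d+)")
TIMERS = re.compile(r"Hello (\d+), Dead (\d+), Wait (\d+), Retransmit (\d+)")
ADJACENCY = re.compile(r"Adjacency State (\S+)")


def parse_virtual_links(text):
    """Return one dict per virtual link found in the command output."""
    links, cur = [], None
    for line in text.splitlines():
        if m := HEADER.search(line):
            # A header line starts a new virtual-link record.
            cur = {"name": m.group(1), "peer": m.group(2), "up": m.group(3) == "up",
                   "transit_area": None, "interface": None, "cost": None,
                   "timers": None, "adjacency": None}
            links.append(cur)
        elif cur is None:
            continue
        elif m := TRANSIT.search(line):
            cur["transit_area"], cur["interface"] = m.group(1), m.group(2)
            cur["cost"] = int(m.group(3))
        elif m := TIMERS.search(line):
            cur["timers"] = tuple(int(x) for x in m.groups())  # hello, dead, wait, retransmit
        elif m := ADJACENCY.search(line):
            cur["adjacency"] = m.group(1)
    return links


def healthy(link, expected_peer=None, expected_area=None):
    """Return a list of problems with the link; an empty list means it looks right."""
    problems = []
    if not link["up"]:
        problems.append("link is down")
    if link["adjacency"] != "FULL":
        problems.append(f"adjacency is {link['adjacency']}, not FULL")
    if expected_peer and link["peer"] != expected_peer:
        problems.append(f"peer is {link['peer']}, expected {expected_peer}")
    if expected_area and link["transit_area"] != expected_area:
        problems.append(f"transit area is {link['transit_area']}, expected {expected_area}")
    return problems


if __name__ == "__main__":
    for link in parse_virtual_links(SAMPLE_OUTPUT):
        print(link["name"], "->", link["peer"], "via area", link["transit_area"],
              "problems:", healthy(link, expected_peer="10.0.0.2", expected_area="100") or "none")
```

The regexes search rather than match so the indentation IOS adds does not matter, and the expected peer and area are passed in explicitly so the same check can be reused for every virtual link in a larger topology.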

BGP Peer Group Configuration

BGP peer groups have existed in Cisco’s IOS for a long time, and they are a very handy feature in large BGP setups.

The real advantage of using BGP peer groups lies in the reduction of resource usage by routers when they are making updates to BGP neighbors. The routing table is checked once and updates are distributed to all the neighbors in a particular peer group, as opposed to distributing updates to one neighbor at a time.

BGP peer groups also reduce the amount of configuration that needs to be done on the router and centralize BGP administration.

Let’s look at the following setup:

R1 is in AS 100 and all the other routers are in AS 200.

We need to set up BGP so that it will be easy to administer and also scalable (so that adding another BGP neighbor is also easy to do).

[Figure: BGP Peer Group configuration example]

We can use the standard approach:

router bgp 100
 neighbor 1.1.1.1 remote-as 200
 neighbor 1.1.1.1 timers 30 300
 neighbor 1.1.1.1 password indeni

router bgp 100
 neighbor 2.2.2.2 remote-as 200
 neighbor 2.2.2.2 timers 30 300
 neighbor 2.2.2.2 password indeni

router bgp 100
 neighbor 3.3.3.3 remote-as 200
 neighbor 3.3.3.3 timers 30 300
 neighbor 3.3.3.3 password indeni

Pretty simple, isn’t it…?

But what happens when you have 60 of these and you need to add or remove neighbors quickly or apply policy? There’s a lot of room for mistakes.

However, by using a peer group with the name MyGroup, we define it just once, and manage our neighbors with greater ease.

This is how you configure a BGP peer group:

router bgp 100
 neighbor MyGroup peer-group
 neighbor MyGroup remote-as 200
 neighbor MyGroup timers 30 300
 neighbor MyGroup password indeni
 neighbor 1.1.1.1 peer-group MyGroup
 neighbor 2.2.2.2 peer-group MyGroup
 neighbor 3.3.3.3 peer-group MyGroup

In order to verify your configuration, use the following command:

show ip bgp peer-group [peer-group-name]

In the following screenshot we can see that all of the BGP neighbors are attached to a peer group.

[Figure: BGP neighbors attached to a peer group]

That’s it. Happy BGP configuration!
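The point of the peer group is that every member ends up with the same remote-as, timers and password, and that a neighbor added later cannot silently miss one of them. The script below is an added example, not part of the original post or of any indeni product: it resolves peer-group inheritance over the two constructed configurations (the per-neighbor form and the peer-group form from the post, plus a fourth neighbor, 4.4.4.4, added outside the group to show drift), shows that both forms yield identical effective settings, and lists neighbors lacking a required setting. The configs, the 4.4.4.4 neighbor and the REQUIRED tuple are assumptions for illustration; in this model a neighbor-specific line overrides the value inherited from its group.

```python
import re

# Constructed configurations: the per-neighbor form and the peer-group form
# from the post, with one extra neighbor (4.4.4.4) configured outside the group.
FLAT_CONFIG = """\
router bgp 100
 neighbor 1.1.1.1 remote-as 200
 neighbor 1.1.1.1 timers 30 300
 neighbor 1.1.1.1 password indeni
 neighbor 2.2.2.2 remote-as 200
 neighbor 2.2.2.2 timers 30 300
 neighbor 2.2.2.2 password indeni
 neighbor 3.3.3.3 remote-as 200
 neighbor 3.3.3.3 timers 30 300
 neighbor 3.3.3.3 password indeni
"""

GROUP_CONFIG = """\
router bgp 100
 neighbor MyGroup peer-group
 neighbor MyGroup remote-as 200
 neighbor MyGroup timers 30 300
 neighbor MyGroup password indeni
 neighbor 1.1.1.1 peer-group MyGroup
 neighbor 2.2.2.2 peer-group MyGroup
 neighbor 3.3.3.3 peer-group MyGroup
 neighbor 4.4.4.4 remote-as 200
"""

NEIGHBOR = re.compile(r"^\s*neighbor (\S+) (.+?)\s*$")

# Settings every eBGP session in this design is expected to carry (assumption).
REQUIRED = ("remote-as", "timers", "password")


def effective_neighbors(config):
    """Resolve peer-group inheritance; returns {neighbor: {attribute: value}}."""
    attrs, groups, members = {}, set(), {}
    for line in config.splitlines():
        m = NEIGHBOR.match(line)
        if not m:
            continue
        target, rest = m.groups()
        if rest == "peer-group":
            groups.add(target)                 # "neighbor MyGroup peer-group" declares a group
        elif rest.startswith("peer-group "):
            members[target] = rest.split()[1]  # a neighbor joining a group
        else:
            key, _, value = rest.partition(" ")
            attrs.setdefault(target, {})[key] = value
    resolved = {}
    for target in set(attrs) | set(members):
        if target in groups:
            continue  # groups are templates, not sessions
        settings = dict(attrs.get(members.get(target), {}))  # inherited from the group
        settings.update(attrs.get(target, {}))               # neighbor-specific lines win
        resolved[target] = settings
    return resolved


def check_neighbors(resolved, required=REQUIRED):
    """List neighbors that lack one of the settings every session is supposed to carry."""
    findings = []
    for neighbor, settings in sorted(resolved.items()):
        for key in required:
            if key not in settings:
                findings.append(f"{neighbor}: missing {key}")
    return sorted(findings)


if __name__ == "__main__":
    for neighbor, settings in sorted(effective_neighbors(GROUP_CONFIG).items()):
        print(neighbor, settings)
    for finding in check_neighbors(effective_neighbors(GROUP_CONFIG)) or ["no findings"]:
        print(finding)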

How to Upgrade OpenSSL to a Patched Version – Heartbleed Vulnerability

As you probably have heard already, a new OpenSSL vulnerability (called “Heartbleed”) was recently found. A bounds-checking bug made it possible for an attacker to exploit the SSL heartbeat functionality to uncover sensitive data from the web server process memory. xkcd’s Randall Munroe did a wonderful job explaining it here: http://xkcd.com/1354/

While indeni does use SSL both for its internal communication protocol and for the web application, it is NOT vulnerable to the Heartbleed bug, as indeni uses Java’s implementation of SSL and not the open source OpenSSL library in which the bug was found.

indeni provides its own operating system installation, based on the excellent CentOS Linux. Two major versions of CentOS are in use by indeni as of today: a CentOS 5.3 based indeni, which uses OpenSSL 0.9.8 and is not vulnerable, and a newer CentOS 6.5 based indeni, which has OpenSSL 1.0.1 and is vulnerable to Heartbleed.

However, a Heartbleed attack is possible only if an HTTPS server relies on OpenSSL to provide the SSL heartbeat functionality. indeni does not use this functionality in any way, and you don’t have to do anything to protect yourself against Heartbleed attacks.

If you would like to upgrade OpenSSL to a patched version in any case, please contact our support and we will be happy to guide you through this process – support@indeni.com.

Metro Ethernet

In today’s business networks, the demand for high bandwidth throughput, a flexible network and easy maintenance is critical. Metro Ethernet, a Metropolitan Area Network (MAN) technology, is a simple and familiar technology derived from local area networks (LAN) and used by ISPs as a carrier (WAN) link for enterprises.

The advantages of Metro Ethernet are enormous.

From the point of view of speed, MAN can provide Ethernet bandwidths of 1Gbit/s, 10Gbit/s, 100Gbit/s and 400Gbit/s, and there are even vendors developing terabit speeds. This is good news for large enterprises, since today’s market is all about Data Centers, cloud and SaaS (Software as a Service). Upgrading the bandwidth is easy and requires no additional equipment.

Metro Area Network is also very simple to implement. Simply connect the provider’s cable to your switch/router interface, and you’re done!

In terms of topology, MAN can be deployed as point-to-point, point to multipoint, and multipoint networks. It provides fast convergence and resiliency in case of a failure via Rapid Spanning Tree (less than 50 ms). MAN can operate as pure Ethernet on existing SDH layout and over MPLS.

Easy troubleshooting is another advantage of MAN. In order to troubleshoot MAN, simply follow the LAN topology (MAC addresses, VLANs, STP, etc.). Troubleshooting MAN becomes complex in very large environments, but this task can be easily achieved via automation.

In conclusion, there is a great future for Metro Ethernet because it is a relatively affordable way to use and access a large amount of data. Major, broad-based providers such as Comcast, Verizon and AT&T are already offering this technology to large enterprises, and we’re expecting to see usage of MAN in consumer markets soon.

The EIGRP Challenge #1

We’ve put together a few challenges because… well, we’re just fun like that. Here is the first of a few to come, show us how well you know EIGRP. Go!

A mid-sized company in New York hired a promising new network engineer — Jeff — after the previous network engineer retired. Intent on making a good impression, Jeff did some research and decided to implement EIGRP in the network that he’s looking after.

To his surprise and dismay, when he made what he considered necessary configuration changes, the network stopped functioning! Angry users have started calling in from all over the organization. His manager and the Head of IT Operations want answers now.

Jeff has tried to find the problem by analyzing his monitoring systems, but the results only confirm that all routers are powered on and functioning properly.

What should he do?

Help Jeff locate and resolve the problem so that he can go home and watch the new season of Game of Thrones (and keep his job)!

Here is the topology of Jeff’s network:

[Figure: The EIGRP Challenge topology]

The first one to identify the problem, resolve it and provide an elegant solution will win a brand new Phantom Keystroker (so you could ”help” your work friends in future)!

How does the challenge work?

  • Download the GNS3 simulator from here.
  • Load the network topology from the EIGRP_CHALLENGE folder.
  • Power on GNS3 (c3640 is the IOS image you should be using).
  • BE THE FIRST ONE to solve all the issues in Jeff’s network. Prove that there is full coverage of EIGRP in the network by sending us a screenshot of the routing tables, topology.net and the config files.

The winner will be announced on April 30th in the indeni community blog.

* Contest Rules

Introduction to Traffic Engineering with MPLS

MPLS (Multiprotocol Label Switching) is a data forwarding method using labels instead of IP addresses. It is a simple, secure and fast technology that can encapsulate and transport many kinds of protocols (Ethernet, ATM, Frame-Relay, etc.), hence the name Multiprotocol.

Also, there is visibility of IP addressing, as MPLS operates both in Layer 2 and Layer 3 of the OSI network model. MPLS is mainly used by ISPs to provide Virtual Private Networks (VPNs), and we see its deployment in large enterprises as well.

A major feature of MPLS is its traffic engineering capabilities. Resource management, performance and optimization are essential for Service Providers to deliver high-end services to their multiple customers, which span across the MPLS backbone.

MPLS essentially builds several paths called LSPs (Label Switched Paths), based on the required resources and network capabilities. It then hands that information to the Interior Gateway Protocol (OSPF, IS-IS), and the IGP routes data through these fast LSPs using labels. There is also support for Quality of Service (QoS), since the MPLS header contains a 3-bit EXP (Experimental) field that carries the Class of Service.
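Because a labelled packet carries no IP header at the front, any tool that wants to see which LSP and class of service a packet belongs to has to decode the label stack first. The decoder below is an added example, not part of the original post or of any Cisco or indeni software: it packs and unpacks the 32-bit MPLS shim header defined in RFC 3032 (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL), walks a stack until the bottom-of-stack bit, and refuses a truncated stack. The two-label sample frame (label values, EXP and TTL) is constructed for illustration.

```python
import struct

# Reserved label values from RFC 3032 section 2.1; values above 15 are ordinary labels.
RESERVED = {0: "IPv4 Explicit NULL", 1: "Router Alert", 2: "IPv6 Explicit NULL", 3: "Implicit NULL"}


def encode_entry(label, exp, bottom, ttl):
    """Build one 32-bit MPLS shim header: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def decode_label_stack(data):
    """Walk the label stack until the bottom-of-stack bit; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry found")
        (word,) = struct.unpack("!I", data[offset:offset + 4])
        entry = {
            "label": word >> 12,            # top 20 bits
            "exp": (word >> 9) & 0x7,       # the 3-bit EXP / Class of Service field
            "bottom": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
        }
        entry["meaning"] = RESERVED.get(entry["label"], "normal label")
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, data[offset:]


# Constructed two-label stack: an outer transport label with EXP 5 and an inner
# VPN label that terminates the stack, followed by a stand-in IPv4 payload.
SAMPLE_FRAME = (encode_entry(16000, 5, False, 64)
                + encode_entry(24, 0, True, 64)
                + bytes.fromhex("4500"))


if __name__ == "__main__":
    stack, payload = decode_label_stack(SAMPLE_FRAME)
    for entry in stack:
        print(entry)
    print("payload starts with:", payload.hex())
```

The encoder is there so the sample frame is built from named fields rather than opaque hex; the first header of the sample encodes to 03e80a40, which you can check by hand from the field layout.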

Cisco has a large role in MPLS technology and it is implemented in almost all of their high-end routers. Although providing advantageous capabilities, there is still a learning curve regarding MPLS, and there’s a chance of making mistakes that will affect large-scale topologies.