Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS and Cisco – Part-5

In this tutorial I am going to implement an IPSEC VPN between the customer gateway routers karachigw1/lahoregw1 and the cloud firewalls karacf3/lahorcf3.

Final Topology

  1. Configure karachigw1 as following:

Define Phase 1 & 2 and set both karacf3/lahorcf3 as peers. Note that the transform-set below asks for `mode transport`, but transport mode only applies when the protected traffic is between the crypto endpoints themselves; for the LAN-to-LAN traffic matched by access-list 100 IOS falls back to tunnel mode, which is what the `show crypto ipsec sa` output later reports (`in use settings ={Tunnel, }`).

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.236.7.171
crypto isakmp key cisco123 address 10.236.7.179
!
!
crypto ipsec transform-set ptcltrans esp-3des esp-md5-hmac 
 mode transport
!
!
crypto map ptclmap local-address Loopback0
crypto map ptclmap 10 ipsec-isakmp 
 set peer 10.236.7.171
 set peer 10.236.7.179
 set transform-set ptcltrans 
 match address 100
!

Apply the crypto map to the WAN-facing interface:

!
interface FastEthernet0/0.116
 description to_karais4
 encapsulation dot1Q 116
 ip address 18.18.18.2 255.255.255.248
 crypto map ptclmap
!

Define the encryption domain (the crypto ACL referenced by `match address 100`):

!
access-list 100 permit ip 141.97.0.0 0.0.255.255 10.144.58.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.144.58.0 0.0.0.255
!

Create loopback Interface

!
interface Loopback0
 ip address 20.20.20.1 255.255.255.255
!

Define a route-map to advertise the loopback without prepending. Both gateways use the same loopback address 20.20.20.1 as the IPSEC source, so the cloud firewalls only ever see a single peer; which gateway actually terminates the tunnel is decided by BGP path selection on the PE side, where karachigw1 advertises the /32 unprepended and lahoregw1 prepends it.

!
!
ip access-list standard floating-loopback
 permit 20.20.20.1
!
route-map no-prepend permit 10
 match ip address floating-loopback
!

Apply the route-map to the BGP peer

!
router bgp 65120
 neighbor 18.18.18.1 route-map no-prepend out
 no auto-summary
!
  2. Configure lahoregw1 as following:

Define Phase 1 & 2 and set both karacf3/lahorcf3 as peers

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.236.7.171
crypto isakmp key cisco123 address 10.236.7.179
!
!
crypto ipsec transform-set ptcltrans esp-3des esp-md5-hmac 
 mode transport
!
crypto map ptclmap local-address Loopback0
crypto map ptclmap 10 ipsec-isakmp 
 set peer 10.236.7.171
 set peer 10.236.7.179
 set transform-set ptcltrans 
 match address 100
!

Apply the crypto map to the WAN-facing interface:

!
interface FastEthernet0/0.117
 description to_lahoris4
 encapsulation dot1Q 117
 ip address 19.19.19.2 255.255.255.248
 crypto map ptclmap
!
!

Define the encryption domain (identical to karachigw1):

!
access-list 100 permit ip 141.97.0.0 0.0.255.255 10.144.58.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.144.58.0 0.0.0.255
!

Create loopback Interface

!
interface Loopback0
 ip address 20.20.20.1 255.255.255.255
!
!

Define a route-map that prepends the AS path on the loopback advertisement so that this path is not preferred while karachigw1 is healthy.

!
ip access-list standard floating-loopback
 permit 20.20.20.1
!
!
route-map prepend permit 10
 match ip address floating-loopback
 set as-path prepend 65120 65120 65120
!

Apply route-map to BGP peer

!
router bgp 65120
 neighbor 19.19.19.1 route-map prepend out
 no auto-summary
!

Now at the other side, configure IPSEC VPN on both Cisco ASAv primary cloud firewall karacf3 and DR firewall lahorcf3 as following:

crypto ipsec ikev1 transform-set ptcltransform esp-3des esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map ptclmap 1 match address ptcl-vpn-lan
crypto map ptclmap 1 set peer 20.20.20.1 
crypto map ptclmap 1 set ikev1 transform-set ptcltransform
crypto map ptclmap interface on-ramp
crypto ca trustpool policy
crypto ikev1 enable on-ramp
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!
access-list ptcl-vpn-lan extended permit ip 10.144.58.0 255.255.255.0 141.97.0.0 255.255.0.0 
access-list ptcl-vpn-lan extended permit ip 10.144.58.0 255.255.255.0 192.168.1.0 255.255.255.0 
!
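The policies above, on both the IOS gateways and the ASAs, negotiate 3DES, MD5 HMAC for ESP, Diffie-Hellman group 2 and the pre-shared key cisco123. That is acceptable for a GNS3 lab but not for a production customer VPN: 3DES and MD5 are deprecated, a 1024-bit DH group gives little security margin, and the key is guessable. The following is an added example, not part of the original tutorial, showing the same two configurations with AES-256, SHA-1 HMAC (the strongest ESP integrity option an IKEv1 transform-set accepts on the ASA), DH group 14, explicit tunnel mode, and dead peer detection so that the firewall drops a stale SA when the active gateway fails. The key string is a placeholder of mine, and I assume the ASAv release accepts `group 14` in an IKEv1 policy; older ASA releases accept only groups 1, 2 and 5 for IKEv1, in which case the right move is IKEv2 rather than staying on group 2.

```cisco
! karachigw1 / lahoregw1 (IOS): replaces the isakmp policy and transform-set shown above
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Dead peer detection: probe the peer every 10 s so a failed gateway's SA is torn down
crypto isakmp keepalive 10 periodic
! REPLACE-WITH-LONG-RANDOM-KEY is a placeholder, not a real key; use one long random value per peer
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 10.236.7.171
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 10.236.7.179
!
! Tunnel mode is what the SA ends up in anyway (see the show output later), so state it explicitly
crypto ipsec transform-set ptcltrans esp-aes 256 esp-sha-hmac
 mode tunnel
!
! karacf3 / lahorcf3 (ASA): matching IKEv1 policy, transform-set and tunnel-group attributes
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
crypto ipsec ikev1 transform-set ptcltransform esp-aes-256 esp-sha-hmac
!
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
 isakmp keepalive threshold 10 retry 2
```

The rest of the crypto map, the crypto ACLs and the `crypto map ptclmap local-address Loopback0` binding stay exactly as the tutorial shows them. After applying this on both ends, `show crypto isakmp sa` must still reach QM_IDLE on IOS and MM_ACTIVE on the ASA, and the `transform:` line in `show crypto ipsec sa` should now read `esp-aes 256 esp-sha-hmac`.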

Now configure a test machine Service-vlan102 in dc-karachi with IP address 10.144.58.2/24 and connect it to the local aggregation switch karais3. Similarly, configure a test machine Service-vlan103 in dc-lahore with the same IP address 10.144.58.2/24; the DR copy of a protected machine keeps the primary's addressing.

In the customer's offices, configure a LAN user PC1 in the Karachi office with IP address 141.97.1.10/16 and PC2 in the Lahore office with IP address 192.168.1.10/24. Connect these two test PCs to the Layer-3 switches ESW1 and ESW2 respectively.

Configure ESW1 as following:

!
interface FastEthernet1/15
 switchport access vlan 104
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan104
 ip address 141.97.1.1 255.255.0.0
!
router eigrp 100
 network 141.97.0.0
 network 172.168.0.0
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.168.3.1
!

Configure ESW2 as following:

!
interface Vlan104
 ip address 192.168.1.1 255.255.255.0
!
router eigrp 100
 network 172.168.0.0
 network 192.168.1.0
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.168.4.1
!

Both ESW1 and ESW2 forward their traffic to R1 and R2 respectively. The configuration of R1 and R2 is as follows:

R1:

!
interface FastEthernet0/0
 ip address 172.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 172.168.3.1 255.255.255.0
 duplex auto
 speed auto
!

Apply HSRP configuration on this interface.

!
interface FastEthernet2/0
 ip address 172.168.1.5 255.255.255.240
 duplex auto
 speed auto
 standby 1 ip 172.168.1.4
 standby 1 timers 1 3
 standby 1 priority 120
 standby 1 preempt
!
router eigrp 100
 network 172.168.0.0
 auto-summary
!

Set the default route as follows; 172.168.1.1 is the HSRP VIP address of karachigw1 and lahoregw1, which we will configure later:

!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.168.1.1
!

Similarly configure R2 as following. Note that `standby 0 preempt` in this configuration belongs to HSRP group 0, not to group 1 which carries the VIP, so R2 is not configured to preempt (the `show standby brief` output later shows no P flag for R2); use `standby 1 preempt` if R2 should take the active role back when its priority allows.

!
interface FastEthernet0/0
 ip address 172.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 172.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 172.168.1.6 255.255.255.240
 duplex auto
 speed auto
 standby 0 preempt
 standby 1 ip 172.168.1.4
 standby 1 timers 1 3
!
router eigrp 100
 network 172.168.0.0
 auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.168.1.1
!

Now configure karachigw1 as following.

  1. Apply IP SLA configuration as following:
!
ip sla 1
 icmp-echo 10.236.7.171 source-interface FastEthernet0/0.116
 timeout 1000
 threshold 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 172.168.1.4 source-interface FastEthernet1/0
 timeout 1000
 threshold 1000
 frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 18.18.18.1 source-interface FastEthernet0/0.116
 timeout 1000
 threshold 1000
 frequency 1
ip sla schedule 3 life forever start-time now
!
!         
track 1 ip sla 1 reachability
 delay down 10 up 10
!
track 2 ip sla 2 reachability
 delay down 10 up 10
!
track 3 list boolean and
 object 1
 object 2
!
track 4 ip sla 3 reachability
!
track 5 ip route 10.236.7.168 255.255.255.248 reachability
!
  2. Apply HSRP and Object tracking configuration as following:
!
interface FastEthernet1/0
 ip address 172.168.1.2 255.255.255.240
 duplex auto
 speed auto
 standby 0 ip 172.168.1.1
 standby 0 timers 1 3
 standby 0 priority 120
 standby 0 preempt
 standby 0 track 3 decrement 30
!
  3. Configure static routing as following:
!
ip route 18.18.18.0 255.255.255.248 Null0 track 4
ip route 141.97.0.0 255.255.0.0 172.168.1.4
ip route 192.168.1.0 255.255.255.0 172.168.1.4

Similarly, apply the configuration on lahoregw1 as following:

  1. Apply IP SLA configuration as following:
!
ip sla 1
 icmp-echo 10.236.7.179 source-interface FastEthernet0/0.117
 timeout 1000
 threshold 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 172.168.1.4 source-interface FastEthernet1/0
 timeout 1000
 threshold 1000
 frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 19.19.19.1 source-interface FastEthernet0/0.117
 timeout 1000
 threshold 1000
 frequency 1
ip sla schedule 3 life forever start-time now
!
!         
track 1 ip sla 1 reachability
 delay down 10 up 10
!
track 2 ip sla 2 reachability
 delay down 10 up 10
!
track 3 list boolean and
 object 1
 object 2
!
track 4 ip sla 3 reachability
!
track 5 ip route 10.236.7.176 255.255.255.248 reachability
!
  2. Apply HSRP and Object tracking configuration as following:
!
interface FastEthernet1/0
 ip address 172.168.1.3 255.255.255.240
 duplex auto
 speed auto
 standby 0 ip 172.168.1.1
 standby 0 timers 1 3
 standby 0 preempt
 standby 0 track 3 decrement 30
!
  3. Re-configure the static routing as following:
!
ip route 19.19.19.0 255.255.255.248 Null0 track 4
ip route 141.97.0.0 255.255.0.0 172.168.1.4
ip route 192.168.1.0 255.255.255.0 172.168.1.4

Now let’s check the status of karachigw1, lahoregw1 and R1, R2 to identify which one is our Active HSRP router:

karachigw1#sh standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa1/0       0    120 P Active  local           172.168.1.3     172.168.1.1

karachigw1#
lahoregw1#sh standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa1/0       0    100 P Standby 172.168.1.2     local           172.168.1.1
lahoregw1#

Similarly; Check on R1 and R2:

R1#sh standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa2/0       1    120 P Active  local           172.168.1.6     172.168.1.4
R1#
R2#sh standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa2/0       1    100   Standby 172.168.1.5     local           172.168.1.4
R2#

Let’s try to ping from PC1 141.97.1.10 to the gateway VIP address 172.168.1.1:

Checking for duplicate address...
PC1 : 141.97.1.10 255.255.0.0 gateway 141.97.1.1
PC1> 
PC1> 
PC1> ping 172.168.1.1
172.168.1.1 icmp_seq=1 timeout
84 bytes from 172.168.1.1 icmp_seq=2 ttl=253 time=31.650 ms
84 bytes from 172.168.1.1 icmp_seq=3 ttl=253 time=36.967 ms
84 bytes from 172.168.1.1 icmp_seq=4 ttl=253 time=26.586 ms
84 bytes from 172.168.1.1 icmp_seq=5 ttl=253 time=29.608 ms
PC1>

Let’s check on the PE routers karair3 and lahorir3 where the remote encryption domain 10.144.58.0/24 is being learned from. Note that it is advertised by both cloud firewalls. However, this is an internal network of the cloud VRF and is not advertised to the customer’s gateway routers karachigw1 and lahoregw1.

Note that we are learning 10.144.58.0/24 from the karacf3 firewall on PE karair3:

root@karair3> show route table vpn12725.inet.0 
vpn12725.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.144.58.0/24     *[BGP/170] 00:45:55, MED 0, localpref 100
                      AS path: 65119 ?
                    > to 10.236.7.171 via em3.112
10.236.7.168/29    *[Direct/4] 00:48:49
                    > via em3.112
10.236.7.176/29    *[BGP/170] 00:48:14, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 18, Push 299776(top)
18.18.18.0/29      *[Direct/0] 00:48:50
                    > via em1.116
18.18.18.1/32      *[Local/0] 00:48:50
                      Local via em1.116
20.20.20.1/32      *[BGP/170] 00:48:10, MED 0, localpref 100
                      AS path: 65120 I
                    > to 18.18.18.2 via em1.116
root@karair3>

Similarly, note that on PE lahorir3 we are learning 10.144.58.0/24 both from karacf3 (via the MPLS core, from 2.2.2.2) and directly from lahorcf3, but only the route learned from karacf3 is active (marked `*`): the copy from lahorcf3 carries the prepended AS path 65119 65119 65119 65119 and loses the BGP path selection:

root@lahoreir3> show route table vpn12725.inet.0 
vpn12725.inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.144.58.0/24     *[BGP/170] 00:46:02, MED 0, localpref 100, from 2.2.2.2
                      AS path: 65119 ?
                    > to 10.20.30.2 via em1.0, Push 18, Push 299792(top)
                    [BGP/170] 00:45:59, MED 0, localpref 100
                      AS path: 65119 65119 65119 65119 ?
                    > to 10.236.7.179 via em3.113
10.236.7.168/29    *[BGP/170] 00:48:21, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 10.20.30.2 via em1.0, Push 18, Push 299792(top)
10.236.7.176/29    *[Direct/4] 00:48:56
                    > via em3.113
19.19.19.0/29      *[Direct/0] 00:48:58
                    > via em0.117
19.19.19.1/32      *[Local/0] 00:48:58
                      Local via em0.117
20.20.20.1/32      *[BGP/170] 00:46:54, MED 0, localpref 100
                      AS path: 65120 65120 65120 65120 I
                    > to 19.19.19.2 via em0.117
root@lahoreir3>

This happens because of the route-maps applied on the firewalls: lahorcf3 prepends its own AS three times when advertising 10.144.58.0/24, while karacf3 advertises it without prepending.

On karacf3, configure a route-map that does not prepend the 10.144.58.0/24 network, as following:

!
access-list dmz standard permit 10.144.58.0 255.255.255.0 
!
route-map no-prepend permit 10
 match ip address dmz
!
!
router bgp 65119
  address-family ipv4 unicast
   neighbor 10.236.7.169 route-map no-prepend out
!

Similarly, configure the route-map that prepends the 10.144.58.0/24 network on lahorcf3 as following. Note that the neighbor in the `router bgp` stanza must be PE lahorir3’s address on the 10.236.7.176/29 link; 10.236.7.179 is lahorcf3’s own address (the PE output above shows 10.236.7.179 as the next hop toward lahorcf3), so check this line against the actual PE address when applying it:

!
access-list dmz standard permit 10.144.58.0 255.255.255.0 
!
route-map prepend permit 10
 match ip address dmz
 set as-path prepend 65119 65119 65119
!
!
router bgp 65119
  address-family ipv4 unicast
   neighbor 10.236.7.179 route-map prepend out
!

So if customer LAN PC1 or PC2 tries to ping the test machine 10.144.58.2/24, the traffic will take the following path. Note that for this test I keep the DR environment completely off: the lahorcf3 interface Gi0/0.105 stays administratively down as a precaution, so the DR copy of 10.144.58.0/24 behind it does not conflict with the primary one.

PC1 > ESW1> R1> SW1> karachigw1> karais4 > karair3> karacf3> Service-vlan102 10.144.58.2/24

PC2 > ESW2> R2> R1> SW1>  karachigw1> karais4 > karair3> karacf3> Service-vlan102 10.144.58.2/24

Let’s see if PC1 can ping 10.144.58.2/24 behind karacf3:

PC1> ping 10.144.58.2
10.144.58.2 icmp_seq=1 timeout
84 bytes from 10.144.58.2 icmp_seq=2 ttl=62 time=65.638 ms
84 bytes from 10.144.58.2 icmp_seq=3 ttl=62 time=40.451 ms
84 bytes from 10.144.58.2 icmp_seq=4 ttl=62 time=42.351 ms
84 bytes from 10.144.58.2 icmp_seq=5 ttl=62 time=42.519 ms
PC1>

Let’s see whether the customer LAN in the Lahore office can also ping the 10.144.58.2/24 network:

PC2> ping 10.144.58.2
10.144.58.2 icmp_seq=1 timeout
10.144.58.2 icmp_seq=2 timeout
84 bytes from 10.144.58.2 icmp_seq=3 ttl=61 time=75.396 ms
84 bytes from 10.144.58.2 icmp_seq=4 ttl=61 time=54.293 ms
84 bytes from 10.144.58.2 icmp_seq=5 ttl=61 time=59.567 ms
PC2>

We can see the IPSEC tunnel created on karachigw1. Note the SAs are in tunnel mode despite the `mode transport` in the transform-set, and that no SA exists toward the second peer 10.236.7.179:

karachigw1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.236.7.171    20.20.20.1      QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA

karachigw1#sh crypto ipsec sa
interface: FastEthernet0/0.116
    Crypto map tag: ptclmap, local addr 20.20.20.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.144.58.0/255.255.255.0/0/0)
   current_peer 10.236.7.171 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.171
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.116
     current outbound spi: 0xBF602470(3210749040)

     inbound esp sas:
      spi: 0xDBCC2FC5(3687591877)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4522540/3492)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xBF602470(3210749040)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4522540/3492)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.179
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.116
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (141.97.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.144.58.0/255.255.255.0/0/0)
   current_peer 10.236.7.171 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.171
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.116
     current outbound spi: 0x35480F0B(893914891)
     inbound esp sas:
      spi: 0x2E52E280(777183872)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4582889/3445)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x35480F0B(893914891)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4582889/3445)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.179
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.116
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

No tunnel is created on lahoregw1, since it is the Standby HSRP router at the moment: no customer traffic reaches it, so nothing matches its crypto ACL, and the firewall’s traffic to 20.20.20.1 follows the PE’s preferred (unprepended) path to karachigw1:

lahoregw1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
IPv6 Crypto ISAKMP SA


lahoregw1#
karacf3# sh crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 20.20.20.1
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 
There are no IKEv2 SAs

karacf3# 

This shows the design working as expected. Next I am going to test that traffic passes via lahoregw1 if the customer’s gateway router karachigw1 fails completely. To simulate this, I will shut down both the internal and the external physical interfaces of karachigw1:

karachigw1#
karachigw1#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up      
FastEthernet0/0.116        18.18.18.2      YES NVRAM  up                    up      
FastEthernet1/0            172.168.1.2     YES NVRAM  up                    up     
FastEthernet1/1            unassigned      YES NVRAM  administratively down down    
FastEthernet2/0            unassigned      YES NVRAM  administratively down down    
FastEthernet2/1            unassigned      YES NVRAM  administratively down down    
SSLVPN-VIF0                unassigned      NO  unset  up                    up      
Loopback0                  20.20.20.1      YES NVRAM  up                    up      

karachigw1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
karachigw1(config)#int fa0/0
karachigw1(config-if)#sh
karachigw1(config-if)#int fa   
*Apr 11 18:56:54.655: %BGP-5-ADJCHANGE: neighbor 18.18.18.1 Down Interface flap
karachigw1(config-if)#int fa1/0
karachigw1(config-if)#
*Apr 11 18:56:56.619: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
karachigw1(config-if)#sh
karachigw1(config-if)#
*Apr 11 18:56:56.619: %ENTITY_ALARM-6-INFO: ASSERT INFO Fa0/0 Physical Port Administrative State Down 
karachigw1(config-if)#
*Apr 11 18:56:57.491: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 0 state Active -> Init
*Apr 11 18:56:57.619: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
karachigw1(config-if)#
*Apr 11 18:56:59.507: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Apr 11 18:56:59.507: %ENTITY_ALARM-6-INFO: ASSERT INFO Fa1/0 Physical Port Administrative State Down 
karachigw1(config-if)#
*Apr 11 18:57:00.035: %TRACKING-5-STATE: 4 ip sla 3 reachability Up->Down
*Apr 11 18:57:00.507: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
karachigw1(config-if)#
*Apr 11 18:57:09.207: %TRACKING-5-STATE: 5 ip route 10.236.7.168/29 reachability Up->Down
*Apr 11 18:57:10.035: %TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down
*Apr 11 18:57:10.035: %TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down
*Apr 11 18:57:10.127: %TRACKING-5-STATE: 3 list boolean and Up->Down
karachigw1(config-if)#

The tracking objects and HSRP reacted immediately: HSRP on Fa1/0 went from Active to Init as soon as the interface was shut, and track objects 1, 2 and 3 followed after the configured 10-second down delay. lahoregw1 is now our Active HSRP router:

lahoregw1#
*Apr 11 18:55:38.387: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 0 state Standby -> Active
lahoregw1#
lahoregw1#
lahoregw1#sh stan
lahoregw1#sh standby br
lahoregw1#sh standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa1/0       0    100 P Active  local           unknown         172.168.1.1
lahoregw1#

Now let’s try to repeat our ping test from PC1 & PC2 to 10.144.58.2/24:

PC1> ping 10.144.58.2
10.144.58.2 icmp_seq=1 timeout
84 bytes from 10.144.58.2 icmp_seq=2 ttl=62 time=39.244 ms
84 bytes from 10.144.58.2 icmp_seq=3 ttl=62 time=70.384 ms
84 bytes from 10.144.58.2 icmp_seq=4 ttl=62 time=67.817 ms
84 bytes from 10.144.58.2 icmp_seq=5 ttl=62 time=56.503 ms
PC1>

PC2> ping 10.144.58.2
10.144.58.2 icmp_seq=1 timeout
84 bytes from 10.144.58.2 icmp_seq=2 ttl=61 time=52.481 ms
84 bytes from 10.144.58.2 icmp_seq=3 ttl=61 time=54.096 ms
84 bytes from 10.144.58.2 icmp_seq=4 ttl=61 time=39.883 ms
84 bytes from 10.144.58.2 icmp_seq=5 ttl=61 time=54.254 ms
PC2>

The IPSEC tunnel is now established from lahoregw1 to karacf3. Because the BGP session between karachigw1 and karair3 went down with the interface, the prepended 20.20.20.1/32 from lahoregw1 is now the only path the PEs have to the peer address, so karacf3 reaches the same peer 20.20.20.1 via Lahore without any change on the firewall:

lahoregw1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.236.7.171    20.20.20.1      QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
lahoregw1#

lahoregw1#sh crypto ipsec sa
interface: FastEthernet0/0.117
    Crypto map tag: ptclmap, local addr 20.20.20.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.144.58.0/255.255.255.0/0/0)
   current_peer 10.236.7.171 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.171
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.117
     current outbound spi: 0xECAD4797(3970779031)
     inbound esp sas:
      spi: 0x58990255(1486422613)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4456251/3550)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xECAD4797(3970779031)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4456251/3550)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.179
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.117
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (141.97.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.144.58.0/255.255.255.0/0/0)
   current_peer 10.236.7.171 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.171
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.117
     current outbound spi: 0x4D6F843E(1299153982)
     inbound esp sas:
      spi: 0xBCC92296(3167298198)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4531967/3532)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4D6F843E(1299153982)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4531967/3532)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.179
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.117
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas: 
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
lahoregw1#  



karacf3# sh crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 20.20.20.1
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 
There are no IKEv2 SAs

karacf3#

Now bring back the interfaces on the karachigw1 router and let’s discuss the procedure to invoke the DR cloud firewall.

Once the customer environment in the primary cloud is lost for any reason and the customer cannot reach the network 10.144.58.0/24, the ISP or cloud provider is responsible for recovering the protected machines in the DR cloud. Since the protected machines are recovered in the DR cloud with the same IP addressing, no changes are required at the customer end; it only requires the ISP or cloud provider to recover them as per the SLA agreed between the customer and the ISP.

So the procedure would go like this.

  1. I will shut down the karacf3 firewall so that it loses its BGP peering with PE karair3 inside vpn12725, which effectively isolates it. This simulates the primary cloud failure.
  2. This will cause the customer’s primary gateway karachigw1 to change to HSRP Standby, since object tracking and IP SLA 1 monitor 10.236.7.171 and track 3 decrements the HSRP priority from 120 to 90, below lahoregw1’s default of 100.
  3. I will also shut down interface Loopback0 on karachigw1, because PE karair3 is still learning 20.20.20.1/32 from karachigw1: the BGP peering between karachigw1 and karair3 is intact, and that unprepended advertisement is still preferred over lahoregw1’s prepended one. Shutting Loopback0 withdraws the /32, which allows the IPSEC tunnel to be established between lahoregw1 and lahorcf3 in this situation.
  4. Traffic from the customer’s LANs in Lahore and Karachi will take the following paths:

PC1 > ESW1 > R1 > SW1 > SW2 > lahoregw1 > Lahoris4 >  lahorir3 > lahorcf3> Service-vlan103 10.144.58.2/24

PC2 > ESW2 > R2 > SW2 > lahoregw1 > lahoris4 >  lahorir3 > lahorcf3> Service-vlan103 10.144.58.2/24
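Step 3 above is a manual action: HSRP tracking demotes karachigw1, but nothing withdraws its loopback advertisement, so the PE keeps preferring the unprepended 20.20.20.1/32 from karachigw1 and the firewalls keep trying that path. The following is an added example, not from the original tutorial, of two Embedded Event Manager applets on karachigw1 that shut and re-enable Loopback0 when track object 3 (IP SLA 1 to karacf3 AND IP SLA 2 to the LAN VIP) changes state, so that the BGP advertisement of 20.20.20.1/32 follows the same object that already drives the HSRP decrement. The applet names are mine; the track number and interface are the ones configured earlier on this page, and I assume an IOS release whose EEM supports the `event track` detector.

```cisco
! karachigw1: withdraw 20.20.20.1/32 from BGP when track 3 (sla 1 AND sla 2) goes down
event manager applet WITHDRAW-LOOPBACK
 event track 3 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Loopback0"
 action 4.0 cli command "shutdown"
 action 5.0 syslog msg "track 3 down: Loopback0 shut, 20.20.20.1/32 withdrawn from BGP"
!
! ...and re-advertise it once track 3 comes back up; the delay up 10 on tracks 1 and 2 damps flaps
event manager applet RESTORE-LOOPBACK
 event track 3 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Loopback0"
 action 4.0 cli command "no shutdown"
 action 5.0 syslog msg "track 3 up: Loopback0 restored, 20.20.20.1/32 re-advertised"
```

With this in place the DR procedure reduces to the provider shutting karacf3 and recovering the protected machines behind lahorcf3: IP SLA 1 on karachigw1 fails, track 3 goes down, HSRP moves to lahoregw1 and the applet removes the unprepended /32, leaving lahoregw1's prepended advertisement as the only route to the IPSEC peer address. When karacf3 returns, track 3 comes back up, the loopback is restored and, with HSRP preempt on karachigw1, the tunnel moves back to the primary path; `show track 3` and `show ip bgp 20.20.20.1` on the PE are the two things to check at each step. Shutting the loopback on the standby gateway is harmless because `crypto map ptclmap local-address Loopback0` is only used when that router is forwarding customer traffic.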

Let’s ping from both PC1 and PC2 and check the IPSEC tunnel status in cloud and customer environment:

PC1> ping 10.144.58.2
10.144.58.2 icmp_seq=1 timeout
84 bytes from 10.144.58.2 icmp_seq=2 ttl=62 time=58.001 ms
84 bytes from 10.144.58.2 icmp_seq=3 ttl=62 time=59.092 ms
^C

PC1> sh
NAME   IP/MASK              GATEWAY           MAC                LPORT  RHOST:PORT
PC1    141.97.1.10/16       141.97.1.1        00:50:79:66:68:04  10092  127.0.0.1:10093
       fe80::250:79ff:fe66:6804/64
PC1> 

lahoregw1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.236.7.179    20.20.20.1      QM_IDLE           1005    0 ACTIVE
IPv6 Crypto ISAKMP SA


lahoregw1#
lahoregw1#sh crypto ipsec sa
interface: FastEthernet0/0.117
    Crypto map tag: ptclmap, local addr 20.20.20.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.144.58.0/255.255.255.0/0/0)
   current_peer 10.236.7.179 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.171
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.117
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.179
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.117
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (141.97.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.144.58.0/255.255.255.0/0/0)
   current_peer 10.236.7.179 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.171
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.117
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.179
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.117
     current outbound spi: 0xA620859(174196825)
     inbound esp sas:
      spi: 0x5AFAF123(1526395171)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: SW:13, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4598244/3535)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xA620859(174196825)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: SW:14, crypto map: ptclmap
        sa timing: remaining key lifetime (k/sec): (4598244/3535)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
lahoregw1#

So we have successfully tested the DR Cloud as well, and everything seems to be working as per design.
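As an added check (example code, not part of the original post), the Python below parses output like the "sh crypto ipsec sa" dump above into one record per protected flow and reports flows that have no live SA with any peer (outbound SPI 0x0), flows that encrypt but never decrypt, and SAs negotiated with legacy transforms such as esp-3des and esp-md5-hmac. The sample output is a constructed, trimmed copy of the dump above; the parser relies only on the field labels IOS prints.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the "sh crypto ipsec sa" output above.
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0.117
    Crypto map tag: ptclmap, local addr 20.20.20.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.144.58.0/255.255.255.0/0/0)
   current_peer 10.236.7.179 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 5, #recv errors 0
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.171
     current outbound spi: 0x0(0)
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.179
     current outbound spi: 0x0(0)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (141.97.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.144.58.0/255.255.255.0/0/0)
   current_peer 10.236.7.179 port 500
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
    #send errors 7, #recv errors 0
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.171
     current outbound spi: 0x0(0)
     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 10.236.7.179
     current outbound spi: 0xA620859(174196825)
     inbound esp sas:
      spi: 0x5AFAF123(1526395171)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0xA620859(174196825)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""

# Transforms that current guidance (e.g. Cisco's NGE recommendations) classes as legacy.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


@dataclass
class Flow:
    """One protected flow (one crypto ACL entry) and the SAs negotiated for it."""
    local_ident: str
    remote_ident: str = ""
    current_peer: str = ""
    pkts_encaps: int = 0
    pkts_decaps: int = 0
    peer_spi: dict = field(default_factory=dict)   # remote endpoint -> outbound SPI
    transforms: set = field(default_factory=set)
    active_sas: int = 0


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into Flow records."""
    flows, cur, pending_peer = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"local\s+ident \(addr/mask/prot/port\): \((.+)\)", line)
        if m:                                   # a new flow starts at its local ident
            cur = Flow(local_ident=m.group(1))
            flows.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"remote ident \(addr/mask/prot/port\): \((.+)\)", line):
            cur.remote_ident = m.group(1)
        elif m := re.match(r"current_peer (\S+)", line):
            cur.current_peer = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur.pkts_encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur.pkts_decaps = int(m.group(1))
        elif m := re.search(r"remote crypto endpt\.: (\S+)", line):
            pending_peer = m.group(1)           # the SPI line that follows belongs to this peer
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
            if pending_peer:
                cur.peer_spi[pending_peer] = int(m.group(1), 16)
        elif m := re.match(r"transform: (.+?)\s*,?$", line):
            cur.transforms.update(m.group(1).split())
        elif line == "Status: ACTIVE":
            cur.active_sas += 1
    return flows


def audit_flows(flows):
    """Return (flow label, finding) pairs for conditions worth a look."""
    findings = []
    for f in flows:
        label = f"{f.local_ident} -> {f.remote_ident}"
        live = [peer for peer, spi in f.peer_spi.items() if spi != 0]
        if not live:
            findings.append((label, "no active SA with any peer (outbound SPI 0x0)"))
        elif len(live) > 1:
            findings.append((label, "active SAs with more than one peer: " + ", ".join(live)))
        if f.pkts_encaps and not f.pkts_decaps:
            findings.append((label, "one-way traffic: packets encrypted but none decrypted"))
        weak = sorted(f.transforms & LEGACY_TRANSFORMS)
        if weak:
            findings.append((label, "legacy transform(s) in use: " + " ".join(weak)))
    return findings


if __name__ == "__main__":
    for label, msg in audit_flows(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(f"{label}: {msg}")
```

On the sample this reports the 192.168.1.0/24 flow as having no SA at all (only the 141.97.0.0/16 flow has traffic on it, exactly as in the dump above) and flags the 3DES/MD5 transform set on the live SA; the "more than one peer" case never fires here because only one of the two configured peers has a non-zero SPI.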

Let’s also verify the R1 & R2 failover scenario. R1 is the Active HSRP router at the moment, while R2 is Standby:

R1#
*Mar  1 00:00:20.819: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Standby -> Active
R1#
R2#
*Mar  1 00:00:26.755: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Speak -> Standby
R2#

I am going to shut down the R1 interface Fa2/0 so that R1 will change its status to Standby. After doing that we should still be able to ping the HSRP VIP address of gateway routers karachigw1 and lahoregw1:

R1#sh standby brief 
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa2/0       1    120 P Active  local           172.168.1.6     172.168.1.4
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa2/0
R1(config-if)#sh
R1(config-if)#
*Mar  1 00:06:38.659: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Active -> Init
*Mar  1 00:06:38.759: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.168.1.6 (FastEthernet2/0) is down: interface down
R1(config-if)#
*Mar  1 00:06:40.671: %LINK-5-CHANGED: Interface FastEthernet2/0, changed state to administratively down
*Mar  1 00:06:41.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to down
R1(config-if)#
R2#
*Mar  1 00:06:28.571: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Standby -> Active
R2#
*Mar  1 00:06:42.995: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.168.1.5 (FastEthernet2/0) is down: holding time expired
R2#

 

Let’s PING the HSRP VIP address 172.168.1.1:

PC1 : 141.97.1.10 255.255.0.0 gateway 141.97.1.1
PC1> ping 172.168.1.1
172.168.1.1 icmp_seq=1 timeout
84 bytes from 172.168.1.1 icmp_seq=2 ttl=252 time=44.984 ms
84 bytes from 172.168.1.1 icmp_seq=3 ttl=252 time=50.125 ms
84 bytes from 172.168.1.1 icmp_seq=4 ttl=252 time=77.711 ms
84 bytes from 172.168.1.1 icmp_seq=5 ttl=252 time=71.789 ms
PC1>

 

This is also working as expected.
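Added example (not from the original post): a small parser for the %HSRP-5-STATECHANGE syslog lines shown above that keeps the last state of every router per group and checks that exactly one router ends up Active, which is the invariant the failover test is really verifying. The log lines are constructed from the console output above and tagged with the router they came from; because R1 and R2 keep independent clocks (their timestamps above do not agree), events are ordered as collected, not by timestamp.

```python
import re
from collections import defaultdict

# %HSRP-5-STATECHANGE: <interface> Grp <n> state <old> -> <new>
HSRP_RE = re.compile(
    r"\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %HSRP-5-STATECHANGE: "
    r"(?P<intf>\S+) Grp (?P<grp>\d+) state (?P<old>\w+) -> (?P<new>\w+)"
)

# Constructed sample: (router, syslog line) pairs modelled on the console output above.
SAMPLE_LOG = [
    ("R1", "*Mar  1 00:00:20.819: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Standby -> Active"),
    ("R2", "*Mar  1 00:00:26.755: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Speak -> Standby"),
    ("R1", "*Mar  1 00:06:38.659: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Active -> Init"),
    ("R1", "*Mar  1 00:06:38.759: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.168.1.6 (FastEthernet2/0) is down: interface down"),
    ("R2", "*Mar  1 00:06:28.571: %HSRP-5-STATECHANGE: FastEthernet2/0 Grp 1 state Standby -> Active"),
]


def parse_hsrp_events(log):
    """Keep only HSRP state changes; other syslog lines (EIGRP, LINK, ...) are ignored."""
    events = []
    for router, line in log:
        m = HSRP_RE.search(line)
        if m:
            events.append({"router": router, "ts": m["ts"], "intf": m["intf"],
                           "grp": int(m["grp"]), "old": m["old"], "new": m["new"]})
    return events


def final_states(events):
    """Last known HSRP state per (group, router), in collection order
    (per-router clocks are not comparable, so timestamps are not used for ordering)."""
    state = {}
    for e in events:
        state[(e["grp"], e["router"])] = e["new"]
    return state


def check_single_active(events):
    """Return ({grp: [routers Active at end of log]}, [problems])."""
    active = defaultdict(list)
    for (grp, router), st in final_states(events).items():
        if st == "Active":
            active[grp].append(router)
    problems = []
    for grp in sorted({e["grp"] for e in events}):
        n = len(active[grp])
        if n == 0:
            problems.append(f"Grp {grp}: no Active router (VIP unreachable)")
        elif n > 1:
            problems.append(f"Grp {grp}: split-brain, Active on " + ", ".join(active[grp]))
    return dict(active), problems


def count_activations(events, router):
    """Number of transitions into Active for one router; a high count over a short
    window means the group is flapping rather than failing over once."""
    return sum(1 for e in events if e["router"] == router and e["new"] == "Active")


if __name__ == "__main__":
    ev = parse_hsrp_events(SAMPLE_LOG)
    print(check_single_active(ev))
```

Feeding the same function a log in which R2 goes Active while R1 has not left Active (for instance when the hello path between them is broken but both interfaces are up) yields a "split-brain" problem for the group, which is the case a ping to the VIP alone would not reveal.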


Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS and Cisco – Part-4

You can see the previous tutorial Part-3 of this design series to understand the work I have done so far.

In this tutorial, I am going to add vpn12745 at both the lahorir3 and karair3 PE routers. This is a stretched VPN, so it needs to be configured on both PEs, lahorir3 & karair3. vpn12745 will host incoming routes from the subnets behind the virtual data centre firewalls. I will use eBGP between the karacf3/lahorcf3 Cisco ASAv firewalls and the karair3/lahorir3 PE routers in vpn12745 to allow the customer’s offices to reach their subnets in their virtual cloud hosted in the Karachi and Lahore data centres.

I will add a 2nd VPN, vpn12725, at both PE routers (karair3/lahorir3). This is again a stretched VPN and will carry incoming routes from two different locations of the customer’s office (the PTCL Karachi and Lahore offices). These customer offices are connected via a WAN link provider to the PE routers (karair3/lahorir3). The customer uses their routers (lahoregw1 and karachigw1) to establish eBGP connectivity to these PE routers (karair3/lahorir3) to reach their subnets in the virtual clouds dc-lahore/dc-karachi, hosted in the Karachi & Lahore data centres.

As part of adding the above two VPNs, I will also leak routes between them (vpn12725 and vpn12745) and filter the routes passing via these two VPNs.

Final Topology

 

LAN users in the customer’s offices in Lahore & Karachi will be connected to the Layer-3 Ethernet switches (ESW1 & ESW2). I am using 3700 series switches in this design. R1 & R2 will provide failover protection, hence HSRP will be used between R1 & R2. Similarly, gateway routers karachigw1 & lahoregw1 will also provide failover protection and run HSRP between them.

Once configured, the customer’s routers lahoregw1/karachigw1 should be able to ping the relevant firewall interfaces in their data centres: karacf3 (dc-karachi, interface service, VLAN 102) and lahorcf3 (dc-lahore, interface service, VLAN 103).

So I will go through the following steps to build further, as discussed above.

  1. Add vpn12745 layer-3 VPN on karair3/lahorir3 and establish eBGP peering with the karair3/lahorir3 virtual data centre firewalls.

root@karair3> show configuration groups vpn12745 | display set 
set groups vpn12745 interfaces em3 unit 112 description vpn=12745
set groups vpn12745 interfaces em3 unit 112 vlan-id 112
set groups vpn12745 interfaces em3 unit 112 family inet address 10.236.7.169/29
set groups vpn12745 interfaces em3 unit 112 family mpls
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 0 then next term
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from interface em3.112
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then community add vpn12745
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 then preference 4
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 2 then reject
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 2 then reject
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12745 routing-instances vpn12745 description vpn=12745
set groups vpn12745 routing-instances vpn12745 instance-type vrf
set groups vpn12745 routing-instances vpn12745 interface em3.112
set groups vpn12745 routing-instances vpn12745 route-distinguisher 65000:12745
set groups vpn12745 routing-instances vpn12745 vrf-import vpn12745-import-vrf
set groups vpn12745 routing-instances vpn12745 vrf-export vpn12745-export-vrf
set groups vpn12745 routing-instances vpn12745 vrf-table-label
set groups vpn12745 routing-instances vpn12745 routing-options auto-export
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 type external
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 import vpn12745-import-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 authentication-key cisco123
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 export vpn12745-export-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 peer-as 65119
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 neighbor 10.236.7.171
root@lahorir3> show configuration groups vpn12745 | display set 
set groups vpn12745 interfaces em3 unit 113 description vpn=12745
set groups vpn12745 interfaces em3 unit 113 vlan-id 113
set groups vpn12745 interfaces em3 unit 113 family inet address 10.236.7.177/29
set groups vpn12745 interfaces em3 unit 113 family mpls
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 0 then next term
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from interface em3.113
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then community add vpn12745
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 then preference 4
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 2 then reject
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 2 then reject
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12745 routing-instances vpn12745 description vpn=12745
set groups vpn12745 routing-instances vpn12745 instance-type vrf
set groups vpn12745 routing-instances vpn12745 interface em3.113
set groups vpn12745 routing-instances vpn12745 route-distinguisher 65000:12745
set groups vpn12745 routing-instances vpn12745 vrf-import vpn12745-import-vrf
set groups vpn12745 routing-instances vpn12745 vrf-export vpn12745-export-vrf
set groups vpn12745 routing-instances vpn12745 vrf-table-label
set groups vpn12745 routing-instances vpn12745 routing-options auto-export
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 type external
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 import vpn12745-import-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 authentication-key cisco123
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 export vpn12745-export-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 peer-as 65119
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 neighbor 10.236.7.179

  2. Add vpn12725 layer-3 VPN on karair3/lahorir3 and establish eBGP peering with the customer’s routers karachigw1 and lahoregw1.

root@lahorir3> show configuration groups vpn12725 | display set    
set groups vpn12725 interfaces em0 vlan-tagging
set groups vpn12725 interfaces em0 unit 117 description vpn=12725
set groups vpn12725 interfaces em0 unit 117 vlan-id 117
set groups vpn12725 interfaces em0 unit 117 family inet address 19.19.19.1/29
set groups vpn12725 interfaces em0 unit 117 family mpls
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 0 then next term
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from interface em0.117
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then community add vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 then preference 4
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 2 then reject
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 2 then reject
set groups vpn12725 policy-options community vpn12725 members target:65000:12725
set groups vpn12725 policy-options community vpn12745 members target:65000:12745
set groups vpn12725 routing-instances vpn12725 description vpn=12725
set groups vpn12725 routing-instances vpn12725 instance-type vrf
set groups vpn12725 routing-instances vpn12725 interface em0.117
set groups vpn12725 routing-instances vpn12725 route-distinguisher 65000:12725
set groups vpn12725 routing-instances vpn12725 vrf-import vpn12725-import-vrf
set groups vpn12725 routing-instances vpn12725 vrf-export vpn12725-export-vrf
set groups vpn12725 routing-instances vpn12725 vrf-table-label
set groups vpn12725 routing-instances vpn12725 routing-options auto-export
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 type external
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 import vpn12725-import-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 authentication-key cisco123
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 export vpn12725-export-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 peer-as 65120
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 neighbor 19.19.19.2
root@karair3> show configuration groups vpn12725 | display set    
set groups vpn12725 interfaces em1 vlan-tagging
set groups vpn12725 interfaces em1 unit 116 description vpn=12725
set groups vpn12725 interfaces em1 unit 116 vlan-id 116
set groups vpn12725 interfaces em1 unit 116 family inet address 18.18.18.1/29
set groups vpn12725 interfaces em1 unit 116 family mpls
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 0 then next term
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from interface em1.116
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then community add vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 then preference 4
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 2 then reject
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 2 then reject
set groups vpn12725 policy-options community vpn12725 members target:65000:12725
set groups vpn12725 policy-options community vpn12745 members target:65000:12745
set groups vpn12725 routing-instances vpn12725 description vpn=12725
set groups vpn12725 routing-instances vpn12725 instance-type vrf
set groups vpn12725 routing-instances vpn12725 interface em1.116
set groups vpn12725 routing-instances vpn12725 route-distinguisher 65000:12725
set groups vpn12725 routing-instances vpn12725 vrf-import vpn12725-import-vrf
set groups vpn12725 routing-instances vpn12725 vrf-export vpn12725-export-vrf
set groups vpn12725 routing-instances vpn12725 vrf-table-label
set groups vpn12725 routing-instances vpn12725 routing-options auto-export
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 type external
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 import vpn12725-import-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 authentication-key cisco123
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 export vpn12725-export-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 peer-as 65120
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 neighbor 18.18.18.2 passive
  3. Customer aggregation switches karais3 and lahoris3 are configured as follows:
!
interface FastEthernet1/0
 description to_karair3:em1
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet1/1
 description to_karachigw1:f0/0
 switchport mode trunk
 duplex full
 speed 100
!
         
karais3#sh int trunk 
Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1
Fa1/1     on           802.1q         trunking      1
Port      Vlans allowed on trunk
Fa1/0     1-4094
Fa1/1     1-4094
Port      Vlans allowed and active in management domain
Fa1/0     1,116
Fa1/1     1,116
Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,116
Fa1/1     1,116
!
interface FastEthernet1/0
 description to_lahorir3:em0
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!         
interface FastEthernet1/1
 description to_lahoregw1:fa0/0
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!

lahoris3#sh int trunk 
Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1
Fa1/1     on           802.1q         trunking      1
Port      Vlans allowed on trunk
Fa1/0     1-1005
Fa1/1     1-1005
Port      Vlans allowed and active in management domain
Fa1/0     1,117
Fa1/1     1,117
Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,117
Fa1/1     1,117
  4. The customer-managed routers karachigw1/lahoregw1 in their offices in Karachi and Lahore are configured as follows:
karachigw1#

!
interface FastEthernet0/0.116
 description to_karair3
 encapsulation dot1Q 116
 ip address 18.18.18.2 255.255.255.248
!
!
router bgp 65120
 no synchronization
 bgp log-neighbor-changes
 network 18.18.18.0 mask 255.255.255.248
 neighbor 18.18.18.1 remote-as 65000
 neighbor 18.18.18.1 password cisco123
 neighbor 18.18.18.1 soft-reconfiguration inbound
 no auto-summary
!         
ip route 10.141.33.96 255.255.255.240 18.18.18.1
ip route 18.18.18.0 255.255.255.248 Null0
!
lahoregw1#
!
interface FastEthernet0/0.117
 description to_lahoris3
 encapsulation dot1Q 117
 ip address 19.19.19.2 255.255.255.248
!

router bgp 65120
 no synchronization
 bgp router-id 19.19.19.2
 bgp log-neighbor-changes
 network 19.19.19.0 mask 255.255.255.248
 neighbor 19.19.19.1 remote-as 65000
 neighbor 19.19.19.1 password cisco123
 neighbor 19.19.19.1 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
ip route 10.141.212.144 255.255.255.240 19.19.19.1
ip route 19.19.19.0 255.255.255.248 Null0
!

Now let’s try to ping from the karachigw1 and lahoregw1 customer-managed routers to the cloud firewall interfaces karacf3/lahorcf3 in dc-karachi & dc-lahore respectively.

lahoregw1#ping 10.236.7.179
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.236.7.179, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/12 ms
lahoregw1#
karachigw1#ping 10.236.7.171
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.236.7.171, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms
karachigw1#

We now have IP reachability from the customer’s offices in Lahore & Karachi to their dc-lahore & dc-karachi firewalls.
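Added example, not part of the original post: the route-target leaking between vpn12745 and vpn12725 in steps 1 and 2 is done entirely through the vrf-import/vrf-export policies and the community definitions, so it can be audited mechanically from the "display set" output. The Python below parses a constructed subset of the karair3 lines from steps 1 and 2 (the authentication-key line of group vpn12725 is deliberately left out of the sample to exercise that check), computes which VRF can see which, and reports CE-facing BGP groups whose import policy accepts every prefix or that have no authentication-key. The RULES regexes are an assumption about the "set ..." syntax shown on the page, not a Junos library.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the karair3 "display set" output from steps 1 and 2.
# The authentication-key of group vpn12725 is intentionally omitted here.
SAMPLE_CONFIG = """\
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then community add vpn12745
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 2 then reject
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12745 routing-instances vpn12745 vrf-import vpn12745-import-vrf
set groups vpn12745 routing-instances vpn12745 vrf-export vpn12745-export-vrf
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 import vpn12745-import-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 authentication-key cisco123
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 neighbor 10.236.7.171
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then community add vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 2 then reject
set groups vpn12725 policy-options community vpn12725 members target:65000:12725
set groups vpn12725 policy-options community vpn12745 members target:65000:12745
set groups vpn12725 routing-instances vpn12725 vrf-import vpn12725-import-vrf
set groups vpn12725 routing-instances vpn12725 vrf-export vpn12725-export-vrf
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 import vpn12725-import-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 neighbor 18.18.18.2 passive
"""

SET_RE = re.compile(r"^set groups \S+ (?P<body>.+)$")
RULES = {   # assumed patterns for the handful of "set" statements this audit needs
    "community":   re.compile(r"^policy-options community (\S+) members (\S+)"),
    "from_comm":   re.compile(r"^policy-options policy-statement (\S+) term (\S+) from community (\S+)"),
    "add_comm":    re.compile(r"^policy-options policy-statement (\S+) term (\S+) then community add (\S+)"),
    "term_from":   re.compile(r"^policy-options policy-statement (\S+) term (\S+) from "),
    "term_accept": re.compile(r"^policy-options policy-statement (\S+) term (\S+) then accept"),
    "vrf_import":  re.compile(r"^routing-instances (\S+) vrf-import (\S+)"),
    "vrf_export":  re.compile(r"^routing-instances (\S+) vrf-export (\S+)"),
    "bgp_group":   re.compile(r"^routing-instances (\S+) protocols bgp group (\S+) "),
    "ce_import":   re.compile(r"^routing-instances (\S+) protocols bgp group (\S+) import (\S+)"),
    "ce_auth":     re.compile(r"^routing-instances (\S+) protocols bgp group (\S+) authentication-key"),
}


def parse_junos_set(text):
    """Collect communities, policy terms and VRF/BGP bindings from 'display set' lines."""
    m = {"rt": {}, "from_comm": defaultdict(set), "add_comm": defaultdict(set),
         "term_from": defaultdict(set), "term_accept": defaultdict(set),
         "vrf_import": {}, "vrf_export": {}, "bgp_group": set(),
         "ce_import": {}, "ce_auth": set()}
    for line in text.splitlines():
        s = SET_RE.match(line.strip())
        if not s:
            continue
        for key, rx in RULES.items():          # a line may satisfy several rules
            g = rx.match(s["body"])
            if not g:
                continue
            a = g.groups()
            if key == "community":      m["rt"][a[0]] = a[1]
            elif key == "from_comm":    m["from_comm"][a[0]].add(a[2])
            elif key == "add_comm":     m["add_comm"][a[0]].add(a[2])
            elif key == "term_from":    m["term_from"][a[0]].add(a[1])
            elif key == "term_accept":  m["term_accept"][a[0]].add(a[1])
            elif key == "vrf_import":   m["vrf_import"][a[0]] = a[1]
            elif key == "vrf_export":   m["vrf_export"][a[0]] = a[1]
            elif key == "bgp_group":    m["bgp_group"].add((a[0], a[1]))
            elif key == "ce_import":    m["ce_import"][a[0]] = a[2]
            elif key == "ce_auth":      m["ce_auth"].add((a[0], a[1]))
    return m


def rt_matrix(m):
    """Per VRF: route targets attached on vrf-export and accepted by vrf-import."""
    rt = lambda c: m["rt"].get(c, c)
    exported = {v: {rt(c) for c in m["add_comm"][p]} for v, p in m["vrf_export"].items()}
    imported = {v: {rt(c) for c in m["from_comm"][p]} for v, p in m["vrf_import"].items()}
    return exported, imported


def leaks(m):
    """Sorted (src, dst) pairs where routes exported by src land in dst."""
    exported, imported = rt_matrix(m)
    return sorted((s, d) for s in exported for d in imported if exported[s] & imported[d])


def audit(m):
    findings = []
    exported, imported = rt_matrix(m)
    for vrf, rts in exported.items():
        if not rts & imported.get(vrf, set()):
            findings.append(f"{vrf}: vrf-import does not accept its own export RT; "
                            "the same VRF on another PE will not be learned")
    for vrf, pol in m["ce_import"].items():
        open_terms = m["term_accept"][pol] - m["term_from"][pol]   # accept with no match
        if open_terms:
            findings.append(f"{vrf}: CE import policy {pol} accepts every prefix the CE "
                            f"announces (term {','.join(sorted(open_terms))} has no match condition)")
    for vrf, grp in sorted(m["bgp_group"] - m["ce_auth"]):
        findings.append(f"{vrf}: eBGP group {grp} has no authentication-key")
    return findings


if __name__ == "__main__":
    model = parse_junos_set(SAMPLE_CONFIG)
    print(leaks(model))
    print("\n".join(audit(model)))
```

On the sample, the leak matrix comes out as vpn12725 seeing both VRFs and vpn12745 seeing only vpn12725, which is what the two vrf-import policies on the page express. The open-term check fires for vpn12725-import-ce (its term 1 accepts with no "from"), while vpn12745-import-ce, which accepts only the exact default route, passes.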

Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS and Cisco – Part-3

In this tutorial, I am going to explain the Cloud firewall configuration and connectivity in more detail.

Final Topology

 

  • Interface e1/0 (Gi0/0) on both firewalls is configured as a trunk interface carrying multiple VLANs via sub-interfaces, in the trusted zone, towards core switch karais3 fa1/0 and lahoris3 fa1/0.
  • Interface e2/0 (Gi0/1) on both firewalls is similarly configured with a sub-interface and placed in the untrusted zone, towards core switch karais3 fa1/2 and lahorcf3 fa1/2. This link will carry traffic to the internet.
  • Both firewalls are connected to the core switches (karais3 and lahoris3) on trunk ports fa1/2 and fa1/0 to carry multiple VLANs.
  • To test connectivity between the LAN interfaces behind the firewalls, I have placed a VPCS host named Service-vlan102 with IP address 10.141.33.98/28 in VLAN 102 on access port Fa1/14 of the karais3 switch at dc-karachi. Similarly, Service-vlan103 (10.141.212.147/28) is connected to lahoris3 switch port F1/14 at dc-lahore in VLAN 103. These two service machines are in the LAN subnets behind the cloud firewalls, for which we have also created static routes in our VPN configuration (vpn12729 and vpn12730). So ideally these two hosts should be able to ping each other.

Configuration of both Firewalls (karacf3 and lahorcf3) is below:

karacf3#
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif s2s
 security-level 100
 ip address 10.144.213.92 255.255.255.248 
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif service
 security-level 100
 ip address 10.141.33.97 255.255.255.240 
!
route s2s 10.141.212.144 255.255.255.240 10.144.213.90 1
route s2s 10.144.253.120 255.255.255.248 10.144.213.90 1
!

lahorcf3#

!
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif s2s
 security-level 100
 ip address 10.144.253.124 255.255.255.248 
!
interface GigabitEthernet0/0.103
 vlan 103
 nameif service
 security-level 100
 ip address 10.141.212.145 255.255.255.248 
!
route s2s 10.141.33.96 255.255.255.240 10.144.253.122 1
route s2s 10.144.213.88 255.255.255.248 10.144.253.122 1
!

To test connectivity between the Service-vlan102 & Service-vlan103 test machines in dc-karachi and dc-lahore, I performed the following tests:

  1. PING from karair3 VRF vpn12729 to the Firewall karacf3 interface 10.144.213.92/29 – testing okay.
  2. PING from karair3 VRF vpn12729 to the Firewall lahorcf3 interface 10.144.253.124/29 – testing okay.
  3. PING from karair3 VRF vpn12729 to Service-vlan102 test machine in Service VLAN 102 – IP address 10.141.33.98/28 – testing okay in dc-karachi.
  4. PING from Service-vlan102 test machine in Service VLAN 102 at dc-karachi to Service-vlan103 test machine in VLAN 103 at dc-lahore – testing okay.

NOTE:

If you are failing to ping between the test machines, check whether the PEs are receiving the next-hop information in their routing tables, and whether the Route Reflector has the next-hop information in its bgp.l3vpn.0 table as well. If you cannot PING even though the PEs have received the routes from the RR, this means they did not populate their vpn12730.inet.0 and vpn12729.inet.0 tables with next-hop information; hence no transport MPLS label was assigned. In that case the PING was being dropped at the Route Reflector due to the fact that the PE doesn’t know what the next hop is.

To fix it, you can try a few things:

  1. Add next-hop resolution via inet.0 or inet.3. Please check the Juniper documentation for Route Reflector next-hop resolution. You may only need this if your Route Reflector is not within the core. Please see the documentation from Juniper or search the internet for various resources.
  2. Make sure the MP-BGP peering between the PEs (karair3 and lahorir3) and the RR (pakcore) is sourced from loopback interfaces.
  3. Reboot the P and PE routers one by one and see if this makes a difference.

For our configuration, I am seeing the following routing table at the Route Reflector, which shows we have learned the routes from both PE routers for vpn12729 and vpn12730:

root@pakcore> show route table bgp.l3vpn.0 
bgp.l3vpn.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
65000:12729:10.141.33.96/28                
                   *[BGP/170] 00:03:09, localpref 100, from 1.1.1.1
                      AS path: I
                    > to 40.50.60.1 via em0.0, Push 16
65000:12729:10.144.213.88/29                
                   *[BGP/170] 00:03:09, localpref 100, from 1.1.1.1
                      AS path: I
                    > to 40.50.60.1 via em0.0, Push 16
65000:12730:10.141.212.144/28                
                   *[BGP/170] 00:03:05, localpref 100, from 3.3.3.3
                      AS path: I
                    > to 10.20.30.1 via em1.0, Push 16
65000:12730:10.144.253.120/29                
                   *[BGP/170] 00:03:05, localpref 100, from 3.3.3.3
                      AS path: I
                    > to 10.20.30.1 via em1.0, Push 16
root@pakcore>

If I look at the vpn12729 routing table on PE karair3, I now have two MPLS labels allocated to the routes we have learned from the remote DC. The inner label identifies the VPN in the MPLS core, and the top-level label is the MPLS transport label (LDP in our case).

root@karair3> show route table vpn12729.inet.0    
vpn12729.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.33.96/28    *[Static/5] 00:57:06
                    > to 10.144.213.92 via em3.100
10.141.212.144/28  *[BGP/170] 00:56:32, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
10.144.213.88/29   *[Direct/0] 00:57:06
                    > via em3.100
10.144.213.90/32   *[Local/0] 00:57:07
                      Local via em3.100
10.144.253.120/29  *[BGP/170] 00:56:32, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)

Since everything looks good in the routing table, I am getting PING responses from PE karair3 to the local LAN and also to the remote LAN.

root@lahorir3> ping routing-instance vpn12730 10.141.33.98 
PING 10.141.33.98 (10.141.33.98): 56 data bytes
64 bytes from 10.141.33.98: icmp_seq=0 ttl=64 time=12.530 ms
64 bytes from 10.141.33.98: icmp_seq=1 ttl=64 time=1.741 ms
64 bytes from 10.141.33.98: icmp_seq=2 ttl=64 time=11.981 ms
64 bytes from 10.141.33.98: icmp_seq=3 ttl=64 time=2.722 ms
64 bytes from 10.141.33.98: icmp_seq=4 ttl=64 time=2.423 ms
64 bytes from 10.141.33.98: icmp_seq=5 ttl=64 time=2.371 ms
^C
--- 10.141.33.98 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.741/5.628/12.530/4.698 ms
root@lahorir3>
root@lahorir3> ping routing-instance vpn12730 10.141.212.147  
PING 10.141.212.147 (10.141.212.147): 56 data bytes
64 bytes from 10.141.212.147: icmp_seq=0 ttl=64 time=1.855 ms
64 bytes from 10.141.212.147: icmp_seq=1 ttl=64 time=1.768 ms
64 bytes from 10.141.212.147: icmp_seq=2 ttl=64 time=1.350 ms
64 bytes from 10.141.212.147: icmp_seq=3 ttl=64 time=1.346 ms
^C
--- 10.141.212.147 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.346/1.580/1.855/0.234 ms
root@lahorir3>

We have Service LAN communication in place between the two VDCs. Both hosts in the Service LAN can PING each other.

Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS and Cisco – Part-2

In this section, I am going to add additional configuration to the existing service provider network which we built in Part-1. So let’s begin.

Assume that, as an IP/MPLS service provider, we also have two hosted data centres named dc-Karachi and dc-Lahore at the service provider’s locations in Karachi & Lahore. We need to connect both of these hosted DCs to the MPLS network via PE routers. These DCs may be VDCs or hosted as well, for example virtual firewalls, a Nexus 1000v switch and virtual machines hosting the customer’s database, application and web servers.

For simplicity, we assume the Service Provider’s Data Center in Karachi is hosting the dc-Karachi VDC and the Lahore Data Center is hosting dc-Lahore. To reach both of these hosted data centers, we have aggregation switches karais3/lahoris3 in Karachi/Lahore that connect the PE routers karair3/lahorir3 to the customer’s physical firewalls karacf3 and lahorcf3 in their hosted data center. We will create a trunk link between PE router karair3/lahorir3 and the aggregation switch to carry the customer’s VLAN. We will also connect the customer’s hosted physical firewalls to one of the ports on the aggregation switches.

So our network design would look like following:

Final Topology


Based on the above design, in this tutorial I am only focusing on the following tasks:

  1. Add layer3 VPN vpn12729 at karair3 and vpn12730 at lahorir3. These two VPNs will overlap each other and carry the data we need to replicate from the primary dc-karachi to the secondary dc-lahore. 
  2. Configure the aggregation switches karais3 and lahoris3.
  3. Configure the dc-karachi ASAv firewall karacf3 and the dc-lahore ASAv firewall lahorcf3 so that they can ping the PE router.

Task – 1:

Create two layer3 VPNs, one at each DC, as follows. At lahorir3 create the layer3 VPN named vpn12730:

I am creating vpn12730 at the lahorir3 PE router and using the IP connector block 10.144.253.120/29 in VLAN 101 to identify this VPN in the IP/MPLS core.

set groups vpn12730 interfaces em3 vlan-tagging
set groups vpn12730 interfaces em3 unit 101 description vpn=12730
set groups vpn12730 interfaces em3 unit 101 vlan-id 101
set groups vpn12730 interfaces em3 unit 101 family inet address 10.144.253.122/29
set groups vpn12730 interfaces em3 unit 101 family mpls
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 0 then next term
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 from protocol direct
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 from protocol static
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 from protocol bgp
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 from interface em3.101
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 then community add vpn12730
set groups vpn12730 policy-options policy-statement vpn12730-export-vrf term 1 then accept
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 0 from protocol direct
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 0 then preference 4
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from protocol direct
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from protocol static
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from protocol bgp
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 from community vpn12729
set groups vpn12730 policy-options policy-statement vpn12730-import-vrf term 1 then accept
set groups vpn12730 policy-options community vpn12730 members target:65000:12730
set groups vpn12730 policy-options community vpn12729 members target:65000:12729
set groups vpn12730 routing-instances vpn12730 description vpn=12730
set groups vpn12730 routing-instances vpn12730 instance-type vrf
set groups vpn12730 routing-instances vpn12730 interface em3.101
set groups vpn12730 routing-instances vpn12730 route-distinguisher 65000:12730
set groups vpn12730 routing-instances vpn12730 vrf-import vpn12730-import-vrf
set groups vpn12730 routing-instances vpn12730 vrf-export vpn12730-export-vrf
set groups vpn12730 routing-instances vpn12730 vrf-table-label
set groups vpn12730 routing-instances vpn12730 routing-options static route 10.141.212.144/28 next-hop 10.144.253.124
set groups vpn12730 routing-instances vpn12730 routing-options auto-export
set apply-groups vpn12730

At karair3 create the layer3 VPN named vpn12729:

I am creating vpn12729 at the karair3 PE router and using the IP connector block 10.144.213.88/29 in VLAN 100 to identify this VPN in the IP/MPLS core.

set groups vpn12729 interfaces em3 vlan-tagging
set groups vpn12729 interfaces em3 unit 100 description vpn-12729
set groups vpn12729 interfaces em3 unit 100 vlan-id 100
set groups vpn12729 interfaces em3 unit 100 family inet address 10.144.213.90/29
set groups vpn12729 interfaces em3 unit 100 family mpls
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 0 then next term
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 from protocol direct
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 from protocol static
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 from protocol bgp
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 from interface em3.100
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 then community add vpn12729
set groups vpn12729 policy-options policy-statement vpn12729-export-vrf term 1 then accept
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 0 from protocol direct
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 0 then preference 4
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from protocol direct
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from protocol static
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from protocol bgp
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 from community vpn12730
set groups vpn12729 policy-options policy-statement vpn12729-import-vrf term 1 then accept
set groups vpn12729 policy-options community vpn12730 members target:65000:12730
set groups vpn12729 policy-options community vpn12729 members target:65000:12729
set groups vpn12729 routing-instances vpn12729 description vpn=12729
set groups vpn12729 routing-instances vpn12729 instance-type vrf
set groups vpn12729 routing-instances vpn12729 interface em3.100
set groups vpn12729 routing-instances vpn12729 route-distinguisher 65000:12729
set groups vpn12729 routing-instances vpn12729 vrf-import vpn12729-import-vrf
set groups vpn12729 routing-instances vpn12729 vrf-export vpn12729-export-vrf
set groups vpn12729 routing-instances vpn12729 vrf-table-label
set groups vpn12729 routing-instances vpn12729 routing-options static route 10.141.33.96/28 next-hop 10.144.213.92
set groups vpn12729 routing-instances vpn12729 routing-options auto-export
set apply-groups vpn12729

Since the policies above import vpn12729’s routes into vpn12730 and vpn12730’s routes into vpn12729, creating an overlap between the two, the routing tables of both vpn12729 and vpn12730 should now contain each other’s routes, including the 10.141.33.96/28 and 10.141.212.144/28 networks that sit behind the dc-karachi and dc-lahore firewalls respectively.

root@karair3> show route table vpn12729.inet.0 
vpn12729.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.33.96/28    *[Static/5] 00:17:34
                    > to 10.144.213.92 via em3.100
10.141.212.144/28  *[BGP/170] 00:16:56, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
10.144.213.88/29   *[Direct/0] 00:17:34
                    > via em3.100
10.144.213.90/32   *[Local/0] 00:17:35
                      Local via em3.100
10.144.253.120/29  *[BGP/170] 00:16:56, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 40.50.60.2 via em0.0, Push 16, Push 299792(top)
root@karair3>
root@lahorir3> show route table vpn12730.inet.0 
vpn12730.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.141.33.96/28    *[BGP/170] 00:18:50, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 10.20.30.2 via em1.0, Push 16, Push 299776(top)
10.141.212.144/28  *[Static/5] 00:19:21
                    > to 10.144.253.124 via em3.101
10.144.213.88/29   *[BGP/170] 00:18:50, localpref 100, from 2.2.2.2
                      AS path: I
                    > to 10.20.30.2 via em1.0, Push 16, Push 299776(top)
10.144.253.120/29  *[Direct/0] 00:19:21
                    > via em3.101
10.144.253.122/32  *[Local/0] 00:19:23
                      Local via em3.101
root@lahorir3>

So far we can see that both PE routers have routes from vpn12729 and vpn12730 as seen above. Let’s move on to the next task.
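To make the route-target overlap above concrete, here is an added example (my own Python, not configuration or tooling from the tutorial) that models the vrf-export and vrf-import policies of vpn12729 and vpn12730 and computes which prefixes each VRF ends up holding. The VRF names, prefixes and targets are the ones on the page; the policy model is a simplification of Junos, and the third VRF vpn-other with target:65000:999 is a hypothetical unrelated customer added to show that a VRF whose import policy does not name a DC target sees none of the DC prefixes. The security point is that the import policy is the boundary: a VRF leaks exactly the prefixes whose route targets its import terms accept, so an extra community in an import policy is a route leak.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    protocol: str                      # "direct", "static" or "bgp" (as matched in the policies)
    origin_vrf: str
    communities: frozenset = frozenset()


@dataclass
class Vrf:
    name: str
    local_routes: list                 # learned locally: connector block (direct) + DC LAN (static)
    export_target: str                 # community added by "vrf-export ... then community add"
    import_targets: set                # communities matched by "vrf-import ... from community"
    table: dict = field(default_factory=dict)


def export_vrf(vrf):
    """vrf-export term 1: direct/static/bgp routes leave as VPNv4 routes tagged with the VRF's target."""
    return [Route(r.prefix, "bgp", vrf.name, frozenset({vrf.export_target}))
            for r in vrf.local_routes if r.protocol in {"direct", "static", "bgp"}]


def import_vrf(vrf, advertised):
    """vrf-import: term 0 keeps local direct routes preferred; term 1 accepts a VPNv4
    route only if it carries one of this VRF's import targets."""
    vrf.table = {r.prefix: r for r in vrf.local_routes}
    for r in advertised:
        if r.origin_vrf == vrf.name:
            continue                   # a PE does not re-import what it exported itself
        if r.communities & vrf.import_targets and r.prefix not in vrf.table:
            vrf.table[r.prefix] = r


def build_tables(vrfs):
    """Return {vrf: {prefix: protocol}} after every VRF has exported to the route reflector
    and imported from it, i.e. what 'show route table <vrf>.inet.0' should list."""
    advertised = [r for v in vrfs for r in export_vrf(v)]   # the RR carries all VPNv4 routes
    for v in vrfs:
        import_vrf(v, advertised)
    return {v.name: {str(p): r.protocol for p, r in v.table.items()} for v in vrfs}


def page_vrfs():
    """The two VRFs as configured on karair3 and lahorir3 in Task 1."""
    return [
        Vrf("vpn12729",
            [Route(IPv4Network("10.144.213.88/29"), "direct", "vpn12729"),
             Route(IPv4Network("10.141.33.96/28"), "static", "vpn12729")],
            "target:65000:12729", {"target:65000:12730"}),
        Vrf("vpn12730",
            [Route(IPv4Network("10.144.253.120/29"), "direct", "vpn12730"),
             Route(IPv4Network("10.141.212.144/28"), "static", "vpn12730")],
            "target:65000:12730", {"target:65000:12729"}),
    ]


def unrelated_vrf():
    """Hypothetical third customer VRF on the same PEs (constructed); it must see no DC prefix."""
    return Vrf("vpn-other",
               [Route(IPv4Network("192.0.2.0/29"), "direct", "vpn-other")],
               "target:65000:999", {"target:65000:999"})


if __name__ == "__main__":
    for name, table in build_tables(page_vrfs() + [unrelated_vrf()]).items():
        print(name)
        for prefix, proto in sorted(table.items(), key=lambda kv: IPv4Network(kv[0])):
            print(f"  {prefix:<20} {proto}")
```

Running it lists four prefixes per DC VRF (two local, two learned as bgp), matching the two show route outputs above, and only its own connector block for vpn-other. Changing vpn-other’s import_targets to include target:65000:12729 is the quickest way to see how a single misplaced community pulls the DC prefixes into a foreign VRF.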

Task – 2:

Configure the aggregation switches karais3 and lahoris3 as follows. The configuration of karais3 is given below; the lahoris3 configuration is similar but of course uses VLAN 101.

!
interface FastEthernet1/0
description to_Firewall
switchport access vlan 100
no ip address
duplex full
speed 100
!
!
interface FastEthernet1/1
description to_PE
switchport mode trunk
no ip address
!

Task – 3:

Configure the karacf3 firewall with IP address 10.144.213.92/29 to connect to vpn12729 at PE karair3, and configure the lahorcf3 firewall with IP address 10.144.253.124/29 to connect to vpn12730 configured at lahorir3. This is how both ASA firewalls are configured:

karacf3#
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif s2s
 security-level 100
 ip address 10.144.213.92 255.255.255.248 
!
lahorcf3#
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif s2s
 security-level 100
 ip address 10.144.253.124 255.255.255.248 
!


I can ping the logical interface of PE router from karacf3 IP 10.141.213.92 to its gateway 10.141.213.90 in vpn12729.

Similarly, the lahorcf3 firewall can also ping from its IP address 10.144.253.124/29 to its gateway 10.144.253.122/29 in vpn12730.

Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS/Cisco – Part-1

In this tutorial, I am going to build an MPLS core network using GNS3/Virtualbox and JUNOS Olive. Once completed, we will look into adding different features to implement the Active/Standby Data Center design.

The first step is to have your IGP running. I am using OSPF in this design. I will use LDP for label distribution and MP-BGP for VPNv4 route exchange.

So let’s begin with following steps:

1. Create three virtual machines by importing Olive into Virtualbox. I am using the Olive12.1R1.9 Virtualbox image. These three machines will serve as two PE routers and one P router, for simplicity. 

part-1-1

2. Now import these machines into GNS3. The GNS3 settings are the same for all three machines. I am showing the GNS3 settings of one machine below:

part-1-2

3. Place all three machines in GNS3 and connect them together as shown below. I have named the PE routers karair3 and lahorir3, while the P router is named pakcore.

part-1-3

The pakcore router is acting as our P router and also as the Route Reflector. We have two PE routers, karair3 and lahorir3. I will create MP-BGP sessions from karair3 and lahorir3 to the route reflector pakcore to exchange VPNv4 routes.

4. Power on all three machines. Once the machines are up, you will be prompted to log in. Use root as the username and press Enter to get into the machine.

5. Configure the PE (karair3 and lahorir3) and P (pakcore) routers as follows:

PE router karair3:

set system host-name karair3
set system time-zone Asia/Karachi
set system root-authentication encrypted-password "$Q.sdT9$aXZnvHSVyTzUM5Wt/B85V."
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 40.50.60.1/30
set interfaces em0 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set interfaces lo0 unit 0 family mpls
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 65000
set routing-options resolution
set protocols mpls interface em0.0      
set protocols mpls interface lo0.0
set protocols mpls interface em1.0
set protocols mpls interface em2.0
set protocols mpls interface em3.0
set protocols bgp group mp-bgp-internal type internal
set protocols bgp group mp-bgp-internal local-address 1.1.1.1
set protocols bgp group mp-bgp-internal family inet-vpn unicast
set protocols bgp group mp-bgp-internal neighbor 2.2.2.2 description to_pakcore
set protocols ospf area 0.0.0.0 interface em0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ldp interface em0.0
set protocols ldp interface lo0.0

PE router lahorir3:

set system host-name lahorir3
set system time-zone Asia/Karachi
set system root-authentication encrypted-password "$1$m5bIr1x7nN50Fitn/"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em1 unit 0 family inet address 10.20.30.1/30
set interfaces em1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
set interfaces lo0 unit 0 family mpls
set routing-options router-id 3.3.3.3
set routing-options autonomous-system 65000
set routing-options resolution
set protocols mpls interface em1.0      
set protocols mpls interface lo0.0
set protocols mpls interface em3.0
set protocols mpls interface em2.0
set protocols mpls interface em0.0
set protocols bgp group mp-bgp-internal type internal
set protocols bgp group mp-bgp-internal local-address 3.3.3.3
set protocols bgp group mp-bgp-internal family inet-vpn unicast
set protocols bgp group mp-bgp-internal neighbor 2.2.2.2 description to_pakcore
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface em1.0 interface-type p2p
set protocols ldp interface em1.0
set protocols ldp interface lo0.0

P router pakcore:

set version 12.1R1.9
set system host-name pakcore
set system time-zone Asia/Karachi
set system root-authentication encrypted-password "$1$F.STYfO4GkMRpg9b1"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 40.50.60.2/30
set interfaces em0 unit 0 family mpls
set interfaces em1 unit 0 family inet address 10.20.30.2/30
set interfaces em1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
set interfaces lo0 unit 0 family mpls
set routing-options router-id 2.2.2.2
set routing-options autonomous-system 65000
set routing-options resolution
set protocols mpls interface em0.0
set protocols mpls interface em1.0
set protocols mpls interface lo0.0
set protocols bgp group mp-bgp-internal type internal
set protocols bgp group mp-bgp-internal local-address 2.2.2.2
set protocols bgp group mp-bgp-internal family inet-vpn unicast
set protocols bgp group mp-bgp-internal cluster 2.2.2.2
set protocols bgp group mp-bgp-internal neighbor 1.1.1.1 description to_karair3
set protocols bgp group mp-bgp-internal neighbor 3.3.3.3 description to_lahorir3
set protocols ospf area 0.0.0.0 interface em0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface em1.0 interface-type p2p
set protocols ldp interface em0.0
set protocols ldp interface em1.0
set protocols ldp interface lo0.0

6. Verify basic functionality from the core P router:

root@pakcore> show ldp neighbor 
Address            Interface          Label space ID         Hold time
40.50.60.1         em0.0              1.1.1.1:0                11
10.20.30.1         em1.0              3.3.3.3:0                11

root@pakcore> show mpls interface 
Interface        State       Administrative groups (x: extended)
em0.0            Up         
em1.0            Up         
lo0.0            Up         

root@pakcore> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
40.50.60.1       em0.0                  Full      1.1.1.1          128    33
10.20.30.1       em1.0                  Full      3.3.3.3          128    35
root@pakcore>        

root@pakcore> show ldp interface 
Interface            Label space ID        Nbr count   Next hello
em0.0                2.2.2.2:0                1           1
em1.0                2.2.2.2:0                1           2
lo0.0                2.2.2.2:0                0           0
root@pakcore>
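The two neighbour tables above are what you would check by eye after every change to the core, so here is an added example (my own Python, not part of the tutorial) that parses `show ospf neighbor` and `show ldp neighbor` output from pakcore and compares it with the expected PE list. The sample outputs are copied from the verification above; the helper names (parse_ospf_neighbors, parse_ldp_neighbors, check_core) and the EXPECTED table are my own. Besides catching a missing or non-Full adjacency, it flags any router-id that is not in the expected list, which is the first sign of an unplanned device speaking OSPF or LDP into the core.

```python
# Sample output copied from the pakcore verification above (constructed test input).
OSPF_SAMPLE = """\
Address          Interface              State     ID               Pri  Dead
40.50.60.1       em0.0                  Full      1.1.1.1          128    33
10.20.30.1       em1.0                  Full      3.3.3.3          128    35
root@pakcore>
"""

LDP_SAMPLE = """\
Address            Interface          Label space ID         Hold time
40.50.60.1         em0.0              1.1.1.1:0                11
10.20.30.1         em1.0              3.3.3.3:0                11
"""

# Expected PE router-id -> core interface on pakcore, from the Part-1 design.
EXPECTED = {"1.1.1.1": "em0.0", "3.3.3.3": "em1.0"}


def parse_ospf_neighbors(text):
    """Map OSPF router-id -> (interface, state) from `show ospf neighbor` output."""
    neighbors = {}
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 6:                       # prompt lines, blanks, wrapped junk
            continue
        _addr, ifname, state, rid = parts[:4]
        neighbors[rid] = (ifname, state)
    return neighbors


def parse_ldp_neighbors(text):
    """Map LDP label-space id (router-id) -> interface from `show ldp neighbor` output."""
    neighbors = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        _addr, ifname, label_space = parts[:3]
        neighbors[label_space.split(":")[0]] = ifname
    return neighbors


def check_core(ospf_text, ldp_text, expected=EXPECTED):
    """Return a list of problems; an empty list means every expected PE is Full in OSPF
    and has an LDP session on the same interface, and nothing else has shown up."""
    problems = []
    ospf = parse_ospf_neighbors(ospf_text)
    ldp = parse_ldp_neighbors(ldp_text)
    for rid, ifname in expected.items():
        if rid not in ospf:
            problems.append(f"OSPF: no adjacency with {rid}")
        elif ospf[rid] != (ifname, "Full"):
            problems.append(f"OSPF: {rid} is {ospf[rid][1]} on {ospf[rid][0]}, expected Full on {ifname}")
        if rid not in ldp:
            problems.append(f"LDP: no session with {rid}")
        elif ldp[rid] != ifname:
            problems.append(f"LDP: {rid} on {ldp[rid]}, expected {ifname}")
    for rid in sorted(set(ospf) | set(ldp)):
        if rid not in expected:
            problems.append(f"unexpected neighbour {rid} (not in the expected PE list)")
    return problems


if __name__ == "__main__":
    issues = check_core(OSPF_SAMPLE, LDP_SAMPLE)
    print("core OK" if not issues else "\n".join(issues))
```

On a live box the two strings would come from the CLI (for example via `ssh root@pakcore 'show ospf neighbor'`) instead of being embedded; the parsing is by whitespace column position, which is stable for these two Junos tables.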

7. And finally, ping the loopback interfaces of the PE routers from the P core router to verify reachability:

root@pakcore> ping 1.1.1.1 
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.517 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.730 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.473 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.473/0.573/0.730/0.112 ms

root@pakcore> ping 3.3.3.3 
PING 3.3.3.3 (3.3.3.3): 56 data bytes
64 bytes from 3.3.3.3: icmp_seq=0 ttl=64 time=0.421 ms
64 bytes from 3.3.3.3: icmp_seq=1 ttl=64 time=0.792 ms
64 bytes from 3.3.3.3: icmp_seq=2 ttl=64 time=0.773 ms
^C
--- 3.3.3.3 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.421/0.662/0.792/0.171 ms
root@pakcore>

You should now have a simple MPLS core in place to mimic the Service Provider network. I shall build further on it in the upcoming tutorial, where I will add VRFs on the PE routers.