% Advanced Routing Workshop % Basic Routing Lab \pagebreak # Introduction The purpose of this exercise is to: * Configure the basics of a Cisco router * Enable OSPF to exchange internal routing information * Configure static routing towards a service provider ![Physical Topology - Module 1](ex1-1.png) ![Physical Topology - Module 2](ex1-2.png) The network configuration is designed to be modular to allow the lab to grow as needed depending on the number of partipants. Each module will contain 1 ISP and 3 customer networks (universities, etc). Modules will be interconnected (see Fig. 3) ![Topology with 2 modules](ex1-3.png) # Logistics Each participant will be assigned to a network. Depending on the number of participants, either a single person or a group will be responsible for the configuration of a router. You may be asked to rotate and work on a different router so that you have the opportunity to understand the network from another point of view. As you go through the exercises, you will see examples of configurations for one or more routers. **Make sure to take those examples and adapt them to your own router, network topology and addressing scheme. Use the diagrams to guide you.** Refer to the *Lab Access Instructions* document for information about logging into the routers that have been assigned to you. # Address Space Allocation ## End networks (universities, etc) Group IPv4 IPv6 ASN ------- ------------ ------------- ------- 1 10.10.0.0/16 fd00:10::/32 10 2 10.20.0.0/16 fd00:20::/32 20 3 10.30.0.0/16 fd00:30::/32 30 *The list will continue in the same pattern if there are more groups.* Each group will then further partition their space as follows: IPv4 IPv6 Description --------------- --------------- -------------------- 10.X0.0.0/17 fd00:X0::/40 End user space 10.X0.254.0/24 fd00:X0:fe::/64 Point-to-point links 10.X0.255.0/24 fd00:X0:ff::/64 Router loopbacks Where X is your group number (1,2,3...) Prefixes for point to point links will be of length /30 for IPv4 and /127 for IPv6 (we will adopt the recommendations of RFC6164 for IPv6 inter-router links): IPv4 IPv6 Description --------------- ---------------- -------------------- 10.X0.254.0/30 fd00:X0:fe::/127 P2P #1 10.X0.254.4/30 fd00:X0:fe::2/127 P2P #2 10.X0.254.8/30 fd00:X0:fe::4/127 P2P #3 ... and so on. Router loopback addresses will be of size /32 for IPv4 and /128 for IPv6: IPv4 IPv6 Description --------------- ---------------- -------------------- 10.X0.255.1/32 fd00:X0:ff::1/128 RX1 Loopback 10.X0.255.2/32 fd00:X0:ff::2/128 RX2 Loopback ## Commercial Internet Service Providers (ISPs) ISP IPv4 IPv6 ASN ----- ------------ ------------- ------- 1 10.201.0.0/16 fd00:200::/32 201 2 10.202.0.0/16 fd00:201::/32 202 ... and so on. ## Internet Exchange Points (IXPs) IXP IPv4 IPv6 ----- ------------ --------------- 1 10.251.1.0/24 fd00:251:1::/64 # Basic Router Configuration 1. Name the router ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ enable config terminal hostname R11 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2. Configure Authentication ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ aaa new-model aaa authentication login default local aaa authentication enable default enable username nsrc secret nsrc enable secret nsrc service password-encryption line vty 0 4 transport preferred none line console 0 transport preferred none ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3. Configure logging ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ no logging console logging buffered 8192 debugging ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 4. Disable DNS resolution ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ no ip domain-lookup ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 5. Make sure the router understands CIDR. This is the default setting in recent IOS versions, but just in case. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ip subnet-zero ip classless ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6. Disable source routing ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ no ip source-route ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 7. Activate IPv6 routing ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ipv6 unicast-routing ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 8. Exit configuration mode and save ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ end write memory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 9. Configure your interfaces according to the diagram *Notice that for the links to the ISP we will use the ISP's addresses, while for internal links we use internal addresses.* On R11: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ interface GigabitEthernet2/0 description P2P Link to R12 ip address 10.10.254.1 255.255.255.252 no ip directed-broadcast no ip redirects no ip proxy-arp ipv6 address fd00:10:fe::/127 ipv6 nd ra suppress no shutdown ! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On R12: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ interface GigabitEthernet1/0 description P2P Link to ISP1 ip address 10.201.254.2 255.255.255.252 no ip directed-broadcast no ip redirects no ip proxy-arp ipv6 address fd00:201:fe::1/127 ipv6 nd ra suppress no shutdown ! interface GigabitEthernet2/0 description P2P Link to R11 ip address 10.10.254.2 255.255.255.252 no ip directed-broadcast no ip redirects no ip proxy-arp ipv6 address fd00:10:fe::1/127 ipv6 nd ra suppress no shutdown ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Explanations for some of the above commands: *no ip directed-broadcast* An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet. Because directed broadcasts, and particularly Internet Control Message Protocol (ICMP) directed broadcasts, have been abused by malicious persons, we recommend disabling the ip directed-broadcast command on any intereface where directed broadcasts are not needed (probably all). *no ip proxy-arp* Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway. Disadvantages of proxy arp: * It increases the impact of ARP spoofing, in which a machine claims to be another in order to intercept packets. * It hides network misconfigurations in hosts * Hosts will have larger ARP tables *no ip redirects* ICMP redirects can be sent to a host when the router knows that another router in the same subnet has a better path to a destination. If a hacker installs a router in the network that causes the legitimate router to learn these ilegitimate paths, the hacker's router will end up diverting legitimate traffic thanks to ICMP redirects. Thus, we recommend that you disable this feature in all your interfaces. *ipv6 nd ra supress* IPv6 router advertisements are sent periodically by routers to inform hosts that the router is present, and to allow hosts to autoconfigure themselves using stateless autoconfiguration mechanisms. This is not necessary on point-to-point interfaces. 10. Do some PING tests ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ R12# ping 10.10.254.1 <- R11 R12# ping fd00:10:fe::0 <- R11 R12# ping 10.201.254.1 <- ISP1 R12# ping fd00:201:fe::0 <- ISP1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ and then verify the output of the following commands: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ show arp : Show ARP cache show interface : Show interface state and config show ip interface : Show interface IP state and config show ipv6 neighbors : Show IPv6 neighbors show ipv6 interface : Show interface state and config show cdp neighbors : Show neighbors seen via CDP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 11. Create Loopback interface On R11: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ interface loopback 0 ip address 10.10.255.1 255.255.255.255 ipv6 address fd00:10:ff::1/128 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ do the same for R12 (obviously, using different addresses). 12. Verify and save the configuration. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ show running-config write memory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Routing ## OSPF 1. Try pinging the loopback addresses of your neighbor ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ R11# ping 10.10.255.2 <- R12 loopback R11# ping fd00:10:ff:2 <- R12 loopback ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Q. What is happening? 2. Configure a new OSPF routing process. Notice that we will use the number "10" as the OSPF process number for routers R11 and R12. This number is local to the router, so it doesn't need to match the process number of a neighboring router. However, it is recommended that you use the same number throughout your network. Most people use their Autonomous System number (although OSPF has nothing to do with the BGP ASN). On R11 and R12: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ router ospf 10 log-adjacency-changes passive-interface default ! ipv6 router ospf 10 log-adjacency-changes passive-interface default area 0 authentication ipsec spi 256 md5 0123456789ABCDEF0123456789ABCDEF ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3. Now configure OSPF on the interfaces where adjacencies need to be established: On R11 and R12: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ interface GigabitEthernet2/0 ip ospf 10 area 0 ip ospf authentication message-digest ip ospf authentication-key N$RC ip ospf network point-to-point ipv6 ospf 10 area 0 ipv6 ospf network point-to-point ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Notice two things: a) We are configuring authentication to have control over who becomes an adjacent router and protect against ilegitimate routing information. We configure authentication per interface in IPv4 and per area in IPv6, just because it is simpler that way. b) We use the "network point-to-point" statement because we are using point-to-point links over a broadcast network. There is no reason for OSPF to elect a Designated Router (DR) and Backup Designated Router (BDR). Then, since we have configured OSPF to make all interfaces passive by default (recommended!), we need to explicitly activate the *OSPF Hello* function on the interfaces where routing information needs to be exchanged: R11 and R12: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ router ospf 10 no passive-interface GigabitEthernet2/0 ! ipv6 router ospf 10 no passive-interface GigabitEthernet2/0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Now configure OSPF on any interface that needs to have its subnets advertised by OSPF, if OSPF has not been enabled already: On R11 and R12: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ interface Loopback0 ip ospf 10 area 0 ipv6 ospf 10 area 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 5. STOP. Checkpoint Now try the following show commands: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sh ip ospf neighbor : show adjacencies sh ip route : show routes in routing table sh ip ospf : show general OSPF information sh ip ospf interface : show the status of OSPF in an interface show ipv6 ospf neighbor show ipv6 route show ipv6 ospf show ipv6 ospf interface ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Repeat the last ping tests. Q. Can you ping the loopback address of the neighboring router now? ## Static default routes 1. Configure static default routes to reach the outside world. On R11: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ip route 0.0.0.0 0.0.0.0 10.10.254.2 ipv6 route ::/0 fd00:10:fe::1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On R12: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ip route 0.0.0.0 0.0.0.0 10.201.254.1 ipv6 route ::/0 fd00:201:fe:: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Do some ping and traceroute tests. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ R11# ping 10.20.255.1 R11# ping 10.30.255.1 R11# traceroute 10.20.255.1 R11# traceroute 10.30.255.1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Q. Can you reach the routers in other networks? Don't forget to save your configurations. \pagebreak # Appendix A - ISP1 Sample Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ hostname ISP1 aaa new-model aaa authentication login default local aaa authentication enable default enable username nsrc secret nsrc enable secret nsrc service password-encryption line vty 0 4 transport preferred none line console 0 transport preferred none no logging console logging buffered 8192 debugging no ip domain-lookup ip subnet-zero ip classless no ip source-route ipv6 unicast-routing ! interface Loopback0 ip address 10.201.255.1 255.255.255.255 ipv6 address fd00:201:ff::1/128 ! interface GigabitEthernet1/0 description Link to IXP ip address 10.251.1.1 255.255.255.0 no ip directed-broadcast no ip redirects no ip proxy-arp ipv6 address fd00:251:1::1/64 ipv6 nd ra supress no shutdown ! interface GigabitEthernet3/0 description P2P Link to R12 ip address 10.201.254.1 255.255.255.252 no ip directed-broadcast no ip redirects no ip proxy-arp ipv6 address fd00:201:fe::/127 ipv6 nd ra supress no shutdown ! ip route 10.10.0.0 255.255.0.0 10.201.254.2 ipv6 route fd00:10::/32 fd00:201:fe::1 ! ip route 0.0.0.0 0.0.0.0 10.251.1.2 ipv6 route ::/0 fd00:251:1::2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~