Wednesday, September 22, 2010

OSPF Mock Lab - Another Challenge To Solve (Solution 2 & 3)

Last month when I posted my OSPF challenge, I thought there was only one way to accomplish it. But soon I had another working solution too, which worked perfectly fine. Let's call it Solution 1 for our sake.


So where is my solution or so called Solution 2 ? :-)


Hmmm...OK...Today I am not only going to show you my original solution, which I figured out, but also a 3rd solution.....isn't that cool? :-)


Yup...I picked some pieces of solution 1 and solution 2 and combined them together in a new way :-)


Okay...first of all...my solution 2 may look ugly to you...but solution 3 will definitely look ugly and actually involves a good piece of troubleshooting too.

It actually reminds me of an old TV cartoon show - ED, EDD & EDDY




OK, let's talk about solution 2 first:


Let's put the Initials (initial configs) first, which match the GNS topology I presented in the solution 1 post. So let's get started:

------------------
 Solution 2
------------------
<<< R1 >>>

-------------------------
Initials
------------------------
en
!
conf t
!
no ip domain-lo
!
ho R1
!
int s0/0
ip add 123.123.123.1 255.255.255.0
en f
no frame inv
no arp fr
frame map ip 123.123.123.2 102 b
frame map ip 123.123.123.3 103 b
frame map ip 123.123.123.1 102
ip ospf net point-to-m
no sh
exit
!
int f1/0
ip add 14.14.14.1 255.255.255.0
no sh
exit
!
router ospf 1
router-id 1.1.1.1
net 123.123.123.1 0.0.0.0 a 0
net 14.14.14.1 0.0.0.0 a 1
exit
!
int lo0
ip add 11.11.11.11 255.255.255.0
ip ospf net point-to-p
ip ospf 1 a 0
exit
end
!
------------------------------------

<<< R2 >>>

en
!
conf t
!
no ip domain-lo
!
ho R2
!
int s0/0
ip add 123.123.123.2 255.255.255.0
en f
no frame inv
no arp fr
frame map ip 123.123.123.1 201 b
frame map ip 123.123.123.2 201
ip ospf net point-to-m
no sh
exit
!
int lo0
ip add 22.22.22.22 255.255.255.0
ip ospf net point-to-p
ip ospf 1 a 0
exit
!
router ospf 1
router-id 2.2.2.2
net 123.123.123.2 0.0.0.0 a 0
exit
end
!
-------------------------------------

<<< R3 >>>

en
!
conf t
!
no ip domain-lo
!
ho R3
!
int s0/0
ip add 123.123.123.3 255.255.255.0
en f
no frame inv
no arp fr
frame map ip 123.123.123.1 301 b
frame map ip 123.123.123.3 301
ip ospf net point-to-m
no sh
exit
!
int lo0
ip add 33.33.33.33 255.255.255.0
ip ospf net point-to-p
ip ospf 1 a 0
exit
!
router ospf 1
router-id 3.3.3.3
net 123.123.123.3 0.0.0.0 a 0
exit
end
!
--------------------------------------


<<< R4 >>>

en
!
conf t
!
no ip domain-lo
!
ho R4
!
int f0/0
ip add 14.14.14.4 255.255.255.0
no sh
exit
!
int f1/0
ip add 45.45.45.4 255.255.255.0
no sh
exit
!
router ospf 1
router-id 4.4.4.4
net 14.14.14.4 0.0.0.0 a 1
exit
!
int lo0
ip add 44.44.44.44 255.255.255.0
exit
!
int lo1
ip add 144.144.144.144 255.255.255.0
ip ospf 1 a 1
exit
!
router rip
v 2
no au
net 44.0.0.0
net 45.0.0.0
exit
end
!
-----------------------------------------

<<< R5 >>>


en
!
conf t
!
no ip domain-lo
!
ho R5
!
int f0/0
ip add 45.45.45.5 255.255.255.0
no sh
exit
!
int lo0
ip add 55.55.55.55 255.255.255.0
ip ospf net point-to-p
ip ospf 1 a 2
exit
!
int lo1
ip add 155.155.155.155 255.255.255.0
exit
!
int f1/0
ip add 56.56.56.5 255.255.255.0
no sh
!
router ospf 1
router-id 5.5.5.5
net 56.56.56.5 0.0.0.0 a 2
exit
!
router rip
net 45.0.0.0
net 155.155.0.0
v 2
no au
exit
end
!
--------------------------------------------


<<< R6 >>>

en
!
conf t
!
no ip domain-lo
!
ho R6
!
int f0/0
ip add 56.56.56.6 255.255.255.0
no sh
exit
!
int lo0
ip add 66.66.66.66 255.255.255.0
ip ospf 1 a 2
ip ospf net point-to-p
exit
!
router ospf 1
router-id 6.6.6.6
net 56.56.56.6 0.0.0.0 a 2
exit
end
!



---------------------------------------------



Now we have all basic reachability. The problem is that we cannot have route exchange between two different OSPF areas without having area 0 in the middle, or without them being logically connected to it in some way. That's why Virtual Links were designed, right? :-)


But the problem here is that we are not allowed to use them :-(


OK...the next idea that comes to mind is GRE tunnels :-)


But that's also not allowed :-(


Hey...but remember, if I go under the tunnel interface and change the tunnel mode to IP-IP with the command "tunnel mode ipip", at that point I am technically not running a GRE tunnel but an IP-IP tunnel, which also adds the benefit of less overhead.


I know...some of you may be saying that's not right :-)...but didn't you notice from the comments of CCIE people on the web that the real lab may trick you the same way with the wording of tasks?

So let's create our first tunnel between R5 & R4. The ultimate goal here is to pull area 2 up to area 1 first.


-----------------------------------------------

<<< R4 >>>


R4(config)#do sh run int tu0
Building configuration...

Current configuration : 146 bytes
!
interface Tunnel0
 ip address 100.100.100.101 255.255.255.0
 tunnel source Loopback0
 tunnel destination 155.155.155.155
 tunnel mode ipip
end

R4(config)#router ospf 1
R4(config-router)#net 100.100.100.101 0.0.0.0 a 2
--------------------------------------
<<< R5 >>>


R5#sh run int tu0
Building configuration...

Current configuration : 142 bytes
!
interface Tunnel0
 ip address 100.100.100.100 255.255.255.0
 tunnel source Loopback1
 tunnel destination 44.44.44.44
 tunnel mode ipip
end

R5(config)#router ospf 1
R5(config-router)#net 100.100.100.100 0.0.0.0 a 2

*Mar  1 00:24:35.739: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on Tunnel0 from LOADING to FULL, Loading Done
---------------------------------------------------
<<< R4 >>>

 R4#s ip ro os | i T
O       55.55.55.0 [110/11112] via 100.100.100.100, 00:04:40, Tunnel0
O       66.66.66.0 [110/11113] via 100.100.100.100, 00:04:40, Tunnel0
O       56.56.56.0 [110/11112] via 100.100.100.100, 00:04:40, Tunnel0

---------------------------------------------------
 
<<< R5 >>>
 
R5#sh ip ro os
     66.0.0.0/24 is subnetted, 1 subnets
O       66.66.66.0 [110/2] via 56.56.56.6, 00:05:50, FastEthernet1/0


-----------------------------------------------------------



Now let's create another tunnel between R1 & R4 and pull area 2, which is at R4 now, back to Area 0 over R1:
------------------------------------------------------------


<<< R4 >>>

R4(config)#int tu 1
R4(config-if)#ip add 125.125.125.4 255.255.255.0
R4(config-if)#tu so tu0 <- See I am putting one tunnel inside another here
R4(config-if)#tu dest 11.11.11.11
R4(config-if)#ip ospf 1 a 2
R4(config-if)#tunnel mode ipip
R4(config-if)#exit


----------------------------------------------------
 
<<< R1 >>>

R1(config)#int tu 1
R1(config-if)#ip add 125.125.125.1 255.255.255.0
R1(config-if)#tu so lo0
R1(config-if)#tu dest 100.100.100.101
R1(config-if)#ip ospf 1 a 2
R1(config-if)#tunnel mode ipip
R1(config-if)#exit


----------------------------------------------------

Now let's check the routing table on R1 and see if we have a route for R6's loopback:


R1(config-if)#do sh ip ro | i T
R1(config-if)#                        <- Nothing in here

-----------------------------------------------------



Hmmm... Let's see if the tunnel is indeed up:


R1(config-if)#do sh ip int b | i T
Tunnel1                    125.125.125.1   YES manual up   down

So the tunnel is down.

Hmmm...for the tunnel to come up we should have reachability between the tunnel source and destination addresses...right?


Let's check that:

 R1(config-if)#do sh ip ro 100.100.100.101
% Network not in table

---------------------------------------------------------

Hmmm...let's make the tunnel destination reachable by adding a /32 static route. Remember, I allowed the use of one static route in the entire config :-)


R1(config)#ip route 100.100.100.101 255.255.255.255 14.14.14.4
R1(config)#
*Mar  1 01:01:18.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Mar  1 01:01:18.247: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Tunnel1 from LOADING to FULL, Loading Done

R1(config)#do sh ip ro 100.100.100.101                       
Routing entry for 100.100.100.101/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 14.14.14.4
      Route metric is 0, traffic share count is 1

------------------------------------------------------

R1(config)#do ping 100.100.100.101

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/16 ms

-------------------------------------------------------





So finally our magical tunnel has come up and by this time we should have reachability to R6's loopback:


R1(config)#do sh ip ro | i T
O       100.100.100.0/24 [110/22222] via 125.125.125.4, 00:01:17, Tunnel1
O       55.55.55.0 [110/22223] via 125.125.125.4, 00:01:17, Tunnel1
O       66.66.66.0 [110/22224] via 125.125.125.4, 00:01:17, Tunnel1
C       125.125.125.0 is directly connected, Tunnel1
O       56.56.56.0 [110/22223] via 125.125.125.4, 00:01:17, Tunnel1


Which we have :-)
------------------------------------------------


------------------
 Solution 3
------------------


The major problem (not exactly) with my solution 2 is that you have full reachability among all OSPF routes but no reachability for RIP routes. Although in my original post I asked for OSPF route reachability only, which makes my solution perfectly valid :-)


Now let's put some more restrictions once again :-P

1. No static routing is allowed anywhere now
2. RIP routes should also be reachable from the entire OSPF domain and vice versa


Hmmm...that really makes life very complicated now.


Let's remove the static route from R1 now:


R1(config)#do sh run | i ip route
R1(config)# 
                               <- So As you can see I removed it



Now let's put the "default-information originate always" command on R4, since we no longer have the static route for reachability up to R4's Tunnel 1 source, and see if this can help us:

R4(config-if)#do sh run | s r o
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 redistribute rip
 network 14.14.14.4 0.0.0.0 area 1
 network 100.100.100.101 0.0.0.0 area 2
 default-information originate always


R2#sh ip ro | i 0.0.0.0
Gateway of last resort is 123.123.123.1 to network 0.0.0.0
     100.0.0.0/24 is subnetted, 1 subnets
O*E2 0.0.0.0/0 [110/1] via 123.123.123.1, 01:53:08, Serial0/0
 

R6#sh ip ro | i 0.0.0.0
Gateway of last resort is 56.56.56.5 to network 0.0.0.0
     100.0.0.0/24 is subnetted, 1 subnets
O*E2 0.0.0.0/0 [110/1] via 56.56.56.5, 01:53:41, FastEthernet0/0

 

But...As soon as I do that I have another problem:

R1(config-router)#
*Mar  1 01:50:01.775: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
*Mar  1 01:50:02.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Mar  1 01:50:02.791: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Tunnel1 from FULL to DOWN, Neighbor Down: Interface down or detached

*Mar  1 01:51:02.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Mar  1 01:51:02.867: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Tunnel1 from LOADING to FULL, Loading Done
*Mar  1 01:51:09.771: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
*Mar  1 01:51:10.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Mar  1 01:51:10.787: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on Tunnel1 from FULL to DOWN, Neighbor Down: Interface down or detached


Hmmm...so our old GRE route recursion issue, which we discussed in detail a few posts back, comes back :-)


So no need to panic...right :-)


Let's dig a little deeper to find the cause of the issue:


R1(config-router)#do debug ip routing 

*Mar  1 01:52:28.919: RT: Pruning routes for Tunnel1 (4)
*Mar  1 01:52:28.919: RT: delete route to 100.100.100.0 via 125.125.125.4, Tunnel1
*Mar  1 01:52:28.919: RT: no routes to 100.100.100.0, flushing
*Mar  1 01:52:28.919: RT: NET-RED 100.100.100.0/24
*Mar  1 01:52:28.919: RT: delete network route to 100.0.0.0
*Mar  1 01:52:28.919: RT: NET-RED 100.0.0.0/8



Hmmm... You see? From R1's point of view, we are learning the tunnel destination through the tunnel itself.


Let's fix this with a distribute list:


R1(config-router)#do sh ip access-l 1
Standard IP access list 1
    10 deny   100.100.100.0
or
 ip access-l 1 de 100.100.100.0 0.0.0.0 <- Actual ACL I applied was this :-)

R1(config)#router ospf 1
R1(config-router)#distribute-list 1 in Tunnel1



*Mar  1 01:54:26.651: RT: add 0.0.0.0/0 via 14.14.14.4, ospf metric [110/1]
*Mar  1 01:54:26.655: RT: NET-RED 0.0.0.0/0
*Mar  1 01:54:26.655: RT: default path is now 0.0.0.0 via 14.14.14.4
*Mar  1 01:54:26.655: RT: new default network 0.0.0.0
*Mar  1 01:54:26.655: RT: NET-RED 0.0.0.0/0
*Mar  1 01:54:31.627: RT: NET-RED 0.0.0.0/0
*Mar  1 01:54:36.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Mar  1 01:54:36.915: RT: is_up: Tunnel1 1 state: 4 sub state: 1 line: 0 has_route: False
*Mar  1 01:54:36.915: RT: SET_LAST_RDB for 125.125.125.0/24
  NEW rdb: is directly connected

*Mar  1 01:54:36.915: RT: add 125.125.125.0/24 via 0.0.0.0, connected metric [0/0]
*Mar  1 01:54:36.915: RT: NET-RED 125.125.125.0/24
*Mar  1 01:54:36.915: RT: interface Tunnel1 added to routing table

R1(config)#do sh access-l 1
Standard IP access list 1
    10 deny   100.100.100.0 (2 matches)
<- See we have hits for this ACL
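
Added example (not from the original post): a small Python model of R1's routing table that shows why Tunnel1 goes down with %TUN-5-RECURDOWN and what the distribute-list changes. The route entries are constructed from the outputs above, the function names and the `ACL_1_PERMIT_REST` variant are hypothetical, and the ACL is evaluated with the standard first-match, implicit-deny rule.

```python
import ipaddress

# Constructed from the R1 outputs in this post: (code, prefix, next hop, interface).
R1_RIB = [
    ("C", "14.14.14.0/24", None, "FastEthernet1/0"),
    ("C", "125.125.125.0/24", None, "Tunnel1"),
    ("O", "0.0.0.0/0", "14.14.14.4", "FastEthernet1/0"),
    ("O", "100.100.100.0/24", "125.125.125.4", "Tunnel1"),
    ("O", "55.55.55.0/24", "125.125.125.4", "Tunnel1"),
    ("O", "56.56.56.0/24", "125.125.125.4", "Tunnel1"),
    ("O", "66.66.66.0/24", "125.125.125.4", "Tunnel1"),
]
# access-list 1 as shown on R1: (action, address, wildcard).
ACL_1 = [("deny", "100.100.100.0", "0.0.0.0")]
# Hypothetical variant with an explicit permit for everything else.
ACL_1_PERMIT_REST = ACL_1 + [("permit", "0.0.0.0", "255.255.255.255")]


def lookup(rib, dest):
    """Longest-prefix match; returns the winning route tuple or None."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in rib if addr in ipaddress.ip_network(r[1])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[1]).prefixlen, default=None)


def acl_permits(acl, network):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    addr = int(ipaddress.ip_address(network))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False


def distribute_list_in(rib, acl, interface):
    """Keep connected routes; drop OSPF routes on `interface` the ACL rejects."""
    return [r for r in rib
            if r[0] != "O" or r[3] != interface
            or acl_permits(acl, r[1].split("/")[0])]


def tunnel_is_recursive(rib, tunnel_if, tunnel_dest):
    """True when the tunnel destination resolves out of the tunnel itself."""
    route = lookup(rib, tunnel_dest)
    return route is not None and route[3] == tunnel_if


if __name__ == "__main__":
    print("before filter:", tunnel_is_recursive(R1_RIB, "Tunnel1", "100.100.100.101"))
    for name, acl in (("ACL 1", ACL_1), ("ACL 1 + permit", ACL_1_PERMIT_REST)):
        rib = distribute_list_in(R1_RIB, acl, "Tunnel1")
        print(name, tunnel_is_recursive(rib, "Tunnel1", "100.100.100.101"),
              lookup(rib, "66.66.66.66"))
```

In this model the single-entry ACL also drops the other OSPF routes learned on Tunnel1 through the implicit deny, so R1 reaches 66.66.66.66 through the default route via 14.14.14.4. With a trailing permit, those routes stay on Tunnel1 and only 100.100.100.0 is filtered.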



By this point we should be good to go and can run our final TCL script to verify full connectivity, including the RIP routes:


--------------------------------------------------

R3>en
R3#tclsh
R3(tcl)#foreach address {
+>(tcl)#123.123.123.1
+>(tcl)#14.14.14.1
+>(tcl)#11.11.11.11
+>(tcl)#123.123.123.2
+>(tcl)#22.22.22.22
+>(tcl)#123.123.123.3
+>(tcl)#33.33.33.33
+>(tcl)#14.14.14.4
+>(tcl)#45.45.45.4
+>(tcl)#44.44.44.44
+>(tcl)#144.144.144.144
+>(tcl)#45.45.45.5
+>(tcl)#56.56.56.5
+>(tcl)#55.55.55.55
+>(tcl)#155.155.155.155
+>(tcl)#56.56.56.6
+>(tcl)#66.66.66.66
+>(tcl)#} {ping $address}

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/9/20 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.14.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/17/24 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/56 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/36 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/52 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.33, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/37/60 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/23/32 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/40 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.144.144.144, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/15/24 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 56.56.56.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/33/40 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/46/60 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.155.155.155, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/43/56 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 56.56.56.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/39/60 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.66.66.66, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/56 ms
R3(tcl)#


So again ...one problem and multiple ways to fix it :-)
 HTH...
Deepak Arora 




2 comments:

Mahi said...

Hi Deepak,

As per solution 3, if you have extended area 2 up to R4, there was no need to extend it till R1 to complete the solution. You already added a default route in R4, which R4 will be injecting into area 0 and area 2, so R4 will be the central point for routers on both sides, and R4 also knows about all RIP routes. It will be a working solution.

Things need to be done.

1.) Default-information originate always on R4.
2.) IPIP tunnel between R4 & R5 and form OSPF neighborship between R4 & R5 with area 2.
3.) Bingo!! you have a working solution now..

Regards
Mahi

Deepak Arora said...

Your solution is right but I was just combining all pieces together to make it as functional solution cause there are always many ways to achieve a common goal.

But on the other hand apart from Manish I didn't find anyone able to solve this challenge so far at that point.

But still your solution can be considered a valid solution number 4 :-)

But as you were too late maybe you should try EIGRP challenge :-)
As no one fixed it...BTW "No Googling" to all readers is strongly recommended :-)