Saturday, April 13, 2013

Configuring vPC (Virtual Port Channel) with Cisco Nexus


In this scenario, I have two Cisco Nexus 5548s, two Cisco Nexus 2248 FEXes, and a Windows Server with 4 Ethernet interfaces, where two interfaces connect to FEX 100 and the other two connect to FEX 101. I want to configure Virtual Port Channels so that if either 5K is lost, both FEXes keep forwarding traffic for the server.



To start, I'll configure the mgmt0 address (10.2.8.13 on N5K-1 and 10.2.8.14 on N5K-2) and the management default gateway on both 5Ks (N5K-1 is shown). Because mgmt0 lives in the management VRF, its default route has to be entered under vrf context management; an ip route typed at the global config prompt would land in the default VRF instead.

N5K-1# conf t
N5K-1(config)# interface mgmt0
N5K-1(config-if)# ip address 10.2.8.13/24
N5K-1(config-if)# exit
N5K-1(config)# vrf context management
N5K-1(config-vrf)# ip route 0.0.0.0/0 10.2.8.1
N5K-1(config-vrf)# exit

I will use this management network as the peer-keepalive link for the vPC domain I'll create, so I'll confirm the VRF is up and that the gateway answers from it.

N5K-1(config)# show vrf
VRF-Name                           VRF-ID State   Reason                        
default                                 1 Up      --                            
management                              2 Up      --                            
N5K-1(config)# ping 10.2.8.1 vrf management count 2
PING 10.2.8.1 (10.2.8.1): 56 data bytes
64 bytes from 10.2.8.1: icmp_seq=0 ttl=254 time=0.969 ms
64 bytes from 10.2.8.1: icmp_seq=1 ttl=254 time=0.667 ms

--- 10.2.8.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.00% packet loss
round-trip min/avg/max = 0.667/0.817/0.969 ms
N5K-1(config)# 

Now I'll create uplink trunks to the core network for access to VLAN 930 for both N5Ks (N5K-1 is shown).

N5K-1(config)# interface e1/15-16
N5K-1(config-if-range)# no shut
N5K-1(config-if-range)# switchport mode trunk
N5K-1(config-if-range)# switchport trunk allowed vlan 1,930
N5K-1(config-if-range)# vlan 930
N5K-1(config-vlan)# sh vlan b

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Eth1/1, Eth1/2, Eth1/3, Eth1/4
                                                Eth1/5, Eth1/6, Eth1/7, Eth1/8
                                                Eth1/9, Eth1/10, Eth1/11
                                                Eth1/12, Eth1/13, Eth1/14
                                                Eth1/15, Eth1/16, Eth1/17
                                                Eth1/18, Eth1/19, Eth1/20
                                                Eth1/21, Eth1/22, Eth1/23
                                                Eth1/24, Eth1/25, Eth1/26
                                                Eth1/27, Eth1/28, Eth1/29
                                                Eth1/30, Eth1/31, Eth1/32
930  VLAN0930                         active    Eth1/15, Eth1/16

N5K-1(config-vlan)# show interface trunk 

--------------------------------------------------------------------------------
Port          Native  Status        Port
              Vlan                  Channel
--------------------------------------------------------------------------------
Eth1/15       1       trunking      --
Eth1/16       1       trunking      --

--------------------------------------------------------------------------------
Port          Vlans Allowed on Trunk
--------------------------------------------------------------------------------
Eth1/15       1,930
Eth1/16       1,930

(...output omitted...)
N5K-1(config)# 

Each N5K will have two links to each FEX, which I'll bundle into port-channels. I'll enable the fex, lacp and vpc features on both 5Ks (N5K-1 is shown).

N5K-1(config)# show feature | in enabled|fex|lacp|vpc
fex                   1         disabled
lacp                  1         disabled
lldp                  1         enabled 
sshServer             1         enabled 
vmfex                 1         disabled
vpc                   1         disabled
N5K-1(config)# 
N5K-1(config)# feature fex
N5K-1(config)# feature lacp
N5K-1(config)# feature vpc
N5K-1(config)# 
N5K-1(config)# show feature | in enabled
fex                   1         enabled 
lacp                  1         enabled 
lldp                  1         enabled 
sshServer             1         enabled 
vpc                   1         enabled
N5K-1(config)# 

Now I'll stage connectivity to the two FEX units, 100 and 101, on each 5K. Because the fabric links to each FEX will be bundled into a single port-channel, the FEX pinning only needs one link: the port-channel counts as one fabric link for pinning purposes (N5K-1 is shown).

N5K-1(config)# fex 100
N5K-1(config-fex)# pinning max-links 1
Change in Max-links will cause traffic disruption.
N5K-1(config-fex)#
N5K-1(config-fex)# fex 101
N5K-1(config-fex)# pinning max-links 1
Change in Max-links will cause traffic disruption.
N5K-1(config-fex)#

Now I'll create port-channels 78 and 91 (N5K-1 is shown).

N5K-1(config-fex)# interface e1/7-8
N5K-1(config-if-range)# channel-group 78
N5K-1(config-if-range)# no shut
N5K-1(config-if-range)#
N5K-1(config-if-range)# interface e1/9-10
N5K-1(config-if-range)# channel-group 91
N5K-1(config-if-range)# no shut
N5K-1(config-if-range)#

At this point, I should be able to see that the two FEXes have been discovered (N5K-1 is shown)

N5K-1(config-if-range)# show fex
  FEX         FEX           FEX                       FEX               
Number    Description      State            Model            Serial     
------------------------------------------------------------------------
---       --------            Discovered     N2K-C2248TP-1GE   SSI141904QR
---       --------            Discovered     N2K-C2248TP-1GE   SSI14250839
N5K-1(config-if-range)#

Now I'll associate the port-channel interfaces with their respective FEXes (N5K-1 is shown).

N5K-1(config-if-range)# int po78
N5K-1(config-if)# switchport mode fex-fabric
N5K-1(config-if)# fex associate 100
N5K-1(config-if)# 
N5K-1(config-if)# int po91
N5K-1(config-if)# switchport mode fex-fabric 
N5K-1(config-if)# fex associate 101
N5K-1(config-if)# exit
N5K-1(config)#

From N5K-1 I see the two FEXes online (since I configured this one before N5K-2), but N5K-2 sees them as "offline": a FEX registers with only one parent until its fabric port-channels are placed in a vPC, which is what allows both 5Ks to manage it. This should change once I complete the vPC configuration.

N5K-1(config-if)# show fex
  FEX         FEX           FEX                       FEX               
Number    Description      State            Model            Serial     
------------------------------------------------------------------------
100        FEX0100                Online     N2K-C2248TP-1GE   SSI14250839
101        FEX0101                Online     N2K-C2248TP-1GE   SSI141904QR
N5K-1(config-if)# 


N5K-2# sho fex
  FEX         FEX           FEX                       FEX               
Number    Description      State            Model            Serial     
------------------------------------------------------------------------
---       --------               Offline     N2K-C2248TP-1GE   SSI14310232
---       --------               Offline     N2K-C2248TP-1GE   SSI14270CLA
N5K-2# 

Since the FEXes are online for N5K-1, I should be able to see all interfaces available on both FEXes.

N5K-1(config-if)# show interface brief

--------------------------------------------------------------------------------
Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                    Ch #
--------------------------------------------------------------------------------
(...output omitted...)

Eth1/7        1       eth  fabric up      none                        10G(D) 78
Eth1/8        1       eth  fabric up      none                        10G(D) 78
Eth1/9        1       eth  fabric up      none                        10G(D) 91
Eth1/10       1       eth  fabric up      none                        10G(D) 91

(...output omitted...)

--------------------------------------------------------------------------------
Port-channel VLAN    Type Mode   Status  Reason                    Speed   Protocol
Interface                                                                  
--------------------------------------------------------------------------------
Po78         1       eth  fabric up      none                       a-10G(D)  none
Po91         1       eth  fabric up      none                       a-10G(D)  none

--------------------------------------------------------------------------------
Port   VRF          Status IP Address                              Speed    MTU
--------------------------------------------------------------------------------
mgmt0  --           up     10.2.8.53                               1000     1500

--------------------------------------------------------------------------------
Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                    Ch #
--------------------------------------------------------------------------------
Eth100/1/1    1       eth  access down    Administratively down      auto(D) --
Eth100/1/2    1       eth  access down    Administratively down      auto(D) --
Eth100/1/3    1       eth  access down    Administratively down      auto(D) --

(...output omitted...)

Eth101/1/1    1       eth  access down    Administratively down      auto(D) --
Eth101/1/2    1       eth  access down    Administratively down      auto(D) --

(...output omitted...)

Now I'll establish the vPC configuration. I'll create vPC domain 55 and use the management network for the peer-keepalive; the keepalive needs a path that does not depend on the peer-link, which is why mgmt0 or a dedicated link is used rather than the peer-link itself. I'll then build a port-channel between the N5Ks and designate it as the vPC peer-link.

N5K-1(config)# vpc domain 55
N5K-1(config-vpc-domain)# peer-keepalive destination 10.2.8.14
Note: 
 --------:: Management VRF will be used as the default VRF ::--------
N5K-1(config-vpc-domain)# exit
N5K-1(config)# 
N5K-1(config)# int e1/17-18
N5K-1(config-if-range)# channel-group 1718 mode active
N5K-1(config-if-range)# interface po1718
N5K-1(config-if)# switchport mode trunk
N5K-1(config-if)# switchport trunk allow vlan all
N5K-1(config-if)# vpc peer-link
Please note that spanning tree port type is changed to "network" port type on vPC peer-link.
This will enable spanning tree Bridge Assurance on vPC peer-link provided the STP Bridge Assurance
(which is enabled by default) is not disabled.
N5K-1(config-if)# 

Now I'll verify that the vPC peer relationship is operational: adjacency formed, keepalive alive, and every consistency check passing. No vPCs exist yet, so "Number of vPCs configured" is still 0.

N5K-1(config-if-range)# sh vpc brief
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                   : 55  
Peer status                     : peer adjacency formed ok      
vPC keep-alive status           : peer is alive                 
Configuration consistency status: success 
Per-vlan consistency status     : success                       
Type-2 consistency status       : success 
vPC role                        : secondary                     
Number of vPCs configured       : 0   
Peer Gateway                    : Disabled
Dual-active excluded VLANs      : -
Graceful Consistency Check      : Enabled

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans    
--   ----   ------ --------------------------------------------------
1    Po1718 up     1,930        
N5K-1(config-if-range)# exit
N5K-1(config)# 
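
The fields above are what an operator checks after every vPC change. As an added example that is not part of the original post, the following Python script parses the 'show vpc brief' text (the output above is embedded verbatim as a constructed sample) and returns a list of problems: peer adjacency not formed, keepalive dead, any consistency check failing, or a peer-link that is down or not carrying the expected VLANs. The expected VLAN list and the set of field names it checks are assumptions; in practice you would feed it output collected over SSH or NX-API.

```python
"""Parse 'show vpc brief' output from a Nexus switch and flag vPC problems.

Added example, not from the original post. The sample output below is the
text shown in the post, embedded as a constant so the script runs offline.
"""
import re

# Constructed sample: the 'show vpc brief' output from the post.
SAMPLE_SHOW_VPC_BRIEF = """\
Legend:
                (*) - local vPC is down, forwarding via vPC peer-link

vPC domain id                   : 55
Peer status                     : peer adjacency formed ok
vPC keep-alive status           : peer is alive
Configuration consistency status: success
Per-vlan consistency status     : success
Type-2 consistency status       : success
vPC role                        : secondary
Number of vPCs configured       : 0
Peer Gateway                    : Disabled
Dual-active excluded VLANs      : -
Graceful Consistency Check      : Enabled

vPC Peer-link status
---------------------------------------------------------------------
id   Port   Status Active vlans
--   ----   ------ --------------------------------------------------
1    Po1718 up     1,930
"""

# Field values that must hold for a healthy vPC domain (assumed set of checks).
REQUIRED = {
    "Peer status": "peer adjacency formed ok",
    "vPC keep-alive status": "peer is alive",
    "Configuration consistency status": "success",
    "Per-vlan consistency status": "success",
    "Type-2 consistency status": "success",
}


def parse_vpc_brief(text):
    """Return (fields, peer_links) from 'show vpc brief' text.

    fields: dict mapping each 'label : value' header line to its value.
    peer_links: one dict (id, port, status, vlans) per peer-link table row.
    """
    fields = {}
    peer_links = []
    in_peer_link_table = False
    for line in text.splitlines():
        if line.startswith("vPC Peer-link status"):
            in_peer_link_table = True
            continue
        if in_peer_link_table:
            m = re.match(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)", line)
            if m:
                peer_links.append({"id": int(m.group(1)), "port": m.group(2),
                                   "status": m.group(3), "vlans": m.group(4)})
            continue
        m = re.match(r"^([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields, peer_links


def vpc_problems(text, expected_vlans=None):
    """Return a list of human-readable problems; an empty list means healthy."""
    fields, peer_links = parse_vpc_brief(text)
    problems = []
    for label, want in REQUIRED.items():
        got = fields.get(label)
        if got != want:
            problems.append(f"{label}: expected '{want}', got '{got}'")
    if not peer_links:
        problems.append("no vPC peer-link configured")
    for pl in peer_links:
        if pl["status"] != "up":
            problems.append(f"peer-link {pl['port']} is {pl['status']}")
        if expected_vlans and pl["vlans"] != expected_vlans:
            problems.append(f"peer-link {pl['port']} carries VLANs {pl['vlans']}, "
                            f"expected {expected_vlans}")
    return problems


if __name__ == "__main__":
    report = vpc_problems(SAMPLE_SHOW_VPC_BRIEF, expected_vlans="1,930")
    for line in report or ["vPC domain healthy"]:
        print(line)
```

Run it against the output of both peers: a keepalive that is alive on one side but a peer adjacency that has not formed on the other is the classic symptom of a peer-link or Type-1 consistency problem, and the script will name the field that differs.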

On both N5Ks, I'll assign vPC 78 to port-channel 78 and vPC 91 to port-channel 91. Once the fabric port-channels are members of a vPC, both 5Ks see the FEXes online.

N5K-1(config-if)# int po78
N5K-1(config-if)# vpc 78
N5K-1(config-if)# int po91
N5K-1(config-if)# vpc 91
N5K-1(config-if)# 
N5K-1(config-if)# show fex
  FEX         FEX           FEX                       FEX               
Number    Description      State            Model            Serial     
------------------------------------------------------------------------
100        FEX0100                Online     N2K-C2248TP-1GE   SSI14270CLA
101        FEX0101                Online     N2K-C2248TP-1GE   SSI14310232
N5K-1(config-if)# 


N5K-2(config-if)# 
N5K-2(config-if)# show fex
  FEX         FEX           FEX                       FEX               
Number    Description      State            Model            Serial     
------------------------------------------------------------------------
100        FEX0100                Online     N2K-C2248TP-1GE   SSI14270CLA
101        FEX0101                Online     N2K-C2248TP-1GE   SSI14310232
N5K-2(config-if)# 

At this point, I'll enable the access ports for both FEXes to the server. (N5K-1 is shown).

N5K-1(config)# int e100/1/1-2 , e101/1/1-2
N5K-1(config-if-range)# switchport mode access
N5K-1(config-if-range)# switchport access vlan 930
N5K-1(config-if-range)# no shut
N5K-1(config-if-range)# 
N5K-1(config-if-range)# show interface brief

(...output omitted...)

--------------------------------------------------------------------------------
Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                    Ch #
--------------------------------------------------------------------------------
Eth100/1/1    930     eth  access up      none                       1000(D) --
Eth100/1/2    930     eth  access up      none                       1000(D) --

(...output omitted...)

Eth101/1/1    930     eth  access up      none                       1000(D) --
Eth101/1/2    930     eth  access up      none                       1000(D) --

On the server, I have an Intel Quad port card which I've teamed together.


I've assigned the address of 100.1.1.7/24.


 I'll test connectivity by pinging 10.1.1.21. This is a machine in the core network on VLAN 930.


Note that although the ports are teamed, I've left the adapter in fault-tolerance mode. This means that one port is active and the rest remain in standby, so the test exercises the vPC failover rather than the server's load balancing.


I'll set a continuous ping, and then reload N5K-1.

N5K-1# copy run start
[########################################] 100%
Copy complete, now saving to disk (please wait)...
N5K-1# reload
WARNING: This command will reboot the system
Do you want to continue? (y/n) [n] y

Note that a single ping was lost and the active adapter did not change. This means that FEX 100 continued to serve the server through the vPC via N5K-2 while N5K-1 reloaded.



Saturday, April 28, 2012

EIGRP Summary Considerations


     When a router is configured with the ip summary-address eigrp interface command, it injects a route for the summary prefix to interface Null0 into its routing table with a default administrative distance (AD) of 5. This is known as the discard route, and it is not exclusive to EIGRP. Its purpose is loop prevention: if the router lost a more specific route that fell within the summary, traffic for that destination would match the summary pointing at Null0 and be dropped locally, rather than being forwarded to a neighbor that may no longer have the route.


     Without such a mechanism, the router would forward that traffic using whatever less specific route it had left, and the next-hop neighbor might hold a path that leads straight back to the router, creating a loop.



In this scenario, the Provider sends a default route to R1 via eBGP with an AD of 20. 

Provider Sends Default route to R1:
router bgp 100
 neighbor 10.1.1.1 remote-as 200
 neighbor 10.1.1.1 default-originate

Resulting routing table for R1:
R1#show ip route | in 0.0.0.0
Gateway of last resort is 10.1.1.100 to network 0.0.0.0
B*   0.0.0.0/0 [20/0] via 10.1.1.100, 00:00:10



R1's fa0/1 interface is then configured to send an EIGRP summary route. 

R1 Sends EIGRP Summary to R2:
interface fa0/1
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0

R1#show ip route 0.0.0.0 | include distance
  Known via "eigrp 100", distance 5, metric 2169856, candidate default path, type internal


With no AD configured, a route to the EIGRP summary via interface Null0 with an AD of 5 is injected into the global routing table, thereby removing the previously accepted default route to 10.1.1.100 via eBGP with the AD of 20.

Resulting routing table for R1:
R1# show ip route | include 0.0.0.0
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
D*   0.0.0.0/0 is a summary, 00:21:30, Null0


R2 learns the advertised route via EIGRP, and installs the route in its global routing table with the AD of 90.

Resulting routing table for R2:
R2#show ip route | in 0.0.0.0
Gateway of last resort is 10.12.1.1 to network 0.0.0.0
D*   0.0.0.0/0 [90/2681856] via 10.12.1.1, 00:23:21, Fa0/1


At this point, any destination that R1 receives packets for that are not specifically in the global routing table will take the default route to Null0.

Although not always recommended, and depending on your needs, you can suppress the Null0 route entirely by giving the summary an AD of 255 (a route with AD 255 is never installed). In this case, a high AD of 220 is configured instead.

R1 Sends EIGRP Summary to R2:
interface fa0/1
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0 220


This lets the previously accepted eBGP route with the AD of 20 back into the routing table, but still keeps a floating discard route to Null0 that is installed only if the eBGP default is lost; at that point R1 drops the traffic locally instead of handing it back toward R2. The trade-off is that while the eBGP default is present, anything R1 cannot match more specifically is sent to the provider rather than discarded.

Resulting routing table for R1:
R1# clear ip route *
R1# show ip route  | in 0.0.0.0  
Gateway of last resort is 10.1.1.100 to network 0.0.0.0
B*   0.0.0.0/0 [20/0] via 10.1.1.100, 00:00:08


R2 sees no change and still learns the advertised default via EIGRP.

Resulting routing table for R2:
R2#show ip route | in 0.0.0.0
Gateway of last resort is 10.12.1.1 to network 0.0.0.0
D*   0.0.0.0/0 [90/2681856] via 10.12.1.1, 00:33:21, Fa0/1
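
To make the selection rules above concrete, here is an added example (not from the original post) in Python that models IOS route selection: longest prefix match first, then lowest AD among routes for the same prefix, with AD 255 never installed. It rebuilds R1's table for each state described above (summary at AD 5; summary at AD 220 with the eBGP default present; summary at AD 220 with the eBGP default withdrawn) and reports where a packet for an outside destination goes. The test destination 8.8.8.8 and R1's interface names are assumptions made for the example.

```python
"""Model of IOS route selection: longest prefix match first, then lowest
administrative distance (AD) among candidates for the same prefix, with
AD 255 meaning 'never install'.

Added example, not from the original post. Interface names for R1's links
(Fa0/0 toward the provider, Fa0/1 toward R2) and the destination 8.8.8.8
are assumptions.
"""
import ipaddress


class Route:
    def __init__(self, prefix, ad, next_hop, source):
        self.net = ipaddress.ip_network(prefix)
        self.ad = ad
        self.next_hop = next_hop      # "Null0" is the discard route
        self.source = source          # which process offered the route

    def __repr__(self):
        return f"{self.net} [{self.ad}] via {self.next_hop} ({self.source})"


class Rib:
    """All candidate routes; installed() and lookup() apply the IOS rules."""

    def __init__(self):
        self.candidates = []

    def add(self, route):
        self.candidates.append(route)

    def withdraw(self, source):
        """Drop every route offered by 'source' (e.g. the eBGP session going down)."""
        self.candidates = [r for r in self.candidates if r.source != source]

    def installed(self):
        """Per prefix, only the lowest-AD candidate is installed; AD 255 never is."""
        best = {}
        for r in self.candidates:
            if r.ad >= 255:
                continue
            cur = best.get(r.net)
            if cur is None or r.ad < cur.ad:
                best[r.net] = r
        return list(best.values())

    def lookup(self, dst):
        """Longest prefix match over installed routes; None means no route."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.installed() if addr in r.net]
        if not matches:
            return None
        return max(matches, key=lambda r: r.net.prefixlen)


def r1_table(summary_ad, ebgp_default_present=True):
    """R1's RIB with the EIGRP summary at the given AD, as in the post."""
    rib = Rib()
    rib.add(Route("10.1.1.0/24", 0, "Fa0/0", "connected"))     # link to provider (assumed name)
    rib.add(Route("10.12.1.0/24", 0, "Fa0/1", "connected"))    # link to R2
    if ebgp_default_present:
        rib.add(Route("0.0.0.0/0", 20, "10.1.1.100", "ebgp"))  # provider's default
    rib.add(Route("0.0.0.0/0", summary_ad, "Null0", "eigrp-summary"))
    return rib


def forwarding_decision(summary_ad, ebgp_default_present=True, dst="8.8.8.8"):
    """Next hop R1 uses for dst: 'Null0' if discarded, None if no route at all."""
    route = r1_table(summary_ad, ebgp_default_present).lookup(dst)
    return route.next_hop if route else None


if __name__ == "__main__":
    print("AD 5,   eBGP up  :", forwarding_decision(5))
    print("AD 220, eBGP up  :", forwarding_decision(220))
    print("AD 220, eBGP down:", forwarding_decision(220, ebgp_default_present=False))
    print("AD 255, eBGP down:", forwarding_decision(255, ebgp_default_present=False))
```

The AD 255 case is the one to think about before using it: with the discard route gone and the eBGP default withdrawn, R1 has no match at all for outside destinations, so it drops them just as Null0 would, but it also no longer advertises anything it can back with a local route.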





Sunday, April 15, 2012

Multiple Instance Spanning Tree Protocol (MSTP)


In this scenario, I have 4 switches connected in a ring with two links between each pair of neighbors. I want to configure MSTP in such a way that half of the VLANs use SW1 as the root bridge and the other half use SW2 as the root bridge. If either SW1 or SW2 were to fail, I want the remaining one of the two to take over as root for the failed device's instance. Additionally, I want SW3 to reach the root for instance 1 through SW4 by adjusting port cost, and SW4 to use Fa0/17 to reach the root of instance 2 by adjusting port priority.



To set a baseline; VLANs 10, 20, 30, and 40 are configured for the switching domain, and cabling has been done per the diagram.

I'll start by configuring MST instances 1 and 2 on all 4 switches (SW1 is shown). The region name, revision and VLAN-to-instance mapping must match on all four, or they will not form a single MST region.


SW1(config)#spanning-tree mode mst
SW1(config)#
SW1(config)#spanning-tree mst configuration 
SW1(config-mst)#name MST
SW1(config-mst)#revision 1
SW1(config-mst)#instance 1 vlan 10,30
SW1(config-mst)#instance 2 vlan 20,40
SW1(config-mst)#
SW1(config-mst)#do show spanning-tree mst configuration  
Name      [MST]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-9,11-19,21-29,31-39,41-4094
1         10,30
2         20,40
-------------------------------------------------------------------------------
SW1(config-mst)#exit
SW1(config)#


Note that with MST, any VLAN that I have not specifically configured for an instance will be found in MST instance 0.

To set the priority for an instance, I can use either the spanning-tree mst 'x' priority command or the spanning-tree mst 'x' root command. With the priority command I set the value explicitly; with the root command the switch picks a value for me (24576 for primary and 28672 for secondary, or lower if needed to beat the current root). Depending on the environment, it may be better to set the priority manually so that the value is predictable. For MST 1 I'll use the priority command, and for MST 2 I'll use the root command.


SW1(config)#spanning-tree mst 1 priority 0 
SW1(config)#spanning-tree mst 2 root secondary 
SW1(config)#


SW2(config)#spanning-tree mst 1 priority 4096
SW2(config)#spanning-tree mst 2 root primary 
SW2(config)#


Here are the MST 1 and 2 resulting outputs for Switch 1 and 2.


SW1(config)#do show spanning-tree mst 1

##### MST1    vlans mapped:   10,30
Bridge        address 0023.ab6f.b980  priority      1     (0 sysid 1)
Root          this switch for MST1

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 200000    128.15   P2p 
Fa0/14           Desg FWD 200000    128.16   P2p 
Fa0/16           Desg FWD 200000    128.18   P2p 
Fa0/17           Desg FWD 200000    128.19   P2p 

SW1(config)#do show spanning-tree mst 2

##### MST2    vlans mapped:   20,40
Bridge        address 0023.ab6f.b980  priority      28674 (28672 sysid 2)
Root          address 0014.a8e1.fa80  priority      24578 (24576 sysid 2)
              port    Fa0/13          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 200000    128.15   P2p 
Fa0/14           Altn BLK 200000    128.16   P2p 
Fa0/16           Desg FWD 200000    128.18   P2p 
Fa0/17           Desg FWD 200000    128.19   P2p 

SW1(config)#


SW2(config)#do show spanning-tree mst 1

##### MST1    vlans mapped:   10,30
Bridge        address 0014.a8e1.fa80  priority      4097  (4096 sysid 1)
Root          address 0023.ab6f.b980  priority      1     (0 sysid 1)
              port    Fa0/13          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 200000    128.15   P2p 
Fa0/14           Altn BLK 200000    128.16   P2p 
Fa0/19           Desg FWD 200000    128.21   P2p 
Fa0/20           Desg FWD 200000    128.22   P2p 

SW2(config)#do show spanning-tree mst 2

##### MST2    vlans mapped:   20,40
Bridge        address 0014.a8e1.fa80  priority      24578 (24576 sysid 2)
Root          this switch for MST2

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 200000    128.15   P2p 
Fa0/14           Desg FWD 200000    128.16   P2p 
Fa0/19           Desg FWD 200000    128.21   P2p 
Fa0/20           Desg FWD 200000    128.22   P2p 

SW2(config)#


Note that the output shows SW1 as the root for MST 1 and SW2 as the root for MST 2. SW1's priority for MST 2 makes it the next-best candidate if SW2 failed, and SW2's priority for MST 1 does the same for SW1. I can check the higher (worse) bridge priorities on SW3 and SW4 to confirm that neither of them would win such an election.


SW3#show spanning-tree mst 1

##### MST1    vlans mapped:   10,30
Bridge        address 000c.30fd.2e80  priority      32769 (32768 sysid 1)
Root          address 0023.ab6f.b980  priority      1     (0 sysid 1)
              port    Fa0/13          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 200000    128.13   P2p 
Fa0/14           Altn BLK 200000    128.14   P2p 
Fa0/19           Desg FWD 200000    128.19   P2p 
Fa0/20           Desg FWD 200000    128.20   P2p 

SW3#show spanning-tree mst 2

##### MST2    vlans mapped:   20,40
Bridge        address 000c.30fd.2e80  priority      32770 (32768 sysid 2)
Root          address 0014.a8e1.fa80  priority      24578 (24576 sysid 2)
              port    Fa0/13          cost          400000    rem hops 18

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Root FWD 200000    128.13   P2p 
Fa0/14           Altn BLK 200000    128.14   P2p 
Fa0/19           Altn BLK 200000    128.19   P2p 
Fa0/20           Altn BLK 200000    128.20   P2p 

SW3#


SW4#show spanning-tree mst 1

##### MST1    vlans mapped:   10,30
Bridge        address 000b.be51.a680  priority      32769 (32768 sysid 1)
Root          address 0023.ab6f.b980  priority      1     (0 sysid 1)
              port    Fa0/16          cost          400000    rem hops 18

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/16           Root FWD 200000    128.16   P2p 
Fa0/17           Altn BLK 200000    128.17   P2p 
Fa0/19           Altn BLK 200000    128.19   P2p 
Fa0/20           Altn BLK 200000    128.20   P2p 

SW4#show spanning-tree mst 2

##### MST2    vlans mapped:   20,40
Bridge        address 000b.be51.a680  priority      32770 (32768 sysid 2)
Root          address 0014.a8e1.fa80  priority      24578 (24576 sysid 2)
              port    Fa0/16          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/16           Root FWD 200000    128.16   P2p 
Fa0/17           Altn BLK 200000    128.17   P2p 
Fa0/19           Desg FWD 200000    128.19   P2p 
Fa0/20           Desg FWD 200000    128.20   P2p 

SW4#


Looking above, I can see that SW3's root port for MST 1 is currently Fa0/13 which is directly connected to SW1. In order for SW3 to use SW4 for its path to the root using port cost, I'll use 'show spanning-tree mst 1 detail' to learn how much I'll need to adjust the cost.


SW3#show spanning-tree mst 1 detail

##### MST1    vlans mapped:   10,30
Bridge        address 000c.30fd.2e80  priority      32769 (32768 sysid 1)
Root          address 0023.ab6f.b980  priority      1     (0 sysid 1)
              port    Fa0/13          cost          200000    rem hops 19

FastEthernet0/13 of MST1 is root forwarding 
Port info             port id         128.13  priority    128  cost      200000
Designated root       address 0023.ab6f.b980  priority      1  cost           0
Designated bridge     address 0023.ab6f.b980  priority      1  port id   128.18
Timers: message expires in 5 sec, forward delay 0, forward transitions 2
Bpdus (MRecords) sent 6072, received 4544

FastEthernet0/14 of MST1 is alternate blocking 
Port info             port id         128.14  priority    128  cost      200000
Designated root       address 0023.ab6f.b980  priority      1  cost           0
Designated bridge     address 0023.ab6f.b980  priority      1  port id   128.19
Timers: message expires in 4 sec, forward delay 0, forward transitions 1
Bpdus (MRecords) sent 15955, received 15033

FastEthernet0/19 of MST1 is designated forwarding 
Port info             port id         128.19  priority    128  cost      200000
Designated root       address 0023.ab6f.b980  priority      1  cost      200000
Designated bridge     address 000c.30fd.2e80  priority  32769  port id   128.19
Timers: message expires in 0 sec, forward delay 0, forward transitions 1
Bpdus (MRecords) sent 5677, received 7710

FastEthernet0/20 of MST1 is designated forwarding 
Port info             port id         128.20  priority    128  cost      200000
Designated root       address 0023.ab6f.b980  priority      1  cost      200000
Designated bridge     address 000c.30fd.2e80  priority  32769  port id   128.20
Timers: message expires in 0 sec, forward delay 0, forward transitions 2
Bpdus (MRecords) sent 13667, received 19642

SW3#    


I have a root path cost of 200000 through Fa0/13 and Fa0/14, while the BPDUs arriving on Fa0/19 and Fa0/20 carry SW4's root path cost of 400000, so going through SW4 would cost 600000 once the local port cost is added. I'll raise the cost on Fa0/13 and Fa0/14 well above that.


SW3#conf t       
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#interface range fa0/13 - 14
SW3(config-if-range)#spanning-tree mst 1 cost 20000000
SW3(config-if-range)#exit
SW3(config)# 
SW3(config)#do show spanning-tree mst 1

##### MST1    vlans mapped:   10,30
Bridge        address 000c.30fd.2e80  priority      32769 (32768 sysid 1)
Root          address 0023.ab6f.b980  priority      1     (0 sysid 1)
              port    Fa0/19          cost          600000    rem hops 17

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Altn BLK 20000000  128.13   P2p 
Fa0/14           Altn BLK 20000000  128.14   P2p 
Fa0/19           Root FWD 200000    128.19   P2p 
Fa0/20           Altn BLK 200000    128.20   P2p 

SW3(config)#


Looking above, I can see that SW4 is currently using Fa0/16 to reach the root bridge for MST 2. I'll make SW4 use Fa0/17 as its root port for MST 2 by changing the port priority on SW2. This adjustment must be done on SW2, not on SW4: when a switch has two ports with equal root path cost to the same designated bridge, it breaks the tie on the designated port ID carried in the received BPDUs, and only after that on its own port ID. Lowering the priority on SW2's Fa0/20 (which connects to SW4's Fa0/17) changes what SW4 receives; changing SW4's own port priority would not.


SW2(config)#interface fa0/20
SW2(config-if)#spanning-tree mst 2 port-priority 0
SW2(config-if)#
SW2(config-if)#do show spanning-tree mst 2

##### MST2    vlans mapped:   20,40
Bridge        address 0014.a8e1.fa80  priority      24578 (24576 sysid 2)
Root          this switch for MST2

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg FWD 200000    128.15   P2p 
Fa0/14           Desg FWD 200000    128.16   P2p 
Fa0/19           Desg FWD 200000    128.21   P2p 
Fa0/20           Desg FWD 200000      0.22   P2p 

SW2(config-if)#


With the port priority adjusted on SW2, I should now see on SW4 that Fa0/17 is the root port for MST 2.


SW4#show spanning-tree mst 2

##### MST2    vlans mapped:   20,40
Bridge        address 000b.be51.a680  priority      32770 (32768 sysid 2)
Root          address 0014.a8e1.fa80  priority      24578 (24576 sysid 2)
              port    Fa0/17          cost          200000    rem hops 19

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/16           Altn BLK 200000    128.16   P2p 
Fa0/17           Root FWD 200000    128.17   P2p 
Fa0/19           Desg FWD 200000    128.19   P2p 
Fa0/20           Desg FWD 200000    128.20   P2p 

SW4#
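
The two changes above hinge on the order in which a switch compares BPDUs when picking its root port. As an added example, not from the original post, the following Python model performs that election (lowest root ID, then root path cost, then sender bridge ID, then sender port ID, and only then the receiving port ID) with the bridge IDs and port numbers from the show output above; the contents of the BPDUs each port receives are reconstructed from that output and are an assumption of the example. It reproduces SW3 moving to Fa0/19 after the cost change and SW4 moving to Fa0/17 after SW2's priority change, and shows that setting the priority on SW4's own Fa0/17 instead would change nothing.

```python
"""Root port election as RSTP/MST performs it per instance, used to check the
two changes made above: SW3's cost change for MST 1 and SW2's port-priority
change for MST 2.

Added example, not from the original post. Bridge IDs and port numbers are
taken from the post's 'show spanning-tree mst' output; the BPDU contents each
port receives are reconstructed from that output (assumption).
"""


class Bpdu:
    """The fields of a received BPDU (MSTI record) that matter for the election."""

    def __init__(self, root, root_path_cost, sender, sender_port_id):
        self.root = root                      # (priority+sysid, MAC) of the root
        self.root_path_cost = root_path_cost  # sender's cost to the root
        self.sender = sender                  # (priority+sysid, MAC) of the sender
        self.sender_port_id = sender_port_id  # (port priority, port number) on the sender


def root_port(local_ports):
    """local_ports: list of (name, port_cost, own_port_id, received Bpdu).

    The best port has the lowest root priority vector:
    (root ID, root path cost + own port cost, sender bridge ID,
     sender port ID, own port ID). Own port ID is the LAST tiebreaker,
    which is why priority must be changed on the upstream (designated) side.
    Returns (port name, resulting root path cost)."""
    best = None
    for name, cost, own_id, bpdu in local_ports:
        vector = (bpdu.root, bpdu.root_path_cost + cost,
                  bpdu.sender, bpdu.sender_port_id, own_id)
        if best is None or vector < best[0]:
            best = (vector, name)
    return best[1], best[0][1]


# Bridge IDs from the post (priority includes the instance sysid).
SW1_MST1 = (1, "0023.ab6f.b980")       # root of MST 1
SW2_MST2 = (24578, "0014.a8e1.fa80")   # root of MST 2
SW3_MST2 = (32770, "000c.30fd.2e80")
SW4_MST1 = (32769, "000b.be51.a680")


def sw3_mst1_root_port(cost_on_fa013_14):
    """SW3's MST 1 election with the given port cost on its two links to SW1."""
    ports = [
        # direct links to the root: SW1 sends cost 0 from its Fa0/16 and Fa0/17
        ("Fa0/13", cost_on_fa013_14, (128, 13), Bpdu(SW1_MST1, 0, SW1_MST1, (128, 18))),
        ("Fa0/14", cost_on_fa013_14, (128, 14), Bpdu(SW1_MST1, 0, SW1_MST1, (128, 19))),
        # links to SW4, which is 400000 from the root
        ("Fa0/19", 200000, (128, 19), Bpdu(SW1_MST1, 400000, SW4_MST1, (128, 19))),
        ("Fa0/20", 200000, (128, 20), Bpdu(SW1_MST1, 400000, SW4_MST1, (128, 20))),
    ]
    return root_port(ports)


def sw4_mst2_root_port(sw2_fa020_priority=128, sw4_fa017_priority=128):
    """SW4's MST 2 election; SW2 Fa0/19 faces SW4 Fa0/16, SW2 Fa0/20 faces SW4 Fa0/17."""
    ports = [
        ("Fa0/16", 200000, (128, 16), Bpdu(SW2_MST2, 0, SW2_MST2, (128, 21))),
        ("Fa0/17", 200000, (sw4_fa017_priority, 17),
         Bpdu(SW2_MST2, 0, SW2_MST2, (sw2_fa020_priority, 22))),
        # links to SW3, which is 400000 from the MST 2 root (inferior, for completeness)
        ("Fa0/19", 200000, (128, 19), Bpdu(SW2_MST2, 400000, SW3_MST2, (128, 19))),
        ("Fa0/20", 200000, (128, 20), Bpdu(SW2_MST2, 400000, SW3_MST2, (128, 20))),
    ]
    return root_port(ports)


if __name__ == "__main__":
    print("SW3 MST1 before cost change :", sw3_mst1_root_port(200000))
    print("SW3 MST1 after cost change  :", sw3_mst1_root_port(20000000))
    print("SW4 MST2 default            :", sw4_mst2_root_port())
    print("SW4 MST2, SW2 Fa0/20 prio 0 :", sw4_mst2_root_port(sw2_fa020_priority=0))
    print("SW4 MST2, SW4 Fa0/17 prio 0 :", sw4_mst2_root_port(sw4_fa017_priority=0))
```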



Wednesday, April 11, 2012

Private VLANs


I want to simulate an environment where two customers - Customer A and Customer B - are supported by a service provider with private VLANs. In this scenario Customer A has two routers; R3 and R5, Customer B has a single router; R4, and the provider is offering Internet access with R1 and monitoring services to the Customers' loopback addresses with R2.



In this scenario, all router FastEthernet interfaces sit in primary VLAN 20 with addresses in the 10.20.1.0/24 space. With private VLANs, the provider can conserve VLANs and IP subnets by not assigning each customer their own VLAN ID. With this configuration I will allow both customers access to the services they need, while ensuring that they cannot reach each other.

Here's a baseline before I begin configuring the Private VLANs.

Switches:

Both switches have had their VTP domain names set to cisco, and have had their VTP modes set to transparent. Fa0/13 on both switches will serve as the trunk port. Currently, only VLAN 1 is configured.

Routers:

All routers have had their Fa0/0 interfaces configured with the IP and mask of 10.20.1.X/24, where X = the router number.

With a small Tcl ping script (PINGSCRIPT) on R3, I'll test connectivity to all devices.



R3#tclsh
R3(tcl)#proc PINGSCRIPT [] {
+>(tcl)#foreach IP {
+>(tcl)#10.20.1.1
+>(tcl)#10.20.1.2
+>(tcl)#10.20.1.3
+>(tcl)#10.20.1.4
+>(tcl)#10.20.1.5
+>(tcl)#} {
+>(tcl)#                set RESULT [exec "ping $IP repeat 3 timeout 1"];
+>(tcl)#if { [regexp "!!!"  $RESULT]} { puts "$IP OK"} else { puts "$IP Unreachable" }     
+>(tcl)#                }
+>(tcl)#  }


R3(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK


R3(tcl)#

Connectivity appears to be successful.

Note: there are three port types, or roles, used in private VLANs. Promiscuous ports can talk to all ports; isolated ports can talk only to promiscuous ports; and community ports can talk to other community ports in the same community, as well as to promiscuous ports.

In this scenario, R1 and R2's Fa0/0s are operating as Promiscuous ports, R3 and R5's Fa0/0s are operating as mutual Community Ports, and R4's Fa0/0 is operating as an Isolated port. After a successful Private VLAN configuration, I should be able to see that R3 and R5 can communicate within their own Community, as well as with the Promiscuous ports, but will not be able to speak to R4's Isolated port.

Starting with SW1, I'll configure primary and secondary VLANs, and associate the secondaries to the primary:

Sw1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Sw1(config)#vlan 21
Sw1(config-vlan)#name PVLAN_Community
Sw1(config-vlan)#private-vlan ?
  association       Configure association between private VLANs
  community         Configure the VLAN as a community private VLAN
  isolated          Configure the VLAN as an isolated private VLAN
  primary           Configure the VLAN as a primary private VLAN
  twoway-community  Configure the VLAN as a two way community private VLAN
Sw1(config-vlan)#private-vlan community
Sw1(config-vlan)#
Sw1(config-vlan)#vlan 22
Sw1(config-vlan)#name PVLAN_Isolated
Sw1(config-vlan)#private-vlan isolated
Sw1(config-vlan)#
Sw1(config-vlan)#vlan 20
Sw1(config-vlan)#name PVLAN_Primary
Sw1(config-vlan)#private-vlan primary
Sw1(config-vlan)#private-vlan association 21,22
Sw1(config-vlan)#exit
SW1(config)#do sh vlan b


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
20   PVLAN_Primary                    active    
21   PVLAN_Community                  active    
22   PVLAN_Isolated                   active    
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 
SW1(config)#

Next, I'll configure the individual port modes and map the private VLANs to the correct ports for R1, R3 and R5's switchports on SW1.


SW1(config)#int fa0/1
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 20 21,22
SW1(config-if)#
SW1(config-if)#int fa0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 20 21
SW1(config-if)#
SW1(config-if)#int fa0/5
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 20 21
SW1(config-if)#


I'll test connectivity from R1 to R3 and R5. I should not be able to connect to R4.



R1(tcl)#
R1(tcl)#proc PINGSCRIPT [] {
+>(tcl)#
+>(tcl)#foreach IP {
+>(tcl)#10.20.1.3
+>(tcl)#10.20.1.5
+>(tcl)#10.20.1.4
+>(tcl)#} { set RESULT [exec "ping $IP repeat 3 timeout 1"];
+>(tcl)#        if { [regexp "!!!"  $RESULT]} { puts "$IP OK"} else { puts "$IP Unreachable" }
+>(tcl)#}
+>(tcl)# }


R1(tcl)#PINGSCRIPT
10.20.1.3 OK
10.20.1.5 OK
10.20.1.4 Unreachable


Now I'll configure the primary and secondary VLANs on SW2 and associate the secondaries to the primary. I'll follow that by configuring the individual port modes and mapping the private VLANs to the correct ports for R2 and R4's switchports.


SW2(config)#vlan 21
SW2(config-vlan)#name PVLAN_Community
SW2(config-vlan)#private-vlan community
SW2(config-vlan)# 
SW2(config-vlan)#vlan 22
SW2(config-vlan)#name PVLAN_Isolated
SW2(config-vlan)#private-vlan isolated 
SW2(config-vlan)#vlan 20
SW2(config-vlan)#name PVLAN_Primary
SW2(config-vlan)#private-vlan association 21,22
SW2(config-vlan)#exit
SW2(config)#
SW2(config)#int fa0/4
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#
SW2(config-if)#switchport private-vlan host-association 20 22
SW2(config-if)#end
SW2#


At this point, I should have connectivity from R2 to all other routers' FastEthernet ports, but R4 should only have access to R1 and R2's FastEthernet ports.

R1:

R1(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK

R3:

R3(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 Unreachable
10.20.1.5 OK


R5:

R5(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 Unreachable
10.20.1.5 OK


R2:

R2(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK


R4:

R4(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 Unreachable
10.20.1.4 OK
10.20.1.5 Unreachable

Looks good!
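The reachability rules described above, applied to the five PINGSCRIPT runs, as an added example in Python (not part of the original post): it encodes each router's port role as the post assigns it, derives the reachability matrix a correct private VLAN configuration must produce, and flags any ping result that disagrees with it. The port map and ping results are copied from the post; the parsing assumes the "<ip> OK" / "<ip> Unreachable" lines PINGSCRIPT prints.

```python
from itertools import product

# Router -> (address, PVLAN port role, community id) as assigned in the post.
# R3 and R5 share one community (secondary VLAN 21); R4 sits in isolated VLAN 22.
PORTS = {
    "R1": ("10.20.1.1", "promiscuous", None),
    "R2": ("10.20.1.2", "promiscuous", None),
    "R3": ("10.20.1.3", "community", 21),
    "R4": ("10.20.1.4", "isolated", None),
    "R5": ("10.20.1.5", "community", 21),
}

def can_reach(src, dst):
    """True if private VLAN rules allow traffic from src to dst (same primary VLAN)."""
    if src == dst:
        return True                        # a router always answers its own address
    _, src_role, src_comm = PORTS[src]
    _, dst_role, dst_comm = PORTS[dst]
    if "promiscuous" in (src_role, dst_role):
        return True                        # promiscuous ports talk to every port
    if src_role == dst_role == "community":
        return src_comm == dst_comm        # community ports: same community only
    return False                           # anything else involves an isolated port

def expected_matrix():
    """Every (src, dst) pair with the reachability a correct PVLAN config must give."""
    return {(s, d): can_reach(s, d) for s, d in product(PORTS, PORTS)}

def parse_pingscript(router, output):
    """PINGSCRIPT output from one router -> {(router, target): reachable}."""
    by_ip = {addr: name for name, (addr, _, _) in PORTS.items()}
    results = {}
    for line in output.strip().splitlines():
        ip, status = line.split()
        results[(router, by_ip[ip])] = status == "OK"
    return results

# PINGSCRIPT output copied from the post, taken after both switches were configured.
OBSERVED_OUTPUT = {
    "R1": "10.20.1.1 OK\n10.20.1.2 OK\n10.20.1.3 OK\n10.20.1.4 OK\n10.20.1.5 OK",
    "R2": "10.20.1.1 OK\n10.20.1.2 OK\n10.20.1.3 OK\n10.20.1.4 OK\n10.20.1.5 OK",
    "R3": "10.20.1.1 OK\n10.20.1.2 OK\n10.20.1.3 OK\n10.20.1.4 Unreachable\n10.20.1.5 OK",
    "R4": "10.20.1.1 OK\n10.20.1.2 OK\n10.20.1.3 Unreachable\n10.20.1.4 OK\n10.20.1.5 Unreachable",
    "R5": "10.20.1.1 OK\n10.20.1.2 OK\n10.20.1.3 OK\n10.20.1.4 Unreachable\n10.20.1.5 OK",
}

def find_violations(observed_output=OBSERVED_OUTPUT):
    """(src, dst, expected, observed) for every pair where the lab disagrees with the model.

    An unexpected True is a segmentation leak (e.g. the isolated port reaching a
    community port); an unexpected False is a service the customer should have but lost.
    """
    expected = expected_matrix()
    observed = {}
    for router, out in observed_output.items():
        observed.update(parse_pingscript(router, out))
    return sorted((s, d, expected[(s, d)], observed[(s, d)])
                  for (s, d) in observed if expected[(s, d)] != observed[(s, d)])

if __name__ == "__main__":
    print(find_violations() or "PVLAN reachability matches the observed pings")
```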

Tuesday, January 17, 2012

EIGRP - Authentication and Summarization with Leak-Maps


I have R1, R2, and R3, and I want to configure EIGRP with MD5 authentication and time-based key rotation. Additionally, I want to redistribute RIP into EIGRP. I want to follow up the redistribution by summarizing a default route from R1, and then leak a single network along with the default route.


(All interfaces have already been assigned)


I'll start by configuring RIPv2 on R1.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config-if)#router rip    
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#net 10.10.1.1
R1(config-router)#net 10.11.1.1
R1(config-router)#do show ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 0 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2                                  
    Loopback10            2     2                                  
    Loopback11            2     2                                  
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    10.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)

Next, I'll configure EIGRP with autonomous system 1.

R1(config)#router eigrp 1
R1(config-router)#network 10.1.12.1 0.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#do show ip protocols
<...RIPv2 output suppressed>
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.1.12.1/32
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: internal 90 external 170

I'll configure EIGRP 1 for R2 and R3.

R2(config)#router eigrp 1
R2(config-router)#network 10.1.12.2 0.0.0.0
R2(config-router)#network
*Mar  1 00:39:46.683: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency
R2(config-router)#network 10.1.23.2 0.0.0.0
R2(config-router)#do show ip protocols
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.1.12.2/32
    10.1.23.2/32
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: internal 90 external 170


R3(config)#router eigrp 1
R3(config-router)#network 10.1.23.3 0.0.0.0
R3(config-router)#
*Mar  1 00:40:44.511: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.2 (FastEthernet0/0) is up: new adjacency
R3(config-router)#do show ip protocols
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    10.1.23.3/32
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.1.23.2             90      00:00:06
  Distance: internal 90 external 170

Now, I'll look at the routing tables of each device.

R1#show ip route | exclude -


Gateway of last resort is not set


     10.0.0.0/24 is subnetted, 4 subnets
C       10.11.1.0 is directly connected, Loopback11
C       10.10.1.0 is directly connected, Loopback10
C       10.1.12.0 is directly connected, FastEthernet0/0
D       10.1.23.0 [90/307200] via 10.1.12.2, 00:02:22, FastEthernet0/0


R2#sh ip route | exclude -


Gateway of last resort is not set


     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.12.0 is directly connected, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/1
R2#


R3#show ip route | exclude -


Gateway of last resort is not set


     10.0.0.0/24 is subnetted, 2 subnets
D       10.1.12.0 [90/307200] via 10.1.23.2, 00:02:24, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/0
R3#

I notice that neither R2 nor R3 has a route to R1's loopback networks. I also notice that no gateway of last resort is set on any router.
Next, I'll look at each device's protocol databases: the RIP database on R1 and the EIGRP topology table on each router.

R1#show ip rip database
10.0.0.0/8    auto-summary
10.1.12.0/24    directly connected, FastEthernet0/0
10.10.1.0/24    directly connected, Loopback10
10.11.1.0/24    directly connected, Loopback11


R1#show ip eigrp topology | exclude -


P 10.1.12.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 307200
        via 10.1.12.2 (307200/281600), FastEthernet0/0


R2#show ip eigrp topology | exclude -


P 10.1.12.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/1


R3#show ip eigrp topology | exclude -


P 10.1.12.0/24, 1 successors, FD is 307200
        via 10.1.23.2 (307200/281600), FastEthernet0/0
P 10.1.23.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
R3#


Now I'll verify the EIGRP neighbors, ensuring that the queue count (Q Cnt) is zero. If this value were not zero, I would need to troubleshoot the cause of the increasing queue count.

R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.12.2               Fa0/0             13 07:35:11   31  5000  0  4


R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.1.23.3               Fa0/1             14 07:34:22   56   336  0  4
0   10.1.12.1               Fa0/0             12 07:35:19 1027  5000  0  3


R3#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.1.23.2               Fa0/0             11 07:34:33   61   366  0  7


Something I've seen asked several times is: what does the H value mean? According to Cisco's 12.4T EIGRP command reference, this column lists the order in which a peering session was established with the specified neighbor, numbered sequentially starting with 0.


Now that the EIGRP neighbor relationship, topology and routing tables are displaying expected results, I want to configure MD5 authentication for EIGRP. Since I will be doing key rotation based on time, I will configure R2 as the NTP master with a stratum of 1, and point R1 and R3 there for time.

R2#show clock
08:25:26.269 UTC Fri Mar 1 2002
R2#clock set 00:40:00 17 Jan 2012
R2#
.Jan 17 00:40:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 08:27:01 UTC Fri Mar 1 2002 to 00:40:00 UTC Tue Jan 17 2012, configured from console by console.
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ntp master 1
R2(config)#do sh ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1      .LOCL.            1     9    64  377     0.0    0.00     0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R2(config)#

R1#sh clock
*08:26:22.657 UTC Fri Mar 1 2002
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ntp server 10.1.12.2
R1(config)#do show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.12.2        .LOCL.            1     0    64   77    23.9   10.05    10.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R1(config)#do sh clock
00:46:45.522 UTC Tue Jan 17 2012

R3#show clock
*08:34:33.645 UTC Fri Mar 1 2002
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ntp server 10.1.23.2
R3(config)#do show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.23.2        .LOCL.            1     0    64    7    11.9  -15.88  3878.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3(config)#do sh clock
00:48:26.877 UTC Tue Jan 17 2012
R3(config)#

Now, with time synchronized across the devices, I'll create a key chain with two keys on each device. The first key will remain valid for the next 12 hours; at that point the second key becomes valid and remains so indefinitely. Note that a space is a valid character in a key string.

R1(config)#key chain KC_EIGRP_1
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string CISCO-NOW
R1(config-keychain-key)#send-lifetime 00:40:00 17 Jan 2012 12:40:00 17 Jan 2012
R1(config-keychain-key)#accept-lifetime 00:40:00 17 Jan 2012 12:40:00 17 Jan 2012
R1(config-keychain-key)#key 2
R1(config-keychain-key)#key-string CISCO-LATER
R1(config-keychain-key)#send-lifetime 12:40:00 17 Jan 2012 infinite
R1(config-keychain-key)#accept-lifetime 12:40:00 17 Jan 2012 infinite


R2(config)#key chain KC_EIGRP_1
R2(config-keychain)#key 1
R2(config-keychain-key)#key-string CISCO-NOW
R2(config-keychain-key)#accept-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012  
R2(config-keychain-key)#send-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012    
R2(config-keychain-key)#key 2
R2(config-keychain-key)#key-string CISCO-LATER
R2(config-keychain-key)#accept-lifetime 12:40:00 Jan 17 2012 infinite
R2(config-keychain-key)#send-lifetime 12:40:00 Jan 17 2012 infinite


R3(config)#key chain KC_EIGRP_1
R3(config-keychain)#key 1
R3(config-keychain-key)#key-string CISCO-NOW
R3(config-keychain-key)#accept-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012  
R3(config-keychain-key)#send-lifetime 00:40:00 Jan 17 2012 12:40:00 Jan 17 2012    
R3(config-keychain-key)#key 2
R3(config-keychain-key)#key-string CISCO-LATER
R3(config-keychain-key)#accept-lifetime 12:40:00 Jan 17 2012 infinite
R3(config-keychain-key)#send-lifetime 12:40:00 Jan 17 2012 infinite


Verify the key chain on R1:

R1#show key chain
Key-chain KC_EIGRP_1:
    key 1 -- text "CISCO-NOW"
        accept lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012) [valid now]
        send lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012) [valid now]
    key 2 -- text "CISCO-LATER"
        accept lifetime (12:40:00 UTC Jan 17 2012) - (infinite)
        send lifetime (12:40:00 UTC Jan 17 2012) - (infinite)


With the keys configured on each device, I will configure the interfaces for EIGRP authentication.

R1(config)#interface fa0/0
R1(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1  
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#
Jan 17 01:11:53.746: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: keychain changed
Jan 17 01:11:53.982: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is up: new adjacency
Jan 17 01:11:54.418: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is down: authentication mode changed


R2(config)#interface fa0/0
R2(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1  
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#
Jan 17 01:13:07.463: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.1 (FastEthernet0/0) is up: new adjacency


R2(config-if)#interface fa0/1
R2(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1  
R2(config-if)#ip authentication mode eigrp 1 md5
R2(config-if)#
Jan 17 01:13:37.947: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.3 (FastEthernet0/1) is down: keychain changed


R3(config)#interface fa0/0
R3(config-if)#ip authentication key-chain eigrp 1 KC_EIGRP_1  
R3(config-if)#ip authentication mode eigrp 1 md5
R3(config-if)#
Jan 17 01:14:20.018: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.23.2 (FastEthernet0/0) is up: new adjacency


I'll verify that EIGRP authentication is working properly with Key 1. I will check later to verify that the key change occurs at the correct time.

R1#debug eigrp packets hello
EIGRP Packets debugging is on
    (HELLO)
R1#
Jan 17 01:23:19.207: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:23:19.207: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.12.2
Jan 17 01:23:19.207:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0


R2#debug eigrp packets hello
EIGRP Packets debugging is on
    (HELLO)
R2#
Jan 17 01:24:46.795: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:24:46.795: EIGRP: Received HELLO on FastEthernet0/1 nbr 10.1.23.3
Jan 17 01:24:46.795:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Jan 17 01:24:48.975: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 01:24:48.975: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.12.1
Jan 17 01:24:48.979:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0


R3#debug eigrp packet hello
EIGRP Packets debugging is on
    (HELLO)
R3#
Jan 17 03:36:41.447: EIGRP: received packet with MD5 authentication, key id = 1
Jan 17 03:36:41.451: EIGRP: Received HELLO on FastEthernet0/0 nbr 10.1.23.2
Jan 17 03:36:41.451:   AS 1, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0


Now I'll redistribute the RIP routes into EIGRP and verify that the RIP networks are visible on R3.

R1(config)#router eigrp 1
R1(config-router)#redistribute rip metric 10000 1 255 1 1500


R3#sh ip route | ex -


Gateway of last resort is not set


     10.0.0.0/24 is subnetted, 4 subnets
D EX    10.11.1.0 [170/307456] via 10.1.23.2, 00:01:05, FastEthernet0/0
D EX    10.10.1.0 [170/307456] via 10.1.23.2, 00:01:05, FastEthernet0/0
D       10.1.12.0 [90/307200] via 10.1.23.2, 03:09:18, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/0


Now I'll summarize a default route from R1 toward R2's interface and view the results on R3.

R1(config)#interface fa0/0
R1(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
R1(config-if)#
Jan 17 03:52:10.316: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is resync: summary configured


R3#sh ip route | ex -


Gateway of last resort is 10.1.23.2 to network 0.0.0.0


     10.0.0.0/24 is subnetted, 2 subnets
D       10.1.12.0 [90/307200] via 10.1.23.2, 03:11:34, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/0
D*   0.0.0.0/0 [90/307456] via 10.1.23.2, 00:00:49, FastEthernet0/0
R3#ping 10.10.1.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/60 ms
R3#ping 10.11.1.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/41/60 ms


I see that the gateway of last resort is now set, and I still have reachability to the loopback networks on R1. Although I don't need the loopback networks in R3's routing table for reachability, I still want to meet my requirement of leaking a single network along with the default route, using a leak-map.

R1(config)#ip prefix-list LM_LEAK permit 10.10.1.0/24
R1(config)#route-map RM_LEAK permit 10
R1(config-route-map)#match ip address prefix LM_LEAK
R1(config-route-map)#exit
R1(config)#interface fa0/0
R1(config-if)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0 leak-map RM_LEAK
R1(config-if)#
Jan 17 03:59:20.693: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.1.12.2 (FastEthernet0/0) is resync: summary configured


Now on R3, I should see the 10.10.1.0/24 network leaked from the summary route.

R3#show ip route | ex -


Gateway of last resort is 10.1.23.2 to network 0.0.0.0


     10.0.0.0/24 is subnetted, 3 subnets
D EX    10.10.1.0 [170/307456] via 10.1.23.2, 00:00:57, FastEthernet0/0
D       10.1.12.0 [90/307200] via 10.1.23.2, 03:18:52, FastEthernet0/0
C       10.1.23.0 is directly connected, FastEthernet0/0
D*   0.0.0.0/0 [90/307456] via 10.1.23.2, 00:00:57, FastEthernet0/0


At this point, I'll set the NTP master clock to 11:40, and see what happens after lunch!

R2#show key chain
Key-chain KC_EIGRP_1:
    key 1 -- text "CISCO-NOW"
        accept lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012)
        send lifetime (00:40:00 UTC Jan 17 2012) - (12:40:00 UTC Jan 17 2012)
    key 2 -- text "CISCO-LATER"
        accept lifetime (12:40:00 UTC Jan 17 2012) - (infinite) [valid now]
        send lifetime (12:40:00 UTC Jan 17 2012) - (infinite) [valid now]


R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.1.23.3               Fa0/1             14 10:06:05   77   462  0  20
0   10.1.12.1               Fa0/0             11 10:06:08   68   408  0  44
R2#


Looks as expected.