Wednesday, February 28, 2018

IOS XR 6.0 Telnet and SSH for Remote Access

telnet vrf default ipv4 server max-servers 10
username test password test
domain name rit.com
commit

crypto key generate rsa general-keys 


The name for the keys will be: the_default
 Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [1024]:
Generating RSA keys ...
Done w/ crypto generate keypair
[OK]

control-plane
 management-plane
  inband
   interface all
    allow SSH
    allow Telnet

Now it's time to test Telnet and SSH access. We'll test Telnet first and then SSH.

R2#telnet 172.16.100.11
Trying 172.16.100.11 ... Open



IMPORTANT:  READ CAREFULLY
Welcome to the Demo Version of Cisco IOS XRv (the "Software").
The Software is subject to and governed by the terms and conditions
of the End User License Agreement and the Supplemental End User
License Agreement accompanying the product, made available at the
time of your order, or posted on the Cisco website at
www.cisco.com/go/terms (collectively, the "Agreement").
As set forth more fully in the Agreement, use of the Software is
strictly limited to internal use in a non-production environment
solely for demonstration and evaluation purposes.  Downloading,
installing, or using the Software constitutes acceptance of the
Agreement, and you are binding yourself and the business entity
that you represent to the Agreement.  If you do not agree to all
of the terms of the Agreement, then Cisco is unwilling to license
the Software to you and (a) you may not download, install or use the
Software, and (b) you may return the Software as more fully set forth
in the Agreement.


Please login with any configured user/password, or cisco/cisco


User Access Verification

Username: test
Password:


RP/0/0/CPU0:XR1#

Telnet works!


RP/0/0/CPU0:Feb 28 23:57:38.765 : cinetd[159]: %SECURITY-MPP-6-MSG_INFO : Updated Management Plane configuration for service: telnet

Let's test SSH to make sure it works as well.

R2#ssh -l test 172.16.100.11


IMPORTANT:  READ CAREFULLY
Welcome to the Demo Version of Cisco IOS XRv (the "Software").
The Software is subject to and governed by the terms and conditions
of the End User License Agreement and the Supplemental End User
License Agreement accompanying the product, made available at the
time of your order, or posted on the Cisco website at
www.cisco.com/go/terms (collectively, the "Agreement").
As set forth more fully in the Agreement, use of the Software is
strictly limited to internal use in a non-production environment
solely for demonstration and evaluation purposes.  Downloading,
installing, or using the Software constitutes acceptance of the
Agreement, and you are binding yourself and the business entity
that you represent to the Agreement.  If you do not agree to all
of the terms of the Agreement, then Cisco is unwilling to license
the Software to you and (a) you may not download, install or use the
Software, and (b) you may return the Software as more fully set forth
in the Agreement.


Please login with any configured user/password, or cisco/cisco



Password:


RP/0/0/CPU0:XR1#


RP/0/0/CPU0:XR1(config-mpp-inband)#RP/0/0/CPU0:Feb 28 23:57:38.765 : SSHD_[1135]: %SECURITY-MPP-6-MSG_INFO : Updated Management Plane configuration for service: ssh


RP/0/0/CPU0:XR1(config-mpp-inband)#RP/0/0/CPU0:Feb 28 23:58:00.003 : exec[65830]: %SECURITY-LOGIN-6-AUTHEN_SUCCESS : Successfully authenticated user 'test' from '10.2.3.2' on 'vty0'
RP/0/0/CPU0:Mar  1 00:01:50.598 : exec[65830]: %SECURITY-LOGIN-6-CLOSE : User 'test' logged out
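The sessions above leave %SECURITY-MPP and %SECURITY-LOGIN syslog messages behind, and because the management-plane policy here is "interface all", those messages are the main record of who reached the box from where. The parser below is an added example (my own code, not Cisco's and not part of the original post) that splits an IOS XR syslog line into its node, timestamp, process, facility, severity and mnemonic, pulls the user, source address and line out of AUTHEN_SUCCESS messages, and flags successful logins whose source is outside an allowed management network. The sample lines are constructed from the messages shown in this post, and the allowed network 10.2.3.0/24 is an assumption for the sake of the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample, modelled on the IOS XR messages shown in this post
SAMPLE_LOG = """\
RP/0/0/CPU0:Feb 28 23:57:38.765 : cinetd[159]: %SECURITY-MPP-6-MSG_INFO : Updated Management Plane configuration for service: telnet
RP/0/0/CPU0:Feb 28 23:57:38.765 : SSHD_[1135]: %SECURITY-MPP-6-MSG_INFO : Updated Management Plane configuration for service: ssh
RP/0/0/CPU0:Feb 28 23:58:00.003 : exec[65830]: %SECURITY-LOGIN-6-AUTHEN_SUCCESS : Successfully authenticated user 'test' from '10.2.3.2' on 'vty0'
RP/0/0/CPU0:Mar  1 00:01:50.598 : exec[65830]: %SECURITY-LOGIN-6-CLOSE : User 'test' logged out
"""

# Header of an IOS XR syslog line: node, timestamp, process[pid], %FACILITY-SEVERITY-MNEMONIC, text
_HEADER = re.compile(
    r"^(?P<node>RP/\d+/\d+/CPU\d+):"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) : "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"%(?P<facility>[A-Z_]+(?:-[A-Z_]+)*)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+) : "
    r"(?P<text>.*)$"
)
# Message-specific field extractors
_AUTH_OK = re.compile(r"Successfully authenticated user '(?P<user>[^']+)' from '(?P<src>[^']+)' on '(?P<line>[^']+)'")
_LOGOUT = re.compile(r"User '(?P<user>[^']+)' logged out")
_MPP = re.compile(r"configuration for service: (?P<service>\w+)")


@dataclass
class SyslogEvent:
    timestamp: str
    process: str
    facility: str
    severity: int
    mnemonic: str
    fields: Dict[str, str]  # user/src/line, user, or service, depending on the message


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Parse one IOS XR syslog line; returns None for lines that are not syslog messages."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for pattern in (_AUTH_OK, _LOGOUT, _MPP):
        d = pattern.search(m.group("text"))
        if d:
            fields = d.groupdict()
            break
    return SyslogEvent(m.group("ts"), m.group("proc"), m.group("facility"),
                       int(m.group("severity")), m.group("mnemonic"), fields)


def parse_log(text: str) -> List[SyslogEvent]:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev is not None]


def mpp_services(events: Iterable[SyslogEvent]) -> List[str]:
    """Services whose Management Plane Protection configuration was updated, in log order."""
    return [ev.fields["service"] for ev in events
            if ev.mnemonic == "MSG_INFO" and "service" in ev.fields]


def logins_outside(events: Iterable[SyslogEvent], allowed_networks: Iterable[str]) -> List[SyslogEvent]:
    """Successful logins whose source address is not inside any allowed management network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for ev in events:
        if ev.mnemonic != "AUTHEN_SUCCESS" or "src" not in ev.fields:
            continue
        try:
            src = ipaddress.ip_address(ev.fields["src"])
        except ValueError:  # unparsable source: treat as suspicious rather than silently skip
            flagged.append(ev)
            continue
        if not any(src in net for net in nets):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("MPP updated for:", mpp_services(evs))
    for ev in logins_outside(evs, ["10.2.3.0/24"]):
        print("login from outside management network:", ev.fields)
```

With the allowed network set to 10.2.3.0/24 the login from 10.2.3.2 passes; narrowing the list to a network that does not contain it makes the same event show up as flagged, which is the check worth running on a box whose management plane accepts SSH and Telnet on every interface.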

Tuesday, February 27, 2018

CCIE SPv4 - LISP or Locator ID Separation Protocol


LISP, or Locator/ID Separation Protocol, is an interesting technology designed to decouple an endpoint's identity from the location where it resides. Normal routing, like you're probably used to working with, is destination based: a subnet block is assigned to a site and then subnetted further as needed. From the other sites' perspective, the site block is typically the longest match, until routing gets inside the site, where the longest match eventually becomes a /32 or host route. The key point is that the rest of the network sees the endpoint as part of a location or site. LISP is designed to allow an endpoint to be moved between sites without its IP information changing. We won't be demoing VM mobility; we will be demoing the core operation of LISP.

LISP has many individual components that enable it to work. The following is a list of the components that make up LISP and what they do.

EID - Endpoint ID, this is the server's IP address
RLOC - Routing Locator, this is the router's interface IP address
M-DB - Mapping Database, this is the association between the EID and the RLOC
MS - Map Server, this holds the EID to RLOC mappings; similar to DNS in operation
MR - Map Resolver, this is used to respond to map-request messages
MS/MR - combined MR and MS on the same device. If the MR and MS are on different devices, the ALT mechanism is used to communicate between them
iTR - Ingress Tunnel Router, this is used to ask the Map Resolver for the EID to RLOC mapping. It encapsulates packets in LISP (over UDP).
eTR - Egress Tunnel Router, this is used to decapsulate LISP and forward to the destination. It also registers the EID/RLOC mapping with the Map Server
xTR - combines the eTR and iTR on the same device.

In the above topology, R1 will be the MR/MS serving both IPv4 and IPv6. R5-R8 are customer endpoints that will use LISP to achieve reachability. A default route on each of the customer devices, for IPv4 and IPv6, is used to enable connectivity to the core of the network. The loopbacks of the customer devices are not advertised; they use LISP encapsulation to achieve reachability. We will configure the customer devices first and then the MR/MS. The key thing to remember here is that the customer devices only need to be able to reach the MR/MS; how they reach it is irrelevant.

We'll test reachability to R1.

R5#ping 10.1.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms
R5#ping 2001:1:3::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1:3::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/10 ms



R5
router lisp
 eid-table default instance-id 1
  database-mapping 172.16.100.5/32 IPv4-interface GigabitEthernet1.35 priority 10 weight 10
  database-mapping FC00:100::5/128 IPv6-interface GigabitEthernet1.35 priority 10 weight 10
  ipv4 itr map-resolver 10.1.3.1
  ipv4 itr
  ipv4 etr map-server 10.1.3.1 key R5
  ipv4 etr
  ipv6 itr map-resolver 2001:1:3::1
  ipv6 itr
  ipv6 etr map-server 2001:1:3::1 key R5
  ipv6 etr
  exit

R6
router lisp
 eid-table default instance-id 1
  database-mapping 172.16.100.6/32 IPv4-interface GigabitEthernet1.613 priority 10 weight 10
  database-mapping FC00:100::6/128 IPv6-interface GigabitEthernet1.613 priority 10 weight 10
  ipv4 itr map-resolver 10.1.3.1
  ipv4 itr
  ipv4 etr map-server 10.1.3.1 key R6
  ipv4 etr
  ipv6 itr map-resolver 2001:1:3::1
  ipv6 itr
  ipv6 etr map-server 2001:1:3::1 key R6
  ipv6 etr
  exit

R7
router lisp
 eid-table default instance-id 1
  database-mapping 172.16.100.7/32 IPv4-interface GigabitEthernet1.147 priority 10 weight 10
  database-mapping FC00:100::7/128 IPv6-interface GigabitEthernet1.147 priority 10 weight 10
  ipv4 itr map-resolver 10.1.3.1
  ipv4 itr
  ipv4 etr map-server 10.1.3.1 key R7
  ipv4 etr
  ipv6 itr map-resolver 2001:1:3::1
  ipv6 itr
  ipv6 etr map-server 2001:1:3::1 key R7
  ipv6 etr
  exit

R8
router lisp
 eid-table default instance-id 1
  database-mapping 172.16.100.8/32 IPv4-interface GigabitEthernet1.48 priority 10 weight 10
  database-mapping FC00:100::8/128 IPv6-interface GigabitEthernet1.48 priority 10 weight 10
  ipv4 itr map-resolver 10.1.3.1
  ipv4 itr
  ipv4 etr map-server 10.1.3.1 key R8
  ipv4 etr
  ipv6 itr map-resolver 2001:1:3::1
  ipv6 itr
  ipv6 etr map-server 2001:1:3::1 key R8
  ipv6 etr
  exit


We'll configure the MR/MS on R1 and then test reachability.

router lisp
 site R5
  authentication-key R5
  eid-prefix instance-id 1 172.16.100.5/32
  eid-prefix instance-id 1 FC00:100::5/128
  exit
 !
 site R6
  authentication-key R6
  eid-prefix instance-id 1 172.16.100.6/32
  eid-prefix instance-id 1 FC00:100::6/128
  exit
 !
 site R7
  authentication-key R7
  eid-prefix instance-id 1 172.16.100.7/32
  eid-prefix instance-id 1 FC00:100::7/128
  exit
 !
 site R8
  authentication-key R8
  eid-prefix instance-id 1 172.16.100.8/32
  eid-prefix instance-id 1 FC00:100::8/128
  exit    
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv6 map-server
 ipv6 map-resolver
 exit

Now that we have configured everything, there are a couple of debugs we need to enable to verify that LISP is indeed working.

debug lisp control-plane map-server-map-request
debug lisp control-plane map-server-registration

I apply these debugs to R5 and R1. We'll kick off pings from R5's loopback to R8's loopback.

R5#ping 172.16.100.8 source lo0 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.16.100.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.100.5 
..!!!!!!!!
Success rate is 80 percent (8/10), round-trip min/avg/max = 31/50/85 ms


R1 MR/MS Debug output

*Feb 27 20:39:57.608: LISP: Received map request for IID 1 172.16.100.8/32, source_eid IID 1 172.16.100.5, ITR-RLOCs: 10.3.5.5 2001:3:5::5, records 1, nonce 0x7A8E686A-0x4DBE7E22
*Feb 27 20:39:57.608: LISP-0: MS EID IID 1 prefix 172.16.100.8/32 site R8, Forwarding map request to ETR RLOC 10.4.8.8.
*Feb 27 20:39:59.718: LISP: Processing received Encap-Control(8) message on GigabitEthernet1.111 from 10.4.8.8:4342 to 10.1.3.1:4342
*Feb 27 20:39:59.718: LISP: Processing received Map-Request(1) message on GigabitEthernet1.111 from 172.16.100.5:4342 to 172.16.100.5:4342
*Feb 27 20:39:59.718: LISP: Received map request for IID 1 172.16.100.5/32, source_eid IID 1 172.16.100.8, ITR-RLOCs: 10.4.8.8 2001:4:8::8, records 1, nonce 0x2201BAFC-0x8C9419A4
*Feb 27 20:39:59.718: LISP-0: MS EID IID 1 prefix 172.16.100.5/32 site R5, Forwarding map request to ETR RLOC 10.3.5.5.
*Feb 27 20:40:05.821: LISP: Processing received Map-Register(3) message on GigabitEthernet1.13 from 10.3.5.5:4342 to 10.1.3.1:4342
*Feb 27 20:40:05.821: LISP: Processing Map-Register no proxy, map-notify, no merge, no security, no mobile-node, not to-RTR, no fast-map-register, no EID-notify, ID-included, 1 record, nonce 0x7512519E-0x955C6AEB, key-id 1, auth-data-len 20, hash-function sha1, xTR-ID 0xAF71BB66-0x921F3EDE-0x29EA8B9A-0x981D5175, site-ID unspecified
*Feb 27 20:40:05.821: LISP: Processing Map-Register mapping record for IID 1 172.16.100.5/32, ttl 1440, action none, authoritative, 1 locator
        10.3.5.5 pri/wei=10/10 LpR
*Feb 27 20:40:05.821: LISP-0: MS registration IID 1 prefix 172.16.100.5/32 10.3.5.5 site R5, Updating.
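The debug output shows the two halves of the control plane described in the component list: an ETR sending a Map-Register that R1 authenticates against the site's key (key-id 1, hash-function sha1, auth-data-len 20) before updating the mapping database, and an ITR's Map-Request being answered from that database. The Python below is an added example, my own model and not Cisco's implementation or code from this post, of a map server built from the R1 site configuration above: it accepts a registration only when the EID prefix falls inside a configured eid-prefix for the matching instance-id and the HMAC-SHA1 over the record verifies with that site's authentication-key, and it resolves EIDs by longest-prefix match. It simplifies the real protocol by computing the HMAC over a flat text encoding of the record rather than over the wire-format message with the authentication field zeroed. The RLOCs 10.3.5.5 and 10.4.8.8 are taken from the debug output; any other addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Prefix = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Locator:
    rloc: str
    priority: int
    weight: int


@dataclass
class Site:
    name: str
    auth_key: bytes
    eid_prefixes: List[Tuple[int, Prefix]]  # (instance-id, prefix), as in 'eid-prefix instance-id 1 ...'


@dataclass
class MapRegister:
    instance_id: int
    eid_prefix: str
    locators: List[Locator]
    auth_data: bytes  # HMAC-SHA1 digest, 20 bytes like 'auth-data-len 20, hash-function sha1'


def register_payload(iid: int, eid_prefix: str, locators: List[Locator]) -> bytes:
    # Bytes the HMAC covers in this simplified model. The real Map-Register is authenticated
    # over the whole message with the authentication-data field zeroed; the principle is the same.
    locs = ",".join(f"{loc.rloc}/{loc.priority}/{loc.weight}" for loc in locators)
    return f"{iid}|{eid_prefix}|{locs}".encode()


def make_register(key: bytes, iid: int, eid_prefix: str, locators: List[Locator]) -> MapRegister:
    """What an ETR does: sign its EID record with the key configured under 'etr map-server ... key'."""
    auth = hmac.new(key, register_payload(iid, eid_prefix, locators), hashlib.sha1).digest()
    return MapRegister(iid, eid_prefix, locators, auth)


class MapServer:
    def __init__(self, sites: List[Site]):
        self.sites = sites
        # mapping database: (instance-id, EID prefix) -> (site name, locator set)
        self.mappings: Dict[Tuple[int, Prefix], Tuple[str, List[Locator]]] = {}

    def site_for(self, iid: int, prefix: Prefix) -> Optional[Site]:
        """Configured site whose eid-prefix covers this registration (longest cover wins)."""
        best, best_len = None, -1
        for site in self.sites:
            for s_iid, cover in site.eid_prefixes:
                if s_iid == iid and cover.version == prefix.version and prefix.subnet_of(cover):
                    if cover.prefixlen > best_len:
                        best, best_len = site, cover.prefixlen
        return best

    def register(self, reg: MapRegister) -> str:
        """Map-Register handling: site lookup, then key check, then database update."""
        prefix = ipaddress.ip_network(reg.eid_prefix, strict=True)
        site = self.site_for(reg.instance_id, prefix)
        if site is None:
            return "unknown-site"  # no site is configured for this EID prefix: drop it
        expected = hmac.new(site.auth_key,
                            register_payload(reg.instance_id, reg.eid_prefix, reg.locators),
                            hashlib.sha1).digest()
        if not hmac.compare_digest(expected, reg.auth_data):
            return "bad-auth"  # wrong authentication-key: the mapping must not be installed
        self.mappings[(reg.instance_id, prefix)] = (site.name, reg.locators)
        return "registered"

    def resolve(self, iid: int, eid: str) -> Optional[Tuple[str, List[Locator]]]:
        """Map-Request handling: longest-prefix match of the EID in the mapping database."""
        addr = ipaddress.ip_address(eid)
        best, best_len = None, -1
        for (m_iid, prefix), entry in self.mappings.items():
            if m_iid == iid and prefix.version == addr.version and addr in prefix:
                if prefix.prefixlen > best_len:
                    best, best_len = entry, prefix.prefixlen
        return best


def map_server_from_post() -> MapServer:
    """Sites R5-R8 exactly as configured on R1 in this post (authentication-key R5 ... R8)."""
    sites = []
    for n in (5, 6, 7, 8):
        sites.append(Site(f"R{n}", f"R{n}".encode(), [
            (1, ipaddress.ip_network(f"172.16.100.{n}/32")),
            (1, ipaddress.ip_network(f"FC00:100::{n}/128")),
        ]))
    return MapServer(sites)


if __name__ == "__main__":
    ms = map_server_from_post()
    print(ms.register(make_register(b"R8", 1, "172.16.100.8/32", [Locator("10.4.8.8", 10, 10)])))
    print(ms.resolve(1, "172.16.100.8"))  # what the Map-Request for R8's loopback gets back
```

The order of checks in register() matters: the site is identified from the EID prefix first, so the key that is verified is the one configured for that site, and a registration signed with a different site's key is rejected rather than being installed under whichever site it claims.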

R5#show ip route 172.16.100.6
% Subnet not in table

You can see that there isn't an exact route for R6's loopback.

R5#sh ip cef 172.16.100.6
172.16.100.6/32
  nexthop 10.3.5.3 GigabitEthernet1.35

We can see that there is a CEF entry for R6's loopback. It states the outgoing interface is G1.35; however, there is no indication that LISP is used.

R5#sh ip cef 172.16.100.6 internal 
172.16.100.6/32, epoch 2, flags [sc, lisp elig, defrt], refcnt 6, per-destination sharing
  sources: LISP, IPL 
  feature space:
    Broker: linked, distributed at 1st priority
  subblocks:
    SC owned,sourced: LISP remote EID - locator status bits 0x00000001
    LISP remote EID: 192 packets 18297 bytes fwd action encap
    LISP source path list
      path list 7FBED44A9A30, 3 locks, per-destination, flags 0x49 [shble, rif, hwcn]
        ifnums:
          LISP0.1(14): 10.6.13.6
        1 path
          path 7FBED44C7178, share 10/10, type attached nexthop, for IPv4
            nexthop 10.6.13.6 LISP0.1, IP midchain out of LISP0.1, addr 10.6.13.6 7FBED44B0E10
        1 output chain
          chain[0]: IP midchain out of LISP0.1, addr 10.6.13.6 7FBED44B0E10
                    IP adj out of GigabitEthernet1.35, addr 10.3.5.3 7FBEC6C63158
      Dependent covered prefix type LISP, cover 0.0.0.0/0
    2 IPL sources [active source]
      Dependent covered prefix type inherit, cover 0.0.0.0/0
  ifnums:
    GigabitEthernet1.35(11): 10.3.5.3
  path list 7FBED44A9D50, 2 locks, per-destination, flags 0x69 [shble, rif, rcrsv, hwcn]
    path 7FBEC1DE5238, share 1/1, type recursive, for IPv4, flags [dsnt-src-via, cef-intnl]
      recursive via 0.0.0.0/0<nh:172.16.100.6>[IPv4:Default], fib 7FBEC93DEDE8, 1 terminal fib, v4:Default:0.0.0.0/0
      path list 7FBED408A5B0, 3 locks, per-destination, flags 0x69 [shble, rif, rcrsv, hwcn]
          path 7FBEC1DE5970, share 1/1, type recursive, for IPv4
            recursive via 10.3.5.3[IPv4:Default], fib 7FBEC1DE4B20, 1 terminal fib, v4:Default:10.3.5.3/32
            path list 7FBED408A470, 2 locks, per-destination, flags 0x49 [shble, rif, hwcn]
                path 7FBEC1DE5820, share 1/1, type adjacency prefix, for IPv4
                  attached to GigabitEthernet1.35, IP adj out of GigabitEthernet1.35, addr 10.3.5.3 7FBEC6C63158
  output chain:
    LISP eligibility check 0x7FBED44C31F8 for IPv4:Default, 4 locks
      <L> PushCounter(LISP:172.16.100.6/32) 7FBED44C2E30
          IP midchain out of LISP0.1, addr 10.6.13.6 7FBED44B0E10
          IP adj out of GigabitEthernet1.35, addr 10.3.5.3 7FBEC6C63158
      <N> IP adj out of GigabitEthernet1.35, addr 10.3.5.3 7FBEC6C63158


As you can see from the capture, the ping from R5 to R6 over IPv6 is encapsulated in LISP, which is itself carried in UDP. The full encapsulation is ICMPv6 inside IPv6 inside LISP inside UDP inside IPv6.

R5#ping fc00:100::6 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FC00:100::6, timeout is 2 seconds:
Packet sent with a source address of FC00:100::5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 51/54/58 ms

Thanks for stopping by!
Rob Riker, CCIE #50693