10/15/2014

Redistribute EIGRP and OSPF / Route Tagging

In route redistribution, the router process asks two questions before it accepts a route being redistributed into it:

1. Does the route already exist in the routing process I am redistributing into?
    No, then redistribute the route.
    Yes, then go to 2.

2. If so, does the new route have a better (lower) AD than the one already there?
    No, then don't redistribute the route.
    Yes, then redistribute the route.

Example:
    So, raise the AD of external OSPF routes from the default to 171 (above the EIGRP external AD of 170) when redistributing into OSPF.

170 = AD for external EIGRP routes.
171 = in this example, we use 171 for external OSPF routes to stop the routing loop, but when you shut down the interface carrying the injected route, the LSAs for that route still go around in a circle.

R2(config)#

router eigrp 10
 redistribute ospf 1
 network x.x.x.x 0.0.0.255
 default-metric 100000 0 255 1 1500
 no auto-summary

router ospf 1
 redistribute eigrp 10 subnets
 distance ospf external 171   <== only locally significant: the distance command changes the AD on this router only.

Using route tagging is the better option.

Route Tagging:

In most situations you don't need route tags, since the two questions above hold.  But in situations where you have external routes coming into your domain, you'll need route tagging.


STEPS:

Route-maps (configure the same ones on both R2 and R3):

route-map OSPF-TO-EIGRP deny 10
 match tag 170

route-map OSPF-TO-EIGRP permit 20
 set tag 110

route-map EIGRP-TO-OSPF deny 10
 match tag 110

route-map EIGRP-TO-OSPF permit 20
 set tag 170


R2:
conf t

router eigrp 10
 network 10.1.12.0 0.0.0.3
 network 10.1.15.0 0.0.0.3
 redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-TO-EIGRP   <== OSPF routes entering EIGRP get tag 110
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 10 subnets route-map EIGRP-TO-OSPF   <== EIGRP routes entering OSPF get tag 170
 network 10.1.22.0 0.0.0.3 area 0.0.0.0


R3:
conf t

router eigrp 10
 network 10.1.13.0 0.0.0.3
 network 10.1.15.0 0.0.0.3
 redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-TO-EIGRP   <== same route-maps on R3
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 10 subnets route-map EIGRP-TO-OSPF   <== must reference the EIGRP process configured above (eigrp 10)
 network 10.1.23.0 0.0.0.3 area 0.0.0.0

DONE.
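To see how the two questions and the route-maps interact, here is an added worked example (Python, not from this note and not anything IOS runs): a toy model of R2 and R3 as border routers between EIGRP 10 and OSPF 1. The AD values 90/110/170 are the IOS defaults; the prefix 192.168.1.0/24, the RIB dictionaries and all function names are made up for the model. It runs the four cases the note discusses: an internal EIGRP route, an external (AD 170) EIGRP route with nothing protecting it, the same with distance ospf external 171, and the same with the route-maps above.

```python
from dataclasses import dataclass, replace

# Added example, not from the original note: a toy model of the two questions
# (administrative distance) and of the route-maps above. The AD values are the
# IOS defaults; router names, prefix and helper names are constructed.

AD_EIGRP_INTERNAL = 90
AD_OSPF = 110
AD_EIGRP_EXTERNAL = 170


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str   # routing process the route is known via: "eigrp" or "ospf"
    ad: int
    tag: int = 0


# The route-maps from the note, as ordered clauses (action, match tag, set tag).
ROUTE_MAPS = {
    "OSPF-TO-EIGRP": [("deny", 170, None), ("permit", None, 110)],
    "EIGRP-TO-OSPF": [("deny", 110, None), ("permit", None, 170)],
}


def apply_route_map(name, route):
    """First matching clause wins; no matching clause means implicit deny.
    name=None models redistribution with no route-map (permit everything)."""
    if name is None:
        return route
    for action, match_tag, set_tag in ROUTE_MAPS[name]:
        if match_tag is not None and route.tag != match_tag:
            continue
        if action == "deny":
            return None
        return replace(route, tag=route.tag if set_tag is None else set_tag)
    return None


def install(rib, route):
    """Questions 1 and 2 from the note: a route goes into the RIB only if the
    prefix is not there yet, or the new route has a lower (better) AD."""
    current = rib.get(route.prefix)
    if current is None or route.ad < current.ad:
        rib[route.prefix] = route
        return True
    return False


def redistribute(rib, src, dst, route_map, ospf_external_ad=AD_OSPF):
    """Candidate routes that process `dst` would learn from everything `src`
    holds, after the route-map. Routes entering EIGRP are external (AD 170);
    routes entering OSPF get the OSPF external AD, which the
    'distance ospf external' command can raise on the receiving router."""
    out = []
    for r in rib.values():
        if r.source != src:
            continue
        passed = apply_route_map(route_map, r)
        if passed is None:
            continue
        ad = ospf_external_ad if dst == "ospf" else AD_EIGRP_EXTERNAL
        out.append(replace(passed, source=dst, ad=ad))
    return out


def simulate(eigrp_ad, use_tags, ospf_external_ad=AD_OSPF):
    """R2 and R3 both border EIGRP 10 and OSPF 1. A prefix known in EIGRP at
    `eigrp_ad` is redistributed into OSPF by R2; R3 hears the resulting OSPF
    external route. Returns which process R3 ends up preferring and whether
    R3 would redistribute the prefix back into EIGRP (a redistribution loop)."""
    prefix = "192.168.1.0/24"   # constructed
    r2, r3 = {}, {}
    for rib in (r2, r3):
        install(rib, Route(prefix, "eigrp", eigrp_ad))   # both hear it from EIGRP
    e2o = "EIGRP-TO-OSPF" if use_tags else None
    o2e = "OSPF-TO-EIGRP" if use_tags else None
    for cand in redistribute(r2, "eigrp", "ospf", e2o, ospf_external_ad):
        install(r3, cand)                                 # R3 receives R2's E2 LSA
    leaked = redistribute(r3, "ospf", "eigrp", o2e)
    return {"r3_prefers": r3[prefix].source,
            "leaks_back_into_eigrp": any(r.prefix == prefix for r in leaked)}


if __name__ == "__main__":
    print("internal route, no tags:  ", simulate(AD_EIGRP_INTERNAL, False))
    print("external route, no tags:  ", simulate(AD_EIGRP_EXTERNAL, False))
    print("external, distance 171:   ", simulate(AD_EIGRP_EXTERNAL, False, 171))
    print("external route, with tags:", simulate(AD_EIGRP_EXTERNAL, True))
```

The first case is why tags are usually unnecessary: an internal EIGRP route (AD 90) beats the OSPF external copy (110), so question 2 stops the feedback by itself. The second case is the problem the note describes: an EIGRP external route (170) loses to its own OSPF copy (110) at R3 and gets pushed back into EIGRP. The third case shows what "locally significant" means (distance 171 only fixes the router it is configured on). The fourth shows the trade-off of tags: R3 still prefers the OSPF path, but the route-map refuses to feed the tag 170 route back into EIGRP, which is what the "Tag 170" and "Tag 110" lines in the TEST output below confirm.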

TEST:
R4-EIGRP-ROUTER# sh ip ro 192.168.1.1
Routing entry for 192.168.1.1/32
  Known via "eigrp 100", distance 170, metric 28416
  Tag 110, type external
  Redistributing via eigrp 100
  Last update from 10.1.12.2 on FastEthernet1/0, 00:38:36 ago
  Routing Descriptor Blocks:
  * 10.1.13.2, from 10.1.13.2, 00:38:36 ago, via FastEthernet1/1
      Route metric is 28416, traffic share count is 1
      Total delay is 110 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
      Route tag 110
    10.1.12.2, from 10.1.12.2, 00:38:36 ago, via FastEthernet1/0
      Route metric is 28416, traffic share count is 1
      Total delay is 110 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
      Route tag 110

R1-OSPF-ROUTER# sh ip ro 172.16.1.1
Routing entry for 172.16.1.0/24
  Known via "ospf 1", distance 110, metric 20
  Tag 170, type extern 2, forward metric 1
  Last update from 10.1.22.2 on FastEthernet1/0, 00:40:31 ago
  Routing Descriptor Blocks:
  * 10.1.23.2, from 10.1.23.2, 00:48:47 ago, via FastEthernet1/1
      Route metric is 20, traffic share count is 1
      Route tag 170
    10.1.22.2, from 10.1.22.2, 00:40:31 ago, via FastEthernet1/0
      Route metric is 20, traffic share count is 1
      Route tag 170


10/08/2014

Block RFC 1918 and Others Coming In Your Network

If you're an enterprise, chances are your ISP has already blocked some or all private addresses coming from the internet.
But you should also block the IP subnet assigned to you by your ISP: if you see a source address from that subnet coming in, then someone is spoofing your IP.
For security, it's best to block all RFC 1918 space, and you may want to block others as well.

Below is what I use:

access-list 199 deny   ip 10.0.0.0 0.255.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 deny   ip 172.16.0.0 0.15.255.255 any
access-list 199 deny   ip 169.254.0.0 0.0.255.255 any
access-list 199 deny   ip 192.0.2.0 0.0.0.255 any
access-list 199 deny   ip 192.168.0.0 0.0.255.255 any
access-list 199 deny   ip 224.0.0.0 0.0.0.255 any
access-list 199 deny   ip 239.0.0.0 0.255.255.255 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip YOUR-SUBNET-HERE 0.0.0.31 any
--- This should be the IP subnet assigned to you by your ISP (the wildcard 0.0.0.31 covers a /27; adjust it to your subnet size).  You never want to see an inbound packet whose source IP is one of your own.

access-list 199 permit ip any any  --- This permits everything else.

Now apply this access list to the interface facing or connecting to your ISP.

interface Serial0/1/0
 ip address YOUR-WAN-IP-HERE 255.255.255.252   --- the WAN address given to you by your ISP.
 ip access-group 199 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 no cdp enable


You want to apply the access-list 199 to inbound traffic.

Done.
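Before putting an ACL like this on the ISP-facing interface it's worth checking what each line actually matches. Below is an added Python example (not from this note, and not an IOS feature) that evaluates the access-list above top-down with IOS wildcard-mask semantics against a handful of constructed source addresses; YOUR-SUBNET-HERE is filled in with the documentation prefix 203.0.113.0, which is an assumed placeholder.

```python
from ipaddress import IPv4Address

# Added example, not from the original note: evaluate the ingress ACL above
# against sample source addresses, using IOS wildcard-mask semantics
# (a 0 bit in the wildcard means "must match", a 1 bit means "don't care").
# YOUR-SUBNET-HERE is replaced with 203.0.113.0 (documentation range, assumed).

ACL_199 = """
access-list 199 deny   ip 10.0.0.0 0.255.255.255 any
access-list 199 deny   ip 127.0.0.0 0.255.255.255 any
access-list 199 deny   ip 172.16.0.0 0.15.255.255 any
access-list 199 deny   ip 169.254.0.0 0.0.255.255 any
access-list 199 deny   ip 192.0.2.0 0.0.0.255 any
access-list 199 deny   ip 192.168.0.0 0.0.255.255 any
access-list 199 deny   ip 224.0.0.0 0.0.0.255 any
access-list 199 deny   ip 239.0.0.0 0.255.255.255 any
access-list 199 deny   ip host 255.255.255.255 any
access-list 199 deny   ip 203.0.113.0 0.0.0.31 any
access-list 199 permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


def parse_ace(line):
    """'access-list <n> <action> ip <source> any' -> (action, base, wildcard)."""
    parts = line.split()
    action, spec = parts[2], parts[4:-1]   # spec sits between 'ip' and the destination 'any'
    if spec[0] == "host":
        base, wild = spec[1], "0.0.0.0"
    elif spec[0] == "any":
        base, wild = "0.0.0.0", "255.255.255.255"
    else:
        base, wild = spec
    return action, int(IPv4Address(base)), int(IPv4Address(wild))


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.startswith("access-list")]


def ace_matches(ace, src):
    _, base, wild = ace
    care = ALL_ONES ^ wild                 # bits the wildcard says we must compare
    return (int(IPv4Address(src)) & care) == (base & care)


def evaluate(acl, src):
    """Walk the ACL top-down; first match wins; implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, src):
            return ace[0]
    return "deny"


def ace_size(ace):
    """How many source addresses an entry covers: 2 ** (number of 1 bits in the wildcard)."""
    return 1 << bin(ace[2]).count("1")


if __name__ == "__main__":
    acl = parse_acl(ACL_199)
    for src in ("10.1.2.3", "172.31.0.1", "172.32.0.1", "203.0.113.17",
                "203.0.113.40", "224.0.0.5", "224.0.1.1", "198.51.100.9"):
        print(f"{src:>15}: {evaluate(acl, src)}")
    for ace in acl:
        print(ace[0], IPv4Address(ace[1]), "covers", ace_size(ace), "addresses")
```

Running it shows 224.0.1.1 being permitted: with wildcard 0.0.0.255 the 224.0.0.0 entry only matches 224.0.0.0/24 (256 addresses), so if the intent is to drop every multicast source (224.0.0.0/4) the wildcard would have to be 15.255.255.255. The ace_size helper makes that kind of check quick for every line before the ACL goes on the interface.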

10/01/2014

EXPECT: Cannot telnet/ssh to switches directly - only from one switch to the others

Cannot telnet/ssh to the switches directly. You can only SSH into an ASR/switch, then from that switch SSH to each other switch.

The ACL only allows the ASR device to SSH to each switch.

This can be done with a loop within the expect script ("expectscript.exp", saved below as from-one-device-TO-ALL-others.exp).

Create a file with the names/IPs of the devices you want to connect to from the ASR:

STEPS:

1. [root@localhost script]# vi device-list
    10.x.x.1
    10.x.x.2
    10.x.x.3
    10.x.x.4


2. [root@localhost script]# vi from-one-device-TO-ALL-others.exp

#!/usr/bin/expect -f

# Usage: ./from-one-device-TO-ALL-others.exp <asr-hostname-or-ip> <password> <enable-password>
# Set variables - the hostname and passwords are passed in as arguments

set hostname [lindex $argv 0]
set username "YOURUSERNAME"
set password [lindex $argv 1]
set enablepassword [lindex $argv 2]
set timeout 5

# Where to put the log file results (appended to on every run)
log_file -a /root/script/results.log

# SSH to the ASR, the only device the ACL allows to reach the switches
spawn ssh -o StrictHostKeyChecking=no $username\@$hostname
expect "*assword: "
send "$password\r"

# From the ASR, SSH to each IP/hostname in the local file "device-list",
# do a "show clock", then exit back to the ASR prompt
set devicelist [open device-list]
while {[gets $devicelist line] != -1} {
    expect "*>"
    send "ssh $line\r"
    expect "Password:"
    send "$password\r"
    expect "*>"
    send "show clock\r"
    expect "*>"
    send "exit\r"
}
expect "*>"
close $devicelist

# Leave the ASR and wait for the local shell prompt (literal ":~$")
send "exit\r"
expect -re {:~\$}
exit


3. Now RUN it, passing the ASR address and the passwords as arguments:

[root@localhost script]# ./from-one-device-TO-ALL-others.exp <ASR-IP> <PASSWORD> <ENABLE-PASSWORD>