Python3 Threading for SSH

This article describes how to use the Python threading module to make our SSH application more powerful. The threading.Thread class works as follows: the start() method starts a thread, which in turn calls the run() method (run() either calls the callable passed as target or has to be overridden in a subclass). The join() method makes the main program wait until the thread has terminated. Before we integrate the threading module into our previous SSH application, here is a basic tutorial on threading.

Threading Basic

To begin, let’s create the function below. It shows how Python executes code without threading.

import time
import datetime

def myfunction():
    date_time = datetime.datetime.now().strftime("%I:%M:%S %p")
    print("Start a Thread at %s" % date_time)
    time.sleep(2)
    print("End a Thread at %s" % date_time)
    print("")

for i in range(5):
    myfunction()

Output:

Start a Thread at 10:28:58 PM
End a Thread at 10:28:58 PM

Start a Thread at 10:29:00 PM
End a Thread at 10:29:00 PM

Start a Thread at 10:29:02 PM
End a Thread at 10:29:02 PM

Start a Thread at 10:29:04 PM
End a Thread at 10:29:04 PM

Start a Thread at 10:29:06 PM
End a Thread at 10:29:06 PM

In the output above, the timestamps show that each call runs only after the previous one has finished. Now let’s use the threading module in the code.

import threading
import datetime
import time

def myfunction2():
    date_time = datetime.datetime.now().strftime("%I:%M:%S %p")
    print("Start a Thread at %s\n" % date_time, end="")
    time.sleep(2)
    print("End a Thread at %s\n" % date_time, end="")

thread_instance = []
for i in range(5):
    trd = threading.Thread(target=myfunction2)
    trd.start()
    thread_instance.append(trd)

for thread in thread_instance:
    thread.join()

Output:

Start a Thread at 05:19:02 PM
Start a Thread at 05:19:02 PM
Start a Thread at 05:19:02 PM
Start a Thread at 05:19:02 PM
Start a Thread at 05:19:02 PM
End a Thread at 05:19:02 PM
End a Thread at 05:19:02 PM
End a Thread at 05:19:02 PM
End a Thread at 05:19:02 PM
End a Thread at 05:19:02 PM

With the threading module, all five threads now run at the same time; the timestamp is identical for every thread.

Python Partial Codes

Now that we have the basics of the threading module, let’s implement it in our previous SSH application.

# import threading module
import threading

# Create function for ssh threads
def SSH_Thread():
    # create list for each thread
    thread_instance = []
    # create ip address list of the devices
    list_ip = ["172.16.0.21", "172.16.0.22"]
    for ip in list_ip:
        trd = threading.Thread(target=ssh_conn, args=(ip.strip("\n"),))
        trd.start()
        thread_instance.append(trd)
         
    for trd in thread_instance:
        trd.join()

Python Full Codes

import paramiko
import time
import datetime
import re
import threading

def ssh_conn(ip):
    try:
        date_time = datetime.datetime.now().strftime("%Y-%m-%d")
        date_time_s = datetime.datetime.now().strftime("%I:%M:%S %p")
        ssh = paramiko.SSHClient()
        # AutoAddPolicy accepts any unknown host key without verification: fine for a lab, not beyond it
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(ip, port=22, username='cisco', password='router', look_for_keys=False, timeout=None)
        connection = ssh.invoke_shell()
        connection.send("\n")
        connection.send("terminal length 0\n")
        time.sleep(1)
        connection.send("\n")
        connection.send("show ip eigrp neighbor\n")
        time.sleep(3)
        file_output = connection.recv(9999).decode(encoding='utf-8')
        # the prompt text in front of '#' is the device hostname
        hostname = re.search('(.+)#', file_output).group(1)
        # the slice is a lab-specific value that skips the banner and the trailing prompt
        with open(hostname + "-" + str(date_time) + ".txt", "w") as outFile:
            outFile.write(file_output[1328:-3])
        ssh.close()
        if re.search('% Invalid input detected', file_output):
            print("* There was at least one IOS syntax error on device %s" % hostname)
        else:
            print("{} is done, it was started at {}".format(hostname, date_time_s))

    except paramiko.AuthenticationException:
        print("User or password incorrect, Please try again!!!")

def SSH_Thread():
    thread_instance = []
    list_ip = ["172.16.0.21", "172.16.0.22"]
    # start one thread per device, then wait for all of them to finish
    for ip in list_ip:
        trd = threading.Thread(target=ssh_conn, args=(ip.strip("\n"),))
        trd.start()
        thread_instance.append(trd)

    for trd in thread_instance:
        trd.join()

if __name__ == '__main__':
    SSH_Thread()

After you execute the code above, you will be notified that both tasks completed at the same time, as below.

R1 is done, it was started at 05:22:18 PM
R2 is done, it was started at 05:22:18 PM
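The script above starts one thread per device, joins them without a timeout, and any exception other than AuthenticationException kills its thread with a traceback that nobody collects. The following added example (not part of the original article) keeps the same threading.Thread start()/join() pattern but adds a semaphore to cap concurrent sessions, per-thread error capture and a join deadline; fake_fetch is a constructed stand-in for ssh_conn so it runs without paramiko or devices.

```python
import threading
import time


def run_threaded(hosts, fetch, max_workers=4, timeout=30.0):
    """Run fetch(host) in one thread per host, at most max_workers at a time.

    A BoundedSemaphore caps the number of open SSH sessions, each worker
    records its own exception instead of dying with a traceback on stderr,
    and join(timeout) means one hung device cannot block the whole run.
    Returns {host: ("ok", output) | ("error", message) | ("timeout", None)}.
    """
    results = {}
    lock = threading.Lock()            # results is shared by all workers
    gate = threading.BoundedSemaphore(max_workers)

    def worker(host):
        with gate:                     # blocks while max_workers sessions are open
            try:
                status = ("ok", fetch(host))
            except Exception as exc:   # paramiko/socket errors, parse errors, ...
                status = ("error", "%s: %s" % (type(exc).__name__, exc))
        with lock:
            results[host] = status

    threads = []
    for host in hosts:
        # daemon=True: a thread stuck in a hung session does not keep the
        # interpreter alive after the main thread has given up on it
        t = threading.Thread(target=worker, args=(host,),
                             name="ssh-%s" % host, daemon=True)
        t.start()
        threads.append(t)

    # one shared deadline for all joins, not `timeout` per thread
    deadline = time.monotonic() + timeout
    for t in threads:
        t.join(max(0.0, deadline - time.monotonic()))

    with lock:
        snapshot = dict(results)
    for host in hosts:                 # anything still missing did not finish in time
        snapshot.setdefault(host, ("timeout", None))
    return snapshot


def fake_fetch(host):
    """Constructed stand-in for ssh_conn(): no network, three simulated outcomes."""
    if host == "172.16.0.23":
        raise ConnectionError("device unreachable")
    if host == "172.16.0.24":
        time.sleep(60)                 # simulates a session that never returns
    time.sleep(0.1)
    return "R%s# show ip eigrp neighbor" % host.split(".")[-1]


if __name__ == "__main__":
    report = run_threaded(["172.16.0.21", "172.16.0.22", "172.16.0.23", "172.16.0.24"],
                          fake_fetch, max_workers=2, timeout=1.0)
    for host, (status, detail) in sorted(report.items()):
        print("%-12s %-8s %s" % (host, status, detail))
```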

Happy labbing!!!

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Python3 and Paramiko for SSH (Router and Switch)

This article describes how to use the Python programming language to automate tasks against intermediate devices (routers and switches). In this demonstration we establish an SSH session to a Cisco Nexus switch, collect the output of “show ip ospf”, and write it to a text file named after the device hostname plus the date the output was collected.

We use Python 3.5 as the interpreter and the Paramiko module for SSH. Below is the flowchart of our application:

Python Codes

The application code for this lab is pretty straightforward. We keep it as simple as we can, so you can copy, use and extend it on your own.

Python partial codes
Import related Python modules

import paramiko
import time
import datetime
import re

Define the SSH function

def ssh_conn(ip):

Wrap the session in a try block and catch authentication errors with a clear message

try:
    # ... the SSH session code from the following steps goes here ...
except paramiko.AuthenticationException:
    print("User or password incorrect, Please try again!!!")

Set time value to use

date_time = datetime.datetime.now().strftime("%Y-%m-%d")

Use paramiko ssh client

#Use ssh client
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(ip, port=22, username='cisco', password='router', look_for_keys=False, timeout=None)    
     
#Invoke the shell for interactive terminal
connection = ssh.invoke_shell()
connection.send("terminal length 0\n")

# pause the script for a second before sending the next command
time.sleep(1)

#Send router command to the device
connection.send("\n")
connection.send("show ip ospf\n")
time.sleep(3)

#Receive buffer output
file_output = connection.recv(9999).decode(encoding='utf-8')

#Create a file output name from the device hostname
hostname = (re.search('(.+)#', file_output)).group().strip('#')

#Print the output interactively to the CLI
print(file_output)

#Write output to a file
outFile = open(hostname + "-" + str(date_time) + ".txt", "w")
outFile.writelines(file_output[678:-19])  # lab-specific slice; choose another value for your own lab
outFile.close()

#Closing the connection
ssh.close()

#Print information if the task is done
print("%s is done" % hostname)
#call the function        
if __name__ == '__main__':
    ssh_conn("10.10.0.5")

Python Full Codes

Below is the complete code for this experiment.

import paramiko
import time
import datetime
import re


def ssh_conn(ip):
    try:
        date_time = datetime.datetime.now().strftime("%Y-%m-%d")
        ssh = paramiko.SSHClient()
        # AutoAddPolicy accepts any unknown host key without verification: fine for a lab, not beyond it
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(ip, port=22, username='cisco', password='router', look_for_keys=False, timeout=None)
        connection = ssh.invoke_shell()
        connection.send("terminal length 0\n")
        time.sleep(1)
        connection.send("\n")
        connection.send("show ip ospf\n")
        time.sleep(3)
        file_output = connection.recv(9999).decode(encoding='utf-8')
        # the prompt text in front of '#' is the device hostname
        hostname = re.search('(.+)#', file_output).group(1)
        print(file_output)
        # the slice is a lab-specific value that skips the banner and the trailing prompt
        with open(hostname + "-" + str(date_time) + ".txt", "w") as outFile:
            outFile.write(file_output[678:-19])
        ssh.close()
        print("%s is done" % hostname)

    except paramiko.AuthenticationException:
        print("User or password incorrect, Please try again!!!")

if __name__ == '__main__':
    ssh_conn("10.10.0.5")
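Two parts of the script above are fragile: sleep(3) followed by one recv(9999) truncates long output or returns before the device has finished, and the slice file_output[678:-19] breaks as soon as the banner changes. The following added example (not from the original article) reads until the device prompt appears, cuts the command output out by prompt instead of by offset, and builds a client that rejects unknown host keys; FakeChannel and SAMPLE_SESSION are constructed stand-ins for the paramiko channel and the device, and known_hosts_path is an assumed parameter.

```python
import re
import time

# Constructed sample transcript, modelled on the interactive session shown later in this article.
SAMPLE_SESSION = (
    "terminal length 0\r\n"
    "Cisco Nexus Operating System (NX-OS) Software\r\n"
    "LAB-ROUTER# terminal length 0\r\n"
    "LAB-ROUTER# \r\n"
    "LAB-ROUTER# show ip ospf\r\n"
    "\r\n"
    " Routing Process 100 with ID 10.10.0.5 VRF default\r\n"
    " Administrative distance 110\r\n"
    "LAB-ROUTER# "
)

PROMPT_RE = re.compile(r"^(?P<host>[\w.\-]+)#", re.MULTILINE)   # "LAB-ROUTER#" at line start


class FakeChannel:
    """Stand-in for paramiko's Channel (recv_ready()/recv()) that hands out the
    constructed transcript in small chunks, the way a real device drip-feeds output."""
    def __init__(self, data, chunk=40):
        self._chunks = [data[i:i + chunk].encode() for i in range(0, len(data), chunk)]

    def recv_ready(self):
        return bool(self._chunks)

    def recv(self, nbytes):            # nbytes ignored: chunks are already small
        return self._chunks.pop(0)


def read_until_prompt(chan, timeout=10.0):
    """Read until the buffer ends with a device prompt, or raise TimeoutError.
    Unlike sleep(3) + recv(9999) this neither truncates long output nor
    waits longer than the device needs."""
    buf = b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if chan.recv_ready():
            buf += chan.recv(65535)
            text = buf.decode("utf-8", errors="replace")
            last_line = text.rsplit("\n", 1)[-1]
            if re.fullmatch(r"[\w.\-]+#\s*", last_line):
                return text.replace("\r\n", "\n")
        else:
            time.sleep(0.05)
    raise TimeoutError("no prompt seen within %.1fs" % timeout)


def parse_command_output(session_text, command):
    """Return (hostname, body): body is everything between the echoed command
    line and the next prompt, so no hard-coded slice offsets are needed."""
    m = PROMPT_RE.search(session_text)
    if not m:
        raise ValueError("no device prompt found in session output")
    host = m.group("host")
    echo = "%s# %s\n" % (host, command)
    start = session_text.find(echo)
    if start < 0:
        raise ValueError("command %r was never echoed by %s" % (command, host))
    start += len(echo)
    end = session_text.find("\n%s#" % host, start)
    body = session_text[start:end if end >= 0 else None]
    return host, body.strip("\n")


def has_syntax_error(body):
    """IOS/NX-OS reject an unknown command with this marker in the output."""
    return "% Invalid input detected" in body


def make_strict_client(known_hosts_path):
    """Build a paramiko SSHClient that only talks to devices whose key is already in
    known_hosts_path, instead of AutoAddPolicy() silently trusting whatever key is
    offered. paramiko is imported here so the helpers above run without it."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts_path)
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    return client


if __name__ == "__main__":
    text = read_until_prompt(FakeChannel(SAMPLE_SESSION), timeout=2.0)
    host, body = parse_command_output(text, "show ip ospf")
    print("%s:\n%s" % (host, body))
```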

Error Exception Test

Before we run the application for real, we will deliberately generate an SSH authentication error. According to The Zen of Python, errors should never pass silently. We enter a wrong password on purpose so that Python reports the error in an elegant way: we change the password to router1 and execute the script.

(myvirtualenv02)$python3 PythonSSH_Basic.py 
User or password incorrect, Please try again!!!

As we can see from the output, the error message comes up as expected. Now, with the password fixed, let’s run the application one more time.

(myvirtualenv02)$python3 PythonSSH_Basic.py

terminal length 0
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
LAB-ROUTER# terminal length 0
LAB-ROUTER# 
LAB-ROUTER# show ip ospf

 Routing Process 100 with ID 10.10.0.5 VRF default
 Stateful High Availability enabled
 Graceful-restart is configured
   Grace period: 60 state: Inactive 
   Last graceful restart exit status: None
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 This router is an autonomous system boundary
 Redistributing External Routes from
   static
 Administrative distance 110
 Reference Bandwidth is 10000 Mbps
 SPF throttling delay time of 50.000 msecs,
   SPF throttling hold time of 50.000 msecs, 
   SPF throttling maximum wait time of 5000.000 msecs
 LSA throttling start time of 0.000 msecs,
   LSA throttling hold interval of 50.000 msecs, 
   LSA throttling maximum wait time of 5000.000 msecs
 Minimum LSA arrival 15.000 msec
 LSA group pacing timer 10 secs
 Maximum paths to destination 8
 Number of external LSAs 45996, checksum sum 0x5a495484
 Number of opaque AS LSAs 0, checksum sum 0
 Number of areas is 1, 1 normal, 0 stub, 0 nssa
 Number of active areas is 1, 1 normal, 0 stub, 0 nssa
   Area (0.0.31.65) 
        Area has existed for 4y2w
        Interfaces in this area: 23 Active interfaces: 22
        Passive interfaces: 19  Loopback interfaces: 1
        No authentication available
        SPF calculation has run 7438648 times
         Last SPF ran for 0.001616s
        Area ranges are
        Number of LSAs: 1908, checksum sum 0x3c1d064
LAB-ROUTER# 
LAB-ROUTER is done

If you prefer a cleaner terminal, comment out the “print(file_output)” line; with it disabled you will only receive the notification that the task is done (e.g. “LAB-ROUTER is done”). Now check the directory where the application was executed: you will find a text file containing the device output from our last run.

(myvirtualenv02)$ls -l | grep LAB
LAB-ROUTER-2016-12-27.txt  1435 Dec 27 15:22 
(myvirtualenv02)$cat LAB-ROUTER-2016-12-27.txt
LAB-ROUTER# show ip ospf

 Routing Process 100 with ID 10.10.0.5 VRF default
 Stateful High Availability enabled
 Graceful-restart is configured
   Grace period: 60 state: Inactive 
   Last graceful restart exit status: None
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 This router is an autonomous system boundary
 Redistributing External Routes from
   static
 Administrative distance 110
 Reference Bandwidth is 10000 Mbps
 SPF throttling delay time of 50.000 msecs,
   SPF throttling hold time of 50.000 msecs, 
   SPF throttling maximum wait time of 5000.000 msecs
 LSA throttling start time of 0.000 msecs,
   LSA throttling hold interval of 50.000 msecs, 
   LSA throttling maximum wait time of 5000.000 msecs
 Minimum LSA arrival 15.000 msec
 LSA group pacing timer 10 secs
 Maximum paths to destination 8
 Number of external LSAs 45996, checksum sum 0x5a48c6cf
 Number of opaque AS LSAs 0, checksum sum 0
 Number of areas is 1, 1 normal, 0 stub, 0 nssa
 Number of active areas is 1, 1 normal, 0 stub, 0 nssa
   Area (0.0.31.65) 
        Area has existed for 4y2w
        Interfaces in this area: 23 Active interfaces: 22
        Passive interfaces: 19  Loopback interfaces: 1
        No authentication available
        SPF calculation has run 7438649 times
         Last SPF ran for 0.001670s
        Area ranges are
        Number of LSAs: 1908, checksum sum 0x3c0ad76

Compared to the output on the CLI, the content of the “.txt” file is neater, because we did some string manipulation before writing the terminal output to the file. We have now done a basic experiment on establishing an SSH session to an intermediate device. In a future article we will enhance this application to handle more complicated tasks supporting our activity as network engineers. Happy labbing!!!

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Cisco ISR 4331 Throughput Capacity

This article describes an issue we faced in the past regarding Cisco router throughput capacity. The issue is interesting because I did not know that some Cisco routers ship with a throughput license feature.

It began when we received a report from our client that they were experiencing slow data transfer when the link reached 90 to 95 Mbps. The throughput graph is shown in the picture below.

As basic troubleshooting we checked the router CPU processes and found them all normal; there were no packet drops on the interface either. One key finding was that the slowness only affected traffic going through the congested link (I say congested because the customer has a 1 Gbps link that never reaches 100 Mbps). Another question was how we could say it was slow: what was the evidence? The customer sent us a ping comparison: when traffic was about 40-60 Mbps, ping through the router had an average delay of around 2-3 ms; during congestion, ping through the device had an average delay of around 40-44 ms. According to the graph above it never even reached 90 Mbps, but when we verified from the CLI it did.

After several tests on the network, we dug into the Cisco documentation. According to Cisco, the aggregate throughput handled by the ISR4331 is 100 Mbps to 300 Mbps. By default the router runs with 100 Mbps of throughput, and you can increase it to a maximum of 300 Mbps with a throughput license. The throughput summary for each ISR4000 series model is shown in the picture below.

At this point we could not increase the router throughput capacity without buying the throughput license. Fortunately Cisco ships a trial license, so we could apply a temporary remediation to let the current traffic use more bandwidth.

Before we start to activate the temporary license, let’s do some verification on the license status.

Current Throughput Level

ISR4331#show platform hardware throughput level 
The current throughput level is 100000 kb/s

Current License Status

ISR4331#sh license feature  
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse 
!
!output omitted for brevity
!
throughput               yes          yes         no             no       yes        
internal_service         yes          no          no             no       no
ISR4331#show license 
!
!output omitted for brevity
!
Index 7 Feature: throughput                     
        Period left: Not Activated
        Period Used: 0  minute  0  second  
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None

Now let’s enable the temporary throughput license on the router. It will be available for the next 60 days. Don’t forget to save your configuration and reload the chassis for the change to take effect.

ISR4331(config)#platform hardware throughput level 300000
         Feature Name:throughput
 
PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR
LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH
PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.
 
Use of this product feature requires  an additional license from Cisco,
together with an additional  payment.  You may use this product feature
on an evaluation basis, without payment to Cisco, for 60 days. Your use
of the  product,  including  during the 60 day  evaluation  period,  is
subject to the Cisco end user license agreement
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
If you use the product feature beyond the 60 day evaluation period, you
must submit the appropriate payment to Cisco for the license. After the
60 day  evaluation  period,  your  use of the  product  feature will be
governed  solely by the Cisco  end user license agreement (link above),
together  with any supplements  relating to such product  feature.  The
above  applies  even if the evaluation  license  is  not  automatically
terminated  and you do  not receive any notice of the expiration of the
evaluation  period.  It is your  responsibility  to  determine when the
evaluation  period is complete and you are required to make  payment to
Cisco for your use of the product feature beyond the evaluation period.
 
Your  acceptance  of  this agreement  for the software  features on one
product  shall be deemed  your  acceptance  with  respect  to all  such
software  on all Cisco  products  you purchase  which includes the same
software.  (The foregoing  notwithstanding, you must purchase a license
for each software  feature you use past the 60 days evaluation  period,
so  that  if you enable a software  feature on  1000  devices, you must
purchase 1000 licenses for use past  the 60 day evaluation period.)   
 
Activation  of the  software command line interface will be evidence of
your acceptance of this agreement.

ACCEPT? (yes/[no]): yes

Now let’s verify the router status after enabling the temporary throughput license.

ISR4331#show license feature 
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse 
!
!output omitted for brevity
!        
throughput               yes          yes         no             yes      yes        
internal_service         yes          no          no             no       no    
ISR4331#show license         
!
!output omitted for brevity
!                         
Index 7 Feature: throughput                     
        Period left: 8  weeks 4  days 
        Period Used: 0  day  0 hours 
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low

Finally, here is the throughput graph after we enabled the temporary throughput license.

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Cisco DMVPN Single Hub

This article describes how to configure DMVPN using a single hub. We are using below topology for our lab test.

As discussed in our previous DMVPN article, we configure a static tunnel on each router: each spoke router has only one tunnel, to the hub, and the hub has a single multipoint tunnel through which it communicates with its spokes. We will also verify the dynamic spoke-to-spoke tunnel between the spoke routers.

Connectivity Verification

Before you configure DMVPN on your network, make sure that every router participating in DMVPN has working underlay connectivity. I will run a ping test from R1-HUB to the other routers.

R1-HUB#tclsh
R1-HUB(tcl)#foreach ip {
+>(tcl)#10.155.26.2
+>(tcl)#10.155.36.3
+>(tcl)#} {ping $ip
+>(tcl)#}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.155.26.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.155.36.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/7 ms

Using tcl on Cisco IOS, the output above shows that all routers can reach each other.

Configuration

In this subsection we have three parts of configuration: crypto, tunnel and routing protocol.

Crypto Configuration

All routers

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14

crypto isakmp key cisco123 address 10.155.0.0

crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile MYPROFILE
 set security-association lifetime seconds 900
 set transform-set MYTRANSFORMSET

Notes: This is the basic configuration required when you want to add IPsec protection to the tunnels. You may use your own parameters for the lab experiment.

Tunnel Configuration

R1-HUB

interface Tunnel0
 ip address 192.168.123.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile MYPROFILE

Notes:
  • To instruct EIGRP to advertise itself as the IP next hop, use the ip next-hop-self eigrp command in interface configuration mode.
  • With “no ip next-hop-self eigrp 100” in place, the hub keeps the originating spoke as the next hop, so spoke-to-spoke traffic can bypass the hub instead of using it as the gateway. We will see this in the verification section.
  • Because of the split-horizon rule, a spoke router will not receive the other spokes’ prefixes unless you disable split horizon on the hub.
R2-SPOKE

interface Tunnel0
 ip address 192.168.123.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.123.1 10.155.16.1
 ip nhrp map multicast 10.155.16.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.123.1
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile MYPROFILE

Notes: Since this is a static mapping, the key points of the spoke tunnel configuration are the NHRP mapping and the NHS mapping.
R3-SPOKE

interface Tunnel0
 ip address 192.168.123.3 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.123.1 10.155.16.1
 ip nhrp map multicast 10.155.16.1
 ip nhrp network-id 1
 ip nhrp nhs 192.168.123.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 12345
 tunnel protection ipsec profile MYPROFILE

Notes: Since this is a static mapping, the key points of the spoke tunnel configuration are the NHRP mapping and the NHS mapping.

Routing Protocol Configuration

R1-HUB

router eigrp 100
 network 10.150.1.1 0.0.0.0
 network 192.168.123.1 0.0.0.0

Notes: Only the Tunnel0 and Loopback0 networks participate in EIGRP.

R2-SPOKE

router eigrp 100
 network 10.150.2.2 0.0.0.0
 network 192.168.123.2 0.0.0.0

Notes: Only the Tunnel0 and Loopback0 networks participate in EIGRP.

R3-SPOKE

router eigrp 100
 network 10.150.3.3 0.0.0.0
 network 192.168.123.3 0.0.0.0

Notes: Only the Tunnel0 and Loopback0 networks participate in EIGRP.

Tunnel Verification

R1-HUB

R1-HUB#show dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.155.26.2       192.168.123.2    UP 00:22:26     D
     1 10.155.36.3       192.168.123.3    UP 00:22:26     D

R2-SPOKE

R2-SPOKE#show dmvpn 
!
! output omitted for brevity
!
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.155.16.1       192.168.123.1    UP 00:20:41     S

R3-SPOKE

R3-SPOKE#sh dmvpn 
!
! output omitted for brevity
!
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.155.16.1       192.168.123.1    UP 00:00:15     S

In the hub router output we can see two tunnels, from R2 and R3; the hub learns the spoke tunnels dynamically (Attrb D). From the spoke routers’ perspective, since each spoke statically maps the hub for its tunnel connection, it has only one tunnel, to the hub, marked as static (Attrb S).
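Reading the Attrb and State columns by eye is fine for three routers; for a larger DMVPN cloud a script that parses “show dmvpn” and flags anything unexpected is more reliable. The following added example (not part of the original article) parses the table format shown above into peer records and checks the conditions this section describes: every peer UP, hub peers dynamic, and the spoke’s NHS present as a static mapping. HUB_OUTPUT and SPOKE_OUTPUT are constructed from the tables printed in this article.

```python
import re

# Constructed samples copied from the show dmvpn tables in this article:
# the hub's view, and R2-SPOKE's view after the spoke-to-spoke tunnel came up.
HUB_OUTPUT = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.155.26.2       192.168.123.2    UP 00:22:26     D
     1 10.155.36.3       192.168.123.3    UP 00:22:26     D
"""

SPOKE_OUTPUT = """\
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.155.16.1       192.168.123.1    UP 00:00:48     S
     1 10.155.36.3       192.168.123.3    UP 00:00:31     D
"""

# Attrb legend as printed in the show dmvpn header; flags are concatenated (e.g. "DT1").
ATTRB = {"S": "Static", "D": "Dynamic", "I": "Incomplete", "N": "NATed", "L": "Local",
         "X": "No Socket", "T1": "Route Installed", "T2": "Nexthop-override", "C": "CTS Capable"}
FLAG_RE = re.compile(r"T[12]|[A-Z]")
ROLE_RE = re.compile(r"^Type:(Hub|Spoke), NHRP Peers:(\d+)", re.M)
PEER_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+([A-Z0-9]+)\s*$",
    re.M)


def parse_show_dmvpn(text):
    """Turn one 'show dmvpn' interface section into a dict of role and peer records."""
    role = ROLE_RE.search(text)
    if not role:
        raise ValueError("no 'Type:Hub|Spoke' line found")
    peers = []
    for ent, nbma, tunnel, state, updn, attrb in PEER_RE.findall(text):
        flags = FLAG_RE.findall(attrb)          # "DT1" -> ["D", "T1"]
        peers.append({"entries": int(ent), "nbma": nbma, "tunnel": tunnel,
                      "state": state, "updn": updn, "flags": flags,
                      "attrb": [ATTRB.get(f, f) for f in flags]})
    return {"role": role.group(1), "declared_peers": int(role.group(2)), "peers": peers}


def check_dmvpn(parsed, nhs=None):
    """Return findings worth acting on: a peer that is not UP, a peer count that
    disagrees with the table, a hub peer that is not dynamic, or (for a spoke,
    when nhs is given) an NHS that is missing or not a static mapping."""
    findings = []
    if parsed["declared_peers"] != len(parsed["peers"]):
        findings.append("peer count mismatch: header says %d, table has %d"
                        % (parsed["declared_peers"], len(parsed["peers"])))
    for p in parsed["peers"]:
        if p["state"] != "UP":
            findings.append("%s is %s" % (p["tunnel"], p["state"]))
        if parsed["role"] == "Hub" and "D" not in p["flags"]:
            findings.append("hub peer %s is not dynamic" % p["tunnel"])
    if parsed["role"] == "Spoke" and nhs:
        nhs_peer = [p for p in parsed["peers"] if p["tunnel"] == nhs]
        if not nhs_peer or "S" not in nhs_peer[0]["flags"]:
            findings.append("NHS %s missing or not static" % nhs)
    return findings


if __name__ == "__main__":
    for name, text, nhs in (("R1-HUB", HUB_OUTPUT, None), ("R2-SPOKE", SPOKE_OUTPUT, "192.168.123.1")):
        parsed = parse_show_dmvpn(text)
        for p in parsed["peers"]:
            print("%-9s %-15s %-4s %s" % (name, p["tunnel"], p["state"], "/".join(p["attrb"])))
        print("%-9s findings: %s" % (name, check_dmvpn(parsed, nhs) or "none"))
```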

Route Verification

R1-HUB

R1#sh ip route eigrp 
!
! output omitted for brevity
!
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D        10.150.2.2/32 [90/27008000] via 192.168.123.2, 1w4d, Tunnel0
D        10.150.3.3/32 [90/27008000] via 192.168.123.3, 1w4d, Tunnel0

R2-SPOKE

R2#show ip route eigrp 
!
! output omitted for brevity
!
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D        10.150.1.1/32 [90/27008000] via 192.168.123.1, 1w4d, Tunnel0
D        10.150.3.3/32 [90/28288000] via 192.168.123.3, 1w4d, Tunnel0

R3-SPOKE

R3#sh ip route eigrp 
!
! output omitted for brevity
!
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D        10.150.1.1/32 [90/27008000] via 192.168.123.1, 1w4d, Tunnel0
D        10.150.2.2/32 [90/28288000] via 192.168.123.2, 1w4d, Tunnel0

The routing table on each router shows the prefixes learned from the other routers through EIGRP.

Connectivity Test

From the Hub router, make sure you have full connectivity to the network behind the spoke routers.

R1-HUB#tclsh
R1(tcl)#foreach ip {
+>(tcl)#10.150.2.2
+>(tcl)#10.150.3.3
+>(tcl)#} {ping $ip   
+>(tcl)#}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/9 ms

A traceroute from one spoke router to another goes through the hub.

R2-SPOKE#traceroute 10.150.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 10.150.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.123.1 2 msec 4 msec 9 msec
  2 192.168.123.3 18 msec *  1 msec

This first traceroute triggers the DMVPN session between R2-SPOKE and R3-SPOKE, creating a dynamic spoke-to-spoke tunnel.

R2-SPOKE#show dmvpn 
!
! output omitted for brevity
!
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 10.155.16.1       192.168.123.1    UP 00:00:48     S
     1 10.155.36.3       192.168.123.3    UP 00:00:31     D

Repeat the traceroute and you will see that packets destined for R3-SPOKE are now sent to it directly. If “ip next-hop-self eigrp” is enabled, all spoke-to-spoke traffic goes through the hub; to avoid that you may enable “ip nhrp shortcut” on the tunnel interface of each router.

R2-SPOKE#traceroute 10.150.3.3 source loopback 0
Type escape sequence to abort.
Tracing the route to 10.150.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.123.3 2 msec *  1 msec

Don’t forget to ping the hub site and the other spoke router.

R2-SPOKE#tclsh
R2-SPOKE(tcl)#foreach ip {
+>(tcl)#10.150.1.1
+>(tcl)#10.150.3.3
+>(tcl)#} {ping $ip
+>(tcl)#}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/7 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms

More on Verification

Next Hop Resolution Protocol (NHRP)

R2-SPOKE#sh ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
192.168.123.1  RE priority = 0 cluster = 0  req-sent 432  req-failed 0  repl-recv 429 (00:19:31 ago)
R2-SPOKE#show ip nhrp detail 
192.168.123.1/32 via 192.168.123.1
   Tunnel0 created 1w4d, never expire 
   Type: static, Flags: used 
   NBMA address: 10.155.16.1
R2-SPOKE#show ip nhrp detail   
192.168.123.1/32 via 192.168.123.1
   Tunnel0 created 1w4d, never expire 
   Type: static, Flags: used 
   NBMA address: 10.155.16.1 
192.168.123.2/32 via 192.168.123.2
   Tunnel0 created 00:00:04, expire 01:59:55
   Type: dynamic, Flags: router unique local 
   NBMA address: 10.155.26.2 
    (no-socket) 
  Requester: 192.168.123.3 Request ID: 13
192.168.123.3/32 via 192.168.123.3
   Tunnel0 created 00:00:05, expire 01:59:55
   Type: dynamic, Flags: router nhop 
   NBMA address: 10.155.36.3

Crypto Isakmp Session Association

R2-SPOKE#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.155.16.1     10.155.26.2     QM_IDLE           1029 ACTIVE
R2-SPOKE#show crypto engine connections active 
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
  621  IPsec   AES+SHA                   0       13       13 10.155.26.2
  622  IPsec   AES+SHA                  13        0        0 10.155.26.2
 1029  IKE     SHA+AES                   0        0        0 10.155.26.2

The output above is taken before the spoke-to-spoke session is established. It consists of only one IKE phase 1 SA and two IKE phase 2 (IPsec) SAs, for inbound and outbound traffic from R2-SPOKE’s perspective.

 
R2-SPOKE#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.155.36.3     10.155.26.2     QM_IDLE           1048 ACTIVE
10.155.16.1     10.155.26.2     QM_IDLE           1029 ACTIVE
10.155.26.2     10.155.36.3     QM_IDLE           1047 ACTIVE
R2-SPOKE#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
  621  IPsec   AES+SHA                   0       41       41 10.155.26.2
  622  IPsec   AES+SHA                  42        0        0 10.155.26.2
  625  IPsec   AES+SHA                   0        0        0 10.155.26.2
  626  IPsec   AES+SHA                   0        0        0 10.155.26.2
  627  IPsec   AES+SHA                   0        0        0 10.155.26.2
  628  IPsec   AES+SHA                   0        0        0 10.155.26.2
 1029  IKE     SHA+AES                   0        0        0 10.155.26.2
 1047  IKE     SHA+AES                   0        0        0 10.155.26.2
 1048  IKE     SHA+AES                   0        0        0 10.155.26.2

Once the spoke-to-spoke session is established, crypto isakmp sa shows two more entries: two more IKE phase 1 tunnels and four more IKE phase 2 (IPsec) tunnels.

Crypto IPsec Session Association

R2-SPOKE#show crypto ipsec sa | i encaps|decaps|endpt|local|transform|Status
    Crypto map tag: Tunnel0-head-0, local addr 10.155.26.2
   local  ident (addr/mask/prot/port): (10.155.26.2/255.255.255.255/47/0)
    #pkts encaps: 123, #pkts encrypt: 123, #pkts digest: 123
    #pkts decaps: 108, #pkts decrypt: 108, #pkts verify: 108
     local crypto endpt.: 10.155.26.2, remote crypto endpt.: 10.155.16.1
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
R2-SPOKE#show crypto ipsec sa | i encaps|decaps|endpt|local|transform|Status
    Crypto map tag: Tunnel0-head-0, local addr 10.155.26.2
   local  ident (addr/mask/prot/port): (10.155.26.2/255.255.255.255/47/0)
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
     local crypto endpt.: 10.155.26.2, remote crypto endpt.: 10.155.36.3
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
   local  ident (addr/mask/prot/port): (10.155.26.2/255.255.255.255/47/0)
    #pkts encaps: 123, #pkts encrypt: 123, #pkts digest: 123
    #pkts decaps: 108, #pkts decrypt: 108, #pkts verify: 108
     local crypto endpt.: 10.155.26.2, remote crypto endpt.: 10.155.16.1
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)

The second output was taken after the spoke-to-spoke session was established. It adds the SA between the source spoke and the destination spoke router, and the encaps/decaps counters show that packets across the WAN are encrypted as expected.
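As an added check that is not part of the original post, the following Python script parses the two R2-SPOKE outputs above and reports, per peer, whether IKE phase 1 is up, the IPsec SA is ACTIVE, the encaps/decaps counters prove traffic is protected in both directions, and whether the peer is another spoke rather than the hub. The sample input is copied from the outputs shown above; the local and hub addresses (10.155.26.2 and 10.155.16.1) are taken from them.

```python
import re

# Constructed sample input, copied from the R2-SPOKE outputs in this post
# (state after the spoke-to-spoke tunnel to 10.155.36.3 came up).
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.155.36.3     10.155.26.2     QM_IDLE           1048 ACTIVE
10.155.16.1     10.155.26.2     QM_IDLE           1029 ACTIVE
10.155.26.2     10.155.36.3     QM_IDLE           1047 ACTIVE
"""

# show crypto ipsec sa | i encaps|decaps|endpt|local|transform|Status
IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (10.155.26.2/255.255.255.255/47/0)
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
     local crypto endpt.: 10.155.26.2, remote crypto endpt.: 10.155.36.3
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
   local  ident (addr/mask/prot/port): (10.155.26.2/255.255.255.255/47/0)
    #pkts encaps: 123, #pkts encrypt: 123, #pkts digest: 123
    #pkts decaps: 108, #pkts decrypt: 108, #pkts verify: 108
     local crypto endpt.: 10.155.26.2, remote crypto endpt.: 10.155.16.1
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE(ACTIVE)
"""

ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\s+(\w+)$")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")


def ike_peers(isakmp_text, local):
    """Peers holding an ACTIVE IKE phase-1 SA with `local`. Each row lists
    dst and src; the peer is whichever of the two is not our own address."""
    peers = set()
    for line in isakmp_text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m and m.group(5) == "ACTIVE" and local in (m.group(1), m.group(2)):
            peers.add(m.group(2) if m.group(1) == local else m.group(1))
    return peers


def ipsec_peers(ipsec_text):
    """{remote endpoint: {"encaps": n, "decaps": n, "active": bool}}. The
    counters precede the endpoint line, so they are buffered per SA."""
    result, pending, current = {}, {}, None
    for line in ipsec_text.splitlines():
        s = line.strip()
        c = COUNTER.search(s)
        if c:
            pending[c.group(1)] = int(c.group(2))
        elif "remote crypto endpt.:" in s:
            current = s.split("remote crypto endpt.:")[1].strip()
            result[current] = dict(pending, active=False)
            pending = {}
        elif s.startswith("Status:") and current and "ACTIVE" in s:
            result[current]["active"] = True
    return result


def check_encryption(isakmp_text, ipsec_text, local, hub):
    """Per peer: phase 1 up, phase 2 ACTIVE, packets protected in both
    directions, and whether the peer is another spoke rather than the hub."""
    ike = ike_peers(isakmp_text, local)
    ipsec = ipsec_peers(ipsec_text)
    report = {}
    for peer in ike | set(ipsec):
        sa = ipsec.get(peer, {})
        report[peer] = {
            "ike": peer in ike,
            "ipsec_active": sa.get("active", False),
            "encrypted_both_ways": sa.get("encaps", 0) > 0 and sa.get("decaps", 0) > 0,
            "spoke_to_spoke": peer != hub,
        }
    return report
```

A peer that shows up in the IKE list but has no ACTIVE IPsec SA, or whose encaps or decaps counter stays at zero while traffic is flowing, is the case worth investigating.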

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCSA, VCP6-DCV
nantoyudi@gmail.com

Cisco DMVPN Overview

DMVPN is a Cisco IOS® Software solution for building IPsec + GRE VPNs in an easy, dynamic and scalable manner. DMVPN relies on two proven technologies:

  • Next Hop Resolution Protocol (NHRP): Creates a distributed (NHRP) mapping database of all the spoke tunnels to real (public interface) addresses.
  • Multipoint GRE Tunnel Interface: Single GRE interface to support multiple GRE and IPsec tunnels; simplifies size and complexity of configuration

Benefits of Dynamic Multipoint VPN (DMVPN)

  • Configuration reduction and no-touch deployment
  • Supports IP Unicast, IP Multicast, and dynamic routing protocols
  • Supports remote peers with dynamically assigned addresses
  • Supports spoke routers behind dynamic NAT and hub routers behind static NAT
  • Dynamic spoke-to-spoke tunnels for scaling partial- or full-mesh VPNs
  • Usable with or without IPsec encryption

Routing Protocol on DMVPN

*Scaling can be increased by using a BGP Route Reflector model; i.e., terminating BGP sessions at the hub location on a number of BGP route reflectors—the hub is a route reflector client
**Can be used for spoke-to-spoke

DMVPN Dynamic Tunnel

This feature eliminates the need for per-spoke configuration of direct spoke-to-spoke tunnels. When a spoke router wants to transmit a packet to another spoke router, it can now use NHRP to dynamically determine the required destination address of the target spoke router.

DMVPN Components: Next Hop Resolution Protocol (NHRP)

  • NHRP Registration
    • Spokes dynamically register their mapping with the Next Hop Server (NHS).
    • Supports spokes with dynamic NBMA addresses or NAT
  • NHRP resolutions and redirects
    • Supports building dynamic spoke-to-spoke tunnels.
    • Control and IP Multicast traffic still through hub
    • Unicast data traffic direct; reduced load on hub routers

NHRP Registration Example

NHRP Resolutions and Redirects

On the upcoming post, we are going to configure some devices on basic DMVPN.

IS-IS Route Redistribution

Overview

Redistributed routes are given a Default Metric of zero (0) unless otherwise specified. IS-IS LSP Level of redistributed routes depends on the IS-Type of the router.

  • A router configured as a Level-1 router will redistribute routes as Level-1 LSPs.
  • A router configured as either a Level-1/2 or level-2-only router will redistribute routes as Level-2 LSPs by default.

Like OSPF, a default route (0.0.0.0) learned via another protocol (or a static route) is excluded from redistribution.

  • default-information originate can be used, but the resulting default will not be seen by Level-1-only routers.
  • The default-information originate command can be associated with a route-map that has “set level level-1” to inject a Level-1 default LSP.

OSPF to IS-IS Redistribution

Level-1 Redistribution

This article describes redistribution from another routing protocol into IS-IS. According to the topology, we are using OSPF as the external domain.

First, let’s verify the vIOS08 database before it performs the redistribution. It contains the prefixes of its directly connected networks that run IS-IS.

vIOS08#sh isis database level-1 vIOS08.00-00 detail 

Tag 8:

IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x0000004C   0x4557        824               0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02

Create the configuration required to redistribute a prefix from the OSPF domain. In this case we are going to redistribute prefix 10.150.11.11 from the OSPF domain; this prefix belongs to Loopback0 of vIOS11.

ip access-list extended ACL_OSPF_ISIS
 permit ip host 10.150.11.11 any
!
route-map OSPF_ISIS permit 10
 match ip address ACL_OSPF_ISIS
!
router isis 8
 net 49.0002.0000.0000.0008.00
 redistribute ospf 8 match internal external 1 route-map OSPF_ISIS level-1

As you can see in the output below, vIOS08 now has prefix 10.150.11.11 in its database. The prefix itself is marked as IP-External.

vIOS08#show isis database level-1 vIOS08.00-00 detail 

Tag 8:

IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x0000004D   0xE3F0        1176              0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02
  Metric: 0          IP-External 10.150.11.11 255.255.255.255

Since we are doing Level-1 redistribution, the Level-1 LSP will be sent to vIOS04 (an L1 router) and to the other L1 or L1/L2 routers.

vIOS04#sh isis database vIOS08.00-00 detail 

Tag 4:

IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00          0x0000004D   0xE3F0        594               0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02
  Metric: 0          IP-External 10.150.11.11 255.255.255.255
vIOS04#sh ip route 10.150.11.11
Routing entry for 10.150.11.11/32
  Known via "isis", distance 115, metric 10, type level-1
  Redistributing via isis 4
  Last update from 10.155.48.8 on GigabitEthernet0/3, 00:01:54 ago
  Routing Descriptor Blocks:
  * 10.155.48.8, from 10.150.8.8, 00:01:54 ago, via GigabitEthernet0/3
      Route metric is 10, traffic share count is 1

vIOS05 is an inter-area border router running as L1/L2. In this case vIOS05 receives the Level-1 LSP carrying the external prefix, inserts it into its Level-2 database as an internal prefix, and sends it in its own Level-2 LSP to the other L1/L2 and L2 routers.

vIOS05#show isis database level-1 detail vIOS08.00-00

Tag 5:

IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00          0x00000054   0xD5F7        840               0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02
  Metric: 0          IP-External 10.150.11.11 255.255.255.255
vIOS05#show isis database detail level-2 vIOS08.00-00

Tag 5:
vIOS05#show isis database detail level-2 vIOS05.00-00

Tag 5:

IS-IS Level-2 LSP vIOS05.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS05.00-00        * 0x00000057   0xB819        1054              0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS05
  IP Address:   10.150.5.5
  Metric: 10         IS vIOS03.01
  Metric: 20         IP 10.150.4.4 255.255.255.255
  Metric: 10         IP 10.150.5.5 255.255.255.255
  Metric: 30         IP 10.150.8.8 255.255.255.255
  Metric: 20         IP 10.150.11.11 255.255.255.255
  Metric: 10         IP 10.155.35.0 255.255.255.0
  Metric: 10         IP 10.155.45.0 255.255.255.0
  Metric: 20         IP 10.155.48.0 255.255.255.0
vIOS05#sh ip route 10.150.11.11
Routing entry for 10.150.11.11/32
  Known via "isis", distance 115, metric 20, type level-1
  Redistributing via isis 5
  Last update from 10.155.45.4 on GigabitEthernet0/2, 00:16:54 ago
  Routing Descriptor Blocks:
  * 10.155.45.4, from 10.150.8.8, 00:16:54 ago, via GigabitEthernet0/2
      Route metric is 20, traffic share count is 1

From the vIOS03 perspective, it receives prefix 10.150.11.11 in a Level-2 LSP originated by vIOS05.

vIOS03#sh isis database detail level-2 vIOS05.00-00

Tag 3:

IS-IS Level-2 LSP vIOS05.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS05.00-00          0x00000057   0xB819        621               0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS05
  IP Address:   10.150.5.5
  Metric: 10         IS vIOS03.01
  Metric: 20         IP 10.150.4.4 255.255.255.255
  Metric: 10         IP 10.150.5.5 255.255.255.255
  Metric: 30         IP 10.150.8.8 255.255.255.255
  Metric: 20         IP 10.150.11.11 255.255.255.255
  Metric: 10         IP 10.155.35.0 255.255.255.0
  Metric: 10         IP 10.155.45.0 255.255.255.0
  Metric: 20         IP 10.155.48.0 255.255.255.0
vIOS03#show ip route 10.150.11.11
Routing entry for 10.150.11.11/32
  Known via "isis", distance 115, metric 30, type level-2
  Redistributing via isis 3
  Last update from 10.155.35.5 on GigabitEthernet0/2, 00:29:24 ago
  Routing Descriptor Blocks:
  * 10.155.35.5, from 10.150.5.5, 00:29:24 ago, via GigabitEthernet0/2
      Route metric is 30, traffic share count is 1

Level-2 redistribution

After completing the Level-1 redistribution procedure, let’s see how Level-2 redistribution works on the same topology. When we execute Level-2 redistribution, vIOS08 will have prefix 10.150.11.11 in its Level-2 database.

vIOS08#sh isis database detail level-2 vIOS08.00-00

Tag 8:

IS-IS Level-2 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x00000076   0xAE8F        744               0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 20         IP 10.150.4.4 255.255.255.255
  Metric: 30         IP 10.150.5.5 255.255.255.255
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 0          IP-External 10.150.11.11 255.255.255.255
  Metric: 30         IP 10.155.35.0 255.255.255.0
  Metric: 20         IP 10.155.45.0 255.255.255.0
  Metric: 10         IP 10.155.48.0 255.255.255.0

As vIOS04 is an L1 router, it has no Level-2 database. So, in this case, vIOS04 will not receive any redistributed prefix from vIOS08.

vIOS04#sh isis database detail vIOS08.00-00

Tag 4:

IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00          0x00000071   0xFA7C        1139              0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02

The same applies to vIOS05: it won’t have any Level-2 LSP carrying the redistributed prefix from vIOS08, even though it runs as an L1/L2 router, because it reaches vIOS08 through vIOS04 (an L1 router).

vIOS05#sh isis database detail vIOS08.00-00

Tag 5:

IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00          0x00000071   0xFA7C        1023              0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02

From our experiments with Level-1 and Level-2 redistribution, it is important to select the correct method for your production environment. A good understanding of how LSPs are advertised at each level will help you accomplish the task.

Level-1 Default Information Originate

In some cases you might have only one area consisting of many routers. To reach the external network you set an L1/L2 router as the border router and do the redistribution on it. The issue arises when you want to redistribute a large routing table, such as a BGP table with more than a hundred thousand routes, which will strain your router’s resources. To overcome this, IS-IS can advertise a default route to the other ISs so they can forward packets destined for the external network.

Using the above topology, we are going to simulate how default-information originate works. In the topology, we have two routers in area 49.0002. vIOS08 is the border router connected to the external network. vIOS08 will advertise a default route to vIOS04 instead of redistributing the full table. Let’s configure vIOS08 to advertise a default route to vIOS04.

router isis 8
 default-information originate

After we add the above config, vIOS08 adds the default route to its database. By default, the default route is only populated into the Level-2 database. As a result, the L1 routers connected to vIOS08 won’t have any default route in their routing tables.

vIOS08#sh isis database detail vIOS08.00-00

Tag 8:

IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x0000003C   0x6547        1001              0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02

IS-IS Level-2 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x0000003D   0xC1AE        1001              0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 0          IP 0.0.0.0 0.0.0.0
  Metric: 20         IP 10.150.4.4 255.255.255.255
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
vIOS04#sh ip route isis 
--------------------------------output omitted-------------------------------
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
i L1     10.150.8.8/32 [115/20] via 10.155.48.8, 13:19:10, GigabitEthernet0/3

To modify this behaviour, you can set a route-map that sets the level of the default route to Level-1 and attach it to the router isis instance.

route-map DEFAULT permit 10
 set level level-1
!
router isis 8
 default-information originate route-map DEFAULT

After this modification, the default route now resides in the Level-1 database, so any L1 router connected to vIOS08 receives it. Now the L1 router (vIOS04) can reach nodes in the external domain.

vIOS08#sh isis database detail vIOS08.00-00

Tag 8:

IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x00000042   0xFC9B        1154              0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02
  Metric: 0          IP 0.0.0.0 0.0.0.0

IS-IS Level-2 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x00000043   0xD91E        1154              0/0/0
  Area Address: 49.0002
  NLPID:        0xCC 
  Hostname: vIOS08
  IP Address:   10.150.8.8
  Metric: 20         IP 10.150.4.4 255.255.255.255
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
vIOS04#sh ip route isis 
----------------------------output omitted----------------------------------
Gateway of last resort is 10.155.48.8 to network 0.0.0.0

i*L1  0.0.0.0/0 [115/10] via 10.155.48.8, 00:09:54, GigabitEthernet0/3
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
i L1     10.150.8.8/32 [115/20] via 10.155.48.8, 13:43:02, GigabitEthernet0/3
vIOS04#ping 10.150.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/16 ms
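The Level-1/Level-2 redistribution walkthrough and the default-information originate experiment above both come down to one question: in which LSP level does vIOS08 advertise the prefix, and can an L1-only neighbour such as vIOS04 therefore see it? As an added example that is not part of the original post, the following Python parser reads `show isis database detail` output and answers that question; the sample input is copied from the vIOS08 LSPs shown above, with the TLVs the parser ignores (NLPID, IP Address) left out.

```python
import re

# Constructed sample input, copied from the vIOS08 LSPs in this post. Header
# TLVs that the parser does not use (NLPID, IP Address) were left out.
DB_DEFAULT_L2_ONLY = """\
IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x0000003C   0x6547        1001              0/0/0
  Area Address: 49.0002
  Hostname: vIOS08
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02

IS-IS Level-2 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x0000003D   0xC1AE        1001              0/0/0
  Area Address: 49.0002
  Hostname: vIOS08
  Metric: 0          IP 0.0.0.0 0.0.0.0
  Metric: 20         IP 10.150.4.4 255.255.255.255
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
"""

# vIOS08 Level-1 LSP after "redistribute ospf 8 ... level-1" (no Level-2 LSP).
DB_L1_REDIST = """\
IS-IS Level-1 LSP vIOS08.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
vIOS08.00-00        * 0x0000004D   0xE3F0        1176              0/0/0
  Area Address: 49.0002
  Hostname: vIOS08
  Metric: 10         IP 10.150.8.8 255.255.255.255
  Metric: 10         IP 10.155.48.0 255.255.255.0
  Metric: 10         IS vIOS04.02
  Metric: 0          IP-External 10.150.11.11 255.255.255.255
"""

LSP_HEADER = re.compile(r"^IS-IS Level-(\d) LSP (\S+)")
PREFIX_TLV = re.compile(r"^\s*Metric:\s+(\d+)\s+(IP-External|IP)\s+(\S+)\s+(\S+)")


def parse_isis_db(text):
    """{(level, lspid): [{"metric", "external", "prefix", "mask"}, ...]}"""
    db, current = {}, None
    for line in text.splitlines():
        h = LSP_HEADER.match(line)
        if h:
            current = (int(h.group(1)), h.group(2))
            db.setdefault(current, [])
            continue
        m = PREFIX_TLV.match(line)
        if m and current is not None:
            db[current].append({"metric": int(m.group(1)),
                                "external": m.group(2) == "IP-External",
                                "prefix": m.group(3), "mask": m.group(4)})
    return db


def levels_for(db, prefix):
    """Set of LSP levels (1 and/or 2) in which `prefix` is advertised."""
    return {lvl for (lvl, _), tlvs in db.items()
            if any(t["prefix"] == prefix for t in tlvs)}


def visible_to_l1_routers(db, prefix):
    """L1-only neighbours such as vIOS04 receive Level-1 LSPs only, so a
    prefix carried solely in the Level-2 LSP never reaches them."""
    return 1 in levels_for(db, prefix)


def external_prefixes(db, level):
    """Prefixes marked IP-External at `level`, i.e. the redistributed ones."""
    return sorted(t["prefix"] for (lvl, _), tlvs in db.items()
                  if lvl == level for t in tlvs if t["external"])
```

Running `visible_to_l1_routers` against the database before and after the route-map change reproduces the two `sh ip route isis` results on vIOS04 without logging in to it.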

Happy labbing!!!

IS-IS Route Leaking

This article describes how we can propagate route prefixes from one area to another. As discussed in the previous article, an L1 router forwards packets destined for an address outside the local area to the closest L1/L2 router, using a default route pointing to the nearest L1/L2 router. In some situations, we need to manipulate the path for a specific route to its destination.

We are going to use below topology for our lab.

Here is the scenario:

  • Loopback 0 is configured with IP 10.150.5.5 on vIOS05.
  • Loopback 1 is configured with IP 10.150.50.50 on vIOS05.
  • Traffic to 10.150.5.5 from vIOS03 should use XRv01 as the gateway
  • Traffic to 10.150.50.50 from vIOS03 should use vIOS04 as the gateway

Before we do any configuration, let’s verify the current routing table on vIOS03.

vIOS03#sh ip route isis 
i*L1  0.0.0.0/0 [115/10] via 10.155.34.4, 00:01:25, GigabitEthernet0/3
                [115/10] via 10.155.13.1, 00:01:25, GigabitEthernet0/1
      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
i L1     10.150.1.1/32 [115/20] via 10.155.13.1, 00:30:44, GigabitEthernet0/1
i L1     10.150.4.4/32 [115/20] via 10.155.34.4, 00:03:53, GigabitEthernet0/3

From the above output, you can see vIOS03 has two default routes pointing to its nearest L1/L2 routers. For this lab, I configured XRv01 not to send the ATT bit to vIOS03, so vIOS03 will not have any default route pointing toward XRv01.

Now let’s move to the configuration section. First, we need to configure a route policy on XRv01 to allow prefix 10.150.5.5 to be propagated to vIOS03.

route-policy L2-L1
  if destination in (10.150.5.5/32) then
    pass
  endif
end-policy

Next, implement the route policy on the router isis instance.

router isis 1
 address-family ipv4 unicast
  propagate level 2 into level 1 route-policy L2-L1

To check whether the scenario is working, let’s verify from vIOS03. Make sure vIOS03 receives 10.150.5.5 with XRv01 as its gateway.

vIOS03#sh ip route isis 
i*L1  0.0.0.0/0 [115/10] via 10.155.34.4, 00:02:09, GigabitEthernet0/3
      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
i L1     10.150.1.1/32 [115/20] via 10.155.13.1, 00:34:25, GigabitEthernet0/1
i L1     10.150.4.4/32 [115/20] via 10.155.34.4, 00:07:34, GigabitEthernet0/3
i ia     10.150.5.5/32 [115/158] via 10.155.13.1, 00:34:25, GigabitEthernet0/1

Trace to 10.150.5.5 and make sure it goes through XRv01.

vIOS03#traceroute 10.150.5.5  
Type escape sequence to abort.
Tracing the route to 10.150.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 10.155.13.1 1 msec 2 msec 1 msec ---> XRv01 IP
  2 10.155.15.5 2 msec *  2 msec

Trace to 10.150.50.50 and make sure it goes through vIOS04.

vIOS03#traceroute 10.150.50.50
Type escape sequence to abort.
Tracing the route to 10.150.50.50
VRF info: (vrf in name/id, vrf out name/id)
  1 10.155.34.4 1 msec 0 msec 0 msec ---> vIOS03 IP
  2 10.155.45.5 2 msec *  4 msec

You can achieve the same goal on an IOS device using the procedure below.

access-list 101 permit ip 10.150.5.5 255.255.255.255 any
!
router isis
 net 49.0001.0000.0000.0004.00
 redistribute isis ip level-2 into level-1 distribute-list 101
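As an added example that is not part of the original post, the following Python code parses the `sh ip route isis` output from vIOS03 shown above (including the indented second next hop of the default route) and then does a longest-prefix lookup for each scenario destination, so the two traceroute expectations can be checked from the routing table alone. The sample input is copied from the two vIOS03 outputs above.

```python
import ipaddress
import re

# Constructed sample input, copied from the vIOS03 outputs in this post.
BEFORE_LEAK = """\
i*L1  0.0.0.0/0 [115/10] via 10.155.34.4, 00:01:25, GigabitEthernet0/3
                [115/10] via 10.155.13.1, 00:01:25, GigabitEthernet0/1
      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
i L1     10.150.1.1/32 [115/20] via 10.155.13.1, 00:30:44, GigabitEthernet0/1
i L1     10.150.4.4/32 [115/20] via 10.155.34.4, 00:03:53, GigabitEthernet0/3
"""

AFTER_LEAK = """\
i*L1  0.0.0.0/0 [115/10] via 10.155.34.4, 00:02:09, GigabitEthernet0/3
      10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
i L1     10.150.1.1/32 [115/20] via 10.155.13.1, 00:34:25, GigabitEthernet0/1
i L1     10.150.4.4/32 [115/20] via 10.155.34.4, 00:07:34, GigabitEthernet0/3
i ia     10.150.5.5/32 [115/158] via 10.155.13.1, 00:34:25, GigabitEthernet0/1
"""

# "i*L1" = candidate default; "ia" = inter-area, i.e. leaked from Level-2.
ROUTE = re.compile(r"^i(\*| )\s*(L1|L2|ia)\s+(\S+)\s+\[(\d+)/(\d+)\] via ([\d.]+)")
ECMP = re.compile(r"^\s+\[(\d+)/(\d+)\] via ([\d.]+)")


def parse_isis_routes(text):
    """{prefix: {"type", "candidate_default", "ad", "metric", "next_hops"}}.
    An indented "[ad/metric] via ..." line adds an equal-cost next hop to
    the route printed on the preceding line."""
    routes, last = {}, None
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            last = m.group(3)
            routes[last] = {"type": m.group(2), "candidate_default": m.group(1) == "*",
                            "ad": int(m.group(4)), "metric": int(m.group(5)),
                            "next_hops": [m.group(6)]}
            continue
        e = ECMP.match(line)
        if e and last is not None:
            routes[last]["next_hops"].append(e.group(3))
    return routes


def resolve(routes, dest):
    """Longest-prefix match: returns (matching prefix, its next hops)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    if best is None:
        return None, []
    return str(best), routes[str(best)]["next_hops"]


def check_scenario(routes, wanted):
    """wanted = {destination: expected gateway}; returns the mismatches."""
    bad = {}
    for dest, gateway in wanted.items():
        prefix, hops = resolve(routes, dest)
        if hops != [gateway]:
            bad[dest] = (prefix, hops)
    return bad
```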
