Tuesday, March 7, 2017

EIGRP Basic Neighbor Adjacency


EIGRP Basic Neighbor Adjacency Lab:

Topology:

Configuration:
 R1(config)# int gi0/0
 R1(config-if)# ip address 10.0.0.1 255.255.255.0
 R1(config-if)# no shut
 R1(config-if)# exit
 !
 R1(config)# router eigrp 1
 R1(config-router)# eigrp router-id 1.1.1.1
 R1(config-router)# network 10.0.0.0 0.0.0.255
 !
 R2(config)# int gi0/0
 R2(config-if)# ip address 10.0.0.2 255.255.255.0
 R2(config-if)# no shut
 R2(config-if)# exit
 !
 R2(config)# router eigrp 1
 R2(config-router)# eigrp router-id 2.2.2.2
 R2(config-router)# network 10.0.0.0 0.0.0.255 
Animated Neighborship + Packet Capture


EIGRP Neighborship Packet Capture


Verification:
 R1# show ip eigrp neighbors
  EIGRP-IPv4 Neighbors for AS(1)
  H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                     (sec)         (ms)       Cnt Num
  0   10.0.0.2                Gi0/0                    12 01:50:53    1  3000  0  3
 R1# show ip eigrp topology
   Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
          r - reply Status, s - sia Status
   
   P 10.0.0.0/24, 1 successors, FD is 2816
           via Connected, GigabitEthernet0/0   

Friday, February 3, 2017

Unicast Reverse Path Forwarding (uRPF)



Unicast Reverse Path Forwarding (uRPF) verifies that the source address of an incoming IP packet is reachable, and drops packets whose source the router could not route back to. It is an anti-spoofing control (the ingress filtering described in BCP 38), not a destination check.

How does it work?:
  • uRPF is applied to an interface; the router checks the source address of every packet that arrives on that interface.
  • The check is a lookup of the source address in CEF's (Cisco Express Forwarding) FIB (Forwarding Information Base), so CEF must be enabled for uRPF to work.

uRPF has two modes:
  • Strict (rx) - The source address must resolve in the FIB to the interface on which the packet was received. This catches spoofed sources that belong behind another interface, but it will also drop legitimate traffic on links with asymmetric routing, so use it where traffic is symmetric (typically at the edge).
  • Loose (any) - The source address must resolve in the FIB via ANY interface. This only catches sources that have no route at all (unallocated or bogon space), not sources that belong on a different interface.
  • The mode is selected with the {any | rx} keyword on the following interface command:
 Router1(config-if)# ip verify unicast source reachable-via ?
   any  Source is reachable via any interface
   rx   Source is reachable via interface on which packet was received



uRPF Lab (Strict Mode): 

Problem: Router2 uses a loopback interface with an address inside the server's subnet (192.168.0.2) to send spoofed packets to the server 192.168.0.10 (PC1). Router1 has a connected route to 192.168.0.0/24 and happily forwards them. We can mitigate this by enabling uRPF strict mode on Router1's Gi0/0 interface: the spoofed source 192.168.0.2 resolves in the FIB to the server-side interface, not to Gi0/0, so the check fails and the packet is dropped.



Configuration

Note: For the sake of the lab, we will attach an ACL to the uRPF command. The ACL is only consulted for packets that FAIL the check: a permit entry forwards the packet anyway (handy for known exceptions), a deny entry drops it, and the log keyword gives us a record of what was dropped so we can verify the lab. Currently, uRPF only accepts numbered ACLs here.

Step 1: Verify that CEF is on.
Note: You can do this per interface to get more details, such as whether 'IP unicast RPF check' is enabled or disabled.
 Router1# show cef int gi0/0
 GigabitEthernet0/0 is up (if_number 3)
   Corresponding hwidb fast_if_number 3
   Corresponding hwidb firstsw->if_number 3
   Internet address is 10.0.0.1/24
   ICMP redirects are always sent
   Per packet load-sharing is disabled
   IP unicast RPF check is disabled
   Input features: Access List
   IP policy routing is disabled
   BGP based policy accounting on input is disabled
   BGP based policy accounting on output is disabled
   Hardware idb is GigabitEthernet0/0
   Fast switching type 1, interface type 27
   IP CEF switching enabled
   IP CEF switching turbo vector
   IP CEF turbo switching turbo vector
   IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
   Input fast flags 0x1, Output fast flags 0x0
   ifindex 3(3)
   Slot  Slot unit 0 VC -1
   IP MTU 1500
 
Step 2 (Optional): Configure the uRPF ACL.
 Router1(config)# ip access-list standard 99
 Router1(config-std-nacl)# 10 deny any log
 
Step 3: Configure uRPF Strict on Router1's G0/0 interface.
 Router1(config)# int gi0/0
 Router1(config-if)# ip verify unicast source reachable-via rx 99

Step 4: Verify that 'IP unicast RPF check' is enabled based on the same command ran on Step 1.
 Router1# show cef int gi0/0
 GigabitEthernet0/0 is up (if_number 3)
   Corresponding hwidb fast_if_number 3
   Corresponding hwidb firstsw->if_number 3
   Internet address is 10.0.0.1/24
   ICMP redirects are always sent
   Per packet load-sharing is disabled
   IP unicast RPF check is enabled
   Input features: Access List
   IP policy routing is disabled
   BGP based policy accounting on input is disabled
   BGP based policy accounting on output is disabled
   Hardware idb is GigabitEthernet0/0
   Fast switching type 1, interface type 27
   IP CEF switching enabled
   IP CEF switching turbo vector
   IP CEF turbo switching turbo vector
   IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
   Input fast flags 0x1, Output fast flags 0x0
   ifindex 3(3)
   Slot  Slot unit 0 VC -1
   IP MTU 1500
Conclusion: If a packet arrives on Gi0/0 with a source address whose FIB lookup does not point back out Gi0/0 (or that has no route at all), the packet is dropped. Here is what the FIB looks like for Gi0/0:
 Router1# show ip cef g0/0
 0.0.0.0/0
   nexthop 10.0.0.2 GigabitEthernet0/0
 10.0.0.0/24
   attached to GigabitEthernet0/0
 10.0.0.2/32
   attached to GigabitEthernet0/0
 10.1.0.0/16
   nexthop 10.0.0.2 GigabitEthernet0/0
Note: A source that matches only the default route (0.0.0.0/0 next hop 10.0.0.2 in this case) still fails the check; strict mode does not treat a default-route match as 'reachable' unless the allow-default keyword is added. Be aware that on an interface that carries the default route, allow-default largely defeats the check, because almost any source then 'matches'. The full set of options on the command is shown below.
 Router1(config-if)# ip verify unicast source reachable-via rx ?
   <1-199>          IP access list (standard or extended)
   <1300-2699>      IP expanded access list (standard or extended)
   allow-default    Allow default route to match when checking source address
   allow-self-ping  Allow router to ping itself (opens vulnerability in
                    verification)
   l2-src           Check packets arrive with correct L2 source address
   <cr>

Verification Steps:

Step 1: Ping from loopback on Router 2 to 192.168.0.10
Router2# ping 192.168.0.10 source 192.168.0.2
Step 2: Review Router 1 log from the ACL setup earlier.
Router1# *Feb  3 12:07:59.059: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.0.2 5 packets
Note: You can also run 'show ip traffic' to see how many packets have been dropped globally by uRPF, or 'show ip interface gi0/0' for the per-interface counters.
 Router1# show ip traffic 
 IP statistics:
   Rcvd:  125 total, 80 local destination
          0 format errors, 0 checksum errors, 0 bad hop count
          0 unknown protocol, 0 not a gateway
          0 security failures, 0 bad options, 0 with options
   Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
          0 timestamp, 0 extended security, 0 record route
          0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
          0 other
   Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
          0 fragmented, 0 fragments, 0 couldn't fragment
   Bcast: 0 received, 0 sent
   Mcast: 0 received, 0 sent
   Sent:  85 generated, 30 forwarded
   Drop:  5 encapsulation failed, 0 unresolved, 0 no adjacency
          0 no route, 25 unicast RPF, 0 forced drop, 0 unsupported-addr
          0 options denied, 0 source IP address zero
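To tie the strict/loose modes and the allow-default caveat together, here is an added example (not from the original post) that models the uRPF source check against a FIB shaped like Router1's 'show ip cef' output above. The 192.168.0.0/24 entry on Gi0/1 is an assumption about the lab's server-side interface, and the test packets are constructed for the demo.

```python
# Added example, not from the original post: a model of the uRPF source check
# (strict 'rx' and loose 'any', with and without allow-default) against a FIB
# shaped like Router1's. The 192.168.0.0/24 entry on Gi0/1 is an assumption
# about the lab topology; the packets below are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class FibEntry:
    prefix: IPv4Network
    interface: str  # interface the FIB resolves this prefix to


# Constructed FIB for Router1: the three entries from the lab's
# 'show ip cef g0/0' plus the server LAN (assumed to be on Gi0/1).
ROUTER1_FIB: List[FibEntry] = [
    FibEntry(IPv4Network("0.0.0.0/0"), "Gi0/0"),       # default via 10.0.0.2
    FibEntry(IPv4Network("10.0.0.0/24"), "Gi0/0"),     # attached
    FibEntry(IPv4Network("10.1.0.0/16"), "Gi0/0"),     # via 10.0.0.2
    FibEntry(IPv4Network("192.168.0.0/24"), "Gi0/1"),  # server LAN (assumed)
]


def fib_lookup(fib: List[FibEntry], addr: IPv4Address) -> Optional[FibEntry]:
    """Longest-prefix match, the same lookup CEF does for a destination."""
    matches = [e for e in fib if addr in e.prefix]
    return max(matches, key=lambda e: e.prefix.prefixlen, default=None)


def urpf_passes(fib: List[FibEntry], src: str, rx_if: str,
                mode: str = "rx", allow_default: bool = False) -> bool:
    """True if the packet passes the uRPF check, False if uRPF drops it.

    mode='rx'  -> strict: the source must resolve back out the receiving interface.
    mode='any' -> loose:  any FIB entry for the source is good enough.
    allow_default -> let a match on 0.0.0.0/0 count as 'reachable'.
    """
    entry = fib_lookup(fib, IPv4Address(src))
    if entry is None:
        return False  # no route at all for the source
    if entry.prefix.prefixlen == 0 and not allow_default:
        return False  # only the default route matches
    if mode == "any":
        return True
    return entry.interface == rx_if


def apply_urpf_acl(passed: bool, acl_permits: bool) -> str:
    """Model the optional ACL: it is consulted only when the check FAILS.

    permit -> forward anyway (for known exceptions), deny -> drop; with 'log'
    on the ACE, as ACL 99 in the lab has, the drop is also logged.
    """
    if passed:
        return "forward"
    return "forward" if acl_permits else "drop"


# Constructed test packets arriving on Gi0/0: (source, description)
PACKETS = [
    ("192.168.0.2", "Router2 loopback spoofing the server subnet"),
    ("10.1.5.5", "legit host behind Router2"),
    ("10.0.0.2", "Router2 itself"),
    ("8.8.8.8", "source known only via the default route"),
]


def run_lab(mode: str = "rx", allow_default: bool = False) -> dict:
    """Return {source: 'forward'|'drop'} for every test packet under one policy.
    ACL 99 is 'deny any log', so every failed check becomes a logged drop."""
    return {
        src: apply_urpf_acl(
            urpf_passes(ROUTER1_FIB, src, "Gi0/0", mode, allow_default),
            acl_permits=False)
        for src, _ in PACKETS
    }


if __name__ == "__main__":
    for label, kw in [("strict", {}),
                      ("strict+allow-default", {"allow_default": True}),
                      ("loose", {"mode": "any"})]:
        print(label, run_lab(**kw))
```

Running it shows the three results that matter: strict mode drops the spoofed 192.168.0.2 and also drops 8.8.8.8 (default route only), allow-default lets 8.8.8.8 through while still stopping the spoof, and loose mode forwards the spoofed 192.168.0.2 because it has a route somewhere, which is exactly why loose mode is not a defence against this lab's attack.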


Monday, January 30, 2017

EIGRP Overview




EIGRP (Relevant) Tables
  • Neighbor Table - Directly connected routers - show ip eigrp neighbors
  • Topology Table - Successor / Feasible Successor routes - show ip eigrp topology {all-links}
  • Routing Table - The best routes from the topology table - show ip route {eigrp}



Adjacency Terminology
  • Hello - Discovers neighbors and forms/maintains adjacencies
  • Update - Sends routing updates
  • Query - Asks neighbors about a route that has been lost
  • Reply - Response to a Query
  • Ack - Acknowledges Update, Query, and Reply messages (Hellos and Acks themselves are not acknowledged)
  • SIA (Stuck-in-Active) - This is bad... A route stays Active because a neighbor has not replied to the Query before the active timer expires (3 minutes by default), and the adjacency with that neighbor is reset.
    • Here is a crappy GIF I made to make things clearer.


Routing Terminology
  • Advertised Distance (AD) - The metric the neighbor reports for reaching the network from itself (also called the Reported Distance, RD).
  • Feasible Distance (FD) - The AD plus the metric from this router to that neighbor.
  • Successor - The route with the lowest FD; it is the one installed in the routing table.
  • Feasible Successor - A backup route whose AD is less than the FD of the Successor. Having a lower FD than some other route is not what qualifies it; only the AD matters.
    • Note: This requirement, AD < FD of the Successor, is called the Feasibility Condition. It guarantees the backup path is loop-free, so it can be promoted immediately without querying neighbors.
  • Active Route - The Successor has been lost, no Feasible Successor exists, and the router has sent Queries and is waiting for Replies.
  • Passive Route - The normal, stable state: the route is usable and no Query is outstanding.
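Here is an added example (not from the original post) that works the Adjacency and Routing terminology above through in code: it picks the Successor and Feasible Successors for one destination and shows what DUAL does when the Successor is lost (stay Passive and promote a Feasible Successor, or go Active and Query). It uses the post's simplified "FD = AD + link cost" model rather than the full EIGRP composite metric; the neighbors and numbers are constructed.

```python
# Added example, not from the original post: Successor / Feasible Successor
# selection and the Passive/Active decision for one destination. Metrics use
# the simplified "FD = AD + link cost" model from the post, not the full EIGRP
# composite metric; the neighbours (R2, R3, R4) and their numbers are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    """One topology-table entry for a single destination."""
    neighbor: str
    ad: int         # Advertised (Reported) Distance: the neighbour's own metric
    link_cost: int  # metric from this router to that neighbour

    @property
    def fd(self) -> int:
        # Simplified model from the post: FD = AD + cost to reach the neighbour
        return self.ad + self.link_cost


def classify(paths: List[Path]) -> Tuple[List[Path], List[Path], List[Path]]:
    """Split paths into (successors, feasible successors, the rest).

    Successor(s): lowest FD. Feasible Successor: not a successor, and its AD is
    strictly less than the successor's FD (the Feasibility Condition). The rest
    stay in the topology table but are not loop-free-guaranteed backups.
    """
    best_fd = min(p.fd for p in paths)
    successors = [p for p in paths if p.fd == best_fd]
    feasible = [p for p in paths if p.fd != best_fd and p.ad < best_fd]
    rest = [p for p in paths if p.fd != best_fd and p.ad >= best_fd]
    return successors, feasible, rest


def successor_lost(paths: List[Path], lost_neighbor: str) -> Tuple[str, Optional[Path]]:
    """What DUAL does when a neighbour disappears.

    Losing a non-successor changes nothing. Losing the successor promotes a
    Feasible Successor at once (route stays Passive). With no Feasible
    Successor the route goes Active: Query the neighbours and wait for Replies
    (and, if one never arrives, end up Stuck-in-Active).
    """
    successors, feasible, _ = classify(paths)
    remaining_successors = [s for s in successors if s.neighbor != lost_neighbor]
    if remaining_successors:
        return ("passive", remaining_successors[0])
    if feasible:
        return ("passive", min(feasible, key=lambda p: p.fd))
    return ("active", None)


def show_topology(prefix: str, paths: List[Path]) -> List[str]:
    """Render the destination roughly as 'show ip eigrp topology' prints it:
    the FD line, then successors and feasible successors as 'via (FD/AD)'
    lines. Non-feasible paths only appear with the all-links keyword."""
    successors, feasible, _ = classify(paths)
    lines = [f"P {prefix}, {len(successors)} successors, FD is {successors[0].fd}"]
    for p in successors + feasible:
        lines.append(f"        via {p.neighbor} ({p.fd}/{p.ad})")
    return lines


# Constructed paths to 172.16.0.0/24 as seen from this router.
PATHS_172_16 = [
    Path("R2", ad=10, link_cost=10),  # FD 20 -> Successor
    Path("R3", ad=15, link_cost=10),  # FD 25, AD 15 < 20 -> Feasible Successor
    Path("R4", ad=22, link_cost=1),   # FD 23, lower than R3's, but AD 22 >= 20 -> NOT feasible
]


if __name__ == "__main__":
    print("\n".join(show_topology("172.16.0.0/24", PATHS_172_16)))
    print("lose R2 ->", successor_lost(PATHS_172_16, "R2"))
    print("lose R2 with only R4 left ->",
          successor_lost([PATHS_172_16[0], PATHS_172_16[2]], "R2"))
```

R4 is the instructive case: its FD (23) is lower than R3's (25), yet only R3 is a Feasible Successor, because R4's AD of 22 is not below the Successor's FD of 20. If R2 goes away with R4 as the only alternative, the route goes Active and Queries are sent instead of R4 being trusted blindly.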



My First Post

I am going to use this site as a blog of my adventures as a Network Engineer. I am creating this blog to keep all of my notes in one place.

I am currently working on my CCNP Route exam and I am sure my first few posts will start down that path. I already have quite a few notes to upload, so hopefully everyone enjoys this content.

I am also going to put up notes from the everyday random networking that I run into. I try to include some type of config when possible, but it might take a little while to figure out what I am doing.

Thanks for reading,
nethero