Saturday, January 21, 2017

IP ALIAS

To access a router we generally use its console port, and in a lab or office that is a safe enough environment. The question is what to do when the routers whose consoles we need are remotely located. A terminal server with reverse Telnet works, but it is not very safe: Telnet carries the credentials and the whole console session across the network in cleartext. This is where IP ALIAS comes in.

Let's have a quick look at how our setup will look.

Firstly, we insert a ‘HWIC-16A’ (Cisco 16-Port Asynchronous High-Speed WAN Interface Card) into an ISR router that sits close to the remote devices we want to reach (in my case a CISCO2921/K9 local to the remote setup). Once the HWIC-16A is up, you can verify it with ‘show ip interface brief’.

As seen here, Async0/1/0 - Async0/1/15 are the interfaces that appeared because of the module.

ISR-2921#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/0         9.45.66.198     YES NVRAM  up                    up      
GigabitEthernet0/1         19.0.0.108      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/2/0       unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3/0       unassigned      YES unset  administratively down down    
GigabitEthernet0/3/1       unassigned      YES unset  administratively down down    
GigabitEthernet0/3/2       unassigned      YES unset  administratively down down    
GigabitEthernet0/3/3       unassigned      YES unset  administratively down down    
GigabitEthernet1/0         unassigned      YES NVRAM  administratively down down    
GigabitEthernet1/1         unassigned      YES unset  up                    up      
Async0/1/0                 unassigned      YES unset  down                  down    
Async0/1/1                 unassigned      YES unset  down                  down    
Async0/1/2                 unassigned      YES unset  down                  down    
Async0/1/3                 unassigned      YES unset  down                  down    
Async0/1/4                 unassigned      YES unset  down                  down    
Async0/1/5                 unassigned      YES unset  down                  down    
Async0/1/6                 unassigned      YES unset  down                  down    
Async0/1/7                 unassigned      YES unset  down                  down    
Async0/1/8                 unassigned      YES unset  down                  down    
Async0/1/9                 unassigned      YES unset  down                  down    
Async0/1/10                unassigned      YES unset  down                  down    
Async0/1/11                unassigned      YES unset  down                  down    
Async0/1/12                unassigned      YES unset  down                  down    
Async0/1/13                unassigned      YES unset  down                  down    
Async0/1/14                unassigned      YES unset  down                  down    
Async0/1/15                unassigned      YES unset  down                  down    
Loopback0                  172.24.131.161  YES NVRAM  up                    up      
Loopback1                  unassigned      YES unset  up                    up      
Vlan1                      unassigned      YES unset  up                    up      
ISR-2921#

We can also check with ‘show line’:

ISR-2921#show line     
*Jan 21 07:45:31.630: %SYS-5-CONFIG_I: Configured from console by cisco on console
ISR-2921#show line 
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*     0    0 CTY              -    -      -    -    -     0      0    0/0      -
      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
      2    2 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/0   19 TTY   9600/9600  -    -      -    -    -     2      0    0/0      -
  0/1/1   20 TTY   9600/9600  -    -      -    -    -     3      0    0/0      -
  0/1/2   21 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/3   22 TTY   9600/9600  -    -      -    -    -     0      1    0/0      -
  0/1/4   23 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/5   24 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/6   25 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/7   26 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/8   27 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/9   28 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/10   29 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/11   30 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/12   31 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/13   32 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/14   33 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/15   34 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
     67   67 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
    388  388 VTY              -    -      -    -    -     2      0    0/0      -
    389  389 VTY              -    -      -    -    -     0      0    0/0      -
    390  390 VTY              -    -      -    -    -     0      0    0/0      -
    391  391 VTY              -    -      -    -    -     0      0    0/0      -
    392  392 VTY              -    -      -    -    -     0      0    0/0      -
    393  393 VTY              -    -      -    -    -     0      0    0/0      -

Line(s) not in async mode -or- with no hardware support: 
3-18, 35-66, 68-387

ISR-2921#

Line 0/1/0 - line 0/1/15 (absolute line numbers 19 - 34) are added by the module.

NOTE: Before inserting the HWIC-16A it’s best to power off the ISR router (that is what I do anyway)

Secondly, we need the ‘CAB-HD8-ASYNC’ octal cable, which fans out into eight RJ-45 connectors (one cable per eight ports of the HWIC-16A); these plug into the console ports of the remote routers around this ISR.

With this, we can reach the remote routers' consoles with the usual reverse Telnet: ‘telnet <ISR’s reachable IP address> <2000 + absolute line number>’, e.g. port 2019 for line 19 (Async0/1/0).

Example of this kind of connection -

ISR-2921#show running-config interface GigabitEthernet 0/1
Building configuration...

Current configuration : 156 bytes
!
interface GigabitEthernet0/1
 description reachable IP address
 ip address 19.0.0.108 255.0.0.0
 duplex auto
 speed auto
end

ISR-2921#

ISR-2921#show running-config | section username
username user1 privilege 15 password 0 xxxxxxxx
ISR-2921#

On a remote linux client:

[root@pool-100-1-1-100 ~]# telnet 19.0.0.108 2019
Trying 19.0.0.108...
Connected to 19.0.0.108 (19.0.0.108).
Escape character is '^]'.


User Access Verification

Username: user1
Password: 

SW-7606>

The above way of accessing the remote routers has two inherent problems:
01. Usage of telnet (credentials and the console session cross the network in cleartext)
02. You have to remember the line numbers (2019, 2020, ...)

(A side note on the ‘show running-config | section username’ output above: ‘password 0’ stores a cleartext type 0 password; use ‘username user1 privilege 15 secret ...’ instead.)

To use SSH instead of telnet, and to avoid remembering the line numbers, we make use of the IP ALIAS.

The configuration is fairly simple and takes three steps:

1. Configure - ip ssh port <starting port> rotary <low> [<high>]

2. Configure - ip alias <reachable IP address> <port value> ! this port value must be one of the ports allocated in Step #1

3. Configure - under the line (0/1/0 - 0/1/15): rotary <value> ! this value must be within the rotary range from Step #1

Example of making an IP ALIAS connection -

Step #1.

ISR-2921(config)#ip ssh port ?
  <2000-10000>  Starting Port number

ISR-2921(config)#
ISR-2921(config)#ip ssh port 3001 rotary ?
  <1-127>  Low (or only) Rotary group number

ISR-2921(config)#ip ssh port 3001 rotary 1 20
ISR-2921(config)#

Step #2.

ISR-2921(config)#ip alias 19.0.0.109 ?
  <1-65535>  IP port number

ISR-2921(config)#ip alias 19.0.0.109 3001
ISR-2921(config)#

Notice that the 19.0.0.109 address given to ‘ip alias’ is now answered by the router: it is ping-able and shows up as a local (L) /32 route on GigabitEthernet0/1 in ‘show ip route’. The alias must be an unused address on the same subnet as the interface address (19.0.0.108/8 here):

ISR-2921#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      9.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        9.45.0.0/16 is directly connected, GigabitEthernet0/0
L        9.45.66.198/32 is directly connected, GigabitEthernet0/0
      19.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        19.0.0.0/8 is directly connected, GigabitEthernet0/1
L        19.0.0.108/32 is directly connected, GigabitEthernet0/1
L        19.0.0.109/32 is directly connected, GigabitEthernet0/1
      172.24.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.24.131.160/27 is directly connected, Loopback0
L        172.24.131.161/32 is directly connected, Loopback0
L        172.24.131.162/32 is directly connected, Loopback0
      202.153.144.0/32 is subnetted, 1 subnets
S        202.153.144.25 [1/0] via 9.45.0.1
ISR-2921#

Step #3.

ISR-2921(config)#line 0/1/0
ISR-2921(config-line)#rotary 1
ISR-2921(config-line)# 

After the rotary configuration you can see it in the ‘Roty’ column of ‘show line’:

ISR-2921#show line 
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*     0    0 CTY              -    -      -    -    -     0      0    0/0      -
      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
      2    2 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/0   19 TTY   9600/9600  -    -      1    -    -     5      0    0/0      -
  0/1/1   20 TTY   9600/9600  -    -      -    -    -     3      0    0/0      -
  0/1/2   21 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/3   22 TTY   9600/9600  -    -      -    -    -     0      1    0/0      -
  0/1/4   23 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/5   24 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/6   25 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/7   26 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/8   27 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
  0/1/9   28 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/10   29 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/11   30 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/12   31 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/13   32 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/14   33 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
 0/1/15   34 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
     67   67 TTY   9600/9600  -    -      -    -    -     0      0    0/0      -
    388  388 VTY              -    -      -    -    -     2      0    0/0      -
    389  389 VTY              -    -      -    -    -     0      0    0/0      -
    390  390 VTY              -    -      -    -    -     0      0    0/0      -
    391  391 VTY              -    -      -    -    -     0      0    0/0      -
    392  392 VTY              -    -      -    -    -     0      0    0/0      -
    393  393 VTY              -    -      -    -    -     0      0    0/0      -

Line(s) not in async mode -or- with no hardware support: 
3-18, 35-66, 68-387

ISR-2921#

On a remote linux client:

[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
ssh: connect to host 19.0.0.109 port 22: Connection refused
[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
The authenticity of host '19.0.0.109 (19.0.0.109)' can't be established.
RSA key fingerprint is e9:12:7c:54:ad:68:a6:e6:d2:fe:c8:cf:59:10:3c:5c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '19.0.0.109' (RSA) to the list of known hosts.
Password: 

SW-7606>

A bit on the configuration now:

‘ip ssh port 3001 rotary 1 20’:
- SSH listens on ports 3001 - 3020, with port 3001 bound to rotary group 1, 3002 to rotary group 2, and so on up to 3020 for rotary group 20
‘ip alias 19.0.0.109 3001’:
- any TCP connection to 19.0.0.109 (the client above used the default SSH port 22) is handed to port 3001 on the router
under line 0/1/0, ‘rotary 1’:
- this puts line 0/1/0 (number 19) in rotary group 1, the group port 3001 maps to, so the chain is 19.0.0.109 -> port 3001 -> rotary 1 -> line 0/1/0

Now, to show the relation between the port and the rotary: if I change the rotary value from 1 to 20, the alias port has to follow (3001 + 19 = 3020), otherwise the alias lands on a rotary group with no line in it:

ISR-2921(config)#line 0/1/0
ISR-2921(config-line)#rotary 20
ISR-2921(config-line)#

ISR-2921(config)#ip alias 19.0.0.109 3020 ! 3001 changed to 3020
ISR-2921(config)#

[root@pool-100-1-1-100 ~]# ssh user1@19.0.0.109
Password: 

SW-7606>
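To tie the three pieces together, here is an added example (my own code, not part of the original post) that parses the relevant lines out of a saved running-config and checks that every ‘ip alias’ port falls inside the ‘ip ssh port ... rotary’ range, that the resulting rotary group actually has a line in it, and that those lines only accept SSH and carry an access-class. SAMPLE_CONFIG is a constructed sample modelled on the ISR-2921 above; the 19.0.0.110/.111 aliases and the ‘transport input’ / ‘access-class’ lines are assumptions added to show what the checker flags.

```python
"""Check the 'ip alias' -> 'ip ssh port ... rotary' -> 'line ... rotary' chain of a
Cisco IOS terminal server and flag lines that still admit non-SSH access.
Added example, not from the original post."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the post's ISR-2921.  The 19.0.0.110/.111 aliases and
# the 'transport input' / 'access-class' lines are assumptions that exercise the checks.
SAMPLE_CONFIG = """\
ip ssh version 2
ip ssh port 3001 rotary 1 20
ip alias 19.0.0.109 3001
ip alias 19.0.0.110 3002
ip alias 19.0.0.111 3025
!
line 0/1/0
 rotary 1
 transport input ssh
 access-class 10 in
line 0/1/1
 rotary 2
 transport input telnet ssh
line 0/1/2
 rotary 3
"""

@dataclass
class LineCfg:
    name: str
    rotary: Optional[int] = None
    transport_input: List[str] = field(default_factory=list)
    access_class: Optional[str] = None

def parse_ssh_rotary(cfg: str) -> Optional[Tuple[int, int, int]]:
    """'ip ssh port B rotary L [H]' -> (B, L, H); H defaults to L."""
    m = re.search(r"^ip ssh port (\d+) rotary (\d+)(?: (\d+))?\s*$", cfg, re.M)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or m.group(2))

def parse_aliases(cfg: str) -> Dict[str, int]:
    return {ip: int(p) for ip, p in re.findall(r"^ip alias (\S+) (\d+)", cfg, re.M)}

def parse_lines(cfg: str) -> Dict[str, LineCfg]:
    """Collect rotary / transport input / access-class from each 'line ...' block."""
    lines: Dict[str, LineCfg] = {}
    cur: Optional[LineCfg] = None
    for raw in cfg.splitlines():
        words = raw.split()
        if raw.startswith("line ") and len(words) > 1:
            name = raw[5:].strip()
            cur = lines.setdefault(name, LineCfg(name))
        elif cur is not None and raw.startswith(" ") and words:
            if words[0] == "rotary":
                cur.rotary = int(words[1])
            elif words[:2] == ["transport", "input"]:
                cur.transport_input = words[2:]
            elif words[0] == "access-class":
                cur.access_class = words[1]
        else:
            cur = None  # any unindented line ends the block
    return lines

def port_to_rotary(port: int, base: int, low: int, high: int) -> Optional[int]:
    """Port base -> rotary low, base+1 -> low+1, ...; None when port is outside the range."""
    rotary = low + (port - base)
    return rotary if low <= rotary <= high else None

def rotary_to_port(rotary: int, base: int, low: int) -> int:
    """Inverse: with 'ip ssh port 3001 rotary 1 20', rotary 20 is reached on port 3020."""
    return base + (rotary - low)

def audit(cfg: str) -> Dict[str, object]:
    """Return {'mapping': {alias: (port, rotary, [line names])}, 'findings': [str, ...]}."""
    findings: List[str] = []
    mapping: Dict[str, Tuple[int, Optional[int], List[str]]] = {}
    ssh = parse_ssh_rotary(cfg)
    if ssh is None:
        findings.append("no 'ip ssh port ... rotary'; no alias can reach a line over SSH")
        return {"mapping": mapping, "findings": findings}
    base, low, high = ssh
    if not re.search(r"^ip ssh version 2\s*$", cfg, re.M):
        findings.append("'ip ssh version 2' not set")
    lines = parse_lines(cfg)
    by_rotary: Dict[int, List[str]] = {}
    for ln in lines.values():
        if ln.rotary is not None:
            by_rotary.setdefault(ln.rotary, []).append(ln.name)
    for ip, port in parse_aliases(cfg).items():
        rotary = port_to_rotary(port, base, low, high)
        members = by_rotary.get(rotary, []) if rotary is not None else []
        mapping[ip] = (port, rotary, members)
        if rotary is None:
            findings.append(f"alias {ip} -> port {port} is outside the SSH rotary ports "
                            f"{base}-{rotary_to_port(high, base, low)}")
        elif not members:
            findings.append(f"alias {ip} -> port {port} -> rotary {rotary}: no line has 'rotary {rotary}'")
    for ln in lines.values():
        if ln.rotary is None:
            continue
        if not ln.transport_input:
            findings.append(f"line {ln.name}: no explicit 'transport input'; set 'transport input ssh'")
        elif ln.transport_input != ["ssh"]:
            findings.append(f"line {ln.name}: transport input {' '.join(ln.transport_input)} still admits non-SSH access")
        if ln.access_class is None:
            findings.append(f"line {ln.name}: no 'access-class' limiting who may reach the console")
    return {"mapping": mapping, "findings": findings}

if __name__ == "__main__":  # python alias_check.py [saved 'show running-config' output]
    result = audit(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG)
    for ip, (port, rotary, names) in result["mapping"].items():
        print(f"{ip} -> port {port} -> rotary {rotary} -> line(s) {names or 'NONE'}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the sample, the first alias resolves cleanly to line 0/1/0, the second resolves to line 0/1/1 but is flagged because that line still accepts Telnet and has no access-class, and the third is flagged because port 3025 lies outside the 3001 - 3020 block that ‘rotary 1 20’ allocates. Pointing it at a saved ‘show running-config’ gives the same report for a real terminal server.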

With this I would like to conclude this small write up on ‘ip alias’.

NOTE: For SSH to work on the router you need an RSA key pair (‘crypto key generate rsa’, with a modulus of at least 2048 bits) and ‘ip ssh version 2’. Also note that enabling the SSH rotary does not switch the old reverse Telnet path off: port 2019 keeps answering until the async lines are restricted with ‘transport input ssh’, and an ‘access-class’ on those lines limits which source addresses may reach the consoles at all.

Tuesday, October 14, 2014

VXLAN - Unicast

With the release of IOS XE 3.13, VXLAN gets a much awaited unicast flavor. The configuration doesn't change much [except for the obvious: there is no multicast configuration]. 

Apart from adding unicast mode support for VXLAN, they have also changed the UDP port number. Initially the port was the same as the one used by OTV; now it is the IANA-assigned VXLAN port (4789), as shown at the end of this post.

Let's look at these in the sections below:

To start off with, the topology; this remains the same as the one seen in the vxlan-basics post [however, I have replaced the ASR1K core router with yet another CSR1000v].



The basic router reachability configurations are shown below:

Router1:

router ospf 11
 router-id 11.11.11.1

interface GigabitEthernet4
 description connected to the CORE
 ip address 100.1.1.2 255.255.255.0
 ip ospf 11 area 11
 no shutdown

interface GigabitEthernet3
 description connected to VM1
 no shutdown
 service instance 11 ethernet
  encapsulation dot1q 11
  rewrite ingress tag pop 1 symmetric

interface Loopback11
 ip address 11.11.11.11 255.255.255.255
 ip ospf 11 area 11


Router2:

router ospf 11
 router-id 11.11.11.3

interface GigabitEthernet4
 description connected to the CORE
 ip address 101.1.1.2 255.255.255.0
 ip ospf 11 area 11
 no shutdown

interface GigabitEthernet3
 description connected to VM2
 no shutdown
 service instance 11 ethernet
  encapsulation dot1q 11
  rewrite ingress tag pop 1 symmetric

interface Loopback11
 ip address 12.12.12.12 255.255.255.255
 ip ospf 11 area 11


CORE [the core router is there only to provide IP connectivity between the two VTEPs]:

router ospf 11
 router-id 11.11.11.2
interface GigabitEthernet2
 description connected to Router1
 ip address 100.1.1.1 255.255.255.0
 ip ospf 11 area 11
 no shutdown

interface GigabitEthernet3
 description connected to Router2
 ip address 101.1.1.1 255.255.255.0
 ip ospf 11 area 11
 no shutdown



Next, we will look at the 'nve' configuration:

On Router1:

interface nve11
 no shutdown
 member vni 5011
  ingress-replication 12.12.12.12 ! this is the new command
 source-interface Loopback11


After that, we finally configure the bridge-domain members, so that the local service instance and the VNI are bridged together and MAC learning works across both.

On Router1:

bridge-domain 11
 member vni 5011
 member GigabitEthernet3 service-instance 11


On Router2:

interface nve11
 no shutdown
 member vni 5011
  ingress-replication 11.11.11.11
 source-interface Loopback11
bridge-domain 11
 member vni 5011
 member GigabitEthernet3 service-instance 11



As seen above, the new command is ‘ingress-replication’, a sub-command of ‘member vni’: it replaces the multicast group with the unicast address of the remote VTEP (its nve source loopback), so BUM traffic is head-end replicated to each listed peer. 

That concludes our configuration; we verify it by sending traffic between VM1 and VM2.
NOTE: VM1's IP - 130.1.1.101 and VM2's IP - 130.1.1.100

Before the ping, on Router1:

Router1#show bridge-domain 11
Bridge-domain 11 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
    GigabitEthernet3 service instance 11
    vni 5011
   AED MAC address    Policy  Tag       Age  Pseudoport
   1   FFFF.FFFF.FFFF flood   static    0    OLIST_PTR:0xe80e3000

Router1#


[root@localhost ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:56:B1:3F:71 
          inet addr:130.1.1.101  Bcast:130.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb1:3f71/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:439572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:124674203 (118.8 MiB)  TX bytes:804428 (785.5 KiB)
          Base address:0x2000 Memory:fd5c0000-fd5e0000


[root@localhost ~]#

[root@localhost ~]# ping 130.1.1.100 -c 5
PING 130.1.1.100 (130.1.1.100) 56(84) bytes of data.
64 bytes from 130.1.1.100: icmp_seq=1 ttl=64 time=5.57 ms
64 bytes from 130.1.1.100: icmp_seq=2 ttl=64 time=1.76 ms
64 bytes from 130.1.1.100: icmp_seq=3 ttl=64 time=1.85 ms
64 bytes from 130.1.1.100: icmp_seq=4 ttl=64 time=2.36 ms
64 bytes from 130.1.1.100: icmp_seq=5 ttl=64 time=2.03 ms

--- 130.1.1.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 1.763/2.718/5.573/1.443 ms
[root@localhost ~]# 


Post the ping, on Router1:

Router1#show bridge-domain 11
Bridge-domain 11 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
    GigabitEthernet3 service instance 11
    vni 5011
   AED MAC address    Policy  Tag       Age  Pseudoport
   0   0050.56B1.6619 forward dynamic   265  nve11.VNI5011, VxLAN --> VM2's MAC
                                             src: 11.11.11.11 dst: 12.12.12.12
   0   0050.56B1.3F71 forward dynamic   265  GigabitEthernet3.EFP11 --> VM1's MAC
   1   FFFF.FFFF.FFFF flood   static    0    OLIST_PTR:0xe80e3000

Router1#


Now, let us quickly look at the port which is being used by VXLAN:

Router1#show platform software vxlan F0 udp-port
VXLAN UDP Port: 4789

Router1#



As seen, the port number has changed. So, if there is a firewall between the VTEPs, UDP 4789 needs to be allowed, else one will see drops. Two related points worth remembering: VXLAN carries no authentication or encryption of its own (RFC 7348 leaves that to the underlay), and with ingress replication the peers are statically configured, so the rule should permit UDP 4789 only between the known VTEP addresses (here 11.11.11.11 and 12.12.12.12) rather than from any source; it is the underlay filtering, not the encapsulation, that keeps foreign frames out of bridge-domain 11.
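Since the only thing a firewall in the core sees is the outer IP/UDP/VXLAN headers, here is an added example (my own code, not from the original post or from the IOS XE image) that builds the encapsulation Router1 uses towards Router2 for a VM1 -> VM2 frame, parses it back, and applies a filter that permits UDP 4789 only between the two known VTEPs. The VTEP addresses, the VNI and the MAC addresses are the ones from the outputs above; the inner payload, the TTL and the UDP source-port derivation are constructed assumptions.

```python
"""VXLAN encapsulation as used on the Router1 -> Router2 ingress-replication path.
Added example, not from the original post: builds the outer IPv4/UDP/VXLAN headers
around a VM1 -> VM2 Ethernet frame, parses them back, and applies a VTEP-pair filter."""
import socket
import struct
import zlib
from typing import Dict, Set, Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned port, matches 'show platform software vxlan F0 udp-port'
VXLAN_FLAG_I = 0x08     # 'I' bit: the VNI field is valid
VNI = 5011
VTEP_ROUTER1, VTEP_ROUTER2 = "11.11.11.11", "12.12.12.12"  # nve source loopbacks from the post
VM1_MAC, VM2_MAC = "0050.56B1.3F71", "0050.56B1.6619"      # from 'show bridge-domain 11'

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_ethernet(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

# Constructed inner frame: the payload is a placeholder, not a real ICMP echo.
INNER_FRAME = build_ethernet(VM2_MAC, VM1_MAC, 0x0800,
                             b"constructed payload from VM1 to VM2".ljust(46, b"\x00"))

def ipv4_checksum(data: bytes) -> int:
    """Ones'-complement sum; a header with a valid checksum sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def build_vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)

def encapsulate(inner: bytes, vni: int, outer_src: str, outer_dst: str) -> bytes:
    """Outer IPv4 + UDP(4789) + VXLAN around an inner Ethernet frame (no outer Ethernet)."""
    # Source port derived from the inner Ethernet header so ECMP can spread flows (assumed policy).
    sport = 49152 + zlib.crc32(inner[:14]) % 16384
    vxlan = build_vxlan_header(vni) + inner
    udp = struct.pack("!HHHH", sport, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan  # UDP csum 0 allowed
    return build_ipv4(outer_src, outer_dst, udp)

def decapsulate(packet: bytes) -> Dict[str, object]:
    """Validate outer headers and return the fields a firewall or a VTEP would look at."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP port {dport} is not VXLAN ({VXLAN_UDP_PORT})")
    flags, vni_field = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    inner = packet[ihl + 16:ihl + ulen]
    return {"outer_src": socket.inet_ntoa(packet[12:16]), "outer_dst": socket.inet_ntoa(packet[16:20]),
            "udp_src": sport, "udp_dst": dport, "vni": vni_field >> 8,
            "inner_dst_mac": mac_str(inner[:6]), "inner_src_mac": mac_str(inner[6:12]),
            "inner_frame": inner}

def vtep_filter(fields: Dict[str, object], allowed_pairs: Set[Tuple[str, str]]) -> bool:
    """What the firewall between the VTEPs should enforce: UDP 4789 only between known VTEP pairs."""
    return fields["udp_dst"] == VXLAN_UDP_PORT and (fields["outer_src"], fields["outer_dst"]) in allowed_pairs

if __name__ == "__main__":
    pkt = encapsulate(INNER_FRAME, VNI, VTEP_ROUTER1, VTEP_ROUTER2)
    f = decapsulate(pkt)
    print(f"{f['outer_src']} -> {f['outer_dst']} udp/{f['udp_dst']} vni {f['vni']} "
          f"inner {f['inner_src_mac']} -> {f['inner_dst_mac']} ({len(pkt)} bytes on the wire)")
    print("allowed:", vtep_filter(f, {(VTEP_ROUTER1, VTEP_ROUTER2), (VTEP_ROUTER2, VTEP_ROUTER1)}))
```

The 50-byte overhead (20 IPv4 + 8 UDP + 8 VXLAN, plus the outer Ethernet header on the wire) is also why the underlay MTU has to be raised for the 1500-byte frames VM1 sends; the parser refuses anything that is not UDP 4789 with the I flag set, which is exactly the traffic a firewall between the two VTEPs has to let through, and only between those two addresses.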

This ends this brief overview of VXLAN - Unicast. Hope this post has been helpful.

The image used for demonstrating the above has been: Cisco IOS XE Software, Version 03.13.00.S - Extended Support Release