F5 BIG-IP MAC address wrong

Recently I was tracing the physical connection path between a Cisco switch and a BIG-IP. After looking around on the Cisco switch and on the BIG-IP, I assumed the cabling was one way, but it turned out to be completely different, which left me quite confused.

In the screenshot above, Gi0/2 shows MAC address 0ac6 and Gi0/4 shows MAC address 0ac4.

In the screenshot below, Gi0/2 appears to connect to 1.5 and Gi0/4 to 1.3, but tracing the Layer 1 cabling gave a completely different result.

From the F5 documentation I learned that once VLANs are configured, the MAC addresses are reassigned per VLAN. Running the following command on the F5 BIG-IP shows the correct assignment of interfaces to MAC addresses:

tmsh show net vlan | grep -i "Mac\|Net::Vlan"

The correct mapping is:

Cisco interface Gi0/2 = 0ac6 = F5 BIG-IP interface 1.2

Cisco interface Gi0/4 = 0ac4 = F5 BIG-IP interface 1.4

https://support.f5.com/csp/article/K14513

Cisco GRE tunnel with Encryption

Basic topology setup

PC1

no ip routing
ip default-gateway 192.168.0.254
int e0/0
no shut
ip add 192.168.0.11 255.255.255.0

PC2

no ip routing
ip default-gateway 192.168.2.254
int e0/0
no shut
ip add 192.168.2.11 255.255.255.0

Internet

int e0/0
no shut
ip add 202.80.1.2 255.255.255.0
int e0/1
no shut
ip add 202.100.1.2 255.255.255.0

router eigrp 1
no auto
network 202.80.1.0 0.0.0.255
network 202.100.1.0 0.0.0.255

R1

int e0/0
no shut
ip add 202.80.1.1 255.255.255.0
int e0/1
no shut
ip add 192.168.0.254 255.255.255.0

router eigrp 1
no auto
network 202.80.1.0 0.0.0.255

R2

int e0/0
no shut
ip add 202.100.1.1 255.255.255.0
int e0/1
no shut
ip add 192.168.2.254 255.255.255.0

router eigrp 1
no auto
network 202.100.1.0 0.0.0.255

After configuring the IPs and routing above, R1 can ping 202.100.1.1 and R2 can ping 202.80.1.1. Next, configure a tunnel without encryption.

R1

int t0
ip add 10.0.0.1 255.255.255.252
tunnel source 202.80.1.1
tunnel destination 202.100.1.1

ip route 192.168.2.0 255.255.255.0 t0

R2

int t0
ip add 10.0.0.2 255.255.255.252
tunnel source 202.100.1.1
tunnel destination 202.80.1.1

ip route 192.168.0.0 255.255.255.0 t0

Once this is configured, PC1 can ping PC2. Now we configure the encryption part:
1. First configure a transform-set
2. Then configure an IKEv2 profile
3. Configure an IPsec profile
4. Make Tunnel0 use the IPsec profile

R1

crypto ipsec transform-set VPN_test_transform-set esp-aes 256 esp-sha-hmac

crypto ikev2 keyring VPN_test_keyring
 peer 202.100.1.1
  address 202.100.1.1
  pre-shared-key 0987654321

crypto ikev2 profile VPN_test_profile
 match address local interface e0/0
 match identity remote address 202.100.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local VPN_test_keyring

crypto ipsec profile VPN_test
 set transform-set VPN_test_transform-set
 set pfs group2
 set ikev2-profile VPN_test_profile

interface Tunnel0
 ip unnumbered e0/0
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 tunnel source e0/0
 tunnel mode ipsec ipv4
 tunnel destination 202.100.1.1
 tunnel protection ipsec profile VPN_test

R2

crypto ipsec transform-set VPN_test_transform-set esp-aes 256 esp-sha-hmac

crypto ikev2 keyring VPN_test_keyring
 peer 202.80.1.1
  address 202.80.1.1
  pre-shared-key 0987654321

crypto ikev2 profile VPN_test_profile
 match address local interface e0/0
 match identity remote address 202.80.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local VPN_test_keyring

crypto ipsec profile VPN_test
 set transform-set VPN_test_transform-set
 set pfs group2
 set ikev2-profile VPN_test_profile

interface Tunnel0
 ip unnumbered e0/0
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 tunnel source e0/0
 tunnel mode ipsec ipv4
 tunnel destination 202.80.1.1
 tunnel protection ipsec profile VPN_test

When I ran into problems, I used the following commands to find the cause:

debug tunnel
show crypto ikev2 sa
show crypto ipsec sa
show crypto session detail

Cisco Private vLAN

PC1

no ip routing
int e0/0
no shut
ip add 192.168.0.1 255.255.255.0

PC2

no ip routing
int e0/0
no shut
ip add 192.168.0.2 255.255.255.0

PC3

no ip routing
int e0/0
no shut
ip add 192.168.0.3 255.255.255.0

PC4

no ip routing
int e0/0
no shut
ip add 192.168.0.4 255.255.255.0

Server1

no ip routing
int e0/0
no shut
ip add 192.168.0.254 255.255.255.0

The first thing to note with Private VLANs is that the VTP mode must be changed; if you are not familiar with this, read up on it first.

SW1

vtp mode transparent

vlan 500
private-vlan primary
private-vlan association 501-502

vlan 501
private-vlan community

vlan 502
private-vlan isolated

interface range g0/0-1
switchport mode private-vlan host
switchport private-vlan host-association 500 501

interface range g0/2-3
switchport mode private-vlan host
switchport private-vlan host-association 500 502

interface g1/0
switchport mode private-vlan promiscuous
switchport private-vlan mapping 500 501-502

Since PC1 and PC2 are in community VLAN 501, they can reach each other, and they can also reach Server1 on the promiscuous port.

Same result as for PC1.

PC3 and PC4 are in isolated VLAN 502, so they cannot reach anyone, including PC1 and PC2, but they can reach Server1 on the promiscuous port.

Same result as for PC3.

Server1 is on the promiscuous port in VLAN 500, so it can reach all of the PCs.
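As an added example (not part of the original post), the three reachability rules just described, encoded over the port roles from the SW1 configuration above; the PORTS table and the interface-to-PC assignment are constructed from that configuration:

```python
# Port roles taken from the SW1 configuration above: (mode, primary, secondary)
PORTS = {
    "PC1": ("host", 500, 501),              # g0/0, community VLAN 501
    "PC2": ("host", 500, 501),              # g0/1, community VLAN 501
    "PC3": ("host", 500, 502),              # g0/2, isolated VLAN 502
    "PC4": ("host", 500, 502),              # g0/3, isolated VLAN 502
    "Server1": ("promiscuous", 500, None),  # g1/0, mapping 500 501-502
}
SECONDARY_TYPE = {501: "community", 502: "isolated"}
# switchport private-vlan mapping on the promiscuous port (primary -> secondaries)
PROMISC_MAP = {500: {501, 502}}


def can_reach(src, dst):
    """Private VLAN forwarding rules: a promiscuous port reaches every mapped
    secondary VLAN, community hosts reach each other, and isolated hosts reach
    only promiscuous ports."""
    if src == dst:
        return True
    (m1, p1, s1), (m2, p2, s2) = PORTS[src], PORTS[dst]
    if p1 != p2:                        # different primary VLANs never meet
        return False
    if m1 == "promiscuous" or m2 == "promiscuous":
        sec = s2 if m1 == "promiscuous" else s1
        # promiscuous <-> promiscuous, or a host whose secondary VLAN is mapped
        return sec is None or sec in PROMISC_MAP[p1]
    if s1 != s2:                        # community 501 vs isolated 502
        return False
    return SECONDARY_TYPE[s1] == "community"   # isolated hosts can't see each other


def reachability_matrix():
    names = list(PORTS)
    return {a: {b: can_reach(a, b) for b in names} for a in names}


if __name__ == "__main__":
    for a, row in reachability_matrix().items():
        print(a.ljust(8), " ".join("ok" if ok else "--" for ok in row.values()))
```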

Useful commands

show interfaces fastEthernet 0/1 switchport
show interface fa0/24 switchport
show vlan private-vlan
show vlan private-vlan type

Cisco GRE Tunnel

R1

int f0/0
no shut
ip add 202.80.1.1 255.255.255.0

int f0/1
no shut
ip add 192.168.0.254 255.255.255.0

int t0
ip add 10.0.0.1 255.255.255.252
tunnel source 202.80.1.1
tunnel destination 202.80.1.2
ip route 192.168.2.0 255.255.255.0 t0

R2

int f0/0
no shut
ip add 202.80.1.2 255.255.255.0

int f0/1
no shut
ip add 192.168.2.254 255.255.255.0

int t0
ip add 10.0.0.2 255.255.255.252
tunnel source 202.80.1.2
tunnel destination 202.80.1.1
ip route 192.168.0.0 255.255.255.0 t0

PC1

no ip routing

ip default-gateway 192.168.0.254

int f0/0
no shut
ip add 192.168.0.11 255.255.255.0

PC2

no ip routing

ip default-gateway 192.168.2.254

int f0/0
no shut
ip add 192.168.2.11 255.255.255.0

GRE over IPsec encryption

R1

crypto isakmp policy 10
encryption 3des
hash md5
group 5
authentication pre-share
crypto isakmp key YourKey123 address 202.80.1.2

crypto ipsec transform-set YourTunnel esp-aes 256 esp-sha256-hmac
mode transport

crypto ipsec profile YourTunnel
set transform-set YourTunnel

int t0
tunnel mode ipsec ipv4
tunnel protection ipsec profile YourTunnel

R2

crypto isakmp policy 10
encryption 3des
hash md5
group 5
authentication pre-share
crypto isakmp key YourKey123 address 202.80.1.1

crypto ipsec transform-set YourTunnel esp-aes 256 esp-sha256-hmac
mode transport

crypto ipsec profile YourTunnel
set transform-set YourTunnel

int t0
tunnel mode ipsec ipv4
tunnel protection ipsec profile YourTunnel
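An added example, not from the original post: a small reviewer's check that walks the crypto lines from the two labs above and flags the legacy choices in the ISAKMP policy (3des, md5, group 5) as well as `set pfs group2` and `esp-sha-hmac` from the IKEv2 lab. The severity classification is my own review policy rather than a Cisco list, and SAMPLE_CONFIG is a constructed merge of the fragments shown above:

```python
import re

# Constructed sample: crypto fragments from the two labs above, merged into one text
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 5
 authentication pre-share
crypto ipsec transform-set YourTunnel esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set VPN_test_transform-set esp-aes 256 esp-sha-hmac
crypto ipsec profile VPN_test
 set pfs group2
"""

# Assumed review policy (mine, not Cisco's): reject outright vs. migrate when possible
WEAK = {
    "des": "DES: 56-bit key", "esp-des": "DES: 56-bit key",
    "3des": "3DES: 64-bit block (Sweet32), deprecated by NIST SP 800-131A",
    "esp-3des": "3DES: 64-bit block (Sweet32), deprecated by NIST SP 800-131A",
    "md5": "MD5: collision-broken hash", "esp-md5-hmac": "HMAC-MD5: MD5-based",
    "group1": "DH group 1: 768-bit modulus",
    "group2": "DH group 2: 1024-bit modulus (Logjam range)",
    "group5": "DH group 5: 1536-bit modulus, below the 2048-bit minimum",
}
LEGACY = {
    "esp-sha-hmac": "HMAC-SHA1: not broken, but prefer esp-sha256-hmac",
}


def audit_crypto(config):
    """Return (line_no, severity, token, reason) for every weak or legacy token."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        # 'group 5' (isakmp policy) and 'set pfs group2' both normalise to 'groupN'
        line = re.sub(r"\bgroup\s+(\d+)\b", r"group\1", raw.strip().lower())
        for tok in line.split():
            if tok in WEAK:
                findings.append((no, "weak", tok, WEAK[tok]))
            elif tok in LEGACY:
                findings.append((no, "legacy", tok, LEGACY[tok]))
    return findings


if __name__ == "__main__":
    for no, sev, tok, why in audit_crypto(SAMPLE_CONFIG):
        print(f"line {no}: [{sev}] {tok} - {why}")
```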

EIGRP metric calculation

Default values:

K1 = K3 = 1
K2 = K4 = K5 = 0

Metric formula

Metric = 256*((K1*Scaled Bw) + (K2*Scaled Bw)/(256 - Load) + (K3*Scaled Delay)*(K5/(Reliability + K4)))

Since K2, K4 and K5 default to 0, the formula simplifies to:

Metric = 256*(Scaled Bw + Scaled Delay)

A digression: I tried substituting 1 and 0 into the original formula myself. If (K5/(Reliability + K4)) is 0, then (K3*Scaled Delay)*0 should be 0, so I don't know why Scaled Delay is still there after the simplification; the official documentation says so, so be it.

The minimum bandwidth (Bw) of the route, in kilobits per second. It can be 0 or any positive integer. The bandwidth for the formula is scaled and inverted by using the following formula:
Scaled Bw = (10^7/minimum bandwidth (Bw) in kilobits per second)

Route delay, in tens of microseconds
Scaled Delay = (Delay/10)

Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-s/ire-15-s-book/ire-wid-met.pdf

R1

int f0/0
no shut
ip add 192.168.12.1 255.255.255.0

router eigrp 1
no auto
network 192.168.12.0 0.0.0.255

R2

int f0/0
no shut
ip add 192.168.23.2 255.255.255.0

int f0/1
no shut
ip add 192.168.12.2 255.255.255.0

router eigrp 1
no auto
network 192.168.23.0 0.0.0.255
network 192.168.12.0 0.0.0.255

R3

int l0
no shut
ip add 192.168.10.3 255.255.255.0

int f0/1
no shut
ip add 192.168.23.3 255.255.255.0

router eigrp 1
no auto
network 192.168.10.0 0.0.0.255
network 192.168.23.0 0.0.0.255

The screenshot below checks whether the metric settings have been changed.

Since no metric settings were changed, the simplified formula can be used:

Metric = 256*(Scaled Bw + Scaled Delay)

Scaled Bw = (10^7/minimum bandwidth (Bw) in kilobits per second)
Scaled Delay = (Delay/10)

First, see how the FD for 192.168.0.0/24 is calculated:
Scaled Bw = 10^7/8000000 = 1.25, truncated to 1
Scaled Delay = 5000/10 = 500
Metric = 256*(1 + 500) = 128256

Next, 192.168.23.0/24:
Scaled Bw = 10^7/100000 = 100
Scaled Delay = 100/10 = 10
Metric = 256*(100 + 10) = 28160

Next, 192.168.0.0/24 as seen from R2 via R3: since this network is reached through next hop 192.168.23.3, the bandwidth is the minimum of the R2 and R3 links, and the delays are added together:
Scaled Bw = 10^7/100000 = 100
Scaled Delay = (100 + 5000)/10 = 510
Metric = 256*(100 + 510) = 156160

Finally, R1's FD to 192.168.0.0/24:

Scaled Bw = 10^7/100000 = 100
Scaled Delay = (100 + 100 + 5000)/10 = 520
Metric = 256*(100 + 520) = 158720

EIGRP offset-list

Currently the path from PC2 to PC1 is: PC2 -> R2 -> R1 -> PC1

Use an EIGRP offset-list to change the route to: PC2 -> R2 -> R3 -> R1 -> PC1

PC1

ip 10.1.1.10/24 10.1.1.1

PC2

ip 20.1.1.10/24 20.1.1.2

R1

int f0/0
no shut
ip add 12.1.1.1 255.255.255.0

int f0/1
no shut
ip add 13.1.1.1 255.255.255.0

int f1/0
no shut
ip add 10.1.1.1 255.255.255.0

router eigrp 1
no auto
network 12.1.1.0 0.0.0.255
network 13.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255

R2

int f0/0
no shut
ip add 12.1.1.2 255.255.255.0

int f0/1
no shut
ip add 23.1.1.2 255.255.255.0

int f1/0
no shut
ip add 20.1.1.2 255.255.255.0

router eigrp 1
no auto
network 12.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255

R3

int f0/0
no shut
ip add 13.1.1.3 255.255.255.0

int f0/1
no shut
ip add 23.1.1.3 255.255.255.0

router eigrp 1
no auto
network 13.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255

PC1 and PC2 can now ping each other, using the path with the lowest FD.

Now apply an offset-list on R2's f0/0, which faces R1, to increase the metric in the routes R2 advertises; since this applies to advertisements being sent, the direction is out.

R2

access-list 1 permit 10.1.1.0 0.0.0.255

router eigrp 1
offset-list 1 out 3000 f0/0

12.1.1.1 goes from the original 28160 up by 3000 to 31160, so it now ranks below 23.1.1.3.
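An added example (not from the original post) that carries the metric calculations and the offset-list section above through in code: the composite metric from the K-values, the minimum bandwidth and summed delay along a multi-hop path, and the offset added to an advertised metric. It also settles the digression above: Cisco's documentation states that the (K5/(Reliability + K4)) factor is only applied when K5 is non-zero, which is why Scaled Delay survives the simplification. The FastEthernet and Loopback bandwidth/delay values are the IOS defaults implied by the figures above and are constructed here:

```python
# Default K-values from the page: K1 = K3 = 1, K2 = K4 = K5 = 0
DEFAULT_K = (1, 0, 1, 0, 0)


def eigrp_metric(min_bw_kbps, total_delay_us, load=1, reliability=255, k=DEFAULT_K):
    """Classic EIGRP composite metric from the minimum bandwidth on the path
    (kbit/s) and the summed interface delay (microseconds)."""
    k1, k2, k3, k4, k5 = k
    scaled_bw = 10**7 // min_bw_kbps       # IOS truncates: 10^7/8000000 = 1.25 -> 1
    scaled_delay = total_delay_us // 10    # delay is counted in tens of microseconds
    m = k1 * scaled_bw + k3 * scaled_delay
    if k2:
        m += k2 * scaled_bw // (256 - load)
    if k5:  # per Cisco docs the reliability factor is applied only when K5 != 0
        m = int(m * k5 / (reliability + k4))
    return 256 * m


def path_metric(interfaces, offset=0):
    """interfaces: (bandwidth_kbps, delay_us) of each outbound interface between
    this router and the destination. Bandwidth is the minimum, delay the sum;
    an offset-list value is added to the finished metric, as in 28160 + 3000."""
    min_bw = min(bw for bw, _ in interfaces)
    total_delay = sum(d for _, d in interfaces)
    return eigrp_metric(min_bw, total_delay) + offset


# Constructed interface values matching the lab: FastEthernet 100000 kbit/s, 100 us;
# Loopback 8000000 kbit/s, 5000 us (IOS defaults)
FE = (100000, 100)
LO = (8000000, 5000)


def lab_metrics():
    return {
        "R3 loopback FD": path_metric([LO]),                  # 128256
        "R2 -> 192.168.23.0/24": path_metric([FE]),           # 28160
        "R2 -> loopback via R3": path_metric([FE, LO]),       # 156160
        "R1 -> loopback via R2, R3": path_metric([FE, FE, LO]),  # 158720
        "offset-list 3000 on 28160": path_metric([FE], offset=3000),  # 31160
    }


if __name__ == "__main__":
    for name, metric in lab_metrics().items():
        print(f"{name}: {metric}")
```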

Cisco Policy Based Routing(PBR)

PC1: 10.0.0.1
Server1: 192.168.5.1

(config)#access-list 100 permit ip host 10.0.0.1 host 192.168.5.1
(config)#route-map PC1toServer1 permit
(config-route-map)# match ip address 100
(config-route-map)# set ip next-hop 172.17.0.1
(config)#int e1/0
(config-if)#ip policy route-map PC1toServer1

# show route-map
route-map PC1toServer1, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 172.17.0.1
Policy routing matches: 9 packets, 540 bytes

#sh ip policy
Interface Route map
Ethernet1/0 PC1toServer1

GNS3 + Ubuntu

sudo add-apt-repository ppa:gns3/ppa
sudo apt update
sudo apt install gns3-gui gns3-server
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install gns3-iou
wget http://www.ipvanquish.com/download/CiscoIOUKeygen3f.py
python3 CiscoIOUKeygen3f.py

https://docs.gns3.com/docs/getting-started/installation/linux/

How to generate Cisco IOURC licence key on GNS3 VM with Python 3