capwap ap hostname AP1
capwap ap ip 10.20.30.11 255.255.255.0 10.20.30.254
capwap ap primary-base Controller1 10.20.30.200
Cisco
F5 BIG-IP mac address wrong
最近在追查Cisco與BIG-IP的Phyical連接路徑, 在Cisco switch和BIG-IP裏查看一番, 以為是這樣, 結果完全不一樣, 搞得自己很混亂
上圖看到Gi0/2的mac address是0ac6, Gi0/4的mac address是0ac4
下圖看到Gi0/2對應的應該是接1.5, Gi0/4的是接1.3, 但經過Layer 1的追查結果完全不同
在F5的資料看到原來設定vLan後, mac address會重新分配到vLan, 在F5 BIG-IP執行以下command就可以看到正確interface和mac address的分配
tmsh show net vlan | grep -i "Mac\|Net::Vlan"
正確的是這樣
Cisco interface Gi0/2 =0ac6 = F5 BIG-IP interface 1.2
Cisco interface Gi0/4 =0ac4 = F5 BIG-IP interface 1.4
https://support.f5.com/csp/article/K14513
Cisco GRE tunnel with Encryption
基本Topology設定
PC1
no ip routing ip default-gateway 192.168.0.254 int e0/0 no shut ip add 192.168.0.11 255.255.255.0
PC2
no ip routing ip default-gateway 192.168.2.254 int e0/0 no shut ip add 192.168.2.11 255.255.255.0
Internet
int e0/0 no shut ip add 202.80.1.2 255.255.255.0 int e0/1 no shut ip add 202.100.1.2 255.255.255.0 router eigrp 1 no auto network 202.80.1.0 0.0.0.255 network 202.100.1.0 0.0.0.255
R1
int e0/0 no shut ip add 202.80.1.1 255.255.255.0 int e0/1 no shut ip add 192.168.0.254 255.255.255.0 router eigrp 1 no auto network 202.80.1.0 0.0.0.255
R2
int e0/0 no shut ip add 202.100.1.1 255.255.255.0 int e0/1 no shut ip add 192.168.2.254 255.255.255.0 router eigrp 1 no auto network 202.100.1.0 0.0.0.255
設定好以上的IP和Routing後 R1已經可以ping 202.100.1.1, R2可以ping 202.80.1.1, 下面再設定沒有加密的Tunnel
R1
int t0 ip add 10.0.0.1 255.255.255.252 tunnel source 202.80.1.1 tunnel destination 202.100.1.1 ip route 192.168.2.0 255.255.255.0 t0
R2
int t0 ip add 10.0.0.2 255.255.255.252 tunnel source 202.100.1.1 tunnel destination 202.80.1.1 ip route 192.168.0.0 255.255.255.0 t0
設定好之後PC1可以ping到PC2, 之後我們再設定加密的部份
1. 先設定一個Transform-set
2. 再設定ikev2 profile
3. ipsec profile
4. 使Tunnel0使用ipsec profile
R1
crypto ipsec transform-set VPN_test_transform-set esp-aes 256 esp-sha-hmac crypto ikev2 keyring VPN_test_keyring peer 202.100.1.1 address 202.100.1.1 pre-shared-key 0987654321 crypto ikev2 profile VPN_test_profile match address local interface e0/0 match identity remote address 202.100.1.1 255.255.255.255 authentication local pre-share authentication remote pre-share keyring local VPN_test_keyring crypto ipsec profile VPN_test set transform-set VPN_test_transform-set set pfs group2 set ikev2-profile VPN_test_profile interface Tunnel0 ip unnumbered e0/0 ip virtual-reassembly in ip tcp adjust-mss 1350 tunnel source e0/0 tunnel mode ipsec ipv4 tunnel destination 202.100.1.1 tunnel protection ipsec profile VPN_test
R2
crypto ipsec transform-set VPN_test_transform-set esp-aes 256 esp-sha-hmac crypto ikev2 keyring VPN_test_keyring peer 202.80.1.1 address 202.80.1.1 pre-shared-key 0987654321 crypto ikev2 profile VPN_test_profile match address local interface e0/0 match identity remote address 202.80.1.1 255.255.255.255 authentication local pre-share authentication remote pre-share keyring local VPN_test_keyring crypto ipsec profile VPN_test set transform-set VPN_test_transform-set set pfs group2 set ikev2-profile VPN_test_profile interface Tunnel0 ip unnumbered e0/0 ip virtual-reassembly in ip tcp adjust-mss 1350 tunnel source e0/0 tunnel mode ipsec ipv4 tunnel destination 202.80.1.1 tunnel protection ipsec profile VPN_test
發生問題時, 我曾試用下面指令尋找原因
debug tunnel
show crypto ikev2 sa
show crypto ipsec sa
show crypto session detail
Cisco Private vLAN
PC1
no ip routing int e0/0 no shut ip add 192.168.0.1 255.255.255.0
PC2
no ip routing int e0/0 no shut ip add 192.168.0.2 255.255.255.0
PC3
no ip routing int e0/0 no shut ip add 192.168.0.3 255.255.255.0
PC4
no ip routing int e0/0 no shut ip add 192.168.0.4 255.255.255.0
Server1
no ip routing int e0/0 no shut ip add 192.168.0.254 255.255.255.0
Private vLan首先要注意的是必須更改VTP, 不清楚的就要先了解啦
SW1
vtp mode transparent vlan 500 private-vlan primary private-vlan association 501-502 vlan 501 private-vlan community vlan 502 private-vlan isolated interface range g0/0-1 switchport mode private-vlan host switchport private-vlan host-association 500 501 interface range g0/2-3 switchport mode private-vlan host switchport private-vlan host-association 500 502 interface g1/0 switchport mode private-vlan promiscuous switchport private-vlan mapping 500 501-502 由於PC1和PC2在community vLan 501, 所以可以互通, 另外還可以連通在promiscuous的Server1
結果和PC1一樣
PC3和PC4在isolated vLan 502, 所以不能連接, 包括PC1和PC2, 但是可以連通在promiscuous的Server1
結果和PC3一樣
Server1在promiscuous的vLan 500, 所以可以全部PC互通
useful command
show interfaces fastEthernet 0/1 switchport
show interface fa0/24 switchport
show vlan private-vlan
show vlan private-vlan type
Cisco GRE Tunnel
R1
int f0/0 no shut ip add 202.80.1.1 255.255.255.0 int f0/1 no shut ip add 192.168.0.254 255.255.255.0 int t0 ip add 10.0.0.1 255.255.255.252 tunnel source 202.80.1.1 tunnel destination 202.80.1.2
ip route 192.168.2.0 255.255.255.0 t0
R2
int f0/0 no shut ip add 202.80.1.2 255.255.255.0 int f0/1 no shut ip add 192.168.2.254 255.255.255.0 int t0 ip add 10.0.0.2 255.255.255.252 tunnel source 202.80.1.2 tunnel destination 202.80.1.1
ip route 192.168.0.0 255.255.255.0 t0
PC1
no ip routing ip default-gateway 192.168.0.254 int f0/0 no shut ip add 192.168.0.11 255.255.255.0
PC2
no ip routing ip default-gateway 192.168.2.254 int f0/0 no shut ip add 192.168.2.11 255.255.255.0
GRE over IPSec 加密
R1
crypto isakmp policy 10 encryption 3des hash md5 group 5 authentication pre-share crypto isakmp key YourKey123 address 202.80.1.2 crypto ipsec transform-set YourTunnel esp-aes 256 esp-sha256-hmac mode transport crypto ipsec profile YourTunnel set transform-set YourTunnel int t0 tunnel mode ipsec ipv4 tunnel protection ipsec profile YourTunnel
R2
crypto isakmp policy 10 encryption 3des hash md5 group 5 authentication pre-share crypto isakmp key YourKey123 address 202.80.1.1 crypto ipsec transform-set YourTunnel esp-aes 256 esp-sha256-hmac mode transport crypto ipsec profile YourTunnel set transform-set YourTunnel int t0 tunnel mode ipsec ipv4 tunnel protection ipsec profile YourTunnel
EIGRP Metric 計算
以下為預設value
K1 = K3 = 1
K2 = K4 = K5 = 0
Metric公式
Metric = 256*((K1*Scaled Bw) + (K2*Scaled Bw)/(256 – Load) + (K3*Scaled Delay)*(K5/(Reliability + K4)))
由於K2, K4, K5預設都是0的原因, 所以公式簡化如下
Metric = 256*(Scaled Bw + Scaled Delay)
離題一下, 我自己試過代入1和0到最原始的公式, (K5/(Reliability + K4))如果是0的話, 應該(K3*Scaled Delay)*0都是0, 不知道為什麼簡化後, Scaled Delay還在, 官方文件說有就有吧
The minimum bandwidth (Bw) of the route, in kilobits per second. It can be 0 or any positive integer. The bandwidth for the formula is scaled and inverted by using the following formula:
Scaled Bw = (10^7/minimum bandwidth (Bw) in kilobits per second)
Route delay, in tens of microseconds
Scaled Delay = (Delay/10)
Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/15-s/ire-15-s-book/ire-wid-met.pdf
R1
int f0/0 no shut ip add 192.168.12.1 255.255.255.0 router eigrp 1 no auto network 192.168.12.0 0.0.0.255
R2
int f0/0 no shut ip add 192.168.23.2 255.255.255.0 int f0/1 no shut ip add 192.168.12.2 255.255.255.0 router eigrp 1 no auto network 192.168.23.0 0.0.0.255 network 192.168.12.0 0.0.0.255
R3
int l0 no shut ip add 192.168.10.3 255.255.255.0 int f0/1 no shut ip add 192.168.23.3 255.255.255.0 router eigrp 1 no auto network 192.168.10.0 0.0.0.255 network 192.168.23.0 0.0.0.255
下圖查看有沒有更改metric設定
由於沒有看到metric的設定, 所以可以用簡化公式計算
Metric = 256*(Scaled Bw + Scaled Delay)
Scaled Bw = (10^7/minimum bandwidth (Bw) in kilobits per second)
Scaled Delay = (Delay/10)
先看192.168.0.0/24的FD是甚麼計算出來
BW = (10^7/8000000)=1.25=1
Delay = (5000/10)=500
Metric = 256*(1 + 500)=128256
再來看看192.168.23.0/24
BW = (10^7/100000)=100
Delay = (100/10)=10
Metric = 256*(100+10)=28160
再來看看R2到R3的192.168.0.0/24, 由於這個網段需要經過next hop 192.168.23.3, 所以BW會R2和R3選最小的, Delay會相加
BW = (10^7/100000)=100
Delay = (100+5000/10)=510
Metric = 256*(100+510)=156160
再來就就是R1去192.168.0.0/24的FD
BW = (10^7/100000)=100
Delay = (100+100+5000/10)=520
Metric = 256*(100+520)=158720
EIGRP offset-list
現在PC2到PC1的路經: PC2 -> R2 -> R1 -> PC1
利用eigrp的offset-list更改路由, PC2 -> R2 -> R3 -> R1 -> PC1
PC1
ip 10.1.1.10/24 10.1.1.1
PC2
ip 20.1.1.10/24 20.1.1.2
R1
int f0/0 no shut ip add 12.1.1.1 255.255.255.0 int f0/1 no shut ip add 13.1.1.1 255.255.255.0 int f1/0 no shut ip add 10.1.1.1 255.255.255.0 router eigrp 1 no auto network 12.1.1.0 0.0.0.255 network 13.1.1.0 0.0.0.255 network 10.1.1.0 0.0.0.255
R2
int f0/0 no shut ip add 12.1.1.2 255.255.255.0 int f0/1 no shut ip add 23.1.1.2 255.255.255.0 int f1/0 no shut ip add 20.1.1.2 255.255.255.0 router eigrp 1 no auto network 12.1.1.0 0.0.0.255 network 23.1.1.0 0.0.0.255 network 20.1.1.0 0.0.0.255
R3
int f0/0 no shut ip add 13.1.1.3 255.255.255.0 int f0/1 no shut ip add 23.1.1.3 255.255.255.0 router eigrp 1 no auto network 13.1.1.0 0.0.0.255 network 23.1.1.0 0.0.0.255
PC1 和 PC2已經可以互ping對方 及使用最低的FD連接
現在用offset-list在R2的f0/0, 面向R1發佈增加metric, 由於這個動作是發佈出去, 所以是out
R2
access-list 1 permit 10.1.1.0 0.0.0.255 router eigrp 1 offset-list 1 out 3000 f0/0
12.1.1.1由原來28160增加3000變成31160比23.1.1.3更低
Cisco Policy Based Routing(PBR)
PC1: 10.0.0.1
Server1: 192.168.5.1
(config)#access-list 100 permit ip host 10.0.0.1 host 192.168.5.1
(config)#route-map PC1toServer1 permit
(config-route-map)# match ip address 100
(config-route-map)# set ip next-hop 172.17.0.1
(config)#int e1/0
(config-if)#ip policy route-map PC1toServer1
# show route-map
route-map PC1toServer1, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 172.17.0.1
Policy routing matches: 9 packets, 540 bytes
#sh ip policy
Interface Route map
Ethernet1/0 PC1toServer1
GNS3 + Ubuntu
sudo add-apt-repository ppa:gns3/ppa sudo apt update sudo apt install gns3-gui gns3-server
sudo dpkg --add-architecture i386 sudo apt update sudo apt install gns3-iou
wget http://www.ipvanquish.com/download/CiscoIOUKeygen3f.py python3 CiscoIOUKeygen3f.py
https://docs.gns3.com/docs/getting-started/installation/linux/
How to generate Cisco IOURC licence key on GNS3 VM with Python 3