Connecting the world…

EIGRP

ISDN Backup – still alive?

Nowadays everybody wants redundancy within their network, especially when using remote sites. Customers are using multiple ISP’s for redundancy and/or configure BGP solutions. In the old days (hear me talking with my 27 years) ISDN was often used for backup purposes and I still use it sometimes as redundancy mechanism. Everybody knows that bandwidth is the main limitation for ISDN connections, but for emergency purposes or for low-bandwidth applications, ISDN could be the ideal backup mechanism.

Lets take a look at the scenario, where two networks (HQ and branch office) are isdn_backupconnected by an IP VPN connection. This connection is the primary channel for communication between the HQ and the branch office. The IP VPN connection is terminated by a Cisco router or something comparable. Both locations also have a backup connection based on ISDN technology. The ISDN connection is also terminated on a Cisco router. You can also terminate both connections on the same router, but to increase the availability you should use separate routers. The IP VPN is preferred over the secondary ISDN connection. Both routers within the same location are configured with HSRP and the IP VPN router is the active gateway for its LAN.

The failover from the primary to the secondary connection should be performed automatically. This requires at least the configuration of a routing protocol. Since I often use Cisco routers, I would configure EIGRP as routing protocol to exchange routing information. You could also choose to use OSPF. Choosing EIGRP or OSPF as the preferred routing protocol could be worth a blog post on its own.

To form an adjacency between to routers, both routers need to be neighbors of each other. I normally configure a GRE tunnel between the two IP VPN routers, so they become “directly connected”. Both IP VPN routers can now exchange routing information. Next I would configure the dial-up connection. Mostly all traffic is directed from the branch office to the HQ, so the branch office would dial the HQ.

The ISDN router could participate in the EIGRP process. If you do so you need to exclude the EIGRP packet from the ISDN interesting traffic to prevent the ISDN connection from dialing to the HQ. There are more choices to make, like letting the ISDN routers form adjacencies when the ISDN connection is active. You can also use floating static routes on the ISDN routers and redistribute these routes into the routing protocol. You can tweak the HSRP operation by using HSRP tracking to promote the ISDN router to the active default gateway, when the IP VPN connection is unavailable.

In my opinion ISDN connections could still be a very valid way to provide a backup connection between two network locations. What is your opinion about this technology?

Redundant DMVPN network

Today I looked at the configuration DMVPN (Dynamic Multipoint VPN). A Dynamic Multipoint Virtual Private Network is an enhancement of the virtual private network (VPN) configuration process of Cisco IOS-based routers. DMVPN prevents the need for pre-configured (static) IPsec peers in crypto-map configurations and ISAKMP peer statements. This feature of Cisco IOS allows greater scalability over previous IPsec configurations. An IPsec tunnel between two Cisco routers may be created on an as needed basis.

I have created a situation with GNS3, where I have two hub routers and one spoke router. This situation creates extra redundancy when connecting to the hub location. There are two ways to configure redundancy in DMVPN:

  1. Dual hub-dual DMVPN cloud
  2. Dual hub-single DMVPN cloud

In the first scenario the hub routers are connecting to there own DMVPN network. This means that the spoke need to configure two tunnel interfaces to connect to two different DMVPN networks. In the second scenario both hub routers connect to the same DMVPN network. I configured the second scenario using GNS3. The figure below shows my practice setup.

redundant_dmvpn

The configuration from the three routers can be found below.

router R0

key chain authen-hsrp
key 1
key-string hsrp@test
key chain authen-eigrp
key 1
key-string eigrp@test
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key pr3sh@r3d-k3y address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
!
crypto ipsec transform-set stong-ts esp-aes 256 esp-sha-hmac
!
crypto ipsec profile dmvpn
set transform-set strong-ts
set pfs group5
!
interface Tunnel0
ip address 192.168.255.1 255.255.255.0
no ip redirects
ip mtu 1440
ip hello-interval eigp 1024 15
ip hold-time eigrp 1024 45
no ip next-hop-self eigrp 1024
ip authentication mode eigrp 1024 md5
ip authentication key-chain eigrp 1024 authen-eigrp
ip nhrp authentication nhrp@booches
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
no ip split-horizon eigrp 1024
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
description outside
ip address 80.80.10.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description inside
ip address 10.10.13.2 255.255.255.0
duplex auto
speed auto
standby 1 ip 10.10.13.1
standby 1 priority 200
standby 1 preempt
standby 1 authentication md5 key-chain authen-hsrp
!
router eigrp 1024
network 10.10.13.2 0.0.0.0
network 192.168.255.1 0.0.0.0
no auto-summary

router R1

key chain authen-hsrp
key 1
key-string hsrp@test
key chain authen-eigrp
key 1
key-string eigrp@test
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key pr3sh@r3d-k3y address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
crypto ipsec transform-set strong-ts esp-aes 256 esp-sha-hmac
!
crypto ipsec profile dmvpn
set transform-set strong-ts
set pfs group5
!
interface Tunnel0
ip address 192.168.255.2 255.255.255.0
no ip redirects
ip mtu 1440
ip hello-interval eigrp 1024 15
ip hold-time eigrp 1024 45
no ip next-hop-self eigrp 1024
ip authentication mode eigrp 1024 md5
ip authentication key-chain eigrp 1024 authen-eigrp
ip nhrp authentication nhrp@booces
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
no ip split-horizon eigrp 1024
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
description outside
ip address 50.50.1.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description inside
ip address 10.10.13.3 255.255.255.0
duplex auto
speed auto
standby 1 ip 10.10.13.1
standby 1 priority 100
standby 1 preempt
standby 1 authentication md5 key-chain authen-hsrp
!
router eigrp 1024
network 10.10.13.3 0.0.0.0
network 192.168.255.2 0.0.0.0
no auto-summary

router R3

key chain authen-eigrp
key 1
key-string eigrp@booches
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key pr3sh@r3d-k3y address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 30 periodic
!
crypto ipsec transform-set strong-ts esp-aes 256 esp-sha-hmac
!
crypto ipsec profile dmvpn
set transform-set strong-ts
set pfs group
!
interface Tunnel0
ip address 192.168.255.3 255.255.255.0
no ip redirects
ip mtu 1440
ip hello-interval eigrp 1024 15
ip hold-time eigrp 1024 45
ip authentication mode eigrp 1024 md5
ip authentication key-chain eigrp 1024 authen-eigrp
ip nhrp authentication nhrp@booches
ip nhrp map multicast dynamic
ip nhrp map 192.168.255.1 80.80.10.2
ip nhrp map multicast 80.80.10.2
ip nhrp map 192.168.255.2 50.50.1.3
ip nhrp map multicast 50.50.1.3
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs 192.168.255.1
ip nhrp nhs 192.168.255.2
no ip route-cache cef
no ip route-cache
no ip mroute-cache
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile dmvpn shared
!
interface FastEthernet0/0
description outside
ip address 40.40.10.4 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
description inside
ip address 192.168.1.1 255.255.255.0
speed auto
duplex auto
!
router eigrp 1024
network 192.168.1.1 0.0.0.0
network 192.168.255.3 0.0.0.0
no auto-summary

I configured EIGRP authentication as an extra feature. This setup was configured with GNS3, so I guess it needs more tweaking to implement it in a real network. It should however provide a solid base for configuring a redundant DMVPN solution.

Troubleshooting EIGRP

To troubleshoot EIGRP you should obvious have a grasp understanding of the specific routing protocol. Of course this doesn’t only apply to the EIGRP routing protocol.

Troubleshooting the EIGRP routing protocol on a Cisco devices is mainly about logging the correct information to a syslog server, the buffer or the console and know what the output of several show commands mean.

Neighbor instability on a router has mostly one of the following reasons:

  • Holding time expired;
  • Retry limit exceeded;
  • Manual changes like route filter changes;
  • Unidirectional links;
  • Primary / secondary IP address mismatch (EIGRP uses the primary IP address);
  • Routes get Stuck-in-Active aka SIA (“Active” means recovering from a change in the network, for example flapping links). Routes can get SIA by the following reasons: bad or congested links, query range is “too long”, excessive redundancy, overloaded router, router memory shortage and so one;

Many problems with EIGRP appear when using external routes, like redistributing a routing protocol like OSPF into EIGRP. The most common cause of this problem is the absence of setting the metrics. Important when using the redistribute command is specifying the metrics with the default-metric <metric> or redistribute <protocol> metric <metric> command.

Black Hole Summary Routing is also a common problem when using EIGRP. Black Hole Summary Routing is caused when manual summary routes are configured.

BHR

The picture shows a case of Black Hole Routing. Routers A and B summary the different /24 networks as one /16 network to router X. Suddenly the link between router A and router C gets lost. Because we used summarization between router A and router X, router X isn’t aware of the lost link, so router X keeps sending traffic for network 10.1.1.0/24 to router A and router B ((un)equal cost load-balancing). All traffic send to router A would get lost in the process.

A solution to this problem is connecting routers A and B by using a physical link or creating a GRE tunnel between both, if the physical links isn’t possible.

As mentioned before, troubleshooting the routing protocol can be done by using the correct show, logging and debug commands. Important commands for troubleshooting EIGRP are:

  • show ip eigrp neighbors: for checking neighbors, hold timers, uptime, Smooth Round Trip Timer (SRTT) and Retransmit Time Out (RTO);
  • show ip eigrp topology active: used for noticing if route is SIA;
  • show ip eigrp events: check what EIGRP events are going on;
  • RTR(config-router)#eigrp-log-neighbor-changes;
  • RTR(config-router)#logging buffered <size>;
  • debug eigrp packet hello: showing the processing of hello packets;
  • debug eigrp packet terse: shows all EIGRP packet debugging except hellos;
  • debug ip eigrp notifications: troubleshooting redistribution by showing what happens between EIGRP and the routing table as routes are redistributed;

Troubleshooting a routing protocol can only be done if you know what the protocol is actually doing. When troubleshooting it is necessary to know the correct way to troubleshoot and start exempting possibilities for the routing problems. Exempting possibilities narrows the scope, which can result in finding the actual problem.