When you go back to the beginning, really go back to the beginning…

After having success yesterday with a small-scale Transparent ASA lab, I went back the main topology and tried to get it working.

Still no luck. So I changed the ASA image to a later one, still no luck then changed to an ASAv image, still no luck.

So what is the problem?

Turns out the problem was between the seat and the keyboard.

Because I have spent so long away from this topology, I forgot how it is intended to run. I should have started afresh, and gone through all of my configurations again. Instead, I thought I remembered everything and expected stuff to work.

I completely forgot that the three sites, NY, LA and London, all hinge around a central MPLS core.

The interfaces I was trying to connect on NY1 were configured under a VRF, and as such needed the EIGRP configuration to be VRF-aware.

This will not work:

NY1(config)#do sh run | s router e
router eigrp NY-EIGRP
 !
 address-family ipv4 unicast autonomous-system 100
  !
  topology base
  exit-af-topology
  network 0.0.0.0
  network 128.2.2.0 0.0.0.255
  network 128.2.2.2 0.0.0.0
 exit-address-family
NY1(config)#

Neither will this:

NY1(config)#no router eigrp NY-EIGRP
NY1(config)#router eigrp 100
NY1(config-router)#eigrp router-id 2.2.2.2
NY1(config-router)#network 128.2.2.2 0.0.0.0 
NY1(config-router)#
NY1(config-router)#
NY1(config-router)#do sh ip eigrp neigh     
EIGRP-IPv4 Neighbors for AS(100)
NY1(config-router)#

This does though:

NY1(config-router)#no router eigrp 100
NY1(config)#router eigrp NY-EIGRP
NY1(config-router)#address-family ipv4 vrf 802101 auto 100
NY1(config-router-af)#eigrp router-id 2.2.2.2
NY1(config-router-af)#network 128.2.2.2 0.0.0.0
NY1(config-router-af)#
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 128.2.2.1 (GigabitEthernet0/1) is up: new adjacency
NY1(config-router-af)#
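As an added check that is not from the original post: a small Python lint that reads an IOS running-config and flags EIGRP network statements whose context (global address-family or a vrf address-family) does not match the VRF of the interface they cover, which is exactly the mismatch between the two attempts above. The interface name, VRF and addresses in the sample config are constructed after this post's NY1.

```python
import re
from ipaddress import IPv4Address
ALL = 0xFFFFFFFF
def parse_config(text):
    """Return ([(ifname, ip, vrf)], [(proc, net, wildcard, af_vrf)]) from an IOS config."""
    ifaces, nets = [], []
    cur_if = if_vrf = proc = af_vrf = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # a column-0 line starts a new section
            cur_if = if_vrf = proc = af_vrf = None
            if line.startswith("interface "):
                cur_if = line.split()[1]
            elif line.startswith("router eigrp "):
                proc = line.split()[2]
            continue
        if cur_if:
            if m := re.match(r"(?:ip )?vrf forwarding (\S+)", line):
                if_vrf = m.group(1)
            elif m := re.match(r"ip address (\S+) \S+$", line):
                ifaces.append((cur_if, int(IPv4Address(m.group(1))), if_vrf))
        elif proc:
            if line.startswith("address-family"):   # named mode: remember the VRF, if any
                af_vrf = next(iter(re.findall(r"\bvrf (\S+)", line)), None)
            elif m := re.match(r"network (\S+)(?: (\S+))?$", line):
                net = int(IPv4Address(m.group(1)))
                wc = int(IPv4Address(m.group(2))) if m.group(2) else (  # no wildcard given:
                    ALL if net == 0 else                                   # 0.0.0.0 = match-all,
                    ALL >> 8 * (1 + (net >> 24 >= 128) + (net >> 24 >= 192)))  # else classful
                nets.append((proc, net, wc, af_vrf))
    return ifaces, nets

def find_misplaced_networks(text):
    """Interfaces covered by a 'network' statement whose EIGRP context is in a different VRF."""
    ifaces, nets = parse_config(text)
    return [dict(process=p, interface=n, interface_vrf=iv, eigrp_vrf=av)
            for p, net, wc, av in nets for n, ip, iv in ifaces
            if (ip & ~wc & ALL) == (net & ~wc & ALL) and iv != av]

# Constructed config modelled on the blog's first (non-working) NY1 attempt
BROKEN = """\
interface GigabitEthernet0/1
 vrf forwarding 802101
 ip address 128.2.2.2 255.255.255.0
router eigrp NY-EIGRP
 address-family ipv4 unicast autonomous-system 100
  network 0.0.0.0
  network 128.2.2.2 0.0.0.0
"""
FIXED = BROKEN.replace("ipv4 unicast autonomous-system", "ipv4 unicast vrf 802101 autonomous-system")
```

Running the lint over BROKEN reports both network statements (the global address-family cannot enable EIGRP on a VRF interface, whatever the wildcard), and over FIXED reports nothing.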

It just goes to show that if you are actually starting again, as I am here, then start from the beginning; don’t just try to drop in where you were previously, as vital bits can be missed.

So, this all said and my memory refreshed as to what it is I am supposed to be doing, I should stop fucking about and get the MPLS core finished off so that I don’t get caught again.

This also gives me a great opportunity to plug my MPLS book: if you haven’t read it, go and get it from Amazon!

To get NY1 talking to the MPLS cloud we need to do the following:

NY1(config)#router eigrp NY-EIGRP
NY1(config-router)#address-family ipv4 unicast vrf 802101 autonomous-system 100        
NY1(config-router-af)#topology base 
NY1(config-router-af-topology)#redistribute bgp 1 metric 1000 10 100 1 1500
NY1(config-router-af-topology)#exit
NY1(config-router-af)#exit
NY1(config-router)#router bgp 1
NY1(config-router)#address-family ipv4 vrf 802101
NY1(config-router-af)#redistribute eigrp 100 metric 1
NY1(config-router-af)#

We should give NY2 something to advertise:

NY2(config)#router eigrp 100
NY2(config-router)#network 3.3.3.1 0.0.0.0 
NY2(config-router)#network 3.3.3.2 0.0.0.0
NY2(config-router)#network 3.3.3.3 0.0.0.0
NY2(config-router)#

We can then see these routes on LA1 and LON1:

LA1#sh ip route vrf 802101 | b Gate
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 3 subnets
B        3.3.3.1 [200/1] via 2.2.2.2, 00:01:50
B        3.3.3.2 [200/1] via 2.2.2.2, 00:01:46
B        3.3.3.3 [200/1] via 2.2.2.2, 00:01:43
      128.2.0.0/24 is subnetted, 1 subnets
B        128.2.2.0 [200/0] via 2.2.2.2, 00:04:29
      128.3.0.0/24 is subnetted, 1 subnets
B        128.3.3.0 [200/1] via 2.2.2.2, 00:04:29
      198.240.5.0/24 is variably subnetted, 2 subnets, 2 masks
C        198.240.5.0/30 is directly connected, GigabitEthernet0/0
L        198.240.5.1/32 is directly connected, GigabitEthernet0/0
LA1#

LON1#sh ip route vrf 802101 | b Gate
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 3 subnets
B        3.3.3.1 [200/1] via 2.2.2.2, 00:05:49
B        3.3.3.2 [200/1] via 2.2.2.2, 00:05:45
B        3.3.3.3 [200/1] via 2.2.2.2, 00:05:41
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/1
L        10.1.1.1/32 is directly connected, GigabitEthernet0/1
      128.2.0.0/24 is subnetted, 1 subnets
B        128.2.2.0 [200/0] via 2.2.2.2, 00:08:28
      128.3.0.0/24 is subnetted, 1 subnets
B        128.3.3.0 [200/1] via 2.2.2.2, 00:08:28
LON1#

Let’s set up LON1:

LON1(config)#router ospf 100 vrf 802101 
LON1(config-router)#router-id 10.10.10.10
% OSPF: router-id 10.10.10.10 in use by ospf process 1
LON1(config-router)#int lo1
LON1(config-if)#
LON1(config-if)#ip add 10.10.10.100 255.255.255.255
LON1(config-if)#router ospf 100 vrf 802101
LON1(config-router)#router-id 10.10.10.100             
LON1(config-router)#network 10.1.1.0 0.0.0.255 area 0
LON1(config-router)#red bgp 1 subnets
LON1(config-router)#router bgp 1
LON1(config-router)#address-fam ipv4 vrf 802101
LON1(config-router-af)#red ospf 100
LON1(config-router-af)#

From NY2 we can now reach LON1:

NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 00:00:29, GigabitEthernet0/0
NY2#
NY2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/14/16 ms
NY2#

We can’t get beyond LON1 (into our LON network) as LON-SW is not running OSPF (yet). Let’s set up the LA side:

LA1(config)#router eigrp LA-EIGRP
LA1(config-router)#address-family ipv4 vrf 802101 auto 200
LA1(config-router-af)#eigrp router-id 4.4.4.4
LA1(config-router-af)#network 198.240.5.1 0.0.0.0
LA1(config-router-af)#top base  
LA1(config-router-af-topology)#red bgp 1 metr 1000 10 100 1 1500
LA1(config-router-af-topology)#exi
LA1(config-router-af)#exi
LA1(config-router)#router bgp 1
LA1(config-router)#address-f ipv4 vrf 802101
LA1(config-router-af)#red eigrp 200 metric 1
LA1(config-router-af)#

How does this look?

LON1#sh ip route vrf 802101 | b Gate
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 3 subnets
B        3.3.3.1 [200/1] via 2.2.2.2, 00:21:10
B        3.3.3.2 [200/1] via 2.2.2.2, 00:21:06
B        3.3.3.3 [200/1] via 2.2.2.2, 00:21:02
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/1
L        10.1.1.1/32 is directly connected, GigabitEthernet0/1
      128.2.0.0/24 is subnetted, 1 subnets
B        128.2.2.0 [200/0] via 2.2.2.2, 00:23:49
      128.3.0.0/24 is subnetted, 1 subnets
B        128.3.3.0 [200/1] via 2.2.2.2, 00:23:49
      198.240.5.0/30 is subnetted, 1 subnets
B        198.240.5.0 [200/0] via 4.4.4.4, 00:00:17
LON1#

NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 00:10:18, GigabitEthernet0/0
      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 00:01:24, GigabitEthernet0/0
NY2#ping 198.240.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.240.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms
NY2#

Pretty good!
Let’s get LON-SW into OSPF and then we’ll turn our attention to the LA-FW and multiple contexts.

LON-SW(config)#int lo0
LON-SW(config-if)#ip add 10.10.10.110 255.255.255.255
LON-SW(config-if)#router ospf 100
LON-SW(config-router)#router-id 10.10.10.110
LON-SW(config-router)#network 10.1.1.2 0.0.0.0 area 0
LON-SW(config-router)#
%OSPF-5-ADJCHG: Process 100, Nbr 10.10.10.100 on Vlan10 from LOADING to FULL, Loading Done
LON-SW(config-router)#
LON-SW(config-router)#network 21.38.5.1 0.0.0.0 area 0
LON-SW(config-router)#

Should be reachable from the NY and LA offices now:

NY2#sh ip route eigrp | b Gate
Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
D EX     10.1.1.0 [170/2562816] via 128.2.2.2, 00:22:55, GigabitEthernet0/0
      21.0.0.0/24 is subnetted, 1 subnets
D EX     21.38.5.0 [170/2562816] via 128.2.2.2, 00:00:56, GigabitEthernet0/0
      198.240.5.0/30 is subnetted, 1 subnets
D EX     198.240.5.0 [170/2562816] via 128.2.2.2, 00:14:01, GigabitEthernet0/0
NY2#ping 21.38.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 21.38.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/17/22 ms
NY2#

LA1#sh ip route vrf 802101 | b Gate                                        
Gateway of last resort is not set

      3.0.0.0/32 is subnetted, 3 subnets
B        3.3.3.1 [200/1] via 2.2.2.2, 00:36:43
B        3.3.3.2 [200/1] via 2.2.2.2, 00:36:39
B        3.3.3.3 [200/1] via 2.2.2.2, 00:36:36
      10.0.0.0/24 is subnetted, 1 subnets
B        10.1.1.0 [200/0] via 10.10.10.10, 00:24:44
      21.0.0.0/24 is subnetted, 1 subnets
B        21.38.5.0 [200/2] via 10.10.10.10, 00:02:50
      128.2.0.0/24 is subnetted, 1 subnets
B        128.2.2.0 [200/0] via 2.2.2.2, 00:39:22
      128.3.0.0/24 is subnetted, 1 subnets
B        128.3.3.0 [200/1] via 2.2.2.2, 00:39:22
      198.240.5.0/24 is variably subnetted, 2 subnets, 2 masks
C        198.240.5.0/30 is directly connected, GigabitEthernet0/0
L        198.240.5.1/32 is directly connected, GigabitEthernet0/0
LA1#ping vrf 802101 21.38.5.1      
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 21.38.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/11/15 ms
LA1#
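As an added verification helper that is not from the original post: parse the "show ip route" output above and report, per site, which protocol code and next hop a prefix arrives by, so a gap in the EIGRP/BGP/OSPF redistribution chain shows up as a missing site rather than only as a failed ping. The route-table snippets are trimmed copies of this post's own output; the LON1 copy is from before LON-SW joined OSPF, so it does not yet carry 21.38.5.0.

```python
import re

# One learned-route line of IOS 'show ip route', e.g.
#   B        21.38.5.0 [200/2] via 10.10.10.10, 00:02:50
#   D EX     21.38.5.0 [170/2562816] via 128.2.2.2, 00:00:56, GigabitEthernet0/0
# Connected (C) and local (L) lines have no [AD/metric] and are deliberately skipped.
ROUTE = re.compile(r"^(?P<code>[A-Z]{1,2}(?: EX)?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?"
                   r" \[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\S+),")
SUBNETTED = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)/(\d+) is (?:variably )?subnetted")

def parse_routes(text):
    """Map 'prefix/len' -> (code, AD, metric, next hop). The prefix length comes
    from the preceding 'is subnetted' header when the route line itself omits it."""
    routes, plen = {}, None
    for line in text.splitlines():
        if m := SUBNETTED.match(line):
            plen = m.group(2)
        elif m := ROUTE.match(line):
            pfx = f"{m['prefix']}/{m['plen'] or plen}"
            routes[pfx] = (m["code"], int(m["ad"]), int(m["metric"]), m["nh"])
    return routes

def check_site_reachability(tables, prefix):
    """For each site's table, return (code, next hop) for prefix, or None if absent."""
    return {site: (r[prefix][0], r[prefix][3]) if prefix in r else None
            for site, r in ((s, parse_routes(t)) for s, t in tables.items())}

# Trimmed copies of the route tables shown in this post (constructed sample input)
NY2 = """\
      21.0.0.0/24 is subnetted, 1 subnets
D EX     21.38.5.0 [170/2562816] via 128.2.2.2, 00:00:56, GigabitEthernet0/0
"""
LA1 = """\
      10.0.0.0/24 is subnetted, 1 subnets
B        10.1.1.0 [200/0] via 10.10.10.10, 00:24:44
      21.0.0.0/24 is subnetted, 1 subnets
B        21.38.5.0 [200/2] via 10.10.10.10, 00:02:50
"""
LON1_BEFORE = """\
      198.240.5.0/30 is subnetted, 1 subnets
B        198.240.5.0 [200/0] via 4.4.4.4, 00:00:17
"""
TABLES = {"NY2": NY2, "LA1": LA1, "LON1": LON1_BEFORE}
```

check_site_reachability(TABLES, "21.38.5.0/24") shows NY2 learning it as an EIGRP external via 128.2.2.2, LA1 as iBGP via 10.10.10.10, and LON1 as None, which is the state before the LON-SW OSPF step above.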

Sweet, now let’s get going with some multiple context firewalls!