Monday, 3 September 2012
Steering the traffic into VPN
For lab purposes, I use a router in place of the URL_FILTERING_SERVER.
The policy I place on R4 and R5 is to force the customers' HTTP traffic through URL_FILTERING_SERVER; all other traffic should take the normal forwarding path.
R1 Config
! Loopback0 was not in the original listing; 1.1.1.1/32 is inferred from the
! "update-source Loopback0" line below and R3's "neighbor 1.1.1.1" statement.
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/1
ip address 192.168.19.1 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip ospf 1 area 0
!
router ospf 1
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 1
neighbor 3.3.3.3 update-source Loopback0
neighbor 3.3.3.3 next-hop-self
neighbor 192.168.19.9 remote-as 9
no auto-summary
R2 Config
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet0/1
ip address 192.168.26.2 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet1/0
ip address 192.168.23.2 255.255.255.0
ip ospf 1 area 0
!
router ospf 1
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 1
neighbor 3.3.3.3 update-source Loopback0
neighbor 3.3.3.3 next-hop-self
neighbor 192.168.19.9 remote-as 9
neighbor 192.168.26.6 remote-as 6
no auto-summary
R3 Config
ip vrf one
rd 1:1
route-target export 1:1
route-target import 1:1
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
ip address 192.168.34.3 255.255.255.0
ip ospf 1 area 0
mpls ip
!
interface FastEthernet0/1
ip address 192.168.35.3 255.255.255.0
ip ospf 1 area 0
mpls ip
!
interface FastEthernet1/0
ip vrf forwarding one
ip address 192.168.3.3 255.255.255.0
!
interface FastEthernet2/0
ip address 192.168.23.3 255.255.255.0
ip ospf 1 area 0
!
router ospf 1
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor rc peer-group
neighbor rc remote-as 1
neighbor rc update-source Loopback0
neighbor rc route-reflector-client
neighbor 1.1.1.1 peer-group rc
neighbor 2.2.2.2 peer-group rc
neighbor 4.4.4.4 peer-group rc
neighbor 5.5.5.5 peer-group rc
no auto-summary
!
address-family vpnv4
neighbor rc send-community extended
neighbor rc route-reflector-client
neighbor 4.4.4.4 activate
neighbor 5.5.5.5 activate
exit-address-family
!
address-family ipv4 vrf one
default-information originate
no synchronization
network 0.0.0.0
exit-address-family
!
ip route vrf one 0.0.0.0 0.0.0.0 192.168.3.10
R4 Config
ip vrf one
rd 1:1
route-target export 1:1
route-target import 1:1
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
ip address 192.168.34.4 255.255.255.0
ip ospf 1 area 0
mpls ip
!
interface FastEthernet0/1
ip address 192.168.48.4 255.255.255.0
ip policy route-map IN-VRF
ip ospf 1 area 0
!
router ospf 1
!
router bgp 1
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 1
neighbor 3.3.3.3 update-source Loopback0
!
address-family ipv4
redistribute static
neighbor 3.3.3.3 activate
no auto-summary
no synchronization
network 192.168.48.0
exit-address-family
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf one
no synchronization
exit-address-family
!
ip route 8.8.8.8 255.255.255.255 192.168.48.8
!
ip access-list extended HTTP
permit tcp any any eq www
!
route-map IN-VRF permit 10
match ip address HTTP
set vrf one
R5 Config
ip vrf one
rd 1:1
route-target export 1:1
route-target import 1:1
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
ip address 192.168.35.5 255.255.255.0
ip ospf 1 area 0
mpls ip
!
interface FastEthernet0/1
ip address 192.168.57.5 255.255.255.0
ip policy route-map IN-VRF
ip ospf 1 area 0
!
router ospf 1
!
router bgp 1
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 1
neighbor 3.3.3.3 update-source Loopback0
!
address-family ipv4
redistribute static
neighbor 3.3.3.3 activate
no auto-summary
no synchronization
network 192.168.57.0
exit-address-family
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf one
no synchronization
exit-address-family
!
ip route 7.7.7.7 255.255.255.255 192.168.57.7
!
ip access-list extended HTTP
permit tcp any any eq www
!
route-map IN-VRF permit 10
match ip address HTTP
set vrf one
R6 Config
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.26.6 255.255.255.0
!
router bgp 6
no synchronization
bgp log-neighbor-changes
network 6.6.6.6 mask 255.255.255.255
neighbor 192.168.26.2 remote-as 1
no auto-summary
!
ip http server
R7 Config
interface Loopback0
ip address 7.7.7.7 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.57.7 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.57.5
R8 Config
interface Loopback0
ip address 8.8.8.8 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.48.8 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.48.4
R9 Config
interface Loopback0
ip address 9.9.9.9 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.19.9 255.255.255.0
!
router bgp 9
no synchronization
bgp log-neighbor-changes
network 9.9.9.9 mask 255.255.255.255
neighbor 192.168.19.1 remote-as 1
no auto-summary
!
ip http server
URL_FILTERING_SERVER Config
interface FastEthernet1/0
ip address 192.168.1.10 255.255.255.0
!
interface FastEthernet2/0
ip address 192.168.3.10 255.255.255.0
ip access-group HTTP in
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended HTTP
permit tcp any any eq www
Verification
-To test whether HTTP traffic sourced from the customer routers passes through the filter server, I write an ACL that matches HTTP packets and apply it on the filtering server, and I configure R6 and R9 as HTTP servers.
Then I check whether the ACL counters increment when HTTP traffic is generated.
-ICMP packets take the normal forwarding path:
R7#ping 6.6.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/54/92 ms
R7#traceroute 6.6.6.6
1 192.168.57.5 32 msec 12 msec 12 msec
2 192.168.35.3 [MPLS: Label 18 Exp 0] 28 msec 16 msec 20 msec
3 192.168.23.2 36 msec 32 msec 40 msec
4 192.168.26.6 52 msec * 96 msec
-R3 is currently originating a default route into vrf one:
R4#show bgp vpnv4 unicast all
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf one)
*>i0.0.0.0           3.3.3.3                  0    100      0 i
-Before generating HTTP traffic, the HTTP ACL on URL_FILTERING_SERVER shows no matches:
URL_FILTERING_SERVER#show ip access-lists
Extended IP access list HTTP
10 permit tcp any any eq www
-Now generate HTTP traffic and watch the HTTP ACL counters increment:
R7#telnet 6.6.6.6 80
Trying 6.6.6.6, 80 ... Open
exit
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 00:44:45 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 6.6.6.6 closed by foreign host]
URL_FILTERING_SERVER#show ip access-lists
Extended IP access list HTTP
10 permit tcp any any eq www (18 matches)
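The following Python is an added example, not part of the original post and not an IOS tool. It models the two things the lab relies on: the classification done by route-map IN-VRF (match ip address HTTP / set vrf one) on the R4 and R5 customer-facing interfaces, and the before/after comparison of the HTTP ACL counters on URL_FILTERING_SERVER. The ACL text and the two show ip access-lists outputs are copied from this page; the sample packets and the PORT_NAMES table are constructed for the demonstration. It also makes a caveat visible that the counters alone do not show: permit tcp any any eq www matches only on destination port 80, so the reply direction from the HTTP server (source port 80) does not match the route-map and follows the global table, which means the filter sees only the client-to-server half of each connection.

```python
import ipaddress
import re

# Constructed subset of the port keywords IOS accepts after "eq"; the lab only uses "www".
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Assumes a contiguous wildcard mask, which is all this lab needs."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    prefixlen = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; returns (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), tokens[2:]
    return None, tokens


def parse_extended_acl(text):
    """Parse the permit/deny lines of an 'ip access-list extended' block, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, '!' separator or blank
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def acl_permits(entries, pkt):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if ipaddress.ip_address(pkt["src"]) not in src:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in dst:
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action == "permit"
    return False


def pbr_lookup_table(entries, pkt):
    """Model of 'route-map IN-VRF permit 10 / match ip address HTTP / set vrf one'
    applied with 'ip policy route-map IN-VRF': packets the ACL permits are looked
    up in vrf one, everything else falls through and is routed in the global table."""
    return "vrf one" if acl_permits(entries, pkt) else "global"


# 'show ip access-lists' entry line; IOS omits "(N matches)" until an entry has matched.
_COUNTER_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) matches\))?\s*$")


def acl_match_counts(show_output):
    """Map ACL sequence number -> match count from 'show ip access-lists' output."""
    counts = {}
    for line in show_output.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counts[int(m.group(1))] = int(m.group(4) or 0)
    return counts


def counter_delta(before, after):
    """Per-entry increase between two snapshots of the counters."""
    return {seq: after.get(seq, 0) - before.get(seq, 0) for seq in after}


# ACL text and counter outputs as they appear on the page.
HTTP_ACL = "ip access-list extended HTTP\n permit tcp any any eq www\n"
BEFORE = "Extended IP access list HTTP\n    10 permit tcp any any eq www\n"
AFTER = "Extended IP access list HTTP\n    10 permit tcp any any eq www (18 matches)\n"

# Constructed packets: R7's HTTP request to R6, R6's reply, and R7's ping to R6.
REQUEST = {"proto": "tcp", "src": "7.7.7.7", "dst": "6.6.6.6", "sport": 40000, "dport": 80}
REPLY = {"proto": "tcp", "src": "6.6.6.6", "dst": "7.7.7.7", "sport": 80, "dport": 40000}
PING = {"proto": "icmp", "src": "7.7.7.7", "dst": "6.6.6.6"}


def demo():
    entries = parse_extended_acl(HTTP_ACL)
    return {
        "request": pbr_lookup_table(entries, REQUEST),
        "reply": pbr_lookup_table(entries, REPLY),
        "ping": pbr_lookup_table(entries, PING),
        "delta": counter_delta(acl_match_counts(BEFORE), acl_match_counts(AFTER)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the request going to vrf one, while both the ICMP echo and the HTTP reply stay in the global table; the counter delta of 18 on entry 10 is the same increment the verification above observed.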