IP Mobility Quick and Dirty

LAM: Local Area Mobility

Overview: Lets one or more IP addresses be used on a subnet other than their home subnet. Essentially, a host addressed 10.0.0.1 can be plugged into a 172.16.0.0/24 segment and keep 10.0.0.1: the router learns the host from its ARP traffic and advertises a /32 host route for it.

Pros: Easy to set up. IP addresses can move between subnets.

Cons: Did not work on the 4500 L3 switches running cat4500e-ENTSERVICES-M, Version 12.2(54)SG. 6500 switches have not been tested. Any device on a mobility-enabled interface can claim any address in the configured mobility range: plug in a host with whatever IP address you want inside that range and the router installs and advertises a host route for it, with nothing authenticating the claim. The standard ACL on ip mobile arp limits the address range that is treated as mobile, but not which hosts may claim an address inside it.

Limitations: Do not move the IP address more than once per second. Potential additional load on the routers (each mobile host adds a /32 route and ARP keepalive state). The router that learns the mobile client advertises a /32 host route for it, and redistribution carries that host route into the rest of the routing domain.


Configuration:

Router(config)# router mobile

Router(config)# interface GigabitEthernet0/0

Router(config-if)# ip mobile arp access-group 10

Router(config)# access-list 10 permit 10.10.10.0 0.0.0.255

What this does:

  1. Enables mobile routing on the router (router mobile)
  2. Enables LAM on the inside interface; the router installs a host route for any off-subnet address it sees ARPing on that interface
  3. Restricts the addresses that may be treated as mobile to 10.10.10.0/24 via access-list 10; ARP from addresses outside the list is ignored

Configuration (Redistribute Mobile Routes):

Router(config)#router bgp 1

Router(config-router)#redistribute mobile

Router(config)#router eigrp 1

Router(config-router)#redistribute mobile metric 10 2000 255 1 1500

Without a route-map or distribute-list on the redistribution, every /32 the router learns, including one for an address a rogue host has claimed, is advertised to the whole routing domain; filter the redistribution to the expected mobile range.

Verification:

Router#sh ip route mobile

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 73 subnets, 7 masks
M        10.10.10.213/32 [3/1] via 10.10.10.213, 19:46:26, GigabitEthernet0/0

Router#sh ip int bri

Interface IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0    172.16.0.250   YES NVRAM up                    up

Router#sh ip mobile int

IP Mobility interface information:
Interface GigabitEthernet0/0:
IRDP (includes agent advertisement) disabled
Prefix Length not advertised
Lifetime is 36000 seconds
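Because any host on the mobility interface can claim an address inside the permitted range, the mobile host routes are worth checking against an inventory rather than just confirming the one you expect is there. The Python below is an added example, not part of the original page: it parses show ip route mobile output (the constructed sample reuses the line format shown above, with two extra routes added for the demonstration) and flags /32s that fall outside the configured mobile range or belong to no host in a hypothetical list of addresses expected to roam.

```python
import ipaddress
import re

# Constructed sample in the format of "show ip route mobile" shown above:
# the page's real host plus two extra routes added for the demonstration.
SAMPLE_ROUTE_OUTPUT = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 73 subnets, 7 masks
M        10.10.10.213/32 [3/1] via 10.10.10.213, 19:46:26, GigabitEthernet0/0
M        10.10.10.1/32 [3/1] via 10.10.10.1, 00:00:12, GigabitEthernet0/0
M        10.20.30.5/32 [3/1] via 10.20.30.5, 00:01:02, GigabitEthernet0/0
"""

# Hypothetical inventory: the only addresses that are allowed to roam.
EXPECTED_MOBILE_HOSTS = {"10.10.10.213"}

# The range permitted by access-list 10 in the configuration above.
MOBILE_RANGE = ipaddress.ip_network("10.10.10.0/24")

# One IOS "M" route line: prefix, [AD/metric], next hop, age, interface.
MOBILE_ROUTE_RE = re.compile(
    r"^M\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<nexthop>\d+(?:\.\d+){3}),\s+(?P<age>\S+),\s+(?P<intf>\S+)"
)


def parse_mobile_routes(text):
    """Return one dict per mobile (M) route found in the routing table output."""
    routes = []
    for line in text.splitlines():
        m = MOBILE_ROUTE_RE.match(line)
        if not m:
            continue  # legend, summary and non-mobile lines are ignored
        routes.append({
            "prefix": ipaddress.ip_network(m["prefix"]),
            "nexthop": ipaddress.ip_address(m["nexthop"]),
            "age": m["age"],
            "intf": m["intf"],
        })
    return routes


def audit_mobile_routes(routes, expected_hosts, mobile_range):
    """Flag mobile host routes the network design does not account for.

    LAM installs a /32 for whatever address a host ARPs with, so a route
    outside the ACL range, or for an address nobody expects to roam, is
    either a misconfiguration or a host claiming an address it should not.
    """
    findings = []
    for r in routes:
        host = r["prefix"].network_address
        if r["prefix"].prefixlen != 32:
            findings.append(f"{r['prefix']}: mobile route that is not a /32")
            continue
        if host not in mobile_range:
            findings.append(
                f"{host}: outside mobile range {mobile_range} on {r['intf']}"
            )
        elif str(host) not in expected_hosts:
            findings.append(
                f"{host}: unexpected mobile host on {r['intf']} (up {r['age']})"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_mobile_routes(
        parse_mobile_routes(SAMPLE_ROUTE_OUTPUT), EXPECTED_MOBILE_HOSTS, MOBILE_RANGE
    ):
        print(finding)
```

Run it against the real command output from each router that has ip mobile arp enabled; a /32 for the home subnet's gateway address, as in the 10.10.10.1 sample line, is the case to treat as a hijack rather than a stray client.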


Real World Application-

Ability to easily move Virtual Machines to another site or subnet without the need to Re-IP them.

VPN Quick Mode Failed

Error Message-

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at X.X.X.X

Common Debug Commands-

debug crypto isakmp

debug crypto engine

debug crypto ipsec

On a busy router, scope the output first with debug crypto condition peer ipv4 X.X.X.X so that only the failing peer is logged, and turn everything off with undebug all when done.

Results from the debugs (the IPSEC(...) lines are produced by debug crypto ipsec)-

Jul 20 17:08:50: map_db_find_best did not find matching map
Jul 20 17:08:50: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.0.1
Jul 20 17:08:50: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.0.0.1, remote= 192.168.0.1,
local_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

What this means-

The proxy identities the peer proposed (local_proxy is the network the peer believes sits behind this router, remote_proxy is the network behind the peer) match no entry in any crypto map on this router. The usual cause is that the crypto ACLs on the two peers are not mirror images of each other; the same message also appears when the crypto map is not applied to the interface that owns the local address, so check that first.

For Instance-

RTR1

access-list encrypt permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

RTR2

access-list encrypt permit ip 192.168.0.0 0.0.0.255 10.0.1.0 0.0.0.255

These two access lists are not mirror images of each other (RTR1 encrypts traffic from 10.0.0.0/24, while RTR2 expects 10.0.1.0/24 behind RTR1), so the Quick Mode proposal fails with the error message above.
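Read the proxy identities in the debug as the peer's crypto ACL seen from this side: the ACE this router needs is permit ip <local_proxy> <remote_proxy>, with each network mask converted to an IOS wildcard. The Python below is an added example, not from the original page; it extracts those identities from the debug text (a constructed snippet of the lines shown above), compares them with a hypothetical ACE taken from RTR1 in the example, and prints the ACE that would match the proposal. It handles only plain permit ip entries with wildcard masks, which is all the page's example uses.

```python
import ipaddress
import re

# Constructed sample: the proxy identity lines from the debug output above.
DEBUG_SNIPPET = """\
(key eng. msg.) INBOUND local= 10.0.0.1, remote= 192.168.0.1,
local_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
"""

# Hypothetical: the crypto ACL on our router, in the page's shorthand form (RTR1).
OUR_CRYPTO_ACL = "access-list encrypt permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255"

# local_proxy / remote_proxy as printed by debug crypto ipsec: addr/mask/proto/port.
PROXY_RE = re.compile(
    r"(?P<side>local|remote)_proxy=\s*(?P<addr>[\d.]+)/(?P<mask>[\d.]+)"
    r"/(?P<proto>\d+)/(?P<port>\d+)"
)

# A single "permit ip <src> <wildcard> <dst> <wildcard>" entry (the only form handled).
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<swc>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dwc>[\d.]+)"
)


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (0 bits must match) to a network; 0.0.0.0 means a single host."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}")


def parse_proxies(debug_text):
    """Map 'local'/'remote' to the networks the peer proposed for this SA."""
    proxies = {}
    for m in PROXY_RE.finditer(debug_text):
        # the debug prints a real subnet mask here, which ipaddress accepts directly
        proxies[m["side"]] = ipaddress.ip_network(f"{m['addr']}/{m['mask']}")
    if set(proxies) != {"local", "remote"}:
        raise ValueError("debug text does not contain both proxy identities")
    return proxies


def parse_ace(line):
    """Return (source network, destination network) from a crypto ACL entry."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    return (
        wildcard_to_network(m["src"], m["swc"]),
        wildcard_to_network(m["dst"], m["dwc"]),
    )


def required_ace(proxies, acl_name="encrypt"):
    """The ACE this side needs to accept the proposal: local_proxy -> remote_proxy."""
    local, remote = proxies["local"], proxies["remote"]
    return (
        f"access-list {acl_name} permit ip "
        f"{local.network_address} {local.hostmask} "
        f"{remote.network_address} {remote.hostmask}"
    )


def diagnose(debug_text, our_ace):
    """Compare what the peer proposed with what we encrypt; return the mismatches."""
    proxies = parse_proxies(debug_text)
    src, dst = parse_ace(our_ace)
    problems = []
    if src != proxies["local"]:
        problems.append(f"source: we encrypt {src}, peer proposes {proxies['local']} behind us")
    if dst != proxies["remote"]:
        problems.append(f"destination: we encrypt {dst}, peer proposes {proxies['remote']} behind it")
    return problems


if __name__ == "__main__":
    for problem in diagnose(DEBUG_SNIPPET, OUR_CRYPTO_ACL):
        print(problem)
    print("ACE that would match:", required_ace(parse_proxies(DEBUG_SNIPPET)))
```

For the debug on this page the script reports both halves as mismatched (10.0.0.0/24 versus the proposed 10.0.1.0/24, and 192.168.0.0/24 versus the proposed 192.168.0.0/16). Whether to change this side's ACL to the printed ACE or to ask the other team to change theirs is a design question; the point is that the debug already tells you exactly which networks the peer is configured for.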

Real World Application-

When working with a team at another company, miscommunication will occur, and with something as simple yet unforgiving as a VPN tunnel, mistakes will be made. The debug output above shows exactly which networks the other side has configured, so you can tell the other team precisely what to correct, or, where the error is on your side, fix it yourself.
