This is a follow up netlab article about EXOS ESRP simple setup configuration. The prerequisite is the EXOS ESRP simple setup. In this blog entry 2 new OSPF are added to the network topology, RS1 and RS2, OSPF configuration is added to all routers in the network topology. RS5 is only a switch, nothing is added there. OSPF configuration is added to verify how this vendor described ESRP design is behaving having fully working network topology. This is the simplest EXOS ESRP setup scenario taken from of the Extreme Networks official documentation.
Once again I want to mention this is a blind configuration, I have no experience at all with ESRP, just being curious to see this networking example and learn about EXOS ESRP configuration and operation and how quickly it converges using this example.
network topology
OSPF configuration is added to all topology routers, on top of already running and configured ESRP article from previous blog entry.
| sysName | ospf router-id |
|---|---|
| RS1 | 1.1.1.1 |
| RS2 | 2.2.2.2 |
| RS3 | 5.5.5.5 |
| RS4 | 5.5.5.5 |
Network topology showing relevant IP and OSPF settings:
1.1.1.1 2.2.2.2
+-------+ +-------+
| | 12 12 | |
| RS1 |-----------------------------------| RS2 |
| | | |
+-------+ +-------+
10 | | 10
| (OSPF) |
| |
| |
5.5.5.5 5.5.5.5
+-------+ +-------+
| | 3 3 | |
| RS3 +-----------------------------------+ RS4 |
| | | |
+---+---+ +---+---+
1 | | 1
| ESRP VR1 |
| 10.1.2.3 |
| |
| +-------+ |
| | | |
+-----------------+ RS5 +-----------------+
| |
+-+---+-+
| |
+-------------+ +-------------+
| eth0 eth0 |
+---+---+ +---+---+
| | | |
| node1 | | node2 |
| | | |
+-------+ +-------+
Added port numbers to the network topology above to have a overview how routers are connected in case someone wants to test it by yourself.
EXOS version
EXOS version used in this netlab:
Card Partition Installation Date Version Name Branch ------------------------------------------------------------------------------ Switch primary Thu Jan 16 13:06:22 UTC 2025 32.7.2.19 rescue.xos 32.7.2.19 Switch secondary Thu Jan 16 13:06:22 UTC 2025 32.7.2.19 rescue.xos 32.7.2.19
FHRP protocols are my least favourite topic. Knowing VRRP and HSRP and little of GLBP from configuration and operating side, i have been curious about the EXOS ESRP (FHRP) protocol. Never seen it in action or had the chance to configure it. The FHRP protocol family are most vendor specific and use vendor proprietary protocols. VRRP is the only FHRP protocol that is available on every other networking vendors hardware and software. But VRRP is not the topic here.
This is the simplest EXOS ESRP setup scenario taken from of the Extreme Networks official documentation
This is a rookie netlab, I have never configured ESRP before. So if you spot obvious errors, please write me an email, I will try to correct these.
Network topology
The ESRP configuration example shows a network topology is like following:
+-------+ +-------+
| | | |
| RS1 |-----------------------------------| RS2 |
| | | |
+-------+ +-------+
| |
| (OSPF or RIP) |
| |
routerid routerid
5.5.5.5 5.5.5.5
+-------+ +-------+
| | | |
| RS3 +-----------------------------------+ RS4 |
| | | |
+---+---+ +---+---+
| |
| ESRP VR1 |
| 10.1.2.3 |
| |
| +-------+ |
| | | |
+-----------------+ RS5 +-----------------+
| |
+-+---+-+
| |
+-------------+ +-------------+
| eth0 eth0 |
+---+---+ +---+---+
| | | |
| node1 | | node2 |
| | | |
+-------+ +-------+
The network topology is named Single ESRP Domain Using Layer 2 and Layer 3 Redundancy. OSPF or RIP configuration on RS1/RS2 are not part of the example configuration. This is a ESRP only setup example only.
The network topology above is the simpler version of the one shown on the official vendors website.
EXOS version
This is the EXOS version used in this netlab:
Card Partition Installation Date Version Name Branch ------------------------------------------------------------------------------ Switch primary Thu Jan 16 13:06:22 UTC 2025 32.7.2.19 rescue.xos 32.7.2.19 Switch secondary Thu Jan 16 13:06:22 UTC 2025 32.7.2.19 rescue.xos 32.7.2.19
The most recent image that is available from the official Extreme Networks github repository.
This is the second Huawei VRP segment routing blog post, I never configured SRv6 using this particular router platform, here VRP. Everything is configured from scratch using availbe documentation ressources from 2 different competing routing vendors. The networking topology is taken out of the BRKSPG-2203 Cisco's SRv6 uSID Cisco Live presentation, using the Huawei's NE5000E virtual GNS3 appliance.
Huawei calls its SRv6 implementation SRv6 BE, the BE stands for best effort, but it is SRv6. Best effort is a configuration command found and used in the VRP operating system:
segment-routing ipv6 best-effort
The command is part of the the VRP bgp configuration section.
The network topology and its IP addressing is taken out of the the Cisco's BRKSPG 2203 presentation linked at the bottom in the references part end of the blog entry. Did not find any VRP documentation about the usage and configuration of uSID F3216 in the official Huawei documentation. Configuring a IPv6 link-local SRv6 locator works and the network topology forwards IP packets form end to end just fine. There is no debugging and protocol analysing included, it was hard enough to gather all the information available and build this network topology. If you find errors write me an email, and I will try to correct these spotted errors.
The configurations shown work. Configurations can be copy pasted and will result immediately in a IPv4 forwarding SRv6 topology.
Huawei Versatile Routing Platform Software VRP (R) software, Version 8.180 (NE5000E V800R011C00SPC607B607) Copyright (C) 2012-2018 Huawei Technologies Co., Ltd. HUAWEI NE5000E uptime is 0 day, 2 hours, 48 minutes SVRP Platform Version 1.0
VRP version used in this SRv6 netlab running on all provider routers.
Network topology
PE2
|
|
PE1 -- P1 -- PE3
|
|
RRv6
The network topology is the same as in the previous blog entry except there is no migration implemented from LDP to SRv6. I did not bother cluttering the example and configured the final SRv6 state. The RRv4 BGP route reflector has been lef out of the example to make it more easy to follow. There is no migration path from LDP to SRv6 shown. Additionally the IPv6 addressing is_slightly adjusted for few routers to make it more easy to recognize and follow, once it is running.
| Router | IPv6 Loopack0 | SRv6 locator | NSAP address |
|---|---|---|---|
| P1 | A::1.2.3.4 | (none) | 49.0001.1234.1234.1234.00 |
| PE1 | A::1 | FCBB:0:1::/48 | 49.0001.1111.1111.1111.00 |
| PE2 | A::2 | FCBB:0:2::/48 | 49.0001.2222.2222.2222.00 |
| PE3 | A::3 | FCBB:0:3::/48 | 49.0001.3333.3333.3333.00 |
| RRv6 | A::6 | (none) | 49.0001.6666.6666.6666.00 |
Having never configured and netlab-ed Huawei's VRP, i have been courios if this operating system supports SR-MPLS and how it is documented. This netlab uses a 6 years old VRP NE40 appliance to find this out. At the point of writing and constructing this netlab I had no information about the state of implementation of SR MPLS on VRP operating system. This is the 2nd version of the netlab. The 1-st netlab which is not documented here in my blog used the CE12800 GNS3 appliance to find it out, and failed horribly. Use a NE40 Huawei router appliance for this GNS3 setup, or any router appliance you have available. The CE Huawei appliance does not work, actually it can be setup and configured to have SR-MPLS, but the IP forwarding or label switching using SR-MPLS using the CE12800 switches fails.
Huawei nomenclature uses:
- NE - NetEngine - router platform
- CE - CloudEngine - switch platform
The CE term used here in this blog entry, when used means Customer Edge router, not CloudEngine.
This is plane SR-MPLS configuration using the Huawei's NE40 router. Trying to find out how far the Segment Routing is supported among all big router vendors. And if I am lucky maybe the SRv6 for IPv4 and IPv6 if I get it working, but this will be explained in a separate blog entry. This netlab will be know for experienced network engineers using the old-school (now deprecated) LDP protocol, here LDP is replaced with SR-MPLS.
NE40 image supports SR-MPLS out of the box. This is the version used over here in GNS3:
Huawei Versatile Routing Platform Software VRP (R) software, Version 8.180 (NE40E V800R011C00SPC607B607) Copyright (C) 2012-2018 Huawei Technologies Co., Ltd. HUAWEI NE40E uptime is 0 day, 0 hour, 8 minutes SVRP Platform Version 1.0
If you happen to build this network topology use routers, not switches.
Network topology
The topology is a star topology, all links are point to point using /31 IPv4 addressing:
PE2
|
|
PE1 -- P1 -- PE3
|
|
RRv4
IPv4 loopback0 address overview plus the according SR index, or MPLS label index and IS-IS NSAP addressing overview:
| Router | IPv4 Loopack0 | SR MPLS index | NSAP address |
|---|---|---|---|
| P1 | 1.2.3.4 | 1234 | 49.0001.1234.1234.1234.00 |
| PE1 | 1.1.1.1 | 1 | 49.0001.1111.1111.1111.00 |
| PE2 | 2.2.2.2 | 2 | 49.0001.2222.2222.2222.00 |
| PE3 | 3.3.3.3 | 3 | 49.0001.3333.3333.3333.00 |
| RRv4 | 4.4.4.4 | 4 | 49.0001.4444.4444.4444.00 |
All PE routers have internal BGP neighorship to the BGP route reflector.
Recent lostintransit.de blog post called Adding Arista switch to CML was a source of inspiration to the vEOS running in GNS3. The vEOS appliance runs in QEMU/KVM in GNS3. Follow lostintransit's instructins to download the Aboot and vEOS images from Arista's download portal to run. Arista offers free vEOS downloads after a email registration.
Information might be useful to other GNS3 users tinkering in GNS3 with the vEOS appliance installation starting. Having booting issues myself right at the start found following GNS3 community discussion thread called - Arista vEOS Fails to boot. This thread gives a generic overview which GNS3 appliance configuration settings are mandatory to get the installation routine of vEOS in GNS3/QEMU in first place.
QEMU vEOS installation requires having a Aboot as CDROM, and target HDD available at boot time, in the correct sequence.
Local application versions running:
GNS3
QEMU
QEMU emulator version 9.0.2 Copyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers
In previous VyOS post Using freeRtr AAA daemon for VyOS the TACACS+ support has been added at that time, middle of the year 2023. The netlab explains the VyOS RADIUS Authentication and Authorisation method. The RADIUS service runs on a freeRtr appliance. A year later the rolling releases of VyOS include a working TACACS+ prototype.
Knowing that the VyOS TACACS+ support has been added a year ago, suspecting there is not much yet there. But for simple authentication and most simple authorization the building block should be already there.
Terms
Using term server in this context is problematic and leads to misunderstanding. These are the technical terms used here. The AAA TACACS+ server will be referred as AAA daemon:
| Term | Function |
|---|---|
| daemon | AAA TACACS+NG server (tac_plus-ng) |
| NAC | Client or NAC (SSH client) |
| NAS | Device or NAS or NAD (VyOS) |
Since a NAS is sometimes referred to as a server, and a daemon is also often referred to as a server, the term server has been avoided here in favor of the less ambiguous terms NAS and Daemon.
IP addressing
Basic setup. One broadcast domain, network topology with following IP addressing:
| Node | Function | Term | IP address |
|---|---|---|---|
| node-10 | SSH client | NAC | 10.100.100.10 |
| AAA-1 | TACACS+ daemon | daemon | 192.0.2.1 |
| R180 | VyOS firewall | NAS | 10.100.100.180/24 |
VyOS configuration
This is the image used in the configration process, latest release.
R180 login: vyos Password: Welcome to VyOS! ┌── ┐ . VyOS 1.5-rolling-202406060020 └ ──┘ current vyos@R180:~$ show ver Version: VyOS 1.5-rolling-202406060020 Release train: current Release flavor: generic Built by: autobuild@vyos.net Built on: Thu 06 Jun 2024 03:11 UTC ...
IP setup
Basic configration to have reachability and make VyOS managable using SSH:
config
set system host-name R180
set interfaces ethernet eth1 address 10.100.100.180/24
set protocols static route 0.0.0.0/0 next-hop 10.100.100.1
set service ssh
commit
save
Reachability established.
TACACS+ configuration
The TACACS+ configuration is short and simple
- daemon IP and key
- daemon TCP/IP port
- NAS source interface
Configurations commands to get TACACS+ support working:
config
set system login tacacs server 192.0.2.1 key '123-my_tacacs_key'
set system login tacacs server 192.0.2.1 port '49'
set system login tacacs source-address '10.100.100.180'
commit
save
MACsec linux configuration using iproute2.
This is how configure the MACsec IEEE 802.1AE using linux standard toolkit iproute2. Unlike a RFC, the IEEE 802.1AE is a technical standard. MACsec was standardised in 2006 by IEEE (standard IEEE 802.1AE-2006). Using MACsec frames are switched using secure channels SC supported by secure associations SA. Each secure associations SA uses a separate randomly generated key.
The ip macsec command subset is used to configure transmit secure associations and receive secure channels and their secure associations on a MACsec device created with the ip link add command using the macsec type. The ip macsec implementation came to linux in around the year 2016 and has been implemented by Sabrina Dubroca.
Network topology
Network topology with IP addressing:
+-------+ +-------+
| | eth0 eth0 | |
| C1 +-----------------------------------+ C2 |
| | .1 .2 | |
+-------+ ::a ::b +-------+
2 linux nodes. Point to point network. Linux nodes are directly connected. Basic setup. Both nodes are connected using the eth0 NIC.
IP addressing:
IP addressing is attached to the macsec0 interface:
- C1 - macsec0 - 192.0.2.1/30 - 2001:db8::a/127
- C2 - macsec0 - 192.0.2.2/30 - 2001:db8::b/127
PCAP
A random packet dump will show following sequence of headers, when using A ICMP ping test:
- Frame
- Ethernet II
- Internet Protocol
- ICMP [...]
The MACsec packet dump will show following sequence of headers. This is the same ICMP output:
- Frame
- Ethernet II
- 802.1AE Security tag (SecTAG)
- Data (payload) [...]
- Physical Source/DestinationMAC address between both endpoints
- the payload, including ETYPE is encrypted using
GCM-AES - encrypted payload put between the
SecTAGandICV. - MACsec sends frame using own ethernet type ETYPE
0x88E5