unRaid and OSX slow directory listing

I have been using an unRaid server for several months now, and it works the way I wanted it to. However, there is one thing that was really annoying: mapping a network drive on my OSX.

At first, I thought it was the unRaid server’s fault, but after several days of tinkering, I found it was my OSX that was slow. In Linux, the folder listing shows up very quickly, and the same with Windows, but not on OSX.

To make this post short, the fix is to go to:

Finder > View > Show view options, then uncheck Show icons preview

That pretty much fixed my slow directory/folder listing for me. I hope this simple fix works for you too.

Cheers!


OpenVPN for Android phone

I am assuming that you already exported the client profile from the OpenVPN server. I am talking about the .ovpn file.

The process is pretty simple. The goal is to import the .ovpn file to the OpenVPN Connect app. Download the OpenVPN Connect app from the Google Play Store. I am lazy, and don’t want to grab the USB cable for my phone.

Now, there are three ways to upload the .ovpn file to an Android phone: via USB, email or a remote access app.

  • USB is pretty straightforward. Just plug it in to your laptop and drag and drop the .ovpn file.
  • Email – you can attach the .ovpn file to an email and send it to yourself. Open the same email on your phone and download the attached .ovpn file. Once downloaded, you will find this .ovpn file in the Download folder: Settings > Storage > Explore > Download. I am using a Google Pixel, so the path might be different compared to yours.
  • Remote access app – I used the app called AirDroid. It is a pretty nice app. You can upload the .ovpn file via a web browser. Just remember the location where you uploaded the .ovpn file. Once the app is open in the web browser, I would upload the .ovpn file to Files > Download
    • Here is a youtube video of AirDroid https://youtu.be/51Dti57Z9IY?t=61

Anyways, so once we got the .ovpn file to our Android phone, we need to import it to OpenVPN Connect app. To do so, open the OpenVPN Connect app and click on the three vertical dots in the upper right corner

 

Figure 1

 

In the menu, select Import > Import Profile from SD card

 

Figure 2

Figure 3

 

Navigate to the location of the .ovpn file. In my case, it will be in the Download folder

 

Figure 4

 

Select the .ovpn file for the android phone then click on Select

 

Figure 5

 

The profile will have a very long name that looks kind of like gibberish. You can rename the profile by tapping on the Notepad icon, then selecting Rename Profile

 

 

Figure 6

Figure 7

 

Enter a name that makes sense to you

 

Figure 8

 

Then that is it

 

Figure 9

 

Cheers!!!

 

 


OpenVPN for OSX desktop client

I guess we can start with Mac. You can use Viscosity for $9. You can also use TunnelBlick, which is what I am going to be using here. Download the latest stable release of TunnelBlick, and install it.

Before we start, make sure that you have exported the client vpn profile from OpenVPN server. I got mine from my OPNsense (see the previous post).

Once the TunnelBlick is installed, open the app and you will be prompted with the Welcome message.

 

Figure 1

Figure 2

After clicking the OK button, the app will be in the menu bar

Figure 3

Click on it then select VPN Details. This will open the app

Figure 4

There are two ways to install the VPN profile. You can either drag and drop the .conf file or right click the .conf file and select TunnelBlick. Either one will install the profile.

You will get a pop-up prompt for the configuration install. Click on Only Me. After this, you may get a prompt to allow the installation by entering the admin user’s credentials.

 

Figure 5

Figure 6

 

Once the profile is installed, then you can connect to the VPN

After installing the config file, you can rename it to any name that makes sense to you by clicking on the cog or gear icon in the lower left corner > Rename configuration.

Once you are connected, you will see the icon change, and if you hover your pointer over the TunnelBlick icon, you will see some data.

This is pretty much it. Cheers!!!


OPNSense as a VPN server

I recently posted about using a Raspberry Pi 3 as an OpenVPN server. It worked great, but I had some issues that I was still trying to fix (at least, at the time of this writing). Basically, I could not get the Internet access working. I mean it works, but I can only get access to some websites or IP addresses.

Therefore, I tried to find some other alternatives that will let me VPN-in using my laptops (MacOS or Linux) and/or mobile devices such as (iPad/iPhone or Android). I found PFsense and OPNsense firewalls. I already have a firewall, so this post is mainly for remote access VPN. Basically, the sole purpose of this OPNsense/PFsense virtual appliance is to be my SSL VPN concentrator.

I am running this VM on my HP N54L micro server just in case you are wondering.

Here is the network topology:

Figure 1

I am assuming that you have OPNsense/PFsense installed and you are able to access its webUI. Also, since I am going to use this at home, I’d use DDNS instead of my dynamic public IP. There are DDNS providers that offer free accounts – I use no-ip.

Make sure that you have at least two interfaces – one for the WAN (em0) and the other (em1) for management.

This is optional – by default, the OPNsense/PFsense will create firewall rules and Outbound NAT. In this post, I will be disabling the outbound NAT, since I don’t want to NAT my VPN from the OPNsense to my network. Also, I will create my own firewall rules.

If you do not want to make those changes, you are done once you finish the sections from the beginning through OpenVPN Server, and there is no need to continue with the Firewall Rules and Network Address Translation part of this guide.

Make sure that you are forwarding (destination NAT) the port 1194/udp from the Internet inbound to your OPNsense/PFsense firewall. Otherwise, it is not going to work.

Dynamic DNS

Let’s get started – login to opnsense webUI.
Navigate to Services > DNS Tools > DynDNS > Add
When done click on Save. This will take a few seconds.

Enter all necessary information  – see Figure 2

Figure 2

Networking

Navigate to System > Gateway > All > Add gateway
Select the WAN interface
Give it a Name
Enter the default gateway IP address in the Gateway field
Check the Default Gateway
Click Save and then Apply changes

Figure 3

Navigate to System > Settings > General
Make sure that you update the timezone

Figure 4

Scroll down and set the DNS servers and select Use gateway from the drop-down menu
Uncheck the Allow DNS server list to be overridden by DHCP/PPP on WAN
Click Save and Apply

Figure 5

Navigate to Interfaces > [WAN]
Then uncheck the Block private networks
Leave the Block bogon networks checked
Set the IPv4 Configuration Type to Static IPv4

Figure 6

Scroll down and give the WAN interface a static IP and select the IPv4 Upstream Gateway that was set up earlier.
Click Save when done.

Figure 7

Navigate to Interfaces > [LAN]
Set the IPv4 Configuration Type to Static IPv4

Figure 8

Scroll down and give the interface a static IP for management access

Figure 9

OpenVPN Package

We need to download the OpenVPN package. Navigate to System > Firmware > Packages
Select openvpn23 > reinstall icon (the one that looks like a recycle icon)

Figure 10

Certificates

We need to create the CA certificate and OpenVPN Server certificate. Navigate to System > Trust > Authorities > Add or import CA
Ensure you select ‘Create an internal Certificate Authority’ from the Method drop-down menu.
Enter the necessary information as shown in Figures 11 and 12, then click Save

Figure 11

Figure 12

To create the OpenVPN server certificate, navigate to System > Trust > Certificates > Add or import certificates

  1. Ensure you select ‘Create an internal Certificate Authority’ from the Method drop-down menu
  2. Under the Certificate authority’s drop-down menu, select the CA that was created earlier
  3. The Type should be Server Certificate

Figure 13

VPN Users

Now, we need to create the vpn users.
Navigate to System > Access  > Users
Click the + symbol to add a user

Figure 14

Enter only the following:

  • Username
  • Password
  • Expiration (optional)
  • Make sure that you put a check mark on Certificate  > Click to create a user certificate

Figure 15

Figure 16

Since you checked Click to create a user certificate, clicking Save will take you automatically to System > Trust > Certificates

From here, make sure that you change the Method to Create an internal certificate
It should auto-populate the rest of the fields for you. All you need to do is click Save

Figure 17

After clicking Save, it will bring you back to the user creation page (Figure 15 and Figure 16). From here, just click Save

OpenVPN Server

Now we need to create the OpenVPN server. Navigate to VPN > OpenVPN > Servers > Add server

Under General Information, set the Server Mode to Remote Access (SSL/TLS). The rest of the information should be automatically populated.

Figure 18

Under the Cryptographic Settings, make sure to select the OpenVPN server certificate that was created earlier from the Server Certificate drop-down menu.
The rest of the fields should already be auto-populated, but modify them if needed for better security as shown below

Figure 19

Under the Tunnel Settings, do the following:

  1. IPv4 Tunnel Network – this is the IP pool from which the VPN users are going to get their IP addresses
  2. IPv4 Local Network – these are the resources that the VPN users will have access to. You can add multiple subnets separated by a comma
  3. Redirect Gateway – enabling this will remove the IPv4 Local Network and it will tunnel all the traffic to the VPN tunnel
    1. You probably guessed it already. Leaving the ‘Redirect Gateway’ disabled, the VPN traffic will be set to split tunneling (this is the default)
  4. Concurrent connections – this is the number of allowed connections that can connect to the VPN server
  5. Compression – should be set to Enable with Adaptive Compression

Figure 20

Under Client Settings, mark the following: Dynamic IP, Address Pool, and Topology. Mark the DNS Servers if you have preferred DNS servers as shown in Figure 21

Figure 21

Under Advanced Configuration,

Figure 22

At this point, everything is good to go. What is missing is exporting the users’ profiles. Navigate to VPN > OpenVPN > Client Export

  1. Select the OpenVPN server you have created from the Remote Access Server drop-down menu. If you created just one server, then it should already be selected
  2. Select the DDNS that was created at the beginning of this post from the Host Name Resolution drop-down menu
  3. Leave everything as is. Scroll down to the bottom and you will see the users you have created
  4. Select the type of profile you will need for the user in the Export column
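
An exported profile can be inspected before it is copied to a phone or laptop. The following added example is not part of the original post or of OPNsense: it parses a constructed .ovpn profile of the kind the Remote Access (SSL/TLS) mode and Adaptive Compression settings above would produce, and lists the settings worth a second look. The sample profile, the host name vpn.example.net and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample profile; host name and key material are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
(placeholder)
-----END PRIVATE KEY-----
</key>
"""

INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")
WEAK_CIPHER_PREFIXES = ("BF-", "DES-", "RC2-", "CAST5-")  # 64-bit block ciphers


def parse_profile(text):
    """Split a client profile into {directive: [args, ...]} and {inline_tag: [lines]}."""
    directives, inline, tag = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if tag:                                   # inside <tag> ... </tag>
            if line == f"</{tag}>":
                tag = None
            else:
                inline[tag].append(line)
        elif line and line[0] not in "#;":        # skip blanks and comments
            m = INLINE_OPEN.match(line)
            if m:
                tag = m.group(1)
                inline[tag] = []
            else:
                name, *args = line.split()
                directives.setdefault(name, []).append(args)
    return directives, inline


def audit_profile(text):
    """Return the profile's endpoints, cipher and a list of settings to review."""
    d, inline = parse_profile(text)
    proto = d.get("proto", [["udp"]])[0][0]       # OpenVPN defaults to UDP
    remotes = [(a[0], int(a[1]) if len(a) > 1 else 1194, a[2] if len(a) > 2 else proto)
               for a in d.get("remote", [])]
    # OpenVPN 2.3 falls back to BF-CBC when the profile names no cipher.
    cipher = d.get("cipher", [["BF-CBC"]])[0][0].upper()
    findings = []
    if "key" in inline or "pkcs12" in inline:
        findings.append("private key embedded: treat the file as a credential")
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: the certificate is the only factor")
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("server certificate usage is not checked")
    if cipher.startswith(WEAK_CIPHER_PREFIXES):
        findings.append(f"64-bit block cipher in use: {cipher}")
    # "comp-lzo" with no argument means adaptive; "compress" alone only adds framing.
    if any(a != ["no"] for a in d.get("comp-lzo", [])) or \
       any(a and a[0] != "stub" for a in d.get("compress", [])):
        findings.append("compression enabled inside the tunnel")
    return {"remotes": remotes, "cipher": cipher, "findings": findings}


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    print(report["remotes"], report["cipher"])
    for finding in report["findings"]:
        print(" -", finding)
```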

Firewall Rules and Network Address Translation

I am going to disable the outbound NAT and will create my own firewall rules. Now, before I disable my NAT, I had a static route for the OpenVPN subnet with the next-hop IP of the WAN interface of the OPNsense.

To disable source NAT (outbound NAT), navigate to Firewall > NAT > Outbound
Select the Disable outbound NAT rule generation then click Save

Figure 23

The firewall rule is very simple. It is just an inbound rule to the WAN interface. Basically, what you need is the second line. I have the third line because I created two OpenVPN servers for two different purposes.

Figure 24

These are the OpenVPN firewall rules. I disabled the default ‘allow all’ rule and created several rules for specific needs

Figure 25

 

I believe this is it. Hope you will find this helpful. Cheers!!!


OpenVPN and Raspberry Pi 3 – part 1

I used to use the remote access VPN that came with my SRX100 and now SRX300. However, it is limited to two users only. I need more than two users. I thought of using the Raspberry Pi and OpenVPN since OpenVPN can be used on most platforms – Windows, MacOS (or OSX), Linux, and mobile devices such as Android, and iOS.

Another issue that I found was on the iOS devices, I could not VPN-in to my SRX via PulseSecure app. I kept getting this whenever I tried to VPN-in.

Figure 1

There are times that I don’t have a laptop with me. Therefore, access using my phone is important. It seems like OpenVPN meets my requirements for home VPN.

I am going to split this post into two.

  • Part 1 – configuring OpenVPN on a Raspberry Pi 3 and setting up Destination NAT on the Juniper SRX
  • Part 2 – configuring OpenVPN on the clients (Ubuntu, OSX, iOS)

Let’s get started:

The installation is pretty simple thanks to pivpn. If your public IP is dynamic, I would highly recommend that you choose the Use a public DNS option and then enter your hostname. I used the no-ip service for mine. Anyways, the script is pretty straightforward. The issue now is the Pi’s iptables. By default, OpenVPN is not allowed. This guide will help you configure the iptables.

If you follow those two guides, your Pi should be good to go. Now we need to configure the SRX to allow inbound traffic from anywhere on the Internet to the Pi via Destination NAT / port-forwarding.

SSH to the SRX, and create an application for the OpenVPN ports. OpenVPN uses 1194/udp.

Example 1

set applications application OPENVPN-APP term UDP-1194 protocol udp
set applications application OPENVPN-APP term UDP-1194 destination-port 1194

Create a destination NAT pool

Example 2

set security nat destination pool untrust_TO_PI-OPENVPN address 192.168.9.2/32
set security nat destination pool untrust_TO_PI-OPENVPN address port 1194

Then create a rule-set for inbound traffic.

Example 3

set security nat destination rule-set DST-NAT from zone untrust
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN description "OPEN VPN DESTINATION NAT"
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN match destination-address 1.1.1.1/32
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN match destination-port 1194
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN then destination-nat pool untrust_TO_PI-OPENVPN

The Destination NAT is created. We need to create a policy to allow the inbound traffic. Let’s start with creating an address-book

Example 4

set security address-book global address PI-OPENVPN-BOOK 192.168.9.2/32

Then an inbound security policy

Example 5

set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN description "INBOUND TRAFFIC FROM untrust TO PI-OPENVPN VIA PORT 1194"
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match source-address any
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match destination-address PI-OPENVPN-BOOK
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match application OPENVPN-APP
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN then permit

At this point, you should be able to VPN in. However, do not test the VPN from inside your LAN. This will not work because when you were configuring your Pi VPN, you specified your public IP or DDNS. Therefore, in your .ovpn profile, the destination is your public IP. Now, if you really want to VPN from your LAN, you would need to configure the SRX with U-Turn NAT, but that’s going to be for another discussion.

Now, you would need to create a security policy to allow the VPN users to reach the internal destination.

Example 6

set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN description "ALLOW DYNAMIC VPN TO REACH THE TRUST ZONE RESOURCES"
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match source-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match destination-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match application any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN then permit

The last part is to tell the SRX that you have a new network, 10.8.0.0/24. By default, OpenVPN uses 10.8.0.0/24 for the VPN users. You may be able to send traffic to your destination, but the SRX does not know how to get to 10.8.0.0/24. Add a static route whose next-hop is the Pi.

Example 7

set routing-options static route 10.8.0.0/24 next-hop 192.168.9.2
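
Examples 1 to 7 only work together if the names, addresses and ports agree across them. The following added example is not part of the original post: a small Python check, with hypothetical function names, that parses those set commands and cross-checks the destination NAT pool, the security policies and the static route.

```python
import shlex
from ipaddress import ip_network

# The set commands from Examples 1-7 of this post (description lines left out).
SRX_CONFIG = """\
set applications application OPENVPN-APP term UDP-1194 protocol udp
set applications application OPENVPN-APP term UDP-1194 destination-port 1194
set security nat destination pool untrust_TO_PI-OPENVPN address 192.168.9.2/32
set security nat destination pool untrust_TO_PI-OPENVPN address port 1194
set security nat destination rule-set DST-NAT from zone untrust
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN match destination-address 1.1.1.1/32
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN match destination-port 1194
set security nat destination rule-set DST-NAT rule untrust_TO_PI-OPENVPN then destination-nat pool untrust_TO_PI-OPENVPN
set security address-book global address PI-OPENVPN-BOOK 192.168.9.2/32
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match source-address any
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match destination-address PI-OPENVPN-BOOK
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN match application OPENVPN-APP
set security policies from-zone untrust to-zone VPN-ZONE policy untrust_TO_PI-OPENVPN then permit
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match source-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match destination-address any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match application any
set security policies from-zone VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN then permit
set routing-options static route 10.8.0.0/24 next-hop 192.168.9.2
"""

def parse(config):
    """Index the statement types used in this post; anything else is ignored."""
    cfg = {k: {} for k in ("apps", "pools", "rules", "zones", "book", "policies", "routes")}
    for line in config.splitlines():
        w = shlex.split(line)                 # a quoted description stays one word
        if w[1:3] == ["applications", "application"] and w[4:5] == ["term"]:
            cfg["apps"].setdefault(w[3], {})[w[6]] = w[7]
        elif w[1:5] == ["security", "nat", "destination", "pool"]:
            key, val = ("port", w[8]) if w[7] == "port" else ("address", ip_network(w[7]))
            cfg["pools"].setdefault(w[5], {})[key] = val
        elif w[1:5] == ["security", "nat", "destination", "rule-set"]:
            if w[6] == "from":
                cfg["zones"][w[5]] = w[8]
            elif w[8:11] == ["then", "destination-nat", "pool"]:
                cfg["rules"][w[7]] = {"set": w[5], "pool": w[11]}
        elif w[1:3] == ["security", "address-book"]:
            cfg["book"][w[5]] = ip_network(w[6])
        elif w[1:3] == ["security", "policies"]:
            pol = cfg["policies"].setdefault(w[8], {"from": w[4], "to": w[6]})
            if w[9] == "match":
                pol.setdefault(w[10], []).append(w[11])
            elif w[9] == "then":
                pol["action"] = w[10]
        elif w[1:3] == ["routing-options", "static"]:
            cfg["routes"][ip_network(w[4])] = ip_network(w[6])
    return cfg

def audit(cfg):
    """Cross-check NAT, policies and routes; return a list of findings."""
    findings = []
    for name, rule in cfg["rules"].items():
        pool, zone = cfg["pools"][rule["pool"]], cfg["zones"][rule["set"]]
        for pol in cfg["policies"].values():  # policy lookup sees the translated address
            dsts, apps = pol.get("destination-address", []), pol.get("application", [])
            dst_ok = "any" in dsts or any(
                pool["address"].subnet_of(cfg["book"][d]) for d in dsts if d in cfg["book"])
            app_ok = "any" in apps or any(
                cfg["apps"].get(a, {}).get("destination-port") == pool["port"] for a in apps)
            if pol["from"] == zone and pol.get("action") == "permit" and dst_ok and app_ok:
                break
        else:
            findings.append(f"nat rule {name}: no policy from {zone} permits "
                            f"{pool['address']} port {pool['port']}")
    for name, pol in cfg["policies"].items():
        keys = ("source-address", "destination-address", "application")
        if pol.get("action") == "permit" and all(pol.get(k) == ["any"] for k in keys):
            findings.append(f"policy {name}: {pol['from']} -> {pol['to']} permits any/any/any")
    hosts = {p["address"] for p in cfg["pools"].values()}
    for prefix, hop in cfg["routes"].items():
        if hop not in hosts:
            findings.append(f"route {prefix}: next-hop {hop} is not a NAT pool host")
    return findings
```

On the configuration above the only finding is the VPN-ZONE to trust policy from Example 6, which permits any source, destination and application.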

That’s about it.

Cheers

 


ExpressVPN on Linux

I tried to install ExpressVPN on my Ubuntu Gnome, and I was following the “how to” guide by ExpressVPN, and got some issues. Luckily I found this thread https://ubuntuforums.org/showthread.php?t=2342534

To view the server list, simply enter the following in terminal: expressvpn list

netshinobi@netshinobiug:~$ expressvpn list | less
ALIAS   COUNTRY                                  LOCATION                         RECOMMENDED
-----   ---------------                          ------------------------------   -----------
smart   Smart Location                           USA - New York                   Y
usny    United States (US)                       USA - New York                   Y
usla                                             USA - Los Angeles                Y
usch                                             USA - Chicago                    Y
usny2                                            USA - New York - 2 
...
...

Once you have selected your server, connect by entering the following: expressvpn connect <server-alias>

Let’s say that I want to connect to Atlanta

netshinobi@netshinobiug:~$ expressvpn connect usat
Connecting to USA - Atlanta... 100.0%
Connected.
netshinobi@netshinobiug:~$

To check the status of the vpn, type-in: expressvpn status

netshinobi@netshinobiug:~$ expressvpn status
Connected to USA - Atlanta
netshinobi@netshinobiug:

To disconnect, just type in expressvpn disconnect

netshinobi@netshinobiug:~$ expressvpn disconnect 
Disconnecting...
Disconnected.
netshinobi@netshinobiug:~$

Or you can check the man page: man expressvpn

Cheers!


EIGRP with the same Router ID – part 2

This is the continuation from part 1. We are still going to be using the same topology – see Figure 1. We are going to lab scenario two, where R1 and R3 both have the same EIGRP router ID.

Figure 1

I have removed the router-id 1.1.1.1 on R2 using the command no eigrp router-id 1.1.1.1. R3 has a full neighbor relationship with R2 and R3 is receiving routes from R2. After fixing the router ID of R2, R2 is now accepting routes from R1 and R2 is advertising the routes to R3. Example 1 shows R3’s route table.

Example 1

R3#show ip route
...
      10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
D       10.0.1.0/24 [90/435200] via 10.0.23.2, 00:00:14, Ethernet1/1
D       10.0.2.0/24 [90/409600] via 10.0.23.2, 00:00:14, Ethernet1/1
C       10.0.3.0/24 is directly connected, Loopback0
L       10.0.3.1/32 is directly connected, Loopback0
D EX    10.0.10.0/24 [170/309760] via 10.0.23.2, 00:00:14, Ethernet1/1
D       10.0.12.0/24 [90/307200] via 10.0.23.2, 00:00:14, Ethernet1/1
D       10.0.20.0/24 [90/409600] via 10.0.23.2, 00:00:14, Ethernet1/1
C       10.0.23.0/24 is directly connected, Ethernet1/1
L       10.0.23.3/32 is directly connected, Ethernet1/1
C       10.0.30.0/24 is directly connected, Loopback1
L       10.0.30.1/32 is directly connected, Loopback1
R3#

As you can see, R3 is receiving the routes 10.0.1.0/24 and 10.0.10.0/24 from R1. R1 is also receiving R3 routes as shown in Example 2.

Example 2

R1#show ip route
...
     10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
C      10.0.1.0/24 is directly connected, Loopback0
L      10.0.1.1/32 is directly connected, Loopback0
D      10.0.2.0/24 [90/409600] via 10.0.12.2, 00:01:11, Ethernet1/0
D      10.0.3.0/24 [90/435200] via 10.0.12.2, 00:01:11, Ethernet1/0
C      10.0.10.0/24 is directly connected, Loopback1
L      10.0.10.1/32 is directly connected, Loopback1
C      10.0.12.0/24 is directly connected, Ethernet1/0
L      10.0.12.1/32 is directly connected, Ethernet1/0
D      10.0.20.0/24 [90/409600] via 10.0.12.2, 00:01:11, Ethernet1/0
D      10.0.23.0/24 [90/307200] via 10.0.12.2, 00:01:11, Ethernet1/0
D      10.0.30.0/24 [90/435200] via 10.0.12.2, 00:01:11, Ethernet1/0
R1#

I am going to change the router ID of R3 to 1.1.1.1, and let’s see what’s going to happen. In Example 3

Example 3

R3#show run | sec router
router eigrp 1
 network 0.0.0.0
 eigrp router-id 1.1.1.1
R3#

In Example 4, R2 shows that it still has a neighbor relationship with both R1 and R3 even though both routers have the same RID.

Example 4

R2#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address             Interface       Hold Uptime     SRTT    RTO  Q   Seq
                                        (sec)           (ms)         Cnt Num
1   10.0.23.3           Et1/1             14 00:00:57     16    100   0   17
0   10.0.12.1           Et1/0             11 00:06:45     12    100   0   13
R2#

Example 5 shows the R1, R2 and R3 route tables. As you can see, R1 lost all the routes (10.0.3.0/24 and 10.0.30.0/24) from R3, and R3 lost R1’s routes (10.0.1.0/24 and 10.0.10.0/24). However, R2 still has all the routes.

Example 5

R1#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D      10.0.2.0/24 [90/409600] via 10.0.12.2, 00:19:15, Ethernet1/0
D      10.0.20.0/24 [90/409600] via 10.0.12.2, 00:19:15, Ethernet1/0
D      10.0.23.0/24 [90/307200] via 10.0.12.2, 00:19:15, Ethernet1/0
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
D      10.0.1.0/24 [90/409600] via 10.0.12.1, 00:19:39, Ethernet1/0
D      10.0.3.0/24 [90/409600] via 10.0.23.3, 00:13:52, Ethernet1/1
D EX   10.0.10.0/24 [170/284160] via 10.0.12.1, 00:19:39, Ethernet1/0
D      10.0.30.0/24 [90/409600] via 10.0.23.3, 00:13:52, Ethernet1/1
R2#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R3#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D      10.0.2.0/24 [90/409600] via 10.0.23.2, 00:13:38, Ethernet1/1
D      10.0.12.0/24 [90/307200] via 10.0.23.2, 00:13:38, Ethernet1/1
D      10.0.20.0/24 [90/409600] via 10.0.23.2, 00:13:38, Ethernet1/1
R3#

Even though there is a router in the middle between R1 and R3, EIGRP behaves the same way as it did in part 1. When a router sees its own router ID in an update, it will not accept the update because it thinks that there is a loop in the network.

I removed the router ID 1.1.1.1 on R3, and put the router ID 1.1.1.1 back on R2. By doing this R1 lost R2 routes, but kept R3 routes. See Example 6 for R1, R2 and R3 route tables.

Example 6

R1#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
D      10.0.3.0/24 [90/435200] via 10.0.12.2, 00:07:07, Ethernet1/0
D      10.0.30.0/24 [90/435200] via 10.0.12.2, 00:07:07, Ethernet1/0
R1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

R2#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
D      10.0.3.0/24 [90/409600] via 10.0.23.3, 00:07:40, Ethernet1/1
D      10.0.30.0/24 [90/409600] via 10.0.23.3, 00:07:40, Ethernet1/1
R2#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R3#show ip route eigrp 
...
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D     10.0.2.0/24 [90/409600] via 10.0.23.2, 00:08:07, Ethernet1/1
D     10.0.12.0/24 [90/307200] via 10.0.23.2, 00:08:07, Ethernet1/1
D     10.0.20.0/24 [90/409600] via 10.0.23.2, 00:08:07, Ethernet1/1
R3#

R1 accepted the routes (10.0.3.0/24 and 10.0.30.0/24) from R3, which are being advertised by R2 to R1. R1 accepted these routes because the updates generated by R3 do not have the 1.1.1.1 RID in them; therefore, R1 accepted the routes from R3, but ignores the route updates from R2 because of the duplicated RID.

R3 does not have R1 routes because R2 thinks R1 updates would cause a routing loop. Therefore, R2 will not install R1 updates to its route table and it will not pass it along to R3.
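
The behaviour seen in Examples 5 and 6 can be reproduced with a toy model. The following added example is not from the original post and is not how IOS implements EIGRP: every route carries the router ID of the router that originated it, and a router drops any update that carries its own ID. The router IDs 2.2.2.2 and 3.3.3.3 stand in for whatever ID the lab routers pick when none is configured and are assumptions.

```python
# Connected networks per router, read off the route tables in this post.
CONNECTED = {
    "R1": ["10.0.1.0/24", "10.0.10.0/24", "10.0.12.0/24"],
    "R2": ["10.0.2.0/24", "10.0.20.0/24", "10.0.12.0/24", "10.0.23.0/24"],
    "R3": ["10.0.3.0/24", "10.0.30.0/24", "10.0.23.0/24"],
}
LINKS = [("R1", "R2"), ("R2", "R3")]          # R1 -- R2 -- R3


def converge(rids, connected=CONNECTED, links=LINKS):
    """Flood routes between neighbors until nothing changes.

    Each route carries the router ID of the router that originated it.
    Returns {router: {prefix: (originator_rid, hops)}}.
    """
    tables = {r: {p: (rids[r], 0) for p in connected[r]} for r in rids}
    both_ways = links + [(b, a) for a, b in links]
    changed = True
    while changed:
        changed = False
        for sender, receiver in both_ways:
            for prefix, (origin, hops) in list(tables[sender].items()):
                if origin == rids[receiver]:
                    continue      # receiver sees its own RID: update discarded as a loop
                known = tables[receiver].get(prefix)
                if known is None or hops + 1 < known[1]:
                    tables[receiver][prefix] = (origin, hops + 1)
                    changed = True
    return tables


def learned(tables, router):
    """Prefixes the router installed from a neighbor (the 'D' routes)."""
    return sorted(p for p, (_, hops) in tables[router].items() if hops > 0)


def duplicate_rids(rids):
    """Map each router ID used by more than one router to those routers."""
    seen = {}
    for router, rid in rids.items():
        seen.setdefault(rid, []).append(router)
    return {rid: names for rid, names in seen.items() if len(names) > 1}


# Example 5: R1 and R3 share 1.1.1.1 (R2's RID is an assumed value).
SCENARIO_2 = {"R1": "1.1.1.1", "R2": "2.2.2.2", "R3": "1.1.1.1"}
# Example 6: R1 and R2 share 1.1.1.1 (R3's RID is an assumed value).
SCENARIO_3 = {"R1": "1.1.1.1", "R2": "1.1.1.1", "R3": "3.3.3.3"}

if __name__ == "__main__":
    for name, rids in (("R1 = R3", SCENARIO_2), ("R1 = R2", SCENARIO_3)):
        tables = converge(rids)
        print(name, duplicate_rids(rids))
        for router in rids:
            print(" ", router, learned(tables, router))
```

A check like duplicate_rids() over the configured router IDs finds the misconfiguration directly, instead of inferring it from missing routes.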

There you have it.
