IP SLA operation

Posted on April 25, 2016 by clucas

IP SLA is a great tool to automation some treatment. You could do great things with it. We will work on IP SLA Reaction here.

What is it ? You could launch some action on some state of an IP SLA. Such as (Even if it is not a good example) : some nested ping.

The job here, is to check R4 – R3 and R4 – R2 if IP SLA beetween R1 – R4 is awful.

We could do this such as :
R4 :

ip sla 1
 udp-jitter 10.1.12.1 3200 source-ip 10.1.43.4 source-port 6565 codec g711ulaw codec-size 128
 frequency 5
ip sla schedule 1 start now life forever 

ip sla 43 
 icmp-echo 10.1.43.3 source-ip 10.1.43.4
 frequency 5
ip sla schedule 43 start pending life 60

ip sla 42 
 icmp-echo 10.1.32.2 source-ip 10.1.43.4
 frequency 5
ip sla schedule 42 start pending life 60

ip sla reaction-trigger 1 43
ip sla reaction-trigger 43 42
ip sla reaction-configuration 1 react MOS threshold-type consecutive 4 threshold-value 390 220 action-type trapAndTrigger
ip sla reaction-configuration 43 react rtt threshold-value 100 50 threshold-type immediate action-type trapAndTrigger
ip sla reaction-configuration 42 react rtt threshold-value 100 50 threshold-type immediate action-type trapOnly

snmp-server host 10.1.1.1
snmp-server enable traps syslog

We do an analyze on each segment of path and if it fails on our condition, it traps it.

Obvisouly on R1 :

ip sla responder

BGP rib-failure

Posted on February 1, 2016 by clucas

I think everyone now what is a RIB-Failure in BGP context. It sounds obviously as an exact same route with a lowest AD as {e|i}BGP. We have VRF-Lite on R1 here :

We have :

1#show ip bg vpnv4 vrf CUST
BGP table version is 11, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:1 (default for vrf CUST)
 *>  10.1.1.1/32      12.0.0.2                 0             0 65002 ?
 *>  10.2.2.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.3.3.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.4.4.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.1/32      12.0.0.2                 0             0 65002 ?
 r>  10.5.5.5/32      12.0.0.2                 0             0 65002 ?
 r>  10.6.6.6/32      12.0.0.2                 0             0 65002 ?
 r>  12.0.0.0/24      12.0.0.2                 0             0 65002 ?
R1#
R1#show ip route vrf CUST

Routing Table: CUST

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 2 subnets
B        10.1.1.1 [20/0] via 12.0.0.2, 00:37:49
B        10.2.2.1 [20/0] via 12.0.0.2, 00:37:49
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.0.0.0/24 is directly connected, Ethernet0/0
L        12.0.0.1/32 is directly connected, Ethernet0/0
R1#

So the only route we can have a RIB-Failure due to lowest AD is : 12.0.0.0/24. What is the problem with others ?
We can know this by using :

R1#show ip bg vpnv4 vrf CUST rib-failure
  Network            Next Hop                      RIB-failure   RIB-NH Matches
Route Distinguisher: 65001:1 (default for vrf CUST)
10.3.3.1/32        12.0.0.2                      Route limit              n/a
10.4.4.1/32        12.0.0.2                      Route limit              n/a
10.5.5.1/32        12.0.0.2                      Route limit              n/a
10.5.5.5/32        12.0.0.2                      Route limit              n/a
10.6.6.6/32        12.0.0.2                      Route limit              n/a
12.0.0.0/24        12.0.0.2            Higher admin distance              n/a
R1#

The problem is :

ip vrf CUST
 rd 65001:1
 maximum routes 4 80
!

You know surely now why it is in ‘RIB-Failure’ state…

BGP review – ‘received-only’ prefix state

Posted on January 31, 2016 by clucas

Today a little review :

edge12.bor03>show ip bg 37.8.8.8
BGP routing table entry for 37.8.0.0/20, version 47221703
Paths: (3 available, best #2, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  15975, (received-only)
    17.69.240.117 from 17.69.240.117 (17.69.255.1)
      Origin IGP, metric 16, localpref 500, valid, internal
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.6)
      Origin IGP, localpref 100, valid, external, best
  12671 15975 15975 15975 15975, (received & used)
    46.218.1.1 from 46.218.1.1 (172.17.1.2)
      Origin IGP, localpref 100, valid, external
edge12.bor03>

Why the path through 17.69.240.117 is not used, although it is the a better path to 37.8.0.0/20 ?
Why is it marked as “received-only”

“Received-only” means as it says that this prefix is received, stored in Adj-IN, but cannot be selected for a valid prefix. Why ?

Lot of reasons. Commons are : route-maps, NEXTHOP not reachable…

http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html

In my example, the problem is here : a route-map without an explicit permit.

GETVPN : Group Encrypted Transport VPN

Posted on October 28, 2015 by clucas

Here it comes. We will use the same topology as the last two blog posts.
This time we will play with GETVPN. GETVPN is a Cisco technology. One of the advantage of GETVPN is that we are able to build somespoke-to-spoke IPSEC tunnel without Tunnel interface and it is highly scalable.

We could say to me : ok, man ! but you could do this by means of static tunnels. Yes you can, BUT with GETVPN you can maintain easily full mesh networks by means of Key Server and the GETVPN technology.

Tunnel is build between GM (Group Member). The Key Server (KS) maintains security policies and is not part of the Forwarding Path. This server is here to provide security policy and make it possible to GM to build a encrypted tunnel between each other. No need to pass through a central node. GETVPN is a answer, DMVPN phase 3 is another 🙂

We have R4 as KS with a loopback address : 4.4.4.4/32
We have R2 and R3 as our spokes. These routers has each other a loopback 99 with a different /24 subnet.

R2 : 99.99.99.0/24
R3 : 100.100.100.0/24

Let’s go and see how it is configured. Begin with the Key Server :

crypto key generate rsa modulus 1024 label REKEYRSA

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server local
  rekey algorithm aes 128
  rekey authentication mypubkey rsa REKEYRSA
  rekey transport unicast
  sa ipsec 1
   profile PROFILE
   match address ipv4 getvpn-acl
   replay time window-size 5
   no tag
  address ipv4 4.4.4.4

ip access-list extended getvpn-acl
 permit ip 99.99.99.0 0.0.0.255 100.100.100.0 0.0.0.255
 permit ip 100.100.100.0 0.0.0.255 99.99.99.0 0.0.0.255
 deny   ip any any

Now R2 and R3 :

R2 : 

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server address ipv4 4.4.4.4
crypto map gdoimap 1 gdoi
 set group GDOI-GROUP1
 crypto map gdoimap

interface Ethernet0/1
 ip address 123.0.0.2 255.255.255.0
 ip router isis
 crypto map gdoimap

R3 : 
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET
crypto gdoi group GDOI-GROUP1
 identity number 12345
 server address ipv4 4.4.4.4
crypto map gdoimap 1 gdoi
 set group GDOI-GROUP1
 crypto map gdoimap

GM use and interact with the KS to build their IPSec SA. Here, the security policy is identified by “identity number 12345”.

To make my topology works I have been obliged to add a static route towards my remote endpoints. I have been obliged to due to a bug on my IOS. It crashes if I add a “reverse-route” command in my crypto map.

Now, we could try to ping each other :

R2#  ping 100.100.100.3 so lo 99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.3, timeout is 2 seconds:
Packet sent with a source address of 99.99.99.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/7 ms
R2#

Good ! it pings. Let’s see if it is encrypted :

https://www.cloudshark.org/captures/a99bd1404eaa or http://www.clucas.fr/downloads/GETVPN.pcap

Great it works 🙂

Now see some troubleshooting commands :

R2#show crypto session
Crypto session current status

Interface: Ethernet0/1
Session status: UP-ACTIVE
Peer: 0.0.0.0 port 500
  Session ID: 0
  IKEv1 SA: local 123.0.0.2/848 remote 4.4.4.4/848 Active
  IPSEC FLOW: deny ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 100.100.100.0/255.255.255.0 99.99.99.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 99.99.99.0/255.255.255.0 100.100.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map

R2#
R2#show crypto gdoi gm
Group Member Information For Group GDOI-GROUP1:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_GDOI-GROUP1_temp_acl

    Group member             : 123.0.0.2       vrf: None
       Local addr/port       : 123.0.0.2/848
       Remote addr/port      : 4.4.4.4/848
       fvrf/ivrf             : None/None
       Version               : 1.0.8
       Registration status   : Registered
       Registered with       : 4.4.4.4
       Re-registers in       : 2673 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 4.4.4.4
       Last rekey seq num    : 10
       Unicast rekey received: 2
       Rekey ACKs sent       : 2
       Rekey Rcvd(hh:mm:ss)  : 00:11:50
       DP Error Monitoring   : OFF

R2#
R2# show crypto ipsec sa

interface: Ethernet0/1
    Crypto map tag: gdoimap, local addr 123.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (99.99.99.0/255.255.255.0/0/0)
   Group: GDOI-GROUP1
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
[...]
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (99.99.99.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
   Group: GDOI-GROUP1
   current_peer 0.0.0.0 port 848
     PERMIT, flags={}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
[...]

Ok each SA encrypt and decrypts the correct number of packets 🙂

KS side :

R4#show crypto gdoi ks
Total group members registered to this box: 2

Key Server Information For Group GDOI-GROUP1:
    Group Name               : GDOI-GROUP1
    Re-auth on new CRL       : Disabled
    Group Identity           : 12345
    Group Members            : 2
    IPSec SA Direction       : Both
    ACL Configured:
	access-list getvpn-acl


R4#show crypto gdoi ks acl
Group Name: GDOI-GROUP1
 Configured ACL:
   access-list getvpn-acl  permit ip 99.99.99.0 0.0.0.255 100.100.100.0 0.0.0.255
   access-list getvpn-acl  permit ip 100.100.100.0 0.0.0.255 99.99.99.0 0.0.0.255
   access-list getvpn-acl  deny ip any any


R4#

For more information : http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

Have fun with GETVPN !!

IPSEC VTI

Posted on October 27, 2015 by clucas

IPSEC VTI stands for IPSEC Virtual Tunnel Interface.

Besides traditionnal IPSEC configuration with cyrpto map, VTI allows to use an interface. It is useful to apply some policies as we can do as other : service-policy, …

For this example, I will use the previous topology with four routers (R1, R2, R3, R4) : see the blog post below for a diagram.

I will implement a IPSEC VTI tunnel between R2 and R4.

VTI is really simple to implement :

R4#  show run int tun 11
Building configuration...

Current configuration : 179 bytes
!
interface Tunnel11
 ip address 11.1.1.4 255.255.255.0
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile PROFILE
end

R4#show run | sec crypto
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0        
crypto ipsec transform-set SET esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET 
R4#

And :

R2#show run | sec crypto
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0        
crypto ipsec transform-set SET esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec profile PROFILE
 set transform-set SET 
R2#show run int tun 11
Building configuration...

Current configuration : 179 bytes
!
interface Tunnel11
 ip address 11.1.1.2 255.255.255.0
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 4.4.4.4
 tunnel protection ipsec profile PROFILE
end

R2#

When the two tunnels are implemented the two tunnels states to up/up. Previous state is up/down.

We could do this kind of things and others :

R4(config)#int tun 11
R4(config-if)#service-policy output pm

R4#ping 11.1.1.2 rep 200
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 11.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (200/200), round-trip min/avg/max = 3/7/25 ms
R4#show policy-map interface tunnel 11
 Tunnel11 

  Service-policy output: pm

    Class-map: class-default (match-any)  
      200 packets, 20000 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any 
R4#

DMVPN and QOS

Posted on October 26, 2015 by clucas

How can DMVPN can make some QOS per spoke ?

It is what we will configure today :

Here is the network :

I will not explain how NHRP works in detail here.

R1, R2, R3, R4 use IS-IS (for fun) as IGP.

router isis
net 49.MAC_ADD.00

interface etc x/y
ip router isis

Now, here it comes DMVPN configurations :

R4#show run int tun 0
Building configuration...

Current configuration : 351 bytes
!
interface Tunnel0
 bandwidth 1000
 ip address 77.0.0.4 255.255.255.0
 no ip redirects
 ip nhrp authentication 1111
 ip nhrp map multicast dynamic
 ip nhrp map group toto service-policy output pm
 ip nhrp network-id 1111
 ip nhrp redirect
 load-interval 30
 qos pre-classify
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1111
end

R4#

And for R3 :

R3#show run int tun 0
Building configuration...

Current configuration : 340 bytes
!
interface Tunnel0
 ip address 77.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp authentication 1111
 ip nhrp group toto
 ip nhrp map 77.0.0.4 4.4.4.4
 ip nhrp map multicast 4.4.4.4
 ip nhrp network-id 1111
 ip nhrp nhs 77.0.0.4
 ip nhrp shortcut
 qos pre-classify
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1111
end

R3#

!!! WARNING !!! ‘ip nhrp group’ and ‘ip nhrp map group xxx service-policy output yyy’ commands are not displayed with ‘?’. But the correct way is ‘nhrp group xxx’ and ‘nhrp map group xxx service-policy out pm’.

The mapping of the policy-map on the multipoint tunnel is done when the NHRP request is sent (on the spoke we flag it by means of ‘ip nhrp group toto’). Some extra fields in the NHRP packet show that ‘this’ kind of trafic through this IP must be grouped with ‘this’ spoke.

We can see the mapping by :

4#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
	N - NATed, L - Local, X - No Socket
	# Ent --> Number of NHRP entries with same NBMA peer
	NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
	UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/up, Addr. is 77.0.0.4, VRF ""
   Tunnel Src./Dest. addr: 4.4.4.4/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect ""
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 2

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 2.2.2.2                77.0.0.2    UP 09:21:51    D        77.0.0.2/32
    1 3.3.3.3                77.0.0.3    UP 09:22:34    D        77.0.0.3/32
NHRP group: toto
 Output QoS service-policy applied: pm


Crypto Session Details:
--------------------------------------------------------------------------------

Pending DMVPN Sessions:

R4#

And we can see statistics by this command :

R4#show policy-map multipoint Tunnel 0 3.3.3.3

Interface Tunnel0  3.3.3.3

  Service-policy output: pm

    Class-map: class-default (match-any)
      8 packets, 1061 bytes
      30 second offered rate 0000 bps, drop rate 0000 bps
      Match: any
R4#

OSPF : Outbound filtering

Posted on May 29, 2015 by clucas

If you read/see videos about OSPF, it will be said that you can only filter on INBOUND or 1/0 on OUTBOUND (via ip ospf database-filter all out / neighbor x.x.x.x database-filter all out).
You will say to me, no problem I can filter by means of “area range xxxxx not-advertise” (LSA Type 3) or “summary-address xxxx no-advertise” (LSA Type 5).
Ok, now let’s say, I want with distribute-list and ACL, you filter out some routes ?

You could do this as :

R1(config-router)#distribute-list 10 out connected
R1(config-router)#do sh run | sec router
router ospf 1
 router-id 1.1.1.1
 no capability transit
 area 14 nssa
 summary-address 10.1.4.4 255.255.255.255 not-advertise
 summary-address 10.22.4.4 255.255.255.255 not-advertise
 network 10.1.1.1 0.0.0.0 area 0
 network 10.1.14.0 0.0.0.255 area 14
 network 11.1.1.0 0.0.0.255 area 0
 neighbor 11.1.1.2 database-filter all out
 distribute-list 10 out connected
 distance 255 9.9.9.9 0.0.0.0 41
R1(config-router)#

And you could do more :

R1(config-router)#distribute-list 10 out ?
  Async              Async interface
  Auto-Template      Auto-Template interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  Ethernet           IEEE 802.3
  GMPLS              MPLS interface
  LongReachEthernet  Long-Reach Ethernet interface
  Loopback           Loopback interface
  Lspvif             LSP virtual interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  bgp                Border Gateway Protocol (BGP)
  connected          Connected
  eigrp              Enhanced Interior Gateway Routing Protocol (EIGRP)
  isis               ISO IS-IS
  lisp               Locator ID Separation Protocol (LISP)
  ospf               Open Shortest Path First (OSPF)
  ospfv3             OSPFv3
  rip                Routing Information Protocol (RIP)
  static             Static routes
  vmi                Virtual Multipoint Interface

Have lot of fun to lab all these great OSPF features.

Some fun on this off-day.

Posted on May 14, 2015 by clucas

I have found again this networking game. The first time I play with it was in 2009. It was fun to take some hours to play with it.
It is not hosted by Cisco, so if you want to retrieve the archive you can download it here for those of you that were not in this industry or not know this cisco networking game.

OSPFv3 address-family

Posted on May 13, 2015 by clucas

This is possible to run the two address-families under the same OSPF process since Cisco IOS Software Release 15.1(3)S.

You can do this as :R9(config)# ipv6 unicast-routing R9(config)# ipv6 cef

Then :
R9(config)# router ospfv3 1 R9(config-router)#address-family ipv4 unicast R9(config-router-af)#router-id 10.1.9.9 R9(config-router-af)#redistribute connected R9(config-router-af)#exit-a

And then configure the OSPF link by means of configuration on the interface :R9(config-router-af)#int ser 3/0 R9(config-if)#ospfv3 1 ipv4 area 236 *May 13 20:31:14.956: %OSPFv3-5-ADJCHG: Process 1, IPv4, Nbr 10.1.6.6 on Serial3/0 from LOADING to FULL, Loading Done R9(config-if)#ospfv3 1 ipv6 area 236 R9(config-if)#

This is where I think it is really powerful.
I recommend you to check IPv6 and OSPF only with the keyword “ospfv3” such as :

R9#show ospfv3 neighbor

          OSPFv3 1 address-family ipv4 (router-id 10.1.9.9)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
10.1.6.6          0   FULL/  -        00:00:33    15              Serial3/0

          OSPFv3 1 address-family ipv6 (router-id 20.1.9.9)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
10.1.6.6          0   FULL/  -        00:00:31    15              Serial3/0
R9#

On R6 we can see now :

6#show ip route ospf?
Hostname or A.B.C.D  ospf  ospfv3

R6#show ip route ospfv3
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O E2     10.1.9.9/32 [110/20] via 10.1.69.9, 00:04:16, Serial3/0
      20.0.0.0/32 is subnetted, 2 subnets
O E2     20.1.9.9 [110/20] via 10.1.69.9, 00:04:16, Serial3/0
R6#