How Internetworks Work

Transmit-Interface Command

2011-08-04T09:22:00.000-07:00

To assign a transmit interface to a receive-only interface, use the transmit-interface command in interface configuration mode

The following example specifies Ethernet interface 0 as a simplex Ethernet interface:

interface ethernet 1

 ip address 128.9.1.2

 transmit-interface ethernet 0

Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3 - IP Addressing and Services Commands: T through W [Cisco IOS Software Releases 12.3 Mainline] - Cisco Systems

Virtual Switching System

2011-07-10T23:06:00.001-07:00

VSS Overview

The Cisco VSS simplifies network configuration and operation by providing a loop-free Layer 2 topology using two Catalyst 6500 switches acting as one big Virtual switch. VSS reduces number of Layer 3 routing neighbors by providing a Layer 2 connectivity for access/distribution switches.

A VSS is a pair of combined 6500 switches acting as a single network element with redundancy and load balancing over port-channels (etherchannels). One switch becomes the master or active chassis and the other one becomes the VSS standby.

VSS Switch Roles

VSS Active: The active chassis controls the VSS operation. It runs the control plane, L2 and L3 control protocols. It also runs the management plane functions like console interface, logs, file system and even power management.
VSS Standby: Listens to master, checks the status, forwards the ingress traffic but sends all control traffic to the VSS active chassis for processing.

Virtual Switch Link

To share control and data traffic between two chassis a VSL – Virtual Switch Link is required. VSL is implemented as a Port Channel. The control traffic gets higher priority over data on a VSL and never gets discarded.

before configuration make sure that you have right IOS image, proper VS-capable supervisor and line cards, you can check your line cards with the following command:

6500A#switch convert check vss-capable
This is a VSS capable switch.
VSL ports can be configured in slot: 4, 5, 6

VSS Configuration

By default, 6500 series switches are configured to operate in standalone mode. The following steps are required in order to setup virtual stack across two 6500 chassis.

Step1: Make sure SSO and NSF are configured and enabled

Step2: Assign Virtual Switch Doman and Switch numbers

Step3: Configure VSL Port Channel, PO# should be unique on each chassis.

Step4: Convert Standalone Chassis to Virtual Switch mode

Step1:

6500A(config)#redundancy
6500A(config-red)#mode sso
!

Step2:

6500A(config)#switch virtual domain ?
<1-255> Virtual switch domain number

6500A(config)#switch virtual domain 100
Domain ID 100 config will take effect only
after the exec command 'switch convert mode virtual' is issued

6500A(config-vs-domain)#switch 1
6500A(config-vs-domain)#exit

...

6500B(config)#switch virtual domain 100
Domain ID 100 config will take effect only
after the exec command 'switch convert mode virtual' is issued

6500B(config-vs-domain)#switch 2
6500B(config-vs-domain)#exit

Step3:

6500A(config)#int port-channel 100
6500A(config-if)#switch virtual link 1
6500A(config-if)#no shutdown
6500A(config-if)#exit
6500A(config)#int te5/4
6500A(config-if)#channel-group 100 mode on
6500A(config-if)#no shutdown
6500A(config)#int te6/4
6500A(config-if)#channel-group 100 mode on
6500A(config-if)#no shutdown

...

6500B(config)#int port-channel 200
6500B(config-if)#switch virtual link 2
6500B(config-if)#no shutdown
6500B(config-if)#exit
6500B(config)#int te5/4
6500B(config-if)#channel-group 200 mode on
6500B(config-if)#no shutdown
6500B(config)#int te6/4
6500B(config-if)#channel-group 200 mode on
6500B(config-if)#no shutdown

Step4:

6500A#switch convert ?
check check if this switch and its modules are VSS capable or not
mode mode keyword virtual or standalone

6500A#switch convert mode ?
stand-alone stand-alone switch
virtual virtual switch

6500A#switch convert mode virtual

This command will convert all interface names
to naming convention "interface-type switch-number/slot/port",
save the running config to startup-config and
reload the switch.

NOTE: Make sure to configure one or more dual-active detection methods
once the conversion is complete and the switches have come up in VSS mode.

Do you want to proceed? [yes/no]: yes
Converting interface names
Building configuration...
Saving converted configuration to bootflash: ...
Destination filename [startup-config.converted_vs-20110705-214318]?

*** --- SHUTDOWN NOW ---

Ensure that same PFC operating mode is being used on both chassis in order to have a proper SSO redundancy mode:

6500A#show platform hardware pfc mode
PFC operating mode : PFC3C

Now, Let’s look at configuration of VSS switch after reboot:

6500A#sh run
…
!
hostname 6500A
!
switch virtual domain 100
switch mode virtual
!
mls netflow interface
mls cef error action reset
!
spanning-tree mode pvst
spanning-tree extend system-id
diagnostic bootup level minimal
!
redundancy
main-cpu
auto-sync running-config
mode sso
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface Port-channel100
no switchport
no ip address
switch virtual link 1
mls qos trust cos
no mls qos channel-consistency
!
interface Port-channel200
no switchport
no ip address
switch virtual link 2
mls qos trust cos
no mls qos channel-consistency
!
interface GigabitEthernet1/1/1
no switchport
no ip address
shutdown
!
interface GigabitEthernet1/1/2
no switchport
no ip address
shutdown
...
...
interface TenGigabitEthernet1/5/4
no switchport
no ip address
mls qos trust cos
channel-group 100 mode on
...
...
interface TenGigabitEthernet1/6/4
no switchport
no ip address
mls qos trust cos
channel-group 100 mode on
...
...
interface TenGigabitEthernet2/5/4
no switchport
no ip address
mls qos trust cos
channel-group 200 mode on
...
...
interface TenGigabitEthernet2/6/4
no switchport
no ip address
mls qos trust cos
channel-group 200 mode on
...
...
interface Vlan1
no ip address
shutdown
!
ip classless
ip forward-protocol nd
!
control-plane
!
line con 0
line vty 0 4
login
!
mac-address-table aging-time 480
no event manager policy Mandatory.go_switchbus.tcl type system
!
module provision switch 1
slot 1 slot-type 147 port-type 61 number 48 virtual-slot 17
slot 3 slot-type 152 port-type 31 number 48 virtual-slot 19
slot 4 slot-type 227 port-type 60 number 8 virtual-slot 20
slot 5 slot-type 254 port-type 31 number 2 port-type 61 number 1 port-type 60 number 2 virtual-slot 21
slot 6 slot-type 254 port-type 31 number 2 port-type 61 number 1 port-type 60 number 2 virtual-slot 22
!
module provision switch 2
slot 1 slot-type 147 port-type 61 number 48 virtual-slot 33
slot 3 slot-type 152 port-type 31 number 48 virtual-slot 35
slot 4 slot-type 227 port-type 60 number 8 virtual-slot 36
slot 5 slot-type 254 port-type 31 number 2 port-type 61 number 1 port-type 60 number 2 virtual-slot 37
slot 6 slot-type 254 port-type 31 number 2 port-type 61 number 1 port-type 60 number 2 virtual-slot 38
!
end

Verification:

Verification is the most important part of configuration, you need to make sure that commands that you have entered are working as expected!

6500A#show switch virtual
Switch mode                  : Virtual Switch
Virtual switch domain number : 100
Local switch number          : 1
Local switch operational role: Virtual Switch Active
Peer switch number           : 2
Peer switch operational role : Virtual Switch Standby

6500A#show switch virtual role

Switch Switch Status Preempt    Priority Role     Session ID
        Number         Oper(Conf) Oper(Conf)         Local Remote
------------------------------------------------------------------
LOCAL    1     UP      FALSE(N )   100(100) ACTIVE   0      0
REMOTE   2     UP      FALSE(N )   100(100) STANDBY 4004   1462
In dual-active recovery mode: No

6500A#show switch virtual link
VSL Status : UP
VSL Uptime : 43 minutes
VSL SCP Ping : Pass
VSL ICC Ping : Pass
VSL Control Link : Te1/5/4

6500A#show switch virtual link port-channel
Flags: D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port

        w - waiting to be aggregated

Group Port-channel Protocol    Ports
------+-------------+-----------+-------------------
100    Po100(RU)        -        Te1/5/4(P)     Te1/6/4(P)
200    Po200(RU)        -        Te2/5/4(P)     Te2/6/4(P)

If I connect my console to secondary chassis:

6500A-sdby>
Standby console disabled

Multi-Chassis EtherChannel

One VSS supports a maximum of 512 - 2 port channels (deducting 2 POs for VSL) Configuration of MEC is not different than any regular etherchannel! The Different is physical connectivity, one link connects to VSS Active and the other link connects to VSS Standby chassis creating a high bandwidth active/active aggregated link-bundle (Etherchannel)

Access switch:

interface GigabitEthernet1/1/1
channel-group 10 mode on
!
interface GigabitEthernet1/1/2
channel-group 10 mode on

Core switch:

interface Port-channel10
switchport
!
interface GigabitEthernet1/3/17
switchport
channel-group 10 mode on
!
interface GigabitEthernet2/3/17
switchport
channel-group 10 mode on

Verify:

6500A#sh etherchannel summary
Number of channel-groups in use: 3
Number of aggregators: 3

Group Port-channel Protocol    Ports
------+-------------+-----------+--------------------------------------
10     Po10(SU)         -        Gi1/3/17(P)    Gi2/3/17(P)
100    Po100(RU)        -        Te1/5/4(P)     Te1/6/4(P)
200    Po200(RU)        -        Te2/5/4(P)     Te2/6/4(P)

Switch12#sh etherchannel summary
Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+--------------------------------------
10 Po10(SU) - Gi1/1/1(P) Gi1/1/2(P)

Service Provider General Tasks

2011-04-24T18:04:00.001-07:00

As you may now, CCIE Service Provider has been updated to new version (V.3) as of April 18 2011. There are several changes in the exam which are very important, ATM seems to be removed and IOS XR has a major role along with more IPv6 plus extended troubleshooting section. I went through my preparation notes and found best practices note which is general rule of thumb for CCIE SP lab.

General Best Practices for exam:

Configure ISIS or OSPF backbone in each AS (Loopback reach-ability)

configure loopback0 as router-id
configure metric parameters (e.g. auto-cost reference-bandwidth / metric-style wide)
configure network types / is-types
configure timers or protocol specific features, DR priority and so on.

Configure BGP in each AS (to advertise loopbacks to other AS)

configure "no bgp default ipv4-unicast"
configure neighbors remote-as
configure update-source as loopback0
configure address-family ipv4 and activate neighbors (and RR if necessary)
configure next-hop-self on border-routers (if necessary)
advertise loopback address with the network command

Configure eBGP neighbors

make sure you have advertised loopback addresses
make sure next-hop is propagated correctly
set "ip bgp-community new-format"
send bgp communities to required neighbors
configure routing policies/controls based on community lists

Configure MPLS Tagging

configure label protocol
configure loopback as ldp session source - router-id
configure label options (numbers, session protection, etc)
configure mpls interfaces

Configure MPLS TE

configure routers for MPLS TE
configure OSPF/ISIS for MPLS TE
configure routing area for MPLS TE (or Level1/2)
configure interfaces for TE and RSVP
configure tunnel interfaces
configure static or dynamic paths

Configure MPLS VPN

configure VRFs and try to import RTs
configure MP-IBGP
configure MP-eBGP
configure send-label in BGP (if required)
configure next-hop-unchanged (between MP-eBGP points if necessary)

Configure Route control in MPLS VPN

set BGP attributes to control routes. e.g:
send MED to MP-BGP CE neighbor (to make it less preferred)
set Weight for a neighbor in different AS to be preferred

For a detailed Lab exam blue print you can refer to:
https://learningnetwork.cisco.com/docs/DOC-10145

CSM Basics and FT

2011-04-12T18:11:00.001-07:00

Cisco Content Switching Module adds layer 4 to layer 7 content switching capabilities to the Catalyst 6500/7600 Series providing high-performance load balancing for servers, firewalls or even NAC boxes! Cisco CSM is old and not a new product, it has been replaced by newer Cisco ACE load-balancers. Cisco ACE is being sold in two different fashions, as Blade modules just like CSM or as 4710 appliances just like CSS appliance-based load-balancers.

ACE supports virtualization (multiple-contexts and resource allocation) while CSM is monolithic. CSM uses IOS configuration file and stores its configuration in the running-config. It’s really easy and straight forward to configure if you know what you’re doing!

It’s been awhile since the last time that I touched CSM as it’s end of sales and support. EOL/EOS reference link! But you might have some customers that are still using this product and they might need some levels of technical support. Last week, a call came through asking for CSM support, the customer has four CSM blades inside 6509s in redundant fashion in main and DR site…

This post quickly reviews the following topics:

CSM Basic setup
Fault tolerant
Multiple set of Client/Server VLAN pairs.
Dual / Multiple Gateways
Direct Server Access
CSM Verification with show commands
How to ping from CSM VIP address

Basic CSM Setup

The most basic and common method of setting up a load-balancer is to have a VLAN pair; one facing servers and the other VLAN facing clients (facing firewall/routers). Then the Load-balancer sits between client and server and creates a VIP (virtual ip address). That VIP is related to several real servers but all are seen as one entity or one VIP. That VIP is reflected by a NAT statement further on a firewall to a public address and is ready for being resolved by DNS.

Client request comes through client VLAN of load-balancer and hits the VIP address then it gets distributed among available real servers.

The first step is to create CLIENT and SERVER VLAN pair:

1. Create two VLANs on 6500 catalyst but do not assign an ip address.

2. Create same VLANs on the CSM and assign IP address inside the CSM:

module ContentSwitchingModule 3

vlan 302 server
ip address 10.8.108.2 255.255.255.0
!
vlan 301 client
ip address 10.8.8.2 255.255.255.0
gateway 10.8.8.254

Gateway is required for CSM to talk to clients (it might be your DMZ firewall interface)

The next step is to create server-farm (real-servers sit there) and vserver (virtual server – VIP)

probe HTTP http
recover 3
request method head
expect status 200
interval 2
failed 6
port 80
!
serverfarm HTTP_2010
nat server
no nat client
real 10.8.108.17
inservice
real 10.8.108.18
inservice
probe HTTP
!
vserver HTTP_2010
virtual 10.8.8.201 tcp www
serverfarm HTTP_2010
replicate csrp connection
persistent rebalance
inservice

The first part of above configuration is probe config. It checks the real servers health and sees whether HTTP code 200 is returned by each HTTP server. If probe to a server fails, that server will not be used.

The Serverfarm section configures two real servers (IP address is from SERVER VLAN) and uses HTTP probe for server health check. The vserver section, defines the VIP and correlates the server farm to vserver. Easy! now let’s verify:

dc1sw01#sh module csm 3 vlan

vlan   IP address       IP mask          type
---------------------------------------------------
301    10.8.8.2         255.255.255.0    CLIENT
302    10.8.108.2       255.255.255.0    SERVER
401    10.8.12.2        255.255.255.0    CLIENT
402    10.8.112.2       255.255.252.0    SERVER
997    0.0.0.0          0.0.0.0          FT

CSM Fault-tolerant configuration

CSM FT configuration is pretty straight-forward. FT is configured when you have two CSM blades located in two 6500 catalysts to work as a fail-over group. You can also create a fault-tolerant configuration with two CSMs in a single Catalyst 6500 series chassis.

First step to create a VLAN on both catalysts specifically for FT and the configure priority on each CSM (master must have higher priority):

vlan 997
name CSM_Failover
!
module ContentSwitchingModule 3
ft group 1 vlan 997
priority 110
preempt
!

Then you need to configure your VLAN-pair to include alternate CSM IP address to be seen as single entity by servers to be used as the default gateway (the alias command):

vlan 302 server
ip address 10.8.108.2 255.255.255.0 alt 10.8.108.3 255.255.255.0
alias 10.8.108.1 255.255.255.0
!
vlan 301 client
ip address 10.8.8.2 255.255.255.0 alt 10.8.8.3 255.255.255.0
gateway 10.8.8.254

Secondary Set of VLAN-pair

What if we need to have more than one CLIENT/SERVER VLAN-pair?

Usually the client side is connected to a firewall (Cisco FWSM, ASA or something else). You can have different client/server VLAN pairs while firewall serves each client VLAN as a different DMZ zone.

You can also use this approach during server migration between DMZs! or even during DMZ migration…

!
vlan 402 server
ip address 10.108.12.2 255.255.255.0 alt 10.108.12.3 255.255.255.0
alias 10.108.12.1 255.255.255.0
!
vlan 401 client
ip address 10.8.12.2 255.255.255.0 alt 10.8.12.2 255.255.255.0
gateway 10.8.12.254

real TEST_1
address 10.108.12.17
inservice
real TEST_2
address 10.108.12.18
inservice
!
serverfarm TEST_SERVERS
nat server
no nat client
real name TEST_1
inservice
real name TEST_2
inservice
probe HTTP
!
vserver TEST_HTTP
virtual 10.8.12.11 tcp www
serverfarm TEST_SERVERS
replicate csrp connection
persistent rebalance
inservice

Perhaps the secondary CLIENT VLAN requires its own default gateway. You need to consider that CSM always uses the lowest CLIENT VLAN ID to reach its configured gateway, so in case of having multiple gateways for different CLIENT VLANs you need to configure the following trick:

Dual Gateway

The first CSM VLAN pair has no problem with gateway reachability. But configuring a gateway for a secondary VLAN pair is not as easy as first one. Based on the above drawing to force CSM to use 10.8.12.254 as gateway for VLAN pair 401/402 you need to configure:

serverfarm VLAN402-out
no nat server
no nat client
real 10.8.12.254
inservice

vserver VLAN402-out
virtual 0.0.0.0 0.0.0.0 any
vlan 402
serverfarm VLAN402-out
inservice

Direct Server Access

If you need to access your servers from different VLANs without using the VIP address, this section is useful for you. You might find it impossible to connect to real servers. The following debug output demonstrate that something is wrong!

Failed LB : access-denied

For direct server access configure a separate serverfarm/vserver pair:

serverfarm ROUTE
no nat server
no nat client
predictor forward
!
vserver REAL_ACCESS
virtual 10.8.112.0 255.255.255.0 any
serverfarm ROUTE
persistent rebalance
inservice

Verification

dc1sw01#show module csm 3 reals

real        server farm    weight state       conns/hits
---------------------------------------------------------
TEST_1      TEST_SERVERS   8       OPERATIONAL 0
TEST_2      TEST_SERVERS   8       OPERATIONAL 0
10.8.12.1   VLAN402-OUT    8       OPERATIONAL 1

dc1sw01#show module csm 3 vservers

vserver        type prot virtual            vlan state        conns
--------------------------------------------------------------------
DIRECT_ACCESS SLB   any 10.8.108.0/24:0    ALL OPERATIONAL 19
TEST_HTTP      SLB   TCP 10.8.12.11/32:80   ALL OPERATIONAL 0
VLAN402-OUT    SLB   any 0.0.0.0/0:0        402 OPERATIONAL 3
REAL_ACCESS    SLB   any 10.8.112.0/24:0    ALL OPERATIONAL 1

dc1sw01#show module csm 3 serverfarm

server farm     type predictor   nat   reals redirect bind id
---------------------------------------------------------------
DIRECT_ACCESS   SLB   Forward     S     0      0        0
TEST_SERVERS    SLB   RoundRobin S     2      0        0
VLAN402-OUT     SLB   RoundRobin none 1      0        0
ROUTE           SLB   Forward     none 0      0        0

dc1sw01#show module csm 3 vlan

vlan   IP address       IP mask          type
---------------------------------------------------
208    10.8.8.2         255.255.255.0    CLIENT
318    10.8.108.2       255.255.255.0    SERVER
401    10.8.12.2        255.255.255.0    CLIENT
402    10.8.112.2       255.255.252.0    SERVER
997    0.0.0.0          0.0.0.0          FT

dc1sw01#show module csm 3 arp

Internet Address Physical Interface VLAN      Type       Status
--------------------------------------------------------------------
10.8.108.1       00-01-64-F9-1A-01   318       -ALIAS-    local
10.8.108.2       00-0F-34-2C-52-06   318       --SLB--    local
10.8.108.3       00-02-FC-E1-CE-60   318       LEARNED    up(0 misses)
10.8.112.1       00-01-64-F9-1A-01   402       -ALIAS-    local
10.8.112.2       00-0F-34-2C-52-06   402       --SLB--    local
10.8.112.3       00-02-FC-E1-CE-60   402       LEARNED    up(0 misses)
10.8.112.17      00-50-56-AD-00-96   402       REAL       up(0 misses)
10.8.112.18      00-50-56-AD-00-96   402       REAL       up(0 misses)
10.8.8.254       00-C0-EA-EA-EA-EA   208       GATEWAY    up(0 misses)
10.8.8.2         00-0F-34-2C-52-06   208       --SLB--    local
10.8.8.3         00-02-FC-E1-CE-60   208       LEARNED    up(0 misses)
10.8.12.254      00-22-90-9D-D3-0F   401       GATEWAY    up(0 misses)
10.8.12.2        00-0F-34-2C-52-06   401       --SLB--    local
10.8.12.3        00-02-FC-E1-CE-60   401       LEARNED    up(0 misses)
10.8.12.11       00-01-64-F9-1A-01   0         VSERVER    local

CSM PING

If you want to PING from a VIP address:

dc1sw01#ping module csm 3 10.8.12.254
IP address Reachable
--------------------------
10.8.12.254 Yes

dc1coresw01#ping module csm 3 gateways

IP address       Reachable
--------------------------
10.8.8.254       Yes
10.8.12.254      Yes

dc1sw01#ping module csm 3 reals

IP address       Reachable
--------------------------
10.8.108.10      Yes
10.8.108.11      Yes
10.8.112.17      Yes
10.8.112.18      Yes
10.8.12.254      Yes

Hope that helps!

MPLS Quality of Service – Part Two

2010-09-13T05:20:00.001-07:00

In the pervious post, we went through the Uniform model and its configuration. In this post we are going to see the differences between the Uniform model and the Pipe model. As mentioned earlier in the Part one of MPLS Quality of Service, the Pipe model does not change customer marking (IP TOS – DSCP). So in the following example, we will see that the provider is able to change the EXP marking but will not change the packet marking in the end. Provider also performs QoS tasks (even at the egress LSR) based on EXP and MPLS QoS marking, not based on IP header properties (Short-pipe model is different in this case).

As depicted in the above picture, egress PE is configured to send an Explicit Null to the P router. In this case the egress PE will be able to see transport label EXP field as well as VPN label EXP field.

R1(config)#mpls ldp explicit-null

R0#show mpls forwarding-table
Local Outgoing    Prefix            Bytes tag Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     3.3.3.3/32        0          Et0/0      192.168.30.3
17     0           1.1.1.1/32        137        Et0/1      192.168.10.1

In this case, on R0 (the P router) we don’t need to copy EXP from topmost label (received from R3) to the topmost transport label sent to R1, because the Explicit Null (label 0) maintains the EXP bit. This is only one example to show QoS features. In this example, we like to perform our marking on the topmost label and not rely on the second label, to demonstrate explicit-null feature. The Uniform and the Pipe models difference is not in the ingress part but in the egress, to save or not to save the customer marking on the IP packet.

Configuration

Ingress PE:
!
access-list 110 permit icmp host 5.5.5.5 host 6.6.6.6
!
class-map match-any in1
match access-group 110
class-map match-any out1
match qos-group 7
!
policy-map in1
class in1
   set mpls experimental imposition 3
   set qos-group 7
policy-map out1
class out1
   set mpls experimental topmost 7
!

R3#sh policy-map interface e0/0
Ethernet0/0

Service-policy output: out1

    Class-map: out1 (match-any)
      10 packets, 1220 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: qos-group 7
        10 packets, 1220 bytes
        5 minute rate 0 bps
      QoS Set
        mpls experimental topmost 7
          Packets marked 10

    Class-map: class-default (match-any)
      28 packets, 11442 bytes
      5 minute offered rate 3000 bps, drop rate 0 bps
      Match: any

P:
no configuration!

Egress PE:
!
class-map match-all in1
match mpls experimental topmost 7
class-map match-all out1
match qos-group 7
!
!
policy-map in1
class in1
   set qos-group 7
policy-map out1
class out1
   priority 256
class class-default
   shape average 500000
!

R1#sh policy-map interface e0/1
Ethernet0/1

Service-policy output: out1

    Class-map: out1 (match-all)
      10 packets, 1140 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: qos-group 7
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 256 (kbps) Burst 6400 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      20 packets, 2080 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Traffic Shaping

Why there is no configuration on P LSR? Because IOS by default maintains your EXP and as long as PE LSR requesting Explicit Null, the topmost label is kept and contains EXP value of incoming labeled packet. (there’s no label disposition on the P LSR – R0)

MPLS Quality of Service

2010-09-12T11:39:00.001-07:00

The Quality of Service (QoS) has become more popular than past few years, because of high-bandwidth and delay sensitive applications. QoS is prioritizing more important data over less important traffic. There are two ways to implement QoS in an IP network: IntServ and DiffServ. Internet is operating based on best-effort model.

As the DiffServ model does not require a signaling protocol such as RSVP, it’s more popular or better to say the only applicable model in today's networks. (Although we use RSVP in MPLS TE for path signaling and reservation).

IETF in RFC 3270 has recommended three QoS models for DiffServ tunneled traffic in MPLS networks:

Pipe model
Short Pipe model
Uniform model

The Pipe and Short Pipe models are almost the same: They do not change IP ToS of customers data at all. They might change the EXP field in the path (EXP of MPLS Label) but the IP header QoS field remains unchanged. The Pipe model performs forwarding/discarding/scheduling based on EXP at the egress LSR while the Short Pipe model does that based on IP ToS. Because in the Short pipe model there might be no label at all. (remember PHP operation – Penultimate-Hop Popping)

In the Uniform model, there’s no guarantee that ToS of customers packet remains intact, but the EXP and IP ToS fields of a data packet will always show the same thing. It means if the provider changes the EXP header, that will be copied later to the IP ToS field at the egress point.

IOS Default Behavior: In short IOS does not change your QoS in the path if you don’t change it.
        Imposition - Copy TOS bits to EXP (TOS Reflection) when adding one or more labels by ingress LSR.
        Swap - Copy EXP from old label to new label.
        Disposition - Do NOT Copy EXP from label to IP.

Configuration

Label to Label (on PHP) sets EXP 5 (if top is 5) after disposing the top label:

     class-map match-all in1
      match mpls experimental topmost 5
     class-map match-all out1
      match qos-group 5
    !
     policy-map in1
      class in1
       set qos-group mpls experimental topmost
     policy-map out1
      class out1
       set mpls experimental topmost 5
    !
    interface Ethernet0/0
     service-policy input in1
    !
    interface Ethernet0/1
     service-policy output out1
    !

Label to IP (on PE) sets precedence 5 (if top is 5) after popping the label:

         class-map match-all in1
          match mpls experimental topmost 5
         class-map match-all out1
          match qos-group 5
        !
         policy-map in1
          class in1
           set qos-group mpls experimental topmost
         policy-map out1
          class out1
           set ip precedence 5
        !
        interface Ethernet0/0
         service-policy input in1
        !
        interface Ethernet0/1
         service-policy output out1

Scenario

In this sceniaro based on the service provider’s policy, the EXP value is changed in the path and is copied to inner label by P router. At the egress LSR, the EXP value is copied to the DSCP. (Uniform model)

Ingress PE:
!
policy-map out1
class class-default
set mpls experimental topmost 7
policy-map in1
class class-default
set mpls experimental imposition 3
!

!
class-map match-any in1
match mpls experimental topmost 0 1 2 3 4 5 6 7
class-map match-any out1
match qos-group 0
match qos-group 1
match qos-group 2
match qos-group 3
match qos-group 4
match qos-group 5
match qos-group 6
match qos-group 7
!
policy-map in1
class in1
set qos-group mpls experimental topmost
policy-map out1
class out1
set mpls experimental topmost qos-group
!

Egress PE:

BGP Multipath – Part Three

2010-09-07T10:06:00.001-07:00

After publishing part 1 and part 2 of my BGP Multipath Trilogy! One of our good readers sent a very intelligent question here:

cc said:

Very nice article Shafagh,
Any difference in any of these examples if R0 were both a P and a Route Reflector?
http://www.shafagh.net/2010/09/bgp-multipath-part-two.html?showComment=1283780646233#c5196111639519265964

There’s a known limitation:

Route Reflector Limitation

When multiple iBGP paths installed in a routing table, a route reflector will advertise only one paths (next hop). If a router is behind a route reflector, all routers that are connected to multihomed sites will not be advertised unless a different route distinguisher is configured for each VRF.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/ft11bmpl.html#wp1027175

But like everything else in the computer world, there’s always a workaround, I found a way to make each path a “unique path” (playing with 64 bit prefix - RD) to send prefixes to ingress PE and let PE import different RDs inside the routing table. Here we go:

So in this example, R0 and R1 are using different RD for the same CE (multihomed CE – One or two routers at customer site) This makes two different vpnv4 prefixes pointing to the same ipv4 subnet.

The workaround is to advertise both or several parallel paths from different PEs with different RDs so that RRs advertise all paths. The RR will advertise all parallel paths with different RDs (as they are not same) and ingress PE can run BGP multipath and use all parallel paths.

The route reflector will not filter anything. It sends the best path to the R3. As long as these two prefixes are different they are both best path for their corresponding RDs:

R2#sh ip bgp vpn all
BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1
*>i69.69.69.69/32   1.1.1.1                  0    100      0 ?
Route Distinguisher: 1:2
*>i69.69.69.69/32   10.10.10.10              0    100      0 ?

R3 needs this command:

R3(config-router)#address-family ipv4 vrf C1
R3(config-router-af)#maximum-paths ibgp 2 import 1
R3(config-router-af)#^Z
R3#sh ip route vrf C1

Routing Table: C1
Gateway of last resort is not set

     69.0.0.0/32 is subnetted, 2 subnets
B       69.69.69.69 [200/0] via 10.10.10.10, 00:01:30
                    [200/0] via 1.1.1.1, 00:01:22

BGP Multipath – Part Two

2010-09-05T09:18:00.001-07:00

In the previous post, we reviewed basics of iBGP and eBGP multipath. In this post we get introduced with import feature of MP-BGP multipath. When there’s a difference in VRF’s RD, we have to use import keyword to import parallel paths from one VRF into another.

For example, we have the same diagram as BGP Multipath Part One, the only difference is the RD number that is used by R1. The Customer VRF RD at R2,3 and 4 is 1:1, while on the other side RD is 1:2.

When the RD is different, we need additional “import” keyword to tell the router how many parallel routes import from one VRF into another. If RD number is same on both side (both PE devices) previous post and example is enough for you.

Let’s check the configuration without any “maximum-path” command, to see the BGP natural behavior when there are parallel paths. (We know that BGP only selects one)

R1(config-router-af)#do sh ip bgp vpnv4 all
BGP table version is 281, local router ID is 1.1.1.1
Status codes: * valid, > best, i - internal,
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1
* i5.5.5.5/32       4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i55.55.55.0/24    4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.25.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.35.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.45.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
Route Distinguisher: 1:2 (default for vrf C1)
   Network          Next Hop            Metric LocPrf Weight Path
* i5.5.5.5/32       3.3.3.3                 10    100      0 1 ?
*> 6.6.6.6/32       192.168.16.6             0             0 2 ?
*>i55.55.55.0/24    2.2.2.2                 10    100      0 1 ?
r> 192.168.16.0     192.168.16.6             0             0 2 ?
*>i192.168.25.0     2.2.2.2                 10    100      0 1 ?
*>i192.168.35.0     2.2.2.2                 10    100      0 1 ?
*>i192.168.45.0     2.2.2.2                 10    100      0 1 ?

R1(config-router-af)#do sh ip route vrf C1

Routing Table: C1

B    192.168.45.0/24 [200/10] via 2.2.2.2, 00:00:17
B    192.168.25.0/24 [200/10] via 2.2.2.2, 00:00:17
     55.0.0.0/24 is subnetted, 1 subnets
B       55.55.55.0 [200/10] via 2.2.2.2, 00:00:17
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [200/10] via 2.2.2.2, 00:00:17
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 192.168.16.6, 07:53:26
B    192.168.35.0/24 [200/10] via 2.2.2.2, 00:00:17
C    192.168.16.0/24 is directly connected, Ethernet0/1

As you can see, there’s only one path (per prefix) at customer VRF. So let’s add “maximum-path ibgp” command for Customer VRF:

R1(config-router)#address-family ipv4 vrf C1
R1(config-router-af)#maximum-paths ibgp 3
R1(config-router-af)#
R1(config-router-af)#do sh ip bgp vpnv4 all
BGP table version is 288, local router ID is 1.1.1.1

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1
* i5.5.5.5/32       4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i55.55.55.0/24    4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.25.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.35.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.45.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
Route Distinguisher: 1:2 (default for vrf C1)
   Network          Next Hop            Metric LocPrf Weight Path
*>i5.5.5.5/32       2.2.2.2                 10    100      0 1 ?
*> 6.6.6.6/32       192.168.16.6             0             0 2 ?
*>i55.55.55.0/24    2.2.2.2                 10    100      0 1 ?
r> 192.168.16.0     192.168.16.6             0             0 2 ?
*>i192.168.25.0     2.2.2.2                 10    100      0 1 ?
*>i192.168.35.0     2.2.2.2                 10    100      0 1 ?
*>i192.168.45.0     2.2.2.2                 10    100      0 1 ?

So the “maximum-path ibgp” only indicates how many routes from RIB (VRF’s BGP table) can be imported to the routing table. The problem is that the RIB - RD table for 1:2 (VRF C1) has only path, so maximum-path ibgp has no parallel path to import into the routing table.

The import keyword allows you to configure the VRF table to accept multiple redundant paths in addition to the best path. By default, a VRF will import only one path (best path) per prefix from the source VRF table. If the best path goes down, the destination will not be reachable until the next import event occurs, and then a new best path will be imported into the VRF table. The import event runs every 15 seconds by default.

Note: Configuring redundant paths with the import keyword can increase CPU and memory utilization significantly, especially in a network where there are many prefixes to learn and a large number of configured VRFs. It is recommended that this feature is only configured as necessary and that the minimum number of redundant paths are configured (Typically, not more than two).

maximum-paths ibgp 3 import 3

R1(config-router-af)#maximum-paths ibgp 3 import 3
R1(config-router-af)#do sh ip bgp vpnv4 rd 1:2

BGP table version is 269, local router ID is 1.1.1.1
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:2 (default for vrf C1)
* i5.5.5.5/32       3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
*> 6.6.6.6/32       192.168.16.6             0             0 2 ?
* i55.55.55.0/24    3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
r> 192.168.16.0     192.168.16.6             0             0 2 ?
* i192.168.25.0     3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.35.0     3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.45.0     3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?

R1(config-router-af)#do sh ip route vrf C1

Routing Table: C1

B    192.168.45.0/24 [200/10] via 4.4.4.4, 00:04:05
                     [200/10] via 3.3.3.3, 00:00:35
                     [200/10] via 2.2.2.2, 00:04:05
B    192.168.25.0/24 [200/10] via 4.4.4.4, 00:04:05
                     [200/10] via 3.3.3.3, 00:00:35
                     [200/10] via 2.2.2.2, 00:04:05
     55.0.0.0/24 is subnetted, 1 subnets
B       55.55.55.0 [200/10] via 4.4.4.4, 00:04:05
                   [200/10] via 3.3.3.3, 00:00:35
                   [200/10] via 2.2.2.2, 00:04:05
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [200/10] via 4.4.4.4, 00:04:06
                [200/10] via 3.3.3.3, 00:00:36
                [200/10] via 2.2.2.2, 00:04:06
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 192.168.16.6, 07:49:57
B    192.168.35.0/24 [200/10] via 4.4.4.4, 00:04:06
                     [200/10] via 3.3.3.3, 00:00:36
                     [200/10] via 2.2.2.2, 00:04:06
C    192.168.16.0/24 is directly connected, Ethernet0/1

Now, let’s play with the variables and see the different results:

maximum-paths ibgp 2 import 3

R1(config-router-af)#maximum-paths ibgp 2 import 3
R1(config-router-af)#do sh ip bgp vpnv4 rd 1:1

BGP table version is 222, local router ID is 1.1.1.1

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1
* i5.5.5.5/32       3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i55.55.55.0/24    3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.25.0     3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.35.0     3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.45.0     3.3.3.3                 10    100      0 1 ?
* i                 4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?

R1(config-router-af)#do sh ip bgp vpnv4 rd 1:2
BGP table version is 222, local router ID is 1.1.1.1

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:2 (default for vrf C1)
* i5.5.5.5/32       4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
*> 6.6.6.6/32       192.168.16.6             0             0 2 ?
* i55.55.55.0/24    4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
r> 192.168.16.0     192.168.16.6             0             0 2 ?
* i192.168.25.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.35.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.45.0     4.4.4.4                 10    100      0 1 ?
* i                 3.3.3.3                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?

R1(config-router-af)#do sh ip route vrf C1

Routing Table: C1

B    192.168.45.0/24 [200/10] via 4.4.4.4, 00:01:09
                     [200/10] via 2.2.2.2, 00:01:09
B    192.168.25.0/24 [200/10] via 4.4.4.4, 00:01:10
                     [200/10] via 2.2.2.2, 00:01:10
     55.0.0.0/24 is subnetted, 1 subnets
B       55.55.55.0 [200/10] via 4.4.4.4, 00:01:10
                   [200/10] via 2.2.2.2, 00:01:10
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [200/10] via 4.4.4.4, 00:01:10
                [200/10] via 2.2.2.2, 00:01:10
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 192.168.16.6, 07:41:14
B    192.168.35.0/24 [200/10] via 4.4.4.4, 00:01:27
                     [200/10] via 2.2.2.2, 00:01:27
C    192.168.16.0/24 is directly connected, Ethernet0/1

maximum-paths ibgp 3 import 2

R1(config-router-af)#maximum-paths ibgp 3 import 2
R1(config-router-af)#do sh ip bgp vpnv4 rd 1:1
BGP table version is 264, local router ID is 1.1.1.1

R1(config-router-af)#do sh ip bgp vpnv4 rd 1:2

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:2 (default for vrf C1)
* i5.5.5.5/32       4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
*> 6.6.6.6/32       192.168.16.6             0             0 2 ?
* i55.55.55.0/24    4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
r> 192.168.16.0     192.168.16.6             0             0 2 ?
* i192.168.25.0     4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.35.0     4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?
* i192.168.45.0     4.4.4.4                 10    100      0 1 ?
*>i                 2.2.2.2                 10    100      0 1 ?

R1(config-router-af)#do sh ip route vrf C1

Routing Table: C1

B    192.168.45.0/24 [200/10] via 4.4.4.4, 00:00:22
                     [200/10] via 2.2.2.2, 00:00:22
B    192.168.25.0/24 [200/10] via 4.4.4.4, 00:00:22
                     [200/10] via 2.2.2.2, 00:00:22
     55.0.0.0/24 is subnetted, 1 subnets
B       55.55.55.0 [200/10] via 4.4.4.4, 00:00:22
                   [200/10] via 2.2.2.2, 00:00:22
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [200/10] via 4.4.4.4, 00:00:22
                [200/10] via 2.2.2.2, 00:00:22
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 192.168.16.6, 07:46:21
B    192.168.35.0/24 [200/10] via 4.4.4.4, 00:00:31
                     [200/10] via 2.2.2.2, 00:00:31
C    192.168.16.0/24 is directly connected, Ethernet0/1

Final R1 Configuration

!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf C1
neighbor 192.168.16.6 remote-as 2
neighbor 192.168.16.6 activate
maximum-paths ibgp 3 import 3
no auto-summary
no synchronization
exit-address-family
!

BGP Multipath

2010-09-04T15:14:00.001-07:00

AS you may know, BGP selects only one best path for each prefix it receives then installs in the IP routing table. So whenever we need load-balancing across different paths, we have to enable BGP multipath, by the “maximum-paths” command.

We can select iBGP and eBGP paths altogether as the best, that is called eiBGP multipath. It means, for example, CE1 is multihomed to PE1 and PE2 via BGP. PE1 has a best path to CE1, PE1 can still use PE2 to CE1 as a parallel pathto reach CE1, so one path is eBGP (to CE1) and another path is iBGP (to PE1 to CE1) this is called eiBGP multipath.

There’s a criteria and several conditions that BGP checks before selecting additional paths in parallel with the best one. The following attributes of parallel paths have to match with the best path:

Weight
Local Pref
Origin
AS-Path Length
MED
Neighbor AS or Sub-AS match for (eBGP multipath)
AS-PATH match (for eiBGP multipath)
IGP metric to BGP next hop

So let’s bring an example:

R5 & R6 = CE

R2, R3, R4 and R1 = PE

There’s iBGP between R2,R3,R4 and R1 (MP-iBGP)

There’s eBGP between R5 and PE R2,R3 & R4 and between R1 and R6

R5 Initial configuration

router bgp 1
redistribute connected metric 10
neighbor 192.168.25.2 remote-as 100
neighbor 192.168.35.3 remote-as 100
neighbor 192.168.45.4 remote-as 100
no auto-summary

R5# sh ip bgp
BGP table version is 8, local router ID is 55.55.55.55
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network       Next Hop     Metric LocPrf Weight Path
*> 5.5.5.5/32    0.0.0.0          10        32768 ?
*> 6.6.6.6/32    192.168.25.2                   0 100 2 ?
*                192.168.45.4                   0 100 2 ?
*                192.168.35.3                   0 100 2 ?

R5# sh ip route
Codes: C - connected, S - static, B – BGP
Gateway of last resort is not set

C    192.168.45.0/24 is directly connected, Ethernet0/2
C    192.168.25.0/24 is directly connected, Ethernet0/0
C    192.168.35.0/24 is directly connected, Ethernet0/1
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 192.168.25.2, 00:00:13

As you can see, R5 has chosen R2, for 6.6.6.6 signed by “>” character.

eBGP Multipath

To activate the parallel paths, we need to enable eBGP multipath for R5:

R5(config)#router bgp 1
R5(config-router)#maximum-paths 4

R5# sh ip route
Codes: C - connected, S - static, B – BGP
Gateway of last resort is not set

C    192.168.45.0/24 is directly connected, Ethernet0/2
C    192.168.25.0/24 is directly connected, Ethernet0/0
     55.0.0.0/24 is subnetted, 1 subnets
C       55.55.55.0 is directly connected, Loopback1
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 192.168.45.4, 00:00:21
                [20/0] via 192.168.35.3, 00:00:21
                [20/0] via 192.168.25.2, 00:04:54

Note: The best path won’t change, but parallel paths will be added to routing table.

Now, all three paths through R2, R3 and R4 are available for R5 to reach R6.

Are we done now? Nope! eBGP part is done, but R2, R3 and R4 have iBGP with R1, and R1 is only accepting one path back to R5.

R1# sh ip route vrf C1

Routing Table: C1
Codes: C - connected, S - static, B - BGP
Gateway of last resort is not set

B    192.168.45.0/24 [200/10] via 2.2.2.2, 00:00:14
B    192.168.25.0/24 [200/10] via 2.2.2.2, 00:00:14
B    192.168.35.0/24 [200/10] via 2.2.2.2, 00:00:14
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [200/10] via 2.2.2.2, 00:00:14
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 192.168.16.6, 00:49:14

R1# sh ip bgp vpnv4 all
BGP table version is 114, local router ID is 1.1.1.1
Status codes: * valid, > best, i – internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop       Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf C1)
*>i5.5.5.5/32       2.2.2.2            10    100     0 1 ?
* i                 4.4.4.4            10    100     0 1 ?
* i                 3.3.3.3            10    100     0 1 ?
*> 6.6.6.6/32       192.168.16.6        0            0 2 ?
*>i192.168.25.0     2.2.2.2            10    100     0 1 ?
* i                 4.4.4.4            10    100     0 1 ?
* i                 3.3.3.3            10    100     0 1 ?
*>i192.168.35.0     2.2.2.2            10    100     0 1 ?
* i                 4.4.4.4            10    100     0 1 ?
* i                 3.3.3.3            10    100     0 1 ?
*>i192.168.45.0     2.2.2.2            10    100     0 1 ?
* i                 4.4.4.4            10    100     0 1 ?
* i                 3.3.3.3            10    100     0 1 ?

iBGP Multipath

R1 has to add parallel iBGP paths from R2, R3 & R4 into vrf ip routing table:

R1(config)#router bgp 100
R1(config-router)#address-family ipv4 vrf C1
R1(config-router-af)#maximum-paths ibgp 4

R1# sh ip route vrf C1

Routing Table: C1
Codes: C - connected, S - static, B - BGP
Gateway of last resort is not set

B    192.168.45.0/24 [200/10] via 4.4.4.4, 00:00:07
                     [200/10] via 3.3.3.3, 00:00:07
                     [200/10] via 2.2.2.2, 00:06:26
B    192.168.25.0/24 [200/10] via 4.4.4.4, 00:00:07
                     [200/10] via 3.3.3.3, 00:00:07
                     [200/10] via 2.2.2.2, 00:06:26
B    192.168.35.0/24 [200/10] via 4.4.4.4, 00:00:12
                     [200/10] via 3.3.3.3, 00:00:12
                     [200/10] via 2.2.2.2, 00:06:30
     5.0.0.0/32 is subnetted, 1 subnets
B       5.5.5.5 [200/10] via 4.4.4.4, 00:00:12
                [200/10] via 3.3.3.3, 00:00:12
                [200/10] via 2.2.2.2, 00:06:30
     6.0.0.0/32 is subnetted, 1 subnets
B       6.6.6.6 [20/0] via 192.168.16.6, 00:55:29

Now all three eBGP links PE-CE side (R5 to R2,3,4) are recognized by R1. But there’s a problem with return traffic! Three inside links between PE LSRs and P (R0) are not being used, let’s check the trace route from CE router R6 to R5":

R6#traceroute
Target IP address: 5.5.5.5
Source address: 6.6.6.6

Type escape sequence to abort.
Tracing the route to 5.5.5.5

1 192.168.16.1
2 192.168.10.10 [MPLS: Labels 17/23 Exp 0]
3 192.168.35.3 [AS 1] [MPLS: Label 23 Exp 0]
4 192.168.35.5 [AS 1]

All the traffic destined to 5.5.5.5 is passing through R3. Traffic path is R6->R1->R0->R3->R5

When I debugged MPLS tags on R0, I discovered that R1 is always sending traffic with label 17.

*00:38:04.903: MPLS: Et0/1: recvd: CoS=0, TTL=254, Label(s)=17/23
*00:38:04.903: MPLS: Et0/0: xmit: CoS=0, TTL=253, Label(s)=23

Label 17 refers to R3, thats why traffic is always passing that specific path, because R1 is labeling MPLS VPN tag inside a BGP next_hop label of R3 as top of the stack label:

R1#sh ip bgp vpnv4 all labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1 (C1)
   5.5.5.5/32       4.4.4.4         nolabel/23
                    3.3.3.3         nolabel/23
                    2.2.2.2         nolabel/23
   6.6.6.6/32       192.168.16.6    25/nolabel
   192.168.25.0     4.4.4.4         nolabel/25
                    3.3.3.3         nolabel/25
                    2.2.2.2         nolabel/25
   192.168.35.0     4.4.4.4         nolabel/26
                    3.3.3.3         nolabel/26
                    2.2.2.2         nolabel/26
   192.168.45.0     4.4.4.4         nolabel/27
                    3.3.3.3         nolabel/27
                    2.2.2.2         nolabel/27

R1#sh mpls forwarding-table

Local Outgoing    Prefix            Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      interface
16     Pop tag     192.168.30.0/24   Et0/0      192.168.10.10
17     Pop tag     192.168.40.0/24   Et0/0      192.168.10.10
18     Pop tag     192.168.20.0/24   Et0/0      192.168.10.10
19     Pop tag     10.10.10.10/32    Et0/0      192.168.10.10
20     18          4.4.4.4/32        Et0/0      192.168.10.10
21     16          2.2.2.2/32        Et0/0      192.168.10.10
22     17          3.3.3.3/32        Et0/0      192.168.10.10
25     Untagged    6.6.6.6/32[V]     Et0/1      192.168.16.6
26     Aggregate   192.168.16.0/24[V]

CEF and Load-Sharing

R1 to reach R2,3 and 4 has only one interface which is connected to the P-LSR – R0.

CEF by default compute the hash (per destination) and send the packet to the next hop, so for the same traffic from R6 to R5 the result of destination hash is always the same. To utilize all three P to PE links and labels, we need to change the default CEF behaviour to “per packet load-sharing”

R1(config)#int e0/0
R1(config-if)#ip load-sharing per-packet

With the above command, R1 uses different labels per packet (for forwarding). Now, Let’s check our trace route on R6:

R6#trace 5.5.5.5

Type escape sequence to abort.
Tracing the route to 5.5.5.5

1 192.168.16.1
2 192.168.10.10 [MPLS: Labels 18/23 Exp 0]
3 192.168.45.4 [AS 1] [MPLS: Label 23 Exp 0]
    192.168.35.3 [AS 1] [MPLS: Label 23 Exp 0]
    192.168.25.2 [AS 1] [MPLS: Label 23 Exp 0]
4 192.168.45.5 [AS 1]
    192.168.35.5 [AS 1]
    192.168.25.5 [AS 1]

Per-packet load sharing is not a recommended practice. Also note that when we have different source and destinations the shape and percentage of traffic share among the links gets better and better. As Cisco says: For per-packet load balancing the forwarding process determines the outgoing interface for each packet by looking up the route table and picking the least used interface. This ensures equal utilization of the links, but is a processor intensive task and impacts the overall forwarding performance. This form of per-packet load balancing is not well suited for higher speed interfaces.

R1 Final Configuration

ip vrf C1
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip cef
mpls label protocol ldp
mpls ldp logging neighbor-changes
tag-switching tdp discovery hello interval 20
tag-switching tdp discovery hello holdtime 60
tag-switching tdp router-id Loopback0 force
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis
!
interface Ethernet0/0
ip address 192.168.10.1 255.255.255.0
ip router isis
ip load-sharing per-packet
tag-switching ip
!
interface Ethernet0/1
ip vrf forwarding C1
ip address 192.168.16.1 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
router isis
net 01.abcd.abcd.0001.00
is-type level-2-only
!
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf C1
neighbor 192.168.16.6 remote-as 2
neighbor 192.168.16.6 activate
maximum-paths ibgp 4
no auto-summary
no synchronization
exit-address-family
!

Xirrus

2010-07-19T14:35:00.001-07:00

Perhaps you’ve heard about the Xirrus wireless vendor and its XN16 product: 16 Integrated Access Points in a single device which provides 4.8 Gbps total Wi-Fi bandwidth for up to thousand wireless clients. One array has 16 built-in AP with 48 integrated antennas, giving you 2 GigE ports as uplink to connect to your infrastructure.

What you might not be able to find easily, is how to configure them!!

I searched a lot to find what’s the console baud rate and found this:

Q: What is Xirrus console speed?

A: Use the following setting when establishing a serial connection:

Bits per second 115200

Databits 8

Parity None

Stopbits 1

Flow control None

Q: What is Xirrus default IP address?

A: If a DHCP server is not being used, you may connect using the Array’s default IP
addresses (10.0.2.1).

Q: What is Xirrus default username/password?

A: admin/admin

Sample Configuration?

administrator
reset
edit admin password admin read_write
exit
!
interface eth0
ip dhcp
up
exit
!
interface gig1
ip addr      192.168.0.10
ip mask      255.255.255.0
ip gateway
up
exit
!
interface gig2
up
exit
!
date-time
timezone      0 0
exit
!
ssid
reset
!
edit "xirrus"
    band        both broadcast
    vlan        none
    qos         2
    encryption none global_settings
    auth        open
    enable
exit
exit
!

Further Reference:

To configure XS4
www.xirrus.com/pdfs/array_quick_install_guide_XS4.pdf

To configure XS8 or XS16
www.xirrus.com/pdfs/array_quick_install_guide_XS8-16.pdf

To configure Xirrus Management System (Linux) – XMS
www.xirrus.com/pdfs/XMS_QuickStart_4.0-002B.pdf

ASA Second Internet

2010-04-26T06:19:00.001-07:00

As you may or may not know, ASA does not support having two different default gateways through different interfaces, so you can not have two different internet links. As Internet is expensive in Dubai, our customer wants to use two internet ADSL links, One for browsing/emails and another link for VPN tunnels. VPN tunnels are IPsec - site to site tunnels, so we know where is the end-point. There’s a feature in ASA called tunneled route:

“Users will have the option to configure two default gateways, one with a "tunneled" option and one without. All traffic that arrives at the appliance and cannot be routed using learned routes or static routes will be routed through default gateways. If the traffic was encrypted when it initially arrived at the appliance, it will be routed through Default Tunnel Gateway (DTGW); otherwise, it will be routed through Default Gateway (DGW). A set of default gateways can be installed for each virtual context”
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd805f0bd6.html

But we have to keep in mind that it is not related to our issue, it’s for ingress traffic from tunnel terminating on our ASA… so this feature won’t work for us.

… Not a big deal… we don’t need to configure second default gateway, as we can use static route pointing to that specific site through second outside interface… something like:

route outside2 x.x.x.x 255.255.255.255 217.x.x.x (providers IP)

After setting up a route to destination through the second link, we have to set our IPsec and ISAKMP packes to use the proper source address from second link using crypto identifiers, then check “show crypto isakmp/ipsec sa” to see if traffic is sourced/originated from second internet link’s IP address…

But there’s a small problem, I saw traffic is coming through tunnel endpoint and they are able to send and recieve packets using encrypt/decrypt counter of “show crypto ipsec sa” but we were not able to ping or create a connection to the other side.

Using “debug icmp trace” I figured out that ASA is sending traffic to outside interface (default gateway) instead of outside2, another static route was required for tunneled traffic.

route outside2 10.x.x.x 255.0.0.0 217.x.x.x (providers IP)

Extreme Networks Switches

2010-04-04T10:13:00.001-07:00

Next month we are going to implement a campus area network for an American school using extreme switches, I attended 5 days extreme seminar to learn their command line interface and network management software. Here are some notes for those who like to know more about extreme switches portfolio:

Hardware

BlackDiamond: Chassis-based high-port density switches for Carrier-Ethernet service providers and enterprise core
Summit: Standalone switches from L2 100Mbps to L3 10Gig top-of-rack datacenter switches.
ReachNXT: Port Extender - Manageable by an access switch via XOS
SummitWM: Wireless controllers
Altitude: Wireless Access Points
Sentriant NG: Intrusion Protection System (IPS)
Sentriant AG: Network Access Controller (NAC)

Software

ExtremeWare is VxWorks based = first generation of Extreme networks operating system
ExtremeXOS = 2nd Generation OS based on Linux kernel and BusyBox
EPICenter = Network Management Tool

Configuration

Switch CLI prompt is driven from SNMP host name value

Space bar to go to BootROM: for return to factory default configuration: config none

Extreme FDB = Forwarding Database for MAC addresses - 300 Sec Aging timer per MAC

IP FDB (L3) for IP forwarding
    show iparp
    show fdb
    create fdbentry
    delete fdbentry
    disable learning
    enable learning

# configure ports 1 vlan accounting unlimited-learnings
# configure ports 1 vlan accounting learning-limit 3 (use aging timer also) (only for dynamic entries)

Lock-learning (sticky mac)
# configure ports 1 vlan VLAN1 lock-learning
# configure ports 1 vlan VLAN1 unlock-learning
show vlan default security

ELSM (Extreme Link Status monitoring)
gets link status from other-end
   enable elsm ports
    disable elsm ports
    configure elsm ports
    clear elsm ports

VLANs

Port-based
802.1Q Tagged VLAN
Protocol-based VLAN
        create vlan vlan_name
        delete vlan vlan_name
        configure vlan vlan_name add ports
        configure vlan vlan_name delete ports
        disable vlan vlan_name
        enable vlan vlan_name
        configure vlan vlan_name tag <tag_value>
        configure vlan default delete port 7
        configure vlan ENGINEERING add port 7 untagged
        configure vlan ENGINEERING add ports 2,3 tagged
        show vlan ENGINEERING
        BPDU –> vlan0

Port Sharing (Aggregation) LAG
enable sharing 1 grouping 1-4 algorithm address-based lacp
show port sharing

Port Settings

   enable lldp port all
   show ports configuration no-refresh
   enable jumbo-frame ports all
   show vlan VLAN1 security

spanning-tree is disabled by default
EMI-STP Encapsulation - Extreme Multi Instance Spanning Tree - VST+ additional header

EAPS - Ethernet Automatic Protection Switching (Ring)

Ring Topology
L2 Protocol - Multicast MAC
EAPS version 2 (advanced feature - EAPS shared port for preventing superloop)
50 ms failover
Device Roles: Master node, Transit nodes
Primary/secondary port on each switch
Master blocks its secondary port
Control VLAN and Protected VLAN (one Control VLAN per EAPS domain)
EAPS flush FDB when there's a topology change

        create vlan control_vlan_name
   configure vlan control_vlan_name tag vlan_tag
   configure vlan control_vlan_name add port <primary.secondary> tagged
        create eaps <name>
        configure eaps <name> mode master|transit
        configure eaps <name> primary port <port number>
        configure eaps <name> secondary port <port number>
        configure eaps <name> add control vlan control_vlan_name
        configure eaps <name> add protect vlan <name>
        enable eaps
        enable eaps <name>
        configure eaps fast-convergence [off|on] -> additional 250ms
        configure eaps name failtime expiry-action open secondary-port > by default sends alert!

EAPS with a Shared Port

Configure partner
Configure controller port
link-id must be same on both switches

SummitStack

Should have same image:
download image <ip> <file> slot <slot-number>
40Gbps full duplex capacity per switch
MAX: 8 devices
        enable stacking
        show stacking
        show stacking configuration
        configure stacking easy-setup

IP Routing

By default is disabled
    enable ipforwarding
    configure iproute add x.x.x.x/x y.y.y.y
    show ipconfig
In new vlan ip forwarding might be disabled make sure to check.
show iproute
show ipstats
icmp is enabled by default

OSPF

    enable ipforwarding
    configure ospf routerid 1.1.1.1
    enable loopback vlanname (if you want to have loopback)
    configure ospf address VLAN1 area 0.0.0.0
    configure ospf address VLAN2 area 0.0.0.0
    enable ospf
    show ospf
    show ospf area 0.0.0.0
    show ospf neighbors
    show ospf lsdb

Redistribution is disabled and is configurable by policy files.
Core license required for OSPF DR/BDR function.
on edge / advanced edge license: we can not have DRs so priority:0

ESRP

Extreme Standby Routing Protocol - ESRP is extreme protocol for redundancy something like VRRP

QOS

No much QOS support
Traffic shaping is called metering
8 queue per interface
Queue 1 and 8 are used by default (2q)

Catalyst to ProCurve

2009-11-27T02:12:00.001-08:00

Two months ago, as I blogged about it I passed HP ProCurve AIS exam and shared a summary of my preparation notes, Last week I passed Master ASE – HP ProCurve Campus LANs [2010] online exam (HP2-Z04) and became HP Master ASE – MASE, so I thought to share parts of my study notes as some customers are buying ProCurve instead of Cisco Catalyst (Budget reasons) it’s good to know equivalent terminologies and commands. Do I recommend HP ProCurve over Cisco Catalyst? No.

Cisco vs. HP terminology

Trunk Port = Tagged Port
Port Channel Interface = Trunk Port
Access port = Untagged Port
Auxiliary VLAN (voice) = tagged/untagged
Access port with Auxiliary = tagged (voice) + untagged (data)
              vlan11
            untagged a1
        vlan12
            voice
            tagged a1
Interface Gigabitethernet0/1 = interface 1
Modular switches = interface a1 "Module name: a,b,c... from top left"
HP does not send CDP (can receive) - HP speaks LLDP - IEEE802.1AB
BPDU Guard = BPDU protection
Keepalive = Loop protection
SPAN = traffic mirroring

HP ProCurve software license

Edge License Features:

IPv4 RIP + Static Routes
IGMP
ACLs
QoS
Bandwidth Control
Edge Security
Basic IPv6

Premium Features:

OSPF + ECMP
PIM
IPv6 RIP + OSPFv3
VRRP
QinQ VLANs

WLAN Evolution

1st Gen: Standalone Access Points
2nd Gen: Centralized WLAN Management with Thin APs
3rd Gen: Multiservice Controller
4th Gen: Unified WLAN Architecture (Controller Blades) Mobility Controller
- Multi-Service Mobility Solution (MSM7xx)
  - Mobility License: Guest Roaming
- Mobility Manager Software (on top of ProCurve Manager - PCM)
  - Software updates
  - WLAN Security settings
  - Radio settings
  - Rogue detection
  - Monitoring and Troubleshooting
- ProCurve Guest Management Software
  - Authentication
  - Temporary Credentials + expiration + Printable Vouchers
- RF Manager
  - IDS/IPS
- RF Planner
  - Windows based WLAN planning software

PoE Devices

PD - Powered Device
PSE - Power Sourcing Equipment
- IEEE802.3af
- IEEE802.3at (PoE+) up to 24W
- Keep higher priority ports on lower port numbers
- We can use power shelf (zl switch) or RPS for additional power

LLDP vs. LLDP-MED

LLDP
- Network Management + Inventory data + IP/speed/duplex
LLDP-MED
- Voice VLAN, QoS, Location services, advanced PoE. detailed inventory management:
  - Class I IP communications controller
  - Class II IP phones, end user IP communication
  - Class III media streams, conference bridges

Quality of Service

Queues per port: 8
Rate limits: ingress & egress
GMB (guaranteed minimum bandwidth): egress only
Classification
- CoS
- DSCP/IPP
- VLAN
- Interface
- L2 Protocol
- IP Address/port
Marking
- 802.1p
- DSCP

Configurations

CLI
Menu Interface
GUI (HTTP/HTTPS)
PCM/PCM+
User Level:
- Operator Level
- Manager Level
  #password operator user-name operator plaintext password
  #password manager user-name manager plaintext password
  #include-credentials > to include security hashed texts in configuration views (Passwords/SSH key/RADIUS key, etc)
  show front-panel-security > to check reset/clear button setting

Port Configurations
#speed-duplex 1000-full

Aggregated Port (Trunk)
    #trunk 47-48 trunk1 trunk
    #trunk 47-48 trunk1 lacp
    #vlan 11 tagged trunk1
    #interface 47 name 'link to other switch'
    show trunk
        Once the trunk is configured ports will become "untagged vlan1"

Spanning Tree
    #spanning tree
    #spanning tree 1-3 admin-edge-port (default is auto-edge-port which will wait for 3 seconds to see if there's any BPDU)
    #no spanning tree 4 edge-port
    #spanning tree protocol-version mstp
    reload
    #spanning tree config-name "name"
    #spanning tree config-revision 1
    #spanning tree instance 1 vlan 1,2
    #spanning tree instance 2 vlan 3,4
    show spanning tree mst-config
    #spanning tree priority 0 (on root switch)
    #spanning tree priority 1 (on secondary root switch)
    #spanning tree instance 1 priority 0 (on root switch)
    #spanning tree instance 2 priority 1 (on secondary root/instance)

PoE
    show power-management
    show power-management brief
    #power threshold n (1-99) to alert if power usage raises

DHCP
    #dhcp-snooping
    #dhcp-snooping vlan 2
    #dhcp-snooping trust a1 (trusted port)
    #dhcp-snooping authorized-server 1.1.1.1 (DHCP server)

Traffic Mirroring
    #interface a1 monitor all both mirror 1
    #vlan 2 monitor ip access-group acl1 mirror 1
    #mirror 1 port a2
    show monitor

VLAN sample
    vlan 11
        name "VLAN11"
        untagged a9-a12
        ip helper-address 10.10.10.10
        ip address 10.11.11.11 255.255.255.0
        exit

IP Routing
    #ip routing
    #interface loopback 1 ip address 10.1.1.1
    #ip route 10.0.0.0/24 10.1.1.254

    router ospf
        area backbone
    vlan 2
        ip address 10.1.1.1 255.255.255.0
        ip ospf 10.1.1.1 passive
        ip ospf 10.1.1.1 area backbone
        ip ospf cost 10

Internet Through MPLS – Default Route Propagation

2009-11-09T14:32:00.001-08:00

Yesterday we had a customer network migration from IPsec VPN to MPLS. Customer’s headquarter network wanted to be the point of internet sharing so that all branch offices use that point for internet browsing. OSPF was chosen to be the dynamic routing protocol between CE and PE, as ASA is deaf to BGP. We configured everything on CE side and contacted customer’s service provider to check their configuration, everything was fine, but the default route. We had injected a default route at HQ but the branch offices were unable to get that particular 0.0.0.0/0 route through MPLS.

The service provider (DU) told me that OSPF is not able to inject default route from one CE to another CE… and you have to migrate to BGP! what!? It’s not true… I’ve sent them a sample configuration to set on their PE LSRs, now it’s time to explain the problem in detail:

Customer 1 is injecting default-information via OSPF by “default-information originate” command to the service provider’s PE router.
Service provider receives LSA type 5 and should “redistribute ospf x vrf Customer1 match external” into MP-BGP to other PE.
BGP will not redistribute default-information unless we configure “default-information originate” under bgp address-family ipv4 vrf Customer1 (Tricky)
The other PE receives 0.0.0.0/0 via BGP from the first PE and should redistribute it to OSPF but it won’t unless we configure “default-information originate” under OSPF process.

In our example R7 is connected to internet using a static route. R7 injects internet to PE (R3) by “redistribute static subnets”. R3 redistribute that to BGP by “default-information originate” to the other PE (R2). Now R2 has 0.0.0.0/0 in the BGP and should redistribute it into OSPF and use “default-information originate” to send it to its own connected CE.

So I sent the following diagram to the provider for their reference:

Example (based on the first topology):

R7 (CE-Internet):
router ospf 1
redistribute static subnets
network 172.16.37.7 0.0.0.0 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 172.16.69.68
!

R3 (PE):
router ospf 147 vrf VPN1
redistribute bgp 666 subnets
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 666
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute ospf 147 vrf VPN1 match internal external 1 external 2
default-information originate
no synchronization
exit-address-family
!

R2 (PE):

router ospf 147 vrf VPN1
redistribute bgp 666 subnets
network 0.0.0.0 255.255.255.255 area 0
default-information originate
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 666
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute ospf 147 vrf VPN1 match internal external 1 external 2
no synchronization
exit-address-family

Verification:

R3#show ip ospf 147 database

OSPF Router with ID (172.16.37.3) (Process ID 147)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#
172.16.37.3     172.16.37.3     1047        0x8000
172.16.37.7     172.16.37.7     1021        0x8000

Net Link States (Area 0)

Link ID ADV Router Age Seq#
172.16.37.3 172.16.37.3 1047 0x8000

Summary Net Link States (Area 0)

Link ID ADV Router Age Seq#
172.16.24.0 172.16.37.3 1047 0x8000

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#
0.0.0.0         172.16.37.7     482         0x8000
47.47.47.4      172.16.37.3     1047        0x8000
47.47.47.7      172.16.37.7     1021        0x8000

R3#show ip route vrf VPN1

Routing Table: VPN1
Gateway of last resort is 172.16.37.7 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.37.0 is directly connected, Ethernet0/2
B       172.16.24.0 [200/0] via 2.2.2.2, 01:27:35
     47.0.0.0/32 is subnetted, 2 subnets
O E2    47.47.47.7 [110/20] via 172.16.37.7, 01:24:49, Ethernet0/2
B       47.47.47.4 [200/20] via 2.2.2.2, 01:27:35
O*E2 0.0.0.0/0 [110/1] via 172.16.37.7, 00:09:39, Ethernet0/2

R2#show ip bgp vpnv4 vrf VPN1
BGP table version is 41, local router ID is 2.2.2.2
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 172.16.12.2:1 (default for vrf VPN1)
*>i0.0.0.0          3.3.3.3                  1    100      0 ?
*> 47.47.47.4/32    172.16.24.4             20         32768 ?
*>i47.47.47.7/32    3.3.3.3                 20    100      0 ?
*> 172.16.24.0/24   0.0.0.0                  0         32768 ?
*>i172.16.37.0/24   3.3.3.3                  0    100      0 ?

R4#show ip route
Gateway of last resort is 172.16.24.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
O IA    172.16.37.0 [110/11] via 172.16.24.2, 03:32:41, Ethernet0/0
C       172.16.24.0 is directly connected, Ethernet0/0
     47.0.0.0/32 is subnetted, 2 subnets
O E2    47.47.47.7 [110/20] via 172.16.24.2, 01:27:21, Ethernet0/0
C       47.47.47.4 is directly connected, Loopback0
O*E2 0.0.0.0/0 [110/1] via 172.16.24.2, 00:12:15, Ethernet0/0

Note that branch offices still have their own internet as backup, so whenever MPLS goes down, they can use their own internet with IPsec capability to connect to the headquarter automatically, if I would use “default-information originate always” then CE would always advertise default route regardless of it’s existence in the routing table but in our case we have IP SLA monitored static route to the internet, and whenever it goes down OSPF will take back default-route advertisement (default-information originate – without always!) and branch office will use the higher administrative distance static route to its own internet (floating route). Then it will use IPsec to HQ as the crypto-map on internet interface will be triggered.

MPLS Traffic Engineering

2009-11-01T11:53:00.001-08:00

TE was the main driver and reason for MPLS invention. To utilize bandwidth of unused links, to have flexibility in path selection just like previous WAN switching technologies. To create Virtual circuits on top of IP networks. IP Routing is performed hop by hop and you can not dictate a policy to other hops. TE is configured on Head-End LSR and gets/uses a particular label for a particular path. (Explicit Routing/Source-based routing)

RSVP is used to prepare a path and create a tunnel and label to route packets through the network. Link State routing protocols are required as well to report available bandwidth on each link and also other extra information such as Maximum reserve-able bandwidth and so on. Extensions were made to RSVP (Carry Label, Record Route), OSPF and ISIS (Constrained Metric) to be able to do Traffic Engineering. So once that we want to enable Traffic Engineering on our SP backbone, we have to enable specific technologies in order to run TE, such as:

Enable TE (mpls traffic-engineering tunnels) on routers and ports.
Adjust reversable bandwidth with “ip rsvp bandwidth” on ports.
Tune your link state routing protocol to deliver TE attributes.
Create your tunnel on the head-end LSR (uni-directional) and send packets through it.

Example:

In our example, we will configure a TE tunnel from R3 to R4, and from R4 to R3 (reverse direction) to transit our traffic through R3 – R1 – R2 – R4.

Configuration

R3:

mpls traffic-eng tunnels
!
interface Tunnel1000
ip unnumbered Loopback0
tunnel destination 10.10.4.4
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 7 7
tunnel mpls traffic-eng bandwidth 100
tunnel mpls traffic-eng path-option 5 explicit name myway
!
interface Loopback0
ip address 10.10.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.35.3 255.255.255.0
mpls ip
!
interface FastEthernet0/1
ip address 10.10.34.3 255.255.255.0
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 1000
!
interface ATM2/0
ip address 10.10.13.3 255.255.255.0
ip ospf network point-to-point
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 1000
pvc 100/0
protocol ip 10.10.13.1 broadcast
!
!
router ospf 10
network 10.10.0.0 0.0.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
ip explicit-path name myway enable
next-address 10.10.1.1
next-address 10.10.12.2
next-address 10.10.24.4
!

R1:

mpls traffic-eng tunnels
!
interface Loopback0
ip address 10.10.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.12.1 255.255.255.0
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 1000
!
interface ATM2/0
ip address 10.10.13.1 255.255.255.0
ip ospf network point-to-point
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 1000
pvc 100/0
protocol ip 10.10.13.3 broadcast
!
!
router ospf 10
network 0.0.0.0 255.255.255.255 area 0
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!

R2:

mpls traffic-eng tunnels
!
interface Loopback0
ip address 10.10.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 10.10.12.2 255.255.255.0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
ip rsvp bandwidth 1000
!
interface Serial1/0
ip address 10.10.24.2 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
mpls ip
mpls traffic-eng tunnels
frame-relay map ip 10.10.24.2 204
frame-relay map ip 10.10.24.4 204 broadcast
no frame-relay inverse-arp
ip rsvp bandwidth 1000
!
router ospf 10
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
network 0.0.0.0 255.255.255.255 area 0
!

R4:

mpls traffic-eng tunnels
!
interface Loopback0
ip address 10.10.4.4 255.255.255.255
!
interface Tunnel1000
ip unnumbered Loopback0
tunnel destination 10.10.3.3
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 5 explicit name myway
no routing dynamic
!
interface Ethernet0/0
ip address 10.10.46.4 255.255.255.0
mpls ip
!
interface Ethernet0/1
ip address 10.10.34.4 255.255.255.0
mpls ip
mpls traffic-eng tunnels
ip rsvp bandwidth 1000
!
interface Serial1/0
ip address 10.10.24.4 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
mpls ip
mpls traffic-eng tunnels
frame-relay map ip 10.10.24.2 402 broadcast
frame-relay map ip 10.10.24.4 402
no frame-relay inverse-arp
ip rsvp bandwidth 1000
!
router ospf 10
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
log-adjacency-changes
network 10.10.0.0 0.0.255.255 area 0
!
ip explicit-path name myway enable
next-address 10.10.24.2
next-address 10.10.12.1
next-address 10.10.13.3
!

R3#show mpls traffic tunnel

Name: R3_t1000             (Tunnel1000) Destination: 10.10.4.4

Status:    Admin: up Oper: up Path: valid   Signalling: connected
path option 5, type explicit myway (Basis for Setup, path weight 66)
Config Parameters:
Bandwidth: 100   kbps (Global) Priority: 7 7   Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute: enabled   LockDown: disabled Loadshare: 100   bw-based
    auto-bw: disabled

InLabel : -
OutLabel : ATM2/0, 26
RSVP Signalling Info:
Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 176
RSVP Path Info:
My Address: 10.10.13.3
Explicit Route: 10.10.13.1 10.10.12.1 10.10.12.2 10.10.24.4 10.10.4.4
      Record   Route:   NONE
      Tspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
    RSVP Resv Info:
      Record   Route:   NONE
      Fspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits

LSP Tunnel R4_t1000 is signalled, connection is up
InLabel : ATM2/0, implicit-null
OutLabel : -
RSVP Signalling Info:
Src 10.10.4.4, Dst 10.10.3.3, Tun_Id 1000, Tun_Instance 131

Verification

Before:

R5#trace 10.10.6.6

Type escape sequence to abort.
Tracing the route to 10.10.6.6

1 10.10.35.3 [MPLS: Label 23 Exp 0]
2 10.10.34.4 [MPLS: Label 17 Exp 0]
3 10.10.46.6

After:

R5#trace 10.10.6.6

Type escape sequence to abort.
Tracing the route to 10.10.6.6

1 10.10.35.3 [MPLS: Labels 23 Exp 0]
2 10.10.13.1 [MPLS: Label 26 Exp 0]
3 10.10.12.2 [MPLS: Label 25 Exp 0]
4 10.10.24.4
5 10.10.46.6

Dynamic Path Configuration:

interface Tunnel1000
ip unnumbered Loopback0
tunnel destination 10.10.4.4
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 7 7
tunnel mpls traffic-eng bandwidth 100
tunnel mpls traffic-eng path-option 10 dynamic
!

R3(config-if)#do sh mpls traf tu

Name: R3_t1000 (Tunnel1000) Destination: 10.10.4.4
Status:
Admin: up Oper: up Path: valid Signalling: connected

path option 10, type dynamic (Basis for Setup, path weight 1)

Config Parameters:
    Bandwidth: 100 kbps (Global) Priority: 7 7   Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute: enabled   LockDown: disabled Loadshare: 100 bw-based
    auto-bw: disabled

InLabel : -
OutLabel : FastEthernet0/1, implicit-null
RSVP Signalling Info:
       Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 178
    RSVP Path Info:
      My Address: 10.10.34.3
      Explicit Route: 10.10.34.4 10.10.4.4
      Record   Route:   NONE

R5#trace 10.10.6.6

Type escape sequence to abort.
Tracing the route to 10.10.6.6

1 10.10.35.3 [MPLS: Labels 23 Exp 0]
2 10.10.34.4
3 10.10.46.6

R3(config-if)#int fa 0/1
R3(config-if)#no mpls tra tun

R3#sh mpls tra tun

Name: R3_t1000 (Tunnel1000) Destination: 10.10.4.4
Status:
Admin: up Oper: up Path: valid Signalling: connected

path option 10, type dynamic (Basis for Setup, path weight 66)

InLabel : -
OutLabel : ATM2/0, 26
RSVP Signalling Info:
       Src 10.10.3.3, Dst 10.10.4.4, Tun_Id 1000, Tun_Instance 180
    RSVP Path Info:
      My Address: 10.10.13.3
      Explicit Route: 10.10.13.1 10.10.12.1 10.10.12.2 10.10.24.4
                      10.10.4.4
      Record   Route:   NONE
      Tspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
    RSVP Resv Info:
      Record   Route:   NONE
      Fspec: ave rate=100 kbits, burst=1000 bytes, peak rate=100 kbits
History:
    Tunnel:
      Time since created: 2 hours, 42 minutes
      Time since path change: 12 seconds
    Current LSP:
      Uptime: 12 seconds
    Prior LSP:
      ID: path option 10 [179]
      Removal Trigger: tunnel shutdown

LSP Tunnel R4_t1000 is signalled, connection is up
InLabel : ATM2/0, implicit-null
OutLabel : -
RSVP Signalling Info:
Src 10.10.4.4, Dst 10.10.3.3, Tun_Id 1000, Tun_Instance 136

CCIE Magazine

2009-10-29T07:25:00.001-07:00

For those of you who haven’t heard about CCIE flyer magazine, is not a bad idea to check their website: http://www.ccieflyer.com. They have CCIE related stories, interviews, CCIE training boot camps with special pricing and also workbook promotions. CCIE Agent, Eman (Emmanuel Conde) is a CCIE recruiter promoted by Worldwide Channels of Cisco Systems.

Cisco VPN Client for Windows 7

2009-10-24T00:59:00.001-07:00

October 2009 seems to be a super active month for Cisco, after introducing IOS 15, ISR 2nd Generation and the new version of CCIE, (and rumors of new catalysts), it’s time for Windows 7 and MacOS Snow Leopard to have Cisco VPN Client and Cisco SSL AnyConnect VPN Client versions, available to download. Here are some cool new features:

Split DNS Fallback: AnyConnect tunnels only DNS queries that match specific domains, sending other request to a public DNS server.
Log-on/off Scripting
Proxy Support Enhancements
Trusted Network Detection: AnyConnect automatically disconnect a VPN connection inside the trusted network.

Cisco VPN Client 5.0.06

vpnclient-win-msi-5.0.06.0110-k9.exe

Release Date: 19/Oct/2009

VPN Client Software for x86 version of 2000/XP/Vista/Windows 7 - Microsoft Installer

Note:

Win7 64bit and Vista 64bit are still not supported by Cisco VPN Client (IPsec), Cisco is pushing customers toward SSL VPN solution.

Cisco AnyConnect VPN Client 2.4

anyconnect-dart-win-2.4.0202-k9.pkg for Windows platforms.

anyconnect-linux-2.4.0202-k9.tar.gz tarball package for Linux platforms.

anyconnect-wince-ARMv4I-2.4.0202-k9.cab for Windows Mobile platforms.

anyconnect-macosx-i386-2.4.0202-k9.dmg for Mac OS X "Intel" platforms.

CCIE SP - L2TPv3

2009-10-21T17:32:00.001-07:00

Layer2 Tunneling protocol version 3 (L2TPv3) has the capability to tunnel any Layer 2 payload over IP networks. L2TPv3 uses IP as transport so it can be used in any IP-aware network including MPLS. L2TPv3 tunnels are point to point.

Pseudowire = like a wire, but not really, emulates Layer2 over a packet switched network.
No IP or VRF configuration is required between PE-CE.

Example:

In this example R5 and R6 are provider’s PE routers. R7 and R8 are CE routers connected to R5 and R6. Using psudeowire R7 can connect to R8 just like a regular point-to-point ethernet connection.

R5:
!
pseudowire-class Customer1
encapsulation l2tpv3
ip local interface Loopback0
!
interface Loopback0
ip address 10.10.5.5 255.255.255.255
!
interface Ethernet0/3
no ip address
xconnect 10.10.6.6 1 pw-class Customer1
!

R6:
!
pseudowire-class Customer1
encapsulation l2tpv3
ip local interface Loopback0
!
interface Loopback0
ip address 10.10.6.6 255.255.255.255
!
interface Ethernet0/3
no ip address
xconnect 10.10.5.5 1 pw-class Customer1
!

R7#sh cdp neighbor

Device ID Local Intrfce Holdtme Capability Platform Port ID
R8 Eth 0/0 161 R S I 3640 Eth 0/0

CCIE SP - Multicast for MPLS VPNs (MVPN)

2009-10-18T13:26:00.001-07:00

The MPLS VPN network needs to be carefully designed and the service provider core must be configured for native multicast service: PIM-SM, Source specific multicast (PIM-SSM), or Bidirectional PIM (PIM-BIDIR) are required at core. PIM-DM is not supported as core protocol for MVPN services, but all multicast protocols are supported within multicast VRF for customers (CE).

Note: Dense mode PIM (PIM-DM) is not supported as core protocol in MVPN configurations.

An MDT default configuration is mandatory for MVPN to work (Multicast Distribution Tree).
Configuring data MDT is optional.
The IP address of the default MDT determines which multicast domain VRF belongs to (to share multicast packets with other VRFs)
Multicast needs to be enabled on MBGP peers loopbacks (between PEs)

Reference:

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a0080242aa8.shtml

Example:

Configuration

R5:

ip vrf A
rd 10.10.5.5:1
route-target export 666:1
route-target import 666:1
mdt default 232.10.10.10
!
ip multicast-routing
ip multicast-routing vrf A
!
interface Loopback0
ip address 10.10.5.5 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 10.10.35.5 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/3
ip vrf forwarding A
ip address 10.10.57.5 255.255.255.0
ip pim dense-mode
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 10.10.0.0 0.0.255.255 area 0
!
router bgp 666
bgp log-neighbor-changes
neighbor 10.10.6.6 remote-as 666
neighbor 10.10.6.6 update-source Loopback0
!
address-family ipv4
neighbor 10.10.6.6 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.10.6.6 activate
neighbor 10.10.6.6 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family
!

R6:

ip vrf A
rd 10.10.6.6:1
route-target export 666:1
route-target import 666:1
mdt default 232.10.10.10
!
ip multicast-routing
ip multicast-routing vrf A
!
interface Loopback0
ip address 10.10.6.6 255.255.255.255
ip pim sparse-dense-mode
!
interface Ethernet0/0
ip address 10.10.46.6 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/3
ip vrf forwarding A
ip address 10.10.68.6 255.255.255.0
ip pim dense-mode
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 10.10.0.0 0.0.255.255 area 0
!
router bgp 666
bgp log-neighbor-changes
neighbor 10.10.5.5 remote-as 666
neighbor 10.10.5.5 update-source Loopback0
!
address-family ipv4
neighbor 10.10.5.5 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.10.5.5 activate
neighbor 10.10.5.5 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
no synchronization
exit-address-family
!

Verification

R5#deb ip mpacket

IP(1): s=10.10.57.7 (Ethernet0/3) d=224.69.69.69 (Tunnel0) id=820, ttl=254, prot=1, len=100(100), mforward

IP(0): s=10.10.5.5 (Loopback0) d=232.10.10.10 (Ethernet0/0) id=563, ttl=255, prot=47, len=124(124), mforward

R5#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected,
L - Local, T - SPT-bit set, Z - Multicast Tunnel,
z - MDT-data group sender…

(10.10.5.5, 232.10.10.10), 00:28:22/00:03:23, flags: sT
Incoming interface: Loopback0, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/0, Forward/Sparse, 00:01:04/00:02:26

(10.10.6.6, 232.10.10.10), 01:25:37/00:02:53, flags: sTIZ
Incoming interface: Ethernet0/0, RPF nbr 10.10.35.3
Outgoing interface list:
MVRF A, Forward/Sparse-Dense, 01:22:53/00:00:00

(*, 224.0.1.40), 12:23:16/00:02:34, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/0, Forward/Sparse, 12:23:16/00:00:00

R5#sh ip pim mdt
* implies group is the MDT default group
MDT Group Interface Source VRF
* 232.10.10.10 Tunnel0 Loopback0 A

R5#sh ip pim mdt bgp
Peer (Route Distinguisher + IPv4) Next Hop
MDT group 232.10.10.10
2:2570:101056513:10.10.6.6 10.10.6.6

CCIE SP – IP Multicast Anycast RP

2009-10-18T09:21:00.001-07:00

In the previous port, we reviewed MSDP, Multicast Source Discovery Protocol (MSDP) is the key protocol that makes Anycast RP possible. The Anycast RP uses MSDP for redundancy and failover between RPs in Protocol Independent Multicast sparse mode (PIM-SM) networks. Rendezvous Points can share one IP address (same-address allocated to their loopback) and load-balance multicast traffic within the network. Data is routed to the nearest and the best destination as viewed by the routing topology. RP can be configured statically by “ip pim rp-address” command or dynamically using Auto-RP or PIMv2 (BSR).

Note: Adding a new loopback can change your OSPF/BGP/LDP Router-ID, it’s always recommended to hard-code your router-ID by router-id command.

Example:

Multicast path is: R7-> R5 –> R3 –> R1 –> R2 –> R4 –> R6 –> R8

R1:
interface Loopback0
ip address 10.10.1.1 255.255.255.255
ip pim sparse-mode
!
interface Loopback69
ip address 10.10.69.69 255.255.255.255
ip pim sparse-mode
!
interface FastEthernet0/0
ip pim sparse-mode
!
interface ATM2/0
ip pim sparse-mode
!
!
router ospf 1
router-id 10.10.1.1
network 10.10.0.0 0.0.255.255 area 0
!
ip pim autorp listener
ip pim send-rp-announce Loopback69 scope 255
ip pim send-rp-discovery Loopback69 scope 255
ip msdp peer 10.10.12.2 connect-source FastEthernet0/0
!

R2:
interface Loopback0
ip address 10.10.2.2 255.255.255.255
ip pim sparse-mode
!
interface Loopback69
ip address 10.10.69.69 255.255.255.255
ip pim sparse-mode
!
interface Ethernet0/0
ip pim sparse-mode
!
interface Serial1/0
ip pim sparse-mode
!
router ospf 1
router-id 10.10.2.2
network 10.10.0.0 0.0.255.255 area 0
!
ip pim bsr-candidate Loopback69 0
ip pim rp-candidate Loopback69
ip msdp peer 10.10.12.1 connect-source Ethernet0/0
!

R2#sh ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
(10.10.57.7, 224.100.100.100), RP 10.10.69.69,
AS ?,00:00:15/00:05:44, Peer 10.10.12.1

R5#sh ip pim rp mapping
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
RP 10.10.69.69 (?), v2v1
Info source: 10.10.69.69 (?), elected via Auto-RP

R6#sh ip pim rp mapping
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
RP 10.10.69.69 (?), v2
Info source: 10.10.69.69 (?), via bootstrap

For more information:

http://www.cisco.com/en/US/docs/ios/solutions_docs/ip_multicast/White_papers/anycast.html

CCIE SP - Multicast BGP

2009-10-18T05:39:00.001-07:00

Multicast BGP feature adds capabilities to BGP to enable multicast routing to connect multicast topologies within and between BGP autonomous systems. MBGP is an enhanced BGP that carries IP multicast routes. PIM uses the multicast BGP database to perform Reverse Path Forwarding (RPF) lookups for multicast-capable sources. In our example, we will create a simple RPF failure in the network and then we will solve it by the multicast BGP. Example:

All routers are configured with PIM dense mode end-to-end. The multicast traffic path is:

R7 –> R5 –> R3 –> R1 –> R2 –> R4 –> R6 –> R8

Due to existence of eBGP between R3 and R4, Unicast path is:

R7 –> R5 –> R3 –> R4 –> R6 –> R8

So there’s an RPF failure, detected by R4… We can solve it either statically by “ip mroute” command or dynamically by MBGP.

Note: MBGP’s duty is to solve RPF failure, In fact multicast BGP routes are preferred over BGP unicast routes. We still need PIM for end to end delivery of IP multicast packets.

Configuration

R5:
ip multicast-routing
!
interface Ethernet0/0
ip pim dense-mode
!
interface Ethernet0/3
ip pim dense-mode
!

R3:
ip multicast-routing
!
interface FastEthernet0/0
ip pim dense-mode
!
interface ATM2/0
ip pim dense-mode
!

R1:
ip multicast-routing
!
interface FastEthernet0/0
ip pim dense-mode
!
interface ATM2/0
ip pim dense-mode
!
router bgp 135
neighbor 10.10.12.2 remote-as 246
neighbor 10.10.13.3 remote-as 135
!
address-family ipv4
neighbor 10.10.12.2 activate
neighbor 10.10.13.3 activate
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 multicast
neighbor 10.10.12.2 activate
no auto-summary
network 10.10.57.0 mask 255.255.255.0
exit-address-family
!
R2:
ip multicast-routing
!
interface Ethernet0/0
ip pim dense-mode
!
interface Serial1/0
ip pim dense-mode
!
router bgp 246
neighbor 10.10.12.1 remote-as 135
neighbor 10.10.24.4 remote-as 246
!
address-family ipv4
neighbor 10.10.12.1 activate
neighbor 10.10.24.4 activate
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 multicast
neighbor 10.10.12.1 activate
neighbor 10.10.24.4 activate
no auto-summary
no synchronization
exit-address-family
!
R4:
ip multicast-routing
!
interface Ethernet0/0
ip pim dense-mode
!
interface Serial1/0
ip pim dense-mode
!
router bgp 246
neighbor 10.10.24.2 remote-as 246
neighbor 10.10.34.3 remote-as 135
neighbor 10.10.46.6 remote-as 246
!
address-family ipv4
neighbor 10.10.24.2 activate
neighbor 10.10.24.2 route-reflector-client
neighbor 10.10.34.3 activate
neighbor 10.10.46.6 activate
neighbor 10.10.46.6 route-reflector-client
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 multicast
neighbor 10.10.24.2 activate
no auto-summary
no synchronization
exit-address-family
!
R6:
ip multicast-routing
!
interface Ethernet0/0
ip pim dense-mode
!
interface Ethernet0/3
ip pim dense-mode
!
R8:
interface Ethernet0/0
ip address 10.10.68.8 255.255.255.0
ip igmp join-group 224.69.69.69
!

Verification

R7#ping
Protocol [ip]:
Target IP address: 224.69.69.69
Repeat count [1]: 100
Extended commands [n]: y
Interface [All]: ethernet0/0
Time to live [255]:
Source address: 10.10.57.7
Sending 100, 100-byte ICMP Echos to 224.69.69.69:
Packet sent with a source address of 10.10.57.7

Reply to request 0 from 10.10.68.8
Reply to request 1 from 10.10.68.8
Reply to request 2 from 10.10.68.8

R2#sh ip bgp ipv4 multicast

Network Next Hop Metric LocPrf Weight Path
*> 10.10.57.0/24 10.10.12.1 12 0 135 i

R2#sh ip bgp

   Network          Next Hop   Metric LocPrf Weight Path
* i10.10.57.0/24    10.10.34.3 0    100      0 135 i
*>                  10.10.12.1                0 135 i
r>i10.10.68.0/24    10.10.46.6 0    100      0 i

R4#sh ip bgp ipv4 multicast

Network Next Hop Metric LocPrf Weight Path
*>i10.10.57.0/24 10.10.12.1 12 100 0 135 i

R4#sh ip rpf event
Last 15 triggered multicast RPF check events

RPF backoff delay: 500 msec
RPF maximum delay: 5 sec

DATE/TIME          BACKOFF PROTOCOL   EVENT      RPF CHANGES
Mar 1 00:20:24.767 500 msec BGP        Route Modified 1
Mar 1 00:05:08.631 500 msec OSPF       Route UP        0
Mar 1 00:05:05.851 500 msec BGP        Route UP        0
Mar 1 00:05:01.595 500 msec PIM        Nbr UP          0
Mar 1 00:03:08.263 500 msec OSPF       Route UP        0
Mar 1 00:03:00.531 500 msec PIM        Nbr UP          0
Mar 1 00:01:22.611 500 msec Connected Route UP        0
Mar 1 00:01:02.747 500 msec Connected Route Down      0
Mar 1 00:00:51.635 500 msec PIM        Nbr UP          0
Mar 1 00:00:44.995 500 msec OSPF       Route UP        0
Mar 1 00:00:28.915 500 msec Connected Route UP        0

R4#sh ip rpf 10.10.57.7
RPF information for ? (10.10.57.7)
RPF interface: Serial1/0
RPF neighbor: ? (10.10.24.2)
RPF route/mask: 10.10.57.0/24
RPF type: mbgp
RPF recursion count: 0
Doing distance-preferred lookups across tables

R4#sh ip mroute
IP Multicast Routing Table

(*, 224.0.1.40), 01:34:08/00:02:39, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/0, Forward/Dense, 01:19:37/00:00:00

(*, 224.69.69.69), 00:10:43/stopped, RP 0.0.0.0, flags: D
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Serial1/0, Forward/Dense, 00:10:43/00:00:00
Ethernet0/0, Forward/Dense, 00:10:43/00:00:00

(10.10.57.7, 224.69.69.69), 00:10:43/00:00:02, flags: T
Incoming interface: Serial1/0, RPF nbr 10.10.24.2, Mbgp
Outgoing interface list:
Ethernet0/0, Forward/Dense, 00:10:23/00:00:00

CCIE SP - MSDP

2009-10-17T03:19:00.001-07:00

MSDP or Multicast Source Distribution Protocol allows multicast sources for a group to be known to all rendezvous points (RPs) in different domains. Each PIM-SM domain uses its own RP and MSDP connects source based trees to destination trees. MSDP uses TCP as control protocol and you will require end to end multicast routing protocol such as PIM. At boundries (Autonomous systems) we will filter RP announcements from other autonomous systems. Example:

Our example is very simple, two multicast domains with no RPF failure and end-to-end PIM sparse mode between R5 and R6. Multicast source is R7 (sending Ping to multicast group) and R8 as multicast member (IGMP join). R1 is Auto-RP MA and RP for AS135 and R2 is BSR for AS246. R1 and R2 communicate with MSDP language and deliver SA (Source Active) messages to each-others as peers, in this way each RP is infromed about active sources in different domain and can join its memebers to that multicast tree (S,G) to (*,G). To debug MSDP messages we can use “debug ip msdp peer” and “debug ip msdp routes”

Multicast path from source to member is:

R7 –> R5 –> R3 -> R1 –> R2 –> R4 –> R6 –> R8

R7#trace 10.10.68.8

1 10.10.57.5
2 10.10.35.3
3 10.10.13.1
4 10.10.12.2
5 10.10.24.4
6 10.10.46.6
7 10.10.68.8

Configuration

R7:

R5:

ip multicast-routing
!
interface Ethernet0/0
ip address 10.10.35.5 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/3
ip address 10.10.57.5 255.255.255.0
ip pim sparse-mode
!
ip pim autorp listener
!

R3:

ip multicast-routing
!
interface FastEthernet0/0
ip address 10.10.35.3 255.255.255.0
ip pim sparse-mode
!
interface ATM2/0
ip address 10.10.13.3 255.255.255.0
ip pim sparse-mode
!
ip pim autorp listener
!

R1:

ip multicast-routing
!
interface Loopback0
ip address 10.10.1.1 255.255.255.255
ip pim sparse-mode
!
interface FastEthernet0/0
ip address 10.10.12.1 255.255.255.0
ip pim bsr-border
ip pim sparse-mode
ip multicast boundary 1
!
interface ATM2/0
ip address 10.10.13.1 255.255.255.0
ip pim sparse-mode
!
ip pim autorp listener
ip pim send-rp-announce Loopback0 scope 255
ip pim send-rp-discovery Loopback0 scope 255
ip msdp peer 10.10.12.2 connect-source FastEthernet0/0
!
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit any
!

R2:

ip multicast-routing
!
interface Loopback0
ip address 10.10.2.2 255.255.255.255
ip pim sparse-mode
!
interface Ethernet0/0
ip address 10.10.12.2 255.255.255.0
ip pim bsr-border
ip pim sparse-mode
ip multicast boundary 1
!
interface Serial1/0
ip address 10.10.24.2 255.255.255.0
ip pim sparse-mode
!
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0
ip msdp peer 10.10.12.1 connect-source Ethernet0/0
!
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit any
!

R4:

ip multicast-routing
!
interface Ethernet0/0
ip address 10.10.46.4 255.255.255.0
ip pim sparse-mode
!
interface Serial1/0
ip address 10.10.24.4 255.255.255.0
ip pim sparse-mode
!

R6:

ip multicast-routing
!
interface Ethernet0/0
ip address 10.10.46.6 255.255.255.0
ip pim sparse-mode
!
interface Ethernet0/3
ip address 10.10.68.6 255.255.255.0
ip pim sparse-mode
!

R8:

interface Ethernet0/0
ip address 10.10.68.8 255.255.255.0
ip igmp join-group 224.69.69.69
!

Verification

At this point, R8 joins multicast tree and R2 is aware of multicast source through MSDP SA messages from R1 and can responses are sent back from R8 to R7:

R7#ping
Protocol [ip]:
Target IP address: 224.69.69.69
Repeat count [1]: 10
Extended commands [n]: y
Interface [All]: ethernet0/0
Source address: 10.10.57.7

Sending 10, 100-byte ICMP Echos to 224.69.69.69, timeout is 2 seconds:
Packet sent with a source address of 10.10.57.7
..
Reply to request 3 from 10.10.68.8
Reply to request 4 from 10.10.68.8
Reply to request 5 from 10.10.68.8
Reply to request 6 from 10.10.68.8
Reply to request 7 from 10.10.68.8
Reply to request 8 from 10.10.68.8
Reply to request 9 from 10.10.68.8

R1#sh ip pim rp mapping
PIM Group-to-RP Mappings
This system is an RP (Auto-RP)
This system is an RP-mapping agent (Loopback0)

Group(s) 224.0.0.0/4
RP 10.10.1.1 (?), v2v1
Info source: 10.10.1.1 (?), elected via Auto-RP
Uptime: 17:03:06, expires: 00:02:52

R1#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, C - Connected,
       L - Local, P - Pruned, T - SPT-bit set, J - Join SPT,
       M - MSDP created entry,
       A - Candidate for MSDP Advertisement

(*, 224.0.1.39), 17:04:10/stopped, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Loopback0, Forward/Sparse, 17:03:11/00:00:00
ATM2/0, Forward/Sparse, 17:04:10/00:00:00

(10.10.1.1, 224.0.1.39), 17:04:10/00:02:49, flags: LTA
Incoming interface: Loopback0, RPF nbr 0.0.0.0
Outgoing interface list:
ATM2/0, Forward/Sparse, 17:03:11/00:00:00

(*, 224.0.1.40), 17:06:10/stopped, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Loopback0, Forward/Sparse, 17:03:11/00:00:00
ATM2/0, Forward/Sparse, 17:06:10/00:00:00

(10.10.1.1, 224.0.1.40), 17:03:10/00:02:54, flags: LTA
Incoming interface: Loopback0, RPF nbr 0.0.0.0
Outgoing interface list:
ATM2/0, Forward/Sparse, 17:03:11/00:00:00

(*, 224.69.69.69), 00:01:50/stopped, RP 10.10.1.1, flags: SP
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list: Null

(10.10.57.7, 224.69.69.69), 00:01:50/00:01:54, flags: TA
Incoming interface: ATM2/0, RPF nbr 10.10.13.3
Outgoing interface list:
FastEthernet0/0, Forward/Sparse, 00:01:49/00:02:39

R1#sh ip msdp peer
MSDP Peer 10.10.12.2 (?), AS 246
Description:
Connection status:
    State: Up, Resets: 0,
    Connection source: FastEthernet0/0 (10.10.12.1)
    Uptime(Downtime): 14:14:08, Messages sent/received: 922/854
    Output messages discarded: 0
    Connection and counters cleared 14:16:09 ago
SA Filtering:
    Input (S,G) filter: none, route-map: none
    Input RP filter: none, route-map: none
    Output (S,G) filter: none, route-map: none
    Output RP filter: none, route-map: none
SA-Requests:
    Input filter: none
Peer ttl threshold: 0
SAs learned from this peer: 0
Input queue size: 0, Output queue size: 0

R2 Verification

R2#sh ip pim rp mapping
PIM Group-to-RP Mappings
This system is a candidate RP (v2)
This system is the Bootstrap Router (v2)

Group(s) 224.0.0.0/4
RP 10.10.2.2 (?), v2
Info source: 10.10.2.2 (?), via bootstrap, priority 0
holdtime 150 Uptime: 16:13:59, expires: 00:01:27

R2#sh ip msdp summary
MSDP Peer Status Summary
Peer Address     AS    State    Uptime/ Reset SA    Peer Name
                                Downtime Count Count
10.10.12.1       135   Up       14:15:47 0     1     ?

R2#sh ip mroute

(*, 224.0.1.40), 16:22:23/00:02:02, RP 0.0.0.0, flags: DPL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list: Null

(*, 224.69.69.69), 01:17:15/stopped, RP 10.10.2.2, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Serial1/0, Forward/Sparse, 01:17:15/00:03:03

(10.10.57.7, 224.69.69.69), 00:00:02/00:02:57, flags: M
Incoming interface: Ethernet0/0, RPF nbr 10.10.12.1
Outgoing interface list:
Serial1/0, Forward/Sparse, 00:00:02/00:03:28

R6 Verification

R6#sh ip mroute

(*, 224.0.1.40), 16:17:35/00:02:49, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Ethernet0/0, Forward/Sparse, 16:17:35/00:02:49

(*, 224.69.69.69), 01:13:28/stopped, RP 10.10.2.2, flags: SJC
Incoming interface: Ethernet0/0, RPF nbr 10.10.46.4
Outgoing interface list:
Ethernet0/3, Forward/Sparse, 01:13:28/00:02:30

(10.10.57.7, 224.69.69.69), 00:00:02/00:02:57, flags: JT
Incoming interface: Ethernet0/0, RPF nbr 10.10.46.4
Outgoing interface list:
Ethernet0/3, Forward/Sparse, 00:00:02/00:02:57

R6#sh ip pim rp mapping
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
RP 10.10.2.2 (?), v2
Info source: 10.10.2.2 (?), via bootstrap, priority 0, holdtime 150
Uptime: 16:15:26, expires: 00:02:27

CCIE SP - MPLS VPN Carrier Supporting Carrier

2009-10-15T07:06:00.001-07:00

The carrier supporting carrier feature enables one MPLS VPN-based service provider to allow other service providers (Tier2) to use its backbone network for connectivity of their POPs. It is also called a carrier-of-carriers VPN. It is a two-tiered relationship between a provider carrier and a customer carrier. In a carrier-of-carriers VPN, the provider carrier provides a VPN backbone network for the customer carrier. The customer carrier, in turn, provides layer 3 VPN or Internet services to its end customers.

You may say that: “so what’s the difference between MPLS VPN and CSC? in MPLS VPN we do the same thing for customers!” well, It is true with one exception, in CSC, the provider carrier does not like to have all routing information for it’s customer carriers, the provider only delivers customers tag regardless of the final destionation. In this case customer (Tier 2 ISP) sends labelled traffic to carrier (Tier 1 ISP) just to deliver it to the next-hop on the other side of the network.

Example 1:

In our example, R1 and R2 are CSC_PE while R3 and R4 are CSC_CE, acting like CE routers for the provider carrier’s PE routers and the only difference is that customer carrier speaks in label language. So whenever we run a label protocol on a VRF port – then it is CSC.

Note: To the customer carrier, the router it uses to connect to the provider carrier's VPN is a PE router. However, the provider carrier views this device as a CE router (http://www.juniper.net/techpubs/software/erx/junose53/swconfig-routing-vol2/html/bgp-mpls-vpns-config12.html)

Configuration

R1:
ip vrf A
rd 10.10.1.1:1
route-target export 666:1
route-target import 666:1
!
interface Loopback0
ip address 10.10.1.1 255.255.255.255
ip router isis
!
interface FastEthernet0/0
ip address 10.10.12.1 255.255.255.0
ip router isis
mpls label protocol ldp
mpls ip
!
interface ATM2/0
ip vrf forwarding A
ip address 10.10.13.1 255.255.255.0
ip ospf network point-to-point
mpls ip
pvc 100/0
protocol ip 10.10.13.3 broadcast
!
!
router ospf 10 vrf A
redistribute bgp 666 subnets
network 10.10.13.1 0.0.0.0 area 0
area 0 sham-link 10.10.134.1 10.10.134.2
!
router isis
net 69.0000.0000.0001.00
is-type level-2-only
!
router bgp 666
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.10.2.2 remote-as 666
neighbor 10.10.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.2.2 activate
neighbor 10.10.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute ospf 10 vrf A
no auto-summary
no synchronization
exit-address-family
!

R2:
ip vrf A
rd 10.10.2.2:1
route-target export 666:1
route-target import 666:1
!
interface Loopback0
ip address 10.10.2.2 255.255.255.255
ip router isis
!
interface Ethernet0/0
ip address 10.10.12.2 255.255.255.0
ip router isis
mpls label protocol ldp
mpls ip
!
interface Serial1/0
ip vrf forwarding A
ip address 10.10.24.2 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
mpls ip
frame-relay map ip 10.10.24.2 204
frame-relay map ip 10.10.24.4 204 broadcast
no frame-relay inverse-arp
!
router ospf 10 vrf A
redistribute bgp 666 subnets
network 10.10.24.2 0.0.0.0 area 0
area 0 sham-link 10.10.134.2 10.10.134.1
!
router isis
net 69.0000.0000.0002.00
is-type level-2-only
!
router bgp 666
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.10.1.1 remote-as 666
neighbor 10.10.1.1 update-source Loopback0
!
address-family ipv4
neighbor 10.10.1.1 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.10.1.1 activate
neighbor 10.10.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute ospf 10 vrf A
no synchronization
exit-address-family
!

R3:
interface ATM2/0
ip address 10.10.13.3 255.255.255.0
ip ospf network point-to-point
mpls ip
pvc 100/0
protocol ip 10.10.13.1 broadcast
!
!
router ospf 10
network 10.10.3.3 0.0.0.0 area 0
network 10.10.13.3 0.0.0.0 area 0
network 10.10.35.3 0.0.0.0 area 0
!
router bgp 3456
no synchronization
neighbor 10.10.4.4 remote-as 3456
neighbor 10.10.4.4 update-source Loopback0
neighbor 10.10.35.5 remote-as 3456
neighbor 10.10.35.5 route-reflector-client
no auto-summary
!

R4:
interface Serial1/0
ip address 10.10.24.4 255.255.255.0
encapsulation frame-relay
ip ospf network point-to-point
mpls ip
frame-relay map ip 10.10.24.2 402 broadcast
frame-relay map ip 10.10.24.4 402
no frame-relay inverse-arp
!
router ospf 10
network 10.10.4.4 0.0.0.0 area 0
network 10.10.24.4 0.0.0.0 area 0
network 10.10.46.4 0.0.0.0 area 0
!
router bgp 3456
no synchronization
bgp log-neighbor-changes
neighbor 10.10.3.3 remote-as 3456
neighbor 10.10.3.3 update-source Loopback0
neighbor 10.10.46.6 remote-as 3456
neighbor 10.10.46.6 route-reflector-client
no auto-summary
!

R5:
router ospf 10
network 10.10.35.5 0.0.0.0 area 0
!
router rip
version 2
redistribute bgp 3456 metric transparent
passive-interface default
no passive-interface Ethernet0/2
no passive-interface Ethernet0/3
network 10.0.0.0
no auto-summary
!
router bgp 3456
no synchronization
bgp log-neighbor-changes
bgp redistribute-internal
network 10.10.7.7 mask 255.255.255.255
network 10.10.9.9 mask 255.255.255.255
neighbor 10.10.35.3 remote-as 3456
neighbor 10.10.35.3 next-hop-self
no auto-summary
!

R6:
router ospf 10
network 10.10.46.6 0.0.0.0 area 0
!
router rip
version 2
redistribute bgp 3456 metric transparent
passive-interface default
no passive-interface Ethernet0/2
no passive-interface Ethernet0/3
network 10.0.0.0
no auto-summary
!
router bgp 3456
no synchronization
bgp log-neighbor-changes
bgp redistribute-internal
network 10.10.8.8 mask 255.255.255.255
network 10.10.10.10 mask 255.255.255.255
neighbor 10.10.46.4 remote-as 3456
neighbor 10.10.46.4 next-hop-self
no auto-summary
!

CE:
R7#trace 10.10.8.8 source 10.10.7.7

1 10.10.57.5
2 10.10.35.3
3 10.10.13.1 [MPLS: Label 22 Exp 0]
4 10.10.24.2 [MPLS: Label 21 Exp 0]
5 10.10.24.4
6 10.10.46.6
7 10.10.68.8

R8#trace 10.10.7.7 source 10.10.8.8

1 10.10.68.6
2 10.10.46.4
3 10.10.12.2 [MPLS: Label 20 Exp 0]
4 * * *
5 10.10.13.3
6 10.10.35.5
7 10.10.57.7

What if the customer carrier wants to run MPLS VPN, it’s same as previous example with minor adjusments.

Example 2:

In our second example, MP-iBGP is used between customer carrier and OSPF as IGP. LSP is end to end from PE to PE.

R1:

ip vrf A
rd 10.10.1.1:1
route-target export 666:1
route-target import 666:1
!
interface Loopback0
ip address 10.10.1.1 255.255.255.255
ip router isis
!
interface Loopback2
ip vrf forwarding A
ip address 10.10.134.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.10.12.1 255.255.255.0
ip router isis
mpls label protocol ldp
mpls ip
!
interface ATM2/0
ip vrf forwarding A
ip address 10.10.13.1 255.255.255.0
ip ospf network point-to-point
mpls ip
pvc 100/0
protocol ip 10.10.13.3 broadcast
!
!
router ospf 10 vrf A
log-adjacency-changes
area 0 sham-link 10.10.134.1 10.10.134.2
redistribute bgp 666 subnets
network 10.10.13.1 0.0.0.0 area 0
!
router isis
net 69.0000.0000.0001.00
is-type level-2-only
!
router bgp 666
no bgp default ipv4-unicast
neighbor 10.10.2.2 remote-as 666
neighbor 10.10.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.2.2 activate
neighbor 10.10.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute ospf 10 vrf A
no auto-summary
no synchronization
network 10.10.134.1 mask 255.255.255.255
exit-address-family
!

R3:

interface ATM2/0
ip address 10.10.13.3 255.255.255.0
ip ospf network point-to-point
mpls ip
pvc 100/0
protocol ip 10.10.13.1 broadcast
!
!
router ospf 10
network 10.10.3.3 0.0.0.0 area 0
network 10.10.13.3 0.0.0.0 area 0
network 10.10.35.3 0.0.0.0 area 0
!

R5:

ip vrf A
rd 10.10.5.5:1
route-target export 56:1
route-target import 56:1
!
ip vrf B
rd 10.10.5.5:2
route-target export 56:2
route-target import 56:2
!
router ospf 10
network 10.10.5.5 0.0.0.0 area 0
network 10.10.35.5 0.0.0.0 area 0
!
router rip
version 2
no auto-summary
!
address-family ipv4 vrf B
redistribute bgp 56 metric transparent
network 10.0.0.0
no auto-summary
exit-address-family
!
address-family ipv4 vrf A
redistribute bgp 56 metric transparent
network 10.0.0.0
no auto-summary
exit-address-family
!
router bgp 56
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.10.6.6 remote-as 56
neighbor 10.10.6.6 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.6.6 activate
neighbor 10.10.6.6 send-community extended
exit-address-family
!
address-family ipv4 vrf B
redistribute rip
no synchronization
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

CE:
R7#traceroute 10.10.8.8 source 10.10.7.7

1 10.10.57.5
2 10.10.35.3 [MPLS: Labels 19/22 Exp 0]
3 10.10.13.1 [MPLS: Labels 23/22 Exp 0]
4 10.10.24.2 [MPLS: Labels 23/22 Exp 0]
5 10.10.24.4 [MPLS: Labels 19/22 Exp 0]
6 10.10.68.6 [MPLS: Label 22 Exp 0]
7 10.10.68.8

In this case, as we have only two routers at provider’s core, we do not see a third label in the label stack.

CCIE SP – Inter-AS MP-BGP with RR

2009-10-13T22:27:00.001-07:00

In MP-BGP, VPN label assignment is always performed by BGP next hop. In the following picture, if we create eBGP relationship beween R3 and R1 (instead of R2), VPN label from CE (R5) to other CE (R4) will point to R1 as R1 is the next hop for R3. The reason behind this is simple, it’s the normal BGP behaviour which always change the next hop at AS boundries, from iBGP to eBGP.

The problem that might happen with this kind of label assignment is that R1 puts itself in traffic path, while its not required. The solution is simple, on R1 set “next-hop-unchanged” for R3, keep in mind that, then R3 should also have a route to R2. Compare client trace route before and after the next-hop change:

Before:

R5#trace 150.1.4.4 source 150.1.5.5

1 172.16.35.3
2 172.16.30.10 [MPLS: Labels 17/16 Exp 0]
3 172.16.70.7 [MPLS: Labels 20/16 Exp 0]
4 172.16.67.6 [MPLS: Labels 18/16 Exp 0]
5 172.16.16.1 [MPLS: Labels 18/16 Exp 0]
6 172.16.24.2 [MPLS: Label 16 Exp 0]
7 172.16.24.4

After:

R5#trace 150.1.4.4 source 150.1.5.5

1 172.16.35.3 508 msec 244 msec 272 msec
2 172.16.30.10 [MPLS: Labels 17/16 Exp 0]
3 172.16.70.7 [MPLS: Labels 20/16 Exp 0]
4 172.16.67.6 [MPLS: Labels 18/16 Exp 0]
5 172.16.24.2 [MPLS: Label 16 Exp 0]
6 172.16.24.4

Notes:

If we configure R1 as RR (Route Reflector) and R6 as RR-Client, then we do not need to configure “no bgp default route-target filter”, because RR never filters route-targets by default.
Routes to R1 (AS600 eBGP) and R2 (AS 600 PE) are required for R3 (AS700 eBGP PE).
If you use a route map at ASBRs don’t forget to “set mpls-label” as long as end-to-end LSP is required for MP-BGP VPN to work.

Configurations

R3:

router bgp 700
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 600
neighbor 1.1.1.1 ebgp-multihop 5
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

R6:

router ospf 10
log-adjacency-changes
redistribute bgp 600 subnets route-map AS700->MPBGP
network 6.6.6.6 0.0.0.0 area 0
network 172.16.16.0 0.0.0.255 area 0
network 172.16.26.0 0.0.0.255 area 0
!
router bgp 600
bgp log-neighbor-changes
neighbor 172.16.67.7 remote-as 700
!
address-family ipv4
neighbor 172.16.67.7 activate
neighbor 172.16.67.7 send-label
no auto-summary
no synchronization
network 1.1.1.1 mask 255.255.255.255
network 2.2.2.2 mask 255.255.255.255
exit-address-family
!
ip prefix-list AS700->MPBGP seq 5 permit 3.3.3.3/32
!
route-map AS700->MPBGP permit 10
match ip address prefix-list AS700->MPBGP
!

R1:

router bgp 600
no synchronization
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 600
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 700
neighbor 3.3.3.3 ebgp-multihop 5
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 3.3.3.3 next-hop-unchanged
exit-address-family
!

R2:

router bgp 600
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 600
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

If R1 acts as Route Reflector then there’s no need of “no bgp default route-target filter”:

R1:

router bgp 600
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 600
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 700
neighbor 3.3.3.3 ebgp-multihop 5
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
neighbor 2.2.2.2 route-reflector-client
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 3.3.3.3 next-hop-unchanged
exit-address-family
!

CCIE SP – Multihop MP-eBGP for Inter-AS MPLS VPN

2009-10-13T04:25:00.001-07:00

The third option for Inter-AS MPLS VPN is using multihop feature of eBGP between VPNv4 PE routers directly from one SP to another one. In the previous posts, we reviewed two other options:

Back to back VRF Inter-AS MPLS VPN

External MP-BGP for VPNv4

In the multihop MP-eBGP, LSP is built end-to-end by PE routers between providers. ASBRs only provide routing between PE routers within two autonomous systems. With having PE routing information, VPNv4 BGP can be built directly from one VRF to another VRF by eBGP multihop between MP-BGP neighbors at different autonomous systems. So that VPN PE routers do not need to run BGP with anyone else and routing information is not exchanged with ASBRs. Let’s go back to our example:

Now we extend the VPN with end-to-end LSP from AS700 VPN-PE (R3) to other PE (R2) at AS 600:

ASBRs (R6 & R7) exchange routes for R2 and R3 reachability.
R6 advertises prefix 2.2.2.2/32 and R7 advertises 3.3.3.3/32 (both ASBR advertise internal MP-eBGP PE routers)
R6 and R7 redistribute the received BGP route of other PE to their IGP for creating multihop reachability.
R6 and R7, exchange labels by “neighbor x.x.x.x send-label” command to join the end to end LSP.

PE Configuration

R3:

ip vrf A
rd 3.3.3.3:1
route-target export 700:1
route-target import 600:1
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router rip
version 2
no auto-summary
!
address-family ipv4 vrf A
redistribute bgp 700 metric transparent
network 172.16.0.0
no auto-summary
exit-address-family
!
router bgp 700
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 600
neighbor 2.2.2.2 ebgp-multihop 6
neighbor 2.2.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

R3#sh ip bgp vpn all
BGP table version is 24, local router ID is 3.3.3.3

   Network          Next Hop        Metric Weight Path
Route Distinguisher: 2.2.2.2:1
*> 150.1.4.4/32     2.2.2.2              1       0 600 ?
*> 172.16.24.0/24   2.2.2.2              0       0 600 ?
*> 172.16.45.0/24   2.2.2.2              1       0 600 ?
Route Distinguisher: 3.3.3.3:1 (default for vrf A)
*> 150.1.4.4/32     2.2.2.2              1       0 600 ?
*> 150.1.5.5/32     172.16.35.5          1       32768 ?
*> 172.16.24.0/24   2.2.2.2              0       0 600 ?
*> 172.16.35.0/24   0.0.0.0              0       32768 ?
* 172.16.45.0/24   2.2.2.2              1       0 600 ?
*>                  172.16.35.5          1       32768 ?

R3#sh ip bgp vpn all label
   Network          Next Hop      In label/Out label
Route Distinguisher: 2.2.2.2:1
   150.1.4.4/32     2.2.2.2         nolabel/16
   172.16.24.0/24   2.2.2.2         nolabel/20
   172.16.45.0/24   2.2.2.2         nolabel/21
Route Distinguisher: 3.3.3.3:1 (A)
   150.1.4.4/32     2.2.2.2         nolabel/16
   150.1.5.5/32     172.16.35.5     24/nolabel
   172.16.24.0/24   2.2.2.2         nolabel/20
   172.16.35.0/24   0.0.0.0         23/aggregate(A)
   172.16.45.0/24   2.2.2.2         22/21
                    172.16.35.5     22/nolabel

R3#sh mpls forwarding-table
Local Outgoing    Prefix             Outgoing Next Hop
tag    tag or VC   or Tunnel Id       interface
16     17          2.2.2.2/32         Et0/0     172.16.30.10
17     Pop tag     172.16.70.0/24     Et0/0     172.16.30.10
18     16          7.7.7.7/32         Et0/0     172.16.30.10
20     Pop tag     10.10.10.10/32     Et0/0     172.16.30.10
22     Untagged    172.16.45.0/24[V] Et0/1     172.16.35.5
23     Aggregate   172.16.35.0/24[V]
24     Untagged    150.1.5.5/32[V]    Et0/1     172.16.35.5

R0:

R0#sh mpls forwarding-table
Local Outgoing    Prefix            Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      interface
16     Pop tag     7.7.7.7/32        Et0/0      172.16.70.7
17     20          2.2.2.2/32        Et0/0      172.16.70.7
19     Pop tag     3.3.3.3/32        Et0/1      172.16.30.3

R7:

router ospf 10
log-adjacency-changes
redistribute bgp 700 metric-type 1 subnets route-map AS600->MPBGP
network 7.7.7.7 0.0.0.0 area 0
network 172.16.70.0 0.0.0.255 area 0
!
router bgp 700
bgp log-neighbor-changes
neighbor 172.16.67.6 remote-as 600
!
address-family ipv4
neighbor 172.16.67.6 activate
neighbor 172.16.67.6 send-label
no auto-summary
no synchronization
network 3.3.3.3 mask 255.255.255.255
exit-address-family
!
ip prefix-list AS600->MPBGP seq 5 permit 2.2.2.2/32
!
route-map AS600->MPBGP permit 10
match ip address prefix-list AS600->MPBGP
!

R7#sh mpls forwarding-table
Local Outgoing    Prefix            Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      interface
16     19          3.3.3.3/32        Et0/0      172.16.70.10
17     Pop tag     172.16.30.0/24    Et0/0      172.16.70.10
18     Pop tag     10.10.10.10/32    Et0/0      172.16.70.10
19     Pop tag     172.16.67.6/32    Et0/1.10   172.16.67.6
20     18          2.2.2.2/32        Et0/1.10   172.16.67.6

CE Router:

R5#trace 150.1.4.4 source 150.1.5.5

1 172.16.35.3
2 172.16.30.10 [MPLS: Labels 17/16 Exp 0]
3 172.16.70.7 [MPLS: Labels 20/16 Exp 0]
4 172.16.67.6 [MPLS: Labels 18/16 Exp 0]
5 172.16.16.1 [MPLS: Labels 18/16 Exp 0]
6 172.16.24.2 [MPLS: Label 16 Exp 0]
7 172.16.24.4

CCIE SP - External MP-BGP for VPNv4

2009-10-12T09:19:00.001-07:00

In the previous post, we reviewed VRF-to-VRF Inter-AS MPLS VPNs, now we want to go over the other option, which is the use of MP-eBGP at ASBRs for prefix exchange. This method is more scalable and felixable than back-to-back VRFs and only one interface is required between providers routers.

No VRF is required.
Automatic Route filtering must be disabled (no bgp default route-target filter)
MPLS Label switching between providers is required (using MP-eBGP)
Next-hop-self is required on ASBRs for internal PE neighbors.
Eliminates the need of any other label protocol like LDP/TDP between two ASBRs.
non-VPN networks can act as transit network for VPN traffic.

With reference to our previous setup, we are going to create MP-iBGP between PEs inside AS and MP-eBGP between ASBRs.

PE Configurations

R3:

ip vrf A
rd 3.3.3.3:1
route-target export 700:1
route-target import 600:1
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router rip
version 2
no auto-summary
!
address-family ipv4 vrf A
redistribute bgp 700 metric transparent
network 172.16.0.0
no auto-summary
exit-address-family
!
router bgp 700
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 7.7.7.7 remote-as 700
neighbor 7.7.7.7 update-source Loopback0
!
address-family vpnv4
neighbor 7.7.7.7 activate
neighbor 7.7.7.7 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

R7:
router bgp 700
no bgp default ipv4-unicast
no bgp default route-target filter
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 700
neighbor 3.3.3.3 update-source Loopback0
neighbor 172.16.67.6 remote-as 600
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 3.3.3.3 next-hop-self
neighbor 172.16.67.6 activate
neighbor 172.16.67.6 send-community extended
exit-address-family
!

R7#sh mpls forwarding-table
Local Outgoing   Prefix         Bytes tag Outgoing Next Hop
tag    tag or VC or Tunnel Id   switched interface
16     19         3.3.3.3/32               Et0/0    172.16.70.10
17     Pop tag    172.16.30.0/24           Et0/0    172.16.70.10
18     Pop tag    10.10.10.10/32           Et0/0    172.16.70.10
19     26         2.2.2.2:1:172.16.24.0/24 Et0/1.10 172.16.67.6
20     25         2.2.2.2:1:150.1.4.4/32   Et0/1.10 172.16.67.6
21     24         2.2.2.2:1:172.16.45.0/24 Et0/1.10 172.16.67.6
22     Pop tag    172.16.67.6/32           Et0/1.10 172.16.67.6
23     24         3.3.3.3:1:150.1.5.5/32   Et0/0    172.16.70.10
24     22         3.3.3.3:1:172.16.45.0/24 Et0/0    172.16.70.10
25     23         3.3.3.3:1:172.16.35.0/24 Et0/0    172.16.70.10

R7#sh ip bgp vpnv4 all labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 2.2.2.2:1
   150.1.4.4/32     172.16.67.6     20/25
   172.16.24.0/24   172.16.67.6     19/26
   172.16.45.0/24   172.16.67.6     21/24
Route Distinguisher: 3.3.3.3:1
   150.1.5.5/32     3.3.3.3         23/24
   172.16.35.0/24   3.3.3.3         25/23
   172.16.45.0/24   3.3.3.3         24/22

CE Trace-route

R5#sh ip route

     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.45.0 is directly connected, Ethernet0/3
C       172.16.35.0 is directly connected, Ethernet0/0
R       172.16.24.0 [120/1] via 172.16.35.3, 00:00:25, Ethernet0/0
     150.1.0.0/32 is subnetted, 2 subnets
C       150.1.5.5 is directly connected, Loopback0
R       150.1.4.4 [120/1] via 172.16.35.3, 00:00:25, Ethernet0/0

R5#trace 150.1.4.4 source 150.1.5.5

1 172.16.35.3
2 172.16.30.10 [MPLS: Labels 16/20 Exp 0]
3 172.16.70.7 [MPLS: Label 20 Exp 0]
4 172.16.67.6 [MPLS: Label 25 Exp 0]
5 172.16.16.1 [MPLS: Labels 18/16 Exp 0]
6 172.16.24.2 [MPLS: Label 16 Exp 0]
7 172.16.24.4

CCIE SP – Back to Back VRF Inter-AS MPLS VPN

2009-10-12T06:10:00.001-07:00

When customer’s sites are connected to different MPLS providers, there are several options available for providers to connect customer sites just like regular MLPS VPNs transparent to customers. In our example below, the Customer1 has two sites, each connected to an individual service provider. Service providers have several options to achieve this goal, the simplest one - is the VRF-to-VRF (as stated in RFC 4364) or the back-to-back VRF (as named by Cisco). SP connects to other SP through a VRF just like the way they connect to CE so that they can exchange IPv4 routes on that connection point. Each sub-interface between SP to SP has to be dedicated to a single VRF (single customer VPN). These PE routers between service providers are called ASBR. (R6 and R7 in our example)

In this method IP packets are forwarded between ASBRs and no form of LSP exists between providers. Although this form of connectivity is very basic however this is the widely deployed Inter-AS option used today.

CE routers (4 & 5) communicate with PE (R2 & R3) using RIP.
PE routers redistribute RIP routes into MP-iBGP (RT=600:1 & RT=700:1)
PE routers send routes to ASBR PE routers (R6 & R7) using MPLS Core.
ASBR routers redistribute MP-iBGP into RIP and send them to VRF.
ASBR routers recieve routes through RIP and export them as RT:600:1 fo AS700 and RT:700:1 for AS600 and import them on PE and redistribute them back to RIP for CE routers.

PE and ASBR Configuration of AS700

R3:

ip vrf A
rd 3.3.3.3:1
route-target export 700:1
route-target import 600:1
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.30.3 255.255.255.0
!
interface Ethernet0/1
ip vrf forwarding A
ip address 172.16.35.3 255.255.255.0
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router rip
version 2
no auto-summary
!
address-family ipv4 vrf A
redistribute bgp 700 metric transparent
network 172.16.0.0
no auto-summary
exit-address-family
!
router bgp 700
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 7.7.7.7 remote-as 700
neighbor 7.7.7.7 update-source Loopback0
!
address-family vpnv4
neighbor 7.7.7.7 activate
neighbor 7.7.7.7 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

R7:

ip vrf A
rd 7.7.7.7:1
route-target export 600:1
route-target import 700:1
!
interface Loopback0
ip address 7.7.7.7 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.70.7 255.255.255.0
mpls ip
!
interface Ethernet0/1.10
encapsulation dot1Q 10
ip vrf forwarding A
ip address 172.16.67.7 255.255.255.0
!
router ospf 10
log-adjacency-changes
network 7.7.7.7 0.0.0.0 area 0
network 172.16.70.0 0.0.0.255 area 0
!
router rip
version 2
no auto-summary
!
address-family ipv4 vrf A
redistribute bgp 700 metric transparent
network 172.16.0.0
no auto-summary
exit-address-family
!
router bgp 700
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 700
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

PE and ASBR Configration of AS600

R2:

ip vrf A
rd 2.2.2.2:1
route-target export 600:1
route-target import 700:1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.12.2 255.255.255.0
!
interface Ethernet0/2
ip vrf forwarding A
ip address 172.16.24.2 255.255.255.0
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router rip
version 2
no auto-summary
!
address-family ipv4 vrf A
redistribute bgp 600 metric transparent
network 172.16.0.0
no auto-summary
exit-address-family
!
router bgp 600
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 6.6.6.6 remote-as 600
neighbor 6.6.6.6 update-source Loopback0
!
address-family vpnv4
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

R6:

ip vrf A
rd 6.6.6.6:1
route-target export 700:1
route-target import 600:1
!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.16.6 255.255.255.0
mpls ip
!
interface Ethernet0/1.10
encapsulation dot1Q 10
ip vrf forwarding A
ip address 172.16.67.6 255.255.255.0
!
router ospf 10
log-adjacency-changes
network 6.6.6.6 0.0.0.0 area 0
network 172.16.16.0 0.0.0.255 area 0
!

router rip
version 2
no auto-summary
!
address-family ipv4 vrf A
redistribute bgp 600 metric transparent
network 172.16.0.0
no auto-summary
exit-address-family
!
router bgp 600
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 600
neighbor 2.2.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf A
redistribute rip
no synchronization
exit-address-family
!

CE Routers

R4#sh ip route

     172.16.0.0/24 is subnetted, 4 subnets
C       172.16.45.0 is directly connected, Ethernet0/3
R       172.16.35.0 [120/2] via 172.16.24.2, 00:00:02, Ethernet0/0
C       172.16.24.0 is directly connected, Ethernet0/0
R       172.16.67.0 [120/1] via 172.16.24.2, 00:00:02, Ethernet0/0
     150.1.0.0/32 is subnetted, 2 subnets
R       150.1.5.5 [120/3] via 172.16.24.2, 00:00:02, Ethernet0/0
C       150.1.4.4 is directly connected, Loopback0

R4#ping 150.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
.!!!!

R4#traceroute 150.1.5.5 source 150.1.4.4

Type escape sequence to abort.
Tracing the route to 150.1.5.5

1 172.16.24.2
2 172.16.12.1 [MPLS: Labels 16/22 Exp 0]
3 172.16.67.6 [MPLS: Label 22 Exp 0]
4 172.16.67.7
5 172.16.70.10 [MPLS: Labels 19/16 Exp 0]
6 172.16.35.3 [MPLS: Label 16 Exp 0]
7 172.16.35.5

CCIE SP – BGP as PE-CE

2009-10-11T10:49:00.001-07:00

Usually service providers assign a unique AS number to each customer’s site for MPLS BGP routing (between PE and CE)… In our example, the Customer1, our favorite customer has four sites using R4, R5, R6 and R7 from AS64 to 67 to use MPLS backbone as transit network to deliver their applications. Customer1 is peering with AS666 (Provider) at each location:

Customer configuration on R4, R5, R6 and R7 is almost similar to each other:

R4:

router bgp 64
no synchronization
bgp log-neighbor-changes
network 150.1.4.4 mask 255.255.255.255
neighbor 172.16.24.2 remote-as 666
no auto-summary

Configuration of PE

R2:

ip vrf CUSTOMER1
rd 2.2.2.2:1
route-target export 666:1
route-target import 666:1
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 666
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
neighbor 172.16.24.4 remote-as 64
neighbor 172.16.24.4 activate
neighbor 172.16.26.6 remote-as 66
neighbor 172.16.26.6 activate
no synchronization
exit-address-family
!

R3:

ip vrf CUSTOMER1
rd 3.3.3.3:1
route-target export 666:1
route-target import 666:1
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 666
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
neighbor 172.16.35.5 remote-as 65
neighbor 172.16.35.5 activate
neighbor 172.16.37.7 remote-as 67
neighbor 172.16.37.7 activate
no synchronization
network 30.30.30.30 mask 255.255.255.255
exit-address-family
!

R3#sh ip bgp vpnv4 vrf CUSTOMER1 summary
BGP router identifier 3.3.3.3, local AS number 666
BGP table version is 7, main routing table version 7
4 network entries using 548 bytes of memory
4 path entries using 272 bytes of memory
7/4 BGP path/bestpath attribute entries using 868 bytes of memory
4 BGP AS-PATH entries using 96 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1808 total bytes of memory
BGP activity 59/55 prefixes, 225/221 paths, scan interval 15 secs

Neighbor     V AS Rcvd Sent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.35.5 4 65   98 101      7   0    0 01:33:48       1
172.16.37.7 4 67   99 102      7   0    0 01:34:07       1

R3#sh ip bgp vpnv4 all
BGP table version is 7, local router ID is 3.3.3.3

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2.2.2.2:1 (default for vrf CUSTOMER1)
*>i150.1.4.4/32     2.2.2.2                  0    100      0 64 i
*> 150.1.5.5/32     172.16.35.5              0             0 65 i
*>i150.1.6.6/32     2.2.2.2                  0    100      0 66 i
*> 150.1.7.7/32     172.16.37.7              0             0 67 i

And the Customer1 routing table:

R7#sh ip route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.37.0 is directly connected, Ethernet0/0
     150.1.0.0/32 is subnetted, 3 subnets
C       150.1.7.7 is directly connected, Loopback0
B       150.1.6.6 [20/0] via 172.16.37.3, 01:28:18
B       150.1.5.5 [20/0] via 172.16.37.3, 01:37:56
B       150.1.4.4 [20/0] via 172.16.37.3, 01:35:49

R7#ping 150.1.4.4 source 150.1.7.7
!!!!!
R7#ping 150.1.5.5 source 150.1.7.7
!!!!!
R7#ping 150.1.6.6 source 150.1.7.7
!!!!!

Now, what might happen if we put all customer’s sites into one autonomous system?

BGP has a loop prevention mechanism called AS_Path: If you see your own AS in an update, drop it… It’s a loop. Let’s try it and watch it in action:

PE Configuration

R2:
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 666
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
neighbor 172.16.24.4 remote-as 69
neighbor 172.16.24.4 activate
neighbor 172.16.26.6 remote-as 69
neighbor 172.16.26.6 activate
no synchronization
network 20.20.20.20 mask 255.255.255.255
exit-address-family

R3:

router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 666
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
neighbor 172.16.35.5 remote-as 69
neighbor 172.16.35.5 activate
neighbor 172.16.37.7 remote-as 69
neighbor 172.16.37.7 activate
no synchronization
network 30.30.30.30 mask 255.255.255.255
exit-address-family

From PE’s point of view, there’s no problemo:

R3#sh ip bgp vpn vrf CUSTOMER1
BGP table version is 11, local router ID is 30.30.30.30

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 3.3.3.3:1 (default for vrf CUSTOMER1)
*>i20.20.20.20/32   2.2.2.2                  0    100      0 i
*> 30.30.30.30/32   0.0.0.0                  0         32768 i
*>i150.1.4.4/32     2.2.2.2                  0    100      0 69 i
*> 150.1.5.5/32     172.16.35.5              0             0 69 i
*>i150.1.6.6/32     2.2.2.2                  0    100      0 69 i
*> 150.1.7.7/32     172.16.37.7              0             0 69 i

But look at CE (R4):

BGP(0): 172.16.24.2 rcv UPDATE about 150.1.7.7/32 -- DENIED due to: AS-PATH contains our own AS;
BGP(0): 172.16.24.2 rcv UPDATE about 150.1.5.5/32 -- DENIED due to: AS-PATH contains our own AS;
BGP(0): 172.16.24.2 rcv UPDATE about 150.1.6.6/32 -- DENIED due to: AS-PATH contains our own AS;
BGP(0): Revise route installing 1 of 1 routes for 20.20.20.20/32 -> 172.16.24.2(main) to main IP table
BGP(0): Revise route installing 1 of 1 routes for 30.30.30.30/32 -> 172.16.24.2(main) to main IP table

R4#sh ip bgp
BGP table version is 4, local router ID is 150.1.4.4

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.20.20.20/32   172.16.24.2              0             0 666 i
*> 30.30.30.30/32   172.16.24.2                            0 666 i
*> 150.1.4.4/32     0.0.0.0                  0         32768 i

CE does not accept routes to other CE routers as those are in its own AS. AS_PATH loop prevention method does not let them to install in RIB. There are two methods to solve this issue as workaround:

BGP AS-Override
BGP AllowAS-in

The first method replaces customer’s AS number with provider’s AS (by the PE).
The second method ignores own AS in AS_PATH (by CE).

Now, let’s try both:

BGP AS_Override

R2(config)#router bgp 666
R2(config-router)#add ipv4 vrf CUSTOMER1
R2(config-router-af)#neighbor 172.16.24.4 as-override
R2(config-router-af)#
%BGP-5-ADJCHANGE: neighbor 172.16.24.4 vpn vrf CUSTOMER1 Down AS-override change
%BGP-5-ADJCHANGE: neighbor 172.16.24.4 vpn vrf CUSTOMER1 Up

R4#sh ip bgp
BGP table version is 11, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop    Metric LocPrf Weight Path
*> 20.20.20.20/32   172.16.24.2      0             0 666 i
*> 30.30.30.30/32   172.16.24.2                    0 666 i
*> 150.1.4.4/32     0.0.0.0          0         32768 i
*> 150.1.5.5/32     172.16.24.2                    0 666 666 i
*> 150.1.6.6/32     172.16.24.2                    0 666 666 i
*> 150.1.7.7/32     172.16.24.2                    0 666 666 i

BGP AllowAS_in

R5(config)#router bgp 69
R5(config-router)#neighbor 172.16.35.3 allowas-in
R5(config-router)#do cle ip bgp *
*Mar 3 07:48:05.946: %BGP-5-ADJCHANGE: neighbor 172.16.35.3 Down User reset
*Mar 3 07:48:06.918: %BGP-5-ADJCHANGE: neighbor 172.16.35.3 Up

R5(config-router)#^Z
R5#sh ip bgp
BGP table version is 7, local router ID is 150.1.5.5

   Network          Next Hop            Metric LocPrf Weight Path
*> 20.20.20.20/32   172.16.35.3                            0 666 i
*> 30.30.30.30/32   172.16.35.3              0             0 666 i
*> 150.1.4.4/32     172.16.35.3                            0 666 69 i
*> 150.1.5.5/32     0.0.0.0                  0         32768 i
*> 150.1.6.6/32     172.16.35.3                            0 666 69 i
*> 150.1.7.7/32     172.16.35.3                            0 666 69 i

AS_PATH loop prevention method is a good thing. When we ignore it, some bad things might happen to us… and BGP Site of Origin is introduced… BGP SOO keeps track of updates and the location that they are originated from, in an extended community, just like EIGRP SOO that we covered earlier.

BGP SOO is an extended community that helps us to prevent loop and suboptimal routing especially when a backdoor link is present in the network. We set it on PE routers as ingress route-map inside BGP configuration. If you want to do this for other routing protocols, you have to set it on interface with ip vrf site-map command.

R3(config)#route-map SOO
R3(config-route-map)#set extcommunity soo 666:1
R3(config-route-map)#router bgp 666
R3(config-router)#address-family ipv4 vrf CUSTOMER1
R3(config-router-af)#neighbor 172.16.35.5 route-map SOO in

…

R2#sh ip bgp vpnv4 all 150.1.5.5
BGP routing table entry for 2.2.2.2:1:150.1.5.5/32, version 58
Paths: (1 available, best #1, table CUSTOMER1)
Flag: 0x820
Advertised to update-groups:
     2          3
69, imported path from 3.3.3.3:1:150.1.5.5/32
    3.3.3.3 (metric 31) from 3.3.3.3 (3.3.3.3)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: SoO:666:1 RT:666:1
      mpls labels in/out nolabel/23

Note: Don’t forget to set BGP SOO at each ingress point at each PE per CE neighbor.

CCIE SP – OSPF Super-Backbone

2009-10-10T15:53:00.001-07:00

Once upon a time there was one RIP and not so many problems with its simplicity! Nowadays networks are larger in scale and more complex in action, convergence time and redundancy are more important than ever. It’s not too bad, lots of fun for us… Once the customers want to use OSPF on C Routers, we have to provide OSPF on each PE and span customer area across MPLS backbone. It’s not difficult but there were some conceptual problems at first! Consistency of area LSAs while we are redistributing them on each PE router from OSPF to BGP and vice versa became an issue… Routes inside an area became IA (Inter-Area) across the MPLS network, reported by LSA type 3 network summary.

The Solution is simple, extend the customer backbone area across MPLS backbone using some virtual links… called “Sham Link”. Sham links help us to deliver routes as intra-area - regular routes - not the inter-area, resulting in better route selection. OSPF prefers intra-area routes to inter-area then external and after all NSSA external routes so it’s important to have routes as intra-area inside one area… Now let’s bring an example and the interesting part of configuration:

Customer1, our favorite customer has 4 sites and area 0 is used and configured on all CE routers. Our mission is to make them connected to work! Now let’s start it without sham links and see what might happen. Configuration on CE routers:

router ospf 100
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0

Note1: By default OSPF external routes are not redistributed using “redistributed ospf”. Make sure to include the “external” keyword while configuring redistribution.

Note2: By default OSPF Domain-ID equals to Process-ID, so routers with same Process-ID are considered to be in same OSPF domain. When you use different OSPF Process-IDs make sure to modify Domain-ID to be equal between neighbors, unless you want to have your routes treated as the External-Type-2 for other OSPF routers in different domain.

PE Configuration:

router ospf 666 vrf CUSTOMER1
domain-id 0.0.0.10
redistribute bgp 666 subnets
network 172.16.0.0 0.0.255.255 area 0
!
router bgp 666
no synchronization
neighbor 3.3.3.3 remote-as 666
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute ospf 666 vrf CUSTOMER1 match internal external 1 external 2
no synchronization
exit-address-family

R2#sh ip route vrf CUSTOMER1

     172.16.0.0/24 is subnetted, 5 subnets
B       172.16.45.0 [200/110] via 3.3.3.3, 00:02:52
B       172.16.37.0 [200/0] via 3.3.3.3, 00:02:52
B       172.16.35.0 [200/0] via 3.3.3.3, 00:02:52
C       172.16.24.0 is directly connected, Ethernet0/2
C       172.16.26.0 is directly connected, Ethernet0/1
     150.1.0.0/32 is subnetted, 4 subnets
B       150.1.7.7 [200/11] via 3.3.3.3, 00:02:52
O       150.1.6.6 [110/11] via 172.16.26.6, 00:03:07, Ethernet0/1
B       150.1.5.5 [200/11] via 3.3.3.3, 00:02:52
O       150.1.4.4 [110/11] via 172.16.24.4, 00:03:07, Ethernet0/2

R4#sh ip route

     172.16.0.0/24 is subnetted, 5 subnets
O IA    172.16.45.0 [110/120] via 172.16.24.2, 00:04:05, Ethernet0/0
O IA    172.16.37.0 [110/11] via 172.16.24.2, 00:04:05, Ethernet0/0
O IA    172.16.35.0 [110/11] via 172.16.24.2, 00:04:05, Ethernet0/0
C       172.16.24.0 is directly connected, Ethernet0/0
O       172.16.26.0 [110/20] via 172.16.24.2, 00:04:06, Ethernet0/0
     150.1.0.0/32 is subnetted, 4 subnets
O IA    150.1.7.7 [110/21] via 172.16.24.2, 00:04:06, Ethernet0/0
O       150.1.6.6 [110/21] via 172.16.24.2, 00:04:06, Ethernet0/0
O IA    150.1.5.5 [110/21] via 172.16.24.2, 00:04:05, Ethernet0/0
C       150.1.4.4 is directly connected, Loopback0

But once we connect the backdoor link between R4 and R5:

R4(config)#int e 0/3
R4(config-if)#no shut
%LINK-3-UPDOWN: Interface Ethernet0/3, changed state to up

R4(config-if)#ip os cost 100
R4(config-if)#do sh ip route

     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.45.0 is directly connected, Ethernet0/3
O       172.16.37.0 [110/120] via 172.16.45.5, 00:00:22, Ethernet0/3
O       172.16.35.0 [110/110] via 172.16.45.5, 00:00:22, Ethernet0/3
C       172.16.24.0 is directly connected, Ethernet0/0
O       172.16.26.0 [110/20] via 172.16.24.2, 00:00:22, Ethernet0/0
     150.1.0.0/32 is subnetted, 4 subnets
O       150.1.7.7 [110/121] via 172.16.45.5, 00:00:22, Ethernet0/3
O       150.1.6.6 [110/21] via 172.16.24.2, 00:00:22, Ethernet0/0
O       150.1.5.5 [110/101] via 172.16.45.5, 00:00:22, Ethernet0/3
C       150.1.4.4 is directly connected, Loopback0

Even after increasing the backdoor cost by ‘ip ospf cost’ command, routes through backdoor are prefered, why? Because intra-area routes are better than inter-area routes regardless of metric. Now the magical ‘sham-link’ comes into the play:

R2:

R2(config)#int loopback 1
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up

R2(config-if)#ip address 20.20.20.20 255.255.255.255
R2(config-if)#router bgp 666
R2(config-router)#address-family ipv4 vrf CUSTOMER1
R2(config-router-af)#network 20.20.20.20 mask 255.255.255.255
R2(config-router-af)#exit
R2(config-router)#router ospf 666 vrf CUSTOMER1
R2(config-router)#area 0 sham-link 20.20.20.20 30.30.30.30

%OSPF-5-ADJCHG: Process 666, Nbr 172.16.37.3 on OSPF_SL0 from LOADING to FULL, Loading Done

R2#sh ip os 666 sham
Sham Link OSPF_SL0 to address 30.30.30.30 is up
Area 0 source address 20.20.20.20
Run as demand circuit
DoNotAge LSA allowed. Cost of using 1 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:02
    Adjacency State FULL (Hello suppressed)
    Index 3/3, retransmission queue length 0, number of retransmission 2
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 6
    Last retransmission scan time is 0 msec, maximum is 0 msec

R2#sh ip route vrf CUSTOMER1

     20.0.0.0/32 is subnetted, 1 subnets
C       20.20.20.20 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 5 subnets
O       172.16.45.0 [110/110] via 172.16.24.4, 00:02:00, Ethernet0/2
O       172.16.37.0 [110/11] via 3.3.3.3, 00:02:00
O       172.16.35.0 [110/11] via 3.3.3.3, 00:02:00
C       172.16.24.0 is directly connected, Ethernet0/2
C       172.16.26.0 is directly connected, Ethernet0/1
     150.1.0.0/32 is subnetted, 4 subnets
O       150.1.7.7 [110/12] via 3.3.3.3, 00:02:00
O       150.1.6.6 [110/11] via 172.16.26.6, 00:02:00, Ethernet0/1
O       150.1.5.5 [110/12] via 3.3.3.3, 00:02:01
O       150.1.4.4 [110/11] via 172.16.24.4, 00:02:01, Ethernet0/2
     30.0.0.0/32 is subnetted, 1 subnets
B       30.30.30.30 [200/0] via 3.3.3.3, 00:03:09

R4#show ip route

     20.0.0.0/32 is subnetted, 1 subnets
O E2    20.20.20.20 [110/1] via 172.16.24.2, 00:02:34, Ethernet0/0
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.45.0 is directly connected, Ethernet0/3
O       172.16.37.0 [110/21] via 172.16.24.2, 00:02:34, Ethernet0/0
O       172.16.35.0 [110/21] via 172.16.24.2, 00:02:34, Ethernet0/0
C       172.16.24.0 is directly connected, Ethernet0/0
O       172.16.26.0 [110/20] via 172.16.24.2, 00:02:34, Ethernet0/0
     150.1.0.0/32 is subnetted, 4 subnets
O       150.1.7.7 [110/22] via 172.16.24.2, 00:02:34, Ethernet0/0
O       150.1.6.6 [110/21] via 172.16.24.2, 00:02:34, Ethernet0/0
O       150.1.5.5 [110/22] via 172.16.24.2, 00:02:34, Ethernet0/0
C       150.1.4.4 is directly connected, Loopback0
     30.0.0.0/32 is subnetted, 1 subnets
O E2    30.30.30.30 [110/1] via 172.16.24.2, 00:02:35, Ethernet0/0

R3:

interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
ip vrf forwarding CUSTOMER1
ip address 30.30.30.30 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.30.3 255.255.255.0
!
interface Ethernet0/1
ip vrf forwarding CUSTOMER1
ip address 172.16.35.3 255.255.255.0
!
interface Ethernet0/2
ip vrf forwarding CUSTOMER1
ip address 172.16.37.3 255.255.255.0
!
router ospf 666 vrf CUSTOMER1
domain-id 0.0.0.10
log-adjacency-changes
area 0 sham-link 30.30.30.30 20.20.20.20
redistribute bgp 666 subnets
network 172.16.0.0 0.0.255.255 area 0
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 666
neighbor 1.1.1.1 update-source Loopback0
neighbor 2.2.2.2 remote-as 666
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute ospf 666 vrf CUSTOMER1 match internal external 1 external 2
no synchronization
network 30.30.30.30 mask 255.255.255.255
exit-address-family
!

R3#show ip ospf 666 neighbor

Neighbor ID   Pri   State      Dead Time   Address       Interface
150.1.7.7       1   FULL/DR    00:00:34    172.16.37.7   Ethernet0/2
150.1.5.5       1   FULL/DR    00:00:36    172.16.35.5   Ethernet0/1
172.16.26.2     0   FULL/ -      -        20.20.20.20   OSPF_SL0

Final Note: The sham link source and destination should not be included in OSPF network that’s why we are advertising them in BGP domain.

SOO for EIGRP – Site-of-Origin

2009-10-10T11:37:00.001-07:00

To speed up the reconvergence of EIGRP in MPLS networks -when there’s a backdoor link between sites (outside of MPLS boundary) EIGRP uses SOO extended community attribute to tag the site of origin of particular routes for each site. This method reduces the time of convergence as it eliminates count to infinity of EIGRP which is 100 hops by default in case of loop occurrence. In each site we set a unique SOO ID so PE routers can distinguish between routes based on the site of origin value inside BGP community value of each update.

Configuration on PE:

R2:

ip vrf CUSTOMER1
rd 2.2.2.2:1
route-target export 666:1
route-target import 666:1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.12.2 255.255.255.0
!
interface Ethernet0/1
ip vrf forwarding CUSTOMER1
ip vrf sitemap soo6
ip address 172.16.26.2 255.255.255.0
!
interface Ethernet0/2
ip vrf forwarding CUSTOMER1
ip vrf sitemap soo4
ip address 172.16.24.2 255.255.255.0
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf CUSTOMER1
redistribute bgp 666 metric 10000 10 255 1 1500
network 172.16.0.0
auto-summary
autonomous-system 10
exit-address-family
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 666
neighbor 1.1.1.1 update-source Loopback0
neighbor 3.3.3.3 remote-as 666
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute eigrp 10
no synchronization
exit-address-family
!
route-map soo6 permit 10
set extcommunity soo 10:6
!
route-map soo4 permit 10
set extcommunity soo 10:4

R3:

ip vrf CUSTOMER1
rd 2.2.2.2:1
route-target export 666:1
route-target import 666:1
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.30.3 255.255.255.0
!
interface Ethernet0/1
ip vrf forwarding CUSTOMER1
ip vrf sitemap soo5
ip address 172.16.35.3 255.255.255.0
!
interface Ethernet0/2
ip vrf forwarding CUSTOMER1
ip vrf sitemap soo7
ip address 172.16.37.3 255.255.255.0
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf CUSTOMER1
redistribute bgp 666 metric 10000 10 255 1 1500
network 172.16.0.0
auto-summary
autonomous-system 10
exit-address-family
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 666
neighbor 1.1.1.1 update-source Loopback0
neighbor 2.2.2.2 remote-as 666
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute eigrp 10
no synchronization
exit-address-family
!
route-map soo7 permit 10
set extcommunity soo 10:7
!
route-map soo5 permit 10
set extcommunity soo 10:5
!

R3#sh ip bgp vpn all 172.16.45.0
BGP routing table entry for 2.2.2.2:1:172.16.45.0/24, version 174
Paths: (2 available, best #1, table CUSTOMER1)
Flag: 0x820
Advertised to update-groups:
     1
Local
    172.16.35.5 from 0.0.0.0 (3.3.3.3)
      Origin incomplete, metric 537600, localpref 100, weight 32768, valid, sourced, best
      Extended Community: SoO:10:5 RT:666:1 Cost:pre-bestpath:128:537600
        0x8800:32768:0 0x8801:10:281600 0x8802:65281:256000 0x8803:65281:1500
      mpls labels in/out 21/nolabel
Local
    2.2.2.2 (metric 31) from 2.2.2.2 (2.2.2.2)
      Origin incomplete, metric 537600, localpref 100, valid, internal
      Extended Community: SoO:10:4 RT:666:1 Cost:pre-bestpath:128:537600
        0x8800:32768:0 0x8801:10:281600 0x8802:65281:256000 0x8803:65281:1500
      mpls labels in/out 21/33

R3#sh ip bgp vpn all
BGP table version is 174, local router ID is 3.3.3.3
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2.2.2.2:1 (default for vrf CUSTOMER1)
*>i150.1.4.4/32     2.2.2.2             409600    100      0 ?
*> 150.1.5.5/32     172.16.35.5         409600         32768 ?
*>i150.1.6.6/32     2.2.2.2             409600    100      0 ?
*> 150.1.7.7/32     172.16.37.7         409600         32768 ?
*> 172.16.24.0/24   172.16.35.5         563200         32768 ?
* i                 2.2.2.2                  0    100      0 ?
*>i172.16.26.0/24   2.2.2.2                  0    100      0 ?
r>i172.16.35.0/24   2.2.2.2             563200    100      0 ?
r                   0.0.0.0                  0         32768 ?
*> 172.16.37.0/24   0.0.0.0                  0         32768 ?
*> 172.16.45.0/24   172.16.35.5         537600         32768 ?
* i                 2.2.2.2             537600    100      0 ?

CCIE SP – MPLS VPN - EIGRP as PE-CE

2009-10-10T07:59:00.001-07:00

Cisco has added EIGRP metrics and attributes inside BGP extended communities. BGP cost community delivers EIGRP costs between MP-BGP neighbors to extend EIGRP autonoumous system across service provider network. Let’s bring an example to understand it better. Customer1 has 4 sites connected to our MPLS backbone using EIGRP as CE to PE routing protocol. R4, R5, R6 and R7 are customer equipments. R4 and R5 are more important sites, so there’s a backdoor link connecting these two as a backup to MPLS connectivity.

To set your GNS3 for following practice you can download GNS3 configuration text from initial MPLS-VPN post.

Configuration on customer edge routers is quite simple:

router eigrp 10
network 150.1.0.0
network 172.16.0.0
no auto-summary

172.16.x.x is assigned for links, while 150.1.x.x is for routers loopbacks. All four customer routers are in the same autonomous system of 10. now PE configuration, inside R2 we have to create VRF for customer1:

R2(config)#ip vrf CUSTOMER1
R2(config-vrf)#rd 2.2.2.2:1
R2(config-vrf)#route-target ?
ASN:nn or IP-address:nn Target VPN Extended Community
both                     Both import and export Target-VPN community
export                   Export Target-VPN community
import                   Import Target-VPN community
R2(config-vrf)#route-target both 666:1
R2(config-vrf)#exit

R2(config)#do sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability Platform Port ID
R1               Eth 0/0            123        R S I      3640      Eth 0/1
R6               Eth 0/1            167        R S I      3640      Eth 0/0
R4               Eth 0/2            179        R S I      3640      Eth 0/0

R2(config)#int ran e 0/1 -2
R2(config-if-range)#ip vrf forwarding CUSTOMER1

R2(config-if-range)#int e 0/1
R2(config-if)#ip add 172.16.26.2 255.255.255.0
R2(config-if)#int e 0/2
R2(config-if)#ip add 172.16.24.2 255.255.255.0
R2(config-if)#do ping vrf CUSTOMER1 172.16.26.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.26.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
R2(config-if)#do ping vrf CUSTOMER1 172.16.24.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.24.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 10/22/68 ms

R2(config-if)#router eigrp 1
R2(config-router)#no auto-summary
R2(config-router)#address-family ipv4 vrf CUSTOMER1
R2(config-router-af)#net 172.16.0.0 0.0.255.255
R2(config-router-af)#autonomous-system 10
R2(config-router-af)#redistribute bgp 666 metric 10000 10 255 1 1500
%DUAL-5-NBRCHANGE: IP-EIGRP(1) 10: Neighbor 172.16.26.6 (Ethernet0/1) is up: new adjacency
%DUAL-5-NBRCHANGE: IP-EIGRP(1) 10: Neighbor 172.16.24.4 (Ethernet0/2) is up: new adjacency
R2(config-router-af)#exit

Note: After applying VRF configuraion on interface, IP address have to be configured again as VRF removes that configuration.

R2(config-router)#router bgp 666
R2(config-router)#address-family ipv4 vrf CUSTOMER1
R2(config-router-af)#redistribute eigrp 1
%VRF specified does not match AS
R2(config-router-af)#redistribute eigrp 10

We have to do the same configuration (except IP addresses) on R3 (PE router)… Now let’s look at routing table on CE devices:

R4#sh ip route

     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.45.0 is directly connected, Ethernet0/3
D       172.16.37.0 [90/307200] via 172.16.24.2, 00:02:08, Ethernet0/0
D       172.16.35.0 [90/307200] via 172.16.45.5, 00:02:08, Ethernet0/3
                    [90/307200] via 172.16.24.2, 00:02:08, Ethernet0/0
C       172.16.24.0 is directly connected, Ethernet0/0
D       172.16.26.0 [90/307200] via 172.16.24.2, 00:03:19, Ethernet0/0
     150.1.0.0/32 is subnetted, 4 subnets
D       150.1.7.7 [90/435200] via 172.16.24.2, 00:02:08, Ethernet0/0
D       150.1.6.6 [90/435200] via 172.16.24.2, 00:03:19, Ethernet0/0
D       150.1.5.5 [90/409600] via 172.16.45.5, 00:02:08, Ethernet0/3
C       150.1.4.4 is directly connected, Loopback0

Everything is fine, except one thing: R4 and R5 communicate with each not through the MPLS link but using the backdoor link. There are several ways to change the route preference, we can simply change bandwidth or delay on ethernet interface between R4 and R5 to prefer MPLS link:

R5(config-if)#delay 1000000

R5#sh ip eigrp topology
IP-EIGRP Topology Table for AS(10)/ID(150.1.5.5)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 172.16.45.0/24, 1 successors, FD is 256256000
        via Connected, Ethernet0/3
        via 172.16.35.3 (332800/307200), Ethernet0/0
P 150.1.7.7/32, 1 successors, FD is 435200
        via 172.16.35.3 (435200/409600), Ethernet0/0
P 150.1.6.6/32, 1 successors, FD is 435200
        via 172.16.35.3 (435200/409600), Ethernet0/0
P 150.1.4.4/32, 1 successors, FD is 435200
        via 172.16.35.3 (435200/409600), Ethernet0/0
        via 172.16.45.4 (256384000/128256), Ethernet0/3
P 150.1.5.5/32, 1 successors, FD is 128256
        via Connected, Loopback0
P 172.16.37.0/24, 1 successors, FD is 307200
        via 172.16.35.3 (307200/281600), Ethernet0/0
P 172.16.35.0/24, 1 successors, FD is 281600
        via Connected, Ethernet0/0
P 172.16.24.0/24, 1 successors, FD is 307200
        via 172.16.35.3 (307200/281600), Ethernet0/0
        via 172.16.45.4 (256281600/281600), Ethernet0/3
P 172.16.26.0/24, 1 successors, FD is 307200
        via 172.16.35.3 (307200/281600), Ethernet0/0

R3#sh ip bgp vpnv4 vrf CUSTOMER1 150.1.4.4
BGP routing table entry for 2.2.2.2:1:150.1.4.4/32, version 62
Paths: (1 available, best #1, table CUSTOMER1)
Not advertised to any peer
Local
    2.2.2.2 (metric 31) from 2.2.2.2 (2.2.2.2)
      Origin incomplete, metric 409600, localpref 100, valid, internal, best
      Extended Community: RT:666:1 Cost:pre-bestpath:128:409600
        0x8800:32768:0 0x8801:10:153600 0x8802:65281:256000 0x8803:65281:1500
      mpls labels in/out nolabel/29

The above output shows BGP cost community to deliver EIGRP metrics, so that router ignore administrative distance of iBGP in route selection criteria and compares the metrics. This process is completely automatic and does not need any configuration.

Final Configurations:

R2:
ip vrf CUSTOMER1
rd 2.2.2.2:1
route-target export 666:1
route-target import 666:1
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.12.2 255.255.255.0
!
interface Ethernet0/1
ip vrf forwarding CUSTOMER1
ip address 172.16.26.2 255.255.255.0
!
interface Ethernet0/2
ip vrf forwarding CUSTOMER1
ip address 172.16.24.2 255.255.255.0
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf CUSTOMER1
redistribute bgp 666 metric 10000 10 255 1 1500
network 172.16.0.0
auto-summary
autonomous-system 10
exit-address-family
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 666
neighbor 1.1.1.1 update-source Loopback0
neighbor 3.3.3.3 remote-as 666
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute eigrp 10
no synchronization
exit-address-family
!

R3:
!
ip vrf CUSTOMER1
rd 2.2.2.2:1
route-target export 666:1
route-target import 666:1
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.30.3 255.255.255.0
!
interface Ethernet0/1
ip vrf forwarding CUSTOMER1
ip address 172.16.35.3 255.255.255.0
!
interface Ethernet0/2
ip vrf forwarding CUSTOMER1
ip address 172.16.37.3 255.255.255.0
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf CUSTOMER1
redistribute bgp 666 metric 10000 10 255 1 1500
network 172.16.0.0
auto-summary
autonomous-system 10
exit-address-family
!
router ospf 1
mpls ldp autoconfig area 0
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 666
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 666
neighbor 1.1.1.1 update-source Loopback0
neighbor 2.2.2.2 remote-as 666
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf CUSTOMER1
redistribute eigrp 10
no synchronization
exit-address-family
!

R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.35.5 255.255.255.0
!
interface Ethernet0/3
ip address 172.16.45.5 255.255.255.0
delay 1000000
!
router eigrp 10
network 150.1.0.0
network 172.16.0.0
no auto-summary
!