Thursday, July 30, 2009

Route Filtering - Route-map, prefix-list, distribute-list, access-list....

Route Filtering –
1. In a route-map, always use a permit ACL or permit prefix-list and choose the action (permit/deny) in the route-map itself. A deny in the ACL or prefix-list does not deny the route; it means "skip this route-map entry".
2. In a distribute-list, only ACLs can be used, and the ACL acts as a pass-through filter: any route the ACL permits is permitted and any route it denies is denied. (Remember the implicit deny at the end of the ACL will deny all remaining routes, so routes must be specifically permitted.)

There is an advantage to using prefix-lists in the sense that we can define a range of subnet masks in one line, e.g. “/8 le 24”. This matches masks from 255.0.0.0 to 255.255.255.0 in one entry; anything longer than /24 is not touched.
An ACL entry with a /24 wildcard (255.255.255.0) corresponds to “/24 to /32” in prefix-list terms.



Case 1: Route-map deny 10 + permit ACL
Route-map permit 20
All routes permitted by the ACL will not be sent (the ACL works as a pass-through filter into the deny entry). All routes denied by the ACL skip entry 10 and are sent by route-map entry 20.

Case 2: Route-map permit 10 + deny ACL -> won't work at all the way we expect
For a permit route-map entry, routes denied by the ACL are simply skipped to the next route-map entry (if one exists). If a second route-map entry doesn't exist, all routes are implicitly denied by the route-map.

If the ACL has only deny entries, the route-map can't apply its permit logic, as there are no permit ACL entries to match. Hence all routes will be dropped.
If the ACL has one permit ACE at the end, all routes are permitted (even those covered by the denied ACEs).

Case 3: Route-map deny 10 + deny ACL
This means deny all routes that are permitted by the ACL. If no routes are permitted by the ACL, all get dropped unless a second route-map permit entry is there. If a second permit entry exists, it permits everything that is permitted by its match clause; no match clause means everything is permitted.
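To make the three cases concrete, here is a small evaluator I have added (it is not from the original post) that applies the route-map and ACL semantics described above: an ACL deny only skips the entry, the first matching entry's action decides, and an exhausted route-map implicitly denies. The ACL names, route-map layouts and sample routes are constructed for the demonstration.

```python
import ipaddress

# Constructed example: route-map + standard-ACL evaluation as used for route
# filtering. Function and ACL names are mine, not IOS identifiers.

def acl_permits(acl, route):
    """A standard ACL used as a route filter tests the route's network address
    against each ACE (action, address, wildcard) in order; the implicit deny
    at the end catches everything that no ACE matched."""
    net = ipaddress.ip_network(route, strict=False)
    for action, addr, wildcard in acl:
        mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if int(net.network_address) & mask == int(ipaddress.ip_address(addr)) & mask:
            return action == "permit"
    return False  # implicit deny

def route_map_permits(route_map, acls, route):
    """Entries (seq, action, acl_name_or_None) are tried in sequence order.
    A match clause matches only when its ACL *permits* the route; an ACL deny
    just moves on to the next entry. The first matching entry's action is the
    result; if no entry matches, the route-map implicitly denies."""
    for seq, action, acl_name in sorted(route_map):
        if acl_name is None or acl_permits(acls[acl_name], route):
            return action == "permit"
    return False

ACLS = {
    "PERMIT_10": [("permit", "10.0.0.0", "0.255.255.255")],
    "DENY_10":   [("deny",   "10.0.0.0", "0.255.255.255")],   # deny-only ACL
}
# Case 1: route-map deny 10 match PERMIT_10; route-map permit 20 (no match)
CASE1 = [(10, "deny", "PERMIT_10"), (20, "permit", None)]
# Case 2: route-map permit 10 match DENY_10; no second entry
CASE2 = [(10, "permit", "DENY_10")]
# Case 3: route-map deny 10 match DENY_10; route-map permit 20 (no match)
CASE3 = [(10, "deny", "DENY_10"), (20, "permit", None)]

def evaluate(route_map, routes):
    """Map each candidate route to True (sent) or False (filtered)."""
    return {r: route_map_permits(route_map, ACLS, r) for r in routes}

if __name__ == "__main__":
    for name, rm in (("Case 1", CASE1), ("Case 2", CASE2), ("Case 3", CASE3)):
        print(name, evaluate(rm, ["10.1.0.0/16", "192.168.1.0/24"]))
```

Case 1 filters only the 10/8 route, Case 2 drops everything because no entry ever matches, and Case 3 lets everything through on entry 20.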

In Prefix-list:
To match 112.0.0.0 – Use 112.0.0.0/8 in PFL
To match 112.0.0.0 and 112.0.0.1 – use 112.0.0.0/8 le 32
To match anything, use 0.0.0.0/0 le 32

Prefix-list advanced – it can check the network bits and the subnet mask length separately in one entry:
10.0.0.0/X ge GE le LE
Here X means match the first X network bits (e.g. 10.0.0.0) from left to right.
LE means less than or equal to. If LE = 24 and X = 8 and GE is not defined, it will check for subnet masks from /8 to /24.
GE means greater than or equal to. If GE = 24, masks from /24 to /32 will be checked.
172.16.8.0/24 ge 25 le 27 = 172.16.8.0 with masks from /25 to /27.
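The following evaluator is my own addition (not from the original post) and walks through the ge/le rules above, including the defaults when only one of them is given: exact /X with neither, X..LE with only le, GE..32 with only ge. The entries and routes it is run against are the ones quoted in this post plus a few constructed ones.

```python
import ipaddress

# Constructed example: match an IOS-style prefix-list entry
# "A.B.C.D/X [ge GE] [le LE]" against a candidate route. Names are mine.

def parse_entry(text):
    """'172.16.8.0/24 ge 25 le 27' -> (network, ge, le); ge/le are None if absent."""
    tokens = text.split()
    net = ipaddress.ip_network(tokens[0], strict=False)
    ge = le = None
    for key, value in zip(tokens[1::2], tokens[2::2]):
        if key == "ge":
            ge = int(value)
        elif key == "le":
            le = int(value)
        else:
            raise ValueError(f"unknown keyword {key!r}")
    return net, ge, le

def allowed_lengths(net, ge, le):
    """Mask-length window the entry accepts: exactly /X by default,
    X..LE with only 'le', GE..32 with only 'ge', GE..LE with both."""
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    elif ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return lo, hi

def entry_matches(entry, route):
    net, ge, le = parse_entry(entry)
    r = ipaddress.ip_network(route, strict=False)
    # The route's first X bits must equal the entry's network bits ...
    if not r.subnet_of(net):
        return False
    # ... and the route's own mask length must fall inside the ge/le window.
    lo, hi = allowed_lengths(net, ge, le)
    return lo <= r.prefixlen <= hi

if __name__ == "__main__":
    # "10.1.1.0/24 le 32" is the prefix-list way to say what an ACL with a
    # 0.0.0.255 wildcard filters ("/24 to /32" in the notes above).
    for entry, route in (("112.0.0.0/8", "112.0.0.1/32"),
                         ("112.0.0.0/8 le 32", "112.0.0.1/32"),
                         ("0.0.0.0/0 le 32", "192.168.1.0/24"),
                         ("172.16.8.0/24 ge 25 le 27", "172.16.8.128/26"),
                         ("172.16.8.0/24 ge 25 le 27", "172.16.8.0/24")):
        print(f"{entry:28} {route:18} {entry_matches(entry, route)}")
```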

Wednesday, July 15, 2009

MPLS -- Layer 3 VPNs over L2TPv3 Tunnels and Layer 3 VPNs over mGRE

Layer 3 VPNs over L2TPv3 Tunnels and Layer 3 VPNs over mGRE –
(both these technologies are different – one uses L2TPv3 and the other uses GRE; the config is very similar)


L2TPv3:
int tu0
tunnel mode l3vpn l2tpv3 multipoint

#sh tunnel endpo
Tunnel0 running in Multi-L2TPv3 (L3VPN) mode
RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0

#router bgp 1

address-family ipv4 tunnel
neighbor 10.10.10.102 activate
neighbor 10.10.10.103 activate
exit-address-family
…..

------------------------------------------------------

mGRE:
int tu0
tunnel mode l3vpn multipoint

#sh tunnel endpo
Tunnel0 running in multi-GRE/IP mode
RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0

#router bgp 1
** SAFI “ipv4 tunnel” is not used in mGRE.

--------------------------------------------------------------
(Supported only on 12.0S on the 7200 and 7500, no other platforms)
These are needed when the SP core is not running MPLS but we still need to provide VPN services. This is not an L2 VPN but an L3 VPN, with each CE on a different IP subnet.
Implementation of L2TPv3 tunnels creates a tunnel network as an overlay to the IP backbone, which interconnects the PE routers to transport VPN traffic. The multipoint tunnel uses BGP to distribute VPNv4 information between PE routers.

Full Config
-------------------------
Configurations for PE Routers


hostname PE1-AS1
!
ip cef
ip vrf CustA
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf l3vpn_l2tpv3
rd 100:100
!
interface Loopback0
ip address 10.10.10.101 255.255.255.255
!
interface Tunnel0
ip vrf forwarding l3vpn_l2tpv3
ip address 172.16.1.101 255.255.255.255
tunnel source Loopback0
tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
ip address 10.10.10.1 255.255.255.252
!
interface Serial1/0
description connection to CE1-A
ip vrf forwarding CustA
ip address 172.16.1.1 255.255.255.252
!
router ospf 100
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
no synchronization
neighbor 10.10.10.102 remote-as 1
neighbor 10.10.10.102 update-source Loopback0
neighbor 10.10.10.103 remote-as 1
neighbor 10.10.10.103 update-source Loopback0
no auto-summary
!
address-family ipv4 tunnel
neighbor 10.10.10.102 activate
neighbor 10.10.10.103 activate
exit-address-family
!
address-family vpnv4
neighbor 10.10.10.102 activate
neighbor 10.10.10.102 send-community extended
neighbor 10.10.10.102 route-map vpn_l2tpv3 in
neighbor 10.10.10.103 activate
neighbor 10.10.10.103 send-community extended
neighbor 10.10.10.103 route-map vpn_l2tpv3 in
exit-address-family
!
address-family ipv4 vrf CustA
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip route vrf CustA 172.16.100.1 255.255.255.255 172.16.1.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
set ip next-hop in-vrf l3vpn_l2tpv3
________________________________________________________________
hostname PE2-AS1
!
ip cef
ip vrf CustA
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf l3vpn_l2tpv3
rd 100:100
!
interface Loopback0
ip address 10.10.10.102 255.255.255.255
!
interface Tunnel0
ip vrf forwarding l3vpn_l2tpv3
ip address 172.16.1.102 255.255.255.255
tunnel source Loopback0
tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
ip address 10.10.10.5 255.255.255.252
!
interface Serial1/0
description connection to CE2-A
ip vrf forwarding CustA
ip address 172.16.2.1 255.255.255.252
!
router ospf 100
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
no synchronization
neighbor 10.10.10.101 remote-as 1
neighbor 10.10.10.101 update-source Loopback0
neighbor 10.10.10.103 remote-as 1
neighbor 10.10.10.103 update-source Loopback0
no auto-summary
!
address-family ipv4 tunnel
neighbor 10.10.10.101 activate
neighbor 10.10.10.103 activate
exit-address-family
!
address-family vpnv4
neighbor 10.10.10.101 activate
neighbor 10.10.10.101 send-community extended
neighbor 10.10.10.101 route-map vpn_l2tpv3 in
neighbor 10.10.10.103 activate
neighbor 10.10.10.103 send-community extended
neighbor 10.10.10.103 route-map vpn_l2tpv3 in
exit-address-family
!
address-family ipv4 vrf CustA
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip route vrf CustA 172.16.100.2 255.255.255.255 172.16.2.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
set ip next-hop in-vrf l3vpn_l2tpv3
________________________________________________________________
hostname PE3-AS1
!
ip cef
ip vrf CustA
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf l3vpn_l2tpv3
rd 100:100
!
interface Loopback0
ip address 10.10.10.103 255.255.255.255
!
interface Tunnel0
ip vrf forwarding l3vpn_l2tpv3
ip address 172.16.1.103 255.255.255.255
tunnel source Loopback0
tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
ip address 10.10.10.9 255.255.255.252
!
interface Serial1/0
description connection to CE1-A
ip vrf forwarding CustA
ip address 172.16.3.1 255.255.255.252
!
router ospf 100
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
no synchronization
neighbor 10.10.10.101 remote-as 1
neighbor 10.10.10.101 update-source Loopback0
neighbor 10.10.10.102 remote-as 1
neighbor 10.10.10.102 update-source Loopback0
no auto-summary
!
address-family ipv4 tunnel
neighbor 10.10.10.101 activate
neighbor 10.10.10.102 activate
exit-address-family
!
address-family vpnv4
neighbor 10.10.10.101 activate
neighbor 10.10.10.101 send-community extended
neighbor 10.10.10.101 route-map vpn_l2tpv3 in
neighbor 10.10.10.102 activate
neighbor 10.10.10.102 send-community extended
neighbor 10.10.10.102 route-map vpn_l2tpv3 in
exit-address-family
!
address-family ipv4 vrf CustA
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip route vrf CustA 172.16.100.3 255.255.255.255 172.16.3.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
set ip next-hop in-vrf l3vpn_l2tpv3