a blog for CCIE SP and Security ....

the ccie plaques...

2010-07-15T13:46:00.000+04:00

IP Multicast over DMVPN in MPLS-VPN without mVPN support from ISP

2010-07-01T15:24:00.013+04:00

Scenario -
- we have 3 sites connected by MPLS VPN
- ISP doesn't support mVPN for carrying IP multicast

Requirement -
- Consider CE3 as Hub Site, create a DMVPN overlay to carry IP multicast over MPLS VPN backbone between the three sites.
For Unicast traffic use MPLS VPN.
For Mulicast traffic use DMVPN over MPLS VPN.

Take care of RPF.

Topology -

Solution -

- ip pim sparse-mode will be configured ONLY on Tunnel interfaces. PIM not needed on physcial interface.
- Multicast will only work from Hub to Spoke and vice-versa. Spoke to Spoke multicast is NOT supported due to RPF clause on Hub's Tunnel interface.
- RPF: Since unicast traffic flow doesnt match multicast flow in this scenario, we must manually correct the RPF check to avoid RPF failures. We'll use default static mroute for this.
- DMVPN Phase1 will do the job, Phase2 and Phase3 dont provide any advantage in this scenario cause Spoke to Spoke Multicast is anyway not supported. For sake of simplicity, Phase2 is still used in this example.
- routing protocl on DMVPN network is not needed in this scenario. PIM will generate traffic and build the NHRP tunnel.
- IPSec encryption is not used in this scenario. Its not needed cause we are using private MPLS VPN connectivity.

Verification -

CE3#ping 239.1.1.1 repeat 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:

Reply to request 0 from 172.16.1.1, 536 ms
Reply to request 1 from 172.16.1.1, 704 ms
Reply to request 2 from 172.16.1.1, 492 ms
Reply to request 3 from 172.16.1.1, 412 ms
Reply to request 4 from 172.16.1.1, 552 ms

CE1#
*Mar 1 00:49:58.435: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:50:00.595: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:50:02.443: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:50:04.527: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:50:06.551: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3

CE3#ping 239.1.1.1 repeat 5 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 239.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 30.30.30.30

Reply to request 0 from 172.16.1.1, 356 ms
Reply to request 1 from 172.16.1.1, 336 ms
Reply to request 2 from 172.16.1.1, 236 ms
Reply to request 3 from 172.16.1.1, 360 ms
Reply to request 4 from 172.16.1.1, 492 ms
CE3#

*Mar 1 00:53:08.319: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:53:10.387: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:53:12.383: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:53:14.307: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#
*Mar 1 00:53:16.275: ICMP: echo reply sent, src 172.16.1.1, dst 172.16.1.3
CE1#

Configs -

CE1:

hostname CE1
!
ip cef
ip multicast-routing
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
ip igmp join-group 239.1.1.1
!
interface Tunnel123
ip address 172.16.1.1 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication CISCO123
ip nhrp map multicast dynamic
ip nhrp map multicast 30.1.1.1
ip nhrp map 172.16.1.3 30.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.1.3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
redistribute connected subnets route-map RM_CONNECTED_LOOPBACK
network 10.0.0.0 0.255.255.255 area 1
!
ip mroute 0.0.0.0 0.0.0.0 172.16.1.3
!
route-map RM_CONNECTED_LOOPBACK permit 10
match interface Loopback0

CE2:

hostname CE2
!
ip multicast-routing
!
interface Loopback0
ip address 20.20.20.20 255.255.255.255
ip igmp join-group 239.2.2.2
!
interface Tunnel123
ip address 172.16.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication CISCO123
ip nhrp map multicast dynamic
ip nhrp map multicast 30.1.1.1
ip nhrp map 172.16.1.3 30.1.1.1
ip nhrp network-id 123
ip nhrp nhs 172.16.1.3
ip igmp join-group 239.172.2.2
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
!
interface FastEthernet0/0
ip address 20.1.1.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 2
network 20.0.0.0
no auto-summary
!
ip mroute 0.0.0.0 0.0.0.0 172.16.1.3
!
route-map RM_CONNECTED_LOOPBACK permit 10

CE3:

hostname CE3
!
ip multicast-routing
!
interface Loopback0
ip address 30.30.30.30 255.255.255.255
ip igmp join-group 239.3.3.3
!
interface Tunnel123
ip address 172.16.1.3 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication CISCO123
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip igmp join-group 239.172.3.3
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 123
!
interface FastEthernet0/0
ip address 30.1.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 30.0.0.0
no auto-summary
!
ip pim bsr-candidate Tunnel123 0
ip pim rp-candidate Tunnel123
ip mroute 0.0.0.0 0.0.0.0 172.16.1.1

PE1:

hostname PE1
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf VPN
rd 1:1
route-target export 1:1
route-target import 1:1
!
no mpls traffic-eng auto-bw timers frequency 0
mpls ldp router-id Loopback0 force
mpls label protocol ldp
call rsvp-sync
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding VPN
ip address 10.1.1.254 255.255.255.0
duplex auto
speed auto
no clns route-cache
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
router ospf 2 vrf VPN
log-adjacency-changes
redistribute bgp 100 subnets
network 0.0.0.0 255.255.255.255 area 1
!
router isis
net 49.0000.0000.0001.00
passive-interface Loopback0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
redistribute ospf 2 vrf VPN match internal external 1 external 2
no auto-summary
no synchronization
exit-address-family
!

PE2:

hostname PE2
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf VPN
rd 1:1
route-target export 1:1
route-target import 1:1
!
no mpls traffic-eng auto-bw timers frequency 0
mpls ldp router-id Loopback0 force
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding VPN
ip address 20.1.1.254 255.255.255.0
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no clns route-cache
!
interface Serial1/0
ip address 192.168.2.1 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
router eigrp 2
auto-summary
!
address-family ipv4 vrf VPN
redistribute bgp 100 metric 10000 1 255 1 1500
network 20.0.0.0
auto-summary
autonomous-system 2
exit-address-family
!
router isis
net 49.0000.0000.0002.00
passive-interface Loopback0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
redistribute eigrp 2
no auto-summary
no synchronization
exit-address-family
!
ip classless
!

PE3:

hostname PE3
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf VPN
rd 1:1
route-target export 1:1
route-target import 1:1
!
no mpls traffic-eng auto-bw timers frequency 0
mpls ldp router-id Loopback0 force
mpls label protocol ldp
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding VPN
ip address 30.1.1.254 255.255.255.0
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no clns route-cache
!
interface Serial1/0
ip address 192.168.3.1 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
router isis
net 49.0000.0000.0003.00
passive-interface Loopback0
!
router rip
!
address-family ipv4 vrf VPN
redistribute bgp 100 metric 1
network 30.0.0.0
no auto-summary
version 2
exit-address-family
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN
redistribute rip
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
!
!

hostname P
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
no clns route-cache
!
interface Serial1/1
ip address 192.168.1.2 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.2.2 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
interface Serial1/3
ip address 192.168.3.2 255.255.255.252
ip router isis
mpls ip
serial restart-delay 0
!
router isis
net 49.0000.0000.0004.00
passive-interface Loopback0
!
router bgp 100
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 route-reflector-client
neighbor 1.1.1.1 send-community extended
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 route-reflector-client
neighbor 2.2.2.2 send-community extended
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 route-reflector-client
neighbor 3.3.3.3 send-community extended
exit-address-family
!
ip classless
!

VRF aware DMVPN with dual ISP on Single HUB + autofailover (using iVRF and FVRF)

2010-06-03T03:11:00.052+04:00

Task Details:
(for lab usage only!)

- We have two separate DMVPN clouds via two different ISPs. The LAN Segments in both these DMVPN clouds use the same IP address.
- Requirement is to merge both the clouds, remove redundant equipments (remove one hub, and two spoke routers), configure DMVPN clouds using both ISPs with automatic failover between the ISPs.
- Use VRF aware DMVPN with fVRF and iVRF.
- Use VRF ISP1 and ISP2 for fVRF to segregate the ISPs.
- Use VRF RED and BLUE for iVRF so that overlapping LAN segments can communicate.
- Configure DMVPN in such a way that VRF RED uses ISP1 as primary. In event of any failure on ISP1, it should switche via ISP2.
- Similarly, VRF BLUE should use ISP2 as primary (active) and ISP1 as secondary (passive).

To be contd. (init configs, Dynamips .NET File, explanation on challenges, and solution)

Few considerations:
1. We'll need total 4 tunnel interfaces on each Spoke and Hub.
      First tunnel for VRF RED via ISP1
      Second tunnel for VRF RED via ISP2
      Third tunnel for VRF BLUE via ISP1
      Fourth tunnel for VRF BLUE via ISP2
Tunnel interfaces on HUB will be ACTIVE/ACTIVE allowing the SPOKES to dynamically choose and switcover during ISP Failure.

Tunnel Interfaces on SPOKES will be ACTIVE/STANDBY per ISP. Again, dynamic failover.

2. So we'll create 4 different DMVPN clouds, two active (one active for VRF RED via ISP1, one active for VRF BLUE via ISP2) and two passive (vice versa).
Challege1: All 4 DMVPN clouds will have their own Tunnel IP subnets. Switchover between the DMVPN clouds during failover should be tracked appropriately.
Example1: if ISP1 on HUB fails, SPOKE1 and SPOKE2 should automatically switch to ISP2.
Example2: if ISP1 on SPOKE1 fails, SPOKE1 should automatically switch to ISP2, HUB2 should support this tunnel switchover dynamically.

3.Challege2: So how do we keep a sync between SPOKEs and HUB.
Here comes Cisco EEM with IP SLA tracking to the rescue.
We'll track ISP connection on each SPOKE, both for the SPOKE itself, and the HUB.
So SPOKE1 will track if its ISP1 connectivity is alive, if YES, it'll use Tunnel1 via ISP1 for DMVPN. IF ISP1 is doen on SPOKE1, it'll switch to ISP2 and use Tunnel2.
At the same time, SPOKE1 will track HUB's ISP1 connection. If ISP1 on HUB is live, SPOKE1 will use ISP1 for itself. If HUB's ISP1 connection is dead, SPOKE1 will shutdown its Tunnel1 going via ISP1, and switch over to Tunnel2 via ISP2.
Note - SPOKE1 can't use Tunnel1 via ISP1 when HUB's ISP1 is dead. Why? Because IP subnet on Tunnel1 on SPOKE1 and IP subnet on HUB's Tunnel interface must match.

Let's get our hands dirty, and move onto the configuration part -

Initial Configs:
HUB:

HUB:
hostname HUB
!
ip cef
!
ip vrf BLUE
rd 1:2
!
ip vrf ISP1
rd 100:1
!
ip vrf ISP2
rd 200:1
!
ip vrf RED
rd 1:1
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 101.1.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 201.1.1.1 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 101.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 201.1.1.254
!

SPOKE1:

hostname SPOKE1
!
ip cef
!
ip vrf BLUE
rd 2:2
!
ip vrf ISP1
rd 100:2
!
ip vrf ISP2
rd 200:2
!
ip vrf RED
rd 2:1
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.2.1.2 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.2.1.2 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 102.1.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 202.1.1.2 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 102.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 202.1.1.254
!

SPOKE2:

hostname SPOKE2
!
ip cef
!
ip vrf BLUE
rd 2:3
!
ip vrf ISP1
rd 100:3
!
ip vrf ISP2
rd 200:3
!
ip vrf RED
rd 1:3
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding RED
ip address 10.3.1.3 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip vrf forwarding BLUE
ip address 10.3.1.3 255.255.255.0
!
interface Serial1/0
ip vrf forwarding ISP1
ip address 103.1.1.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding ISP2
ip address 203.1.1.3 255.255.255.0
serial restart-delay 0
!
ip route vrf ISP1 0.0.0.0 0.0.0.0 103.1.1.254
ip route vrf ISP2 0.0.0.0 0.0.0.0 203.1.1.254
!
!

ISP1:

ISP1#r
Building configuration...

Current configuration : 2689 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISP1
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 101.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/1
ip address 102.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/2
ip address 103.1.1.254 255.255.255.0
ip access-group ACL_ESP_ONLY in
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
ip address 12.1.1.1 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router bgp 100
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 12.1.1.2 remote-as 200
no auto-summary
!
ip classless
!
no ip http server
!
!
!
ip access-list extended ACL_ESP_ONLY
permit icmp any any echo
permit icmp any any echo-reply
permit esp any any
permit udp any any eq 4500
permit udp any any eq isakmp
deny ip any any log
!
!
!
control-plane
!
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
no login
!
!
end
ISP1#

ISP2:

ISP2#r
Building configuration...

Current configuration : 2394 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISP2
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface Serial1/0
ip address 201.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/1
ip address 202.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/2
ip address 203.1.1.254 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/3
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
no clns route-cache
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
no clns route-cache
!
router bgp 200
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 12.1.1.1 remote-as 100
no auto-summary
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
no login
!
!
end
ISP2#

DYNAMIPS NET FILE

startautostart = False
[1.1.1.1]
port = 7200
udp = 10000

[[7200]]
image = C:\Program Files\Dynamips\images\c7200-k91p-m.122-25.S15.bin
npe = npe-400
ram = 96
disk0 = 0
disk1 = 0
mmap = false

[[router HUB]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 224
Fa0/0 = LAN 10
S1/0 = ISP1 S1/0
S1/1 = ISP2 S1/0

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\HUB.cfg

[[router SPOKE1]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 224

Fa0/0 = LAN 20
S1/0 = ISP1 S1/1
S1/1 = ISP2 S1/1

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\SPOKE1.cfg

[[router SPOKE2]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 224
Fa0/0 = LAN 30
S1/0 = ISP1 S1/2
S1/1 = ISP2 S1/2

cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\SPOKE2.cfg

[[Router ISP1]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
S1/3 = ISP2 S1/3
cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\ISP1.cfg

[[Router ISP2]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
cnfg = C:\Program Files\Dynamips\sample_labs\DMVPN - VRF AWare iVRF-fVRF\configs\ISP2.cfg

SOLUTION -:

HUB CONFIG:

HUB CRYPTO CONFIG:
crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
set transform-set TRANS

TUNNEL CONFIG for VRF RED
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map multicast dynamic
ip nhrp network-id 131313
ip ospf network broadcast
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map multicast dynamic
ip nhrp network-id 131313
ip ospf network broadcast
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!

TUNNEL CONFIG for VRF BLUE
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication BLUE
ip nhrp map multicast dynamic
ip nhrp network-id 242424
no ip split-horizon eigrp 1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication BLUE
ip nhrp map multicast dynamic
ip nhrp network-id 242424
no ip split-horizon eigrp 1
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared

ROUTING CONFIG VRF BLUE
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 1.1.1.1
exit-address-family

ROUTING CONFIG VRF RED
router ospf 1 vrf RED
router-id 1.1.1.1
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 1
network 172.16.10.1 0.0.0.0 area 0
network 172.16.11.1 0.0.0.0 area 0
!

SPOKE1 CONFIG:

crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
set transform-set TRANS
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.10.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.10.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.20.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.20.1
ip ospf network broadcast
ip ospf priority 0
shutdown
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.11.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.11.1
shutdown
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.21.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.21.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 2.2.2.2
exit-address-family
!
router ospf 1 vrf RED
router-id 2.2.2.2
log-adjacency-changes
network 10.2.1.2 0.0.0.0 area 2
network 172.16.10.2 0.0.0.0 area 0
network 172.16.11.2 0.0.0.0 area 0
!
ip sla 1
icmp-echo 101.1.1.1 source-interface Serial1/0
timeout 15000
vrf ISP1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 201.1.1.1 source-interface Serial1/1
timeout 15000
vrf ISP2
ip sla schedule 2 life forever start-time now
!
!
event manager applet EEM_SHUT_ISP1_HUB
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP1_HUB
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_SHUT_ISP2_HUB
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP2_HUB
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto"
!
end

SPOKE2 CONFIG:

crypto keyring CRYPTO_KEYRING_VRFRED_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFRED_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key RED
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP2 vrf ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
crypto keyring CRYPTO_KEYRING_VRFBLUE_ISP1 vrf ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key BLUE
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSEC_PROFILE_ISP1
set transform-set TRANS
!
crypto ipsec profile IPSEC_PROFILE_ISP2
!
!
!
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface Tunnel1
description ** DMVPN RED via ISP1 **
ip vrf forwarding RED
ip address 172.16.10.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.10.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.10.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 10
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel2
description ** DMVPN BLUE via ISP1 **
ip vrf forwarding BLUE
ip address 172.16.20.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map 172.16.20.1 101.1.1.1
ip nhrp map multicast 101.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.20.1
ip ospf network broadcast
ip ospf priority 0
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel key 20
tunnel vrf ISP1
tunnel protection ipsec profile IPSEC_PROFILE_ISP1 shared
!
interface Tunnel3
description ** DMVPN RED via ISP2 **
ip vrf forwarding RED
ip address 172.16.11.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication RED
ip nhrp map 172.16.11.1 201.1.1.1
ip nhrp map multicast 201.1.1.1
ip nhrp network-id 131313
ip nhrp nhs 172.16.11.1
shutdown
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 11
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
interface Tunnel4
description ** DMVPN BLUE via ISP2 **
ip vrf forwarding BLUE
ip address 172.16.21.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication BLUE
ip nhrp map multicast 201.1.1.1
ip nhrp map 172.16.21.1 201.1.1.1
ip nhrp network-id 242424
ip nhrp nhs 172.16.21.1
shutdown
tunnel source Serial1/1
tunnel mode gre multipoint
tunnel key 21
tunnel vrf ISP2
tunnel protection ipsec profile IPSEC_PROFILE_ISP2 shared
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0
network 172.16.0.0
no auto-summary
autonomous-system 1
eigrp router-id 3.3.3.3
exit-address-family
!
router ospf 1 vrf RED
router-id 3.3.3.3
log-adjacency-changes
network 10.3.1.3 0.0.0.0 area 3
network 172.16.10.3 0.0.0.0 area 0
network 172.16.11.3 0.0.0.0 area 0
!
ip sla 1
icmp-echo 101.1.1.1 source-interface Serial1/0
timeout 15000
vrf ISP1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 201.1.1.1 source-interface Serial1/1
timeout 15000
vrf ISP2
ip sla schedule 2 life forever start-time now
!
event manager applet EEM_SHUT_ISP1_HUB
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP1_HUB
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu1"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu3"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_SHUT_ISP2_HUB
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "no shut"
action 1.8 cli command "do clear crypto isa"
action 1.9 cli command "do clear crypto sa"
event manager applet EEM_NOSHUT_ISP2_HUB
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "config t"
action 1.3 cli command "int tu4"
action 1.5 cli command "no shut"
action 1.6 cli command "int tu2"
action 1.7 cli command "shut"
action 1.8 cli command "do clear crypto isa"
!
end

Free Counter

A complex VPN MESS LAB!

2010-05-26T02:21:00.043+04:00

LAB Scenario

Summary:
1. GETVPN over DMVPN with OSPF, (RSA authetication); selective traffic
engineering over GET and DMVPNs.
2. VRF Aware IPSec Dynamic VTI based RA VPN with XAuth
3. RA VPN using Dynamic VTI with Xauth
4. Crypto-map based VPN with Dynamic VTI on other side
5. Static VTI based VPN with EIGRP
5. Zone based FW + NAT ..just to add bit more spice
6. MPLS L3 VPN core

SITE1 is the HeadQuarter(HUB). SITE2,3,4 are Branch SITES. RTR-XYZ is external connection. Internet-host is any host on internet. Restriction: Don't modify ISP router (PE1 and PE2) configs.
	TASK1: DMVPN with OSPF
	SITE1, 2 and 3 participate in DMVPN. Use PSK for authentication. RTR-SITE1-HUB functions as DMVPN Hub. Use OSPF routing protocol for DMVPN reachability. ~~Protect the DMVPN cloud using IPSec.~~ *Correction1: Create only mGRE tunnels, tunnels proctection should be configured as per next GETVPN task.
	TASK2: GETVPN over DMVPN
	SITE 1, 2 and 3 run GETVPN over the previously configured DMVPN cloud. Use Digital certificate for authentication (including IKE Ph1 authentication). RTR-SITE1-KS functions as KS Server , CA Server , NTP server. GETVPN routers should enroll certificate from RTR-SITE1-KS. Ensure that GETVPN traffic is encrpyted first, then tunneled via DMVPN. Check IPSec SAs to confirm this.
	TASK3: VRF aware IPSEC Remote Access VPN using Dynamic VTI
	SITE1 RTR-SITE1-HUB uses Dynamic VTI to host EasyVPN Server. We have overlapping IP address in SITE1. 10.1.1.0/24 is overlapped between CUSTOMERX, CUSTOMERY and SITE1's Global Routing table. CUSTOMERX and CustomerY have dedicated VRFs in SITE1. If InternetHost uses Groupname: CUSTOMERX password: CISCO, it can access CUSTOMERX's 10.1.1.0/24 If InternetHost uses Groupname: CUSTOMERY password: CISCO, it can access CUSTOMERY's 10.1.1.0/24 If InternetHost uses Groupname: USER_GRT password: CISCO, it can access SITE1's Global routing table's 10.1.1.0/24 Configure XAUTH for all groups using the same Group credentials respectively. Use local pool address - 10.100.101.1 to 10.100.101.7 Ensure that Remote Access VPN connection using GroupID USER_GRT has access to all LAN segements in SITE1,2,3,4 and RTR-XYZ's LAN segment
	TASK4: L2L Tunnel with Crypto MAP on SITE4 + Dynamic VTI
	SITE4's ASA-SITE4 firewall connects using Crypto-map based L2L tunnel to SITE1's RTR-SITE1-HUB router. SITE1 uses Dynamic VTI. Don't use crypto-map on RTR-SITE1-HUB. Ensure that inside LAN subent in SITE4 has access to other LAN segements in SITE1,2,3, RTR-XYZ's LAN segment and Remote Access VPN Pool.
	TASK5: L2L Tunnel using Static VTI
	Configure a L2L VPN tunnel between SITE1 and RTR-XYZ. Use EIGRP for routing. RTR-XYZ LAN segment should be able to reach all LAN subnets in SITE1,2,3,4 RTR-XYZ LAN segment should also be able to reach Internet-host once InternetHost connects RAVPN using USER_GRT groupID.
	TASK6: VPN Traffic engineering
	Traffic between SITE1,2,3 LAN segments should pass via GETVPN tunnel, then get encapsulated in DMVPN.(vice versa). Dont include SITE1's 10.1.1.0/24 subnet in GETVPN encrypted path. 10.1.1.0/24 should be reachable via DMVPN path between the sites. Traffic from Remote-access-VPN_POol (10.100.101.0/29) to SITE2-Loopback0 and SITE3-Loopback0 should pass via GETVPN tunnel, then get encapsulate in DMVPN.(vice versa) Traffic from Remote-access-VPN_POol (10.100.101.0/29) to SITE4_LAN,RTR-XYZ_LAN should ONLY pass via DMVPN tunnel, not via GetVPN. (vice versa) Traffic to 10.1.1.0/24 in SITE1 shouldnt be included in GetVPN encryption for any of these flows. ~~Ensure that all traffic via ISP routers is IPSEC protected. GETVPN traffic is allowed to be encrypted twice, once by GETVPN, second time by DMVPN.~~ *Correction2 : NON-GETVPN traffic (e.g. between RTR-XYZ and RTR-SITE2 etc.) should only be GRE encapsulated within DMVPN cloud across the Service provider routers, no IPSec protection is needed.
	TASK7: Zone based Firewall with NAT
	Configure Zone based firewall on RTR-SITE2 in SITE2 for Internet access filtering. Allow only ICMP traffic to and from RTR-SITE2 (Self zone). Make sure DMVPN, GETVPN etc. continue to work normally. VPN traffic flow should continue to work. Allow INBOUND TELNET, SMTP to SITE2's LAN segments. ALLOW ALL OUTBOUND TRAFFIC from SITE2's LAN segments (10.2.1.0/24 and 10.23.23.0/24). NAT SITE2 LAN Segment should be able to access Internet host 105.1.1.2 using 102.1.1.3 as source IP. Use PAT. Configure NAT on RTR-SITE2 such that Internet Host can telnet into RTR-SITE3 using 102.1.1.4 as destination IP. SITE2 and SITE3 are connected via a backdoor link with IP 10.23.23.0/24 for testing NAT related tasks. Add static route on RTR-SITE3 to test the access to 105.1.1.2.

DYNAMIPS NET FILE/PEMU SCRIPT

Dynamips NET FILE

startautostart = False
[192.168.100.75]
port = 7200
udp = 10000

[[7200]]
image = C:\Program Files\Dynamips\images\c7200-k91p-m.122-25.S15.bin
npe = npe-400
ram = 96
disk0 = 0
disk1 = 0
mmap = false

[[router RTR-SITE1-KS]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256
Fa0/0 = RTR-SITE1-HUB Fa0/1

cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE1-KS.cfg

[[router RTR-SITE1-HUB]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256

# ASA-FW-SITE1 INSIDE #
Fa0/0 = NIO_udp:1011:1.1.1.1:1001
Fa1/0 = LAN 120
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE1-HUB.cfg

[[router RTR-SITE2]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = false
ram = 256
Fa0/0 = PE2 Fa1/0
Fa0/1 = LAN 102
Fa1/0 = RTR-SITE3 Fa1/0
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE2.cfg

[[Router PE1]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE

# ASA-FW-SITE1 OUTSIDE #
Fa0/0 = NIO_udp:1010:1.1.1.1:1000

#TO VM for RA VPN #
Fa2/0 = NIO_gen_eth:\Device\NPF_{597007F5-5BF6-45E2-B348-388172170CF3}

# ASA-FW-SITE4 OUTSIDE #
Fa2/1 = NIO_udp:2010:1.1.1.1:2000

Fa1/0 = PE2 Fa0/0

F1/1 = RTR-XYZ Fa0/0
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\PE1.cfg

[[Router PE2]]
model = 7200
autostart = false
slot0 = PA-C7200-IO-FE
cnfg = C:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\PE2.cfg

##############
##############
#MutliPC

[192.168.100.35:7200]
udp = 11000
workingdir = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB
[[router RTR-SITE3]]
autostart = False

image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin

model = 3660
mmap = false
ram = 256
Fa0/0 = PE2 Fa1/1
Fa0/1 = LAN 103
cnfg = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-SITE3.cfg

[[router RTR-XYZ]]
autostart = False
image = C:\Program Files\Dynamips\images\c3660-jk9o3s-m.124-15.T11.bin
model = 3660
mmap = False
ram = 256
F0/0 = PE1 Fa1/1
Fa0/1 = LAN 60
cnfg = Z:\Program Files\Dynamips\sample_labs\CCIE-SEC-HELL-LAB\configs\RTR-XYZ.cfg

###########################################################
PEMU ASA-SITE11

start /belownormal pemu -net nic,vlan=10,macaddr=00:00:00:00:10:01 -net udp,vlan=10,sport=1000,dport=1010,daddr=1.1.1.1 -net nic,vlan=11,macaddr=00:00:00:00:10:02 -net udp,vlan=11,sport=1001,dport=1011,daddr=1.1.1.1 -net nic,vlan=12,macaddr=00:00:00:00:10:03 -net udp,vlan=12,sport=1002,dport=1012,daddr=1.1.1.1 -net nic,vlan=13,macaddr=00:00:00:00:10:04 -net udp,vlan=13,sport=1004,dport=1014,daddr=1.1.1.1 -serial telnet::2050,server,nowait -m 128 FLASH8X-SITE1

###########################################################
PEMU ASA-SITE4

start /belownormal pemu -net nic,vlan=20,macaddr=00:00:00:00:20:01 -net udp,vlan=20,sport=2000,dport=2010,daddr=1.1.1.1 -net nic,vlan=21,macaddr=00:00:00:00:20:02 -net udp,vlan=21,sport=2001,dport=2011,daddr=1.1.1.1 -net nic,vlan=22,macaddr=00:00:00:00:20:03 -net udp,vlan=22,sport=2002,dport=2012,daddr=1.1.1.1 -net nic,vlan=23,macaddr=00:00:00:00:20:04 -net udp,vlan=23,sport=2004,dport=2014,daddr=1.1.1.1 -serial telnet::2051,server,nowait -m 128 FLASH8X-SITE4
____________
############################################################

INIT CONFIGS

########################################################
hostname ASA-SITE1

!
interface Ethernet0
nameif outside
security-level 0
ip address 101.1.1.2 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.1.2 255.255.255.252
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1

###########################################################

hostname ASA-SITE4
!
interface Ethernet0
nameif outside
security-level 0
ip address 104.1.1.2 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.4.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
route outside 0.0.0.0 0.0.0.0 104.1.1.1 1

###########################################################

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf ABC
rd 123:123
route-target export 123:123
route-target import 123:123
route-target import 106:106
!
ip vrf XYZ
rd 106:106
route-target export 106:106
route-target import 106:106
route-target import 123:123
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip vrf forwarding ABC
ip address 101.1.1.1 255.255.255.248
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 12.1.1.1 255.255.255.252
ip router isis
duplex auto
speed auto
mpls ip
!
interface FastEthernet1/1
ip vrf forwarding XYZ
ip address 106.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet2/0
ip vrf forwarding ABC
ip address 105.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet2/1
ip vrf forwarding ABC
ip address 104.1.1.1 255.255.255.252
duplex auto
speed auto
no clns route-cache
!
router isis
net 49.0000.0000.0001.00
passive-interface Loopback0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf XYZ
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf ABC
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
!
!
end

###########################################################

version 12.2

hostname PE2
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf ABC
rd 123:123
route-target export 123:123
route-target import 123:123
route-target import 106:106
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.252
ip router isis
duplex full
mpls ip
!
interface FastEthernet1/0
ip vrf forwarding ABC
ip address 102.1.1.1 255.255.255.248
duplex full
speed auto
no clns route-cache
!
interface FastEthernet1/1
ip vrf forwarding ABC
ip address 103.1.1.1 255.255.255.248
duplex full
speed auto
no clns route-cache
!
router isis
net 49.0000.0000.0002.00
passive-interface Loopback0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf ABC
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
ip classless

end

###########################################################
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE1-HUB
!
boot-start-marker
boot-end-marker
!
!
!
aaa session-id common
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
ip vrf CUSTOMERX
rd 1:1
!
ip vrf CUSTOMERY
rd 2:2
!
!
interface Loopback0
ip address 10.100.100.101 255.255.255.255
!
!
interface FastEthernet0/0
ip address 10.10.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0.10
encapsulation dot1Q 10
ip vrf forwarding CUSTOMERX
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet1/0.20
encapsulation dot1Q 20
ip vrf forwarding CUSTOMERY
ip address 10.1.1.1 255.255.255.0
!
end

###########################################################

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE1-KS
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
!

!
interface Loopback0
ip address 10.100.100.100 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
ip http server
no ip http secure-server
ip forward-protocol nd
!
!
!
!
end

###########################################################

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE2
!
boot-start-marker
boot-end-marker
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
interface Loopback0
ip address 10.100.100.102 255.255.255.255
!
!
interface FastEthernet0/0
ip address 102.1.1.2 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.2.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.23.23.2 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 102.1.1.1
!
!
end

###########################################################

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-SITE3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name CCIE19804.COM
!
!
interface Loopback0
ip address 10.100.100.103 255.255.255.255
!
interface FastEthernet0/0
ip address 103.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.3.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.23.23.3 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 103.1.1.1
ip route 105.1.1.0 255.255.255.0 10.23.23.2
!
!
end
###########################################################

version 12.4
!
hostname RTR-XYZ
!
ip cef
!
interface FastEthernet0/0
ip address 106.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.6.1.1 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 106.1.1.1
!
end
############################################################

Free Counter

Passed SP Lab!

2010-05-17T17:06:00.003+04:00

the loong frustrating SP journey has reached its destination..i passed
the SP lab yesterday.

it was a bigger battle with bugs, vague wording and crappy oeqs than
the technology itself.

few things i wud like to share with people preparing for sp lab -

1. mpls vpns -
ahh thts the biggest chunk in sp lab, almost everyone who failed has
got shocking results in vpn section. vpn constitues more than 30% of
the score so less score guarantees a failure.
understand "send-label" feature correctly, when, how , restrictions
etc..knwing the difference between "mpls ip" and "send-label" is
important. The figures shud knw wht to type the moment we see inter-as
and csc. Know when to use “set mpls-label”, and the scary things tht
might happen when not using it when it’s a mandate.

2. multicast -
the RnS bits of multicast is the base. For MVPN/inter-as-multicast
understand RFC3618 for rpf check thoroughly, understand the order of
rpf preference. understand when to make use of bgp multicast SAFI.
Understand which inter-as supports inter-as multicast, and how it
works on a 12.2S code without the mdt safi. Look for Petr’s blog on
mvpn, refer to my blog for some explanation too.
this is one of the easiest sections to score if we knw the game.

3. the important command "reload"! if you know its configured
correctly, you shudn't shy away from doing a reload.

4. join forums, there are some forums where nda stuff is brainstormed
candidly. not the right thing but it helps.

5. for first attempt, avoid locations like bangalore. in B'lore you'll
most likely get ONLY a "smile" as an answer with some ambiguous facial
expression and words to ur questions. Choose a location like brusells
etc. where u have an inhouse rack and a knowledgeable SP related
proctor.

6. avoid complex solutions, i have got real feel tht there is a high
possibility of marking the task incorrect if the proctor doesn't
understand them. its not a matter of just the output. anyways it'll
stay a mystery if something is marked incorrect so keep it simple.

7. think like a script!. take extra precautions like removing alias
etc...anything tht can affect an automated script shud be removed.
it'll hurt a lot to lose marks for such silly things so my
recommendation is to remove them once the lab is about to get over.

8. the lab will have old junk IOS codes running somewhere in the
corners, specifically added to give us a nasty ride via the buggy
road. show outputs might change after reload, so be aware for a double
check. if possible practice on few of them b4 the big day.

9. Read between the lines. Take some time out of config/keyboard, just
read and focus on the tasks thoroughly. try to think beyond the first
instinct. if it says to do something for X and Y, doing it for X,Y,Z
is wrong. in the verification you’ll see tht you successfully did it
for X and Y, but might missout looking at Z. make sure Z is left as
it is. Cryptic but shud be comprehensible as it makes a hell lot of
difference to the score! This is one of the major reasons of getting
low score in vpn section even after having proper end to end
reachability.

10. know the silly rules. there is some fictitious cut off marks below
which you can't request a reread. if u still need it, u need to create
a lot of hell with cisco. (i managed to do it b4 ;) ). So think if
it’s worth it, else move on.

reference list -
1. CCO
2. ciscopress mpls configuration on cisco IOS - very good to start
with, more related to configs than concepts/theory.
3. ciscopress mpls fundamentals - very good to start with, better for
concepts and understanding the nut bolts.
4. l2 vpn architectures - this is by far the best for L2 mpls. Very
good for the crappy OEQs.
5. ciscopress isis network desgin and Jeffdoyle's TCP/IP - covers IGP
including isis very well
6. for ATM/FR srch CCO - it has good reference for OEqs

My actual list is much longer, but these are good enough.

now the lab experience -
lab was somewhat similar to my previous attempt. i got over within
4hrs 20 mins, so i had loads of time for verification. Found few silly
missouts, corrected. Round1 of verification was over in around 2 hrs.
all 100% working. then i left the keyboard, just read the questions
again. thankfully all was ok. I started a second round of
verification, in last 15 minutes i spotted my TE tunnel was down.
WTFFFF! ...it was up an hour back...rechecked everythng dependent.
didnt dare to reload the core coz the lab was to get over soon.
prepared a list of clear commands related, applied, thankfully it came
up and stayed up. last minutes saved such important points. game over.
Got a pass in next 3 hrs. WOWW!

Vincent (SP program manager) has posted that Cisco is over with
finalizing the content for new SP lab blueprint, it will soon be
declared official.

And salute to the Lapukhovs and Scriveners who did all their IE's in
first attempt.

Cheers.

Swap
#19804 (SP,Sec)

Free Counter

Tricky Question1 - OSPF

2010-04-18T23:14:00.007+04:00

Route 1.1.1.1/32 from R1 has been advertised by iBGP to R2 and R3.
On R2 and R3 this BGP route is redistributed into OSPF using the follwing metrics -

R2 --> E1 metric 100

R3 --> E1 metric 200

R1,R2 and R3 form iBGP neighborship.

R2,R3,R4 and R5 form OSPF neighborship. Area details are given in the diagram.

Question -

Q1. On R5 what will be the next-hop for 1.1.1.1/32? Why? What is the metric of the route?

Q2. What happens if we lower the cost of R5-R4 link on R5 to 1. On R5 what will be the next-hop for 1.1.1.1/32 now? Why? What is the metric of the selected route?

Traceroute in MPLS - detailed

2010-03-10T14:25:00.005+04:00

Default Behavoir –

1. IP to MPLS : TTL is decremented by 1 and copied from IP to pushed MPLS label TTL field

(this deceremented copy doesn’t happen in case “no mpls propogate-ttl” is applied, so newly imposed Label gets a default TTL of 255 in that case)

2. MPLS to IP: TTL is checked. IF MPLS TTL is lower than IP TTL, it is copied. Else IP TTL remain intact

a. PUSH/SWAP operation – new label gets ~~the same existing TTL~~ a decremented TTL by 1.

b. POP – if inner label has higher TTL, POP’ped Label’s TTL is overwritten on inner TTL. Else left as it is.

Intermediate LSR doesn’t touch inner label, only decrements outer label.

Intermediate P routers which dont have IP route to a CE will return back the ICMP time-exceeded back onto the same LSR. This way PE1 will receive the ICMP Time-exceeded from P for CE. And Traceroute works.

1. “no mpls propogate-ttl” - newly imposed Label gets a default TTL of 255 for both switched transit traffic and locally generated traffic.

2. “forwarded” - newly imposed Label gets a default TTL of 255 for only switched transit traffic. Locally originated traffic via “trace vrf ” or “trace” command still will have a TTL of 1 imposed on the newly imposed label.

3.no mpls ip propogate-ttl local - when traffic is locally originated using “trace vrf” command or trace, if the packet becomes labeled by the local router, the new label will get 255 TTL.

Note for PE1-P-PE2 topology, packet from PE1 to PE2 is not label switched due to PHP. So the testing by disabling “local” wont give the expected result coz the packet never becomes labeled. The packet will be routed based on IP TTL and we’ll be able to see all the hops inspite having added “no mpls ip propog local”

This can be correctly tested on PE1-P1-P2-PE2 topology where PHP doesn’t apply for packetsets sent from PE1 to PE2.

Logic: If TTL copying is stopped on the first hop where packet becomes labeled, e.g. For CE1 to CE2 trace, if “no mpls propogate” is configured on PE1, this “propogate” command is no more needed anywhere else in the path coz the first hop PE1 will set the Label-TTL as 255. Even if it is reduced by 1 by each hop, it’ll never become zero to be able to retured to the initiator of the trace. This will only become Zero once the packet is ready to be switched based on IP header (when the label is removed on PE2).

Test1:

Topology CE1-PE1-P-PE2-CE2

Configured “no mpls ip propogg forwarded” on PE1.

Trace from CE1 to CE2.

1^st hop will be PE1 VRF interface.

2^nd hop will be PE2 VRF interface

3^rd will be CE2 physcial interface.

P is hidden

Test2:

^{same config –}

Topology CE1-PE1-P-PE2-CE2

Configured “no mpls ip propog forwarded” on PE1.

Trace from PE1-VRF to CE2.

All hops P, PE2 and CE2 will be visible as “local” keyword is not used.

Test3:

Topology CE1-PE1-P-PE2-CE2

Configured “no mpls ip propogg local” on PE1.

Trace from PE1-VRF to CE2.

Only PE2 and CE2 will be visible as “local” keyword now used. P is hidden.

Test4:

Topology CE1-PE1-P-PE2-CE2

Configured “no mpls ip propogg local” on PE1.

Trace from PE1 global to PE2 global.

All hops P, and PE2 will be visible as packet never becomes labeled due to PHP.

Changed topology to Topology CE1-PE1-P1-P2-PE2-CE2

Trace from PE1 global to PE2 global.

Now only P2 and PE2 are visible. P1 is hidden. Packet is labeled on PE1 with MPLS-TTL= 255. P is hidden. Packet crossed P1 and reached P2. P2 makes the packet “IP packet” by removing the label due to PHP. P2 and PE2 will reply to trace based on IP TTL.

7200a#traceroute vrf VRF 120.120.120.120

Type escape sequence to abort.

Tracing the route to 120.120.120.120

1 10.0.3.5 [MPLS: Labels 64/68 Exp 0] 232 msec 180 msec 156 msec

à local router sent the packet to 10.0.3.5 with labels 64,68 (64 is LDP and 68 is VPN)

2 10.0.5.11 [MPLS: Labels 65/68 Exp 0] 84 msec 80 msec 148 msec

à router 10.0.3.5 forwarded the packet with 65,68. (so a swapping of 64 to 65 happened)

3 120.120.120.120 124 msec * 260 msec

à router 10.0.5.11 sent an IP packet to destination router 120.120.120.120

Failed CCIE SP lab and OEQ mystery feedback!

2010-01-14T00:54:00.004+04:00

From: swap m <xxxxx@gmail.com>
Date: Thu, Jan 14, 2010 at 1:43 AM
Subject: Failed CCIE SP lab and OEQ mystery feedback!
To: Cisco certification <xxxxx@groupstudy.com>
Cc: swap m <xxxxxxx@gmail.com>

time for feedback..i'll keep everything under the NDA.. -

i got screwed on 2 things -

1. OEQs!!

2. oblivious miscalculation of time and the great proctor

oeqs were too much ..one was too ambigious, there cant be a correct answer for tht without more clarification. the proctor had no clue, he is anyway not supposed to assist in the oeqs. another oeq isnt a thing to be found in books, atleast not in the 5-6 books i have read on tht topic. after srching more, i found a reference in the RFC with no reasoning. i'll hv to test and do an analysis on it some time later once i chill down.
only one oeq was directly technically related to the lab, rest all were purely theory which have nothing to do with configuration.

now the lab..
the cisco ccie webpage says lab timing 815am to 545 pm....i never bothered to count the hours for this range..this totals as 9.5 hrs..always had an illusion tht its 8.5hrs including the lunch...a silly mirage..the exam started late, so i added the late hours thinking the lab will be over around 645pm..infact the others doing the lab did the same miscalculation and we had a cogent discussion on this thing in the lunch time!

lab was pretty difficult comparing it to any of the vendor mocklabs..atleast an 8.5 to 9 on IEWB scale.. too much stuff in the lab but i was very well prepared to beat it. the difficult part mostly went smooth other than basic issues. my lab was over in total 5.5hrs (including the oeq time) with 5-points in one subsection not wrking. i kept doing all my RnD/doc cd/multiple restarts etc. no help. i left it after trying for around 1.5 hrs. silly me still thinking tht i have 2 hrs left while in reality i had only 1 hr left...did the reverification very slowly, kept correcting..and moving forward..found many basic missouts, corrected, and all was wrking flawless, word-by-word as per the instructions..2 sections were left to be verified when the proctor came for a final stop..i still thought i have atleast an hour left! ...he simply closed all the my console sessions without letting me even do the write mem! i asked for a minute to just do wr mem but the answer was a blunt no. fair on his part, foolish on mine.

game over.

bad score in oeq, and an ok score in the lab. i dont even remember at wht stage i saved the config on which device. relating the scores to the configuration save, i missed out some of the late config changes for which i lost point the labs. i'm sure now tht SP rack is reloaded before grading, atleast for me it ws done tht way.

learning of the day - i covered a hell lot of stuff for the OEQs but it fall short in the end..and honestly i dont see much improvement in future attempts for oeq preparation..after one stage, u feel comfortable with theory but a lot of luck is needed especially for the ambiguous ones....the intent of oeqs shud be configuration related as the ccie-written is already focusing on theory but unfortunately tht's not the case.....for the lab part, my current level was pretty much sufficient for the clearing the lab, hope i can maintain the same standard for the next attempt...

thanks for the wonderful group...together we win

big best of luck to everyone gng for the lab and the awful oeqs.

Swap
#19804

Free Counter

Detailed working with Multicast InterAS support (IOS 12.0S, not 12.2S) –

2009-12-23T00:28:00.000+04:00

Detailed working with Multicast InterAS support (IOS 12.0S, not 12.2S) –

Summary –

1. PE1 initiates traffic on MDT multicast IP. Traffic passes

1. INTER-AS Option B

- Consider the MDT Default group = 232.1.1.1.

- Let’s assume PE1B initiates the MTI neighborship to PE1A.

- MDT SAFI is needed only between ASBR-to-ASBR and ASBR-PE only. Not with P.

Direction: AS55 <---<------< ----AS65 <---<-----<-----

i.) PE1B advertises the default MDT information for VPN blue using the BGP MDT SAFI with itself (PE1B) as the next hop.

ii.) ASBR1B receives the MDT SAFI information and, in turn, advertises this information to ASBR1A with itself (ASBR1B) as the next hop.

iii.) ASBR1A advertises the MDT SAFI to PE1A with itself (ASBR1A) as the next hop.

iv.) PE1A learns the source PE router, the RD, and the default MDT group address from BGP MDT SAFI updates. In addition, from the same BGP MDT SAFI updates, PE1A learns that the RPF Vector, ASBR1A, is the exit router to source PE1B RD 55:1111.

AS55 -->---->------> to AS65

v.) PE1A learns that P1A is an RPF neighbor through an IGP. PE1A then inserts the RPF Vector into the PIM join (with payload data saying “RPF VECTOR ASBR1A” and “SOURCE PE1B”) and sends the PIM join that is destined for source PE1B to P1A.

vi.) source PE1B is not reachable on P1A, but the RPF Vector ASBR1A is reachable, and the next hop is ASBR1A, as learned from the IGP running in the core. P1A then forwards the PIM join to ASBR1A.

vii.) the PIM join sent from P1A to ASBR1A contains the RPF Vector, ASBR1A. When ASBR1A receives the RPF Vector, it learns that it is ITSELF the exit router for source PE1B with RD 55:1111.

viii.) Source PE1B is not reachable on ASBR1A, but source PE1B, RD 55:1111, and group 232.1.1.1 is known from the BGP MDT SAFI updates.

ix.) ASBR1A realizes that the Proxy Vector is itself and sends a regular PIM join towards PE1B with an RPF neighbor of ASBR1B.

x.) ASBR1B passes on this Join to PE1B

2. Inter-AS Option C

i.) PE1B advertises the default MDT information for VPN blue to RR1B within the BGP MDT SAFI.

ii.) RR1B receives the MDT SAFI information, and, in turn, advertises this information to RR1A_(other AS)

iii.) RR1A receives the MDT SAFI information, and, in turn, advertises this information to PE1A.

iv.) PE1A sends a PIM Join with the Proxy Vector that identifies ASBR1A as the exit router to reach source PE1B with RD 55:1111 and Default MDT 232.1.1.1.

v.) P1A does not know how to reach PE1B. However, the PIM join with the Proxy Vector sent from PE1A identifies ASBR1A as being the exit router to reach source PE1B with RD 55:1111 and Default MDT 232.1.1.1. P1A needs to use the Proxy Vector to reach PE1B. The RPF neighbor to reach ASBR1A is through P2A. P1A, thus, forwards the PIM SSM join to P2A.

vi.) P2A does not know how to reach PE1B. However, the PIM join with the Proxy Vector sent from P1A identifies ASBR1A as being the exit router to reach source PE1B with RD 55:1111 and Default MDT 232.1.1.1. P2A uses the Proxy Vector, ASBR1A, to reach PE1B. The RPF neighbor to reach ASBR1B is through ASBR1A (that is, itself).

vii.) ASBR1A receives a PIM Join with Proxy Vector from P2A. ASBR1A realizes that the Proxy Vector is itself and sends a regular PIM join towards PE1B with an RPF neighbor of ASBR1B. The PIM joins continue hop-by-hop building the SSM Default MDT until PE1B

Issues in 12.2S Inter-AS and CSC Multicast

2009-12-23T00:15:00.002+04:00

Issues in 12.2S without Multicast VPN Inter-AS Support –

Officially InterAS OptionB, optionC and CSC multicast are not supported on any code that doesn't have MDT SAFI support.

InterAS topology used for the below explanation –

CE1----PE1—P1—ASBR1(AS1)------------(AS2)ASBR2—P2—PE2----CE2

Option A – works
1. does not require support for inter-AS MDTs. All works fine.
Option B Inter-AS – doesn't work

the Source PE address is not shared between ASs

1^st issue: PE1 (in AS1 connected to CE1) doesn't have its loopback IP address sent to the other AS (AS2). Only the loopback of ASBR1 is sent via eBGP to the other AS. Hence, P2 router on the other AS won't be able to perform successful RPF check for the PE1's loopback due to absence of routing info.
2^nd issue: when PIM join in received from CE1 to PE1, PE1 will do a route lookup in the VRF routing table for the next-hop destination. This next-hop destination should be reachable via the MTI tunnel and there should be PIM neighborship with the next-hop. But since in Option2, the next-hop is changed by the ASBR to itself, there will be a contradiction and RPF check will fail on the PE.
In an adjacent autonomous system, a PE router that wants to join a particular source of the default MDT for a given MVPN must know the originator's address of the source PE router. This presents some challenges for Option B inter-AS deployments because the originator next hop for VPNv4 routes is rewritten. The default MDT for inter-AS MVPN could not be established coz the P2 routers in other AS don't hold the PE1 routes.

Option C Inter-AS - works
1. In case of a typical deployment where RR contains all VPNv4 routes, it'll work. No issues. PE1-AS1 to PE2-AS2 MTI PIM neighborship should be up.
CSC Hierarchical VPN multicast - works

Check my blog for CSC multicast config (too much config to post here)–

http://eminent-ccie.blogspot.com/2009/11/csc-hierarchical-mpls-vpn-mvpn-csc.html

CSC Hierarchical MPLS VPN mVPN (CSC multicast)

2009-11-08T23:40:00.005+04:00

Brief Explanation -
Between the two customer BGP-AS1's, the below example is configured -
1. PIM-SM with AutoRP (and AutoRP Listener)
(we can either run PIM-SM or PIM-SSM or PIM-BIDIR; PIM-Dense is not supported in the core)
2. MSDP is used between PE1 and PE2.
3. MDT Default group 226.1.1.1

Between Carrier AS -
1. we run MDT 239.1.1.2
2. and use SSM (we can either run PIM-SM or PIM-SSM or PIM-BIDIR; PIM-Desne is not supported in the core)

CE's use sparse-dense mode. (any mode can be used including pure Dense mode).

Configs

CE1#
CE1#
CE1#
CE1#
CE1#r
Building configuration...

Current configuration : 1518 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip multicast-routing
!
!
!
!
interface Loopback0
ip address 10.156.1.1 255.255.255.255
ip pim sparse-dense-mode
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
end

CE1#ping 225.1.1.2 repeat 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 225.1.1.2, timeout is 2 seconds:

Reply to request 0 from 20.20.20.2, 1532 ms
Reply to request 0 from 20.20.20.2, 1556 ms
Reply to request 1 from 20.20.20.2, 1620 ms
Reply to request 1 from 20.20.20.2, 1712 ms
Reply to request 2 from 20.20.20.2, 1520 ms
Reply to request 2 from 20.20.20.2, 1520 ms
Reply to request 3 from 20.20.20.2, 340 ms
Reply to request 3 from 20.20.20.2, 472 ms
Reply to request 4 from 20.20.20.2, 1836 ms
Reply to request 4 from 20.20.20.2, 1864 ms
CE1#
---------------------------------------------------

PE1#r
Building configuration...

Current configuration : 3152 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf EHDF-DIC
rd 9:9
route-target export 9:9
route-target export 8:8
route-target import 9:9
route-target import 8:8
mdt default 226.1.1.1

!
ip multicast-routing
ip multicast-routing vrf EHDF-DIC
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip pim sparse-mode
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip vrf forwarding EHDF-DIC
ip address 10.10.10.254 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
no clns route-cache
!
interface FastEthernet1/1
ip address 11.11.11.1 255.255.255.0
ip pim sparse-mode
duplex auto
speed auto
mpls ip
no clns route-cache
!
router ospf 2 vrf EHDF-DIC
log-adjacency-changes
redistribute bgp 1 subnets
network 10.10.10.254 0.0.0.0 area 0
!
router ospf 1
router-id 11.11.11.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 11.11.11.1 0.0.0.0 area 0
!
router bgp 1
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 1
neighbor 4.4.4.4 update-source Loopback0
!
address-family ipv4
no neighbor 4.4.4.4 activate
no auto-summary
no synchronization
bgp redistribute-internal
bgp scan-time 5
exit-address-family
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf EHDF-DIC
redistribute ospf 2 vrf EHDF-DIC match internal external 1 external 2
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
no ip http server
!
ip pim autorp listener
ip pim send-rp-announce Loopback0 scope 255
ip pim send-rp-discovery Loopback0 scope 255
ip msdp peer 4.4.4.4 connect-source Loopback0 remote-as 1
ip msdp cache-sa-state
!
!
!
!
!
end

PE1#

------------------------

P1#r
Building configuration...

Current configuration : 2108 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip multicast-routing
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 100.100.100.100 255.255.255.255
ip pim sparse-mode
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 11.11.11.100 255.255.255.0
ip pim sparse-mode
duplex auto
speed auto
mpls ip
no clns route-cache
!
interface FastEthernet1/1
ip address 12.12.12.100 255.255.255.0
ip pim sparse-mode
duplex auto
speed auto
mpls ip
no clns route-cache
!
router ospf 1
router-id 100.100.100.100
log-adjacency-changes
network 11.11.11.100 0.0.0.0 area 0
network 12.12.12.100 0.0.0.0 area 0
network 100.100.100.100 0.0.0.0 area 0
!
ip classless
!
no ip http server
!
ip pim autorp listener
!
!
!
!
!
!

!
end

P1#

-------------------------------

CSC-CE1#
CSC-CE1#r
Building configuration...

Current configuration : 3518 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CSC-CE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip multicast-routing
no mpls traffic-eng auto-bw timers frequency 0
mpls label range 400 499
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip pim sparse-mode
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 12.12.12.2 255.255.255.0
ip pim sparse-mode
duplex auto
speed auto
mpls ip
no clns route-cache
!
interface FastEthernet1/1
no ip address
shutdown
duplex half
speed 10
no clns route-cache
!
interface Serial2/0
ip address 200.1.1.1 255.255.255.0
ip pim sparse-mode
mpls bgp forwarding
no fair-queue
serial restart-delay 0
no clns route-cache
!
!
router ospf 1
log-adjacency-changes
redistribute bgp 1 subnets
passive-interface Serial2/0
network 2.2.2.2 0.0.0.0 area 0
network 12.12.12.2 0.0.0.0 area 0
network 200.1.1.1 0.0.0.0 area 0
!
router bgp 1
bgp log-neighbor-changes
neighbor 200.1.1.200 remote-as 2
!
address-family ipv4
redistribute ospf 1 metric 888
neighbor 200.1.1.200 activate
neighbor 200.1.1.200 next-hop-self
neighbor 200.1.1.200 allowas-in
neighbor 200.1.1.200 prefix-list PFL_2.2_1.1 out
neighbor 200.1.1.200 send-label
no auto-summary
no synchronization
bgp redistribute-internal
bgp scan-time 5
exit-address-family
!
ip classless
!
no ip http server
!
ip pim autorp listener
!
!
ip prefix-list PFL_2.2_1.1 seq 5 permit 1.1.1.1/32
!
!
access-list 1 permit any
!
route-map RM_ALLOW_BGP permit 10
match ip address 1
!
route-map RM_ALLOW_BGP permit 20
!
!
!
end

CSC-CE1#

-------------------------------------

CSC-PE1#
CSC-PE1#r
Building configuration...

Current configuration : 3502 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CSC-PE1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf DU
rd 1:1
route-target export 1:1
route-target import 1:1
mdt default 239.1.1.2

!
ip multicast-routing
ip multicast-routing vrf DU
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 20.1.1.200 255.255.255.255
ip pim sparse-mode
no clns route-cache
!
interface FastEthernet0/0
no ip address
duplex half
no clns route-cache
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
speed auto
no clns route-cache
!
interface FastEthernet1/1
no ip address
shutdown
duplex half
speed auto
mpls ip
no clns route-cache
!
interface Serial2/0
ip vrf forwarding DU
ip address 200.1.1.200 255.255.255.0
ip pim sparse-mode
mpls bgp forwarding
serial restart-delay 0
no clns route-cache
!
interface Serial2/1
ip address 21.1.1.200 255.255.255.0
ip pim sparse-mode
mpls ip
serial restart-delay 0
no clns route-cache
!
!
router ospf 1
log-adjacency-changes
network 20.1.1.0 0.0.0.255 area 0
network 21.1.1.0 0.0.0.255 area 0
network 200.1.1.0 0.0.0.255 area 0
!
router bgp 2
no synchronization
bgp router-id 20.1.1.200
bgp log-neighbor-changes
bgp scan-time 5
neighbor 20.1.1.201 remote-as 2
neighbor 20.1.1.201 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 20.1.1.201 activate
neighbor 20.1.1.201 send-community extended
exit-address-family
!
address-family ipv4 vrf DU
neighbor 200.1.1.1 remote-as 1
neighbor 200.1.1.1 activate
neighbor 200.1.1.1 as-override
neighbor 200.1.1.1 send-label
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
no ip http server
!
ip pim ssm range ACL_PIM_SSM
!
!
ip access-list standard ACL_PIM_SSM
permit 239.0.0.0 0.255.255.255
!
!
!
!
end

CSC-PE1#

------------------------------------

CSC-P#
CSC-P#
CSC-P#
CSC-P#r
Building configuration...

Current configuration : 2727 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CSC-P
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip multicast-routing
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 20.1.1.1 255.255.255.255
ip pim sparse-mode
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
speed auto
no clns route-cache
!
interface FastEthernet1/1
no ip address
shutdown
duplex half
speed auto
no clns route-cache
!
interface Serial2/0
ip address 21.1.1.1 255.255.255.0
ip pim sparse-mode
mpls ip
serial restart-delay 0
no clns route-cache
!
interface Serial2/1
ip address 22.1.1.1 255.255.255.0
ip pim sparse-mode
mpls ip
serial restart-delay 0
no clns route-cache
!

router ospf 1
log-adjacency-changes
network 20.1.1.0 0.0.0.255 area 0
network 21.1.1.0 0.0.0.255 area 0
network 22.1.1.0 0.0.0.255 area 0
!
ip classless
!
no ip http server
!
ip pim ssm range ACL_PIM_SSM
!
!
ip access-list standard ACL_PIM_SSM
permit 239.0.0.0 0.255.255.255
!
!

!
!
end

CSC-P#

----------------------

CSC-PE2#
CSC-PE2#r
Building configuration...

Current configuration : 3462 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CSC-PE2
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf DU
rd 1:1
route-target export 1:1
route-target import 1:1
mdt default 239.1.1.2

!
ip multicast-routing
ip multicast-routing vrf DU
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 20.1.1.201 255.255.255.255
ip pim sparse-mode
no clns route-cache
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
speed auto
no clns route-cache
!
interface FastEthernet1/1
no ip address
shutdown
duplex half
speed auto
no clns route-cache
!
interface Serial2/0
ip address 22.1.1.201 255.255.255.0
ip pim sparse-mode
mpls ip
serial restart-delay 0
no clns route-cache
!
interface Serial2/1
ip vrf forwarding DU
ip address 201.1.1.201 255.255.255.0
ip pim sparse-mode
mpls bgp forwarding
serial restart-delay 0
no clns route-cache
!
!
router ospf 1
log-adjacency-changes
network 20.1.1.0 0.0.0.255 area 0
network 22.1.1.0 0.0.0.255 area 0
network 201.1.1.0 0.0.0.255 area 0
!
router bgp 2
no synchronization
bgp router-id 20.1.1.201
bgp log-neighbor-changes
bgp scan-time 5
neighbor 20.1.1.200 remote-as 2
neighbor 20.1.1.200 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 20.1.1.200 activate
neighbor 20.1.1.200 next-hop-self
neighbor 20.1.1.200 send-community extended
exit-address-family
!
address-family ipv4 vrf DU
neighbor 201.1.1.1 remote-as 1
neighbor 201.1.1.1 activate
neighbor 201.1.1.1 as-override
neighbor 201.1.1.1 send-label
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
no ip http server
!
ip pim ssm range ACL_PIM_SSM
!
!
ip access-list standard ACL_PIM_SSM
permit 239.0.0.0 0.255.255.255
!
!
!
!
control-plane
!
!

end

CSC-PE2#

---------------------------

CSC-CE2#r
Building configuration...

Current configuration : 3293 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CSC-CE2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip multicast-routing
no mpls traffic-eng auto-bw timers frequency 0
mpls label range 500 599
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip pim sparse-mode
ip router isis
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
no ip address
shutdown
duplex half
speed 10
no clns route-cache
!
interface FastEthernet1/1
ip address 32.32.32.3 255.255.255.0
ip pim sparse-mode
ip router isis
duplex auto
speed auto
mpls ip
!
interface Serial2/0
ip address 201.1.1.1 255.255.255.0
ip pim sparse-mode
mpls bgp forwarding
no fair-queue
serial restart-delay 0
no clns route-cache
!

!
router isis
net 49.0001.3333.3333.3333.00
is-type level-2-only
redistribute bgp 1
!
router bgp 1
bgp log-neighbor-changes
neighbor 201.1.1.201 remote-as 2
!
address-family ipv4
redistribute isis level-2 metric 777
neighbor 201.1.1.201 activate
neighbor 201.1.1.201 next-hop-self
neighbor 201.1.1.201 allowas-in
neighbor 201.1.1.201 send-label
no auto-summary
no synchronization
bgp scan-time 5
exit-address-family
!
ip classless
!
no ip http server
!
ip pim autorp listener
!
!
ip prefix-list PFL_3.3_4.4 seq 10 permit 4.4.4.4/32
!
!
!
route-map RM_ALLOW_BGP permit 10
match ip address prefix-list PFL_3.3_4.4
!
!
!

!
!
end

CSC-CE2#

-----------------

P2#
P2#
P2#r
Building configuration...

Current configuration : 2009 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip multicast-routing
no mpls traffic-eng auto-bw timers frequency 0
mpls label range 600 699
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 200.200.200.200 255.255.255.255
ip pim sparse-mode
ip router isis
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 32.32.32.200 255.255.255.0
ip pim sparse-mode
ip router isis
duplex auto
speed auto
mpls ip
!
interface FastEthernet1/1
ip address 24.24.24.200 255.255.255.0
ip pim sparse-mode
ip router isis
duplex auto
speed auto
mpls ip
!
router isis
net 49.0001.2222.2222.2222.00
is-type level-2-only
!
ip classless
!
no ip http server
!
ip pim autorp listener
!
!
!
!

!
!
end

P2#

--------------------

PE2#
PE2#
PE2#r
Building configuration...

Current configuration : 2913 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf EHDF-IMPZ
rd 8:8
route-target export 8:8
route-target export 9:9
route-target import 8:8
route-target import 9:9
mdt default 226.1.1.1

!
ip multicast-routing
ip multicast-routing vrf EHDF-IMPZ
no mpls traffic-eng auto-bw timers frequency 0
mpls label range 700 799
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip pim sparse-mode
ip router isis
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 24.24.24.4 255.255.255.0
ip pim sparse-mode
ip router isis
duplex auto
speed auto
mpls ip
!
interface FastEthernet1/1
ip vrf forwarding EHDF-IMPZ
ip address 20.20.20.254 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
no clns route-cache
!
router isis
net 49.0001.4444.4444.4444.00
is-type level-2-only
!
router bgp 1
bgp router-id 4.4.4.4
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
!
address-family ipv4
no neighbor 1.1.1.1 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf EHDF-IMPZ
neighbor 20.20.20.2 remote-as 65002
neighbor 20.20.20.2 activate
no auto-summary
no synchronization
exit-address-family
!
ip classless
!
no ip http server
!
ip pim autorp listener
ip pim send-rp-announce Loopback0 scope 255
ip pim send-rp-discovery Loopback0 scope 255
ip msdp peer 1.1.1.1 connect-source Loopback0 remote-as 1
ip msdp cache-sa-state
!
!
!
!

!
!

end

PE2#

---------------------------

CE2#
CE2#r
Building configuration...

Current configuration : 1655 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CE2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip multicast-routing
!
!
!
!
interface Loopback0
ip address 10.152.1.1 255.255.255.0
ip pim sparse-dense-mode
ip igmp join-group 225.1.1.1
!
interface FastEthernet1/0
ip address 20.20.20.2 255.255.255.0
ip pim sparse-dense-mode
ip igmp join-group 225.1.1.2
duplex auto
speed auto
!
router bgp 65002
no synchronization
bgp log-neighbor-changes
bgp scan-time 5
redistribute connected
neighbor 20.20.20.254 remote-as 1
no auto-summary
!
ip http server
ip classless
!
end

CE2#

CBWFQ and LLQ – revisited!

2009-11-04T19:59:00.001+04:00

Class based Weighted Fair queue (CBWFQ)

CBWFQ : Not supported on sub-interfaces without hierarchical policy

CBWFQ is supported on sub-interfaces if combined with a hierarchical policy with "Shaping" enabled

else only on physical

policy-map child

class voice

priority/bandw 512

policy-map parent

class class-default

shape average 2000000

service-policy child

interface ethernet0/0.1

service-policy parent -> valid

service-policy child ànot-valid if child is directly applied

Classes r defined

Static: Class-non-default ->

Will match custom traffic; BW defined statically for this class. Weight is derived from a formula in a way tht Static will supersede dynamic queue/ class.

Dynamic: Class-default->

Will be like fair-queue with dynamic queues and weights are assigned based on IP Prec values.

Note that if Shaping is enabled, CBWFQ queues will be numbered according to Traffic-shaping queue numbers and not WFQ no.

dynamic queues per Flow +higher Weight Static Queues based on the no. of flows (not classes).

CBWFQ Queue numbering Part1-:

Assuming WFQ queues = 256.

And traffic-shaping disabled

(traffis shaping not used, IF TS used, TS queues will be used to number the queues. TS queue is = 16 by default)

0-255 = WFQ dynamic

256-263 = System reserved

264 (16+8) = Priority

265 onwards = CBWFQ

Counts depend on no. of classes used. (and ACE in class?)

WFQ flows	Constant
16	64
32	64
64	57
128	30
256	16
512	8
1024	4
2048	2
4096	1

interface Serial 0/1
bandwidth 128
max-reserved-bandwidth 100 -> default 75%
no fair-queue -> disabled here, configured under class-default; manual disabling needed for interface with less than 2Mbps BW since fair-queue is default for them

hold-queue 512 out -> total buffers in all the classes combined
!
policy-map SERIAL_LINK
class HTTP
bandwidth 32

queue-limit 16 -> no .of packets to hold in this queue
class SCAVENGER

bandwidth 32 <or bandwidth percent 25>
queue-limit 24

class class-default
fair-queue -à
practically this is not needed as this class will auto treated as fair-queue. The only reason I can think of is without this, we can't use the next command of "queue-limit"

queue-limit 32->

the maximum number of packets the queue can hold, default 64

#sh service-pol int fa0/0

CBWFQ Queue numbering Part2 -:

IF TS enabled, queue number for CBWFQ starts from 25.

(0-15 = Shaping Queues ;

16-23 = System reserved;

24 (16+8) = Priority; 25 onwards = CBWFQ

Counts depends on no. of classes used. One class gives one Queue??? Test using more than one ACE inside a class)

If the idea is to allocate "bandwidth" to a few classes and then police the full policy to some specific CIR, this is not supported.

#CBWFQ : Hierarchy supported only if shaping is configured in this class

So the full policy cant be policed, instead it can be shaped when shaper will use internal Shaping queues to shape. CBWFQ needs different queues.

--------à

This problem happens even if we manually configure "fair-queue" under class-default.

It's better to use LLQ which has an inbuilt policer.

Or put shaping on the same reserved BW.

E.g2:

UDP1000 sending 4Mbps with LLQ 6Mbps

UDP1001 sending 20 MBps

Class-map: CM_UDP1000 (match-all)

140021 packets, 173906082 bytes

30 second offered rate 4140000 bps----à CBWFQ gets its 4Mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all)

190593 packets, 236716506 bytes

30 second offered rate 5669000 bps----à rest unclassified gets 6Mbps

Match: access-group 101

On 12.4 mainline( all IOS prior to 12.4(22)T:

CBWFQ leaves the unused BW for rest.

But if CBWFQ flow is more, it'll eat more and others will suffer!

On12.4(22)T, CBWFQ has inbuilt policer.

12.4(22)T onwards have Hierarchical Queueing Framework (HQF)..
In HQF images, flow-based fair-queues, configurable in both user-defined classes and class default with fair-queue, are scheduled equally (instead of by Weight). At all times, regardless of configuration, class class-default in HQF images will always have an implicit bandwidth reservation equal to the unused interface bandwidth not consumed by user-defined classes. By default, the class-default class receives a minimum of 1% of the interface or parent shape bandwidth. It is also possible to explicitly configure the bandwidth CLI in class default. URL:

http://www.cisco.com/en/US/products/hw/routers/ps341/products_tech_note09186a0080af893d.shtml

MQC equivalent of a combination of the legacy interface level Weighted
fair-queue command and the custom-queue.

This has dynamic queues + Link queus (8 in totoal) + static Queues
IOS auto calculates the no. of dynamic queues
Static Queues are defined manually. Static Queues are numbers after dynamic, then Link queus (system queus 8 in total). e.g. 32 dynamic queus means manual queues will start from 41 onward (33-40 will be link queues used for L2 keepalives and L3 routing updates)
In summary, the key point about CBWFQ is that it uses the same scheduling logic as the legacy WFQ, but user-configurable classes have a special low weight based on constant, making them more important than any dynamic conversation.

Assigned weights based on WFQ logic -Weight (dynamic)= 32384/(IP Precedence+1).

Static Weight (i) = Const * Interface_Bandwidth/Bandwith(i) ; const is inversely proportional to no. Dynamic queues.

So traffic that falls in a class with "bandwidth" keyword defined will be treated as CBWFQ. Individual Flows will be allotted individual CBWFQ queue.

Any Flows inside a class without "bandwidth" will be allotted a WFQ queue. Even if one single class is

On 12.4 mainline (behavior changed in 12.4T(22), 12.4T (22) has kind of inbuilt policer)

This is dangerous on older IOS than 12.4(22)T; if a heavy traffic is configured with "bandwidth" and class-default is left as it is.

E.g. 4 flows; each of 20Mbps; Total Link is 10Mbps; one flow is reserved for 6Mbps. Rest all flows default. (default flows will use fair-queuing with lower weight)

Working: heavy traffic will be guaranteed 6Mbps + it'll eat more based on its higher weight. Practically this went to 9.2 Mbps, other got only in Kbps.

So make sure class-default is also allocated some remaining bandwidth e.g. 3990kbps in this example.

Or the same LLQ type behavior can be achieved using shaping on the 6Mbps reserved class so that it doesn't cross a certain limit. E.g.

policy-map PM_QOS

class CM_UDP1000

bandwidth 6000

shape average 6000000

interface FastEthernet0/1

bandwidth 10000

ip address 192.168.58.1 255.255.255.0

load-interval 30

duplex auto

speed 10

no keepalive

max-reserved-bandwidth 100

service-policy output PM_QOS

On 12.4T, CBWFQ behaves as if it has an inbuilt policer for the reserved BW.
E.g1:.

UDP1000 with BW=6000kbps sending at the rate of 8MBps

UDP1001 sending at 20Mbps

In 12.4T,

WAN#sh policy-map int fa0/1

FastEthernet0/1

Service-policy input: PM_QOS_STATS

Class-map: CM_UDP1000 (match-all)

226396 packets, 281183832 bytes

30 second offered rate 5945000 bps
----à CBWFQ gets 6Mbps even when sending at 8Mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all)

146264 packets, 181659888 bytes

30 second offered rate 3864000 bps
-> other flow gets remaining 4MBps

Match: access-group 101

In 12.4 Mainline (and all IOS prior to 12.4(22)T,

WAN#sh policy-map int fa0/1

FastEthernet0/1

Service-policy input: PM_QOS_STATS

Class-map: CM_UDP1000 (match-all)

1185545 packets, 1472446890 bytes

30 second offered rate 8161000 bps ----à CBWFQ gets 8.0Mbps when sending at 8Mbps based of the higher weight

Match: access-group 100

Class-map: CM_UDP1001 (match-all)

373738 packets, 464182596 bytes

30 second offered rate 1649000 bps-> other flow get only around 2 Mbps

Match: access-group 101

LLQ - Low Latency queue

Combo of one priority + CBWFQ

LLQ on IOS has a BW parameter in the priority keyword.

PIX/ASA don't have this BW parameter. PIX/ASA don't police the Priority queue.

Max-bandwidth reserved on interface applies on both LLQ and Bandwitdh reservation.

Both the values shud be within the reserved bandwidth value. E.g. interface=10Mbps, LLQ=6000 …below e.g.

DFM(config-if)# max-reserved-bandwidth 50

Reservable bandwidth is being reduced.

Some existing reservations may be terminated.

CBWFQ: Not enough available bandwidth for all classes Available 5000 (kbps) Needed 6010 (kbps)

1 Priority - static
CBWFQ (dynamic queues per Flow +higher Weight Static Queues)

Auto enables CBWFQ on the interface for traffic not having "priority keyword"

These traffic are treated as per CBWFQ if "bandwith" is assigned

Else based on WFQ if IPP is assigned

Or just treated equally

There are some IOS where the priority command accepts without any additional kbps argument. In tht case all of the interface BW is for LLQ. This is present in IOS12.1 Cisco 7300.

policy-map SERIAL_LINK
class VOICE
priority 27
---> 27Kbps (e.g. 60 bytes L3 packet with 50 packets per second = (60-L3+7-L2)*50*8bits=26800bps = 27kbps) ; traffic exceeding this will be auto dropped based on single token bucket system

auto maps to dscp ef

class HTTP
no bandwidth
bandwidth remaining percent 33
class SCAVENGER
no bandwidth
bandwidth remaining percent 33

#sh service-pol int fa0/0

e.g. 3:

UDP1000 sending 20Mbps with LLQ 6Mbps

UDP1001 sending 5 MBps with no IPP=0

Total Link = 10Mbps

Class-map: CM_UDP1000 (match-all)

88004 packets, 109300968 bytes

30 second offered rate 6015000 bps -> 6 Mbps

Match: access-group 100

Class-map: CM_UDP1003 (match-all)

54388 packets, 67549896 bytes

30 second offered rate 3795000 bps -> 3.8 Mbps

Match: access-group 103

This means during a slight congestion LLQ doesn't fight for anything more. Instead stays within limit and other flows get the rest.

Without congestion, LLQ can go to 100% of interface BW (even when 75% is available for allotment)

1 priority queue with a defined internal policed BW + Class based Weighted Fair queue

e.g1 . 4 Flows of each 20Mbps with LLQ

Class-map: CM_UDP1000 (match-all) -> LLQ 6000kbps

30 second offered rate 5981000 bps = 5.9 Mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all) -> set ip precedence 1

30 second offered rate 846000 bps -> 846Kbps

Match: access-group 101

Class-map: CM_UDP1002 (match-all) -> set ip precedence 2

30 second offered rate 1269000 bps -> 1.26 Mbps

Match: access-group 102

Class-map: CM_UDP1003 (match-all) -> IPP 3

30 second offered rate 1693000 bps -> 1.7 Mbps

Match: access-group 103

Class-map: class-default (match-any)

97 packets, 5820 bytes

30 second offered rate 0 bps, drop rate 0 bps

e.g. 2:

UDP1000 sending 20Mbps with LLQ 6Mbps

UDP1001 sending 3 MBps with IPP1

Total Link = 10Mbps

Class-map: CM_UDP1000 (match-all) -> LLQ 6000

66054 packets, 82039068 bytes

30 second offered rate 6997000 bps -> 7mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all) -> IPP 1

26277 packets, 32636034 bytes

30 second offered rate 2811000 bps
->2.9 Mbps

Match: access-group 101

e.g. 3:

UDP1000 sending 2Mbps with LLQ 6Mbps

UDP1001 sending 20 MBps

Result:

LLQ – UDP1000 get its 2Mbps and rest 8Mbps stays free.

Rest 8 can be used by any other flow without issue.

e.g. 4:

UDP1000 sending 8Mbps with LLQ 6Mbps

UDP1001 sending 20 MBps

Class-map: CM_UDP1000 (match-all)

455068 packets, 565194456 bytes

30 second offered rate 6000000 bps ----à LLQ doesn't try to get more than 6Mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all)

288129 packets, 357856218 bytes

30 second offered rate 3810000 bps --à rest of the flows get the remaining 4 Mbps

Match: access-group 101

Dynamic route leakage between Global and VRF routing table on Cisco IOS

2009-11-03T01:09:00.001+04:00

To leak route between BGP IPv4 global routing table and any VRF table use this :

NOTE : this is only valid for BGP routes in routing table, not for other IGP routes!

#access-l 1 perm any

#route-map RM_ACL_ANY

Match ip addr 1

#ip vrf XYZ

import ipv4 unicast <max no. of routes> map RM_ACL_ANY

To stop leakage of static routes –

#no ip route static inter-vrf

à this will stop leakage between VRF/Global and VRF/VRF!

By default this leakage is allowed.

01:00:06: %IPRT-3-STATICROUTESACROSSVRF: Un-installing static route x.x.x.x/32 from global routing table with outgoing interface intx/x

PPPoE PPPoEoFR PPPoFR PPPoA PPPoEoA MFR MLPPP MLPPPoFR MLPPPoA

2009-10-23T16:00:00.002+04:00

PPPoEoFR not supported on Cisco. Found one reference in 2000 Networkers slide saying it'll pe supported in DSL Phase2 which never happened I guess till 2009!

Plain PPPoFR is supported.

Similarly on ATM,

PPPoA is supported.

PPPoEoA (PPPoE over ATM) is also supported.

MLPPPoA and MLPPPoFR are supported.

---

PPPoE

Server Config		Client Config
define BBA group and attach Virtual-template
bba-group pppoe BBA_GRP_PPPoE_SERVER		interface FastEthernet0/0
virtual-template 1		no ip address
!		duplex auto
create loopback for Virtual-template addressing		speed auto
interface Loopback1		pppoe enable
ip address 1.1.1.1 255.255.255.255		"pppoe-client" dial-pool-number 1
!		no clns route-cache
enable PPPoE on WAN interface		!
interface FastEthernet0/0		!
ip address 10.1.1.1 255.255.255.252		interface Dialer0
duplex auto		ip address negotiated
speed auto		dialer persistent à this is needed if no dialer list is being used. This means interface can be brought up without interesting traffic
pppoe enable group BBA_GRP_PPPoE_SERVER		option2: ip addr dhcp or ip addr x y
no clns route-cache		ip mtu 1492
!		encapsulation ppp
Virtual-Access "member" interface is cloned from the Virtual-Template interface when the PPP connection comes up. Therefore the Virtual-Template interface itself will always be in the down/down state.		dialer pool 1
interface Virtual-Template1		ppp ipcp route default -> if Server should provide a default route
ip unnumbered Loopback1		ppp chap hostname CLIENT1 ppp chap password *****
peer default ip address pool POOL_PPPoE -> not needed if DHCP is used to provide IP or if Static IP is used on the Client side		or ppp eap ident CLIENT1 ppp eap password ****
ppp authentication chap user CLIENT1 pass **** user CLIENT1 priv 0		!
or ppp authentication eap ppp eap local

!
ip local pool POOL_PPPoE 10.1.1.2

if DHCP has to be used
ip dhcp pool CE1
network 12.12.12.0 255.255.255.0

---------

PPPoFR

PPP can be configured either on physical interface or p2p PVC.

Dialer interfaces can't be used !! (Dialer can be used in PPPoE and ATM)

R1-Server:

interface Serial1/0

no ip address

encapsulation frame-relay

interface Serial1/0.102 point-to-point

no ip addr

frame-relay interface-dlci 102 ppp Virtual-Template2

interface Virtual-Template2

ip address 11.1.1.1 255.255.255.252 or ip unnumbered

no peer default ip address

or peer default ip addr pool <POOL_PPPoFR>

R2-Client:

interface Serial1/0

no ip address

encapsulation frame-relay

frame-relay interface-dlci 201 ppp Virtual-Template1

no frame-relay inverse-arp

interface Virtual-Template1

ip address 11.1.1.2 255.255.255.252

or ip addr negotiated

---------

Multilink PPPoFR

R1-Server:

interface Multilink1

ip address 11.1.1.1 255.255.255.252 ----à ip is defined on Multilink interface

ppp multilink

ppp multilink group 1 --à
VT and multilink interfaces are tied together with multilink group #

interface Serial1/0

no ip address

encapsulation frame-relay

frame-relay traffic-shaping
---à must enable this else error -
%FR-3-MLPOFR_ERROR: MLPoFR not configured properly on Link Virtual-Access1 Bundle Multilink1 :Frame Relay traffic shaping must be enabled

Frame Relay traffic shaping must be enabled for MLPoFR PVCs on the Frame Relay router.

http://www.cisco.com/en/US/tech/tk1077/technologies_tech_note09186a00800b6098.shtml

interface Serial1/0.102 point-to-point

frame-relay interface-dlci 102 ppp Virtual-Template2

interface Serial1/0.112 point-to-point

frame-relay interface-dlci 112 ppp Virtual-Template2 --à
both PVC will point to the same VT interf

interface Virtual-Template2

ip unnumbered Loopback1 -> no ip assigned to VT or unnumbered loopback

no peer default ip address

ppp multilink

ppp multilink group 1

R2-Client:

interface Multilink1

ip address 11.1.1.2 255.255.255.252 (or ip addr negotiated)

ppp multilink

ppp multilink group 1

interface FastEthernet0/0

interface Serial1/0

no ip address

encapsulation frame-relay

frame-relay traffic-shaping

frame-relay interface-dlci 201 ppp Virtual-Template1

no frame-relay inverse-arp

frame-relay lmi-type ansi

interface Serial1/1

no ip address

frame-relay traffic-shaping

encapsulation frame-relay

frame-relay interface-dlci 212 ppp Virtual-Template1

interface Virtual-Template1

no ip address

ppp multilink

ppp multilink group 1

--------------------

PPPoA

(this is different than PPPoE over ATM; this is plain PPPoA)

Method 1: using Virtual-Template

interface ATM1/0.809 multipoint

no atm enable-ilmi-trap

pvc 0/809

encapsulation aal5snap

protocol ppp Virtual-Template1

interface Virtual-Template2

ip address unnumbered loopback0

no peer default ip address

or peer default ip addr pool <POOL_PPPoA>

Method 2: using Dialers

interface ATM1/0.789 multipoint

no atm enable-ilmi-trap

pvc 0/708

encapsulation aal5snap

protocol ppp dialer

dialer pool-member 8

interface Dialer8

ip unnumbered Loopback789

encapsulation ppp

dialer pool 8

dialer-group 1

peer default ip address pool R8

no clns route-cache

ip local pool R8 10.1.1.8

dialer-list 1 protocol ip permit

---------------------------------

Multilink PPPoA

Similar to Multilink PPPoFR

http://www.cisco.com/en/US/tech/tk1077/technologies_tech_note09186a00800b6098.shtml

int s1/0.1 p

pvc 0/100

encap aal5snap

protocol ppp virtual-temp 1

int s2/0.1 p

pvc 0/200

encap aal5snap

protocol ppp virtual-tem 1

int virtual-temp 1

multilink ppp

[ multilink ppp interleave]

[multilink ppp fragment 10]

ip uunum lo0

multilink-group 1

int mul1

ip addr 200.1.1.1

etc.

---------

Plain Multilink PPP on Serial

int multilink1

ip address 132.32.34.4 255.255.255.0

ppp multilink
à by default added by IOS

multilink-group 1
à by default added by IOS

int s1/1

encap ppp

ppp multilink-group 1

int s2/1

encap ppp

ppp multilink-group 1

---------

Multilink FR Interfaces using MFR interface

R1 and R2 connected back to back via redundant links

R1-S1/1 ------ßà---- S1/1-R2

R1-S2/0 --- ßà---S2/0-R2

On R1

interface Serial1/1

no ip address

encapsulation frame-relay MFR1

serial restart-delay 0

no dce-terminal-timing-enable

no arp frame-relay

interface Serial2/0

no ip address

encapsulation frame-relay MFR1

serial restart-delay 0

no dce-terminal-timing-enable

no arp frame-relay

interface MFR1

no ip address

interface MFR1.1 point-to-point

ip address 192.168.100.1 255.255.255.252

frame-relay interface-dlci 122

interface MFR1.2 point-to-point

ip address 192.168.200.1 255.255.255.252

frame-relay interface-dlci 123

On R2

interface MFR1

no ip address

no frame-relay inverse-arp

frame-relay intf-type dce

interface MFR1.1 point-to-point

ip address 192.168.100.2 255.255.255.252

frame-relay interface-dlci 122

interface MFR1.2 point-to-point

ip address 192.168.200.2 255.255.255.252

frame-relay interface-dlci 123

interface Serial1/1

no ip address

encapsulation frame-relay MFR1

serial restart-delay 0

no dce-terminal-timing-enable

no arp frame-relay

interface Serial2/0

no ip address

encapsulation frame-relay MFR1

serial restart-delay 0

no dce-terminal-timing-enable

no arp frame-relay

PER VRF TE TUNNEL

2009-09-30T14:36:00.006+04:00

If there is a requirement to have a TE tunnel per VRF, we need to use the BGP-next hop trick.
- Three VPNs are configured on R1(CE1) and R7(CE2).
- Three TE tunnels are created between R2(PE1) and R6(PE6) using the same global Loopback IP.
- VPN1 traffic goes via the TE tunnel CE1-R2-R3-R6-CE2 in both directions
- VPN2 traffic goes via the TE tunnel CE1-R2-R4-R6-CE2 in both directions
- VPN3 traffic goes via the TE tunnel CE1-R2-R5-R6-CE2 in both directions

In case of failure of any one tunnel, traffic will auto switch to any other tunnel. Autroute is used for this purpose on all tunnels + Static route is used to force the respective tunnel when the respective tunnel is up.
BGP next-hop method is used to separate the BGP next-hops per VRF. Three separate Loopbacks have been created. This method has a few disadvantages including the AS_PATH information loss. So kind of not recommended.
Targeted LDP is needed since BGP-NEXT hop is different than TE tunnel IP addr.

Config:
ip vrf VPN1
rd 1:1
route-target export 1:1
route-target import 1:1
bgp next-hop Loopback1-> dedicated Loopback for VPN1; this is used and sent as the BGP next-hop.
!
ip vrf VPN2
rd 1:2
route-target export 1:2
route-target import 1:2
bgp next-hop Loopback2-> dedicated Loopback for VPN1; this is used and sent as the BGP next-hop as well.
!
ip vrf VPN3
rd 1:3
route-target export 1:3
route-target import 1:3
bgp next-hop Loopback3-> dedicated Loopback for VPN1; this is used and sent as the BGP next-hop as well.
!
mpls traffic-eng tunnels
!
interface Tunnel0
description ## TE_VPN1_VIA_P3 ##
ip unnumbered Loopback0 -------------> tunnel using the shared global Loopback
mpls ip
tunnel destination 6.6.6.6 -------------> tunnel using the shared global Loopback
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce -------> other routing optins can be used
tunnel mpls traffic-eng priority 7 7
tunnel mpls traffic-eng bandwidth 500
tunnel mpls traffic-eng path-option 1 explicit name TE_VPN1_VIA_P3
no clns route-cache
!
interface Tunnel1
ip unnumbered Loopback0
mpls ip
tunnel destination 6.6.6.6
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 1 explicit name TE_VPN2_VIA_P4
no clns route-cache
!
interface Tunnel2
ip unnumbered Loopback0
mpls ip
tunnel destination 6.6.6.6
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 1 explicit name TE_VPN3_VIA_P5
no clns route-cache
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip router isis
!
interface Loopback1
ip address 10.254.254.1 255.255.255.255 -> dedicated Loopback for VPN1; this is used and sent as the BGP next-hop as well.
ip router isis
!
interface Loopback2
ip address 11.254.254.1 255.255.255.255 -> dedicated Loopback for VPN2; this is used and sent as the BGP next-hop as well.
ip router isis
!
interface Loopback3
ip address 12.254.254.1 255.255.255.255 -> dedicated Loopback for VPN3; this is used and sent as the BGP next-hop as well.
ip router isis
!
interface Ethernet1/0
ip vrf forwarding VPN1
ip address 10.1.1.2 255.255.255.0
duplex full
no clns route-cache
!
interface Ethernet1/1
ip vrf forwarding VPN2
ip address 11.1.1.2 255.255.255.0
duplex full
no clns route-cache
!
interface Ethernet1/2
ip vrf forwarding VPN3
ip address 12.1.1.2 255.255.255.0
duplex full
no clns route-cache
!
interface Serial2/0
ip address 23.23.23.1 255.255.255.0
ip router isis
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
ip rsvp bandwidth 700
!
interface Serial2/1
ip address 24.24.24.1 255.255.255.0
ip router isis
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
ip rsvp bandwidth
!
interface Serial2/2
ip address 25.25.25.1 255.255.255.0
ip router isis
mpls traffic-eng tunnels
mpls ip
serial restart-delay 0
ip rsvp bandwidth
!
router ospf 2 vrf VPN1
log-adjacency-changes
redistribute bgp 1 subnets
network 10.0.0.0 0.255.255.255 area 0
!
router ospf 3 vrf VPN2
log-adjacency-changes
redistribute bgp 1 subnets
network 11.0.0.0 0.255.255.255 area 0
!
router ospf 4 vrf VPN3
log-adjacency-changes
redistribute bgp 1 subnets
network 12.0.0.0 0.255.255.255 area 0
!
router isis
net 49.1111.1111.1111.00
metric-style wide
mpls traffic-eng router-id Loopback0
mpls traffic-eng level-1
!
router bgp 1
bgp router-id 1.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 6.6.6.6 remote-as 1
neighbor 6.6.6.6 update-source Loopback0
!
address-family ipv4
neighbor 6.6.6.6 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN3
redistribute ospf 4 vrf VPN3
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN2
redistribute ospf 3 vrf VPN2
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute ospf 2 vrf VPN1
no auto-summary
no synchronization
exit-address-family
!
ip classless
ip route 20.254.254.6 255.255.255.255 Tunnel0 -> static route for the other side's received BGP-Next-hop
ip route 21.254.254.6 255.255.255.255 Tunnel1
ip route 22.254.254.6 255.255.255.255 Tunnel2
!
no ip http server
!
!
ip explicit-path name TE_VPN1_VIA_P3 enable
next-address 23.23.23.3
next-address 36.36.36.6
next-address 6.6.6.6
!
ip explicit-path name TE_VPN2_VIA_P4 enable
next-address 24.24.24.4
next-address 46.46.46.6
next-address 6.6.6.6
!
ip explicit-path name TE_VPN3_VIA_P5 enable
next-address 25.25.25.5
next-address 56.56.56.6
next-address 6.6.6.6

OSPF capability VRF-Lite Command, down-bit and domain-tag

2009-09-28T13:35:00.004+04:00

OSPF capability VRF-Lite Command, down-bit and domain-tag

Details-

MP-BGP sets the Downbit or Domain TAG when redistributing from MP-BGP into OSPF. VRF-based-OSPF only performs the checking, (also forwards them) but doesn't set them.
Whenever OSPF is enabled via a VRF process, by default the process becomes "no capability vrf-lite" which means DOWN-BIT and DOMAIN-TAG checks are turned ON.
When checking is enabled –

If the DN bit is set, the Type-3 LSA is not considered during the SPF calculation.
If the Tag in the LSA is equal to the VPN-tag, the Type-5 or-7 LSA is not considered during the SPF calculation.

When Domain ID on PE's are same, when MP-BGP redistributes routes into OSPF as Type3 LSA, it sets the DOWN-BIT
When domain ID of PE's are different, MP-BGP sets DOMAIN-TAG = Local BGP AS no.
The down bit is not set because LSA Type 5 does not support the down bit.
When the route is redistributed into another OSPF domain, the tag field is propagated. Another PE router running OSPF-VRF-process receives the external OSPF route and filters the route based on the tag field. The tag field matches the AS number so the route is not redistributed into MP-BGP.
When a normal CE with plain OSPF (without VRF) router receives a Type3-LSA or Type-5LSA with downbit/DomainTag set from a PE (PE has MP-BGP so PE will set downbit or Domaintag), it doesn't perform any check on the LSA and is allowed to forward the LSA to other neighbors.
In case of VRF based CE , the case is different. In VRF mode, OSPF-VRF processes will autocheck the DownBit and domaintag and filters accordingly. This means it will not forward a Type3 LSA to anybody. In case of Type7, it'll forward the same domain tag further. IF this forwarded Type-7LSA is passed onto MP-BGP at somepoint of time, the MP-BGP enabled router will check the LSA against it's own AS and will drop the LSA if Domain-TAG matches its own AS.

QoS – Congestion Management demystified!!

2009-09-24T16:16:00.002+04:00

no. of queues

command

detail

Priority Queue

Play with 4 static queues based on high, med, normal, low

4 static

priority-list 1 protocol ip high list 101
priority-list 1 protocol ip medium gt 120
access-lists 101 permit ip any 150.1.1.0 0.0.0.127

int fa0/0
priority-group 1

#show queueing interface fa0/0

#sh queueing priority

High – will always be serviced before other…downward
Medium
Normal
Low

Custom queue

Play with 16 static queues based on byte-count and packet count.

16 Static

access-list 101 permit ip any 150.1.1.0 0.0.0.127
queue-list 1 protocol ip 1 list 101
queue-list 1 protocol ip 2 tcp 80
…..
queue-list 1 queue 6 limit 100 -> the no. of packets tht can be queued =100 (default 20 packets can be queued)
queue-list 1 queue 6 byte-count 2000 -> 2000 bytes will be served b4 moving to next queue (default 1500 bytes)

int fa0/0

custom-queue-list 1

#show queueing interface fa0/0

#sh queueing custom

where frames in each queue are serviced until a byte-counter limit threshold is met. Once this byte-count limit threshold is met, the frames in the next queue are serviced

Weighted Fair queue or

Fair queue

This queuing strategy only makes sense if IPP is used. Else it behaves exactly like FIFO. Using IPP assigns weights and thereby customizes the flow.

Or if CDT is configured.

Even without IPP values, WFQ works dynamically based on source/dest ip/port. Such flows are assigned a queue. Multiple flows can share one same queue if there are more flows. Each queue is given a chance. Kind of multi door exit.

For better control:

Pre-mark the traffic with IP Precedence value. The better the precedence, the less the weight and the more priority the traffic gets.

Dynamic queues but still the count can be manually configured; tune the CDT value to drop packets from any queue that crosses a certain limit.

dynamic queues per Flow/converation

256 by default

(16-4096 permitted manually)

Weight=

32384 *(IPP+1)

Default weight = 32384 (IPP=0)

int s0/0
hold-queue <N> out --> total max buffer in all queues ; Outbound software queue length of N
packets

hold-queue 256 out

fair-queue <CDT> <N Flow Queues> <N Reservable Queues>.

fair-queue 16 128 8

16 -> each queue can hold 16 packets. This changes the CDT congestive discard threshold (CDT), instead of the default 64.

128 -> no. of queues;

0 -> The 0 at the end says that there is no queues being used with RSVP (Resource Reservation Protocol).

IF any queue crosses 16 packets, one packet from the most aggressive queue will be dropped (this can be any other queue also).

EHDF-PMM-RTR1#sh queueing fair

Current fair queue configuration:

Interface Discard Dynamic Reserved Link Priority

threshold queues queues queues queues

Serial0/2/0 64 256 0 8 1

#sh queueing s2/0 -à remember this queue is different than the Traffic-shaping queue. TS queue is shown using #sh traffic-shape queu

DFM#sh queue fastEthernet 0/1

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3945592

Queueing strategy: weighted fair

Output queue: 47/1000/64/3945592 (size/max total/threshold/drops)

Conversations 1/2/16 (active/max active/max total)

1-> only one conversation queued currently (at tht very second)

2-> max-queued at any given second

16-> max-queues defined using "fair-q 64 16 0)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 7500 kilobits/sec

(depth/weight/total drops/no-buffer drops/interleaves) 47/32384/3526957/0/0

Conversation 7, linktype: ip, length: 62

source: 169.253.10.2, destination: 192.168.58.2, id: 0x5B67, ttl: 127, prot: 17

Default for all interfaces less than E1 line 2.048Mbps

IOS implementation of WFQ assigns weights automatically based on the IP Precedence (IPP) value in the packet's IP header.

Weight(1) = 32384/(0+1) = 32384
Weight(2) = 32384/(1+1) = 16192
..
Step 2:
Compute the sum of all weights:
Sum(Weight(i),1…4) = 32384+16192*2+8096 = 72864
Step 3:
Compute the shares:
Share(1) = 72864/Weight(1) = 72864/32384 = 2.25
Share(2) = 72864/Weight(2) = 72864/16192 = 4.5
Share(3) = 72864/Weight(3) = 72864/16192 = 4.5
Share(4) = 72864/Weight(4) = 72864/8096 = 9
The proportion is 2.25:4.5:4.5:9 = 1:2:2:4

once any Queue crosses the CDT value, one packet is dropped is dropped in any queue tht has the maximum schedule time i.e. the most aggressive queue. This is kind of similar to WRED

During congestion,

IF one flow of 96kbps is assigned IP PREC = 5

Other flow of 500kbps is assigned IP PREC = 0 (default)

The ratio of flow = 32765(1+5):32384(1+0) = 6:1

So packets of 96kbps will be sent 6 times and 500kbps will be sent one time. This rate only depends on IP PREC Value and not the received throughput. Even if the traffic received is 1mbps for IPPREC-0, the ratio will still stay same.

Thts the purpose of WFQ!!

--------------------------------

Test:

policy-map PM_MARK

class CM_TELNET

set ip precedence 5

class CM_UDP1000

set ip precedence 4

class CM_UDP1001

set ip precedence 1

class CM_UDP1002

set ip precedence 2

class CM_UDP1003

set ip precedence 3

The below stats are taken at different timeperiods. Shows tht queues are totally dynamic and the flow changes every second. Conversation 11 is assigned for UDP1000 and 1002 wheres their IPP values are different..

DFM#sh queue fastEthernet 0/1

(depth/weight/total drops/no-buffer drops/interleaves) 426/10794/92394/13989/0

Conversation 11, linktype: ip, length: 1242

source: 169.253.10.2, destination: 192.168.58.2, id: 0x6213, ttl: 127,

TOS: 64 prot: 17, source port 4932, destination port 1002

(depth/weight/total drops/no-buffer drops/interleaves) 571/8096/15724/2483/0

Conversation 2, linktype: ip, length: 1242

source: 169.253.10.2, destination: 192.168.58.2, id: 0x6218, ttl: 127,

TOS: 96 prot: 17, source port 4938, destination port 1003

(depth/weight/total drops/no-buffer drops/interleaves) 517/6476/157534/24106/0

Conversation 11, linktype: ip, length: 1242

source: 169.253.10.2, destination: 192.168.58.2, id: 0xF60C, ttl: 127,

TOS: 128 prot: 17, source port 4934, destination port 1000

Class based Weighted Fair queue (CBWFQ)

CBWFQ : Not supported on sub-interfaces without hierarchical policy

CBWFQ is supported on sub-interfaces if combined with a hierarchical policy with "Shaping" enabled

else only on physical

policy-map child

class voice

priority/bandw 512

policy-map parent

class class-default

shape average 2000000

service-policy child

interface ethernet0/0.1

service-policy parent -> valid

service-policy child ànot-valid if child is directly applied

Classes r defined

Static: Class-non-default ->

Will match custom traffic; BW defined statically for this class. Weight is derived from a formula in a way tht Static will supersede dynamic queue/ class.

Dynamic: Class-default->

Will be like fair-queue with dynamic queues and weights are assigned based on IP Prec values.

Note that if Shaping is enabled, CBWFQ queues will be numbered according to Traffic-shaping queue numbers and not WFQ no.

dynamic queues per Flow +higher Weight Static Queues based on the no. of flows (not classes).

CBWFQ Queue numbering Part1-:

Assuming WFQ queues = 256.

And traffic-shaping disabled

(traffis shaping not used, IF TS used, TS queues will be used to number the queues. TS queue is = 16 by default)

0-255 = WFQ dynamic

256-263 = System reserved

264 (16+8) = Priority

265 onwards = CBWFQ

Counts depend on no. of classes used. (and ACE in class?)

WFQ flows	Constant
16	64
32	64
64	57
128	30
256	16
512	8
1024	4
2048	2
4096	1

queue-limit 32->

the maximum number of packets the queue can hold, default 64

#sh service-pol int fa0/0

CBWFQ Queue numbering Part2 -:

IF TS enabled, queue number for CBWFQ starts from 25.

(0-15 = Shaping Queues ;

16-23 = System reserved;

24 (16+8) = Priority; 25 onwards = CBWFQ

Counts depends on no. of classes used. One class gives one Queue??? Test using more than one ACE inside a class)

If the idea is to allocate "bandwidth" to a few classes and then police the full policy to some specific CIR, this is not supported.

#CBWFQ : Hierarchy supported only if shaping is configured in this class

So the full policy cant be policed, instead it can be shaped when shaper will use internal Shaping queues to shape. CBWFQ needs different queues.

--------à

This problem happens even if we manually configure "fair-queue" under class-default.

It's better to use LLQ which has an inbuilt policer.

Or put shaping on the same reserved BW.

E.g2:

UDP1000 sending 4Mbps with LLQ 6Mbps

UDP1001 sending 20 MBps

Class-map: CM_UDP1000 (match-all)

140021 packets, 173906082 bytes

30 second offered rate 4140000 bps----à CBWFQ gets its 4Mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all)

190593 packets, 236716506 bytes

30 second offered rate 5669000 bps----à rest unclassified gets 6Mbps

Match: access-group 101

On 12.4 mainline:

CBWFQ leaves the unused BW for rest.

But if CBWFQ flow is more, it'll eat more and others will suffer!

On12.4T, CBWFQ has inbuilt policer.

Assigned weights based on WFQ logic -Weight (dynamic)= 32384/(IP Precedence+1).

Static Weight (i) = Const * Interface_Bandwidth/Bandwith(i) ; const is inversely proportional to no. Dynamic queues.

So traffic that falls in a class with "bandwidth" keyword defined will be treated as CBWFQ. Individual Flows will be allotted individual CBWFQ queue.

Any Flows inside a class without "bandwidth" will be allotted a WFQ queue. Even if one single class is

On 12.4 mainline (behavior changed in 12.4T(24), 12.4T (24) has kind of inbuilt policer)

This is dangerous if a heavy traffic is configured with "bandwidth" and class-default is left as it is.

E.g. 4 flows; each of 20Mbps; Total Link is 10Mbps; one flow is reserved for 6Mbps. Rest all flows default. (default flows will use fair-queuing with lower weight)

Working: heavy traffic will be guaranteed 6Mbps + it'll eat more based on its higher weight. Practically this went to 9.2 Mbps, other got only in Kbps.

So make sure class-default is also allocated some remaining bandwidth e.g. 3990kbps in this example.

Or the same LLQ type behavior can be achieved using shaping on the 6Mbps reserved class so that it doesn't cross a certain limit. E.g.

policy-map PM_QOS

class CM_UDP1000

bandwidth 6000

shape average 6000000

interface FastEthernet0/1

bandwidth 10000

ip address 192.168.58.1 255.255.255.0

load-interval 30

duplex auto

speed 10

no keepalive

max-reserved-bandwidth 100

service-policy output PM_QOS

On 12.4T, CBWFQ behaves as if it has an inbuilt policer for the reserved BW.
E.g1:.

UDP1000 with BW=6000kbps sending at the rate of 8MBps

UDP1001 sending at 20Mbps

In 12.4T,

WAN#sh policy-map int fa0/1

FastEthernet0/1

Service-policy input: PM_QOS_STATS

Class-map: CM_UDP1000 (match-all)

226396 packets, 281183832 bytes

30 second offered rate 5945000 bps
----à CBWFQ gets 6Mbps even when sending at 8Mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all)

146264 packets, 181659888 bytes

30 second offered rate 3864000 bps
-> other flow gets remaining 4MBps

Match: access-group 101

In 12.4 Mainline,

WAN#sh policy-map int fa0/1

FastEthernet0/1

Service-policy input: PM_QOS_STATS

Class-map: CM_UDP1000 (match-all)

1185545 packets, 1472446890 bytes

30 second offered rate 8161000 bps ----à CBWFQ gets 8.0Mbps when sending at 8Mbps based of the higher weight

Match: access-group 100

Class-map: CM_UDP1001 (match-all)

373738 packets, 464182596 bytes

30 second offered rate 1649000 bps-> other flow get only around 2 Mbps

Match: access-group 101

LLQ - Low Latency queue

Combo of one priority + CBWFQ

LLQ on IOS has a BW parameter in the priority keyword.

PIX/ASA don't have this BW parameter. PIX/ASA don't police the Priority queue.

Max-bandwidth reserved on interface applies on both LLQ and Bandwitdh reservation.

Both the values shud be within the reserved bandwidth value. E.g. interface=10Mbps, LLQ=6000 …below e.g.

DFM(config-if)# max-reserved-bandwidth 50

Reservable bandwidth is being reduced.

Some existing reservations may be terminated.

CBWFQ: Not enough available bandwidth for all classes Available 5000 (kbps) Needed 6010 (kbps)

1 Priority - static
CBWFQ (dynamic queues per Flow +higher Weight Static Queues)

Auto enables CBWFQ on the interface for traffic not having "priority keyword"

These traffic are treated as per CBWFQ if "bandwith" is assigned

Else based on WFQ if IPP is assigned

Or just treated equally

There are some IOS where the priority command accepts without any additional kbps argument. In tht case all of the interface BW is for LLQ. This is present in IOS12.1 Cisco 7300.

auto maps to dscp ef

class HTTP
no bandwidth
bandwidth remaining percent 33
class SCAVENGER
no bandwidth
bandwidth remaining percent 33

#sh service-pol int fa0/0

e.g. 3:

UDP1000 sending 20Mbps with LLQ 6Mbps

UDP1001 sending 5 MBps with no IPP=0

Total Link = 10Mbps

Class-map: CM_UDP1000 (match-all)

88004 packets, 109300968 bytes

30 second offered rate 6015000 bps -> 6 Mbps

Match: access-group 100

Class-map: CM_UDP1003 (match-all)

54388 packets, 67549896 bytes

30 second offered rate 3795000 bps -> 3.8 Mbps

Match: access-group 103

This means during a slight congestion LLQ doesn't fight for anything more. Instead stays within limit and other flows get the rest.

Without congestion, LLQ can go to 100% of interface BW (even when 75% is available for allotment)

1 priority queue with a defined internal policed BW + Class based Weighted Fair queue

e.g1 . 4 Flows of each 20Mbps with LLQ

Class-map: CM_UDP1000 (match-all) -> LLQ 6000kbps

30 second offered rate 5981000 bps = 5.9 Mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all) -> set ip precedence 1

30 second offered rate 846000 bps -> 846Kbps

Match: access-group 101

Class-map: CM_UDP1002 (match-all) -> set ip precedence 2

30 second offered rate 1269000 bps -> 1.26 Mbps

Match: access-group 102

Class-map: CM_UDP1003 (match-all) -> IPP 3

30 second offered rate 1693000 bps -> 1.7 Mbps

Match: access-group 103

Class-map: class-default (match-any)

97 packets, 5820 bytes

30 second offered rate 0 bps, drop rate 0 bps

e.g. 2:

UDP1000 sending 20Mbps with LLQ 6Mbps

UDP1001 sending 3 MBps with IPP1

Total Link = 10Mbps

Class-map: CM_UDP1000 (match-all) -> LLQ 6000

66054 packets, 82039068 bytes

30 second offered rate 6997000 bps -> 7mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all) -> IPP 1

26277 packets, 32636034 bytes

30 second offered rate 2811000 bps
->2.9 Mbps

Match: access-group 101

e.g. 3:

UDP1000 sending 2Mbps with LLQ 6Mbps

UDP1001 sending 20 MBps

Result:

LLQ – UDP1000 get its 2Mbps and rest 8Mbps stays free.

Rest 8 can be used by any other flow without issue.

e.g. 4:

UDP1000 sending 8Mbps with LLQ 6Mbps

UDP1001 sending 20 MBps

Class-map: CM_UDP1000 (match-all)

455068 packets, 565194456 bytes

30 second offered rate 6000000 bps ----à LLQ doesn't try to get more than 6Mbps

Match: access-group 100

Class-map: CM_UDP1001 (match-all)

288129 packets, 357856218 bytes

30 second offered rate 3810000 bps --à rest of the flows get the remaining 4 Mbps

Match: access-group 101

OSPF States and related troubleshooting

2009-09-24T14:14:00.002+04:00

Neighbor States
state = down
state = init -> multicast reachability issue
state = 2-way ->
2WAY/DROTHER is ok between non DR/BDRs
For two-way communication to be established with a neighbor, a router also must see its own Router ID in the Neighbor field of the neighbor's HELLO packets.
state = exstart -> MTU mismatch ; The router with the higher router ID becomes the master and starts the exchange, and as such, is the only router that can increment the sequence number. Note that one would logically conclude that the DR/BDR with the highest router ID will become the master during this process of master-slave relation. Remember that the DR/BDR election might be purely by virtue of a higher priority configured on the router instead of highest router ID.
Thus, it is possible that a DR plays the role of slave. And also note that master/slave election is on a per-neighbor basis
state = exchange
state = loading -> uncommon, open TAC
state = Full
fully adjacent with routers with which they have successfully completed the database synchronization process.

ISIS Authentication types

2009-09-24T13:54:00.003+04:00

ISIS Authentication

- "key" keyword is mandatory for inserting a MD5 password.

- must use interface level commands to insert password into Hello – either "isis authentication-key" or "isis-password".

Method	Clear Text	MD5	Password inserted into	Password inserted into	Password inserted into	Password inserted into
Method	Clear Text	MD5	LSP	CSNP	PSNP	Hello
router isis (config-router)#area-password [authenticate snp {validate send-only}] Between same area; only insert a password in level-1 LSPs, CSNPs and PSNPs; Not Hello authenticate snp à mandatory to insert password in CSNP and PSNP, else only LSP will have password insterted. Validate à mandatory if received packets has to be checked for password. If not used, received packets are not checked, send-only à will only be sent	yes	no	yes	yes	yes	no
router isis (config-router)#domain-password [authenticate snp {validate send-only}] Between different areas; only insert a password in level-2 LSPs, CSNPs and PSNPs; Not Hello Same logic for "authenticate snp"	yes	no	yes	yes	yes	no
(config-router)#authentication-key Inserts password into all LSPs, CSNPs and PSNPs; Not Hello	yes	yes	yes	yes	yes	no
(config-if)isis authentication-key only applies a password into hello packets. Can be either clear or MD5	yes	yes	no	no	no	yes
Interface level (config-if)#isis password can enable the password for Level 1, Level 2, or both Level 1/Level 2-(default), only for Hello.	yes	no	no	no	no	yes

Authentication mode command overrides area and domain pwds.

Over point-to-point interfaces, only one hello packet is sent for Level 1/Level 2 adjacencies। On those interfaces, the same password must be configured as a Level 1 and Level 2 password।

"area-password" and "domain-password" can be used to control the insertion of passwords into CSNP+PSNP specifically and LSPs। By playing with the "authenticate-snp" keyword.

"authentication-key" will insert password in CSNP, PSNP and LSP at the same time. No specific selection. We can't select the SNP specifically.

QoS pre-classify

2009-08-02T01:49:00.002+04:00

QoS pre-classification - Policy applied on physical interface can match clear text traffic using this feature.

e.g. GRE with IPSec
---------------------
1. Case1 : no qos pre-classify
Matching of QoS traffic will be based on ESP on physical interface

2. Case2: qos pre-classify inside crypto-map attached to Physical interface
Matching of QoS traffic will be based on GRE traffic
e.g
crypto map MAP 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set TRANS
match address CRYPTO-ACL
qos pre-classify

3. Case3: qos pre-classify on Tunnel interface
Matching will be done on clear-text traffic i.e. icmp etc.

When you turn on this feature on a tunnel interface (GRE/mGRE, IPIP, IPsec, Virtual-Template) you no longer need to apply a service policy inside the tunnel interface. Thanks to QoS preclassification, the service-policy applied at the interface level can “see” the tunnel encapsulated packets as is they cross the interface without any encapsulation. However, the physical interface level policy still accounts for tunnel header overhead, thus allowing for fair scheduling.

Policy applied on physical interface will match clear text traffic.

Config:
interface Tunnel0
tunnel source 155.1.146.6
tunnel destination 155.1.146.1
ip unnumbered FastEthernet 0/0.146
qos pre-classify -> If turned on physical interface, it’ll provide us GRE traffic insight in class-map.
When configured on Tunnel interface, works for clear text traffic before GRE.
!
ip route 150.1.1.0 255.255.255.0 Tunnel0
!
ip access-list extended LOOPBACKS
permit ip 150.1.6.0 0.0.0.255 150.1.1.0 0.0.0.255
!
class-map LOOPBACKS_DSCP_EF
match access-group name LOOPBACKS
match dscp ef
!
policy-map LLQ
class LOOPBACKS_DSCP_EF
!
policy-map SHAPE_VLAN_146
class class-default
shape average 256000
service-policy LLQ
!
interface FastEthernet 0/0.146
service-policy output SHAPE_VLAN_146

Route Filtering - Route-map, prefix-list, distribute-list, access-list....

2009-07-30T00:39:00.004+04:00

Route Filtering –
1. In Route Map, always use permit ACL or permit prefix-list and choose action by route-map. Deny ACL or deny prefix-list means skip the entry.
2. In Distribute-list, only ACLs can be used. ACL acts as through filter ACL. Any traffic permitted, route is permitted and vice-versa. (Remember implicit-deny in the end of acl will deny all routes, so routes must be specifically permitted).

There are advantages of usingf prefix-lists in thhe sense we can define the range of subnet e.g. “/8 le 24”. This means 255.0.0.0 to 255.255.255.0 in one line. Any thing more than /24 is not touched.
In acl /24 (255.255.255.0) will mean “/24 to /32” in prefix-list terms.

Case1: Route-map deny 10 + permit ACL
Route-map perm 20
All traffic permitted by ACL will not be sent. (ACL wrks as pass through filter). All denied ACL traffic will be sent by RM entry 20.

Case2: Route-map perm 10 + deny ACL -> wont work at all the way we expect
For Permitted RM entry - denied entry in acl are simply skipped to the next route-map entry if exists). If 2nd route-map entry doesn’t exist, all routes nor implicit denied by RM.

If the acl has only deny entries, route-map won’t be able to apply the permit logic as there are no permit acl entries. Hency all routes will be dropped.
If acl has one permit ACE in the end, all routes are permitted (even the denied AcE are permitted)

Case3: Route-map deny 10 + deny ACL
This means deny all routes tht r permitted by acl. If no routes r permitted, all get dropped if a 2nd RM permit entry isn’t there. If 2nd permit entry is there, it’ll permit everything tht is permitted by match clause. If no match clause means everything permitted.

In Prefix-list:
To match 112.0.0.0 – Use 112.0.0.0/8 in PFL
To match 112.0.0.0 and 112.0.0.1 – use 112.0.0.0/8 le 32
To match anything, use 0.0.0.0/0 le 32

Prefix-list advanced – it can check network and subnet mask separately in one ACE
10.0.0.0/X le LE ge GE -:
here X means match the network-bits (e.g. 10.0.0.0) from left to right
LE means less than or equal to. If LE = 24 and X= 8 and GE not defined, it’ll check for subnet masks from /8 to/24
GE means greater than or equal to. If GE=24, means /24-/32 will be checked for subnet masks.
172.16.8.0/24 ge 25 le 27 = 172.16.8.0 with masks from /25 to /27.

MPLS -- Layer 3 VPNs over L2TPv3 Tunnels and Layer 3 VPNs over mGRE

2009-07-15T20:24:00.005+04:00

Layer 3 VPNs over L2TPv3 Tunnels and Layer 3 VPNs over mGRE –
(both these technologies are different – one uses L2TPv3 and other uses GRE; config is very similar)

L2TPv3:
int tu0
tunnel mode l3vpn l2tpv3 multipoint.

#sh tunnel endpo
Tunnel0 running in Multi-L2TPv3 (L3VPN) mode
RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0

#router bgp 1
…
address-family ipv4 tunnel
neighbor 10.10.10.102 activate
neighbor 10.10.10.103 activate
exit-address-family
…..

------------------------------------------------------

mGRE:
int tu0
tunnel mode l3vpn multipoint.

#sh tunnel endpo
Tunnel0 running in multi-GRE/IP mode
RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0

#router bgp 1
** SAFI “ipv4 tunnel” is not used in mGRE.

--------------------------------------------------------------
(Supported only on 12.0S on 7200 and 7500, no other)
These are needed when SP core is not running MPLS but we need to provide VPN services. This won’t be L2 but will be a L3 VPN with each CE having a different IP subnet.
Implementation of L2TPv3 tunnels creates a tunnel network as an overlay to the IP backbone, which interconnects the PE routers to transport VPN traffic. The multipoint tunnel uses BGP to distribute VPNv4 information between PE routers.

[b] Full Config [\b]
-------------------------
Configurations for PE Routers

hostname PE1-AS1
!
ip cef
ip vrf CustA
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf l3vpn_l2tpv3
rd 100:100
!
interface Loopback0
ip address 10.10.10.101 255.255.255.255
!
interface Tunnel0
ip vrf forwarding l3vpn_l2tpv3
ip address 172.16.1.101 255.255.255.255
tunnel source Loopback0
tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
ip address 10.10.10.1 255.255.255.252
!
interface Serial1/0
description connection to CE1-A
ip vrf forwarding CustA
ip address 172.16.1.1 255.255.255.252
!
router ospf 100
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
no synchronization
neighbor 10.10.10.102 remote-as 1
neighbor 10.10.10.102 update-source Loopback0
neighbor 10.10.10.103 remote-as 1
neighbor 10.10.10.103 update-source Loopback0
no auto-summary
!
address-family ipv4 tunnel
neighbor 10.10.10.102 activate
neighbor 10.10.10.103 activate
exit-address-family
!
address-family vpnv4
neighbor 10.10.10.102 activate
neighbor 10.10.10.102 send-community extended
neighbor 10.10.10.102 route-map vpn_l2tpv3 in
neighbor 10.10.10.103 activate
neighbor 10.10.10.103 send-community extended
neighbor 10.10.10.103 route-map vpn_l2tpv3 in
exit-address-family
!
address-family ipv4 vrf CustA
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip route vrf CustA 172.16.100.1 255.255.255.255 172.16.1.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
set ip next-hop in-vrf l3vpn_l2tpv3
________________________________________________________________
hostname PE2-AS1
!
ip cef
ip vrf CustA
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf l3vpn_l2tpv3
rd 100:100
!
interface Loopback0
ip address 10.10.10.102 255.255.255.255
!
interface Tunnel0
ip vrf forwarding l3vpn_l2tpv3
ip address 172.16.1.102 255.255.255.255
tunnel source Loopback0
tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
ip address 10.10.10.5 255.255.255.252
!
interface Serial1/0
description connection to CE2-A
ip vrf forwarding CustA
ip address 172.16.2.1 255.255.255.252
!
router ospf 100
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
no synchronization
neighbor 10.10.10.101 remote-as 1
neighbor 10.10.10.101 update-source Loopback0
neighbor 10.10.10.103 remote-as 1
neighbor 10.10.10.103 update-source Loopback0
no auto-summary
!
address-family ipv4 tunnel
neighbor 10.10.10.101 activate
neighbor 10.10.10.103 activate
exit-address-family
!
address-family vpnv4
neighbor 10.10.10.101 activate
neighbor 10.10.10.101 send-community extended
neighbor 10.10.10.101 route-map vpn_l2tpv3 in
neighbor 10.10.10.103 activate
neighbor 10.10.10.103 send-community extended
neighbor 10.10.10.103 route-map vpn_l2tpv3 in
exit-address-family
!
address-family ipv4 vrf CustA
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip route vrf CustA 172.16.100.2 255.255.255.255 172.16.2.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
set ip next-hop in-vrf l3vpn_l2tpv3
________________________________________________________________
hostname PE3-AS1
!
ip cef
ip vrf CustA
rd 100:1
route-target export 100:1
route-target import 100:1
!
ip vrf l3vpn_l2tpv3
rd 100:100
!
interface Loopback0
ip address 10.10.10.103 255.255.255.255
!
interface Tunnel0
ip vrf forwarding l3vpn_l2tpv3
ip address 172.16.1.103 255.255.255.255
tunnel source Loopback0
tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
ip address 10.10.10.9 255.255.255.252
!
interface Serial1/0
description connection to CE1-A
ip vrf forwarding CustA
ip address 172.16.3.1 255.255.255.252
!
router ospf 100
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
no synchronization
neighbor 10.10.10.101 remote-as 1
neighbor 10.10.10.101 update-source Loopback0
neighbor 10.10.10.102 remote-as 1
neighbor 10.10.10.102 update-source Loopback0
no auto-summary
!
address-family ipv4 tunnel
neighbor 10.10.10.101 activate
neighbor 10.10.10.102 activate
exit-address-family
!
address-family vpnv4
neighbor 10.10.10.101 activate
neighbor 10.10.10.101 send-community extended
neighbor 10.10.10.101 route-map vpn_l2tpv3 in
neighbor 10.10.10.102 activate
neighbor 10.10.10.102 send-community extended
neighbor 10.10.10.102 route-map vpn_l2tpv3 in
exit-address-family
!
address-family ipv4 vrf CustA
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip route vrf CustA 172.16.100.3 255.255.255.255 172.16.3.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
set ip next-hop in-vrf l3vpn_l2tpv3

my next CCIE journey ....the SP world!

2009-05-27T00:09:00.000+04:00

after an year and half of sloth, i'm bak with a bang on a new track...this time its Service Provider track

a blog for CCIE SP and Security ....

the ccie plaques...

IP Multicast over DMVPN in MPLS-VPN without mVPN support from ISP

VRF aware DMVPN with dual ISP on Single HUB + autofailover (using iVRF and FVRF)

A complex VPN MESS LAB!

TASK1: DMVPN with OSPF

TASK2: GETVPN over DMVPN

TASK3: VRF aware IPSEC Remote Access VPN using Dynamic VTI

TASK4: L2L Tunnel with Crypto MAP on SITE4 + Dynamic VTI

TASK5: L2L Tunnel using Static VTI

TASK6: VPN Traffic engineering

TASK7: Zone based Firewall with NAT

Passed SP Lab!

Tricky Question1 - OSPF

Traceroute in MPLS - detailed

Failed CCIE SP lab and OEQ mystery feedback!

Detailed working with Multicast InterAS support (IOS 12.0S, not 12.2S) –

Issues in 12.2S Inter-AS and CSC Multicast

CSC Hierarchical MPLS VPN mVPN (CSC multicast)

CBWFQ and LLQ – revisited!

Dynamic route leakage between Global and VRF routing table on Cisco IOS

PPPoE PPPoEoFR PPPoFR PPPoA PPPoEoA MFR MLPPP MLPPPoFR MLPPPoA

PER VRF TE TUNNEL

OSPF capability VRF-Lite Command, down-bit and domain-tag

QoS – Congestion Management demystified!!

OSPF States and related troubleshooting

ISIS Authentication types

QoS pre-classify

Route Filtering - Route-map, prefix-list, distribute-list, access-list....

MPLS -- Layer 3 VPNs over L2TPv3 Tunnels and Layer 3 VPNs over mGRE

my next CCIE journey ....the SP world!