This blog is about Service provider Network's and Enterprise network's.
You can find post related to these topics : MPLS, Routing , Switching and Maipu Configurations.
MPLS-VPNs provide security and privacy as traffic travels through the provider network. The CE router has no mechanism to guarantee private networks across the traditional LAN network. Traditionally to provide privacy, either a switch needed to be deployed and each client be placed in a separate VLAN or a separate CE router is needed per each client’s organization or IP address grouping attaching to a PE. Figure 5 and 6 shows the traditional solutions for LAN security within an MPLS-VPN network design
These solutions are both costly to the customer as additional equipment is needed and requires more network management and provisioning of each client site.
Multi-VRF CE is a feature, that addresses these issues. Multi-VRF CE extends limited PE functionality to a CE router in an MPLS-VPN model. A CE router now has the ability to maintain separate VRF tables in order to extend the privacy and security of an MPLS-VPN down to a branch office rather than just at the PE router node.
CE routers use VRF interfaces to form a VLAN-like configuration on the customer side. Each VRF on the CE router is mapped to a VRF on the PE router. With Multi-VRF CE, the CE router can only configure VRF interfaces and support VRF routing tables. Multi-VRF CE extends SOME of the PE functionality to the CE router—there is no label exchange, there is no LDP adjacency, there is no labeled packet flow between PE and CE. The only PE-like functionality that is supported is the ability to have multiple VRFs on the CE router so that different routing decisions can be made. The packets are sent toward the PE as IP packets.
Benefits of Multi-VRF CE
1. Without the use of cryptographic techniques (IPSec), security on customer’s LAN is equivalent to that supported by existing Layer 2 (ATM or Frame Relay) connections without the use of an additional switch.
2. Only one CE router is needed thus simplifying provisioning and network management rather than a multiple CE router solution.
3. CE router has VRF functionality to provide VPN routing information. Less routing updates to manage.
4. Overlapping Customer address spaces VPN customers often manage their own networks and use private address spaces.
5. No need for NAT to allow support of overlapping IP address space. However, NAT may still be required in order to send traffic to the Internet.
MPLS Multi-VRF provides the extension to configure and maintain more than one instance of a routing and forwarding table within the same CPE router, That means we are hereby extending the vrf to CPE instead of PE to provide better services to customers by using same physical link and differentiating the same IP network in different VRF’s. This results in, Customer can use same IP network for many different purpose in all locations, No need of more routers and links.
Example :
This is just a example, you can implement multivrf as per your requirement.
In this example, you will find Production and Management LAN is separated by CPE vrf. They are using same IP schema to communicate with remote site users for business work. Both users are not aware about any thing. In this example I Mainly included Multicast to show you in how to run multicast in multi-vrf (VRF-Lite) for each vrf in CPE. Here we configured sparse mode with BSR.
Here you can find some configuration examples for, Different protocols between CPE to PE.
1.OSPF (Bit different from normal vrf config)
2.BGP
Here you can see that, the above requirement is simulated in GNS3.
Plz download the files and run following commands for outputs.
Cisco Router IOS up gradation from ROMMON mode by TFTP
Sometimes When router’s IOS is crashed or may be by any other reason Router is going into ROMMON mode and we have to load the IOS from ROMMON mode, Then at that time we mostly we use Xmodem. But it consumes lot of time. Here is another method which we can use for upgradation. Here you can connect your laptop to router f0 port.
The command is tftpdnld which is used to download the new image from TFTP server to router.
Before you can enter the tftpdnld command, you must set the ROMMON variables.
Rommon> set (This command is to see the variables/parameters)
U will see the parameters which is used of tftpdnld (tftpdnld –r).
IP_ADDRESS=ip_address
IP_SUBNET_MASK=ip_address
DEFAULT_GATEWAY=ip_address
TFTP_SERVER=ip_address
TFTP_FILE=[directory-path/]filename
FE_PORT=[0 | 1]
To change the variable in rommon mode
Rommon> TFTP_FILE=c1841-adventerprisek9-mz.124-11.T.bin (In this way you can change the variables values, try exactly)
Same way u can configure the other variables and then use the tftpdnld –r
It will take 5 -8 mins to load the IOS.
Then after loading it will load form IOS then check whether the IOS is loaded form flash or not.
In this way you can save your time when you are recovering a router from ROMMON Mode.
As many of us learned and done many labs and seen same thing in real time also. Whenever we configure summary route in EIGRP ,It creates a summary route in own router pointing towards Null 0. Many of you will be having question why?
Everybody knows answer also…But then also some confusion. Here I am trying to explain in simple way.
As EIGRP is having flexibility to configure summary route anywhere in network. No restrictions like OSPF (only ABR and ASBR). That is add on advantage for a network administrator to manage his network.
As we configure summary route in particular interface. That means we want to advertise a summary address to that neighbor instead of full routing table. As we configure Summary route on our router(originating router) the neighboring router will receive a summary address route pointing towards our router. But same time in our router one summary route will be created pointing towards Null 0.
Imagine the Packet flow, As the request will generate for a specific network which comes under summary address it will come to our router(originator) and if that time that concern network is unreachable then what will happen, Packet will process like -First it will look the longest prefix (exact route) and longest prefix is not available. Then packet will go to summary route and as summary route is pointing towards Null 0 interface so the packet will be dropped.
Suppose if the Summary route is not configured, then what will be situation. The packet will go to somewhere else where it should not go (May be from default route).
So in EIGRP, Null 0 works as Loop prevention Mechanism.
I think now it’s very clear that, In EIGRP the summary route pointing towards Null0 is a mechanism of Loop prevention in network.
We will see how END to END routing process takes place in MPLS L3 VPN
To make it simple, We will classify the process:
1.CE to PE
2.PE to PE
3.PE to CE
CE to PE
CE to PE a IGP is configured, Routes are properly exchanged between CE-to PE with any IGP(RIP,OSPF,EIGRP,etc) and stored in respective VRF routing table in VRF.
PE to PE
To manage the dedicated routing for each customer, we configure routing in each customer vrf and then the received routes are properly stored in respective vrf. Then as the other fields are configured in vrf (RD and route-target,etc), they are responsible to process the routes.
Before PE router advertises those routes in MPLS cloud, respective RD is pre pended on each vrf routes to make it globally unique in MPLS Cloud (MP-BGP). This time customers IPv4 routes (32 bit IPv4) are converted in VPNv4 routes (96 bit VPNv4). As the routes are converted in VPNv4 routes then RT is attached to these routes (for VPN membership identification). Then PE will propagate routes to MPLS Cloud (via MP-BGP).
This time the update is MP-BGP update which contains lot of information:
96 bit VPNv4 address, MP-BGP communities like route-target and SOO (site of origin),Labels used for VPN route forwarding, Any existing BGP attributes (AS-path,local pref, Med,etc)
Then Downstream PE router (other end PE router) will receive those routes and they will store the routes as per configured parameters. First they will match import route target and import the routes in correct vrf. Then the RD is removed and then the IPv4 routes are stored in VRF routing table.
PE to CE
After the routes received by PE router, It will converge with other end CE site with appropriate routing same as CE to PE process. In this way end to end routing flow works in MPLS L3 VPN’s.
To understand above mentioned topics in practical , Plz go thru LAB... Theory will be covered afterwards...
Topics Covered in this LAB:
1.MPLS L3 VPN
2.PE to CE routing
3.MPLS CORE
4.AS-Override
5.SHAM-Link
MPLS L3 VPN’s:
MPLS L3 VPN’s is a application which runs on the platform of IGP and BGP. After our IGP and BGP is configured properly in backbone then we enable LDP ( MPLS protocol).
After that to carry the customer routes from one site to another site we enable MP-BGP (Multiprotocol BGP).
Then MPLS L3 VPN enables us to achieve the following business requirements :
1.Classification of customers.
2.Same IP schema in many customers.
3.Dedicated routing table.
4.Easy provisioning of links.
5.Emulation of Point to Point across shared media.
6.Efficient routing and optimum performance
LAB description : In this lab you will find
1.MPLS core is configured to provide the services to customers with IGP – OSPF,BGP ,LDP (MPLS) and MP-BGP.
2.Then in PE-CE routing we covered two examples, One is OSPF (VPN_A) and other is BGP (VPN_B).
3.But it’s not Simple MPLS VPN’s , Since here the requirement is changed.
VPN_A – has a backdoor point to point link as a backup and OSPF is configured to converge. Then by default the it will select the backdoor(backup link) to send/receive traffic. So Here we demonstrated the feature of SHAM-Link. Which enables the customer to use MPLS path and other link as backup.
VPN_B – has a requirement that , They want the same AS ( Autonomous system) all our the sites. Since in simple VPN it is not possible. So here we used AS-override feature to achieve the requirement.
Since this is lab, So here we will not discuss theory part. We will move to lab. In other documents you will find theory.
·Note : If you want to do it in practical then download the file from the provided link. Since in this document we can only copy the diagram and document.
Here PE1 , P and PE-2 is MPLS Core .
In this diagram you can see CPE-A1 and CPE-A2 they belongs to single customer VPN_A and CPE_B1 and CPE-B2 belongs to VPN_B.
We configured to VRF in our core and below config to complete this task.
PE1 Config : Only required config is pasted here… (For full config Plz download the file)
………
ip vrf VPN_A
description VPN_A
rd 100:1
route-target export 100:1
route-target import 100:1
mdt default 239.1.1.1
!
ip vrf VPN_B
description VPN_B
rd 100:2
route-target export 100:2
route-target import 100:2
mdt default 239.254.254.254
!
no ip domain lookup
ip multicast-routing
ip multicast-routing vrf VPN_A
ip multicast-routing vrf VPN_B
!
mpls label protocol ldp
no mpls ip propagate-ttl
!
interface Loopback0
ip address 100.1.1.1 255.255.255.255
ip pim sparse-dense-mode
!
interface Loopback2
ip vrf forwarding VPN_A
ip address 200.1.1.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
ip pim sparse-dense-mode
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip vrf forwarding VPN_A
ip address 192.168.1.1 255.255.255.0
ip pim sparse-dense-mode
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip vrf forwarding VPN_B
ip address 10.1.1.2 255.255.255.0
ip pim sparse-dense-mode
!
interface FastEthernet0/1
description *** CONNECTED TO P ***
ip address 172.16.1.2 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
mpls ip
!
!
router ospf 2 vrf VPN_A
log-adjacency-changes
area 0 sham-link 200.1.1.1 200.1.1.2 cost 10
redistribute bgp 100 subnets
network 192.168.1.0 0.0.0.255 area 0
!
router ospf 1
log-adjacency-changes
network 100.1.1.1 0.0.0.0 area 0
network 172.16.1.0 0.0.0.255 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 100.1.1.2 remote-as 100
neighbor 100.1.1.2 update-source Loopback0
!
address-family ipv4
neighbor 100.1.1.2 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 100.1.1.2 activate
neighbor 100.1.1.2 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN_B
neighbor 10.1.1.1 remote-as 65000
neighbor 10.1.1.1 activate
neighbor 10.1.1.1 as-override
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN_A
redistribute ospf 2 vrf VPN_A
no synchronization
network 200.1.1.1 mask 255.255.255.255
exit-address-family
!
PE-2 Config : only required config is pasted here ( For Full configuration Plz download the file)
……..
ip vrf VPN_A
description VPN_A
rd 100:1
route-target export 100:1
route-target import 100:1
mdt default 239.1.1.1
!
ip vrf VPN_B
description VPN B
rd 100:2
route-target export 100:2
route-target import 100:2
mdt default 239.254.254.254
!
no ip domain lookup
ip multicast-routing
ip multicast-routing vrf VPN_A
ip multicast-routing vrf VPN_B
!
mpls label protocol ldp
no mpls ip propagate-ttl
!
!
interface Loopback0
ip address 100.1.1.3 255.255.255.255
ip pim sparse-dense-mode
!
interface Loopback2
ip vrf forwarding VPN_A
ip address 200.1.1.2 255.255.255.255
!
interface FastEthernet0/0
description *** CONNECTED TO P ****
ip address 172.17.1.2 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
mpls ip
!
interface FastEthernet0/1
no ip address
ip pim sparse-dense-mode
duplex auto
speed auto
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip vrf forwarding VPN_A
ip address 192.168.2.1 255.255.255.0
ip pim sparse-dense-mode
!
interface FastEthernet0/1.40
encapsulation dot1Q 40
ip vrf forwarding VPN_B
ip address 20.1.1.2 255.255.255.0
ip pim sparse-dense-mode
!
!
router ospf 2 vrf VPN_A
log-adjacency-changes
area 0 sham-link 200.1.1.2 200.1.1.1 cost 10
redistribute bgp 100 subnets
network 192.168.2.0 0.0.0.255 area 0
!
router ospf 1
log-adjacency-changes
network 100.1.1.3 0.0.0.0 area 0
network 172.17.1.0 0.0.0.255 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 100.1.1.2 remote-as 100
neighbor 100.1.1.2 update-source Loopback0
!
address-family ipv4
neighbor 100.1.1.2 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 100.1.1.2 activate
neighbor 100.1.1.2 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN_B
neighbor 20.1.1.1 remote-as 65000
neighbor 20.1.1.1 activate
neighbor 20.1.1.1 as-override
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN_A
redistribute connected
redistribute static
redistribute ospf 2 vrf VPN_A match internal
no synchronization
network 200.1.1.2 mask 255.255.255.255
exit-address-family
!
Confirmation Outputs:
PE-1 :
PE-1
Outputs :
PE-1#sh ip vrf
Name Default RD Interfaces
VPN_A 100:1 Lo2
Fa0/0.10
VPN_B 100:2 Fa0/0.30
PE-1#
PE-1#sh ip route vrf VPN_A
Routing Table: VPN_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/11] via 192.168.1.2, 00:37:12, FastEthernet0/0.10
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/21] via 100.1.1.3, 00:37:12
200.1.1.0/32 is subnetted, 2 subnets
C 200.1.1.1 is directly connected, Loopback2
B 200.1.1.2 [200/0] via 100.1.1.3, 00:37:19
C 192.168.1.0/24 is directly connected, FastEthernet0/0.10
O 192.168.2.0/24 [110/20] via 100.1.1.3, 00:37:12
O 192.168.3.0/24 [110/205] via 192.168.1.2, 00:37:12, FastEthernet0/0.10
PE-1#
PE-1#sh ip route vrf VPN_B
Routing Table: VPN_B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
B 20.1.1.0 [200/0] via 100.1.1.3, 00:38:14
5.0.0.0/24 is subnetted, 1 subnets
B 5.5.5.0 [20/0] via 10.1.1.1, 00:38:29
6.0.0.0/24 is subnetted, 1 subnets
B 6.6.6.0 [200/0] via 100.1.1.3, 00:38:14
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0.30
PE-1#
PE-1#sh ip ospf sham-links
Sham Link OSPF_SL0 to address 200.1.1.2 is up
Area 0 source address 200.1.1.1
Run as demand circuit
DoNotAge LSA allowed. Cost of using 10 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:09
Adjacency State FULL (Hello suppressed)
Index 2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
PE-1#
PE-2:
PE-2#sh ip vrf
Name Default RD Interfaces
VPN_A 100:1 Lo2
Fa0/1.20
VPN_B 100:2 Fa0/1.40
PE-2#
PE-2#sh ip route vrf VPN_A
Routing Table: VPN_A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/21] via 100.1.1.1, 00:40:01
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/11] via 192.168.2.2, 00:40:01, FastEthernet0/1.20
200.1.1.0/32 is subnetted, 2 subnets
B 200.1.1.1 [200/0] via 100.1.1.1, 00:40:21
C 200.1.1.2 is directly connected, Loopback2
O 192.168.1.0/24 [110/20] via 100.1.1.1, 00:40:02
C 192.168.2.0/24 is directly connected, FastEthernet0/1.20
O 192.168.3.0/24 [110/205] via 192.168.2.2, 00:40:02, FastEthernet0/1.20
PE-2#
PE-2#sh ip route vrf VPN_B
Routing Table: VPN_B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, FastEthernet0/1.40
5.0.0.0/24 is subnetted, 1 subnets
B 5.5.5.0 [200/0] via 100.1.1.1, 00:40:39
6.0.0.0/24 is subnetted, 1 subnets
B 6.6.6.0 [20/0] via 20.1.1.1, 00:43:42
10.0.0.0/24 is subnetted, 1 subnets
B 10.1.1.0 [200/0] via 100.1.1.1, 00:40:39
PE-2#
PE-2#sh ip ospf sham-links
Sham Link OSPF_SL0 to address 200.1.1.1 is up
Area 0 source address 200.1.1.2
Run as demand circuit
DoNotAge LSA allowed. Cost of using 10 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:04
Adjacency State FULL (Hello suppressed)
Index 2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
PE-2#
VRF VPN_A:
CPE-A1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/31] via 192.168.1.1, 00:41:38, FastEthernet0/0.10
200.1.1.0/32 is subnetted, 2 subnets
O E2 200.1.1.1 [110/1] via 192.168.1.1, 00:41:38, FastEthernet0/0.10
O E2 200.1.1.2 [110/1] via 192.168.1.1, 00:41:38, FastEthernet0/0.10
C 192.168.1.0/24 is directly connected, FastEthernet0/0.10
O 192.168.2.0/24 [110/30] via 192.168.1.1, 00:41:38, FastEthernet0/0.10
C 192.168.3.0/24 is directly connected, FastEthernet0/1
In case of any issue in downloading , Plz leave comment with mail id. I will send you the .rar file ASAP.
I am here to share and gain knowledge, It’s my request that if anybody has any queries or new questions , Plz let us know. We will try our level best to answer it.
!!!! SHARE THE KNOWLEDGE, EVERY BODY IS STUDENT !!!!
