Wednesday, August 25, 2010

Basic MPLS

This post is for new engineers who are learning MPLS L3 VPN. It includes a link to the full lab with configuration files.
In this lab, vrf VPN_A uses BGP and OSPF between PE and CE, and vrf VPN_B uses EIGRP and static routes. So here you will find the basic configuration of each of these protocols between CE and PE, and at the same time you will see the redistribution between each PE-CE protocol and BGP.

This is the topology used for the configurations:
1. R1 and R6 are in vrf VPN_A. R1 uses BGP to exchange routes with PE-1, and R6 uses OSPF to share routes with PE-2.
2. R7 and R8 are in vrf VPN_B. R7 uses EIGRP to exchange routes with PE-1, and R8 uses static routes with PE-2.
3. In the core, OSPF is used as the IGP.
4. MP-IBGP is configured between PE-1 and PE-2.
Here are the PE-1 and PE-2 configurations. Download the full lab and configuration files from the link at the end of the post.

PE-1

hostname PE-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf VPN_B
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
no ip domain lookup
!
mpls label protocol ldp
!
!
interface Loopback0
 ip address 100.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding VPN_A
 ip address 10.1.1.2 255.255.255.252
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip vrf forwarding VPN_B
 ip address 192.168.1.2 255.255.255.252
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.252
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
!
!
router eigrp 200
 auto-summary
 !
 address-family ipv4 vrf VPN_B
 redistribute bgp 100 metric 256 20 200 100 20
 network 192.168.1.0 0.0.0.3
 no auto-summary
 autonomous-system 100
 exit-address-family
!
router ospf 1
 log-adjacency-changes
 network 100.1.1.1 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.3 area 0
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 100.1.1.3 remote-as 100
 neighbor 100.1.1.3 update-source Loopback0
 !
 address-family ipv4
 neighbor 100.1.1.3 activate
 neighbor 100.1.1.3 next-hop-self
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family vpnv4
 neighbor 100.1.1.3 activate
 neighbor 100.1.1.3 send-community extended
 neighbor 100.1.1.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf VPN_B
 redistribute eigrp 100
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
 neighbor 10.1.1.1 remote-as 200
 neighbor 10.1.1.1 activate
 no synchronization
 exit-address-family
!
ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end

PE-2

hostname PE-2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf VPN_B
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
no ip domain lookup
!
mpls label protocol ldp
!
interface Loopback0
 ip address 100.1.1.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.17.1.2 255.255.255.252
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding VPN_A
 ip address 20.1.1.2 255.255.255.252
!
interface FastEthernet0/1.40
 encapsulation dot1Q 40
 ip vrf forwarding VPN_B
 ip address 192.168.2.2 255.255.255.252
!
!
router ospf 2 vrf VPN_A
 log-adjacency-changes
 redistribute bgp 100 subnets
 network 20.1.1.0 0.0.0.3 area 0
!
router ospf 1
 log-adjacency-changes
 network 100.1.1.3 0.0.0.0 area 0
 network 172.17.1.0 0.0.0.3 area 0
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 100.1.1.1 remote-as 100
 neighbor 100.1.1.1 update-source Loopback0
 neighbor 100.1.1.1 next-hop-self
 no auto-summary
 !
 address-family vpnv4
 neighbor 100.1.1.1 activate
 neighbor 100.1.1.1 send-community extended
 neighbor 100.1.1.1 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf VPN_B
 redistribute connected
 redistribute static
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
 redistribute ospf 2 vrf VPN_A
 no synchronization
 exit-address-family
!
ip route vrf VPN_B 6.6.6.6 255.255.255.255 192.168.2.1
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
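As an added example (not part of the original post or lab), the following Python model shows why the two VRFs above stay separate: PE-1 exports each VRF's prefix as RD:prefix NLRI tagged with the export route-target, and PE-2 installs a route only into VRFs whose import route-target matches. The RD, RT and subnet values are the ones from the configurations; the leaky=True case assumes a hypothetical extra import RT on PE-2's VPN_B.

```python
class Vrf:
    """One 'ip vrf' block: the RD plus the route-targets it exports and imports."""
    def __init__(self, name, rd, export_rt, import_rt):
        self.name, self.rd = name, rd
        self.export_rt, self.import_rt = set(export_rt), set(import_rt)
        self.table = {}   # prefix -> next hop, what 'show ip route vrf <name>' would list

def export_vpnv4(pe_loopback, vrfs):
    """What a PE advertises to its MP-IBGP peer: RD:prefix NLRI carrying the VRF's
    export RTs, with the next hop rewritten to the PE loopback (next-hop-self)."""
    return [(v.rd, prefix, frozenset(v.export_rt), pe_loopback)
            for v in vrfs for prefix in v.table]

def import_vpnv4(updates, vrfs):
    """Receiving PE: a VPNv4 route is installed in every VRF whose import RT set
    overlaps the route's RTs. The RD only keeps overlapping customer prefixes
    distinct; it is the RT match that enforces isolation between VPN_A and VPN_B."""
    for _rd, prefix, rts, next_hop in updates:
        for v in vrfs:
            if v.import_rt & rts:
                v.table[prefix] = next_hop
    return {v.name: sorted(v.table) for v in vrfs}

def demo(leaky=False):
    """PE-1 exports one CE-facing prefix per VRF (the connected subnets from the post);
    PE-2 imports them. With leaky=True, PE-2's VPN_B is (hypothetically) misconfigured
    to also import 100:1, the kind of RT mistake that quietly merges two customers."""
    pe1 = [Vrf("VPN_A", "100:1", {"100:1"}, {"100:1"}),
           Vrf("VPN_B", "100:2", {"100:2"}, {"100:2"})]
    pe1[0].table["10.1.1.0/30"] = "10.1.1.1"          # VPN_A, towards R1
    pe1[1].table["192.168.1.0/30"] = "192.168.1.1"    # VPN_B, towards R7
    vpn_b_import = {"100:2"} | ({"100:1"} if leaky else set())
    pe2 = [Vrf("VPN_A", "100:1", {"100:1"}, {"100:1"}),
           Vrf("VPN_B", "100:2", {"100:2"}, vpn_b_import)]
    return import_vpnv4(export_vpnv4("100.1.1.1", pe1), pe2)

if __name__ == "__main__":
    print(demo())             # each VRF sees only its own customer's prefix
    print(demo(leaky=True))   # VPN_B now also carries VPN_A's prefix
```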

LAB Link :
http://www.ziddu.com/download/11368307/basicmpls.rar.html

I hope this lab will be helpful for beginners. Post comments for any queries.

Wednesday, August 18, 2010

OSPF Network Types

Here we will discuss the OSPF network types that can be configured at the interface level to form adjacencies. Sometimes we have to configure different network types in the OSPF configuration as per the network requirement. Let's see what they are.

But before you read more: to run an OSPF network we preferably use the same network type throughout, but what do we do when we have to run OSPF between different OSPF network types? It is possible, to some extent, by tuning the hello and dead timers so that they match on both sides.
You can pair different OSPF network types as mentioned below:
Point-to-Point with Point-to-Multipoint (tune hello and dead timers)
Broadcast with Non-Broadcast (tune hello and dead timers)
Let me know what your results are. It will work.

Below are the OSPF network types:

Point-to-Point:
This network type works on point-to-point links. With this network type there is no DR/BDR election, the hello timer is 10 sec and the dead timer is 40 sec, and routers communicate using only one multicast IP address, 224.0.0.5.
This network type is mostly used between two routers.

Broadcast:
This network type works on Ethernet networks/shared media. A DR/BDR is elected for further communication between the routers. Every router can reach every other router, so it is multi-access. The hello timer is 10 sec and the dead timer is 40 sec, and routers communicate using two multicast IP addresses, 224.0.0.5 and 224.0.0.6.

NBMA (non-broadcast multi-access) networks: these have five modes we can use; two are industry standard and three are Cisco proprietary.

Non-Broadcast mode:
This is the default mode for Frame Relay and ATM networks.
In this mode no broadcast or multicast is allowed, so there is an issue: how is the OSPF neighborship going to form? We have to statically configure the neighbors with neighbor statements at the hub location/DR, and the router will then communicate with its neighbors by unicast.

router ospf 1
 neighbor x.x.x.x priority 0

This mode acts like a LAN environment, so DR and BDR election will happen (full state with the DR/BDR only).
The whole network should be in one single subnet.
The hello timer is 30 sec and the dead timer is 120 sec.
In a Frame Relay network, make sure the frame-relay map statements cover all neighbors with the same DLCI; they should be able to ping each other.

Point-to-Multipoint mode:
There is no DR/BDR in this mode. It overcomes the limitations of Non-Broadcast mode: no extra frame-relay map statements are needed. The whole network should be in the same subnet. The hello timer is 30 sec and the dead timer is 120 sec. There is no need to configure neighbor statements manually; each router will be in full state with every other router. It allows broadcast and multicast on the network, so neighbors are discovered automatically.

ip ospf network point-to-multipoint

Point-to-Multipoint Non-Broadcast mode (Cisco):
This is a Cisco proprietary mode. It is the same as Point-to-Multipoint mode, but broadcasts are not allowed, so we have to configure the neighbors manually with neighbor statements in the OSPF process and at the same time specify the network type on the interface:

Router(config-if)#ip ospf network point-to-multipoint ?
 non-broadcast  Specify non-broadcast point-to-mpoint network

In this mode there is also no DR/BDR election, and the network should be in one single subnet.

Broadcast mode (Cisco):
It works like a LAN network over the NBMA cloud, but a full mesh is required and the network must be in one subnet. A DR/BDR is elected and neighbors are discovered automatically.

Syntax: ip ospf network broadcast

Point-to-Point mode (Cisco):
Use separate subinterfaces; no DR/BDR is elected, different subnets are required, and neighbors are discovered automatically.

Which of these network types you use depends on the network design and your preference.

Tuesday, August 17, 2010

OSPF Neighborship

OSPF Neighbor Relationship Process

In this post we will look at the OSPF neighborship process.
  • First you have to give an IP address to any interface of the router that is going to participate in OSPF. As you type router ospf 1, it will choose the OSPF router ID. The criterion is that the highest IP address becomes the OSPF router ID, but a loopback interface beats a physical interface in that election. You can also configure the router ID manually in the OSPF process with the router-id command; this overrides every dynamic selection.
  • After that, configure the network command in the OSPF routing process for the particular interface with the proper mask; this adds that interface to the OSPF routing process. After that, the interface will send hello packets to 224.0.0.5.
  • Have a look at the OSPF packet format (figure in the original post).

  • Hello packet format (Wireshark view): this is an OSPF hello packet captured with the tool; you can see the required fields of the OSPF Hello packet (screenshot in the original post).

Different states of OSPF neighborship:
There are different states in the OSPF neighborship process, which can be seen with the show ip ospf neighbor command.
  • Down state: no hello packet has been received from the neighbor within the last dead interval.
  • INIT state: Router A has sent a hello packet to Router B. Router B received the hello packet but cannot see its own router ID in it. (For the hello to count, the receiving router should see its own router ID in the sender's hello packet.)
  • 2-WAY state: bidirectional communication has happened between the two routers; both can see each other's router ID in the hello packets. At this state the router decides how to form the adjacency with the other router: on a broadcast or NBMA network it will reach full state only with the DR and BDR and stay in 2-WAY with the other neighbors, while on a point-to-point link it will form a full neighborship. In this stage the DR and BDR are elected.
  • EXSTART state: master and slave negotiation happens between the router and the DR/BDR over who starts the communication first and exchanges the LSAs. On a point-to-point link the negotiation happens between the two neighbors.
  • EXCHANGE state: both routers exchange DBD (database description) packets with sequence numbers, and send LSRs and LSUs to each other.
  • Loading state: both routers compare the DBDs sent by each other and, if some information is missing, the router again sends an LSR and receives an LSU. After this process the whole database is compared; it should be the same on both routers, properly synchronized.
  • Full state: the routers are fully adjacent with each other. All router and network LSAs have been exchanged and the routers' databases are fully synchronized. The SPF algorithm is run, the best paths are calculated and the routing tables of the neighbors are complete.
Now we have completed the neighborship process. Let's have a look at the OSPF packet types:

OSPF Packet Types:

  •  Hello Packet
  •  DBD – Database description
  •  LSR – Link state Request
  •  LSU – Link state Update
  •  LSACK – Link state Acknowledgement.
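As an added example (not from the original post), the following Python code builds and parses an OSPFv2 Hello packet with the fields shown in the Wireshark view above, verifies its checksum, and applies the Down/INIT/2-WAY rule from the states list; the timer comparison also illustrates the point in the OSPF Network Types post that mismatched hello/dead timers prevent any neighbor from forming. The packet is constructed inline, and the function and field names are this example's own.

```python
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!BBH4s4sHH8s")   # OSPFv2 header: ver, type, len, rid, area, csum, autype, auth
HELLO = struct.Struct("!4sHBBI4s4s")  # Hello body: mask, hello int, options, prio, dead int, DR, BDR

def ip(s):
    return IPv4Address(s).packed

def ospf_checksum(pkt):
    """One's-complement checksum over the packet with the checksum field zeroed and
    the 8-byte authentication field excluded (the AuType 0/1 rule)."""
    data = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_hello(router_id, area, mask, hello_int, dead_int, neighbors, priority=1):
    """Constructed sample Hello (not a capture): no DR/BDR elected yet, options = E bit."""
    body = HELLO.pack(ip(mask), hello_int, 0x02, priority, dead_int, ip("0.0.0.0"), ip("0.0.0.0"))
    body += b"".join(ip(n) for n in neighbors)
    hdr = HDR.pack(2, 1, HDR.size + len(body), ip(router_id), ip(area), 0, 0, bytes(8))
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]

def parse_hello(pkt):
    """Decode the fields the Wireshark view shows; reject anything malformed or corrupted."""
    ver, typ, length, rid, area, csum, _autype, _auth = HDR.unpack_from(pkt)
    if ver != 2 or typ != 1 or length != len(pkt) or length < HDR.size + HELLO.size:
        raise ValueError("not a well-formed OSPFv2 Hello")
    if ospf_checksum(pkt) != csum:
        raise ValueError("bad OSPF checksum")
    mask, hello_int, opts, prio, dead_int, dr, bdr = HELLO.unpack_from(pkt, HDR.size)
    nbrs = [str(IPv4Address(pkt[i:i + 4])) for i in range(HDR.size + HELLO.size, length, 4)]
    return {"router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area)),
            "mask": str(IPv4Address(mask)), "hello": hello_int, "dead": dead_int,
            "priority": prio, "options": opts, "dr": str(IPv4Address(dr)),
            "bdr": str(IPv4Address(bdr)), "neighbors": nbrs}

def hello_state(my_rid, my_area, my_mask, my_hello, my_dead, hello):
    """Down -> INIT -> 2-WAY as described above. Area, mask (on broadcast/NBMA) and both
    timers must equal ours, otherwise the Hello is dropped and no neighbor appears."""
    ours = (my_area, my_mask, my_hello, my_dead)
    if (hello["area"], hello["mask"], hello["hello"], hello["dead"]) != ours:
        return "DROPPED"
    return "2-WAY" if my_rid in hello["neighbors"] else "INIT"
```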

Saturday, August 14, 2010

Cisco ACL and Route Map

Today we will discuss the basics. Everybody is aware of ACLs and route-maps, but there is still some confusion, so in this post I will share some information about ACLs and route-maps that can help you understand these two terms better.

ACL:
Cisco ACLs are used for filtering traffic, based on given filtering criteria, on a router or switch interface. Based on the configured ACL, a packet is allowed or blocked at the interface.

Cisco ACLs are available for several types of routed protocols including IP, IPX, AppleTalk, XNS, DECnet and others.
Mostly we are using TCP/IP.

ACLs for TCP/IP traffic filtering are classified into two types:
  • Standard Access Lists, and
  • Extended Access Lists
Standard Access Control Lists:
Standard IP ACLs range from 1 to 99. A standard access list allows you to permit or deny traffic FROM a specific IP address (the source). We can't filter packets on a destination basis.

Syntax: access-list access-list-number {permit|deny} {host|source source-wildcard|any}

Standard ACL example:
access-list 10 permit 10.1.1.0 0.0.0.255
This list allows traffic from all addresses in the range 10.1.1.0 to 10.1.1.255.
There is an implicit deny added at the end of every access list.

show access-list 10

The output looks like:
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any

Extended Access Control Lists:
Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also give you granular control by specifying rules for different protocols such as ICMP, TCP, UDP, etc. within the ACL statements.
The access-list-number can be 101 to 199. Starting with Cisco IOS Software Release 12.0.1, extended ACLs can also use additional numbers (2000 to 2699).

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence]

Extended ACL example:
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq 80

ACL 110 permits TCP traffic originating from any address on the 10.1.1.0 network. The 'any' keyword means the traffic may have any destination address, with the limitation that it must be going to port 80.

Applying an ACL to a router interface:
After the ACL is defined, it must be applied to an interface (inbound or outbound). The syntax for applying an ACL to a router interface is:
interface <type number>
ip access-group {number|name} {in|out}

An access list may be specified by a name or a number. "in" applies the ACL to inbound traffic, and "out" applies the ACL to outbound traffic.

Example:
To apply the standard ACL created in the previous example, use the following commands:
Router(config)#interface serial 0
Router(config-if)#ip access-group 10 out


Route-map
Route-maps have many features in common with the widely known access control lists (ACLs). These are some of the traits common to both mechanisms:
They are an ordered sequence of individual statements, each with a permit or deny result. Evaluation of an ACL or route-map consists of a scan of the list, in order, evaluating the criteria of each statement until one matches. The scan stops at the first matching statement and the action associated with that statement is performed.
These are some of the differences between route-maps and ACLs:
Route-maps frequently use ACLs as matching criteria.
The result of an access list is a yes or no answer: an ACL either permits or denies input data. Applied to redistribution, an ACL determines whether a particular route can (the route matches a permit statement) or cannot (it matches a deny statement) be redistributed.
A typical route-map not only permits redistributed routes but also modifies information associated with the route when it is redistributed into another protocol.

route-map ospf-to-eigrp deny 10
 match tag 6
 match route-type external type-2
!
route-map ospf-to-eigrp permit 20
 match ip address 110
 set metric 20000 2000 255 1 1500
!
route-map ospf-to-eigrp permit 30
 set tag 8
!
router eigrp 1
 redistribute ospf 1 route-map ospf-to-eigrp
 default-metric 20000 2000 255 1 1500

Route-maps are more flexible than ACLs and can verify routes based on criteria which ACLs cannot verify. For example, a route-map can verify whether the type of route is internal or whether it has a specific tag.
Each ACL ends with an implicit deny statement; there is no similar convention for route-maps. If the end of a route-map is reached during matching attempts, the result depends on the specific application of the route-map. Route-maps that are applied to redistribution behave the same way as ACLs: if the route does not match any clause in the route-map then the route redistribution is denied, as if the route-map contained a deny statement at the end.
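As an added example (not from the original post), the following Python code models the ordered, first-match evaluation of a standard ACL with its implicit deny, then applies the ospf-to-eigrp route-map above to a few constructed routes to show the deny-at-end behaviour for redistribution. ACL 110 is modelled here as a standard list matching 10.1.1.0/24 (route-maps match on the source field of the ACL), and the route-type strings are this example's own labels.

```python
from ipaddress import ip_address

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, addr):
    """Standard ACL: ordered scan, first matching entry wins, implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False

def clause_matches(matches, acls, route):
    """Every match statement of a clause must be true; an empty list matches all routes."""
    for kind, value in matches:
        if kind == "tag" and route.get("tag") != value:
            return False
        if kind == "route-type" and route.get("route_type") != value:
            return False
        if kind == "ip address" and not acl_permits(acls[value], route["prefix"].split("/")[0]):
            return False
    return True

def redistribute(route_map, acls, route):
    """Route-map applied to redistribution: the first matching clause decides. A deny
    clause, or reaching the end without a match, drops the route (None), exactly like
    an implicit deny; a permit clause returns the route with its 'set' values applied."""
    for _seq, action, matches, sets in route_map:   # clauses in sequence-number order
        if clause_matches(matches, acls, route):
            return {**route, **sets} if action == "permit" else None
    return None

# The post's ospf-to-eigrp route-map as data; ACL 110 is a constructed standard list.
ACLS = {110: [("permit", "10.1.1.0", "0.0.0.255")]}
OSPF_TO_EIGRP = [
    (10, "deny",   [("tag", 6), ("route-type", "external type-2")], {}),
    (20, "permit", [("ip address", 110)], {"metric": (20000, 2000, 255, 1, 1500)}),
    (30, "permit", [], {"tag": 8}),
]

if __name__ == "__main__":
    for r in ({"prefix": "10.1.1.0/24", "tag": 6, "route_type": "external type-2"},
              {"prefix": "10.1.1.0/24", "tag": 0, "route_type": "intra-area"},
              {"prefix": "172.16.5.0/24", "tag": 0, "route_type": "external type-1"}):
        print(r["prefix"], "->", redistribute(OSPF_TO_EIGRP, ACLS, r))
```

Dropping clause 30 (the catch-all permit) makes every route that misses the first two clauses fall off the end and be denied, which is the implicit-deny behaviour the paragraph above describes.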

Route-maps are used in BGP, redistribution, etc.

In BGP :
  • Route-map can match on:
    • A network number and subnet mask match with an IP prefix list
    • Route originator
    • BGP next hop address
    • BGP origin
    • Tag attached to IGP route
    • AS-path
    • BGP community
    • IGP route type (internal/external)
  • Route-maps can also change the attributes of BGP routes
  • Route-maps can set
    • Origin
    • BGP community
    • BGP next hop
    • Local preference
    • Weight
    • MED

Hope this information will help you.
