Wednesday, August 31, 2011

Cisco MPLS VPN EIGRP PE-CE Protocol Configuration Example

In this example, we will configure EIGRP as the PE-CE routing protocol in an MPLS VPN environment. We will also briefly explain the POI (Point of Insertion), the Cost Community and SoO (Site of Origin).

Here is our topology:


PE-1 configuration:

ip vrf a
 rd 1:1
 route-target export 1:1
 route-target import 1:1

interface Loopback0
 ip address 1.1.1.1 255.255.255.255

interface Loopback100
 ip vrf forwarding a
 ip address 100.100.100.1 255.255.255.255

interface FastEthernet1/0
 ip address 192.168.12.1 255.255.255.0
 ip ospf network point-to-point
 mpls ip

interface FastEthernet1/1
 ip address 192.168.13.1 255.255.255.0
 ip ospf network point-to-point
 mpls ip

interface FastEthernet2/0
 ip vrf forwarding a
 ip address 10.10.1.1 255.255.255.0

router eigrp 100
 auto-summary
 address-family ipv4 vrf a
  redistribute bgp 1
  network 0.0.0.0
  default-metric 10000 1000 255 1 1500
  no auto-summary
  autonomous-system 101
 exit-address-family

router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0
!
router bgp 1
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf a
  redistribute connected
  redistribute static
  redistribute eigrp 101
  no synchronization
 exit-address-family

PE-2 Configuration:

ip vrf a
 rd 1:1
 route-target export 1:1
 route-target import 1:1

interface Loopback0
 ip address 3.3.3.3 255.255.255.255

interface Loopback100
 ip vrf forwarding a
 ip address 100.100.100.3 255.255.255.255

interface FastEthernet1/0
 ip address 192.168.23.3 255.255.255.0
 ip ospf network point-to-point
 mpls ip

interface FastEthernet1/1
 ip address 192.168.13.3 255.255.255.0
 ip ospf network point-to-point
 duplex auto
 speed auto
 mpls ip

interface FastEthernet2/1
 ip vrf forwarding a
 ip address 10.10.3.3 255.255.255.0

router eigrp 100
 auto-summary

 address-family ipv4 vrf a
  redistribute bgp 1
  network 0.0.0.0
  default-metric 10000 1000 255 1 1500
  no auto-summary
  autonomous-system 101
 exit-address-family

router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0

router bgp 1
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary

 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
      
 address-family ipv4 vrf a
  redistribute connected
  redistribute static
  redistribute eigrp 101
  no synchronization
 exit-address-family

CE-1 Configuration:

interface Loopback0
 ip address 7.7.7.7 255.255.255.255

interface FastEthernet0/0
 ip address 10.10.1.7 255.255.255.0

interface FastEthernet0/1
 description *** Backdoor Link ***
 bandwidth 1000
 ip address 10.10.78.7 255.255.255.0

router eigrp 101
 redistribute static
 network 0.0.0.0
 default-metric 10000 1000 255 1 1500
 no auto-summary
      
ip route 70.70.70.70 255.255.255.255 Null0

CE-2 Configuration:

interface Loopback0
 ip address 8.8.8.8 255.255.255.255

interface FastEthernet0/0
 ip address 10.10.3.8 255.255.255.0

interface FastEthernet0/1
 description *** Backdoor Link ***
 bandwidth 1000
 ip address 10.10.78.8 255.255.255.0

router eigrp 101
 redistribute static
 network 0.0.0.0
 default-metric 10000 1000 255 1 1500
 no auto-summary

ip route 80.80.80.80 255.255.255.255 Null0



BGP Extended Communities for EIGRP

0x8800 Flags + TAG
0x8801 Autonomous System + Delay
0x8802 Route metric information Reliability + Hop Count + BW
0x8803 Reserved field + Load + MTU
0x8804 Remote Autonomous System + Remote ID
0x8805 Remote Protocol + Remote Metric

The POI (point of insertion) is pre-bestpath.
Cost Community is considered in the BGP path selection process before any other comparison step. The cost community for EIGRP over MPLS VPN is turned on automatically when EIGRP is the PE-CE routing protocol. The cost community ID is either 128 or 129:

- 128 for EIGRP internal routes
- 129 for EIGRP external routes

The path with the lowest EIGRP cost is preferred. So internal routes are preferred over external routes.

Let's check the route and BGP tables for vrf a on PE-1:

PE-1#show ip route vrf a  

Routing Table: a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     100.0.0.0/32 is subnetted, 3 subnets
B       100.100.100.4 [200/0] via 4.4.4.4, 00:54:58
C       100.100.100.1 is directly connected, Loopback100
B       100.100.100.3 [200/0] via 3.3.3.3, 00:54:58
     70.0.0.0/32 is subnetted, 1 subnets
D EX    70.70.70.70 [170/514560] via 10.10.1.7, 00:18:11, FastEthernet2/0
     80.0.0.0/32 is subnetted, 1 subnets
B       80.80.80.80 [200/514560] via 3.3.3.3, 00:18:05
     7.0.0.0/32 is subnetted, 1 subnets
D       7.7.7.7 [90/156160] via 10.10.1.7, 00:22:21, FastEthernet2/0
     8.0.0.0/32 is subnetted, 1 subnets
D       8.8.8.8 [90/2716160] via 10.10.1.7, 00:12:42, FastEthernet2/0
     10.0.0.0/24 is subnetted, 4 subnets
C       10.10.1.0 is directly connected, FastEthernet2/0
B       10.10.3.0 [200/0] via 3.3.3.3, 00:25:24
B       10.10.4.0 [200/30720] via 3.3.3.3, 00:16:23
D       10.10.78.0 [90/2588160] via 10.10.1.7, 00:12:52, FastEthernet2/0

PE-1#show ip bgp vpnv4 vrf a
BGP table version is 85, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf a)
*> 7.7.7.7/32       10.10.1.7           156160         32768 ?
*> 8.8.8.8/32       10.10.1.7          2716160         32768 ?
*> 10.10.1.0/24     0.0.0.0                  0         32768 ?
*>i10.10.3.0/24     3.3.3.3                  0    100      0 ?
*>i10.10.4.0/24     3.3.3.3              30720    100      0 ?
*> 10.10.78.0/24    10.10.1.7          2588160         32768 ?
*> 70.70.70.70/32   10.10.1.7           514560         32768 ?
*>i80.80.80.80/32   3.3.3.3             514560    100      0 ?
*> 100.100.100.1/32 0.0.0.0                  0         32768 ?
*>i100.100.100.3/32 3.3.3.3                  0    100      0 ?
*>i100.100.100.4/32 4.4.4.4                  0    100      0 ?

7.7.7.7/32 is an internal EIGRP route, so the cost community ID should be 128:

PE-1#show ip bgp vpnv4 vrf a 7.7.7.7   
BGP routing table entry for 1:1:7.7.7.7/32, version 59
Paths: (1 available, best #1, table a)
  Advertised to update-groups:
        1
  Local
    10.10.1.7 from 0.0.0.0 (1.1.1.1)
      Origin incomplete, metric 156160, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:1 Cost:pre-bestpath:128:156160 0x8800:32768:0
        0x8801:101:130560 0x8802:65281:25600 0x8803:65281:1500
      mpls labels in/out 25/nolabel

70.70.70.70/32 is an external EIGRP route, so the cost community ID should be 129:

PE-1#show ip bgp vpnv4 vrf a 70.70.70.70
BGP routing table entry for 1:1:70.70.70.70/32, version 65
Paths: (1 available, best #1, table a)
  Advertised to update-groups:
        1
  Local
    10.10.1.7 from 0.0.0.0 (1.1.1.1)
      Origin incomplete, metric 514560, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:1 Cost:pre-bestpath:129:514560 0x8800:0:0
        0x8801:101:258560 0x8802:65281:256000 0x8803:65281:1500
        0x8804:0:117901063 0x8805:3:0
      mpls labels in/out 27/nolabel
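
The extended communities in the two outputs above can be decoded with the table from this post. The following is an added example, not part of the original post: the split of the 16-bit part into two bytes and the dotted-quad rendering of the remote ID are assumptions, and the function and field names are illustrative.

```python
import ipaddress
import re

# Layout of each EIGRP extended community as "type:16-bit:32-bit", named after
# the table in this post. Two names for the 16-bit part mean high byte, low
# byte (assumed split; the post lists only the field names).
EIGRP_TYPES = {
    0x8800: (("flags",), "tag"),
    0x8801: (("autonomous_system",), "delay"),
    0x8802: (("reliability", "hop_count"), "bandwidth"),
    0x8803: (("reserved", "load"), "mtu"),
    0x8804: (("remote_as",), "remote_id"),
    0x8805: (("remote_protocol",), "remote_metric"),
}
COST_IDS = {128: "internal", 129: "external"}
COST_RE = re.compile(r"Cost:([\w-]+):(\d+):(\d+)")
EIGRP_RE = re.compile(r"(0x88[0-9A-Fa-f]{2}):(\d+):(\d+)")

def decode_extcommunity(text):
    """Decode the Cost and EIGRP communities found in `show ip bgp vpnv4` text."""
    out = {}
    cost = COST_RE.search(text)
    if cost:
        out["poi"] = cost.group(1)
        out["cost_id"] = int(cost.group(2))
        out["cost"] = int(cost.group(3))
        out["route_kind"] = COST_IDS.get(out["cost_id"], "unknown")
    for type_hex, first, second in EIGRP_RE.findall(text):
        layout = EIGRP_TYPES.get(int(type_hex, 16))
        if layout is None:
            continue  # not one of the six types listed in the post
        names16, name32 = layout
        first, second = int(first), int(second)
        if len(names16) == 2:
            out[names16[0]], out[names16[1]] = first >> 8, first & 0xFF
        else:
            out[names16[0]] = first
        out[name32] = second
    if "remote_id" in out:
        # Assumption: render the 32-bit remote ID as a dotted quad.
        # 117901063 becomes 7.7.7.7, CE-1's Loopback0 in this lab.
        out["remote_id"] = str(ipaddress.IPv4Address(out["remote_id"]))
    return out

# Extended Community lines copied from the two PE-1 outputs above.
INTERNAL = """Extended Community: RT:1:1 Cost:pre-bestpath:128:156160 0x8800:32768:0
  0x8801:101:130560 0x8802:65281:25600 0x8803:65281:1500"""
EXTERNAL = """Extended Community: RT:1:1 Cost:pre-bestpath:129:514560 0x8800:0:0
  0x8801:101:258560 0x8802:65281:256000 0x8803:65281:1500
  0x8804:0:117901063 0x8805:3:0"""

if __name__ == "__main__":
    for name, sample in (("7.7.7.7/32", INTERNAL), ("70.70.70.70/32", EXTERNAL)):
        print(name, decode_extcommunity(sample))
```

Only the external route carries the 0x8804 and 0x8805 communities, which is a quick way to spot redistributed prefixes when auditing what a CE injects into the VRF.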

When the router receives a route across the interface with this route map configured and the SoO (Site of Origin) of the route matches the configured SoO, the router rejects the route. SoO helps to speed up convergence when a route disappears.

Sunday, August 28, 2011

Cisco MPLS VPN OSPF down-bit, domain-tag and domain-id

Down Bit:

If an OSPF route has been advertised from a PE router into an OSPF area, the down bit is set. Another PE router in the same area does not redistribute this route into iBGP of the MPLS VPN network if the down bit is set.

We can see this bit below:

CPE-2#show ip ospf 10 database  summary

            OSPF Router with ID (8.8.8.8) (Process ID 10)

                Summary Net Link States (Area 0)

  LS age: 2
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 1.1.1.111 (summary Network Number)
  Advertising Router: 100.100.100.3
  LS Seq Number: 80000001
  Checksum: 0x1CFB
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 2

Domain Tag:

If a PE router that is connected to the same site, or to another site that is connected through a backdoor link, receives an OSPF route and it matches the configured domain tag, the route is not redistributed into iBGP. By default this value is the BGP AS number of the PE routers.

We can see this value below:

PE-1(config)#router ospf 10
PE-1(config-router)#domain-tag 100

PE-1#show ip ospf 10 database external

            OSPF Router with ID (100.100.100.1) (Process ID 10)

                Type-5 AS External Link States


  LS age: 30
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 80.80.80.80 (External Network Number )
  Advertising Router: 100.100.100.1
  LS Seq Number: 80000002
  Checksum: 0x17B4
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 100

Domain ID:

By default, it is equal to the OSPF process ID. If the domain ID of a route received by a PE router does not match the OSPF process ID of the particular VRF, the route is advertised as an OSPF external route (Type-5 E2). If the domain ID does match the OSPF process ID, the route is advertised as an internal route.
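
The down-bit and domain-tag checks described above can be applied to the LSA output shown in this post. This is an added example, not part of the original post: the function names are illustrative, and the decision function models only the two rules as this post states them.

```python
import re

FIELDS = {
    "options": r"Options:\s*\((.*?)\)",
    "ls_type": r"LS Type:\s*(.+)",
    "link_state_id": r"Link State ID:\s*(\S+)",
    "adv_router": r"Advertising Router:\s*(\S+)",
    "route_tag": r"External Route Tag:\s*(\d+)",
}

def parse_lsas(show_output):
    """Return one dict per LSA found in `show ip ospf database ...` text."""
    lsas = []
    for chunk in show_output.split("LS age:")[1:]:
        lsa = {}
        for name, pattern in FIELDS.items():
            match = re.search(pattern, chunk)
            lsa[name] = match.group(1).strip() if match else None
        # IOS prints "Downward" in the Options list when the down bit is set.
        lsa["down_bit"] = "Downward" in (lsa["options"] or "")
        if lsa["route_tag"] is not None:
            lsa["route_tag"] = int(lsa["route_tag"])
        lsas.append(lsa)
    return lsas

def pe_redistributes_into_bgp(lsa, domain_tag):
    """Apply the two checks described above; returns (decision, reason)."""
    if lsa["down_bit"]:
        return False, "down bit set"
    if lsa["route_tag"] is not None and lsa["route_tag"] == domain_tag:
        return False, "route tag equals domain tag"
    return True, "no loop-prevention marker"

# Abbreviated from the two outputs shown above.
SUMMARY_LSA = """
  LS age: 2
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 1.1.1.111 (summary Network Number)
  Advertising Router: 100.100.100.3
"""
EXTERNAL_LSA = """
  LS age: 30
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 80.80.80.80 (External Network Number )
  Advertising Router: 100.100.100.1
        External Route Tag: 100
"""

if __name__ == "__main__":
    for lsa in parse_lsas(SUMMARY_LSA + EXTERNAL_LSA):
        print(lsa["link_state_id"], pe_redistributes_into_bgp(lsa, domain_tag=100))
```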

Saturday, August 27, 2011

Supervisor Replacement Procedure for Cisco Modular IOS VSS

These steps explain the supervisor replacement procedure for a VSS that runs Modular IOS:

1 - First, insert a compact flash disk into one of the compact flash slots of the active or standby supervisor in the VSS chassis.

2 - Copy the Modular IOS file and the startup-config to the new flash disk.
Example:

copy sup-bootdisk:s72033-adventerprisek9-vz.122-33.SXI.bin disk0:
copy nvram:startup-config disk0:
Or
copy sup-bootdisk:s72033-adventerprisek9-vz.122-33.SXI.bin slavedisk0:
copy nvram:startup-config slavedisk0:

3 - Power off the chassis whose supervisor will be replaced and insert the new disk0 into the sup-bootdisk of the new supervisor module.

4 - Then insert the new supervisor into the chassis and boot the switch.

5 - Connect to the new supervisor through the console port. After the new supervisor boots, upgrade it to Modular IOS and copy the startup-config onto it.

Example:
Dir sup-bootdisk0:
install file disk0:s72033-adventerprisek9-vz.122-33.SXI.bin sup-bootdisk:/sys
conf t
install bind sup-bootdisk:/sys
exit
copy sup-bootdisk0:startup-config nvram:startup-config

6 - Go to the active chassis and enter this command:

VSS#switch read switch_num local
Read switch_num from Active rommon is 1

If it is 1 on the active chassis, enter this command on the new supervisor:

Router#switch set switch_num 2
Set rommon's switch_num to 2

If it is 2 on the active chassis, enter this command on the new supervisor:

Router#switch set switch_num 1
Set rommon's switch_num to 1

7 - Then reboot the chassis without copying the running-config to the startup-config.

8 - The VSS should work after the new supervisor boots.

Friday, August 26, 2011

Cisco MPLS VPN with OSPF Sham-Link Configuration Example

If there is a backdoor link between VPN sites and the VPN sites are in the same OSPF area, the routes learned over the backdoor link are preferred over the routes learned from the PE routers, because intra-area routes are preferred over inter-area routes.
Sham-links can be configured to prevent this route selection. With a sham-link, routes learned from the PE are intra-area instead of inter-area. External routes do not change; they still arrive as external routes, as before.
In this example we will configure OSPF sham-links.

Here is the topology:


PE-1 Configuration:

ip vrf a
 rd 1:1
 route-target export 1:1
 route-target import 1:1

interface Loopback0
 ip address 1.1.1.1 255.255.255.255

interface FastEthernet1/0
 ip address 192.168.12.1 255.255.255.0
 ip ospf network point-to-point
 mpls ip

interface FastEthernet1/1
 ip address 192.168.13.1 255.255.255.0
 ip ospf network point-to-point
 mpls ip

interface FastEthernet2/0
 ip vrf forwarding a
 ip address 10.10.1.1 255.255.255.0

router ospf 10 vrf a
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 10.10.1.1 0.0.0.0 area 0

router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0

router bgp 1
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary

 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family

 address-family ipv4 vrf a
  redistribute connected
  redistribute static
  redistribute ospf 10 vrf a match internal external 1 external 2
  no synchronization
 exit-address-family

PE-2 Configuration:

ip vrf a
 rd 1:1
 route-target export 1:1
 route-target import 1:1

interface Loopback0
 ip address 3.3.3.3 255.255.255.255


interface FastEthernet1/0
 ip address 192.168.23.3 255.255.255.0
 ip ospf network point-to-point
 mpls ip

interface FastEthernet1/1
 ip address 192.168.13.3 255.255.255.0
 ip ospf network point-to-point
 mpls ip

interface FastEthernet2/1
 ip vrf forwarding a
 ip address 10.10.3.3 255.255.255.0

router ospf 10 vrf a
 log-adjacency-changes
 redistribute bgp 1 subnets
 network 10.10.3.3 0.0.0.0 area 0
        
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0

router bgp 1
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary

 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family

 address-family ipv4 vrf a
  redistribute connected
  redistribute static
  redistribute ospf 10 vrf a match internal external 1 external 2
  no synchronization
 exit-address-family

CE-1 Configuration:

interface Loopback0
 ip address 7.7.7.7 255.255.255.255

interface FastEthernet0/0
 ip address 10.10.1.7 255.255.255.0
 ip ospf cost 10

interface FastEthernet0/1
 description *** Backdoor Link ***
 ip address 10.10.78.7 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 15

router ospf 10
 log-adjacency-changes
 redistribute static subnets
 network 7.7.7.7 0.0.0.0 area 0
 network 10.10.1.7 0.0.0.0 area 0
 network 10.10.78.7 0.0.0.0 area 0

ip route 70.70.70.70 255.255.255.255 Null0

CE-2 Configuration:

interface Loopback0
 ip address 8.8.8.8 255.255.255.255

interface FastEthernet0/0
 ip address 10.10.3.8 255.255.255.0
 ip ospf cost 10

interface FastEthernet0/1
 description *** Backdoor Link ***
 ip address 10.10.78.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf cost 15

router ospf 10
 log-adjacency-changes
 redistribute static subnets
 network 8.8.8.8 0.0.0.0 area 0
 network 10.10.3.8 0.0.0.0 area 0
 network 10.10.78.8 0.0.0.0 area 0
        
ip route 80.80.80.80 255.255.255.255 Null0

Without the sham-link configuration, when the backdoor link is shut down, CPE-1 learns these routes through the PE-1 router:

CPE-1#show ip route ospf
     80.0.0.0/32 is subnetted, 1 subnets
O E2    80.80.80.80 [110/20] via 10.10.1.1, 00:02:15, FastEthernet0/0
     8.0.0.0/32 is subnetted, 1 subnets
O IA    8.8.8.8 [110/12] via 10.10.1.1, 00:02:25, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.10.3.0 [110/11] via 10.10.1.1, 00:02:25, FastEthernet0/0

When the backdoor link is shut down, CPE-2 learns these routes through the PE-2 router:

CPE-2#show ip route ospf
     70.0.0.0/32 is subnetted, 1 subnets
O E2    70.70.70.70 [110/20] via 10.10.3.3, 00:03:02, FastEthernet0/0
     7.0.0.0/32 is subnetted, 1 subnets
O IA    7.7.7.7 [110/12] via 10.10.3.3, 00:03:02, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.10.1.0 [110/11] via 10.10.3.3, 00:03:02, FastEthernet0/0

When we bring the backdoor link up:

CPE-1#show ip route ospf
     80.0.0.0/32 is subnetted, 1 subnets
O E2    80.80.80.80 [110/20] via 10.10.78.8, 00:00:00, FastEthernet0/1
     8.0.0.0/32 is subnetted, 1 subnets
O       8.8.8.8 [110/16] via 10.10.78.8, 00:00:01, FastEthernet0/1
     10.0.0.0/24 is subnetted, 3 subnets
O       10.10.3.0 [110/25] via 10.10.78.8, 00:00:01, FastEthernet0/1

CPE-2#show ip route ospf
     70.0.0.0/32 is subnetted, 1 subnets
O E2    70.70.70.70 [110/20] via 10.10.78.7, 00:00:15, FastEthernet0/1
     7.0.0.0/32 is subnetted, 1 subnets
O       7.7.7.7 [110/11] via 10.10.78.7, 00:00:28, FastEthernet0/1
     10.0.0.0/24 is subnetted, 3 subnets
O       10.10.1.0 [110/20] via 10.10.78.7, 00:00:28, FastEthernet0/1

When the PE router redistributes BGP routes into OSPF, Type-1 LSAs are converted to Type-3 LSAs. Type-1 LSAs are preferred over Type-3 LSAs, so the Type-1 LSAs are the ones installed in the routing tables.

Let's configure the sham-link:

On PE-1:

interface Loopback100
 ip vrf forwarding a
 ip address 100.100.100.1 255.255.255.255

router ospf 10 vrf a
 area 0 sham-link 100.100.100.1 100.100.100.3

On PE-2:

interface Loopback100
 ip vrf forwarding a
 ip address 100.100.100.3 255.255.255.255

router ospf 10 vrf a
 area 0 sham-link 100.100.100.3 100.100.100.1

PE-1#show ip ospf 10 neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.3.3         0   FULL/  -           -        100.100.100.3   OSPF_SL0
10.10.1.7         1   FULL/BDR        00:00:34    10.10.1.7       FastEthernet2/0

CPE-1#show ip route ospf
     100.0.0.0/32 is subnetted, 2 subnets
O E2    100.100.100.1 [110/1] via 10.10.1.1, 00:11:09, FastEthernet0/0
O E2    100.100.100.3 [110/1] via 10.10.1.1, 00:11:09, FastEthernet0/0
     80.0.0.0/32 is subnetted, 1 subnets
O E2    80.80.80.80 [110/20] via 10.10.1.1, 00:11:09, FastEthernet0/0
     8.0.0.0/32 is subnetted, 1 subnets
O       8.8.8.8 [110/13] via 10.10.1.1, 00:11:09, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O       10.10.3.0 [110/12] via 10.10.1.1, 00:11:09, FastEthernet0/0

CPE-2#show ip route ospf      
     100.0.0.0/32 is subnetted, 2 subnets
O E2    100.100.100.1 [110/1] via 10.10.3.3, 00:00:35, FastEthernet0/0
O E2    100.100.100.3 [110/1] via 10.10.3.3, 00:00:35, FastEthernet0/0
     70.0.0.0/32 is subnetted, 1 subnets
O E2    70.70.70.70 [110/20] via 10.10.3.3, 00:00:35, FastEthernet0/0
     7.0.0.0/32 is subnetted, 1 subnets
O       7.7.7.7 [110/13] via 10.10.3.3, 00:00:35, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O       10.10.1.0 [110/12] via 10.10.3.3, 00:00:35, FastEthernet0/0

CPE-2#traceroute 7.7.7.7 source 8.8.8.8 num

Type escape sequence to abort.
Tracing the route to 7.7.7.7

  1 10.10.3.3 0 msec 192 msec 96 msec
  2 10.10.1.1 [MPLS: Label 22 Exp 0] 76 msec 92 msec 72 msec
  3 10.10.1.7 116 msec *  200 msec
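
The route selection behind the CPE-1 outputs above can be reproduced by ranking path type before cost. This is an added example, not part of the original post: the function names are illustrative, the route lines are taken from the CPE-1 outputs, and the backdoor candidates are assumed to keep the costs shown when no sham-link was configured.

```python
import re

# OSPF compares path type first; cost only breaks ties within one type.
TYPE_RANK = {"O": 0, "O IA": 1, "O E1": 2, "O E2": 3}
ROUTE_RE = re.compile(
    r"^(O(?: IA| E1| E2)?)\s+(\d+\.\d+\.\d+\.\d+) \[110/(\d+)\] via ([\d.]+),",
    re.M)

def parse_routes(show_output):
    """Return {prefix: (type, cost, next_hop)} from `show ip route ospf` lines."""
    return {prefix: (kind, int(cost), next_hop)
            for kind, prefix, cost, next_hop in ROUTE_RE.findall(show_output)}

def select(*tables):
    """For every prefix, pick the winning (type, cost, next hop) candidate."""
    winners = {}
    for table in tables:
        for prefix, route in parse_routes(table).items():
            current = winners.get(prefix)
            key = (TYPE_RANK[route[0]], route[1])
            if current is None or key < (TYPE_RANK[current[0]], current[1]):
                winners[prefix] = route
    return winners

# Candidates via PE-1 before the sham-link (inter-area, lower cost).
PE_NO_SHAM = """O IA    8.8.8.8 [110/12] via 10.10.1.1, 00:02:25, FastEthernet0/0
O IA    10.10.3.0 [110/11] via 10.10.1.1, 00:02:25, FastEthernet0/0"""
# Candidates over the backdoor link (intra-area, higher cost).
BACKDOOR = """O       8.8.8.8 [110/16] via 10.10.78.8, 00:00:01, FastEthernet0/1
O       10.10.3.0 [110/25] via 10.10.78.8, 00:00:01, FastEthernet0/1"""
# Candidates via PE-1 once the sham-link is up (now intra-area).
PE_SHAM = """O       8.8.8.8 [110/13] via 10.10.1.1, 00:11:09, FastEthernet0/0
O       10.10.3.0 [110/12] via 10.10.1.1, 00:11:09, FastEthernet0/0"""

if __name__ == "__main__":
    print("no sham-link:", select(PE_NO_SHAM, BACKDOOR))
    print("sham-link:   ", select(PE_SHAM, BACKDOOR))
```

Without the sham-link the backdoor wins despite its higher cost; with it, both candidates are intra-area and the lower-cost path through the MPLS core wins.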