Configuring MPLS VPN using static routing

Hi,
I have managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of an IGP. Does anyone know if Cisco routers support static configuration of LSPs? I have tried but could not get it to work.

You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criteria to have an MPLS forwarding table.
1) Creating the LIB
This lies in having LDP neighborship between two peers, and you have label bindings. This is irrespective of what is the best next hop to reach the advertising peer's LDP_ID.
2) Creating the LFIB
Now after considering all the label bindings, the LDP_ID which can be reached out an interface as a next hop, those label bindings get installed in the LFIB.
So considering the above two points, we have to be careful in static routes only for interfaces like Ethernet (multiaccess segments). As in CEF when you give a static route pointing to an Ethernet interface, CEF creates a glean adjacency (meaning there could be multiple hosts as the next hop on this segment, and it will glean for the right next hop).
Now you may observe that when you give a static route only pointing to an Ethernet interface, your LDP adjacency may come up and you may exchange the bindings with each other. But the label forwarding table is not created. This is because of this being a multiaccess interface, and you have glean for it. If it's a normal WAN interface like Serial or POS, then there is no problem of glean and you would have a valid cached adjacency.
So to avoid problems with Ethernet interfaces you can simply specify the next-hop IP address.
For e.g.: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (without the interface)
ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (or with the interface)
The only difference between the two is that in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well, and you can have static routes in your network running MPLS.
And doing this CEF would work as it should and you would have a valid cached adjacency.
So this is applicable for Cisco devices which use CEF, including 6500 with SUP720.
HTH-Cheers,
Swaroop
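The reply above describes two rules: LDP bindings go into the LIB regardless of routing, but a binding is only installed in the LFIB when the prefix resolves, through a usable (cached, not glean) CEF adjacency, to the peer that advertised it. The toy model below is an added example (not code from the post or from Cisco) that applies those rules to the three static-route forms the reply contrasts. The PE topology, addresses, peers and labels are constructed; the resolution logic is a deliberate simplification of CEF and LDP behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set

# Media on which the neighbour must be found with ARP: an interface-only static route
# on one of these gets a glean adjacency instead of a usable cached adjacency.
MULTIACCESS = {"ethernet", "fastethernet", "gigabitethernet"}

# Constructed PE: one Ethernet link (fa0/0) and one serial link (s0/0).
INTERFACES = {"fa0/0": ("10.10.31.224/28", "fastethernet"),
              "s0/0": ("10.10.40.0/30", "serial")}


@dataclass
class Route:
    prefix: str                          # "10.10.31.250/32"
    interface: Optional[str] = None      # "ip route ... fa0/0"
    next_hop: Optional[str] = None       # "ip route ... 10.10.31.226"
    connected: bool = False


@dataclass
class LdpPeer:
    ldp_id: str                # peer's LDP router-id
    link_interface: str        # local interface the LDP session was discovered on
    addresses: Set[str]        # interface addresses the peer announced in LDP Address messages
    bindings: Dict[str, int]   # prefix -> label the peer advertised (its contribution to the LIB)


CONNECTED = [Route(p, name, connected=True) for name, (p, _) in INTERFACES.items()]


def longest_match(dst: str, routes):
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def resolve(dst: str, statics, depth: int = 0):
    """CEF-style resolution of dst: (interface, next_hop, adjacency) or None.
    adjacency is 'cached' when a concrete neighbour can be used, 'glean' when the
    route only names a multiaccess interface and the neighbour is unknown."""
    if depth > 8:                       # loop guard for mutually recursive statics
        return None
    r = longest_match(dst, CONNECTED + statics)
    if r is None:
        return None
    if r.connected:                     # dst is on the segment itself: ARP for dst
        return (r.interface, dst, "cached")
    if r.next_hop:                      # recursive lookup on the next hop
        via = resolve(r.next_hop, statics, depth + 1)
        if via is None:
            return None
        return (r.interface or via[0], via[1], via[2])
    media = INTERFACES[r.interface][1]
    return (r.interface, None, "glean" if media in MULTIACCESS else "cached")


def build_lfib(statics, peers):
    """Install a LIB binding only when the prefix resolves through a cached adjacency
    to the advertising peer (its link address, or the point-to-point interface the
    session runs on)."""
    lfib = {}
    for peer in peers:
        for prefix, label in peer.bindings.items():
            res = resolve(prefix.split("/")[0], statics)
            if res is None or res[2] != "cached":
                continue
            iface, nh, _ = res
            if nh in peer.addresses or (nh is None and iface == peer.link_interface):
                lfib[prefix] = (iface, nh, label)
    return lfib


# Constructed peers: one across the Ethernet segment, one across the serial link.
PEER_ETH = LdpPeer("10.10.31.250", "fa0/0", {"10.10.31.226", "10.10.31.250"},
                   {"10.10.31.250/32": 16, "192.168.100.0/24": 17})
PEER_SER = LdpPeer("10.0.0.2", "s0/0", {"10.10.40.2", "10.0.0.2"}, {"10.0.0.2/32": 18})

# The three forms the reply contrasts: interface only, next hop only, interface plus next hop.
INTERFACE_ONLY = [Route("10.10.31.250/32", "fa0/0"), Route("192.168.100.0/24", "fa0/0"),
                  Route("10.0.0.2/32", "s0/0")]
NEXT_HOP_ONLY = [Route("10.10.31.250/32", next_hop="10.10.31.226"),
                 Route("192.168.100.0/24", next_hop="10.10.31.226"),
                 Route("10.0.0.2/32", "s0/0")]
BOTH = [Route("10.10.31.250/32", "fa0/0", "10.10.31.226"),
        Route("192.168.100.0/24", "fa0/0", "10.10.31.226"),
        Route("10.0.0.2/32", "s0/0")]

if __name__ == "__main__":
    for name, statics in (("interface only", INTERFACE_ONLY), ("next hop only", NEXT_HOP_ONLY), ("both", BOTH)):
        print(f"{name:15}", build_lfib(statics, [PEER_ETH, PEER_SER]))
```

With the interface-only routes, the Ethernet peer's bindings never reach the LFIB (glean adjacency) while the serial peer's binding does; with a next-hop address, with or without the interface keyword, all three bindings are installed, the next-hop-only form going through one extra recursive lookup to find fa0/0.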

Similar Messages

  • Redundant access from MPLS VPN to global routing table

    Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
    As I'm not aware of any methods how to dynamically import/export routes between VRF/global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
    Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
    Here comes tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if specific prefix is reachable in VRF or not. What I'd like to achieve is that specific static route becomes valid only if specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
    OK, hope you got the idea. Any solutions/recommendations? Running all Internet routing inside VRF isn't an option, at least for now :(

    Hi Andris,
    I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
    dot1q will be ok as well.
    This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
    Example:
    PE config:
    interface Serial0/0
    encapsulation frame-relay
    interface Serial0/0.1 point-to-point
    description customer VPN access
    ip vrf customer
    ip address 10.1.1.1 255.255.255.252
    interface Serial0/0.2 point-to-point
    description customer Internet access
    ip address 192.168.1.1 255.255.255.252
    router rip
    address-family ipv4 vrf customer
    version 2
    network 10.0.0.0
    no auto-summary
    redistribute bgp 65000 metric 5
    router bgp 65000
    neighbor 192.168.1.2 remote-as 65001
    address-family ipv4 vrf customer
    redistribute rip
    CE config:
    interface Serial0/0
    encapsulation frame-relay
    interface Serial0.1 point-to-point
    description VPN access
    ip address 10.1.1.2 255.255.255.252
    interface Serial0.2 point-to-point
    description Internet access
    ip address 192.168.1.2 255.255.255.252
    router bgp 65001
    neighbor 192.168.1.1 remote-as 65000
    router rip
    version 2
    network 10.0.0.0
    no auto-summary
    Of course you can replace RIP with whatever is suitable for you. And don't sue me when you do not apply required BGP filters for internet access... ;-)
    The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
    Regards
    Martin

  • In A Perfect World - Using Static Routes In RRAS 2012 To Traverse Sites

    I have site-to-site VPN tunnels between my main sites 
    NYC <--> UK
    NYC <----> SANFRAN
    NYC <----> BOSTON
    NYC <----> MALTA
    UK <----> SANFRAN
    UK <----> BOSTON
    And could see ALL sites when I had my DA/RRAS server using one of the existing subnets (for example, when I used US VPN on NYC DHCP (192.168.2.x) I was able to see EVERYTHING on any site we had a site-to-site VPN with (i.e. from VPN client I could access
    MALTA, UK, SANFRAN, BOSTON).
    Alas I had to change that to a different subnet (192.168.145.x) and now only see the 192.168.2.x network in NYC.
    Is there a way to add static routes on the NYC & UK DA/RRAS servers so this access is restored?   Or would this be solved at the Layer 2/3 network level?
    Michael P. O'Hara

    No, you need to allow forwarding of broadcast packets, but it's really against the best practice, as you can easily kill your satellite link.
    I agree with you for WINS, as I personally do not use it and try to remove it when I see someone use it, but it's the only solution for what you want (network discovery over LAN). (Even LLTD is not routable beyond a router.)
    Edited: You need to see all machines, but must the end user see them?
    Regards, Philippe

  • DMVPN will not bring up dynamic tunnel unless using static routes

    I have a hub and two spokes and each spoke is bringing up a tunnel to the hub and is routing normally. My problem is that if I try to route from spoke1 (10.30.1.1) to spoke2 (10.30.3.1) it will not bring up a new tunnel but instead will route through the hub.
    If I put 'ip route 10.30.3.0 255.255.255.0 tunnel 0' on spoke1, it will then bring up the tunnel to spoke2. I know this is an EIGRP issue (my misconfiguration somewhere), can someone look at the configs and point me in the right direction?
    Thanks!!!

    Use the debug commands that run on the hub router to confirm that the correct parameters are matched for the spoke and VPN Client connections. Run these debug commands:
    debug crypto isakmp - Displays messages about IKE events.
    debug crypto ipsec - Displays information about IPsec events.
    Here is the configuration guide with the Hub & Spoke example. http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml

  • Injecting Global default Routes into a MPLS VPN

    Hi,
    I have a PE router running MPBGP which receives two default routes to the internet through an IPV4 BGP session. I need to import these routes in to a VRF and export them to different customer VRFs so that these VRFs are able to access Internet.
    I have used the feature called "BGP Support for IP Prefix Import from Global Table into a VRF Table" (URL:http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803b8db9.html#wp1063870)
    and imported these routes into a VRF.
    The issue is these routes are not propagated to any of the other PE routers which have customer VRFs configured.
    Has anybody tried this or a similar method to inject a dynamic default route into a MPLS VPN?
    Any suggestions would be highly appreciated.
    Thanks
    Subhash

    Hi Subhash,
    is there anything preventing you from terminating your internet BGP sessions in a VRF? Then everything should go smoothly, i.e. standard VRF import/export.
    So possibility A) create a VRF Internet, move bgp neighbor commands there and use filters preventing anything but the default route, then use route targets to distribute the default route into other VRFs.
    Possibility B) use static routing with packet leaking. Could look like this:
    ip route vrf Internet 0.0.0.0 0.0.0.0 global
    ip route vrf Internet 0.0.0.0 0.0.0.0 global 250
    ip route Serial0/0 !assuming this is where the customer router connects.
    Note: the BGP peer IP does not have to be directly connected! There has to be an LDP label for it though. So include your BGP peer's network into your IGP and the backup will work when you lose the link to the peer.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Configuring static routes at the network edge

    We have some Cisco 1750 routers at the edge of our network which are running RIP. We were advised to use static routes on the router, since there was only one route (across a WAN link) for traffic to go from the hub connected to the router, as RIP would only waste the limited bandwidth to the router. We posted this problem previously and got a response which stated :You could set up a default static route on your edge router, run RIP on your internal routers in order to propagate the default, but block the RIP to the outside.
    On your edge router, make a default route to your external link. Keep RIP running as before, but add the line redistribute static in your rip configuration. That will get the default route propagated.
    Now to stop the RIP on the external interface: If the link is on a different major IP network to your internal network, you can simply not include it in the network commands under rip. But if it is in the same network, then RIP will be enabled on the interface, so you will have to add passive-interface xxxxx, where xxxxx refers to the interface carrying your external link,
    Alternatively, you could define your default route using the ip default-network command. This will get propagated automatically into the RIP even without the redistribute command.
    We tried it; the problem is that the router is unreachable via the serial or Ethernet, although if connected to the router via console port, with the configuration screen, you are able to ping external locations and are able to telnet into the router, but the PCs on the Ethernet side of the router can't see the network.
    Assistance\Advice requested.
    Attached you will find the actual reply and a copy of some info from our work file.

    Ernie
    I have looked at the config that you posted and I see several issues. The serial interface on Salvage is 172.20.2.2. Your message indicates that it is connected via serial to a 3640 which your message seems to indicate is 172.20.1.4. But that makes the 3640 on a different subnet. Connections over a serial link should be in the same subnet on both ends. (The exception to that is when you are using the ip unnumbered feature - which you are not). I suspect that part of your problem is that the routers do not see themselves on a connected subnet. When you run RIP over the link it can compensate for that to some degree. But when you stop RIP the problem has impact.
    Also I see that you have a static default route as Kevin suggested. And in RIP you have redistribute static. But there is no default metric defined. To redistribute into RIP you need a default metric. Another aspect of the problem with the default route is that the next hop for the default route is 172.20.1.4, but without RIP running I believe that Salvage has no idea how to get to that address. You can confirm this by doing show ip route 172.20.1.4 on Salvage. I suspect that you will get an error about route not in table.
    Beyond these issues I believe that there is a larger problem of misunderstanding. When I look at your original post in this thread it talks about not running RIP over the serial link. And when I read Kevin's response the first paragraph is describing not running RIP over the serial interface when it says do static default on your edge router and run RIP on your internal router. If you are not running RIP over the serial interface then I see no reason to run RIP on Salvage at all. There is one piece of this that Kevin did not address. If you do not run RIP over the serial link then how does the 3640 know about the Ethernet subnet at Salvage. I believe that the answer is that the 3640 needs to configure a static route to 172.20.27.0 with the 1750 serial interface as the next hop. And if there are other routers that the 3640 communicates with via RIP then the 3640 needs to redistribute static into RIP (remembering to have a default metric).
    If you address these issues I believe that you will have connectivity from the central network to the remote subnet on Salvage.
    HTH
    Rick

  • Problems to configure VPN in a router COMTREND HG536+

    I can't configure my VPN in the router COMTREND HG536+. It gives me a failure. Can anybody help me? At the university they told me to enable port 47 UDP and 1723 TCP to my PC (IP). I don't know how to do it. Thank you very much.

    Dear Bruno Ambrio
    try to do the following :
    - uninstall the MI from the mobile
    - delete the MI folder
    - restart the Mobile device
    - install the MI again
    - restart the mobile device
    - make the first synchronization
    - assign the DB2E as a mobile component to the mobile device
    - do synchronization again
    If you have any problems, tell me which version of MI and DB2e you are using.
    Hope it helps
    Ahmed Saber

  • MPLS VPN DC/DR

    Hi,
    In the VPN network I have DC & DR. Both DC & DR are geographically separate. The server IP pool used in DC & DR is different. I need to configure MPLS VPN in such a way that when DC is active the spoke should not be able to access DR; when DC becomes unavailable the spoke should be able to access DR.
    I am thinking of conditional BGP. Let me know if you have any suggestion on conditional BGP or a different solution.
    Thanks...

    Hello Sachin,
    in your case what could help is BGP conditional advertising:
    the PE routers (or the CE routers) of the DR site start to advertise the DR ip subnets when the DC subnets disappear from the VRF routing table.
    see
    http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/1cdbgp.html#wp1023602
    Hope to help
    Giuseppe
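The reply above recommends BGP conditional advertisement: the DR site's routes are announced only while the DC subnets are absent from the table. The model below is an added example (not code from the post or from Cisco) of that rule in the IOS non-exist-map form, replayed over a sequence of table changes so the withdraw/re-advertise behaviour is visible. The DC and DR prefixes are constructed.

```python
from ipaddress import ip_network

# Constructed server pools: DC subnets watched by the non-exist-map, DR subnets in the advertise-map.
DC_PREFIXES = ["10.10.0.0/24", "10.10.1.0/24"]
DR_PREFIXES = ["10.20.0.0/24", "10.20.1.0/24"]


def conditional_advertisement(table, advertise_map, non_exist_map):
    """Prefixes the DR-site router announces to its peer.
    Like an IOS non-exist-map: the advertise-map prefixes are announced only while
    NONE of the non-exist-map prefixes is present in the table, and only those
    advertise-map prefixes that actually exist in the table are sent."""
    present = {ip_network(p) for p in table}
    if any(ip_network(p) in present for p in non_exist_map):
        return set()
    return {p for p in advertise_map if ip_network(p) in present}


def simulate(events):
    """Replay ('add' | 'withdraw', prefix) table changes and record what is
    advertised after each one."""
    table, history = set(), []
    for action, prefix in events:
        (table.add if action == "add" else table.discard)(prefix)
        history.append(sorted(conditional_advertisement(table, DR_PREFIXES, DC_PREFIXES)))
    return history


# Constructed sequence: DR comes up, DC appears (DR hidden), DC fails one subnet at a time.
EVENTS = [("add", "10.20.0.0/24"), ("add", "10.20.1.0/24"),
          ("add", "10.10.0.0/24"), ("add", "10.10.1.0/24"),
          ("withdraw", "10.10.0.0/24"), ("withdraw", "10.10.1.0/24"),
          ("add", "10.10.0.0/24")]

if __name__ == "__main__":
    for (action, prefix), advertised in zip(EVENTS, simulate(EVENTS)):
        print(f"{action:9}{prefix:16} -> advertising {advertised}")
```

Note the fifth step: while any one DC subnet is still present the DR subnets stay hidden, so the non-exist-map should match exactly the prefixes whose disappearance means "DC is gone", not a set that partly survives a DC outage.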

  • Connecting VPNs using a PIX Firewall

    Hi,
    We are trying to configure a PIX firewall to connect different VPNs in an MPLS environment and we have a problem when we use more than one firewall.
    With one FW all works fine, but with two or more, in some situations we can have recursive routing and it doesn't work.
    Do you know any way to connect different MPLS VPNs using different firewalls?
    Regards.
    Enrique.

    Would appreciate if you can elaborate more on the topology and the minute details on the problem that you experience with multiple firewalls.

  • Static routes within VRF

    Is there a limit to the number of static routes one could use within a VRF?
    We have a large customer connected to an MPLS VRF based backbone and due to various limiting factors this customer uses static routing from a PE-CE perspective.
    We have been experiencing a problem where a static needs to be removed and placed back as routing to a site stops (no traffic passed). This happens intermittently and to different sites within different regions as well. All the general or expected troubleshooting procedures have been followed, i.e. check routing table, BGP, CEF tables, FIB etc. All seems fine; the only thing that resolves this is removing the static and then replacing it.
    My thinking is that there might be a limit to the number of statics that one can use within a VRF and that we have reached the limit for this customer, which causes the intermittent failure.
    Please advise.

    I know of a "maximum routes" limit command to limit the number of routes in a VRF on a PE.
    From this command reference i find there are no default values for this.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_r/xrfscmd3.htm#1032272
    So I assume, the default is to allow a huge value and the only limitations would be the memory/capacity and the number of vrfs on the PE router.
    If you are experiencing a problem in this regard and removing a static route is helping to overcome it, then I would only suspect a bug here.
    I am also curious to know how many static routes you have in this particular VRF.

  • Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?

    Hi All,
    Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
    I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
    To best explain the question I have put together an example scenario:
    Let's say we have three sites, which are all connected via separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
    Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
    The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
    Routing on the outside interface is not of concern in this scenario.
    The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
    VLSM is not cleanly summarised per site. (I know this flies against VLSM best practice, but makes the scenario clearer...)
    New subnets are added and removed at each site on a frequent basis.
    EIGRP will be running on each core router, and any stub routers at each site.
    So this results in the following example topology, of which I have exaggerated the VLSM position:
    (http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
    Now, using static route redistribution from the ASAs into EIGRP and making the ASAs to be an EIGRP neighbour, would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over, is the potential to have new subnets added or removed which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
    The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASA's routing table to choose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would be otherwise protected by the IPSEC tunnel...
    Is there a better method to propagate the routing information dynamically around the example scenario above?
    Is there a way to have dynamic crypto maps based on router information?
    P.S. Diagram above produced via http://www.diagram.ly/

    Hi Guys,
    Thanks for your responses!  I am learning here, hence the post.
    David: I had looked into the potential for GRE tunnels, but the side-effects could outweigh the benefits.  The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA.  In my example (maybe not too clear?) the IPSEC traffic would be terminated on the ASA and not the core router behind.
    Marcin: Was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? Have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
    ospf network point-to-point non-broadcast: Specifies the interface as a point-to-point, non-broadcast network. When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
    Otherwise I would agree it would be happy days...
    Any other ideas (maybe around iBGP, like OSPF) which do not involve GRE tunnels or terminating the IPSEC on the core router please?
    Kindest Regards,
    James.

  • Overlapping addresses in MPLS VPN

    I know that you can have overlapping addresses in an MPLS VPN and that the route distinguisher is used for distinguishing them, by converting IPv4 to VPNv4.
    My question is, if an IP range of Branch A overlaps with the IP range of Branch B of the same VPN, how could a host in Branch A ping any host in Branch B if they are in the same subnet? I mean, how could the router (CE) know to forward it to the PE, if the range is directly connected (to the CE)?
    I will appreciate any help

    Within a VPN the normal IP routing rules apply, eg. if you have 2 networks that overlap within a VPN you need to use NAT in one of the CE routers.
    Hth,
    Niels

  • Multiple instances of EIGRP or static routes

    I'm building a network which needs to have all but one of its private networks pass through a DMVPN; all the routes are advertised through EIGRP, and that part works great!
    I have a private VLAN that only has access onto the internet, the address is Nat'ed over to a public IP address. Each router, there's six of them, are neighbors to two other routers. The furthest router to the internet has to go through three routers to get to the internet. My current idea is to use static routes on all the routers to the Internet gateway router. Then let recursive routing sort out each hop. What I would rather do is have EIGRP do all that. I really don't want to mess with the EIGRP that's running for the DMVPN tunnels, I'd like to have another instance of EIGRP run on the routers that will route the users to the Internet.
    Does anyone have any thoughts concerning this design.
    Thanks.
    Mitch

    Mitch
    I am not clear about what you are attempting to achieve and not very clear about the topology. So my answer may or may not be on target. If it is not perhaps you can help us understand a little better what is involved.
    I believe that what you are saying is that you have an existing network with multiple locations connected over DMVPN and that you run EIGRP as the routing protocol for that network. I believe you are also saying that there is one network segment which needs access to the Internet but should not be able to access the other parts of your network.
    You say that the address of this other segment is NATed but are not clear whether the translation is on the router where the segment is located or is on the Internet gateway router.
    Probably the traditional solution for this would be to provide a default route for this segment pointing toward the Internet gateway router, to have a route on the Internet gateway router (and other routers along the path toward where the network is located), and a series of access lists on each router along the way which allows passage to the Internet and denies access to local resources.
    I would propose a somewhat different solution. I believe that it would work if you configure a GRE tunnel between the router where the segment is located and the Internet Gateway router. On the router where the segment is located you could do Policy Based Routing to send traffic from the private segment to the Internet over the GRE tunnel (which effectively isolates it from your other resources). You might want Policy Based Routing on the Internet gateway router to be sure that traffic from the private segment was forwarded only to the Internet (though you might not need that). The Internet gateway router could have a route (probably a static route) which sends traffic to the private segment over the GRE tunnel.
    Let us know what you think of this. And if it is off the mark perhaps you could clarify a bit.
    HTH
    Rick

  • Linksys E3000 Invalid Static Route

    I just got a Linksys E3000 to replace my old WRT54G router.  I have another Linksys router configured as a bridge and all is working well now.  My issue is that I am trying to add a static route to the new E3000 for my subnet behind the bridge and it keeps telling me "Invalid Static Route".  Now I have the ethernet interface IP set to 192.168.1.1 with a subnet mask of 255.255.255.128.  The static route I am trying to add is
    Destination LAN IP: 192.168.0.128
    Subnet Mask: 255.255.255.128
    Gateway: 192.168.1.7 (2nd router configured as bridge)
    This static route works great on the existing router, but the E3000 will not take it.  

    I would also be very interested in seeing this resolved.   I have spent a couple of days trying to resolve it and Linksys support advise "we can't help you with this - too complicated for us".   I am trying to solve exactly the same problem.   Bridged modem is on 192.168.0.1 and I am using the standard subnet mask for class C addressing (255.255.255.0).  Intuitively I would have thought the following would do the trick:
    Destination LAN address would be: 192.168.0.0
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.1 (the address of the ES3000 router)
    I consider myself a novice here however and welcome any solution.   Linksys's only suggestion was to put everything on the same network, which requires the DHCP server to run from the modem .... no longer really bridged and what I was trying to avoid.  I want this functionality to be performed by the router.
    Thanks in advance (P.S. the ES3000 is a week old and has the next to latest firmware.   The notes for the latest do not appear to address this issue so I haven't reflashed it at this stage).
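Two of the threads above come down to a static route whose parameters do not fit the router's own addressing: in the Salvage case the default route's next hop 172.20.1.4 is not on any subnet the 1750 is connected to, and in the second Linksys post the gateway given is the E3000's own LAN address. The checker below is an added example (not code from any of the posts, and not the validation the E3000 firmware actually performs, which the thread does not document) that applies the generic sanity checks a router should make before accepting a static route: contiguous mask, destination aligned to the mask, gateway on a directly connected subnet, and gateway not the router itself. The router interface addresses are taken from the posts where given and constructed (labelled) where the posts do not state a mask.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface
from typing import List


def mask_is_contiguous(mask: str) -> bool:
    """A valid netmask is a run of ones followed by zeros. Inverting it yields a run of
    ones from the low end, i.e. a number of the form 2**k - 1, which this test detects."""
    inv = (~int(IPv4Address(mask))) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def check_static_route(dest: str, mask: str, gateway: str, router_ifaces: List[str]) -> List[str]:
    """router_ifaces: the router's own addresses as 'a.b.c.d/len'.
    Returns the reasons the route cannot be installed; an empty list means it passes."""
    problems = []
    if not mask_is_contiguous(mask):
        return ["non-contiguous subnet mask"]
    net = IPv4Network((dest, mask), strict=False)
    if str(net.network_address) != dest:
        problems.append(f"destination {dest} is a host address; network is {net.network_address}")
    gw = ip_address(gateway)
    connected = [ip_interface(i) for i in router_ifaces]
    if any(gw == c.ip for c in connected):
        problems.append("gateway is the router's own address")
    elif not any(gw in c.network for c in connected):
        # Without a routing protocol nothing can tell the router how to reach this next hop.
        problems.append("gateway is not on a directly connected subnet")
    return problems


# Cases from the threads (constructed masks where the posts give none).
LINKSYS_FIRST = ("192.168.0.128", "255.255.255.128", "192.168.1.7", ["192.168.1.1/25"])
LINKSYS_SECOND = ("192.168.0.0", "255.255.255.0", "192.168.1.1", ["192.168.1.1/25"])
SALVAGE_DEFAULT = ("0.0.0.0", "0.0.0.0", "172.20.1.4", ["172.20.2.2/24", "172.20.27.1/24"])  # /24s assumed

if __name__ == "__main__":
    for label, case in (("Linksys post 1", LINKSYS_FIRST), ("Linksys post 2", LINKSYS_SECOND),
                        ("Salvage default", SALVAGE_DEFAULT)):
        print(f"{label:16} {check_static_route(*case) or 'ok'}")
```

The first Linksys route passes every generic check, so whatever the E3000 objects to is not one of these; the second fails because a gateway must be another device on a connected subnet, and the Salvage default route fails for exactly the reason Rick gives: the next hop is in a subnet the router cannot see once RIP is off.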

  • Configuring Static Route Tracking Using ASDM 7.1(3) ASA 9.1(2)

    I have recently updated my ASA5520 to 9.1(2) and I am using ASDM 7.1(3) to configure Static Route Tracking. I have done this previously in earlier versions of ASDM without a problem.  There seems to be a new field in the Tracked Options section.  What is the "Target Interface"?  Is it the interface I want to use as the standby route when the Monitor fails? Or is it the Interface that is doing the monitoring?
    I have looked through Cisco ASA Series General Operations ASDM Configuration Guide Software Version 7.1, as well as older ASDM books and this field is never listed or described.

    Hi,
    The target interface will be the interface through which you will be polling some destination IP address with ICMP Echos to determine if the route through that interface is still valid.
    So in your case you would use "Outside"
    Here's the link to the ASA Command Reference listing the above "type" command under the "sla monitor 1" configuration
    http://www.cisco.com/en/US/docs/security/asa/command-reference/t2.html#wp1568359
    - Jouni
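The answer above says the target interface is the one the echo probes leave through, so the tracked route is withdrawn when that path stops answering and a floating static route (higher administrative distance) takes over. The model below is an added example (not code from the post or from Cisco) of that selection rule: routes with a tracked object are only installed while the object is up, and among installed candidates the lowest distance wins. It also contrasts an untracked primary, which stays installed no matter what the probes report. Interface names, next hops and probe results are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str
    interface: str            # outgoing interface, the "target interface" of the probe when tracked
    next_hop: str
    distance: int = 1         # administrative distance; a high value (e.g. 250) marks the floating backup
    track: Optional[int] = None   # tracked object that must be up for the route to be installed


class Tracker:
    """Tracked objects driven by SLA probe results. Simplification: an object is up
    while the last echo through its target interface was answered."""
    def __init__(self):
        self.state: Dict[int, bool] = {}

    def report(self, track_id: int, echo_answered: bool) -> None:
        self.state[track_id] = echo_answered

    def is_up(self, track_id: int) -> bool:
        return self.state.get(track_id, False)


def installed_route(prefix: str, candidates: List[StaticRoute], tracker: Tracker) -> Optional[StaticRoute]:
    """Lowest-distance candidate for prefix among those whose tracked object (if any) is up."""
    usable = [r for r in candidates
              if r.prefix == prefix and (r.track is None or tracker.is_up(r.track))]
    return min(usable, key=lambda r: r.distance, default=None)


def next_hops_over_time(candidates: List[StaticRoute], probe_results: List[bool]) -> List[str]:
    """Feed a sequence of probe results for track 1 and return the active next hop after each."""
    tracker = Tracker()
    active = []
    for answered in probe_results:
        tracker.report(1, answered)
        route = installed_route("0.0.0.0/0", candidates, tracker)
        active.append(route.next_hop if route else "none")
    return active


# Constructed configuration: primary default via Outside (tracked), floating backup via Backup (AD 250).
TRACKED = [StaticRoute("0.0.0.0/0", "Outside", "203.0.113.1", distance=1, track=1),
           StaticRoute("0.0.0.0/0", "Backup", "198.51.100.1", distance=250)]
# Same routes with no tracking on the primary: the backup can never become active.
UNTRACKED = [StaticRoute("0.0.0.0/0", "Outside", "203.0.113.1", distance=1),
             StaticRoute("0.0.0.0/0", "Backup", "198.51.100.1", distance=250)]

PROBES = [True, True, False, False, True]   # primary path answers, fails twice, recovers

if __name__ == "__main__":
    print("tracked  :", next_hops_over_time(TRACKED, PROBES))
    print("untracked:", next_hops_over_time(UNTRACKED, PROBES))
```

The tracked variant fails over to 198.51.100.1 on the first missed echo and preempts back to 203.0.113.1 when the probe answers again; the untracked variant keeps forwarding to a dead next hop, which is the situation route tracking exists to avoid.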
