FlexVPN over MPLS with NAT

Hi there,
I was wondering if an expert on FlexVPN would be able to comment on this.
I am looking to use a FlexVPN hub-and-spoke deployment using the FLEXoMPLS feature, so I will have hub routers connected to remote routers via IPSec/GRE tunnels. This enables VRFs at hub and spokes to be joined via an MPLS point-to-point link.
Can someone please confirm if it would be possible to NAT at the remote site with the VRF interface being on the inside and the IPSec/GRE tunnel in the global VRF on the outside?
Thanks in advance.
Lee.

Well, thanks for all the help, but I am not going to be able to use this method. I am not going to be able to connect a cable at all the sites. I don't know if I can just wire an RJ-45 as a loopback plug maybe, but that is still not a good method. Also, when I reconfigure my Linux box with both the networks it does not add the second network and I lose ASDM; I guess I shouldn't have changed the management interface. Is there any other method? What I was wondering: does it send the syslog with the ASA outside interface IP to the remote syslog IP? If so, can or would a NAT static with the orig. working on the outside with the ASA IP and the dest of the syslog translating to a single IP on the VPN network back on the outside interface... Seems like a simple thing to ask to do. I kind of understand what is going on, but it seems there needs to be a check box to say this syslog server is over a VPN and it takes care of all the magic.

Similar Messages

  • Cell-relay over MPLS using MGX 8850

    We have an existing ATM network using TDM links between MGX 8850s and have PVCs for voice & data traffic. We are planning to migrate the same over an MPLS network.
    The following is the setup.
    MGX1----> PE1 ------>MPLS Cloud ------> PE2 ---->MGX2
    As per this plan we will terminate the existing TDM trunks on PE routers at both ends and map VPI/VCI values at the PE routers for virtual ATM PVCs over the MPLS cloud. We are using cell-relay over MPLS in VC mode. My query is, can we enable MPLS L3 & L2 on the same last mile in this scenario? We want to have one IP over ATM interface on the same ATM interface at the PE router, make that part of a VRF, and enable L3 MPLS VPN between all the sites for any-to-any data transfer. For data we don't want to use L2 MPLS as it's any-to-any and it will end up with too many ATM PVCs.
    In this setup the PE router & MGX will be configured as NNI-NNI at both ends. If we want to create one sub-interface on the same ATM interface at the PE router end, then that port needs to be in UNI. Is it possible to use the same ATM trunk port as NNI & UNI?
    In the MGX 8850 we have RPM, AXSM & VISM modules.

    The following document should give you some idea:
    http://www.cisco.com/en/US/products/hw/modules/ps2797/products_module_installation_guide_chapter09186a0080086f9a.html

  • How to provide redundancy for VRF MGMT with the help of BGP over MPLS (MPBGP)

    Hi,
    Please find the network topology.
    This is one remote site and it is managed by the Mgmt office.
    All devices on the remote site are accessed by the MGMT office. My organisation seeks redundancy for managing devices.
    My administration is from MGW to R1. I am new to MPLS.
    As you can see in the diagram, R1 has 3 VRFs (Voice, Signal and MGMT). Currently I have a primary link over which we are running MPBGP.
    Traffic from these VRFs goes over this primary link. Currently the secondary link is not connected.
    Now my organisation has proposed the secondary link, and they want only traffic from VRF MGMT to go through MPLS RTR R2 (the secondary link) when the mgmt routes are not learned from MPLS RTR R1 (connected to SP1).
    Current R1 config
    There is IBGP between R1 and both MPLS RTRs.
    BGP Config
    router bgp 64513
      synchronization disable
      neighbor 10.36.150.1 remote-as 64513
      neighbor 10.36.150.1 activate
      neighbor 10.36.150.1 update-source loopback1
      address-family ipv4 vrf signalling
        redistribute connected
        redistribute static
      $
      address-family ipv4 vrf voice
        redistribute connected
        redistribute static
      $
      address-family ipv4 vrf OAM-T
        redistribute connected
        redistribute static
      $
      address-family vpnv4
        neighbor 10.36.150.1 activate
        neighbor 10.36.150.1 send-community
      $
    !<ospfv2>
    router ospf 100
      interface gei-3/3
        network point-to-point
      $
      network 10.36.150.49 0.0.0.0 area 0.0.0.0  --- loopback ip (Configured)
      network 10.36.149.60 0.0.0.3 area 0.0.0.0 ---- p2p ip bet R1 and MPLS R1.(Configured)
      network 10.36.149.64 0.0.0.3 area 0.0.0.0 ---- p2p ip bet R1 and MPLS R2. ----------  (till now not configured as secondary link is not connected)
    router-id 10.36.150.49
    So what configuration needs to be done at R1 to achieve the redundancy for the MGMT VRF?
    If possible please reply with a sample configuration.
    Or:
    In the MPBGP protocol, where will I apply a routing policy to apply AS-path prepend so that the route would be secondary to the neighbor?
    IGP-OSPF and BGP over MPLS are running.
    On which address-family neighbor should I apply it: is it in VPNV4 or IPV4 or IPV4 VRF?
    If I want the 10.36.128.0/26 prefix to go to neighbor MPLS R2, what should I use, an access-list or a prefix list?
    Please provide the reply with its config.
    thanks in advance,
    Regards,
    Ajay
    Message was edited by: Ajaykumar yadav

  • Ask the Expert: Concepts, Configuration and Troubleshooting Layer 2 MPLS VPN – Any Transport over MPLS (AToM)

    With Vignesh R. P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the concepts, configuration and troubleshooting of Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
    Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
    Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
    Remember to use the rating system to let Vignesh know if you have received an adequate response.
    Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider sub-community discussion forum shortly after the event. This event lasts through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Tenaro,
    AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
    The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
    AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
    The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
    Whereas pseudowire is a connection between the PE routers and emulates a wire that is carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
    Another technology that more or less achieves the result of AToM is L2TPv3. In the case of L2TPv3, Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
    Hope the above explanation helps you. Kindly revert in case further clarification is required.
    Thanks & Regards,
    Vignesh R P

  • GRE over MPLS

    Hello people,
    I'm facing a problem trying to establish a GRE tunnel over MPLS. The topology goes as follows:
    (server) ----CE1(6500)-----PE1(6500)----vrf cloud-----CE2(6500)--FW
    - server needs to establish a GRE tunnel with FW.
    - server receives a default route from CE1 via OSPF.
    - CE1 has a default static route pointing to the next hop, which is an interface VLAN (in a VRF) on PE1.
    - PE1 receives a default route generated by CE2 (via MPBGP).
    In this situation the GRE tunnel wouldn't come up. The only way I got the GRE to work was replacing the default static route on CE1 with a more specific static route.
    In both cases (default AND specific static routes) the connectivity (ping) from end to end was there.
    Has anybody seen anything alike?
    thanks,
    Bruno

    You could be looking at some recursive routing through the GRE interface, so the second it comes up it will try to put the GRE packets through the GRE tunnel, thus creating a loop. Are you using a dynamic routing protocol to get network info over the GRE tunnel, or a static route? If so, how is it set up?

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT, but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN; however, it is not able to call anyone past the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • Sample Configuration For Ethernet over MPLS.

    I am looking for a sample configuration and scenario for Ethernet over MPLS. I would appreciate it if I could get some explanation with it. How is LDP configured for the directed sessions (as per the Martini draft) and the auto discovery (as per the Kompella draft) with respect to Ethernet over MPLS? Can anyone help me with this?

    Here's a sample EoMPLS configuration on the PE routers:
    R1:
    interface Loopback0
      ip address 1.1.1.1 255.255.255.255
    interface Ethernet0/0.10
      encapsulation dot1Q 10
      ! 10 = vcid must match the vcid configured on the other side
      mpls l2transport route 2.2.2.2 10
    R2:
    interface Loopback0
      ip address 2.2.2.2 255.255.255.255
    interface Ethernet0/0.10
      encapsulation dot1Q 10
      mpls l2transport route 1.1.1.1 10
    The LDP directed session will be setup automatically by the router when the xconnect statement is configured.
    Cisco IOS doesn't support the Kompella Draft.
    For more information, see the following URL:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/atomt/ftatomtb.htm
    Hope this helps,

  • Ethernet over MPLS/VPLS

    Hi,
    I would appreciate it if you could answer my following questions:
    - As you know, EoMPLS is based on physical port, but how about VPLS?
    - Could you tell me the minimum router which supports VPLS?
    - Are there any other solutions for transferring Ethernet frames over MPLS except VPLS and EoMPLS?
    - I think VPLS is better than EoMPLS because it supports multipoint to multipoint; is that true? Could you please tell me VPLS's advantages and disadvantages?
    Regards,
    M.Arshad rad

    Ehlo,
    1) EoMPLS is available in port and VLAN mode. Since VPLS is actually using Martini encapsulations (both Lasserre and Kompella), it is possible to use raw and tagged modes.
    2) IMHO the only Cisco router that supports VPLS now is the 7600. Additionally, a VFI can only be assigned to an SVI.
    3) Juniper CCC (RSVP based) - but obviously you won't use it since it's proprietary (nevertheless it has a nice feature like lsp-stitching) and IOS couldn't signal it.
    4) VPLS is designed to support p-to-mp and therefore it's more complex. If you don't need its features you can stick with raw p2p Martini, which is relatively simple and widely implemented (no problem, for example, to configure it between IOS and JUNOS boxes).
    pm

  • Implementing SAN over MPLS

    Hello,
    We have 2 datacenters (backup), and we need to implement SAN over MPLS (perhaps with copper: G.SHDSL, or FO). Is it possible?
    And how can we interconnect the 2 MDS (through our WAN connection, router, firewall, IPS...?), or connect the MDS directly to IP MPLS (without other equipment; in this case is it secured?), and with which interfaces do we interconnect 2 MDS via MPLS?

    MPLS networks can pose a challenge for FCIP.
    If you do implement FCIP over MPLS, be sure to monitor for out of order TCP packets on the FCIP interfaces. Within an MPLS network, individual FCIP packets may take different paths through the network based on the current network load. This could lead to TCP packets arriving at the destination FCIP interface out of order in some instances. OOO (out of order) packets can lead to decreased performance. I have seen a few MDS installs decide to use static routing within the MPLS network to avoid a high % of OOO.
    The CLI command to monitor for OOO is
    show ips stats tcp interface gigabit x/y detail
    Under TCP receive stats, look for Out of Order packets. Be sure to monitor both ends. You might see OOO in 1 direction, and not the other.
    Hope this helps,
    Mike

  • L2TPv3 over MPLS

    Hi folks,
    I've to implement two L2TPv3 tunnels over MPLS backbone, primary and backup. I'm thinking about L2 pseudowires, but my question is: with 2 pseudowires, how could I do, if possible, to create a primary and a backup tunnel? Something like FRR?
    I've found in a recent post a configuration for two tunnels:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddda49d
    but no idea about how to implement a fault tolerance solution.
    Any advice will be appreciated
    Thanks
    Andrea

    Andrea,
    I think I understand where my confusion comes from. You are using L2TPv3 in a context of VPDN rather than using it as a transport for a pseudowire, right?
    In this case the L2TPv3 session could just be routed as IP traffic through the core. Or if you want to use pseudowires through the core, it would certainly be possible to use MPLS for this purpose.
    Let me know if that helps,

  • I accidentally quit my CC on my Macbook pro and now the cloud icon is grayed out and every time I hover over it with the mouse I get the spinning beach ball of death on the icon. I have no idea how to open it because when I use spotlight search to open it

    I accidentally quit my CC on my Macbook pro and now the cloud icon is grayed out and every time I hover over it with the mouse I get the spinning beach ball of death on the icon. I have no idea how to open it because when I use spotlight search to open it it gives me a message saying "Creative Cloud is not open anymore" help!

    Since you didn't include any pertinent info such as the Mac model and OS version you are running, here is some general information:
    Mac OS X: Gray screen appears during startup
    Depending on which OS yours came with originally - and which OS you are now running - you would either need your original install disks - you can call Apple for replacements by giving them your serial number. Or you may be able to reinstall the OS by using recovery (again, depends on which model/which OS).

  • Can i text international from one iphone to another iphone over wifi with other friends who will be with us overseas?

    can i text international from one iphone to another iphone over wifi with other friends that have iPhones
    who will be with us overseas?

    Yes, if you are provisioned by your carrier to do so. If both phones are iPhones with iOS 5.0 or higher then you can use iMessage.

  • Airtune Over Ethernet  with Time Capsule or Airport Extreme

    Can the previous generation Time Capsule or Airport Extreme bridge an ethernet client to an Airtunes network?
    Current Setup: I have an aluminum iMac wired to my Time Capsule; currently, I use the aluminum as a music server by connecting to several Airport Express clients over the iMac's built-in Airport for Airtunes support.
    Problem: I have 3-802.11g clients dragging my wifi network. I would like to dedicate the iMac's internal network to the g-clients so I don't have to use compatibility mode for my n-network. However, I will lose Airtunes speaker support when I use internet sharing over the built-in Airport. Airtunes does not appear to support the Time Capsule ethernet client.
    Nodes:
    -AE 802.11g (Airtunes only)
    -AE 802.11n (Airtunes and USB printer)
    -1st gen Time Capsule (Internet gateway, "creating network" 802.11 g/n)
    -iMac 8,1 (Music server via internal wifi, wired TC client)
    -Macbook 4,1 (wifi client)
    -iPhone
    -Canon MP620 (USB to iMac, wifi to Macbook)

    Further to Bob's comments..
    A Gen1 TC will be using a Marvell wireless chip and your 2008 and 2010 Macbook will use Atheros and/or Broadcom cards. Just open your system profiler and look for info on the Airport. We find the mixture of wireless chipsets, especially older draft N and later N products, can give very varied results.
    The very fact you are linking at 270 and not 300mbps shows some reduction from theoretical max speed.. and really to get over 100mbps with any wireless you need perfect setup.. matched wireless chips etc.
    Do a test uploading and downloading a file to the TC to see if the LAN speed is better than internet speed.
    In reality I think you are doing especially well.. we see loads of people complaining about slow internet here who are getting less than 10% of the speed they get direct when routed through the TC. And on most occasions the limit in speed is not really going to affect what you do, as the real links to the internet are not that fast.

  • Database link from Oracle 11g (64 bit) to MySQL over UnixODBC with dg4odbc

    Hello,
    I want to connect to a MySQL database from Oracle over a database link, but I always get the error message ORA-28528: Heterogeneous Services datatype conversion error.
    In the forum or on the internet I can't find a solution for my problem, so I am now posting it here.
    Here is a detailed description of the problem:
    I use an Oracle 11.1.0.7.0 64bit database which is running on a Red Hat Linux 5.3 64bit.
    I want to connect to a MySQL 5.0 database, which is running on a Red Hat Linux 5.2 32bit, over unixODBC.
    The ODBC configuration seems to be good, because with isql on the ora server I can connect and query all data correctly from the MySQL database.
    Also the tnsnames.ora and listener.ora should be configured correctly. The tnsping also works fine.
    But when I try to fetch the data over SQLPlus with the database link I always get the error ORA-28528.
    If I try to select just one column it works, but the returned data are incomplete or truncated.
    The versions of my libs:
    Between MySQL and ODBC I use libmyodbc3.so version 3.51.12-2.2 (I also tried version 5, but with that I get a segmentation fault error on isql).
    between odbc and dg4odbc I use libodbc.so version 2.2.11-7.1
    Has anybody a solution or hint for me?
    Many Thanks in advance,
    best regards from Austria
    Manuel
    Edited by: user11243186 on 09.06.2009 02:59

    kdgmanu wrote:
    > Hello,
    > I always get the error ORA-28528.
    > If I try to select just one column it works, but the returned data are incomplete or truncated.
    maybe you are facing bug 6772397, so do a search on metalink for bug 6772397
    > Has anybody a solution or hint for me?
    you could also see the following notes 554409.1 and 603801.1
    > Many Thanks in advance,
    > best regards from Austria
    cheers from Zagreb

  • Problems with NAT and UDP

    Hi everyone,
    I'm running a Cisco 3620 with two interfaces, an FE and an ADSL WIC, and I'm noticing some unexpected behaviour when NATing some UDP ports. Here are the config rules in question:
    ip nat inside source static udp 192.168.100.26 14000 interface Dialer1  14000
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14001
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14002
    when I receive traffic through those ports, I see the following in
    show ip nat translations | include 14000
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1041     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1042     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1043      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1044     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:14000    192.168.100.26:14000   ---                   ---
    How can I make this NAT static so that every host originates from port 14000 rather than a dynamic one that is being assigned now?
    Any help is greatly appreciated.
    Aleks

    Perhaps I wasn't clear enough in what I needed it to do. Here's a show ip nat translations for another (working) NAT(d) port on the same router:
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50183  xxx.xxx.xxx.xxx:50183
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50891  xxx.xxx.xxx.xxx:50891
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:60443   xxx.xxx.xxx.xxx:60443
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:2897     xxx.xxx.xxx.xxx:2897
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:51890    xxx.xxx.xxx.xxx:51890
    Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) across all of the connections that have connected. Now this NAT rule behaves as it should, with the same syntax used as for the one I originally posted:
    ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
    the only difference is that this one gets properly assigned to the requested port, whereas these rules
    ip nat inside source static udp 192.168.100.26 14000 interface  Dialer1  14000
    ip nat inside source static udp 192.168.100.26  14001 interface Dialer1  14001
    ip nat inside source static udp  192.168.100.26 14001 interface Dialer1  14002
    have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564     67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000    67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040       192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    Basically how do I get the three rules to behave the same way as the one on top does...
    Thank you,
    Aleks
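
Added example (not part of the original thread): a Python check that compares static port-forward rules with `show ip nat translations` output and reports translations whose inside-global port differs from the configured one, plus any inside local address/port that appears in more than one static rule. The sample input is constructed from lines posted in the thread above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the rules and table lines in the thread.
CONFIG = """\
ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1  14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14002
"""

TRANSLATIONS = """\
udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
udp 64.7.136.227:1039     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
udp 64.7.136.227:1040      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
udp 64.7.136.227:14000    192.168.100.26:14000   ---                   ---
tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50183  xxx.xxx.xxx.xxx:50183
"""

RULE_RE = re.compile(
    r"^ip nat inside source static (tcp|udp)\s+(\S+)\s+(\d+)"
    r"\s+interface\s+(\S+)\s+(\d+)\s*$"
)


def parse_static_rules(config):
    """Map (proto, inside_local_ip, inside_local_port) -> configured global ports."""
    rules = defaultdict(list)
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            proto, ip, local_port, _iface, global_port = m.groups()
            rules[(proto, ip, int(local_port))].append(int(global_port))
    return dict(rules)


def ambiguous_rules(rules):
    """Inside local endpoints that more than one static rule refers to."""
    return {key: ports for key, ports in rules.items() if len(ports) > 1}


def split_endpoint(token):
    """Split 'address:port'; the address part is treated as opaque text."""
    host, _, port = token.rpartition(":")
    return host, int(port)


def parse_translations(text):
    """Parse the five-column table: proto, inside global, inside local, outside local, outside global."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp"):
            continue
        entries.append({
            "proto": fields[0],
            "global": split_endpoint(fields[1]),
            "local": split_endpoint(fields[2]),
            # The static entry itself has '---' in both outside columns.
            "static": fields[3] == "---" and fields[4] == "---",
            "outside": fields[4],
        })
    return entries


def audit(rules, entries):
    """Report flows to a forwarded endpoint that use an unconfigured global port."""
    findings = []
    for e in entries:
        if e["static"]:
            continue
        allowed = rules.get((e["proto"], *e["local"]))
        if allowed is not None and e["global"][1] not in allowed:
            findings.append((e["proto"], e["local"][1], e["global"][1], e["outside"]))
    return findings


def run_sample():
    rules = parse_static_rules(CONFIG)
    return ambiguous_rules(rules), audit(rules, parse_translations(TRANSLATIONS))


if __name__ == "__main__":
    dupes, findings = run_sample()
    for key, ports in dupes.items():
        print("review: %s %s:%d appears in rules for global ports %s" % (*key, ports))
    for proto, lport, gport, outside in findings:
        print("%s local port %d translated to global port %d for %s" % (proto, lport, gport, outside))
```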
