Is MPLS possible on a 1721?

hi all!
Is it possible to use MPLS with a Cisco 1721?
If it is possible, what feature set should I use?
What could an MPLS config look like?
I hope you can help me!
thx
Richard

MPLS is not supported on the 1721.
Go to the Feature Navigator tool at
www.cisco.com/go/fn.
Select "MPLS" as a feature. FN will show you all
supporting platforms, IOS versions and feature sets.
Cheers
Andreas

Similar Messages

  • Xconnect 20Gb Port-channel over MPLS Possible?

    Can anybody confirm if you can establish an Xconnect between two 20Gb port-channels (2x 10Gig bundle).  The core is 40Gig and running MPLS.  We have many gigabit pseudowires running over it already.
    Our intention is to terminate 10Gig server traffic on 4900M's and then have a 20Gb Port channel trunk link into a 6500 (which is part of the MPLS cloud).   We would then issue the xconnect directly on the 20Gig port channel in order to traverse the MPLS Core.
    Has anyone configured this before?  Are there any caveats to watch out for?  What sort of performance hit (if any) does xconnect functionality have on 10Gig traffic?

    Hi,
    Yes it's supported but test it first (as always ;-) )
    HTH
    Laurent.

  • Is it possible to add a firewall between two mpls peers (P-PE)

    Hi, I was wondering if there is a way to introduce a firewall (i.e. a PIX firewall) between two routers that 'speak' MPLS. I know by default it is not possible, but perhaps through tunneling etc.?
    Regards.

    Hi,
    No, it is not possible, at least for today. The packets between the P and PE routers are not IP packets but MPLS packets (the protocol type is different). One exception to that is penultimate hop popping. If PHP is in place and there is no other label stack (e.g. no VPN), the packet is a pure IP packet.
    Also, one of the main ideas of MPLS is that the P router doesn't know anything except label binding information.
    If you want to use a firewall somewhere, use it on the CE side, not between P-PE, P-P or PE-PE.
    Best Regards

  • Is it possible to create l3vpn without enabling mpls in the core and PE routers .

    Hi
    I have the setup below. In it, the PE1, P and PE2 routers do not have MPLS support; they have only MGRE and GRE tunnel support.
    Is it possible to create an l3vpn without MPLS here?
                              bgp session between PE1 and PE2, 
    CE1---------------PE1-----------------P---------------PE2------------CE2 .
    PE1,P,PE2 do not have mpls support .
    Thanks
    Duraipandi

    hi durai,
    you can use the vrf-lite model but this is complex to manage in larger networks.
    for example:
    CE1 ---PE----core(x)---P------PE---CE1
    CE2  --/                                    \----CE2
    in this case, without mpls, I need to create on the core(x) link 2 vrf's with 2 vlans to go to "P".
    and the same on the other PE and link.
    Now if you think that there are more P's with backup paths or more CE's that linkage exponentially increases to define those vlans and in all your P routers is that awareness of every CE route!
    MPLS just simplifies this; single core link, by just using labels. Your P routers only see PE next hops and are opaque to the number of vrf's you carry/service. Adding another P or PE device integrates into the routing naturally and MP BGP takes care of the PE advertisement. So expanding and rerouting are more natural and graceful here too.
    So while technically MPLS can be omitted, it is just not a smart thing to do from a design perspective in l3vpn.
    cheers!
    xander

  • Is it possible to use Cisco 1721 AUX port to dial into MS-RAS?

    Is it possible to use Cisco 1721 AUX port with external modem to dial into Microsoft W2k-RAS server?

    Hello, thanks for the link. The place where I'm stuck is when the async is going through the LCP negotiation. The LCP Confreg sends but I don't get back anything. Cisco documentation states "make sure autoselect PPP or Async mode dedicated are set" but I'm actually dialing into a Microsoft RAS server. Do you know where these settings are?
    *Mar 1 05:38:04.782: As65 PPP: Phase is ESTABLISHING, Active Open
    *Mar 1 05:38:04.782: As65 PPP: No remote authentication for call-out
    *Mar 1 05:38:04.782: As65 LCP: O CONFREQ [Closed] id 43 len 20
    *Mar 1 05:38:04.782: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
    *Mar 1 05:38:04.782: As65 LCP: MagicNumber 0x314EFEBB (0x0506314EFEBB)
    *Mar 1 05:38:04.786: As65 LCP: PFC (0x0702)
    *Mar 1 05:38:04.786: As65 LCP: ACFC (0x0802)
    *Mar 1 05:38:06.782: As65 LCP: TIMEout: State REQsent
    *Mar 1 05:38:06.782: As65 LCP: O CONFREQ [REQsent] id 44 len 20
    *Mar 1 05:38:06.782: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
    *Mar 1 05:38:06.782: As65 LCP: MagicNumber 0x314EFEBB (0x0506314EFEBB)
    *Mar 1 05:38:06.782: As65 LCP: PFC (0x0702)
    *Mar 1 05:38:06.782: As65 LCP: ACFC (0x0802)
    *Mar 1 05:38:08.782: As65 LCP: TIMEout: State REQsent
    *Mar 1 05:38:08.782: As65 LCP: O CONFREQ [REQsent] id 45 len 20
    *Mar 1 05:38:08.782: As65 LCP: ACCM 0x000A0000 (0x0206000A0000)
    *Mar 1 05:38:08.782: As65 LCP: MagicNumber 0x314EFEBB (0x0506314EFEBB)
    *Mar 1 05:38:08.782: As65 LCP: PFC (0x0702)
    *Mar 1 05:38:08.782: As65 LCP: ACFC (0x0802)

  • IS O&G - is it possible to use MPL without activating the ECC- DIMP?

    Hi
    We are in the Oil and Gas industry and have activated IS Oil and Gas in ECC6.0. Our requirement is to use functionality such as the Master Parts List, which is there in ECC-DIMP under configuration control, as MPL is required by some companies within the same group.
    The question is: is it possible to use MPL without activating the ECC-DIMP?
    Request you to please help us to understand.
    Regards

    Hi Venkat,
    If a report is created over a DSO, it pulls data from the active table of a DSO. So as suggested in all the posts above, it is not possible to report on the DSO without activating it.
    Activation of DSO only allows to generate SID's to link transaction data and master data, SID's could also be generated at the time of reporting (when the report fetches data from the BI server, but for the SID generation data is needed in the active table). Also activation checks the correctness of data etc.
    Could you please let us know why you want to report on the inactive request? Is it having some problem with activation?
    Regards,
    Pankaj

  • SLB with MPLS VPN, is it possible ?

    Hi to all, is it possible to configure IOS SLB (on 7200 or 6500 platform) to be able to balance server inside a configured vrf ?
    anyone already tested it ?
    many thanks
    max

    Hi Max,
    the IOS SLB code on the C6k platform is not VRF aware at the moment (can only speak of c6k - never tried c7200). It is 'interface-aware' - which means that you can run IOS SLB on a VRF-lite box where the client and real-server facing interfaces are both in the same VRF.
    However IOS SLB currently does not support incoming packets with MPLS labels since the corresponding TCAM filter only matches on pure IP packets - so no support on PE boxes :-(
    To make it work on a PE we did some nasty workaround:
    Loop back a port on the c6k PE and configure the both ends with different VRFs. Route between them and you have a VRF-lite box 'behind' a PE in the same chassis. Not too straight forward though but works as an interim solution ;-)
    hth
    cheers,
    Stefan

  • Possible to do if/then scenarios?

    I work for a large company that has many sales branches throughout the US (40+). Each branch has a MPLS circuit and a local ISP. We have prioritized data that is sent over the MPLS circuit, and all other data over the ISP, with failover configured for either circuit to fail over to the other one. Right now all of the sales branches' internet traffic (along with all non-priority traffic such as email) comes back thru the ISP (via a VPN tunnel) to our main location, so we can monitor the internet links. We would like to configure the normal internet traffic to go out the ISP directly, but still have the email and so come back via the VPN tunnel. We know how to configure this, however, when we do this we would like to install a PC with some monitoring software on it (Surf Control), that way we can still monitor the internet traffic. We would like to set it up so that if the PC with Surf Control goes down, the router will send traffic back over the VPN tunnel or MPLS circuit. So the basis of what I want to do is:
    If PC Goes Down = False, Send Traffic To PC
    If PC Goes Down = True, Send Data To VPN tunnel or MPLS circuit.
    Is it possible to do such a scenario?
    We do not currently have the budget for a pix or anything like this, so we are trying to figure it out. I have attached a very basic diagram of the basic network configuration that we have. Any suggestions would be appreciated.
    Also we do have a Ciscoworks LMS 2.6 available as well if that would help at all.

    http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00801d862d.html
    good luck,
    Peter

  • ASA 5505 to allow 2nd network segment through mpls

    I have been having a heck of a time trying to configure my 5505 to allow the second segment on my network to use the internet.
    Office 1 has a fiber internet connection, and all traffic flows fine.
    Office 2 had gotten its internet from AT&T, via a network based firewall injecting a default route into the mpls cloud.
    Both offices communicate with each other through the mpls.
    When we added the fiber to office 1, we had the mpls people change the default internet route to the inside address of the 5505 and things worked fine.
    When AT&T attempted to remove the NBF default route, and inject the 5505's address as default, things didn't go so well.
    AT&T claims that it is within my nat commands on the 5505, but won't tell me anything else.  I assume that they are correct, and I assume that I am not good enough with the 5505 ASDM to tell it what to do.
    Office 1 uses 10.10.30.xx addresses and Office 2 uses 10.10.10.xx - the 5505 inside interface is 10.10.30.2 the internal interfaces of the mpls are 10.10.30.1 and 10.10.10.1
    I don't know what other information you would need, but am stuck here at Office 1 until I can get this working.
    Thanks

    Hi,
    Ok, so IF I have not understood anything wrong (which is still possible), it would seem to me that the network mask of the ASA is at least one reason that will cause problems for the WI LAN if they try to use the Internet through the ASA5505 on the PA site.
    This is what I would presume will happen when a host on the WI LAN initiates a connection to the Internet
    WI PC 10.10.10.10 sends a TCP SYN to initiate/open a TCP connection with a Web server on the Internet
    The TCP SYN gets forwarded to the default gateway of the PC which is 10.10.10.1
    The TCP SYN packet traverses the ISP MPLS network all the way to the PA Site
    The PA Site 3900 has a default route probably towards PA ASA 10.10.30.2
    TCP SYN gets forwarded from the PA 3900 to the PA ASA according to the above mentioned default route on the PA 3900
    TCP SYN arrives on the ASA and gets forwarded to the Internet
    TCP SYN,ACK from the Web server arrives on the ASA
    ASA will ARP for the MAC address of the WI PC IP address of 10.10.10.10 because it thinks that the host is directly connected to the ASAs "inside" interface because of the "inside" interfaces large /16 network mask which contains addresses between 10.10.0.0 - 10.10.255.255
    The ARP request sent from the ASA never receives a reply since the WI PC isn't directly connected
    PA ASA will never be able to forward the traffic to the WI PC which is trying to open the connection to the Internet because of the above mentioned problem. Therefore the TCP connection from WI PC never succeeds and times out.
    Now you might ask, why do the connections between the PA and WI LAN work? To my understanding it is because the traffic from the PA hosts gets first forwarded to the PA 3900, and then they have a working route to the WI LAN. The same way the WI LAN has a working route towards the PA LAN since the ASA isn't involved in any way.
    The PA Internet connection naturally works as the 10.10.30.0/24 hosts are directly connected to the ASA so the above mentioned ARP will not fail on their part and traffic is forwarded just fine between the PA LAN and the Internet.
    So to my understanding the solution to this problem would be to change the PA ASA "inside" subnet mask from 255.255.0.0 to 255.255.255.0.
    If you are unsure of this change I would suggest you do it when there is low network use (so you can revert the change). Naturally if you are on the PA LAN then you can probably access the Console connection if something were to go wrong. I can't see any configurations on the PA ASA which would imply that you configure the device remotely through the Internet.
    Hope I made sense and hope this helps
    Naturally ask more if needed
    - Jouni
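The return-path decision described in the answer above, as an added Python example that is not part of the original thread. The function name, the sample PA host 10.10.30.50 and the static route for 10.10.10.0/24 via 10.10.30.1 are assumptions of this example; the thread does not show the ASA's route table.

```python
import ipaddress


def return_path(dst, inside_if, static_routes=()):
    """Decide how a firewall delivers a reply to `dst` out of its inside interface.

    inside_if     -- interface address with mask, e.g. "10.10.30.2/16"
    static_routes -- iterable of (prefix, gateway) strings
    Returns ("arp", ip)      dst is treated as directly connected, so the
                             firewall ARPs for the host itself,
            ("forward", gw)  the packet is handed to a gateway,
            ("no-route", None) otherwise.
    """
    dst_ip = ipaddress.ip_address(dst)
    connected = ipaddress.ip_interface(inside_if).network
    candidates = []
    if dst_ip in connected:
        # Second field breaks ties in favour of the connected route.
        candidates.append((connected.prefixlen, 1, "arp", str(dst_ip)))
    for prefix, gateway in static_routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(gateway) not in connected:
            raise ValueError(f"gateway {gateway} is not on {connected}")
        if dst_ip in net:
            candidates.append((net.prefixlen, 0, "forward", gateway))
    if not candidates:
        return ("no-route", None)
    # Longest prefix wins, as in an ordinary route lookup.
    _, _, action, target = max(candidates)
    return (action, target)


WI_PC = "10.10.10.10"       # host from the thread
PA_PC = "10.10.30.50"       # constructed sample host on the PA LAN
WI_ROUTE = [("10.10.10.0/24", "10.10.30.1")]   # assumed static route


def compare_masks():
    """Behaviour with the /16 mask from the thread and with the proposed /24."""
    return {
        "wi_with_16": return_path(WI_PC, "10.10.30.2/16"),
        "wi_with_24": return_path(WI_PC, "10.10.30.2/24", WI_ROUTE),
        "wi_with_24_no_route": return_path(WI_PC, "10.10.30.2/24"),
        "pa_with_16": return_path(PA_PC, "10.10.30.2/16"),
        "pa_with_24": return_path(PA_PC, "10.10.30.2/24", WI_ROUTE),
    }


if __name__ == "__main__":
    for case, decision in compare_masks().items():
        print(f"{case:22} {decision}")
```

With the /16 mask the WI host is ARPed for on a segment it is not attached to; with /24 the reply is only deliverable if the firewall also has a route for 10.10.10.0/24.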

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am a student of MSc Network Security and as for my project, which is "Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing", I have heard a lot of buzz about VPLS as becoming NGN. I wanted to explore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3. With respect to the MPLS L3 VPN lab setup, that is not a problem, but I am stuck at the VPLS part: how to set that up? I have searched but am unable to find any cost effective means; it is not even possible in the university lab as we don't have the 7600 series.
    I would appreciate any support, guidance, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address two different needs, L3 VPN as opposed to L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE imposes 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo
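An added Python example (not part of the original threads) that serves both the firewall answer and the label-operations answer above: it builds Ethernet frames with an RFC 3032 label stack, applies the impose, swap and pop steps, and shows what a filter that only understands IPv4 frames can read at each hop. Label values, addresses and function names are constructed for this example.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847          # MPLS unicast
MACS = bytes(12)                 # constructed: zeroed destination/source MACs


def ipv4_packet(src, dst):
    """Constructed 20-byte IPv4 header (protocol TCP, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_frame(labels, ip_packet, ttl=64):
    """Serialize a frame; labels[0] is the top of the stack."""
    if not labels:
        return MACS + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet
    stack = b""
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        # Stack entry: label (20 bits) | traffic class (3) | S (1) | TTL (8)
        stack += struct.pack("!I", (label << 12) | (bottom << 8) | ttl)
    return MACS + struct.pack("!H", ETHERTYPE_MPLS) + stack + ip_packet


def parse_frame(frame):
    """Return (labels, ip_packet); labels is empty for a plain IPv4 frame."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        return [], payload
    if ethertype != ETHERTYPE_MPLS:
        raise ValueError(f"unexpected ethertype 0x{ethertype:04x}")
    labels, off = [], 0
    while True:
        if off + 4 > len(payload):
            raise ValueError("label stack truncated before bottom-of-stack bit")
        (entry,) = struct.unpack_from("!I", payload, off)
        off += 4
        labels.append(entry >> 12)
        if entry & 0x100:            # S bit: last entry of the stack
            return labels, payload[off:]


def ingress_pe(ip_packet, transport_label, vpn_label=None):
    """Impose the transport label, plus a VPN label underneath if given."""
    labels = [transport_label] + ([vpn_label] if vpn_label is not None else [])
    return build_frame(labels, ip_packet)


def p_swap(frame, new_label):
    labels, ip_packet = parse_frame(frame)
    if not labels:
        raise ValueError("cannot swap: frame carries no label")
    return build_frame([new_label] + labels[1:], ip_packet)


def pop_top(frame):
    """Penultimate-hop or egress pop of the top label."""
    labels, ip_packet = parse_frame(frame)
    if not labels:
        raise ValueError("cannot pop: frame carries no label")
    return build_frame(labels[1:], ip_packet)


def ip_firewall_view(frame):
    """What an IPv4-only filter can read: (src, dst), or None for MPLS frames."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_packet = frame[14:]
    return (str(ipaddress.IPv4Address(ip_packet[12:16])),
            str(ipaddress.IPv4Address(ip_packet[16:20])))


if __name__ == "__main__":
    pkt = ipv4_packet("10.0.0.1", "10.0.1.1")
    vpn = ingress_pe(pkt, 17, 30)            # two labels, as in an L3 VPN
    for name, f in [("after ingress PE", vpn),
                    ("after P swap", p_swap(vpn, 20)),
                    ("after PHP", pop_top(p_swap(vpn, 20))),
                    ("no VPN, after PHP", pop_top(ingress_pe(pkt, 17)))]:
        print(f"{name:18} labels={parse_frame(f)[0]} fw={ip_firewall_view(f)}")
```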

  • Neighbor send-label - a possible bug in 12.4(24)T4 and newer

    Dear friends,
    I have stumbled across a different behavior of the neighbor send-label in BGP in IOS versions 12.4(24)T4 up to 12.4(24)T6 inclusive, and I wanted to ascertain whether it is a bug or just a new behavior I am not yet aware of.
    Consider the following scenario: Router X, Y and Z are peered in BGP according to the exhibit. Router X is in AS 2, routers Y and Z are in AS 1. X/Y are peered using their physical interface addresses, routers Y/Z are peered using their loopback addresses. Each peering is duly configured with neighbor send-label.
    The BGP configuration on router Y is as follows:
    Y# show run | sec router bgp
    router bgp 1
    bgp log-neighbor-changes
    neighbor 10.1.255.1 remote-as 1
    neighbor 10.1.255.1 update-source Loopback0
    neighbor 192.168.1.2 remote-as 2
    address-family ipv4
      redistribute ospf 1
      neighbor 10.1.255.1 activate
      neighbor 10.1.255.1 send-label
      neighbor 192.168.1.2 activate
      neighbor 192.168.1.2 send-label
      no auto-summary
      no synchronization
    exit-address-family
    Router Y is receiving a set of routes from X, in particular:
    Y# show ip bgp regexp _2
    BGP table version is 22, local router ID is 10.1.255.5
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 10.2.12.0/24     192.168.1.2              4             0 2 ?
    *> 10.2.23.0/24     192.168.1.2              3             0 2 ?
    *> 10.2.34.0/24     192.168.1.2              2             0 2 ?
    *> 10.2.45.0/24     192.168.1.2              0             0 2 ?
    *> 10.2.255.1/32    192.168.1.2              5             0 2 ?
    *> 10.2.255.2/32    192.168.1.2              4             0 2 ?
    *> 10.2.255.3/32    192.168.1.2              3             0 2 ?
    *> 10.2.255.4/32    192.168.1.2              2             0 2 ?
    *> 10.2.255.5/32    192.168.1.2              0             0 2 ?
    The show ip bgp label on router Y, however, produces rather interesting results:
    Y# show ip bgp labels
       Network          Next Hop      In label/Out label
       10.2.12.0/24     192.168.1.2     nolabel/16
       10.2.23.0/24     192.168.1.2     nolabel/17
       10.2.34.0/24     192.168.1.2     nolabel/18
       10.2.45.0/24     192.168.1.2     nolabel/imp-null
       10.2.255.1/32    192.168.1.2     nolabel/19
       10.2.255.2/32    192.168.1.2     nolabel/20
       10.2.255.3/32    192.168.1.2     nolabel/21
       10.2.255.4/32    192.168.1.2     nolabel/22
       10.2.255.5/32    192.168.1.2     nolabel/imp-null
    Note that while the routes are being received with MPLS labels, the router Y does not seem to allocate any local label bindings to these labels although all these routes are being further advertised to router Z via iBGP.
    On router Z, the results are also confusing. First of all, networks received from router Y are still learned with the original next-hop set to 192.168.1.2 instead of 10.1.255.5 (using send-label on router Y should imply next-hop-self):
    Z# show ip route bgp
         10.0.0.0/8 is variably subnetted, 18 subnets, 2 masks
    B       10.2.12.0/24 [200/4] via 192.168.1.2, 00:26:28
    B       10.2.23.0/24 [200/3] via 192.168.1.2, 00:26:28
    B       10.2.45.0/24 [200/0] via 192.168.1.2, 00:26:28
    B       10.2.34.0/24 [200/2] via 192.168.1.2, 00:26:28
    B       10.2.255.5/32 [200/0] via 192.168.1.2, 00:26:28
    B       10.2.255.4/32 [200/2] via 192.168.1.2, 00:26:28
    B       10.2.255.3/32 [200/3] via 192.168.1.2, 00:26:28
    B       10.2.255.2/32 [200/4] via 192.168.1.2, 00:26:28
    B       10.2.255.1/32 [200/5] via 192.168.1.2, 00:26:28
    Verifying the show ip bgp label on router Z shows another interesting behavior: although Y has claimed it has not allocated any labels itself, it has in fact advertised the eBGP routes to Z with the original labels as allocated by X (hence highlighted in the previous and current output):
    Z# show ip bgp labels
       Network          Next Hop      In label/Out label
       10.2.12.0/24     192.168.1.2     nolabel/16
       10.2.23.0/24     192.168.1.2     nolabel/17
       10.2.34.0/24     192.168.1.2     nolabel/18
       10.2.45.0/24     192.168.1.2     nolabel/imp-null
       10.2.255.1/32    192.168.1.2     nolabel/19
       10.2.255.2/32    192.168.1.2     nolabel/20
       10.2.255.3/32    192.168.1.2     nolabel/21
       10.2.255.4/32    192.168.1.2     nolabel/22
       10.2.255.5/32    192.168.1.2     nolabel/imp-null
    An ironic fact is that on router Y, the labels 16-22 are already allocated for different internal networks by LDP. If router Z uses the labels as advertised by router Y, this will cause the packets to be heavily misrouted from router Y to completely different destinations:
    Y# show mpls forwarding-table
    Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
    Label  Label or VC   or Tunnel Id      Switched      interface
    16     Pop Label     192.168.1.2/32    0             Fa0/0      192.168.1.2
    17     Pop Label     10.1.255.4/32     0             Fa0/1      10.1.45.4
    18     20            10.1.255.3/32     0             Fa0/1      10.1.45.4
    19     19            10.1.255.2/32     0             Fa0/1      10.1.45.4
    20     18            10.1.255.1/32     0             Fa0/1      10.1.45.4
    21     16            10.1.12.0/24      0             Fa0/1      10.1.45.4
    22     17            10.1.23.0/24      0             Fa0/1      10.1.45.4
    So, there are two suspicious facts about the behavior of router Y:
    It does not modify the next-hop attribute when advertising the eBGP routes along with MPLS labels via iBGP to another internal BGP neighbor.
    It does not allocate its own local MPLS label bindings, rather it simply re-advertises the labels as allocated by router Z, resulting in label value conflicts and misrepresentations
    An interesting fact is that after adding the command neighbor 10.1.255.1 next-hop-self to the router's Y configuration, the behavior becomes correct again:
    Y(config)# router bgp 1
    Y(config-router)# address-family ipv4
    Y(config-router-af)# neighbor 10.1.255.1 next-hop-self
    Y(config-router-af)# do show ip bgp label
       Network          Next Hop      In label/Out label
       10.2.12.0/24     192.168.1.2     24/16
       10.2.23.0/24     192.168.1.2     25/17
       10.2.34.0/24     192.168.1.2     31/18
       10.2.45.0/24     192.168.1.2     27/imp-null
       10.2.255.1/32    192.168.1.2     26/19
       10.2.255.2/32    192.168.1.2     28/20
       10.2.255.3/32    192.168.1.2     29/21
       10.2.255.4/32    192.168.1.2     30/22
       10.2.255.5/32    192.168.1.2     32/imp-null
    On Z:
    Z# show ip bgp labels
       Network          Next Hop      In label/Out label
       10.2.12.0/24     10.1.255.5      nolabel/24
       10.2.23.0/24     10.1.255.5      nolabel/25
       10.2.34.0/24     10.1.255.5      nolabel/31
       10.2.45.0/24     10.1.255.5      nolabel/27
       10.2.255.1/32    10.1.255.5      nolabel/26
       10.2.255.2/32    10.1.255.5      nolabel/28
       10.2.255.3/32    10.1.255.5      nolabel/29
       10.2.255.4/32    10.1.255.5      nolabel/30
       10.2.255.5/32    10.1.255.5      nolabel/32
    Router Y is a 2811 currently running 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T6. I originally came across this behavior with 12.4(24)T4. I have confirmed that this behavior is not present with ADVENTERPRISEK9-M 12.4(22)T, so if this is a bug, it must have been "added" in some intermediate versions.
    I currently do not have any option of testing newer IOSes from the 15.x series, as the router does not have the inordinate 512MB of RAM necessary for those IOS versions so I apologize for not testing this behavior on the most recent releases.
    Did anyone experience similar behavior? Is this really a bug? Will this be corrected in 12.4T train yet? Thank you for all suggestions!
    Best regards,
    Peter

    Hello Giuseppe,
    Thank you very much for your answer. I am not sure I understand it correctly - please let me reexplain my major point and let me ask you for your kind advice.
    Issue 1:
    All routers are configured with send-label, neither of them is configured with next-hop-self. Router Y receives labeled BGP routes from router X and the show ip bgp labels displays the following table:
    Y# show ip bgp labels
       Network          Next Hop      In label/Out label
       10.2.12.0/24     192.168.1.2     nolabel/16
       10.2.23.0/24     192.168.1.2     nolabel/17
       10.2.34.0/24     192.168.1.2     nolabel/18
       10.2.45.0/24     192.168.1.2     nolabel/imp-null
       10.2.255.1/32    192.168.1.2     nolabel/19
       10.2.255.2/32    192.168.1.2     nolabel/20
       10.2.255.3/32    192.168.1.2     nolabel/21
       10.2.255.4/32    192.168.1.2     nolabel/22
       10.2.255.5/32    192.168.1.2     nolabel/imp-null
    Note that while router Y knows remote bindings for these networks (the "Out label" column), it has not created any local label bindings to these networks (the "In label" column says nolabel to all networks). I can assume that this is done to prevent assigning local labels to BGP routes that may eventually be routed through a different ASBR and possibly misunderstood en route. In other words, the local label binding has a local significance only. If there is no guarantee the packets will go through Y (without the next-hop-self), local label bindings on Y should not be created nor advertised. Am I correct in this line of reasoning?
    Issue 2:
    With the same configuration, router Y has advertised the BGP routes to router Z, however, it has retained the same label bindings it has learned itself - i.e. Y has not created any local bindings itself, it just "forgot" to remove the label bindings when advertising the routes to router Z:
    Z# show ip bgp labels
       Network          Next Hop      In label/Out label
       10.2.12.0/24     192.168.1.2     nolabel/16
       10.2.23.0/24     192.168.1.2     nolabel/17
       10.2.34.0/24     192.168.1.2     nolabel/18
       10.2.45.0/24     192.168.1.2     nolabel/imp-null
       10.2.255.1/32    192.168.1.2     nolabel/19
       10.2.255.2/32    192.168.1.2     nolabel/20
       10.2.255.3/32    192.168.1.2     nolabel/21
       10.2.255.4/32    192.168.1.2     nolabel/22
       10.2.255.5/32    192.168.1.2     nolabel/imp-null
    Note that the outgoing labels on Z are exactly the same as with router Y. This is in my opinion a bug. Take, for example, the route towards 10.2.255.2. The bottom label will be 20, the upper label will be a label towards 192.168.1.2. In my particular topology, the PHP will pop this transport label correctly before the router Y, and Y will receive a packet labeled with label 20. However, on Y, the 20 is not a mapping assigned to the 10.255.255.2, as BGP has not created any local bindings itself, and instead, the label 20 corresponds to a totally different network somewhere inside the cloud between routers Y and Z, as evidenced by the following output on Y:
    Y# show mpls forwarding-table
    Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
    Label  Label or VC   or Tunnel Id      Switched      interface
    16     Pop Label     192.168.1.2/32    0             Fa0/0      192.168.1.2
    17     Pop Label     10.1.255.4/32     0             Fa0/1      10.1.45.4
    18     20            10.1.255.3/32     0             Fa0/1      10.1.45.4
    19     19            10.1.255.2/32     0             Fa0/1      10.1.45.4
    20     18            10.1.255.1/32     0             Fa0/1      10.1.45.4
    21     16            10.1.12.0/24      0             Fa0/1      10.1.45.4
    22     17            10.1.23.0/24      0             Fa0/1      10.1.45.4
    So the mere fact that the BGP on Y did not create local bindings is kind of understandable, however, the fact that it retained the remote label bindings as learned from X and advertised them without change to Z is, in my opinion, a grave bug. What is your opinion on this?
    Thank you very much!
    Best regards,
    Peter
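An added Python check, not part of the original posts: it replays the command output quoted in this thread and, for every prefix, compares the label Z would send with the label Y allocated for that prefix, then looks the label up in Y's forwarding table to see which binding it actually hits. Function names and status strings are assumptions of this example; the table rows are copied from the posts.

```python
import re

# "show ip bgp labels" on Z before next-hop-self (rows copied from the post).
Z_BEFORE = """
   10.2.12.0/24     192.168.1.2     nolabel/16
   10.2.23.0/24     192.168.1.2     nolabel/17
   10.2.34.0/24     192.168.1.2     nolabel/18
   10.2.45.0/24     192.168.1.2     nolabel/imp-null
   10.2.255.1/32    192.168.1.2     nolabel/19
   10.2.255.2/32    192.168.1.2     nolabel/20
   10.2.255.3/32    192.168.1.2     nolabel/21
   10.2.255.4/32    192.168.1.2     nolabel/22
   10.2.255.5/32    192.168.1.2     nolabel/imp-null
"""
Y_BEFORE = Z_BEFORE          # the post shows the same nine rows on Y

# "show mpls forwarding-table" on Y (rows copied from the post).
Y_LFIB = """
16     Pop Label     192.168.1.2/32    0             Fa0/0      192.168.1.2
17     Pop Label     10.1.255.4/32     0             Fa0/1      10.1.45.4
18     20            10.1.255.3/32     0             Fa0/1      10.1.45.4
19     19            10.1.255.2/32     0             Fa0/1      10.1.45.4
20     18            10.1.255.1/32     0             Fa0/1      10.1.45.4
21     16            10.1.12.0/24      0             Fa0/1      10.1.45.4
22     17            10.1.23.0/24      0             Fa0/1      10.1.45.4
"""

# After "neighbor 10.1.255.1 next-hop-self" on Y (rows copied from the post).
Y_AFTER = """
   10.2.12.0/24     192.168.1.2     24/16
   10.2.23.0/24     192.168.1.2     25/17
   10.2.34.0/24     192.168.1.2     31/18
   10.2.45.0/24     192.168.1.2     27/imp-null
   10.2.255.1/32    192.168.1.2     26/19
   10.2.255.2/32    192.168.1.2     28/20
   10.2.255.3/32    192.168.1.2     29/21
   10.2.255.4/32    192.168.1.2     30/22
   10.2.255.5/32    192.168.1.2     32/imp-null
"""
Z_AFTER = """
   10.2.12.0/24     10.1.255.5      nolabel/24
   10.2.23.0/24     10.1.255.5      nolabel/25
   10.2.34.0/24     10.1.255.5      nolabel/31
   10.2.45.0/24     10.1.255.5      nolabel/27
   10.2.255.1/32    10.1.255.5      nolabel/26
   10.2.255.2/32    10.1.255.5      nolabel/28
   10.2.255.3/32    10.1.255.5      nolabel/29
   10.2.255.4/32    10.1.255.5      nolabel/30
   10.2.255.5/32    10.1.255.5      nolabel/32
"""

BGP_ROW = re.compile(r"^\s*(\d+(?:\.\d+){3}/\d+)\s+(\S+)\s+(\S+)/(\S+)\s*$")
LFIB_ROW = re.compile(
    r"^\s*(\d+)\s+(?:Pop Label|\d+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s*$")


def parse_bgp_labels(text):
    """Map prefix -> (next_hop, in_label, out_label); labels stay strings."""
    rows = {}
    for line in text.splitlines():
        m = BGP_ROW.match(line)
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return rows


def parse_lfib(text):
    """Map local label (int) -> prefix it is bound to."""
    return {int(m.group(1)): m.group(2)
            for m in map(LFIB_ROW.match, text.splitlines()) if m}


def audit(z_bgp, y_bgp, y_lfib):
    """Per prefix: (status, label Z sends, prefix that label is bound to on Y)."""
    y_rows, lfib = parse_bgp_labels(y_bgp), parse_lfib(y_lfib)
    result = {}
    for prefix, (_nh, _in, out) in parse_bgp_labels(z_bgp).items():
        y_in = y_rows.get(prefix, (None, "nolabel", None))[1]
        if not out.isdigit():
            result[prefix] = ("unlabeled", None, None)
        elif out == y_in:                      # Y allocated this very label
            result[prefix] = ("ok", int(out), None)
        elif int(out) in lfib:                 # label belongs to another FEC
            result[prefix] = ("collides", int(out), lfib[int(out)])
        else:
            result[prefix] = ("unknown-label", int(out), None)
    return result


if __name__ == "__main__":
    for title, res in [("before", audit(Z_BEFORE, Y_BEFORE, Y_LFIB)),
                       ("after", audit(Z_AFTER, Y_AFTER, Y_LFIB))]:
        for prefix, row in res.items():
            print(title, prefix, row)
```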

  • URGENT: QoS Design on Data Center MPLS - MediaNet Question...

    Hello,
    I am posting this in hopes I can get some guidance from anyone who has done this in the field.  We have a large enterprise customer with 21 sites all around the world, they have Verizon MPLS and are experiencing QoS related issues on their WAN regarding Video/Voice.  We have proposed remediating their network according to the Enterprise QoS SRND 3.3 and the new MediaNet SRND to account for Video and TP QoS ( http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND_40/QoSCampus_40.html )
    Here is the problem/question that was proposed in our presales meeting and I honestly don't know where to look for an answer... I am not asking for anyone to design a solution for me, just merely point me in the right direction:
    The Data Center has a ~40MB MPLS Connection ( full mesh ) into the cloud ( Verizon )
    Site A has a 8MB connection
    Site B has a 4MB connection
    I know on the Service policy and the interfaces at SiteA and SiteB I can assign "Bandwidth xxxx" and use ~95% of the bandwidth to do queuing and shaping/policing etc.  I am not concerned with SiteA and SiteB, that I think I can handle...
    Question was posed from the customer, "How can we ensure at the DataCenter level the 40MB MPLS is "chopped" up so that only 8MB of the total speed goes to SiteA ALONG with an attached QoS policy designed for that specific site, as well as ensure only 4MB goes to SiteB with an attached QoS policy?"
    So I am looking for a way to allocate bandwidth per site on the DC 40MB connection going into the cloud ( so that SiteB cannot use more than 4MB ) and attach a MediaNet specific QoS Service policy to that site.  The customer does not have separate MPLS circuits for each site, they all come into the DC on 40MB shared ethernet connection ( no VC, or dedicated circuits to other sites ).
    Any thoughts on if this is possible? 
    Thanks!
    Alex

    This is an example I have seen and I hope that is useful to you.
    Site A
    Subnet: 172.16.1.0/24
    Site B
    Subnet:172.16.2.0/24
    HeadOffice:
    ip access-list extended Site_A
     permit ip any 172.16.1.0 0.0.0.255
    ip access-list extended Site_B
     permit ip any 172.16.2.0 0.0.0.255
    !
    class-map match-any Site_A
     match access-group name Site_A
    class-map match-any Site_B
     match access-group name Site_B
    !
    ! Sub_Policy is an optional per-site child policy (not shown in the post)
    policy-map To_Spokes
     class Site_A
      shape average 8000000
      service-policy Sub_Policy
     class Site_B
      shape average 4000000
      service-policy Sub_Policy
     class class-default
      shape average 28000000
      service-policy Sub_Policy
    !
    interface G0/0
     description To MPLS cloud
     ! interface bandwidth is given in kbit/s: 40000 = 40 Mbit/s
     bandwidth 40000
     service-policy output To_Spokes
    interface G0/1
     description To HeadOffice
     bandwidth 40000
     service-policy output To_Spokes
    It would be greatly appreciated if someone can correct this or improve it as I am still learning.
    Please see the netflow graph from one of our routers using a similar policy as above.

  • HTTPS certificate problem on MPLS

    Hi everyone,
    We are currently migrating our network from IP to MPLS and we encounter an issue with only one application, which uses a security certificate through HTTPS. All other services are OK such as HTTP, FTP, Mailing, etc.
    Network description :
    The network architecture is composed of 4 core routers (which play the role of P and PE at the same time) and 2 border routers (B1 and B2) linked to the Internet via STM1 - POS interfaces.
    Each border is connected to two core routers (C1 and C2) by GigabitEthernet links.
    Please also note that there is a DPI (Deep Packet Inspector, model Arbor 100) between each border and core.
    Core routers C1,C2, C3 and C4 are connected to each other by GigabitEthernet links.
    B1 and B2 are linked to Internet by STM1 (POS) using eBGP.
    OSPF is used as the infrastructures routing protocol between all equipments.
    (cf the network diagram attached)
    Configuration :
    When migrating to MPLS, we fixed interfaces MTU at 9216 and the MPLS MTU at 1512 on all concerned interfaces from Core to Border routers.
    Below is a sample configuration.
    mpls ip
    mpls label protocol ldp
    mpls ldp router-id loopback0
    interface GigabitEthernet1/1
      mtu 9216
      ip ospf authentication message-digest
      ip ospf message-digest-key 1 md5 XXXXXXXXXXX
      ip ospf network point-to-point
      ip ospf cost 1
      ip ospf hello-interval 1
      mpls mtu 1512
      mpls ip
    Problem:
    The service application uses a server on the local network (linked via a CE router) which sends HTTPS requests and files to a server located on the Internet.
    When MPLS is activated only on the Core-To-Core interfaces (C1, C2, C3 and C4) the application works properly.
    But when MPLS is expanded to the Core-To-Border / Border-To-Core interfaces, this specific application fails, as it appears that the certificate server sees a corrupted frame: some bits have been added to the normal frame. But all other services (HTTP, FTP, everything,)
    Below are the major differences between the Border and Core router connection schemes:
    A DPI device sits between Core and Border.
    GigabitEthernet is used for the Border-To-Core and Core-To-Core links; STM1 (POS) is used for the Border-To-Internet (IP) links.
    The MTU size on the STM1 interface is fixed at 4470; an MTU size of 9216 is assigned to the GE interfaces (Border-To-Core, Core-To-Core).
    Regards.

    Hi,
    Would it be possible to disable the functionality of the DPI (passthrough mode?) and test again?
    MPLS labels or not on the packet should not make a difference wrt HTTPS only (in theory).
    Since you mention corrupted frames, taking a packet capture should show you if this is true or not.
    Thanks,
    Luc

  • L3 MPLS network without P router, all PE to PE plus daisy chaining

    Guys, is it possible to run a core L3 MPLS network over 7600s and 3800s without any P routers? The reason I ask is because of the particular situation where we will have to daisy chain PE routers due to lack of fiber.
    Any thoughts?

    As Martin says, absolutely limited problems with this; it will work a charm UNTIL you run into scaling issues. You are daisy chaining all the PEs, which would also suggest to me that you are daisy chaining your RRs. In an MPLS network the RRs have enough state to handle to keep them busy enough without also having to deal with passing labels about the network. Also you will have any Cisco account team breaking down your door, putting the fear of god into you for not having at least 2 P routers ;-). So yes, you can indeed run it like you say, but the lifetime of your network will be very limited indeed. If you're not an SP then don't be concerned - unless you are an enterprise with 10000000s routes, then I'd start to worry. Oh, they (Cisco) also state that PEs also have enough to do in their life without passing labelled packets about the place. Sit and think about what your poor PE is having to do daily: it could be 100 VRF routing tables, which in turn means layer 3 lookups to find out where the packet has to go, QoS, multicast, BGP, OSPF, RIP, EIGRP, your own internal IGP, TE tunnels, RSVP - this poor router has enough to do without also adding transit traffic. ;-)

  • QoS best practise in MPLS

    Hi, I have a scenario for applying QoS on the entire customer network. It's something like this:
    i. Equipment -> Layer2 SW -> PE VRF -> P
    The equipment's traffic is not marked with anything at all; the equipment gateway would be the PE VRF. I'm thinking of QoS like this in this scenario:
    i. PE ingress: match any based on the VRF and set the DSCP marking from here
    ii. PE egress: match by the DSCP marked @ the ingress interface and perform policing/shaping and then conversion to the MPLS Experimental bit
    iii. P ingress: implement congestion avoidance here. As far as I understand, congestion avoidance is based on DSCP; if I perform DSCP conversion to the EXP bit on the PE egress interface, would the P ingress interface still use the congestion avoidance?
    I'm venturing into the possibilities of how QoS is best implemented in such scenarios, and would appreciate it if you guys with such experience could shed some light and ideas here...
    Thanks and have a nice day
    Thanks and have a nice day

    Can I safely say the approach would be something like this?
    @ the PE
    Router(config)# policy-map policy1
    Router(config-pmap)# class class1
    Router(config-pmap-c)# configure the dscp marking
    Check-in this policy as input under the VRF table, as this is where the traffic would initiate from the equipment
    Router(config)# policy-map policy2
    Router(config-pmap)# class class2
    Router(config-pmap-c)# match the dscp marked @ the input vrf
    Router(config-pmap-c)# set the mpls experimental topmost bit
    Router(config-pmap-c)# policing the traffic based on bandwidth percent or CIR
    Check-in this policy as input @ the PE egress interfaces -> P routers, meaning the PE egress interface will perform the EXP marking based on the DSCP bit and perform the policing here. Would this be an efficient way of doing QoS?
    Then from there onwards, P routers only rely on the EXP bit to adjust the congestion avoidance? But I saw we can use random-detect dscp @ the P routers; is there any congestion avoidance using the EXP bit @ the P routers' end? If we set the EXP bit on the PE egress interface, P routers would not be able to configure congestion avoidance based on the DSCP, right?
    I'm just venturing out to find the easier and cleaner way to configure the QoS so configuration maintenance would be better in the near future.
    Thanks for your suggestion, bro
