MPLS BGP tagging

Similar Messages

• MPLS BGP routes push to DMVPN spokes

  I have an MPLS with BGP. I also have sites that are not connected directly to the MPLS, but have a s2s VPN to hub sites that are connected to the MPLS and that way they access the MPLS resources. I need to communicate the route changes to the MPLS when the DMVPN fails-over to another hub.
  Currently this is my config:
  Datacenter (MPLS only)
  interface GigabitEthernet0/1
  description MPLS
  ip address 192.168.0.34 255.255.255.252
  interface Vlan2
  ip address 192.168.96.2 255.255.255.0
  router bgp 65511
  bgp log-neighbor-changes
  network 192.168.96.0
  neighbor 192.168.0.33 remote-as 65510
  Hub site 1 (MPLS + internet)
  interface Tunnel200
  ip address 10.99.99.1 255.255.255.0
  no ip redirects
  ip mtu 1400
  ip nhrp authentication auth
  ip nhrp map multicast dynamic
  ip nhrp network-id 12345
  ip nhrp holdtime 600
  tunnel source GigabitEthernet0/0
  tunnel mode gre multipoint
  tunnel key 200
  tunnel protection ipsec profile dmvpn
  interface GigabitEthernet0/1
  description MPLS
  ip address 192.168.1.2 255.255.255.0 secondary
  ip address 192.168.0.2 255.255.255.252
  router bgp 65001
  bgp log-neighbor-changes
  network 192.168.1.0
  network 192.168.21.0
  !10.99 clients are DMVPN spokes
  neighbor 10.99.99.3 remote-as 99010
  neighbor 10.99.99.3 route-reflector-client
  neighbor 10.99.99.21 remote-as 99001
  neighbor 10.99.99.21 route-reflector-client
  !as 65000 is the MPLS PE
  neighbor 192.168.0.1 remote-as 65000
  Hub Site 2, has the same configuration, except for local ip address and router BGP ID.
  Spoke site:
  interface Tunnel200
  ip address 10.99.99.3 255.255.255.0
  no ip redirects
  ip mtu 1400
  ip nhrp authentication auth
  ip nhrp map 10.99.99.1 PUBLIC_IP_HUB_1
  ip nhrp map 10.99.99.16 PUBLIC_IP_HUB_2
  ip nhrp network-id 12345
  ip nhrp holdtime 600
  ip nhrp nhs 10.99.99.1 priority 1
  ip nhrp nhs 10.99.99.16 priority 5
  ip nhrp nhs fallback 60
  tunnel source GigabitEthernet0/0
  tunnel mode gre multipoint
  tunnel key 200
  tunnel protection ipsec profile dmvpn
  interface GigabitEthernet0/1
  description Internal
  ip address 192.168.3.1 255.255.255.192
  router bgp 99010
  bgp log-neighbor-changes
  network 192.168.3.0
  neighbor 10.99.99.1 remote-as 65001
  neighbor 10.99.99.16 remote-as 65013
  On this spoke site 
  #sh ip route
  B 192.168.1.0/24 [20/0] via 10.99.99.1, 00:47:01
  which is the HUB network, but the rest of the MPLS routes are not "learned".
  What am I missing?
  Thanks!

  Hi Jon, I've ommited the configuration of the MPLS provider routers in between.  The DC is connected to a router that has the AS 65510.
  DC:CPE---PE:{MPLS}PE---CPE:HUB---{internet}---Spoke
  The DC is ok getting the network information via BGP:
  #sh ip route
  B 192.168.3.0/24 [20/0] via 192.168.0.33, 3d05h
  B 192.168.21.0/24 [20/0] via 192.168.0.33, 3d05h
  #sh ip bgp 192.168.21.0
  BGP routing table entry for 192.168.21.0/24, version 559
  Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  65510 3549 6140 3549 65000
  192.168.0.33 from 192.168.0.33 (###.###.###.###)
  Origin IGP, localpref 100, valid, external, best
  #sh ip route 192.168.21.0
  Routing entry for 192.168.21.0/24
  Known via "bgp 65511", distance 20, metric 0
  Tag 65510, type external
  Last update from 192.168.0.33 3d05h ago
  Routing Descriptor Blocks:
  * 192.168.0.33, from 192.168.0.33, 3d05h ago
  Route metric is 0, traffic share count is 1
  AS Hops 5
  Route tag 65510
  MPLS label: none
  Spoke:
  #sh ip bgp
  BGP table version is 494, local router ID is 192.168.21.1
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
  x best-external, a additional-path, c RIB-compressed,
  Origin codes: i - IGP, e - EGP, ? - incomplete
  RPKI validation codes: V valid, I invalid, N Not found
  Network Next Hop Metric LocPrf Weight Path
  *> 10.0.129.32/27 10.99.99.16 0 65013 65012 3549 ?
  *> 192.168.96.0 10.99.99.16 0 65013 65012 3549 6745 65510 ?
  #sh ip route 192.168.96.0
  Routing entry for 192.168.96.0/24
  Known via "bgp 99001", distance 20, metric 0
  Tag 65013, type external
  Last update from 10.99.99.16 00:02:11 ago
  Routing Descriptor Blocks:
  * 10.99.99.16, from 10.99.99.16, 00:02:11 ago
  Route metric is 0, traffic share count is 1
  AS Hops 5
  Route tag 65013
  MPLS label: none
  #sh ip bgp 192.168.96.0
  BGP routing table entry for 192.168.96.0/24, version 465
  Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 2
  65013 65012 3549 6745 65510
  10.99.99.16 from 10.99.99.16 (10.2.16.1)
  Origin incomplete, localpref 100, valid, external, best
  The route is not being updated to the rest of the routers, and the 192.168.21.0 network is still announced via the old route.
  (from spoke)
  ping 192.168.96.2
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.96.2, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  From DC
  #traceroute 192.168.21.1
  Type escape sequence to abort.
  Tracing the route to 192.168.21.1
  VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.0.33 [AS 65510] 0 msec 0 msec 0 msec
  2 172.50.1.33 [AS 65510] 56 msec 36 msec 36 msec
  3 10.80.1.1 [AS 3549] 44 msec 44 msec 44 msec
  4 10.80.1.2 [AS 3549] 172 msec 172 msec 168 msec
  5 172.50.1.1 [AS 3549] 168 msec 168 msec 172 msec
  6 172.50.1.2 [AS 3549] 180 msec 180 msec 176 msec
  7 192.168.0.2 [AS 65000] 172 msec 172 msec 168 msec <- old route, should be 192.168.0.9
  8 192.168.0.2 [AS 65000] !H * !H

• Design Help with MPLS/BGP and Point to Point VPNs using OSPF as backup

  I need some advice on the configuration I want to implement. Basically we have a MPLS cloud using BGP. We are using OSPF for internal routing. Everything is working fine. Now we want to add a Point to Point VPN using new Cisco ASA's for a backup path at all of our remote locations. We want it to be on standby. I want to use OSPF for this. Miami and LA are datacenters. I want the VPN's to go into both datacenters if possible running OSPF for backups. I have a feeling this will be very tricky. I also wanted to use floating routes. Now I know I get the VPN's up and running using OSPF with no problem. Here are my questions:
  But being that I am using different areas, will OSPF through the VPN work correctly? I have the Cisco PDF on setting this up but it looks like they are using the same, AREA0, in the example.
  Can I get both VPN's to work with no problems? Or will it be too much of a pain?
  What would you guys suggest?
  Thanks.

  We are implementing the same solution, and was only able to make this work using HSRP one router for the MPLS connection and one for the VPN tunnel. I opened a TAC case and the tech couldn't get it to work either. I was able to establish the Lan-2-lan tunnel but triggering the route update was the problem. We ended up pulling our ASA5505's out and putting in 1841 routers.

• MPLS lab test

  hi guyz, i got three 2500 router with MPLS support, and a 2621 with Telco feature IOS. One 3620.....
  4 routers can play MPLS & BGP / VPN ??

  Hi,
  yes this is possible. F.e. CE1(3620) - PE1(2500MPLS) - PE2(2500MPLS) - CE2
  In case you have Serial interfaces use Frame Relay with different, separate PVCs and you can also setup "redundancy" and the like.
  If your 3620 and 2621 IOS supports tag-switching you could use them as PE routers. There is no need for a "P" router to test MPLS VPN.
  Hope this helps! Please rate all posts.
  Regards, Martin

• MPLS LABLE

  Dear Sir,
  I am observing MPLS Outgoing tag is Untagged in all router .
  This is an Provider edge router.There is no issue with Configuration.
  Kindly see the below sh run config and find out what is the exact issue.
  ERROR LOG
  ============
  R2# sh mpls forwarding-table
  Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
  tag    tag or VC   or Tunnel Id      switched   interface
  16     Untagged    10.0.34.0/24      0          Fa0/1      10.0.23.3
           ==========
  17     Untagged    5.5.5.5/32        0          Fa0/1      10.0.23.3
         ==========
  18     Untagged    10.0.45.0/24      0          Fa0/1      10.0.23.3
         ==========
  19     Untagged    1.1.1.1/32[V]     0          Fa0/0      10.1.12.1
          ==========
  R2#
  R2#sh run
  ===========
  Building configuration...
  Current configuration : 1863 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R2
  boot-start-marker
  boot-end-marker
  no aaa new-model
  memory-size iomem 5
  no ip icmp rate-limit unreachable
  ip cef
  ip vrf SITEA
   rd 200:200
   route-target export 200:200
   route-target import 200:200
  no ip domain lookup
  mpls label protocol ldp
  multilink bundle-name authenticated
  archive
   log config
    hidekeys
  ip tcp synwait-time 5
  ip ssh version 1
  interface Loopback0
   ip address 2.2.2.2 255.255.255.255
  interface FastEthernet0/0
   ip vrf forwarding SITEA
   ip address 10.1.12.2 255.255.255.0
   duplex auto
   speed auto
  interface Serial0/0
   no ip address
   shutdown
   clock rate 2000000
  interface FastEthernet0/1
   ip address 10.0.23.2 255.255.255.0
   ip ospf network point-to-point
   duplex auto
   speed auto
   mpls ip
  interface FastEthernet1/0
   no ip address
   shutdown
   duplex auto
   speed auto
  router ospf 1
   log-adjacency-changes
   network 2.2.2.2 0.0.0.0 area 0
   network 10.0.23.0 0.0.0.255 area 0
  router bgp 200
   no bgp default ipv4-unicast
   bgp log-neighbor-changes
   neighbor 5.5.5.5 remote-as 200
   neighbor 5.5.5.5 update-source Loopback0
   address-family vpnv4
    neighbor 5.5.5.5 activate
    neighbor 5.5.5.5 send-community extended
   exit-address-family
   address-family ipv4 vrf SITEA
    neighbor 10.1.12.1 remote-as 100
    neighbor 10.1.12.1 activate
    no synchronization
   exit-address-family
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  no cdp log mismatch duplex
  mpls ldp router-id Loopback0 force
  control-plane
  line con 0
   exec-timeout 0 0
   privilege level 15
   logging synchronous
  line aux 0
   exec-timeout 0 0
   privilege level 15
   logging synchronous
  line vty 0 4
   login
  end
  R2#sh ver
  =============
  Cisco IOS Software, 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Wed 28-Oct-09 19:00 by prod_rel_team
  ROM: ROMMON Emulation Microcode
  ROM: 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)
  R2 uptime is 10 minutes
  System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
  System image file is "tftp://255.255.255.255/unknown"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 2691 (R7000) processor (revision 0.1) with 124928K/6144K bytes of memory.
  Processor board ID XXXXXXXXXXX
  R7000 CPU at 160MHz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
  3 FastEthernet interfaces
  1 Serial(sync/async) interface
  DRAM configuration is 64 bits wide with parity enabled.
  55K bytes of NVRAM.
  1024K bytes of ATA System CompactFlash (Read/Write)
  Configuration register is 0x2102
  R2#sh inventory
  NAME: "2691 chassis", DESCR: "2691 chassis"
  PID:                   , VID: 0.1, SN: XXXXXXXXXXX
  NAME: "WAN Interface Card - Serial (1T) on Slot 0 SubSlot 0", DESCR: "WAN Interface Card - Serial (1T)"
  PID , VID: 2.1, SN: 16777216
  NAME: "One port Fastethernet TX on Slot 1", DESCR: "One port Fastethernet TX"
  PID: NM-1FE-TX=        , VID: 1.0, SN: 7720321
  Logs
  =======
  R2#sh mpls ldp neighbor
  R2#sh mpls ldp neighbor
  R2#sh mpls ldp discovery
   Local LDP Identifier:
      2.2.2.2:0
      Discovery Sources:
      Interfaces:
          FastEthernet0/1 (ldp): xmit/recv
              LDP Id: 3.3.3.3:0; no route
  R2#

  Hi,
  You should be able to view other's post. You can go to different community directory (for different technology deployment).
  You can use the below Video for MPLS L3VPN,
  https://supportforums.cisco.com/video/11928951/ask-experts-webcast-introduction-mpls-vpn 
  In addition, there are various documents as below,
  https://supportforums.cisco.com/community/5891/mpls#quicktabs-community_activity=1
  Hope this helps.
  -Nagendra

• MPLS feature on 2911 Router

  Hi dears,
  I already have a MPLS network built on old Cisco 1841 with 12.4(24)T4 release, now for a new branch we move on new 2911 with 15.1(4)M3
  To configure MPLS tag switching I apply on C1841 configuration like:
  mpls label protocol ldp
  interface Tunnel3
  description tunnel with central
  ip address x.x.x.x 255.255.255.252
  mpls bgp forwarding
  I try to "migrate" these configuration but the commands
  mpls label protocol ldp
  and under IF
  mpls bgp forwarding
  are not available!!
  I search trough the documentation, but it's no clear if the command is unsupported in th 15.1(4)M3 release, in the feauture navigation tools MPLS is supported and also these command are linked from Cisco 15M&T command reference guide (http://www.cisco.com/en/US/products/ps10592/prod_command_reference_list.html)
  I need to activate the feature in some way?
  Could you help me?
  Thanks
  Valerio

  To have that feature is necessary to activate license on DataK9 feauture

• Layer 3 to the Access Layer and MPLS Design Considerations

  Hi,
  We are about to install a new network consisting of Cat 4500s with Sup7E at the Access Layer, with Nexus 7000 at the Distribution and Core layers.
  We have 14 floors with at least three 4500s on each floor. Within the office block where the Access Layer and Distribution Layer reside we need to support secure borderless networking using 802.1x to place users from different parts of the business into segregated networks at layer 3.
  All switches will have the feature sets to support MPLS/ VRF / OSPF / EIGRP / BGP etc.
  We quickly dismissed the idea of using VRF-Lite due to the sheer number of Vlans we would need to managage and maintain,  the point to point links alone just to get one additional VRF on each floor required far too many Vlans.
  As a result we are now considering deploying MPLS. The obvious benefits include scalability and manageability, the fact that all switch to switch links can now be routed, instead of having to using SVIs.
  My query is one of design surrounding MPLS and how this maps to an enterprise network with a routed access layer. Do Cat 4500s become the CEs and take part in MPLS / BGP and Label Distribution, or does the BGP peering and Label Distribution only occur between the Distrubtion - Core - Distrubtion layers, mapping to the PE - P - PE topology in an ISP environment, the access layer simply uses the IGP (OSPF in this case) to learn routes ?
  Any help would be greatly appreciated.
  Chris.

  Hi Andy,
  Thanks for your response.
  I have been doing a little bit more research it seems the Cat 4500s do not support MPLS!! Nor do Cisco have any plans to support it on this platform. I find this a little rediculous considering the level that Cisco are pitching this platform. With the Sup 7E only VRF Lite is supported, with plans to support EVN (which still uses trunk links for logical separation).
  So it looks like we are going to have to go back to the drawing board.
  (perhaps we should have gone HP or Juniper!)
  Chris.

• NX-OS vrf bgp local-as interaction with L3vpn

  I use standard MPLS BGP-L3vpn to forward traffic between VRFs on Nexus 7k routers.  All of my VRFs are within the same BGP process, so have the same local-as.
  I'd like to bring-up an eBGP session from one VRF to a carrier, but the carriers requires that they peer with a specific BGP ASN (call it "65432").  It doesn't look like NX-OS supports the "router bgp 1234, vrf VRF1 neighbor w.x.y.z local-as 65432" command.  However, it does appear to support "router bgp 1234, vrf VRF1, local-as 65432".  
  My limited understanding is that this would prepend "65432" onto all routes advertised to all VRF1 neighbors?  And that all neighbors defined under VRF1 on this router would learn routes from me with as-path "^65432 1234 ..."?
  If so, would this have any affect on routes exchanged with other VRFs using import/export rd? 

  It's tricky given that BGP's AD is always going to beat out EIGRP's all other things being equal. Most of the things you can do with BGP route-maps involve making one BGP route preferred over another.
  You could inject the preferred path as a static route (AD = 1) to the firewall using an ip sla operation and having the static route track that. Once the ip sla operation fails, the static route is withdrawn and then the BGP-learned route (AD = 20) will take precedence.

• In ASR901 can you tag MSTP BPDU's

  I have an ASR901 ring, dual homed to 2 ME3800's with a management VPLS connection between the 3800's.  Running MPLS on all interfaces of the ring.  Would like to use a VRF for in-band management of the 901's.  These devices will be located at customer premises.  I am using SVI's for MPLS interfaces and SVI's for in-band Management interfaces on the ring.  Untagged encaps for MPLS and Tagged (vlan 2) for Management.   In the 3800's, I have a VPLS to bring the traffic back to the Management router.  So basically, in-band management uses a Layer 2 vlan switching on the ring, with vlan interfaces attached to a VRF.  Customer traffic uses MPLS cross-connects.
  Problem is the need for MSTP so management can be dual homed to both 3800's and Layer 2 Protocol forwarding over the VPLS in order for STP to work properly.
  This doesn't work because the management traffic is tagged VLAN 2 and the BPDU's are untagged, therefore they are getting dropped at the service instance ingress to the 3800's (encap dot1q 2).  Is there a way to tag MTSP BPDU's to make this work?  MSTP is the only STP option on the ASR901.
  Or is there a way to add a management interface to an EFP cross-connect?  Or some other way to dual home the in-band management while using a VRF for management?  Note ASR901 doesn't support VPLS.

  Thanks for the link but unfortunately it didn't help.  Although I did follow the instructions on the link but without success, I noticed that the link spoke of the iPod nano (5th generation).   I'm wondering if the tagging feature isn't available for the iphone 4s.  I bet it is but something just isnt right. 

• 7600 platform for MPLS based L2 and L3 services

  Hi,
  We are planning to deploy 7600s (testing to be done) for L2 and L3 services. Has anyone out there found some issues with both the layers functioning in unison on the same.
  Thanks
  Cheers,
  ~sultan

  Hello Charles,
  Thanks for you reply, actually I wanted to know more specific details, like IOS and modules being used by others, which you have stated.
  I am planning to go for SIP-200 and SIP-400 with STM-1 POS, 2xGIG and FE8 modules.
  Services would be EoMPLS, including VPLS and MPLS/BGP IP VPNs.
  Thanks
  Cheers
  ~sultan

• SXH + MPLS + EBGP

  Hi!
  My company has Cisco 6506 with SUP720-3BXL.
  I'm trying to kill two birds with one stone
  2 BGP Full View + MPLS VPN in one box.
  I have a problem with more than 250k labels in LFIB.
  Seems it creates a new label for each prefix recived from BGP.
  How it can be turned off ?
  IOS 12.2 SXH adv ent services.
  L3 Forwarding Resources
  FIB TCAM usage: Total Used %Used
  72 bits (IPv4, MPLS, EoM) 524288 459356 88%
  144 bits (IP mcast, IPv6) 262144 7 1%
  detail: Protocol Used %Used
  IPv4 243728 46%
  MPLS 215627 41%
  #sh mpls ip binding summary
  Total number of prefixes: 211
  Generic label bindings
  assigned learned
  prefixes in labels out labels
  211 210 416
  Total tib route info allocated: 194
  bbn-ms-gw#debug bgp ipv4 unicast mpls
  BGP MPLS labels debugging is on
  2w0d: BGP: adding MPLS label to 202.52.15.0/24 sending labels not enabled
  2w0d: BGP: adding MPLS label to 202.52.12.0/24 sending labels not enabled
  Why it added MPLS label to prefix?
  Noone told it to do that.

  Pavel,
  Are the full Internet feeds in VRFs.
  If so, IOS allocates one label per VRF prefix. you can use the following command to force IOS to allocate only 1 label per VRF:
  mpls label mode { vrf | all-vrfs }protocol bgp_vpnv4 per-vrf
  BTW, this is a hidden command.
  Hope this helps,

• VPN tag not generated

  Hello group,
  Recenlty I'm having some problem in my production PE routers. At times, the PE is not generating any MPLS VPN tag. When this happens, a syslog comes saying:
  "Jun 30 10:16:16.169: %TFIB-4-FIBCBLK: Missing MPLS Forwarding Information Base table for tableid 65535 during Route Tag Change event"
  On the PE, 'show ip cef vrf xxx prefix' does not show any local tag [attached].
  So, on the upstream PE no MPLS-VPN tag is there except for the top most label for downstream PE.
  To resolve this probelm, I enable and disable cef on the VPN interface by 'no ip cef/ ip cef' command. Then it works fine.
  The IOS version is: c3745-js-mz.122-15.T14
  Might be, someone in the group find any reason to this type of problem.
  Regards,
  Dabraj Sarkar
  Grameenphone Ltd

  Dear Gautam,
  Thanks for the response. Could you please explain non-recursive route in this context? I'm running static routing between PE-CE. Does non-recursive route mean that to configure exit interface along with next hop IP in the static route definition?
  I'm trying to change the IOS. Any suggestion regarding stable S-train codes?
  Regards,
  Dabraj

• Can not enable tag-switching on the router

  Good day for all,
  i have 7206 g1 router with 7200 Software (C7200-JK9S-M), Version 12.3(4)T4 (enterprise)
  and i can not enable mpls.
  Router(config)#int gigabitEthernet 0/2.102
  Router(config-subif)#mpls ip
  % Tag switching not supported on interface GigabitEthernet0/2.102
  this error on all interfaces
  what is the problem? (cef enable)
  Thank You

  I have 2 identical 7206VXR, same IOS, same PAs
  And one of em allows tag-switching on FasteEthernet 0/0.30 (dot1q), other - doesnt :(
  --- rtr 1 ----
  Cisco Internetwork Operating System Software
  IOS (tm) 7200 Software (C7200-P-M), Version 12.2(18)S5, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2004 by cisco Systems, Inc.
  Compiled Sat 08-May-04 10:43 by nmasa
  Image text-base: 0x60008FE0, data-base: 0x6151E000
  ROM: System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE
  BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(18)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
  TV3 uptime is 3 weeks, 14 hours, 28 minutes
  System returned to ROM by reload at 23:02:24 EEST Thu Aug 12 2004
  System image file is "slot0:c7200-p-mz.122-18.S5.bin"
  Last reload reason: Reload command
  cisco 7206VXR (NPE300) processor (revision D) with 229376K/65536K bytes of memory.
  Processor board ID 21265679
  R7000 CPU at 262Mhz, Implementation 39, Rev 2.1, 256KB L2 Cache
  6 slot VXR midplane, Version 2.0
  Last reset from power-on
  Channelized E1, Version 1.0.
  X.25 software, Version 3.0.0.
  Bridging software.
  Primary Rate ISDN software, Version 1.1.
  PCI bus mb0_mb1 has 200 bandwidth points
  PCI bus mb2 has 0 bandwidth points
  1 FastEthernet/IEEE 802.3 interface(s)
  53 Serial network interface(s)
  48 Channelized E1/PRI port(s)
  125K bytes of non-volatile configuration memory.
  20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
  4096K bytes of Flash internal SIMM (Sector size 256K).
  Configuration register is 0x2112
  --- rtr 2 ---
  Cisco Internetwork Operating System Software
  IOS (tm) 7200 Software (C7200-P-M), Version 12.2(18)S5, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2004 by cisco Systems, Inc.
  Compiled Sat 08-May-04 10:43 by nmasa
  Image text-base: 0x60008FE0, data-base: 0x6151E000
  ROM: System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE
  BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(9)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
  TV1 uptime is 3 weeks, 14 hours, 39 minutes
  System returned to ROM by reload at 22:51:22 EEST Thu Aug 12 2004
  System restarted at 22:53:54 EEST Thu Aug 12 2004
  System image file is "slot0:c7200-p-mz.122-18.S5.bin"
  Last reload reason: Reload command
  cisco 7206VXR (NPE300) processor (revision D) with 229376K/65536K bytes of memory.
  Processor board ID 18285647
  R7000 CPU at 262Mhz, Implementation 39, Rev 1.0, 256KB L2 Cache
  6 slot VXR midplane, Version 2.0
  Last reset from power-on
  Channelized E1, Version 1.0.
  X.25 software, Version 3.0.0.
  Bridging software.
  Primary Rate ISDN software, Version 1.1.
  PCI bus mb0_mb1 has 200 bandwidth points
  PCI bus mb2 has 0 bandwidth points
  1 FastEthernet/IEEE 802.3 interface(s)
  68 Serial network interface(s)
  48 Channelized E1/PRI port(s)
  125K bytes of non-volatile configuration memory.
  20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
  4096K bytes of Flash internal SIMM (Sector size 256K).
  Configuration register is 0x102
  TV3(config)#in fas 0/0.30
  TV3(config-subif)#tag ip
  % Tag switching not supported on interface FastEthernet0/0.30

• L2 tunnel between me3600x and 3925

  Hello,
  We are currently trying to configure a l2tunnel between a ME3600X (running 15.3(3)S3 with the AdvancedMetroIPAccess licence) and a 3925 (running 15.0(1)M2 with the datak9 licence).
  We are part of a CsC architecture, playing the role of the customer carrier, using BGP for label distribution between the Backbone carrier and the Customer carrier.
  Our architecture is quite flat as the CE and PE roles are on the same routers.
  we have the view on the following architecture and can configure the R1, RCV1, RCV2 and R2 routers :
  R1 --- RCV1---(Backbone Carrier)---RCV2--- R2
  We have 3 sites  A,B and C but only 2 dark fibers to connect them.
  We are using the CsC to build a L2 tunnel and close the triangle :
      A-ME=tun=3925-B
       df                    df
                 C
  For year were using a 2911 and a 3900 to build the tunnel and it was good. The tunnel was build with an xconnect l2tpv3.
  we replaced our 2911 for a ME3600X few weeks ago following the advice of our backbone CsC contact, and we are now facing the following problem :
  the configuration we used is not working any more : we can build the tunnel but the spanning tree BDPU are not passing through (We use rstp for spanning-tree protocol).
  3925 : ______________
  pseudowire-class backup-sro-ypa
   encapsulation l2tpv3
   ip local interface GigabitEthernet0/0/0.777
  interface GigabitEthernet0/1
   description interface connecting site B
   no ip address
   duplex auto
   speed auto
   no keepalive
   no cdp enable
   xconnect 10.193.32.50 5 pw-class backup-sro-ypa
  interface GigabitEthernet0/0/0.777
   description interface facing the CsC
   encapsulation dot1Q 777
   ip address 10.193.32.42 255.255.255.252
   mpls bgp forwarding
  ME3600 : ______________
  pseudowire-class backup-ypa-sro
   encapsulation l2tpv3
   sequencing both
   ip local interface Vlan777
  interface GigabitEthernet0/1
   description interface facing the CsC
   switchport trunk allowed vlan none
   switchport mode trunk
   mtu 1512
   service instance 777 ethernet
    description *** Transport vers to CsC***
    encapsulation dot1q 777
    rewrite ingress tag pop 1 symmetric
    l2protocol tunnel
    bridge-domain 777
  interface GigabitEthernet0/2
   description interface connecting site A
   no switchport
   no ip address
   xconnect 10.193.32.42 5 encapsulation l2tpv3 pw-class backup-ypa-sro
  interface Vlan777
   description vers RCV
   dampening
   mtu 1512
   ip address 10.193.32.50 255.255.255.252
   no ip unreachables
   mpls bgp forwarding
  As we have no experience with the ME3600X and their EVC and service instance concepts we have a hard time figuring out what solution to use :
  - According to this post l2tpv3 is not supported on the ME3600X : https://supportforums.cisco.com/discussion/11919131/configuring-pseudowire-between-3800-router-and-me3600x
  - According to this one it seems possible to interoperate a tunnel between a 2911 and a Me3600 : https://supportforums.cisco.com/discussion/11848451/eompls-and-layer-2-tunneling
  Our need is slightly different though, as we are trying to pass a dot1Q trunk in the tunnel.
  We tried to switch to encapsulation mpls, with no luck so far...
  Any help or feedback would be greatly appreciated.
  Best Regards,
  Jérôme Schlumberger

  News from the lab...
  I decided to start again my config from scratch :
  On the ME3600X___________ :
  pseudowire-class backup-ypa-sro
   encapsulation l2tpv3
   ip local interface Vlan777
   sequencing both 
  interface GigabitEthernet0/2
   description *** Backup L2 VLans Internes avec RSROHES1 ***
   no switchport
   no ip address
   no keepalive
   no cdp enable
   xconnect 10.193.32.42 5 pw-class backup-ypa-sro
  On the 3900___________
  pseudowire-class backup-sro-ypa
   encapsulation l2tpv3
   ip local interface GigabitEthernet0/0/0.777
   sequencing both
  interface GigabitEthernet0/1
   description Tunnel_BB_HEIGVD
   no ip address
   duplex auto
   speed auto
   no keepalive
   no cdp enable
   xconnect 10.193.32.50 5 pw-class backup-sro-ypa
   -> The "sequencing both" is mandatory to get the tunnel UP.
  -> I configured l3 interfaces on the devices facing the ends of the tunnel and I can't ping them. Looking a little bit more carefully, I noticed that the arp table does not fill on the 3900, but it does on the 3600. I guessed that's a limitation on the 3600, but still not sure.
  I then tried to switch to mpls encapsulation with the following configuration :
  On the ME3600X_____________________________
  pseudowire-class backup-ypa-sro
   encapsulation mpls
  interface GigabitEthernet0/2
   description *** Backup L2 VLans Internes avec RSROHES1 ***
   no switchport
   no ip address
   no cdp enable
   xconnect 10.193.32.42 5  pw-class backup-ypa-sro
  On the 3900___________
  pseudowire-class backup-sro-ypa
   encapsulation mpls
  interface GigabitEthernet0/1
   description Tunnel_BB_HEIGVD
   no ip address
   duplex auto
   speed auto
   no keepalive
   no cdp enable
   xconnect 10.193.32.50 5 pw-class backup-sro-ypa
  This time, impossible to get the tunnel UP :
  sh xconnect all detail :
  XC ST  Segment 1                         S1 Segment 2                         S2
  ------+---------------------------------+--+---------------------------------+--
  DN     ac   Gi0/1(Ethernet)              UP mpls 10.193.32.50:5               DN
              Interworking: none                   Local VC label 147             
                                                   Remote VC label unassigned     
                                                   pw-class: backup-sro-ypa      
  Actually, as I am in a CsC architecture using BGB for label distribution with the CsC core, there is not ldp neighbor, and it seems to be the reason why I can't get the tunnel UP.
  I am now trying to avoid ldp for the signaling of the tunnel using AToM Static Pseudowire Provisioning but I am to much of a newbie for that. I get a  "Incomplete AToM manual config" when configuring the xconnect on the me3600...
  Here is my config on the ME3600x so far :
  pseudowire-class backup-ypa-sro
   encapsulation mpls
   protocol none
  interface GigabitEthernet0/2
   description *** Backup L2 VLans Internes avec RSROHES1 ***
   no switchport
   no ip address
   no cdp enable
   xconnect 10.193.32.42 5 encapsulation mpls manual pw-class backup-ypa-sro
    ! Incomplete AToM manual config
  Funny, I tried to configure
  RYPRC01(config-if-xconn)#mpls label 0 1048500
  on the xconnect sub config section of the interface, but it won't appear in the config...
  I am really stuck, and any help would really be appreciated.
  Best Regards,
  Jérôme Schlumberger

• VRF-Lite with 6500 w/ Sup720

  I am working with a customer who would like to utilize path isolation in their network using VRF-Lite. I am currently debating between the use of GRE tunnels vs. VLANs between 3 core switches they currently have in place today. This is going to be overlay network on top of what they currently have. The core is all L2 today with 802.1q trunks between each of 3 cores in a ring topology. Closets are single homed into the core throughout.
  My question is regarding GRE vs. VLANs. Currently, we are looking at having to deploy 12 VRFs to support 12 seperate network types they would like to isolate. The Access layer switches will trunk to the cores where the core will apply VRFs to specific VLANs based on their role.
  Which is going to be a more scalable solution from a performance and adminstration standpoint. GRE, VLANs, or MPLS?
  Currently the GRE implementation is going to require that we configure many loopbacks and tunnels on each core in order to get the VRFs talking to each other in each core. The VLAN approach will require 24 VLANs per core (assuming we would go with PTP vs Multipoint for routing inside the VRF).
  Any thoughts on which way to proceed? From what i have read GRE is more appropriate when you have multiple hops between VRF tables, which in this case we do not. I am just concerned with loopbacks,tunnels, and then routing on top of that the GRE solution will lack scalability as they add more VRFs. A PTP VLAN will pose a similar problem without the need for loopbacks which should simplify the solution.
  Can we use MPLS here and just do PE to PE MPLS and still get the VRF segmentation we need between cores?
  I would like eventually migrate the entire core to L3 completely but today we are stuck with having to support legacy networks (DEC/LAT/SNA) and have to keep some L2 in place.
  Whats the best approach here?

  Shine,
  I actually ended up with basically the same design you are talking about here except that I ended up adding a couple 6500 +FWSM and NAC L3/L2 CAM/CAS into the mix.
  Here is the high level overview
  1. Every Closet had a minimum of 6 VLANs - unique to the stack or closet switch - Subnets were created for each VLAN as well - no spanning of L2 VLANs across switch stacks.
  2. VLANs were assigned for - Voice, Data, LWAPP VLAN, Guest/Unauthorized, Switch/Device Management, and at least 1 special purpose VLAN - (Lab, Building Controls, Security, etc).
  3. Then we trunked all the VLANs back to 1 of 3 cores - 6509s with Sup-720s
  4. Each Core 6509 was configured for each L2 VLAN with a L3 SVI (The VLANs configured here were not configured on any other cores - we didn't have available fiber runs to do any type of redundant pathing across multiple cores so it wasn't valid in this design to configure VLAN SVIs on more than one core).
  5. Each L3 SVI was assigned to the appropriate VRF based on use - Voice, Data, LWAPP, etc
  6. Spanning-Tree Roots for all VLANs trunked to a core were specific to that core - they did not trunk between Cores - no loops
  7. Each Core was connected via a L2 Trunk that carried Point to Point VLANs for VRFs traffic - We had an EIGRP AS assigned to each VRF on the link - so we had 6 VRFs and 6 EIGRP AS per trunk.
  8. This design occurred on each core x2 as it connected to the other cores in a triangle core fashion.
  9. Each of the Cores had a trunk to to 6500 with a FWSM configured - VRF/L3 PTP VLAN design continued here as well
  10. The 6500+FWSM was configured with multiple SVIs and VRFs - we had to issue mult-vlan mode on the FWSM to get it to work.
  11. Layer 2 NAC was configured with VLAN translation coming into the Core 6500/FWSM for Wireless in L2 InBand Mode - the L3 SVIs were configured on the clean side of the NAC CAM so traffic was pulled through the CAM from from the dirty side - where the controller mapped host SSIDs to appropriate VLANs. We only had to configure a couple host VLANs here - Guest and Private so this was not much of an issue - Private was NAC enabled, Guest VLAN/SVI was mapped to a DMZ on the firewall
  12. For Layer 3 NAC we justed used an out of band CAM configurations with ACLs on the Unauthorized VLAN
  It worked like a charm.
  If I had to do it all over again I would go with MPLS/BGP for more scalability. Configuring trunks between the cores and then having the mulitple EIGRP AS/PTP VLANs works well in networks this small but it doesn't scale indefinately. It sounds like your network is quite large. I would look into MPLS between a set of at least 3-4 Core PE/CE devices. Do you plan on building a pure MPLS core for tagged switched traffic only? Is your campus and link make up significant enough to benefit from such a flexible design?