MPLS network design questions

We have 230 remote sites in our company, and we are changing all of our circuits to MPLS. I am wondering if I need to get a high-end router in our data center; currently we have a 3925. Also, what is the best routing protocol to use in this kind of network, EIGRP or OSPF? The MPLS will be hosted by the service provider.

I have found that the provider typically wants to know exactly what routes you will be advertising when using EIGRP or OSPF. This is something they will have to configure on their network to allow. For example, EIGRP routes flow from Site A to Site B, and you have a new subnet to use for an application. You put the proper network statements in EIGRP and are not learning the routes on the other side. You would then have to fill out a form or call a support number to get your new network to the other side.
With BGP there is much more control over what you advertise when adding networks. With 230 sites you will feel the benefit quickly if you start growing and adding subnets in data centers or additional sites.
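As an added example for this page (not a config from the thread), the kind of eBGP CE configuration that gives you that control: the data-centre router advertises only its own summary to the provider, filters what it accepts back, and protects the session itself. The AS numbers, the PE address 192.0.2.1, the data-centre block 10.10.0.0/16 and the session key are assumptions.

```ios
! Added example, not from the original thread. Assumptions: the data-centre CE
! is in AS 65001, the provider PE is 192.0.2.1 in AS 65000, the data centre
! owns 10.10.0.0/16 and the remote sites are carved out of 10.0.0.0/8.
!
! Only the data-centre summary may leave this router.
ip prefix-list DC-OUT seq 10 permit 10.10.0.0/16
ip prefix-list DC-OUT seq 100 deny 0.0.0.0/0 le 32
!
! From the provider: accept site prefixes, never our own block, never a default.
ip prefix-list FROM-PE seq 5 deny 10.10.0.0/16 le 32
ip prefix-list FROM-PE seq 10 deny 0.0.0.0/0
ip prefix-list FROM-PE seq 20 permit 10.0.0.0/8 ge 16 le 24
ip prefix-list FROM-PE seq 100 deny 0.0.0.0/0 le 32
!
! Anchor the summary so the network statement stays valid even when a single
! data-centre VLAN is down; real more-specific routes still win over Null0.
ip route 10.10.0.0 255.255.0.0 Null0 254
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description MPLS-PE
 ! session key is an assumption; agree the real one with the provider
 neighbor 192.0.2.1 password MPLS-SESSION-KEY-CHANGE-ME
 ! only accept the session from the directly attached PE (TTL 255 check)
 neighbor 192.0.2.1 ttl-security hops 1
 !
 address-family ipv4
  network 10.10.0.0 mask 255.255.0.0
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 prefix-list DC-OUT out
  neighbor 192.0.2.1 prefix-list FROM-PE in
  ! 230 sites leaves plenty of headroom; warn at 80%, tear down and retry above
  neighbor 192.0.2.1 maximum-prefix 1000 80 restart 5
  neighbor 192.0.2.1 soft-reconfiguration inbound
 exit-address-family
```

Adding a subnet inside 10.10.0.0/16 later needs no change anywhere; a new block outside it means one prefix-list entry and one network statement on your side, nothing to file with the provider. Verify with `show ip bgp neighbors 192.0.2.1 advertised-routes` and, because soft reconfiguration is on, `show ip bgp neighbors 192.0.2.1 received-routes`. The password and `ttl-security` are there because the PE-CE session is the one place where a provider-side mistake or an attacker on the access circuit can inject routes into your whole WAN; `maximum-prefix` bounds the damage if a site leaks a full table.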

Similar Messages

  • MPLS network design challenge

    Hi,
    I have a design issue for which I would really like your help.
    In an MPLS network there are two POP gateway routers (G1, G2) peering with various MPLS VPN service providers via back-to-back VRF eBGP peerings in four different ASNs. They in turn all peer via VPNv4 eBGP with the core ASN, which comprises two VPNv4 RRs, and every site in the ASN has two P/PEs per site. Every P/PE peers via VPNv4 iBGP with the VPNv4 RRs. The RRs are not in the forwarding path of the traffic.
    Every site has two CE routers, and each CE router does a VRF-based eBGP peering with the P/PEs.
    The P/PE routers import the two RTs exported by the two POP gateway routers, in turn select the best path and pass it to the CE routers.
    Now it is seen that the P/PEs of all sites are selecting the best path advertised by G1 instead of G2, based on AS path length, since the shortest path is advertised by G1. So until a situation arises where G1 is down, the P/PEs keep forwarding the outbound traffic from the CE to G1, even when the IGP cost adds up high and when there is a direct link failure from the P/PE site to the G1 site.
    It therefore makes sense that if the direct physical link from a P/PE site to the site where G1 is located goes down, the P/PEs should then choose G2 via another path, even when G1 is available.
    Do these sorts of requirements ever come up from customers in SP environments? If so, what are the solutions?
    Thanks in advance
    Kas

    Hi kas,
    This type of requirement does come to providers, and there are a few options which the provider can implement.
    1- Play with local preference along with an import map in the VRF if the requirement is customer specific. I mean, if one customer wants G1 to be the primary exit point and another customer wants G2 as the primary exit, then he can use an import map (which is similar to a route-map):
    ip vrf ABCD
     rd XX
     import map ABCD
     route-target export XX
     route-target import YY
    !
    ! Add a "match extcommunity" clause for G1's RT so that only G1's paths
    ! are raised; any value above the default of 100 makes them preferred.
    route-map ABCD permit 20
     set local-preference 200
    2- Or you can play with the AS-path prepending option if you want to skip selection based on local preference.
    It is in the provider's interest to provide you a solution, as there are options for affecting traffic by using communities.
    Please provide diagram and some config for complete solution.
    Regards
    Mahesh
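    A fuller version of option 1, as an added example rather than Mahesh's own config: a per-customer import map on a P/PE that raises local preference for paths carrying G1's route target and leaves G2's at the default. The RT values 65000:1001 (G1) and 65000:1002 (G2), the RD 65000:10 and the VRF name are assumptions.

```ios
! Added example, not Mahesh's config. Assumptions: the POP gateways export
! RT 65000:1001 (G1) and RT 65000:1002 (G2); this customer's VRF is ABCD
! with RD 65000:10 and wants G1 as its primary exit.
ip extcommunity-list standard RT-G1 permit rt 65000:1001
ip extcommunity-list standard RT-G2 permit rt 65000:1002
!
! Paths tagged with G1's RT win on local preference; G2 keeps the default.
route-map ABCD-IMPORT permit 10
 match extcommunity RT-G1
 set local-preference 200
route-map ABCD-IMPORT permit 20
 match extcommunity RT-G2
 set local-preference 100
! Everything else the VRF imports (the customer's other sites) passes as is;
! without this entry the import map would silently drop them.
route-map ABCD-IMPORT permit 30
!
ip vrf ABCD
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
 route-target import 65000:1001
 route-target import 65000:1002
 import map ABCD-IMPORT
```

    `show ip bgp vpnv4 vrf ABCD` should list the default (or Internet) prefix twice, the G1 path at local preference 200 and marked best. Two checks worth making: the import map can only choose between paths the PE actually receives, so behind a route reflector G1 and G2 must use distinct RDs or the RR reflects only one of them; and because local preference is compared before AS-path length and IGP metric, this pins traffic to G1 for as long as any G1 path exists. That is a different behaviour from the IGP-cost-driven switch Kas asked about, which needs the two paths to tie on local preference and AS-path length so that the decision falls through to the IGP metric to the next hop.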

  • Network Design Questions

    Hello All,
    I am in the process of replacing some of our current Cisco equipment with newer ones, as well as incorporating additional third-party hardware, a SonicWall NSA 5500. I am attaching the preliminary network diagram.
    -The SonicWalls are in Active/Standby mode
    -The Core 1 switch is the primary HSRP gateway as well as the primary STP root for all VLANs.
    -Core switches perform all of the inter-VLAN routing
    -The uplinks FROM the Core switches TOWARDS the WAN-ACCESS-STACK will be port-channels in trunk mode, carrying traffic for VLAN 2 (infrastructure VLAN between Cores, WAN-Access switches and SonicWalls), VLAN 254 (management VLAN, which is the same throughout the entire network), and the native VLAN 999.
    I have a few questions and would appreciate your input on them:
    -I would like to carry the management VLAN all the way to the DMZ-ACCESS-STACK, and ultimately to the small DMZ-PUB switches (located on different floors). What is the best/safest method of doing this? Should I or shouldn't I extend the management VLAN all the way to the DMZ zone? The DMZ zone doesn't use any directly assigned public IP addresses.
    -Should the uplinks FROM the WAN-ACCESS-STACK TOWARDS the SonicWalls be:
                  -each link in access mode (VLAN 2)
                  -each link in trunk mode (VLAN 2, VLAN 254, VLAN 999)
                  -all links combined into one port-channel in access mode (VLAN 2)
                  -all links combined into one port-channel in trunk mode (VLAN 2, 254, 999).
    ** SonicWall does support port-channeling; I have tested it successfully.
    Is this design valid? Any suggestions?
    Thank you for your input in advance.

    Hey Jon, 
    You have a good and valid point about whether the SonicWall interfaces are L3 or L2. Since they are assigned an IP address I assume that they are L3; however, what throws me off is the VLAN ID tag field. I am attaching a screenshot of it.
    Moreover, what I have decided to do is the following:
    1. Created a port-channel in trunk mode from Core 1 towards the WAN-ACCESS-STACK allowing VLANs 2, 254, 999.
    2. Created a port-channel in trunk mode from Core 2 towards the WAN-ACCESS-STACK allowing VLANs 2, 254, 999.
    3. Created one port-channel in access mode for VLAN 2 from the WAN-ACCESS-STACK towards the SonicWalls.
    Everything seems fine except one thing: I can't ping the SonicWall IP address 10.100.2.254, nor any other address on the Internet such as 8.8.8.8, from the WAN-ACCESS-STACK, nor from the ACCESS-LAYER-SW1 switch that is connected directly to the Cores. I have no such problem pinging from the Core.
    To summarize,
    I CAN:
    -from WAN-ACCESS-STACK ping my ip default-gateway (vlan 254) 10.100.254.1
    -from WAN-ACCESS-STACK ping ACCESS-LAYER-SW1 switch (vlan 254) 10.100.254.15
    -from ACCESS-LAYER-SW1 switch ping my ip default-gateway (vlan 254) 10.100.254.1
    -from ACCESS-LAYER-SW1 ping WAN-ACCESS-STACK switch (vlan 254) 10.100.254.20
    -from the CORE switches ping WAN-ACCESS-STACK and ACCESS-LAYER-SW1, along with the SONICWALL LAN IP 10.100.2.254 as well as any address on the Internet such as 8.8.8.8
    I CAN'T:
    -from WAN-ACCESS-STACK ping the SONICWALL LAN IP 10.100.2.254
    -from WAN-ACCESS-STACK ping any Internet address such as 8.8.8.8
    -from ACCESS-LAYER-SW1 ping the SONICWALL LAN IP 10.100.2.254
    -from ACCESS-LAYER-SW1 ping any Internet address such as 8.8.8.8
    When i do the traceroute on the WAN-ACCESS-STACK, the ICMP packets get delivered to the active Core and go nowhere from there. See below:
    WAN-ACCESS-STACK#traceroute 8.8.8.8
    Type escape sequence to abort.
    Tracing the route to 8.8.8.8
    VRF info: (vrf in name/id, vrf out name/id)
      1 10.100.254.2 0 msec 0 msec 10 msec
      2  *  *  *
      3  *  *  *
      4  *  *  *
      5  *  *  *
      6  *  *  *
      7  *  *  *
      8  *  *  *
      9  *  *  *
     10  *  *  *
    When I ping the SonicWall I get the same reply:
    WAN-ACCESS-STACK#traceroute 10.100.2.254
    Type escape sequence to abort.
    Tracing the route to 10.100.2.254
    VRF info: (vrf in name/id, vrf out name/id)
      1 10.100.254.2 10 msec 0 msec 0 msec
      2  *  *  *
      3  *  *  *
      4  *  *
    ACCESS-LAYER-SW1 provides exactly the same output. I am currently confused why the ping works from the Core switches but not from the WAN stack and the access-layer switches. Since the Core is the default gateway, it should route this traffic to the appropriate areas of the network. What do you think? Thank you

  • Wireless authentication network design questions... best practices... etc...

    Working on a wireless deployment for a client... wanted to get updated on what the latest best practices are for enterprise wireless.
    Right now, I've got the corporate SSID integrated with AD authentication on the back end via RADIUS.
    I would like to implement certificates in addition to the user-based authentication so we have some level of dual-factor authentication.
    If a machine is lost, I don't want a certificate to allow an unauthorized user access to a wireless network. I also don't want poorly managed AD credentials (written on a sticky note, for example) opening up the network to an unauthorized user either... Is it possible to do an AND condition, so that both are required to get access to a wireless network?

    There really isn't a true two-factor authentication you can just do with RADIUS, unless it's ISE and you're doing EAP chaining. One way that is a workaround and works with ACS or ISE is to use "Was machine authenticated". This again only works for domain computers. How Microsoft works :) is you have a setting for user or computer... this does not mean user AND computer. So when a Windows machine boots up, it will send its system name first and then the user credentials. System name or machine authentication only happens once, and that is during boot-up. User happens every time there is a full authentication that has to happen.
    Check out these threads and it explains it pretty well.
    https://supportforums.cisco.com/message/3525085#3525085
    https://supportforums.cisco.com/thread/2166573
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered".

  • MPLS design question

    Hi all,
    What is the best solution to extend a node (PE router) over a third-party IP network?
    Here is the scenario: there is a need to extend an MPLS network to a new location, but due to commercial/policy reasons the only available options are a third-party IP network (non-MPLS) and a backhaul wireless link. We are thinking of making the IP network the primary link and the wireless backhaul the backup link.
    Is L2TPv3 the only solution? I want to make use of the wireless backhaul also for some traffic.
    Regards,
    san

    Hi Aasheesh,
    The service provider will only give me L3 connectivity. In this case the LDP session will not establish with my PEs on both ends.
    I tried GRE on my PE with LDP enabled and it seems to take the command, but I have to try this between two PEs, so I am not sure if I can bring the tunnel up and allow the two PEs to exchange LDP. I was just hoping that I could find a doc on it so that I can be sure that it will work. If you know of any doc, that would be great.
    Regards,
    san
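    For the GRE-plus-LDP approach san describes, here is an added example (not from the thread and not san's config) of two PEs running LDP over a GRE tunnel across the third party's network, with the tunnel protected by IPsec and the wireless link held as backup by OSPF cost. All addresses, interface names and the pre-shared key are assumptions.

```ios
! Added example, not san's own config. Assumptions: PE-A reaches the
! third-party network from 203.0.113.1 and PE-B from 203.0.113.2; Loopback0
! (10.255.0.1 / 10.255.0.2) is the LDP router ID; OSPF 1 area 0 is the core
! IGP; the wireless backhaul is GigabitEthernet0/2 on both PEs. Replace the
! pre-shared key before use.
!
! ===== PE-A =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! GRE carries the labelled packets; IPsec keeps the third party from reading
! or injecting into the VPN traffic. MTU leaves room for GRE + ESP + labels.
interface Tunnel0
 description MPLS over third-party IP (primary)
 ip address 10.254.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 10
 mpls ip
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/2
 description wireless backhaul (backup, higher OSPF cost)
 ip address 10.254.0.5 255.255.255.252
 ip ospf cost 100
 mpls ip
!
router ospf 1
 router-id 10.255.0.1
 network 10.254.0.0 0.0.0.255 area 0
 network 10.255.0.1 0.0.0.0 area 0
!
mpls ldp router-id Loopback0 force
!
! ===== PE-B =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
interface Tunnel0
 description MPLS over third-party IP (primary)
 ip address 10.254.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 10
 mpls ip
 tunnel source 203.0.113.2
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/2
 description wireless backhaul (backup, higher OSPF cost)
 ip address 10.254.0.6 255.255.255.252
 ip ospf cost 100
 mpls ip
!
router ospf 1
 router-id 10.255.0.2
 network 10.254.0.0 0.0.0.255 area 0
 network 10.255.0.2 0.0.0.0 area 0
!
mpls ldp router-id Loopback0 force
```

    `show mpls ldp neighbor` should show the peer's LDP ID reached over Tunnel0, and `show crypto ipsec sa` confirms the GRE traffic is being encrypted. Two things to watch: the tunnel endpoints (203.0.113.x) must stay reachable through the third-party network only, never via OSPF over the tunnel itself, or the tunnel flaps with recursive routing; and the `ip mtu` leaves room for GRE, ESP and one or two MPLS labels so that end hosts do not depend on path MTU discovery across someone else's network. Without `tunnel protection` the provider, and anyone on its path, could read or inject into every VPN carried over the tunnel. Steering a particular class of traffic onto the wireless link, as san also wants, is not something OSPF cost does; that would need policy routing or MPLS TE on top of this.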

  • Venturing into MPLS Network

    Hi all, it is just my curiosity that ended up with a small discussion like this. Here's about it...
    My company has a main client which has tons of remote sites connecting to both their HQ and Disaster Recovery Centre. Some of the remote sites are still running on frame relay, while others are purely leased-line. There are a few questions I wish I could clear up, as follows:
    i. When the client has a frame-relay device, what we do is create a tunnel and route all the frame-relay traffic over it. Is there any advantage if we change it over to MPLS?
    ii. Even comparing to leased-line services, what kind of advantages can I expect if our client migrates over to leased-line?
    iii. If one customer is running purely on frame-relay connectivity, will any difficulties arise when they want to switch over to the MPLS network?
    I still don't have any hands-on experience with MPLS, that's why I need to gather some info first. I'm currently glancing through those MPLS guides and configuration examples, but I know that in real-life networks things may differ; in the meantime I'm studying, and hope to gather some valuable opinions. Regards

    Hello,
    Regarding answer iii: What you have to use inside the MPLS cloud is MBGP to route the customer prefixes. In your LAN, however, you will have an IGP like EIGRP. This means you need mutual redistribution between MBGP and your IGP. So a routing loop can occur once you have at least two paths. An example:
    N1-CE1 - PE1 - PE2 - CE2
    with: CE1 - PE1 using RIP, CE2 - PE2 using RIP, PE1 - PE2 using MBGP and an FR PVC between CE1 - CE2 using RIP
    This would be the case when you migrate from FR to MPLS VPN and do not shut down FR the very moment you activate the MPLS links.
    What can happen in this scenario is: CE1 is announcing network N1 through RIP to CE2 directly over the FR PVC and also to PE1. PE1 will redistribute N1 into MBGP, send the prefix to PE2, which will redistribute N1 into RIP and send the update to CE2.
    Now depending on implementation and metrics this will result in all traffic flowing over FR or MPLS (when adjusting metrics). No major problem yet.
    The problem might occur once CE1 loses network N1. It will send an update directly to CE2 and to PE1, and a race condition exists. CE2 will still have one valid path to N1 learned from PE2 and announce this one to CE1, which will announce it to PE1 and then PE2, CE2, CE1 again and so on.
    This is an intermittent or even persistent routing loop, depending on what you have done with the hop count during redistribution.
    By designing your overall routing solution carefully you can avoid this scenario.
    Hope this helps! Please rate all posts.
    Regards, Martin
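    One way to break the loop Martin describes, as an added example (not Martin's config) using route tags on the RIP PE-CE redistribution: the PE stamps everything it hands from MP-BGP into RIP, and refuses to take anything carrying that stamp back into MP-BGP. The AS number, VRF name, interface and tag value are assumptions.

```ios
! Added example, not Martin's config. Assumptions: PE BGP AS 65000, customer
! VRF CUST, RIPv2 towards the CE on GigabitEthernet0/1 (10.1.1.0/30), and
! tag 65000 marks routes that have already crossed the MPLS VPN.
!
interface GigabitEthernet0/1
 ip vrf forwarding CUST
 ip address 10.1.1.1 255.255.255.252
!
! BGP -> RIP: stamp every route that came out of MP-BGP.
route-map BGP-TO-RIP permit 10
 set tag 65000
!
! RIP -> BGP: refuse anything still carrying our tag, i.e. a route that left
! the VPN at some PE, crossed the FR backdoor via the CEs and is coming back.
route-map RIP-TO-BGP deny 10
 match tag 65000
route-map RIP-TO-BGP permit 20
!
router rip
 version 2
 address-family ipv4 vrf CUST
  network 10.0.0.0
  no auto-summary
  ! "metric transparent" carries the original RIP hop count in BGP MED and back
  redistribute bgp 65000 metric transparent route-map BGP-TO-RIP
 exit-address-family
!
router bgp 65000
 address-family ipv4 vrf CUST
  redistribute rip route-map RIP-TO-BGP
 exit-address-family
```

    RIPv2 carries the tag in its updates, so when N1 leaves the VPN at PE2, crosses the FR PVC via CE2 and CE1 and arrives back at PE1, it still carries tag 65000 and is dropped by RIP-TO-BGP; CE1's own directly connected N1 has no tag and is accepted. Apply the same on PE2. `show ip rip database vrf CUST` shows the tags as learned. For EIGRP or BGP as the PE-CE protocol the equivalent mechanism is site-of-origin (`ip vrf sitemap` on the CE-facing interface, or `neighbor ... soo` for BGP), which the PE checks on import.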

  • Ask the Expert: Hierarchical Network Design, Includes Core, Distribution, and Access

    Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about hierarchical network design. 
    Recommending a network topology is required to meet a customer's corporate network design needs in terms of their business and technical goals, and often involves many interrelated components. Hierarchical design makes this easier: "divide and conquer" the job and develop the design in layers.
    Network design experts developed the hierarchical network design model to help develop a topology in discrete layers. Each layer can be focused on specific functions, so that the right systems and features can be selected for that layer.
    A typical hierarchical topology is:
    A core layer of high-end routers and switches that are optimized for availability and performance.
    A distribution layer of routers and switches that implement policies.
    An access layer that connects users via lower-end switches and wireless access points.
    Ahmad Manzoor is a Senior Pre-Sales Engineer at AGCN, Pakistan. He has more than 10 years of experience in first-rate management, commercial and technical skills in the field of data communication and services lifecycle—from solution design through sales pitch, designing RFPs, architecture, and solution—all with the goal toward winning projects (creating win/win situations) of obsolete solutions.  Ahmad also has vast experience in designing end-to-end data centers, from building infrastructure design to data communication and network Infrastructure design. He has worked for several large companies in Pakistan and United Arab Emirates markets; for example, National Engineer, WATEEN Telecom, Emircom, Infotech, Global Solutions, NETS International, Al-Aberah, and AGCN, also known as Getronics, Pakistan.
    Remember to use the rating system to let Ahmad know if he has given you an adequate response. 
    Because of the volume expected during this event, Ahmad might not be able to answer every question. Remember that you can continue the conversation in the  Solutions and Architectures under the sub-community Data Center & Virtualization, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Dear Leo,
    We are discussing the following without reference to any product line, just the concept of hierarchical design, which will help you decide which model is better for you: the two-layer or the three-layer hierarchical model.
    Two-Layer Hierarchy
    In many networks, you need only two layers to fulfill all of the layer functions—core and aggregation.
    Only one zone exists within the core, and many zones are in the aggregation layer. Examine each of the layer functions to see where it occurs in a two-layer design:
    Traffic forwarding—Ideally, all interzone traffic forwarding occurs in the core. Traffic flows from each zone within the aggregation layer up the hierarchy into the network core and then back down the hierarchy into other aggregation zones.
    Aggregation—Aggregation occurs along the core/aggregation layer border, allowing only interzone traffic to pass between the aggregation and core layers. This also provides an edge for traffic engineering services to be deployed along.
    Routing policy—Routing policy is deployed along the edge of the core and the aggregation layers, generally as routes are advertised from the aggregation layer into the core.
    User attachment—User devices and servers are attached to zones within the aggregation layer. This separation of end devices into the aggregation permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, it is best not to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the aggregation layer. You can also place traffic admittance controls at the aggregation points exiting from the aggregation layer into the core of the network, but this is not common.
    You can see, then, how dividing the network into layers enables you to make each layer specialized and to hide information between the layers. For instance, the traffic admittance policy implemented along the edge of the aggregation layer is entirely hidden from the network core.
    You also use the core/aggregation layer edge to hide information about the topology of routing zones from each other, through summarization. Each zone within the aggregation layer should have minimal routing information, possibly just how to make it to the network core through a default route, and no information about the topology of the network core. At the same time, the zones within the aggregation layer should summarize their reachability information into as few routing advertisements as possible at their edge with the core and hide their topology information from the network core.
    Three-Layer Hierarchy
    A three-layer hierarchy divides these same responsibilities through zones in three vertical network layers.
    Traffic Forwarding—As with a two-layer hierarchy, all interzone traffic within a three-layer hierarchy should flow up the hierarchy, through the layers, and back down the hierarchy.
    Aggregation—A three-layer hierarchy has two aggregation points:
    At the edge of the access layer going into the distribution layer
    At the edge of the distribution layer going into the core
    At the edge of the access layer, you aggregate traffic in two places: within each access zone and flowing into the distribution layer. In the same way, you aggregate interzone traffic at the distribution layer and traffic leaving the distribution layer toward the network core. The distribution layer and core are ideal places to deploy traffic engineering within a network.
    Routing policy—The routing policy is deployed within the distribution layer in a three-layer design and along the distribution/core edge. You can also deploy routing policies along the access/distribution edge, particularly route and topology summarization, to hide information from other zones that are attached to the same distribution layer zone.
    User attachment—User devices and servers are attached to zones within the access layer. This separation of end devices into the access layer permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, you do not want to mix transit and destination traffic in the same area of the network.
    Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the access layer. You can also place traffic admittance controls at the aggregation points along the aggregation/core edge.
    As you can see, the concepts that are applied to two- and three-layer designs are similar, but you have more application points in a three-layer design.
    Now the confusion in our minds is where to use the two-layer and where the three-layer hierarchical model.
    So let us discuss how many layers to use in a network design.
    Which network design is better: two layers or three layers? As with almost all things in network design, it all depends. Examine some of the following factors involved in deciding whether to build a two- or three-layer network:
    Network geography—Networks that cover a smaller geographic space, such as a single campus or a small number of interconnected campuses, tend to work well as two-layer designs. Networks spanning large geographic areas, such as a country, continent, or even the entire globe, often work better as three layer designs.
    Network topology depth—Networks with a compressed, or flattened, topology tend to work better as two-layer hierarchies. For instance, service provider networks cover large geographic areas, but reducing the number of hops through the network is critical in providing the services they sell; therefore, they are often built on a two-layer design. Networks with substantial depth in their topologies, however, tend to work better as three-layer designs.
    Network topology design—Highly meshed networks, with many requirements for interzone traffic flows, tend to work better as two-layer designs. Simplifying the hierarchy to two levels tends to focus the design elements into meshier zones. Networks that focus traffic flows on well-placed distributed resources, or centralized resources, such as a network with a large number of remote sites connecting to a number of centralized Data Centers, tend to work better as three-layer designs.
    Policy implementation—If policies of a network tend to focus on traffic engineering, two-layer designs tend to work better. Networks that attempt to limit access to resources attached to the network and other types of policies tend to work better as three-layer designs.
    Again, however, these are simple rules of thumb. No definitive way exists to decide whether a network should have two or three layers. Likewise, you cannot point to a single factor and say, “Because of this, the network we are working on should have three layers instead of two.”
    I hope that this helps you to understand the purposes of Two Layer & Three layer Hierarchical Model.
    Best regards,
    Ahmad Manzoor

  • Influencing BGP attributes within MPLS network

    Please take a look at my question; the diagram is attached in the file. Please help me to fix this problem.
    I have the following requirement about traffic paths within the MPLS network. The MPLS network is running MP-BGP.
    1. Traffic from the Europe branch to the Asia branch goes through the London router.
    2. Traffic from the America branch to the Asia branch goes through the Los Angeles router.
    3. The two paths through London and Los Angeles should have redundancy. That is, if the path through London is not accessible, all the traffic must go through Los Angeles. If the Los Angeles path goes down, all the traffic must go through London.
    4. Traffic from Asia to Europe and America is controlled by redistributing BGP-learned routes with different metrics at the London and Los Angeles routers, so that traffic from the Asia branch to Europe goes through London and traffic from Asia to America goes through Los Angeles.
    I have been using the configs below on the PE routers, but it is not working. In the MPLS network only one path is selected for both traffic from Europe and America. Please can anyone help me to fix this problem.
    ! PE3
    ip vrf CUSTOMER
     rd 1:10
     route-target export 1:20
     route-target import 1:40
     export map EXPORT-ROUTE
     import map IMPORT-ROUTE
    !
    interface FastEthernet0/0
     description LONDON-GW
     ip vrf forwarding CUSTOMER
     ip address 1.1.1.2 255.255.255.252
    !
    router bgp 65400
     address-family ipv4 vrf CUSTOMER
      redistribute connected
      neighbor 1.1.1.1 remote-as 65401
      neighbor 1.1.1.1 activate
      neighbor 1.1.1.1 next-hop-self
      neighbor 1.1.1.1 soft-reconfiguration inbound
      no auto-summary
      no synchronization
     exit-address-family
    !
    ip extcommunity-list 1 permit rt 1:10
    ip extcommunity-list 2 permit rt 1:40
    !
    route-map EXPORT-ROUTE permit 10
     description LONDON-GW
     match extcommunity 1
     set extcomm-list 1 delete
     set extcommunity rt 1:20 additive
    !
    route-map IMPORT-ROUTE permit 10
     description EU & US-BRANCH
     match extcommunity 2
    
    ! PE4
    ip vrf CUSTOMER
     rd 1:10
     route-target export 1:30
     route-target import 1:40
     export map EXPORT-ROUTE
     import map IMPORT-ROUTE
    !
    interface FastEthernet0/0
     description LA-GW
     ip vrf forwarding CUSTOMER
     ip address 2.2.2.2 255.255.255.252
    !
    router bgp 65400
     address-family ipv4 vrf CUSTOMER
      redistribute connected
      neighbor 2.2.2.1 remote-as 65402
      neighbor 2.2.2.1 activate
      neighbor 2.2.2.1 next-hop-self
      neighbor 2.2.2.1 soft-reconfiguration inbound
      no auto-summary
      no synchronization
     exit-address-family
    !
    ip extcommunity-list 1 permit rt 1:10
    ip extcommunity-list 2 permit rt 1:40
    !
    route-map EXPORT-ROUTE permit 10
     description LA-GW
     match extcommunity 1
     set extcomm-list 1 delete
     set extcommunity rt 1:30 additive
    !
    route-map IMPORT-ROUTE permit 10
     description EU & US-BRANCH
     match extcommunity 2
    
    ! PE1
    ip vrf CUSTOMER
     rd 1:10
     route-target export 1:40
     route-target import 1:20
     route-target import 1:30
     export map EXPORT-ROUTE
     import map IMPORT-ROUTE
    !
    interface FastEthernet0/0
     description EU-BRANCH
     ip vrf forwarding CUSTOMER
     ip address 3.3.3.2 255.255.255.252
    !
    router bgp 65400
     address-family ipv4 vrf CUSTOMER
      redistribute connected
      redistribute static
      no auto-summary
      no synchronization
     exit-address-family
    !
    ip route vrf CUSTOMER 172.16.1.0 255.255.255.0 FastEthernet0/0 3.3.3.1 name EU-BRANCH
    !
    ip extcommunity-list 1 permit rt 1:10
    ip extcommunity-list 2 permit rt 1:20
    ip extcommunity-list 3 permit rt 1:30
    !
    route-map EXPORT-ROUTE permit 10
     description EU-BRANCH
     match extcommunity 1
     set extcomm-list 1 delete
     set extcommunity rt 1:40 additive
    !
    route-map IMPORT-ROUTE permit 10
     description LONDON-GW(MAIN)
     match extcommunity 2
     set metric 100
    route-map IMPORT-ROUTE permit 20
     description LA-GW(BACKUP)
     match extcommunity 3
     set metric 200
    route-map IMPORT-ROUTE permit 30
     description OTHER
    
    ! PE2
    ip vrf CUSTOMER
     rd 1:10
     route-target export 1:40
     route-target import 1:20
     route-target import 1:30
     export map EXPORT-ROUTE
     import map IMPORT-ROUTE
    !
    interface FastEthernet0/0
     description US-BRANCH
     ip vrf forwarding CUSTOMER
     ip address 4.4.4.2 255.255.255.252
    !
    router bgp 65400
     address-family ipv4 vrf CUSTOMER
      redistribute connected
      redistribute static
      no auto-summary
      no synchronization
     exit-address-family
    !
    ip route vrf CUSTOMER 192.168.1.0 255.255.255.0 FastEthernet0/0 4.4.4.1 name US-BRANCH
    !
    ip extcommunity-list 1 permit rt 1:10
    ip extcommunity-list 2 permit rt 1:20
    ip extcommunity-list 3 permit rt 1:30
    !
    route-map EXPORT-ROUTE permit 10
     description US-BRANCH
     match extcommunity 1
     set extcomm-list 1 delete
     set extcommunity rt 1:40 additive
    !
    route-map IMPORT-ROUTE permit 10
     description LONDON-GW(BACKUP)
     match extcommunity 2
     set metric 200
    route-map IMPORT-ROUTE permit 20
     description LA-GW(MAIN)
     match extcommunity 3
     set metric 100
    route-map IMPORT-ROUTE permit 30
     description OTHER

    Hi Manoj
    "send-community both" will export both Standard and Extended Communities
    The standard community values which we are setting new on PE3 and PE4 and matching on PE1 and PE2 can be anything in ASN:nn format. I just randomly chose them as 65400:1111 on PE3/PE1 and 65400:2222 on PE4/PE2.
    The extcommunity values to be used on PE3/PE4 will be the export RT values used in the VRF CUSTOMER config as posted in your first post:
    ! PE3
    ip vrf CUSTOMER
     rd 1:10
     route-target export 1:20
     route-target import 1:40
     export map EXPORT-ROUTE
     import map IMPORT-ROUTE
    !
    ! PE4
    ip vrf CUSTOMER
     rd 1:10
     route-target export 1:30
     route-target import 1:40
     export map EXPORT-ROUTE
     import map IMPORT-ROUTE
    I think I mixed up a little with PE3 as PE1 and PE4 as PE2 instead. The revised, corrected config would be:
    On PE3, under VPNv4 we enable sending out the normal community values to the RR. Then we match the extcommunity RT for the VRF CUSTOMER and set the community value to 65400:1111, which will be matched at PE1:
    ! ASN:nn community notation needs this on every PE that sets or matches it
    ip bgp-community new-format
    !
    router bgp 65400
     address-family vpnv4
      neighbor "RR-IP" send-community both
      neighbor "RR-IP" route-map community out
     exit-address-family
    !
    route-map community permit 10
     match extcommunity CUSTOMER
     set community 65400:1111
    route-map community permit 20
    !
    ip extcommunity-list standard CUSTOMER permit rt 1:20
    On PE4, under VPNv4 we enable sending out the normal community values to the RR. Then we match the extcommunity RT for the VRF CUSTOMER and set the community value to 65400:2222, which will be matched at PE2:
    router bgp 65400
     address-family vpnv4
      neighbor "RR-IP" send-community both
      neighbor "RR-IP" route-map community out
     exit-address-family
    !
    route-map community permit 10
     match extcommunity CUSTOMER
     set community 65400:2222
    route-map community permit 20
    !
    ip extcommunity-list standard CUSTOMER permit rt 1:30
    On PE1, under VPNv4 we match the community value 65400:1111 which was set at PE3 and set the LP to 110:
    router bgp 65400
     address-family vpnv4
      neighbor "RR-IP" route-map community in
     exit-address-family
    !
    route-map community permit 10
     match community CUSTOMER
     set local-preference 110
    route-map community permit 20
    !
    ip community-list standard CUSTOMER permit 65400:1111
    On PE2, under VPNv4 we match the community value 65400:2222 which was set at PE4 and set the LP to 110:
    router bgp 65400
     address-family vpnv4
      neighbor "RR-IP" route-map community in
     exit-address-family
    !
    route-map community permit 10
     match community CUSTOMER
     set local-preference 110
    route-map community permit 20
    !
    ip community-list standard CUSTOMER permit 65400:2222
    Make sure that the RR is enabled to propagate the normal BGP communities as well...
    Hope this helps to answer your question. Please let me know for any clarifications.
    Regards
    Varma
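    As an added example (not Varma's config and not Manoj's), the same community-based exit selection written out with one change the thread does not mention and that the symptom points at: PE3 and PE4 both use RD 1:10, so the route reflector holds a single VPNv4 NLRI for each Asia prefix and reflects only its own best path, and PE1 and PE2 never receive a second exit to choose between. Giving the two gateway PEs distinct RDs turns the London and LA paths into distinct NLRIs that the RR carries side by side. The RR address 10.0.0.100, the RD values and the use of Loopback0 are assumptions; the VRF import RTs on PE1 and PE2 stay as in Manoj's config.

```ios
! Added example, not Varma's config. Same PEs, VRF and RTs as the thread;
! the RR address 10.0.0.100, the per-PE RDs and Loopback0 are assumed.
! Distinct RDs on PE3/PE4 make the two gateway paths distinct VPNv4 NLRIs,
! so the RR reflects both instead of only its best one.
!
! ===== PE3 (London gateway) =====
ip bgp-community new-format
ip vrf CUSTOMER
 rd 65400:3
 route-target export 1:20
 route-target import 1:40
!
ip extcommunity-list standard RT-LONDON permit rt 1:20
route-map TAG-EXIT permit 10
 match extcommunity RT-LONDON
 set community 65400:1111 additive
route-map TAG-EXIT permit 20
!
router bgp 65400
 neighbor 10.0.0.100 remote-as 65400
 neighbor 10.0.0.100 update-source Loopback0
 address-family vpnv4
  neighbor 10.0.0.100 activate
  neighbor 10.0.0.100 send-community both
  neighbor 10.0.0.100 route-map TAG-EXIT out
 exit-address-family
!
! ===== PE4 (LA gateway) =====
ip bgp-community new-format
ip vrf CUSTOMER
 rd 65400:4
 route-target export 1:30
 route-target import 1:40
!
ip extcommunity-list standard RT-LA permit rt 1:30
route-map TAG-EXIT permit 10
 match extcommunity RT-LA
 set community 65400:2222 additive
route-map TAG-EXIT permit 20
!
router bgp 65400
 neighbor 10.0.0.100 remote-as 65400
 neighbor 10.0.0.100 update-source Loopback0
 address-family vpnv4
  neighbor 10.0.0.100 activate
  neighbor 10.0.0.100 send-community both
  neighbor 10.0.0.100 route-map TAG-EXIT out
 exit-address-family
!
! ===== PE1 (EU branch): London primary, LA backup =====
ip bgp-community new-format
ip community-list standard VIA-LONDON permit 65400:1111
route-map PICK-EXIT permit 10
 match community VIA-LONDON
 set local-preference 200
route-map PICK-EXIT permit 20
!
router bgp 65400
 neighbor 10.0.0.100 remote-as 65400
 neighbor 10.0.0.100 update-source Loopback0
 address-family vpnv4
  neighbor 10.0.0.100 activate
  neighbor 10.0.0.100 send-community both
  neighbor 10.0.0.100 route-map PICK-EXIT in
 exit-address-family
!
! ===== PE2 (US branch): LA primary, London backup =====
ip bgp-community new-format
ip community-list standard VIA-LA permit 65400:2222
route-map PICK-EXIT permit 10
 match community VIA-LA
 set local-preference 200
route-map PICK-EXIT permit 20
!
router bgp 65400
 neighbor 10.0.0.100 remote-as 65400
 neighbor 10.0.0.100 update-source Loopback0
 address-family vpnv4
  neighbor 10.0.0.100 activate
  neighbor 10.0.0.100 send-community both
  neighbor 10.0.0.100 route-map PICK-EXIT in
 exit-address-family
```

    On PE1, `show ip bgp vpnv4 vrf CUSTOMER` should now list each Asia prefix twice: the path carrying 65400:1111 at local preference 200 and marked best, the other at 100 and ready to take over the moment London's path is withdrawn. The RR needs `send-community both` toward every client or the tags never reach PE1 and PE2. Changing the RD on a live VRF clears and re-learns its routes, so do it in a maintenance window.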

  • Centralized WLC Design Question

    Dears,
    In my scenario, I am designing a centralized WLC deployment. I have 30 APs in Building X (200 users) and 20 APs in Building Y (150 users). I am planning to install an HA WLC cluster where the primary and secondary WLC will reside in physically different data centers A and B.
    I have a wireless design question and I am not able to get clear answers. Please refer to the attached drawing and answer the following queries:
    If Building X users want to talk to Building Y users, how will the control and data traffic flow between Buildings X and Y? Would all the traffic go to the primary WLC from the Building X APs first and then be routed back to the Building Y APs? Can I achieve direct switching between Building X and Y APs without going toward the WLC?
    If Building X and Y users want to access the Internet, how would the traffic flow? Would the X and Y APs tunnel all the traffic towards the WLC, which then routes it to the Internet gateway? Is it possible for Building X and Y APs to send traffic directly towards the Internet gateway without going to the controllers?
    I have planned to put the WLCs at physically different locations, in different DCs A and B. Is it recommended to have such a design? What would be the failover traffic volume if the primary WLC goes down and the secondary controller takes over?
    My reason to go for a centralized deployment is that I want to achieve centralized authentication with local switching. Please give your recommendations and feedback.
    Regards,
    Rameez

    If Building X users want to talk to Building Y users, then how will the control and data traffic flow between Building X and Y? Would all the traffic go to the primary WLC from Bldg X APs first and then be re-routed back to Building Y APs? Can I achieve direct switching between Bldg X and Y APs without going toward the WLC?
              Traffic flows to the WLC that is the primary for the APs, then it's routed over your network.
    If Building X and Y users want to access the Internet, how would the traffic flow? Would the traffic from X and Y APs be tunneled towards the WLC and then routed to the Internet gateway? Is it possible for Bldg X and Y APs to directly send traffic towards the Internet gateway without going to the controllers?
              The WLC isn't a router, so you would have to put the Internet traffic on a subnet and route.
    I have planned to put the WLCs at physically different locations in different DCs A and B. Is it recommended to have such a design? What would be the failover traffic volume if the primary WLC goes down and the secondary controller takes over?
              Like I mentioned earlier, the two HA WLCs have to be on the same layer 2 subnet in order for you to use HA. The guide mentions an Ethernet cable to connect both the HA ports on the WLC.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ISE Design Question

    I have a few design questions regarding ISE v.1.0.4.573.
    Do the ISE 3395 gigabit ports support link aggregation? How can I utilize all 4 ports for uplink?
    When doing a standalone HA setup of 2x 3395, is there a heartbeat link between the two ISE nodes, or will they use the same uplink to the network for heartbeat and synchronizing?
    I am designing ISE with WLC. My WLC (5508) setup has 5 floors with different VLANs but the same SSID. How can I make ISE authenticate in this scenario, since WGB AP is not supported in ISE v.1.0? Is there a workaround for this type of WiFi setup in ISE?
    Continuing from the above setup, while roaming from one floor to another floor after changing VLAN, will the user re-authenticate or use the same session?
    Thanks for the help.
    Regards,
    Zohaib

    1. The current version does not support link aggregation.
    2. They will use the same uplink to the network for heartbeat and synchronizing.
    3. My suggestion is to assign your SSID an interface group, containing all interfaces belonging to your VLANs, on your WLC and set AAA override. Then, in ISE, create authorization profiles which include the appropriate VLAN. Use the RADIUS attribute Called-Station-ID with your AP MAC address as the condition.
    4. They will use the same session.

  • Debugging and monitoring MPLS networks

    Hi,
    I've had the following problem with a customer of ours and I'd like to know if there are any tools I can use in the future to better diagnose the problem if it arises again.
    The customer is a bank with hundreds of branch sites. All of them are connected to the corporate site via an MPLS network managed by a local TELCO company.
    In the last ten days they have experienced long delays during logons of users in the branch sites. This delay was initially thought to be due to new operating systems deployed on the clients (XP). In fact there's a rollout of XP computers at all the branch sites.
    Trying to troubleshoot the problem we started looking at all OS related known problems but found nothing important.
    Next I tried looking at the network connections with the few tools I have (basically ping, traceroute and a protocol analyzer) but all seemed ok.
    Having no access to the telco routers I monitored the corporate's switch ports to which the two telco routers are attached.
    Finally I found some packets discarded and could call the telco and have the routers checked.
    They found a problem, they didn't tell us what it was, and suddenly most of the problems were gone.
    This was really tricky because apart from the slow logon we had no other malfunctions. I found the problem thanks to a Microsoft tool to check group policy problems which pointed me to possible network problems.
    The question, after this long post, is: is there any tool, agent or software I can install or use to check MPLS network efficiency having no access to the TELCO routers?
    Thanks in advance
    Stefano Colombo
    CCNA - CCSP
    MCSE NT/2k/2003 Messaging

    Having not told us what the actual problem was, it is kinda difficult to suggest tools. However, IF this was an MTU issue then you should have used ping with the DF bit set to see how big a packet you could get over the MPLS network. Let us know what the issue was and hopefully we can be a bit more detailed in our responses.
    HTH
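    To make the DF-bit ping suggestion concrete, here is an added Python example (mine, not part of the thread): it binary-searches the largest ICMP payload that passes with DF set and converts it to a path MTU. The probe wraps the Linux iputils ping syntax (-M do and -s), which is an assumption; other ping implementations use different flags. The search takes any probe callable, so the constructed path in the test (drops anything above 1400 bytes on the wire) exercises it offline, and each probe costs one packet, so a link from a branch can be characterized in a dozen pings.

```python
"""Path MTU discovery by DF-bit ping, as a binary search over the ICMP payload size.

Added example, not from the thread. Assumes Linux iputils 'ping' for the live probe;
the search itself only needs a callable that says whether a given payload got through.
"""
import subprocess

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def linux_df_probe(host, payload, timeout_s=1):
    """Send one ICMP echo with DF set (Linux iputils syntax, assumed) and report
    whether a reply came back. A 'Frag needed' error makes ping exit non-zero."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def largest_passing_payload(probe, lo=0, hi=1472):
    """Largest payload in [lo, hi] for which probe(payload) is True, assuming the
    path is monotonic (if size N passes, every smaller size passes). Returns -1
    when even 'lo' fails, which usually means the host is down or ICMP is filtered,
    not that the MTU is tiny."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2  # bias upward so the loop converges on the top of the passing range
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe, max_payload=1472):
    """Path MTU in bytes on the wire, or None if nothing gets through.
    1472 is the payload that fills a 1500-byte Ethernet frame."""
    payload = largest_passing_payload(probe, 0, max_payload)
    return None if payload < 0 else payload + ICMP_IP_OVERHEAD


def probe_host(host):
    """Live measurement against a real host (requires the Linux ping assumed above)."""
    return path_mtu(lambda payload: linux_df_probe(host, payload))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"path MTU to {target}: {probe_host(target)}")
```

    If the result comes back well below 1500, that is the number to hand to the provider, together with the fact that the packets were sent with DF set; if the branch router can also run a DF-bit ping toward the data center, comparing both directions tells you whether the ceiling sits on the access link or somewhere inside the MPLS cloud.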

  • Network Design Pointers...

    Hey everyone, I am not too sure if this is the correct location to be posting this, but I have some questions regarding network design.
    I have created a test network within Packet Tracer, which I have added as an attachment. I just wanted some pointers on how I could have changed things, just regarding the topology. My main area of concern is with the printers: could they have been better located?
    I have uploaded a screenshot and the Packet Tracer file of my design; please let me know what you guys think. This is my first time creating a network, and this helps me study for my exams, as I just finished my CCENT and am now working on the CCNA.
    Thanks so much for your time everyone.
    Paul St.Onge

    > Threaded interfaces - do you mean user interfaces?
    Not quite, and it possibly comes as part of the other questions, but a description (or an attempt at one) is: imagine that you have one application on a server and some small applications in a series of PCs connected with the server. These applications, when started, send a command to the server which creates a thread that interfaces with the client app so that the processing can be spread more or less evenly. <hope to make sense>
    > Detection of java/javaw - what do you mean by that?
    The System.getProperties(... was what I was looking for

  • Full mesh VPN solution for on MPLS network with PE and CPEs

    Hi,
    We are trying to evaluate the best solution for a hub-and-spoke mesh VPN in an MPLS network. The VPN hub router will be the PE router and all the VPN spokes will be on CPEs.
    Can someone please let us know what the best VPN solution will be? We understand that there will be some technical limitations going with GETVPN, but we still couldn't find any documentation on the possibility of using DMVPN.
    How about the recent FlexVPN? Can FlexVPN work for this requirement, and where can I get a design/configuration document?
    Thanks in advance.

    Hello,
    GetVPN is intended for any-to-any VPN communication. Over an MPLS network with a hub-and-spoke topology, your best option is to look at the Cisco DMVPN implementation, where this type of VPN is primarily designed for hub and spoke.
    Regards,
    Mohamed

  • MPLS network CE1A pinging CE1B other side

    I'm trying to expand my knowledge about MPLS but have a bunch of questions. Here is one. In an MPLS network, should the CEA1 from one side ping the other CEB1 and vice versa? I can see the route in the routing table from both sides, however the ping doesn't pass through. Explain?

    Hi Pedro,
    You should be able to ping if you have set up the MPLS L3 VPN correctly and if you don't have any configs to drop the ping.
    First you need to check if your LSP is fine.
    1. Check if you have MPLS IP configured on the core devices and core-facing interfaces of the PE. Make sure you have CEF enabled on the routers.
    To check if the LSP is fine, try a ping between PEs using the VRF IPs as source and destination.
    Share your topology. That will help.

  • Network Designs

    Hi all
    I wanted to know if someone can give me some advice. I've started my own consulting company and I have a client who wants a network redesign and a core network design. Both of these are for different sites and I wanted to know what questions I should ask the client, and whether there are some books that I can read about network design that will give me a good feel for how to proceed. I already have a good idea about the hardware that is needed at each layer, but the network I learned on was a large enterprise network and these are smaller networks, and I really want to do a good job for this user so that I can get repeat business. Thanks in advance and have a great day, and I look forward to your replies.

    1) You should ask why the client wants a network redesign and what they are looking to achieve by doing this, i.e. no one does a network redesign just for the fun of it.
    2) Based on the answers to the first question you need to see the existing network design and then work out why it does not meet the client's needs.
    3) Probably as important as anything else is what budget is available for the redesign, i.e. consultancy for you and the hardware budget.
    4) What in-house experience the client has. You can set up the loveliest shiny network, but if the customer cannot then support it, it is not particularly useful to them.
    5) Future plans for expansion for the client.
    6) The hardest part: applications, traffic patterns and bandwidth requirements of the network. Make sure you at least identify the apps that the client makes their money from and design accordingly.
    Don't decide on hardware before the design. The design dictates the hardware and not the other way around. If you already have an idea of the hardware you are going to use, you either have answers to all the above or you are getting ahead of yourself.
    A good place for design info is Cisco's design papers -
    www.cisco.com/go/srnd
    Jon
