MPLS VPN load sharing when multihoming

Similar Messages

• MP-BGP and MPLS multipath load sharing

  Hi,
  I am trying to PoC MPLS multi path load sharing by using per-PE-per-VRF RDs in the network.
  I have a simple lab setup with AS65000 which consists of SITE1 PE1&PE2 routers (10.250.0.101 and 10.250.0.102), route reflector RR in the middle (10.250.0.55) and SITE2 PE1&PE2 routers (10.250.0.201 and 10.250.0.202). PE routers only do iBGP peering with centralized route reflector and passing route to 10.1.1.0/24 prefix (learned from single CE router) with 100:1 and 100:2 RDs for specific VRF.
  Route reflector gets routes with multiple RDs, makes copies of these routes in order to make local comparison to RD 55:55 configured, uses these routes and install multiple paths into its routing table (all PE routers and RR have "maximum-paths eibgp 4" configured):
  RR#sh ip bgp vpnv4 all
  BGP table version is 7, local router ID is 10.250.0.55
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 55:55 (default for vrf VRF-A) VRF Router ID 10.250.0.55
  * i10.1.1.0/24      10.250.0.102             0    100      0 65001 i
  *>i                 10.250.0.101             0    100      0 65001 i
  Route Distinguisher: 100:1
  *>i10.1.1.0/24      10.250.0.101             0    100      0 65001 i
  Route Distinguisher: 100:2
  *>i10.1.1.0/24      10.250.0.102             0    100      0 65001 i
  RR#sh ip route vrf VRF-A
  <output omitted>
       10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  B       10.1.1.0/24 [200/0] via 10.250.0.102, 00:45:52
                            [200/0] via 10.250.0.101, 00:46:22
  BUT, for some reason RR doest reflects routes with multiple RDs down to SITE2 PE1&PE2 - its own clients:
  RR#sh ip bgp vpnv4 all neighbors 10.250.0.201 advertised-routes
  Total number of prefixes 0
  RR#sh ip bgp vpnv4 all neighbors 10.250.0.202 advertised-routes
  Total number of prefixes 0
  Here comes RR BGP configuration:
  router bgp 65000
  no synchronization
  bgp router-id 10.250.0.55
  bgp cluster-id 1.1.1.1
  bgp log-neighbor-changes
  neighbor 10.250.0.101 remote-as 65000
  neighbor 10.250.0.101 update-source Loopback0
  neighbor 10.250.0.101 route-reflector-client
  neighbor 10.250.0.101 soft-reconfiguration inbound
  neighbor 10.250.0.102 remote-as 65000
  neighbor 10.250.0.102 update-source Loopback0
  neighbor 10.250.0.102 route-reflector-client
  neighbor 10.250.0.102 soft-reconfiguration inbound
  neighbor 10.250.0.201 remote-as 65000
  neighbor 10.250.0.201 update-source Loopback0
  neighbor 10.250.0.201 route-reflector-client
  neighbor 10.250.0.201 soft-reconfiguration inbound
  neighbor 10.250.0.202 remote-as 65000
  neighbor 10.250.0.202 update-source Loopback0
  neighbor 10.250.0.202 route-reflector-client
  neighbor 10.250.0.202 soft-reconfiguration inbound
  no auto-summary
  address-family vpnv4
    neighbor 10.250.0.101 activate
    neighbor 10.250.0.101 send-community both
    neighbor 10.250.0.102 activate
    neighbor 10.250.0.102 send-community both
    neighbor 10.250.0.201 activate
    neighbor 10.250.0.201 send-community both
    neighbor 10.250.0.202 activate
    neighbor 10.250.0.202 send-community both
  exit-address-family
  address-family ipv4 vrf VRF-A
    maximum-paths eibgp 4
    no synchronization
    bgp router-id 10.250.0.55
    network 10.255.1.1 mask 255.255.255.255
  exit-address-family
  SITE1 PE1 configuration:
  router bgp 65000
  no synchronization
  bgp router-id 10.250.0.101
  bgp log-neighbor-changes
  neighbor 10.250.0.55 remote-as 65000
  neighbor 10.250.0.55 update-source Loopback0
  neighbor 10.250.0.55 soft-reconfiguration inbound
  no auto-summary
  address-family vpnv4
    neighbor 10.250.0.55 activate
    neighbor 10.250.0.55 send-community both
  exit-address-family
  address-family ipv4 vrf VRF-A
    neighbor 10.1.101.2 remote-as 65001
    neighbor 10.1.101.2 activate
    neighbor 10.1.101.2 soft-reconfiguration inbound
    maximum-paths eibgp 4
    no synchronization
    bgp router-id 10.250.0.101
  exit-address-family
  SITE1 PE2 configuration is similar to SITE1 PE1. They both do eBGP peering with dualhomed CE router in AS65001 which announces 10.1.1.0/24 prefix into VRF-A table.
  My question is: clearly, the issue is that RR doesn't reflect any routes to its clients (SITE2 PE1&PE2) for 10.1.1.0/24 prefix with 100:1 and 100:2 RDs that dont match it's locally configured RD 55:55 for VRF-A, although they are present in its BGP/RIB tables and used for multipathing. Is this an expected behavior or some feature limitation for specific platform or IOS version? Currently, in this test lab setup I run IOS 12.4(24)T8 on all the devices.
  Please, let me know if any further details are needed to get an idea of why this well known and widely used feature is not working correctly in my case. Thanks a lot!
  Regards,
  Sergey

  Hi Ashish,
  I tried to remove VRF and address family configurations completely from RR.
  router bgp 65000
  no synchronization
  bgp router-id 10.250.0.55
  bgp cluster-id 1.1.1.1
  bgp log-neighbor-changes
  neighbor 10.250.0.101 remote-as 65000
  neighbor 10.250.0.101 update-source Loopback0
  neighbor 10.250.0.101 route-reflector-client
  neighbor 10.250.0.101 soft-reconfiguration inbound
  neighbor 10.250.0.102 remote-as 65000
  neighbor 10.250.0.102 update-source Loopback0
  neighbor 10.250.0.102 route-reflector-client
  neighbor 10.250.0.102 soft-reconfiguration inbound
  neighbor 10.250.0.201 remote-as 65000
  neighbor 10.250.0.201 update-source Loopback0
  neighbor 10.250.0.201 route-reflector-client
  neighbor 10.250.0.201 soft-reconfiguration inbound
  neighbor 10.250.0.202 remote-as 65000
  neighbor 10.250.0.202 update-source Loopback0
  neighbor 10.250.0.202 route-reflector-client
  neighbor 10.250.0.202 soft-reconfiguration inbound
  no auto-summary
  address-family vpnv4
    neighbor 10.250.0.101 activate
    neighbor 10.250.0.101 send-community both
    neighbor 10.250.0.102 activate
    neighbor 10.250.0.102 send-community both
    neighbor 10.250.0.201 activate
    neighbor 10.250.0.201 send-community both
    neighbor 10.250.0.202 activate
    neighbor 10.250.0.202 send-community both
  exit-address-family
  After this, RR doesn't accept any routes at all from S1PE1&S1PE2 routers, thus not reflecting any routes down to its clients S2PE1&S2PE2 as well:
  S1PE1#sh ip bgp vpnv4 all
  BGP table version is 6, local router ID is 10.250.0.101
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 100:1 (default for vrf VRF-A) VRF Router ID 10.250.0.101
  *> 10.1.1.0/24      10.1.101.2               0             0 65001 i
  S1PE1#sh ip bgp vpnv4 all neighbors 10.250.0.55 advertised-routes
  BGP table version is 6, local router ID is 10.250.0.101
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 100:1 (default for vrf VRF-A) VRF Router ID 10.250.0.101
  *> 10.1.1.0/24      10.1.101.2               0             0 65001 i
  Total number of prefixes 1
  S1PE2#sh ip bgp vpnv4 all
  BGP table version is 6, local router ID is 10.250.0.102
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 100:2 (default for vrf VRF-A) VRF Router ID 10.250.0.102
  *> 10.1.1.0/24      10.1.201.2               0             0 65001 i
  S1PE2#sh ip bgp vpnv4 all neighbors 10.250.0.55 advertised-routes
  BGP table version is 6, local router ID is 10.250.0.102
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 100:2 (default for vrf VRF-A) VRF Router ID 10.250.0.102
  *> 10.1.1.0/24      10.1.201.2               0             0 65001 i
  Total number of prefixes 1
  RR#sh ip bgp vpnv4 all
  RR#sh ip bgp vpnv4 all neighbors 10.250.0.101 routes
  Total number of prefixes 0
  RR#sh ip bgp vpnv4 all neighbors 10.250.0.102 routes
  Total number of prefixes 0
  Any feedback is appreciated. Thanks.
  Regards,
  Sergey

• MPLS Traffic Load Sharing

  What is the best way to configure a load sharing policy from multiple CE "remotes" to two CE "hosts" in a MPLS network? Currently, all incoming traffic goes to only one host from the PE.

  Hi,
  you need to have a look at the complete routing architecture to understand possibilities/responsibilities.
  Mainly load distribution for a single prefix can only occur, if more than one path to a destination is known. This however might not be given in the MPLS network. The underlying reason is that BGP will only send the best path in an update - but not all pathes a BGP speaker knows of (RFC mandates this).
  As practically all larger BGP implementations use Route Reflectors, which are (RFC conforming) BGP speakers, they will only forward the best path to a destination. The result is:
  IF more than one path to a destination network exists and is sent to the RR through different PE routers (with same RD) then only one path will be distributed to all other PE routers.
  In this scenario load sharing for a single prefix can not occur, because only one routing table entry exists for this prefix in most if not all PE routers. All you can do is to try to load share by selecting different pathes for different destination prefixes by influencing routing metric. This way part of your traffic will go one way and part will take another path.
  IF the SP however uses different RD values for every VRF and the proper "maximum-path" statements in MP-BGP, then load sharing per prefix can be achieved in the MPLS network. The customer however can not influence the SP setup.
  Hope this Helps! Please rate all posts.
  Regards, Martin

• Discussion on load-balance and load-sharing

  Hi, I found a article, which discuss the difference between load-balance and load-sharing. I think the explanation is pretty good, please see below. But I still have a question: how can we decide to choose one the both balance in the production environment ?  Thank you
  "In short, load balancing tries to distribute traffic evenly over multiple paths, whereas, load sharing intends to do it (for the lack of a better term) equally.  True load balancing is difficult to achieve.  For example, let's say there were two links (100 mbps and 300 mpbs) and a router needed to send out 600 mbps of traffic.  Load balancing would distribute the traffic evenly, sending 300 mbps on each link.  On the contrary, load sharing would divide the traffic equally based on the available resources, sending 200 mbps on the slower link and 400 mbps on the faster one. "

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  That's not how Cisco uses the terms, and generically they are often used almost interchangeably.
  Cisco uses load balancing as the catch all for how a single L3 device routes across multiple paths to the same destination.  Equal metrics or equal actual load distribution are not required.  Most often, load balancing will be discussed with ECMP, but unequal path loading balancing will include Cisco's proprietary IGPs, such as EIGRP.
  Cisco uses load sharing when using multiple paths when a single L3 devices doesn't normally route across multiple paths or multiple L3 devices are involved.  Cisco load sharing discussions usually revolve around BGP.
  Generically, I would say load balancing has more of a dynamic aspect to it, i.e. something is trying to actively balance traffic across multiple paths, while load sharing might mean multiple paths are utilized but not actively dynamically balanced.
  I'm unsure what's your question with a production environment.

• BGP requirements and load sharing

  Hi !
  I have been reading memory requirements for running BGP. But, for a tipical scenario with dual ISP for load sharing which are the requirements for the router ?
  Could we use a 1841 or thinking about 37x5 or higher router ? I know that it depends on size for routing table, AS, and so on but what is the rule of thumb for choosing the correct router ?
  Thanks
  Rafa
  http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf2
  Load Sharing When Dual-Homed to One Internet Service Provider (ISP) Through a Single Local Router
  http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a83.shtml
  Achieve Optimal Routing and Reduce BGP Memory Consumption

  Routes is one constraint and traffic is one more and the kind of policies i apply would be another. If i took a default from my upstream with about 1 MB of traffic, i would definitely look at 1841. If received routes ( atleast 20,000) and about 1 MB or 2 MB and 2 or more upstreams, I may even settle for a 3850.

• AP- load sharing

  Hi all,
  Is there a way to achieve AP load-sharing when we utilise AP groups?
  This will make life easy from both designers and implementers as we will not have to worry about subnet allocation etc.
  Thanks in advance.
  janesh

  yes i'm talking about having different AP groups per floor and replicating it across multiple floors.
  yestersay u mentioned that u got a 802.11ac- would you be able to let me know the exact ordering code pls?

• MPLS/VPN network load balancing in the core

  Hi,
  I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
  CE---PE===P===PE---CE
  I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
  Thank you for your help!
  Gabor

  Hi,
  On the PE router you could set different types and 2 levels of load-balancing.
  For instance, in case of a DUAL-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
  PE1 receives this prefix via eBGP session from CE1 and keep this route as best due to external state.
  PE2 receives this prefix via eBGP session from CE2 and keep this route as best due to external state.
                               eBGP
                       PE1 ---------CE1
  PE3----------P1                          Subnet A
                       PE2----------CE2 /
                              eBGP
  Therefore from PE3 point of view, 2 routes are available assuming that IGP metric for PE3/PE1 is equal to PE3/PE2.
  The a 1rst level of load-sharing can be achieve thanks to the maximum-paths ibgp number command.
  2 MP-BGP routes are received on PE3:
  PE3->PE1->CE1->subnet A
  PE3->PE2->CE2->subnet A
  To use both routes you must set the number at 2 at least : maximum-paths ibgp 2
  But gess what, in the real world an MPLS backbone hardly garantee an equal IGP cost between 2 Egress PE for a given prefix.
  So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
  By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface avoiding reordering the packets on the target site. Overwise it is possible to use "per-packet" load-balancing.
  Then a 2nd load-sharing level can occur.
  For instance:
           __P1__PE1__CE1
  PE3           \/                   Subnet A
          \ __P2__PE2__CE2
  There is still 2 MP-BGP paths :
  PE3->P1->PE1->CE1->subnet A
  PE3->P1->PE2->CE2->subnet A
  But this time for 2 MP-BGP paths 4 IGP path are available:
  PE3->P1->PE1->CE1->subnet A
  PE3->P1->PE2->CE2->subnet A
  PE3->P2->PE1->CE1->subnet A
  PE3->P2->PE2->CE2->subnet A
  For a load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-path 4 "command in the IGP (ex OSPF) process.
  Therefore if those 4 paths are equal-cost IGP paths then a 2nd level load-balancing is achieved. the default behabior is the same source destination mechanism to selected the "per-session" path as mentionned before.
  On an LSP each LSR could use this feature.
  BR

• MPLS-TE and Load sharing?

  Hi,
  I have been reading and searching for a long time,
  I have an issue with MPLS-TE, ok, let me explain..
  We have
  PE(7600) -> MPLS-network <- PE(7300)
  We have EoMPLS connection between these points
  over 2x STM-1, and we want to lets say,
  STM1(tunnel0) take 155Mbit of link1, and
  STM1(tunnel1) take 155Mbit of link2, so
  we could get full use of both links,
  I use exact path option, and everythings
  works, but, the traffic seems to choose only
  the one of the tunnels..
  Then the question is, with the tag-switching,
  does the traffic tunnels go with the CEF switching
  so, src->dst flows occurs?
  Because if i did like,
  show ip cef dstip internal
  I saw the load sharing all fine..

  Solved,
  Sorry, I found another conversation that pointed
  my conclusion out,
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd62298
  Best Regards,
  Kjarri.

• Multihoming Primary/Backup PE MPLS VPN

  Hi there,
  I kind of stuck of implementing and configuring Primary/Backup scenario for MPLS VPN enviroment.
  Currently, only singe CE router connected to 2 PE router, Primary PE and Backup PE in the same POP.
  PE-CE IGP is running OSPF. On CE router prespective, how do I achieve primary/backup scenario and on other remote PE, how does MPLS VPN cloud noticed that there is Primary and Backup PE towords this CE router?
  Any configuration or sample out there? Appreciate for the help.
  regards,
  maher

  Hello Maher,
  I would try to set the interface metric to a higher value for the backup PE. With OSPF->BGP redistribution you should then get a higher MED in BGP making the path less preferable. Example:
  interface Serial0/0
  description to primary PE
  ip ospf cost 100
  interface Serial0/1
  description to backup PE
  ip ospf cost 1000
  Alternatively you could modify the MED while redistributiing into BGP:
  router bgp 65000
  address-family ipv4 vrf VRFname
  redistribute ospf 123 vrf VRFname match internal external route-map OSPF2BGP
  route-map OSPF2BGP permit 10
  set metric 10000
  Hope this helps! Please rate all posts.
  Regards, Martin

• ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  This topic has been beat to death, but I did not see a real answer. Here is configuration:
  1) 2 x ASA 5520, running 8.2
  2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
  3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
  4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
  This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
  Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
  The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
  In any case, any experts out there that can answer question? TIA!

  Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
  Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
  Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
  Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
  Thanks much,
  Mike

• How can I find the all path available for a MPLS VPN in SP network

  How can I find the all path available for a MPLS VPN in SP network between PE to PE and CE to CE?

  Hi There
  If we need to find all the available paths for a remote CE from a local PE it will depend upon whether its a RR or non-RR design. If the MP-iBGP deisgn is non-RR  the below vrf specific command
  sh ip bgp vpnv4 vrf "vrf_name"  will show us the MP-iBGP RT for that particular VPN. It will show us the next hop. Checking the route for same in the Global RT will show us the path(s) available for same ( load-balancing considered) .Then we can do a trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback to get the physical Hops involved.
  However if the design is RR-based there might be complications involved when the RR is in the forwarding path ie we have NHS being set to RR-MP-iBGP loopback and the  trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback will get us the physical Hops involved.
  If we have redundant RRs being used with NHS being set then the output of sh ip bgp vpnv4 vrf "vrf_name" will show us two different available paths for the remote CE destination but just one being used.
  RR-based design with no NHS being used will always to cater to single path for the remote CE detsination.
  So in any case the actual path used for the remote CE connectivity would be a single unless we are using load-balancing.
  Hope this helps you a bit on your requirement
  Thanks & Regards
  Vaibhava Varma

• Issue with multipath load-sharing of VPNv4 routes

  Hi Sir,
  Below is output of "show ip bgp vpnv4 all 10.1.36.0/24" on a PE router in an MPLS VPN environment:
  KP1#sh ip bgp vpnv4 all 10.1.36.0/24
  BGP routing table entry for 65001:202:10.1.36.0/24, version 1732
  Paths: (2 available, best #1, no table)
  Not advertised to any peer
  Local
  172.18.254.56 (metric 31) from 172.18.254.54 (172.18.254.54)
  Origin incomplete, metric 0, localpref 100, valid, internal, best
  Extended Community: RT:65001:1200
  Originator: 172.18.254.56, Cluster list: 172.18.254.54
  Local
  172.18.254.56 (metric 31) from 172.18.255.254 (172.18.255.254)
  Origin incomplete, metric 0, localpref 100, valid, internal
  Extended Community: RT:65001:1200
  Originator: 172.18.254.56, Cluster list: 172.18.255.254
  BGP routing table entry for 65001:203:10.1.36.0/24, version 2439
  Paths: (2 available, best #2, no table)
  Not advertised to any peer
  Local
  172.18.255.4 (metric 21) from 172.18.255.254 (172.18.255.254)
  Origin incomplete, metric 0, localpref 100, valid, internal
  Extended Community: RT:65001:1200
  Originator: 172.18.255.4, Cluster list: 172.18.255.254
  Local
  172.18.255.4 (metric 21) from 172.18.254.54 (172.18.254.54)
  Origin incomplete, metric 0, localpref 100, valid, internal, best
  Extended Community: RT:65001:1200
  Originator: 172.18.255.4, Cluster list: 172.18.254.54
  BGP routing table entry for 65001:204:10.1.36.0/24, version 2441
  Paths: (2 available, best #2, table V1:TEST)
  Multipath: iBGP
  Not advertised to any peer
  Local, imported path from 65001:202:10.1.36.0/24
  172.18.254.56 (metric 31) from 172.18.254.54 (172.18.254.54)
  Origin incomplete, metric 0, localpref 100, valid, internal
  Extended Community: RT:65001:1200
  Originator: 172.18.254.56, Cluster list: 172.18.254.54
  Local, imported path from 65001:203:10.1.36.0/24
  172.18.255.4 (metric 21) from 172.18.254.54 (172.18.254.54)
  Origin incomplete, metric 0, localpref 100, valid, internal, best
  Extended Community: RT:65001:1200
  Originator: 172.18.255.4, Cluster list: 172.18.254.54
  KP1#
  There are two RRs on the network: RR1 (172.18.254.54) and RR2 (172.18.255.254). All PE routers peer with these two RRs.
  The VPNv4 prefix 10.1.36.0/24 is advertised by two PE routers; the first is 172.18.254.56 (hostname: SK1) using RD 65001:202, another is 172.18.255.4 (hostname: SK2) using RD 65001:203. This is an Intranet VPN with RT value of 65001:1200.
  I understand why KP1 selects the path via SK2 as the best because it matches the BGP best-path selection criteria: "Prefer the path with the lowest IGP metric to the BGP next hop".
  I want to load-balance traffic destined to 10.1.36.0/24 across SK1 and SK2. Thus, I modified the config on KP1 as follows:
  router bgp 65001
  address-family ipv4 vrf V1:TEST
  maximum-paths ibgp 2
  But still only one best path is selected and installed into the VRF routing tables, as follows:
  KP1#sh ip route vrf V1:TEST
  Routing Table: V1:TEST
  10.0.0.0/24 is subnetted, 6 subnets
  B 10.1.36.0 [200/0] via 172.18.255.4, 20:53:01
  KP1#sh ip bgp vpnv4 vrf V1:TEST
  Network Next Hop Metric LocPrf Weight Path
  Route Distinguisher: 10081:204 (default for vrf V1:TEST)
  * i10.1.36.0/24 172.18.254.56 0 100 0 ?
  *>i 172.18.255.4 0 100 0 ?
  KP1 only installs the two paths when I configured the following:
  router bgp 65001
  address-family ipv4 vrf V1:TEST
  maximum-paths ibgp unequal-cost 2 (I can't exactly remember the command. It should be this one.)
  Please advise if this is the correct way to install both routes.
  Thank you.
  B.Rgds,
  Lim TS

  Hi,
  "maximum-path ... unequal-cost" means install two pathes EVEN IF paths have unequal IGP metric. If the metric is identical then the BGP path selection is identical to not configuring "unequal-cost".
  This option is used to skip the normal BGP path selection step "closest IGP neighbor" when it comes to decide what to insert into the IP routing table.
  So typically you would use "unequal-cost" as for the VPN customer your core network is not interesting (not even visible). So routing decisions based on your core network metrics are (often) not in the customers interest. The customer is usually interested in loading the redundant access lines. This would potentially not be possible because of the SP BGP selection mechanism.
  Hope this helps!
  Regards, Martin

• MPLS VPNs - Latency

  Hello All,
  I have a MPLS VPN setup for one of my sites. We have a 10M pipe (Ethernet handoff) from the MPLS SP, and it is divided into 3 VRFs.
  6M - Corp traffic
  2M - VRF1
  2M - VRF2
  The users are facing lot of slowness while trying to access application on VRF1. I can see the utilization on the VRF1 is almost 60% of it's total capacity (2M). Yesterday when trying to ping across to the VRF1 Peer in the MPLS cloud, I was getting a Max response time of 930ms.
  xxxxx#sh int FastEthernet0/3/0.1221
  FastEthernet0/3/0.1221 is up, line protocol is up
    Hardware is FastEthernet, address is 503d.e531.f9ed (bia 503d.e531.f9ed)
    Description: xxxxx
    Internet address is x.x.x.x/30
    MTU 1500 bytes, BW 2000 Kbit, DLY 1000 usec,
       reliability 255/255, txload 71/255, rxload 151/255
    Encapsulation 802.1Q Virtual LAN, Vlan ID  1221.
    ARP type: ARPA, ARP Timeout 04:00:00
    Last clearing of "show interface" counters never
  I also see a lot of Output drops on the physical interface Fa0/3/0. Before going to the service provider, can you please tell me if this can be an issue with the way QoS is configured on these VRFs?
  xxxxxxx#sh int FastEthernet0/3/0 | inc drops
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3665
  Appreciate your help.
  Thanks
  Mikey

  Hi Kishore,
  Thanks for the clarification. Let me speak to the service provider and see if we can sort out the Output drops issue.
  I had a few more queries.
  1) Will output drops also contribute to the latency here?
  2) The show int fa0/3/0.1221 output below only shows the load on the physical interface (fa0/3/0) and not of that particuar interface.Right?
  xxxxxx#sh int fa0/3/0.1221 | inc load
       reliability 255/255, txload 49/255, rxload 94/255
  xxxxx#sh int fa0/3/0 | inc load
       reliability 255/255, txload 49/255, rxload 94/255
  I can try and enable IP accounting on that sub-interface (VRF) and see the load. Thoughts?
  3) As you said, if the 2M gets maxed out I would see latency as the shaper is getting fully utilized. But I don't see that on the interface load as mentioned above? I have pasted the ping response during the time load output was taken. I can;t read much into the policy map output, but does it talk anything about 2M being fully utilized and hence packets getting dropped.
  xxxxxxx#ping vrf ABC x.x.x.x re 1000
  Type escape sequence to abort.
  Sending 1000, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
  Success rate is 99 percent (997/1000), round-trip min/avg/max = 12/216/1972 ms
  xxxx#sh policy-map interface fa0/3/0.1221
  FastEthernet0/3/0.1221
    Service-policy output: ABC
      Class-map: class-default (match-any)
        114998 packets, 36909265 bytes
        5 minute offered rate 11000 bps, drop rate 0 bps
        Match: any
        Traffic Shaping
             Target/Average   Byte   Sustain   Excess    Interval  Increment
               Rate           Limit  bits/int  bits/int  (ms)      (bytes)
            2000000/2000000   12500  50000     50000     25        6250
          Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
          Active Depth                         Delayed   Delayed   Active
          -      0         114998    36909265  1667      2329112   no
  Thanks
  Mikey

• Error while loading shared libraries

  error while loading shared libraries
  I just installed 10g . on a Fedora Core 4 machine and after a reboot I tried to run sqlplus and got this type of error. I also got the same error when trying to lsnrctl status ...
  [oracle@localhost ~]$ sqlplus
  sqlplus: error while loading shared libraries: /apps/oracle/product/10g/lib/libnnz10.so: cannot restore segment prot after reloc: Permission denied
  [oracle@localhost ~]$
  declare -x CLASSPATH="/apps/oracle/product/10g/JRE:/apps/oracle/product/10g/jlib:/apps/oracle/product/10g/rdbms/jlib"
  declare -x EDITOR="vi"
  declare -x G_BROKEN_FILENAMES="1"
  declare -x HISTSIZE="1000"
  declare -x HOME="/home/oracle"
  declare -x HOSTNAME="localhost.localdomain"
  declare -x INPUTRC="/etc/inputrc"
  declare -x KDEDIR="/usr"
  declare -x LANG="en_US.UTF-8"
  declare -x LD_LIBRARY_PATH="/apps/oracle/product/10g/lib:/lib:/usr/lib"
  declare -x LESSOPEN="|/usr/bin/lesspipe.sh %s"
  declare -x LOGNAME="oracle"
  declare -x LS_COLORS="no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:"
  declare -x MAIL="/var/spool/mail/oracle"
  declare -x OLDPWD="/home/oracle"
  declare -x ORACLE_BASE="/apps/oracle"
  declare -x ORACLE_HOME="/apps/oracle/product/10g"
  declare -x ORACLE_SID="TST2"
  declare -x ORACLE_TERM="xterm"
  declare -x PATH="/apps/oracle/product/10g/bin:/usr/sbin:/apps/oracle/product/10g/bin:/usr/sbin:/apps/oracle/product/10g/bin:/usr/sbin:/apps/oracle/product/10g/bin:/usr/sbin:/apps/oracle/product/10g/bin:/usr/sbin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin"
  declare -x PWD="/home/oracle"
  declare -x QTDIR="/usr/lib/qt-3.3"
  declare -x SHELL="/bin/bash"
  declare -x SHLVL="1"
  declare -x SSH_ASKPASS="/usr/libexec/openssh/gnome-ssh-askpass"
  declare -x SSH_CLIENT="::ffff:192.168.1.152 2503 22"
  declare -x SSH_CONNECTION="::ffff:192.168.1.152 2503 ::ffff:192.168.121.8 22"
  declare -x SSH_TTY="/dev/pts/2"
  declare -x TERM="xterm"
  declare -x TMP="/home/oracle/tmp"
  declare -x TMPDIR="/home/oracle/tmp"
  declare -x USER="oracle"
  [oracle@localhost ~]$
  Any input would be highly appreciated.
  Thanks
  Ambrosius

  yap. got it..
  disabled SELinux then run it.
  I didn't get any errors and have it up and running. Here is what I did:
  Full Fedora Core 4 install with SELinux enabled (default settings). Then, after install, disable SELinux in the /etc/selinux/config file.
  Thanks
  Ambrosius

• Preference Error: Could not load sharing preference pane

  For some reason my second computer (iMac 27) is no longer showing up on the left pane of any finder window on my MBP. The iMac is running Yosemite and the MBP is running Mavericks. So I open System preferences to see if there is a problem with "Sharing" on the MBP. I'm getting a Preference Error: Could not load sharing preference pane. Do I need to install the update to fix this? I'm not ready to commit to Yosemite completely. I build apps for iOS and Mac and really need to test in both OS environments.

  Do a backup.
  Quit the application.
  Go to Finder and select your user/home folder. With that Finder window as the front window, either select Finder/View/Show View options or go command - J.  When the View options opens, check ’Show Library Folder’. That should make your user library folder visible in your user/home folder.  Select Library. Then go to Preferences/com.apple.systempreferences.plist. Move the .plist to your desktop.
  Restart the computer, open the application and test. If it works okay, delete the plist from the desktop.
  If the application is the same, return the .plist to where you got it from, overwriting the newer one.
  Thanks to leonie for some information contained in this.