MPLS vs ROUTING

Guys, first of all I am very new to this (MPLS). I have read a few articles, plus a few chapters of a few books on MPLS. The main theme of MPLS is that it is a label technology: it forwards packets on labels rather than looking up the IP address (traditional). Now guys, what is the plus point then? I mean the only thing which I can see is that routers would not hold routing tables. So what's the main theme of MPLS? I mean I didn't get any main difference. Please help me clear up my concept. Thanks a lot for looking.

The routers would still hold the IGP routing table. MPLS isn't a routing protocol. There used to be some performance gains because the router did a lookup on the label (32 bits). However that really isn't the case anymore with lookups being done in hardware. If you're running BGP across your network, with MPLS implemented you can remove BGP from your core devices and just have it on the edge devices. The biggest thing with MPLS though is the other services you can offer on the network once MPLS is deployed. You can offer Layer 3 VPNs, Layer 2 VPNs (EoMPLS, VPLS..) and MPLS Traffic Engineering.

Similar Messages

  • MPLS VRF Routes Leaking

    I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
    Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
    Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
    What is the best solution to prefer that meets the requirements & also avoids the security loopholes ?

    You could use one of the following ways to implement Internet access for an L3 MPLS VPN:
    1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface in the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.
    2. Internet access using route leaking between VRFs and the global routing table: with this method you will need to configure a static default route with a next hop of an Internet gateway (in your case the FWSM) reachable through the global routing table. This VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide the outbound Internet connectivity to your VRFs.
    Inbound traffic from the Internet will require either a NATed VRF or static routes from the global routing table pointing to the VRF interface.
    3. The other method is the use of a shared service: with this method you need to put the Internet service FWSM in its own VRF; then you can control the import and export between the Internet VRF and other VRFs through import/export of the VRFs' route-target values.
    Good luck
    if helpful Rate
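An added example for option 3 in the reply above (not part of the original post): with a shared Internet VRF, isolation between customers rests on which route-targets each VRF imports and exports, so the policy can be audited mechanically. The VRF names and route-target values are constructed, and the model covers direct import/export matching only.

```python
from itertools import permutations

# Constructed sample policy (names and RT values are illustrative only).
# 65000:900 = routes exported by the Internet VRF (default route)
# 65000:901 = customer routes exported toward the Internet VRF
GOOD_POLICY = {
    "INTERNET": {"export": {"65000:900"}, "import": {"65000:901"}},
    "CUST_A": {"export": {"65000:101", "65000:901"},
               "import": {"65000:101", "65000:900"}},
    "CUST_B": {"export": {"65000:102", "65000:901"},
               "import": {"65000:102", "65000:900"}},
}

# Same policy with one mistake: CUST_B also imports 65000:901, the RT every
# customer attaches to the routes it sends to the shared service VRF.
BAD_POLICY = {
    "INTERNET": {"export": {"65000:900"}, "import": {"65000:901"}},
    "CUST_A": {"export": {"65000:101", "65000:901"},
               "import": {"65000:101", "65000:900"}},
    "CUST_B": {"export": {"65000:102", "65000:901"},
               "import": {"65000:102", "65000:900", "65000:901"}},
}


def import_matrix(vrfs):
    """Map each importing VRF to the VRFs whose routes it accepts.

    A route exported by VRF X is installed in VRF Y when at least one RT
    attached on export by X appears in Y's import list.
    """
    matrix = {name: {} for name in vrfs}
    for importer, exporter in permutations(vrfs, 2):
        matching = vrfs[importer]["import"] & vrfs[exporter]["export"]
        if matching:
            matrix[importer][exporter] = matching
    return matrix


def isolation_violations(vrfs, shared_services):
    """List (importer, exporter, RTs) where two non-shared VRFs exchange routes.

    Only the shared-service VRFs are expected to see routes from more than
    one customer; any customer-to-customer import is reported.
    """
    findings = []
    for importer, sources in import_matrix(vrfs).items():
        if importer in shared_services:
            continue
        for exporter, rts in sources.items():
            if exporter not in shared_services:
                findings.append((importer, exporter, sorted(rts)))
    return sorted(findings)


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, isolation_violations(policy, {"INTERNET"}))
```
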

  • MPLS BGP routes push to DMVPN spokes

    I have an MPLS with BGP. I also have sites that are not connected directly to the MPLS, but have a s2s VPN to hub sites that are connected to the MPLS and that way they access the MPLS resources. I need to communicate the route changes to the MPLS when the DMVPN fails-over to another hub.
    Currently this is my config:
    Datacenter (MPLS only)
    interface GigabitEthernet0/1
     description MPLS
     ip address 192.168.0.34 255.255.255.252
    interface Vlan2
     ip address 192.168.96.2 255.255.255.0
    router bgp 65511
     bgp log-neighbor-changes
     network 192.168.96.0
     neighbor 192.168.0.33 remote-as 65510
    Hub site 1 (MPLS + internet)
    interface Tunnel200
     ip address 10.99.99.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication auth
     ip nhrp map multicast dynamic
     ip nhrp network-id 12345
     ip nhrp holdtime 600
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 200
     tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
     description MPLS
     ip address 192.168.1.2 255.255.255.0 secondary
     ip address 192.168.0.2 255.255.255.252
    router bgp 65001
     bgp log-neighbor-changes
     network 192.168.1.0
     network 192.168.21.0
     !10.99 clients are DMVPN spokes
     neighbor 10.99.99.3 remote-as 99010
     neighbor 10.99.99.3 route-reflector-client
     neighbor 10.99.99.21 remote-as 99001
     neighbor 10.99.99.21 route-reflector-client
     !as 65000 is the MPLS PE
     neighbor 192.168.0.1 remote-as 65000
    Hub Site 2, has the same configuration, except for local ip address and router BGP ID.
    Spoke site:
    interface Tunnel200
     ip address 10.99.99.3 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication auth
     ip nhrp map 10.99.99.1 PUBLIC_IP_HUB_1
     ip nhrp map 10.99.99.16 PUBLIC_IP_HUB_2
     ip nhrp network-id 12345
     ip nhrp holdtime 600
     ip nhrp nhs 10.99.99.1 priority 1
     ip nhrp nhs 10.99.99.16 priority 5
     ip nhrp nhs fallback 60
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 200
     tunnel protection ipsec profile dmvpn
    interface GigabitEthernet0/1
     description Internal
     ip address 192.168.3.1 255.255.255.192
    router bgp 99010
     bgp log-neighbor-changes
     network 192.168.3.0
     neighbor 10.99.99.1 remote-as 65001
     neighbor 10.99.99.16 remote-as 65013
    On this spoke site 
    #sh ip route
    B 192.168.1.0/24 [20/0] via 10.99.99.1, 00:47:01
    which is the HUB network, but the rest of the MPLS routes are not "learned".
    What am I missing?
    Thanks!

    Hi Jon, I've omitted the configuration of the MPLS provider routers in between.  The DC is connected to a router that has the AS 65510.
    DC:CPE---PE:{MPLS}PE---CPE:HUB---{internet}---Spoke
    The DC is ok getting the network information via BGP:
    #sh ip route
    B 192.168.3.0/24 [20/0] via 192.168.0.33, 3d05h
    B 192.168.21.0/24 [20/0] via 192.168.0.33, 3d05h
    #sh ip bgp 192.168.21.0
    BGP routing table entry for 192.168.21.0/24, version 559
    Paths: (1 available, best #1, table default)
    Not advertised to any peer
    Refresh Epoch 1
    65510 3549 6140 3549 65000
    192.168.0.33 from 192.168.0.33 (###.###.###.###)
    Origin IGP, localpref 100, valid, external, best
    #sh ip route 192.168.21.0
    Routing entry for 192.168.21.0/24
    Known via "bgp 65511", distance 20, metric 0
    Tag 65510, type external
    Last update from 192.168.0.33 3d05h ago
    Routing Descriptor Blocks:
    * 192.168.0.33, from 192.168.0.33, 3d05h ago
    Route metric is 0, traffic share count is 1
    AS Hops 5
    Route tag 65510
    MPLS label: none
    Spoke:
    #sh ip bgp
    BGP table version is 494, local router ID is 192.168.21.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
    x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found
    Network Next Hop Metric LocPrf Weight Path
    *> 10.0.129.32/27 10.99.99.16 0 65013 65012 3549 ?
    *> 192.168.96.0 10.99.99.16 0 65013 65012 3549 6745 65510 ?
    #sh ip route 192.168.96.0
    Routing entry for 192.168.96.0/24
    Known via "bgp 99001", distance 20, metric 0
    Tag 65013, type external
    Last update from 10.99.99.16 00:02:11 ago
    Routing Descriptor Blocks:
    * 10.99.99.16, from 10.99.99.16, 00:02:11 ago
    Route metric is 0, traffic share count is 1
    AS Hops 5
    Route tag 65013
    MPLS label: none
    #sh ip bgp 192.168.96.0
    BGP routing table entry for 192.168.96.0/24, version 465
    Paths: (1 available, best #1, table default)
    Not advertised to any peer
    Refresh Epoch 2
    65013 65012 3549 6745 65510
    10.99.99.16 from 10.99.99.16 (10.2.16.1)
    Origin incomplete, localpref 100, valid, external, best
    The route is not being updated to the rest of the routers, and the 192.168.21.0 network is still announced via the old route.
    (from spoke)
    ping 192.168.96.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.96.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    From DC
    #traceroute 192.168.21.1
    Type escape sequence to abort.
    Tracing the route to 192.168.21.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.0.33 [AS 65510] 0 msec 0 msec 0 msec
    2 172.50.1.33 [AS 65510] 56 msec 36 msec 36 msec
    3 10.80.1.1 [AS 3549] 44 msec 44 msec 44 msec
    4 10.80.1.2 [AS 3549] 172 msec 172 msec 168 msec
    5 172.50.1.1 [AS 3549] 168 msec 168 msec 172 msec
    6 172.50.1.2 [AS 3549] 180 msec 180 msec 176 msec
    7 192.168.0.2 [AS 65000] 172 msec 172 msec 168 msec <- old route, should be 192.168.0.9
    8 192.168.0.2 [AS 65000] !H * !H

  • Cell-mode MPLS / IP routing

    I am studying for CCIP and with my limited knowledge of ATM there is something I don't understand.
    When running cell-mode MPLS over an MPLS-aware ATM network, are the ATM switches acting as layer 3 routers? If so, how?

    Hi,
    yes one converts ATM switches into routers, so to say. Data plane will still be ATM cell switching. But the control plane is modified and VC setup is controlled by IP routing and LDP.
    One can add the IP routing and LDP capability by adding software to IOS based ATM switches (like 8540) or by adding a real router as Label switch controller (f.e. 7200/RPM to BPX or MGX).
    Hope this helps
    Martin
    P.S.: please rate all posts.

  • MPLS : IGP route aggregation and broken LSPs.

    If I do (IGP) route aggregation inside an MPLS domain, it would break LSPs created between end-points, I mean ingress-egress points (PEs), that have the node deploying route aggregation in their path.
    Also, LSP creation is topology driven, not traffic driven; and LSPs are created
    among all possible ingress/egress points/options inside an MPLS domain.
    However, as far as I think I know, LSPs are always established between PEs'
    (Edge-LSRs) router-ids, and so the egress PE does Layer 3 forwarding (as a result of penultimate hop popping) when routing toward a CE.
    01) Is that right?
    If so, I understand that if I allocate a CIDR to a PE and all its customers' WAN & LAN prefixes (or if you prefer, all the PE's connected and static routes) are subnets of this CIDR, the PE IGP could
    advertise to other PEs only one route regarding the whole CIDR instead of all its subnets, without breaking any LSP that has this PE as one of its endpoints.
    02) Did I make myself clear ?
    03) Is that right ?
    Yours Truly.
    Murilo Pugliese.

    Say you are summarising on Router 1, Router 2 receives the summarised route, and Router 3 is the loopback you are trying to reach. Router 1 will generate a label for the summarised route. When the packet comes to Router 2, it will do an IP lookup for Router 3, as the label is for the summarised route, and hence the LSP breaks.
    I am sure someone will correct me if I am wrong.

  • MPLS Customer router physical interface

    My provider wants to sell me MPLS services but I can't seem to get a straight answer regarding what the physical interface on my customer router needs to be.  Some personnel tell me it will be a normal ethernet connection, other say it'll be a DS3 or T1 connection depending on the speed.
    Please give me some advice on what to expect regarding an MPLS circuit?  Or point me to some good documentation to maybe I can communicate better with the service provider.
    Thank you.

    Hi Tod
    A few points from my side for your query:
    The access link should be considered based on whether we are going for an MPLS L3 VPN or an MPLS L2 VPN solution.
    MPLS L3 VPN, from my understanding, is independent of the access media, but the access media will definitely put different hardware requirements on your Customer Edge router.
    The access link type and bandwidth would vary depending upon the BW requirements for the network. T1/T3 or subrate T3 access links would be a choice when we have BW requirements in that range (<45 Megs).
    Using FE as an access link would require the SP to provide colocation services, or rather go for spanning a fiber out from their colo and deploying an optical mux at the customer premises, and is again suitable for BW requirements of more than 45 Megs.
    MPLS L2 VPN
    Ethernet is the choice for taking MPLS L2 VPN services to connect your different branches in a point-to-multipoint fashion using VPLS at the SP end.
    You can go through the Cisco doc "Layer 3 MPLS VPN Enterprise Consumer Guide", which should help you gain more insight for choosing the PE-CE routing protocol and other points to consider for an MPLS L3 VPN service.
    That's from my understanding. Hope you will get more good advice on this.
    Regards
    Vaibhava Varma

  • MPLS L3 Route - 7600

    Hi,
    We have an MPLS L3 VPN between our branches, and recently we are facing problems with branch connectivity.
    Our setup is a 7609 router connected to a CE 3900 branch router; we are using an interface VLAN to route to the subnets behind the CE.
    The CE uses a sub-interface with 802.1q to interconnect with the right VLAN on the PE. The issue is that we are able to ping the P2P IP between
    PE-CE, while the subnets behind the CE, including the physical CE inside IP, are not pingable. Sometimes if we initiate the ping from the CE, sourcing traffic
    from the inside interface, then bidirectional ping works for some time and then it stops.
    The correct VRF route and redistribution are already in place; the same setup is used for hundreds of sites, and only new sites are getting this issue.
    The more interesting thing: while we are unable to ping the inside CE IP, some host/server IPs are reachable and work fine.
    We tried to find any bug that might be related to the same issue, without any luck.
    PE:  CISCO7609
    IOS: c7600s72033-advipservicesk9-mz.122-33.SRE5.bin
    Any help will be appreciated.
    Mohamed.

    Hi Mohammed
    Are you trying to ping from remote side ?
    Can you provide interface configuration between CE & PE, and routing protocol configuration between CE & PE
    If you have EBGP, have you configured ebgp next-hop-self ?
    Did you try to traceroute from both side and see where it's blocking ?
    Regards,
    Sandip

  • MPLS VPN routes with core IGP costs

    Hi,
    Is there any way to use the IGP cost between PEs, and pass that into the VRF prefixes?
    For example:
    A branch site has 2x CEs (CE-A & CE-B), each with a link to a different PE (PE-A & PE-B). EBGP is used between CE-PE. IBGP Between CE-A & CE-B. CE-C is also connected to PE-B with EBGP.
    Without any manual intervention, the link from CE-A to PE-A and the link from CE-B to PE-B would be equal cost away. In reality it would be preferable (in our case at least) for traffic destined to CE-C to use the CE-B to PE-B link, because it would result in a shorter path in the core.
    I have been looking for a way to use the IGP metric associated with the VRF route next hop. Ideally, I would like to have the option to copy the IGP cost to next hop into the VRF prefix's MED field... or if you're already using MED as a metric then perhaps the option to ADD the IGP cost to next hop to the existing MED value. I was hoping you would be able to do this with an Import Map on the VRF but I can't see a way of achieving this.
    Is there another way to get this result?
    Thanks,
    Peter

    Hi Giuseppe
    Thanks very much for your response but I think perhaps I did not explain my question correctly...
    What I was trying to achieve was to influence the routing at the branch (CE level with the use of MED), rather than at the PE VRF as you have described with Local Preference.
    I would like the branch AS (consisting of CE-A & CE-B) to choose the link between CE-B - PE-B to get to CE-C's networks, because it is directly connected or has an IGP cost of 0.
    I'm aware I can do this on CE-B by identifying the prefixes from that AS and applying a route-map on CE-B, but I was hoping there was a solution that would be more automatic and less admin overhead by being able to copy the IGP cost into the BGP MED field, as this would then be sent to the CE-B. The prefix sent from PE-A to CE-A would have a higher IGP cost and so would send a higher MED. I hope what I'm trying to explain makes sense.
    If this is not possible (I can't find any reference to such a feature...) then are you aware of any other feature that would result in similar behaviour without having to manually identify prefixes with route maps? The best I can come up with so far is to tag routes into each PE with a community and use a route-map outbound on PE to CE to add a higher MED value to prefixes that do not contain this same community... Or perhaps this can be done with the SOO attribute. The trouble with this method is it only works for PEs with directly connected CEs. It would be nice to leverage the information in the IGP routing table...
    Thanks,
    Peter

  • MPLS PE Route Availability

    Just learning, but from the enterprise perspective, after successfully creating the MPLS VPN from CE-PE-PE-CE is it possible for either CE device to access networks originating on the PE; other than the vrf forwarding interface?
    Thanks In Advance!

    If the configuration allows, only then the CE would be able to access PE networks.
    Regards.

  • Problems setting up MPLS

    A Chairde,
    Am having problems setting up MPLS between an AS5350 and a 7609. I have used the commands stated in this link to enable MPLS incrementally on a network.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_c/xcprt4/xcdtagc.pdf
    The commands below are added to each router, and some troubleshooting.
    7609
    ip cef distributed
    interface Loopback0
     ip address 192.168.254.1 255.255.255.255
    tag-switching advertise-tags
    interface GigabitEthernet3/12
     ip address 192.168.230.162 255.255.255.248
     mpls label protocol tdp
     tag-switching ip
    AS5350
    ip cef
    mpls label protocol tdp
    tag-switching advertise-tags
    interface Loopback0
     ip address 192.168.254.2 255.255.255.255
    interface FastEthernet0/0
     ip address 192.168.230.161 255.255.255.248
     duplex auto
     speed auto
     mpls ip
     h323-gateway voip interface
     h323-gateway voip id cnibhco111 ipaddr 192.168.230.129 1719
     h323-gateway voip h323-id cnibhco112
     h323-gateway voip tech-prefix 71401
     h323-gateway voip tech-prefix 0030
     h323-gateway voip bind srcaddr 192.168.230.161
     ip rsvp bandwidth 64 64
    cnibhco112#sh tag-switching tdp neighbor
    Peer TDP Ident: 192.168.254.1:0; Local TDP Ident 192.168.230.161:0
    TCP connection: 192.168.254.1.49842 - 192.168.230.161.711
    State: Oper; PIEs sent/rcvd: 18/23; Downstream
    Up time: 00:12:54
    TDP discovery sources:
    FastEthernet0/0, Src IP addr: 192.168.230.162
    Addresses bound to peer TDP Ident:
    cnibhco112#
    cnibhco112#sh tag-switching forwarding-table 192.168.254.1 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Hop
    tag tag or VC or Tunnel Id switched interface
    cnibhco112#traceroute 192.168.254.1
    Type escape sequence to abort.
    Tracing the route to 192.168.254.1
    1 192.168.230.162 0 msec 0 msec *
    cnibhco112#traceroute 192.168.230.162
    Type escape sequence to abort.
    Tracing the route to 192.168.230.162
    1 192.168.230.162 0 msec 0 msec *
    cnibhco112#

    Ro,
    Thanks for the response, have been playing with MPLS for the last few hours.
    The routing between the loopbacks is now working; I can ping the 7609 loopback from the AS5350, and vice versa (used static routes).
    Having a problem with TDP / LDP on the routers:
    the mpls label protocol ldp / tdp command works correctly on both routers, but the
    tag-switching tdp router-id Loopback0 force
    command works on the 7609, but when I add it onto the AS5350, the command "mpls ldp router-id Loopback0 force" appears in the startup script.
    The opposite is true for the 7609: you add the MPLS LDP command, and the TAG-SWITCHING command appears instead.
    Any ideas? Different configs of this leave me with a forwarding table with both tags added, but not being able to ping the loopbacks !!!
    When I can ping both loopbacks, the OUTGOING TAG disappears.....
    Problem is the LOOPBACK commands on both routers default to LDP (AS5350), or TDP (7609). Any ideas ...
    mpls label protocol tdp
    tag-switching tdp router-id Loopback0 force
    mpls label protocol tdp
    mpls ldp router-id Loopback0 force
    cnibhco100#sh tag-switching forwarding-table 192.168.254.2 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Ho
    tag tag or VC or Tunnel Id switched interface
    18 17 192.168.254.0/24 0 Gi3/12 192.168.2
    MAC/Encaps=14/18, MRU=1500, Tag Stack{17}
    00097CA3293000127FCDBA808847 00011000
    No output feature configured
    Per-packet load-sharing
    cnibhco100#traceroute 192.168.254.2
    Type escape sequence to abort.
    Tracing the route to 192.168.254.2
    1 192.168.230.161 [MPLS: Label 17 Exp 0] 0 msec 0 msec 0 msec
    2 192.168.230.162 0 msec 0 msec 0 msec
    But no PINGING 192.168.254.2
    cnibhco112#sh tag-switching forwarding-table 192.168.254.1 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Hop
    tag tag or VC or Tunnel Id switched interface
    17 18 192.168.254.0/24 1915668 Fa0/0 192.168.230.162
    MAC/Encaps=14/18, MRU=1500, Tag Stack{18}
    00127FCDBA8000097CA329308847 00012000
    No output feature configured
    Per-packet load-sharing
    cnibhco100#sh tag-switching forwarding-table 192.168.254.2 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Ho
    tag tag or VC or Tunnel Id switched interface
    18 17 192.168.254.0/24 752551 Gi3/12 192.168.2
    MAC/Encaps=14/18, MRU=1500, Tag Stack{17}
    00097CA3293000127FCDBA808847 00011000
    No output feature configured
    Per-packet load-sharing
    WHEN BOTH LOCAL AND OUTGOING TAG, CANNOT PING EITHER WAY !!!
    HAVE LABEL PROTOCOL AND LOOPBACK FORCE on AS5350
    HAVE LABEL PROTOCOL ON 7609
    WHEN ADD LOOPBACK FORCE on 7609 , CAN PING BOTH LOOPBACKS,
    BUT OUTGOING TAG DISAPPEARS
    cnibhco112#PING 192.168.254.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.254.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    cnibhco112#sh tag-switching forwarding-table 192.168.254.1 detail
    Local Outgoing Prefix Bytes tag Outgoing Next Hop
    tag tag or VC or Tunnel Id switched interface
    17 Untagged 192.168.254.0/24 598678 Fa0/0 192.168.230.162
    MAC/Encaps=0/0, MRU=1504, Tag Stack{}
    No output feature configured
    Per-packet load-sharing
    cnibhco112#
    mpls label protocol tdp
    tag-switching tdp router-id Loopback0 force

  • HTTPS certificate problem on MPLS

    Hi everyone,
    We are currently migrating our network from IP to MPLS and we have encountered an issue with only one application, which uses a security certificate through HTTPS. All other services are OK, such as HTTP, FTP, mailing, etc.
    Network description:
    The network architecture is composed of 4 core routers (which play the role of P and PE at the same time) and 2 border routers (B1 and B2) linked to the Internet via STM1 - POS interfaces.
    Each border router is connected to two core routers (C1 and C2) by GigabitEthernet links.
    Please also note that there is a DPI (Deep Packet Inspector, model Arbor 100) between each border and core.
    Core routers C1, C2, C3 and C4 are connected to each other by GigabitEthernet links.
    B1 and B2 are linked to the Internet by STM1 (POS) using eBGP.
    OSPF is used as the infrastructure routing protocol between all equipment.
    (cf. the network diagram attached)
    Configuration :
    When migrating to MPLS, we fixed interfaces MTU at 9216 and the MPLS MTU at 1512 on all concerned interfaces from Core to Border routers.
    Below is a sample configuration.
    mpls ip
    mpls label protocol ldp
    mpls ldp router-id loopback0
    interface GigabitEthernet1/1
     mtu 9216
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 XXXXXXXXXXX
     ip ospf network point-to-point
     ip ospf cost 1
     ip ospf hello-interval 1
     mpls mtu 1512
     mpls ip
    Problem :
    The service application uses a server on the local network (linked via a CE router) which sends HTTPS requests and files to a server located on the Internet.
    When MPLS is activated only on the Core-To-Core interfaces (C1, C2, C3 and C4) the application is working properly.
    But when MPLS is expanded to the Core-To-Border / Border-To-Core interfaces, this specific application fails, as it appears that the certificate server sees a corrupted frame: some bits have been added to the normal frame. But all other services (HTTP, FTP, everything,)
    Below are the major differences between the Border and Core router connection schemes:
    A DPI device between Core and Border,
    GigabitEthernet is used for the Border-To-Core and Core-To-Core links, STM1 (POS) is used for the Border-To-Internet (IP) links,
    The MTU size on the STM1 interface is fixed at 4470; an MTU size of 9216 is assigned to GE interfaces (Border-To-Core, Core-To-Core)
    Regards.

    Hi,
    Would it be possible to disable the functionality of the DPI (passthrough mode?) and test again?
    MPLS labels or not on the packet should not make a difference wrt HTTPS only (in theory).
    Since you mention corrupted frames, taking a packet capture should show you if this is true or not.
    Thanks,
    Luc

  • Database tool for routing table history changes

    Dear Community, I'm looking for a freeware tool to hold history changes in routing tables for a small to medium network running BGP, OSPF and MPLS VPN routing tables via VRFs. This tool needs a way to compare the database in order to know if these are the same over time.
    Is there a way to do this in Cisco Works?
    Thanks in advance for your recommendations.

    Julius,
    There are no industry recommended open source DB tools.
    Normally it depends upon the developer preferences that how he/she wants to see the tool usability.
    I can suggest you to go through the below link:
    http://sourceforge.net/search/?type_of_search=soft&words=SQL+Tools
    You can find many open source SQL tools, which you have to test and select one among them.
    I can suggest you to use:
    1) TOra
    2) Easy SQL
    3) SQuirrel
    "Choose a tool which is easy to use and efficient; don't worry about look and feel"
    Best of Luck

  • Do I need "advanced license" to run MPLS on ME3600X?

    Those who have dealt with ME3600X switch, can you tell me if I need to purchase the “Advanced Metro IP Access License” in order to run L2/L3 MPLS VPN? The license is $3995 in addition. It is a big cost for us. More specifically, I want to know if the following commands are supported with the license comes with the switch. No advanced MPLS features like traffic engineering is required at this point.
    ip vrf vpnA
     rd 100:1
     route-target export 100:1
     route-target import 100:1
    interface Ethernet1/0
     ip vrf forwarding vpnA
    interface Ethernet1/1
     mpls ip
    router ospf 1 vrf vpnA
     log-adjacency-changes
     area 1 sham-link 12.12.100.4 12.12.100.5
     redistribute bgp 100 metric-type 1 subnets
     network 12.12.128.130 0.0.0.0 area 1
    router bgp 100
     no synchronization
     bgp router-id 12.12.4.4
     bgp log-neighbor-changes
     neighbor 12.12.5.5 remote-as 100
     neighbor 12.12.5.5 update-source Loopback0
     no auto-summary
     address-family vpnv4
      neighbor 12.12.5.5 activate
      neighbor 12.12.5.5 send-community both
     exit-address-family
     address-family ipv4 vrf vpnA
      redistribute ospf 1 vrf vpnA match internal external 1 external 2
      no synchronization
      network 12.12.100.4 mask 255.255.255.255
     exit-address-family
    mpls ldp router-id Loopback0 force

    Hi dear,
    according to the information available on CCO over here
    http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps10956/data_sheet_c78-601946.html
    you indeed need to get that license in your gear to let it run MPLS.
    The commands highlighted in red should work after that.
    HTH,
    Ivan.

  • Load-balancing in MPLS Core

    How is load-balancing achieved in MPLS L3 vpns and equal cost multiple links exist to reach egress PE along with per-destination load-balancing enabled on interfaces.
    I have tried to simulate the network below
    Ingress PE--->P1--->>P2--->Egress PE
    Multiple equal cost links exist between P1 and P2, cisco platform,LDP, IGP-ospf being used.

    Hi,
    Destination based load balancing in MPLS L3VPNs can be categorized into two scenarios:
    1) multiple paths between two PE routers
    2) multiple access links to a single CE or site
    Your question as I understand it was about the first scenario. So let me first quickly review how customer traffic is forwarded between VRFs on two different PE routers.
    The VRF routing table will have BGP entries for the routes learned from the remote PE usually with next hop addresses being the remote PE loopback IP used for PE-to-PE BGP peering.
    The traffic will be forwarded across P routers using the label for the BGP next hop.
    Thus the load balancing across the MPLS core in a first step is decided by the IGP, which has to insert several equal cost paths into the global routing table for the BGP next hop networks (PE loopbacks).
    Side note: MPLS traffic engineering in the core would allow for unequal cost load balancing.
    The decision, which labeled packet to send across which path in the core is done by CEF using a hash algorithm. To achieve the same load balancing as with unlabeled IP traffic, a Cisco MPLS enabled router will look for the bottom label - the one with bottom-of-stack bit set to 1 - and try to determine, if the transported packet behind the bottom label is IP. If so, the hash is calculated for the customer IP header like for normal IP traffic. This ensures all traffic for a certain customer destination will always go through the same path. No unwanted packet reordering will occur.
    Be aware, that the customer IP packet header will only be used for CEF hash calculation, no IP lookup will be performed, as core routers in MPLS L3VPNs do not have any knowledge about customer addresses.
    As a side note: if the traffic transported is not IP (e.g. Ethernet over MPLS), the bottom label will be used for the CEF load balancing (e.g. the VC label).
    For the second scenario - CE load balancing with multihomed CE/sites - it is first required to have two equal cost entries in the VRF routing tables. The difference will be the two different PE BGP next hop addresses. The first load balancing decision is then performed by CEF based on the IP packet received by the CE and the VRF routing table entries. Once CEF has decided which VRF entry to use, the required BGP next hop label (and the VPN label) is applied and the packet is transported across the MPLS core. Load balancing there is done as described above.
    Hope this helps! Please rate all posts.
    Regards, Martin
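An added sketch of the hashing decision described in the answer above (not from the original post and not Cisco's implementation): walk the label stack to the entry with the bottom-of-stack bit set, hash the customer IP addresses if the payload looks like IP, otherwise hash the bottom label. The first-nibble IP check and the CRC32 hash are assumptions standing in for the platform's behaviour, and all packets are constructed samples.

```python
import ipaddress
import struct
import zlib


def decode_lse(word4):
    """Decode one 4-byte label stack entry: label(20) exp(3) S(1) TTL(8)."""
    (word,) = struct.unpack("!I", word4)
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1, "ttl": word & 0xFF}


def parse_label_stack(buf):
    """Walk the stack until the entry with S=1; return (entries, payload)."""
    entries, off = [], 0
    while True:
        if len(buf) - off < 4:
            raise ValueError("label stack ends before bottom-of-stack bit")
        entries.append(decode_lse(buf[off:off + 4]))
        off += 4
        if entries[-1]["s"]:
            return entries, buf[off:]


def hash_key(buf):
    """Pick the bytes a core router would hash for a labeled packet.

    Assumption of this example: the payload is treated as IP when its first
    nibble is 4 or 6. The transport labels and TTL never enter the key.
    """
    entries, payload = parse_label_stack(buf)
    if payload:
        version = payload[0] >> 4
        if version == 4 and len(payload) >= 20:
            return "ipv4", payload[12:20]      # source + destination address
        if version == 6 and len(payload) >= 40:
            return "ipv6", payload[8:40]       # source + destination address
    # Not IP (e.g. Ethernet over MPLS): fall back to the bottom label.
    return "label", struct.pack("!I", entries[-1]["label"])


def select_path(buf, n_paths):
    """Map the key onto one of n equal-cost paths (CRC32 is a stand-in hash)."""
    kind, key = hash_key(buf)
    return zlib.crc32(kind.encode() + key) % n_paths


def lse(label, s, exp=0, ttl=64):
    """Build one label stack entry (helper for the constructed samples)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def ipv4_header(src, dst):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed samples: same customer flow, different transport label and TTL.
PKT_A = lse(17, 0) + lse(100, 1) + ipv4_header("10.1.1.10", "10.2.2.20")
PKT_B = lse(18, 0, ttl=63) + lse(100, 1) + ipv4_header("10.1.1.10", "10.2.2.20")
# Constructed EoMPLS-style payload: an Ethernet header behind VC label 200.
PKT_EOMPLS = (lse(17, 0) + lse(200, 1)
              + bytes.fromhex("00112233445500aabbccddee0800") + bytes(32))

if __name__ == "__main__":
    for name, pkt in (("A", PKT_A), ("B", PKT_B), ("EoMPLS", PKT_EOMPLS)):
        print(name, hash_key(pkt)[0], "-> path", select_path(pkt, 4))
```
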

  • MPLS for small network

    In the past we have always had point to point links between our 3 remote offices and our corporate office. We're now switching to a MPLS network for all four sites.
    We currently use Cisco 1721 routers for our WAN. What protocol should we use for routing across this new MPLS network? I'm also looking for a document what else I may need to configure for this MPLS design on the router itself.
    We will have 1721 routers at all sites.

    Hi,
    for you as a customer the most appropriate picture is: The MPLS VPN behaves like one single IP router interconnecting your sites.
    In your case just consider your 4 1721 being connected to one ISP router. There is no MPLS specific config needed on your 1721, MPLS is only within your ISP network.
    This means: you send IP routing updates from one site to the "MPLS IP router simulator" and the updates will be sent further on to the other 3 1721. You forward an IP packet to the "MPLS IP router simulator" and it forwards it as IP packet to one of your other 3 1721.
    If you are not dual homed or using backups then RIP would address all your needs. Also static routing might be suitable and the most simple approach in your scenario.
    Hope this helps! Please rate all posts.
    Regards, Martin
