Route Leaking in MPLS/VPN Networks (IOX support)

Similar Messages

• Injecting Global default Routes into a MPLS VPN

  Hi,
  I have a PE router running MPBGP which receives two default routes to the internet through an IPV4 BGP session. I need to import these routes in to a VRF and export them to different customer VRFs so that these VRFs are able to access Internet.
  I have used the feature called "BGP Support for IP Prefix Import from Global Table into a VRF Table" (URL:http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803b8db9.html#wp1063870)
  and imported these routes into a VRF.
  The issue is these routes are not propagated to any of the other PE routers which has customer VRFs configured.
  Has anybody tried this or a similar method to inject a dynamic default route into a MPLS VPN.
  Any suggestions would be highly appreciated.
  Thanks
  Subhash

  Hi Subhash,
  is there anything preventing you from terminating your internet BGP sessions in a VRF? Then everything should go smoothly, i.e. standard VRF import/export.
  So possibility A) create a VRF Internet, move bgp neighbor commands there and use filters preventing anything but the default route, then use route targets to distribute the default route into other VRFs.
  Possibility B) use static routing with packet leaking. Could look like this:
  ip route vrf Internet 0.0.0.0 0.0.0.0 global
  ip route vrf Internet 0.0.0.0 0.0.0.0 global 250
  ip route Serial0/0 !assuming this is where the customer router connects.
  Note: the BGP peer IP does not have to be directly connected! There has to be a LDP label for it though. so include your BGP peers network into your IGP and the backup will work, when you loose the link to the peer.
  Hope this helps! Please rate all posts.
  Regards, Martin

• Managing Route-Map based MPLS VPN

  1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
  2) Is there any MIB to get from the MIB
  a) Route-maps tied to each VRF
  b) What is the filter associated with each route-map?
  c) Definition of each of the above filter
  It would have been nice if the route-maps' name had global-significance within AS, so that we could have treated route-maps, pretty much like the route-tragets. Alas, I doubt it is :(
  It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straight forward throught MplsVpn MIB.
  So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
  Thanks,
  Suresh R

  Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
  The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html

• MPLS/VPN network load balancing in the core

  Hi,
  I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
  CE---PE===P===PE---CE
  I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
  Thank you for your help!
  Gabor

  Hi,
  On the PE router you could set different types and 2 levels of load-balancing.
  For instance, in case of a DUAL-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
  PE1 receives this prefix via eBGP session from CE1 and keep this route as best due to external state.
  PE2 receives this prefix via eBGP session from CE2 and keep this route as best due to external state.
                               eBGP
                       PE1 ---------CE1
  PE3----------P1                          Subnet A
                       PE2----------CE2 /
                              eBGP
  Therefore from PE3 point of view, 2 routes are available assuming that IGP metric for PE3/PE1 is equal to PE3/PE2.
  The a 1rst level of load-sharing can be achieve thanks to the maximum-paths ibgp number command.
  2 MP-BGP routes are received on PE3:
  PE3->PE1->CE1->subnet A
  PE3->PE2->CE2->subnet A
  To use both routes you must set the number at 2 at least : maximum-paths ibgp 2
  But gess what, in the real world an MPLS backbone hardly garantee an equal IGP cost between 2 Egress PE for a given prefix.
  So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
  By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface avoiding reordering the packets on the target site. Overwise it is possible to use "per-packet" load-balancing.
  Then a 2nd load-sharing level can occur.
  For instance:
           __P1__PE1__CE1
  PE3           \/                   Subnet A
          \ __P2__PE2__CE2
  There is still 2 MP-BGP paths :
  PE3->P1->PE1->CE1->subnet A
  PE3->P1->PE2->CE2->subnet A
  But this time for 2 MP-BGP paths 4 IGP path are available:
  PE3->P1->PE1->CE1->subnet A
  PE3->P1->PE2->CE2->subnet A
  PE3->P2->PE1->CE1->subnet A
  PE3->P2->PE2->CE2->subnet A
  For a load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-path 4 "command in the IGP (ex OSPF) process.
  Therefore if those 4 paths are equal-cost IGP paths then a 2nd level load-balancing is achieved. the default behabior is the same source destination mechanism to selected the "per-session" path as mentionned before.
  On an LSP each LSR could use this feature.
  BR

• Implemting a Sprint MPLS/VPN

  Hello
  I'm implmenting a Sprint MPLS/VPN network. This is a point to point between two of my locations. The connection is handed of to me as a serial connection and I will be connecting to cisco 2800 on bothe ends. Does anyone have what a sample config might look like for my Cisco rotuer?
  Thanks in advance

  HI, [Pls Rate if HELPS]
  In addition to JOE POST,
  You need to configure as normal CE Router. You can handover your Network Traffic either via some DYNAMIC Routing Protocols (BGP, EIGRP, OSPF, RIP) or Static Routing at LAST MILE towards your Service Provider.
  At the Service Provider Side, the Connected Interface with your CE will be added with "ip vrf forwarding " command. Where seperate Routing instance will be maintained on top of Global Routing Table. The MPLS Labels are swapped over their Backbone / partner - NNI to carry your traffic over a Label Switched Path.
  For an MPLS to work, the IP-CEF will be enabled. This kind of MPLS Technology, will enable fast processing of Packets and Traffic over the Large Scale Network.
  Similarly the RT & RD Values are used to distinguish the Customer Prefixes. The RT export and Import will be done at end - to - end at Service Provider Side Routers to make the HO & BO to communicate.
  The CE Router will not involve any MPLS / VRF Configuration Technology.
  Hope I am Informative.
  Pls Rate if HELPS
  Best Regards,
  Guru Prasad R

• Viewing MPLS/VPN packet

  Hi there,
  I would like to know, is there any features on cisco router to view mpls/vpn packet swapping here and there at P,PE or CE routers especially in service provider networks just like "sh ip cache flow" ?
  thanks in advance.
  maher

  MPLS-aware NetFlow should provide you with this functionality. For more information, please refer to the following link:
  http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1829/products_feature_guide09186a008012dc80.html
  Hope this helps,

• L3-MPLS VPN Convergence

  Perhaps someone on this group can identify the missing timers/processing-delays in end-to-end client route convergence
  Scenarios:
  a) BGP New route Advertised by Cleint(CPE1)
  b) BGP Route withdrawn by Client(CPE1)
  PE-to-RR i-M-BGP (Logical)
  ========= ----RR------ ======
  " | | "
  CPE1---->PE1------->P1-------->P2---->PE2----->CPE2
  | |
  --------->P3-------->P4-------
  Routing:
  - eBGP btw CPE and PE (any routing prot within Cust site),
  - OSPF, LDP in Core,
  Timers/Steps I'm aware of:
  - Advertisement of routes from CE to PE and placement into VRF
  - Propagation of routes across the MPLS VPN backbone
  - Import process of these routes into relevant VRFs
  - Advertisement of VRF routes to attached VPN sites
  - BGP advertisement-interval: Default = 5 seconds for iBGP, 30 for eBGP
  - BGP Import Process: Default = 15 seconds
  - BGP Scanner Process Default = 60 seconds
  Would appreciate if you someone can identify any missing process-delay, timers? specially w.r.t RR.
  Thanks
  SH

  Check the LDP/TDP timers in the core. Remember if a link fails in the core, reroute occurs, LDP/TDP binding needs to be renewed. tags are binded on those routes being in the routing table (IGP). So, there is a delay possible from a core prespective:
  mpls ldp holdtime
  mpls ldp discovery hello [holdtime | interval]
  In case you are using TE check these:
  mpls traffic-eng topology holddown
  mpls traffic-eng signalling forwarding sync
  mpls traffic-eng fast-reroute timers promotion
  I believe the latter one onyl applies to SDH. In which you use segment loss feature.
  Regards,
  Frank

• Leaking MPLS VPN learned routes from VRF to Global

  I'm trying to leak routes from a VRF to global. I can get the routes leaked from directly connected CE to the global, however I can't get the routes from remote CE's to leak in to the global routing table. Below are my configurations
  RP/0/0/CPU0:B25BR1#sh run vrf TR
  Wed Dec 17 22:40:33.772 UTC
  vrf TR
   address-family ipv4 unicast
    import route-target
     65000:7020
    export to default-vrf route-policy TR-2-GLOBAL
    export route-target
     65000:7020
  RP/0/0/CPU0:B25BR1#sh rpl route-policy TR-2-GLOBAL
  Wed Dec 17 22:40:50.851 UTC
  route-policy TR-2-GLOBAL
    if destination in TR-2-GLOBAL then
      pass
    endif
  end-policy
  RP/0/0/CPU0:B25BR1#sh rpl prefix-set TR-2-GLOBAL
  Wed Dec 17 22:40:57.861 UTC
  prefix-set TR-2-GLOBAL
    192.168.0.17/32,
    192.168.0.18/32,
    192.168.0.19/32,
    192.168.0.20/32
  end-set
  !Routes that I want to see also are  192.168.0.19/32 and 192.168.0.20/32 which are there in the VRF routing table
  RP/0/0/CPU0:B25BR1#sh route vrf TR
  Wed Dec 17 22:41:45.767 UTC
  Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
         U - per-user static route, o - ODR, L - local, G  - DAGR
         A - access/subscriber, a - Application route, (!) - FRR Backup path
  Gateway of last resort is not set
  B    10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
  C    10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
  L    10.1.0.6/32 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
  B    10.1.128.0/30 [20/0] via 10.1.0.5, 00:14:32
  B    192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
  B    192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
  B    192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
  B    192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
  RP/0/0/CPU0:B25BR1#sh ip rou
  Wed Dec 17 22:41:50.097 UTC
  Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
         U - per-user static route, o - ODR, L - local, G  - DAGR
         A - access/subscriber, a - Application route, (!) - FRR Backup path
  Gateway of last resort is not set
  S    10.0.0.0/27 is directly connected, 08:04:01, Null0
  O    10.0.0.4/30 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
  C    10.0.0.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
  L    10.0.0.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
  O    10.0.0.12/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                    [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    10.0.0.16/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    10.0.0.24/30 [110/3] via 10.0.128.9, 06:29:14, GigabitEthernet0/0/0/1
  O    10.0.0.28/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  S    10.0.128.0/29 is directly connected, 08:04:01, Null0
  O    10.0.128.0/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                     [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    10.0.128.4/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  C    10.0.128.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
  L    10.0.128.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
  S    10.1.0.4/30 is directly connected, 06:57:23, Null0
  S    10.1.128.4/30 is directly connected, 08:04:01, Null0
  C    10.18.0.0/16 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
  L    10.18.0.9/32 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
  L    127.0.0.0/8 [0/0] via 0.0.0.0, 08:04:04
  O    192.168.0.1/32 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
  O    192.168.0.2/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    192.168.0.3/32 [110/3] via 10.0.128.9, 08:03:40, GigabitEthernet0/0/0/1
  O    192.168.0.4/32 [110/3] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    192.168.0.5/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    192.168.0.6/32 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    192.168.0.7/32 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  L    192.168.0.8/32 is directly connected, 08:04:00, Loopback0
  B    192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
  B    192.168.0.18/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
  I'm only seeing the routes from the directly connected CE, but not the routes received from RR. What am I missing here?
  Thanks!
  -Sajith

  I'm trying to leak routes from a VRF to global. I can get the routes leaked from directly connected CE to the global, however I can't get the routes from remote CE's to leak in to the global routing table. Below are my configurations
  RP/0/0/CPU0:B25BR1#sh run vrf TR
  Wed Dec 17 22:40:33.772 UTC
  vrf TR
   address-family ipv4 unicast
    import route-target
     65000:7020
    export to default-vrf route-policy TR-2-GLOBAL
    export route-target
     65000:7020
  RP/0/0/CPU0:B25BR1#sh rpl route-policy TR-2-GLOBAL
  Wed Dec 17 22:40:50.851 UTC
  route-policy TR-2-GLOBAL
    if destination in TR-2-GLOBAL then
      pass
    endif
  end-policy
  RP/0/0/CPU0:B25BR1#sh rpl prefix-set TR-2-GLOBAL
  Wed Dec 17 22:40:57.861 UTC
  prefix-set TR-2-GLOBAL
    192.168.0.17/32,
    192.168.0.18/32,
    192.168.0.19/32,
    192.168.0.20/32
  end-set
  !Routes that I want to see also are  192.168.0.19/32 and 192.168.0.20/32 which are there in the VRF routing table
  RP/0/0/CPU0:B25BR1#sh route vrf TR
  Wed Dec 17 22:41:45.767 UTC
  Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
         U - per-user static route, o - ODR, L - local, G  - DAGR
         A - access/subscriber, a - Application route, (!) - FRR Backup path
  Gateway of last resort is not set
  B    10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
  C    10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
  L    10.1.0.6/32 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
  B    10.1.128.0/30 [20/0] via 10.1.0.5, 00:14:32
  B    192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
  B    192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
  B    192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
  B    192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
  RP/0/0/CPU0:B25BR1#sh ip rou
  Wed Dec 17 22:41:50.097 UTC
  Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
         U - per-user static route, o - ODR, L - local, G  - DAGR
         A - access/subscriber, a - Application route, (!) - FRR Backup path
  Gateway of last resort is not set
  S    10.0.0.0/27 is directly connected, 08:04:01, Null0
  O    10.0.0.4/30 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
  C    10.0.0.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
  L    10.0.0.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
  O    10.0.0.12/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                    [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    10.0.0.16/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    10.0.0.24/30 [110/3] via 10.0.128.9, 06:29:14, GigabitEthernet0/0/0/1
  O    10.0.0.28/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  S    10.0.128.0/29 is directly connected, 08:04:01, Null0
  O    10.0.128.0/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                     [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    10.0.128.4/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  C    10.0.128.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
  L    10.0.128.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
  S    10.1.0.4/30 is directly connected, 06:57:23, Null0
  S    10.1.128.4/30 is directly connected, 08:04:01, Null0
  C    10.18.0.0/16 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
  L    10.18.0.9/32 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
  L    127.0.0.0/8 [0/0] via 0.0.0.0, 08:04:04
  O    192.168.0.1/32 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
  O    192.168.0.2/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    192.168.0.3/32 [110/3] via 10.0.128.9, 08:03:40, GigabitEthernet0/0/0/1
  O    192.168.0.4/32 [110/3] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    192.168.0.5/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    192.168.0.6/32 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    192.168.0.7/32 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  L    192.168.0.8/32 is directly connected, 08:04:00, Loopback0
  B    192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
  B    192.168.0.18/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
  I'm only seeing the routes from the directly connected CE, but not the routes received from RR. What am I missing here?
  Thanks!
  -Sajith

• MPLS VRF Routes Leaking

  I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
  Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
  Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
  What is the best solution to prefer that meets the requirements & also avoids the security loopholes ?

  you could do one of the following ways to implement Internet access for L3 MPLS VPN
  1. using a separate PE interface in global routing table: in this case the FWSM and an interface in the PE/PEs will require to be in the the global routing table to have the Internet access and then you can inject that route to the VRF/VRFs
  2. Internet access using route leaking between VRFs and the global route table: by using this method you will need to configure a static default route with a next hop as an Internet gateway in your case the FWSM, reachable through the global routing table, this VRF default route need to be injected/redistributed in  the PE-CE routing (MP-BGP) to provide the outbound Internet connectivity to your  VRFs.
  inbound traffic from Internet will require either NATed VRF or a static routes from the global routing table points to the VRF interface
  3. the other method is the used of shared service: with this method you need to put the Internet service FWSM in its own VRF then you can control the import and export between the Internet VRF and other VRFs through import/export of the VRFs route-target values
  good luck
  if helpful Rate

• Configuring MPLS VPN using static routing

  Hi,
  I am managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of a IGP. Does anyone know if Cisco routers supports static configuration of LSP? I have tried but could not get it work.

  You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criterias to have a MPLS forwarding Table.
  1) Creating the LIB
  This thing lies in having LDP neighborship netween two peers and you have Label bindings.
  This is irrespective of what is the best next hop to reach the advertising peers LDP_ID.
  2) Creating the LFIB
  Now after considering all the Label bindings, the LDP_ID which can be reached out an interface
  as a next hop, those Label bindings get installed in the LFIB.
  So considering the above two points, we have to be careful in static routes
  only for interfaces like Ethernet (Multiaccess Segments).
  As in CEF when you give a static route pointing to an Ethernet Interface, CEF creates a
  GLean Adjacency (Meaning there could be multiple hosts as the next hop on this segement, and it will glean for the right next-hop)
  Now you may observe that when you give a static route only pointing to an Ethernet interface,
  you LDP adjacency may come up and you may exchange the bindings with each other. But the Label Forarding Table is not created. This is bcos of this being a Multiaccess interface. And you have
  Glean For it. If its a Normal WAN interface like Serial or POS, then there is no problem of
  GLean and you would have a Valid Cached Adjacency.
  So to avoid probelems with Ethernet interfaces you can simply specify the next-hop-ip address.
  For Eg: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (Without the Interface)
  ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (Or with the Interface)
  Only Difference in both is in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well. And you can have static routes in your network
  running MPLS.
  And doing this CEF would would work as it should and you would have a Valid Cached Adjacency.
  So this is applicable for Cisco devices which use CEF, including 6500 with SUP720.
  HTH-Cheers,
  Swaroop

• ASA 5505 VPN clients can't ping router or other clients on network

  I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
  Result of the command: "show running-config"
  : Saved
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
  : end
  Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
  Thanks.

  I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
  here is the runnign config again:
  Result of the command: "show startup-config"
  : Saved
  : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
  ASA Version 7.2(4)
  hostname ASA
  domain-name default.domain.invalid
  enable password kdnFT44SJ1UFX5Us encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.0.0.4 Server
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  clock timezone MST -7
  clock summer-time MDT recurring
  dns domain-lookup inside
  dns domain-lookup outside
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list vpn_splitTunnelAcl standard permit any
  access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  asdm location Server 255.255.255.255 inside
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
  static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface www Server www netmask 255.255.255.255
  static (inside,outside) tcp interface https Server https netmask 255.255.255.255
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable 480
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs group1
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  group-policy vpn internal
  group-policy vpn attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value vpn_splitTunnelAcl
  username admin password wwYXKJulWcFrrhXN encrypted privilege 15
  username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
  username VPNuser attributes
  vpn-group-policy vpn
  tunnel-group vpn type ipsec-ra
  tunnel-group vpn general-attributes
  address-pool VPNpool
  default-group-policy vpn
  tunnel-group vpn ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:78864f4099f215f4ebdd710051bdb493

• Selective Route Import/Export in MPLS VPN

  Champs
  I have multiple brach locations and 3 DC locations.DC locations host my internal applications , DC's  also have central Internet breakout for the region. My requirement is to have full mesh MPLS-VPN but at same time brach location Internet access should be from nearest IDC in the region  if nearest IDC is not availalbe it should go to second nearest DC for internet.I have decided which are primary and seconday DC for Internet breakout. How can this be achieved in MPLS-VPN scenario.Logically i feel , i have to announce specific LAN subnet and default route(with different BGP attribute like AS Path)  from all 3 DCs. Spokes in the specific region should be able to import default route  from primary DC and secondary DCs only  using some route filter?
  Regards
  V

  Hello Aaron,
  the route example works for all routers except the one, where the VRF vpn2 is configured. What you can do for management purposes is either to connect through a neighbor router using packet leaking or configure another Loopback into VRF vpn2.
  The last option (and my recommendation) is to establish another separate IP connection from your NMS to the MPLS core. Once VRFs are failing (for whatever reason, f.e. erroneously deleted) you might just not get connectivity to your backbone anymore to repair what went wrong.
  So I would create an "interconnection router" with an interface in the VRF vpn2 and one interface in global IP routing table. This way you will still be able to access PEs, even if VRFs or MBGP is gone.
  Hope this helps! Please rate all posts.
  Regards, Martin

• Redundant access from MPLS VPN to global routing table

  Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
  As I'm not aware of any methods how to dynamicaly import/export routes between VRF/Global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
  Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
  Here comes tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if specific prefix is reachable in VRF or not. What I'd like to achieve is that specific static route becomes valid only if specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
  OK, hope U got the idea. Any solutions/recommendations ? Running all Internet routing inside VRF isn't an option, at least for now :(

  Hi Andris,
  I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
  dot1q will be ok as well.
  This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
  Example:
  PE config:
  interface Serial0/0
  encapsulation frame-relay
  interface Serial0/0.1 point-to-point
  description customer VPN access
  ip vrf customer
  ip address 10.1.1.1 255.255.255.252
  interface Serial0/0.2 point-to-point
  description customer Internet access
  ip address 192.168.1.1 255.255.255.252
  router rip
  address-family ipv4 vrf customer
  version 2
  network 10.0.0.0
  no auto-summary
  redistribute bgp 65000 metric 5
  router bgp 65000
  neighbor 192.168.1.2 remote-as 65001
  address-family ipv4 vrf customer
  redistribute rip
  CE config:
  interface Serial0/0
  encapsulation frame-relay
  interface Serial0.1 point-to-point
  description VPN access
  ip address 10.1.1.2 255.255.255.252
  interface Serial0.2 point-to-point
  description Internet access
  ip address 192.168.1.2 255.255.255.252
  router bgp 65001
  neighbor 192.168.1.1 remote-as 65000
  router rip
  version 2
  network 10.0.0.0
  no auto-summary
  Of course you can replace RIP with whatever is suitable for you. And don´t sue me when you do not apply required BGP filters for internet access... ;-)
  The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
  Regards
  Martin

• How can I find the all path available for a MPLS VPN in SP network

  How can I find the all path available for a MPLS VPN in SP network between PE to PE and CE to CE?

  Hi There
  If we need to find all the available paths for a remote CE from a local PE it will depend upon whether its a RR or non-RR design. If the MP-iBGP deisgn is non-RR  the below vrf specific command
  sh ip bgp vpnv4 vrf "vrf_name"  will show us the MP-iBGP RT for that particular VPN. It will show us the next hop. Checking the route for same in the Global RT will show us the path(s) available for same ( load-balancing considered) .Then we can do a trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback to get the physical Hops involved.
  However if the design is RR-based there might be complications involved when the RR is in the forwarding path ie we have NHS being set to RR-MP-iBGP loopback and the  trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback will get us the physical Hops involved.
  If we have redundant RRs being used with NHS being set then the output of sh ip bgp vpnv4 vrf "vrf_name" will show us two different available paths for the remote CE destination but just one being used.
  RR-based design with no NHS being used will always to cater to single path for the remote CE detsination.
  So in any case the actual path used for the remote CE connectivity would be a single unless we are using load-balancing.
  Hope this helps you a bit on your requirement
  Thanks & Regards
  Vaibhava Varma

• MPLS VPN Supported Platforms

  Does the 3745 router support MPLS VPN?

  ignore this message - brain fade - I was talking about the 3750ME