Route Leaking in MPLS/VPN Networks (IOX support)
Hi all,
I would like to know if IOX on the CRS-1 can support route leaking between a VRF and the global routing table?
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
Regards
Hi,
You can use the vrf keyword after the prefix you want to join and before specifying the NH. It will tell the router in which VRF the lookup should be done:
http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.0/routing/command/reference/rr40crs1book_chapter9.html#wp172562637
The vrf name "default" is reserved to reference the GRT.
HTH
Laurent.
Similar Messages
Injecting Global default Routes into a MPLS VPN
Hi,
I have a PE router running MPBGP which receives two default routes to the internet through an IPV4 BGP session. I need to import these routes in to a VRF and export them to different customer VRFs so that these VRFs are able to access Internet.
I have used the feature called "BGP Support for IP Prefix Import from Global Table into a VRF Table" (URL:http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803b8db9.html#wp1063870)
and imported these routes into a VRF.
The issue is that these routes are not propagated to any of the other PE routers which have customer VRFs configured.
Has anybody tried this or a similar method to inject a dynamic default route into a MPLS VPN.
Any suggestions would be highly appreciated.
Thanks
Subhash
Hi Subhash,
is there anything preventing you from terminating your internet BGP sessions in a VRF? Then everything should go smoothly, i.e. standard VRF import/export.
So possibility A) create a VRF Internet, move bgp neighbor commands there and use filters preventing anything but the default route, then use route targets to distribute the default route into other VRFs.
Possibility B) use static routing with packet leaking. Could look like this:
ip route vrf Internet 0.0.0.0 0.0.0.0 global
ip route vrf Internet 0.0.0.0 0.0.0.0 global 250
ip route Serial0/0 !assuming this is where the customer router connects.
Note: the BGP peer IP does not have to be directly connected! There has to be an LDP label for it though, so include your BGP peer's network in your IGP and the backup will work when you lose the link to the peer.
Hope this helps! Please rate all posts.
Regards, Martin -
Managing Route-Map based MPLS VPN
1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
2) Is there any MIB to get from the MIB
a) Route-maps tied to each VRF
b) What is the filter associated with each route-map?
c) Definition of each of the above filter
It would have been nice if the route-maps' names had global significance within the AS, so that we could have treated route-maps pretty much like route-targets. Alas, I doubt it is :(
It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straightforward through the MplsVpn MIB.
So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
Thanks,
Suresh R
Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html -
MPLS/VPN network load balancing in the core
Hi,
I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
CE---PE===P===PE---CE
I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
Thank you for your help!
Gabor
Hi,
On the PE router you can set different types and 2 levels of load-balancing.
For instance, in the case of a dual-homed site, the subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
PE1 receives this prefix via an eBGP session from CE1 and keeps this route as best due to its external state.
PE2 receives this prefix via an eBGP session from CE2 and keeps this route as best due to its external state.
                 eBGP
     PE1 ---------- CE1 \
PE3 ---- P1              Subnet A
     PE2 ---------- CE2 /
                 eBGP
Therefore from PE3's point of view, 2 routes are available, assuming that the IGP metric for PE3/PE1 is equal to PE3/PE2.
The first level of load-sharing can be achieved thanks to the maximum-paths ibgp number command.
2 MP-BGP routes are received on PE3:
PE3->PE1->CE1->subnet A
PE3->PE2->CE2->subnet A
To use both routes you must set the number to at least 2: maximum-paths ibgp 2
But guess what, in the real world an MPLS backbone hardly guarantees an equal IGP cost between 2 egress PEs for a given prefix.
So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface, avoiding reordering of the packets at the target site. Otherwise it is possible to use "per-packet" load-balancing.
Then a 2nd load-sharing level can occur.
For instance:
     __P1__PE1__CE1__
PE3 /                 \ Subnet A
    \__P2__PE2__CE2__/
There are still 2 MP-BGP paths:
PE3->P1->PE1->CE1->subnet A
PE3->P1->PE2->CE2->subnet A
But this time, for the 2 MP-BGP paths, 4 IGP paths are available:
PE3->P1->PE1->CE1->subnet A
PE3->P1->PE2->CE2->subnet A
PE3->P2->PE1->CE1->subnet A
PE3->P2->PE2->CE2->subnet A
For load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-path 4" command in the IGP (e.g. OSPF) process.
Therefore if those 4 paths are equal-cost IGP paths then a 2nd level of load-balancing is achieved. The default behavior is the same source/destination mechanism to select the "per-session" path as mentioned before.
On an LSP each LSR could use this feature.
BR -
Implementing a Sprint MPLS/VPN
Hello
I'm implementing a Sprint MPLS/VPN network. This is a point-to-point between two of my locations. The connection is handed off to me as a serial connection and I will be connecting to Cisco 2800s on both ends. Does anyone have what a sample config might look like for my Cisco router?
Thanks in advance
HI, [Pls Rate if HELPS]
In addition to JOE POST,
You need to configure as normal CE Router. You can handover your Network Traffic either via some DYNAMIC Routing Protocols (BGP, EIGRP, OSPF, RIP) or Static Routing at LAST MILE towards your Service Provider.
At the Service Provider side, the connected interface with your CE will be added with the "ip vrf forwarding" command, where a separate routing instance will be maintained on top of the Global Routing Table. The MPLS labels are swapped over their backbone / partner NNI to carry your traffic over a Label Switched Path.
For an MPLS to work, the IP-CEF will be enabled. This kind of MPLS Technology, will enable fast processing of Packets and Traffic over the Large Scale Network.
Similarly the RT & RD Values are used to distinguish the Customer Prefixes. The RT export and Import will be done at end - to - end at Service Provider Side Routers to make the HO & BO to communicate.
The CE Router will not involve any MPLS / VRF Configuration Technology.
Hope I am Informative.
Pls Rate if HELPS
Best Regards,
Guru Prasad R -
Hi there,
I would like to know, is there any features on cisco router to view mpls/vpn packet swapping here and there at P,PE or CE routers especially in service provider networks just like "sh ip cache flow" ?
thanks in advance.
maher
MPLS-aware NetFlow should provide you with this functionality. For more information, please refer to the following link:
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1829/products_feature_guide09186a008012dc80.html
Hope this helps, -
Perhaps someone on this group can identify the missing timers/processing-delays in end-to-end client route convergence
Scenarios:
a) BGP new route advertised by Client (CPE1)
b) BGP Route withdrawn by Client(CPE1)
              PE-to-RR i-M-BGP (Logical)
           =========----RR------=========
           "        |          |        "
CPE1---->PE1------->P1-------->P2---->PE2----->CPE2
          |                             |
          --------->P3-------->P4--------
Routing:
- eBGP btw CPE and PE (any routing prot within Cust site),
- OSPF, LDP in Core,
Timers/Steps I'm aware of:
- Advertisement of routes from CE to PE and placement into VRF
- Propagation of routes across the MPLS VPN backbone
- Import process of these routes into relevant VRFs
- Advertisement of VRF routes to attached VPN sites
- BGP advertisement-interval: Default = 5 seconds for iBGP, 30 for eBGP
- BGP Import Process: Default = 15 seconds
- BGP Scanner Process Default = 60 seconds
Would appreciate it if someone can identify any missing process delays or timers, especially w.r.t. the RR.
Thanks
SH
Check the LDP/TDP timers in the core. Remember if a link fails in the core, reroute occurs and the LDP/TDP binding needs to be renewed. Tags are bound to those routes being in the routing table (IGP). So, there is a delay possible from a core perspective:
mpls ldp holdtime
mpls ldp discovery hello [holdtime | interval]
In case you are using TE check these:
mpls traffic-eng topology holddown
mpls traffic-eng signalling forwarding sync
mpls traffic-eng fast-reroute timers promotion
I believe the latter one only applies to SDH, in which you use the segment loss feature.
Regards,
Frank -
Leaking MPLS VPN learned routes from VRF to Global
I'm trying to leak routes from a VRF to global. I can get the routes from the directly connected CE leaked to the global table, however I can't get the routes from remote CEs to leak into the global routing table. Below are my configurations:
RP/0/0/CPU0:B25BR1#sh run vrf TR
Wed Dec 17 22:40:33.772 UTC
vrf TR
address-family ipv4 unicast
import route-target
65000:7020
export to default-vrf route-policy TR-2-GLOBAL
export route-target
65000:7020
RP/0/0/CPU0:B25BR1#sh rpl route-policy TR-2-GLOBAL
Wed Dec 17 22:40:50.851 UTC
route-policy TR-2-GLOBAL
if destination in TR-2-GLOBAL then
pass
endif
end-policy
RP/0/0/CPU0:B25BR1#sh rpl prefix-set TR-2-GLOBAL
Wed Dec 17 22:40:57.861 UTC
prefix-set TR-2-GLOBAL
192.168.0.17/32,
192.168.0.18/32,
192.168.0.19/32,
192.168.0.20/32
end-set
!Routes that I want to see also are 192.168.0.19/32 and 192.168.0.20/32 which are there in the VRF routing table
RP/0/0/CPU0:B25BR1#sh route vrf TR
Wed Dec 17 22:41:45.767 UTC
Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local, G - DAGR
A - access/subscriber, a - Application route, (!) - FRR Backup path
Gateway of last resort is not set
B 10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
C 10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
L 10.1.0.6/32 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
B 10.1.128.0/30 [20/0] via 10.1.0.5, 00:14:32
B 192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
B 192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
B 192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
B 192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
RP/0/0/CPU0:B25BR1#sh ip rou
Wed Dec 17 22:41:50.097 UTC
Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local, G - DAGR
A - access/subscriber, a - Application route, (!) - FRR Backup path
Gateway of last resort is not set
S 10.0.0.0/27 is directly connected, 08:04:01, Null0
O 10.0.0.4/30 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
C 10.0.0.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
L 10.0.0.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
O 10.0.0.12/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O 10.0.0.16/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
O 10.0.0.24/30 [110/3] via 10.0.128.9, 06:29:14, GigabitEthernet0/0/0/1
O 10.0.0.28/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
S 10.0.128.0/29 is directly connected, 08:04:01, Null0
O 10.0.128.0/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O 10.0.128.4/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
C 10.0.128.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
L 10.0.128.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
S 10.1.0.4/30 is directly connected, 06:57:23, Null0
S 10.1.128.4/30 is directly connected, 08:04:01, Null0
C 10.18.0.0/16 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
L 10.18.0.9/32 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
L 127.0.0.0/8 [0/0] via 0.0.0.0, 08:04:04
O 192.168.0.1/32 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
O 192.168.0.2/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O 192.168.0.3/32 [110/3] via 10.0.128.9, 08:03:40, GigabitEthernet0/0/0/1
O 192.168.0.4/32 [110/3] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
O 192.168.0.5/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O 192.168.0.6/32 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
O 192.168.0.7/32 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
[110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
L 192.168.0.8/32 is directly connected, 08:04:00, Loopback0
B 192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
B 192.168.0.18/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
I'm only seeing the routes from the directly connected CE, but not the routes received from RR. What am I missing here?
Thanks!
-Sajith -
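As an added example (my code, not from the thread or from Cisco), a small Python checker that parses the 'show route' outputs above and reports which entries of the TR-2-GLOBAL prefix-set actually appeared in the global table; the abridged tables embedded below are constructed from the post and stand in for the full outputs.

```python
"""Check a VRF-to-global leak against IOS XR 'show route' output.

Added example, not from the original thread. The two tables are abridged,
constructed copies of the outputs posted above and the prefix-set is the
TR-2-GLOBAL shown there. Tagging a missing route as 'learned from a remote PE'
when it has AD 200 and a next hop in vrf default is this script's own way of
reading the output, not a statement about IOS XR behaviour.
"""
import ipaddress
import re

PREFIX_SET_TR_2_GLOBAL = ["192.168.0.17/32", "192.168.0.18/32",
                          "192.168.0.19/32", "192.168.0.20/32"]

# Abridged 'show route vrf TR' (constructed from the post).
SHOW_ROUTE_VRF_TR = """\
Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
Gateway of last resort is not set
B    10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
C    10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
B    192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
B    192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
B    192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
B    192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
"""

# Abridged 'show route' for the default VRF (constructed from the post).
SHOW_ROUTE_GLOBAL = """\
O    10.0.0.12/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                  [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
O    192.168.0.4/32 [110/3] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
L    192.168.0.8/32 is directly connected, 08:04:00, Loopback0
B    192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
B    192.168.0.18/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
"""

# One route line: code, prefix, optional [AD/metric], then the rest of the line.
ROUTE_RE = re.compile(r"^(?P<code>[A-Za-z*]{1,2})\s+"
                      r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
                      r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?(?P<rest>.*)$")
NH_VRF_RE = re.compile(r"\(nexthop in vrf (?P<vrf>\S+)\)")


def parse_routes(show_output):
    """Map prefix -> {code, ad, metric, nh_vrf}; legend, gateway and ECMP
    continuation lines (which start with '[') carry no prefix and are skipped."""
    routes = {}
    for raw in show_output.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        prefix = str(ipaddress.ip_network(m["prefix"], strict=False))
        nh = NH_VRF_RE.search(m["rest"])
        routes[prefix] = {
            "code": m["code"],
            "ad": int(m["ad"]) if m["ad"] else None,
            "metric": int(m["metric"]) if m["metric"] else None,
            "nh_vrf": nh["vrf"] if nh else None,
        }
    return routes


def leak_report(prefix_set, vrf_output, global_output, vrf_name):
    """Classify every prefix-set entry: leaked, missing, or absent from the VRF."""
    vrf_routes = parse_routes(vrf_output)
    global_routes = parse_routes(global_output)
    report = {}
    for entry in prefix_set:
        key = str(ipaddress.ip_network(entry, strict=False))
        in_vrf, in_global = vrf_routes.get(key), global_routes.get(key)
        if in_vrf is None:
            report[key] = "absent from VRF table"
        elif in_global is not None and in_global["nh_vrf"] == vrf_name:
            report[key] = "leaked"
        elif in_global is not None:
            report[key] = "present in global table, but not as a route leaked from the VRF"
        elif in_vrf["ad"] == 200 and in_vrf["nh_vrf"] == "default":
            report[key] = "missing: iBGP route (AD 200) from a remote PE, next hop in vrf default"
        else:
            report[key] = "missing"
    return report


def missing_prefixes(report):
    """Prefix-set entries that did not reach the global table."""
    return sorted(p for p, s in report.items() if s.startswith("missing"))


if __name__ == "__main__":
    rep = leak_report(PREFIX_SET_TR_2_GLOBAL, SHOW_ROUTE_VRF_TR, SHOW_ROUTE_GLOBAL, "TR")
    for prefix, status in rep.items():
        print(f"{prefix:18} {status}")
```

Run against the two outputs it separates the eBGP-learned /32s (which leaked) from the two /32s learned from the RR with a next hop in vrf default (which did not), so the failing half of the prefix-set is visible at a glance.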
I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
What is the best solution to prefer that meets the requirements and also avoids the security loopholes?
You could do one of the following to implement Internet access for L3 MPLS VPN:
1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface on the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.
2. Internet access using route leaking between VRFs and the global routing table: with this method you will need to configure a static default route with a next hop of an Internet gateway (in your case the FWSM) reachable through the global routing table; this VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide outbound Internet connectivity to your VRFs.
Inbound traffic from the Internet will require either a NATed VRF or static routes from the global routing table pointing to the VRF interface.
3. The other method is the use of a shared service: with this method you put the Internet service (FWSM) in its own VRF, then you can control the import and export between the Internet VRF and the other VRFs through the VRFs' route-target values.
good luck
if helpful Rate -
Configuring MPLS VPN using static routing
Hi,
I managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of an IGP. Does anyone know if Cisco routers support static configuration of LSPs? I have tried but could not get it to work.
You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criteria to have an MPLS forwarding table.
1) Creating the LIB
This lies in having an LDP neighborship between two peers so that you have label bindings. This is irrespective of what the best next hop is to reach the advertising peer's LDP_ID.
2) Creating the LFIB
Now after considering all the label bindings, those bindings whose LDP_ID can be reached out an interface as a next hop get installed in the LFIB.
So considering the above two points, we have to be careful with static routes only for interfaces like Ethernet (multiaccess segments).
As in CEF, when you give a static route pointing to an Ethernet interface, CEF creates a glean adjacency (meaning there could be multiple hosts as the next hop on this segment, and it will glean for the right next hop).
Now you may observe that when you give a static route pointing only to an Ethernet interface, your LDP adjacency may come up and you may exchange the bindings with each other, but the label forwarding table is not created. This is because of this being a multiaccess interface, and you have glean for it. If it is a normal WAN interface like Serial or POS, then there is no problem of glean and you would have a valid cached adjacency.
So to avoid problems with Ethernet interfaces you can simply specify the next-hop IP address.
For e.g.: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (without the interface)
ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (or with the interface)
The only difference between the two is that the first one has to do a recursive lookup for the outgoing interface. Otherwise both work well, and you can have static routes in your network running MPLS.
Doing this, CEF would work as it should and you would have a valid cached adjacency.
So this is applicable to Cisco devices which use CEF, including the 6500 with SUP720.
HTH-Cheers,
Swaroop -
ASA 5505 VPN clients can't ping router or other clients on network
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
: end
Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
Thanks.
I tried that and it didn't work. As for upgrading the ASA version, I'd like to, but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
Here is the running config again:
Result of the command: "show startup-config"
: Saved
: Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location Server 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:78864f4099f215f4ebdd710051bdb493 -
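As an added example (my code, not the poster's config or anything from Cisco), a Python lint over an abridged, constructed copy of the first config above; it checks the VPN pool against the nat 0 exemption ACL and the inside subnet, and whether 'inspect icmp' is configured (the second config adds it), which are the first things to check before changing the box.

```python
"""Lint the remote-access VPN parts of an ASA 7.x running-config.

Added example, not from the original thread or from Cisco. SAMPLE_CONFIG is
an abridged, constructed copy of the first config posted above; the three
checks (pool covered by the nat 0 exemption ACL, pool overlapping the inside
subnet, 'inspect icmp' present) are this script's own reading of the post.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit ip "
                    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \((?P<ifc>\S+)\) 0 access-list (?P<acl>\S+)")
POOL_RE = re.compile(r"^ip local pool (?P<name>\S+) (?P<lo>[\d.]+)-(?P<hi>[\d.]+)")

# Constructed, abridged copy of the first config in the post (no 'inspect icmp').
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""


def _to_net(token):
    """'any', 'host A' or 'A MASK' -> ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(config):
    """Collect interface subnets, extended ACLs, nat 0 bindings, pools, inspects."""
    info = {"ifaces": {}, "acls": {}, "nat0": {}, "pools": {}, "inspects": set()}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # nameif comes before 'ip address' on the ASA
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()
            try:  # 'ip address dhcp setroute' has no static subnet to record
                info["ifaces"][nameif] = ipaddress.ip_network(
                    f"{parts[2]}/{parts[3]}", strict=False)
            except (IndexError, ValueError):
                pass
        elif (m := ACL_RE.match(line)):
            info["acls"].setdefault(m["name"], []).append(
                (_to_net(m["src"]), _to_net(m["dst"])))
        elif (m := NAT0_RE.match(line)):
            info["nat0"][m["ifc"]] = m["acl"]
        elif (m := POOL_RE.match(line)):
            info["pools"][m["name"]] = (ipaddress.ip_address(m["lo"]),
                                        ipaddress.ip_address(m["hi"]))
        elif line.startswith("inspect "):
            info["inspects"].add(line.split()[1])
    return info


def lint(config, inside="inside"):
    """Return (code, message) findings; an empty list means all checks passed."""
    info = parse_asa(config)
    exempt = [dst for acl in info["nat0"].values()
              for _, dst in info["acls"].get(acl, [])]
    inside_net = info["ifaces"].get(inside)
    findings = []
    for name, (lo, hi) in info["pools"].items():
        addrs = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
        if not all(any(a in net for net in exempt) for a in addrs):
            findings.append(("POOL_NOT_NAT_EXEMPT",
                             f"pool {name}: not every address is covered by a nat 0 ACL, "
                             "so inside-to-client traffic is not exempt from NAT"))
        if inside_net and any(a in inside_net for a in addrs):
            findings.append(("POOL_OVERLAPS_INSIDE",
                             f"pool {name} overlaps {inside} subnet {inside_net}: inside hosts "
                             "ARP for client addresses and rely on the ASA answering"))
    if "icmp" not in info["inspects"]:
        findings.append(("NO_ICMP_INSPECT",
                         "inspect icmp is absent, so ICMP is not tracked statefully"))
    return findings
```

On the posted config the NAT exemption check passes (10.0.0.192/26 covers the whole pool), while the overlap with the inside /24 and the missing ICMP inspection are reported.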
Selective Route Import/Export in MPLS VPN
Champs
I have multiple branch locations and 3 DC locations. DC locations host my internal applications; the DCs also have the central Internet breakout for the region. My requirement is to have a full-mesh MPLS-VPN, but at the same time branch location Internet access should be from the nearest IDC in the region, and if the nearest IDC is not available it should go to the second nearest DC for Internet. I have decided which are the primary and secondary DCs for Internet breakout. How can this be achieved in an MPLS-VPN scenario?
Logically I feel I have to announce the specific LAN subnet and a default route (with different BGP attributes like AS path) from all 3 DCs. Spokes in the specific region should be able to import the default route from the primary DC and secondary DC only, using some route filter?
Regards
VHello Aaron,
the route example works for all routers except the one, where the VRF vpn2 is configured. What you can do for management purposes is either to connect through a neighbor router using packet leaking or configure another Loopback into VRF vpn2.
The last option (and my recommendation) is to establish another separate IP connection from your NMS to the MPLS core. Once VRFs are failing (for whatever reason, f.e. erroneously deleted) you might just not get connectivity to your backbone anymore to repair what went wrong.
So I would create an "interconnection router" with an interface in the VRF vpn2 and one interface in global IP routing table. This way you will still be able to access PEs, even if VRFs or MBGP is gone.
Hope this helps! Please rate all posts.
Regards, Martin
-
Redundant access from MPLS VPN to global routing table
Several of our customers have MPLS VPNs deployed over our infrastructure. Some of them require access to the Internet (global routing table in our case).
As I'm not aware of any methods to dynamically import/export routes between VRF/global routing tables, at the moment there are static routes configured: one inside the VRF pointing to a global next hop, another one in the global routing table pointing to an interface inside the VRF.
The task is to configure redundant access to the Internet. By redundancy I mean using several exit points (primary and backup), which physically are separate boxes.
Here comes the tricky part: both global static routes (on both boxes, meaning) are valid and reachable in all cases, no matter if the specific prefix is reachable in the VRF or not. What I'd like to achieve is that the specific static route becomes valid only if the specific prefix is reachable inside the VRF. Yea, sounds like dynamic routing :), I know.
OK, hope you got the idea. Any solutions/recommendations? Running all Internet routing inside a VRF isn't an option, at least for now :(

Hi Andris,
I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
dot1q will be ok as well.
This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
Example:
PE config:
interface Serial0/0
 encapsulation frame-relay
interface Serial0/0.1 point-to-point
 description customer VPN access
 ip vrf forwarding customer
 ip address 10.1.1.1 255.255.255.252
interface Serial0/0.2 point-to-point
 description customer Internet access
 ip address 192.168.1.1 255.255.255.252
router rip
 address-family ipv4 vrf customer
  version 2
  network 10.0.0.0
  no auto-summary
  redistribute bgp 65000 metric 5
router bgp 65000
 neighbor 192.168.1.2 remote-as 65001
 address-family ipv4 vrf customer
  redistribute rip
CE config:
interface Serial0/0
 encapsulation frame-relay
interface Serial0/0.1 point-to-point
 description VPN access
 ip address 10.1.1.2 255.255.255.252
interface Serial0/0.2 point-to-point
 description Internet access
 ip address 192.168.1.2 255.255.255.252
router bgp 65001
 neighbor 192.168.1.1 remote-as 65000
router rip
 version 2
 network 10.0.0.0
 no auto-summary
Of course you can replace RIP with whatever is suitable for you. And don't sue me when you do not apply the required BGP filters for Internet access... ;-)
The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
Regards
Martin
-
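To make the static "packet leaking" discussed in this exchange concrete (a VRF default whose next hop is resolved in the global table, a global return route pointing at a VRF-facing interface, and the problem Andris raises that the return route stays valid whether or not the VRF can still reach the prefix), here is an added Python model. It is not code from this thread and not a faithful IOS implementation: each table does a longest-prefix match, a route may name the table its next hop is resolved in, and an interface route hands the packet to whichever VRF that interface is bound to. Interface names and addresses are made up, and the `install_conditional` check is the conditional-install behaviour asked for in the question, not an IOS feature.

```python
"""Model of VRF <-> global "packet leaking" with static routes.

Added example, not code from this thread and not a faithful IOS
implementation. Interface names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    next_hop: Optional[str] = None     # IP next hop, None for an interface route
    interface: Optional[str] = None    # exit interface for interface routes
    lookup_vrf: Optional[str] = None   # table used to resolve next_hop (None = same table)


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


class Router:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {"global": []}
        self.if_vrf: Dict[str, str] = {}     # interface -> VRF it is bound to

    def add_interface(self, name: str, vrf: str, address: str) -> None:
        """Bind an interface to a VRF and install its connected route."""
        self.if_vrf[name] = vrf
        self.add_route(vrf, Route(net(address), interface=name))

    def add_route(self, vrf: str, route: Route) -> None:
        self.tables.setdefault(vrf, []).append(route)

    def lookup(self, vrf: str, dst: str) -> Optional[Route]:
        """Longest-prefix match in one table."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.tables.get(vrf, []) if addr in r.prefix]
        return max(cands, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, vrf: str, dst: str) -> Optional[Tuple[str, str]]:
        """Resolve recursively; return (exit interface, VRF the adjacency lives in)."""
        for _ in range(8):                # bound the recursion depth
            r = self.lookup(vrf, dst)
            if r is None:
                return None               # no route: packet dropped
            if r.next_hop is None:
                return r.interface, self.if_vrf[r.interface]
            vrf = r.lookup_vrf or vrf     # "global" keyword: resolve in the other table
            dst = r.next_hop
        return None

    def vrf_reaches(self, vrf: str, prefix: IPv4Net) -> bool:
        """True if the VRF holds a route of its own (not a leaked one) covering the prefix."""
        return any(r.lookup_vrf is None and r.prefix.overlaps(prefix)
                   for r in self.tables.get(vrf, []))

    def install_conditional(self, table: str, route: Route, verify_vrf: str) -> bool:
        """Install the return route only while the VRF can reach the prefix itself.
        This is the conditional behaviour asked for in the question, not an IOS feature."""
        if self.vrf_reaches(verify_vrf, route.prefix):
            self.add_route(table, route)
            return True
        return False


# Global return route pointing at the VRF-facing interface
# ("ip route 10.1.2.0 255.255.255.0 Serial0/0.1" in IOS terms).
RETURN_ROUTE = Route(net("10.1.2.0/24"), interface="Serial0/0.1")


def build_pe(ce_lan_present: bool = True) -> Router:
    pe = Router()
    pe.add_interface("Gi0/1", "global", "203.0.113.2/30")        # upstream / Internet side
    pe.add_interface("Serial0/0.1", "customer", "10.1.1.1/30")   # PE-CE link in VRF customer
    if ce_lan_present:                                           # LAN learned from the CE
        pe.add_route("customer", Route(net("10.1.2.0/24"), next_hop="10.1.1.2"))
    # VRF default whose next hop is resolved in the global table
    # ("ip route vrf customer 0.0.0.0 0.0.0.0 203.0.113.1 global").
    pe.add_route("customer", Route(net("0.0.0.0/0"), next_hop="203.0.113.1", lookup_vrf="global"))
    return pe


if __name__ == "__main__":
    pe = build_pe()
    print("VRF -> Internet:", pe.forward("customer", "198.51.100.7"))  # ('Gi0/1', 'global')
    pe.add_route("global", RETURN_ROUTE)
    print("Internet -> VRF:", pe.forward("global", "10.1.2.5"))        # ('Serial0/0.1', 'customer')
    # CE LAN gone from the VRF: the plain static above would still forward,
    # the conditional install refuses it.
    down = build_pe(ce_lan_present=False)
    print("conditional install, LAN missing:", down.install_conditional("global", RETURN_ROUTE, "customer"))  # False
```

Run with the LAN present and absent to see the two halves of the problem: `forward("global", ...)` keeps returning the VRF interface as long as the plain return static is installed, while `install_conditional` refuses to install it when the VRF only has the leaked default left. In a real deployment the same effect needs a routing protocol or an object-tracking feature on the box; the model only shows what the condition has to check.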
How can I find all the paths available for an MPLS VPN in an SP network
How can I find all the paths available for an MPLS VPN in an SP network between PE to PE and CE to CE?
Hi There
If we need to find all the available paths for a remote CE from a local PE it will depend upon whether it's an RR or non-RR design. If the MP-iBGP design is non-RR, the below VRF-specific command
sh ip bgp vpnv4 vrf "vrf_name" will show us the MP-iBGP RT for that particular VPN. It will show us the next hop. Checking the route for the same in the Global RT will show us the path(s) available for the same (load-balancing considered). Then we can do a trace using the local PE MP-iBGP loopback as source to the remote PE's MP-iBGP loopback to get the physical hops involved.
However, if the design is RR-based there might be complications involved when the RR is in the forwarding path, i.e. we have NHS being set to the RR MP-iBGP loopback, and the trace using the local PE MP-iBGP loopback as source to the remote PE's MP-iBGP loopback will get us the physical hops involved.
If we have redundant RRs being used with NHS being set then the output of sh ip bgp vpnv4 vrf "vrf_name" will show us two different available paths for the remote CE destination but just one being used.
An RR-based design with no NHS being used will always cater to a single path for the remote CE destination.
So in any case the actual path used for the remote CE connectivity would be a single one unless we are using load-balancing.
Hope this helps you a bit with your requirement.
Thanks & Regards
Vaibhava Varma
-
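The procedure in the answer above (list the VPNv4 table for the VRF, take each PE next hop, then resolve that next hop in the global table to see how many IGP paths lead there) as an added Python example, not code from the thread. The show output and the global RIB are constructed samples written in the style of IOS output; the parser is matched to that constructed layout, so the regex may need adjusting for output from a real device.

```python
"""Enumerate candidate paths for a VRF prefix from an IOS-style
"show ip bgp vpnv4 vrf <name>" listing plus the global routing table.

Added example, not from the thread. SAMPLE_VPNV4 and GLOBAL_RIB are
constructed samples in the style of IOS output.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: two remote PEs (10.0.0.2, 10.0.0.3) advertise 10.2.2.0/24,
# plus one route learned from the locally attached CE. ">" marks the best path,
# the third status character "i" marks an internal (MP-iBGP) path.
SAMPLE_VPNV4 = """\
BGP table version is 15, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf customer)
*>i10.2.2.0/24      10.0.0.2                 0    100      0 ?
* i                 10.0.0.3                 0    100      0 ?
*> 10.1.2.0/24      10.1.1.2                 1         32768 ?
"""

# Constructed global RIB: prefix -> list of (IGP next hop, interface).
# The PE2 loopback has two equal-cost IGP paths, the PE3 loopback one.
GLOBAL_RIB: Dict[str, List[Tuple[str, str]]] = {
    "10.0.0.2/32": [("192.0.2.1", "Gi0/0"), ("192.0.2.5", "Gi0/1")],
    "10.0.0.3/32": [("192.0.2.5", "Gi0/1")],
}

# Three status characters, an optional network column (blank on continuation
# lines that share the prefix above), then the next-hop address.
ROUTE_LINE = re.compile(r"^([*>sdhriS ]{3})(\S*)\s+(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    best: bool
    internal: bool
    igp_paths: List[Tuple[str, str]] = field(default_factory=list)


def parse_vpnv4(text: str) -> List[BgpPath]:
    """Return one BgpPath per route line, carrying the prefix forward on continuation lines."""
    paths: List[BgpPath] = []
    current = None
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue                      # headers, RD lines, legend
        status, network, nh = m.groups()
        if network:
            current = network
        if current is None:
            continue
        paths.append(BgpPath(current, nh, best=">" in status, internal=status[2] == "i"))
    return paths


def resolve_global(rib: Dict[str, List[Tuple[str, str]]], address: str) -> List[Tuple[str, str]]:
    """Longest-prefix match of one address in the global table; [] if unreachable."""
    addr = ipaddress.ip_address(address)
    best = None
    for pfx, hops in rib.items():
        network = ipaddress.ip_network(pfx)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hops)
    return list(best[1]) if best else []


def candidate_paths(vpnv4_text: str, rib, prefix: str) -> List[BgpPath]:
    """All MP-iBGP paths for `prefix` with the IGP paths behind each remote PE next hop.
    A next hop that is a locally attached CE lives in the VRF, so it is not resolved here."""
    result = []
    for p in parse_vpnv4(vpnv4_text):
        if p.prefix != prefix:
            continue
        p.igp_paths = resolve_global(rib, p.next_hop) if p.internal else []
        result.append(p)
    return result


if __name__ == "__main__":
    for p in candidate_paths(SAMPLE_VPNV4, GLOBAL_RIB, "10.2.2.0/24"):
        mark = "best" if p.best else "alternate"
        print(f"{p.prefix} via PE {p.next_hop} ({mark}): IGP paths {p.igp_paths}")
```

The output for the sample shows what the answer describes: two PE next hops for the remote prefix, only one marked best, and the best one reachable over two equal-cost IGP paths in the global table. With an RR that sets next-hop-self, the VPNv4 table would list only the RR loopback as next hop, so this enumeration collapses to the IGP paths toward the RR, which is the complication mentioned above.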
Does the 3745 router support MPLS VPN?
ignore this message - brain fade - I was talking about the 3750ME