SXH + MPLS + EBGP

Hi!
My company has Cisco 6506 with SUP720-3BXL.
I'm trying to kill two birds with one stone:
2 BGP Full View + MPLS VPN in one box.
I have a problem with more than 250k labels in LFIB.
It seems it creates a new label for each prefix received from BGP.
How can it be turned off?
IOS 12.2 SXH adv ent services.
L3 Forwarding Resources
FIB TCAM usage: Total Used %Used
72 bits (IPv4, MPLS, EoM) 524288 459356 88%
144 bits (IP mcast, IPv6) 262144 7 1%
detail: Protocol Used %Used
IPv4 243728 46%
MPLS 215627 41%
#sh mpls ip binding summary
Total number of prefixes: 211
Generic label bindings
assigned learned
prefixes in labels out labels
211 210 416
Total tib route info allocated: 194
bbn-ms-gw#debug bgp ipv4 unicast mpls
BGP MPLS labels debugging is on
2w0d: BGP: adding MPLS label to 202.52.15.0/24 sending labels not enabled
2w0d: BGP: adding MPLS label to 202.52.12.0/24 sending labels not enabled
Why did it add an MPLS label to the prefix?
No one told it to do that.

Pavel,
Are the full Internet feeds in VRFs?
If so, IOS allocates one label per VRF prefix. You can use the following command to force IOS to allocate only 1 label per VRF:
mpls label mode { vrf | all-vrfs } protocol bgp-vpnv4 per-vrf
BTW, this is a hidden command.
Hope this helps,

Similar Messages

  • MP-BGP and Route-Reflector

    Hi All...
    I have this topology:
    CE2-->PE1-->P--->PE2-->CE2
    .............\-->PE3-->CE2
    In router "P" I want to configure MP-BGP, but I have many doubts about configuring this router. I need to do route-reflector too.
    Can anybody help me?
    CLRGomes

    Thanks, look at my configuration:
    Router P
    router bgp 65500
    no synchronization
    no bgp default route-target filter
    bgp log-neighbor-changes
    neighbor MPLS peer-group
    neighbor MPLS remote-as 65500
    neighbor MPLS ebgp-multihop 255
    neighbor MPLS update-source Loopback0
    neighbor MPLS route-reflector-client
    neighbor MPLS allowas-in
    neighbor MPLS soft-reconfiguration inbound
    neighbor 10.10.10.2 peer-group MPLS
    neighbor 10.10.10.3 peer-group MPLS
    neighbor 10.10.10.4 peer-group MPLS
    no auto-summary
    address-family vpnv4
    neighbor MPLS route-reflector-client
    neighbor MPLS send-community both
    neighbor 10.10.10.2 activate
    neighbor 10.10.10.3 activate
    neighbor 10.10.10.4 activate
    exit-address-family
    OK... working perfectly. I did MP-BGP between PE routers and I configured different RDs too...
    Later I did PE->CE with OSPF and it is working too; load sharing is working.
    Thanks a lot
    CLRGomes
    CCIE R&S

  • InterAS MPLS Option C (BGP IPv4 + Labels) IOS XR with eBGP multihop session

    Hello,
    Right now we have InterAS MPLS Option C configured between 2 autonomous systems.
    Now we need to add more bandwidth and would like to add another interface between the two routers, establishing a multihop session using loopbacks to load share traffic.
    I know that IOS-XR does not automatically learn directly connected host routes, so for the XR router to assign labels you'll need to configure a static host route to ensure MPLS forwarding to the neighboring AS.
    This works with directly connected neighbors, but when I try to enable the multihop session, the XR does not assign labels even when configuring the static host route.
    Does anybody have a configuration like that working?
    Thanks!!
    Jose.

    Hello Jose
    There are basically two options in Option C L3VPN setup. I will discuss the first option for Multihop.
    Following are the key points that distinguish the InterAS Option C from previous options.
    1) External Multihop BGP address families are invoked between two different autonomous systems; however, these eBGP sessions are invoked between the route reflectors in each AS and not on the ASBR. The route reflector in each AS thus passes labeled ipv4 unicast VPN routes to the other AS. Note:- The route reflector in this case will have PE clients in the vpnv4 address family within that Autonomous System.
    2) ASBRs facilitate the creation of InterAS LSP by providing labeled /32s for PE and Route Reflector loopback.
    3) This option enhances scalability because ASBRs do not handle VPNv4 routes; in fact, this option gets rid of the extra L3VPN LFIB that is created as a result of option B. The LFIB size is minimal as we control the redistribution to the only 2 needed loopback addresses (remote ASBR and remote RR).
    Sample config of the RR:
    router bgp 102
    address-family ipv4 unicast
    address-family vpnv4 unicast
    neighbor-group ibgp
      remote-as 102
      update-source Loopback0
      address-family ipv4 unicast
       route-reflector-client
      address-family vpnv4 unicast
       route-reflector-client
    neighbor 192.168.253.3
      remote-as 101
      ebgp-multihop 255
      description eBGP-RR-PEER-AS101
      update-source Loopback0
      address-family vpnv4 unicast
       route-policy allow-all in
       route-policy allow-all out
       next-hop-unchanged
    neighbor 192.168.254.1
      use neighbor-group ibgp
    neighbor 192.168.254.3
      use neighbor-group ibgp
    neighbor 192.168.254.4
      use neighbor-group ibgp
    On the PE router, the config will look something like this:
    router bgp 102
    address-family ipv4 unicast
      redistribute ospf 1 metric 3333 route-policy interAS-optionc-out
      allocate-label route-policy interAS-optionc-out
    neighbor 65.10.20.1
      remote-as 101
      address-family ipv4 labeled-unicast
       route-policy interAS-optionc-in in
       route-policy interAS-optionc-out out
    neighbor 192.168.254.2
      remote-as 102
      update-source Loopback0
      address-family ipv4 unicast
    router static
    address-family ipv4 unicast
      65.10.20.1/32 TenGigE0/0/0/1
      192.0.2.0/24 Null0 tag 10
    route-policy interAS-optionc-in
      if destination in remote-RR-PE then
        pass
      else
        drop
      endif
    end-policy
    route-policy interAS-optionc-out
      if destination in local-RR-PE then
        pass
      else
        drop
      endif
    end-policy
    prefix-set local-RR-PE
      192.168.254.2/32,
      192.168.253.6/32,
      192.168.253.5/32
    end-set
    prefix-set remote-RR-PE
      192.168.253.2/32,
      192.168.253.3/32,
      192.168.253.3/32
    end-set
    Just for your clarification, 192.168.253.0/24 is the remote AS network and 192.168.254.0/24 is the local AS network.
    Hope this clarifies your doubts.
    Cheers ... !!!
    Vinit
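
    The reply above limits label allocation and labeled-unicast advertisement to a handful of /32 loopbacks through two route-policies. The following is an added example, not part of the original reply: a small Python check that parses those stanzas, evaluates a prefix against a policy (a prefix-set entry without ge/le matches that exact prefix only), and audits the prefix-sets. The names `STATED_RANGE`, `evaluate` and `audit` are hypothetical, and the expected ranges are an assumption taken from the reply's closing sentence.

```python
import ipaddress
import re
from collections import Counter

# route-policy and prefix-set stanzas copied from the PE configuration above.
XR_CONFIG = """\
route-policy interAS-optionc-in
  if destination in remote-RR-PE then
    pass
  else
    drop
  endif
end-policy
route-policy interAS-optionc-out
  if destination in local-RR-PE then
    pass
  else
    drop
  endif
end-policy
prefix-set local-RR-PE
  192.168.254.2/32,
  192.168.253.6/32,
  192.168.253.5/32
end-set
prefix-set remote-RR-PE
  192.168.253.2/32,
  192.168.253.3/32,
  192.168.253.3/32
end-set
"""

# Assumption: expected range per set, from the reply's closing sentence
# (192.168.253.0/24 remote AS, 192.168.254.0/24 local AS).
STATED_RANGE = {
    "local-RR-PE": ipaddress.ip_network("192.168.254.0/24"),
    "remote-RR-PE": ipaddress.ip_network("192.168.253.0/24"),
}


def parse_prefix_sets(text):
    """Return {set name: [ip_network, ...]}, keeping order and duplicates."""
    sets = {}
    for name, body in re.findall(r"^prefix-set (\S+)\n(.*?)^end-set", text, re.M | re.S):
        entries = [tok.strip() for tok in body.replace("\n", "").split(",")]
        sets[name] = [ipaddress.ip_network(tok) for tok in entries if tok]
    return sets


def parse_policies(text):
    """Handle only the if/pass/else/drop form used above: {policy: prefix-set}."""
    pattern = (r"^route-policy (\S+)\n\s*if destination in (\S+) then\n\s*pass\n"
               r"\s*else\n\s*drop\n\s*endif\nend-policy")
    return dict(re.findall(pattern, text, re.M))


def evaluate(policy, prefix, policies, sets):
    """Return 'pass' or 'drop' for one prefix, using exact-match semantics."""
    net = ipaddress.ip_network(prefix)
    return "pass" if net in sets[policies[policy]] else "drop"


def audit(sets, stated_range):
    """List (set, finding, prefix) for entries a reviewer should look at."""
    findings = []
    for name, nets in sets.items():
        for net, count in Counter(nets).items():
            if count > 1:
                findings.append((name, "duplicate", str(net)))
        for net in dict.fromkeys(nets):  # de-duplicated, order preserved
            if net.prefixlen != net.max_prefixlen:
                findings.append((name, "not-a-host-route", str(net)))
            elif not net.subnet_of(stated_range[name]):
                findings.append((name, "outside-stated-range", str(net)))
    return findings


SETS = parse_prefix_sets(XR_CONFIG)
POLICIES = parse_policies(XR_CONFIG)

if __name__ == "__main__":
    for candidate in ("192.168.254.2/32", "192.168.254.0/24", "10.1.1.0/24"):
        print(candidate, evaluate("interAS-optionc-out", candidate, POLICIES, SETS))
    for finding in audit(SETS, STATED_RANGE):
        print(finding)
```

    The audit reports the repeated 192.168.253.3/32 entry and the two local-RR-PE entries that sit outside the range the reply gives for the local AS; both are worth confirming against the real addressing plan before the policy is deployed.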

  • HTTPS certificate problem on MPLS

    Hi everyone,
    We are currently migrating our network from IP to MPLS and we encounter an issue with only one application, which uses a security certificate through HTTPS. All other services are OK, such as HTTP, FTP, mailing, etc.
    Network description:
    The network architecture is composed of 4 core routers (which play the role of P and PE at the same time) and 2 border routers (B1 and B2) linked to the Internet via STM1 - POS interfaces.
    Each border is connected to two core routers (C1 and C2) by GigabitEthernet links.
    Please also note that there is a DPI (Deep Packet Inspector, model Arbor 100) between each border and core.
    Core routers C1, C2, C3 and C4 are connected to each other by GigabitEthernet links.
    B1 and B2 are linked to the Internet by STM1 (POS) using eBGP.
    OSPF is used as the infrastructure routing protocol between all equipment.
    (cf the network diagram attached)
    Configuration :
    When migrating to MPLS, we fixed interfaces MTU at 9216 and the MPLS MTU at 1512 on all concerned interfaces from Core to Border routers.
    Below is a sample configuration.
    mpls ip
    mpls label protocol ldp
    mpls ldp router-id loopback0
    interface GigabitEthernet1/1
    mtu 9216
    ip ospf authentication message-digest
    ip ospf message-digest-key 1 md5 XXXXXXXXXXX
    ip ospf network point-to-point
    ip ospf cost 1
    ip ospf hello-interval 1
    mpls mtu 1512
    mpls ip
    Problem :
    The service application uses a server on the local network (linked via a CE router) which sends HTTPS requests and files to a server located on the Internet.
    When MPLS is activated only on the Core-To-Core interfaces (C1, C2, C3 and C4) the application is working properly.
    But when MPLS is expanded to the Core-To-Border / Border-To-Core interfaces, this specific application fails, as it appears that the certificate server sees a corrupted frame; some bits have been added to the normal frame. But all other services (HTTP, FTP, everything,)
    Below are the major differences between Border and Core routers connection schemes:
    - A DPI equipment between Core and Border,
    - GigabitEthernet is used for links Border-To-Core and Core-To-Core, STM1 (POS) is used for links Border-To-Internet (IP)
    - The MTU size on the STM1 interface is fixed at 4470; an MTU size of 9216 is assigned to GE interfaces (Border-To-Core, Core-To-Core)
    Regards.

    Hi,
    Would it be possible to disable the functionality of the DPI (passthrough mode?) and test again?
    MPLS labels or not on the packet should not make a difference wrt HTTPS only (in theory).
    Since you mention corrupted frames, taking a packet capture should show you if this is true or not.
    Thanks,
    Luc

  • BGP Best Practice / Private-AS vs. Public-AS in the MPLS Core

    Dears,
    We have recently acquired a large network with ASR9K as Internet Gateways and non-Cisco devices in the MPLS Core.
    We would like to know which is the best recommended solution: to use a private MP-BGP AS in the MPLS Core or to extend the IGW public AS, knowing that the IGW will be in a VRF and not the global routing table. Moreover, the clients of the MPLS Core have their own BGP public AS and would need to connect to the MPLS Core to obtain internet services from the IGW.
    (Cust1)------EBGP------[VRF_Cust_1](MPLS CORE AS_2)[VRF_IGW]------EBGP-----(IGW AS_1) in the case of having a private BGP AS in the core
    (Cust1)------EBGP------[VRF_Cust_1](MPLS CORE AS_1)[VRF_IGW]------iBGP-----(IGW AS_1) in the case of having same public BGP AS in the core
    Waiting for your feedback and thoughts.
    Thanks,
    Michel.

    Michel,
    if your mpls core is also used for internet transit, then it is best to be a public AS.
    if not, then you can leave it be and remove the private AS at your border routers.
    If you are connecting multiple MPLS networks together to link L2 or L3 VPN services, I think it is easiest to have it all one AS, otherwise you end up with complex designs such as Carrier supporting Carrier (CSC) or Inter-AS option A (vrf lite), B (using vpnv4 at the inter-AS gateway) or C (using vpnv4 at the inter-AS gateway with route reflectors in each AS peering with each other).
    regards
    xander
    Xander Thuijs CCIE #6775
    Principal Engineer 
    ASR9000, CRS, NCS6000 & IOS-XR

  • Best internet access method over MPLS?

    Hello!!
    once again, I have to choose between design opinions and I'd like to hear about your experiences... Now referred to internet access.
    I have several customers needing to learn full internet routing and establishing bgp connections with our PEs (for access backup purposes).
    When needing to use more specific than default routes, it's said to be more convenient to use global routing tables to distribute full internet routes, in order to save memory on the PEs.
    Now my doubt: if this design forces me to use different subinterfaces and VRFs for a client needing both VPN and internet access, and knowing that maybe I could use the same vpn for providing internet to all our customers, so internet routes will be available in just one VRF... wouldn't it be cleaner using just one vpn (and one vrf in every PE router) for internet access for all the customers (yet knowing it will use three times more memory)...?
    know ebgp sessions in a PE could be established through the internet access vrf. Moreover, any client needing a private VPN could use a different (sub)interface
    what do you think about? global routes or just one vrf carrying internet routes?
    Thanks in advance

    Well, both are good options, and we have designed networks for SPs with both these options. The deciding factor for them, however, has been the requirements from the Internet service: whether this service is for A) end customers who want a default or partial/full routing table, or whether this service is for B) an ISP who can serve his Tier 2/3 ISP customers.
    A) For End Enterprise Customers.
    If it's meant for end customers who simply want a default route, and some customers who may want partial/full routes but who aren't ISPs, then you can consider the VRF solution, as it would be very easy for you to provision and deprovision within the network. Just a little more load on the memory, but since it's one VRF your typical PE can handle the Internet in a VRF with 1 gig of MEM.
    B) For Tier2/3 ISP Customers
    Now if it's for your T2/T3 ISP customers, then the VRF method has certain drawbacks,
    Drawback) ISP customers don't want a single best route coming to them from an RR. Since you are their provider ISP, you would be having many connections to upstream peering points and NAP/IXP. So your ISP customers want all these routes so they can themselves decide the best route for different service requirements of their end customers.
    Solution) Now if you have to give all these routes to the ISP, you have to assign a different RD value for each upstream peering point,
    Caveat) This would increase your memory requirement on the PEs and RRs tremendously, as they would be holding duplicates of your Internet routing table bcos of different RD values.
    Different Approach) Having said that, some ISPs have implemented the best of both worlds, but it comes with cost constraints. You can extend your IBGP of the Internet AS within a VRF, that is, infra routes only within the VRF, and have dedicated Internet Peering Edge Routers at all locations where you consider providing this service to ISPs. So you extend your IBGP using the VRF, hence none of the P or PE routers hold internet routes in any form; they only have the infra routes in the VRF. Using these infra routes, the Internet Peering Edge Routers form IBGP with an Internet RR, which is your dedicated regular RR for Internet routers, and exchange all internet routes, and give them to your downstream ISP customers.
    Global Routing Table)
    Nothing wrong with this method; everything works as it was working before your MPLS network was there, except for the fact that your intermediate routers don't hold the Internet table and it's a BGP-free core.
    This is better than the VRF option A method, as you won't hold the internet routing table with more memory, which is bcos of the VPNV4. And the second VRF option B is far superior to this method but with an added one-time cost.
    Hope this info helps u to decide better.
    HTH-Cheers,
    Swaroop

  • DMVPN + MPLS best-path selection

    Dear Community
    We're in the process of deploying DMVPN as a backup solution to MPLS. All that is working great!
    The DMVPN wan is dual-cloud, with 2 hub routers in each cloud. Phase 3 (nhrp shortcut) is enabled on all the spokes.
    For routing, all the customer subnets are advertised in MPLS, whereas for DMVPN hub advertises only a summary to 10.0.0.0/8. The protocol for both is BGP. For DMVPN, the hub routers resides in one AS (65002) and all the spokes another common AS 65102. DMVPN is therefore peered eBGP hub > spoke.
    For customers connected to MPLS, the DMVPN serves as backup only solution. Best-path selection by longest prefix match.
    We have other customers coming on board who wish to join the same WAN but don't have the $$$ for MPLS so are opting for DMVPN only.
    Now, I have a requirement to enable spoke-to-spoke for a DMVPN only site (spokeA) to an MPLS site (spokeB). The problem is it doesn't seem to work properly as the hub router sees the best path to spokeB site via MPLS, not via DMVPN. The spoke-to-spoke is never formed, and remains spokeA > hub > mpls > spokeB. The return path is better = spokeB > DMVPN > hub > spokeA (this is because spokeB sees no route from MPLS for spokeA, so follows 10.0.0.0/8) route.
    I look for any feedback that can help to meet this requirement?
    And if any advice on the general design would be really appreciated.
    Thanks a lot!
    Phil

    Phil, 
    I did a short lab around this ... wanted to make sure I'm not saying something stupid. 
    While I can't claim it's the _optimal_ solution for your setup it seems to work in my lab.
    Spoke1 LAN 192.168.101.0/24 (AS 65001)
    Spoke2 LAN 192.168.102.0/24 (AS 65002)
    HUB LAN 192.168.111.0/24 (AS 65000)
    192.168.1.0/24 DMVPN subnet. 
    A single (i)VRF - DMVPN exists on hub, only and is assigned only to DMVPN tunnel interface. 
    Excuse a few hacks I had to use... default routed via default-originate for example :-)
    Hub
    R10-P#sh run int tu0
    Building configuration...
    Current configuration : 281 bytes
    interface Tunnel0
    vrf forwarding DMVPN
    ip address 192.168.1.1 255.255.255.0
    no ip redirects
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp shortcut
    ip nhrp redirect
    tunnel source Loopback0
    tunnel mode gre multipoint
    tunnel protection ipsec profile PRO
    end
    R10-P#sh run | s r b
    router bgp 65000
    bgp log-neighbor-changes
    network 192.168.111.0
    redistribute static
    neighbor 10.112.112.1 remote-as 65001
    neighbor 10.112.112.1 route-map SPOKES_MPLS in
    default-information originate
    address-family ipv4 vrf DMVPN
    neighbor 192.168.1.101 remote-as 65001
    neighbor 192.168.1.101 activate
    neighbor 192.168.1.102 remote-as 65002
    neighbor 192.168.1.102 activate
    exit-address-family
    R10-P#sh run | s vrf defini
    vrf definition DMVPN
    rd 1:1
    route-target export 100:1
    route-target import 100:1
    address-family ipv4
      import ipv4 unicast map DEFAULT
      export ipv4 unicast map SPOKE_SUBNETS
    route-target export 100:1
    route-target import 100:1
    exit-address-family
    address-family ipv6
    route-target export 100:1
    route-target import 100:1
    exit-address-family
    Result on spoke
    R1-PE#traceroute 192.168.102.1 source e2/0
    Type escape sequence to abort.
    Tracing the route to 192.168.102.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.1.1 [AS 65000] 5 msec 10 msec 2 msec
    2 192.168.1.102 [AS 65000] 4 msec * 5 msec
    R1-PE#traceroute 192.168.102.1 source e2/0
    Type escape sequence to abort.
    Tracing the route to 192.168.102.1
    VRF info: (vrf in name/id, vrf out name/id)
    1 192.168.1.102 [AS 65000] 6 msec * 6 msec
    routing on hub 
    (sanitized)
    R10-P# sho ip route
    Gateway of last resort is 10.100.100.2 to network 0.0.0.0
    S* 0.0.0.0/0 [1/0] via 10.100.100.2
    10.0.0.0/8 is variably subnetted, 13 subnets, 2 masks
    B 192.168.101.0/24 [20/0] via 10.112.112.1, 00:06:40
    B 192.168.102.0/24 [20/0] via 192.168.1.102 (DMVPN), 00:00:03
    192.168.111.0/24 is variably subnetted, 2 subnets, 2 masks
    R10-P# sho ip route vrf DMVPN
    Routing Table: DMVPN
    Gateway of last resort is 10.100.100.2 to network 0.0.0.0
    B* 0.0.0.0/0 [20/0] via 10.100.100.2, 00:06:40
    192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
    C 192.168.1.0/24 is directly connected, Tunnel0
    L 192.168.1.1/32 is directly connected, Tunnel0
    B 192.168.101.0/24 [20/0] via 192.168.1.101, 00:06:40
    B 192.168.102.0/24 [20/0] via 192.168.1.102, 00:06:25

  • OSPF design for branch offices across MPLS

    Hello fellow networking engineers,
    I want to implement OSPF in our network. We have multiple branch offices, all linked to an MPLS backbone.
    I know that in order to get linked areas, I would need to setup GRE tunnels between them, but I want to avoid static/manual configurations as much as possible. With multiple sites, it would become cumbersome to create a mesh real fast.
    Is running OSPF independent areas at each site, and simply redistributing over eBGP a valid solution? This will host voice and data, and will failover to VPN connection (Cisco ASAs) if the MPLS goes down.
    For the VPN backup links, I thought of two options. Either simply using the default route to send everything to the ASA in case of MPLS "death", or inject routes using IP SLA...
    Any input would be appreciated.

    Marc
    You don't need GRE tunnels to link your areas if that is what you want to do.
    If the SP supports it then you can exchange your OSPF routes between areas and they will still be seen as inter area routes rather than OSPF externals which they would if you simply treated each area as isolated from each other.
    In effect the MPLS network becomes an OSPF super backbone area and your main site would also be part of the backbone area with all your other sites having an area each.
    You still redistribute your OSPF routes into BGP but with some extra configuration on both your CEs and the SP PE devices.
    Like I say you would need to check with your SP but it is possible.
    Whether or not you need or want it I don't know.
    Your other option is as you have proposed to treat each OSPF area as an isolated one and simply redistribute into OSPF at each CE. Then within each site all non local routes would be seen as OSPF external routes.
    Either way in terms of backup I would keep it simple and use a default route at each site pointing to the ASA device. I can't see what you gain from IP SLA because if the main MPLS link goes down at any site the only other path they have out is via the ASA so there is nothing really worth tracking.
    The only other thing I would mention is remote site to remote site traffic. If there is any then presumably with your VPN tunnels you would be doing a sort of hub and spoke where the hub is the main site so you may need to think about traffic coming in from one VPN tunnel and going out to another VPN tunnel on the main site ASA.
    This would only really be needed if two or more sites had to use their backup links at the same time.
    In terms of which is better ie. OSPF inter area across the MPLS cloud or OSPF externals I can't really say to be honest. With the MPLS networks i have worked on we ran EIGRP and simply treated each remote site as an isolated AS.
    If you are already running OSPF then you may want to preserve your existing areas so it would make sense to go with the inter area option.
    If it is a new setup then I don't really know the pros and cons of either so can't really comment.
    Perhaps others may add to the thread with their thoughts.
    Jon

  • MPLS network design challenge

    Hi,
    I have a design issue for which I really like your help.
    In an MPLS network there are two POP gateway routers (G1, G2) peering with various MPLS VPN service providers via B2B vrf eBGP peering are in 4 different ASNs. They in turn all peer via VPNv4 eBGP with the Core ASN, which comprises 2 Nos VPNv4 RRs and every site in the ASN having 2 P/PE per site. Every P/PE is peering via VPNv4 iBGP with the VPNv4 RRs. The RRs are not in the forwarding path of the traffic.
    Every site has 2 Nos CE routers and each CE router does a vrf based ebgp peering with the P/PEs.
    The P/PE routers import 2 Nos RT exported by the 2 Nos POP G/w routers and in turn select the best path and pass it to the CE routers.
    Now it is seen that the P/PE of all sites is selecting the best path advertised by G1 instead of G2 based on the AS PATH length, and the shortest path is being advertised by G1. So till a situation arises that G1 is down, till that time the P/PEs are forwarding the outbound traffic from the CE to G1, even when the IGP cost is adding up high and when there is a direct link failure from the P/PE site to the G1 site.
    It therefore makes sense that if the direct physical link from a P/PE site to the site where G1 is located goes down, the P/PEs then should choose G2 via another path even when G1 is available.
    Do these sorts of requirements ever come in SP environments from customers? If so, what are the solutions ..
    Thanks in advance
    Kas

    Hi kas,
    This type of requirement comes to providers and there are a few options which the provider can implement.
    1- Play with local preference along with an import map in the vrf if the requirement is customer specific. I mean, if one customer wants G1 to be the primary exit point and another customer wants G2 as the primary exit, then he can use an import map (which is similar to a route-map)
    ip vrf ABCD
    rd XX
    import map ABCD
    route-target export XX
    route-target import YY
    route-map ABCD permit 20
    set local-preference >100
    2- Or you can play with As-path prepending option if you want to skip selection based on local preference.
    It is in the provider's interest to provide you a solution, as there are options of affecting traffic by using communities.
    Please provide diagram and some config for complete solution.
    Regards
    Mahesh

  • MPLS/VPN network load balancing in the core

    Hi,
    I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
    CE---PE===P===PE---CE
    I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
    Thank you for your help!
    Gabor

    Hi,
    On the PE router you could set different types and 2 levels of load-balancing.
    For instance, in case of a DUAL-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
    PE1 receives this prefix via eBGP session from CE1 and keep this route as best due to external state.
    PE2 receives this prefix via eBGP session from CE2 and keep this route as best due to external state.
                                 eBGP
                         PE1 ---------CE1
    PE3----------P1                          Subnet A
                         PE2----------CE2 /
                                eBGP
    Therefore from PE3 point of view, 2 routes are available assuming that IGP metric for PE3/PE1 is equal to PE3/PE2.
    Then a first level of load-sharing can be achieved thanks to the maximum-paths ibgp number command.
    2 MP-BGP routes are received on PE3:
    PE3->PE1->CE1->subnet A
    PE3->PE2->CE2->subnet A
    To use both routes you must set the number to at least 2: maximum-paths ibgp 2
    But guess what, in the real world an MPLS backbone hardly guarantees an equal IGP cost between 2 egress PEs for a given prefix.
    So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
    By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface, avoiding reordering the packets on the target site. Otherwise it is possible to use "per-packet" load-balancing.
    Then a 2nd load-sharing level can occur.
    For instance:
             __P1__PE1__CE1
    PE3           \/                   Subnet A
            \ __P2__PE2__CE2
    There are still 2 MP-BGP paths:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    But this time for 2 MP-BGP paths 4 IGP paths are available:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    PE3->P2->PE1->CE1->subnet A
    PE3->P2->PE2->CE2->subnet A
    For load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-paths 4" command in the IGP (ex OSPF) process.
    Therefore if those 4 paths are equal-cost IGP paths then a 2nd level load-balancing is achieved. The default behavior is the same source-destination mechanism to select the "per-session" path as mentioned before.
    On an LSP each LSR could use this feature.
    BR

  • MPLS for Private WAN between 2 service provider

    Hello All,
    We are currently running an MPLS network from service provider 1 across our branch office network. We need more redundancy and are looking to add another MPLS cloud from service provider 2. How would we integrate service provider 2 onto the same Cisco routers, due to the fact that only 1 BGP AS can run inside the router? Any info would be appreciated.

    Hi vpollifrone
    For this scenario, whereby we have a single router already peered with one ISP on a private AS and now need peering with another ISP on a public AS, we can make use of the "local-as" feature, provided we own a public AS...
    This way we can establish peering with the new ISP using the public AS as the local AS in the neighbourship config and also retain the existing peering with the old ISP. What we need to make sure is that while sending updates to the second ISP we replace the original private AS with the public AS....
    Below commands will be handy for same..
    R5(config)#router bgp 64515
    R5(config-router)#neighbor x.x.x.x local-as zzzz ?
      no-prepend  Do not prepend local-as to updates from ebgp peers
    R5(config-router)#neighbor x.x.x.x local-as zzzz no
    R5(config-router)#neighbor x.x.x.x local-as zzzz no-prepend ?
      replace-as  Replace real AS with local AS in the EBGP updates
    R5(config-router)#neighbor x.x.x.x local-as zzzz no-prepend
    R5(config-router)#neighbor x.x.x.x local-as zzzz no-prepend replace-as
    You can refer the below very Useful Cisco Document for same
    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtbgpdas.html
    Hope this helps to answer your query.
    Regards
    Varma
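
    The three `local-as` forms in the transcript above differ in what ends up in the AS_PATH on each side of the session. The following is an added example, not part of the original reply: a Python model of that behaviour which parses a `neighbor ... local-as` line and reports whether the real private AS (64515 on this page) would still be visible to the second ISP. The neighbor address 192.0.2.1, local AS 64496 and ISP AS 64497 are constructed stand-ins for the `x.x.x.x` and `zzzz` placeholders, and the function names are hypothetical.

```python
import re

# Private-use AS numbers (RFC 6996): 64512-65534 and 4200000000-4294967294.
PRIVATE_RANGES = (range(64512, 65535), range(4200000000, 4294967295))

# Keyword grammar as shown in the transcript: replace-as is only offered
# after no-prepend.
LOCAL_AS_RE = re.compile(
    r"neighbor\s+(\S+)\s+local-as\s+(\d+)(\s+no-prepend(\s+replace-as)?)?\s*$")


def parse_local_as(line):
    """Return the options of a complete local-as line, or None."""
    m = LOCAL_AS_RE.search(line.strip())
    if m is None:
        return None
    return {
        "neighbor": m.group(1),
        "local_as": int(m.group(2)),
        "no_prepend": m.group(3) is not None,
        "replace_as": m.group(4) is not None,
    }


def sent_path(as_path, real_as, opts):
    """AS_PATH the eBGP neighbor receives for a route we advertise."""
    if opts["replace_as"]:
        # Only the local AS is prepended; the real AS is left out.
        return [opts["local_as"], *as_path]
    # Default: the real AS is prepended first, then the local AS in front.
    return [opts["local_as"], real_as, *as_path]


def received_path(as_path, opts):
    """AS_PATH we store for a route learned from that neighbor."""
    if opts["no_prepend"]:
        return list(as_path)
    return [opts["local_as"], *as_path]


def private_as_in(path):
    """Private-use AS numbers present in a path."""
    return [asn for asn in path if any(asn in r for r in PRIVATE_RANGES)]


def review(line, real_as, originated=(), learned=()):
    """Summarise both directions for one neighbor line."""
    opts = parse_local_as(line)
    if opts is None:
        raise ValueError("not a complete local-as line: %r" % line)
    out = sent_path(list(originated), real_as, opts)
    return {
        "sent": out,
        "received": received_path(list(learned), opts),
        "leaked_private_as": private_as_in(out),
    }


if __name__ == "__main__":
    REAL_AS = 64515  # "router bgp 64515" in the transcript above
    for suffix in ("", " no-prepend", " no-prepend replace-as"):
        line = "neighbor 192.0.2.1 local-as 64496" + suffix  # constructed values
        print(line, "->", review(line, REAL_AS, learned=[64497]))
```

    Only the `no-prepend replace-as` form keeps 64515 out of the updates sent to the new ISP, which is the condition the reply asks for.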

  • BGP Issue In MPLS Network

    We are having a gateway router which is running a public AS and having a direct peering with the service provider. We are also working as an MPLS SP and providing internet services to our esteemed clients. Now I am facing one issue: if the customer is coming at a remote POP which is having BGP with a private AS number, and the customer itself is having a global AS number with his own IP pool. For that I created a peering with my gateway router by putting a route for the loopback and created an eBGP peering. Now when the customer pool was advertised by my gateway it does not get the reverse path?
    Kindly give your suggestions or designs on how eBGP can be used with the gateway router in case the SP is running MPLS.
    regards
    shivlu jain

    Shivlu,
    It's not clear why u have a Private-AS at one of ur POPs, while u could have the same Public-AS configured and run an IBGP session between your PoPs. If you have multiple POPs then u can go for a (Route-Reflector) design.
    The Second point, If you mean what type of Internet access, Then you can have one of the following:
    1- Classic Internet Access.
    2- a dedicated Vrf for Internet Access.
    HTH
    Mohamed

  • MP-BGP and MPLS multipath load sharing

    Hi,
    I am trying to PoC MPLS multipath load sharing by using per-PE-per-VRF RDs in the network.
    I have a simple lab setup with AS65000 which consists of SITE1 PE1&PE2 routers (10.250.0.101 and 10.250.0.102), a route reflector RR in the middle (10.250.0.55) and SITE2 PE1&PE2 routers (10.250.0.201 and 10.250.0.202). The PE routers only do iBGP peering with the centralized route reflector, passing the route to the 10.1.1.0/24 prefix (learned from a single CE router) with 100:1 and 100:2 RDs for a specific VRF.
    The route reflector gets routes with multiple RDs, makes copies of these routes in order to make a local comparison to the configured RD 55:55, uses these routes and installs multiple paths into its routing table (all PE routers and the RR have "maximum-paths eibgp 4" configured):
    RR#sh ip bgp vpnv4 all
    BGP table version is 7, local router ID is 10.250.0.55
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 55:55 (default for vrf VRF-A) VRF Router ID 10.250.0.55
    * i10.1.1.0/24      10.250.0.102             0    100      0 65001 i
    *>i                 10.250.0.101             0    100      0 65001 i
    Route Distinguisher: 100:1
    *>i10.1.1.0/24      10.250.0.101             0    100      0 65001 i
    Route Distinguisher: 100:2
    *>i10.1.1.0/24      10.250.0.102             0    100      0 65001 i
    RR#sh ip route vrf VRF-A
    <output omitted>
         10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    B       10.1.1.0/24 [200/0] via 10.250.0.102, 00:45:52
                              [200/0] via 10.250.0.101, 00:46:22
    BUT, for some reason the RR doesn't reflect routes with multiple RDs down to SITE2 PE1&PE2, its own clients:
    RR#sh ip bgp vpnv4 all neighbors 10.250.0.201 advertised-routes
    Total number of prefixes 0
    RR#sh ip bgp vpnv4 all neighbors 10.250.0.202 advertised-routes
    Total number of prefixes 0
    Here comes RR BGP configuration:
    router bgp 65000
    no synchronization
    bgp router-id 10.250.0.55
    bgp cluster-id 1.1.1.1
    bgp log-neighbor-changes
    neighbor 10.250.0.101 remote-as 65000
    neighbor 10.250.0.101 update-source Loopback0
    neighbor 10.250.0.101 route-reflector-client
    neighbor 10.250.0.101 soft-reconfiguration inbound
    neighbor 10.250.0.102 remote-as 65000
    neighbor 10.250.0.102 update-source Loopback0
    neighbor 10.250.0.102 route-reflector-client
    neighbor 10.250.0.102 soft-reconfiguration inbound
    neighbor 10.250.0.201 remote-as 65000
    neighbor 10.250.0.201 update-source Loopback0
    neighbor 10.250.0.201 route-reflector-client
    neighbor 10.250.0.201 soft-reconfiguration inbound
    neighbor 10.250.0.202 remote-as 65000
    neighbor 10.250.0.202 update-source Loopback0
    neighbor 10.250.0.202 route-reflector-client
    neighbor 10.250.0.202 soft-reconfiguration inbound
    no auto-summary
    address-family vpnv4
      neighbor 10.250.0.101 activate
      neighbor 10.250.0.101 send-community both
      neighbor 10.250.0.102 activate
      neighbor 10.250.0.102 send-community both
      neighbor 10.250.0.201 activate
      neighbor 10.250.0.201 send-community both
      neighbor 10.250.0.202 activate
      neighbor 10.250.0.202 send-community both
    exit-address-family
    address-family ipv4 vrf VRF-A
      maximum-paths eibgp 4
      no synchronization
      bgp router-id 10.250.0.55
      network 10.255.1.1 mask 255.255.255.255
    exit-address-family
    SITE1 PE1 configuration:
    router bgp 65000
    no synchronization
    bgp router-id 10.250.0.101
    bgp log-neighbor-changes
    neighbor 10.250.0.55 remote-as 65000
    neighbor 10.250.0.55 update-source Loopback0
    neighbor 10.250.0.55 soft-reconfiguration inbound
    no auto-summary
    address-family vpnv4
      neighbor 10.250.0.55 activate
      neighbor 10.250.0.55 send-community both
    exit-address-family
    address-family ipv4 vrf VRF-A
      neighbor 10.1.101.2 remote-as 65001
      neighbor 10.1.101.2 activate
      neighbor 10.1.101.2 soft-reconfiguration inbound
      maximum-paths eibgp 4
      no synchronization
      bgp router-id 10.250.0.101
    exit-address-family
    SITE1 PE2 configuration is similar to SITE1 PE1. They both do eBGP peering with a dual-homed CE router in AS65001 which announces the 10.1.1.0/24 prefix into the VRF-A table.
    My question is: clearly, the issue is that the RR doesn't reflect any routes to its clients (SITE2 PE1&PE2) for the 10.1.1.0/24 prefix with 100:1 and 100:2 RDs that don't match its locally configured RD 55:55 for VRF-A, although they are present in its BGP/RIB tables and used for multipathing. Is this expected behavior or some feature limitation for a specific platform or IOS version? Currently, in this test lab setup I run IOS 12.4(24)T8 on all the devices.
    Please let me know if any further details are needed to get an idea of why this well-known and widely used feature is not working correctly in my case. Thanks a lot!
    Regards,
    Sergey

    Hi Ashish,
    I tried to remove VRF and address family configurations completely from RR.
    router bgp 65000
    no synchronization
    bgp router-id 10.250.0.55
    bgp cluster-id 1.1.1.1
    bgp log-neighbor-changes
    neighbor 10.250.0.101 remote-as 65000
    neighbor 10.250.0.101 update-source Loopback0
    neighbor 10.250.0.101 route-reflector-client
    neighbor 10.250.0.101 soft-reconfiguration inbound
    neighbor 10.250.0.102 remote-as 65000
    neighbor 10.250.0.102 update-source Loopback0
    neighbor 10.250.0.102 route-reflector-client
    neighbor 10.250.0.102 soft-reconfiguration inbound
    neighbor 10.250.0.201 remote-as 65000
    neighbor 10.250.0.201 update-source Loopback0
    neighbor 10.250.0.201 route-reflector-client
    neighbor 10.250.0.201 soft-reconfiguration inbound
    neighbor 10.250.0.202 remote-as 65000
    neighbor 10.250.0.202 update-source Loopback0
    neighbor 10.250.0.202 route-reflector-client
    neighbor 10.250.0.202 soft-reconfiguration inbound
    no auto-summary
    address-family vpnv4
      neighbor 10.250.0.101 activate
      neighbor 10.250.0.101 send-community both
      neighbor 10.250.0.102 activate
      neighbor 10.250.0.102 send-community both
      neighbor 10.250.0.201 activate
      neighbor 10.250.0.201 send-community both
      neighbor 10.250.0.202 activate
      neighbor 10.250.0.202 send-community both
    exit-address-family
    After this, RR doesn't accept any routes at all from S1PE1&S1PE2 routers, thus not reflecting any routes down to its clients S2PE1&S2PE2 as well:
    S1PE1#sh ip bgp vpnv4 all
    BGP table version is 6, local router ID is 10.250.0.101
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 100:1 (default for vrf VRF-A) VRF Router ID 10.250.0.101
    *> 10.1.1.0/24      10.1.101.2               0             0 65001 i
    S1PE1#sh ip bgp vpnv4 all neighbors 10.250.0.55 advertised-routes
    BGP table version is 6, local router ID is 10.250.0.101
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 100:1 (default for vrf VRF-A) VRF Router ID 10.250.0.101
    *> 10.1.1.0/24      10.1.101.2               0             0 65001 i
    Total number of prefixes 1
    S1PE2#sh ip bgp vpnv4 all
    BGP table version is 6, local router ID is 10.250.0.102
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 100:2 (default for vrf VRF-A) VRF Router ID 10.250.0.102
    *> 10.1.1.0/24      10.1.201.2               0             0 65001 i
    S1PE2#sh ip bgp vpnv4 all neighbors 10.250.0.55 advertised-routes
    BGP table version is 6, local router ID is 10.250.0.102
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 100:2 (default for vrf VRF-A) VRF Router ID 10.250.0.102
    *> 10.1.1.0/24      10.1.201.2               0             0 65001 i
    Total number of prefixes 1
    RR#sh ip bgp vpnv4 all
    RR#sh ip bgp vpnv4 all neighbors 10.250.0.101 routes
    Total number of prefixes 0
    RR#sh ip bgp vpnv4 all neighbors 10.250.0.102 routes
    Total number of prefixes 0
    Any feedback is appreciated. Thanks.
    Regards,
    Sergey
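
An added example, not from the original posts: a small audit script that parses an IOS `router bgp` block like the RR configuration posted above and reports, per address family, which neighbors are activated and which carry `route-reflector-client`. It relies on the IOS behaviour that `route-reflector-client` applies per address family, so a statement outside `address-family vpnv4` does not make that neighbor a VPNv4 client; the config text is abridged from the post (two of the four neighbors) and the function names are hypothetical.

```python
import re

# Abridged from the RR configuration posted above (two of the four neighbors).
RR_CONFIG = """\
router bgp 65000
 bgp cluster-id 1.1.1.1
 neighbor 10.250.0.101 remote-as 65000
 neighbor 10.250.0.101 route-reflector-client
 neighbor 10.250.0.201 remote-as 65000
 neighbor 10.250.0.201 route-reflector-client
 address-family vpnv4
  neighbor 10.250.0.101 activate
  neighbor 10.250.0.101 send-community both
  neighbor 10.250.0.201 activate
  neighbor 10.250.0.201 send-community both
 exit-address-family
"""

NEIGHBOR = re.compile(r"neighbor\s+(\S+)\s+(.+)")
DEFAULT_AF = "ipv4 unicast"  # family for per-AF statements outside any address-family


def per_af_neighbors(config):
    """Map address family -> {'activated': set, 'rr_clients': set}."""
    families = {}
    current = DEFAULT_AF
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("address-family "):
            current = line[len("address-family "):]
        elif line == "exit-address-family":
            current = DEFAULT_AF
        match = NEIGHBOR.fullmatch(line)
        if not match:
            continue
        peer, option = match.groups()
        entry = families.setdefault(current, {"activated": set(), "rr_clients": set()})
        if option == "activate":
            entry["activated"].add(peer)
        elif option == "route-reflector-client":
            entry["rr_clients"].add(peer)
    return families


def non_client_peers(config, family="vpnv4"):
    """Peers activated in `family` that are not reflector clients there."""
    entry = per_af_neighbors(config).get(family, {"activated": set(), "rr_clients": set()})
    return sorted(entry["activated"] - entry["rr_clients"])


if __name__ == "__main__":
    for peer in non_client_peers(RR_CONFIG):
        print(f"{peer}: activated in vpnv4 but not a route-reflector-client there")
```

Run against the full posted configuration, the same check lists all four PEs, because every `route-reflector-client` line there sits outside `address-family vpnv4`.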

  • Multiple MPLS Carriers/Networks

    Does anyone have any experience with using 2 MPLS carriers for load balancing. We'd like to have a primary MPLS network with ATT and then a backup MPLS network with MCI. But rather than use MCI strictly for backup we'd like to load balance traffic across both networks. Most of our bigger sites will have a connection into both clouds. Anyone have any idea how we'd handle the routing for that?

    I assist in supporting an environment which might almost be identical to that you want to move into.
    The first issue you might bump into is the way EBGP will prefer to always use its CE-PE link if it sees otherwise equal paths. Simple solution: divide your traffic to your CEs. We do this either by using GLBP for small sites, or via equal-cost paths within the LAN's routing topology to the CE routers.
    The second issue you might bump into is if the AS topologies are different between the MPLS providers, making AS hop counts different between sites. We addressed this issue by defining and maintaining our own logical topology that looks identical between the different MPLS providers.
    Both of the prior principally perform static load balancing, but if you are working with 12.4 or later, you might also want to look at OER. It can dynamically load balance, either with the static techniques above, or without them.
    PS:
    We also deal with the situation where two sites are not on the same provider's MPLS. (Usually the result of some problem.) For this, we leak routes between the providers at major hubs, permitting traffic to transit between the providers for sites that cannot be reached on the same provider.

  • L3-MPLS VPN Convergence

    Perhaps someone on this group can identify the missing timers/processing delays in end-to-end client route convergence.
    Scenarios:
    a) BGP new route advertised by client (CPE1)
    b) BGP route withdrawn by client (CPE1)
    PE-to-RR i-M-BGP (Logical)
    ========= ----RR------ ======
    " | | "
    CPE1---->PE1------->P1-------->P2---->PE2----->CPE2
    | |
    --------->P3-------->P4-------
    Routing:
    - eBGP btw CPE and PE (any routing prot within Cust site),
    - OSPF, LDP in Core,
    Timers/Steps I'm aware of:
    - Advertisement of routes from CE to PE and placement into VRF
    - Propagation of routes across the MPLS VPN backbone
    - Import process of these routes into relevant VRFs
    - Advertisement of VRF routes to attached VPN sites
    - BGP advertisement-interval: Default = 5 seconds for iBGP, 30 for eBGP
    - BGP Import Process: Default = 15 seconds
    - BGP Scanner Process Default = 60 seconds
    Would appreciate it if someone can identify any missing process delays or timers, especially w.r.t. RR.
    Thanks
    SH

    Check the LDP/TDP timers in the core. Remember, if a link fails in the core, a reroute occurs and the LDP/TDP binding needs to be renewed. Tags are bound to the routes that are in the routing table (IGP). So, there is a delay possible from a core perspective:
    mpls ldp holdtime
    mpls ldp discovery hello [holdtime | interval]
    In case you are using TE check these:
    mpls traffic-eng topology holddown
    mpls traffic-eng signalling forwarding sync
    mpls traffic-eng fast-reroute timers promotion
    I believe the latter one only applies to SDH, in which you use the segment loss feature.
    Regards,
    Frank
