I’ve had a few questions on my post over here: how can we effectively connect a CSR to an existing dynamips topology, and how can we break it out to the real world? The initial goal is to create this topology:
[Diagram: CSR topology]

I don’t have an ESX v5 server to play around with, so I’ll be doing all of this under VMware Fusion on my MacBook Pro. I’ll show you how to install the CSR first, then how to modify a dynamips .net file running on the same laptop to connect to the CSR, and finally how to break that out to a switch where I can connect all manner of real devices. The configuration of VMware Player/Fusion/Workstation and ESX vSphere is going to be very similar.

Install the CSR1000v

You need to download the CSR from Cisco’s website. Go to Cisco – Support – Download – Routers – Cloud Routers – CSR1000V
This is a free download. You just need a Cisco account.
In ESX you can install from OVF. With VMware Fusion installed, all I need to do is double-click the download from Cisco. That will open up an import dialogue:
[Screenshot: import dialogue]
Let it import
The first time you run the VM, it’ll fully install. You don’t have to do anything except let it run through its install. Once it reboots your router will start up:
[Screenshot: the router starting up]

Configure vmware player networking

I’ve installed Ubuntu Server 64-bit in the meantime and installed dynamips. What we want to do now is ensure certain virtual interfaces are connected to different virtual switches. Ubuntu/CSR will consider these to be real interfaces.
The CSR comes with three interfaces by default. I’ve mapped two of these to separate internal switched networks.

NOTE: VMware Player/ESX/Workstation makes this very easy. VMware Fusion doesn’t give you the option to create multiple virtual networks. I’ll add a section at the end of this post to show how to do this.
For dynamips I’ve also got two interfaces, each mapped to the same networks respectively as the CSR above.

Configure dynamips .net file

The goal now is to map interfaces. I want to map the two virtual interfaces (which Linux considers real) to a virtual Ethernet switch within dynamips. I’ll also connect R1 and R2 directly to each other in dynamips:

autostart = False
[127.0.0.1:7200]
    workingdir = /home/darreno/dynamips/working
[[7200]]
        image = /home/darreno/dynamips/ios/c7200-advipservicesk9-mz.122-33.SRE7.bin
        ram = 256
        idlepc = 0x6278f1a4
        ghostios = True
[[ROUTER R1]]
        model = 7200
        console = 2001
        f0/0 = s1 1
        f1/0 = R2 f1/0
[[ROUTER R2]]
        model = 7200
        console = 2002
        f0/0 = s1 2
[[ETHSW s1]]
        1 = access 2
        2 = access 3
        3 = access 2 NIO_linux_eth:eth1
        4 = access 3 NIO_linux_eth:eth2

There is a virtual switch internal to dynamips called ETHSW S1. I’ve mapped R1 interface fa0/0 to port 1 of this switch. Switch port 1 is mapped to vlan 2 untagged. Port 3 of this dynamips switch is also in vlan 2 which connects to what linux considers eth0. eth0 is connected to vmnet2 which we created earlier. This is the virtual network within vmware. The same has been done for R2 and port 4, just that those are in vlan 3 connected to the vmnet3 network inside vmware. It’s a bit confusing at first as we are dealing with multiple levels of virtualisation here, but once you wrap your head around it it’s not so difficult.
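
To untangle those layers before anything is bridged to real kit, the following added example (not part of the original post) parses the link-defining sections of the .net file above and reports which router interfaces share a VLAN with a host NIC and which links stay inside dynamips. The function names are hypothetical, and only access ports are handled, as in the file above.

```python
import re

# Link-defining sections of the .net file above, embedded so this runs offline.
NET_FILE = """\
[[ROUTER R1]]
        model = 7200
        console = 2001
        f0/0 = s1 1
        f1/0 = R2 f1/0
[[ROUTER R2]]
        model = 7200
        console = 2002
        f0/0 = s1 2
[[ETHSW s1]]
        1 = access 2
        2 = access 3
        3 = access 2 NIO_linux_eth:eth1
        4 = access 3 NIO_linux_eth:eth2
"""

SECTION = re.compile(r"^\[\[(ROUTER|ETHSW)\s+(\S+)\]\]$")
IFACE = re.compile(r"^[a-z]+\d+/\d+$")  # f0/0, f1/0, s1/0 ...


def parse(text):
    """Return (routers, switches) from .net text.

    routers:  {router: {iface: (peer_device, peer_port)}}
    switches: {switch: {port: (vlan, host_nic_or_None)}}
    """
    routers, switches = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Any section other than ROUTER/ETHSW is skipped.
            m = SECTION.match(line)
            kind, name = m.groups() if m else (None, None)
            continue
        if kind is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        fields = value.split()
        if kind == "ROUTER" and IFACE.match(key) and len(fields) == 2:
            routers.setdefault(name, {})[key] = (fields[0], fields[1])
        elif kind == "ETHSW" and key.isdigit():
            if len(fields) < 2 or fields[0] != "access":
                raise ValueError(f"{name} port {key}: only access ports are handled")
            nic = None
            if len(fields) > 2 and fields[2].startswith("NIO_linux_eth:"):
                nic = fields[2].split(":", 1)[1]
            switches.setdefault(name, {})[int(key)] = (int(fields[1]), nic)
    return routers, switches


def host_exposure(text):
    """Map each switch-attached router interface to the host NICs in its VLAN."""
    routers, switches = parse(text)
    exposure, internal = {}, set()
    for router, ifaces in sorted(routers.items()):
        for iface, (peer, port) in sorted(ifaces.items()):
            here = f"{router} {iface}"
            if peer in switches:
                ports = switches[peer]
                if int(port) not in ports:
                    raise ValueError(f"{here}: {peer} has no port {port}")
                vlan = ports[int(port)][0]
                exposure[here] = sorted(
                    nic for v, nic in ports.values() if v == vlan and nic
                )
            else:
                # Direct router-to-router link: never leaves dynamips.
                internal.add(tuple(sorted((here, f"{peer} {port}"))))
    return exposure, sorted(internal)


if __name__ == "__main__":
    exposure, internal = host_exposure(NET_FILE)
    for iface, nics in exposure.items():
        print(f"{iface:10} -> host NIC(s): {', '.join(nics) or 'none (isolated)'}")
    for a, b in internal:
        print(f"{a:10} <-> {b} (inside dynamips only)")
```

Any interface listed against a host NIC will also be reachable from whatever that NIC's vmnet is later mapped to, so this is worth re-running after every edit to the ETHSW section.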

Testing

I’ve configured the network as above. I’ve configured a loopback interface on all routers and they are all running OSPF. Let’s check CDP and OSPF:

IOS-XE#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Gig 2             121               R    7206VXR   Fas 0/0
R1               Gig 1             171               R    7206VXR   Fas 0/0

IOS-XE#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:39    10.1.1.50       GigabitEthernet2
1.1.1.1           1   FULL/DR         00:00:34    10.0.0.50       GigabitEthernet1

R1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 1/0           157            R       7206VXR   Fas 1/0
IOS-XE           Fas 0/0           136           R I      CSR1000V  Gig 1
R1#
R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:33    192.168.1.2     FastEthernet1/0
5.5.5.5           1   FULL/BDR        00:00:39    10.0.0.1        FastEthernet0/0

R2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R1               Fas 1/0           125            R       7206VXR   Fas 1/0
IOS-XE           Fas 0/0           178           R I      CSR1000V  Gig 2
R2#
R2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:00:32    192.168.1.1     FastEthernet1/0
5.5.5.5           1   FULL/BDR        00:00:34    10.1.1.1        FastEthernet0/0

Connect to the real world

I’m not going to show this as it’s very simple. It’s nearly identical to the config above. All you need to do is map a vmnet to a physical interface. You can also map a vmnet to a physical tagged interface. This means you can have multiple vmnets mapped on a single physical interface. From there you can connect it to a switch where you can use VLANs to connect to other kit.

Footnote – Adding more vmnets in Vmware Fusion

I got these instructions from here: http://www.virtual-hike.com/how-to-create-additional-vmnets-in-vmware-fusion/

The following all needs to be done through the cli. I’m using Fusion 5 so you may need to adjust for different versions. You first need to install your VMs as above. Once that is done, open a terminal and navigate to /Library/Preferences/VMware Fusion

Darrens-MacBook-Pro:/ darrenoconnor$ cd Library/Preferences/VMware\ Fusion/

Copy the vmnet1 folder to vmnet2:

Darrens-MacBook-Pro:VMware Fusion darrenoconnor$ sudo cp -R vmnet1 vmnet2
Password:

Navigate to the new folder and edit dhcpd.conf:

Darrens-MacBook-Pro:VMware Fusion darrenoconnor$ cd vmnet2
Darrens-MacBook-Pro:vmnet3 darrenoconnor$ sudo vi dhcpd.conf

In that file you should adjust the subnet address, MAC address, and vmnet name. Save and exit.

Edit the network file:

Darrens-MacBook-Pro:vmnet3 darrenoconnor$ sudo vi ../networking

Add the following with the subnets you used above. We don’t actually need DHCP so you can switch it off:

answer VNET_2_DHCP no
answer VNET_2_HOSTONLY_NETMASK 255.255.255.0
answer VNET_2_HOSTONLY_SUBNET x.x.x.x
answer VNET_2_VIRTUAL_ADAPTER yes

That’s the second vmnet now created. Now we need to modify our previous VMs to connect to that new vmnet. Once again this needs to be done via the command line.

Navigate to your VM:

Darrens-MacBook-Pro:vmnet3 darrenoconnor$ cd ~/Documents/Virtual\ Machines.localized/

Go into the folder for each of your VMs you want to add to the vmnet. Open the .vmx file and add it to the vmnet added earlier.

Go down to ethernet2 and change it like so:

ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "vmnet2"
ethernet2.virtualDev = "e1000"
ethernet2.wakeOnPcktRcv = "FALSE"
ethernet2.addressType = "generated"

Do that for all the needed VMs and away you go. You can add more vmnets as needed.
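
Because all of this is hand-edited, a typo in either file leaves a VM interface attached to nothing, or to a vmnet that still hands out DHCP. The following added example (not from the original post or the linked instructions) cross-checks a .vmx fragment against the networking file. The function names are hypothetical and the sample values, including the subnet, are constructed.

```python
import re

# Constructed sample: the networking entries from the post with a made-up subnet.
NETWORKING = """\
answer VNET_2_DHCP no
answer VNET_2_HOSTONLY_NETMASK 255.255.255.0
answer VNET_2_HOSTONLY_SUBNET 172.16.2.0
answer VNET_2_VIRTUAL_ADAPTER yes
"""

# Constructed sample .vmx fragment: ethernet2 as in the post, ethernet1 pointing
# at a vmnet that was never added to the networking file.
VMX = """\
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "vmnet3"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "vmnet2"
ethernet2.virtualDev = "e1000"
"""


def parse_networking(text):
    """Return {vnet_number: {setting: value}} from 'answer VNET_n_KEY value' lines."""
    vnets = {}
    for line in text.splitlines():
        m = re.match(r"^answer\s+VNET_(\d+)_(\w+)\s+(\S+)$", line.strip())
        if m:
            vnets.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return vnets


def parse_vmx(text):
    """Return {nic_index: {setting: value}} from 'ethernetN.key = "value"' lines."""
    nics = {}
    for line in text.splitlines():
        m = re.match(r'^ethernet(\d+)\.(\w+)\s*=\s*"(.*)"$', line.strip())
        if m:
            nics.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return nics


def check(networking, vmx):
    """List (interface, problem) pairs for custom-connected NICs."""
    vnets = parse_networking(networking)
    findings = []
    for idx, nic in sorted(parse_vmx(vmx).items()):
        if nic.get("present", "").upper() != "TRUE":
            continue
        if nic.get("connectionType") != "custom":
            continue
        name = f"ethernet{idx}"
        m = re.fullmatch(r"vmnet(\d+)", nic.get("vnet", ""))
        if not m:
            findings.append((name, "custom connection without a vmnetN name"))
            continue
        number = int(m.group(1))
        vnet = vnets.get(number)
        if vnet is None:
            findings.append((name, f"vmnet{number} is not defined in the networking file"))
            continue
        if "HOSTONLY_SUBNET" not in vnet:
            findings.append((name, f"vmnet{number} has no HOSTONLY_SUBNET"))
        if vnet.get("DHCP") == "yes":
            findings.append((name, f"DHCP is still enabled on vmnet{number}"))
    return findings


if __name__ == "__main__":
    for nic, problem in check(NETWORKING, VMX) or [("all NICs", "ok")]:
        print(f"{nic}: {problem}")
```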


This is part two of my blog started here: http://mellowd.co.uk/ccie/?p=3300

Same diagram as last time:
[Diagram: multi vendor l3vpn]

This time each CPE is going to be connected to a VRF on the PE router. I’m only using one customer for this post, but this is regular L3VPN so scale as you see fit.

Major issue with the Netiron. It doesn’t support the VPNV6 address family :( – I’m using the latest 5.4b code and nothing. So this means this is a Junos/IOS lab only.

CPE config

All the CPEs are running BGP with their directly connected PE routers. All are advertising reachability to their IPv6 loopback addresses to their PE router. I’m only showing R6’s config as the others are the same with different addresses:

interfaces {
    ae1 {
        unit 36 {
            vlan-id 36;
            family inet6 {
                address 2001:db8:36::6/64;
            }
        }
    }
    lo0 {
        unit 6 {
            family inet6 {
                address 2001:db8:6666::6666/128;
            }
        }
    }
}
protocols {
    bgp {
        group PROVIDER {
            family inet6 {
                unicast;
            }
            export LOOPBACK;
            neighbor 2001:db8:36::3 {
                peer-as 100;
            }
        }
    }
}
policy-options {
    policy-statement LOOPBACK {
        from {
            protocol direct;
            route-filter 2001:db8:6666::6666/128 exact;
        }
        then accept;
    }
}
routing-options {
    router-id 6.6.6.6;
    autonomous-system 65123 loops 2;
}

You’ll need to statically define your router-id for all sites. If a router is running ONLY IPv6, or your VRF ONLY has an IPv6 address, then the router has no IPv4 address to choose its router-id from. This will be a common theme throughout as you’ll also need to set router-ids in IPv6-only VRF instances.

PE config

Junos

First we need to set up the VRF to the customer and run BGP. We then need to enable the VPNV6 family in BGP. I’m going to remove the old IPv6 unicast config used in part one of this series.

USER3:R3> show configuration protocols
mpls {
    ipv6-tunneling;
    interface ae1.13;
}
bgp {
    group 6VPE {
        family inet6-vpn {
            unicast;
        }
        peer-as 100;
        neighbor 4.4.4.4;
    }
}

USER3:R3> show configuration routing-instances
CUSTOMER1 {
    instance-type vrf;
    interface fe-0/0/3.36;
    route-distinguisher 3.3.3.3:1;
    vrf-target target:100:1;
    routing-options {
        router-id 3.3.3.3;
    }
    protocols {
        bgp {
            group EXTERNAL {
                advertise-peer-as;
                family inet6 {
                    unicast;
                }
                neighbor 2001:db8:36::6 {
                    peer-as 65123;
                }
            }
        }
    }
}

IPv6 address family running with the customer. VPNv6 address family running with IOS PE R4. Note that I have to use ‘advertise-peer-as’ on R3 as Junos will not advertise a route to an AS that already has the AS number in the path by default.
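
The CE setting ‘loops 2’ and the PE setting ‘advertise-peer-as’ act on opposite ends of the same PE-CE session, and both are needed when two sites share an AS. The following added example (not the author's code) models the two checks and replays the cases seen in these posts, including the L3VPN post further down where R6 does not see R5's route. The function names are hypothetical, and the send-side suppression is modelled for Junos only, as the posts observe.

```python
from dataclasses import dataclass

PROVIDER_AS, CUSTOMER_AS = 100, 65123


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # leftmost entry is the AS that advertised it most recently


def pe_export(route, pe_vendor, ce_as, advertise_peer_as=False):
    """PE -> CE eBGP advertisement. Returns the route as sent, or None.

    Assumption taken from the post: a Junos PE does not advertise a route to
    a peer whose AS is already in the path unless advertise-peer-as is set.
    """
    if pe_vendor == "junos" and ce_as in route.as_path and not advertise_peer_as:
        return None
    return Route(route.prefix, (PROVIDER_AS,) + route.as_path)


def ce_import(route, ce_as, loops=1):
    """CE receive side: discard when the local AS appears `loops` or more times."""
    if route.as_path.count(ce_as) >= loops:
        return None
    return route


def deliver(prefix, pe_vendor, advertise_peer_as=False, loops=1,
            as_path=(CUSTOMER_AS,)):
    """Follow a VRF route from the egress PE to a CE in CUSTOMER_AS."""
    learned = Route(prefix, tuple(as_path))  # as held in the PE's VRF table
    sent = pe_export(learned, pe_vendor, CUSTOMER_AS, advertise_peer_as)
    if sent is None:
        return "suppressed by PE", None
    kept = ce_import(sent, CUSTOMER_AS, loops)
    if kept is None:
        return "dropped by CE", sent.as_path
    return "installed", kept.as_path


if __name__ == "__main__":
    cases = [
        ("R8 (Netiron) -> R5, defaults", dict(prefix="6.6.6.6/32", pe_vendor="netiron")),
        ("R8 (Netiron) -> R5, loops 2", dict(prefix="6.6.6.6/32", pe_vendor="netiron", loops=2)),
        ("R3 (Junos) -> R6, loops 2", dict(prefix="5.5.5.5/32", pe_vendor="junos", loops=2)),
        ("R3 (Junos) -> R6, loops 2 + advertise-peer-as",
         dict(prefix="5.5.5.5/32", pe_vendor="junos", loops=2, advertise_peer_as=True)),
        ("R3 (Junos) -> R6, OSPF-sourced 7.7.7.7",
         dict(prefix="7.7.7.7/32", pe_vendor="junos", as_path=())),
    ]
    for label, kwargs in cases:
        state, path = deliver(**kwargs)
        print(f"{label:48} {state:17} {path}")
```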

IOS

The main issue with IOS is that I cannot statically define a BGP router-id if I’m ONLY running IPv6. BGP requires a router-id in the x.x.x.x format. IOS does not give me the option to hard-code a router-id under the BGP process for the VRF, or the ipv6 unicast address family. So I had to enable the ipv4 address-family under the VRF and define a loopback address in the VRF to use as the router-id. Very silly indeed.

vrf definition CUSTOMER1
 rd 4.4.4.4:100
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 route-target export 100:1
 route-target import 100:1
 exit-address-family
!
interface Loopback4
 vrf forwarding CUSTOMER1
 ip address 4.4.4.4 255.255.255.255
!
router bgp 100
 bgp router-id vrf auto-assign
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv6
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv6 vrf CUSTOMER1
  no synchronization
  neighbor 2001:DB8:47::7 remote-as 65123
  neighbor 2001:DB8:47::7 activate
 exit-address-family

VRF assigned to the CE-PE link. IPv6 unicast running with the CPE and VPNv6 running with the Junos PE R3 router.

Verification

Let’s first check if our VPNv6 sessions are up:

7200_SRD_R4#show bgp vpnv6 unicast all   neighbors 3.3.3.3 | include state|fam$
  BGP state = Established, up for 03:09:47
    Address family VPNv6 Unicast: advertised and received
 For address family: VPNv6 Unicast
Connection state is ESTAB, I/O status: 1, unread input bytes: 0

USER3:R3> show bgp neighbor 4.4.4.4 | match "Estab|NLRI"
  Type: Internal    State: Established    Flags: 
  NLRI for restart configured on peer: inet6-vpn-unicast
  NLRI advertised by peer: inet6-vpn-unicast
  NLRI for this session: inet6-vpn-unicast

Sessions are up and running the VPNv6 family.

Can the CEs ping each other from their IPv6 loopbacks?

USER7:R7> ping 2001:db8:6666::6666 source 2001:db8:7777::7777 rapid count 5
PING6(56=40+8+8 bytes) 2001:db8:7777::7777 --> 2001:db8:6666::6666
!!!!!
--- 2001:db8:6666::6666 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 1.520/1.726/1.997/0.195 ms

USER6:R6> ping 2001:db8:7777::7777 source 2001:db8:6666::6666 rapid count 5
PING6(56=40+8+8 bytes) 2001:db8:6666::6666 --> 2001:db8:7777::7777
!!!!!
--- 2001:db8:7777::7777 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 1.533/1.706/1.968/0.147 ms

No problems there :)


I wanted to test 6PE and 6VPE interoperability with the three major vendors. As always I’m stuck with IOS only in the Cisco world for now, but what can I do. This test will run over a Junos MPLS core. All my MPLS labs thus far have been using RSVP, so let’s change this to LDP for now just to mix things up a bit.

6PE allows you to run IPv6 transport over an IPv4 MPLS core. MPLS does not have native label support for IPv6 addresses, at least yet. This means if you need to transport IPv6 traffic over your MPLS core, you need to tunnel it over IPv4. 6PE is one of those ways. 6VPE is essentially MPLS layer 3 VPN for IPv6 over an IPv4 MPLS core, as opposed to 6PE, which is simple IPv6 over an IPv4 MPLS core.

[Diagram: multi vendor l3vpn]

6PE

There is no need to worry about CPE kit for now. I’ll simply have an IPv6 loopback address on R3, R4, and R8. These PE routers will peer over MP-BGP over the IPv4-only core.

R3 – Junos

interfaces {
    ae1 {
        unit 13 {
            vlan-id 13;
            family inet {
                address 10.0.4.13/30;
            }
            family inet6;
            family mpls;
        }
    }
    lo0 {
        unit 3 {
            family inet {
                address 3.3.3.3/32;
            }
            family inet6 {
                address 2001:db8:3333::3333/128;
            }
        }
    }
}
protocols {

    mpls {
        ipv6-tunneling;
        interface ae1.13;
    }
    bgp {
        group 6PE {
            family inet6 {
                labeled-unicast {
                    explicit-null;
                }
            }
            export LOOPBACK;
            peer-as 100;
            neighbor 4.4.4.4;
            neighbor 8.8.8.8;
        }
    }
    ldp {
        interface ae1.13;
    }
}
policy-options {
    policy-statement LOOPBACK {
        from {
            protocol direct;
            route-filter 2001:db8:3333::3333/128 exact;
        }
        then accept;
    }
}
routing-options {
    autonomous-system 100;
}

Junos requires you to activate the family inet6 address family on the core-facing interface, even if no address is applied. LDP is configured. BGP has been configured with family inet6 address family only. You also need to send labelled unicast as well as explicit-null. Junos will not commit if you leave this out.

I’ve then redistributed my IPv6 loopback address into BGP.

R4 – IOS

interface Loopback6
 no ip address
 ipv6 address 2001:DB8:4444::4444/128
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet1/0.24
 encapsulation dot1Q 24
 ip address 10.0.4.9 255.255.255.252
 ip ospf network point-to-point
 mpls ip
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 8.8.8.8 remote-as 100
 neighbor 8.8.8.8 update-source Loopback0
 !
 address-family ipv6
  no synchronization
  network 2001:DB8:4444::4444/128
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-label
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-label
 exit-address-family

IOS is a bit easier. Create my loopback, IPv6 unicast BGP sessions with send-label configured, and advertise IPv6 loopback.

R8 – Netiron

interface loopback 1
 ip ospf area 0
 ip address 8.8.8.8/32
 ipv6 address 2001:db8:8888::8888/128
!
router bgp
 local-as 100
 next-hop-mpls
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source 8.8.8.8
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source 8.8.8.8

 address-family ipv6 unicast
 network 2001:db8:8888::8888/128
 neighbor 3.3.3.3 activate
 neighbor 3.3.3.3 send-label
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-label
 exit-address-family
!
router mpls

 mpls-interface ve2
  ldp-enable

Very similar to IOS here.

Verification

First let’s see if each of our boxes has the IPv6 routes to the others’ loopbacks:

USER3:R3> show route 2001:db8:4444::4444/128

inet6.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:db8:4444::4444/128
                   *[BGP/170] 00:19:31, MED 0, localpref 100, from 4.4.4.4
                      AS path: I
                    > to 10.0.4.14 via ae1.13, Push 16, Push 300016(top)

USER3:R3> show route 2001:db8:8888::8888/128

inet6.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:db8:8888::8888/128
                   *[BGP/170] 21:40:12, MED 0, localpref 100, from 8.8.8.8
                      AS path: I
                    > to 10.0.4.14 via ae1.13, Push 794624, Push 300048(top)

7200_SRD_R4#show ipv6 route 2001:DB8:3333::3333/128
Routing entry for 2001:DB8:3333::3333/128
  Known via "bgp 100", distance 200, metric 0, type internal
  Route count is 1/1, share count 0
  Routing paths:
    3.3.3.3%default indirectly connected
      MPLS Required
      Last updated 00:20:47 ago

7200_SRD_R4#show ipv6 route 2001:DB8:8888::8888/128
Routing entry for 2001:DB8:8888::8888/128
  Known via "bgp 100", distance 200, metric 0, type internal
  Route count is 1/1, share count 0
  Routing paths:
    8.8.8.8%default indirectly connected
      MPLS Required
      Last updated 00:21:00 ago

SSH@XMR_R8#show ipv6 route 2001:db8:3333::3333/128
Type Codes - B:BGP C:Connected I:ISIS L:Local O:OSPF R:RIP S:Static
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - d:DHCPv6
Type IPv6 Prefix           Next Hop Router    Interface     Dis/Metric     Uptime src-vrf
Bi   2001:db8:3333::3333/128
                           ::                 LDP (5)       200/0          8m3s   -
label information: 2(OUT)
SSH@XMR_R8#show ipv6 route 2001:db8:4444::4444/128
Type Codes - B:BGP C:Connected I:ISIS L:Local O:OSPF R:RIP S:Static
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - d:DHCPv6
Type IPv6 Prefix           Next Hop Router    Interface     Dis/Metric     Uptime src-vrf
Bi   2001:db8:4444::4444/128
                           ::                 LDP (3)       200/0          7m25s  -
label information: 16(OUT)

Control plane looks fine. Routes are installed with next-hops associated with labels. Let’s see if data actually flows:

USER3:R3> ping 2001:db8:4444::4444 source 2001:db8:3333::3333 rapid count 5
PING6(56=40+8+8 bytes) 2001:db8:3333::3333 --> 2001:db8:4444::4444
!!!!!
--- 2001:db8:4444::4444 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 1.262/1.399/1.789/0.196 ms

7200_SRD_R4#ping 2001:DB8:8888::8888 source lo6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:8888::8888, timeout is 2 seconds:
Packet sent with a source address of 2001:DB8:4444::4444
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

SSH@XMR_R8#ping ipv6 2001:db8:3333::3333 source 2001:db8:8888::8888 count 5
Sending 5, 16-byte ICMPv6 Echo to 2001:db8:3333::3333
timeout 5000 msec, Hop Limit 64
Type Control-c to abort
Reply from 2001:db8:3333::3333: bytes=16 time=1ms Hop Limit=64
Reply from 2001:db8:3333::3333: bytes=16 time<1ms Hop Limit=64
Reply from 2001:db8:3333::3333: bytes=16 time<1ms Hop Limit=64
Reply from 2001:db8:3333::3333: bytes=16 time<1ms Hop Limit=64
Reply from 2001:db8:3333::3333: bytes=16 time<1ms Hop Limit=64
Success rate is 100 percent (5/5), round-trip min/avg/max=0/0/1 ms.

All looks good to me.

You can find part 2 here: http://mellowd.co.uk/ccie/?p=3546


My first of a series of posts for MPLS interoperability between Cisco’s IOS, Juniper’s Junos, and Brocade’s Netiron code. This post will use the same core I set up before:
[Diagram: multi vendor l3vpn]
L3 VPN is one of the more common applications for MPLS. This post will show a very basic three customer site. I’ll leave off all the advanced stuff for another post.

All three customers are connected to different PE routers. The PE and CE devices will run a routing protocol between them and advertise their loopback addresses to the core. This will emulate the customer’s LAN ranges.

I’m going to run BGP on R5 and R6 as the CE-PE routing protocol and OSPF on R7. The customer is running AS #65123 and the provider AS #100.

PE MP-BGP

The first thing we need to do is set up our MP-BGP peering between our PE routers. Let’s start off with IOS as it’s what most people know:

router bgp 100
 no bgp default ipv4-unicast
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 8.8.8.8 remote-as 100
 neighbor 8.8.8.8 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community extended
 exit-address-family

Junos:

USER3:R3> show configuration routing-options
autonomous-system 100;

USER3:R3> show configuration protocols bgp
group L3VPN {
    type internal;
    local-address 3.3.3.3;
    family inet-vpn {
        unicast;
    }
    neighbor 4.4.4.4;
    neighbor 8.8.8.8;
}

Netiron:

router bgp
 local-as 100
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source 8.8.8.8
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source 8.8.8.8
!
 address-family vpnv4 unicast
 neighbor 3.3.3.3 activate
 neighbor 3.3.3.3 send-community extended
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-community extended
 exit-address-family

Netiron is very similar to IOS when it comes to IGP/BGP. On all three we have simply created a vpnv4 BGP session between all three PE routers. We are not running the regular IPv4 address family on these sessions. Let’s confirm.
IOS:

7200_SRD_R4#sh bgp vpnv4 unicast all summary  | beg Nei
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4   100      46      43       18    0    0 00:19:06        0
8.8.8.8         4   100      26      23       18    0    0 00:18:59        0

Junos:

USER3:R3> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0            0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State
4.4.4.4                 100         43         48       0       1       19:58 Establ
  bgp.l3vpn.0: 0/0/0/0
8.8.8.8                 100       3285       3241       0       0  1d 0:25:07 Establ
  bgp.l3vpn.0: 0/0/0/0

Netiron:

SSH@XMR_R8#sh ip bgp vpnv4 sum | beg AS#
  Neighbor Address  AS#         State   Time          Rt:Accepted Filtered Sent     ToSend
  3.3.3.3           100         ESTAB   1d 0h26m      2           0        0        0
  4.4.4.4           100         ESTAB   0h20m43s      0           0        0        0

All of our vpnv4 sessions are now up.

CE-PE – R3-R6 – Junos

R6 is a regular BGP config so I’m not pasting it here. It is simply peering with AS #100 and advertising its loopback address. On Junos, you configure any ce-pe protocol under the routing instance you make for your customer:

USER3:R3> show configuration routing-instances
CUSTOMER1 {
    description "Our First Customer";
    instance-type vrf;
    interface fe-0/0/3.36;
    route-distinguisher 3.3.3.3:1;
    vrf-target target:100:1;
    protocols {
        bgp {
            group EXTERNAL {
                neighbor 10.0.2.13 {
                    family inet {
                        unicast;
                    }
                    peer-as 65123;
                }
            }
        }
    }
}

USER3:R3> show bgp summary instance CUSTOMER1
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
CUSTO.inet.0           1          1          0          0          0          0
CUSTOM.mdt.0           0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State
10.0.2.13             65123         93         98       0       0       40:54 Establ
  CUSTOMER1.inet.0: 1/1/1/0
USER3:R3> show route table CUSTOMER1 6.6.6.6

CUSTOMER1.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

6.6.6.6/32         *[BGP/170] 00:30:52, localpref 100
                      AS path: 65123 I
                    > to 10.0.2.13 via fe-0/0/3.36

CE-PE – R4-R7 – IOS

R7 is a simple OSPF config over area 0 advertising its loopback interface. The PE router is configured like so:

ip vrf CUS1
 rd 4.4.4.4:1
 route-target export 100:1
 route-target import 100:1
!
interface FastEthernet1/0.47
 encapsulation dot1Q 47
 ip vrf forwarding CUS1
 ip address 10.0.2.18 255.255.255.252
 ip ospf network point-to-point
 ip ospf 2 area 0
!
router ospf 2 vrf CUS1
 redistribute bgp 100 subnets
!
router bgp 100
 !
 address-family ipv4 vrf CUS1
  no synchronization
  redistribute ospf 2 vrf CUS1
 exit-address-family

7200_SRD_R4#sh ip ospf neighbor fa0/0.47

Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.7           0   FULL/  -        00:00:39    10.0.2.17       FastEthernet1/0.47
7200_SRD_R4#sh ip route vrf CUS1 7.7.7.7

Routing Table: CUS1
Routing entry for 7.7.7.7/32
  Known via "ospf 2", distance 110, metric 1, type intra area
  Redistributing via bgp 100
  Advertised by bgp 100
  Last update from 10.0.2.17 on FastEthernet1/0.47, 00:32:06 ago
  Routing Descriptor Blocks:
  * 10.0.2.17, from 7.7.7.7, 00:32:06 ago, via FastEthernet1/0.47
      Route metric is 1, traffic share count is 1

CE-PE – R8-R5 – Netiron

Standard config on the CE router once again. PE router configured as follows:

vrf CUS1
 rd 8.8.8.8:1
 address-family ipv4
   route-target export 100:1
   route-target import 100:1
 exit-address-family
exit-vrf
!
interface ve35
 vrf forwarding CUS1
 ip address 10.0.2.2/30
!
router bgp

 address-family ipv4 unicast vrf CUS1
 neighbor 10.0.2.1 remote-as 65123
 exit-address-family

SSH@XMR_R8#show ip bgp vrf CUS1 summary | beg AS#
  Neighbor Address  AS#         State   Time          Rt:Accepted Filtered Sent     ToSend
  10.0.2.1          65123       ESTAB   0h18m57s      1           0        4        0
SSH@XMR_R8#sh ip route vrf CUS1 5.5.5.5 | beg Des
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       5.5.5.5/32         10.0.2.1        ve 35         20/0          Be   10m58s -

At this point each PE router is running their PE-CE protocol with their CE peer and learning the loopback address. Without configuring anything else, do we see any of the routes from the other PE devices?

USER3:R3> show route table CUSTOMER1 7.7.7.7

CUSTOMER1.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

7.7.7.7/32         *[BGP/170] 00:31:46, MED 1, localpref 100, from 4.4.4.4
                      AS path: ?
                    > to 10.0.4.14 via ae1.13, label-switched-path TO-R4

USER3:R3> show route table CUSTOMER1 5.5.5.5

CUSTOMER1.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.5.5.5/32         *[BGP/170] 00:21:03, localpref 100, from 8.8.8.8
                      AS path: 65123 I
                    > to 10.0.4.14 via ae1.13, label-switched-path TO-R8

Junos sees both loopbacks. Note too that the next-hops are both via LSPs. One to R4 and one to R8.

SSH@XMR_R8#show ip route vrf CUS1  6.6.6.6
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       6.6.6.6/32         DIRECT          lsp TO-R3     200/0         Bi   42m12s -
SSH@XMR_R8#show ip route vrf CUS1 7.7.7.7
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       7.7.7.7/32         DIRECT          lsp TO-R4     200/1         Bi   33m17s -

Netiron also sees both with a next-hop of each respective LSP.

7200_SRD_R4#sh ip route vrf CUS1 6.6.6.6

Routing Table: CUS1
Routing entry for 6.6.6.6/32
  Known via "bgp 100", distance 200, metric 0
  Tag 65123, type internal
  Redistributing via ospf 2
  Advertised by ospf 2 subnets
  Last update from 3.3.3.3 00:46:36 ago
  Routing Descriptor Blocks:
  * 3.3.3.3 (default), from 3.3.3.3, 00:46:36 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65123
      MPLS Required
7200_SRD_R4#
7200_SRD_R4#sh ip route vrf CUS1 5.5.5.5

Routing Table: CUS1
Routing entry for 5.5.5.5/32
  Known via "bgp 100", distance 200, metric 0
  Tag 65123, type internal
  Redistributing via ospf 2
  Advertised by ospf 2 subnets
  Last update from 8.8.8.8 00:24:47 ago
  Routing Descriptor Blocks:
  * 8.8.8.8 (default), from 8.8.8.8, 00:24:47 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65123
      MPLS Required

IOS has the routes, but there is an issue. IOS does not use the RSVP-TE tunnels for anything unless we tell it to. We can prove this to R5 like so:

7200_SRD_R4#sh ip cef vrf CUS1 5.5.5.5 detail
5.5.5.5/32, epoch 0
  recursive via 8.8.8.8 label 500000
    nexthop 10.0.4.10 FastEthernet1/0.24

Traffic would never hit the other PE routers. We need to ensure IOS actually uses these tunnels:

7200_SRD_R4#conf t
7200_SRD_R4(config)#int tun 0
7200_SRD_R4(config-if)#tunnel mpls traffic-eng autoroute announce
7200_SRD_R4(config-if)#int tun 1
7200_SRD_R4(config-if)#tunnel mpls traffic-eng autoroute announce
7200_SRD_R4#sh ip cef vrf CUS1 5.5.5.5 detail
5.5.5.5/32, epoch 0
  recursive via 8.8.8.8 label 500000
    nexthop 8.8.8.8 Tunnel1

So now our PE routers have all the required routes. They have also correctly installed these routes to go over the RSVP-TE tunnels. There is another issue to resolve though: R5 and R6 are in the same AS. Remember that BGP uses the AS-PATH as a loop prevention mechanism. Therefore if R5 receives a BGP update from its PE router with its own AS number in the path, that route will get dropped.
I can configure both CE routers to accept routes with their own AS number in the path like so:

USER5:R5> show configuration routing-options
autonomous-system 65123 loops 2;

R5 now sees R6’s route:

USER5:R5> show route 6.6.6.6

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

6.6.6.6/32         *[BGP/170] 00:03:04, localpref 100
                      AS path: 100 65123 I
                    > to 10.0.2.2 via ae1.35

But R6 still does not see R5’s route:

USER6:R6> show route 5.5.5.5

USER6:R6>

The reason is clearer from the perspective of R3, the PE. Is R3 even advertising that route?

USER3:R3> show route advertising-protocol bgp 10.0.2.13

CUSTOMER1.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 7.7.7.7/32              Self                                    ?
* 10.0.2.16/30            Self                                    ?

No, it isn’t. Let’s go back to the Netiron and see if it was advertising everything:

SSH@XMR_R8#sh ip bgp vrf CUS1 neighbors 10.0.2.1 advertised-routes
       There are 4 routes advertised to neighbor 10.0.2.1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST E:EBGP I:IBGP L:LOCAL
       Prefix             Next Hop        MED        LocPrf     Weight Status
1      10.0.2.12/30       10.0.2.2                              0      BI
         AS_PATH: 100
2      10.0.2.16/30       10.0.2.2        0                     0      BI
         AS_PATH: 100
3      7.7.7.7/32         10.0.2.2        1                     0      BI
         AS_PATH: 100
4      6.6.6.6/32         10.0.2.2                              0      BI
         AS_PATH: 100 65123

The Netiron was always sending everything. Initially R5 was simply dropping those updates. As an optimisation, Junos will not bother advertising a route whose AS path already contains the peer’s AS number, as it knows the other side will just drop it. So why spend time advertising it to begin with? You need to specifically tell Junos to advertise under these circumstances:

USER3:R3# set routing-instances CUSTOMER1 protocols bgp group EXTERNAL advertise-peer-as

R6 now receives the route:

USER6:R6> show route 5.5.5.5

inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

5.5.5.5/32         *[BGP/170] 00:00:20, localpref 100
                      AS path: 100 65123 I
                    > to 10.0.2.14 via ae1.36
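
The two AS-path checks walked through above, as an added example that is not from the original post: a simplified Python model of the receiver-side loop check and the sender-side suppression, replayed over the three stages of the lab. `Speaker`, `ce_learns` and the other names are hypothetical, and the sender-side rule is reduced to "the peer's AS appears in the AS path" as an assumption.

```python
from dataclasses import dataclass


@dataclass
class Speaker:
    name: str
    asn: int
    loops: int = 1                  # Junos 'autonomous-system <asn> loops <n>'; 1 is the default
    suppress_peer_as: bool = False  # True models Junos before 'advertise-peer-as' is set


def sender_advertises(pe, peer_as, as_path):
    """Sender side: skip routes whose AS path already contains the peer's AS."""
    return not (pe.suppress_peer_as and peer_as in as_path)


def receiver_accepts(ce, as_path):
    """Receiver side: reject once the local AS appears 'loops' or more times."""
    return as_path.count(ce.asn) < ce.loops


def ce_learns(pe, ce, held_path):
    """True if the CE installs a route that the PE holds with AS path held_path."""
    if not sender_advertises(pe, ce.asn, held_path):
        return False
    return receiver_accepts(ce, [pe.asn] + held_path)  # PE prepends its AS on eBGP


def walk_through():
    """Replay the post's three stages: {stage: (R5 has 6.6.6.6, R6 has 5.5.5.5)}."""
    r8 = Speaker("R8", 100)                         # Netiron PE: always advertises
    r3 = Speaker("R3", 100, suppress_peer_as=True)  # Junos PE: suppresses by default
    r5, r6 = Speaker("R5", 65123), Speaker("R6", 65123)
    remote = [65123]                                # AS path of the other CE's route at the PE
    stages = {}
    stages["default"] = (ce_learns(r8, r5, remote), ce_learns(r3, r6, remote))
    r5.loops = r6.loops = 2                         # 'autonomous-system 65123 loops 2' on both CEs
    stages["loops 2"] = (ce_learns(r8, r5, remote), ce_learns(r3, r6, remote))
    r3.suppress_peer_as = False                     # 'advertise-peer-as' on R3
    stages["advertise-peer-as"] = (ce_learns(r8, r5, remote), ce_learns(r3, r6, remote))
    return stages


if __name__ == "__main__":
    for stage, (r5_ok, r6_ok) in walk_through().items():
        print(f"{stage:18} R5 sees 6.6.6.6: {r5_ok!s:5}  R6 sees 5.5.5.5: {r6_ok}")
```

Raising `loops` only widens what a CE will accept for its own AS number, so it belongs on sessions where the same AS is known to sit at more than one site, as it does here.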

That’s it for part one. If I don’t split this post I’ll never get it finished. If you’ve made it this far, congratulations! :)

You can find part 2 over here: http://mellowd.co.uk/ccie/?p=3456


While my previous post showed how to create RSVP tunnels between these three providers, I did not mention some of the caveats between these devices.

The biggest thing is that even if you hard code paths through the network, the tunnels on IOS will refuse to come up until traffic engineering is actually running on the IGP and the required interfaces.

Let’s use the same topology as last time:
[Image: multi-vendor L3VPN topology]
I’m going to disable traffic engineering on R2. I’m also going to run a debug mpls traffic-eng tunnels signalling detail

USER2:R2# delete protocols ospf traffic-engineering

[edit]
USER2:R2# commit and-quit

Straight away, I see this output on the 7200:

*Feb 20 18:09:40.646: LSP-TUNNEL-SIG: Tunnel0 [7]: path verification failed (unprotected)
 [Can't use link 10.0.4.9 on node 4.4.4.4]
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: tunnel Tunnel0 [7]: RSVP head-end close
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: received DELETE RESV request for tunnel 4.4.4.4 0 [7]
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: tunnel 4.4.4.4 0 [7]: path next hop is 10.0.4.10 (Fa0/0.24)
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: sending DELETE RESV reply for tunnel 4.4.4.4 0 [7]
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: Tunnel0 [7] notified of disappearing label information
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: Tunnel0 [7] label information Changed
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: Tunnel1 [7]: path verification failed (unprotected)
 [Can't use link 10.0.4.9 on node 4.4.4.4]
*Feb 20 18:09:40.654: LSP-TUNNEL-SIG: tunnel Tunnel1 [7]: RSVP head-end close
*Feb 20 18:09:40.654: LSP-TUNNEL-SIG: received DELETE RESV request for tunnel 4.4.4.4 1 [7]
*Feb 20 18:09:40.654: LSP-TUNNEL-SIG: tunnel 4.4.4.4 1 [7]: path next hop is 10.0.4.10 (Fa0/0.24)
*Feb 20 18:09:40.654: LSP-TUNNEL-SIG: sending DELETE RESV reply for tunnel 4.4.4.4 1 [7]
*Feb 20 18:09:40.654: LSP-TUNNEL-SIG: Tunnel1 [7] notified of disappearing label information
*Feb 20 18:09:40.658: LSP-TUNNEL-SIG: Tunnel1 [7] label information Changed
*Feb 20 18:09:45.658: RT: updating ospf 8.8.8.8/32 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.658: RT: add 8.8.8.8/32 via 10.0.4.10, ospf metric [110/3]
*Feb 20 18:09:45.658: RT: del 8.8.8.8 via 8.8.8.8, ospf metric [110/3]
*Feb 20 18:09:45.658: RT: updating ospf 3.3.3.3/32 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.658: RT: add 3.3.3.3/32 via 10.0.4.10, ospf metric [110/3]
*Feb 20 18:09:45.658: RT: del 3.3.3.3 via 3.3.3.3, ospf metric [110/3]
*Feb 20 18:09:45.658: RT: updating ospf 2.2.2.2/32 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.658: RT: updating ospf 1.1.1.1/32 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.658: RT: updating ospf 172.16.2.0/24 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.658: RT: updating ospf 172.16.1.0/24 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.658: RT: updating ospf 172.16.0.12/30 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.658: RT: add 172.16.0.12/30 via 10.0.4.10, ospf metric [110/4]
*Feb 20 18:09:45.658: RT: del 172.16.0.12 via 3.3.3.3, ospf metric [110/4]
*Feb 20 18:09:45.662: RT: updating ospf 22.22.22.0/24 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.662: RT: updating ospf 10.0.5.0/24 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.662: RT: updating ospf 10.0.4.12/30 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.662: RT: updating ospf 192.168.1.0/30 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:45.662: RT: updating ospf 10.0.4.4/30 (0x0) via 10.0.4.10 Fa0/0.24
*Feb 20 18:09:55.390: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Feb 20 18:09:55.390: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Feb 20 18:09:55.390: is_up: 0 state: 4 sub state: 1 line: 0
*Feb 20 18:09:55.390: RT: interface Tunnel0 removed from routing table
*Feb 20 18:09:55.390: is_up: 0 state: 4 sub state: 1 line: 0
*Feb 20 18:09:55.390: RT: interface Tunnel1 removed from routing table

IOS really doesn’t like it at all. However, only tunnels originating from R4 actually have this issue. If you check the LSPs on R4, you can see the two incoming tunnels are still fine:

7200_SRD_R4#sh mpls traffic-eng tun brief
Signalling Summary:
    LSP Tunnels Process:            running
    Passive LSP Listener:           running
    RSVP Process:                   running
    Forwarding:                     enabled
    Periodic reoptimization:        every 3600 seconds, next in 822 seconds
    Periodic FRR Promotion:         Not Running
    Periodic auto-bw collection:    every 300 seconds, next in 222 seconds
TUNNEL NAME                      DESTINATION      UP IF     DOWN IF   STATE/PROT
7200_SRD_R4_t0                   3.3.3.3          -         unknown   up/down
7200_SRD_R4_t1                   8.8.8.8          -         unknown   up/down
TO-R4                            4.4.4.4          Fa0/0.24  -         up/up
TO-R4                            4.4.4.4          Fa0/0.24  -         up/up

Even MPLS pings work TO R4:

SSH@XMR_R8#ping mpls rsvp lsp TO-R4

Send 5 96-byte MPLS Echo Requests over RSVP LSP TO-R4, timeout 5000 msec
Type Control-c to abort
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max=0/1/1 ms.
USER3:R3> ping mpls rsvp TO-R4
!!!!!
--- lsping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss

The Juniper and Brocade are happy to run without any TE extensions on the IGP.
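
A way to reduce the 7200's debug output shown earlier in this post to one record per failed head-end tunnel, as an added example that is not from the original post: it pairs each path verification failure with the link IOS rejected and measures how long the tunnel interface took to go down. The function and pattern names are hypothetical; the sample lines are copied from the output above and trimmed.

```python
import re

# Lines copied from the 7200 debug output above, trimmed to the Tunnel0/Tunnel1 events.
SAMPLE = """\
*Feb 20 18:09:40.646: LSP-TUNNEL-SIG: Tunnel0 [7]: path verification failed (unprotected)
 [Can't use link 10.0.4.9 on node 4.4.4.4]
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: tunnel Tunnel0 [7]: RSVP head-end close
*Feb 20 18:09:40.650: LSP-TUNNEL-SIG: Tunnel1 [7]: path verification failed (unprotected)
 [Can't use link 10.0.4.9 on node 4.4.4.4]
*Feb 20 18:09:40.654: LSP-TUNNEL-SIG: tunnel Tunnel1 [7]: RSVP head-end close
*Feb 20 18:09:55.390: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Feb 20 18:09:55.390: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
"""

STAMP = r"\*\w{3} +\d+ (\d\d):(\d\d):(\d\d)\.(\d{3}): "
FAIL = re.compile(STAMP + r"LSP-TUNNEL-SIG: (Tunnel\d+) \[\d+\]: path verification failed")
REASON = re.compile(r"^\s*\[Can't use link (\S+) on node (\S+)\]")
DOWN = re.compile(STAMP + r"%LINEPROTO-5-UPDOWN: Line protocol on Interface "
                          r"(Tunnel\d+), changed state to down")


def _ms(h, m, s, ms):
    """Time of day in milliseconds (the debug timestamps carry no year)."""
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def te_failures(text):
    """Return {tunnel: {link, node, failed_at_ms, down_after_ms}} for failed head-end tunnels."""
    events, pending = {}, None
    for line in text.splitlines():
        if (m := FAIL.match(line)):
            pending = m.group(5)
            events[pending] = {"link": None, "node": None,
                               "failed_at_ms": _ms(*m.groups()[:4]), "down_after_ms": None}
        elif pending and (m := REASON.match(line)):
            # The bracketed reason is printed on the line after the failure it explains.
            events[pending]["link"], events[pending]["node"] = m.groups()
            pending = None
        elif (m := DOWN.match(line)) and m.group(5) in events:
            ev = events[m.group(5)]
            ev["down_after_ms"] = _ms(*m.groups()[:4]) - ev["failed_at_ms"]
    return events


if __name__ == "__main__":
    for tunnel, ev in te_failures(SAMPLE).items():
        print(tunnel, ev)
```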

Brocade and Juniper both record the path along the way to the other side by default. Cisco does not. You can however turn it on in IOS.
Brocade:

SSH@XMR_R8#sh mpls lsp detail
LSP TO-R3, to 3.3.3.3
  From: 8.8.8.8, admin: UP, status: UP, tunnel interface(primary path): tnl0
  [etc etc]
   Recorded routes:
    Protection codes/Rtr Id flag: P: Local  N: Node  B: Bandwidth  I: InUse R: RtrId
    192.168.1.1 -> 10.0.4.5 -> 10.0.4.13

Juniper:

USER3:R3> show mpls lsp detail
Ingress LSP: 2 sessions

4.4.4.4
  From: 3.3.3.3, State: Up, ActiveRoute: 0, LSPname: TO-R4
  [etc etc]
    Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID):
          10.0.4.14 10.0.4.6 10.0.4.9

Cisco:

7200_SRD_R4#sh mpls traffic-eng tunnels | include Record
      Record   Route:

7200_SRD_R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
7200_SRD_R4(config-if)#int tun 1
7200_SRD_R4(config-if)#tunnel mpls traffic-eng record-route
7200_SRD_R4(config-if)#end

7200_SRD_R4#sh mpls traffic-eng tunnels | include Record
      Record   Route:  10.0.4.10 192.168.1.2

UPDATE (24/02/13)
Note that there is a way on IOS to get the tunnel up without running TE on your IGP. You need to specify the verbatim keyword on the path option. This only works with an explicit path (though it could be strict or loose) and is only supported on certain versions of IOS. More info here: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsvbmlsp.html


© 2009-2013 Darren O'Connor All Rights Reserved