Connecting IOS-XRv to dynamips through vmware

On February 14, 2014, in CCIE, by Darren

The title should in fact read: How to connect dynamips routers to IOS-XRv, or any other emulated network device, as well as to real switches connecting to more devices – but this title is far too long.

I did all of this on an older ESX 4.0 server. I’m pretty sure the steps would be almost identical if not identical on a newer version. Note that this blog shows how I set up and use it. You might tweak it to your own environment. What I do is host a linux VM running dynamips on my ESX server. I load up Firefly and IOS-XRv images as needed. I log into all these devices via telnet over an IPSec tunnel.

Installing

Head over to Cisco to download IOS-XRv
Importing the .ova file is a piece of cake. For now, ensure you have at least two E1000 NICs attached to the VM. The first one goes to the management port and the second to Gig0/0/0/0.

Create another VM and install your favourite version of *nix on it. Ensure the machine has at least two NICs. Install dynamips and dynagen. As I’m using Ubuntu server 12.04LTS I simply do it like so:

sudo apt-get install dynamips dynagen

Upload your IOS images as needed.

VM Networking

In IOS-XRv, the first NIC connects to the mgmt interface while the second connects to gi0/0/0/0. Add more NICs and you get gi0/0/0/1 and so on. For now we just need our single interface.

On the ESX host, create a new virtual switch. If you are going to connect your virtual devices to real switches and devices in the real world, you’ll need to bind a physical NIC to it. If not, you don’t need to.

vswitches in vmware drop tagged frames by default. You can add a VLAN to the vswitch, but that’s only a single VLAN and it only applies to traffic the vswitch sends out of the host on the physical NIC. You need to let vmware know that you intend to send tagged traffic from your VMs. To do this you set the VLAN ID to 4095. When you click OK, it will change that to ‘ALL’.
[Screenshot: vswitch VLAN ID setting]

Make sure the second interfaces on both your *nix and IOS-XRv VM are connected to this new vswitch:
[Screenshot: VM network adaptors]

At this point, you can tag your gi0/0/0/0 interface which will send tagged frames into the vswitch. We now need to ensure dynamips can accept those frames and get them to the right router.

I’ll load up a very small topology in dynamips like so:

autostart = False
[127.0.0.1:7200]
    workingdir = /home/darreno/dynamips/working/blog
[[7200]]
        image = /home/darreno/dynamips/ios/7200/c7200-advipservicesk9-mz.122-33.SRE7.bin
        ram = 512
        idlepc = 0x6278f1a4
        ghostios = True
        npe = npe-400
        midplane = vxr
        idlemax = 100
    [[ROUTER R1]]
        model = 7200
        console = 2001
        f1/0 = s1 1
    [[ROUTER R2]]
        model = 7200
        console = 2002
        f1/0 = s1 2
    [[ETHSW s1]]
        1 = dot1q 1 
        2 = dot1q 1
        100 = dot1q 1 nio_gen_eth:eth1

A port on each 7200 is connected to a dynamips dumb switch. The switch is configured to accept tagged frames, with the native vlan being 1. Port 100 on this switch is connected to eth1, the second nic on the system.

You can either use nio_linux_eth or nio_gen_eth. When using nio_linux_eth, it seems to send tagged frames, but not receive them. Stick with nio_gen_eth.

If you wanted to connect all of this to the outside world, you can create another port on the switch that is mapped to eth2. In vmware ensure that eth2 maps to a physical NIC. Turn on promiscuous mode in vmware as well:
[Screenshot: promiscuous mode setting]
That physical NIC can then go off to a switch which you can then connect anything you want to.

Verification

On both 7200s I have very simple configs:

interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0

On an IOS-XRv box:

interface GigabitEthernet0/0/0/0.10
 ipv4 address 10.10.10.4 255.255.255.0
 encapsulation dot1q 10
!
interface GigabitEthernet0/0/0/0.20
 ipv4 address 20.20.20.4 255.255.255.0
 encapsulation dot1q 20
!
router ospf 1
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0.10
   network point-to-point
  !
  interface GigabitEthernet0/0/0/0.20
   network point-to-point
  !
 !
!

Do they speak? IOS:

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:37    10.10.10.4      FastEthernet1/0.10

IOS-XR:

RP/0/0/CPU0:XR4#show ospf neighbor
Fri Feb 14 11:50:25.458 UTC

* Indicates MADJ interface

Neighbors for OSPF 1

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1         1     FULL/  -        00:00:32    10.10.10.1      GigabitEthernet0/0/0/0.10
    Neighbor is up for 00:01:28
2.2.2.2         1     FULL/  -        00:00:31    20.20.20.2      GigabitEthernet0/0/0/0.20
    Neighbor is up for 00:01:28

Total neighbor count: 2

RP/0/0/CPU0:XR4#ping 1.1.1.1
Fri Feb 14 11:57:07.951 UTC
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Caveats

  • You need to use subinterfaces. I use them extensively in real life, so it’s not a problem for me.
  • It’s possible to do it without subinterfaces, but you’ll need a vswitch per p2p link. There is a limit to how many vnics you can have on a VM, so it becomes unworkable quickly.
  • With the above, you would need to create a link for every p2p link and add NICs on the fly. By using tagged interfaces I can connect any device to another simply by matching vlan tags.
  • All devices can send to each other directly via untagged interfaces. This generally isn’t a problem, but it can make looking at CDP offer up some interesting results:
R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
XR4.CCIE         Fas 1/0           152            R       IOS XRv S Gig 0/0/0/0
R2               Fas 1/0           172            R       7206VXR   Fas 1/0
  • You can prevent the above happening by putting each dynamips port into its own native vlan.

At this point you can spin up any VM network device, like a Juniper FireFly, connect it to the same vswitch, and you’ll have full connectivity via tagged frames.


I’ve had a few questions on my post over here: how can we effectively connect a CSR to an existing dynamips topology, and how can we break it out to the real world? The initial goal is to create this topology:
[Diagram: CSR1000V, dynamips and external-world topology]

I don’t have an ESX v5 server to play around with, so I’ll be doing all of this under vmware fusion on my Macbook Pro. I’ll show you how to install the CSR first, then how to modify a dynamips .net file running on the same laptop to connect to the CSR, and finally how to break that out to a switch where I can connect all manner of real devices. The configuration of vmware player/fusion/workstation and ESX vsphere is going to be very similar.

Install the CSR1000v

You need to download the CSR from Cisco’s website. Go to Cisco – Support – Download – Routers – Cloud Routers – CSR1000V
This is a free download. You just need a Cisco account.
In ESX you can use Install – Install from OVF. With vmware fusion installed, all I need to do is double-click the download from Cisco. That will open up an import dialogue:
[Screenshot: import dialogue]
Let it import
The first time you run the VM, it’ll fully install. You don’t have to do anything except let it run through its install. Once it reboots your router will start up:
[Screenshot: router console after first boot]

Configure vmware player networking

I’ve installed Ubuntu server 64bit in the meantime and installed dynamips. What we want to do now is ensure certain virtual interfaces are connected to different virtual switches. Ubuntu and the CSR will consider these to be real interfaces.
The CSR comes with three interfaces by default. I’ve mapped two of these to separate internal switched networks.

NOTE: vmware player/esx/workstation makes this very easy. Vmware Fusion doesn’t give you the option to create multiple virtual networks. I’ll add a section at the end of this post to show how to do this.
For dynamips I’ve also got two interfaces. Each mapped to the same networks respectively as the CSR above.

Configure dynamips .net file

The goal now is to map interfaces. I want to map the two virtual interfaces (which linux considers real) to a virtual ethernet switch within dynamips. I’ll also connect R1 and R2 directly to each other in dynamips:

autostart = False
[127.0.0.1:7200]
    workingdir = /home/darreno/dynamips/working
[[7200]]
        image = /home/darreno/dynamips/ios/c7200-advipservicesk9-mz.122-33.SRE7.bin
        ram = 256
        idlepc = 0x6278f1a4
        ghostios = True
[[ROUTER R1]]
        model = 7200
        console = 2001
        f0/0 = s1 1
        f1/0 = R2 f1/0
[[ROUTER R2]]
        model = 7200
        console = 2002
        f0/0 = s1 2
[[ETHSW s1]]
        1 = access 2
        2 = access 3
        3 = access 2 NIO_linux_eth:eth1
        4 = access 3 NIO_linux_eth:eth2

There is a virtual switch internal to dynamips called ETHSW s1. I’ve mapped R1’s interface fa0/0 to port 1 of this switch. Switch port 1 is mapped to vlan 2 untagged. Port 3 of this dynamips switch is also in vlan 2 and connects to what linux considers eth0. eth0 is connected to vmnet2, which we created earlier; this is the virtual network within vmware. The same has been done for R2 and port 4, except that those are in vlan 3, connected to the vmnet3 network inside vmware. It’s a bit confusing at first as we are dealing with multiple levels of virtualisation here, but once you wrap your head around it, it’s not so difficult.
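To make the switch behaviour concrete, here is an added Python model (not code from either post) of how a dynamips ETHSW handles the dot1q trunk switch from the IOS-XRv post above and the access-port switch from this post. The SEPARATED_SWITCH variant is a constructed one implementing that earlier post’s last caveat (a native VLAN per router port), and the rule that an access port drops tagged frames is a modelling assumption.

```python
"""Model of dynamips ETHSW forwarding, driven by the two [[ETHSW s1]] sections
from the posts (constructed copies embedded below)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two switch definitions from the posts, pasted as constructed input strings.
TRUNK_SWITCH = """
[[ETHSW s1]]
        1 = dot1q 1
        2 = dot1q 1
        100 = dot1q 1 nio_gen_eth:eth1
"""
ACCESS_SWITCH = """
[[ETHSW s1]]
        1 = access 2
        2 = access 3
        3 = access 2 NIO_linux_eth:eth1
        4 = access 3 NIO_linux_eth:eth2
"""
# Hypothetical variant of TRUNK_SWITCH: each router port gets its own native VLAN.
SEPARATED_SWITCH = """
[[ETHSW s1]]
        1 = dot1q 2
        2 = dot1q 3
        100 = dot1q 1 nio_gen_eth:eth1
"""

PORT_RE = re.compile(r"^\s*(\d+)\s*=\s*(access|dot1q)\s+(\d+)(?:\s+(\S+))?\s*$", re.I)


@dataclass(frozen=True)
class Port:
    number: int
    mode: str            # "access" or "dot1q"
    vlan: int            # access VLAN, or native VLAN of a dot1q trunk
    nio: Optional[str]   # NIO binding such as nio_gen_eth:eth1; None for router-facing ports


def parse_ethsw(text: str) -> Dict[int, Port]:
    """Parse '<port> = <mode> <vlan> [nio]' lines; anything else is ignored."""
    ports: Dict[int, Port] = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            num, mode, vlan, nio = m.groups()
            ports[int(num)] = Port(int(num), mode.lower(), int(vlan), nio)
    return ports


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame is assigned on arrival; None means dropped. tag=None is an untagged frame."""
    if port.mode == "access":
        return port.vlan if tag is None else None   # assumption: access ports drop tagged frames
    return port.vlan if tag is None else tag        # trunk: untagged -> native VLAN, tagged keeps its VLAN


def flood(ports: Dict[int, Port], ingress: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
    """Where a frame entering `ingress` with 802.1Q `tag` is flooded, as {egress port: outgoing tag}.
    An outgoing tag of None means the frame leaves untagged."""
    vlan = ingress_vlan(ports[ingress], tag)
    out: Dict[int, Optional[int]] = {}
    if vlan is None:
        return out
    for num, p in ports.items():
        if num == ingress:
            continue
        if p.mode == "access":
            if p.vlan == vlan:
                out[num] = None            # access port strips the tag
        elif p.vlan == vlan:
            out[num] = None                # native VLAN leaves the trunk untagged
        else:
            out[num] = vlan                # every other VLAN leaves the trunk tagged
    return out


def untagged_neighbours(ports: Dict[int, Port], ingress: int) -> List[int]:
    """Ports that receive an untagged frame from `ingress` still untagged, i.e. the devices whose
    native-VLAN traffic (CDP, for instance) is visible from that port."""
    return sorted(num for num, t in flood(ports, ingress, None).items() if t is None)


if __name__ == "__main__":
    trunk = parse_ethsw(TRUNK_SWITCH)
    print("tagged VLAN 20 from R1:", flood(trunk, 1, 20))                      # {2: 20, 100: 20}
    print("untagged from R1 reaches:", untagged_neighbours(trunk, 1))          # [2, 100]: R2 and XR4 in CDP
    print("separate native VLANs:", untagged_neighbours(parse_ethsw(SEPARATED_SWITCH), 1))  # []
    access = parse_ethsw(ACCESS_SWITCH)
    print("R1 f0/0 untagged reaches:", untagged_neighbours(access, 1))        # [3]: eth1 / vmnet2 only
```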

Testing

I’ve configured the network as above. I’ve configured a loopback interface on all routers and they are all running OSPF. Let’s check CDP and OSPF:

IOS-XE#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Gig 2             121               R    7206VXR   Fas 0/0
R1               Gig 1             171               R    7206VXR   Fas 0/0

IOS-XE#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:39    10.1.1.50       GigabitEthernet2
1.1.1.1           1   FULL/DR         00:00:34    10.0.0.50       GigabitEthernet1
R1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 1/0           157            R       7206VXR   Fas 1/0
IOS-XE           Fas 0/0           136           R I      CSR1000V  Gig 1
R1#
R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:33    192.168.1.2     FastEthernet1/0
5.5.5.5           1   FULL/BDR        00:00:39    10.0.0.1        FastEthernet0/0
R2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R1               Fas 1/0           125            R       7206VXR   Fas 1/0
IOS-XE           Fas 0/0           178           R I      CSR1000V  Gig 2
R2#
R2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:00:32    192.168.1.1     FastEthernet1/0
5.5.5.5           1   FULL/BDR        00:00:34    10.1.1.1        FastEthernet0/0

Connect to the real world

I’m not going to show this as it’s very simple. It’s nearly identical to the config above. All you need to do is map a vmnet to a physical interface. You can also map a vmnet to a physical tagged interface. This means on a single physical interface you can have multiple vmnets mapped. From there you can connect it to a switch where you can use vlans to connect to other kit.

Footnote – Adding more vmnets in Vmware Fusion

I got these instructions from here: http://www.virtual-hike.com/how-to-create-additional-vmnets-in-vmware-fusion/

The following all needs to be done through the cli. I’m using Fusion 5, so you may need to adjust for different versions. You first need to install your VMs as above. Once that is done, open a terminal and navigate to /Library/Preferences/VMware Fusion:

Darrens-MacBook-Pro:/ darrenoconnor$ cd /Library/Preferences/VMware\ Fusion/

Copy the vmnet1 folder to vmnet2:

Darrens-MacBook-Pro:VMware Fusion darrenoconnor$ sudo cp -R vmnet1 vmnet2
Password:

Navigate to the new folder and edit dhcpd.conf:

Darrens-MacBook-Pro:VMware Fusion darrenoconnor$ cd vmnet2
Darrens-MacBook-Pro:vmnet3 darrenoconnor$ sudo vi dhcpd.conf

In that file you should adjust the subnet address, MAC address, and vmnet name. Save and exit.

Edit the network file:

Darrens-MacBook-Pro:vmnet3 darrenoconnor$ sudo vi ../networking

Add the following with the subnets you used above. We don’t actually need DHCP, so you can switch it off:

answer VNET_2_DHCP no
answer VNET_2_HOSTONLY_NETMASK 255.255.255.0
answer VNET_2_HOSTONLY_SUBNET x.x.x.x
answer VNET_2_VIRTUAL_ADAPTER yes

That’s the second vmnet now created. Now we need to modify our previous VMs to connect to that new vmnet. Once again this needs to be done via the command line.

Navigate to your VM:

Darrens-MacBook-Pro:vmnet3 darrenoconnor$ cd ~/Documents/Virtual\ Machines.localized/

Go into the folder for each of the VMs you want to add to the vmnet. Open the .vmx file and add it to the vmnet created earlier.

Go down to ethernet2 and change it like so:

ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "vmnet2"
ethernet2.virtualDev = "e1000"
ethernet2.wakeOnPcktRcv = "FALSE"
ethernet2.addressType = "generated"

Do that for all the needed VMs and away you go. You can add more vmnets as needed.


MHSRP & OSPF design

On September 25, 2010, in CCIE, by Darren

I’m going to start blogging about various design stuff that I do these days at work. Maybe you can get some ideas from these types of posts.

I’m going to run this simple topology:
[Diagram: MHSRP & OSPF topology]

The client has 2 networks at the first site – 192.168.1.0/24 and 10.10.10.0/24. These are both connected to R1 and R2 (via a switch not shown) – R1 and R2 are running MHSRP, with R1 being the master of 192.168.1.254 and R2 being the master of 10.10.10.254. Both routers are the backup of each other’s group.

I want the link from R1 to be used for 192.168.1.0 and I want the link from R2 to be used for 10.10.10.0. I also want return traffic to take the same path. i.e. if R3 needs to send traffic to 10.10.10.0 – it needs to prefer the direct path to R2.

Another constraint is that I need convergence to be fast, therefore I’m not going to run HSRP on the WAN side of R1 and R2 and have to wait for the IGP to re-converge.

The final constraint is that I don’t want to have to use route-maps on R3 itself. Let’s pretend there are going to be a lot more routers connected to OSPF area 0. I want to make it as simple as possible when newer routers come into the area. Therefore all this routing needs to be controlled by R1 and R2 themselves.

So far, pretty simple. So let’s get cracking!

Let’s do R1 first, this is the relevant config:

interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
standby version 2
standby 1 ip 192.168.1.254
standby 1 priority 110
standby 1 preempt
standby 1 track FastEthernet0/0 50
standby 2 ip 10.10.10.254
standby 2 preempt
standby 2 track FastEthernet0/0 50

And now R2:

interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
ip address 192.168.1.2 255.255.255.0 secondary
standby version 2
standby 1 ip 192.168.1.254
standby 1 preempt
standby 1 track FastEthernet0/0 50
standby 2 ip 10.10.10.254
standby 2 priority 110
standby 2 preempt
standby 2 track FastEthernet0/0 50

Now let’s set up OSPF. Remember that I want 192.168.1.0 traffic to go via R1 and 10.10.10.0 to go via R2. There are a number of ways of doing this.

First let’s try and set up regular OSPF with a metric:

router ospf 1
 R1(config-router)#network 10.10.10.0 0.0.0.255 area 0 ?
  <cr>
 R1(config-router)#network 10.10.10.0 0.0.0.255 area 0

OSPF will not allow you to specify a metric under the network command!

There is another way. Run 2 OSPF processes and redistribute with a higher metric.

router ospf 1
 redistribute ospf 2 metric 50 metric-type 1 subnets
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
router ospf 2
 network 10.10.10.0 0.0.0.255 area 0

Let’s check R3’s routing table:

R3#sh ip route
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.50.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
O E1    10.10.10.0 [110/51] via 1.1.1.1, 00:00:39, FastEthernet0/0
O    192.168.1.0/24 [110/2] via 1.1.1.1, 00:00:39, FastEthernet0/0

It works, but I think it’s messy. We could also use route-maps, which would give us much finer control over newer subnets that may be added (without having to run more OSPF processes).

Let’s remove that OSPF config from R1 and do the following:

router ospf 1
 redistribute connected metric-type 1 subnets route-map 10_HIGH
 network 1.1.1.0 0.0.0.255 area 0
!
ip prefix-list 10NET seq 5 permit 10.10.10.0/24
!
route-map 10_HIGH permit 10
 match ip address prefix-list 10NET
 set metric +100
!
route-map 10_HIGH permit 20

Now we do this on R2:

router ospf 1
 redistribute connected metric-type 1 subnets route-map 192_HIGH
 network 1.1.1.0 0.0.0.255 area 0
!
ip prefix-list 192NET seq 5 permit 192.168.1.0/24
!
route-map 192_HIGH permit 10
 match ip address prefix-list 192NET
 set metric +100
!
route-map 192_HIGH permit 20

This will ensure R1 redistributes the 10.10.10.0 network with a higher metric to R3, and vice versa for R2. R3 will have a possible route in its database, but won’t use it until the preferred link is down.
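To make that path selection explicit, here is an added Python model (not from the original post) of what R3 installs for each LAN under the link states the post tests. The seed metrics (20 for a plain redistributed connected route, 100 for the prefix the route-map hits with ‘set metric +100’) are read off the [110/21] and [110/101] costs shown below, not taken from vendor documentation, so treat them as an assumption of the model.

```python
"""Model of R3's OSPF path selection for the two customer LANs, with R1 and R2
redistributing them as E1 routes under the route-maps configured above."""
from typing import Dict, Tuple

FAST_ETHERNET_COST = 1       # OSPF cost of the R3 <-> R1/R2 segment (1.1.1.0/24)
DEFAULT_REDIST_METRIC = 20   # seed metric for a redistributed connected route
PENALTY_METRIC = 100         # what 'set metric +100' yields on a connected route; assumption
                             # derived from the [110/101] cost R3 shows

CUSTOMER_LANS = ("10.10.10.0/24", "192.168.1.0/24")

# Each ASBR and the LAN its route-map deprioritises (10_HIGH on R1, 192_HIGH on R2).
ROUTERS = {
    "R1": {"asbr": "1.1.1.1", "penalised": "10.10.10.0/24"},
    "R2": {"asbr": "1.1.1.2", "penalised": "192.168.1.0/24"},
}


def seed_metric(router: str, prefix: str) -> int:
    """Metric the ASBR stamps on `prefix` when redistributing it into OSPF."""
    return PENALTY_METRIC if ROUTERS[router]["penalised"] == prefix else DEFAULT_REDIST_METRIC


def e1_cost(router: str, prefix: str) -> int:
    """Type-1 external routes add the internal cost to the ASBR to the redistributed metric."""
    return seed_metric(router, prefix) + FAST_ETHERNET_COST


def r3_routes(lan_up: Dict[str, bool], wan_up: Dict[str, bool]) -> Dict[str, Tuple[int, str]]:
    """Best route per LAN as R3 installs it: {prefix: (cost, next hop)}.
    A router whose LAN (fa0/1, carrying both subnets) is down has no connected routes left to
    redistribute; one whose WAN is down is unreachable in SPF, so its external routes are not installed."""
    best: Dict[str, Tuple[int, str]] = {}
    for prefix in CUSTOMER_LANS:
        candidates = [(e1_cost(r, prefix), ROUTERS[r]["asbr"])
                      for r in ROUTERS if lan_up[r] and wan_up[r]]
        if candidates:
            best[prefix] = min(candidates)   # lowest E1 cost wins
    return best


def scenarios() -> Dict[str, Dict[str, Tuple[int, str]]]:
    """The three situations the post walks through, plus a constructed one with both WANs down."""
    up = {"R1": True, "R2": True}
    return {
        "all links up": r3_routes(up, up),
        "R1 LAN down": r3_routes({"R1": False, "R2": True}, up),
        "R2 WAN down": r3_routes(up, {"R1": True, "R2": False}),
        "both WANs down": r3_routes(up, {"R1": False, "R2": False}),
    }


if __name__ == "__main__":
    for name, routes in scenarios().items():
        print(name)
        for prefix, (cost, nh) in routes.items():
            print(f"  O E1 {prefix} [110/{cost}] via {nh}")
```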

Let’s have a look at R3’s routing table:

R3#sh ip route ospf
     10.0.0.0/24 is subnetted, 1 subnets
O E1    10.10.10.0 [110/21] via 1.1.1.2, 00:00:28, FastEthernet0/0
O E1 192.168.1.0/24 [110/21] via 1.1.1.1, 00:00:28, FastEthernet0/0

Excellent, just what we want. But do the backups work correctly? Let’s shut down R1’s interface to the customer LAN and see what happens:

R1(config)#int fa1/0
R1(config-if)#shut
R1(config-if)#
*Mar  1 00:34:20.711: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Active -> Init
*Mar  1 00:34:20.723: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 2 state Standby -> Init
*Mar  1 00:34:22.723: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Mar  1 00:34:23.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down

What does R3 see?

R3#sh ip route ospf
     10.0.0.0/24 is subnetted, 1 subnets
O E1    10.10.10.0 [110/21] via 1.1.1.2, 00:00:18, FastEthernet0/0
O E1 192.168.1.0/24 [110/101] via 1.1.1.2, 00:00:18, FastEthernet0/0

Both are now going via R2, which is exactly what we wanted. Let’s now reconnect R1 and disconnect R2’s WAN link:

R1(config-if)#int fa1/0
R1(config-if)#no shut
R1(config-if)#
*Mar  1 00:35:47.775: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Listen -> Active
*Mar  1 00:35:47.859: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar  1 00:35:48.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R2(config)#int fa0/0
R2(config-if)#shut
R2(config-if)#
*Mar  1 00:36:16.179: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Up->Down
*Mar  1 00:36:16.187: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.3 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:36:16.187: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:36:18.179: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 00:36:18.231: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 2 state Active -> Speak
*Mar  1 00:36:19.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

What does R3 see this time?

R3#sh ip route ospf
     10.0.0.0/24 is subnetted, 1 subnets
O E1    10.10.10.0 [110/101] via 1.1.1.1, 00:00:03, FastEthernet0/0
O E1 192.168.1.0/24 [110/21] via 1.1.1.1, 00:00:03, FastEthernet0/0

Great. Let’s just make sure it all works properly again if all links are up:

R2(config-if)#int fa0/0
R2(config-if)#no shut
R2(config-if)#
*Mar  1 00:37:53.291: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Down->Up
*Mar  1 00:37:54.235: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 2 state Standby -> Active
*Mar  1 00:37:55.287: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:37:56.287: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3#sh ip route ospf
     10.0.0.0/24 is subnetted, 1 subnets
O E1    10.10.10.0 [110/21] via 1.1.1.2, 00:00:06, FastEthernet0/0
O E1 192.168.1.0/24 [110/21] via 1.1.1.1, 00:00:06, FastEthernet0/0

Let’s see what happens when a client is pinging a network directly connected to R3 over the 192.168.1.0 network. I’ll be using a router as a client, so it’ll be a ping flood.

R4#ping 172.16.50.1 repeat 1000

I’ll quickly shut R1’s LAN interface. Wait a bit, and then no shut it. What happens to R4’s pings?

Sending 1000, 100-byte ICMP Echos to 172.16.50.1, timeout is 2 seconds:
!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (998/1000), round-trip min/avg/max = 1/44/160 ms

I lost only 2 pings! Once when I shut the interface, and the second when it came back up again. Pretty good!

It won’t be as fast if the WAN link goes down though. R2 will take over sending packets out, but return traffic will still go to R1. Why? Well, remember R3 still thinks R1 is there. Unless they were directly connected, or you wait for OSPF to realise the peer is down, it’ll continue to send traffic that way. You can speed this up by reducing your OSPF hello timers, though this needs to be balanced against how much OSPF traffic you want going across your WAN link.


Lab Solution – MPLS Lab #2

On September 9, 2010, in CCIE, by Darren

Sometimes it’s so hard to simply find the time to do what I promised. I hope this will spur some conversation. I still stress that you should always try to do the lab without my help first. This will ensure you learn how to do it properly. Also remember that there are always multiple ways to do certain labs, so don’t take my solution as gospel.

This solution is for the lab I posted here: http://mellowd.co.uk/ccie/?p=527

  • CPE1 and CPE5 belong to Customer1
  • CPE2 and CPE6 belong to Customer2
  • Both customers are running OSPF as their IGP
  • The loopbacks as shown in the topology must be advertised into OSPF. Customer1 should be able to ping all loopbacks in their networks and Customer2 should be able to ping everything in theirs.
  • Both customers are now running a project together, and need 2 of their offices connected. CPE1 from Customer1 should be able to communicate with CPE6 from Customer2 and vice-versa.
  • It’s essential that CPE2 and CPE5 are NOT able to get to all loopbacks. ONLY CPE1 and CPE6 should be able to communicate with each other. This new configuration should not break the previous VPNs in place.
  • Do this without using any ACLs, prefix-lists, route-maps or the like.

We start by doing a regular MPLS VPN config, the same as we did for the first MPLS VPN lab. All the MPLS-specific config is here:

CPE1

interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0

CPE2:

interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0

CPE5:

interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.3.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.3.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0

CPE6:

interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.4.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.4.0 0.0.0.255 area 0
 network 172.16.2.0 0.0.0.255 area 0

Now for the 2 AR Routers:

ip cef
ip vrf CUS1
 rd 400:1
 route-target export 400:1
 route-target import 400:1

ip vrf CUS2
 rd 400:2
 route-target export 400:2
 route-target import 400:2

interface FastEthernet0/0
 ip vrf forwarding CUS1
 ip address 10.1.1.2 255.255.255.0

interface FastEthernet2/0
 ip vrf forwarding CUS2
 ip address 10.1.2.2 255.255.255.0

router ospf 2 vrf CUS1
 redistribute bgp 400 metric 10 subnets
 network 10.1.1.0 0.0.0.255 area 0

router ospf 3 vrf CUS2
 redistribute bgp 400 metric 10 subnets
 network 10.1.2.0 0.0.0.255 area 0

router bgp 400
 bgp log-neighbor-changes
 neighbor 10.255.255.7 remote-as 400
 neighbor 10.255.255.7 update-source Loopback0

 address-family vpnv4
  neighbor 10.255.255.7 activate
  neighbor 10.255.255.7 send-community extended
 
 
 address-family ipv4 vrf CUS2
  redistribute ospf 3 vrf CUS2 metric 10
  no synchronization
 
 address-family ipv4 vrf CUS1
  redistribute ospf 2 vrf CUS1 metric 10
  no synchronization

A similar config is on AR3. (I’m not going to post it here, otherwise this post will just get too big.)

Let’s now concentrate on CPE1. The initial requirements were to allow CPE1 and CPE5 to speak to each other. Currently CPE1 has the following routing table:

CPE1#sh ip route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.3.0 [110/11] via 10.1.1.2, 00:01:20, FastEthernet0/0
C       10.1.1.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback0
     192.168.2.0/32 is subnetted, 1 subnets
O IA    192.168.2.1 [110/11] via 10.1.1.2, 00:01:20, FastEthernet0/0

Can CPE1 ping the loopback subnet on CPE5? It sure can!

CPE1#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/112/156 ms

Can CPE1 ping CPE6? No it can’t (as expected at this point).

CPE1#ping 172.16.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

We are now told that we need CPE1 and CPE6 to be able to speak to each other for a project. CPE2 and CPE5 need to be left out of this completely. We need to do this without using any ACLs or the like.

There is a simple way of doing this. It’s called an Extranet MPLS VPN. In the configuration above, each customer is given a route target. We can create a third route target and have both CPE1 and CPE6 join that third route target. We then simply don’t add CPE2 and CPE5 to that same route target.

Let’s add it on AR1 and AR3:

AR1(config)#ip vrf CUS1
AR1(config-vrf)#route-target both 400:100
AR3(config)#ip vrf CUS2
AR3(config-vrf)#route-target both 400:100
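Route-target import is essentially set intersection, which makes it easy to check a design before touching the PEs. The following Python is an added example (not the lab’s or the post’s own code) that models the four VRF instances on AR1 and AR3 with the RD/RT values above; the customer prefixes are constructed from the CPE configs, with loopbacks as the /32s OSPF advertises.

```python
"""Set-based model of BGP/MPLS VPN route-target import for the CUS1/CUS2 VRFs
on AR1 and AR3, before and after the 400:100 extranet route target is added."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass
class Vrf:
    pe: str
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    local_prefixes: List[str]   # routes learnt from the attached CPE over OSPF and redistributed into BGP


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: FrozenSet[str]         # route-target extended communities carried in the VPNv4 update


def vpnv4_table(vrfs: List[Vrf]) -> List[VpnRoute]:
    """Each PE advertises its VRF routes as RD:prefix, tagged with the VRF's export RTs."""
    return [VpnRoute(v.rd, p, frozenset(v.export_rt)) for v in vrfs for p in v.local_prefixes]


def import_into(vrf: Vrf, table: List[VpnRoute]) -> List[str]:
    """A VRF imports a VPNv4 route iff the route carries at least one RT the VRF imports."""
    remote = {r.prefix for r in table if r.rts & vrf.import_rt}
    return sorted(remote | set(vrf.local_prefixes))


def vrf_tables(vrfs: List[Vrf]) -> Dict[str, List[str]]:
    """Routing table of every VRF instance, keyed 'PE/VRF'."""
    table = vpnv4_table(vrfs)
    return {f"{v.pe}/{v.name}": import_into(v, table) for v in vrfs}


def lab_vrfs(extranet: bool) -> List[Vrf]:
    """The four VRF instances of the lab. extranet=True models 'route-target both 400:100'
    on AR1's CUS1 and AR3's CUS2, exactly as configured above."""
    cpe1 = ["10.1.1.0/24", "192.168.1.1/32"]   # constructed from the CPE configs
    cpe2 = ["10.1.2.0/24", "172.16.1.1/32"]
    cpe5 = ["10.1.3.0/24", "192.168.2.1/32"]
    cpe6 = ["10.1.4.0/24", "172.16.2.1/32"]
    extra = {"400:100"} if extranet else set()
    return [
        Vrf("AR1", "CUS1", "400:1", {"400:1"} | extra, {"400:1"} | extra, cpe1),
        Vrf("AR1", "CUS2", "400:2", {"400:2"}, {"400:2"}, cpe2),
        Vrf("AR3", "CUS1", "400:1", {"400:1"}, {"400:1"}, cpe5),
        Vrf("AR3", "CUS2", "400:2", {"400:2"} | extra, {"400:2"} | extra, cpe6),
    ]


def requirements_met(tables: Dict[str, List[str]]) -> Dict[str, bool]:
    """The lab's requirements, checked against each CPE's VRF table."""
    return {
        "CPE1 reaches CPE6": "172.16.2.1/32" in tables["AR1/CUS1"],
        "CPE6 reaches CPE1": "192.168.1.1/32" in tables["AR3/CUS2"],
        "CPE1 still reaches CPE5": "192.168.2.1/32" in tables["AR1/CUS1"],
        "CPE2 still reaches CPE6": "172.16.2.1/32" in tables["AR1/CUS2"],
        "CPE2 sees no Customer1 routes": not any(p.startswith("192.168.") for p in tables["AR1/CUS2"]),
        "CPE5 sees no Customer2 routes": not any(p.startswith("172.16.") for p in tables["AR3/CUS1"]),
        "CPE6 does not see CPE5": "192.168.2.1/32" not in tables["AR3/CUS2"],
        "CPE1 does not see CPE2": "172.16.1.1/32" not in tables["AR1/CUS1"],
    }


if __name__ == "__main__":
    for label, extranet in (("before", False), ("after", True)):
        tables = vrf_tables(lab_vrfs(extranet))
        print(f"--- {label} adding 400:100 ---")
        for key, prefixes in tables.items():
            print(f"{key}: {', '.join(prefixes)}")
        print({k: v for k, v in requirements_met(tables).items() if not v} or "all requirements met")
```

Note that CPE1 also learns 10.1.4.0/24, CPE6’s attachment subnet, because the whole VRF exports 400:100; that matches the O E2 route for 10.1.4.0 that appears in CPE1’s table below.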

If I now check the routing table on CPE1 I see the following:

CPE1#sh ip route

Gateway of last resort is not set

     172.16.0.0/32 is subnetted, 1 subnets
O E2    172.16.2.1 [110/10] via 10.1.1.2, 00:00:21, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O IA    10.1.3.0 [110/11] via 10.1.1.2, 00:08:41, FastEthernet0/0
C       10.1.1.0 is directly connected, FastEthernet0/0
O E2    10.1.4.0 [110/10] via 10.1.1.2, 00:00:21, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Loopback0
     192.168.2.0/32 is subnetted, 1 subnets
O IA    192.168.2.1 [110/11] via 10.1.1.2, 00:08:41, FastEthernet0/0

Can CPE1 now ping CPE6’s loopback subnet?

CPE1#ping 172.16.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/69/92 ms

It works :) – We now need to be sure that CPE2 and CPE5 still cannot see any of this.

CPE2#sh ip route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.1.0/24 is directly connected, Loopback0
O IA    172.16.2.1/32 [110/11] via 10.1.2.2, 22:04:42, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.2.0 is directly connected, FastEthernet0/0
O IA    10.1.4.0 [110/11] via 10.1.2.2, 22:05:56, FastEthernet0/0

As expected, it cannot ping anywhere in Customer1’s network:

CPE2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CPE2#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Job done. :D


Lab Solution – MPLS Lab #1

On July 7, 2010, in CCIE, by Darren

As promised, I’ll now start writing up solutions to my previously posted labs. I hope this will spur some conversation. I still stress that you should always try to do the lab without my help first. This will ensure you learn how to do it properly. Also remember that there are always multiple ways to do certain labs, so don’t take my solution as gospel.

I’ll be walking through my first MPLS lab which was originally posted over here: http://mellowd.co.uk/ccie/?p=518

  • Use RIP as the routing protocol on CPE devices
  • CPE1 and CPE5 belong to Company_A
  • CPE2 and CPE6 belong to Company_B
  • Each site has a /24 that is advertised via the loopback
  • CPE1 should be able to ping CPE5’s loopback and vice-versa
  • CPE2 should be able to ping CPE6’s loopback and vice-versa
  • Different companies should NOT be able to ping each other. They must stay completely separate
  • Now remove RIP and configure it so that both companies are using OSPF
  • Once complete, remove the OSPF config and use EIGRP

The first part is very easy. As far as the config on the CPE goes, it's standard. The CPE devices don't know, or care, that the ISP is running MPLS. As an example, I've posted the relevant config from CPE6:

interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.4.1 255.255.255.0
 duplex auto
 speed auto
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary

The actual core routers also have a very simple configuration. This has already been set up in my provided configuration files. All that's needed is an IGP running correctly, CEF enabled, and mpls ip enabled on every link that faces another MPLS router. As an example, I'll show a bit of the configuration on CR1:

ip cef
!
interface FastEthernet0/0
 ip address 10.0.0.5 255.255.255.252
 duplex auto
 speed auto
 mpls ip
!
interface Serial1/0
 ip address 10.3.0.1 255.255.255.252
 mpls ip
 serial restart-delay 0
!
router ospf 1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.0.4 0.0.0.3 area 0
 network 10.2.0.0 0.0.0.3 area 0
 network 10.3.0.0 0.0.0.3 area 0
 network 10.255.255.2 0.0.0.0 area 0

The real meat of the configuration comes in on the AR routers, i.e. the edge MPLS routers that the CPE devices connect to. These are the routers which need to hold the customer routing tables, as well as keep the customer networks separate from each other.

The first thing that needs to be done is to configure the VRFs on each AR router that connects to a CPE. I'll use the vrf name CUS1 for the first customer and CUS2 for the second. The route distinguisher keeps the two customers' prefixes unique inside BGP, and the route targets decide which VRF a route is imported into, so separation depends entirely on the two customers not sharing a route target.

For the first customer:

AR1(config)#ip vrf CUS1
AR1(config-vrf)#rd 400:1
AR1(config-vrf)#route-target both 400:1

And now the second:

AR1(config)#ip vrf CUS2
AR1(config-vrf)#rd 400:2
AR1(config-vrf)#route-target both 400:2

We now need to set up the interfaces that the CPE devices will connect to. Note the order: applying ip vrf forwarding removes any IP address already on the interface, so the address goes on afterwards:

AR1(config)#interface FastEthernet0/0
AR1(config-if)#ip vrf forwarding CUS1
AR1(config-if)#ip address 10.1.1.2 255.255.255.0

AR1(config)#interface FastEthernet2/0
AR1(config-if)#ip vrf forwarding CUS2
AR1(config-if)#ip address 10.1.2.2 255.255.255.0

Now it’s time to set up the routing protocol between the ISP vrf and the customer device. We are using RIP for this lab, so the configuration will be as follows for both customers:

AR1(config)#router rip
AR1(config-router)#version 2
AR1(config-router)#no auto-summary

AR1(config-router)#address-family ipv4 vrf CUS2
AR1(config-router-af)#redistribute bgp 400 metric 10
AR1(config-router-af)#network 10.0.0.0
AR1(config-router-af)#no auto-summary
AR1(config-router-af)#version 2

AR1(config-router)#address-family ipv4 vrf CUS1
AR1(config-router-af)#redistribute bgp 400 metric 10
AR1(config-router-af)#network 10.0.0.0
AR1(config-router-af)#no auto-summary
AR1(config-router-af)#version 2

You can see in the above commands that we are redistributing BGP even though we haven’t configured BGP yet. Don’t worry, that step is next.

MPLS VPN uses MP-BGP. The VPNv4 address family carries each customer's VRF routes, tagged with their route distinguisher and route-target extended communities, through the core to the AR router on the other side, which imports them into the matching VRF.

The first part of the MP-BGP configuration is a simple iBGP config. AR1's configuration is below:

AR1(config)#router bgp 400
AR1(config-router)#neighbor 10.255.255.7 remote-as 400
AR1(config-router)#neighbor 10.255.255.7 update-source Loopback0
AR1(config-router)#no auto-summary

The second part of the MP-BGP configuration is to enable the vpnv4 part of BGP. The send-community extended line matters: route targets travel as extended communities, and without them the remote AR router has no way of knowing which VRF a route belongs in:

AR1(config-router)#address-family vpnv4
AR1(config-router-af)#neighbor 10.255.255.7 activate
AR1(config-router-af)#neighbor 10.255.255.7 send-community extended

The final part is to set up the actual VRF part for each customer, and enable redistribution of RIP routes learned earlier:

AR1(config-router)#address-family ipv4 vrf CUS2
AR1(config-router-af)#redistribute rip metric 10
!
AR1(config-router)#address-family ipv4 vrf CUS1
AR1(config-router-af)#redistribute rip metric 10

As a quick recap, this is the MPLS-specific configuration now on AR1:

ip cef
!
ip vrf CUS1
 rd 400:1
 route-target export 400:1
 route-target import 400:1
!
ip vrf CUS2
 rd 400:2
 route-target export 400:2
 route-target import 400:2
!
!
interface FastEthernet0/0
 ip vrf forwarding CUS1
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip vrf forwarding CUS2
 ip address 10.1.2.2 255.255.255.0
 duplex auto
 speed auto
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf CUS2
  redistribute bgp 400 metric 10
  network 10.0.0.0
  no auto-summary
  version 2
 exit-address-family
 !
 address-family ipv4 vrf CUS1
  redistribute bgp 400 metric 10
  network 10.0.0.0
  no auto-summary
  version 2
 exit-address-family
!
router bgp 400
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.255.255.7 remote-as 400
 neighbor 10.255.255.7 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.255.255.7 activate
  neighbor 10.255.255.7 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUS2
  redistribute rip metric 10
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CUS1
  redistribute rip metric 10
  no synchronization
 exit-address-family

A similar configuration will of course need to be done on AR3.

Once done, we should be able to log onto CPE6 and confirm that it has CPE2's networks. We should also see that it has NO access to CPE1 and CPE5's networks. The routing table is the stronger of the two checks: a ping only proves the destinations you tried, whereas the table shows every prefix the AR router has handed this customer. This is exactly what we see:

CPE6#sh ip route
Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.1.0 [120/10] via 10.1.4.2, 00:00:19, FastEthernet0/0
C       172.16.2.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.1.2.0 [120/10] via 10.1.4.2, 00:00:19, FastEthernet0/0
C       10.1.4.0 is directly connected, FastEthernet0/0

Can we ping CPE2's loopback? We sure can:

CPE6#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/60/92 ms

Can we ping CPE1's loopback? No we cannot!

CPE6#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

If we run a traceroute to CPE2's loopback, we can see it going through the MPLS core:

CPE6#trace 172.16.1.1

Type escape sequence to abort.
Tracing the route to 172.16.1.1

  1 10.1.4.2 8 msec 0 msec 20 msec
  2 10.8.0.1 [MPLS: Labels 28/38 Exp 0] 44 msec 68 msec 84 msec
  3 10.1.2.2 [MPLS: Label 38 Exp 0] 60 msec 48 msec 28 msec
  4 10.1.2.1 112 msec *  44 msec
CPE6#

Lab done. If there are any questions, please let me know! :)


© 2009-2014 Darren O'Connor All Rights Reserved