Reload in X? Why not just revert the config instead of reloading the router?

If you’re configuring an IOS router remotely and there is a chance of locking yourself out, the usual trick is to issue a reload in 5 before you start. If you lose your connection to the box after a change, the router reloads in five minutes and comes back with the saved startup-config, erasing any unsaved changes. This works, but it is far from ideal: a reload takes several minutes, and if that box is carrying traffic for multiple customers they all go down with it.

There is a better way: just revert the config. Using it is trivial, but you need to turn on the archive feature first. If you try without it you get an error:

C1921#conf t revert timer 1
%Turn config archive on before using Rollback Confirmed Change

So let’s configure the archive command:

C1921#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C1921(config)#archive
C1921(config-archive)#path usbflash0:backup-config
C1921(config-archive)#end
C1921#wr me
Building configuration...

Now let’s give it a try. I’ll create a loopback interface and deliberately not confirm the change, which will cause the router to roll back the change after a minute:

C1921#conf t revert time 1
Rollback Confirmed Change: Backing up current running config to 
usbflash0:backup-config-Apr-23-2013-10-57-27.899-BST-0

Enter configuration commands, one per line.  End with CNTL/Z.
C1921(config)#Rollback Confirmed Change: Rollback will begin in one minute.
Enter "configure confirm" if you wish to keep what you've configured

*Apr 23 2013 10:57:29.703 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_BACKUP: 
Backing up current running config to usbflash0:backup-config-Apr-23-2013-10-57-27.899-BST-0
*Apr 23 2013 10:57:29.703 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_START_ABSTIMER: 
User: hsoadmin: Scheduled to rollback to config usbflash0:backup-config-Apr-23-2013-10-57-27.899-BST-0 
in 1 minutes
*Apr 23 2013 10:57:29.707 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_WARNING_ABSTIMER: 
System will rollback to config usbflash0:backup-config-Apr-23-201
C1921(config)#3-10-57-27.899-BST-0 in one minute. Enter "configure confirm" 
if you wish to keep what you've configured
C1921(config)#int lo50
*Apr 23 2013 10:57:41.523 BST: %LINK-3-UPDOWN: Interface Loopback50, changed state to up
*Apr 23 2013 10:57:42.523 BST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback50, changed state to up
C1921(config-if)#ip address 50.50.50.50 255.255.255.255

After one minute:

C1921(config-if)#Rollback Confirmed Change: 
rolling to:usbflash0:backup-config-Apr-23-2013-10-57-27.899-BST-0

*Apr 23 2013 10:58:29.703 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_ROLLBACK_START: 
Start rolling to: usbflash0:backup-config-Apr-23-2013-10-57-27.899-BST-0
C1921(config-if)#
*Apr 23 2013 10:58:29.711 BST: Rollback:Acquired Configuration lock.
C1921(config-if)#
!Pass 1
!List of Rollback Commands:
interface Loopback50
 no ip address 50.50.50.50 255.255.255.255
no interface Loopback50
end


Total number of passes: 1
Rollback Done

C1921(config-if)#command:exit
*Apr 23 2013 10:58:33.139 BST: %LINK-5-CHANGED: Interface Loopback50, changed state to administratively down
*Apr 23 2013 10:58:34.139 BST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback50, changed state to down

If you want to keep the change, you need to get back to the exec prompt and confirm it before the timer expires:

C1921#conf t revert time 1
Rollback Confirmed Change: Backing up current running config to 
usbflash0:backup-config-Apr-23-2013-11-00-09.903-BST-1

Enter configuration commands, one per line.  End with CNTL/Z.
C1921(config)#Rollback Confirmed Change: Rollback will begin in one minute.
Enter "configure confirm" if you wish to keep what you've configured

*Apr 23 2013 11:00:11.015 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_BACKUP: Backing up current running 
config to usbflash0:backup-config-Apr-23-2013-11-00-09.903-BST-1
*Apr 23 2013 11:00:11.015 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_START_ABSTIMER: 
User: hsoadmin: Scheduled to 
rollback to config usbflash0:backup-config-Apr-23-2013-11-00-09.903-BST-1 in 1 minutes
*Apr 23 2013 11:00:11.019 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_WARNING_ABSTIMER: System will 
rollback to config usbflash0:backup-config-Apr-23-201
C1921(config)#3-11-00-09.903-BST-1 in one minute. Enter "configure confirm" 
if you wish to keep what you've configured
C1921(config)#int lo50
C1921(config-if)#ip address 50.50.50.50 255.255.255.255
*Apr 23 2013 11:00:21.239 BST: %LINK-3-UPDOWN: Interface Loopback50, changed state to up
*Apr 23 2013 11:00:22.239 BST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback50, changed state to up
C1921(config-if)#exit
C1921(config)#
*Apr 23 2013 11:00:31.375 BST: %PARSER-5-CFGLOG_LOGGEDCMD: User:hsoadmin  logged command:exit
C1921(config)#exit

C1921#configure confirm
C1921#
*Apr 23 2013 11:00:39.603 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_CONFIRM: 
User: hsoadmin: Confirm the configuration change

Once confirmed, the pending rollback is cancelled and your config stays that way. Two caveats worth knowing: configure confirm only cancels the timer, it does not write the running-config to startup-config, so finish with a wr me or the change is gone at the next reload anyway; and the rollback can only happen if the archived file is readable when the timer fires, so the archive path needs to be on storage that will still be there (pull the USB stick and there is nothing to roll back to). If you spot a mistake straight away you don’t have to wait for the timer, configure revert now rolls back immediately.
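As an added example (not part of the original post), here is a small Python script that correlates the %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_* syslog messages the router emits above, so a log server can tell you which revert timers were confirmed, which expired and rolled back (a lost session, or someone who forgot), and whether the confirming user was the one who scheduled the change. The sample log is constructed from the two sessions shown above, and the script assumes syslog delivers each message on a single line.

```python
"""Correlate IOS 'Rollback Confirmed Change' syslog messages.

Added example, not part of the original post. The mnemonics and message
formats are the %ARCHIVE_DIFF-5-* lines from the console output above; the
sample log is constructed from them so the script runs offline.
"""
import re
from datetime import datetime

# "*Apr 23 2013 10:57:29.703 BST: %ARCHIVE_DIFF-5-<MNEMONIC>: <message>"
LOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \w+: "
    r"%ARCHIVE_DIFF-5-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
USER_RE = re.compile(r"User: (?P<user>\S+): ")
FILE_RE = re.compile(r"(?P<file>\S+:backup-config-\S+)")
MINUTES_RE = re.compile(r" in (?P<min>\d+) minutes")


def parse_line(line):
    """Return (timestamp, mnemonic, message) or None for non-archive lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S.%f")
    return ts, m.group("mnemonic"), m.group("msg")


def correlate(lines):
    """One dict per revert timer: who started it, which archive file it would
    restore, and whether it ended 'confirmed', 'rolled_back' or is still 'open'."""
    sessions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mnemonic, msg = parsed
        if mnemonic == "ROLLBK_CNFMD_CHG_START_ABSTIMER":
            user, f, mins = USER_RE.search(msg), FILE_RE.search(msg), MINUTES_RE.search(msg)
            sessions.append({
                "user": user.group("user") if user else None,
                "backup": f.group("file") if f else None,
                "started": ts,
                "minutes": int(mins.group("min")) if mins else None,
                "outcome": "open",
                "ended": None,
                "confirmed_by": None,
            })
        elif mnemonic == "ROLLBK_CNFMD_CHG_ROLLBACK_START":
            f = FILE_RE.search(msg)
            for s in sessions:
                if s["outcome"] == "open" and f and s["backup"] == f.group("file"):
                    s["outcome"], s["ended"] = "rolled_back", ts
                    break
        elif mnemonic == "ROLLBK_CNFMD_CHG_CONFIRM":
            # The confirm message names no file, so it closes the newest open timer.
            user = USER_RE.search(msg)
            for s in reversed(sessions):
                if s["outcome"] == "open":
                    s["outcome"], s["ended"] = "confirmed", ts
                    s["confirmed_by"] = user.group("user") if user else None
                    break
    return sessions


def findings(sessions):
    """What an operator or SOC wants flagged: a timer that expired (the change
    was lost, possibly together with the session), a confirm by a different
    user than the one who scheduled it, and a timer still running at end of log."""
    out = []
    for s in sessions:
        if s["outcome"] == "rolled_back":
            out.append(f"{s['user']}: change rolled back to {s['backup']} at {s['ended']:%H:%M:%S}")
        elif s["outcome"] == "confirmed" and s["confirmed_by"] != s["user"]:
            out.append(f"{s['backup']}: scheduled by {s['user']}, confirmed by {s['confirmed_by']}")
        elif s["outcome"] == "open":
            out.append(f"{s['backup']}: timer still running at end of log")
    return out


# Constructed sample: the two sessions from the post, joined into one log.
SAMPLE_LOG = """\
*Apr 23 2013 10:57:29.703 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_BACKUP: Backing up current running config to usbflash0:backup-config-Apr-23-2013-10-57-27.899-BST-0
*Apr 23 2013 10:57:29.703 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_START_ABSTIMER: User: hsoadmin: Scheduled to rollback to config usbflash0:backup-config-Apr-23-2013-10-57-27.899-BST-0 in 1 minutes
*Apr 23 2013 10:58:29.703 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_ROLLBACK_START: Start rolling to: usbflash0:backup-config-Apr-23-2013-10-57-27.899-BST-0
*Apr 23 2013 11:00:11.015 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_START_ABSTIMER: User: hsoadmin: Scheduled to rollback to config usbflash0:backup-config-Apr-23-2013-11-00-09.903-BST-1 in 1 minutes
*Apr 23 2013 11:00:39.603 BST: %ARCHIVE_DIFF-5-ROLLBK_CNFMD_CHG_CONFIRM: User: hsoadmin: Confirm the configuration change
"""

if __name__ == "__main__":
    for finding in findings(correlate(SAMPLE_LOG.splitlines())):
        print(finding)
```

The ROLLBK_CNFMD_CHG_CONFIRM message does not name the archive file, so the script closes the most recently opened timer; if several people run revert timers on one box at the same time, match on the user field as well.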

Connecting the CSR1000V to dynamips and to the external world

I’ve had a few questions on my post over here: how do you connect a CSR to an existing dynamips topology, and how do you break it out to the real world? The initial goal is to create this topology:

I don’t have an ESX v5 server to play around with, so I’ll be doing all of this under VMware Fusion on my MacBook Pro. I’ll show you how to install the CSR first, then how to modify a dynamips .net file running on the same laptop to connect to the CSR, and finally how to break that out to a switch where I can connect all manner of real devices. The configuration of VMware Player/Fusion/Workstation and ESX vSphere will be very similar.

Install the CSR1000v

You need to download the CSR from Cisco’s website. Go to Cisco – Support – Download – Routers – Cloud Routers – CSR1000V.
This is a free download; you just need a Cisco account.
In ESX you can install from OVF. With VMware Fusion installed, all I need to do is double-click the download from Cisco. That will open up an import dialogue:

Let it import


The first time you run the VM, it’ll fully install. You don’t have to do anything except let it run through its install. Once it reboots your router will start up:

Configure vmware player networking

I’ve installed Ubuntu Server 64-bit in the meantime and installed dynamips on it. What we want to do now is ensure certain virtual interfaces are connected to different virtual switches. Ubuntu and the CSR will both consider these to be real interfaces.
The CSR comes with three interfaces by default. I’ve mapped two of these to separate internal switched networks.

NOTE: VMware Player, ESX and Workstation make this very easy. VMware Fusion doesn’t give you the option to create multiple virtual networks through its GUI, so I’ll add a section at the end of this post showing how to do it.
For dynamips I’ve also got two interfaces, each mapped to the same networks respectively as the CSR above.

Configure dynamips .net file

The goal now is to map interfaces. I want to map the two virtual interfaces (which Linux considers real) to a virtual Ethernet switch within dynamips. I’ll also connect R1 and R2 directly to each other in dynamips:

autostart = False
[127.0.0.1:7200]
    workingdir = /home/darreno/dynamips/working
[[7200]]
        image = /home/darreno/dynamips/ios/c7200-advipservicesk9-mz.122-33.SRE7.bin
        ram = 256
        idlepc = 0x6278f1a4
        ghostios = True
[[ROUTER R1]]
        model = 7200
        console = 2001
        f0/0 = s1 1
        f1/0 = R2 f1/0
[[ROUTER R2]]
        model = 7200
        console = 2002
        f0/0 = s1 2
[[ETHSW s1]]
        1 = access 2
        2 = access 3
        3 = access 2 NIO_linux_eth:eth1
        4 = access 3 NIO_linux_eth:eth2

There is a virtual switch internal to dynamips called ETHSW s1. I’ve mapped R1’s fa0/0 to port 1 of this switch, and port 1 is untagged in VLAN 2. Port 3 of the dynamips switch is also in VLAN 2, and it is bound (NIO_linux_eth) to what Linux considers eth1; eth1 in turn sits on vmnet2, the virtual network inside VMware that we created earlier. The same has been done for R2 and port 4, except those are in VLAN 3 and eth2 is on vmnet3. It’s a bit confusing at first as we are dealing with multiple levels of virtualisation here, but once you wrap your head around it it’s not so difficult.
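As an added example that is not part of the original post, the following Python script parses a dynamips .net file like the one above, groups the ETHSW ports by VLAN and reports which host NIC each router interface reaches. It then flags the mistakes that are easy to make at this point: a VLAN with a router but no NIO, a NIO with no router, and two NIOs in one VLAN, which would bridge two vmnets (and whatever is behind them) through the emulated switch. The sample topology is the one above; the second variant, with port 4 moved into VLAN 2, is constructed to show the bridging check.

```python
"""Sanity checks for a dynamips .net topology.

Added example, not from the original post. Parses the [[ROUTER]] and [[ETHSW]]
sections, groups switch ports by VLAN and reports which host NIC
(NIO_linux_eth) each router interface can reach. SAMPLE_NET is the file from
the post; BAD_NET is a constructed variant used to show the bridging check.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\s*\[\[(?P<kind>ROUTER|ETHSW)\s+(?P<name>\S+)\]\]\s*$")
ANY_SECTION_RE = re.compile(r"^\s*\[")           # [host:port] or [[7200]] defaults
KV_RE = re.compile(r"^\s*(?P<key>[^=\s]+)\s*=\s*(?P<val>.+?)\s*$")
IFACE_RE = re.compile(r"^[a-z]+\d+/\d+$")        # f0/0, g1/0, ...


def parse_net(text):
    """Return (routers, switches): routers map name -> {key: value}; switches
    map name -> {port: (mode, vlan, nio_or_None)}."""
    routers, switches = {}, {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = (m.group("kind"), m.group("name"))
            (routers if current[0] == "ROUTER" else switches)[current[1]] = {}
            continue
        if ANY_SECTION_RE.match(line):
            current = None                       # defaults section, not a device
            continue
        kv = KV_RE.match(line)
        if kv is None or current is None:
            continue
        key, val = kv.group("key"), kv.group("val")
        if current[0] == "ROUTER":
            routers[current[1]][key] = val
        else:
            parts = val.split()                  # "access VLAN [NIO]" / "dot1q VLAN [NIO]"
            nio = parts[2] if len(parts) > 2 else None
            switches[current[1]][int(key)] = (parts[0], int(parts[1]), nio)
    return routers, switches


def vlan_members(routers, switches):
    """Map (switch, vlan) -> {'routers': [...], 'host_nics': [...]} for access
    ports; dot1q trunk ports are ignored here."""
    members = defaultdict(lambda: {"routers": [], "host_nics": []})
    for sw, ports in switches.items():
        for mode, vlan, nio in ports.values():
            if mode == "access" and nio:
                members[(sw, vlan)]["host_nics"].append(nio.split(":", 1)[1])
    for rtr, cfg in routers.items():
        for key, val in cfg.items():
            parts = val.split()
            if (not IFACE_RE.match(key) or len(parts) != 2
                    or parts[0] not in switches or not parts[1].isdigit()):
                continue                         # router-to-router link, or not an interface
            mode, vlan, _ = switches[parts[0]][int(parts[1])]
            if mode == "access":
                members[(parts[0], vlan)]["routers"].append(f"{rtr} {key}")
    return dict(members)


def problems(members):
    """The checks to run before booting the lab."""
    out = []
    for (sw, vlan), m in sorted(members.items()):
        if m["routers"] and not m["host_nics"]:
            out.append(f"{sw} vlan {vlan}: {', '.join(m['routers'])} reaches no host NIC")
        if m["host_nics"] and not m["routers"]:
            out.append(f"{sw} vlan {vlan}: {', '.join(m['host_nics'])} has no router behind it")
        if len(m["host_nics"]) > 1:
            # Two NIOs in one VLAN bridge two host networks through dynamips.
            out.append(f"{sw} vlan {vlan}: bridges host NICs {', '.join(m['host_nics'])}")
    return out


SAMPLE_NET = """\
autostart = False
[127.0.0.1:7200]
    workingdir = /home/darreno/dynamips/working
[[7200]]
        image = /home/darreno/dynamips/ios/c7200-advipservicesk9-mz.122-33.SRE7.bin
        ram = 256
        idlepc = 0x6278f1a4
        ghostios = True
[[ROUTER R1]]
        model = 7200
        console = 2001
        f0/0 = s1 1
        f1/0 = R2 f1/0
[[ROUTER R2]]
        model = 7200
        console = 2002
        f0/0 = s1 2
[[ETHSW s1]]
        1 = access 2
        2 = access 3
        3 = access 2 NIO_linux_eth:eth1
        4 = access 3 NIO_linux_eth:eth2
"""
# Constructed mistake: eth2 put in VLAN 2 as well, bridging vmnet2 and vmnet3.
BAD_NET = SAMPLE_NET.replace("4 = access 3 NIO_linux_eth:eth2", "4 = access 2 NIO_linux_eth:eth2")

if __name__ == "__main__":
    for text in (SAMPLE_NET, BAD_NET):
        members = vlan_members(*parse_net(text))
        print(members)
        print(problems(members) or "no problems")
```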

Testing

I’ve configured the network as above. I’ve configured a loopback interface on all routers and they are all running OSPF. Let’s check CDP and OSPF:

IOS-XE#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Gig 2             121               R    7206VXR   Fas 0/0
R1               Gig 1             171               R    7206VXR   Fas 0/0

IOS-XE#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:39    10.1.1.50       GigabitEthernet2
1.1.1.1           1   FULL/DR         00:00:34    10.0.0.50       GigabitEthernet1
R1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 1/0           157            R       7206VXR   Fas 1/0
IOS-XE           Fas 0/0           136           R I      CSR1000V  Gig 1
R1#
R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/BDR        00:00:33    192.168.1.2     FastEthernet1/0
5.5.5.5           1   FULL/BDR        00:00:39    10.0.0.1        FastEthernet0/0
R2#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R1               Fas 1/0           125            R       7206VXR   Fas 1/0
IOS-XE           Fas 0/0           178           R I      CSR1000V  Gig 2
R2#
R2#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:00:32    192.168.1.1     FastEthernet1/0
5.5.5.5           1   FULL/BDR        00:00:34    10.1.1.1        FastEthernet0/0

Connect to the real world

I’m not going to show this as it’s very simple and nearly identical to the config above. All you need to do is map a vmnet to a physical interface. You can also map a vmnet to a physical tagged (802.1Q) interface, which means a single physical interface can carry multiple vmnets. From there you connect it to a switch where you can use VLANs to connect to other kit.

Footnote – Adding more vmnets in Vmware Fusion

I got these instructions from here: http://www.virtual-hike.com/how-to-create-additional-vmnets-in-vmware-fusion/

The following all needs to be done through the CLI. I’m using Fusion 5 so you may need to adjust for different versions. First install your VMs as above. Once that is done, open a terminal and navigate to /Library/Preferences/VMware Fusion:

Darrens-MacBook-Pro:/ darrenoconnor$ cd /Library/Preferences/VMware\ Fusion/

Copy the vmnet1 folder to vmnet2:

Darrens-MacBook-Pro:VMware Fusion darrenoconnor$ sudo cp -R vmnet1 vmnet2
Password:

Navigate to the new folder and edit dhcpd.conf:

Darrens-MacBook-Pro:VMware Fusion darrenoconnor$ cd vmnet2
Darrens-MacBook-Pro:vmnet3 darrenoconnor$ sudo vi dhcpd.conf

In that file, adjust the subnet address, MAC address, and vmnet name. Save and exit.

Edit the network file:

Darrens-MacBook-Pro:vmnet3 darrenoconnor$ sudo vi ../networking

Add the following, with the subnet you used above. We don’t actually need DHCP so you can switch it off:

answer VNET_2_DHCP no
answer VNET_2_HOSTONLY_NETMASK 255.255.255.0
answer VNET_2_HOSTONLY_SUBNET x.x.x.x
answer VNET_2_VIRTUAL_ADAPTER yes

That’s the second vmnet created. Now we need to modify our existing VMs to connect to that new vmnet. Once again this needs to be done via the command line.

Navigate to your VM:

Darrens-MacBook-Pro:vmnet3 darrenoconnor$ cd ~/Documents/Virtual\ Machines.localized/

Go into the folder for each VM you want to add to the vmnet, open the .vmx file and point the adapter at the vmnet added earlier.

Go down to ethernet2 and change it like so:

ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "vmnet2"
ethernet2.virtualDev = "e1000"
ethernet2.wakeOnPcktRcv = "FALSE"
ethernet2.addressType = "generated"

Do that for all the needed VMs and away you go. You can add more vmnets as needed.

Road to CCIE

I initially started writing this post on the 27th of Jan, soon after passing the lab. For some reason I never published. This simply sat in my drafts. Well here it is now. Almost four months later and more learned, this is my CCIE story from beginning to end.

The beginning

I started this blog on the 12th of October 2009. At the time I was a fresh CCNP going towards my CCIP and then eventually my CCIE. 17th May 2010 I had my CCIP in the bag.

I then decided to do a bit of Junos study. We had Juniper M routers in our network and I wanted to learn how to use them better. September 20th 2010 I had completed my JNCIA-EX.

Once that was completed work got very busy. I was involved in a number of new network designs which I was really enjoying. I was also doing a LOT of Junos work.

350-001

January 15th 2011. Finally get the blueprint together and see what exactly I’m up against. The blueprint is huge. I know some things about various techs, but a lot of the stuff is new to me. Also start getting my physical switches together. CCIE Written is booked for March 21st 2011 and I pass. I have my lab ticket!

Home lab complete

April 22nd, 2011. My home lab is complete. I can now begin my lab studies in earnest.

This is where I go through INE’s vol 2 labs. I learn how to only ever use the DocCD when I need to find information. No more Google. I read a LOT. Loads and loads of 700+ page tomes of information. If I get stuck, I check the DocCD. If I can’t find it there I look through my books. I learn a TON during this period. This time is also very difficult. I have a full time job. I have a wife. I have a ton of things to do and I’m studying every single day after work, as well as weekends.

New position at work

October 11th 2011. I am promoted to Network Architect at work. While this is great for my experience and career, it leaves even less time for studying! The show must go on however!

First Lab Booked

November 12th 2011. I have now booked the lab for 27th April 2012. The daily labbing ritual continues.

First lab failed

I passed the TS section, failed the configuration section. I’ll spare you the sorry details and point you to my first lab experience post over here: http://mellowd.co.uk/ccie/?p=2261

What next?

I was very very upset about failing. It really hurt bad. I decided to take my mind off Cisco for about a month and then reschedule for about 3-4 months down the line. However I then ran into a VISA problem and was essentially forced to stay within the UK borders for at least six months.

So what could I do? Six months is a fairly long time. I didn’t want to just learn Cisco IOS for that entire time with no hope of doing my lab exam, so I went off and did some Brocade and Juniper stuff. Managed to get my BCSPNE and JNCIP-SP as well as a few lesser certs in that time. I learnt a lot on both platforms which I believe was good for me in the long run.

During this time I was pretty much concentrating on various technologies, especially cross-platform. A lot of service provider centric stuff as well like RSVP-TE etc. While I was looking at Cisco stuff again, I wasn’t focusing that much time on it as I had before.

Second Lab Booked

Around August of 2012 I decided I may as well pre-book my lab for Feb/March of 2013. I knew I should’ve received my passport back by that time so I was confident I would not have a problem. I went through the booking process and found that between the dates of 21-25 January 2013, there was going to be a mobile lab in London! Excellent! I immediately booked the 25th of Jan and requested that week off from work. Being able to take the lab exam down the road? Sign me up please!

Pretty much no-one knew. About three people in total knew I booked this second lab. I did not want the expectant pressure from everyone this second time around. I wanted to take it easy.

My labbing schedule suddenly gets fuller than it’s ever been. I’m labbing every single day again. I’m even going into the office every Sunday and labbing for 8-10 hours. Our 24 hour NOC see me at my desk every Sunday, but don’t exactly know what’s up ;)

Passport arrives back anyway

A couple of days before Christmas my passport arrives back with my new VISA. Oh well, lab is still booked for London!

Cisco London Scope Out

I check the address well in advance and have a look at where the lab will be. It’s actually around the corner from where I work. Same station I used to get to work (Liverpool Street Station) – Right outside. I check through the window and see that Cisco is located on the 7th floor. Check the address in my email again. Same place. I know I have the right place. I know how long it’ll take me to get here on lab day.

One week before

I’ve taken the week off. I’m not really going to study, but wanted to go deep into a couple of things I was not 100% satisfied with. I also did not want any work related stuff stressing me out. Mon/Tue/Wed I’m pretty much labbing all day as usual. Thursday I take a bit of a break. I end up writing a blog post in the morning as I get bored. Then what? I didn’t know what to do. The nerves were sky high. I end up walking to a few shops and buying rubbish. I get my hair cut. It kills the time.

Second lab day

All covered here.

Mission complete. I have the CCIE number I wanted from the beginning.

VRF Selection Using Filter Based Forwarding – Junos

I wanted to replicate the VRF selection using PBR post I did over here. Anyone who has used Junos will tell you that their version of PBR, filter-based forwarding, while more powerful, is a lot more complicated than Cisco’s offering.

Let’s use the following topology:

R3 is going to be my source. It will have multiple addresses configured. When I send traffic off to R2, I want R2 to decide which VRF the packet should go into based on the source address used by R3. R2 and R4 are going to be simple ISP PE devices. R1 and R5 are going to be in VRFs CUS1 and CUS5 respectively.

Configuration

CPE config

All the CPE routers have their loopback configured and a static default route pointing to their connected PE.
All the CPEs are configured similarly, so I’m only going to show the configuration of one.

USER3:R3> show configuration interfaces
ae1 {
    unit 12 {
        vlan-id 12;
        family inet {
            address 10.0.4.5/30;
        }
    }
}
lo0 {
    unit 3 {
        family inet {
            address 3.3.3.3/32;
        }
    }
}

USER3:R3> show configuration routing-options
static {
    route 0.0.0.0/0 next-hop 10.0.4.6;
}

PE Config

R4 is a regular PE so nothing special:

USER4:R4> show configuration
interfaces {
    fe-0/0/3 {
        unit 24 {
            vlan-id 24;
            family inet {
                address 10.0.4.9/30;
            }
            family mpls;
        }
    }
    ae1 {
        unit 34 {
            vlan-id 34;
            family inet {
                address 10.0.2.5/30;
            }
        }
        unit 45 {
            vlan-id 45;
            family inet {
                address 10.0.8.9/30;
            }
        }
    }
    lo0 {
        unit 4 {
            family inet {
                address 4.4.4.4/32;
            }
        }
    }
}
protocols {
    mpls {
        interface fe-0/0/3.24;
    }
    bgp {
        group L3VPN {
            local-address 4.4.4.4;
            family inet-vpn {
                unicast;
            }
            peer-as 100;
            neighbor 2.2.2.2;
        }
    }
    ospf {
        area 0.0.0.0 {
            interface fe-0/0/3.24;
            interface lo0.4;
        }
    }
    ldp {
        interface fe-0/0/3.24;
    }
}
routing-instances {
    CUS1 {
        instance-type vrf;
        interface ae1.34;
        route-distinguisher 100:1;
        vrf-target target:100:1;
        routing-options {
            static {
                route 1.1.1.1/32 next-hop 10.0.2.6;
            }
        }
    }
    CUS5 {
        instance-type vrf;
        interface ae1.45;
        route-distinguisher 100:5;
        vrf-target target:100:5;
        routing-options {
            static {
                route 5.5.5.5/32 next-hop 10.0.8.10;
            }
        }
    }
}
routing-options {
    autonomous-system 100;
}

As you can see, R4 has a static route to R1 and R5 in each respective VRF. That information is then sent off to R2 as an MP-BGP update.

R2 is where all the magic happens. I need to ensure that packets coming into interface fe-0/0/3.12 from R3 are put into the right VRF based on their source address. I also need to ensure that R2 is able to get back to those source addresses over the VRF, even though fe-0/0/3.12 itself is not in a VRF.

First, let’s create a firewall filter that will match and move packets to the right VRF:

USER2:R2> show configuration firewall
family inet {
    filter VRF_FBF {
        term CUS1 {
            from {
                address {
                    192.168.1.1/32;
                }
            }
            then {
                routing-instance CUS1;
            }
        }
        term CUS5 {
            from {
                address {
                    192.168.5.5/32;
                }
            }
            then {
                routing-instance CUS5;
            }
        }
        term ANY {
            then accept;
        }
    }
}

If a packet comes in with a source address of 192.168.1.1/32, send it to the CUS1 VRF. If it comes in with a source address of 192.168.5.5/32, send it to the CUS5 VRF. I’ve then got a catch-all to ensure any other packets are not dropped (a Junos filter ends with an implicit discard, so without the ANY term all of R3’s other traffic would be dropped). One caveat: from address matches either the source or the destination field, so a packet destined to 192.168.1.1 would also be steered into CUS1; if you only want to match on the source, use from source-address instead. Once the filter is created, I need to apply it inbound on my interface:

USER2:R2> show configuration interfaces fe-0/0/3.12
vlan-id 12;
family inet {
    filter {
        input VRF_FBF;
    }
    address 10.0.4.6/30;
}

This is great for packets coming into R2 from R3, but what about getting back? I could create static routes for 192.168.1.1/32 and 192.168.5.5/32 in each VRF, but the actual link between R2 and R3 is not in any VRF, so the next-hop 10.0.4.5 cannot be resolved from inside the VRF table. I could point the static routes at the default/global table instead, but I could also use a rib-group to get the interface route into both VRFs.

Let’s try the second option. I want to get 10.0.4.4/30 into both VRFs, and only this link, not every interface route on the box.

USER2:R2> show configuration policy-options
policy-statement R2-R3-LINK {
    term 1 {
        from {
            route-filter 10.0.4.4/30 exact;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

USER2:R2> show configuration routing-options rib-groups
GLOBAL_TO_VRF {
    import-rib [ inet.0 CUS1.inet.0 CUS5.inet.0 ];
    import-policy R2-R3-LINK;
}

USER2:R2> show configuration routing-options interface-routes
rib-group inet GLOBAL_TO_VRF;

The above says to match 10.0.4.4/30 and nothing else. That policy is the import-policy of the rib-group, and the rib-group is attached to interface-routes. Together they say: when the interface route is placed in the default/global RIB (inet.0), also place it in CUS1’s and CUS5’s RIBs. With the connected route present in each VRF, the static routes for 192.168.1.1/32 and 192.168.5.5/32 pointing at 10.0.4.5 (the Static/5 entries in the tables below) can resolve their next-hop.

Verification

The end result of this is that from R2’s perspective, in the CUS1 RIB I should see R1’s address, R3’s 192.168.1.1/32 address, the R2-R3 link, and the R4-R1 link:

USER2:R2> show route table CUS1

CUS1.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[BGP/170] 01:17:21, localpref 100, from 4.4.4.4
                      AS path: I
                    > to 10.0.4.9 via ae1.24, Push 299792
10.0.2.4/30        *[BGP/170] 01:17:21, localpref 100, from 4.4.4.4
                      AS path: I
                    > to 10.0.4.9 via ae1.24, Push 299792
10.0.4.4/30        *[Direct/0] 00:56:02
                    > via fe-0/0/3.12
192.168.1.1/32     *[Static/5] 00:56:02
                    > to 10.0.4.5 via fe-0/0/3.12

If we check CUS5’s RIB, I should see R5’s address, R3’s 192.168.5.5/32 address, the R2-R3 link again, and the R4-R5 link:

USER2:R2> show route table CUS5

CUS5.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.5.5.5/32         *[BGP/170] 01:23:36, localpref 100, from 4.4.4.4
                      AS path: I
                    > to 10.0.4.9 via ae1.24, Push 299808
10.0.4.4/30        *[Direct/0] 00:58:51
                    > via fe-0/0/3.12
10.0.8.8/30        *[BGP/170] 01:23:36, localpref 100, from 4.4.4.4
                      AS path: I
                    > to 10.0.4.9 via ae1.24, Push 299808
192.168.5.5/32     *[Static/5] 00:58:51
                    > to 10.0.4.5 via fe-0/0/3.12

So our control plane is working fine. Let’s check the data plane for the final verification:

USER3:R3> ping 1.1.1.1 source 192.168.1.1 rapid
PING 1.1.1.1 (1.1.1.1): 56 data bytes
!!!!!
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.252/1.466/1.823/0.211 ms

USER3:R3> ping 1.1.1.1 source 192.168.5.5 rapid
PING 1.1.1.1 (1.1.1.1): 56 data bytes
.....
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

R3 to R1 works only when sourced from 192.168.1.1, as expected: the ping from 192.168.5.5 lands in CUS5, which has no route to 1.1.1.1. Let’s check R3 to R5:

USER3:R3> ping 5.5.5.5 source 192.168.5.5 rapid
PING 5.5.5.5 (5.5.5.5): 56 data bytes
!!!!!
--- 5.5.5.5 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.262/1.358/1.577/0.115 ms

USER3:R3> ping 5.5.5.5 source 192.168.1.1 rapid
PING 5.5.5.5 (5.5.5.5): 56 data bytes
.....
--- 5.5.5.5 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

No problems there: the same thing happens in reverse, 192.168.1.1 is steered into CUS1, which has no route to 5.5.5.5.
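As an added example that is not part of the original post, the Python below replays what R2 does with each packet: it evaluates the VRF_FBF filter terms in order, then does a longest-prefix lookup in the table the filter selected, using the CUS1 and CUS5 tables from the show route output above. It reproduces the four ping results, and also shows the from address versus from source-address difference mentioned earlier. The inet.0 contents, the 172.16.0.10 host behind R3, and the STRICT_FBF variant are assumptions made for the example.

```python
"""Filter-based forwarding on R2, replayed in Python.

Added example, not from the original post. It evaluates the VRF_FBF filter
term by term, then does a longest-prefix lookup in the table the filter
chose, using the CUS1 and CUS5 tables from 'show route table' above. The
inet.0 contents and the 172.16.0.10 host behind R3 are assumptions, and
STRICT_FBF is what the filter would look like written with source-address.
"""
from ipaddress import ip_address, ip_network

# Terms evaluate top-down, first match wins. 'address' matches source OR
# destination, 'source-address' matches source only (Junos semantics).
VRF_FBF = [
    {"name": "CUS1", "address": "192.168.1.1/32", "then": "CUS1"},
    {"name": "CUS5", "address": "192.168.5.5/32", "then": "CUS5"},
    {"name": "ANY", "then": "inet.0"},          # 'then accept': normal lookup
]
STRICT_FBF = [
    {"name": "CUS1", "source-address": "192.168.1.1/32", "then": "CUS1"},
    {"name": "CUS5", "source-address": "192.168.5.5/32", "then": "CUS5"},
    {"name": "ANY", "then": "inet.0"},
]

TABLES = {
    # R2's CUS1.inet.0 and CUS5.inet.0 as shown on the page (next-hops abbreviated).
    "CUS1": {
        "1.1.1.1/32": "10.0.4.9 via ae1.24, push 299792",
        "10.0.2.4/30": "10.0.4.9 via ae1.24, push 299792",
        "10.0.4.4/30": "direct, fe-0/0/3.12",
        "192.168.1.1/32": "10.0.4.5 via fe-0/0/3.12",
    },
    "CUS5": {
        "5.5.5.5/32": "10.0.4.9 via ae1.24, push 299808",
        "10.0.4.4/30": "direct, fe-0/0/3.12",
        "10.0.8.8/30": "10.0.4.9 via ae1.24, push 299808",
        "192.168.5.5/32": "10.0.4.5 via fe-0/0/3.12",
    },
    # Assumed global table: the R2-R3 link, the R2-R4 core link and loopbacks.
    "inet.0": {
        "10.0.4.4/30": "direct, fe-0/0/3.12",
        "10.0.4.8/30": "direct, ae1.24",
        "2.2.2.2/32": "direct, lo0",
        "4.4.4.4/32": "10.0.4.9 via ae1.24",
    },
}


def select_instance(terms, src, dst):
    """Return the routing instance the filter hands the packet to."""
    src, dst = ip_address(src), ip_address(dst)
    for term in terms:
        if "address" in term:
            net = ip_network(term["address"])
            if src not in net and dst not in net:
                continue
        if "source-address" in term:
            if src not in ip_network(term["source-address"]):
                continue
        return term["then"]
    return "discard"  # every Junos filter ends with an implicit discard


def lookup(table, dst):
    """Longest-prefix match; None means no route (the ping prints '.')."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(src, dst, terms=VRF_FBF):
    """(instance, next_hop) for a packet arriving on fe-0/0/3.12."""
    instance = select_instance(terms, src, dst)
    if instance == "discard":
        return instance, None
    return instance, lookup(TABLES[instance], dst)


if __name__ == "__main__":
    for src, dst in [("192.168.1.1", "1.1.1.1"), ("192.168.5.5", "1.1.1.1"),
                     ("192.168.5.5", "5.5.5.5"), ("192.168.1.1", "5.5.5.5")]:
        print(src, "->", dst, forward(src, dst))
    # Only the destination matches term CUS1 here; 'address' still steers it.
    print(forward("172.16.0.10", "192.168.1.1"),
          forward("172.16.0.10", "192.168.1.1", STRICT_FBF))
```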

Inter-AS MPLS L3VPN – Option C Interop – IOS-XE, IOS, Junos

I initially wanted to test Option C between IOS, Junos, and Brocade NetIron, but the NetIron doesn’t support Option B or C.

Cisco has released the CSR1000V, an IOS-XE router that runs in VMware. So what better way to test that little router than with an interop blog?

The Junos and IOS-XE boxes will be the route reflectors. In this scenario they are nowhere in the data path; they are only doing control-plane duties.

This interop is a bit of a cheat, as IOS-XE is nearly identical to IOS. I don’t have readily available access to IOS-XR so I can’t easily attach that to my Junos lab.

Most of the config is lifted from my regular Option C post over here. I’ve removed the route-reflector config from R12 and R8.

IOS-XE config

This is the version of IOS-XE I’m using:

IOS-XE-RR#sh ver | include IOS
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.3(2)S0a
IOS XE Version: 03.09.00a.S
Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.

Let’s start off with the usual IGP config:

interface Loopback0
 ip address 30.30.30.30 255.255.255.255
 ip router isis
!
interface GigabitEthernet1
 ip address 10.0.0.30 255.255.255.0
 ip router isis
!
router isis
 net 49.0000.0000.0030.00
 is-type level-2-only
 metric-style wide

Now we need to set up our BGP sessions. As the previous post showed, I need to ensure the next-hop remains unchanged when advertising off to the Juniper. I also need to rewrite the RT values inbound. Two things worth knowing about the route-map: a route-map with only permit sequences implicitly denies anything that matches none of them, so VPNv4 routes arriving from AS 200 with an RT other than 200:1 or 200:2 are dropped inbound (a rewrite and an allow-list in one); and set extcommunity rt without the additive keyword replaces every RT on the route, so a prefix carrying both 200:1 and 200:2 would leave sequence 10 with only 100:1:

ip extcommunity-list standard 200:1 permit rt 200:1
ip extcommunity-list standard 200:2 permit rt 200:2
!
route-map CHANGE_COMMUNITY permit 10
 match extcommunity 200:1
 set extcommunity rt 100:1
!
route-map CHANGE_COMMUNITY permit 20
 match extcommunity 200:2
 set extcommunity rt 100:2
!
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 12.12.12.12 remote-as 100
 neighbor 12.12.12.12 update-source Loopback0
 neighbor 20.20.20.20 remote-as 200
 neighbor 20.20.20.20 ebgp-multihop 255
 neighbor 20.20.20.20 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 2.2.2.2 route-reflector-client
  neighbor 12.12.12.12 activate
  neighbor 12.12.12.12 send-community extended
  neighbor 12.12.12.12 route-reflector-client
  neighbor 20.20.20.20 activate
  neighbor 20.20.20.20 send-community extended
  neighbor 20.20.20.20 next-hop-unchanged
  neighbor 20.20.20.20 route-map CHANGE_COMMUNITY in
 exit-address-family

Junos config

With Junos we are doing the same thing; the config just looks very different of course. I’ve configured regular OSPF and LDP a number of times so I won’t post it here again. As before, I need to rewrite the RT values inbound, so let’s create a policy to do so:

policy-options {
    policy-statement CHANGE_COMMUNITY {
        term 1 {
            from community 100:1;
            then {
                community set 200:1;
            }
        }
        term 2 {
            from community 100:2;
            then {
                community set 200:2;
            }
        }
    }
    community 100:1 members target:100:1;
    community 100:2 members target:100:2;
    community 200:1 members target:200:1;
    community 200:2 members target:200:2;
}

This will be applied inbound on our eBGP session. Note the difference from the IOS side: none of these terms has a terminating action, and a Junos BGP import policy falls through to its default of accept, so a route carrying an RT that matches neither term is accepted unchanged. If you want the allow-list behaviour the IOS route-map gives you for free, add accept to each term and finish with a term that does then reject. One thing to note under Junos is that you usually change attributes through a routing policy, but if you want to ensure the next-hop doesn’t change it goes under multihop as no-nexthop-change. A bit odd, but that’s the way it is. This is my BGP config:

USERJR1:JR1> show configuration protocols bgp
group VPNv4_EXTERNAL {
    multihop {
        no-nexthop-change;
    }
    local-address 20.20.20.20;
    import CHANGE_COMMUNITY;
    family inet-vpn {
        unicast;
    }
    peer-as 100;
    neighbor 30.30.30.30 {
        multihop;
    }
}
group VPNv4_INTERNAL {
    local-address 20.20.20.20;
    family inet-vpn {
        unicast;
    }
    cluster 20.20.20.20;
    peer-as 200;
    neighbor 8.8.8.8;
    neighbor 9.9.9.9;
}
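As an added example that is not part of the original post, the Python below models the inbound RT rewrite on both route reflectors using the two configs above. It captures the two places where the platforms behave differently: the IOS route-map denies anything that matches no sequence and set extcommunity rt replaces the whole RT set, while the Junos policy’s terms have no terminating action and fall through to the BGP import default of accept. The 11.11.11.11/32 and 1.1.1.1/32 routes are the ones from the verification output further down; the stray and shared prefixes, and the VRF names, are constructed for the example.

```python
"""RT rewrite at the Option C route reflectors, replayed in Python.

Added example, not from the original post. It models the behaviours that
matter on this page and differ between the platforms: the IOS route-map
(implicit deny when no sequence matches; 'set extcommunity rt' replaces every
RT on the route) and the Junos import policy (terms fall through to the BGP
default, which is accept). Routes marked 'from the page' are in the
verification output; the others, and the VRF names, are constructed.
"""

# IOS-XE RR: route-map CHANGE_COMMUNITY as (match RT, set RT) per permit sequence.
IOS_CHANGE_COMMUNITY = [("200:1", "100:1"), ("200:2", "100:2")]

# JR1: policy CHANGE_COMMUNITY as (match community, set community, terminating action).
JUNOS_CHANGE_COMMUNITY = [
    ("target:100:1", "target:200:1", None),
    ("target:100:2", "target:200:2", None),
]
# The same policy written as an allow-list: accept on match, reject the rest.
JUNOS_CHANGE_COMMUNITY_STRICT = [
    ("target:100:1", "target:200:1", "accept"),
    ("target:100:2", "target:200:2", "accept"),
    (None, None, "reject"),
]

# Local VRFs on the AS 100 side (names assumed) keyed by their import target.
VRF_TARGETS = {"CUST1": "100:1", "CUST2": "100:2"}

# VPNv4 routes as dicts: RD, prefix, BGP next-hop and the set of route targets.
FROM_AS200 = {"rd": "8.8.8.8:1", "prefix": "11.11.11.11/32", "nh": "8.8.8.8", "rt": {"200:1"}}  # from the page
FROM_AS100 = {"rd": "2.2.2.2:1", "prefix": "1.1.1.1/32", "nh": "2.2.2.2", "rt": {"target:100:1"}}  # from the page
STRAY_AS200 = {"rd": "9.9.9.9:7", "prefix": "172.16.7.0/24", "nh": "9.9.9.9", "rt": {"200:7"}}  # constructed
STRAY_AS100 = {"rd": "12.12.12.12:7", "prefix": "172.16.9.0/24", "nh": "12.12.12.12", "rt": {"target:100:7"}}  # constructed
SHARED_AS200 = {"rd": "8.8.8.8:9", "prefix": "172.16.0.0/24", "nh": "8.8.8.8", "rt": {"200:1", "200:2"}}  # constructed


def ios_route_map(route, sequences):
    """Apply an inbound route-map. The first matching permit sequence wins and
    its 'set extcommunity rt' replaces the whole RT set. No match means deny."""
    for match_rt, set_rt in sequences:
        if match_rt in route["rt"]:
            return dict(route, rt={set_rt})  # next-hop untouched (next-hop-unchanged)
    return None


def junos_policy(route, terms, default_action="accept"):
    """Apply a Junos import policy. A term with no terminating action modifies
    the route and evaluation continues; an unmatched route gets the default."""
    r = dict(route, rt=set(route["rt"]))
    for match_rt, set_rt, action in terms:
        if match_rt is not None and match_rt not in r["rt"]:
            continue
        if set_rt is not None:
            r["rt"] = {set_rt}  # 'community set' replaces; 'community add' would append
        if action == "accept":
            return r
        if action == "reject":
            return None
    return r if default_action == "accept" else None


def importing_vrfs(route, vrf_targets=VRF_TARGETS):
    """Which local VRFs would import the route after the rewrite."""
    if route is None:
        return []
    return sorted(name for name, target in vrf_targets.items() if target in route["rt"])


if __name__ == "__main__":
    for r in (FROM_AS200, STRAY_AS200, SHARED_AS200):
        rewritten = ios_route_map(r, IOS_CHANGE_COMMUNITY)
        print("IOS  ", r["prefix"], "->", rewritten and rewritten["rt"], importing_vrfs(rewritten))
    for r in (FROM_AS100, STRAY_AS100):
        print("Junos default:", r["prefix"], "->", junos_policy(r, JUNOS_CHANGE_COMMUNITY)["rt"])
        strict = junos_policy(r, JUNOS_CHANGE_COMMUNITY_STRICT)
        print("Junos strict :", r["prefix"], "->", strict and strict["rt"])
```

The SHARED_AS200 case is the one to watch on the IOS side: a prefix carrying both RTs matches sequence 10, comes out with only 100:1, and so lands in a single VRF; if a customer legitimately imports two targets, one sequence has to set both.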

Verification

At this point, our BGP updates are flowing like so:

I’ve added the new loopbacks to my ASBRs route-map on R13, R15, R5, and R6. Let’s ensure our BGP sessions are up:

IOS-XE-RR#  show bgp vpnv4 un all summary | beg Neigh
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4          100      38      42        9    0    0 00:30:11        2
12.12.12.12     4          100      38      43        9    0    0 00:30:09        2
20.20.20.20     4          200      71      72        9    0    0 00:30:04        4
USERJR1:JR1> show bgp summary
Groups: 2 Peers: 3 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 0          0          0          0          0          0
bgp.l3vpn.0            8          8          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active
8.8.8.8                 200         94         99       0       4       42:21 Establ
  bgp.l3vpn.0: 2/2/2/0
9.9.9.9                 200        194        206       0       4       42:24 Establ
  bgp.l3vpn.0: 2/2/2/0
30.30.30.30             100         72         71       0       4       30:20 Establ
  bgp.l3vpn.0: 4/4/4/0

Let’s drill down a bit deeper. 11.11.11.11/32 should be on the XE router with an RT value of 100:1. Is that what we see?

IOS-XE-RR#show bgp vpnv4 unicast rd 8.8.8.8:1   11.11.11.11
BGP routing table entry for 8.8.8.8:1:11.11.11.11/32, version 5
Paths: (1 available, best #1, no table)
  Advertised to update-groups:
     1
  Refresh Epoch 1
  200
    8.8.8.8 (metric 20) from 20.20.20.20 (20.20.20.20)
      Origin incomplete, localpref 100, valid, external, best
      Extended Community: RT:100:1 OSPF DOMAIN ID:0x0005:0x000000020200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:10.0.118.8:0
      mpls labels in/out nolabel/27
      rx pathid: 0, tx pathid: 0x0

We do see that. Notice too that the next-hop is still the PE address 8.8.8.8, which is what we want with Option C.

From the Junos side we should see 1.1.1.1/32 coming in with an RT value of 200:1:

USERJR1:JR1> show route table bgp.l3vpn.0 rd-prefix 2.2.2.2:1:1.1.1.1 detail

bgp.l3vpn.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
2.2.2.2:1:1.1.1.1/32 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Route Distinguisher: 2.2.2.2:1
                Next hop type: Indirect
                Address: 0x8fadd00
                Next-hop reference count: 1
                Source: 30.30.30.30
                Protocol next hop: 2.2.2.2
                Push 27
                Indirect next hop: 2 no-forward
                State: 
                Local AS:   200 Peer AS:   100
                Age: 33:40      Metric2: 1
                Task: BGP_100.30.30.30.30+18533
                Announcement bits (1): 0-BGP RT Background
                AS path: 100 ?
                Communities: target:200:1
                Accepted
                VPN Label: 27
                Localpref: 100
                Router ID: 30.30.30.30

That’s exactly what we see. Notice again that the protocol next-hop is still R2’s address, not the route reflector’s.

So this should mean that not only can R1 reach R11, but it also takes the optimal path:

R1#traceroute 11.11.11.11 so lo0

Type escape sequence to abort.
Tracing the route to 11.11.11.11

  1 10.0.12.2 12 msec 12 msec 4 msec
  2 10.0.23.3 [MPLS: Labels 23/29/27 Exp 0] 32 msec 52 msec 40 msec
  3 10.0.33.13 [MPLS: Labels 29/27 Exp 0] 44 msec 52 msec 8 msec
  4 10.13.14.14 [MPLS: Labels 24/27 Exp 0] 32 msec 32 msec 60 msec
  5 10.0.146.6 [MPLS: Labels 26/27 Exp 0] 24 msec 52 msec 24 msec
  6 10.0.118.8 [MPLS: Label 27 Exp 0] 32 msec 32 msec 28 msec
  7 10.0.118.11 60 msec *  24 msec

Let’s be 100% sure the reverse path is also the optimal path:

R11#traceroute 1.1.1.1 so lo0

Type escape sequence to abort.
Tracing the route to 1.1.1.1

  1 10.0.118.8 8 msec 12 msec 4 msec
  2 10.0.68.6 [MPLS: Labels 28/27 Exp 0] 44 msec 48 msec 24 msec
  3 10.0.146.14 [MPLS: Labels 29/27 Exp 0] 12 msec 60 msec 44 msec
  4 10.13.14.13 [MPLS: Labels 22/27 Exp 0] 48 msec 40 msec 48 msec
  5 10.0.33.3 [MPLS: Labels 26/27 Exp 0] 48 msec 40 msec 8 msec
  6 10.0.12.2 [MPLS: Label 27 Exp 0] 40 msec 12 msec 28 msec
  7 10.0.12.1 56 msec *  20 msec

I’d like to add a few more things to this particular lab, but I’ll leave that for another day.