Setting up an ntp/ftp/snmp/syslog/radius/dns proxy VM to test various router features

I just bought inetzero’s JNCIE-SP book and in their lab they have a server running providing a bunch of services. As I have my own lab I’m going to create my own server. A VM running all the above services can be very handy when testing and studying for your CCIE and JNCIE as certain things cannot be tested just on the router alone.

I’ll be creating this server through ESXi, but you can just as easily create it on any VM software. I’ll be installing Ubuntu server 12.04.2 LTS.

Initial Ubuntu install

This is going to be a pretty standard VM with two NICs: one connected to the internet, the other to the test network.

Go through most of your install and at the end ensure SSH is installed.

eth0 on my server will be the internet port. I’ll be configuring eth1 to be the test lab port with an IP address of 10.10.1.100/24

sudo vi /etc/network/interfaces

Add the following:

# Lab Interface
auto eth1
iface eth1 inet static
        address 10.10.1.100
        netmask 255.255.255.0

NTP Server

sudo apt-get install ntp

This will install the daemon. The stock /etc/ntp.conf on 12.04 already syncs from the Ubuntu pool servers and answers clients on every interface, so that's all there is to it; just give ntpd a few minutes to sync upstream before expecting the router to sync off it.

FTP Server

sudo apt-get install proftpd

Once installed, configure the server to only listen on 10.10.1.100, so an FTP daemon (cleartext logins) never sits on the internet-facing interface. Add this to /etc/proftpd/proftpd.conf:

DefaultAddress                  10.10.1.100
SocketBindTight                 on

SNMP

sudo apt-get install snmp

The snmp package gives you the client tools (snmpwalk, snmpget and friends), which will be handy when pulling SNMP off your kit. The agent itself is the separate snmpd package, which isn't needed here.

Syslog server

Rsyslog comes installed by default on Ubuntu 12.04, however it doesn't listen for external connections. Edit /etc/rsyslog.conf and uncomment the following two lines:

$ModLoad imudp
$UDPServerRun 514

Radius Server

sudo apt-get install freeradius

Once installed, edit /etc/freeradius/radiusd.conf and make sure the listen and log sections look like this. Ports 1645/1646 are the legacy Cisco ports rather than the IANA-assigned 1812/1813, so the router's radius-server host line has to name the same pair (it does in the verification below). Note too that auth_badpass = yes and auth_goodpass = yes write the cleartext passwords into radius.log, which is handy in a lab and a bad idea anywhere else:

listen {
        type = auth
        ipaddr = 10.10.1.100
        port = 1645

}

listen {
        ipaddr = 10.10.1.100
        port = 1646
        type = acct
}

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
}

Edit clients.conf. I've simply deleted everything out of that file and added the following. require_message_authenticator = no means the server will accept Access-Requests that carry no Message-Authenticator HMAC; fine for a lab, but in production you want it on wherever the NAS supports it:

client 10.10.1.0/24 {
        secret          = radiuspassword
        shortname       = LAB
	require_message_authenticator = no
        nastype         = cisco
}

DNS Proxy

sudo apt-get install dnsproxy

Edit /etc/dnsproxy.conf. I've deleted everything out of there and simply configured the following. Listening only on 10.10.1.100 and restricting recursive queries to the internal networks keeps the proxy from becoming an open resolver on the internet-facing side:

# Authoritative server
authoritative           8.8.8.8
authoritative-port      53              # Its port. Defaults to 53.
authoritative-timeout   10              # Seconds to wait for answers.

# Recursive resolver
recursive               8.8.8.8
recursive-port          53              # Its port. Defaults to 53.
recursive-timeout       90              # Seconds to wait for answers.

# Local address and port of dnsproxy
listen 10.10.1.100
port 53

# Security features
chroot /var/spool/dnsproxy
user dnsproxy

# Internal networks (allowed to do recursive queries)
internal 10.10.1.0/24   # Our internal network
internal 127.0.0.1

Verification

Nothing works until you verify. I’ll be using a 7200 as an IOS router to test all the features configured above.

NTP

R1#sh run | sec ntp
ntp peer 10.10.1.100
R1#sh ntp status
Clock is synchronized, stratum 3, reference is 10.10.1.100
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D55310A3.3153F82E (12:05:55.192 UTC Fri May 31 2013)
clock offset is -2.2801 msec, root delay is 115.22 msec
root dispersion is 44.40 msec, peer dispersion is 5.75 msec

FTP

R1#sh run | sec ftp
ip ftp username darreno
ip ftp password 7 BLAHBLAHBLAH
R1#copy run ftp
Address or name of remote host []? 10.10.1.100
Destination filename [r1-confg]?
Writing r1-confg !
1052 bytes copied in 1.496 secs (703 bytes/sec)

Back on server:

server:~$ ls
r1-confg

SNMP

R1#sh run | sec snmp
snmp-server community snmpt3st1ng RO
snmp-server location "LAB"
snmp-server chassis-id test.7200
snmp-server host 10.10.1.100 snmpt3st1ng

On server:

server:~$ snmpwalk -v 1 -c snmpt3st1ng 10.10.1.1
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), 
Version 12.2(33)SRE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 13-Sep-12 08:13 by prod_rel_team"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.222
iso.3.6.1.2.1.1.3.0 = Timeticks: (51815) 0:08:38.15
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.5.0 = STRING: "R1"
iso.3.6.1.2.1.1.6.0 = STRING: "\"LAB\""
iso.3.6.1.2.1.1.7.0 = INTEGER: 78
etc
etc
etc

Syslog

Router:

archive
log config
 logging enable
 notify syslog
 hidekeys
logging trap debugging
logging facility local1
logging 10.10.1.100

This sends a syslog message whenever a command is entered in configuration mode; hidekeys keeps passwords out of the logged command text. Let's create a loopback and check the server:

server:~$ tail -f /var/log/syslog
May 31 13:15:13 10.10.1.1 27: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface lo100
May 31 13:15:13 10.10.1.1 28: %SYS-5-CONFIG_I: Configured from console by console
May 31 13:15:13 10.10.1.1 29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to up
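The %PARSER-5-CFGLOG_LOGGEDCMD lines above are the interesting ones from a monitoring point of view: they tell you who changed what. As an added example (not part of the original post), here is a small Python script that parses lines in the exact format rsyslog wrote them above, pulls the user and command out of each config-log message, flags commands on a short watch-list that weaken logging, AAA or credentials, and reports gaps in the router's message sequence numbers (a sign that UDP syslog dropped something). The sample log is constructed: the three real lines from above plus two made-up ones (sequence 30 and 33) so the checks have something to catch; the watch-list is my choice, not anything from the page.

```python
import re

# Constructed sample: the three lines the router produced above plus two made-up
# ones (sequence numbers 30 and 33) so the checks below have something to find.
SAMPLE_LOG = """\
May 31 13:15:13 10.10.1.1 27: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:interface lo100
May 31 13:15:13 10.10.1.1 28: %SYS-5-CONFIG_I: Configured from console by console
May 31 13:15:13 10.10.1.1 29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to up
May 31 13:16:02 10.10.1.1 30: %PARSER-5-CFGLOG_LOGGEDCMD: User:testuser  logged command:no logging 10.10.1.100
May 31 13:16:09 10.10.1.1 33: %PARSER-5-CFGLOG_LOGGEDCMD: User:testuser  logged command:username backdoor privilege 15 secret 0 hunter2
"""

# "<timestamp> <host> <seq>: %FACILITY-SEVERITY-MNEMONIC: <text>", as rsyslog stored it above
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<seq>\d+): %(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
CFGLOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

# Commands that weaken logging, AAA or credentials. A watch-list, not an exhaustive one.
SUSPICIOUS = [
    (re.compile(r"^no logging\b"), "syslog export removed"),
    (re.compile(r"^no archive\b"), "config change logging removed"),
    (re.compile(r"^no aaa\b"), "AAA disabled"),
    (re.compile(r"^username \S+ privilege 15\b"), "new privilege-15 local user"),
    (re.compile(r"^enable (secret|password)\b"), "enable credential changed"),
    (re.compile(r"^snmp-server community \S+ RW\b"), "read-write SNMP community added"),
]


def parse_syslog(text):
    """One dict per parseable line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["seq"] = int(rec["seq"])
            rec["severity"] = int(rec["severity"])
            records.append(rec)
    return records


def config_commands(text):
    """Extract user and command from every %PARSER-5-CFGLOG_LOGGEDCMD record."""
    cmds = []
    for rec in parse_syslog(text):
        if rec["mnemonic"] != "CFGLOG_LOGGEDCMD":
            continue
        m = CFGLOG_RE.search(rec["text"])
        if m:
            cmds.append({"seq": rec["seq"], "host": rec["host"],
                         "user": m["user"], "cmd": m["cmd"].strip()})
    return cmds


def find_suspicious(text):
    """Config commands that match the watch-list, each tagged with the reason."""
    alerts = []
    for c in config_commands(text):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(c["cmd"]):
                alerts.append(dict(c, reason=reason))
                break
    return alerts


def sequence_gaps(text):
    """(previous, next) pairs where the router's per-message counter skipped a value."""
    seqs = [r["seq"] for r in parse_syslog(text)]
    return [(prev, nxt) for prev, nxt in zip(seqs, seqs[1:]) if nxt != prev + 1]


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"ALERT seq={a['seq']} {a['host']} user={a['user']}: {a['cmd']}  ({a['reason']})")
    for prev, nxt in sequence_gaps(SAMPLE_LOG):
        print(f"sequence gap between {prev} and {nxt}: UDP syslog may have dropped messages")
```

Run it against the real file with `python3 cfglog_watch.py < /var/log/syslog` after swapping SAMPLE_LOG for stdin; the sequence-gap check only means something per router, so split the records by host first if more than one device logs to this VM.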

Radius

Router:

aaa new-model
!
aaa authentication login default group radius local none
!
radius-server host 10.10.1.100 auth-port 1645 acct-port 1646 key 7 111B18011E07181C05393833272131

On the server I need to create a user. (The key 7 string above is Cisco type 7 obfuscation, which is trivially reversible, so treat it as cleartext.) Edit /etc/freeradius/users:

testuser     Password = "password"

Let’s go back to the router and login:

User Access Verification

Username: testuser
Password:

R1>

Back on the server:

server:~$ sudo tail -f /var/log/freeradius/radius.log
Fri May 31 13:21:20 2013 : Auth: Login OK: [testuser/password] (from client LAB port 0)
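The clients.conf above sets require_message_authenticator = no, so it is worth seeing what that attribute actually is. As an added example (my code, not the post's and not FreeRADIUS's), here is a Python script that builds the Access-Request the router sends for testuser/password using the shared secret radiuspassword from clients.conf: it does the RFC 2865 User-Password obfuscation (MD5 of secret plus Request Authenticator XORed over the password), computes the RFC 2869 Message-Authenticator HMAC-MD5 that the server is being told not to insist on, and checks the Response Authenticator on a reply. The NAS address 10.10.1.1 is the router's lab address from the snmpwalk above; the packet identifier and the fixed Request Authenticator used in the self-test are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def decrypt_user_password(cipher, secret, authenticator):
    """Inverse of the above (what the server does). Trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """TLV: one-byte type, one-byte length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request carrying User-Name, User-Password, NAS-IP-Address and Message-Authenticator."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, encrypt_user_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869 section 5.14: HMAC-MD5 over the whole packet with the attribute zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header; reject lengths that run off the end."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC over the request with the attribute zeroed. False if absent,
    which is exactly the case require_message_authenticator = no lets through."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response_authenticator(response, request_authenticator, secret):
    """NAS side: a reply is only trusted if its authenticator matches our request."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"radiuspassword"                     # from clients.conf above
    req = build_access_request(7, secret, b"testuser", b"password", "10.10.1.1")
    print("Access-Request:", req.hex())
    print("Message-Authenticator valid:", verify_message_authenticator(req, secret))
    accept = build_response(ACCESS_ACCEPT, 7, req[4:20], secret)
    print("Access-Accept authenticator valid:", verify_response_authenticator(accept, req[4:20], secret))
```

Two things fall out of reading the code: everything that protects the exchange is MD5 keyed with the shared secret, so the secret's strength is the whole story, and without the Message-Authenticator nothing binds the attributes to the request beyond the password field itself.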

DNS Proxy

Router:

ip name-server 10.10.1.100
R1#ping www.cisco.com

Translating "www.cisco.com"...domain server (10.10.1.100) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 95.100.128.170, timeout is 2 seconds:

Resolves just fine.

So there you have it. I might be adding more features to this VM, but for now it’ll suit me quite nicely.

RSVP-TE LSPs without IGP

I recently did a post showing that you can signal an RSVP-TE path across an ISP core even when the routers are not all in the same OSPF area or IS-IS level. You do of course lose complete end-to-end TE information, which means things like link affinities cease to work.

You can also signal an RSVP-TE LSP over a link that isn’t even running an IGP.

This is the topology:

R1 and R2 are running OSPF with each other. R3 and R4 are running OSPF with each other. R2 and R3 are not running OSPF over their directly attached link. Let’s configure R1’s RSVP-TE tunnel to R4.

R1:

mpls traffic-eng tunnels
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel4
ip unnumbered Loopback0
tunnel mode mpls traffic-eng
tunnel destination 4.4.4.4
tunnel mpls traffic-eng autoroute destination
tunnel mpls traffic-eng path-option 5 explicit name TO-R4
!
interface FastEthernet0/0
ip address 10.0.12.1 255.255.255.0
ip ospf 1 area 0
mpls traffic-eng tunnels
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
!
ip explicit-path name TO-R4 enable
next-address loose 2.2.2.2
next-address loose 3.3.3.3
next-address loose 4.4.4.4

R4 has similar config, but on the other side.

To confirm, there is no adjacency or static routes between R2 and R3:

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:34    10.0.12.1        FastEthernet1/0

R2#sh ip route ospf | beg Gate
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 10.0.12.1, 00:10:35, FastEthernet1/0

R2#sh ip route 3.3.3.3
% Network not in table

We need to ensure R2 knows how to signal an RSVP tunnel to 3.3.3.3, even though it has no information about that destination in its IGP.

R2:

mpls traffic-eng tunnels
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet1/0
ip address 20.0.23.2 255.255.255.0
mpls traffic-eng tunnels
mpls traffic-eng passive-interface nbr-te-id 3.3.3.3 nbr-if-addr 20.0.23.3
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0

This tells R2 that TE node 3.3.3.3 sits on the far side of this link at 20.0.23.3, which is the piece of information the IGP would normally have supplied. With that in place R2 can forward the RSVP Path message on to R3, even though there is no IGP adjacency between them:

R1#sh mpls traffic-eng tunnels

P2P TUNNELS/LSPs:

Name: R1_t4                               (Tunnel4) Destination: 4.4.4.4
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected
    path option 5, type explicit TO-R4 (Basis for Setup, path weight 1)

  Config Parameters:
    Bandwidth: 0        kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute announce: disabled LockDown: disabled Loadshare: 0        bw-based
    AutoRoute destination: enabled
    auto-bw: disabled
  Active Path Option Parameters:
    State: explicit path option 5 is active
    BandwidthOverride: disabled  LockDown: disabled  Verbatim: disabled


  InLabel  :  -
  OutLabel : FastEthernet0/0, 17
  Next Hop : 10.0.12.2
  RSVP Signalling Info:
       Src 1.1.1.1, Dst 4.4.4.4, Tun_Id 4, Tun_Instance 27
    RSVP Path Info:
      My Address: 10.0.12.1
      Explicit Route: 10.0.12.2 2.2.2.2 3.3.3.3* 4.4.4.4*
      Record   Route:
      Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
    RSVP Resv Info:
      Record   Route:  20.0.23.2 20.0.34.3 20.0.34.4
      Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
  History:
    Tunnel:
      Time since created: 11 minutes, 53 seconds
      Time since path change: 7 minutes, 37 seconds
      Number of LSP IDs (Tun_Instances) used: 27
    Current LSP: [ID: 27]
      Uptime: 7 minutes, 37 seconds
    Prior LSP: [ID: 26]
      ID: path option unknown
      Removal Trigger: path error

The tunnel is now up. This means I’ll be able to trace to 4.4.4.4 over the non IGP-enabled link:

R1#traceroute 4.4.4.4 so lo0

Type escape sequence to abort.
Tracing the route to 4.4.4.4

  1 10.0.12.2 [MPLS: Label 17 Exp 0] 12 msec 12 msec 12 msec
  2 20.0.23.3 [MPLS: Label 17 Exp 0] 12 msec 12 msec 8 msec
  3 20.0.34.4 8 msec *  20 msec

This could be handy if you wanted to signal an end-to-end LSP into another provider's network. Far more likely you'll be running BGP+Label (RFC 3107) over that type of link though.

Cisco ME3400 notes

The current CCIE SP exam focuses on the ME3400 line of metro switches. For the most part it's just another switch, but there are a few differences I want to note here for my own reference. I've spent a lot of time on my L3, so I really need more of these L2 notes.

For reference, I'm doing all of this on an ME-3400G-2CS-A running:

Switch#sh ver | include IOS
Cisco IOS Software, ME340x Software (ME340x-METROIPACCESS-M), Version 12.2(52)SE, RELEASE SOFTWARE

This switch at the start has a blank config.

  • There are three port types: UNI, NNI, and ENI. By default this particular model comes configured like so:
Switch#sh port-type
Port      Name               Vlan       Port Type
--------- ------------------ ---------- ----------------------------
Gi0/1                        1          User Network Interface           (uni)
Gi0/2                        1          User Network Interface           (uni)
Gi0/3                        1          Network Node Interface           (nni)
Gi0/4                        1          Network Node Interface           (nni)

Out of interest, the two default UNI ports are administratively shut, while the NNIs are not:

Switch#sh int status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        disabled     1            auto   auto Not Present
Gi0/2                        disabled     1            auto   auto Not Present
Gi0/3                        notconnect   1            auto   auto Not Present
Gi0/4                        notconnect   1            auto   auto Not Present

Let’s no shut interface gi0/1 and stick it in vlan 3:

Switch(config)#int gi0/1
Switch(config-if)#no shut
Switch(config-if)#switch access vlan 3
% Access VLAN does not exist. Creating vlan 3
Switch(config-if)#end
  • Notice that STP and CDP do not run on this uni port:
Switch#sh span interface gi0/1 detail
no spanning tree info available for GigabitEthernet0/1

Switch#show cdp int
GigabitEthernet0/3 is down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/4 is down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
  • UNI ports support EtherChannel in mode on only; there is no LACP or PAgP:
Switch(config-if)#channel-group 1 mode ?
  on  Enable Etherchannel only

Let’s change this to an NNI port to see what options we get:

Switch(config-if)#int gi0/1
Switch(config-if)#port-type nni
Switch(config-if)#channel-group 2 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
Switch#show cdp interface
GigabitEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/3 is down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/4 is down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds

 Switch#sh span int gi0/1 detail
 Port 56 (Port-channel1) of VLAN0003 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.56.
   Designated root has priority 32771, address 10bd.1804.7900
   Designated bridge has priority 32771, address 10bd.1804.7900
   Designated port id is 128.56, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 30, received 0
  • ENI acts like a UNI port, but gives you STP, CDP, and LACP/PAgP. However all of this is disabled by default
Switch(config)#int gi0/1
Switch(config-if)#port-type eni
Switch(config-if)#channel-group 3 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

Switch(config-if)#cdp ?
  enable  Enable CDP on interface

Switch(config-if)#spanning-tree
  • The spanning-tree mode is rapid by default. But this can be changed. As noted before I have not changed the mode of spanning tree yet:
Switch#sh span | include protocol
  Spanning tree enabled protocol rstp

This can be changed:

Switch(config)#spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
  • VTP is not supported:
Switch#sh vtp ?
% Unrecognized command
  • DTP is not supported. Either you run a static trunk or static access port. No DTP (Which I usually disable anyway)
Switch#sh int gi0/1 switchport  | include Nego
Negotiation of Trunking: Off
  • UNI and ENI ports cannot speak to each other by default. Only to an NNI port. This is similar to private-vlans (in particular, isolated private-vlans)
  • Note that private-vlans are still supported as a separate technology.

To view the type, check show vlan uni-vlan. When the table is empty, the VLAN is the default 'isolated' type (annoyingly, the default isn't shown explicitly):

Switch#sh vlan uni-vlan

VLAN Type              Ports
---- ----------------- -------------------------------------------------------

You can change this to act like a community private vlan. This is so ENI/UNI ports in the same vlan can speak to each other, as well as the NNI port in the same vlan:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 3
Switch(config-vlan)#uni-vlan community
Switch(config-vlan)#end
Switch#
*Mar  1 00:33:02.706: %SYS-5-CONFIG_I: Configured from console by console
Switch#
Switch#sh vlan uni-vlan

VLAN Type              Ports
---- ----------------- -------------------------------------------------------
3    UNI community     Gi0/1
  • ISL is not supported. i.e. when configuring a trunk, you just need switchport mode trunk. No need to specify which type when there is only a single type.
  • These are the SDM types with this particular model:
Switch(config)#sdm prefer ?
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6
  layer-2             No routing
Switch#sh sdm prefer
 The current template is "default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  5K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    9K
    number of directly-connected IPv4 hosts:        5K
    number of indirect IPv4 routes:                 4K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
  • MPLS is not supported:
Switch(config)#mpls ?
% Unrecognized command
  • MLS QoS is not supported, but MQC QoS is supported.
  • Pretty much everything else is like a regular 3560/3750 switch

Inter-Area MPLS RSVP-TE interop with IOS and Junos

A big advantage of using a single IGP area is RSVP-TE. The TE information is carried in OSPF type 10 opaque LSAs, which have area-local scope, so for an end-to-end RSVP-TE signalled LSP you would apparently need all your routers in the same area.

This is not 100% true.

I'm a firm believer in a single area in an ISP network. However, there may come a time when you simply have to have an LSP span multiple areas. I'll show how this is easily done on Junos and IOS.

RFC 4105 has all the technical details about requirements for this.

Let’s configure the following:

JR1 and JR2 are Junos routers of course.

Config

Cisco P routers

Nothing too complicated here. All you need to do is ensure that MPLS traffic engineering is enabled globally and on the transit interfaces, and that the correct areas are enabled for TE under OSPF. This is R2's relevant config:

mpls traffic-eng tunnels
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.0.23.2 255.255.255.0
 ip ospf 1 area 0
 mpls traffic-eng tunnels
!
interface FastEthernet1/0
 ip address 10.0.12.2 255.255.255.0
 ip ospf 1 area 12
 mpls traffic-eng tunnels
!
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
 mpls traffic-eng area 12

Juniper P routers

With Junos you need to enable MPLS processing on the transit interfaces, as well as enable RSVP, OSPF, and MPLS on the transit interfaces under the protocols stanza. This is JR1:

JR1> show configuration interfaces ge-0/0/1.504
vlan-id 504;
family inet {
    address 10.0.16.1/24;
}
family mpls;

JR1> show configuration interfaces ge-0/0/1.503
vlan-id 503;
family inet {
    address 10.0.21.1/24;
}
family mpls;

JR1> show configuration protocols
rsvp {
    interface ge-0/0/1.503;
    interface ge-0/0/1.504;
}
mpls {
    expand-loose-hop;
    interface ge-0/0/1.503;
    interface ge-0/0/1.504;
}
ospf {
    traffic-engineering;
    area 0.0.0.124 {
        interface ge-0/0/1.503;
        interface ge-0/0/1.504;
        interface lo0.11;
    }
}

For inter-area TE to work on Junos, you must configure expand-loose-hop under the MPLS stanza on your P routers; without it the ABR will not run CSPF to expand the loose hop into the next area.

Cisco PE routers

With inter-area TE, your loose hops need to point at devices that hold TE information for the next area, which means the ABRs. I'll set up an explicit path that goes to R2, then R4, then off to JR2. That path is then referred to in the tunnel configuration:

ip explicit-path name TO-JR2 enable
 next-address loose 2.2.2.2
 next-address loose 4.4.4.4
 next-address loose 200.200.200.200
!
interface Tunnel200
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 200.200.200.200
 tunnel mpls traffic-eng autoroute destination
 tunnel mpls traffic-eng path-option 5 explicit name TO-JR2

tunnel mpls traffic-eng autoroute destination installs a static route to 200.200.200.200 via the tunnel once it's up, which is what sends traffic for JR2's loopback down the LSP.

Juniper PE routers

Junos is almost the same. One difference being that you have to state to the OS that this LSP will traverse multiple areas:

JR2> show configuration protocols mpls
label-switched-path TO-R1 {
    from 200.200.200.200;
    to 1.1.1.1;
    inter-domain;
    primary TO-R1;
}
path TO-R1 {
    4.4.4.4 loose;
    2.2.2.2 loose;
    1.1.1.1 loose;
}
interface ge-0/0/1.503;

Note the inter-domain config under the LSP config

Verification

Let’s check the LSP from R1 to JR2:

R1#sh mpls traffic-eng tunnels tunnel 200

Name: R1_t200                             (Tunnel200) Destination: 200.200.200.200
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected
    path option 5, type explicit TO-JR2 (Basis for Setup, path weight 1)

  Config Parameters:
    Bandwidth: 0        kbps (Global)  Priority: 7  7   Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute announce: enabled  LockDown: disabled Loadshare: 0        bw-based
    auto-bw: disabled
  Active Path Option Parameters:
    State: explicit path option 5 is active
    BandwidthOverride: disabled  LockDown: disabled  Verbatim: disabled


  InLabel  :  -
  OutLabel : FastEthernet0/0, 16
  Next Hop : 10.0.12.2
  RSVP Signalling Info:
       Src 1.1.1.1, Dst 200.200.200.200, Tun_Id 200, Tun_Instance 7
    RSVP Path Info:
      My Address: 10.0.12.1
      Explicit Route: 10.0.12.2 2.2.2.2 4.4.4.4* 200.200.200.200*
      Record   Route:
      Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
    RSVP Resv Info:
      Record   Route:  10.0.23.2 10.0.34.3 10.0.16.6 10.0.16.1
                       10.0.21.2
      Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
  Shortest Unconstrained Path Info:
    Path Weight: UNKNOWN
    Explicit Route:  UNKNOWN
  History:
    Tunnel:
      Time since created: 12 minutes, 57 seconds
      Time since path change: 12 minutes, 12 seconds
      Number of LSP IDs (Tun_Instances) used: 7
    Current LSP: [ID: 7]
      Uptime: 12 minutes, 12 seconds

All looks good. Let’s run a traceroute to JR2:

R1#traceroute 200.200.200.200

Type escape sequence to abort.
Tracing the route to 200.200.200.200

  1 10.0.12.2 [MPLS: Label 16 Exp 0] 52 msec 8 msec 16 msec
  2 10.0.23.3 [MPLS: Label 16 Exp 0] 20 msec 8 msec 16 msec
  3 10.0.34.4 [MPLS: Label 16 Exp 0] 12 msec 8 msec 12 msec
  4 10.0.16.1 [MPLS: Label 299920 Exp 0] 12 msec 12 msec 24 msec
  5 200.200.200.200 16 msec 24 msec 44 msec

Looks good from there. Let’s check JR2:

JR2> show mpls lsp ingress detail
Ingress LSP: 1 sessions

1.1.1.1
  From: 200.200.200.200, State: Up, ActiveRoute: 0, LSPname: TO-R1
  ActivePath: TO-R1 (primary)
  PathDomain: Inter-domain
  LSPtype: Static Configured
  LoadBalance: Random
  Encoding type: Packet, Switching type: Packet, GPID: IPv4
 *Primary   TO-R1            State: Up
    Priorities: 7 0
    SmartOptimizeTimer: 180
    Computed ERO (S [L] denotes strict [loose] hops): (CSPF metric: 2)
 10.0.21.1 S 10.0.16.6 S 2.2.2.2 L 1.1.1.1 L
    Received RRO (ProtectionFlag 1=Available 2=InUse 4=B/W 8=Node 10=SoftPreempt 20=Node-ID):
          10.0.21.1 10.0.34.4 10.0.23.3 10.0.12.2 10.0.12.1
Total 1 displayed, Up 1, Down 0

In Junos, RSVP LSP routes land in inet.3, which is only used to resolve BGP next hops by default, so a plain traceroute to 1.1.1.1 won't show labelled hops. show route does, however, show 1.1.1.1 in inet.3 as an RSVP route, and that is what BGP next-hop resolution will use:

JR2> show route 1.1.1.1

inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 00:17:23, metric 6
                    > to 10.0.21.1 via ge-0/0/1.503

inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[RSVP/7/1] 00:17:02, metric 6
                    > to 10.0.21.1 via ge-0/0/1.503, label-switched-path TO-R1
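Both IOS tunnel outputs on this page (Tunnel4 in the RSVP-TE without IGP post and Tunnel200 here) have the same shape, and the two things worth checking by script are the same in both: which hops the headend expanded itself versus left with the trailing * that IOS puts on hops it is still treating as loose, and what path the Resv RRO actually recorded. As an added example (not from the post), this Python parser reads show mpls traffic-eng tunnels output, including IOS's wrapped Record Route continuation lines, and checks that the LSP is up and that it really crossed the Junos side. The sample is a trimmed copy of the Tunnel200 output above, and the addresses it checks for are the ones in that RRO.

```python
import re

# Trimmed copy of the "sh mpls traffic-eng tunnels tunnel 200" output shown above,
# used as sample input for the parser.
SAMPLE = """\
Name: R1_t200                             (Tunnel200) Destination: 200.200.200.200
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected
    path option 5, type explicit TO-JR2 (Basis for Setup, path weight 1)

  InLabel  :  -
  OutLabel : FastEthernet0/0, 16
  Next Hop : 10.0.12.2
  RSVP Signalling Info:
       Src 1.1.1.1, Dst 200.200.200.200, Tun_Id 200, Tun_Instance 7
    RSVP Path Info:
      My Address: 10.0.12.1
      Explicit Route: 10.0.12.2 2.2.2.2 4.4.4.4* 200.200.200.200*
      Record   Route:
      Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
    RSVP Resv Info:
      Record   Route:  10.0.23.2 10.0.34.3 10.0.16.6 10.0.16.1
                       10.0.21.2
      Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
  Shortest Unconstrained Path Info:
    Path Weight: UNKNOWN
    Explicit Route:  UNKNOWN
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
NAME_RE = re.compile(r"^Name: (?P<name>\S+)\s+\((?P<intf>[^)]+)\)\s+Destination: (?P<dst>" + IP + ")")
STATUS_RE = re.compile(r"Admin: (?P<admin>\S+)\s+Oper: (?P<oper>\S+)\s+Path: (?P<path>\S+)\s+Signalling: (?P<sig>\S+)")
ERO_RE = re.compile(r"Explicit Route:\s*(?P<hops>.*)$")
RRO_RE = re.compile(r"Record\s+Route:\s*(?P<hops>.*)$")
IPS_ONLY_RE = re.compile(r"^\s+(?:" + IP + r"\s*)+$")   # wrapped RRO continuation line


def parse_tunnels(text):
    """One dict per 'Name:' block: state, ERO (with loose hops), Path RRO and Resv RRO."""
    tunnels, cur, section, in_rro = [], None, None, False
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            cur = {"name": m["name"], "interface": m["intf"], "destination": m["dst"],
                   "ero": [], "loose": [], "path_rro": [], "resv_rro": []}
            tunnels.append(cur)
            section, in_rro = None, False
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("RSVP Path Info"):
            section, in_rro = "path", False
            continue
        if s.startswith("RSVP Resv Info"):
            section, in_rro = "resv", False
            continue
        if s.startswith("Shortest Unconstrained Path Info") or s.startswith("History"):
            section, in_rro = None, False    # these blocks repeat "Explicit Route:" for other purposes
            continue
        m = STATUS_RE.search(line)
        if m:
            cur.update(admin=m["admin"], oper=m["oper"], path=m["path"], signalling=m["sig"])
            continue
        m = ERO_RE.search(line)
        if m and section == "path":
            for hop in m["hops"].split():      # trailing * = hop the headend left loose
                cur["ero"].append(hop.rstrip("*"))
                if hop.endswith("*"):
                    cur["loose"].append(hop.rstrip("*"))
            continue
        m = RRO_RE.search(line)
        if m and section:
            cur[section + "_rro"].extend(m["hops"].split())
            in_rro = True                     # IOS wraps long RROs onto indented lines
            continue
        if in_rro and IPS_ONLY_RE.match(line):
            cur[section + "_rro"].extend(s.split())
            continue
        in_rro = False
    return tunnels


def is_up(t):
    return t.get("admin") == "up" and t.get("oper") == "up" and t.get("signalling") == "connected"


def traverses_in_order(t, required):
    """True if every address in required appears in the Resv RRO, in that order."""
    pos = 0
    for addr in required:
        try:
            pos = t["resv_rro"].index(addr, pos) + 1
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE):
        print(f"{t['name']} -> {t['destination']}: {'up' if is_up(t) else 'DOWN'}")
        print("  hops left loose for downstream expansion:", t["loose"])
        print("  recorded path:", " ".join(t["resv_rro"]))
        print("  crosses the Junos side:", traverses_in_order(t, ["10.0.16.6", "10.0.16.1", "10.0.21.2"]))
```

The Path RRO comes back empty here because the headend prints the Resv-side RRO only, so the check works on resv_rro; for the Tunnel4 output in the earlier post the same code reports 3.3.3.3 and 4.4.4.4 as the loose hops and 20.0.23.2 20.0.34.3 20.0.34.4 as the recorded path.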

Notes

This also works with IS-IS. Instead of loose hopping to ABR routers, you simply loose hop to your L1/L2 boundary router.

Checking your BGP MSS on Junos and IOS

Oddly enough, neither platform shows you directly what your MSS between your BGP speakers is. Quite annoying. To quickly check on Junos do this:

junos> show system connections extensive |  match "179|mss"
tcp4       0      0  10.250.8.9.59064                         10.0.1.89.179
    rttmin:       1000  mss:        512
tcp4       0      0  10.0.0.1.65081                         10.1.0.1.179
    rttmin:       1000  mss:        492
tcp4       0      0  10.10.0.1.56298                            10.20.0.1.179
    rttmin:       1000  mss:       1440

For IOS its quite similar:

par8.the1#show tcp      | include .179|Datagrams
Foreign host: 10.20.30.1, Foreign port: 179
Datagrams (max data segment is 556 bytes):
Foreign host: 10.30.20.1, Foreign port: 179
Datagrams (max data segment is 8860 bytes):

It would be nice if this were shown in the actual BGP neighbour output, but BGP does ride on top of TCP so…

EDIT: Actually IOS does show this in a neighbour command:

R2#show bgp vpnv4 unicast all neighbors 19.19.19.19 | include Data
Datagrams (max data segment is 1460 bytes):
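Both outputs are easy to script over, which is what you want once there are more than a couple of peers to audit. As an added example (not from the post), here is a Python script that parses the two formats shown above, keeps the sessions on port 179, and compares each MSS with what a given MTU allows (MTU minus 20 bytes of IPv4 header and 20 bytes of TCP header, so 1460 for 1500). The sample inputs are the two outputs from the post; the 1500-byte MTU and the low/high verdicts are assumptions of the check, not anything the page says about those sessions.

```python
import re

# The Junos and IOS outputs from the post, used here as sample input.
JUNOS_SAMPLE = """\
tcp4       0      0  10.250.8.9.59064                         10.0.1.89.179
    rttmin:       1000  mss:        512
tcp4       0      0  10.0.0.1.65081                         10.1.0.1.179
    rttmin:       1000  mss:        492
tcp4       0      0  10.10.0.1.56298                            10.20.0.1.179
    rttmin:       1000  mss:       1440
"""
IOS_SAMPLE = """\
Foreign host: 10.20.30.1, Foreign port: 179
Datagrams (max data segment is 556 bytes):
Foreign host: 10.30.20.1, Foreign port: 179
Datagrams (max data segment is 8860 bytes):
"""

JUNOS_CONN_RE = re.compile(r"^tcp[46]\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)")
JUNOS_MSS_RE = re.compile(r"\bmss:\s+(?P<mss>\d+)")
IOS_HOST_RE = re.compile(r"Foreign host: (?P<host>\S+), Foreign port: (?P<port>\d+)")
IOS_MSS_RE = re.compile(r"max data segment is (?P<mss>\d+) bytes")


def _split_endpoint(endpoint):
    """Junos prints 'a.b.c.d.port'; the port is whatever follows the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_junos(text):
    """Pair each 'tcp4 ...' line with the 'mss:' line that follows it; keep BGP sessions only."""
    sessions, pending = [], None
    for line in text.splitlines():
        m = JUNOS_CONN_RE.match(line)
        if m:
            local, lport = _split_endpoint(m["local"])
            remote, rport = _split_endpoint(m["remote"])
            pending = {"platform": "junos", "peer": remote, "local": local} if 179 in (lport, rport) else None
            continue
        m = JUNOS_MSS_RE.search(line)
        if m and pending is not None:
            pending["mss"] = int(m["mss"])
            sessions.append(pending)
            pending = None
    return sessions


def parse_ios(text):
    """Pair each 'Foreign host' line with the 'Datagrams (max data segment ...)' line after it."""
    sessions, pending = [], None
    for line in text.splitlines():
        m = IOS_HOST_RE.search(line)
        if m:
            pending = {"platform": "ios", "peer": m["host"]} if m["port"] == "179" else None
            continue
        m = IOS_MSS_RE.search(line)
        if m and pending is not None:
            pending["mss"] = int(m["mss"])
            sessions.append(pending)
            pending = None
    return sessions


def expected_mss(mtu, ip_header=20, tcp_header=20):
    """Largest segment that fits the MTU with plain IPv4 and TCP headers (no options)."""
    return mtu - ip_header - tcp_header


def audit(sessions, mtu=1500):
    """Tag each session: 'high' if segments would not fit the MTU (so you are relying on
    PMTUD or fragmentation), 'low' if UPDATEs are being cut into more segments than the
    link needs, 'ok' otherwise. The MTU is an assumption you pass in."""
    target = expected_mss(mtu)
    report = []
    for s in sessions:
        if s["mss"] > target:
            verdict = "high"
        elif s["mss"] < target:
            verdict = "low"
        else:
            verdict = "ok"
        report.append(dict(s, expected=target, verdict=verdict))
    return report


if __name__ == "__main__":
    for r in audit(parse_junos(JUNOS_SAMPLE) + parse_ios(IOS_SAMPLE), mtu=1500):
        print(f"{r['platform']:5} peer {r['peer']:12} mss {r['mss']:5}  (expected {r['expected']})  {r['verdict']}")
```

The IOS parser only understands the lines the page's include filter leaves behind, so sessions the peer initiated (port 179 on the local side) need the Local host line added to the filter and the regex.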