Wednesday, 29 April 2015

MPLS VPN Layer 3 - Cisco IOS vs Juniper JunOS

In this post we look at another operating system, this one specific to Juniper equipment: JunOS. I consider it very well suited to a working environment where configuration mistakes can be undone very easily by reverting to a previous configuration with a single command, rollback. Another advantage is the commit command, which means we never end up with intermediate or incomplete configurations.

The key elements are:

  • P2 and PE2 run JunOS
  • P1 and PE1 run IOS
  • between PE1 and PE2 there is an iBGP VPNv4 session
  • on each PE I defined two VRFs (VPN-A and VPN-B) with the same addressing plan, to verify correct isolation in both the control plane and the data plane

Topology


P router configs

P1
interface Loopback0
ip address 11.11.11.11 255.255.255.255

!Fa0/0.5 - link to PE1
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 172.16.5.1 255.255.255.0
ip router isis AS100
mpls ip

!Fa0/0.10 - link to P2
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 172.16.10.2 255.255.255.0
ip router isis AS100
mpls ip

mpls ldp router-id Loopback0 force

router isis AS100
is-type level-2-only
net 49.0001.0110.1101.1011.00
passive-interface Loopback0
P2
interfaces {
em0 {
vlan-tagging;

/* unit 10 - link to P1 */
unit 10 {
vlan-id 10;
family inet {
address 172.16.10.1/24;
}
family iso;
family mpls;
}

/* unit 20 - link to PE2 */
unit 20 {
vlan-id 20;
family inet {
address 172.16.20.1/24;
}
family iso;
family mpls;
}
}
lo0 {
unit 1 {
family inet {
address 1.1.1.0/32;
}
family iso {
address 49.0001.0010.0100.1001.00;
}
family mpls;
}
}
}

protocols {
mpls {
interface em0.10;
interface em0.20;
}

isis {
level 1 disable;
interface em0.10;
interface em0.20;
interface lo0.1 {
passive;
}
}

ldp {
interface em0.10;
interface em0.20;
}
}

PE router configs

PE1
ip vrf VPN-A
rd 100:1
route-target export 100:1
route-target import 100:1

ip vrf VPN-B
rd 100:2
route-target export 100:2
route-target import 100:2

interface Loopback0
ip address 22.22.22.22 255.255.255.255

interface Loopback10
ip vrf forwarding VPN-A
ip address 10.1.1.1 255.255.255.255

interface Loopback20
ip vrf forwarding VPN-B
ip address 10.1.1.1 255.255.255.255

!Fa0/0.5 - link to P1
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 172.16.5.2 255.255.255.0
ip router isis AS100
mpls ip

router isis AS100
net 49.0001.0220.2202.2022.00
passive-interface Loopback0

router bgp 100
no bgp default ipv4-unicast

!iBGP VPNv4 session with PE2
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0

address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family

address-family ipv4 vrf VPN-B
redistribute connected
exit-address-family

address-family ipv4 vrf VPN-A
redistribute connected
exit-address-family
PE2
interfaces {
em0 {
vlan-tagging;
unit 20 {
vlan-id 20;
family inet {
address 172.16.20.2/24;
}
family iso;
family mpls;
}
}

lo0 {
unit 1 {
family inet {
address 2.2.2.2/32;
}
family iso {
address 49.0001.0020.0200.2002.00;
}
}
unit 10 {
family inet {
address 10.2.2.2/32;
}
}
unit 20 {
family inet {
address 10.2.2.2/32;
}
}
}
}

protocols {
mpls {
interface em0.20;
}

bgp {
group iBGP {
local-address 2.2.2.2;
peer-as 100;
local-as 100;
neighbor 22.22.22.22 {
family inet-vpn {
unicast;
}
}
}
}

isis {
level 1 disable;
interface em0.20;
interface lo0.1;
}

ldp {
interface em0.20;
interface lo0.1;
}
}

routing-instances {
VPN-A {
instance-type vrf;
interface lo0.10;
route-distinguisher 100:1;
vrf-target {
import target:100:1;
export target:100:1;
}
vrf-table-label;
}

VPN-B {
instance-type vrf;
interface lo0.20;
route-distinguisher 100:2;
vrf-target {
import target:100:2;
export target:100:2;
}
vrf-table-label;
}
}

To test, you can use the commands ping 10.1.1.1 routing-instance VPN-A and ping 10.1.1.1 routing-instance VPN-B from router PE2.

Those who want to dig deeper are invited to the Cisco Netschool academy courses.

Tuesday, 14 April 2015

MPLS VPN Layer 3 - IOS vs IOS XR

In this post we look at another operating system specific to Cisco equipment, namely IOS XR. There are a few differences from IOS, but I managed to configure what this scenario needed without much effort. My JunOS knowledge (the operating system on Juniper equipment) helped a lot, and soon I will present a comparison between IOS and JunOS as well.

The key elements are:

  • P2 and PE2 run IOS XR
  • P1 and PE1 run IOS
  • between PE1 and PE2 there is an iBGP VPNv4 session in which PE2 is also a Route Reflector, although that was not necessary in this scenario
  • on each PE I defined two VRFs (VPN-A and VPN-B) with the same addressing plan, to verify correct isolation in both the control plane and the data plane

Topology


P router configs

P1
hostname P1

interface Loopback0
ip address 3.3.3.3 255.255.255.255

!Gi2.942 - link to PE1
interface GigabitEthernet2.942
encapsulation dot1Q 942
ip address 172.16.32.3 255.255.255.0
ip router isis AS100
mpls ip
mpls label protocol ldp

!Gi2.943 - link to P2
interface GigabitEthernet2.943
encapsulation dot1Q 943
ip address 172.16.43.3 255.255.255.0
ip router isis AS100
mpls ip
mpls label protocol ldp

router isis AS100
net 49.0001.0030.0300.3003.00
is-type level-2-only
passive-interface Loopback0
P2
hostname P2

interface Loopback0
ipv4 address 4.4.4.4 255.255.255.255

!Gi0/0/0/4.845 - link to PE2
interface GigabitEthernet0/0/0/4.845
ipv4 address 172.16.45.4 255.255.255.0
encapsulation dot1q 845

!Gi0/0/0/4.943 - link to P1
interface GigabitEthernet0/0/0/4.943
ipv4 address 172.16.43.4 255.255.255.0
encapsulation dot1q 943

router isis AS100
is-type level-2-only
net 49.0001.0040.0400.4004.00
interface Loopback0
passive
address-family ipv4 unicast

interface GigabitEthernet0/0/0/4.845
address-family ipv4 unicast

interface GigabitEthernet0/0/0/4.943
address-family ipv4 unicast

mpls ldp
router-id 4.4.4.4

interface GigabitEthernet0/0/0/4.845

interface GigabitEthernet0/0/0/4.943

PE router configs

PE1
hostname PE1

ip vrf VPN-A
rd 1:1
route-target export 100:1
route-target import 100:1

ip vrf VPN-B
rd 1:2
route-target export 100:2
route-target import 100:2

interface Loopback0
ip address 2.2.2.2 255.255.255.255

interface Loopback10
ip vrf forwarding VPN-A
ip address 10.1.1.1 255.255.255.0

interface Loopback20
ip vrf forwarding VPN-B
ip address 10.1.1.1 255.255.255.0

!Gi2.942 - link to P1
interface GigabitEthernet2.942
encapsulation dot1Q 942
ip address 172.16.32.2 255.255.255.0
ip router isis AS100
mpls ip
mpls label protocol ldp

router isis AS100
net 49.0001.0020.0200.2002.00
is-type level-2-only
passive-interface Loopback0

router bgp 100

no bgp default ipv4-unicast

!iBGP VPNv4 with PE2
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 update-source Loopback0

address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
exit-address-family

address-family ipv4 vrf VPN-A
redistribute connected
exit-address-family

address-family ipv4 vrf VPN-B
redistribute connected
exit-address-family
PE2
hostname PE2

vrf VPN-A
address-family ipv4 unicast
import route-target
100:1
export route-target
100:1

vrf VPN-B
address-family ipv4 unicast
import route-target
100:2
export route-target
100:2

interface Loopback0
ipv4 address 5.5.5.5 255.255.255.255

interface Loopback10
vrf VPN-A
ipv4 address 10.2.2.2 255.255.255.255

interface Loopback20
vrf VPN-B
ipv4 address 10.2.2.2 255.255.255.255

!Gi0/0/0/4.845 - leg catre P2
interface GigabitEthernet0/0/0/4.845
ipv4 address 172.16.45.5 255.255.255.0
encapsulation dot1q 845

router isis AS100
is-type level-2-only
net 49.0001.0050.0500.5005.00
interface Loopback0
passive
address-family ipv4 unicast

interface GigabitEthernet0/0/0/4.845
address-family ipv4 unicast

router bgp 100
address-family vpnv4 unicast

!iBGP VPNv4 with PE1
neighbor 2.2.2.2
remote-as 100
update-source Loopback0
address-family vpnv4 unicast
route-reflector-client

vrf VPN-A
rd 1:1
address-family ipv4 unicast
redistribute connected

vrf VPN-B
rd 1:2
address-family ipv4 unicast
redistribute connected

mpls ldp
router-id 5.5.5.5
interface GigabitEthernet0/0/0/4.845

Now you can test with the commands ping vrf VPN-A 10.2.2.2 source lo10 and ping vrf VPN-B 10.2.2.2 source lo20 from router PE1. Mirrored, the same commands can be used on router PE2.
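The ping tests above only exercise the data plane. As an added example (not code from the original posts), the Python model below reproduces the control-plane side of both this post and the IOS vs JunOS post above: each PE prepends its VRF's RD to the connected prefix, tags it with the export route-target, and the remote PE installs it only into VRFs whose import route-target matches. The RD/RT values and the identical 10.1.1.1/32 and 10.2.2.2/32 loopbacks are taken from the configs on this page; the check_isolation function and the "mistyped import RT" scenario are my additions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Vrf:
    """A VRF as configured on the PEs: RD plus import/export route-targets."""
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset


@dataclass(frozen=True)
class Vpnv4Route:
    """One VPNv4 NLRI: the RD prepended to the IPv4 prefix, the RT extended
    communities and, for bookkeeping only, where the route came from."""
    rd: str
    prefix: IPv4Network
    rts: frozenset
    origin_pe: str
    origin_vrf: str


def export_routes(pe, vrfs, connected):
    """What a PE advertises over the iBGP VPNv4 session: every connected
    prefix in a VRF ('redistribute connected') becomes RD:prefix tagged
    with that VRF's export RTs ('route-target export')."""
    routes = []
    for vrf in vrfs:
        for prefix in connected.get(vrf.name, []):
            routes.append(Vpnv4Route(vrf.rd, ip_network(prefix),
                                     vrf.export_rt, pe, vrf.name))
    return routes


def import_routes(vrfs, received):
    """Install a received VPNv4 route into every local VRF whose import RTs
    intersect the route's RTs ('route-target import'). Tables are keyed by
    (RD, prefix), which is why 10.1.1.1/32 from VPN-A and from VPN-B stay
    distinct even though the IPv4 prefix is identical."""
    tables = {vrf.name: {} for vrf in vrfs}
    for route in received:
        for vrf in vrfs:
            if vrf.import_rt & route.rts:
                tables[vrf.name][(route.rd, route.prefix)] = route
    return tables


def check_isolation(tables):
    """Control-plane isolation check: report every route that landed in a
    VRF other than the one it originated in on the remote PE."""
    leaks = []
    for vrf_name, table in tables.items():
        for route in table.values():
            if route.origin_vrf != vrf_name:
                leaks.append((vrf_name, route.origin_vrf, str(route.prefix)))
    return sorted(leaks)


# Values from the page: RD/RT 100:1 for VPN-A, 100:2 for VPN-B, and the same
# 10.1.1.1/32 (PE1) and 10.2.2.2/32 (PE2) loopback address in both VRFs.
VPN_A = Vrf("VPN-A", "100:1", frozenset({"100:1"}), frozenset({"100:1"}))
VPN_B = Vrf("VPN-B", "100:2", frozenset({"100:2"}), frozenset({"100:2"}))
PE1_CONNECTED = {"VPN-A": ["10.1.1.1/32"], "VPN-B": ["10.1.1.1/32"]}
PE2_CONNECTED = {"VPN-A": ["10.2.2.2/32"], "VPN-B": ["10.2.2.2/32"]}


def simulate(pe2_vpn_b_import=frozenset({"100:2"})):
    """Exchange routes between PE1 and PE2 and return each PE's VRF tables.
    pe2_vpn_b_import models a mistyped 'route-target import' on PE2's VPN-B
    (a constructed failure case, not something on the page)."""
    pe1_vrfs = [VPN_A, VPN_B]
    pe2_vrfs = [VPN_A, Vrf("VPN-B", "100:2", frozenset({"100:2"}), pe2_vpn_b_import)]
    return {
        "PE1": import_routes(pe1_vrfs, export_routes("PE2", pe2_vrfs, PE2_CONNECTED)),
        "PE2": import_routes(pe2_vrfs, export_routes("PE1", pe1_vrfs, PE1_CONNECTED)),
    }


if __name__ == "__main__":
    for label, tables in (("correct RTs", simulate()),
                          ("VPN-B also imports 100:1", simulate(frozenset({"100:1", "100:2"})))):
        print(label, "-> leaks on PE2:", check_isolation(tables["PE2"]))
```

With the page's RTs, check_isolation returns an empty list on both PEs; adding 100:1 to VPN-B's import list on PE2 makes VPN-A's 10.1.1.1/32 appear in VPN-B, which is exactly the leak the two-VRFs-same-addressing test is meant to catch before a ping would reveal it.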

Those who want to dig deeper are invited to the Cisco Netschool academy courses.

Wednesday, 1 April 2015

MPLS Carrier Supporting Carrier

In this post we cover the routing of VPNv4 unicast traffic between the two halves of the same AS (AS 100) across the MPLS network of another provider (AS 200).

The key elements are:
- MPLS VPN Layer 3 in the AS 200 network, into which the two AS 100 ASBRs are connected
- MPLS VPN Layer 3 in the AS 100 network, into which the two CPEs are connected
- eBGP IPv4 session with the send-label option between the AS 100 ASBRs and the AS 200 PEs
- iBGP VPNv4 session between the AS 200 PEs to which the AS 100 ASBRs are directly connected
- iBGP VPNv4 session between the AS 100 PEs to which the CPEs are directly connected
- in the AS100 provider network an MPLS Layer 3 VPN is defined for the customer that manages the CPEs
- in the AS200 provider network an MPLS Layer 3 VPN is defined for provider AS100

Topology

AS200 router configs

PE2001
hostname PE2001

ip vrf ISP100
rd 200:1
route-target export 200:1
route-target import 200:1

interface Loopback1
ip address 2.2.2.2 255.255.255.255

!Ethernet0/0.24 - link to BR1001
interface Ethernet0/0.24
encapsulation dot1Q 24
ip vrf forwarding ISP100
ip address 192.168.24.2 255.255.255.0

!Ethernet0/1.12 - link to P200
interface Ethernet0/1.12
encapsulation dot1Q 12
ip address 172.16.12.2 255.255.255.0
ip router isis 1
mpls ip

router isis 1
net 49.0001.0020.0200.2002.00
is-type level-2-only
passive-interface Loopback1

router bgp 200

!iBGP VPNv4 with PE2002
neighbor 3.3.3.3 remote-as 200
neighbor 3.3.3.3 update-source Loopback1

address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
neighbor 3.3.3.3 next-hop-self
exit-address-family

address-family ipv4 vrf ISP100
!eBGP IPv4 with BR1001
neighbor 192.168.24.4 remote-as 100
neighbor 192.168.24.4 activate
neighbor 192.168.24.4 as-override
neighbor 192.168.24.4 send-label
exit-address-family
P200
hostname P200

interface Loopback1
ip address 1.1.1.1 255.255.255.255

!Ethernet0/1.12 - link to PE2001
interface Ethernet0/1.12
encapsulation dot1Q 12
ip address 172.16.12.1 255.255.255.0
ip router isis 1
mpls ip

!Ethernet0/1.13 - link to PE2002
interface Ethernet0/1.13
encapsulation dot1Q 13
ip address 172.16.13.1 255.255.255.0
ip router isis 1
mpls ip

router isis 1
net 49.0001.0010.0100.1001.00
is-type level-2-only
passive-interface Loopback1
PE2002
hostname PE2002

ip vrf ISP100
rd 200:1
route-target export 200:1
route-target import 200:1

interface Loopback1
ip address 3.3.3.3 255.255.255.255

!Ethernet0/0.36 - link to BR1002
interface Ethernet0/0.36
encapsulation dot1Q 36
ip vrf forwarding ISP100
ip address 192.168.36.3 255.255.255.0

!Ethernet0/1.13 - link to P200
interface Ethernet0/1.13
encapsulation dot1Q 13
ip address 172.16.13.3 255.255.255.0
ip router isis 1
mpls ip

router isis 1
net 49.0001.0030.0300.3003.00
is-type level-2-only
passive-interface Loopback1

router bgp 200

!iBGP VPNv4 with PE2001
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 update-source Loopback1

address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 2.2.2.2 next-hop-self
exit-address-family

address-family ipv4 vrf ISP100
!eBGP IPv4 with BR1002
neighbor 192.168.36.6 remote-as 100
neighbor 192.168.36.6 activate
neighbor 192.168.36.6 as-override
neighbor 192.168.36.6 send-label
exit-address-family

AS100 router configs - left side

BR1001

hostname BR1001

interface Loopback1
ip address 4.4.4.4 255.255.255.255

!Ethernet0/0.24 - link to PE2001
interface Ethernet0/0.24
encapsulation dot1Q 24
ip address 192.168.24.4 255.255.255.0

!Ethernet0/0.45 - link to P1001
interface Ethernet0/0.45
encapsulation dot1Q 45
ip address 10.0.45.4 255.255.255.0
mpls ip

router ospf 1
router-id 4.4.4.4
redistribute bgp 100 subnets
network 4.4.4.4 0.0.0.0 area 0
network 10.0.45.4 0.0.0.0 area 0

ip prefix-list 1 seq 5 permit 11.11.11.11/32
route-map Loopbacks permit 10
match ip address prefix-list 1

router bgp 100

no bgp default ipv4-unicast
!eBGP IPv4 with PE2001
neighbor 192.168.24.2 remote-as 200

address-family ipv4
redistribute ospf 1 route-map Loopbacks
neighbor 192.168.24.2 activate
neighbor 192.168.24.2 send-label
exit-address-family
P1001

interface Loopback1
ip address 5.5.5.5 255.255.255.255

!Ethernet0/0.5 - link to PE1001
interface Ethernet0/0.5
encapsulation dot1Q 5
ip address 10.0.5.5 255.255.255.0
mpls ip

!Ethernet0/0.45 - link to BR1001
interface Ethernet0/0.45
encapsulation dot1Q 45
ip address 10.0.45.5 255.255.255.0
mpls ip

router ospf 1
router-id 5.5.5.5
network 5.5.5.5 0.0.0.0 area 0
network 10.0.5.5 0.0.0.0 area 0
network 10.0.45.5 0.0.0.0 area 0
PE1001

hostname PE1001

ip vrf Client
rd 100:1
route-target export 100:1
route-target import 100:1

interface Loopback1
ip address 11.11.11.11 255.255.255.255

!Ethernet0/0.5 - link to P1001
interface Ethernet0/0.5
encapsulation dot1Q 5
ip address 10.0.5.11 255.255.255.0
mpls ip

!Ethernet0/0.200 - link to CPE1
interface Ethernet0/0.200
encapsulation dot1Q 200
ip vrf forwarding Client
ip address 100.50.25.1 255.255.255.0

router ospf 1
router-id 11.11.11.11
network 10.0.5.11 0.0.0.0 area 0
network 11.11.11.11 0.0.0.0 area 0

ip route vrf Client 22.22.22.22 255.255.255.255 100.50.25.2

router bgp 100

no bgp default ipv4-unicast
!iBGP VPNv4 with PE1002
neighbor 8.8.8.8 remote-as 100
neighbor 8.8.8.8 update-source Loopback1

address-family vpnv4
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community both
exit-address-family

address-family ipv4 vrf Client
redistribute connected
redistribute static
exit-address-family

AS100 router configs - right side

BR1002

hostname BR1002

interface Loopback1
ip address 6.6.6.6 255.255.255.255

!Ethernet0/0.36 - link to PE2002
interface Ethernet0/0.36
encapsulation dot1Q 36
ip address 192.168.36.6 255.255.255.0
!Ethernet0/0.67 - link to P1002
interface Ethernet0/0.67
encapsulation dot1Q 67
ip address 172.16.67.6 255.255.255.0
mpls ip
router ospf 1
router-id 6.6.6.6
redistribute bgp 100 subnets
network 6.6.6.6 0.0.0.0 area 0
network 172.16.67.6 0.0.0.0 area 0

ip prefix-list 1 seq 5 permit 8.8.8.8/32
route-map Loopback permit 10
match ip address prefix-list 1

router bgp 100

no bgp default ipv4-unicast
!eBGP IPv4 with PE2002
neighbor 192.168.36.3 remote-as 200

address-family ipv4
redistribute ospf 1 route-map Loopback
neighbor 192.168.36.3 activate
neighbor 192.168.36.3 send-label
exit-address-family
P1002

hostname P1002

interface Loopback1
ip address 7.7.7.7 255.255.255.255

!Ethernet0/0.67 - link to BR1002
interface Ethernet0/0.67
encapsulation dot1Q 67
ip address 172.16.67.7 255.255.255.0
mpls ip

!Ethernet0/0.78 - link to PE1002
interface Ethernet0/0.78
encapsulation dot1Q 78
ip address 172.16.78.7 255.255.255.0
mpls ip

router ospf 1
router-id 7.7.7.7
network 7.7.7.7 0.0.0.0 area 0
network 172.16.67.7 0.0.0.0 area 0
network 172.16.78.7 0.0.0.0 area 0

PE1002

hostname PE1002

ip vrf Client
rd 100:1
route-target export 100:1
route-target import 100:1

interface Loopback1
ip address 8.8.8.8 255.255.255.255

!Ethernet0/1.78 - link to P1002
interface Ethernet0/1.78
encapsulation dot1Q 78
ip address 172.16.78.8 255.255.255.0
mpls ip

!Ethernet0/1.300 - link to CPE2
interface Ethernet0/1.300
encapsulation dot1Q 300
ip vrf forwarding Client
ip address 200.100.50.1 255.255.255.0

router ospf 1
router-id 8.8.8.8
network 8.8.8.8 0.0.0.0 area 0
network 172.16.78.8 0.0.0.0 area 0

ip route vrf Client 33.33.33.33 255.255.255.255 200.100.50.2

router bgp 100

no bgp default ipv4-unicast
!iBGP VPNv4 with PE1001
neighbor 11.11.11.11 remote-as 100
neighbor 11.11.11.11 update-source Loopback1

address-family vpnv4
neighbor 11.11.11.11 activate
neighbor 11.11.11.11 send-community extended
exit-address-family

address-family ipv4 vrf Client
redistribute connected
redistribute static
exit-address-family

CPE router configs

CPE 1
hostname CPE1

interface Loopback1
ip address 22.22.22.22 255.255.255.255

!Ethernet0/0 - link to PE1001
interface Ethernet0/0
ip address 100.50.25.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 100.50.25.1
CPE 2
hostname CPE2

interface Loopback1
ip address 33.33.33.33 255.255.255.255

!Ethernet0/0 - link to PE1002
interface Ethernet0/0
ip address 200.100.50.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 200.100.50.1
At this point connectivity between 22.22.22.22 and 33.33.33.33 can be tested.
Happy studying, and those who want to dig deeper are welcome at the local Cisco Netschool academy courses, where I teach CCNA, CCNP and CCNA Security.

Monday, 16 March 2015

InterAS Multicast Routing

The problem analysed below is routing multicast traffic between a source in AS 100 and a receiver in AS 200. Moreover, I looked at a topology in which the Rendezvous Points (RPs) are not transited by the multicast traffic (everything I found were scenarios with the RP acting as the border router, so the traffic transits the RPs, which is rather unrealistic in my view).

A few key points:
- the RP in AS 100 is distributed automatically via Auto-RP, and in AS 200 via BSR
- there is a PIM adjacency between the ASBRs, but ASBR1 filters the multicast IP addresses on which Auto-RP messages are distributed, i.e. 224.0.1.39 (Auto-RP Announce) and 224.0.1.40 (Auto-RP Discovery); ASBR2 filters the BSR messages (I used the bsr-border option)
- eBGP session for the IPv4 multicast address-family between the ASBRs, for Reverse Path Forwarding (RPF)
- iBGP sessions for the IPv4 multicast address-family between the ASBRs and the routers of each AS, also for RPF; here I configured the ASBR to also be a Route Reflector for AFI/SAFI 1/2 (address-family IPv4 multicast)
- OSPF is the IGP in each AS, but the ASBRs have no OSPF adjacency with each other; they only originate a default route
- MSDP session between the RPs so that they announce their sources to each other, allowing multicast traffic to start from a source in one AS and reach the multicast receivers in the other AS
- FH (first-hop router) is the router to which the multicast source is directly connected, and LH (last-hop router) is the one to which a multicast receiver is directly connected

Topology


ASBR router configs

ASBR 1
hostname ASBR1

ip multicast-routing

interface Loopback0
ip address 1.1.1.1 255.255.255.255

!Ethernet0/0 - link to ASBR 2
interface Ethernet0/0
ip address 10.12.12.1 255.255.255.0
ip pim sparse-mode
ip multicast boundary 1

!Ethernet0/1.121 - link to RP 1
interface Ethernet0/1.121
encapsulation dot1Q 121
ip address 192.168.121.1 255.255.255.0
ip pim sparse-mode

!Ethernet0/1.122 - link to FH
interface Ethernet0/1.122
encapsulation dot1Q 122
ip address 192.168.122.1 255.255.255.0
ip pim sparse-mode

router ospf 1
network 1.1.1.1 0.0.0.0 area 1
network 192.168.0.0 0.0.255.255 area 0
default-information originate always

router bgp 100

!eBGP session with ASBR 2
neighbor 10.12.12.2 remote-as 200

!iBGP sessions with RP 1 and FH
neighbor 21.21.21.21 remote-as 100
neighbor 21.21.21.21 update-source Loopback0
neighbor 22.22.22.22 remote-as 100
neighbor 22.22.22.22 update-source Loopback0

address-family ipv4
redistribute ospf 1
neighbor 10.12.12.2 activate
exit-address-family

address-family ipv4 multicast
redistribute ospf 1
neighbor 10.12.12.2 activate
neighbor 21.21.21.21 activate
neighbor 21.21.21.21 route-reflector-client
neighbor 22.22.22.22 activate
neighbor 22.22.22.22 route-reflector-client
exit-address-family

access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit any
ASBR 2
hostname ASBR2

ip multicast-routing

interface Loopback0
ip address 2.2.2.2 255.255.255.255

!Ethernet0/1 - link to ASBR 1
interface Ethernet0/1
ip address 10.12.12.2 255.255.255.0
ip pim bsr-border
ip pim sparse-mode

!Ethernet0/0.25 - link to RP 2
interface Ethernet0/0.25
encapsulation dot1Q 25
ip address 172.16.25.2 255.255.255.0
ip pim sparse-mode

!Ethernet0/0.26 - link to LH
interface Ethernet0/0.26
encapsulation dot1Q 26
ip address 172.16.26.2 255.255.255.0
ip pim sparse-mode

router ospf 1
network 2.2.2.2 0.0.0.0 area 2
network 172.16.0.0 0.0.255.255 area 0
default-information originate always

router bgp 200

!eBGP session with ASBR 1
neighbor 10.12.12.1 remote-as 100

!iBGP sessions with RP 2 and LH
neighbor 5.5.5.5 remote-as 200
neighbor 5.5.5.5 update-source Loopback0
neighbor 6.6.6.6 remote-as 200
neighbor 6.6.6.6 update-source Loopback0

address-family ipv4
redistribute ospf 1
neighbor 10.12.12.1 activate
exit-address-family

address-family ipv4 multicast
redistribute ospf 1
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 route-reflector-client
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 route-reflector-client
neighbor 10.12.12.1 activate
exit-address-family


RP router configs

RP 1
hostname RP1

ip multicast-routing

interface Loopback0
ip address 21.21.21.21 255.255.255.255
ip pim sparse-mode

!Ethernet0/0.121 - link to ASBR 1
interface Ethernet0/0.121
encapsulation dot1Q 121
ip address 192.168.121.21 255.255.255.0
ip pim sparse-mode

!Ethernet0/0.2122 - link to FH
interface Ethernet0/0.2122
encapsulation dot1Q 2122
ip address 192.168.0.21 255.255.255.0
ip pim sparse-mode

router ospf 1
network 21.21.21.21 0.0.0.0 area 21
network 192.168.0.0 0.0.255.255 area 0

router bgp 100

!iBGP with ASBR 1
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0

address-family ipv4 multicast
neighbor 1.1.1.1 activate
exit-address-family

!Auto-RP
ip pim send-rp-announce Loopback0 scope 3
ip pim send-rp-discovery Loopback0 scope 3

!MSDP session with RP 2
ip msdp peer 5.5.5.5 connect-source Loopback0 remote-as 200
RP 2
hostname RP2

ip multicast-routing

interface Loopback0
ip address 5.5.5.5 255.255.255.255
ip pim sparse-mode

!Ethernet0/0.25 - link to ASBR 2
interface Ethernet0/0.25
encapsulation dot1Q 25
ip address 172.16.25.5 255.255.255.0
ip pim sparse-mode

!Ethernet0/0.56 - link to LH
interface Ethernet0/0.56
encapsulation dot1Q 56
ip address 172.16.56.5 255.255.255.0
ip pim sparse-mode

router ospf 1
network 5.5.5.5 0.0.0.0 area 5
network 172.16.0.0 0.0.255.255 area 0

router bgp 200

!iBGP with ASBR 2
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 update-source Loopback0

address-family ipv4 multicast
neighbor 2.2.2.2 activate
exit-address-family

!BSR
ip pim bsr-candidate Loopback0
ip pim rp-candidate Loopback0

!MSDP session with RP 1
ip msdp peer 21.21.21.21 connect-source Loopback0 remote-as 100


FH and LH router configs

FH
hostname FH

ip multicast-routing

interface Loopback0
ip address 22.22.22.22 255.255.255.255
ip pim sparse-mode

!Ethernet0/0.22 - LAN with the multicast source
interface Ethernet0/0.22
encapsulation dot1Q 22
ip address 192.168.22.22 255.255.255.0
ip pim sparse-mode

!Ethernet0/0.122 - link to ASBR 1
interface Ethernet0/0.122
encapsulation dot1Q 122
ip address 192.168.122.22 255.255.255.0
ip pim sparse-mode

!Ethernet0/0.2122 - link to RP 1
interface Ethernet0/0.2122
encapsulation dot1Q 2122
ip address 192.168.0.22 255.255.255.0
ip pim sparse-mode

router ospf 1
network 22.22.22.22 0.0.0.0 area 22
network 192.168.0.0 0.0.255.255 area 0

router bgp 100

!iBGP with ASBR 1 (ASBR 1 is in AS 100, so this is remote-as 100, not 200)
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0

address-family ipv4 multicast
neighbor 1.1.1.1 activate
exit-address-family
LH
hostname LH

ip multicast-routing

interface Loopback0
ip address 6.6.6.6 255.255.255.255
ip pim sparse-mode

!Ethernet0/0.6 - LAN with the multicast receiver
interface Ethernet0/0.6
encapsulation dot1Q 6
ip address 172.16.6.6 255.255.255.0
ip pim sparse-mode
ip igmp join-group 226.6.6.6

!Ethernet0/0.26 - link to ASBR 2
interface Ethernet0/0.26
encapsulation dot1Q 26
ip address 172.16.26.6 255.255.255.0
ip pim sparse-mode

!Ethernet0/0.56 - link to RP 2
interface Ethernet0/0.56
encapsulation dot1Q 56
ip address 172.16.56.6 255.255.255.0
ip pim sparse-mode

router ospf 1
network 6.6.6.6 0.0.0.0 area 6
network 172.16.0.0 0.0.255.255 area 0

router bgp 200

!iBGP with ASBR 2
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 update-source Loopback0

address-family ipv4 multicast
neighbor 2.2.2.2 activate
exit-address-family


To test, from the FH router console enter the command ping 226.6.6.6 source eth0/0.22 repeat 11.

Those who want to learn more are welcome at the Cisco Netschool academy courses.

Monday, 2 March 2015

1 client, 2 providers, 3 options - InterAS VPN Layer 3 Option C

In this post too, we see how two providers (ISP 1 - AS 100 and ISP 2 - AS 200) configure an NNI (Network to Network Interconnection) to allow the interconnection of two different sites (CPE 1 - LAN 7.7.7.7/32 and CPE 2 - LAN 1.1.1.1/32) of the same customer. As before, this link can carry the traffic of several customers that use this option; the only major difference from 'Option B' is that the ASBRs no longer need to know the whole VPNv4 routing table, because the VPNv4 RRs of each AS have an eBGP session with each other. The ASBRs only have an eBGP IPv4 session (a perfectly normal scenario between two ISPs), over which the management interfaces of the PE routers of each ISP are announced, so that the LSP can be built between a PE router in one ISP and the PE router in the other ISP. The traffic does not transit the RRs; their only role is to distribute the VPNv4 routes.

Topology


CPE router configs

CPE 1

!Loopback0 - LAN
interface Loopback0
ip address 7.7.7.7 255.255.255.255

!Ethernet0/1 - WAN
interface Ethernet0/1
ip address 192.168.78.7 255.255.255.0

!default route - next hop is router PE1
ip route 0.0.0.0 0.0.0.0 192.168.78.8
CPE 2

!Loopback0 - LAN
interface Loopback0
ip address 1.1.1.1 255.255.255.255

!Ethernet0/1 - WAN
interface Ethernet0/1
ip address 192.168.211.1 255.255.255.0

!default route - next hop is router PE2
ip route 0.0.0.0 0.0.0.0 192.168.211.21


P router configs

P1

interface Loopback0
ip address 23.23.23.23 255.255.255.255

!Ethernet0/0.423 - link to ASBR 1
interface Ethernet0/0.423
encapsulation dot1Q 423
ip address 10.4.23.23 255.255.255.0
mpls ip

!Ethernet0/0.823 - link to PE 1
interface Ethernet0/0.823
encapsulation dot1Q 823
ip address 10.8.23.23 255.255.255.0
mpls ip

!Ethernet0/0.236 - link to RR 1
interface Ethernet0/0.236
encapsulation dot1Q 236
ip address 10.23.6.23 255.255.255.0
mpls ip

router ospf 1
network 10.4.23.23 0.0.0.0 area 0
network 10.8.23.23 0.0.0.0 area 0
network 23.23.23.23 0.0.0.0 area 0
network 10.23.6.23 0.0.0.0 area 0
P2

interface Loopback0
ip address 22.22.22.22 255.255.255.255

!Ethernet0/0.322 - link to ASBR 2
interface Ethernet0/0.322
encapsulation dot1Q 322
ip address 10.3.22.22 255.255.255.0
mpls ip

!Ethernet0/0.212 - link to PE 2
interface Ethernet0/0.212
encapsulation dot1Q 212
ip address 10.21.22.22 255.255.255.0
mpls ip

!Ethernet0/0.222 - link to RR 2
interface Ethernet0/0.222
encapsulation dot1Q 222
ip address 10.0.222.22 255.255.255.0
mpls ip

router ospf 1
network 10.3.22.22 0.0.0.0 area 0
network 10.21.22.22 0.0.0.0 area 0
network 22.22.22.22 0.0.0.0 area 0
network 10.0.222.22 0.0.0.0 area 0


ASBR router configs

Here I used filtering so that only the management interfaces of the PE and RR routers are announced. I used the same prefix-list on both ASBRs, but it could be refined to have fewer lines. The 'neighbor send-label' command makes BGP announce the associated MPLS labels along with the prefixes.
The ASBR routers do not even need an iBGP session with the RR of their own AS; they only do label swapping, like the P routers.
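Both this prefix-list and the Auto-RP boundary ACL in the InterAS Multicast post above are "leak only what the other side needs" filters, so here is one added example (my code, not from the original posts) that evaluates both with Cisco semantics: standard ACL entries with wildcard masks, first match wins, implicit deny; prefix-list entries in seq order, exact length unless ge/le is given, implicit deny. The access-list 1 and ip prefix-list Loopback contents are copied from the page; the sample groups and prefixes fed to them are constructed for the demonstration, and the ge/le handling goes beyond what the page's lists use.

```python
from ipaddress import ip_address, ip_network


def wildcard_match(addr, entry_addr, wildcard):
    """Cisco wildcard-mask semantics: a bit set in the wildcard is 'don't
    care'. A host entry such as 'deny 224.0.1.39' has wildcard 0.0.0.0."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(entry_addr)) & care)


def standard_acl_permits(acl, addr):
    """Standard ACL: first matching entry wins, implicit deny at the end.
    Entries are (action, address, wildcard); 'permit any' is
    ('permit', '0.0.0.0', '255.255.255.255')."""
    for action, entry_addr, wildcard in acl:
        if wildcard_match(addr, entry_addr, wildcard):
            return action == "permit"
    return False


def prefix_list_permits(plist, prefix):
    """IOS prefix-list: entries (seq, action, entry, ge, le) checked in seq
    order. Without ge/le the length must equal the entry's length exactly;
    'ge' alone means ge..32, 'le' alone means entry-length..le. Implicit deny."""
    net = ip_network(prefix, strict=False)
    for _seq, action, entry, ge, le in sorted(plist, key=lambda e: e[0]):
        entry_net = ip_network(entry, strict=False)
        if ge is None and le is None:
            lo = hi = entry_net.prefixlen
        else:
            lo = entry_net.prefixlen if ge is None else ge
            hi = 32 if le is None else le
        if lo <= net.prefixlen <= hi and net.subnet_of(entry_net):
            return action == "permit"
    return False


# access-list 1 as applied with 'ip multicast boundary 1' on ASBR1 (from the page)
MCAST_BOUNDARY_ACL = [
    ("deny", "224.0.1.39", "0.0.0.0"),         # Auto-RP Announce
    ("deny", "224.0.1.40", "0.0.0.0"),         # Auto-RP Discovery
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit any
]

# ip prefix-list Loopback from the Option C ASBRs (from the page)
LOOPBACK_PREFIX_LIST = [
    (5, "permit", "2.2.2.2/32", None, None),
    (10, "permit", "3.3.3.3/32", None, None),
    (15, "permit", "4.4.4.4/32", None, None),
    (20, "permit", "6.6.6.6/32", None, None),
    (25, "permit", "8.8.8.8/32", None, None),
    (30, "permit", "22.22.22.22/32", None, None),
    (35, "permit", "21.21.21.21/32", None, None),
]


def groups_crossing_boundary(groups):
    """Multicast groups the ASBR1 boundary lets through toward ASBR2."""
    return [g for g in groups if standard_acl_permits(MCAST_BOUNDARY_ACL, g)]


def routes_leaked_into_ospf(bgp_routes):
    """Of the prefixes learned from the other AS over labeled eBGP, only those
    passing route-map bgp-ospf (prefix-list Loopback) go into OSPF."""
    return [r for r in bgp_routes if prefix_list_permits(LOOPBACK_PREFIX_LIST, r)]


if __name__ == "__main__":
    # constructed inputs: the two Auto-RP groups plus the test group 226.6.6.6,
    # and a mix of /32 loopbacks and transit /24s as seen in the Option C configs
    print(groups_crossing_boundary(["224.0.1.39", "224.0.1.40", "226.6.6.6"]))
    print(routes_leaked_into_ospf(["2.2.2.2/32", "21.21.21.21/32",
                                   "10.3.22.0/24", "10.0.222.0/24"]))
```

Running it shows 226.6.6.6 passing the boundary while both Auto-RP groups are dropped, and only the /32 loopbacks entering OSPF while the transit /24s from the other AS stay out, which is what keeps each provider's internal addressing and RP announcements from leaking across the NNI.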
ASBR 1

interface Loopback0
ip address 4.4.4.4 255.255.255.255

interface Ethernet0/0
no shutdown

!Ethernet0/0.43 - link to ASBR2
interface Ethernet0/0.43
encapsulation dot1Q 43
ip address 10.0.43.4 255.255.255.0
mpls bgp forwarding

!Ethernet0/0.423 - link to P1
interface Ethernet0/0.423
encapsulation dot1Q 423
ip address 10.4.23.4 255.255.255.0
mpls ip

router ospf 1
redistribute bgp 100 subnets route-map bgp-ospf
network 4.4.4.4 0.0.0.0 area 0
network 10.4.23.4 0.0.0.0 area 0

router bgp 100
!eBGP session with ASBR2
neighbor 10.0.43.3 remote-as 200

address-family ipv4
redistribute ospf 1
neighbor 10.0.43.3 activate
neighbor 10.0.43.3 send-label
exit-address-family

ip prefix-list Loopback seq 5 permit 2.2.2.2/32
ip prefix-list Loopback seq 10 permit 3.3.3.3/32
ip prefix-list Loopback seq 15 permit 4.4.4.4/32
ip prefix-list Loopback seq 20 permit 6.6.6.6/32
ip prefix-list Loopback seq 25 permit 8.8.8.8/32
ip prefix-list Loopback seq 30 permit 22.22.22.22/32
ip prefix-list Loopback seq 35 permit 21.21.21.21/32

route-map bgp-ospf permit 10
match ip address prefix-list Loopback
ASBR 2

interface Loopback0
ip address 3.3.3.3 255.255.255.255

interface Ethernet0/0
no shutdown

!Ethernet0/0.43 - link to ASBR1
interface Ethernet0/0.43
encapsulation dot1Q 43
ip address 10.0.43.3 255.255.255.0
mpls bgp forwarding

!Ethernet0/0.322 - link to P2
interface Ethernet0/0.322
encapsulation dot1Q 322
ip address 10.3.22.3 255.255.255.0
mpls ip

router ospf 1
redistribute bgp 200 subnets route-map bgp-ospf
network 3.3.3.3 0.0.0.0 area 0
network 10.3.22.3 0.0.0.0 area 0

router bgp 200
!eBGP session with ASBR1
neighbor 10.0.43.4 remote-as 100

address-family ipv4
redistribute ospf 1
neighbor 10.0.43.4 activate
neighbor 10.0.43.4 send-label
exit-address-family

ip prefix-list Loopback seq 5 permit 2.2.2.2/32
ip prefix-list Loopback seq 10 permit 3.3.3.3/32
ip prefix-list Loopback seq 15 permit 4.4.4.4/32
ip prefix-list Loopback seq 20 permit 6.6.6.6/32
ip prefix-list Loopback seq 25 permit 8.8.8.8/32
ip prefix-list Loopback seq 30 permit 22.22.22.22/32
ip prefix-list Loopback seq 35 permit 21.21.21.21/32

route-map bgp-ospf permit 10
match ip address prefix-list Loopback


RR router configs

Here, besides the multihop eBGP VPNv4 session, the neighbor next-hop-unchanged option is also important; otherwise the prefixes from the other AS would carry the other AS's RR as next hop and the packets would transit it needlessly.
RR 1

interface Loopback0
ip address 6.6.6.6 255.255.255.255

!Ethernet0/0 - link to P1
interface Ethernet0/0
ip address 10.23.6.6 255.255.255.0
mpls ip

router ospf 1
network 6.6.6.6 0.0.0.0 area 0
network 10.23.6.6 0.0.0.0 area 0

router bgp 100
no bgp default ipv4-unicast

!multihop eBGP session with RR2
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 ebgp-multihop 255
neighbor 2.2.2.2 update-source Loopback0

!iBGP session with PE1
neighbor 8.8.8.8 remote-as 100
neighbor 8.8.8.8 update-source Loopback0

address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 2.2.2.2 next-hop-unchanged
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community both
neighbor 8.8.8.8 route-reflector-client
exit-address-family
RR 2

interface Loopback0
ip address 2.2.2.2 255.255.255.255

!Ethernet0/1 - link to P2
interface Ethernet0/1
ip address 10.0.222.2 255.255.255.0
mpls ip

router ospf 1
network 2.2.2.2 0.0.0.0 area 0
network 10.0.222.2 0.0.0.0 area 0

router bgp 200
no bgp default ipv4-unicast

!multihop eBGP session with RR1
neighbor 6.6.6.6 remote-as 100
neighbor 6.6.6.6 ebgp-multihop 255
neighbor 6.6.6.6 update-source Loopback0

!iBGP session with PE2
neighbor 21.21.21.21 remote-as 200
neighbor 21.21.21.21 update-source Loopback0

address-family vpnv4
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community both
neighbor 6.6.6.6 next-hop-unchanged
neighbor 21.21.21.21 activate
neighbor 21.21.21.21 send-community both
neighbor 21.21.21.21 route-reflector-client
exit-address-family

Wednesday, 18 February 2015

1 client, 2 providers, 3 options - Inter AS VPN Layer 3 Option B

Mai jos va prezint cum reusesc doi provideri (ISP 1 - AS 100 si ISP 2 - AS 200) sa configureze un NNI (Network to Network Interconnection) pentru a permite interconectarea a doua site-uri diferite (CPE 1 - LAN 7.7.7.7 /32 si CPE 2 - LAN 1.1.1.1 /32) a aceluiasi client. Mai mult, acest mod de configurare permite utilizarea legaturii NNI pentru interconectarea mai multor clienti care au site-uri conectate la ambii ISP-isti.

Topology


CPE router configs

CPE 1

!Loopback0 - LAN
interface Loopback0
ip address 7.7.7.7 255.255.255.255

!Ethernet0/1 - WAN
interface Ethernet0/1
ip address 192.168.78.7 255.255.255.0

!default route - next hop is the PE1 router
ip route 0.0.0.0 0.0.0.0 192.168.78.8
CPE 2

!Loopback0 - LAN
interface Loopback0
ip address 1.1.1.1 255.255.255.255

!Ethernet0/1 - WAN
interface Ethernet0/1
ip address 192.168.211.1 255.255.255.0

!default route - next hop is the PE2 router
ip route 0.0.0.0 0.0.0.0 192.168.211.21


P router configs

P1

interface Loopback0
ip address 23.23.23.23 255.255.255.255

!Ethernet0/0.423 - link to ASBR 1
interface Ethernet0/0.423
encapsulation dot1Q 423
ip address 10.4.23.23 255.255.255.0
mpls ip

!Ethernet0/0.823 - link to PE 1
interface Ethernet0/0.823
encapsulation dot1Q 823
ip address 10.8.23.23 255.255.255.0
mpls ip

router ospf 1
network 10.4.23.23 0.0.0.0 area 0
network 10.8.23.23 0.0.0.0 area 0
network 23.23.23.23 0.0.0.0 area 0
P2

interface Loopback0
ip address 22.22.22.22 255.255.255.255

!Ethernet0/0.322 - link to ASBR 2
interface Ethernet0/0.322
encapsulation dot1Q 322
ip address 10.3.22.22 255.255.255.0
mpls ip

!Ethernet0/0.212 - link to PE 2
interface Ethernet0/0.212
encapsulation dot1Q 212
ip address 10.21.22.22 255.255.255.0
mpls ip

router ospf 1
network 10.3.22.22 0.0.0.0 area 0
network 10.21.22.22 0.0.0.0 area 0
network 22.22.22.22 0.0.0.0 area 0


PE router configs

PE1

ip vrf Client
rd 100:1
route-target export 100:1
route-target import 100:1

!routes advertised from AS 200 carry RT 200:1
route-target import 200:1

interface Loopback0
ip address 8.8.8.8 255.255.255.255

!Ethernet0/0.78 - link to CPE 1
interface Ethernet0/0.78
encapsulation dot1Q 78
ip vrf forwarding Client
ip address 192.168.78.8 255.255.255.0

!Ethernet0/0.823 - link to P1
interface Ethernet0/0.823
encapsulation dot1Q 823
ip address 10.8.23.8 255.255.255.0
mpls ip

router ospf 1
network 8.8.8.8 0.0.0.0 area 0
network 10.8.23.8 0.0.0.0 area 0

router bgp 100
no bgp default ipv4-unicast

!iBGP adjacency with ASBR 1
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0

address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
exit-address-family

address-family ipv4 vrf Client
redistribute connected
redistribute static
exit-address-family

!static route via CPE 1 to LAN 1
ip route vrf Client 7.7.7.7 255.255.255.255 192.168.78.7
PE2

ip vrf Client
rd 200:1
route-target export 200:1
route-target import 200:1

!routes advertised from AS 100 carry RT 100:1
route-target import 100:1

interface Loopback0
ip address 21.21.21.21 255.255.255.255

!Ethernet0/0.211 - link to CPE 2
interface Ethernet0/0.211
encapsulation dot1Q 211
ip vrf forwarding Client
ip address 192.168.211.21 255.255.255.0

!Ethernet0/0.212 - link to P2
interface Ethernet0/0.212
encapsulation dot1Q 212
ip address 10.21.22.21 255.255.255.0
mpls ip

router ospf 1
network 10.21.22.21 0.0.0.0 area 0
network 21.21.21.21 0.0.0.0 area 0

router bgp 200
no bgp default ipv4-unicast

!iBGP adjacency with ASBR 2
neighbor 3.3.3.3 remote-as 200
neighbor 3.3.3.3 update-source Loopback0

address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family

address-family ipv4 vrf Client
redistribute connected
redistribute static
exit-address-family

!static route via CPE 2 to LAN 2
ip route vrf Client 1.1.1.1 255.255.255.255 192.168.211.1


ASBR router configs

These routers must hold the full VPNv4 table, just like a Route Reflector, but without defining a VRF for each customer as we do in Option A. Filtering can be applied to the VPNv4 prefixes so that only the networks of the customers that need this NNI are advertised. In addition, all PEs of an ISP must use their own ASBR as next hop for the VPNv4 prefixes learned from the other ISP.
ASBR1

interface Loopback0
ip address 4.4.4.4 255.255.255.255

!Ethernet0/0.43 - link to ASBR2
interface Ethernet0/0.43
encapsulation dot1Q 43
ip address 10.0.43.4 255.255.255.0
mpls bgp forwarding

!Ethernet0/0.423 - link to P1
interface Ethernet0/0.423
encapsulation dot1Q 423
ip address 10.4.23.4 255.255.255.0
mpls ip

router ospf 1
network 4.4.4.4 0.0.0.0 area 0
network 10.4.23.4 0.0.0.0 area 0

router bgp 100
no bgp default ipv4-unicast

!the command below allows learning all VPNv4 prefixes, similar to a RR
no bgp default route-target filter

!iBGP adjacency with PE1
neighbor 8.8.8.8 remote-as 100
neighbor 8.8.8.8 update-source Loopback0
!eBGP adjacency with ASBR2
neighbor 10.0.43.3 remote-as 200

address-family vpnv4
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community both
neighbor 8.8.8.8 next-hop-self
neighbor 10.0.43.3 activate
neighbor 10.0.43.3 send-community both
exit-address-family
ASBR2

interface Loopback0
ip address 3.3.3.3 255.255.255.255

!Ethernet0/0.43 - link to ASBR1
interface Ethernet0/0.43
encapsulation dot1Q 43
ip address 10.0.43.3 255.255.255.0
mpls bgp forwarding

!Ethernet0/0.322 - link to P2
interface Ethernet0/0.322
encapsulation dot1Q 322
ip address 10.3.22.3 255.255.255.0
mpls ip

router ospf 1
network 3.3.3.3 0.0.0.0 area 0
network 10.3.22.3 0.0.0.0 area 0

router bgp 200
no bgp default ipv4-unicast

!the command below allows learning all VPNv4 prefixes, similar to a RR
no bgp default route-target filter

!eBGP adjacency with ASBR1
neighbor 10.0.43.4 remote-as 100
!iBGP adjacency with PE2
neighbor 21.21.21.21 remote-as 200
neighbor 21.21.21.21 update-source Loopback0

address-family vpnv4
neighbor 10.0.43.4 activate
neighbor 10.0.43.4 send-community both
neighbor 21.21.21.21 activate
neighbor 21.21.21.21 send-community both
neighbor 21.21.21.21 next-hop-self
exit-address-family
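The ASBR section above mentions that the VPNv4 prefixes can be filtered so that only the customers who need the NNI are advertised, but the lab configs leave the eBGP session between the ASBRs unfiltered, and with no bgp default route-target filter each ASBR accepts every route target the other ISP sends. The snippet below is an added example, not part of the original post or lab, showing one way to do that filtering on ASBR1 with an extended-community list; the names NNI-CUSTOMERS and NNI-FILTER are assumed, while the route targets 100:1 and 200:1 and the neighbor 10.0.43.3 come from the configs above. The same configuration, with the AS numbers and the neighbor address swapped, applies on ASBR2.

```cisco
!extcommunity-list NNI-CUSTOMERS (assumed name): the route targets of the
!customers allowed across the NNI - only the "Client" VPN of this lab;
!add one line per additional customer that has sites at both ISPs
ip extcommunity-list standard NNI-CUSTOMERS permit rt 100:1
ip extcommunity-list standard NNI-CUSTOMERS permit rt 200:1

!route-map NNI-FILTER (assumed name): pass VPNv4 routes carrying an allowed
!RT, drop everything else (the deny clause makes the implicit deny explicit)
route-map NNI-FILTER permit 10
match extcommunity NNI-CUSTOMERS
route-map NNI-FILTER deny 20

router bgp 100
address-family vpnv4
!applied in both directions on the eBGP session with ASBR2: outbound limits
!what AS 100 exposes, inbound limits what AS 200 can inject into AS 100
neighbor 10.0.43.3 route-map NNI-FILTER out
neighbor 10.0.43.3 route-map NNI-FILTER in
exit-address-family
```

The inbound direction matters as much as the outbound one: without it, a misconfiguration or a rogue export on the other ISP's side could place routes with arbitrary route targets into the AS 100 VPNv4 table, from where any PE importing that RT would pick them up. After applying the route-maps, refresh the session with clear ip bgp 10.0.43.3 vpnv4 unicast soft so that already-learned routes are re-evaluated, and confirm the result with show bgp vpnv4 unicast all neighbors 10.0.43.3 advertised-routes.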

We address similar problems in the CCNA / CCNP courses at the Netschool academy. Happy studying, and the next post will be about Option C.