Wednesday, 29 April 2015

MPLS VPN Layer 3 - Cisco IOS vs Juniper JunOS

In the following post we look at another operating system, this one specific to Juniper equipment: JunOS. I consider this operating system very well suited to an environment where configuration mistakes can be corrected very easily by reverting to a previous configuration with a single command, rollback. Another advantage is the use of the commit command, so that we never have intermediate/incomplete configurations.

The key elements are:

  • P2 and PE2 run JunOS
  • P1 and PE1 run IOS
  • between PE1 and PE2 there is an iBGP VPNv4 session
  • on each PE I defined two VRFs (VPN-A and VPN-B) with the same addressing plan, to verify correct isolation in both the control plane and the data plane

Topology

P router configs

P1
interface Loopback0
ip address 11.11.11.11 255.255.255.255

!Fa0/0.5 - link to PE1
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 172.16.5.1 255.255.255.0
ip router isis AS100
mpls ip

!Fa0/0.10 - link to P2
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 172.16.10.2 255.255.255.0
ip router isis AS100
mpls ip

mpls ldp router-id Loopback0 force

router isis AS100
is-type level-2-only
net 49.0001.0110.1101.1011.00
passive-interface Loopback0

P2
interfaces {
em0 {
vlan-tagging;

/* unit 10 - link to P1 */
unit 10 {
vlan-id 10;
family inet {
address 172.16.10.1/24;
}
family iso;
family mpls;
}

/* unit 20 - link to PE2 */
unit 20 {
vlan-id 20;
family inet {
address 172.16.20.1/24;
}
family iso;
family mpls;
}
}
lo0 {
unit 1 {
family inet {
address 1.1.1.0/32;
}
family iso {
address 49.0001.0010.0100.1001.00;
}
family mpls;
}
}
}

protocols {
mpls {
interface em0.10;
interface em0.20;
}

isis {
level 1 disable;
interface em0.10;
interface em0.20;
interface lo0.1 {
passive;
}
}

ldp {
interface em0.10;
interface em0.20;
}
}

PE router configs

PE1
ip vrf VPN-A
rd 100:1
route-target export 100:1
route-target import 100:1

ip vrf VPN-B
rd 100:2
route-target export 100:2
route-target import 100:2

interface Loopback0
ip address 22.22.22.22 255.255.255.255

interface Loopback10
ip vrf forwarding VPN-A
ip address 10.1.1.1 255.255.255.255

interface Loopback20
ip vrf forwarding VPN-B
ip address 10.1.1.1 255.255.255.255

!Fa0/0.5 - link to P1
interface FastEthernet0/0.5
encapsulation dot1Q 5
ip address 172.16.5.2 255.255.255.0
ip router isis AS100
mpls ip

router isis AS100
net 49.0001.0220.2202.2022.00
passive-interface Loopback0

router bgp 100
no bgp default ipv4-unicast

!iBGP VPNv4 session with PE2
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0

address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family

address-family ipv4 vrf VPN-B
redistribute connected
exit-address-family

address-family ipv4 vrf VPN-A
redistribute connected
exit-address-family

PE2
interfaces {
em0 {
vlan-tagging;
unit 20 {
vlan-id 20;
family inet {
address 172.16.20.2/24;
}
family iso;
family mpls;
}
}

lo0 {
unit 1 {
family inet {
address 2.2.2.2/32;
}
family iso {
address 49.0001.0020.0200.2002.00;
}
}
unit 10 {
family inet {
address 10.2.2.2/32;
}
}
unit 20 {
family inet {
address 10.2.2.2/32;
}
}
}
}

protocols {
mpls {
interface em0.20;
}

bgp {
group iBGP {
local-address 2.2.2.2;
peer-as 100;
local-as 100;
neighbor 22.22.22.22 {
family inet-vpn {
unicast;
}
}
}
}

isis {
level 1 disable;
interface em0.20;
interface lo0.1;
}

ldp {
interface em0.20;
interface lo0.1;
}
}

routing-instances {
VPN-A {
instance-type vrf;
interface lo0.10;
route-distinguisher 100:1;
vrf-target {
import target:100:1;
export target:100:1;
}
vrf-table-label;
}

VPN-B {
instance-type vrf;
interface lo0.20;
route-distinguisher 100:2;
vrf-target {
import target:100:2;
export target:100:2;
}
vrf-table-label;
}
}

To test, you can use the commands ping 10.1.1.1 routing-instance VPN-A and ping 10.1.1.1 routing-instance VPN-B from router PE2.
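Because both VRFs use the same addresses (10.1.1.1 on PE1, 10.2.2.2 on PE2), the ping test above succeeds even if a route-target were mistakenly shared between VPN-A and VPN-B, so the isolation is really decided in the control plane. The following Python script is an added example (not part of the original post): it parses the VRF definitions of PE1 (IOS) and PE2 (JunOS) as shown above and cross-checks the route-targets, flagging both a broken VPN (no matching import/export) and a leak (one VRF's export imported by the other VRF on the peer). The config strings, regexes and function names are constructed for this example.

```python
import re

# Constructed excerpts of the VRF definitions shown in this post
# (PE1 runs IOS, PE2 runs JunOS); route-distinguishers are omitted.
IOS_PE1 = """ip vrf VPN-A
 route-target export 100:1
 route-target import 100:1
ip vrf VPN-B
 route-target export 100:2
 route-target import 100:2"""
JUNOS_PE2 = """routing-instances {
    VPN-A { vrf-target { import target:100:1; export target:100:1; } }
    VPN-B { vrf-target { import target:100:2; export target:100:2; } }
}"""

# Group 1 opens a VRF; groups 2 and 3 give (direction, route-target).
IOS_RE = r"ip vrf (\S+)|route-target (import|export) (\S+)"
JUNOS_RE = r"(\S+) \{|(import|export) target:(\S+);"
JUNOS_SKIP = ("routing-instances", "vrf-target")  # braces that are not VRFs

def parse_vrfs(cfg, pattern, skip=()):
    """Return {vrf: {'import': set(rt), 'export': set(rt)}} for one PE."""
    vrfs, cur = {}, None
    for m in re.finditer(pattern, cfg):
        name, direction, rt = m.groups()
        if name and name not in skip:
            cur = vrfs.setdefault(name, {"import": set(), "export": set()})
        elif direction and cur is not None:
            cur[direction].add(rt)
    return vrfs

def isolation_report(pe_a, pe_b):
    """A VRF's exports must be imported by the peer VRF of the same name
    (else the VPN is broken) and by no other VRF on the peer (else VPN-A
    and VPN-B leak into each other). Returns a list of problems found."""
    empty = {"import": set(), "export": set()}
    problems = []
    for name, va in pe_a.items():
        vb = pe_b.get(name, empty)
        if not (va["export"] & vb["import"] and vb["export"] & va["import"]):
            problems.append(f"{name}: route-targets do not match between PEs")
        for other, vo in pe_b.items():
            if other != name and va["export"] & vo["import"]:
                problems.append(f"{name} leaks into {other} on the peer")
    return problems

def check_post_configs(junos_cfg=JUNOS_PE2):
    """Run the check on the configs above; [] means consistent and isolated."""
    return isolation_report(parse_vrfs(IOS_PE1, IOS_RE),
                            parse_vrfs(junos_cfg, JUNOS_RE, JUNOS_SKIP))
```

Passing a JunOS config in which VPN-B imports target:100:1 makes the report show both the leak into VPN-B and the now-broken VPN-B.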

Those who want to go deeper are invited to the courses of the Cisco Netschool academy.

Tuesday, 14 April 2015

MPLS VPN Layer 3 - IOS vs IOS XR

In the following post we look at another operating system specific to Cisco equipment, namely IOS XR. There are a few differences from IOS, but I managed to configure what was needed for this scenario without much effort. My knowledge of JunOS (the operating system on Juniper equipment) helped a lot, and soon I will also present a comparison between IOS and JunOS.

The key elements are:

  • P2 and PE2 run IOS XR
  • P1 and PE1 run IOS
  • between PE1 and PE2 there is an iBGP VPNv4 session in which PE2 is also a Route Reflector, although this was not necessary in this scenario
  • on each PE I defined two VRFs (VPN-A and VPN-B) with the same addressing plan, to verify correct isolation in both the control plane and the data plane

Topology

P router configs

P1
hostname P1

interface Loopback0
ip address 3.3.3.3 255.255.255.255

!Gi2.942 - link to PE1
interface GigabitEthernet2.942
encapsulation dot1Q 942
ip address 172.16.32.3 255.255.255.0
ip router isis AS100
mpls ip
mpls label protocol ldp

!Gi2.943 - link to P2
interface GigabitEthernet2.943
encapsulation dot1Q 943
ip address 172.16.43.3 255.255.255.0
ip router isis AS100
mpls ip
mpls label protocol ldp

router isis AS100
net 49.0001.0030.0300.3003.00
is-type level-2-only
passive-interface Loopback0

P2
hostname P2

interface Loopback0
ipv4 address 4.4.4.4 255.255.255.255

!Gi0/0/0/4.845 - link to PE2
interface GigabitEthernet0/0/0/4.845
ipv4 address 172.16.45.4 255.255.255.0
encapsulation dot1q 845

!Gi0/0/0/4.943 - link to P1
interface GigabitEthernet0/0/0/4.943
ipv4 address 172.16.43.4 255.255.255.0
encapsulation dot1q 943

router isis AS100
is-type level-2-only
net 49.0001.0040.0400.4004.00
interface Loopback0
passive
address-family ipv4 unicast

interface GigabitEthernet0/0/0/4.845
address-family ipv4 unicast

interface GigabitEthernet0/0/0/4.943
address-family ipv4 unicast

mpls ldp
router-id 4.4.4.4

interface GigabitEthernet0/0/0/4.845

interface GigabitEthernet0/0/0/4.943

PE router configs

PE1
hostname PE1

ip vrf VPN-A
rd 1:1
route-target export 100:1
route-target import 100:1

ip vrf VPN-B
rd 1:2
route-target export 100:2
route-target import 100:2

interface Loopback0
ip address 2.2.2.2 255.255.255.255

interface Loopback10
ip vrf forwarding VPN-A
ip address 10.1.1.1 255.255.255.0

interface Loopback20
ip vrf forwarding VPN-B
ip address 10.1.1.1 255.255.255.0

!Gi2.942 - link to P1
interface GigabitEthernet2.942
encapsulation dot1Q 942
ip address 172.16.32.2 255.255.255.0
ip router isis AS100
mpls ip
mpls label protocol ldp

router isis AS100
net 49.0001.0020.0200.2002.00
is-type level-2-only
passive-interface Loopback0

router bgp 100

no bgp default ipv4-unicast

!iBGP VPNv4 with PE2
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 update-source Loopback0

address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
exit-address-family

address-family ipv4 vrf VPN-A
redistribute connected
exit-address-family

address-family ipv4 vrf VPN-B
redistribute connected
exit-address-family

PE2
hostname PE2

vrf VPN-A
address-family ipv4 unicast
import route-target
100:1
export route-target
100:1

vrf VPN-B
address-family ipv4 unicast
import route-target
100:2
export route-target
100:2

interface Loopback0
ipv4 address 5.5.5.5 255.255.255.255

interface Loopback10
vrf VPN-A
ipv4 address 10.2.2.2 255.255.255.255

interface Loopback20
vrf VPN-B
ipv4 address 10.2.2.2 255.255.255.255

!Gi0/0/0/4.845 - link to P2
interface GigabitEthernet0/0/0/4.845
ipv4 address 172.16.45.5 255.255.255.0
encapsulation dot1q 845

router isis AS100
is-type level-2-only
net 49.0001.0050.0500.5005.00
interface Loopback0
passive
address-family ipv4 unicast

interface GigabitEthernet0/0/0/4.845
address-family ipv4 unicast

router bgp 100
address-family vpnv4 unicast

!iBGP VPNv4 with PE1
neighbor 2.2.2.2
remote-as 100
update-source Loopback0
address-family vpnv4 unicast
route-reflector-client

vrf VPN-A
rd 1:1
address-family ipv4 unicast
redistribute connected

vrf VPN-B
rd 1:2
address-family ipv4 unicast
redistribute connected

mpls ldp
router-id 5.5.5.5
interface GigabitEthernet0/0/0/4.845

Now it can be tested using the commands ping vrf VPN-A 10.2.2.2 source lo10 and ping vrf VPN-B 10.2.2.2 source lo20 from router PE1. Mirrored, the same commands can also be used on router PE2.

Those who want to go deeper are invited to the courses of the Cisco Netschool academy.

Wednesday, 1 April 2015

MPLS Carrier Supporting Carrier

In the following post we deal with routing VPNv4 unicast traffic between the two halves of the same AS (AS 100) through the MPLS network of another provider (AS 200).

The key elements are:
- MPLS Layer 3 VPN in the AS 200 network, into which the two ASBRs of AS 100 are placed
- MPLS Layer 3 VPN in the AS 100 network, into which the two CPEs are placed
- eBGP IPv4 session with the send-label option between the ASBRs of AS 100 and the PEs of AS 200
- iBGP VPNv4 session between the AS 200 PEs to which the AS 100 ASBRs are directly connected
- iBGP VPNv4 session between the AS 100 PEs to which the CPEs are directly connected
- in provider AS100's network, an MPLS Layer 3 VPN is defined for the customer that manages the CPEs
- in provider AS200's network, an MPLS Layer 3 VPN is defined for provider AS100

Topology

AS200 router configs

PE2001
hostname PE2001

ip vrf ISP100
rd 200:1
route-target export 200:1
route-target import 200:1

interface Loopback1
ip address 2.2.2.2 255.255.255.255

!Ethernet0/0.24 - link to BR1001
interface Ethernet0/0.24
encapsulation dot1Q 24
ip vrf forwarding ISP100
ip address 192.168.24.2 255.255.255.0

!Ethernet0/1.12 - link to P200
interface Ethernet0/1.12
encapsulation dot1Q 12
ip address 172.16.12.2 255.255.255.0
ip router isis 1
mpls ip

router isis 1
net 49.0001.0020.0200.2002.00
is-type level-2-only
passive-interface Loopback1

router bgp 200

!iBGP VPNv4 with PE2002
neighbor 3.3.3.3 remote-as 200
neighbor 3.3.3.3 update-source Loopback1

address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
neighbor 3.3.3.3 next-hop-self
exit-address-family

address-family ipv4 vrf ISP100
!eBGP IPv4 with BR1001
neighbor 192.168.24.4 remote-as 100
neighbor 192.168.24.4 activate
neighbor 192.168.24.4 as-override
neighbor 192.168.24.4 send-label
exit-address-family

P200
hostname P200

interface Loopback1
ip address 1.1.1.1 255.255.255.255

!Ethernet0/1.12 - link to PE2001
interface Ethernet0/1.12
encapsulation dot1Q 12
ip address 172.16.12.1 255.255.255.0
ip router isis 1
mpls ip

!Ethernet0/1.13 - link to PE2002
interface Ethernet0/1.13
encapsulation dot1Q 13
ip address 172.16.13.1 255.255.255.0
ip router isis 1
mpls ip

router isis 1
net 49.0001.0010.0100.1001.00
is-type level-2-only
passive-interface Loopback1

PE2002
hostname PE2002

ip vrf ISP100
rd 200:1
route-target export 200:1
route-target import 200:1

interface Loopback1
ip address 3.3.3.3 255.255.255.255

!Ethernet0/0.36 - link to BR1002
interface Ethernet0/0.36
encapsulation dot1Q 36
ip vrf forwarding ISP100
ip address 192.168.36.3 255.255.255.0

!Ethernet0/1.13 - link to P200
interface Ethernet0/1.13
encapsulation dot1Q 13
ip address 172.16.13.3 255.255.255.0
ip router isis 1
mpls ip

router isis 1
net 49.0001.0030.0300.3003.00
is-type level-2-only
passive-interface Loopback1

router bgp 200

!iBGP VPNv4 with PE2001
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 update-source Loopback1

address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 2.2.2.2 next-hop-self
exit-address-family

address-family ipv4 vrf ISP100
!eBGP IPv4 with BR1002
neighbor 192.168.36.6 remote-as 100
neighbor 192.168.36.6 activate
neighbor 192.168.36.6 as-override
neighbor 192.168.36.6 send-label
exit-address-family

AS100 router configs - left side

BR1001

hostname BR1001

interface Loopback1
ip address 4.4.4.4 255.255.255.255

!Ethernet0/0.24 - link to PE2001
interface Ethernet0/0.24
encapsulation dot1Q 24
ip address 192.168.24.4 255.255.255.0

!Ethernet0/0.45 - link to P1001
interface Ethernet0/0.45
encapsulation dot1Q 45
ip address 10.0.45.4 255.255.255.0
mpls ip

router ospf 1
router-id 4.4.4.4
redistribute bgp 100 subnets
network 4.4.4.4 0.0.0.0 area 0
network 10.0.45.4 0.0.0.0 area 0

ip prefix-list 1 seq 5 permit 11.11.11.11/32
route-map Loopbacks permit 10
match ip address prefix-list 1

router bgp 100

no bgp default ipv4-unicast
!eBGP IPv4 with PE2001
neighbor 192.168.24.2 remote-as 200

address-family ipv4
redistribute ospf 1 route-map Loopbacks
neighbor 192.168.24.2 activate
neighbor 192.168.24.2 send-label
exit-address-family

P1001

interface Loopback1
ip address 5.5.5.5 255.255.255.255

!Ethernet0/0.5 - link to PE1001
interface Ethernet0/0.5
encapsulation dot1Q 5
ip address 10.0.5.5 255.255.255.0
mpls ip

!Ethernet0/0.45 - link to BR1001
interface Ethernet0/0.45
encapsulation dot1Q 45
ip address 10.0.45.5 255.255.255.0
mpls ip

router ospf 1
router-id 5.5.5.5
network 5.5.5.5 0.0.0.0 area 0
network 10.0.5.5 0.0.0.0 area 0
network 10.0.45.5 0.0.0.0 area 0

PE1001

hostname PE1001

ip vrf Client
rd 100:1
route-target export 100:1
route-target import 100:1

interface Loopback1
ip address 11.11.11.11 255.255.255.255

!Ethernet0/0.5 - link to P1001
interface Ethernet0/0.5
encapsulation dot1Q 5
ip address 10.0.5.11 255.255.255.0
mpls ip

!Ethernet0/0.200 - link to CPE1
interface Ethernet0/0.200
encapsulation dot1Q 200
ip vrf forwarding Client
ip address 100.50.25.1 255.255.255.0

router ospf 1
router-id 11.11.11.11
network 10.0.5.11 0.0.0.0 area 0
network 11.11.11.11 0.0.0.0 area 0

ip route vrf Client 22.22.22.22 255.255.255.255 100.50.25.2

router bgp 100

no bgp default ipv4-unicast
!iBGP VPNv4 with PE1002
neighbor 8.8.8.8 remote-as 100
neighbor 8.8.8.8 update-source Loopback1

address-family vpnv4
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community both
exit-address-family

address-family ipv4 vrf Client
redistribute connected
redistribute static
exit-address-family

AS100 router configs - right side

BR1002

hostname BR1002

interface Loopback1
ip address 6.6.6.6 255.255.255.255

!Ethernet0/0.36 - link to PE2002
interface Ethernet0/0.36
encapsulation dot1Q 36
ip address 192.168.36.6 255.255.255.0

!Ethernet0/0.67 - link to P1002
interface Ethernet0/0.67
encapsulation dot1Q 67
ip address 172.16.67.6 255.255.255.0
mpls ip

router ospf 1
router-id 6.6.6.6
redistribute bgp 100 subnets
network 6.6.6.6 0.0.0.0 area 0
network 172.16.67.6 0.0.0.0 area 0

ip prefix-list 1 seq 5 permit 8.8.8.8/32
route-map Loopback permit 10
match ip address prefix-list 1

router bgp 100

no bgp default ipv4-unicast
!eBGP IPv4 with PE2002
neighbor 192.168.36.3 remote-as 200

address-family ipv4
redistribute ospf 1 route-map Loopback
neighbor 192.168.36.3 activate
neighbor 192.168.36.3 send-label
exit-address-family

P1002

hostname P1002

interface Loopback1
ip address 7.7.7.7 255.255.255.255

!Ethernet0/0.67 - link to BR1002
interface Ethernet0/0.67
encapsulation dot1Q 67
ip address 172.16.67.7 255.255.255.0
mpls ip

!Ethernet0/0.78 - link to PE1002
interface Ethernet0/0.78
encapsulation dot1Q 78
ip address 172.16.78.7 255.255.255.0
mpls ip

router ospf 1
router-id 7.7.7.7
network 7.7.7.7 0.0.0.0 area 0
network 172.16.67.7 0.0.0.0 area 0
network 172.16.78.7 0.0.0.0 area 0

PE1002

hostname PE1002

ip vrf Client
rd 100:1
route-target export 100:1
route-target import 100:1

interface Loopback1
ip address 8.8.8.8 255.255.255.255

!Ethernet0/1.78 - link to P1002
interface Ethernet0/1.78
encapsulation dot1Q 78
ip address 172.16.78.8 255.255.255.0
mpls ip

!Ethernet0/1.300 - link to CPE2
interface Ethernet0/1.300
encapsulation dot1Q 300
ip vrf forwarding Client
ip address 200.100.50.1 255.255.255.0

router ospf 1
router-id 8.8.8.8
network 8.8.8.8 0.0.0.0 area 0
network 172.16.78.8 0.0.0.0 area 0

ip route vrf Client 33.33.33.33 255.255.255.255 200.100.50.2

router bgp 100

no bgp default ipv4-unicast
!iBGP VPNv4 with PE1001
neighbor 11.11.11.11 remote-as 100
neighbor 11.11.11.11 update-source Loopback1

address-family vpnv4
neighbor 11.11.11.11 activate
neighbor 11.11.11.11 send-community extended
exit-address-family

address-family ipv4 vrf Client
redistribute connected
redistribute static
exit-address-family

CPE router configs

CPE 1
hostname CPE1

interface Loopback1
ip address 22.22.22.22 255.255.255.255

!Ethernet0/0 - link to PE1001
interface Ethernet0/0
ip address 100.50.25.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 100.50.25.1

CPE 2
hostname CPE2

interface Loopback1
ip address 33.33.33.33 255.255.255.255

!Ethernet0/0 - link to PE1002
interface Ethernet0/0
ip address 200.100.50.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 200.100.50.1

At this point, connectivity between 22.22.22.22 and 33.33.33.33 can be tested.

Happy studying, and those who want to go deeper are welcome at the courses of the local Cisco Netschool academy, where I teach CCNA, CCNP and CCNA Security.