MPLS Tunnel LSP

Posted: September 20, 2010 in Traffic Engineering

Hi All

I have just landed, coming back from Benguela (Fanta Dj tour). I want to make sure I write one post per week, given the time consumed by designing/writing/testing. Let's focus on how an MPLS tunnel LSP works; this is our diagram.

This is the initial setup of the MPLS cloud; the configuration is straightforward, nothing special here.
PE1 Config:
PE1#sh run
Building configuration...
!
hostname PE1
!
!
ip vrf IWS
rd 1:1
route-target export 1:1
route-target import 1:1
!
!
mpls ldp router-id Loopback0
mpls label protocol ldp
!
interface Loopback0
ip address 55.5.5.1 255.255.255.255
!
interface Loopback1
ip vrf forwarding IWS
ip address 1.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 55.5.1.1 255.255.255.252
mpls ip
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 55.5.5.2 remote-as 1
neighbor 55.5.5.2 update-source Loopback0
!
address-family vpnv4
neighbor 55.5.5.2 activate
neighbor 55.5.5.2 send-community extended
exit-address-family
!
address-family ipv4 vrf IWS
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
end
PE2 Config:
PE2#sh run
Building configuration...
Current configuration : 1849 bytes
!
hostname PE2
!
!
ip vrf IWS
rd 1:1
route-target export 1:1
route-target import 1:1
!
!
mpls ldp router-id Loopback0
mpls label protocol ldp
!
!
interface Loopback0
ip address 55.5.5.2 255.255.255.255
!
interface Loopback1
ip vrf forwarding IWS
ip address 2.2.2.2 255.255.255.0
!
interface Serial1/0
ip address 55.5.1.10 255.255.255.252
mpls ip
!
interface Serial1/1
ip address 55.5.1.14 255.255.255.252
mpls ip
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 55.5.5.1 remote-as 1
neighbor 55.5.5.1 update-source Loopback0
!
address-family vpnv4
neighbor 55.5.5.1 activate
neighbor 55.5.5.1 send-community extended
exit-address-family
!
address-family ipv4 vrf IWS
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
end
P1 Config:
P1#sh run
Building configuration...
Current configuration : 1575 bytes
!
!
hostname P1
!
!
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!
interface Loopback0
ip address 55.5.5.3 255.255.255.255
!
interface Ethernet0/0
ip address 55.5.1.5 255.255.255.252
ip ospf network point-to-point
tag-switching ip
!
interface Serial1/0
ip address 55.5.1.9 255.255.255.252
tag-switching ip
!
interface Serial1/1
ip address 55.5.1.2 255.255.255.252
tag-switching ip
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
end
P2 Config:
P2#sh run
Building configuration...
Current configuration : 1546 bytes
!
hostname P2
!
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!
interface Loopback0
ip address 55.5.5.4 255.255.255.255
!
interface Ethernet0/0
ip address 55.5.1.6 255.255.255.252
ip ospf network point-to-point
tag-switching ip
!
interface Serial1/0
ip address 55.5.1.13 255.255.255.252
tag-switching ip
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
end

The goal is end-to-end connectivity between the IWS remote sites, so we only need to verify the LSP between PE1 and PE2 (the PE loopbacks are the BGP next hops of the VPN routes, so that is the FEC the VPN traffic rides on).

PE1:

PE1#show mpls forwarding-table 55.5.5.2

Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
19     17            55.5.5.2/32       0             Se1/0      point2point
PE1#

PE1 pushes outgoing label 17 (learned from P1) on traffic for the PE2 loopback 55.5.5.2/32; 19 is the local label PE1 itself advertised for that prefix, not the label it sends.
Both P routers show "Pop tag" for this prefix: PE2 advertised implicit-null for its own loopback, so P1 and P2 each perform penultimate hop popping (PHP).

P1:

P1#show mpls forwarding-table 55.5.5.2
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Pop tag     55.5.5.2/32       4873       Se1/0      point2point

No need to check PE2: 55.5.5.2 is its own loopback, so after PHP the transport label is already gone when the packet arrives.

P2:

P2#show mpls forwarding-table 55.5.5.2
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Pop tag     55.5.5.2/32       0          Se1/0      point2point
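A practitioner usually wants this label chain checked rather than eyeballed. The following is an added example, not from the original post: it parses the show mpls forwarding-table rows above (copied into the script) and verifies that the label PE1 imposes equals the local label P1 allocated for the FEC, and that the last transit hop pops (PHP). The second call deliberately feeds P2's table as if it were the next hop, to show how a wrong path assumption surfaces as a label mismatch.

```python
import re

# One row of "show mpls forwarding-table": local label, outgoing label/action, optional [T],
# FEC, bytes switched, outgoing interface, next hop. Works for both "Label" and "tag" headers.
ROW = re.compile(
    r"^\s*(\d+)\s+(Pop tag|Pop Label|No Label|Untagged|Aggregate|\d+)\s+"
    r"(?:\[T\]\s+)?(\S+/\d+)\s+\d+\s+(\S+)\s+(\S+)"
)

# Outputs copied from the post
PE1_OUT = """
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
19     17            55.5.5.2/32       0             Se1/0      point2point
"""
P1_OUT = """
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Pop tag     55.5.5.2/32       4873       Se1/0      point2point
"""
P2_OUT = """
18     Pop tag     55.5.5.2/32       0          Se1/0      point2point
"""


def parse_lfib(text):
    """Map FEC -> {local, out, oif, nh} from one router's forwarding-table output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, out, fec, oif, nh = m.groups()
            rows[fec] = {"local": int(local), "out": out, "oif": oif, "nh": nh}
    return rows


def check_lsp(fec, hops):
    """hops: [(router, show output)] in path order, ingress PE first, penultimate hop last.

    Returns the label the ingress imposes, any label mismatches between adjacent
    hops, and whether the last transit hop does PHP (pops) toward the egress PE.
    """
    parsed = []
    for router, text in hops:
        entry = parse_lfib(text).get(fec)
        if entry is None:
            return {"imposed": None,
                    "mismatches": ["%s has no entry for %s" % (router, fec)],
                    "php": False}
        parsed.append((router, entry))
    first = parsed[0][1]
    imposed = int(first["out"]) if first["out"].isdigit() else None
    mismatches = []
    for (up, e1), (down, e2) in zip(parsed, parsed[1:]):
        if not e1["out"].isdigit():
            mismatches.append("%s sends '%s' before reaching %s" % (up, e1["out"], down))
        elif int(e1["out"]) != e2["local"]:
            mismatches.append("%s sends label %s but %s allocated local label %d"
                              % (up, e1["out"], down, e2["local"]))
    php = parsed[-1][1]["out"].startswith("Pop")
    return {"imposed": imposed, "mismatches": mismatches, "php": php}


if __name__ == "__main__":
    print(check_lsp("55.5.5.2/32", [("PE1", PE1_OUT), ("P1", P1_OUT)]))
    # A wrong assumption about the path shows up as a label mismatch:
    print(check_lsp("55.5.5.2/32", [("PE1", PE1_OUT), ("P2", P2_OUT)]))
```

The first call reports imposed label 17, no mismatches and PHP at P1; the second reports that PE1 sends 17 while P2 allocated 18, which is exactly what an operator would see if traffic were somehow steered onto the P2 link without a label swap in between.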

The ping to the IWS remote site succeeds:

PE1#ping vrf IWS 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/28 ms
PE1#

MPLS is working properly. Now suppose that for customer IWS (simulated by Loopback1 on PE1 and PE2) we want traffic from PE2 to take the path PE2 -> P2 -> P1 -> PE1 instead of the direct PE2 -> P1 link. The TE tunnel will end at P1 rather than at PE1, and that is precisely the situation where an LSP can break or misroute: P1 is not a PE for this VRF and cannot interpret a VPN label.
First we trace from PE1 to PE2 to see which path traffic takes today.

PE1#traceroute 55.5.5.2

Type escape sequence to abort.
Tracing the route to 55.5.5.2

1 55.5.1.2 [MPLS: Label 17 Exp 0] 68 msec 12 msec 12 msec
2 55.5.1.10 12 msec *  16 msec
PE1#

Traffic goes PE1 -> P1 -> PE2, as expected, and everything works.
Now let's set up a unidirectional TE tunnel from PE2 to P1, steered through P2. The configuration:

P1 and P2 Configs:

mpls traffic-eng tunnels
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
interface Ethernet0/0
mpls traffic-eng tunnels
ip rsvp bandwidth
!
interface Serial1/0
mpls traffic-eng tunnels
ip rsvp bandwidth
end

PE2:

mpls traffic-eng tunnels
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
interface Serial1/0
mpls traffic-eng tunnels
ip rsvp bandwidth
!
interface Serial1/1
mpls traffic-eng tunnels
ip rsvp bandwidth
!
interface Tunnel0
ip unnumbered Loopback0
tunnel destination 55.5.5.3
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 1 explicit name P2->P1
tunnel mpls traffic-eng path-option 2 dynamic
!
ip explicit-path name P2->P1 enable
next-address 55.5.1.13
next-address 55.5.1.5
next-address 55.5.5.3
!
end

At this point the tunnel is up, as the outputs show:

PE2#show mpls traffic-eng tunnels brief | in PE2_t0
PE2_t0                           55.5.5.3         -         Se1/1     up/up

PE2#show mpls forwarding-table 55.5.5.1 | in Tu0
18     No Label  [T] 55.5.5.1/32       0             Tu0        point2point

But the label switched path is now broken, as the ping shows. With autoroute announce, PE2's IGP next hop for 55.5.5.1/32 became Tu0, yet there is no LDP session over the tunnel, so PE2 has no outgoing transport label for that FEC ("No Label"). A VPN packet would enter the tunnel with nothing but its VPN label underneath the TE label, and P1, at the tunnel tail, has no way to interpret a label that PE1 allocated.

PE2#ping vrf IWS 1.1.1.1 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)

A tunnel in one direction only is not enough: the targeted LDP session across the tunnel needs P1 to talk back to PE2, and P1 will not accept PE2's targeted hellos on its own. The fix used here is a second TE tunnel from P1 back to PE2 and mpls ip on both tunnel interfaces, which brings up the LDP session over the tunnels and gives PE2 a label for 55.5.5.1/32 from P1. (The alternative, not shown here, is to let P1 accept targeted hellos with mpls ldp discovery targeted-hello accept.)

P1:
P1#sh run int tun0

interface Tunnel0
ip unnumbered Loopback0
mpls ip
tunnel destination 55.5.5.2
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 1 explicit name P2->PE2
tunnel mpls traffic-eng path-option 2 dynamic
no routing dynamic
end

P1#sh run | se ip expli
ip explicit-path name P2->PE2 enable
next-address 55.5.1.6
next-address 55.5.1.14
next-address 55.5.5.2

PE2: just enable MPLS on the tunnel interface:

interface Tunnel0
mpls ip

Now PE2 has a transport label (18, learned from P1) and the packet is label switched out of the tunnel:

PE2#show mpls forwarding-table 55.5.5.1 | in Tu0
18     18        [T] 55.5.5.1/32       0             Tu0        point2point

Trying the ping again:

PE2#ping vrf IWS 1.1.1.1 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to  1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/56 ms
PE2#
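To make the failure mode concrete, here is an added example (not from the post) that walks a vrf IWS packet hop by hop with the label stacks PE2 would impose in the "No Label" state and after the fix. LFIB entries printed on this page are used as-is; the VPN label, the RSVP label from P2 and P1's entry for 55.5.5.1/32 are not on the page and are assumed values, marked ASSUMED in the code. It also shows why the broken state is worse than a plain drop: a VPN label is only meaningful on the egress PE, and if its value happens to collide with one of P1's local labels, P1 will happily forward the customer's packet somewhere else.

```python
# Forwarding actions as "show mpls forwarding-table" prints them
SWAP, POP, VRF = "swap", "Pop", "vrf"

# Label values from the post's outputs; anything marked ASSUMED is not on the page
LDP_LABEL_PE1_FROM_P1 = 18   # post: PE2's outgoing label for 55.5.5.1/32 via Tu0 after the fix
TE_LABEL_FROM_P2 = 16        # ASSUMED: RSVP label P2 signalled to PE2 for tunnel PE2 -> P2 -> P1


def build_lfibs(vpn_label):
    """Per-router LFIB: local label -> (action, outgoing label, next router)."""
    return {
        "PE1": {19: (SWAP, 17, "P1"),                  # 55.5.5.2/32 (post)
                vpn_label: (VRF, None, "IWS")},        # ASSUMED VPN label PE1 allocated for vrf IWS
        "P1":  {17: (POP, None, "PE2"),                # 55.5.5.2/32 (post)
                18: (POP, None, "PE1")},               # 55.5.5.1/32 (ASSUMED: PE1 is next hop, PHP)
        "P2":  {18: (POP, None, "PE2"),                # 55.5.5.2/32 (post)
                TE_LABEL_FROM_P2: (POP, None, "P1")},  # ASSUMED: P2 is penultimate hop of the tunnel
        "PE2": {},                                     # ingress of this walk; imposition is separate
    }


def pe2_impose(vpn_label, ldp_over_tunnel):
    """Label stack PE2 pushes on a vrf IWS packet for 1.1.1.1 (bottom of stack first).

    ldp_over_tunnel=False is the "No Label" state from the post: only the TE label
    sits on top of the VPN label, so the VPN label is what the tunnel tail P1 sees.
    """
    stack = [vpn_label]
    if ldp_over_tunnel:
        stack.append(LDP_LABEL_PE1_FROM_P1)
    stack.append(TE_LABEL_FROM_P2)
    return stack


def walk(lfibs, stack):
    """Label-switch the stack hop by hop from PE2 into the tunnel; return (outcome, path)."""
    node, path, stack = "P2", ["PE2"], list(stack)
    while stack:
        path.append(node)
        entry = lfibs[node].get(stack[-1])
        if entry is None:
            return "dropped at %s: no LFIB entry for label %d" % (node, stack[-1]), path
        action, out_label, nxt = entry
        stack.pop()
        if action == VRF:
            return "delivered into vrf %s on %s" % (nxt, node), path
        if action == SWAP:
            stack.append(out_label)
        node = nxt
    path.append(node)
    return "unlabeled IP packet at %s" % node, path


if __name__ == "__main__":
    # (VPN label, LDP over the tunnel): fixed state, "No Label" state, and a label collision
    for vpn_label, ldp in ((22, True), (22, False), (17, False)):
        print(vpn_label, ldp, walk(build_lfibs(vpn_label), pe2_impose(vpn_label, ldp)))
```

With LDP over the tunnel the packet leaves PE2 as [VPN, 18, TE], P2 pops the TE label, P1 pops 18 and PE1 terminates the VPN label. Without it, P1 receives the bare VPN label: an unknown value is dropped, but a value equal to P1's local label 17 is popped and sent toward PE2 as plain IP, which is the misrouting the tunnel design has to avoid.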

That concludes this post; it walked through how an MPLS LSP works and an advanced MPLS TE scenario from the field. I hope the concepts are clear; post a comment.

//Jeriel Atienza

Telnet to the star wars

Posted: September 14, 2010 in General

Hi All

Just copy and paste:

telnet towel.blinkenlights.nl

Enjoyyy

The FWSM (Firewall Services Module) is a high-performance firewall compared with the ASA and the PIX: a stateful firewall installed in the Catalyst 6500 switch and the Cisco 7600 router. Firewalls protect internal networks from unauthorized access coming from outside, and also from other internal networks, for example keeping the Finance network separate from the Admin network, as in the diagram.

Below is the basic configuration of the FWSM, in routed mode, for the context with hostname IWS, followed by the router; the internal networks are simulated by loopbacks with the corresponding descriptions.

FWSM:

C6500-MFW-01# changeto context IWS

C6500-MFW-01/IWS# sh run
: Saved
:
FWSM Version 4.0(4) <context>
!
hostname IWS
!
names
name 10.254.1.8 Finance
name 10.254.1.16 Admin

dns-guard
interface Vlan100
description IWS OUTSIDE L3 INTERFACE
nameif outside
security-level 0
ip address 61.1.1.1 255.255.255.0
!
interface Vlan110
description IWS INSIDE L3 INTERFACE
nameif inside
security-level 100
ip address 10.254.1.1 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 61.1.1.2 1
route inside Admin 255.255.255.248 10.254.1.2
route inside Finance 255.255.255.248 10.254.1.2

!
ssh 10.254.1.16 255.255.255.248 admin
ssh timeout 5
ssh version 2
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect snmp
inspect icmp // not enabled by default, added here
!
service-policy global_policy global
Cryptochecksum:ac5d67f215d748f06748d6e469e7066b
: end
C6500-MFW-01/IWS#

!
! Note that in the "route inside" commands the networks were replaced by their names;
! route inside Admin 255.255.255.248 10.254.1.2 is equivalent to:
! route inside 10.254.1.16 255.255.255.248 10.254.1.2.
!
The security-level command controls the direction in which traffic is allowed to start: an interface with a higher security level can reach an interface with a lower one, and the stateful engine lets the replies back in. It makes sense for the inside interface to be allowed to reach the outside interface, but not the reverse unless it is explicitly permitted, by an ACL or otherwise. By default, naming an interface inside makes the FWSM assign security level 100, and any other name (outside here) gets level 0, so traffic flows from inside to outside.

Router:

CE#sh run
Building configuration...
Current configuration : 1035 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
interface Loopback0
description Admin Network
ip address 10.254.1.17 255.255.255.248
!
interface Loopback1
description Finance Network
ip address 10.254.1.9 255.255.255.248
!
interface GigabitEthernet0/0
description CONNECTION TO FWSM [CONTEXT IWS]
ip address 10.254.1.2 255.255.255.248
full-duplex
!
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 10.254.1.1 name MY_EXIT
!
line con 0
!
line aux 0
!
line vty 0 4
login local
!
!
end
CE#

Let's now test connectivity:

CE#ping 10.254.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CE#

Oh, bad news …

Let's try from one of the internal networks:

CE#ping 10.254.1.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.254.1.17
.....
Success rate is 0 percent (0/5)
CE#

CE#ping 10.254.1.1 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.254.1.9
.....
Success rate is 0 percent (0/5)
CE#

The failed pings are a consequence of how the FWSM is designed: by default the FWSM does not answer pings to its interfaces; that has to be enabled explicitly.

Let's configure the FWSM to answer ping requests, as a best practice only from the Admin network (restricting which sources may reach the firewall's own interfaces is management-plane hardening, not just convenience).

FWSM Config:

C6500-MFW-01/IWS# sh run icmp
!
icmp permit 10.254.1.16 255.255.255.248 inside
!
C6500-MFW-01/IWS#

CE#ping 10.254.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CE#

Life is not easy, again!!!!

Let's try from one of the internal networks:

CE#ping 10.254.1.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.254.1.17
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
CE#

Life is pretty good, …

CE#ping 10.254.1.1 source lo1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.254.1.9
.....
Success rate is 0 percent (0/5)
CE#

It is expected that the first and the last tests get no replies: one was sourced from the interface directly connected to the FWSM (10.254.1.2) and the other from the Finance network, and neither source is covered by the icmp permit.
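The interface policy and the icmp rule above can be checked against the config instead of by pinging. The following is an added example, not part of the original post: it parses the nameif/security-level and icmp lines copied from the IWS context and evaluates the three ping sources from the tests (10.254.1.2, Admin 10.254.1.17, Finance 10.254.1.9) plus the basic inside/outside direction rule. The "no icmp rule matches means deny" behaviour is modelled on what the post observed; the acl_permits parameter is a placeholder for an access-group applied on the ingress interface, which the page does not configure.

```python
import ipaddress

# Interface and icmp lines copied from the FWSM context IWS config in the post
FWSM_CONFIG = """
interface Vlan100
 nameif outside
 security-level 0
 ip address 61.1.1.1 255.255.255.0
!
interface Vlan110
 nameif inside
 security-level 100
 ip address 10.254.1.1 255.255.255.248
!
icmp permit 10.254.1.16 255.255.255.248 inside
"""


def parse_fwsm(config):
    """Return ({nameif: {level, addr}}, [(action, network, nameif)]) from the config text."""
    ifaces, icmp_rules, name = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # attributes belong to the nameif that follows
        elif line.startswith("nameif "):
            name = line.split()[1]
            ifaces[name] = {}
        elif line.startswith("security-level ") and name:
            ifaces[name]["level"] = int(line.split()[1])
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()
            ifaces[name]["addr"] = ipaddress.ip_interface("%s/%s" % (ip, mask))
        elif line.startswith("icmp "):
            _, action, ip, mask, ifname = line.split()
            net = ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)
            icmp_rules.append((action, net, ifname))
    return ifaces, icmp_rules


def through_traffic_allowed(ifaces, ingress, egress, acl_permits=None):
    """Default interface policy when no access-group is applied on the ingress interface:
    higher security level -> lower is allowed (and the stateful reply comes back),
    lower -> higher is denied, equal levels are denied unless same-security-traffic is set.
    acl_permits (hypothetical) stands in for an ACL applied on the ingress interface."""
    if acl_permits is not None:
        return acl_permits
    return ifaces[ingress]["level"] > ifaces[egress]["level"]


def to_the_box_icmp_allowed(icmp_rules, src_ip, ingress):
    """ICMP addressed to a FWSM interface: first matching icmp rule for that interface wins.
    No match is treated as deny, which is what the post observed before any rule existed."""
    src = ipaddress.ip_address(src_ip)
    for action, net, ifname in icmp_rules:
        if ifname == ingress and src in net:
            return action == "permit"
    return False


if __name__ == "__main__":
    ifaces, rules = parse_fwsm(FWSM_CONFIG)
    print("inside -> outside:", through_traffic_allowed(ifaces, "inside", "outside"))
    print("outside -> inside:", through_traffic_allowed(ifaces, "outside", "inside"))
    for src in ("10.254.1.2", "10.254.1.17", "10.254.1.9"):
        print("ping 10.254.1.1 from", src, "->", to_the_box_icmp_allowed(rules, src, "inside"))
```

The last check in the test below is the one worth keeping in mind: the rule is bound to an interface, so the same Admin source address arriving on outside (a spoofed packet) is still refused.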

Our network is now working; next we set up NAT to reach the server http://www.iws.co.ao and other external services. One challenge is that the DNS server is not part of our network; we will present it as if it were our internal DNS server. Since the outside network has no routes to the internal network, NAT is needed to translate the internal addresses to one of the outside network's addresses.

DNS server IP: 10.254.1.3 (inside view of the outside server 61.1.1.53)
NAT outside IP: 61.1.1.10

C6500-MFW-01/IWS# sh run static

!
static (outside,inside) 10.254.1.3 61.1.1.53 netmask 255.255.255.255 dns
nat (inside) 1 10.254.1.16 255.255.255.248
nat (inside) 1 10.254.1.8 255.255.255.248
nat (global) 1 61.1.1.10

!
C6500-MFW-01/IWS#

First the address pools are created and tied to the NAT ID, 1 in our case, and then the pool (inside) is mapped to the public address (global). The static (outside,inside) entry presents the outside DNS server 61.1.1.53 to the inside as 10.254.1.3. The key for DNS is the dns keyword, a.k.a. DNS reply modification: with DNS inspection on, answers that carry an address covered by a static translation are rewritten to the translated address as they cross the firewall.
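To show what the dns keyword actually changes on the wire, here is an added example (not from the post) that builds a DNS reply and applies the rewrite the static above describes: an A record answering with the real outside address 61.1.1.53, delivered to the inside, becomes 10.254.1.3, while www.iws.co.ao (61.1.1.80, which has no static) passes untouched, matching the ping output further down. The name ns.iws.co.ao and the reply contents are constructed test data; only one direction of the rewrite (real address to mapped address, toward the mapped interface) is modelled, and on the FWSM this only happens when inspect dns is enabled, as it is in the post's global_policy.

```python
import struct
import ipaddress

# From the post: static (outside,inside) 10.254.1.3 61.1.1.53 netmask 255.255.255.255 dns
# Fields: real interface, mapped interface, mapped address, real address, dns keyword present
STATICS = [("outside", "inside", "10.254.1.3", "61.1.1.53", True)]


def encode_name(name):
    """DNS wire-format name, no compression (used only to build constructed replies)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_reply(qname, answers, txid=0x1234):
    """Constructed DNS response: one A question and a list of (name, ipv4) A answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # type A, class IN
    rrs = b"".join(
        encode_name(n) + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
        for n, ip in answers
    )
    return header + question + rrs


def skip_name(msg, off):
    """Offset just past a name; a compression pointer (0xC0xx) ends the name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def doctor_reply(msg, egress_if):
    """DNS reply modification as the 'dns' keyword does it for one direction:
    an A record carrying a static's real address, leaving on the mapped interface,
    is rewritten to the mapped address. Returns (new message, [(old, new)])."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    buf, off, changes = bytearray(msg), 12, []
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4                       # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                       # A record
            addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            for _real_if, mapped_if, mapped_ip, real_ip, dns in STATICS:
                if dns and egress_if == mapped_if and addr == real_ip:
                    buf[off:off + 4] = ipaddress.IPv4Address(mapped_ip).packed
                    changes.append((addr, mapped_ip))
        off += rdlen
    return bytes(buf), changes


if __name__ == "__main__":
    www = build_reply("www.iws.co.ao", [("www.iws.co.ao", "61.1.1.80")])
    print("www:", doctor_reply(www, "inside")[1])            # no static -> unchanged
    ns = build_reply("ns.iws.co.ao", [("ns.iws.co.ao", "61.1.1.53")])
    print("ns :", doctor_reply(ns, "inside")[1])             # rewritten to 10.254.1.3
```

The inside client therefore always sees addresses it can actually route to through the firewall; without the keyword it would learn 61.1.1.53, which from the inside is only reachable via the default route and the dynamic NAT, not via the static.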

DNS configuration on the CE router:

CE#sh run | in ip name-se
!
ip name-server 10.254.1.3
!
CE#

Now let's test connectivity to the Internetworking Solutions web server (www.iws.co.ao).

CE#ping www.iws.co.ao source lo0

Translating “www.iws.co.ao”…domain server (10.254.1.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.1.1.80, timeout is 2 seconds:
Packet sent with a source address of 10.254.1.17
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
CE#

Note that the same works on the ASA/PIX, with small differences.

HTH

Hi All

Posted: September 13, 2010 in General

Welcome to my blog,

This blog aims to share resources and best practices in networking and telecommunications technologies, as a practical guide for network engineers working with these technologies and as a help for Cisco certification candidates. The blog will cover topics from the most basic up to advanced techniques.

Once again, welcome.