Saturday, February 28, 2009

Explanation: Forwarding Address In LSA 5

I posted a few lines on the forwarding address in LSA 5 but did not get time to simulate the lab and pass on the results. Packet Life has since posted an excellent explanation of the same topic. Security should be kept in mind while designing and implementing such solutions.
Most of the time providers never go with these types of solutions; in extreme cases it could happen only if you own both service providers or you are running multiple AS numbers in your SP MPLS/IP VPN cloud.


regards
shivlu jain

Sell Bandwidth Not Speed

Selling bandwidth to customers is quite easy, but maintaining the speed is laborious work. Customers always expect to get the same speed as the bandwidth they subscribed for, but it is a really hectic job to deliver exactly what was committed to the customer. Sales people always sell bandwidth as if it were speed. Take one example: when a bandwidth of 10 Mbps is sold to a customer, it does not mean the customer will get 10 Mb in every second, yet customers always demand exactly that. In fact, if we do the calculation with the formula given below, we can find out how much committed burst can be given to the customer per interval.

BC=TC*CIR

BC = Committed Burst
TC = Committed Time Interval
CIR = Committed Information Rate

CIR is the total number of bits that will flow in a second, or you can say the shaped rate.
TC is the committed time interval per burst.
BC is the committed burst which can be sent in a particular interval.

In Cisco IOS a second is divided into 8 time intervals of 125 ms each (125*8 = 1000 ms or 1 sec). If you want to provide 64000 bits or 64 Kbps to a customer then you need to calculate the burst, because that will be the maximum value which can be sent in one time interval of 125 ms. So CIR = 64000 and Tc = 125 ms. Now calculate Bc, which equals (125/1000 * 64000) = 8000 bits. The result is clear: in a single interval the customer cannot pump more than 8000 bits when he owns a speed of 64 Kbps. This is what we need to make clear to the customer before selling the bandwidth.
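The Bc = Tc * CIR relationship above, worked through as a small shaper model (an added example, not code from the original post). It uses the post's CIR of 64000 bit/s and Tc of 125 ms; the offered-traffic patterns are constructed for the demonstration, and excess traffic is queued to the next interval rather than dropped.

```python
"""Bc = Tc * CIR shaper model (added example, not part of the original post).

Models a Cisco-style shaper with Tc = 125 ms: every interval the bucket
receives Bc bits, and whatever the customer offers beyond Bc waits for the
next interval.  CIR and Tc are the values from the post; the offered-traffic
pattern is constructed for the demonstration.
"""


def committed_burst(cir_bps: int, tc_ms: int) -> int:
    """Bc (bits) = Tc (seconds) * CIR (bits per second)."""
    return cir_bps * tc_ms // 1000


def intervals_per_second(tc_ms: int) -> int:
    """Number of Tc intervals in one second (8 for Tc = 125 ms)."""
    return 1000 // tc_ms


def shape(offered_bits: list, cir_bps: int, tc_ms: int) -> dict:
    """Run the shaper over consecutive Tc intervals.

    offered_bits[i] is what the customer tries to send in interval i.
    Returns per-interval sent bits, the backlog still waiting after each
    interval, and the largest amount ever sent in a single interval.
    """
    bc = committed_burst(cir_bps, tc_ms)
    backlog = 0
    sent, waiting = [], []
    for offered in offered_bits:
        backlog += offered              # everything offered joins the queue
        out = min(backlog, bc)          # at most Bc leaves per interval
        backlog -= out
        sent.append(out)
        waiting.append(backlog)
    return {"bc": bc, "sent": sent, "waiting": waiting, "peak": max(sent)}


def one_second_report(cir_bps: int, tc_ms: int, burst_bits: int) -> dict:
    """Customer fires one burst in the first interval and stays silent for the
    rest of the second: shows how the burst is spread over the Tc slots."""
    n = intervals_per_second(tc_ms)
    offered = [burst_bits] + [0] * (n - 1)
    result = shape(offered, cir_bps, tc_ms)
    result["delivered_in_1s"] = sum(result["sent"])
    return result


if __name__ == "__main__":
    r = one_second_report(cir_bps=64000, tc_ms=125, burst_bits=20000)
    print(f"Bc = {r['bc']} bits per 125 ms interval")
    print("sent per interval:", r["sent"])
    print("still waiting after each interval:", r["waiting"])
```

Running it shows a 20000-bit burst leaving as 8000, 8000, 4000 over three intervals, and a customer offering 10000 bits every interval never getting more than 64000 bits through in a second.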


regards
shivlu jain

Friday, February 27, 2009

Drops Problem In NPE-G2

For the last few days a weird drop problem has been appearing on the NPE-G2 after implementing rate limit, policing or shaping. Every time a policy is applied on a sub-interface, physical interface or tunnel, a pattern of drops starts. The total traffic on the G2 router is approximately 1 Mb. The case was even raised with Cisco TAC, and consequently they are saying there might be an issue with the IOS. I have changed the IOS many times, but in vain. Anyone facing this type of issue, please update us so that we can make some plan of action to resolve it.

I am still working on it and will update soon with some affirmative results.


regards
shivlu jain

Thursday, February 26, 2009

L2VPN Over Metro Ethernet


In my previous post, L2VPN Over IP/MPLS (http://shivlu.blogspot.com/2009/02/l2vpn-over-ipmpls.html), I described the modes of L2VPN and its provisioning. In this post I am going to elaborate how to deploy point to point L2VPN over Metro Ethernet rings with Q-in-Q tagging. The deployment is very clear and trouble-free. As per the diagram, the customer is terminated on an ME switch with Q-in-Q functionality. The focal advantage of using Q-in-Q in Metro Ethernet circuits is to make customer frames unique within the L2 domain while preserving the customer VLANs. The flow is given below:-
The CPE forwards the frames to the PE switch with a VLAN tag; on receiving the frames the PE switch encapsulates one more VLAN tag on top of the existing VLAN tag (it is like the label within a label of layer 3 VPN). A sub-interface is then created on the router physical interface using that same VLAN, and an xconnect is created over the Ethernet domain with the remote PE loopback as destination. When the frame is received by the remote PE it tags the frame again, preserving the existing customer VLAN, and forwards it into the Metro domain. Wherever the packet exits from the access port, the upper tag of the service provider domain is removed and the customer gets back the VLAN tag that was originally sent.
Why is this type of connectivity asked for by service providers? A good question: no service provider wants to lose the confidentiality of its esteemed customers, and providers promise their customers that they are omnipresent. Whenever a customer demands a circuit at some remote location where the SP has no feasibility, layer 2 VPN services come into the picture. One SP asks another SP to provide the layer 2 circuit, which to the customer looks as if the whole backbone belongs to their own service provider.
Monitoring of L2 circuits is not possible.
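The tag push and pop described in the flow above, as an added example (not code from the original post): a customer frame with its own VLAN tag gets a service-provider tag pushed in front of it at the PE, and the outer tag is popped again at the remote access port, leaving the customer tag intact. The VLAN numbers (customer 100, provider 400), MAC addresses and payload are constructed for the demonstration.

```python
"""Q-in-Q tag push/pop on an Ethernet frame (added example, not from the post).

Walks a customer frame through the path described above: the CPE sends a
frame with its own VLAN tag, the PE pushes a service-provider tag in front of
it, and the remote side pops that outer tag so the customer tag reappears.
Customer VID 100, provider VID 400 and the MAC addresses are constructed.
"""
import struct

TPID_CTAG = 0x8100      # 802.1Q customer tag
TPID_STAG = 0x88A8      # 802.1ad service tag (Cisco QinQ may also use 0x8100 as outer TPID)
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(tpid: int, vid: int, pcp: int = 0) -> bytes:
    """4-byte tag: TPID followed by TCI (PCP 3 bits, DEI 1 bit, VID 12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def push_tag(frame: bytes, vid: int, tpid: int = TPID_STAG, pcp: int = 0) -> bytes:
    """Insert a new outermost tag right after the destination/source MACs."""
    return frame[:12] + vlan_tag(tpid, vid, pcp) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag; refuse if the frame is untagged."""
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid not in (TPID_CTAG, TPID_STAG):
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def vlan_stack(frame: bytes) -> tuple:
    """Return (VIDs outermost first, EtherType that follows the last tag)."""
    vids, off = [], 12
    while True:
        tpid, = struct.unpack("!H", frame[off:off + 2])
        if tpid in (TPID_CTAG, TPID_STAG):
            tci, = struct.unpack("!H", frame[off + 2:off + 4])
            vids.append(tci & 0x0FFF)
            off += 4
        else:
            return vids, tpid


def customer_frame(cust_vid: int) -> bytes:
    """Constructed frame from the CPE: MACs, one C-tag, IPv4 EtherType, dummy payload."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    payload = b"\x45" + b"\x00" * 19          # placeholder IPv4 header bytes
    return dst + src + vlan_tag(TPID_CTAG, cust_vid) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def transit(cust_vid: int, sp_vid: int) -> dict:
    """CPE -> PE (push S-tag) -> Metro ring -> remote access port (pop S-tag)."""
    at_cpe = customer_frame(cust_vid)
    in_ring = push_tag(at_cpe, sp_vid)
    at_remote_cpe = pop_tag(in_ring)
    return {
        "cpe_stack": vlan_stack(at_cpe),
        "ring_stack": vlan_stack(in_ring),
        "delivered_stack": vlan_stack(at_remote_cpe),
        "preserved": at_remote_cpe == at_cpe,
    }


if __name__ == "__main__":
    for name, value in transit(cust_vid=100, sp_vid=400).items():
        print(f"{name:16s} {value}")
```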



regards

shivlu jain


Wednesday, February 25, 2009

L2VPN Over IP/MPLS


Layer 2 circuits are becoming the order of the day. Every service provider desires layer 2 circuits from other service providers to provision its customers. They can be configured in two ways:
a) Point to Point
b) Point To Multipoint
Currently the ISR, 6500 and 7200 series support point to point and the 7600 supports point to multipoint. Point to multipoint is also known as VPLS (Virtual Private LAN Service). In this post I will explain the point to point circuit and its provisioning. The service is offered on two types of cloud:
a) IP Cloud
b) MPLS Cloud
If the service provider is using an IP cloud, L2 services are offered with encapsulation l2tpv3, and if the cloud is MPLS enabled then encapsulation mpls can be used. So the difference is clear. In the given scenario the customer has an L2 domain and wants to use L2 services across the service provider cloud. A simple L2 session is created between the Delhi PE and the HYD PE over the IP cloud on the basis of loopbacks. The provisioning is trouble-free and easy to configure.
Steps for Configuring Layer 2 Services across Service Provider IP Backbone
a) Configure the basic IGP.
b) Create a pseudowire class named SHIVLU, use encapsulation L2TPv3 and set the router loopback as the local source interface.
c) On the physical interface where the client is connected, create an xconnect with the loopback address of the HYD PE as destination, and vice versa on the HYD PE.
Commands For Creating L2 VPN
pseudowire-class SHIVLU
 encapsulation l2tpv3
 ip local interface Loopback0

Interface Specific Command
interface x/y
 xconnect <remote-PE-loopback> 400 pw-class SHIVLU
Note:- 400 is the virtual circuit ID and it must be the same on the remote end. <remote-PE-loopback> stands for the loopback address of the remote PE (the HYD PE loopback on the Delhi PE and vice versa).

Verify L2 Circuit
After "show l2tun session circuit vcid 400" (or "show xconnect all") you can see the established state of the L2 session. Now ping end to end between the laptops.


regards

shivlu jain


Tuesday, February 24, 2009

Selection Of Vlan In Local Switching Domain

Till now I have not brought out anything on switching design. In this post I will let you know how to select VLANs in a switching domain, especially if spanning tree is working in that domain. Have you ever thought, during switching design, which VLAN number should be used for which type of VLAN? Let's say we have one VLAN for data, one for voice and one for video. For this I select VLAN 10 for data, VLAN 20 for video and VLAN 30 for voice. It's so simple and easy. But what happens if STP is running in that domain and the design is like Switch1-Switch2-Switch3-Switch1? One port will be in blocking mode, and if a link fails it will move to forwarding mode. This is the way spanning tree works. A question comes to mind: what do VLANs have to do with this scenario? Definitely VLANs play a major role during the convergence from one link to another; during convergence the lower-numbered VLANs always get preference over the higher-numbered VLANs. With the three VLANs I mentioned earlier, the data VLAN will always flow without any impact because it has the lowest number, while the voice VLAN number is the largest and comes into the picture last. So think about the scenario where voice should always be prioritized first: during convergence it will be the last one. If a little change is made in the numbers, the voice VLAN traffic is always preferred without any delay. So during LAN switching design, always use the lowest numbers for critical applications.


regards
shivlu jain

Saturday, February 21, 2009

Use Of Scavenger Class In QOS

While implementing QoS, the default class is used for best effort traffic. The best effort class uses DSCP marking 46. We have one more class which is below the default class; it is known as the scavenger class. It provides less than best effort service. The class is used to distinguish low-priority traffic. The marking used for this class is CS1, or DSCP 8. The major advantage of the class comes out when the network is flooded by a DoS attack: all such traffic is added to the class with 1% of the bandwidth, or whatever you want.


regards
shivlu jain

Friday, February 20, 2009

CAR and Policing

CAR is proprietary to Cisco, whereas policing supports RFC 2697. The rate-limit command is used to implement CAR, whereas the police command is used for policing. CAR works on a single token bucket, whereas policing works with separate token buckets for burst. CAR supports two colours, the conform and exceed actions, whereas policing supports three colours: the conform, exceed and violate actions. One major advantage of using policing is that you can remark packets, whereas CAR does not support that feature.

How to configure rate limit
rate-limit input 1536000 288000 576000 conform-action transmit exceed-action drop
rate-limit output 1536000 288000 576000 conform-action transmit exceed-action drop

How to configure policing
policy-map MPLSVPN
 class MPLS
  police 16000 2000 2000 conform-action transmit exceed-action drop

interface fastethernet 0/0
 service-policy output MPLSVPN

Cisco recommends using the following formulas when calculating the normal and extended burst parameters in the case of CAR:
normal burst (in bytes) = configured rate (in bits per second) * (1 byte)/(8 bits) * 1.5 seconds
extended burst = 2 * normal burst
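The two-colour CAR bucket and the three-colour RFC 2697 policer compared in working code (an added example, not from the original post). It reuses the burst formula and the "police 16000 2000 2000" numbers from above; the packet sizes and timestamps are constructed, and the CAR model is simplified to its normal-burst bucket (the extended-burst behaviour is not modelled).

```python
"""Single-bucket CAR versus RFC 2697 three-colour policing (added example,
not from the post).  The burst formula and the 'police 16000 2000 2000'
numbers come from the post; packet sizes are constructed.  CAR is modelled
with its normal-burst bucket only (no extended-burst logic)."""


def car_bursts(rate_bps: int) -> tuple:
    """Cisco guidance quoted above: normal = rate/8 * 1.5 s, extended = 2 * normal."""
    normal = rate_bps * 3 // 16          # rate * (1/8) * 1.5 without float error
    return normal, 2 * normal


class CarPolicer:
    """Two colours: conform while the single bucket has tokens, else exceed."""

    def __init__(self, rate_bps: int, normal_burst_bytes: int):
        self.rate = rate_bps / 8.0        # token rate in bytes per second
        self.size = normal_burst_bytes
        self.tokens = float(normal_burst_bytes)
        self.last = 0.0

    def classify(self, pkt_bytes: int, now: float) -> str:
        self.tokens = min(self.size, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= pkt_bytes:
            self.tokens -= pkt_bytes
            return "conform"
        return "exceed"


class SrTcmPolicer:
    """RFC 2697 single-rate three-colour marker, colour-blind mode.

    Two buckets: Tc (size CBS = bc) and Te (size EBS = be).  Tokens arrive
    at CIR, fill Tc first and overflow into Te.  Green = conform,
    yellow = exceed, red = violate, matching the 'police cir bc be' actions.
    """

    def __init__(self, cir_bps: int, cbs_bytes: int, ebs_bytes: int):
        self.rate = cir_bps / 8.0
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.tc, self.te = float(cbs_bytes), float(ebs_bytes)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        tokens = (now - self.last) * self.rate
        self.last = now
        into_c = min(tokens, self.cbs - self.tc)
        self.tc += into_c
        self.te = min(self.ebs, self.te + tokens - into_c)

    def classify(self, pkt_bytes: int, now: float) -> str:
        self._refill(now)
        if self.tc >= pkt_bytes:
            self.tc -= pkt_bytes
            return "conform"
        if self.te >= pkt_bytes:
            self.te -= pkt_bytes
            return "exceed"
        return "violate"


def run(policer, packets: list) -> list:
    """Feed (timestamp_seconds, size_bytes) pairs in order; return the colours."""
    return [policer.classify(size, t) for t, size in packets]


# Constructed burst: five 1000-byte packets at t=0, one more after a full second.
BURST = [(0.0, 1000)] * 5 + [(1.0, 1000)]


def compare_police_16000() -> dict:
    """'police 16000 2000 2000' (CIR 16 kbit/s, bc 2000 B, be 2000 B) from the
    post, against a CAR bucket with the same normal burst."""
    return {
        "car": run(CarPolicer(16000, 2000), BURST),
        "srtcm": run(SrTcmPolicer(16000, 2000, 2000), BURST),
    }


if __name__ == "__main__":
    print("rate-limit bursts for 1536000 bps:", car_bursts(1536000))
    for name, colours in compare_police_16000().items():
        print(f"{name:6s}", colours)
```

The burst helper reproduces the 288000/576000 values used in the rate-limit lines above, and the comparison shows the fifth packet of the burst landing in the violate colour that CAR cannot express.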


regards
shivlu jain

Thursday, February 19, 2009

Class Based Weighted Fair Queue

In my previous post on QoS I tried to describe the basic QoS models. Dennis Hartman is already doing a great job on QoS, and the way he explains it is fair enough to understand the basic concept of CBWFQ.
In this post I only want to add a few common and unforgettable points which should be learned by heart by each and every technology guy.

Facts Of CBWFQ
1. 64 classes can be configured, and by default each class is allocated a queue of 64 packets.
2. Traffic shaping and policing are not supported by CBWFQ.
3. If WRED (weighted random early detection) is used under the policy map then it cannot be added under the interface.
4. CBWFQ is not supported on sub-interfaces.
5. The default class uses the fair queue mechanism. If any other mechanism is implemented it is overridden.


regards
shivlu jain

Wednesday, February 18, 2009

Block Unwanted Traffic

Every service provider has a requirement to block web sites from different IP ranges. While googling I found a link which can help you get the IP list of different countries and block them.

Take a look at it.

http://www.blockacountry.com

regards
shivlu jain

Tuesday, February 17, 2009

Implementation of SSM

Yesterday I tested SSM in a service provider cloud. In my previous post I have already described the pros and cons of SSM. Opening gambit: how to implement SSM in the SP cloud. The configuration is nothing; you only need to know the concept behind it. I tested the scenario with the help of VLC player, really a useful tool to generate a multicast stream. One thing to keep in mind: if your LDP breaks in the SP cloud, MVPN is not going to break, because MVPN does not work on LDP.
The 239.232.0.0 series (see How to select multicast group) is used for the default and data MDT (see Basics of MVPN). In the first phase I implemented the solution with the default MDT and checked the stream. It was flowing across all the neighbors. After that I used the data MDT to see its convergence, with the help of "show ip pim vrf <vrf-name> mdt send" on the sender side and "show ip pim vrf <vrf-name> mdt receive" on the receiver side. After this command you can see the ref_count value, which actually tells you about the usage of your MDT groups.
Commands used for SSM

1. All interfaces should be PIM enabled.
ip pim sparse-mode
2. The loopback which is used for MP-iBGP should be PIM enabled.
Never use two loopbacks for MP-BGP.
3. Create an ACL which defines the MDT groups.
ip access-list standard 1
 permit 239.232.0.0 0.0.255.255
! the wildcard mask matches the whole 239.232.0.0 series used for the MDT groups
4. Bind the ACL with SSM.
ip pim ssm range 1
Note:- Do not use ip pim ssm default, because it will use the 232.0.0.0 group range, in which case the stream will stop forwarding.
5. SPT threshold is not going to work with SSM.

Data MDT will be the key player of SSM, because there are no more *,G entries; you will only find S,G.

regards
shivlu jain


Monday, February 16, 2009

Route Reflector Synchronization

Introduction
Route reflectors are used to break the iBGP full mesh rule. In this post I am evaluating how to synchronize both route reflectors, especially in the case of an MPLS VPN network. In my previous post I described the problems that can come up if proper route updates are missing. Most service providers use peer-groups in BGP. If you are using peer-groups then you might face the Cisco IOS bug CSCsj09838. According to the bug:
BGP sending incomplete updates when using update-groups
BGP fails to send complete update to peers who are part of an update group with more than one member. Soft clear of peer in question will fix the issue.
I have seen the problem in 12.4.11T4 as well as in 12.4 15T1.

Problem Description
Consider the figure in the last post in which PE1 and PE2 have VPNv4 peering with both route reflectors. Any VPN route advertised on PE1 should go to both route reflectors and from there be replicated to the whole cloud. Assume a VPN route is advertised by PE1 to both route reflectors and received by both. But RR1 is the only one sending the update to PE2; no update is sent by RR2. In this case, if RR1 goes down then the SLA of the VPN will be breached, which is really not a good thing for a service provider. This type of problem arises from nothing except an IOS bug.
We can get rid of this problem by putting both RRs in different clusters and then using iBGP between them. With this in place both RRs will share routes with each other. In the above problem, if iBGP is configured between the RRs then the VPN route will be advertised to RR2 by RR1 with the next hop as PE1. The cluster list will play an important role in that and will definitely stop routing loop problems.
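The cluster-list behaviour described above, replayed in a small model (an added example, not from the original post): PE1's VPN route reaches only RR1, RR1 hands it to RR2 over the iBGP session between reflectors, and RR2 accepts it only when the reflectors are in different clusters. Router names, cluster IDs and the prefix are constructed; the ORIGINATOR_ID and CLUSTER_LIST checks follow RFC 4456.

```python
"""Route-reflector loop prevention with CLUSTER_LIST (added example, not
from the post).  PE1's VPN route reaches only RR1; RR1 reflects it to RR2.
Names, cluster IDs and the prefix are constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Update:
    prefix: str
    next_hop: str
    originator_id: Optional[str] = None
    cluster_list: list = field(default_factory=list)


class RouteReflector:
    def __init__(self, name: str, cluster_id: str, clients: set, non_clients: set):
        self.name, self.cluster_id = name, cluster_id
        self.clients, self.non_clients = set(clients), set(non_clients)
        self.rib = {}       # prefix -> Update
        self.sent = []      # (peer, reflected Update)

    def receive(self, from_peer: str, upd: Update) -> bool:
        """Accept and reflect, or drop when the update already passed through us."""
        if upd.originator_id == self.name:
            return False                      # we originated it ourselves
        if self.cluster_id in upd.cluster_list:
            return False                      # already reflected inside our cluster
        self.rib[upd.prefix] = upd
        self._reflect(from_peer, upd)
        return True

    def _reflect(self, from_peer: str, upd: Update) -> None:
        # RFC 4456: a route from a client goes to every peer; a route from a
        # non-client goes to clients only.  Our CLUSTER_ID is prepended.
        if from_peer in self.clients:
            targets = self.clients | self.non_clients
        else:
            targets = set(self.clients)
        originator = upd.originator_id or from_peer
        reflected = Update(upd.prefix, upd.next_hop, originator,
                           [self.cluster_id] + upd.cluster_list)
        for peer in sorted(targets - {from_peer, originator}):
            self.sent.append((peer, reflected))


def rr1_to_rr2(rr1_cluster: str, rr2_cluster: str) -> dict:
    """PE1 advertises only to RR1 (the missing-update problem above); RR1
    passes the route to RR2 over the iBGP session between the reflectors."""
    rr1 = RouteReflector("RR1", rr1_cluster, {"PE1", "PE2"}, {"RR2"})
    rr2 = RouteReflector("RR2", rr2_cluster, {"PE1", "PE2"}, {"RR1"})
    route = Update("65500:1:10.1.1.0/24", next_hop="PE1")   # constructed VPNv4 prefix
    rr1.receive("PE1", route)
    to_rr2 = next(u for peer, u in rr1.sent if peer == "RR2")
    accepted = rr2.receive("RR1", to_rr2)
    learned = rr2.rib.get(route.prefix)
    return {
        "accepted_by_rr2": accepted,
        "next_hop_seen_by_rr2": learned.next_hop if learned else None,
        "cluster_list_seen_by_rr2": learned.cluster_list if learned else None,
        "rr2_reflects_to": [peer for peer, _ in rr2.sent],
    }


if __name__ == "__main__":
    print("different clusters:", rr1_to_rr2("1.1.1.1", "2.2.2.2"))
    print("same cluster:      ", rr1_to_rr2("1.1.1.1", "1.1.1.1"))
```

With different cluster IDs RR2 installs the route with PE1 still as next hop and reflects it on to PE2; with the same cluster ID on both reflectors RR2 finds its own ID in the cluster list and drops it.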

regards
shivlu jain

Saturday, February 14, 2009

Ping Drops

Most people who work in service provider networks are accustomed to ping drops. Sporadic ping drops are the pain area of a service provider network. Drops come like clouds and spread like water through the whole cloud. An awful feeling comes to mind, and the first thing I think of is how to get rid of this smeared problem. I think there must be a system or NMS which can tell when a router is about to produce drops. This is my thought process; I do not know whether such a system is available in the market or not. But I am trying to design such a system, in which artificial intelligence can sense the state of the router and alert before the drops come. This will not relieve the problem but may provide some hints so that precautions can be taken before the problem occurs. Even I do not know how to proceed; I am simply presenting my feelings and would like to request all of you, if you have any thoughts on the same, to kindly share them. Maybe a day will come when this becomes true, just like today we have cars which can sense the road and consequently many accidents are avoided.

regards
shivlu jain

Friday, February 13, 2009

Netgear Firewall Testing

I did basic Netgear firewall testing for one of our customers. The firewall used to hang most of the time. I would never recommend putting a Netgear as the firewall in the network.
Kindly find the document here: Click Here

regards
shivlu jain

Thursday, February 12, 2009

GRE Keepalives

Two years back, when I entered the service provider domain, the first thing I learned was how to create a GRE tunnel, and that keepalive is mandatory to get the tunnel working properly. While googling I found a good Cisco document which explicitly defines how keepalives work.

Two routers, R1 and R2, are connected back to back.

When you enable keepalives on the tunnel endpoint of Router A, the router at every interval constructs the inner IP header. At the end of the header, the router also appends a GRE header with a Protocol Type (PT) of 0, and no other payload. The router then sends that packet through the tunnel, which results in its encapsulation with the outer IP header, and a GRE header with the PT of IP. The tunnel keepalive counter increments by one. If there is a way to reach the far end tunnel endpoint, and the tunnel line protocol is not down due to other reasons, the packet arrives on Router B. It is then matched against Tunnel 0, is decapsulated, and forwarded to the destination IP, which is the tunnel source, Router A. Upon arrival on Router A, the packet is again decapsulated, and the PT is checked. If the result of the PT check is 0, it signifies that this is a keepalive packet. In such a case, the tunnel keepalive counter is reset to 0, and the packet is discarded. In case Router B is unreachable, Router A continues to construct and send the keepalive packets along with normal traffic. If the line protocol is down, the keepalives do not come back to Router A. Therefore, the keepalive counter continues to increase. The tunnel line protocol stays up only as long as the tunnel keepalive counter remains zero, or less than a configured value. If that condition is not true, the next time you attempt to send a keepalive to Router B, the line protocol is brought down, as soon as the keepalive counter reaches the configured keepalive value. In the up/down state, the tunnel does not forward or process any traffic apart from the keepalive packets. For this to work for keepalive packets only, the tunnel must be forward-and-receive friendly. So the tunnel lookup algorithm must be successful in all cases, and must discard only the data packets if the line protocol is down. When a keepalive packet is received, it implies that the tunnel endpoint is again reachable. The tunnel keepalive counter is then reset to 0, and the line protocol comes back up.
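The keepalive packet described in the Cisco text above, built and decapsulated in code (an added example, not part of the post or of Cisco's document): Router A nests an inner IP header addressed from B back to A plus a GRE header with protocol type 0 inside an outer IP/GRE layer towards B, and the counter model follows the description of how the line protocol goes down and comes back. The tunnel addresses and the retry count are constructed.

```python
"""GRE keepalive construction and counter model (added example, not from
the post or from Cisco's document).  Addresses and retry count are
constructed; the packet layout follows the description above."""
import socket
import struct

IPPROTO_GRE = 47
GRE_PT_IP = 0x0800
GRE_PT_KEEPALIVE = 0x0000
IPV4_HDR = "!BBHHHBBH4s4s"


def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header carrying GRE, with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 255, IPPROTO_GRE, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields)


def gre_header(protocol_type: int) -> bytes:
    return struct.pack("!HH", 0, protocol_type)      # no C/K/S flags, version 0


def build_keepalive(router_a: str, router_b: str) -> bytes:
    """Inner: IP (B -> A) + GRE PT 0.  Outer: IP (A -> B) + GRE PT IP."""
    inner = ip_header(router_b, router_a, 4) + gre_header(GRE_PT_KEEPALIVE)
    return ip_header(router_a, router_b, len(inner) + 4) + gre_header(GRE_PT_IP) + inner


def decapsulate(packet: bytes) -> tuple:
    """Strip one IP+GRE layer; return (GRE protocol type, inner payload)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP checksum")
    protocol_type, = struct.unpack("!H", packet[ihl + 2:ihl + 4])
    return protocol_type, packet[ihl + 4:]


def ip_dst(packet: bytes) -> str:
    return socket.inet_ntoa(packet[16:20])


class TunnelEndpoint:
    """Keepalive counter and line-protocol state of one tunnel end."""

    def __init__(self, retries: int):
        self.retries, self.counter, self.line_up = retries, 0, True

    def send_keepalive(self) -> None:
        self.counter += 1
        if self.counter >= self.retries:       # counter reached the configured value
            self.line_up = False

    def receive(self, packet: bytes) -> str:
        protocol_type, _ = decapsulate(packet)
        if protocol_type == GRE_PT_KEEPALIVE:  # PT 0: our own keepalive came back
            self.counter, self.line_up = 0, True
            return "keepalive"
        return "data"


def round_trip(router_a: str, router_b: str) -> dict:
    """A sends; B strips the outer layer and forwards the inner packet to A."""
    wire = build_keepalive(router_a, router_b)
    outer_pt, inner = decapsulate(wire)          # what Router B does
    a = TunnelEndpoint(retries=3)
    a.send_keepalive()
    return {"outer_pt": outer_pt, "inner_dst": ip_dst(inner),
            "at_a": a.receive(inner), "counter_after": a.counter}


if __name__ == "__main__":
    print(round_trip("10.0.0.1", "10.0.0.2"))
```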

regards
shivlu jain

Wednesday, February 11, 2009

PE-CE Labels Security In MPLSVPN

Yesterday I was asked a very good question by the security team: if any customer sends a labeled packet by spoofing it, what will happen in that case? I answered quickly that in such cases the customer can only forward IP packets, not labeled packets, because mpls ip is not configured on that interface, and because of this the PE is not going to accept a labeled packet. So no label spoofing from the CE end. But what if the CE sends a spoofed IP packet? In that case only that CE's VRF will be affected.

regards
shivlu jain

Tuesday, February 10, 2009

Use Of Aggregate Labels

Aggregate labels are used when all labels are removed from the packet and it is forwarded from the global routing table. Now the question comes: when can it be used? Can we generate an aggregate label? The answer is yes. When we use route leaking, the packet has the outgoing label "aggregate" instead of "no label", which means a routing lookup needs to be done.

Most of the time you will see it during route leaking.

regards
shivlu jain

Sunday, February 8, 2009

Multicast VPN FAQ

For the last few days a discussion has been going on about MVPN among me, Chintan Shah (Colt Technologies) & Harold Ritter (Cisco). Consequently a lot of hidden concepts came out. So I finally made the FAQ so that it can be used by others as a reference.

I would like to thank hritter for sharing his great experience with us.

MVPN Discussion & FAQ


Q:- Data and Default MDT are based on which draft?
A:- For the data MDT, the method to signal the source address is described in draft-rosen-vpn-mcast section 7.2, which is supported by both IOS and JUNOS.
http://www.potaroo.net/ietf/idref/draft-rosen-vpn-mcast/#page-19

For the default MDT, the signaling in IOS is done using draft-nalawade-idr-mdt-safi, which is not supported in JUNOS.
http://tools.ietf.org/html/draft-nalawade-idr-mdt-safi-03


Q:- Does MVPN require Sparse Mode or SSM?
A:- MVPN can be implemented with both. But in a multivendor environment like Juniper, SSM only supports data MDT, not default MDT. For implementing default MDT one needs to deploy anycast RP.


Q:- Does the SP need to configure all routers for MSDP?
A:- It depends on the requirement. If the SP has more traffic downstream then those P routers can be used for MSDP peering. So the answer is no; if you have 10 P routers then out of 10, 2 or 10 can be used for MSDP peering.

Q:- How to announce the RP in case of using Anycast RP?
A:- If the SP deploys an anycast RP address in the core then static RP is the best option. Another option is to use dynamic RP like auto-RP or BSR.

Q:- Which type of entries are created in SSM & in Anycast RP?
A:- In SSM only S,G entries are created. In Anycast RP, *,G & S,G entries are created.

Q:- How to use "ip pim spt-threshold infinity" in the SP domain?
A:- By default Cisco IOS sets the threshold value to 0. ip pim spt-threshold infinity can be used only with ASM because it supports *,G, while SSM supports only S,G so it cannot be used with this.

Q:- Does Juniper support auto-RP?
A:- Yes, it is supported by Juniper.
http://www.juniper.net/techpubs/software/junos/junos91/swconfig-multicast/configuring-auto-rp.html

Q:- How to provide redundancy in case of Anycast RP & SSM?
A:- In the case of anycast RP, if any RP fails then another RP from the RP set will take over. In the RP set all the routers are configured with the same IP address. In the case of SSM no RP is required.

Q:- The Cisco IOS MDT SAFI implementation is based on which draft?
A:- The IOS MDT SAFI implementation is based on the following draft.
http://tools.ietf.org/html/draft-nalawade-idr-mdt-safi-03

Q:- Advantage of SSM vs SM?
A:- RP infrastructure is not required in the case of SSM, but in SM it is mandatory.

Q:- Do P routers participate in maintaining the states?
A:- No, only PEs will be used. The core will be free from the states.

Q:- Difference between SSM vs SM in case of update/register messages?
A:- SSM uses PIM-SM with a few modifications. RFC4601 section 4.8.1 defines the modifications to the PIM SM protocol to support SSM. Beyond these modifications, all normal PIM SM functionality and messages are required, including periodic join messages.

http://tools.ietf.org/html/rfc4601

Q:- Can the SP use Bi-Dir in the core?
A:- Yes, if the SP does not want to create S,G entries. Bi-dir is used only if the SP has a very large number of VPNs.

Q:- Do Cisco/Juniper support bi-dir?
A:- Bi-dir is supported by Cisco on all platforms but Juniper does not support it.
Draft:- http://www.juniper.net/solutions/literature/white_papers/200291.pdf

Q:- Does Anycast RP require MSDP?
A:- RFC4610 allows you to run Anycast RP without MSDP by having the RP receiving the register message replicate this message to the other RP(s) in the RP set. Section 3 of RFC4610 explains this mechanism in detail.

http://www.ietf.org/rfc/rfc4610.txt?number=4610


Q:- Does Cisco support Anycast with MSDP?
A:- Yes


regards
shivlu jain

Saturday, February 7, 2009

Static are recursive in nature

Static routes are recursive in nature. Recursive means the router checks the route to the next hop address used by the static route, just as BGP does a recursive lookup to find the next hop address. A good example of recursive lookup is an MPLS VPN SP network. In an SP network the PE loopback is always used as the next hop for customer VPNv4 routes, and BGP does the recursive lookup to reach that loopback. It means that when you place a static route in the routing table and the directly connected interface goes down, the route should be flushed from the routing table. It usually happens, but if the next hop is reachable by some other path then the route is not going to be flushed from the routing table, because the recursive lookup will still find the next hop address. This type of problem usually comes up in service provider networks when a customer requires redundancy. In those scenarios, try to use the static route with both the interface and the next hop address. The main advantage of using this form of the command is that the next hop is reachable only if the interface state is up; otherwise it is not reachable and the route is flushed from the routing table. If you configure a simple static route pointing only at the next hop address, the route is not going to be flushed from the table, the floating route will never come into the picture, and consequently traffic will be blackholed.
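The redundancy case above, modelled in code (an added example, not from the original post): a primary default route whose next hop stays reachable through a second path after its own link fails, a floating default route with a higher administrative distance, and the difference between a next-hop-only static and one bound to an interface. Addresses, interface names and the covering route are constructed for the demonstration.

```python
"""Recursive versus interface-bound static routes (added example, not from
the post).  Addresses and interface names are constructed."""
import ipaddress
from typing import Optional


class Router:
    def __init__(self):
        self.interfaces = {}   # name -> [connected network, link up?]
        self.statics = []      # (prefix, next_hop, interface or None, distance)

    def add_interface(self, name: str, network: str) -> None:
        self.interfaces[name] = [ipaddress.ip_network(network), True]

    def set_link(self, name: str, up: bool) -> None:
        self.interfaces[name][1] = up

    def add_static(self, prefix: str, next_hop: str,
                   interface: Optional[str] = None, distance: int = 1) -> None:
        self.statics.append((prefix, next_hop, interface, distance))

    def _usable(self, prefix: str, next_hop: str, interface: Optional[str], depth: int = 0) -> bool:
        nh = ipaddress.ip_address(next_hop)
        if interface is not None:
            net, up = self.interfaces[interface]
            return up and nh in net          # bound to the link: no recursion at all
        for net, up in self.interfaces.values():
            if up and nh in net:
                return True                  # next hop is on an up connected network
        if depth >= 4:
            return False
        # Recursive lookup: any other usable route covering the next hop will do,
        # which is exactly what keeps a dead primary route in the table.
        for p, hop, iface, _ in self.statics:
            if p != prefix and nh in ipaddress.ip_network(p) and self._usable(p, hop, iface, depth + 1):
                return True
        return False

    def routing_table(self) -> dict:
        """Best usable static per prefix: lowest administrative distance wins."""
        table = {}
        for prefix, next_hop, interface, distance in self.statics:
            if not self._usable(prefix, next_hop, interface):
                continue
            if prefix not in table or distance < table[prefix][2]:
                table[prefix] = (next_hop, interface, distance)
        return table


def default_route_after_link_failure(bind_primary_to_interface: bool) -> tuple:
    """Return the installed default route before and after the primary link fails."""
    r = Router()
    r.add_interface("Gi0/0", "192.0.2.0/30")       # primary uplink, next hop 192.0.2.2
    r.add_interface("Gi0/1", "198.51.100.0/30")    # backup uplink, next hop 198.51.100.2
    # The primary provider's block is also reachable through the backup link
    # (constructed covering route), so the primary next hop stays resolvable.
    r.add_static("192.0.2.0/24", "198.51.100.2")
    primary_iface = "Gi0/0" if bind_primary_to_interface else None
    r.add_static("0.0.0.0/0", "192.0.2.2", primary_iface, 1)
    r.add_static("0.0.0.0/0", "198.51.100.2", "Gi0/1", 250)   # floating static
    before = r.routing_table()["0.0.0.0/0"]
    r.set_link("Gi0/0", False)
    after = r.routing_table()["0.0.0.0/0"]
    return before, after


if __name__ == "__main__":
    print("next-hop only:  ", default_route_after_link_failure(False))
    print("interface bound:", default_route_after_link_failure(True))
```

With the next-hop-only form the primary default route survives the link failure (the blackhole described above); with the interface-bound form it is withdrawn and the floating static with distance 250 takes over.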


regards
shivlu jain

Friday, February 6, 2009

Use of more route targets cause of memory issue

I have seen that most of the time the provisioning team creates a VRF named internet, and whenever a new internet provisioning for any client occurs, the route target of that client is exported to the internet VRF. This is actually not a good design, because every time the number of route targets increases, and every route target consumes 8 bytes of memory. So you can assume that if you have 100 internet customers and for each and every customer a route target is exported to the customer VRF, then 100 route targets will be attached to the default route, which will consume 100*8 = 800 bytes of memory, which is unnecessary. So the best design is to create an internet VRF with route target export 65500:100, and the same route target is imported by each and every customer. In this case you carry only one route target with each default route and save a lot of memory. This memory can be used for serving more customers.
The main reason to write this post is that I have seen that whenever the number of route targets in the update increases and the SP network is using multi-vendor policies, you might face some issues. Till now I do not know how many route targets can be attached to an update. If you find out, do comment on this.


regards
shivlu jain

Thursday, February 5, 2009

Weird Issue With 12.2 (31)SB13 Series:Internet VRF Leaking

In my last post (12.2 31 SB13 Internet VRF Issue) I talked about the SB series which was creating problems in terms of route leaking into the global table from another VRF. I have tested the scenario in which, if you have a default route and a customer VRF on the same PE and that default route is being used by the internet VRF, the traffic stops flowing. I checked the Cisco bug tool to fetch information but did not find any relevant bug which describes this. So next time you upgrade your router to the 12.2(31)SB13 series, care should be taken if you are serving internet customers from an internet VRF.

Workaround:- Try to shift the default route along with the VRF to another router so that customers can run smoothly.

regards
shivlu jain

Wednesday, February 4, 2009

Weird Issue With 12.2 (31)SB13 Series

Till now it has been assumed that the SB series is one of the trusted series for service provider networks. But as per my experience this is a series which has only 56 bugs listed on the Cisco site but is actually affected by problems one cannot think about. I, along with my colleagues, am working on it and hopefully within a day or two will come up with the new issues.

Currently it is affected by an MDT bug.

Workaround:- Simply remove the MDT configuration from the VRF and add it again.

How to check:- Use the command "show ip pim mdt"

regards
shivlu jain

Tuesday, February 3, 2009

Problem In Route Reflector Update

Introduction & Findings
For the last few days we were facing a problem with a route reflector server which was not receiving proper routes from its clients. Think for a while: if you were managing a service provider or a large enterprise network with multiple route reflectors in the domain, and one day you came to know that one of your route reflectors was not receiving the full route updates from its clients, what would you do at that time? You might look for an expert with good knowledge of route reflectors, BGP & MPLS. But until then the network will be black holed. In this post I am giving the workaround for the problem, which can be tried on an urgent basis.
I will describe a scenario in which you may face another type of problem. Assume you have a service provider domain with two route reflectors. Every PE has peering with both route reflectors. The route reflectors are used for both IPv4 as well as VPNv4 routes. At any point of time both route reflectors will advertise the routes to every PE. But the PE will select one of them as best, and the other will be used if anything goes wrong with the first one.


In the figure I made a scenario which explicitly shows a service provider network with MPLS in the core. Every PE has a connection with both route reflectors. The client is VPN A and has three locations across the service provider cloud. At the CE1VPNA location the client has internet; for that it is injecting a default route into the VRF and the service provider is advertising that route in all the VPNA VRFs. On PE1, if we verify any route of a remote location, we get two entries with the next hop loopback of PE2; both routes are advertised by both RRs and only one is shown as best. In this case the RR1 route is preferred first; if RR1 goes down then the RR2 route will be preferred. We assume that at some point PE2 advertises the routes to both RRs but RR2 is not getting the proper updates. On RR2 only the 10.1.2.0/24, 10.1.3.0/24 & 0.0.0.0/0 routes are coming in, and it is advertising those routes to all the PEs. If at any point RR1 goes down and at the same time CE3 wants to reach the CE2 LAN, CE3 will forward the packet to PE1, and on PE1 only the above three routes will be installed. But CE3 wants to reach 10.1.1.0/24, which is actually not available, so it will go to the default route and traffic may be black holed at any time.
Cisco commands which can be used for checking the VPNv4 routes are cited below:
show ip bgp vpnv4 all summary
show ip bgp vpnv4 rd x:y neighbors <neighbor-ip> routes
show ip bgp vpnv4 rd x:y neighbors <neighbor-ip> advertised-routes
On both RRs you can check the installed routes.

Workaround
This is nothing but a Cisco bug. In this case you need to check the IOS. Apart from this, you can clear the full BGP neighbourship or reload the router. After that it receives the full routes.
So if you see your traffic behaving abnormally then check your route reflector updates first. The reason for writing this document is that I faced the same problem, and it is not a test lab scenario.

regards
shivlu jain

Monday, February 2, 2009

Upgradation of RR to MDT SAFI

How to upgrade the core router to MDT SAFI
Upgrading the core routers to MDT SAFI is one of the biggest challenges for a service provider. Assume the SP has two RRs and every PE has peering with both. A test bed was created with the given scenario, which is explicitly shown with some test cases and their outputs.


Basic Scenario
PE1, PE2, RR1 & RR2 are Cisco 7200 with IOS 12.4 15T1

We created a test VRF with default MDT for group 239.1.1.1. The end to end multicast tunnel was established.


Figure 1

Test Bed 1
In test bed one we upgraded the IOS of PE1 to the Cisco 12.2 (31)SB13 series, which supports the MDT SAFI feature. But the route reflectors are still using the non-standard MDT feature. We did not face any issue after the upgrade, and the route reflectors are receiving the MDT values from PE1 with extended community 2:65500:1.


Test Bed 2
In the second test bed we upgraded the IOS of RR1 from 12.4 15 T1 to the 12.2 (31)SB 13 series. After the boot up process completed we checked the MDT BGP values but did not find anything. So under BGP address family ipv4 mdt we activated the neighbourship of PE1. After that we checked the same on RR1 but still did not find anything. Correspondingly, on RR2 we were receiving the values with extended community 2:65500:1 from PE2, not from PE1. Then we activated the ipv4 mdt neighbourship on PE1 towards RR1. As soon as it got activated, on RR2 we were able to receive MDT BGP routes with no extended community. But on RR2 routes were still coming from PE2 only, not from PE1. Then we activated the ipv4 mdt neighbourship for RR2. After that we received the updates from PE1 on RR2 with extended community 2:65500:1. But RR1 was not forwarding the MDT SAFI updates to PE2; PE2 was only receiving the updates with the extended 2 community from RR2. For this we needed to activate MDT for PE2. As soon as it was activated, PE2 was able to receive the routes from both RRs.

Results:- If the PE is using MDT SAFI and the route reflectors are using MDT SAFI & pre-MDT SAFI, then on the PE you need to activate ipv4 mdt for both route reflectors so that the PE can send the updates to RR1 with MDT SAFI and to RR2 with the extended 2:65500:1 community. In short, the upgraded RR1 is backward compatible with the PE with respect to MDT. The only thing we need to take care of is enabling MDT SAFI for the non-MDT PE.


Test 3
In this test bed we upgraded the IOS of PE2 to 12.2 (31) SB13. After the boot up process we checked the MDT BGP values but did not find anything. Then we activated the ipv4 mdt neighbourship with RR2, which is running the 12.4. 15 T1 IOS. As soon as it came up, PE2 was able to receive the updates from RR2. Thereafter the neighbourship with RR1 was activated and PE2 was able to receive the routes from RR1 also. The routes received by PE2 are without the standard extended 2 community.

Result:- The 12.4 15 T1 code was providing backward compatibility with both. But if the RR is upgraded to the 12.2 (31) 13SB series then it can send and receive the updates only to MDT group members, not to non-MDT group members.

If we upgrade the IOS of one route reflector while the second is still running non-MDT SAFI code, the core routers will get the MVPN routes only from the non-MDT SAFI RR. You cannot provide redundancy. So the best approach is to upgrade the PE routers first and thereafter upgrade the route reflectors.

regards
shivlu jain