Monday, August 31, 2009

GDOI In MVPN



This is an excerpt from one of the Cisco docs.

With Cisco IOS Secure Multicast, users can enjoy the benefits of encryption of “native IP multicast” traffic within their larger enterprise
environment. Cisco IOS Secure Multicast helps customers extend their reach to all of their corporate IP multicast applications, while providing
enhanced security. Having been tested with many applications and delivered across multiple platforms, Cisco IOS Secure Multicast enhances user
experience and efficiently secures multicast applications. The unique integration between GDOI and IPsec provides a level of trust on the corporate
internal network that is similar to the existing cryptographic techniques. This ability to provide a unique model differentiates Cisco Systems from its competitors.


Friday, August 28, 2009

MPLS IP In MPLS TE Tunnel




I have posted various posts on MPLS TE, and every time I receive the question of why and when mpls ip is used in a TE tunnel. In this post I would like to sum up when, where and why mpls ip is used in a TE tunnel.

Scenarios Where MPLS IP Is Used Or Not

1. If the MP-iBGP next-hop and the tunnel destination are different, the mpls ip command is required on the tunnel.
2. If the MPLS TE tunnel terminates at the egress PE, no LDP/TDP is required.
3. If the MPLS TE tunnel terminates before the PE (egress) router, tag switching is required and three labels are used.



Wednesday, August 19, 2009

Aggregate FEC For Loopback Summarization In MPLS




I have posted before that loopback summarization is possible, but a few days back I saw a draft in which a new model is proposed. The draft shows the use of an aggregate FEC, which helps to achieve loopback summarization.

Click here for more.



Tuesday, August 18, 2009

MPLS TE With Three Labels



We always talk about three labels in MPLS, but honestly I had never seen three labels before this post. Three labels are usually not seen in a single service provider domain; routers normally carry a two-label stack, one for VPNv4 and another for the IGP. But in MPLS TE we can have a three-label stack, and it will definitely lead to problems in the case of Fast Ethernet because the required MTU changes. But if the core has Gigabit Ethernet interfaces then nothing will spoil the happiness of the network. As described in my previous post, everything is the same except the termination of the head-end tunnel. Previously it was on Mumbai 1; now it is on Mumbai 2. But the VRF which needs to be reached is on the Mumbai 1 router. So I was simply terminating the tunnel one hop before the egress router.
Click here to download full article.


Monday, August 17, 2009

MPLS TE Per VRF Basics - Part 2



Going from home to the office and back on the same roads sometimes takes an excessive amount of time. Everyone wants to arrive early, so they need to opt for an alternate path, which may be longer than the regular one. The same fundamental works in networks too. OSPF, EIGRP and BGP are used to move traffic from one path to another: in OSPF the cost is used to change the path, in EIGRP the metric is used, and in BGP many attributes like weight, local preference and AS path are used. The problem with all these protocols is that unequal-cost load balancing is not possible, except that EIGRP supports this feature.
In a regular service provider topology, two links are used, one as primary and the other as secondary. In many cases the latter path remains empty, unnecessarily increasing the capex of the company. In addition, to achieve the SLA parameters for esteemed clients, the SP needs to reroute the traffic of some VPNs onto the secondary path. PBR is used for this, but it is very difficult to add the static routes at each and every router along the path.
For all these problems MPLS TE is the optimum solution for rerouting traffic on a per-VPN basis. In this case study, all the VPNs follow the normal path except one, which follows the secondary path that nobody else uses.

Introduction
The topology is a hypothetical model of a service provider cloud which serves MPLS VPN services to its customers. The New Delhi 2 router is acting as RR, and New Delhi 1, Hyderabad and Mumbai 1 are acting as PEs. All the routers are part of area 0. The New Delhi 1, Hyderabad and Mumbai 1 routers are serving two VPNs, one called TEST and the other TEST1. By default, traffic from New Delhi 1 to Mumbai 1 is routed via the directly connected link between the two. But for a specific requirement of VPN TEST, its traffic will follow the new path New Delhi 1 → Hyderabad → Mumbai 2 → Mumbai 1.


Basic Topology

Figure 1

MPLS TE
To achieve the objective, MPLS TE is used together with static routes, and RSVP is used to reserve a bandwidth of 200 Kbps per interface.

How to achieve the objective

Now the SP wants to move the traffic of VRF TEST via Delhi 1 → Hyderabad → Mumbai 2 → Mumbai 1. To accomplish the task a TE tunnel is created. With TE, the bgp next-hop attribute is used within the VRF, and a static route for this loopback is imposed on the head-end router. By doing this, all the VRF TEST routes will arrive with the new loopback as next hop instead of the MP-iBGP loopback. The static route forwards the traffic into the tunnel, with the new loopback as the destination.
MPLS TE tunnels are unidirectional, so the new loopback is created at Mumbai 1.


Click here to download full article.

Required Configuration

Configuration at Mumbai 1

ip vrf TEST
rd 65500:1
route-target export 65500:1
route-target import 65500:1
bgp next-hop Loopback500
!
ip vrf TEST1
rd 65500:2
route-target export 65500:2
route-target import 65500:2
!
mpls traffic-eng tunnels
!
interface Loopback500
description ### This loopback will become the next-hop for vrf TEST ###
ip address 172.16.100.100 255.255.255.255
ip ospf 1 area 0
!


Configuration at Delhi 1

ip vrf TEST
rd 65500:1
route-target export 65500:1
route-target import 65500:1
!
ip vrf TEST1
rd 65500:2
route-target export 65500:2
route-target import 65500:2
!
mpls traffic-eng tunnels
!
interface Tunnel100
ip unnumbered Loopback0
mpls ip
tunnel destination 172.16.100.3
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 1 explicit name TEST
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
!
ip explicit-path name TEST enable
next-address 172.16.1.9
next-address 172.16.1.14
next-address 172.16.1.26
!
ip route 172.16.100.100 255.255.255.255 Tunnel100


The following configuration is required on every router participating in MPLS TE

router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0

On the interfaces which are part of MPLS TE

mpls traffic-eng tunnels
ip rsvp bandwidth 200 200


Outputs

Figure 2

Figure 2 depicts the output of the show ip cef vrf TEST command, which explicitly states that 172.16.100.100, Loopback500 on Mumbai 1, is used as the next hop. 32 is the IGP label and 33 is the VPNv4 label. So along the path only the IGP label will change.


Figure 3

Figure 3 above depicts that tunnel 100 is using label 32 as the outgoing label with Serial 0/0 as the outgoing interface. At the Hyderabad end, 32 should be the local label and should be mapped to some outgoing label for forwarding.


Figure 4
The output in figure 4 is used to cross-verify the output captured in figure 3.


Figure 5

Figure 5 depicts the output for local label 32, which is used in figure 3 as the outgoing label. After reaching the Hyderabad PE, 32 becomes the local label and is swapped with 29. The next output depicts that Mumbai 2 has 29 as its local label and uses pop tag for PHP.



Figure 6

Figure 6 depicts that 29 is used as the local label and PHP is then performed towards Mumbai 1.



Figure 7

Figure 7 depicts that VRF TEST is following the alternate path.



Figure 8 depicts that VRF TEST1 is following the directly connected path.
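To make the label handling in figures 2 to 6 concrete, here is a small LFIB simulator I added (it is not code from the original posts) that traces the label stack of a VRF TEST packet hop by hop. It also covers the "three labels" and "mpls ip in a TE tunnel" posts above by ending the tunnel one hop before the PE; label values 32, 29, the PHP at Mumbai 2 and VPN label 33 are the ones the figures show, while label 40 and the per-router tables are constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    # incoming label -> (action, outgoing label or None, next-hop router)
    lfib: dict = field(default_factory=dict)
    # VPN label -> VRF name; only the egress PE holds these (its VPNv4 labels)
    vrf_labels: dict = field(default_factory=dict)


def trace(routers, first_hop, stack):
    """Forward a labelled packet hop by hop, starting at the ingress PE's next hop.
    Returns (hops, vrf): hops is [(router, stack seen on arrival), ...] and
    vrf is the VRF the egress PE delivers the packet into."""
    node, stack = first_hop, list(stack)
    hops = []
    while True:
        r = routers[node]
        hops.append((node, tuple(stack)))
        top = stack[0]
        if top in r.vrf_labels:  # the VPN label has reached the egress PE
            return hops, r.vrf_labels[top]
        if top not in r.lfib:
            raise LookupError(f"{node} has no LFIB entry for label {top}")
        action, out_label, next_hop = r.lfib[top]
        if action == "swap":
            stack[0] = out_label
        else:  # "pop": this router is the penultimate hop for that label (PHP)
            stack.pop(0)
        if not stack:
            raise LookupError(f"{node} popped the last label; VPN label lost")
        node = next_hop


def tunnel_to_egress_pe():
    """The post's setup: Tunnel100 ends on Mumbai 1, the egress PE itself,
    so Delhi1 pushes two labels, TE label 32 on top of VPN label 33."""
    net = {
        "Hyderabad": Router("Hyderabad", lfib={32: ("swap", 29, "Mumbai2")}),
        "Mumbai2": Router("Mumbai2", lfib={29: ("pop", None, "Mumbai1")}),
        "Mumbai1": Router("Mumbai1", vrf_labels={33: "TEST"}),
    }
    return trace(net, "Hyderabad", [32, 33])


def tunnel_one_hop_short(with_mpls_ip=True):
    """The 'three labels' case: the tunnel ends on Mumbai 2, one hop before the
    PE. Delhi1 must also push the LDP label that Mumbai 2 advertises for the
    next-hop loopback (constructed value 40), which it only learns when LDP
    runs over the tunnel (`mpls ip`). With with_mpls_ip=False it pushes only
    the TE and VPN labels and Mumbai 2 sees a label it cannot resolve."""
    net = {
        "Hyderabad": Router("Hyderabad", lfib={32: ("pop", None, "Mumbai2")}),  # PHP for the tunnel
        "Mumbai2": Router("Mumbai2", lfib={40: ("pop", None, "Mumbai1")}),  # PHP for Mumbai 1's loopback
        "Mumbai1": Router("Mumbai1", vrf_labels={33: "TEST"}),
    }
    stack = [32, 40, 33] if with_mpls_ip else [32, 33]
    try:
        return trace(net, "Hyderabad", stack)
    except LookupError as exc:
        return [], f"DROP: {exc}"


def max_stack_depth(hops):
    """Deepest label stack seen on any link, the number behind the MTU concern."""
    return max((len(stack) for _, stack in hops), default=0)


if __name__ == "__main__":
    for hops, vrf in (tunnel_to_egress_pe(), tunnel_one_hop_short(),
                      tunnel_one_hop_short(with_mpls_ip=False)):
        print(f"delivered into: {vrf}  (max stack depth {max_stack_depth(hops)})")
        for router, stack in hops:
            print("   ", router, list(stack))
```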

Delhi1#sh conf
Using 3218 out of 129016 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Delhi1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
ip vrf TEST
rd 65500:1
route-target export 65500:1
route-target import 65500:1
!
ip vrf TEST1
rd 65500:2
route-target export 65500:2
route-target import 65500:2
!
mpls traffic-eng tunnels
!
interface Loopback0
ip address 172.16.100.1 255.255.255.255
ip ospf 1 area 0
!
interface Loopback100
ip vrf forwarding TEST
ip address 192.168.1.1 255.255.255.255
!
interface Loopback200
ip vrf forwarding TEST1
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel100
ip unnumbered Loopback0
mpls ip
tunnel destination 172.16.100.3
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 1 explicit name TEST
no routing dynamic
!
interface Serial0/0
ip address 172.16.1.10 255.255.255.252
ip ospf cost 50
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 200 200
!
interface Serial0/1
ip address 172.16.1.30 255.255.255.252
ip ospf cost 50
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial0/2
ip address 172.16.1.33 255.255.255.252
ip ospf cost 1
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 200 200
!
interface Serial0/3
ip address 172.16.1.42 255.255.255.252
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
router-id 172.16.100.1
log-adjacency-changes
!
router bgp 65500
no synchronization
bgp router-id 172.16.100.1
bgp log-neighbor-changes
neighbor 172.16.100.2 remote-as 65500
neighbor 172.16.100.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 172.16.100.2 activate
neighbor 172.16.100.2 send-community both
exit-address-family
!
address-family ipv4 vrf TEST1
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf TEST
redistribute connected
no synchronization
exit-address-family
!
ip http server
no ip http secure-server
ip route 172.16.100.100 255.255.255.255 Tunnel100
!
!
!
ip explicit-path name TEST enable
next-address 172.16.1.9
next-address 172.16.1.14
next-address 172.16.1.26
!
mpls ldp router-id Loopback0 force
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end






mum1#sh configuration
Using 3288 out of 129016 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mum1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
ip vrf TEST
rd 65500:1
route-target export 65500:1
route-target import 65500:1
bgp next-hop Loopback500
!
ip vrf TEST1
rd 65500:2
route-target export 65500:2
route-target import 65500:2
!
mpls traffic-eng tunnels
!
interface Loopback0
ip address 172.16.100.3 255.255.255.255
ip ospf 1 area 0
!
interface Loopback100
ip vrf forwarding TEST
ip address 192.168.1.3 255.255.255.255
!
interface Loopback200
ip vrf forwarding TEST1
ip address 192.168.1.3 255.255.255.255
!
interface Loopback500
ip address 172.16.100.100 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel100
ip unnumbered Loopback0
mpls ip
tunnel destination 172.16.100.1
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 1 explicit name TEST
!
interface Serial0/0
ip address 172.16.1.6 255.255.255.252
ip ospf cost 50
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
no fair-queue
ip rsvp bandwidth 200 200
ip rsvp resource-provider none
!
interface Serial0/1
ip address 172.16.1.29 255.255.255.252
ip ospf cost 50
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial0/2
ip address 172.16.1.26 255.255.255.252
ip ospf cost 1
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
no fair-queue
ip rsvp bandwidth 200 200
!
interface Serial0/3
ip address 172.16.1.45 255.255.255.252
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
router-id 172.16.100.3
log-adjacency-changes
!
router bgp 65500
no synchronization
bgp router-id 172.16.100.3
bgp log-neighbor-changes
neighbor 172.16.100.2 remote-as 65500
neighbor 172.16.100.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 172.16.100.2 activate
neighbor 172.16.100.2 send-community both
exit-address-family
!
address-family ipv4 vrf TEST1
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf TEST
redistribute connected
no synchronization
exit-address-family
!
ip http server
no ip http secure-server
!
ip explicit-path name TEST enable
next-address 172.16.1.25
next-address 172.16.1.13
next-address 172.16.1.10
!
!
ip access-list standard LOOP
deny 172.16.100.100
permit 172.16.100.0 0.0.0.255 log
!
!
mpls ldp router-id Loopback0 force
!
control-plane
!

line con 0
line aux 0
line vty 0 4
login
!
!
end

mum1#$



hyd#sh conf
Using 3000 out of 129016 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hyd
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
ip vrf TEST
rd 65500:1
route-target export 65500:1
route-target import 65500:1
!
ip vrf TEST1
rd 65500:2
route-target export 65500:2
route-target import 65500:2
!
mpls traffic-eng tunnels
!
!
interface Loopback0
ip address 172.16.100.6 255.255.255.255
ip ospf 1 area 0
!
interface Loopback100
ip vrf forwarding TEST
ip address 192.168.1.6 255.255.255.255
!
interface Loopback200
ip vrf forwarding TEST1
ip address 192.168.1.6 255.255.255.255
!
!
interface Serial0/0
ip address 172.16.1.9 255.255.255.252
ip ospf cost 50
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
no fair-queue
ip rsvp bandwidth 200 200
!
interface Serial0/1
ip address 172.16.1.13 255.255.255.252
ip ospf cost 50
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 200 200
!
interface Serial0/2
ip address 172.16.1.17 255.255.255.252
ip ospf cost 50
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial0/3
no ip address
serial restart-delay 0
!
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
router-id 172.16.100.6
log-adjacency-changes
!
router bgp 65500
no synchronization
bgp router-id 172.16.100.6
bgp log-neighbor-changes
neighbor 172.16.100.2 remote-as 65500
neighbor 172.16.100.2 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 172.16.100.2 activate
neighbor 172.16.100.2 send-community both
exit-address-family
!
address-family ipv4 vrf TEST1
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf TEST
redistribute connected
no synchronization
exit-address-family
!
ip http server
no ip http secure-server
!
!
!
ip explicit-path name AHM enable
next-address 172.16.1.10
next-address 172.16.1.34
next-address 172.16.1.1
!
!

!
mpls ldp router-id Loopback0 force
!
control-plane
!

line con 0
line aux 0
line vty 0 4
login
!
!
end

hyd#





delhi2#sh conf
Using 2248 out of 129016 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname delhi2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$qNJk$HN7mwD3RnxWfCHCSmG/QG1
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
mpls traffic-eng tunnels
!
interface Loopback0
ip address 172.16.100.2 255.255.255.255
ip ospf 1 area 0
!
interface Serial0/0
ip address 172.16.1.37 255.255.255.252
ip ospf cost 50
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
serial restart-delay 0
no fair-queue
!
interface Serial0/1
ip address 172.16.1.2 255.255.255.252
ip ospf cost 60
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 200 200
!
interface Serial0/2
ip address 172.16.1.34 255.255.255.252
ip ospf cost 1
ip ospf 1 area 0
mpls label protocol ldp
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 200 200
!
interface Serial0/3
no ip address
serial restart-delay 0
!
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
router-id 172.16.100.2
log-adjacency-changes
!
router bgp 65500
no synchronization
bgp router-id 172.16.100.2
bgp log-neighbor-changes
neighbor 172.16.100.1 remote-as 65500
neighbor 172.16.100.1 update-source Loopback0
neighbor 172.16.100.3 remote-as 65500
neighbor 172.16.100.3 update-source Loopback0
neighbor 172.16.100.6 remote-as 65500
neighbor 172.16.100.6 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 172.16.100.1 activate
neighbor 172.16.100.1 send-community both
neighbor 172.16.100.1 route-reflector-client
neighbor 172.16.100.3 activate
neighbor 172.16.100.3 send-community both
neighbor 172.16.100.3 route-reflector-client
neighbor 172.16.100.6 activate
neighbor 172.16.100.6 send-community both
neighbor 172.16.100.6 route-reflector-client
exit-address-family
!
ip http server
no ip http secure-server
!
mpls ldp router-id Loopback0 force
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
!
end



Wednesday, August 12, 2009

VPDN From Router Over IPSec In MPLS Cloud



Introduction

Customers are looking for PE-CE security in the case of remote access from various locations. The solution which can satisfy the requirement is IPSec. With this solution the customer's traffic is sent to the PE in encrypted form, and the PE decrypts the packets and forwards them to the various locations, and vice versa.


Test Setup

IPSec is tested for a VPDN which is originated by the customer router. The customer router will originate the VPDN session towards LNS_test_ipsec; after successful authentication, an IP address will be given to the CE which is part of the VRF, and end-to-end communication will go on.


Basic Connectivity

Routers used: 2800 for the CE as well as for the LNS





Note: IPSec uses port 500 for session establishment. Make sure the port is open at the customer end.


Configuration Of LNS PE


aaa new-model
!
!
aaa group server radius default-group
server-private 71.5.101.2 auth-port 1645 acct-port 1646 key 7 06121A2D455E0A160B19170818
ip radius source-interface FastEthernet0/0
deadtime 0
!





aaa authentication ppp default group default-group local
aaa authorization config-commands
aaa authorization network default local group default-group
!
The above commands are used for creating the L2 session with RADIUS.

ip cef
!
!
ip vrf TEST
rd 65500:800
route-target export 65500:800
route-target import 65500:800
!
vpdn enable
vpdn multihop
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto keyring shivlu123 vrf TEST
pre-shared-key address 10.100.101.2 key shivlu123 -> shivlu123 is the pre-shared key and needs to be the same on both sides.
!
crypto isakmp policy 1 ----> Crypto policy created with priority 1
hash md5
authentication pre-share
lifetime 28800
!
!
crypto ipsec transform-set shivlu esp-des esp-md5-hmac
!
crypto map shivlunoc 1 ipsec-isakmp
set peer 10.100.101.2 ---> This is the customer IP address
set transform-set shivlu -----> This is the transform set shivlu defined above, which is called here.
set pfs group1 ---------> It could be group 1 or group 5
match address 101 --------------> ACL 101 is called
!
interface Loopback100
ip vrf forwarding TEST
ip address 10.100.101.1 255.255.255.252
!
interface Loopback101
ip vrf forwarding TEST
ip address 10.10.10.100 255.255.255.255
!
interface Loopback100001
ip vrf forwarding TEST
ip address 100.250.250.1 255.255.255.248
!
interface FastEthernet0/0
ip address 10.5.230.220 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip vrf forwarding TEST
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1
no ip address
no peer default ip address
ppp authentication pap chap callin
ppp multilink
!
ip forward-protocol nd
ip route 10.0.0.0 255.0.0.0 10.5.230.1
no ip http server
no ip http secure-server
!
!
!
ip radius source-interface FastEthernet0/0
access-list 101 permit ip 10.10.10.0 0.0.0.3 10.1.1.0 0.0.0.3
!

The crypto map is not applied on the LNS itself; it is pushed from RADIUS
--> cd attributes/

[ //localhost/Radius/UserLists/default/test_ipsec@shivlu.blogspot.com/Attributes ]
cisco-avpair = "lcp:interface-config=ip vrf forwarding TEST"
cisco-avpair = "lcp:interface-config=ip unnumbered loopback100"
cisco-avpair = "lcp:interface-config=crypto map shivlunoc"
framed-ip-address = 10.100.101.2 ----> IP will be given after dialing
framed-protocol = ppp
framed-route = 10.1.1.0/30 ---> Customer LAN Route
service-type = framed



Configuration Of CE End

l2tp-class TestClass
!
!
crypto keyring shivlu123 -> The keyring is used after the IP is negotiated in the VRF
pre-shared-key address 10.100.101.1 key shivlu123
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 28800
!
crypto isakmp peer address 10.100.101.1
set aggressive-mode password cisco
!
!
crypto ipsec transform-set shivlu esp-des esp-md5-hmac
crypto map shivlunoc 1 ipsec-isakmp
set peer 10.100.101.1
set transform-set shivlu
set pfs group1
match address 101
!
!
!
pseudowire-class TestClass
encapsulation l2tpv2
protocol l2tpv2 TestClass
ip local interface FastEthernet0/0
!
!
!
!
!
interface FastEthernet0/0
ip address 10.5.230.101 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface Virtual-PPP1 -> The router initiates the PPP session for the VPDN; after that the crypto map is used
ip address negotiated
no cdp enable
ppp chap hostname test_ipsec@shivlu.blogspot.com
ppp chap password 0 cisco
pseudowire 10.5.230.220 100 pw-class TestClass
crypto map shivlunoc
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 --> After VPDN this route will work
ip route 10.0.0.0 255.0.0.0 10.5.230.1 --> This route is added for VPDN dialing
ip http server
no ip http secure-server
!
access-list 101 permit ip 10.1.1.0 0.0.0.3 10.10.10.0 0.0.0.3 -> CE lan to VRF TEST
!


Troubleshooting Commands

1. Check the L2 session
LNS_TEST_IPSEC#sh l2tun session
L2TP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
4 313 10056 test_ipsec@tuli, Vi2 est 00:06:55 3

2. Check the crypto session
LNS_TEST_IPSEC#show crypto session
Crypto session current status

Interface: Virtual-Access2
Session status: DOWN --> Status is down
Peer: 10.100.101.2 port 500
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.252 10.1.1.0/255.255.255.252 -> Acl 101
Active SAs: 0, origin: crypto map

The status shows DOWN with peer 10.100.101.2. This happens if the traffic is not matching the ACL. It means that to initiate a session a ping is required with the source and destination mentioned in the ACL.

Ping initiated from the CE
T2800#ping 10.10.10.1 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms

Now check the crypto status on the LNS
LNS_TEST_IPSEC#sh crypto session
Crypto session current status

Interface: Virtual-Access2
Session status: UP-ACTIVE -> Showing active with peer 10.100.101.2
Peer: 10.100.101.2 port 500
IKE SA: local 10.100.101.1/500 remote 10.100.101.2/500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.252 10.1.1.0/255.255.255.252
Active SAs: 2, origin: crypto map

3. Check phase 1 with the given command
LNS_TEST_IPSEC#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.100.101.1 10.100.101.2 QM_IDLE 1002 ACTIVE
The QM_IDLE state means the connection is established.


4. Check the encrypted packets
LNS_TEST_IPSEC#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1002 IKE MD5+DES 0 0 10.100.101.1
2005 IPsec DES+MD5 0 4 10.100.101.1
2006 IPsec DES+MD5 4 0 10.100.101.1

ID 1002 is for IKE phase 1, and 2005 and 2006 are for IPSec.

Initiate a ping from the CE with count 10 and see that the packets are encrypted
LNS_TEST_IPSEC#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt IP-Address
1002 IKE MD5+DES 0 0 10.100.101.1
2005 IPsec DES+MD5 0 14 10.100.101.1
2006 IPsec DES+MD5 14 0 10.100.101.1

5. IPSec VRF TEST status
LNS_TEST_IPSEC#show crypto ipsec sa vrf TEST
PFS (Y/N): Y, DH group: group1

interface: Virtual-Access2
Crypto map tag: shivlunoc, local addr 10.100.101.1

protected vrf: TEST
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.252/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.252/0/0)
current_peer 10.100.101.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.100.101.1, remote crypto endpt.: 10.100.101.2
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x2F0548BC(788875452)

inbound esp sas:
spi: 0x1B071345(453448517)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: shivlunoc
sa timing: remaining key lifetime (k/sec): (4441107/3382)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x2F0548BC(788875452)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: shivlunoc
sa timing: remaining key lifetime (k/sec): (4441107/3382)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:
outbound pcp sas:
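Step 2 above turns on the crypto ACL: the session stays DOWN until a packet matches ACL 101. The following check is an example I added (not code from the original post): it parses the two access-list 101 lines from the LNS and CE configs above, verifies that they are mirror images, and predicts which ping will bring the session to UP-ACTIVE. The ACL lines and addresses are the post's; the function names are mine, and only the network/wildcard form of an ACE is parsed.

```python
import ipaddress
import re

# The two crypto ACLs exactly as they appear in the post's LNS and CE configs.
LNS_ACL = "access-list 101 permit ip 10.10.10.0 0.0.0.3 10.1.1.0 0.0.0.3"
CE_ACL = "access-list 101 permit ip 10.1.1.0 0.0.0.3 10.10.10.0 0.0.0.3"

# Only the "network wildcard" form of an extended ACE is handled (the form the
# post uses); the host/any keywords are deliberately left out.
_ACE = re.compile(
    r"access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<swc>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dwc>\d+\.\d+\.\d+\.\d+)"
)


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.3 means /30."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ace(line):
    """Turn one ACE into the networks the crypto map will match on."""
    m = _ACE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    return {
        "action": m["action"],
        "proto": m["proto"],
        "src": wildcard_to_network(m["src"], m["swc"]),
        "dst": wildcard_to_network(m["dst"], m["dwc"]),
    }


def is_mirror(local, remote):
    """Crypto ACLs must be mirror images; otherwise one side proposes a proxy
    identity the other rejects and the SA never comes up for both directions."""
    return (local["action"] == remote["action"] == "permit"
            and local["proto"] == remote["proto"]
            and local["src"] == remote["dst"]
            and local["dst"] == remote["src"])


def is_interesting(ace, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches the ACE, i.e. it triggers IKE
    on the first packet and is protected by the IPsec SA afterwards."""
    return (ace["action"] == "permit"
            and ipaddress.IPv4Address(src_ip) in ace["src"]
            and ipaddress.IPv4Address(dst_ip) in ace["dst"])


def explain_ping(ce_ace, src_ip, dst_ip):
    """Predict the 'Session status' that show crypto session on the LNS will
    report after the CE pings dst_ip from src_ip (step 2 of the troubleshooting)."""
    return "UP-ACTIVE" if is_interesting(ce_ace, src_ip, dst_ip) else "DOWN"


if __name__ == "__main__":
    lns, ce = parse_ace(LNS_ACL), parse_ace(CE_ACL)
    print("ACLs mirror each other:", is_mirror(lns, ce))
    # The post's working ping, sourced from the CE LAN address 10.1.1.1.
    print("ping 10.10.10.1 source 10.1.1.1   ->", explain_ping(ce, "10.1.1.1", "10.10.10.1"))
    # A ping sourced from the negotiated Virtual-PPP1 address instead falls
    # outside ACL 101, so no SA is negotiated and the session stays DOWN.
    print("ping 10.10.10.1 source 10.100.101.2 ->", explain_ping(ce, "10.100.101.2", "10.10.10.1"))
```

The same mirror check applies to any crypto map pair; note also that the transform set used here (esp-des esp-md5-hmac with PFS group1) is far below current strength and is what an audit would flag first.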




Monday, August 10, 2009

MPLS TE Per VRF Basics




Service providers are looking to divert the traffic of some VPNs onto the redundant path, so as to utilize the links and give priority to delay-sensitive traffic. MPLS TE is the best tool for this.
Click here to download full article.
