
Protocols, Premium & VPNs-Batch-32


Understanding

Protocols, Premium & VPNs Circuits


TAC Refresher
Batch # 32

Trainer :
Omar Tariq
SNE-TAC
May 2017
Objective

To discuss the key protocols used in the Nayatel Core and their purpose, and to develop
better understanding & troubleshooting skills for Premium, Layer 2 & Layer 3 VPNs.
Pre-requisites:

• Basic Knowledge of OSI layers


• Basic understanding of Dynamic and Static Routing
• Basic understanding of Switching Concept
• Basic understanding of Routing Concept
• Basic understanding of VPNs & their Use
• Basic Knowledge of Terms VLAN, Encapsulation.
• Understanding of Routing Table and its function
• Connected & Static Routes
1. Key Protocols Used in Nayatel Core

i. BGP
– Quick Review
– BGP as Used in Nayatel

ii. ISIS
– Quick Review
– ISIS as Used in Nayatel

iii. MPLS
– Quick Review
– MPLS as Used in Nayatel

2. Concept & Troubleshooting

i. PREMIUM Circuits
ii. Layer 2 VPNs
iii. Layer 3 VPNs
The Protocols
Quick Review : Autonomous System

IGP ? EGP ?
Quick Review
• Static Routing : Manually Configured

• Dynamic Routing : Based on Routing Protocols

• Connected Route

• Static Route
Learning a Routing Protocol
How to Start
Dynamically

Routing Protocol

Administrative Distance
(Trustworthiness)

Example wrt TAC


BGP Quick Review
BGP Attributes For In Bound
& Out Bound Traffic Control

MED
AS Path Local Preference
BGP as configured in Nayatel
ISIS Quick Review
IGP: designed to be used inside an AS
OSI Layer: Layer 2
Key Advantage: Scalable
Hello Types: ISH, ESH, IIH
Router Types: L1, L2, L1-L2
Routing Levels: 0, 1, 2, 3
OSI Addressing: Area – System ID – NSEL
Metric: Cost used by Cisco

Cisco NSAP format: Area – System ID – NSEL (always 00 on ISs)
49.0001.2222.2222.2222.00

Area ID: ISIS Area
System ID: MAC or IP
NSEL: identifies network layer device; always 00 for a router
ISIS as Configured in Nayatel
ISIS-Type 2

Enabled on all CORE links & Loopbacks

Connected & Static


Private IPs

BGP Next Hop

Public IPs

IP Pool
MPLS Quick Review
Layer: Layer 2.5
Labels: Maps IP to fixed-length labels
Label Header: 4 Bytes
Multi Protocol: Can run on Ethernet, FR, ATM
MPLS architecture: Control & Data Plane
Route Distinguisher: Address Space Uniqueness
Route Target: Indicates VPN membership
MPLS as Configured in Nayatel

Applications Used
VPNs
AToM

IP / MPLS Backbone
Layer 2 VPNs
Layer 3 VPNs
VPNv4
MPBGP
RD
RT
What is VRF
Virtual routing and forwarding (VRF) is a technology included in IP (Internet
Protocol) network routers that allows multiple instances of a routing table to exist in
a router and work simultaneously.

192.168.10.0/30
Can be reused
Route Distinguisher
• VRFs allow IP address space to be reused among isolated routing domains. For
example, 192.168.10.0/30 can be used for each VRF.

• This works well, but we need a way to keep track of which 192.168.10.0/30 route
belongs to which customer (VRF). This is where route distinguishers come in.

• As its name implies, a route distinguisher (RD) distinguishes one set of routes (one
VRF) from another. It is a unique number prepended to each route within a VRF to
identify it as belonging to that particular VRF or customer.

ip vrf Site_A
rd 23674:10
(23674 = AS Number; 10 = Number assigned by the service provider)
Multiprotocol BGP (MPBGP)
• BGP by itself can carry only IPv4 unicast routes.

• MPBGP is an extension of BGP which can carry different types of routes:
– IPv4 Unicast
– IPv4 Multicast
– IPv6 Unicast
– VPNv4 Address Family (RD, RT, VPN label)

• An RD is carried along with a route via MP-BGP when exchanging VPN routes with
other PE routers.
Route Target
• Route distinguishers are used to maintain uniqueness among identical routes in
different VRFs.
• Route targets can be used to share routes among VRFs.
• We can apply route targets to a VRF to control the import and export of routes
between it and other VRFs.

ip vrf Customer_A
rd 23674:100
route-target export 23674:100
route-target export 23674:1234
route-target import 23674:100
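
The RD and RT behaviour described above, modelled as an added example (not part of the original slides): the RD keeps identical prefixes unique in the VPNv4 table, and a matching export/import route target decides which VRFs receive each other's routes, which is the thing to review when checking customer isolation. Customer_A is the config from the slide; Customer_B, Shared_Services and their RD/RT values are hypothetical.

```python
from itertools import permutations

# Constructed sample VRFs. Customer_A matches the config shown above;
# Customer_B and Shared_Services are hypothetical, added for illustration.
VRFS = {
    "Customer_A": {"rd": "23674:100",
                   "export": {"23674:100", "23674:1234"},
                   "import": {"23674:100"}},
    "Customer_B": {"rd": "23674:200",
                   "export": {"23674:200"},
                   "import": {"23674:200"}},
    "Shared_Services": {"rd": "23674:900",
                        "export": {"23674:900"},
                        "import": {"23674:900", "23674:1234"}},
}

# Every VRF reuses the same customer prefix, as the RD slide describes.
LOCAL_PREFIXES = {name: ["192.168.10.0/30"] for name in VRFS}


def vpnv4_routes(vrfs, prefixes):
    """Build the VPNv4 table: RD:prefix keys stay unique across VRFs."""
    table = {}
    for name, vrf in vrfs.items():
        for prefix in prefixes[name]:
            key = f"{vrf['rd']}:{prefix}"
            table[key] = {"origin": name, "rts": vrf["export"]}
    return table


def imported_by(vrf_name, vrfs, table):
    """VPNv4 routes a VRF imports: any export RT matching one of its import RTs."""
    wanted = vrfs[vrf_name]["import"]
    return sorted(key for key, route in table.items()
                  if route["origin"] != vrf_name and route["rts"] & wanted)


def leak_paths(vrfs):
    """List (exporter, importer, shared RTs) for every pair of different VRFs."""
    return [(a, b, sorted(vrfs[a]["export"] & vrfs[b]["import"]))
            for a, b in permutations(vrfs, 2)
            if vrfs[a]["export"] & vrfs[b]["import"]]


if __name__ == "__main__":
    table = vpnv4_routes(VRFS, LOCAL_PREFIXES)
    print(sorted(table))
    for src, dst, rts in leak_paths(VRFS):
        print(f"{src} -> {dst} via {rts}")
```
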
Day-1 Summary / Revision
BGP
• OSI Layer
• Autonomous System
• eBGP & its AD
• iBGP & its AD
• Transport
• Packet Types
• Neighbor States
• Attributes
• Path Selection
• BGP in Nayatel

ISIS
• OSI Layer
• IGP
• Hello Types
• Router Types
• Routing Level
• Metric
• NSAP
• ISIS in Nayatel

MPLS
• Layer
• Label
• Label Header
• Architecture
• Tables
• Applications
• App in Nayatel
• MPLS in Nayatel
The Services
Premium / IP Routed
• IPoE
• Always ON
• No dialer Account
• No Authentication
• No Accounting
• Static Configurations/ASRs
• Admin Down
• No Usage History

Soft Lock
• Controlled from Core Router / ASR.
• If Admin Down on ASR then it means the account is locked manually.
• So always refer to account status from CRM and then confirm it from ASR.

FP-ASR9010#sh int desc | i NTLPREMIUM

BE141.1234 admin-down admin-down NTLPREMIUM,INTERNET_NTL#112233_24TH,JULY,2016


Troubleshooting
• Premium Link Down
• Slow Browsing
• Packet Loss

115.186.138.72/30

(Note: Core Network has been upgraded.)


(old diagram for understanding)
Example
RP/0/RSP0/CPU0:NYT-FP-ASR9010#show interfaces description | i 47791
Mon Nov 14 20:48:22.769 PKT
BE1412.962 up up ABC_INTERNET_NTL#47791_29TH,OCTOBER,2016

RP/0/RSP0/CPU0:NYT-FP-ASR9010#show running-config interface BE1412.962


Mon Nov 14 20:48:37.928 PKT
interface Bundle-Ether1412.962
description ABC_INTERNET_NTL#47791_29TH,OCTOBER,2016
service-policy input PREMIUM_12MB
service-policy output PREMIUM_12MB
ipv4 address 115.186.132.13 255.255.255.252
encapsulation dot1q 962
ipv4 access-group PREMIUM_FILTER ingress
ipv4 access-group PREMIUM_FILTER_OUT egress
!
115.186.132.13 is the gateway and 115.186.132.14 is the customer's IP
ping ipv4 115.186.132.14
sh arp 115.186.132.14
Layer 2 VPN
• Concept
– Nayatel as Switch
– No IPs at Nayatel end
– No Routing done by Nayatel
– Customer is responsible for IPs
– Customer himself gives IP schemes
– Customer can ping IPs of one side from the other
– Both sides have different VLANs
– We can check Layer 2 information only
– Layer 2 VPNs will have two ends
– Both can be on Nayatel, or one at Nayatel and the other on any interconnect partner
– Nayatel is offering P2P Layer 2 VPNs
– For P2M Layer 2 VPNs, VPLS is used
Troubleshooting
Layer 2 Circuit Down
• Check ONT status
• Check account status on ASR
• Check Running Configurations
• Check OLT
• Xconnect / virtual Connection Status
• Share VLAN, OLT info with Access TAC
• Access TAC will check MAC swapping

Slow Access / Packet Loss on Layer 2 Circuit
• Confirm BW on ASR
• Check MRTG
• BERs, Optical Power, Duplex
• Breaking in Layer 3 by Core

Commands:
FP-ASR9010#sh int des | i NTLL2
FP-ASR9010#sh running-config int bundle-ether 142.354
FP-ASR9010#sh running-config int bundle-ether 142
Example of Layer 2
RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh int des | i NTLL2
Sat Jul 30 10:34:02.008 PKT
BE142.354 up up NTLL2_L2VPN_NTL#1234_15TH,AUG,2015
BE1412.3850 up up NTLL2_L2VPN_NTL#1234_15TH,AUG,2015

RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh running-config int bundle-ether 142.354


Mon Aug 1 11:03:40.577 PKT
interface Bundle-Ether142.354 l2transport
description PLANETZONG_L2VPN_NTL#23050_15TH,AUG,2015
encapsulation dot1q 354

rewrite ingress tag pop 1 symmetric


!

RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh running-config int bundle-ether 1412.3850


Mon Aug 1 11:03:52.537 PKT
interface Bundle-Ether1412.3850 l2transport
description PLANETZONG_L2VPN_NTL#23050_15TH,AUG,2015
encapsulation dot1q 3850
rewrite ingress tag pop 1 symmetric
service-policy input PREMIUM_2MB
service-policy output PREMIUM_2MB
!
How to check OLT
RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh running-config int bundle-ether 142
Mon Aug 1 11:03:57.470 PKT
interface Bundle-Ether142
description HUAWEI,FPOP-4-2,BUNDLE
mtu 9194
bundle maximum-active links 16
load-interval 30
!
Layer 2 VPN Summary
• Are there some IPs?
• Can we ping IPs from TAC?
• Can we check MAC on ASR?
• How MAC can be checked then?
• Do we have MRTG Plotted for Layer 2 VPN?
• What information is present in Layer 2 VPN?
• If Layer 2 is down, what will the TAC engineer do?
Layer 3 VPN
• Concept
– IP based VPNs
– ISP is responsible for Routing
– Multiple sites can participate in a Layer 3 VPN
– Topology
• Hub & Spoke
• Full Mesh
– P, PE, CE
– VPN Routing and Forwarding Instance (VRF)
– PE-CE Routing (Static, RIP, EIGRP, OSPF, etc)
– MP-BGP VPNv4
– Connected on ASR
– We can ping IPs and Check MAC on ASR
Troubleshooting
(Note: Core Network has been upgraded.)
(old diagram for understanding)
• Check ONT status
• Check the Interface on the Core Router
• Ping HUB Site ASR interface IP
• Ping HUB Site Customer End IP
• Ping Spoke Site ASR interface IP using HUB Site VRF
• Ping Spoke Site Customer End IP using HUB Site VRF
• Check MAC
• Check VRF / Routing table
• Identify site via IPs
Example of Layer 3
RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh int des | i EFACTOR3
Sat Jul 30 11:04:43.162 PKT
BE311.1343 up up EFACTOR3_L3VPN_NTL#1744_
BE321.1092 up up EFACTOR3-H-HUBSITE_L3VPN_NTL#1744_
Running Configurations
RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh run interface bundle-ether 311.1343
Sat Jul 30 11:05:07.131 PKT
interface Bundle-Ether311.1343
description EFACTOR3_L3VPN_NTL#1744_
service-policy input PREMIUM_2MB
service-policy output PREMIUM_2MB
vrf efactor3
ipv4 address 192.168.14.1 255.255.255.252
encapsulation dot1q 1343

RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh run interface bundle-ether 321.1092


Sat Jul 30 11:10:27.482 PKT
interface Bundle-Ether321.1092
description EFACTOR3-H-HUBSITE_L3VPN_NTL#1744_
vrf earthfactor
ipv4 address 192.168.16.81 255.255.255.252
encapsulation dot1q 1092
!
Ping HUB Site ASR interface IP

RP/0/RSP0/CPU0:NYT-FP-ASR9010#ping vrf earthfactor 192.168.16.81


Sat Jul 30 11:11:14.958 PKT
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.81, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5),

What Logically Happened (diagram): Earthfactor, 192.168.16.81
Ping HUB Site Customer End IP

RP/0/RSP0/CPU0:NYT-FP-ASR9010#ping vrf earthfactor 192.168.16.82


Sat Jul 30 11:11:16.734 PKT
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.82, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5),

What Logically Happened (diagram): Router Earthfactor, 192.168.16.81, CPE (ONT/Router)
Ping Spoke Site ASR interface IP using HUB Site VRF

RP/0/RSP0/CPU0:NYT-FP-ASR9010#ping vrf earthfactor 192.168.14.1


Sat Jul 30 11:11:25.428 PKT
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.14.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5),

What Logically Happened (diagram): Router Efactor3, Router Earthfactor, 192.168.14.1
Ping Spoke Site Customer End IP using HUB Site VRF

RP/0/RSP0/CPU0:NYT-FP-ASR9010#ping vrf earthfactor 192.168.14.2


Sat Jul 30 11:11:27.746 PKT
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.14.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

What Logically Happened (diagram): Router Efactor3, Router Earthfactor, 192.168.14.2, CPE (ONT or Router)


Check MAC
• If the ping is not successful, ICMP may be blocked, or the CPE may be not responding
due to some issue, or unreachable

• Checking MAC against earthfactor-Hub Side

RP/0/RSP0/CPU0:NYT-FP-ASR9010# sh arp vrf earthfactor


Sat Jul 30 11:11:54.534 PKT

-------------------------------------------------------------------------------
1/0/CPU0
-------------------------------------------------------------------------------
Address Age Hardware Addr State Type Interface
192.168.16.81 - 5087.8937.4ac7 Interface ARPA Bundle-Ether321.1092
192.168.16.82 00:39:34 ec44.762b.e3c1 Dynamic ARPA Bundle-Ether321.1092
Checking VRF / Routing Table
RP/0/RSP0/CPU0:NYT-FP-ASR9010#show route vrf efactor3
Sat Jul 30 11:05:23.542 PKT

Codes: L-Local, C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path


D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default

Gateway of last resort is 192.168.16.82 to network 0.0.0.0

B* 0.0.0.0/0 [200/0] via 192.168.16.82 (nexthop in vrf earthfactor), 1d19h


B 192.168.1.0/24 [200/0] via 192.168.16.82 (nexthop in vrf earthfactor), 1d19h
S 192.168.4.0/24 [1/0] via 192.168.14.2, 11w6d
B 192.168.10.0/24 [200/0] via 192.168.16.82 (nexthop in vrf earthfactor), 1d19h
C 192.168.14.0/30 is directly connected, 11w6d, Bundle-Ether311.1343
L 192.168.14.1/32 is directly connected, 11w6d, Bundle-Ether311.1343
B 192.168.16.80/30 is directly connected, 1d19h, Bundle-Ether321.1092 (nexthop in vrf earthfactor)
B 192.168.20.0/22 [200/0] via 192.168.16.82 (nexthop in vrf earthfactor), 1d19h

In the above display, routes with codes S, C and L are this site's routes, whereas routes with code B are
routes of other sites learned via BGP.
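
One way to apply this rule to captured output, as an added example (not part of the original slides): the parser below reads the route lines shown above, separates this site's routes (S, C, L) from the BGP-learned ones, and groups the latter by the VRF named in "nexthop in vrf". The function and field names are assumptions.

```python
import re

# Route lines copied from the `show route vrf efactor3` output above.
SAMPLE = """\
Gateway of last resort is 192.168.16.82 to network 0.0.0.0
B* 0.0.0.0/0 [200/0] via 192.168.16.82 (nexthop in vrf earthfactor), 1d19h
B 192.168.1.0/24 [200/0] via 192.168.16.82 (nexthop in vrf earthfactor), 1d19h
S 192.168.4.0/24 [1/0] via 192.168.14.2, 11w6d
B 192.168.10.0/24 [200/0] via 192.168.16.82 (nexthop in vrf earthfactor), 1d19h
C 192.168.14.0/30 is directly connected, 11w6d, Bundle-Ether311.1343
L 192.168.14.1/32 is directly connected, 11w6d, Bundle-Ether311.1343
B 192.168.16.80/30 is directly connected, 1d19h, Bundle-Ether321.1092 (nexthop in vrf earthfactor)
B 192.168.20.0/22 [200/0] via 192.168.16.82 (nexthop in vrf earthfactor), 1d19h
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]\w?)(?P<star>\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s")
VRF_RE = re.compile(r"\(nexthop in vrf (?P<vrf>[\w-]+)\)")
LOCAL_CODES = {"S", "C", "L"}  # this site's routes, per the note above


def parse_routes(text):
    """Parse route lines; legend, timestamp and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        vrf = VRF_RE.search(line)
        routes.append({
            "code": m["code"],
            "prefix": m["prefix"],
            "candidate_default": m["star"] == "*",
            "site": "local" if m["code"] in LOCAL_CODES else "remote",
            "nexthop_vrf": vrf["vrf"] if vrf else None,
        })
    return routes


def summarize(routes):
    """Group prefixes into this site's routes and routes per source VRF."""
    summary = {"local": [], "remote": {}}
    for r in routes:
        if r["site"] == "local":
            summary["local"].append(r["prefix"])
        else:
            summary["remote"].setdefault(r["nexthop_vrf"], []).append(r["prefix"])
    return summary


if __name__ == "__main__":
    print(summarize(parse_routes(SAMPLE)))
```
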
Identify Customer Site By IP
Suppose the customer tells you the IP address 192.168.12.162 (this is the CPE end IP), so the ASR
end IP will be 192.168.12.161

RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh ipv4 vrf all int brief | i 192.168.12.161


Sat Jul 30 15:06:35.598 PKT
Bundle-Ether111.1482 192.168.12.161 Up Up habib-bank

RP/0/RSP0/CPU0:NYT-FP-ASR9010#sh run int bundle-ether 111.1482


Sat Jul 30 15:05:59.211 PKT
interface Bundle-Ether111.1482
description HBLNADRA-HBLSIDE_L3VPN_NTL#95_4TH,DEC
service-policy input PREMIUM_6MB
service-policy output PREMIUM_6MB
vrf habib-bank
ipv4 address 192.168.12.161 255.255.255.252
encapsulation dot1q 1482
!
Layer 3 VPN Summary
• Are there some IPs?
• Are the IPs private or public?
• Can we ping IPs from TAC?
• Can we check MAC on ASR?
• Do we have MRTG Plotted for Layer 3 VPN?
• What information is present in Layer 3 VPN?
• If Layer 3 is down, what will the TAC engineer do?
