CCIE SP Notes For Lab
CCIE SP Notes For Lab
CCIE SP Notes For Lab
IOS
interface X
ip vrf forwarding VPN-A
!
interface X
IOS-XR
interface X
vrf VPN-C
IOS
interface X
ip vrf receive VPN-A
ip vrf receive VPN-B
ip vrf receive VPN-C
ip address 1.1.1.1 255.255.255.0
ip policy route-map VRF-SELECTION-PBR
!
route-map VRF-SELECTION-PBR
permit 10
permit 20
permit 30
Limitations
multicast is not usually supported by PBR
IOS
Limitations
If it's not supported by the router, you'll get the following output:
VRF-Autoclassify
It allows a specific interface on a PE router to route packets to different VPNs based
on the ip addresses
At the same time it also enables certain types of Policy Based Routing (PBR) to be
created dynamically without configuring all the related route maps and access lists.
More specifically it enables the dynamic configuration of policies that are required for
the mapping of packets to the VRFs, depending on whether the source address of the
packet belongs to those connected routes.
IOS
interface X
ip address
ip address
ip address
ip vrf autoclassify source
interface Z
ip vrf forwarding VPN-B
ip address 20.20.20.1 255.255.255.0
Limitations
!
interface Y
It allows packet arriving on ingress VRF to get routed on an egress interface which is in a
different VRF based on various match criteria defined in an ip access list.
So you actually specify a nexthop VRF instead of a specific IP address for the nexthop. When
this config is enabled, packet destination lookup will be performed in the ABF Nexthop VRF.
IOS-XR
interface X
ipv4 address 10.10.10.10 255.255.255.0 vrf VPN-A
ipv4 access-group ABF-ACL ingress
!
ipv4 access-list ABF-ACL
permit ipv4 1.1.2.2 0.0.0.0 any nexthop1 vrf VPN-A permit ipv4
1.1.3.3 0.0.0.0 any nexthop1 vrf VPN-B permit ipv4 1.1.4.4
0.0.0.0 any nexthop1 vrf VPN-C
Limitations
applies only to ASR9k and CRS running IOS-XR
110 NTS for CCIE SP Lab by chatasos
MPLS/LDP
LDP (Label Distribution Protocol) is defined in RFC 5036.
MPLS (Multi-Protocol Label Switching) architecture is defined in RFC 3031. MPLS Label
Stack Encoding is defined in RFC 3032.
LDP messages
A working IGP between neighbors is a requirement for all the above, besides LDP Discovery.
Label retention/distribution
Label retention
o liberal
o conservative
Label distribution
o downstream
unsolicited
on-demand
Liberal, downstream, unsolicited is the most common case.
General
Although in latest software releases LDP is the default label protocol, it's a good
practice to always enable it with"mpls label protocol
ldp".Thesameapplieswiththe"mpls ldp router-id",which should in most
cases be loopback0.
X Label
Fa0/0.1: rx: Len 122 Stack {29 0 253} - ipv4 data Fa0/0.2: tx:
Len 122 Stack {30 0 252} - ipv4 data
o Labeled BGP
a VPN Label (L3VPN) is allocated through
o MP-BGP (VPNv4/v6)
a PW Label (L2VPN) is allocated through
o Targeted LDP
an IPv6 Label (6PE) is allocated through
o Labeled BGP
You can create targeted LDP sessions (assuming ip connectivity exists) using the following
methods:
IOS
R2
Static LDP neighbor on one router and accept targeted hellos on the other R1
Debugging should be the last thing you should do in case of a problem in production
networks. So learn not to
depend on it.
112 NTS for CCIE SP Lab by chatasos
R2
MPLS/LDP under a TE tunnel interface on one router and static LDP neighbor on the other
R1
interface Tunnel0 tunnel destination R2 mpls ip
R2
MPLS/LDP under a TE tunnel interface on one router and accept targeted hellos on the other
R1
R2
IOS-XR
R1
mpls ldp
neighbor R2 targeted
R2
mpls ldp
discovery targeted-hello accept
You can also use RSVP solely for (one-hop) link protection, having tLDP on top of it.
In case of RSVP in the core and LDP in the access, you can have tLDP sessions over RSVP,
where end-to-end
LSPs will have 1 label (LDP) in the access and 2 labels (RSVP/LDP) in the core.
113 NTS for CCIE SP Lab by chatasos
These labels (which are the same as the ones used for the BGP next-hop) are shown only if
you exclusivelydefinethenetworkin"sh mpls forwarding-table"oruse"sh ip
cef".
The rule for LSP usage in BGP is that when an LSP is available for the BGP next-hop of a
route, that LSP
IOS
R2#sh
Local
Label
None
R2#sh 21
Outgoing
Label
22
Prefix
or Tunnel Id
6.6.6.6/32
Bytes Label
Switched
0
Known via "bgp 100", distance 200, metric 0 Tag 20, type
internal
Last update from 5.5.5.5 00:35:32 ago Routing Descriptor
Blocks:
Outgoing
interface
Fa0/0.23
Fa0/0.23
Next Hop
20.2.3.3
20.2.3.3
22 5.5.5.5/32
R2#sh
Routing entry for 6.6.6.6/32
ip route 6.6.6.6
Static Labels
LDP Auto-configuration
IOS
router ospf/isis X
!
interface X
IOS-XR
mpls ldp
!
router ospf/isis X
mpls ldp auto-config
!
interface X
LDP Authentication
After you configure the label range, you need to remove the mpls ldp config from the IGP
process or from the
interfaces in order to use the label range. If you just clear the LDP neighbors, then the old
labels remain.
After setting the LDP password, the LDP session might need to be cleared manually to have
the password
enabled.
per neighbor
o "mpls ldp neighbor x.x.x.x password" (IOS, IOS-XR)
Label Filtering
IOS
The LDP default behavior is to allocate local labels for all non-BGP prefixes, which includes
IGP learned prefixes and connected interfaces with LDP on.
, but LDP does the advertisements (i.e. Inter-AS Option C). LDP neither forwards these
entries, nor releases the local labels allocated by BGP.
Common use of label filtering is to allocate labels only for PE loopback addresses.
LDP does not apply the configured local label filter to redistributed BGP routes in the global
table for which
IOS-XR
When enabled, a new targeted LDP session is created between the neighbors, in order to keep
their LDP session active over any backup path, after the direct/primary link fails. When the
primary/direct link is restored, label bindings do not need to be re-exchanged.
2 implementation choices:
targeted hellos
IOS
IOS-XR
mpls ldp
session protection
session protection for LDP-NEI-ACL duration X
You can enable it for all LDP neighbors or for specific ones using an ACL.
IOS
Successful recovery
Failed recovery
When enabled, links where LDP adjacencies are not established, will have their IGP metric
increased to the max by the local IGP process.
Generally when an IGP adjacency is established on a link with LDP-IGP Sync on, but LDP-
IGP Sync is not yet achieved (or is lost), the IGP advertises the max-metric on that link. That
way the link won't be preferred for passing traffic and black-holing will be prevented.
IOS
router ospf/isis X
!
mpls ldp igp sync holddown x !
interface X
IOS-XR
router ospf/isis X
!
mpls ldp
IOS
R2#sh mpls ldp igp FastEthernet0/0.23:
delay x
sync
IOS-XR
GigabitEthernet0/1/0/1.619:
6.6.6.6:0
Targeted LDP sessions (i.e. AToM) are not supported, which is expected because these are
already tLDP sessions that can use IGP for rerouting.
In IS-IS the maximum wide metric -1 (0XFFFFFE) is used with MPLS LDP IGP
synchronization.
Links
IETF - RFC 5443
IETF - RFC 6138
TTL Propagation
Default behavior is to copy the TTL from the IP header to the MPLS header (topmost
label). 2 extra options are available:
If the TTL is not copied for forwarded packets, then a traceroute from a local CE to a remote
CE, will include the local PE, the remote PE and the remote CE (all the intermediate P
routers won't be shown). You can use this in order to hide the MPLS hops from the customer.
You only need to disable the TTL propagation on the PEs, since the P (LSR) routers do not
see the
o Destination=CE2
o TTL=1
o Source=PE1
o Destination=CE1
o Source = CE1
o Destination=CE2 o TTL=2
o Source=CE1
o Destination=CE2 o TTL=1
o Source=P
o Destination=CE1 o TTL=default
PE2 receives the ICMP response and forwards it to CE1 which is the actual
destination o Source=P
o Destination=CE1
o and so on...
MPLS MTU
Every label adds 4 bytes to the frame size. Common label stacks
L3VPN
o LDP label + VC label
L2VPN/VPLS
o LDP label + VC label
MPLS-TE
120 NTS for CCIE SP Lab by chatasos
chatasos (ccie-in-2-months.blogspot.com) – Notes: The Series (NTS) for CCIE SP Lab
o TE label + VC label
o FRR label + TE label + LDP label + VC label AToM & TE/FRR & CsC
o FRR label + TE label + LDP label + VPN label + VC label Common transport header sizes
(in bytes):
Ethernet port:14
Ethernet VLAN: 14 + 4 per vlan tag
Frame-Relay DLCI: 2 (Cisco), 8 (IETF)
HDLC/PPP: 4
AToM Control Word: 4
All L3 protocols (i.e. IPv4, IPv6, MPLS, CLNS) inherit their MTU settings from L2
MTU.
The default MPLS MTU value of a link equals the interface MTU value. You need to
first change the interface MTU in order to be able to increase the MPLS MTU too.
IOS
IOS
interface FastEthernet0/0
mtu 1530
IOS
In IOS-XR, interface MTU includes the L2 header (i.e. +14 bytes in case of untagged
ethernet).
IOS-XR
interface TenGigE0/0/0/6
mtu 9214
IOS-XR
ASR9k#sh imds int Te0/0/0/6
View: OWN - Owner, L3P - Local 3rd Party, G3P - Global 3rd
Party,
Interface flags:
Protocol
--------
None
None
arp
ipv4
mpls ether_sock ether_link_oam
IFT_TENGETHERNET None
None
GDP|G3P
The"sh imds"commandishiddeninmostIOS-XRreleases.
IOS-XR
Fragmentation
If a labeled packet is received and the LSR notices that the outgoing MTU is not big enough
for this packet, the LSR strips off the label stack, fragments the IP packet, puts the label stack
(after the pop, swap, or push operation) onto all fragments, and forwards the fragments.
If the IP header has the DF bit set, the LSR doesn't fragment the IP packet, but it drops the
packet and returns an ICMP error message "Fragmentation needed and do not fragment bit
set" to the originator of the IP packet (following the same procedure as with traceroute).
IOS uses MRU in order to "inform" the LSR how big a received labeled packet of a certain
FEC can be in order for that to be forwarded out of this LSR without fragmenting it.
In IOS-XR, if you change the interface MTU, then you need to take into account the L2
header. If you change
Local
Label
None
20.6.19.19
Outgoing
Label
No Label
Prefix
or Tunnel Id 19.19.19.19/32
Bytes Label
Switched
0
Outgoing
interface
Fa0/0.619
Next Hop
L3VPN Redistribution
Configuration Steps
BGP<=>RIP
RIP=>BGP
RIP metric => BGP MED (auto)
RIP=>BGP=>RIP
RIP metric => BGP MED => RIP metric (auto)
OTHER=>BGP=>RIP
BGP X => RIP metric (manual)
If "auto" doesn't work (for whatever reason), you can trying clearing the vrf routing
table on the PE or you can use the following to set manually the RIP metric:
Clearing of vrf routing table might be needed every time a new prefix is redistributed.
If version 2 is to be used, then it must be defined under the ipv4 vrf address-family on
the PE.
Configuration
IOS
router rip
!
router bgp 100
redistribute rip
IOS-XR
router rip
vrf VPN
redistribute bgp 200
!
router bgp 200
vrf VPN
address-family ipv4 unicast
redistribute rip
BGP<=>EIGRP
EIGRP=>BGP
EIGRP composite metric => BGP MED (auto)
EIGRP vector metrics => BGP Extended Cost Community (auto)
EIGRP=>BGP=>EIGRP
EIGRP composite metric => BGP MED => EIGRP composite metric (auto)
EIGRP vector metrics => BGP Extended Cost Community => EIGRP vector metrics (auto)
original internal EIGRP routes appear as internal EIGRP routes when redistributed
original external EIGRP routes appear as external EIGRP routes when redistributed
OTHER=>BGP=>EIGRP
BGP X => EIGRP metrics (manual)
original routes appear as external EIGRP routes when redistributed
If "auto" doesn't work (for whatever reason), you can trying clearing the vrf routing table on
the PE or you can use the following to set manually the EIGRP metrics:
Clearing of vrf routing table might be needed every time a new prefix is redistributed.
EIGRP vector metrics = K1 K2 K3 K4 K5 (i.e. 1000 10 255 1 1500)
Configuration
IOS
!
router bgp 200
redistribute eigrp 1
IOS-XR
router eigrp 100
vrf VPN
address-family ipv4
autonomous-system 1
redistribute eigrp 1
Redistribution of EIGRP into the BGP vrf requires the EIGRP autonomous-system number to
be redistributed. Some software releases may accept the global EIGRP process too.
You can use the SoO extended community to prevent any possible loops.
BGP<=>ISIS
ISIS=>BGP
ISIS metric => BGP MED (auto)
ISIS=>BGP=>ISIS
ISIS metric => BGP MED => ISIS metric (auto)
OTHER=>BGP=>ISIS
BGP X => ISIS metric (manual)
You can use the following to set manually the ISIS metric:
IOS
!
router bgp 200
IOS-XR
vrf VPN
redistribute bgp 200
!
router bgp 200
vrf VPN
address-family ipv4 unicast
Redistribution doesn't take into account the IS-IS connected routes. You have to explicitly
define them.
In order to void a possible loop while doing redistribution (when L1 is involved), you can
change the distance of the ISIS advertised routes (excluding connected) on the PE to be
higher than BGP's.
IOS
BGP<=>OSPF
OSPF=>BGP
OSPF metric => BGP MED + 1 (auto)
OSPF Area/LSA => BGP extended community "OSPF RT" (auto)
OSPF=>BGP=>OSPF
OSPF metric => BGP MED + 1 => OSPF metric (auto)
original intra-area routes appear as inter-area routes when redistributed (if same
OSPF Domain-ID)
original intra-area routes appear as external-2 routes when redistributed (if different
OSPF Domain-
ID)
OTHER=>BGP=>OSPF
BGP X => OSPF metric (manual)
You can always use the following to manually set the OSPF metric:
Type-1/2 => RT 2
Type-3 => RT 3
Type-5 => RT 5
Type-7 => RT 7
Sham-links => RT 129 Examples
o LSA-Type 5
o External 1
OSPF RT:0.0.0.0:5:1
o LSA-Type 5 o External 2
Configuration
IOS
!
router bgp 200
IOS-XR
In IOS, if you don't include the vrf name in the redistribution of OSPF into BGP, it gets
automatically added to the configuration.
For a PE it is necessary to know if a particular prefix has been learned from another PE
router, in order to avoid re-advertisement of it into BGP and cause a loop.
Two mechanisms are mainly used for loop prevention when OSPF is used as PE-CE protocol.
theDN bit
theVPN Route (or OSPF Domain) tag
By default, when a type 3, 5, 7 LSA is sent from a PE to a CE, the DN bit is set by the
PE.
Almost all Cisco software releases support the setting of DN bit only for Type-3
LSAs and they use a 32- bit VPN Route tag for Type-5/7 LSAs. The configuration
and inclusion of the VPN Route Tag is required by all implementations for backward
compatibility with older implementations that do not set the DN bit in type 5/7 LSAs.
If a PE router receives an LSA that contains the same VPN Route Tag as the locally
configured tag, then the
localPErouterknowsthatanotherPErouter(fromthesamedomain)
generatedthisrouteandtheLSAis ignored.
16bit ASNs
o VPN Route tag Format: 1101 000000000000 ASN_of_VPN_Backbone
32bit ASNs
o VPN Route tag must be defined manually
You can change this default value by using the "domain-tag" command within the OSPF
VRF process configuration.
IOS
from that LSA is not used during the OSPF route calculation, which means that the prefix
doesn't get installed
domain-tag 12345
IOS-XR
domain-tag 12345
In case of Multi-VRF (VRF-Lite), the router that is accepting the LSA with the DN bit is
actually a CE router with no BGP VPNv4 functionality, so there is no danger of redistributing
this prefix into BGP. In order to bypass this DN bit check, the following configuration can be
enabled.
IOS
capability vrf-lite
IOS-XR
disable-dn-bit-check
Verification
IOS
Length: 28
Network Mask: /32
MTID: 0 Metric: 2
130
NTS for CCIE SP Lab by chatasos
Links
Length: 36
Network Mask: /32
OSPF Domain-ID
OSPF Domain-ID is an attribute that defines how (internal, external) the OSPF routes will be
transferred from one CE to another CE over their PEs BGP VPNv4 session.
On a PE, if the OSPF Domain-ID of the received BGP prefixes (encoded as extended
community) is the same as the OSPF Domain-ID of the local OSPF process, then:
the MPLS core is treated like a SuperBackbone area (which is considered higher
than area 0)
the PE is treated like an ABR (instead of an ASBR)
internal routes are being redistributed as Type-3 LSAs (instead of Type-5)
OSPF Domain-ID needs to be changed on the PEs (where redistribution between BGP
and OSPF takes place), not on the CEs.
The "type" value can be different is some cases for backwards compatibility (like in
0005 vs 8005).
Detailed Steps
ifthe OSPF Domain tag of the local OSPF process is the same as the VPN Route
tag of the prefix,
ifthe OSPF DN bit check is enabled in the local OSPF process and the OSPF route
has this bit set,
o the Domain-ID of the local OSPF process is encoded into OSPF DOMAIN ID community
on the prefix
o the area and the LSA type of the OSPF prefix is encoded into OSPF RT community on the
prefix
o the Router-ID of the local OSPF process is encoded into OSPF ROUTER ID community
on the prefix
prefix, then that route is passed to the CE as internal else as external Configuration
IOS
IOS-XR
vrf VPN
0005 value 000000440101
Verification
Youcanuse"sh ip ospf"toseetheDomain-IDofthelocalOSPFprocess.
Event-log disabled
It is an area border and autonomous system boundary router
Redistributing External Routes from,
Advertised to update-groups:
1 Local
sourced, best
Extended Community: RT:100:1 OSPF DOMAIN
ID:0x0005:0x000000440101
...
Link ID
1.1.1.1
...
LSA Type-3 (Summary) in local OSPF table is encoded as "OSPF RT:0.0.0.0:3:0" in local
BGP table.
same domain-id
o CE1O=>CE2IA
different domain-id
o CE1O=>CE2E2
o CE1O=>CE2O
IOS
external OSPF routes are tagged by the BGP ASN when BGP=>OSPF redistribution takes
place, which means
If a BGP VPNv4 route is redistributed into OSPF, then redistributed into another IGP like
RIP (where all the information (DN bit, VPN Route-Tag) needed to prevent looping is lost),
and then redistributed back into OSPF, then it is possible that it could be redistributed back
into BGP as a VPNv4 route, thereby causing a loop.
You can use route tags at every step of redistribution in order to avoid possible routing loops,
either caused by the above scenario or by mutual redistribution in two places.
134 NTS for CCIE SP Lab by chatasos
Inter-AS Options
3LSPsfromonePEtotheotherPE
o redistribute connected/static on each ASBR for the interconnection
2LSPsfromonePEtotheotherPE
2LSPsfromonePEtotheotherPE
staticroutesforpeer'sloopbackoneachASBR
LDP between ASBRs
MPLSstaticlabelbindingforpeer'sloopbackpointingtointerconnectiononeach
ASBR
Inter-AS Option C (Multihop MP-eBGP between RRs/PEs)
o o o o o o
o o o
one physical/logical interface for all VRFs in the interconnection labeled eBGP session
between ASBRs for next-hop exchange multihop eBGP VPNv4 session between RRs
MPLS traffic between ASBRs
common RDs/RTs between ASNs (unless RT rewrite is used) change next-hop on each
VPNv4 RR for the eBGP session (default)
1LSPfromonePEtotheotherPE
eBGP session between ASBRs with directly connected interfaces
staticroutesforpeer'sloopbackoneachASBR
LDP between ASBRs
MPLSstaticlabelbindingforpeer'sloopbackpointingtointerconnectiononeach ASBR
135
Inter-AS Option A
ASBR-1
IOS
ip vrf VPN1
rd 1:100 route-target 1:100
!
ip vrf VPN2
rd 1:200
route-target 1:200 !
!
interface FastEthernet0/0.10
!
interface FastEthernet0/0.20
!
router bgp 1
!
address-family vpnv4
exit-address-family !
exit-address-family !
ASBR-2
IOS
ip vrf test1
rd 2:100 route-target 2:100
!
ip vrf test2
rd 2:200
route-target 2:200 !
!
interface FastEthernet0/0.10
!
interface FastEthernet0/0.20
!
router bgp 2
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended neighbor 2.2.2.2
next-hop-self
exit-address-family !
exit-address-family !
Youcanalsouseadifferentrouter-idperVRF,usingthe"bgp router-id"undereachvrfaddress-
family.
Inter-AS Option B
ASBR-1
IOS
no auto-summary !
address-family vpnv4
neighbor PE-1 activate
neighbor PE-1 send-community extended neighbor PE-1 next-hop-
self
neighbor ASBR-2 activate
neighbor ASBR-2 send-community extended
exit-address-family
ASBR-2
IOS
!
router bgp 2
address-family vpnv4
neighbor PE-2 activate
neighbor PE-2 send-community extended neighbor PE-2 next-hop-
self
neighbor ASBR-1 activate
neighbor ASBR-1 send-community extended
exit-address-family
Inter-AS Option C
RR-1
IOS
router bgp 1
no synchronization
neighbor PE-1 remote-as 1
neighbor PE-1 update-source Loopback0
neighbor PE-1 description MP-iBGP with PE-1 neighbor ASBR-1
remote-as 1
neighbor ASBR-1 update-source Loopback0 neighbor ASBR-1
description MP-iBGP with ASBR-1 neighbor RR-2 remote-as 2
neighbor RR-2 ebgp-multihop 255
neighbor RR-2 update-source Loopback0
neighbor RR-2 description MP-eBGP with RR-2
no auto-summary
!
address-family vpnv4
ASBR-1
IOS
!
route-map PE2-TO-IGP permit 10
!
router bgp 1
no synchronization
!
address-family vpnv4
ASBR-2
IOS
!
route-map PE1-TO-IGP permit 10
!
router bgp 2
!
address-family vpnv4
RR-2
IOS
router bgp 2
neighbor PE-2 remote-as 2
neighbor PE-2 update-source Loopback0
neighbor PE-2 description MP-iBGP with PE-2 neighbor ASBR-2
remote-as 2
neighbor ASBR-2 update-source Loopback0 neighbor ASBR-2
description MP-iBGP with ASBR-2 neighbor RR-1 remote-as 1
neighbor RR-1 ebgp-multihop 255
neighbor RR-1 update-source Loopback0
neighbor RR-1 description MP-eBGP with RR-1
!
address-family vpnv4
exit-address-family
In IOS-XR, in order to send IPv4 prefixes with labels over a labeled BGP session, the IOS-
XR router must be the originator of the prefixes. On the other hand, an IOS router can send
labeled IPv4 prefixes over a labeled BGP session whether it's the originator or not of those
prefixes.
141 NTS for CCIE SP Lab by chatasos
chatasos (ccie-in-2-months.blogspot.com) – Notes: The Series (NTS) for CCIE SP Lab
If an output route-map is applied on a labeled BGP session, then labels will be added only to
those prefixes
Generally, if a routerisadvertisingIPv4prefixeswithlabels,thenyoucanuseanoutputroute-
map(withthe"set mpls-
InmostIOSsoftwarereleases,thecommand"mpls bgp
forwarding"isaddedautomaticallyunderthe eBGP peering interface when a VPNv4 or
labeled BGP session is configured between directly connected peers. If you use loopbacks for
peering, then you must manually configure it. Always verify its existence, together with the
interface's mpls operational state.
thathavethecommand"set mpls-label"undertherelevantstatementintheroute-map.
You need to disable the default RT filter from the ASBRs, unless they have all the VRFs
locally configured or
IOS
Generally, Cisco software requires a /32 route for each next-hop that should be label
switched. In the Inter-AS B/C options,
in IOS-XR you must add manually a /32 static route for the peer address of the
interconnection
in order to create a label for that
IOS-XR
. IOS creates automatically a /32 connected route when the relevant VPNv4 or
router static
address-family ipv4 unicast
10.10.10.2/32 GigabitEthernet0/2/1/2
IOS
Inter-AS scenarios emulated in GNS3 might sometimes cause very large delays in data
forwarding. Increase the ping/traceroute timeout in order to verify connectivity.
In some cases you don't have the option of enabling LDP or having a VPNv4 or labeled BGP
session between directly connected peers, but you still need to have the label switching
functionality on their interconnection.
If you want to achieve load-sharing in a MPLS L3VPN environment with RRs, you can use a
different RD per
i.e. if you configure the following static route in order to reach peer's loopback: IOS
IOS
R1#sh mpls
Local
Label
24
Outgoing interface
Fa0/0 12.1.19.19
then you need to also add a static (outgoing) label binding for that:
IOS
Next Hop
IOS
Outgoing labels:
12.1.19.19 implicit-null
R1#sh mpls
Local
Label
24
Outgoing interface
Fa0/0 12.1.19.19
At the same time, you must enable MPLS on this interface without using LDP:
Next Hop
IOS
IOS
interface FastEthernet0/0
IOS
Tunnel
Tunnel No
Interface FastEthernet0/0
IP No
143
multiaccess interfaces
o next-hop ip address required o label required
The above differentiation per interface is applicable only on specific software releases. The
multiaccess interface is the common one.
If you must configure specific static labels, then you must first define the label range (which
will sometimes require a reload).
Implicit-null is used in the above example due to PHP (pop label) that must happen for the
directly connected peer.
Inter-AS L3VPN
If you want to follow a Inter-AS L3VPN path (assuming control-plane has been setup
correctly), then you can execute the following algorithm:
n router
o Follow the Transport top label swaps until there is a "Pop Label" for next router
n+1 router
o Find the local VPN label for the prefix
IfVPNlabelis"nolabel",then routeristheendPE
routerisanRR/ASBR
findtheTransportlabel(s)fortheprefix'snewnext-hop goto"nrouter"
If the route is learned from IGP, the Transport label must be allocated through LDP/RSVP. If
the route is learned from BGP, the Transport label must be allocated through BGP.
144 NTS for CCIE SP Lab by chatasos
VPN label is 26
IOS
R6#sh mpls
Local
Label
None
detail
Bytes Label
Switched
0
Outgoing
interface
Fa0/0.46
Next Hop
20.4.6.4
IOS
IOS
R4#sh mpls
Local
Label
16
20.4.19.19
forwarding-table labels 16 detail Outgoing Prefix Bytes Label
or Tunnel Id Switched Pop Label 19.19.19.19/32 18896
Next Hop
IOS
Outgoing
Next Hop
Label
Outgoing
interface
Fa0/0.419
145
interface
Fa0/0.119
12.1.19.1
IOS
R1#sh mpls
Local
Label
20
Outgoing
interface
Fa0/0.13
Next Hop
10.1.3.3
IOS
R3#sh mpls
Local
Label
19
Outgoing Prefix
Label or Tunnel Id Pop Label 2.2.2.2/32
Bytes Label
Switched
85693
Outgoing
interface
Fa0/0.23
Next Hop
10.2.3.2
VPN label is 26
IOS
R2#sh bgp vpnv4 unicast all 7.7.7.7/32
BGP routing table entry for 102:202:7.7.7.7/32, version 4
Paths: (1 available, best #1, table VPN_B)
Advertised to update-groups: 1
Local
40.2.7.7 from 0.0.0.0 (2.2.2.2)
0x8803:65281:1500 0x8806:0:0
End PE found
146 NTS for CCIE SP Lab by chatasos
RT Rewrite
It is used mainly in Inter-AS topologies, when there is a need to keep different RTs between
the ASes. It allows the ASBR (or any other router that's involved) to replace the peer ASN's
RTs with their own.
Configuration Steps
IOS
match extcommunity 1
set extcomm-list 1 delete
set extcommunity rt 100:1 additive continue 20
!
route-map RT-REWRITE-ROUTEMAP permit 20
match extcommunity 2
set extcomm-list 2 delete
set extcommunity rt 100:2 additive
!
route-map RT-REWRITE-ROUTEMAP permit 30 !
router bgp 100
Use the "additive" keyword when setting the new RT in order to not erase all
other extended communities.
Use the "continue" statement (in ingress route-maps) when you need to rewrite more than
one RTs in the
same prefix.
147 NTS for CCIE SP Lab by chatasos
CsC
CsC (Carrier supporting Carrier) is defined in RFC 4364.
Control-Plane
The Customer Carrier PEs run BGP VPNv4 in order to exchange VPN labels
The Customer Carrier routers run IGP+LDP (or iBGP+Label) in order to exchange
all their internal
The CsC-PEs and CsC-CEs run eBGP (or IGP) in order to exchange BGP next-hop
prefixes
The CsC-PEs and CsC-CEs run eBGP+Label (or IGP+LDP) in order to exchange
labels for the BGP
next-hop prefixes
The
Backbone Carrier routers run IGP+LDP in order to exchange all their internal
BGP next-hops and
their labels
The Backbone Carrier offers a MPLS VPN service to the Customer Carrier which in
turn offers a MPLS VPN or Internet service to its customers.
The Backbone Carrier doesn't need to know the final customer prefixes.
Using IGP+LDP in CsC is not as risky as with Inter-AS MPLS VPN Option 3
because:
Customer Carrier internal routes are put into a specific VRF in the Backbone
Carrier
No Backbone Carrier internal routes are distributed into the Customer Carrier
network
You can have multiple Backbone Carriers, using Inter-AS MPLS L3VPN for
interconnection.
By default a CsC-PE runs PHP towards the CsC-CE. If using an ipv4-labeled PE-CE
session, you can change
thisbehavior(inordertokeeptheQoSconsistentacrossproviders)byusingthe"neighbor
x.x.x.x send-label explicit-null"ontheCsC-CE.
supported.
148
Configuration
Backbone Carrier (CsC-PE1) runs OSPF+LDP with Customer Carrier (CsC-CE1) Backbone
Carrier (CsC-PE2) runs eBGP+Label with Customer Carrier (CsC-CE2)
Customer Site 1 (C-CE1) runs OSPF with Customer Carrier (CC-PE1) Customer Site 2 (C-
CE2) runs ISIS with Customer Carrier (CC-PE2)
CC-PE (Customer Carrier PE serving the final customer site) and CsC-CE (Carrier
supporting Carrier CE) functionalities can be collapsed into a single router.
CsC-PE1 and CsC-PE2 run iBGP VPNv4 in order to exchange Customer Carrier
prefixes/labels CsC-CE1 and CsC-CE2 run iBGP VPNv4 in order to exchange Customer
prefixes/labels
CsC-PE1 (IOS)
!
router isis/ospf x
!
! for connectivity to CsC-CE1 (OSPF+LDP) vrf definition CC-VPN
rd 10:X
"mpls bgp
forwarding"isnotautomaticallyadded,becausetheBGPsessionisnotbetweendirectly
route-target 10:X !
address-family ipv4
exit-address-family !
interface Ethernet1/0
description ** Link to CsC-CE1 ** vrf forwarding CC-VPN
ip address x.x.x.x
mpls ip
!
router ospf 10 vrf CC-VPN
router bgp 10
no bgp default ipv4-unicast
neighbor BC-PE2 remote-as 10
neighbor BC-PE2 update-source Loopback0 !
address-family vpnv4
neighbor BC-PE2 activate
CsC-CE1 (IOS)
!
router ospf 10
CC-PE1 (IOS)
route-target 100:Y !
address-family ipv4 exit-address-family
!
interface Ethernet1/3
!
router ospf 200 vrf C-VPN
redistribute bgp 100 subnets
CsC-PE2 (IOS-XR)
!
mpls ldp
router-id x.x.x.x
interface x !
!forconnectivitytoCsC-CE2 (eBGP+Label)
vrf CC-VPN
address-family ipv4 unicast
!
interface GigabitEthernet0/2/1/1
!
router static
vrf CC-VPN
address-family ipv4 unicast
CsC-CE2/32 GigabitEthernet0/2/1/1 !
router bgp 10
address-family ipv4 unicast !
vrf CC-VPN
rd 10:X
address-family ipv4 unicast
network x.x.x.x
allocate-label all !
neighbor CsC-CE2
remote-as 100 address-family ipv4 unicast
!
address-family ipv4 labeled-unicast
!
route-policy PASS-RPL
pass
end-policy
!
! for connectivity to BC-PE1 (iBGP VPNv4) router bgp 10
remote-as 10
update-source Loopback0 address-family vpnv4 unicast
CsC-CE2 (IOS)
!forconnectivitytoCsC-PE2 (eBGP+Label)
interface Ethernet1/0
description ** Link to CsC-PE2 ** ip address x.x.x.x
mpls bgp forwarding
!
router bgp 100
address-family ipv4
exit-address-family !
!
router isis 200
IOS-XR configuration is similar to IOS, with the major difference of using the labeled
unicast address-family instead of the send-label keyword.
Verification
Customer Carrier PEs must have a BGP VPNv4 route and a label for the VPN
prefix
Customer Carrier routers must have a label for the VPN prefix's next-hop
CsC-PEs must have a BGP VPNv4 route and a label for the VPN prefix's next-hop
Backbone Carrier routers must have a label for the next-hop of VPN prefix's next-
hop
Example
where
Then the following would happen for a VPN packet originating at R1 and terminating
at R10.
Don't forget to create a /32 static route for the CsC-PE/CE next-hop in IOS-XR when using
eBGP+Label.
R1 (1.1.1.1) (Customer Carrier PE router) - vrf VPN o Transport label is 18, VPN label is
20
o next-hop is R10 (10.10.10.10)
VPN label is 20
R1#sh mpls
Local
Label
23
Outgoing
interface
Fa0/0.12 20.1.2.2
Next Hop
R2#sh mpls
Local
Label
18
Outgoing Label
20
Outgoing
interface
Fa0/0.23 20.2.3.3
Next Hop
CsC-CE
R3#sh mpls
Local
Label
20
forwarding-table 10.10.10.10 detail
Outgoing Label
26
CsC-PE
R4#sh mpls
Local
Label
26
Outgoing Label
21
Prefix Bytes Label or Tunnel Id Switched
10.10.10.10/32[V]16033
Outgoing
interface
Fa0/0.45 20.4.5.5
Advertised to update-groups: 3
100
7.7.7.7 (metric 4) from 7.7.7.7 (7.7.7.7)
VPN label (21) for Backbone Carrier is actually Transport label (21) for Customer Carrier
Next Hop
R4#sh mpls
Local
Label
16
Outgoing Label
16
Prefix
or Tunnel Id
7.7.7.7/32
Bytes Label
Switched
0
Outgoing
interface
Fa0/0.45 20.4.5.5
Next Hop
tag 16
Bytes tag
switched
42398
tag 16
Per-packet load-sharing
R7#sh mpls
Local
Label
21
detail
CsC-CE
R8#sh mpls
Local
Label
18
Outgoing
interface
Fa0/0.78
Next Hop
20.7.8.8
Outgoing
interface
Fa0/0.89
Outgoing
interface
Fa0/0.910
Next Hop
20.8.9.9
Next Hop
158
Outgoing Label
No Label
Outgoing
interface
Fa0/0.1010
Next Hop
Outgoing Label
20
Outgoing
interface
Fa0/0.23
Next Hop
20.4.6.4
CsC-CE
00014000
R3#sh mpls
Local
Label Label or Tunnel Id Switched 20 26 10.10.10.10/32 15338
20.4.19.19
Outgoing
interface
Fa0/0.34
Next Hop
CsC-PE
Label
R4#sh mpls
Local
Label
26
Outgoing Label
21
Prefix Bytes Label or Tunnel Id Switched
10.10.10.10/32[V]16645
20.5.6.6
tag 16
C20811080000C209110800008100004E8847 00010000
No output feature configured Per-packet load-sharing
tag 16
switched
interface
Fa0/0.67
20.6.7.7
CA0415180000C20811080000810000118847
R7#sh mpls
Local
Label
21
Outgoing Label
18
Outgoing
interface
Fa0/0.78 20.7.8.8
Next Hop
160 NTS for CCIE SP Lab by chatasos
CsC-CE
R8#sh mpls
Local
Label
18
Outgoing Label
17
Outgoing
interface
Fa0/0.89
Outgoing
interface
Fa0/0.910
Next Hop
20.8.9.9
Next Hop
MAC/Encaps=18/22, MRU=1500, Label Stack{17}
CA0013DC0000CA0710240000810000238847 00011000 No output
feature configured
R9#sh mpls
Local
Label
17
20.9.10.10
Outgoing Label
No Label
Outgoing
interface
Fa0/0.1010
Next Hop
6PE/6VPE
6PE is defined in RFC 4798. 6VPE is defined in RFC 4659.
6PE
o customer's IPv6 prefixes are inside the global routing table
o IPv6 labels/prefixes are exchanged using Labeled IPv6 over IPv4 iBGP between the PEs
6VPE
o customer's IPv6 prefixes are inside a VRF
o IPv6 labels/prefixes are exchanged using VPNv6 over IPv4 iBGP between the PEs
6PE
6PE is a technology that allows IPv6 customers to communicate with each other over an IPv4
MPLS Provider without any tunnel setup, by having the customer IPv6 prefixes using a IPv4-
mapped IPv6 address as next-hop inside the Provider's network and using IPv4 LSPs between
the 6PEs.
In 6PE, labels must be exchanged between the 6PEs for their IPv6 prefixes, which means that
a labeled IPv4 iBGP session must be activated under the IPv6 address family (in IOS) or the
labeled IPv6 capability must be activated for the IPv4 peer 6PE (in IOS-XR).
IOS
IOS-XR
!
neighbor 6PE-IPv4
remote-as 100
update-source Loopback0 address-family ipv6 labeled-unicast
address-family ipv6
remote-as X
address-family ipv6 unicast
The 6PE routers are dual-stack: IPv6 towards the CE and IPv4 towards the MPLS core.
You don't need to set the "next-hop-self" in the labeled IPv4 iBGP session for the IPv6
prefixes, because that happens automatically while creating the IPv4-mapped IPv6 address.
MP_REACH_NLRI attribute
AFI = 2 (IPv6)
SAFI= 4 (labels)
Prefix =X:X:X:X::X
Label = X
next-hop = ::FFFF:IPv4-ADDRESS
The IPv4 address which is encoded into the next-hop must be present in the IPv4
routing table and a LSP must exist to this destination. If the above conditions are not
both met, the IPv6 prefix is declared inaccessible.
If a 6PE receives unlabeled IPv6 prefixes, then the 6PE marks these prefixes as
unreachable in the IPv6 routing table, so that packets to this destination get dropped
and not sent into MPLS core.
If RRs are to be used for 6PE connectivity, then they also must have labeled BGP
enabled.
Control Plane
CEs and 6PEs run eBGP (or IGP) in order to exchange IPv6 prefixes
6PEs run iBGP+Label in order to exchange labels and IPv6 prefixes
Provider routers run IGP+LDP in order to exchange all their internal BGP IPv4
next-hops and their
labels
6PE Example
Assume the following network:
163 NTS for CCIE SP Lab by chatasos
R1 R
R2-R3-R4-R5-
- 6
where
R1 (IPv6)
o next-hop is R2 (IPv6 link-local)
R3 (IPv4)
o next-hop is R5 (IPv4 loopback)
o Transport label is 25, IPv6 label is 28
R4 (IPv4)
o next-hop is R5 (IPv4 loopback)
o Transport label is removed, IPv6 label is 28
R6 (IPv6)
o IPv6 destination reached
The IPv6 label in 6PE can be considered like the VPN label in MPLS VPN.
The customer routers could be IPv4/IPv6, having IPv4 traffic being forwarded as usual and
IPv6 traffic over 6PE.
R1#trace
Protocol [ip]: ipv6
Target IPv6 address: 2001::6:6:6:6 Source address:
2001::1:1:1:1
...
Tracing the route to 2001::6:6:6:6
IPv6 Customer
6PE Provider
Although all traceroute answers are given by the closest interface to the source ip, in some
software releases in the last 6PE router the traceroute answer is given by the IPv6 address on
the PE-CE link.
hops.
Known via "bgp 1", distance 20, metric 0, type external Route
count is 1/1, share count 0
Routing paths:
Advertised to update-groups: 1
20
::FFFF:5.5.5.5(metric 4) from 5.5.5.5(5.5.5.5)
IOS-XR doesn't display the "::FFFF:" in front of the IPv4 next-hop (How Multi is MP-BGP
in IOS-XR - Part #2).
IPv6 label is 28
R2#sh mpls
Local
Label
27
Outgoing Label
26
Prefix
or Tunnel Id
5.5.5.5/32
Bytes Label
Switched
0
165
Transport label is 26
You can follow the next-hop or the labels (like in CsC), but let's follow the next-hop on this
example.
Outgoing
interface
Fa0/0.34
Next Hop
10.3.4.4
R4#sh mpls
Local
Label
25
Outgoing Prefix
Label or Tunnel Id Pop Label 5.5.5.5/32
Bytes Label
Switched
16125
Outgoing Label
No Label
2244
Outgoing
interface
PO2/0
Next Hop
point2point
MAC/Encaps=4/4, MRU=4474, Label Stack{} 0F0086DD
No output feature configured
Next Hop
R5#sh mpls
Local
Label
28
166
Advertised to update-groups: 2
20
2001:10:5:6::6 (FE80::C803:14FF:FED0:8) from 2001:10:5:6::6
(6.6.6.6)
2001:10:5:6::6
28/nolabel
FE80::C803:14FF:FED0:8, POS2/0
6VPE
6VPE is a technology that allows IPv6 VPN customers to communicate with each other over
an IPv4 MPLS Provider without any tunnel setup, by having the customer VPNv6 prefixes
using a v4-mapped IPv6 address as next-hop inside the provider's network and using IPv4
LSPs between the 6VPEs.
In 6VPE, labels must be exchanged between the 6VPEs for their VPNv6 prefixes, which
means that the VPNv6 address-family must be activated on the IPv4 iBGP session between
the 6VPEs.
IOS
IOS-XR
neighbor 6VPE-IPv4
remote-as 100
update-source Loopback0 address-family vpnv6 unicast !
vrf VPN
rd 100:1
address-family ipv6 unicast !
neighbor CE-IPv6
remote-as x
address-family ipv6 unicast
The 6VPE routers are dual-stack: IPv6 towards the CE (inside a VRF) and IPv4 towards the
MPLS core. MP_REACH_NLRI attribute
AFI = 2 (IPv6)
SAFI= 128 (.)
Prefix =X:X:X:X::X
Label = X
next-hop = ::FFFF:IPv4-ADDRESS
The IPv4 address which is encoded into the next-hop must be present in the IPv4
routing table and a LSP must exist to this destination. If the above conditions are not
both met, the IPv6 prefix is declared inaccessible.
If RRs are to be used for 6VPE connectivity, then they also must have the VPNv6
address-family enabled.
Control Plane
CEs and 6VPEs run eBGP (or IGP) in order to exchange IPv6 prefixes
6VPEs run VPNv6 iBGP in order to exchange labels and VPNv6 prefixes
Provider routers run IGP+LDP in order to exchange all their internal BGP IPv4
next-hops and their
labels
In IOS, if you enable the VPNv6 address-family on an existing VPNv4 peering, you might
need to reset the
6VPE Example
where
R1 (IPv6)
o next-hop is R2 (IPv6 link-local)
R3 (IPv4)
o next-hop is R5 (IPv4 loopback)
o Transport label is 25, VPNv6 label is 28
R4 (IPv4)
o next-hop is R5 (IPv4 loopback)
o Transport label is removed, VPNv6 label is 28
R6 (IPv6)
o IPv6 destination reached
Use extended traceroute if you want to source from a specific IPv6 address.
R1#trace 2001:6:6:6::6
Type escape sequence to abort.
Although all traceroute answers are given by the closest interface to the source ip, in some
software releases in the last 6VPE router the traceroute answer is given by the IPv6 address
on the PE-CE link.
R1 R
R2-R3-R4-R5-
- 6
6VPE Provider
hops.
Known via "bgp 1", distance 20, metric 0, type external Route
count is 1/1, share count 0
Routing paths:
Advertised to update-groups: 3
1
::FFFF:5.5.5.5 (metric 4) from 5.5.5.5 (5.5.5.5)
IOS-XR doesn't display the "::FFFF:" in front of the IPv4 next-hop (How Multi is MP-BGP
in IOS-XR - Part #2).
VPNv6 label is 28
R2#sh mpls
Local
Label
19
Outgoing Label
18
Prefix
or Tunnel Id
5.5.5.5/32
Bytes Label
Switched
0
Outgoing Next Hop interface
Fa0/0.23 10.2.3.3
Transport label is 18
R3#sh mpls
Local
Label
18
Outgoing
interface
Fa0/0.34
Next Hop
10.3.4.4
You can follow the next-hop or the labels (like in CsC), but for easiness let's follow the labels
this time.
00019000
Bytes
Switched
45343
Outgoing Prefix
Label or Tunnel Id Pop Label 5.5.5.5/32
Label
Outgoing
interface
Fa0/0.45
Next Hop
10.4.5.5
Outgoing Label
No Label
2820
Outgoing
interface
PO2/0
Next Hop
point2point
MAC/Encaps=4/4, MRU=4474, Label Stack{} 0F0086DD
VPN route: VPN
No output feature configured
Advertised to update-groups: 1
1
2001:10:5:6::6 (FE80::C803:17FF:FEAC:8) from 2001:10:5:6::6
(6.6.6.6)
FE80::C803:17FF:FEAC:8, POS2/0
Usually when doing 6PE or 6VPE, the BGP session between the PE and the CE (which is
used for exchanging the IPv6 prefixes) is IPv6 based.
Otherwise you might have the control plane showing everything is fine, but most probably
data plane won't work.
IOS
next-hop in the PEs in both directions (and then reset the session)
external
IOS
router bgp X
address-family ipv6 vrf VPN
!
route-map SET-IPV6NH-IN-ROUTEMAP permit 10
In general:
PE=>CE (out)
PE<=CE (in)
o set ipv6 next-hop CE-IPv6
IOS
Advertised to update-groups: 4
65001
2001:10:2:8::8 from 10.2.8.8 (10.8.8.8)
use the IPv6 address used for peering (directly connected interface or loopback)
In IOS-XR, you won't even get an IPv4 BGP session up, if there are no IPv6 addresses
configured on the PE-
CE connection.
updates" to see these). This is probably a bug, since the next-hop (PE) is actually
connected to the CE router.
Also, sometimes in the CE you must enable ebgp-multihop for the PE session (2 hops at
least), otherwise
the remote IPv6 routes won't be installed in the CE's BGP table
Example:
IOS
IOS-XR
external
LocPrf Weight Path
100
0 65001 i
0 65001 i
VPN)
0 100 065001i
65001 i
174
When doing the opposite and trying to exchange IPv4 prefixes over an IPv6 BGP session,
you have to set
Hints
Before
After
AToM/L2VPN/VPLS
PW (PseudoWire) architecture is described in RFC 3985.
LDP for PWs is defined in RFC 4447.
EoMPLS (Ethernet over MPLS) is defined in RFC 4448.
L2TPv3 (Layer 2 Tunneling Protocol v3) is defined in RFC 3931.
L2VPN
AToM
o requires MPLS connectivity from end to end o source ip address is the one used for LDP
L2TPv3
o requires IP connectivity from end to end o source ip address is configured manually
L2TPv3
Frame-Relay
Ethernet
VLAN
HDLC
PPP
IPv6
STP for those specific vlans when using any type of PVST. Alternatively you can try to
match vlans on either
side.
To convert an interface with AToM xconnect to L2TPv3 xconnect, remove the xconnect
configuration from
Each L2TPv3 tunneled packet includes the entire Layer 2 frame of the payload:
You can have either dynamic or static pseudowires (where no signaling is required for
session establishment).
IOS
!
interface X
IOS-XR
l2vpn
pw-class L2TP-PWCLASS
!
xconnect group R2-R1-XCONGRP
p2p R2-R1-P2P
interface X
neighbor 1.1.1.1 pw-id 12
pw-class L2TP-PWCLASS
In IOS-XR, you have to define the signaling protocol, while in IOS it's enabled by
default.
IOS
Control Ns 2, Nr 3
Local RWS 1024 (default), Remote RWS 512 Control channel
Congestion Control is disabled Tunnel PMTU checking disabled
Retransmission time 1, max 2 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 1, ZLB ACKs sent 1
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5 Retransmit time
distribution: 0 1 0 0 0 0 0 0 0 Control message authentication
is disabled
Static PWs require you to define sessions & cookie parameters under the neighbor where the
PW is pointing to.
IOS
!
interface POS2/0
IOS-XR
l2vpn
xconnect group A-XCONGRP
Using static PWs allows the traffic to pass over the PW as soon as possible (avoiding session
parameter
negotiation).
Youneedtodefine"protocol none"underthepw-
class,otherwiseyouwon'tbeabletodothestatic
configuration.
When you use a static L2TPv3 session, you cannot perform interworking.
Authentication
L2TPv3 Control Message Hashing (new method) o hash is computed of entire message
o all message types are hashed
IOS
!
l2tp-class NEWAUTH-L2TP-CLASS
IOS-XR
!
l2tp-class NEWAUTH-L2TP-CLASS
l2vpn
pw-class L2TP-PWCLASS
179 NTS for CCIE SP Lab by chatasos
encapsulation l2tpv3
AToM
pseudowire will come up (unless the PEs do not agree on some parameters).
VRFs.
Interfaces at both sides of a local AC must have a common encapsulation (ppp, hdlc,
frame-relay) in order for the local AC to come up.
When you change the encapsulation of an interface, any xconnect configuration is
removed.
You have to exit from the xconnect or pw-class config mode in order to have it
activated.
Besides dynamic pseudowires (based on LDP), you can also create static pseudowires
by having the labels statically defined on each PE.
Logging
IOS
IOS-XR
l2vpn
logging
In IOS-XR, the L2TP class used for authentication (and other parameters) is configured
outside the l2vpn
same for the interface on the other side of the local AC, to account for any IGPs passing over.
180 NTS for CCIE SP Lab by chatasos
Youcanusethe"clear xconnect"commandifyouwanttoresetapseudowire.
IOS
R1#clear xconnect ?
all All xconnect entries
interface All xconnects by interface
peer All xconnects by Peer IP address
PPP Pseudowires
When using xconnect for PPP L2VPN connectivity, then the PPP process of the local AC is
disabled.
no xconnect configured
xconnect configured
Serial2/0 is up, line protocol is up
Hardware is M4T
MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
Frame-Relay
If you need to transfer all DLCIs of a port, then you have to use HDLC as the interface
encapsulation and do the usual xconnect under the interface.
Frame-relay config on the other side of each AC doesn't have to agree, as long as the DLCIs
are communicated correctly across the MPLS network.
IOS might require to have frame-relay switching enabled on the PE (IOS-XR and GNS3 don't
require it).
APVCthatistransferredacrossthePWisshownas"switched"under"show frame-relay
pvc",while another PVC that terminates locally is shown as "local".
Remember to configure appropriately the IGP network type on the interfaces, if the default
isn't the right one.
181 NTS for CCIE SP Lab by chatasos
IOS
!
pseudowire-class FRoMPLS-PWCLASS
encapsulation mpls !
IOS-XR
!
interface POS0/0/0/0
encapsulation frame-relay
encapsulation mpls !
IOS
R1#sh connection
ID Name Segment 1 Segment State
==============================================================
=========== =======
2 FRCON Se2/0 100 9.9.9.9 19 UP
Ethernet Pseudowires
o VC type 4 (if vlan tag is to be transfered too) Raw mode (port mode)
o VC type 5
Usually the VC type is auto-negotiated while the PW is being setup.
Configuration
IOS
!
interface X
xconnect 9.9.9.9 19 pw-class EoMPLS-PWCLASS
IOS-XR
interface X l2transport !
l2vpn
!
xconnect group R9R1-XCONGRP
p2p R9R1-P2P
interface X
neighbor 1.1.1.1 pw-id 19
pw-class EoMPLS-PWCLASS
Verification
IOS
R1#sh Local
R1#sh mpls l2 vc
Local intf Local circuit Dest address VC ID
Status
------------- -------------------------- ---------------
---------- ---- ------
Fa1/0
: enabled/supported
: enabled
: established, LruRru
Last local dataplane Last local SSS circuit Last local SSS
circuit Last local LDP TLV Last remote LDP TLV Last remote LDP
ADJ
The status you see next to "Label/status state machine" translates to the following:
L=Local, R=Remote
r=ready, n=not ready
u=up, d=down
IOS-XR
Type Ethernet
MTU 1500; XC ID 0x40002; interworking none Statistics:
"imposed label stack" shows the complete label stack (Transport label + PW label) used by
the local PE to
In VC statistics, the send direction counts the traffic from the AC to the PW, while the
receive direction
------
MPLS
------------
Label
VCCV CC
------------
Group ID
Interface
MTU
Control
PW type
VCCV CV
16100
0x1c0
TenGigE0/0/0/9
1500
disabled
Ethernet
0x2
(LSP ping verification)
0x6
(router alert label)
(TTL expiry) ------------------------------
28
0x0
**AC**
1500
disabled
Ethernet
0x2
(LSP ping verification) 0x2
(router alert label)
-----------------------
word
type
type
------
Incoming Status (PW Status
TLV):
Notification message TLV):
Notification message
IOS
XC ST Segment 1
2 S2 ------+---------------------------------+--
+----------------------------- ----+--
UP
UP
IOS
XC ST Segment 1
2 S2 ------+---------------------------------+--
+----------------------------- ----+--
UP
UP mpls 9.9.9.9:19
UP
IOS-XR
XConnect
Group Name ST
ST
------------------------
--
R9R1-XCONGRP R9R1-P2P UP
UP
--------------------------------------------------------------
----------- --
When viewing the LFIB, the direction is the opposite from L3VPNs, pointing towards the AC
this time.
S1 Segment
IOS
R1#sh mpls
Local
Label
28
point2point
IOS-XR
forwarding-table
Segment 1
Description ST
Segment 2
Description
----------------------- Te0/0/0/9 UP
-------------------- 1.1.1.1 19
Outgoing
Label
No Label
Prefix
or Tunnel Id
l2ckt(19)
Bytes Label
Switched
19658
Outgoing
Interface
Outgoing
interface
Fa1/0
Next Hop
Next Hop
Bytes
Local Outgoing
Label Label
Switched
Prefix or ID
186
You can also use ping and traceroute in order to verify the PW (although it won't help you
much in case of a core problem). In IOS-XR, mpls oam must first be activated.
IOS
IOS
Static PWs
You can also use static pseudowires (without tLDP between PEs) if you manually define the
local/remote
labels to be used.
IOS
IOS-XR
l2vpn
xconnect group XCONGRP
p2p LS-P2P
neighbor 1.1.1.1 pw-id 22
Interworking
Interworking is actually a transforming function that is required to interconnect two
heterogeneous ACs, by providing the translation between the different L2 encapsulations.
Ethernet (bridged)
o ethernet frames are extracted from the AC and sent over the PW
o non-ethernet frames are dropped
o ethernet frames with vlan tags, have their tags removed and then send over the PW
Vlan
o ethernet frames are extracted from the AC and sent over the PW
o non-ethernet frames are dropped
o ethernet frames with vlan tags, are send with their tags over the PW
IP (routed)
o ipv4 packets are extracted from the AC and sent over the PW o non-ipv4 packets are
dropped
Supported modes/technologies:
o Ethernet/IP
Ethernet/Vlan to PPP
188 NTS for CCIE SP Lab by chatasos
o MPLS
o IP
Ethernet to Vlan
o MPLS/L2TPv3
o Ethernet/IP
Frame-Relay to PPP
o MPLS/L2TPv3 o IP
In frame-relay interworking the PE router reports the PVC status to the CE router,
based on the status of the pseudowire with the remote PE. Also the status of the local
PVC detected by the PE router will be reflected into the pseudowire status towards the
remote PE.
For ethernet, the PE acts like a proxy-ARP server to all ARP requests from the CE
router. Sometimes you might need to clear the arp table on the CE after making
changes on the PE.
For PPP, proxy IPCP is automatically enabled on the PE router when IP interworking
is configured on the pseudowire.
Although it might not be applicable in the lab, generally you should take care of the
AC MTU so that it doesn't exceed the core MTU.
IOS
IOS-XR
l2vpn
xconnect group A-XCONGRP
p2p A-P2P
interworking ipv4
The rest of the configuration is the same as in normal L2VPN setup. Interworking
doesn't apply in VPLS.
When doing interworking with frame-relay, you can't use inverse-arp (because there is no ip
address on the
other side of the local AC, neither at the other side of the remote AC), so you'll have to either
use static
Most of the times, you must configure all IGPs for point-to-point operation between the CE
routers when
IOS
Ethernet
interface FastEthernet1/0
xconnect 9.9.9.9 19 pw-class EoMPLS-IW-PWCLASS
Frame-Relay
Configure the following if you want to enable logging of the PW redundancy events.
IOS
The PW status is signaled between the PEs, if it's supported (it's enabled by default).
IOS
XC ST Segment 1
2 S2 ------+---------------------------------+--
+----------------------------- ----+--
UP pri ac
Fa1/0(Ethernet) Fa1/0(Ethernet)
Ethernet
Ethernet
5.5.5.5
9.9.9.9
15
19 UP
UP IA sec ac
5.5.5.5:15
R1#sh mpls l2transport vc
S1 Segment
Dest address
VC ID
190
: enabled/supported
: enabled
: established, LrdRru
Last local dataplane Last local SSS circuit Last local SSS
circuit Last local LDP TLV Last remote LDP TLV Last remote LDP
ADJ
116, send 0
8221, send 0
0, seq error 0, send 0
You can configure the topology as "dual-homed" under the pw-class, if you want to have
both primary and
backup pseudowires appear as active simultaneously. In any case, traffic will continue to pass
through the
primary PW only.
Links
IOS
Keep in mind that the xconnect output is based on the configuration, while the mpls l2vc
output is based on the result.
IOS
XC ST Segment 1
2 S2 ------+---------------------------------+--
+----------------------------- ----+--
UP pri ac
Fa1/0(Ethernet) UP Fa1/0(Ethernet)
IA sec ac
5.5.5.5:15
R1#sh mpls l2 vc
Local intf Local circuit
Status
------------- -------------------------- ---------------
---------- ---- ------
Fa1/0
Fa1/0
Ethernet
Ethernet
5.5.5.5
9.9.9.9
15 UP 19 UP
SB
S1 Segment
Dest address
VC ID
192
Everything must be configured under the "l2vpn" hierarchy, including the pw-classes.
VPWS
IOS-XR
l2vpn
xconnect group A-XCONGRP
p2p A-P2P
interface X
!
neighbor Y pw-id k
pw-class Z
VPLS
IOS-XR
l2vpn
bridge group A-BRGRP
vfi A-VFI
neighbor Y1
pw-class Z
neighbor Y2
pw-class Z
A-BRDOM
pw-id k1
pw-id k2
xconnect/bridge groups are used solely for configuration grouping; you can put all bridge-
domains under the same bridge group and all the p2ps under the same xconnect group.
You can have a neighbor directly under the bridge-domain, if you want to make this an
access pseudowire.
For core pseudowires (which will be 99% the case) you need to define the neighbor under the
vfi.
Below you can find some useful commands for verification and troubleshooting.
IOS-XR
brief
detail
encapsulation
group
groups
193
interface
mp2mp
mspw
neighbor
private
pw-class
state
summary
type
Filter on interface
MP2MP Information
ms_pw Information
Filter on neighbor
Private information
Filter on pseudowire class Filter on xconnect state Summary
information
Check VPLS (AC/PW details, status, MTU, traffic, split-horizon, L2 features like storm-
control, unicast/multicast/broadcast flooding, etc.)
IOS-XR
autodiscovery
bd-name
brief
detail
group
hardware
interface
neighbor
objects
pbb
private
summary
Output Modifiers
Check VPLS (mac-addresses and various L2 features like DHCP snooping, ARP inspection,
etc.)
IOS-XR
ASR9k#sh l2vpn forwarding bridge-domain ?
WORD
debug
detail
hardware
location
mac-address
mroute
pbb private
Specify a location
MAC address information
multicast route information
Provider backbone bridge information Include private
information
194
L2transport ethertype
When configuring a l2transport interface in IOS-XR you have the following options
regarding its tagging/ethertype:
dot1ad
o ethertype 0x88a8 (default)
single vlan double vlan
dot1ad
o ethertype 0x88a8 (default)
dot1q refers to 802.1q, while dot1ad refers to 802.1ad (which is the standard).
H-VPLS
N=Network U= User
core domain
o core PWs between all N-PEs
access domains
o access PWs between each U-PE and a core N-PE
You can also have simple L2 ethernet circuits instead of access PWs. Configuration-wise the
idea is the same as above:
CE
U-PE o
N-PE o
P
o
no change
one (or two) p2p PW from the U-PE to one (or two) N-PE full-mesh of p2p PWs between all
N-PEs
just MPLS switching
access domains (containing U-PEs and CEs) and a core domain (containing N-PEs and Ps).
195
IOS-XR
l2vpn
bridge group A-BRGRP
bridge-domain A-BRDOM neighbor U-PE1 pw-id k1
pw-class Z !
vfi A-VFI
neighbor N-PE2 pw-id k1
pw-class Z
neighbor N-PE3 pw-id k2
pw-class Z
The above N-PE is responsible for switching the traffic from the access PW (coming from U-
PE1) to the core PWs (going to N-PE2 and N-PE3) and vice versa, based on the usual mac
learning.
Local Switching
Vlan to Vlan
IOS
!
interface FastEthernet0/0.2
encapsulation dot1q 2 !
IOS-XR
!
interface TenGigE0/0/0/0.2 l2transport
l2vpn
xconnect group XCONGRP
Remember that access PWs go outside the VFI and core PWs go inside the VFI, while
everything goes under
the bridge-domain.
p2p LS-P2P
interface
interface
TenGigE0/0/0/0.1 TenGigE0/0/0/0.2
196
Frame-Relay to Frame-Relay
IOS
frame-relay switching
!
interface Serial2/0
encapsulation frame-relay
frame-relay interface-dlci 100 switched frame-relay intf-type
dce
!
interface Serial2/1
encapsulation frame-relay
frame-relay interface-dlci 200 switched frame-relay intf-type
dce
!
connect FR2FR serial2/0 100 serial2/1 200
IOS
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Loopback1
ip address 11.11.11.11 255.255.255.255
interface FastEthernet0/0
xconnect 11.11.11.11 111 pw-class L2TP-1-CLASS
!
interface FastEthernet0/1
xconnect 1.1.1.1 111 pw-class L2TP-11-CLASS
IOS
XC ST Segment 1
2 S2 ------+---------------------------------+--
+----------------------------- ----+--
UP ac
1.1.1.1:111
UP ac
11.11.11.11:111
Configuration Steps
Count VPDN
est 11.11.11.11 1
est 1.1.1.1 1
Fa0/1(Ethernet) Fa0/0(Ethernet)
UP UP
UP l2tp
UP l2tp
S1 Segment
create a GRE tunnel with destination the remote L2VPN PE
enable MPLS on the GRE tunnel
route the PW through the GRE tunnel (using IGP, static route, preferred-path)
R2 (IOS)
interface Tunnel0
ip unnumbered Loopback0
mpls ip
interface Ethernet1/0
xconnect 2.2.0.7 27 pw-class PWCLASS
R7 (IOS)
interface Tunnel0
ip unnumbered Loopback0
mpls ip
IOS-XR
interface tunnel-ip0
ipv4 address 10.10.10.1/24 tunnel mode gre ipv4
tunnel source 11.11.11.1 tunnel destination 12.12.12.2
mpls ldp
interface tunnel-ip0
! l2vpn
The other end of the tunnel is also the remote PE where the PW terminates.
In latest IOS-XR, you can also use the preferred tunnel-path feature in order to map the PW
to a specific GRE tunnel, instead of pointing the PW to the remote PE router..
IOS-XR
l2vpn
pw-class GRE-PWCLASS
encapsulation mpls
preferred-path interface tunnel-ip0
You must also enable an IGP on the tunnel (or create a static route for a different hop), in
order to drive the
PW destination across it. Be careful of recursive routing (tunnel destination must not go
through the tunnel
itself).
PW Switching or Multisegment PW
An L2VPN multisegment PW (MS-PW, also known as switched PW) is a set of two or more
PW segments that function as a single PW. They can be inside a single AS or they can span
multiple AS.
The end routers are called terminating PE routers (T-PEs) and the switching routers are called
S-PE routers. S-PE's role is to:
In an MS-PW spanning PE-1 <=> S-PE-2 <=> S-PE-3 <=> PE-4, the configuration
would be the following:
IOS
PE-1
interface X
xconnect S-PE-2 12 encapsulation mpls
S-PE-2
S-PE-3
PE-4
interface X
xconnect S-PE-3 34 encapsulation mpls
200 NTS for CCIE SP Lab by chatasos
It enables each VPLS PE router to discover "automatically" the other PE routers that are part
of the same VPLS domain using BGP.
BGP uses the L2VPN RIB to store endpoint provisioning information, which is updated each
time a L2 VFI is configured. When BGP distributes the endpoint provisioning information in
an update message to all its BGP neighbors, the endpoint information is used to configure a
PW mesh between these neighbors.
In older releases, VPLS Autodiscovery is not supported with L2TPv3 or Inter-AS topologies.
PEs that do not participate in the autodiscovery process (in order to join the VPLS)
PEs that have been configured with the Tunnel Selection feature
U-PEs in H-VPLS configurations that do not participate in the autodiscovery
process and have split-
In older releases, the BGP peer address must be a /32 address bound to the peer's LDP
router-id.
Split-horizon should not be disabled on autodiscovered neighbors.
Route reflectors can be used to reflect the BGP VPLS prefixes without having VPLS
explicitly configured on them.
IOS
!
router bgp 1
The same vpn id must be configured on all PEs that are part of the same VPN.
It'sgoodpracticetoalsouse"bgp update-delay
1"inordertominimizetheinitialupdatetime.
You can configure both autodiscovered and manually configured PWs in the same VFI, but
not for the same
peer PE. If you need to do that, then configure appropriately the RT values to prevent each
peer from
exit-address-family
IOS
Default values:
vpls-id: ASN:vpn-id
rd: ASN:vpn-id
route-target: lower 6 bytes of rd and vpls-id
l2 router-id: LDP router-id
VPLS ID is a BGP extended community value that identifies the VPLS domain. It
must be the same between PEs of the same VPN and unique between different VFIs
of the same PE.
be defined manually and be the same on all PEs of the same VPLS domain, since ASNs are
different.
202 NTS for CCIE SP Lab by chatasos
RSVP/MPLS-TE
MPLS-TE (MPLS Traffic Engineering) Requirements are described in RFC 2702. RSVP
(Resource Reservation Protocol) is defined in RFC 2205.
RSVP-TE (RSVP Traffic Engineering extension) is defined in RFC 3209. OSPFv2
extensions for TE are defined in RFC 3630.
OSPFv3 extensions for TE are defined in RFC 5329. ISIS extensions for TE are defined in
RFC 5305.
RSVP
PATH
o sent with the same source and destination addresses as the actual data (i.e. tunnel src/dst),
in
LabelRequestObject
ExplicitRouteObject(ERO)
RecordRouteObject(RRO)
SessionAttributeObject(SAO) SenderTSpec
RESV
o sent hop-by-hop by having each RSVP router forward a RESV message to the previous
RSVP
LabelObject
RecordRouteObject(RRO)
Each RESV message follows the exact reverse path of the initial PATH message
As a general case (but not applicable to MPLS-TE), if the PATH message arrives at a router
that does not understand RSVP, that router should forward the message as a normal packet
without interpreting the contents of the message and will not reserve resources for the flow.
number 46.
Then the following actions will happen when an RSVP reservation is asked:
1. R1
2. R2
3. R3
4. R4
5. R3
6. R2
7. R1
In case of MPLS-TE, one reservation attribute could be the transport label required in order
to build the LSP tunnel.
The request to bind labels to a specific LSP tunnel is initiated by the tunnel ingress node
(known as RSVP sender) using a PATH message.
The reply to this label allocation PATH message is sent from the egress node (known as
RSVP receiver) back upstream towards the sender using a RESV message, following the path
state across all nodes created by the initial PATH message in reverse order.
Each intermediate node that receives a RESV message containing a label, uses that label for
outgoing traffic associated with this specific LSP tunnel. If the node is not the sender, it
allocates a new label and places that
Labels are allocated downstream (R1=>R4) using PATH messages and propagated upstream
(R4=>R1) using
RESV messages.
204 NTS for CCIE SP Lab by chatasos
new label into a new RESV message which it sends upstream to the previous-hop, until it
reaches the sender and a complete LSP is built.
RSVP hellos are not enabled by default, since they are not needed for normal MPLS TE
operation.
When RSVP signals a TE LSP and there is a failure somewhere along the path, the failure
can remain undetected for as long as two minutes (timeout of RSVP session).
Two solutions can be used for triggering fast detection in case of a failure:
RSVP hellos
BFD RSVP hellos
IOS
!
interface X
IOS-XR
not supported
IOS
Whenusing"sh ip rsvp
int"toverifythersvpbandwidthonaninterface,allrsvpenabledinterfaces
are shown, even the ones that are shut down.
IOS-XR supports only BFD for fast detection (< 1sec). RSVP hellos can be used for simple
reroute (detection
to take place.
R4#sh ip rsvp hello client lsp det Hello Client LSPs (all lsp
tree)
Tun Dest: 19.19.19.19 Tun ID: 0 Ext Tun ID: 2.2.2.2 Tun
Sender: 2.2.2.2 LSP ID: 46
subgrp_id 0
Lsp
R4#sh ip
Local
20.4.5.4
R4#sh ip
Hello
Nbr
Remote Type
20.4.5.5 RR
Client Neighbors
LSPs 1
In IOS, there are 3 different commands to set the hello refresh interval:
ip rsvp signalling hello refresh interval xxx o refresh interval: 10-
30000 ms
The first two ones are the same and are the ones that actually enable/configure FRR. The
number of refresh misses is configured likewise.
BFD
In both cases in IOS, RSVP hellos must be configured both globally on the router and on the
specific interface
in order to be operational.
MPLS-TE Configuration
IOS
! global
mpls traffic-eng tunnels
!
router ospf X
ip unnumbered Loopback0
tunnel mode mpls traffic-eng
tunnel destination x.x.x.x
tunnel mpls traffic-eng path-option 1 dynamic
IOS-XR
interface X !
area 0
mpls traffic-eng
!
router isis X
If you don't set the router-id under the IGP, you won't be able to create any TE paths for the
tunnels.
You have to configure "ip rsvp bandwidth" in order to set the reserved bandwidth per
interface (tunnels can work without setting it, as long as their required bandwidth is 0).
Default bandwidth is 75% in IOS and 0 in IOS-XR (IOS-XR doesn't support the setting of
bandwidth as a percentage).
You won't see the RSVP bandwidth of an interface as allocated, unless the tunnel that passes
through it is fully operational.
RSVP bandwidth is reserved only on the egress interface of a router (based on the direction
of the tunnel).
Don't forget to enable wide metrics if using IS-IS (IOS gives you a warning).
In IOS-XR every tunnel type has a specific interface name. For MPLS-TE tunnels, the name
"tunne-te" is used.
Each TE tunnel is unidirectional, so if you want to make it behave like bidirectional, then you
need to configureareversetunnelfromthetail-endtothehead-endtoo.Only"ip
unnumbered"shouldbeusedin TE tunnels due to their unidirectional nature.
Is IOS-XR you must also enable MPLS LDP (even when LDP is not going to be used),
otherwise data-
Most tunnel changes require to shut/no shut the tunnel interface in order to have immediate
effect.
Setting the (signaled) bandwidth on the tunnel is not necessary for normal operation, but it
might help to verify the TE path when checking the RSVP interface bandwidth on the path.
IOS
teardowns
Log LSP Path Error traps
Log LSP Preemption traps
Log LSP Reservation Error traps Log LSP Establishment Traps
Log LSP Teardown Traps
IOS-XR
C12k(config-if)#logging events ?
link-status Enable interface and line-protocol state change
alarms lsp-status Enable interface LSP state change alarms
insufficient-bandwidth bandwidth
reoptimize
reroute
state
switchover
MPLS-TE Verification
IOS
RSVP.
R2#sh mpls
Local
Label
None
point2point
Outgoing Label
16
IOS
You can also check the labels assigned by RSVP in the intermediate routers and follow the
path like in LDP labels.
Don'tforgettousethecompleteprefixwhencheckingtheLFIBinthePE,otherwise"sh mpls
IOS
R4#sh mpls
InLabel
OutLabel
R5#sh mpls
InLabel
OutLabel
IOS
R4#sh mpls
Local
Label
16
R5#sh mpls
Local
Label
26
20.5.19.19
traffic-eng tunnels | i Label : FastEthernet0/0.24, 16
: FastEthernet0/0.45, 26
forwarding-table
Outgoing Prefix
Label or Tunnel Id 26 2.2.2.2 0 [1]
forwarding-table
Outgoing Prefix
Label or Tunnel Id Pop Label 2.2.2.2 0 [1]
Bytes Label
Switched
7658
Bytes Label
Switched
7540
Outgoing
interface
Fa0/0.45 20.4.5.5
[1]"aftertheprefixarethe"Tun_Id"and"Tun_instance"foundin"sh mpls
210 NTS for CCIE SP Lab by chatasos
Thenumber"0
traffic-eng tunnels"output.
Next Hop
Other options include:
You can use the following command in order to find the optimal path for a tunnel, based on
current resources:
IOS
R2#sh mpls
current
max
resources
none
Thesameinfoisavailableifyouusethe"sh mpls traffic-eng tunnels tunnel
X"command,
IOS
interface Tunnel0
IOS-XR
interface tunnel-te0
record-route
IOS
auto-bw
errors
timers
You can use the following methods in order to steer the tunnel traffic through a specific TE
path:
explicit-path
When using explit-paths in order to define the TE path, you can use either loopbacks
or next-hop addresses as next-address. Also there is no need to define the last-hop,
which is the tail-end.
i.e. for a path R2-R3-R4-R5-R6-R7 you can simply create the following explicit path
on R2:
IOS
interface Tunnel0
ip unnumbered Loopback0 tunnel mode mpls traffic-eng
However, it's good practice to
define next-hop addresses (plus the last-hop) if you want to be as strict as possible about the
path.
next-address R6
IOS-XR
interface tunnel-te0
ipv4 unnumbered Loopback0
destination 2.2.2.2
path-option 1 explicit name R3-R4-R5-R6
!
explicit-path name R3-R4-R5-R6
Whileeditingtheexplicit-path,youcanuse"index
x"inordertochangeaspecificentry,or"list"to view all current entries.
bandwidth
You can define the tunnel required/signaled bandwidth and the interface available bandwidth
in order to steer the traffic through a path that has enough bandwidth to accommodate the
tunnel's need.
IOS
!
interface Tunnel0
actually reserve that amount of bandwidth for the TE tunnel traffic, you have to configure the
appropriate QoS
too.
IOS-XR
rsvp
interface X
bandwidth 100000 !
interface tunnel-te0
ipv4 unnumbered Loopback0 signalled-bandwidth 99000
destination 2.2.2.2 path-option 1 dynamic
You can use the Path Option for Bandwidth Override in order to provide a fallback path
option that allows overriding the bandwidth configured on the TE tunnel (i.e a path option
with bandwidth set to 0 removes the bandwidth constraint imposed by the constraint-based
routing calculation).
When an LSP is signaled using a path option with a configured bandwidth, the bandwidth
associated with the path option is signaled instead of the signaled bandwidth configured
directly on the tunnel. You can have multiple path-options with different bandwidth
requirements.
IOS
interface Tunnel0
ip unnumbered Loopback0
tunnel mode mpls traffic-eng
tunnel destination 19.19.19.19
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 7 7
tunnel mpls traffic-eng bandwidth 50000
tunnel mpls traffic-eng path-option 1 explicit name R3-R4-R6-
R5 tunnel mpls traffic-eng path-option 2 dynamic bandwidth
25000 tunnel mpls traffic-eng path-option 3 dynamic bandwidth
0
With bandwidth override configured on a path option, the traffic engineering software
attempts to reoptimize the bandwidth every 30 seconds.
TE metric
You can influence the path that the tunnel will follow by changing the TE metric
(administrative-weight) on
interface Χ
mpls traffic-eng tunnels
mpls traffic-eng administrative-weight 2
IOS-XR
admin-weight 2
If TE metric is set to its max under a specific interface, then tunnel will never pass through
that interface.
All TE metric changes require to shut/no shut the tunnel interface in order to have immediate
effect.
Default TE metric is the IGP metric for that specific path. Whenever IGP metric changes, TE
metric follows, unless it's explicitly configured, so it gets priority.
Usually it's easier to increase the TE metric on the path that should not be preferred, instead
of decreasing the
IOS
P2P TUNNELS/LSPs:
Name: R1_t0
Status:
path option 1, type dynamic (Basis for Setup, path weight 23)
You can change this default path-selection policy (where TE metric is used) using the
following command,
IOS
mpls traffic-eng path-selection metric igp
!
interface Tunnel0
IOS-XR
!
interface tunnel-te0
IOS
IOS-XR
path-options
You can define multiple path-options (as fall-back methods), with preference 1 having the
highest priority. ThecurrentlyactiveTEpathcanbefoundbycheckingthe"sh mpls
traffic-eng tunnels" command output.
IOS
interface Tunnel0
tunnel mpls traffic-eng path-option 1 explicit name R3-R4-R5-
R6 tunnel mpls traffic-eng path-option 2 dynamic
IOS-XR
interface tunnel-te0
path-option 1 explicit name R3-R4-R5-R6 path-option 2 dynamic
IOS
P2P TUNNELS/LSPs:
Name: R2_t0
Status:
path option 2, type dynamic (Basis for Setup, path weight 40)
path option 1, type explicit R3-R4-R5-R6
...
IOS
IOS-XR
[Labels:
[Labels:
[Labels:
[Labels:
[Labels:
code 0
22 Exp: 0]
22 Exp: 0]
21 Exp: 0]
22 Exp: 0]
implicit-null Exp: 0] 112 ms
76 ms
80 ms
104 ms