Wednesday, 16 December 2015

VRF Aware IPSEC VPN

In this post we will see how we can support multiple VRFs in site to site IPSEC VPN implementation.

We will use the below topology. The routers CE1 and CE2 are connected to the Internet. For simplicity, I have used the private IP addressing for the WAN connectivity.



Ok so the first step is to configure required VRFs on both the CPEs.

Saturday, 31 October 2015

EIGRP IP FRR & OSPF LFA

In today's modern networks, fast convergence has become a mandatory requirement.
If we want to achieve fast convergence, each of the steps below need to be optimized

1. Failure Detection
2. Failure Propagation
3. Processing of new information
4. Updating RIB/FIB

1. Failure Detection:- "How long does it take me to detect a failure?"
This normally depends on the Hello/Hold down/Dead timers of the routing protocol. We can either tune these timers or use a mechanism such as "BFD" which we have seen in our earlier post.

2. Failure Propagation:- "How long does it take me to tell everyone else?"
In EIGRP, this is done through Query/Reply packets. We can reduce the Query domain by configuring the routers as "stub".

In OSPF, this depends on the area size and the LSA flooding procedure. We can tune the LSA timers to change this.

Friday, 18 September 2015

Carrier Supporting Carrier (CSC)

In this post we will look at the Carrier Supporting Carrier design where smaller service providers use large service providers as backbone in order to connect parts of their network which eliminates the need to build and maintain their own MPLS network.

From customer's point of view, there is no difference in terms of connectivity and it will still appear as they have a normal Layer 3 MPLS connection from the provider.

Let's look at the below topology to understand how it works.



We have a Tier 2 SP who is providing services to customer sites in two different geographical locations. The service provider have their own network within specific regions but not connected with each other directly hence they are using Tier 1 SP's backbone to connect both of their networks and provide end-to-end connectivity to the customer.

Saturday, 29 August 2015

Inter-AS MPLS VPN - Option C (BGP+Label)

In this post, we will look into the Inter-AS MPLS VPN - Option C which is also known as "BGP + Label". 

Option C uses eBGP IPv4 session between ASBRs to exchange reachability to PE loopbacks. There will be a VPNv4 neighbourship between service providers VPNv4 route-reflectors (RRs).

Option C takes away the heavy reliance on ASBRs. In this case, ASBRs are only used to exchange the loopback prefixes using eBGP IPv4 sessions.

To understand how it works, let's look at our topology below.



We have two service providers. Both are connected through ASBR routers. In this specific instance, we have local VPNv4 route-reflector for each SP. The customer site CE1 is connected to SP1 and CE2 is connected to SP2.

Thursday, 13 August 2015

Inter-AS MPLS VPN - Option B (VPNv4 EBGP between ASBRs)

So far we have seen the Inter-AS MPLS VPN using "back to back VRF" method. Even though it's a relatively easy method to implement, it has few drawbacks.

This procedure doesn't require MPLS enabled on the link between ASBRs however it does not scale very well. 

There is another method in which ASBR's establish VPNv4 neighbourship, exchange MPLS labels and can maintain end-to-end LSP. It is know as "Option B".

Let's see how it works. We are going to use the same topology as we used in last post.



The IP addressing and the core routing remains the same. The only difference is the configuration on ASBR where I have removed the EBGP neighbourship statement and removed the local VRF configuration.

Friday, 7 August 2015

Inter-AS MPLS VPN - Option A (Back to Back VRF)

We have seen how standard L3 MPLS works in the previous post http://ciskonetwork.blogspot.co.uk/2015/03/layer-3-mpls-vpn.html. 

In normal implementation, customer sites are served by a single service provider. The PE routers maintain an IBGP session and the routing information gets exchanged through VPNv4 neighbourship.

What if two customer sites are connected through different service providers? The PE routers of each service provider will not be able to establish IBGP neighbourship with each other hence won't be able to exchange VPNv4 routes.

There are mainly three ways to handle this type of a situation. One of three methods is called "Option A - Back to Back VRF".


Tuesday, 28 July 2015

IPv6 NAT-PT

In the recent posts, we discussed how we can transport IPv6 traffic over IPv4 backbone using the tunneling techniques. 

These techniques will not work if we have one part of network which can only run IPv4 and the other part can only run IPv6. Since IPv4 and IPv6 are not compatible with each other, we have to use some sort of translation mechanism. The way we can achieve this is through NAT-PT (NAT protocol translation).

Let's look at the below topology and see how NAT-PT can be implemented.



We have three routers R1, R2 and R3. We are running RIPng and RIPv2 between R1-R2 and R2-R3 respectively. R1 is only aware about IPv6 addresses, similarly R3 is only aware about IPv4 addresses.

Our goal is to establish reachability between the IPv6 loopback (2001:1111::1/128) of R1 to IPv4 loopback (3.3.3.3/32) of R3.

Friday, 10 July 2015

IPv6 tunneling over IPv4 - 6to4 Autotunnel

In the previous post, we looked at the IPv6 tunneling technique using IPv4 manual tunnels. We will now see how dynamic multipoint IPv6 tunnel works.

6to4 tunnels allow for the dynamic creation of IPv6 within IPv4 tunnels. Manual tunnel is normally used as point-to-point however 6to4 tunnels can be point-to-multipoint.

The 2002::/16 range has been reserved to use for tunneling. We will have to add the IPv4 address into this range to generate /48 prefix. i.e. if the IPv4 address of the border router is 192.168.1.1 then the 6to4 site address prefix becomes 2002:C0A8:101::/48 (Convert 192.168.1.1 to Hex which results in C0A8:0101)

We will work on the same topology we used in the previous post.


Tuesday, 30 June 2015

IPv6 tunneling over IPv4 - Manual Tunnel

We know that IPv4 and IPv6 addresses are not compatible with each other. Let's say the existing infrastructure is running on IPv4. If we need to implement IPv6 on few of the hosts, we need to use some sort of a technique for IPv6 hosts to communicate with each other using existing IPv4 network. One of the ways we can achieve this is by using a tunneling method.

In this post we will see how we can implement "Manual Tunnel". 

As shown in the diagram below, we have R1, R2 and R3 connected with each other. 



All three routers are running EIGRP and there is an IPv4 reachability from R1 to R3.

Thursday, 18 June 2015

BFD (Bidirectional Forwarding Detection)

In this post, we will look into a feature called BFD (bidirectional forwarding detection). In normal routing protocol operation, the link failure is detected by using the hello/holddown/dead timers. 

Depending on the routing protocol, you can lower the timers to achieve fast failure detection. e.g. in the case of OSPF the lowest dead time can be one second and one can set the hello interval as low as 50ms.

However lowering these timers can result in higher CPU utilization. Also it will unnecessarily waste the link bandwidth. 

There is a better way of achieving fast failure detection through BFD. BFD is a UDP-based protocol that provides fast (in milliseconds) routing protocol independent detection of layer-3 next hop failures.

Let's see how it works. As shown in the diagram below, routers R1 and R2 are connected via Switch 1 and Switch 2. Both the routers are running OSPF and we can see the OSPF neighbourship is up.


Thursday, 7 May 2015

Multicast Notes

Well Known Multicast Addresses

224.0.0.1 - All Hosts
224.0.0.2 - All Multicast Routers
224.0.0.9 - RIPv2 Routers
224.0.0.10 - EIGRP Routers
224.0.0.12 - HSRPv2
224.0.0.13 - PIM Routers
224.0.0.22 - IGMPv3
224.0.1.1 - NTP
224.0.1.39 - Cisco-RendezvousPoint-Announce
224.0.1.40 - Cisco-RendezvousPoint-Discovery
232.0.0.0/8 - Reserved for SSM
233.0.0.0/8 - GLOP address range

PIM (Protocol Independent Multicast)
  • Protocol independent means that it can work with any unicast routing protocol 
  • Pim can be implemented in three modes: sparse mode, dense mode and sparse-dense mode.

Tuesday, 14 April 2015

Layer 2 MPLS VPN (AToM)

In the previous post, we have seen the configuration of Layer 3 VPN. here we will see how we can configure Layer 2 VPN. 

Layer 3 VPN requires the PE participating in the CE routing. Sometimes PE cannot support specific routing protocol as required by the customer or the CE devices may not be IP aware.

Also customer will have to involve the service provider if they want to do any routing changes.

Layer 2 VPN resolves this issue by providing a layer 2 connectivity between CEs, effectively providing a broadcast domain. Customer can run any routing protocol between the CEs and will be in full control of the routing.

Generally it's done by using AToM (Any transport over MPLS) or L2TPV3 (Layer 2 tunnelling protocol). 

The key difference between both the methods is that AToM uses the MPLS as the transport while L2TPV3 uses IP. 

Let's look at the below scenario and see how we can implement this. We will use AToM in our example.

Wednesday, 1 April 2015

6VPE

6VPE (IPv6 VPN Provider Edge Router) is a feature which connects the customer sites configured with IPv6 addressing over the existing IPv4 MPLS backbone.

In our last post, we have seen how we can configure standard Layer 3 MPLS connection on Cisco routers and advertise customer's IPv4 prefixes over that. 

We will use the same topology for 6VPE however we will configure IPv6 addresses between PE to CE (R1-R2 and R5-R6) and on the Loopbacks of the CEs (R1 and R6).

This is how our topology looks like


Wednesday, 18 March 2015

Layer 3 MPLS VPN

In this post we will look at the steps of configuring Layer 3 MPLS VPN on Cisco routers.

As shown in the diagram, R1 and R6 are CE routers. R2 and R5 are PEs while R3 and R4 are P routers.


Wednesday, 25 February 2015

DMVPN Phase 3

DMVPN Phase 2 and Phase 3 are identical however in Phase 3, there is no need for the command "no ip next-hop-sef eigrp 10". 

To implement Phase 3, we will have to configure one additional command "ip nhrp redirect" on the hub and one additional command on the spokes ""ip nhrp shortcut". 

The idea here is that when a spoke try to send packets to another spoke, the initial packet will be forwarded to the hub. Upon receiving the packet on mGRE interface, hub will reply back with an "NHRP Redirect" packet which will indicate that the spoke is not using an optimal path and it should look for alternate way by using NHRP reosolution.

The spoke will then sends an NHRP request directly to the destination spoke address (not the hub). The destination spoke will reply abck with the IP routing prefix. When the source spoke receives this reply, it will then know the NBMA IP address of the destination.

Tuesday, 27 January 2015

DMVPN Phase 2

Continuing from the previous post, let's now see how phase 2 works. 

The major difference between phase 1 and phase 2 is that in phase 2, the spokes can communicate to other spokes directly by using the NHRP mapping information from the hub.

To enable the spoke to create dynamic tunnels, we will remove the tunnel destination command and change the tunnel mode to "gre multipoint".




At the moment, we can see that R2 is learning the loopback of R3 with the next hop 10.1.1.1 (hub's tunnel IP). 



Wednesday, 14 January 2015

DMVPN Phase 1

As shown in the diagram below, let's assume that a customer has three sites. R1 represents the hub, R2 and R3 are the remote spokes. Each site has a local internet connection. Our aim to provide connectivity between the LAN subnets of all three sites.


The IP addresses 1.1.1.1/30, 2.2.2.1/30 and 3.3.3.1/30 are the public IPs provided by the local ISPs at respective locations. The 192.168.X.0/24 is the LAN IP subnet at each site.