
Reserved MPLS labels

A table showing some of the more important reserved MPLS labels. I’ll add more on these labels in a later post.

Label Value   LDP                  TDP
0             IPv4 Explicit Null   IPv4 Implicit Null
1             Router Alert         IPv4 Implicit Null
2             IPv6 Explicit Null   Router Alert
3             IPv4 Implicit Null   IPv6 Explicit Null

ISIS level-1, level-2 areas, ISIS redistribution and ISIS default route origination.

I’m going to cover the following three things in this post.

  1. Level-1, Level-1-2 and Level-2-only routers: how to configure them and what the ATT bit is.
  2. The default behaviour of the various levels with respect to routing updates, i.e. whether level-2 prefixes are advertised to level-1 routers by default.
  3. Finally, how to originate a default route within a level-2 area.

Consider the topology below.

[Figure: isis-att-redist-area]

Some important points worth noting:

  1. Level-1-2 routers HAVE to be in the same area as the level-1 routers, otherwise the level-1 routers will not be able to form an adjacency with them.
  2. The level-1-2 router must have a level-2 adjacency with a router in another area for the ATT bit to be set in its outgoing level-1 updates.
  3. By default, level-1 routes are advertised to level-2 routers.
  4. By default, level-2 routes are NOT advertised to level-1 routers.

Watch the video below or alternatively download the video and watch it on your iPod.


The commands used for the above configuration are:

R1

frame-relay switching
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.252
ip router isis
encapsulation frame-relay
clockrate 128000
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.2 200
no frame-relay inverse-arp
frame-relay intf-type dce
!
router isis
net 49.0001.0000.0000.0001.00
is-type level-1
passive-interface Loopback0
!

R2
!
frame-relay switching
!
interface Serial1/0
ip address 10.0.0.5 255.255.255.252
ip router isis
encapsulation frame-relay
no fair-queue
serial restart-delay 0
clockrate 128000
no arp frame-relay
frame-relay map ip 10.0.0.6 200
frame-relay map clns 200 broadcast
no frame-relay inverse-arp
frame-relay intf-type dce
isis circuit-type level-2-only
!
interface Serial1/1
ip address 10.0.0.2 255.255.255.252
ip router isis
encapsulation frame-relay
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.1 200
no frame-relay inverse-arp
isis circuit-type level-1
!
router isis
net 49.0001.0000.0000.0002.00
redistribute isis ip level-2 into level-1 distribute-list 100
!
access-list 100 permit ip any any

R3

interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Serial1/0
ip address 10.0.0.6 255.255.255.252
ip router isis
encapsulation frame-relay
serial restart-delay 0
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.5 200
no frame-relay inverse-arp
!
router isis
net 49.0002.0000.0000.0003.00
is-type level-2-only
passive-interface Loopback0
default-information originate

ISIS over Frame-Relay

Configuring ISIS over Frame Relay requires an additional map command (frame-relay map clns) because IS-IS packets are not carried in IP at layer 3 but in CLNS.

Consider the topology below.

[Figure: frame-isis]

Watch the video below or alternatively download it and watch it on your iPod.


The commands used in the configuration can be found below.

R1
!
frame-relay switching
!
interface Serial1/0
ip address 10.0.0.1 255.255.255.252
ip router isis
encapsulation frame-relay
clockrate 128000
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.2 200
no frame-relay inverse-arp
frame-relay intf-type dce
!
router isis
net 49.0001.0000.0000.0001.00
is-type level-1

R2

!
interface Serial1/1
ip address 10.0.0.2 255.255.255.252
ip router isis
encapsulation frame-relay
no arp frame-relay
frame-relay map clns 200 broadcast
frame-relay map ip 10.0.0.1 200
no frame-relay inverse-arp
isis circuit-type level-1
!
router isis
net 49.0001.0000.0000.0002.00

ISIS wide metrics

By default, ISIS caps ISIS metrics at 63 (narrow metrics).

To address this limitation a new IS-IS TLV was defined to overcome the limited 6-bit metric of 63. This TLV, known as TLV Type 135, increased the per-link metric range from <0-63> to <1-16777214>, i.e. the new TLV has 24 bits for the ISIS metric.

This new range can be seen under the interface config mode as shown below.

R2(config)#interface loopback 0
R2(config-if)#isis metric ?
<1-16777214>  Default metric

Consider the topology below.

[Figure: metric-style]

We will attempt to increase the metric of the R2 loopback to greater than 63 with and without wide-metrics enabled.

The video below shows how to configure and verify the use of wide metrics in ISIS.  Click here to download the video and watch it on your iPod.


The commands used in the video are as below:

R1

interface FastEthernet1/0
ip router isis
!

router isis
net 49.0001.0000.0000.0001.00
is-type level-2-only
metric-style wide
passive-interface Loopback0

R2

interface Loopback0
isis metric 10000
!
interface FastEthernet1/0
ip router isis
!

router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
metric-style wide
passive-interface Loopback0

R3

interface FastEthernet1/0
ip router isis
!
interface FastEthernet1/1
ip router isis
!

router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!

To verify the wide metric on R1 use the command below.

R1#show isis database R2.00-00 detail

IS-IS Level-2 LSP R2.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00              0x0000000E   0x1A31        428               0/0/0
Area Address: 49.0001
NLPID:        0xCC
Hostname: R2
IP Address:        2.2.2.2
Metric: 10         IS-Extended R3.02
Metric: 10000      IP 2.2.2.2/32
Metric: 10         IP 10.0.0.4/30

Prefix Lists

IP prefix lists can be used with BGP to permit or deny specific prefixes from being advertised to, or learnt from, a neighbor.

Consider the topology below.

[Figure: prefix-lists]

We will carry out three exercises.

  1. configure a prefix list to match 192.168.1.0/24
  2. configure a prefix list to match 192.168.1.0/24, 192.168.1.0/25, 192.168.1.0/26.
  3. configure a prefix list to match 192.168.1.0/25 and 192.168.1.0/26

Exercise 1

We configure the following prefix list and attach it to the bgp neighbor 10.0.0.2 using the commands below.

ip prefix-list slash-24-only seq 5 permit 192.168.1.0/24

router bgp 1
!
neighbor 10.0.0.2 prefix-list slash-24-only in

Exercise 2

We configure the following prefix list and attach it to the bgp neighbor 10.0.0.2 using the commands below.

ip prefix-list UP-TO-SLASH-26 seq 5 permit 192.168.1.0/24 le 26

router bgp 1
!
neighbor 10.0.0.2 prefix-list UP-TO-SLASH-26 in

Exercise 3

We configure the following prefix list and attach it to the bgp neighbor 10.0.0.2 using the commands below.

ip prefix-list GE-LE seq 5 permit 192.168.1.0/24 ge 25 le 26

router bgp 1
!
neighbor 10.0.0.2 prefix-list GE-LE in

Now let me try and explain what these 3 prefix lists are actually doing.

Prefix list 1 – slash-24-only

ip prefix-list slash-24-only seq 5 permit 192.168.1.0/24

This is pretty straightforward. This prefix list will match only the exact prefix configured in the prefix list, i.e. 192.168.1.0/24.

Prefix list 2 – UP-TO-SLASH-26

ip prefix-list UP-TO-SLASH-26 seq 5 permit 192.168.1.0/24 le 26

For a prefix to be permitted by this prefix-list the first 24 bits must match the first 24 bits of 192.168.1.0.

The le 26 then adds a mask-length clause which states that the subnet mask being advertised must be less than or equal to 26 bits in length.

Let's consider a bunch of prefixes and see whether they would be permitted by the above prefix list.

  1. 192.168.1.0/24
  2. 192.168.1.4/30
  3. 192.168.1.128/25
  4. 192.168.1.0/23
  5. 192.168.1.0/27

Prefix 1 matches both criteria, i.e. its first 24 bits match the prefix in the prefix list and the subnet mask is not longer than 26 bits.

Prefix 2 matches the first criterion, i.e. its first 24 bits match the prefix in the prefix list; however, the subnet mask is longer than 26 bits.

Prefix 3 also matches both criteria, i.e. its first 24 bits match the prefix in the prefix list and the subnet mask is not longer than 26 bits.

Prefix 4 is an invalid prefix, I’ll let you work out why.

Prefix 5 matches the first criterion but fails the mask-length criterion, and as such the prefix is denied.

Prefix list 3 – GE-LE

ip prefix-list GE-LE seq 5 permit 192.168.1.0/24 ge 25 le 26

Now this is an interesting beast. This prefix list has 2 match clauses.

  1. The prefix must match the first 24 bits of the prefix in the prefix list.
  2. The subnet mask must be between 25 and 26 bits in length.

Let's consider a bunch of prefixes and see whether they would be permitted by the above prefix list.

  1. 192.168.1.0/24
  2. 192.168.1.4/30
  3. 192.168.1.128/25

Prefix 1 matches the first criterion, i.e. the first 24 bits match; however, the subnet mask is the wrong length.

Prefix 2 matches the first criterion, i.e. the first 24 bits match; however, the subnet mask is the wrong length.

Prefix 3 matches both criteria, i.e. its first 24 bits match the prefix in the prefix list and the subnet mask is at least 25 bits but still no longer than 26 bits.
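To make the two match clauses concrete, here is an added Python model of IOS prefix-list matching (this is illustration code, not the post's own configuration or Cisco's implementation). It encodes the IOS rules for ge/le: with neither keyword the length must equal the configured length exactly, le alone means "configured length up to le", ge alone means "ge up to 32", and both together mean "ge up to le"; the first matching sequence wins and there is an implicit deny. It then runs the three prefix lists from the exercises over the candidate prefixes discussed above, and it also flags a candidate with host bits set (prefix 4) as invalid rather than silently matching it.

```python
import ipaddress

# Added example, not the blog's own code: a model of IOS prefix-list matching
# ("ip prefix-list NAME seq N permit|deny A.B.C.D/len [ge G] [le L]") run over
# the three lists and the candidate prefixes from the post. Rules modelled:
# no ge/le -> length must equal len exactly; le only -> len..L;
# ge only -> G..32; both -> G..L; first matching sequence wins; implicit deny.


class PrefixListEntry:
    def __init__(self, seq, action, prefix, ge=None, le=None):
        self.seq = seq
        self.action = action                      # "permit" or "deny"
        self.network = ipaddress.ip_network(prefix, strict=True)
        base = self.network.prefixlen
        self.min_len = ge if ge is not None else base
        self.max_len = le if le is not None else (32 if ge is not None else base)
        if not base <= self.min_len <= self.max_len <= 32:
            raise ValueError(f"seq {seq}: need len <= ge <= le <= 32")

    def matches(self, net):
        """Clause 1: the candidate's first <base> bits equal the entry prefix.
        Clause 2: the candidate's mask length lies in [min_len, max_len]."""
        base = self.network.prefixlen
        if net.prefixlen < base:
            return False                          # too short to share <base> bits
        same_bits = net.supernet(new_prefix=base) == self.network
        return same_bits and self.min_len <= net.prefixlen <= self.max_len


class PrefixList:
    def __init__(self, name, entries):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    def evaluate(self, candidate):
        """'permit', 'deny', or 'invalid' when the candidate has host bits set
        (192.168.1.0/23 is not a valid network: with a 23-bit mask its
        network address would be 192.168.0.0)."""
        try:
            net = ipaddress.ip_network(candidate, strict=True)
        except ValueError:
            return "invalid"
        for entry in self.entries:
            if entry.matches(net):
                return entry.action
        return "deny"                             # implicit deny at the end


# The three prefix lists configured in the post
SLASH_24_ONLY = PrefixList("slash-24-only", [PrefixListEntry(5, "permit", "192.168.1.0/24")])
UP_TO_SLASH_26 = PrefixList("UP-TO-SLASH-26", [PrefixListEntry(5, "permit", "192.168.1.0/24", le=26)])
GE_LE = PrefixList("GE-LE", [PrefixListEntry(5, "permit", "192.168.1.0/24", ge=25, le=26)])

# The candidate prefixes the post walks through
CANDIDATES = ["192.168.1.0/24", "192.168.1.4/30", "192.168.1.128/25",
              "192.168.1.0/23", "192.168.1.0/27"]


def evaluate_all(prefix_list, candidates=CANDIDATES):
    """Map each candidate prefix to the verdict of the given prefix list."""
    return {c: prefix_list.evaluate(c) for c in candidates}


if __name__ == "__main__":
    for pl in (SLASH_24_ONLY, UP_TO_SLASH_26, GE_LE):
        print(pl.name)
        for cand, verdict in evaluate_all(pl).items():
            print(f"  {cand:18} {verdict}")
```

Running it reproduces the walk-through above: UP-TO-SLASH-26 permits the /24 and the /25 and denies the /30 and /27, while GE-LE permits only the /25. The model also goes one step beyond the post by handling the ge-only case (ge 25 with no le permits everything from /25 down to /32 inside the /24), which is the form most often used to catch all more-specifics of a block.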

I hope that makes sense. Anyhow, here is a video showing how to put it all together, or alternatively click here to download it and watch it on your iPod.


ARF – Automatic Route Filtering

When designing an MPLS network you will have to decide whether to configure a full mesh of MP-iBGP sessions between your PEs as in diagram 1 below or whether to use a hub and spoke topology as in diagram 2 below.

Diagram 1 – BGP full mesh

[Figure: bgp-full-mesh]

Diagram 2 – BGP partial mesh

[Figure: bgp-partial-mesh1]

The most obvious benefit of using a hub and spoke topology is that it scales a lot better than a full mesh. As you can see, there are far fewer BGP sessions in the partial mesh design.

Automatic Route Filtering

iBGP sessions behave slightly differently with VPNv4 prefixes than they do with IPv4 prefixes. Using diagram 2 as an example, in the IPv4 world R1 would send IPv4 prefixes to R3. These prefixes would be accepted by R3 and installed in the BGP table.

In the VPNv4 world, however, this is not the case. When VPNv4 prefixes are learned from R1, R3 will reject (filter) them, as R3 is not part of the VPN, i.e. R3 does not have a VRF importing those particular VPNv4 prefixes (the filter is keyed on the route-target extended community, hence the name of the command below). This is known as Automatic Route Filtering, and guess what, it's turned on by default. There are two ways to overcome this behaviour. The first is to turn off ARF; the second is to configure R3 as a route reflector. Configuring R3 as a route reflector turns ARF off by default.

Consider the topology below.

[Figure: arf-vpna]

We will configure a VPNv4 session between R1 and R3. We will create a VPN on R1 called VPNA, which contains the prefix 192.168.1.0/24. We will redistribute this prefix into MP-BGP, which creates a VPNv4 prefix and advertises it to R3. You will see that by default R3 rejects the route. To accept the route we will have to turn off ARF using the command below.

no bgp default route-target filter
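The following added Python example (illustration code, not the post's configuration or Cisco's implementation) shows the decision ARF makes on R3: it decodes the Route Target extended communities attached to the VPNA update and accepts the VPNv4 prefix only when a local VRF imports one of those route targets, unless route-target filtering is disabled or the router is a route reflector. The RT value 1:100 for VPNA, the VRF name and the update are constructed for the example.

```python
import struct

# Added example, not the blog's own code: decode the Route Target extended
# communities carried on a VPNv4 update and apply the import decision that
# Automatic Route Filtering makes on a PE. The VRF names, RT values and
# updates below are constructed for the illustration.

RT_SUBTYPE = 0x02      # Route Target sub-type (RFC 4360)


def encode_rt(asn, number):
    """Two-octet-AS-specific Route Target, e.g. RT 1:100 -> 00 02 00 01 00 00 00 64."""
    return struct.pack("!BBHI", 0x00, RT_SUBTYPE, asn, number)


def decode_route_targets(ext_communities):
    """Return RT strings for every Route Target in a list of 8-byte
    extended communities; other extended communities are ignored."""
    rts = []
    for ec in ext_communities:
        if len(ec) != 8:
            raise ValueError("an extended community is exactly 8 bytes")
        high_type, sub_type = ec[0] & 0x3F, ec[1]   # low 6 bits select the type
        if sub_type != RT_SUBTYPE:
            continue
        if high_type == 0x00:                       # two-octet AS specific
            asn, number = struct.unpack("!HI", ec[2:])
            rts.append(f"{asn}:{number}")
        elif high_type == 0x01:                     # IPv4 address specific
            ip, number = struct.unpack("!4sH", ec[2:])
            rts.append(f"{'.'.join(str(b) for b in ip)}:{number}")
        elif high_type == 0x02:                     # four-octet AS specific
            asn, number = struct.unpack("!IH", ec[2:])
            rts.append(f"{asn}:{number}")
    return rts


def arf_decision(route_rts, vrf_import_rts, rt_filter=True, route_reflector=False):
    """ARF keeps a VPNv4 prefix only if one of its RTs is imported by a local
    VRF. 'no bgp default route-target filter' (rt_filter=False) disables the
    check, and a route reflector does not filter either."""
    if not rt_filter or route_reflector:
        return "accept"
    wanted = {rt for rts in vrf_import_rts.values() for rt in rts}
    return "accept" if wanted & set(route_rts) else "reject"


# Constructed: the VPNA prefix from the post, carried with RT 1:100
VPNA_UPDATE = {"prefix": "192.168.1.0/24", "ext_communities": [encode_rt(1, 100)]}


def r3_decisions():
    """R3 as in the post: no VRF configured, then the two ways around ARF,
    then the case where R3 actually takes part in the VPN."""
    rts = decode_route_targets(VPNA_UPDATE["ext_communities"])
    return {
        "default": arf_decision(rts, {}),
        "no bgp default route-target filter": arf_decision(rts, {}, rt_filter=False),
        "route reflector": arf_decision(rts, {}, route_reflector=True),
        "with VRF VPNA importing 1:100": arf_decision(rts, {"VPNA": ["1:100"]}),
    }


if __name__ == "__main__":
    for case, verdict in r3_decisions().items():
        print(f"{case:38} {verdict}")
```

The point to take from the output is that turning the filter off makes R3 hold every VPNv4 prefix in the network whether or not it has a VRF for it, which is exactly why a route reflector has it off and why a plain PE should leave it on.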

Anyway, take a look at the video below to see ARF filtering the VPNv4 prefix, or alternatively download it here and watch it on your iPod.


New Cisco Certifications Logo

I came across this link recently.  It suggests that Cisco Certification Logos are changing.

Follow the link to see the new logos.

AFIs and SAFIs

BGP uses OPEN messages to negotiate BGP sessions. These OPEN messages carry optional parameters which allow additional capabilities to be negotiated during setup.

If you want to run anything other than IPv4 unicast then you will have to configure BGP to advertise its additional capabilities, i.e. Multiprotocol Extensions (AFI/SAFI), during initial setup.

As an example you may want to run IPv4 multicast, VPNv4 or even IPv6. The table below shows the different AFI and SAFI values. The AFI and SAFI values combine to form pairs which are used during the BGP negotiation phase, i.e. if the BGP speaker wants to negotiate IPv4 multicast, it advertises capability 1/2.

AFI      SAFI           Type
IPv4(1)  Unicast(1)     IPv4 Address
IPv4(1)  Multicast(2)   IPv4 Address
IPv4(1)  VPN(128)       VPNv4 Address
IPv6(2)  Unicast(1)     IPv6 Address

Let's suppose you wanted to run an MP-iBGP session between two PE routers to advertise IPv4 unicast and IPv4 VPN (VPNv4) routes. You would need to negotiate AFI/SAFI pairs 1/1 and 1/128 during the initial BGP setup phase. If, after the BGP session is established, you would like to add an additional AFI/SAFI pair, then BGP has to renegotiate its capabilities, which unfortunately means tearing down the original session. Some folks refer to this as BGP fate sharing.

Anyhow, let's see this in action. Consider the topology below.
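To show what those AFI/SAFI pairs look like on the wire, here is an added Python example (illustration code, not the post's own material) that builds the Capabilities optional parameter of a BGP OPEN with one Multiprotocol Extensions capability per AFI/SAFI pair and parses it back, skipping capability codes it does not know by their length. The pair lists and the unknown capability code used in the checks are constructed for the example.

```python
import struct

# Added example, not the blog's own code: build and parse the Capabilities
# optional parameter of a BGP OPEN (parameter type 2, RFC 5492) carrying
# Multiprotocol Extensions capabilities (code 1, RFC 4760), one per AFI/SAFI
# pair. The pair lists below are constructed for the illustration.

CAP_OPT_PARAM_TYPE = 2   # "Capabilities" optional parameter
CAP_CODE_MP_EXT = 1      # Multiprotocol Extensions capability code
AFI_NAMES = {1: "IPv4", 2: "IPv6"}
SAFI_NAMES = {1: "Unicast", 2: "Multicast", 128: "VPN"}


def encode_mp_capabilities(pairs):
    """One Capabilities parameter holding a 4-byte MP_EXT value per pair:
    AFI (2 bytes), reserved (1 byte), SAFI (1 byte)."""
    caps = b"".join(
        struct.pack("!BBHBB", CAP_CODE_MP_EXT, 4, afi, 0, safi) for afi, safi in pairs
    )
    return struct.pack("!BB", CAP_OPT_PARAM_TYPE, len(caps)) + caps


def parse_mp_capabilities(data):
    """Walk the optional parameters of an OPEN and collect the AFI/SAFI pairs
    from every MP_EXT capability. Unknown parameter and capability codes are
    skipped by their length, which is what a speaker has to do to stay
    interoperable; truncated fields raise instead of being guessed at."""
    pairs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated optional parameter header")
        ptype, plen = struct.unpack_from("!BB", data, pos)
        pos += 2
        body = data[pos:pos + plen]
        if len(body) != plen:
            raise ValueError("truncated optional parameter")
        pos += plen
        if ptype != CAP_OPT_PARAM_TYPE:
            continue
        cpos = 0
        while cpos < len(body):
            if cpos + 2 > len(body):
                raise ValueError("truncated capability header")
            code, clen = struct.unpack_from("!BB", body, cpos)
            cpos += 2
            value = body[cpos:cpos + clen]
            if len(value) != clen:
                raise ValueError("truncated capability")
            cpos += clen
            if code == CAP_CODE_MP_EXT:
                if clen != 4:
                    raise ValueError("MP_EXT capability value must be 4 bytes")
                afi, _reserved, safi = struct.unpack("!HBB", value)
                pairs.append((afi, safi))
    return pairs


def describe(pairs):
    """Human-readable AFI/SAFI names matching the table in the post."""
    return [f"{AFI_NAMES.get(a, a)}({a})/{SAFI_NAMES.get(s, s)}({s})" for a, s in pairs]


def session_needs_reset(negotiated, wanted):
    """Adding an AFI/SAFI that was not in the original OPEN means the
    capabilities must be renegotiated, i.e. the session is torn down."""
    return not set(wanted) <= set(negotiated)


if __name__ == "__main__":
    pe_open = encode_mp_capabilities([(1, 1), (1, 128)])   # IPv4 unicast + VPNv4
    print(pe_open.hex())
    print(describe(parse_mp_capabilities(pe_open)))
    later = [(1, 1), (1, 128), (2, 1)]                      # operator adds IPv6 unicast
    print("session reset needed:", session_needs_reset([(1, 1), (1, 128)], later))
```

The parser is written the way a receiver has to be: it never trusts a length field further than the bytes actually present, and it ignores what it does not understand rather than dropping the OPEN. session_needs_reset() is the fate-sharing rule from the paragraph above expressed as a set comparison.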

[Figure: afi-safi]

Watch the video below or alternatively click here to download it and watch it on your iPod.


The commands used to configure the above can be found below.

R1
!
ipv6 unicast-routing
!
interface FastEthernet1/0
description "Interface connected to R2"
ip address 10.0.0.1 255.255.255.252
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
!
router bgp 1
no bgp default ipv4-unicast
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 update-source Loopback0
!
address-family ipv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community
exit-address-family
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv6
neighbor 2.2.2.2 activate
exit-address-family

R2
!
ipv6 unicast-routing
!
interface FastEthernet1/0
description "Interface connected to R1"
ip address 10.0.0.2 255.255.255.252
!
router ospf 1
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
!
router bgp 1
no bgp default ipv4-unicast
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source Loopback0
!
address-family ipv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community
exit-address-family
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv6
neighbor 1.1.1.1 activate
exit-address-family

BGP Route Aggregation

There are times when it is required to aggregate a set of prefixes. There are a number of reasons why you would want to do this: your peering or transit edge may not accept prefixes of a certain size, you may want to reduce the size of the routing table in some part of your network, and so on.

Consider the topology below:

[Figure: bgp-aggregate]

Watch how to use the aggregate command below, or alternatively download the video and watch it on your iPod.


The commands used in the above setup are as below.

R1

interface FastEthernet1/0
description "Interface connected to R2"
ip address 10.0.0.1 255.255.255.252
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 10.0.0.2 remote-as 2
no auto-summary

R2

interface FastEthernet1/0
description "Interface connected to R1"
ip address 10.0.0.2 255.255.255.252
!
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
ip address 192.168.3.1 255.255.255.0
!
router bgp 2
no synchronization
bgp log-neighbor-changes
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
aggregate-address 192.168.0.0 255.255.252.0 suppress-map SUPPRESS-2-ONLY
neighbor 10.0.0.1 remote-as 1
no auto-summary
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
route-map SUPPRESS-2-ONLY permit 10
match ip address 1

Source Based RTBH

Consider the topology below.

[Figure: rtbh-src]

PC1 sends a SYN flood attack using source IP 192.168.1.1 to PC2 at destination address 172.16.1.1.

The network engineer at ZeeNet spots the attack and quickly logs on to the trigger router. He adds a static route to the trigger router which states that the next hop for 192.168.1.1/32 is Null0. This static route is then redistributed into BGP and advertised over iBGP to R1. When the static route is redistributed into iBGP, the route-map attached to the redistribute static command changes the next hop to 192.0.2.1.

R1 has a static route which states that to get to 192.0.2.1 you go via the Null0 interface.

R1 has Unicast Reverse Path Forwarding (uRPF) configured on fa1/1. URPF is a cool technology. When a packet enters fa1/1, uRPF checks the source address of the packet to see whether it has an entry in the local routing table. If there is no entry in the local routing table, or the entry points to a different interface, or the entry points to Null0, then the packet is dropped.

In our case, there is an entry in the local routing table for 192.168.1.1/32 which (via next hop 192.0.2.1) points to Null0. Therefore uRPF will drop the packet.

Once again, you have to understand the implications of using this approach: if, for example, an attacker is sending a SYN flood to PC2 while spoofing the address 10.10.10.1/32, and you black hole 10.10.10.1/32 using source-based RTBH, then the actual user at 10.10.10.1/32 will be black holed as well.
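As an added illustration (not code from the post), the following Python models R1's routing table with recursive next-hop resolution and the strict uRPF check that ip verify unicast reverse-path performs, then runs a few constructed packets through it before and after the trigger router installs the black hole. The interface names on R1, the 192.168.0.0/16 and 172.16.1.0/24 routes and the sample packets are assumptions made for the example; the 192.0.2.1 static route and the 192.168.1.1/32 trigger route are the ones from the post.

```python
import ipaddress

# Added example, not the blog's own code: a minimal model of R1's routing table
# with recursive next-hop resolution and strict uRPF, showing why the
# source-based RTBH trigger makes R1 drop packets sourced from 192.168.1.1.
# The interface names, the 192.168.0.0/16 and 172.16.1.0/24 routes and the
# sample packets are constructed for the illustration.


class Router:
    def __init__(self):
        # (network, next_hop); next_hop is an interface name or an IP string
        self.routes = []

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, address):
        """Longest-prefix match; returns (network, next_hop) or None."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def resolve_interface(self, address, depth=0):
        """Follow IP next hops recursively until an interface is reached, as CEF
        does: 192.168.1.1 -> 192.0.2.1 -> Null0."""
        if depth > 8:            # guard against next-hop loops
            return None
        entry = self.lookup(address)
        if entry is None:
            return None
        next_hop = entry[1]
        try:
            ipaddress.ip_address(next_hop)
        except ValueError:
            return next_hop      # already an interface name
        return self.resolve_interface(next_hop, depth + 1)

    def urpf_strict(self, ingress, src):
        """Strict uRPF (ip verify unicast reverse-path): the source needs a route,
        it must not resolve to Null0 and it must point back out the ingress
        interface. Returns (verdict, reason)."""
        iface = self.resolve_interface(src)
        if iface is None:
            return ("drop", "no route to source")
        if iface == "Null0":
            return ("drop", "source resolves to Null0 (black-holed)")
        if iface != ingress:
            return ("drop", f"source is reachable via {iface}, not {ingress}")
        return ("forward", f"source is reachable via {ingress}")


def build_r1(blackhole_active):
    """R1 as configured in the post; the /32 from the trigger router is present
    only once the engineer has installed the tagged static route."""
    r1 = Router()
    r1.add_route("192.168.0.0/16", "FastEthernet1/1")  # constructed: attacker side
    r1.add_route("172.16.1.0/24", "FastEthernet1/0")   # constructed: towards PC2
    r1.add_route("192.0.2.1/32", "Null0")              # ip route 192.0.2.1 255.255.255.255 Null0
    if blackhole_active:
        # learned over iBGP, next hop rewritten to 192.0.2.1 by route-map BLACK-HOLE
        r1.add_route("192.168.1.1/32", "192.0.2.1")
    return r1


# Constructed packets: (ingress interface, source address)
PACKETS = [
    ("FastEthernet1/1", "192.168.1.1"),  # the SYN flood source
    ("FastEthernet1/1", "192.168.1.2"),  # a legitimate host next to it
    ("FastEthernet1/1", "172.16.1.1"),   # spoofed: this source lives behind fa1/0
]


def run(blackhole_active):
    """Return [(source, verdict)] for each packet before/after the trigger."""
    r1 = build_r1(blackhole_active)
    return [(src, r1.urpf_strict(ingress, src)[0]) for ingress, src in PACKETS]


if __name__ == "__main__":
    for active in (False, True):
        print("black hole active:" if active else "before trigger:")
        r1 = build_r1(active)
        for ingress, src in PACKETS:
            verdict, reason = r1.urpf_strict(ingress, src)
            print(f"  {src:14} {verdict:8} {reason}")
```

The second packet shows that the trigger is surgical (only the /32 is affected, its neighbour keeps forwarding) and the third shows strict uRPF doing its ordinary job on a source that does not belong on fa1/1. The caveat from the paragraph above is visible in the first packet: once 192.168.1.1/32 is black-holed, every packet with that source is dropped, whether it is part of the flood or legitimate traffic from a user whose address was spoofed.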

Now let's look at how to configure source-based RTBH below, or alternatively click here to download the video and watch it on your iPod.


The commands used to configure Source based RTBH are as follows.

R1

! Configure uRPF on the interface facing the attacker.

interface FastEthernet1/1
ip verify unicast reverse-path

! Black hole static route.

ip route 192.0.2.1 255.255.255.255 Null0

Trigger router

! Route-map which matches tagged static routes, sets the IP next hop and adds the no-export community.

route-map BLACK-HOLE permit 10
match tag 100
set ip next-hop 192.0.2.1
set community no-export

! Attach the route-map to the redistribute static command under BGP.

router bgp 1
redistribute static route-map BLACK-HOLE

! Add the tagged static route for the source address you would like to black hole.

ip route 192.168.1.1 255.255.255.255 Null0 tag 100

! Black hole static route.

ip route 192.0.2.1 255.255.255.255 Null0