MPLS VPN

OK, now the fun stuff starts: MPLS VPNs. I have created a nice topology with the ISP "someisp.net" and two customers that have connected their branches in New York and Tel Aviv: "google.net", a small company, and "shirannet.net", an innovative company running native IPv6.

This time I will take a different approach: instead of talking and talking (I mean writing and writing), I will give you all the configurations and the .net file I built and let you play around.

MPLS VPN Topology configuration + .net

Some pointers:

1) You can divide the topology into 2 main sections, Provider and Customer, and 3 virtual divisions (explained below):

a) Provider backbone: relatively simple configuration; the P routers run only an IGP (OSPF, flat area 0).
b) PEs are the complex part, holding both the customer-facing protocol and the provider topology, and doing the conversion between the two.
c) Customer edge: again a simple configuration.

2) TTL propagation: in the configuration files I have provided, I left the default TTL propagation behavior, where the inner TTL field (of the original packet) is decremented along the path, revealing the service provider's path. Normally this is not what you want, and changing that behavior is very simple: a single command on each PE router, see the example below:

PE_newyork_someisp.n(config)#no mpls ip propagate-ttl

Another scenario is where the "shirannet.net" customer is using native IPv6. You will notice that if you perform a trace while TTL propagation is enabled, your trace will not function properly. That is because the backbone (P) routers are not IPv6 enabled at all; they do not know what IPv6 is!!!

! Before disabling ttl propagation
CE_newyork_shirannet.net#traceroute  2001:CE72:68::2
Type escape sequence to abort.
Tracing the route to 2001:CE72:68::2
  1 2001:CE92:68::1 52 msec 16 msec 8 msec
  2  *  *  *
  3  *
CE_newyork_shirannet.net#ping  2001:CE72:68::2
!
! although there is nothing wrong with End To End Connectivity
!
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:CE72:68::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/64/88 ms
!
! After disabling ttl propagation the trace is also fine :-)
!
CE_newyork_shirannet.net#traceroute  2001:CE72:68::2
Type escape sequence to abort.
Tracing the route to 2001:CE72:68::2
  1 2001:CE92:68::1 36 msec 36 msec 24 msec
  2 2001:CE72:68::1 52 msec 56 msec 32 msec
  3 2001:CE72:68::2 52 msec 48 msec 60 msec
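To make the effect of propagate-ttl concrete, here is a small added model (my own code, not part of the lab files) of a CE-PE-P-P-PE-CE path: the two P routers are constructed placeholders, and the hop list it produces lines up with the three trace outputs above (PE, timeouts, PE, CE with propagation; PE, PE, CE without it).

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    role: str  # "pe" (provider edge), "p" (core) or "ce" (customer edge, the target)

# Constructed path from CE_newyork_shirannet.net towards the Tel Aviv CE;
# P1 and P2 are placeholder names standing in for the someisp.net core.
PATH = [Node("PE_newyork", "pe"), Node("P1", "p"), Node("P2", "p"),
        Node("PE_telaviv", "pe"), Node("CE_telaviv", "ce")]

def probe(ttl, propagate_ttl, ipv6):
    """Return the node that answers one probe sent with this TTL, or '*' on timeout."""
    ip_ttl, label_ttl = ttl, None
    for node in PATH:
        if node.role == "pe" and label_ttl is None:      # ingress PE: route, then push label
            ip_ttl -= 1
            if ip_ttl == 0:
                return node.name
            # default: copy the (decremented) IP TTL into the label TTL;
            # with 'no mpls ip propagate-ttl' the label starts at 255 instead
            label_ttl = ip_ttl if propagate_ttl else 255
        elif node.role == "p":                            # core: label switching only
            label_ttl -= 1
            if label_ttl == 0:
                # IPv4: the P router's ICMP time-exceeded rides the LSP to the egress
                # PE and reaches the source, so the P router shows up in the trace.
                # IPv6: a P router without an IPv6 stack cannot build an ICMPv6 reply.
                return "*" if ipv6 else node.name
        elif node.role == "pe":                           # egress PE: pop label
            if propagate_ttl:
                ip_ttl = label_ttl                        # label TTL copied back into IP
            label_ttl = None
            ip_ttl -= 1
            if ip_ttl == 0:
                return node.name
        else:                                             # destination CE answers
            return node.name
    return "*"

def traceroute(propagate_ttl, ipv6, max_ttl=8):
    """Probe with TTL 1..max_ttl and stop once the destination CE answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hops.append(probe(ttl, propagate_ttl, ipv6))
        if hops[-1] == PATH[-1].name:
            break
    return hops

if __name__ == "__main__":
    for prop, v6 in ((True, True), (False, True), (True, False)):
        print(f"propagate-ttl={prop} ipv6={v6}: {traceroute(prop, v6)}")
```

The IPv4 run with propagation enabled shows why the default also matters for google.net: the P routers' names appear in the customer's trace, which is exactly the core exposure `no mpls ip propagate-ttl` removes.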

 

3) One last thing I would like to draw your attention to, again concerning IPv6: notice the VRF configuration, which uses the new method:

! This is the new way of defining VRFs and the only one supported
! when working with IPv6 and VRFs
vrf definition shirannet.net
 rd 20000:40
 route-target export 20000:40
 route-target import 20000:40
 !
 address-family ipv6
 exit-address-family
!
! I did both methods just to draw your attention to both ways
!
ip vrf google.net
 rd 10000:80
 route-target export 10000:80
 route-target import 10000:80
!

 

OK, that is it. I hope you will have fun; I think the basic configuration will let you play with and test all kinds of scenarios and get a better understanding of the subject.

however normally resources are limited and expensive, and Service provider would like to make money from his available resources. maximum routes configured under VRF provide a mean of controlling PE local resource and abuse avoidance from the CE side.I have vrf called DC_EXTRANET, you can see that I have 16 routes, I have configured 10 maximum routes under that vrf however I did not want to be aggressive so I have set the warning only option. See that immediately I get a notice that I have more routes then the maximum, however no action is taken other then alerting and sending a syslog. ! PE_ashdod_otherisp.n(config-vrf)# maximum routes 10 warning-only % The current number of routes in the routing table is equal to, or exceeds the configured warning limit PE_ashdod_otherisp.n(config-vrf)# *Nov 26 20:39:41.175: %IPRT-3-ROUTELIMITWARNING: IP routing table limit warning - DC_…