Monday, December 12, 2011

MPLS VPN


OK, now the fun stuff starts: MPLS VPNs. I have created a nice topology with an ISP, "someisp.net", and two customers that have connected their branches in New York and Tel Aviv: "google.net", a small company, and "shirannet.net", an innovative company running native IPv6.

This time I will take a different approach: instead of talking and talking (I mean writing and writing) I will give you all the configurations and the .net file I made, and let you play around.

MPLS VPN Topology configuration + .net

Some pointers:

1) You can divide the topology into 2 main sections, Provider and Customer, and 3 virtual divisions (explained below):


a) Provider backbone: relatively simple configuration; the P routers are set up only with an IGP (OSPF, flat area 0)
b) PEs are the complex part, holding both the customer-facing protocol and the provider topology, and doing the conversion between them.
c) Customer edge: again a simple configuration

2) TTL propagation: in the configuration files I have provided I have left the default behavior of TTL propagation, where the inner TTL field (of the original packet) is decremented along the path, revealing the service provider path. Normally this is not what you will want, and the way to change that behavior is very simple, with a single command on each PE router; see the example below:

PE_newyork_someisp.n(config)#no mpls ip propagate-ttl

Another scenario is where the "shirannet.net" customer is using native IPv6: you will notice that if you perform a trace while TTL propagation is enabled, your trace will not function properly. That is because the backbone P routers are not IPv6 enabled at all; they do not know what IPv6 is!!!

! Before disabling ttl propagation
CE_newyork_shirannet.net#traceroute  2001:CE72:68::2
Type escape sequence to abort.
Tracing the route to 2001:CE72:68::2
  1 2001:CE92:68::1 52 msec 16 msec 8 msec
  2  *  *  *
  3  *
CE_newyork_shirannet.net#ping  2001:CE72:68::2
!
! although there is nothing wrong with End To End Connectivity
!
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:CE72:68::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/64/88 ms
!
! After disabling ttl propagation the trace is fine too :-)
!
CE_newyork_shirannet.net#traceroute  2001:CE72:68::2
Type escape sequence to abort.
Tracing the route to 2001:CE72:68::2
  1 2001:CE92:68::1 36 msec 36 msec 24 msec
  2 2001:CE72:68::1 52 msec 56 msec 32 msec
  3 2001:CE72:68::2 52 msec 48 msec 60 msec
CE_newyork_shirannet.net#traceroute  2001:CE72:68::2
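To see why the trace above fails with TTL propagation on and works once it is off, here is a small simulation of the two behaviours. This is an added example, not code from the original post or from the someisp.net lab: it models a single-label LSP without penultimate hop popping (a simplification of real IOS behaviour), and the node names in PATH are assumptions. The point it shows is which router answers each traceroute probe, and why an IPv4-only P router silently swallows the IPv6 probe.

```python
from dataclasses import dataclass

# Constructed path for this example, modelled on the someisp.net backbone:
# the CE in New York probes towards the CE in Tel Aviv through two PEs and one
# IPv4-only P router. Names are assumptions, not taken from the .net file.
@dataclass
class Node:
    name: str
    role: str            # "pe", "p" or "ce"
    has_ipv6: bool = True

PATH = [
    Node("PE_newyork", "pe"),
    Node("P_core", "p", has_ipv6=False),   # label switching only, no IPv6 stack
    Node("PE_telaviv", "pe"),
    Node("CE_telaviv", "ce"),
]

def probe(ttl, family, propagate_ttl):
    """Send one traceroute probe with the given IP TTL.

    Returns the name of the node that answers (ICMP time-exceeded or the
    destination itself), or None when nothing answers (shown as '*' by IOS).
    Simplified model: one label, no penultimate hop popping.
    """
    ip_ttl = ttl
    label_ttl = None
    for node in PATH:
        if node.role == "pe" and label_ttl is None:
            # Ingress PE routes the IP packet (decrements TTL) and pushes a label.
            ip_ttl -= 1
            if ip_ttl == 0:
                return node.name
            # Default: the IP TTL is copied into the label. With
            # 'no mpls ip propagate-ttl' the label TTL starts at 255 instead.
            label_ttl = ip_ttl if propagate_ttl else 255
        elif node.role == "p":
            # A P router only touches the label TTL; it never parses the payload.
            label_ttl -= 1
            if label_ttl == 0:
                # The time-exceeded message must be built from the inner packet.
                # An IPv4-only P router cannot generate ICMPv6, so the probe is lost.
                return node.name if family == 4 or node.has_ipv6 else None
        elif node.role == "pe":
            # Egress PE pops the label. Only with propagation is the label TTL
            # written back into the IP header before routing continues.
            if propagate_ttl:
                ip_ttl = label_ttl
            label_ttl = None
            ip_ttl -= 1
            if ip_ttl == 0:
                return node.name
        else:
            return node.name   # destination CE replies
    return None

def traceroute(family, propagate_ttl, max_hops=8):
    """Return the list of responders, one per hop, until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answer = probe(ttl, family, propagate_ttl)
        hops.append(answer)
        if answer == PATH[-1].name:
            break
    return hops

if __name__ == "__main__":
    for family, prop in ((6, True), (6, False), (4, True), (4, False)):
        print(f"IPv{family}, propagate-ttl={prop}:",
              [h or "*" for h in traceroute(family, prop)])
```

Running it reproduces the two IPv6 traces from the post (PE, then "*" with propagation; PE, PE, CE without) and also shows the IPv4 case the post mentions: with propagation left at its default the P router shows up as a hop, which is exactly the backbone information a provider normally does not want to expose to customers.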

 

3) One last thing I would like to point your attention to, again concerning IPv6: notice the VRF configuration, which uses the new method:

! This is the new way of defining VRFs and the only one supported
! when working with IPv6 and VRFs
vrf definition shirannet.net
 rd 20000:40
 route-target export 20000:40
 route-target import 20000:40
 !
 address-family ipv6
 exit-address-family
!
! I did both methods just to draw your attention to both ways
!
ip vrf google.net
 rd 10000:80
 route-target export 10000:80
 route-target import 10000:80
!

 

OK, that is it. I hope you will have fun; I think the basic configuration will allow you to play and test all kinds of scenarios and get a better understanding of the subject.

Friday, November 04, 2011

IPV6 NAT-PT Dynamic


IPv6 NAT-PT is one of the methods out there for migrating from v4 to v6. NAT-PT is not a normal NAT: with a normal NAT you translate one address to another, whereas with NAT-PT we translate between two different protocols, IPv6 to IPv4 (and vice versa).

In the above scenario I have built a simple topology: R1 is a host running only IPv6, R2 is my translator between IPv6 and IPv4, and R3 is my gateway to the outside (IPv4 only). As you can see from above, R3 is connected to my home network, so I have done normal IPv4 NAT between what is coming in on f0/0 and going out on f0/1 (my home net).

R1 (IPv6-only host):
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:100:100::1/64
 ipv6 address FE80::1 link-local
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
!
ipv6 route ::/0 2001:100:100::2
!
!
R2 (NAT-PT translator):
ipv6 unicast-routing
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:100:100::2/64
 ipv6 address FE80::2 link-local
 ipv6 nat
!
interface FastEthernet0/1
 ip address 100.100.0.1 255.255.255.0
 duplex auto
 speed auto
 ipv6 nat
!
ip route 0.0.0.0 0.0.0.0 100.100.0.2
!
!
ip http server
no ip http secure-server
!
ipv6 nat v6v4 source list NAT_TRANSLATIONS pool V4POOL
ipv6 nat v6v4 pool V4POOL 100.100.0.101 100.100.0.110 prefix-length 24
ipv6 nat prefix 2001::/96 v4-mapped NAT_TRANSLATIONS
!
!
!
!
ipv6 access-list NAT_TRANSLATIONS
 permit ipv6 any 2001::/96
!
R3 (IPv4-only gateway):
interface FastEthernet0/0
 ip address 100.100.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
!
access-list 100 permit ip 100.100.0.0 0.0.0.255 any
!

 

As you can see from the above configuration, R1 is IPv6 only and R3 is IPv4 only.

IPV6_HOST#ping 2001::808:808
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::808:808, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/142/184 ms
IPV6_HOST#
From the above you can see I ping 2001::808:808; 2001:: is the prefix I use for the NAT-PT, and the last 32 bits, 0808:0808, are translated to 8.8.8.8 (Google DNS).

To verify the translation on the NAT-PT router:

NAT_PT_ROUTER#sh ipv nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.0.0.2                 2001::A00:2
icmp  100.100.0.102,3764       2001:100:100::1,3764
      8.8.8.8,3764             2001::808:808,3764
---   100.100.0.102            2001:100:100::1
      10.0.0.2                 2001::A00:2
---   100.100.0.102            2001:100:100::1
      ---                      ---
NAT_PT_ROUTER#debug ipv6 nat
IPv6 NAT-PT debugging is on
NAT_PT_ROUTER#
*Mar  1 14:12:06.104: IPv6 NAT: icmp src (2001:100:100::1) -> (100.100.0.102), dst (2001::808:808) -> (8.8.8.8)
*Mar  1 14:12:06.236: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.256: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.264: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.280: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
The default timeout for a translation entry to expire from the table is 60 sec; to save some work on the router I would suggest increasing that timeout:
ipv nat translation timeout 300 (increase to 5 min)
With that said, you can increase or decrease the timeout separately for tcp, udp and icmp. I would love to also have the option to specifically decrease the timeout for SYN (to prevent a SYN flood from filling the table); currently there is an option only for the FIN or RST flags (and I suggest decreasing their timeout):
ipv nat translation finrst-timeout 10
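The following is an added example, not code from the original post or from IOS, that models what the R2 configuration above does: the v4-mapped prefix 2001::/96 carries the IPv4 destination in its low 32 bits, the NAT_TRANSLATIONS access list decides which IPv6 destinations are translated at all, sources are mapped dynamically onto the V4POOL range, and entries age out after the translation timeout. Prefix, pool and timeout values are taken from the post; the translator class and its method names are assumptions for illustration.

```python
import ipaddress

# Values from the R2 configuration in the post. The translator state below is a
# constructed model for this example, not IOS code.
NAT_PREFIX = ipaddress.IPv6Network("2001::/96")        # ipv6 nat prefix 2001::/96 v4-mapped
POOL = [ipaddress.IPv4Address("100.100.0.101") + i for i in range(10)]  # V4POOL .101-.110
DEFAULT_TIMEOUT = 60                                   # IOS default, seconds

def v4_mapped_to_ipv4(addr):
    """IPv4 address embedded in the low 32 bits of a v4-mapped IPv6 address.
    Returns None when the address is outside the NAT-PT prefix, i.e. not
    matched by 'permit ipv6 any 2001::/96' in NAT_TRANSLATIONS."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in NAT_PREFIX:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def ipv4_to_v4_mapped(addr):
    """The v4-mapped address an IPv6-only host must use to reach an IPv4 destination."""
    return ipaddress.IPv6Address(int(NAT_PREFIX.network_address) | int(ipaddress.IPv4Address(addr)))

class NatPt:
    """Minimal dynamic v6->v4 translator: one pool address per IPv6 source, aging entries."""

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.table = {}       # IPv6 source -> (pool IPv4 address, last-used timestamp)

    def expire(self, now):
        stale = [k for k, (_, last) in self.table.items() if now - last >= self.timeout]
        for k in stale:
            del self.table[k]

    def translate_v6_to_v4(self, src6, dst6, now):
        """Outbound packet. Returns (src4, dst4) as strings, or None if not translated."""
        self.expire(now)
        dst4 = v4_mapped_to_ipv4(dst6)
        if dst4 is None:
            return None                  # ACL miss: routed natively, never translated
        src6 = ipaddress.IPv6Address(src6)
        if src6 not in self.table:
            in_use = {v4 for v4, _ in self.table.values()}
            free = [p for p in POOL if p not in in_use]
            if not free:
                return None              # pool exhausted: translation fails
            self.table[src6] = (free[0], now)
        src4, _ = self.table[src6]
        self.table[src6] = (src4, now)   # refresh the entry's timer
        return str(src4), str(dst4)

    def translate_v4_to_v6(self, src4, dst4, now):
        """Return traffic: map the pool address back to the IPv6 host that owns it."""
        self.expire(now)
        for src6, (pool4, _) in self.table.items():
            if str(pool4) == dst4:
                self.table[src6] = (pool4, now)
                return str(ipv4_to_v4_mapped(src4)), str(src6)
        return None                      # no entry: the return packet is dropped

if __name__ == "__main__":
    nat = NatPt(timeout=300)             # the 5-minute value suggested in the post
    print(nat.translate_v6_to_v4("2001:100:100::1", "2001::808:808", now=0))
    print(nat.translate_v4_to_v6("8.8.8.8", "100.100.0.101", now=1))
```

The model makes the operational trade-off in the post visible: a longer timeout means fewer re-allocations for the router, but every entry holds one of only ten pool addresses, so a burst of sources that never complete a session (the SYN case the post wishes it could time out separately) keeps pool addresses tied up until the timer expires.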

Saturday, August 20, 2011

BGP FREE CORE


In this article I would like to demonstrate the power of the BGP free core: the simplicity for the ISP as well as for the customer, who needs site-to-site connectivity without creating VPNs or doing any complex configuration.

Configurations of the four CE routers (R1_VRF_CCIE, R2_VRF_CCIE, R2_VRF_CCDE, R1_VRF_CCDE):
R1_VRF_CCIE#sh run
Building configuration...
Current configuration : 641 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1_VRF_CCIE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 1.1.13.1 255.255.255.0
 duplex auto
 speed auto
!
router rip
 version 2
 network 1.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
end
R1_VRF_CCIE#
R2_VRF_CCIE#sh run
Building configuration...
Current configuration : 717 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2_VRF_CCIE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip address 1.1.22.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 1.1.42.2 255.255.255.0
 duplex auto
 speed auto
!
router rip
 version 2
 network 1.0.0.0
 network 2.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
end
R2_VRF_CCIE#
R2_VRF_CCDE#sh run
Building configuration...
Current configuration : 1011 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2_VRF_CCDE
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
 no clns route-cache
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
 no clns route-cache
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 no clns route-cache
!
interface ATM1/0
 no ip address
 no atm enable-ilmi-trap
 no clns route-cache
!
interface ATM1/0.1 point-to-point
 ip address 1.1.48.8 255.255.255.0
 no atm enable-ilmi-trap
 pvc 0/201
  encapsulation aal5snap
 !
!
router eigrp 100
 network 0.0.0.0
 no auto-summary
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 no login
!
!
end
R1_VRF_CCDE#sh run
Building configuration...
Current configuration : 1360 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1_VRF_CCDE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 1.1.67.6 255.255.255.0
 encapsulation frame-relay
 ip ospf priority 0
 ip ospf 1 area 0
 clock rate 2000000
 frame-relay map ip 1.1.67.3 201 broadcast
 no frame-relay inverse-arp
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 router-id 6.6.6.6
 log-adjacency-changes
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
end
R1_VRF_CCDE#

 

You can see in the configuration there is no VRF configured; I only called them VRF routers as these are the CEs connected to the ISP PE routers.

Below you can see the CE for CCIE. The path from R1 to R2 can be (R1 -> R3 -> R4 -> R2) or (R1 -> R3 -> R5 -> R4 -> R2).

 

R1_VRF_CCIE#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       1.1.1.1/32 is directly connected, Loopback0
C       1.1.13.0/24 is directly connected, FastEthernet0/0
R       1.1.22.2/32 [120/1] via 1.1.13.3, 00:00:11, FastEthernet0/0
R       1.1.42.0/24 [120/1] via 1.1.13.3, 00:00:11, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/1] via 1.1.13.3, 00:00:11, FastEthernet0/0
R1_VRF_CCIE#ping 2.2.2.2 sou
R1_VRF_CCIE#ping 2.2.2.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/77/120 ms
R1_VRF_CCIE#
R1_VRF_CCIE#traceroute 2.2.2.2 source lo0
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 1.1.13.3 32 msec 16 msec 24 msec
  2 1.1.42.4 [MPLS: Labels 19 Exp 0] 28 msec 48 msec 40 msec
  3 1.1.42.2 72 msec *  72 msec
R1_VRF_CCIE#
R1_VRF_CCIE#traceroute 2.2.2.2 source lo0
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 1.1.13.3 20 msec 28 msec 16 msec
  2 1.1.35.5 [MPLS: Labels 18/19 Exp 0] 96 msec 80 msec 68 msec
  3 1.1.42.4 [MPLS: Label 19 Exp 0] 68 msec 40 msec 40 msec
  4 1.1.42.2 64 msec *  76 msec
R1_VRF_CCIE#

 

 

In the above traces I have demonstrated the two path selections: the first is the natural selection, and just by shutting the interface between R3 and R4 I have forced the routers to select the other path (only to show that both paths are valid and working). Please note another interesting thing: we can see the MPLS path. In the next article I will show you how to keep that information away from the customer, who does not need to know it, but for this demonstration it helps me show you how it works.

Now we see that the CE is simply configured with an IP address under the interface (along with the proper L2 configuration) and an IGP; again, that is a decision I made for simplicity. The next step will be to demonstrate a multi-homed setup; however, let's not get ahead of ourselves.

So let's look at how the ISP is configured:

R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 3 subnets
C       1.1.35.0 is directly connected, Serial1/1
C       1.1.43.0 is directly connected, Serial1/0
O       1.1.45.0 [110/128] via 1.1.43.4, 00:10:44, Serial1/0
                 [110/128] via 1.1.35.5, 00:10:44, Serial1/1
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 1.1.43.4, 00:10:44, Serial1/0
     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/65] via 1.1.35.5, 00:10:44, Serial1/1
# Where is the route to 2.2.2.2 and to 1.1.1.1???!
# Remember the VRF?!
R3#sh ip route vrf CCIE
Routing Table: CCIE
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
R       1.1.1.1/32 [120/1] via 1.1.13.1, 00:00:15, FastEthernet0/0
C       1.1.13.0/24 is directly connected, FastEthernet0/0
B       1.1.22.2/32 [200/1] via 4.4.4.4, 4d22h
B       1.1.42.0/24 [200/0] via 4.4.4.4, 4d22h
     2.0.0.0/32 is subnetted, 1 subnets
B       2.2.2.2 [200/1] via 4.4.4.4, 4d22h
R3#
# OK now I can see the routes, but wait I do not have BGP
# Configured on my customers!!!

OK, so how does that work? In our topology, between CE and PE we have an IGP configured. On the PE I have the IGP to exchange routes with the CEs, an IGP between all the ISP routers only for internal reachability and LDP / TDP (MPLS label mapping), and BGP for distributing the customer routes into the IGP. Now you ask yourself: YOU SAID this should be BGP FREE?! Please note the headline says BGP FREE CORE, and by core I refer to the internal ISP network. In my diagram you can see only one core router, R5; however, ISPs are built far more complex and their core may contain a little more than that.

So let's see what we have on R5, as I have demonstrated an instance where the path goes through it:

R5#sh ip route vrf *
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 3 subnets
C       1.1.35.0 is directly connected, Serial0/1
O       1.1.43.0 [110/128] via 1.1.45.4, 00:24:19, Serial0/0
                 [110/128] via 1.1.35.3, 00:24:19, Serial0/1
C       1.1.45.0 is directly connected, Serial0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 1.1.35.3, 00:24:19, Serial0/1
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/65] via 1.1.45.4, 00:24:19, Serial0/0
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
R5#
# As you can see there is only the main routing table, no VRF
# 
R5#sh ip protocols
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 5.5.5.5
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    1.1.35.5 0.0.0.0 area 0
    1.1.45.5 0.0.0.0 area 0
    5.5.5.5 0.0.0.0 area 0
 Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
    2.2.2.2              110      5d21h
    1.1.1.1              110      6d00h
    3.3.3.3              110      00:25:24
    4.4.4.4              110      00:25:24
  Distance: (default is 110)
R5#
# Only OSPF in the main table! Used, as I have mentioned, for
# internal ISP communication and LDP / TDP (MPLS label mapping)
R5#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     1.1.43.0/24       0          Se0/0      point2point
       Pop tag     1.1.43.0/24       0          Se0/1      point2point
17     Pop tag     3.3.3.3/32        4764362    Se0/1      point2point
18     Pop tag     4.4.4.4/32        5707479    Se0/0      point2point
R5#
You can also see that the MPLS table is very small; the only thing R5 needs to know is what to do when receiving labels 16, 17 and 18.
   
R3#sh run
Building configuration...
Current configuration : 2839 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf CCDE
 rd 333:2
 route-target export 1001:11
 route-target import 1001:11
!
ip vrf CCIE
 rd 333:1
 route-target export 10000:1
 route-target import 10001:1
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 no clns route-cache
!
interface Loopback1
 ip vrf forwarding CCDE
 ip address 33.3.3.3 255.255.255.255
 no clns route-cache
!
interface FastEthernet0/0
 ip vrf forwarding CCIE
 ip address 1.1.13.3 255.255.255.0
 duplex auto
 speed auto
 no clns route-cache
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 no clns route-cache
!
interface Serial1/0
 ip address 1.1.43.3 255.255.255.0
 mpls ip
 serial restart-delay 0
 no clns route-cache
!
interface Serial1/1
 ip address 1.1.35.3 255.255.255.0
 mpls ip
 serial restart-delay 0
 no clns route-cache
!
interface Serial1/2
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no frame-relay inverse-arp
 no clns route-cache
!
interface Serial1/2.2 multipoint
 ip vrf forwarding CCDE
 ip address 1.1.67.3 255.255.255.0
 frame-relay map ip 1.1.67.6 102 broadcast
 frame-relay map ip 1.1.67.7 103 broadcast
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no clns route-cache
!
router ospf 2 vrf CCDE
 router-id 33.3.3.3
 log-adjacency-changes
 redistribute bgp 10000 subnets
 network 1.1.67.3 0.0.0.0 area 0
 network 33.3.3.3 0.0.0.0 area 0
 neighbor 1.1.67.7
 neighbor 1.1.67.6
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 1.1.13.3 0.0.0.0 area 0
 network 1.1.35.3 0.0.0.0 area 0
 network 1.1.43.3 0.0.0.0 area 0
 network 3.3.3.3 0.0.0.0 area 0
!
router rip
 !
 address-family ipv4 vrf CCIE
 redistribute bgp 10000 metric 1
 network 1.0.0.0
 no auto-summary
 version 2
 exit-address-family
!
router bgp 10000
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 10000
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
 neighbor 4.4.4.4 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family vpnv4
 neighbor 4.4.4.4 activate
 neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CCIE
 redistribute rip
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CCDE
 redistribute ospf 2 vrf CCDE
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
R3#
R4#sh run
Building configuration...
Current configuration : 2627 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
ip vrf CCDE
 rd 444:2
 route-target export 1001:11
 route-target import 1001:11
!
ip vrf CCIE
 rd 444:1
 route-target export 10001:1
 route-target import 10000:1
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 no clns route-cache
!
interface FastEthernet0/0
 ip vrf forwarding CCIE
 ip address 1.1.42.4 255.255.255.0
 duplex auto
 speed auto
 no clns route-cache
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 no clns route-cache
!
interface Serial1/0
 ip address 1.1.43.4 255.255.255.0
 mpls ip
 serial restart-delay 0
 no clns route-cache
!
interface Serial1/1
 ip address 1.1.45.4 255.255.255.0
 mpls ip
 serial restart-delay 0
 no clns route-cache
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no clns route-cache
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no clns route-cache
!
interface ATM2/0
 no ip address
 no atm enable-ilmi-trap
 no clns route-cache
!
interface ATM2/0.2 point-to-point
 ip vrf forwarding CCDE
 ip address 1.1.48.4 255.255.255.0
 no atm enable-ilmi-trap
 pvc 0/102
  encapsulation aal5snap
 !
!
router eigrp 100
 no auto-summary
 !
 address-family ipv4 vrf CCDE
 redistribute bgp 10000 metric 1 1 1 1 1
 network 0.0.0.0
 no auto-summary
 autonomous-system 100
 exit-address-family
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 1.1.42.4 0.0.0.0 area 0
 network 1.1.43.4 0.0.0.0 area 0
 network 1.1.45.4 0.0.0.0 area 0
 network 4.4.4.4 0.0.0.0 area 0
!
router rip
 !
 address-family ipv4 vrf CCIE
 redistribute bgp 10000 metric 1
 network 1.0.0.0
 no auto-summary
 version 2
 exit-address-family
!
router bgp 10000
 no synchronization
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 10000
 neighbor 3.3.3.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 3.3.3.3 activate
 neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CCIE
 redistribute rip
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CCDE
 redistribute eigrp 100
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
!
end
R4#

Please look into the configuration of R3 and R4 (ISP PEs): now you can see I have configured VRFs CCIE and CCDE, an IGP for PE to CE, an IGP for the internal ISP and BGP for distributing the customer routes.

Note two new configuration items: rd (route distinguisher) and route target. The rd provides a unique id for the NLRI, so the router can tell route 192.168.0.0 of Customer A from 192.168.0.0 of Customer B. It is perfectly OK for me to use an RFC1918 range in my organization and have the same range used in 10 other organizations; however, if all 10 are connected to the same ISP and the ISP needs to provide each customer a VPN between his sites, he also needs to know, when he gets communication from the CEO of Microsoft, not to deliver it by mistake to the CEO of Cisco when it was only meant for the CTO of Microsoft (although it will simply not work at the application level, this is a raw example of what we want to avoid).

 

R4# sh ip bgp vpnv4 all
BGP table version is 58, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:1
*>i1.1.1.1/32       3.3.3.3                  1    100      0 ?
*>i1.1.13.0/24      3.3.3.3                  0    100      0 ?
Route Distinguisher: 333:2
*>i1.1.67.0/24      3.3.3.3                  0    100      0 ?
*>i6.6.6.6/32       3.3.3.3                 65    100      0 ?
*>i33.3.3.3/32      3.3.3.3                  0    100      0 ?
Route Distinguisher: 444:1 (default for vrf CCIE)
*>i1.1.1.1/32       3.3.3.3                  1    100      0 ?
*>i1.1.13.0/24      3.3.3.3                  0    100      0 ?
*> 1.1.22.2/32      1.1.42.2                 1         32768 ?
*> 1.1.42.0/24      0.0.0.0                  0         32768 ?
*> 2.2.2.2/32       1.1.42.2                 1         32768 ?
Route Distinguisher: 444:2 (default for vrf CCDE)
*> 1.1.48.0/24      0.0.0.0                  0         32768 ?
*>i1.1.67.0/24      3.3.3.3                  0    100      0 ?
*>i6.6.6.6/32       3.3.3.3                 65    100      0 ?
   Network          Next Hop            Metric LocPrf Weight Path
*> 8.8.8.8/32       1.1.48.8            146432         32768 ?
*>i33.3.3.3/32      3.3.3.3                  0    100      0 ?
R4# sh ip bgp vpnv4 all
BGP table version is 62, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 333:1
*>i1.1.1.1/32       3.3.3.3                  1    100      0 ?
*>i1.1.13.0/24      3.3.3.3                  0    100      0 ?
*>i192.168.0.0      3.3.3.3                  1    100      0 ?
Route Distinguisher: 333:2
*>i1.1.67.0/24      3.3.3.3                  0    100      0 ?
*>i6.6.6.6/32       3.3.3.3                 65    100      0 ?
*>i33.3.3.3/32      3.3.3.3                  0    100      0 ?
Route Distinguisher: 444:1 (default for vrf CCIE)
*>i1.1.1.1/32       3.3.3.3                  1    100      0 ?
*>i1.1.13.0/24      3.3.3.3                  0    100      0 ?
*> 1.1.22.2/32      1.1.42.2                 1         32768 ?
*> 1.1.42.0/24      0.0.0.0                  0         32768 ?
*> 2.2.2.2/32       1.1.42.2                 1         32768 ?
*>i192.168.0.0      3.3.3.3                  1    100      0 ?
Route Distinguisher: 444:2 (default for vrf CCDE)
*> 1.1.48.0/24      0.0.0.0                  0         32768 ?
   Network          Next Hop            Metric LocPrf Weight Path
*>i1.1.67.0/24      3.3.3.3                  0    100      0 ?
*>i6.6.6.6/32       3.3.3.3                 65    100      0 ?
*> 8.8.8.8/32       1.1.48.8            146432         32768 ?
*>i33.3.3.3/32      3.3.3.3                  0    100      0 ?
*> 192.168.0.0      1.1.48.8            146432         32768 ?

Please notice route 192.168.0.0:

R1_VRF_CCIE#sh run int lo10
Building configuration...
Current configuration : 66 bytes
!
interface Loopback10
 ip address 192.168.0.1 255.255.255.0
end
R2_VRF_CCDE#sh run int lo10
Building configuration...
Current configuration : 87 bytes
!
interface Loopback10
 ip address 192.168.0.1 255.255.255.0
 no clns route-cache
end
R2_VRF_CCDE#
R1_VRF_CCDE#ping 192.168.0.1 r 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 44/44/44 ms
R1_VRF_CCDE#
R2_VRF_CCDE#debug ip icmp
ICMP packet debugging is on
R2_VRF_CCDE#
01:37:17: ICMP: echo reply sent, src 192.168.0.1, dst 1.1.67.6
R2_VRF_CCIE#ping 192.168.0.1 r 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 68/68/68 ms
R2_VRF_CCIE#
R1_VRF_CCIE#debug ip icmp
ICMP packet debugging is on
R1_VRF_CCIE#
*Mar  1 01:38:17.739: ICMP: echo reply sent, src 192.168.0.1, dst 1.1.42.2

So that is the power of rd!

Now, what is the route target? I will try to explain it in a simple way: between the PEs we have BGP running, and for the IGP routes to be propagated correctly between them I need to tell each VRF which NLRI to import from and export to BGP. It should be unique per customer, as the rd is unique.

! R3 Original config
ip vrf CCDE
 rd 333:2
 route-target export 1001:11
 route-target import 1001:11
!
ip vrf CCIE
 rd 333:1
 route-target export 10000:1
 route-target import 10001:1
!
R3(config)#ip vrf CCIE
R3(config-vrf)#route-target import 1001:11
# See what happens on R1:
R1_VRF_CCIE#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       1.1.1.1/32 is directly connected, Loopback0
C       1.1.13.0/24 is directly connected, FastEthernet0/0
R       1.1.22.2/32 [120/1] via 1.1.13.3, 00:00:24, FastEthernet0/0
R       1.1.42.0/24 [120/1] via 1.1.13.3, 00:00:24, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/1] via 1.1.13.3, 00:00:24, FastEthernet0/0
C    192.168.0.0/24 is directly connected, Loopback10
R1_VRF_CCIE#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       1.1.1.1/32 is directly connected, Loopback0
C       1.1.13.0/24 is directly connected, FastEthernet0/0
R       1.1.22.2/32 [120/1] via 1.1.13.3, 00:00:01, FastEthernet0/0
R       1.1.42.0/24 [120/1] via 1.1.13.3, 00:00:01, FastEthernet0/0
R       1.1.48.0/24 [120/1] via 1.1.13.3, 00:00:01, FastEthernet0/0
R       1.1.67.0/24 [120/1] via 1.1.13.3, 00:00:01, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/1] via 1.1.13.3, 00:00:02, FastEthernet0/0
     33.0.0.0/32 is subnetted, 1 subnets
R       33.3.3.3 [120/1] via 1.1.13.3, 00:00:02, FastEthernet0/0
     6.0.0.0/32 is subnetted, 1 subnets
R       6.6.6.6 [120/1] via 1.1.13.3, 00:00:02, FastEthernet0/0
     8.0.0.0/32 is subnetted, 1 subnets
R       8.8.8.8 [120/1] via 1.1.13.3, 00:00:03, FastEthernet0/0
C    192.168.0.0/24 is directly connected, Loopback10
R1_VRF_CCIE#
By importing the CCDE route target I cause a leak, and R1 becomes aware of routes it should not have any access to.
R1_VRF_CCIE#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1_VRF_CCIE#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
# And even worse, I have caused communication to be answered by the wrong
# host just because it holds the same IP!!
R2_VRF_CCDE#
02:07:58: ICMP: echo reply sent, src 8.8.8.8, dst 1.1.13.1
02:08:00: ICMP: echo reply sent, src 8.8.8.8, dst 1.1.13.1
02:08:02: ICMP: echo reply sent, src 8.8.8.8, dst 1.1.13.1
02:08:04: ICMP: echo reply sent, src 8.8.8.8, dst 1.1.13.1
02:08:06: ICMP: echo reply sent, src 8.8.8.8, dst 1.1.13.1
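To tie the rd explanation and the route-target explanation above together, here is an added example (not code from the post, and not how IOS implements it) that models the VPNv4 export/import step on R3 and R4. The RD, RT, prefix and next-hop values are copied from the "sh run" and "sh ip bgp vpnv4 all" output on this page; the data structures and function names are assumptions. It shows that the two 192.168.0.0/24 routes coexist in the VPNv4 table only because their RDs differ, and that adding "route-target import 1001:11" to VRF CCIE on R3 pulls the CCDE customer's routes (8.8.8.8/32, 6.6.6.6/32, ...) into the CCIE table, which is the leak the post demonstrates.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnRoute:
    rd: str              # route distinguisher prepended by the exporting VRF
    prefix: str
    next_hop: str        # loopback of the exporting PE
    rts: frozenset       # route-target extended communities attached on export

@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    local_routes: dict = field(default_factory=dict)   # prefix -> next hop learned from the CE

def export_vpnv4(pe_loopback, vrfs):
    """MP-BGP export: each VRF route becomes an RD:prefix NLRI tagged with the export RTs."""
    return [VpnRoute(v.rd, p, pe_loopback, frozenset(v.export_rts))
            for v in vrfs for p in v.local_routes]

def import_into_vrf(vrf, vpnv4_routes):
    """A VRF accepts any VPNv4 route carrying at least one of its import RTs.
    The RD is dropped on import, so overlapping customer prefixes collide here;
    a prefix already present (learned from the VRF's own CE) is kept."""
    rib = dict(vrf.local_routes)
    for r in vpnv4_routes:
        if r.rts & vrf.import_rts and r.prefix not in rib:
            rib[r.prefix] = r.next_hop
    return rib

def build_r4():
    """R4's two VRFs with the RD/RT values from its 'sh run' on the page."""
    ccie = Vrf("CCIE", "444:1", {"10001:1"}, {"10000:1"},
               {"2.2.2.2/32": "1.1.42.2", "1.1.22.2/32": "1.1.42.2", "1.1.42.0/24": "connected"})
    ccde = Vrf("CCDE", "444:2", {"1001:11"}, {"1001:11"},
               {"8.8.8.8/32": "1.1.48.8", "1.1.48.0/24": "connected", "192.168.0.0/24": "1.1.48.8"})
    return [ccie, ccde]

def build_r3(extra_ccie_imports=()):
    """R3's two VRFs; extra_ccie_imports models 'route-target import ...' added to VRF CCIE."""
    ccie = Vrf("CCIE", "333:1", {"10000:1"}, {"10001:1", *extra_ccie_imports},
               {"1.1.1.1/32": "1.1.13.1", "1.1.13.0/24": "connected", "192.168.0.0/24": "1.1.13.1"})
    ccde = Vrf("CCDE", "333:2", {"1001:11"}, {"1001:11"},
               {"6.6.6.6/32": "1.1.67.6", "1.1.67.0/24": "connected", "33.3.3.3/32": "connected"})
    return [ccie, ccde]

def vpnv4_table(extra_ccie_imports=()):
    """Everything both PEs advertise over the vpnv4 address family."""
    return export_vpnv4("3.3.3.3", build_r3(extra_ccie_imports)) + export_vpnv4("4.4.4.4", build_r4())

def rds_for_prefix(table, prefix):
    """Which RDs carry a given prefix: overlapping customer space stays distinct here."""
    return sorted(r.rd for r in table if r.prefix == prefix)

def r3_ccie_rib(extra_ccie_imports=()):
    """Routing table of VRF CCIE on R3, optionally after extra 'route-target import' lines."""
    r3_ccie = build_r3(extra_ccie_imports)[0]
    return import_into_vrf(r3_ccie, vpnv4_table(extra_ccie_imports))

if __name__ == "__main__":
    print("RDs carrying 192.168.0.0/24:", rds_for_prefix(vpnv4_table(), "192.168.0.0/24"))
    print("R3 VRF CCIE before:", sorted(r3_ccie_rib()))
    print("R3 VRF CCIE after importing 1001:11:", sorted(r3_ccie_rib({"1001:11"})))
```

A useful check when auditing PE configurations follows directly from this model: list every RT each VRF imports and confirm that no customer VRF imports an RT that another customer's VRF exports. In the post the mistake is a single misplaced import line; in the model it is the one-element difference between the two r3_ccie_rib() results.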

 

I hope that was informative; for now it provides a basic understanding of the advantages of a BGP FREE CORE, and of what misunderstanding the basics can cause.