MPLS OSPF L3 VPN and SHAM links

 

image

Building this lab on our previous lab

we will run OSPF between PE and CE and we will see how the OSPF process number on the PE affects the type of routes advertised to the CE

We will also see how to setup sham links in mpls environment and why they are used.

Configuration:

R1

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
router-id 1.1.1.1
net 0.0.0.0 0.0.0.0 area 0
  

R2

ip vrf CUST_A
 rd 2.2.2.2:1
 route-target export 1:1
 route-target import 1:1

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/0
 ip vrf forwarding CUST_A
 ip address 10.1.12.2 255.255.255.0
interface FastEthernet0/1
 ip address 10.1.23.2 255.255.255.0
 mpls ip

router ospf 1
 log-adjacency-changes
 network 10.1.12.2 0.0.0.0  area 0

router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family

R3

interface FastEthernet0/0
 ip address 10.1.23.3 255.255.255.0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.1.34.3 255.255.255.0
 mpls ip
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

R4


ip vrf CUST_A
 rd 4.4.4.4:1
route-target export 1:1
 route-target import 1:1

interface Loopback0
 ip address 4.4.4.4 255.255.255.255

interface FastEthernet0/0
 ip vrf forwarding CUST_A
 ip address 10.1.45.4 255.255.255.0
interface FastEthernet0/1
 ip address 10.1.34.4 255.255.255.0
 mpls ip
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 10.1.45.4 0.0.0.0  area 0
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family

R5

interface Loopback0
 ip address 5.5.5.5 255.255.255.0
interface FastEthernet0/1
 ip address 10.1.15.5 255.255.255.0
 shutdown

router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

so we have our basic setting ready, we need to enable OSPF for the VRF  and redistribute between OSPF and MP-BGP

on both R2  and R4

router ospf 3 vrf CUST_A
 redistribute bgp 100 subnets

router bgp 100
 address-family ipv4 vrf CUST_A
  redistribute ospf 3 vrf CUST_A
 exit-address-family

Note how the ospf vrf  is configured, even the vrf is referenced the same process id can’t be re-used, you need to create a new opsf process for each vrf process

Now let’s check the OSPF table on R1

R1(config-if)#do sh ip route ospf      
     5.0.0.0/32 is subnetted, 1 subnets
O IA    5.5.5.5 [110/21] via 10.1.12.2, 00:39:34, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O IA    10.1.45.0 [110/11] via 10.1.12.2, 00:39:34, FastEthernet0/0

so we see that routes are received as inter-area routes

let’s check the BGP for that specific VRF on R2 and R4

R4(config-router-af)#do sh bgp vpn unica vrf CUST_A 1.1.1.1 | in ID
BGP routing table entry for 4.4.4.4:1:1.1.1.1/32, version 224
Paths: (1 available, best #1, table CUST_A)
  Not advertised to any peer
  Local, imported path from 2.2.2.2:1:1.1.1.1/32
    2.2.2.2 (metric 21) from 2.2.2.2 (2.2.2.2)
      Origin incomplete, metric 11, localpref 100, valid, internal, best
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000030200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:10.1.12.2:0
      mpls labels in/out nolabel/18
ID:44.4.4.4:0
      mpls labels in/out 22/nolabel
R4(config-router-af)#do sh bgp vpn unica vrf CUST_A 5.5.5.5
BGP routing table entry for 4.4.4.4:1:5.5.5.5/32, version 236
Paths: (1 available, best #1, table CUST_A)
  Advertised to update-groups:
        1
  Local
    10.1.45.5 from 0.0.0.0 (4.4.4.4)
      Origin incomplete, metric 11, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000030200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:44.4.4.4:0
      mpls labels in/out 22/nolabel

As we can see the OSPF Domain-ID matches on both PE that’s why routes are received as Inter-area routes,  if the domain ID doiesn’t match the routes should appear as External routes on the CE .The Domain-ID is the ospf process ID on the PE  in Hexa this can be verified by changing the OSPF domain-id on any of the CE.

So let’s change the Domain-ID under R4 to 40

router ospf 3 vrf CUST_A
 domain-id 0.0.0.40
clear ip os process

now let’s check the routes on R4

 

!
R4(config-router-af)#do sh bgp vpn unica vrf CUST_A 1.1.1.1
BGP routing table entry for 4.4.4.4:1:1.1.1.1/32, version 224
Paths: (1 available, best #1, table CUST_A)
  Not advertised to any peer
  Local, imported path from 2.2.2.2:1:1.1.1.1/32
    2.2.2.2 (metric 21) from 2.2.2.2 (2.2.2.2)
      Origin incomplete, metric 11, localpref 100, valid, internal, best
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000030200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:10.1.12.2:0
      mpls labels in/out nolabel/18

R4(config-router-af)#do sh bgp vpn unica vrf CUST_A 5.5.5.5
BGP routing table entry for 4.4.4.4:1:5.5.5.5/32, version 236
Paths: (1 available, best #1, table CUST_A)
  Advertised to update-groups:
        1
  Local
    10.1.45.5 from 0.0.0.0 (4.4.4.4)
      Origin incomplete, metric 11, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:1 OSPF DOMAIN ID:0x0005:0x000000280200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:44.4.4.4:0
      mpls labels in/out 22/nolabel

we see the domain ID for 1.1.1.1 is 3 in HEX while the domain ID for 5.5.5.5 is 28 HEX

Now let’s check the routes on R5

R5(config-if)#do sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O E2    1.1.1.1 [110/11] via 10.1.45.4, 00:32:41, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O E2    10.1.12.0 [110/1] via 10.1.45.4, 00:32:41, FastEthernet0/0

As expected the routes are now showing as External OSPF routes

Now imagine that this customer has a secondary link that runs directly between R1 and R5, the backup link should be used only when primary MPLS links fail

so let’s un-shut f0/1 interface on both R1 and R5 and check the OSPF

R1(config-if)#do sh ip route ospf      
     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/11] via 10.1.15.5, 00:12:32, FastEthernet0/1
     10.0.0.0/24 is subnetted, 3 subnets
O       10.1.45.0 [110/20] via 10.1.15.5, 00:12:32, FastEthernet0/1

R5(config-if)#do sh ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11] via 10.1.15.1, 00:12:14, FastEthernet0/1
     10.0.0.0/24 is subnetted, 3 subnets
O       10.1.12.0 [110/20] via 10.1.15.1, 00:12:14, FastEthernet0/1

As we can see, both R1 and R5 are using the direct link to reach each other, the reason that inter-area routes will always be preferred over any other routes so cost wouldn’t help much in this scenario sham links was introduced for this type of scenarios

to configure sham links over MPLS PE routers we need the following

1- Two loopback interfaces with  /32 prefix

2- advertise the new prefixes under the BGP-MP

3- configure sham link under the PE VRF OSPF process using this command

area X sham-link x.x.x.x y.y.y.y

where x.x.x.x is the source and y.y.y.y is the source of the sham link on each router

so let’s try this on R2 and R4

R2

interf lo1
ip vrf forwarding CUST_A
ip address 22.2.2.2 255.255.255.255

router bgp 100
address-family ipv4 vrf CUST_A
net 22.2.2.2 mask 255.255.255.255

router ospf 3
area 0 sham-link 22.2.2.2 44.4.4.4 

R4

interface Loopback1
ip vrf forwarding CUST_A
ip address 44.4.4.4 255.255.255.255

router bgp 100
address-family ipv4 vrf CUST_A
net 44.4.4.4 mask 255.255.255.255

router ospf 3
area 0 sham-link 44.4.4.4 22.2.2.2

now let’s check the routes on R5

R5(config-if)#do sh ip route os
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11] via 10.1.15.1, 00:13:51, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
O E2    22.2.2.2 [110/1] via 10.1.45.4, 00:05:46, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O       10.1.12.0 [110/20] via 10.1.15.1, 00:13:51, FastEthernet0/1
     44.0.0.0/32 is subnetted, 1 subnets
O E2    44.4.4.4 [110/1] via 10.1.45.4, 00:07:40, FastEthernet0/0

We see that R5 is still using R1 to reach 1.1.1.1 prefix and the cost is 11

now let’s check the OSPF routes on R4 for that particular VRF

R4(config-router)#do sh ip route vrf CUST_A ospf

Routing Table: CUST_A

     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/12] via 2.2.2.2, 00:05:41
     5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       5.5.5.5/32 [110/11] via 10.1.45.5, 00:11:06, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O       10.1.15.0 [110/20] via 10.1.45.5, 00:11:06, FastEthernet0/0
O       10.1.12.0 [110/11] via 2.2.2.2, 00:05:41

We see that we do receive the route from R2 as Intra area routes and the cost is 12

if we change the cost on R5  to R1 we should be able to use the mpls link as primary

R5(config)# interf f0/1
R5(config-if)# ip ops cost 100

R5(config-if)#do sh ip route os
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/22] via 10.1.45.4, 00:00:14, FastEthernet0/0
     22.0.0.0/32 is subnetted, 1 subnets
O E2    22.2.2.2 [110/1] via 10.1.45.4, 00:10:11, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
O       10.1.12.0 [110/21] via 10.1.45.4, 00:00:14, FastEthernet0/0
     44.0.0.0/32 is subnetted, 1 subnets
O E2    44.4.4.4 [110/1] via 10.1.45.4, 00:12:05, FastEthernet0/0

As expected we see that after changing the cost on R5 forced it to use the R4 link to R1 loopback interface

Also check R4 and R2 OSPF neighborship

R4(config-router)#do sh ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.12.2         0   FULL/  -           -        22.2.2.2        OSPF_SL0

R2


R2(config-router)#do sh ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.45.4         0   FULL/  -           -        44.4.4.4        OSPF_SL0

Comments

Post a Comment

Popular posts from this blog

IPv6 EIGRP

Image
In this post we will try to configure IPv6 EIGRP see the different options for the protocol and how these options are almost identical to the IPv4 version of EIGRP configuration R1 ipv6 unicast-routing interface lo0 ipv6 address 2001:1:1::1/64 interface FastEthernet0/0   ipv6 address FE80::1 link-local   ipv6 address FC00:1:12::1/64 ! interface FastEthernet0/1   ipv6 address FE80::1 link-local   ipv6 address FC00:1:13::1/64 !          R2 ipv6 unicast-routing interface lo0 ipv6 address 2001:2:2::2/64 interface FastEthernet0/0   ipv6 address FE80::2 link-local   ipv6 address FC00:1:12::2/64 ! interface FastEthernet0/1   ipv6 address FE80::2 link-local   ipv6 address FC00:1:23::2/64 R3 ipv6 unicast-routing interface lo0 ipv6 address 2001:3:3::3/64 interface lo1 ipv6 address 2001:3:4::3/64 interface lo2 ipv6 address 2001:3:5::3/64 interface FastEthernet0/0   ipv6 address FE80::3 link-...
Read more

BPDU Filter vs BPDU Guard

        Today we will try to explore the difference between these 2 options, BPDU guard and BPDU filter We know that BPDU are used to communicate between switches in L2 networks  to ensure loop free topology. BPDU Guard is used to protect our access (or trunks incase of servers) ports from receiving undesired BPDU packets, this feature is helpful in enforcing your network boundary in access layer BPDU Guard can be enabled on global configuration as well as under the interface configuration BPDU Filter on the other hand is used to filter BPDU packets outbound when configured  in global configuration (after sending 11 BPDU out ) and will filter BPDU inbound/outbound when configured under the interface level To better understand these two features, let’s use this simple topology R1 is connected to SW1 through F0/0 to have R1 send and receive BPDU we will simple configure bridging group 1 on the router and we will join the bridge group when desired to...
Read more

Private VLANS and protected ports

Image
In this post we will try to learn two layer 2 technologies, private vlans and protected ports Private vlans is used to segregate the layer 2 domain within the same vlan so we don’t waste any IP addresses, think about as sub-vlans within the same vlan that share the same layer 3 address. These sub-vlans can be of two kinds                      1- Community 2- Isolated The difference between community and isolated sub-vlans that hosts within community vlan can communicate together however hosts within isolated vlans con’t communicate to each others, also note that hosts from different community vlans can’t communicate/isolated vlans can’t communicate together. The question is how these hosts in community/isolated vlans communicate to the outside world, and the answer is they communicate through the promiscuous port which is part of parent vlan but this port is allowed to communicat...
Read more