& Switching Version 5.0 VPN Workbook
www.noasolutions.com
NOA solutions, N.K Arcade, 2nd & 3rd floor, Opposite to banjara function hall, Banjarahills road no 1, Hyderabad, INDIA. +91 40 65890380, +91 7036826345

About the Author

Sikandar Shaik, a dual CCIE (RS/SP# 35012), is a highly experienced and extremely driven senior technical instructor and network consultant. He has been training networking courses for more than 10 years, teaching on a wide range of topics including Routing and Switching, Service Provider and Security (CCNA to CCIE). In addition, he has been developing and updating the content for these courses. He has assisted many engineers in passing the lab examinations and securing certifications.

Sikandar Shaik is highly skilled at designing, planning, coordinating, maintaining, troubleshooting and implementing changes to various aspects of multi-scaled, multi-platform, multi-protocol complex networks, as well as course development and instruction for a technical workforce in a varied networking environment. His experience includes responsibilities ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN and WAN environments.

Sikandar Shaik has delivered instructor-led trainings in several states in India as well as abroad in countries like China, Kenya and UAE. He has also worked as a Freelance Cisco Certified Instructor globally for Corporate Major Clients.

Acknowledgment

First and foremost I would like to thank the Almighty for his continued blessings and for always being there for me. You have given me the power and confidence to believe in myself and pursue my dreams. I could never have done this without the faith I have in you. Secondly I would like to thank my family for understanding my long nights at the computer.
I have spent a lot of time on preparing workbooks and this workbook would not have been possible without their support and encouragement. I would also like to recognize the cooperation of my students who took my trainings and workbooks. I believe my workbooks have helped them in upskilling themselves with respect to the subject and technologies and I will continue preparing workbooks for the updated technology versions.

Shaik Gouse Moinuddin Sikandar
CCIE x 2 (RS/SP)

Feedback

Please send feedback if there are any issues with respect to the content of this workbook. I would also appreciate suggestions from you which can improve this workbook further. Kindly send your feedback and suggestions at info@noasolutions.com

INDEX

MPLS labels
Label Distribution protocol
CONFIGURING LDP
MPLS LDP Troubleshooting
LAB MPLS LDP PEERING
MPLS Layer 3 VPNS
LAB: MPLS L3 VPN Support for Static Routing
LAB: MPLS L3 VPN Support for RIPv2
LAB: MPLS L3 VPN Support for EIGRP
LAB: MPLS L3 VPN Support for OSPF
OSPF Super Backbone
OSPF Domain-id
OSPF Sham-link
LAB: OSPF Sham-link
LAB: MPLS L3 VPN Support for EBGP
LAB: Overlap VPN
LAB: EXPORT MAPS
Configure Basic setup for VPN labs
Generic Routing Encapsulation
LAB: GRE POINT TO POINT TUNNELS
DYNAMIC MULTI POINT VPN
LAB: DMVPN Phase 1 static Mapping
LAB: DMVPN phase using NHRP Dynamic Mapping
LAB: DMVPN Phase-2 using Static Mapping
LAB: DMVPN phase 2 using dynamic mapping
Routing Protocols over DMVPN phase 1
RIPv2 over DMVPN Phase-1
EIGRP over DMVPN Phase-1
OSPF over DMVPN Phase-1
EBGP over DMVPN Phase-1
Routing Protocols over DMVPN phase 2
EIGRP over DMVPN Phase-2
RIPv2 over DMVPN Phase-2
OSPF over DMVPN Phase-2
EBGP over DMVPN Phase-2
LAB: NHRP Phase-3
IPsec VPN
LAB: IPsec Site-Site
LAB: IPSec over DMVPN

MPLS Layer 3 VPN

Modern SP networks (VPN)
+ Concept of VPNs
+ Reasons why VPNs were introduced
+ VPN implementation models
+ List benefits and drawbacks of VPNs

Traditional Router-Based Networks

Traditional router-based networks connect customer sites through routers connected via dedicated point-to-point links (leased lines).

[Figure: Customer A sites A, B, C and D connected by leased lines]

Traditional Router-Based Networks (Contd)

Advantages
+ Completely secure
+ High bandwidth
+ Superior quality
+ Reliable

Disadvantages
+ Expensive
+ Permanent physical connection
+ Not scalable

VPN Example

VPNs replace dedicated point-to-point links with emulated point-to-point links that share common infrastructure.
+ Customers use VPNs primarily to reduce their operational costs.
+ Example: X.25, Frame-relay, ATM, GRE, DMVPN, IPsec, MPLS, L2TPv3

[Figure: large customer site and customer site, each with a Customer Premises Equipment (CPE) or Customer Edge (CE) router]

Advantages of VPNs
* Cost savings
* Scalability
* Improved security
* Better performance
* Flexible
* Reliable

VPN Terminology

[Figure: large customer site, customer site and other customer routers; Customer Edge (CE) routers]

VPN Models

VPN services can be offered based on two major models:

Overlay model
+ in which the service provider provides virtual point-to-point links between customer sites
+ Frame relay, ATM, X.25, IPsec, GRE

Peer-to-peer model
+ in which the service provider participates in the customer routing
+ MPLS

VPN Classification

[Figure: VPN classification tree; labels that survive: ACLs (shared router), split routing (dedicated router), GET VPN]

Overlay Layer 2 VPNs
+ Layer 2 VPN
+ The service provider establishes Layer 2 VCs between customer sites.
+ The customer is responsible for all higher layers.

Overlay Layer 2 VPN: Frame Relay/ATM

[Figure: customer sites C and D with CE routers (SPOKE) connected by virtual circuits]

VPN is implemented with IP-over-Frame Relay or ATM tunnels:
+ The service provider establishes Layer 2 VCs between customer sites.
+ The service provider infrastructure appears as point-to-point links to the customer.

Overlay Layer 3 VPN

The service provider does not see customer routes and is responsible only for providing the point-to-point transport of customer data.

Layer 3 VPN IP tunneling
+ Routing protocols run directly
+ GRE is simple (and quicker).
+ IPsec provides authentication and security.

VPN Classification

[Figure: VPN classification tree; labels that survive: shared router, dedicated router, GRE, DMVPN, GET VPN, L2TPv3]

Peer-to-Peer VPN: Implementation Techniques

PE-CE routing information is exchanged between CE and PE routers.

[Figure: customer site with CE router (HUB) and customer sites B, C and D with CE routers (SPOKE)]

PE routers exchange customer routes through the core network.
Customer routes are propagated through the PE network and sent to other CE routers.

Peer-to-Peer VPN: ACLs (Shared Router)

POP router carries all customer routes. Isolation between customers is achieved with the use of ACLs (packet filters) on PE-to-CE interfaces.

Peer-to-Peer VPN: Split Routing (Dedicated Router)

The P router contains all customer routes.
Each customer has a dedicated PE router that carries only its routes.
... through the lack of routing information on the PE router.

MPLS VPN

[Figure: customer sites A and C with CE routers attached to the provider network]

CE routers route traffic to PE routers.
Each customer has its own isolated routing table instance on the PE router.
P routers do not have customer route information.
Label switching is enabled in the service provider core.
Overlay VPN

» Benefits
+ Well-known and easy to implement
+ Service provider does not participate in customer routing.
+ Customer network and service provider network are well isolated.

» Drawbacks
+ Implementing optimum routing requires a full mesh of VCs.
+ VCs have to be provisioned manually.
+ Bandwidth must be provisioned on a site-to-site basis.
+ Overlay VPNs always incur encapsulation overhead (GRE or IPsec).

Peer-to-peer VPN

» Benefits
+ Guarantees optimum routing between customer sites
+ Easier to provision an additional VPN
+ Only sites are provisioned, not links between them.

» Drawbacks
+ The service provider participates in customer routing. Filters should be applied to customer links.
+ The service provider becomes responsible for customer convergence.
+ PE routers carry all routes from all customers.
+ A secure environment must be provided for customers.
+ Complex configuration
+ The service provider needs detailed IP routing knowledge.

Summary

Two options:
+ Traditional router-based networks connect via dedicated point-to-point links.
+ VPNs use emulated point-to-point links sharing a common infrastructure.

The two major VPN models are overlay VPN and peer-to-peer VPN:

Overlay VPNs
+ use well-known technologies and are easy to implement.
+ VCs have to be provisioned manually.

Peer-to-peer VPNs
+ guarantee optimum routing between customer sites.
+ require that the service provider participate in customer routing.
MPLS VPN
» Forwards packets based on labels instead of IP
» Combines the best of both the overlay and peer-to-peer models

[Figure: customer sites A, B, C and D with CE routers around the Provider (P) core]

Multi-Protocol Label Switching

Introduction to MPLS
» Traditional IP Routing
» Basic MPLS Features
» Cisco Express Forwarding
» MPLS Terminology
» Benefits of MPLS

Traditional IP Routing

Routing protocols are used to distribute Layer 3 routing information.
A forwarding decision is made, based on:
+ Packet header
+ Local routing table
Routing lookups are independently performed at every hop.

Basic MPLS Features
» MPLS is a forwarding mechanism in which packets are forwarded based on labels.
» MPLS packets can run on other Layer 2 technologies such as ATM, FR, PPP, Ethernet.
» MPLS leverages both IP routing and CEF switching.

Cisco Express Forwarding

[Figure: MPLS Architecture: Control Plane; exchange of routing information, exchange of label information]

[Figure: MPLS Architecture: Data Plane; incoming IP and labeled packets, outgoing IP and labeled packets]
MPLS Architecture Example

LSRs forward packets based on labels and swap labels:
+ The last LSR in the path also removes the label and forwards the IP packet.

Edge LSR:
+ Labels IP packets (imposes label) and forwards them into the MPLS domain
+ Forwards IP packets out of the MPLS domain

A sequence of labels to reach a destination is called an LSP.

Benefits of MPLS

MPLS supports multiple applications including:
+ Unicast and multicast IP routing
+ VPN
+ QoS
+ AToM
MPLS decreases forwarding overhead on core routers.
BGP-free core.
MPLS can support forwarding of non-IP protocols.

MPLS Label

[Figure: L2 header | MPLS label | IP packet]

MPLS uses a 32-bit label header that is inserted between L2 & L3 of OSI:
+ 20-bit label
+ 3-bit experimental field
+ 1-bit bottom-of-stack indicator
+ 8-bit Time-to-Live field

A single label corresponds to a single route and is shared with MPLS neighbors (using the LDP protocol).

MPLS Label Stack
» Usually only one label is assigned to a packet, but multiple labels in a label stack are supported.
» These scenarios may produce more than one label:
+ MPLS VPNs (two labels): The top label points to the egress router, and the second label identifies the VPN.
+ MPLS TE (two or more labels): The top label points to the endpoint of the traffic engineering tunnel and the second label points to the destination.
+ MPLS VPNs combined with MPLS TE (three or more labels)

MPLS Label Stack (Example)

The outer label is used for switching the packet in the MPLS network (points to the TE destination).
Inner labels are used to separate packets at egress points (point to an egress router and identify a VPN).

Sharing the label information
» MPLS does not forward based on the label automatically.
» We need to share the label information using LDP.

Label Distribution Protocols

Work with the IGP inside the core.

Tag Distribution Protocol
+ Cisco proprietary
+ Old (not used)
+ TCP port 711

Label Distribution Protocol
+ Standard
+ Default on Cisco
+ UDP port 646

RSVP
+ Used for MPLS TE labels

Configuring LDP

Prerequisites: CEF enabled
  # show ip cef

  R1#sh ip cef
  %CEF not running
  Prefix    Next Hop    Interface

To enable CEF:
  R1(config)#ip cef

Configuring LDP

Prerequisites:
1. CEF enabled (# show ip cef)
2. IGP routing

  R1(config)#mpls label protocol ldp
  R1(config)#mpls ldp router-id loopback 0
  R1(config)#int s1/0
  R1(config-if)#mpls ip
  R1(config-if)#end

  #show mpls ldp neighbor
  #show mpls interfaces
  #show mpls ldp bindings

How LDP Label Forwarding Works
1. The IGP builds the routing table (FIB using CEF).
2. The LSR assigns a local label for each route learned.
3. LSRs share the labels with neighbors using LDP.
4. LSRs build their own LFIB.
5. Packets are forwarded based on label lookup.

Penultimate Hop Popping (PHP)
» Penultimate hop popping optimizes MPLS performance.
» PHP removes the requirement for a double lookup to be performed on an egress PE (one less LFIB lookup).
» The LIB table will display a value of imp-null.
[Figure: label operations without PHP]

[Figure: label operations with PHP]

» To disable PHP
  Rx(config)#mpls ldp explicit-null
» To re-enable PHP
  Rx(config)#no mpls ldp explicit-null

LAB: CONFIGURING LDP

TASK:
+ Configure the basic IP addressing according to the diagram.
+ Configure OSPF area 0 as the IGP running inside the MPLS SP network.
+ Advertise the loopback 0 interface inside the IGP as well.

  R1(config)#router ospf 1
  R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
  R1(config-router)#network 1.0.0.0 0.255.255.255 area 0
  R1(config-router)#
  R1(config-router)#exit

  R2(config)#router ospf 1
  R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
  R2(config-router)#network 2.0.0.0 0.255.255.255 area 0
  R2(config-router)#network 1.0.0.0 0.255.255.255 area 0
  R2(config-router)#
  R2(config-router)#end

  R3(config)#router ospf 1
  R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
  R3(config-router)#network 3.0.0.0 0.255.255.255 area 0
  R3(config-router)#network 2.0.0.0 0.255.255.255 area 0
  R3(config-router)#
  R3(config-router)#exit

  R4(config)#router ospf 1
  R4(config-router)#network 40.0.0.0 0.255.255.255 area 0
  R4(config-router)#network 3.0.0.0 0.255.255.255 area 0
  R4(config-router)#network 49.0.0 0.0.05 area 0
  R4(config-router)#end

  R3#sh ip ospf neighbor
  Neighbor ID     Pri   State      Dead Time   Address    Interface
  12.0.3.1        0     FULL/ -    00:00:36    2.2.2.1    Serial1/0
  14.0.3.1        0     FULL/ -    00:00:38    3.3.3.2    Serial1/1

  R2#sh ip ospf neighbor
  Neighbor ID     Pri   State      Dead Time   Address    Interface
  11.0.3.1        0     FULL/ -                           Serial1/0
  13.0.3.1        0     FULL/ -                           Serial

  R1#sh ip route ospf
  O    2.0.0.0/8 [110/128] via 1.1.1.2, 00:00:20, Serial1/0
  O    3.0.0.0/8 [110/192] via 1.1.1.2, 00:
  O    20.0.0.0/8 [110/65] via 1.1.1.2, 00:00:20, Serial1/0
  O    40.0.0.0/8 [110/193] via 1.1.1.2, 00:
       12.0.0.0/32 is subnetted, 1 subnets
  O       12.0.0.1 [110/65] via 1.1.1.2, 00:00:20, Serial1/0
       13.0.0.0/32 is subnetted, 1 subnets
  O       13.0.0.1 [110/129] via 1.1.1.2, 00:00:20, Serial1/0
       14.0.0.0/32 is subnetted, 1 subnets
  O       14.0.0.1 [110/193] via 1.1.1.2, 00:00:20, Serial1/0
  O    30.0.0.0/8 [110/129] via 1.1.1.2, 00:00:20, Serial1/0

  R1#sh ip cef
  Prefix              Next Hop    Interface
  0.0.0.0/0           drop        Null0 (default route handler entry)
  0.0.0.0/32          receive
  1.0.0.0/8           attached    Serial1/0
  1.0.0.0/32          receive
  1.1.1.1/32          receive
  1.255.255.255/32    receive
  2.0.0.0/8           1.1.1.2     Serial1/0
  3.0.0.0/8           1.1.1.2     Serial1/0
  4.0.0.0/8           attached    Serial1/1
  4.0.0.0/32          receive
  4.4.4.2/32          receive
  4.255.255.255/32    receive
  10.0.0.0/8          attached    FastEthernet0/0
  10.0.0.0/32         receive
  10.1.1.1/32         receive
  10.255.255.255/32   receive
  11.0.0.0/24         attached    Loopback0
  11.0.0.0/32         receive
  11.0.0.1/32         receive
  11.0.0.255/32       receive
  11.0.1.0/24         attached    Loopback1
  11.0.1.0/32         receive
  11.0.1.1/32         receive
  11.0.1.255/32       receive
  11.0.2.0/24         attached    Loopback2
  11.0.2.0/32         receive
  11.0.2.1/32         receive
  11.0.2.255/32       receive
  11.0.3.0/24         attached    Loopback3
  11.0.3.0/32         receive
  11.0.3.1/32         receive
  11.0.3.255/32       receive
  12.0.0.1/32         1.1.1.2     Serial1/0
  13.0.0.1/32                     Serial1/0
  14.0.0.1/32                     Serial1/0
  20.0.0.0/8                      Serial1/0
  30.0.0.0/8                      Serial1/0
  40.0.0.0/8          1.1.1.2     Serial1/0
  224.0.0.0/4         drop
  224.0.0.0/24        receive
  255.255.255.255/32  receive

  R1#sh ip route 40.0.0.0
  Routing entry for 40.0.0.0/8
    Known via "ospf 1", distance 110, metric 193, type intra area
    Last update from 1.1.1.2 on Serial1/0, 00:00:50 ago
    Routing Descriptor Blocks:
    * 1.1.1.2, from 14.0.3.1, 00:00:50 ago, via Serial1/0
        Route metric is 193, traffic share count is 1

* Cisco Express Forwarding (CEF) is an advanced Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.
* Cisco Express Forwarding is enabled by default on most Cisco platforms running Cisco IOS software Release 12.0 or later. When Cisco Express Forwarding is enabled on a router, the Route Processor (RP) performs the express forwarding.
* To find out if Cisco Express Forwarding is enabled on your platform, enter the show ip cef command.
If Cisco Express Forwarding is enabled, you receive output that looks like this:

  R1#sh ip cef 40.0.0.0
  40.0.0.0/8, version 30, epoch 0, cached adjacency to Serial1/0
  0 packets, 0 bytes
    via 1.1.1.2, Serial1/0, 0 dependencies
      next hop 1.1.1.2, Serial1/0
      valid cached adjacency

To disable CEF:

  R1(config)#no ip cef
  R1(config)#end

If Cisco Express Forwarding is not enabled on your platform, the output for the show ip cef command looks like this:

  R1#sh ip cef
  %CEF not running
  Prefix    Next Hop    Interface

To enable CEF:

  R1(config)#ip cef
  R1(config)#end

  R1#sh ip cef 40.0.0.0
  40.0.0.0/8, version 30, epoch 0, cached adjacency to Serial1/0
  0 packets, 0 bytes
    via 1.1.1.2, Serial1/0, 0 dependencies
      next hop 1.1.1.2, Serial1/0
      valid cached adjacency

NOTE:
+ Make sure that you are able to ping loopback 0 of every router, as we are going to establish the LDP neighborship based on the MPLS router-ID (and it has to be advertised in the IGP for LDP peering).

MPLS Label Protocol - LDP
MPLS ldp router-id - Best to set it, as the IP must be reachable because it is used in the transport address in the LDP discovery hello messages.

How the LDP Router-ID is derived

If the MPLS Router-ID command has not been applied:
1. The router checks the IP addresses of all operational interfaces.
2. If any of these interfaces are loopbacks, the router selects the highest loopback address for the LDP router-id.
3. If no loopback interfaces are configured, the highest operational IP address is selected as the LDP router-id.

This default method of assigning the LDP router-id can cause problems if the assigned id cannot be advertised by the routing protocol.

+ The mpls ldp router-id command allows you to specify an interface as the LDP router-id. You need to make sure the specified interface is up so its IP address can be used.
+ If you issue the command without the force option, the router will select the IP address of the specified interface when it next selects an LDP router-ID.
+ When you issue the mpls ldp router-id command with the force option, if the interface is up and the router is not currently using its IP address as the router-id, the router-id changes. This will tear down any existing LDP sessions and will interrupt the MPLS forwarding.

TASK
* Configure MPLS on all routers. Use LDP as the protocol.
* The LDP router ID has to be the loopback 0 ID.
* Configure the routers to select the labels as below:
  R1 100-199
  R2 200-299
  R3 300-399
  R4 400-499

NOTE: Make sure that CEF is enabled before you configure.

  R1#sh ip cef
  Prefix    Next Hop    Interface

+ If you see the above output, CEF is disabled or not running.
+ Make sure that CEF is enabled, as MPLS relies on CEF to build its label database.

  R1(config)#mpls label range 100 199
  R1(config)#mpls label protocol ldp
  R1(config)#mpls ldp router-id loopback 0
  R1(config)#int s1/0
  R1(config-if)#mpls ip
  R1(config-if)#end

  R2(config)#mpls label range 200 299
  R2(config)#mpls label protocol ldp
  R2(config)#mpls ldp router-id loopback 0
  R2(config)#int s1/0
  R2(config-if)#mpls ip
  R2(config-if)#int s1/1
  R2(config-if)#mpls ip
  R2(config-if)#end
  R3(config)#mpls label range 300 399
  R3(config)#mpls label protocol ldp
  R3(config)#mpls ldp router-id loopback 0
  R3(config)#int s1/0
  R3(config-if)#mpls ip
  R3(config-if)#int s1/1
  R3(config-if)#mpls ip
  R3(config-if)#end

  R4(config)#mpls label range 400 499
  R4(config)#mpls label protocol ldp
  R4(config)#mpls ldp router-id loopback 0
  R4(config)#int s1/0
  R4(config-if)#mpls ip
  R4(config-if)#end

  R3#sh mpls ldp neighbor
  Peer LDP Ident: 12.0.0.1:0; Local LDP Ident 13.0.0.1:0
      TCP connection: 12.0.0.1.646 - 13.0.0.1.20380
      State: Oper; Msgs sent/rcvd: 17/1
      Up time: 00:00:47
      LDP discovery sources:
        Serial1/0, Src IP addr:
      Addresses bound to peer LDP Ident:
        20.1.1.1   1.1.1.2   2.2.2.1   12.0.0.1
        12.0.1.1   12.0.2.1  12.0.3.1
  Peer LDP Ident: 14.0.0.1:0; Local LDP Ident 13.0.0.1:0
      TCP connection: 14.0.0.1.30158 - 13.0.0.1.646
      State: Oper; Msgs sent/rcvd: 17/18; Downstream
      Up time: 00:00:06
      LDP discovery sources:
        Serial1/1, Src IP addr: 3.3.3.2
      Addresses bound to peer LDP Ident:
        40.1.1.1   3.3.3.2   4.4.4.1   14.0.0.1
        14.0.1.1   14.0.2.1  14.0.3.1

  R3#sh mpls interfaces
  Interface     IP          Tunnel   Operational
  Serial1/0     Yes (ldp)   No       Yes
  Serial1/1     Yes (ldp)   No       Yes

  R2#sh mpls ldp neighbor
  Peer LDP Ident: 11.0.0.1:0; Local LDP Ident 12.0.0.1:0
      TCP connection: 11.0.0.1.646 - 12.0.0.1.11373
      State: Oper; Msgs sent/rcvd: 19/19; Downstream
      Up time: 00:01:45
      LDP discovery sources:
        Serial1/0, Src IP addr: 1.1.1.1
      Addresses bound to peer LDP Ident:
        1.1.1.1   4.4.4.2   11.0.0.1
  Peer LDP Ident: 13.0.0.1:0; Local LDP Ident 12.0.0.1:0
      TCP connection: 13.0.0.1.20380 - 12.0.0.1.646
      State: Oper; Msgs sent/rcvd: 18/18; Downstream
      Up time: 00:01:10
      LDP discovery sources:
        Serial1/1, Src IP addr: 2.2.2.2
      Addresses bound to peer LDP Ident:
        30.1.1.1   2.2.2.2   3.3.3.1   13.0.0.1
        13.0.1.1   13.0.2.1  13.0.3.1

  R2#sh mpls interfaces
  Interface     IP          Tunnel   Operational
  Serial1/0     Yes (ldp)   No       Yes
  Serial1/1     Yes (ldp)   No       Yes

  R1#sh ip cef 40.0.0.0
  40.0.0.0/8, version 30, epoch 0, cached adjacency to Serial1/0
  0 packets, 0 bytes
    tag information set
      local tag: 19
      fast tag rewrite with Se1/0, point2point, tags imposed: {201}
    via 1.1.1.2, Serial1/0, 0 dependencies
      next hop 1.1.1.2, Serial1/0
      valid cached adjacency
      tag rewrite with Se1/0, point2point, tags imposed: {201}

  R4#sh mpls ldp bindings 40.0.0.0 255.0.0.0
    tib entry: 40.0.0.0/8, rev 12
          local binding:  tag: imp-null
          remote binding: tsr: 13.0.0.1:0, tag: 302

  R3#sh mpls ldp bindings 40.0.0.0 255.0.0.0
    tib entry: 40.0.0.0/8, rev 10
          local binding:  tag: 302
          remote binding: tsr: 12.0.0.1:0, tag: 201
          remote binding: tsr: 14.0.0.1:0, tag: imp-null

+ TIB is equivalent to LIB. Tag Information Base was its old name when Label Switching was called Tag Switching.
* Local binding is the tag the router will put on the packet to the destination.
+ Imp-null means the router will not put a tag, because the prefix is locally originated.
* Remote binding is the label the LDP neighbor router assigned to this subnet.
+ TSR (Tag Switching Router) is the old name for Label Switching Router (LSR).

  R3#sh mpls forwarding-table 40.0.0.0 8
  Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
  tag    tag or VC   or Tunnel Id      switched   interface
  302    Pop tag     40.0.0.0/8        0          Se1/1      point2point

Where does the Untagged keyword appear? It only appears as the output label in the LFIB (Label Forwarding Information Base) that you can inspect with the show mpls forwarding-table command. It means that the router has no output label associated.

If this LSR receives a packet with top label 102, it removes all labels and forwards the packet as an IP packet, because the outgoing label (tag) is Untagged. If this LSR were to receive a labeled packet with the top label 22, it would swap the label with label 17 and then forward it on the Ethernet0/0/0 interface.
+ Pop: The top label is removed. The packet is forwarded with the remaining label stack or as an unlabeled packet. Networks originating on the outside of the MPLS domain are not assigned any label on the edge LSR; instead, the POP label is advertised.
+ Swap: The top label is removed and replaced with a new label.
+ Push: The top label is replaced with a new label (swapped), and one or more labels are added (pushed) on top of the swapped label.
+ Untagged/No Label: The stack is removed, and the packet is forwarded unlabeled.

  R2#sh mpls ldp bindings 40.0.0.0 255.0.0.0
    tib entry: 40.0.0.0/8, rev 10
          local binding:  tag: 201
          remote binding: tsr: 13.0.0.1:0, tag: 302
          remote binding: tsr: 11.0.0.1:0, tag: 103

  R2#sh mpls forwarding-table 40.0.0.0 8
  Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
  tag    tag or VC   or Tunnel Id      switched   interface
  201    302         40.0.0.0/8        0          Se1/1      point2point

  R1#sh mpls ldp bindings 40.0.0.0 8
    tib entry: 40.0.0.0/8, rev 12
          local binding:  tag: 103
          remote binding: tsr: 12.0.0.1:0, tag: 201

  R1#sh mpls forwarding-table 40.0.0.0 8
  Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
  tag    tag or VC   or Tunnel Id      switched   interface
  103    201         40.0.0.0/8        0          Se1/0      point2point

  R1#ping 40.1.1.1 source 10.1.1.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 40.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 10.1.1.1
  Success rate is 100 percent (5/5), round-trip min/avg/max = 32/57/76 ms

  R1#traceroute 40.1.1.1 source 10.1.1.1
  Type escape sequence to abort.
  Tracing the route to 40.1.1.1
    1 1.1.1.2 [MPLS: Label 201 Exp 0] 68 msec 60 msec 64 msec
    2 2.2.2.2 [MPLS: Label 302 Exp 0] 64 msec 56 msec 52 msec
    3 3.3.3.2 60 msec * 60 msec
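Added example, not part of the workbook: the Python sketch below packs and parses the 32-bit label header described earlier (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL) and replays the lab's LFIB entries for 40.0.0.0/8 (R1 imposes 201, R2 swaps 201 for 302, R3 pops 302). The payload bytes, the starting TTL of 255, the drop behaviour for an unknown label and all function names are assumptions made for illustration.

```python
import struct


class Dropped(Exception):
    """Raised when an LSR would discard the labeled packet."""


def encode_entry(label, exp=0, bottom=True, ttl=255):
    """Pack one label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range for a 32-bit label header")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_stack(data):
    """Parse entries until the bottom-of-stack bit is set; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = {
            "label": word >> 12,
            "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        if entry["bottom"]:
            return entries, data[offset:]


# LFIB entries for 40.0.0.0/8 taken from the lab's "sh mpls forwarding-table"
# outputs: incoming label -> (operation, outgoing label, next router).
LFIB = {
    "R2": {201: ("swap", 302, "R3")},
    "R3": {302: ("pop", None, "R4")},  # "Pop tag": R4 advertised imp-null (PHP)
}


def forward(router, frame):
    """Apply the router's LFIB to the top label; return (next_router, frame, labeled)."""
    entries, payload = decode_stack(frame)
    top, rest = entries[0], entries[1:]
    action = LFIB.get(router, {}).get(top["label"])
    if action is None:
        raise Dropped(f"{router}: no LFIB entry for label {top['label']}")
    if top["ttl"] <= 1:
        raise Dropped(f"{router}: TTL expired")
    op, out_label, next_router = action
    if op == "swap":
        stack = [dict(top, label=out_label, ttl=top["ttl"] - 1)] + rest
    else:  # pop: remove the top label, keep whatever is underneath
        stack = rest
    out = b"".join(
        encode_entry(e["label"], e["exp"], e["bottom"], e["ttl"]) for e in stack
    )
    return next_router, out + payload, bool(stack)


def trace_path(payload=b"constructed-ip-packet"):
    """Follow a packet for 40.0.0.0/8 from R1 and list the labels seen on each link."""
    frame = encode_entry(201) + payload  # R1 (edge LSR) imposes label 201
    hops = [("R1->R2", [201])]
    router, labeled = "R2", True
    while labeled:
        previous = router
        router, frame, labeled = forward(previous, frame)
        labels = [e["label"] for e in decode_stack(frame)[0]] if labeled else []
        hops.append((f"{previous}->{router}", labels))
    return hops


if __name__ == "__main__":
    for link, labels in trace_path():
        print(link, labels or "unlabeled IP")
```

The labels per link match the traceroute output above: 201 toward R2, 302 toward R3, and a plain IP packet on the last hop because R3 pops the label.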
LAB: MPLS LDP Troubleshooting

MPLS LDP Troubleshooting

Show commands:
  sh mpls interfaces
  sh mpls ldp neigh
  sh run int
  sh run | in mpls

Possible issues:
1. mpls ip not enabled (mpls ip missing on the connected interfaces)
2. Protocol mismatch (TDP/LDP), global or at interface level
3. Higher loopback ID taken as router ID which is not advertised in the IGP
4. Mismatched authentication, if configured
5. Filtering port 646 (LDP packets)

TASK:
* Continue with the previous lab.
* Remove the mpls ip command to verify troubleshooting.

  R1(config)#int s1/1
  R1(config-if)#no mpls ip
  R1(config-if)#end

  R1#sh mpls ldp neighbor

  R1#sh mpls interfaces
  Interface     IP          Tunnel   Operational

  R1(config)#int s1/1
  R1(config-if)#mpls ip
  R1(config-if)#end

  R1#sh mpls ldp neighbor
  Peer LDP Ident: 12.0.0.1:0; Local LDP Ident 11.0.0.1:0
      TCP connection: 12.0.0.1.51918 - 11.0.0.1.646
      State: Oper; Msgs sent/rcvd: 52/52; Downstream
      Up time: 00:22:07
      LDP discovery sources:
        Serial1/0, Src IP addr: 1.1.1.2
      Addresses bound to peer LDP Ident:
        20.1.1.1   1.1.1.2   2.2.2.1   12.0.0.1
        12.0.1.1   12.0.2.1  12.0.3.1

TASK:
Change the MPLS protocol to TDP instead of LDP and verify the outputs.

  R2(config)#mpls label protocol tdp
  R2(config)#end

  R1#sh mpls ldp neighbor

  R1#sh mpls interfaces
  Interface     IP          Tunnel   Operational
  Serial1/0     Yes (ldp)   No       Yes
  Serial1/1     Yes (ldp)   No       Yes

  R1#sh run | in mpls
  mpls label range 100 199
  mpls label protocol ldp
   mpls ip
  mpls ldp router-id Loopback0

  R2#sh mpls ldp neighbor

  R2#sh mpls interfaces
  Interface     IP          Tunnel   Operational
  Serial1/0                 No       Yes
  Serial1/1                 No       Yes

  R2#sh run | in mpls
  mpls label range 200 299
   mpls ip
   mpls ip
  mpls ldp router-id Loopback0

  R2(config)#no mpls label protocol tdp
  R2(config)#mpls label protocol ldp

  R2#sh mpls ldp neighbor
  Peer LDP Ident: 11.0.0.1:0; Local LDP Ident 12.0.0.1:0
      TCP connection: 11.0.0.1.646 - 12.0.0.1.42191
      State: Oper; Msgs sent/rcvd: 27/27; Downstream
      Up time: 00:00:21
      LDP discovery sources:
        Serial1/0, Src IP addr: 1.1.1.1
      Addresses bound to peer LDP Ident:
  Peer LDP Ident: 13.0.0.1:0; Local LDP Ident 12.0.0.1:0
      TCP connection: 13.0.0.1.14107 - 12.0.0.1.646
