traceroute follow MPLS label (inet.3)

Tags

junos, mpls

inet.0 is the route table used for regular IGP recursion. Inet.3 is only used by BGP to resolve next-hops by default. This means that only traffic sent to destinations learned by BGP will be label-switched.

If you have a requirement that all traffic uses labeled next-hops you can move routes from inet.3 into inet.0

set protocols mpls traffic-engineering bgp-igp-both-ribs

Before

dhakacom@rt-01-mx.dhakacom.com> show route 118.179.191.6

inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

118.179.191.6/32 *[OSPF/10] 3d 02:49:03, metric 2
 > to 202.4.100.21 via ge-1/0/0.0

inet.3: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

118.179.191.6/32 *[LDP/9] 08:40:00, metric 1> to 202.4.100.21 via ge-1/0/0.0, Push 299936

After

dhakacom@rt-01-mx.dhakacom.com> show route 118.179.191.6

inet.0: 20 destinations, 26 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

118.179.191.6/32 *[LDP/9] 00:05:42, metric 1
 > to 202.4.100.21 via ge-1/0/0.0, Push 299936
 [OSPF/10] 00:06:34, metric 2
 > to 202.4.100.21 via ge-1/0/0.0

inet.3: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

118.179.191.6/32 *[LDP/9] 00:02:37, metric 1
 > to 202.4.100.21 via ge-1/0/0.0, Push 299936

Hiding MPLS core to the client

Tags

mpls

In this post we will look at what happens to the TTL value of a packet when it enters the MPLS VPN. We will also see how we can change that behavior to hide the provider network from customers.

C1S1(CE)—R1(PE)—R2(P)—R3(P)—R4(PE)—C1S2(CE)

Before disabling TTL propagation bellow is the trace route:

1 192.168.10.1 20 msec 16 msec 16 msec
2 192.168.12.2 [MPLS: Labels 22/25 Exp 0] 112 msec 112 msec 104 msec
3 192.168.23.2 [MPLS: Labels 22/25 Exp 0] 112 msec 88 msec 84 msec
4 192.168.11.1 [MPLS: Label 25 Exp 0] 76 msec 80 msec 76 msec
5 192.168.11.2 64 msec * 120 msec

After putting no mpls ip propagate-ttl forwarded bellow is the trace route output:

1 192.168.10.1 8 msec 52 msec 20 msec
2 192.168.11.1 [MPLS: Label 25 Exp 0] 88 msec 88 msec 76 msec
3 192.168.11.2 116 msec * 160 msec

It hides the P routers from the client. You need put this command in all your PE and P router.

MPLS Layer3 VPN : Part 3 (Configure L3 VPN for CUSTOMER2)

Tags

cisco, mpls, MPLS L3 VPN

In this phase L3VPN is configured for CUSTOMER2. It is same for CUSTOMER1 but only difference is that between PE router R1 and CE router C2S1 protocol will be OSPF.

PHASE 3: Configure L3 VPN for CUSTOMER2

1. Create Separate VRF for CUSTOMER1

R1(config)#ip vrf CUSTOMER2
R1(config-vrf)#rd 500:2
R1(config-vrf)#route-target export 500:2
R1(config-vrf)#route-target import 500:2

2. MP-BGP with R4, actiavte VPNv4 and redistribute OSPF route to BGP

2.A Configurer MP-BGP/Activate VPNv4
As MP-BGP in place with R1 and R4 (configured in phase 2) do not need configure anything new.

2.B Redistribute CUSTOMER2 VRF OSPF route to BGP

R1(config-router-af)#address-family ipv4 vrf CUSTOMER2
R1(config-router-af)#redistribute ospf 102 match internal
R1(config-router-af)#no auto-summary

3. Create OSPF with R1 and C2S1 and redistribute BGP to OSPF

R1(config)#router ospf 102 vrf CUSTOMER2
R1(config-router)#network 192.168.100.0 0.0.0.3 area 0
R1(config-router)#redistribute bgp 500 subnets

4. Put interface or R1 & R4 in related VRF.

R1(config)#interface FastEthernet2/0
R1(config-if)#ip vrf forwarding CUSTOMER2

PE router R4 configuration will be similar to R1. Bellow is the configuration of R4

R4:

ip vrf CUSTOMER2

rd 500:2

route-target export 500:2
route-target import 500:2
!
interface FastEthernet2/0
ip vrf forwarding CUSTOMER2
!
router ospf 102 vrf CUSTOMER2
log-adjacency-changes
redistribute bgp 500 subnets
network 192.168.110.0 0.0.0.3 area 0
!
router bgp 500
no synchronization
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 500
neighbor 10.10.10.1 update-source Loopback0
no auto-summary
 !
address-family vpnv4
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 next-hop-self
neighbor 10.10.10.1 send-community extended
exit-address-family
 !
address-family ipv4 vrf CUSTOMER2
redistribute ospf 102 match internal
no auto-summary
no synchronization
exit-address-family
 !

Check the VRF table for CUSTOMER2

R4#show ip route vrf CUSTOMER2

Routing Table: CUSTOMER2
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

192.168.110.0/30 is subnetted, 1 subnets
C 192.168.110.0 is directly connected, FastEthernet2/0
172.173.0.0/32 is subnetted, 2 subnets
B 172.173.1.1 [200/2] via 10.10.10.1, 02:03:24
O 172.173.2.1 [110/2] via 192.168.110.2, 01:58:20, FastEthernet2/0
192.168.100.0/30 is subnetted, 1 subnets
B 192.168.100.0 [200/0] via 10.10.10.1, 02:03:24

R4 is receiving 172.173.1.0/24 as BGP route via 10.10.10.1. This route is coming via OSPF from C2S1 to R1; R1 is announcing this via MP-BGP to R4. R4 remove MPLS and VPN tag and install it CUSTOMER1 VRF table.

If you check carefully, there is no related route (172.173.1.0/.24 or 172.173.2.0/24) in provider core router(R2,R3 or R5). These routers are not aware about these routes.

C2S1#traceroute

Protocol [ip]:
Target IP address: 172.173.2.1
Source address: 172.173.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 172.173.2.1

1 192.168.100.1 56 msec 76 msec 4 msec
2 192.168.12.2 [MPLS: Labels 22/27 Exp 0] 140 msec 132 msec 160 msec
3 192.168.23.2 [MPLS: Labels 20/27 Exp 0] 168 msec 112 msec 140 msec
4 192.168.110.1 [MPLS: Label 27 Exp 0] 100 msec 356 msec 108 msec
5 192.168.110.2 132 msec * 100 msec

MPLS Layer3 VPN : Part 2 (Configure L3 VPN for CUSTOMER1)

Tags

cisco, mpls, MPLS L3 VPN

MPLS L3 VPN involves following steps:

Step 1: The CE router sends an IPv4 routing update to the PE Router.
Step 2: A 64 bit RD is prepended to the customer IPv4 prefix to make it globally unique, resulting in a 96-bit VPNv4 prefix.
Step 3: A 96 bit VPNv4 prefix is propagated via MP-BGP to the other PE router.
Step 4: The RD is removed from the VPNv4 prefix, resulting in a 32 bit IPv4 prefix.
Step 5: The PE router sends the resulting IPv4 prefix to the CE router.

For the provider R1 & R4 work as PE Router.

PHASE 2: Configure L3 VPN for CUSTOMER1

1. Create Separate VRF for CUSTOMER1
R1(config)#ip vrf CUSTOMER1
R1(config-vrf)#rd 500:1
R1(config-vrf)#route-target export 500:1
R1(config-vrf)#route-target import 500:1

2. MP-BGP with R4, actiavte VPNv4 and redistribute static route to BGP
2.A Configurer MP-BGP

R1(config)#router bgp 500
R1(config-router)#neighbor 10.10.10.4 remote-as 500
R1(config-router)#neighbor 10.10.10.4 update-source Loopback0

2.B Activate VPNv4

R1(config-router)# address-family vpnv4
R1(config-router-af)#neighbor 10.10.10.4 activate
R1(config-router-af)#neighbor 10.10.10.4 next-hop-self
R1(config-router-af)#neighbor 10.10.10.4 send-community extended

2.C Redistribute CUSTOMER1 VRF static route to BGP

R1(config-router-af)#address-family ipv4 vrf CUSTOMER1
R1(config-router-af)#redistribute static
R1(config-router-af)#no auto-summary

3. Create static route in CUSTOMER1 VRF.

R1(config)#ip route vrf CUSTOMER1 172.172.1.0 255.255.255.0 192.168.10.2

4. Put interface or R1 & R4 in related VRF.

R1(config)#interface FastEthernet1/0
R1(config-if)#ip vrf forwarding CUSTOMER1

5. From C1S1 route just provide a default route to R1.

PE router R4 configuration will be similar to R1. Bellow is the configuration of R4

R4:

ip vrf CUSTOMER1
rd 500:1
route-target export 500:1
route-target import 500:1
!
interface FastEthernet1/0
ip vrf forwarding CUSTOMER1
!
router bgp 500
no synchronization
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 500
neighbor 10.10.10.1 update-source Loopback0
no auto-summary
 !
address-family vpnv4
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 next-hop-self
neighbor 10.10.10.1 send-community extended
exit-address-family
 !
address-family ipv4 vrf CUSTOMER1
redistribute static
no auto-summary
no synchronization
exit-address-family
!
ip route vrf CUSTOMER1 172.172.2.0 255.255.255.0 192.168.11.2

Check the VRF table for CUSTOMER1

R4#show ip route vrf CUSTOMER1

Routing Table: CUSTOMER1
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is not set

172.172.0.0/24 is subnetted, 2 subnets
B 172.172.1.0 [200/0] via 10.10.10.1, 01:35:55
S 172.172.2.0 [1/0] via 192.168.11.2
192.168.11.0/30 is subnetted, 1 subnets
C 192.168.11.0 is directly connected, FastEthernet1/0

R4 is receiving 172.172.1.0/24 as BGP route via 10.10.10.1. This route is coming statically coming to R1; R1 is announcing this via MP-BGP to R4. R4 remove MPLS and VPN tag and install it CUSTOMER1 VRF table.

If you check carefully, there is no related route (172.172.1.0/.24 or 172.172.2.0/24) in provider core router(R2,R3 or R5). These routers are not aware about these routes.

Check the reachability from C1S1:

C1S1# traceroute
Protocol [ip]:
Target IP address: 172.172.2.1
Source address: 172.172.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 172.172.2.1

1 192.168.10.1 12 msec 24 msec 8 msec
2 192.168.12.2 [MPLS: Labels 22/25 Exp 0] 112 msec 160 msec 136 msec
3 192.168.23.2 [MPLS: Labels 20/25 Exp 0] 92 msec 156 msec 148 msec
4 192.168.11.1 [MPLS: Label 25 Exp 0] 80 msec 112 msec 112 msec
5 192.168.11.2 96 msec * 104 msec

MPLS Layer3 VPN : Part 1 (Enable MPLS in Provider Core)

Tags

cisco, mpls, MPLS L3 VPN

Loopback Interface:
R1: 10.10.10.1/32
R2: 10.10.10.2/32
R3: 10.10.10.3/32
R4: 10.10.10.4/32
R5: 10.10.10.5/32

Connectivity between Provider Routers:
IP block used to connect Provider routers is 192.168. In additional there is additional loopback1 interface in R1(172.16.1.0/24) & R4(172.16.4.0/24).

OSPF as IGP used in provider network.

Provider has two customer. Customer1 Site1 will communicate with Customer1 Site2. For this Customer1 will connect with Provider via static route. Customer2 Site1 will communicate with Customer2 Site2. For this Customer2 will connect with Provider via OSPF.

TASK:
1. Configure interface accordingly.
2. Enable OSPF as IGP in Provider Core.
3. Enable MPLS in Provider Core.
4. Ensure that R1 loopback1 is reachable from R4 loopback1
5. Check the MPLS lable and tags.

Bellow is the standard templates used for all the routers:

hostname ROUTERNAME
ip cef
no ip domain-lookup
no ip http server
no ip http secure-server
no ip finger
no service pad
no service udp-small-server
no service tcp-small-server
no ip bootp server
no ip source-route
logging source-interface loopback 0
logging buffered 16384
service timestamps debug datetime msec
service timestamps log datetime msec
clock timezone UTC 06
ip routing
ip subnet-zero
ip classless
!
line console 0
logging synchronous
transport preferred none
exec-timeout 0 0

PHASE 1:

In PHASE 1 we enable MPLS in provider routers.

1. Enable CEF globally

R1(config)#ip cef

2. Activate LDP

R1(config)#mpls label protocol ldp

3. Enable MPLS per interface

R1(config-if)#mpls ip

[Please do the same for the rest of the routers R2, R3, R4 & R5]

Bellow are the routers configurations:

R1:

interface Loopback0
ip address 10.10.10.1 255.255.255.255
!
interface Loopback1
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
router ospf 100
network 10.10.10.1 0.0.0.0 area 0
network 172.16.1.0 0.0.0.255 area 0
network 192.168.12.0 0.0.0.3 area 0

R2:

interface Loopback0
ip address 10.10.10.2 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
interface FastEthernet1/0
ip address 192.168.23.1 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
interface FastEthernet2/0
ip address 192.168.25.1 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
router ospf 100
log-adjacency-changes
network 10.10.10.2 0.0.0.0 area 0
network 192.168.12.0 0.0.0.3 area 0
network 192.168.23.0 0.0.0.3 area 0
network 192.168.25.0 0.0.0.3 area 0

R3:

interface Loopback0
ip address 10.10.10.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.23.2 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
interface FastEthernet1/0
ip address 192.168.34.1 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
interface FastEthernet2/0
ip address 192.168.35.1 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
router ospf 100
log-adjacency-changes
network 10.10.10.3 0.0.0.0 area 0
network 192.168.23.0 0.0.0.3 area 0
network 192.168.34.0 0.0.0.3 area 0
network 192.168.35.0 0.0.0.3 area 0

R4:

interface Loopback0
ip address 10.10.10.4 255.255.255.255
!
interface Loopback1
ip address 172.16.4.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.34.2 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
router ospf 100
log-adjacency-changes
network 10.10.10.4 0.0.0.0 area 0
network 172.16.4.0 0.0.0.255 area 0
network 192.168.34.0 0.0.0.3 area 0

R5:

interface Loopback0
ip address 10.10.10.5 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.35.2 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
interface FastEthernet1/0
ip address 192.168.25.2 255.255.255.252
duplex auto
speed auto
mpls label protocol ldp
tag-switching ip
!
router ospf 100
log-adjacency-changes
network 10.10.10.5 0.0.0.0 area 0
network 192.168.25.0 0.0.0.3 area 0
network 192.168.35.0 0.0.0.3 area 0

Few output:

R1#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 192.168.23.0/30 0 Fa0/0 192.168.12.2
17 17 192.168.35.0/30 0 Fa0/0 192.168.12.2
18 16 192.168.34.0/30 0 Fa0/0 192.168.12.2
19 Pop tag 192.168.25.0/30 0 Fa0/0 192.168.12.2
20 Pop tag 10.10.10.2/32 0 Fa0/0 192.168.12.2
21 19 10.10.10.3/32 0 Fa0/0 192.168.12.2
22 20 10.10.10.5/32 0 Fa0/0 192.168.12.2
23 22 10.10.10.4/32 0 Fa0/0 192.168.12.2
24 23 172.16.4.1/32 0 Fa0/0 192.168.12.2

R1#traceroute
Protocol [ip]:
Target IP address: 172.16.4.1
Source address: 172.16.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 172.16.4.1

1 192.168.12.2 [MPLS: Label 23 Exp 0] 140 msec 136 msec 252 msec
2 192.168.23.2 [MPLS: Label 23 Exp 0] 100 msec 156 msec 16 msec
3 192.168.34.2 316 msec * 8 msec

In next blog we will configure MPLS L3 VPN for Customer 1 & Customer 2.