Notes from the Networking Field: September 2019

Sunday 22 September 2019

Part1 - Cisco MPLS L3VPN Lab

In this series of posts, we will look at various technologies used for Inter-AS design. To build these labs, we will use:

OSPF
IS-IS
MPLS
Layer3 VPN (VRFs)
Multi-protocol BGP

A few years ago I passed the CCIE Service Provider certification. The lab side of this course is heavily focused on ISIS, BGP, OSPF and L2/L3 VPNs. These build together to form Inter-AS designs, with Option A, B and C being practiced for the lab.

InterAS Option C (which is knows as "MPLS VPN Inter-AS with ASBRs Exchanging IPv4 Routes and MPLS Labels" - Option C is much easier..) is a method to enable to AS's to join together, and allow IPv4/v6 routes to be distributed between the AS (via their route reflectors), and VPNv4/v6 routes to pass across the network to support end customer CE devices connected to the different AS's.

Assumed Knowledge

This series assumes some core understanding of the above listed technologies. I do provide config for each of the steps, but if you ever need to troubleshoot what has been loaded, you will need some basic understanding of how the tech works. If you have CCNP-SP/JNCIP-SP level knowledge, that should suit these posts.

To create this environment, I have used the following lab and images:

. Intel Core i7 with 32GB ram [10GB is needed for the lab to be built, so a 16GB system would be fine]
. 256GB SSD [20GB max is needed for the lab]

. VMware ESXi 6.7 [this can be built on any platform that EVE-NG can be installed on]

. EVE-NG community edition virtual environment (latest version - im using 2.0.3-95) with the following images:

. vIOS        - vios-adventerprisek9-m-15.5
. iosXR       - xrv-k9-6.0.0
. csr1000v - csr1000v-3.16.00.S.155-3.S
. vSRX      - vsrx-12.1X47-D20.7-domestic

The Cisco router layout for the lab looks like this:

What are we trying to achieve ?

We need to get traffic between each separate customer (Cust1=YELLOW, Cust2=ORANGE) across the 2 networks, in a segmented VRF without customer routes appearing in either core network. The IPv4 core will have NONE of the customer routes within the RIBs of any of the core routers (this is handled via MP-BGPv4).
The aim is to create a scalable network in the core which can support lots more customers transiting traffic in the same way, via simple MPLS paths and Layer3 VPN tunnels.

When I build and design, normally Ill look to do it in layers. For the CCIE lab this is critical (as you are time limited and you need to build it Layer2 - Layer3 - IGP - BGP - special config, with verification of each step, otherwise troubleshooting faults is a nightmare), and it's great way to learn making sure each step is validated correctly.

The steps we will go through to build this design over the following posts are as follows:

Stage 1 - Build OSPF/ISIS Areas
Stage 2 - Configure BGP, Create ASBRs/PEs, use RR via R7/R8
Stage 3 - Enable MPLS
Stage 4 - Create InterAS OptC (multihop vpnv4 ebgp between RR lo)
Stage 5 - Connect CEs, CUST1=OSPF CUST2=BGP
Stage 6 - replace some routers with Juniper

Download the LAB from HERE
Download the base config from HERE

OK lets start the lab up. You can select all the devices to start them, and then let the routers fire up. This will take 5-10 minutes depending on your system performance, so give them all a chance to get up to the login prompts. The IOS XR units use cisco/cisco as the login, and the other devices should not need a login. Go through the routers and apply the base config to them all (making sure that interfaces are UP as well during the setup, and that you can ping the other end of each of the links you create). This sets up the IP addressing and port config, ready for Stage1.

Once you have Layer3 connectivity, lets begin and work on Stage1 - OSPF/ISIS. We need IGP connectivity, so that we can then move on to create the BGP peering and InterAS design.

AS21 - OSPF (R1,R2,R6,R7,R10)

R1

router ospf 21
address-family ipv4
area 0
interface Loopback0
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/1
!
interface GigabitEthernet0/0/0/2
!
!
!

R2

router ospf 21
address-family ipv4
area 0
interface Loopback0
passive enable
!
interface GigabitEthernet0/0/0/0
!
interface GigabitEthernet0/0/0/1
!
interface GigabitEthernet0/0/0/2
!
!
!

R6

router ospf 21
network 6.6.6.6 0.0.0.0 area 0
network 10.0.0.0 0.0.255.255 area 0

R7

router ospf 21
router-id 7.7.7.7
network 7.7.7.7 0.0.0.0 area 0
network 10.0.0.0 0.0.255.255 area 0

R10

router ospf 21
network 10.0.0.0 0.0.255.255 area 0
network 10.10.10.10 0.0.0.0 area 0

Once completed, we should find we have OSPF adjacency to each connected peer, and a OSPF Database (and RIB) list with the interfaces and loopback addresses all listed for the AS:

Looks good - OSPF intra area routes are in the RIB (TYPE = O), and all router LSAs are present in the OSPF DB.

Lets create the ISIS peering for the other AS. Here we use metric-style wide to support the MPLS TLVs used in ISIS:

AS111 - ISIS (R3,R4,R5,R8,R9)

R3

router isis 1
is-type level-2-only
net 49.1111.0000.0000.0003.00
address-family ipv4 unicast
metric-style wide
!
interface Loopback0
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/0
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/1
address-family ipv4 unicast
!
!
!

R4
router isis 1
is-type level-2-only
net 49.1111.0000.0000.0004.00
address-family ipv4 unicast
metric-style wide
!
interface Loopback0
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/1
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/2
address-family ipv4 unicast
!
!
interface GigabitEthernet0/0/0/3
address-family ipv4 unicast
!
!
!

R5
router isis 1
net 49.1111.0000.0000.0005.00
is-type level-2-only
metric-style wide
!
interface Loopback0
ip router isis 1
!
interface GigabitEthernet2
ip router isis 1
!
interface GigabitEthernet3
ip router isis 1

R8
router isis
net 49.1111.0000.0000.0008.00
is-type level-2-only
metric-style wide
!
interface Loopback0
ip router isis
!
interface GigabitEthernet1
ip router isis
!
interface GigabitEthernet2
ip router isis

R9
router isis
net 49.1111.0000.0000.0009.00
is-type level-2-only
metric-style wide
!
interface Loopback0
ip router isis
!
interface GigabitEthernet1
ip router isis
!
interface GigabitEthernet2
ip router isis
!
interface GigabitEthernet3
ip router isis

This should now show a complete ISIS network, with all routes and neighbours verified:

Great! Routes present (Type L2) and all loopbacks in the RIB. In the next post we will move on to Stage2 and get the BGP peering working. Check out the next post HERE

Part 2 - Cisco MPLS L3VPN Lab

In the previous post we looked at the IGP configuration. That's now verified and working, so lets move on the BGP and MPLS.

Stage 1 - Build OSPF/ISIS Areas - COMPLETE
Stage 2 - Configure BGP, Create ASBRs/PEs, use RR via R7/R8
Stage 3 - Enable MPLS
Stage 4 - Create InterAS OptC (multihop vpnv4 ebgp between RR lo)
Stage 5 - Connect CEs, CUST1=OSPF CUST2=BGP
Stage 6 - replace some routers with Juniper

Just as a reminder, here is our lab design:

Now for Stage2 - we need to create BGP peering within each AS (to the AS route reflector - R7 or R8) and also create a eBGP peering between AS's. We will also add in the MPLS label function to BGP, as we will need that for the next stage. A few points about the BGP peers:

1. We are using BGP IPv4 labeled-unicast for the peering, since MPLS labels need to be passed between BGP peers.
2. We will pass the loopback addresses between the eBGP peers via the network statement (rather than a redistribute statement)
3. IOS-XR blocks eBGP route passing by default, so we need the PASS route-policy in place to support the route flow
4. We use the next-hop-self on the ASBR so that routers inside the AS know how to get across to the other AS for their loopbacks and routes

AS21 (R1,R2,R6,R7,R10)

R1

router bgp 21
bgp router-id 1.1.1.1
address-family ipv4 unicast
allocate-label all
!
neighbor 7.7.7.7
remote-as 21
update-source Loopback0
address-family ipv4 labeled-unicast
   next-hop-self
!

R2
route-policy PASS
pass
end-policy
!
router bgp 21
bgp router-id 2.2.2.2
address-family ipv4 unicast
network 1.1.1.1/32
network 2.2.2.2/32
network 6.6.6.6/32
network 7.7.7.7/32
network 10.10.10.10/32
allocate-label all
!
neighbor 7.7.7.7
remote-as 21
update-source Loopback0
address-family ipv4 labeled-unicast
   next-hop-self
!
!
neighbor 10.0.29.2
remote-as 111
address-family ipv4 labeled-unicast
   route-policy PASS in
   route-policy PASS out
!
!
!

R6
router bgp 21
bgp router-id 6.6.6.6
bgp log-neighbor-changes
neighbor 7.7.7.7 remote-as 21
neighbor 7.7.7.7 update-source Loopback0
neighbor 10.22.22.2 remote-as 2
!
address-family ipv4
neighbor 7.7.7.7 activate
neighbor 7.7.7.7 next-hop-self
neighbor 7.7.7.7 send-label
neighbor 10.22.22.2 activate
exit-address-family
!

R7
router bgp 21
template peer-policy AS21
route-reflector-client
send-community both
send-label
exit-peer-policy
!
template peer-session AS21_SESS
remote-as 21
update-source Loopback0
exit-peer-session
!
bgp router-id 7.7.7.7
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 1.1.1.1 inherit peer-session AS21_SESS
neighbor 2.2.2.2 inherit peer-session AS21_SESS
neighbor 6.6.6.6 inherit peer-session AS21_SESS
neighbor 10.10.10.10 inherit peer-session AS21_SESS
!
address-family ipv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 inherit peer-policy AS21
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 inherit peer-policy AS21
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 inherit peer-policy AS21
neighbor 10.10.10.10 activate
neighbor 10.10.10.10 inherit peer-policy AS21
exit-address-family
!

R10
router bgp 21
bgp router-id 10.10.10.10
bgp log-neighbor-changes
neighbor 7.7.7.7 remote-as 21
neighbor 7.7.7.7 update-source Loopback0
neighbor 10.0.103.1 remote-as 111
!
address-family ipv4
network 1.1.1.1 mask 255.255.255.255
network 2.2.2.2 mask 255.255.255.255
network 6.6.6.6 mask 255.255.255.255
network 7.7.7.7 mask 255.255.255.255
network 10.10.10.10 mask 255.255.255.255
neighbor 7.7.7.7 activate
neighbor 7.7.7.7 next-hop-self
neighbor 7.7.7.7 send-label
neighbor 10.0.103.1 activate
neighbor 10.0.103.1 send-label
exit-address-family

BGP peers should now be up, with the 5 local routes coming in from the 2 ASBRs. The RIB failure here is due to the OSPF route already being present in the RIB, so BGP can't add those routes in (as its less preferred).

OK on to the next AS:

AS111 (R3,R4,R5,R8,R9)
R3
route-policy PASS
pass
end-policy
!
router bgp 111
bgp router-id 3.3.3.3
address-family ipv4 unicast
network 3.3.3.3/32
network 4.4.4.4/32
network 5.5.5.5/32
network 8.8.8.8/32
network 9.9.9.9/32
allocate-label all
!
neighbor 8.8.8.8
remote-as 111
update-source Loopback0
address-family ipv4 labeled-unicast
   next-hop-self
!
!
neighbor 10.0.103.2
remote-as 21
address-family ipv4 labeled-unicast
   route-policy PASS in
   route-policy PASS out
!
!
!

R4
router bgp 111
bgp router-id 4.4.4.4
address-family ipv4 unicast
allocate-label all
!
address-family vpnv4 unicast
!
neighbor 8.8.8.8
remote-as 111
update-source Loopback0
address-family ipv4 labeled-unicast
   next-hop-self
!

R5
router bgp 111
bgp router-id 5.5.5.5
bgp log-neighbor-changes
neighbor 8.8.8.8 remote-as 111
neighbor 8.8.8.8 update-source Loopback0
neighbor 10.22.222.2 remote-as 2
!
address-family ipv4
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 next-hop-self
neighbor 8.8.8.8 send-label
neighbor 10.22.222.2 activate
exit-address-family
!

R8
router bgp 111
template peer-policy AS111
route-reflector-client
send-community both
send-label
exit-peer-policy
!
template peer-session AS111_SESS
remote-as 111
update-source Loopback0
exit-peer-session
!
bgp router-id 8.8.8.8
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 3.3.3.3 inherit peer-session AS111_SESS
neighbor 4.4.4.4 inherit peer-session AS111_SESS
neighbor 5.5.5.5 inherit peer-session AS111_SESS
neighbor 9.9.9.9 inherit peer-session AS111_SESS
!
address-family ipv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 inherit peer-policy AS111
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 inherit peer-policy AS111
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 inherit peer-policy AS111
neighbor 9.9.9.9 activate
neighbor 9.9.9.9 inherit peer-policy AS111
exit-address-family
!

R9
router bgp 111
bgp router-id 9.9.9.9
bgp log-neighbor-changes
neighbor 8.8.8.8 remote-as 111
neighbor 8.8.8.8 update-source Loopback0
neighbor 10.0.29.1 remote-as 21
!
address-family ipv4
network 3.3.3.3 mask 255.255.255.255
network 4.4.4.4 mask 255.255.255.255
network 5.5.5.5 mask 255.255.255.255
network 9.9.9.9 mask 255.255.255.255
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 next-hop-self
neighbor 8.8.8.8 send-label
neighbor 10.0.29.1 activate
neighbor 10.0.29.1 send-label
exit-address-family

We should now have AS111 active, and all peers up, with routes from both AS111 AND loopbacks from AS21, due to the eBGP peering between AS.

Looking at the routing table, we now have BGP routes present (B) from the AS21. Now we need to move on to the next stage, and enable MPLS across the different networks, so that we can get end to end connectivity.

Stage3 - Enable MPLS

We need to turn on MPLS and LDP on each of the routers, and create a static route on the XR ASBR units (since they require a /32 host route between peers to create a correct label path). The easiest way to enable ldp on all the links is to use the auto-config under the IGP, which makes sure that for all IGP enabled interfaces, LDP is also enabled and labels will be created.

R1
router ospf 21
mpls ldp auto-config

mpls ldp
router-id 1.1.1.1
address-family ipv4
!
!

R2
router static
address-family ipv4 unicast
10.0.29.2/32 GigabitEthernet0/0/0/0
!
!
router ospf 21
mpls ldp auto-config
!
mpls ldp
router-id 2.2.2.2
address-family ipv4
!
interface GigabitEthernet0/0/0/0
!
!

R3
router static
address-family ipv4 unicast
10.0.103.2/32 GigabitEthernet0/0/0/2
!
!
router isis 1
address-family ipv4 unicast
mpls ldp auto-config
!
mpls ldp
router-id 3.3.3.3
address-family ipv4
!
interface GigabitEthernet0/0/0/2
address-family ipv4
!
!
!

R4
router isis 1
address-family ipv4 unicast
mpls ldp auto-config
!
mpls ldp
router-id 4.4.4.4
address-family ipv4
!
!

R5
router isis 1
mpls ldp autoconfig
!
mpls ldp router-id Loopback0
!

R6
router ospf 21
mpls ldp autoconfig
!

R7
router ospf 21
mpls ldp autoconfig
!
mpls ldp router-id Loopback0
!

R8
router isis
mpls ldp autoconfig
!

R9
router isis
mpls ldp autoconfig
!
interface GigabitEthernet4
mpls bgp forwarding
!
mpls ldp router-id Loopback0

R10
interface GigabitEthernet1
mpls bgp forwarding
router ospf 21
mpls ldp autoconfig
!
mpls ldp router-id Loopback0

So we should now have a full label switched path end to end between the loopbacks of the 2 AS - lets have a look !

Trace from router 5 lo0 to router 6 lo0:

We start with 2 labels in the stack, 24008 is maintained across AS111, then it is pop'ed at the ASBR, and label 27 then label 24005 takes the traffic across AS21 to the final destination.

If we have a look across the other diagonal from AS21 to AS111:

We get the same result, with 2 labels within AS21, then a single label in AS111.

Looking at the MPLS forwarding table on R1, we can also see that routes have either a label or a pop label on them, which is what we want to see. If we see No Label listed here, that normally points to an issue in the config (e.g. MPLS not enabled on one of the interfaces).

We now have end to end MPLS label path, so we are ready to move on to Stage4 and build the L3 VPN tunnels across the core. The next post is HERE

Part 3 - Cisco MPLS L3VPN Lab

In the previous post we looked at the BGP and MPLS configuration.

Stage 1 - Build OSPF/ISIS Areas - COMPLETE
Stage 2 - Configure BGP, Create ASBRs/PEs, use RR via R7/R8 - COMPLETE
Stage 3 - Enable MPLS - COMPLETE
Stage 4 - Create InterAS OptC (multihop vpnv4 ebgp between RR lo)
Stage 5 - Connect CEs, CUST1=OSPF CUST2=BGP
Stage 6 - replace some routers with Juniper

Lets move on to configure the final stages ! So far what we have is a joined network at the same level via MPLS+BGP. The issue is, for us to create the Layer3 VPN tunnels, each AS needs to know about the VPNV4 destinations in the other AS, so that MPLS paths can be built for the MPLS traffic from the CE devices. The secret of this ? Connect the route-reflectors within each AS, and share routes. A few notes on this design:

. the next hop needs to remain unchanged when it is sent between the route-reflectors, to make sure the route reflectors do not become part of the data path
. add the VPNV4 family to the do the route-reflectors first, to make the config update easier
. ebgp multihop is required for the route-reflectors to be able to reach each other across the AS paths
. the ASBRs do NOT need VPNV4 configured on them, since they are not taking part in the VPNV4 process (they are simply forwarding traffic based on MPLS label), BUT the ASBRs do need a static route to address a fault in the XRv code that doesn't allocate the route correctly

The following shows us the peerings that we will now create:

Stage 4 - Create InterAS OptC

We need to peer the route-reflectors, and turn on the VPNV4 address family for all BGP peers.

R7
router bgp 21
neighbor 8.8.8.8 remote-as 111
neighbor 8.8.8.8 ebgp-multihop 255
neighbor 8.8.8.8 update-source Loopback0
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
neighbor 1.1.1.1 inherit peer-policy AS21
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community extended
neighbor 6.6.6.6 inherit peer-policy AS21
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community both
neighbor 8.8.8.8 next-hop-unchanged
exit-address-family
!

R1
router bgp 21
address-family vpnv4 unicast
!
neighbor 7.7.7.7
address-family vpnv4 unicast
   next-hop-self
!

R2
router static
address-family ipv4 unicast
10.0.29.2/32 GigabitEthernet0/0/0/0
!
!

R6
router bgp 21
!
address-family vpnv4
neighbor 7.7.7.7 activate
neighbor 7.7.7.7 send-community extended
neighbor 7.7.7.7 next-hop-self
exit-address-family
!

R8
router bgp 111
neighbor 7.7.7.7 remote-as 21
neighbor 7.7.7.7 ebgp-multihop 255
neighbor 7.7.7.7 update-source Loopback0
!
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
neighbor 4.4.4.4 inherit peer-policy AS111
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
neighbor 5.5.5.5 inherit peer-policy AS111
neighbor 7.7.7.7 activate
neighbor 7.7.7.7 send-community both
neighbor 7.7.7.7 next-hop-unchanged
exit-address-family
!
!

R3
router static
address-family ipv4 unicast
10.0.103.2/32 GigabitEthernet0/0/0/2
!
!

R4
router bgp 111
address-family vpnv4 unicast
!
neighbor 8.8.8.8
address-family vpnv4 unicast
   next-hop-self
!
!

R5
router bgp 111
address-family vpnv4
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community extended
neighbor 8.8.8.8 next-hop-self
exit-address-family
!

That's done ! Lets go have a look at the BGP output now on the route reflector:

R8# sh ip bgp all sum
For address family: IPv4 Unicast

Neighbor        V           AS MsgRcvd MsgSent   TblVer InQ OutQ Up/Down State/PfxRcd
3.3.3.3           4          111     102     123       58    0    0 01:27:10        8
4.4.4.4           4          111       9       32        58    0    0 00:05:11        0
5.5.5.5           4          111       6       20        58    0    0 00:01:32        0
7.7.7.7           4           21      10       10        43    0    0 00:00:26        5
9.9.9.9           4          111     115     136       58    0    0 01:27:21        6

For address family: VPNv4 Unicast

Neighbor        V           AS MsgRcvd MsgSent   TblVer InQ OutQ Up/Down State/PfxRcd
4.4.4.4           4          111       9      32        1    0    0 00:05:11        0
5.5.5.5           4          111       6      20        1    0    0 00:01:32        0
7.7.7.7           4           21      10      10        1    0    0 00:00:26        0

Looks good ! Now we have peering to the local AS PEs, as well as the other AS route reflector, via VPNv4.

Stage 5 - Connect CEs, CUST1=OSPF CUST2=BGP

Time to setup the VRFs on the PEs, and peer between the PE and CE devices, so that we can get traffic across the Inter-AS MPLS core between CEs.

We will setup the VRF and create the BGP/OSPF peering at the same time.

. for the OSPF peering, we will use process 1.
. we need to redistribute from the OSPF/BGP peering into the VPNv4 BGP network, so we can transmit across the MPLS core.
. Route-Distinguisher and Route-Target need to be configured, which are specific to the CUST1/2 network peering (so that the PEs know which route-targets to import for that customer)

R1
vrf CUST1
address-family ipv4 unicast
import route-target
   100:100
!
export route-target
   100:100
!
!
!
router ospf 1
vrf CUST1
router-id 1.1.1.1
redistribute connected
redistribute bgp 21
address-family ipv4 unicast
area 0
   interface GigabitEthernet0/0/0/3
   !
!
!
!
router bgp 21
vrf CUST1
rd 1:11
address-family ipv4 unicast
   network 10.11.11.0/30
   redistribute ospf 1 match internal external nssa-external
!

R11
router ospf 1
router-id 11.11.11.11
network 0.0.0.0 255.255.255.255 area 0
!

R6
vrf definition CUST2
rd 2:2
route-target export 200:200
route-target import 200:200
!
address-family ipv4
exit-address-family
!
interface GigabitEthernet3
vrf forwarding CUST2
ip address 10.22.22.1 255.255.255.252
!
router bgp 21
!
address-family ipv4 vrf CUST2
redistribute connected
neighbor 10.22.22.2 remote-as 2
neighbor 10.22.22.2 activate
neighbor 10.22.22.2 send-community both
exit-address-family

R12
router bgp 2
bgp router-id 12.12.12.12
bgp log-neighbor-changes
neighbor 10.22.22.1 remote-as 21
!
address-family ipv4
redistribute connected
neighbor 10.22.22.1 activate
neighbor 10.22.22.1 send-community both
neighbor 10.22.22.1 allowas-in
exit-address-family

R4

vrf CUST1
address-family ipv4 unicast
import route-target
   100:100
!
export route-target
   100:100
!
!
!
router ospf 1
vrf CUST1
router-id 4.4.4.4
redistribute connected
redistribute bgp 111
address-family ipv4 unicast
area 0
   interface GigabitEthernet0/0/0/0
   !
!
!
!
router bgp 111
vrf CUST1
rd 1:1
address-family ipv4 unicast
   network 10.11.111.0/30
   redistribute ospf 1 match internal external nssa-external
!
!
!

R14
router ospf 1
router-id 14.14.14.14
network 0.0.0.0 255.255.255.255 area 0
!

R5
vrf definition CUST2
rd 2:22
route-target export 200:200
route-target import 200:200
!
address-family ipv4
exit-address-family
!
interface GigabitEthernet1
vrf forwarding CUST2
ip address 10.22.222.1 255.255.255.252
!
router bgp 111
address-family ipv4 vrf CUST2
redistribute connected
neighbor 10.22.222.2 remote-as 2
neighbor 10.22.222.2 activate
neighbor 10.22.222.2 send-community both
exit-address-family
!

R13
router bgp 2
bgp router-id 13.13.13.13
bgp log-neighbor-changes
neighbor 10.22.222.1 remote-as 111
!
address-family ipv4
redistribute connected
neighbor 10.22.222.1 activate
neighbor 10.22.222.1 send-community both
neighbor 10.22.222.1 allowas-in
exit-address-family
!

And we should now be configured ! Lets have a look at R13 and R14 routers, and see what the trace looks like across to their other CE's connected to the other AS:

R13# sh ip route

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.22.22.0/30 [20/0] via 10.22.222.1, 00:06:28
C        10.22.222.0/30 is directly connected, GigabitEthernet0/0
L        10.22.222.2/32 is directly connected, GigabitEthernet0/0
      12.0.0.0/32 is subnetted, 1 subnets
B        12.12.12.12 [20/0] via 10.22.222.1, 00:06:28
      13.0.0.0/32 is subnetted, 1 subnets
C        13.13.13.13 is directly connected, Loopback0

R13# traceroute 12.12.12.12 source lo0
Type escape sequence to abort.
Tracing the route to 13.13.13.13
VRF info: (vrf in name/id, vrf out name/id)
1 10.22.222.1 5 msec 4 msec 5 msec
2 10.0.35.1 [MPLS: Labels 24004/23/27 Exp 0] 18 msec 16 msec 17 msec
3 10.0.39.2 [MPLS: Labels 23/27 Exp 0] 19 msec 44 msec 71 msec
4 10.0.29.1 [MPLS: Labels 24002/27 Exp 0] 30 msec 16 msec 16 msec
5 10.22.22.1 [AS 21] [MPLS: Label 27 Exp 0] 16 msec 16 msec 17 msec
6 10.22.22.2 [AS 21] 18 msec 18 msec *

R14# sh ip route
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2     10.11.11.0/30 [110/1] via 10.11.111.1, 00:07:58, GigabitEthernet0/0
C        10.11.111.0/30 is directly connected, GigabitEthernet0/0
L        10.11.111.2/32 is directly connected, GigabitEthernet0/0
        11.0.0.0/32 is subnetted, 1 subnets
O IA     11.11.11.11 [110/2] via 10.11.111.1, 00:07:58, GigabitEthernet0/0
        14.0.0.0/32 is subnetted, 1 subnets
C        14.14.14.14 is directly connected, Loopback0

R14# traceroute 11.11.11.11 so lo0
Type escape sequence to abort.
Tracing the route to 11.11.11.11
VRF info: (vrf in name/id, vrf out name/id)
1 10.11.111.1 4 msec 3 msec 2 msec
2 10.0.49.2 [MPLS: Labels 16/24005/24016 Exp 0] 19 msec 17 msec 18 msec
3 10.0.39.1 [MPLS: Labels 24005/24016 Exp 0] 21 msec 22 msec 19 msec
4 10.0.103.2 [MPLS: Labels 16/24016 Exp 0] 20 msec 21 msec 81 msec
5 10.0.110.1 [MPLS: Label 24016 Exp 0] 20 msec 19 msec 21 msec
6 10.11.11.2 21 msec * 22 msec

Exactly what we were looking for ! At the start of each trace, there are 3 labels. One gets stripped as they cross the core eBGP peering, and then one final label is left to PHP (penultimate hop - second to last) to the destination.

So thats done. We now have a working Cisco based Inter-AS option C design. Feel free to play with this design and config - its great for testing and also learning on OSPF/ISIS databases and peering designs, as well as VPNv4 route traffic and VRFs.

You can download the complete Cisco config HERE

In the final post, we will have a quick look at changing some of the routers from Cisco to Juniper. You can jump to that post HERE.

Part 4 - Cisco and Juniper MPLS L3VPN Lab

In the previous post we completed the Inter-AS design with Cisco.

Stage 1 - Build OSPF/ISIS Areas - COMPLETE
Stage 2 - Configure BGP, Create ASBRs/PEs, use RR via R7/R8 - COMPLETE
Stage 3 - Enable MPLS - COMPLETE
Stage 4 - Create InterAS OptC (multihop vpnv4 ebgp between RR lo) - COMPLETE
Stage 5 - Connect CEs, CUST1=OSPF CUST2=BGP - COMPLETE
Stage 6 - replace some routers with Juniper

In this final post, we will review the config required on the Juniper routers to take part in OSPF, ISIS and MPLS.

Our updated design looks like this, when we replace some of the Cisco routers with Juniper. To experiment, I have replaced R4, R7 and R10. This will give us a Juniper Route Reflector, ASBR and PE.

The core config required for Juniper is as follows (to remove the SRx security features that we don't need):

delete security
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based

Also some of the common commands that are needed (for the non Juniper amoung us) are:

set interfaces ge-0/0/0 unit 0 family inet address 10.0.210.2/30
set interfaces ge-0/0/1 unit 0 family inet address 10.0.110.2/30
set interfaces ge-0/0/2 unit 0 family inet address 10.0.103.2/30
set interfaces ge-0/0/3 unit 0 family inet address 10.0.107.2/30

set interfaces lo0 unit 0 family inet address 10.10.10.10/32

set system host R10

set system root-authentication encrypted-password "$1$Siw1mUfw$jKFGWROP5tRUrUe0idGXp."
[this sets it to Juniper1]

I won't go through all the steps to configure each router, since it is the same process as the Cisco units (just with the Juniper relevant command instead). The following are the configs for each of the devices:

R4
set interfaces ge-0/0/0 unit 0 family inet address 10.0.48.1/30
set interfaces ge-0/0/0 unit 0 family iso
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 family inet address 10.11.111.1/30
set interfaces ge-0/0/2 unit 0 family inet address 10.0.49.1/30
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family mpls
set interfaces ge-0/0/3 unit 0 family inet address 10.0.45.1/30
set interfaces ge-0/0/3 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 4.4.4.4/32
set interfaces lo0 unit 0 family iso address 49.1111.0000.0000.0004.00
set routing-options router-id 4.4.4.4
set routing-options autonomous-system 111
set protocols mpls interface lo0.0
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/2.0
set protocols mpls interface ge-0/0/3.0
set protocols bgp family inet labeled-unicast resolve-vpn
set protocols bgp family inet-vpn unicast
set protocols bgp group as111 type internal
set protocols bgp group as111 local-address 4.4.4.4
set protocols bgp group as111 neighbor 8.8.8.8 family inet labeled-unicast
set protocols bgp group as111 neighbor 8.8.8.8 family inet-vpn unicast
set protocols bgp group as111 neighbor 8.8.8.8 export next-hop-self
set protocols isis level 2 wide-metrics-only
set protocols isis interface all ldp-synchronization
set protocols isis interface all level 1 disable
set protocols ldp interface all
set policy-options policy-statement bgp-to-ospf term 1 from protocol bgp
set policy-options policy-statement bgp-to-ospf term 1 then accept
set policy-options policy-statement bgp-to-ospf term 2 then reject
set policy-options policy-statement next-hop-self then next-hop self
set policy-options policy-statement vpnexport term 1 from protocol ospf
set policy-options policy-statement vpnexport term 1 then community add cust1_comm
set policy-options policy-statement vpnexport term 1 then accept
set policy-options policy-statement vpnexport term 2 then reject
set policy-options policy-statement vpnimport term 1 from protocol bgp
set policy-options policy-statement vpnimport term 1 from community cust1_comm
set policy-options policy-statement vpnimport term 1 then accept
set policy-options policy-statement vpnimport term 2 then reject
set policy-options community cust1_comm members target:100:100
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based
set routing-instances CUST1 instance-type vrf
set routing-instances CUST1 interface ge-0/0/1.0
set routing-instances CUST1 route-distinguisher 1:1
set routing-instances CUST1 vrf-import vpnimport
set routing-instances CUST1 vrf-export vpnexport
set routing-instances CUST1 protocols ospf export bgp-to-ospf
set routing-instances CUST1 protocols ospf area 0.0.0.0 interface ge-0/0/1.0

R7
set interfaces ge-0/0/0 unit 0 family inet address 10.0.107.1/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 family inet address 10.0.17.2/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 7.7.7.7/32
set routing-options router-id 7.7.7.7
set routing-options autonomous-system 21
set routing-options resolution
set protocols mpls interface lo0.0
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/1.0
set protocols bgp family inet labeled-unicast resolve-vpn
set protocols bgp group as21 type internal
set protocols bgp group as21 local-address 7.7.7.7
set protocols bgp group as21 family inet labeled-unicast
set protocols bgp group as21 family inet-vpn unicast
set protocols bgp group as21 cluster 7.7.7.7
set protocols bgp group as21 neighbor 2.2.2.2 family inet labeled-unicast
set protocols bgp group as21 neighbor 2.2.2.2 family inet-vpn unicast
set protocols bgp group as21 neighbor 6.6.6.6 family inet labeled-unicast
set protocols bgp group as21 neighbor 6.6.6.6 family inet-vpn unicast
set protocols bgp group as21 neighbor 1.1.1.1 family inet labeled-unicast
set protocols bgp group as21 neighbor 1.1.1.1 family inet-vpn unicast
set protocols bgp group as21 neighbor 10.10.10.10 family inet labeled-unicast
set protocols bgp group as21 neighbor 10.10.10.10 family inet-vpn unicast
set protocols bgp group as111 type external
set protocols bgp group as111 multihop no-nexthop-change
set protocols bgp group as111 local-address 7.7.7.7
set protocols bgp group as111 neighbor 8.8.8.8 multihop
set protocols bgp group as111 neighbor 8.8.8.8 family inet-vpn unicast
set protocols bgp group as111 neighbor 8.8.8.8 peer-as 111
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface all ldp-synchronization
set protocols ldp interface all
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based

R10
set interfaces ge-0/0/0 unit 0 family inet address 10.0.210.2/30
set interfaces ge-0/0/0 unit 0 family mpls
set interfaces ge-0/0/1 unit 0 family inet address 10.0.110.2/30
set interfaces ge-0/0/1 unit 0 family mpls
set interfaces ge-0/0/2 unit 0 family inet address 10.0.103.2/30
set interfaces ge-0/0/2 unit 0 family mpls
set interfaces ge-0/0/3 unit 0 family inet address 10.0.107.2/30
set interfaces ge-0/0/3 unit 0 family mpls
set interfaces lo0 unit 0 family inet address 10.10.10.10/32
set routing-options router-id 10.10.10.10
set routing-options autonomous-system 21
set protocols mpls interface lo0.0
set protocols mpls interface ge-0/0/0.0
set protocols mpls interface ge-0/0/2.0
set protocols mpls interface ge-0/0/3.0
set protocols mpls interface ge-0/0/1.0
set protocols bgp family inet labeled-unicast
set protocols bgp group as21 type internal
set protocols bgp group as21 local-address 10.10.10.10
set protocols bgp group as21 neighbor 7.7.7.7 family inet labeled-unicast
set protocols bgp group as21 neighbor 7.7.7.7 export next-hop-self
set protocols bgp group ebgp type external
set protocols bgp group ebgp local-address 10.0.103.2
set protocols bgp group ebgp neighbor 10.0.103.1 family inet labeled-unicast
set protocols bgp group ebgp neighbor 10.0.103.1 export TO-AS111
set protocols bgp group ebgp neighbor 10.0.103.1 peer-as 111
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface ge-0/0/3.0
set protocols ospf area 0.0.0.0 interface all ldp-synchronization
set protocols ldp interface all
set policy-options policy-statement TO-AS111 term 1 from route-filter 1.1.1.1/32 exact
set policy-options policy-statement TO-AS111 term 1 from route-filter 2.2.2.2/32 exact
set policy-options policy-statement TO-AS111 term 1 from route-filter 6.6.6.6/32 exact
set policy-options policy-statement TO-AS111 term 1 from route-filter 7.7.7.7/32 exact
set policy-options policy-statement TO-AS111 term 1 from route-filter 10.10.10.10/32 exact
set policy-options policy-statement TO-AS111 term 1 then accept
set policy-options policy-statement next-hop-self then next-hop self
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set security forwarding-options family iso mode packet-based

Once configured, you should find you have MPLS labels, routes and IGP/BGP peering up as per Cisco. A completed Inter-AS design, with Cisco and Juniper happily working together !

You can download the Juniper (only) config file HERE

Thanks for reading, and I wish you good learning in your journey towards CCIE (or any form of service provider knowledge). Feel free to leave a post or send me an email with any comments or questions !