The Journey of a Network Engineer


February 9, 2011  8:16 AM

what is MPLS VPN?



Posted by: Sulaiman Syed
Cisco, how mpls vpn works, MPLS, mpls vpn, network, router, routing, service provider, virtual, virtual routing, vpn

When a service provider (SP) connects sites that belong to one customer using private addresses, the SP can simply advertise those routes within its own autonomous system. That works while it serves a single organization. What if the SP connects 10 customers, each with three sites, and all of them use network 10.0.0.0? The SP cannot run separate networks for each customer, and a plain VPN will not work either: with the same IP address assigned to more than one router, a router cannot tell which remote router a route belongs to. In scenarios such as these, MPLS VPN is the perfect solution.

MPLS VPN solves this problem by using multiple routing tables, a feature called Virtual Routing and Forwarding (VRF). A VRF is a separate routing table per customer, which solves the problem of overlapping IP addresses.

Usually the customer router is not aware of any MPLS cloud or VRF. The customer router is called the Customer Edge (CE). The first and last Label Switch Routers (LSRs) on the path are called Provider Edge (PE) routers, and the LSRs inside the SP network are called Provider (P) routers. PE routers are aware of VRFs, while P routers just forward packets based on labels.

P and PE routers both run LDP and an IGP. The IGP advertises the SP's own subnets only (no customer prefixes are advertised) to enable MPLS unicast IP routing. The PE does the extra work of learning customer routes and keeping track of which routes belong to which customer. The PE does not put these routes in the normal IP routing table; they are stored in per-customer tables. PEs use iBGP to exchange these routes with other PE routers.

PE routers push two labels onto each packet: an outer label, used to switch the packet to the egress PE, and an inner label, used to correlate the packet's destination with the right VRF.

The figure below shows the operation in a simple manner.

[Figure: MPLS VPN]

MPLS VPN works using three important concepts: VRFs, Route Distinguishers (RDs), and Route Targets (RTs). Further reading is required to get a more comprehensive view of MPLS VPN.
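The following is an added example, not from the original post, showing why per-customer VRF tables and RDs are needed: two customers advertise the identical 10.0.0.0/24, the ingress PE looks up the destination only in the VRF of the receiving interface and pushes the outer/inner label pair, and the egress PE uses the inner label alone to pick the customer table. All RDs, labels and PE loopbacks are constructed values, and one VPN label per VRF is an assumed simplification.

```python
import ipaddress

# Constructed sample data: two customers, both numbered out of 10.0.0.0/8.
# Each VRF gets its own Route Distinguisher (RD) and, for simplicity, one
# VPN (inner) label allocated by the egress PE for the whole VRF.
VRFS = {
    "CUST_A": {"rd": "65000:1", "vpn_label": 101},
    "CUST_B": {"rd": "65000:2", "vpn_label": 102},
}

# Per-VRF routing tables on the ingress PE: prefix -> egress PE loopback.
# The identical prefix appears in both tables; one global table could not hold it.
VRF_TABLES = {
    "CUST_A": {ipaddress.ip_network("10.0.0.0/24"): "192.0.2.2"},
    "CUST_B": {ipaddress.ip_network("10.0.0.0/24"): "192.0.2.3"},
}

# Outer (transport) label towards each egress PE loopback, as learned via LDP.
OUTER_LABEL_TO_PE = {"192.0.2.2": 16, "192.0.2.3": 17}


def vpnv4_nlri():
    """VPNv4 routes the PE carries in iBGP: RD:prefix, unique per customer."""
    return sorted(f"{VRFS[vrf]['rd']}:{p}" for vrf, t in VRF_TABLES.items() for p in t)


def vrf_lookup(vrf, dst_ip):
    """Longest-prefix match inside a single VRF table; returns (prefix, egress PE)."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [p for p in VRF_TABLES[vrf] if addr in p]
    if not hits:
        return None
    best = max(hits, key=lambda p: p.prefixlen)
    return best, VRF_TABLES[vrf][best]


def ingress_pe_forward(ingress_vrf, dst_ip):
    """Ingress PE: look up in the VRF bound to the receiving interface, then
    push [outer label to egress PE, inner label identifying the customer VRF]."""
    hit = vrf_lookup(ingress_vrf, dst_ip)
    if hit is None:
        return None  # no route in that VRF: drop, never fall back to the global table
    _prefix, egress_pe = hit
    return [OUTER_LABEL_TO_PE[egress_pe], VRFS[ingress_vrf]["vpn_label"]]


def egress_pe_vrf(inner_label):
    """Egress PE: once the outer label is gone, the inner label alone selects the VRF."""
    for vrf, attrs in VRFS.items():
        if attrs["vpn_label"] == inner_label:
            return vrf
    return None
```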

February 8, 2011  3:35 AM

How MPLS works?



Posted by: Sulaiman Syed
Cisco, how, how mpls works, ip, label, LDP, LFIB, MPLS, network, pop, push, QoS, tag, Unicast, works

MPLS uses a different mechanism to forward packets. Packets are forwarded based on an MPLS label instead of the conventional destination IP address. This adds the ability to make forwarding decisions based on factors besides the IP address, such as traffic engineering, QoS, and privacy requirements.

MPLS unicast IP forwarding is the base case: the forwarding logic works on labels, and these labels are chosen based on the routes in the unicast IP routing table. Hence the packets follow the same path as normal IP packets, without any advantage over IP routing. It is when used with the different MPLS applications that MPLS shines over IP routing, especially MPLS VPN and MPLS traffic engineering, which use MPLS as the underlying protocol and add various advantages on top of it.

For MPLS to work it requires a control plane: a routing protocol plus LDP (or TDP) to learn the routes, learn the labels, and correlate these labels with particular prefixes.

MPLS is transparent to the end users; they never send or receive labeled packets. One router adds labels and another router removes them. Adding a label is called a push, while removing one is called a pop; knowing these terms helps when reading the Label Forwarding Information Base (LFIB) table. The LFIB is the table Cisco routers use to know what action should be taken on labeled packets.

To see a simplified example of how MPLS works, refer to the figure below.

[Figure: MPLS Network]

1- Host A sends a packet to host B.
2- R1 is not configured with MPLS, hence the packet is forwarded based on the destination IP address.
3- R2 receives the packet and checks its LFIB table. It decides to push a new label of value 10 onto the packet and sends it out the respective interface.
4- R3 checks its LFIB table and swaps the old label with a new one, from 10 to 33, and forwards the packet.
5- R4 checks its LFIB table; the label is popped and the packet is forwarded.
6- R5 forwards the packet as a normal IP packet based on the destination IP address.

This is as simple as MPLS unicast IP forwarding works; to understand how the various protocols work, referring to LDP and the LFIB will suffice.
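As an added example (not part of the original post), the six steps above as a small LFIB simulation: R2 pushes label 10, R3 swaps it for 33, R4 pops it, and R1/R5 forward on the IP header only. The topology, the FEC prefix and the label values are constructed to match the figure.

```python
import ipaddress

# Constructed topology from the figure: Host A -> R1 -> R2 -> R3 -> R4 -> R5 -> Host B.
# R1 and R5 do not run MPLS; R2 is the ingress LSR, R3 a core LSR, R4 the egress LSR.
NEXT_HOP = {"R1": "R2", "R2": "R3", "R3": "R4", "R4": "R5", "R5": "HostB"}
MPLS_ROUTERS = {"R2", "R3", "R4"}

# Constructed FEC: the prefix that host B lives in (label 10 is bound to it).
FEC = ipaddress.ip_network("198.51.100.0/24")

# LFIB keyed by (router, incoming label). The entry with label None is the
# ingress LSR's FIB entry for unlabeled packets matching the FEC.
LFIB = {
    ("R2", None): ("push", 10),
    ("R3", 10): ("swap", 33),
    ("R4", 33): ("pop", None),
}


def one_hop(router, packet):
    """Forward a packet through one router; return (next_router, packet, action).
    packet = {"dst": "a.b.c.d", "labels": [top, ...]} with the top label first."""
    labels = list(packet["labels"])
    if router not in MPLS_ROUTERS:
        if labels:
            raise ValueError(f"{router} is not an LSR and received a labeled packet")
        return NEXT_HOP[router], packet, "ip"
    top = labels[0] if labels else None
    if top is None and ipaddress.ip_address(packet["dst"]) not in FEC:
        return NEXT_HOP[router], packet, "ip"  # no label bound to this destination
    action, out_label = LFIB[(router, top)]   # unknown label -> KeyError, i.e. drop
    if action == "push":
        labels.insert(0, out_label)
    elif action == "swap":
        labels[0] = out_label
    elif action == "pop":
        labels.pop(0)
    return NEXT_HOP[router], {"dst": packet["dst"], "labels": labels}, action


def trace(dst_ip, first_router="R1"):
    """Walk a packet from first_router to host B; list (router, action, label stack after)."""
    packet = {"dst": dst_ip, "labels": []}
    router, hops = first_router, []
    while router != "HostB":
        next_router, packet, action = one_hop(router, packet)
        hops.append((router, action, list(packet["labels"])))
        router = next_router
    return hops
```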


December 29, 2010  3:30 AM

Certified Cisco Design Associate – CCDA



Posted by: Sulaiman Syed
ccda, CCDP, CCNA, CCNP, Certification, Cisco

This exam touches the topics of enterprise networking in a brief yet fundamentally important way. It covers all the basics, from wireless and VoIP to the enterprise model.

I would recommend studying this not for the sake of certification but for the great knowledge acquired. It shows the best practices for network design and operation. It will also guide engineers during network expansions or upgrades.

The CCDA Official Exam Certification Guide (v3) is a good book that brings all the topics together in one volume for easy and effective reading.

After reading the book, you would expect to learn the following:

  • Network design methodology
  • Network structure models
  • Enterprise LAN design
  • Wireless LAN design
  • Enterprise edge module design
  • WAN design
  • IPv4 and IPv6
  • Routing protocol selection
  • RIP, EIGRP, OSPF, and IS-IS
  • BGP, route manipulation, and IP multicast
  • Security management, technologies, and design
  • Voice architectures and IP telephony design
  • Network management

Many of these topics will already have been covered if you have done CCNP, but CCDA is a requirement for CCDP. It would be good to get CCNA and CCDA in the same time frame, since CCDA works as a brief introduction to CCNP.


December 26, 2010  3:45 AM

How to aggregate ports?



Posted by: Sulaiman Syed
Aggregation, Cisco, LACP, PAgP, Port, vlan

In many cases we need higher bandwidth within the organization while we only have 1 Gb uplinks, or we stack switches and want multiple uplinks from each switch, or we just want a redundant link that is not blocked by STP. All of these are simple scenarios that we face, and the solution is rather simple.

Port aggregation is the answer; Cisco calls it EtherChannel. Before configuring an EtherChannel, the ports taking part in the channel should have the following settings unified:
1- Speed
2- Duplex
3- Spanning tree settings
4- Access ports must be in the same VLAN
5- If trunks, the native VLAN must be the same and they must carry the same VLANs
6- All ports must belong to the same EtherChannel group

There are basically two protocols to negotiate port channels, LACP and PAgP. I would prefer to just turn the channel on without negotiating.

Sample configuration:
switch(config)# interface range gigabitEthernet 0/1 - 4
switch(config-if-range)# channel-group 1 mode on

Apply the same configuration on the other side.


December 25, 2010  4:20 AM

AirWave



Posted by: Sulaiman Syed
Access, AirWave, Aruba, Cisco, fat, management, networks, Points, thin, Visual, WiFI

Last week we were contacted by Aruba Networks. They were marketing their latest WiFi solutions and AirWave, but what caught our attention was AirWave. It is a full management solution for WiFi networks, with interoperability with various vendors, including Cisco.

After going through a brief training/setup we were able to test AirWave ourselves. Aruba were nice enough to give us a webinar with their System Engineers Director Johan Schaap.

The product is impressive, loaded with so much information in just a few clicks. Let's go through the main features; a screenshot of the homepage is shown below. Keep in mind we have only added one building for testing purposes.

[Figure: AirWave]

The APs/Devices menu shows the list of access points, the users connected to them, and bandwidth utilization. In this list the IP, channel, IOS version, location, and LAN and wireless MAC addresses are shown for each access point. Clicking on an access point gives more information about it, its CDP neighbor and the users connected.

The Users tab shows all connected users, their bandwidth usage, and the history of each user (based on MAC) for up to 2 years: which access points it connected to, which SSID, duration, location, signal strength and IP address.

Reports: all kinds of reports can be generated on a daily, weekly or yearly basis, about almost every event! It is highly customizable, with all kinds of data, and the data available is just a lot!

RAPIDS is the rogue access point detection; AirWave can do a lot with this. It can block these access points, find their location, etc.

VisualRF is interesting as well. It shows the access points nicely on uploaded maps: which users are connected to which access point, signal strength, data rate, and plenty more. A screenshot of such an example:
[Figure: VisualRF]

One of the features is managing fat access points. Some organizations still use fat access points, although thin APs are recommended. With AirWave it is possible to create a template, and the software will make sure that all access points use that configuration (for unified configuration). It can also push any new configuration to the access points.

All I can say is that this is one of the best wireless management tools I have ever used. I would recommend it to everyone, regardless of what their infrastructure consists of.


December 19, 2010  3:46 AM

How to manipulate BGP Routes – part 3



Posted by: Sulaiman Syed
access-list, Cisco, distribute-list, filter-list, manipulate, prefix-list, route, route-map, weight

This is the last part of BGP route manipulation. As discussed in the earlier entries, routes can be manipulated by:

  • neighbor distribute-list (standard ACL / extended ACL)
  • neighbor prefix-list
  • neighbor filter-list
  • neighbor route-map

A valid question before talking about route-maps is: when should a route-map be used? A general rule is that when route manipulation is concerned with network prefixes, neighbor distribute-list and prefix-list will suffice. filter-list is used when route manipulation is based on AS information. route-maps should be used when the conditions are variable: they can be based on network prefixes, AS, NEXT_HOP, weight, LOCAL_PREF, ORIGIN, MED, etc.

The following lines are the command syntax for route-maps:

neighbor neighbor-id route-map name {in | out}
route-map name {permit | deny} number
 match ...
 set ...

match gives the condition or conditions on which we base the route manipulation, while set is the course of action we would like to take.

The following example shows how to set a weight of 200 on routes advertised by a certain BGP neighbor (10.0.0.1) that have ASN 55 in the AS_PATH.

ip as-path access-list 5 permit _55_
!
route-map weight-200 permit 10
 match as-path 5
 set weight 200
!
route-map weight-200 permit 20
!
router bgp 111
 neighbor 10.0.0.1 route-map weight-200 in

The second route-map clause is necessary; without it, all other routes advertised by neighbor 10.0.0.1 that do not have ASN 55 in their AS_PATH would be dropped, because a route-map ends with an implicit deny.

This concludes the manipulation of BGP routes. :)


December 16, 2010  4:46 AM

How to manipulate BGP Routes – part 2



Posted by: Sulaiman Syed
CCNP, Cisco, filter-list, map, regex, route, router

As discussed earlier, BGP mainly uses four variations to manipulate the routes:

  • neighbor distribute-list (standard ACL / extended ACL)
  • neighbor prefix-list
  • neighbor filter-list
  • neighbor route-map

The first two methods were explained in the earlier entry. In this entry I will explain how to use a filter-list and when it should be used.

filter-list is a strong tool to manipulate the routing table, which indirectly manipulates the path packets travel to reach their destinations.

When the goal of the policy is to filter routes based on matching the AS_PATH, a filter-list is used. A filter-list filters BGP updates by matching the AS_PATH PA. The syntax for the filter-list is as follows:

ip as-path access-list number {permit | deny} regex

neighbor neighbor-id filter-list as-path-filter-number {in | out}

regex are the conditions used to match the AS_PATH segments. An AS_PATH has four major segment types, which are:

  • AS_SEQUENCE: an ordered list of ASNs through which the route has been advertised. The delimiter between ASNs is a space, and there is no character enclosing the segment.
  • AS_SET: an unordered list of ASNs through which the route has been advertised. The delimiter between ASNs is a comma, and { } characters enclose the segment (usually used when a router summarizes a route).
  • AS_CONFED_SEQ: similar to AS_SEQUENCE, but holds confederation ASNs only. The delimiter between ASNs is a space, and ( ) characters enclose the segment.
  • AS_CONFED_SET: similar to AS_SET, but holds confederation ASNs only. The delimiter between ASNs is a comma, and { } characters enclose the segment.

The following line is an example of AS_CONFED_SEQ, AS_SEQUENCE, and AS_SET.

*>20.0.0.0/8         10.20.14.50               0              100            0  (111) 4 {1, 404, 200} i

The regexes that match these conditions are kind of tricky and confusing. I think the only way to master them is to practice making conditions with them. Here is a list that explains them in a nutshell:

  • ^: start of the line
  • $: end of line
  • |: logical OR applied between the characters.
  • _: any delimiter: blank, comma, start of line, or end of line.
  • .: any single character
  • ?: Zero or one instances of the preceding character
  • *: Zero or more instances of the preceding character
  • +: one or more instances of the preceding character
  • (string): Parenthesis combine enclosed string character as a single entity when used with ?,*, or +
  • [string]: creates a wild card in which any single character in the string can be used to match that position in the AS_PATH

Brian did a good job explaining regexes in his blog. Please refer to it for more examples of how to use these expressions to match AS_PATH segments.

An example of a regex used in access-list 10:

ip as-path access-list 10 deny ^1_.*_.*_.*_44$

This filters routes whose AS_PATH begins with AS 1, has three additional ASNs of any value, and ends with ASN 44.

I would say that practicing these regexes is very important; without it, route filtering can take unpredictable and undesirable paths.
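An added example (not from the original entries) that serves both this entry and part 3: it translates Cisco's `_` delimiter into a standard regex so the access-list 10 pattern can be checked against sample AS_PATH strings, then evaluates part 3's weight-200 route-map to show that a route matching no clause is dropped unless the empty `permit 20` clause exists. The sample routes and the extra `permit .*` line in access-list 10 are constructed here and are not on the page.

```python
import re

# Cisco's "_" in an AS_PATH regex matches any delimiter: space, comma, braces,
# parentheses, or the start/end of the string. Translate it to a standard
# regex so the page's patterns can be evaluated here.
_DELIM = r"(?:^|$|[ ,{}()])"


def as_path_matches(cisco_pattern, as_path):
    """True if a Cisco-style AS_PATH regex matches the given AS_PATH string."""
    return re.search(cisco_pattern.replace("_", _DELIM), as_path) is not None


def acl_permits(acl, as_path):
    """Evaluate an ip as-path access-list: the first matching line decides,
    and an unmatched path is denied (implicit deny)."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


# Part 2: "ip as-path access-list 10 deny ^1_.*_.*_.*_44$". The permit line is
# added here (constructed) so the deny has something to fall through to.
AS_PATH_ACL_10 = [("deny", r"^1_.*_.*_.*_44$"), ("permit", r".*")]

# Part 3: access-list 5 plus the weight-200 route-map, as data.
# Each clause: (permit/deny, sequence, as-path ACL to match or None, attributes to set).
AS_PATH_ACL_5 = [("permit", r"_55_")]
ROUTE_MAP_WITH_CLAUSE_20 = [
    ("permit", 10, AS_PATH_ACL_5, {"weight": 200}),
    ("permit", 20, None, {}),  # match-all clause: lets everything else through
]
ROUTE_MAP_WITHOUT_CLAUSE_20 = ROUTE_MAP_WITH_CLAUSE_20[:1]


def apply_route_map(route_map, routes):
    """routes: prefix -> {'as_path': str, 'weight': int}. Returns the routes that
    survive with their set actions applied; a route matching no clause is dropped,
    which is the implicit deny at the end of every route-map."""
    accepted = {}
    for prefix, attrs in routes.items():
        for action, _seq, acl, sets in route_map:
            if acl is None or acl_permits(acl, attrs["as_path"]):
                if action == "permit":
                    accepted[prefix] = {**attrs, **sets}
                break  # first matching clause wins; a deny clause drops the route
    return accepted


# Constructed routes as received from neighbor 10.0.0.1.
ROUTES_FROM_10_0_0_1 = {
    "172.16.0.0/16": {"as_path": "55 300", "weight": 0},
    "172.17.0.0/16": {"as_path": "200 550", "weight": 0},
}
```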

The next entry will be about using route-maps to filter routes.


December 12, 2010  1:19 AM

How to manipulate BGP Routes – part 1



Posted by: Sulaiman Syed
ACL, Cisco, distribute-list, manipulate, map, PA, prefix-list, route, router

After learning how BGP selects the best route using the BGP PAs, the next step is to manipulate these PAs to obtain the desired route for an NLRI.

BGP mainly uses four variations to manipulate the routes:

  • neighbor distribute-list (standard ACL / extended ACL)
  • neighbor prefix-list
  • neighbor filter-list
  • neighbor route-map

The first two, distribute-list and prefix-list, match the network and the subnet mask. A prefix-list is a straightforward operation: match a certain network with a certain subnet mask and filter it out. A simple example that denies the network range 10.20.0.0/24 to 10.20.255.0/24 and permits any other network to be advertised to the neighbor uses the following syntax:

ip prefix-list sample seq 5 deny 10.20.0.0/16 ge 16 le 24
ip prefix-list sample seq 10 permit 0.0.0.0/0 le 32
!
router bgp 123
 neighbor 1.1.1.1 prefix-list sample out

BGP's distribute-list uses an ACL to match the prefix and the prefix length. An extended ACL is interpreted differently here than a normal extended ACL: the source part matches the network (prefix) and the destination part matches the prefix length (subnet mask). For example,

ip prefix-list sample_2 seq 5 deny 10.5.0.0/16
ip prefix-list sample_2 seq 10 deny 10.20.0.0/16 ge 16 le 24

can be written as

ip access-list extended sample_2
 ! source part = the network, destination part = the subnet mask
 deny ip host 10.5.0.0 host 255.255.0.0
 ! masks 255.255.0.0 through 255.255.255.0, i.e. /16 to /24
 deny ip 10.20.0.0 0.0.255.255 255.255.0.0 0.0.255.0

The following documentation will further help in understanding prefix-lists. In the next entry we will discuss how to use neighbor filter-list to match AS_PATH contents for route manipulation, and a simple guideline for when to use which of the four methods to filter and manipulate BGP routes.


December 7, 2010  2:59 AM

How to use IP Prefix List?



Posted by: Sulaiman Syed
access, CCNP, Cisco, ip, list, map, network, route, subnet

IP prefix-lists are mostly used for route filtering in IGPs (OSPF, IS-IS, EIGRP) and EGPs (BGP). At first sight the command looks confusing, but it is pretty simple and straightforward.

A prefix-list can be used with a route-map, where it is referenced with a match command. The command syntax is as follows:

ip prefix-list list-name [seq value] {deny network/length | permit network/length} [ge value] [le value]

As seen from the syntax, the command is divided into two parts: first the network/length, then ge and le. To summarize the meaning of the two parts:

  1. network/length determines the range of addresses implied by the prefix-list entry.
  2. The prefix length (subnet mask) of the route must fall within the range implied by ge (greater than or equal) and le (less than or equal).

This might sound slightly confusing, but an example will show what it means.

  1. 192.168.10.0/8: any network with 192 in the first octet only, which means the 192.0.0.0/8 network.
  2. 192.168.10.0/16 ge 16: any network from 192.168.0.0/16 to 192.168.xx.xx/32.
  3. 192.168.10.0/8 ge 8 le 16: networks from 192.0.0.0/8 to 192.xx.0.0/16.
  4. 0.0.0.0/0: any network with prefix length zero; only default routes have this.
  5. 0.0.0.0/0 le 32: all networks.

Another example to show how it works; imagine the following networks:

  1. 10.1.0.0/16
  2. 10.0.0.0/8
  3. 10.2.0.0/16
  4. 10.128.0.0/9

10.0.0.0/8 matches only network 2, since it is an exact match.

10.0.0.0/8 ge 8 matches all routes, since all of the above networks start with 10 and the lowest prefix length is 8.

10.0.0.0/8 ge 9 le 16 matches networks 1, 3, and 4, because ge 9 implies a subnet mask of 9 or longer, and route 2 has a subnet mask of 8.
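An added example, not from the original entries, that implements the prefix-list matching rules described here (network/length plus ge/le, first match wins, implicit deny) and checks them against the four networks above and against the `sample` list from part 1 of the BGP series. The parser, the route lists and the list name `t` are constructed for this example.

```python
import ipaddress


def parse_prefix_list_line(line):
    """Parse 'ip prefix-list NAME [seq N] {permit|deny} net/len [ge G] [le L]'."""
    t = line.split()
    if t[:2] != ["ip", "prefix-list"]:
        raise ValueError(f"not a prefix-list line: {line!r}")
    name, i, seq = t[2], 3, None
    if t[i] == "seq":
        seq, i = int(t[i + 1]), i + 2
    action = t[i]
    # strict=False accepts host bits in the network part, as the entry's examples do.
    network = ipaddress.ip_network(t[i + 1], strict=False)
    ge = le = None
    for j in range(i + 2, len(t), 2):
        if t[j] == "ge":
            ge = int(t[j + 1])
        elif t[j] == "le":
            le = int(t[j + 1])
    # No ge/le: exact length. ge only: ge..32. le only: len..le. Both: ge..le.
    lo = ge if ge is not None else network.prefixlen
    hi = le if le is not None else (32 if ge is not None else lo)
    if not network.prefixlen <= lo <= hi <= 32:
        raise ValueError(f"invalid ge/le range in {line!r}")
    return {"name": name, "seq": seq, "action": action, "network": network, "lo": lo, "hi": hi}


def entry_matches(entry, route):
    """The route's prefix length must lie in [lo, hi] and its first `len` bits
    must equal the entry's network, where len is the length written in the entry."""
    net = entry["network"]
    if not entry["lo"] <= route.prefixlen <= entry["hi"]:
        return False
    return route.supernet(new_prefix=net.prefixlen) == net


def prefix_list_permits(entries, route):
    """Entries are checked in seq order; the first match decides; implicit deny."""
    for e in sorted(entries, key=lambda e: e["seq"] if e["seq"] is not None else 0):
        if entry_matches(e, route):
            return e["action"] == "permit"
    return False


def filter_routes(config_lines, routes):
    """Return, as strings, the routes a prefix-list built from config_lines permits."""
    entries = [parse_prefix_list_line(line) for line in config_lines]
    return [r for r in routes if prefix_list_permits(entries, ipaddress.ip_network(r))]


# Constructed inputs: the four networks from this entry and the 'sample' list from part 1.
ROUTES = ["10.1.0.0/16", "10.0.0.0/8", "10.2.0.0/16", "10.128.0.0/9"]
SAMPLE_LIST = [
    "ip prefix-list sample seq 5 deny 10.20.0.0/16 ge 16 le 24",
    "ip prefix-list sample seq 10 permit 0.0.0.0/0 le 32",
]
```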

I hope this article explained how to write and understand prefix-lists. It is a strong tool when it comes to filtering routes in any route-map. For further reading, please refer to IP Prefix List by Cisco.


December 3, 2010  2:10 AM

How BGP selects the best route?



Posted by: Sulaiman Syed
Attribute, CCNP, Cisco, eBGP, iBGP, NEXT_HOP, Path, route, router, routing, weight

Since I started studying for the CCIE, I will start writing about technical topics that are either difficult or interesting and present them in an easy way.

BGP is one of the most interesting routing protocols out there. The interesting part lies in the way routes can be manipulated. There are many Path Attributes (PAs) that play a part in the way BGP builds the routing table from route updates.

Routes can also be manipulated by filtering them based on prefixes or AS_PATH segments (this will be discussed in the next entry).

The main Path Attributes (PAs) are:

  • Weight (Cisco proprietary)
  • Local Pref
  • Locally injected routes
  • Autonomous System (AS) Path
  • Origin PA
  • Multi-Exit Discriminator (MED)
  • Neighbor Type
  • IGP metric for reaching NEXT_HOP

These are the main PAs that can be manipulated to change the way the routing table is built. BGP's decision to include a route in the routing table follows this process.

0- Add the route only if the NEXT_HOP is reachable. If there is no route to the NEXT_HOP address, the route is automatically rejected. Although this is not a PA, it is the first and most important factor for a route to be added to the routing table.

1- Highest administrative weight; the higher the value, the better the route. This can only be modified locally (on the router) and cannot be communicated to other routers.

2- Highest LOCAL_PREF; it can be distributed inside the AS. The higher the value, the better.

3- Locally injected routes; BGP prefers routes that were injected locally through the network command, redistribution or route summarization.

4- Shortest AS_PATH length; the shorter the path, the better the route. An AS_SET is treated as one ASN regardless of the number of ASNs in it.

5- ORIGIN PA: IGP (i) > EGP (e) > incomplete (?).

6- Smallest MED. This allows an ISP to let the customer know which exit to choose for reaching a particular network in multi-homing designs.

7- Neighbor type; eBGP routes are preferred over iBGP routes.

8- Lowest IGP metric for reaching the NEXT_HOP; the smaller the value, the better the route.

If all of those fail to decide which route to add to the routing table, the following tiebreakers are used.

9- Keep the oldest eBGP route. This gives more stability and stops route flaps.

10- Choose the smallest neighbor RID.

11- Smallest neighbor ID. This applies when the local router has two neighbor relationships with a single router (one router to another router with two links and two neighbor commands); the lower ID is better.

One last point: with maximum-paths, BGP allows more than one route to be added to the routing table. BUT it will always use only the one BEST route when advertising to neighbors.
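As an added example (not from the original post), the selection process above written as a single ordering key, so candidate paths for one NLRI can be compared step by step. The candidates are constructed; the MED comparison is simplified to a plain numeric compare, and step 9 is applied only between eBGP paths, as the post describes.

```python
import ipaddress
import re
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP > EGP > incomplete


@dataclass
class Candidate:
    """One received path for the same NLRI. Constructed fields mirror the steps above."""
    name: str
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100
    locally_injected: bool = False
    as_path: str = ""               # e.g. "65001 {65002, 65003} 65004"
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    age_rank: int = 0               # lower = received earlier (older)
    neighbor_rid: str = "0.0.0.0"
    neighbor_ip: str = "0.0.0.0"


def as_path_length(as_path):
    """Count ASNs in an AS_PATH; an AS_SET in braces counts as a single ASN."""
    collapsed = re.sub(r"\{[^}]*\}", "SET", as_path)
    return len(collapsed.split())


def _ip_key(s):
    return int(ipaddress.ip_address(s))


def decision_key(c):
    """Tuple ordered exactly like steps 1-11; the smallest tuple is the best path."""
    return (
        -c.weight,                       # 1 highest weight
        -c.local_pref,                   # 2 highest LOCAL_PREF
        0 if c.locally_injected else 1,  # 3 locally injected first
        as_path_length(c.as_path),       # 4 shortest AS_PATH
        ORIGIN_RANK[c.origin],           # 5 ORIGIN i > e > ?
        c.med,                           # 6 lowest MED (simplified compare)
        0 if c.ebgp else 1,              # 7 eBGP over iBGP
        c.igp_metric,                    # 8 lowest IGP metric to NEXT_HOP
        c.age_rank if c.ebgp else 0,     # 9 oldest eBGP route
        _ip_key(c.neighbor_rid),         # 10 lowest neighbor RID
        _ip_key(c.neighbor_ip),          # 11 lowest neighbor address
    )


def best_path(candidates):
    """Step 0 first: drop paths whose NEXT_HOP is unreachable, then rank the rest."""
    usable = [c for c in candidates if c.next_hop_reachable]
    if not usable:
        return None
    return min(usable, key=decision_key).name
```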