Bring MPLS Network at Your Home Lab

March 25, 2009

IPv6 PIM Security

Filed under: Cisco

Tool : GNS3

Purpose : Understand PIM accept-register filtering options

Topology :

Comments :
All routers running OSPFv3
All routers running PIM-SM
R0 is the Candidate RP with priority 100
R1 is the Candidate BSR
R2 is the Candidate RP and BSR with priority 100
HOST1 joins groups FF17:7:77::777, FF18:8::88, FF19:9::99
R2 as BSR accepts registers only for multicast groups FF17:7:77::777, FF19:9::99
HOST2 and HOST3 are only able to send multicast traffic to FF17:7:77::777, FF19:9::99

Example Configuration for PIM security

–Configure accept-register
!
ipv6 pim accept-register list allow-group
ipv6 pim register-source Loopback0
ipv6 pim bsr candidate bsr 2001::3 priority 100
ipv6 pim bsr candidate rp 2001::3
!
!
!
ipv6 access-list allow-group
 sequence 20 permit ipv6 any host FF17:7:77::777
 permit ipv6 any host FF19:9::99
!
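
The effect of this filter can be checked offline. The Python sketch below is an added example, not part of the original post or of IOS: it parses the configuration above and models how the accept-register ACL is matched against the (source, group) pair of a PIM register, including the implicit deny that blocks FF18:8::88. The function names are hypothetical, and the matching semantics (ACL source = sender, ACL destination = group) are the example's assumption.

```python
import ipaddress
import re

# Constructed sample: the accept-register lines from the post's configuration.
CONFIG = """\
ipv6 pim accept-register list allow-group
ipv6 pim register-source Loopback0
!
ipv6 access-list allow-group
 sequence 20 permit ipv6 any host FF17:7:77::777
 permit ipv6 any host FF19:9::99
!
"""

ADDR = r"(any|host \S+|\S+/\d+)"
ACE = re.compile(rf"^\s+(?:sequence \d+ )?(permit|deny) ipv6 {ADDR} {ADDR}\s*$", re.I)

def _net(spec):
    """Turn an ACE address spec ('any', 'host X', 'X/len') into a network."""
    if spec.lower() == "any":
        return ipaddress.ip_network("::/0")
    if spec.lower().startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/128")
    return ipaddress.ip_network(spec, strict=False)

def parse_acl(config, name):
    """Return [(action, src_net, dst_net)] for the named IPv6 ACL, in order."""
    aces, inside = [], False
    for line in config.splitlines():
        if line.startswith("ipv6 access-list "):
            inside = line.split()[2] == name
        elif inside and (m := ACE.match(line)):
            aces.append((m[1].lower(), _net(m[2]), _net(m[3])))
        elif not line.startswith(" "):
            inside = False  # any top-level line ends the ACL block
    return aces

def register_accepted(config, source, group):
    """Model the RP's decision for a register carrying (source, group)."""
    m = re.search(r"^ipv6 pim accept-register list (\S+)", config, re.M)
    if not m:
        return True  # no filter configured: every register is accepted
    aces = parse_acl(config, m[1])
    if not aces:
        raise ValueError(f"accept-register references undefined or empty ACL {m[1]!r}")
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for action, src, dst in aces:
        if s in src and g in dst:
            return action == "permit"  # first matching entry wins
    return False  # implicit deny at the end of the ACL
```
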

For the detailed configuration, download at this link

IPv6 PIM BSR

Filed under: Cisco

Tool : GNS3

Purpose : Understanding Bootstrap BSR Operation for IPv6 multicast

Topology :

Comments:
All routers running OSPFv3
All routers running PIM-SM
R0 is the Candidate RP with priority 100
R1 is the Candidate BSR
R2 is the Candidate RP and BSR with priority 100
HOST1 joins group FF17:7:77::777
HOST2 and HOST3 send multicast traffic to FF17:7:77::777

Example configuration for BSR operations

–Set C-RP and C-BSR
!
ipv6 pim bsr candidate bsr 2001::3 priority 100
ipv6 pim bsr candidate rp 2001::3
!

Let’s verify the configuration

R1#show ipv6 pim bsr election
PIMv2 BSR information

BSR Election Information
  Scope Range List: ff00::/8
     BSR Address: 2001::3
     Uptime: 00:17:25, BSR Priority: 100, Hash mask length: 126
     RPF: FE80::CE02:AFF:FE68:0,FastEthernet1/0
     BS Timer: 00:02:03
  This system is candidate BSR
      Candidate BSR address: 2001::2, priority: 0, hash mask length: 126

R2#show ipv6 pim bsr candidate-rp
PIMv2 C-RP information
    Candidate RP: 2001::3 SM
      All Learnt Scoped Zones, Priority 192, Holdtime 150
      Advertisement interval 60 seconds
      Next advertisement in 00:00:19

U3#ping ff17:7:77::777
Output Interface: fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FF17:7:77::777, timeout is 2 seconds:
Packet sent with a source address of 2001:200::3

Reply to request 0 received from 2001:100::3, 580 ms
Reply to request 1 received from 2001:100::3, 616 ms
Reply to request 2 received from 2001:100::3, 516 ms
Reply to request 3 received from 2001:100::3, 496 ms
Request 4 timed out
Success rate is 80 percent (4/5), round-trip min/avg/max = 496/552/616 ms
4 multicast replies and 0 errors.

U2#ping ff17:7:77::777
Output Interface: fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FF17:7:77::777, timeout is 2 seconds:
Packet sent with a source address of 2001:400::3

Reply to request 0 received from 2001:100::3, 1060 ms
Reply to request 1 received from 2001:100::3, 736 ms
Reply to request 2 received from 2001:100::3, 896 ms
Request 3 timed out
Request 4 timed out
Success rate is 60 percent (3/5), round-trip min/avg/max = 736/897/1060 ms
3 multicast replies and 0 errors.

Woow I can ping multicast address from HOST2 and HOST3

For the detailed configuration, download at this link

IPv6 PIM static RP

Filed under: Cisco

Tool : GNS3

Purpose : Simulating IPv6 multicast routing with static-RP

Topology:

Comments:
All routers running OSPFv3
All routers running PIM-SM
R2 designated as RP
HOST1 joins group FF17:7:77::777
HOST2 and HOST3 send traffic to group FF17:7:77::777
(*,G) and (S,G) entries in every router

Example configuration

–Activate Unicast and multicast traffic forwarding for IPv6
!
ipv6 unicast-routing
ipv6 multicast-routing
!

–Configure interface
!
interface Loopback0
 no ip address
 ipv6 address 2001::1/128
 ipv6 ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:1::1/126
 ipv6 ospf 1 area 0
 ipv6 pim hello-interval 5
!

–Activate unicast routing
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
!

–Set Static-RP

!
ipv6 pim rp-address 2001::3
!

We can ping the multicast group from HOST3

U2#ping ff17:7:77::777
Output Interface: fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FF17:7:77::777, timeout is 2 seconds:
Packet sent with a source address of 2001:400::3

Reply to request 0 received from 2001:100::3, 996 ms
Reply to request 1 received from 2001:100::3, 696 ms
Reply to request 2 received from 2001:100::3, 788 ms
Reply to request 3 received from 2001:100::3, 996 ms
Request 4 timed out
Success rate is 80 percent (4/5), round-trip min/avg/max = 696/869/996 ms
4 multicast replies and 0 errors.

For the detailed configuration, download at this link

March 23, 2009

Inter-AS Multicast L3VPN

Filed under: Cisco

Tool : GNS3

Purpose : Simulating Inter-AS Multicast L3VPN back-to-back mode (option A)

Topology :

Comments:

PE1, P and ASBR-1 routers are inside AS 777 and running OSPF
ASBR-2 and PE2 routers are inside AS 2500 and running IS-IS
Connection between PE and CE uses static routes
MPLS between PE1-P-ASBR-1 and ASBR-2-PE2
RIP is used to exchange VPN routes between AS 777 and AS 2500
All interfaces run PIM Sparse Mode, including the VRF interfaces
CE1 is designated as the VPN RP, using static RP configuration
PE1, P and ASBR-1 form MDT 224.7.7.7
ASBR-2 and PE2 form MDT 224.6.6.6
CE1 and CE2 established unicast routing
CE1 joins group 239.1.1.1
CE2 is able to receive multicast traffic

The configuration to form the MPLS L3VPN and unicast routing is the same as for the Inter-AS MPLS VPN in the previous post; we only add multicast traffic forwarding capability.
To see how to form the Inter-AS MPLS VPN, you can review my previous post or read the whole configuration.
In this post I only show how to add multicast traffic forwarding capability.

Example configuration for PE router

–Set vrf name and RD and MDT
!
ip vrf vpn1
 rd 202.162.208.1:100
 route-target export 202.162.208.1:100
 route-target import 202.162.208.10:100
 mdt default 224.7.7.7

–Activate Multicast traffic forwarding capability
!
ip multicast-routing
ip multicast-routing vrf vpn1
!

–PIM-SM needs to be activated on all interfaces
!
interface Loopback0
 ip address 202.162.208.1 255.255.255.255
 ip pim sparse-mode
!
interface Loopback1
 ip vrf forwarding vpn1
 ip address 192.168.1.200 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding vpn1
 ip address 192.168.1.1 255.255.255.128
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
 mpls ip
!

–Set Static RP and PIM range
!
ip pim ssm range 1
ip pim vrf vpn1 rp-address 172.17.63.1
!
access-list 1 permit 224.7.7.7
!

Example configuration for ASBR router 

–Set vrf name and RD and MDT
!
ip vrf vpn1
 rd 125.249.1.10:100
 route-target export 125.249.1.10:100
 route-target import 125.249.1.1:100
 mdt default 224.6.6.6

–Activate Multicast traffic forwarding capability
!
ip multicast-routing
ip multicast-routing vrf vpn1
!

–PIM-SM needs to be activated on all interfaces
!
interface Loopback0
 ip address 125.249.1.10 255.255.255.255
 ip router isis
 ip pim sparse-mode
!
interface FastEthernet0/0
 ip vrf forwarding vpn1
 ip address 172.16.1.10 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.1.1.10 255.255.255.0
 ip router isis
 ip pim sparse-mode
 duplex auto
 speed auto
 mpls ip
!

–Set Static RP and PIM range
!
ip pim ssm range 1
ip pim vrf vpn1 rp-address 172.17.63.1
!
access-list 1 permit 224.6.6.6

Let's verify the configuration

 

WOOw THIS ROOCK… I can ping multicast address :)

For the detailed configuration, download at this link

March 19, 2009

Inter-AS Multicast routing

Filed under: Cisco

Tool : GNS3

Purpose : Simulating Inter-AS Multicast routing

Topology :

Comments:

R0,R1,R2 in AS 777
R0,R1,R2 running OSPF
R3,R4,R5 in AS 2500
R3,R4,R5 running IS-IS
All routers running PIM-SM
R2 as RP in AS 777
R3 as RP in AS 2500
MSDP used between R2 and R3
BGP used between R2 and R3 since R2 needs to join R3
MBGP used between R2 and R3 to avoid RPF failure
R5 receives multicast traffic for group 227.7.7.7 from R0

Example configuration for ASBR router

–Activate multicast traffic forwarding

!
ip multicast-routing
!

–Activate PIM Sparse Mode on every interface

!
interface Loopback0
 ip address 192.168.1.3 255.255.255.255
 ip pim sparse-mode
!
interface FastEthernet0/0
 ip address 10.1.2.10 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.1.3.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!

–Activate Unicast routing within AS 777

!
router ospf 1
 router-id 1.1.1.3
 log-adjacency-changes
 redistribute bgp 777 subnets
 network 10.1.2.10 0.0.0.0 area 0
 network 192.168.1.3 0.0.0.0 area 0
!

–Set static RP (Rendezvous Point)  and MSDP peers
!
ip pim rp-address 192.168.1.3
ip msdp peer 10.1.3.10
!

–Activate BGP and MBGP

!
router bgp 777
 template peer-session IA-Multicast
  remote-as 2500
  password s10duy
  timers 10 30
 exit-peer-session
 !
 bgp log-neighbor-changes
 neighbor 10.1.3.10 inherit peer-session IA-Multicast
 !
 address-family ipv4
  redistribute ospf 1
  neighbor 10.1.3.10 activate
  no auto-summary
  no synchronization
  network 192.168.1.3 mask 255.255.255.255
 exit-address-family
 !
 address-family ipv4 multicast
  neighbor 10.1.3.10 activate
  no auto-summary
  no synchronization
  network 10.1.1.0 mask 255.255.255.0
 exit-address-family
!

Let's verify

R0#ping 227.7.7.7 source loopback 0 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 227.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.
Reply to request 1 from 10.2.1.1, 480 ms.
Reply to request 3 from 10.2.1.1, 580 ms
Reply to request 4 from 10.2.1.1, 1652 ms
Reply to request 5 from 10.2.1.1, 1700 ms..
Reply to request 8 from 10.2.1.1, 1312 ms.

R3#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 227.7.7.7), 00:07:15/00:02:51, RP 172.17.63.3, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet1/0, Forward/Sparse, 00:07:15/00:02:51

(10.1.1.1, 227.7.7.7), 00:01:19/00:03:16, flags: MT
  Incoming interface: FastEthernet0/0, RPF nbr 10.1.3.1, Mbgp
  Outgoing interface list:
    FastEthernet1/0, Forward/Sparse, 00:01:19/00:03:03

(172.17.63.3, 227.7.7.7), 00:03:31/00:00:08, flags: T
  Incoming interface: Loopback0, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet1/0, Forward/Sparse, 00:03:31/00:02:51

(*, 224.0.1.40), 01:05:30/00:03:25, RP 172.17.63.3, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet1/0, Forward/Sparse, 00:07:39/00:03:25
    Loopback0, Forward/Sparse, 01:05:31/00:02:17

For the detailed configuration, download at this link

March 18, 2009

Multipath MPLS VPN

Filed under: Cisco

Tool : GNS3

Purpose : Simulating BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS-VPN

Topology :

Comments:
CE2 is multihomed to PE2 and PE3.
P is a vpnv4 route-reflector.
PE1 installs the routes from both PE2 and PE3.
Traffic from CE1 to CE2 goes through PE2 and PE3.
IPv6 not working

Example configuration for PE1

–Install the routes from both PE2 & PE3
!
vrf definition vpn1
 rd 100:100
 route-target export 100:100
 route-target import 200:200
 route-target import 300:300
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!

–Set BGP to P router
!
router bgp 777
 template peer-session VPN
  remote-as 777
  password 5 s10duy
  update-source Loopback0
  timers 10 30
 exit-peer-session
 !
 no synchronization
 bgp log-neighbor-changes
 neighbor 202.162.208.10 inherit peer-session VPN
 no auto-summary
 !
 address-family vpnv4
  neighbor 202.162.208.10 activate
  neighbor 202.162.208.10 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf vpn1
  no synchronization
  redistribute connected
  redistribute static
 exit-address-family
!

Example Configuration for P router

–Activate BGP Route reflector vpnv4
!
router bgp 777
 template peer-session VPN
  remote-as 777
  password 5 s10duy
  update-source Loopback0
  timers 10 30
 exit-peer-session
 !
 no synchronization
 bgp log-neighbor-changes
 neighbor 202.162.208.1 inherit peer-session VPN
 neighbor 202.162.208.250 inherit peer-session VPN
 neighbor 202.162.208.252 inherit peer-session VPN
 no auto-summary
 !
 address-family vpnv4
  neighbor 202.162.208.1 activate
  neighbor 202.162.208.1 send-community extended
  neighbor 202.162.208.1 route-reflector-client
  neighbor 202.162.208.250 activate
  neighbor 202.162.208.250 send-community extended
  neighbor 202.162.208.250 route-reflector-client
  neighbor 202.162.208.252 activate
  neighbor 202.162.208.252 send-community extended
  neighbor 202.162.208.252 route-reflector-client
 exit-address-family
!

For the detailed configuration, download at this link





















