Preliminary SE800 Router check for MPLS/BGP VPN Configuration
SmartEdge Router Project
Background
The purpose of this document is to make a preliminary sanity check that this node is connected to the MPLS/BGP network and is capable of providing VPN services over it.
This is also assuming that proper turn up of the node via the Installation Guide and its Interior Gateway Protocol (IGP) is properly configured and can reach the appropriate neighbors
Topology
------------ (------------) ------------
| PE Node | ( P nodes ) | PE Node |
| SE800 |-------( IP Cloud )--------| SE800 |
| #1 | ( MPLS enable ) | #2 |
------------ (------------) ------------
SE800-PE1
- context local
--- interface to_cloud = 10.10.10.2 (Cloud's remote address is 10.10.10.1)
--- interface loop1 loop = 100.100.100.64
- context vpn1
--- interface loop1 = 200.200.200.1
SE800-PE2
- context local
--- interface to_cloud = 10.10.20.2 (Cloud's remote address is 10.10.20.1)
--- interface loop1 loop = 100.100.100.66
- context vpn1
--- interface loop1 = 200.200.100.1
Things to check on each of the SE800.
SE800-PE1 and SE800-PE2 are the two SE800s that we are testing
1 Check to make sure that IGP (OSPF or ISIS or RIP) has required routes to other PE node in the "local" context.
2 Check to make sure that iBGP peers are up to remote PE node
3 Check to make sure that LSP is up on MPLS path to remote PE node
4 Check to make sure that ip icmp ping access is reachable to remote vpn loopback
With these checks, this is a simple sanity that will allow us to view from a top level that the lower level processes are working.
All examples below are captured and performed on SE800-PE1. All tasks should be performed on both PEs.
1 Check to make sure that IGP (OSPF or ISIS or RIP) has required routes to other PE node in the "local" context.
In our example below, using OSPF for the IGP and we need to use 'show ip route' to make sure that PE1 has routes to PE2 and vice versa. Below are commands and examples of how to perform this. Please perform task on both SE800s to ensure that routing is working.
Commands:
- show configuration // Shows the configuration
- show ip interface brief // Shows a brief list of ip address
- show ospf interface // Shows what interfaces has ospf enabled
- show ospf neighbor // Shows the ospf neighbor
- show ip route // Shows the routing table of node.
- ping // allows to make sure ip connectivity
[local]SE800-PE1#show configuration
Building configuration...
Current configuration:
!
context local
!
interface loop1 loopback
ip address 100.100.100.64/32
!
interface to_cloud
ip address 10.10.10.2/24
!
router ospf 1
area 0.0.0.0
interface loop1
interface to_cloud
!
port pos 6/1
no shutdown
bind interface to_cloud local
!
end
[local]SE800-PE1#show ip interface brief
Fri Oct 18 21:29:39 2002
Name Address MTU State Bindings
loop1 100.100.100.64/32 1500 Up (Loopback)
to_cloud 10.10.10.2/24 4470 Up cisco-hdlc 6/1
/*
* Check to make sure that the interfaces that should have ospf actually
* has OSPF enabled.
* Notice below that we have the remote OSPF neighbor adjacency formed.
* and that the state of the node is Full.
*/
[local]SE800-PE1#show ospf interface
--- OSPF Interfaces for Instance 1/Router ID 100.100.100.64 ---
Addr Len NetworkType Cost Priority State Area
10.10.10.2 24 point-to-point 1 N/A P2P 0.0.0.0
100.100.100.64 32 loopback 1 N/A Loopback 0.0.0.0
[local]SE800-PE1#show ospf neighbor
--- OSPF Neighbors for Instance 1/Router ID 100.100.100.64 ---
NeighborID NeighborAddress Pri State DR-State IntfAddress TimeLeft
100.100.100.65 10.10.10.1 1 Full Other 10.10.10.2 143
/*
* Below, use "show ip route" to show the routing table to the
* remote PE and also to use the ping command with the source option
* to make sure that our loopbacks are reachable to each other.
*/
[local]SE800-PE1#show ip route
Codes: C - connected, S - static, S dv - dvsr, R - RIP, e B - EBGP, i B - IBGP
O - OSPF , IA - OSPF inter area, N1 - OSPF NSSA external type 1
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2
> - Active Route
Type Network Next Hop Dist Metric UpTime Interface
> C 10.10.10.0/24 0 0 00:24:50 to_cloud
> O 10.10.20.0/24 10.10.10.1 110 2 00:10:15 to_cloud
> C 100.100.100.64/32 0 0 04:52:54 loop1
> O 100.100.100.66/32 10.10.10.1 110 0 00:09:47 to_cloud
[local]SE800-PE1#ping 100.100.100.66 80 source 100.100.100.64
PING 100.100.100.66 (100.100.100.66): 56 data bytes, timeout is 1 second
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
----100.100.100.66 PING Statistics----
80 packets transmitted, 80 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.772/3.455/12.305/1.245 ms
/*
* Please perform same tasks on the remote PE by checking the IGP
* and ensuring that proper connectivity is available.
*/
2 Check to make sure that iBGP peers are up to other PE node
In this situation, we will be forming an iBGP peer between SE800-PE1 and SE800-PE2 by establishing the peer to each other's loopback address. We will also ensure that we are supporting BGP for Address Family of unicast as well as vpn.
SE800 #1:
- interface loop1 loop = 100.100.100.64
SE800 #2
- interface loop1 loop = 100.100.100.66
Commands:
- show configuration // Shows the configuration
- show bgp neighbor // shows the bgp neighbors.
/*
* Example below is eliminating previously configured information
* and only showing pertinent information for this section.
* At the end, a complete listing of both SE800s will be provided
* Notice that we are pointing our neighbor to the remote PE's loopback
* and also that we are using our 'loop1' as the update-source for BGP
*/
[local]SE800-PE1#show configuration
Building configuration...
Current configuration:
!
context local
!
interface loop1 loopback
ip address 100.100.100.64/32
!
router bgp 179
!
neighbor 100.100.100.66 internal
update-source loop1
next-hop-self
address-family ipv4 unicast
address-family ipv4 vpn
!
end
/*
* Below, we can see that the BGP neighbor is to 100.100.100.66 (loopback
* address of SE800-PE2) and the state is Established
* Also we are supporting both Address-family types of unicast and vpn
*/
[local]SE800-PE1#show bgp neighbor
BGP neighbor: 100.100.100.66, remote AS: 179, internal link
Version: 4, router identifier: 100.100.100.66
State: Established for 00:31:02
Last read 00:00:59, last send 00:00:59
Hold time: configured 180, negotiated 180
Keepalive time: configured 60, negotiated 60
Local restart timer 60 sec, stale route retain timer 180 sec
Received restart timer 60 sec, flag 0x0
Minimum time between advertisement runs: 5 secs
Source IP address used from interface: loop1
Source (local) IP address: 100.100.100.64
Received messages: 308, notifications: 0, in queue: 0
Sent messages: 311, notifications: 1, in queue: 0
Reset count: 1, last reset time: 00:41:07, reset reason: Notification sent (hold time expired)
CapSent: refresh, 4byteAS, unicast, vpn, restart
CapRcvd: refresh 4byteAS, unicast, vpn, restart (time 60, flags 0x0)
Address family: ipv4 unicast
BGP table version: 0, neighbor version: 0
Routes: rcvd 0, imported 0, active 0, history 0, dampend 0, sent 0
Address family: ipv4 vpn
BGP table version: 19, neighbor version: 19
Routes: rcvd 1, imported 1, active 2, history 0, dampend 0, sent 1
/*
* Please perform same tasks on the remote PE by checking the iBGP
* configuration and that the neighbor is Established.
*/
3 Check to make sure that lsp is up on MPLS path to remote PE node
In this particular task, we need to enable MPLS and LDP on the interfaces across from the PE nodes through the P nodes towards the remote PE node.
Commands:
- show configiguration // Shows the configuration
- show ldp neighbor // Shows the LDP neighbors.
- show ldp binding // Shows the bindings for LDP
- show mpls interface // Shows what interfaces has mpls enabled.
- show mpls lm lsp // Shows the label for the lsp.
- show mpls lm label-mapping // Shows the mpls lable mapping.
- show ip route lsp // Shows which routes has an lsp
[local]SE800-PE1#show configuration context local
Building configuration...
Current configuration:
!
context local
!
interface to_cloud
ip address 10.10.10.2/24
!
router mpls 1
interface to_cloud
!
router ldp
interface to_cloud
!
end
/*
* In this particular case, we only have one LDP neighbor (the P cloud)
* but that we have multiple bindings and have populated the labels
* for each remote site that has enabled ldp.
* Below, we can see that our lable to 100.100.100.66 (remote PE)
* is populated.
*/
[local]SE800-PE1#show ldp neighbor
PeerFlags: A - LocalActiveOpen, D - Deleted, R - Reseting, E - OpenExtraDelay
N - OpenNoDelay, P - SetMD5Passwd, T - RetainRoute, F - FlushState
X - ExplicitNullEnabled, C - ExplicitNullStatusChanging
SHld - Session Holdtime Left, HHld - Hello Holdtime Left
NeighborAddr LDP Identifier State Flag SHld HHld Interface
100.100.100.65 100.100.100.65:0 Oper 85 13 to_cloud
[local]SE800-PE1#show ldp binding
> active binding, Local/In - local/input label binding
From - source of remote label, Remote/Out - remote/output label binding
Prefix/FEC Learned-From Local/In Remote/Out Interface
> 10.10.10.0/24 local 3
100.100.100.65:0 3
> 10.10.20.0/24 100.100.100.65:0 524290 3 to_cloud
> 100.100.100.64/32 local 3
> 100.100.100.65/32 100.100.100.65:0 524291 3 to_cloud
> 100.100.100.66/32 100.100.100.65:0 524292 524292 to_cloud
[local]SE800-PE1#show mpls interface
--- All MPLS Interfaces ---
Inst Address/Mask Name Enabled State Bound to
1 10.10.10.2/24 to_cloud Yes Up 6/1
[local]SE800-PE1#show mpls lm lsp
Codes : S - MPLS-Static, R - RSVP, L - LDP, B - BGP
Type Endpoint Direct Next-hop Out Label LSP Circuit
L 10.10.20.0/24 10.10.10.1 3 255/3:2047:31/2/1/1
L 100.100.100.65/32 10.10.10.1 3 255/3:2047:31/2/1/2
L 100.100.100.66/32 10.10.10.1 524292 255/3:2047:31/2/1/3
[local]SE800-PE1#show mpls lm label-mapping
Codes : S - MPLS-Static, R - RSVP, L - LDP, B - BGP
Type In Label Action Direct Next hop Out Label
L 524290 php 10.10.10.1 3
L 524291 php 10.10.10.1 3
L 524292 swap 10.10.10.1 524292
B 589824 pop 0
[local]SE800-PE1#show ip route lsp
Codes: S - static, RSVP - RSVP, LDP - LDP
Type Network UpTime Interface Label LSP Circuit
> LDP 10.10.20.0/24 2d16h to_cloud 3 255/3:2047:31/2/1/1
> LDP 100.100.100.65/32 00:53:03 to_cloud 3 255/3:2047:31/2/1/2
> LDP 100.100.100.66/32 00:53:23 to_cloud 524292 255/3:2047:31/2/1/3
/*
* Please perform same tasks on the remote PE by checking the lsp and
* mpls interfaces for accuracy.
*/
4 Check to make sure that ip icmp ping access is reachable from PE1 vpn context to remote PE's vpn context's loopback address.
SE800 #1:
- [vpn1] VPN-RD 100.100.100.64:1
--- interface loop1 loop = 200.200.200.1
SE800 #2
- [vpn1] VPN-RD 100.100.100.66:1
--- interface loop1 loop = 200.200.100.1
Commands:
- [local] show config context vpn1 // Shows configuration in vpn1 context
- [local] show bgp route ipv4 vpn // Shows vpn routes learned via BGP
- [vpn1] show ip route // Shows ip route in vpn context
- [vpn1] traceroute // Shows traceroute including MPLS label path
- [vpn1] ping // Ping remote PE
[local]SE800-PE1#show configuration context vpn1
Building configuration...
Current configuration:
!
context vpn1 vpn-rd 100.100.100.64:1
!
interface loop1 loopback
ip address 200.200.200.1/32
!
router bgp vpn
address-family ipv4 unicast
export route-target 1:1
import route-target 1:1
redistribute connected
!
end
/*
* The above configuration shows that we have a vpn-rd (Route Distinguisher)
* that is associated to this vpn context. Each vpn context should have an
* unique "RD" so that conflicts in duplicate routes can be avoided.
*
* In the VPN context, we have specified in our "router bgp vpn" to
* import and export a route-target of 1:1
* This route-target should be unique to each "vpn customer" to share
* and exchange routes to each other.
*
* Below, we see via "show bgp route ipv4 vpn" that we get specific
* routes from the remote VPN-RD of 100.100.100.66:1 and therefore
* verify that the routes are being learned via bgp vpn.
*
*/
[local]SE800-PE1#show bgp route ipv4 vpn
Address Family: ipv4 vpn
BGP table version is 27, local router ID is 100.100.100.64
Status codes: d damped, h history, > best, i internal
Origin codes: i - IGP, e - EGP, ? - incomplete
VPN RD : 100.100.100.64:1
Network Next Hop Metric LocPrf Weight Path
>i 200.200.100.1/32 100.100.100.66 0 100 100 ?
> 200.200.200.1/32 0.0.0.0 0 100 32768 ?
VPN RD : 100.100.100.66:1
Network Next Hop Metric LocPrf Weight Path
>i 200.200.100.1/32 100.100.100.66 0 100 100 ?
/*
* By performing a "show ip route" in the vpn1 context, we can see
* that the route learned via the above RD is now being imported to
* our vpn1 context as an iBGP route.
*
* The Next Hop of (100.100.100.66) is in the MPLS cloud and therefore
* not pingable, but the remote network should be.
*
*/
[vpn1]SE800-PE1#show ip route
Codes: C - connected, S - static, S dv - dvsr, R - RIP, e B - EBGP, i B - IBGP
O - OSPF , IA - OSPF inter area, N1 - OSPF NSSA external type 1
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2
> - Active Route
Type Network Next Hop Dist Metric UpTime Interface
> i B 200.200.100.1/32 100.100.100.66 200 0 2d16h
> C 200.200.200.1/32 0 0 2d22h loop1
/*
* Notice that the Traceroute below shows an MplsLabel on the path sent.
*
* MplsLabel: 524292 : This is the label of the LSP
* MplsLabel: 589824 : This is the label of the VPN or "bottom label"
*
* Perform the ping to the loopback address of the remote PE's VPN to
* ensure that ip connectivity is established.
*/
[vpn1]SE800-PE1#traceroute 200.200.100.1
se_traceroute to 200.200.100.1 (200.200.100.1), 30 hops max, 40 byte packets
1 10.10.10.1 (10.10.10.1) 4.705 ms 4.068 ms 3.267 ms
MplsLabel: 524292 MplsExpBits: 0 TTL: 1
MplsLabel: 589824 MplsExpBits: 0 TTL: 1
2 200.200.100.1 (200.200.100.1) 3.669 ms 4.806 ms 3.953 ms
[vpn1]SE800-PE1#ping 200.200.100.1 80 source 200.200.200.1
PING 200.200.100.1 (200.200.100.1): 56 data bytes, timeout is 1 second
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
----200.200.100.1 PING Statistics----
80 packets transmitted, 80 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.837/3.253/4.664/0.456 ms
/*
* Please perform same tasks on the remote PE by performing the
* checks of the routes and by pinging the remote vpn's loopback
* address.
*/
Configuration
Configuration on SE800-PE1
[local]SE800-PE1#show config
Building configuration...
Current configuration:
!
service multiple-contexts
!
context local
!
no ip domain-lookup
!
interface loop1 loopback
ip address 100.100.100.64/32
!
interface to_cloud
ip address 10.10.10.2/24
!
router ospf 1
area 0.0.0.0
interface loop1
interface to_cloud
!
router mpls 1
interface to_cloud
!
router ldp
interface to_cloud
!
router bgp 179
!
neighbor 100.100.100.66 internal
update-source loop1
next-hop-self
address-family ipv4 unicast
address-family ipv4 vpn
!
context vpn1 vpn-rd 100.100.100.64:1
!
interface loop1 loopback
ip address 200.200.200.1/32
!
router bgp vpn
address-family ipv4 unicast
export route-target 1:1
import route-target 1:1
redistribute connected
!
! ** End Context **
!
card oc3-8-port 6
!
port pos 6/1
path-trace RedBack
no shutdown
bind interface to_cloud local
!
port ethernet 7/1
! XCRP management ports on slot 7 and 8 are configured through 7/1
no shutdown
bind interface mgmt_ethernet mgmt
!
system hostname SE800-PE1
!
end
Configuration on SE800-PE2
[local]SE800-PE2#show config
Building configuration...
Current configuration:
!
service multiple-contexts
!
context local
!
interface loop1 loopback
ip address 100.100.100.66/32
!
interface to_cloud
ip address 10.10.20.2/24
!
router ospf 1
area 0.0.0.0
interface loop1
interface to_cloud
!
router mpls 1
interface to_cloud
!
router ldp
interface to_cloud
!
router bgp 179
!
neighbor 100.100.100.64 internal
update-source loop1
next-hop-self
address-family ipv4 unicast
address-family ipv4 vpn
!
context vpn1 vpn-rd 100.100.100.66:1
!
interface loop1 loopback
ip address 200.200.100.1/32
!
router bgp vpn
address-family ipv4 unicast
export route-target 1:1
import route-target 1:1
redistribute connected
!
! ** End Context **
!
card oc3-8-port 6
!
port pos 6/2
path-trace RedBack
no shutdown
bind interface to_cloud local
!
!
port ethernet 7/1
! XCRP management ports on slot 7 and 8 are configured through 7/1
no shutdown
bind interface mgmt_ethernet mgmt
!
system hostname SE800-PE2
!
end
扫一扫
4133
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
