Posted by Jo on December 11, 2010
Posted by Jo on September 12, 2009
I have been going through some Inter-AS MPLS VPN labs over the past couple of days. There are basically 3 different methods to achieve Inter-AS connectivity for MPLS VPNs.
- Option 10A – Back to Back VRFs between ASBRs
- Option 10B – VPNv4 eBGP between ASBRs
- Option 10C – VPNv4 between RRs or PEs using multihop eBGP
I have labbed up all three of these methods along with some slight variations on the specific configuration options within each of them and will be writing these up in the coming days.
These are described in RFC 2547bis of which an extract is below.
10. Multi-AS Backbones
What if two sites of a VPN are connected to different Autonomous Systems (e.g., because the sites are connected to different SPs)? The PE routers attached to that VPN will then not be able to maintain IBGP connections with each other, or with a common route reflector. Rather, there needs to be some way to use EBGP to distribute VPN-IPv4 addresses.
There are a number of different ways of handling this case, which we present in order of increasing scalability.
a) VRF-to-VRF connections at the AS (Autonomous System) border routers.
In this procedure, a PE router in one AS attaches directly to a PE router in another. The two PE routers will be attached by multiple sub-interfaces, at least one for each of the VPNs whose routes need to be passed from AS to AS. Each PE will treat the other as if it were a CE router. That is, the PEs associate each such sub-interface with a VRF, and use EBGP to distribute unlabeled IPv4 addresses to each other.
This is a procedure that “just works”, and that does not require MPLS at the border between ASes. However, it does not scale as well as the other procedures discussed below.
b) EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS.
In this procedure, the PE routers use IBGP to redistribute labeled VPN-IPv4 routes either to an Autonomous System Border Router (ASBR), or to a route reflector of which an ASBR is a client. The ASBR then uses EBGP to redistribute those labeled VPN-IPv4 routes to an ASBR in another AS, which in turn distributes them to the PE routers in that AS, or perhaps to another ASBR which in turn distributes them …
When using this procedure, VPN-IPv4 routes should only be accepted on EBGP connections at private peering points, as part of a trusted arrangement between SPs. VPN-IPv4 routes should neither be distributed to nor accepted from the public Internet, or from any BGP peers which are not trusted. An ASBR should never accept a labeled packet from an EBGP peer unless it has actually distributed the top label to that peer.
If there are many VPNs having sites attached to different Autonomous Systems, there does not need to be a single ASBR between those two ASes which holds all the routes for all the VPNs; there can be multiple ASBRs, each of which holds only the routes for a particular subset of the VPNs.
This procedure requires that there be a label switched path leading from a packet’s ingress PE to its egress PE. Hence the appropriate trust relationships must exist between and among the set of ASes along the path. Also, there must be agreement among the set of SPs as to which border routers need to receive routes with which Route Targets.
c) Multihop EBGP redistribution of labeled VPN-IPv4 routes between source and destination ASes, with EBGP redistribution of labeled IPv4 routes from AS to neighboring AS.
In this procedure, VPN-IPv4 routes are neither maintained nor distributed by the ASBRs. An ASBR must maintain labeled IPv4 /32 routes to the PE routers within its AS. It uses EBGP to distribute these routes to other ASes. ASBRs in any transit ASes will also have to use EBGP to pass along the labeled /32 routes. This results in the creation of a label switched path from the ingress PE router to the egress PE router. Now PE routers in different ASes can establish multi-hop EBGP connections to each other, and can exchange VPN-IPv4 routes over those connections.
If the /32 routes for the PE routers are made known to the P routers of each AS, everything works normally. If the /32 routes for the PE routers are NOT made known to the P routers (other than the ASBRs), then this procedure requires a packet’s ingress PE to put a three label stack on it. The bottom label is assigned by the egress PE, corresponding to the packet’s destination address in a particular VRF. The middle label is assigned by the ASBR, corresponding to the /32 route to the egress PE. The top label is assigned by the ingress PE’s IGP Next Hop, corresponding to the /32 route to the ASBR.
To improve scalability, one can have the multi-hop EBGP connections exist only between a route reflector in one AS and a route reflector in another. (However, when the route reflectors distribute routes over this connection, they do not modify the BGP next hop attribute of the routes.) The actual PE routers would then only have IBGP connections to the route reflectors in their own AS.
This procedure is very similar to the “Carrier’s Carrier” procedures described in section 9. Like the previous procedure, it requires that there be a label switched path leading from a packet’s ingress PE to its egress PE.
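The option (b) rule in the extract above, that an ASBR accepts a labeled packet from an EBGP peer only if it distributed the top label to that peer, amounts to a per-peer label lookup rather than a lookup in one global label table. The Python model below is an added example, not part of the RFC or the original post; the `Asbr` class, the peer addresses, labels and routes are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Asbr:
    """Toy model of an option (b) ASBR. All names here are hypothetical."""
    trusted_peers: set                               # EBGP peers at private peering points
    advertised: dict = field(default_factory=dict)   # peer -> {label: VPN-IPv4 route}

    def advertise(self, peer, label, route):
        # VPN-IPv4 routes are only distributed to trusted peers.
        if peer not in self.trusted_peers:
            raise PermissionError(f"{peer} is not a trusted VPN-IPv4 peer")
        self.advertised.setdefault(peer, {})[label] = route

    def withdraw(self, peer, label):
        self.advertised.get(peer, {}).pop(label, None)

    def check(self, peer, label_stack):
        """Return (accept, detail) for a labeled packet received from `peer`."""
        if not label_stack:
            return False, "no label on packet"
        if peer not in self.trusted_peers:
            return False, "labeled packet from untrusted peer"
        route = self.advertised.get(peer, {}).get(label_stack[0])
        if route is None:
            # The label may be valid for another peer; that is still a drop.
            return False, "top label was not distributed to this peer"
        return True, route


def demo():
    # Constructed sample data: documentation addresses, made-up labels and routes.
    peer_a, peer_b, stranger = "192.0.2.1", "192.0.2.5", "198.51.100.9"
    asbr = Asbr(trusted_peers={peer_a, peer_b})
    asbr.advertise(peer_a, 24001, "65000:10:10.1.1.0/24")
    asbr.advertise(peer_b, 24002, "65000:20:10.2.2.0/24")
    results = {
        "own label": asbr.check(peer_a, [24001]),
        "other peer's label": asbr.check(peer_b, [24001]),
        "untrusted peer": asbr.check(stranger, [24001]),
    }
    asbr.withdraw(peer_a, 24001)
    results["after withdraw"] = asbr.check(peer_a, [24001])
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```

The second case is the one a single global label table would miss: label 24001 exists on the ASBR, but it was handed to a different peer, so a packet carrying it from `peer_b` is dropped.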
Posted by Jo on September 9, 2009
Here is part two…
Posted by Jo on September 9, 2009
Check out the video link below that I made of me configuring this lab scenario. This part covers the IGP and basic BGP configuration. It’s best to open the video in full screen.
Part 2 is on the way also, just need to upload it to Vimeo, but being on a 100kb/s upstream link doesn’t quite work out too well 🙂
Posted by Jo on September 4, 2009
I decided to bring my written date forward, so instead of doing it on the 5th of September, I instead did it on Tuesday the 1st. I was fortunate enough that I am between projects at work at the moment, so had time to study extra for it and thankfully I passed. It had been a while since I did a CCIE written exam (my R&S was back in July 2007), and they have changed the format slightly. You can no longer mark questions for review so once they are answered they stay answered so you have to be sure before moving onto the next question etc.
Anyway, now the true lab prep begins. I had a look on the CCIE Lab scheduling site for potential dates and it’s fair to say there are not enough SP seats to go around. My first preference was to take the lab in Brussels again, but there are no dates available until March 2009 which was a bit too far out. The SP lab is not available in Dubai, which would have been perfect to get to from Doha, but was not to be. I decided to get a date in Sydney, as I could then combine this with a holiday with my wife. We have some friends over there who it would be nice to go and visit, so it made sense really. The only issue is the 20 hours of travel time to get there, so I am making sure that we arrive in plenty of time to acclimatise and adapt to the time difference. I will however keep my eyes open for a slot to open up in Brussels in early January or late December, just in case.
I scheduled the lab for February 24th 2010, which gives me until November 25th to make payment and confirm. By this time I should be able to make a decision on my progress made and if I need to get the credit card out. I am not sure if there is a blueprint update planned by Cisco for the SP track (I am sure now I have jinxed it and there will be), but this date puts me inside of a 6 month window if they were to announce anything sooner rather than later. I guess the next step will be to include the Short Answer Questions, and when these were introduced to the other tracks they didn’t give 6 months notice, but that’s something I am going to be prepared to face anyway.
So in terms of prep now I am cracking on with the IPexpert Volume 1 labs. I have been tinkering with these in my Dynamips setup and have not come across any problems yet. I will aim to go through these a couple of times before the end of October, then crack on with the Volume 2 multi protocol labs from November onwards, which should give me a good indication of readiness as these are a set of evil labs I hear! Maybe Rick will add a few more labs to these over the coming months to complement them.
Posted by Jo on September 2, 2009
- Bridging and Switching
- VTP, VLAN, Trunk, Spanning tree
- Frame Relay, DLCI, FR multilink
- ATM PVC, SVC, FR/ATM interworking
- IGP Routing
- IS-IS, Level 1/2, Metric
- OSPF, LSA, Area
- Redistribution, Summarization, Filtering
- Policy routing
- EGP Routing
- IBGP, EBGP
- BGP attributes
- Confederation, Route reflector
- Synchronization, Aggregation, Stability
- Redistribution, Filtering
- SP Multicast
- PIM-SM, PIM-DM, SSM, PIM-BIDIR, IGMP
- Auto RP, Static RP, BSR, Anycast RP
- MP-BGP for multicast, MSDP
- Label distribution, LDP/TDP
- Label filtering, Label merging, Multipath
- MPLS COS
- MPLS Netflow
- MPLS over ATM
- MPLS Traffic Engineering
- L3/L2 VPN
- MPLS VPN, MP-iBGP
- PE-CE routing, RIPv2, OSPF, EIGRP, Static, ISIS, EBGP
- BGP Extended Community
- Inter AS MPLS VPN
- Carrier Supporting Carrier
- VRF-Lite, VRF Select
- Multicast MPLS VPN
- GRE, multipoint GRE
- AToM, L2TPv3
- SP QoS and Security
- DSCP/EXP, TOS, NBAR
- Marking, Shaping, Policing
- CAR, FRTS
- WRQ, CBWFQ, LLQ, PQ, CQ
- RED, WRED
- LFI, cRTP
- ACL, RPF, Filtering
- Routing update security
- Common attacks
- High Availability
- NSF, GLBP
- Fast reroute, Link/Node protection
- HSRP, VRRP
- SNMP, SYSLOG, RMON
Posted by Jo on August 27, 2009
I’ve been doing some good study for the written exam, spent reading through a stack of books. I think that I am still a couple of weeks out from taking the exam, and haven’t booked it yet. I’ve been fortunate that this past week I am in between projects at work so have had some time to put the hours in. I have read through the following.
MPLS Enabled Applications
Routing TCP/IP Volume I – IS-IS, OSPF, EIGRP
Routing TCP/IP Volume II – BGP and Multicast
I am also hoping that my copies of MPLS and VPN Architectures Volume I and II will be waiting for me when I go back to the UK towards the end of September. This will probably be too late for my attempt at the written exam, but no doubt will be useful for the lab part of the exam.
There are also a couple of RFCs that I have read through, but I find these quite difficult to digest, so need to go over these again. I got the IPexpert Volume I and II SP workbooks, so have been through a few of the Volume I labs that cover the basics. These labs cover a range of basic technologies, so I haven’t been focusing too much on them for the written, but it has allowed me to get Dynamips set up on my Mac to get to grips with the different technologies. I also have some Proctor Labs SP vRack vouchers waiting for when I need them.
So I am probably going to go for the exam on the 5th September if I feel I am making good progress over the next week. I have more study time available, so should be able to put in a good 3-4 hours a day until that point.
Posted by Jo on August 7, 2009
It’s official, I have put my voice studies on hold and switched over to the SP track. It’s a shame to put the work I have done so far for the voice written to the side, but feel I am making the right choice – this just seems a whole lot more logical as there is a lot of overlap with the R&S.
I have not booked the SP written exam yet, but am hopefully going to go for it in the first couple of weeks of September. I have made a start in my reading list, I have MPLS Fundamentals here with me, and while I have read it before in sections, am reading it again from cover to cover – taking notes. I am making good progress, and am on to Chapter 7 that covers MPLS VPN. My previous job was based on an MPLS VPN network, so I’m pretty comfortable with the concepts and configurations with all that’s been in the book so far.
I have made the choice to go for the IPexpert SP workbook Volumes 1 and 2, and have started doing some labs from Volume 1 to get back into the swing of things. I have the topologies set up in Dynamips, so it’s easy to do a couple of hours’ worth of labbing anytime I choose. I missed my Dynamips labbing days from the R&S. I know it has its quirks, but I am able to work around these and run the topologies fully loaded on my MacBook Pro running at 30-40% utilisation.
I will post a schedule on here for my planned labs, and am also hoping to write some technical articles along the way as I go through them. I am going to try and go for the lab before the end of 2009, hopefully in or around the November/December timeframe. It’s a shame that there isn’t an SP lab at Cisco in Dubai at the moment, as that would have been very convenient, but I will worry about that when I am done with the written and can book a lab date.
Posted by Jo on July 31, 2009
As regular visitors will know, I have been preparing for the written exam for over the past month or so. I have been making decent enough progress going through the CCBootcamp Voice Written Study Guide and also trawling through the Voice SRNDs and information on the Cisco documentation site. I was aiming to take the exam in a few weeks’ time, but am now having second thoughts about it.
While I have been studying for the written I started off putting in 2-3 hours a night of reading, this has now dropped off to 2-3 hours once or twice a week as I feel I have learned as much as I can. I am also finding myself getting bored of the content, maybe this is a sign that I am ready to take the exam. I am also thinking about the practical side of things, and while I do have a stack of Proctor Labs vRack vouchers, I just don’t have the time to schedule in full 8 hour sessions after work and at the weekends to go through the workbooks. I also miss the CLI – I know that voice has a great deal of CLI configuration involved, but that’s a way off down the line for where I am in my prep.
So, what does all this mean? Well, I may put the voice studies on hold for a while (I still want to do it), and look at SP instead. Since I passed the R&S I feel that I have zoned out a little on the more complex technologies and routing protocols that I don’t work with on a day to day basis, such as BGP and VRFs etc. Of course SP will have its own challenges, but I think that I am more suited to it at present and should be able to make good progress. I will also be able to do a lot of the workbooks on Dynamips, which appeals greatly to me – I will be able to do shorter sessions of 2-4 hours and then longer ones when required – plus I get to go deeper and build on my R&S knowledge.
Jared wrote a good post on the IPexpert blog about doing SP after R&S which makes sense to me. I’m hoping that there isn’t a major change in the next 6 months or so, but something tells me there may be seeing as Cisco are making changes to all the other tracks, so I will see how I get on.
I have not yet decided on the workbooks to use, but Rick recommends the INE Volume I and II, and also the IPexpert Volume II labs. I will decide on this once I get done with the written exam.
Posted by Jo on June 18, 2009
I came across a posting on OSL to an article written by Mark Lewis on Network World entitled ‘How to pass the CCIE Voice written exam’. It has a great breakdown of the different sections on the blueprint along with a recommended reading list – it’s very informative reading.
There are also a number of follow up articles that contain some really great information on the various protocols featured in the CCIE Voice exams.
Mark is also the author of the CCIE Voice Exam Quick Reference Sheets, which I am using along with the CCBootcamp study guide to prepare for the exam. I will be blogging fairly soon with an update on my progress so far and detailing the materials and methods that I am using.
Links to Mark Lewis’ articles on Network World:
I also came across a good white paper on the H.323 protocol on the IEC site:
Have a read through these and enjoy and hopefully they will be of some use to you.