Sunday, July 14, 2013

ospf sham-links mpls vpnv4

In this blog post we will look at OSPF sham-links and a backdoor route between CEs. Here's the layout in GNS3:

  • The backup route is connected between the CEs on fas0/1
  • The CEs connect to the PEs on fas0/0
  • MPLS LDP is enabled on both PEs, between their fas0/1 interfaces


Okay, so first, here are the CE configs:



CE1


interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.255.0
 speed 100
 full-duplex
!
! backup route interface in area 0
interface FastEthernet0/1
 ip address 5.5.5.1 255.255.255.0
 speed 100
 full-duplex
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 5.5.5.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.0.255 area 0
!
 

CE2

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.255.0
 speed 100
 full-duplex
!
! backup route interface in area 0
interface FastEthernet0/1
 ip address 5.5.5.2 255.255.255.0
 speed 100
 full-duplex
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 5.5.5.0 0.0.0.255 area 0
 network 10.2.0.0 0.0.0.255 area 0




Okay, that's straightforward and simple. The PEs are where the fun's at.

PE1


!
!
ip vrf ce1
 rd 5706:1
 route-target export 5706:1
 route-target import 5706:1
!

interface Loopback7
 ip vrf forwarding ce1
 ip address 7.7.7.7 255.255.255.255
!
interface Loopback100
 ip address 100.100.100.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip vrf forwarding ce1
 ip address 10.1.0.2 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 9.9.9.1 255.255.255.0
 ip ospf 1 area 0
 speed 100
 full-duplex
 mpls ip
!
! notice ospf proc # ( I will explain this and the next line later )
router ospf 11 vrf ce1
 domain-id 0.0.0.12
 log-adjacency-changes
 area 0 sham-link 7.7.7.7 7.7.7.8 cost 10
 redistribute bgp 5706 metric 100 subnets route-map nosham
 network 10.1.0.0 0.0.0.255 area 0
!
router ospf 1
 log-adjacency-changes
!
router bgp 5706
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 100.100.100.2 remote-as 5706
 neighbor 100.100.100.2 update-source Loopback100
 !
 address-family vpnv4
  neighbor 100.100.100.2 activate
  neighbor 100.100.100.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf ce1
  redistribute ospf 11 vrf ce1
  no synchronization
  network 7.7.7.7 mask 255.255.255.255
 exit-address-family
!

!
ip access-list standard nosham
 deny   7.7.7.7
 deny   7.7.7.8
 permit any
!
route-map nosham permit 10
 description drop-sham-link-loop7
 match ip address nosham
!
!


and

PE2

!
ip vrf ce2
 rd 5706:1
 route-target export 5706:1
 route-target import 5706:1
!

!
interface Loopback7
 ip vrf forwarding ce2
 ip address 7.7.7.8 255.255.255.255
!
interface Loopback100
 ip address 100.100.100.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip vrf forwarding ce2
 ip address 10.2.0.2 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 9.9.9.2 255.255.255.0
 ip ospf 1 area 0
 speed 100
 full-duplex
 mpls ip
!
! notice ospf proc #
router ospf 12 vrf ce2
 log-adjacency-changes
 area 0 sham-link 7.7.7.8 7.7.7.7 cost 10
 redistribute bgp 5706 metric 100 subnets route-map nosham
 network 10.2.0.0 0.0.0.255 area 0
!
router ospf 1
 log-adjacency-changes
!
router bgp 5706
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 100.100.100.1 remote-as 5706
 neighbor 100.100.100.1 update-source Loopback100
 !
 address-family vpnv4
  neighbor 100.100.100.1 activate
  neighbor 100.100.100.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf ce2
  redistribute ospf 12 vrf ce2
  no synchronization
  network 7.7.7.8 mask 255.255.255.255
 exit-address-family
!

!
ip access-list standard nosham
 deny   7.7.7.7
 deny   7.7.7.8
 permit any
!
route-map nosham permit 10
 description drop-sham-link-loop7
 match ip address nosham
!
!


Okay, looks complex? Not at all.

The vrf vpnv4 part is simple and straight MPLS. We enable our vrf interfaces and routing to bring in our customer prefixes via the customer's IGP ( ospf in this case ).

We carry these routes via the MPLS cloud.


We next build a pair of /32 loopbacks on PE1 & 2.

These are advertised into BGP under vrf ce1/ce2 and filtered by the nosham route-map, so they are kept away from our vrf CEs: the route-map drops them from the BGP redistribution into ospf processes #11 & #12 ( CE1 and CE2 respectively ).
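
A small lint for the three conditions just described, as an added example that is not part of the original post: each sham-link source must be a /32 in the VRF, must be advertised in the VRF's BGP address-family, and both endpoints must be denied by the route-map on the BGP-to-OSPF redistribution. The function names and the trimmed PE1 sample are constructed for illustration.

```python
import re

# Constructed sample: the sham-link-relevant lines of the PE1 config above.
PE1 = """\
interface Loopback7
 ip vrf forwarding ce1
 ip address 7.7.7.7 255.255.255.255
router ospf 11 vrf ce1
 area 0 sham-link 7.7.7.7 7.7.7.8 cost 10
 redistribute bgp 5706 metric 100 subnets route-map nosham
router bgp 5706
 address-family ipv4 vrf ce1
  network 7.7.7.7 mask 255.255.255.255
ip access-list standard nosham
 deny   7.7.7.7
 deny   7.7.7.8
 permit any
route-map nosham permit 10
 match ip address nosham
"""

def sections(cfg):
    """Map each top-level command to the text indented under it."""
    out = {}
    for block in re.split(r"\n(?=\S)", cfg):
        head, _, body = block.partition("\n")
        out[head.strip()] = body
    return out

def check_sham_links(cfg):
    """Return problems in a PE's sham-link setup; [] means consistent."""
    sec, problems = sections(cfg), []
    first = lambda p: next((b for h, b in sec.items() if h.startswith(p)), "")
    ospf = {m[1]: b for h, b in sec.items() if (m := re.fullmatch(r"router ospf \d+ vrf (\S+)", h))}
    for vrf, body in ospf.items():
        af = first("router bgp ").partition(f"address-family ipv4 vrf {vrf}")[2]
        rm = re.search(r"redistribute bgp .* route-map (\S+)", body)
        acl = re.search(r"match ip address (\S+)", first(f"route-map {rm.group(1)} ") if rm else "")
        acl_body = sec.get(f"ip access-list standard {acl.group(1)}", "") if acl else ""
        # Only deny entries ahead of the first permit keep a prefix out of OSPF.
        denied = re.findall(r"deny\s+(\S+)", acl_body.split("permit")[0])
        for src, dst in re.findall(r"sham-link (\S+) (\S+)", body):
            if not any(f"ip vrf forwarding {vrf}" in b and
                       f"ip address {src} 255.255.255.255" in b for b in sec.values()):
                problems.append(f"{src}: no /32 interface in vrf {vrf}")
            if f"network {src} mask 255.255.255.255" not in af.split("address-family")[0]:
                problems.append(f"{src}: not advertised in BGP vrf {vrf}")
            problems += [f"{ip}: not filtered from BGP-to-OSPF redistribution" for ip in (src, dst) if ip not in denied]
    return problems
```

An empty list means the sham-link endpoints are reachable only through BGP, which is what keeps them from being learned back through OSPF in the VRF.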


Finally we crafted the backup route interfaces on the 2 CEs and adjusted the ospf cost to make this path less favorable. In this design, I need a cost of 14+ to enforce traffic over the MPLS backbone.

In the end we want Intra-Area routes represented over the MPLS backbone.

( see the final route tables from the CEs' perspective )



and a traceroute to confirm:
( note: I simulated a sham-link failure by shutting one of the PEs' loopback#7 interfaces, to enforce the backup route )



Okay, simple and straightforward.

Key takeaways:

  • make sure you watch your configuration to keep the sham-link networks from leaking into OSPF on all CEs
  • if the ospf process #s don't match, adjust them with the ospf domain-id ( see my big note )
  • adjust the ospf cost on the backup routes until you get the desired route

Ken Felix
Freelance Network & Security Engineer
kfelix  ------at----- socpuppets ---d---o---t---- com

            ^         ^
         (  @    @ )
-------------------------------
