Cisco Support Community

ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss traffic engineering and VPN services with Cisco expert Eric Osborne. Eric is a Network Consulting Engineer at Cisco Systems, Inc. He joined Cisco in 1998 and he initially worked in the Cisco Technical Assistance Center (TAC). Later on he moved to the ISP Expert team and then to the MPLS Deployment team. He has been involved in MPLS since the Cisco IOS Software Release 11.1CT days. He has a CCIE # 4122. Eric is the co-author of "Traffic Engineering with MPLS" with Ajay Simha. He has also been giving Traffic Engineering talks at Networkers since 2000. Remember to use the rating system to let Eric know if you have received an adequate response.

Eric might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 12. Visit this forum often to view responses to your questions and the questions of other community members.

28 REPLIES
Community Member

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Hello everyone,

I was recently asked how to accomplish the following.

The scenario has an internet router currently set up with one Ethernet port connected to the local network and one serial interface connected to a T1 circuit for internet access. Remote users connect to Citrix servers through this T1. They just installed a DSL circuit and have added a second Ethernet port into the router. They want to route local users that want to browse the internet out this new Ethernet port, which is connected to the DSL modem, while remote users use the T1 circuit. I was thinking that they should use Policy Based Routing; does anyone have any suggestions?

Anonymous
N/A

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Depends; you could solve this with PBR, as you've indicated, or you could solve it with MPLS-VPNs; for a one-box solution, you wouldn't even need MPLS encapsulation, just VRFs (virtual routing and forwarding tables). PBR is definitely going to be simpler; if you want to explore PBR, check out the Network Infrastructure forum. If you want to explore MPLS-VPNs, let me know and we can deal with it here.

Community Member

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Hi Eric,

Which IOS version do you recommend for testing MPLS in a lab environment using 2500 series routers?

Thanks

Anonymous
N/A

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

It depends - for TE, you really can't use 2500s, since TE is only in 12.0S right now and there are no 2500 images for 12.0S. For MPLS VPNs, you can try the latest 12.2/12.2T/12.3/12.3T code, you should be able to get somewhere with those.

Community Member

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Dear Eric,

I am interested in building additional tunnels from sites that have 1720 routers, 32M ram.

I am concerned about performance without upgrading to a VPN accelerator module.

I will only have a maximum of 3 tunnels active. I plan on testing this in a lab but I am looking for research information at this point.

Could you point me to a web page or just share any similar experiences?

Thank You,

Robert

Anonymous
N/A

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Unfortunately, I can't help you much; although this talk is currently titled "Traffic Engineering and VPN Services", it really should have been "Traffic Engineering and MPLS VPN Services"; I'm no IPSec/VAM/PIX/etc expert, by any means.

I'll find a place for your questions to get answered and get back to you in this forum. Offhand, I wouldn't think you need to worry about the performance of 3 tunnels in software, but you shouldn't take me as the authoritative source for this sort of stuff.

Community Member

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Mr. Osborne,

Can you give an overview of this technology or post a link for reading?

I currently have 90 IPSec VPNs terminating on a PIX 525. The distant ends are PIX 501s through 1721 VPN bundles and also client VPN connections. The 90 are all LAN-to-LAN connections. How and/or can this technology help me out?

Thanks

John

Anonymous
N/A

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

It's not clear to me what you mean by "this technology". From the rest of your question, it sounds like you're asking about MPLS-VPN - right?

Assuming so, the canonical reference for such stuff is "MPLS and VPN Architectures", Cisco Press, by Guichard et al. If you don't want to take the full book-buying plunge, check out my 2003 MPLS-VPN Networkers talk at

ftp://ftp-eng.cisco.com/eosborne/mpls/

or are you looking for something else?

Community Member

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Hello Eric,

With this topology:

_____________L3______L6
R1 ------> R2 --------> R3 ----->
_____L1____--------> R4 -----> R5
_____________L2_______L5

The router R1 is an MPLS PE that receives some MPLS/VPNs, for example VPN A, VPN B and VPN C.

The routers R2, R3 and R4 are MPLS Ps.

The router R5 is an MPLS PE where VPNs A, B and C terminate.

The link L1 is FastEthernet between routers R1 and R2. The links L2 and L3 are two parallel serial links with the same IGP metrics (ISIS) between R2 and the R3 and R4 routers, respectively, and the L5 and L6 links are a LAN network (FastEthernet) where the three routers R3, R4 and R5 are.

Then the problem is the following:

I need to send traffic ONLY of VPN A over the L3 link (one of the parallel links) with destination R5.

The two possible paths for the traffic between R1 and R5 are:

First path: R1->L1->R2->L3->R3->L6->R5

Second path: R1->L1->R2->L2->R4->L5->R5

I created an MPLS TE tunnel from R1 with the first path as IP explicit path and the loopback IP of R5 as tunnel destination, but ALL traffic (of all the MPLS/VPNs) goes over the first path, filling it up, because the other MPLS/VPNs (VPN B and VPN C) also learn their BGP VPNv4 prefixes with the loopback IP of the R5 router as next-hop, and I NEED ONLY the traffic of VPN A to follow this path; the traffic for the other VPNs could be load-balanced over the two links (L2 and L3).

What is the procedure or configuration so that the MPLS TE tunnel is used ONLY for the traffic of one MPLS/VPN?

Anonymous
N/A

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

"What is the procedure or configuration so that the MPLS TE tunnel is used ONLY for the traffic of one MPLS/VPN?"

Architecturally, this is not something we recommend - it doesn't scale well, and it buys you very little, if anything. However, if you want to do this, you have to play games with BGP next-hops. Consider:

PE1---P---PE2

where PE2 has 2 VRFs, VRFa and VRFb. You have a TE tunnel from PE1 to PE2 that you only want to carry traffic for VRFb. What you need to do is

on PE2 or PE1:
--------------
for all routes in VRFb that should go down the tunnel, set the BGP next-hop to a bogus address, like 2.2.2.2

on PE1:
-------
point a static route for 2.2.2.2 down the tunnel for VRFb.

It's a little weird (you have to make sure you can handle the case where the tunnel goes down, or make sure your tunnel never goes down) but it works.

Community Member

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

Ok, then with this topology:

PE1---P----PE2

I don't have a BGP session between PE1 and PE2; I have a BGP session between PE1--P and P--PE2.

1. How can I change the next-hop attribute (on PE1, for example) for ONLY the vrfb prefixes learned from PE2?

2. With this, all the routes on PE1 in the vrfb table will have a bogus address as next-hop; then on this same router (PE1) I put a static?

3. Will the static be:

ip route vrf vrfb 2.2.2.2 255.255.255.255 tunn 0 or ip route 2.2.2.2 255.255.255.255 tunn 0?

Thanks in advance

JABE

Anonymous
N/A

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

"Ok, then with this topology:

PE1---P----PE2

I don't have a BGP session between PE1 and PE2; I have a BGP session between PE1--P and P--PE2."

So the P router is a route reflector?

1)

Set the next-hop on PE2 (matching on ext or std comm) or on PE1 (set a std comm on PE2, match on it on PE1)

2) & 3)

It's a global route, since the BGP NH for a VPN is in the global table. So the second form of static route.
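The next-hop trick from the two replies above, modelled as an added example (not code from the thread or from Cisco): VPN routes resolve their BGP next-hop in PE1's global table, so only the VRF whose next-hop was rewritten to 2.2.2.2 follows the static route into Tunnel0, and that VRF loses its path when the tunnel goes down. The prefixes, the PE2 loopback value, the link names and the assumption that the tunnel is not announced to the IGP are all constructed for the illustration.

```python
import ipaddress

BOGUS_NH = "2.2.2.2"          # bogus BGP next-hop suggested in the reply
PE2_LOOPBACK = "10.1.0.193"   # assumed real BGP next-hop (PE2 loopback)

# Constructed VPNv4 routes learned from PE2; the prefixes are made up.
VPNV4_FROM_PE2 = [
    {"vrf": "VRFa", "prefix": "192.168.1.0/24", "next_hop": PE2_LOOPBACK},
    {"vrf": "VRFb", "prefix": "192.168.2.0/24", "next_hop": PE2_LOOPBACK},
]

def rewrite_next_hop(routes, vrf, new_nh):
    """Step 1: set the BGP next-hop to new_nh for every route of one VRF."""
    return [dict(r, next_hop=new_nh) if r["vrf"] == vrf else dict(r)
            for r in routes]

def global_table(tunnel_up):
    """PE1's global table: IGP equal-cost paths to PE2, plus the static
    route for the bogus address. A static route that points at an
    interface is only installed while that interface is up."""
    table = {PE2_LOOPBACK + "/32": ["L2", "L3"]}
    if tunnel_up:
        table[BOGUS_NH + "/32"] = ["Tunnel0"]   # step 2: static down the tunnel
    return table

def resolve(routes, vrf, dest, tunnel_up=True):
    """Return the outgoing paths for dest in vrf, or [] when the BGP
    next-hop cannot be resolved in the global table."""
    addr = ipaddress.ip_address(dest)
    table = global_table(tunnel_up)
    for r in routes:
        if r["vrf"] != vrf or addr not in ipaddress.ip_network(r["prefix"]):
            continue
        nh = ipaddress.ip_address(r["next_hop"])
        # Longest-prefix match of the next-hop in the global table.
        hits = [(ipaddress.ip_network(p), out) for p, out in table.items()
                if nh in ipaddress.ip_network(p)]
        if not hits:
            return []
        return max(hits, key=lambda h: h[0].prefixlen)[1]
    return []

if __name__ == "__main__":
    steered = rewrite_next_hop(VPNV4_FROM_PE2, "VRFb", BOGUS_NH)
    for up in (True, False):
        for vrf, dest in (("VRFa", "192.168.1.10"), ("VRFb", "192.168.2.10")):
            print("tunnel up" if up else "tunnel down", vrf,
                  resolve(steered, vrf, dest, up) or "unresolvable")
```

With the tunnel down, VRFb has no fallback because nothing else in the global table covers the bogus address, which is the case the reply says has to be handled.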

Community Member

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

CONFIG PE1

interface Loopback0
 ip address 10.1.0.177 255.255.255.255
 ip router isis
!
interface Loopback1
 ip address 10.0.0.177 255.255.255.255
 ip router isis
!
interface Tunnel0
 ip unnumbered Loopback0
 tag-switching ip
 tunnel destination 10.1.0.193
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 10 explicit name xxx
!
router isis
 net 49.0000.0000.0000.0007.00
 is-type level-2-only
 metric-style wide
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-2

CONFIG PE2

interface Loopback0
 ip address 10.1.0.193 255.255.255.255
 ip router isis
!
interface Loopback1
 ip address 10.0.0.193 255.255.255.255
 ip router isis
!
interface Tunnel0
 ip unnumbered Loopback0
 tag-switching ip
 tunnel destination 10.1.0.177
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 10 explicit name xxx
!
router isis
 net 49.0000.0000.0000.0003.00
 is-type level-2-only
 metric-style wide level-2
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-2

With this config, the tunnel runs perfectly!!!

The problem is that when I modified the tunnel destination on both sides, setting the tunnel destination to the IP of Loopback1, the tunnel went down.

In the isis process I changed the command

mpls traffic-eng router-id Loopback0 to

mpls traffic-eng router-id Loopback1 and the tunnel came UP.

The questions are:

1. Can I configure a tunnel with a tunnel destination IP different from the IP configured in the isis process as mpls traffic-eng router-id?

2. If not, is there another way to configure TE tunnels with a different tunnel destination to the same destination router?

Thanks in advance

JABE

Anonymous
N/A

Re: ASK THE EXPERT- TRAFFIC ENGINEERING AND VPN SERVICES

"1. Can I configure a tunnel with a tunnel destination IP different from the IP configured in the isis process as mpls traffic-eng router-id?"

Answer: no. The tunnel tail IP addr has to be the TE RID of the device in question.

"2. If not, is there another way to configure TE tunnels with a different tunnel destination to the same destination router?"

Answer: no. Why do you want to do this? As far as I can see, it has no utility whatsoever.
