Tuesday, March 3, 2009

Mpls Lab #2: playing with LDP

The topology for this second MPLS lab is a "paper boat" ;-)
The main purpose is to establish LDP sessions following these rules/steps:
1) use single-area OSPF as the IGP
2) use Loopback 0 as the LDP router-id on all routers
3) use a single LDP session for R0 <-> R1 and for R4 <-> R5
4) establish a targeted session between R0 and R5 with session protection of 60s
5) enable MPLS synchronization on all routers
6) use LDP authentication for the links between R1 <-> R2 <-> R3 <-> R4 with password "cisco"
7) advertise only labels for Loopback 1 routes to R6 and R7




Let's try to solve it...

1) IGP routing: we must use single-area OSPF. Note that OSPF doesn't support unequal-cost load balancing, so to install both the serial and the Ethernet route on R0-R1 and on R4-R5 we must modify the default cost of some interfaces:

e.g. on R5:
R5#sh run int ethernet 0/0
interface Ethernet0/0
description R5 <-> R4 Link Ethernet
ip address 172.16.25.10 255.255.255.252
ip ospf cost 64
end

R5#sh run int ser 1/0
interface Serial1/0
description R4 <-> R5 Link Serial
ip address 172.16.25.14 255.255.255.252
end
Let's check the R5 routing table to see if we're using both links:

R5#sh ip route | beg Gate
Gateway of last resort is not set

C 192.168.10.0/24 is directly connected, Loopback1
172.16.0.0/16 is variably subnetted, 17 subnets, 2 masks
O 172.16.25.4/30 [110/148] via 172.16.25.13, 00:01:33, Serial1/0
[110/148] via 172.16.25.9, 00:01:33, Ethernet0/0
O 172.16.30.0/30 [110/84] via 172.16.25.13, 00:01:33, Serial1/0
[110/84] via 172.16.25.9, 00:01:33, Ethernet0/0
O 172.16.25.0/30 [110/148] via 172.16.25.13, 00:01:33, Serial1/0
[110/148] via 172.16.25.9, 00:01:33, Ethernet0/0
O 172.16.30.4/30 [110/74] via 172.16.25.13, 00:01:33, Serial1/0
[110/74] via 172.16.25.9, 00:01:33, Ethernet0/0
C 172.16.25.12/30 is directly connected, Serial1/0
O 172.16.30.8/30 [110/84] via 172.16.25.13, 00:01:33, Serial1/0
[110/84] via 172.16.25.9, 00:01:33, Ethernet0/0
C 172.16.25.8/30 is directly connected, Ethernet0/0
O 172.16.30.12/30 [110/74] via 172.16.25.13, 00:01:33, Serial1/0
[110/74] via 172.16.25.9, 00:01:33, Ethernet0/0
C 172.16.25.20/30 is directly connected, Ethernet0/1
O 172.16.30.16/30 [110/84] via 172.16.25.13, 00:01:33, Serial1/0
[110/84] via 172.16.25.9, 00:01:33, Ethernet0/0
C 172.16.30.22/32 is directly connected, Loopback0
O 172.16.30.23/32 [110/75] via 172.16.25.13, 00:01:33, Serial1/0
[110/75] via 172.16.25.9, 00:01:33, Ethernet0/0
O 172.16.25.16/30 [110/128] via 172.16.25.22, 00:01:36, Ethernet0/1
O 172.16.30.26/32 [110/65] via 172.16.25.13, 00:01:36, Serial1/0
[110/65] via 172.16.25.9, 00:01:36, Ethernet0/0
O 172.16.30.27/32 [110/65] via 172.16.25.22, 00:01:36, Ethernet0/1
O 172.16.30.24/32 [110/85] via 172.16.25.13, 00:01:36, Serial1/0
[110/85] via 172.16.25.9, 00:01:36, Ethernet0/0
O 172.16.30.25/32 [110/75] via 172.16.25.13, 00:01:36, Serial1/0
[110/75] via 172.16.25.9, 00:01:36, Ethernet0/0
O 192.168.5.0/24 [110/75] via 172.16.25.13, 00:01:36, Serial1/0
[110/75] via 172.16.25.9, 00:01:36, Ethernet0/0
2) use Loopback 0 as Ldp router-id for all routers:
mpls ldp router-id Loopback0 force

Note the use of "force": it is useful only on R0, R2 and R5, because they have a higher IP address on Loopback 1... without force, they would use the Lo1 address as the LDP router-id.

3) use a single LDP session for R0 <-> R1 and for R4 <-> R5: to accomplish this task, we must first have configured OSPF for load balancing; then we can set the LDP transport-address on both sides of R0 - R1 and R4 - R5 as follows.

R5#sh run int eth 0/0
interface Ethernet0/0
description R5 <-> R4 Link Ethernet
ip address 172.16.25.10 255.255.255.252
ip ospf cost 64
half-duplex
mpls ldp discovery transport-address 172.16.30.22
end

R5#sh run int ser 1/0
interface Serial1/0
description R4 <-> R5 Link Serial
ip address 172.16.25.14 255.255.255.252
mpls ldp discovery transport-address 172.16.30.22
serial restart-delay 0
no fair-queue
end

So R5 will use Lo0 address in the hellos sent out eth 0/0 and ser 1/0. Note that we can't specify the interface, but only the ip address.
To check it:
R4#sh mpls ldp neighbor 172.16.30.22 detail
Peer LDP Ident: 172.16.30.22:0; Local LDP Ident 172.16.30.26:0
TCP connection: 172.16.30.22.646 - 172.16.30.26.24401
State: Oper; Msgs sent/rcvd: 32/33; Downstream; Last TIB rev sent 45
Up time: 00:07:04; UID: 3; Peer Id 2;
LDP discovery sources:
Ethernet0/1; Src IP addr: 172.16.25.10
holdtime: 15000 ms, hello interval: 5000 ms
Serial1/0; Src IP addr: 172.16.25.14
holdtime: 15000 ms, hello interval: 5000 ms
Addresses bound to peer LDP Ident:
172.16.25.10 172.16.25.21 172.16.25.14 172.16.30.22
192.168.10.1
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
R4#
One neighbour, two discovery sources...

4) establish a targeted session between R0 and R5 with session protection of 60s

R5(config)#mpls ldp neighbor 172.16.30.21 targeted

R1(config)#mpls ldp neighbor 172.16.30.22 targeted

R5#sh mpls ldp neighbor 172.16.30.21 detail
Peer LDP Ident: 172.16.30.21:0; Local LDP Ident 172.16.30.22:0
TCP connection: 172.16.30.21.646 - 172.16.30.22.37144
State: Oper; Msgs sent/rcvd: 77/75; Downstream; Last TIB rev sent 46
Up time: 00:45:35; UID: 3; Peer Id 2;
LDP discovery sources:
Targeted Hello 172.16.30.22 -> 172.16.30.21, active, passive;
holdtime: infinite, hello interval: 10000 ms
Addresses bound to peer LDP Ident:
172.16.30.21 192.168.0.1 172.16.25.1 172.16.30.25
172.16.25.5
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
Clients: Dir Adj Client
R5#

I realized that session protection isn't supported on targeted sessions, but only on directly connected LDP neighbors... the "protection" consists, in fact, of transforming a directly connected neighbor into a targeted neighbor when the physical link goes down... so no session protection for this task.

5) enable MPLS synchronization for all routers:
Tricky one... first of all, just enable synchronization on all routers with:

R7(config)#router ospf 1
R7(config-router)#mpls ldp sync
R7(config-router)#exit
R7(config)#exit
R7#
and verify it with
R7#sh mpls ldp igp sync
Serial1/0:
LDP configured; LDP-IGP Synchronization enabled.
Sync status: sync achieved; peer reachable.
IGP holddown time: infinite.
Peer LDP Ident: 172.16.30.28:0
IGP enabled: OSPF 1
Ethernet2/0:
LDP configured; LDP-IGP Synchronization enabled.
Sync status: sync achieved; peer reachable.
IGP holddown time: infinite.
Peer LDP Ident: 172.16.30.22:0
IGP enabled: OSPF 1
R7#

OK, synchronization is now enabled, but what does this mean? What happens when a link goes down or a router reboots?
If you shut down a link and then bring it back up, you see something like this:
R7#
*Mar 9 22:58:35.143: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.30.28 on Serial1/0 from LOADING to FULL, Loading Done
*Mar 9 22:58:35.727: OSPF: schedule to build router LSA after notification from LDP
*Mar 9 22:58:40.399: %LDP-5-NBRCHG: LDP Neighbor 172.16.30.28:0 (2) is UP
*Mar 9 22:58:40.399: OSPF: schedule to build router LSA after notification from LDP
R7#

OSPF "waits" until an LDP session is established... but if you have only one link to reach the LDP peer, it can wait forever, because if there is no route to the peer, no LDP session will be established...
So it is much better to set a value for the holddown timer; the default is infinite:
R7(config)#mpls ldp igp sync holddown ?
<1-2147483647> Hold down time in milliseconds
R7(config)#mpls ldp igp sync holddown 30000

And verify it:
R7#sh mpls ldp igp sync
Serial1/0:
LDP configured; LDP-IGP Synchronization enabled.
Sync status: sync achieved; peer reachable.
IGP holddown time: 30000 milliseconds.
Peer LDP Ident: 172.16.30.28:0
IGP enabled: OSPF 1
Ethernet2/0:
LDP configured; LDP-IGP Synchronization enabled.
Sync status: sync achieved; peer reachable.
IGP holddown time: 30000 milliseconds.
Peer LDP Ident: 172.16.30.22:0
IGP enabled: OSPF 1
R7#


6) use ldp authentication for links between R1 <-> R2 <-> R3 <-> R4 with password "cisco"
for each neighbor:
R1(config)#mpls ldp neighbor 172.16.30.23 password cisco

and the ldp session goes down with:
R1(config)#
*Mar 1 01:18:52.547: ldp: Sent notif msg to 172.16.30.23:0 (pp 0x64CE6434)
*Mar 1 01:18:52.547: ldp: notif msg: LDP Id: 172.16.30.24:0; First PDU msg:
*Mar 1 01:18:52.551: 0x00 0x01 0x00 0x32 0xAC 0x10 0x1E 0x18 0x00 0x00
*Mar 1 01:18:52.551: 0x00 0x01 0x00 0x12 0x00 0x00 0x01 0x8E 0x03 0x00 0x00 0x0A
*Mar 1 01:18:52.555: 0x80 0x00 0x00 0x09 0x00 0x00 0x00 0x00 0x00 0x00
*Mar 1 01:18:52.555: ldp: Sent notif msg to 172.16.30.23:0 (pp 0x64CE6434)
*Mar 1 01:18:52.555: ldp: notif msg: LDP Id: 172.16.30.24:0; Next PDU msg:
*Mar 1 01:18:52.555: 0x00 0x01 0x00 0x12 0x00 0x00 0x01 0x8F 0x03 0x00 0x00 0x0A
*Mar 1 01:18:52.555: 0x80 0x00 0x00 0x0A 0x00 0x00 0x00 0x00 0x00 0x00
R1(config)#
*Mar 1 01:18:52.567: %LDP-5-NBRCHG: LDP Neighbor 172.16.30.23:0 (2) is DOWN (Session's MD5 password changed)
R1(config)#
*Mar 1 01:18:56.055: %TCP-6-BADAUTH: No MD5 digest from 172.16.30.23(646) to 172.16.30.24(45329) (RST)

When finally the neighbor has the same password:
*Mar  1 01:20:35.695: %LDP-5-NBRCHG: LDP Neighbor 172.16.30.23:0 (2) is UP
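
The two messages above are worth watching for outside the lab too: "No MD5 digest" means the peer has no password configured, "Invalid MD5 digest" means the passwords differ. A small log check built on them, as an added example (not part of the original lab; the last sample line is constructed, and it assumes the LDP router-id is also the transport address, as in this topology):

```python
import re
from collections import defaultdict

# First three lines: the page's own log (line wraps repaired).
# Last line: constructed for this example.
SAMPLE_LOG = """\
*Mar 1 01:18:52.567: %LDP-5-NBRCHG: LDP Neighbor 172.16.30.23:0 (2) is DOWN (Session's MD5 password changed)
*Mar 1 01:18:56.055: %TCP-6-BADAUTH: No MD5 digest from 172.16.30.23(646) to 172.16.30.24(45329) (RST)
*Mar 1 01:20:35.695: %LDP-5-NBRCHG: LDP Neighbor 172.16.30.23:0 (2) is UP
*Mar 1 01:25:10.101: %TCP-6-BADAUTH: Invalid MD5 digest from 172.16.30.99(40112) to 172.16.30.24(646)
"""

LDP_PORT = 646  # LDP session TCP port, as seen in the page's output
IP = r"(\d+\.\d+\.\d+\.\d+)"
BADAUTH = re.compile(
    r"%TCP-6-BADAUTH: (No|Invalid) MD5 digest from "
    + IP + r"\((\d+)\) to " + IP + r"\((\d+)\)")
NBRCHG = re.compile(
    r"%LDP-5-NBRCHG: LDP Neighbor " + IP + r":\d+ \(\d+\) is (UP|DOWN)(?: \((.*)\))?")


def summarize(log_text):
    """Per-peer view: last session state/reason and counts of rejected segments."""
    peers = defaultdict(lambda: {"state": None, "reason": None,
                                 "no_digest": 0, "invalid_digest": 0})
    for line in log_text.splitlines():
        m = BADAUTH.search(line)
        if m:
            kind, src, sport, _dst, dport = m.groups()
            # Keep only LDP (TCP 646); BGP also logs TCP-6-BADAUTH.
            if LDP_PORT in (int(sport), int(dport)):
                peers[src]["no_digest" if kind == "No" else "invalid_digest"] += 1
            continue
        m = NBRCHG.search(line)
        if m:
            ip, state, reason = m.groups()
            peers[ip]["state"], peers[ip]["reason"] = state, reason
    return dict(peers)


def needs_attention(summary):
    """Peers whose segments were rejected and that have no session up."""
    return sorted(ip for ip, p in summary.items()
                  if (p["no_digest"] or p["invalid_digest"]) and p["state"] != "UP")


if __name__ == "__main__":
    print(needs_attention(summarize(SAMPLE_LOG)))
```

R2 (172.16.30.23) drops out of the list once its session comes back up with the matching password; the constructed 172.16.30.99 stays in it.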


7) advertise only labels for Loopback 1 routes to R6 and R7
To accomplish this last task I worked only on R0 and R5, using the "advertise-labels" feature.
The task for R0 is:
(advertise only labels for Lo1 prefixes to R6) AND (advertise all labels to R1)
So we must construct the appropriate acls...

! do not advertise labels by default
no mpls ldp advertise-labels
! advertise labels for prefixes 192.168.... to neighbors R6 AND R1
mpls ldp advertise-labels for PREF_192 to NEIGH_RCV_LABELS_192
! advertise labels for all other prefixes (not for 192.168...) only to neighbor R1
mpls ldp advertise-labels for PREF_ALL to R1

ip access-list standard R1
permit 172.16.30.24

ip access-list standard NEIGH_RCV_LABELS_192
permit any

ip access-list standard PREF_192
permit 192.168.0.0 0.0.0.255
permit 192.168.5.0 0.0.0.255
permit 192.168.10.0 0.0.0.255

ip access-list standard PREF_ALL
permit any


If you forget to permit all labels to all neighbors... you will see only Lo1 prefixes on R6 labeled... and the rest without ;-(
Let's check on R0:
R0#  sh mpls ldp bindings advertisement-acls
Advertisement spec:
Prefix acl = PREF_192; Peer acl = NEIGH_RCV_LABELS_192
Prefix acl = PREF_ALL; Peer acl = R1

tib entry: 172.16.25.0/30, rev 258
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.25.4/30, rev 259
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.25.8/30, rev 260
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.25.12/30, rev 261
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.25.16/30, rev 262
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.25.20/30, rev 263
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.0/30, rev 264
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.4/30, rev 265
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.8/30, rev 266
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.12/30, rev 267
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.16/30, rev 268
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.21/32, rev 269
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.22/32, rev 270
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.23/32, rev 271
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.24/32, rev 272
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.24/30, rev 273
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.25/32, rev 274
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.26/32, rev 275
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.27/32, rev 276
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 172.16.30.28/32, rev 277
Advert acl(s): Prefix acl PREF_ALL; Peer acl R1
tib entry: 192.168.0.0/24, rev 255
Advert acl(s): Prefix acl PREF_192; Peer acl NEIGH_RCV_LABELS_192
tib entry: 192.168.5.0/24, rev 256
Advert acl(s): Prefix acl PREF_192; Peer acl NEIGH_RCV_LABELS_192
tib entry: 192.168.10.0/24, rev 257
Advert acl(s): Prefix acl PREF_192; Peer acl NEIGH_RCV_LABELS_192
R0#


And on R6 and R1:

R6#sh mpls ldp bindings neighbor 172.16.30.21
tib entry: 192.168.0.0/24, rev 38
remote binding: tsr: 172.16.30.21:0, tag: imp-null
tib entry: 192.168.5.0/24, rev 40
remote binding: tsr: 172.16.30.21:0, tag: 28
tib entry: 192.168.10.0/24, rev 42
remote binding: tsr: 172.16.30.21:0, tag: 29
R6#

R1#sh mpls ldp bindings neighbor 172.16.30.21
tib entry: 172.16.25.0/30, rev 6
remote binding: tsr: 172.16.30.21:0, tag: imp-null
tib entry: 172.16.25.4/30, rev 2
remote binding: tsr: 172.16.30.21:0, tag: imp-null
tib entry: 172.16.25.8/30, rev 24
remote binding: tsr: 172.16.30.21:0, tag: 22
tib entry: 172.16.25.12/30, rev 26
remote binding: tsr: 172.16.30.21:0, tag: 23
tib entry: 172.16.25.16/30, rev 44
remote binding: tsr: 172.16.30.21:0, tag: 30
tib entry: 172.16.25.20/30, rev 28
remote binding: tsr: 172.16.30.21:0, tag: 24
tib entry: 172.16.30.0/30, rev 4
remote binding: tsr: 172.16.30.21:0, tag: 16
tib entry: 172.16.30.4/30, rev 20
remote binding: tsr: 172.16.30.21:0, tag: 20
tib entry: 172.16.30.8/30, rev 8
remote binding: tsr: 172.16.30.21:0, tag: 17
tib entry: 172.16.30.12/30, rev 22
remote binding: tsr: 172.16.30.21:0, tag: 21
tib entry: 172.16.30.16/30, rev 18
remote binding: tsr: 172.16.30.21:0, tag: 19
tib entry: 172.16.30.21/32, rev 12
remote binding: tsr: 172.16.30.21:0, tag: imp-null
tib entry: 172.16.30.22/32, rev 30
remote binding: tsr: 172.16.30.21:0, tag: 25
tib entry: 172.16.30.23/32, rev 32
remote binding: tsr: 172.16.30.21:0, tag: 26
tib entry: 172.16.30.24/32, rev 10
remote binding: tsr: 172.16.30.21:0, tag: 18
tib entry: 172.16.30.24/30, rev 14
remote binding: tsr: 172.16.30.21:0, tag: imp-null
tib entry: 172.16.30.26/32, rev 36
remote binding: tsr: 172.16.30.21:0, tag: 27
tib entry: 172.16.30.28/32, rev 46
remote binding: tsr: 172.16.30.21:0, tag: 31
tib entry: 192.168.0.0/24, rev 16
remote binding: tsr: 172.16.30.21:0, tag: imp-null
tib entry: 192.168.5.0/24, rev 38
remote binding: tsr: 172.16.30.21:0, tag: 28
tib entry: 192.168.10.0/24, rev 40
remote binding: tsr: 172.16.30.21:0, tag: 29
R1#
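
To repeat this check without reading the output by eye, the bindings a neighbor received can be compared against the prefix ACL. This is an added example, not part of the original lab: R6_OUTPUT is R6's output from above, R6_LEAK is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# PREF_192 from the page, as (network, wildcard) pairs.
PREF_192 = [("192.168.0.0", "0.0.0.255"),
            ("192.168.5.0", "0.0.0.255"),
            ("192.168.10.0", "0.0.0.255")]

# R6's output exactly as shown on the page.
R6_OUTPUT = """\
tib entry: 192.168.0.0/24, rev 38
remote binding: tsr: 172.16.30.21:0, tag: imp-null
tib entry: 192.168.5.0/24, rev 40
remote binding: tsr: 172.16.30.21:0, tag: 28
tib entry: 192.168.10.0/24, rev 42
remote binding: tsr: 172.16.30.21:0, tag: 29
"""

# Constructed: the same output plus one binding R6 should not receive.
R6_LEAK = R6_OUTPUT + """\
tib entry: 172.16.30.22/32, rev 44
remote binding: tsr: 172.16.30.21:0, tag: 25
"""

ENTRY = re.compile(
    r"tib entry: (\S+), rev \d+\s+remote binding: tsr: (\S+):\d+, tag: (\S+)")


def parse_bindings(text):
    """Return [(network, advertising LSR, label)] from the show output."""
    return [(ipaddress.ip_network(p), tsr, tag)
            for p, tsr, tag in ENTRY.findall(text)]


def acl_permits(network, acl):
    """Standard-ACL match on the prefix's network address (wildcard bits ignored)."""
    addr = int(network.network_address)
    for net, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.ip_address(net)) & care):
            return True
    return False  # implicit deny at the end of the ACL


def leaked_bindings(show_output, acl, advertiser="172.16.30.21"):
    """Prefixes the advertiser sent a label for although the ACL denies them."""
    return [str(net) for net, tsr, _tag in parse_bindings(show_output)
            if tsr == advertiser and not acl_permits(net, acl)]
```

An empty list for R6 means R0 advertised nothing outside PREF_192 to it; the constructed output returns the extra /32.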

1 comment:

Josinfo Networks said...

My Marco

Here is Josinfo from Brazil. It's great what you are doing with this blog, very great for anyone who wants to get more practice in a configuration environment. I want to be a CCIE one day, hopefully soon, hahaha. I did this scenario, very great step-by-step.

BR,
JOSINFO