Monday, April 6, 2009

Mpls Lab #4: using Mpls with cell-mode ATM

Hi all, I've built this lab with GNS3 to try MPLS over LC-ATM (so-called "cell mode").

In real life you will never find routers with ATM interfaces connected back-to-back; usually routers are connected through ATM switches... but it's the only way to test LC-ATM with GNS3, so this lab doesn't represent a real scenario.



Note that all "red" links are ATM connections...
The main goals of this lab are:

1) configure and verify mpls on LC-ATM links (use session protection for all ldp neighbors)
2) configure mpls vpn for custA (CE-R9 and CE-R10) using eigrp as PE-CE protocol
3) configure mpls vpn for custB (CE-R5, CE-R6 and CE-R7) using ospf as PE-CE protocol
4) configure traffic engineering tunnels: configure a 5 Mbps tunnel for CE-R5 <-> CE-R6 using R4-3-2-0-1 path (it's senseless... I agree ;-) )
5) configure traffic engineering tunnels: configure a 2 Mbps tunnel for CE-R9 <-> CE-R10 using R2-3-4-0-1-8 path


First of all, you have to read the great "Cell-Mode MPLS" post on InterNetworkExpert blog.

Second: configure GNS3 with the "right" IOS for this lab... I tried "c7200-adventerprisek9-mz.124-22.T", but it doesn't support atm mpls subinterfaces... the great "c7200-adventerprisek9-mz.124-11.T" version worked instead. Note that it requires 256 MB of RAM for each router, so don't try this lab without 2,6 GB of free RAM ;-)

Then you can proceed with the tasks:

1) configure and verify mpls on LC-ATM links (use session protection for all ldp neighbors)
Enable mpls and TE globally with:
ip cef
mpls ldp neighbor 10.0.0.3 password cisco
mpls ldp neighbor 10.0.0.1 password cisco
mpls ldp loop-detection   !-- very important with atm interfaces... read below
mpls ldp session protection  !-- enables session protection for all neighbors
mpls traffic-eng tunnels  !-- enables RSVP globally
mpls ldp router-id Loopback0 force  !-- configure Lo0 before ;-)

Session protection is useless in this lab... if I shut an ATM interface, the ldp session is "closed", so no session protection will happen, but it's nice to know how to configure it.

Configure your interfaces as follows (you can share the same loopback ip using ip unnumbered for multiple atm subinterfaces):
R4#sh run int lo 0
!
interface Loopback0
ip address 10.0.0.4 255.255.255.255
end

R4#sh run int lo 10   !-- let's add some loopbacks for ospf and TE
!
interface Loopback10
description Used as Ospf router-id and TE
ip address 172.18.0.4 255.255.255.255
end

R4#sh run int atm 1/0
!
interface ATM1/0      !--- no configuration for atm interfaces, only a description ,-)
description R4 <-> R3
no ip address
no atm ilmi-keepalive
end

R4#sh run int atm 1/0.10
!
interface ATM1/0.10 mpls   !--- not all ios versions supports atm mpls subinterfaces..
ip unnumbered Loopback0    !--- don't waste labels (and vpi/vcis) for point2point links
no snmp trap link-status
mpls ip
mpls atm control-vc 10 1   !--- this is the control vpi/vci used to establish ldp session
mpls traffic-eng tunnels   !--- enables TE on the subinterface
ip rsvp bandwidth 155000   !--- optional, used for TE by RSVP
end

Don't forget to enable the ldp loop detection! Remember that with atm interfaces the label exchange is DoD (Downstream-on-Demand), so each LSR explicitly requests labels from its neighbors... and the neighbors forward the request to their own neighbors if they don't know the label for a prefix. In this case the topology is a loop, so ldp loop detection will avoid problems with looped requests. ,-)

Let's verify if ldp sessions are established and labels exchanged.
R4#sh mpls ldp neighbor detail
Peer LDP Ident: 10.0.0.1:1; Local LDP Ident 10.0.0.4:2
TCP connection: 10.0.0.1.646 - 10.0.0.4.19294; MD5 on
State: Oper; Msgs sent/rcvd: 27/28; Downstream on demand
Up time: 00:11:41; UID: 1; Peer Id 0;
LDP discovery sources:
ATM2/0.10; Src IP addr: 10.0.0.1
holdtime: 15000 ms, hello interval: 5000 ms
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
Clients: TC ATM
Path Vector Loop Detection Peer/Local: On/On
Path Vector Limit Peer/Local: 255/255
Peer LDP Ident: 10.0.0.3:2; Local LDP Ident 10.0.0.4:1
TCP connection: 10.0.0.3.646 - 10.0.0.4.16280; MD5 on
State: Oper; Msgs sent/rcvd: 22/25; Downstream on demand
Up time: 00:11:40; UID: 2; Peer Id 1;
LDP discovery sources:
ATM1/0.10; Src IP addr: 10.0.0.3
holdtime: 15000 ms, hello interval: 5000 ms
Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
Clients: TC ATM
Path Vector Loop Detection Peer/Local: On/On
Path Vector Limit Peer/Local: 255/255
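
The three things to look for in the output above (Oper state, MD5 on, loop detection On/On for every DoD session) can be checked by a script. This is an added example, not part of the original lab; the second peer in the sample is constructed, on the assumption that IOS leaves out the "MD5 on" marker when no password is configured.

```python
import re

# First peer: lines copied from the output above. Second peer (10.0.0.9) is
# constructed: no LDP password and loop detection missing on the peer side.
SAMPLE = """\
Peer LDP Ident: 10.0.0.1:1; Local LDP Ident 10.0.0.4:2
TCP connection: 10.0.0.1.646 - 10.0.0.4.19294; MD5 on
State: Oper; Msgs sent/rcvd: 27/28; Downstream on demand
Path Vector Loop Detection Peer/Local: On/On
Peer LDP Ident: 10.0.0.9:1; Local LDP Ident 10.0.0.4:3
TCP connection: 10.0.0.9.646 - 10.0.0.4.20001
State: Oper; Msgs sent/rcvd: 5/5; Downstream on demand
Path Vector Loop Detection Peer/Local: Off/On
"""

def parse_neighbors(text):
    """Collect one dict of facts per LDP peer, in output order."""
    peers = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Peer LDP Ident: (\S+?):\d+;", line)
        if m:
            peers.append({"peer": m.group(1), "md5": False,
                          "state": None, "dod": False, "loop": None})
        elif peers and line.startswith("TCP connection:"):
            peers[-1]["md5"] = line.endswith("MD5 on")
        elif peers and line.startswith("State:"):
            peers[-1]["state"] = line.split(";")[0].split(":", 1)[1].strip()
            peers[-1]["dod"] = "Downstream on demand" in line
        elif peers and line.startswith("Path Vector Loop Detection"):
            peers[-1]["loop"] = line.rsplit(":", 1)[1].strip()
    return peers

def audit(text):
    """Return {peer: [problems]} for sessions that miss the lab's requirements."""
    findings = {}
    for p in parse_neighbors(text):
        problems = []
        if p["state"] != "Oper":
            problems.append("session not operational")
        if not p["md5"]:
            problems.append("no MD5 authentication on the TCP session")
        if p["dod"] and p["loop"] != "On/On":
            problems.append("DoD without loop detection on both sides")
        if problems:
            findings[p["peer"]] = problems
    return findings
```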

Well done, let's check the atm-ldp bindings (here you see only the prefixes that this router has requested from its neighbors; the path is displayed only if ldp loop detection is enabled):
R4#sh mpls atm-ldp bindings path
Destination: 10.0.0.1/32
Tailend Router ATM1/0.10 1/34 Active, VCD=4, CoS=available
Path:    10.0.0.3        10.0.0.4*
Destination: 172.18.0.1/32
Tailend Router ATM1/0.10 1/36 Active, VCD=6, CoS=available
Path:    10.0.0.3        10.0.0.4*
Destination: 10.0.0.2/32
Headend Router ATM1/0.10 (1 hop) 1/33  Active, VCD=3, CoS=available
Path:    10.0.0.4*       10.0.0.3
Destination: 10.0.0.3/32
Headend Router ATM1/0.10 (1 hop) 1/34  Active, VCD=4, CoS=available
Path:    10.0.0.4*       10.0.0.3
Destination: 10.0.0.4/32
Tailend Router ATM1/0.10 1/35 Active, VCD=5, CoS=available
Path:    10.0.0.3        10.0.0.4*


Configure the core ISP igp as a simple single-area ospf, and use Loopback10 as the TE router-id (use the same loopback as the update-source configured in bgp...):
R4#sh run | sec inc router ospf
router ospf 1
mpls traffic-eng router-id Loopback10  !-- assign a TE router id
mpls traffic-eng area 0  !-- enable ospf opaque area for TE
router-id 172.18.0.4
log-adjacency-changes
network 10.0.0.4 0.0.0.0 area 0
network 172.18.0.4 0.0.0.0 area 0
!

...and finally let's prepare the MP-bgp sessions for vpnv4 before starting the next task:
R4#sh run | sec inc router bgp
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor ISP peer-group
neighbor ISP remote-as 65000
neighbor ISP update-source Loopback10
neighbor ISP send-community both
neighbor ISP next-hop-self
neighbor 172.18.0.1 peer-group ISP
neighbor 172.18.0.2 peer-group ISP
neighbor 172.18.0.3 peer-group ISP
neighbor 172.18.0.8 peer-group ISP
neighbor 172.18.0.100 peer-group ISP
no auto-summary
!
address-family vpnv4      !-- don't forget to activate vpnv4 address family! ,-)
neighbor ISP send-community both
neighbor 172.18.0.1 activate
neighbor 172.18.0.2 activate
neighbor 172.18.0.3 activate
neighbor 172.18.0.8 activate
neighbor 172.18.0.100 activate
exit-address-family

Well, here we can use route reflectors to improve scalability...

2) configure mpls vpn for custA (CE-R9 and CE-R10) using eigrp as PE-CE protocol
nothing special on the CE side:
CE-R9#sh run | sec inc router
router eigrp 1
network 172.16.0.4 0.0.0.3
network 172.17.0.9 0.0.0.0
network 192.168.30.0
network 192.168.40.0
no auto-summary
CE-R9#

on PE:
ip vrf custA
rd 65000:10
route-target export 65000:10
route-target import 65000:10
!
interface Ethernet3/0
description R2 <-> CE-R9
ip vrf forwarding custA
ip address 172.16.0.5 255.255.255.252
duplex half
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf custA
redistribute bgp 65000 metric 10000 1000 255 1 1516
network 172.16.0.4 0.0.0.3
no auto-summary
autonomous-system 1  !-- don't forget it!
exit-address-family
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor ISP peer-group
neighbor ISP remote-as 65000
neighbor ISP update-source Loopback10
neighbor ISP send-community both
neighbor ISP next-hop-self
neighbor 172.18.0.1 peer-group ISP
neighbor 172.18.0.3 peer-group ISP
neighbor 172.18.0.4 peer-group ISP
neighbor 172.18.0.8 peer-group ISP
neighbor 172.18.0.100 peer-group ISP
no auto-summary
!
address-family vpnv4
neighbor ISP send-community both
neighbor 172.18.0.1 activate
neighbor 172.18.0.3 activate
neighbor 172.18.0.4 activate
neighbor 172.18.0.8 activate
neighbor 172.18.0.100 activate
exit-address-family
!
address-family ipv4 vrf custA
redistribute eigrp 1
no synchronization
exit-address-family


3) configure mpls vpn for custB (CE-R5, CE-R6 and CE-R7) using ospf as PE-CE protocol
You have to use an ospf sham-link between R1 and R4:
ip vrf custB
rd 65000:20
route-target export 65000:20
route-target import 65000:20
!
interface Loopback10
description Used for mpls TE
ip address 172.18.0.4 255.255.255.255
!
interface Loopback100
description used for sham link vrf custB (must be /32 and assiged to vrf)
ip vrf forwarding custB
ip address 172.16.1.4 255.255.255.255
!
interface Ethernet3/0
description R4 <-> CE-R5
ip vrf forwarding custB
ip address 172.16.0.17 255.255.255.252
duplex half
!
router ospf 20 vrf custB
router-id 172.16.0.17
log-adjacency-changes
area 0 sham-link 172.16.1.4 172.16.1.1 cost 5  !-- the backup "direct" link must have ip ospf cost > ... better if 20-40...
redistribute bgp 65000 metric 5 subnets
network 172.16.0.17 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor ISP peer-group
neighbor ISP remote-as 65000
neighbor ISP update-source Loopback10
neighbor ISP send-community both
neighbor ISP next-hop-self
neighbor 172.18.0.1 peer-group ISP
neighbor 172.18.0.2 peer-group ISP
neighbor 172.18.0.3 peer-group ISP
neighbor 172.18.0.8 peer-group ISP
neighbor 172.18.0.100 peer-group ISP
no auto-summary
!
address-family vpnv4
neighbor ISP send-community both
neighbor 172.18.0.1 activate
neighbor 172.18.0.2 activate
neighbor 172.18.0.3 activate
neighbor 172.18.0.8 activate
neighbor 172.18.0.100 activate
exit-address-family
!
address-family ipv4 vrf custB
redistribute ospf 20 vrf custB
no synchronization
network 172.16.1.4 mask 255.255.255.255  !-- declare the lo address used for sham-link into bgp only
exit-address-family
!

Pay attention to the cost of the sham-link, and assign a proportionally "bigger" cost to the backup link. In this lab everything worked well with a cost of 5 on the sham-link and a cost of 40 on the backup.
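
The custA and custB VRFs in tasks 2 and 3 stay separate only because each one imports nothing but its own route-target. The following added example (not part of the original lab) audits that property; the "mgmt" VRF in the sample is constructed to show what a leak looks like.

```python
import re

# custA and custB are the VRF definitions from the PE configs above;
# "mgmt" is a constructed VRF that wrongly imports custB's route-target.
PE_CONFIG = """\
ip vrf custA
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
!
ip vrf custB
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:20
!
ip vrf mgmt
 rd 65000:99
 route-target export 65000:99
 route-target import 65000:99
 route-target import 65000:20
"""

def parse_vrfs(config):
    """Return {vrf_name: {"import": set_of_RTs, "export": set_of_RTs}}."""
    vrfs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"ip vrf (\S+)$", line)
        rt = re.match(r"route-target (import|export|both) (\S+)$", line)
        if head:
            cur = vrfs.setdefault(head.group(1), {"import": set(), "export": set()})
        elif line == "!":
            cur = None  # "!" closes the VRF block
        elif cur is not None and rt:
            kinds = ("import", "export") if rt.group(1) == "both" else (rt.group(1),)
            for kind in kinds:
                cur[kind].add(rt.group(2))
    return vrfs

def cross_vrf_imports(vrfs):
    """List (importer, exporter, rt) where a VRF imports another VRF's exported RT."""
    leaks = []
    for imp, a in vrfs.items():
        for exp, b in vrfs.items():
            if imp != exp:
                leaks += [(imp, exp, rt) for rt in sorted(a["import"] & b["export"])]
    return leaks
```

An intentional extranet shows up in the same list, so each entry needs a documented reason rather than an automatic fix.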

4) configure traffic engineering tunnels: configure a 5 Mbps tunnel for CE-R5 <-> CE-R6 using R4-3-2-0-1 path (it's senseless... I agree ;-) )

R4#sh run int lo 10
!
interface Loopback10
description Used for mpls TE
ip address 172.18.0.4 255.255.255.255
end

R4#sh run int tun 0
!
interface Tunnel0
ip unnumbered Loopback10
tunnel destination 172.18.0.1
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 5 5
tunnel mpls traffic-eng bandwidth  5000
tunnel mpls traffic-eng path-option 1 explicit identifier 1
tunnel mpls traffic-eng path-option 2 dynamic
no routing dynamic
end

R4#sh ip explicit-paths
PATH 1 (strict source route, path complete, generation 6)
1: next-address 10.0.0.3
2: next-address 10.0.0.2
3: next-address 10.0.0.100
4: next-address 10.0.0.1

..and on R1..
R1#sh run int lo 10
!
interface Loopback10
ip address 172.18.0.1 255.255.255.255
end

R1#sh run int tun 0
!
interface Tunnel0
ip unnumbered Loopback10
tunnel destination 172.18.0.4
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 5 5
tunnel mpls traffic-eng bandwidth  5000
tunnel mpls traffic-eng path-option 1 explicit identifier 1
tunnel mpls traffic-eng path-option 2 dynamic
no routing dynamic
end

R1#sh ip explicit-paths
PATH 1 (strict source route, path complete, generation 6)
1: next-address 10.0.0.100
2: next-address 10.0.0.2
3: next-address 10.0.0.3
4: next-address 10.0.0.4
R1#


(I went mad with the interaction between the tunnel and the sham link... until I realized that ldp loop detection was missing from my config! ;-) )
Note the use of Loopback 10 as tunnel destination and ip unnumbered... Loopback 0 is already used for the atm links, so the LSP for TE will fail if you try to use it for the tunnels too.
Let's verify that traffic is flowing through the tunnel with a traceroute from CE-R5 to the CE-R6 subnets:
CE-R5#traceroute 192.168.70.1

Type escape sequence to abort.
Tracing the route to 192.168.70.1

1 172.16.0.17 88 msec 12 msec 8 msec
2 10.0.0.3 [MPLS: Labels 28/34 Exp 0] 48 msec 32 msec 28 msec
3 10.0.0.2 [MPLS: Labels 30/34 Exp 0] 52 msec 32 msec 32 msec
4 10.0.0.100 [MPLS: Labels 32/34 Exp 0] 24 msec 32 msec 44 msec
5 172.16.0.13 [MPLS: Labels 0/34 Exp 0] 32 msec 20 msec 20 msec
6 172.16.0.14 36 msec *  40 msec
CE-R5#


5) configure traffic engineering tunnels: configure a 2 Mbps tunnel for CE-R9 <-> CE-R10 using R2-3-4-0-1-8 path
Same story as Task #4...
R8#sh run int lo 10
!
interface Loopback10
ip address 172.18.0.8 255.255.255.255
end

R8#sh run int tun 0
!
interface Tunnel0
ip unnumbered Loopback10
tunnel destination 172.18.0.2
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 5 5
tunnel mpls traffic-eng bandwidth  2000
tunnel mpls traffic-eng path-option 1 explicit identifier 1
tunnel mpls traffic-eng path-option 2 dynamic
no routing dynamic
end

R8#sh ip explicit-paths
PATH 1 (strict source route, path complete, generation 7)
1: next-address 10.0.0.100
2: next-address 10.0.0.1
3: next-address 10.0.0.4
4: next-address 10.0.0.3
5: next-address 10.0.0.2
R8#


And verify with a traceroute..
CE-R10#traceroute 192.168.30.1

Type escape sequence to abort.
Tracing the route to 192.168.30.1

1 172.16.0.1 20 msec 4 msec 8 msec
2 10.0.0.100 [MPLS: Labels 26/28 Exp 0] 68 msec 56 msec 36 msec
3 10.0.0.1 [MPLS: Labels 26/28 Exp 0] 56 msec 64 msec 36 msec
4 10.0.0.4 [MPLS: Labels 26/28 Exp 0] 68 msec 60 msec 48 msec
5 10.0.0.3 [MPLS: Labels 26/28 Exp 0] 60 msec 52 msec 56 msec
6 172.16.0.5 [MPLS: Labels 0/28 Exp 0] 52 msec 40 msec 52 msec
7 172.16.0.6 60 msec *  36 msec
CE-R10#
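
Because every tunnel in tasks 4 and 5 also has "path-option 2 dynamic" as a fallback, a working traceroute alone does not prove that the explicit path is in use. The following added example (not part of the original lab) compares the two outputs; both inputs are copied from the R8 / CE-R10 output above.

```python
import re

EXPLICIT_PATH = """\
PATH 1 (strict source route, path complete, generation 7)
1: next-address 10.0.0.100
2: next-address 10.0.0.1
3: next-address 10.0.0.4
4: next-address 10.0.0.3
5: next-address 10.0.0.2
"""
TRACEROUTE = """\
1 172.16.0.1 20 msec 4 msec 8 msec
2 10.0.0.100 [MPLS: Labels 26/28 Exp 0] 68 msec 56 msec 36 msec
3 10.0.0.1 [MPLS: Labels 26/28 Exp 0] 56 msec 64 msec 36 msec
4 10.0.0.4 [MPLS: Labels 26/28 Exp 0] 68 msec 60 msec 48 msec
5 10.0.0.3 [MPLS: Labels 26/28 Exp 0] 60 msec 52 msec 56 msec
6 172.16.0.5 [MPLS: Labels 0/28 Exp 0] 52 msec 40 msec 52 msec
7 172.16.0.6 60 msec *  36 msec
"""

def explicit_hops(text):
    """Ordered next-address entries of the explicit path."""
    return re.findall(r"^\s*\d+: next-address (\S+)", text, re.M)

def labelled_hops(text):
    """(address, top_label) for every traceroute hop that reports a label stack."""
    pat = r"^\s*\d+ (\S+) \[MPLS: Labels (\d+)/"
    return [(ip, int(top)) for ip, top in re.findall(pat, text, re.M)]

def follows_explicit_path(path_text, trace_text):
    """True when the labelled transit hops equal the explicit path minus its tail.

    The last explicit hop is the tunnel tail; in the traces above it answers
    from its VRF interface with top label 0, so it is left out on both sides.
    """
    expected = explicit_hops(path_text)[:-1]
    seen = [ip for ip, top in labelled_hops(trace_text) if top != 0]
    return seen == expected
```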


CONCLUSION: It's possible to study the obsolete, deprecated LC-ATM technology with GNS3! And it will help you to study for CCIP-MPLS exam ;-)

11 comments:

pierky said...

Hi Marco, it seems to be a very nice lab!

It would be great if you could post .net and basic config files... I would like to try it out! ;)

Bye,

Pierky

Marco Rizzi said...

thanks a lot Pierky, you'll see the files on www.gns3-labs.com when finished ,-)

Marco

Amit said...

Hi Marco,

Since this is cell-mode MPLS operation, the LSRs exchange VPI/VCI values using LDP. How come the traceroute output shows proper label values rather than VPI/VCI values?

Can you please explain.

Marco Rizzi said...

good point Amit!

I've just read your q&a with Ivan Pepelnjak on NIL forum ( http://forum.nil.com/viewtopic.php?f=10&t=58&p=193 )

It's a really interesting question, we both have to further investigate it... suddently GNS3 doesn't support capture on Atm links ;-(

however... if Ivan hasn't found a solution.. there are few chances for me to be honest ;-)
Marco

Marco Rizzi said...

Hey Amit!

Maybe the easy answer for your question is this:

-we are using GNS3 for cell-mode MPLS
-cell mode mpls uses vpi/vci instead of labels
-suddently GNS3 doesn't support MPLS on ATM switch, so we must use a router with multiple ATM interfaces connected back-to-back

this is the point, interfaces are configured with cell-mode, but only LC-ATM switches can perform cell-mode mpls switching using labels in vci/vpi... routers can use forwarding table only!
So routers accept atm cells, reassemble the frame and look at the labels, then send it out to the atm outgoing interface.
The traceroute shows the local generated label number instead of vci/vpi.

hth

Marco

Amit said...

Hi Marco,

To be honest, that doesn't make sense to me.

The routers have LC-ATM interfaces and use Downstream-on-Demand label allocation method. That way, they received VPI/VCI values (labels in this case) from their downstream routers.

I have checked these labels (VPI/VCI values) are stored in MPLS Forwarding-table as well.

If they are there, why not use it?

phuc said...

I would be grateful if you send me .net and basic configure files ... I really need it!

Marco Rizzi said...

Hi Phuc, here you can find the .net file and the final configurations for the Mpls #4 lab ( http://www.uploadhookup.com/index.php/files/get/G5QCD9vT7I/mpls-lab4-lc-atm.zip )

My base dir was /opt , modify the .net file to match yours.

Please note the IOS version of 7200 in the .net file is different from the 12.4-11T ... long time is passed, I forget suddently what was the right one :-=)

Anyway, have fun studying mpls and labbing with dynamips/gns3 !

Marco

phuc said...

Oh really is great! Thanks a lot Marco :)

Shivlu Jain said...

If I remove the control-VC command I am still able to have my ldp neighborship. Seems to be weird. If anyone has knowledge of it, please share.


regards
Shivlu Jain
http://www.mplsvpn.info

Marco Rizzi said...

hi Shivlu, nice to hear from you again!

If you remove the control-VC command, you are using the default control VC, that is 0/32.

With show mpls interfaces detail you can see the control VC you are actually using.

congrats for your blog, pretty interesting as usual!


cheers
Marco