JNCIP-SP
JN0-664
https:\/\/www.juniper.net\/us\/en\/training\/certification\/tracks\/service-provider-routing-switching\/jncip-sp.html
Advanced Junos Service Provider Routing On-Demand – DONE
Junos Layer 2 VPNs On-Demand
Junos Layer 3 VPNs On-Demand<\/p>\n\n\n\n
https:\/\/jlabs.juniper.net\/vlabs<\/a><\/p>\n\n\n\n ========================================= OSPF for SP LSA types: LS update packet: 24b OSPF header, 4b (num of LSAs), variable: LSA header (20b), LSA data (var), repeat<\/p>\n\n\n\n LSA header 20b LSA1 Router: > show ospf database router extensive<\/p>\n\n\n\n LSA2 Network: > show ospf database network extensive LSA3 Summary: > show ospf databse netsummary extensive LSA4 ASBR summary: > show ospf database asbrsummary extensive LSA5 External: > show ospf database external extensive (not stored as part of any area) LSA7 NSSA: > show ospf database nssa extensive LSA9 Graceful restart – link local scope OSPF DB protection<\/p>\n\n\n\n SPF: candidate db, tree db and LSDB before hold-down (5sec default) timer triggers, junos does three runs of SPF.<\/p>\n\n\n\n spf-options delay x = def 200ms between topology change and SFP run<\/p>\n\n\n\n spf calculation order: Intra-A (E1 cost=3), Inter-A, External E1, External E2,<\/p>\n\n\n\n metric = ref bw \/ link bw<\/p>\n\n\n\n overload: set metric 65535 in all ospf links -> device can be put in maintenance<\/p>\n\n\n\n authentication: none (default), simple, md5<\/p>\n\n\n\n show ospf interface detail<\/p>\n\n\n\n ospfv2 (ipv4 -> protocols ospf3 realm ipv4-unicast) + GR + Auth + ipv6 diff: ipv6 uses link-local addresses to originate packets, auth done at ipv6 layer LSA Function LS type Description Like ospfv2 U bit: unknow: 0 -> link local scope \/ 1 -> flood<\/p>\n\n\n\n S2 S1 – flooding scope shrinking LSDB – route summarization, areas<\/p>\n\n\n\n Stub: lsa1,2,3. no lsa4,5 -Stub: not flooding lsa4,5 by ABR. ABR inject default route (in junos needs to be done manually) set protocols ospf area 1 stub [default-metric 10 (this only in ABR to advertise default route)] All other routers just need stub -totally stub= stub + “no-summaries”: lsa1,2 and just one lsa3 (default route – manual config) only in ABR of Totally Stub your configure this. Other routers just need “stub”<\/p>\n\n\n\n set protocols ospf area 1 stub no-summaries [default-metric 10] ** E-bit must match for OSPF adj to form<\/p>\n\n\n\n -NSSA: asbr injecs LSA7 in NSSA. ABR transforms lsa7 into lsa5 in are0. nssa receives a default route (no-summaries) (as lsa7!) from ABR. set protocols ospf area 1 nssa (in all routers) [default-lsa default-metric 10 (only in ABR! as lsa7)] no-nssa-abr: if ABR connected to several NSSA, and want to disable export lsa7 into nssa<\/p>\n\n\n\n ** if several ABR in same are, the highest RID, floods LSA from areaX to area0<\/p>\n\n\n\n -Totally NSSA: stub + no-summaries. ABR doesnt inject lsa3 from area0. ASBR injects lsa7 into NSSA. ABR converts lsa7->5 into area0 -route summarization: done in ABR,summarize lsa1,2 as a lsa3 into area0. Because ABR forwars lsa1,2 from areaX to area0.<\/p>\n\n\n\n set protocols ospf area 1 area-range IP\/20 [strict (no type3 is generated for this summary in area0)] set protocols ospf area 1 nssa area-range IP\/20 [strict] in ABR. each multi-area adj is a lsa1 p2p. No lsa3 advertised over multi-area adj. one adj is primary (only one!), and the other secondary<\/p>\n\n\n\n set protocols ospf area 0 interface ge-0\/0\/0.0 show ospf interface show ospf neighbor -> shows 2 adj in ge-0\/0\/0.0 !!<\/p>\n\n\n\n control-plane only. between ABR<\/p>\n\n\n\n set protocols ospf area 0 virtual-link neighbor-id RID-R1 transit-area 0.0.0.10 show ospf interface\/neighbor -> vl-xxxx<\/p>\n\n\n\n deafult export policy: reject<\/p>\n\n\n\n set policy-options policy-statement redis-static term static from protocol static then external type 1 accept prefix-limits: 32b — when reached, routers gets “overload” change metric to all prefixes ospf mutual redistribution !!!<\/p>\n\n\n\n ospf import policu !!!!!<\/p>\n\n\n\n LSDB: show ospf database down, init to 2way issus: interface type match, network mask, hello\/dead interval, area type, area number, auth, RID different, fw issue show ospf interface X detail duplicate RID -> continuos SPF runs suboptimal show route protocol ospf: computed routes and attributes by ISO (OSPF by IETF – TCP\/IP) Net = 49.xxxx.yyyy.yyyy.yyyy.zz L2 routers connect areass. L1 router dosnt connect to another area. L2 routers are BB<\/p>\n\n\n\n LS PDU format ISIS Messages: TLV: type, length, value tlv232: ipv6 support l1 router never adj with l2 router set interfacces ge-0\/0\/1 unit 0 family inet address IP set protocols isis interface ge-0\/0\/1.0 level 1 disable [metric x] show isis interface [detail] LS PDU flooding scocpes: L1 stay in its area. L1L2 routes inject L2 in different areas<\/p>\n\n\n\n show isis database -> there is a lsdb for l1 and another for l2 SPF algo: LSDB -> candidate DB -> tree DB -> RIB<\/p>\n\n\n\n set protocols isis spf-delay (def 200ms) delay between back-to-back SPFs<\/p>\n\n\n\n Partial Route Calculation = PRC – enabled by default and can’t be disabled<\/p>\n\n\n\n isis floods LSPDUs to all neighbors by default => no great for mesh topologies -> create mesh-group to avoid the flooding<\/p>\n\n\n\n tlv2,128,130 uses 6b -> max metric=63 set protocols isis level x wide-metrics-only<\/p>\n\n\n\n auth: only in hello. l1, l2 or interface. none, simple, md5.<\/p>\n\n\n\n overload bit: for maintenance. can be scheduled time<\/p>\n\n\n\n csnp interval: DIS sends CSNPs on a LAN every 10s.<\/p>\n\n\n\n user-defined import policies are not allowed l1l2 isis multilevel area = ospf nssa with no summaries default interface enabled for l1\/l2. family iso, level mismatch, ip subnet mismatch (overlap is ok), MTU 1492 and match (init state stuck!!), auth, passive, p2p vs broadcast, same system-id cause issues! -> frequent spf runs!<\/p>\n\n\n\n down narrow vs wide metric, lo0 advertised, route summerization (int vs ext), route leaking,<\/p>\n\n\n\n show isis interface set protocols isis traceoptions file isis flap error detail flag hello send receive detail<\/p>\n<\/blockquote>\n\n\n\n path vector protocol 4096b max idle: all refused bgp update: nlri, origin, aspath, NH, additional<\/p>\n\n\n\n hold = 3xkeep\/hello (def.30) -> 90s hidden routes: reject by import policy, nh issues (fix: next-hop-self or igp passive in external link), as-path issus<\/p>\n\n\n\n show route hidden extensive<\/p>\n<\/blockquote>\n\n\n\n nh exist, +LP, -ASpath, -Origin, -MED, ebgp>ibgp, -IGP metric, -cluster , -rid, -peer_ip<\/p>\n\n\n\n multipath -> ignores rid and peer-id set policy-option policy-statement LB then load-balance per-packet show route forwarding-table matching IP\/MASK<\/p>\n\n\n\n set routing-options router-id IP-lo GTMS: BGP Generalized TTL Security Mechanism: used in BGP single hop. drops any packet lower than max ttl GR: graceful restart. negotiated between peers set routing-options graceful-restart as-override RIB-in: before applying policies. rejected are showing with “hidden”. WK-mandatory: in every bgp update, undertstood by all – ASpath, Origin, NH LP: def 100. only iBGP. set exit AS. Cold potato: keep traffic in your network as long as possible. Hot potato: handover traffic to carriers asap<\/p>\n\n\n\n MED: set entry AS, among same AS peer<\/p>\n\n\n\n ASPATH: junos, before advertising, if neighbor AS is already in ASPATH, it drops advertisiment [] = standard ASPATH Aggregation: ?? PE) set routing-optoins aggregate route 192.168.0.0\/23 as-path atomic-aggreate => removes the as from the contributing paths in the aggreate (ie: 192.168.0.0\/24 from other ASn) -> the output says “atomic” regex in aspath set policy-options as-path NAME regex show route receive-protocol bgp IP aspath-regex “.* ASN”<\/p>\n<\/blockquote>\n\n\n\n Origin: WK-mandatory MED: optional-nontran => Med is not passed between ASs. Less med is better set protocols bgp path-selecction “always-compare-med” -> compare MED for the same prefix coming from different ASs Communities: opt-trans nontransit AS only advertise local-routes<\/p>\n\n\n\n set policy-options community COMM_NAME members COMMUNITY\/regex (multiple communities is with AND !!) regex in community are character based !!! (different form AS path that match a whole ASN)<\/p>\n\n\n\n show route community *:20 [terse|detail] [a-z] = range ibgp full-mesh <- not added as-path for loop preventaion -> escale issue n2 problem set protocols bgp group int-peers type interal local-addres IP cluster IP neighbor X neighbor Y<\/p>\n\n\n\n If you have 2xRR: shall you use the same cluster-id for both or different?<\/p>\n\n\n\n clients do only ibgp to RR<\/p>\n\n\n\n full-mesh between RR !!! (normal ibgp, just need cluster-id)<\/p>\n\n\n\n “no-client-reflect” in RR: stop unnecesary adverts<\/p>\n\n\n\n *be sure RR only change NH for ebgp peers<\/p>\n\n\n\n off-path: better since virtual-RR<\/p>\n\n\n\n Juniper supports only ORR optimal BGP path selection based on client perspective use OSPF\/ISIS – virtual only<\/p>\n\n\n\n suboptimal RR solutions<\/p>\n\n\n\n set protocols bgp group NAME optimal-route-reflectoin ipg-primary IPv4 (from one of the clients so its IGP metric is used for selecting best path)<\/p>\n<\/blockquote>\n\n\n\n rfc3345 oscillation considered legacy! set routing-options autonomous-system 65000 needs multihop!<\/p>\n\n\n\n amplification attacks: memcached (10k-50k), ntp monlist (556), CHARGEN (358), DNS (28-54), SSDP (30)<\/p>\n\n\n\n uRPF: against IP spoofing. RTBH Source-based RTBH: attacked source IP is advertised to ISP via BGP (blackhole community), ISP uses it with uRPF to dropp traffic at edge. BGP FLOWSPEC: rc5575, afi 1 safi 133 = ipv4, afi 1 safi 134 = vpnv4 1- dst prefix 7 icmp-type bgp-community 0x8006 traffic-rate order processing validation config: CUSTOMER<\/p>\n\n\n\n set protocols bgp group SP type external export TO-SP peer-as ASN neigbor IP family inet unicast flow<\/p>\n\n\n\n set routing-options flow route DNS match protocol udp port 53 packet-length 100-65535 destination DESt\/32 then discard set policy-options policy-statement TO-SP term flow-to-SP from rib inetflow.0 then accept SP<\/p>\n\n\n\n set protocol bgp group Customer import Customer-in peer-as X neighbor IPY family inet unicast flow prefix-limit maximum 2<\/p>\n\n\n\n set policy-options policy-statement Customer-in term 1 from rib inetflow.0 route-filter DEST\/24 prefix-lenght-range \/32-\/32 Case-2: customer doesnt do BGP, calls NOC. SP needs RR:<\/p>\n\n\n\n RR:<\/p>\n\n\n\n set protocols bgp group RR-CLIENT-FLOWSPEC import NO-ROUTES-IN export FLOW-ROUTES-OUT type internal local-address X family inet flow cluster X neighbor a,b,c<\/p>\n\n\n\n set routing-options flow route DNS match protocol UDP port 53 packet-lenght 100-65535 destination DEST\/32 then discard set policy-options policy-statement FLOW-ROUTES-OUT term 1 from rib inetflow.0 then community add INTERNAL-FS accept For other PEs:<\/p>\n\n\n\n set protocols bgp group RR-CLIENT-FLOWSPEC import FLOWSPEC-RR-IN type internal local-address X family inet flow no-validate FLOWSPEC-RR-IN<\/p>\n\n\n\n set policy-options policy-statement FLOW-ROUTES-RR-IN term 1 from rib inetflow.0 route-filter 0.0.0\/0 prefix-length-range \/32-\/32 then accept set routing-options rib inetflow.0 maximum-prefixes 1000 show bgp summary LAB<\/p>\n\n\n\n peering session establishment troubleshooting: ibgp: igp dooesnt have loopbackc, missing local src ip. Test: ping loopback_dst source loopback_src, mtu<\/p>\n\n\n\n ebgp: multihop, mtu<\/p>\n\n\n\n routing issues:bgp import policty accepts all routes by default. NH not reachable. aggregating missing contributing<\/p>\n\n\n\n show bgp summary show route protocol bgp source-gateway BGP-NEIGHBOR-IP -> routes after import policy<\/p>\n\n\n\n show route protocol bgp active-path<\/p>\n\n\n\n [terse < brig < no_option < detail < extensive ]]<\/p>\n\n\n\n import policy: before RIB RTBH: Remote triggered black hole: can discard legitimate traffic -> better: FlowSpec<\/p>\n\n\n\n common match conditions: protocol, route-filter and PL, NH and interfac<\/p>\n\n\n\n import\/export policies: order is important, left to right<\/p>\n\n\n\n defaults:<\/p>\n\n\n\n BGP accept accept expresions: be careful!!!, can be unpredictable if policies only modify attribtures and don’t accept\/reject the route!!! regex only for ASPATH (minium value is a ASN) and communities (minimun value is a character)<\/p>\n\n\n\n community set (replace all values with a new onne) <> community add (keep current values and add new one)<\/p>\n\n\n\n no-export: not leave AS (so to iBGP is fine) show route forwarding table -> “ulst” list of unicast NH for LB show ospf database external advertising-router ROUTER | match PREFIX set policy-options as-path-group X as-path P1 65051* LAB<\/p>\n\n\n\n rfc 2439 – bgp route flap damping<\/p>\n\n\n\n figure of merit = points decay = 0 when learned. Increased when flaps (1000) or attributes changes set policy-options damping NAME-DAMP half-life minutes max-suppress minutes reuse number suppress number set policy-options policy-statement C1 then damping dont-damp set protocols bgp damping show route damping history extensive clear bgp damping –> figure of merit=0 for all routes<\/p>\n<\/blockquote>\n\n\n\n ========================================= ipsec vpn (full-mesh, partial, hub-spoke), sd-wan, mpls-vpn. Trade-offs<\/p>\n\n\n\n PE: connect to CEs, bgp to other PEs, ingress\/egress LSP mpls.0 table – just labels (transport and vpn)<\/p>\n\n\n\n l2vpn = virtual switch. label stack: labels are placed between SP ethernet fram (top) and customer ethernet frame (sandwiched)<\/p>\n\n\n\n l2vpns: virtual-wires or virtual-switch<\/p>\n\n\n\n logical pe-ce = attachment circuit !!! 5 types: L2VPN <> l2vpn L2Circuit = Layer2 Circuit = ldp-signaled pseudowires (martini)<\/p>\n\n\n\n vpws: virtual-private wire service evpn: mac learning via bgp, multihming ok (no stp!), no need vrrp<\/p>\n\n\n\n “encapsulation flexible-ethernet-services” you can use all types of vpn in one physical interface<\/p>\n\n\n\n be aware of l2 stretching! -> stretch failure domain<\/p>\n\n\n\n AC = Attachment Circuit, can have several pseudowires. 1 pseudo-wire = 1 p2p vpn<\/p>\n\n\n\n PE interface to CE: configures as<\/p>\n\n\n\n RT: bgp ext community. identify vpn membership target:ASN:number RD: just make advertisements unique L2VPN prefix is just two fiels: RD + local Site-ID ie: 192.168.1.2:222:2 bgp L2VPN update: RT, Encap, RD, Site-ID, LabelBase\/Size\/Offset PE pseudowires dont do mac-learning (BGP does that)<\/p>\n\n\n\n Layer2 Info: BGP extended community: Encap Type (5=raw(all), 4=ether-vlan), layer-mtu.<\/p>\n\n\n\n NLRI: AFI=25 =Layer2 VPN, SAFI=65=vpls!!! (although is a bgp-signaled L2VPN!) pre-requisites —- ethernet-mode<\/p>\n\n\n\n PE:CE-facing interface PE config —–ethernet-vlan mode<\/p>\n\n\n\n PE:CE-facing interface set interface ge-0\/0\/0 encapsulation flexible-ethernet-services => when you have different services apart from L2VPN in the interface PE config —– verification<\/p>\n\n\n\n show route table bgp.l2vpn.0 detail -> prefix => RD : remote site_id : offset \/ 96 (96 is the lenght of the NLRI and can be ignored) show l2vpn connections instances INSTANCE_NAME [extensive show logs] L2 Header ether-type: 0x0800 ipv4, 0x086dd ipv6, no LSP to remote PE no l2vpn signaling in iBGP customer interface encapsulaton dont match customer interface vlan tags dont match incorrect customer interface in instance choosing incorrect site-id Site-IDs: hub-spoke show l2vpn connections instance XXX extensive -> Label-base, connection-site = remote-site-id, offset,<\/p>\n<\/blockquote>\n\n\n\n vpn-label = label-base + (remote-site-id – offset) -> incoming label expected (what remote PE needs to use) overprovisioning: add more AC that needed for future growth<\/p>\n\n\n\n PE-HUB **explicit remote-site-id offset=local-site-id show l2vpn connections instance XXX extensive<\/p>\n<\/blockquote>\n\n\n\n **implicit remote-site-id, it is infered base on the order the interfaces are added into the site config. Difficult to see errors!!!! simple to configure sure primary and backup connections with bgp. the backup will use LP=1. primary LP=65535<\/p>\n\n\n\n remote PE; primary PE: backup PE Martini circuit = LDP-signaled pseudowire. Ethernet control word = 4bits=0 + 12bits=0 + Seq Num = 16 bits<\/p>\n\n\n\n swapping vlan tags RR needs LSPs to resolve L2VPN prefixs, but as it is OOB, it can’t resolve the NH with LSPs (inet3.0) set routing-options route-distinguisher-id PE_LO_IP<\/p>\n\n\n\n PE tells neighbors the RT that is interested in (using “family route-target”). Then VPN prefixes are sent second.<\/p>\n\n\n\n show bgp summary -> “bgp.rtarget.0” = the address family has been negotiated<\/p>\n\n\n\n show route table bgp.rtarget.0 in RR: from RR-client needs each PE and RR: bpg (kompella) and ldp (martini) both use AC, martini encap (control word), data plane is identical<\/p>\n\n\n\n easy to config, trade-offs: set protocols ldp interface lo0.0 (update fw to allow tcp\/dp 646)<\/p>\n\n\n\n set interfacces ge-0\/0\/8 encapsulation ethernet-ccc unit 0 (ethernet encap = accept all regardless vlan tag) — identical to L2VPN<\/p>\n\n\n\n set interfacces ge-0\/0\/9 vlan-tagging encapsulation flexible-ethernet-services set protocols l2circuit neighbor Remote-PE-Lo0.IP interface ge-0\/0\/8.0 virtual-circuit-id XXX<\/p>\n\n\n\n set protocols l2circuit neighbor Remomte-Pe-Lo0.IP interface ge-0\/0\/9.100 virtual-circuit-id YYY<\/p>\n\n\n\n show ldp session\/neighbor\/database FEC = Fw Equivalence Class = set of traffic forwarded the same way using MPLS = the traffic goes down the same lsp = remote PE Lo0<\/p>\n\n\n\n ldp l2circuit fec type = 128<\/p>\n\n\n\n ldp advertise: fec type, control word, ethernet mode, PW id (circuit id)v lan, mtu, vpn lable<\/p>\n\n\n\n show l2circuit connections -> OL = no outgoing label -> it is not receiving a label from the remote PE pseudowire status tlv -> only report problems with local customer interface fw filter for ldp udp\/tcp 646 advertised FEC containes the inbound vlan after PE has manipulated the frame (if required)<\/p>\n\n\n\n PE-2 PE-1 set protocols l2circuit traceoptions file FILE.txt flag connections detail fec detail<\/p>\n\n\n\n vccv: virtual circuit connectivity verification: PE generate traffic to remote PE via pseudowire set protocols l2circuit neighbor remote-pe-lo0 interface ge-0\/0\/8.0 virtual-circuit-id X show bfd sessions -> dest address is 127.0.0.1 !!! (different from standard bfd)<\/p>\n\n\n\n the actual primary\/backcup config is done in the remote-PE !!! the multihoming PEs (local) dont talk to each other! show l2circuit connections inteface ge-0\/0\/7.0 -> BK: backup connection in remote-PE. the back-up PE will show the l2circuit as down because it hasn’t received a label from the remote-pe<\/p>\n\n\n\n ** local-switching: two sites connected to the same PE, no need of l2circuit pseudowire show l2circuit connecctions<\/p>\n\n\n\n ** stitching pseudowires (merging companies) need interworking interface iw0 (ie L2VPN+L2Circuit set routnig-instances VPN1 instance-type l2vpn interface iw0.0 route-distinguisher lo0:1 vrf-target target:asn:1 set protocols l2circuit neighbor remote-pe-lo0 interface iw0.1 virtual-circuit-id 1<\/p>\n\n\n\n L2Circuit uses FEC type 128: explicit remote PE config, ldp signals the pseudowire, needs virtual-circuit-id<\/p>\n\n\n\n FEC 129: uses BGP to autodiscovery, so no explicit remote PE config needed, ldp signals the pseudowire. mix of L2Circuit and L2VPN<\/p>\n\n\n\n nowadays there is no notable adv to fec129<\/p>\n\n\n\n AGI: Attachment Group Id = virtual-circuit-id = vpn id -> l2vpn-id:ASN:umber (it is a extendedd bgp community) PE autodiscover is identical as L2VPN (rt, rd, local-site-id) set protocols bgp group INT type internal set routing-instances TEST instance-type l2vpn show route receive-protocol bgp remote-pe-lo0 [detail] show ldp database<\/p>\n\n\n\n show l2vpn connections -> l2vpn-id and target-attachment-id means it is fec129!!!<\/p>\n\n\n\n VPWS – virtual private wire service known MAC signalling: ldp-signalled – martini: routing instenace, virtual circuits = vpls-id. configuration of remote PE per VPLS (no autodiscover), targeted LDP-sessions, no RR.<\/p>\n\n\n\n fec-129: can use bgp or ldp, rfc 6074<\/p>\n\n\n\n PE-CE set intnerfaces ge-0\/0\/8 flexible-vlan-taging 2) lock entire phy interface for only vpls<\/p>\n\n\n\n set intnerfaces ge-0\/0\/8 flexible-vlan-taging PE ** RR out-of-band of MPLS path -> it can’t resolve prefixes ->sol: resolve VPN prefixes in inet.0 instead of inet.3 set routing-instances VPLS instance-type vpls ** with tunnel-services verification show route table bgp.l2vpn.0 match-prefix “PREFIX:RD:*” detail (!!! prefix:rd:remot_site:offset !!!)<\/p>\n\n\n\n show vpls connections instance VPLS [extensive -> see label-base, logs, etc] -> verify control-plane<\/p>\n\n\n\n show vpls mac-table instance VPLS -> verify data-plane<\/p>\n\n\n\n advertise blocl labels in bpg l2vpn? one label for each binding of a local interface to a remote interface = BGP: routing instace vpls, customer interface into vpls, protocols vpls into instance, optonal: no-tunnel-services set protocols ldp interface lo0.0 + FW filter for LDP<\/p>\n\n\n\n set routing-instances VPLS instance-type vpls show ldp database = fec-129 pseudowire: routing-instance, RT, RD and l2vpn-id set protocols ldp interface lo0.0 + Fw filter for LDP<\/p>\n\n\n\n set protocols bgp group EXAM type internal set routing-instance VPLS instance-type vpls show rorute receive-protocol bgp PE2-LO<\/p>\n\n\n\n show vpls connections instance VPS -> L2vpn-id => FEC129 !!!<\/p>\n\n\n\n 4 vlan options in vpls: set interfaces ge-0\/0\/7 flexible-vlan-tagging set interfaces ge-0\/0\/8 flexible-vlan-tagging bridge domain: like advanced vlan, one broadcast domain but not tied to a vlan number<\/p>\n\n\n\n show vpls mac-table instance VPLS -> VLAN: NA => default vlan mode<\/p>\n\n\n\n vlan-aware: one MAC table per vlan. All inside one VPLS instance. NOTE: can’t be used if VPLS contains IRB interfaces !!! (you need to use vlan-normalization instead) vlan-normalization: Any host can reach any host no matter the vlan they are in -> choose random vlan number for entire VPLS -> swap in\/out vlan-tag no-vlan mode: instance of using a random vlan-tag like in vlan-normalization, here, the vlan-tag is removed\/poped. Same goal as vlan-normalization dual-stack: QinQ – C-Tag: customer tag \/ S-Tag: service tag (identifies customer). It follows the default vlan mode => 1 bridge domain, 1 broadcast domain, doesnt care about VLAN. Both inner and outer Vlan-tag need to match for host-to-host communication *set routing-instances VPLS vlan-id inner-all -> QinQ with vlan-aware (in every PE in the VPLS) Automated BGP VPLS Site-Id deployment MAC limiting and flood protection: set firewall family vpls filter FLOOD-CONTROL term police-BU then policer POLICER-200K accept MAC flap protection (for multihoming or redundant links) set routing-instances VPLS protocols vpls enable-mac-move-action<\/p>\n\n\n\n VPLS, IRB and VRRP config ingress-replication may saturate bw (in ring topology) -> use multicast LSP for flooding efficiency (p2mp lsp) -> in ring topology, ingreess PE only send traffic twice. bgp-ldp vpls interworking (at stiching point) Troubleshooting show vpls connections instance VPLS -> output for the second+ local-site shows status = LM and no connections -> can be confusing, but is fine, it is using the first site.<\/p>\n\n\n\n 1) like BGP L2VPN, set one PE as primary and other as backup. The remote PE will only single a pseudowire to the primary PE. The backup PE shutdowns its local cust interface PE backup PE remote 2) Multihome + singlehome in same PE.<\/p>\n\n\n\n 1) Like L2Circuit multihoming. All config is in the remote PE, and not in the PEs connected to the multihomed site.<\/p>\n\n\n\n PE remote 2) VERY OPTIONAL: running STP with a customer -> creates a new instance<\/p>\n\n\n\n show spanning-tree mstp configuration routing-insatance VPLS-MSTP<\/p>\n\n\n\n vpls disadvantage: MAC learning via Data plane (flood and learn: inefficient, inconsistent, fw filter difficult), multi-homing requires to shutdonw CE interfaces to avoid loop (no active-active), only one active RIB at a time, 3 signalling methods<\/p>\n\n\n\n evpn overview: uses BGP: adv\/withdraw\/move MAC, multi-home, irb Ethernet Segment: set of links connect to the same customer device. Multi-home links are advertised in BGP -> key to avoid loops: ESI: ethernet Segment Id (ESI of all zeros = single-home)<\/p>\n\n\n\n active-active IRBs: no need of VRRP<\/p>\n\n\n\n MPLS dataplane is not mandatory, it can use VXLAN -> add VXLAN header: vni = vxlan id<\/p>\n\n\n\n AFI=25 EVPN Instance = EVI = “vrf” ethernet tag = vlan-id<\/p>\n\n\n\n Type2: MAC or MACIP<\/p>\n\n\n\n Type3: request flood traffic from remote PEs. Use L3VPN Multicacst concepts. PE join inclusive-tree for each bridge domain in an EVI *EVI has at least two labels: one for known macs for “all” bridge domains and requisites: set protocols bgp group INTERNAL family evpn signaling –> mandatory vlan-based EVI: instance-type evpn vlan-aware EVI: instance-type virtual-switch IM = inclusive multicast<\/p>\n\n\n\n vlan-aware evi -> each vlan gets its own named bridge domain in the routing instance.<\/p>\n\n\n\n set routing-instance GREEN instance-type virtual-switch set interface ge-0\/0\/0 flexible-vlan-tagging show evpn instance extensive GREEN -> see several bridge domains. One single vpn label for all MACs in all bridge-domain. each vlan has its own label for BUM (IM)<\/p>\n\n\n\n show route table bgp.evpn.0 match-prefix “3:lo-pe:*:”<\/p>\n\n\n\n show evpn database instance GREEN<\/p>\n\n\n\n show bridge mac-table instance GREEN<\/p>\n\n\n\n CE links are in bundle ae to different PEs. All active links.<\/p>\n\n\n\n CE set interfaces ge-0\/0\/0 gigether-options 802.3ad ae0 ->to PE1 set interface ae0 flexible-vlan-tagging ** eachc unit is in a different VRF<\/p>\n\n\n\n PE set interfaces ge-0\/0\/0 gigether-options 802.3ad ae0 ->to CE1<\/p>\n\n\n\n set interface ae0 flexible-vlan-tagging -> each unit can use single or stacked tagging ** eachc unit is in a different VRF<\/p>\n\n\n\n show evpn instance extensive NAME -> check for the aeX and ESI type4 ethernet segment -> avoid loop in multihoming (similar to type1!!!)<\/p>\n\n\n\n type of loops: – remote PE1 send BUM to both multihomed PE-2\/3 -> fixed with DF in segment = DF only PE that forwards recevied BUM from remote-PE to local-CE (COMPLEX!!!)<\/p>\n\n\n\n two types: type1 ethernet auto-discovery **Per-ES: one single type1 is sent for the entire ES => all other PEs learnt about the ES automatically show evpn instance extensive NAME enabled by default<\/p>\n\n\n\n Typ2 + “mobility mobility” community = static flag + seq nu (same seq -> tie braker is PE with lowest IP) +<\/p>\n\n\n\n show route table bgp.evpn.0 match-prefix 2:(RD:lo:x)::vlan::MAC:21\/304 detail<\/p>\n\n\n\n default mac flap protection: 4 moves in 3 minutes -> 5th moved is blocked = PE will not advertise type2 -> manual clearing<\/p>\n\n\n\n clear evpn duplicate-mac-suppresion Every PE can host an active IRB. 3 options<\/p>\n\n\n\n LAB:<\/p>\n\n\n\n CCNH is mandatory for EVPN: enables MAC rewrite and label actions between Vlans<\/p>\n\n\n\n l3vpn -> type: vrf \/ family: inet-vpn unicast<\/p>\n\n\n\n set routing-instances GREEN instance-type vrf irb can be in l3vpn (l3) and evpn (l2)<\/p>\n\n\n\n By default PE advertise for directled connected host (from the irb) -> l3vpn \/32 to remote PE, so dont follow the \/24 irb advertised by all other PEs and can go directly to the PE advertisnig the \/32 — IMPORTANT !!!!<\/p>\n\n\n\n PE advertises 1x EVPN Type2 MAC for each IP leartn in the irb remote PE that receives evpn type2 mac+ip CREATES l3pvn route in l3vpn table with preference 7 (because contains a lot of frame manipulation) and then uses evpn instead of l3vpn => useful for moving frames between vlans !!!!<\/p>\n\n\n\n show route table GREEN_L3.inet.0 10.60.0.11 protocol evpn detail -> “Ethernet header rewrite” set routing-instances GREEN protocols evpn remote-ip-host-routes -> creates local l3vpn host route entries for remote IPs<\/p>\n\n\n\n extra: three methods: A B: each ASBR exchange BGP VPN (and labels) via eBGP (good when both AS belongs to the same org). No LSP between ASBRs. because it is eBGP, all bgp vpn are advertised and accepted. No need of vrfs. VPN labels are swapped at both ASBRs. Good: no need of vrfs in ASBR, simple is you are happy to run MPLS between both networks. Trade-off: ASBRs must learn every single VPN adv and generate a new vpn label -> strong CP and large LFIB<\/p>\n\n\n\n C: family bgp-label-unicast, create LSPs between AS. More complex but more scalable. PEs from each AS peer each other: eBGP + exchange vpn labels and prefixes => Loopbacks from each AS need to be exchanged, LSP between ASNs !!-> BGP-LU fixes it. bgp-lu: advertise regular IPs with a transport!!! MPLS label. Between ASBRs only: PE1 (AS1) show route received-protocol bgp ASBR-1-LO –> you will see the PE2-AS2-LO in inet.0 and inet.3 !!! ASBR1 ** normally from eBGP to iBGP you need to change NH because iBGP peers dont know the eBGP NH\u2026 set protocols mpls traffic-engineering mpls-formarding –> copies LSPs into inet.0 BUT only use for forwarding. IGP still used for CP. *Carrier-of-Carried (CoC) VPNs: Small SP is in two distant locations (with different ASn), and uses a large SP to connect both locations. Inter-AS MPLS but using another SP with option-C => BGP-LU between ASBRs and PEs. BGP-L2VPN ebgp: cust-pe1 <> cust-pe2<\/p>\n\n\n\n LSP cust-pe1 <> cust-asbr1 CUST-PE1 (AS1) show route received-protocol bpg CUST-ASBR1-LO -> in inet.0 and inet.3 (because resolve-vpn and NH changed!) learn CUST-PE2-LO CUST-ASBR1 COC-ASBR1: ** no need of export policy and no need of “resolve-vpn” because COC carrier has no visibility of CUST VPNs No MAC learning (frames are simply forwarded). It can stitch two RSVP LSPs<\/p>\n\n\n\n ** pseudowire: donwside: 2xRSVP LSP, one in each direction, only dedicated to the CCC vpn -> increase RSVP state if you have many ccc pe1: ** you need to define the LSP !!!<\/p>\n\n\n\n show connections remote-interface-switch CCC1<\/p>\n\n\n\n ** Local switching: connecting two ports in the same device<\/p>\n\n\n\n set interfaces ge-0\/0\/8 flexible-vlan-tagging set protocols connections interface-switch 008_to_009 interface ge-0\/0\/8.300 show connections interface-switch 008_to_009<\/p>\n\n\n\n ** LSP stitching:<\/p>\n\n\n\n abr: show route table mpls.0 lable xxxs<\/p>\n\n\n\n pseudowire need to cross between different AS = Inter-AS option B but! ABRs take part in the vpn<\/p>\n\n\n\n T-PE: Terminating PE = PE hosts the customer-facicn interface = PE terminates the pseudowire SS-PW: single-segment pseudowire: the “normal” one. vpn label is not changed between T-PEs junos uses FEC129 for MS-PW. T-PEX1 show route table mpls.0 S-PEX2 static route to LO-S-PEY2 nh phy-int<\/p>\n\n\n\n set protocols ldp interface ge-TO-T-PEX1.0 show route receive-protocol bgp LO-T-PEX1 –> MS-PW has two new tables: bgp.l2vpn.1 and ldp.l2vpn.1 **LAB: Inter-AS Option-C and MS-PW ***<\/p>\n\n\n\n preventing vpls local switching (two CEs connected to same PE) -> config in all spoke PEs: set routing-instance VPLS_HS no-local-switching<\/p>\n\n\n\n 3 methods SPOKE PE ** site-range with BGP VPLS. use site-range 1 in all spoKe PEs. All spoke PEs have site-id higher than site-range. No routing policies. SPOKE-PE ** Hub-spoke LDP VPLS = hierarchical VPLS: Hub is VPLS, Spokes are L2Circuit (no MAC learning) HUB (vlan-aware -> accepts all vlans) SPOKE ========================================= RD type0: 2B ASN + 4B number Mask (1B) + MPLS Label (3B) + RD( type (2B) + Admin (var + Number (var)) + ipv4 (4B)<\/p>\n\n\n\n vpnv4 afi=1 safi=128<\/p>\n\n\n\n policy-based routing IGP for PE\/P Lo iBPG between PEs Lo + family inet-vpn unicast (show bgp neighbor LO) LDP\/RSVP + LSP between PEs tables: set routing-instances VPNA instance-type vrf set routing-options route-distinguisher LO -> automatically creates type1 RD for each VRF***<\/p>\n\n\n\n site-of-origin SoO – CE is multihome and as-override is required. -> avoid loops between multihome CEs! use vrf-import\/export show route table vrf-table-label: BGP by default accepts\/sends everything (if no import\/export) set routing-instances VPNA instance-type vrf show ospf neighbor instance VPNA<\/p>\n\n\n\n lsa1 router PEs are always area0, although not explicit. PEs dont talk OSPF between then, they do BGP<\/p>\n\n\n\n type1\/3 are exported by default as l3vpn type3 by PEs -> two bgp communities: route-type and domain-id avoid loops -> DN bit + VPN external route-tag (legacy for lsa5) sham-links: multihop OSPF neighbor between PEs. requires a unique Lo in customer VRF. Like a virtual-link. PEs can exchange lsa1<\/p>\n\n\n\n set interface lo0 unit “1”!!! family inet address IP1\/32 sharing routes between vrf tables in same PE **rib-groups: if you want to keep shared vrf routes from other PEs -> create policy<\/p>\n\n\n\n 2 VRFs: Spoke and Hub VRF. Hub CE connected to both. Issues with looping using BGP spoke-PE set policy-options policy-statement VPNA-import term 1 from protocol bgp, community hub then accept Hub-PE set routing-instances HUB instance-type vrf set policy-options policy-statement spoke-in term 1 from protocol bgp, community spoke then accept<\/p>\n\n\n\n recommended rewrite EXP bits in each LSR, same policies in eachc PE ingress PE set class-of-service classifiers exp VPN-class forwarding-class assured-forwarding loss-priority high code-point 101 set protocols mpls explicit-null –> we dont want PHP -> EXP bits lost for egreess PE<\/p>\n\n\n\n vpn prefix mapping: set routing-options forwarding-table expor MAP<\/p>\n\n\n\n show route forwarding-table vpn VPN-A<\/p>\n\n\n\n *BGP PIC Edge: PIC = Prefix Independence Convergence -> install vpn route in fw table as backup -> faster convergence during PE failover<\/p>\n\n\n\n configured in ingress PEs *Provider Edge Link Protection: at ingress PE. only for external peers<\/p>\n\n\n\n configured in ingress PEs and only if best path is already installed in fw table. rfc 4364: create multiple BGP RR for VPN routes, BGP route refresh (supported by default), RT filtering scaling guidelines: num VRF tables (RE dependent), routes per device (hw dependent) in all PE and RR. You need “route resolution RIB” (as above section) in all PE\/RR. Non-VRF internet access: two connections, you connect to a different or same PE. NAT in CE<\/p>\n\n\n\n VRF internet access: 3 types: NAT in CE or in SP router or Hub CE. One connection to PE set policy-options policy-statement SELECT-ROUTES term CORE-INTERFACES from interface ge-0\/0\/0.0 then accept set protocols bgp group GW type internal show route 0\/0 exact -> in inet.0 and VPNA.inet.0 !!! how asbr communicate?: labesl travel between AS? exchange labels? each SP runs its own IGP, how PEs between ASn discover them Option A: each SP treats each other as a CPE -> each ASBR is configured wtih all VRFs and logical interfaces. No MPLS between both ASBRs Option B: ASBRs exchange VPN labels using eBGP. No LSPs between ASBRs! No VRFS in ASBR! Best option when merging SPs Option C: PEs between SPs talk eBGP VPN -> SPs needs to know Lo from the other + LSP between SPs -> use BGP-LU: adv IPs with mpls label (transp) Config: 3 BGPs: PE1-ASBR1 ibgp LU set protocols bgp group INT type internal show route received-protocol bgp SP1-ASBR1-lo -> you will see SP2-PE2 lo in inet.0 (by bgp-lu) and copied to inet.3 SP1-ASBR1 SP1 in two locations (different ASNs!) but not connection. SP2 is used to connect those two locations from SP1, SP2=COC-SP lsp: SP1-PE1 set protocols bgp group TO-SITE2 type external (to sp1-pe2) show route receive-protocol bgp SP1-ASBR1-lo -> inet.0 (learnt via bgp-lu) then copied to inet.3 (resolve-vpn!) SP1-ASBR1 ** real-life: COC will have this config in a L3VPN !!! This example SP1 prefixes will be in COC inet.0 !!!!<\/p>\n\n\n\n ** lab uses “advertise-inactive” in all “type external + bgp-lu” bgp groups???<\/p>\n\n\n\n CP: PE-CE routing, BGP, label protocols DP: ping\/traceroute<\/p>\n\n\n\n MPLS BGP DP QoS is hard. Mostly for UDP 224\/4 (class D: 1110 ) RPF check: uses inet.0, successful checks saved in inet.1. inet.2 alternate table for RFP checks (needs RIB groups)<\/p>\n\n\n\n host sends IGMP report to signal interest in receiving specific multicat traffic. IGMP not routing protocol! perfrom RPF check, build outgoing-interface-list (OIL), exchange multicast fw state with other routers messages: two methods: dual PIM MVPNs (draft rosen – scale issues) or BGP MVPNs (doesnt require multicast config in backbone)<\/p>\n\n\n\n BGP MVPN: replaces PIM with BGP: rfc 6514 for mvpn signaling. can use a RR. PMSI = P-Multcast Service Inteface NLRI: af1=1, safi=5 tables: bgp.mvpn.0 and .mvpn.0. PMSI Attribute: rsvp session id or ldp p2mp fec for p2mp lsps (and labels)<\/p>\n\n\n\n type1: Intra-AS I-PMSI autodiscovery route. Sent by all PE routers participating in MVPN typ3: S-PMSI autodiscovery route: advertised by multicast source PE in response to receiving a typ6\/7 route. (sent by root PE when creating S-PMSI) type4: leaf autodiscovery route: originated by receiver PE in response to receiving typ3 (sent by receiver PE, to join S-PMSI) type5: source active autodiscovery route: sent by PE that discovers an active MC source (propagate info on active sources) typ6: shared-tree route: sent by PE that receives PIM join (C-, C-G) on the vrf interface. (equivalent PIM join (<\/em>,G) type7: source-tree join route: sent by PE that receives PIM join (C-S, C-G) on vrf interface (equivalent PIM join (S,G) p2mp lsp: I-PMSI signaling: RSVP.No PIM in Backbone. source begins sending MC traffic using igmpv3, receivers join a source-specific group (other side of the SP network) after MC fw tree is built, C-DR sends native MC to C-RP. C-RP encapsulates packet. At some point one P, duplicates packet to interested PEs.<\/p>\n\n\n\n S-PMSI signaling: complex!!! hw requirements. Tunnel services on certain routers: C-DR, C-RP, all PEs participating in customers MC network<\/p>\n\n\n\n set protocols bgp family inet-mvpn signallng<\/p>\n\n\n\n set protocos mpls label-switched-path mvpn-example template, no-cspf, link-protection, p2mp<\/p>\n\n\n\n — LDP set routing-instances mc-pe provider-tunnel selective group 224.7.7.7\/32 source lo-ip\/32 ldp-p2mp<\/p>\n\n\n\n set routing-instances mc-pe protocols pim rp local address LO verification 2- BGP family MVPN 3- I-PMSI\/S-PMSI for RSVP\/LDP p2mp JNCIP-SPJN0-664https:\/\/www.juniper.net\/us\/en\/training\/certification\/tracks\/service-provider-routing-switching\/jncip-sp.htmlAdvanced Junos Service Provider Routing On-Demand – DONEJunos Layer 2 VPNs On-DemandJunos Layer 3 VPNs On-Demand https:\/\/jlabs.juniper.net\/vlabs =========================================Advanced Junos Service Provider Routing On-Demand========================================= OSPF for SP============ip protocol 89DR in ethernet segment: highest priority (def 128), highest RID.P2P dont need DR: save 40s wait timepacket types:hello: fomr and maintain adjDB descriptor: header info for contents of … Continue reading “JNCIP-SP”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-2127","post","type-post","status-publish","format-standard","hentry","category-networks"],"_links":{"self":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/2127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/comments?post=2127"}],"version-history":[{"count":1,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/2127\/revisions"}],"predecessor-version":[{"id":2128,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/2127\/revisions\/2128"}],"wp:attachment":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/media?parent=2127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/categories?post=2127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/tags?post=2127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Advanced Junos Service Provider Routing On-Demand
=========================================<\/p>\n\n\n\n
============
ip protocol 89
DR in ethernet segment: highest priority (def 128), highest RID.
P2P dont need DR: save 40s wait time
packet types:
hello: fomr and maintain adj
DB descriptor: header info for contents of LSDB
LS request: request copy of neighbor LSA
LS update: advertise LSA into network
LS ack: ack, ensure reliable floodingof LSAs
States: Down, Init, 2Way, ExStart, Exchange, loading, full
Areo0, ABR: genreate LSA3 from areaX into area0 and viceversa.
add lo0.0 into ospf
set routing-options router-id LO.IP !!!!! must be unique
if lo0 has several ips
set protocols ospf area 0.0.0.0 interface LO.IP.x (instead of interface name)<\/p>\n\n\n\n
max age: 1h, need refresh 3000sec
LSA1 router: sent by each router to describe its links and status
LSA2 network: sent by DR
LSA3 summary: sent by ABR to describe routers from area into another
LSA4 ASBR summary: sent by ABR to describe ASBR
LSA5 external: sent by ASBR to describe routers external to ospf
LSA7 NSSA: sent by ASBR in an NSSA to describe external router
LSA9,10 opaque: TE<\/p>\n\n\n\n
LS age: 2b –
Options: 1b – E=external, P=NSSA
LS type: 1b –
LS ID: 4b – very vary\u2026
Adv Router: 4b – RID of originator
LS seq nu: 4b – increases with each change
LS checlsum: 4b
Length: 2b<\/p>\n\n\n\n\n
cost: cost of sending out packer in the interface
bits: V virtual link 0x4
E by ASBR 0x2
B by ABR 0x1
Link ID: far side of the link
MT = multi topology link type link ID Link Data
1 p2p neighbors RID local router interface IP
2 transit DR interface IP local router interface IP
3 stub Network subnet mask
4 virtual neighbors RID local router interface IP<\/li>\n<\/ul>\n\n\n\n
ID: IP of DR in the segment
Adv Router: DR lo
attachced router: RID of each router attached<\/p>\n\n\n\n
ID: IP advertised
Adv Rtr: RID of advertising router<\/p>\n\n\n\n
Area: 0.0.0.0 (sent to this adjacent area)
ID: RID of ASBR
Net mask: no meaning
Adv Rtr: RID of advertising router<\/p>\n\n\n\n
generated ASBR
E bit: type external metric: type1: add metric to ASBR, type2: only add external metric
ID: IP advertised
Adv Rtr: RID of advertising router<\/p>\n\n\n\n
generated by ASBR in NSSA. Has area scope, not advertised to other areas (as lsa7), the ABR will transate to lsa5. Other routers in the area get the lsa7. If there are several ABR in the NSSA, the hightest RID does the lsa7->5 translation. doesnt require lsa4
lsa7 format is identical to lsa5. only diff, lsa7 uses FWd addr: can be the RID of the originater or the connected IP to reach it
only nssa-capable routers can interpret type7.<\/p>\n\n\n\n
LSA10 MPLS TE – are scope<\/p>\n\n\n\n
you can’t block lsa flooding, just use “set protocols ospf import X” to block external routes in the routing table<\/p>\n\n\n\nospfv3 (ipv6)<\/h2>\n\n\n\n
interfaces MUST have family inet6 !!!<\/p>\n\n\n\n
options fiel expanded, lsa format changes: new lsa and remaining) IA LSA<\/p>\n\n\n\n
1 0x2001 router lsa lsa1 router
2 0x2002 net lsa lsa2 network
3 0x2003 InterA-prefix lsa lsa3 summary
4 0x2004 InterA-router lsa lsa4 asbr summary
5 0x4005 AS-Externa lsa lsa5 external
6 0x2006 Group Memb lsa lsa6 multicast
7 0x2007 type-7 lsa lsa7 nssa
8 0x2008 link lsa none
9 0x2009 IntraA-prefix lsa lsa1 + lsa2<\/p>\n\n\n\n
0 0 link-local
0 1 area
1 0 AS
1 1 reserved<\/p>\n\n\n\nAdvance OSPF for SP<\/h1>\n\n\n\n
totally stub: lsa1,2 and just one lsa3 (default route) no lsa4,5
NSSA: lsa1,2, just lsa7 as default. ????????\/
totally nssa: lsa1,2, ??????<\/p>\n\n\n\n
no virtual-links<\/p>\n\n\n\n\n
interface xx<\/p>\n<\/blockquote>\n\n\n\n
no virtual links<\/p>\n\n\n\n\n
interface xx<\/p>\n<\/blockquote>\n\n\n\n
no virtual-links<\/p>\n\n\n\n\n
[no-summaries – with above -> uses lsa3 as default – only ABR]
interface xx<\/p>\n<\/blockquote>\n\n\n\n
no virtual-links<\/p>\n\n\n\n\n
interface xxx.0<\/p>\n<\/blockquote>\n\n\n\n\n
\n
interface xxx.0<\/p>\n<\/blockquote>\n\n\n\nMulti-Area Adj<\/h2>\n\n\n\n
area 10 interface ge-0\/0\/0.0 secondary<\/p>\n\n\n\n
interf State Area
ge-0\/0\/0.0 BDR 0
ge-0\/0\/0.0 pTp 10<\/p>\n\n\n\nVirtual-Link<\/h2>\n\n\n\n
interface ge-0\/0\/0.0 interface-type p2p<\/p>\n\n\n\nExternal reachability ?????<\/h2>\n\n\n\n
set protocols ospf export redis-static<\/p>\n\n\n\n
set protocols ospf prefix-export-limit x<\/p>\n\n\n\n
Tree DB: show ospf route
inet.0: show route protocol ospf<\/p>\n\n\n\nTroubleshooting OSPF<\/h1>\n\n\n\n
adj issues<\/h2>\n\n\n\n
init: neighbo discover
2way: idem
exstart exchan loading: lsdb sync
full:<\/p>\n\n\n\n
2way stuck: priority both 0?, same IP?, MTU?<\/p>\n\n\n\n
show ospf statistics | find errors
set protocols ospf traceoptos flag error detail, hello detail<\/p>\n\n\n\nlsdb issues<\/h2>\n\n\n\n
broken area0: use virtual-links<\/p>\n\n\n\nrouting issues<\/h2>\n\n\n\n
instability<\/p>\n\n\n\n
show ospf route
show ospf database<\/p>\n\n\n\nIS-IS<\/h1>\n\n\n\n
Connectionless Network Service CLNS \/ CNLO. Single AS
PDUs = ISIS packets
ES = End System = host
IS = routers
L1: route within an area or towards L2 system
L2: route between areas and towards other ASs
L1\/L2 (ABR): sets the attached bit in the L1 PDUs = it can reach L2
L1 routers create default route for InterArea prefixes, witch points to the closest L1\/L2 router<\/p>\n\n\n\n
area sys id selector
(lo.ip) 00<\/p>\n\n\n\n
id lenght: 6b
pdu type: 18=l1 20=l2
max area address = 3b
2xversion!
Variable: PDU headers and TLV
pdu length, remaining lifetime, lsp id (unique!: system id + circuit id + lsp number), seq nu, checksum, IS type bits, TLVs (variable)
ciruit id – 0x01 for lo and p2p
LS flooding: files remaining lifetime: 3b: default: 20minutes
ATT bit: attachment bit – it IS connected to another area
OL bit: overload bit – if LSDB is overloaded (in maintenance mode)
IS type: l1 = -0x1 \/ l1l2 = 0x3<\/p>\n\n\n\n
hello: neighbor discovery, build, maintain adj: LAN hello (L1, type15 – l2 – type16), p2p hello. Hello reg 3s default
circuit type (l1,l2,l1l2), source ID (sysid), hold time, pdu length, priority (for DIS election), LAN ID (sysid or dis + 1b)
LS PDU: sent as result of network change, during adj formation, response to seq nu pdu.
identify adj, describe state adj, describe reachable address
PSNP: Partial Sep Num PDU. Maintain LSDB sync. ack in p2p, request copy lsp on broadcast. contains specific header for lsp acked or req-ed
CSNP: Complete Seq Num PDU. periodically in p2p. only by dis in broadcast. header info for all lsp<\/p>\n\n\n\n
tlv1: area address (of l0). Sent via l1 and l2 i
tlv2: IS neighbor metrics. delay\/expense\/error metric: S bit =1 , I\/E and metric bits = 0.
tlv10: authentication
tlv22: extended IS reach (TE). It has SubTLV
tlv128: ipv4 prefix, mask, metrics from the local router
tlv129: protocols supported (ipv4,6)
tlv130: ip external info (coming from policies)
tlv132: ip interface address (
tlv134: TE IP RID
tlc135: ext ip reachability ( for TE). for larger metric values
tlv137: dynamic hostname mapping<\/p>\n\n\n\n
tlv236: ipv6 support<\/p>\n\n\n\nADJ<\/h2>\n\n\n\n
l1 adj, same area ID
l2 adj, diff area ID
DIS election: 0 (never)-127 priority (higher better). for l1 and l2 (can be the same). In hello pdu
no backup DIS. there is preemption. non-DIS created adl with all others.
pseudo-node: DIS acts as representative and advertises it to all attached router (broadcast network). Pseudo-node hast cost 0<\/p>\n\n\n\n
iso
lo unit 0 family inet address IP1
iso address 49.area_ip.00<\/p>\n\n\n\n\n
lo.0 level 2 disable
reference-bandiwth 1g<\/p>\n\n\n\n
show isis adjacency [detail] (SNPA = mac of next hop)
show isis spf log [detail]
show isis statistics
show isis route
show isis database extensive<\/p>\n\n\n\nISIS flooding<\/h2>\n\n\n\n
\n
you can see the DIS in the output -> router_ID.02-00<\/p>\n<\/blockquote>\n\n\n\nisis wide metrics<\/h2>\n\n\n\n
tlv22,135 -> large metric: 16 777 215 (32b)<\/p>\n\n\n\n
export: ok (beware of routing loops when multiple redistribution points exist<\/p>\n\n\n\n
*l1l2 border is a natural route boundary<\/p>\n\n\n\n\n
set policy-options policy-statement external-l1-summary term X from protocol aggregate route-filter IP\/22 exact
to level 2
then accept
term y from route-filter IP\/22 longer
to level 2
then reject l1l2 attached routers set the attached-bit in their l1 LSPDU\n\n
loopback is always passiv, no need to disable anything<\/p>\n\n\n\n\n
l2 links: between differnt areas
attached bit = generate default
route leaking and summarization: 1) create agg route, 2) create policy 3) export policy into isis<\/li>\n<\/ul>\n\n\n\nTroubleshooting<\/h2>\n\n\n\n
adj<\/h2>\n\n\n\n
new: sent hello
two-way: received hello
init: LSDB sync
up<\/p>\n\n\n\nrouting<\/h2>\n\n\n\n
\n
statistics
overview
adjacency
hostname
spf log
database [extensive] | find TLVs
level x hostname extensive | match PREFIX\/MASK<\/p>\n\n\n\nBGP<\/h1>\n\n\n\n
ibgp: full-mesh, no changes anything (nh)
ebgp: changes aspath and nh<\/p>\n\n\n\n
19b min<\/p>\n\n\n\n
connect: wait for tcp to complete
active: initiates tcp
opensent: tcp completed, waits for open message
openconfirm: waits for a keepalive (moves to establs) or notif message (moves to idle)
established: exchange update, notification, keepalive<\/p>\n\n\n\n
notification: when error is deteccted
refresh: inform peer to resend all routes<\/p>\n\n\n\n\n
path selection<\/h2>\n\n\n\n
LB<\/h2>\n\n\n\n
ebgp: multihop if not directly connected !! (ttl def = 64!)<\/p>\n\n\n\n
set routing-option forwarding-table export LB
hash-key family inet XXX (default only l3)<\/p>\n\n\n\n
autonomous-system ASN<\/p>\n\n\n\n
needs to create firewall policy and apply input interface!!<\/p>\n\n\n\n
End-of-RIB markers sent for each NLRI. Notifies the neighbor that all current routing info was sent
Local router defers path selection alg until the marker is received<\/p>\n\n\n\n
autonomous-system ASN loops X
allow IP_RANGE -> not needed to set each neighbor manually<\/p>\n\n\n\n
local-as [x private]
remove-private<\/p>\n\n\n\nPolicy<\/h2>\n\n\n\n
show route receive-protocol bgp PEER_IP
RIB-local (inet.0): after routing best path decision. only single best bgp path. only active are advertised. you can advertise more than best with ‘add-path’ (good in RR!!!). ‘advertise-inactive’ to advertise the best bgp although is not best in rib (ie: ospf\/isis to same destination is better)
show route protocol bgp source-gateway PEER-IP
RIB-out: after export policy
show route advertise-protocol bgp PEER_IP<\/p>\n\n\n\nAttributes<\/h2>\n\n\n\n
WK-discre: not in every bgp update, undertstood by all – LP
Opt-trans: transmitted even if not understood (communities)
Opt-notrans: no transmite even if not understood (MED)<\/p>\n\n\n\n
2B: priv 64512-65534
4B: xx.yy (old: 0.y) priv: 1.y – 65535.65535<\/p>\n\n\n\n
{} = AS set – group os AS where order is not important
() = confederantion<\/p>\n\n\n\n
CE) show route (without any manipulation)
AS path 65001 (65002 65003) I Aggregator: 65001 (as of the aggregator) nh_ip from pe<\/p>\n\n\n\n
PE) set routing-options aggregate route 192.168.0.0\/23 as-path aggregator 65002 10.0.1.1 => cha<\/p>\n\n\n\n
term: asn or asn path ( . == single asn !!!)
operator: | = or ie: 1024|1025
– = range ie: 1024-2685
. = any asn
() = empty as path
^ = start
$ = end
? = 0 or 1<\/p>\n\n\n\n\n
{m,n} at least m repetions, at most n repetiions<\/li>\n<\/ul>\n\n\n\n
as-path-group -> define list of regex evaluated as logical OR<\/p>\n\n\n\n\n
installed by the originating. I (Internal – learned by IGP – 0), E (External – from EGP – 1 ), ? (Incomplete=2) I > E > ?
anything in inet.0 is Internal<\/p>\n\n\n\n
affects inbound traffic from other AS (several links with same neighbor AS !!!!)
routes redistrib into bgp, will have MED = metric of original route<\/p>\n\n\n\n\n
set protocols bgp group X neighbor IP metric-out Y ( yY = MED value)<\/p>\n<\/blockquote>\n\n\n\n
wellknow communities have global meaning.
no-export: routes must be distributed within the confederation or AS, but not further
no-advertise: routers must not be advertised to other bgp peers
no-export-subconfed: routes must not be advertised to eBGP confined to sub-AS
informational, action, LP, other: communities
4b: 2b=asn + 2b=value (AS:number)
extendended:
4b asn: as.as:number or asL:number
“:<\/em>” = all communities regex<\/p>\n\n\n\n\n
set policy-options policy-statement TEST term X then community add\/delete\/set COMM_NAME<\/p>\n<\/blockquote>\n\n\n\n\n
show route community-name COMM_NAME [detail]<\/p>\n<\/blockquote>\n\n\n\n
(a,b,z) = list values
“((56)|(78)):” – AS is 56 or 78 – ie: 56:100, 78:65000 “56:(2.<\/em>)” – AS is 56 and value starts with 2 – ie: 56:234, 56:2, 56:222
“:(.<\/em>[579])” – Any AS and values ends with either 5,7, or 9 – ie: 213:5, 78:2347, 34:65009
“((56)|(78)):(2.*[2-8])” – AS is 56 or 78, value starts with 2 and ends with any value between 2-8 – 56:22, 56:21197, 78:2678<\/p>\n\n\n\nRoute-Reflector rfc4456<\/h2>\n\n\n\n
route-reflector: can readvertise ibgp prefixes -> loop prevention: cluster-list (similar to as-path) and originator-id (1st router to inject route in RR network)<\/p>\n\n\n\n\n
Optimal RR (ORR)<\/h2>\n\n\n\n
\n
\n
solutions: 1 always compare med > set protocols bgp path-selection always-compare-med
2 add-apth > set protocols bgp family inet unicast add-path receive; send prefix-policy NAME path-count 6s<\/p>\n\n\n\nConfederation<\/h2>\n\n\n\n
limitations: no possilbe to migrate to\/from a confederation setup withou a complete bgp shutdown
no scalable in regard to services and AF
each sub-as still need full-mesh ibgp, private asn
between sub-as, ebgp.
confederation as-path: it appears as a single iBGP as-path<\/p>\n\n\n\n
confederation 201 members [ 65000 \u2026 65004 ]<\/p>\n\n\n\nBGP FLOWSPEC<\/h1>\n\n\n\n
strict: interface packet is received must be the best and active path to the source prefix.
loose: source address must match a prefix in the routing table (accomodates asym routing)<\/p>\n\n\n\n
Destination-based RTBH: customer communicates to ISP. ISP, via iBGP import policy on edge PE, drops traffic heading to the destination IP
bw is restored when attack is targeted to a single IP or prefix
negative: knocks victim offline, force emergency IP change.<\/p>\n\n\n\n
negative: src addr often not known or too numerous, or behind CGNAT or they are public services (DNS,NTP,LDAP, etc)<\/p>\n\n\n\n
afi 2 safi 134 = ipv6, afi 2 safi 134 = vpnv6<\/p>\n\n\n\n
2- src prefix 8 icmp-code
3 ip protocol 9 tcp-flags
4 src or dst port 10 packet-lenght
5 dst port 11 dscp
6 src port 12 fragment encoding<\/p>\n\n\n\n
0x8007 traffic-action
0x8008 redirect
0x8009 traffic-marking<\/p>\n\n\n\n
1 compare left-most components of each NLRI
2 if types differ, lowest type by numeric value is used, if same, then values within that component are compared
3 for ip prefix values (type 1,2,3) the lowest IP is chosen, and if the IP addresses are the same, the most specific prefix is used
4 for all other types, the binary string of content is compared to determine the order<\/p>\n\n\n\n
1 originator of flow spec matches the originator of best-match unicast route for destination prefix embedded in flow spec
2 there are no more-specific unicast routes that have benn received from a different neighbor aS than the best-match unicast router from 1)<\/p>\n\n\n\n\n
family inet unicast + flow peering with ISP<\/p>\n\n\n\n\n
policy<\/li>\n<\/ul>\n\n\n\n
term-order standard<\/p>\n\n\n\n
term CUSTOMER-ROUTES from route-filter DEST\/24 exact then accept
term REJECT then reject<\/p>\n\n\n\n group IBGP local-adress Z family inet unicast flow neigbor A1 neighbor A2....<\/code><\/pre>\n\n\n\n
then community add CUST-FS-COMM accept
term 2 from route-filter DESt\/24 exact then accept
term 3 then reject
community CUST-FS-COMM members 100:9999<\/p>\n\n\n\n *For other PEs:\n set routing-options\n rib inetflow.0 maximum-prefixes 10000 threshold 90\n flow term-order standar<\/code><\/pre>\n\n\n\n
term-order standard<\/p>\n\n\n\n
term 2 then accept
policy-statement NO-ROUTES-IN term 1 then reject<\/p>\n\n\n\n community INTERAL-FS members 100:1000<\/code><\/pre>\n\n\n\n
term 2 then reject<\/p>\n\n\n\n
flow term-order standard<\/p>\n\n\n\n\n
show route table inetflow.0 extensive [hidden] -> Fictitious indicates there is no BGP next-hop in the route
show route flow validation detail -> check “match validation”
show firewall -> flowspec_default_inet<\/strong> applied to all interfaces<\/p>\n<\/blockquote>\n\n\n\nBGP TROUBLESHOOTING SP<\/h1>\n\n\n\n
tcp states for bgp: idle (init state, no route to send tcp syn), connect (wait for tcp to complete, tcp sent), active (tcp timout occurred)<\/p>\n\n\n\n\n
show bgp group
show bgp neighbor IP
show system connections inet extensive | find P
set protocols bgp traceoptions file X size 10m files 2 flag packets details flap general flag open
show log X
monitor start X
show route advertising-protocol bgp IP [extensive: bgo communities, asparth-prepend]-> routes after export policies
received -> routes befor import policies<\/p>\n<\/blockquote>\n\n\n\nPolicy Troubleshooting<\/h1>\n\n\n\n
export policy: after RIB and before reaching neighbor
fw export policy: from RIB to FIB (ie: LB)<\/p>\n\n\n\n Import Export<\/code><\/pre>\n\n\n\n
ISIS accept reject (but ISIS peer accept)
OSPF accept LSA reject (but OSPF peer accept)
RIP accept reject<\/p>\n\n\n\n
ie: export ( policy-one && !policy-two)<\/p>\n\n\n\n
no-advertise: no iBGP, no eBGP
no-export-subconfed: not leave confederation sub-as.<\/p>\n\n\n\n
show policy forwarding-policy (no very useful)
test policy (no very useful)
traceoptions flap policy: powerful but use with care! add “trace” in any “then” term. remove when done!!!!<\/p>\n\n\n\n
show isis database external ROUTER | match PREFIX<\/p>\n\n\n\n
as-path P2 65052*<\/p>\n\n\n\n as-path Y \"65500 .*\"\n\n policy-statement send-customers term T1 from as-path-group X then accept\n policy-statement no-transit term T2 from as-path Y then reject<\/code><\/pre>\n\n\n\nBGP Route Damping<\/h1>\n\n\n\n
points decay = reduce value at certain rate = ‘half-life’ (reduced penalty points by half: def: 15 min)
points above ‘suppress’ (def: 3000) threshold -> route is damped
points drop below ‘reuse’s (def: 750) threshold -> route is used
‘max-suppress’: longest time to suppress a route. def: 60 min<\/p>\n\n\n\n\n
dont-damp disable (not calculate a merit figure for routes = no damping)<\/p>\n\n\n\n
C2 term t1 from route-filter NET\/x or longer then damping dont-damp accept
t2 then damping NAME-DAMP<\/p>\n\n\n\n
import POLCICY-IN<\/p>\n\n\n\n
decayed
suppressed<\/p>\n\n\n\n
Junos Layer 2 VPNs On-Demand
=========================================<\/p>\n\n\n\nREFRESHER L2VPN<\/h2>\n\n\n\n
P: LSP transit, fw only based on labels, PHP, bgp-free
lsp: ldp (igp), rsvp (manual), sr, bgp-lu
transport label (outer – advertisedd by ldp\/rsvp, changes hop-by-hop), vpn label (inner – advertised by bgp PEs, doesnt chnage)<\/p>\n\n\n\nL2VPN flavours<\/h2>\n\n\n\n
pseudowire: CEs think they are directly connected<\/h2>\n\n\n\n
method-1: one single logical unit accepts all traffic
method-2: multiple logical units for multiple pseudowires = vlan-tag identifies pseudowire (hub-spoke)
no need to MAC learning<\/p>\n\n\n\n
l2vpn: bgp autodiscovers PEs and signals vpn (address family l2vpn, longer config)
l2circuit: ldp signals the vpn, neighbord manually defined (address family l2circuit, shorter config)
fec-129: bgp autodiscoverd PEs, ldp signals vpn. bpg overloadd\u2026
circuit-cross-connect: 2xrsvp (one in each direction), 1 label, doesnt scale (family ccc)
bgp-signaled evpn-vpws: evpn without mac-learning (newer)<\/p>\n\n\n\n
L2VPN: bpg-signaled pseudowires in Junos (kompella)
l2vpn: all types of mpls vpn at l2.<\/p>\n\n\n\n
vpls: virtual private lan service, overlay model
pe: learns mac address, unknow mac flooding, irb can be places inside vpls
trade-offs: multihoming can do active\/active, vrrp, mac learning<\/p>\n\n\n\nL2VPN or BGP-signaled pseudowires (kompella) rfc6624<\/h2>\n\n\n\n
\n
Site-ID: unique number for each end of the L2VPN. Used to calculate vpn label
Label-Block: can advertise a range of vpn labels for multiple AC at the same time (efficiency): label base, label size, label offset<\/p>\n\n\n\n
typo 0: 2byASN:4byNumber:IPPrefix
type 1: 4byLo0:2byNumber:IPPrefix -> great for LB and fast failover. Because eachc PE advertise the prefx with its LO in thhe RD so the RR will see always different vpnv4 prefixes.
type 2: 4byASN:2byNumber:IPPrefix<\/p>\n\n\n\n
————— –
RD Site-ID<\/p>\n\n\n\n
bgp.l2vpn.0 -> instance_name.l2vpn.0<\/p>\n\n\n\n
RD, CE-ID, Label Block offset, size, base<\/p>\n\n\n\nL2VPN Config<\/h2>\n\n\n\n
IGP in backbone, 2xLSP between PEs, “family l2vpn signaling” between PEs\/RR<\/p>\n\n\n\n
set interface ge-0\/0\/0 encapsulation ethernet-ccc => AC is in”Ethernet Mode” pseduo-wire (all tags are part of payload)
unit 0<\/p>\n\n\n\n
set routing-instances L2VPN-NAME instance type l2vpn interface ge-0\/0\/9.0 route-distinguier LoIP:xxx vrf-target target:ASN:xxx
protocols l2vpn encapsulation-type ethernet
site NAME site-identifier 1 interface ge-0\/0\/9.0
*remote site-id is implicit: if local is 1, remote is 2 and viceversa<\/p>\n\n\n\n
set interface ge-0\/0\/0 encapsulation extended-vlan-ccc
vlan-tagging
unit 100 vlan-id 100 family ccc
unit 200 vlan-id 200 family ccc
or<\/p>\n\n\n\n
flexible-vlan-tagging
unit 100 vlan-id 100 encapsulation vlan-ccc => pseudo-wire
unit 200 vlan-id 200 family inet address IP\/24 => ipv4<\/p>\n\n\n\n
set routing-instances L2VPN-NAME instance type l2vpn interface ge-0\/0\/9.100 route-distinguier LoIP:xxx vrf-target target:ASN:xxx
protocols l2vpn encapsulation-type ethernet-vlan
site NAME site-identifier 1 interface ge-0\/0\/9.100
*remote site-id is implicit: if local is 1, remote is 2 and viceversa<\/p>\n\n\n\n\n
INSTANCE_NAME.l2vpn.0<\/p>\n\n\n\n
show route table mpls.0 lable LABEL_from_above_command
ccc ge-0\/0\/9.0 detail -> show how PE process incoming traffic in this AC<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\n
802.1q header: tag protocol id (TPID): 0x8100 = single-vlan frame \/ 0x9100 = double-tag frame (QinQ)
* ethernet-ccc (ethernet-mode) any TPID is accpeted
* extendended-vlan-ccc (ethernet-vlan) only allows 0x8100 \/ 0x9100<\/p>\n\n\n\nL2VPN Troubleshooting<\/h2>\n\n\n\n
show l2vpn connections instance XXX -> no connections found<\/p>\n\n\n\n
show l2vpn connections instance XXX -> no connections found<\/p>\n\n\n\n
show l2vpn connections instance XXX -> encapsulation mismatch (EM)<\/p>\n\n\n\n
show l2vpn connections instance XXX -> doesnt show any issue. vlan tag are not exchanged!
check interface config<\/p>\n\n\n\n
show l2vpn connections instance XXX -> LD: local site signaled is down \/ or RD: remote site is down<\/p>\n\n\n\n
show l2vpn connections instance XXX -> OR: out of range (range = range of labels in the label base, site-id is used to calculate the vpn label)<\/p>\n\n\n\nL2VPN Site-ID, Label Base, Overprovisioning<\/h2>\n\n\n\n
Label Block: one routing-instance, one bgp adv with one block labels -> remote site can calculate label from the block based on site-id<\/p>\n\n\n\n\n
*labels are only significant to the originating router<\/p>\n\n\n\n
set interface ge-0\/0\/9 vlan-tagging
encapsulation extended-vlan-ccc
unit 200 vlan-id 200 family ccc
unit 500 vlan-id 500 family ccc<\/p>\n\n\n\n
set routing-instances XXX instance-type l2vpn
interface ge-0\/0\/9.200
.500
routing-distinguisher LoIP:111
vrf-target target:ASN:111
protocols l2vpn encapsulation-type ethernet-vlan
site ONE
site-identifier 1
interface ge-0\/0\/9.200 remote-site-id 4
site EIGHT
site-identifier 8
interface ge-0\/0\/9.500 remote-site-id 3<\/p>\n\n\n\n
range=number of interfaces configured?<\/p>\n\n\n\n\n
set routing-instances XXX instance-type l2vpn
interface ge-0\/0\/9.200
.300
routing-distinguisher LoIP:111
vrf-target target:ASN:111
protocols l2vpn encapsulation-type ethernet-vlan
site ONE
site-identifier 1
interface ge-0\/0\/9.200 -> remote-site 2 (becaue loca-site is 1)
interface ge-0\/0\/9.500 -> remote-site 3
\u2026<\/p>\n\n\n\nL2VPN Advanced concepts<\/h2>\n\n\n\n
Multihoming<\/h2>\n\n\n\n
show route table INSTANCE.l2id.0 detail -> BGP status after path selection proces: you an see both paths<\/p>\n\n\n\n
show l2vpn connections instance XXX -> you will see the connection from the backup PE with state “RN” because the primary PE is the DF (designated fw)<\/p>\n\n\n\n
show l2vpn connections -> connections are “LN” local site not designated (AC is shutdown), because primary PE is DF.<\/p>\n\n\n\nMartini Encap<\/h2>\n\n\n\n
Martini Encap = how to send l2 traffic via MPLS pseudowire -> “control word” between mpls label and l2 customer header<\/p>\n\n\n\nNormalization<\/h2>\n\n\n\n
set interface ge-0\/0\/8 vlan-tagging encapsulation flexible-ethernet-services
unit 200 encapsulation vlan-ccc
vlan-id 200
input-vlan-map swap vlan-id 100
outout-vlan-map swap
show interfaces ge-0\/0\/8.200 -> it shows the in\/out swap labels)<\/p>\n\n\n\nOOB RR<\/h2>\n\n\n\n
sol: use inet.0 -> set routing-options resolution rib bgp.l2vpn.0 resolution-ribs inet.0<\/p>\n\n\n\nRT constraint<\/h2>\n\n\n\n
advertising_ASN:RT\/96 (ie: 64512:64512:111\/96)<\/p>\n\n\n\n
set protocols bgp \u2026 family route-target advertise-default = “sends me everything”<\/p>\n\n\n\n
show route table bgp.rtarget.0
0:0:0\/0 –> default RT that says send everything to RR<\/p>\n\n\n\n
set routing-options resolution rib bgp.rtarget.0 resolution-ribs inet.0<\/p>\n\n\n\nL2Circuit LDP signaled Pseuowires (Martini)<\/h2>\n\n\n\n
manual targeted ldp sessions, no auto-discovery (like bgp)<\/p>\n\n\n\n
unit 100 encapsulation vlan-ccc vlan-id 100 (ethernet-vlan encap = each vlan tag is a pesudowire) — identical to L2VPN<\/p>\n\n\n\n
show l2circuit connections [neigbor IP]<\/p>\n\n\n\nL2Circuit troubleshooting<\/h2>\n\n\n\n
VC-Dn = problem with pseueowire -> check ldp
EM = encapsulation mismatch: encapsulation, circuit-id mismatch
NP = hw not present -> customer-id is wrong or interface missing ethernet-ccc or vlan-ccc<\/p>\n\n\n\n
set protocols l2circuit neighbor remote-pe-loIP interface ge-0\/0\/8.0 pseudowire-status-tlv<\/p>\n\n\n\n
show ldp session\/neighbor<\/p>\n\n\n\n
set interfaces ge-0\/0\/9 vlan-tagging encapsulation flexible-ethernet-services
unit 100 encapsulation vlan-ccc
vlan-id 200 !!!!<\/p>\n\n\n\n
set interfaces ge-0\/0\/9 vlan-tagging encapsulation flexible-ethernet-services
unit 100 encapsulation vlan-ccc
vlan-id 100
input-vlan-map swap vlan-id 200
output-vlan-map swap<\/p>\n\n\n\nL2Circuit Advanced<\/h2>\n\n\n\n
each L2Circuit negotiates its own vccv options, sent in FEC (bgp)
cv: connectivity verification: icmp ping, lsp ping (udp 3503), bdf ip\/udp
cc: control channel, somehow needs to avoid PHP. use special control word, inserts a special router label above the pseudowire label<\/p>\n\n\n\n
pseudowire-status-tlv
oam ping-interval 30 ping-multiplier 3 bfd-liveness-detection minimum-interval 1000 multi 5<\/p>\n\n\n\nmultihoming<\/h2>\n\n\n\n
set protocols l2circuit neighbor remote-pe-lo0 interface ge-0\/0\/7.0 virtual-circuit-id X backcup-neibhor remote-pe-backcup-lo0
* by default: no preemption, you can modify that with “revert-time x”<\/p>\n\n\n\n
set protocols l2circuit local-switching interface ge-0\/0\/8.0 end-interface ge-0\/0\/7.0<\/p>\n\n\n\n
set interfaces iw0 unti 0 encapsulation vlan-ccc mtu 1514 vlan-id 610 peer-unit 1
unit 1 encapsulation vlan-ccc mtu 1514 vlan-id 610 peer-unit 0
set protocols l2iw<\/p>\n\n\n\n
protocols l2vpn encapsulation-type ethernet-vlan
site VPNA site-identifier 2 interface iw0.0 remote-site-id 1<\/p>\n\n\n\nFEC129 Pseudowire (no standard): auto-discover pseudowires<\/h2>\n\n\n\n
SAII: surce attachment individual id = source site-id
TAII: target . . . = target site-id
same as L2VPN site-ids<\/p>\n\n\n\n
data plane: ldp uses FEC129, AGI, SAII and TAII<\/p>\n\n\n\n\n
local-address lo0
family l2vpn auto-discovery-only !!!
neihbor remote-pe-lo0<\/p>\n\n\n\n
inteface ge-0\/0\/8.0
interface ge-0\/0\/9.100
route-distinguisher Lo0:num
l2vpn-id l2vpn-id:ASN:xxx *<\/strong>
vrf-target target:ASN:xxx
protocols l2vpn site SITE1 source-attachment-identifier 1
interface ge-0\/0\/8.0 target-attachment-identfier 2
SITE2 source-attachment-identfier 2
interface ge-0\/0\/9.100 target-attachment-identifier 4<\/p>\n\n\n\n
under bgp.l2vpn.0 and INSTNACE.l2vpn.0
NLRI = RD:source-attachmen-id\/96<\/p>\n\n\n\nVPLS Intro – Virtual Private Lan Service<\/h2>\n\n\n\n
pseudo-wire: no mac-learning, p2p, 1 ac per pseudowire
VPLS: SP acts as as switches LAN for customer
MAC learning like a switch
several psuedo-wires
signal: bgp (l2vpn), ldp (l2circuit), fec129<\/p>\n\n\n\n
unknow MAC: avoid loop -> if a PE received an unknow MAC from a remote PE, it only floods into the local CE
-replications can be problematic when having many PE and CE
-multi-homed?<\/p>\n\n\n\n\n
bgp-signalled – L2vpn – kompella: autodiscovery (with RT), RR make scalable, block of labels: 1 bgp adv can signal every pseduowire in a vpls to all remote PEs, each site has Site-ID, rfc 4761<\/p>\n\n\n\nVPLS BGP config<\/h2>\n\n\n\n
1) flexible just in case you use differnent encapsulations<\/p>\n\n\n\n
encapsulation flexible-ethernet-services
unit 300 encapsulation vlan-vpls
vlan-id 300<\/p>\n\n\n\n
encapsulation extendend-vlan-vpls
unit 300 family vpls
vlan-id 300<\/p>\n\n\n\n
set protocols bgp group INT type internal local-address LO-IP
family l2vpn signaling
neighbor remote-PE-LO-or-RR**<\/p>\n\n\n\n
** RT family -> avoid unnecessary RT<\/p>\n\n\n\n
interface ge-0\/0\/8.300
route-distinguisher lo:12345
vrf-target target:asn:12345
protocols vpls no-tunnel-servics -> if you dont have a PIC with tunnel services **
label-block-size x (def=8)
site ONE site-identifier 1 –> this implies is a VPLS BGP
interface ge-0\/0\/8.300<\/p>\n\n\n\n
vt-1\/2\/1.0
without tunnel-services
lsi.1242343 (label-switch-interface)<\/p>\n\n\n\n
show bgp summary -> bgp.l2vpn.0 (all advertisements)
VPLS.l2vpn.0<\/p>\n\n\n\n
-> vpn label = label base + (remote-site-id – offset)
** in vpls, vpn label is not bound to a local customer interface !!! -> second look-up
** by default, bgp assing blocks of 8 labels per-vpls<\/p>\n\n\n\nVPLS LDP config and FEC129<\/h2>\n\n\n\n
!=BGP: ldp in lo.0, manualy specify each neighbor PE (for each vpls), choose vpls-id (similar to virtual-circuit-id), no RT, no RD, no Site-ID<\/p>\n\n\n\n
interface ge-0\/0\/0.100
protocols vpls no-tunnels-services
vpls-id XXX
neighbor lo-PE1<\/p>\n\n\n\n
show vpls connections instance VPLS -> VPLS-Id => LDP signaled!<\/p>\n\n\n\n
!= no needed explicit source\/target attachment identifiers (SAII\/TAII) — they are automatically generated (based on remote lo-pe<\/p>\n\n\n\n
local-address LO-IP
family l2vpn auto-discovery-only
neighbor LO-PE2<\/p>\n\n\n\n
interface ge-0\/0\/0.100
route-distinguisher LO:xxx
l2vpn-id l2vpn-id:asn:xxxx -> FEC129 !!!
vrf-target target:ASN:xxxx
protocols vpls no-tunnel-services<\/p>\n\n\n\nVPLS: default vlan mode<\/h2>\n\n\n\n
-default vlan: one mac table or all interfaces regardless of the VLAN tag
=> an interface in a bridge domain receives ALL broadcast traffic with the original sender;s VLAN tag (even if the CE is in a different vlan! -> CE will drop it though)
-vlan-aware: separated mac tables for each unique vlan configued on a interface
-vlan-normalizing: one mac table for the whole vpls, vlan tags automatically swapped
-no-vlan: one mac table for the whole vpls, vlan tags automatically popped.swpapped<\/p>\n\n\n\n
encapsuation flexible-ethernet-services
unit 200 encapsulation vlan-vpls
vlan-id 200<\/p>\n\n\n\n
encapsuation flexible-ethernet-services
unit 100 encapsulation vlan-vpls
vlan-id 100<\/p>\n\n\n\nVPLS VLAN normalization, vlan-aware, dual-stack vlans<\/h2>\n\n\n\n
set routing-instances VPLS vlan-id all -> that’s it! (in every PE in the VPLS)
show vpls mac-table instance VPLS -> for the same routing-instance NAME you will see severl bridgin domain per VLAN<\/p>\n\n\n\n
set routing-instances VPLS vlan-id 200 (in all PEs in VPLS)
show interfaces ge-0\/0\/0.100 –> VLAN-Tag (xxx) In(swap .200) Out(swap .100) \u2026
show vpls mac-table instance VPLS<\/p>\n\n\n\n
set routing-instances VPLS vlan-id none (in all PEs in VPLS) You may lose CoS info because 802.1q header contains it
show interfaces ge-0\/0\/0.100 –> VLAN-Tag (xxx) In(pop) Out(push .100) \u2026
show vpls mac-table instance VPLS -> Bridging domain: VLAN: none<\/p>\n\n\n\n
set routing-instances VPLS vlan-id all -> that’s it! (in every PE in the VPLS)
set interface ge-0\/0\/0.100 encapsulation vlan-vpls
vlan-tags outer 2000 inner 200
show interfaces ge-0\/0\/0.100 –> VLAN-Tag ( S-tag C-tag) In(pop) Out(push .2000) \u2026<\/p>\n\n\n\n
*set routing-instances VPLS vlan-id X -> QinQ with vlan normalization (in every PE in the VPLS) -> S-tag poped, C-tag normalized
*set routing-instances VPLS vlan-id outer-tag X inner-tag Y -> QinQ with vlan normalization for outer and inner (in every PE in the VPLS)<\/p>\n\n\n\nVPLS Adv features and Troubleshooting<\/h2>\n\n\n\n
set routing-instance VPLS protocols vpls site X automatic-site-id -> PE listen to discover other Site-IDs, chooses one, listen again 30s to double-check is not in use<\/p>\n\n\n\n\n
1- manual site-id are preffered (Automatic site-ids have the A flag control bit set =1)
2- auto advertisements are better than auto-claims
3- highest LP
4- lowest BGP NH
show vpls connections<\/li>\n<\/ul>\n\n\n\n
depends on hw: 5120 macs per vpls. 1024 macs per attachment-circuit. When MAC is over limit: New MACs are not lerned, traffic to those new MACs is flooded
set routing-instances VPLS protocols vpls mac-table-size X [packet-action drop]
set routing-instances VPLS protocols vpls interface-mac-limit Y [packet-action drop] (by default exceed MAC is not dropped)<\/p>\n\n\n\n
set firewall policer POLICER-200k if exceeding bandwidth-limit 200k bust-size-limit 15k then discard
set routing-instances VPLS forwarding-options family vpls flood input FLOOD-CONTROL
show vpls statistics instance VPLS<\/p>\n\n\n\n
shutdown physical CE-facing interface if MAC flaps. pseudowire is never shutdown
set protocols l2-learning global-mac-move threshold-time 3 (for MACs learned for more than 300s)
threshold-count 6 (how many times a MAC can flap in threshold time)
statistical-approach-wait-time 3 (for MAC learned less than 300s)
[interface-recovery-time 300] by default CE-facing interface is shutdown
[cooloff-time 1] if MAC flaps between 3+ interfaces. by default Junos waits 30s befor shutddwon addtional interfaces
[virtual-mac MAC] list of MAC to exclude from MAC flapping protection like VRRP<\/p>\n\n\n\n
set interfaces irb.300 family inet address IP vrrp-group 10 virtual-address VIP priority 110 -> each PE will have different priority !!!!
set routing-instance VPLS instance-type vpls
vlan-id 300
interface ge-0\/0\/0.300
routing-interface irb.300 (irb can be in vpls and l3vpn)
show vpls connections extensive -> shows if there is an IRB in VPLS<\/p>\n\n\n\n
set routing-instances VPLS provider-tunnel rsvp-te label-switched-path-template default-template => enable p2mp lsp!! only in BGP-signaled VPLS!
show rsvp session -> p2mp lsp name convention: DstPE_LOip:RD(loIP:xxx):vpls:routing-instance-name. Only one label!!!
show route table mpls.0 lable XXX
(lsi = label switch interface – virtual interface created so MAC addresses can be associated with a particular pseudowire in VPLS)<\/p>\n\n\n\n
set routing-instances INTERW instance-type vpls
vrf-target target:ASN:xxx
route-distinguisher LOIP:xxx
protocols vpls site BORDER site-identifier 2
mesh-group LDP-SIGNALED vpls-id 123 (this is the key config)
neighbor LO-IP-PE-peer<\/p>\n\n\n\n
*In L2VPNs, there is a single pseudowire for a mapping between local attachment circuit and a remote attachment circuit
In BGP VPLS, there is a single pseudowire for a local site to a remote site, and there is a any2any mapping of local interface to remote interface
A PE makes a pseudowire for each local site, to each remote site -> this can create loops for BU traffic -> solution: just use one pseudowire that is shared by the local sites<\/p>\n\n\n\n\n
VPLS Multihoming (loop prevention)<\/h2>\n\n\n\n
BGP-VPLS<\/h2>\n\n\n\n
PE primary
set routing-instance VPLS interface ge-0\/0\/0.300
route-distinguisher LO:12345
protocols vpls site FOUR multi-homing
site-identifier 4
site-preference primary -> LP=65535
interface ge-0\/0\/0.300<\/p>\n\n\n\n
set routing-instance VPLS interface ge-0\/0\/0.300
route-distinguisher LO:12345
protocols vpls site FOUR multi-homing
site-identifier 4
site-preference backuo -> LP=1
interface ge-0\/0\/0.300
show vpls connections instance VPLS -> status LN = local site not designated = you are the backup, lost DF election -> no getting tunnels to other VPLS sites<\/p>\n\n\n\n
show route table VPLS.l2vpn.0 -> you will see the diff LP!
show vpls connections instance VPLS -> you will only see the pseudowire to the primary PE<\/p>\n\n\n\n\n
set routing-instance VPLS interface ge-0\/0\/0.300
interface ge-0\/0.1.200
route-distinguisher LO:12345
protocols vpls site TWO site-identifer 2 -> this pseudowire will come-up
interface ge-0\/0\/1.200
FOUR multi-homing
site-identifier 4 -> this pseudowire will not come-up, will use site-2
site-preference primary -> LP=65535
interface ge-0\/0\/0.300 PE remote
show vpls connections instances VPLS -> for Site 2, you will see Up but for Site 4, you will see RM (remote-site-ID not minimum designated) 3) Best site: overrides the default election of signaling the pseudowire with the lowest site-id
=> use best-site with a dummy site-id that has no interfaces!!! => you will have a pseudowire always up between PEs no matter which site is up or down in the PE. So each PE has a dummy site-id. PE multihome + singlehome + dummy site
set routing-instance VPLS interface ge-0\/0\/0.300
interface ge-0\/0.1.200
route-distinguisher LO:12345
protocols vpls site TWO site-identifer 2
interface ge-0\/0\/1.200
FOUR multi-homing
site-identifier 4
site-preference primary
interface ge-0\/0\/0.300
NINE_NINE_ONE site-identifer 991
best-site -> this pseudowire will be always up and shared by the other sites in the PE
mac-flush PE remote
show vpls connections instance VPLS -> only your dummy local-site will have connections up or RB (for the multihome not best-site), the other local-site will show connections as LB = Local site not best-site best-site is advertised via control-flaps in the L2 info BGP community:
it uses:
down-bit: signals if a CE is up or down
flush-bit: flushes MAC addresses
best-site bit: bit for the best site, not officially assigned!!!<\/li>\n<\/ul>\n\n\n\nLDP-VPLS<\/h2>\n\n\n\n
set routing-instances VPLS \u2026
protocols vpls vpls-id 123
neighbor LO-PE2 revert-time 5
backup-neihbor lO-PE3 standby<\/p>\n\n\n\nset routing-instances VPLS-MSTP\n instance-type layer-control !!!!\n interface ge-0\/0\/1.100\n interface ge-0\/0\/2.100 \n protocols mstp configuration-name SITE1\n revision-level 1\n interface ge-0\/0\/1\n interface ge-0\/0\/2\n msti 1 vlan 1-4094<\/code><\/pre>\n\n\n\nLAB: LDP-VPLS, BGP-VPLS.<\/h2>\n\n\n\n
EVPN INTRO (RFC 7432)<\/h2>\n\n\n\n
BGP RT to autodiscovery, no flood-and-learn. remote MACs learnt via control-plane <- PE snoop ARPs to learn MAC-IP and advertise via bgp PE can answer local ARP request for remote MACs = ARP supression allow\/reject MAC -> routing policy.
MAC mobility protection:<\/p>\n\n\n\n
sAFI=80=evpn<\/p>\n\n\n\nEVPN Using BGP to Advertise MACs and to Flood Traffic<\/h2>\n\n\n\n
EVPN Types
type1: ethernet auto-discovery route
type2: mac\/ip advertisement route <- arp snooping: it sends 2xtype2: one with MAC only and other with MAC\/IP
type3: inclusive multicast ethernet tag route (BUM traffic)
type4: ethernet segment route<\/p>\n\n\n\n\n
MAC, Vlan tag and VPN label is enough<\/li>\n<\/ul>\n\n\n\n
contains PMSI attribute -> that is a path attribute inthe BGP update message. It has a unique MPLS label (different from typ2). Tunnel type is Ingress Replication (sending PE replicates the flood packet for each remote PE, instead of using multicast)
type3 content is quite short. most things are in the PMSI section<\/p>\n\n\n\n
one for flood traffic “per” bridge domain (ie 4 bridge domains -> 4 unique vpn labels)<\/p>\n\n\n\nEVPN Configuring a Single-Homed VLAN-Based EVI<\/h2>\n\n\n\n
ISIS\/OSPF all PEs-RR
MPLS LSP between PEs (RR can be oob of the mpls path -> must do: set routing-options resolution rib bgp.evpn.0 resolution-ribs inet.0 (RR must resolve NH in inet0 instead of inet3 because it is not in the MPLS path)
FW filters: bpg, igp, ldp\/rsvp
LB: set policy-options policy-statement LB then load-balance per-packet
set routing-options forwarding-table export LB<\/p>\n\n\n\n
inet-vpn unicast –> optional for L3VPN!<\/p>\n\n\n\n
only one vlan-id
one single bridge domain with automatic vlan normalization (it doesnt matter what vlan tag you configure on the various customer-facing interfaces)<\/p>\n\n\n\nset routing-instance BLUE instance-type evpn\n vlan-id 90\n inteface ge-0\/0\/0.90\n route-distinguisher LO:90\n vrf-target target:ASN:90\n protocols evpn\n\/\/ MX l2 interface\nset interface ge-0\/0\/0 flexible-vlan-tagging\n encapsuation flexible-ethernet-services\n unit 90 encapsulation vlan-bridge\n vlan-id 90\n family-bridge\n\nshow bgp summary\n\nshow route table bgp.evpn.0 match-prefix \"2:RD:*\"\n 2:RD(lo:vlan)::ethe-tag(vlan-id)::(mac|mac::ip)\/304\n 3:RD(lo:vlan)::ethe-tag(vlan-id)::sender-pe-lo\/248\n\nshow evpn instance BLUE extensive (very long!)\n\nshow evpn database\n\nshow evpn mac-table (for vlan-based evi \/ instance-type evpn)\n\nshow bridge mac-table (for vlan-aware evi \/ instance-type virtual-switch) <\/code><\/pre>\n\n\n\n
as many bridge domains as you like
each bridge domain is aware of the vlans it hosts<\/p>\n\n\n\nEVPN Configuring a Single-Homed VLAN-aware bundle EVI<\/h2>\n\n\n\n
interface ge-0\/0\/0.1245
interface ge-0\/0\/1.3525
route-distinguisher lo:aaa
vrf-target target:asn:aaa
protocols evpn extended-vlan-list [ 50 60 70 ]
bridge-domains v50 vlan-id 50
v60 vlan-id 60
v70 vlan-id 70<\/p>\n\n\n\n
encapsulation flexible-ethernet-service
unit 1245 family bridge interface-mode trunk
vlan-id-list [ 50 60 70 ]<\/p>\n\n\n\nEVPN Multihoming Configuration and Type 4 Routes (Ethernet Segment: advertise PEs in a ES, and choose DF) Prevent loops when traffic comes from remote PE<\/h2>\n\n\n\n
set chassis aggregated-devices ethernet device-count 1<\/p>\n\n\n\n
set interfaces ge-0\/0\/1 gigether-options 802.3ad ae0 ->to PE2<\/p>\n\n\n\n
mac xx:xx:xx:00:02:30 (optional)
aggregated-ether-options lacp active
unit 11 vlan-id 11
family-inet address IP\/24<\/p>\n\n\n\n
set chassis aggregated-devices ethernet device-count 1<\/p>\n\n\n\n
encapsulation flexible-ethernet-services -> each unit can use any service: vpls, evpn, etc
aggregated-ether-options lacp system-id xx:xx:xx:xx:xx:xx (same in both PEs!)
esi 00:xx:xx:xx:xx:xx:xx:xx:xx:xx all-active (same in both PEs) (if ESI all zero -> single-home)
unit 90 encapsulation vlan-bridge
vlan-id 90
family bridge
unit 1234 family bridge interface-mode trunk
vlan-id-list 11-14<\/p>\n\n\n\n
show evpn instance NAME designated-forwarder
show route table bgp.evpn.0 match-prefix “4:*” [detail] -> 4::ESI:PE_loIP\/296<\/p>\n\n\n\n\n
multihomed CE send BUM to both PE2\/3 ech EVI has A DF<\/p>\n\n\n\nEVPN Multihoming Features Using Type 1 Routes (Ethernet Auto-Discovery: accepted by every PE in the VPN, not just the ES) Prevent loops when traffic comes from local-CE<\/h2>\n\n\n\n
3 pieces: advertise RT of each EVI in ES, special ESI MPLS Label community to avoid loops (all-active=0, be careful with 20b vs 24b), ESI and MPLS Label = 0 (the actual label is the ESI MPLS label) !!!
two functions: Mass MAC withdrawal: PE withdraws its type1 per-ES when the CE-link goes down. So remote PE uses other type1 for that segment. This is quicker than sendng one type2 withdraw for each MAC in the segment.
Loop prevention: PE-3 received BUM from CE, it sends to PE-2 (that is in ES), but PE-2 doesnt send the BUM to the CE because the ESI in the type1, it sends it to other different ESI (= split horizon filtering). Keep in mind that there are 3 labels here: bottom = ESI label, medium = VPN label, top = Transport label.
**Per-EVI: multiple type1 sent, one per EVPN instance in ES: MPLS Label != 0 !!!!
twp functions: Enable remote-PEs to LB to all-active ESI = aliasing (if the receiver PE doesnt now the MAC, still can forward it)
faster failover in single-active ESI = backup path
You need both type1 AD
1st: type AD per-ES: remote-PE know about the ES exists
2nd: type AD per-EVI: remote-PE can send traffic to devices connected to ESI<\/p>\n\n\n\n\n
show evpn database instance GREEN -> if “Active Source” = ESI -> it can LB<\/p>\n<\/blockquote>\n\n\n\nEVPN MAC Mobility and IRB Interfaces<\/h2>\n\n\n\n
show evpn database extensive mac-address MAC instance EXAMPLE
set routing-instance EXAMPLE protocols evpn duplicate-mac-detection detection-threshol 4 detection-window 180 auto-recovery-time 300 (default 0 -> manual recovery)<\/p>\n\n\n\n\n
set interfaces irb unit 50 family inet address 10.50.0.1\/24 mac 00:00:10:50:00:01
set routing-instancces GREEM bridge-domains v50 routing-interface irb.50
protocols evpn default-gateway advertise (default)
PE2
set interfaces irb unit 50 family inet address 10.50.0.2\/24 mac 00:00:10:50:00:02
idem show route table bgp.evpn.0 match-prefix 2:(RD:lo:x)::vlan::MACirb::IPirb detail
show bridge evpn peer-gateway-macs -> list of all automatic-gateways MACs received
show evpn instance extensive trade-off: migrated VMs lose their gw IF the original PE goes down<\/li>\n\n\n\n
set interfac irb unit 50 family inet address 10.50.0.1\/24 mac 00:00:10:50:00:01
set routing-instances GREEN protocols evpn default-gateway do-not-advetise
bridge-domains v50 routing-interface irb.50 show evpn instance GREEN extensive (no default gw MAC advertisement !!!) trade-off: mgmt is limited because all PE irb have the same IP<\/li>\n\n\n\n
set interfaces irb unit 50 family inet address 10.50.0.1\/24 virtual-gateway-adress 10.50.0.254
set routing-instance GREEM protocos evpn default-gateway no-gateway-community -> type2 is generated for irb unique IP but withtou cmmunity
bridge-domains v50 routing-interface irb.50
PE2
set interfaces irb unit 50 family inet address 10.50.0.2\/24 virtual-gateway-adress 10.50.0.254
idem trade-off: a bit more complex, use more IPs and MAC table increases<\/li>\n<\/ul>\n\n\n\nEVPN Integration with L3VPNs (COMPLEX !!!! chained composite next hop -> efficiency in PFE: can rewrite big ammount of entries when NH (PE failover\/changes)<\/h2>\n\n\n\n
interface irb.50
route-distinguisher LO:xxx vrf-target target:asn:xxx vrf-table-lable (one-label for entire vrf)<\/p>\n\n\n\n
1x EVPN type2 MAC+IP idem
1x l3vpn \/32 (useful for PE that dont talk evpn)<\/p>\n\n\n\n
detail -> “Composite Next Hop”<\/p>\n\n\n\n
evpn-vpws (virtual private wire services) evpn signals pseudo-wires, no mac learning. only type1\/4 (no type2), active\/active multihoming
evpn-etree: hub-spoke, prevent spoke-to-spoke, no need for routing-policies or asym RTs<\/p>\n\n\n\nInter-AS MPLS VPNs (complex but interesting, I think i understand it)<\/h2>\n\n\n\n
A: treat the other AS like a regular customer site so it is added to the VRF. No unique config required. Trade-off: extensive config to maintain (routes and MAC to learn)
From AS1, the ASBR from AS2 is like a CE, and viceversa. No MPLS between the devices, just VLAN multiplexing<\/p>\n\n\n\n
Good: no vrfs in ASBR, no large LFIB in ASBR
trade-off: complicated, increase label stackc<\/p>\n\n\n\n
There are three LSP, one inside AS1, other between ASBRs and other in AS2.
PEs (inter AS!!) talk “family l2vpn signaling + eBGP!!”.
PES and its ASBR talk “family inet labeled-unicast + iBGP!!!”
ASBRs talk “family inet labeled-unicast + eBGP!!”
three label stack: top: transport to ASBR
middle: bgp-lu label processed by ASBR, and then swapped to send it to neigbbor ASBR
bottom: vpn label.<\/p>\n\n\n\n
set routing-instances L2VPN-1 instance-type l2vpn
interface ge-0\/0\/6.620
route-distinguisher lo:asn
vrf-target target:asn:xxx
protocols l2vpn encapsulation-type ethernet-vlan
site CE1 site-identifier 1
interface ge-0\/0\/6.620 remote-site-id 2
set protocols bgp group INTERNAL type internal (no export policies!)
local-address lo
family inet labeled-unicast resolve-vpn (copies bpg-lu from inet.0 to inet.3 -> PE1 can use PE2-lo to resolve vpn prefixes)
neighbor ASBR-1-lo
EXTERNAL type external (to remote PEs in AS2)
multihop
local-address lo
family l2vpn signaling
peer-as AS2
neighbor PE2-AS2-lo<\/p>\n\n\n\n
PE2-AS2-LO –> you wil see bgp.l2vpn.0 and L2VPN-1.l2vpn.0 prefixes !!!
table mpls.0 -> you will see three labels to PE2-AS2
show l2vpn connections<\/p>\n\n\n\n
set protocols bgp group INTERNAL type internal ** when new label is generated, NH is changed !!! for that reason dont need next-hop-self here!
local-address lo
family inet labeled unicast
neighbor PE1-lo
EXTERNAL type external
family inet labeled unicast
export AS1-PE-LO-EXPORT
peer AS2
neighbor ASBR2-physical-ip<\/p>\n\n\n\n
interface all<\/p>\n\n\n\n
BGP-LU ibgp: cust-pe1 <> cut-asbr1
BGP-LU ebgp: cust-asbr1 <> coc-asbr1
BGP-LU ibgp: coc-asbr1 <> coc-asbr2
BGP-LU ebgp: coc-asbr2 <> cust-asbr2
BGP-LU ibgp: cust-asbr2 <> cust-pe2<\/p>\n\n\n\n
LSP coc-asbr1 <> coc-asbr2
LSP cust-asbr <> cust-pe2<\/p>\n\n\n\n
set routing-instances L2VPN-1 instance-type l2vpn
interface ge-0\/0\/6.620
route-distinguisher lo:asn
vrf-target target:asn:xxx
protocols l2vpn encapsulation-type ethernet-vlan
site CE1 site-identifier 1
interface ge-0\/0\/6.620 remote-site-id 2
set protocols bgp group CUST-AS2 type external
multihop
local-address lo
family l2vpn signalinb
peer-as AS2
neighbor CUST-PE2-lo
INTERNAL type internal
local-address cust-pe1-lo
family inet labeled-unicast resolve-vpn (copies bgp-lu from inet.0 to inet.3)
neighbor cust-asbr1-lo<\/p>\n\n\n\n
CUST-PE2-LO -> bgp.l2vpn.0 and L2VPN-1.l2vpn.0
show l2vpn connections<\/p>\n\n\n\n
set protocols bgp group COC-SP type external
family inet labeled unicast
export CUST-PE-LO-EXPORT
peer-as COC-ASN
neighbor coc-asbr1-phy-ip
INTERNAL type internal
local-address cust-asbr1-lo
family inet labeled-unicast)
neighbor cust-pe1-lo<\/p>\n\n\n\n
** no need of NH-self like in option-C because when advertising a new label, NH is updated automcatically ebgp->ibgp
** in real world, the COC puts CUST into a L3VPN to keep separation.
set protocols bgp group CUST type external
family inet labeled unicast
peer-as CUST
neighbor cust-asbr1-phy-ip
INTERNAL type internal
local-address coc-asbr1-lo
family inet labeled-unicast
neighbor coc-asbr2-lo<\/p>\n\n\n\nCircuit Cross-Connect (ccc)<\/h2>\n\n\n\n
upside: just one label<\/p>\n\n\n\n
set protocols connetions remote-interface-switch CCC1 interface ge-0\/0\/9.300
transmit-lsp LSP_CEA-to_CEB
receive-lsp LSP_CEB-to_CEA
pe2:
set protocols connetions remote-interface-switch CCC1 interface ge-0\/0\/8.300
transmit-lsp LSP_CEB-to_CEA
receive-lsp LSP_CEA-to_CEB<\/p>\n\n\n\n
encapsulation extended-vlan-ccc
unit 300 vlan-id 300
unit 300 family ccc
9 idem<\/p>\n\n\n\n
interface ge-0\/0\/9.300<\/p>\n\n\n\n
set protocols connections lsp-switch pe1-to-pe2 transmit-lsp abr-to-pe2
receive-lsp pe1-to-abr
pe2-to-pe1 transmit-lsp abr-to-pe1
receive-lsp pe2-to-abr
** you need to define the LSP !!!<\/p>\n\n\n\nMultisegment Pseudowires: RFC 6073<\/h2>\n\n\n\n
S-PE: Switching PE = PE that stitches two segments (ABR)<\/p>\n\n\n\n
MS-PW: multi-segment pseudowire: set of pw segments that function as a single p2p pw. VPN label changes<\/p>\n\n\n\n
BGP autodiscover the router at the other end of the segment.
T-PE only needs to see the next S-PE in the path
LDP exchange VPN label for the specific segment: S-PEs swap vpn labels between segments
LSP between S-PEs (ABRs)
family l2vpn autodiscovery-mspw: 3xLSP: T-PEX1 <> S-PEX2 (ibgp), S-PEX2 <> S-PEY2 (ebgp), S-PEY2 <> T-PEY1 (ibgp)<\/p>\n\n\n\n
set routing-instances MS1 instance-type l2vpn
interface ge-0\/0\/9.0
route-distinguisher LO:200
l2vpn-id l2vpn-id:ASN:200
vrf-target target:ASN:200
protocols l2vpn site CE1 source-attachment-identifier 200:200:1 => Type 2 AII !!!
interface ge-0\/0\/9.0 target-attachment-identifier 200:200:2
pseudowire-status-tlv
set protocols bgp group INT type internal
local-address LO
family l2vpn auto-discovery-mspw
neigbor LO-S-PEX2<\/p>\n\n\n\n
show l2vpn connections extensive –> l2vpn-id = FEC129 + segments<\/p>\n\n\n\n
set protocols bgp group INT type internal
local-address LO
family l2vpn auto-discovery-mspw
export NH-SELF
neighbor LO-T-PEX1
group EXT type external
multihop ttl 1
local-address LO-S-PEX2
family l2vpn auto-discovery-mspw
peer-as AS2
neighbor LO-S-PEY2<\/p>\n\n\n\n
lo.0
rsvp interface ge-To-S-PEY2
mpls label-switched-path TO-S-PEY2 to LO-S-PEY2, no-cspf
interface ge-TO-T-PEX1 ??
interface ge-TO-S-PEY2 ??<\/p>\n\n\n\n
LO-S-PEY2<\/p>\n\n\n\nVPLS Hub and Spoke Topologies<\/h2>\n\n\n\n
** asymmetric RT: by deault all PEs in the VPLS use the same RT
H&S: Hub PE sends RT1 to Spoke PEs
Spoke PEs send RT2 to Hub PE, onl accepted by Hub PE!
HUB PE
set policy-options community Hub2Spoke members target:ASN:123
Spoke2Hub members target:ASN:456
policy-statement ADVERT-H2S term h2s then community add Hub2Spoke, accept
RECEIVE-S2H term accept-spoke from community Spoke2Hub then accept
reject then reject<\/p>\n\n\n\n set routing-instances VPLS_HS vrf-import RECEIVE-S2H\n vrf-export ADVERT-H2S\n\n show vpls connections instance VPLS_HS --> nothing new here<\/code><\/pre>\n\n\n\n
set policy-options community Hub2Spoke members target:ASN:123
Spoke2Hub members target:ASN:456
policy-statement ADVERT-S2H term s2h then community add Spoke2Hub, accept
RECEIVE-H2S term accept-hub from community Hub2Spoke then accept
reject then reject
set routing-instances VPLS_HS vrf-import RECEIVE-H2S
vrf-export ADVERT-S2H
no-local-switching<\/p>\n\n\n\n show vpls connections instance VPLS_HS --> connection-site: only to Hub PE<\/code><\/pre>\n\n\n\n
Hub PE has site-id 1.<\/p>\n\n\n\n
set routing-instances VPLS_HS instance-type vpls
no-local-switching
vrf-target target:asn:123
protocols vpls site-range 1
no-tunnel-services
site N20
site-identifier 20<\/p>\n\n\n\n show vpls connections instances VPLS_HS -> the connections to other PE spkes are in OR=Out of range !!!<\/code><\/pre>\n\n\n\n
spoke-PE = MTU-s = multitenant unit switch
hub-PE = PE-rs = PE routing and switching (RFC 4762)<\/p>\n\n\n\n
set routing-instances VPLS_HS instance-type vpls
vlan-id all
interface ge-0\/0\/8.0
protocols vpls no-tunnel-service
vpls-id 1234
neighbor PE1-S-lo
neighbor PE2-S-lo<\/p>\n\n\n\nset interface ge-0\/0\/8 (CE) encapsulation ethernet-vpls unit 0 famiy vpls\n\nshow vpls connections instances VPLS_HS\nshow vpls mac-table instance VPLS_HS\n\n***if you want spoke2spoke via hub: create mesh group in HUb \nset routing-instances VPLS_HS instance-type vpls\n vlan-id all\n interface ge-0\/0\/8.0\n protocols vpls no-tunnel-service\n mesh-group L2-circuits <----\n vpls-id 1234\n local-switching <------\n neighbor PE1-S-lo\n neighbor PE2-S-lo<\/code><\/pre>\n\n\n\n
set protocols l2circuit neighbor PE1-S-lo interface ge-0\/0\/8.0 virtcual-circuit-id 1234 (matches vpls-id in HUB !!!!)<\/p>\n\n\n\nset interface ge-0\/0\/8 (CE) encapsulation ethernet-ccc unit 0\n\nshow l2circuit connections<\/code><\/pre>\n\n\n\n
Junos Layer 3 VPNs On-Demand
=========================================<\/p>\n\n\n\nRefresher VPNs and MPLS: LDP (automatic LSP via IGP), RSVP (manual LSP but with TE). LSP between PEs. LSP are unidirect<\/h2>\n\n\n\n
Layer 3 VPNs Overview<\/h2>\n\n\n\n
type1: 4B IP (PE-lo) + 2B number (best for CE multihome because a RR would see two different vpnv4)
type2: 4B ASN + 2B number<\/p>\n\n\n\nLayer 3 VPNs Operation Characteristics<\/h2>\n\n\n\n
RT: vrf-target
inner label: advertised by BGP (vrf lable)
outer label: advertised by LDP, RSVP. (transport label)<\/p>\n\n\n\nLayer 3 VPN Configuration<\/h2>\n\n\n\n
isis or ospf<\/p>\n\n\n\n
set protocols bgp group IBGP type internal
family inet-vpn unicast
local-address LO
neighbor PEx-LO<\/p>\n\n\n\n
set interfaces X unit 0 family mpls
set protocols mpls interface X
set protocols ldp interface X
lo0
show mpls interface
show ldp interface<\/p>\n\n\n\n
inet.0 – igp and bgp
inet.3 – rsvp\/ldp routes used to resolve BGP nh
mpls.0 – all labels + actions
bgp.l3vpn.0 – all vpnv4 received from remote PEs. NH resolved using inet.3
.inet.0 –<\/p>\n\n\n\n
interface ge-1\/0\/4.0 (PE-CE)
route-distinguisher LO:xxx
vrf-target target:asn:xxx (should match remote-PE) \/\/ you can use vrf-import\/export policies
protocols bgp group G1 type external
peer ASG1
neighbir CE-IP
import IMPORT-G1
**routing-option autonomous-system ASX indepedent-domain (optional: customer attributes preserved using ATTRSET)
**as-override: when CEs are in the same ASN<\/p>\n\n\n\n
set policy-options community SoO members origin:LO:yyy<\/p>\n\n\n\nLayer 3 VPN Verification<\/h2>\n\n\n\n
show route table bgp.l3vpn.0
show route receive\/advertised-route
show route forwarding-table vpn VPN<\/p>\n\n\n\n
by default: egress PE label allocaton is per NH. IP header is not evaluated for fw in egree PE
vrf-table-label: egrees PE label is per VRF, IP header is used for fw after popping mpls label<\/p>\n\n\n\nOSPF as the PE-to-CE Protocol (rfc4577)<\/h2>\n\n\n\n
OSPF needs a export policy !!! (bgp doesnt automaticallu redistribute to ospf)<\/p>\n\n\n\n
interface ge-0\/0\/9.0
route-distinguisher lo:123
vrf-target target:asn:123
protocols ospf area 0.0.0.0 interface ge-0\/0\/9.0
export CUST_BGP_TO_OSPF (this creates LSA-5 external!)<\/p>\n\n\n\n
lsa2 network: when in multiaccess network, only advertise 1 connection to “pseudonode”, not to each other.
lsa1\/2 stay in the area
lsa3 summary: generated by ABR, and stays within an area. Other ABR regenerate the lsa3
lsa5 external: generated by ASBR, ABR doesnt change it.<\/p>\n\n\n\n
route-type: rte-type:area:lsa_type:lsa5_external(1=ext-type2,0=ext-type1)
domain-id: if source and remote domain-id are different -> PE generates lsa5. By default domain-id=null=0.0.0.0
equal -> PE generates lsa3<\/p>\n\n\n\nOSPF Optimal Routing (DN bit) ***<\/h2>\n\n\n\n
*PE sets DN bit on any lsa3\/5 generates –> LSA with this bit are never readvertisd back to the vpn
*vpn route-tag only used for legacy devices can’t set DN in lsa5 -> vpn route-tag=32b based on SP ASN
set routing-instances VPNA protocols ospf domain-vpn-tag XXXX (only if 4B-ASN!)
no-domain-vpn-tag (disable vpn-tag and DN bit!)<\/p>\n\n\n\n
set routing-instance VPNA interface lo0.1
protocols ospf area 0.0.0.0 interface lo0.1
area 0.0.0.0 sham-link-remote PE3-lo0.1-IP metric 10
sham-link local IP1<\/p>\n\n\n\nRoute Leaking **<\/h2>\n\n\n\n
**auto-export: PE analyzes vrf-import\/expor policies and vrf-target and copies VPN routes that match that
set routing-instances VPNA vrt-target target:asn:123 !!! the same RT in both VRFs!
routing-options auto-export
VPNB vrf-target target:asn:123 !!!
routing-options auto-export<\/p>\n\n\n\n
set routing-options rib-groups A2B import-rib [ VPNA.inet.0 VPNB.inet.0 ]
B2A import-rib [ VPNB.inet.0 VPNA.inet.0 ]
set routing-instances VPNA routing-options interface-routes rib-group inet A2B
protocols bgp group EXT family inet unicast rib-group A2B
VPNb routing-options interface-routes rib.group inet B2A
protocols bgp group EXT family inet unicast rib-group B2A<\/p>\n\n\n\nHub-and-Spoke Topologies<\/h2>\n\n\n\n
CE spokes advertise prefixes with spoke-RT
CE Hub leanrs that and readvertise with hub-RT to spoke sites<\/p>\n\n\n\n
set routing-instances VPNA instance-type vrf
interface ge-0\/0\/0.0
route-distinguisher lo0:xx
vrf-import VPNA-import !!!
vrf-export VPNA-export !!!
protocols bgp group EXT type external
peer-as HUB
as-override
neighbor HUB-lo0<\/p>\n\n\n\n
2 then reject
VPNA-export term 1 from protocol [bgp static direct] then community add spoke, accept
2 then reject<\/p>\n\n\n\n community hub members target:ASN:100\n spoke memebers target:ASN:101<\/code><\/pre>\n\n\n\n
set interfaces ge-0\/0\/0 vlan-tagging unit 0 vlan-id 100 \/\/ SPOKE
family inet adress 10.0.29.1\/24
unit 1 vlan-id 101 \/\/ HUB
family inet address 10.0.30.1\/24<\/p>\n\n\n\n
routing-options autonomouns-system loops 2 !!!!
interface ge-0\/0\/0.1
route-distinguisher lo0:xx
vrf-import null !!!
vrf-export hub-out !!!
protocols bgp group EXT type external
peer-as SPOKE
as-override
neighbor spoke-PE-lo0
SPOKE instance-type vrf
routing-options autonomouns-system loops 2 !!!!
interface ge-0\/0\/0.0
route-distinguisher lo0:xx
vrf-import spoke-in !!!
vrf-export null !!!
protocols bgp group EXT type external
peer-as SPOKE
as-override !!!!
neighbor spoke-PE-lo0<\/p>\n\n\n\n hub-out term 1 from protocol bgp then community add hub, accept\n\n null term 1 then reject\n\n community hub members target:ASN:100\n spoke memebers target:ASN:101<\/code><\/pre>\n\n\n\nLayer 3 VPN CoS (need to repeat, it didnt follow)<\/h2>\n\n\n\n
firewall filter<\/p>\n\n\n\n
set firewall family inet filter exp-class term 1 from source IP\/16 then forwarding-class assured-forwarding
loss-priority high
2 then accept
set interface ge-0\/0\/2 unit 0 family inet filter input exp-class (interface to CE)
address ip\/30<\/p>\n\n\n\n
best-effort loss-priority low code-point 000
expedite-forwarding loss-priority high code-point 111
network-control loss-priority high code-point 001<\/p>\n\n\n\n schedulers af transmit-rate percent 50\n priority high\n be transmit-rate remainder\n priority low\n ef transmit-rate percent 20\n pririty high\n nc transmit-rate percent 10\n pririty high\n\n scheduler-maps VPN-map forwarding-class assured-forwarding scheduler af\n forwarding-class best-effort scheduler be\n forwarding-class expedited-forwarding scheduler ef\n forwarding-class network-control scheduler nc\n\n rewrite-rules exp VPN-rewrite forwarding-class assured-forwarding loss-priority high code-point 101\n best-effor loss-priority low code-point 000\n expedited-forwarding loss-priority high code-point 111\n network-control loss-priority high code-point 001 \n\n interfaces ge-0\/0\/0 unit 0 classifiers exp VPN-class (link to another PE\/P!!)\n rewrite-rules exp VPN-rewrite<\/code><\/pre>\n\n\n\n
set policy-options policy-statement MAP term 1 from community GOLD then install-nexthop lsp PE1_PE2, accept
2 from community SILBER then install-nexthop lsp PE1_PE3, accept<\/p>\n\n\n\nLayer 3 VPN Protection Mechanisms<\/h2>\n\n\n\n
set policy-options policy-statement LB then load-balance per-packet
set routing-options forwarding-table export LB
set routing-instances CUST1 instance-type vrf
routing-options protect core -> PIC enabled!
\u2026
show route extensive table CUST1.inet.0 IP\/24 –> “indirect next hop” weight=0x1 (active) 0x4000 (backcup)
show route forwarding-table table CUST1 destination IP\/24 –? idr xxx matches the “indirect nex hop” index<\/p>\n\n\n\n
set policy-options policy-statement LB then load-balance per-packet
set routing-options forwarding-table export LB
set routing-instances CUST1 instance-type vrf
routing-options protect core –> it seems it needs PIC too???
protocols bgp group EBGP type external
family inet unicast protection -> enabled!!!
show route IP –> see “Multipath” two bgp NH<\/p>\n\n\n\nLayer 3 VPN Scaling<\/h2>\n\n\n\n
RR: on a P or device not part of MPLS fw path.
must resolve the advertised NH of PEs ->
not recommened: LSP from RR to all PEs.
static default route in inet.3
*best: route resolution RIB: set routing-options resolution rib bgp.l3vpn.0 resolution-ribs inet.0
no needed VRFs, just VPN address-family<\/p>\n\n\n\n
vrf localization: chained composite NH feature: sets of routes sharing same destination to a common fw NH
core-facing interfaces: set chassis fpc 3 vpn-localization vpn-core-facing-default -> install VRF routes with NH in FPC
network-services enhanced-ip
ce-facing interfaces: set routing-instances VPNA routing-options localizaton fib -> determines FPC that interfac belongs<\/p>\n\n\n\n show route vpn-localization [vpn VPNA]<\/code><\/pre>\n\n\n\nBGP Route Target Filtering<\/h2>\n\n\n\n
set protocols bgp group PE type internal
family route-target (afi=1, safi=132) –> created bgp.rtarget.0 table !! (show bgp summary)
\u2026<\/p>\n\n\n\nLayer 3 VPNs and Internet Access (LAB: RR, RT filter, LDP tunnelling and Internet VPN !!!) ***<\/h2>\n\n\n\n
ie NAT in CE, RIB groups in PE, routing
1) CE NAT config
set security nat source rule-set VRF-inet-access from interface ge-0\/0\/1.0
to interface ge-0\/0\/2.0
rule VRF match source-addres LAN1\/24
destination-add LAN2\/24
then source-nat off
rule inet-access match source-add LAN1\/24
destina-add defau
then source-nat interfce
2) PE RIB group
set routing-options interface-routes rib-group inet inet0_VPNA
static route CE-NAT-PUBLUC\/32 next-table VPNA.inet.0 <— this is for the return traffic !!!!
rib-groups inet0_VPNA import-rib [ inet.0 VPNA.inet.0 ] <– copy inet.0 into VPNA table
import-policy SELECT-ROUTES <– policy states which routes to accept \/\/ optional<\/p>\n\n\n\n
term DEFAULT-ROUTE from route-filter 0.0.0.0\/0 exact then accept
term REJECT-OTHER then reject
send_VPNA term 1 from protocol static
route-filter CE-NAT-PUBLUC\/32 exact
then accept<\/p>\n\n\n\n
export send_VPNA <– GW route needs to know where to return traffic to CE
neighbor IP-GW famil inet unicast rib-group inet0_VPNA <—- needed to accept the default route !!!!<\/p>\n\n\n\n
show route table VPNA.inet.0
show route CE-NAT-PUBLIC exact –> it should point to table VPNA.inet.0 !!!
show route advertising-protocol bgp GW-IP -> we need to send CE-NAT-PUBLUC to GW
bgp CE-NAT-PUBLIC -> we need to send default and other VPN routes to CE1<\/p>\n\n\n\nInter-AS Layer 3 VPNs (similar to the l2vpn)<\/h2>\n\n\n\n
Solutions:<\/p>\n\n\n\n
easy but doesnt scale well (for ASBR many VRFs!). Best options when two SPs engaged<\/p>\n\n\n\n
scale bettern than optionA, easy if you want to talk mpls between SPs. but ASBRs must learn all VPN labels and generate new one (big LFIB)<\/p>\n\n\n\n
ASBRs talk BPL-LU to exchange labels for each other infra lo’s => end to end LSP between PEs (LSP in SP1 + BGP-LU LSP + LSP in SP2)
-> 3-label stack (outer transport for SPx,
middle bgp-lu label
inner vpn label)
good: no VRFs and no big LFIB in ASBRs
bad: complex. big label stack, RR more difficutl even.<\/p>\n\n\n\n
ASBR1-ASBR2 ebgp LU
PE1-PE2 ebgp inet-vpn unicast
SP1-PE1
set routing-instances L3VPN1 instance-type vrf, rd, rt, inteface, vrf-table-label<\/p>\n\n\n\n
local-address SP1-PE1-Lo
family inet labeled-unicast resolve-vpn -> copy bgp-lu prefixes from inet.0 into inet.3
neighbor SP1-ASBR1-lo
group EXT type external
multihop
local-address SP1-PE1-lo
family inet-vpn unicat
peer-as SP2
neighbor SP2-PE2-lo<\/p>\n\n\n\n
show route table L3VPN1.inet.0 -> you will see 3 label stack to SP2-CE2 \/24<\/p>\n\n\n\n
set protocols bgp group INT type internal –> NO NEED NH-self, because when new label is generated, nh is updated automatically
local-address SP1-ASBR1-lo
family-inet labeled-unicast
neighbor SP1-PE1-lo
group EXT type external
family inet labeles-unicast
export INTERNALS (redistribute SP1 lo to SP2-ASBR2)
peer-as SP2
neighbor SP2-ASBR2-phy
mpls traffic-engineering mpls-forwarding !!!! Important: copy LSP from inet.3 to inet.0 BUT LSP only for fw, IGP for CP.
inteface all<\/p>\n\n\n\nCarrier-of-Carriers VPNs (similar to l2vpn) = LAB!<\/h2>\n\n\n\n
You can use l2vpn psedowire -> not scale
Use CoC – Carrier-of-Carrier model -> similar to Option-C (BGP-LU). COC-ASBR will learn SP1 PEs-lo. BGP-LU between PEs and ASBRs
bgp: new things you have to add to the already BGP config in place. There is ibgp inet-vpn unicast already in COC between ASBRs
sp1-pe1 <> sp1-asbr1: ibgp-lu
sp1-asbr1 <> coc-asbr1: ebgp-lu
coc-asbr1 <> coc-asbr2: ibgp-lu
coc-asbr2 <> sp1-asbr2: ebgp-lu
sp1-asbr2 <> sp1-pe2: ibgp-lu
sp1-pe1 <> sp1-pe2: ebgp-inet-vpn !!<\/p>\n\n\n\n
sp1-pe1 <> sp1-asbr1
coc-asbr1 <> coc-asbr2
sp1-asbr2 <> sp1-pe2<\/p>\n\n\n\n
set routing-instances L3VPN1 instance-type vrf, interface, rd, rt, vrt-table-label<\/p>\n\n\n\n
multihop
local-address SP1-PE1-lo
family inet-vpn unicast
peer-as SP1-SITE2
neighbor SP1-PE2-Lo
INT type internal
local-address SP1-PE1-lo
family inet labeled-unicast resolve-vpn !!! -> copy bgp-lu prefixes from inet.0 into inet.3 for vpn resolution
neighbor SP1-ASBR1-lo<\/p>\n\n\n\n
SP1-PE2-lo -> in L3VPN1.inet.0 you will see COC ASN!
table L3VPN1.inet.0 -> you can see 3-label stack<\/p>\n\n\n\n
set protocols bgp group TO-COC type external
family inet labeled-unicast
export SP1-SITE1-LO !!!!!!!!!! (just advertise all PEx-lo from SITE1 of SP1)
peer-as COC-ASN
neighbor COC-ASBR1-phy
INT type internal
local-address SP1-ASBR1-lo
family inet labeled-unicast
neighbor SP1-PE1-lo
COC-ASBR1
set protocols bgp group TO-SP1-SITE1 type external
family inet labeled-unicast
peer-as SP1-SITE1-ASN
neighbor SP1-ASRB1-phy
INT type internal
local-address COC-ASBR1-lo
family inet labeled-unicast
neighbor COC-ASBR2-lo<\/p>\n\n\n\nTroubleshooting Layer 3 VPN – Overview<\/h2>\n\n\n\n
show route table VPN.inet.0 [protocol bgp hidden detail]
show bgp summary | neigbor CE-IP
show route advertising\/receive-protocol bgp CE-IP<\/p>\n\n\n\n\n
” CE in same AS as PE -> as-override
ospf; use domain-id to redistribute vpn routes as type3 instead of type5. Sham-links<\/li>\n\n\n\n
show ospf database instance VPN1 advertising-router self
lsa-id IP detail<\/li>\n<\/ul>\n\n\n\nAdditional Layer 3 VPN Troubleshooting + LAB<\/h2>\n\n\n\n
show route table inet.3 -> each PE.lo must be here. If using bgp-lu needs to use “resolve-vpn”. Maybe “traffic-enginnering mpls-forwarding” is needed too.
show rsvp interface\/session\/statistics
show ldp interface\/neighbor\/session\/statistics\/database
show mpls lsp<\/p>\n\n\n\n
show bgp summary | neighbor PE
show route table bgp.l3vpn.0 [community target:x:y]
show route receive\/advertised-routes bgp PE [hidden]
show route table inet.3 [NH from hidden route] -> check if LSP to PE is up!
unknown RT are discarded
** RR must have BGP NH in inet.3 (set routing-optios resolution rib bgp.l3vpn.0 resolution-ribs inet.0<\/p>\n\n\n\n
PE-CE: ping\/traceroute in routing-instance, show arp
PE-PE: ping\/traceroute mpls ldp|rsvp|segment-routing LSP_NAME
ping mpls l3vpn VRF prefix xxxx\/x [sweep]= find path MTU<\/p>\n\n\n\nMulticast Overview<\/h2>\n\n\n\n
DR: designated router
IGMP: receiver and local router
PIM: between routers
Any source multicast
SSM source-specific multicast
Dense M vs Sparse Mode
Source-Tree = Shortest-path tree (S,G)
Shared-Tree or RP (rendezvous point) tree = (*,G) receiver to RP is shared-tree<\/p>\n\n\n\n
224.0.0.x\/24 local net
232.x.x.x\/8 SSM block
233.(0-251).x.x GLOP based on ASN gives you an \/24s
234\/8 – public multicast
239\/8 – private ips<\/p>\n\n\n\nIntroduction to IGMP (host <> routers)<\/h2>\n\n\n\n
router sends IGMP queries to check there is interest
igmp v2: asm + explicit leave so router knows if stop sending traffic. router querier = lowest IP
igmp v3: v2 + supports ssm<\/p>\n\n\n\nMulticast Routing Protocols<\/h2>\n\n\n\n
dense (implicit join, (S,G) = source-tree)
sparse (explicit join, use RP for source discovery or use SSM (igm3 needed), (*,G) intiallu to RP (suboptimal) then move to (S,G)
v2: own protocol<\/p>\n\n\n\n
hello: maintein and discover neighbor (224.13), elect DR (highest priority, highest IP is tiebraker)
join\/prune
graft-ack (dense): indicate interest in receiving traffic on previously pruned interfaces
assert: elect DW, shortest distance to the src
register (sparse) signaling between source router and RP
bootstrap and candidate-RP advert (sparse)<\/p>\n\n\n\nBGP MVPN Overview – rfc 6513 (Messy !!!!!)<\/h2>\n\n\n\n
PMSI: tunel PE to PE to transport multicast (rsvp p2mp lsp, mldp)
I-PMSI: (Inclusive) multidirectional: all PEs can transmit to all other PEs
unidirectional: one particular PE to transmit multicast to other PEs
S-PMSI: (Selective) one particular PE to transmit to a subset of PEs<\/p>\n\n\n\n
type2: Inter-AS I-PMSU autodiscovery route. Sent by ASBR participating in MVPN.
typex:PE-RD:PE-lo<\/p>\n\n\n\n
3:PE-RD:C-S Mask: C-S S-PMSI: C-G mask: C-G S-PMSI: PE-lo<\/p>\n\n\n\n
4: typ3 : pe-lo<\/p>\n\n\n\n
5:PE-RD:c-s mask:C-S:C-G mask:C-G<\/p>\n\n\n\n
6:upstream-PE-RD:ASN-upstream-PE:C-RP mask: C-RP IP: C-G mask: C-G<\/p>\n\n\n\n
7:upstream-PE-RD:ASN-upstream-PE:C-S mask:C-S:C-G mask:C-G<\/p>\n\n\n\n
inclusive tree: each tree serves one MVPN. ineficient
selective tree: servers selected MC groups from a given MPVN<\/p>\n\n\n\n
C-DR: customer DR (a CE)
C-RP: customer RP (a PE)<\/p>\n\n\n\n
With no receivers or source active, each PE:
advertises an inclusive MPVN A-D route to each other tagged with a route target and PMSI tunnel attribute (type1)
uses rsvp PMSI automatically builds a P2MP LSP to other PEs with itself as root and no PHP
uses incoming MPLS label encapsulating the MC packets
a p2mp lsp is signaled with a label-3 (explicit null) oin the penultime hop. A virtual tunnel interface or vrf-table-label must be configured<\/p>\n\n\n\n
C-DR sends PIM register to C-RP
C-RP sends type5 to remote PEs<\/p>\n\n\n\n
Receiver CEs send PIM (S,G) upstream to PEs. Those PEs convert PIM into type7 sent to C-RP
C-RP converts type7 into PIM S,G and sends to C-DR<\/p>\n\n\n\n
RSVP and LDP examples<\/p>\n\n\n\n\n
set chassis fpc1 pic0 tunnel-services bandwidth 1g<\/li>\n<\/ul>\n\n\n\nConfiguring BGP MVPNs + LAB !!!<\/h2>\n\n\n\n
RSVP
I-PMSI (required)
set routing-instances mc-pe provider-tunnel rsvp-te label-switched-path-template mvpn-example
vrf-table-label -> disable PHP !!
S-PMSI
set routing-instances mc-pe provider-tunnel selective group 224.7.7.0\/24 wilcard-source rsvp-te label-switched-path default-template<\/p>\n\n\n\n
set protocols ldp interface ge-0\/0\/0.0
p2mp !!!
I-PMSI (required)
set routing-instances mc-pe provider-tunnel ldp-p2mp
vrf-table-label
S-PMSI<\/p>\n\n\n\n
interface alll mode sparse
mvpn mvpn-mode [spt-only | rpt-spt ]<\/p>\n\n\n\n
1- PIM customer domain
show pim interface|join|source|statistics
show mvpn c-multcast instance-name VPN_NAME extensive<\/p>\n\n\n\n
show route table VPN.mvpn.0 -> check for type1,2,3,4,5,6,7
show pim join instance mc-pe extensive
show multicast route instance mc-pe extensive
show route forwarding-table destination 224.7.7.7 exntensive (label and inteface outout should be the same as above command(
show route table bgp.mvpn.0<\/p>\n\n\n\n
show rsvp session
show ldp database<\/p>\n","protected":false},"excerpt":{"rendered":"