I am going to show you how to implement LDP security between neighbors. LDP session security is provided by TCP MD5 signatures: every segment of the LDP TCP session carries an MD5 digest computed over the segment and a shared password, so a peer that does not hold the password cannot bring the session up.
Let's verify how our neighborship currently looks on R2, the (P) router. We have two different neighbors; let's set a password for each.
R2#show mpls ldp neighbor
Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
TCP connection: 1.1.1.1.646 - 2.2.2.2.48828
State: Oper; Msgs sent/rcvd: 8/8; Downstream
Up time: 00:00:07
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 192.168.100.1
Addresses bound to peer LDP Ident:
192.168.100.1 1.1.1.1
Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
TCP connection: 4.4.4.4.23134 - 2.2.2.2.646
State: Oper; Msgs sent/rcvd: 8/8; Downstream
Up time: 00:00:06
LDP discovery sources:
GigabitEthernet2/0, Src IP addr: 192.168.104.1
Addresses bound to peer LDP Ident:
192.168.104.1 4.4.4.4
R2(config)#mpls ldp neighbor 1.1.1.1 password joel
R2(config)#mpls ldp neighbor 4.4.4.4 password joel
Now we will need to do the same on R1 and R4, but let's not do it yet. I am going to clear the LDP neighborship to see what errors are generated, since we have not made any changes on R1 and R4 yet.
R2#clear mpls ldp neighbor *
R2#
*Mar 18 22:27:26.395: %LDP-5-CLEAR_NBRS: Clear LDP neighbors (*) by console
*Mar 18 22:27:26.455: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (3) is DOWN (User cleared session manually)
*Mar 18 22:27:26.471: %LDP-5-NBRCHG: LDP Neighbor 4.4.4.4:0 (1) is DOWN (User cleared session manually)
R2#
We can see from the alerts below that we are not receiving an MD5 digest from either neighbor, 4.4.4.4 or 1.1.1.1. If they had a password set but it was incorrect, the message would instead say something along the lines of the digest being invalid.
R2#
*Mar 18 22:27:43.707: %TCP-6-BADAUTH: No MD5 digest from 4.4.4.4(35699) to 2.2.2.2(646) tableid - 0
*Mar 18 22:27:44.055: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(646) to 2.2.2.2(45946) tableid - 0
Now let's configure R1 and R4.
R1(config)#mpls ldp neighbor 2.2.2.2 password joel
R1(config)#end
R1#
*Mar 18 22:30:03.471: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Mar 18 22:30:13.451: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
R4(config)#mpls ldp neighbor 2.2.2.2 password joel
R4(config)#end
R4#
*Mar 18 22:31:05.403: %SYS-5-CONFIG_I: Configured from console by console
R4#
*Mar 18 22:31:17.335: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
R4#
We are all done now.
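The two log outcomes above (no digest at all while only R2 had a password, and an invalid digest had the peers disagreed on it) come straight from how the TCP MD5 signature option works. The following Python is an added example, not code from the original post or from any vendor: it builds the RFC 2385 digest over a constructed TCP segment, attaches it as TCP option kind 19, and classifies received segments the way a listener with a configured key does. The addresses, port 646 and the password "joel" follow the lab; the ephemeral port, sequence numbers and payload are constructed sample values, and the status strings are this example's own labels, not IOS message text.

```python
"""Added example (not from the original post): build and check the TCP MD5
signature option (RFC 2385) that protects an LDP session, and reproduce the
two failure modes the text describes: no digest at all vs. a wrong digest.
Addresses, port 646 and the password "joel" follow the lab; sequence numbers,
the ephemeral port and the payload are constructed sample values, and the
status strings are this example's own labels, not IOS message text."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
LDP_PORT = 646
MD5_OPT_KIND = 19   # TCP option kind assigned to the MD5 signature
MD5_OPT_LEN = 18    # kind (1) + length (1) + 16-byte digest


def _pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP segment length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_length))


def _fixed_header(src_port, dst_port, seq, ack, flags, window, options_len):
    """20-byte TCP header; checksum and urgent pointer left at zero."""
    data_offset = (20 + options_len) // 4          # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """RFC 2385 digest: MD5(pseudo-header || TCP header with checksum zeroed
    and options excluded || payload || shared key).  Because the options are
    excluded, the digest can sit inside the header it protects."""
    tcp_length = len(fixed_header) + options_len + len(payload)
    header_no_csum = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, tcp_length)
                       + header_no_csum + payload + key).digest()


def build_segment(src_ip, dst_ip, src_port, dst_port, payload, key=None,
                  seq=1000, ack=2000, flags=0x18, window=4128):
    """Return header + options + payload; signed with an MD5 option if key is set."""
    options_len = 20 if key is not None else 0      # 18-byte option + 2 NOP pad
    fixed = _fixed_header(src_port, dst_port, seq, ack, flags, window, options_len)
    options = b""
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, fixed, options_len, payload, key)
        options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"
    return fixed + options + payload


def _find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # end of option list
            return None
        if kind == 1:                  # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                # malformed option; treat as absent
        length = options[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + MD5_OPT_LEN]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Classify a received segment the way a listener with a configured key does."""
    data_offset = (segment[12] >> 4) * 4
    fixed, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = _find_md5_option(options)
    if received is None:
        return "no-md5-digest"          # peer has no password configured at all
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    if hmac.compare_digest(received, expected):
        return "ok"
    return "invalid-md5-digest"         # key mismatch, or segment altered in flight


def demo():
    """R4 -> R2 on the LDP port, the pairing that logged %TCP-6-BADAUTH above."""
    src, dst, key = "4.4.4.4", "2.2.2.2", b"joel"
    payload = b"constructed LDP keepalive bytes"
    signed = build_segment(src, dst, 35699, LDP_PORT, payload, key)
    unsigned = build_segment(src, dst, 35699, LDP_PORT, payload)
    wrong_key = build_segment(src, dst, 35699, LDP_PORT, payload, b"not-joel")
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])   # flip one payload bit
    return {
        "signed": verify_segment(src, dst, signed, key),
        "unsigned": verify_segment(src, dst, unsigned, key),
        "wrong_key": verify_segment(src, dst, wrong_key, key),
        "tampered": verify_segment(src, dst, tampered, key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result}")
```

Two points the digest structure makes visible: the pseudo-header is part of the hash, so a signed segment only verifies between the two addresses it was built for, and the payload is covered, so a modified LDP message fails with the same result as a wrong password. The option authenticates and integrity-protects the session; it does not encrypt it, so label mappings on the wire remain readable.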
Monday, March 18, 2013
MPLS Neighbor Security
Location:
Avenel, NJ 07001, USA
Saturday, March 16, 2013
Building an MPLS VPN Extranet/Intranet
I spent the past two days researching and building the MPLS VPN network below. It sure was fun and a great refresher. Below you will find details of what is required and some verification output.
You should also check out the following PDF link from NIL, the PacketLife link and the Cisco video on building MPLS VPNs. I watched the video and it is all relevant information.
Introduction to MPLS VPN [Webcast]
MPLS VPN Cheat Sheet
Creating an MPLS VPN - PacketLife
My goal with this post was not to provide you with all the commands but rather a guide. I find that when configurations are provided, you don't retain them as well as when you have to research them yourself. If you want the configs, put a comment in with your email address and I will send them over.
Building the MPLS Core:
- Create loopback interfaces on R1, R2 and R4.
- On R1, R2 and R4, enable OSPF as the transport for the loopback interfaces and the point-to-point interconnects between the routers. Put them all in Area 0.
- Enable mpls ip globally and on the interconnects between R1, R2 and R4. Also hard-set the LDP router ID with the following command: mpls ldp router-id Loopback0. Hard-set it on R1 and R4 as well.
- Keep in mind that you will use the loopback interface for BGP peering between the PE devices.
Verifications:
R2#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Lo0 1 0 2.2.2.2/32 1 LOOP 0/0
Gi2/0 1 0 192.168.104.2/24 1 P2P 1/1
Gi0/0 1 0 192.168.100.2/24 1 P2P 1/1
R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
4.4.4.4 0 FULL/ - 00:00:38 192.168.104.1 GigabitEthernet2/0
1.1.1.1 0 FULL/ - 00:00:31 192.168.100.1 GigabitEthernet0/0
R2#
R2#show mpls interfaces
Interface IP Tunnel BGP Static Operational
GigabitEthernet0/0 Yes (ldp) No No No Yes
GigabitEthernet2/0 Yes (ldp) No No No Yes
R2#show mpls ldp neighbor
Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
TCP connection: 1.1.1.1.646 - 2.2.2.2.44858
State: Oper; Msgs sent/rcvd: 135/136; Downstream
Up time: 01:51:40
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 192.168.100.1
Addresses bound to peer LDP Ident:
192.168.100.1 1.1.1.1
Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
TCP connection: 4.4.4.4.56543 - 2.2.2.2.646
State: Oper; Msgs sent/rcvd: 136/136; Downstream
Up time: 01:51:24
LDP discovery sources:
GigabitEthernet2/0, Src IP addr: 192.168.104.1
Addresses bound to peer LDP Ident:
192.168.104.1 4.4.4.4
R2#
Keep in mind that the P router is not going to be aware of any customer routes; it only label-switches the traffic. Most of the configuration will be on the PE and CE devices.
Building the PE Configurations for R1:
- Configure VRFs, Route Distinguishers, and Route Targets.
- Configure MPLS globally and on the interfaces facing the P router.
- Configure the CE-facing interfaces to be part of a VRF.
- Configure IBGP peering between the PE devices to exchange vpnv4 routes.
- Configure the CE-to-PE routing protocol (RIP, EIGRP, OSPF or BGP).
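The RD and route-target values that the verification output below reports for the corp and das VRFs are the whole basis of customer separation in the control plane, so it is worth seeing what they look like on the wire and how a receiving PE uses them. The following Python is an added example, not code from the original post or from any vendor: it encodes the type-0 RD and the two-octet-AS route-target extended community, builds a VPNv4 NLRI, and applies the import rule that decides which VRF receives a route. The VRF names, RDs and RTs mirror R1's output; the prefixes, labels and the assignment of routes to VRFs are constructed sample values.

```python
"""Added example (not from the original post): encode the route distinguisher
and route-target values shown in `show ip vrf detail` the way they travel in
MP-BGP, build a VPNv4 NLRI, and apply the import-RT rule that decides which VRF
receives a route.  VRF names, RDs and RTs mirror R1's output above; prefixes,
labels and the VRF assignment of the routes are constructed sample values."""
import ipaddress
import struct

RT_TYPE_AS2 = 0x00   # extended community type: transitive, two-octet-AS specific
RT_SUBTYPE = 0x02    # sub-type: route target


def encode_rd(asn, assigned):
    """Type-0 RD: 2-byte type 0, 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def encode_rt(asn, assigned):
    """Route-target extended community (8 bytes) for a value like RT:100:1."""
    return struct.pack("!BBHI", RT_TYPE_AS2, RT_SUBTYPE, asn, assigned)


def decode_rt(ext_comm):
    """Return 'RT:asn:n' for a two-octet-AS route target, else None."""
    type_hi, sub, asn, assigned = struct.unpack("!BBHI", ext_comm)
    if type_hi != RT_TYPE_AS2 or sub != RT_SUBTYPE:
        return None
    return f"RT:{asn}:{assigned}"


def vpnv4_nlri(rd, prefix, label):
    """VPNv4 NLRI: length in bits, 3-byte label (bottom-of-stack set), RD, prefix."""
    net = ipaddress.IPv4Network(prefix)
    prefix_bytes = net.network_address.packed[:(net.prefixlen + 7) // 8]
    label_field = struct.pack("!I", (label << 4) | 1)[1:]   # 20-bit label | EXP 0 | BoS 1
    length_bits = 8 * (3 + 8) + net.prefixlen
    return bytes([length_bits]) + label_field + rd + prefix_bytes


# The two VRFs R1 shows: name -> RD, import RTs, export RTs
VRFS = {
    "corp": {"rd": encode_rd(100, 1), "import": {"RT:100:1"}, "export": {"RT:100:1"}},
    "das":  {"rd": encode_rd(102, 1), "import": {"RT:102:1"}, "export": {"RT:102:1"}},
}


def advertise(vrf_name, prefix, label, vrfs=VRFS):
    """What the PE exports for a VRF route: the NLRI and its RT communities."""
    vrf = vrfs[vrf_name]
    comms = []
    for rt in sorted(vrf["export"]):
        _, asn, assigned = rt.split(":")
        comms.append(encode_rt(int(asn), int(assigned)))
    return vpnv4_nlri(vrf["rd"], prefix, label), comms


def importing_vrfs(ext_comms, vrfs=VRFS):
    """The receiving PE imports a route into every VRF whose import set
    intersects the route's RTs; the RD plays no part in this decision."""
    route_rts = {rt for rt in map(decode_rt, ext_comms) if rt is not None}
    return sorted(name for name, vrf in vrfs.items() if vrf["import"] & route_rts)


def demo():
    # Constructed: R3's 200.200.200.0/24 placed in corp, 100.100.100.0/24 in das,
    # plus the same private prefix in both VRFs to show how the RD keeps them apart.
    corp_nlri, corp_comms = advertise("corp", "200.200.200.0/24", 16)
    das_nlri, das_comms = advertise("das", "100.100.100.0/24", 17)
    same_in_corp, _ = advertise("corp", "10.0.0.0/24", 18)
    same_in_das, _ = advertise("das", "10.0.0.0/24", 18)
    return {
        "corp_route_imported_by": importing_vrfs(corp_comms),
        "das_route_imported_by": importing_vrfs(das_comms),
        "corp_nlri_hex": corp_nlri.hex(),
        "das_nlri_hex": das_nlri.hex(),
        "overlapping_prefix_distinct": same_in_corp != same_in_das,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The split of duties is the security-relevant part: the RD only makes the same customer prefix unique in the VPNv4 table, while the import RT set alone decides which VRF a route lands in. That is why the Import/Export lines in `show ip vrf detail` are the ones to audit; a stray import of another customer's RT merges two routing tables without any change to the RDs.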
Verifications:
R1#show ip vrf detail
VRF corp (VRF Id = 1); default RD 100:1; default VPNID <not set>
Interfaces:
Fa3/0
VRF Table ID = 1
Export VPN route-target communities
RT:100:1
Import VPN route-target communities
RT:100:1
No import route-map
No global export route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix
VRF das (VRF Id = 2); default RD 102:1; default VPNID <not set>
Interfaces:
Gi1/0
VRF Table ID = 2
Export VPN route-target communities
RT:102:1
Import VPN route-target communities
RT:102:1
No import route-map
No global export route-map
No export route-map
VRF label distribution protocol: not configured
VRF label allocation mode: per-prefix
R1#show ip vrf
Name Default RD Interfaces
corp 100:1 Fa3/0
das 102:1 Gi1/0
R1#show mpls interfaces
Interface IP Tunnel BGP Static Operational
GigabitEthernet0/0 Yes (ldp) No No No Yes
R1#
R1#show mpls ldp neighbor
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0
TCP connection: 2.2.2.2.44858 - 1.1.1.1.646
State: Oper; Msgs sent/rcvd: 150/148; Downstream
Up time: 02:03:41
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 192.168.100.2
Addresses bound to peer LDP Ident:
192.168.100.2 2.2.2.2 192.168.104.2
R1#show ip bgp vpnv4 all summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 19, main routing table version 19
9 network entries using 1404 bytes of memory
14 path entries using 1120 bytes of memory
10/6 BGP path/bestpath attribute entries using 1440 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
3 BGP extended community entries using 104 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4116 total bytes of memory
BGP activity 9/0 prefixes, 14/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
4.4.4.4 4 100 150 151 19 0 0 02:04:16 6
192.168.103.1 4 200 142 142 19 0 0 02:05:06 2
R1#
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - 00:00:32 192.168.100.2 GigabitEthernet0/0
7.7.7.7 1 FULL/BDR 00:00:30 192.168.250.1 GigabitEthernet1/0
R1#
Building CE configurations for R3:
- Enable EBGP peering between the CE and PE.
- Update the BGP network statements to reflect any routes you want sent over the MPLS VPN.
Verifications:
R3#show ip bgp
BGP table version is 7, local router ID is 200.200.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 5.5.5.5/32 192.168.103.2 0 100 300 i
*> 100.100.100.0/24 0.0.0.0 0 32768 i
r> 192.168.103.0/30 192.168.103.2 0 0 100 ?
*> 200.200.200.0 0.0.0.0 0 32768 i
R3#show ip bgp summary
BGP router identifier 200.200.200.1, local AS number 200
BGP table version is 7, main routing table version 7
4 network entries using 576 bytes of memory
4 path entries using 320 bytes of memory
3/3 BGP path/bestpath attribute entries using 408 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1352 total bytes of memory
BGP activity 5/1 prefixes, 5/1 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.103.2 4 100 147 147 7 0 0 02:09:38 2
R3#
R5#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
GigabitEthernet1/0 192.168.120.1 YES NVRAM up up
FastEthernet2/0 unassigned YES unset administratively down down
FastEthernet2/1 unassigned YES unset administratively down down
Loopback5 5.5.5.5 YES NVRAM up up
Loopback200 unassigned YES unset up up
R5#
R3#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
GigabitEthernet1/0 unassigned YES NVRAM up up
FastEthernet2/0 192.168.103.1 YES NVRAM up up
FastEthernet2/1 unassigned YES NVRAM administratively down down
Loopback100 100.100.100.1 YES NVRAM up up
Loopback200 200.200.200.1 YES NVRAM up up
R3#ping 5.5.5.5 source loopback 200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 200.200.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/119/164 ms
R3#