Showing posts with label MPLS. Show all posts

Monday, March 18, 2013

MPLS Neighbor Security

I am going to show you how to implement LDP session security between neighbors. LDP runs over a TCP session (port 646), and the protection is the TCP MD5 signature option (RFC 2385): both peers sign every TCP segment with a shared password and silently discard segments whose digest does not match, which stops spoofed RSTs and injected label messages from a third party on the segment.


Let's verify how our neighborship currently looks on R2, the (P) router. We have two different neighbors, 1.1.1.1 (R1) and 4.4.4.4 (R4). Let's set a password for each. Note that the address in the command is the peer's LDP router ID (its loopback), not the interface address on the shared link.

R2#show mpls ldp neighbor
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.48828
        State: Oper; Msgs sent/rcvd: 8/8; Downstream
        Up time: 00:00:07
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.100.1
        Addresses bound to peer LDP Ident:
          192.168.100.1   1.1.1.1
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 4.4.4.4.23134 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 8/8; Downstream
        Up time: 00:00:06
        LDP discovery sources:
          GigabitEthernet2/0, Src IP addr: 192.168.104.1
        Addresses bound to peer LDP Ident:
          192.168.104.1   4.4.4.4

R2(config)#mpls ldp neighbor 1.1.1.1 password joel
R2(config)#mpls ldp neighbor 4.4.4.4 password joel

Now we will need to do the same on R1 and R4, but let's not do it yet. I am going to clear the LDP sessions on R2 to see what errors are generated while R1 and R4 are still unconfigured.

R2#clear mpls ldp neighbor *
R2#
*Mar 18 22:27:26.395: %LDP-5-CLEAR_NBRS: Clear LDP neighbors (*) by console
*Mar 18 22:27:26.455: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (3) is DOWN (User cleared session manually)
*Mar 18 22:27:26.471: %LDP-5-NBRCHG: LDP Neighbor 4.4.4.4:0 (1) is DOWN (User cleared session manually)
R2#

We can see from the alerts below that R2 is not receiving an MD5 digest from either neighbor, 4.4.4.4 or 1.1.1.1, so it discards their TCP segments and the sessions cannot re-establish. If a neighbor had a password set but it did not match ours, the message would instead report an invalid MD5 digest from that peer.

R2#
*Mar 18 22:27:43.707: %TCP-6-BADAUTH: No MD5 digest from 4.4.4.4(35699) to 2.2.2.2(646) tableid - 0
*Mar 18 22:27:44.055: %TCP-6-BADAUTH: No MD5 digest from 1.1.1.1(646) to 2.2.2.2(45946) tableid - 0

Now lets configure R1 and R4.

R1(config)#mpls ldp neighbor 2.2.2.2 password joel
R1(config)#end
R1#
*Mar 18 22:30:03.471: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Mar 18 22:30:13.451: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP

R4(config)#mpls ldp neighbor 2.2.2.2 password joel
R4(config)#end
R4#
*Mar 18 22:31:05.403: %SYS-5-CONFIG_I: Configured from console by console
R4#
*Mar 18 22:31:17.335: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
R4#

Both sessions are back up with MD5 in place, and we are all done. Keep in mind that the password only protects the sessions for which it is configured; a peer you forget is still accepted unsigned, and the password sits in the running config in clear text unless you encrypt it.
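As an added example (these are not the post's own configs), here is the complete LDP password configuration on all three routers, plus two hardening steps the post does not show: refusing unsigned LDP sessions outright with "mpls ldp password required", and obfuscating the stored password with "service password-encryption". The topology and the lab password "joel" are the post's; the "force" keyword on the router-id command and the verification comments are my additions.

```cisco
! Added example, not the post's configs: LDP MD5 on R1 (1.1.1.1), R2 (2.2.2.2, P) and R4 (4.4.4.4).
! Assumes the LDP router ID of every box is Loopback0, as in the post; the password is
! keyed on that router ID, so it must be stable. Use a long random secret in production.
!
! ---- R2 (P) ----
mpls ldp router-id Loopback0 force
mpls ldp neighbor 1.1.1.1 password joel
mpls ldp neighbor 4.4.4.4 password joel
! Refuse any LDP session that is not MD5-signed instead of only logging %TCP-6-BADAUTH
mpls ldp password required
! Store the LDP passwords obfuscated in the running and startup config
service password-encryption
!
! ---- R1 (PE) ----
mpls ldp router-id Loopback0 force
mpls ldp neighbor 2.2.2.2 password joel
mpls ldp password required
service password-encryption
!
! ---- R4 (PE) ----
mpls ldp router-id Loopback0 force
mpls ldp neighbor 2.2.2.2 password joel
mpls ldp password required
service password-encryption
!
! ---- Verification, any router ----
! show mpls ldp neighbor detail
!   State must be Oper; on releases with the LDP password feature the
!   "Password:" line under each peer should report the password as in use.
! clear mpls ldp neighbor 2.2.2.2
!   The session must come back UP; a peer without the password never re-establishes.
```

With "mpls ldp password required", LDP will not even attempt a session with a peer for which no password is configured, so a mis-typed neighbor address shows up as a missing session rather than a BADAUTH log. Remember what this does not cover: the TCP MD5 option authenticates only the LDP session, not the UDP Hello discovery on port 646, and the key is a static shared secret, so rotate it and keep LDP enabled only on core-facing interfaces.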

Saturday, March 16, 2013

Building an MPLS VPN Extranet/Intranet

I spent the past two days researching and building the MPLS VPN network below. It sure was fun and a great refresher. Below you will find details of what is required and some verification output.
You should also check out the following PDF from NIL, the PacketLife link and the Cisco video on building MPLS VPNs. I watched the video and it is all relevant information.

Introduction to MPLS VPN [Webcast]

MPLS VPN Cheat Sheet

Creating an MPLS VPN - PacketLife

My goal with this post is not to provide you with all the commands but rather a guide. I find that when configurations are handed to you, you don't retain as much as when you have to research them yourself. If you want the configs, leave a comment with your email address and I will send them over.

Building the MPLS Core:
  1. Create a loopback interface (Loopback0, with a /32) on R1, R2 and R4.
  2. On R1, R2 and R4 enable OSPF as the IGP for the loopbacks and the point-to-point interconnects between the routers. Put them all in Area 0. The interconnects carry /24 addresses but show up as P2P below, so ip ospf network point-to-point is set on them.
  3. Enable mpls ip globally and on the interconnects between R1, R2 and R4. Also hard-set the LDP router ID with mpls ldp router-id Loopback0 on R2, and on R1 and R4 as well. The LDP router ID is what the LDP TCP session, and any LDP neighbor password, is keyed on, so it must be a stable address reachable through the IGP.
  4. Keep in mind that you will use the loopback interface as the source of the iBGP (vpnv4) peering between the PE devices.
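The core steps above carried through as an added example (my configuration, not the post's). Addresses and interface names come from the post's show output; R4's core interface name is never shown, so GigabitEthernet0/0 on R4 is an assumption.

```cisco
! Added example, not the post's configs: the MPLS core on R2 (P) and R1 (PE).
! R4 mirrors R1 with 4.4.4.4 and 192.168.104.1 on (assumed) GigabitEthernet0/0.
!
! ---- R2 (P) ----
mpls ldp router-id Loopback0 force
mpls ip
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 description to R1
 ip address 192.168.100.2 255.255.255.0
 ip ospf network point-to-point
 mpls ip
!
interface GigabitEthernet2/0
 description to R4
 ip address 192.168.104.2 255.255.255.0
 ip ospf network point-to-point
 mpls ip
!
router ospf 1
 router-id 2.2.2.2
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.100.0 0.0.0.255 area 0
 network 192.168.104.0 0.0.0.255 area 0
!
! ---- R1 (PE) ----
mpls ldp router-id Loopback0 force
mpls ip
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 description to R2 (core)
 ip address 192.168.100.1 255.255.255.0
 ip ospf network point-to-point
 mpls ip
!
router ospf 1
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.100.0 0.0.0.255 area 0
!
! Only the core runs OSPF process 1 and LDP. Never put "mpls ip" on a CE-facing
! interface, and keep any customer OSPF (the 7.7.7.7 neighbor on R1 Gi1/0 in the post)
! in its own VRF process so it cannot leak routes into the core IGP.
```

Verify with show ip ospf neighbor (FULL on both core links), show mpls interfaces (Yes (ldp) only on the core interfaces) and show mpls ldp neighbor (State: Oper), exactly the three outputs the post shows next.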

Verifications:

R2#show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Lo0          1     0               2.2.2.2/32         1     LOOP  0/0
Gi2/0        1     0               192.168.104.2/24   1     P2P   1/1
Gi0/0        1     0               192.168.100.2/24   1     P2P   1/1

R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:38    192.168.104.1   GigabitEthernet2/0
1.1.1.1           0   FULL/  -        00:00:31    192.168.100.1   GigabitEthernet0/0
R2#

R2#show mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet0/0     Yes (ldp)     No       No  No     Yes
GigabitEthernet2/0     Yes (ldp)     No       No  No     Yes

R2#show mpls ldp neighbor
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 1.1.1.1.646 - 2.2.2.2.44858
        State: Oper; Msgs sent/rcvd: 135/136; Downstream
        Up time: 01:51:40
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.100.1
        Addresses bound to peer LDP Ident:
          192.168.100.1   1.1.1.1

    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 4.4.4.4.56543 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 136/136; Downstream
        Up time: 01:51:24
        LDP discovery sources:
          GigabitEthernet2/0, Src IP addr: 192.168.104.1
        Addresses bound to peer LDP Ident:
          192.168.104.1   4.4.4.4
R2#

Keep in mind that the P router is not aware of any customer routes. It only label-switches the traffic on the outer (transport) label toward the egress PE's loopback. Most of the configuration will be on the PE devices and the CE.

Building the PE Configurations for R1:

  1. Configure the VRFs, each with a Route Distinguisher and Route-Targets.
  2. Configure MPLS globally and on the interfaces facing the P router (never on the CE-facing interfaces).
  3. Configure the CE-facing interfaces to be part of a VRF (ip vrf forwarding), then re-apply their IP addresses, since assigning a VRF clears them.
  4. Configure iBGP peering between the PE devices under the vpnv4 address family to exchange VPNv4 routes, sourced from Loopback0 and sending extended communities, because the route-targets are carried as extended communities.
  5. Configure the CE-to-PE routing protocol (RIP, EIGRP, OSPF or BGP) under the per-VRF address family and redistribute between it and MP-BGP.

Verifications:
R1#show ip vrf detail
VRF corp (VRF Id = 1); default RD 100:1; default VPNID <not set>
  Interfaces:
    Fa3/0
VRF Table ID = 1
  Export VPN route-target communities
    RT:100:1
  Import VPN route-target communities
    RT:100:1
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

VRF das (VRF Id = 2); default RD 102:1; default VPNID <not set>
  Interfaces:
    Gi1/0
VRF Table ID = 2
  Export VPN route-target communities
    RT:102:1
  Import VPN route-target communities
    RT:102:1
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix


R1#show ip vrf
  Name                             Default RD          Interfaces
  corp                             100:1               Fa3/0
  das                              102:1               Gi1/0

R1#show mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet0/0     Yes (ldp)     No       No  No     Yes
R1#

R1#show mpls ldp neighbor
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 2.2.2.2.44858 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 150/148; Downstream
        Up time: 02:03:41
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 192.168.100.2
        Addresses bound to peer LDP Ident:
          192.168.100.2   2.2.2.2         192.168.104.2

R1#show ip bgp vpnv4 all summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 19, main routing table version 19
9 network entries using 1404 bytes of memory
14 path entries using 1120 bytes of memory
10/6 BGP path/bestpath attribute entries using 1440 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
3 BGP extended community entries using 104 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4116 total bytes of memory
BGP activity 9/0 prefixes, 14/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4          100     150     151       19    0    0 02:04:16        6
192.168.103.1   4          200     142     142       19    0    0 02:05:06        2
R1#

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:32    192.168.100.2   GigabitEthernet0/0
7.7.7.7           1   FULL/BDR        00:00:30    192.168.250.1   GigabitEthernet1/0
R1#

Building CE configurations for R3:

  1. Enable eBGP peering between the CE (R3, AS 200) and the PE (R1, AS 100) across the VRF interface.
  2. Add BGP network statements for any routes you want sent across the MPLS VPN.
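The PE steps and the CE steps above, carried through as one added example (my configuration, not the post's, which the author deliberately withholds). RD/RT values, addresses and AS numbers are taken from the post's show output; the things the post never shows, R1's address on Gi1/0 in VRF das, the VRF OSPF process number 2, the prefix-list, and the PE-CE BGP password and prefix limit, are my assumptions and additions.

```cisco
! Added example, not the post's configs: PE R1 (AS 100) for VRF corp with a BGP CE (R3, AS 200)
! and VRF das with an OSPF CE, plus the R3 side. R4 (4.4.4.4) is configured the same way
! with VRF corp and its own CE (R5, AS 300).
!
! ---- R1 (PE) ----
ip vrf corp
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf das
 rd 102:1
 route-target export 102:1
 route-target import 102:1
!
interface FastEthernet3/0
 description CE R3 (AS 200), BGP PE-CE
 ip vrf forwarding corp
 ip address 192.168.103.2 255.255.255.252
!
interface GigabitEthernet1/0
 description CE 7.7.7.7, OSPF PE-CE (R1 address assumed)
 ip vrf forwarding das
 ip address 192.168.250.2 255.255.255.0
!
! Accept only the customer's own prefixes from the CE (assumed list)
ip prefix-list CORP-IN seq 5 permit 100.100.100.0/24
ip prefix-list CORP-IN seq 10 permit 200.200.200.0/24
!
router bgp 100
 bgp router-id 1.1.1.1
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf corp
  neighbor 192.168.103.1 remote-as 200
  neighbor 192.168.103.1 activate
  ! Same MD5 idea as the LDP post, applied to the PE-CE session
  neighbor 192.168.103.1 password joel
  neighbor 192.168.103.1 prefix-list CORP-IN in
  neighbor 192.168.103.1 maximum-prefix 100
  ! Gives the CE the PE-CE link (the r> 192.168.103.0/30 entry in R3's table)
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf das
  redistribute ospf 2 vrf das
 exit-address-family
!
router ospf 2 vrf das
 router-id 192.168.250.2
 network 192.168.250.0 0.0.0.255 area 0
 redistribute bgp 100 subnets
!
! ---- R3 (CE, AS 200) ----
router bgp 200
 bgp router-id 200.200.200.1
 network 100.100.100.0 mask 255.255.255.0
 network 200.200.200.0
 neighbor 192.168.103.2 remote-as 100
 neighbor 192.168.103.2 password joel
```

The prefix-list and maximum-prefix are the two controls a provider normally insists on at the PE-CE boundary: without them a customer can inject arbitrary prefixes, or enough of them to exhaust the PE, into the VRF. Verify on R1 with show ip bgp vpnv4 all summary (both neighbors Established with a prefix count) and on R3 with show ip bgp, which should show the far-end routes with path 100 300, as in the post's output below.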

Verifications (the r> on 192.168.103.0/30 below is a RIB-failure, expected because R3 already has that prefix as a connected route):
R3#show ip bgp
BGP table version is 7, local router ID is 200.200.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.5.5.5/32       192.168.103.2                          0 100 300 i
 *>  100.100.100.0/24 0.0.0.0                  0         32768 i
 r>  192.168.103.0/30 192.168.103.2            0             0 100 ?
 *>  200.200.200.0    0.0.0.0                  0         32768 i

R3#show ip bgp summary
BGP router identifier 200.200.200.1, local AS number 200
BGP table version is 7, main routing table version 7
4 network entries using 576 bytes of memory
4 path entries using 320 bytes of memory
3/3 BGP path/bestpath attribute entries using 408 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1352 total bytes of memory
BGP activity 5/1 prefixes, 5/1 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.103.2   4          100     147     147        7    0    0 02:09:38        2
R3#

R5 is the CE at the far end of the VPN (AS 300 in R3's table above); its Loopback5, 5.5.5.5, is the address we ping from R3 at the end.

R5#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES NVRAM  administratively down down
GigabitEthernet1/0     192.168.120.1   YES NVRAM  up                    up
FastEthernet2/0        unassigned      YES unset  administratively down down
FastEthernet2/1        unassigned      YES unset  administratively down down
Loopback5              5.5.5.5         YES NVRAM  up                    up
Loopback200            unassigned      YES unset  up                    up
R5#

R3#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES NVRAM  administratively down down
GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
FastEthernet2/0        192.168.103.1   YES NVRAM  up                    up
FastEthernet2/1        unassigned      YES NVRAM  administratively down down
Loopback100            100.100.100.1   YES NVRAM  up                    up
Loopback200            200.200.200.1   YES NVRAM  up                    up

R3#ping 5.5.5.5 source loopback 200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 200.200.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/119/164 ms
R3#