Post on 31-Dec-2016
Example: Campus Departments

[Network diagram: hub router R2 with spoke routers R3, R4 and R5 serving the Chemistry and Physics departments. Subnets shown: 150.1.3.0/24 and 192.168.3.0/24; 150.1.5.0/24 and 192.168.5.0/24; 150.1.4.0/24 (R4).]
Security Specification

• Point-to-point link subnets should not be advertised by OSPF.
• Routing of the 150.1.0.0/16 subnets should be unrestricted.
• The 192.168.0.0/16 subnets should not be advertised to other departments; only to the central administrative LAN.
• All security should be centrally controlled on the hub router R2.
Let's Try Area-Based Filtering…

R2 Configuration:

router ospf 1
 area 1 filter-list prefix CHEMISTRY_ROUTES out
!
ip prefix-list CHEMISTRY_ROUTES permit 150.1.5.0/24
ip prefix-list CHEMISTRY_ROUTES deny 0.0.0.0/0 le 32
OSPF: Textbook Myths

What the Textbooks Say
• All inter-area traffic must pass through Area 0.

What Actually Happens
• An ABR floods Type-3 LSAs describing each area out interfaces participating in all other areas.
• Routers with an active adjacency in Area 0 will ignore Summary LSAs that are received on non-backbone interfaces.
• Ergo, OSPF downshifts to distance-vector (DV) behavior when all backbone connectivity is lost.
OSPF Configuration

[Network diagram: the same topology (R2 hub; R3, R4, R5 spokes; subnets 150.1.3.0/24, 192.168.3.0/24, 150.1.5.0/24, 192.168.5.0/24, 150.1.4.0/24) with every link placed in Area 0.]
VRF Configuration

1. Create VRF instances
   1. Pick an alphanumeric name
   2. Assign the Route Distinguisher (RD)
2. Assign interfaces to a VRF
   1. The interface IP address will need to be reapplied after configuring: ip vrf forwarding <VRF_NAME>
3. Create OSPF processes
   1. One per VRF
The Route Distinguisher (RD)

• A formatted 8-byte number
  – <GLOBAL_ADMINISTRATOR>:<LOCAL_IDENTIFIER>

  Type 0: ASN (2 bytes) : Identifier (4 bytes)
  Type 1: IP Address (4 bytes) : Identifier (2 bytes)
  Type 2: ASN (4 bytes) : Identifier (2 bytes)

• Used to create a new address family
  – RD + IP Prefix → VPNv4 address (12 bytes)
• Allows multiple customers of a SP to advertise the same prefix
Hub Configuration So Far…

ip vrf BLUE
 rd 10.0.23.3:1
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
 no frame-relay inverse-arp
!
interface Serial0/0.1 point-to-point
 ip vrf forwarding BLUE
 ip address 10.0.23.2 255.255.255.0
 frame-relay interface-dlci 203
!
router ospf 1 vrf BLUE
 router-id 0.1.0.2
 network 0.0.0.0 255.255.255.255 area 0
OSPF → MP_BGP Redistribution 1/2

show ip route vrf {BLUE | GREEN | RED} ospf
show ip bgp vpnv4 all

1. Three disconnected VRF routing tables, each filled with routes learned from OSPF neighbors.
2. Add a BGP table containing VPNv4 addresses. A unique RD prevents duplicate IP prefixes from clashing.

[Diagram: the per-VRF tables of the R2 RIB feeding the vpnv4 table.]
OSPF → MP_BGP Redistribution 2/2

interface Loopback0
 ip address 10.0.2.2 255.255.255.255
!
router bgp 65534
 no bgp default ipv4-unicast
 !
 address-family ipv4 vrf BLUE
  redistribute ospf 1 vrf BLUE route-map OSPF_TO_BGP
  no synchronization
 exit-address-family
!
ip prefix-list P2P_SUBNETS seq 5 permit 10.0.0.0/8 ge 24
!
route-map OSPF_TO_BGP deny 10
 match ip address prefix-list P2P_SUBNETS
!
route-map OSPF_TO_BGP permit 20
Route Target – Export & Import

Export RT
• Assigned to prefixes within a VRF instance
• One RT per prefix
• Export maps are a useful tool

Import RT
• Assigned to VRF instances
• Multiple import tags per instance permitted
• Usually best to assign statically
BGP Extended Communities

• A formatted 8-byte value
  – 'Type' field indicates the format of the 6-byte value
  – 'Subtype' field indicates the intrinsic meaning
    • Route Target Community (0x02)
    • OSPF Domain Identifier (0x05)
• See RFC 7153 for full details
Configuring the RT

ip vrf VRF_BLUE
 rd 10.0.23.3:1
 export map EXPORT_MAP-VRF_BLUE
 route-target import 65534:3
 route-target import 65534:4
!
ip prefix-list VLAN3 seq 5 permit 192.168.3.0/24
!
route-map EXPORT_MAP-VRF_BLUE permit 10
 match ip address prefix-list VLAN3
 set extcommunity rt 65534:2
!
route-map EXPORT_MAP-VRF_BLUE permit 20
 set extcommunity rt 65534:1
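An added Python example, not part of the original slides, that works through the encodings the RD, Redistribution and RT slides describe: it packs an RD in its Type 0/1/2 form, builds the 12-byte VPNv4 address (RD + IPv4 prefix), shows that the same 192.168.x.0/24 prefix under two RDs stays distinct in the vpnv4 table, mirrors the P2P_SUBNETS prefix-list used by the OSPF_TO_BGP deny clause, and packs a Route Target extended community (type 0x00, subtype 0x02). The function names and the second RD 10.0.23.3:2 are my own, constructed for the demonstration.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode <GLOBAL_ADMINISTRATOR>:<LOCAL_IDENTIFIER> as an 8-byte RD.
    Type 0: 2-byte ASN : 4-byte id; Type 1: IPv4 : 2-byte id; Type 2: 4-byte ASN : 2-byte id."""
    admin, ident = rd.rsplit(":", 1)
    if "." in admin:                      # dotted administrator -> Type 1
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(ident))
    asn = int(admin)
    if asn <= 0xFFFF:                     # 2-byte ASN -> Type 0
        return struct.pack("!HHI", 0, asn, int(ident))
    return struct.pack("!HIH", 2, asn, int(ident))  # 4-byte ASN -> Type 2

def vpnv4_address(rd: str, prefix: str) -> bytes:
    """RD (8 bytes) + IPv4 network address (4 bytes) = 12-byte VPNv4 address."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed

def distinct_vpnv4(entries):
    """Set of VPNv4 addresses for (rd, prefix) pairs: the same IPv4 prefix
    imported from two VRFs with different RDs yields two distinct entries."""
    return {vpnv4_address(rd, prefix) for rd, prefix in entries}

def p2p_filtered(prefix: str) -> bool:
    """Mirror 'ip prefix-list P2P_SUBNETS seq 5 permit 10.0.0.0/8 ge 24' as used by
    the deny clause of OSPF_TO_BGP: True when the prefix is kept out of BGP."""
    net = ipaddress.IPv4Network(prefix)
    return net.subnet_of(ipaddress.IPv4Network("10.0.0.0/8")) and net.prefixlen >= 24

def encode_rt(rt: str) -> bytes:
    """Route Target extended community for an ASN:value RT: type 0x00 (2-byte ASN
    administrator), subtype 0x02 (Route Target), then the 6-byte value."""
    asn, value = rt.split(":")
    return struct.pack("!BBHI", 0x00, 0x02, int(asn), int(value))

if __name__ == "__main__":
    # Constructed sample: two VRFs on hub R2 both carrying 192.168.3.0/24.
    pairs = [("10.0.23.3:1", "192.168.3.0/24"), ("10.0.23.3:2", "192.168.3.0/24")]
    for rd, prefix in pairs:
        print(rd, prefix, "->", vpnv4_address(rd, prefix).hex())
    print("distinct VPNv4 entries:", len(distinct_vpnv4(pairs)))
    print("RT 65534:2 ->", encode_rt("65534:2").hex())
    print("10.0.23.0/24 filtered from export:", p2p_filtered("10.0.23.0/24"))
```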
MP_BGP → OSPF 1/2

• This final step causes 'leaked' routes to be advertised to spoke routers
• Leaked routes are perceived by OSPF as External
  – This looks ugly and is not representative of reality
  – Alternative routes may be preferred
• Setting an OSPF 'domain-id' will cause leaked routes to appear as inter-area Type-3
  – This tag is propagated through MP-BGP using the OSPF Domain Identifier Extended Community
MP_BGP → OSPF 2/2

!
router ospf 1 vrf VRF_BLUE
 router-id 0.1.0.2
 domain-id 123.123.123.123
 redistribute bgp 65534 subnets
 network 0.0.0.0 255.255.255.255 area 0
!
But… I Hate BGP!

• Route leaking can be accomplished statically
  – Between pairs of VRFs
  – Between a VRF and the global RIB
    • Useful for installing a default route into a VRF
• Requires two static routes
  – One in the VRF pointing to the global prefix
  – One in the global RIB pointing to the VRF (for return traffic)
• Remember to redistribute Static → IGP!
So Why Do Folks Want to Use MPLS?

• A question of scale
  • Only 961 DLCIs are available (16 through 976)
  • Rather more (4,089) VLAN tags
    – Normal range = 1 through 1005
      • Reserved numbers comprise 1, 1002 – 1005
    – Extended range = 1006 to 4094
• Stacked MPLS labels
  – Outer (aka 'Transport') label connects pairwise PE routers
  – Inner (aka 'VPN') label assigned per customer