Wednesday, July 7, 2010

INE OLS - PFR COMPONENT SETUP

INSTRUCTOR -  ANTHONY SEQUEIRA


OVERVIEW
  • Focus here is on MC and one or more BRs
______________________________________________________________
REVIEW
  • MC is the BRAINS of the operation.
  • BRs connect to ISP or WAN exit points.
  • MD5 PROTECTS MC to BR communication.
  • SEPARATE protocol exits for their communication.
  • SEPARATE from ALL other routing traffic.
  • EACH BR must have an EXTERNAL interface and an INTERNAL interface.
_____________________________________________________________
PRE-REQUISITES
  • CEF on ALL routers.
  • Routing protocol or static routing in place.
  • IPSEC or GRE VPN support ONLY.
  • MULTIPLE BRs MUST see next-hops in DIFFERENT subnets.
    • BRs communicating with MULTIPLE providers over BC media are NOT supported.
  • Exclude inbound MC source address from PfR control.
  • TOKEN RING IS NOT SUPPORTED.
______________________________________________________________
MASTER CONTROLLER
  • How much does MC do in a network?
    • Function of available memory.
  • NOT in traffic path , but it MUST have EFFICIENT access to BRs.
  • Up to 10 BRs with up to 20 EXTERNAL interfaces are supported.
_____________________________________________________________
BORDER ROUTER
  • This is a device IN TRANSIT PATH.
  • Known as POLICY ENFORCEMENT POINT.
  • There are some caveats associated with 6500 series switches.
______________________________________________________________
PfR INTERFACES
  • EXTERNAL :- Defined on MC.
    • Used for ACTIVE monitoring.
  • INTERNAL :- Defines on MC.
    • Used for PASSIVE monitoring with NetFlow.
  • BOTH INTERFACES EXIST ON BR AND DEFINED ON MC.
  • LOCAL :- Used for BR to MC communication.
    • Defined on BRs
    • FOR A SINGLE MC/BR, A LOOPBACK SHOULD BE USED.
________________________________________________________________
CONFIGURATION STEPS
  • CONFIGURE MC
    • Create KEY CHAIN
    • Define MC
      • oer master
      • Takes CLI into a SUB-MENU
    • Define BRs on MC
      • border (IP) key-chain (NAME)
      • OWN LOOPBACK IP IS USED IF MC/BR IS ONE AND THE SAME.
      • Takes CLI FURTHER into another SUB-MENU
    • Define INTERFACES in BR sub-menu
      • interface (NAME) internal|external
      • External takes CLI into a FURTHER SUB-MENU.
    • Define BRs
      • oer border
      • Define LOCAL interface - MC is POINTING to this IP.
        • local
      • Define MC on BR
        • master key-chain ()
__________________________________________________________________
VERIFICATION
  • show oer master
    • Issued on MC
  • show oer border
    • Issued on BR
Posted by at No comments:
Labels: ,

INE OLS - PFR DEMYSTIFIED

INSTRUCTOR - ANTHONY SEQUEIRA


INTRODUCTION
  • Performance Routing
  • Formerly known as OER - Optimized Edge Routing.
    • Most syntax still remains SAME.
  • Differs from TRADITIONAL routing as in it moves AWAY from the paradigm where routing is based on DESTINATION alone. Instead, PERFORMANCE is taken into consideration.
    • Given a scenario where there are TWO exit points out of an AS.
      1. LOW BW BUT LOW DELAY
      2. HIGH BW BUT HIGH JITTER
        • PfR will allow transmission of VOICE through ONE and DATA through the SECOND exit.
        • Happens dynamically.
    • Originally engineered for OUTBOUND traffic manipulation BUT CAN NOW INFLUENCE INBOUND FLOWS.
_____________________________________________________________
CORE COMPONENTS
  • MASTER CONTROLLER (MC)
    • The BRAINS of the whole operation.
    • Collects statistical data and UPDATES policy decisions.
      • Eg. Prefix injection.
    • DOES NOT HAVE TO BE IN TRAFFIC PATH. 
  • BORDER ROUTERS (BR)
    • Located at the network EDGE.
    • IN THE TRAFFIC PATH.
    • Enacts policy dictated by MC and CONTROLS traffic IN and OUT of external links.
    • INTERNAL LINKS DO NOT HAVE TO BE TRAFFIC PATH.
  • A Cisco router can funciton as a BR and MC SIMULTANEOUSLY. 
_______________________________________________________________
THE PROCESS
  • PROFILE PHASE
    • Identifies the TRAFFIC CLASSES that need to be controlled.
    • TC can be DISCOVERED by PfR or MANUALLY DEFINED.
  • MEASURE PHASE
    • BRs collect statistics and REPORT them to MC.
    • Measurements can be ACTIVE or PASSIVE
      • Passive - Interface statistics, NetFlow.
      • Active - IP SLA used to GENERATE and MEASURE traffic.
  • APPLY POLICY PHASE
    • Acceptable thresholds of performance are defined.
    • MC uses this info to IDENTIFY classes or links that are OUT OF POLICY (OOP)
  • CONTROL PHASE
    • IMPORTANT BUT NOT MANDATORY PHASE.
    • Here, MC controls ROUTING PROTOCOL decisions.
      • INJECT STATIC or BGP routes, CHANGE METRICS etc.
  • VERIFY PHASE
    • ENSURE the changes have brought the network BACK IN POLICY.
_______________________________________________________________
MC AND BR SETUP
  • Basic setup is SIMPLE; most subsequent configuration occurs on MC.
  • MASTER CONTROLLER SAMPLE CONFIG
    • key chain ()
      • key #
        • key-sting ()
    • !
    • oer master
      • keepalive ()
      • logging
      • !
      • border (IP) key-chain ()
        • interface (NAME) [internal | external]
    • KEY CHAIN SETUP IS MANDATORY.
    • LOGGING IS OPTIONAL BUT HELPFUL IN SETUP
    • INTERFACE NAMES ARE ON THE BR!!!!!!!!!!
      • EXTERNAL route OUT.
      • INTERNAL connect BR to MC.
  • BORDER ROUTER SAMPLE CONFIG
    • key chain ()
      • key #
        • key-sting ()
    • !
    • oer border
      • local (INTERFACE) <---------- LOCAL IP USED
      • master (IP) key-chain ()
  • VERIFICATION
    • show oer master|border
_________________________________________________________
THE PfR PROFILE PHASE

  • Dynamic discovery of TC (LEARN) or MANUAL configuration.
  • Any TC PROFILED are stored in MONITORED TRAFFIC CLASSES (MTC) table.
  • LEARNING PREFIX TRAFFIC CLASSES
    • Uses the NetFlow TOP TALKER feature.
      • Identifies prefixes with HIGHEST THROUGHPUT OR DELAY.
    • Aggregation and limits CONTROL the SIZE of the MTC.
    • MINIMAL BASE CONFIG for dynamic learning :-
      • oer master
        • learn
          • throughput
          • delay
  • LEARNING APPLICATION TRAFFIC CLASSES
    • Use the command protocol to identify ONLY those flows associated with an application.
  • CONFIGURING A PREFIX TRAFFIC CLASS
    • Prefixes are MANUALLY added to the MTC table using an OER-MAP.
    • OER map contains ONLY PERMIT entries.
      • Use PREFIX-LIST to DENY certain subnets.
    • SAMPLE CONFIGURATION
      • oer-map (NAME)
        • match ip address prefix-list ()
      • !
      • oer master
        • policy-rules
    • VERIFICATION
      • show oer master prefix learned
_______________________________________________________
THE PfR MEASURE PHASE

  • BRs PASSIVELY measure the MTC information OR ACTIVELY PROBE (IP SLA) configured targets.
    • ALSO monitor the the configured EXTERNAL links (LOAD/ERRORs)
  • Here, PfR classifies TC and LINKS into STATES. POLICY DECISION POINT (PDP)
    • default - TC or LINK is NOT under PfR control.
    • choose exit - PfR is ATTEMPTING to select an EXIT POINT based on PERFORMANCE and configured POLICY.
    • holddown - The MC has REQUESTED a BR to MONITOR the TC.
    • in-policy - Traffic is being forwarded through an interface that SATISFIES the default or user-defined policy.
    • out-of-policy - NO exits conform the policy. The MC may have to select the BEST available exit.
  • PASSIVE measurement is done with NETFLOW.
  • ACTIVE measurement is done with IP SLA.
  • SAMPLE CONFIGURATION
    • oer master
      • active-probe echo (IP)
    • Supported test are :
      • ICMP echo
      • UDP echo
      • Jitter
      • TCP connection.
______________________________________________________________
THE PfR APPLY PHASE

  • Policy can be applied that DICTATES ACCEPTABLE values from the MEASURE phase.
  • Timers help to ensure that network is NOT UNSTABLE as a result of PfR.
  • Policies are applied using the OER-MAP
    • Can be set GLOBALLY or for SPECIFIC TC.
    • SAMPLE CONFIGURATION
      • oer-map (NAME)
        • match ip address prefix-list ()
        • set delay threshold ()
      • !
      • oer master
        • policy-rulse (OER-MAP-NAME)
___________________________________________________________
THE PfR APPLY PHASE

  • OPTIONAL
  • Here, PfR actually CHANGES the FLOW of traffic based on MEASUREMENTS and the POLICY.
  • The mode route control places PfR in a mode where commands are sent to BRs to CONTROL ROUTING.
  • Changes are initiated when :-
    • A TC goes OOP.
    • An exit link goes OOP.
    • The periodic timer EXPIRES and TC are in CHOOSE EXIT.
  • Changes are enacted though IGP metric change, BGP attribute manipulation, route injection or PBR introduction.
__________________________________________________________
THE PfR VERIFY PHASE

  • This phase ENSURES that TC are brought back IN POLICY.
  • NetFlow is relied upon for VERIFY phase.
Posted by at No comments:
Labels: , , ,

Monday, July 5, 2010

NMC VOD Series - Lesson MPLS

Part 1 : BASIC CONFIGURATION
  • MPLS Layer 3 VPN BASICS
    • On Provider Edge router, each VPN (CUSTOMER) has its OWN Virtual Routing and Forwarding table (VRF).
    • Each VRF has TWO associated values it, Route Distinguisher and Route Target.
    • To setup a VRF :-
      • ip vrf
        • rd AA:NN
        • route-target import AA:NN
        • route-target export AA:NN
    • To assign an interface to a VRF :-
      • ip vrf forwarding
    • Routes redistributed INTO MP-BGP from the VRF are marked with EXPORT RT (BGP extended community)
    • On the receiving router, routes are IMPORTED into a VRF using the IMPORT RT.
    • Routes are TRANSPORTED across the MPLS core between PE routers using MP-BGP updates.
      • A 64-bit RD is COMBINED with IPv4 prefixes to create a GLOBALLY UNIQUE VPNv4 route.
      • Depending on the protocol being redistributed in MP-BGP, BGP extended communities are utilized to REPORT route attibutes such as :-
        • Route source
        • Route type
        • Route metric
    • UNICAST traffic between CUSTOMER sites, ACROSS the core between PEs uses MPLS.
      • TWO LABELS are used (STACKED)
      • TOP (TRANSPORT) label is SWAPPED/CHANGED HOP-TO-HOP towards the FAR side PE.
      • INNER (VPN) label remains UNCHANGED.
        • This is the label used by DESTINATION PE to determine the VPN/VRF the packet belongs to.
        • MP-BGP is used as the CONTROL protocol to exchange the VPN labels between PE routers.
_______________________________________________________________________________
  • BASIC LAYER-3 VPN CONFIGURATION
    • ENABLE MPLS IN THE CORE
      • Advertise CORE links via an IGP.
      • ENABLE LDP on core links.
    • ENABLE MP-BGP session between PE routers.
      • Peer the PEs in global BGP.
      • In the VPNv4 address-family, ACTIVATE the PE neighbors.
      • Configure them, in the VPNv4 address-family to exchange BGP extended communities.
    • Create the respective VRFs on PE routers.
      • DEFINE :-
        • VRFs
        • RDs
        • IMPORT/EXPORT RTs.
      • Associate interfaces with VRFs.
      • Usually the value of RT and RD is left the SAME for SANITY's sake but it is the RT value that is used to CONTROL the content of VRF table.
      • On receiving router, a route's RD is NATURALIZED to match the DESTINATION VRF's RD.
      • show ip vrf is used to VERIFY the VRFs.
    • ENABLE routing for PE-CE.
      • Can be ANY IGP with each having its own demands.
      • MANUALLY redistribute IGP into MP-BGP on the PE routers.
        • Also redistribute, inside proper VRF, BGP into IGP.
      • Redistribution is done under address-family vrf (name) ipv4 in MP-BGP.
_______________________________________________________________________________ PART 2 : TESTING AND VERIFICATION
  • Test reachability WITHIN each VPN via PING, TRACEROUTE etc.
    • no mpls ip propagate-ttl makes the P core TRANSPARENT by NOT copying the TTL value of the IP packet header to MPLS header.
      • THIS VALUE IS COPIED BY DEFAULT.
  • Test and verify ALL VRFs on PE routers.
    • Use PING, TRACEROUTE and TELENT PER VRF on the PEs.
  • Use show ip bgp vpnv4 all
    • Shows a SEPERATE BGP table for each RD/VPN/VRF.
    • Prefixes are sorted into the CORRECT VPN table by thier RD values.
  • show ip bgp vpnv4 (IP)
    • Shows individual prefix's information.
      • IP next-hop
      • Prefix metric
      • RT
      • RD/VPN label
________________________________________________________________________________
  • VPN AND LDP LABEL DISTRIBUTION
    • PEs assign VPN labels to PREFIXES to identify LOCAL VPNs.
      • Advertised via MP-BGP to FAR-SIDE PE for it to use as INNER LABEL when sending back a packet.
    • LDP is used to advertise the TRANSPORT label HOP-by-HOP for PE-P-PE.
    • TIP :- TAG/LABEL ADVERTISED BY ONE PE ROUTER IS USED BY ITS NEIGHBOR TO SEND DATA BACK TO ADVERTISING ROUTER.
      • TRUE FOR CONNECTED NEIGHBORS IN LDP AS WELL.
    • Switching of packets INSIDE the core takes place SOLELY on the base of LABEL imposed on the packet.
      • NO IP LOOKUP TAKES PLACE.
_________________________________________________________________________________ PART 3 - PE-CE ROUTER RELATIONSHIP
  • Using OSPF for PE-CE protocol.
    • On PE, configure ONE GLOBAL process and ONE process for EACH VPN.
    • Each OSPF PROCESS-ID must be DIFFERENT.
    • Each OSPF process on the PE router MUST HAVE A DIFFERENT ROUTER-ID
    • If there is an AREA 0 in the customer site, it MUST connect to the PE router.
    • VRF aware OSPF :-
      • router ospf (PID) vrf (NAME)
_________________________________________________________________________
  • OSPF-BGP INTERACTION
    • Manually redistribute between OSPF and BGP at the PE routers.
    • NORMALLY, NO ADJACENCY IS FORMED ACROSS THE CORE
    • BGP reports the ORIGINAL OSPF metric in MED attribute.
    • ORIGINAL AREA and ROUTE-TYPE are reported as an EXTENDED COMMUNITY VALUE.
      • A new value called DOMAIN-ID is reported and compared.
        • EQUAL to PROCESS-ID by default.
        • Can be changed in the OSPF process - domain-id #
        • ALL routes are redistributed as LSA-5 (external) if their DOMAIN-ID differs from the local one.
        • If SAME, routes are redistributed as LSA-3 (InterArea)
        • Core is called the SUPER BACKBONE and ADD another layer of hierarchy.
      • Extended community OSPF RT = X:Y:Z reports :
        • X = Original AREA
        • Y = Original LSA #
        • Z = 1 or 2 if LSA # is 5 or 7.
          • Reports metric type 1 or 2 for external LSA 5 or 7.
____________________________________________________________________________
  • OSPF LOOP AVOIDANCE AND SHAM-LINKS
    • Connecting customer sites to MULTIPLE PE routers can result in ROUTING LOOPS.
      • OSPF uses the concept of DOWN BIT in its redistributed LSA's and SHAM-LINKS to overcome these problems.
  • HOW THE DOWN-BIT AND ROUTE TAG STOP LOOPS
    • The DOWN-BIT keeps LSA-3/IA routes from REMOTE sites from being redistributed BACK into MP-BGP.
      • The PE router that receives the OSPF LSA-3 in MP-BGP updates sets the DOWNWARD bit on the LSA.
      • If another PE router receives this LSA from a VRF ENABLED INTERFACE, it will CLEAR the ROUTING-BIT on the LSA, THEREBY STOPPING THE LSA FROM BEING REDISTRIBUTED BACK INTO MP-BGP.
    • Similarly, a ROUTE-TAG keeps LSA-5/EX routes from being redistributed BACK INTO MP-BGP.
      • LSA-5 DO NOT support the concept of DOWNWARD-BIT.
      • Instead, a route-tag defined by RFC 1403 is used.
      • LAST 16 bits of the TAG define the BGP-AS the LSA was learnt from.
      • PE routers will IGNORE the LSA if the LOCAL AS matches ROUTE-TAG AS.
    • Downward-bit can cause an unnecessary problem if the CE router is using VRFs on its PE-CE interface.
      • Namely, the LSA with the down bit will have its routing bit cleared and will not be used to install routes into the routing table.
      • To overcome this issue, the special OSPF command capability vrf-lite is used.
      • This makes the CE router IGNORE the down bit and install the LSA into the RIB.
        • Using DIFFERENT DOMAIN-IDs to produce LSA-5 at the REMOTE END of MPLS core is the alternative and especially useful on catalyst switches that DO NOT support the above command.
        • The LSA-5, as noted above, do not have the concept of the downward bit and hence will be installed as normal.
__________________________________________________________________
  • OSPF SHAM-LINK
    • Sham-link creates a VIRTUAL INTRA-AREA path/link through the MPLS CORE BETWEEN THE PE ROUTERS.
    • This is needed to OVERCOME the OSPF preference for INTRA-AREA routes over ANY other routes.
      • Useful when the customer sites have a BACKDOOR link configured that is an INTRA-AREA link.
      • Once configured, the PEs will form and ADJACENCY across the MPLS core and exchange ROUTER-LSA (1).
      • COST of this link can now be manipulated to give the sham-link PREFERENCE over the BACKDOOR.
    • area (#) sham-link (local-IP) (remote-IP)
      • show ip ospf sham-link
    • END POINTS MUST BE CUSTOMER VRF HOST ROUTES.
      • Usually REDISTRIBUTED into MP-BGP and NOT advertised in OSPF itself to overcome RECURSIVE routing problems.
    • SHAM-LINK WILL BE CONFIGURED UNDER THE CUSTOMER VRF OSPF PROCESS.
_____________________________________________________________________
  • SUPPORTING EIGRP AS PE-CE PROTOCOL
    • EIGRP uses the concept of address-family just like MP-BGP.
      • autonomous-system (#) inside the address-family allots the AS to the VRF EIGRP instance.
    • If CE sites used DIFFERENT EIGRP AS numbers, the MP-BGP learnt routes are considered external.
    • If SAME AS is used, EIGRP behaves as ONE large AS across MPLS core.
      • ONE IMPORTANT DIFFERENCE IS THAT QUERIES ARE NOT SENT ACROSS MPLS CORE.
    • BGP transports internal metrics and route attributes using EXTENDED communities.
      • 0x8800 : 32768 (INTERNAL), 0 (EXTERNAL)
      • 0x8801 : AS# / SCALED DELAY ( DLY x 256/10)
      • 0x8802 : RELIABILITY, HOP-COUNT, SCALED BW
      • 0x8803 : LOAD, MTU
      • 0x8804 : REMOTE AS (0 FOR EXTERNAL) / ORIGINATING R-ID IN HEX
      • 0x8805 : REMOTE PROTOCOL, R-ID, METRIC (USED FOR REDISTRIBUTED ROUTES)
_______________________________________________________________________
  • BGP COST COMMUNITY
    • Allows user to CONTROL the use of BACKDOOR paths.
    • Contains THREE FIELDS.
      1. POINT OF INSERTION (POI) : PRE-BESTPATH permits COMPARISON BEFORE any other route attribute INCLUDING AD.
      2. COST COMMUNITY ID : 128 for EIGRP internal routes, 129 for EIGRP extrenal routes. LOWER PREFERRED.
      3. COST : EIGRP composite metric.
    • Configuration
      • Automatic but ROUTE-MAPS can be used to set values using extcommunity keyword and applied to neighbor statement.
      • bgp bestpath cost-community ignore can be use to ignore this process.
________________________________________________________________
  • BGP SITE-OF-ORIGIN COMMUNITY
    • Prevents routing loops when sites are MULTIHOMED.
    • EACH route is tagged with a SITE IDENTIFIER.
    • Set INSIDE a SPECIAL ROUTE-MAP.
      • set extcommunity soo AA:NN
    • Applied to customer VRF via a SITE-MAP.
      • ip vrf sitemap
      • This makes sure that the router will APPLY a TAG on EACH EIGRP route learnt VIA THIS INTERFACE.
      • Conversely, EIGRP will FILTER any updates containing this tag from ENTERING the interface.
________________________________________________________________
  • USING BGP AS PE-CE PROTOCOL
    • CEs on remote ends can be EITHER in SAME or DIFFERENT ASs.
    • CE's form eBGP peerings with PEs.
_____________________________________________________________
  • CUSTOMER USING A DIFFERENT BGP AS AT EACH SITE
    • On PE routers, the BGP peering is configured under address-family ipv4 vrf () for the respective CEs.
      • The CE neighbor is ACTIVATED to enable the exchange of routing information for the VRF.
    • The CE routers in the VPN are configured for NORMAL eBGP peering with PE.
    • VPNv4 prepends the RD to EACH advertised prefix, IDENTIFYING it with CORRECT VRF on the far side PE.
    • The CE routers receive ONLY the updates from their VPN.
_____________________________________________________________
  • CUSTOMER USING THE SAME BGP AS AT EACH SITE
    • The BGP loop-prevention (AS-PATH) mechanism prevents ONE site from successfully learning prefixes from ANOTHER.
    • SOLUTION 1 :- The as-override keyword can be used to MODIFY BGP update procedure.
      • EACH leading occurrence of customer AS is replaced by provider's AS.
      • USED on PE routers.
      • CAN OVERCOME AS-PATH PREPENDING.
    • SOLUTION 2 : - The allowas-in can alternatively used on CE routers to ACCEPT routes with OWN AS in AS-PATH.
___________________________________________________
  • MULTI-VRF CE (VRF-LITE)
    • The VRFs are EXTENDED from PE to CE routers in these types of scenario.
    • A TRUNK (using sub-interfaces in separate VRFs) between PE and CE keeps costs down and eases configuration.
    • EACH sub-interface is associated with VRF on BOTH sides of the trunk.
    • The ROUTED CE interfaces are ALSO configured for the VRFs.
    • Since CE routers are VRF-aware, capability vrf-lite will need to be used in OSPF for IGNORING LSA-3 with downward bits.
Posted by at No comments:
Labels: , , , , , , ,
Subscribe to: Comments (Atom)