Wednesday 29 August 2012

How genuine are you as a CCNP-certified engineer?


  1. What must be taken seriously into account when an MSTP region connects to a PVST region?
  2. What is the difference between the bpduguard and bpdufilter features?
  3. What is the BGP soft-reconfiguration inbound feature useful for?
  4. What loop-prevention mechanisms does a BGP route reflector use?
  5. What will happen if two IBGP peers accidentally use the same BGP router-id?
  6. What is the order of preference among OSPF route types when there is more than one OSPF route to the same destination?
  7. What is WRED (weighted random early detection) used for, and why?
  8. What does the ASBR (of an NSSA area) do when receiving N (external) routes?
  9. Can a BGP VPNv4 adjacency be formed and forward traffic if the address used to peer is not a /32?
  10. When redistributing routes into EIGRP, what parameters must be included? If they are not included, how does EIGRP treat the route?
  11. How do you originate a default route in BGP?
  12. What is the advantage of using a prefix-list over an access-list?
  13. What is the difference between Pop label and Untagged in the output of "show mpls forwarding-table"?
  14. What is the command to check the VPNv4 label used for a particular prefix on a router running BGP VPNv4?


 *How many questions can you answer? If it is fewer than 4, that is too bad. But don't feel small; I was once in the same situation as you. If you can answer more than 4, your skill is better than mine.*

BGP Route Aggregation, Route Unsuppression, Default-Route Injection


Objectives

1. AS12 aggregates 203.81.0.0/16 and advertises it with the AS-path information (as-set) of the advertised prefixes that fall within the supernet
2. AS3 needs to receive the supernet and 5.5.5.0/24
3. AS3 must not become a transit AS between the two ISPs
4. AS3 should use the cheap ISP as its primary ISP
5. AS4 is a customer that wants all the specific prefixes
6. AS6 needs only a default route to reach the rest of the network
7. AS4 and AS6 should use the direct link between them to reach each other's prefixes

R1 Config

interface Loopback0
 ip address 203.81.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.15.1 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.16.1 255.255.255.0
!
router bgp 12
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 network 203.81.1.0
 aggregate-address 203.81.0.0 255.255.0.0 as-set summary-only advertise-map REMOVE-AS3_PATH
 neighbor 192.168.12.2 remote-as 12
 neighbor 192.168.12.2 next-hop-self
 neighbor 192.168.15.5 remote-as 5
 neighbor 192.168.16.6 remote-as 6
 neighbor 192.168.16.6 default-originate
 neighbor 192.168.16.6 route-map DENY-ALL out
 no auto-summary
!
ip prefix-list R3 seq 5 permit 203.81.3.0/24
!
route-map REMOVE-AS3_PATH deny 10
 match ip address prefix-list R3
!
route-map REMOVE-AS3_PATH permit 100
!
route-map DENY-ALL deny 10

R2 Config

interface Loopback0
 ip address 203.81.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.24.2 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.23.2 255.255.255.0
!
router bgp 12
 no synchronization
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 network 203.81.2.0
 aggregate-address 203.81.0.0 255.255.0.0 as-set summary-only advertise-map REMOVE-AS3_PATH
 neighbor 192.168.12.1 remote-as 12
 neighbor 192.168.12.1 next-hop-self
 neighbor 192.168.23.3 remote-as 3
 neighbor 192.168.24.4 remote-as 4
 neighbor 192.168.24.4 unsuppress-map SPECIFIC_PREFIXES
 no auto-summary
!
ip prefix-list SPECIFIC_PREFIXES seq 5 permit 203.81.3.0/24
ip prefix-list SPECIFIC_PREFIXES seq 10 permit 203.81.1.0/24
ip prefix-list SPECIFIC_PREFIXES seq 15 permit 203.81.2.0/24
ip prefix-list SPECIFIC_PREFIXES seq 20 permit 203.81.6.0/24
!
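! prefix-list R3 is referenced below but missing from this listing; same entry as on R1
ip prefix-list R3 seq 5 permit 203.81.3.0/24
!
route-map REMOVE-AS3_PATH deny 10
 match ip address prefix-list R3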
!
route-map REMOVE-AS3_PATH permit 100
!
route-map SPECIFIC_PREFIXES permit 10
 match ip address prefix-list SPECIFIC_PREFIXES

R3 Config

interface Loopback0
 ip address 203.81.3.3 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.35.3 255.255.255.0
!
router bgp 3
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 network 203.81.3.0
 neighbor 192.168.23.2 remote-as 12
 neighbor 192.168.23.2 route-map PREPEND-AS in
 neighbor 192.168.23.2 route-map PREVENT-TRANSIT-AS out
 neighbor 192.168.35.5 remote-as 5
 neighbor 192.168.35.5 route-map PREVENT-TRANSIT-AS out
 no auto-summary
!
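! as-path access-list 1 is referenced below but absent from this listing;
! ^$ (locally originated routes only) is assumed, matching the advertised-routes output
ip as-path access-list 1 permit ^$
!
route-map PREVENT-TRANSIT-AS permit 10
 match as-path 1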
!
route-map PREPEND-AS permit 10
 set as-path prepend 3 3 3

R4 Config

interface Loopback0
 ip address 203.81.4.4 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.24.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.46.4 255.255.255.0
!
router bgp 4
 no synchronization
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 network 203.81.4.0
 neighbor 192.168.24.2 remote-as 12
 neighbor 192.168.46.6 remote-as 6
 neighbor 192.168.46.6 route-map R4-PREFIX out
 no auto-summary
!
ip prefix-list R4 seq 5 permit 203.81.4.0/24
!
route-map R4-PREFIX permit 10
 match ip address prefix-list R4

R5 Config

interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.15.5 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.35.5 255.255.255.0
!
router bgp 5
 no synchronization
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 network 5.5.5.0 mask 255.255.255.0
 neighbor 192.168.15.1 remote-as 12
 neighbor 192.168.35.3 remote-as 3
 no auto-summary

R6 Config

interface Loopback0
 ip address 203.81.6.6 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.16.6 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.46.6 255.255.255.0
!
router bgp 6
 no synchronization
 bgp router-id 6.6.6.6
 bgp log-neighbor-changes
 network 203.81.6.0
 neighbor 192.168.16.1 remote-as 12
 neighbor 192.168.46.4 remote-as 4
 neighbor 192.168.46.4 route-map R6-PREFIX out
 no auto-summary
!
ip prefix-list R6 seq 5 permit 203.81.6.0/24
!
route-map R6-PREFIX permit 10
 match ip address prefix-list R6

Verification

R5#show ip bgp

   Network          Next Hop            Metric LocPrf Weight Path
*> 5.5.5.0/24       0.0.0.0                  0         32768 i
*> 203.81.0.0/16    192.168.15.1             0             0 12 {6,4} i
*> 203.81.3.0       192.168.35.3             0             0 3 i

R3#show ip bgp

   Network          Next Hop            Metric LocPrf Weight Path
*  5.5.5.0/24       192.168.23.2                           0 3 3 3 12 5 i
*>                  192.168.35.5             0             0 5 i
*> 203.81.0.0/16    192.168.35.5                           0 5 12 {6,4} i
*                   192.168.23.2             0             0 3 3 3 12 {4,6} i
*> 203.81.3.0       0.0.0.0                  0         32768 i

R3#show ip bgp neighbor 192.168.35.5 advertised-routes

   Network          Next Hop            Metric LocPrf Weight Path
*> 203.81.3.0       0.0.0.0                  0         32768 i

R3#show ip bgp neighbor 192.168.23.2 advertised-routes

   Network          Next Hop            Metric LocPrf Weight Path
*> 203.81.3.0       0.0.0.0                  0         32768 i

R4#show ip bgp

   Network          Next Hop            Metric LocPrf Weight Path
*> 5.5.5.0/24       192.168.24.2                           0 12 5 i
*> 203.81.2.0       192.168.24.2             0             0 12 i
*> 203.81.3.0       192.168.24.2                           0 12 3 i
*> 203.81.4.0       0.0.0.0                  0         32768 i
*> 203.81.6.0       192.168.46.6             0             0 6 i

R6#show ip bgp

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          192.168.16.1             0             0 12 i
*> 203.81.4.0       192.168.46.4             0             0 4 i
*> 203.81.6.0       0.0.0.0                  0         32768 i





Tuesday 28 August 2012

L3VPN over Multipoint L2TPv3 Tunnel






P Router
R1 Config

interface FastEthernet0/0
 ip address 10.10.10.6 255.255.255.252
interface FastEthernet0/1
 ip address 10.10.10.10 255.255.255.252
interface FastEthernet1/0
 ip address 10.10.10.2 255.255.255.252
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

PE Routers
R2 Config

ip vrf cusA
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf l3vpn-l2tpv3
 rd 100:100
!
interface Loopback0
 ip address 10.10.10.102 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding l3vpn-l2tpv3
 ip address 172.16.1.102 255.255.255.255
 tunnel source Loopback0
 tunnel mode l3vpn l2tpv3 multipoint
!
interface FastEthernet1/0
 ip address 10.10.10.5 255.255.255.252
!
interface FastEthernet1/1
 ip vrf forwarding cusA
 ip address 172.16.24.2 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.10.103 remote-as 1
 neighbor 10.10.10.103 update-source Loopback0
 neighbor 10.10.10.106 remote-as 1
 neighbor 10.10.10.106 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 tunnel
 neighbor 10.10.10.103 activate
 neighbor 10.10.10.106 activate
 exit-address-family
 !
 address-family vpnv4
 neighbor 10.10.10.103 activate
 neighbor 10.10.10.103 send-community extended
 neighbor 10.10.10.103 route-map vpn-l2tpv3 in
 neighbor 10.10.10.106 activate
 neighbor 10.10.10.106 send-community both
 neighbor 10.10.10.106 route-map vpn-l2tpv3 in
 exit-address-family
 !
 address-family ipv4 vrf l3vpn-l2tpv3
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cusA
 redistribute connected
 redistribute static
 no synchronization
 exit-address-family
!
ip route vrf cusA 4.4.4.4 255.255.255.255 172.16.24.4
ip route vrf l3vpn-l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn-l2tpv3 permit 10
 set ip next-hop in-vrf l3vpn-l2tpv3

R3 Config

ip vrf cusA
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf l3vpn-l2tpv3
 rd 100:100
!
interface Loopback0
 ip address 10.10.10.103 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding l3vpn-l2tpv3
 ip address 172.16.1.103 255.255.255.255
 tunnel source Loopback0
 tunnel mode l3vpn l2tpv3 multipoint
!
interface FastEthernet1/0
 ip address 10.10.10.9 255.255.255.252
!
interface FastEthernet1/1
 ip vrf forwarding cusA
 ip address 172.16.35.3 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.10.102 remote-as 1
 neighbor 10.10.10.102 update-source Loopback0
 neighbor 10.10.10.106 remote-as 1
 neighbor 10.10.10.106 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 tunnel
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.106 activate
 exit-address-family
 !
 address-family vpnv4
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.102 send-community extended
 neighbor 10.10.10.102 route-map vpn-l2tpv3 in
 neighbor 10.10.10.106 activate
 neighbor 10.10.10.106 send-community both
 neighbor 10.10.10.106 route-map vpn-l2tpv3 in
 exit-address-family
 !
 address-family ipv4 vrf l3vpn-l2tpv3
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cusA
 redistribute connected
 redistribute static
 no synchronization
 exit-address-family
!
ip route vrf cusA 5.5.5.5 255.255.255.255 172.16.35.5
ip route vrf l3vpn-l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn-l2tpv3 permit 10
 set ip next-hop in-vrf l3vpn-l2tpv3

R6 Config

ip vrf cusA
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf l3vpn-l2tpv3
 rd 100:100
!
interface Loopback0
 ip address 10.10.10.106 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding l3vpn-l2tpv3
 ip address 172.16.1.106 255.255.255.255
 tunnel source Loopback0
 tunnel mode l3vpn l2tpv3 multipoint
!
interface FastEthernet1/0
 ip address 10.10.10.1 255.255.255.252
!
interface FastEthernet1/1
 ip vrf forwarding cusA
 ip address 172.16.67.6 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.10.10.102 remote-as 1
 neighbor 10.10.10.102 update-source Loopback0
 neighbor 10.10.10.103 remote-as 1
 neighbor 10.10.10.103 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 tunnel
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.103 activate
 exit-address-family
 !
 address-family vpnv4
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.102 send-community both
 neighbor 10.10.10.102 route-map vpn-l2tpv3 in
 neighbor 10.10.10.103 activate
 neighbor 10.10.10.103 send-community both
 neighbor 10.10.10.103 route-map vpn-l2tpv3 in
 exit-address-family
 !
 address-family ipv4 vrf l3vpn-l2tpv3
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cusA
 redistribute connected
 redistribute static
 no synchronization
 exit-address-family
!
ip route vrf cusA 7.7.7.7 255.255.255.255 172.16.67.7
ip route vrf l3vpn-l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn-l2tpv3 permit 10
 set ip next-hop in-vrf l3vpn-l2tpv3

CE Routers
R4 Config

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.16.24.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.24.2

R5 Config

interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.16.35.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.35.3

R7 Config

interface Loopback0
 ip address 7.7.7.7 255.255.255.255
!
interface FastEthernet0/0
 ip address 172.16.67.7 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.67.6

Verification

R2#show ip bgp ipv4 tunnel

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.10.102/32  0.0.0.0                  0         32768 ?
*>i10.10.10.103/32  10.10.10.103             0    100      0 ?
*>i10.10.10.106/32  10.10.10.106             0    100      0 ?

R2#show ip bgp vpnv4 all

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf cusA)
*> 4.4.4.4/32       172.16.24.4              0         32768 ?
*>i5.5.5.5/32       10.10.10.103             0    100      0 ?
*>i7.7.7.7/32       10.10.10.106             0    100      0 ?
*> 172.16.24.0/24   0.0.0.0                  0         32768 ?
*>i172.16.35.0/24   10.10.10.103             0    100      0 ?
*>i172.16.67.0/24   10.10.10.106             0    100      0 ?

R4#ping 5.5.5.5 source loopback 0
!!!!!

R4#ping 7.7.7.7 source loopback 0
!!!!!

Sunday 26 August 2012

MPLS VPN Configuration and Tracing LDP Labels

PE Routers
R1 Config

ip vrf one
 rd 1:1
 route-target export 1:1
 route-target import 1:1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 mpls ip
interface FastEthernet0/1
 ip vrf forwarding one
 ip address 192.168.15.1 255.255.255.0
router ospf 1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
router bgp 1
 no bgp default ipv4-unicast
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source Loopback0
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 address-family ipv4 vrf one
  redistribute connected
  redistribute static
ip route vrf one 5.5.5.5 255.255.255.255 192.168.15.5
ip route vrf one 55.55.55.55 255.255.255.255 192.168.15.5

R4 Config

ip vrf one
 rd 1:1
 route-target export 1:1
 route-target import 1:1
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.34.4 255.255.255.0
 mpls ip
interface FastEthernet0/1
 ip vrf forwarding one
 ip address 192.168.46.4 255.255.255.0
router ospf 1
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.34.4 0.0.0.0 area 0
router bgp 1
 no bgp default ipv4-unicast
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source Loopback0
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 address-family ipv4 vrf one
  redistribute connected
  redistribute static
ip route vrf one 6.6.6.6 255.255.255.255 192.168.46.6
ip route vrf one 66.66.66.66 255.255.255.255 192.168.46.6

P Routers
R2 Config

interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 mpls ip
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 mpls ip
router ospf 1
 network 192.168.12.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0

R3 Config

interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
 mpls ip
interface FastEthernet0/1
 ip address 192.168.34.3 255.255.255.0
 mpls ip
router ospf 1
 network 192.168.23.3 0.0.0.0 area 0
 network 192.168.34.3 0.0.0.0 area 0

CE Routers
R5 Config

interface Loopback0
 ip address 5.5.5.5 255.255.255.255
interface Loopback1
 ip address 55.55.55.55 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.15.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.15.1

R6 Config

interface Loopback0
 ip address 6.6.6.6 255.255.255.255
interface Loopback1
 ip address 66.66.66.66 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.46.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.46.4

Verification

R1#show bgp vpnv4 unicast all summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4     1      18      19       13    0    0 00:13:00        3

R1#show bgp vpnv4 unicast all
Route Distinguisher: 1:1 (default for vrf one)
*> 5.5.5.5/32       192.168.15.5             0         32768 ?
*>i6.6.6.6/32       4.4.4.4                  0    100      0 ?
*> 55.55.55.55/32   192.168.15.5             0         32768 ?
*>i66.66.66.66/32   4.4.4.4                  0    100      0 ?
*> 192.168.15.0     0.0.0.0                  0         32768 ?
*>i192.168.46.0     4.4.4.4                  0    100      0 ?


R5#ping 6.6.6.6 source loopback 0
!!!!!


The ingress PE router imposes two labels on the customer's data packets when forwarding them to the egress PE router. The bottom label in the label stack is the VPNv4 label, which the egress PE router uses to send the packet to the appropriate customer. The top label is the transport label, which is used in the provider core to switch the packets to the respective PE router.

Tracing the VPNv4 Label

R5#traceroute 6.6.6.6
  1 192.168.15.1 16 msec 28 msec 4 msec
  2 192.168.12.2 [MPLS: Labels 18/19 Exp 0] 80 msec 60 msec 76 msec
  3 192.168.23.3 [MPLS: Labels 18/19 Exp 0] 64 msec 116 msec 60 msec
  4 192.168.46.4 [MPLS: Label 19 Exp 0] 60 msec 68 msec 52 msec
  5 192.168.46.6 88 msec *  140 msec

R1#show bgp vpnv4 unicast vrf one 6.6.6.6
BGP routing table entry for 1:1:6.6.6.6/32, version 5
    4.4.4.4 (metric 31) from 4.4.4.4 (4.4.4.4)
         Extended Community: RT:1:1
      mpls labels in/out nolabel/19

R4#show bgp vpnv4 unicast vrf one labels
 Route Distinguisher: 1:1 (one)
   6.6.6.6/32       192.168.46.6    19/nolabel

Tracing Transport Label

R1#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
18     18          4.4.4.4/32        0          Fa0/0      192.168.12.2

R2#show  mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
18     18          4.4.4.4/32        4463       Fa0/1      192.168.23.3

R3#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
18     Pop tag     4.4.4.4/32        4748       Fa0/1      192.168.34.4
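
The label operations traced above, replayed hop by hop as an added example (not part of the original post): it parses the forwarding-table and traceroute output shown on this page and checks that the simulated label stack matches what traceroute reported. The router names per address come from the configs above; the function names and data layout are this example's own.

```python
import re

# Outputs copied from the verification section above.
LFIB_OUTPUT = {
    "R1": "18     18          4.4.4.4/32        0          Fa0/0      192.168.12.2",
    "R2": "18     18          4.4.4.4/32        4463       Fa0/1      192.168.23.3",
    "R3": "18     Pop tag     4.4.4.4/32        4748       Fa0/1      192.168.34.4",
}
TRACEROUTE = """\
  1 192.168.15.1 16 msec 28 msec 4 msec
  2 192.168.12.2 [MPLS: Labels 18/19 Exp 0] 80 msec 60 msec 76 msec
  3 192.168.23.3 [MPLS: Labels 18/19 Exp 0] 64 msec 116 msec 60 msec
  4 192.168.46.4 [MPLS: Label 19 Exp 0] 60 msec 68 msec 52 msec
  5 192.168.46.6 88 msec *  140 msec
"""
# Interface addresses from the configs above, used to name each hop.
OWNER = {"192.168.15.1": "R1", "192.168.12.2": "R2", "192.168.23.3": "R3",
         "192.168.34.4": "R4", "192.168.46.4": "R4", "192.168.46.6": "R6"}
VPN_LABEL = 19                # "mpls labels in/out nolabel/19" on R1, "19/nolabel" on R4
EGRESS_PE_FEC = "4.4.4.4/32"  # BGP next hop of 6.6.6.6/32 is R4's loopback

LFIB_RE = re.compile(r"^(\d+)\s+(Pop tag|Untagged|\d+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)$")
TRACE_RE = re.compile(r"\s*\d+\s+(\S+)\s+\[MPLS: Labels? ([\d/]+) Exp \d+\]")


def parse_lfib(outputs):
    """Return {router: {fec: (local_label, out_action, next_hop_router)}}."""
    table = {}
    for router, line in outputs.items():
        m = LFIB_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed LFIB line on {router}: {line!r}")
        local, out, fec, _intf, next_hop = m.groups()
        action = int(out) if out.isdigit() else out
        table.setdefault(router, {})[fec] = (int(local), action, OWNER[next_hop])
    return table


def replay(lfib, ingress="R1", max_hops=16):
    """Walk the LSP; return [(router, label stack as received)], top label first."""
    _local, out, router = lfib[ingress][EGRESS_PE_FEC]
    if out == "Untagged":
        raise RuntimeError("ingress has no transport label towards the egress PE")
    # Ingress PE imposes the VPN label first, then the transport label on top.
    stack = ([out] if isinstance(out, int) else []) + [VPN_LABEL]
    hops = []
    for _ in range(max_hops):
        hops.append((router, list(stack)))
        if len(stack) == 1:       # only the VPN label is left: egress PE reached
            return hops
        entry = next((e for e in lfib.get(router, {}).values() if e[0] == stack[0]), None)
        if entry is None:
            raise LookupError(f"{router} has no LFIB entry for label {stack[0]}")
        _local, out, router = entry
        if out == "Pop tag":      # penultimate hop popping: transport label removed
            stack.pop(0)
        elif out == "Untagged":   # every label removed: the VPN label would be lost
            raise RuntimeError("Untagged in the core breaks the VPN path")
        else:
            stack[0] = out        # ordinary label swap
    raise RuntimeError("label-switching loop")


def traceroute_labels(text):
    """Return [(router, [labels])] for the labelled hops in traceroute output."""
    hops = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            hops.append((OWNER[m.group(1)], [int(x) for x in m.group(2).split("/")]))
    return hops


if __name__ == "__main__":
    for router, stack in replay(parse_lfib(LFIB_OUTPUT)):
        print(router, "receives", "/".join(map(str, stack)))
```
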

Saturday 25 August 2012

Multicast MDT Using SSM

PE Routers
R1 Config

vrf definition one
 rd 1:1
 route-target export 1:1
 route-target import 1:1
  address-family ipv4
 mdt default 232.0.0.1
 mdt data 232.1.1.0 0.0.0.255
ip multicast-routing
ip multicast-routing vrf one
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
 ip pim sparse-mode
interface FastEthernet1/0
 ip address 192.168.12.1 255.255.255.0
 ip pim sparse-mode
 mpls ip
interface FastEthernet1/1
 vrf forwarding one
 ip address 192.168.14.1 255.255.255.0
 ip pim sparse-mode
router ospf 1
 network 10.10.10.10 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
router bgp 13
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 30.30.30.30 remote-as 13
 neighbor 30.30.30.30 update-source Loopback0
 neighbor 60.60.60.60 remote-as 13
 address-family vpnv4
  neighbor 30.30.30.30 activate
  neighbor 30.30.30.30 send-community extended
  neighbor 60.60.60.60 activate
  neighbor 60.60.60.60 send-community extended
 address-family ipv4 mdt
  neighbor 30.30.30.30 activate
  neighbor 30.30.30.30 send-community extended
  neighbor 60.60.60.60 activate
  neighbor 60.60.60.60 send-community extended
 address-family ipv4 vrf one
  redistribute connected
  redistribute static
ip pim ssm default
ip route vrf one 40.40.40.40 255.255.255.255 192.168.14.4
ip route vrf one 192.168.49.0 255.255.255.0 192.168.14.4

R3 Config

vrf definition one
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 mdt default 232.0.0.1
 mdt data 232.3.3.0 0.0.0.255
ip multicast-routing
ip multicast-routing vrf one
interface Loopback0
 ip address 30.30.30.30 255.255.255.255
 ip pim sparse-mode
interface FastEthernet1/0
 ip address 192.168.23.3 255.255.255.0
 ip pim sparse-mode
 mpls ip
interface FastEthernet1/1
 vrf forwarding one
 ip address 192.168.35.3 255.255.255.0
 ip pim sparse-mode
router ospf 1
 network 30.30.30.30 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
router bgp 13
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.10.10.10 remote-as 13
 neighbor 10.10.10.10 update-source Loopback0
 neighbor 60.60.60.60 remote-as 13
 address-family vpnv4
  neighbor 10.10.10.10 activate
  neighbor 10.10.10.10 send-community extended
  neighbor 60.60.60.60 activate
  neighbor 60.60.60.60 send-community extended
 address-family ipv4 mdt
  neighbor 10.10.10.10 activate
  neighbor 10.10.10.10 send-community extended
  neighbor 60.60.60.60 activate
  neighbor 60.60.60.60 send-community extended
 address-family ipv4 vrf one
  no synchronization
  redistribute connected
  redistribute static
ip pim ssm default
ip route vrf one 192.168.105.0 255.255.255.0 192.168.35.5

R6 Config

vrf definition one
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 mdt default 232.0.0.1
 mdt data 232.6.6.0 0.0.0.255
ip multicast-routing
ip multicast-routing vrf one
interface Loopback0
 ip address 60.60.60.60 255.255.255.255
 ip pim sparse-mode
interface FastEthernet1/0
 ip address 192.168.26.6 255.255.255.0
 ip pim sparse-mode
 mpls ip
interface FastEthernet1/1
 vrf forwarding one
 ip address 192.168.67.6 255.255.255.0
 ip pim sparse-mode
router ospf 1
 network 60.60.60.60 0.0.0.0 area 0
 network 192.168.26.6 0.0.0.0 area 0
router bgp 13
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor rr peer-group
 neighbor rr remote-as 13
 neighbor rr update-source Loopback0
 neighbor 10.10.10.10 peer-group rr
 neighbor 30.30.30.30 peer-group rr
 address-family vpnv4
  neighbor rr send-community extended
  neighbor rr next-hop-self
  neighbor 10.10.10.10 activate
  neighbor 30.30.30.30 activate
 address-family ipv4 mdt
  neighbor 10.10.10.10 activate
  neighbor 30.30.30.30 activate
 address-family ipv4 vrf one
  no synchronization
  redistribute connected
ip pim ssm default

P Router
R2 Config

interface Loopback0
 ip address 20.20.20.20 255.255.255.255
 ip pim sparse-mode
interface FastEthernet1/0
 ip address 192.168.12.2 255.255.255.0
 ip pim sparse-mode
 mpls ip
interface FastEthernet1/1
 ip address 192.168.23.2 255.255.255.0
 ip pim sparse-mode
 mpls ip
interface FastEthernet2/0
 ip address 192.168.26.2 255.255.255.0
 ip pim sparse-mode
 mpls ip
router ospf 1
 network 20.20.20.20 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0
 network 192.168.26.2 0.0.0.0 area 0
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0
ip pim ssm default

CE Routers 
R4 Config

ip multicast-routing
interface Loopback0
 ip address 40.40.40.40 255.255.255.255
 ip pim sparse-mode
interface FastEthernet1/0
 ip address 192.168.14.4 255.255.255.0
 ip pim sparse-mode
interface FastEthernet1/1
 ip address 192.168.49.4 255.255.255.0
 ip pim sparse-mode
ip pim bsr-candidate Loopback0 0
ip pim rp-candidate Loopback0
ip route 0.0.0.0 0.0.0.0 192.168.14.1

R5 Config

ip multicast-routing
interface FastEthernet1/0
 ip address 192.168.35.5 255.255.255.0
 ip pim sparse-mode
interface FastEthernet1/1
 ip address 192.168.105.5 255.255.255.0
 ip pim sparse-mode
ip route 0.0.0.0 0.0.0.0 192.168.35.3

R7 Config

ip multicast-routing
interface FastEthernet1/0
 ip address 192.168.67.7 255.255.255.0
 ip pim sparse-mode
ip route 0.0.0.0 0.0.0.0 192.168.67.6

C Router
R9 Config

ip multicast-routing
interface FastEthernet0/0
 ip address 192.168.49.9 255.255.255.0
 ip pim sparse-mode
ip route 0.0.0.0 0.0.0.0 192.168.49.4

R10 Config

ip multicast-routing
interface FastEthernet0/0
 ip address 192.168.105.10 255.255.255.0
 ip pim sparse-mode
ip route 0.0.0.0 0.0.0.0 192.168.105.5

Verification

R9#show ip pim rp map
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
  RP 40.40.40.40 (?), v2
    Info source: 40.40.40.40 (?), via bootstrap, priority 0, holdtime 150
         Uptime: 00:09:16, expires: 00:02:10

R1# show bgp ipv4 mdt all

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf one)
*> 10.10.10.10/32   0.0.0.0                                0 ?
*>i30.30.30.30/32   30.30.30.30              0    100      0 ?
*>i60.60.60.60/32   60.60.60.60              0    100      0 ?

R7(config)#interface fast1/0
R7(config-if)#ip igmp join-group 239.0.0.2

R10(config)#interface fast0/0
R10(config-if)#ip igmp join-group 239.0.0.1

R9#ping 239.0.0.1 repeat 10000
Reply to request 0 from 192.168.105.10, 136 ms
Reply to request 1 from 192.168.105.10, 168 ms

R9#ping 239.0.0.2 repeat 1000
Reply to request 19 from 192.168.67.7, 420 ms
Reply to request 20 from 192.168.67.7, 224 ms


R2#show ip mroute
(10.10.10.10, 232.0.0.1), 00:13:05/00:03:11, flags: sT
  Incoming interface: FastEthernet1/0, RPF nbr 192.168.12.1
  Outgoing interface list:
    FastEthernet2/0, Forward/Sparse, 00:13:05/00:03:11
    FastEthernet1/1, Forward/Sparse, 00:13:05/00:03:10

(60.60.60.60, 232.0.0.1), 00:13:07/00:03:08, flags: sT
  Incoming interface: FastEthernet2/0, RPF nbr 192.168.26.6
  Outgoing interface list:
    FastEthernet1/0, Forward/Sparse, 00:13:07/00:03:08
    FastEthernet1/1, Forward/Sparse, 00:13:07/00:03:08

(30.30.30.30, 232.0.0.1), 00:13:26/00:02:55, flags: sT
  Incoming interface: FastEthernet1/1, RPF nbr 192.168.23.3
  Outgoing interface list:
    FastEthernet1/0, Forward/Sparse, 00:13:26/00:02:52
    FastEthernet2/0, Forward/Sparse, 00:13:26/00:02:55

(10.10.10.10, 232.1.1.1), 00:00:31/00:02:58, flags: sT
  Incoming interface: FastEthernet1/0, RPF nbr 192.168.12.1
  Outgoing interface list:
    FastEthernet2/0, Forward/Sparse, 00:00:31/00:02:58

(10.10.10.10, 232.1.1.0), 00:01:35/00:02:53, flags: sT
  Incoming interface: FastEthernet1/0, RPF nbr 192.168.12.1
  Outgoing interface list:
    FastEthernet1/1, Forward/Sparse, 00:01:35/00:02:53

(*, 224.0.1.40), 00:15:49/00:02:19, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback0, Forward/Sparse, 00:15:46/00:02:19

R1#show ip int bri
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES NVRAM  administratively down down
FastEthernet1/0        192.168.12.1    YES NVRAM  up                    up
FastEthernet1/1        192.168.14.1    YES NVRAM  up                    up
Loopback0              10.10.10.10     YES NVRAM  up                    up
Tunnel0                192.168.12.1    YES unset  up                    up
Tunnel1                192.168.14.1    YES unset  up                    up
Tunnel2                10.10.10.10     YES unset  up                    up


R1#show ip mroute vrf one

(*, 239.0.0.1), 00:03:40/00:02:46, RP 40.40.40.40, flags: S
  Incoming interface: FastEthernet1/1, RPF nbr 192.168.14.4
  Outgoing interface list:
    Tunnel2, Forward/Sparse, 00:03:40/00:02:46

(192.168.49.9, 239.0.0.1), 00:03:07/00:00:22, flags: T
  Incoming interface: FastEthernet1/1, RPF nbr 192.168.14.4
  Outgoing interface list:
    Tunnel2, Forward/Sparse, 00:03:07/00:03:18

(*, 239.0.0.2), 00:02:01/00:03:28, RP 40.40.40.40, flags: S
  Incoming interface: FastEthernet1/1, RPF nbr 192.168.14.4
  Outgoing interface list:
    Tunnel2, Forward/Sparse, 00:02:01/00:03:28

(192.168.49.9, 239.0.0.2), 00:01:58/00:01:31, flags: T
  Incoming interface: FastEthernet1/1, RPF nbr 192.168.14.4
  Outgoing interface list:
    Tunnel2, Forward/Sparse, 00:01:58/00:03:28

(*, 224.0.1.40), 00:17:29/00:02:36, RP 0.0.0.0, flags: DPL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

R3#show ip mroute

(10.10.10.10, 232.0.0.1), 00:43:14/stopped, flags: sTIZ
  Incoming interface: FastEthernet1/0, RPF nbr 192.168.23.2
  Outgoing interface list:
    MVRF one, Forward/Sparse, 00:43:14/00:01:45

(60.60.60.60, 232.0.0.1), 00:43:16/stopped, flags: sTIZ
  Incoming interface: FastEthernet1/0, RPF nbr 192.168.23.2
  Outgoing interface list:
    MVRF one, Forward/Sparse, 00:43:16/00:01:43

(30.30.30.30, 232.0.0.1), 00:43:34/00:03:17, flags: sT
  Incoming interface: Loopback0, RPF nbr 0.0.0.0
  Outgoing interface list:
    FastEthernet1/0, Forward/Sparse, 00:43:34/00:03:17

(10.10.10.10, 232.1.1.0), 00:00:56/00:02:03, flags: sTIZ
  Incoming interface: FastEthernet1/0, RPF nbr 192.168.23.2
  Outgoing interface list:
    MVRF one, Forward/Sparse, 00:00:56/00:02:03

(*, 224.0.1.40), 00:45:38/00:02:25, RP 0.0.0.0, flags: DCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback0, Forward/Sparse, 00:45:34/00:02:25


R3#show ip mroute vrf one

(*, 239.0.0.1), 00:03:52/00:02:35, RP 40.40.40.40, flags: S
  Incoming interface: Tunnel1, RPF nbr 10.10.10.10
  Outgoing interface list:
    FastEthernet1/1, Forward/Sparse, 00:03:52/00:02:35

(192.168.49.9, 239.0.0.1), 00:03:19/00:00:10, flags: TY
  Incoming interface: Tunnel1, RPF nbr 10.10.10.10, MDT:[10.10.10.10,232.1.1.0]/00:01:50
  Outgoing interface list:
    FastEthernet1/1, Forward/Sparse, 00:03:19/00:03:07

(*, 239.0.0.2), 00:02:05/stopped, RP 40.40.40.40, flags: SP
  Incoming interface: Tunnel1, RPF nbr 10.10.10.10
  Outgoing interface list: Null

(192.168.49.9, 239.0.0.2), 00:02:05/00:01:47, flags: PT
  Incoming interface: Tunnel1, RPF nbr 10.10.10.10, MDT:[10.10.10.10,232.1.1.1]/00:01:50
  Outgoing interface list: Null

(*, 224.0.1.40), 00:17:02/00:02:59, RP 0.0.0.0, flags: DPL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null




DMVPN with Protection Over IPSEC

Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of virtual private network (VPN) supported on Cisco IOS-based routers and built on the standard protocols GRE, NHRP and IPsec. DMVPN makes it possible to create a dynamic-mesh VPN without statically pre-configuring every possible tunnel end-point peer, including the IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured as a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no configuration change on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be built dynamically on demand (dynamic mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability removes the need for the hub to route data between the spoke networks, along with the load that routing puts on it.
It also allows users to use the central services at the hub site.
For example, the central firewall policies at the hub site can be used when all spoke-site users go to the internet through the hub site.

R1 Config

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile dmvpn
 set transform-set set1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 10
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 no ip split-horizon eigrp 10
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile dmvpn
interface FastEthernet0/0
 description CONN-TO-ISP
 ip address 192.168.14.1 255.255.255.0
interface FastEthernet0/1
 ip address 10.10.15.1 255.255.255.0
router eigrp 10
 network 10.10.0.0 0.0.255.255
 no auto-summary
router ospf 1
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0

R2 Config

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile dmvpn
 set transform-set set1
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 10.10.10.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 10.10.10.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile dmvpn
interface FastEthernet0/0
 description CONN-TO-ISP
 ip address 192.168.24.2 255.255.255.0
interface FastEthernet0/1
 ip address 10.10.26.2 255.255.255.0
router eigrp 10
 network 10.10.0.0 0.0.255.255
 no auto-summary
router ospf 1
 router-id 2.2.2.2
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0

R3 Config

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile dmvpn
 set transform-set set1
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
interface Tunnel0
 ip address 10.10.10.3 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 10.10.10.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 123
 ip nhrp nhs 10.10.10.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile dmvpn
interface FastEthernet0/0
 ip address 10.10.37.3 255.255.255.0
interface FastEthernet1/0
 description CONN-TO-ISP
 ip address 192.168.34.3 255.255.255.0
router eigrp 10
 network 10.10.0.0 0.0.255.255
 no auto-summary
router ospf 1
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.0.0 0.0.255.255 area 0

R4 Config

interface FastEthernet0/0
 ip address 192.168.14.4 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.24.4 255.255.255.0
interface FastEthernet1/0
 ip address 192.168.34.4 255.255.255.0
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0

R5 Config

interface FastEthernet0/0
 ip address 10.10.15.5 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.15.1

R6 Config

interface FastEthernet0/0
 ip address 10.10.26.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.26.2

R7 Config

interface FastEthernet0/0
 ip address 10.10.37.7 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.37.3

Verification

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.1         3.3.3.3         QM_IDLE              4    0 ACTIVE
1.1.1.1         4.4.4.4         QM_IDLE              2    0 ACTIVE
1.1.1.1         2.2.2.2         QM_IDLE              3    0 ACTIVE

R2#show ip route eigrp
D       10.10.15.0 [90/297270016] via 10.10.10.1, 00:22:58, Tunnel0
D       10.10.37.0 [90/310070016] via 10.10.10.3, 00:19:38, Tunnel0

R5#ping 10.10.37.7
!!!!!
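
The R1 to R3 configs above use 3DES for IKE and ESP, configure no IKE group or hash (so platform defaults apply), accept the pre-shared key from any peer address, and reuse the same string for NHRP authentication. The script below is an added example (not part of the original post) that flags those settings in an IOS listing; the rule names and the hardened sample with its placeholder secrets are constructed for illustration.

```python
# Excerpt of the R1 (hub) config from this page.
PAGE_R1 = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile dmvpn
 set transform-set set1
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile dmvpn
"""

# Constructed sample: stronger algorithms, a per-peer key, distinct secrets.
HARDENED = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-PLACEHOLDER address 192.0.2.2
crypto ipsec transform-set set1 esp-aes 256 esp-sha256-hmac
 mode transport
interface Tunnel0
 ip nhrp authentication EXAMPLE-NHRP-PLACEHOLDER
 tunnel protection ipsec profile dmvpn
"""

WEAK_IKE_CIPHERS = {"des", "3des"}   # 56-bit key / 64-bit block ciphers
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def sections(config):
    """Group an IOS listing into (top-level line, [indented child lines])."""
    out = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out


def audit(config):
    """Return [(rule, offending text)] for weak or defaulted crypto settings."""
    findings, psks, nhrp_strings = [], set(), set()
    for header, body in sections(config):
        words = header.split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            opts = {b.split()[0]: b.split()[1:] for b in body}
            enc = opts.get("encr") or opts.get("encryption")
            if enc is None:
                findings.append(("ike-default-cipher", header))
            elif enc[0] in WEAK_IKE_CIPHERS:
                findings.append(("ike-weak-cipher", "encr " + " ".join(enc)))
            for opt in ("group", "hash"):
                if opt not in opts:   # nothing configured: platform default applies
                    findings.append((f"ike-default-{opt}", header))
        elif words[:3] == ["crypto", "isakmp", "key"] and "address" in words:
            # Form: crypto isakmp key [0|6] <key> address <peer> [mask]
            psks.add(words[4] if words[3] in ("0", "6") else words[3])
            if words[words.index("address") + 1] == "0.0.0.0":
                findings.append(("psk-wildcard-peer", "address 0.0.0.0"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = [t for t in words[4:] if t in WEAK_ESP]
            if weak:
                findings.append(("esp-weak-transform", " ".join(weak)))
        elif words[0] == "interface":
            for b in body:
                if b.startswith("ip nhrp authentication "):
                    nhrp_strings.add(b.split()[-1])
    if psks & nhrp_strings:           # report the reuse without echoing the secret
        findings.append(("secret-reuse", "PSK equals NHRP authentication string"))
    return findings


if __name__ == "__main__":
    for rule, text in audit(PAGE_R1):
        print(f"{rule:22} {text}")
```

A wildcard pre-shared key is what lets new spokes join without touching the hub, so removing that finding means per-peer keys or certificate authentication (`authentication rsa-sig`) instead.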