Saturday, July 21, 2018

Cisco and Huawei Command references

ılılılı Inderdeep Singh ılılılı

This is an interesting topic for enterprise networks that run both vendors' devices, where the admin needs the skills to execute commands on both Cisco and Huawei routers. It's a new world in which the best devices are mixed in the network to get the best practices in the network design.

Although networks are now moving to the cloud and to automation, the CLI is still central in today's networks, as many devices are still managed through CLI commands executed manually on the devices.

You can also share command-line comparisons for Cisco-Juniper, Cisco-Alcatel, Huawei-Juniper, Huawei-Alcatel and Alcatel-Juniper with us as well.

Today I am discussing the CLI commands of Cisco and Huawei devices and how they differ from each other. Let's have a look. If you have more information on commands for Cisco and Huawei, please share it with us so that it can be shared with people around the world.

Fig 1.1- Cisco and Huawei Commands

Above are some of the commands of Cisco and Huawei, showing how they differ between the two.

Please let me know if I am wrong somewhere so that we can edit, and please also share any other information you have regarding the comparison of commands between them.

BGP Route Aggregation

ılılılı Inderdeep Singh ılılılı

Today I am going to discuss the topic called "BGP Route Aggregation". There are many instances in a network where you really want BGP route aggregation, for example when you want to receive aggregated routes rather than the specific routes from other networks.

So now the question is: why do we require BGP route aggregation in the network?
Well, there are a lot of reasons for it. Some say you have a lot of specific routes from the same network and need to avoid that, so they want route aggregation in the network. Some say it is a way to shorten the multiple routes in the routing tables. It also saves CPU utilisation on the device itself.

Where are these kinds of scenarios used?
Take the case where a service provider has many routes on the PE router. You know you have many customers connected to one PE router, and you limit the routes (maybe 50) from the customer network. If the customer asks for more than 50 routes, and many of them are specific routes, you can limit them by using a single covering IP prefix, called an aggregated route, which can accommodate all the specific routes in one route.

Below is a sample topology showing route aggregation on Router R2.
Fig 1.1- Sample Topology BGP Route Aggregation

All the points discussed above are right. For example, for the aggregate destination 126.100.0.0/16, routes to 126.100.192.0/19 and 126.100.67.0/24 are contributing routes, but routes to 126.0.0.0/8 and 126.0.0.0/16 are not.

Route aggregation helps to minimize the size of the routing tables in an enterprise IP network: it consolidates selected multiple routes into a single route advertisement, instead of every routing table containing a unique entry for each route.

On the router that does the aggregation, this technique does not help reduce the size of the routing table. However, when you configure an export policy that advertises only the aggregate and no longer the contributing routes, you get the aggregation effect on the routers that receive the updates.

A route can contribute only to a single aggregate route. However, an active aggregate route can recursively contribute to a less specific matching aggregate route. For example, an aggregate route to the destination 126.100.0.0/16 can contribute to an aggregate route to 126.96.0.0/13.
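
The contribution rules above can be checked mechanically. The following is an added example, not code from the original post: it assigns each prefix to the single most specific aggregate that covers it, lets an active aggregate contribute to a shorter one, and lists what remains visible when contributing routes are hidden. The function names and the route 10.1.0.0/16 are constructed for the illustration; IPv4 prefixes are assumed.

```python
import ipaddress


def assign_contributors(aggregates, routes):
    """Map each aggregate prefix to the prefixes that contribute to it.

    A prefix contributes to exactly one aggregate: the most specific one that
    covers it. An aggregate with at least one contributor is active and may
    itself contribute to a less specific aggregate.
    """
    aggs = sorted((ipaddress.ip_network(a) for a in aggregates),
                  key=lambda n: n.prefixlen, reverse=True)
    table = {a: [] for a in aggs}

    def attach(net):
        covering = [a for a in aggs
                    if a.prefixlen < net.prefixlen and net.subnet_of(a)]
        if covering:
            table[max(covering, key=lambda a: a.prefixlen)].append(net)

    for route in routes:
        attach(ipaddress.ip_network(route))
    for agg in aggs:        # longest prefix first, so activity is already settled
        if table[agg]:
            attach(agg)
    return {str(a): [str(n) for n in members] for a, members in table.items()}


def advertised(aggregates, routes):
    """Prefixes left when contributing routes are hidden behind active aggregates."""
    table = assign_contributors(aggregates, routes)
    hidden = {p for members in table.values() for p in members}
    active = [a for a, members in table.items() if members]
    plain = [str(ipaddress.ip_network(r)) for r in routes]
    return [p for p in active + plain if p not in hidden]


if __name__ == "__main__":
    # Prefixes from the text; 10.1.0.0/16 is a constructed, unrelated route.
    nested = ["126.100.0.0/16", "126.96.0.0/13"]
    routes = ["126.100.192.0/19", "126.100.67.0/24", "126.0.0.0/8", "126.0.0.0/16"]
    print(assign_contributors(nested, routes))
    print(advertised(["180.0.0.0/8"],
                     ["180.10.0.0/16", "180.20.0.0/16", "10.1.0.0/16"]))
```

An aggregate with no contributing route stays inactive and is never listed by `advertised`.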
When an aggregate route becomes active, it is installed in the routing table with the following information:


  • Reject next hop—If a more-specific packet does not match a more-specific route, the packet is rejected and an ICMP unreachable message is sent to the packet’s originator.
  • Metric value as configured with the aggregate statement. 
  • Preference value that results from the policy filter on the primary contributor, if a filter is specified.
  • AS path as configured in the aggregate statement, if any. Otherwise, the path is computed by aggregating the paths of all contributing routes. 
  • Community as configured in the aggregate statement, if any is specified.

So let us suppose we have AS 400. Our BGP neighbor 10.10.10.2 is connected to AS 500, neighbor 20.20.20.2 is connected to AS 600, and neighbor 30.30.30.2 is connected to AS 700, and we got 3 routes named 180.10.0.0/16 and 180.20.0.0/16 received from AS 800. For the routes coming from AS 800 we need an aggregated route, so we need to put 180.0.0.0 255.0.0.0 in the BGP configuration as below.

!
router bgp 400
 neighbor 10.10.10.2 remote-as 500
 neighbor 20.20.20.2 remote-as 600
 neighbor 30.30.30.2 remote-as 700
 aggregate-address 180.0.0.0 255.0.0.0 summary-only
!

Let's check the configuration now.

Router# show ip bgp 
BGP table version is 6, local router ID is X.X.X.X
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 160.0.0.0/8      0.0.0.0                            32768 i      <-----Aggregated Route
s> 160.10.0.0       3.3.3.3                  0             0 200 i   <-----Specific Route
s> 160.20.0.0       2.2.2.2                  0             0 100 i   <-----Specific Route


Hope the above example clears up the concept of BGP route aggregation. Now you know which routes can be aggregated and how to configure them as aggregated routes.

Basic Configuration- Configure a Cisco ASA 5510 Firewall

ılılılı Inderdeep Singh ılılılı

This article gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: the Base license and the Security Plus license.

The second one (Security Plus) provides some performance and hardware enhancements over the Base license, such as 130,000 maximum firewall connections (instead of 50,000), 100 maximum VLANs (instead of 50), failover redundancy, etc. Also, the Security Plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.

Next we will see a simple Internet Access scenario which will help us to understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. Refer to the diagram below for our example scenario.

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let’s see a snippet of the required configuration steps for this basic scenario:

Fig 1.1- Sample Topology ASA 5510

Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:
ASA5510(config)# enable password << my secret password >>

Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut

Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc. I just tried to offer you a starting point for a basic configuration from where you can build your knowledge further. For a more complete practical guide about Cisco ASA Firewall configuration.

Tuesday, July 3, 2018

Cisco Datacenter: vPC ( Single and Double Sided vPC)

ılılılı Inderdeep Singh ılılılı

Let's talk about two different scenarios in the Cisco datacenter environment: the two vPC concepts called single-sided vPC and dual-sided vPC.

We have two different deployment scenarios for vPC in the datacenter:
  • In a single-datacenter environment we can use single-sided vPC (access layer or aggregation layer), or double-sided vPC, also called multilayer vPC (access layer using vPC interconnected to aggregation layer using vPC).
  • In a multi-datacenter environment we can have multilayer vPC for Aggregation and DCI, or a Dual Layer 2/Layer 3 Pod Interconnect.
Let's discuss each deployment method.

Single-Sided vPC: In single-sided vPC, access devices are directly dual-attached to a pair of Cisco Nexus 7000 Series Switches forming the vPC domain.
The access device can be anything, such as L2 switches, rack-mount or blade servers, load balancers, firewalls or storage devices. The access device has to support the port-channel connection to the vPC pair. The bundling can be LACP mode active, LACP mode passive, or static bundling (mode on). There are some recommendations when using LACP to connect to the vPC domain:
  • vPC with Cisco Nexus M1 Series module line-card: 16 active member ports (8 on peer device 1 and 8 on peer device 2)
  • vPC with Cisco Nexus F1/F2 Series module line card: 32 active member ports (16 on peer device 1 and 16 on peer device 2)
Fig 1.1- vPC -Single and Double Sided vPCs

Double-Sided vPC: In dual-sided vPC you have two different vPC domains: one from the distribution layer to the access-layer parent switch, and another from the parent access switch to the FEX devices. The vPC domain at the bottom is used for active/active connectivity from endpoint devices to the network access layer. The vPC domain at the top is used for active/active FHRP at the L2/L3 boundary in the aggregation layer.

Benefits of double-sided vPC over single-sided vPC topology are listed below:
  • Enables a larger Layer 2 domain.
  • Provides a higher resilient architecture. In double-sided vPC, two access switches are connected to two aggregation switches whereas in single-sided vPC, one access switch is connected to two aggregation switches.
  • Provides more bandwidth from the access to aggregation layer. Using a Cisco Nexus F1 or F2 Series modules line card for vPC and Cisco Nexus 5000 Series Switches

We can further discuss Multilayer vPC for Aggregation and DCI in another post. Keep connected and keep supporting.

Thursday, June 28, 2018

Introduction to Locator ID/Separation Protocol (LISP)

ılılılı Inderdeep Singh ılılılı
Locator ID/Separation Protocol (LISP), as the name shows, separates the location and the identifier of the network hosts, making it possible for virtual machines to move across subnet boundaries while keeping their IP address. LISP is composed of a network architecture and a set of protocols that enable new semantics for IP addressing by creating two namespaces:

Endpoint Identifiers (EIDs): EIDs are assigned to end hosts.
Routing Locators (RLOCs): RLOCs are assigned to routers that make up the global routing system.

The introduction of these separate namespaces provides several advantages, including the following:
  • Topologically aggregated RLOCs enable improved routing system scalability.
  • IP portability.
  • Easier IPv6 transition.
  • IP mobility: the host EIDs can move without changing the IP address of the host or virtual machine; only the RLOC changes on a host move.
LISP integrates well into the current network infrastructure and requires no changes to
the end host stack. It fosters a simple, incremental, network-based implementation with
most of the deployment at the network edge devices.

LISP Frame Format
A LISP frame’s outer encapsulation is a UDP frame where the source and destination IP addresses are the addresses of the Ingress Tunnel Router (ITR) and Egress Tunnel Router (ETR), respectively. For Layer 3 LISP, the destination UDP port number is 4341. The LISP header has the Locator reachability bits and the nonce fields.

Fig 1.1-CCIE Data-Center: LISP ( Locator ID/Separation Protocol)

LISP Routing
When a host transmits a packet, if the destination of the packet is in another LISP domain, it reaches the LISP ITR. The ITR maps the destination endpoint ID (EID) to an RLOC by looking up the destination in a map server. As shown in figure 2-6, using this information the ITR encapsulates the packet with an outer header. The destination RLOC is that of the ETR behind which the destination host exists. When the destination ETR is known, the ITR encapsulates the packet, setting the destination address to the RLOC of the destination ETR returned by the mapping infrastructure.

Fig 1.2-CCIE Data-Center: LISP ( Locator ID/Separation Protocol)
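
The frame format and the ITR lookup described above, as an added example that is not part of the original post: the ITR resolves the destination EID to an RLOC by longest-prefix match, prepends the 8-byte LISP header (nonce and locator bits) and a UDP header with destination port 4341, and the ETR validates and strips them. The map entries, addresses, source port and function names are constructed for the illustration; only the UDP and LISP headers are built, and the outer IP addresses are returned alongside them.

```python
import ipaddress
import struct

LISP_DATA_PORT = 4341   # destination UDP port for Layer 3 LISP data packets

# Constructed EID-prefix -> RLOC mappings, standing in for map-server replies.
MAP_CACHE = {
    "10.2.0.0/16": "203.0.113.2",
    "10.2.5.0/24": "203.0.113.5",
}


def lookup_rloc(dst_eid, cache=MAP_CACHE):
    """Longest-prefix match of a destination EID; None means 'not a LISP site'."""
    addr = ipaddress.ip_address(dst_eid)
    hits = [p for p in cache if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return cache[max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)]


def lisp_header(nonce, locator_status_bits):
    """8-byte LISP data header with the N (nonce) and L (locator bits) flags set."""
    flags = 0x80 | 0x40
    return struct.pack("!II", (flags << 24) | (nonce & 0xFFFFFF), locator_status_bits)


def itr_encapsulate(inner, itr_rloc, nonce, src_port=61000):
    """ITR side: return (outer source, outer destination, UDP datagram) or None."""
    dst_eid = str(ipaddress.ip_address(inner[16:20]))   # inner IPv4 destination
    etr_rloc = lookup_rloc(dst_eid)
    if etr_rloc is None:
        return None                                     # forward natively, no tunnel
    body = lisp_header(nonce, 0x1) + inner              # 0x1: first locator reachable
    udp = struct.pack("!HHHH", src_port, LISP_DATA_PORT, 8 + len(body), 0)
    return itr_rloc, etr_rloc, udp + body


def etr_decapsulate(datagram):
    """ETR side: validate the UDP and LISP headers and hand back the inner packet."""
    _sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if dport != LISP_DATA_PORT or length != len(datagram) or length < 16:
        raise ValueError("not a well-formed LISP data packet")
    word, lsb = struct.unpack("!II", datagram[8:16])
    return {"nonce": word & 0xFFFFFF, "lsb": lsb, "inner": datagram[16:]}


def ipv4_packet(src, dst, payload=b"ping"):
    """Constructed minimal IPv4 packet (header checksum left at 0) used as inner packet."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


if __name__ == "__main__":
    packet = ipv4_packet("10.1.0.10", "10.2.5.7")
    src, dst, datagram = itr_encapsulate(packet, "198.51.100.1", nonce=0xABCDEF)
    print(src, "->", dst, datagram[:16].hex())
    print(etr_decapsulate(datagram)["inner"] == packet)
```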

In addition to LISP routing, the location and EID separation provides flexible and unmatched mobility for IP endpoints without any subnet boundary limitation, allowing IP endpoints, regardless of their IP addresses, to be deployed anywhere. These EIDs can freely move within and across data center racks and across geographical and organisational boundaries. The LISP Mobility solution has the following characteristics:
  • Optimal shortest path routing.
  • Both IPv4 and IPv6 addresses are supported.
  • Support for load balancing and multi homing.
  • Provides a solution that is transparent to both EIDs and the core network.
By allowing IP endpoints to change location while maintaining their assigned IP address, the LISP mobility solution enables the IP endpoints to move between different subnets, while guaranteeing optimal routing to the IP endpoint.

Introduction to Cisco IOS Zone Based Firewall

ılılılı Inderdeep Singh ılılılı

In this article we will consider the topic of Cisco IOS Zone Based Firewall. Cisco IOS Zone Based Firewall allows us to define Security Zones and to give each zone its own policy.

Security Zone – interface or group of interfaces, on which particular policy is applied.  By default in the same Security Zone all traffic is permitted, but between security zones all traffic is blocked, except the traffic generated by the router. For permitting traffic between security zones, creating zone-pairs and policies for each zone are required.

Zone-pair – allows us to determine uni-directional firewall policy between zones. To put it simply, a zone-pair determines the direction of interesting traffic. The direction is determined between source and destination zones.

Zone policy – determines what kind of traffic should be denied or permitted between zones. For example: we want to permit HTTP traffic and deny SMTP traffic. Zone policy has three actions: “pass”, “drop” and “inspect”. Pass and drop actions have immediate effect on traffic, but Inspect action tells the router to use pre-defined class map for traffic filtration.

Fig 1.1- Cisco IOS Zone Based Firewall

Let’s consider an example in detail. In the following scenario, we will create two zones, inside and outside, and allow only PING (ICMP) from the Inside Zone to pass to the Outside Zone (not vice-versa).

Before starting configuration of Zone Based Firewall, make sure that everything works and all hosts are connected to each other. We will need to identify interfaces that will belong in the same security zone and group them together.

R1(config)#zone security INSIDE
R1(config)#zone security OUTSIDE
R1(config)#interface fa0/0
R1(config-if)#zone-member security INSIDE
R1(config)#interface fa0/1
R1(config-if)#zone-member security INSIDE
R1(config)#interface fa1/0
R1(config-if)#zone-member security OUTSIDE
R1(config)#class-map type inspect match-any CLASS_INSIDE_2_OUTSIDE
R1(config-cmap)#match protocol icmp

In class-map configuration we basically use two parameters: match-any and match-all. In the case of “match-any”, traffic can match any one of the match criteria, but in the case of match-all the traffic must match all criteria defined in the class-map. In our case we check only ICMP, so we can use either of them.

We’ve already determined what traffic we want to control and now we determine what to do with this traffic.


R1(config)#policy-map type inspect POLICY_INSIDE_2_OUTSIDE
R1(config-pmap)#class type inspect CLASS_INSIDE_2_OUTSIDE
R1(config-pmap-c)#inspect

Note: at the end of the policy map there is an implicit “deny all” by default, which looks like this:

class class-default
drop

R1(config)#zone-pair security PAIR_INSIDE_2_OUTSIDE source INSIDE destination OUTSIDE
R1(config-sec-zone-pair)#service-policy type inspect POLICY_INSIDE_2_OUTSIDE

Let’s do some checking. According to our scenario, hosts in the Inside zone must be able to ping hosts located in the Outside zone, but hosts in the Outside zone will not be able to ping hosts located in the Inside zone. Let’s see the result.

host1#ping 192.168.12.1
!!!!
host3#ping 192.168.1.2
.....
host3#ping 192.168.2.2
.....
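
The forwarding decision behind these ping results can be modelled in a few lines. This is an added example, not part of the original post and not Cisco code: it applies the rules stated above (same zone permitted, no zone-pair means drop, class-default drop) and shows why `inspect` lets the echo reply back in while a plain `pass` in one direction does not. The host-to-interface mapping (192.168.1.2 on fa0/0, 192.168.2.2 on fa0/1, 192.168.12.1 on fa1/0) and all names are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class ZoneFirewall:
    zones: dict                      # interface name -> security zone
    pairs: dict                      # (source zone, destination zone) -> {protocol: action}
    sessions: set = field(default_factory=set)

    def forward(self, in_if, out_if, proto, src, dst, reply=False):
        """Return 'permit' or 'drop' for one packet crossing the router."""
        zin, zout = self.zones[in_if], self.zones[out_if]
        if zin == zout:
            return "permit"                       # same zone: permitted by default
        if reply and (proto, dst, src) in self.sessions:
            return "permit"                       # reply to a flow that was inspected
        policy = self.pairs.get((zin, zout))
        if policy is None:
            return "drop"                         # no zone-pair in this direction
        action = policy.get(proto, "drop")        # class-default: drop
        if action == "inspect" and not reply:
            self.sessions.add((proto, src, dst))  # remember the flow for its replies
        return "drop" if action == "drop" else "permit"


ZONES = {"fa0/0": "INSIDE", "fa0/1": "INSIDE", "fa1/0": "OUTSIDE"}


def page_firewall(action="inspect"):
    """The zone-pair from the article: INSIDE -> OUTSIDE, ICMP only."""
    return ZoneFirewall(dict(ZONES), {("INSIDE", "OUTSIDE"): {"icmp": action}})


def ping(fw, in_if, out_if, src, dst):
    """A ping succeeds only if the echo and then the echo reply are both forwarded."""
    if fw.forward(in_if, out_if, "icmp", src, dst) != "permit":
        return False
    return fw.forward(out_if, in_if, "icmp", dst, src, reply=True) == "permit"


if __name__ == "__main__":
    fw = page_firewall()
    print(ping(fw, "fa0/0", "fa1/0", "192.168.1.2", "192.168.12.1"))   # host1 -> host3
    print(ping(fw, "fa1/0", "fa0/0", "192.168.12.1", "192.168.1.2"))   # host3 -> host1
    print(ping(page_firewall("pass"), "fa0/0", "fa1/0", "192.168.1.2", "192.168.12.1"))
```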

Wednesday, June 20, 2018

Lan-to-Lan IPSEC VPN between two Cisco Routers

ılılılı Inderdeep Singh ılılılı

With IPSEC VPNs, businesses can connect remote office LANs over the Internet with the strong encryption and security offered by the IPSEC protocol. IPSEC is an IETF security standard. It is basically a suite of several protocols that offer secure communication over insecure paths. It is therefore ideal for securely connecting distant LAN networks over the insecure Internet.

We have two types of IPSEC VPNs: Lan-to-Lan (or site-to-site) encrypted VPN and Remote Access VPN. The first one is extensively used to securely connect distant office networks and the second one for allowing remote users/teleworkers to access resources on a central site network. In this post we will briefly describe a Lan-to-Lan IPSEC VPN and provide a full configuration example with two Cisco IOS Routers using IPSEC.

We could use a private WAN network with Frame Relay or MPLS connections, but that would make the cost very high. Instead, with IPSEC VPN we can use cheap Internet connectivity (which will be secured by IPSEC) for communication between our remote sites.

We will be using the example diagram above for the configuration scenario. Generally, there are two Phases for IPSEC VPN:
  • Phase 1: In this Phase we configure an ISAKMP policy. This policy establishes an initial secure channel over which further communication will follow. It defines how the IPSEC peers will authenticate each other and what security protocols will be used.
  • Phase 2: In this Phase we configure a crypto map and crypto transform sets. In general, Phase 2 deals with traffic management of the actual data communication between sites. The transform sets configured here define what authentication and encryption protocols will be used on the data traffic.
There is a software VPN Configuration Tool which generates a fully working Router configuration for site-to-site VPN between Cisco Routers, which can be very handy in many situations requiring the configuration of different Cisco VPN scenarios.



Fig 1.1- LAN to LAN IPSEC communication

For manual site-to-site VPN config check out the following examples.
Let’s see the complete configurations for NBRouter_A and NBRouter_B below:

Configuration for NBRouter_A

NBRouter_A#show run
Building configuration...
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-A
!
boot-start-marker
boot-end-marker
!
!
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key testkey1234 address 200.0.0.1
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
set peer 200.0.0.1
set transform-set aes-sha-transform
match address acl_vpn
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
ip nat outside
crypto map aesmap
!
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 100.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end

Configuration for NBRouter_B

NBRouter_B#show run
Building configuration...
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-B
!
boot-start-marker
boot-end-marker
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key testkey1234 address 100.0.0.1
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set aes-sha-transform
match address acl_vpn
!
interface FastEthernet0/0
ip address 200.0.0.1 255.255.255.0
ip nat outside
!--- Apply crypto map to the outside interface.
crypto map aesmap
!
interface FastEthernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 200.0.0.2
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!

end
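
The tunnel only comes up, and only carries the intended traffic, when the two configurations mirror each other: each `set peer` points at the other router's outside address, the pre-shared key and transform set match, the crypto ACLs are mirror images, and the VPN traffic is denied in the NAT ACL before the general permit so it is not translated first. The following is an added example, not part of the original post: a checker for those points, run against a template constructed from the VPN-relevant lines of the two configs above. The function names are this example's own, and crypto ACL entries are assumed to have the form `permit ip <src> <wildcard> <dst> <wildcard>`.

```python
import re

# Constructed from the two router configs above (VPN-relevant lines only).
TEMPLATE = """\
crypto isakmp key {key} address {peer}
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer {peer}
 match address acl_vpn
interface FastEthernet0/0
 ip address {wan} 255.255.255.0
 crypto map aesmap
ip nat inside source list acl_nat interface FastEthernet0/0 overload
ip access-list extended acl_nat
 deny ip {lan} 0.0.0.255 {remote} 0.0.0.255
 permit ip {lan} 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip {lan} 0.0.0.255 {remote} 0.0.0.255
"""
ROUTER_A = TEMPLATE.format(key="testkey1234", wan="100.0.0.1", peer="200.0.0.1",
                           lan="192.168.1.0", remote="192.168.2.0")
ROUTER_B = TEMPLATE.format(key="testkey1234", wan="200.0.0.1", peer="100.0.0.1",
                           lan="192.168.2.0", remote="192.168.1.0")

PATTERNS = {
    "key": r"crypto isakmp key (\S+) address \S+$",
    "key_peer": r"crypto isakmp key \S+ address (\S+)$",
    "transform": r"crypto ipsec transform-set \S+ (.+)$",
    "peer": r"set peer (\S+)$",
    "crypto_acl": r"match address (\S+)$",
    "nat_acl": r"ip nat inside source list (\S+) ",
    "wan_candidate": r"ip address (\S+) \S+$",
}


def parse(cfg):
    """Extract the VPN-relevant settings from one router's configuration text."""
    facts, acl = {"acls": {}}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)$", line):
            acl = facts["acls"].setdefault(m.group(1), [])
        elif acl is not None and line.startswith(("permit ", "deny ")):
            acl.append(tuple(line.split()))
        else:
            acl = None
            for name, pattern in PATTERNS.items():
                if m := re.match(pattern, line):
                    facts[name] = m.group(1)
            if re.match(r"crypto map \S+$", line):    # map applied to an interface
                facts["wan"] = facts.get("wan_candidate")
    return facts


def mirror(entry):
    """Swap source and destination of an 'action ip src wildcard dst wildcard' entry."""
    action, proto, src, swild, dst, dwild = entry
    return (action, proto, dst, dwild, src, swild)


def check_pair(a, b):
    """Return the mismatches between two parsed peers; an empty list means consistent."""
    problems = []
    for name, x, y in (("A", a, b), ("B", b, a)):
        if x["peer"] != y["wan"]:
            problems.append(f"{name}: set peer {x['peer']} is not the remote outside address")
        if x["key_peer"] != x["peer"]:
            problems.append(f"{name}: pre-shared key is bound to {x['key_peer']}, not the peer")
        nat = x["acls"][x["nat_acl"]]
        permits = [i for i, e in enumerate(nat) if e[0] == "permit"]
        exempt = nat[:permits[0]] if permits else nat
        for e in x["acls"][x["crypto_acl"]]:
            if ("deny",) + e[1:] not in exempt:
                problems.append(f"{name}: VPN traffic {e[2]} -> {e[4]} is not exempted from NAT")
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ")
    acl_a, acl_b = a["acls"][a["crypto_acl"]], b["acls"][b["crypto_acl"]]
    if sorted(map(mirror, acl_a)) != sorted(acl_b):
        problems.append("crypto ACLs are not mirror images")
    return problems
```

`check_pair(parse(ROUTER_A), parse(ROUTER_B))` returns an empty list for the configurations shown; a wrong peer address, a missing NAT deny line or a non-mirrored crypto ACL each produce a named finding.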

Introduction to Multicast VPN

ılılılı Inderdeep Singh ılılılı

The new way refers to the setting up of Multipoint LSP in the MPLS VPN environment to carry multicast traffic in the VPN. Here, all CE routers belong to a single customer at different branches. There is no multicast receiver behind CE3 router. The MPLS core is PIM-free. Only PE routers will run PIM with the CE routers.

A separate function is required to enable IP multicast over a Multiprotocol Label Switching Virtual Private Networks (MPLS VPNs) network, as MPLS has no native ability to support it.

The Service Provider MVPN network forwards the customer IP multicast data to remote customer sites. To achieve this, customer traffic (C-packets) is encapsulated at the Service Provider PE inside P-packets. The encapsulated P-packet is then forwarded to remote PE sites as native multicast inside the P-Network.

During this process, the P-Network has no knowledge of the C-Network traffic. The PE is the device that participates in both networks. Note that there may be more than one Customer Network per PE.

PE routers configuration

The Loopback 0 interface of PE1 router is configured to be used as the Root Node IP address. The Opaque value for the multipoint LSP is constructed based on the VPN ID value of 1:1. The mdt default mpls mldp command creates the MP2MP LSP known to all PE routers for that particular VRF. This LSP is used to forward all customer multicast traffic by default.

Fig 1.1- Multicast VPN


Configuration on PE1 Router
!
ip vrf CUST1
 rd 1:1
 vpn id 1:1
 route-target both 1:1
 mdt default mpls mldp 1.1.1.1
!
interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
ip multicast-routing vrf CUST1
!
ip pim vrf CUST1 rp-address 12.1.1.1
!
interface fastethernet 1/1
 ip vrf forwarding CUST1
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
!
router bgp 100
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback 0
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback 0
 !
 address-family vpnv4
 neighbor 3.3.3.3 activate
 neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family ipv4 vrf CUST1
 redistribute connected
 exit-address-family
!

The configuration of PE2 and PE3 is the same as that of the PE1 router.

Configuration on PE2 Router
!
ip vrf CUST1
 rd 1:1
 vpn id 1:1        
 route-target both 1:1
 mdt default mpls mldp 1.1.1.1          
!
interface Loopback 0
 ip address 3.3.3.3 255.255.255.255
 ip ospf 1 area 0
!
ip multicast-routing vrf CUST1
!
ip pim vrf CUST1 rp-address 12.1.1.1
!
interface fastethernet 1/1
 ip vrf forwarding CUST1
 ip address 192.168.2.1 255.255.255.0
 ip pim sparse-mode
!
router bgp 100
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback 0
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback 0
 !
 address-family vpnv4
 neighbor 1.1.1.1 activate
 neighbor 4.4.4.4 activate
 exit-address-family
 !
 address-family ipv4 vrf CUST1
 redistribute connected
 exit-address-family
!

Configuration on PE3 Router
!
ip vrf CUST1
 rd 1:1
 vpn id 1:1        
 route-target both 1:1
 mdt default mpls mldp 1.1.1.1          
!
interface Loopback 0
 ip address 4.4.4.4 255.255.255.255
 ip ospf 1 area 0
!
ip multicast-routing vrf CUST1
!
ip pim vrf CUST1 rp-address 12.1.1.1
!
interface fastethernet 1/1
 ip vrf forwarding CUST1
 ip address 192.168.3.1 255.255.255.0
 ip pim sparse-mode
!
router bgp 100
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback 0
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback 0
 !
 address-family vpnv4
 neighbor 1.1.1.1 activate
 neighbor 3.3.3.3 activate
 exit-address-family
 !
 address-family ipv4 vrf CUST1
 redistribute connected
 exit-address-family
!

No multicast traffic is sent by CE routers at this stage.
