The Lazy Man’s Guide…
1
…toVirtualRouting&Forwarding
(ForCampusEngineers)
Dr.JohnS.Graham
(OARnet)
Example:CampusDepartments
Chemistry
150.1.5.0/24
R5
192.168.5.0/24
R2
R4
150.1.3.0/24
R3
Physics
150.1.4.0/24
192.168.3.0/24
3
SecuritySpecification
• Point-to-Pointlinksubnetsshouldnotbe
advertisedbyOSPF.
• Routingofthe150.1.0.0/16subnetsshouldbe
unrestricted.
• The192.168.0.0/16subnetsshouldnotbe
advertisedtootherdepartments;onlytothe
centraladministrativeLAN.
• Allsecurityshouldbecentrallycontrolledon
thehubrouterR2
4
Let’sTryArea-BasedFiltering…
router ospf 1
area 1 filter-list CHEMISTRY_ROUTES out
!
ip prefix-list CHEMISTRY_ROUTES permit 150.1.5.0/24
ip prefix-list CHEMISTRY_ROUTES deny 0.0.0.0/0 le 32
R2Configuration
5
(OSPF:TextbookMyths)
WhattheTextbooksSay
• Allinter-areatrafficmust
passthroughArea0.
WhatActuallyHappens
• AnABRfloodsType-3LSAs
describingeachareaout
interfacesparticipatinginall
otherareas
• Routerswithanactive
adjacencyinArea0willignore
SummaryLSAsthatare
receivedonnon-backbone
interfaces
• Ergo,OSPFdownshiftstoDV
behaviorwhenallbackbone
connectivityislost.
6
OSPFConfiguration
150.1.5.0/24
R5
192.168.5.0/24
Area0
Area0
R4
R2
150.1.4.0/24
Area0
150.1.3.0/24
R3
192.168.3.0/24
7
VRFConfiguration
1. CreateVRFInstances
1. PickAlphanumericName
2. AssigntheRouteDistinguisher(RD)
2. AssignInterfacestoaVRF
1. TheinterfaceIPaddresswillneedtobe
reappliedafterconfiguring:ip vrf
forwarding <VRF_NAME>
3. CreateOSPFProcesses
1. OneperVRF
8
TheRouteDistinguisher(RD)
• Aformatted 8-bytenumber
– <GLOBAL_ADMINISTRATOR>:<LOCAL_IDENTIFIER>
Type0
ASN
Identifier
Type1
IPAddress
Identifier
Type2
ASN
Identifier
• Usedtocreatenewaddressfamily
– RD+IPPrefixà VPNV4address(12-bytes)
• AllowsmultiplecustomersofaSPtoadvertise
sameprefix
9
HubConfigurationSoFar…
ip vrf BLUE
rd 10.0.23.3:1
!
interface Serial0/0
no ip address
encapsulation frame-relay
clock rate 2000000
no frame-relay inverse-arp
!
interface Serial0/0.1 point-to-point
ip vrf forwarding BLUE
ip address 10.0.23.2 255.255.255.0
frame-relay interface-dlci 203
!
router ospf 1 vrf BLUE
router-id 0.1.0.2
network 0.0.0.0 255.255.255.255 area 0
10
OSPFà MP_BGPRedistribution1/2
R2RIB
show ip route vrf {BLUE | GREEN | RED} ospf
1.ThreedisconnectedVRFroutingtables.EachfilledwithrouteslearnedfromOSFPneighbors.
R2RIB
show ip bgp vpnv4 all
vpnv4table
2.AddaBGPtablecontainingVPNV4addresses.UniqueRDpreventsduplicateIPprefixesfrom
11
clashing
OSPFà MP_BGPRedistribution2/2
interface Loopback0
ip address 10.0.2.2 255.255.255.255
!
router bgp 65534
no bgp default ipv4-unicast
!
address-family ipv4 vrf BLUE
redistribute ospf 1 vrf BLUE route-map OSPF_TO_BGP
no synchronization
exit-address-family
!
ip prefix-list P2P_SUBNETS seq 5 permit 10.0.0.0/8 ge 24
!
route-map OSPF_TO_BGP deny 10
match ip address prefix-list P2P_SUBNETS
!
route-map OSPF_TO_BGP permit 20
12
RouteTarget– Export&Import
ExportRT
• AssignedtoPrefixes within
aVRFinstance
• OneRTperprefix
• Exportmapsareauseful
tool
ImportRT
• AssignedtoVRFInstances
• MultipleImporttagsper
instancepermitted
• Usuallybesttoassign
statically
13
BGPExtendedCommunities
• Aformatted 8-Bytevalue
– ‘Type’fieldindicatesformatofthe6-Bytevalue
– ‘Subtype’fieldindicatesintrinsicmeaning
• RouteTargetCommunity(0x02)
• OSPFDomainIdentifier(0x05)
• SeeRFC7153forfulldetails
14
RouteLeakingSchema
15
ConfiguringtheRT
ip vrf VRF_BLUE
rd 10.0.23.3:1
export map EXPORT_MAP-VRF_BLUE
route-target import 65534:3
route-target import 65534:4
!
ip prefix-list VLAN3 seq 5 permit 192.168.3.0/24
!
route-map EXPORT_MAP-VRF_BLUE permit 10
match ip address prefix-list VLAN3
set extcommunity rt 65534:2
!
route-map EXPORT_MAP-VRF_BLUE permit 20
set extcommunity rt 65534:1
16
MP_BGPà OSPF1/2
• Thisfinalstepcauses‘leaked’routestobe
advertisedtospokerouters
• LeakedroutesperceivedbyOSPFasExternal
– Thislooksuglyandisnotrepresentativeofreality
– Alternativeroutesmaybepreferred
• SettinganOSPF‘domain-id’willcauseleaked
routestoappearasinter-areaType-III
– ThistagispropagatedthroughMP-BGPusingthe
OSPFDomainIdentifierExtendedCommunity
17
MP_BGPà OSPF2/2
!
router ospf 1 vrf VRF_BLUE
router-id 0.1.0.2
domain-id 123.123.123.123
redistribute bgp 65534 subnets
network 0.0.0.0 255.255.255.255 area 0
!
18
But…IHateBGP!
• Routeleakingcanbeaccomplishedstatically
– BetweenpairsofVRF
– BetweenaVRFandtheGlobalRIB
• UsefulforinstallingaDefaultrouteintoaVRF
• Requiretwo staticroutes
– OneinVRFpointingtoGlobalprefix
– OneinGlobalRIBpointingtoVRF(forreturn
traffic)
• RemembertoredistributeStaticà IGP!
19
SoWhyDoFolksWanttoUseMPLS?
• Aquestionofscale
• Only961DLCIareavailable(16through976)
• Rathermore(4,089)VLANtags
– Normalrange=1through1005
• Reservednumberscomprise1,1002– 1005
– Extendedrange=1006to4094
• StackedMPLSlabels
– Outer(aka ‘Transport’)labelconnectspairwisePE
routers
– Inner(aka ‘VPN’)labelassignedpercustomer
20
21