4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [ii] DMVPN with IPsec using preshared key

The feature works according to the following rules.

● Each spoke has a permanent IPsec tunnel to the hub, not to the other spokes in the network. Each spoke registers as a client of the NHRP server (the hub).

● When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke.

● After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPsec tunnel to the target spoke.

● The spoke-to-spoke tunnel is built over the multipoint GRE (mGRE) interface.

● Spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets bypass the hub and use the spoke-to-spoke tunnel.

● If an IP multicast stream originates from a spoke location, a rendezvous point (RP) must be deployed at the hub site in order for clients at other spoke sites to receive the stream.

● The mGRE tunnel interface allows a single GRE interface to support multiple IPsec tunnels, which reduces the size and complexity of the configuration.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4531-4534). Kindle Edition.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html

4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [iii] QoS profile

The Per-Tunnel QoS for DMVPN feature introduces per-tunnel quality of service (QoS) support for Dynamic Multipoint VPN (DMVPN) and increases per-tunnel QoS performance for Internet Protocol Security (IPsec) tunnel interfaces. It allows a QoS policy to be applied on a DMVPN hub per tunnel instance (per endpoint, i.e. per spoke) in the egress direction for hub-to-spoke tunnels.

The QoS policy on a DMVPN hub tunnel instance lets you shape the tunnel traffic to individual spokes (parent policy) and differentiate individual data flows going through the tunnel for policing (child policy). The policy the hub uses for a particular spoke is selected by the Next Hop Resolution Protocol (NHRP) group that the spoke is configured with and announces in its NHRP registration. Even though many spokes may be configured in the same NHRP group, the tunnel traffic of each spoke is measured individually for shaping and policing.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4612-4617). Kindle Edition.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-per-tunnel-qos.pdf

4.1.d Implement and troubleshoot DMVPN [single hub]

4.1.d [iv] Pre-classify

Configure qos pre-classify in VPN designs where both QoS and IPsec are performed on the same router and the QoS policy needs to match on fields of the cleartext packet other than the DSCP/ToS byte. The ToS byte is copied to the outer IP header by default, so DSCP-only classification works without it; source and destination addresses, protocols and ports are hidden once the packet is encrypted, and a policy on the physical egress interface can only see them if the router classifies the packet before encryption.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4647-4648). Kindle Edition.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html
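The following configuration illustrates both QoS sections above: per-tunnel QoS selected by NHRP group on the hub ([iii]) and qos pre-classify for a policy that sits on the physical WAN interface ([iv]). It is an added example and not configuration from the book or the Cisco documents; the group names, policy names, bandwidths and the SSH-based class are assumptions chosen for illustration.

```cisco
! ===== HUB: per-tunnel QoS (section [iii]) =====
! Child policy: differentiate flows inside one spoke's tunnel
class-map match-any VOICE
 match dscp ef
class-map match-any CRITICAL
 match dscp af31 af32 af33
policy-map SPOKE-CHILD
 class VOICE
  priority percent 20
 class CRITICAL
  bandwidth percent 30
 class class-default
  fair-queue
! Parent policies: shape each spoke to the rate it has bought
policy-map SPOKE-10M
 class class-default
  shape average 10000000
  service-policy SPOKE-CHILD
policy-map SPOKE-2M
 class class-default
  shape average 2000000
  service-policy SPOKE-CHILD
!
interface Tunnel0
 ! Map NHRP group name -> egress policy; each registered spoke gets its own
 ! instance of the policy even when many spokes share a group name.
 ip nhrp map group SPOKES-10M service-policy output SPOKE-10M
 ip nhrp map group SPOKES-2M service-policy output SPOKE-2M
!
! ===== SPOKE: announce its NHRP group in the registration =====
interface Tunnel0
 ip nhrp group SPOKES-2M
! Caveat: the group name comes from the spoke. A spoke that is reconfigured
! (or compromised) can register as SPOKES-10M and get the larger shaper, so
! the hub's mapping is a service-level control, not a security boundary.
!
! ===== Pre-classify (section [iv]) =====
! This policy is attached to the physical WAN interface, where the packet is
! already ESP (outer IP + ESP header). A class matching inner TCP ports only
! matches if the tunnel classifies the packet before encryption.
ip access-list extended SSH-MGMT
 permit tcp any any eq 22
class-map match-all MGMT
 match access-group name SSH-MGMT
policy-map WAN-OUT
 class MGMT
  bandwidth percent 10
 class class-default
  fair-queue
interface Tunnel0
 qos pre-classify
interface GigabitEthernet0/0
 service-policy output WAN-OUT
!
! Checks: show dmvpn detail                            -> NHRP group and output policy per spoke
!         show policy-map multipoint                   -> per-spoke shaper and child-class counters
!         show policy-map interface GigabitEthernet0/0 -> MGMT counters increase only with qos pre-classify
```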

 

4.1.c Implement and troubleshoot encapsulation

4.1.c [i] GRE

Tunneling provides a mechanism to transport packets of one protocol within another protocol (an extra level of indirection). The protocol that is carried is known as the passenger protocol, and the protocol used to carry it is known as the transport protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms; it uses IP as the transport protocol and can carry many different passenger protocols. The tunnels behave as virtual point-to-point links with two endpoints, identified by the tunnel source and tunnel destination addresses configured at each end.

Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface. Then you must configure the tunnel endpoints for the tunnel interface.

To configure the tunnel source and destination, issue the tunnel source {ip-address | interface-type interface-number} and tunnel destination {host-name | ip-address} commands in interface configuration mode for the tunnel.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4443-4452). Kindle Edition.

http://www.cisco.com/en/US/tech/tk827/tk369/tech_configuration_examples_list.html

 

4.1.c Implement and troubleshoot encapsulation

4.1.c [ii] Dynamic GRE

NHRP is used much like the Address Resolution Protocol (ARP) on Ethernet: it maps a tunnel (overlay) IP address to the Non-Broadcast Multi-Access (NBMA) IP address, i.e. the real transport address, of the router that owns it. This allows multipoint GRE (mGRE) tunnels to be set up dynamically without explicitly configuring a mapping entry for each potential next-hop destination. Dynamic GRE is configured using NHRP-based address resolution for mGRE. Multipoint GRE can be used both at the hub and at the spokes. Dynamic GRE, or Dynamic Multipoint VPN (DMVPN), can be configured with or without IPsec.

The message “%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing” means that the router has discovered a recursive routing problem on the GRE tunnel. Tunnel interface status depends on IP reachability to the tunnel destination. When the router detects that the route to the tunnel destination points back into the tunnel itself, it shuts the tunnel interface down for a few minutes so that the situation causing the problem can resolve itself as routing protocols converge. If the problem is caused by misconfiguration, the link can oscillate indefinitely. Another symptom of this problem is continuously flapping Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), or Border Gateway Protocol (BGP) neighbors when the neighbors are reached over a GRE tunnel.

This condition is usually due to one of these causes:

● A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself (recursive routing)

● A temporary instability caused by route flapping elsewhere in the network

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4465-4470). Kindle Edition.

http://www.cisco.com/en/US/products/ps6604/products_white_paper09186a0080c1e9d3.shtml
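The point-to-point GRE configuration from section [i] and the recursive-routing failure from section [ii] fit in one worked example: the tunnel, the misconfiguration that reproduces TUN-5-RECURDOWN, and the fix. This is an added example, not from the book or the linked Cisco pages; the WAN addresses (198.51.100.0/30 and 203.0.113.0/30 with provider gateways at .2), the overlay subnet 10.99.0.0/30, the tunnel key and the OSPF process are assumptions.

```cisco
! ===== R1: WAN 198.51.100.1/30 (gateway .2); R2: WAN 203.0.113.1/30 (gateway .2) =====
! R1 side shown; R2 mirrors it with 10.99.0.2 and tunnel destination 198.51.100.1.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 ! GRE provides neither confidentiality nor authentication; "tunnel key" is a
 ! demultiplexer that must match on both ends, not a secret. Keepalives let
 ! the tunnel go down instead of silently blackholing when the far end dies.
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel key 42
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! ----- How the recursive-routing failure is produced -----
! OSPF is enabled on the tunnel AND on the WAN interface. R2 advertises its WAN
! subnet 203.0.113.0/30 through the tunnel; on R1 that /30 is more specific
! than the default route, so the tunnel destination is now routed into
! Tunnel0 itself and IOS shuts the tunnel:
!   %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
! After a few minutes the tunnel comes back, the route is relearned, and it flaps.
router ospf 1
 network 10.99.0.0 0.0.0.3 area 0
 network 198.51.100.0 0.0.0.3 area 0      ! the mistake (R2 makes the same one)
!
! ----- Fix -----
! 1. Stop advertising the transport subnet into the overlay ...
router ospf 1
 no network 198.51.100.0 0.0.0.3 area 0
! 2. ... and pin the tunnel destination to the physical path, so no future
!    dynamic route (more specific than the default) can pull it into the tunnel.
ip route 203.0.113.1 255.255.255.255 198.51.100.2
!
! Checks: show ip route 203.0.113.1          -> via 198.51.100.2, GigabitEthernet0/0 (never Tunnel0)
!         show interfaces Tunnel0            -> line protocol up, "Tunnel protocol/transport GRE/IP"
!         show ip ospf neighbor              -> FULL and stable over Tunnel0
!         show logging | include RECURDOWN   -> no new entries
```

The host route in step 2 is the check a practitioner usually adds even when step 1 alone fixes the symptom: it makes the transport path for the tunnel endpoint independent of whatever the overlay IGP learns later.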

4.1.c Implement and troubleshoot encapsulation

4.1.c [iii] LISP encapsulation principles supporting EIGRP OTP

EIGRP Over the Top (OTP) allows the customer to establish EIGRP adjacencies across the MPLS/VPN provider cloud. An EIGRP targeted adjacency is created between CEs. This neighborship is formed with unicast packets, using the CE “WAN” IP address. This over-the-top peering allows EIGRP to exchange customer prefixes directly between CEs. Customer prefixes are NOT injected into the provider’s VRF routing table. To allow proper forwarding of user traffic across the MPLS/VPN cloud, user packets are encapsulated on the CE. The encapsulation header uses the WAN IP addresses of the CEs, which are known in the MPLS/VPN cloud.

Control Plane

The OTP control plane consists of an EIGRP targeted adjacency between CEs.

The neighborship is established using the CE WAN address, i.e. the address of the CE on the PE/CE link, so no dynamic routing protocol is needed between PE and CE. The PE just needs to redistribute its connected routes.

Data Plane

Since the customer prefixes are not known in the provider VRF, customer traffic cannot be forwarded natively through the provider cloud; it must be encapsulated by the CEs before being sent across it.

OTP leverages existing LISP encapsulation which:

● Allows dynamic multi-point tunneling

● Provides instance ID field to optionally support virtualization across WAN (see EVN WAN Extension section)

OTP does not use the LISP control plane (map server/map resolver, etc.); instead it uses EIGRP to exchange routes and provide the next hop, which the LISP encapsulation then uses to reach remote prefixes.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4478-4488). Kindle Edition.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/whitepaper_C11-730404.html
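The control plane and data plane described above come together in the CE configuration below (EIGRP named mode with a LISP-encapsulated targeted neighbor). This is an added example, not from the book or the Cisco white paper; the AS number, the CE WAN addresses 192.0.2.1 and 192.0.2.5, the customer prefix 10.1.0.0/16, the LISP instance ID and the authentication key are assumptions.

```cisco
! ===== CE1 (WAN 192.0.2.1/30, PE at .2); remote CE2 has WAN 192.0.2.5 =====
router eigrp OTP
 address-family ipv4 unicast autonomous-system 100
  af-interface GigabitEthernet0/0
   ! The adjacency crosses the provider cloud as plain unicast: authenticate
   ! it so nobody with reachability to the WAN address can peer with the CE.
   authentication mode hmac-sha-256 0 Str0ngEigrpKey
  exit-af-interface
  ! Targeted adjacency to the remote CE's WAN address. "remote 10" allows the
  ! neighbor to be up to 10 hops away; "lisp-encap 1" selects LISP data-plane
  ! encapsulation (LISP instance 1) for traffic toward prefixes learned from it.
  neighbor 192.0.2.5 GigabitEthernet0/0 remote 10 lisp-encap 1
  ! Customer prefixes are exchanged only CE to CE; the provider never sees them.
  network 10.1.0.0 0.0.255.255
  network 192.0.2.0 0.0.0.3
 exit-address-family
!
! The remote CE's WAN address must be reachable through the provider VRF.
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! ===== PE (provider side): no EIGRP at all, only the connected CE /30s =====
router bgp 65000
 address-family ipv4 vrf CUST
  redistribute connected
 exit-address-family
!
! Checks (CE1): show eigrp address-family ipv4 neighbors -> 192.0.2.5 via Gi0/0
!               show ip route eigrp                      -> remote site prefixes, next hop 192.0.2.5
!               show ip cef 10.2.0.0                     -> forwarded through the LISP0 interface
! Caveat: LISP encapsulation (UDP/4341) is not encrypted or authenticated;
! it hides the customer prefixes from the provider VRF, nothing more. Add
! IPsec on top if the provider cloud is not trusted with the payload.
```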

 

 

 

4.1.b Implement and troubleshoot basic MPLS L3VPN

4.1.b [i] L3VPN, CE, PE, P

Multiprotocol Label Switching (MPLS) was originally derived from Tag Switching and various other vendor IP-switching methods. It improves the scalability and performance of IP-routed networks by combining the intelligence of routing with the high performance of switching.

MPLS is now used for VPNs, which is an appropriate combination because MPLS decouples the information used to forward the packet (the label) from the information carried in the IP header.

MPLS VPNs can combine any of the following:

● Globally unique and routable addresses

● Globally unique, non-routable addresses

● Private addresses (RFC1918)

● Addresses that are neither globally unique nor private.

Label Switched Paths are bound to VPN-IP routes and are confined to the VPN Service Provider.

A P router, or Provider router, is a Label Switch Router (LSR) that functions as a transit router in the core network; it forwards on labels only and holds no customer routes. A Provider Edge router (PE router) sits at the edge of the service provider network: it terminates the customer attachment circuits, holds one VRF per customer VPN, and exchanges VPN routes with other PEs over MP-BGP.

The customer edge (CE) is the router at the customer premises that connects to the provider edge of the service provider IP/MPLS network. The CE peers with the PE and exchanges routes with the corresponding VRF inside the PE. The PE-CE routing can be static or dynamic (an Interior Gateway Protocol such as OSPF or an Exterior Gateway Protocol such as BGP).

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4427-4430). Kindle Edition.

http://labelswitched.blogspot.com/2013/01/cisco-bgpmpls-l3vpn-basics.html
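A minimal L3VPN showing the three roles (P forwards labels only, PE holds the VRF and the MP-BGP session, CE speaks plain eBGP). This is an added example, not from the book or the linked blog; the AS numbers, loopbacks 10.255.0.x, the RD/RT 65000:100, the PE-CE link 192.168.100.0/30 and the BGP password are assumptions.

```cisco
! ===== P (core): labels only, no customer state =====
interface Loopback0
 ip address 10.255.0.3 255.255.255.255
mpls ldp router-id Loopback0 force
router ospf 1
 network 10.255.0.3 0.0.0.0 area 0
 network 10.0.0.0 0.0.255.255 area 0
interface GigabitEthernet0/0
 ip address 10.0.13.3 255.255.255.0
 mpls ip
!
! ===== PE1: VRF toward the customer, MP-BGP toward PE2 (10.255.0.2) =====
vrf definition CUST-A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
 exit-address-family
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
mpls ldp router-id Loopback0 force
interface GigabitEthernet0/0
 ip address 10.0.13.1 255.255.255.0
 mpls ip
interface GigabitEthernet0/1
 vrf forwarding CUST-A
 ip address 192.168.100.1 255.255.255.252
router ospf 1
 network 10.255.0.1 0.0.0.0 area 0
 network 10.0.0.0 0.0.255.255 area 0
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
 address-family ipv4 vrf CUST-A
  ! eBGP to the CE: authenticate the session and cap what the customer can inject
  neighbor 192.168.100.2 remote-as 65100
  neighbor 192.168.100.2 password PeCeSecret
  neighbor 192.168.100.2 maximum-prefix 100
  neighbor 192.168.100.2 activate
 exit-address-family
!
! ===== CE-A1: plain eBGP to the PE, no MPLS or VRF knowledge =====
interface GigabitEthernet0/0
 ip address 192.168.100.2 255.255.255.252
router bgp 65100
 neighbor 192.168.100.1 remote-as 65000
 neighbor 192.168.100.1 password PeCeSecret
 network 10.1.0.0 mask 255.255.0.0
!
! Checks on PE1:
!   show ip route vrf CUST-A bgp       -> remote-site prefix, next hop PE2's loopback
!   show bgp vpnv4 unicast all labels  -> VPN label allocated per prefix
!   show mpls forwarding-table         -> LDP transport label for 10.255.0.2/32
!   show ip cef vrf CUST-A 10.2.0.0    -> two labels imposed: LDP (top) + VPN (bottom)
```

The `password` and `maximum-prefix` lines are the two checks to insist on at the PE-CE boundary: the VRF isolates customers from each other, but without them a single customer can still spoof its session or flood the PE's VRF table.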

 

4.1.b Implement and troubleshoot basic MPLS L3VPN

4.1.b [ii] Extranet [route leaking]

There are two primary uses of route leaking in MPLS VPN context.

● Route leaking from a global routing table into a VPN routing/ forwarding instance (VRF) and route leaking from a VRF into a global routing table

● Route leaking between different VRFs

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4433-4437). Kindle Edition.

http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
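Both kinds of leaking from the list above, worked through on one PE: a VRF-to-VRF extranet that exposes only one subnet in each direction via route-target export maps, and VRF-to-global / global-to-VRF statics. This is an added example, not from the book or the Cisco configuration example; VRF names, RD/RT values, the shared subnets 10.200.0.0/24 and 10.210.0.0/24, and the global next hop 203.0.113.254 are assumptions.

```cisco
! ===== Extranet between VRFs: share only specific subnets =====
! CUST-A offers a server subnet to CUST-B; CUST-B exposes only its client subnet back.
ip prefix-list A-SHARED seq 5 permit 10.200.0.0/24
ip prefix-list B-CLIENTS seq 5 permit 10.210.0.0/24
!
route-map A-EXPORT permit 10
 match ip address prefix-list A-SHARED
 set extcommunity rt 65000:999 additive
route-map B-EXPORT permit 10
 match ip address prefix-list B-CLIENTS
 set extcommunity rt 65000:998 additive
!
vrf definition CUST-A
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
  export map A-EXPORT            ! adds RT 65000:999 only to 10.200.0.0/24
  route-target import 65000:998  ! receives only B's client subnet
 exit-address-family
!
vrf definition CUST-B
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:200
  export map B-EXPORT            ! adds RT 65000:998 only to 10.210.0.0/24
  route-target import 65000:999  ! receives only A's shared subnet
 exit-address-family
! Importing 65000:100 wholesale into CUST-B would leak all of A; the extra RTs
! keep the extranet to exactly the two prefixes that were agreed.
!
! ===== VRF <-> global routing table (e.g. shared Internet exit in global) =====
! VRF default toward a next hop resolved in the global table
ip route vrf CUST-A 0.0.0.0 0.0.0.0 203.0.113.254 global
! Return path: the global table reaches the customer subnet through the VRF
! interface; the next hop must be given so CEF resolves it inside the VRF.
ip route 10.1.0.0 255.255.0.0 GigabitEthernet0/1 192.168.100.2
! Caveat: this punches the customer's prefix into the global table for every
! device that has global reachability; filter at the Internet edge, and never
! point a global default route into a VRF interface.
!
! Checks: show bgp vpnv4 unicast vrf CUST-B 10.200.0.0/24   -> Extended Community RT:65000:999
!         show ip route vrf CUST-B 10.200.0.0               -> present; other CUST-A prefixes absent
!         show ip route 10.1.0.0                             -> global entry via GigabitEthernet0/1
```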

4.1.a Implement and troubleshoot MPLS operations

4.1.a [i] Label stack, LSR, LSP

As packets are forwarded in a label-switching framework , MPLS routers encapsulate the packets with special headers called labels. A label basically tells the router which Label Switched Path (LSP) it belongs to. The router can then use the ingress port and the LSP information to determine where the next hop in the LSP is. You can actually add labels to packets that already have labels (known as label stacking).

A MPLS router that performs routing based only on the label is called a label switch router (LSR) or transit router.

An LSP is a path through an MPLS network, set up by a signaling protocol such as LDP, RSVP-TE, BGP or CR-LDP. The path is set up based on criteria in the Forwarding Equivalence Class (FEC).

In order to scale an MPLS network in which different types of platforms and services exist in different parts of the network, it makes sense to split the network into different areas. A typical design introduces a hierarchy with a core in the center and aggregation on the sides. To scale, there can be different Interior Gateway Protocols (IGPs) in the core and in the aggregation, and the IGP prefixes must not be redistributed from one IGP into the other. But if the IGP prefixes are not distributed between the IGPs, end-to-end Label-Switched Paths (LSPs) are not possible, and delivering MPLS services end-to-end requires an end-to-end LSP. The goal is to keep the MPLS services (MPLS VPN, MPLS L2VPN) as they are while introducing greater scalability. To do this, move some of the IGP prefixes (the loopback prefixes of the Provider Edge (PE) routers) into Border Gateway Protocol (BGP), which then distributes them end-to-end. This is called unified or seamless MPLS.

When the route reflectors (RRs) advertise the BGP prefixes with the next hop set to themselves, they assign a local MPLS label to those prefixes. This means that in the data plane, packets forwarded on these end-to-end LSPs carry an extra MPLS label in the label stack, and the RRs are in the forwarding path. To set the next hop to self for reflected iBGP routes, configure the neighbor x.x.x.x next-hop-self all command.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4349-4360). Kindle Edition.

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_q_and_a_item09186a00800949e5.shtml
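The seamless-MPLS role described in the last paragraph, an ABR acting as route reflector for both domains, carrying PE loopbacks in BGP with labels and setting next-hop-self on reflected routes, looks like this. It is an added example and not from the book or the Cisco Q&A; the AS number, the loopback addresses and the peer-group names are assumptions.

```cisco
! ===== ABR/RR between the core domain and one aggregation domain (AS 65000) =====
! PE loopbacks are NOT redistributed between the two IGPs. They are carried in
! BGP IPv4 unicast with a label (RFC 3107). Because the ABR sets next-hop-self,
! it allocates its own label for each reflected prefix and becomes a hop on
! the end-to-end LSP.
interface Loopback0
 ip address 10.255.0.10 255.255.255.255
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor CORE peer-group
 neighbor CORE remote-as 65000
 neighbor CORE update-source Loopback0
 neighbor AGG peer-group
 neighbor AGG remote-as 65000
 neighbor AGG update-source Loopback0
 neighbor 10.255.0.11 peer-group CORE    ! core-side RR/ABR
 neighbor 10.255.1.1 peer-group AGG      ! a PE in the aggregation domain
 address-family ipv4
  neighbor CORE route-reflector-client
  neighbor CORE send-label               ! exchange labels with the prefixes
  neighbor CORE next-hop-self all        ! "all": also for reflected iBGP routes
  neighbor AGG route-reflector-client
  neighbor AGG send-label
  neighbor AGG next-hop-self all
 exit-address-family
!
! Resulting label stack on a VPN packet leaving a remote PE (top to bottom):
!   LDP label  -> reaches this ABR inside the local IGP domain
!   BGP label  -> allocated by this ABR for the far PE's loopback
!   VPN label  -> allocated by the far PE for the customer prefix (bottom of stack)
!
! Checks: show bgp ipv4 unicast labels       -> in/out label per PE loopback
!         show mpls forwarding-table          -> BGP-allocated local label swapped to the LDP label
!         show ip cef 10.255.1.1 detail       -> on a remote PE: two labels imposed before the VPN label
```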

4.1.a Implement and troubleshoot MPLS operations

4.1.a [ii] LDP

MPLS LDP provides the means for LSRs to request, distribute, and release label prefix binding information to peer routers in a network. LDP enables LSRs to discover potential peers and to establish LDP sessions with those peers for the purpose of exchanging label binding information.

MPLS LDP enables one LSR to inform another LSR of the label bindings it has made. Once a pair of routers communicate the LDP parameters, they establish a label-switched path (LSP). MPLS LDP enables LSRs to distribute labels along normally routed paths to support MPLS forwarding. This method of label distribution is also called hop-by-hop forwarding. With IP forwarding, when a packet arrives at a router the router looks at the destination address in the IP header, performs a route lookup, and forwards the packet to the next hop. With MPLS forwarding, when a packet arrives at a router the router looks at the incoming label, looks up the label in a table , and then forwards the packet to the next hop. MPLS LDP is useful for applications that require hop-by-hop forwarding, such as MPLS VPNs.

When you enable MPLS LDP, the LSRs send out messages to try to find other LSRs with which they can create LDP sessions. An LSR engages in discovery by periodically transmitting LDP Hello messages to signal its desire to advertise label bindings. The LSR sends the LDP Hello messages as UDP packets to the well-known LDP port (646).

LDP defines two types of discovery:

● Basic discovery—Used to discover directly connected LDP LSRs. For basic discovery, an LSR sends Hello messages to the “all routers on this subnet” multicast address on interfaces for which LDP has been configured.

● Extended discovery—Used between nondirectly connected LDP LSRs. For extended discovery, an LSR sends targeted Hello messages to a specific IP address.

The Hello messages carry the LDP ID of the label space that the sending LSR wants to advertise, as well as other information. When an LSR receives an LDP Hello message from another LSR, it considers that LSR and the specified label space to be “discovered.” After two LSRs discover each other in this manner, they attempt to establish an LDP session (a TCP connection to port 646).

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 4373-4384). Kindle Edition.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/ftldp41.html
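An LSR configuration exercising what this section describes: basic discovery on a link, extended (targeted) discovery to a non-adjacent LSR, and the two controls a practitioner adds around LDP, session authentication and label-advertisement filtering, plus an interface ACL that admits only the expected LDP discovery and session traffic. This is an added example, not from the book or the Cisco LDP guide; the loopback addresses 10.255.0.x, the link 10.0.12.0/24, the password and ACL names are assumptions.

```cisco
! ===== LSR with router-id 10.255.0.1 =====
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
mpls label protocol ldp
! Transport address = loopback, so sessions survive link flaps and the ACL
! below can be written against a known source.
mpls ldp router-id Loopback0 force
!
! Session security: every LDP TCP session must be MD5-protected; "required"
! refuses unauthenticated sessions instead of silently accepting them.
mpls ldp password required
mpls ldp neighbor 10.255.0.2 password LdpSecret
mpls ldp neighbor 10.255.0.3 password LdpSecret
!
! Advertise labels only for the /32 loopbacks. Link prefixes do not need
! labels for L3VPN (the next hop is always a PE loopback), and a smaller
! LFIB is easier to audit.
access-list 10 permit 10.255.0.0 0.0.0.255
no mpls ldp advertise-labels
mpls ldp advertise-labels for 10
!
! Basic discovery: multicast Hellos on this link (UDP/646 to 224.0.0.2)
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.0
 mpls ip
 ip access-group LDP-IN in
!
! Extended discovery: unicast (targeted) Hellos to a non-adjacent LSR
mpls ldp neighbor 10.255.0.3 targeted ldp
!
! Only the expected discovery and session traffic is allowed to reach port 646;
! everything else is passed through for the other protocols on the link.
ip access-list extended LDP-IN
 remark basic discovery from the directly connected link
 permit udp 10.0.12.0 0.0.0.255 host 224.0.0.2 eq 646
 remark targeted hellos and TCP sessions only from known loopbacks
 permit udp 10.255.0.0 0.0.0.255 host 10.255.0.1 eq 646
 permit tcp 10.255.0.0 0.0.0.255 host 10.255.0.1 eq 646
 permit tcp 10.255.0.0 0.0.0.255 eq 646 host 10.255.0.1
 deny   udp any any eq 646
 deny   tcp any any eq 646
 permit ip any any
!
! Checks: show mpls ldp discovery          -> xmit/recv on Gi0/0; "Targeted Hellos" to 10.255.0.3
!         show mpls ldp neighbor detail    -> State: Oper, "Password: enabled" per peer
!         show mpls ldp bindings           -> only 10.255.0.0/24 prefixes carry local labels
!         show mpls forwarding-table       -> outgoing labels only for the loopbacks
```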