How to filter VPNs from MPLS backbone backup path

Below is from sp study group.ccstudy.com:

I have four routers linked in a row, let's say A-B-C-D, and a lower
bandwidth backup link between A and D. I have just added MPLS and set
up several VPNs, but I don't want all VPNs to generate traffic on the
backup link when it comes up. Any idea of how to do it?

Here is a possible solution. I have also put the CCIE SP list on CC
since this is more a topic for there...

- create a second loopback interface on the pe-routers.

- add your second loopback interface into your igp so it is reachable

- filter your LDP so it is not assigning and distributing any labels
for this second loopback

- change the next-hop ip-address that bgp will advertise for the
VPN that you do not want to have on the low-bandwidth backup link

Example> Assuming Lo1 is the Loopback where you are not distributing labels
for:
!
ip vrf TWO
rd 2:1
route-target export 2:1
route-target import 2:1
bgp next-hop Loopback1
!

- at this point this VPN will not work anymore, because you have no
LSP to the new Loopbacks

- enable MPLS Traffic Engineering, use the new loopback ip as router-id
for mpls traffic engineering

- build mpls-te tunnels between the new loopback addresses. Use an
explicit path that excludes the ip addresses of the low-bandwidth
backup link.

- at this point the VPN will work again. LSPs are provided through
MPLS-TE. As soon as the main link between your PE routers goes
down the MPLS-TE Tunnel will also go down because they are not
allowed to signal a path through your low-bandwidth link.

hope the explanation is not too confusing.

Comments from Gopal:

- you use 'bgp next-hop loop-1' for the VRFs whose
traffic should not ride on the low BW link. Other VRFs
do not need that command, hence use the default
bgp-nexthop, say loop-0. This is what Reinhold meant
to begin with.

I would agree with Reinhold's solution for the most part
except:

- "filter your LDP so it is not assigning and
distributing any labels for this second loopback" --

* This doesn't serve any purpose. Though this will
make the VPN fail on non-TE links, it will not save
the low BW link. The traffic will go over the low BW
link and be dropped at the egress PE.

- "add your second loopback interface into your igp
so it is reachable"

* you should not advertise the loop-1 IP in OSPF. TE
will work fine without loop-1 IP in routing table. If
this IP is in routing table the problem is when the TE
tunnel is DOWN. When the TE tunnel is down, with IP in
routing table, it follows the IP routing table which
includes the low BW link (when preferred link goes
down).

- in summary, you do everything except advertising the
loop-1 in IGP. So far I assumed your IGP is OSPF :-).
But if it is not, then it is easier.

- If your IGP is EIGRP or RIP, then you don't need TE
tunnels. You may use distribute-list to stop taking
the loop-1 prefix over the low BW link.

- ACL tweaking is not possible (I would guess) because
they are label packets.
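
The failover behaviour the thread aims for, as an added example that is not part of the original posts: a small Python model of the A-B-C-D chain with the A-D backup link, comparing the ordinary IGP path with a TE path computed under an exclusion constraint. The link metrics, the function names and the treatment of the explicit path as a per-link exclusion are assumptions made for illustration.

```python
import heapq

# Constructed topology from the question: chain A-B-C-D plus a
# low-bandwidth backup link A-D. Metrics are assumed values.
MAIN = {("A", "B"): 10, ("B", "C"): 10, ("C", "D"): 10}
BACKUP = {("A", "D"): 100}


def shortest_path(links, src, dst, excluded=frozenset()):
    """Dijkstra over undirected links, skipping excluded ones.

    With excluded links this stands in for the TE head-end's constrained
    path computation; without them it is the plain IGP shortest path.
    Returns the node list, or None when no path exists.
    """
    adj = {}
    for (a, b), cost in links.items():
        if (a, b) in excluded or (b, a) in excluded:
            continue
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    heap, seen = [(0, src, [src])], set()
    while heap:
        dist, node, path = heapq.heappop(heap)
        if node == dst:
            return path
        if node in seen:
            continue
        seen.add(node)
        for nxt, cost in adj.get(node, []):
            if nxt not in seen:
                heapq.heappush(heap, (dist + cost, nxt, path + [nxt]))
    return None


def vpn_paths(failed=()):
    """Paths from PE A to PE D for both kinds of VPN after link failures.

    'default' VPNs ride the ordinary label-switched IGP path; 'restricted'
    VPNs (bgp next-hop Loopback1) only have the TE tunnel, whose explicit
    path excludes the backup link.
    """
    up = {k: v for k, v in {**MAIN, **BACKUP}.items() if k not in failed}
    return {
        "default": shortest_path(up, "A", "D"),
        "restricted": shortest_path(up, "A", "D", excluded=frozenset(BACKUP)),
    }
```

Calling `vpn_paths(failed=[("B", "C")])` shows the default VPNs moving to the A-D link while the restricted VPN has no path at all, which is the state in which the TE tunnel stays down.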
