ipnetworking.net

linux and networking articles

Category: Cisco (page 1 of 7)

MPLS LDP label filtering

This post will outline MPLS LDP label filtering on IOS and IOS-XE. It contains the LDP label filtering configuration and the corresponding output.

Why?

Recently we migrated two POPs from VRF Lite to an MPLS-based network. With other non-MPLS POPs left to migrate, we still have quite some prefixes in our IGP.

As LDP assigns labels for IGP-based routes, we ended up with quite some labels that were generated and advertised without any purpose. This may impact convergence of a network, so we set up LDP label filtering to only generate labels for PEs that have L3VPN or AToM xconnects. Label filtering can be used to minimize the number of prefixes in the LIB and to control which labeled prefixes are advertised using LDP.

How?

There are two ways to control LDP label filtering:

  • LDP inbound label filtering (per LDP neighbor configuration)
  • LDP advertised label filtering

The configurations that follow are based on LDP advertised label filtering. The reason is that inbound label filtering is error-prone (lots of config), and if you solve the problem at the source (advertising labels), it won’t affect others. :)

This post assumes the following basic MPLS LDP configuration:

The configuration of advertised label filtering starts with a standard access-list for the prefixes you would like to generate labels for. For MPLS L3VPN you basically only want labels for the PE loopbacks.

Next you need to configure LDP to use this standard access-list:

The result of this config can be obtained with the following commands:

When checking the results on another PE (PE2), it appears that the labels in the LIB are still advertised even though the prefixes do not match the standard ACL of PE1. So the implicit deny of a standard ACL does not work.

There is one missing command on PE1 to fix this:

Total configuration of one PE for LDP label filtering:

I hope this helps someone out there. If you have any questions, please comment!
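The advertised-label filtering steps described in this post, as an added example that is not the author's configuration. The ACL number and loopback addresses are constructed values; the commands are standard IOS/IOS-XE LDP syntax.

```cisco
! Added example, not the author's configuration.
! ACL number 10 and the 192.0.2.x loopbacks are constructed values.
!
! Step 1 (PE1): standard ACL that permits only the PE loopbacks (/32s).
access-list 10 remark PE loopbacks that need an LDP label
access-list 10 permit 192.0.2.1
access-list 10 permit 192.0.2.2
access-list 10 permit 192.0.2.3
!
! Step 2 (PE1): switch off the default behaviour first. By default LDP
! advertises a label for every IGP prefix to every peer, and that
! default stays in force next to the filter below. This is why the
! implicit deny of ACL 10 appears to have no effect without this line.
no mpls ldp advertise-labels
!
! Step 3 (PE1): advertise labels only for prefixes permitted by ACL 10.
! No "to <peer-acl>" is given, so the filter applies to all LDP peers.
mpls ldp advertise-labels for 10
!
! Verification on PE1 (exec mode): show which ACL governs advertisement
! of each local binding.
!   show mpls ldp bindings advertisement-acls
!
! Verification on PE2 (exec mode): remote bindings learned from PE1
! should now exist only for the three loopbacks in ACL 10.
!   show mpls ldp bindings neighbor 192.0.2.1
```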

Python script for PPPoE and PPPoA users

I wrote this Python script to check the number of PPPoE and PPPoA users on a Cisco IOS-XE box. It’s also used by a provisioning system to check whether a PPPoX session came up or not. (Note: still learning Python)

The output will look like this for PPPoA users:

The output will look like this for PPPoE users:

Here is the script; the latest version is always on GitHub.

 

Python script for PIM SSM mappings

A small functional Python script to generate a lot of static SSM mappings for IOS-XR. The entries of mcast-groups.txt come from an Excel file (not comma-separated).

 

Packetcapture in Nexus VDC

This post will outline how to make a packet capture in a VDC using a Cisco Nexus device.

The ethanalyzer tool is only available in the Admin VDC. To make a packet capture in a regular VDC, some commands are needed so that the traffic can be captured in the Admin VDC.

This can be done by creating ACLs in the VDC you would like to capture traffic from. If you use the “log” statement on each ACE, the packet is punted to the supervisor and you can capture it in the Admin VDC.

Regular VDC configuration:

Creating the ACL:

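It is important to permit ip any any at the end of the ACL; otherwise the implicit deny at the end of the ACL drops all traffic that the capture entries do not match.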

Adding the ACL to a switchport (L2 interface):

Adding the ACL to a routed port (L3 interface):

Note that the packet capture is unidirectional. If you want to make a bidirectional packet capture, apply it to the appropriate interface with reverse ACL logic.

You can use Wireshark’s mergecap to merge the two packet captures.

Admin VDC configuration:

Here is the ethanalyzer capture command syntax. Of course, you can use the other available parameters to capture the traffic or even store the pcaps locally on flash for analysis in Wireshark.

 

© 2017 ipnetworking.net