Re: [c-nsp] ME3600 iBGP to RR

2015-03-05 Thread CiscoNSP List
Thanks for all the feedback/suggestions guys.


> Date: Fri, 6 Mar 2015 07:35:10 +0200
> From: mark.ti...@seacom.mu
> To: adam.vitkov...@gamma.co.uk; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ME3600 iBGP to RR
> 
> 
> 
> On 5/Mar/15 19:12, Adam Vitkovsky wrote:
> >
> > Sorry, now I see I haven't made myself clear at all, I meant
> > disconnected from VRFs perspective.
> > Of course the box would have been reachable over OOB management
> > network or via IGP.
> 
> Of course :-).
> >
> >
> > These are interesting numbers indeed.
> > And I wanted to ask you for some time now what prefixes do you
> > actually leak into the FIB to make any use of it.
> 
> Internal iBGP routes, customer routes held in iBGP, some routes from
> peers (they need to be in the FIB as we do some special things with them
> re: forwarding), 0/0 and ::/0.
> 
> > Because how I would use this is just to get the full table to the
> > customer hanging off of the ME.
> 
> We hold everything else in RAM, and just hand it off to customers via
> eBGP sessions.
> 
> >
> > Anyways the problem is 20K is not that much and can easily be
> > exhausted with VPN customer prefixes in which case the SD can't really
> > be used.
> At any rate, BGP-SD is not supported for VPN address families.
> 
> >
> > You just need to make sure you never mess up the route-map used for SD.
> 
> If you want to be simple, a simple "route-map BLAH deny 10" is all you
> need to have nothing installed in the FIB.
> 
> Otherwise, you can create a route-map similar to what you'd do for a BGP
> routing policy to decide what enters the FIB. Nothing more special than
> that.
> 
> Mark.
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
  


Re: [c-nsp] ME3600 iBGP to RR

2015-03-05 Thread Mark Tinka


On 5/Mar/15 19:12, Adam Vitkovsky wrote:
>
> Sorry, now I see I haven't made myself clear at all, I meant
> disconnected from VRFs perspective.
> Of course the box would have been reachable over OOB management
> network or via IGP.

Of course :-).
>
>
> These are interesting numbers indeed.
> And I wanted to ask you for some time now what prefixes do you
> actually leak into the FIB to make any use of it.

Internal iBGP routes, customer routes held in iBGP, some routes from
peers (they need to be in the FIB as we do some special things with them
re: forwarding), 0/0 and ::/0.

> Because how I would use this is just to get the full table to the
> customer hanging off of the ME.

We hold everything else in RAM, and just hand it off to customers via
eBGP sessions.

>
> Anyways the problem is 20K is not that much and can easily be
> exhausted with VPN customer prefixes in which case the SD can't really
> be used.
At any rate, BGP-SD is not supported for VPN address families.

>
> You just need to make sure you never mess up the route-map used for SD.

If you want to be simple, a simple "route-map BLAH deny 10" is all you
need to have nothing installed in the FIB.

Otherwise, you can create a route-map similar to what you'd do for a BGP
routing policy to decide what enters the FIB. Nothing more special than
that.

Mark.


Re: [c-nsp] N7k PIM Anycast RP - Do we still need MSDP to sync RPs?

2015-03-05 Thread Phil Mayers

On 05/03/15 16:46, Adam Vitkovsky wrote:

> That is great for intra-domain use - one learns something new every day :)
> Strange I have never come across this RFC 4610 when I played with Anycast
> RPs.
> And would you have all the filtering options and knobs as with MSDP?


No, why would you want it? Surely the point of anycast-RP is to have 
them all identical?


MSDP does have some advantages over PIM for this case, specifically when 
you reboot an RP, it will recover the existing source state immediately 
over the MSDP peering, as opposed to having to wait for the registers to 
be re-sent from the DR(s).


OTOH MSDP is one more protocol to run.

Swings and roundabouts; it's nice to have both options. We went for it 
on the basis of simplicity.


Cheers,
Phil


Re: [c-nsp] ME3600 iBGP to RR

2015-03-05 Thread Adam Vitkovsky
Hi Mark,


> Mark Tinka
> Sent: 05 March 2015 13:16
> > It is a good topic for a discussion.
> > If you reset all the sessions the box becomes completely disconnected
> > from the core (as most likely the same amount of routes will be advertised
> > by both RRs (clusters)).
> 
> That is why, for my network, all management traffic is handled by the
> IGP (IS-IS, in my case).

Sorry, now I see I haven't made myself clear at all, I meant disconnected from 
VRFs perspective. 
Of course the box would have been reachable over OOB management network or via 
IGP. 

> > If just warning is issued the box remains alive but there might be some
> > unexpected states of memory rendering it unusable anyways (all kinds of
> > weird issues can happen if the mem is exhausted be it just for a short
> > interval).
> 
> Use BGP-SD.
> 
> The ME3600X can hold 2x full IPv4 and 2x full IPv6 tables in RAM. I
> know, I do it. Then you pick and choose what gets installed into FIB
> using BGP-SD.

These are interesting numbers indeed. 
And I wanted to ask you for some time now what prefixes do you actually leak 
into the FIB to make any use of it. 
Because how I would use this is just to get the full table to the customer 
hanging off of the ME. 

Anyways the problem is 20K is not that much and can easily be exhausted with 
VPN customer prefixes in which case the SD can't really be used. 

> > However if a config mistake happens and one of the RRs (or clusters for
> > that matter) starts advertising excess routes then it would be desired to
> > reset the affected session(s) in which case the box remains perfectly
> > operational using the sessions to remaining RRs.
> 
> With BGP-SD, even if the RR suddenly started spewing more routes, you
> don't hurt the FIB.

You just need to make sure you never mess up the route-map used for SD. 


adam


Re: [c-nsp] N7k PIM Anycast RP - Do we still need MSDP to sync RPs?

2015-03-05 Thread Adam Vitkovsky
That is great for intra-domain use - one learns something new every day :)
Strange I have never come across this RFC 4610 when I played with Anycast RPs.
And would you have all the filtering options and knobs as with MSDP? 

adam
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Tim Stevenson
> Sent: 05 March 2015 15:59
> To: Phil Mayers; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] N7k PIM Anycast RP - Do we still need MSDP to sync RPs?
> 
> This is RFC 4610.
> 
> Tim
> 
> At 06:41 AM 3/5/2015  Thursday, Phil Mayers murmured:
> >On 05/03/15 10:00, Gert Doering wrote:
> >>Hi,
> >>
> >>On Wed, Mar 04, 2015 at 03:19:09PM -0800, Tim Stevenson wrote:
> >>>You do not need MSDP under this configuration, Anycast w/PIM &
> >>>Anycast w/MSDP are two different ways to basically do the same
> >>>thing.
> >>
> >>So, pure curiosity: I know how Anycast w/MSDP works, but with classic
> >>IOS, there is no "Anycast w/PIM" - how is this done, protocol-wise?
> >
> >The PIM RPs forward the PIM register to the other PIM RPs, if it
> >didn't come *from* one of those RPs. They do it over "real" IPs
> >rather than the anycast IP, of course.
> >
> >It's been around on JunOS for ages, and works great. Never tried it
> >on supporting Cisco boxen, but I imagine it works just the same.
> 
> Tim Stevenson, tstev...@cisco.com
> Routing & Switching CCIE #5561
> Distinguished Engineer, Technical Marketing
> Data Center Switching
> Cisco - http://www.cisco.com
> +1(408)526-6759
> 
> 


Re: [c-nsp] N7k PIM Anycast RP - Do we still need MSDP to sync RPs?

2015-03-05 Thread Tim Stevenson

This is RFC 4610.

Tim

At 06:41 AM 3/5/2015  Thursday, Phil Mayers murmured:
> On 05/03/15 10:00, Gert Doering wrote:
>> Hi,
>>
>> On Wed, Mar 04, 2015 at 03:19:09PM -0800, Tim Stevenson wrote:
>>> You do not need MSDP under this configuration, Anycast w/PIM &
>>> Anycast w/MSDP are two different ways to basically do the same thing.
>>
>> So, pure curiosity: I know how Anycast w/MSDP works, but with classic
>> IOS, there is no "Anycast w/PIM" - how is this done, protocol-wise?
>
> The PIM RPs forward the PIM register to the other PIM RPs, if it
> didn't come *from* one of those RPs. They do it over "real" IPs
> rather than the anycast IP, of course.
>
> It's been around on JunOS for ages, and works great. Never tried it
> on supporting Cisco boxen, but I imagine it works just the same.

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Engineer, Technical Marketing
Data Center Switching
Cisco - http://www.cisco.com
+1(408)526-6759




Re: [c-nsp] N7k PIM Anycast RP - Do we still need MSDP to sync RPs?

2015-03-05 Thread Phil Mayers

On 05/03/15 10:00, Gert Doering wrote:

> Hi,
>
> On Wed, Mar 04, 2015 at 03:19:09PM -0800, Tim Stevenson wrote:
>> You do not need MSDP under this configuration, Anycast w/PIM &
>> Anycast w/MSDP are two different ways to basically do the same thing.
>
> So, pure curiosity: I know how Anycast w/MSDP works, but with classic
> IOS, there is no "Anycast w/PIM" - how is this done, protocol-wise?


The PIM RPs forward the PIM register to the other PIM RPs, if it didn't 
come *from* one of those RPs. They do it over "real" IPs rather than the 
anycast IP, of course.


It's been around on JunOS for ages, and works great. Never tried it on 
supporting Cisco boxen, but I imagine it works just the same.



Re: [c-nsp] ME3600 iBGP to RR

2015-03-05 Thread Mark Tinka


On 5/Mar/15 11:48, Adam Vitkovsky wrote:
> Hi,
>
> It is a good topic for a discussion.
> If you reset all the sessions the box becomes completely disconnected from 
> the core (as most likely the same amount of routes will be advertised by both 
> RRs (clusters)).

That is why, for my network, all management traffic is handled by the
IGP (IS-IS, in my case).

As BGP appears higher in the routing layer, a failure of BGP does not
affect access to the box. Typically, a failure of the IGP signals a much
bigger problem anyway, so it is a reliable method to manage the box.

IGP routes all end up in the FIB by default.
> If just warning is issued the box remains alive but there might be some 
> unexpected states of memory rendering it unusable anyways (all kinds of 
> weird issues can happen if the mem is exhausted be it just for a short 
> interval).

Use BGP-SD.

The ME3600X can hold 2x full IPv4 and 2x full IPv6 tables in RAM. I
know, I do it. Then you pick and choose what gets installed into FIB
using BGP-SD.
> However if a config mistake happens and one of the RRs (or clusters for that 
> matter) starts advertising excess routes then it would be desired to reset 
> the affected session(s) in which case the box remains perfectly operational 
> using the sessions to remaining RRs.

With BGP-SD, even if the RR suddenly started spewing more routes, you
don't hurt the FIB.

Yes, if the routes were too many that they overwhelmed the ME3600X's
control plane, then that is a different issue.
>
> In any case you should be closely monitoring the syslog messages related to 
> crossing the 70% watermark so that you know you are approaching the memory 
> limits of the box and there's a need to migrate some of the VRFs to other 
> boxes or to add another ME to the POP.

Again, BGP-SD is your friend. A very elegant solution to an interesting
problem.

Mark.



Re: [c-nsp] ME3600 iBGP to RR

2015-03-05 Thread Mark Tinka


On 5/Mar/15 10:26, CiscoNSP List wrote:
> Hi Everyone,
>
> Using ME3600's to terminate customer tails (VRF's and Inet), and am after 
> some recommendations on a template for the RR-Client->RR session..ME3600 only 
> supports 20K IPv4 routes so was going to implement something like:
>
>  template peer-policy TO_RR_iBGP
>   next-hop-self
>   soft-reconfiguration inbound
>   maximum-prefix 2 70
>   send-community both
>  exit-peer-policy
>
> address-family ipv4
>   neighbor xxx.xxx.xxx.xxx inherit peer-policy TO_RR_iBGP
>
> plus route-maps controlling in/out prefixes
>
> Any other suggestions (i.e. resetting bgp session if certain threshold is 
> hit, then re-establishing session after x minutes, or being more frugal on 
> number of routes allowed etc) are greatly appreciated.

Don't do "soft-reconfiguration", you'll just eat up more memory for no
reason.

Do what I do for this - deploy BGP-SD and don't worry about the lack of
FIB space on this platform.

You can filter what gets into the FIB using BGP-SD. Much more elegant
than "max-prefix".

Mark.


[c-nsp] Can VRF lite support BGP routing? I test lab not work.

2015-03-05 Thread Plawansai RMUTT CPE IX
I tested a lab following this document
  and it works. I tested with static routes and OSPF and it works. Now,
I'm testing with BGP routes. I found the PE doesn't send the BGP routes from
the other sites to the CE. What should I do?

Topology:
BGP vrf lite (vrf v11) CE1 - BGP - MPLS L3VPN (vrf v1) PE1 - PE2 (vrf v1)
MPLS L3VPN - BGP - CE2 (vrf v11) vrf lite BGP


PE1#sho ip rou vrf v1

Gateway of last resort is not set

B    10.0.252.1/32 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d22h
B    10.0.252.2/32 [200/0] via 10.0.0.14 (nexthop in vrf default), 1d22h
L    10.0.252.3/32 is directly connected, 1d22h, Loopback101
B    38.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
B    39.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 05:13:07
B    40.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
C    41.0.0.0/24 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
L    41.0.0.3/32 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
-> B    208.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 00:06:55
-> B    209.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 00:08:14
B    210.0.0.0/24 [20/0] via 41.0.0.8, 00:11:17

CE1#sho ip bgp vpnv4 vrf v11
BGP table version is 23, local router ID is 172.16.30.5

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 800:1 (default for vrf v11)
*> 10.0.252.1/32    41.0.0.3                               0 18252 ?
*> 10.0.252.2/32    41.0.0.3                               0 18252 ?
*> 10.0.252.3/32    41.0.0.3                 0             0 18252 ?
*> 38.0.0.0/24      41.0.0.3                               0 18252 ?
*> 39.0.0.0/24      41.0.0.3                               0 18252 ?
*> 40.0.0.0/24      41.0.0.3                               0 18252 ?
r> 41.0.0.0/24      41.0.0.3                 0             0 18252 ?
*> 210.0.0.0        0.0.0.0                  0         32768 i
CE1#

 

Thank you very much.



Re: [c-nsp] N7k PIM Anycast RP - Do we still need MSDP to sync RPs?

2015-03-05 Thread Gert Doering
Hi,

On Wed, Mar 04, 2015 at 03:19:09PM -0800, Tim Stevenson wrote:
> You do not need MSDP under this configuration, Anycast w/PIM & 
> Anycast w/MSDP are two different ways to basically do the same thing.

So, pure curiosity: I know how Anycast w/MSDP works, but with classic
IOS, there is no "Anycast w/PIM" - how is this done, protocol-wise?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] ME3600 iBGP to RR

2015-03-05 Thread Adam Vitkovsky
Hi,

It is a good topic for a discussion.
If you reset all the sessions the box becomes completely disconnected from the 
core (as most likely the same amount of routes will be advertised by both RRs 
(clusters)).
If just warning is issued the box remains alive but there might be some 
unexpected states of memory rendering it unusable anyways (all kinds of weird 
issues can happen if the mem is exhausted be it just for a short interval).
However if a config mistake happens and one of the RRs (or clusters for that 
matter) starts advertising excess routes then it would be desired to reset the 
affected session(s) in which case the box remains perfectly operational using 
the sessions to remaining RRs.

In any case you should be closely monitoring the syslog messages related to 
crossing the 70% watermark so that you know you are approaching the memory 
limits of the box and there's a need to migrate some of the VRFs to other boxes 
or to add another ME to the POP.

 
adam
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> CiscoNSP List
> Sent: 05 March 2015 08:26
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] ME3600 iBGP to RR
> 
> Hi Everyone,
> 
> Using ME3600's to terminate customer tails (VRF's and Inet), and am after
> some recommendations on a template for the RR-Client->RR
> session..ME3600 only supports 20K IPv4 routes so was going to implement
> something like:
> 
>  template peer-policy TO_RR_iBGP
>   next-hop-self
>   soft-reconfiguration inbound
>   maximum-prefix 2 70
>   send-community both
>  exit-peer-policy
> 
> address-family ipv4
>   neighbor xxx.xxx.xxx.xxx inherit peer-policy TO_RR_iBGP
> 
> plus route-maps controlling in/out prefixes
> 
> Any other suggestions (i.e. resetting bgp session if certain threshold is hit,
> then re-establishing session after x minutes, or being more frugal on number
> of routes allowed etc) are greatly appreciated.
> 
> Cheers.
> 

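The syslog monitoring suggested in the message above, as an added example that is not part of the thread: it reads maximum-prefix log lines and separates "every RR session is near the limit" (the box is running out of room) from "only one RR is sending too much" (resetting that session leaves the others usable). The message patterns, the RR addresses, the 20000 limit and the function names are assumptions made for this illustration.

```python
import re

# Assumption: IOS logs max-prefix events in roughly these two shapes. The
# thread does not quote them, so check the patterns against your own logs.
_HEAD = r"(?:Number of prefixes|No\. of prefix) received from (?P<peer>\S+)"
PATTERNS = (
    ("warning", re.compile(
        r"%BGP-4-MAXPFX: " + _HEAD
        + r".*?reaches (?P<count>\d+), max (?P<limit>\d+)")),
    ("exceeded", re.compile(
        r"%BGP-3-MAXPFXEXCEED: " + _HEAD
        + r".*?: (?P<count>\d+) exceeds limit (?P<limit>\d+)")),
)

# Constructed sample input: two route reflectors, limit 20000, threshold 70%.
RRS = ["192.0.2.1", "192.0.2.2"]
BOTH_NEAR_LIMIT = [
    "Mar  5 08:00:01 ME1 %BGP-4-MAXPFX: Number of prefixes received from "
    "192.0.2.1 (afi 0) reaches 14001, max 20000",
    "Mar  5 08:00:02 ME1 %BGP-4-MAXPFX: Number of prefixes received from "
    "192.0.2.2 (afi 0) reaches 14003, max 20000",
]
ONE_RR_FLOOD = [
    "Mar  5 09:10:00 ME1 %BGP-4-MAXPFX: Number of prefixes received from "
    "192.0.2.1 (afi 0) reaches 14001, max 20000",
    "Mar  5 09:10:04 ME1 %BGP-3-MAXPFXEXCEED: Number of prefixes received "
    "from 192.0.2.1 (afi 0): 20001 exceeds limit 20000",
]


def worst_per_peer(lines):
    """Return {peer: (severity, count, limit)}, keeping the highest count seen."""
    worst = {}
    for line in lines:
        for severity, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            peer, count, limit = m["peer"], int(m["count"]), int(m["limit"])
            if peer not in worst or count > worst[peer][1]:
                worst[peer] = (severity, count, limit)
    return worst


def verdict(lines, rr_peers):
    """'ok', 'single-rr' (some RRs affected) or 'capacity' (all RRs affected)."""
    hit = set(worst_per_peer(lines)) & set(rr_peers)
    if not hit:
        return "ok"
    return "capacity" if hit == set(rr_peers) else "single-rr"


if __name__ == "__main__":
    for name, sample in (("both near limit", BOTH_NEAR_LIMIT),
                         ("one RR flood", ONE_RR_FLOOD)):
        print(name, "->", verdict(sample, RRS), worst_per_peer(sample))
```
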

Re: [c-nsp] ME3600 iBGP to RR

2015-03-05 Thread Nick Hilliard
On 05/03/2015 08:26, CiscoNSP List wrote:
> Any other suggestions (i.e. resetting bgp session if certain threshold
> is hit, then re-establishing session after x minutes, or being more
> frugal on number of routes allowed etc) are greatly appreciated.

re-establishing sessions is probably highly advisable.  Otherwise you will
need to manually reset all bgp sessions from the rr clients if there's a
problem.  This will increase your service unavailability if you blow
maxprefixes from your RRs.

Also, check your SDM templates to ensure that you're using the correct profile:

Router#show sdm prefer current

Finally, make sure you're running recent code, e.g. 15.3(3)S4.  These boxes
have had some hilariously awful bugs on older code.  E.g. port based l3vpn
not forwarding traffic on early 15.3, port based pseudowires causing the
entire unit to crash and reboot on 15.2, and so on.

Nick


[c-nsp] ME3600 iBGP to RR

2015-03-05 Thread CiscoNSP List
Hi Everyone,

Using ME3600's to terminate customer tails (VRF's and Inet), and am after some 
recommendations on a template for the RR-Client->RR session..ME3600 only 
supports 20K IPv4 routes so was going to implement something like:

 template peer-policy TO_RR_iBGP
  next-hop-self
  soft-reconfiguration inbound
  maximum-prefix 2 70
  send-community both
 exit-peer-policy

address-family ipv4
  neighbor xxx.xxx.xxx.xxx inherit peer-policy TO_RR_iBGP

plus route-maps controlling in/out prefixes

Any other suggestions (i.e. resetting bgp session if certain threshold is hit, 
then re-establishing session after x minutes, or being more frugal on number of 
routes allowed etc) are greatly appreciated.

Cheers.
  