Saturday, July 7, 2012

Compute Complex Wildcard for ACL

This helps you compute the most specific address and wildcard pair for an ACL or a summary route.

First we need to know the basics of XOR and AND, because the access-list address and wildcard are based on the AND and XOR logic gates.
With inputs A and B and output C, the XOR function is: the output is true when either input A or B is true, but not when both A and B are true:


A XOR B -> C

0 XOR 0 -> 0

0 XOR 1 -> 1

1 XOR 0 -> 1

1 XOR 1 -> 0

With inputs A and B and output C, the AND function is: the output is true only when both inputs A and B are true:
A AND B -> C

0 AND 0 -> 0

0 AND 1 -> 0

1 AND 0 -> 0

1 AND 1 -> 1

Once we understand that, we can progress to the calculation.
Let's take 10.20.30.40 and 40.30.20.10 and create an access-list that is the most specific match for these two addresses.
Conversion to binary (bit weights 128, 64, 32, 16, 8, 4, 2, 1):
10.20.30.40 = 00001010.00010100.00011110.00101000

40.30.20.10 = 00101000.00011110.00010100.00001010


AND:
00001010.00010100.00011110.00101000

00101000.00011110.00010100.00001010
--------------------------------------
00001000.00010100.00010100.00001000
The result is our address: 8.20.20.8
 
XOR:
00001010.00010100.00011110.00101000

00101000.00011110.00010100.00001010
---------------------------------------
00100010.00001010.00001010.00100010
The result is our wildcard: 34.10.10.34


The ACL that is the most specific match for both 10.20.30.40 and 40.30.20.10 is:
access-list 1 permit 8.20.20.8 34.10.10.34
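
The calculation above as an added Python example (not part of the original post; the function names are this example's own). It generalizes the two-host case to any number of hosts and counts what the resulting entry really matches: every wildcard bit set to 1 doubles the match set, so 8.20.20.8 34.10.10.34 permits 256 addresses, not only the two intended hosts.

```python
import ipaddress
from functools import reduce

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_pair(addresses):
    """AND of all hosts gives the address; bits that differ anywhere give the wildcard."""
    ints = [_to_int(a) for a in addresses]
    all_and = reduce(lambda x, y: x & y, ints)
    all_or = reduce(lambda x, y: x | y, ints)
    wildcard = all_and ^ all_or  # equals A XOR B when there are exactly two hosts
    return str(ipaddress.IPv4Address(all_and)), str(ipaddress.IPv4Address(wildcard))

def matches(candidate, address, wildcard):
    """True if the entry matches candidate: only bits with wildcard 0 are compared."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return ((_to_int(candidate) ^ _to_int(address)) & care) == 0

def match_count(wildcard):
    """Each wildcard bit set to 1 doubles the number of matched addresses."""
    return 2 ** bin(_to_int(wildcard)).count("1")

def extra_matches(addresses, limit=4):
    """Sample of addresses the entry matches that were not in the input list."""
    address, wildcard = acl_pair(addresses)
    base, wc = _to_int(address), _to_int(wildcard)
    wanted = {_to_int(a) for a in addresses}
    found, sub = [], wc
    while len(found) < limit:
        # Walk the subsets of the wildcard bits, largest first.
        if (base | sub) not in wanted:
            found.append(str(ipaddress.IPv4Address(base | sub)))
        if sub == 0:
            break
        sub = (sub - 1) & wc
    return found

if __name__ == "__main__":
    hosts = ["10.20.30.40", "40.30.20.10"]  # the two hosts used in the post
    address, wildcard = acl_pair(hosts)
    print(f"access-list 1 permit {address} {wildcard}")
    print("addresses matched:", match_count(wildcard))
    print("also permitted, for example:", ", ".join(extra_matches(hosts)))
```

Review the extra matches before deploying such an entry; if they are not acceptable, two host entries are the tighter choice.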




 

Monday, July 2, 2012

IPv6 over MPLS VPN

6VPE: IPv6 over MPLS VPN
6VPE can be compared to a regular IPv4 MPLS VPN Provider Edge with the addition of IPv6 support within a VRF. Providers logically separate routing table entries for VPN member devices. 6VPE can be deployed over an existing IPv4 backbone and does not require modification of the MPLS core routers.



CEs Configuration:

CE1 router:
ipv6 unicast-routing
ipv6 cef
interface Loopback0
 no ip address
 ipv6 address FACE::1/128

 interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2001:2222::1/124

 router bgp 65022
 bgp router-id 1.1.1.1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2001:2222::2 remote-as 65025
 !
 address-family ipv6
  redistribute connected
  no synchronization
  network FACE::1/128
  neighbor 2001:2222::2 activate
 exit-address-family

 CE2 router:

 ipv6 unicast-routing
 ipv6 cef
interface Loopback0
 no ip address
 ipv6 address FACE::2/128
 ipv6 enable

 interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2001:2212::2/124

 router bgp 65022
 bgp router-id 2.2.2.2
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2001:2212::1 remote-as 65025
 !
 address-family ipv4
  no synchronization
  neighbor 2001:2212::1 activate
  no auto-summary
 exit-address-family
 !
 address-family ipv6
  redistribute connected
  no synchronization
  network FACE::2/128
  neighbor 2001:2212::1 activate
 exit-address-family


 6VPE Configuration:


6VPE1:

 vrf definition CUST1
 rd 1:100
 !
 address-family ipv6
 route-target export 1:100
 route-target import 1:100
 exit-address-family

 ipv6 unicast-routing
ipv6 cef
mpls label protocol ldp
interface Loopback0
 ip address 172.20.31.11 255.255.255.255
 ip router isis

 interface FastEthernet1/0
 vrf forwarding CUST1
 no ip address
 speed auto
 duplex auto
 ipv6 address 2001:2222::2/124
 ipv6 enable


 router bgp 65025
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 172.20.31.12 remote-as 65025
 neighbor 172.20.31.12 update-source Loopback0
 !       
 !                
 ! Address-family VPNv6 is configured on 6VPE routers for iBGP
 address-family vpnv6
  neighbor 172.20.31.12 activate
  neighbor 172.20.31.12 send-community extended
 exit-address-family
 !       
 address-family ipv6 vrf CUST1
  redistribute connected
  no synchronization
  neighbor 2001:2222::1 remote-as 65022
  ! There is an eBGP connection between the 6VPE and CE routers
  neighbor 2001:2222::1 activate
  neighbor 2001:2222::1 as-override
 exit-address-family


6VPE2:
!
 ipv6 unicast-routing
ipv6 cef
mpls label protocol ldp
!
vrf definition CUST1
 rd 1:100
 !
 address-family ipv6
 route-target export 1:100
 route-target import 1:100
 exit-address-family
!
interface Loopback0
 ip address 172.20.31.12 255.255.255.255
 ip router isis
 !
 interface FastEthernet1/1
 vrf forwarding CUST1
 no ip address
 speed auto
 duplex auto
 ipv6 address 2001:2212::1/124
 !
 !
 router bgp 65025
 no synchronization
 bgp log-neighbor-changes
 neighbor 172.20.31.11 remote-as 65025
 neighbor 172.20.31.11 update-source Loopback0
 no auto-summary
 !       
 address-family vpnv6
  neighbor 172.20.31.11 activate
  neighbor 172.20.31.11 send-community extended
 exit-address-family
 !       
 address-family ipv6 vrf CUST1
  redistribute connected
  no synchronization
  neighbor 2001:2212::2 remote-as 65022
  neighbor 2001:2212::2 activate
  neighbor 2001:2212::2 as-override
 exit-address-family
 !
 Test:
6VPE2# show bgp vpnv6 unicast vrf CUST1
BGP table version is 9, local router ID is 172.20.31.12
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf CUST1)
*> 2001:2212::/124  ::                       0         32768 ?
*                   2001:2212::2             0             0 65022 ?
*>i2001:2222::/124  ::FFFF:172.20.31.11
                                             0    100      0 ?
*>iFACE::1/128      ::FFFF:172.20.31.11
                                             0    100      0 65022 i
*> FACE::2/128      2001:2212::2             0             0 65022 i
6VPE2#show bgp vpnv6 unicast vrf CUST1 FACE::1/128
BGP routing table entry for [1:100]FACE::1/128, version 7
Paths: (1 available, best #1, table CUST1)
  Advertised to update-groups:
     5        
  65022
    ::FFFF:172.20.31.11 (metric 30) from 172.20.31.11 (172.20.31.11)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1:100
      mpls labels in/out nolabel/22  /*/Label imposition bottom label/*/
6VPE2#sh ip ce
6VPE2#sh ip cef 172.20.31.11
172.20.31.11/32
  nexthop 172.16.2.1 FastEthernet1/0 label 19 /*/Label imposition top label/*/
CE2#sh ipv6 route
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2001:2212::/124 [0/0]
     via FastEthernet1/0, directly connected
L   2001:2212::2/128 [0/0]
     via FastEthernet1/0, receive
B   2001:2222::/124 [20/0]
     via FE80::C804:14FF:FE10:1D, FastEthernet1/0
B   FACE::1/128 [20/0]
     via FE80::C804:14FF:FE10:1D, FastEthernet1/0
LC  FACE::2/128 [0/0]
     via Loopback0, receive
L   FF00::/8 [0/0]
     via Null0, receive
CE2#ping FACE::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FACE::1, timeout is 2 seconds:
!!!!!

