Tags

, ,

Ok, time for some MPLS!  For this lab I will be using the OSPF routing protocol first, then we can move to IS-IS next.  All we will be doing here is configuring LDP

First up, lets enabled LDP on all OSPF interfaces.  Normally you would do this under each interface, but here we will use the MPLS LDP AUTOCONFIG command.  This is a good command to use as it ensures that you do not miss configuring LDP on an interface.

RP/0/7/CPU0:R1#conf t
Sun Apr  1 18:58:04.084 UTC
RP/0/7/CPU0:R1(config)#router ospf LAB

Under the OSPF LAB process, we need to configure mpls ldp autoconfig and then commit it.
RP/0/7/CPU0:R1(config-ospf)#mpls ldp auto
RP/0/7/CPU0:R1(config-ospf)#commit
Sun Apr  1 18:58:12.277 UTC
RP/0/7/CPU0:R1(config-ospf)#exit
RP/0/7/CPU0:R1(config)#exit

Ok, now lets see what interfaces have LDP on them
RP/0/7/CPU0:R1#sh mpls ldp int
Sun Apr  1 18:58:18.902 UTC
MPLS LDP application must be enabled to use this command

Ahh, we configured the command but never enabled MPLS LDP.  Remember, if a process is not needed – it does not run.  So, lets enable the process
RP/0/7/CPU0:R1#conf t
Sun Apr  1 18:58:22.811 UTC
RP/0/7/CPU0:R1(config)#mpls ldp

Now, one thing to note on IOS XR, LDP is the only label protocol supported, TDP is not available.
To show that, let us take a look and see what options we have after label
RP/0/7/CPU0:R1(config-ldp)#label ?
  accept     Configure inbound label acceptance control
  advertise  Configure outbound label advertisement control
  allocate   Configure label allocation control
  <cr>       

No options there that we can use, wonder if tag is there?
RP/0/7/CPU0:R1(config-ldp-lbl)#tag?

                                                           ^
% Invalid input detected at ‘^’ marker.
See, no tag either – just LDP by default.
Ok, lets commit this change.
RP/0/7/CPU0:R1(config-ldp)#comm

Now, lets check our interfaces and check for a neighbor.
RP/0/7/CPU0:R1#sh mpls ldp int
Sun Apr  1 19:04:23.402 UTC
Interface GigabitEthernet0/3/0/2 (0x4000500)
   Enabled via config: IGP Auto-config
Interface GigabitEthernet0/3/0/3.100 (0x4000700)
   Disabled

Yup, we see it’s enabled on g0/3/0/2 via IGP Auto-config.  Nice!
Now, let’s check for a neighbor
RP/0/7/CPU0:R1#sh mpls ldp neighbor
Sun Apr  1 19:04:27.582 UTC

Peer LDP Identifier: 2.2.2.2:0
  TCP connection: 2.2.2.2:35051 – 1.1.1.1:646
  Graceful Restart: No
  Session Holdtime: 180 sec
  State: Oper; Msgs sent/rcvd: 13/24; Downstream-Unsolicited
  Up time: 00:05:57
  LDP Discovery Sources:
    GigabitEthernet0/3/0/2
  Addresses bound to this peer:
    2.2.2.2          150.1.12.2       200.100.200.100  200.200.200.200  
    200.200.200.201  200.200.200.202  200.200.200.203  200.200.200.204  
    200.200.200.205  200.200.200.206  200.200.200.207  200.200.200.208  
    200.200.200.209  200.200.200.210  

RP/0/7/CPU0:R1#

There you can see we have LDP neighbor with router-id 2.2.2.2 (R2) on G0/3/0/2.  You can also see the ports we are using for this communication.  Our local port is 646 and the remote port is 35051.

LDP Authentication
Ok, now onto neighbor password for LDP (both directed and all)

Lets configure a password for our neighbor, 2.2.2.2, of cisco
RP/0/7/CPU0:R1#conf t
Sun Apr  1 19:39:35.480 UTC

This is done under the LDP section
RP/0/7/CPU0:R1(config)#mpls ldp
RP/0/7/CPU0:R1(config-ldp)#nei 2.2.2.2 password cisco
RP/0/7/CPU0:R1(config-ldp)#comm
Sun Apr  1 19:40:04.498 UTC

Now here is something different than normal IOS, as soon as you enable authentication – the LDP session resets and enables the password.  With IOS, you would need to clear the LDP session and allow it to re-establish.
RP/0/7/CPU0:Apr  1 19:40:06.205 : tcp[400]: %IP-TCP-3-BADAUTH : Invalid MD5 digest from 2.2.2.2:57032 to 1.1.1.1:646

Ok, I made the change to R2 so the passwords match, now we can look at our neighbor
RP/0/7/CPU0:R1#sh mpls ldp neighbor
Sun Apr  1 19:40:33.961 UTC

Peer LDP Identifier: 2.2.2.2:0
  TCP connection: 2.2.2.2:57491 – 1.1.1.1:646; MD5 on
  Graceful Restart: No
  Session Holdtime: 180 sec
  State: Oper; Msgs sent/rcvd: 7/18; Downstream-Unsolicited
  Up time: 00:00:10
  LDP Discovery Sources:
    GigabitEthernet0/3/0/2
  Addresses bound to this peer:
    2.2.2.2          150.1.12.2       200.100.200.100  200.200.200.200  
    200.200.200.201  200.200.200.202  200.200.200.203  200.200.200.204  
    200.200.200.205  200.200.200.206  200.200.200.207  200.200.200.208  
    200.200.200.209  200.200.200.210  

RP/0/7/CPU0:R1#
As you can see, next to the TCP connection, it now says MD5 on.  Previously nothing was after the port number.

You can also configure a password for any LDP session, that is done like follows:
RP/0/7/CPU0:R1#conf t
Sun Apr  1 19:40:45.561 UTC
RP/0/7/CPU0:R1(config)#mpls ldp
RP/0/7/CPU0:R1(config-ldp)#neighbor ?
  A.B.C.D   IP address of neighbor
  password  Configure password for MD5 authentication for all neighbors
RP/0/7/CPU0:R1(config-ldp)#neighbor password cisco
RP/0/7/CPU0:R1(config-ldp)#comm
Sun Apr  1 19:40:57.167 UTC

Now any LDP session must have a password. Now remember this in case you need to do directed LDP session some time down the road.

ISIS
Changing Metrics on an interface.
To change a metric on an interface in IS-IS, it is pretty simple.  Just like before, all configuration are done under the routing protocol section of the config, interface subsection, and address family.
RP/0/7/CPU0:R1#conf t
Sun Apr  1 22:40:33.251 UTC
RP/0/7/CPU0:R1(config)#router ISIS LAB
RP/0/7/CPU0:R1(config-isis)#int g0/3/0/2
RP/0/7/CPU0:R1(config-isis-if)#address-family ipv4 un
RP/0/7/CPU0:R1(config-isis-if-af)#metric 20
RP/0/7/CPU0:R1(config-isis-if-af)#

And to check:
RP/0/7/CPU0:R1#sh isis interface g0/3/0/2
Sun Apr  1 22:42:11.124 UTC

GigabitEthernet0/3/0/2      Enabled
  Adjacency Formation:      Enabled
  Prefix Advertisement:     Enabled
  <–SNIP – Information removed for brevity –>
 
  IPv4 Unicast Topology:    Enabled
    Adjacency Formation:    Running
    Prefix Advertisement:   Running
    Metric (L1/L2):         20/20
    MPLS LDP Sync (L1/L2):  Disabled/Disabled
  IPv6 Unicast Topology:    Enabled
    Adjacency Formation:    Running
    Prefix Advertisement:   Running
    Metric (L1/L2):         10/10
    MPLS LDP Sync (L1/L2):  Disabled/Disabled
 
  IPv4 Address Family:      Enabled
    Protocol State:         Up
    Forwarding Address(es): 150.1.12.1
    Global Prefix(es):      150.1.12.0/24
  IPv6 Address Family:      Enabled
    Protocol State:         Up
    Forwarding Address(es): fe80::201:c9ff:fee8:dd7c
    Global Prefix(es):      2001:1:1:12::/64
 
  LSP transmit timer expires in 0 ms
  LSP transmission is idle
  Can send up to 9 back-to-back LSPs in the next 0 ms
RP/0/7/CPU0:R1#

As you can see, IPv4 now has a metric of 20 whereas IPv6 has the default metric of 10.
Passive Interfaces
Now, typically in ISIS you make the loopback interface passive.

To make an interface passive, is very simple.
RP/0/7/CPU0:R1#conf t
Sun Apr  1 22:45:10.308 UTC
RP/0/7/CPU0:R1(config)#router isis LAB

Change to the interface uder the protocol
RP/0/7/CPU0:R1(config-isis)#int loop0

And set it as passive.
RP/0/7/CPU0:R1(config-isis-if)#passive
RP/0/7/CPU0:R1(config-isis-if)#commit

Authentication
Time to configure IS-IS authentication.  Again, all this is done under the routing process – makes keeping all relevant changes very close together.

RP/0/7/CPU0:R1(config)#router ISIS LAB
RP/0/7/CPU0:R1(config-isis)#inter g0/3/0/2

Now, to configure authentication we need to set the hello-password.  As you can see we have some options listed – but for this lab we will use hmac-md5.
RP/0/7/CPU0:R1(config-isis-if)#hello-password ?        
  WORD       The unencrypted (clear text) hello password
  accept     Use password for incoming authentication only
  clear      Specifies an unencrypted password will follow
  encrypted  Specifies an encrypted password will follow
  hmac-md5   Use HMAC-MD5 authentication
  keychain   Specifies a Key Chain name will follow
  text       Use cleartext password authentication
RP/0/7/CPU0:R1(config-isis-if)#hello-password hmac-md5 cisco

Now before we commit, let’s look at our neighbors
RP/0/7/CPU0:R1(config-isis-if)#do show isis neighbors
Sun Apr  1 22:49:07.800 UTC

IS-IS LAB neighbors:
System Id      Interface        SNPA           State Holdtime Type IETF-NSF
GSR-R2         Gi0/3/0/2        00d0.7901.3a78 Up    7        L2   Capable

Total neighbor count: 1
RP/0/7/CPU0:R1(config-isis-if)#commit
Sun Apr  1 22:49:10.443 UTC
RP/0/7/CPU0:R1(config-isis-if)#
RP/0/7/CPU0:R1#

You may or may not have to clear the process; I did not and was able to catch this in the log with regards to ISIS neighbor authentication failure.
RP/0/7/CPU0:Apr  1 22:52:58.265 : isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LAN IIH from GigabitEthernet0/3/0/2 SNPA 00d0.7901.3a78 due to authentication TLV not found

Once I configured the password on the other router, we have neighbors again!
RP/0/7/CPU0:R1#sh isis neighbors
Sun Apr  1 22:55:55.066 UTC

IS-IS LAB neighbors:
System Id      Interface        SNPA           State Holdtime Type IETF-NSF
GSR-R2         Gi0/3/0/2        00d0.7901.3a78 Up    7        L2   Capable

Total neighbor count: 1
RP/0/7/CPU0:R1#

   Send article as PDF