CCDE in Depth
Orhan Ergun
CCDE #2014:17
CCIE #26567
Cisco Certified Design Expert in Depth
www.orhanergun.net
Copyright
Orhan Ergun
What Experts are Saying
I attended Orhan's training and passed the CCDE Practical exam in August 2016. I highly recommend taking Orhan Ergun's CCDE Bootcamp. I found his resources to be very detailed, thorough and exceptional, the best around.
I am now the first Nigerian CCDE. Thanks, Orhan.
Hashiru Aminu, Technical Leader at Cisco Systems
I passed the CCDE Practical exam, and Orhan's CCDE course was a very important contributor to my success.
I definitely recommend his bootcamp to anyone who wants to learn network design and pass the Practical exam.
Daniel Lardeux, Senior Network Consultant at Post Telecom
I attended Orhan's CCDE Course and I must say the guy has exceeded my expectations in all ways in terms of quality, depth, etc.
Deepak Kumar, Senior Network Engineer at HCL
Orhan's ability to cover the vast technical topics required for the CCDE is tremendous. He is not only technical; he is also an amazing teacher.
Thanks Orhan, you are the best CCDE trainer for sure.
Jason Gooley, Systems Engineer at Cisco Systems
Cisco Certified Design Expert
Written and Practical Study Guide
OrhanErgun.net
To my wife Halise and my sweet son Emin Efe and
everyone who helped to make this project a success,
and not forgetting all those who I worked with and
coached to become outstanding Design Experts.
Contents
What Experts are Saying 5
About the Author 14
Introduction 15
Chapter 1: Layer 2 Technologies 21
Spanning Tree 22
VLAN Based Load Balancing 22
FLOW BASED LOAD BALANCING 24
Spanning Tree Theory 27
Spanning Tree Best Practices 29
Spanning Tree Case Study 30
VLAN, VTP, and the Trunking Best Practices 31
First Hop Redundancy Protocols 32
HSRP 32
GLBP 33
First Hop Redundancy Protocol 35
Requirements: 35
First Hop Redundancy Protocol 36
What about Gateway Load Balancing Protocol (GLBP)? 37
STP/HSRP Interaction 38
Access network design 39
Layer 2 Access Design 40
Layer 2 Loop-Free Topology 40
Layer 2 Looped Topology 41
Layer 3 Access Design/Routed Access Design 42
Also known as routed access design. 42
Layer 2 vs. Layer 3 Access Design Models Comparison 43
Access Network Design Case Study 1 44
Access Network Design Case Study 2 46
Layer 2 Technologies Review Questions 47
Layer 2 FURTHER Study Resources 57
Chapter 2: NETWORK DESIGN TOOLS 58
Reliability 58
Resilience 59
Fast convergence and Fast reroute 60
SCALABILITY 61
COST 62
OPEX: 62
CAPEX: 62
Flexibility 63
MODULARITY 63
Network Mergers /Acquisitions 64
High Availability: 68
Convergence: 68
Scalability: 69
Load Balancing: 70
Optimal Routing: 71
Network Topologies: 71
Modularity: 72
Security: 72
Simplicity and Complexity: 73
Know the purpose of your design! 75
Network Design Tools And The Best Practices
Review Questions 76
Network Design Tools And The Best Practices
Further Study Resources 83
Chapter 3: OSPF 84
OSPF Theory 85
OSPF Link-State Advertisement 87
OSPF LSA Types 89
6 Critical LSAs for OSPF Design 90
OSPF Router LSA 90
OSPF Network LSA 90
OSPF Summary LSA 90
OSPF ASBR Summary LSA 91
OSPF External LSA 91
OSPF NSSA External LSA 92
OSPF Area Types 92
OSPF Stub Area 93
OSPF Totally Stub Area 94
OSPF NSSA Area 94
OSPF Totally NSSA Area 94
OSPF Multi-Area Design 95
How many routers should be in one OSPF area? 96
How many ABR (Area Border Router) per OSPF Area? 97
How many OSPF areas are suitable per OSPF ABR? 98
Best Practices on OSPF Areas: 99
OSPF Single vs. Multi Area Design Comparison 100
Interaction between OSPF and Other Protocols 101
OSPF-BGP Interaction Case Study 102
Contributing Author
Michael "Zig" Zsiga II, CCIE #44883
Introduction
Orhan Ergun
This may not be the entire list, but you should at least start asking these questions in your real-life designs. In the CCDE exam, most of the questions come from the considerations above.
Adding Technologies
If you are adding a new technology to an existing network, these sorts of questions should be kept in mind:
∗ What can be broken? Does this technology affect other technologies/protocols in the network?
∗ What does this technology provide? Is it really necessary? If you have enough bandwidth in your network, do you really need Quality of Service, for example? Or, if you arranged your routing protocol metrics well, would you need MPLS Traffic Engineering at all?
∗ What are the alternatives to this technology or protocol? (Throughout the book you will see many comparison charts that help you evaluate the alternatives to each technology/protocol.)
∗ Which additional information do you need to deploy this technology/protocol?
∗ Every new technology adds some amount of complexity, so weigh that complexity against the benefits of the technology! As mentioned above, do you really need to deploy MPLS Traffic Engineering for better utilization, or could you achieve the same goal with the IGP metric design?
Replacing Technologies
If you are replacing a technology in an existing network, these sorts of questions should be kept in mind:
∗ Is this change really needed? Is there a valid business reason behind it?
∗ What is the potential impact on the overall network?
∗ What will the migration steps be? Order of operations is very important in network design. If you do not design the migration process carefully, you may have unplanned downtime, or the planned downtime may take longer than planned.
∗ Are there budget constraints?
∗ Will both technologies run in the network at the same time? If so, plan how the old one is removed afterwards, so it does not linger as an unmanaged path.
Chapter 1
Layer 2 Technologies
In this chapter:
• STP theory and design practices will be explained, and VLAN, VTP and trunking best practices will be shared.
• Layer 3 first-hop redundancy mechanisms such as HSRP, VRRP and GLBP will be explained from the network design perspective.
• Campus and datacenter access networks can be built as Layer 2 or Layer 3 access. These two design approaches will be explained in detail, and examples will be provided to help you understand the optimal design for given business and application requirements.
• Many case studies will be presented to complement the theory and the best-practice information.
• At the end of this section you will find many quiz questions with answers, so you can test your Layer 2 design knowledge.
• Common network design principles for availability, scalability, convergence, security, network topologies, routing protocols and Layer 2 technologies will be shared.
Spanning Tree
same port where it was sent; otherwise a Layer 2 switching loop occurs.
Let me explain this concept with the topology depicted below.
VLAN-based load balancing
In the above figure, either Port 1 or Port 2 is used to send the traffic, and the same port should be used to receive it. The switches use MAC addresses to process the Ethernet frames.
A switch cannot see the same MAC address from two different ports. In other words, Switch 1 cannot learn the same MAC address on both Port 1 and Port 2.
To resolve this, both ports can be placed in a bundle. In standard terms this is a link aggregation group (LAG); the vendor terms are EtherChannel or port channel.
Since Switch 1 in the above topology is connected to two different switches (Switch 2 and Switch 3), a bundle on a single chassis is not enough: MLAG (Multi-Chassis Link Aggregation Group) or MEC (Multi-Chassis EtherChannel) is created between the switches.
Spanning tree, on the other hand, solves the problem by bringing down one of the ports. If Port 1 sends the frame, Port 2 is disabled.
Spanning tree carries out its operation by first electing the root switch. One of the switches is elected as root, and all the ports of the root switch are always forwarding. Thus the ports towards the root switch, or coming from the root switch, cannot be blocked.
In the above topology, if Switch 2 is elected as root switch (manually
Imagine you have 10 VLANs and Switch 2 is the root switch for all 10 VLANs, and in every VLAN you have tens of hosts.
If the link between Switch 2 and Switch 3 is a Layer 3 link, spanning tree does not block any link in this topology. This topology is then called a Layer 2 loop-free topology.
Spanning tree deals with the logical Layer 2 topology. For the Layer 3 part, the default gateway function, one of the first hop redundancy mechanisms is used: HSRP, VRRP or GLBP.
If HSRP or VRRP is used, one switch is the primary (active) gateway for a given VLAN and the other switch is the standby.
Switch 2, for example, can be primary for VLAN 5 with Switch 3 as standby. For another VLAN, say VLAN 6, Switch 3 is primary and Switch 2 is standby. This allows all the uplinks of Switch 1 to be used, so bandwidth is not wasted.
That is why HSRP and VRRP provide VLAN-based load balancing: the default gateway for a particular VLAN can only be one of the switches.
If we use GLBP (Gateway Load Balancing Protocol) in this topology, both Switch 2 and Switch 3 can act as default gateway for any given VLAN. For different hosts in the same VLAN, the ARP replies carry different virtual MAC addresses (sent by the Active Virtual Gateway on behalf of different forwarders).
Switch 2 can be the default gateway of host 1 in VLAN 5 and Switch 3 the default gateway of host 2 in VLAN 5.
As you can understand, traffic from different sets of hosts in the same VLAN can be sent by Switch 1 to Switch 2 and Switch 3 at the same time.
A flow is not the same thing as a host, of course: for the same host, different destination IP addresses and port numbers mean different flows. Note, however, that GLBP decides the split when a host ARPs for the gateway, so all flows of host 1 in VLAN 5 follow the forwarder whose virtual MAC host 1 learned, until its ARP entry expires; the balancing is per host rather than per flow, which is exactly what the GLBP Internet edge case study in this chapter relies on. Splitting the flows of one host across links is what LAG hashing or Layer 3 ECMP does, since those hash on the packet headers rather than depending on the ARP reply.
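As an added example (not code from the book), here is a small model of how a bundle (LAG/EtherChannel) or ECMP spreads the flows of a single host across member links, which a per-host split of the GLBP kind cannot do. The hash policy names follow the Cisco IOS port-channel load-balance keywords, but the XOR fold, the host and server addresses and the sample flows are constructed for the example; a real ASIC uses its own hash function.

```python
import ipaddress
from collections import Counter

# Constructed sample flows (not from the book): sessions from two hosts in VLAN 5
# to a few servers, all sent to the default gateway's virtual MAC.
# Fields: src_mac, dst_mac, src_ip, dst_ip, ip_proto, src_port, dst_port
FLOWS = [
    ("00:11:22:33:44:01", "00:00:0c:07:ac:05", "10.5.0.11", "10.50.0.1", 6, 50001, 443),
    ("00:11:22:33:44:01", "00:00:0c:07:ac:05", "10.5.0.11", "10.50.0.2", 6, 50003, 443),
    ("00:11:22:33:44:01", "00:00:0c:07:ac:05", "10.5.0.11", "10.50.0.3", 17, 50004, 53),
    ("00:11:22:33:44:01", "00:00:0c:07:ac:05", "10.5.0.11", "10.50.0.4", 6, 50006, 22),
    ("00:11:22:33:44:02", "00:00:0c:07:ac:05", "10.5.0.12", "10.50.0.1", 6, 40001, 443),
    ("00:11:22:33:44:02", "00:00:0c:07:ac:05", "10.5.0.12", "10.50.0.1", 6, 40002, 443),
]
HOST_A, HOST_B = "00:11:22:33:44:01", "00:11:22:33:44:02"

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def ip_to_int(ip):
    return int(ipaddress.ip_address(ip))

def hash_fields(flow, policy):
    """Header fields that feed the hash under a policy. The policy names follow
    the IOS 'port-channel load-balance' keywords; which fields are included is
    the whole point."""
    src_mac, _dst_mac, src_ip, dst_ip, proto, sport, dport = flow
    if policy == "src-mac":
        return (mac_to_int(src_mac),)
    if policy == "src-dst-ip":
        return (ip_to_int(src_ip), ip_to_int(dst_ip))
    if policy == "src-dst-mixed-ip-port":
        return (ip_to_int(src_ip), ip_to_int(dst_ip), proto, sport, dport)
    raise ValueError(f"unknown policy {policy!r}")

def select_member(flow, n_links, policy):
    """Bundle member (0..n_links-1) for one flow: XOR-fold the selected fields and
    reduce modulo the member count. Real ASICs use a vendor-specific hash; the
    XOR fold is a stand-in with the same shape, and with two members it reduces
    to the parity of the fields' low bits, which makes the outcome easy to check."""
    folded = 0
    for value in hash_fields(flow, policy):
        folded ^= value
    return folded % n_links

def distribute(flows, n_links, policy):
    """Number of flows carried by each member."""
    counts = Counter(select_member(f, n_links, policy) for f in flows)
    return {i: counts.get(i, 0) for i in range(n_links)}

def members_used_by_host(flows, src_mac, n_links, policy):
    """Members that carry any traffic from one host; a single-element set means
    every flow of that host is pinned to one physical link."""
    return {select_member(f, n_links, policy) for f in flows if f[0] == src_mac}

if __name__ == "__main__":
    for policy in ("src-mac", "src-dst-ip", "src-dst-mixed-ip-port"):
        print(f"{policy:24} per-member {distribute(FLOWS, 2, policy)}"
              f"  host A on {sorted(members_used_by_host(FLOWS, HOST_A, 2, policy))}"
              f"  host B on {sorted(members_used_by_host(FLOWS, HOST_B, 2, policy))}")
```

With src-mac hashing every flow of a host lands on one member, with src-dst-ip the two sessions host B has to the same server are pinned to one link, and only the policy that includes the ports spreads the flows of a single host. The check a practitioner runs on a real bundle is the same one: count flows per member and look for a member that carries nothing.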
As soon as STP detects a loop, it blocks a link to prevent the loop. CST (Common Spanning Tree, 802.1D), which is the classic/legacy STP, supports only one instance for all VLANs. One instance means there is only one topology, thus only one root switch for all the VLANs in the network.
instance to VLAN mapping.
Enhancements to PVST provide a good optimization over CST, but even PVST has slow convergence compared to MST and RSTP.
RSTP (802.1w) is the IEEE standard rapid spanning tree mechanism. The main advantage of RSTP is fast convergence, which it achieves through the Proposal/Agreement handshake on point-to-point links; on a link detected as shared (half duplex) RSTP falls back to timer-based convergence, so uplinks should be full-duplex point-to-point links. The same mechanism and convergence characteristics apply to MST (802.1s) as well.
tree topologies
• BPDU Guard: Disables (err-disables) a PortFast-enabled port if a BPDU is received, so an unexpected switch behind an edge port cannot join the topology.
• BPDU Filter: Prevents sending or receiving BPDUs on PortFast-enabled ports, but doesn't block the ports. It can be considered mostly a monitoring feature. Caveat: applied per interface, BPDU Filter silently drops received BPDUs and effectively disables STP on that port, so a loop through it is not detected; where the goal is protection rather than BPDU suppression, BPDU Guard is the safer choice.
In the diagram below, you can see where these features are commonly deployed.
• Use RSTP or Rapid PVST+ for fast convergence after direct and indirect failures.
• Use MST for scaling. If you have a large-scale VLAN deployment and CPU usage is a concern, take advantage of grouping VLANs into MST instances.
• Don't use 802.1D CST. If you must use a standards-based mode, use RSTP or MST.
• Take advantage of VLAN load balancing, so you can use your uplink capacity.
• VLAN load balancing can be cumbersome, but it has the advantage of using all uplinks.
• Spanning tree avoids switching loops by blocking some links in the topology. If the requirement is to use all the available links, links can be grouped into a bundle.
• LACP and the Cisco proprietary protocol PAgP are used to aggregate multiple physical links into one logical bundle.
• LACP is a standard mechanism; it can be used between two switches, or between multiple switches.
• If LACP is used between multiple switches, the solution is called Multi-Chassis Link Aggregation or Multi-Chassis EtherChannel.
• The LACP System ID, which is generated from the System Priority and the MAC
switch environment.
Question 1:
What would be the implication of this?
Question 2:
How can future problems be mitigated?
Answer
This problem happened in the early days of networking. Hubs don't generate STP BPDUs. If you connect a hub with two ports to a switch, a forwarding loop occurs.
In order to stop it you can remove one of the cables. However, had the contractor known the complication from the start, they most likely would have chosen a different configuration.
That's why a feature that can prevent a loop should be in place in advance.
• BPDU Guard and BPDU Filter are the two features which react
This is why it is one of the best practices to enable port security not only as a security feature, but as an STP protection feature as well.
HSRP
HSRP VIP-VMAC
In the above figure only HSRP is shown, but VRRP works in exactly the same way: one virtual MAC address is mapped to one virtual IP address. The switches have their own physical IP addresses as well.
Only one switch can be the HSRP active switch at any given time. If the active switch fails, the standby takes over the gateway responsibility and responds to ARP requests with the common virtual MAC address (it also sends a gratuitous ARP so the switches' MAC tables point at the new active switch).
The hosts' gateway IP address doesn't change: on the hosts, the virtual IP address is configured.
GLBP
GLBP uses one virtual IP and several virtual MAC addresses. The Active Virtual Gateway (AVG) answers the clients' ARP requests with different virtual MAC addresses, each belonging to an Active Virtual Forwarder (AVF), so network-based load balancing can be achieved.
Multiple switches can actively forward the network traffic.
GLBP is a Cisco proprietary protocol and may not interoperate with other vendors' equipment.
Different clients use different devices as their default gateway, but on all clients the same IP address, the GLBP virtual IP, is configured as the default gateway.
GLBP might be suitable for a campus but not for the Internet edge, since the firewall is a single client: it ARPs once for the virtual IP and is handed a single Internet gateway. Why GLBP is not suitable on the Internet edge is explained in detail in a case study at the end of this chapter.
The table below summarizes the similarities and differences of the first hop redundancy protocols in detail. Network designers should know the pros and cons of the technologies, the protocol alternatives and their capabilities from the design point of view.
Design Requirement | HSRP | VRRP | GLBP
Suitable on LAN | YES | YES | YES
Suitable on Datacenter | YES, if Layer 3 access is not used | YES, if Layer 3 access is not used | YES, if Layer 3 access is not used
Suitable on Internet Edge | YES, but there might be better options, such as routing with the firewall or a router behind the firewall | YES, but there might be better options, such as routing with the firewall or a router behind the firewall | NO, it creates polarization issues (explained in detail in Orhan Ergun's CCDE Course)
Standard Protocol | NO, Cisco proprietary | YES, IETF standard | NO, Cisco proprietary
Preemption Support by default | NO, you need to configure it manually, and preemption is important to prevent suboptimal traffic flow | YES, it is enabled by default, and you can disable it on any vendor implementation | NO, you need to configure it manually, and preemption is important to avoid suboptimal traffic flow
Virtual IP and MAC | 1 virtual IP and 1 virtual MAC | 1 virtual IP and 1 virtual MAC | 1 virtual IP and multiple virtual MACs
Staff Experience | Very well known | Well known | Not well known
Flow Based Load Balancing | NO | NO | YES, the Active Virtual Gateway responds to ARP requests with the virtual MACs of different Active Virtual Forwarders within an individual VLAN
VLAN Based Load Balancing | YES, with HSRP groups | YES, with VRRP groups | YES, with GLBP groups
Transport Protocol | Multicast | Multicast | Multicast
Default Convergence | Slow, 10 seconds | Fastest, but still slow for some applications: 3 seconds | Slow, 10 seconds
Security | MD5 Authentication | MD5 Authentication | MD5 Authentication
More than 2 device Support | YES | YES | YES
IPv6 Support | YES | YES, with VRRPv3 | YES
Active Node Support | YES, with Anycast HSRP | YES | YES
Question:
Which FRHP should the company use? Why?
Answer:
As previously indicated in this chapter, only one device acts as the active gateway with HSRP and VRRP.
If a failure happens, the standby device takes over, and even with fast hellos and BFD there is still downtime; during network convergence the clients' traffic is affected.
With GLBP, in any given VLAN there can be more than one active gateway (up to four forwarders per group), so the client traffic is divided among the active gateways.
Thus, for the purposes of this question, GLBP is the best choice.
Which one is more suitable for the Internet edge, HSRP or GLBP?
Let's look at the images below.
What about Gateway Load Balancing Protocol (GLBP)?
The firewall sends an ARP request and the AVG (Active Virtual Gateway) responds with the virtual MAC of either R1 or R2. Traffic is now polarized onto a single link from the firewall.
If R2's virtual MAC is returned, i.e. R2 is the Active Virtual Forwarder assigned to the firewall, all traffic goes from the firewall to R2 only.
There may be a further issue with this design: if Local Preference is set on the routers and R1 has the higher local preference, all outbound traffic from the firewall first goes to R2 and then over the R2-R1 link to R1 for forwarding.
From the case study above we can see that, although HSRP might seem more complex configuration-wise, traffic is not polarized to a single exit point as in the GLBP case.
In the GLBP case, one of the links from the firewall to the Internet gateways is not used.
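The ARP behaviour behind both the campus case and the Internet edge case above, as an added example that is not code from the book: an HSRP/VRRP group answers every ARP with one virtual MAC, a GLBP AVG rotates through the forwarders' virtual MACs (the default round-robin method), and a single requester such as the firewall therefore always gets exactly one forwarder. The virtual MAC formats are the ones Cisco documents (HSRPv1 0000.0c07.acXX, GLBP 0007.b4XX.XXYY); the switch, router and host names, the addresses and the group numbers are constructed for the example.

```python
from collections import Counter
from itertools import cycle

class HSRPGroup:
    """HSRP (or VRRP) group: one active gateway answers every ARP for the VIP."""
    def __init__(self, group, vip, active):
        self.vip, self.active = vip, active
        self.vmac = f"0000.0c07.ac{group:02x}"   # HSRPv1 virtual MAC, XX = group

    def arp_reply(self, requester):
        return self.active, self.vmac


class GLBPGroup:
    """GLBP group: the AVG answers ARPs, rotating through the AVFs' virtual MACs."""
    def __init__(self, group, vip, forwarders):
        self.vip, self.forwarders = vip, list(forwarders)
        # 0007.b4XX.XXYY: XXXX = group number, YY = forwarder number (1-based)
        self.vmacs = {fw: f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{i + 1:02x}"
                      for i, fw in enumerate(self.forwarders)}
        self._round_robin = cycle(self.forwarders)   # GLBP's default load-balancing method

    def arp_reply(self, requester):
        avf = next(self._round_robin)
        return avf, self.vmacs[avf]


def resolve_gateways(group, requesters):
    """Every requester ARPs once for the VIP and caches the answer, so all of its
    flows use the gateway returned here until the ARP entry ages out."""
    return {host: group.arp_reply(host)[0] for host in requesters}

def load_share(assignment):
    """Hosts per gateway device."""
    return dict(Counter(assignment.values()))

def share_across_vlans(groups_by_vlan, hosts_by_vlan):
    """Hosts per gateway summed over several VLANs: with HSRP this is how
    VLAN-based load balancing is obtained (a different active per VLAN)."""
    total = Counter()
    for vlan, group in groups_by_vlan.items():
        total.update(load_share(resolve_gateways(group, hosts_by_vlan[vlan])))
    return dict(total)

def is_polarized(assignment):
    """True when every requester ended up on the same gateway."""
    return len(set(assignment.values())) == 1

def exit_path(assigned_router, preferred_exit):
    """Hops outbound traffic takes when BGP local preference makes one router the
    preferred Internet exit but the firewall was handed the other forwarder."""
    return [assigned_router] if assigned_router == preferred_exit else [assigned_router, preferred_exit]

if __name__ == "__main__":
    hosts = [f"host{n}" for n in range(1, 11)]
    # Campus VLAN 5: HSRP pins the whole VLAN to one switch, GLBP splits the hosts.
    print("HSRP :", load_share(resolve_gateways(HSRPGroup(5, "10.5.0.1", "Switch2"), hosts)))
    print("GLBP :", load_share(resolve_gateways(GLBPGroup(5, "10.5.0.1", ["Switch2", "Switch3"]), hosts)))
    # Internet edge: the firewall is the only ARP requester, so there is nothing to spread.
    edge = resolve_gateways(GLBPGroup(1, "192.0.2.1", ["R1", "R2"]), ["Firewall"])
    print("Edge :", edge, "polarized:", is_polarized(edge), "path:", exit_path(edge["Firewall"], "R1"))
```

Ten campus hosts split 5/5 under GLBP and 10/0 under HSRP, while the lone firewall is polarized onto R1 whatever protocol runs; adding the local-preference twist, exit_path shows the hairpin through the non-preferred router that the text describes.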
STP/HSRP Interaction
In networks, all protocols interact with each other. Whenever you add, replace or change a protocol, as a network designer you should consider the overall impact. Throughout the book many such interactions, and the best practices for finding an optimal design, will be shown.
The first interaction is between the Layer 2 protocols and the gateway protocols. The interaction between spanning tree and HSRP is explained in the example below.
One important factor to take into account when tuning HSRP is its preemptive behavior.
Preemption causes the primary HSRP peer to re-assume the primary role when it comes back online after a failure or maintenance event.
Preemption is the desired behavior because the STP/RSTP root should be the same device as the HSRP primary for a given subnet or VLAN. If HSRP and STP/RSTP are not synchronized, the interconnection between the distribution switches becomes a transit link and traffic takes a suboptimal path: in the above topology, traffic goes through the left distribution switch first and then the right distribution switch, because the right distribution switch is the default gateway.
HSRP preemption needs to be aware of the switch boot time and of connectivity to the rest of the network. It is possible for HSRP neighbor relationships to form, and preemption to occur, before the primary switch has Layer 3 connectivity to the core. If this happens, traffic is black-holed until full connectivity is established.
The recommended best practice is to measure the system boot time, up to the point where the core-facing routing adjacencies are up, and set the HSRP preempt delay to a value greater than this (on Cisco IOS, standby <group> preempt delay minimum <seconds>).
In Layer 2 loop-free topologies the same VLAN is not used on every access switch. As you can see from the above topology, different Data and Voice VLANs are used on different access switches, and for VLAN-based load balancing, different distribution switches are set as STP root and FHRP active for different VLANs.
In the looped design, the link between the distribution layer switches is Layer 2, so STP blocks one of the links to prevent a loop.
The same VLAN can be used on every access switch.
Design Concern | Layer 2 Access | Layer 3 / Routed Access
Multiple paths from the access to the distribution | YES, if there is a Link Aggregation Group (LAG) or a fabric technology; NO, if there is spanning tree | YES, access to distribution is Layer 3, so ECMP can be used
Default Gateway Node | Distribution switch, in 2- and 3-tier hierarchies | Access switch
Spanning Tree Requirement | Required, unless fabric-based protocols (TRILL, SPB, FabricPath) or LAG are used | No spanning tree
Default Gateway Protocols | HSRP, VRRP, GLBP | No default gateway protocol is required, since there is no HSRP, VRRP or GLBP between access switches
VLAN can be spanned between access switches | YES | NO
Convergence | If there is spanning tree it is slow, but if there is LAG it is very fast | Fast compared to spanning tree; can be sub-second with fast convergence and sub-50 ms with fast reroute mechanisms. ECMP also provides failover between the paths
Staff Experience | Well known | Well known
Possible network meltdown | If there is spanning tree, a spanning tree bug can take down the network | No Layer 2 loop; the Layer 3 IP header has a TTL field, so even if there is a loop it is a microloop that stops when the topology converges
Required Protocols | Spanning tree or LAG, and first hop redundancy protocols (HSRP, VRRP, GLBP) | Any Layer 3 routing protocol, including static routing, can run
QoS Support | Good | Good
Multicast Support | Layer 2 based | Layer 3 based: PIM ASM, SSM and Bidir
Security | Many first hop security technologies: Dynamic ARP Inspection, DHCP Snooping, port security and so on | Same as Layer 2 access
IPv6 Support | YES | YES
Default Convergence | Slow | Fast
Places in the network | LAN and datacenter, but mainly LAN | LAN and datacenter, but mainly datacenter, because large-scale datacenters need to keep the Layer 2 domain as small as possible, so Layer 3 starts at the edge of the network
In the figure above, access and distribution layer switches are shown.
Question 1:
Why do we always place the STP root switch and the FHRP gateway at the distribution layer in campus networks?
What is the design implication if they were placed in the access layer instead?
Answer 1:
Traffic in campus networks is mostly North/South.
In two- or three-layer hierarchical designs (Access-Distribution or Access-Distribution-Core), the Layer 2/Layer 3 boundary is placed at the distribution layer.
The distribution layer is used for scalability, modularity, and hierarchy. When the network has a distribution layer, any access layer switch can be upgraded smoothly. Also, some functions are shared between the access and distribution layer devices.
The access layer provides edge functions such as filtering, client access, QoS, and first hop security features such as Dynamic ARP Inspection, DHCP Snooping, port security and so on.
The distribution layer is responsible for route and traffic/speed aggregation.
Layer 3 starts at the distribution layer, thus the FHRPs are enabled there, and it is logical to place the STP root and the FHRP gateway at that top position in the topology.
If the root were an access switch instead, the link between the distribution switches would be blocked (both have the same cost to the root), and traffic between them, including the other access switches' traffic towards the FHRP gateway, would have to transit that access switch over its uplinks. This is also the situation that Root Guard on the distribution downlinks exists to prevent: a lower bridge priority appearing on an access port must not be allowed to move the root.
Question 2:
If there is a three-layer hierarchy, can the root switch functionality be put into the Core layer?
Answer 2:
No. The Layer 2 domain would be much larger in that case, and we always want to keep the Layer 2 domain small unless the application requires it to be larger, as with vMotion or Layer 2 extension.
With the Layer 3 access design, since the default gateway is the access layer switch and there is no first hop redundancy protocol between the switches, the Layer 2 domain is the smallest of all the local area network design options (Layer 2 looped or loop-free access designs).
Answer:
In an environment where a Layer 2 VLAN needs to be spanned across many access switches. The classic example is the datacenter.
In the datacenter, hosts (specifically, virtual machines) can move between access switches, so the VLANs must be spread across those switches.
It is also very common in campus environments where WLAN is used on every access switch.
In environments where Layer 2 needs to be extended across many access switches, the Layer 2 looped design is the only design option with spanning tree.
Question 1:
What is the name of the topology below?
A. Layer 2 loop-free access design
B. Layer 2 looped access design
C. Layer 3 routed access design
D. Layer 2 routed access design
Answer 1:
The topology is called a Layer 2 looped topology, since the connection between the two distribution layer switches is Layer 2. Once it is Layer 2, STP has to block one link, the one farthest from the root switch, to prevent a forwarding loop. The answer is B.
Question 2:
Spanning tree blocks some links to prevent forwarding loops in Layer
Answer 2:
MST is a standard spanning tree protocol.
DTP is the Dynamic Trunking Protocol, and it is not used for link aggregation. Two protocols are used to aggregate multiple links into a bundle, and spanning tree does not block those aggregated links: LACP and the Cisco proprietary protocol PAgP.
That's why the correct answers to this question are B and C.
Question 3:
Which option below is true for LACP?
A. The LACP system ID is generated from the System Priority and the switch MAC address
B. LACP is a Layer 3 mechanism which is used for Layer 3 load balancing
C. LACP is a first hop redundancy mechanism
D. LACP is a Cisco proprietary link aggregation protocol
Answer 3:
Although it is a link aggregation protocol, LACP (IEEE 802.3ad/802.1AX) is not a Cisco proprietary protocol, so Option D is incorrect. It is not a Layer 3 load balancing mechanism, and it is not a first hop redundancy mechanism either, so Options B and C are incorrect too.
The System ID, an important component of LACP, is created from the System Priority and the switch MAC address. The answer to this question is A.
Question 4:
Which technologies below can be used as a first hop redundancy gateway protocol? (Choose three)
A. HSRP
B. VRRP
C. Spanning Tree
D. OSPF
E. GLBP
Answer 4:
HSRP, VRRP and GLBP can be used as first hop redundancy gateway protocols. First hop redundancy means that if the gateway of the users/hosts fails, a secondary device takes over the gateway responsibility.
That's why the answer to this question is A, B and E.
Question 5:
A fictitious company has two datacenters and two interconnect links between the datacenters. The company is extending a specific VLAN between the datacenters. Which protocols below allow this VLAN's traffic to use both interconnect links? (Choose two)
A. RPVST
B. MST
C. EtherChannel
D. Multi-Chassis EtherChannel
Answer 5:
If any spanning tree mode is used on those two links, as explained in the Layer 2 technologies chapter of the book, one of the links is blocked for any particular VLAN, as spanning tree does not support flow-based load balancing.
An EtherChannel between the datacenters can provide flow-based load balancing over those two datacenter interconnect links if both links terminate on the same devices; if they terminate on different devices, Multi-Chassis EtherChannel provides the same result. That's why the answers are C and D.
Question 6:
Which first hop redundancy protocol is more suitable for the topology below?
A. HSRP
B. GLBP
C. Spanning Tree
D. MLD
Answer 6:
Spanning Tree and MLD (Multicast Listener Discovery) are not first hop redundancy protocols. Before explaining whether HSRP or GLBP is more suitable, let me explain some concepts of GLBP and HSRP.
GLBP provides flow-based load balancing. Two common load-
In this way you can use both distribution switches active-active and utilize all the links in the Layer 2 network. However, supporting this configuration instead of using GLBP is more complex from a design point of view.
If you want both the right and the left distribution switches to be used active-active for the same VLAN, e.g. VLAN 100, then you need to use GLBP. However, STP must not block the Layer 2 links. How can this be achieved?
One way is to change the inter-distribution link to Layer 3. In that way none of the links between the access and distribution layer switches is blocked, so you can use all the uplinks.
If you use GLBP with the above topology as it is, the right access-to-distribution link is blocked, so the traffic of every user whose ARP request the right distribution switch answered as Active Virtual Forwarder goes first to the left distribution switch and then over the interconnect link to the right distribution switch. In this way a suboptimal path is always used.
That's why the answer to this question is HSRP.
Question 7:
Which technology below provides spanning tree unidirectional failure detection if BPDUs are not received?
Answer 7:
As mentioned in the Spanning Tree section of the Layer 2 technologies chapter, Loop Guard protects against unidirectional link failures where BPDUs stop arriving: instead of moving the blocked port to forwarding when BPDUs are lost, it puts the port into the loop-inconsistent state. That's why the correct answer to this question is C.
Question 8:
How is fast convergence achieved in RSTP (802.1w)?
Answer 8:
Fast convergence in RSTP (802.1w) and MST (802.1s) is achieved with the Proposal/Agreement handshake mechanism, as explained in the Layer 2 technologies chapter.
Question 9:
Which spanning tree mode below provides maximum scaling?
A. CST
B. RSTP
C. MST
D. PVST+
Answer 9:
As a spanning tree mode, MST provides maximum scaling. If the requirement is to provide scaling in spanning tree topologies, for example in the datacenter, then MST is the best choice. The answer is C.
Question 10:
What is the main function of the Access Layer in hierarchical campus network design?
A. Provides aggregation points for network services such as firewalls and load balancers
B. Provides user access, first hop security and QoS functions
C. Provides Layer 3 routing to the wide area network
D. Provides Layer 3 virtualization in the campus network
Answer 10:
The main function of the access layer in a campus network is providing user access, first hop security mechanisms, and QoS functions such as classification and marking.
Layer 3 virtualization can be provided if there is a routed access design and VRFs are configured on the access layer devices, but that is a specific design and not the main function.
Layer 3 routing is the same: it can be done on the access layer devices if the routed access design is used, but it is not the main function.
That's why the correct answer is B.
Question 11:
Which below mechanism provides flow based load balancing?
A. HSRP
B. VRRP
C. GLBP
D. Spanning Tree
Answer 11:
Of the given options, only GLBP supports flow-based load balancing, as explained in detail in the Layer 2 technologies chapter. The answer is C.
Question 12:
Which mechanism below provides optimal Layer 2 switching in a campus network design?
A. BPDU Guard
B. Spanning Tree PortFast
C. Root Guard
D. BPDU Filter
E. ECMP
Answer 12:
Answer 13:
Odd/even VLAN number separation is a common method in VLAN-based load balancing. That's why Option D is one of the correct options.
Hosts in different VLANs can use different default gateways; this is the whole idea of VLAN-based load balancing.
There is no VLAN limitation per default gateway.
That's why the answer to this question is A and C.
Question 14:
Why is Spanning Tree and FHRP synchronization/interaction
necessary?
A. To prevent blackholing
B. To prevent sub optimal forwarding
C. To provide fast convergence
D. To provide better security
Answer 14:
As was explained in the Spanning Tree/FHRP part of the Layer 2
Technologies chapter, it is necessary to provide optimal forwarding.
Question 15:
Which of the statements below are true for the Layer 3 routed access design?
(Choose Three)
A. There is no spanning tree between access and distribution
layers
B. Spanning Tree should be enabled on the user facing ports
C. ECMP routing can be done between access and distribution
layer devices
Answer 15:
There is no spanning tree in a layer 3 access design/routed access
design between the access and distribution layer switches.
Spanning tree should be enabled on the user facing ports to prevent
intentional and unintentional layer 2 attacks and loop issues.
ECMP (Equal Cost Multipath) routing can be done between access
and distribution layer devices.
You can use 8 or more links between the access and distribution layer
devices, depending on hardware and vendor capabilities.
VLANs cannot be spanned between access switches in a layer 3 access
design.
Books
Tiso, J. (2011) Designing Cisco Network Service Architecture (ARCH)
Foundation Learning Guide: (CCDP ARCH 642-874) (Third Edition),
Cisco Press.
Videos
Ciscolive Session BRKCRS-2031
Ciscolive Session BRKRST-3363
Ciscolive Session BRKCRS-2468
https://www.youtube.com/watch?v=R75vN-frPhE
Articles
http://www.pitt.edu/~dtipper/2011/COE.pdf
http://orhanergun.net/2015/05/common-networking-protocols-in-lan-wan-and-datacenter/
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCInfra_6.pdf
https://www.cisco.com/web/ME/exposaudi2009/assets/docs/layer2_attacks_and_mitigation_t.pdf
Chapter 2
NETWORK DESIGN TOOLS AND THE BEST
PRACTICES
There are design tools which we should consider for every design. In the
LAN, WAN and the data center, these common design tools
and attributes should be considered.
Many of the principles in this chapter are not only for networking
technologies and protocols but are also applicable to compute,
virtualization and storage technologies.
First, 'reliability' will be explained; the components of reliable network
design and the resiliency concept will be explained.
RELIABILITY
Reliability is delivering the legitimate packets from source to destination
within a reasonable amount of time, which depends on the application type
and architecture.
This time is known as delay or latency, and it is one of the packet
delivery parameters. Consistency of delay is known as jitter, and it is very
important for some types of applications such as voice and video; jitter is
our second delivery parameter.
The third packet delivery parameter is packet loss or drop; voice
and video traffic in particular is more sensitive to packet loss compared to data traffic.
Packet loss sensitivity is application dependent, and some applications are very
drop/packet loss sensitive. Generally accepted best practices for the delay,
jitter and packet loss ratio have been defined, and knowing and considering
them is important from the network design point of view. For example,
for voice packets the one way delay, which is also known as 'mouth to ear'
delay, should be less than 150ms.
Reliability should not be considered only at the link level. Network
links and devices such as switches, routers, firewalls, application delivery
controllers, servers, storage systems and others should be reliable; also
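The three packet delivery parameters above (delay, jitter, packet loss) are things a designer should be able to measure, not only name. The following Python script is an added example, not from the book: it takes a constructed one-way packet trace (sequence number, send time, receive time) and computes the mean and worst-case delay, the smoothed interarrival jitter estimator of RFC 3550, and the loss ratio from gaps in the sequence space. The 150 ms one-way delay bound is the figure from the text; the 30 ms jitter and 1% loss targets are assumed planning values and are labelled as such.

```python
"""Delay, jitter and loss from a constructed one-way packet trace.

Added example (not from the book). The trace is constructed: each entry is
(sequence number, send timestamp ms, receive timestamp ms) for a stream of
20 ms voice packets. Packet 4 never arrives and packet 6 is badly delayed.
"""
from dataclasses import dataclass

SAMPLE_TRACE = [
    (1, 0.0, 40.0),
    (2, 20.0, 61.0),
    (3, 40.0, 79.0),
    (5, 80.0, 121.0),
    (6, 100.0, 190.0),
    (7, 120.0, 162.0),
    (8, 140.0, 181.0),
]

# One-way ("mouth to ear") delay bound for voice, as stated in the text.
VOICE_ONE_WAY_DELAY_MS = 150.0
# Jitter and loss targets are assumed planning values, not taken from the text.
ASSUMED_VOICE_JITTER_MS = 30.0
ASSUMED_VOICE_LOSS_RATIO = 0.01


@dataclass
class DeliveryStats:
    mean_delay_ms: float
    max_delay_ms: float
    jitter_ms: float
    loss_ratio: float


def rfc3550_jitter(delays):
    """Smoothed interarrival jitter estimator from RFC 3550 section 6.4.1:
    J = J + (|D| - J) / 16, where D is the change in one-way delay between
    consecutive packets. The 1/16 gain damps single spikes."""
    jitter = 0.0
    previous = None
    for delay in delays:
        if previous is not None:
            jitter += (abs(delay - previous) - jitter) / 16.0
        previous = delay
    return jitter


def delivery_stats(trace):
    """Compute the three packet delivery parameters from a trace."""
    ordered = sorted(trace)  # by sequence number
    seqs = [seq for seq, _, _ in ordered]
    delays = [recv - send for _, send, recv in ordered]
    expected = seqs[-1] - seqs[0] + 1  # packets the sender emitted
    lost = expected - len(seqs)         # gaps in the sequence space
    return DeliveryStats(
        mean_delay_ms=sum(delays) / len(delays),
        max_delay_ms=max(delays),
        jitter_ms=rfc3550_jitter(delays),
        loss_ratio=lost / expected,
    )


def voice_acceptable(stats):
    """Worst-case delay against the text's 150 ms bound; jitter and loss
    against the assumed planning targets."""
    return (stats.max_delay_ms <= VOICE_ONE_WAY_DELAY_MS
            and stats.jitter_ms <= ASSUMED_VOICE_JITTER_MS
            and stats.loss_ratio <= ASSUMED_VOICE_LOSS_RATIO)


if __name__ == "__main__":
    stats = delivery_stats(SAMPLE_TRACE)
    print(stats)
    print("voice acceptable:", voice_acceptable(stats))
```

On the sample trace every packet is well inside the 150 ms bound and the smoothed jitter stays small despite the single 90 ms outlier, yet the stream still fails the voice check because one lost packet out of eight is a 12.5% loss ratio; loss, not delay, is the parameter that would drive the design discussion here.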
But if MPLS is not enabled on the network, adding MPLS and RSVP-
TE just for MPLS TE FRR functionality can be too complicated. In
that case network designers may want to evaluate their existing physical
structure and try to create an alternate/backup path by adding or removing some
circuits in the network. IGP metric tuning also helps routers to find loop free
alternate paths.
IGP, BGP and MPLS Traffic Engineering Fast Reroute details will be
covered in the later chapters in detail.
SCALABILITY
Scalability is the ability to change, modify or remove part of the entire
system without having a huge impact on the overall design. There are two
scalability approaches for IT systems. These approaches are scale up
and scale out, and they apply to Network, Compute, Storage, Application,
COST
Cost is generally an afterthought in network design. But most of the
OPEX:
OpEx refers to operational expenses such as support, maintenance,
labor, bandwidth and utilities. Creating a complex network design may
show off your technical knowledge, but it can also cause unnecessary
complexity, making it harder to build, maintain, operate and manage the
network.
A well-designed network reduces OpEx through improved network
uptime (which in turn can avoid or reduce penalties related to outages),
higher user productivity, ease of operations, and energy savings. Consider
creating the simplest solution that meets the business requirements.
CAPEX:
CapEx refers to upfront costs such as purchasing equipment or
inventory, or acquiring intellectual property or real estate. A well-thought-out
design provides a longer deployment lifespan, investment protection,
network consolidation and virtualization, producing non-measurable
benefits such as business agility, business transformation and
innovation, thus reducing risk and lowering costs in the long run.
FLEXIBILITY
Flexibility refers to the ability of a network design to adapt to business
changes, which can come in a planned or unplanned way. There are a
MODULARITY
Modularity means to divide the network by functions or policy
boundaries, making it replicable (for example on branches) and thus easier
to scale and operate, and enabling business continuity. How do you make
a design modular?
1. Choose the physical topology: Some topologies, such as
hierarchical or leaf-and-spine, are more conducive to building
modules than others (fully meshed, for example).
2. Split functions or geographies: Separate campus, branches,
data center and applications, Internet, network management
systems, and security policy boundaries to make each function
easier to expand, upgrade, enhance or change. Make them small
enough to ease replication.
3. Break it into smaller pieces: Create smaller fault domains so
that a failure on a part of the network doesn’t propagate to other
parts, by subdividing the functions as appropriate.
acquisitions projects.
• Business analysis and information gathering
• The applications of the company, at least the business critical applications,
should be understood and analyzed very well.
• What are the capabilities of these applications and what are their
requirements from the existing network (packet loss, jitter, delay,
application traffic flow, security and QoS requirements and so on)?
Basically in this step we analyze the current infrastructure of the
companies. IP addressing scheme, application requirements, physical
topology, business future growth forecast, security,
QoS, Multicast, OAM and management infrastructure capabilities and
information should be gathered.
• What type of WAN, LAN and DC infrastructure is each network
using? Is any VPN solution deployed on the WAN? Is there a traffic
engineering requirement on the WAN or DC? Is IPv6 supported by any
of the companies? Is there any single point of failure, and what will be
the high availability requirement of the merged network?
• What is the convergence time of the network and what is the required
convergence time for any single component failure? (You shouldn't
design the network for multiple failures.)
As you can see there are many questions which should be asked
and noted during the business analysis. This is the most time consuming step
of any network design, but it is definitely worth doing properly to avoid
future problems and to have the best network design.
Analyzing the design for network mergers and acquisitions is no
different from analyzing the design for a greenfield network. Application
and business requirements are always the most important; technology is
second. Alternative technologies can always be found.
• Where will be the first place in the network for the merger?
When two networks merge, generally the two networks are connected
through their core network components. If there is any overlapping issue,
for example IP address overlap, it should be fixed. Traditionally the IP address
overlap issue is fixed via NAT (Network Address Translation).
support Multicast?
If Multicast is running in any of the companies, most probably the
merged network will require and benefit from a multicast deployment
as well. PIM (Protocol Independent Multicast) and current multicast
best practices should be understood and deployed based on the company
requirements. Some applications of the company may benefit from a
particular Multicast routing deployment model such as PIM ASM
(Any Source Multicast), PIM SSM (Source Specific Multicast) or PIM
Bidir (Bidirectional Multicast).
• What is the new capacity requirement of the merged network?
When two networks merge, the overall capacity requirement for the edge and
core network generally changes. Understanding network capacity planning
is key, and network designers should understand the available methods,
tools and best practices for backbone and overall network capacity planning.
• How will the merged network be monitored? Do Network
Management tools exist that are capable of supporting all the technologies/protocols
of both networks? The two companies may have different monitoring
tools, and the application support of their tools may differ as well.
Monitoring and management tools should be considered before
the merger, because the tools should be able to support all applications,
protocols and technologies of the merged network.
• When you divest the network, where will the datacenters be? Can you
decommission any datacenter or POP location for cost optimization?
Some of the locations of the companies may overlap, and some POP
locations and/or datacenters, even headquarters, can be decommissioned
to reduce operational expenses.
The physical topology of the companies should be understood well, and if
there is a cost advantage in choosing a particular location, it definitely needs
to be considered.
This is definitely not the entire list for network mergers and
acquisitions, but you should at least start your design with these questions,
in your real life designs as well as in the design certification exams. In the
CCDE exam, questions will mostly be based on the above considerations.
Load Balancing:
• Load balancing and load sharing are not the same thing. The term load
sharing should be used for routers or switches; load
balancing requires more intelligence, such as a load balancer. If the
downstream device is busy, routers or switches cannot take this
information into account. But load balancers can!
• Load balancing is any intelligent feature that devices need to
support, such as destination health checks, or considering destination
device resource utilization, the number of connections, etc. Load
balancers do this. Routers perform load sharing: they only take
the routing metric into account to send the packet to the destination.
Traffic sharing can be over equal or unequal cost paths.
• OSPF and IS-IS can do unequal cost load sharing only with the help of
MPLS Traffic Engineering. By default they don't support unequal
cost multipath routing. EIGRP by default can route packets over
unequal cost paths.
Redistribution:
• You may need to redistribute between routing protocols, for example with
partner networks, or BGP into the IGP for default route advertisement.
• Redistribution should be used in conjunction with filtering
mechanisms such as route tags.
• Keep in mind that these mechanisms increase the overall complexity of
the network. Also be aware of routing loops during redistribution.
Two-way redistribution is where routing loops are
most likely to occur, and the most common prevention for routing loops
in this case is to use route tags.
• Redistribution between routing protocols does not happen directly;
routes are installed in the RIB and pulled from the RIB into the other protocol.
So a route must be in the RIB to be redistributed. A classic example
of this is BGP: if the network is not in the routing table of the router,
which is the RIB, it cannot be taken into the BGP RIB, which is why such
routes cannot be sent to another BGP neighbor.
• If avoidable, don't use redistribution. Managing redistribution can be
very complex.
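To show why two-way redistribution at more than one point feeds routes back into the domain they came from, and how route tags stop that, here is an added Python model (not from the book). It models two domains, OSPF and RIP, joined at two boundary routers R1 and R2; the prefixes and tag values are constructed. Each boundary tags routes with the domain they left, and refuses routes already carrying the tag of the domain it is redistributing into, which is what a route-map with `match tag` in a deny sequence and `set tag` in a permit sequence does on a router. The model deliberately ignores administrative distance and RIB selection; it only tracks which prefixes cross each boundary.

```python
"""Two-way redistribution at two boundary routers, with and without route tags.

Added example (not from the book): a small model of two routing domains,
OSPF and RIP, joined at two redistribution points R1 and R2. Prefixes and
tag values are constructed. The model only tracks which prefixes cross each
boundary; it does not model administrative distance or RIB selection.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str
    origin: str   # domain where the prefix is native, "OSPF" or "RIP"
    tag: int = 0  # 0 means untagged (native route)


# Constructed prefixes native to each domain
OSPF_NATIVE = {Route("10.1.0.0/24", "OSPF"), Route("10.1.1.0/24", "OSPF")}
RIP_NATIVE = {Route("172.16.5.0/24", "RIP")}

# Constructed tag values: a route carries the tag of the domain it came out of.
TAG_FROM_OSPF = 110
TAG_FROM_RIP = 120


def redistribute(routes, set_tag, deny_tag=None):
    """Model of a 'redistribute ... route-map' statement.

    Routes carrying deny_tag are refused (they were born in the domain we are
    redistributing into); everything else is tagged with set_tag on the way in.
    On a router this is a route-map with 'match tag <deny_tag>' in a deny
    sequence followed by a permit sequence with 'set tag <set_tag>'.
    """
    injected = set()
    for route in routes:
        if deny_tag is not None and route.tag == deny_tag:
            continue
        injected.add(replace(route, tag=set_tag))
    return injected


def simulate(use_tags, rounds=2):
    """Run `rounds` of mutual redistribution: R1 does RIP->OSPF, R2 does OSPF->RIP.

    Returns the final contents of each domain, native plus injected routes.
    """
    ospf = set(OSPF_NATIVE)
    rip = set(RIP_NATIVE)
    for _ in range(rounds):
        into_ospf = redistribute(rip, TAG_FROM_RIP,
                                 TAG_FROM_OSPF if use_tags else None)
        into_rip = redistribute(ospf, TAG_FROM_OSPF,
                                TAG_FROM_RIP if use_tags else None)
        ospf |= into_ospf
        rip |= into_rip
    return ospf, rip


def feedback_routes(domain_routes, domain):
    """Prefixes native to `domain` that re-entered it as redistributed (tagged)
    routes: the raw material of a redistribution loop."""
    return sorted(r.prefix for r in domain_routes
                  if r.origin == domain and r.tag != 0)


if __name__ == "__main__":
    for use_tags in (False, True):
        ospf, rip = simulate(use_tags)
        print(f"tags={use_tags}: OSPF feedback {feedback_routes(ospf, 'OSPF')}, "
              f"RIP feedback {feedback_routes(rip, 'RIP')}")
```

Without tags the second round sends the OSPF-native prefixes back into OSPF (via R2 to RIP, then via R1 to OSPF) and the RIP-native prefix back into RIP; whether that becomes an actual forwarding loop on real routers then depends on administrative distance and timing, which is exactly the uncertainty the tag filter removes. With tags, each domain still learns the other domain's prefixes, but nothing it originated comes back.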
Optimal Routing:
• Overlay protocols should follow the underlay protocol to avoid sub
optimal routing and traffic blackholing. In other words, they should
synchronize. For example FHRP (HSRP, VRRP, GLBP) should
synchronize with STP to avoid sub optimal forwarding. IGP/BGP
and IGP/LDP synchronization are other examples and will be
explained on the topologies later in the book.
• Control plane state is the aggregate amount of information carried
by the control plane through the network in order to produce the
forwarding table at each device. Each piece of additional information
added to the control plane, such as more specific reachability
information, policy information, security configuration, or more
precise topology information, adds to the complexity of the control
plane.
Modularity:
• Modular network design allows each module to be managed
independently.
• A common security policy should be deployed across the entire network.
• Modular design allows different modules to be managed by different
teams. In Service Provider networks this is common: Access,
Aggregation and Core networks are modular and are generally
managed by individual teams.
• Modular design reduces deployment time, since the same configuration
is used for the new module, the same physical topologies are used, and so
on.
• Hierarchical design is an example of modular design. Hierarchy helps
flexibility, and it also helps scalability.
Security:
• Enabling a new feature such as IPv6 or Multicast on part of the
network can open the rest of the network to security attacks.
• Network Address Translation is not a security mechanism.
• MPLS VPNs are equally as secure as ATM and TDM based networks.
Which one is salt and which one is pepper? It must be simple to understand!
• Your design shouldn't be confusing. Can you tell in the above
picture which one is salt and which one is pepper without testing?
When the complexity of your network increases, you cannot simply
operate it without testing and very careful planning.
• Features can be intended for robustness, but instead create fragility.
The impact may not be seen immediately, but it can be huge. In
design this is known as the Butterfly Effect.
Question 1:
In the figure below, two routers are connected through two links.
The OSPF routing protocol is running over the links.
Which of the statements below is true for the figure?
Answer 1:
Adding more links doesn't provide better security. Resiliency depends
on redundancy, convergence and reliable packet delivery. More links don't
necessarily provide better resiliency. As a general rule of thumb, 2 links is best
for resiliency.
We cannot know whether IS-IS would be better, since there is no other
requirement.
Option A is definitely correct. More links increase the routing table size,
since OSPF is running on the individual links and more links means more
routing table entries.
Question 2:
Which of the technologies below provide fast failure detection? (Choose
two)
A. BFD
B. Routing fast hellos
C. Loopguard
D. SPF Timers
Answer 2:
Loopguard, SPF timers and BGP Scanner timers are not used
for fast failure detection. The BGP Scanner time, for example, is 60 seconds,
and reducing it can create 100% CPU utilization. Thus the better and newer
approach, Next Hop Tracking, is used in BGP, as will be explained in the
BGP chapter.
Routing protocol hellos can be tuned to provide fast failure detection,
and the purpose of BFD is to provide fast failure detection.
Thus the correct answers to this question are A and B.
Question 3:
Which of the below protocols support BFD for fast failure detection?
(Choose all that apply)
A. Static Routing
B. OSPF
C. IS-IS
D. EIGRP
E. BGP
F. RIP
Answer 3:
All the routing protocols above except RIP support BFD, as was
mentioned in this chapter. They can register with the BFD process for fast
failure detection. In case of failure, BFD informs these protocols so that they tear
down the routing session.
RIPv2, on the other hand, supports BFD.
Question 4:
What are the benefits of having modular network design? (Choose Two)
A. Each module can be designed independently from each
other
B. Each module can be managed by a different team in the
organization
C. Each module can have a separate routing protocol
D. Each module can have different security policy
Answer 4:
If the design supports modularity, then each module can be designed
independently. In the access, aggregation and core modules, for example, the access
network can be hub and spoke, the distribution full mesh and the core
network partial mesh.
Also, commonly in service provider networks, the access and core
teams are separate business units, and modularity provides this
opportunity. Or in large enterprises, different teams can manage
different geographical areas of the network, which has been designed
with modularity in mind.
Modularity is not done in order to have different routing protocols, and
companies should deploy common security policies across all domains.
That's why the correct answers to this question are A and B.
Question 4:
Which of the statements below are true for network design? (Choose
Two)
A. Predictability increases security
Answer 4:
As was explained in this chapter, modular network design reduces
deployment time, and predictability increases security. Predictable
networks also reduce troubleshooting time, thus increasing availability.
Not every network needs 5x9 or 6x9 high availability. Using more
than one routing protocol in the network, unless there is a mandatory reason
such as a partner network requirement, is not a good design.
Question 5:
If there is two-way redistribution between routing protocols, how can
a routing loop be avoided?
A. Deploying Spanning Tree
B. Deploying Fast Reroute
C. Implementing route tags
D. Only one way redistribution is enough
Answer 5:
As was explained in the redistribution part of the Best Practices
chapter of the book, route tags are the common method to prevent
routing loops if redistribution is done at multiple locations between the
protocols.
That's why the answer to this question is C.
Question 6:
Which of the statements below are true for network design? (Choose
Three)
A. Using triangle topology instead of square reduces
Answer 6:
Network complexity can be reduced by utilizing SDN technologies,
as was explained in this chapter. It helps shift the configuration task
from the human to the software. That's why Option E is one of the
correct answers.
Route summarization can create sub optimal routing, but sub optimal
routing is not always bad. For some types of traffic in the network, optimal
routing may not be required at all. And just because we might have sub
optimal routing, we shouldn't avoid doing summarization. That's why
Option D is incorrect.
It should be obvious that Option C doesn't make sense.
Options A and B are also correct. A triangle topology reduces convergence
time, and full mesh topologies are the most expensive topologies.
The correct answers to this question are A, B and E.
Question 7:
What is the key benefit of hierarchical network design?
A. Less Broadcast traffic
B. Increased flexibility and modularity
C. Increased security
D. Increased availability
Answer 7:
A hierarchical design may not be redundant and highly available. Also,
it doesn't bring additional security; its key benefit is flexibility and
modularity, as was explained in the Best Practices chapter.
That's why the answer to this question is B.
Question 8:
If route summarization is done, which of the statements below are valid
for link state protocols? (Choose Two)
A. Convergence will be slower
B. Sub optimal routing may occur
C. Traffic blackholing may occur
Answer 8:
As was explained in the chapter, when route summarization is
done the routing table size gets smaller, which makes convergence faster. It can
create sub optimal routing, and traffic might be blackholed in some failure
scenarios.
That's why the answers to this question are B and C.
Question 9:
What would be the impact of doing summarization at the aggregation
layer in a three-tier hierarchy? (Choose Two)
A. Core network can be simplified, it doesn’t have to keep all
Access network routes
B. If you have summary in the aggregation layer, core can be
collapsed with aggregation layer
C. Access network changes don’t affect the core network
D. Aggregation is the user termination point and summarization
shouldn’t be made at aggregation layer
Answer 9:
In a three-layer hierarchy the aggregation layer is the natural summarization
point. When summarization is done at the aggregation layer, the core layer
is simplified and access network changes don't affect the core layer.
Collapsing the core is not a result of summarization, since the
main reason for using a core layer is the physical scaling requirement. With
summarization, physical requirements don't go away.
The aggregation layer is not the user termination point. User termination
is the access layer's responsibility, thus Option D is incorrect.
The answers to this question are A and C.
Question 10:
Which routing protocol supports unequal cost multi path routing?
A. OSPF
B. IS-IS
C. EIGRP
D. RIPv2
Answer 10:
In the above question, all the routing protocols are dynamic routing
protocols, and among them only EIGRP supports unequal cost multi
path routing. As was explained in the chapter, only with MPLS Traffic
Engineering tunnels can OSPF and IS-IS support unequal cost
multipath.
That's why the correct answer to this question is C.
Videos
http://ripe61.ripe.net/archives/video/19/
Articles
http://orhanergun.net/2015/01/route-redistribution-best-practices/
https://tools.ietf.org/html/draft-ietf-ospf-omp-02
https://www.ietf.org/rfc/rfc3439.txt
http://orhanergun.net/2015/01/load-balancing-vs-load-sharing/
Chapter 3
OSPF
• In this chapter, OSPF theory, design best practices, and case studies
will be covered.
OSPF Theory
As you can see from the above picture, OSPF is a Link-State Routing
protocol. But why is OSPF link state, and what is Link State Routing?
In link state protocols, each router advertises the state of its links
to every other router in the network.
D determines that it is connected to 192.168.0.0/24 with metric 10,
connected to B with metric 10 and connected to C with metric 10 as well.
In turn, Router B and Router C advertise this information to Router A.
In OSPF (and similarly in IS-IS) all the connections and their associated
metrics are known by all the routers. In the above topology, Router A knows
that the 192.168.0.0/24 network is connected to Router D.
In Distance Vector protocols (EIGRP, RIP) Router A would only
know that the 192.168.0.0/24 network is reachable through Router B or
Router C. Router A wouldn't know that the network is connected to
Router D. This is called OSPF's distance vector behavior.
This information is called topology information. Since they are Link
State Routing Protocols, in OSPF and IS-IS networks every router knows
the topology information (who is connected to whom, and how).
(Figure: Router A and the 192.168.0.0/24 network)
Each router in the network uses this information (topology
information) to build a shortest path tree to each destination in the network.
The shortest path first (SPF) algorithm is used to build this tree.
Reachability information means the subnets (IP addresses). Knowing
192.168.0.0/24 is reachability; knowing that the subnet is connected to Router
D is topology information.
Flooding of topology and reachability information throughout the
network seriously impacts the scaling of a network. When scaling becomes
an issue, the network is broken into separate flooding domains, which are
called Areas in OSPF.
The router connecting two OSPF Areas is called an Area Border
Router (ABR). In a particular area every router has identical topology
information. Every router knows which network is behind which router
and its metrics.
LSA Type | Description
1 | Router LSA
2 | Network LSA
3 and 4 | Summary LSAs
5 | AS External LSA
6 | Multicast OSPF LSA
7 | Defined for NSSAs
8 | External Attribute LSA for Border Gateway Protocol (BGP)
9, 10, 11 | Opaque LSAs
The table above lists all the OSPF LSA types. Type 6 and Type 8 were never
implemented. Types 9 through 11 are used in specific applications such
as MPLS Traffic Engineering, Segment Routing, OSPF Graceful Restart
and so on.
floods a Type 4 LSA to the other areas.
If there is no Type 5 LSA, a Type 4 LSA is not generated.
There are some special types of Areas, which have been explained in a
different article on the website, such as Stub and NSSA areas, which don't
allow Type 5 LSAs; in those areas there is no Type 4 LSA either.
OSPF External LSA
Also called the OSPF Type 5 LSA.
The External LSA is used to advertise external reachability information.
The External LSA is flooded to every router in the domain. ABRs don't
regenerate it; the ABR just passes that information as is.
From a different routing domain such as BGP or EIGRP, routes might
be redistributed for many reasons.
In that case, for those routes, a Type 5 OSPF External LSA is created by
the router which does the redistribution. That router is called an ASBR
(Autonomous System Boundary Router).
In the topology above, Area 10 is a regular non-backbone area. Regular
OSPF areas allow all the LSA types into the Area.
There is no auto summarization in OSPF between the areas; that's why
reachability information by default is sent between the OSPF backbone area
and the regular OSPF non-backbone areas.
In the above topology, Area 30 has an ABR connected to the EIGRP
domain. The external subnets are sent into Area 10 since it is a regular
OSPF area (not Stub, Totally Stub, NSSA or Totally NSSA).
We will see that this is not the case with the other OSPF non-
backbone area types.
That's why the Area 20 routers cannot learn the external subnets which
come from the EIGRP domain.
Instead, those networks are reached via a default route. The default route is
sent into the OSPF stub area as an OSPF Type 3 LSA, which is the Inter-Area
OSPF LSA.
Area Type | LSA types allowed
Stub | 1, 2, 3
Totally Stubby | 1, 2, Default 3
Not So Stubby | 1, 2, 3, 4, 7
Also, every link and node fails, no matter how much redundancy
you have. That is unavoidable. The rate of failure impacts the number of
routers in an OSPF area. Stable links and nodes are the key for large scale
OSPF design.
In the previous diagram, there are two ABRs in Area 10. For
redundancy and optimal traffic flow, two is always enough. More ABRs
will create more Type 3 LSA replications within the backbone and non-
backbone areas.
In large-scale OSPF design, the number of ABRs has a huge
impact on the number of prefixes. Thus having two ABRs is good for
redundancy at the critical sites.
For example, some of the remote offices or POP locations may not
be as critical as others, and having only one ABR can be tolerated by the
company. In this case that specific location may have only one ABR.
Keep in mind that in design, two is company, three is a crowd.
• More areas per ABR might create a resource problem on the ABR.
• Many more Type 3 LSAs will be generated by the ABR. Also, when a
failure happens, the ABR slows down the convergence (similar to a BGP
Route Reflector, as will be explained in the BGP chapter).
• Having a single OSPF area per OSPF ABR is very bad and there is no
use case for that. You should monitor the router resources carefully
and place as many routers as you can in one OSPF area.
• Not every router has a powerful CPU and memory; you can split up
the routers based on their resource availability. Low end devices can be
placed in a separate OSPF area, and that area type can be changed to
Stub, Totally Stub, NSSA or Totally NSSA.
• Always look for the summarization opportunity, but know that
summarization can create sub optimal routing (OSPF summarization
and sub optimal routing will be explained in this chapter).
• A good IP addressing plan is important for OSPF Multi Area design.
It allows OSPF summarization (reachability), thus faster convergence
and a smaller routing table.
• Having a smaller routing table provides easier troubleshooting.
• An OSPF NSSA area is in general used at the Internet Edge of the
network, since on the Internet routers you don't need to have
all the OSPF LSAs, yet redistribution of selected BGP prefixes
is still common.
OSPF Flat/Single Area vs. Multi Area Design Models Comparison
Design Requirement | Flat/Single Area | Multi Area
Spoke | YES | YES
Convergence | Better than Multi Area Design | ABR adds additional latency (processing delay) during convergence
Reachability Information | YES, inside an Area all routers have the same Link State Database | YES, by default all the prefixes are learnt by every router in any OSPF Area; there is no automatic summarization
Topology Information | YES, inside an Area all routers have the same Link State Database | NO, the ABR stops topology information; one Area's topology is not known by the other OSPF Area
Which LSAs are shown in the Link State Database | Type 1 and Type 2 (if there is external, then Type 5 and Type 7 as well) | Type 1 and Type 2 (if there is external, then Type 5 and Type 7 as well)
MPLS Traffic Engineering | Good, every router has the same topology information: which router is connected to which, the metric between them, and so on | Hard, it requires the MPLS TE extension or a Path Computation Element
Troubleshooting | Easier than Multi Area OSPF design | More nodes and more LSAs make it harder to troubleshoot, compared to Single Area/Flat OSPF design
Staff Experience | Well known | Well known
Let's take a look at a case study regarding OSPF interaction with BGP, to
understand why they should be synchronized.
infrastructure for the overlay protocols such as BGP, LDP, and PIM.
In this case study, one of the routers in the path towards the BGP next hop (Router B) will be reloaded. There are two potential problems here.
First problem: when Router B is reloaded, traffic going through Router B shouldn’t be dropped. Router B should signal the other OSPF routers that it is about to go down, so that no traffic is sent to Router B during the reload.
This signaling is done with the OSPF Stub Router Advertisement feature (RFC 6987).
The “max-metric router-lsa” configuration knob is used by OSPF for a graceful shutdown. (This is not OSPF Graceful Restart, RFC 3623, which keeps forwarding through a router whose control plane restarts; here the goal is to move traffic away from the router before it goes down.)
With this feature, the router advertises all of its transit links with the maximum link metric (0xFFFF), so the other OSPF routers no longer use it as a transit node.
An important note is that the router’s loopback is still advertised with the regular metric, not with the max-metric, because it is a stub link. Otherwise the BGP session with the reloaded router wouldn’t come up, since the loopback is the BGP peering address and next hop.
Second problem: when Router B comes back, BGP traffic towards Router B will be black-holed, because the IGP process of Router B will converge faster than its BGP process. The other routers would send traffic to Router B as soon as OSPF is up, while Router B does not yet have the BGP prefixes in its routing table.
The IGP should wait until BGP converges. Router B should take the BGP traffic only once the BGP prefixes are installed in the routing table.
This is done with the OSPF Stub Router Advertisement feature as well. “max-metric router-lsa on-startup wait-for-bgp” is used by OSPF, so until the BGP process has converged (or, on IOS, until the 600 second default wait expires), the OSPF process on the other routers doesn’t use Router B as its path towards any destination.
These two knobs are both part of OSPF Stub Router Advertisement.
In this case study, with the OSPF Stub Router Advertisement feature, the other OSPF routers are signaled before the shutdown and OSPF convergence is synchronized with BGP convergence (the router doesn’t receive transit traffic until BGP converges).
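The behaviour described in this case study, as an added example that is not from the book: a small Dijkstra SPF in Python over a constructed five-router topology (the names A to E, the link costs and the loopback costs are all made up here, and nothing in it is a device or vendor API). Router B is the one being reloaded; while it advertises MaxLinkMetric, traffic from A to C takes the long way round, B’s own loopback stays reachable at its normal cost, and once BGP is marked converged B becomes transit again.

```python
# Added example (not from the book): a small Dijkstra SPF over a constructed
# five-router topology showing what OSPF Stub Router Advertisement (RFC 6987,
# "max-metric router-lsa") does to path selection. Router names, link costs
# and the MaxLinkMetric value are the only inputs; nothing here is a real
# device or vendor API.
import heapq

MAX_LINK_METRIC = 0xFFFF  # RFC 6987 MaxLinkMetric, what the stub router advertises

# Constructed topology: A-B-C is the short path (cost 20), A-D-E-C the long one (cost 30).
TRANSIT_LINKS = [("A", "B", 10), ("B", "C", 10), ("A", "D", 10), ("D", "E", 10), ("E", "C", 10)]
LOOPBACK_COST = {r: 1 for r in "ABCDE"}  # each router's loopback is a stub link with cost 1


def stub_routers(shutting_down=(), restarted=(), bgp_converged=()):
    """Which routers currently advertise MaxLinkMetric.

    A router does so while it is being taken down for maintenance and, with
    'on-startup wait-for-bgp', after a reload until its BGP has converged."""
    return set(shutting_down) | (set(restarted) - set(bgp_converged))


def build_lsdb(stubs=()):
    """Return router -> {neighbour: cost} as the SPF sees it.

    Each router describes its own half of a link in its Router LSA, so only
    the stub router's outgoing direction gets MaxLinkMetric; links towards it
    keep their normal cost and the router itself stays reachable."""
    adj = {r: {} for r in LOOPBACK_COST}
    for a, b, cost in TRANSIT_LINKS:
        adj[a][b] = MAX_LINK_METRIC if a in stubs else cost
        adj[b][a] = MAX_LINK_METRIC if b in stubs else cost
    return adj


def spf(adj, root):
    """Plain Dijkstra: returns (distance, predecessor) maps from root."""
    dist, prev = {root: 0}, {}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in adj[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path(prev, root, dst):
    hops = [dst]
    while hops[-1] != root:
        hops.append(prev[hops[-1]])
    return hops[::-1]


def route(root, dst, stubs=()):
    """(path, cost to dst's loopback) from root under the given stub set."""
    dist, prev = spf(build_lsdb(stubs), root)
    return path(prev, root, dst), dist[dst] + LOOPBACK_COST[dst]


if __name__ == "__main__":
    cases = [("normal", set()),
             ("B reloaded, BGP not converged", stub_routers(restarted=["B"])),
             ("B reloaded, BGP converged", stub_routers(restarted=["B"], bgp_converged=["B"]))]
    for label, stubs in cases:
        print(f"{label:32s} A->C {route('A', 'C', stubs)}   A->B {route('A', 'B', stubs)}")
```

The asymmetry is the whole point: the SPF uses the cost a router advertises for its own outgoing direction, so the reloading router stops being transit without disappearing from the topology.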
Design Requirement | OSPFv2 | OSPFv3
Scalability | Good | Better, since the Router and Network LSAs don’t contain prefix information, only topology information
Working on Full Mesh | Works well with mesh group | Works well with mesh group
Working on Hub and Spoke | Works poorly, requires a lot of tuning | Doesn’t work well, requires tuning
Fast Reroute Support | YES, IP FRR | YES, IP FRR, but limited platform support
Suitable on WAN | YES | YES
Suitable on Datacenter | DCs are full mesh, so not well | DCs are full mesh, therefore not so well
Transport | Multicast, 224.0.0.5 and 224.0.0.6 | Same, but with the IPv6 multicast addresses FF02::5 and FF02::6
Reachability info handling | Inside an area, the Router and Network LSAs carry the reachability information; between areas, reachability information is carried in the Summary (Type 3) LSA | Inside an area, reachability information is carried in the Intra-Area Prefix LSA (Type 9), which is a new LSA type. Inter-area prefixes are still carried in the Type 3 LSA, but its name is changed to Inter-Area Prefix LSA
Topology info handling | Inside an area, the Router and Network LSAs carry the topology information. Topology information is not carried beyond an area | Same. Inside an area, the Router and Network LSAs carry the topology information, and it is not carried beyond an area
Staff experience | Very well known | Not well known; especially topology and reachability information handling, multi-area adjacency and the new LSA types should be understood better
Overlay Tunnel Support | YES, it supports | YES, it supports
MPLS Traffic Engineering Support | YES, with CSPF or an external controller | YES, with CSPF or an external controller
Security | MD5 authentication (and HMAC-SHA per RFC 5709) carried in the OSPF header | Authentication is removed from the OSPF header, since it runs over IPv6; IPv6 IPsec (AH/ESP, RFC 4552) is used for authentication, which simplifies the OSPF header. (RFC 7166 later added an OSPFv3 Authentication Trailer for deployments where IPsec is impractical.)
Suitable as Enterprise IGP | YES | YES
Suitable as Service Provider IGP | YES | Definitely
Complexity | Easy | Moderate
Resource requirement | A full SPF runs on a prefix or topology change, so it is worse than OSPFv3 | If the topology doesn’t change, a full SPF is not needed. Prefix information is carried in the new LSA, not in the Router LSA any longer
IPv6 Support | NO | YES
IPv4 Support | YES | YES
Default Convergence | Slow | Even slower, if multiple address families are used
Troubleshooting | Easy | Harder, requires understanding of IPv6 addressing; after that, it is the same packet types, LSA, LSU, DBD
Routing Loop | Inter-area prefixes should be received from the ABR. All non-backbone areas should be connected to the backbone area | Same as OSPFv2. Inter-area prefixes should be received from the ABR, all non-backbone areas should be connected to the backbone area

OSPFv2 vs. OSPFv3 Comparison
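The MD5 authentication in the Security row, as an added example that is not from the book: OSPFv2 cryptographic authentication (AuType 2) per RFC 2328 Appendix D, built and then verified over a constructed Hello packet. The router ID, key, key ID and sequence numbers are made up; the one assumption beyond the RFC is that a key shorter than 16 bytes is zero-padded, which is what IOS and Wireshark do. Note that this is a keyed suffix (MD5 over packet plus key), not an HMAC, and the only replay protection is the non-decreasing cryptographic sequence number; RFC 5709 HMAC-SHA is the stronger option where the platform supports it.

```python
# Added example (not from the book): OSPFv2 Cryptographic authentication
# (AuType 2, RFC 2328 Appendix D.4.3) over a constructed Hello packet.
# Assumption: a key shorter than 16 bytes is zero-padded, as IOS and Wireshark
# do. The digest is MD5(packet || key) appended after the packet; it is not
# counted in the header's Length field and the checksum field stays 0.
import hashlib
import hmac
import struct

OSPF_VERSION = 2
HELLO = 1
AUTH_CRYPTO = 2
HEADER_LEN = 24
DIGEST_LEN = 16


def pad_key(key: bytes) -> bytes:
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPFv2 MD5 key is at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def ospf_header(ptype, length, router_id, area_id, key_id, seq):
    # version, type, length, router id, area id, checksum (0 with AuType 2), AuType
    fixed = struct.pack("!BBH4s4sHH", OSPF_VERSION, ptype, length, router_id, area_id, 0, AUTH_CRYPTO)
    # authentication field for AuType 2: reserved(2), key id, auth data len, crypto sequence
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return fixed + auth


def hello_body(mask, hello_int, options, priority, dead_int, dr, bdr, neighbors=()):
    body = struct.pack("!4sHBBI4s4s", mask, hello_int, options, priority, dead_int, dr, bdr)
    return body + b"".join(neighbors)


def sign(ptype, router_id, area_id, body, key_id, key, seq):
    pkt = ospf_header(ptype, HEADER_LEN + len(body), router_id, area_id, key_id, seq) + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()


def verify(wire, keys, last_seq):
    """Receiver side (RFC 2328 D.4.4). keys: key_id -> key bytes;
    last_seq: router_id -> highest sequence accepted from that neighbour
    (updated on success). Returns (ok, reason)."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False, "short packet"
    version, ptype, length, rid, area, csum, autype = struct.unpack("!BBH4s4sHH", wire[:16])
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if version != OSPF_VERSION or autype != AUTH_CRYPTO:
        return False, "not cryptographic auth"
    if auth_len != DIGEST_LEN or len(wire) != length + DIGEST_LEN:
        return False, "bad length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    pkt, digest = wire[:length], wire[length:]
    expected = hashlib.md5(pkt + pad_key(key)).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "bad digest"
    # the sequence must not go backwards; an equal value is accepted, so a
    # packet captured within the same sequence window can be replayed
    if seq < last_seq.get(rid, 0):
        return False, "replayed sequence"
    last_seq[rid] = seq
    return True, "ok"


def example_hello(key=b"ccde-secret", seq=100):
    """Constructed Hello from router 10.0.0.1 in area 0, mask /24, hello 10, dead 40."""
    rid, area = bytes([10, 0, 0, 1]), bytes(4)
    body = hello_body(bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, bytes(4), bytes(4))
    return sign(HELLO, rid, area, body, 1, key, seq)
```

Key IDs are what make rollover possible: a receiver holds several keys and selects by the Key ID byte, so a new key can be added on every router before the old one is retired.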
Inside Area 10, Router E chooses the closest ABR to leave the area. Since both ABRs advertise the prefixes with the same metric, Router E does ECMP (equal cost multipath) for traffic destined to both 192.168.0.0/24 and 192.168.1.0/24.
Half of the traffic from Router E to 192.168.0.0/24 and 192.168.1.0/24 therefore always takes a suboptimal path.
If the Router C-D link is in Area 10, traffic from Router E to 192.168.1.0/24 follows the green path (E-C-A-B). The reason is that when the traffic arrives from Router E at Router C, Router C learns 192.168.1.0/24 over the Router C-D link as an inter-area route (Type 3 LSA), but it learns 192.168.1.0/24 from Router A as an intra-area route (Type 1 LSA). Since an intra-area route is preferred over an inter-area route in OSPF regardless of the cost, the longer path is chosen when the Router C-D link is in Area 10.
sensitive applications.
When a link, node or SRLG (Shared Risk Link Group) failure occurs in a routed network, there is inevitably a period of disruption to the delivery of traffic until the network reconverges on the new topology.
Fast reaction to the failed element is essential. There are two approaches for fast reaction: fast convergence and fast reroute.
When a local failure occurs, four steps are necessary for convergence.
1. Failure detection
Layer 1 failure detection mechanisms:
• Carrier delay
• Debounce timer
• SONET/SDH APS timers
2. Failure propagation
Propagation of the failure throughout the network.
Here the LSA throttling timers come into play. You can tune LSA throttling for faster information propagation; it can also be used to slow down information processing, so that a flapping link or an LSA storm cannot keep the routers continuously reflooding.
The LSA pacing timers can also be tuned to send updates much faster.
3. New information processing
Processing of the newly arrived LSA to find the next best path. SPF throttling timers can be tuned for faster information processing and fast convergence.
4. Update of the new route into the RIB/FIB
For fast convergence, these steps may need to be tuned. Although the RIB/FIB update is hardware dependent, the network operator can configure all the other steps.
One thing always needs to be kept in mind: fast convergence and fast reroute tuning can affect network stability.
Unlike fast convergence, with fast reroute the backup routes are precomputed and preprogrammed into the router’s RIB/FIB.
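The SPF throttling mentioned in step 3, as an added example that is not from the book or from any vendor: a Python simulation of the three-value throttle (start, hold, max-wait, in milliseconds, in the style of the IOS “timers throttle spf” command) applied to a constructed burst of LSA events from a flapping link. The back-off model (hold doubling after each run, reset after a quiet period of max-wait) is an approximation of the documented behaviour written for this page, and the event times are made up. It shows the stability trade-off from the paragraph above: the throttle bounds how often SPF can run during churn, which is what protects the CPU from a flapping link or an LSA storm, at the price of slower reaction while the back-off is high.

```python
# Added example (not from the book): simulation of an SPF throttle in the
# style of IOS "timers throttle spf start hold max-wait" (milliseconds).
# Model (an approximation, not vendor code): the first event after a quiet
# period schedules SPF after `start`; while the network keeps changing,
# consecutive runs are spaced by `hold`, which doubles after each run up to
# `max_wait`; a quiet period of at least `max_wait` since the last run
# resets the back-off.

def schedule_spf(events_ms, start, hold, max_wait):
    """Return the times (ms) at which SPF runs for the given LSA event times."""
    runs = []
    pending = None      # time of the already scheduled SPF, if any
    last_run = None     # time of the most recent SPF run
    backoff = hold      # wait to apply before the next run

    def flush(now):
        # run the scheduled SPF if its time has come
        nonlocal pending, last_run
        if pending is not None and pending <= now:
            runs.append(pending)
            last_run, pending = pending, None

    for t in sorted(events_ms):
        flush(t)
        if pending is not None:
            continue                                    # absorbed by the scheduled run
        if last_run is None or t - last_run >= max_wait:
            pending, backoff = t + start, hold          # quiet network: fast first reaction
        else:
            pending = max(t, last_run + backoff)        # still churning: back off
            backoff = min(backoff * 2, max_wait)
    flush(float("inf"))
    return runs


def flap_storm(count, interval_ms):
    """Constructed input: `count` LSA events every `interval_ms` ms (a flapping link)."""
    return [i * interval_ms for i in range(count)]


if __name__ == "__main__":
    storm = flap_storm(100, 10)   # 100 events in one second
    print("throttled  :", schedule_spf(storm, 50, 200, 5000))
    print("unthrottled:", len(schedule_spf(storm, 0, 0, 0)), "SPF runs")
```

With the throttle, a hundred events in one second cost four SPF runs; without it, every event becomes a run.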
there are only two routers in the topology, the total number of links between them is one; with three routers there are three links; with four routers, six links; and with five routers, ten links (n(n-1)/2 links for n routers).
In the above topology there are six routers, so there are fifteen links. Even if one loopback is added to any one of these routers, that loopback information is flooded to all of the routers over all of the links.
In the above picture, A is the hub router; B, C and D are the spoke routers. In hub and spoke topologies, the hub router should be the OSPF DR; otherwise flooding fails. In the above topology, if any of the spokes considers itself the DR and the hub also believes that spoke is the DR (because of a higher DR priority), the remote sites cannot reach each other, because the spokes have no direct connectivity with each other and only the hub can reflood their LSAs.
Thus the best practice in a hub and spoke network is to configure the hub router as the DR and set the priority to 0 on all the spoke routers. With priority 0, the spoke routers don’t even participate in the DR/BDR election.
In a large scale hub and spoke deployment, another design recommendation is that spoke sites should be placed in Stub, Totally Stub, NSSA or Totally NSSA areas, if optimal routing from the spoke sites is not a concern.
If redistribution is required at the spokes, then an NSSA or Totally NSSA area should be chosen for the spoke sites.
Between Router A and Router B there are 1800 different paths: (5x6) x 2 x (5x6). If we put all of them in the same area there would be flooding, convergence, resource utilization, and troubleshooting problems. If we use Router G or Router H as an ABR, we will have at most 32 paths, (5x6) + 2, between Routers A and B. This greatly reduces the load on the resources, reduces the overall complexity, and makes troubleshooting easier.
Always put an ABR where you can separate complex topologies from each other.
• If Link 1 is in Area 0, Router C will choose the path through E, F, and D to 192.168.10.0/24 rather than Link 1. This is because OSPF always prefers intra-area routes over inter-area routes.
• If Link 1 is placed in Area 10, Router D will choose the path through B, A, and C to 192.168.0.0/24 for the same reason. This is suboptimal.
• Placing the link into one of the areas and creating a virtual link is a temporary solution. A new OSPF adjacency is also required for each additional non-backbone area.
Best solution: RFC 5185, OSPF Multi-Area Adjacency.
With RFC 5185, a single link can carry OSPF adjacencies in more than one area, so the link is intra-area in both Area 0 and Area 10 and the intra-area path is available on both sides.
• Below is a sample configuration from a Cisco device which supports RFC 5185:
rtr-C(config)# interface Ethernet 0/0
rtr-C(config-if)# ip address 192.168.12.1 255.255.255.0
Solution:
If OSPF is used at the Internet edge, the IGWs (Internet Gateways) don’t need to have the full OSPF routing table.
Using Stub or NSSA areas is most suitable. Firewalls only need a
• A. 50
• B. 100
• C. 250
• D. Less than 50
• E. It depends
Answer 1:
As explained in the OSPF chapter, you cannot give a numeric answer to this question; it depends (Option E) on link stability, the physical topology, the number of links, hardware resources and the rate of change in the network.
Question 2:
Why are there many different types of LSAs in OSPF? (Choose all that apply)
A. Provides scalability
B. Allows Multi-Area OSPF design
C. Provides fast convergence
D. Provides high availability
E. Better traffic engineering
Answer 2:
The question asks the reason for having multiple different types of OSPF LSAs. As you have seen in the OSPF chapter, there are 11 different types of OSPF LSAs.
Although there are other reasons to use different OSPF LSAs, the two important ones are scalability and Multi-Area design. LSAs are not related to high availability or fast convergence. Although MPLS Traffic Engineering can use OSPF Opaque LSAs (Type 10) for distributed CSPF calculation, CSPF is not mandatory, and many networks which have MPLS Traffic Engineering use an offline path calculation tool such as Cariden MATE. Thus the answer is A and B.
Question 3:
What does topology information mean in OSPF?
A. IP addresses of the directly connected interfaces
B. IP addresses of the loopback interfaces of all the routers
C. Provides IP reachability information and the metric of all the physical and logical interfaces
D. Provides a graph of the OSPF network by advertising connection information such as which router is connected to which one and the metric of the connections
Answer 3:
Two types of information are provided by link state protocols: topology and reachability information.
Reachability information means the IP prefixes of the physical or logical interfaces of the routers. Topology information describes which router is connected to which one and what the OSPF metric between them is, thus providing a graph of the OSPF network.
Based on this information, every router runs the SPF algorithm to find the shortest path to each and every destination in the network. The answer is D.
Question 4:
Why is more than one area used in an OSPF network?
A. They are used for high availability
Answer 4:
OSPF areas are used mainly for scalability. Having a smaller domain means keeping topology information inside an area and not sending it between the areas. More than one area doesn’t provide high availability and doesn’t make troubleshooting easier.
Also, in OSPF, having more than one area doesn’t prevent a route from being propagated to the other areas by default; it requires manual configuration (filtering at the ABR), and even in that case it doesn’t bring extra security.
Question 5:
Which router in the below topology should be an ABR?
A. G or H
B. A or B
C. C or D
D. E or F
E. G
Answer 5:
Router G or H should be an ABR, to separate the two full mesh topologies from each other. Otherwise each router in the top full mesh network would run a full SPF for every link failure, metric change, new link or new prefix in the bottom full mesh network. The answer is A.
Question 6:
In the below topology, Router B needs to be reloaded. The network operator doesn’t want any traffic loss during and after Router B’s maintenance operation. Which feature should be enabled on Router B?
Answer 6:
BGP, as an overlay protocol, needs next hop reachability. Static routing or a dynamic routing protocol is used to create the underlay network infrastructure for overlay protocols such as BGP, LDP, PIM and so on.
One of the routers in the forwarding path towards the BGP next hop will be reloaded. We might have two problems here.
When Router B is reloaded, the traffic going through Router B shouldn’t be dropped. Router B should signal the other OSPF routers before it goes down, and after it comes back it shouldn’t attract traffic until its BGP has converged.
This signaling is done with the OSPF Stub Router Advertisement feature (max-metric router-lsa, with on-startup wait-for-bgp for the second problem).
Question 7:
How many levels of hierarchy are supported by OSPF?
A. One
B. Two
C. Three
D. As many as possible
Answer 7:
OSPF supports two levels of hierarchy. Hierarchy is a common network design term, used to identify the logical boundaries. The backbone area and the non-backbone areas are the only two area levels supported by OSPF, thus it supports only two levels of hierarchy. The answer is B.
Question 8:
Which of the below options are correct for an OSPF ABR? (Choose all that apply)
A. It slows down the convergence
B. It generates Type 4 LSAs in a Multi Area OSPF design
C. It translates Type 7 to Type 5 LSAs in an NSSA area
D. It translates Type 5 to Type 7 LSAs in an NSSA area
E. It prevents topology information from passing between OSPF areas
Answer 8:
An OSPF ABR slows down the network convergence, because for each Type 1 and Type 2 LSA it needs to calculate the corresponding Type 3 LSAs and send them into its connected OSPF areas.
An OSPF ABR generates Type 4 LSAs in a Multi Area OSPF design. When an ABR learns of an ASBR in one of its areas (from the ASBR’s Type 1 LSA with the E bit set), it generates a Type 4 (ASBR Summary) LSA describing the ASBR’s reachability and sends it to the other areas.
In an NSSA area, the ABR translates Type 7 LSAs to Type 5 LSAs, but there is no Type 5 to Type 7 LSA translation. It is not allowed; Type 5 LSAs never enter an NSSA.
Topology information is not sent between the OSPF areas; the ABR stops the topology information.
Thus the answer to this question is A, B, C and E.
Question 9:
Why is a Designated Router used in an OSPF network?
A. It is used to have an ABR in the network
B. It is used to create topology information
C. It is used to centralize the database, instead of keeping
Answer 9:
The Designated Router (DR) is used to avoid flooding information between each pair of OSPF devices on multi-access networks such as Ethernet or Frame Relay.
Routers only send their updates to the DR (and BDR) on 224.0.0.6 (AllDRouters), and the DR floods this information to every router on the segment on 224.0.0.5 (AllSPFRouters). These two multicast group addresses are used for OSPF communication over IPv4.
Question 10:
Which feature is used to avoid black-holing when OSPF and LDP are used together?
Answer 10:
The problem occurs when a link or node comes back after a failure while OSPF and LDP are used together. It also occurs when IS-IS and LDP are used together. IGP-LDP synchronization keeps the IGP from advertising the link with its normal metric until LDP has label bindings for the IGP prefixes in its label database; otherwise, since the IGP converges first and LDP afterwards, packets would be black-holed. (Until LDP is up, OSPF advertises the link with the maximum metric so it is not used for transit.)
The chicken-and-egg problem is solved and black-holing is avoided.
Question 11:
Which of the below options is correct for the given topology?
A. Area 20 has to be a Stub area
B. Sending a default route might create suboptimal routing for the internal Area 20 routers
C. The ABR of Area 20 has to be the Designated Router
D. Area 20 doesn’t receive Type 1 and Type 2 LSAs from the other areas
Answer 11:
Area 20 can be any type of OSPF area, since there is no given requirement.
Sending a default route cannot create suboptimal routing, because there is only one exit point from Area 20. Suboptimal routing can only be created if there is more than one exit from the area.
The ABR of Area 20 doesn’t have to be the DR. In fact, the DR and the ABR shouldn’t be the same router, since both operations are resource intensive and separating these two tasks is a best practice.
Type 1 and Type 2 LSAs cannot be received from the other areas, because topology information is not passed between OSPF areas. The answer is D.
Question 12:
In the below topology Area 30 is an NSSA area. Which of the below options is true?
Answer 12:
Since Area 30 is an NSSA area, there will be Type 3 LSAs; that’s why Option A is incorrect. There will be Type 1 and Type 2 LSAs, but not from the other areas.
In Area 30, every router generates a Type 1 LSA, and if there is a multi-access network, the DR generates a Type 2 LSA as well.
EIGRP prefixes will be allowed in and they will be seen as Type 7 LSAs in Area 30.
Only Option B is correct, because the ABR of Area 30 translates the Type 7 LSAs carrying the EIGRP prefixes to Type 5 LSAs and sends them to the rest of the network.
Question 13:
In the below topology Area 10 is a Totally NSSA area. Which of the below options is true?
Answer 13:
Area 10 will be able to reach the EIGRP network through the default route even if it is a Totally NSSA area. But the Area 10 devices cannot have the specific EIGRP prefixes, because Type 3, 4 and 5 LSAs are not allowed in a Totally NSSA area (only the default route is injected as a Type 3 LSA by the ABR). The answer to this question is B.
Question 14:
In which of the below topologies is OSPF worse than EIGRP in a large-scale implementation?
A. Full Mesh
B. Partial Mesh
C. Hub and Spoke
D. Ring
Answer 14:
In a full mesh physical topology, the mesh group feature limits flooding so that only a couple of routers reflood LSAs into the area, instead of every router reflooding over every link. Mesh groups are supported by both OSPF and IS-IS.
This brings scalability to OSPF in full mesh.
Ring and partial mesh topologies are hard for all routing protocols. Ring and partial mesh are cheaper to build, but convergence, optimal routing and fast reroute are very hard in ring and partial mesh.
EIGRP is best in hub and spoke topologies from the scalability point of view, because it doesn’t require much configuration for its operation. OSPF, on the other hand, requires a lot of tuning for its operation in a large scale hub and spoke topology. The answer is C.
Question 15:
Why is OSPF used as an infrastructure IGP in an MPLS VPN environment?
A. To carry the customer prefixes
B. Reachability between the MPLS VPN endpoints
C. OSPF is not used in an MPLS VPN environment as an infrastructure IGP protocol, but BGP is used
Answer 15:
LDP requires an IGP, yes, but that is not relevant here; it could be EIGRP or IS-IS as well.
The purpose of OSPF, or any other IGP, as the infrastructure protocol is to carry the loopback interface addresses of the MPLS VPN endpoints.
So OSPF is used for reachability between the VPN endpoints (the PE devices) in SP networks. OSPF as the infrastructure IGP is not used to carry the customer prefixes. The answer is B.
Knowing the difference between the infrastructure IGP and the PE-CE IGP protocol in MPLS VPN is important. This will be explained in detail in the MPLS chapter.
Question 16:
Which OSPF feature in MPLS VPN PE-CE is used to ensure that the MPLS service is always chosen as the primary link?
A. OSPF max-metric
B. OSPF prefer-primary path
C. OSPF sham-link
D. Passive-interface
E. Virtual link
Answer 16:
Even if the domain IDs are the same on both sites of the MPLS VPN, without the sham-link feature the CE can only receive Type 3 LSAs from the PE, and an intra-area route over a backdoor CE-CE link would always win over the inter-area route via the MPLS VPN. A sham-link is used to receive Type 1 LSAs across the MPLS VPN, and then, even if there is a backup connection between the CEs, simply changing the cost on either the PE-CE or the CE-CE link makes the MPLS link primary. The answer is C.
OSPF as a PE-CE protocol will be explained in detail in the MPLS chapter.
Question 17:
Which of the below options are correct for OSPF? (Choose all that apply)
A. OSPFv2 doesn’t support IPv6, so when IPv6 is needed, OSPFv3 is necessary
B. An OSPF virtual link shouldn’t be used as a permanent solution in OSPF design
C. OSPF and BGP are two separate protocols, so when the OSPF cost changes, it doesn’t affect BGP path selection
D. OSPF can carry the label information in Segment Routing, so LDP wouldn’t be necessary
E. OSPF, unlike EIGRP, supports MPLS Traffic Engineering with dynamic path calculation
Answer 17:
Question 18:
What is the reason to place all routers in Area 0/the backbone area, even in a flat OSPF design?
A. You cannot place routers in a non-backbone area without a backbone area
B. Type 3 LSAs should be received from the ABR
C. Future migration to a Multi Area design can be easier
D. It is not a best practice to place all the routers in Area 0 in a Flat/Single area OSPF design
Answer 18:
In OSPF design, all the routers can be placed in any non-backbone area. If you have 50 routers in your network, you can place all of them in Area 100, for example.
But having the routers in the OSPF backbone area (Area 0) from the early stage of the network design provides an easier migration to a Multi Area OSPF design, because the existing area is already the backbone that every new area must attach to. The answer is C.
This is true for IS-IS as well. In IS-IS you can have all the routers in the network in a Level 1 domain, but having them in Level 2 allows an easier Multi-Level IS-IS design if it is required in the future. This will be explained in the IS-IS chapter with a case study.
Question 19:
In OSPFv2, which LSA types cause a partial SPF run? (Choose three)
A. Type 1
B. Type 2
C. Type 3
D. Type 4
E. Type 5
Answer 19:
In OSPFv2, Type 3, 4 and 5 LSAs cause a partial SPF run, not a full SPF, because they carry reachability information only and do not change the intra-area topology graph. A partial SPF is a less CPU intensive process compared to a full SPF run.
Thus the correct answer to this question is C, D and E.
Question 20:
Based on which design attributes does the maximum number of routers in an OSPF area change?
A. It depends on how many areas are in the OSPF domain
B. The maximum number of routers in an OSPF area should be around 50
C. Depends on link stability, physical topology, number of links, hardware resources, rate of change in the network
Answer 20:
It depends on link stability, physical topology, the number of links on the routers, hardware resources and the rate of change in the network. If some links flap all the time, this affects the routers’ resources and the scalability of the network. The answer is C.
Question 21:
How many OSPF ABRs should be in place per area in OSPF, keeping redundancy in mind?
A. One
B. Two
C. Three
Answer 21:
In a large-scale OSPF design, the number of ABRs will have a huge impact on the number of prefixes (each ABR injects its own set of Type 3 LSAs). Thus having two ABRs is good for redundancy at the critical sites.
For example, some of the remote offices or POP locations may not be as critical as other locations, and having only one ABR in those locations can be tolerated by the company. In that case that specific location may have only one ABR.
Keep in mind that, in design, two is company and three is a crowd. The answer is B.
Question 22:
What are the most important reasons for route summarization in OSPF? (Choose two)
A. In order to reduce the routing table size, so routers have to store and process less information
B. In order to increase the availability of the network
Answer 22:
If there is route summarization, suboptimal routing might occur, as explained in the OSPF chapter. Thus Option E is incorrect.
Availability and security don’t increase with route summarization. But the effect of a topology change is definitely reduced.
Also, the routing table size is reduced, and this provides better memory and CPU utilization, faster convergence and easier troubleshooting.
That’s why the answer to this question is A and D.

Chapter 4
IS-IS
IS-IS shares similar convergence characteristics with OSPF. SPF throttling timers, LSP throttling timers, LSP pacing, and the processing and propagation timers are tunable in IS-IS as well.
IS-IS, like OSPF, supports MPLS Traffic Engineering, IP Traffic Engineering (LFA, Remote LFA) and also Segment Routing.
Totally different protocols are not necessary to support new extensions. With IS-IS, IPv6, MTR, and many other features can be supported just with additional TLVs.
• IPv6 address family support (RFC 5308)
• Multi-Topology support (RFC 5120)
• MPLS Traffic Engineering extensions (RFC 5305)
IS-IS.
ISPs commonly choose NET addresses as follows:
• First 8 bits (one byte): the AFI, a number you pick (49, the private AFI, is used in these examples). The next 16 bits are the area ID.
• Next 48 bits: the system ID, derived from the router loopback address (6 bytes; every 4 digits is 2 bytes)
• Final 8 bits (2 digits): the NSEL, which is 00 on routers
Example:
• NET: 49.0001.1921.6800.1001.00, where 49.0001 is the IS-IS area ID
• 1921.6800.1001 is the system ID, built from the loopback 192.168.1.1 (each octet zero-padded to three digits, 192.168.001.001, and the twelve digits regrouped in fours) in Area 1
• 00 is the NSEL
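The NET construction above, as an added example that is not from the book: Python to build a NET from the area and the loopback, to parse one back, and to find duplicate system IDs across a constructed list of routers (the book’s own 49.0001.1921.6800.1001.00 is used as input; the other NETs are made up). A duplicate system ID is a classic cause of LSP corruption and adjacency flaps, and it has to be unique across the whole domain, not just within an area, which is why the check ignores the area part.

```python
# Added example (not from the book): build an IS-IS NET from an area and a
# loopback address using the convention above, parse one back, and flag
# duplicate system IDs across a constructed list of routers.
import ipaddress
import re

NET_RE = re.compile(
    r"^(?P<area>[0-9A-Fa-f]{2}(?:\.[0-9A-Fa-f]{4})*)"                 # AFI plus two-byte groups
    r"\.(?P<sysid>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"    # 6-byte system ID
    r"\.(?P<nsel>[0-9A-Fa-f]{2})$")


def system_id_from_ipv4(addr):
    """192.168.1.1 -> '1921.6800.1001': zero-pad each octet to 3 digits,
    concatenate the 12 digits and regroup them in fours."""
    digits = "".join(f"{octet:03d}" for octet in ipaddress.IPv4Address(addr).packed)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_net(area, loopback, nsel="00"):
    """area is the dotted AFI+area string, e.g. '49.0001'."""
    if not re.fullmatch(r"[0-9A-Fa-f]{2}(\.[0-9A-Fa-f]{4})*", area):
        raise ValueError(f"bad area {area!r}")
    return f"{area}.{system_id_from_ipv4(loopback)}.{nsel}"


def loopback_from_system_id(sysid):
    """Inverse of system_id_from_ipv4; None if the ID was not built that way."""
    digits = sysid.replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        return None
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    return None if max(octets) > 255 else ".".join(map(str, octets))


def parse_net(net):
    m = NET_RE.match(net)
    if not m:
        raise ValueError(f"not a NET: {net!r}")
    area_bytes = 1 + 2 * m["area"].count(".")          # AFI byte plus 2 bytes per group
    if area_bytes > 13:
        raise ValueError("area address longer than 13 bytes")
    if m["nsel"] != "00":
        raise ValueError("NSEL must be 00 on a router")
    return {"area": m["area"], "system_id": m["sysid"], "nsel": m["nsel"],
            "loopback": loopback_from_system_id(m["sysid"])}


def duplicate_system_ids(nets):
    """System IDs used by more than one NET. The area may differ: the system
    ID must be unique across the whole IS-IS domain, not just within an area."""
    seen = {}
    for net in nets:
        sysid = parse_net(net)["system_id"]
        seen[sysid] = seen.get(sysid, 0) + 1
    return sorted(s for s, n in seen.items() if n > 1)


if __name__ == "__main__":
    print(build_net("49.0001", "192.168.1.1"))
    print(parse_net("49.0001.1921.6800.1001.00"))
    # constructed router list with one collision across two areas
    print(duplicate_system_ids(["49.0001.1921.6800.1001.00",
                                "49.0002.1921.6800.1001.00",
                                "49.0001.1921.6800.1002.00"]))
```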
OSPF | IS-IS
Host | End System (ES)
Router | Intermediate System (IS)
Link | Circuit
Packet | Protocol Data Unit (PDU)
Designated Router (DR) | Designated IS (DIS)
Backup Designated Router (BDR) | N/A (no backup DIS is used)
Link-State Advertisement (LSA) | Link-State PDU (LSP)
Hello Packet | IIH PDU
Database Description (DBD) | Complete Sequence Number PDU (CSNP)
Area | Sub-Domain (Area)
Non-backbone Area | Level-1 Area
Backbone Area | Level-2 Subdomain (backbone)
Area Border Router (ABR) | L1L2 Router
Autonomous System Boundary Router (ASBR) | Any IS
IS-IS fast convergence steps are very similar to OSPF fast convergence.
Four necessary steps in fast convergence:
1. Failure detection
Layer 1 failure detection mechanisms:
• Carrier delay
• Debounce timer
• SONET/SDH APS timers
Layer 3 failure detection mechanisms:
• Protocol timers (Hello/Dead)
• BFD (Bidirectional Forwarding Detection)
For failure detection, the best practice is to always use the physical down detection mechanism first. Even BFD cannot detect a failure faster than the physical failure detection mechanism.
This is because BFD is a polling mechanism: control packets are sent and received periodically, so detection takes a multiple of the transmit interval, whereas physical layer detection is event driven and always faster than BFD and protocol hellos.
If the physical layer detection mechanisms cannot be used (maybe because there is a transport element in the path), then instead of tuning the protocol hello timers aggressively, BFD should be used. A common example is two routers connected through an Ethernet switch; the best method there is to use BFD.
Compared to protocol hello timers, BFD packets are much smaller, thus they consume fewer resources and less bandwidth.
2. Failure propagation
Propagation of the failure throughout the network.
Here the LSP throttling timers come into play. You can tune LSP throttling for faster information propagation; it can be used to slow down information processing as well. The LSP pacing timers can also be tuned to send updates much faster.
Level 1 routers look at the ATT bit in the L1 LSP of the L1-L2 routers and install a default route towards the closest Level 1-2 router in the area. This can create suboptimal routing, because the closest L1-L2 router is not necessarily the best exit for a given destination.
IS-IS Design
In a new IS-IS design, starting with L2-only is the best option; migration to a multi-level design is easier when starting with L2. Domain migration will be harder if the design is started with L1.
If you start with L1-L2 on every router, then all the routers have to keep two databases (an L1 and an L2 LSDB) for every prefix. This is resource-intensive without additional benefit.
When designing multi-level IS-IS with more than one exit (L1-L2 routers) from an area, you will most likely create suboptimal routing. Suboptimal routing is not always bad; just know the application requirements. Some applications can tolerate suboptimal routing, and then you can have low-end devices in the L1 areas; edge and core can be placed in L1.
L2 in the POP and the Core
Design Requirement | Single Level/Flat IS-IS | Multi-Level IS-IS
Reachability Information | YES, inside a level (sub-domain), all the routers have the same Link State Database | Only a default route is sent from Level 2 to Level 1, with the ATT bit
Topology Information | YES, inside a level (sub-domain), all the routers have the same Link State Database | NO, the L1-L2 routers stop topology information; one level’s (sub-domain’s) topology is not known by the other level
MPLS Traffic Engineering | Good. Every router has the same topology information: which router is connected to which, the metric between them and so on | Hard, it requires the MPLS TE extensions or a Path Computation Element
Troubleshooting | Easier than a Multi-Level IS-IS design | More nodes and more LSPs make it harder to troubleshoot, compared to a Single Level/Flat IS-IS design
Staff Experience | Not well known | Not well known
IPv6 Support | YES | YES
Additional Nodes | None | L1-L2 router (similar to an OSPF ABR)
QoS Support | Good, no difference | Good, no difference
Multicast Support | Good, no difference | Good, no difference
Resource Requirement | More, every router needs to keep both reachability and topology information for the whole IS-IS domain | Less, routers only keep the topology information of their level (sub-domain), and not the reachability information of the entire IS-IS domain
as well.
Question 1:
What happens if the P3-P4 link fails?
Question 2:
Do you need to know the level of the IS-IS network to provide a solution?
Question 3:
What would be your design recommendation to ensure high availability on this network?
Answer 1:
In an MPLS network, when a failed link comes back, the IGP should not converge back onto that link before getting the green light from LDP.
If the P3-P4 link fails in the topology shown above, the P1-P2-P4 path is used. If the link returns and the IGP converges before LDP has come up on it, P3 cannot get a label for the prefixes over that link; it sends the
Answer 2:
It doesn’t matter which IS-IS level (L1 or L2) is used; the solution to this problem is the same.
Here the question is to see if you know the solution already.
This type of question will be asked in the CCDE Practical exam, and the task domain will be analyzing the design.
Answer 3:
If the IGP-LDP synchronization feature is enabled, P3 and P4 signal their neighbors not to use the P3-P4 link until LDP converges. The IGP signals the other nodes in the routing domain for BGP convergence in exactly the same way; OSPF Case Study 5 showed IGP-BGP synchronization.
With OSPF max-metric router-lsa and the IS-IS overload bit, OSPF and IS-IS signal the other nodes in the IGP domain to wait for BGP convergence.
Protocol interaction matters for optimal routing design. If overlay protocols do not follow the underlay protocols or the physical topology, suboptimal routing, black holes, or routing or forwarding loops can occur.
In order to avoid these issues, synchronization should be enabled.
So far in this class you have seen STP-FHRP, IGP-BGP, and IGP-MPLS interactions within the case studies.
More case studies regarding interactions between different technologies will be provided in later sessions.
Design Requirement | OSPF | IS-IS
Scalability | 2 tier hierarchy, less scalable | 2 tier hierarchy, less scalable
Working on Full Mesh | Works well with Mesh Group | Works well with Mesh Group
Working on Ring Topology | Ring is hard for the routing protocols; in the case of a failure, micro loops occur | Same as OSPF
Working on Hub and Spoke | Works poorly, it requires a lot of tuning | Same as OSPF
Fast Reroute Support | YES, IP FRR | YES, IP FRR
Suitable on WAN | YES | YES
Suitable on Datacenter | DCs are full mesh, and full mesh operation requires a lot of tuning. Instead, in large scale data centers, Layer 2 protocols or BGP are used | Same as OSPF, but since IS-IS runs directly on Layer 2, it is used as the control plane for many overlay technologies such as OTV, FabricPath, TRILL and SPB in the datacenter
Suitable on the Internet Edge between two AS | NO, it is designed as an IGP | NO, it is designed as an IGP
Standard Protocol | YES, IETF standard | YES, ISO 10589, with the IP extensions standardized by the IETF (RFC 1195)
Staff Experience | Very well known | Not well known; although it is common in Service Provider networks, it is rarely used in Enterprise networks
Overlay tunnel Support | YES | Doesn’t support IP tunnels
MPLS Traffic Engineering Support | YES, with CSPF | YES, with CSPF
Security | Less secure | More secure since it runs directly on Layer 2: it is not carried in IP, so it cannot be reached by remotely injected IP packets. Both protocols still need neighbor authentication (HMAC-SHA for IS-IS per RFC 5310; MD5 or HMAC-SHA per RFC 5709 for OSPFv2)
Suitable as Enterprise IGP | YES | NO, it lacks IPsec; it could still be implemented as GRE over IPsec, since GRE supports IP and non-IP protocols
Suitable as Service Provider IGP | YES | Definitely, IS-IS was designed for CLNP and became the IGP of choice in large scale service provider networks
Complexity | Complex, it has 11 types of LSAs | Easy, there are only two levels
Policy Support | Good | Good
Resource Requirement | SPF requires more processing power compared to the DUAL algorithm, but in 2016 it is not an issue for most routers | SPF requires more processing power compared to the DUAL algorithm, but in 2016 it is not an issue for most of the routers
Extendibility | Not good | Good, thanks to TLV support
IPv6 Support | YES, but it requires a new protocol, OSPFv3 | YES, it doesn’t require a new protocol; IPv6 is implemented with new TLVs only
Default Convergence | Slow | Slow
Training Cost | Cheap | Cheap
Troubleshooting | Easy | Very Easy
Routing Loop | Good protection: LSA sequence numbers inside an area, and for the multi area design, all non-backbone areas have to be connected to the backbone area | Good protection: LSP sequence numbers inside a level, and the Up/Down bit between two levels in the multi-level IS-IS design
than OSPF in general. Also thanks to the TLV structure of IS-IS, when
additional features are needed, IS-IS is easily extendable.
Since the majority of service providers historically use IS-IS for their
core IGP routing protocol, Fastnet decided to migrate their IGP from
OSPF to IS-IS.
Please provide a migration plan for Fastnet for a smooth transition.
Fastnet will plan all of its activity during a maintenance window. Fastnet
has been using a flat OSPF design, but it wants a flexible IS-IS design which
will allow Fastnet to migrate to multi-level IS-IS in the future.
Below are the steps for the migration. A “ship in the night” approach
will be used: both routing protocols will be running on the network at the
same time during migration.
1. Verify OSPF configuration and operation
2. Deploy IS-IS over entire network
3. Set OSPF admin distance to be higher than IS-IS
4. Check for leftovers in OSPF
the resource requirements on the routers and allows easier migration
to multi-level IS-IS.
• Deploy both IPv4 and IPv6.
• Deploy IS-IS passive interface at the edge links; these links
should be carried in IBGP. Prefix suppression can be used to carry
infrastructure links in IBGP, but these are not a requirement of
Fastnet.
• Make sure the IS-IS LSDB is consistent with OSPF routing table.
3. Set OSPF admin distance to be higher than IS-IS.
• Increase the AD of OSPF across the entire network.
4. Check OSPF leftovers.
• In this step all the prefixes in the routing table should be learned
by IS-IS. If there are any OSPF prefixes, we should find out why
they are there. You can compare the output of “show ip ospf neighbor” with
“show isis neighbor”; the number of neighbors should be the same for
both.
• If the number is not the same, fix the problem.
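As an added example (not from the book and not Fastnet’s own tooling), the following script automates the step 3 and step 4 checks over IOS-style show output. The column layout it parses is the assumed IOS format, and every sample line is constructed for the example.

```python
"""Added example (not from the book): automated checks for step 3 and step 4
of the OSPF to IS-IS migration. It parses constructed IOS-style output (the
sample lines are made up, not captured from Fastnet) and reports prefixes
still preferred via OSPF, whether the raised OSPF distance is really higher
than the IS-IS distance, and whether OSPF and IS-IS neighbour counts match."""
import re

# Constructed "show ip route" excerpt after IS-IS is deployed and the OSPF
# administrative distance has been raised to 116. One prefix (10.1.4.0/24)
# is still only known from OSPF: that is the leftover step 4 looks for.
SHOW_IP_ROUTE = """\
C        10.0.12.0/30 is directly connected, GigabitEthernet0/0
i L2     10.1.2.0/24 [115/20] via 10.0.12.2, 00:05:10, GigabitEthernet0/0
i L2     10.1.3.0/24 [115/30] via 10.0.12.2, 00:05:10, GigabitEthernet0/0
O        10.1.4.0/24 [116/40] via 10.0.12.2, 01:12:44, GigabitEthernet0/0
i L1     10.1.5.0/24 [115/10] via 10.0.13.2, 00:04:58, GigabitEthernet0/1
"""

# Constructed neighbour tables: two OSPF adjacencies, two IS-IS adjacencies.
SHOW_IP_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.2          1   FULL/DR         00:00:35    10.0.12.2       GigabitEthernet0/0
10.0.0.3          1   FULL/BDR        00:00:31    10.0.13.2       GigabitEthernet0/1
"""
SHOW_ISIS_NEIGHBORS = """\
System Id      Type Interface     IP Address      State Holdtime Circuit Id
R2             L2   Gi0/0         10.0.12.2       UP    28       R2.01
R3             L1   Gi0/1         10.0.13.2       UP    27       R1.02
"""

# Protocol code ("C", "O", "O IA", "i L1", "i L2"...), prefix, optional [AD/metric].
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+(?: [A-Z][A-Z0-9])?)\s+(?P<prefix>\d[\d.]*/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?")


def parse_routes(text):
    """Return one dict per RIB entry: protocol code, prefix and AD (None for
    connected routes, which carry no [AD/metric] field)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": m["code"], "prefix": m["prefix"],
                           "ad": int(m["ad"]) if m["ad"] else None})
    return routes


def ospf_leftovers(routes):
    """Step 4: prefixes the RIB still prefers from OSPF (O, O IA, O E1/E2...)."""
    return [r["prefix"] for r in routes if r["code"].startswith("O")]


def distance_order_ok(routes):
    """Step 3: every remaining OSPF entry must have a higher AD than every
    IS-IS entry, otherwise OSPF would still win for dual-learned prefixes."""
    ospf = [r["ad"] for r in routes if r["code"].startswith("O")]
    isis = [r["ad"] for r in routes if r["code"].startswith("i")]
    return not ospf or not isis or min(ospf) > max(isis)


def count_neighbors(text, up_state):
    """Count data lines whose State column reports an established adjacency
    (FULL for OSPF, UP for IS-IS); the header line is skipped."""
    return sum(1 for line in text.splitlines()[1:]
               if re.search(rf"\b{up_state}\b", line))


def migration_report():
    routes = parse_routes(SHOW_IP_ROUTE)
    ospf_n = count_neighbors(SHOW_IP_OSPF_NEIGHBOR, "FULL")
    isis_n = count_neighbors(SHOW_ISIS_NEIGHBORS, "UP")
    return {"ospf_leftovers": ospf_leftovers(routes),
            "distance_order_ok": distance_order_ok(routes),
            "ospf_neighbors": ospf_n, "isis_neighbors": isis_n,
            "neighbor_counts_match": ospf_n == isis_n}


if __name__ == "__main__":
    for key, value in migration_report().items():
        print(f"{key}: {value}")
```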
There are three IS-IS areas in the topology. Router levels are shown as
well. Router A and Router B are the internal IS-IS L1 routers.
In a multi-level/multi-area IS-IS design, internal routers always choose the
smallest metric advertised by their L1L2 router.
In the below topology, since Router A only knows the topology
information for its own area, and the left L1L2 router advertises Router
B with the smaller metric, the blue path is chosen for Router A to Router B traffic.
Obviously the total metric of the other path (10+5+5) is smaller than that of the
blue one (5+5+5+5+5+5), but the blue path is still used for the Router A to Router B traffic.
One solution to this problem is to leak the Router B information on
both L1L2 routers of Router A’s area.
IS-IS Blackholing and Link Level Placement Case Study
In the illustrated topology for simplicity only one of the regions of
the company is shown.
Level 1 routers use L1L2 routers to reach the rest of the network.
What would happen if the link between Router A and Router C fails?
When Router A to Router C link fails, the traffic from L1L2 router
flows through the other L1 router. This creates suboptimal traffic flow,
but it is tolerated since the faulty link is repaired after some time.
The L1 router (Router B in this topology) might have performance
and bandwidth issues since it was handling half of the traffic before the
failure. The solution is to connect a direct link between the L1L2 routers
as shown in the below topology.
Question
Into which IS-IS level should the new link between the L1L2 routers be
placed?
It should be the L1L2 link. If it was only L2, Router C would learn all
the prefixes of Router A from Router B as L1 LSP and from direct link
as L2 LSP. Since L1 is preferred over L2, a suboptimal path is still used.
The best solution is to place the direct inter-L1L2 link into L1L2.
• If Level 1 domain is partitioned in the IS-IS network, it can be
connected over the Level 2 backbone.
• This concept is known as Virtual Link. Virtual Link is used in OSPF
as well.
• In our case study, Area 20 is partitioned. In order to connect the Level
1 domain and provide full reachability between L1 routers of Area 20,
virtual link/adjacency is created over Level 2 backbone.
Question 1:
Which OSPF Area is similar to IS-IS Level 1 sub domain?
A. Backbone area
B. Stub Area
C. Totally Stub Area
D. Totally NSSA Area
Answer 1:
The answer is D, because the IS-IS level 1 domain allows route
redistribution and only the default route is sent from the L2 domain.
This was explained in the IS-IS chapter.
Question 2:
If two IS-IS devices are connected to an Ethernet switch, which of the
options below provides the fastest down detection to the IGP process?
A. Tuned IS-IS LSP timers
B. BFD
C. Tuned IS-IS SPF Timers
D. IS-IS Hello timers
Answer 2:
Tuning LSP and SPF timers can improve the convergence of IS-IS in
case of a failure, but they don’t provide fast failure detection.
Reducing the hello timers can shorten the failure detection time,
but they cannot be tuned as aggressively as BFD. Also, since there is an Ethernet
switch in between, a port-failure event cannot trigger a remote port interface
down event. BFD is the best solution, especially if there is a node in between which
prevents end-to-end failure signaling between the two devices.
Question 3:
Answer 3:
As explained in the IS-IS chapter, it is used to signal the other
routers so that the node is not used as transit. If the node were eligible to
be used as the primary path, a blackhole would occur since BGP and IGP
convergence times are not the same.
The IGP should wait for BGP before starting to accept network traffic.
That’s why the answer is B.
Question 4:
Which of the mechanisms below are used to slow down the
distribution of topology information caused by rapid link flaps in IS-IS?
(Choose Two)
A. ISPF
B. Partial SPF
C. Exponential Back Off
D. LSA Throttling
E. SPF Throttling
Answer 4:
The exponential back off mechanism is used in OSPF and IS-IS to protect
the routing system from rapid link flaps. LSA throttling timers can also
be tuned to protect the routing system from these types of failures.
But tuning the LSA throttling timers also affects convergence,
so careful monitoring is necessary if there is an IS-IS fast convergence
requirement in the design.
That’s why the correct answers are C and D.
Question 5:
Answer 5:
Unequal cost load balancing is not supported in IS-IS. Even if you
leak the prefixes it won’t work. ECMP is done hop by hop. Even if L2
prefixes are not leaked into the L1 domain, internal L1 domain routers
can still do ECMP towards the L1-L2 routers if there is more than one L1-L2
router, but the L1-L2 routers may not do ECMP. Thus option C is incorrect.
When the MPLS PE is inside the L1 domain, LDP cannot assign a label to
the remote PE loopbacks since those loopbacks are not known: internal L1
routers only learn a default route, as explained in the IS-IS chapter.
Whenever optimal routing is required, more specific information, if
available, helps with that.
The correct answers are A and B.
Question 6:
How many levels of hierarchy are supported by IS-IS?
A. One
B. Two
C. Three
D. As many as possible
Answer 6:
IS-IS supports two levels of hierarchy. Hierarchy is a common network
design term, used to identify the logical boundaries.
IS-IS Level 1 and IS-IS Level 2 domains provide maximum two levels
of hierarchy. Level 2 IS-IS domain is similar to Backbone area in OSPF,
Level 1 IS-IS domain is similar to Totally NSSA area in OSPF.
Question 7:
If some prefixes are leaked from the IS-IS level 2 domain into the level 1
domain, how does IS-IS prevent those prefixes from being advertised back into
the Level 2 domain?
A. Route tag should be used
B. The ATT bit prevents the prefixes from being advertised back into the Level 2
domain
C. The U/D bit is used to prevent the prefixes from being advertised back into
the Level 2 domain
D. They wouldn’t be advertised back into the Level 2 domain anyway
Answer 7:
If for some reason some prefixes are leaked from Level 2 into Level 1, the
U/D bit in IS-IS prevents those prefixes from being advertised back into the IS-IS
level 2 domain. This is an automatic process and doesn’t require configuration.
It is the loop prevention mechanism of IS-IS route leaking.
That’s why the answer is C.
Question 8:
Which of the mechanisms below is used in IS-IS full mesh topologies to
reduce LSP flooding?
A. Elect a DIS and Backup DIS
B. Use IS-IS Mesh Group
C. Use DR and BDR
D. Deploy Multi Level IS-IS design
Answer 8:
A full mesh topology could be in any level, either Level 1 or Level 2,
in a multi level design. Thus having a multi level design won’t help for LSP
Question 9:
If an IS-IS router is connected to three links and is redistributing 100
EIGRP prefixes into the domain, and the design is a flat/single level IS-IS
design, how many IS-IS LSPs are seen in the domain?
A. 100 IS-IS LSP
B. 3 IS-IS LSP
C. 300 IS-IS LSP
D. 1 IS-IS LSP
Answer 9:
There will be different TLVs for internal and external routes, but there
will be only 1 IS-IS LSP in the domain. If it were a multi-level IS-IS
design, two LSPs would be seen, but since the question says that it is a
flat/single level deployment, there will be only 1 IS-IS LSP, either L1 or
L2.
That’s why the correct answer is D.
Question 10:
Which of the statements below are correct for IS-IS design?
A. Topology information is not advertised between IS-IS levels
B. Starting with Flat/Single Level 2 IS-IS design makes the
possible future IS-IS deployment easier
C. IS-IS level 2 route is preferred over level 1 route in IS-IS
D. IS-IS uses DIS and Backup DIS on the multi access links.
Answer 10:
There is no backup DIS in IS-IS, thus option D is incorrect.
IS-IS level 1 routes are preferred over IS-IS level 2 routes, similar to
OSPF intra-area routes being preferred over inter-area routes. Thus option C
is incorrect as well.
The correct answers are A and B.
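The three behaviours above (the Router A to Router B case study, where the prefix is leaked by one or both L1L2 routers, and the level preference and U/D bit from Answers 7 and 10) can be checked with a small model. This is an added example written for this edit, not code from the book; the router names, costs and prefixes are constructed.

```python
"""Added example (not from the book): a small model of three multi-level
IS-IS behaviours discussed above, the Router A to Router B case study and
Answers 7 and 10.

  1. An L1 router that sees a prefix leaked by only one L1L2 router follows
     that router, whatever the cost behind it; with no leaked prefix at all
     it follows the default route to the nearest L1L2 router.
  2. When both L1L2 routers leak the prefix, the L1 router adds the leaked
     metric to its own cost and picks the real shortest path.
  3. Leaked prefixes carry the U/D bit, L1 routes beat L2 routes, and an
     L1L2 router never re-advertises a U/D-marked prefix back into L2.

Router names, costs and prefixes are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    level: int            # 1 or 2
    metric: int
    updown: bool = False  # True when leaked L2 -> L1 (U/D bit set)


def choose_exit(cost_to_l1l2, leaked_metric):
    """Return (exit L1L2 router, metric the L1 router computes) for a prefix.

    cost_to_l1l2:  L1 cost from this router to each L1L2 router.
    leaked_metric: metric each L1L2 router leaks for the prefix; only the
                   routers that actually leak it appear here.
    """
    if not leaked_metric:
        # Nothing leaked: only the ATT-bit default route exists, so go to
        # the closest L1L2 router; the cost beyond it is invisible here.
        exit_rtr = min(cost_to_l1l2, key=cost_to_l1l2.get)
        return exit_rtr, cost_to_l1l2[exit_rtr]
    totals = {r: cost_to_l1l2[r] + m for r, m in leaked_metric.items()}
    exit_rtr = min(totals, key=totals.get)
    return exit_rtr, totals[exit_rtr]


def best_route(candidates):
    """RIB choice: a level 1 route wins over level 2 regardless of metric,
    then the lowest metric within the same level."""
    return min(candidates, key=lambda r: (r.level, r.metric))


def leak_l2_into_l1(l2_routes, local_cost=0):
    """An L1L2 router copies chosen L2 prefixes into its L1 LSP, adding its
    own cost to the prefix and setting the U/D bit on every leaked copy."""
    return [Route(r.prefix, 1, r.metric + local_cost, updown=True)
            for r in l2_routes]


def advertise_l1_into_l2(l1_lsdb):
    """An L1L2 router lifts L1 prefixes into L2 but skips any prefix whose
    U/D bit is set: that is the automatic loop prevention of route leaking."""
    return [Route(r.prefix, 2, r.metric) for r in l1_lsdb if not r.updown]


# Constructed case study: Router A reaches the left L1L2 router at cost 5
# (the blue path) and the right one at cost 10. Behind them, Router B costs
# 25 via the left router (5+5+5+5+5) and 10 via the right one (5+5).
COST_TO_L1L2 = {"left": 5, "right": 10}
L2_COST_TO_B = {"left": 25, "right": 10}
ROUTER_B_PREFIX = "10.20.0.0/24"


def case_study():
    """Exit router and true end-to-end metric when only the left L1L2 router
    leaks Router B's prefix, and when both of them leak it."""
    def leaked_by(names):
        return {n: leak_l2_into_l1([Route(ROUTER_B_PREFIX, 2, L2_COST_TO_B[n])])[0].metric
                for n in names}

    def outcome(leaked):
        exit_rtr, _ = choose_exit(COST_TO_L1L2, leaked)
        return exit_rtr, COST_TO_L1L2[exit_rtr] + L2_COST_TO_B[exit_rtr]

    return {"leaked_by_left_only": outcome(leaked_by(["left"])),
            "leaked_by_both": outcome(leaked_by(["left", "right"]))}


if __name__ == "__main__":
    print(case_study())
```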
Books
White, R. (2003). IS-IS: Deployment in IP Networks, Addison-Wesley.
Videos
Cisco Live Session BRKRST-2338
Podcast
http://packetpushers.net/show-89-ospf-vs-is-is-smackdown-where-you-can-watch-their-eyes-reload/
Chapter 5
EIGRP
the feasibility condition. These are the backup routers.
• Feasible successors are placed in EIGRP topology table.
• Reported distance is the feasible distance of the neighboring router.
From Router A’s point of view, Router B and Router C are the equal
cost routers, so both the ABD and ACD paths can be used. Router A installs
both Router B and Router C not only in the EIGRP topology table, but also
in the routing table.
EIGRP RFC 7868
thousands of spoke nodes, most probably almost at the same time. This
process would put a lot of burden on the input queue and CPU of the
hub routers.
EIGRP Stub will be explained in more detail later in the chapter, and a
case study will be provided.
The diagrams below show how EIGRP prefixes are learned by the routers,
and then how EIGRP routers advertise the prefixes.
EIGRP is best in Hub and Spoke and Mesh topologies, but is not
good at Rings. See the below examples.
EIGRP STUB
EIGRP Stub allows the router not to be queried, and the stub router does
not advertise routes to a peer if the route was learned from another peer.
EIGRP Stub is the most important feature in large-scale EIGRP
design.
The summary metric is taken from the component route which has the
lowest metric. If that route goes down, the metric changes, so the summarization
effect towards upstream will be lost.
You can create a loopback interface within the summary address
range with a lower metric than any other route in the summary, but the
problem with this approach is that if all the routes in that summary range fail
but the loopback stays up, a blackhole occurs.
To avoid this problem within EIGRP named mode you can use
summary-metric, so that you can statically state the metric you want
to use.
Question 1:
Should the customer use the same EIGRP AS on the DMVPN network
and its office LAN? What is the problem with that design?
Answer 1:
No, they should not.
Since the customer’s requirement is to use MPLS VPN as the primary
path, if the customer runs the same EIGRP AS on the LAN and over DMVPN,
Answer 3:
Remember what the customer’s expectation was for the links: they want to
use MPLS VPN as the primary path for all their applications.
So the answer is yes, it satisfies the customer’s requirements. If the
customer uses a different EIGRP AS on the LAN and DMVPN, with metric
adjustment the MPLS VPN path can be used as primary.
Question 4:
What happens if the primary MPLS VPN link goes down?
Answer 4:
Traffic from the remote office to the datacenter goes through the Switch-R1-
DMVPN path. Since the datacenter prefixes will not be known through MPLS VPN when
it fails, only the DMVPN link is used from the datacenter. The DMVPN link is
used as primary if a failure happens.
Question 5:
What happens when the failed MPLS VPN link comes back?
Answer 5:
R2 receives the datacenter prefixes over the MPLS VPN path via EBGP
and from R1 via EIGRP. Once the link comes back, datacenter prefixes
will still be received via DMVPN and MPLS VPN and appear on the
office switch as EIGRP external.
Since the metric was arranged previously to make the MPLS VPN path
primary, no further action is required.
This is the tricky part: if Cisco switches, or those from another
vendor that takes the BGP weight attribute into consideration for best path
selection, are used, then the weight of the redistributed prefixes would be higher
than that of the prefixes received through MPLS VPN, so R2 uses the Switch-R1
DMVPN path, which violates the customer’s expectations.
Design Requirement (OSPF vs. EIGRP)
Fast Reroute Support
  OSPF: Yes, IP FRR
  EIGRP: Yes, IP FRR and Feasible Successor
Suitable on WAN
  OSPF: Yes
  EIGRP: Yes
Suitable on Datacenter
  OSPF: DCs are full mesh, so no
  EIGRP: DCs are full mesh, so no
Suitable on Internet Edge
  OSPF: No, it is designed as an IGP
  EIGRP: No, it is designed as an IGP
Standard Protocol
  OSPF: Yes, IETF Standard
  EIGRP: No, there is a draft but it lacks the Stub feature
Staff Experience
  OSPF: Very well known
  EIGRP: Well known
Overlay Tunnel Support
  OSPF: Yes
  EIGRP: Yes
MPLS Traffic Engineering Support
  OSPF: Yes, with CSPF
  EIGRP: No
Security
  OSPF: Less secure
  EIGRP: Less secure
Suitable as Enterprise IGP
  OSPF: Yes
  EIGRP: Yes
Suitable as Service Provider IGP
  OSPF: Yes
  EIGRP: No, it doesn’t support Traffic Engineering
Complexity
  OSPF: Easy
  EIGRP: Easy
Policy Support
  OSPF: Good
  EIGRP: Not so good
Resource Requirement
  OSPF: SPF requires more processing power
  EIGRP: DUAL doesn’t need much power
Extendibility
  OSPF: Not good
  EIGRP: Good, thanks to TLV support
IPv6 Support
  OSPF: Yes
  EIGRP: Yes
Default Convergence
  OSPF: Slow
  EIGRP: Fast with Feasible Successor
Training Cost
  OSPF: Cheap
  EIGRP: Cheap
Troubleshooting
  OSPF: Easy
  EIGRP: Easy
Routing Loop
  OSPF: Good protection
  EIGRP: Open to race condition
They know that EIGRP is the best IGP for large-scale DMVPN
design, but recently they had some issues with their WAN network.
Question 1:
What additional information do you need from Haleo to address their
issue?
• Datacenter network topology?
• Which routing protocol Haleo is using?
• Encryption method of Haleo?
• Routing configuration?
• WAN Network Topology?
Answer 1:
Let’s look at the options.
Datacenter network topology: We don’t need this information
since in the background information we are told that the problem is on
the WAN network.
Which routing protocol Haleo is using: We don’t need this because
in the background information we are told that it is EIGRP.
Encryption method: Nothing is said about encryption; we can’t
assume that they are using encryption over the DMVPN network since
DMVPN doesn’t require encryption.
Routing configuration: We know that Haleo is using EIGRP, but
we don’t know if they have EIGRP Stub on the edges or whether split
horizon is disabled on the hub, so we need to know their EIGRP features.
WAN network topology: We need the WAN network topology since
we don’t know how many routers are in the branches or how they are
connected. The background information only mentions that Haleo is
using two hub routers.
Email:
Dear Designer,
We are using EIGRP. EIGRP Stub has been enabled on all remote branches
per your suggestion.
Some critical branch offices have two routers and there is a 1 Gbps Ethernet
handoff from each router to only one hub router in the datacenter. I am sending our
DMVPN network diagram in the attachment. For simplicity, I have shared only a
couple of sites, but the rest of the sites are connected in the same way, i.e., either 1
router with 2 links or 2 routers with 2 links to the datacenter.
Hub and Spoke Case Study Customer Topology
Question 2:
Based on the information provided, what might be the problem? How
can it be solved?
Since the spoke routers are running as EIGRP Stub, they don’t send
the prefixes which are learned from each other to the hubs. If the link
between the hub and a spoke site which has two routers fails, that router is
isolated from the rest of the network.
The spokes in Spoke Site 1 send their networks to each other, so
192.168.0.0/24 and 192.168.1.0/24 are learned by both spokes, but since
they are EIGRP Stub, they don’t send the learned routes to the hub. If the
hub and spoke link fails in Spoke Site 1, the 192.168.0.0/24 network will
not be reachable anymore.
The same applies to Spoke Site 3, since that site also has two routers and
EIGRP Stub is enabled. The solution is to enable EIGRP Stub leaking.
In DMVPN it is good for the hubs to send a summary or default route to the spokes.
Spokes should send the routes which they learn from each other
to the hub, and should also send the routes which they learn from the hub
to each other. In this way, sites which have more than one router with
EIGRP Stub configuration do not have an issue in case of any failure.
CE1 sends EIGRP queries to PE1 and CE2 asking for its loopback prefix;
the network is using MPLS VPN as the primary path.
PE1 prefers the prefix via CE1; since it learns the prefix from CE1
it assumes that there is no alternate path. PE1 doesn’t send queries further
and replies with prefix unreachable to CE1. When PE1 stops learning
CE1’s loopbacks from EIGRP, it removes them from its BGP table as well
(EIGRP to MP-BGP redistribution).
When PE1 removes the prefix from its BGP table it sends a
BGP withdrawal to PE2. PE1 previously sent an EIGRP query to
CE2, and CE2 propagated it.
Here the EIGRP race condition can be a big issue.
Depending on which arrives first, the EIGRP query or the BGP withdrawal
message, a persistent routing loop can occur. If the BGP withdrawal
over the MPLS VPN backbone via MP-BGP arrives faster than the EIGRP
query through CE1–CE2 and eventually to PE2, everything is fine,
because PE2 removes the prefix from its BGP table and stops redistributing
Question 1:
Which of the technologies below provides functionality similar to the EIGRP
Feasible Successor?
A. ISPF
B. Partial SPF
C. Loop Free Alternate Fast reroute
D. OSPF Stub Areas
E. IS-IS Level 1 domain
Answer 1:
Although EIGRP convergence was not explained in the EIGRP
Question 2:
How many levels of hierarchy are supported in EIGRP?
A. One
B. Two
C. Three
D. Unlimited
Answer 2:
Unlike OSPF and IS-IS, there is no limit in EIGRP. OSPF and IS-IS
Question 3:
In the topology below, R3 is configured as EIGRP Stub. If the link
between R1 and R2 fails, which of the statements below are true for the
topology? (Choose Two)
Answer 3:
As it was explained in the EIGRP Stub section in this chapter, when
Question 4:
Which of the options below is considered a loop free path in EIGRP?
A. If reported distance is less than feasible distance
B. If reported distance is same as the feasible distance
C. If reported distance is higher than feasible distance
Answer 4:
For a path to be chosen as a loop free alternate, which means satisfying
the EIGRP feasibility condition as explained in the EIGRP chapter
of the book, the reported distance has to be less than the feasible distance. That’s
why the answer is A.
Question 5:
What happens if the backup path satisfies the feasibility condition?
(Choose Two)
A. It is placed in link state database
B. It is advertised to the neighbors
C. It is placed in the topology table
D. It can be used as unequal cost path
E. It is placed in the routing table
Answer 5:
The EIGRP database is called the topology database; the link state database is
used in link state protocols.
If a backup path satisfies the feasibility condition, it is placed in the topology
table, not in the routing table. If it were the best path (successor) or an equal
cost path, it would be placed in the routing table. But since the question says
backup path, it is only placed in the EIGRP topology database.
Since it is not the best path, it is not advertised to the neighbors.
With the ‘variance’ command, it can be used as an unequal cost path and can
be placed in the routing table.
That’s why the answers are C and D.
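The feasibility condition and the variance behaviour from Answers 4 and 5 above, worked through in a small model. This is an added example, not code from the book; the neighbour names, link costs, reported distances and prefix are constructed.

```python
"""Added example (not from the book): EIGRP successor and feasible
successor selection for one prefix, as described in Answers 4 and 5.

Each neighbour reports its own best metric to the prefix (reported
distance, RD). Our cost via that neighbour is RD plus the link cost; the
lowest such cost is the feasible distance (FD). A neighbour is a feasible
successor only if its RD is strictly less than FD (the feasibility
condition), and with the variance multiplier a feasible successor whose
cost is at most variance * FD is also installed as an unequal-cost path.
Neighbour names, costs and the prefix are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Neighbor:
    name: str
    link_cost: int           # metric of our link to the neighbour
    reported_distance: int   # the neighbour's own metric to the prefix

    @property
    def cost_via(self):
        return self.link_cost + self.reported_distance


def classify(neighbors, variance=1):
    """Split the paths to one prefix into successor(s), feasible successors,
    and what ends up in the routing table for the given variance."""
    fd = min(n.cost_via for n in neighbors)
    successors = [n for n in neighbors if n.cost_via == fd]
    # Feasibility condition: RD < F D. A neighbour that fails it may still be
    # a fine path, but EIGRP cannot prove it is loop free without a query.
    feasible = [n for n in neighbors
                if n.cost_via > fd and n.reported_distance < fd]
    unequal = [n for n in feasible if n.cost_via <= variance * fd]
    return {
        "fd": fd,
        "successors": [n.name for n in successors],
        "feasible_successors": [n.name for n in feasible],
        # loop-free paths kept ready in the topology table
        "topology_table": [n.name for n in successors + feasible],
        "routing_table": [n.name for n in successors + unequal],
        "advertised_metric": fd,   # only the successor path is advertised
    }


# Constructed topology table for prefix 192.168.10.0/24 on R1:
#   via B: link 10, B reports 20 -> cost 30 (best, FD = 30)
#   via C: link 25, C reports 20 -> cost 45, RD 20 < 30: feasible successor
#   via D: link 5,  D reports 35 -> cost 40, RD 35 >= 30: fails the
#          feasibility condition even though its cost is lower than via C
NEIGHBORS = [Neighbor("B", 10, 20), Neighbor("C", 25, 20), Neighbor("D", 5, 35)]


if __name__ == "__main__":
    print(classify(NEIGHBORS))
    print(classify(NEIGHBORS, variance=2))
```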
Question 6:
Which of the statements below are true for EIGRP Summarization?
(Choose Two)
A. EIGRP Auto-summarization is on by default for all the
Internal and External routes
B. EIGRP Route summarization can reduce the query domain,
which helps convergence
C. EIGRP Route Summarization can reduce the query domain,
which can prevent the Stuck in Active problem
D. Summarization cannot be done at each hop in EIGRP
Answer 6:
Summarization can be done at each hop in EIGRP. This is different
from OSPF and IS-IS. Auto-summarization is not enabled for all the
routes by default in EIGRP. Summarization helps to reduce the query
domain boundary, which in turn helps with convergence, the SIA problem,
troubleshooting and so on.
That’s why the answers are B and C.
Question 7:
Which of the statements below are true for EIGRP queries? (Choose Two)
A. EIGRP queries always send
Answer 7:
If EIGRP Stub is configured, as explained before, the EIGRP
query is not sent. With summarization and filtering the EIGRP query is
still sent. The EIGRP query domain size affects scalability: if the query domain
size is reduced, scalability increases.
That’s why the answers are B and E.
Question 8:
Why should passive interface be enabled on the access/customer
ports?
A. To prevent injecting the customer prefixes to the network
B. To reduce the size of the routing table
C. For the fast convergence
D. For higher availability
Answer 8:
Passive interface should be used on all host, access and customer
ports. Otherwise a security attack can happen and prefixes can be injected
into the routing domain. It doesn’t provide faster convergence, and the
reason to disable routing protocols on the customer/access ports is not
to reduce the routing table size.
That’s why the answer is A.
Question 9:
If the path in the network is going to be changed by changing an EIGRP
attribute, which of the statements below would you recommend as a network
designer?
A. Bandwidth should be changed
Answer 9:
PBR is not an EIGRP attribute. Reliability is not used for EIGRP
path selection. The bandwidth and delay attributes are used for EIGRP path
selection, and the metric is calculated based on these two parameters.
But since bandwidth can be used by many applications such as QoS,
RSVP-TE and so on, it should not be changed; otherwise other things in the
network can change too.
Also, since the minimum bandwidth is used for path calculation,
changing bandwidth can affect the entire network design, not only the path
which we want.
On the other hand, delay is additive, and changing it affects only the
path which we want.
That’s why the answer is B.
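Answer 9’s argument can be checked numerically with the classic EIGRP composite metric at its default K values. This is an added example, not the book’s code; the link bandwidths and delays are constructed.

```python
"""Added example (not from the book): how the two EIGRP metric inputs from
Answer 9 behave when a designer tries to steer a path. Uses the classic
EIGRP composite metric with the default K values (K1 = K3 = 1, others 0):

    metric = 256 * (10^7 / min_bandwidth_kbps + sum(delay_us) / 10)

Bandwidth enters through the minimum along the path, delay through the
sum. Link values are constructed for the example."""


def eigrp_metric(links):
    """links: sequence of (bandwidth_kbps, delay_us) tuples for one path.
    Integer arithmetic mirrors the router's calculation."""
    min_bw = min(bw for bw, _ in links)
    delay_tens = sum(delay for _, delay in links) // 10
    return 256 * (10_000_000 // min_bw + delay_tens)


def with_bandwidth(links, index, new_kbps):
    """Same path with one link's bandwidth changed."""
    return [(new_kbps if i == index else bw, d)
            for i, (bw, d) in enumerate(links)]


def with_extra_delay(links, index, extra_us):
    """Same path with extra delay added on one link."""
    return [(bw, d + extra_us if i == index else d)
            for i, (bw, d) in enumerate(links)]


# Constructed path: two 1 Gbps links around a 100 Mbps bottleneck link.
PATH = [(1_000_000, 10), (100_000, 10), (1_000_000, 10)]


def steering_demo():
    """Compare how the path metric reacts to the two kinds of change."""
    base = eigrp_metric(PATH)
    return {
        "base": base,
        # Halving a non-bottleneck link's bandwidth: the minimum is unchanged,
        # so the metric does not move and the path cannot be steered this way.
        "bandwidth_on_fast_link": eigrp_metric(with_bandwidth(PATH, 0, 500_000)),
        # Lowering the bottleneck link's bandwidth does move the metric, but
        # every path crossing that link (and any QoS or RSVP-TE policy that
        # reads the interface bandwidth) moves with it.
        "bandwidth_on_bottleneck": eigrp_metric(with_bandwidth(PATH, 1, 50_000)),
        # Extra delay is additive: the metric rises by exactly 256 * extra/10
        # on this path only, whatever the other links look like.
        "delay_on_fast_link": eigrp_metric(with_extra_delay(PATH, 0, 500)),
    }


if __name__ == "__main__":
    for name, value in steering_demo().items():
        print(f"{name}: {value}")
```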
Question 10:
When EIGRP is used as the MPLS VPN PE-CE routing protocol, which of the
mechanisms below helps with loop prevention even if there is a backdoor
link?
A. Up/Down bit
B. Sham link
C. Site of Origin
D. Split Horizon
Answer 10:
EIGRP Site of Origin is used to prevent loops even if there is a
backdoor link. A backdoor link causes a race condition in MPLS VPN
topologies and can create suboptimal routing and routing loops.
It will be explained in detail in the MPLS VPN section of the MPLS
chapter.
That’s why the answer is C.
Books
Pepelnjak, I. (2000). EIGRP Network Design Solutions, Cisco Press Core.
Videos
Cisco Live Session BRKRST-2336
Podcast
http://packetpushers.net/show-144-open-eigrp-with-russ-white-ciscos-donnie-savage/
Articles
http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/eigrpstb.html
http://www.cisco.com/c/en/us/td/docs/ios/xml/ios/iproute/_eigrp/configuration/xe-3s/ire/xe/3s-book/ire-ipfrr.html
Chapter 6
VPN DESIGN
• GRE
• mGRE
• IPSEC
• DMVPN
• GETVPN
• LISP
VPN Theory
A Virtual Private Network is a logical entity which is created over a
physical infrastructure. It can be set up over another private network such
as MPLS, or over a public network such as the Internet.
All VPN technologies add extra bytes to the packet or frame, which
increases the overall packet size, so the network links should be accommodated
to handle bigger MTU values.
VPN technologies work based on encapsulation and decapsulation.
For example GRE, mGRE and DMVPN encapsulate IP packets into
another IP packet, while VPLS and EVPN encapsulate Layer 2 frames into
MPLS packets.
You can run routing protocols over some VPN technologies, but not
all VPN technologies allow you to run routing protocols.
In order to support routing over a tunnel, the tunnel endpoints should be
aware of each other.
For example, MPLS Traffic Engineering tunnels don’t support running routing
protocols over them, since the LSPs are unidirectional, which means the
head-end and tail-end routers are not associated. This will be explained
in detail in the MPLS chapter.
All VPN technologies in our list, except IPSEC and LISP, support running
routing protocols over them.
GRE
GRE tunnels are by far the most common tunneling technology. They are very
easy to set up, troubleshoot and operate, but in large scale deployments
configuring GRE tunnels becomes cumbersome.
• GRE adds 24 bytes to the IP packet: a 4 byte GRE header and a 20 byte
new IP header are added; this increases the size of the IP packet.
Careful planning of the interface MTU is necessary.
• GRE doesn’t come with encryption by default, so in order to encrypt
the packet, IPSEC should be enabled over the GRE tunnel.
mGRE – Multipoint GRE
• mGRE tunnels allow multiple destinations, such as multiple spoke
sites, to be grouped into a single multipoint interface.
• mGRE is a multipoint bidirectional GRE tunnel.
• It uses only 1 IP subnet, so the routing tables of the routers are reduced,
which is good for convergence, troubleshooting and device
performance.
• The remote endpoint address is not configured, which is why it requires
additional mechanisms for tunnel endpoint discovery. These
additional mechanisms can be BGP or NHRP. When it is used with
NHRP, the solution is called DMVPN, which we will see later in detail.
• Supports IPSEC and routing protocols running on top.
• Supports IPv6 and non-IP protocols.
• Doesn’t require a manually configured GRE tunnel, which is why
configuration complexity is greatly reduced.
• Suitable for full mesh topologies such as spoke to spoke tunnels.
IPSEC
IPSEC provides secure transmission of packets at the IP layer (not
Layer 2). For Layer 2 encryption MACSEC is used. With IPSEC, packets
are authenticated and encrypted.
DMVPN
DMVPN is a Point to Multipoint and Multipoint to Multipoint tunneling
technology. It greatly reduces the configuration in full mesh topologies.
It is a Cisco proprietary technology, but the multipoint to multipoint automatic
tunneling concept is supported by many vendors.
• DMVPN Works based on two standard technologies; NHRP and
mGRE (Multipoint GRE).
• NHRP is used to map NBMA/Underlay address to the Tunnel/
Overlay address.
• mGRE tunnel interface doesn’t require manual tunnel destination
configuration.
• Local address/LAN subnets are advertised over the overlay tunnels
(DMVPN tunnels) through the routing protocols.
• Spoke to Hub tunnels are always up. They are permanent tunnels, as
can be seen in the above picture.
• Spoke to Spoke tunnels are on demand tunnels; if there is no
traffic between the spokes, they are torn down.
• The Hub site IP address has to be static and should be known by every
spoke.
• Spoke IP addresses can be dynamic; they are registered to the
hub by the NHRP protocol. In real life deployments, spoke sites can
receive a public IP address from the dynamic pool of the Internet
Service Provider.
• Multicast is not natively supported in DMVPN. Multicast is supported
via ingress replication done at the hub, thus multicast support
in DMVPN can create a scalability problem in large scale designs,
especially at the hub site.
• Per tunnel QoS is supported in DMVPN; this prevents the hub from
over-utilizing the spoke bandwidth.
• All routing protocols, except IS-IS, can run over DMVPN. IS-IS
cannot run since DMVPN only supports IP protocols and IS-IS
works based on Layer 2.
• DMVPN was invented by Cisco, but other vendors provide the capability
under a different name; Cisco’s implementation is not compatible with
the other vendors’.
• IPSEC is optional in DMVPN and can be implemented as native
point to point IPSEC or with GETVPN (Group key).
• DMVPN can carry IPv4 and IPv6 unicast and multicast packets over
the overlay tunnels.
• DMVPN can also work over IPv4 and IPv6 private and public
infrastructure transport such as the Internet or MPLS VPN.
• There are three phases of DMVPN: Phase 1, Phase 2 and Phase 3.
• In all the DMVPN phases, overlay routing protocol control packets
pass through the hub. There is no spoke to spoke control plane
traffic, so routing protocol traffic always goes through the hub.
DMVPN Phase 1
• Spokes use Point to Point GRE, but the Hub uses a multipoint GRE
tunnel.
• The mGRE tunnel interface greatly simplifies configuration on
the Hub.
• Spokes have to specify the tunnel destination manually as the Hub, since
they run a P2P GRE tunnel, not an mGRE tunnel, in DMVPN Phase 1.
• Summarization is allowed from the Hub down to the spokes. The
Hub can even send only a default route, since the Hub does not preserve
the remote spokes’ next hop in Phase 1.
• The Hub changes the IGP next hop to itself, hence spoke to spoke traffic
always passes through the Hub. There is no spoke to spoke tunnel in
DMVPN Phase 1.
• Spoke to spoke tunnels cannot be created, which is why DMVPN Phase
1 doesn’t provide full mesh connectivity.
DMVPN Phase 2
• Spoke to spoke dynamic on demand tunnels were first introduced in
DMVPN Phase 2.
• In contrast to Phase 1, an mGRE (Multipoint GRE, not Multicast)
interface is used in Phase 2 on the spokes.
• Thus, spokes don’t require tunnel destination configuration under the
tunnel interface, and the tunnel mode is configured as “multipoint GRE”.
• Spoke to spoke traffic doesn’t have to go through the Hub. Spokes
can trigger an on demand tunnel between them.
• The biggest disadvantage of Phase 2 is that each spoke has to have all the
remote LAN subnets of each other, since the Hub preserves the
DMVPN Phase 3
• Spoke to spoke dynamic tunnels are allowed in DMVPN Phase 3 as
well.
• Spokes don’t have to have the next hop of each other’s private
addresses.
• An NHRP redirect message is sent to the spokes to trigger spoke to
GETVPN
• Uses IPSEC tunnel mode.
• GETVPN is a Cisco proprietary protocol, but the concept of any to any
IPSEC is supported by other vendors under different names as
well.
• Can run over a private network only; it cannot run over the public Internet
due to IP header preservation.
In the picture below, the GETVPN header is shown. You can see that it is
very similar to IPSEC tunnel mode, but the outer IP header is preserved.
This is different from regular IPSEC tunnel mode, which uses a different
IP header after the ESP header.
One of the common questions from customers in real life, as well
as in the design exam, is the GETVPN to DMVPN comparison. For many
design criteria, you should know the pros and cons of each technology.
DMVPN vs. GETVPN Comparison
The comparison below provides a detailed overview of these two
overlay VPN technologies from the design point of view.
Network designers should know the pros and cons of the technologies,
protocol alternatives and their capabilities from the design point of view.
Scalability
• DMVPN: Scalable
• GETVPN: Much more scalable than DMVPN
Working on Full Mesh topology
• DMVPN: Permanent hub and spoke tunnels and on demand spoke to spoke tunnels; it works but with limited scalability
• GETVPN: It works perfectly if the underlying routing architecture is a full mesh topology; GETVPN needs underlay routing
Working on Hub and Spoke
• DMVPN: Works very well
• GETVPN: Works very well
Suitable on private WAN
• DMVPN: Yes
• GETVPN: Yes
Suitable over Public Internet
• DMVPN: Yes
• GETVPN: No. GETVPN cannot run over the Public Internet because of IP header preservation
End point discovery
• DMVPN: Uses underlay routing to set up the mGRE tunnels and NHRP (Next Hop Resolution Protocol) for the private address discovery
• GETVPN: Uses underlay routing to create the VPN; there are no overlay tunnels
Tunnel Requirement
• DMVPN: Yes, it uses mGRE (Multipoint GRE) tunnels to create overlays
• GETVPN: It is a tunnelless VPN; it uses the underlying routing to encrypt the data between endpoints
Standard Protocol
• DMVPN: No, Cisco proprietary
• GETVPN: No, Cisco proprietary, but Juniper also supports the same idea with its Group VPN feature
Staff Experience
• DMVPN: Not well known
• GETVPN: Not well known
Overlay Routing Protocol Support
• DMVPN: All routing protocols except IS-IS are supported; IS-IS runs on top of Layer 2 but only IP protocols can run over DMVPN
• GETVPN: It is a tunnelless VPN, so routing protocols cannot run on top of GETVPN, but it requires underlying routing protocols to set up the communication
Required Protocols
• DMVPN: NHRP and mGRE
• GETVPN: GDOI and ESP
QoS Support
• DMVPN: Good; can support per tunnel QoS, which uses shaping on the DMVPN Hub to protect capacity and SLA
• GETVPN: Good; it uses the underlying network's QoS architecture, and in addition to queuing, shaping at the GETVPN Group Members to protect SLA is enabled
Multicast Support
• DMVPN: Multicast over the tunnel is handled at the DMVPN Hub. The Hub replicates multicast traffic, which is not efficient
• GETVPN: Native multicast support. Multicast replication is done in the network and doesn't need a Hub device to replicate. Multicast MDTs (Source, Shared) are used in the traditional way, so multicast handling in GETVPN is much better than in DMVPN
• There is also an attempt to provide MAC in IP encapsulation in LISP; it
is still an IETF draft. This can be the LISP use case in the Datacenter.
OTV uses MAC in IP encapsulation and is the commonly used Cisco VPN
technology for the Datacenter Interconnect use case.
• There is an Experimental RFC (RFC 6830) on LISP, but it was
invented by Cisco.
• Similar to the DNS infrastructure, a Mapping Database keeps the host to
gateway mapping information.
• Host space is called EID (Endpoint Identifier) and its gateway is
called RLOC (Routing Locator). RLOC IP addresses are learned
through the underlying routing infrastructure, but routing protocols
don't advertise the EID space. EID prefixes are learned from the Mapping
Database whenever they are needed.
• EID space is similar to the local IP subnet and RLOC space is similar to
the NBMA address in DMVPN. You can probably remember them more easily
with this comparison.
• There are many LISP use cases. The most interesting LISP use cases
are VM Mobility in the Datacenter, BGP Traffic Engineering at the
Internet Edge and IPv6 transition (IPv6 over IPv4 or IPv4 over IPv6
infrastructure).
The table below summarizes the similarities and differences of all the
VPN technologies which have been discussed in this chapter in great
detail.
Network designers should know the pros and cons of the technologies,
protocol alternatives and their capabilities from the design point of view.
Many design requirements are given in the table below, and the
explanation is shared for each of the technologies.
Scalability
• GRE: Not scalable. Point to point technology
• mGRE: Scalable; one tunnel interface for multiple tunnel endpoints
• IPSEC: Not scalable, point to point technology
• DMVPN: Scalable for routing but not scalable for IPSEC. DMVPN is used with IPSEC in general
• GETVPN: Very scalable technology
Working on Full Mesh topology
• GRE: It works but is not scalable if there are too many devices to connect
• mGRE: It works very well on a full mesh topology
• IPSEC: It works but is not scalable if there are too many devices to connect
• DMVPN: Permanent hub and spoke tunnels and on demand spoke to spoke tunnels; it works but with limited scalability
• GETVPN: It works perfectly if the underlying routing architecture is a full mesh topology; GETVPN needs an underlay routing protocol
Working on Hub and Spoke
• GRE: It works but requires too much processing power on the Hub site
• mGRE: Yes, works well
• IPSEC: Yes, it is suitable on Hub and Spoke
• DMVPN: It works but requires too much processing power on the Hub site from the IPSEC point of view; for the routing it works very well
• GETVPN: Works very well
Suitable on private WAN
• GRE: Yes
• mGRE: Yes
• IPSEC: Yes
• DMVPN: Yes
• GETVPN: Yes
Suitable over Public Internet
• GRE: Yes
• mGRE: Yes
• IPSEC: Yes
• DMVPN: Yes
• GETVPN: No. GETVPN cannot run over the Public Internet because of IP header preservation
End point discovery
• GRE: Tunnel source and destination need to be manually defined
• mGRE: Tunnel destination is not specified manually; it is automatic
• IPSEC: Manual configuration
• DMVPN: Uses underlay routing to set up the mGRE tunnels and NHRP (Next Hop Resolution Protocol) for the private address discovery
• GETVPN: Uses underlay routing to create the VPN; there are no overlay tunnels
Tunnel Requirement
• GRE: Yes, a point to point tunnel is required
• mGRE: Yes, a tunnel is required
• IPSEC: Yes, a tunnel is required
• DMVPN: Yes, it uses mGRE (Multipoint GRE) tunnels to create overlays
• GETVPN: It is a tunnelless VPN; it uses the underlying routing to encrypt the data between endpoints
Standard Protocol
• GRE: Yes
• mGRE: Yes
• IPSEC: Yes
• DMVPN: No, Cisco proprietary
• GETVPN: No, Cisco proprietary, but Juniper also supports the same idea with its Group VPN feature
Staff Experience
• GRE: Very well known
• mGRE: Well known
• IPSEC: Very well known
• DMVPN: Not well known
• GETVPN: Not well known
Overlay Routing Protocol Support
• GRE: Can run over all routing protocols
• mGRE: Can run over all routing protocols
• IPSEC: Can run over all routing protocols
• DMVPN: All routing protocols except IS-IS are supported; IS-IS runs on top of Layer 2 but only IP protocols can run over DMVPN
• GETVPN: It is a tunnelless VPN, so routing protocols cannot run on top of GETVPN, but it requires underlying routing protocols to set up the communication
Required Protocols
• GRE: GRE tunnel and IP reachability between end points
• mGRE: Multipoint GRE tunnel and IP reachability between end points
• IPSEC: IP reachability between end points, IKE and ESP
• DMVPN: NHRP and mGRE
• GETVPN: GDOI and ESP
QoS Support
• GRE: Very well, flexible QoS
• mGRE: Well
• IPSEC: Supported with TOS byte preservation
• DMVPN: Good; can support per tunnel QoS, which uses shaping on the DMVPN Hub to protect capacity and SLA
• GETVPN: Good; it uses the underlying network's QoS architecture, and in addition to queuing, shaping at the GETVPN Group Members to protect SLA is enabled
Multicast Support
• GRE: Yes
• mGRE: Yes
• IPSEC: No
• DMVPN: Multicast over the tunnel is handled at the DMVPN Hub. The Hub replicates multicast traffic, which is not efficient
• GETVPN: Native multicast support. Multicast replication is done in the network and doesn't need a Hub device to replicate. Multicast MDTs (Source, Shared) are used in the traditional way, so multicast handling in GETVPN is much better than in DMVPN
Security
• GRE: No
• mGRE: No
• IPSEC: Yes, point to point IPSEC SAs
• DMVPN: Point to point IPSEC SA
• GETVPN: Multipoint to multipoint IPSEC SA
Resource Requirement
• GRE: More
• mGRE: Less
• IPSEC: More
• DMVPN: More
• GETVPN: Less
Question 1:
Which below statements are true for DMVPN? (Choose Two)
A. DMVPN can work over IPv6
B. IPv6 can work over DMVPN
C. OSPF and IS-IS as link state protocols can run over DMVPN
D. DMVPN cannot run over Internet since there may not be
static Public IP address at every spoke sites
Answer 1:
As it was mentioned in this chapter, DMVPN can work over IPv4 and
IPv6, and both IPv4 and IPv6 can run on top of DMVPN.
Question 2:
Which below statements are true for GRE tunnels? (Choose Three)
A. Any routing protocols can run on top of GRE tunnels
B. Multicast can run on top of GRE tunnels
C. GRE tunnels are multi point to multi point tunnels
D. Non-IP protocols are supported over GRE tunnels
E. From the processing point of view, for the devices, GRE
encapsulation and decapsulation is harder than IPSEC
encryption/decryption
Answer 2:
Any routing protocol can run on top of GRE tunnels, including IS-IS.
Multicast can run as well.
Question 3:
Which below option is true for GETVPN over DMVPN for Internet
deployment?
security risk
D. GETVPN doesn’t bring extra scalability since DMVPN
already provides it
Answer 3:
GETVPN and DMVPN can work together, thus Option A is
incorrect. It is true that GETVPN cannot work over the Internet, but the question
is asking about a specific deployment, GETVPN over DMVPN, which can
work over the Internet. That's why Option B is incorrect.
GETVPN brings scalability for the IPSEC part when it is used
together with DMVPN.
The only correct option is C, since GETVPN key servers would be placed
in a public place, which is a security risk.
Question 4:
Which below statement is true for IPSEC VPN? (Choose Two)
Answer 4:
Multicast and routing protocols cannot run over IPSEC tunnels.
IPSEC tunnels are point-to-point tunnels.
There are no LISP tunnels, thus IPSEC cannot run over LISP tunnels,
but the wording could be that IPSEC can run with LISP, and there are real world
deployments with LISP and GETVPN (Multipoint IPSEC).
That's why the correct answer to this question is A and B.
Question 5
Which below option is important in GRE tunnel deployment?
(Choose Two)
A. GRE Tunnel endpoints shouldn’t be learned over the tunnel
B. GRE tunnel endpoints are manually configured
C. IPSEC is enable by default on GRE tunnels
D. Tunnel destination address is learned through an
Authoritative server
Answer 5:
The tunnel destination address is not learned through an authoritative
server in GRE tunnels. This is done in LISP, for example. IPSEC is not
enabled by default with GRE tunnels.
One of the most important design considerations in GRE tunnels is that the
tunnel endpoint address (tunnel destination address) shouldn't be learned over
the tunnel. Otherwise the tunnel comes up and goes down: it flaps.
Another correct answer is B, because GRE tunnels are manual tunnels,
which require manual tunnel destination configuration.
Thus the correct answer to this question is A and B.
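The recursive-routing failure described in this answer, as an added example that is not part of the book: a small Python model of a spoke's routing table that flags a GRE tunnel whose destination would be resolved through the tunnel itself once routes learned over the tunnel are installed. The interface names, addresses and advertised prefixes are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One RIB entry: the prefix, the interface it points out of, and its origin."""
    prefix: ipaddress.IPv4Network
    egress: str
    source: str


def best_route(rib, destination):
    """Longest-prefix match, which is how the RIB resolves a tunnel destination."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def tunnel_is_recursive(rib, tunnel_if, tunnel_dst):
    """True when the best route to the tunnel endpoint exits via the tunnel itself:
    the tunnel then needs itself to reach its own endpoint and is torn down."""
    r = best_route(rib, tunnel_dst)
    return r is not None and r.egress == tunnel_if


def rib_with_tunnel_up(base_rib, tunnel_if, learned_over_tunnel):
    """RIB as it looks once the tunnel is up and the IGP running over it has
    installed the prefixes the far end advertised."""
    learned = [Route(ipaddress.ip_network(p), tunnel_if, "igp-over-tunnel")
               for p in learned_over_tunnel]
    return list(base_rib) + learned


def audit_tunnel(base_rib, tunnel_if, tunnel_dst, learned_over_tunnel):
    """'stable' if the endpoint still resolves out of a physical interface after
    the tunnel routes are installed, 'flaps' if it recurses into the tunnel."""
    rib_up = rib_with_tunnel_up(base_rib, tunnel_if, learned_over_tunnel)
    return "flaps" if tunnel_is_recursive(rib_up, tunnel_if, tunnel_dst) else "stable"


# Constructed sample spoke: uplink Gi0/0 with a static default, Tunnel0 to hub 203.0.113.1.
BASE_RIB = [
    Route(ipaddress.ip_network("198.51.100.0/30"), "Gi0/0", "connected"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/0", "static"),
]
# The fix from the answer: a host route to the endpoint pinned to the physical interface.
PINNED_RIB = BASE_RIB + [Route(ipaddress.ip_network("203.0.113.1/32"), "Gi0/0", "static")]
# The hub advertises its own WAN block (which contains the endpoint) and a LAN over the tunnel.
HUB_ADVERTISES = ["203.0.113.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    for name, rib in (("no host route", BASE_RIB), ("pinned host route", PINNED_RIB)):
        print(name, "->", audit_tunnel(rib, "Tunnel0", "203.0.113.1", HUB_ADVERTISES))
```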
Question 6:
Answer 6:
DMVPN is a Cisco proprietary solution that cannot interoperate with
other vendors' VPN solutions. It only supports IP tunneling, as was
explained in the VPN chapter. Thus IS-IS is not supported over DMVPN.
DMVPN supports multicast, but replication is done at the Hub. It is
not native multicast as is the case in GETVPN.
DMVPN can run over IPv6 transport, and Hub and Spoke, Partial
Mesh and Full Mesh topologies can be created with DMVPN as explained
in the VPN chapter.
That's why the correct answer to this question is C, D and E.
Question 7:
Which below options are true for DMVPN vs. GETVPN comparison?
(Choose Three)
A. IPSEC scalability point of view GETVPN is much better
than DMVPN
B. DMVPN provides multi point to multipoint topology but
GETVPN cannot
C. DMVPN is a tunnel based technology but GETVPN is
tunnelless technology
D. DMVPN is a Cisco proprietary technology but GETVPN is
standard based
E. DMVPN can run over Internet but GETVPN cannot.
Answer 7:
Question 8:
Which below statements are true for the GETVPN? (Choose Three)
A. It is a tunnelless technology
B. It uses GDOI for key distribution
C. Multicast replication is done at the HUB
Answer 8:
GETVPN is a tunnelless technology, but routing protocols cannot run
over GETVPN. GETVPN runs over the routing protocol, so it is not an
underlay VPN mechanism. It uses GDOI for the key distribution, as was
explained in the VPN chapter.
Multicast is native in GETVPN, so there is no Hub multicast
replication as is the case in DMVPN.
It cannot run over the Public Internet due to IP header preservation.
That's why the correct answer to this question is A, B and D.
Question 9:
Which below statements are true for LISP? (Choose Three)
A. LISP is an MAC in MAC encapsulation mechanism.
B. LISP can encapsulate IPv6 in IPv4
Answer 9:
LISP is an IP in IP encapsulation mechanism, which allows IP mobility.
It can encapsulate IPv6 in IPv4 packets and vice versa.
It doesn’t come with IPSEC encryption by default.
That’s why the correct answer of this question is B, C and D.
Question 10:
Which below statements are true for DMVPN Phases? (Choose Four)
A. DMVPN Phase 1 supports spoke to spoke dynamic tunnels
B. DMVPN Phase 1 uses permanent point to point GRE
tunnels on the spokes
C. DMVPN Phase 2 requires IP next hop preservation
D. DMVPN Phase 3 allows summarization
E. Only DMVPN Phase 2 and Phase 3 supports dynamic spoke
to spoke tunnels thus full mesh topology can be created
Answer 10:
DMVPN Phase 1 doesn't support spoke-to-spoke dynamic tunnels. It
uses point-to-point permanent GRE tunnels on the spokes. The Hub still uses
an mGRE tunnel though.
DMVPN Phase 2 requires IP next hop preservation. The Hub doesn't
change the IP next hop to itself.
DMVPN Phase 3 allows summarization.
And only DMVPN Phase 2 and Phase 3 support dynamic spoke-to-
spoke tunnels, which allow a full-mesh topology to be created.
That's why the answer to this question is B, C, D and E.
Chapter 7
IPV6 design
This chapter will start with a basic IPv6 definition. Then the below
sections will be covered:
• IPv6 Business Drivers
• IPv6 Address Types
• IPv6 Routing Protocols Overview
• IPv6 Design and Deployment Methodology
• IPv6 Transition Mechanisms
What is IPv6?
Business Continuity
This business driver is applicable to any type of network. Especially
in Enterprise networks, starting the IPv6 design at the Internet Edge
provides business continuity. Customers can reach the e-commerce website
of the company, and the business doesn't miss the opportunity. This approach
is also called 'Thin Edge'. The Thin Edge IPv6 deployment method shows the
highest observed growth in Enterprises.
Also, there will be more need for IP addresses in Enterprise networks
with emerging applications such as the Internet of Things (IoT).
The network today enables all enterprise business transactions. As
enterprises move into emerging markets to expand their business, the
network needs to grow, and more IP addresses need to be allocated.
Easier Network Mergers and Acquisitions
When one company acquires or merges with another, this often causes
a conflict or “collision” in the RFC 1918 IPv4 private address space.
For example, one company might run a 192.x.x.x address space, and
the company it acquires might also use this same address space.
Many companies deploy a NAT overlap pool for a period of time,
where both companies communicate with each other over a non-
overlapping address space such as 10.x.x.x.
This allows the hosts at both companies to communicate until one of
developments in verticals such as energy management, power distribution,
and other utility advancements, have matured and grown in size to the
point of applying pressure to existing technologies, products, and IPv4.
The evolution of technologies in SmartGrid, broadband cable, and
mobile operators now require more and more devices to connect to the
Internet.
Regardless of the use case or technology, all these maturing
technologies and use cases either already or soon will depend on IP as
their means of communication. IPv4 cannot support these demands, and
IPv6 is the way forward for each of these areas of development.
In OSPFv3, prefix information is not carried in the Router LSA, which
carries only topology information.
This brings scalability to the network design because, unlike in OSPFv2, if a
new loopback interface is added or a new subnet is added to the network,
routers in the network don't run a full SPF.
In OSPFv2, even creating a loopback interface would cause all the
routers in the network to run a full SPF, which is a resource intensive task,
especially for low-end devices.
In the below OSPFv2 vs. OSPFv3 comparison table, you will see
almost all the similarities and differences between the two protocols.
This table should be known not only by network designers but also by
any network engineer, exam taker and those who are considering deploying
IPv6 in their network.
Scalability
• OSPFv2: Good
• OSPFv3: Better, since the Router and Network LSAs don't contain prefix information but only topology information
Working on Full Mesh
• OSPFv2: Works well with mesh group
• OSPFv3: Works well with mesh group
Working on Hub and Spoke
• OSPFv2: Works badly, requires tuning
• OSPFv3: Works poorly, requires a lot of tuning
Fast Reroute Support
• OSPFv2: Yes, IP FRR
• OSPFv3: Yes, IP FRR but limited platform support
Suitable on WAN
• OSPFv2: Yes
• OSPFv3: Yes
Suitable on Datacenter
• OSPFv2: DCs are full mesh, so not well
• OSPFv3: DCs are full mesh, so not well
Suitable on Internet Edge
• OSPFv2: No, it is designed as an IGP
• OSPFv3: No, it is designed as an IGP
Standard Protocol
• OSPFv2: Yes, IETF Standard
• OSPFv3: Yes, IETF Standard
New LSAs
• OSPFv2: None
• OSPFv3: Link LSA (Type 8) is used for adjacency formation and has link local scope only; Intra-Area-Prefix LSA (Type 9), which is one of the biggest enhancements since it is used to carry prefix information only, inside an area
Transport
• OSPFv2: Multicast, 224.0.0.5 and 224.0.0.6
• OSPFv3: Same but with IPv6 addresses. Multicast, FF02::5 and FF02::6
Reachability info handling
• OSPFv2: Inside an area, the Router and Network LSAs carry the reachability information; between areas reachability info is carried
• OSPFv3: Inside an area, reachability information is carried in the Intra-Area-Prefix LSA (Type 9), which is a new LSA type; inter area prefixes are still carried in the Type 3 LSA but
IPv4 Support
• OSPFv2: Yes
• OSPFv3: Yes
Default Convergence
• OSPFv2: Slow
• OSPFv3: Even slower if multiple address families are used
Troubleshooting
• OSPFv2: Easy
• OSPFv3: Harder, requires understanding IPv6 addressing; after that it is the same packet types, LSA, LSU, DBD
Routing Loop
• OSPFv2: Inter area prefixes should be received from the ABR; all non-backbone areas should be connected to the backbone area
• OSPFv3: Same as OSPFv2. Inter area prefixes should be received from the ABR; all non-backbone areas should be connected to the backbone area
IPv6 deployment can be done in many ways. In this section, the most
common deployment methodology will be explained.
This is not a migration methodology from IPv4 to IPv6, but the steps will
explain how to deploy IPv6 on any type of network.
If some feature or mechanism is only applicable to a specific business
type, it will be highlighted.
Prior to IPv6 deployment on the network infrastructure, some jobs
need to be completed first.
The first three tasks below should be completed before doing IPv6
related technical tasks such as routing protocol configuration, transition
mechanism deployment and so on.
MPLS Transport:
6PE and 6VPE are the best strategies for the MPLS based backbone
infrastructure. These will be explained later in this chapter in detail.
1. Network Readiness Assessment:
• You should check whether your infrastructure is ready for IPv6.
• What can run IPv6 today and what needs to be upgraded?
2. Network Optimization and Garbage Collection
• If you have finished the previous step, the Network Readiness Assessment,
the network is ready for IPv6. But before starting the
technical IPv6 tasks, we may want to optimize our existing network.
Network optimization means checking the best practices for the
technologies, looking for optimal routing, removing unused features,
securing the infrastructure and so on.
If you are still running RIPv2, you may want to migrate it to another protocol,
for example.
IPv4 might have been deployed on the network for many years, and
you probably haven't looked for optimization.
IPv6 deployment is a good time to optimize the existing network, so
IPv6 can work on a clean infrastructure.
We should avoid the mistakes that have been made in IPv4.
3. IPv6 Address Procurement
IPv6 addresses can be received either from ISPs (Local Internet
Registries) or from an RIR (Regional Internet Registry).
Regional Internet Registries (ARIN, APNIC, RIPE and so on) assign
a /32 to the Service Providers. This provides 65k /48 subnets. If a company
requires more, they can get it as well.
If the IPv6 address space is received from the ISPs, allocation policy
in general is /48. This provides 65k /64 subnets.
Multihoming issue in IPv4 is the same in IPv6.
If the Enterprise Company is looking for multihoming, address space
should be received from the RIR to avoid readdressing and other issues.
When the prefixes are received from the RIR, those prefixes are called
Provider Independent (PI) prefixes. It is also known as PI space.
4. IPv6 Addressing Plan
When creating an IPv6 addressing plan, there are a couple of things that need
to be considered by every business:
• Scalable plan should be created
• Assigning IPv6 addresses at the Nibble boundary
• BCP (Best Current Practices) should be known
• Address space can be distributed based on function
Let’s take a look at why assigning IPv6 address at the nibble boundary
is important.
Assigning an IPv6 addresses at the Nibble Boundary
IPv6 offers network engineers more flexible addressing plan.
particular POP location.
There are Infrastructure addressing part and the Customer/end user
part in the IPv6 addressing.
In the Service provider network, Infrastructure is Core backbone,
POP locations, Datacenter and so on. Customer IPv6 addressing depends
on the business. Some Service Providers can have Broadband, Cable
modem, Business customers and so on.
Let’s look at Service Provider IPv6 addressing plan.
Service Provider IPv6 Addressing Plan:
Service Providers receive /32 from the RIR (Regional Internet
Registries)
Different Service Providers may have different allocation policies. As
you will see in the below examples, one Service Provider may assign a /48
for the whole infrastructure; another SP can assign one /48 per region.
It depends on the Service Provider's size and geographical distribution.
Backbone Interfaces:
• One /48 is allocated for the whole backbone
• This provides 65k subnets
• Some multi national companies can assign /48 per region
• Between region summarization provides scalability
Local Area Networks:
• /64 per LAN is assigned
• Some networks in real life assign /96 as well.
Point-to-Point Links:
• Best practice is using /127 for the point to point links as per RFC
6164
• Many operators are reserving /64 but assigning /127 for the point to
point links
• /64 is for the very small network.
• /56 is for the Small to Medium businesses (/56 provides 256 subnets)
• /48 is for the Enterprises (/48 provides 65k subnets)
• Similar to the Customer to SP point-to-point link addresses, Customer
addresses shouldn't be carried in the SP IGP. Those prefixes should
be carried in BGP. IGP is not designed to carry millions of prefixes.
• The Service Provider shouldn't assign customer IPv6 addresses on a per
POP basis, because customers might move; allocating customer IPv6
addresses on a per Region basis makes more sense.
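The Service Provider addressing plan described above, as an added example that is not the book's own: a Python script that carves an RIR /32 (the documentation prefix 2001:db8::/32 is used) into a backbone /48, per-region customer aggregates and /127 point-to-point links, and checks that every allocation sits on a nibble boundary. The /36 per region and the /40 pool per customer size inside each region are my assumptions for the illustration, not values from the text.

```python
import ipaddress

# Customer allocation sizes from the addressing plan guidance above.
CUSTOMER_SIZES = {"very_small": 64, "smb": 56, "enterprise": 48}


def subnet_count(parent_len, child_len):
    """Number of child prefixes in a parent, e.g. subnet_count(48, 64) == 65536."""
    if child_len < parent_len:
        raise ValueError("child prefix must be at least as long as the parent")
    return 2 ** (child_len - parent_len)


def on_nibble_boundary(network):
    """A prefix sits on a nibble boundary when its length is a multiple of 4,
    so the allocation ends exactly on a hex digit and stays readable."""
    return network.prefixlen % 4 == 0


def nth_subnet(parent, child_len, index):
    """The index-th child prefix of `parent`, computed arithmetically so it
    works for any of the 65k+ children without iterating over all of them."""
    if not on_nibble_boundary(parent) or child_len % 4:
        raise ValueError("allocations are made on nibble boundaries only")
    if index >= subnet_count(parent.prefixlen, child_len):
        raise ValueError("index beyond the end of the aggregate")
    base = int(parent.network_address) + (index << (128 - child_len))
    return ipaddress.IPv6Network((base, child_len))


def p2p_link(reserved_64):
    """RFC 6164 style point-to-point link: reserve the /64, address the link
    from its first /127, and return (link, near_end, far_end)."""
    if reserved_64.prefixlen != 64:
        raise ValueError("reserve a /64 per point-to-point link")
    link = ipaddress.IPv6Network((int(reserved_64.network_address), 127))
    return link, link.network_address, link.network_address + 1


def build_sp_plan(rir_block="2001:db8::/32", regions=("eu", "us", "ap")):
    """Carve an RIR /32 into the aggregates used in this section. Assumed
    (not from the text): one /36 per region, and inside each region one /40
    pool per customer size; the first /36 is kept for infrastructure."""
    block = ipaddress.ip_network(rir_block)
    aggregates = list(block.subnets(new_prefix=36))  # 16 nibble-aligned /36s
    infra = aggregates[0]
    plan = {
        "backbone": nth_subnet(infra, 48, 0),  # one /48 for the whole backbone
        "regions": {},
    }
    for i, name in enumerate(regions):
        region = aggregates[1 + i]
        pools = {size: nth_subnet(region, 40, n) for n, size in enumerate(CUSTOMER_SIZES)}
        plan["regions"][name] = {"aggregate": region, "pools": pools}
    return plan


def customer_prefix(plan, region, size, index):
    """Allocate the index-th customer block of a given size inside a region, so
    customer prefixes aggregate per region (not per POP) when carried in BGP."""
    pool = plan["regions"][region]["pools"][size]
    return nth_subnet(pool, CUSTOMER_SIZES[size], index)


def backbone_link(plan, index):
    """Reserve the index-th /64 of the backbone /48 for a point-to-point link."""
    return p2p_link(nth_subnet(plan["backbone"], 64, index))


if __name__ == "__main__":
    plan = build_sp_plan()
    print("backbone:", plan["backbone"])
    for name, region in plan["regions"].items():
        print(name, region["aggregate"], region["pools"])
    print("enterprise #3 in eu:", customer_prefix(plan, "eu", "enterprise", 3))
    print("backbone link #1:", backbone_link(plan, 1))
```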
The organization can represent its services and content over both the
existing IPv4 connection and the new IPv6 connection.
When the model is selected by the business, all the necessary interfaces
should be configured according to the IPv6 address plan, which has been
done in the earlier stage.
Routing protocols are configured.
Don't forget that OSPFv2 doesn't support IPv6. OSPFv3 supports
both IPv4 and IPv6.
Depending on the selected model, the IPv6 transition technology will be
put in place.
Let's take a look at the most common IPv6 transition technologies.
The only available public IP addresses are IPv6 addresses, but the vast
majority of the content is still working on IPv4. How can IPv6 users
connect to the IPv4 world, and how can IPv4 users reach the IPv6
content? This is accomplished with the IPv6 transition technologies.
Probably "IPv6 transition technologies" is a misleading term,
because the IPv4 infrastructure is not removed with these technologies.
Thus "IPv6 integration technologies" is probably a better term.
But still, throughout this section I will be using "IPv6 transition
technologies".
There are three types of IPv6 Transition Technology.
1. Dual Stack
• IPv6 + IPv4
The entire infrastructure is running both IPv4 and IPv6.
2. Tunnels
• IPV6 - IPv4 – IPv6
• IPv4 – IPv6 – IPv4
Two IPv6 islands communicate over IPv4 part of the network or two
IPv4 islands communicate over IPv6 part of the network.
3. Translation
In the above picture, the v6 host on the left, which is in the IPv6 network,
wants to communicate with the v4 host, which is in the IPv4 network.
When the IPv6 host wants to communicate with the IPv4 host, it sends a
DNS query. This query passes through the DNS64. DNS64 then
sends this query to the authoritative DNS server, which is in the IPv4
world.
The authoritative DNS server sends an 'A' record back.
DNS64 translates this A record into a AAAA record, which is an IPv6
address. It embeds the IPv4 'A' record into an IPv6 prefix that is assigned
to DNS64. The resulting IPv6 address is called an IPv6 synthesized address.
Then the packet goes to the NAT64 device; it can use the embedded IPv4
address inside the IPv6 address (the AAAA from the DNS), remove the
IPv6 part and create a stateful mapping table.
In this model, the IPv6 host thinks that it communicates with an IPv6
device (DNS64), and the v4 host thinks that it communicates with an IPv4
device (the authoritative IPv4 DNS server).
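The DNS64 synthesis and the NAT64 mapping table described above, as an added example that is not from the book: a Python model that embeds the A record in a /96 NAT64 prefix (the RFC 6052 well-known prefix 64:ff9b::/96 is used), recovers the IPv4 address on the NAT64 side, and keeps the stateful mapping so that return traffic finds the IPv6 host. The host, pool and server addresses are constructed.

```python
import ipaddress
import itertools

# RFC 6052 well-known NAT64 prefix; an operator may use its own /96 instead.
WELL_KNOWN_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def synthesize_aaaa(ipv4, pref64=WELL_KNOWN_PREFIX):
    """DNS64 step: embed the IPv4 'A' answer in the last 32 bits of the /96 prefix."""
    if pref64.prefixlen != 96:
        raise ValueError("only the /96 embedding layout is implemented here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(pref64.network_address) | v4)


def extract_ipv4(ipv6, pref64=WELL_KNOWN_PREFIX):
    """NAT64 step: recover the embedded IPv4 destination, or None when the
    address is a native IPv6 destination that must not be translated."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in pref64:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(upstream, pref64=WELL_KNOWN_PREFIX):
    """What the IPv6-only host receives for its AAAA query: the real AAAA records
    when the authoritative server has them, otherwise AAAA synthesized from A."""
    if upstream.get("AAAA"):
        return list(upstream["AAAA"])
    return [str(synthesize_aaaa(a, pref64)) for a in upstream.get("A", [])]


class StatefulNat64:
    """Minimal stateful NAT64: one public IPv4 pool address, a port pool and a
    mapping table so that return traffic can be sent back to the IPv6 host."""

    def __init__(self, pool_v4, pref64=WELL_KNOWN_PREFIX, first_port=1024):
        self.pool_v4 = ipaddress.IPv4Address(pool_v4)
        self.pref64 = pref64
        self.ports = itertools.count(first_port)
        self.table = {}    # (v6 src, src port, v4 dst, dst port) -> pool port
        self.reverse = {}  # (pool port, v4 peer, peer port) -> (v6 src, src port)

    def outbound(self, src_v6, sport, dst_v6, dport):
        """IPv6 -> IPv4 direction; returns the translated 4-tuple or None."""
        dst_v4 = extract_ipv4(dst_v6, self.pref64)
        if dst_v4 is None:
            return None  # native IPv6 destination, routed without translation
        key = (str(src_v6), sport, str(dst_v4), dport)
        if key not in self.table:
            port = next(self.ports)
            self.table[key] = port
            self.reverse[(port, str(dst_v4), dport)] = (str(src_v6), sport)
        return (str(self.pool_v4), self.table[key], str(dst_v4), dport)

    def inbound(self, src_v4, sport, dport):
        """IPv4 -> IPv6 direction: only a flow with an existing mapping gets through;
        unsolicited inbound traffic is dropped (None)."""
        hit = self.reverse.get((dport, src_v4, sport))
        if hit is None:
            return None
        src_v6 = synthesize_aaaa(src_v4, self.pref64)
        return (str(src_v6), sport, hit[0], hit[1])


# Constructed exchange: the v6 host 2001:db8::10 resolves a name whose authoritative
# server returns only an A record (198.51.100.7), then opens a TCP/443 session.
UPSTREAM = {"A": ["198.51.100.7"], "AAAA": []}


def worked_example():
    aaaa = dns64_answer(UPSTREAM)                  # synthesized AAAA handed to the host
    nat = StatefulNat64("203.0.113.5")             # NAT64 pool address (constructed)
    out = nat.outbound("2001:db8::10", 40000, aaaa[0], 443)
    back = nat.inbound("198.51.100.7", 443, out[1])
    return aaaa, out, back


if __name__ == "__main__":
    for step in worked_example():
        print(step)
```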
Stateful IPv6 translation mechanism problems:
Manual Tunnels:
For any type of tunnel, tunnel endpoints should be known and
reachable. In Manual Tunnels, Tunnel endpoints are manually configured.
They are mostly used for permanent site-to-site connectivity.
IP-in-IP and GRE are the manual tunnels.
6PE and 6VPE, which are the MPLS based tunneling methods are
also considered as Manual Tunneling technologies.
Automatic Tunnels:
Commonly used for transient connectivity. They could be site-to-site
or host-to-host tunnels.
With Automatic Tunnels, there must be an automatic way to find
the tunnel end points.
Every automatic tunneling solution either encapsulates the IPv4 tunnel
endpoints in the IPv6 address or consults an authoritative server for the
tunnel endpoints (remember LISP?).
Embedded Tunnel Endpoint Automatic IPv6 Tunneling Mechanisms:
1. 6to4 Tunnels
∗ In order to reach the outside world, 6to4 relay router is needed.
∗ ISPs cannot use their IPv6 address pool for the Tunneling.
3. Dual Stack
Dual stack is possibly the simplest IPv6 transition mechanism to
implement. Every interface, application and host runs IPv6 and IPv4 at
the same time.
Dual stack operation is driven by DNS.
If the destination address comes from DNS in an A record only, then
communication is done via IPv4.
If the destination address comes from DNS in a AAAA record only, then
communication is done via IPv6.
If both A and AAAA records return, most of the applications prefer
IPv6.
But the biggest problem in Dual Stack is: if there are no more IPv4
addresses available, how can every interface have IPv4 as well? Especially
in Service Provider networks!
The common solution for this issue by many of the companies is CGN
(Carrier Grade NAT), which is also known as LSN (Large Scale NAT).
Carrier Grade NAT is doing the NAT44 operation at large scale, in the
Service Provider network.
Instead of assigning a Public IPv4 address to each customer, the
Service Provider assigns IPv4 private addresses.
In CGN, the globally unique IPv4 address pool moves from the customer
edge to a more centralized location in the Service Provider network.
There are three CGN architectures.
Three Carrier Grade NAT solutions:
1. NAT444
2. NAT464
3. DS-Lite
1. NAT 444
This solution uses three IPv4 layers.
Customers IPv4 private space is NATed to Service Provider assigned
IPv4 private space first.
Then second NAT44 operation is done from Service Provider assigned
IPv4 private address space to Service Provider IPv4 public address.
In this solution there are two layers of NAT44: one on the customer
CPE, another in the Service Provider network. The potential problem is that many
applications which may work through one layer of NAT will not work through
two layers of NAT.
The second problem is that the Service Provider IPv4 private address space can
conflict with the Customer IPv4 address space.
2. NAT464
Due to the potential address conflict between the customer and the Service
Provider private IPv4 address spaces, another solution proposed by the IETF
was NAT464.
In this solution, the Customer IPv4 private address space is NATed from
IPv4 private to an IPv6 address. On the customer CPE a NAT64 operation
is needed.
The second NAT in this solution would be in the Service Provider
network. The second NAT would also be NAT64.
This solution requires the NAT64 operation twice, and nobody
implemented it.
handset and the applications inside handset, CPE modem and many other
devices.
As you can see, it is not just the network routers that need to be IPv6 capable,
but everything in the network that needs to support IPv6.
Actually, the easiest part is to enable IPv6 dual-stack on the routers.
The hardest two parts of the IPv6 dual-stack deployment are the applications
and the CPEs.
CPE is a term used in Service Provider networks which defines
the devices at the customer location.
For example, an ADSL modem is a CPE for the broadband service.
Since there might be millions of ADSL modems which need to support
IPv6, imagine the size of the deployment, and the time to complete these
types of deployments, especially if hardware needs to be replaced.
Also, since with Dual-Stack you will have IPv6 in addition to IPv4,
memory and CPU requirements will be much higher compared to an IPv6
only network or other IPv6 transition technologies.
Thus, you generally replace the routers with bigger ones (Scale-Up),
which is good for the networking vendors (Juniper, Alcatel, Cisco etc.).
It wouldn't be wrong if I say that this is one of the reasons they are
advertising that dual-stack is the best approach for IPv6 design.
If you think that dual-stack is hard, if not impossible, for many of these
networks just because of the scale of the deployment, you are wrong. There
are other things.
With CGN, IPv4 private addresses are shared among many customers
and those shared addresses are NATed at the CGN node twice.
There will be always some applications, which run IPv4 only; in this
case you have to use a Translator.
I am talking about IPv6 to IPv4 translator and vice versa. So dual-
stack may not be possible because fancy – free a lot of applications don’t
support IPv6 today. (Most common example is Skype and some VOIP
applications)
Common solution for translating IPv6 to IPv4 is NAT 64 + DNS 64
which was explained earlier in this chapter.
NAT-PT was the early version of IPv6 to IPv4 translator but there
were security problems such as DNSSEC thus NAT-PT is obsolete now.
NAT 64 + DNS 64 is good for translating v6 to v4 so IPv6 only host
can reach IPv4 only host but wait, that’s not all yet either.
How will you support an application that doesn't rely on DNS?
Skype is a very common application that uses hard-coded IPv4 addresses and doesn't rely on DNS.
NAT64 + DNS64 cannot be a solution for that, because DNS64 can only synthesize AAAA records for names that are actually looked up; an IPv4 literal never reaches the resolver. Because of these types of applications, operators that run IPv6-only access networks place a translator on the host device itself.
For example, mobile operators use 464XLAT on the handheld devices to support IPv4-only applications.
NAT46 is performed at the handset (smartphone, tablet, etc.) by the CLAT component: the application is given a private IPv4 address to use, and the handset translates its IPv4 packets to IPv6 (stateless NAT46) towards the operator's NAT64 (the PLAT), which translates them back to IPv4.
For example, T-Mobile in the U.S. deployed 464XLAT so that IPv6-only devices can run IPv4 applications over an IPv6-only network.
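The DNS64 synthesis and the IPv4-literal problem described above, worked as a small Python model. This is added example code, not code from the book or from any vendor: the RFC 6052 address embedding is the real algorithm, but the zone, the hostnames and the "application" behaviour are constructed for illustration, and the CLAT here only shows the destination-address step of 464XLAT.

```python
"""IPv4-embedded IPv6 addresses (RFC 6052), a minimal DNS64 resolver (RFC 6147) and the
CLAT step of 464XLAT (RFC 6877), as added example code. The zone data and the
'application' are constructed for illustration and are not from a real deployment."""
import ipaddress

WKP = "64:ff9b::/96"                          # RFC 6052 well-known prefix
PREF64_LENGTHS = (32, 40, 48, 56, 64, 96)     # the only Pref64::/n lengths RFC 6052 allows


def embed(pref64: str, v4: str) -> ipaddress.IPv6Address:
    """Place the 32 IPv4 bits right after the prefix, skipping bits 64-71: RFC 6052
    reserves that octet ('u') and requires it to be zero."""
    net = ipaddress.IPv6Network(pref64)
    if net.prefixlen not in PREF64_LENGTHS:
        raise ValueError(f"unsupported Pref64::/n length /{net.prefixlen}")
    v4bits = int(ipaddress.IPv4Address(v4))
    out, pos = int(net.network_address), net.prefixlen
    for i in range(32):
        if 64 <= pos < 72:
            pos = 72
        out |= ((v4bits >> (31 - i)) & 1) << (127 - pos)
        pos += 1
    return ipaddress.IPv6Address(out)


def extract(pref64: str, v6) -> ipaddress.IPv4Address:
    """Inverse of embed(): what the NAT64 (PLAT) does to recover the IPv4 destination."""
    net = ipaddress.IPv6Network(pref64)
    bits = int(ipaddress.IPv6Address(v6))
    v4, pos = 0, net.prefixlen
    for _ in range(32):
        if 64 <= pos < 72:
            pos = 72
        v4 = (v4 << 1) | ((bits >> (127 - pos)) & 1)
        pos += 1
    return ipaddress.IPv4Address(v4)


def dns64_lookup(name: str, zone: dict, pref64: str = WKP):
    """DNS64: hand back a real AAAA if the name has one; otherwise synthesize an AAAA from
    the A record so an IPv6-only client can reach the IPv4-only host through NAT64.
    Returns (address or None, synthesized?)."""
    rr = zone.get(name, {})
    if "AAAA" in rr:
        return ipaddress.IPv6Address(rr["AAAA"]), False
    if "A" in rr:
        return embed(pref64, rr["A"]), True
    return None, False


def ipv6_only_host_connect(target: str, zone: dict, clat_pref64: str = None):
    """Model the IPv6-only host. A hostname goes through DNS64. A hard-coded IPv4 literal
    (the Skype case in the text) never triggers a DNS query, so DNS64 cannot help; it only
    works if a CLAT on the host (464XLAT) translates the packet into the PLAT's prefix."""
    try:
        literal = ipaddress.IPv4Address(target)
    except ValueError:                       # not an IPv4 literal: resolve the name
        addr, _synthesized = dns64_lookup(target, zone)
        return addr
    if clat_pref64 is None:
        return None                          # connection attempt fails on an IPv6-only host
    return embed(clat_pref64, str(literal))  # stateless NAT46 on the handset


# Constructed zone: one IPv4-only service and one that already has an AAAA record.
ZONE = {
    "ipv4only.example.com": {"A": "192.0.2.33"},
    "dual.example.com": {"A": "192.0.2.34", "AAAA": "2001:db8::34"},
}
```

embed() and extract() also cover the shorter Pref64::/n lengths (32 to 64) from RFC 6052, not only the /96 well-known prefix the text uses; the reserved u octet at bits 64-71 is skipped in both directions.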
Conclusion:
There will always be a need to use all these transition mechanisms together in the network. Dual-stack is the hardest IPv6 transition method for large-scale companies to support, and the IPv6-to-IPv4 translation technologies break many applications.
Tunnelling is a solution to carry IPv6 over an IPv4 network and can be the interim solution until dual-stack is enabled on all nodes and links.
Our end goal shouldn't be IPv6 dual-stack! Our goal is to have an IPv6-only network and remove IPv4 completely. This can only be achieved together with networking vendors, Service Providers, operating system manufacturers, application developers, website owners, CDN companies and many others.
Chapter 7
Otherwise, CGN or the transfer market (buying public IPv4 addresses from other companies) are interim solutions that only buy time, and without IPv6 those solutions get more expensive for the companies day by day.
There are companies that have an IPv6-only network today!
Question 1:
A fictitious Service Provider company has been planning IPv6 access for their residential broadband customers. Which solutions below don't require access node changes in the Service Provider domain? (Choose three)
A. CGN
B. 6rd
C. 6to4
D. IPsec
E. DS-Lite
F. Dual Stack
Answer 1:
IPsec is not an option; it is not a transition mechanism at all. Dual Stack requires IPv6 support, in addition to IPv4, everywhere.
DS-Lite requires IPv6-capable access nodes, since IPv4 is tunnelled over IPv6 from the CPE.
6rd and 6to4 are IPv6 tunnelling mechanisms over an IPv4 Service Provider infrastructure.
6rd and 6to4 don't require an access node upgrade, such as of the DSLAM, in the case of residential broadband.
But both 6to4 and 6rd still require a CPE upgrade on the customer site.
CGN (LSN) doesn't require an access node upgrade either; most residential equipment already supports NAT44.
Thus the answer to this question is A, B and C.
Question 2:
Which of the mechanisms below allows an asymmetric IPv6 routing design?
A. 6rd
B. 6to4
C. NAT64 + DNS64
D. DS-Lite
Answer 2:
Asymmetric routing is possible with the stateless mechanisms only.
6rd is a stateless tunnelling mechanism.
NAT64 + DNS64 can be stateful or stateless, so it is not the correct answer. DS-Lite has a CGN component, which is always stateful.
That's why the answer to this question is A, 6rd. (6to4 is stateless too, but it relies on third-party relays on the Internet rather than on the operator's own border relays; 6rd is the answer intended here.)
Question 3:
What is the biggest cost component in an IPv6 transition design?
A. CPE
B. Access Nodes
C. Core Nodes
D. Training
E. Application Development
Answer 3:
The biggest cost component is the CPE (Customer Premises Equipment).
If IPv6 is not supported on the CPE, enabling it in software requires operational expenses, and changing the hardware requires both operational and capital expenses.
If a Service Provider needs to change the CPE for 10 million customers and every CPE costs only $50, $500 million is required for CAPEX alone.
That's why the answer to this question is A, CPE.
Question 4:
Which of the options below might be possible problems with a NAT64 + DNS64 design? (Choose three)
A. It may not support IPv4-only applications such as Skype
Answer 4:
As explained in the IPv6 chapter, NAT64 + DNS64 may not support IPv4-only applications such as Skype. Duplicate DNS entries can appear if the company has more than one DNS, and stateful NAT64 + DNS64 makes the routing design harder, because return traffic has to pass through the same translator.
Thus the correct answer to this question is A, B and E.
Question 5:
If an IPv6-only node needs to reach IPv4-only content, which of the mechanisms below is used?
A. 6rd tunneling
B. Dual Stack
C. Translation
D. Host to Host tunnelling
Answer 5:
A translation mechanism is needed. Tunnelling cannot solve the problem, since both ends of a tunnel still have to speak the same IP version. The answer is C.
Question 6:
Which of the options below are used as IPv6 transition mechanisms? (Choose three)
A. Dual-Stack
B. Edge to Core IPv6 design approach
C. Tunneling
D. Translation
E. IPv6 Neighbor Discovery
Answer 6:
As explained in detail in the IPv6 chapter, Dual-Stack, Tunneling and Translation are the IPv6 transition mechanisms.
That's why the answer to this question is A, C and D.
Question 7:
Which subnet mask length is used in IPv6 on point-to-point links for consistency?
A. /56
B. /64
C. /96
D. /126
E. /127
Answer 7:
/64 is used in IPv6 on point-to-point links for consistency.
Although there were discussions around its usage and some people initially considered it a waste of address space, the general design recommendation is to use /64 or /127 for point-to-point links, and using /64 everywhere, including point-to-point links, provides consistency.
Note the security trade-off: RFC 6164 recommends /127 on inter-router point-to-point links because a /64 with only two addresses in use lets a remote attacker scan the remaining addresses and exhaust the routers' neighbor cache (ND cache exhaustion). If /64 is used for consistency, the routers should rate-limit or otherwise protect neighbor discovery on those links.
Question 8:
Which IPv6 design method consumes more resources on the network nodes?
A. Dual-Stack
B. Tunneling mechanisms
C. Translation mechanisms
Answer 8:
Dual Stack on the network nodes consumes more CPU and memory compared to the tunnelling and translation mechanisms used for IPv6 transition, because every node carries two full control and forwarding planes.
That's why the answer to this question is A, Dual-Stack.
Question 9:
What does Dual-Stack mean?
A. Enabling IPv6 and IPv4 on all the networking nodes
B. Enabling IPv6 and IPv4 on all the networking nodes and the links
C. Enabling IPv6 and IPv4 on all the networking nodes, links, hosts and applications
D. Enabling IPv6 and IPv4 on the core, aggregation and access network nodes
Answer 9:
Dual stack is providing both IPv4 and IPv6 connectivity to all the networking nodes, links, hosts and applications. That's why the answer to this question is C.
Question 10:
A fictitious Service Provider company requires more public IPv4 addresses, but due to IPv4 exhaustion they couldn't receive any from the RIRs. What is their option to continue providing IPv4 services without enabling IPv6 on the CPE, access and core network?
A. Carrier Grade NAT
B. DS-Lite
C. NAT64 + DNS64
D. 6rd
E. 6to4
Answer 10:
The IPv4 exhaustion problem requires a Carrier Grade NAT solution, which shares public IPv4 addresses among multiple users by using NAT44 on the CPE and NAT44 again in the SP domain. It is also called double NAT, Large Scale NAT, dual NAT44 or NAT444.
That's why the answer to this question is A, Carrier Grade NAT.
Question 11:
Which of the terms below are used interchangeably for Carrier Grade NAT (CGN)? (Choose three)
A. LSN
B. Double NAT
Answer 11:
LSN (Large Scale NAT), Double NAT and NAT444 are used interchangeably for CGN. Thus, the answer to this question is A, B and E.
Question 12:
Which of the options below are used as an IPv6-over-IPv4 tunnelling mechanism? (Choose two)
A. 6to4
B. 6rd
C. NAT64 + DNS64
D. DS-Lite
E. MAP-E
F. 464XLAT
Answer 12:
Out of the given options, the IPv6-over-IPv4 tunnelling mechanisms are 6to4 and 6rd.
DS-Lite and MAP-E work the other way around: the IPv4 service is tunnelled over IPv6. NAT64 + DNS64 and 464XLAT are translation mechanisms, not tunnels.
That's why the answer to this question is A and B.
Question 13:
What are the problems with a Carrier Grade NAT IPv6 design? (Choose four)
A. Some applications don't work behind CGN
B. If two users are behind the same LSN, stateful devices might drop their direct traffic, so traffic between them has to go through the CGN node even though both are behind the same LSN
C. IP address overlapping if the Customer uses the same private address range as the Service Provider
D. It requires IPv6 on the CPE nodes, thus CPEs have to be upgraded
E. Since it is stateful, asymmetric traffic is not allowed
F. Since it is stateless, asymmetric traffic is not allowed
Answer 13:
Some applications don't work behind CGN. If two users are behind the same LSN, stateful devices might drop their direct traffic, so traffic between them has to hairpin through the CGN node even though both are behind the same LSN. IP addresses overlap if the Customer uses the same private address range as the Service Provider (this is why RFC 6598 reserves 100.64.0.0/10 as shared address space for the CGN inside network). Since it is stateful, asymmetric traffic is not allowed.
CGN does not require IPv6 on the CPE, so D is wrong, and F contradicts the stateful nature of CGN.
The correct answer to this question is A, B, C and E.
Question 14:
What are the problems with a dual stack IPv6 design? (Choose three)
A. It consumes more memory and CPU on the networking nodes compared to tunnelling and translation mechanisms
Answer 14:
It consumes more memory and CPU on the networking nodes compared to tunnelling and translation mechanisms. It doesn't solve the IPv4 address exhaustion problem: CPEs and hosts still require IPv4 addresses, and the host's private address is still NATed to the CPE's public IPv4 address (NAT44). It requires IPv6 support on all the CPE and access nodes, which are the components with the highest associated cost.
That's why the answer to this question is A, B and C.
Question 15:
What is the best IPv6 design method for an MPLS Layer 3 VPN service?
A. Dual Stack
B. NAT64 + DNS64
C. 6rd
D. 6VPE
E. 6PE
Answer 15:
The best IPv6 design method for an MPLS Layer 3 VPN service is 6VPE (IPv6 VPN Provider Edge), which carries IPv6 VPN prefixes in MP-BGP (VPNv6) over the existing MPLS core; 6PE only provides global IPv6 reachability, not per-customer VPN separation. The answer is D.
Question 16:
Which options are IPv6 automated tunnelling mechanisms? (Choose three)
A. 6rd
B. 6over4
C. 6to4
D. Tunnel Brokers
E. NAT-PT
F. GRE Tunnels
Answer 16:
6rd, 6to4 and 6over4 are the automated IPv6 tunnelling mechanisms.
6over4 requires IPv4 multicast in the underlying network, so it is practically never deployed.
In all three mechanisms the IPv4 tunnel endpoint is derived from the IPv6 address (embedded in the prefix for 6to4 and 6rd, used as the interface identifier for 6over4).
Tunnel broker is a semi-automated mechanism: the tunnel broker server provides the tunnel destination address. NAT-PT is a translation mechanism and is deprecated because of its security and operational issues.
GRE tunnels are a manual tunnelling mechanism.
That's why the answer to this question is A, B and C.
Question 17:
A Service Provider Company wants to implement a DPI (Deep Packet Inspection) node in the network. Which of the methods below would create a problem?
A. Tunneling
B. Dual-Stack
C. Native IPv4
D. Translation
E.
Answer 17:
Most DPI devices cannot look inside the IPv6 tunnelling mechanisms, so using them together with a DPI element can create a problem. This cuts both ways: an IPv4-only DPI or firewall may also pass tunnelled IPv6 (6to4, Teredo, etc.) that its policy never inspects, so tunnel endpoints should be terminated or filtered where inspection is required.
There is no problem with the other options. The correct answer is option A.
Question 18:
An Enterprise Company implemented QoS on their network. Which of the IPv6 design methods below doesn't work well with QoS?
A. Dual Stack
B. Translation
C. IPv6 only
D. Tunneling
Answer 18:
IPv6 tunnelling mechanisms don't work well with QoS, because the classifiers along the path only see the outer IPv4 header unless the tunnel endpoint copies the traffic class into it. The answer is D.
Question 19:
Which of the options below are used for host-to-host IPv6 tunnelling?
A. ISATAP
B. 6to4
C. 6rd
D. Teredo
E. IPv6 DAD
Answer 19:
ISATAP and Teredo are used for host-to-host or host-to-router tunnelling. The answer is A and D. Teredo is notable because it tunnels IPv6 inside UDP to get through IPv4 NAT, so it also passes through IPv4 firewalls that don't inspect the tunnel.
Question 20:
An Enterprise Company wants to gain experience with IPv6. They have 50 IT lab facilities and want to access an IPv6 application in the datacenter. They don't currently have IPv6 on their network and want to have access immediately from the labs to the applications. Where would they start enabling IPv6?
A. Network Core first and IT labs should enable IPv6
B. No need for IPv6 on the network, they can use translation
Answer 20:
As explained in the IPv6 chapter, they are looking for the Edge to the Core model. The IT labs should be IPv6-enabled and tunnel to the DC.
The answer to this question is C.
Question 21:
Which mechanism can be used to deploy IPv6 services over an IPv4-only backbone?
B. 6PE in the backbone network
C. 6RD on CPEs and 6RD BRs at the Edge of the network
D. DS-Lite at the Edge of the network
Answer 21:
Since the requirement says an IPv4-only backbone, NAT64, 6PE and DS-Lite cannot be solutions.
NAT64 requires an IPv6-only or dual-stack network, 6PE requires an MPLS network, and DS-Lite requires an IPv6 network between the CPE and the AFTR.
Yes, NAT64 could be placed at the Internet edge, and the best place for a NAT64 deployment is the Internet edge according to RFC 7269, but in this question the requirement says an IPv4-only network. That's why the answer to this question is C.
Question 22:
An E-commerce company wants to enable IPv6 on their network as soon as possible. Where would be the best place for them to start and which solution would you recommend?
Answer 22:
The requirement says an E-commerce Company that wants to enable IPv6 as fast as possible. Dual stack is very time consuming, if not impossible, on that timescale.
Also, since the business is E-commerce, the IPv6 business case for E-commerce companies is in general IPv6 presence.
If Happy Eyeballs (RFC 6555) is enabled on the customers' hosts, or IPv6-only users need to reach their site, it is important for E-commerce companies to have IPv6 presence.
Thus starting from the Internet edge and enabling NAT64 + DNS64 is the best solution for the given company and requirements.
Question 23:
Which of the options below are critical IPv6 First Hop Security features? (Choose three)
A. Suppressing excessive multicast neighbor discovery messages
B. ARP Inspection
C. Limiting IPv6 Router Advertisements
D. Preventing rogue DHCPv6 assignments
E. Broadcast control mechanism
Answer 23:
There is no ARP in IPv6, so ARP inspection is unrelated (its IPv6 counterpart is ND inspection or snooping).
There is no broadcast in IPv6, as explained in the IPv6 chapter, so option E is wrong as well. The remaining three features are critical IPv6 First Hop Security features: RA Guard (RFC 6105) stops a host on the segment from injecting Router Advertisements and becoming the default gateway or poisoning prefixes, DHCPv6 Guard stops rogue DHCPv6 servers from handing out addresses and DNS servers, and ND multicast suppression protects the routers and switches from neighbor discovery floods.
That's why the answer to this question is A, C and D.
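The three features the answer names, reduced to a policy check over constructed link events. This is added example code, not a Cisco feature and not the book's own material; port names, MAC addresses, prefixes and the 200-message threshold are assumptions made for the example.

```python
"""Toy IPv6 first-hop security policy check over constructed link events, as added example
code (not a vendor feature). It mirrors the three features in the answer: RA Guard,
DHCPv6 Guard and neighbor discovery rate limiting. Port names, MAC addresses, prefixes
and the threshold are assumptions made for the example."""
from collections import Counter

# Constructed events, as a switch or a monitoring sensor on one access VLAN might record
# them: (ingress port, source MAC, message type, payload).
EVENTS = [
    ("Gi1/0/48", "00:11:22:aa:bb:01", "RA", "2001:db8:10::/64"),          # real uplink router
    ("Gi1/0/7",  "00:11:22:cc:dd:07", "RA", "2001:db8:bad::/64"),         # host pretending to be a router
    ("Gi1/0/2",  "00:11:22:aa:bb:02", "DHCPV6_ADVERTISE", "2001:db8:10::53"),
    ("Gi1/0/9",  "00:11:22:cc:dd:09", "DHCPV6_ADVERTISE", "2001:db8:bad::53"),  # rogue DHCPv6 server
] + [
    # one host sweeping a /64 with neighbor solicitations, the ND cache exhaustion pattern
    ("Gi1/0/5", "00:11:22:cc:dd:05", "NS", f"2001:db8:10::{i:x}") for i in range(1, 301)
] + [
    ("Gi1/0/6", "00:11:22:cc:dd:06", "NS", "2001:db8:10::1"),             # a normal host
]

POLICY = {
    "router_ports": {"Gi1/0/48"},          # RA Guard: RAs allowed only from these ports
    "dhcpv6_server_ports": {"Gi1/0/2"},    # DHCPv6 Guard: Advertise/Reply allowed only here
    "max_ns_per_host": 200,                # ND suppression / rate limit threshold (assumed)
}


def evaluate(events, policy):
    """Return (finding, port, mac, detail) tuples for every policy violation, RA and
    DHCPv6 violations in arrival order, then per-host ND flood findings."""
    findings = []
    ns_per_host = Counter()
    for port, mac, kind, payload in events:
        if kind == "RA" and port not in policy["router_ports"]:
            findings.append(("rogue-ra", port, mac, payload))
        elif kind == "DHCPV6_ADVERTISE" and port not in policy["dhcpv6_server_ports"]:
            findings.append(("rogue-dhcpv6", port, mac, payload))
        elif kind == "NS":
            ns_per_host[(port, mac)] += 1
    for (port, mac), count in ns_per_host.items():
        if count > policy["max_ns_per_host"]:
            findings.append(("nd-flood", port, mac, f"{count} NS"))
    return findings


def violating_ports(events, policy):
    """Ports an operator would shut or rate-limit, in the order first seen."""
    seen = []
    for _finding, port, _mac, _detail in evaluate(events, policy):
        if port not in seen:
            seen.append(port)
    return seen
```

A real RA Guard or DHCPv6 Guard policy is enforced per port in hardware before the message reaches the hosts; the check above only shows the decision each of those features makes and what a monitoring pipeline would flag.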
Question 24:
An Enterprise Company implemented a dual stack network. It took them a lot of time to implement dual stack on all their networking nodes, links, applications, hosts and operating systems. Although their network is 100% dual stack, they only see 25% IPv6 Internet traffic on their network. What might be the possible problem?
A. Some of their links to the Internet may not be IPv6 enabled
B. The content their users try to access is not IPv6 enabled
C. The operating system of their users might prefer IPv4 over IPv6
D. They might have Happy Eyeballs enabled and IPv6 might have priority
Answer 24:
Either the content their users try to access is not IPv6 enabled, or the operating system of their users prefers IPv4 over IPv6. (Happy Eyeballs favours IPv6 whenever it works, so D would increase the IPv6 share, not reduce it.)
The answer to this question is B and C.
Question 25:
Which of the protocols below are used in IPv6 Multicast?
A. MLD
B. Auto-RP
C. MSDP
D. Embedded RP
E. Anycast RP
Answer 25:
MSDP and Auto-RP are not supported in IPv6 Multicast. MLD, Embedded RP and Anycast RP are IPv6 Multicast features, so the answer is A, D and E.
MLD is the IPv6 equivalent of IGMP, and MLD snooping is the equivalent of IGMP snooping; whenever there are Layer 2 switches in an IPv6 Multicast design, MLD snooping should be enabled for optimal resource usage.
Chapter 8
Border Gateway Protocol
If BGP is used between different autonomous systems, the connection is called EBGP (External BGP).
If BGP is used inside an autonomous system with the same AS
number between the BGP nodes, then the connection is called IBGP
(Internal BGP).
BGP Theory
Before starting BGP Theory, EBGP, IBGP and more advanced topics,
some basic BGP definitions should be clear.
BGP
A VPNv4 BGP session is configured as follows (x.x.x.x is the peer's address; since remote-as 100 differs from the local AS 1000, this is an EBGP VPNv4 session). The IPv4 unicast address family is disabled by default, the peer is activated only for VPNv4, and extended communities must be sent because they carry the route targets:
router bgp 1000
 no bgp default ipv4-unicast
 neighbor x.x.x.x remote-as 100
 address-family vpnv4 unicast
  neighbor x.x.x.x activate
  neighbor x.x.x.x send-community extended
In the above topology, when CE1 wants to reach CE2 at the other side of the network, the packet reaches either R1 or R2. If there is no tunnelling mechanism such as MPLS, GRE or any other, R1 or R2 does an IP destination-based lookup and sends the packet to R3 or R4.
If the prefixes behind CE2 are learned by BGP, all the routers have to do an IP destination-based lookup, so every one of them needs a route for the CE2 prefixes from BGP in its routing table.
Every router (R1, R2, R3, R4, R5 and R6) has to run BGP.
If a Layer 3 overlay tunnelling technology runs in the network, then the routers in the middle, R3 and R4, do not have to keep the CE1 and CE2 prefixes.
R3 and R4 keep only the routing information of the edge nodes. As a result, R3 and R4 are used only for reachability between R1, R2, R5 and R6.
Since MPLS is a tunnelling mechanism that provides a Layer 2 or Layer 3 overlay, if MPLS is used in the network the intermediate devices, R3 and R4, do not have to run BGP.
R1, R2, R5 and R6 are called edge nodes, and R3 and R4 are known as core nodes.
That's why you can have a BGP-free core network if MPLS is used in the network.
BGP-free core means that the core nodes of the network don't have to enable BGP.
attribute. Also, there are some intermediate steps that are not commonly used. Below is the BGP best path selection criteria list to keep in mind as a designer.
for IPv6, based on the CIDR reports (the IPv4 CIDR report and the IPv6 CIDR report).
When you have a BGP connection with an ISP, you can receive only a default route, partial routes (the customer routes of your ISP), the default-free zone (DFZ) routes (the full BGP routing table), DFZ + default route, DFZ + customer routes, or DFZ + partial routes. In sum, you have many options to choose from.
Actually, your preference entirely depends on your BGP policy. For instance, if the network traffic is between your users and the servers inside your ISP, or between your users and the servers inside the datacenter of a customer of your ISP, you don't want this traffic to go through a suboptimal path.
Let's look at the topologies below to understand how suboptimal routing is created with the wrong BGP policy.
In the above figure, the Customer is connected to two Internet Service Providers, which are linked to the same upstream Service Provider, SP3.
The Customer is receiving only a default route and increases the local preference on the SP2 BGP connection. The Customer wants to reach the 78.100.120.0/24 network, which belongs to a customer of SP1.
The path would be optimal if the Customer reached the 78.100.120.0/24 network over the SP1 link directly. Nonetheless, since the Customer increased the local preference for the default route over the SP2 link, and the default route covers every prefix, only the SP2 link is used.
So the traffic flow between the Customer and the 78.100.120.0/24 network is Customer - SP2 - SP3 - SP1: SP2 uses its upstream Service Provider, SP3.
OrhanErgun.net
256
BGP Egress Path Selection with Default Route and Peering between SPs
In the above figure, there is a peering link between SP1 and SP2.
The Customer is still receiving only a default route and uses BGP local preference 150 over SP2 (the default of 100 stays on the SP1 connection). Again, the Customer wants to reach the 78.100.120.0/24 network, which belongs to a customer of SP1.
In this case the traffic flow would be Customer - SP2 - SP1.
The peering link between SP1 and SP2 prevents the packets from being sent from SP2 to SP3.
By default, SP2 prefers the peering link over the upstream link because of cost reduction. This is almost always the case in real-life BGP design of Service Providers and will be explained in detail in the BGP Peering section of this chapter.
But the traffic flow, from the Customer's point of view, is still suboptimal because it is supposed to go directly between the Customer and SP1, not via SP2.
Let's examine the last topology to see whether partial routing can avoid suboptimal BGP routing.
To simplify the concept, let's assume that we are receiving the 78.100.120.0/24 network, in addition to the default route, from SP1.
The Customer still uses BGP local preference 150 for the default route over the SP2 link and BGP local preference 100 for the default route from SP1. The Customer doesn't change the BGP local preference for the partial routes; the Customer uses BGP local preference 100 for 78.100.120.0/24 as well.
But the longest prefix match in the forwarding table is evaluated before any BGP attribute: BGP best path selection (including local preference) only compares paths for the same prefix, and the /24 and the default route are different prefixes. Since the only path for 78.100.120.0/24 is via SP1, the Customer selects SP1 for that network, and the remaining destinations are reached through SP2's default route.
Receiving the DFZ, which is the full Internet routing table, allows network administrators to have the optimal path when there are multiple ISPs or multiple links. Nonetheless, this benefit is not free.
In sum, the more routes, the more processing power. BGP routers that hold the full Internet routing table require much more memory and CPU than BGP routers that have only the default route or default + partial routes.
EBGP
EBGP is used between two different autonomous systems. Loop prevention in EBGP is done with the AS_PATH attribute, which is why it is a well-known mandatory BGP attribute. If a BGP node sees its own AS number in the AS_PATH of an incoming BGP update, the update is rejected.
BGP traffic engineering sends and receives network traffic based on the customer's business and technical requirements. For example, link capacities might be different, one link might be more stable than the other, or the costs of the links might differ. In all of these cases, the customer may want to optimize their incoming and outgoing traffic.
For BGP outgoing traffic the local preference attribute is commonly used. BGP inbound traffic engineering can be achieved in multiple ways:
∗ MED (BGP multi-exit discriminator, the external metric attribute)
∗ AS-path prepending
∗ BGP community attribute
In the above figure, there is no MPLS service in the network. R1 and R2 are running IBGP with R3, and R3 is running EBGP with its upstream Service Provider.
When R3 sends the BGP prefixes to R1 and R2, the BGP next hop is unchanged: the address of the link between R3 and the Internet stays as the BGP next hop. In other words, if you examine the BGP table of R1 and R2, the next hop of the BGP prefixes coming from the Internet is the R3-Internet link.
Further, routers need to resolve that next hop through the IGP (OSPF, IS-IS, EIGRP) in order to forward the packets to the destination. The link between R3 and the Internet (the external link) is not known to the IGP.
That link can be redistributed into the IGP or set as a passive interface in the IGP. If you don't want to see external links in your IGP, then the BGP next hop can be set to the router's loopback, an internal route.
To set the next hop to the router's loopback, you can create a route map on R3 that sets the next hop to its loopback interface, or you can configure next-hop-self on the IBGP sessions and build the IBGP sessions between the routers' loopbacks. The BGP source interface in this case is the loopback of R1, R2 and R3.
As you can see, if there is no MPLS VPN service, the prefixes received from EBGP are advertised to the IBGP neighbors without changing the next hop. If the external link is not wanted in the IGP, a manual operation is required on the edge router to set the next hop to itself.
It is important to know that if the external link is not used as the next hop (that is, next-hop-self is used), then when that link fails the IBGP peers still see the loopback next hop as reachable and keep sending traffic to R3, which drops it (black-holes it) until the BGP control plane has converged. BGP PIC Edge solves this problem by installing an alternate route in the forwarding table. The BGP PIC concept will be explained later in this chapter.
Let's take a look at an MPLS VPN network and see how the BGP next-hop operation is handled.
In the above figure, a basic MPLS network and its components are shown. MPLS Layer 3 VPN requires the PE router to be the routing neighbor of the CE routers. That can be a static route, RIP, EIGRP, OSPF, IS-IS or BGP.
IP prefixes are received from the CE routers and the PE prepends an RD (Route Distinguisher) to the IP prefixes, so completely new VPN prefixes are created (RD + IPv4 = VPNv4).
PE routers re-originate all the customer prefixes regardless of their origin (static redistribution, or PE-CE OSPF/IS-IS/EIGRP/BGP) and advertise them to all MP-IBGP peers with the BGP next hop set to themselves. Unlike the plain IP network case, you don't need to do this manually.
Also, there can be a fourth model, which requires shifting traffic between links with any of the three options, such as pushing traffic away from over-utilized links.
Let's look at each option in detail.
1. Primary/Backup BGP Design Model
In the above figure, the Load Sharing BGP Internet edge design model is shown. In this model, all available links carry load. The goal is to load the links as evenly as possible without a negative impact on traffic flows. The common use case of this model is to squeeze as much bandwidth out of multiple links as possible. This is often the case where larger links are cost-prohibitive, such as for small companies or in locations where circuit cost is high.
In this model, a default route is received from the upstream ISPs.
Inbound traffic is manipulated by dividing the company's IP subnets and announcing particular more-specific routes across different links, in addition to the aggregate announcement.
In the above figure, the /24s are the more-specific routes and the /23 is the aggregate. The aggregate announcement is sent so that, in case one of the links fails, the remaining link can receive the traffic of the failed link.
Outbound traffic is manipulated with equal-cost static default routes. If one of the links is more utilized, hot potato routing is done for better utilization. Hot, cold and mashed potato routing will be explained later in this chapter.
3. Best Path BGP Design Model
In the above figure, the Best Path BGP Internet edge design model is shown.
In this model, rather than a default route, the full Internet routing table is received over all available uplinks. Having the full Internet routing table provides the ability to send traffic to the most optimal or closest exit point.
In the previous design model, the Load Sharing design model, a default route was received from the Service Providers and, if necessary, more-specific prefixes were created in the routing table. More configuration is necessary in that model, but having a smaller routing table gives the ability to use lower-end devices at the Internet edge. This model requires the full Internet routing table, which means more memory and processing power, but allows using the best path without too much configuration.
In all of the above models, when there is congestion on one or some of the links, some amount of traffic might be shifted to less utilized ones. This might be the case even in the Primary/Backup model.
Shifting traffic from a more utilized link to a less utilized link is called traffic dialing. Inbound traffic is shifted to the backup link or underutilized links by advertising some, but not all, destinations as more preferred across the links to be utilized.
These destinations will be more preferred due to being more specific, having a higher local preference, a shorter AS path, a lower MED value, etc. Outbound traffic is pushed away from the over-utilized links by increasing the IGP distance to the over-utilized links for some sources (hot potato routing). Outbound traffic can also be shifted away from the over-utilized links by de-preferencing some inbound BGP paths associated with those links.
Let's have a look at how AS-path prepending is used in the Best Path BGP design model for inbound path manipulation.
In the above figure, R1 and R4 are the Internet gateway routers in AS 100, which is connected to AS 200.
When R2 receives prefixes from R1, it sends them to R3 with the AS_PATH '100'. When R3 sends a BGP update to its EBGP neighbor, which is R4, it prepends AS 200, and the AS_PATH is seen by R4 as '200 100'.
When you examine BGP tables, the most recently traversed AS is always on the left, and the originating AS is at the right of the AS_PATH.
When R4 receives the BGP update from R3, since its own AS, AS 100, is in the AS_PATH (200 100), R4 doesn't accept the update. In some scenarios you may need R4 to accept the prefixes anyway, for example in MPLS L3 VPN.
If EBGP is used as the PE-CE protocol in an MPLS L3 VPN, R4 and R1 (customer sites in the same AS) would need to accept prefixes from each other.
There are two ways to overcome the issue. Either on the Service Provider side the BGP as-override feature is used (the PE replaces the customer AS in the path with its own), or on the customer side (R1 and R4 in this example) the BGP allowas-in feature is used (the CE accepts updates containing its own AS). Note that allowas-in disables the loop check on those sessions, so it should only be configured where the topology guarantees that no real loop can form.
What is BGP AS-path prepending?
BGP AS-path prepending is used to influence inbound traffic to the company. Outbound traffic engineering is usually done via BGP local preference.
The internal BGP speakers will receive the prefixes over the primary path with AS_PATH '200' and over the backup path with '200 200 200 200' (prepended), so they will choose the shorter AS path and use the primary link. In this topology BGP MED could be used as well, since customer AS 200 is connected to only one Service Provider, AS 100.
Don't forget that BGP AS-path prepending will not affect outbound traffic from the customer to the Service Provider. So if local preference is not implemented, the backup link is still used to send traffic from the customer to the Internet. But traffic from the Internet to the company is handled by BGP AS-path prepending (inbound traffic manipulation).
What are the challenges that BGP AS-path prepending cannot handle, and what are the solutions for incoming BGP path manipulation?
There are some challenges with BGP AS-path prepending when it is used in a multi-homed BGP setup.
local pref 90 towards the peering link and local pref 80 towards the upstream ISP.
With this knowledge we can understand why a customer of AS 30 would still see the customer link used for the 10.0.10.0/24 prefix, although the customer wants that link to be used only as backup.
The customer is sending that prefix with a prepended AS path, but the Service Provider applies its customer local preference to that prefix. Since the local preference attribute is compared before AS path length in the BGP best path selection process, if the traffic enters any of the BGP routers of AS 30, it is sent through the customer link, not through the BGP peering link with AS 10 or any upstream provider of AS 30.
This problem can be solved with BGP communities. If the customer sends the 10.0.10.0/24 prefix with a BGP community that affects the local preference value in AS 30, the link between the customer and AS 30 is no longer used.
For example, the customer could send the community 30:70, which reduces the local preference to 70 for the customer's prefixes received over the customer BGP session; AS 30 would then start to use the BGP peering link (local pref 90) to reach the 10.0.10.0/24 prefix.
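The BGP policy behaviour discussed from the partial-routes topology onwards (local preference versus longest match, the AS_PATH loop check and allowas-in, AS-path prepending, and the 30:70 community example above), in one Python model. This is added example code, not a BGP implementation and not from the book; the SP names, AS numbers, next hops and prefixes other than 78.100.120.0/24 and 10.0.10.0/24 are constructed.

```python
"""Simplified BGP decision process and the policy knobs discussed in this section:
AS_PATH loop check, allowas-in, AS-path prepending, community-driven local preference
and the longest-prefix-match lookup that happens after BGP has chosen a best path per
prefix. Added example code, not a real BGP implementation; AS numbers, next-hop names
and prefixes other than those in the text are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: tuple                    # leftmost = most recently traversed AS
    local_pref: int = 100
    med: int = 0
    origin: int = 0                   # 0 = IGP, 1 = EGP, 2 = incomplete; lower wins
    ebgp: bool = True
    communities: frozenset = frozenset()


def accept_update(local_as: int, path: Path, allowas_in: bool = False) -> bool:
    """EBGP loop prevention: an update whose AS_PATH already contains our AS is
    rejected, unless allowas-in deliberately disables the check (the MPLS L3 VPN
    PE-CE case in the text). allowas-in only belongs where no real loop can form."""
    return allowas_in or local_as not in path.as_path


def apply_inbound_policy(path: Path, community_localpref: dict) -> Path:
    """Provider-side inbound policy: a published community such as '30:70' sets
    LOCAL_PREF for that prefix on that session, overriding the session default."""
    for community, lp in community_localpref.items():
        if community in path.communities:
            path.local_pref = lp
    return path


def prepend(path: Path, own_as: int, times: int) -> Path:
    """Customer-side inbound TE: lengthen AS_PATH on the link that should be backup."""
    path.as_path = (own_as,) * times + path.as_path
    return path


def best_path(paths) -> Path:
    """Decision order as used in this chapter: highest LOCAL_PREF, shortest AS_PATH,
    lowest ORIGIN, lowest MED (paths assumed to come from the same neighbouring AS),
    then EBGP over IBGP. Later tie-breakers (IGP metric, router ID) are omitted."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.origin, p.med,
                                     0 if p.ebgp else 1))


def build_fib(rib: dict) -> dict:
    """One best path per prefix goes to the forwarding table: prefix -> next hop."""
    return {prefix: best_path(paths).next_hop for prefix, paths in rib.items()}


def lookup(fib: dict, destination: str) -> str:
    """Longest-prefix match. This runs after the BGP decision, so a /24 learned only
    from SP1 wins over a default route from SP2 no matter how high the local
    preference on the default is: the two are different prefixes and are never compared."""
    dst = ipaddress.ip_address(destination)
    covering = [ipaddress.ip_network(p) for p in fib if dst in ipaddress.ip_network(p)]
    return fib[str(max(covering, key=lambda net: net.prefixlen))]
```

The partial-routes topology is the first test case: the default route carries local preference 150 towards SP2, the /24 is only known via SP1, and the forwarding lookup still sends 78.100.120.0/24 to SP1 because local preference never gets to compare a /24 against a /0.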
This is memory-intensive, since you keep those prefixes in the BGP Adj-RIB-In database in addition to the BGP RIB (soft-reconfiguration inbound). By contrast, BGP route refresh accomplishes the same task in a different way. The filter is still applied to the incoming or outgoing prefixes, but they are not kept in a separate database: they are either taken into the BGP RIB or discarded, making memory consumption more efficient.
Don't forget that router memory is expensive!
The community attribute is sent over the BGP session by the customer to the Service Provider. Upon receiving the prefixes, the ISP takes the action defined for its predefined communities.
ISPs publish their supported community attribute values. For example, they can say that if a customer sends prefixes with the 5000:110 community attached, then local preference 110 is applied towards that circuit.
BGP Peering
BGP peering is an agreement between different Service Providers. It is an EBGP neighborship between different Service Providers to exchange traffic between them without paying an upstream Service Provider.
To understand BGP peering, we must first understand how networks are connected to each other on the Internet. The Internet is a collection of many individual networks, which interconnect with each other under the common goal of ensuring global reachability between any two points.
• May also be a Telco-delivered circuit as well.
Done at the exchange point, commonly referred to as an IX.
the ports. A private peer is typically the optimal choice for two networks exchanging a large volume of traffic.
For example, if two networks exchange 10 Gbps of traffic with each other, it is probably cheaper and easier to provide a dedicated 10 GE between them, rather than have each of them pay for another 10 GE exchange port.
Many networks maintain a mix of public and private peers. When we talk about service provider network interconnections in real life, we mostly use a tier definition.
IBGP
IBGP is used inside an autonomous system. In order to prevent routing loops, IBGP requires a full mesh of sessions among the BGP nodes. Full-mesh IBGP may create configuration complexity and resource problems due to the high number of BGP sessions in a large-scale BGP deployment.
Route reflectors and confederations can be used to reduce the number of sessions on each router. Both reduce the number of sessions and the amount of configuration, but both have important design considerations.
• Confederations divide the autonomous system into smaller sub-autonomous systems.
• Confederations allow EBGP rules to be applied between Sub-ASs.
Also, inside each Sub-AS a different IGP can be used. Company merger scenarios are easier to handle with confederations than with route reflectors.
BGP Confederation
Prefix p/24 is sent from the RR client to the three RRs. The route reflectors have a full mesh among them and send the prefixes to each other. A BGP route reflector cluster is the collection of route reflectors and their route reflector clients. The RR uses the Cluster ID for loop prevention; RR clients don't know which cluster they belong to.
In the above picture, if we had a BGP route reflector instead of the P router, PE3 wouldn't receive the backup path, because route reflectors hide paths: they select the best path and advertise only that best path to their route reflector clients.
route reflector does not create a cluster list.
If the route is sent to an EBGP peer, the RR removes the cluster list information.
If the route is received from an EBGP peer, the RR does not create a cluster list attribute.
The cluster list is used for loop prevention only by the route reflectors. Route reflector clients do not use the cluster list attribute, so they do not know which cluster they belong to.
If an RR receives a route whose cluster list contains its own cluster ID, the route is discarded.
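The reflection rules above, as an added Python model (not code from the book): a route reflector accepts or discards a route based on ORIGINATOR_ID and CLUSTER_LIST, and rewrites those attributes depending on where the route came from and where it is going. The router IDs, cluster IDs and the prefix are constructed values; the same-cluster scenario mirrors the R1/R2 case discussed next.

```python
"""Toy model of BGP route reflection rules for ORIGINATOR_ID and
CLUSTER_LIST. Added illustration, not from the book: router IDs,
cluster IDs and the prefix are constructed values."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    originator_id: Optional[str] = None   # router ID of the IBGP originator
    cluster_list: Tuple[str, ...] = ()     # cluster IDs the route has crossed


class RouteReflector:
    def __init__(self, router_id: str, cluster_id: str) -> None:
        self.router_id = router_id
        self.cluster_id = cluster_id

    def accept(self, route: Route, from_kind: str) -> bool:
        """Inbound loop check. from_kind is 'client', 'nonclient' or 'ebgp'.
        A route carrying our own cluster ID or our router ID as originator
        has already been through us, so it is discarded."""
        if from_kind == "ebgp":
            return True   # attributes are IBGP-only; nothing to check
        if route.originator_id == self.router_id:
            return False
        if self.cluster_id in route.cluster_list:
            return False
        return True

    def advertise(self, route: Route, from_peer_id: str,
                  from_kind: str, to_kind: str) -> Optional[Route]:
        """The route as sent to a peer of to_kind, or None if not sent.
        Rules from the text: reflected IBGP routes get ORIGINATOR_ID (if
        missing) and our cluster ID prepended; EBGP-learned routes get no
        cluster list; both attributes are stripped before an EBGP peer."""
        if to_kind == "ebgp":
            return replace(route, originator_id=None, cluster_list=())
        if from_kind == "ebgp":
            return route   # ordinary IBGP advertisement, nothing reflected
        if from_kind == "nonclient" and to_kind == "nonclient":
            return None    # nonclient-to-nonclient is not reflected
        return replace(route,
                       originator_id=route.originator_id or from_peer_id,
                       cluster_list=(self.cluster_id,) + route.cluster_list)


def same_cluster_scenario() -> bool:
    """Two RRs sharing cluster ID 10.0.0.1: RR2 cannot learn the client's
    route from RR1, the same-cluster-ID behaviour described in the text."""
    rr1 = RouteReflector("1.1.1.1", "10.0.0.1")
    rr2 = RouteReflector("2.2.2.2", "10.0.0.1")
    client_route = Route("192.0.2.0/24")          # constructed prefix
    reflected = rr1.advertise(client_route, "3.3.3.3", "client", "nonclient")
    return rr2.accept(reflected, "nonclient")       # False


def different_cluster_scenario():
    """Distinct cluster IDs: RR2 accepts, prepends its own cluster ID when
    reflecting to its clients, and RR1 would reject the route if it ever
    came back. Returns (accepted_by_rr2, cluster_list, rejected_by_rr1)."""
    rr1 = RouteReflector("1.1.1.1", "10.0.0.1")
    rr2 = RouteReflector("2.2.2.2", "10.0.0.2")
    client_route = Route("192.0.2.0/24")
    r1 = rr1.advertise(client_route, "3.3.3.3", "client", "nonclient")
    accepted = rr2.accept(r1, "nonclient")
    r2 = rr2.advertise(r1, "1.1.1.1", "nonclient", "client")
    return accepted, r2.cluster_list, not rr1.accept(r2, "nonclient")


def ebgp_export_strips_attributes() -> bool:
    """Cluster list and originator ID never leave the AS."""
    rr = RouteReflector("1.1.1.1", "10.0.0.1")
    r = rr.advertise(Route("192.0.2.0/24"), "3.3.3.3", "client", "nonclient")
    out = rr.advertise(r, "3.3.3.3", "client", "ebgp")
    return out.originator_id is None and out.cluster_list == ()
```

The model deliberately keeps the client side attribute-free: a client never reads the cluster list, which is why, as the text says, clients do not know which cluster they belong to.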
Let’s start with the basic topology.
Since the routes cannot be learned from R2 (same cluster ID), if the physical link stays up but the IBGP session between R1 and R4 goes down, the networks behind R4 will not be reachable either. However, if the BGP neighborships are between loopbacks and the physical topology is redundant, the chance of an IBGP session going down is very low.
Note: Having redundant physical links in a network design is a common best practice. That's why the topology below is a more realistic one.
What if we add a physical link between R1-R4 and R2-R3?
Figure-2 Route Reflector uses same cluster-ID, physical cross-connection is added
between the RR and RR clients
BGP Shadow Route Reflectors to send more than one best path
Shadow route reflectors: there are two route reflectors; one route reflector sends the best path, and the second one calculates and sends the second best path.
In the topology above, paths P1 and P2 are learned by both RR1 and RR2. The customer sends a lower MED on path P2 to use its links in active/standby fashion. In order to send both paths to the RRs, BGP best external is enabled on PE1 and PE2, so RR1 and RR2 receive both the P1 and P2 paths. Since the MED is lower on the P2 path, RR1 and RR2 choose PE2 as the best exit. Only PE2 is advertised as the best path towards R3.
By deploying RR2 as a shadow RR, we can send the second best path, which is the path from PE1, towards PE3. Shadow route reflector deployments don't require MPLS in the network.
Shadow sessions: a second IBGP session can be created between the RRs and a PE (PE is used here as a general term for an edge BGP node). Neither the shadow RR nor the shadow session design requires MPLS in the network.
In the above topology, second sessions can be created between RR1, RR2 and PE3. Over the second IBGP session, the second best path can be sent. This session is called a shadow route reflector session.
BGP Add-Path
With shadow RRs or shadow sessions, there are secondary IBGP sessions between the RR and the PEs. The same behavior can be achieved with BGP Add-Path without an extra IBGP session between the route reflector and the route reflector clients.
BGP Add-Path uses a path identifier to distinguish the different next hops over a single IBGP session.
In BGP, if multiple paths for the same prefix are sent over the same BGP session, only the last one is kept, since it is seen as the latest update.
When using VPN route reflectors, you can use multiple route reflectors for different prefixes if scalability is a concern. Based on route targets, route reflector Group-1 can serve the odd route target values and route reflector Group-2 the even route target values.
In this solution, PEs send prefixes with all RT values to both route reflector groups. Both groups receive and process all the prefixes, but based on odd/even ownership they filter out the unwanted ones. However, processing prefixes that will be filtered anyway is not efficient.
| Design Requirement | BGP Add-Path | BGP Shadow RR | BGP Shadow Sessions | MPLS Unique RD per PE per VRF |
|---|---|---|---|---|
| Best in MPLS | No | No | No | Yes |
| How many IBGP sessions between RR and RR client | One IBGP session; path IDs are different for different next hops | One session per route reflector. If there is only one more shadow RR which sends the second best path, two IBGP sessions on the RR client, one for each RR | One session per next hop. Only one RR, but multiple separate IBGP sessions are required between RR and RR client | Only one IBGP session between VPN RR and RR client; different RDs make the same IP prefixes unique |
| Resource requirement | Best | Worst, requires a separate RR and an IBGP session per next hop | Better than shadow RR because it doesn't require a separate route reflector; worse than Add-Path because it requires an extra IBGP session per next hop | Same as Add-Path, doesn't require an extra IBGP session or route reflector |
| Migration of existing route reflectors | Very hard, all route reflectors and clients need to be upgraded to support Add-Path | Easy, only route reflector code needs to be upgraded | Easy, only route reflector code needs to be upgraded | Easiest because there is no upgrade on any device. Only a unique/separate route distinguisher needs to be configured on the PEs per VRF |
| Standard protocol | Yes, IETF standard | Yes, IETF standard | Yes, IETF standard | Yes, IETF standard |
| Staff experience | Not well known | Not well known | Not well known | Known |
| Troubleshooting | Hard; the default behaviour of BGP, which is advertising only one best path, is changing. Operations staff need to learn new troubleshooting skills | Easy | Easy | Easy |
| IPv6 support | Yes | Yes | Yes | Yes |
| Provisioning | Easy, only one IBGP session between route reflector and client | Hard, one IBGP session per next hop | Hard, one IBGP session per next hop | Easiest, the only consideration is to have a unique RD per VRF per PE |

BGP Add-Path vs. BGP Shadow RR vs. BGP Shadow Sessions vs. Unique RD per VRF per PE Design Comparison
BGP Route Reflector logical topology should follow physical topology in IP backbones
If someone tosses you a hot potato, do you want to hold it for a long time? If you like pain maybe the answer is yes, but how many of us like pain? In the same way, hot potatoes are very applicable to IBGP design. When a service provider receives a packet whose destination is in another service provider's network, it doesn't want to keep the traffic in its own network for long.
Why? The answer lies in simple economics, including the different types of peering relationships between providers. Before going further into an explanation and design cases for hot, cold and mashed potatoes, let's take a look at what these arrangements are.
Service providers can be grouped as Tier 1, 2 or 3 depending on their topology, traffic and the geographic separation of their networks. This concept was explained earlier in this chapter.
If a service provider receives a service and/or connection from a provider at a higher tier, the arrangement is called a transit relationship. A Tier 2 SP is the upstream service provider of a Tier 3 SP, and the Tier 2 SP gets its service and/or connection from a Tier 1 provider.
Tier 1 providers have their own transmission facilities, connecting geographically separated regions.
Service providers pay to transit traffic to a service provider at a different tier: Tier 2 providers pay Tier 1 providers for transit, Tier 3 providers pay Tier 2 providers for transit, and so on. Along the same tier, or among providers that exchange roughly equal amounts of traffic, providers create settlement-free peering relationships. How does all of this relate to hot potato routing?
Service providers don't want to keep customer traffic in their network if they can push it off onto another provider's network, especially if the destination is reachable through a peering connection for which they don't pay the other provider, so they move the traffic out of their network into the peering provider's network as quickly as possible.
This is hot potato routing. Hot potato routing aims to bring traffic to the exit point closest to where it enters the network.
I will use the figure below to explain some of the concepts. In AS1, there are two route reflectors, which can be in the same or different clusters. Route reflector clustering design will be explained in this chapter.
If R5 or R6 in AS2 send the prefix with a MED attribute set, AS1 should remove the MED on the incoming prefixes to get hot potato routing.
Different vendors' BGP implementations may vary in how they use the MED attribute, although the latest RFC defines that if the MED is not set by the sending AS, the receiving AS handles it as the minimum possible value. This removes the inconsistency.
But to get hot potato routing, the network designer needs to move beyond BGP metrics and work with the internal topology of the provider's network. Inside an AS, three types of BGP topology can exist: BGP full mesh, confederation or route reflector. Full-mesh IBGP topologies where the MED is ignored will naturally choose the exit point closest to the entrance point. For route reflector topologies, the closer the RRs are to the EBGP speakers along the edge of the network, the more accurately traffic will follow the IGP metrics, and the closer the AS will come to achieving optimal hot potato routing.
Service providers, especially when their BGP topologies get bigger, implement route reflectors or confederations. Route reflectors increase BGP scaling by hiding alternate paths from their clients, which involves a set of tradeoffs.
Instead of having every potential exit point from the AS, any given EBGP speaker will now only have the set of exit points the RR sends it: the optimal exit points from the RR's perspective. But this best path may not be the best path to exit the domain from the internal IBGP device's point of view; it is the best path from the route reflector's point of view.
Traditional BGP works like this. There are a couple of papers out there about the path-state vector idea, which sends policy information more than one hop away to overcome BGP's slow convergence (here I am comparing the speed with IGP protocols, not full mesh vs. route reflector in BGP). But even with that idea, route reflector best path selection and advertisement behavior doesn't change.
Three different proposals have been put forward to resolve this problem: BGP add paths, diverse path, and computing the best path from the client's point of view. Add path and diverse path can be used to send more than one exit point to an internal BGP speaker. With these approaches, the idea is to send more than one best path, as seen by the RR, to the internal IBGP speaker. (Add Path and Diverse Path/Shadow RR were explained earlier in this chapter.)
The IBGP speaker holds these paths, which can be installed into the RIB if
can be easily removed from the BGP update, depending on the agreement between the service providers.
Google, Facebook and Akamai bring their cache engines and servers to IXPs (Internet exchange points) or directly into service provider networks to avoid hot potato routing towards their networks. This is actually good for end users, providers and Google, while reducing the value of transit providers' services. When the cache engine is closer to the actual users, service providers can better control the traffic and use the best exit to reach the content.
Hot and cold potato routing send the traffic either to the exit closest to the entry point, or to the exit closest to the actual destination.
Route reflectors can be deployed to avoid operational concerns and to avoid keeping all the routing state in every BGP device.
Route reflectors also need to be fully meshed to allow prefix distribution inside an AS, and in some topologies hierarchical BGP route reflection can be created as a second level of hierarchy.
Full-Mesh IBGP vs. BGP Route Reflectors vs. BGP Confederation Design Comparison
The table below summarizes the similarities and differences of these three IBGP design models in detail.
Network designers should know the pros and cons of the technologies, protocol alternatives and their capabilities from the design point of view. Although BGP route reflectors are the most widely deployed in large-scale networks, there are still some BGP confederation deployments in real life as well.
| Design Requirement | Full Mesh IBGP | BGP Route Reflector | BGP Confederation |
|---|---|---|---|
| Scalability | Least; between each pair of BGP nodes there is an IBGP session, so the number of sessions and the configuration are highest | High, since there is only one IBGP session on the RR client (if there are two RRs, two sessions per RR client) | Medium, since it requires a route reflector inside each Sub-AS for scalability |
| Logical topology | Full mesh | Hub and spoke between the route reflectors and the RR clients | Point-to-point between Sub-ASes; hub and spoke RR to RR client inside the Sub-AS, or full-mesh IBGP inside the Sub-AS |
| Resource requirement | Highest | Lowest | Medium |
| Number of next hops | All available next hops are sent, thus highest resource consumption on the BGP routers | Only one best path is sent by the RR to RR clients, thus lowest resource consumption among the options | Depends on full-mesh IBGP or RR inside the Sub-AS: if full mesh, all the available paths; if RR is used, only one best path is sent |
| Loop prevention | No loop, since all the BGP routers are direct IBGP peers | Cluster List and Originator ID are used for loop prevention | Between Sub-ASes EBGP rules apply; if a Sub-AS sees its own AS number in the AS path, the packet is dropped |
| Migration from full mesh | No | Migration from full-mesh IBGP is easy compared to confederation | Migration from full-mesh IBGP is hard compared to BGP route reflectors |
| Standard protocol | Yes | Yes | Yes |
| Different IGP inside an AS | Technically yes, but running the same IGP is the best practice inside an AS | Technically yes, but running the same IGP is the best practice inside an AS | Definitely yes, and there is no problem. One of the advantages of BGP confederation compared to BGP RR design: inside each Sub-AS a different IGP can run, and IGP topologies are not extended between Sub-ASes |
| Commonly used | Most common in small-scale environments | Most common in large-scale environments | Not very common |
| Path visibility | All the available paths are known by the IBGP routers; highest level of visibility | Route reflectors only advertise the best path to RR clients; path visibility is worst | Depends. Inside a Sub-AS with full-mesh IBGP it is best; if RR is running, worst |
| Provisioning | Hard, since it requires too much configuration | Very easy, one IBGP session per RR | Medium. Worse than route reflector |
| IPv6 support | Yes | Yes | Yes |
| Default convergence | Fastest, since all IBGP routers are connected directly and the second best path is already known by the routers | Worst, since the RR adds extra convergence time and the RR clients know only the best path when an RR is deployed | Depends. If full-mesh IBGP then fast; if RR inside a Sub-AS, then slow |
| MPLS VPN support | Yes | Yes | Yes, but hard to manage since Inter-AS VPN operation is required |

Full-Mesh IBGP vs. BGP Route Reflectors vs. BGP Confederation Design Models Comparison
BGP Hot and Cold Potato Routing
In this diagram, egress traffic from AS 200 is the green arrow, since the SF path has the shorter IGP distance. Ingress traffic to AS 200 from AS 100 is the blue arrow, since the NYC connection from AS 100 has the shorter IGP distance (40 vs. 200).
AS 200 is complaining about performance and is looking for a solution to fix this behavior. What would you suggest to AS 200?
• Customer AS 200 should force AS 100 to do cold potato routing. Since they are customers, their service providers have to do cold potato routing for them.
• By forcing cold potato routing, AS 100 has to carry the web content traffic to the exit point closest to AS 200, which is San Francisco. That's why AS 200 is sending its prefixes from SF with a lower MED than from NYC, as depicted below.
In the above figure, there are two Service Providers, SP1 and SP2.
They have three peering connections in different places.
Coordinated Routing Traffic Pattern over Peering Links
In the above figure, R1, R2, R3, R4, R5 and RR (Route Reflector) belong to AS 100; R6 and R7 belong to AS 200.
There are two EBGP connections between the ASBRs of the service providers.
Everybody has told you so far that BGP converges slowly because BGP is designed for scalability, not for fast convergence, right?
But that is wrong too.
If BGP relies on the control plane to converge, of course it will be slow, since the default timers are long (BGP MRAI, BGP Scanner and so on), although you don't need to rely on them, as I will explain now.
the prefixes to the route reflector, the route reflector will run best path selection and advertise them to R1, and R1 will run best path selection and place the prefixes into the RIB.
How do the IBGP routers learn that R4 has failed?
There are two mechanisms for that. They either wait for the BGP Scanner timer (60 seconds in most implementations) to check whether the BGP next hops for the BGP prefixes are still up, or they use the newer approach, BGP Next Hop Tracking (almost all vendors support it).
With BGP next hop tracking, the BGP next hop prefixes are registered with the IGP route watch process, so as soon as the IGP detects the BGP next hop failure, the BGP process is informed. So R1 learns of the R4 failure through the IGP. Then R1 has to delete all the BGP prefixes learned from R4. If it is the full Internet routing table, this is a very time-consuming process, as you can imagine.
In the absence of an already calculated backup path, BGP relies on control plane convergence, so of course it takes time. But you don't have to rely on that. I recommend that service providers start considering BGP PIC for their Internet and VPN services.
In the router's routing table there is always a recursion for the BGP prefixes. So for the 192.168.0.0/24 subnet the next hop would be 10.0.0.1 if next-hop-self is enabled; otherwise, since IBGP doesn't change the BGP next hop by default when the prefixes are received from an EBGP peer, 5.5.5.5 would be the next hop.
But in order to forward the traffic, the router needs to resolve the immediate next hop and the layer 2 encapsulation. So for 10.0.0.1 or 5.5.5.5, R1 selects either 172.16.0.1 or 172.16.1.1, or R1 can do ECMP (Equal Cost Multipath).
In many vendors' FIB implementations, BGP prefixes resolve directly to the immediate IGP next hop. Cisco's CEF implementation works this way too. This is not necessarily a bad thing: it provides better throughput since the router doesn't have to do a double/aggregate lookup. But from the fast convergence point of view, we need a hierarchical data plane (hierarchical FIB). With BGP PIC, both the PIC Core and PIC Edge solutions, you have a hierarchical data plane, so for 192.168.0.0/24 you will have 10.0.0.1 or 5.5.5.5 as the next hop in the FIB (same as in the RIB).
For 10.0.0.1 and 5.5.5.5 you will have another FIB entry which points to the IGP next hops, 172.16.0.1 and 172.16.1.1. These IGP next hops can be used in a load-shared or active/standby manner.
BGP PIC Core hides IGP failures from the BGP process. If the link R1-R2 or R2-R3 fails, or R2 or R3 fails as a device, R1 immediately starts to use the backup IGP next hop.
Since the BGP next hop doesn't change and only the IGP path changes, recovery time is based on IGP convergence. For BGP PIC Core you don't need multiple IBGP next hops. BGP PIC Core handles core IGP link and node failures.
BGP PIC Edge, on the other hand, provides sub-second BGP recovery in the case of an edge link or node failure.
In order for BGP PIC Edge to work, the edge IBGP devices (ingress PEs and ASBRs) need to support BGP PIC, and they also need to receive a backup BGP next hop.
In the above topology, R1 is the ingress PE, and R4 and R5 are the ASBR nodes. The route reflector is shown in the data path, but this is not recommended in real network design. Unfortunately, the backup next hop is not sent when a BGP route reflector is introduced, since the RR selects and advertises only the best path for a given prefix. For example, in the above topology, R6 and R7 both send the 192.168.0.0/24 network, but R1 can learn only one exit point (BGP next hop) from the RR, either R4 or R5.
There are many ways to send more than one best path from a BGP RR, as we have seen earlier in this chapter. So let's assume R1 learns the 192.168.0.0/24 prefix from both R4 and R5 by using one of those ways.
Consider the case where the R4-R6 link fails and R4 doesn't set the next hop to itself (no next-hop-self). In that case, the link between R4 and R6 is advertised into the IGP. When the R4-R6 link fails, R1 learns of the failure from the IGP. The BGP next-hop tracking feature helps here: the IGP registers with the BGP next-hop tracking process.
When R1 learns of the link failure between R4 and R6, it immediately changes the BGP next hop for the 192.168.0.0/24 prefix to R5. This switchover is done in less than a second regardless of the number of prefixes, which means that even if you have a million BGP prefixes that need to be updated, you still get sub-second convergence. (In this example, for simplicity, only the 192.168.0.0/24 prefix is shown.)
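The flat versus hierarchical FIB contrast from the PIC Core and PIC Edge discussion above, as an added Python model that is not code from the book. Addresses are borrowed from the chapter's figure (192.168.0.0/24, BGP next hops 10.0.0.1 and 5.5.5.5, IGP next hops 172.16.0.1 and 172.16.1.1); assigning 10.0.0.1 to the R4 path and 5.5.5.5 to the R5 path, the primary/backup roles, and the extra prefixes are this example's assumptions. It shows why the repair cost of a flat FIB grows with the number of prefixes while a hierarchical FIB touches one shared entry, and why an edge link failure does not trigger next-hop tracking when the ASBR uses next-hop-self.

```python
"""Toy flat vs. hierarchical FIB illustrating BGP PIC Core and PIC Edge.
Added example, not from the book; addresses follow the chapter's figure,
the role assignment and extra prefixes are constructed."""
from typing import Dict, List, Optional, Set, Tuple


class FlatFib:
    """Each prefix points straight at an IGP next hop (the flat CEF-style
    resolution the text describes). Repairing an IGP next-hop failure
    means rewriting every prefix entry that used it."""

    def __init__(self) -> None:
        self.entries: Dict[str, List[str]] = {}   # prefix -> [primary, backup]

    def add(self, prefix: str, igp_next_hops: List[str]) -> None:
        self.entries[prefix] = list(igp_next_hops)

    def lookup(self, prefix: str) -> Optional[str]:
        nhs = self.entries[prefix]
        return nhs[0] if nhs else None

    def igp_next_hop_failed(self, igp_nh: str) -> int:
        """Per-prefix repair; returns how many entries were rewritten."""
        rewritten = 0
        for nhs in self.entries.values():
            if igp_nh in nhs:
                nhs.remove(igp_nh)
                rewritten += 1
        return rewritten


class HierarchicalFib:
    """Two-level FIB: prefix -> BGP next hops, BGP next hop -> IGP next hops.
    A failure at either level is repaired by touching one shared entry."""

    def __init__(self) -> None:
        self.bgp_paths: Dict[str, List[str]] = {}   # prefix -> [primary, backup] BGP NH
        self.igp_paths: Dict[str, List[str]] = {}   # BGP NH -> [primary, backup] IGP NH
        self.down_bgp: Set[str] = set()
        self.down_igp: Set[str] = set()

    def add_prefix(self, prefix: str, bgp_next_hops: List[str]) -> None:
        self.bgp_paths[prefix] = list(bgp_next_hops)

    def add_bgp_next_hop(self, bgp_nh: str, igp_next_hops: List[str]) -> None:
        self.igp_paths[bgp_nh] = list(igp_next_hops)

    def lookup(self, prefix: str) -> Optional[Tuple[str, str]]:
        """Resolve prefix -> live BGP next hop -> live IGP next hop."""
        for bgp_nh in self.bgp_paths[prefix]:
            if bgp_nh in self.down_bgp:
                continue
            for igp_nh in self.igp_paths[bgp_nh]:
                if igp_nh not in self.down_igp:
                    return bgp_nh, igp_nh
        return None

    def igp_next_hop_failed(self, igp_nh: str) -> int:
        """PIC Core: a core link/node failure only marks the level-2 entry;
        BGP next hops and prefixes are untouched. Returns entries rewritten."""
        self.down_igp.add(igp_nh)
        return 1

    def bgp_next_hop_failed(self, bgp_nh: str) -> int:
        """PIC Edge: next-hop tracking reports the BGP next hop unreachable;
        the shared level-1 pointer flips for every prefix using it."""
        self.down_bgp.add(bgp_nh)
        return 1

    def edge_link_failed(self, link_next_hop: str, next_hop_self: bool) -> bool:
        """Edge link (R4-R6) fails. Without next-hop-self the BGP next hop is
        the link address, it vanishes from the IGP and NHT fires. With
        next-hop-self the loopback stays reachable and NHT does not fire.
        Returns whether NHT fired."""
        if next_hop_self:
            return False
        self.bgp_next_hop_failed(link_next_hop)
        return True


def build_fibs(extra_prefixes: int = 99) -> Tuple[FlatFib, HierarchicalFib]:
    """Constructed FIBs: 192.168.0.0/24 plus extra prefixes, all preferring
    the R4 path (10.0.0.1 via 172.16.0.1) with R5 (5.5.5.5 via 172.16.1.1)
    as backup."""
    prefixes = ["192.168.0.0/24"] + [f"198.51.{i}.0/24" for i in range(extra_prefixes)]
    flat, hier = FlatFib(), HierarchicalFib()
    hier.add_bgp_next_hop("10.0.0.1", ["172.16.0.1", "172.16.1.1"])
    hier.add_bgp_next_hop("5.5.5.5", ["172.16.1.1", "172.16.0.1"])
    for p in prefixes:
        flat.add(p, ["172.16.0.1", "172.16.1.1"])
        hier.add_prefix(p, ["10.0.0.1", "5.5.5.5"])
    return flat, hier


def pic_core_demo() -> Tuple[int, int, Optional[Tuple[str, str]]]:
    """Core failure takes 172.16.0.1 away: flat FIB rewrites every prefix,
    hierarchical FIB rewrites one entry and keeps the BGP next hop."""
    flat, hier = build_fibs()
    return (flat.igp_next_hop_failed("172.16.0.1"),
            hier.igp_next_hop_failed("172.16.0.1"),
            hier.lookup("192.168.0.0/24"))


def pic_edge_demo() -> Tuple[bool, bool, Optional[Tuple[str, str]]]:
    """R4-R6 edge link fails, first with next-hop-self on R4, then without."""
    _, hier = build_fibs()
    fired_with_nhs = hier.edge_link_failed("10.0.0.1", next_hop_self=True)
    fired_without = hier.edge_link_failed("10.0.0.1", next_hop_self=False)
    return fired_with_nhs, fired_without, hier.lookup("192.168.0.0/24")
```

With 100 prefixes the flat FIB reports 100 rewrites for one core failure while the hierarchical FIB reports 1; the edge demo returns no NHT trigger for the next-hop-self case and a switch to the R5 path otherwise.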
BGP PIC Edge in case the edge link fails and the ASBR sets next-hop-self
When R4 sets the BGP next hop to itself (done by setting the loopback as the next hop), the loopback interface won't go down. So even though R1 learns of the link failure from the IGP (if the R4-R6 link is redistributed into the IGP), it doesn't trigger BGP next-hop tracking to fail the BGP next hop, because the BGP next hop for the 192.168.0.0/24 prefix is not the
BGP Best External is generally used in active/standby BGP topologies, but it is not limited to that.
The BGP Best External feature helps BGP converge much faster by advertising external BGP prefixes which would not normally be sent, because they are not the overall BGP best path.
There are BGP best internal, BGP best external and BGP overall best paths.
BGP Best External in active/standby scenarios can be used in MPLS VPN, Internet business customer, EBGP peering and hierarchical large-scale service provider backbone scenarios, among many others.
install prefixes with its external path into the RIB and FIB.
Now let's enable BGP best external on R2.
When BGP best external is enabled on R2, although the overall best path in BGP comes from the IBGP neighbor R3, R2 would advertise its best external path. Since R2 has only one external path, R2 would send that path to both R3 and R1.
Here is the trick. Implementations don't install the best external path into the RIB and FIB of the routers unless BGP PIC is enabled. (Some vendors, Cisco for example, enable BGP PIC by default when BGP best external is enabled.)
In case R3's external link fails, R3 would start to send the traffic towards R2, because the prefixes would be installed in the RIB and FIB with the backup flag.
You might think that this solves the issue: in case the primary link fails, the secondary link is immediately used without packet loss. Actually, no.
If it is a pure IP network, a microloop occurs. When R3 starts sending the traffic towards R2 (BGP PIC is enabled), R2 doesn't yet know that R3's external link has failed. R2 sends the traffic back to R3 and R3 sends it back to R2, because both do an IP lookup for the BGP prefix.
In MPLS VPN this is solved if the VPN label allocation is done per prefix or per CE, since R2 and R3 in that case wouldn't do an IP lookup; based on the inner (VPN) label they would send the traffic straight towards the customer. If VPN label allocation is done per VRF, then if two CEs are connected to R2, R2 has to do an IP lookup to pick the correct CE, and because of that IP lookup R2 would send the traffic back to R3 and the microloop would occur again.
So BGP best external and PIC in an IP network will suffer from the microloop, but instead of losing seconds or minutes waiting for BGP to converge, when the IGP is tuned the microloop can be resolved in less than a second, because R2 is notified about R3's external link failure as fast as possible.
Now let's look at another example to see how BGP best external works and how it helps convergence. This example also shows that in specific topologies you may not need BGP Add-Path or BGP shadow RRs/shadow sessions to send more than one path from a route reflector.
The topology above was common in the past and is still used in some service provider networks. A POP and core architecture is shown, without MPLS in the core. The POP has route reflectors in the data path, with more than one route reflector for redundancy, and the routes are summarized at the core-to-POP boundary.
In the above figure, for simplicity only three POPs connected to the core network are shown. Each POP has two RRs, which have full-mesh IBGP sessions between them. In the core there is a PE connected to the customer and an ASBR connected to the upstream provider, which receives the BGP prefix. In the POP there is a full mesh of IBGP sessions as well.
Note that there could be a second level of hierarchy in the core as well, because when the number of POP locations grows, the required full-mesh IBGP sessions between the RRs would become too many.
For a given prefix, in this picture, we have two paths: Path 1 from POP1 and Path 2 from POP3.
BGP best external in this topology can be enabled in two places: on the ASBRs and also on the route reflectors.
Let's assume local preference is set to 200 on the ASBR in POP1 and 100 on the ASBR in POP3. This makes the ASBR in POP1 the overall BGP best path for the prefix. If BGP best external is enabled only on the ASBRs but not on the route reflectors, then the route reflectors in POP1 and POP2 don't receive the best external path, which is Path 2 from POP3.
But POP3's RR3-A and RR3-B do receive both the overall best path, Path 1, and the best external path, Path 2, simply because the ASBR in POP3 sends its best external path to its RRs, RR3-A and RR3-B.
In this topology, BGP Add-Path could be used to send the best external path from RR3-A and RR3-B to the POP1 and POP2 route reflectors.
But the problem with BGP Add-Path is that it requires a software and hardware upgrade on every PE, ASBR and route reflector.
Instead, BGP Best External is enabled on the route reflectors as well. This allows RR3-A and RR3-B to send the best external path, Path 2, to the POP1 and POP2 RRs. When we have both the overall best path and the BGP best external path on the RRs, then in case the overall best path goes down, network convergence is greatly improved, especially when BGP PIC is used together with BGP best external on the ASBRs and RRs.
For example, if traffic comes from POP2, which doesn't have an ASBR, and needs to go to the prefix, RR2-A and RR2-B will have two paths in this case: the overall best path, Path 1, and the best external path, Path 2.
Both paths would be installed in the RRs' RIB and FIB (BGP PIC is enabled in addition to BGP best external). In case Path 1 fails, since the best external path is already in the RIB and FIB, BGP PIC would just change the pointer to the best external BGP path and you wouldn't even lose a packet.
• BGP best external is especially useful with BGP PIC, and some vendors enable BGP PIC by default when BGP best external is enabled.
• If you will use BGP best external in the network, test before deployment, because your vendor's implementation might be slightly different.
• BGP best external can be enabled at the edge of the network, such as on the ASBRs, as well as on the RRs.
• Depending on the topology, BGP best external and BGP PIC may be enough to send more than one path without BGP Add-Path or other mechanisms.
• With BGP best external and BGP PIC, for certain topologies, you can have sub-second convergence.
• BGP best external was already specified in the original BGP RFC but was never implemented by the vendors; now it is popular again.
| Design Requirement | OSPF | IS-IS | EIGRP | BGP |
|---|---|---|---|---|
| Scalability | 2-tier hierarchy, less scalable | 2-tier hierarchy, less scalable | Supports many tiers and scalable | Most scalable routing protocol |
| Working on full mesh | Works well with mesh group | Works well with mesh group | Works very poorly, and there is no mesh group | Works very poorly, but RR removes the requirement |
| Working on a ring topology | It's okay | It's okay | Not good if the ring is big, due to the query domain | Good with route reflector |
| Working on hub and spoke | Works poorly, requires a lot of tuning | Works badly, requires tuning | Works very well, requires minimum tuning | IBGP works very well with route reflector |
| Fast reroute support | Yes, IP FRR | Yes, IP FRR | Yes, IP FRR and feasible successor | Requires BGP PIC + NHT + best external + Add-Path |
| Suitable on WAN | Yes | Yes | Yes | Yes, but in very large scale or when policy is needed |
| Suitable in datacenter | DCs are full mesh, so no | DCs are full mesh, so no | DCs are full mesh, so no | Yes, in large-scale DCs, and it is not uncommon |
| Suitable on Internet edge | No, it is designed as an IGP | No, it is designed as an IGP | No, it is designed as an IGP | Yes, it is designed to be an inter-domain protocol |
| Standard protocol | Yes, IETF standard | Yes, IETF standard | No, there is a draft but it lacks the stub feature | Yes, IETF standard |
| Staff experience | Very well known | Not well known | Well known | Not well known |
| Overlay tunnel support | Yes | Doesn't support IP tunnels | Yes | Yes |
| MPLS Traffic Engineering support | Yes, with CSPF | Yes, with CSPF | No | No |
| Security | Less secure | More secure since it runs on layer 2 | Less secure | Secure since it runs on TCP |
| Suitable as enterprise IGP | Yes | No, it lacks IPsec | Yes | Not exactly, very large-scale networks only |
| Suitable as service provider IGP | Yes | Definitely | No, it doesn't support Traffic Engineering | Maybe in the datacenter, but not as an IGP |
| Complexity | Easy | Easy | Easy | Complex |
| Policy support | Good | Good | Not so good | Very good |
| Resource requirement | SPF requires more processing power | SPF requires more processing power | DUAL doesn't need much power | Requires a lot of RAM and a decent CPU |
| Extendibility | Not good | Good, thanks to TLV support | Good, thanks to TLV support | Very good, it supports 20+ address families |
| IPv6 support | Yes | Yes | Yes | Yes |
| Default convergence | Slow | Slow | Fast with feasible successor | Very slow |
| Training cost | Cheap | Cheap | Cheap | Moderate |
| Troubleshooting | Easy | Very easy | Easy | Moderate |
| Routing loop | Good protection | Good protection | Open to race condition | Good protection |

EIGRP vs. OSPF vs. IS-IS vs. BGP Design Comparison
309
Question 1:
How can you achieve this?
Prepending will (usually) force inbound traffic from AS 10 to take primary link.
The customer purchased a new link from the second service provider
which uses AS number 30 and decommissioned one of its links from
the old service provider. The customer wants to use the second service
provider link as a backup link. They learned the AS-path prepending trick
from early experience.
Question 2:
Is there a problem with this design?
Question 3:
If there is a problem, how can it be solved?
Answer
There is a problem with the design, since the customer wants to use
the second service provider as a backup. AS-path prepending used in this way
is often a form of load balancing, not a backup mechanism.
AS 30 will still send traffic over the backup link, because service
providers assign a higher local preference to customer routes than to routes
learned from peers, so the customer link is preferred over the peer link.
Local preference is evaluated before AS-path length, so AS-path prepending
has no effect in this design.
The solution is to use communities.
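The decision described above, as an added example that is not from the book: a minimal model of the provider-side BGP best-path choice, with local preference evaluated before AS-path length, and a community that lowers local preference. The customer AS 65001, the peering between AS 10 and AS 30, the documentation prefix and the community value 30:80 are assumptions for this illustration.

```python
# Added example, not from the book: the provider-side BGP decision for the
# inbound case above.  Only the two steps that matter are modelled: local
# preference first, AS-path length second.
# Assumptions: customer AS 65001, primary provider AS 10 peering with AS 30,
# and AS 30 honouring a community 30:80 that lowers local preference to 80.
from dataclasses import dataclass, field
from typing import List, Optional, Set

CUSTOMER_ASN = 65001
PRIMARY_PROVIDER_ASN = 10
BACKUP_PROVIDER_ASN = 30
PREFIX = "203.0.113.0/24"          # documentation prefix, constructed

CUSTOMER_LOCAL_PREF = 200          # customer routes beat peer routes by default
PEER_LOCAL_PREF = 100
LOWER_LOCAL_PREF_COMMUNITY = f"{BACKUP_PROVIDER_ASN}:80"   # assumed community
LOWERED_LOCAL_PREF = 80


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    learned_from: str                      # "customer" or "peer"
    communities: Set[str] = field(default_factory=set)
    local_pref: int = PEER_LOCAL_PREF


def apply_import_policy(route: Route) -> Route:
    """AS 30's import policy: customers win over peers unless the customer
    tags the route with the documented lower-local-preference community."""
    if route.learned_from == "customer":
        route.local_pref = CUSTOMER_LOCAL_PREF
        if LOWER_LOCAL_PREF_COMMUNITY in route.communities:
            route.local_pref = LOWERED_LOCAL_PREF
    else:
        route.local_pref = PEER_LOCAL_PREF
    return route


def best_path(routes: List[Route]) -> Optional[Route]:
    """Highest local preference wins; AS-path length only breaks ties."""
    if not routes:
        return None
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path)))


def candidate_routes(customer_communities: Set[str]) -> List[Route]:
    """The two paths AS 30 sees: the prepended customer link (backup) and the
    short path through peer AS 10 (the customer's primary link)."""
    via_backup_link = Route(PREFIX, [CUSTOMER_ASN] * 4, "customer",
                            set(customer_communities))
    via_peer = Route(PREFIX, [PRIMARY_PROVIDER_ASN, CUSTOMER_ASN], "peer")
    return [apply_import_policy(via_backup_link), apply_import_policy(via_peer)]


def chosen_entry(customer_communities: Set[str] = frozenset()) -> str:
    """Which link AS 30 uses toward the customer: 'customer' (backup link)
    or 'peer' (via AS 10, the customer's primary link)."""
    return best_path(candidate_routes(customer_communities)).learned_from


if __name__ == "__main__":
    print("prepending only ->", chosen_entry())
    print("with community  ->", chosen_entry({LOWER_LOCAL_PREF_COMMUNITY}))
```

Prepending alone leaves AS 30 entering over the customer link; only the community, which changes local preference, moves it to the peer path.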
Question 4:
What if the customer uses second service provider link as primary
and the old provider as secondary with the second provider peering
Question 5:
What happens if primary link fails?
BGP
Question 6:
What happens when the primary link comes back?
When the primary link comes back, both paths are used for incoming
traffic, because Provider A continues to choose to send to Provider C
Solution 1:
IBGP over a direct physical link. This is the best option, but it can be
costly. Budget might be a concern, and deployment might take longer compared
to the other solutions.
IBGP over direct physical link
Solution 2:
IBGP over GRE tunnels between the datacenters. Fastest option and
does not require service provider interaction.
It should be used as a short-term solution.
The requirements say that traffic from DC1 should come back to
DC1 directly, because the firewalls drop all asymmetric traffic.
If users are accessing DC1 servers, the return traffic should leave from
DC1. Typically, servers use the DC switch as their default gateway. DC switches
receive a default route redistributed into their IGP from BGP by the IGW, and
the DC switches use the IGP cost to reach the closest IGW.
Incoming traffic is always a problem when there is a stateful device in
the path.
In the above topology, if traffic comes in via DC1 it has to go back out via
DC1, and vice versa. This is not only about asymmetric flows on the firewalls,
load balancers, etc., but also about avoiding a bottleneck. If traffic destined
for DC1 comes in via DC2, it has to go through the direct physical internet link
to DC1, which adds latency and consumes unnecessary bandwidth.
Question 2:
How can the company achieve symmetrical traffic flow so they don’t
Question 1:
Which of the below option is the reason to run IBGP? (Choose Two)
A. It is used for the reachability between PE devices in MPLS
network
B. It is used to carry EBGP prefixes inside an Autonomous
System
C. It is used with Route Reflectors for the scalability reason in
large scale networks
D. It is used to prevent failures outside your network from
impacting your internal network operation
Answer 1:
One of the correct answers to this question is that IBGP is used to carry
EBGP prefixes inside an Autonomous System.
The IGP is used for the reachability between PE devices in an MPLS
network.
Option C is valid but not the correct answer, because the question asks
for the reasons, not the best practices.
Option D is one of the correct answers as well, because with IBGP the
internal network is protected from outside failures by separating the
failure domains.
That's why the answers to this question are B and D.
Question 2:
Which of the below options are true for the BGP Route Reflectors?
(Choose Three)
A. Route Reflectors provide scalability in large scale network
design
B. Route Reflectors hide the available paths
C. Route Reflectors selects and advertise only the best path to
Answer 2:
Route Reflectors, as explained in the BGP chapter, are used to improve the
scalability of the BGP design in large-scale deployments.
Route Reflectors hide the available path information by selecting and
advertising only the best path to the clients.
Thus the correct answers to this question are A, B and C.
Option D is wrong because Route Reflectors should follow the physical
topology in an IP backbone; they cannot be placed everywhere, and careful
planning is required. Otherwise a forwarding loop occurs, as was explained in
one of the case studies in the BGP chapter.
Question 3:
Answer 3:
Origin is not commonly used for BGP path manipulation. Weight is Cisco
proprietary and it is only local to the router; it shouldn't be used for path
manipulation.
BGP path manipulation was explained in detail in the BGP chapter.
The answer to this question is A, C and D.
Question 4:
Which of the below options is used in the Public Internet Exchange
Points to reduce configuration overhead on the BGP devices?
Answer 4:
There is nothing called BGP Map Servers. In Public Internet Exchange
Points, BGP Route Servers are used to reduce configuration overhead; they
improve scalability. They are very similar to Route Reflectors, but Route
Reflectors are used in IBGP, not in Public Exchange Points.
That's why the answer to this question is C.
Question 5:
Which below options are true for the BGP Confederation? (Choose
Three)
A. It is done by creating Sub-Autonomous Systems
B. It is easier to migrate from full-mesh IBGP, compared to
BGP Route Reflectors
C. Between Sub-Autonomous Systems mostly EBGP rules
apply
D. Compared to BGP Route Reflector design, it is less commonly
deployed in the networks.
Answer 5:
From the migration point of view, moving from full mesh IBGP to BGP
Confederation is harder compared to BGP Route Reflectors. Thus Option
B is invalid.
All the other options are correct, thus the answer to this question is
A, C and D.
Question 6:
Which below option is used for inbound BGP path manipulation?
A. Local Preference
B. MED
C. As-Path prepending
D. Community
E. Hot Potato Routing
Answer 6:
Hot Potato Routing and Local Preference are used for outbound BGP path
manipulation, as explained in detail in the BGP chapter.
MED should only be used if there is a single upstream ISP, but it is still
an inbound path manipulation tool. AS-Path prepending and communities are used
for multihomed connections as well.
That's why the answer to this question is B, C and D.
Question 7:
A. Implementing BFD
B. Implementing BGP PIC Core and Edge
C. Implementing BGP Route Reflectors
D. Implementing IGP FRR
Answer 7:
They should implement the BGP PIC features to protect BGP from link or
node failure. Edge node failures especially cannot be recovered in sub-second
time even if MPLS Traffic Engineering or IP FRR is deployed.
Since BGP PIC convergence mostly depends on IGP convergence as well,
deploying IGP FRR (Fast Reroute) provides the necessary infrastructure for
BGP PIC; they should be deployed together. BFD is just a failure detection
mechanism. IGP convergence depends on
Question 8:
What does MP-BGP (Multi Protocol BGP) mean?
A. BGP implementation which can converge less than a second
B. BGP implementation which is used in Service Provider
networks
C. BGP implementation which can carry multiple BGP
Address Families
D. BGP implementation which is used in Enterprise Networks
Answer 8:
MP-BGP (Multi Protocol BGP), as explained in the BGP chapter, is the BGP
implementation which can carry multiple Address Families.
BGP in 2016 can carry more than 20 different Address Families, such as
IPv4 Unicast, IPv6 Unicast, IPv4 Multicast, L2VPN, L3VPN, Flowspec
and so on.
That's why the answer to this question is C.
Question 9:
What does Hot Potato Routing mean?
A. Sending the traffic to the most optimum exit for the
neighboring AS
B. Sending the traffic to the closest exit to the neighboring AS
C. By coordinating with the neighboring AS, sending traffic to
the closest exit point
D. It is the other name of BGP Multipath
Answer 9:
Hot Potato Routing means sending the traffic to the closest exit point
Question 10:
With which below options, internal BGP speaker can receive more
than one best path even if BGP Route Reflectors are deployed? (Choose
Three)
A. BGP Shadow RR
B. BGP Shadow Sessions
C. BGP Add-path
D. BGP Confederation
E. BGP Multipath
Answer 10:
As it was explained in the BGP Route Reflectors section of the BGP chapter,
Shadow Sessions, Shadow RR and BGP Add-path designs provide more than one
best path to the internal BGP speaker even if BGP Route Reflectors are
deployed.
BGP Multipath requires more than one best path, with all the path
attributes the same; thus it requires one of the above mechanisms.
BGP Confederation doesn't provide this functionality.
That's why the answer to this question is A, B and C.
Question 11:
Which below option is recommended to send more than one best
path to the VPN PEs in the MPLS VPN deployment if VPN Route
Reflectors are deployed?
A. BGP Add-path
B. BGP Shadow RR
Answer 11:
BGP Add-path, BGP Shadow RR and Shadow Session deployments are
suitable for IP backbones.
If there is an MPLS backbone, configuring a unique RD per VRF per PE is
the best and recommended design option, since it needs no software or
hardware upgrade, no additional BGP sessions and so on.
That's why the answer to this question is D.
Question 12:
What are the reasons to send more than one BGP best path in IP and
MPLS deployment? (Choose Four)
A. BGP Multipath
B. BGP Fast Reroute
C. BGP Multihop
D. Preventing Routing Oscillation
E. Optimal BGP routing
Answer 12:
As explained in the BGP chapter, there are many reasons to send more than
one BGP best path in both IP and MPLS deployments.
These are: avoiding routing oscillations, BGP Multipathing, fast
convergence/Fast Reroute and optimal routing.
Sometimes, for optimal routing, sending more than one BGP best path is
not enough and all available paths may be required.
That's why the answer to this question is A, B, D and E.
Question 13:
What is the drawback of sending more than one BGP best path in
BGP?
Answer 13:
Sending more than one BGP best path requires more memory, CPU and
network bandwidth, thus more resource usage in the network.
As a rule of thumb, whenever more information is sent it consumes more
resources, but it may provide optimal routing, better high availability and
better convergence.
All other options are wrong, except Option A.
Question 14:
What below options are the advantages of Full Mesh IBGP design
compared to BGP Route Reflector design? (Choose Four)
A. It can provide more optimal routing compared to Route
Reflector design
B. It can provide faster routing convergence compared to Route
Reflector design
C. It provides better resource usage compared to Route Reflector
design
D. It can provide better protection against route churn
E. Multipath information is difficult to propagate in route
reflector topologies
Answer 14:
Although there are advantages of using BGP Route Reflectors, there are
many drawbacks as well. It is probably more harmful than deploying Full Mesh
IBGP if the requirement is optimal routing, faster convergence and avoiding
route churn.
Sending multiple paths is difficult in Route Reflector topologies, since it
requires Shadow Sessions, Shadow RR or Add-path deployments.
Full Mesh IBGP design consumes more device and network resources
and requires more configuration on the devices compared to Route
Reflector design.
That's why the answer to this question is A, B, D and E.
Question 15:
In the below topology IP backbone is shown. R2 is the RR client of
R4 and R3 is the RR client of R1.
What is the next hop of R2 and R3 for the 70.70.0.0/24 prefix?
A. R1 is the next hop of R2, R4 is the next hop of R3
B. R1 is the next hop of R3, R4 is the next hop of R2
C. R2 is the next hop of R3, R3 is the next hop of R2
D. R4 is the next hop of both R2 and R3
Answer 15:
Since it is given as an IP backbone, an IP destination based lookup is done
for the BGP prefixes.
Since BGP prefixes require recursion and the IGP next hop needs to be
found for the BGP prefixes, R2's and R3's IGP next hops for the BGP
prefix should be found.
On R2, the BGP next hop for the 70.70.0.0/24 prefix is R4. R2
can only reach R4 through R3.
Thus, R2's IGP next hop is R3. The same applies to R3.
R2's IGP next hop is R3 and R3's IGP next hop is R2. That's why the
answer to this question is C.
Please note that in this topology the BGP Route Reflectors don't follow
the physical topology, which is against the BGP Route Reflector design
requirement in IP networks.
That's why, in this design, a routing loop occurs between R2 and R3.
The correct design is that R2 should be the Route Reflector client of R1 and
R3 should be the Route Reflector client of R4.
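The recursion in Answer 15, as an added example that is not from the book: the BGP next hop each client learns from its route reflector is resolved through the IGP hop by hop, and the trace reports whether the lookups loop. The chain topology R1-R2-R3-R4 with equal IGP costs, and R1 and R4 both announcing 70.70.0.0/24 with next-hop-self, are assumptions; the book's figure is not reproduced here.

```python
# Added example, not from the book: resolve the BGP next hops that R2 and R3
# learn from their route reflectors through the IGP and check whether the
# recursion produces a forwarding loop (Question 15).
# Assumptions: a chain R1-R2-R3-R4 with equal IGP costs, and R1 and R4 both
# advertising 70.70.0.0/24 with next-hop-self, each preferring its own path.
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]

IGP_TOPOLOGY: Graph = {
    "R1": {"R2": 1},
    "R2": {"R1": 1, "R3": 1},
    "R3": {"R2": 1, "R4": 1},
    "R4": {"R3": 1},
}
PREFIX = "70.70.0.0/24"
EXIT_ROUTERS = {"R1", "R4"}      # originate the prefix, so the lookup ends there

# client -> BGP next hop learned from its RR (each RR reflects its own path)
BOOK_DESIGN = {"R2": "R4", "R3": "R1"}          # R2 client of R4, R3 client of R1
CORRECTED_DESIGN = {"R2": "R1", "R3": "R4"}     # RRs follow the physical topology


def igp_next_hop(graph: Graph, src: str, dst: str) -> Optional[str]:
    """Dijkstra from src; return the first hop on the shortest path to dst."""
    if src == dst:
        return None
    dist: Dict[str, float] = {src: 0}
    first_hop: Dict[str, Optional[str]] = {src: None}
    heap: List[Tuple[int, str]] = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                # leaving src the first hop is the neighbour itself, otherwise
                # it is inherited from the node we reached nbr through
                first_hop[nbr] = nbr if node == src else first_hop[node]
                heapq.heappush(heap, (nd, nbr))
    return first_hop.get(dst)


def trace_forwarding(graph: Graph, bgp_nh: Dict[str, str],
                     start: str) -> Tuple[List[str], bool]:
    """Follow the hop-by-hop IP lookup for PREFIX from `start`.
    At each router the BGP next hop is recursed to an IGP next hop.
    Returns (routers visited, loop_detected)."""
    path = [start]
    node = start
    while node not in EXIT_ROUTERS:
        nh = igp_next_hop(graph, node, bgp_nh[node])
        if nh is None:          # BGP next hop is the router itself
            return path, False
        if nh in path:          # we are back on a router already visited
            return path + [nh], True
        path.append(nh)
        node = nh
    return path, False


if __name__ == "__main__":
    for name, design in (("book", BOOK_DESIGN), ("corrected", CORRECTED_DESIGN)):
        for client in ("R2", "R3"):
            print(name, client, trace_forwarding(IGP_TOPOLOGY, design, client))
```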
Question 16:
What can be the problem with BGP design in the Enterprise if there
are more than one datacenter?
A. Convergence is very slow
B. Asymmetric routing issues if there are stateful devices
Answer 16:
All the options are wrong except Option B.
Asymmetric routing can be a problem in Enterprise designs that have stateful
devices, as was explained in the BGP chapter, because stateful devices require
symmetric routing for their flow information, and firewalls, load balancers
and IDS/IPS are common elements at the Internet edge or within the datacenters
in Enterprise design.
In Service Providers, CGN (LSN) is deployed to overcome the IPv4
exhaustion problem, as was explained in the IPv6 chapter. These nodes also
require symmetric routing.
The answer to this question is B.
Question 17:
Which below option is true for the VPN Route Reflectors in MPLS
deployments? (Choose Two)
Answer 17:
VPN Route Reflectors can be deployed in a centralized place, and they have a
more flexible placement advantage compared to IP Route Reflectors.
The reason is that there is no IP destination based lookup in MPLS
networks. Thus there is no Layer 3 routing loop problem as in the case of the
IP Route Reflector, which was explained in Answer 15.
It is not best practice to deploy IP and VPN services on the same node. The
reason will be explained in Answer 18.
VPN RRs, similar to IP RRs, cannot always provide the most optimal path
to their clients, because they select the BGP best path from their own point
of view, not from their clients' point of view.
That's why the answer to this question is A and B.
Question 18:
What can be the problem with using IP and VPN Route Reflector on
the same device? (Choose Two)
A. Attack for the Internet service can affect VPN Customers
B. Attack for the VPN service can affect Internet Customers
C. Scalability of the Route Reflectors are reduced
D. They have to participate in the IGP process
Answer 18:
When a Route Reflector is used for more than one service, it is called
Multi Service Route Reflector. The problem of using Internet and VPN
Question 19:
In the below topology there are two datacenters of the Service Provider.
If the requirement were to provide closest exit for the Route Reflector
A. In West DC
B. In East DC
C. Doesn’t matter the placement
D. Both in East and West DC
Answer 19:
Route Reflectors should be placed in both the East and the West DC.
Otherwise the Route Reflector would choose the best path from its own point
of view and would send that best path to the Route Reflector clients.
If the RR were placed in the West DC, all BGP RR clients in the East DC
would choose the West DC IGW (Internet Gateways) as the exit point, and
vice versa.
Thus the correct answer to this question is D.
Question 20:
Which below options are true for the BGP PIC deployment? (Choose
Two)
A. BGP PIC can provide sub second convergence even if there
are millions of prefixes in the routing table
B. BGP edge devices don't have to receive more than one best
path for BGP PIC Edge to work
C. BGP PIC Edge can protect both from Edge link and Node
failure
D. BGP PIC has to work with BGP Add-Path
Answer 20:
BGP edge nodes have to receive more than one best path for BGP PIC Edge
operation. This was explained in the BGP chapter in detail.
BGP Add-Path is one of the mechanisms used to send multiple paths even
when an RR is deployed in the network, but BGP Add-Path is not mandatory
for BGP PIC.
BGP PIC Edge can protect from both edge link and node failures and can
provide sub-second convergence even if there are millions of prefixes.
That's why the correct answer to this question is A and C.
Chapter 9
Multicast
In unicast, the server has to send three copies of the stream for three
receivers. In multicast, the server sends one copy and the network replicates
the traffic to its intended receivers.
Multicast works on UDP, not TCP. That's why there is no error control or
congestion avoidance; it is purely best effort. Receiver can
The TTL of link-local multicast addresses is 1; they are used only on the
local link. OSPF, EIGRP, etc. use addresses from this range.
IANA reserved address scope: 224.0.1.0-224.0.1.255. This address range is
used for networking applications such as NTP (224.0.1.1); the TTL is greater
than 1.
Administratively scoped multicast addresses: 239.0.0.0 – 239.255.255.255.
This address range is reserved for use within the domain, equivalent to the
RFC 1918 private address space.
There is a 32:1 overlap between IP multicast addresses and MAC addresses.
• 224.1.1.1
• 224.129.1.1
• 225.1.1.1
• 238.1.1.1
• 238.129.1.1
• 239.1.1.1
• 239.129.1.1
All the above addresses use the same multicast MAC address, which is
0100.5e01.0101
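The IP-to-MAC mapping behind that list, as an added example that is not from the book: it derives the multicast MAC from an IPv4 group and enumerates the 32 groups that share it. The helper names are mine; the address list is the book's.

```python
# Added example, not from the book: derive the Layer 2 multicast MAC address
# from an IPv4 group and enumerate the 32 groups that collide on it.
# The MAC is the fixed 25-bit prefix 01-00-5e-0 followed by the low 23 bits
# of the group address; the 5 bits after the 1110 class D prefix are dropped,
# which is the 32:1 overlap described above.
import ipaddress
from typing import List

MAC_PREFIX = 0x01005E          # OUI reserved for IPv4 multicast MAC addresses
LOW_23_BITS = 0x7FFFFF
CLASS_D_BASE = 0xE0000000      # 224.0.0.0


def multicast_mac(group: str) -> str:
    """Return the multicast MAC for an IPv4 group in dotted form, e.g. 0100.5e01.0101."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (MAC_PREFIX << 24) | (int(addr) & LOW_23_BITS)
    return ".".join(f"{(mac >> shift) & 0xFFFF:04x}" for shift in (32, 16, 0))


def colliding_groups(group: str) -> List[str]:
    """All 32 IPv4 multicast groups that share `group`'s MAC address:
    same low 23 bits, every value of the 5 ignored bits."""
    low23 = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address(CLASS_D_BASE | (ignored << 23) | low23))
            for ignored in range(32)]


def share_one_mac(groups: List[str]) -> bool:
    """True if every group in the list maps to the same MAC address."""
    return len({multicast_mac(g) for g in groups}) == 1


# The seven groups listed in the text above.
BOOK_GROUPS = ["224.1.1.1", "224.129.1.1", "225.1.1.1", "238.1.1.1",
               "238.129.1.1", "239.1.1.1", "239.129.1.1"]

if __name__ == "__main__":
    for g in BOOK_GROUPS:
        print(f"{g:>12} -> {multicast_mac(g)}")
    print(len(colliding_groups("224.1.1.1")), "groups share that MAC")
```

A switch doing IGMP snooping on such a MAC, or a host filtering on it, therefore receives frames for all 32 groups, which is why group addresses that differ only in those 5 bits should not be assigned side by side.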
Shared tree is created between the rendezvous point and the receiver only in PIM
ASM; still there is shortest-path tree between the source and rendezvous point in
PIM ASM.
Shortest-path tree uses more memory but provides optimal path from the source to all
receivers, therefore minimizing delay.
Shared tree uses less memory because there are no separate multicast
states for each source for a given multicast group address. However, it
may create suboptimal routing for some receivers. That's why shared tree
may introduce extra delay.
PIM-SSM is Source Specific Multicast. It does not require a
Rendezvous Point, because the sources are known by the receivers. Receivers
create a shortest-path tree towards the source; the root of the tree is the
sender. If SSM is enabled, only (S,G) entries are seen in the multicast
routing table.
IANA reserves the 232/8 Class D multicast address range for PIM-SSM,
but just using this address range is not enough.
SSM requires IGMPv3 at the source or IGMPv2 to v3 mapping on the
first-hop routers. Source Specific Multicast is most suitable for one-to-many
applications. IPTV is an example of a one-to-many application.
PIM ASM vs. PIM SSM vs. PIM Bidir Multicast Deployment Models Comparison

Design Requirement: PIM-ASM (Any Source Multicast) / PIM-SSM (Source Specific Multicast) / PIM-Bidir (Bidirectional PIM)
Scalability: PIM-ASM: Moderate, since the routers keep (S,G) state after the SPT transition. Even before the Shortest Path Tree transition, a Shortest Path Tree is always created between sources and RPs. PIM-SSM: Worst. Routers have to keep state for every source-multicast group pair in the multicast routing table. Thus SSM consumes a lot of router resources, and the situation gets worse if there are more sources and multiple groups. PIM-Bidir: Very scalable, since the flows are always on the shared tree, which means routers only keep (*,G) multicast entries in their multicast routing table. That's why it is used in many-to-many application designs.
Suitable for One to Many Applications: PIM-ASM: It is suitable, but Rendezvous Point engineering is a disadvantage. IPTV is one of the one-to-many applications for which PIM ASM can be used. PIM-SSM: Best. It is designed for one-to-many applications. Source address information should be known by the receivers, though. PIM-Bidir: Not so suitable. PIM Bidir is designed for many-to-many multicast application traffic; sender and receiver can both send and receive multicast traffic at the same time. It is best for the many-to-many application traffic pattern.
Optimal Traffic Flow: PIM-ASM: Moderate. Before the SPT transition, receivers and senders communicate through the Rendezvous Point. When receivers discover the sources, they join the shortest path tree and don't use the Rendezvous Point anymore, but until the SPT transition traffic may flow suboptimally. PIM-SSM: Optimal flow, since the source is known and the IGP best path is used to reach the sources. PIM-Bidir: Not good, since all the traffic always has to pass through the Rendezvous Point.
Duplicate Multicast Traffic: PIM-ASM: Yes, during the SPT transition receivers get multiple copies of the same multicast traffic. PIM-SSM: No, there is no duplicate. PIM-Bidir: No, there is no duplicate.
Fast Reroute Support: PIM-ASM: Yes, IP FRR and Multicast-only FRR. PIM-SSM: Yes, IP FRR and Multicast-only FRR. PIM-Bidir: Yes, IP FRR and Multicast-only FRR.
Staff Experience: PIM-ASM: Well known. PIM-SSM: Well known. PIM-Bidir: Less known, especially Phantom RP operation for the load balancing.
Loop Avoidance: PIM-ASM: Done via RPF check. PIM-SSM: Done via RPF check. PIM-Bidir: A Designated Forwarder is elected per subnet.
Security: PIM-ASM: Less secure, since all the sources can send to any multicast group. PIM-SSM: More secure, because receivers specifically state which source and group pair they are interested in. PIM-Bidir: Less secure, same reason as PIM ASM.
Complexity: PIM-ASM: Complex, since it requires a Rendezvous Point, Anycast RP for Rendezvous Point redundancy, and Rendezvous Point engineering for optimal multicast routing. PIM-SSM: Easy, it requires source information only. There is no Rendezvous Point in Source Specific Multicast, no RP engineering, no Anycast RP. PIM-Bidir: Complex, since it requires a Rendezvous Point, Phantom RP for the redundancy, and RP engineering for optimal multicast routing.
Resource Requirement: PIM-ASM: Moderate among the options, since routers have to keep (*,G) state between the hosts and the RP and (S,G) state between the source and the RP. (*,G) state can be thought of as summarization in IP routing. After the SPT transition there is still (S,G) state, though. PIM-SSM: Worst. In PIM SSM all the routers keep every source-group address state. Thus it requires more memory and CPU on the devices; there is no (*,G) state in PIM SSM, only (S,G). PIM-Bidir: Best, since PIM Bidir enabled routers only keep (*,G) states. Only the shared tree is used in Bidirectional PIM.
Troubleshooting: PIM-ASM: Easy. PIM-SSM: Very easy. PIM-Bidir: Easy.
Solution:
Solution can be provided with Automatic Multicast Tunneling (AMT)
RFC 7450.
AMT (Automatic Multicast Tunneling) is an IETF protocol that encapsulates
multicast traffic in unicast packets and delivers multicast traffic from the
source to the intended receivers.
The receivers' network may not provide multicast, but this tunneling
protocol allows multicast traffic to be received over a unicast-only network.
AMT discovery messages are sent to the AMT anycast address. In our case
study, Terrano's service provider supports multicast, so it can send the PIM
(S,G) join to the content provider. The service provider needs to have AMT
Relay software on its router.
AMT messages are unicast messages; the multicast traffic is encapsulated
in unicast packets. Terrano can receive multicast content at this point,
because the end-to-end tree is built.
Question 1:
Which below technology is used between Multicast host and the first
hop default gateway of the host?
A. PIM Snooping
B. PIM Any source Multicast
C. IGMP
D. Rendezvous Point
Answer 1:
IGMP is used between the multicast host and its default gateway.
Answer is C.
Question 2:
Which below statement is true for PIM Sparse mode? (Choose Three)
A. Multicast traffic always has to go through RP
B. If there is no backup RP and RP fails new Multicast sources
cannot be discovered
C. RP is used for Source Discovery
D. Anycast RP is one of the redundancy mechanisms in PIM
Sparse Mode
E. There is no RP in Any Source Multicast
Answer 2:
As it was mentioned in the multicast chapter, the RP is used for source
discovery. If there is no backup RP and the RP fails, new multicast sources
cannot be discovered.
Only in PIM Bidir does multicast traffic always have to go through the RP;
in PIM ASM it doesn't have to.
Anycast RP is one of the redundancy mechanisms in PIM Sparse
Question 3:
Which below statements are true for IP Multicast design? (Choose
Three)
A. There is overlap between Multicast IP and MAC addresses
B. Most optimal multicast routing is achieved with PIM SSM
C. Least resource intensive Multicast deployment model is
PIM Bidir
D. Phantom RP is the load balancing mechanism in PIM Bidir
E. Any Source Multicast RP doesn’t require Rendezvous Point
Answer 3:
Phantom RP is used in PIM Bidir, but it doesn't support load balancing.
The most optimal routing is achieved with PIM SSM, because the tree always
uses the shortest IGP path. There is no need to send the traffic towards the RP.
The least resource intensive multicast deployment model is PIM Bidir,
because only (*,G) multicast entries are kept in the multicast routing table.
In ASM, after the SPT switchover, traffic continues over the shortest path.
And as it was explained before, there is an overlap between the multicast
IP addresses and the MAC addresses.
Any Source Multicast requires a Rendezvous Point, thus Option E is
incorrect.
That's why the correct answer to this question is A, B and C.
Question 4:
If the requirement is not to use Rendezvous point, which of the
below options provide most efficient IP Multicast deployment?
A. Deploy PIM SSM and implement IGMPv2
B. Deploy PIM SSM and implement IGMPv3
C. Deploy Anycast RP
D. Deploy Bidirectional PIM
Answer 4:
In Anycast RP, Bidirectional PIM and Any Source Multicast there is
always an RP.
The only valid solutions could be A and B, but Option A says IGMPv2,
and Source Specific Multicast, although it doesn't have an RP, requires
IGMPv3.
That's why the correct answer to this question is Option B.
Question 5:
Which of the below solutions provide RP redundancy in case of
failure in IPv4 Multicast?
A. Embedded RP
B. MSDP Anycast RP
C. Auto RP
D. BSR
E. PIM SSM
Answer 5:
There is no RP in PIM SSM.
Embedded RP does not exist in IPv4 multicast. Auto-RP and BSR are used
to distribute the RP information to the multicast routers.
That's why the correct answer to this question is MSDP Anycast RP,
which is used in PIM ASM only.
Question 6:
Which below Multicast PIM Sparse Mode deployment model provides
one to many multicast traffic and can work with IGMPv2?
A. PIM ASM
B. PIM SSM
C. PIM Dense
D. PIM Bidir
E. IGMPv3
Answer 6:
PIM SSM and PIM ASM can provide one to many application traffic
pattern but PIM SSM requires IGMP v3. That’s why the correct answer
is PIM ASM, Option A.
Question 7:
Which below Multicast technology provide any to any connectivity?
A. IGMP
B. PIM SSM
C. PIM Bidir
D. Anycast RP
Answer 7:
Any to any connectivity for the applications is provided by the PIM
Bidir (Bidirectional PIM) as it was explained in the Multicast chapter in
detail.
That’s why the correct answer of this question is C.
Question 8:
How redundancy is achieved in PIM Bidir?
A. MSDP is configured between two RPs
B. Phantom RP is used and the two RP IP address is advertised
with different subnet masks
C. Static multicast routing table entries are configured on the
RPs
D. Phantom RP is used and the two RP IP address is advertised
with the same subnet masks
Answer 8:
As it was explained in the Multicast chapter, the Phantom RP concept is
used in PIM Bidir for redundancy. It doesn't provide load balancing; only
redundancy can be achieved.
Two Rendezvous Points (RPs) are configured, and the RP IP address is
advertised with a different subnet mask from each.
That's why the correct answer to this question is B.
Question 9:
Which below technologies are used in IPv6 multicast?
A. IGMP Snooping
B. MLD
C. Embedded RP
D. PIM Auto RP
E. DVMRP
Answer 9:
PIM Auto-RP is Cisco proprietary and not supported in IPv6.
DVMRP was one of the Layer 3 multicast routing protocols; it was not
implemented in IPv4 and is not supported in IPv6.
Instead of IGMP, there is MLD in IPv6 between the multicast host and
the first hop multicast gateway.
Embedded RP is used for embedding the RP IPv6 address as part of the
multicast group address.
That's why the answer to this question is B and C.
Question 10:
If both IPv4 and IPv6 Multicast will be enabled on the campus
network. Which multicast protocols should be enabled on the access
switches? (Choose Two)
A. PIM Bidir
B. IGMP Snooping
C. MLD
D. Any Source Multicast
Answer 10:
On access switches, Layer 3 multicast protocols are not enabled. On the
first hop multicast routers, IGMP to PIM conversion is done. But IGMP
Snooping in IPv4 and MLD (Multicast Listener Discovery) in IPv6 are
critical for efficiency in IP multicast deployments.
That's why the answer to this question is B and C.
Videos
Cisco Live Session BRKIPM-1261, Speaker: Beau Williamson
Podcasts
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/multicast-enterprise/whitepaper_c11-474791.html
http://packetpushers.net/community-show-multicast-design-deployment-considerations-beau-williamson-orhan-ergun
Articles
https://tools.ietf.org/html/rfc7450
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ip-multicast/whitepaper_c11508498.html
https://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/topic-collections/nce/bidirectional-pim-configuring-bidirectional-pim.pdf
http://www.juniper.net/documentation/en_US_junos13.3/topics/concept/multicast-anycast-rp-mapping.html
http://d2zmdbbm9ferqf.cloudfront.net/2015/usa/pdf/BRKIPM-1261.pdf
Chapter 10
Quality of Service (QoS)
network and that the network would reserve the required bandwidth for
the user during a conversation.
Think of this as on-demand circuit switching: each flow of each user
would be remembered by the network. This clearly would create a resource
problem (CPU, memory, bandwidth) on the network, and thus it was never
widely adopted.
The second QoS Approach is Diffserv (Differentiated Services).
Diffserv doesn’t require reservation; instead flows are aggregated and
placed into classes. Each and every node can be controlled by the network
operator to treat differently for the aggregated flows.
Diffserv is a more scalable approach compared to Intserv.
If traffic exceeds the CIR or PIR and if it will be marked down, follow
standard-based marking values. For example, if the application class for
conforming traffic is AF31, exceeding traffic should be marked down
with AF32 and violating traffic should be marked down with AF33.
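The CIR/PIR marking-down rule above, as an added example that is not from the book: a two-rate three-colour marker in the style of RFC 2698 that marks conforming packets AF31, exceeding packets AF32 and violating packets AF33. The rates, burst sizes and the packet trace are constructed for the illustration.

```python
# Added example, not from the book: a two-rate three-colour marker (RFC 2698
# style, colour-blind mode) applying the AF31 -> AF32 -> AF33 markdown rule.
# Rates, bursts and the sample packet trace are constructed values.
from dataclasses import dataclass
from typing import List, Tuple


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """DSCP of AFxy = class * 8 + drop precedence * 2 (AF31=26, AF32=28, AF33=30)."""
    if not 1 <= af_class <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF classes are 1-4, drop precedence is 1-3")
    return af_class * 8 + drop_precedence * 2


@dataclass
class TwoRateMarker:
    cir_bps: int       # committed information rate, bits per second
    pir_bps: int       # peak information rate, bits per second
    cbs_bytes: int     # committed burst size (size of the CIR token bucket)
    pbs_bytes: int     # peak burst size (size of the PIR token bucket)
    af_class: int = 3  # conforming traffic is marked AF31
    last_time: float = 0.0

    def __post_init__(self) -> None:
        if self.pir_bps < self.cir_bps:
            raise ValueError("PIR must be >= CIR")
        self.tc: float = self.cbs_bytes   # both buckets start full
        self.tp: float = self.pbs_bytes

    def _refill(self, now: float) -> None:
        """Add tokens for the time elapsed since the last packet, capped at the burst sizes."""
        elapsed = max(0.0, now - self.last_time)
        self.tc = min(self.cbs_bytes, self.tc + elapsed * self.cir_bps / 8)
        self.tp = min(self.pbs_bytes, self.tp + elapsed * self.pir_bps / 8)
        self.last_time = now

    def mark(self, now: float, size_bytes: int) -> Tuple[str, int]:
        """Return (colour, DSCP) for a packet of size_bytes arriving at `now`."""
        self._refill(now)
        if size_bytes > self.tp:                # above PIR: violating
            return "red", af_dscp(self.af_class, 3)
        if size_bytes > self.tc:                # above CIR, within PIR: exceeding
            self.tp -= size_bytes
            return "yellow", af_dscp(self.af_class, 2)
        self.tp -= size_bytes                   # within CIR: conforming
        self.tc -= size_bytes
        return "green", af_dscp(self.af_class, 1)


def mark_trace(marker: TwoRateMarker,
               trace: List[Tuple[float, int]]) -> List[Tuple[str, int]]:
    """Mark a packet trace given as (arrival_time_seconds, size_bytes)."""
    return [marker.mark(t, size) for t, size in trace]


# Constructed trace: four 1000-byte packets back to back, then one a second later.
SAMPLE_TRACE = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]


def demo() -> List[Tuple[str, int]]:
    """CIR 8 kbit/s (1000 B/s), PIR 16 kbit/s, CBS 1500 B, PBS 3000 B."""
    marker = TwoRateMarker(cir_bps=8000, pir_bps=16000, cbs_bytes=1500, pbs_bytes=3000)
    return mark_trace(marker, SAMPLE_TRACE)


if __name__ == "__main__":
    for (t, size), (colour, dscp) in zip(SAMPLE_TRACE, demo()):
        print(f"t={t:.1f}s {size}B -> {colour:6s} DSCP {dscp}")
```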
Recommended Application to PHB Marking Deployment
Application: IP Precedence / PHB / DSCP / CoS
IP Routing: 6 / CS6 / 48 / 6
Voice: 5 / EF / 46 / 5
Streaming Video: 4 / CS4 / 32 / 4
Locally Defined Mission Critical Data: 3 / CS3 / 24 / 3
Best Effort: 0 / 0 / 0 / 0
Best-Effort Data
The best-effort class is the default class for all data traffic. An
application will be removed from the default class only if it has been
selected for preferential or deferential treatment.
Best-effort traffic should be marked to DSCP 0. Adequate bandwidth
should be assigned to the best-effort class as a whole, because the majority
of applications will default to this class; reserve at least 25% of bandwidth
for best-effort traffic.
Bulk Data
The bulk data class is intended for applications that are relatively non-
interactive and drop-insensitive and that typically span their operations
over a long period of time as background occurrences.
Such applications include the following:
• FTP
• E-mail
• Backup operations
• Database synchronizing or replicating operations
• Content distribution
• Any other type of background operation
Bulk data traffic should be marked to DSCP AF11; excess bulk data
Transactional/Interactive Data
The transactional/interactive data class, also referred to simply as
transactional data, is a combination of two similar types of applications:
transactional data client-server applications and interactive messaging
applications.
A transaction is a foreground operation; the user waits for the operation
to complete before proceeding.
E-mail is not considered a transactional data client-server application,
as most e-mail operations occur in the background and users do not usually
notice even several hundred millisecond delays in mail spool operations.
Transactional data traffic should be marked to DSCP AF21; excess
Real time, Best Effort, Critical Data, and Scavenger Queuing Rule: Four Classes of QoS Deployment
basically delays packets to ensure that the traffic rate for a class doesn’t
exceed the defined rate.
Congestion management deals with the front (head) of the queues, and
congestion avoidance mechanisms handle the tail of the queues.
MPLS QoS
MPLS QoS is based on the MPLS EXP field, which is 3 bits wide. The QoS
tools (classification, marking, policing, shaping, and queuing) work much
as they do in IP QoS. When a packet is received from the IP domain, it is
tunneled through the MPLS network: the DSCP bits are mapped to the EXP
bits on the ingress PE of the MPLS network and carried up to the egress PE.
There are three MPLS QoS Tunnelling mechanisms.
• Uniform Mode
• Short Pipe
• Pipe (Also known as Long-Pipe)
As a network designer, understanding the different MPLS tunneling
modes and their effects on the customer's QoS policy is very important.
Uniform Mode
Uniform mode is generally used when the customer and the SP share the
same Diffserv domain, which would be the case if the customer builds its
own MPLS network. The first three bits of the DSCP field are mapped to
the MPLS EXP bits on the ingress PE.
If a policer or other mechanism remarks the MPLS EXP value, the new
value is copied to the lower-level EXP bits. At the egress PE, the MPLS EXP
value is used to remark the customer's DSCP value.
Short Pipe Mode
It is used when the customer and the SP are in different Diffserv domains.
This mode is useful when the SP wants to enforce its own Diffserv policy,
but the customer wants its Diffserv information to be preserved across
the MPLS domain. The ingress PE sets the MPLS EXP value based on
the SP's Quality of Service policy.
If remarking is necessary, it is done on the MPLS EXP bits of the
labels, but not on the DSCP bits of the customer's IP packet.
On the egress PE, the queuing is done based on the DSCP marking
Design Requirement | Uniform Mode | Short Pipe | Pipe
Suitable for Customer Managed MPLS VPN | Yes, the changes in the core of the network are reflected in the IP DSCP or Precedence | No, Customer won't have control of EXP to DSCP mapping; DSCP doesn't change end to end | No, Customer won't have control of EXP to DSCP mapping; DSCP doesn't change end to end
Resource Requirement | Normal | Too much on the Egress PE, since the Service Provider has to know all the Customers' QoS architecture and configure the Egress PE accordingly | Normal
End to End Customer QoS setting | No, if EXP changes in the core it is copied to the DSCP at the Egress PE | Yes, Customer DSCP is preserved | Yes, Customer DSCP is preserved
Special MPLS Label Requirement | No | No | Yes, Explicit Null label (Label 0 for IPv4, Label 2 for IPv6) is sent by the Egress PE to the Penultimate Router
Requires QoS Remarking on the remote CE | Yes, since the DSCP information can change in the SP core, the Egress PE copies the EXP bits to the DSCP. Receiving CE needs to remark the DSCP | No, Customer QoS marking is preserved. If it comes to the Ingress PE as DSCP EF, it is sent by the Egress PE as EF as well | No, Customer QoS marking is preserved. If it comes to the Ingress PE as DSCP EF, it is sent by the Egress PE as EF as well
Alternative name | Unified MPLS QoS Tunneling | Short Pipe MPLS QoS Tunneling | Long Pipe MPLS QoS Tunneling
Standard Implementation | Yes, IETF Standard | Yes, IETF Standard | Yes, IETF Standard
Customer-Service Provider Interaction | For the initial DSCP to EXP mapping only | For the initial DSCP to EXP mapping, and also the SP has to know each and every customer's QoS requirement to arrange egress scheduling and dropping strategy on the Egress PE | For the initial DSCP to EXP mapping only
E-LSP and L-LSP support | Yes | Yes | Yes
Uniform vs. Short-Pipe vs. Pipe MPLS QoS Tunneling Modes Comparison
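The three tunneling modes compared above, as a small simulation. This is an added example, not code from the book: it walks one customer IP packet through the ingress PE, an EXP remark in the SP core, and the egress PE under each mode, and reports the DSCP the remote CE receives and what the egress PE schedules on. The SP class map (SP_POLICY), the remark value and the label value are constructed; only a single transport label is modelled, so EXP inheritance between stacked labels is out of scope.

```python
"""MPLS DiffServ tunnelling modes (uniform, short-pipe, pipe) as a simulation.

Added example, not from the book. SP_POLICY, the core remark and the label
value are constructed; a single transport label is modelled.
"""
from dataclasses import dataclass
from typing import Dict, Optional

MODES = ("uniform", "short-pipe", "pipe")
EXPLICIT_NULL_IPV4 = 0   # RFC 3032 reserved label; keeps a label (and its EXP) up to the egress PE

# Constructed SP class map used by short-pipe and pipe: customer DSCP -> SP EXP.
SP_POLICY: Dict[int, int] = {46: 5, 26: 3, 10: 1, 0: 0}


def dscp_to_exp(dscp: int) -> int:
    """Uniform-mode ingress: copy the three high-order DSCP bits (IP precedence)."""
    return (dscp >> 3) & 0x7


def exp_to_dscp(exp: int, dscp: int) -> int:
    """Uniform-mode label removal: EXP overwrites IP precedence; the low 3 bits are kept."""
    return (exp << 3) | (dscp & 0x7)


@dataclass(frozen=True)
class Outcome:
    mode: str
    ingress_exp: int               # EXP the ingress PE imposed
    egress_dscp: int               # DSCP the remote CE receives
    queue_on: str                  # "dscp", "exp", or "none" (EXP lost before the egress PE)
    queue_value: Optional[int]
    remote_ce_remark_needed: bool  # did the customer marking change end to end?


def tunnel(mode: str, dscp: int, sp_policy: Dict[int, int] = SP_POLICY,
           core_remark_exp: Optional[int] = None, php: bool = True,
           explicit_null: bool = False) -> Outcome:
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")

    # Ingress PE: uniform copies precedence; the two pipe modes apply the SP's own map.
    exp = dscp_to_exp(dscp) if mode == "uniform" else sp_policy.get(dscp, 0)
    ingress_exp = exp

    # Core: a policer or P router may remark the label's EXP; the inner DSCP is untouched.
    if core_remark_exp is not None:
        exp = core_remark_exp

    # Penultimate hop: implicit null pops the label together with its EXP; explicit null
    # (label 0) or disabling PHP keeps a label on the packet up to the egress PE.
    label_reaches_egress_pe = (not php) or explicit_null

    # Only uniform mode writes the (possibly remarked) EXP back into the IP header;
    # in this model the router that removes the label performs the copy.
    egress_dscp = exp_to_dscp(exp, dscp) if mode == "uniform" else dscp

    if mode in ("uniform", "short-pipe"):
        queue_on, queue_value = "dscp", egress_dscp
    elif label_reaches_egress_pe:
        queue_on, queue_value = "exp", exp
    else:
        queue_on, queue_value = "none", None   # pipe mode with PHP and no explicit null

    return Outcome(mode, ingress_exp, egress_dscp, queue_on, queue_value,
                   remote_ce_remark_needed=(egress_dscp != dscp))


def compare(dscp: int, core_remark_exp: Optional[int]) -> Dict[str, Outcome]:
    """The same packet under all three modes (pipe shown with explicit null enabled)."""
    return {m: tunnel(m, dscp, core_remark_exp=core_remark_exp, explicit_null=(m == "pipe"))
            for m in MODES}


if __name__ == "__main__":
    # An EF packet whose label is marked down to EXP 0 somewhere in the SP core.
    for mode, o in compare(46, core_remark_exp=0).items():
        print(f"{mode:10s} ingress EXP {o.ingress_exp}  CE receives DSCP {o.egress_dscp:2d}  "
              f"egress queues on {o.queue_on}={o.queue_value}  remark at CE: {o.remote_ce_remark_needed}")
```

Running the comparison shows the table's rows in action: uniform mode hands the remote CE a changed DSCP (EF becomes precedence 0, so the CE must remark), both pipe modes deliver DSCP 46 unchanged, and pipe mode with PHP only has something to queue on when the egress PE has requested explicit null.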
Policing is deployed together with classification/marking, but you
don't need to deploy QoS tools on the other nodes, so the classification
and marking can make sense locally. Policing is also used for Call
Admission Control purposes.
Imagine you have 200 Mbps links and each Telepresence flow requires
45 Mbps. You can place 4 calls onto the link. If a 5th call is set up, all
4 other calls suffer as well, since packets have to be dropped (45 * 5 - 200
- buffer size).
Another Quality of Service tool is queuing; in particular, it is used
whenever there is oversubscription. Oversubscription can be between
the nodes (on the links) or within the nodes.
If the congestion is within the node, queuing in the ingress direction
is applied to protect some traffic (maybe real time) from head-of-line
blocking in the switching fabric of the node. In the egress direction, it is
applied between the nodes to protect selected traffic.
The problem is that if there is enough traffic, the buffers (queues) will
fill up and eventually all the traffic will be dropped, no matter which
queuing method (LLQ, WFQ, CBWFQ) is used.
So if you try to design end-to-end Quality of Service by enabling
queuing to cover every possible oversubscription point in the network, you fail.
When congestion happens, some flows will just die a couple of
milliseconds after one another.
The design tradeoff here is adding more bandwidth vs. engineering all
possible congestion points. I am not talking only about the initial QoS design
phase but about the complexity brought by QoS into the design as well.
The network operator needs to manage, understand and troubleshoot QoS
during steady state and in the case of failure as well.
Bandwidth is getting cheaper and cheaper every day, but the complexity
of Quality of Service will stay there forever. So do you still think that you
need an end-to-end QoS deployment?
Question 1:
Which of the statements below are true for QoS design?
A. Classification and marking should be done at every hop
B. Classification and marking should be done as close to the
sources as possible
C. Instead of DSCP-based marking, CoS-based marking is
recommended for end-to-end QoS design
D. Quality of Service increases available bandwidth capacity
Answer 1:
QoS doesn't increase available capacity. It is used to manage fairness
between the applications for the current capacity.
Classification and marking should be deployed as close to the sources
as possible, not at every hop.
And instead of CoS, DSCP-based marking should be deployed, to
avoid mapping between markings throughout the network.
That's why the answer to this question is B.
Question 2:
Which of the options below is true for Congestion Avoidance mechanisms?
A. When it is enabled, the router marks the packets based on some
criteria
B. When it is enabled, the router classifies the packets
C. When it is enabled, the router handles the possible congestion
by using RED or WRED
D. When it is enabled, the router can place the important traffic
into the LLQ
Answer 2:
As explained in the QoS chapter, congestion avoidance
mechanisms are different from congestion management mechanisms.
Congestion management mechanisms coordinate the front of the queues,
and congestion avoidance mechanisms handle the tail of the queues.
RED and WRED are the congestion avoidance mechanisms, and
when one is enabled, the router handles the possible congestion by using
it. The other options are related to classification, marking
and queuing.
The only correct answer to this question is Option C.
Question 3:
What should be the one-way latency for the Voice traffic in QoS
design?
A. Less than 1 second
Answer 3:
As a general design rule of thumb, the one-way latency, also
known as mouth-to-ear latency, for voice traffic should be less than
150ms.
That's why the answer to this question is C.
Question 4:
Which of the options are important in Voice over IP design? (Choose
Three)
A. Delay
B. Echo
C. Packet Loss
D. Variance in delay
E. CDR records
Answer 4:
For voice traffic, as explained in the QoS chapter of the
book, packet loss, latency and jitter are the most critical performance
indicators.
Latency is also known as delay, and variance in delay is known as jitter.
A CDR (Call Detail Record) is log information, which is not as critical in
voice design as the others.
That's why the correct answers to this question are A, C and D.
Question 5:
Which of the QoS mechanisms below is commonly deployed on the Service
Provider's ingress PE device for customer traffic?
A. Policing
B. Shaping
C. WRED
D. MPLS Traffic Engineering
Answer 5:
On the customer site, shaping is deployed, and the Service Provider
commonly deploys policing. Exceeding traffic can either be dropped, passed
normally but charged extra, or marked down and treated worse.
Question 6:
Which of the statements below are true for voice traffic in QoS
design? (Choose Two)
A. Voice traffic should be marked with EF, DSCP 46
B. Voice traffic is sensitive to packet loss, jitter and delay
C. Voice traffic should be placed in the Best Effort queue
D. For the voice traffic queue, WRED should be enabled
E. Voice requires one-way latency of less than 2 seconds
Answer 6:
Voice traffic should be marked with EF, DSCP 46. It is sensitive to
packet loss, jitter and delay.
It should be placed in the LLQ (Low Latency Queue), not in best effort.
WRED should be enabled for TCP-based applications, not for the
voice traffic.
It requires the one-way latency to be less than 150ms, not 2 seconds.
The correct answers to this question are A and B.
Question 7:
Enterprise Company receives a Gigabit Ethernet physical link from the
local Service Provider, but the Committed Information Rate is 250Mbps.
Which QoS mechanism should Enterprise Company deploy to ensure
low packet loss toward the Service Provider?
A. Priority Queuing
B. WRED
C. Marking
D. Policing
E. Shaping
Answer 7:
When the physical link speed is higher than the contracted service,
the customer can send more traffic than the committed information rate
(the actual service bandwidth).
In this case, the common action on the Service Provider network is to
police the traffic.
The Service Provider might drop the customer's critical traffic unless
the customer shapes the traffic at their site. The correct answer to this
question is shaping, which is Option E.
Question 8:
Which of the options below are true for QoS design? (Choose Two)
A. MPLS QoS is done based on EXP bits
Answer 8:
MPLS QoS is done based on the 3-bit EXP field. IP DSCP uses 6 bits
of the IP TOS byte (8 bits).
Marking and classification should be done as close to the sources as
possible. If mapping is necessary, for example between PE and CE in MPLS
deployments, then remarking can also be done at the WAN edge, but
not at every hop.
Queuing kicks in only when the interface utilization reaches
100%, not 80! Queuing should be enabled even in the LAN to protect
the applications from micro bursts. For the best QoS design, the LAN
shouldn't be missed, and QoS should be deployed on the LAN as well.
That's why the correct answers to this question are A and B.
Question 9:
Which of the statements below are true for the MPLS QoS tunneling
models? (Choose Three)
A. There are two types of tunneling models: uniform mode
and non-uniform modes
B. There are three types of tunneling models: uniform mode,
short-pipe and pipe modes
C. Pipe mode is known as Long-pipe mode as well
D. With uniform mode, the customer may need to remark their
traffic at the remote site
E. Short-pipe mode requires MPLS between the customer
and the Service Provider
Answer 9:
There are three types of tunneling models: uniform mode, short-pipe
and pipe modes. Pipe mode is also known as long pipe mode.
With uniform mode, the customer QoS policy may require remarking at
the remote site.
None of the three modes requires MPLS between the customer and the
Service Provider.
That's why the answer to this question is B, C and D.
Question 10:
Which of the options below are true for MPLS QoS deployment?
(Choose Two)
A. Classification and marking is done on the P devices.
B. It requires MPLS between PE and CE
C. With Short-Pipe MPLS QoS tunneling mode, queuing is
Answer 10:
Classification and marking is done on the PE devices.
It doesn't require MPLS between PE and CE.
With Short-Pipe MPLS QoS tunneling mode, queuing is done at the
egress PE based on the customer QoS policy.
Policing is done on the ingress PE to drop or remark exceeding
customer traffic.
That's why the correct answers to this question are C and E.
Videos
Ciscolive Session-BRKCRS-2501
https://www.youtube.com/watch?v=6UJZBeK_JCs
Articles
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/QoSIntro.html
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Video/qos-mrn.pdf
http://orhanergun.net/2015/06/do-you-really-need-quality-of-service/
http://d2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKCRS-2501.pdf
https://ripe65.ripe.net/presentations/67-2012-09-25-qos.pdf
Chapter 11
MPLS
In this chapter:
• MPLS theory will be explained very briefly; the basic concepts in MPLS
that apply to all of its applications will be mentioned.
• MPLS applications such as Layer 2 and Layer 3 VPNs, Inter-AS
MPLS VPN deployment options, Carrier Supporting Carrier
architecture, Seamless MPLS, MPLS Transport Profile and MPLS
Traffic Engineering will be explained in detail. Comparison tables will
be provided wherever applicable from the design point of view.
• Many case studies will be provided to better understand the concepts
in a holistic manner.
• Many MPLS design questions will be provided, and the answers
will be shared at the end of the chapter. These questions are
complementary to the topics in the chapter and will be useful in real-
life MPLS design as well as in the CCDE Written and Practical exams.
MPLS Theory
MPLS APPLICATIONS
The important MPLS applications/services for network designers are
listed below.
All of them will be explained in this chapter.
• Layer 2 MPLS VPN
• Layer 3 MPLS VPN
• Inter-AS MPLS VPNs
• Carrier Supporting Carrier
• MPLS Traffic Engineering
• Seamless MPLS
• MPLS Transport Profile (MPLS-TP)
An MPLS infrastructure can run all of the above MPLS applications/
services at the same time.
You can provide protection for Layer 2 and Layer 3 VPN customers
MPLS Advantages
As an encapsulation and VPN mechanism, MPLS brings many
benefits to IP networks.
MPLS, as a very mature VPN technology, has many benefits. Below are
some of the important use cases of MPLS technology; they will be
explained in great detail throughout this chapter.
• Faster packet processing with MPLS compared to IP
MPLS was initially invented to provide faster packet processing compared
to IP-based lookup. With MPLS, instead of doing an IP destination-based
lookup, a label-switching operation is done. The smaller MPLS header,
compared to the IP header, is processed and provides a performance benefit.
Although today nobody enables MPLS for this reason, this was the initial
reason for MPLS, as I stated above.
• BGP-free core with MPLS
Without MPLS, if BGP is running on the network, it needs to run on
every device on the path. MPLS removes this need; fewer protocols means a
simpler network and easier maintenance.
• Hiding service-specific information (customer prefixes, etc.) from the
• Traffic Engineering
MPLS with RSVP-TE provides traffic engineering capability,
which allows better capacity usage and guaranteed SLAs for the desired
service. MPLS Traffic Engineering is explained in detail in many articles
on the website.
• Fast Reroute
With RSVP-TE, MPLS provides MPLS Traffic Engineering Fast
Reroute link and node protection. RSVP-TE is one option, but with
LDP, LFA and Remote LFA can be set up if RSVP-TE is not used in
the network. MPLS Traffic Engineering Fast Reroute can protect the
important services in any kind of topology and generally provides less
than 50 msec protection.
On the other hand, IP FRR mechanisms require a highly meshed
topology to provide full coverage in the case of failures.
When LDP is used without RSVP-TE, the solution is also called IP
Fast Reroute. There was a CR-LDP (Constraint-based) draft, but since it is
deprecated I don't mention it here.
MPLS doesn't bring security by default. If security is needed, then
IPSEC should run on top of it. The best IPSEC solution for MPLS
MPLS Layer 2 VPN Service Types:
There are mainly two services in MPLS Layer 2 VPN. These are
VPWS and VPLS.
VPWS is also known as EoMPLS (Ethernet over MPLS). In Cisco
books, you can see it as AToM (Any Transport over MPLS) as well.
VPWS can carry almost all Layer 2 payloads, as can be seen from the
above diagram.
VPLS can carry Ethernet frames only. There is an attempt in the IETF
to carry other Layer 2 payloads over VPLS, though.
In VPWS, PE devices learn only VLAN information if the VC type is
VLAN. If the VC type is Ethernet, then the PE device doesn't keep any
state; the VLAN is not learned either.
There is only one egress point for the VPWS service at the other end
of the pseudo-wire, thus the PE device doesn't have to keep MAC address
to PW bindings.
The PE device doesn't have to learn the customer's MAC addresses in
the VPWS (EoMPLS) MPLS Layer 2 VPN service. This provides scalability.
VPLS Topology
It is used to identify the VPLS domain of the Customer.
As depicted in the above topology, a point-to-point pseudo-wire
is created between the PE devices for VPWS (EoMPLS, point-to-
point service). In order to have a VPLS service, a full mesh of point-to-point
pseudo-wires is created between all the PEs which have membership in
the same VPN.
EVPN
EVPN is a next-generation VPLS. In VPLS, customer MAC addresses
are learned through the data plane: source MAC addresses are recorded based
on the source address from both the AC (attachment circuit) and the pseudo-wire. In
VPLS, active-active flow-based load balancing is not possible.
A customer can be dual-homed to the same or different PEs of the service
provider, but either those links can be used as active/standby for all
VLANs or VLAN-based load balancing can be achieved. EVPN can
support active-active flow-based load balancing, so the same VLAN can be
used on both PE devices actively. This provides faster convergence in
customer link, PE link, or node failure scenarios.
BGP into the customer VRF. MPLS Layer 3 VPN by default provides any-to-
any connectivity (multipoint-to-multipoint) between the VPN customer
sites. If the customer wants to have a hub-and-spoke topology, route target
communities can provide that flexibility.
point of view.
Design Requirement | EoMPLS | VPLS | MPLS L3 VPN
Scalability for the Customer | Not scalable compared to VPLS and MPLS L3 VPN | Very scalable architecture for the layer 2 service | Very scalable architecture for the layer 3 service
Scalability for the Service Provider | Not good | Same as EoMPLS if BGP Auto Discovery is not used; if BGP AD is used, better than EoMPLS |
Service Type | Carries Layer 2 frames | Carries Layer 2 frames | Carries Layer 3 IP packets
Working on Full Mesh | Scalability is very bad for full mesh topology | It works very well for the full mesh topology | Very good with the MP-BGP VPN Route Reflectors, but RT Constraints should be used to hide unnecessary information from the unintended PE devices
Working on Hub and Spoke | Works quite well, but if the number of sites is too high, scalability for both customer and service provider becomes an issue | Better than EoMPLS for both the Service Provider and the Customer from the scalability point of view | Requires extra configuration on the Service Provider side, but it is doable and commonly used
Suitable as WAN technology | Yes, but not scalable | Yes, it is very scalable | Yes, it is very scalable
Suitable as DCI technology | It is suitable, but if there are many sites to interconnect its scalability is not good | It is originally designed as a Datacenter Interconnect technology; it is the most suitable one among these three options | It can be used as a Layer 3 datacenter interconnect technology, but cannot provide layer 2 extension, thus not good as DCI
Who controls the Backbone Routing | Customer | Customer | Service Provider
Standard Protocol | Yes, IETF Standard | Yes, IETF Standard | Yes, IETF Standard
Service Provider Staff Experience | Not well known | Limited knowledge | Well known
Routing Protocol Support | All routing protocols can be enabled over the Ethernet over MPLS service | VPLS provides LAN emulation, so it allows layer 2 to be stretched over the customer locations. Any routing protocol can run over the VPLS service | In theory any routing protocol can run as PE-CE, but most Service Providers only provide BGP and Static Routing
MPLS Traffic Engineering Support | Yes | Yes | Yes
Security | Same as Frame Relay, doesn't provide IPSEC by default | Same as Frame Relay, doesn't provide IPSEC by default | Same as Frame Relay, doesn't provide IPSEC by default
Multicast Support | Yes | Yes | The Service Provider should offer it, otherwise the Customer has to create overlays to carry Multicast traffic; that's why Multicast support may not be good
Best technology for IPSEC | GETVPN, it provides excellent scalability | GETVPN, it provides excellent scalability | GETVPN, it provides excellent scalability
Resource Requirement for the Service Provider | Best, since the PE devices don't have to keep the customer MAC addresses | Worst, since the PE devices have to keep all the MAC addresses of the customer, and MAC addresses are not aggregatable | Bad, since the PE devices have to keep the routing tables of the customer; but since the IP addresses can be aggregated, some sites may not need the entire routing table of the customer
Resource Requirement for the Customer | Basic, it requires only a layer 2 switch | Basic, it requires only a layer 2 switch | More, it requires either a Layer 3 switch or a Router at the customer site
IPv6 Support | Yes, the Service Provider is transparent for the IPv4 and IPv6 packets | Yes, the Service Provider is transparent for the IPv4 and IPv6 packets | Yes, with 6VPE technology it provides IPv6 support for the VPN customers
Hierarchy | None | With H-VPLS the full mesh PW requirement is avoided | Route Reflector for the MP-BGP sessions between PE devices
Loop Prevention | It is only point to point, there is no chance to loop | In the core, split horizon prevents loops. If traffic comes from a PW it is not sent back to another PW | OSPF Down Bit, IS-IS Up/Down Bit, EIGRP Site of Origin prevent loops when the CE is multihomed to the MPLS L3 VPN PE
EoMPLS vs. VPLS vs. MPLS L3 VPN Design Comparison
MPLS VPN Resiliency
Customers needing increased resiliency may want to have two
MPLS connections from two different service providers. Primary and
secondary VPNs are in general the same type of VPN, so if the primary is a
Layer 2 VPN, since this is the operational model that the customer wants
to use, the secondary link from the other provider is also chosen as a Layer 2
VPN. If a Layer 3 VPN is received from one service provider, the second link
from the second provider is also received as a Layer 3 VPN. Of course,
neither MPLS Layer 2 VPN nor Layer 3 VPN has to have an MPLS VPN
as a backup; the Internet or any other transport can be a backup for
the customer.
The table below shows the selection criteria for choosing single vs.
dual providers.
three datacenters, and 174 branch offices across the country, Orefe wants
to run OSPF as the routing protocol with their service provider.
Kelcomm is the service provider that provides an MPLS VPN service
to Orefe. Unlike other service providers, which only provide BGP and static
routing to their MPLS Layer 3 VPN customers, Kelcomm agreed to run
OSPF with Orefe.
Orefe has a VPN link between its two headquarters. They will keep
that link as an alternate to the MPLS VPN. In case the MPLS link fails, the best-
effort VPN link over the Internet will be used as a backup.
• Explain the traffic flow between Orefe's two headquarters.
• What might be the possible problems? How could those problems
possibly be avoided?
Both headquarters are in OSPF Area 1, as is the backdoor VPN link.
The topology is seen below. If OSPF is used as the PE-CE protocol in an
MPLS Layer 3 VPN environment, routes are received as Type 3 LSAs over
the MPLS backbone if the domain ID is the same. If they are different,
then the routes are received as OSPF Type 5 LSAs. If the domain ID is not
set explicitly, then the process ID is used as the domain ID by default.
As can be seen from the above picture, the backdoor VPN link
(best-effort, no service guarantee) is used as primary. The customer does not
want that, because they pay for a guaranteed SLA, so they want to use the MPLS
With the OSPF Sham-link, PE2 will send OSPF Type 1 LSAs towards
CE2. With only metric manipulation, the MPLS backbone can be made
preferable.
Another approach would place the PE-CE link into Area 0. For the
headquarters, Orefe would have already put those links in Area 0. If a
multi-area design is required, then Orefe should place the branch offices
in a non-backbone area.
Once the PE-CE links are placed in Area 0, the backdoor link should
be placed in a different area. This makes CE1 and CE2 ABRs. Prefixes
are received over the backdoor link as Type 3.
Without a Sham-link they are also received as Type 3 over the MPLS
backbone (assuming domain ID and process ID match between the PEs), and
then with metric manipulation the MPLS backbone can be made preferable.
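The route-selection reasoning behind both fixes, as an added example that is not part of the book: OSPF prefers routes by LSA type before it looks at cost (intra-area over inter-area over external, RFC 2328 section 16.4.1), which is why a slow intra-area backdoor beats a cheap Type 3 route from the MPLS backbone until either a sham-link turns the backbone path into a Type 1 route, or moving the PE-CE links to Area 0 turns both paths into Type 3 routes. The link names and costs are constructed; the Area 1 placement and the matching domain IDs are the case study's assumptions.

```python
"""OSPF route preference for the Orefe case study (backdoor link vs. MPLS VPN).

Added example, not from the book. Link names and costs are constructed.
"""
from dataclasses import dataclass
from typing import List

# RFC 2328 section 16.4.1 ordering; lower rank is preferred regardless of cost.
ROUTE_TYPE_RANK = {"intra-area": 0, "inter-area": 1, "external-1": 2, "external-2": 3}
LSA_TYPE_FOR = {"intra-area": 1, "inter-area": 3, "external-1": 5, "external-2": 5}


@dataclass(frozen=True)
class Candidate:
    via: str          # link the prefix is learned over (constructed names)
    route_type: str   # key of ROUTE_TYPE_RANK
    cost: int


def best_path(candidates: List[Candidate]) -> Candidate:
    """OSPF route selection: better route type first, then lowest cost."""
    return min(candidates, key=lambda c: (ROUTE_TYPE_RANK[c.route_type], c.cost))


def orefe_scenario(sham_link: bool, pe_ce_in_area0: bool,
                   mpls_cost: int = 10, backdoor_cost: int = 100) -> Candidate:
    """Route one HQ selects for the other HQ's prefix under the design options.

    Default (book): both HQs and the backdoor are in Area 1 and the PE domain IDs
    match, so the backbone re-originates the prefix as a Type 3 LSA.
    """
    if pe_ce_in_area0:
        # PE-CE links in Area 0, backdoor moved to another area: CE1/CE2 become
        # ABRs and the prefix arrives as Type 3 over both paths, so cost decides.
        backdoor = Candidate("backdoor-vpn", "inter-area", backdoor_cost)
        mpls = Candidate("mpls-vpn", "inter-area", mpls_cost)
    else:
        backdoor = Candidate("backdoor-vpn", "intra-area", backdoor_cost)
        # Sham-link floods the Type 1 LSA across the backbone, so the MPLS path
        # is intra-area too; without it the PE re-originates a Type 3.
        mpls = Candidate("mpls-vpn", "intra-area" if sham_link else "inter-area", mpls_cost)
    return best_path([backdoor, mpls])


if __name__ == "__main__":
    for sham, area0 in ((False, False), (True, False), (False, True)):
        chosen = orefe_scenario(sham, area0)
        print(f"sham-link={sham!s:5} pe-ce-in-area0={area0!s:5} -> {chosen.via} "
              f"(LSA type {LSA_TYPE_FOR[chosen.route_type]}, cost {chosen.cost})")
```

With the constructed costs (MPLS 10, backdoor 100) the plain Area 1 design still selects the backdoor, because intra-area wins before cost is compared; with the sham-link or with the Area 0 design the two candidates are of the same type, and the cheaper MPLS path is chosen. Raising the backdoor cost in the plain design changes nothing, which is the point the case study makes.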
Dubai via primary MPLS L3 VPN link.
Orko's availability is important, so secondary connections to the
datacenter are provided via DMVPN over the Internet.
Orko is working with a single service provider. The MPLS and Internet
circuits terminate on the same router.
In order to have better policy control and for scalability reasons, Orko
decided to run BGP with its service provider over the MPLS circuit.
Orko doesn't have a public ASN, and its service provider provides the
private AS 500.
Orko uses the same AS number 500 at every location, including its
datacenter. In the datacenter, Orko has two MPLS circuits for redundancy,
and they are terminated on different routers.
• Would this solution work with BGP as the PE-CE routing protocol?
What can be done to make the solution work?
• What are the possible risks and how can they be mitigated?
Since Orko is running BGP everywhere with the same AS number,
the BGP loop prevention mechanism doesn't allow BGP prefixes with its own
AS in the AS-path.
The solution wouldn't work unless the service provider implements AS-
PE3.
PE3 advertises these prefixes to PE4. The service provider configures
BGP AS Override on its PE toward Orko's PE-CE link. This creates a
problem on the PE4 to CE3 link. Since the prefixes come as "AS 10, 10", CE3
would accept its own locally originated prefixes from the MPLS backbone, thus
creating a BGP routing loop.
If BGP AS override or allowas-in is configured, it creates a routing
loop at the multi-homed site. One solution to this problem is
BGP site-of-origin (SoO).
SoO 10:500 is set on the PE3-CE3 and PE3-CE4 links. When
PE4 receives the prefixes from PE3, it doesn't advertise the prefixes to
CE3. SoO 10:500 is set on the PE1-CE1 link and SoO 10:500 is set on the
PE2-CE2 link.
SEAMLESS MPLS
Seamless MPLS provides the architectural baseline for creating a
scalable, resilient, and manageable network infrastructure.
The Seamless MPLS architecture can be used to create large-scale MPLS
networks.
It reduces the operational touch points for service creation.
The Seamless MPLS architecture is best suited to very large-scale
Service Provider or Mobile Operator networks that have thousands or tens of
thousands of access nodes and very large aggregation networks.
IP traffic increases rapidly due to video, cloud, mobile Internet,
multimedia services and so on. To cope with the growth rate of IP traffic,
capacity should be increased, but at the same time operational simplicity
should be maintained.
Since there might be thousands to tens of thousands of devices in the
Access, Aggregation and Core networks of large Service Providers or
Mobile Operators, extending MPLS into the Access networks comes with
the following main problems:
• Large flat routing designs adversely affect the stability and convergence
time of the IGP.
Labeled BGP Access with Flat Aggregation and Core Seamless MPLS model
Labeled BGP Aggregation and Core with IGP Redistribution into Access Network
Three models are defined in RFC 2547 for Inter-AS MPLS VPNs. Inter-
AS Option A is the first; it is also known as 10A. There is also a fourth
Inter-AS MPLS VPN deployment option, which was invented by
Cisco. It is known as Option AB (a.k.a. Option D). Option AB will be
explained in this chapter as well.
The PE routers that connect the two providers are also known as
ASBR (Autonomous System Boundary Router). (PE3 in AS10 and PE4
in AS20). In Inter AS Option A; ASBR router in one Autonomous
System attaches directly to an ASBR router in another Autonomous
System.
The two ASBR routers connected through multiple sub-interface or
physical interfaces. They connect two Autonomous Systems to each other.
In addition, those sub interfaces associate with the VRF table. For
each customer, service providers could use separate physical connection,
instead of sub interface.
However, doing that would not produce optimal result for resource
utilization.
PE routers connected to the CE devices (Customer device) run MP-
IBGP, either through full mesh or through RR (Route Reflector).
In Inter AS Option A, ASBR routers have to keep all the VRFs
of Inter-as MPLS service customers. This can create memory
and CPU problem on the ASBRs. In other Inter-AS MPLS VPN
Chapter 11
Inter AS Option A does not require MPLS at the ASBRs unlike the
other Inter AS options.
Since we need to have a separate VRF and sub interface for each
customer VPN, separate routing protocol configuration and dealing with
redistribution for each customer VPN is operationally cumbersome, thus
Inter-AS Option a is hard to scale if there too much Inter-AS MPLS VPN
customers.
Among all the Inter-AS options, Option A is considered the most secure Inter-AS MPLS VPN deployment option, since there is only IP routing between the Autonomous Systems and no internal information is shared between them.
In addition, it is the easiest option to implement between the Autonomous Systems, because Option A requires no control plane mechanism between the service provider ASBRs other than a routing protocol: no LDP, BGP+Label (BGP-LU) or BGP VPNv4 is needed. Those protocols are required in the other Inter-AS MPLS VPN deployment options.
Since only IP traffic (not MPLS) passes between the service providers and there is a separate physical interface or sub-interface per VPN, Option A offers the most granular QoS implementation (per sub-interface, and classification on IP DSCP rather than MPLS EXP).
For all Inter-AS options, customers commonly have to trust the service provider for data integrity, confidentiality and availability.
MPLS does not encrypt packets; if encryption is a design requirement, IPsec should be deployed.
Last but not least, since no internal routing information is shared between the service providers, Inter-AS Option A is seen as the most secure of all the Inter-AS VPN options.
only reflects the route to the ASBR.
The ASBR does not place the MP-BGP prefixes (customer prefixes) into a VRF, since it does not have to keep VRF tables; in Inter-AS Option B the customer prefixes are maintained in the VPNv4 BGP table.
The ASBR of SP-A changes the next hop and sends the VPNv4 prefixes over an MP-BGP session to the SP-B ASBR.
The SP-B ASBR sends the customer prefixes to its local route reflector. The route reflector in the SP-B domain reflects the prefixes as is to the PE that is connected to the Customer A2 location. The SP-B PE sets the next hop again and sends the prefixes to the Customer A2 router.
As shown in the service provider domains, there are three LSPs, because whenever the BGP next hop changes, the LSP is terminated at the point where the next hop is changed and a new VPN label is assigned on that router for all the VPN prefixes.
Inter-AS Option B does not require LDP or an IGP between the Autonomous Systems; thus the service providers do not need to know each other's internal addressing structure.
Similar to Inter-AS Option A, you do not need to redistribute VPN prefixes at the ASBR.
Route reflectors store all the VPN routing information for each
In the above figure, there are two service providers: Service Provider A and Service Provider B.
Service Provider A:
Service Provider A has two customers: Customer A and Customer B.
For scaling purposes, all the provider edge routers run a VPNv4 BGP session with a VPNv4 route reflector.
Service Provider B:
Service Provider B has two customers: Customer A and Customer B.
A and B are the companies that require the Inter-AS MPLS VPN service.
Service Provider B runs IS-IS internally (it could, of course, run another IGP as well). PE-CE routing protocols are enabled on the VRF; thus Service Provider A has two separate VRF tables.
For scaling purposes, all the provider edge routers run a VPNv4 BGP session with a VPNv4 route reflector.
Inter-AS Option C runs a VPNv4 BGP session between the route reflectors of the service providers.
The ASBR PEs know the loopback address of the route reflector through OSPF in the Service Provider A network and through IS-IS in the Service Provider B network.
Since the VPNv4 eBGP neighborship is set up between the VPNv4 RRs of the service providers in Inter-AS Option C, the next hop for the VPN route is the route reflector.
without advertising the infrastructure prefixes (internal prefixes) of the service providers to each other in Inter-AS MPLS VPNs?
The answer is Inter-AS Option AB. As you can see from the above figure, a separate sub-interface is created per VRF on the ASBRs. This provides data plane isolation, and QoS configuration can be applied per customer. As customer traffic is isolated via VRFs, better security is achieved as well compared to a single interface.
The difference between Inter-AS Option AB and Inter-AS Option A is that in Option AB the customer prefixes are advertised through a single eBGP session between the ASBRs. There is no separate eBGP session per VRF between the ASBRs, as there is in Inter-AS Option A.
Control plane traffic, that is the routing advertisements and other routing protocol packets, is sent through the single eBGP connection over the global routing table.
Customer data plane traffic is sent as IP traffic without MPLS encapsulation.
Use Cases of Inter-AS MPLS VPN Option AB:
• It can be used when the customer requires an MPLS VPN service from two service providers with a strict QoS SLA and the number of Inter-AS MPLS VPN customers between the two service providers is large.
• At least, it was initially created for these reasons, but in my opinion its real applicability is the migration from Inter-AS Option A to Inter-AS Option B. During that migration, Inter-AS Option AB can be used as a transition solution.
Question 1:
Which VPN solution would be best to address this problem so that
the agreement can go forward?
Answer 1:
Among the available Inter-AS MPLS VPN options, Option B and Option C are the most suitable because of the number of expected VPN customers. However, Option C requires internal routing information, such as PE and VPN RR addresses, to be leaked between the service providers.
So the best solution based on these requirements is Inter-AS MPLS Option B.
Question 2:
Based on the provided simplified network topologies of the two service providers, select the protocols that need to be used on the devices that have a check box next to them.
Answer 2:
Below is the answer to the second question.
Scalability
  Option A: Less scalable, due to the VRF and sub-interface configuration requirement for each customer VPN.
  Option B: Scalable, since a VRF does not have to be provisioned on the ASBR and there is no need for a separate VRF per customer.
  Option C: Very scalable, since the ASBRs do not have to hold VRF and VPN information; VPN information is kept on the route reflectors.
Security
  Option A: Most secure, since routing information is not shared between the domains.
  Option B: Secure, since only the interlink between the ASBRs is leaked between the domains if next-hop-self is not implemented on the local ASBR.
  Option C: Worst. All the PE loopback subnets and the route reflector subnets need to be leaked between the two Autonomous Systems. Thus Option C is preferred between two ASes of the same company, not between two different companies.
Quality of Service support
  Option A: Most flexible, but hard to manage.
  Option B: Only MPLS EXP bits, and one link for every customer.
  Option C: Same as Option B, 3 EXP bits for every customer, but easy to manage compared to Option A.
Staff experience
  Option A: Easy to understand, reduces training cost.
  Option B: Moderate, MPLS VPN operation needs to be understood.
  Option C: Requires MPLS VPN and route reflector knowledge, so training cost would be high and it is hard to find already experienced engineers.
MPLS between carriers
  Option A: No. Option B: Yes. Option C: Yes.
Complexity
  Option A: Easy. Option B: Hard to implement and understand. Option C: Most complex.
Resource requirement on the ASBR
  Option A: VRF, VPN and BGP information on the ASBR, which is why it requires too much resource on the ASBR.
  Option B: Moderate, the ASBR does not keep the VRF information of all the customers, but the VPN routing table is still kept for all the customers on the ASBR.
  Option C: Best. The ASBRs do not have to keep VRF or VPN information for all the customers. If the ASBR is also a PE, then it only keeps the VRF routing table and the VPN route information for the directly connected customers.
Default convergence in case of an ASBR failure
  Option A: Slow; VRF, RIB, FIB and LFIB need to converge.
  Option B: Fast, only the LFIB needs to converge.
  Option C: Very fast, due to only the LDP adjacency between the ASBRs.
Troubleshooting
  Option A: Easy. Option B: Moderate. Option C: Hard, requires MPLS VPN, route reflector and good routing knowledge.
Redistribution
  Option A: Yes, for each customer VRF.
  Option B: Only the interlink between the two domains is redistributed, if next-hop-self is not implemented on the local ASBR.
  Option C: Yes, Provider Edge router loopbacks and route reflector subnets.
Merger & Acquisition
  Option A: Not suitable if there is a time constraint for the operation; each and every customer VRF needs to be provisioned, thus it requires a very long time for the migration.
  Option B: Requires MPLS between the ASBRs and VPN configuration on the ASBRs, but there is no configuration for each and every customer, thus the operation can be much faster compared to Option A.
  Option C: Same as Option B; additionally, since it is required to leak internal routing information between the two ASes, Option C is suitable for the same company's different administrative domains. That is why it is very suitable for the company merger design.
Inter-AS MPLS VPN Options Comparison
table (at the time of this writing it is over 520K prefixes), then BGP is already the only way.
A BGP session is created between Smallnet and Biggercom. Smallnet's customer prefixes are NOT advertised over this BGP session; instead, the loopback interfaces of Smallnet's route reflectors or PEs are advertised.
An iBGP session is created between the Smallnet route reflectors, and the customer prefixes of Smallnet are advertised and received over this BGP session. One big design caveat of the CsC architecture is that MPLS has to be enabled between the customer carrier and the backbone carrier. So MPLS and BGP are enabled between the Smallnet and Biggercom networks. The purpose of MPLS is to hide the customer prefixes of Smallnet from Biggercom.
If MPLS were not enabled on the link between Smallnet and Biggercom, Biggercom would have to do an IP destination lookup on the incoming IP packets destined to the customer prefixes of Smallnet. Since Biggercom doesn't have a clue about the customers of Smallnet, the packets would be dropped.
Reverse tunnels must also be created, but this time R6 is used as the headend and R2 as the tailend. The tailend needs no configuration.
If the return tunnel is not created, the return traffic follows the IGP shortest path, not the MPLS Traffic Engineering tunnel.
Four steps are required for MPLS traffic engineering to take place:
• Link-state protocols carry link attributes in their link-state advertisements (LSAs).
• Based on the constraints defined, the traffic path is calculated with the help of the Constrained Shortest Path First (CSPF) algorithm.
• The path is signaled by the Resource Reservation Protocol (RSVP).
• Traffic is then sent into the MPLS traffic engineering tunnel.
Let's take a look at these steps in detail:
1. By default, link-state protocols send only connected interface addresses and metric information to their neighbors. Based on this information, the Shortest Path First (SPF) algorithm creates a tree and builds the topology of the network. MPLS traffic engineering allows us to add some constraints. In the above figure, let's assume the R2-R5 link is 5 Mbit/s, R5-R6 is 10 Mbit/s, and all the interfaces between the bottom routers are 6 Mbit/s.
If we want to set up a 6 Mbit/s tunnel, SPF will not even take the R2-R5-R6 path into consideration, because the link from R2 to R5 does not
In the above figure, there are two paths you could take to get from
Router 2 (R2) to Router 6 (R6):
there is no free lunch, of course.
Traditionally, voice and video traffic were carried over circuit-based TDM links. These applications are very delay and loss sensitive, so we need to design our packet-switching networks to ensure that they are adequately supported.
MPLS traffic engineering and quality of service (QoS) can both be used, either alone or together, to accomplish this goal. These technologies are sometimes confused, but they are independent subjects and not mutually exclusive.
Reservation for the traffic engineering tunnels, however, is made in the control plane of the devices.
As an example, you can have a 100 Mbit/s link between point A and point B. Assume you reserve bandwidth for two label switched paths with 60 Mbit/s and 40 Mbit/s requirements.
From point A, 80 Mbit/s of traffic can be sent over the 60 Mbit/s signaled LSP.
Since, by default, MPLS traffic engineering tunnels are not aware of data plane actions, the 20 Mbit/s of traffic exceeding the limit will be dropped.
Based on the EXP bits in the label stack, traffic can be classified and sent to an LSP that is QoS-enabled for protection.
Autoroute and forwarding adjacency, on the other hand, are dynamic methods of steering traffic into traffic engineering LSPs.
MPLS Traffic Engineering Autoroute
By default, the shortest path is used for the destination prefix, and next-hop resolution is done to the next directly connected router. When the autoroute feature is implemented, the next hop automatically becomes the destination address of the tunnel tailend (tunnel destination).
The drawback of this approach is that there is no traffic classification or separation, so all traffic, regardless of importance, is sent through the LSP. Once MPLS traffic engineering is enabled and autoroute is used, traffic can be inserted only at the ingress node (label switching router). Any LSR other than the ingress point is unable to insert traffic into the traffic engineering LSP; thus autoroute can only affect the path selection of the ingress LSR.
MPLS Traffic Engineering Forwarding adjacency
Once we enable this feature, an MPLS traffic engineering tunnel is seen as a "point-to-point link" from the interior gateway protocol's point of view. Even though traffic engineering tunnels are unidirectional, the protocol running over an LSP in one direction should operate in the same way on the return path in a point-to-point configuration.
3. MPLS Traffic Engineering Fast Reroute
Before explaining how fast reroute is used in the context of MPLS traffic engineering, you'll need to understand the basics of fast reroute.
In the figure below, there are two paths between Router 2 (R2) and Router 6 (R6).
If we assume that Open Shortest Path First (OSPF) is used in this topology, then based on the end-to-end total link cost the R2-R5-R6 path would be chosen.
The information for the R2-R3-R4-R6 path is also kept in the OSPF link-state database.
If the R2-R5-R6 path fails, the SPF algorithm runs on every router in the same area, and R2 selects R3 as the next hop. It puts this information into the routing table, and if the router supports separate control and data planes, the routing information is distributed into the forwarding information base as well.
If the R2-R5 link fails and we need to protect that link, we call that link protection. A backup, pre-signaled path can be created from R2 via R3 to R5, so that if the R2-R5 link fails, traffic is automatically redirected to the backup path. Because the failure is local to R2, this is called local protection.
It's also possible for R5 to fail. In this case, the R2-R3-R5 path will not work, so we need to bypass R5 completely. An R2-R3-R4-R6 pre-signaled path could be created for node protection purposes, because in this case we want to protect the node rather than the link.
The figure below summarizes the MPLS Traffic Engineering Fast Reroute link protection operation.
Most failures in networks are link failures; node failure is less common than link failure. Thus, many networks only enable link protection. MPLS Traffic Engineering Fast Reroute can cover all the failure scenarios. An IP fast reroute technology such as LFA (Loop Free Alternate) requires highly meshed topologies to find an alternate path, which is then programmed in the data plane.
If the topology is a ring, LFA cannot work; a tunnel to the PQ node is required. Remote LFA is another IP fast reroute technology, which allows a tunnel to be created from the PLR to the PQ node.
There are more fast reroute protection mechanisms besides MPLS Traffic Engineering. In the section below these mechanisms are briefly introduced.
does not run MPLS, but they are also considering enabling MPLS towards the aggregation first and then to the access networks.
Recently, they reconsidered the core network availability and decided to enable MPLS Fast Reroute between all edge devices in their core network.
Due to the small number of edge devices, a full mesh of RSVP-TE LSPs is not a problem for Maynet, but a protection mechanism suggested by their transport team raises serious concerns.
They would like your opinion about the issue and ask the following questions.
• What is MPLS Traffic Engineering path protection?
• What are the pros and cons of having MPLS path protection?
• Why is the transport department suggesting MPLS TE FRR path protection instead of local protection technologies?
Please compare the two architectures and highlight the similarities and differences so that Maynet can decide on the final architecture.
MPLS Traffic Engineering Fast Reroute is a local protection mechanism in which the nodes local to the failure react to it. Control plane convergence follows the data plane fast reroute protection, and if a more optimal path is found, a new LSP is signaled in a make-before-break (MBB) manner.
A fast reroute backup LSP can protect multiple primary LSPs, which is why the MPLS Traffic Engineering chapter shows it as 1:N protection. By contrast, path protection is a 1:1 protection scheme, where one backup LSP protects only one primary LSP.
There are two drawbacks of path protection:
• The backup LSP sits idle and can only carry traffic if the primary LSP fails. This conflicts with the idea behind MPLS Traffic Engineering, which is to optimize traffic usage and save cost.
As depicted in the picture above, the green path is the backup path; it cannot pass through any device or link that the primary LSP passes through.
• The second biggest drawback of MPLS Traffic Engineering path protection, as opposed to local protection with link or node protection, is the number of LSPs.
Since one backup LSP is created for each primary LSP, the number of RSVP-TE LSPs will be almost double compared to 1:N local protection mechanisms. In transport networks, SONET/SDH, OTN and MPLS-TP all have linear protection schemes that are very similar to MPLS Traffic Engineering path protection.
is inevitably a period of disruption to the delivery of traffic until the network reconverges on the new topology. Fast reaction to the failed element is essential. There are two approaches to fast reaction: fast convergence and fast reroute. When a local failure occurs, four steps are necessary for convergence:
1. Failure detection
2. Failure propagation
3. Processing of the new information
4. Updating the new route into the RIB/FIB
For fast convergence, these steps may need to be tuned. The tuning of these steps and the recommendations were provided in the OSPF chapter of the book.
Although the RIB/FIB update is hardware dependent, the network operator can configure all the other steps. One thing always needs to be kept in mind: fast convergence and fast reroute can affect network stability.
Unlike fast convergence, with fast reroute the routes are precomputed and preprogrammed into the router RIB/FIB. An alternate is found, if possible, and pre-installed into the RIB/FIB. As soon as the local failure is detected, the PLR (Point of Local Repair) switches the routes to use the alternate path. This preserves the traffic while the normal
Assume that all link costs are the same and a link-state protocol is used. In the figure above, if the R1-R2 link fails, R1 needs to find a way to send packets to the destination networks behind R2.
When the R1-R2 link fails, in both IP and MPLS networks, if R1 sends a packet to R3, then since all link costs are the same, R3's next hop for R2 is R1. This is called a micro-loop: until R3 learns of the failure and computes its new primary next hop R5, packets loop between R1 and R3. This can cause congestion on the link.
The Loop Free Alternate mechanism looks for an alternate path for R1 to send packets to R2 when the R1-R2 link fails. For the mechanism to work, R1 runs additional SPFs from its neighbors' point of view by using CSPF. It is obvious that R1 cannot use R3 as its alternate next hop. All the other five mechanisms can solve this issue in different ways. This is the drawback of LFA: there may be neither node nor link protection, because it is very topology dependent. Some small topologies (RFC 6571) can work very well.
If somehow R3 knew that the packet was coming from its primary next hop and that it should send the packet to its alternate next hop, then the packet could reach R2 through R1-R3-R5-R6-R4-R2. This is called U-turn alternate, since the packet is sent back from R1 to R3 without causing a micro-loop.
For the mechanism to work, R3 is either explicitly marked or implicitly learns that the packet is coming from its primary next hop. R3 also needs to have a loop-free node-protecting alternate path. Loop-free alternate traffic is sent to a neighbor who will not send it back. In U-turn alternate, traffic is sent to a neighbor who will send it to the neighbor's alternate instead of back.
The other three mechanisms rely on tunnels. Before going into further explanation, it is important to understand some general concepts.
First, there is Remote LFA. The basic concept is to find a node that
the PLR can reach without going through the failure point and where
that node can also reach the destination (or a proxy for the destination)
without going through the failure point. Then the PLR can tunnel traffic
to this node and it will reach the destination without going across the
failure point.
To find this node, there are two steps. First, the PLR determines all the nodes that it can reach without going through the primary next hop. This set of nodes is called the extended P-space: either the PLR's shortest path to these nodes avoids the primary next hop, or the PLR has a neighbor whose shortest path to these nodes avoids the primary next hop.
• For example, the set of routers that can be reached from R1 without traversing R1-R2 is called the extended P-space of R1 with respect to the link R1-R2.
Second, the set of routers from which the node R2 can be reached,
Lastly, the third tunneling mechanism is Not-Via, which can also guarantee protection for link, node and SRLG failures. To accomplish this, each router is given additional IP addresses with extra semantics.
• For instance, R2 would have an address that means "R2 but not via R1-R2". To find the next hop for "R2 but not via R1-R2", each router would remove R1-R2 from the network graph and then compute an SPF. The computation can be optimized with incremental SPF (iSPF), but many iSPFs can be needed (one per failure point).
The alternate from R1 to R2 would thus involve tunneling the packet by adding a header with a destination address of "R2 but not via R1-R2". The path from R1 to "R2 but not via R1-R2" is R1-R3-R5-R6-R4-R2. Because of the special semantics of the Not-Via address, R3 knows that it shouldn't use the R1-R2 link to reach R2, and it sends the packets to R5.
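As an added example (not from the book), the path computations this chapter discusses, run on the two small topologies the text describes: CSPF pruning links that cannot carry a 6 Mbit/s tunnel on the R2..R6 TE topology, and, on the six-router ring, the micro-loop check at R3, the LFA inequality at R1 (no LFA exists on a ring) and the Remote LFA P-space/Q-space computation that yields R6 as the PQ node for protecting R1-R2. The link lists are reconstructed from the text because the figures are not reproduced; IGP costs and bandwidths the text does not give are assumed.

```python
import heapq
from collections import defaultdict

INF = float("inf")

# Link = (a, b, igp_cost, bandwidth_mbps); links are undirected with symmetric costs.
# TE figure as described in the text (assumed topology, figure not reproduced):
# R2-R5 is 5 Mbit/s, R5-R6 is 10 Mbit/s, the bottom path R2-R3-R4-R6 is 6 Mbit/s.
TE_LINKS = [("R2", "R5", 1, 5), ("R5", "R6", 1, 10),
            ("R2", "R3", 1, 6), ("R3", "R4", 1, 6), ("R4", "R6", 1, 6)]
# FRR figure: six routers in a ring with equal costs, so the only alternative to
# the R1-R2 link is R1-R3-R5-R6-R4-R2 (bandwidth values are placeholders here).
RING_LINKS = [("R1", "R2", 1, 10), ("R2", "R4", 1, 10), ("R4", "R6", 1, 10),
              ("R6", "R5", 1, 10), ("R5", "R3", 1, 10), ("R3", "R1", 1, 10)]


def build_graph(links, min_bw=0):
    """Adjacency map. Links below min_bw are pruned, which is the CSPF step:
    constraints are applied to the topology before the shortest path is run."""
    g = defaultdict(dict)
    for a, b, cost, bw in links:
        if bw >= min_bw:
            g[a][b] = g[b][a] = cost
    return g


def spf(graph, src):
    """Dijkstra; returns {node: shortest distance from src}."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        for nb, c in graph[n].items():
            if d + c < dist.get(nb, INF):
                dist[nb] = d + c
                heapq.heappush(heap, (d + c, nb))
    return dist


def shortest_path(graph, src, dst):
    """One shortest path as a node list, rebuilt by walking tight edges back."""
    dist = spf(graph, src)
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        cur = path[-1]
        path.append(next(n for n, c in graph[cur].items()
                         if dist.get(n, INF) + c == dist[cur]))
    return path[::-1]


def cspf(links, src, dst, bw_mbps):
    """Constrained SPF: prune links that cannot carry bw_mbps, then run SPF."""
    return shortest_path(build_graph(links, min_bw=bw_mbps), src, dst)


def primary_next_hops(graph, src, dst):
    """All (ECMP) next hops src uses towards dst."""
    d = spf(graph, src)[dst]
    return {nb for nb, c in graph[src].items() if c + spf(graph, nb)[dst] == d}


def lfa_candidates(graph, s, e, dst):
    """Neighbours N of S other than E satisfying the loop-free inequality
    D(N,dst) < D(N,S) + D(S,dst) (RFC 5286): traffic handed to them never
    comes back to S, so no micro-loop forms."""
    d_s = spf(graph, s)
    out = set()
    for n in graph[s]:
        if n != e:
            d_n = spf(graph, n)
            if d_n[dst] < d_n[s] + d_s[dst]:
                out.add(n)
    return out


def remote_lfa(graph, s, e):
    """P-space, extended P-space, Q-space and PQ nodes for protecting link S-E
    (RFC 7490). N is in X's P-space when no shortest path from X to N can
    traverse S->E, i.e. D(X,N) < D(X,S) + cost(S,E) + D(E,N)."""
    c, d_e = graph[s][e], spf(graph, e)

    def p_space(x):
        d_x = spf(graph, x)
        return {n for n in d_x if d_x[n] < d_x[s] + c + d_e[n]}

    p = p_space(s)
    ext_p = set(p).union(*(p_space(x) for x in graph[s] if x != e))
    # N is in E's Q-space when N reaches E without S->E (costs are symmetric here).
    q = {n for n in d_e if d_e[n] < spf(graph, n)[s] + c}
    return p, ext_p, q, ext_p & q


if __name__ == "__main__":
    print("IGP path R2->R6:", shortest_path(build_graph(TE_LINKS), "R2", "R6"))
    print("CSPF 6 Mbit/s:  ", cspf(TE_LINKS, "R2", "R6", 6))
    ring = build_graph(RING_LINKS)
    print("R3 next hops to R2 (micro-loop):", primary_next_hops(ring, "R3", "R2"))
    print("LFAs at R1 for R1-R2:", lfa_candidates(ring, "R1", "R2", "R2"))
    p, ext_p, q, pq = remote_lfa(ring, "R1", "R2")
    print("P:", p, "extended P:", ext_p, "Q:", q, "PQ (tunnel endpoint):", pq)
```

Note that the plain P-space and Q-space of the ring do not intersect; only the extended P-space (via R3) contributes R6, which is why the repair tunnel from R1 ends at R6 and the packet continues R6-R4-R2.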
in great detail. Network designers should know the pros and cons of the
technologies, protocol alternatives and their capabilities from the design
point of view.
Scalability
  IP FRR: More scalable.
  MPLS TE FRR: Less scalable. Uses RSVP for label distribution and tunnel creation; RSVP is soft state and refreshing the tunnel state is resource intensive.
Working on full mesh
  IP FRR: Works very well, since IP FRR mechanisms need the topology to be highly meshed to find
  MPLS TE FRR: Works very well, because if the constraints are met TE FRR can find an
Link protection
  IP FRR: Yes. MPLS TE FRR: Yes.
Node protection
  IP FRR: Yes. MPLS TE FRR: Yes.
Path protection
  IP FRR: No. MPLS TE FRR: Yes.
Complexity
  IP FRR: Easy. MPLS TE FRR: Complex.
SRLG protection
  IP FRR: No. MPLS TE FRR: Yes.
Maturity
  IP FRR: Very new technology, not commonly used by the industry.
  MPLS TE FRR: Very old technology, used in many ISP, VPN SP, mobile SP and some large enterprise networks for years.
Control plane protocols
  IP FRR: IP; it uses the IPv4 or IPv6 routing control plane only for its operation.
  MPLS TE FRR: The IPv4 routing control plane and RSVP-TE are used as the control plane.
Resource requirement
  IP FRR: Minimum. MPLS TE FRR: Too much.
IPv6 support
  IP FRR: Yes. MPLS TE FRR: No.
Coverage
  IP FRR: Generally bad. If the topology is highly meshed it is good; otherwise finding a repair/alternate path is very hard, and link metrics should be arranged very carefully.
  MPLS TE FRR: It can cover every topology: ring, square, partial mesh and full mesh can be covered 100%.
Load balancing over the backup path
  IP FRR: If there are multiple repair/backup nodes, traffic can be shared between them.
  MPLS TE FRR: If there are multiple repair/backup nodes, multiple tunnels need to be created for load sharing.
Training cost
  IP FRR: Cheap. MPLS TE FRR: Moderate.
Troubleshooting
  IP FRR: Easy. MPLS TE FRR: Hard.
Routing loop
  IP FRR: Finds a node which won't send the traffic back, via reverse SPF. Reverse SPF allows the node to calculate the SPF from its neighbor's point of view; the same concept is used in BGP Optimal Route Reflector placement as well.
  MPLS TE FRR: It uses MPLS in the data plane and receives a label over the protection tunnel. Creating a loop in MPLS is almost impossible.
MPLS TE FRR vs. IP FRR Comparison
Question 1:
Which datacenter interconnect solution is most appropriate for this company and why?
A. OTV
B. LISP
C. EoMPLS
D. TRILL
E. FabricPath
F. VPLS
Answer 1:
The company is looking for a standards-based Layer 2 DCI solution. We know that they are looking for a Layer 2 extension since they have applications that require a non-IP heartbeat.
Since OTV and FabricPath are Cisco-specific solutions, they cannot be used. Also, FabricPath is not recommended for use as a DCI solution.
LISP is not a Layer 2 extension protocol.
EoMPLS could be used, but since the company has a lot of datacenters, it is not scalable.
TRILL is not recommended as a DCI solution.
The best option for the given parameters is VPLS.
Question 2: The company sent their topology, shown below. Is there a solution to minimize the effect on specific VLANs if their DC interconnect switch and the service provider link go down?
Answer 1:
MPLS VPNs and MPLS Traffic Engineering are applications of MPLS; they were not the initial purpose of MPLS. Over time these capabilities were invented and used with MPLS.
MPLS is an encapsulation/tunneling mechanism. It is not a routing protocol, and that is why it is not an alternative to routing protocols.
MPLS provides virtualization with MPLS VPNs, but MPLS VPNs were not the initial purpose of inventing MPLS.
The initial purpose of MPLS was to avoid IP destination-based lookups and increase the performance of routers. Thus the correct answer to this question is 'A'.
Question 2 :
Which of the options below are the characteristics of MPLS Layer 2
VPN service?
A. MPLS Layer 2 VPN allows carrying of Layer 2 information
over service provider backbone.
B. Layer 2 VPN can provide point-to-point type of connectivity
between customer sites.
C. It is used to carry Layer 3 routing information of the
customers over the service providers.
D. It is used for datacenter interconnect.
Answer 2:
MPLS Layer 2 VPNs don't carry Layer 3 routing between the customer sites. All the other options are correct for the MPLS Layer 2 VPN service.
Question 3 :
Which of the below statements describe MPLS Layer 3 VPN service?
A. Service Provider network is transparent to routing of the
customer
B. It offloads routing between sites of the customer to the
Service Provider
Answer 3:
MPLS Layer 3 VPN is a peer-to-peer service. The customer and the service provider are routing peers. The service provider controls the WAN routing of the customer, so the SP network is not transparent to the customer's routing. Customer routing is offloaded to the service provider in MPLS Layer 3 VPN. Thus the correct answer to this question is 'B'.
Network convergence time is not improved with MPLS Layer 3 VPN. In fact, convergence is much better with MPLS Layer 2 VPN.
Service providers can support OSPF as a PE-CE routing protocol, but it is not the most common one. In fact, static routing and BGP are the most common routing protocols with the MPLS Layer 3 VPN service.
Question 4 :
Enterprise Company is using MPLS Layer 3 VPN for their Wide Area
Network connections.
Answer 4:
The correct answer is Point A: EIGRP, Point B: EIGRP+MPLS+IS-IS+MP-BGP+Redistribution+VRF, Point C: MPLS+IS-IS.
The PE router has to support customer routing as well as infrastructure routing. The customer routing protocol for this question is EIGRP. The service provider is using IS-IS.
That is why IS-IS has to be enabled on the PE and P devices.
EIGRP should also run on the PE. A VRF has to be enabled on the PE, and redistribution from EIGRP into IS-IS and from IS-IS into EIGRP is necessary.
MPLS has to be enabled on both PE and P devices.
MP-BGP is only necessary on the PE devices; MPLS VPN removed the need for BGP in the core.
Question 5 :
Which below option depicts Inter-AS MPLS VPNs Option B
deployment?
A.
B.
C.
D.
Answer 5:
Picture A shows Inter-AS MPLS VPN Option A, the back-to-back VRF option.
Picture B is very close to Inter-AS MPLS VPN Option B, but it is not correct, since in Option B the ASBRs between the two ASes have a VPN connection. Picture B shows IPv4+Label; there is no such option in Inter-AS MPLS VPNs.
Picture C shows Inter-AS MPLS VPN Option B. Thus the correct answer to this question is 'C'.
Picture D shows Inter-AS MPLS VPN Option C.
Question 6:
Service Provider Company, due to their customer growth, is re-evaluating their addressing plans. They want to ensure that their Enterprise MPLS Layer 3 VPN customers' address spaces don't overlap on their PE devices.
Which of the options below should SP Company use to avoid overlapping address space from the customers?
Answer 6:
As a network designer, you should always look for the easiest and most elegant option.
NAT could be an option to avoid overlapping address space if that is the requirement, but it would be too complex.
Can you achieve the same result with an alternative technology? You should always ask yourself this question.
Assigning a unique RD value per customer creates different VPN prefixes even when the customer IP addresses are the same. So you can avoid the overlapping address space issue by using different RD values on the PE devices.
The correct answer to this question is Option C.
Question 7:
Enterprise Company has 6 datacenters. Between the datacenters they have non-IP clustering heartbeat traffic. They are looking for a scalable
Answer 7:
The company is looking for a standards-based Layer 2 DCI (Datacenter Interconnect) solution.
We understand that they are looking for a Layer 2 extension, since they have applications which require non-IP heartbeat traffic.
Question 8:
Which option below is correct for Rosen GRE Multicast in the MPLS Layer 3 VPN service?
A. Multicast traffic is carried over GRE tunnels
B. Unicast Traffic is carried over GRE tunnels
C. LDP is used for control plane for Rosen GRE in the Service
Provider network
D. Multicast Traffic is carried over LDP LSP
E. GRE tunnels are created between the customer sites.
Answer 8:
In the Rosen GRE multicast approach, GRE tunnels are created in the service provider network, not in the customer network. Thus Answer E is incorrect.
The customer's multicast traffic is carried over the GRE tunnels of the service provider. LDP is not used for the multicast control plane.
Unicast transport/tunnel LSPs can be used for unicast but not for multicast. Thus the correct answer to this question is 'A'.
Question 9 :
Fictitious Service Provider Company runs MPLS Traffic Engineering
on their network. They protect both MPLS Layer 2 and Layer 3 VPN
service customers with MPLS Traffic Engineering Fast Reroute.
The company has chosen to deploy local protection rather than path
protection, since local protection provides better fast reroute times in
case of failure.
They deployed full-mesh link and node protection LSPs.
Which of the failure scenarios below can the Service Provider cover?
A. PE-CE link failure
B. CE node failure
C. PE node failure
D. P node failure
E. P to P link failure
F. PE to P link failure
Answer 9:
The question states that the company uses MPLS Traffic Engineering
local protection. As explained in the MPLS chapter, the two local
protection mechanisms are link protection and node protection.
Link and node protection cannot protect the PE-CE link, the CE node or
the PE node: the protected LSP terminates on the PE, so there is no backup
LSP that could bypass the tail-end or anything beyond it. Those edge failures
are addressed by BGP PIC Edge, but the question asks specifically about
MPLS Traffic Engineering link and node protection.
P node failure, PE to P link failure and P to P link failure can be
protected with TE FRR backup LSPs, since none of them is an edge failure.
The correct answers are therefore D, E and F.
Question 10:
Which of the options below are used in the MPLS header?
A. 20 bits MPLS label space.
B. Link cost
Answer 10:
Link cost and protocol number are not in the MPLS header.
The MPLS label stack entry (shim header) is 32 bits long and carries the
Label, EXP (now called Traffic Class) and TTL fields plus the Bottom of
Stack (S) bit. The Label field is 20 bits, EXP is 3 bits, S is 1 bit and TTL
is 8 bits.
In the question, Option C shows the TTL field as 12 bits, so that option
is wrong.
The correct answers to this question are A and D.
Question 11:
What are the characteristics of the below topology? (Choose all that
apply)
sites
G. IS-IS is used to advertise MAC addresses between the sites
Answer 11:
To answer this question correctly, you should understand the topology
first. The picture shows a VPLS architecture.
VPLS uses data plane learning: MAC addresses from the customer sites
are learned from the source addresses of received frames, exactly as a
switch does. There is no MAC address advertisement through the control
plane (EVPN does that, VPLS does not).
In the network core, too, MAC addresses are learned through the data
plane. BGP is used in Kompella-style VPLS only for auto-discovery and
pseudowire signalling, never to carry MAC addresses, and IS-IS is not used
for MAC addresses at all.
Spanning tree is not run in the provider core. Instead, split horizon is
applied to the pseudowires: a frame received from one PW is never sent back
out to another PW. That is loop-free only because a full mesh of
point-to-point PWs must exist between the VPN sites.
Question 12:
When designing an IS-IS network with MPLS, when is route leaking
required from Level 2 into the Level 1 sub-domain?
A. If the PE loopback will be carried in BGP
B. If PE devices are in the L1 sub-domain
C. If there is more than one L1-L2 router
D. If there are low-end devices in the L1 sub-domain
Answer 12:
When designing an IS-IS network for MPLS, the problem is that the PE
loopback addresses are not sent into the IS-IS L1 area as specific prefixes.
Internal routers in an L1 area only receive the ATT (Attached) bit from
the L1-L2 router, and the ATT bit is used to install a default route.
For MPLS Layer 3 VPN, the PE devices must be able to reach each other
and the LDP LSP must be set up end to end. LDP binds a label to the exact
IGP prefix (the /32 loopback), not to a default route, so without the /32 in
the L1 area the LSP breaks at the L1-L2 router. Therefore, when PE devices
sit in an L1 sub-domain, the remote PE loopbacks have to be leaked from
Level 2 into Level 1.
Question 13:
Which option below can be used as a PE-CE routing protocol in
MPLS Layer 3 VPN? (Choose all that apply).
A. IS-IS
B. BGP
C. PIM
D. HSRP
E. OSPF
F. Static Route
Answer 13:
PIM and HSRP are not routing protocols; they cannot be used as the
PE-CE routing protocol in the context of MPLS Layer 3 VPNs.
OSPF, IS-IS, RIP, EIGRP, BGP and static routing are all supported as
MPLS VPN PE-CE routing protocols in theory. In practice, most Service
Providers offer only static routing and BGP.
But the question asks which protocols can be used!
Thus the correct answers to this question are 'A', 'B', 'E' and 'F'.
Question 14:
In an MPLS VPN, which of the options below is correct if unique/
different RDs and the same RT are configured on the PE devices for a
particular VPN?
A. Routes are rejected by the remote PEs.
B. Routes are accepted by the remote PEs and don't consume
extra resources.
C. Routes are accepted by the remote PEs and consume extra
resources.
D. They cannot be sent from the local PE, since RD and RT
should be the same across PE devices in a particular VPN.
Answer 14:
For a particular VPN, different RD and RT values can be configured.
The local PEs advertise the routes and the remote PEs accept them.
But the routes consume extra resources on the PEs (and on the route
reflectors), since they are different VPN prefixes: when the RD is prepended
to the IPv4 prefix, a VPNv4 prefix is created, and different RDs create
different VPNv4 prefixes for the same customer route. Thus the correct
answer to this question is 'C'.
Question 15:
What is the reason for using a unique/different RD per VRF per PE in
an MPLS VPN environment?
A. It is not good practice to use unique RD per VRF per PE.
B. It is used to send different VPN prefix to the VPN RR
C. It is used to send same VPN prefix to the VPN RR
D. It is used for scalability purpose
Answer 15:
Unique RD is a common approach in MPLS VPN environments.
It is a best practice because with a unique RD per VRF per PE, the VPN
RR (Route Reflector) receives more than one distinct VPNv4 prefix, and so
more than one BGP next hop, for a multi-homed VPN site. BGP best-path
selection runs per prefix, so the RR reflects all of them instead of only its
single best path, and the remote PEs receive more than one path from the
VPN RR.
These paths can be used for hot potato (optimal) routing, fast reroute
(BGP PIC) and multipath purposes.
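The RD mechanics behind Questions 6, 14 and 15 can be checked with a short script. The following is an added example, not code from the book: it builds VPNv4 NLRI keys the way RFC 4364 defines them (RD types 0, 1 and 2; NLRI length = 64 + IPv4 prefix length) and runs them through a toy BGP table and route reflector. The routes, AS 65000 and the PE loopbacks in 192.0.2.0/24 are constructed for illustration. It shows that identical customer prefixes with different RDs become distinct VPNv4 routes, that the RT (not the RD) decides what a VRF imports, and that a route reflector in front of a dual-homed site can reflect both next hops only when each PE uses its own RD.

```python
"""VPNv4 route keys: how the Route Distinguisher keeps overlapping customer
prefixes apart and how RD choice changes what a route reflector can reflect.
Added example for this chapter; the encoding follows RFC 4364, the routes
and addresses below are constructed for illustration."""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode an RD given as 'ASN:nn' (type 0), 'A.B.C.D:nn' (type 1) or
    '4-byte-ASN:nn' (type 2, plain decimal ASN > 65535) into its 8 octets."""
    admin, number = rd.rsplit(":", 1)
    num = int(number)
    if "." in admin:                      # type 1: IPv4 administrator field
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), num)
    asn = int(admin)
    if asn <= 0xFFFF:                     # type 0: 2-byte AS, 4-byte number
        return struct.pack("!HHI", 0, asn, num)
    return struct.pack("!HIH", 2, asn, num)  # type 2: 4-byte AS, 2-byte number


def vpnv4_nlri(rd: str, prefix: str) -> bytes:
    """VPNv4 NLRI without the label: length (64 + IPv4 length), RD, prefix."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    octets = (net.prefixlen + 7) // 8
    return bytes([64 + net.prefixlen]) + encode_rd(rd) + net.network_address.packed[:octets]


def build_table(routes):
    """Install (rd, prefix, route_target, next_hop) tuples into a BGP table
    keyed by VPNv4 NLRI. Same RD + same prefix => one NLRI with several paths;
    different RDs => separate NLRIs even for byte-identical IPv4 prefixes."""
    table = {}
    for rd, prefix, rt, nh in routes:
        table.setdefault(vpnv4_nlri(rd, prefix), []).append(
            {"prefix": prefix, "rt": rt, "nh": nh})
    return table


def reflect(table):
    """A route reflector runs best-path per NLRI and reflects exactly one
    path per NLRI to its clients; the first path stands in for its best path."""
    return {key: [paths[0]] for key, paths in table.items()}


def vrf_import(table, import_rt):
    """Routes a VRF importing `import_rt` installs: the RT, not the RD,
    controls import, so overlapping prefixes under other RTs never leak in."""
    return sorted((p["prefix"], p["nh"]) for paths in table.values()
                  for p in paths if p["rt"] == import_rt)


def overlapping_customers():
    """Question 6: two customers on the same PE both use 10.1.1.0/24."""
    table = build_table([
        ("65000:1", "10.1.1.0/24", "65000:1", "192.0.2.1"),   # customer 1 VRF
        ("65000:2", "10.1.1.0/24", "65000:2", "192.0.2.1"),   # customer 2 VRF
    ])
    return len(table), vrf_import(table, "65000:1")


def dual_homed_site(unique_rd_per_pe: bool):
    """Questions 14/15: one site advertising 172.16.0.0/16 through PE1 and
    PE2 with the same RT; the RD policy decides how many paths the RR reflects."""
    rd_pe1 = "65000:1"
    rd_pe2 = "192.0.2.2:1" if unique_rd_per_pe else "65000:1"   # PE2 loopback:nn
    table = build_table([
        (rd_pe1, "172.16.0.0/16", "65000:1", "192.0.2.1"),
        (rd_pe2, "172.16.0.0/16", "65000:1", "192.0.2.2"),
    ])
    from_rr = reflect(table)
    return {"vpnv4_routes": len(table),
            "rr_next_hops": sorted({p[0]["nh"] for p in from_rr.values()}),
            "remote_vrf_paths": len(vrf_import(from_rr, "65000:1"))}


if __name__ == "__main__":
    print(overlapping_customers())
    print(dual_homed_site(unique_rd_per_pe=False))
    print(dual_homed_site(unique_rd_per_pe=True))
```

With a shared RD the RR holds one VPNv4 route with two paths and reflects only one next hop; with a per-PE RD (the PE loopback as the type 1 administrator, a common convention) it holds two routes and the remote VRF receives two paths, which is the extra state of Question 14 and the path diversity of Question 15.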
Question 16:
European Service Provider Company recently acquired smaller
Service provider in Dubai. They want to merge two MPLS VPN via the
Internet.
They want solution to be deployed very quickly so they can start
utilizing end-to-end MPLS service for their customer.
Which below technologies can satisfy all the given requirements
above?
A. MPLS over GETVPN
B. MPLS over GRE
C. MPLS VPWS
D. MPLS VPLS
E. MPLS over L2TPv3
F. MPLS over IPv6
Answer 16:
The two important points in this question are that the solution must run
over the Internet and must be deployed quickly.
GETVPN cannot run over the Internet because of IP header preservation:
the original (private) IP header is kept as the outer header, so the packets
are not routable across the Internet. MPLS over GETVPN cannot be an answer.
Plain IPv6 is not a tunneling mechanism; MPLS would still need GRE,
L2TPv3 or similar on top of it. Thus MPLS over IPv6 is not an answer.
VPWS and VPLS could be set up if the two service providers deployed a
long-haul link between their core devices, but that is not an Internet-based
solution and takes too long to provision.
The only remaining solutions that run over the Internet and are quickly
deployable are MPLS over GRE and MPLS over L2TPv3.
Question 17:
What are the two possible options to create an MPLS Layer 2 VPN
pseudowire?
A. Martini Draft, LDP signalled pseudowires
B. Segment Routing
C. BGP EVPN
D. Rosen GRE Draft
E. Kompella Draft, BGP signalled pseudowires
Answer 17:
The two methods to create MPLS Layer 2 VPN pseudowires are the
Kompella and Martini methods.
As explained in the MPLS chapter, the Kompella method uses BGP for
pseudowire signalling and LDP for the transport LSP. The Martini method
uses LDP for both pseudowire signalling and the transport LSP.
Rosen GRE is a multicast application on MPLS VPN networks and is
not used for Layer 2 VPN.
BGP EVPN is used to advertise customer MAC address information
between the PEs, so it provides MPLS Layer 2 VPN as well. But since the
question asks about MPLS Layer 2 VPN pseudowire creation and
Question 18:
Which of the options below are correct for MPLS-TP (MPLS Transport
Profile) as a transport mechanism? (Choose all that apply)
A. MPLS TP requires routing control plane
B. MPLS TP requires Penultimate Hop Popping
C. MPLS TP is a newer packet transport mechanism which
replaces SONET/SDH
D. MPLS TP brings extra OAM capability to MPLS OAM.
E. MPLS TP benefits from ECMP (Equal Cost Multi Path) for
better link utilization
F. MPLS TP uses Label 13 (GAL) for OAM purpose
Answer 18:
MPLS-TP, as explained in the MPLS chapter, is a newer packet
transport mechanism that replaces SONET/SDH. Today there are many
Question 19:
Enterprise Company receives an MPLS Layer 2 VPN service from the
Service Provider. Enterprise topology is Hub and Spoke.
With which devices do the Enterprise spoke routes form an IGP
adjacency?
A. Hub CE Routers
B. Other Spoke CE routers
C. Hub PE routers
D. Spoke PE routers
Answer 19:
The question checks whether you know MPLS Layer 2 VPN behavior.
In an MPLS Layer 2 VPN the PEs only carry the customer's Ethernet
frames, so the CE routers form IGP adjacencies with each other, not with
the PE routers.
Thus options C and D are wrong.
Also, since the question states that the company's topology is hub and
spoke, the spokes should not form IGP adjacencies with each other.
That's why the answer to this question is 'A', Hub CE routers.
Question 20:
Which of the options below are results of having MPLS in the
network? (Choose all that apply)
A. BGP Free Core
B. Hiding service specific information (customer prefixes, etc.)
from the core
Answer 20:
MPLS removes the need for BGP in the core. P devices do not know the
customer information; they keep neither Layer 2 nor Layer 3 information
of the customer. This provides scalability for the core, but it is not enough
to say that the overall scalability of the network increases with MPLS.
If the question said scalability of the core, it could be correct.
MPLS does not bring security by default: an MPLS VPN separates the
customers' traffic and routing tables, but it provides no confidentiality or
integrity for the packets. If encryption is needed, IPsec should run on top of
it; the best IPsec solution for MPLS VPNs is GETVPN, since it provides
excellent scalability.
Without MPLS, the network could converge fast as well. MPLS TE
FRR is a fast reroute mechanism that can provide sub-200 ms data plane
convergence for MPLS-encapsulated traffic, but the same data plane fast
reroute can be provided with IP FRR mechanisms such as LFA, Remote
LFA or Topology Independent LFA.
Thus the correct answers to this question are A, B and C.
Question 21:
If a customer wants to carry Layer 2 traffic with encryption, which of
the options below can be chosen?
A. VPLS
B. EoMPLS
C. GET VPN
D. MACsec 802.1AE
E. IPSEC
F. L2tpv3
Answer 21:
The question asks for a technology that provides Layer 2 VPN and
encryption.
VPLS, EoMPLS and L2TPv3 provide Layer 2 VPN service across a
Layer 3 infrastructure. VPLS and EoMPLS do this with MPLS; L2TPv3
does not require MPLS and accomplishes it over IP.
None of them encrypts the customer frames by itself. GET VPN and IPsec
encrypt IP packets and do not by themselves carry Layer 2 frames; L2TPv3
or EoMPLS traffic can be protected by running IPsec on the underlay, but
then IPsec, not the Layer 2 VPN technology, provides the encryption.
MACsec (802.1AE) is the only option that natively encrypts Layer 2
frames, hop by hop on the link.
Thus the only correct answer to this question is 'D', MACsec.
Question 22:
Which of the options below can be used to extend VRFs across a
campus network if there are not many VRFs? (Choose all that apply)
A. 802.1q Trunk
B. GRE tunnels
C. CDP
D. RSVP-TE
E. LDP LSPs
Answer 22:
If there are not many VRFs, there is no scalability concern; LDP LSPs
(MPLS in the campus) would be justified only with a large number of VRFs.
Since a small number of VRFs is given as the requirement, the best and
easiest options are 802.1q trunks (VRF-lite, one VLAN/sub-interface per
VRF on every hop) and GRE tunnels (one tunnel per VRF between the
VRF-aware devices) to carry the VRFs across a campus network. CDP and
RSVP-TE carry no VRF traffic at all.
Question 23:
Which of the options below are correct for Inter-AS MPLS VPN
Option A?
A. It provides the most flexible QoS deployment compared to the
other Inter-AS MPLS VPN options.
B. It is the least secure Inter-AS option.
Answer 23:
Inter-AS Option A provides the most flexible QoS deployment, since
there is a separate (sub-)interface per customer between the ASBRs. It is
the most secure Inter-AS option, since no label or routing information about
other customers is shared between the Autonomous Systems; each VRF is
handed off as plain IP.
It is the least scalable option, since it requires per-customer
configuration on the ASBRs, and the ASBRs keep full customer routing
tables, far more state than in the other Inter-AS VPN options.
The Inter-AS MPLS VPN comparison charts in the MPLS chapter give
detailed pros and cons of each method.
Question 24:
Enterprise Company is using OSPF on their network and has Frame
Relay transport. They want to receive MPLS VPN service as well and
continue with OSPF as the PE-CE protocol. They have received a good
SLA for the MPLS VPN service from the Service Provider, so they want
to use the MPLS VPN link for all their traffic.
Which feature should the MPLS VPN Service Provider enable to
ensure that in steady state the MPLS VPN link is always used?
A. OSPF Super backbone
B. OSPF Sham link
C. OSPF Virtual link
D. MP-BGP (Multi Protocol BGP)
E. Multi area OSPF
Answer 24:
As explained in the MPLS chapter, when OSPF is used as the PE-CE
routing protocol and a backdoor link exists between the sites, the backdoor
link is preferred unless the Service Provider sets up an OSPF sham link.
Routes learned across the MPLS VPN are re-originated by the remote PE as
inter-area routes, while the backdoor link carries intra-area routes, and
OSPF always prefers intra-area routes. The sham link is an intra-area link
between the PEs across the VPN backbone, so the MPLS path becomes
intra-area as well and wins on cost.
When OSPF is used as a PE-CE protocol, the service provider backbone
is called the super backbone, but that is unrelated to the question. The only
way to ensure that the MPLS VPN link is used as the primary link is the
OSPF sham link, Option B.
Question 25:
Which of the terms below are used to define the label that provides
reachability from one PE to another PE in MPLS networks? (Choose all
that apply)
A. Topmost Label
B. Transport Label
C. Outer Label
D. VC Label
E. VPN Label
F. Tunnel Label
Answer 25:
Topmost label, transport label, outer label and tunnel label all describe
the label that provides the end-to-end LSP between the PE devices, and
they are used interchangeably since they mean the same thing. The VC label
and the VPN label are the inner (bottom-of-stack) service labels that
identify the customer pseudowire or VRF prefix on the egress PE, so they
are not part of the answer.
On top of this PE-to-PE reachability, MPLS Layer 2 and Layer 3 VPNs
and MPLS Traffic Engineering tunnels are built. The correct answers are A,
B, C and F.
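The header layout from Question 10 and the label roles from Question 25 can be made concrete with a small packer/parser. This is an added example, not code from the book; it implements the RFC 3032 label stack entry (20-bit label, 3-bit TC/EXP, S bit, 8-bit TTL), walks a stack until the bottom-of-stack bit and names each label's role. The two-label L3VPN stack it builds (transport label 24000 over VPN label 16) and the trailing byte standing in for the payload are constructed, not captured.

```python
"""MPLS label stack entries (RFC 3032): pack/unpack the 32-bit shim header
and name the role of each label in a stack. Added example for Questions 10
and 25; the sample stack built below is constructed, not captured."""
import struct

RESERVED_LABELS = {
    0: "IPv4 Explicit NULL", 1: "Router Alert", 2: "IPv6 Explicit NULL",
    3: "Implicit NULL (never on the wire)", 7: "Entropy Label Indicator",
    13: "GAL (Generic Associated Channel Label, used by MPLS-TP OAM)",
    14: "OAM Alert",
}


def pack_label_entry(label: int, tc: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """Label (20 bits) | TC/EXP (3 bits) | S (1 bit) | TTL (8 bits) = 32 bits.
    Rejects values that do not fit, e.g. the 12-bit TTL of the wrong option."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 1 << 3:
        raise ValueError("TC/EXP must fit in 3 bits")
    if not 0 <= ttl < 1 << 8:
        raise ValueError("TTL must fit in 8 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def unpack_label_entry(data: bytes) -> dict:
    """Inverse of pack_label_entry for the first four octets of `data`."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 0x1), "ttl": word & 0xFF}


def parse_label_stack(data: bytes):
    """Walk entries until the S bit is set. Returns (entries, payload_offset).
    A stack that ends without S=1 is truncated and rejected."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack truncated before bottom of stack")
        entry = unpack_label_entry(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, offset


def label_roles(entries) -> list:
    """Name each label: the topmost label of a multi-label stack is the
    transport/outer/tunnel label that carries the packet PE to PE; the
    bottom-of-stack label is the service (VPN or VC) label the egress PE uses
    to pick the VRF or pseudowire; anything in between is a nested tunnel
    label (e.g. an LDP label carried inside a TE tunnel). Reserved labels
    (0-15) are reported by name."""
    roles = []
    for i, e in enumerate(entries):
        if e["label"] in RESERVED_LABELS:
            roles.append("reserved: " + RESERVED_LABELS[e["label"]])
        elif i == 0 and len(entries) > 1:
            roles.append("transport (topmost/outer/tunnel) label")
        elif e["bos"]:
            roles.append("service (VPN/VC) label")
        else:
            roles.append("intermediate tunnel label")
    return roles


def build_l3vpn_stack(transport_label: int, vpn_label: int, ttl: int = 255) -> bytes:
    """The two-label stack an ingress PE imposes on an L3VPN packet."""
    return (pack_label_entry(transport_label, ttl=ttl)
            + pack_label_entry(vpn_label, bos=True, ttl=ttl))


if __name__ == "__main__":
    stack = build_l3vpn_stack(24000, 16)
    entries, payload_at = parse_label_stack(stack + b"\x45")  # constructed: IPv4 header follows
    for e, role in zip(entries, label_roles(entries)):
        print(e, role)
    print("payload starts at octet", payload_at)
```

Note that the parser only trusts the S bit to find the payload; a P router never looks past the top entry, which is exactly why the core needs no knowledge of the service label underneath.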
Question 26:
Which of the attributes below are carried in link state protocol messages
in MPLS Traffic Engineering for constraint-based path computation?
(Choose all that apply)
A. Link bandwidth
B. Link delay
C. Link utilization
D. Link jitter
E. Link affinity/color
Answer 26:
For constraint-based computation, the link's maximum reservable
bandwidth and the unreserved bandwidth per priority level (from which the
used bandwidth follows) are carried in the routing protocol messages. OSPF
does this with Type 10 Opaque LSAs (the TE LSA); IS-IS carries it in
sub-TLVs of TLV 22 (extended IS reachability), alongside the wide-metric
prefix TLV 135.
Link delay and jitter are not carried by classic RSVP-TE (the later TE
metric extensions in RFC 7471 and RFC 8570 add measured delay and loss,
but they are not part of the original constraint set). Link affinity
(administrative group, a.k.a. coloring) is carried, as is the separate Shared
Risk Link Group (SRLG) attribute; with them, links that share the same fiber
conduit, transport equipment or even the same building can be avoided and
disjoint LSPs can be set up.
Link utilization is data plane information and is not carried in the TED.
Routers can act locally and resize the LSP when the utilization on the
tunnel increases, by configuring the 'Auto-bandwidth' feature, but link
Question 27:
Which of the options below provide control plane MAC address
advertisement for MPLS Layer 2 VPNs?
A. EVPN
B. VPLS
C. EoMPLS
D. BGP L3VPN
E. PBB EVPN
F. VXLAN EVPN
Answer 27:
Only EVPN advertises Layer 2 MAC addresses through the control
plane (BGP). VPLS and EoMPLS build the Layer 2 VPN with data plane
learning. PBB-EVPN advertises only the backbone (B-MAC) addresses in
BGP and still learns the customer MACs in the data plane, and VXLAN
EVPN is an IP overlay, not an MPLS Layer 2 VPN.
BGP L3VPN is used for Layer 3 prefixes, not for MAC addresses.
Question 28:
What are the requirements to run MPLS Traffic Engineering in the
network with constraint-based SPF?
A. Extensions to routing protocols
B. RSVP
C. LDP
D. BFD
E. BGP
Answer 28:
MPLS Traffic Engineering can be enabled either in a distributed or in a
centralized manner.
If the TE LSPs are computed at a central location with offline MPLS
TE tools, link state routing protocol extensions are not required and CSPF
is not used either.
If there is no offline tool to compute the MPLS TE paths, the routers
must run a link state routing protocol with TE extensions and CSPF
(Constrained SPF) must be enabled. CSPF reads the TED (Traffic
Engineering Database), which is populated by those routing protocol
extensions.
Also, RSVP has to be enabled on every link on which MPLS TE is
required.
Since the question says that TE will be used with constraint-based SPF,
we need routing protocol extensions, and only OSPF and IS-IS provide
them.
LDP, BGP and BFD are not required to run MPLS TE, though BFD can
help with fast failure detection.
The correct answers to this question are A and B.
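To make the CSPF of Questions 26 and 28 tangible, the following added example (not code from the book) runs a constrained SPF over a toy Traffic Engineering Database. The TED holds only what the IGP TE extensions advertise: TE metric, unreserved bandwidth, administrative group (affinity) and SRLG; there is deliberately no utilization field. The five-node topology, the colour names RED and BLUE and the SRLG "conduit-1" are constructed for illustration. It shows the IGP-shortest path losing to a longer one when bandwidth, affinity or SRLG constraints prune it, and that an RSVP-TE reservation only consumes bandwidth in the tunnel's direction.

```python
"""Constrained SPF over a Traffic Engineering Database. Added example for
Questions 26 and 28: the TED carries only attributes that the IGP TE
extensions flood (TE metric, reservable/unreserved bandwidth, admin group,
SRLG). Utilization is not flooded, so it is not a field here. The
four-node topology below is constructed for illustration."""
import heapq
from dataclasses import dataclass, replace

RED, BLUE = 0x1, 0x2       # admin-group (affinity) bits; colour names are assumed


@dataclass(frozen=True)
class TeLink:
    src: str
    dst: str               # TE links are advertised per direction
    te_metric: int
    unreserved: float      # Mbps still reservable (single priority level here)
    admin_group: int = 0   # 32-bit affinity bitmask
    srlg: frozenset = frozenset()


def link(a, b, metric, bw, group=0, srlg=()):
    """Both directions of a bidirectional link, each with its own reservation state."""
    return [TeLink(a, b, metric, bw, group, frozenset(srlg)),
            TeLink(b, a, metric, bw, group, frozenset(srlg))]


# IGP-shortest A-B-D (cost 20) is thin and RED; A-C-D (cost 30) is fat and BLUE.
TED = (link("A", "B", 10, 100, RED, {"conduit-1"}) +
       link("B", "D", 10, 100, RED, {"conduit-1"}) +
       link("A", "C", 15, 1000, BLUE) +
       link("C", "D", 15, 1000, BLUE))


def admissible(l, bw, include_any=0, exclude_any=0, avoid_srlg=frozenset()):
    """Prune links that violate the tunnel's constraints before running SPF."""
    if l.unreserved < bw:
        return False
    if exclude_any and l.admin_group & exclude_any:
        return False
    if include_any and not l.admin_group & include_any:
        return False
    return not (l.srlg & avoid_srlg)


def cspf(ted, src, dst, bw, include_any=0, exclude_any=0, avoid_srlg=frozenset()):
    """Dijkstra on TE metric over the admissible links only.
    Returns (path, cost), or None when no path satisfies the constraints."""
    adj = {}
    for l in ted:
        if admissible(l, bw, include_any, exclude_any, avoid_srlg):
            adj.setdefault(l.src, []).append(l)
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, n = heapq.heappop(heap)
        if n == dst:
            break
        if d > dist[n]:
            continue
        for l in adj.get(n, []):
            nd = d + l.te_metric
            if nd < dist.get(l.dst, float("inf")):
                dist[l.dst], prev[l.dst] = nd, n
                heapq.heappush(heap, (nd, l.dst))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def reserve(ted, path, bw):
    """RSVP-TE reservation along a unidirectional path: unreserved bandwidth
    drops only on the links in the tunnel's direction, never on the reverse."""
    hops = set(zip(path, path[1:]))
    return [replace(l, unreserved=l.unreserved - bw) if (l.src, l.dst) in hops else l
            for l in ted]


def srlg_of(ted, path):
    """SRLGs used by a path, so a second LSP can be kept disjoint from it."""
    hops = set(zip(path, path[1:]))
    return frozenset().union(*(l.srlg for l in ted if (l.src, l.dst) in hops))


if __name__ == "__main__":
    print(cspf(TED, "A", "D", 50))                     # IGP-shortest A-B-D
    print(cspf(TED, "A", "D", 500))                    # bandwidth forces A-C-D
    print(cspf(TED, "A", "D", 50, exclude_any=RED))    # affinity forces A-C-D
    primary, _ = cspf(TED, "A", "D", 50)
    after = reserve(TED, primary, 80)
    print(cspf(after, "A", "D", 50))                   # A->B has 20 Mbps left
    print(cspf(after, "D", "A", 50))                   # reverse direction untouched
    print(cspf(TED, "A", "D", 50, avoid_srlg=srlg_of(TED, primary)))  # disjoint backup
```

The pruning step is the whole difference between SPF and CSPF: the head-end first discards every link in the TED that cannot satisfy the tunnel's bandwidth, affinity and SRLG constraints, then runs ordinary Dijkstra on the TE metric over what is left. Because the TED is refreshed only by IGP flooding, the calculation knows the reserved bandwidth but not the measured load, which is the point of Question 26's utilization option.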
Question 29:
Service Provider creates a network design that runs MPLS in its WAN
backbone, using IS-IS as the infrastructure IGP routing protocol.
What would be two effects of additionally implementing MPLS-TE?
(Choose all that apply)
A. For the sub second convergence MPLS TE FRR is required
B. MPLS Traffic Engineering and IS-IS cannot be used together
C. MPLS Traffic Engineering overcome the problems in Multi
Level IS-IS design
D. MPLS Traffic Engineering is required to create backup path
independently from the IS-IS
E. To route different MPLS QoS classes through different
path, MPLS Traffic Engineering is required
Answer 29:
For sub-second convergence MPLS Traffic Engineering is not required
when the IGP is IS-IS; IS-IS can be tuned to converge in well under a
second, as shown in the IS-IS chapter. Option A is incorrect.
MPLS Traffic Engineering works best with IS-IS and OSPF, thus
Option B is incorrect.
MPLS Traffic Engineering does not solve the traffic engineering problem
of multi-level IS-IS; it actually creates one, because MPLS TE requires
topology information and in a multi-level IS-IS design topology information
is not passed between levels. Thus Option C is incorrect as well.
MPLS Traffic Engineering allows a backup path to be used independently
of the IGP shortest path, as explained with the fish diagram in the MPLS
chapter.
Also, different MPLS QoS classes can be routed over different paths
with MPLS Traffic Engineering at the head-end router.
The correct answers to this question are D and E.
Question 30:
Enterprise Company wants to upgrade their legacy Frame Relay WAN
circuits to MPLS. Based on the migration steps below, can you choose the
Answer 30:
In migration questions, the first step should be choosing the transit
site. For some period of time that site will have both Frame Relay and
MPLS VPN connections.
The second step should be arranging a new circuit at the transit site and
configuring the required protocol there.
After that, the remote site circuits can be enabled and configured one by
one. The MPLS service is preferred over the legacy service. A migrated
site reaches the sites that have not yet been migrated through the transit
site.
QoS and security operations are done after the routing protocol
configuration at the remote site.
When one site is finished, its legacy circuit is removed and the next
remote site's provisioning starts.
When all the remote sites have been migrated to MPLS, the transit site's
legacy circuit is removed as well.
Chapter 12
CCDE Practical Scenario
SpeedNet Telecom
Background Documentation
SpeedNet Background Information
SpeedNet Telecom is a US Service Provider company founded in 1990.
The company started its business with residential wireline dial-up
customers. In the beginning they had a metropolitan wireless infrastructure
in rural areas. When broadband became mainstream, they started to deploy
DSLAMs in every major city throughout the U.S.
At the beginning of 2000, SpeedNet started to deliver Metro Ethernet
service as well. They deployed 1000 CPE devices throughout the U.S. and
started to provide MPLS VPN services for business customers. They have
upgraded their core backbone uplinks twice in the past. Although inside the
POPs they have 10Gbps and 40Gbps uplinks, all their POPs are connected
through a minimum of 2x10Gbps.
network, since they rely on a 50% rule on their core network: if any of
the redundant links fails, the remaining link does not become congested.
When the overall bandwidth requirement exceeds 50% of the link capacity,
they upgrade the link capacity.
Their IGP is flat IS-IS L1. They run BGP as the external protocol, and
they also provide only BGP as the PE-CE protocol to their MPLS L3 VPN
customers, due to the corporate network security policy and the
operational challenges with other protocols.
Services provided to clients:
Residential Internet Access
L3VPN for Business Customers
L2VPN VPLS for Business Customers
L2VPN VPWS for Business Customers
MPLS NNI (Inter-AS connections with some providers)
Metropolitan Wireless
SpeedNet is using a TCP-based, home-built application as their CRM.
It is very sensitive to any kind of delay and drops.
There is also a billing system that primarily uses IPFIX to communicate
with the networking hardware, and their corporate file exchange protocol is
NFS.
SpeedNet currently doesn't have Multicast on their network, but all
their Layer 2 switches support IGMP and MLD snooping, and their routers
support all Multicast routing protocols.
Full-mesh GRE tunnels over the Internet connect all the smaller SPs that
Hypercom acquired.
Hypercom uses single-area OSPF in their network. Their network is
very stable and they don't have any resource issues with their routers.
They have no plan to design a multi-area OSPF.
They did an IPv6 readiness assessment last year and checked whether
all their IPv4 features are supported by their IPv6 software and hardware;
their networking and application teams are fully ready for IPv6.
So far Hypercom has provided only Internet service to their residential
broadband customers.
SpeedNet Telecom Core Network Diagram
Email 1
As we mentioned previously, Hypercom made three acquisitions a
few years ago. Unfortunately, they could not keep their promises to their
main investors, so they have just sold the company to SpeedNet. The two
networks will be merged, but the first thing to do is to analyze which kind
of information we are still missing before we proceed with merging the
SpeedNet and Hypercom networks.
Some POPs and datacenters may not be needed when the merge of the
two networks is completed, because Hypercom POP and DC operational
costs are too low compared to SpeedNet's.
Our main concern and top priority is that the merged network should be
able to serve all current SpeedNet MPLS customers.
Answer 1:
IP address information is already provided in the background
documentation; that's why you shouldn't ask for it again.
In the CCDE exam, if information has already been provided, you can't
ask for it again. This is an analyze-the-design type of question.
IGP routing is given as IS-IS flat Level 1, so you don't need to
Answer 2:
Hypercom's IPv4 addressing scheme is not provided; in order to
understand whether there is a conflict in the merged network, we need to
learn Hypercom's IP addressing.
IGP routing information was provided, so you cannot ask for it again.
The BGP architecture should be learned as well. We don't know how their
internal and external BGP are set up: do they have full-mesh IBGP, a Route
Reflector design or a Confederation?
Email 2
This is some of the information we have been able to get for you:
• SpeedNet's BGP architecture is a single AS. Each POP location has
separate BGP RRs for Internet and VPN services.
• We decided to continue with the existing POPs and DCs for now. In
the future we can reevaluate, but currently we will not redesign any
physical location.
• Hypercom's backbone uplinks between the POPs are 2x10G links. They
are considering connecting the POPs via direct links, since there is too
much overhead with GRE tunnels and they don't want to see GRE
tunnels on their network.
• Hypercom is using the 10.10.0.0/16, 10.0.0.0/16, 172.16.0.0/18 and
172.22.0.0/16 IP addressing blocks.
• Hypercom currently has full-mesh IBGP peering.
Answer 3:
There is no known problem with the current IS-IS design. A detailed
answer will be provided in the subsequent answers.
Answer 5:
There is no need currently. SpeedNet's main concern and top priority
is to extend their MPLS services, as given in the initial background
information.
Providing Inter-AS MPLS VPN services does not require a common
IGP, although a common IGP would provide additional benefits, especially
in an MPLS network. That can be decided after the first phase of the merge;
right now there is no need.
Answer 6:
The classical problem of the BGP Route Reflector is path visibility. If
there is more than one exit point from the domain for the same prefix, the
BGP RR selects the best path from its own point of view and sends only
that path to all its RR clients.
That's why Option A is one of the correct answers. A smaller number of
total paths may cause sub-optimal routing from some BGP RR clients, thus
Option E is the other correct answer.
A BGP RR does not put an additional burden on the control plane; it
actually removes the load of the full-mesh IBGP design.
BGP Route Reflector placement, best practices and design
recommendations were explained in the BGP chapter of the book.
That's why the answer to this question is A and E.
Answer 7:
Except for BGP PIC, all the options are used to send more than one BGP
path to a BGP speaker. For BGP PIC to function properly, one of the other
options is used to provide the additional path.
In the exam they don't ask 'Choose all that apply'; instead they ask
'Choose two', 'Choose three' and so on. The number of options they want
will be given.
Additional information: in an MPLS VPN network, using a unique RD
per PE provides the same functionality. That's why, to send more than one
path for a given customer prefix, a unique RD per PE is the best option in
an MPLS VPN network.
Email 3
One of our customers asked us about the best way to provide
connectivity between their HQ and the remote sites. Could you help us
out?
8. Please fill in the table below
Answer 8:
In the exam you will not fill in blanks. Instead, they may provide you an
already filled table and you choose the correct option, or you select the
correct option from a drop-down menu.
Email 4
Answer 10:
Use tactical MPLS Traffic Engineering. Their problem is the routing
metric: they cannot use their free capacity, because IGP routing protocols
only choose the shortest path.
You don't need QoS, GRE tunnels, PBR and so on. If the IGP metrics are
carefully chosen and there are still links that are not used, MPLS Traffic
Engineering allows you to utilize the available bandwidth efficiently.
The strategic and tactical MPLS Traffic Engineering approaches were
explained in detail in the MPLS chapter.
11. What about permanent solution?
Answer 11:
Use strategic MPLS Traffic Engineering. Since it seems that they
cannot use their available uplinks because the IGP only utilizes the shortest
path, strategic MPLS Traffic Engineering helps them in the long term to
provide guaranteed services and better capacity usage.
Details of the strategic and tactical MPLS Traffic Engineering
approaches were provided in the MPLS chapter of the book.
In order to understand why tactical MPLS Traffic Engineering has
been chosen as the short-term and strategic MPLS Traffic Engineering as
the long-term solution, please read the MPLS Traffic Engineering section
of the MPLS chapter.
Email 5
It seems that the MPLS Traffic Engineering strategic approach can
provide us better capacity management. Can you help us set up MPLS
Traffic Engineering on our network?
We will also have a series of questions for you regarding MPLS Traffic
Engineering. We have also been told to provide QoS all across the
new network within the next couple of months. We need your expert
recommendations.
Answer 12:
LDP, MP-BGP, VRFs and send-label (BGP + label, RFC 3107) are
not required for MPLS Traffic Engineering; RSVP-TE signals the tunnel
labels itself.
MPLS TE tunnels are unidirectional. If traffic is to be placed into MPLS
TE tunnels in both directions, a tunnel must be created in each direction.
The answer to this question is options B, D, E and G.
Email 6
We created MPLS tunnels; RSVP and the other necessary extensions
are in place, but unfortunately our traffic doesn't go through the TE
tunnels.
Once you help us get the traffic into the MPLS TE tunnels, one
little thing will be left.
IntServ and DiffServ QoS. As a company policy, we allow YouTube and
gaming applications, but we prefer to limit this traffic on our network.
Yes, productivity is good, but we are selling our bandwidth capacity, as
you know!
Answer 13:
If Multicast were set up in the network and unicast traffic passed
over the TE tunnels, Multicast could follow it. But SpeedNet doesn't say
that they have a problem with Multicast; actually they haven't said anything
about Multicast yet.
A TE tunnel does not have to be advertised into the IGP as a link for
the IGP to use it. Forwarding adjacency does advertise the tunnel as a link,
so that other routers include it in their SPF, and it could be one of the
solutions for getting traffic into the tunnel; but since Option C says that
'TE tunnel links must be advertised into the IGP protocol', the statement is
wrong.
Even if SpeedNet doesn't create the reverse unidirectional tunnel, traffic
would follow the MPLS TE tunnel in one direction and the return traffic
would follow the IGP shortest path. SpeedNet cannot place traffic into the
TE tunnel at all; nothing is said about one direction only.
That's why the answer is Option B: the routing table must show the
destinations behind the MPLS TE tail-end as reachable through the
tunnel interface. This can be done in many ways (static route, PBR,
CBTS, autoroute announce, forwarding adjacency).
Thus, Option B is the correct answer.
A. Yes, it's possible, but it's not a good idea to run both IntServ
and DiffServ in the same network
B. No, there’s no specific restrictions and they can both run in
the same network
Answer 14:
The answer is Option A. It is possible, but since IntServ and DiffServ
are two different approaches to QoS design, as explained in the QoS chapter
of the book, they shouldn't be used together on the same network.
15. We are considering several QoS models. Which one is the
best fit for us?
A. 1 PQ, 3 BQ
B. 1 PQ, 4 BQ
C. 3 BQ
D. 5 BQ
E. 3 PQ, 1 BQ
Answer 15:
SpeedNet provided their application profile in the background
document as well as in Email 6. Based on the given information:
Voice and video conferencing should go into the PQ. SAP and HR
applications are business critical, so they should be placed in the same
queue, separate from the bulk traffic.
NFS and FTP are bulk traffic; we can place them in the same queue, but
in a different bandwidth queue from the business-critical traffic.
Since the company allows gaming/entertainment applications, those
should go into a scavenger queue, and the rest of the traffic should go into
best effort.
That's why we need 1 PQ and 4 BQ, Option B.
Email 7
All our users have a problem accessing the cloud gaming application
we deployed recently, and it looks like the problem is somewhere in our
network, but we are not sure where. We need your help to identify the
problem!
Answer 16:
The answer is closer to the application, since all the users have a problem
Email 8
A. Inter-AS Option A
B. Inter-AS Option B
C. Inter-AS Option C
D. Redistributing the prefixes of two networks to each other
Answer 17:
Since there are overlapping IP addresses between SpeedNet and
Hypercom, we cannot leak the internal prefixes (the PE loopbacks)
between the two networks, so Option C cannot be chosen.
Option A cannot be chosen either, since the email states that many
requests are coming in for the Inter-AS service, and Option A does not
scale.
A very detailed explanation of Inter-AS MPLS VPNs was provided in
the MPLS chapter of the book.
The answer is Option B.
Answer 18:
It fits SpeedNet’s scalability needs. It is not the most secure option;
Inter-AS Option A is the most secure Inter-AS MPLS VPN solution.
It is not the easiest to configure; Inter-AS Option A is the easiest one,
but when the number of Inter-AS MPLS customers grows, it doesn’t scale.
Inter-AS MPLS Option B doesn’t provide an end-to-end LSP; only Inter-
AS Option C does.
Answer is B.
Answer 19:
The answer should be as below. Please note that there is no customer
IGP on the PE devices, since in the scenario you are told that, as company
policy, they only want to provide BGP as the PE-CE protocol.
Email 9
One of our lead architects came up with a new IP addressing scheme
that the new network is going to migrate to within the next 6 months. Also,
the Hypercom full-mesh IBGP is being migrated to a Route Reflector topology.
The RRs will be placed in a centralized location; they will not be used as
inline RRs.
It gives us the opportunity to use Inter-AS Option C.
Answer 20:
Answer 21:
It is not the only option that can support 6VPE. It is not the easiest
way to deploy an Inter-AS MPLS service; Option A is the easiest, as explained
before. It is not the most secure Inter-AS MPLS VPN solution; Option A is
the most secure one.
The correct answer is B.
Email 10
Hi Mr. Designer,
As you know, we have MPLS Layer 3 VPN, Internet, point-to-point
MPLS VPN and VPLS customers. Especially for the VPLS customers,
when we want to add a new site to a customer’s current VPLS, it
is operationally very hard for us to touch every PE of the customer.
We are afraid that this will be a bigger problem for the merged network,
since we want to span the VPLS and our other services throughout the
merged network. But especially for the VPLS issue, we want to have an
immediate solution.
Please note that we have an LDP-based VPLS in our network and the
Hypercom network doesn’t have VPLS at all currently.
Can you help us fix our operational problem?
merged network
B. Their existing gear doesn’t have the capability to keep the state
of the merged network
C. They want to reduce the operational touch point for the
existing services, especially VPLS
D. They don’t know whether VPLS service can be extended
over the Inter-AS links
Answer 22:
As given in the email, SpeedNet wants to reduce the operational
touch points for the existing services, especially VPLS.
In the CCDE Practical exam, the most important thing is to answer the
question based on the given requirements. Requirements are given in the
initial background documentation and in the emails.
Answer is Option C.
Answer 23:
Replacing VPLS with EVPN or PBB-EVPN is not an option, since
they want an immediate solution and we don’t know whether their devices
support EVPN or PBB-EVPN.
BGP Auto-Discovery reduces their operational tasks by advertising
the VPLS membership information, and we know that BGP is already
used on their networks.
Answer is Option E.
Answer 24:
The most granular QoS is achieved with Inter-AS Option A, since there is
a separate physical or logical link per customer VPN. With the other options,
the same link(s) are used for all the Inter-AS customers.
Answer is Inter-AS Option A.
26. Is there any problem with LDP-based and BGP-based VPLS supporting
an end-to-end VPLS?
A. Yes
B. No
Answer 26:
The correct answer is No.
By adding interconnect nodes between the LDP-VPLS and BGP-
VPLS domains, an end-to-end VPLS service is created.
Email 11
One of our customers is asking whether we can provide IPv6 L3
VPN services for them. We have not been thinking about it, but as per our
assessment, all our networking nodes support IPv6.
27. Which technology will help SpeedNet to meet the
requirements above?
A. 6PE
B. DMVPN
C. 6vPE
D. NAT64
E. NAT46
Answer 27:
Answer 28:
The correct answer is Option E. IPv4 transport is used to create 6VPE;
LDPv6 or IPv6 transport is not needed.
Email 12
In the future, we are planning to expand to the EMEA region. Our
management has found one of the small local service providers in the UK
that they are going to acquire within the next several months. We are
looking for a cost-effective short-term solution for the acquisition to extend
MPLS VPN services between the two networks.
We also need a good design and migration plan for a long-term
solution if this acquisition goes well. We don’t have a budget issue for long
haul links. As we are planning to provide different value added services
for our customers, both short-term and long-term solutions must support
end-to-end QoS and Multicast.
29. What is the fastest short-term solution to connect current
SpeedNet network and a new one in the UK?
A. Use L2VPN from another MPLS Service Provider to
connect current SpeedNet network and a new one with
MPLS and QoS over that L2VPN
B. Use L3VPN from another MPLS Service Provider to
connect current SpeedNet network and a new one with
MPLS and QoS over that L3VPN
C. Build GRE tunnels over Internet and run MPLS and the
necessary services on top of it
D. Order dedicated circuits
Answer 29:
The answer is Option C. It is the fastest solution to extend their VPNs,
although there might be a lot of problems with GRE tunnels.
Answer 30:
It doesn’t require separate overlay tunnels per customer.
Multicast routing is supported over GRE tunnels. But it is not secure,
since it runs over the public Internet. IPSEC can run on top of it, but that
was not mentioned in the question.
It is not reliable and there is no SLA, since the Internet is best effort.
QoS is not under SpeedNet’s control for the same reason: the Internet
is best effort, and if there is any congestion along the path, there is no
SLA for QoS.
Chapter 13
CCDE PRACTICAL SCENARIO
MAG Energy
the multiple-choice questions, partial scoring applies in the real exam.
Passing score is 80 in the CCDE Practical exam.
Throughout this scenario, you will receive multiple emails, similar to
the real exam.
The emails will provide extra bits of information and will redirect you to
a new set of problems. The purpose of this demo is to show you what kind
of questions you may encounter in the CCDE Practical exam, how you
should approach the questions, and what your design mindset should be.
Document 1
Company Profile:
MAG Energy (MAG-E) is an energy broker and middleman between
Energy Providers and their customers located in the United States.
MAG-E has been in business for just over 10 years. The company and
its network were built organically, only as the needs of the business
increased. Historically, the primary source of revenue has been deploying
Site Devices at customer locations. While this primary method has been
effective over the years, it has not been efficient from either a monetary
or a time-to-deployment standpoint. For the short term, MAG-E has
purchased a manufacturing plant in Boise, Idaho to bring all Site Device
manufacturing in house and significantly reduce the overall cost of each Site
Device. As for the long term, the Executive team is currently researching
different SaaS solutions that would replace the current Site Device model.
Power Usage / Reduction Event Process:
MAG-E is a middleman between Energy Providers and the Enterprise
Customers of the Energy Provider. For example, the energy provider
would first work with MAG-E to negotiate a contract for power reduction
in the energy provider’s area of responsibility. Once the contract is
finalized, MAG-E works with Enterprise customers of the energy provider
to negotiate a child contract for a reduction in power usage. Common
Enterprise customers are grocery stores, pharmacies, retail stores, farms
and silos, and factories.
An Event is when the energy provider has a high amount of power
usage that they cannot maintain. When this occurs, the energy provider
will initiate the Event by calling the Support Line at MAG-E, which starts
the internal process within MAG-E to engage all child contracts to comply
with the reduction in power. Traditionally, these Events happen more in
the summer seasons when the temperatures are very high which causes a
high power usage state with all of the Air Conditioners being turned on.
Some Event responses are automatic with the deployed Site Device
turning a system off and on as needed while other Event responses are
manual, requiring MAG-E to contact the child customer to manually
lower their power usage by shutting equipment down.
Site Profiles:
MAG-E currently has two Data Centers, one located in Boston,
MA and the other located in Dallas, TX. The primary DC in Boston
has 2000 servers, while the Dallas DC has 1400 servers. MAG-E is
headquartered out of Boston, MA. In Boston there is an Event Support
Center staffed with 500 users that process all of the Events placed by the
Energy Providers. In addition to the Event Support Center Staff, the
Boston location has 3000 more employees. In Boise, Idaho, there is the
newly acquired manufacturing plant that consists of 1000 employees and
another separate legacy remote office that consists of 50 employees. The
rest of the US network consists of 57 office locations that range from five
users to one hundred users.
Site Devices:
MAG-E’s innovative Site Devices have been the bread and butter of
their business since the beginning. Over the years, there have been 3
different Site Device model series: the S, X, and E. The S series was the
pioneer of Site Devices but was limited in functionality, as it could
only push data back to the servers in Boston and Dallas. The S series
also lacked common security best practices such as SSH support and AES
support. The second generation of Site Devices was the X model series.
With the X series, some significant improvements were implemented.
The majority of these improvements were around the security of the Site
Device and the Energy data, by integrating AES and SSH support.
MAG-E wanted to significantly improve the data efficiency that the current
Site Device series lacked by implementing a data pull operation. This last
and final series of Site Devices was the E series. The E series has now
become the spearhead of the business. The E series was developed with
both a push and a pull data method that can function independently and
concurrently. MAG-E has a total of ~2,000 Site Devices deployed today.
S Series  Deployed    X Series  Deployed    E Series  Deployed
S1        402         X1        53          E1        131
S2        238         X2        18          E2        106
S3        157         X3        102         E3        23
S4        318         X4        378         E4        53
MAG-E’s Network:
MAG-E’s US WAN currently uses a single MPLS L3VPN provider
network from Level 3. The two data centers each have two routers connecting
to the MPLS L3VPN network over 200mb/s Ethernet circuits. The
headquarters location also has two routers connecting to the MPLS L3VPN
network, but over 50mb/s Ethernet circuits. All other office locations have
a single router with a single connection to the MPLS L3VPN network, with
bandwidth ranging from 1.5mb/s to 50mb/s, depending on the needs of
the office location. The manufacturing plant in Boise, Idaho was brought
into the MPLS L3VPN network over a single 10mb/s Ethernet circuit.
There are two Level 3 Gigabit Ethernet circuits connecting the two data
centers together, and there is a single 10GB dark fiber connection between
the Boston data center and the Boston headquarters.
Site Device connectivity is terminated in MAG-E’s production DMZ.
The most popular termination method currently implemented is via
private cellular networks. Each private cellular network being used has
a dedicated hub router in the production DMZ where all traffic for that
cellular provider terminates. For this termination method, a dedicated
router with a 3G/4G card is deployed alongside the Site Device.
The next termination method is via site to site VPNs between a
Corporate Applications:
• MAG-E currently runs VoIP, IM, Video, and Email internally. These
applications are used by all employees of MAG-E but VoIP is
specifically critical to the Event Support Center Staff as they cannot
act on an Event if they cannot call an Enterprise Customer.
Diagram 1
MAG-E WAN Diagram
Diagram 2
MAG-E Site Device Termination Internet Option
Diagram 3
MAG-E Site Device Termination Site to Site IPSEC VPN Option
Diagram 4
MAG-E Site Device Termination Private Cellular Network Option
Document 2
From: bob_murphy@mag-e.com
To: Network_Designer
Subject: SAAS Acquisition & Immediate need!
Designer,
The Board will be finalizing the acquisition of Canada Energy (CAN-ENG)
by the end of the week. I need you to clear your schedule ASAP, as this is going to be a
huge project for which I am going to need some significant help. From the little information
I have been given today, CAN-ENG has 2,000 employees geographically dispersed
across Canada in 37 office locations. CAN-ENG has one data center located in
Vancouver and one headquarters located in Montreal. CAN-ENG’s Energy Eye
SAAS application lives in Vancouver. For the short term, we will be setting up
Site to Site VPNs between MAG-E’s Boston HQ and CAN-ENG’s Montreal
HQ, and between MAG-E’s Dallas DC and CAN-ENG’s Vancouver DC. I’m
looking to you to design a long term solution.
The board wants CAN-ENG integrated ASAP so that all MAG-E and
CAN-ENG applications can be used from all locations.
In addition to the above, we have an immediate need to develop a new Site Device
termination solution. In the past, you’ve heard me complain about this customer
before, and this request is no different. To say it nicely, this Enterprise Customer is a
prima donna, but we have to play nice because this is a 50 Million dollar contract for us.
This customer will not use NAT/PAT or static IP addresses. They will not change
their subnets or configure any VPNs on their hardware. We need you to design a
solution that meets these needs and also keeps the Site Devices secure. We need to keep
future scalability in mind. Cost shouldn’t be a concern, but let’s not go hog wild now.
Good luck Designer, I know you will do us proud!
Dr. Bob Murphy
VP of Network Infrastructure, MAG-E
Diagram 5
MAG-E and CAN-ENG Site to Site IPSEC VPN
Question 1)
What is the most important design issue with the short term integration
plan between MAG-E and CAN-ENG (Choose 1)?
A. There is no design issue and this design is a good long
term solution
B. This design does not follow redundancy/resiliency best
practices
C. There are a number of bandwidth saturation issues with
the different circuits
D. There is no guarantee that all applications from both
companies will properly function
E. This design does not meet the time requirement the
customer is requiring
Question 2
Which of the following items will you need from MAG-E to create a
successful network design for the new Site Device termination solution
(Choose 3)?
Question 3
If you requested IP Addressing Scheme, which is the best reason to
request IP Addressing Scheme (choose 1)?
A. Route summarization
B. IP address scaling
C. Customer needing to change subnets
D. IP address overlap
E. I did not request IP Addressing Scheme
Question 4
What information is needed to properly design the CAN-ENG
Document 3
From: bob_murphy@mag-e.com
To: Network_Designer
Subject: New Network Security Policy – Encryption Requirements
Designer,
We at MAG-E have recently updated our Network Security policy per the
recent Government regulations placed on Energy Data. All data on the wire must
be encrypted no matter if it’s our own wire, leased wire, or over the internet. We are
highly out of compliance with this on our current MPLS L3VPN Cloud and could
use some assistance with migrating to a new design that will comply with this new policy.
In addition to that, CAN-ENG is also not in compliance with this security policy.
Question 5
Which of the following proposed network solutions will meet MAG-
E’s new encryption requirements for the new Site Device Termination
solution (Choose all that apply)?
A. DMVPN
B. GETVPN
Question 6
Which of the following proposed network solutions will meet all of
MAG-E’s requirements for the new Site Device Termination solution
(Choose 1)?
A. DMVPN
B. GETVPN
C. Full Mesh IPSEC VPNs
D. Hub and Spoke IPSEC VPNs
E. VPLS
Question 7a
If you selected DMVPN, which option below is the best reason why
(Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
C. A solution that is highly scalable is needed per the
requirements.
D. I did not select this option
Question 7b
If you selected GETVPN, which option below is the best reason why
(Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
Question 7c
If you selected Full Mesh IPSEC VPNs, which option below is the
best reason why (Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
C. A solution that is highly scalable is needed per the requirements.
D. I did not select this option
Question 7d
If you selected Hub and Spoke IPSEC VPNs, which option below is
the best reason why (Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
C. A solution that is highly scalable is needed per the
requirements.
D. I did not select this option
Question 7e
If you selected VPLS, which option below is the best reason why
(Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
C. A solution that is highly scalable is needed per the
requirements.
Document 4
From: bob_murphy@mag-e.com
To: Network_Designer
Subject: New Site Device Termination Solution
Designer,
As you have seen with our network in the past, we use RFC 1918 addressing.
Our Boston data center uses 10.0.0.0/11, and our Dallas data center uses
10.120.0.0/11. All of our remote office locations currently fit in the 172.16.0.0/12
block in different /22 increments. The 192.168.50.0/24 and 192.168.51.0/24 are
reserved networks for our Production DMZ and are used for translating overlapping
customer subnets in regards to deployed Site Devices. If there isn’t a subnet overlap
with a customer’s network, then we just dynamically route for the customer’s network in
our own network. As you can imagine, this leads to a lot of random networks in our
routing table that are not our networks but we do need to access them to connect to the
Site Devices at the customer locations. Our applications use the following IP addresses:
Time     Projected Device Count
Today    1,979
3 yrs    2,714
5 yrs    3,418
7 yrs    3,827
10 yrs   4,285
I have no Network, CPU or memory utilization reports that would be of
importance.
Dr. Bob Murphy
VP of Network Infrastructure, MAG-E
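The addressing rule in Document 4 (a customer subnet that overlaps MAG-E’s own space is translated into the reserved 192.168.50.0/24 and 192.168.51.0/24 ranges, a non-overlapping one is simply routed), worked through as an added Python example that is not the book’s or MAG-E’s own tooling. The customer sites and Site Device addresses are constructed; 10.120.0.0/11 is taken as the aligned /11 that contains it (an assumption, since that value is not on a /11 boundary); the overlap check is widened to the DMZ ranges themselves; and the pool is sized against the projected device counts from the same email.

```python
"""Site Device addressing check for the rule described in Document 4.

Added example, not from the book or MAG-E: an overlapping customer subnet is
translated into the reserved DMZ ranges, a non-overlapping one is routed
natively. The customer sites below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# MAG-E address plan as stated in Document 4. 10.120.0.0/11 is not on a /11
# boundary, so strict=False keeps the stated value and normalises it to the
# aligned block that contains it (10.96.0.0/11); this is an assumption.
INTERNAL_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/11"),                  # Boston DC
    ipaddress.ip_network("10.120.0.0/11", strict=False),  # Dallas DC
    ipaddress.ip_network("172.16.0.0/12"),                # remote offices, /22 each
]
# Reserved Production DMZ ranges used to translate overlapping customer subnets.
NAT_POOLS = [
    ipaddress.ip_network("192.168.50.0/24"),
    ipaddress.ip_network("192.168.51.0/24"),
]
# Projected Site Device counts from the table in Document 4.
PROJECTED_DEVICES = {"Today": 1979, "3 yrs": 2714, "5 yrs": 3418,
                     "7 yrs": 3827, "10 yrs": 4285}
# Constructed sample customer sites: (customer, subnet, Site Device addresses).
SAMPLE_SITES = [
    ("Grocery chain", "10.5.0.0/24", ["10.5.0.10", "10.5.0.11"]),
    ("Pharmacy", "192.168.1.0/24", ["192.168.1.5"]),
    ("Farm silo", "172.20.8.0/22", ["172.20.8.9"]),
    ("Factory", "10.100.0.0/16", ["10.100.1.1"]),
]


def overlapping_block(subnet: str) -> Optional[ipaddress.IPv4Network]:
    """Return the MAG-E block (or DMZ pool) a customer subnet collides with, or None.

    The DMZ pools are included because a customer that already uses
    192.168.50.0/24 or 192.168.51.0/24 would collide with the translated addresses.
    """
    candidate = ipaddress.ip_network(subnet)
    for block in INTERNAL_BLOCKS + NAT_POOLS:
        if block.overlaps(candidate):
            return block
    return None


class TranslationPool:
    """Hands out one stable translated DMZ address per overlapping Site Device."""

    def __init__(self, pools: List[ipaddress.IPv4Network]) -> None:
        self._free = [host for pool in pools for host in pool.hosts()]
        self.capacity = len(self._free)  # two /24s = 508 usable addresses
        self.assigned: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}

    def translate(self, device_ip: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        """Return the translated address for a device, allocating on first use."""
        if device_ip not in self.assigned:
            if not self._free:
                raise RuntimeError("DMZ translation pool exhausted")
            self.assigned[device_ip] = self._free.pop(0)
        return self.assigned[device_ip]


def plan_site_devices(sites, pool: TranslationPool) -> List[Tuple[str, str, str, str]]:
    """Apply Document 4's rule per site: route natively, or translate each device."""
    plan = []
    for customer, subnet, devices in sites:
        clash = overlapping_block(subnet)
        if clash is None:
            # No overlap: the customer's network is dynamically routed as-is.
            plan.append((customer, subnet, "route", "advertise natively"))
            continue
        for dev in devices:
            mapped = pool.translate(ipaddress.ip_address(dev))
            plan.append((customer, subnet, "nat", f"{dev} -> {mapped} (overlaps {clash})"))
    return plan


def pool_shortfall(capacity: int, projected=PROJECTED_DEVICES) -> Dict[str, int]:
    """Worst-case gap if every projected Site Device needed a translated address."""
    return {label: max(0, count - capacity) for label, count in projected.items()}


def run_sample_plan():
    """Run the constructed sites through a fresh pool; returns (plan, pool)."""
    pool = TranslationPool(NAT_POOLS)
    return plan_site_devices(SAMPLE_SITES, pool), pool


if __name__ == "__main__":
    sample_plan, dmz_pool = run_sample_plan()
    for entry in sample_plan:
        print(entry)
    print("pool capacity:", dmz_pool.capacity)
    print("worst-case shortfall:", pool_shortfall(dmz_pool.capacity))
```

The shortfall figures only bite if many customers overlap, but they show that two reserved /24s cover at most 508 translated devices against a fleet of 1,979 today.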
Question 8
Based on the new requirements which solution should MAG-E
implement for the New Site Device Termination Solution?
A. GETVPN
B. DMVPN
Question 9a
Why is GETVPN the best option?
A. It fulfills the encryption requirement
B. It fulfills the spoke to spoke traffic pattern requirement
Question 9b
Why is DMVPN the best option?
Document 5
From: bob_murphy@mag-e.com
To: Network_Designer
Subject: New Site Device Termination Solution # 2
Designer,
Thank you for your help thus far. I know it’s been a rocky road and I can
definitely promise you it’s only going to get rockier. As for the New Site Device
Termination Solution that you have been working on in your sleep, we are going to
implement DMVPN but I still need your help selecting which DMVPN design to
implement.
Question 10
Which DMVPN phase and routing protocol combination can meet
the requirements (Check all that apply)?
                EIGRP   OSPF   BGP   RIP   ISIS
DMVPN Phase 1   [ ]     [ ]    [ ]   [ ]   [ ]
DMVPN Phase 2   [ ]     [ ]    [ ]   [ ]   [ ]
DMVPN Phase 3   [ ]     [ ]    [ ]   [ ]   [ ]
Question 11
Which DMVPN implementation is the best design given the
requirements (Choose 1)?
A. DMVPN Phase 3 with EIGRP
B. DMVPN Phase 2 with OSPF
C. DMVPN Phase 1 with BGP
D. DMVPN Phase 1 with EIGRP
E. DMVPN Phase 3 with ISIS
F. DMVPN Phase 2 with RIP
Question 12
Please place the following implementation tasks regarding the new
Site Device Termination solution in the correct order.
A. Protect the mGRE tunnel with IPSEC
B. Configure DMVPN on the spoke routers
C. Configure EIGRP routing between DMVPN mGRE
Tunnels
D. Deploy new spoke routers at Site Device Locations
E. Deploy new hub routers at Dallas and Boston DCs
F. Create FVRF on hub routers
G. Configure DMVPN on the hub routers
H. Create FVRF on spoke routers
Question 13
Which of the following information is needed to create a valid network
design for the merger between MAG-E and CAN-ENG (Choose 3)?
A. MAG-E QoS information
B. CAN-ENG QoS information
C. MAG-E Subnet information
D. CAN-ENG Subnet information
Diagram 6
CAN-ENG WAN Site to Site IPSEC VPN Diagram
Question 14
mary concern if CAN-ENG were to continue with a hub and spoke
of IPSEC Tunnels over the internet for its WAN connectivity (Choose
1)?
A. Over Subscription of Circuits
B. Performance of applications
C. Security of energy data
D. Control Plane instability
Question 15
If we were to replace the hub and spoke IPSEC Tunnels that CAN-
ENG is using with another technology which technologies below best
Document 6
From: bob_murphy@mag-e.com
To: Network_Designer
Subject: QoS Design
Designer,
Surprisingly, neither company has implemented much QoS as of yet. The only
QoS that is implemented is in the MAG-E network for Voice and Video related
traffic. All Voice and Video is configured with the EF DSCP value and placed in a
LLQ with 33% of the bandwidth. The rest of the applications in both companies
are configured for Best Effort.
This is a fairly big issue so I would like to make sure we implement a valid QoS
design ASAP. I would like to keep our Queue count simple with only 4 queues:
Realtime (EF), Control (CS3), Transactional Data (AF21), and Best Effort (DF)
but still manage to include all of the different applications that both companies have.
Regarding the CAN-ENG WAN discussion we had earlier, we have decided
to move CAN-ENG from Site to site VPNs to our current MPLS L3VPN.
We need to make sure this migration goes over very smoothly and with very little
interruption. During this migration we would also like to remove any single points of
failures in the DC and HQ locations for the CAN-ENG network.
Question 16
Before we go any further, I need help determining all of the QoS-
related information for the following application QoS matrix. Please
check each box that applies for each application; for the DSCP field, please
enter the DSCP value needed for that application in this design.
Question 17
B. Diagram B
C. Diagram C
D. Diagram D
Question 18
Place the following tasks in the order that they should occur to
properly migrate the CAN-ENG WAN to MPLS L3VPN.
A. Configure PE-CE routing protocol at DC and HQ, and
redistribute
B. Deploy new WAN router at DC and HQ
C. Decommission all Site to Site VPNs
D. Provision and connect new MPLS L3VPN circuits at each
location
E. Configure PE-CE routing protocol at each remote location,
and redistribute
F. Deploy new WAN router at each remote location
G. Deploy QoS design on all WAN routers.
Document 7
From: bob_murphy@mag-e.com
To: Network_Designer
Subject: WAN Migration Complete
Designer,
The WAN Migration is completed! We do have one major issue that needs to be
addressed. We can no longer access the MAG-E-ETC resource from anywhere in the
network. We need this resolved before Monday morning or something’s going to hit the
fan, if you can smell what I am cooking?!?!
In addition to the above, we just got hit with a nasty data privacy lawsuit. We
were unaware of some of the new Data separation requirements between Energy
Data, Finance Data, and HR Data. As you know, we do not currently segregate
our data at all, everyone can access everything. Well these suit and tie nutcases just
determined that we cannot continue like this so we need to come up with a solution that
allows full separation of data between departments, customers and site devices across all
office locations. Keep in mind that most office locations have a small number of people
from each department in the office. Each department needs to collaborate, within the
department, across different offices at any given time. We would prefer that their traffic
would take the most direct path to each other that is possible.
Question 19
What is the best possible reason why the MAG-E-ETC application is
no longer accessible throughout the network?
A. Duplicate IP addresses with the Energy Eye Application in
CAN-ENG
B. Traffic is no longer allowed via an infrastructure ACL on
the core
C. Missing a dynamic route for the MAG-E-ETC subnet
D. Subnet overlap
Question 20
What solution below would be the quickest way to resolve the issue
with the MAG-E-ETC application?
A. Advertise a host route for 10.2.0.100
B. Configure NAT for 10.2.0.0/16 to an unused /16 subnet
C. Configure NAT for 10.0.0.0/11 to an unused /11 subnet
D. Advertise a host route for 10.2.0.18
E. Change the IP address of the MAG-E-ETC to another IP
in the 10.0.0.0/11 range.
Question 21
What solution below would be the most efficient way to resolve the
issue with the MAG-E-ETC application?
A. Advertise a host route for 10.2.0.100
B. Configure NAT for 10.2.0.0/16 to an unused /16 subnet
C. Configure NAT for 10.0.0.0/11 to an unused /11 subnet
D. Advertise a host route for 10.2.0.18
E. Change the IP address of the MAG-E-ETC to another IP
in the 10.0.0.0/11 range.
Question 22
Which solutions below are capable of meeting the Data separation
requirements, assuming that each option below also includes VRF-Lite
(Choose all that apply)?
A. L2TPv3
B. VPLS
C. MPLSoDMVPN
D. GETVPN
E. VXLAN
Question 23
Which solution below meets all of the requirements, assuming that
each option below also includes VRF-Lite (Choose 1)?
A. L2TPv3
B. VPLS
C. MPLSoDMVPN
D. GETVPN
E. VXLAN
Question 1
What is the most important design issue with the short-term
integration plan between MAG-E and CAN-ENG (Choose 1)?
A. There is no design issue and this design is a good long term
solution
B. This design does not follow redundancy/resiliency best
practices
C. There are a number of bandwidth saturation issues with the
different circuits
D. There is no guaranty that all applications from both
Question 2
Which of the following items will you need from MAG-E to create a
successful network design for the new Site Device termination solution
(Choose 3)?
A. Network Security Policy
B. IP Addressing Scheme
C. Expected Growth Increase
D. Network Utilization Reports
E. Memory/CPU Utilization Reports
Question 3
If you requested IP Addressing Scheme, which is the best reason to
request IP Addressing Scheme (choose 1)?
A. Route summarization
B. IP address scaling
C. Customer needing to change subnets
D. IP address overlap
E. I did not request IP Addressing Scheme
they will not change their subnets.
E. If you didn’t choose IP Addressing Scheme in the previous
question, you might have thought this was the correct answer
but this should have made you think about why it would be
important enough to choose IP Addressing Scheme. Even
if you got the previous question incorrect you still could
have gotten this question correct. With that stated, this is
an incorrect option.
Question 4
What information is needed to properly design the CAN-ENG
Energy Eye integration with MAG-E (Choose 1)?
A. QoS values for application traffic
B. Encryption requirements
C. Application IP address
D. CAN-ENG’s Routing protocol
option.
D. CAN-ENG’s routing protocol is not necessarily information
we need specifically for the Energy Eye application. This is
an incorrect answer.
Question 5
Which of the following proposed network solutions will meet MAG-
E’s new encryption requirements for the new Site Device Termination
solution (Choose all that apply)?
A. DMVPN
B. GETVPN
C. Full Mesh of IPSEC VPNs
D. Hub and Spoke IPSEC VPNs
E. VPLS
correct option.
B. Yes GETVPN supports the new Encryption requirements
in the new Network Security Policy in Document 3. This is
a correct option.
C. Yes Full Mesh IPSEC VPNs supports the new Encryption
requirements in the new Network Security Policy in
Document 3. This is a correct option.
D. Yes Hub and Spoke IPSEC VPNs supports the new
Encryption requirements in the new Network Security
Policy in Document 3. This is a correct option.
E. VPLS does not support the new Encryption requirements
in the new Network Security Policy in Document 3. This is
an incorrect answer.
Question 6
Which of the following proposed network solutions will meet all of
MAG-E’s current requirements for the new Site Device Termination
solution (Choose 1)?
A. DMVPN
B. GETVPN
C. Full Mesh IPSEC VPNs
D. Hub and Spoke IPSEC VPNs
E. VPLS
is a correct option.
C. The Full Mesh IPSEC VPNs solution does not meet the
scalability requirement from Document 2, “We need to
keep future scalability in mind”. This is an incorrect option.
D. The Hub and Spoke IPSEC VPNs solution does not meet
the scalability requirement from Document 2, “We need to
keep future scalability in mind”. This is an incorrect option.
E. VPLS does not support the new Encryption requirements
in the new Network Security Policy in Document 3. This is
an incorrect answer.
Question 7a
If you selected DMVPN, which option below is the best reason why
(Choose 1)?
Question 7b
If you selected GETVPN, which option below is the best reason why
(Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
C. A solution that is highly scalable is needed per the
requirements.
D. I did not select this option
B. While encryption is a requirement and GETVPN supports
it, it is not the best option given. All other options in question
6 support Encryption so we need to compare something
else here instead of encryption. This is an incorrect option.
C. Scalability of the solution is the determining factor here that
rules out some of these options. This is the correct option.
D. This is an incorrect option.
Question 7c
If you selected Full Mesh IPSEC VPNs, which option below is the
best reason why (Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
C. A solution that is highly scalable is needed per the
requirements.
D. I did not select this option
Detailed Answer Breakdown:
A. This is an incorrect option.
Question 7d
If you selected Hub and Spoke IPSEC VPNs, which option below is
the best reason why (Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
C. A solution that is highly scalable is needed per the
requirements.
D. I did not select this option
Question 7e
If you selected VPLS, which option below is the best reason why
(Choose 1)?
A. Running EIGRP is needed on hub and spoke networks
B. A solution that supports encryption is needed per the new
security policy implemented.
C. A solution that is highly scalable is needed per the
requirements.
D. I did not select this option
Detailed Answer Breakdown:
Question 8
Based on the new requirements which solution should MAG-E
implement for the New Site Device Termination Solution?
A. GETVPN
B. DMVPN
support the Spoke-to-Spoke traffic pattern requirement in
Document 4. This is an incorrect option.
B. DMVPN is the correct answer because it does support the
Spoke-to-Spoke traffic pattern requirement in Document 4.
This is the correct option.
Question 9a
Why is GETVPN the best option?
A. It fulfills the encryption requirement
B. It fulfills the spoke to spoke traffic pattern requirement
Question 9b
Why is DMVPN the best option?
Question 10
Which DMVPN phase and routing protocol combination can meet
the requirements (Check all that apply)?
Question 11
Which DMVPN implementation is the best design given the
requirements (Choose 1)?
A. DMVPN Phase 3 with EIGRP
B. DMVPN Phase 2 with OSPF
C. DMVPN Phase 1 with BGP
D. DMVPN Phase 1 with EIGRP
an incorrect option.
C. DMVPN Phase 1 is ruled out with any routing protocol
because we need spoke-to-spoke tunnels and DMVPN
Phase 1 does not support this. This is not a correct answer.
D. DMVPN Phase 1 is ruled out with any routing protocol
because we need spoke-to-spoke tunnels and DMVPN
Phase 1 does not support this. This is an incorrect option.
E. ISIS is not supported over DMVPN because it’s not an IP
protocol. This is an incorrect option.
F. DMVPN Phase 2 is ruled out with any routing protocol
because we would need to implement some sort of
summarization to reduce the number of routes being
advertised and we cannot do this in DMVPN Phase 2. With
DMVPN Phase 2, all spokes must learn all routes. This is
an incorrect option.
Question 12
Please place the following implementation tasks regarding the new
Site Device Termination solution in the correct order.
Question 13
Which of the following information is needed to create a valid network
design for the merger between MAG-E and CAN-ENG (Choose 3)?
A. MAG-E QoS information
B. CAN-ENG QoS information
C. MAG-E Subnet information
D. CAN-ENG Subnet information
E. MAG-E WAN Network Diagram
F. CAN-ENG WAN Network Diagram
option.
D. We have already been given CAN-ENG’s subnet information
so there is no need for us to ask for it. This is an incorrect
option.
E. We have already been given MAG-E’s WAN Network
Diagram so there is no need for us to ask for it. This is an
incorrect option.
F. To successfully develop a network design we need to have
the CAN-ENG WAN Network Diagram. Without the
CAN-ENG WAN Network Diagram, we would have no
information on how the CAN-ENG network is setup
currently to then come up with a new design to merge the
two environments. This is a correct option.
Question 14
What would be a primary concern if CAN-ENG were to continue
with a hub and spoke of IPSEC Tunnels over the Internet for its WAN
connectivity (Choose 1)?
A. Over Subscription of Circuits
B. Performance of applications
C. Security of energy data
D. Control Plane instability
Question 15
If we were to replace the hub and spoke IPSEC Tunnels that CAN-ENG
is using with another technology, which technologies below best
meet the requirements (Choose 2)?
A. Provision a second MPLS L3VPN network for all Canada
locations and bridge both MPLS L3VPNs together at the
DCs.
B. Implement VPLS to replace the current WAN
C. Deploy a hub and spoke network of L2TPv3 connections
D. Implement LISP to replace the current WAN
E. Add the CAN-ENG network into the current MPLS L3
VPN network
Question 16
Before we go any further, I need help determining all of the QoS
related information for the following application QoS matrix. Please
check each box that applies for each application; for the DSCP field,
please enter the DSCP value needed for that application in this design.
Detailed Answer Breakdown:
Question 17
Which of the following CAN-ENG MPLS L3VPN designs meets the
requirements (Choose 1)?
A. Diagram A
B. Diagram B
C. Diagram C
D. Diagram D
Question 18
Place the following tasks in the order that they should occur to
properly migrate the CAN-ENG WAN to MPLS L3VPN.
A. Configure PE-CE routing protocol at DC and HQ, and
redistribute
B. Deploy new WAN router at DC and HQ
C. Decommission all Site to Site VPNs
D. Provision and connect new MPLS L3VPN circuits at each
location
E. Configure PE-CE routing protocol at each remote location,
and redistribute
F. Deploy new WAN router at each remote location
G. Deploy QoS design on all WAN routers.
Question 19
What is the best possible reason why the MAG-E-ETC application is
no longer accessible throughout the network?
A. Duplicate IP addresses with the Energy Eye Application in
CAN-ENG
B. Traffic is no longer allowed via an infrastructure ACL on
the core
Question 20
What solution below would be the quickest way to resolve the issue
with the MAG-E-ETC application?
A. Advertise a host route for 10.2.0.100
B. Configure NAT for 10.2.0.0/16 to an unused /16 subnet
C. Configure NAT for 10.0.0.0/11 to an unused /11 subnet
D. Advertise a host route for 10.2.0.18
E. Change the IP address of the MAG-E-ETC to another IP
in the 10.0.0.0/11 range.
Question 21
What solution below would be the most efficient way to resolve the
issue with the MAG-E-ETC application?
A. Advertise a host route for 10.2.0.100
B. Configure NAT for 10.2.0.0/16 to an unused /16 subnet
C. Configure NAT for 10.0.0.0/11 to an unused /11 subnet
D. Advertise a host route for 10.2.0.18
E. Change the IP address of the MAG-E-ETC to another IP
in the 10.0.0.0/11 range.
routing issue with MAG-E-ETC. By advertising a host
route for 10.2.0.18, it will allow all traffic to MAG-E-ETC to
take precedence over the summary route from CAN-ENG.
This was the short term / quickest option but is not a longer-term
solution. This is an incorrect option.
E. Changing the IP address of the MAG-E-ETC application
would not be a good idea as the customer would have to
repoint all site devices to the new IP Address and this would
require physically touching each site device, which would
take a very long time and would cost a lot of money. This
is an incorrect option.
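The longest-prefix-match behaviour behind the host-route answer above, as an added example that is not from the study guide: a small Python routing lookup over the prefixes named in the questions (10.0.0.0/11, 10.2.0.0/16, 10.2.0.18), with constructed next-hop names.

```python
# Added example (not from the study guide): longest-prefix-match lookup over a
# constructed routing table for the MAG-E / CAN-ENG address overlap. The
# prefixes come from the questions; the next-hop names are made up.
import ipaddress

MAG_E_SUMMARY = ("10.0.0.0/11", "MAG-E core")
CAN_ENG_SUMMARY = ("10.2.0.0/16", "CAN-ENG WAN")   # overlaps MAG-E's /11
ETC_HOST_ROUTE = ("10.2.0.18/32", "MAG-E DC")      # the "quickest" fix


def build_rib(routes):
    """Turn (prefix, next_hop) pairs into a list of (network, next_hop)."""
    return [(ipaddress.ip_network(p), nh) for p, nh in routes]


def lookup(rib, dst):
    """Longest-prefix match: among all matching prefixes the longest wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in rib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else (str(best[0]), best[1])


def next_hop_for_etc(with_host_route):
    """Where traffic to MAG-E-ETC (10.2.0.18) goes with/without the /32."""
    routes = [MAG_E_SUMMARY, CAN_ENG_SUMMARY]
    if with_host_route:
        routes.append(ETC_HOST_ROUTE)
    return lookup(build_rib(routes), "10.2.0.18")[1]


if __name__ == "__main__":
    # Without the /32 the CAN-ENG /16 is more specific than MAG-E's /11,
    # so MAG-E-ETC traffic is pulled towards CAN-ENG; the /32 wins it back.
    print("without host route:", next_hop_for_etc(False))
    print("with host route:   ", next_hop_for_etc(True))
    # Every other 10.2.0.0/16 address is still attracted by the CAN-ENG
    # summary, which is why the host route is only a short-term fix.
    rib = build_rib([MAG_E_SUMMARY, CAN_ENG_SUMMARY, ETC_HOST_ROUTE])
    print("10.2.0.100 ->", lookup(rib, "10.2.0.100"))
```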
Question 22
Which solutions below are capable of meeting the Data
separation requirements, assuming that each option below
also includes VRF-Lite (Choose all that apply)?
B. L2TPv3
C. VPLS
D. MPLSoDMVPN
E. GETVPN
F. VXLAN
Question 23
Which solution below meets all of the requirements, assuming that
each option below also includes VRF-Lite (Choose 1)?
A. L2TPv3
B. VPLS
C. MPLSoDMVPN
D. GETVPN
E. VXLAN
incorrect option.
Appendix
Network Complexity
As you will see later in this topic, if you want to have a robust network
you need some amount of complexity.
People refuse to have network complexity and believe that network
complexity is bad. But this is wrong!
Every network needs complexity, and network complexity is good!
In the figure above, the router in the middle is connected to the
edge router. Obviously it is not redundant. If we want to design a resilient
network, we add a second router (figure-b), which creates network
complexity but provides resiliency through redundancy.
In order to provide resiliency we needed complexity. But this is a
necessary complexity. There is also unnecessary complexity, which we need
to separate from the necessary one as I depicted above.
A simple example of unnecessary complexity is adding a third OSPF
ABR in picture-1.
Assume that we are running a flat OSPF network as in pictures a and
b; state information is kept exactly identical on every node in the domain.
Through layering, complexity can be decreased. In figure-c, there
is area routing, so multiple areas are created to allow summarization of
reachability information. Thus the state in the devices can be kept smaller,
so limiting the control plane state might reduce complexity.
But there are tradeoffs here. In order to reduce the control plane
state on those devices, summarization needs to be configured on the
ABRs, which increases configuration and management complexity.
Although this task can be automated through management systems,
someone needs to operate the management systems, so management
complexity is not avoided but shifted from operators to management
systems.
In this example, placing a second router and then creating multiple
OSPF areas allows us to achieve many network design goals:
resiliency (through redundancy) and scaling (through layering/hierarchy).
These are the parameters of robustness.
John Doyle, who is a lead scientist of the network complexity area,
states that:
Reliability is robustness to component failures.
Efficiency is robustness to resource scarcity.
Scalability is robustness to changes to the size and complexity of the
system as a whole.
Modularity is robustness to structured component rearrangements.
Evolvability is robustness of lineages to changes on long time scales.
Robust Yet Fragile is a very important paradigm and helps us to
understand network complexity.
• Network devices, such as routers, switches, optical equipment, etc.
This includes components in those devices, such as CPUs, memory,
ASICs, etc.
• Links between devices.
• External links, to customers and other service providers.
• Support hardware, such as power supplies, heating, cooling, etc.
• Operating systems.
• Device configurations.
• Network state tables, such as routing tables, ARP tables, etc.
The management system consists of:
• Hardware used for the management systems, and the network
connecting them.
• Operating systems of these management systems
• Software for management, provisioning, etc.
• Operational procedures.
processes for their operation.
These protocol interactions create complexity in your networks.
For example, you run OSPF or IS-IS as the link state protocol, and
for fast reroute you might be running MPLS TE-FRR. To be able to
provide it, you need to run not only OSPF or IS-IS but also RSVP and
most probably LDP as well.
It is of course relative, but BGP is not a complex protocol for me and
probably not for those who have read this article up to here. But policy
interaction between BGP peers creates BGP wedgies (RFC 4264) and policy
violations due to data plane vs. control plane mismatch.
So the complexity here comes from conflicting policy configuration
used on two different Autonomous Systems, although you understand
many things about BGP. (A small amount of input (policy in BGP) creates a
large amount of output in complex networks.)
Unpredictable: In a complex network, the effect of a local change would
be unpredictable on the global network.
Don’t you have configuration on your routers or firewalls which even
you don’t know why it is there, but you can’t touch it since you
cannot predict what can happen if you remove it?
Predictability is critical for security.
complex.
Ideally the front line/layer 1 or 2 engineers should resolve many of
the issues.
We can visualize network complexity as a cube, as shown in the
picture below.
The overall complexity of a network is composed of three vectors: the
complexity of the physical network, of the network management, and of
the human operator. The volume of the cube represents the complexity
of the overall network.
Most networks, including Enterprises and Service providers,
had a second complexity model, shown below, in the beginning
of the Internet: a small physical network, less network management, but
mostly operated by humans.
Large service providers today attempt to lower the dependency on
human operators, and instead use sophisticated management systems.
An example complexity cube could look like the one illustrated in the first figure.
The overall complexity of today’s networks, illustrated by the volume of the
cube, has increased over the years.
Today with the SDN idea, we aim to remove complexity from the
operator and shift it to network management systems, and also to centralize
the control plane in a logically centralized but physically still distributed
place.
This is not a totally bad idea in my opinion since it provides coherency.
We don’t configure the networks, we configure the routers!
We try to configure the many routers, switches etc. and wait for the result
to be coherent. But at the end we face all kinds of loops, micro loops,
broadcast storms, routing churn, and policy violations.
Network management systems reduce the effect of those by knowing
the entire topology and the intent of the policy, and by configuring the result
across the entire network.
Conclusions:
• Network design is about managing the tradeoffs between different
design goals.
• Not all network designs have to have scalability, fast convergence, maximum
resiliency and so on.
• Complexity can be shifted between the physical network, operators and
network management systems, and overall complexity is reduced by
taking the human factor away. The complexity cube is a good way to
understand this. SDN helps to reduce overall network complexity by
taking some responsibility from the human operators.
• Network design follows Robust Yet Fragile paradigm. Robustness
requires complexity.
• Don’t try the fancy, bleeding edge technologies just to show that you
are smart!
• System complexity is not the same as network complexity. System
complexity should be thought of as the combination of the edges
(hosts, servers, virtual servers etc.) and the network core.
SEGMENT ROUTING
Segment routing refers to a source routing mechanism that provides
Traffic Engineering, Fast Reroute, and MPLS VPNs without LDP or
RSVP-TE.
As you read this post, you will learn everything about segment
routing. With some extensions to the existing protocols, this source routing
mechanism will assist you in solving all the complex problems related to
Traffic Engineering, Fast Reroute, and MPLS VPNs.
With RSVP-TE, you can use MPLS to create a BGP free core, VPN
services (layer 2 and layer 3), and traffic engineering capability.
What is Segment Routing ?
Segment Routing is one of the ways of implementing a source routing
mechanism.
I implore you not to confuse source routing with policy based routing
(PBR); they are totally different.
With Segment Routing, the end-to-end path is pushed to the ingress node
and the subsequent nodes just apply the instructions. With PBR, if the path
will be different from the routing table, each and every node must be
configured in a hop-by-hop fashion.
Segment routing can be compared with MPLS Traffic Engineering
since both can route the traffic explicitly.
While the source is an edge node, it can be a server, a top of rack
switch, a virtual switch, or an edge router. The source allows service chaining,
and its entire path can be exposed to the ingress/head end router.
What does segment mean?
A segment is the component path that allows the packets to travel, a
task specified by the user.
For instance, you could direct traffic travelling from firewall X
to go to router A, and then to router B. Yes, you can do that.
In fact, service chaining can be achieved with Segment Routing.
Even though Segment Routing uses an IP control plane, it employs the
MPLS data plane in its operation. A Segment ID is equivalent to an MPLS
label, and a segment list is expressed as a label stack.
Some extensions of OSPF and IS-IS are necessary for Segment
Routing because the segment/label moves within the link state IGP protocol
messages.
MPLS VPN Label Operation (Control and Dataplane)
The diagram above has two labels. The core label is also known as the transport,
tunnel or topmost label. In MPLS layer 2 or layer 3 VPN operations, the
topmost label carries the packet from the PE1 loopback to the PE2 loopback. While the
topmost label provides edge-to-edge reachability, LDP, RSVP, or BGP
allocates the core/transport label.
In the context of MPLS VPN, LDP is the most commonly used label
distribution protocol.
If you want to use the MPLS Traffic Engineering architecture, then you
need to enable RSVP-TE for label distribution. And of course, LDP and
RSVP can coexist in the network.
The VPN label is provided by BGP, specifically Multiprotocol BGP.
PE routers set the BGP next hop of the VPN prefixes to their own loopback
addresses. The core/transport label is used to reach that BGP next
hop.
PE1 pushes two labels: the red label and the blue label. The red label
– which is the core/transport label – is sent by P1 to PE1 via LDP and is changed
at every hop.
The red label is removed at P2 if PE2 sends an implicit null label, a
Node/Prefix SIDs are sent via IS-IS LSPs or OSPF LSAs.
All Segment Routing enabled routers receive and learn the Node/
Prefix SIDs from one another.
To help you understand this topic, I will explain MPLS Layer 3
VPN operation together with segment routing.
Through MP-BGP, PE1 still receives a VPN label for the CE2 prefixes.
The BGP next hop is the PE2 loopback. The PE2 loopback is advertised with label 100 in the
IS-IS sub-TLV or OSPF Opaque LSA.
PE1 uses label 100 as the core/transport (outer) label and label 2000 as the
inner VPN label.
P1 does not change the core/transport label; it simply sends the
packet on to P2.
If P2 receives an implicit null label from PE2, P2 does PHP
(Penultimate Hop Popping). In sum, only the VPN label is sent to
PE2.
Thus MPLS VPN service is provided by using the IGP instead of LDP.
Segment Routing does not require LDP for the transport tunnel because
it uses the IGP for the label advertisement.
Please note that Segment Routing eliminates the use of LDP only for the
transport label operation.
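The label operations just described, as an added example that is not from the study guide: a small Python model of the PE1 - P1 - P2 - PE2 path that walks the label stack hop by hop, using Node SID 100 and VPN label 2000 from the text and constructed LDP label values (17 and 24) for comparison.

```python
# Added example (not from the study guide): label stack on the PE1 - P1 - P2 - PE2
# path for an MPLS L3VPN, with Segment Routing versus LDP distributing the
# transport label. Node SID 100 and VPN label 2000 come from the text;
# the LDP labels 17 and 24 and the VRF name are constructed values.

IMPLICIT_NULL = 3          # reserved label: "pop the top label before sending to me"
PE2_NODE_SID = 100         # PE2 loopback's Node SID, learned via IS-IS/OSPF
VPN_LABEL = 2000           # allocated by PE2 for CE2's prefixes, learned via MP-BGP
PATH = ["PE1", "P1", "P2", "PE2"]

# LFIB per transit node: incoming transport label -> (action, outgoing label).
# With SR the Node SID is global, so P1 forwards label 100 unchanged;
# P2 pops it because PE2 signalled implicit null (PHP).
SR_LFIB = {
    "P1": {PE2_NODE_SID: ("swap", PE2_NODE_SID)},
    "P2": {PE2_NODE_SID: ("pop", IMPLICIT_NULL)},
}

# With LDP every hop allocates its own local label, so the transport
# label really changes at each hop; P2 still performs PHP.
LDP_LFIB = {
    "P1": {17: ("swap", 24)},
    "P2": {24: ("pop", IMPLICIT_NULL)},
}

# PE2's VRF selection keyed by VPN label (constructed).
PE2_VRF_BY_LABEL = {VPN_LABEL: "VRF-CE2"}


def forward(lfib, ingress_stack):
    """Return the label stack as it leaves each node on PATH (outer label first)."""
    stack = list(ingress_stack)
    trace = {"PE1": list(stack)}          # stack pushed by the ingress PE
    for node in PATH[1:-1]:               # transit nodes P1 and P2
        action, out_label = lfib[node][stack[0]]
        if action == "swap":
            stack[0] = out_label
        elif action == "pop":
            stack.pop(0)                  # PHP: transport label removed here
        trace[node] = list(stack)
    trace["PE2"] = list(stack)            # what the egress PE receives
    return trace


def pe2_lookup(stack):
    """Egress PE: after PHP only the VPN label arrives; pop it and select the VRF."""
    if len(stack) != 1:
        raise ValueError(f"expected only the VPN label after PHP, got {stack}")
    return PE2_VRF_BY_LABEL[stack[0]]


def transport_label_changed(trace):
    """True if the outer label differs between PE1 and P1 (LDP swap vs SR)."""
    return trace["PE1"][0] != trace["P1"][0]


if __name__ == "__main__":
    for name, lfib, ingress in (("SR", SR_LFIB, [PE2_NODE_SID, VPN_LABEL]),
                                ("LDP", LDP_LFIB, [17, VPN_LABEL])):
        t = forward(lfib, ingress)
        print(name, t, "->", pe2_lookup(t["PE2"]))
```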
If you set up an MPLS layer 2 VPN, for the PW label you will use either
LDP or BGP because Segment Routing does not provide such capability.
A PW (Pseudowire) can be signaled via LDP or BGP. An LDP signaled
pseudowire is also known as a Martini pseudowire, while a BGP signaled
pseudowire is also known as a Kompella pseudowire.
So, if you provide layer 2 VPN service with Segment Routing, you
will notice two labels: the transport label provided by the IGP to reach the
correct PE; and the LDP or BGP assigned label for the end customer AC
(Attachment Circuit) identification in the remote PE.
• You can use Segment Routing to provide MPLS VPN service without
using LDP for the transport label distribution.
• Segment Routing reduces memory and CPU requirements in the
network.
• Segment Routing is a totally different technology from PBR (Policy
Based Routing).
• Segment Routing requires OSPF or IS-IS and sends MPLS labels
within these protocols’ update packets.
• Segment Routing provides Traffic Engineering without having the soft
state RSVP-TE protocol in your network. Soft state protocols require
a lot of processing power. Although Segment Routing does not have
admission control, you can use a centralized controller to specify, for
instance, a 50 Mbps LSP path for traffic A and 30 Mbps for traffic B,
which allows you to use traffic engineering.
• Segment Routing provides Fast Reroute without RSVP-TE, and you
do not need to have thousands of forwarding states in the network, as
it uses IP FRR technology, specifically Topology Independent LFA
(TI-LFA).
• Segment Routing has many use cases. Segment routing can be used
together with MPLS VPN, Traffic Engineering, and Fast Reroute, and
Dual Plane topologies are another use case for the operators.
• With Segment Routing Traffic Engineering, you can have ECMP capability,
which is very difficult to achieve with MPLS Traffic Engineering (you need
to create multiple parallel LSPs).
• There are other use cases such as Egress peering engineering. Today,
this can be achieved by complex BGP policy or LISP. Segment
routing is another way of doing BGP Egress peer engineering (BGP
EPE).
• Major vendors – including Alcatel, Ericsson, and Juniper – support
Segment Routing.
• If you have devices that do not support Segment Routing but only LDP,
you can use Segment Routing to interwork with the LDP enabled
devices. The Segment Routing Mapping Server provides the interworking
functionality.
• Segment Routing, with the help of a controller such as a PCE (Path
Computation Element), can be used for Centralized Traffic
Engineering, which provides better global path optimization and
enhanced services such as bandwidth calendaring and completely
disjoint paths. Although these features are not provided only by Segment
Routing (MPLS TE with a centralized controller provides similar
functionality), Segment Routing LSPs can be signaled or instantiated
via the controller as well.
CARRIER ETHERNET
called Carrier Ethernet Transport.
So in this case, the customer’s Ethernet frame is carried over the provider’s
Ethernet infrastructure with Resiliency, OAM, Bandwidth guarantee,
Traffic Engineering, QoS and other Carrier Ethernet feature support.