EXTREME VALIDATED DESIGN
Extreme MPLS based IXP solution Extreme MPLS based IXP solution
9035424-01 April 2018
© 2018, Extreme Networks, Inc. All Rights Reserved.
Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice.
© 2017, Brocade Communications Systems, Inc. All Rights Reserved.
Brocade, the B-wing symbol, and MyBrocade are registered trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands, product names, or service names mentioned of Brocade Communications Systems, Inc. are listed at http://www.brocade.com/en/legal/brocade-Legal- intellectual-property/brocade-legal-trademarks.html. Other marks may belong to third parties.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.
The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
2 Extreme MPLS-based IXP Solution 9035424-01
Contents
Contents ...... 3 Figures ...... 5 Preface ...... 6 Extreme Validated Designs ...... 6 Purpose of This Document...... 6 Target Audience ...... 6 About the Authors ...... 6 Document History ...... 6 About Extreme ...... 7 Introduction ...... 8 Terminology ...... 8 IXP exchange network design ...... 9 IXP exchange ...... 9 IXP reference architecture ...... 11 Attachment circuits (AC) ...... 11 Pseudo-wires (PW)...... 11 Tunnels ...... 11 IXP Design Requirements ...... 12 Customer Edge ...... 12 Backbone ...... 12 High Availability ...... 12 Load Balancing ...... 12 Rate Limiting and traffic policing ...... 12 Security ...... 13 Manageability ...... 13 Monitoring ...... 13 IXP implementation ...... 14 Routing ...... 15 OSPF ...... 16 IS-IS ...... 20 Attachment Circuit (AC) ...... 23 Switching (802.1q, QinQ, Tag manipulation) ...... 24 Attachment Circuit MCT (Multi-Chassis Trunking) ...... 26 AC MCT for MLX VPLS ...... 26 AC MCT for SLX VPLS ...... 30 Pseudo-wire (PW) ...... 35 Create interfaces...... 35 Configure RSVP-TE LSP ...... 39 Configure MPLS LDP LSP ...... 43 PW load balancing ...... 44 SLX-OS MPLS process restart ...... 46 VPLS/VLL instance - Bridge Domain (SLX)/VPLS/VLL instance (MLX) ...... 47
3 Extreme MPLS-based IXP Solution 9035424-01
VPLS instance/bridge domain setup ...... 48 Pseudo wire type (VC mode) options ...... 51 Multiple COS based LSPs ...... 53 VPLS attributes...... 57 VPLS/VLL load balancing ...... 57 Rate limiting on the AC interfaces ...... 62 Rate limiting ...... 62 BUM (Broadcast/Unknown Unicast/Multicast) control ...... 66 Security features ...... 68 Access lists (ACLs) ...... 68 Layer 2 access list ...... 69 Layer 3 access list ...... 70 ACL options ...... 70 ARP guard ...... 74 Port MAC security (SLX-OS) ...... 75 Management (user accounts, telnet, SSH, LLDP, SNMP, NTP, Python) ...... 77 User Accounts and Passwords ...... 77 Management access (Serial port/Telnet/SSH, web, snmp) ...... 78 SNMP ...... 80 NETCONF ...... 83 NTP ...... 84 LLDP ...... 85 Python event-management and scripting ...... 87 Monitoring ...... 87 Logging ...... 87 Sflow ...... 88 OAM (CFM, Y.1731) ...... 90 IXP Case Studies ...... 91 Customer connectivity ...... 91 Core design ...... 93 Managing and monitoring ...... 95 Hardware Matrix...... 95 References ...... 96 Appendix—Configuration of the Nodes/Validation topology ...... 97 MLX1 ...... 97 MLX2 ...... 101 MLX3 ...... 104 SLX1 ...... 107 SLX2 ...... 112 SLX3 ...... 116
4 Extreme MPLS-based IXP Solution 9035424-01
Figures
Figure 1 IXP infrastructure ...... 10 Figure 2 IXP reference architecture ...... 11 Figure 3 Network topology ...... 15 Figure 4 IGP topology example ...... 16 Figure 5 AC - Attachment Circuit ...... 23 Figure 6 MLX AC MCT ...... 26 Figure 7 SLX AC MCT ...... 30 Figure 8 IXP PW – pseudo wire example ...... 35 Figure 9 VPLS topology ...... 47 Figure 10 VPLS load balancing ...... 57 Figure 11 IXP MLPA ...... 91 Figure 12 IXP BPA ...... 92 Figure 13 IXP dual homing ...... 92 Figure 14 IXP double tagging ...... 93 Figure 15 IXP PE mesh ...... 94 Figure 16 IXP with P routers ...... 94 Figure 17 Network topology details ...... 97
5 Extreme MPLS-based IXP Solution 9035424-01
Preface
Extreme Validated Designs Helping customers consider, select, and deploy network solutions for current and planned needs is our mission. Extreme Validated Designs offer a fast track to success by accelerating that process.
Validated designs are repeatable reference network architectures that have been engineered and tested to address specific use cases and deployment scenarios. They document systematic steps and best practices that help administrators, architects, and engineers plan, design, and deploy physical and virtual network technologies. Leveraging these validated network architectures accelerates deployment speed, increases reliability and predictability, and reduces risk.
Extreme Validated Designs incorporate network and security principles and technologies across the ecosystem of service provider, data center, campus, and wireless networks. Each Extreme Validated Design provides a standardized network architecture for a specific use case, incorporating technologies and feature sets across Extreme products and partner offerings.
All Extreme Validated Designs follow best-practice recommendations and allow for customer-specific network architecture variations that deliver additional benefits. The variations are documented and supported to provide ongoing value, and all Extreme Validated Designs are continuously maintained to ensure that every design remains supported as new products and software versions are introduced.
By accelerating time-to-value, reducing risk, and offering the freedom to incorporate creative, supported variations, these validated network architectures provide a tremendous value-add for building and growing a flexible network infrastructure.
Purpose of This Document This Extreme validated design provides guidance for designing and implementing IXP (Internet Exchange Provider) network using Extreme hardware and software. The design practices documented here follow the best-practice recommendations, but there are variations to the design that are supported as well.
Target Audience This document is written for Extreme systems engineers, partners, and customers who design, implement, and support IXP. It assumes that the reader has a good understanding of IP/MPLS routing and L2 switching features.
About the Authors Tomasz Kalkowski: Principal Software Engineer
Special thanks to Steve Austin for valuable comments and suggestions.
Document History
Date Part Number Description March 2018 9035424 Initial release.
April 2018 9035424-01 Rebranded to Extreme Networks.
6 Extreme MPLS-based IXP Solution 9035424-01
About Extreme Networks Extreme Networks® (NASDAQ: EXTR) networking solutions help the world’s leading organizations transition smoothly to a world where applications and information reside anywhere. This vision is designed to deliver key business benefits such as unmatched simplicity, non-stop networking, application optimization, and investment protection.
Innovative Ethernet and storage networking solutions for data center, campus, and service provider networks help reduce complexity and cost while enabling virtualization and cloud computing to increase business agility.
To help ensure a complete solution, Extreme Networks partners with world-class IT companies and provides comprehensive education, support, and professional services offerings. (www.ExtremeNetworks.com)
7 Extreme MPLS-based IXP Solution 9035424-01
Introduction
An IXP (Internet Exchange Point) is a crucial part of the Internet, providing physical switching and routing infrastructure through which internet providers connect their networks and exchange traffic. By connecting their networks using IXP instead of direct peering, internet providers benefit from having a single connection to exchange traffic with multiple partners, reducing cost and infrastructure needs.
This Extreme validated design document is about building such IXPs using MPLS transport. It provides information about the design and implementation of the exchange points using Extreme platforms based on NetIron and SLX-OS operating systems. The configuration examples provided are fully validated and should be viewed as an Extreme best practices for building IXPs.
This document covers IXP overall architecture, services overview and validated case studies. The main focus is the implementation and maintenance of the forwarding part of the IXP using L2VPN VPLS/VLL tunneling architecture. In order to keep the document focused on the MPLS-based solution, some sections provide a high-level overview of the features used in IXP networks; the reader should refer to the official documentation for more details and options.
In this document, red text boxes contain configuration examples, green contain available options, and blue contain show commands that are useful to verify and debug configured features.
This document and the examples it contains are based on the NetIron 6.0.00e (used on MLX-e platform) and SLX-OS 17r.1.01a (used on ExtremeRouting SLX 9850 devices) releases. For the latest available release please refer to the Extreme
Terminology
Term Description AC Attachment Circuit ARP Address Resolution Protocol. AS Autonomous System. ASN Autonomous System Number. BGP Border Gateway Protocol. BLPA Bilateral Peering Agreement eBGP External Border Gateway Protocol.
ECMP Equal Cost Multi -Path. iBGP Internal Border Gateway Protocol.
IP Internet Protocol. IXP Internet Exchange Point LIF Logical Interface MCT Multi Chassis Trunk MLPA Multilateral Peering Agreement PW Pseudo wire VLAN Virtual Local Area Network. VPLS Virtual Private Lan Service VLL Virtual Leased Line
8 Extreme MPLS-based IXP Solution 9035424-01
IXP exchange network design
IXP exchange A formal definition of an Internet Exchange Point (IXP) is provided by the Euro-IX association, and can be found at: https://euro-ix.net/ixps/what-is- ixp/.
IXPs are a key infrastructure within the Internet to allow for high quality exchange of IP traffic between connected members. The most common deployment model is in the form of an Ethernet Exchange, i.e. one or more ASs connected to an IXP exchange routing information and Internet traffic via IXP L2 tunneling infrastructure.
eBGP is the only routing protocol that customers use and are allowed to use to exchange reachability information amongst each other across the IXP. Following the exchange of prefixes via eBGP is the exchange of traffic as a result of applied routing policy and the BGP best path selection algorithm. IXP can be part of the control plane BGP prefixes exchange, or it can just provide connectivity between providers and not be part of the exchange. Network providers can exchange traffic through BLPA (Bilateral Peering Agreement) and/or MLPA (Multilateral Peering Agreement):
• MLPA (Multilateral Peering Agreement) - Shared L2 domain where multiple participants can exchange traffic with each other. Usually participants peer a BGP Route Server, which is part of IXP to avoid full mesh peering between all participants.
• BPA (Bilateral Peering Agreement) - Point-to-point L2 domain between two IXP participants.
For MLPA, IXP provides Route Server infrastructure, which reflects BGP routes to all connected providers. Route Servers used to reflect routes between participants are technically and hierarchically no different from any other router connected to the IXP, with the following exceptions:
• Even though the Route Server does need a dedicated BGP-AS to peer with interested members, it does not include its own AS in updates it sends to the peers.
• Typically, complex BGP-community models are in place to allow for the implementation of routing policy, i.e. more granular control over what routes are being exchanged between two peers.
• Following standard eBGP-procedures, Route Server does not modify the BGP-next-hop attribute, so as the prefixes between two members are exchanged indirectly via the Route Server, the actual traffic flows directly between the routers originating the prefixes.
Since many IXPs use the Route Server to simplify the exchange of BGP prefixes between service providers, it is critical to achieve high availability of such servers. Typical scenario includes two or more identical Route Server instances based on the same or different implementations.
In order to operate the IXP platform, additional services are required, such as a customer portal to provide information including, but not limited to, statistics, mailing lists, technical information, maintenance and self-service (e.g. change of the own peering router’s MAC-address). Those services are typically run by the IXP on servers in their own AS behind a dedicated peering router, that are technically identical to all other members’ routers.
Though operating the IXP at L2 provides a clear demarcation to the members and simplifies operations in many ways, it also means that IXP operators need to provide a scalable, resilient, flexible architecture applicable to arbitrary topologies – today predominantly MPLS L2VPNs – and also secure the edge of their platform against known issues specific to L2, such as network loops, broadcast/unknown unicast storms and ARP spoofing. This is achieved by a combination of ingress and egress security policy applied on each member port that reflects the services connected to and the data exchanged across the platform. Main IXP building blocks are presented below.
9 Extreme MPLS-based IXP Solution 9035424-01
Figure 1 IXP infrastructure
The customer’s CE device can connect directly to an IXP’s PE or through a partner (CIX – Commercial Internet Exchange) who provides the L2 connectivity between the customer and IXP infrastructure. If the customer connects directly to IXP network, the typical connection is tagged with 802.1Q VLANs. When the connection occurs though a partner, the most common connection scenario is using double tagging or 802.1ad, also known as “QinQ”.
10 Extreme MPLS-based IXP Solution 9035424-01
IXP reference architecture As described in the network design section, the main objective of the Ethernet exchange IXP is to tunnel L2 traffic between different Autonomous Systems. Figure 2 shows the main components of the end-to-end traffic tunneling.
Figure 2 IXP reference architecture
Attachment circuits (AC) The Attachment Circuit is the connection between customer edge device (CE) and IXP provider edge router (PE). It can be a physical Ethernet port, a logical Ethernet port, port-channel or some other type of protocol able to carry customer L2 frames. Currently Extreme NetIron and SLX-OS based devices support Ethernet interfaces with untagged/tagged/double tagged traffic from the customer edge devices. In addition, ACs can use LACP based port-channel interfaces (LAG/Port Channel).
Pseudo-wires (PW) Pseudo-wire is an emulation of the various types of services over a packet network. The most common service carried by the PW in IXP is the L2 Ethernet connection. It can emulate P2P connection for VLL (Virtual Leased Line) service or p2mp using VPLS (Virtual Private LAN Service). For VPLS, multiple PWs might be needed to connect PEs in a full mesh topology. Different types of tunnels can be used to build PW.
Tunnels Transport tunnels are setup between PE devices in the packet network and are used to build PWs. Different packet technologies can be used for tunnel setup, for example MPLS, GRE, L2TP, VXLAN or IPsec tunnels. This document will focus on the MPLS based tunnels as this is currently the most common way of providing IXP services.
11 Extreme MPLS-based IXP Solution 9035424-01
IXP Design Requirements IXP solutions need to cover a wide range of requirements. Some of the most important aspects of the typical IXP network design are described below. More detailed explanation of the requirements are covered in the subsequent sections of this document.
Customer Edge Customers are connected to the IXP PE routers using ACs (Attachment Circuits) that forward L2 frames. Tagged, double tagged and untagged frames are used. Traffic received from the ACs is usually filtered/rate limited. Customer can be single or dual homed for redundancy purpose.
Backbone The IXP backbone consists of PE and P routers. Smaller providers usually prefer to have a mesh of PE devices; bigger networks add dedicated P devices in the core, connecting attached PE routers. Reachability between all backbone devices is established using L3 IGP protocols like OSPF/IS-IS. Customer traffic is forwarded through the backbone using P2P or P2MP L2 tunneling technologies like VPLS/VLL. Other tunneling technologies, such as VXLAN or GRE tunnels, are possible, but they are out of scope for this document.
High Availability One of the most important aspect of the IXP networks is the ability to maintain continuous operation without traffic loss. There are several components of high availably:
• Optical redundancy – widely used on IXP space, for both the connection between PE and CE devices and for routes within the IXP networks between P/PE devices. This topic is outside the scope of this document.
• Interface redundancy – having multiple links between the devices.
• Hardware redundancy – using redundant modules and chassis with no single point of failure
• Control plane redundancy – using Active-Active control protocols such MCT/MLAG for CPE connections, and LSP load balancing internally within the IXP network
• GR (Graceful restart)/NSR (Non Stop Routing) – preventing traffic loss during control plane failure.
Load Balancing Load balancing is used to increase bandwidth of the links connecting two devices, and to provide link redundancy in case of partial link failure. There are multiple levels of load balancing in the core of the IXP network:
• LAG/port channel load balancing
• MPLS LSP based on LDP/RSVP TE load balancing
Rate Limiting and traffic policing The purpose of rate limiting is to control the amount of traffic sent to or received from the customer network. Rate limiting features can be configured as:
• L2 port/VLAN/bridge domain base rate limiting: limits amount of bandwidth used by the physical port or LAG/port-channel interface
• BUM (Broadcast, Unicast, Unknown Unicast), also referred to as storm control: limits the amount of unnecessary BUM traffic
12 Extreme MPLS-based IXP Solution 9035424-01
Security IXP networks should be protected from malicious traffic and unauthorized access to the network. PE routers implement a set of features controlling traffic received from the client devices. They can be grouped as follows:
• Access control lists (ACL) to permit or deny traffic based on set of predefined rules. Traffic can be matched against source or destination MAC address (L2 ACL), ether types or various IP packet fields like IP source/destination address, TCP/UDP port etc.
• Port MAC security (SLX-OS) allows control of the MAC table by allowing only predefined number of MAC addresses to be learned by the forwarding table.
• ARP guard (NetIron) - The ARP guard feature uses ACL-like, CLI parameters (which include VLAN ID, source MAC address and source IP address) to build a table of allowed IP addresses on the link on which this feature is enabled.
• Management security. User accounts and passwords to login to the system. This includes user’s access levels to the device as well as AAA (Authentication, Authorization and Accounting) using locally stored as well as remote servers.
Manageability Network management covers a wide area of features used to administer and manage network devices. The following features are needed in order to use IXP networks effectively:
• Device management – used to configure and verify various aspects of the IXP devices. The common protocols used for device management are CLI/NETCONF/SNMP
• Device access (Telnet/SSH) – used to login to the device remotely
• File transfer protocols (SCP/SFTP/FTP/TFTP)
• NTP (Network Time Protocol) – used to synchronize clocks between network devices
Monitoring
• Statistics – to verify control and data plane behavior
• Sflow (sampled flow) – to provide continuous traffic statistics. Packets with the samples are sent to an external device for analysis.
• Logging – to log events happening on the device. It can be stored locally or sent to an external Syslog server
• OAM (Operation and Maintenance)
13 Extreme MPLS-based IXP Solution 9035424-01
IXP implementation
This section presents a detailed description of the IXP network implementation, including all necessary features using MLX and SLX platforms running NetIron and SLX-OS respectively. It includes the configuration steps, options, and the show commands used to verify the behavior of the features.
The following steps are needed to configure IXP services:
• Enable core routing connectivity
Configure one of the IGP protocols (OSPF or IS-IS)
• Configure AC (Attachment Circuit)
AC can be physical or based on logical interface. SLX supports physical Ethernet ports or port-channels. For the MLX, physical Ethernet ports are available as well as LAGs.
• Configure PW (pseudo-wire)
PW can be built using tunnels based on RSVP-TE or LDP protocol with physical or bundle interfaces (LAG/port-channel).
• Configure VPLS/VLL instance
This step is to configure VPLS/VLL service using previously defined PW and ACs
• Configure rate limiting on the AC interfaces
Rate limiting is used to limit the amount of traffic allowed on the AC.
• Configure security features (ACL, port mac security)
This feature is used to prevent receiving traffic from unauthorized customers.
• Configure management features
Used for access, configuration and maintenance of the devices
• Configure monitoring services
This step allows providers to get information about the network status.
Note: For the SLX-OS based platforms ensure that the TCAM profile is set to Layer 2 optimized by using the hardware configuration “profile tcam layer2-optimised-1” command.
All examples used in this document will be based on the topology shown below. It consists of a mix of MLX and SLX boxes in the core network, with real and simulated CE devices connected to it.
14 Extreme MPLS-based IXP Solution 9035424-01
Figure 3 Network topology
Routing To achieve reachability in the core network, IGP protocols have to be configured. Currently, both NetIron and SLX-OS support OSPF and IS-IS IGPs. The main configuration CLIs for both protocols are shown below. Detailed implementation and features used by the IXP providers can vary based on the needs and scale.
IXP IGP recommended settings:
- Single area/level
- Configure IP router-id
- Use of the point-to-point interfaces to avoid an DR and backup DR election on the directly connected links
- Configure authentication (MD5 preferred)
- Use NSR – Non Stop Routing (preferable) or GR – Graceful Restart (default) for minimal traffic outage during control plane failures. The choice depends on specific network design. GR requires all the neighboring routers to support it. For NSR, the device needs redundant MMs but its advantage is that the neighbor routers are not aware of the control plane being down during transition to standby MM.
- Enable Bidirectional Forwarding Detection (BFD) for fast convergence and to detect unidirectional link issues, which can lead to blackholing of traffic.
- Enable event logging
The main configuration blocks needed to run the basic IGP services are shown below. For more detailed information please refer to “SLX-OS Layer 3 configuration guide” and “Netiron Routing Configuration Guide”.
15 Extreme MPLS-based IXP Solution 9035424-01
OSPF The following example shows OSPF basic configuration between two routers connected via LAG/Port-channel interface. Enabled features:
- MD5 authentication
- BFD (Bidirectional Forwarding Detection)
- NSR - NSR and GR are mutually exclusive (for SLX-OS, since GR is enabled by default it must be explicitly disabled before configuring NSR)
- auto-cost reference-bandwidth so that 1, 10, 100gig links are costed appropriately by default
Figure 4 IGP topology example
16 Extreme MPLS-based IXP Solution 9035424-01
NetIron/SLX-OS OSPF configuration commands:
MLX1 OSPF SLX3 OSPF
lag "MLX1-SLX3" dynamic id 15 vlan 15 ports ethernet 1/1 ethernet 1/4 router-interface Ve 15 primary-port 1/1 ! deploy ip router-id 10.10.10.5 ! ! vlan 15 router ospf tagged ethe 1/1 ethe 1/4 log adjancency router-interface ve 15 area 0 ! auto-cost reference-bandwidth 1000000 ip router-id 10.10.10.1 no graceful-restart ! nonstop-routing router ospf bfd area 0 Enables vfd on all int. ! bfd all-interfaces interface Loopback 1 auto-cost reference-bandwidth 10000000 ip ospf area 0 nonstop-routing ip address 10.10.10.5/32 log adjacency no shutdown ! ! interface loopback 1 interface Ve 15 ip ospf area 0 ip ospf area 0 ip address 10.10.10.1/32 ip ospf md5-authentication key-id 22 key !
17 Extreme MPLS-based IXP Solution 9035424-01
MLX NetIron OSPF show commands:
MLX1#sho ip ospf neighbor router-id 10.10.10.5
Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt v15 172.16.15.1 1 FULL/DR 172.16.15.5 10.10.10.5 5 66 0
telnet@MLX1#sho ip ospf interface ve 15
ve 15 admin up, oper up, ospf enabled, state up IP Address 172.16.15.1, Area 0 BFD is enabled Database Filter: Not Configured State BDR, Pri 1, Cost 1, Options ------E-, Type broadcast Events 3 Timers(sec): Transmit 1, Retrans 5, Hello 10, Dead 40 DR: Router ID 10.10.10.5 Interface Address 172.16.15.5 BDR: Router ID 10.10.10.1 Interface Address 172.16.15.1 Packets Received Packets Sent Hello 475 440 Database 3 4 LSA Req 0 0 LSA Upd 29 23 LSA Ack 14 29 Packet Errors: None Neighbor Count = 1, Adjacent Neighbor Count= 1 Neighbor: 172.16.15.5 [id 10.10.10.5] (DR) Authentication-Key: None MD5 Authentication: Key ********, Key-Id 22, Auth-change-wait-time 300 LDP-SYNC: Disabled, State: -
MLX1#sho ip ospf config Router OSPF: Enabled
Nonstop Routing: Enabled Graceful Restart: Disabled Graceful Restart Helper: Enabled Graceful Restart Time: 120 Graceful Restart Notify Time: 0
Redistribution: Disabled Default OSPF Metric: 10 OSPF Auto-cost Reference Bandwidth: Disabled Default Passive Interface: Disabled OSPF Redistribution Metric: Type2
OSPF External LSA Limit: 14447047
OSPF Database Overflow Interval: 0
RFC 1583 Compatibility: Disabled
Router id: 10.10.10.1 BFD: Enabled BFD HoldoverInterval: 0 Interface State Change Trap: Enabled Virtual Interface State Change Trap: Enabled Neighbor State Change Trap: Enabled Virtual Neighbor State Change Trap: Enabled Interface Configuration Error Trap: Enabled Virtual Interface Configuration Error Trap: Enabled Interface Authentication Failure Trap: Enabled Virtual Interface Authentication Failure Trap: Enabled Interface Receive Bad Packet Trap: Enabled Virtual Interface Receive Bad Packet Trap: Enabled Interface Retransmit Packet Trap: Disabled Virtual Interface Retransmit Packet Trap: Disabled Originate LSA Trap: Disabled Originate MaxAge LSA Trap: Disabled Link State Database Overflow Trap: Disabled Link State Database Approaching Overflow Trap: Disabled
OSPF Area currently defined: Area-ID Area-Type Cost Prefix List In Prefix List Out 0 normal 0
18 Extreme MPLS-based IXP Solution 9035424-01
MLX1#sho bfd BFD State: ENABLED Version: 1 Use PBIF Assist: Y SH setup delay 180 MH setup delay 0 Current Registered Protocols: isis/0 ospf/0 All Sessions: Current: 1 Maximum Allowed: 250 Maximum Exceeded Count: 0 Maximum TX/RX Sessions Allowed on LP: 80 Maximum Session Exceeded Count for LPs: 0 LP Tx/Rx Sessions LP Tx/Rx Sessions LP Tx/Rx Sessions LP Tx/Rx Sessions 1 1/1 2 0/0 3 0/0 4 0/0 5 0/0 6 0/0 7 0/0 8 0/0 BFD Enabled ports count: 1 Port MinTx MinRx Mult Sessions ve 15 200 200 3 1
MLX1#sho bfd neighbor Total Entries:1 R:RXRemote(Y:Yes/N:No)H:Hop(S:Single/M:Multi) NeighborAddress State Interface Holddown Interval R/H 172.16.15.5 UP ve 15 600000 200000 Y/S
SLX OSPF show commands:
SLX3# show ip ospf neighbor router-id 10.10.10.1
Port Address Pri State Neigh Address Neigh ID Ev Opt Cnt Ve 15 172.16.15.5 1 FULL/BDR 172.16.15.1 10.10.10.1 5 66 0
SLX3# show ip ospf interface ve 15
Ve 15 admin up, oper up IP Address 172.16.15.5, Area 0 BFD is enabled Database Filter: Not Configured State DR, Pri 1, Cost 1, Options ------E-, Type broadcast Events 47 Timers(sec): Transmit 1, Retrans 5, Hello 10, Dead 40 DR: Router ID 10.10.10.5 Interface Address 172.16.15.5 BDR: Router ID 10.10.10.1 Interface Address 172.16.15.1 Neighbor Count = 1, Adjacent Neighbor Count= 1 Neighbor: 172.16.15.1 [id 10.10.10.1] (BDR) Authentication-Key: None MD5 Authentication: Key ********, Key-Id 22 , Auth-change-wait-time 300 LDP-SYNC: Disabled, State: -
SLX3# sho ip ospf OSPF Version Version 2 Router Id 10.10.10.5 ASBR Status No ABR Status No (0) Redistribute Ext Routes from Initial SPF schedule delay 0 (msecs) Minimum hold time for SPFs 0 (msecs) Maximum hold time for SPFs 0 (msecs) External LSA Counter 0 External LSA Checksum Sum 0 Originate New LSA Counter 166 Rx New LSA Counter 13451 External LSA Limit 14913080 Administrative Distance - External Routes: 110 - Intra Area Routes: 110 - Inter Area Routes: 110 Database Overflow Interval 0 Database Overflow State : NOT OVERFLOWED RFC 1583 Compatibility : Disabled NSSA Translator: Enabled Nonstop Routing: Enabled Graceful Restart Disabled Graceful Restart Helper Enabled Graceful Restart Time 120 BFD Enabled BFD HoldoverInterval 0 LDP-SYNC: Not globally enabled Interfaces with LDP-SYNC enabled: None
19 Extreme MPLS-based IXP Solution 9035424-01
SLX BFD
SLX3# sho bfd BFD State: ENABLED, Version: 1 Supported Protocols: isis, tunnel, ospf, ospf6 All Sessions: Current: 2 Max Allowed: 250 Max Exceeded Count: 0 Agent Sessions: Max Allowed on LC: 200 Max Exceeded Count for LCs: 0
Port MinTx MinRx Mult Sessions ======ve15 200 200 3 1 ve35 200 200 3 1
SLX3# show bfd neighbors Flags: * indicates State is inconsistent across the cluster OurAddr NeighAddr State Int ======172.16.15.5 172.16.15.1 UP ve15
IS-IS The following example shows IS-IS configuration and show commands with the following features enabled:
- MD5 authentication
- NSR - NSR and GR are mutually exclusive so GR has to be disabled
- BFD
The same 2 routers (MLX1 and SLX3) that were used for the OSPF case are used for the following example.
20 Extreme MPLS-based IXP Solution 9035424-01
MLX1 ISIS SLX3 ISIS
lag "MLX1-SLX3" dynamic id 15 vlan 15 ports ethernet 1/1 ethernet 1/4 router-interface Ve 15 primary-port 1/1 ! deploy ip router-id 10.10.10.5 ! ! vlan 15 router isis tagged ethe 1/1 ethe 1/4 net 49.0001.0100.1001.0005.00 router-interface ve 15 auth-mode md5 level-1 ! auth-key level-1
MLX NetIron IS-IS show commands
MLX1#sho isis neighbor Total number of IS-IS Neighbors: 1 System Id Interface SNPA State Holdtime Type Pri StateChgeTime Protocol SLX3 ve 15 768e.f808.0001 UP 15 ISL1 64 0 :1 :52:59 ISIS
21 Extreme MPLS-based IXP Solution 9035424-01
MLX1#sho isis IS-IS Routing Protocol Operation State: Enabled IS-Type: Level-1 System ID: 0100.1001.0001 Manual area address(es): 49.0001 Level-1-2 Database State: On Administrative Distance: 115 Maximum Paths: 4 Default redistribution metric: 0 Default link metric for level-1: 0 (conf)/ 10 (adv) Default link metric for level-2: 0 (conf)/ 10 (adv) Protocol Routes redistributed into IS-IS: None Number of Routes redistributed into IS-IS: 0 Level-1 Auth-mode: MD5 Level-1 Auth-key: "$UyEtLStzVUA=" Level-2 Auth-mode: None Metric Style Supported for Level-1: Narrow Metric Style Supported for Level-2: Narrow Graceful-Restart Helper support enabled IS-IS Partial SPF Optimizations: Enabled Timers: L1 SPF: Max-wait 5s Init-wait 5000ms Second-wait 5000ms L2 SPF: Max-wait 5s Init-wait 5000ms Second-wait 5000ms L1 SPF is not scheduled L2 SPF is not scheduled PSPF: Max-wait 5000ms Init-wait 2000ms Second-wait 5000ms PSPF is not scheduled LSP: max-lifetime 1200s, refresh-interval 900s, gen-interval 10s retransmit-interval 5s, lsp-interval 33ms SNP: csnp-interval 10s, psnp-interval 2s Global Hello Padding : Enabled Global Hello Padding For Point to Point Circuits: Enabled Ptpt Three Way HandShake Mechanism: Enabled BGP Ipv4 Converged: FALSE, Ipv6 Converged: FALSE IS-IS Traffic Engineering Support: Disabled No ISIS Shortcuts Configured BFD: Enabled, BFD HoldoverInterval: 0 NSR: Enabled NSR State: Normal Standby MP: Inactive Sync State: Enabled LDP-SYNC: Not globally enabled Interfaces with IPv4 IS-IS configured: ve 15 loopback 1 Interfaces with LDP-SYNC enabled:
SLX IS-IS show commands
SLX3# show isis neighbors Total number of IS-IS Neighbors: 1 System Id Interface SNPA State Holdtime Type Pri StateChgeTime Protocol MLX1 Ve 15 0024.38a6.7f00 UP 30 ISL1 64 0 :1 :55:27 ISIS
22 Extreme MPLS-based IXP Solution 9035424-01
SLX3# sho isis IS-IS Routing Protocol Operation State: Enabled IS-Type: Level-1 System Id: 0100.1001.0005 Manual area address(es): 49.0001 Level-1-2 Database State: On Administrative Distance 115 Maximum Paths 8 Default redistribution metric 0 Default link metric for level-1 0 (conf)/ 10 (adv) Default link metric for level-2 0 (conf)/ 10 (adv) Protocol Routes Redistributed into IS-IS: None Number of Routes Redistributed into IS-IS: 0 Level-1 Auth-mode: MD5 Level-1 Auth-key: $UyEtLStzVUA= Level-2 Auth-mode: None Metric Style Supported for Level-1: Narrow Metric Style Supported for Level-2: Narrow Graceful-Restart Helper Support: Enabled ISIS Partial SPF Optimizations: Enabled Timers: L1 SPF: Max-wait 5s Init-wait 5000ms Second-wait 5000ms L2 SPF: Max-wait 5s Init-wait 5000ms Second-wait 5000ms L1 SPF is not scheduled L2 SPF is not scheduled PSPF: Max-wait 5000ms Init-wait 2000ms Second-wait 5000ms PSPF is not scheduled LSP: max-lifetime 1200s refresh-interval 900s gen-interval 10s retransmit-interval 5s, lsp-interval 33ms SNP: csnp-interval 10s psnp-interval 2s Global Hello Padding: Enabled Global Hello Padding For Point to Point Circuits: Enabled Ptpt Three Way HandShake Mechanism: Enabled BGP Ipv4 Converged: False BGP Ipv6 Converged: False IS-IS Traffic Engineering Support: Disabled No ISIS Shortcuts Configured BFD: Enabled, BFD HoldoverInterval: 0 NSR: Enabled LDP-SYNC: Not Globally Enabled
Attachment Circuit (AC) Attachment circuits connect IXP edge routers with the customer equipment (CE). Examples of configuring AC interfaces with CE is shown for MLX1 and SLX1 routers below.
Figure 5 AC - Attachment Circuit
23 Extreme MPLS-based IXP Solution 9035424-01
Switching (802.1q, QinQ, Tag manipulation) L2 traffic received from the CE can be single (802.1q), double tagged (802.1ad – QinQ) or untagged. In the following configuration, vlan 100, 101 and 102 accept tagged, double tagged and untagged traffic respectively. In addition to physical interfaces both platforms allow LAG/port-channel interfaces to be used as ACs.
MLX1 SLX1
lag "lag-client-CE1" dynamic id 10 interface Ethernet 1/2 ports ethernet 1/5 switchport primary-port 1/5 switchport mode trunk deploy switchport trunk trunk-no-default-native ! sflow enable interface ethernet 1/2 no shutdown Single tag enable logical-interface ethernet 1/2.100 ! vlan 100 interface ethernet 1/5 ! enable logical-interface ethernet 1/2.101 ! vlan 101 inner-vlan 111 Double tag router mpls ! ! logical-interface ethernet 1/2.102 vpls 100 100 untagged vlan 102 Untagged vpls-peer 10.10.10.3 load-balance ! vlan 100 Single tag ! tagged ethe 1/2 interface Ethernet 1/1 vlan 101 inner-vlan 111 channel-group 10 mode active type standard tagged ethe 1/2 Double tag lacp timeout long vlan 102 no shutdown untagged ethe 1/2 ! Port channel interface ! Untagged interface Port-channel 10 vpls 10 10 switchport vpls-peer 10.10.10.3 10.10.10.4 switchport mode trunk-no-default-native vlan 10 no shutdown tagged ethe 1/5 logical-interface port-channel 10.10 vlan 10 ! LAG interface bridge-domain 100 p2mp vc-id 100 peer 10.10.10.1 logical-interface ethernet 1/2.102 logical-interface ethernet 1/2.101 logical-interface ethernet 1/2.100 pw-profile default bpdu-drop-enable local-switching
24 Extreme MPLS-based IXP Solution 9035424-01
MLX and SLX AC related show commands
MLX1#sho mpls vpls id 100 VPLS 100, Id 100, Max mac entries: 8192 Total vlans: 3, Tagged ports: 1 (1 Up), Untagged ports 1 (1 Up) IFL-ID: 4096 Vlan 100 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 101 inner-vlan 111 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 102 L2 Protocol: NONE Untagged: ethe 1/2 VC-Mode: Raw Total VPLS peers: 3 (3 Operational) Peer address: 10.10.10.2, State: Operational, Uptime: 21 sec Tnnl in use: tnl0(2048)[RSVP] Peer Index:0 Local VC lbl: 983048, Remote VC lbl: 983044 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.3, State: Operational, Uptime: 5 hr 3 min Tnnl in use: tnl1(2050)[RSVP] Peer Index:1 Local VC lbl: 983049, Remote VC lbl: 983046 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.4, State: Operational, Uptime: 4 hr 51 min Tnnl in use: tnl2(2280)[RSVP] Peer Index:2 Local VC lbl: 983050, Remote VC lbl: 983043 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) CPU-Protection: OFF Local Switching: Enabled Extended Counter: ON Multicast Snooping: Disabled
SLX1# show bridge-domain 100 Bridge-domain 100 ------Bridge-domain Type: MP, VC-ID: 100 MCT Enabled: FALSE Description: Number of configured end-points: 6, Number of Active end-points: 6 VE if-indx: 0, Local switching: TRUE, bpdu-drop-enable: TRUE MAC Withdrawal: Disabled PW-profile: default, mac-limit: 0 VLAN: 0, Tagged ports: 0(0 up), Un-tagged ports: 1 (1 up) Tagged Ports: Un-tagged Ports: eth1/2.102 VLAN: 100, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.100 Un-tagged Ports: VLAN: 101, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.101 Un-tagged Ports: Total VPLS peers: 3 (3 Operational):
VC id: 100, Peer address: 10.10.10.1, State: Operational, uptime: 5 hr 6 min 20 sec Load-balance: False, Cos Enabled: False, Tunnel cnt: 1 rsvp SLX1-MLX1 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983046, Remote VC lbl: 983049, Local VC MTU: 1500, Remote VC MTU: 9190, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active ….
25 Extreme MPLS-based IXP Solution 9035424-01
Attachment Circuit MCT (Multi-Chassis Trunking) Multi Chassis Trunking (MCT) in the IXP environment allows an MCT client (CE router) to be connected to multiple MCT peers (PE devices) which appear as one logical chassis via standard LAG/Port Channel interfaces. It provides PE redundancy and allows for L2 multipath. This feature is supported by both NetIron and SLX-OS in the context of VPLS/VLL, although the implementation is different for both platforms.
SLX-OS implementation uses BGP EVPN protocol to send control traffic between the MCT peers. It is based on the Multiprotocol-BGP (MP-BGP) EVPN extension, as specified in RFC 7432. For NetIron, Cluster Communication Protocol (CCP) – a proprietary protocol – is used to send control information between MCT peers. In both implementations, a direct link can be configured between the peers, but it is not necessary, as the control path can be established using P routers.
For more information about MCT, please refer to “Extreme SLX-OS layer 2 Configuration Guide” and “Extreme NetIron Switching Configuration Guide”. Below examples are focused on the basic MCT functionality for VPLS/VLL.
AC MCT for MLX VPLS
Figure 6 MLX AC MCT
MCT VPLS related configuration for MLX1, MLX2 is presented below, followed by show commands. CE device need to be configured with the standard LACP based LAG.
26 Extreme MPLS-based IXP Solution 9035424-01
MLX1 MCT LAG towards core MLX2 MCT LAG towards CE1
lag "MLX1-MLX3" dynamic id 16 lag "lag-client-CE1" dynamic id 10 ports ethernet 1/3 ethernet 1/6 ports ethernet 1/1 primary-port 1/3 primary-port 1/1 LAG towards CE1 deploy deploy ! ! lag "lag-client-CE1" dynamic id 10 vlan 26 ports ethernet 1/5 tagged ethe 1/4 primary-port 1/5 router-interface ve 26 deploy ! ! ip router-id 10.10.10.2 vlan 16 ! tagged ethe 1/3 ethe 1/6 interface loopback 1 router-interface ve 16 ip ospf area 0 ! ip address 10.10.10.2/32 Towards core ip router-id 10.10.10.1 ! ! interface ethernet 1/4 interface loopback 1 enable ip ospf area 0 ! ip address 10.10.10.1/32 interface ve 26 ! ip ospf area 0 interface ve 16 ip ospf network point-to-point ip ospf area 0 ip address 172.16.26.2/28 ip ospf network point-to-point ! ip address 172.16.16.1/28 router mpls ! router mpls policy traffic-eng ospf policy traffic-eng ospf mpls-interface ve26
mpls-interface ve16 lsp MLX2-SLX1 to 10.10.10.3 lsp MLX1-SLX1 tunnel-interface 23 to 10.10.10.3 enable tunnel-interface 13 enable vpls 10 10 cluster-peer 10.10.10.1 vpls 10 10 vpls-peer 10.10.10.3 cluster-peer 10.10.10.2 vlan 10 vpls-peer 10.10.10.3 tagged ethe 1/1 vlan 10 ! tagged ethe 1/5 cluster "C1" 1 ! rbridge-id 102 cluster "C1" 1 l2vpn-peer 10.10.10.1 rbridge-id 101 rbridge-id 101 deploy l2vpn-peer 10.10.10.2 rbridge-id 102 client "CE1-vlan10" deploy rbridge-id 10 client "CE1-vlan10" client-interface ethernet 1/1 rbridge-id 10 deploy client-interface ethernet 1/5 deploy
27 Extreme MPLS-based IXP Solution 9035424-01
MLX MCT related show commands
CER1#sho lag Total number of LAGs : 1, 100/40g : 0 Total number of deployed LAGs : 1, 100/40g : 0 Total number of trunks created : 1 (63 available), 100/40g : 0 (0 available) LACP System Priority / ID :1 / 748e.f8a6.36c1 LACP Long timeout :90, default: 90 LACP Short timeout :3, default: 3
=== LAG "MCT-lag" ID 1 (dynamic Deployed) === LAG Configuration: Ports: e 2/2 to 2/3 Port Count: 2 Primary Port: 2/2 Trunk Type: hash-based forward_all_protocol: Disabled LACP Key: 100
Deployment: Trunk ID 1, Active Primary 2/2, base fid: 0x0000
Port Link Port-State Dupl Speed Trunk Tag Priori MAC Name Type 2/2 Up Forward Full 10G 1 Yes level0 748e.f8a6.36c1 default-port 2/3 Up Forward Full 10G 1 Yes level0 748e.f8a6.36c1 default-port
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope] 2/2 1 1 100 Yes L Agg Syn Col Dis No No Ope 2/3 1 1 100 Yes L Agg Syn Col Dis No No Ope
MLX1#sho cluster
Cluster C1 1 ======Rbridge Id: 101, Session Vlan: 0 Cluster State: Deploy Client Isolation Mode: Loose Configured Member Vlan Range: Active Member Vlan Range: Total Clients Configured : 1 ( Deployed Clients: 1)
L2VPN Peer Info: ------Peer IP: 10.10.10.2, Peer Rbridge Id: 102 KeepAlive Interval: 300 , Hold Time: 900 Node KeepAlive Interval: 2000 , Hold Time: 6000 l2vpn-revertible-timer 300 Peer State: CCP Up (Up Time: 5 days:20 hr:17 min:43 sec)
Client Info: ------Name Rbridge-id Config Port Trunk FSM-State CE1-vlan10 10 Deployed 1/5 10 Up
MLX1#sho cluster ccp peer
Cluster Name : C1 Cluster ID: 1 PEER IP ADDRESS STATE UP TIME ------10.10.10.2 OPERATIONAL 5 days:20 hr:17 min:53 sec
MLX1#sho mpls vpls Num Num Ports Num Peers CPU VC Name Id Vlans Ports Up Peers Up IFL-ID Prot Mode ======10 10 1 1 1 3 3 n/a OFF RAW 100 100 3 1 1 3 2 4096 OFF RAW
28 Extreme MPLS-based IXP Solution 9035424-01
MLX1#sho mpls vpls id 10 VPLS 10, Id 10, Max mac entries: 8192 Total vlans: 1, Tagged ports: 1 (1 Up), Untagged ports 0 (0 Up) IFL-ID: n/a Vlan 10 L2 Protocol: NONE Tagged: ethe 1/5 VC-Mode: Raw Total VPLS peers: 3 (3 Operational) Cluster-Peer address: 10.10.10.2, State: Operational, Uptime: 140 hr 9 min Tnnl in use: tnl0(2389)[RSVP] Peer Index:0 Local VC lbl: 983049, Remote VC lbl: 983042 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.3, State: Operational, Uptime: 138 hr 34 min Tnnl in use: tnl1(2406)[RSVP] Peer Index:1 Local VC lbl: 983053, Remote VC lbl: 983046 Local VC MTU: 9190, Remote VC MTU: 1500 Local PW preferential Status:Active, Remote PW preferential Status:Active Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.4, State: Operational, Uptime: 140 hr 9 min Tnnl in use: tnl2(2390)[RSVP] Peer Index:2 Local VC lbl: 983051, Remote VC lbl: 983040 Local VC MTU: 9190, Remote VC MTU: 1500 Local PW preferential Status:Active, Remote PW preferential Status:Standby Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) CPU-Protection: OFF Local Switching: Enabled Extended Counter: ON Multicast Snooping: Disabled Cluster-peer: enabled, Role:Active State: VPLS_MCT_STATE_OPER VRRP MCT-Vpls Aware: Disable
29 Extreme MPLS-based IXP Solution 9035424-01
AC MCT for SLX VPLS
Figure 7 SLX AC MCT
MCT related configuration for SLX1, SLX2 is presented below, followed by show commands.
Configuration comments:
• With MCT configuration, the peer IP configured under the cluster must patch the MCT peer’s router-id.
• peer-interface
• Auto LSP can be created via directly connected interface or through P routers. Auto LSP is supported for RSVP only (no LDP support at this point).
• peer
• CE device need to be configured with the standard LACP based LAG.
30 Extreme MPLS-based IXP Solution 9035424-01
SLX1 MCT SLX2 MCT ! ! vlan 36 vlan 46 router-interface Ve 36 router-interface Ve 46 ! ! ip router-id 10.10.10.3 ip router-id 10.10.10.4 ! ! router bgp router bgp local-as 100 local-as 100 neighbor 10.10.10.4 remote-as 100 neighbor 10.10.10.3 remote-as 100 neighbor 10.10.10.4 update-source loopback 1 neighbor 10.10.10.3 update-source loopback 1 address-family ipv4 unicast address-family ipv4 unicast ! ! address-family l2vpn evpn address-family l2vpn evpn neighbor 10.10.10.4 encapsulation mpls neighbor 10.10.10.3 encapsulation mpls neighbor 10.10.10.4 activate neighbor 10.10.10.3 activate ! ! interface Loopback 1 interface Loopback 1 ip address 10.10.10.3/32 ip address 10.10.10.4/32 no shutdown no shutdown ! ! interface Ve 36 interface Ve 46 ip ospf area 0 ip ospf area 0 ip ospf network point-to-point ip ospf network point-to-point ip address 172.16.36.3/28 ip address 172.16.46.4/28 no shutdown no shutdown ! ! interface Ethernet 1/1 interface Ethernet 3/8:1 channel-group 10 mode active type standard channel-group 10 mode active type standard lacp timeout long lacp timeout long no shutdown no shutdown ! PC towards CE2 ! PC towards CE2 interface Port-channel 10 interface Port-channel 10 switchport switchport switchport mode trunk-no-default-native switchport mode trunk-no-default-native no shutdown no shutdown logical-interface port-channel 10.10 logical-interface port-channel 10.10 vlan 10 vlan 10 ! PC towards core ! PC towards core interface Port-channel 36 interface Port-channel 46 switchport switchport switchport mode trunk-no-default-native switchport mode trunk-no-default-native switchport trunk allowed vlan add 36 switchport trunk allowed vlan add 46 no shutdown no shutdown ! ! bridge-domain 10 p2mp bridge-domain 10 p2mp vc-id 10 vc-id 10 peer 10.10.10.1 peer 10.10.10.1 peer 10.10.10.2 peer 10.10.10.2 logical-interface port-channel 10.10 logical-interface port-channel 10.10 pw-profile default pw-profile default local-switching local-switching ! ! cluster C1 1 cluster C1 1 member bridge-domain add 10 member bridge-domain add 10 peer-interface Ve 36 peer-interface Ve 46 peer 10.10.10.4 peer 10.10.10.3 client-isolation strict client-isolation strict deploy deploy client CE2-vlan10 10 client CE2-vlan10 10 client-interface Port-channel 10 client-interface Port-channel 10 esi a:a:1:1 esi a:a:1:1 deploy deploy ! ! client-pw client-pw esi 01:02:03:04 esi 01:02:03:04 deploy deploy ! ! router mpls router mpls mpls-interface ve 36 mpls-interface ve 46 RSVP LSP to MCT peer ! RSVP LSP to MCT peer ! lsp SLX1-SLX2 lsp SLX2-SLX1 to 10.10.10.4 to 10.10.10.3 enable enable 31 Extreme MPLS-based IXP Solution 9035424-01
SLX MCT related show commands
CER2#sho lag Total number of LAGs : 1, 100/40g : 0 Total number of deployed LAGs : 1, 100/40g : 0 Total number of trunks created : 1 (63 available), 100/40g : 0 (0 available) LACP System Priority / ID :1 / 748e.f8a6.31c1 LACP Long timeout :90, default: 90 LACP Short timeout :3, default: 3
=== LAG "MCT-lag" ID 1 (dynamic Deployed) === LAG Configuration: Ports: e 2/1 e 2/4 Port Count: 2 Primary Port: 2/1 Trunk Type: hash-based forward_all_protocol: Disabled LACP Key: 100
Deployment: Trunk ID 1, Active Primary 2/4, base fid: 0x0000
Port Link Port-State Dupl Speed Trunk Tag Priori MAC Name Type 2/1 Up Forward Full 10G 1 Yes level0 748e.f8a6.31c1 default-port 2/4 Up Forward Full 10G 1 Yes level0 748e.f8a6.31c1 default-port
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope] 2/1 1 1 100 Yes L Agg Syn Col Dis No No Ope 2/4 1 1 100 Yes L Agg Syn Col Dis No No Ope
SLX1# show cluster member bridge-domain BD-ID Mcast-label(Lo/Re) Unicast-label(Lo/Re) Forwarding state ------10 821258/ 821258 804874/ 0 Up
SLX1# sho cluster 1 Cluster C1 1 ======Cluster State: Deployed Client Isolation Mode: Strict Configured Member Vlan Range: Active Member Vlan Range: Configured Member BD Range: 10 Active Member BD Range: 10 No. of Peers: 1 No. of Clients: 2
Peer Info: ======Peer IP: 10.10.10.4, State: Up Peer Interface: Vlan 36
Client Info: ======Name Id ESI Interface Local/Remote State ------CE2-vlan10 10 a:a:1:1:0:0:0:0:0 Port-channel 10 Up / Up Client-PW 34816 1:2:3:4:0:0:0:0:0 PW Up / Up
32 Extreme MPLS-based IXP Solution 9035424-01
SLX1# sho bridge-domain 10 Bridge-domain 10 ------Bridge-domain Type: MP, VC-ID: 10 MCT Enabled: TRUE Description: Number of configured end-points: 4, Number of Active end-points: 3 VE if-indx: 0, Local switching: TRUE, bpdu-drop-enable: TRUE MAC Withdrawal: Disabled PW-profile: default, mac-limit: 0 VLAN: 10, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: po10.10 Un-tagged Ports: Total VPLS peers: 2 (2 Operational):
VC id: 10, Peer address: 10.10.10.1, State: Operational, uptime: 12 min 48 sec Load-balance: False, Cos Enabled: False, Tunnel cnt: 1 rsvp SLX1-MLX1 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983049, Remote VC lbl: 983053, Local VC MTU: 1500, Remote VC MTU: 9190, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active
VC id: 10, Peer address: 10.10.10.2, State: Operational, uptime: 12 min 48 sec Load-balance: False, Cos Enabled: False, Tunnel cnt: 1 rsvp SLX1-MLX2 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983048, Remote VC lbl: 983043, Local VC MTU: 1500, Remote VC MTU: 1500, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Standby
SLX1# show port-channel 10 LACP Aggregator: Po 10 Aggregator type: Standard Admin Key: 3010 - Oper Key 3010 Partner System ID - 0x0001,74-8e-f8-a6-31-c1 Partner Oper Key 0100 Number of Ports: 1 Member ports: Link: Eth 1/1 (0xC202000) sync: 1 *
SLX1# show bgp evpn summary BGP4 Summary Router ID: 10.10.10.3 Local AS Number: 100 Confederation Identifier: not configured Confederation Peers: Maximum Number of IP ECMP Paths Supported for Load Sharing: 1 Number of Neighbors Configured: 1, UP: 1 Number of Routes Installed: 0 Number of Routes Advertising to All Neighbors: 0 (0 entries) Number of Attribute Entries Installed: 0 '+': Data in InQueue '>': Data in OutQueue '-': Clearing '*': Update Policy 'c': Group change 'p': Group change Pending 'r': Restarting 's': Stale '^': Up before Restart '<': EOR waiting Neighbor Address AS# State Time Rt:Accepted Filtered Sent ToSend 10.10.10.4 100 ESTAB 2d23h0m 0 0 0 0
33 Extreme MPLS-based IXP Solution 9035424-01
MCT auto LSP show commands
SLX1# sho mpls lsp Note: LSPs marked with * are taking a Secondary Path LSP To Admin Oper Tunnel Up/Dn Retry Active Name Address State State Intf Times Num Path MCT_10.10.10.4_ 10.10.10.4 UP UP tnl5 1 0 -- 1207959588
SLX1# sho mpls lsp name MCT_10.10.10.4_1207959588 LSP MCT_10.10.10.4_1207959588, to 10.10.10.4 From: 10.10.10.3, admin: UP, status: UP, tunnel interface(primary path): tnl5 Times primary LSP goes up since enabled: 1 Metric: 0 Primary path: None, up: yes, active: yes Maximum retries: None, no. of retries: 0 Setup priority: 7, hold priority: 0 Max rate: 0 kbps, mean rate: 0 kbps, max burst: 0 bytes Soft preemption enabled: no CSPF-computation-mode configured: te-metric(global) Constraint-based routing enabled: no Path calculated using constraint-based routing: no Path calculated using interface constraint: no Recorded routes: Protection codes/Rtr Id flags: P: Local N: Node B: Bandwidth I: InUse R: RtrId 172.16.36.6 -> 172.16.46.4 Active Path: Tunnel interface: tnl5, outbound interface: Ve 36 Tunnel index: 5, Tunnel instance: 1, Out label: 2063
SLX1# show mpls rsvp session Codes: DI:Ingress Detour DT:Transit Detour DM:Merged Detour DE:Egress Detour BI:Ingress Backup BM: Merged Backup BE:Egress Backup RP:Repaired Session BYI: Bypass Ingress
Total Number of such sessions are: 8
Ingress RSVP: 4 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.1 10.10.10.3 Up FF - 2051 Ve 35 SLX1-MLX1 10.10.10.2 10.10.10.3 Up FF - 2054 Ve 35 SLX1-MLX2 10.10.10.4 10.10.10.3 Up FF - 2052 Ve 35 SLX1-SLX2 10.10.10.4 10.10.10.3 Up FF - 2283 Ve 36 MCT_10.10. 10.4_12079 59588
Egress RSVP: 4 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.3 10.10.10.2 Up FF 3 - - MLX2-SLX1 10.10.10.3 10.10.10.1 Up FF 3 - - MLX1-SLX1 10.10.10.3 10.10.10.4 Up FF 3 - - SLX2-SLX1 10.10.10.3 10.10.10.4 Up FF 3 - - MCT_10.10. 10.3_12079 59598
34 Extreme MPLS-based IXP Solution 9035424-01
Pseudo-wire (PW) Pseudo-wires can be implemented using LDP or RSVP-TE tunnels. Before this step, IGP protocol must be configured to provide IP connectivity between the routers. Basic configuration needed to setup VPLS/VLL PW is shown below. For more detailed information and additional options please refer to the “Extreme SLX-OS Multi-Protocol Label Switching (MPLS) Configuration Guide” and “Extreme NetIron Multiprotocol Label Switching (MPLS) Configuration Guide”.
The following figure shows the details of the PW topology used in the examples below.
Figure 8 IXP PW – pseudo wire example
Create interfaces To create PW, the following interfaces need to be configured:
• Virtual interfaces (ve15/ve35) – this interface is used to directly connect two routers. Both side of the connection are part of the same IP subnet.
• Loopbacks – used to terminate MPLS Tunnels. Loopback interfaces are used as they are always up regardless of the state of the connected interfaces adding stability to the tunnels.
• Link Aggregation Groups LAG (MLX)/Port Channel (SLX) – based on IEEE 802.3ad link aggregation: enables grouping of Ethernet interfaces to form a single link layer interface. Aggregating multiple links between physical interfaces creates a single logical point-to-point trunk link or a LAG
• “default-max-frame-size 9216” is recommended to globally set the frame size
VE and loopback interfaces must be advertised by the IGP protocol. In the example below, they are part of OSPF.
35 Extreme MPLS-based IXP Solution 9035424-01
MLX1 SLX1
lag "MLX1-SLX3" dynamic id 15 vlan 35 ports ethernet 1/1 ethernet 1/4 router-interface Ve 35 primary-port 1/1 ! deploy interface Loopback 1 ! ip ospf area 0 vlan 15 ip address 10.10.10.3/32 tagged ethe 1/1 ethe 1/4 no shutdown router-interface ve 15 ! ! interface Ve 35 interface loopback 1 ip ospf area 0 ip ospf area 0 ip ospf md5-authentication key-id 22 key ip address 10.10.10.1/32
36 Extreme MPLS-based IXP Solution 9035424-01
SLX3
vlan 15 router-interface Ve 15 ! vlan 35 router-interface Ve 35 ! interface Loopback 1 ip ospf area 0 ip address 10.10.10.5/32 no shutdown ! interface Ve 15 ip ospf area 0 ip ospf md5-authentication key-id 22 key
37 Extreme MPLS-based IXP Solution 9035424-01
Show commands MLX:
MLX1#sho lag id 15 Total number of LAGs : 3, 100/40g : 0 Total number of deployed LAGs : 3, 100/40g : 0 Total number of trunks created : 3 (125 available), 100/40g : 0 (8 available) LACP System Priority / ID :1 / 0024.38a6.7f00 LACP Long timeout :90, default: 90 LACP Short timeout :3, default: 3
=== LAG "MLX1-SLX3" ID 15 (dynamic Deployed) === LAG Configuration: Ports: e 1/1 e 1/4 Port Count: 2 Primary Port: 1/1 Trunk Type: hash-based LACP Key: 101
Deployment: Trunk ID 15, Active Primary 1/1, base fid: 0x0810
Port Link Port-State Dupl Speed Trunk Tag Priori MAC Name Type 1/1 Up Forward Full 10G 15 Yes level0 0024.38a6.7f00 default-port 1/4 Up Forward Full 10G 15 Yes level0 0024.38a6.7f00 default-port
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope] 1/1 1 1 101 Yes L Agg Syn Col Dis No No Ope 1/4 1 1 101 Yes L Agg Syn Col Dis No No Ope
MLX1#sho int ve 15 Ve15 is up, line protocol is up Type is Vlan (Vlan Id: 15) Hardware is Virtual Ethernet, address is 0024.38a6.7f00 (bia 0024.38a6.7f00) No port name Vlan id: 15 Internet address is 172.16.15.1/28, IP MTU 1500 bytes, encapsulation ethernet Configured BW 0 kbps
Show commands SLX:
SLX3# show port-channel 35 LACP Aggregator: Po 35 Aggregator type: Standard Admin Key: 0035 - Oper Key 0035 Partner System ID - 0x8000,76-8e-f8-04-e0-00 Partner Oper Key 0035 Number of Ports: 2 Member ports: Link: Eth 3/2 (0xC604100) sync: 1 Link: Eth 3/3 (0xC606100) sync: 1 *
38 Extreme MPLS-based IXP Solution 9035424-01
Configure RSVP-TE LSP The first example of the PW is based on the RSVP-TE tunnel. MPLS enabled interfaces need to be enabled with OSPF traffic engineering LSA (Link State Advertisement) generation. These LSAs, called OSPF-TE LSAs, contain information about MPLS traffic engineering enabled interfaces and their parameters, for example bandwidth reservation, and are flooded throughout the network. For IS-IS, the protocol generates IS-IS Link State Protocol (LSP) data units also containing traffic engineering related information. Like the OSPF-TE LSAs, those IS-IS LSPs are flooded through the network, so each device participating in the RSVP-TE has information about the topology of the entire network stored in the Traffic Engineering database (TED).
Configuring RSVP-TE LSP requires the following steps:
• Specify path (optional) - a path is a list of router hops that specifies a route across an MPLS domain. It is configured separately from LSP and can be used by multiple LSPs. If the LSP is configured without specifying a path, only TED information together with user specified attributes are used by CSPF (Constrained Shortest Path First) to calculate the path.
• Create LSP – Label Switch Path consists of an actual path of MPLS routers through a network (might be configured separately), as well as the characteristics of the path, including bandwidth allocations and routing metrics.
• FRR (Fast Reroute) – this is a protection mechanism to provide fast traffic recovery after link or router failures. The example below shows just simple FRR protection. There are multiple options for FRR configuration but they are not within the scope of this document. For more information please refer to the corresponding MPLS configuration guides.
NetIron and SLX-OS LSP configuration steps are shown below.
MLX1 SLX1
router mpls router mpls policy policy traffic-eng ospf Enabling MPLS on the int traffic-engineering ospf area 0 ingress-tunnel-accounting Enabling MPLS on the int mpls-interface ve15 Path creation (optional) ! mpls-interface ve 35 path MLX1-SLX1 ! Path creation (optional) strict 10.10.10.5 path SLX1-MLX1 strict 10.10.10.3 hop 10.10.10.5 strict hop 10.10.10.1 strict lsp MLX1-SLX1 RSVP-TE LSP definition ! to 10.10.10.3 lsp SLX1 -MLX1 primary MLX1-SLX1 to 10.10.10.1 RSVP-TE LSP definition frr primary-path SLX1-MLX1 tunnel-interface 2 frr enable ! enable
Show commands MLX:
MLX1#sho mpls interface brief Number of MPLS interfaces: 2 Number of LDP enabled MPLS interfaces: 0 Interface AdminGrp Admin Oper MaxBW MaxResvBW BypsLSPcnt LDP_en ve15 0x00000000 Up Up 20000000 20000000 0 NO ve16 0x00000000 Up Up 20000000 20000000 0 NO
39 Extreme MPLS-based IXP Solution 9035424-01
MLX1#sho mpls rsvp interface ve 15 G = Interface is using Global config for Refresh Reduction, Reliable Messaging L = Interface is using Local config for Refresh Reduction, Reliable Messaging D = Refresh Reduction, Reliable Messaging is exclusively disabled on Interface Num of OutSegs Num of Interface State MD5 RelMsg Bundle SRefresh Act/Inact/Resv Preempts/softPrmpt ve15 Up OFF OFF OFF OFF 3/0/0 0/0
MPLS TE flooding thresholds in use Default UP thresholds : 15 30 45 60 75 80 85 90 95 96 97 98 99 100 Default DOWN thresholds : 99 98 97 96 95 90 85 80 75 60 45 30 15
Hello-interval: 0 sec, Hello-tolerance: 0 (Hello Inactive, Global configuration)
Protocol Stats Total Since Last Clear Packet Type Sent Received Sent Received Path 1749 2029 1749 2029 Resv 2023 1751 2023 1751 PathErr 1 0 1 0 RevErr 5 0 5 0 PathTear 2 6 2 6 ResvTear 0 1 0 1 ResvConf 0 0 0 0 Bundle 0 0 0 0 Ack 0 0 0 0 SumRefresh 0 0 0 0 Hello 0 0 0 0
Error Total Since last clear Rcv pkt unknown type 0 0 Rcv MD5 Auth Errors 0 0 Pkt with MsgId drop 0 0 Pkt with SRef drop 0 0 ERR_NACK 0 0
Active BIs: 0 Inactive BIs: 0 Duplicate preempt dropped 0 P2MP Capable : Yes
MLX1#sho mpls ted database 10.10.10.1 This Router is 10.10.10.1 Global Link Gen 59
Area 0 NodeID: 10.10.10.1, Type: Router Type: P2P, To: 10.10.10.5, Local: 172.16.15.1, Remote: 172.16.15.5, Gen 22 Type: P2P, To: 10.10.10.6, Local: 172.16.16.1, Remote: 172.16.16.6, Gen 54
MLX1#sho mpls rsvp sess wide Codes: DI:Ingress Detour DT:Transit Detour DM:Merged Detour DE:Egress Detour BI:Ingress Backup BM: Merged Backup BE:Egress Backup RP:Repaired Session BYI: Bypass Ingress
Total Number of such sessions are: 6
Ingress RSVP: 3 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.2 10.10.10.1 Up FF - 2048 ve15 MLX1-MLX2 10.10.10.3 10.10.10.1(DI) Up SE - 2421 ve16 MLX1-SLX1 10.10.10.3 10.10.10.1 Up SE - 2069 ve15 MLX1-SLX1 10.10.10.4 10.10.10.1 Up FF - 2049 ve15 MLX1-SLX2
Transit RSVP: 0 session(s)
Egress RSVP: 3 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.1 10.10.10.2 Up FF 3 - - MLX2-MLX1 10.10.10.1 10.10.10.3 Up SE 3 - - SLX1-MLX1 10.10.10.1 10.10.10.3(DE) Up SE 3 - - SLX1-MLX1 10.10.10.1 10.10.10.4 Up FF 3 - - SLX2-MLX1
40 Extreme MPLS-based IXP Solution 9035424-01
MLX1#sho mpls rsvp neighbor RSVP neighbors learnt: 2
Address Interface State Last_Change HelloTx/Rx RR/MsgID d:h:m:s Count Support 172.16.15.5 ve15 - - 0/0 N/Y 172.16.16.6 ve16 - - 0/0 N/Y
Show commands SLX:
SLX1# show mpls interface Number of MPLS interfaces: 2 Number of LDP enabled MPLS interfaces: 0 Interface AdminGrp Admin Oper MaxBW MaxResvBW BypsLSPcnt LDP_en Ve 35 0x00000000 Up Up 199999995 199999995 0 NO Ve 36 0x00000000 Up Up 199999995 199999995 0 NO
SLX1# show mpls rsvp interface G = Interface is using Global config for Refresh Reduction, Reliable Messaging L = Interface is using Local config for Refresh Reduction, Reliable Messaging D = Refresh Reduction, Reliable Messaging is exclusively disabled on Interface
Num of OutSegs Num of Interface State MD5 RelMsg Bundle SRefresh Act/Inact/Resv Preempts/softPrmpt Ve 35 Up OFF OFF OFF OFF 3/0/0 0/0 Ve 36 Up OFF OFF OFF OFF 1/1/0 0/0
SLX1# show mpls te database node 10.10.10.3 Node Id: (10.10.10.3), Type: Router P2P Link: From: 10.10.10.3 To: 10.10.10.5, Local: 172.16.35.3, Remote: 172.16.35.5, LSA Id: 16777225, Gen:20079 P2P Link: From: 10.10.10.3 To: 10.10.10.6, Local: 172.16.36.3, Remote: 172.16.36.6, LSA Id: 16777227, Gen:20081
SLX1# show mpls rsvp session wide Codes: DI:Ingress Detour DT:Transit Detour DM:Merged Detour DE:Egress Detour BI:Ingress Backup BM: Merged Backup BE:Egress Backup RP:Repaired Session BYI: Bypass Ingress
Total Number of such sessions are: 8
Ingress RSVP: 4 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.1 10.10.10.3(DI) Up SE - 2423 Ve 36 SLX1-MLX1 10.10.10.1 10.10.10.3 Up SE - 2070 Ve 35 SLX1-MLX1 10.10.10.2 10.10.10.3 Up FF - 2051 Ve 35 SLX1-MLX2 10.10.10.4 10.10.10.3 Up FF - 2412 Ve 36 MCT_10.10.10.4_1207959588 10.10.10.4 10.10.10.3 Up FF - 2052 Ve 35 SLX1-SLX2
Egress RSVP: 4 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.3 10.10.10.2 Up FF 3 - - MLX2-SLX1 10.10.10.3 10.10.10.4 Up FF 3 - - SLX2-SLX1 10.10.10.3 10.10.10.4 Up FF 3 - - MCT_10.10.10.3_1207959598 10.10.10.3 10.10.10.1 Up SE 3 - - MLX1-SLX1 10.10.10.3 10.10.10.1(DE) Up SE 3 - - MLX1-SLX1
SLX1# show mpls rsvp neighbor RSVP neighbors learnt: 2
Address Interface State Last_Change HelloTx/Rx RR/MsgID d:h:m:s Count Support 172.16.35.5 Ve 35 - - -/- N/Y 172.16.36.6 Ve 36 - - -/- N/Y
41 Extreme MPLS-based IXP Solution 9035424-01
Configure MPLS LDP LSP Another option for PW tunnels is MPLS LDP LSP. It is based on dynamically created LSPs using Label Distribution Protocol (LDP). For minimizing control plane outages, GR (Graceful Restart) is supported. LDP GR is based on RFC 3478 (Graceful Restart mechanism for Label Distribution Protocol) and it requires that all neighboring routers support it.
MLX1 SLX1
router mpls router mpls ! ! ldp ldp graceful-restart graceful-restart ! ! mpls-interface ve15 mpls-interface ve 35 ldp-enable Enable LDP per interface ldp-enable Enable LDP on the
! interface
Show commands MLX:
MLX1#sho mpls ldp interface Total number of LDP interfaces : 1 Label-space Nbr Hello Next Interface ID Count Interval Hello ve15 0 1 5 1 sec
MLX1#sho mpls ldp peer Number of LDP peers: 1 Number of LDP peers with operational session: 1
Peer LDP ID State 10.10.10.5:0 Operational
MLX1#sho mpls ldp session Number of link LDP sessions: 1 Number of Operational link LDP sessions: 1 Number of targeted LDP sessions: 0 Number of Operational targeted LDP sessions: 0
Peer LDP ID State Adj Used My Role Max Hold Time Left 10.10.10.5:0 Operational Link Passive 36 30
MLX1#sho mpls ldp neighbor Number of link neighbors: 1 Number of targeted neighbors: 1
Nbr Transport Interface Nbr LDP ID Max Hold Time Left 10.10.10.5 ve15 10.10.10.5:0 15 11 10.10.10.5 (targeted) 10.10.10.5:0 45 36
Show commands SLX:
SLX2# sho mpls ldp interface Total number of LDP interfaces : 1 Nbr Hello Hello Next Interface Count Timeout Interval Hello Ve 35 1 15 5 2
42 Extreme MPLS-based IXP Solution 9035424-01
SLX2# sho mpls ldp peer Number of LDP peers: 1 Number of LDP peers with operational session: 1
Peer LDP ID State 10.10.10.5:0 Operational
SLX2# sho mpls ldp session Number of link LDP sessions: 1 Number of Operational link LDP sessions: 1 Number of targeted LDP sessions: 0 Number of Operational targeted LDP sessions: 0
Peer LDP ID State Adj Used My Role Max Hold Time Left 10.10.10.5:0 Operational Link Active 36 31
SLX2# show mpls ldp neighbor Number of link neighbors: 1 Number of targeted neighbors: 1
Nbr Transport Interface Nbr LDP ID Max Hold Time Left 10.10.10.5 Ve 35 10.10.10.5:0 15 14 10.10.10.5 (targeted) 10.10.10.5:0 45 36
PW load balancing PW Load balancing is used to distribute traffic among all available paths between source and destination. Load balancing can be achieved on multiple levels. This section describes LAG/Port Channel load balancing as well as LDP ECMP. Please refer to VPLS/VLL load balancing section of this document for further load balancing options.
LAG/Port Channel load balancing
The Extreme devices share the traffic load evenly across the ports in LAG group. Hash-based load sharing algorithms are used to distribute traffic. They use various L2 and L3 fields of the forwarding packets to ensure even distribution of the as well as preventing packet reordering. Two types of LAG load sharing are supported:
- Hash Based Load Sharing – each flow is assigned an index, and packets from each flow are sent using the same path. Supported on SLX-OS and NetIron. This type of load balancing is enabled by default.
- Per-Packet Load Sharing – in this case, every packet of every flow is sent to the available LAG port in a round-robin fashion. This option is available in NetIron only. As packet reordering can happen in some situations, this option should not be used for an IXP environment.
For a detailed description of the SLX-OS algorithm, please refer to link aggregation section of “Extreme SLX-OS layer 2 Configuration Guide”. To configure SLX-OS hash options, use “lag hash” CLI.
For NetIron, please refer to Link Aggregation section of “NetIron Switching Configuration Guide”.
MLX NetIron options and show commands:
MLX1(config-lag-MLX1-SLX1)#trunk-type ? hash-based Hash based (default) per-packet Per packet
43 Extreme MPLS-based IXP Solution 9035424-01
MLX1(config)#load-balance ? force-l4-hashing Force the use of L4 headers for trunk/ECMP hash calculations (IPv4/v6) hash-diversify Specify Trunk/ECMP Hash Diversification options hash-rotate Control the rotation of the ECMP hash mask Mask header fields for trunk/ECMP hash calculations speculate-mpls-enet Use L2 header for trunk index calculation (LSR and L2VPN PHP packets) speculate-mpls-ip Use IP header for trunk index calculation (LSR and L3VPN PHP packets) symmetric Symmetric fields for trunk hash calculations
MLX1#sho load-balance 3 Speculate MPLS Ethernet option is enabled on -
All Network Processors
Speculate MPLS IP option is enabled on -
All Network Processors
Force L4 hashing option is enabled on -
No Network Processors
Mask IPv4 options -
Mask Source address is enabled on – ..
SLX-OX hashing configuration example, options and show commands:
lag hash hdr-count 3 lag hash speculate-mpls enable lag hash rotate 12
SLX2(config-Port-channel-16)# load-balance-type ? Possible completions: hash-based Hash based load balancing
SLX2(config)# lag hash ? Possible completions: bos Include/Exclude BOS label hdr-count Number of headers to be considered for LAG hashing hdr-start Define where to start picking headers for the key generation normalize Enable/Disable using the same hash in both directions of a flow pwctrlword Include/Exclude PW control word in hashing rotate Hash Rotate speculate-mpls Enable MPLS speculate or Ethernet/IP srcport Include/Exclude Source port
44 Extreme MPLS-based IXP Solution 9035424-01
SLX2# show port-channel load-balance Header parameters Ethernet Mask: sa-mac da-mac etype vlan ip: src-ip dst-ip protocol src-l4-port dst-l4-port ipv6: ipv6-src-ip ipv6-dst-ip ipv6-next-hdripv6-src-l4-port ipv6-dst-l4-port mpls: label1 label2 label3
Hash Settings hdr-start:FWD, hdr-count:1, bos-start:0, bos-skip:0, skip-cw:0 normalize:0, rotate:3, include_src_port:0, Disable: L2 0, ipv4 0, ipv6 0, mpls 0
mpls_speculate:Enabled
load-balance-type hash-based
LDP ECMP (Equal Cost Multipath)
LDP ECMP enables forwarding traffic across LDP tunnels with multiple paths. Traffic sent over such tunnels is load-balanced based on hash algorithm. The algorithm takes into account the information from the packets such as MAC address, IP address, TCP and UDP ports. LDP ECMP can be done on the transit LSRs (when the router act as a P device) as well on the LER. NetIron supports both; SLX-OS only supports the transit option in the tested 17r.x release.
MLX
router mpls ! ldp load-sharing 8 ! mpls-interface ve16 ldp-enable
mpls-interface ve161 ldp-enable !
SLX-OS MPLS process restart SLX-OS supports MPLS “cold” process restart. After an MPLS process crash, the system does not fail-over to the standby MM, which affects all processes, but restarts just a single MPLS process instead. VPLS and VLL services are disrupted during this time. When the process is restarted, control protocols like LDP or RSVP-TE resend all necessary information only after that will all MPLS services resume. NetIron OS used by MLX does not support this feature.
MPLS process restart can be disabled using “no process-restart mpls” command. This is recommended when LDP GR is used for faster convergence. For the SLX-OS 17.1.x, GR for RSVP protocol is not supported, in this case enabling process restart is recommended. Also, systems with single MM should have the MPLS process restart enabled.
45 Extreme MPLS-based IXP Solution 9035424-01
VPLS/VLL instance - Bridge Domain (SLX)/VPLS/VLL instance (MLX) A VPLS (Virtual Private LAN Service) provides transparent point-to-multipoint (p2mp) L2 service between IXP PE devices. It creates a broadcast domain which is able to emulate Ethernet LAN network. VLL (Virtual Leased Line) provides point-to-point connectivity between two access devices.
SLX-OX introduces the concept of Bridge Domain (BD). It is a broadcast domain containing a set of logical interfaces. It provides the capability to have any-to-any switching, and can contain heterogeneous interfaces types for Switching and L2VPN technologies. Bridge Domain is available in SLX-OS only and is configured on the PE devices.
BD can host various types of interfaces like AC end-points, VPLS as well as VLL end points, and can switch packets between any of these types of endpoints.
Examples of BDM capable services:
• Local VPLS: will only have AC end-points.
• VPLS: will contain AC endpoints and PW’s LIF’s (logical interfaces)
• VLL: one AC end point and one PW end point.
• Local VLL: will have 2 AC end points.
• VX LAN: AC end points and VTEP’s (future releases)
For NetIron, VPLS service setup is part of MPLS configuration. The user creates a VPLS instance by entering VPLS configuration statements on two or more PE routers. The endpoints of a VPLS instance are associated by having the same VPLS Virtual Circuit Identifier (VPLS ID) on each PE router.
Figure 9 VPLS topology
46 Extreme MPLS-based IXP Solution 9035424-01
VPLS instance/bridge domain setup In the following example, VPLS and VLL examples are shown for NetIron and SLX-OS. In the testbed example, VPLS domain spans all 4 PE routers and VLL is configured between MLX1 and SLX1.
For NetIron VPLS-local switching is enabled by default even though its shown in the configuration; for of SLX-OS local-switching is added by default while bridge-domain is created.
MLX1 SLX1
vll 200 200 pw-profile default vll-peer 10.10.10.3 ! vlan 200 pw-profile vll-tag tagged e 1/2 vc-mode tag ! bridge-domain 100 p2mp vpls 100 100 vc-id 100 vpls-peer 10.10.10.2 load-balance peer 10.10.10.1 vlan 100 peer 10.10.10.2 tagged ethe 1/2 peer 10.10.10.4 vlan 101 inner-vlan 111 statistics tagged ethe 1/2 logical-interface ethernet 1/2.102 vlan 102 logical-interface ethernet 1/2.101 untagged ethe 1/2 logical-interface ethernet 1/2.100 pw-profile default bpdu-drop-enable local-switching ! bridge-domain 200 p2p vc-id 200 peer 10.10.10.1 logical-interface ethernet 1/2.200 pw-profile vll-tag
47 Extreme MPLS-based IXP Solution 9035424-01
NetIron VPLS/VLL show commands:
MLX1#sho mpls vll * - Active VLL Peer; U - UP; D - DOWN Vll-Peer Vll-Peer MCT Name VC-ID End-Point (State) (State) state ------200 200 tag vlan 200 e 1/2(U) 10.10.10.3(U)* -- None
MLX1#sho mpls vll det VLL 200, VC-ID 200, VLL-INDEX 1
End-point : tagged vlan 200 e 1/2 End-Point state : Up MCT state : None IFL-ID : -- Local VC type : tag Local VC MTU : 9190 COS : -- Extended Counters: Enabled
Vll-Peer : 10.10.10.3 State : UP Remote VC type : tag Remote VC MTU : 1540 Local label : 851968 Remote label : 851968 Local group-id : 0 Remote group-id: 0 load balance : Not enable Tunnel LSP : MLX1-SLX1 (tnl1) MCT Status TLV : -- LSPs assigned : No LSPs assigned
telnet@MLX1#sho mpls vpls Num Num Ports Num Peers CPU VC Name Id Vlans Ports Up Peers Up IFL-ID Prot Mode ======10 10 1 1 1 3 3 n/a OFF RAW 100 100 3 1 1 3 3 4096 OFF RAW
MLX1#sho mpls vpls id 100 VPLS 100, Id 100, Max mac entries: 8192 Total vlans: 3, Tagged ports: 1 (1 Up), Untagged ports 1 (1 Up) IFL-ID: 4096 Vlan 100 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 101 inner-vlan 111 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 102 L2 Protocol: NONE Untagged: ethe 1/2 VC-Mode: Raw Total VPLS peers: 3 (3 Operational) Peer address: 10.10.10.2, State: Operational, Uptime: 53 min Tnnl in use: tnl0(2048)[RSVP] Peer Index:0 Local VC lbl: 983046, Remote VC lbl: 983051 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.3, State: Operational, Uptime: 35 min Tnnl in use: tnl1(2069)[RSVP] Peer Index:1 Local VC lbl: 983050, Remote VC lbl: 983054 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.4, State: Operational, Uptime: 1 hr 55 min Tnnl in use: tnl2(2049)[RSVP] Peer Index:2 Local VC lbl: 983048, Remote VC lbl: 983054 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) CPU-Protection: OFF Local Switching: Enabled Extended Counter: ON Multicast Snooping: Disabled
48 Extreme MPLS-based IXP Solution 9035424-01
SLX-OS VPLS/VLL show commands:
SLX1# show bridge-domain 200 Bridge-domain 200 ------Bridge-domain Type: P2P, VC-ID: 200 MCT Enabled: FALSE Description: Number of configured end-points: 2, Number of Active end-points: 2 VE if-indx: 0, Local switching: FALSE, bpdu-drop-enable: FALSE MAC Withdrawal: Disabled PW-profile: vll-tag, mac-limit: 0 VLAN: 200, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.200 Un-tagged Ports: Total VLL peers: 1 (1 Operational):
VC id: 200, Peer address: 10.10.10.1, State: Operational, uptime: 35 min 54 sec Load-balance: False, Cos Enabled: False, Tunnel cnt: 1 rsvp SLX1-MLX1 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 851968, Remote VC lbl: 851968, Local VC MTU: 1540, Remote VC MTU: 9190, Local VC-Type: 4, Remote VC-Type: 4 Local PW preferential Status: Active, Remote PW preferential Status: Active
49 Extreme MPLS-based IXP Solution 9035424-01
SLX1# show bridge-domain 100 Bridge-domain 100 ------Bridge-domain Type: MP, VC-ID: 100 MCT Enabled: FALSE Description: Number of configured end-points: 6, Number of Active end-points: 6 VE if-indx: 0, Local switching: TRUE, bpdu-drop-enable: TRUE MAC Withdrawal: Disabled PW-profile: default, mac-limit: 0 VLAN: 0, Tagged ports: 0(0 up), Un-tagged ports: 1 (1 up) Tagged Ports: Un-tagged Ports: eth1/2.102 VLAN: 100, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.100 Un-tagged Ports: VLAN: 101, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.101 Un-tagged Ports: Total VPLS peers: 3 (3 Operational):
VC id: 100, Peer address: 10.10.10.1, State: Operational, uptime: 36 min 12 sec Load-balance: False, Cos Enabled: False, Tunnel cnt: 1 rsvp SLX1-MLX1 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983054, Remote VC lbl: 983050, Local VC MTU: 1500, Remote VC MTU: 9190, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active
VC id: 100, Peer address: 10.10.10.2, State: Operational, uptime: 54 min 33 sec Load-balance: False, Cos Enabled: False, Tunnel cnt: 1 rsvp SLX1-MLX2 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983050, Remote VC lbl: 983052, Local VC MTU: 1500, Remote VC MTU: 1500, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active
VC id: 100, Peer address: 10.10.10.4, State: Operational, uptime: 1 hr 57 min 8 sec Load-balance: False, Cos Enabled: False, Tunnel cnt: 1 rsvp MCT_10.10.10.4_1207959588 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983052, Remote VC lbl: 983055, Local VC MTU: 1500, Remote VC MTU: 1500, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active
Pseudo wire type (VC mode) options When configuring VPLS end point, the user needs to specify correct VC-mode, which needs to be the same on both end of the connections. The following modes are supported:
- Raw (VC-mode 0x5) – When this mode is in effect, the VLAN tag information in the original payload is not carried across the MPLS cloud. In raw mode, the VLAN priority (Class of Service) of the original (incoming) packets is lost once the packets are sent through the cloud.
- Tagged (VC-mode 0x4) - When tagged mode is enabled, the VLAN tag information in the original payload is carried across the MPLS cloud. In VPLS tagged mode, the VLAN priority of the original (incoming) packets is carried across the MPLS cloud to remote peers.
- Raw-pass-through - Using the raw pass through option enables the user to configure the VC mode to interoperate between third party devices. The raw pass through option allows the user to:
• Select the raw-pass-through mode which behaves like a tagged mode when all endpoints are configured as tagged endpoints.
• Select the raw mode, which behaves like an untagged mode when all endpoints are configured as untagged endpoints.
50 Extreme MPLS-based IXP Solution 9035424-01
• Select raw mode when all endpoints are configured as untagged endpoints, even though the peers continue to signal the PW VC -type as raw mode.
By default, NetIron and SLX-OS set the PW VPLS mode to Raw; other modes can be configured as shown below.
NetIron show commands:
MLX1
telnet@Eq-Mlx2(config-mpls-vpls-vlan_100)#vc-mode ? raw-pass-through Set vc-mode to raw-pass-through tagged Set vc-mode to tagged
MLX1
MLX1#sho mpls vpls id 100 VPLS 100, Id 100, Max mac entries: 8192 Total vlans: 3, Tagged ports: 1 (1 Up), Untagged ports 1 (1 Up) IFL-ID: 4096 Vlan 100 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 101 inner-vlan 111 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 102 L2 Protocol: NONE Untagged: ethe 1/2 VC-Mode: Raw Total VPLS peers: 3 (3 Operational) Peer address: 10.10.10.2, State: Operational, Uptime: 47 hr 31 min Tnnl in use: tnl0(2048)[RSVP] Peer Index:0 Local VC lbl: 983048, Remote VC lbl: 983044 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.3, State: Operational, Uptime: 23 hr 0 min Tnnls in use (load balance): Candidate count:1 (only 1st 8 is displayed): tnl1(2065)[RSVP] Peer Index:1 Local VC lbl: 983053, Remote VC lbl: 983063 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.4, State: Operational, Uptime: 52 hr 22 min Tnnl in use: tnl2(2280)[RSVP] Peer Index:2 Local VC lbl: 983050, Remote VC lbl: 983043 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) CPU-Protection: OFF Local Switching: Enabled Extended Counter: ON Multicast Snooping: Disabled
SLX-OS show commands:
SLX
Eq-SLX5(config-pw-profile-test)# vc-mode ? Possible completions: raw Raw Mode raw-passthrough Raw-passthrough Mode tag Tag Mode
51 Extreme MPLS-based IXP Solution 9035424-01
SLX1# show bridge-domain 100 Bridge-domain 100 ------Bridge-domain Type: MP, VC-ID: 100 MCT Enabled: FALSE Description: Number of configured end-points: 6, Number of Active end-points: 6 VE if-indx: 0, Local switching: TRUE, bpdu-drop-enable: TRUE MAC Withdrawal: Disabled PW-profile: default, mac-limit: 0 VLAN: 0, Tagged ports: 0(0 up), Un-tagged ports: 1 (1 up) Tagged Ports: Un-tagged Ports: eth1/2.102 VLAN: 100, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.100 Un-tagged Ports: VLAN: 101, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.101 Un-tagged Ports: Total VPLS peers: 3 (3 Operational):
VC id: 100, Peer address: 10.10.10.1, State: Operational, uptime: 23 hr 2 min 40 sec Load-balance: True, Cos Enabled: False, Tunnel cnt: 1 rsvp SLX1-MLX1 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983063, Remote VC lbl: 983053, Local VC MTU: 1500, Remote VC MTU: 9190, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active ...
Multiple COS based LSPs When multiple LSPs are configured between two VPLS end points, the user can specify which ones will be used first. We use COS values to specify the priority of the particular LSP. Let’s consider the following scenario with 3 LSPs:
- LDP based with cos 0 (default value cannot be changed at this point)
- RSVP-TE with cos 1
- RSVP-TE with cos 2
52 Extreme MPLS-based IXP Solution 9035424-01
MLX1 SLX1
router mpls bridge-domain 100 p2mp vc-id 100 policy peer 10.10.10.1 cos 1 traffic-eng ospf peer 10.10.10.2 peer 10.10.10.4 path MLX1_SLX1 statistics strict 10.10.10.5 logical-interface ethernet 1/2.102 strict 10.10.10.3 logical-interface ethernet 1/2.101 logical-interface ethernet 1/2.100 mpls-interface ve15 pw-profile default ldp-enable bpdu-drop-enable local-switching lsp MLX1_SLX2 ! to 10.10.10.3 router mpls cos 2 policy primary MLX1_SLX1 traffic-engineering ospf area 0 tunnel-interface 1 ! enable mpls-interface ve 35 ldp-enable lsp MLX1_SLX1_2 ! to 10.10.10.3 path SLX1_MLX1 cos 1 hop 10.10.10.5 strict primary MLX1_SLX1 hop 10.10.10.1 strict tunnel-interface 2 ! enable lsp SLX1_MLX1 ! to 10.10.10.1 vpls 100 100 cos 1 primary-path SLX1_MLX1 vpls-peer 10.10.10.2 10.10.10.3 10.10.10.4 cos 2 vlan 100 enable tagged ethe 1/2 ! vlan 101 inner-vlan 111 lsp SLX1_MLX1_2 tagged ethe 1/2 to 10.10.10.1 vlan 102 primary-path SLX1_MLX1 untagged ethe 1/2 cos 1 enable
To select LSP on SLX-OS:
- Configure “peer 10.10.10.1 cos x” under Bridge Domain where x specifies the highest COS value of the LSP tunnel which can be used to send traffic to the peer
- Set the desired COS values for the LSP tunnels
In the presented example, LSP SLX1_MLX1 will be used first, followed by SLX1_MLX1_2. If both RSVP tunnels are unavailable, LDP LSP will be used as a last resort. If we change peer cos value to 1 “peer 10.10.10.1 cos 1” then only SLX2_MLX1_2 will be available, followed by LDP LSP. SLX2_MLX1 will not be considered at all.
For NetIron, the user can optionally specify a Class of Service (CoS) setting for the VPLS instance. When a CoS value is set, the device selects a tunnel LSP that also has the CoS value when one is available. When no tunnel LSP with this CoS value is available, the device selects a tunnel LSP with the highest configured CoS value (although never higher than the CoS setting for the VPLS instance).
In following NetIron example, we have three different signaled paths to the peer end-point (two RSVP based and one LDP).
53 Extreme MPLS-based IXP Solution 9035424-01
MLX1#sho mpls forwarding R: RSVP, L: LDP, S: Static Total number of MPLS forwarding entries: 3 Dest-prefix In-lbl Out-lbl Out-intf Sig Next-hop Type 1 10.10.10.6/32 - 3 ve16 L 172.16.16.6 - 2 10.10.10.6/32 - 3 ve16 R 172.16.16.6 - 3 10.10.10.6/32 - 3 ve16 R 172.16.16.6 -
MLX1# sho mpls rsvp session wide Codes: DI:Ingress Detour DT:Transit Detour DM:Merged Detour DE:Egress Detour BI:Ingress Backup BM: Merged Backup BE:Egress Backup RP:Repaired Session BYI: Bypass Ingress
Total Number of such sessions are: 8
Ingress RSVP: 4 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.2 10.10.10.1 Up FF - 2079 ve15 MLX1-MLX2 10.10.10.3 10.10.10.1 Up FF - 2080 ve15 MLX1-SLX1 10.10.10.3 10.10.10.1 Up FF - 2081 ve15 MLX1-SLX1-2 10.10.10.4 10.10.10.1 Up FF - 2432 ve16 MLX1-SLX2
When “vpls 100 100 cos 2” is configured, the tunnel with cos 2 (MLX1_SLX2) is used.
MLX1#sho mpls vpls id 100 VPLS 100, Id 100, Cos 2, Max mac entries: 8192 Total vlans: 3, Tagged ports: 1 (1 Up), Untagged ports 1 (1 Up) IFL-ID: 4096 Vlan 100 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 101 inner-vlan 111 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 102 L2 Protocol: NONE Untagged: ethe 1/2 VC-Mode: Raw Total VPLS peers: 3 (3 Operational) … Peer address: 10.10.10.3, State: Operational, Uptime: 5 sec Tnnl in use: tnl1(2080)[RSVP] Peer Index:1 Local VC lbl: 983057, Remote VC lbl: 983062 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05)
When “vpls 100 100 cos 1”is configured, tunnel MLX1_SLX2-2 is chosen instead.
telnet@MLX1(config-mpls-vpls-100-vlan-102)#sho mpls vpls id 100 VPLS 100, Id 100, Cos 1, Max mac entries: 8192 Total vlans: 3, Tagged ports: 1 (1 Up), Untagged ports 1 (1 Up) IFL-ID: 4096 Vlan 100 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 101 inner-vlan 111 L2 Protocol: NONE Tagged: ethe 1/2 Vlan 102 L2 Protocol: NONE Untagged: ethe 1/2 VC-Mode: Raw Total VPLS peers: 3 (3 Operational) … Peer address: 10.10.10.3, State: Operational, Uptime: 6 sec Tnnl in use: tnl2(2081)[RSVP] Peer Index:1 Local VC lbl: 983054, Remote VC lbl: 983062 Local VC MTU: 9190, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05)
In the SLX-OS we also have 3 forwarding paths (2 RSVP based and one LDP)
54 Extreme MPLS-based IXP Solution 9035424-01
SLX2# show mpls forwarding R: RSVP, L: LDP, S: Static Total number of MPLS forwarding entries: 3 Dest-prefix In-lbl Out-lbl Out-intf Sig Next-hop Type 1 10.10.10.1/32 - 3 Ve 16 R 172.16.16.1 - 2 10.10.10.1/32 - 3 Ve 16 R 172.16.16.1 - 3 10.10.10.1/32 - 3 Ve 16 L 172.16.16.1 -
When the BD is configured with “peer 10.10.10.1 cos 2” the SLX1_MLX1 tunnel is chosen:
SLX1 # show bridge-domain 100 Bridge-domain 100 ------Bridge-domain Type: MP, VC-ID: 100 MCT Enabled: FALSE Description: Number of configured end-points: 6, Number of Active end-points: 6 VE if-indx: 0, Local switching: TRUE, bpdu-drop-enable: TRUE MAC Withdrawal: Disabled PW-profile: default, mac-limit: 0 VLAN: 0, Tagged ports: 0(0 up), Un-tagged ports: 1 (1 up) Tagged Ports: Un-tagged Ports: eth1/2.102 VLAN: 100, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.100 Un-tagged Ports: VLAN: 101, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.101 Un-tagged Ports: Total VPLS peers: 3 (3 Operational):
VC id: 100, Peer address: 10.10.10.1, State: Operational, uptime: 8 min 12 sec Load-balance: False, Cos Enabled: True, Tunnel cnt: 1 rsvp SLX1-MLX1 (cos_enable:True cos_value:2) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983059, Remote VC lbl: 983056, Local VC MTU: 1500, Remote VC MTU: 9190, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active
After changing peer configuration to “peer 10.10.10.1 cos 1”, the SLX1_MLX1-2 tunnel is preferred:
SLX1# sho bridge-domain 100 Bridge-domain 100 ------Bridge-domain Type: MP, VC-ID: 100 MCT Enabled: FALSE Description: Number of configured end-points: 6, Number of Active end-points: 6 VE if-indx: 0, Local switching: TRUE, bpdu-drop-enable: TRUE MAC Withdrawal: Disabled PW-profile: default, mac-limit: 0 VLAN: 0, Tagged ports: 0(0 up), Un-tagged ports: 1 (1 up) Tagged Ports: Un-tagged Ports: eth1/2.102 VLAN: 100, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.100 Un-tagged Ports: VLAN: 101, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth1/2.101 Un-tagged Ports: Total VPLS peers: 3 (3 Operational):
VC id: 100, Peer address: 10.10.10.1, State: Operational, uptime: 4 sec Load-balance: False, Cos Enabled: True, Tunnel cnt: 1 rsvp SLX1-MLX1-2 (cos_enable:True cos_value:1) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983060, Remote VC lbl: 983056, Local VC MTU: 1500, Remote VC MTU: 9190, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active
55 Extreme MPLS-based IXP Solution 9035424-01
VPLS attributes The following PW attributes can be configured on both MLX and SLX platforms:
- MTU size– specifies the maximum MTU size for a VPLS PW (recommended value is 9190)
- MTU enforcement (SLX-OS only) - Enforce an MTU check during PW signaling
- VC mode (PW VLAN Tag manipulation)
For SLX-OS, configuration of the parameters is done through the pw-profile command. For NetIron, it is part of the VPLS instance. For more information about configuring VPLS parameters please refer to the documentation.
MLX1 SLX1
Enforce mtu check router mpls pw-profile pw_example during PW signalling vpls vlan_100 100 mtu 9190 vc-mode tagged mtu-enforce true vpls-peer 10.10.10.3 vc-mode tag vpls-mtu 9190 ! vlan 100 bridge-domain 100 p2mp tagged ethe 1/2 vc-id 100 vlan 101 inner-vlan 111 peer 10.10.10.1 cos 2 tagged ethe 1/2 logical-interface ethernet 1/2.100 vlan 102 pw-profile pw_example untagged ethe 1/2
VPLS/VLL load balancing In a VPLS/VLL instance, traffic from one peer to another is forwarded over an MPLS LSP. When more than one LSP exists from the device to a remote peer, multiple LSPs can be used to load balance traffic between the end points. This applies only to the unicast traffic as broadcast and unknown unicast traffic is always sent over a single tunnel LSP. In below example there are two paths configured between MLX2 and SLX2 and VPLS is configured to load balance traffic between them using separate LSPs. NetIron supports up to 8 LSPs.SLX-OS supports up to 16 LSPs.
Figure 10 VPLS load balancing
56 Extreme MPLS-based IXP Solution 9035424-01
Two strict MPLS paths using different core router are configured on both sides of VPLS tunnel. These paths are then used to create two LSPs between the VPLS peers.
MLX2 SLX2
router mpls bridge-domain 100 p2mp Load balancing policy vc-id 100 toward VPLS peer traffic-eng ospf peer 10.10.10.1 peer 10.10.10.2 load-balance mpls-interface ve25 peer 10.10.10.3 logical-interface ethernet 3/8:4.100 mpls-interface ve26 pw-profile default bpdu-drop-enable path 2_5_4 local-switching strict 10.10.10.5 ! strict 10.10.10.4 router mpls policy path 2_6_4 traffic-engineering ospf area 0 strict 10.10.10.6 ! strict 10.10.10.4 mpls-interface ve 45 ! lsp MLX2-SLX-254 mpls - interface ve 46 to 10.10.10.4 ! primary 2_5_4 path 4_5_2 tunnel-interface 254 hop 10.10.10.5 strict enable hop 10.10.10.2 strict ! lsp MLX2-SLX-264 path 4_6_2 to 10.10.10.4 hop 10.10.10.6 strict primary 2_6_4 hop 10.10.10.2 strict tunnel-interface 264 ! enable lsp SLX2-MLX2-452 to 10.10.10.2 vpls 100 100 primary - path 4_5_2 vpls-peer 10.10.10.1 10.10.10.3 enable vpls-peer 10.10.10.4 load-balance ! vlan 100 lsp SLX2-MLX2-462 tagged ethe 1/3 Load balancing to 10.10.10.2 toward VPLS peer primary-path 4_6_2
enable
NetIron VPLS load balancing show commands:
MLX2#sho mpls lsp wide Note: LSPs marked with * are taking a Secondary Path Admin Oper Tunnel Up/Dn Retry Active Name To State State Intf Times No. Path MLX2-MLX1 10.10.10.1 UP UP tnl0 8 0 -- MLX2-SLX-254 10.10.10.4 UP UP tnl3 1 0 2_5_4 MLX2-SLX-264 10.10.10.4 UP UP tnl2 1 0 2_6_4 MLX2-SLX1 10.10.10.3 UP UP tnl1 12 0 --
57 Extreme MPLS-based IXP Solution 9035424-01
MLX2#sho mpls rsvp session wide Codes: DI:Ingress Detour DT:Transit Detour DM:Merged Detour DE:Egress Detour BI:Ingress Backup BM: Merged Backup BE:Egress Backup RP:Repaired Session BYI: Bypass Ingress
Total Number of such sessions are: 10
Ingress RSVP: 4 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.1 10.10.10.2 Up FF - 2053 ve25 MLX2-MLX1 10.10.10.3 10.10.10.2 Up FF - 2054 ve25 MLX2-SLX1 10.10.10.4 10.10.10.2 Up FF - 2068 ve25 MLX2-SLX-254 10.10.10.4 10.10.10.2 Up FF - 2420 ve26 MLX2-SLX-264
Transit RSVP: 2 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.4 10.10.10.3 Up FF 2049 2408 ve26 SLX1-SLX2 10.10.10.4 10.10.10.1 Up FF 2048 2407 ve26 MLX1-SLX2
Egress RSVP: 4 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.2 10.10.10.1 Up FF 3 - - MLX1-MLX2 10.10.10.2 10.10.10.3 Up FF 3 - - SLX1-MLX2 10.10.10.2 10.10.10.4 Up FF 3 - - SLX2-MLX2-452 10.10.10.2 10.10.10.4 Up FF 3 - - SLX2-MLX2-462
MLX2# sho mpls vpls id 100 VPLS 100, Id 100, Max mac entries: 2048 Total vlans: 1, Tagged ports: 1 (1 Up), Untagged ports 0 (0 Up) IFL-ID: n/a Vlan 100 L2 Protocol: NONE Tagged: ethe 1/3 VC-Mode: Raw Total VPLS peers: 3 (3 Operational) Peer address: 10.10.10.1, State: Operational, Uptime: 5 min Tnnl in use: tnl0(2053)[RSVP] Peer Index:0 Local VC lbl: 983051, Remote VC lbl: 983046 Local VC MTU: 1500, Remote VC MTU: 9190 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.3, State: Operational, Uptime: 5 min Tnnl in use: tnl1(2054)[RSVP] Peer Index:1 Local VC lbl: 983052, Remote VC lbl: 983050 Local VC MTU: 1500, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) Peer address: 10.10.10.4, State: Operational, Uptime: 5 min Tnnls in use (load balance): Candidate count:2 (only 1st 8 is displayed): tnl3(2068)[RSVP] tnl2(2420)[RSVP] Peer Index:2 Local VC lbl: 983053, Remote VC lbl: 983040 Local VC MTU: 1500, Remote VC MTU: 1500 Local VC-Type: Ethernet(0x05), Remote VC-Type: Ethernet(0x05) CPU-Protection: OFF Local Switching: Enabled Extended Counter: ON Multicast Snooping: Disabled
MLX2#sho mpls forwarding 10.10.10.4 Dest-prefix In-lbl Out-lbl Out-intf Sig Next-hop Type 1 10.10.10.4/32 - 2420 ve26 R 172.16.26.6 - 2 10.10.10.4/32 - 2068 ve25 R 172.16.25.5 -
58 Extreme MPLS-based IXP Solution 9035424-01
SLX-OS VPLS load balancing show commands:
SLX2# show mpls lsp wide Note: LSPs marked with * are taking a Secondary Path LSP To Admin Oper Tunnel Up/Dn Retry Active Name Address State State Intf Times Num Path MCT_10.10.10.3_1207959598 10.10.10.3 UP UP tnl4 14 0 -- SLX2-MLX1 10.10.10.1 UP UP tnl1 1 0 -- SLX2-MLX2-452 10.10.10.2 UP UP tnl8 1 0 4_5_2 SLX2-MLX2-462 10.10.10.2 UP UP tnl9 1 0 4_6_2 SLX2-SLX1 10.10.10.3 UP UP tnl2 16 0 --
SLX2# show mpls rsvp session wide Codes: DI:Ingress Detour DT:Transit Detour DM:Merged Detour DE:Egress Detour BI:Ingress Backup BM: Merged Backup BE:Egress Backup RP:Repaired Session BYI: Bypass Ingress
Total Number of such sessions are: 10
Ingress RSVP: 5 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.1 10.10.10.4 Up FF - 2418 Ve 46 SLX2-MLX1 10.10.10.2 10.10.10.4 Up FF - 2066 Ve 45 SLX2-MLX2-452 10.10.10.2 10.10.10.4 Up FF - 2419 Ve 46 SLX2-MLX2-462 10.10.10.3 10.10.10.4 Up FF - 2062 Ve 45 SLX2-SLX1 10.10.10.3 10.10.10.4 Up FF - 2414 Ve 46 MCT_10.10.10.3_1207959598
Egress RSVP: 5 session(s) To From St Style Lbl_In Lbl_Out Out_If LSPname 10.10.10.4 10.10.10.3 Up FF 3 - - MCT_10.10.10.4_1207959588 10.10.10.4 10.10.10.2 Up FF 3 - - MLX2-SLX-254 10.10.10.4 10.10.10.3 Up FF 3 - - SLX1-SLX2 10.10.10.4 10.10.10.1 Up FF 3 - - MLX1-SLX2 10.10.10.4 10.10.10.2 Up FF 3 - - MLX2-SLX-264
SLX2# show bridge-domain 100 Bridge-domain 100 ------Bridge-domain Type: MP, VC-ID: 100 MCT Enabled: FALSE Description: Number of configured end-points: 4, Number of Active end-points: 4 VE if-indx: 0, Local switching: TRUE, bpdu-drop-enable: TRUE MAC Withdrawal: Disabled PW-profile: default, mac-limit: 0 VLAN: 100, Tagged ports: 1(1 up), Un-tagged ports: 0 (0 up) Tagged Ports: eth3/8:4.100 Un-tagged Ports: Total VPLS peers: 3 (3 Operational):
…
VC id: 100, Peer address: 10.10.10.2, State: Operational, uptime: 6 min 56 sec Load-balance: True, Cos Enabled: False, Tunnel cnt: 2 rsvp SLX2-MLX2-452 (cos_enable:False cos_value:0) rsvp SLX2-MLX2-462 (cos_enable:False cos_value:0) Assigned LSPs count:0 Assigned LSPs: Local VC lbl: 983040, Remote VC lbl: 983053, Local VC MTU: 1500, Remote VC MTU: 1500, Local VC-Type: 5, Remote VC-Type: 5 Local PW preferential Status: Active, Remote PW preferential Status: Active …
SLX2# show mpls forwarding 10.10.10.2 R: RSVP, L: LDP, S: Static Total number of MPLS forwarding entries: 2 Dest-prefix In-lbl Out-lbl Out-intf Sig Next-hop Type 1 10.10.10.2/32 - 2419 Ve 46 R 172.16.46.6 - 2 10.10.10.2/32 - 2066 Ve 45 R 172.16.45.5 -
59 Extreme MPLS-based IXP Solution 9035424-01
Rate limiting on the AC interfaces Rate limiting The Rate limiting feature controls the amount of bandwidth consumed by an individual port. Only one inbound and one outbound policy map can be applied to a port. Control protocols are not rate limited by this feature unless explicitly specified in the NetIron case (see configuration below). For port channel, rate-limiting is applied to each LAG member port.
NetIron allows configuration of port rate limit directly, using policy-map and access-lists. L2 and L3 access-lists rate limiting is supported. Using access- lists allows the user to rate limit traffic that only matches the permitted condition. Deny traffic is not policed unless explicitly configured. In the configuration example below, three rate-limiting options are shown: direct, policy-map based and using access-group. For more information, please refer to “Extreme NetIron QoS and Traffic Management Configuration Guide”
SLX-OX only allows policy based rate limiting. Policed traffic is identified using class-maps. They are applied to policy-maps, and the following rate limiting options are allowed in the context of VPLS/VLL:
- Port based – applied using the default class map, is applicable to all traffic and may be used for ingress and egress service policies.
- ACL based - rate limits the L2 traffic that matches the permit conditions in L2 ACLs. Please refer to L2 ACL FFS for the options available under mac access-list. This option works only with the layer2-optimised-1 TCAM profile.
- Bridge domain based – applies to a specific logical interfaces (LIFs) and can be used for ingress direction only.
Note: SLX-OS VLAN based rate limiting is not supported when bounded to VPLS/VLL endpoint.
Bridge domain and ACL based policies can be configured globally using the “qos service-policy
NetIron rate limit configuration:
- direct rate limiting
interface ethernet 1/2 Average rate enable rate-limit input 99992032 100000 ! Max Burst size
60 Extreme MPLS-based IXP Solution 9035424-01
- policy based rate limiting
policy-map test-rl cir 99992032 cbs 100000 eir 993568 ebs 10000000 excess-dp 2 ! interface ethernet 1/2 enable rate-limit input policy-map test-rl
- access list based rate limiting
Optional, allows to rate limit Optional, ACl denied control packets interface ethernet 1/2 packets are dropped enable rate-limit strict-acl rate-limit input access-group 400 policy-map test-rl include-control ! ! access-list 400 permit 0000.814e.2d3 ffff.ffff.ffff any any etype any !
MLX show commands:
MLX1#show rate-limit interface 1/2
interface e 1/2 rate-limit input policy-map test-rl
MLX1#show policy-map test-rl
policy-map test-rl cir 99992032 bps cbs 100000 bytes eir 993568 bps ebs 10000000 bytes excess-dp 2
MLX1#show rate-limit counters
interface e 1/2 rate-limit input policy-map test-rl Committed Bytes Fwd: 1095437700 Drop: 437838660 bytes Excess(re-marked) Pkt Fwd: 16093840 Total: 1549370200 bytes
61 Extreme MPLS-based IXP Solution 9035424-01
SLX rate limit configuration:
- port based
class-map default ! policy-map policy_class_default class default police cir 100000000 cbs 10000 eir 100000000 ebs 20000 ! interface Ethernet 1/2 service-policy in policy_class_default switchport switchport mode trunk-no-default-native no shutdown logical-interface ethernet 1/2.100 vlan 100
- Bridge domain based
class-map bd-100 match bridge-domain 100 ! policy-map policy_bd100 class bd-100 police cir 100000000 cbs 10000 eir 50000000 ebs 20000 ! interface Ethernet 1/2 service-policy in policy_bd100 switchport switchport mode trunk-no-default-native no shutdown logical-interface ethernet 1/2.100 vlan 100 ! qos service-policy in policy_bd100
62 Extreme MPLS-based IXP Solution 9035424-01
- ACL based ACL based policies bound to VPLS/VLL interfaces need this TCAM profile
hardware profile tcam layer2-optimised-1 ! mac access-list extended mac_acl seq 10 permit any any vlan-tag-format single-tagged vlan 100 count seq 20 permit any any vlan-tag-format double-tagged outer-vlan 101 inner-vlan 111 count seq 30 permit any any vlan-tag-format untagged vlan 1 count ! class-map class_acl match access-group mac_acl ! policy-map policy_acl class class_acl police cir 100000000 cbs 10000 eir 100000000 ebs 20000 ! ! interface Ethernet 1/2 service-policy in policy_acl switchport switchport mode trunk-no-default-native no shutdown logical-interface ethernet 1/2.100 vlan 100 ! logical-interface ethernet 1/2.101 vlan 101 inner-vlan 111 ! logical-interface ethernet 1/2.102 untagged vlan 1
SLX show commands:
SLX1# show policy-map system
Ingress Direction : Policy-Map policy_acl Class class_acl matches 5 packets 336 bytes Police cir 100000000 cbs 10000 Stats: Operational cir:99844000 cbs:10000 eir:0 ebs:0 Conform Byte:336 Exceed Byte:0 Violate Byte:0
SLX1# show policy-map detail policy_acl
Policy-Map policy_acl Class class_acl Police cir 100000000 cbs 10000
Bound To: Eth 1/2(in)
SLX1# show policy-map interface ethernet 1/2
Ingress Direction : Policy-Map policy_acl Class class_acl matches 108695527 packets 13043463240 bytes Police cir 100000000 cbs 10000 Stats: Operational cir:99844000 cbs:10000 eir:0 ebs:0 Conform Byte:13043463240 Exceed Byte:0 Violate Byte:0
63 Extreme MPLS-based IXP Solution 9035424-01
BUM (Broadcast/Unknown Unicast/Multicast) control BUM control feature prevents CPU from being flooded by the broadcast, unknown unicast, and multicast packets. It controls traffic in the ingress direction only. Each traffic rate type can be controlled separately. When the BUM traffic exceeds predefined values, ports can be shutdown automatically or/and a warning log message can be generated. After a port is shut down, it has to be manually un-shut for further operation. The implementation of BUM storm control is very similar in Netiron and SLX-OS, but some options are slightly different.
NetIron – BUM traffic average rate can be configured in bits/sec only. In addition, a maximum burst size (bits) must be set. The Alert option enables log message generation, and has two watermark thresholds: maximum and minimum. Alert messages are generated every time the thresholds are crossed. The “include-control” option in NetIron only allows counting of control packets against the BUM rate (default value is OFF). Another feature protecting against excessive BUM traffic is global CPU BUM limiting. Its configured under vpls-policy and sets the VPLS BUM traffic limits. This feature is available in NetIron only.
SLX-OS – Rate limit can be set in bps or as a percentage of the interface capacity. The “Monitor” option is similar to NetIron, but it has only a single threshold, and a syslog message is generated when the traffic rate crosses it in either direction. Port is shut down if the rate exceeds the limit during the 1st 10s of the sampling window.
For LAG ports, BUM rate limiting needs to be enabled on each LAG member port.
NetIron configuration: Max burst - bits
MLX Max watermark - Average rate - bits/s Port shut time - min bits/s ! interface ethernet 1/2 enable rate-limit input broadcast multicast 97728 10000 include-control shutdown 3 alert 80000 10000 rate-limit input unknown-unicast 97728 10000 alert 80000 10000
router mpls Min watermark – BUM limits in pps bits/s vpls-policy cpu-broadcast-limit 50000 cpu-multicast-limit 50000 cpu-unknown-unicast-limit 50000
NetIron show commands:
MLX1#sho rate-limit interface 1/2 interface e 1/2 rate-limit input unknown-unicast 97728 10000 alert 80000 10000 rate-limit input broadcast multicast 97728 10000 include-control shutdown 3 alert 80000 10000
MLX1#sho rate-limit counters int 1/2 interface e 1/2 rate-limit input unknown-unicast 97728 10000 alert 80000 10000 port: Drop: 3540 bytes rate-limit input broadcast multicast 97728 10000 include-control shutdown 3 alert 80000 10000 port: Drop: 128540 bytes
MLX1#sho rate-limit counters bum-drop interface e 1/2 rate-limit input unknown-unicast 97728 10000 alert 80000 10000 port: Drop: 3540 bytes rate-limit input broadcast multicast 97728 10000 include-control shutdown 3 alert 80000 10000 port: Drop: 128540 bytes
64 Extreme MPLS-based IXP Solution 9035424-01
SLX-OS configuration:
SLX
! interface Ethernet 1/2 switchport switchport mode trunk switchport trunk tag native-vlan storm-control ingress broadcast limit-bps 1000000000 monitor storm-control ingress multicast limit-percent 1 shutdown storm-control ingress unknown-unicast limit-bps 10000000 no shutdown logical-interface ethernet 1/2 vlan 100
SLX-OS show commands:
SLX1(conf-if-eth-1/2)# do show storm-control interface ethernet 1/2 Interface Type Rate (bps) Conformed Violated Total Et 1/2 broadcast 1000000000 0 0 0
Et 1/2 multicast 100000000 23810 128 23938
Et 1/2 unknown-unicast 10000000 0 0 0
65 Extreme MPLS-based IXP Solution 9035424-01
Security features For more detailed information about security features, please refer to “Extreme SLX Security Configuration Guide” and “Extreme NetIron Security Configuration Guide”.
Access lists (ACLs) Access list are security features used to permit or deny traffic entering the network based on specific parameters. Packets or frames are compared with the specified ACL rules, and either forwarded or dropped. ACLs can be used for L2 and L3 (IPv4 or IPv6) traffic. Layer 2 (MAC) ACLs filter traffic based on the MAC header files. Layer 3 ACLs use the IP address of the packets to filter traffic. IXP networks mostly use L2 based ACLs to control customer traffic. L3 ACLs are mainly used for management purposes.
A typical IXP will have an L2 ACL on each AC (Attachment Circuit), which allows only the single customer source MAC address to enter the network. An L2 ACL that permits only the source MAC address plus specific ethertypes of ARP, IPv4, and IPv6 are common. Also, to allow for IPv6 neighbor discovery, an additional entry is needed to permit sending to the 0180.c200.0002 destination MAC address.
Regarding the range of filtering options, there are two types of ACL:
∙ Standard ACLs — Permit or deny traffic according to the source address only.
∙ Extended ACLs — Permit or deny traffic according to source and destination addresses, as well as other parameters. For example, in an extended ACL, you can also filter by one or more of the following:
– Port name or number
– Protocol, for example TCP or UDP
– TCP flags
The following examples focus on the ingress AC (Attachment Circuits) interfaces. L2, L3 ACLs will be shown, followed by examples of the additional options supported on both types of ACLs.
66 Extreme MPLS-based IXP Solution 9035424-01
Layer 2 access list
MLX1 SLX1
interface ethernet 1/1 mac access-list standard test_01 enable seq 100 permit host 0000.1559.10a3 mac access-group test_01 in seq 101 permit host 0000.814e.2d37 ! seq 120 deny host 0000.814e.2d38 router mpls ! ! interface Ethernet 1/2 vpls vlan_100 100 switchport vpls-peer 10.10.10.3 switchport mode trunk-no-default-native vlan 100 mac access-group test_01 in tagged ethe 1/1 no shutdown vlan 101 inner-vlan 200 logical-interface ethernet 1/2.100 tagged ethe 1/1 vlan 100 vlan 102 ! untagged ethe 1/1 logical-interface ethernet 1/2.101 ! vlan 101 inner-vlan 111 acl-policy ! enable-acl-counter logical-interface ethernet 1/2.102 ! untagged vlan 1 ! ! mac access-list test_01 logical-interface ethernet 1/2.200 permit 0000.814e.2d35 ffff.ffff.ffff any any etype any vlan 200 permit 0000.814e.2d39 ffff.ffff.ffff any any etype any ! deny 0010.814e.2d3a ffff.ffff.ffff any any etype any
Show commands MLX:
MLX2#sho access-list l2 test_l2
L2 MAC Access List test_l2 : 2 entries 20: deny 0010.9400.0009 ffff.ffff.ffff any any etype any log 30: permit 0010.9400.0007 ffff.ffff.ffff any any etype any log
Show commands SLX:
SLX2# show access-list mac test_01 int eth 1/56:1 in mac access-list test_01 on Ethernet 1/56:1 at Ingress (From User-ACL) seq 100 permit host 0010.9400.0002 count (Active) seq 110 permit host 0010.9400.0004 count (Active) seq 120 permit host 0010.9400.0006 count (Active)
67 Extreme MPLS-based IXP Solution 9035424-01
Layer 3 access list
NOTE: NetIron - IPv4 and IPv6 inbound ACLs are not supported on VPLS, VLL or VLL-Local endpoints.
SLX ACL statistics
! ip access-list standard test_l3 ACL logs seq 10 permit host 192.85.110.5 count log seq 20 deny any count mirror copy-sflow ! ACL sflow interface Ethernet 1/2 switchport switchport mode trunk-no-default-native ip access-group test_l3_in in ACL mirroring no shutdown logical-interface ethernet 3/1.110 vlan 110 ! logical-interface ethernet 3/1.111 vlan 111 ! !
SLX1# show access-list ip test_l3 in ip access-list test_l3 on Ethernet 3/1 at Ingress (From User-ACL) seq 10 permit host 192.85.110.5 count log copy-sflow (Active) seq 20 deny any count log copy-sflow (Active)
ACL options
ACL Log ACL logs show detailed information about permitted and denied traffic. ACL logs have the following features:
- Supported for all ACL types (MAC, IPv4, and IPv6)
- Supported for incoming network traffic only
- Supported for all user interfaces (but not on management interfaces) on which ACLs can be applied
- May be CPU-intensive
To use the ACL logs feature on the SLX platform, a buffer must first be configured using the “debug access-list-log buffer” command. The following example shows the information about packets permitted and denied by the IPv4 standard access-list attached to the AC interface.
68 Extreme MPLS-based IXP Solution 9035424-01
SLX1# debug access-list-log buffer circular packet-count 200
SLX1# show access-list-log buffer Frames Logged on interface Eth 3/1 : ------Frame Received Time : Mon Apr 24 2017 21:57:35 Ethernet, SrcMAC : 0010.9400.0008, DstMAC: 0010.9400.0007 Tag Protocol ID : 0x8100 Priority : 7 VlanID : 110 Ethtype : 0x800 Internet proto,SrcIP : 192.85.110.5, DstIP: 192.85.110.2 Interface : Eth 3/1 Type of service : 192 Length : 106 Identification : 38426 Fragmentation : 00 0 TTL : 255 protocol : 253 Checksum : 09 c7 Payload type : Unknown
packet(s) repeated : 4 Ingress Permit Logged ------
Frame Received Time : Mon Apr 24 2017 21:57:35 Ethernet, SrcMAC : 0010.9400.000a, DstMAC: 0010.9400.0009 Tag Protocol ID : 0x8100 Priority : 0 VlanID : 111 Ethtype : 0x800 Internet proto,SrcIP : 192.85.111.5, DstIP: 192.85.111.2 Interface : Eth 3/1 Type of service : 192 Length : 106 Identification : 31374 Fragmentation : 00 0 TTL : 255 protocol : 253 Checksum : 95 e0 Payload type : Unknown
packet(s) repeated : 6 Ingress Deny Logged
MLX supports ACL deny logging for L2 inbound ACLs (permit logging does not create any log events). To start using the feature, the ACL must have the log option configured and interface needs to be configured with the ‘enable-deny-logging’.
MLX
! interface ethernet 1/4 enable mac access-group test_l2 in mac access-group enable-deny-logging [hw-drop] ! mac access-list test_l2 deny 0010.9400.0009 ffff.ffff.ffff any any etype any log permit 0010.9400.0007 ffff.ffff.ffff any any etype any !
To reduce CPU load, the hw-drop option can be used: the packet counts for denied traffic will only account for the first packet in each time cycle, and the rest of the packets are dropped in hardware. ACL logging messages are sent to syslog.
MLX# SYSLOG: <14>Apr 27 12:11:28 MLX2 MAC ACL test_l2 denied 1 packets on port 1/4 [SA:0010.9400.0009, DA:0010.9400.000a, Type:IPv4, VLAN:111]
69 Extreme MPLS-based IXP Solution 9035424-01
ACL count SLX-OS
When an access list rule is configured with the ‘count’ option, the user can access statistics for that rule. It shows the number of packets/frames permitted or denied for each rule.
SLX
! ip access-list standard test_l3 seq 10 permit host 192.85.110.5 count log seq 20 deny any count log !
SLX1# show statistics access-list ip test_l3 in ip access-list test_l3 on Ethernet 3/1 at Ingress (From User-ACL) seq 10 permit host 192.85.110.5 count log (26807756 frames) seq 20 deny any count log (26803897 frames)
To enable ACL accounting on the MLX platform, ‘enable-acl-counter’ must be configured in the acl-policy:
MLX
! acl-policy enable-acl-counter !
MLX2#sho access-list accounting ethernet 1/4 in l2
L2 ACL Accounting Information:
Inbound: ACL test_l2 0: deny 0010.9400.0009 ffff.ffff.ffff any any etype any log Hit count: (1 sec) 421986 (1 min) 25338301 (5 min) 126691507 (accum) 249835051 1: permit 0010.9400.0007 ffff.ffff.ffff any any etype any log Hit count: (1 sec) 421986 (1 min) 25338301 (5 min) 126691507 (accum) 249835038
Mirroring ACL-based mirroring creates copies of the packets and sends them to a mirrored port. Mirroring can be enabled only in ACLs that are applied to physical interfaces, and applies only to extended ACLs. In the example below, the ACL applied to the Ethernet 3/1 is mirrored to Ethernet 3/10.
NOTE: MLX – mirroring and copy-sflow can’t be configured at the same time
70 Extreme MPLS-based IXP Solution 9035424-01
MLX L2 ACL
interface ethernet 1/1 ACL mirror enable destination mac access-group test_01 in acl-mirror-port ethernet 1/10 !
mac access-list test_01 permit 0010.9400.0001 ffff.ffff.ffff any any etype any permit 0010.9400.0003 ffff.ffff.ffff any any etype any mirror permit 0010.9400.0005 ffff.ffff.ffff any any etype any permit 0010.9400.0005 ffff.ffff.ffff any any etype any mirror
SLX L3 ACL
! ip access-list extended test_l3_ext seq 10 permit ip host 192.85.110.5 any mirror seq 20 deny ip any any mirror ! interface Ethernet 3/1 switchport switchport mode trunk-no-default-native qos cos-traffic-class all-zero-map ip access-group test_l3_ext in no shutdown logical-interface ethernet 3/1.110 vlan 11 ! logical-interface ethernet 3/1.111 ACL mirror vlan 111 destination ! ! acl-mirror source ethernet 3/1 destination ethernet 3/10
ACL sflow Packets hitting each rule in the ACLs can be sent to an sflow collector. To enable this feature on the SLX-OS platform, each ACL clause must have the “copy-sflow” keyword added to the end.
SLX
! ip access-list standard test_l3 seq 10 permit host 192.85.110.5 copy-sflow seq 20 deny any count copy-sflow !
71 Extreme MPLS-based IXP Solution 9035424-01
SLX1# sho sflow sFlow services are: disabled sFlow null0 sampling: enabled Global default sampling rate: 2048 pkts Global default counter polling interval: 20 secs Collector server address Vrf-Name Sflow datagrams sent ------
ACL based samples collected (permit): 10803733 ACL based samples collected (deny): 7829 VxLAN Visibility samples collected: 0
MLX supports copy-sflow only for the L3 ACLs; since IP inbound ACLs are not supported on VPLS/VLL endpoints, it will not be covered here.
ARP guard In the IXP environment BGP routers from different clients uses arp protocol to resolve IP address of the BGP peers. The ARP guard feature uses an ACL- like parameters to build a table of allowed IP addresses which can send arp packets on the link. Those ARP packets that do not match the entries in the ACL will be dropped and those which match will be forwarded based on normal forwarding routines. For more information about this feature please refer to “Extreme NetIron QoS and Traffic Management”.
MLX1 ! interface ethernet 1/2 enable no route-only mac access-group test_l2 in mac access-group enable-deny-logging arp-guard test_arp_guard log ! arp-guard-access-list test_arp_guard permit any 192.85.110.2 any permit any 192.85.111.2 0010.9400.0007 !
NOTE: ARP-Guard is not supported under route-only interface
SLX1
mac access-list extended mac_acl seq 10 permit any any vlan-tag-format single-tagged vlan 100 count seq 20 permit any any vlan-tag-format double-tagged outer-vlan 101 inner-vlan 111 count seq 30 permit any any vlan-tag-format untagged vlan 1 count ! arp access-list arp_acl permit ip host 192.168.100.3 mac host 0000.1559.10a3 ! interface Ethernet 1/2 switchport switchport mode trunk-no-default-native mac access-group mac_acl in ip arp inspection filter arp_acl no shutdown logical-interface ethernet 1/2.100 vlan 100 !
72 Extreme MPLS-based IXP Solution 9035424-01
MLX1#sho arp-guard statistics eth 1/2 Port Vlan-id Total_Arp_pkts_captured Total_Arp_pkts_forwarded Total_Arp_pkts_dropped 1/2 110 1 1 0 1/2 111 0 0 0
MLX1#sho arp-guard port-bindings all Arp-Guard Port Bindings:
Arp-Guard : test_arp_guard Number of Ports : 1 Ethe 1/2 Log : Enabled Num of violations : Default
SLX1# show access-list mac mac_acl interface ethernet 1/2 in mac access-list mac_acl on Ethernet 1/2 at Ingress (From User-ACL) seq 10 permit any any vlan-tag-format single-tagged vlan 100 count (Active) seq 20 permit any any vlan-tag-format double-tagged outer-vlan 101 inner-vlan 111 count (Active) seq 30 permit any any vlan-tag-format untagged vlan 1 count (Active)
SLX1# show arp access-list arp_acl ARP access list arp_acl permit ip host 192.168.100.3 mac host 0000.1559.10a3
SLX1# show statistics access-list mac mac_acl int eth 1/2 in mac access-list mac_acl on Ethernet 1/2 at Ingress (From User-ACL) seq 10 permit any any vlan-tag-format single-tagged vlan 100 count (9839952701 frames) seq 20 permit any any vlan-tag-format double-tagged outer-vlan 101 inner-vlan 111 count (256 frames) seq 30 permit any any vlan-tag-format untagged vlan 1 count (10 frames)
Port MAC security (SLX-OS) Port MAC security feature allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only packets with source MAC addresses that match these secure addresses. If device receives the packet with unknown source address it’s considered as security violation and the following actions are taken place:
• Raslog message is generated
• Packets with unknown MAC address are dropped (allowing packets from secure addresses) or the interface is shut down for a predefined amount of time
The secure MAC addresses can be specified statically or learned dynamically. A security violation occurs when the maximum limit for the number of secure MAC addresses allowed on the interface is exceeded. There are three types of secure MAC addresses that are used in port MAC security:
• Static MAC address – manually configured using “switchport port-security mac-address’ command
• Dynamic MAC address – secure MAC addresses learned dynamically (up to the configured limit). After port goes down those addresses are deleted.
• Sticky Mac address – dynamically learned addresses which are added automatically as static. Those addresses, similar to the static ones, persist after the port goes down.
Only dynamic and sticky mac addresses are used for checking threshold value of number of mac entries learned. Number of dynamically learned mac + number of Sticky Mac <= Max mac configured on. There is no limit for secure static macs.
This feature is not supported by NetIron on the VPLS interfaces. Secure MAC addresses can be set up manually or they can be learn dynamically. In the example below there is one static MAC configured and one sticky address was added after dynamically learned from incoming traffic. As the max allowable addresses is configured to 1 the next stream with different MAC will be dropped.
73 Extreme MPLS-based IXP Solution 9035424-01
Note: The vlan id display in the running configuration represents the system internal VLAN value, not the packet VLAN. This will be changed in future releases.
SLX
interface Ethernet 1/2 switchport Static MAC addresses switchport mode trunk switchport port-security switchport port-security max 1 8292 is system internal switchport port-security mac-address 0000.00eb.aaaa vlan 100 value of vlan 100 switchport port-security sticky switchport port-security sticky mac-address 0000.1559.10a3 vlan 8292 switchport port-security shutdown-time 1 switchport trunk tag native-vlan mac access-group test_01 in Sticky MAC addresses no shutdown logical-interface ethernet 1/2 vlan 100 ! !
MAC port security options:
SLX2(conf-if-eth-1/56:1)# switchport port-security ? Possible completions:
Show output after number of MAC addresses was exceeded.
SLX1 # do show port-security Secure MaxSecureAddr CurrentAddr StaticSec Violated Action Sticky Port (count) (count) (count) Eth 1/2 1 0 0 No Shutdown Yes
SLX1# do show port-security interface ethernet 1/2 Port Security : Enabled Port Status : Down (Security Violated) Violation Mode : Shutdown Violated : Yes Sticky Enabled : Yes Maximum MAC addresses : 1 Total MAC addresses : 0 Configured MAC addresses : 0 Last violation time : Tue Jan 30 16:44:50 2018 Shutdown time (in Minutes) : 1
SLX1(config)# do show port-security addresses Secure Mac Address Table ------Vlan Mac-address Type Ports 100 0000.00eb.aaaa Secure-Static Eth 1/2 100 0000.1559.10a3 Secure-Sticky Eth 1/2
74 Extreme MPLS-based IXP Solution 9035424-01
Management (user accounts, telnet, SSH, LLDP, SNMP, NTP, Python) This section presents an overview of the available management features. This document will cover high lever options and simple configurations of frequently used manageability options. For more detailed information about management, please refer to the NetIron and SLX-OS management guides.
User Accounts and Passwords NetIron allows the setting of separate telnet and management privilege levels access. Separate passwords have to be set to access those features. By default, there are no telnet restrictions. The User has to set the username/password to restrict telnet access to the CLI of the box.
To restrict the management privilege access (to configure and monitor the device), a user account must be created. Those user accounts can be used to access the console, telnet, ssh, snmp and web management. Accounts are protected by passwords. You can set the password for each of the following management privilege levels:
- Super User level (0) - Allows complete read-and-write access to the system. This is generally for system administrators, and is the only management privilege level that allows you to configure passwords.
- Port Configuration level (4) - Allows read-and-write access for specific ports but not for global (system wide) parameters.
- Read Only level (5) - Allows access to the Privileged EXEC mode and CONFIG mode of the CLI but only with read access.
Each user can have time restrictions for the amount of time the user account and password are valid. External AAA servers such as RADIUS or TACACS+ can be used to further secure the device. For aaa authentication please refer to the security configuration guides.
NetIron configuration example for creating telnet access and different users.
MLX1 Enables local user authentication
! aaa authentication enable default local Telnet password enable telnet password
username User_test privilege 4 password ..... username User_test expires 10 set-time 1516665809 username User_test access-time 10:0:0 to 20:0:0 !
SLX uses role based access control, so, even for telnet, a user and password must be used.. User accounts specify various access restrictions to the device for different users. Each created account contains a username and role. The role describes what commands a particular user can execute after login to the device. There are two default roles:
- Admin – has access to all commands on the device
- User – can execute show commands and subset of operational commands
In addition to the above default settings, user defined roles can be created. Also, each account can have time restrictions, which confines operating the device to a certain time, as well as setting the password expiration time. Each user account is protected by the password. Passwords can be configured with different strength, password encryption, and account lockout policy. Strength of the password depends on the characters used, length of the password as well as max-retry number which describes number of failed access attempts. There are 8 different password encryption levels and encryption is enabled by default. Account lockout disables user access after a configured amount of failed attempts. The password policies and user accounts restrictions apply to local device authentication and authorization only. External AAA servers such as RADIUS or TACACS+ can be used to further secure the device. For the aaa operation please refer to the security configuration guide.
75 Extreme MPLS-based IXP Solution 9035424-01
SLX-OS example of creating custom rules, new account, password policies and alias.
SLX1
role name User_test desc Test user roles ! rule 10 action accept operation read-write role User_test rule 10 command configure rule 11 action accept operation read-write role User_test rule 11 command clear logging rule 12 action accept operation read-write role User_test rule 12 command show ip route ! username User_Test password
Management access (Serial port/Telnet/SSH, web, snmp) Connection to the managed device can be achieved via console port or telnet/SSH protocol using management Ethernet port or the in-band port belonging to either the mgmt-vrf or default-vrf instance. You can use any account login present in the local device database or on a configured authentication, authorization, and accounting (AAA) server for authentication.
The access restrictions are implemented differently between NetIron and SLX-OS (please also refer to “User account and password” sections). Below key differences and high level examples of configuration are shown. For more information please refer to “Extreme NetIron Security Configuration Guide” and “Extreme SLX-OS Security Configuration Guide”.
In the NetIron controlling access to the device using management functions (Telnet, SSH, console port as well as SNMP and Web access) can be restricted using the following methods:
- ACLs
- Allowing from specific IP addresses.
- Allowing access to a specific VLAN.
76 Extreme MPLS-based IXP Solution 9035424-01
NetIron examples of telnet, ssh, web-access and snmp configurations are presented below:
MLX1
! telnet access-group 10 telnet timeout 240 telnet login-timeout 10 telnet login-retries 5 telnet server telnet server enable vlan
! Restricting SNMP access using ACL snmp-server snmp-server community
! ip ssh client 10.21.10.23 Restricting SNMP access to ssh access-group 10 specified IP address ssh vlan 10 ! access-list 10 deny host 10.100.1.1 log access-list 10 permit any log !
SLX-OS uses a different approach to provide secure access to the device. Any account login present in the local device database or on a configured authentication, authorization, and accounting (AAA) server for authentication can be used to access SLX-OS device by console port, telnet or ssh. By default, SSH and Telnet services are associated and started on mgmt-vrf and default-vrf.
For added security management interfaces should be protected using ACL.
SLX-OS example of telnet, ssh, http:
SLX1
! telnet server use-vrf default-vrf telnet server use-vrf mgmt-vrf ! ssh server key rsa 2048 ssh server key ecdsa 256 ssh server key dsa ssh server use-vrf default-vrf ssh server use-vrf mgmt-vrf ! http server use-vrf default-vrf http server use-vrf mgmt-vrf ! interface Management 1 no tcp burstrate ACL protected interface no shutdown ip access-group
77 Extreme MPLS-based IXP Solution 9035424-01
SNMP SNMP (Simple Network Management Protocol) is a set of protocols used to manage network devices. SNMP manager, usually part of the network management system (NMS), is used to monitor and configure devices using messages called PDUs (Protocol Data Units). Every monitored device in the network runs SNMP agent which communicates with the the SNMP manager, and as collects and stores data in the local database, MIB (Management Information Base).
Multiple versions of the protocol are supported: version 1 (SNMPv1), version 2 (SNMPv2) and version 3 (SNMPv3).
- SNMPv1 and SNMPv2 use community strings associated to SNMP groups. The group maps the user to MIB objects called SNMP views. The views restrict the access of the MIB OIDs.
- SNMPv3 provides additional security through authenticated users associated with groups to restrict the access of MIBs for SNMP requests through SNMP views.
Configuration of NetIron and SLX-OS is similar, although there are some differences in implementation. In NetIron all traps are enabled by default, user can disable specific traps if necessary. Also community values are encrypted by default. By configuring “enable password-display” user can see the communities using “show snmp server” command. SLX-OX does not have this capability at this time.
Both operating Systems use views and groups concepts:
- SNMP views are named groups of MIB objects that you can associate with groups to limit access by community strings and users for viewing and modifying the SNMP statistics and system configuration. With SNMP views, you can create or remove the access to a MIB object for inclusion or exclusion from viewing from user access.
- SNMP groups map the SNMP user for SNMPv3 and the community for the SNMPv1 and SNMPv2 to SNMP views.
NetIron SNMP v2 configuration example:
MLX1 SNMPv2 1.3.6.1 SNMP view with the MIB restrictions enable password-display ! snmp-server snmp-server view view_example internet included snmp-server community 2
78 Extreme MPLS-based IXP Solution 9035424-01
NetIron SNMP v3 configuration example:
MLX1 SNMPv3
! snmp-server snmp-server view view_example internet included snmp-server community 2 $U2kyXj1k rw view view_example snmp-server contact "1.2.3.4" no snmp-server enable traps ospf snmp-server location "SJC building" snmp-server trap-source loopback 1 snmp-server host 10.12.193.2 version v3 auth user_v3 snmp-server group SNMPv3_group1 v3 auth read view_example snmp-server user user_v3 SNMPv3_group v3 encrypted auth md5
NetIron SNMP show commands:
MLX2#sho snmp server Status: Enabled Contact: "1.2.3.4" Location: "SJC building" Community(rw): public Max Ifindex per module: 20 Traps Cold start: Enable Link up: Enable Link down: Enable Authentication: Enable Power supply failure: Enable Fan failure: Enable
MLX2#sho snmp user username = user_v3 acl id = 0 group = SNMPv3_group security model = v3 group ipv6 acl name = none authtype = md5 authkey = cb6f9d2ba45114de1557f3981c74cbf4 privtype = none
MLX2#sho snmp group groupname = SNMPv2_group1 security model = v2c security level = none ACL id = 0 IPv6 ACL name:
79 Extreme MPLS-based IXP Solution 9035424-01
MLX2#sho snmp traffic SNMP Statistics 79062 received, 596 sent
Receive Statistics 0 bad versions, 7 bad community names 0 bad community uses, 0 asn parse errors, 0 memory errors 0 too bigs, 0 no such names, 0 bad values 0 read onlys, 0 general errors, 0 total request variables 0 total set variables, 0 get requests, 0 get next requests 0 get bulk requests, 0 set requests, 0 get responses, 0 traps 0 ACL drops
Transmit Statistics 0 too bigs, 0 no such names, 0 bad values 0 general errors, 0 get requests, 0 get next requests 0 set requests, 0 get responses, 596 traps, 0 reports
SLX-OS SNMP v2 configuration example:
SLX1 SNMPv2 ! snmp-server contact "1.2.3.4" snmp-server location "SJC Builing" snmp-server sys-descr "Brocade Router" Trap host with associated community snmp-server enable trap snmp-server community
SLX-OS SNMP v3 configuration example:
SLX1 SNMPv3 ! snmp-server contact "Phone number" SNMP user with authentication restrictions snmp-server location "SJC Builing" snmp-server sys-descr "Brocade BR-SLX9850-4 Router" snmp-server enable trap snmp-server user user_v3 groupname SNMPv3_group auth md5 auth-password
SNMP group
80 Extreme MPLS-based IXP Solution 9035424-01
NETCONF NETCONF (The Network Configuration Protocol) is a network management protocol which provides the ability to manage network devices, retrieve configuration and operational state data as well as upload and manipulate configurations. NETCONF uses a client/server architecture in which remote procedure calls (RPCs) manipulate the modeled data across a secure transport, such as Secure Shell version 2 (SSHv2). SLX-OS NETCONF server is enabled by default. For NetIron, the NETCONF server has to be explicitly configured. For more information please refer to “Extreme NetIron Management Configuration Guide” and “Extreme SLX-OS NETCONF Operations Guide”.
NetIron NETCONF configuration:
MLX1
netconf server netconf hello-timeout 650 netconf idle-timeout 4000 !
MLX1
! MLX1#sho netconf server NETCONF server status: Enabled, Port: 830, Transport: SSH Start Time: Jan 25 13:59:48 Max allowed sessions: 1, Active sessions: 0 Hello timeout: 650 seconds, Idle timeout: 4000 seconds Server statistics: In sessions : 1 In bad hellos : 0 Dropped sessions : 0 In too big rpcs : 0 In rpcs : 0 In bad rpcs : 0 Out rpcs : 0 Out rpc errors : 0 Out too big rpcs : 0
MLX1# show netconf session Session Id: 1 SSH session Id: 1 Username: lab Login time: Feb 7 21:28:47 Client Ip Address: 10.120.73.112 Privilege Level:
SLX-OS NETCONF show commands:
SLX1
SLX1# show netconf-state statistics netconf-state statistics netconf-start-time 2018-01-17T19:00:26+00:00 netconf-state statistics in-bad-hellos 0 netconf-state statistics in-sessions 0 netconf-state statistics dropped-sessions 0 netconf-state statistics in-rpcs 0 netconf-state statistics in-bad-rpcs 0 netconf-state statistics out-rpc-errors 0 netconf-state statistics out-notifications 0 ! SLX1# show netconf-state sessions netconf-state sessions session 7 transport cli-console username admin source-host 127.0.0.1 login-time 2018-01-17T11:03:02-08:00
81 Extreme MPLS-based IXP Solution 9035424-01
NTP NTP (Network Time Protocol) is used to maintain uniform time across the network. It uses an external source of time which is synchronized with all the devices. It’s recommended that each device in the network is synchronized with at least one external clock.
MLX1 SLX1
clock timezone us pacific clock timezone America/Los_Angeles ! ! ntp ntp source-ip chassis-ip authenticate ntp server 10.18.120.1 use-vrf mgmt-vrf authentication-key key-id 20 md5 2
MLX NTP options and show commands:
MLX1
telnet@MLX1(config-ntp)#? access-control NTP access-contrl configuration authenticate Enable/disable authentication authentication-key Authentication key disable Disable the NTP master Configure the master clock ntp-interface NTP interface commands peer Configure ntp server server Configure ntp server source-interface Specify source interface
MLX1
MLX1#sho ntp associations associations Show NTP Associations telnet@MLX1#sho ntp associations address ref clock st when poll reach delay offset disp *~10.18.120.1 10.31.2.81 3 15 64 1 0.550 -0.0022 187.66 * synced, # selected, + candidate, - outlayer, x falseticker, ~ configured
MLX1#sho ntp status Clock is synchronized, stratum 4, reference clock is 10.18.120.1 precision is 2**-16 reference time is DE111C02.80000000 (18:27:13.1661564981 Pacific Mon Jan 22 2018) clock offset is -0.0022 msec, root delay is 14.4438 msec root dispersion is 8139.9983 msec, peer dispersion is 101.1165 msec system poll interval is 64, last clock update was 27 sec ago NTP server mode is enabled, NTP client mode is enabled NTP master mode is disabled, NTP master stratum is 8 NTP is not in panic mode
SLX NTP show commands:
SLX1
SLX1# sho ntp status active ntp server is 10.18.120.1
82 Extreme MPLS-based IXP Solution 9035424-01
LLDP The IEEE 802.1AB Link Layer Discovery Protocol (LLDP) works on the data-link layer, is used to discover L2 network topologies with devices running different network layer protocols in the same LAN segments. Information between the devices is exchanged periodically using LLDP protocol frames and stored in the MIB. Look at the configuration examples with the show commands below.
NetIron LLDP configuration:
MLX3
lldp enable ports ethe 1/1 to 1/8 lldp run !
MLX3(config)#lldp ? advertise Control advertising of information enable Enable LLDP on interfaces, SNMP notifications max-neighbors-per-port Specify the maximum number of neighbors per port max-total-neighbors Specify the maximum number of total neighbors reinit-delay Specify the minimum time between port reinitializations run Enable LLDP globally snmp-notification-interval Specify the minimum time between lldpRemTablesChange traps transmit-delay Specify the minimum time between LLDP transmissions transmit-hold Specify the hold time multiplier for transmit TTL transmit-interval Specify the interval between regular LLDP transmissions
MLX3#sho lldp neighbors Total number of LLDP neighbors on all ports: 4 Lcl Port Chassis ID Port ID Port Description System Name 1/2 0024.38a6.7f00 0024.38a6.7f05 10GigabitEthernet1/6 MLX1 1/3 0024.38a6.7f00 0024.38a6.7f02 10GigabitEthernet1/3 MLX1 1/5 768e.f804.e000 Ethernet 1/3 Eth 1/3 SLX1 1/7 768e.f804.e000 Ethernet 1/4 Eth 1/4 SLX1
MLX3#sho lldp statistics Last neighbor change time: 10 minutes 55 seconds ago
Neighbor entries added : 42 Neighbor entries deleted : 38 Neighbor entries aged out : 30 Neighbor advertisements dropped : 0
Port Tx Pkts Rx Pkts Rx Pkts Rx Pkts Rx TLVs Rx TLVs Neighbors Total Total w/Errors Discarded Unrecognz Discarded Aged Out 1/1 5876 0 0 0 0 0 0 1/2 138606 132731 0 0 0 0 3 1/3 138661 138658 0 0 0 0 4 1/4 138598 83864 0 0 0 0 5 1/5 60497 60463 335 0 0 335 14 1/6 5217 5223 0 0 0 0 4 1/7 160 164 0 0 0 0 0 1/8 0 0 0 0 0 0 0
83 Extreme MPLS-based IXP Solution 9035424-01
MLX3#sho lldp local-info ports ethernet 1/2 Local port: 1/2 + Chassis ID (MAC address): 0024.38a6.7a00 + Port ID (MAC address): 0024.38a6.7a01 + Time to live: 120 seconds + System name : "MLX3" + Port description : "10GigabitEthernet1/2" + System capabilities : bridge, router Enabled capabilities: router + 802.3 MAC/PHY : auto-negotiation supported, but disabled Operational MAU type : 10GigBaseSR + Link aggregation: not capable + Maximum frame size: 1548 octets + Port VLAN ID: 1 + Management address (IPv4): 10.10.10.6
SLX LLDP configuration:
SLX1
protocol lldp description Router SLX1 hello 45 multiplier 6 advertise optional-tlv management-address advertise optional-tlv system-capabilities system-name SLX1 system-description SLX1 EVD testbed !
SLX1(config)# protocol lldp SLX1(conf-lldp)# ? Possible completions: advertise The Advertise TLV configuration. describe Display transparent command information description The User description disable Disable LLDP do Run an operational-mode command hello The Hello Transmit interval. help Provide help information mode The LLDP mode. multiplier The Timeout Multiplier no Negate a command or set its defaults profile The LLDP Profile table. pwd Display current mode path system-description The System Description. system-name The System Name top Exit to top level and optionally run command
SLX1# show lldp neighbors Local Port Dead Interval Remaining Life Remote Port ID Remote Port Descr Chassis ID Tx Rx System Name Eth 1/3 120 92 0024.38a6.7a04 10GigabitEthernet1/5 0024.38a6.7a00 15196 15192 MLX3 Eth 1/4 120 96 0024.38a6.7a06 10GigabitEthernet1/7 0024.38a6.7a00 152 140 MLX3 Eth 2/2 120 90 Ethernet 3/2 Eth 3/2 768e.f808.0000 15191 882 SLX3
84 Extreme MPLS-based IXP Solution 9035424-01
SLX1# show lldp statistics LLDP Interface statistics for Eth 1/1 Frames transmitted: 15194 Frames Aged out: 0 Frames Discarded: 0 Frames with Error: 0 Frames Recieved: 0 TLVs discarded: 0 TLVs unrecognized: 0 ….
SLX1# show lldp interface ethernet 2/ LLDP information for Eth 2/1 State: Enabled Mode: Receive/Transmit Advertise Transmitted: 45 seconds Hold time for advertise: 270 seconds Tx Delay Timer: 1 seconds Transmit TLVs: Chassis ID Port ID TTL Port Description System Name System Capabilities Management Address
Python event-management and scripting A Python language interpreter is installed in SLX-OS. It enables users to access a Python shell or to launch Python scripts. It can also be used to define event handlers that run such scripts automatically upon specified conditions. The Python shell is accessible for the admin users. To access Python shell, use the “python” cli. For more information and script examples please refer to “Extreme SLX-OS Management Configuration Guide”.
Monitoring
Logging NetIron and SLX-OS provide different logging features. Below is the high-level overview.
NetIron provides traditional syslog messages stored in the syslog buffer, which can be access using “show logging” command. Messages can be further forwarded to external syslog server (up to 6 devices are configurable). Be default only 100 messages are stored. It’s recommended to set “logging buffered 5000”. For more information on NetIron logging, refer the “NetIron Administration Guide”.
SLX-OS logging infrastructures is different than NetIron OS. The key components are:
• RASLog - messages used to save system events related to configuration changes or system error conditions. They have four different levels of severity as well as 5 different types of messages. To show logged messages “show logging raslog” is used.
• RASTrace - captures low level info which can be used for debugging or troubleshooting issues. “rasdecode” command is used to decode the traces collected. Module ID (-m) and display count (-n) parameters must be provided.
• AuditLog - messages are classified into three types: DCM Configuration (DCMCFG), Firmware (FIRMWARE), and Security (SECURITY). DCMCFG audits all the configuration changes in DB. FIRMWARE audit the events occurring during firmware download process. SECURITY audit any user-initiated security event for all management interfaces.
• Syslog - The syslog protocol allow devices to send event notification messages across IP networks to event message collectors, also known as syslog servers.
For more information on SLX-OS logging messages, refer to the “SLX-OS Message Reference”.
85 Extreme MPLS-based IXP Solution 9035424-01
Sflow Sflow (Sampled Flow) is the industry standard used for collecting statistics for high speed interfaces. The solution consists of sflow agent and collector. The sflow agent resides in the device forwarding traffic. It probes the flow samples and sends them inside sflow datagrams to the external collector when data can be processed.
In SLX-OS, sflow can be used per port as well as per flow (ACL based). Sflow is supported on the physical Ethernet ports only. For the port-channel interfaces, sflow can be enabled on the individual channel links.
For MLX NetIron inbound ACLs cannot be applied if the interfaces are VPLS end points so only per port sflow is supported.
For ACL sflow related information please refer to the ACL section of this document.
MLX SLX
sflow destination 10.125.12.13 6330 ! ! sflow enable interface ethernet 1/2 sflow collector 10.125.12.13 6330 use-vrf mgmt-vrf enable ! Packets matching access sflow forwarding interface Ethernet 1/2 list are send to sflow sflow sample 8192 switchport ! switchport mode trunk-no-default-native packet sampling rate: mac access-group test_sflow in Interface count polling interval: <512 – 1048576>, default 2048) sflow enable <1-65535> (default = 20) sflow polling-interval 40 sflow sample-rate 1024 Packet sampling rate: no shutdown ! <1-100000> (default = 2048) mac access-list standard test_sflow seq 10 permit 0010.9400.0002 ffff.ffff.ffff copy- sflow
MLX sflow global options:
MLX1(config)#sflow ? agent Set sFlow agent interface destination Set sFlow datagrams export destination enable Enable sFlow services management-vrf-disable Disable management VRF on sFlow null0-sampling Enable sFlow Null0 Sampling On All Slots polling-interval Set interface counters polling-interval sample Set sample rate sflow-header-ethernet Use actual destination MAC address instead of the next-hop MAC address source Set sFlow source interface
86 Extreme MPLS-based IXP Solution 9035424-01
MLX1#sho sflow
sFlow services are enabled. sFlow management VRF is enabled. sFlow management VRF name is default-vrf.
sFlow agent IP address: 10.10.10.1 sFlow agent IPV6 address: unspecified sFlow source IP address: unspecified, UDP 8888 sFlow source IPv6 address: unspecified, UDP 8888 Collector IP 10.125.12.13, UDP 6330 Polling interval is 20 seconds. Configured default sampling rate: 1 per 2048 packets. 0 UDP packets exported 200 sFlow samples collected. 39 sFlow management-vrf UDP packets dropped 0 ACL sFlow samples collected. sFlow ports Global Sample Rate Port Sample Rate Hardware Sample Rate 1/1 2048 1024 1024
sflow-header-ethernet is disabled.
MLX1#sho sflow stat sFlow ports Flow Samples count Acl Samples Count 1/1 130 0
SLX-OS Sflow global options (they can be overwritten on the port level):
SLX2(config)# sflow ? Possible completions: collector Sflow Collector Configuration enable Enable global sflow polling-interval Interface counter polling interval sample-rate Interface sampling rate source-interface Set sFlow sourceIP interface
SLX2# sho sflow all sFlow services are: enabled sFlow null0 sampling: enabled Global default sampling rate: 2048 pkts Global default counter polling interval: 20 secs Collector server address Vrf-Name Sflow datagrams sent ------10.125.12.13:6330 mgmt-vrf 4301 fdd1:a123:b123:c123:112:1:1:2:5566 mgmt-vrf 0
ACL based samples collected (permit): 2842 ACL based samples collected (deny): 0 VxLAN Visibility samples collected: 0
sFlow info for interface Ethernet 1/56:1 ------Port based sflow services are: enabled Configured sampling rate: 1024 pkts Actual sampling rate: 1024 pkts Sflow samples collected on port Counter polling interval: 40 secs Sflow samples collected: 17417 Counter samples collected : 161
sFlow ACL Stats for LC1 ------ACL based samples collected (permit): 2842 Samples collected based on ACL ACL based samples collected (deny): 0
sFlow VxLAN Visibility Stats for LC1 ------VxLAN samples collected: 0
87 Extreme MPLS-based IXP Solution 9035424-01
OAM (CFM, Y.1731) Operations, Administration and Maintenance (OAM) is a set of tools, processes and standards use to manage and maintain networks. Two standards are currently supported by SLX-OS/NetIron software:
• IEEE 802.1ag – CFM (connectivity fault management)
• Y.1731 – Fault management and performance monitoring
Note: The 17r.1.01a SLX-OS release supports VPLS only;VLL will be supported in the future. Netiron 6.00e only supports VPLS.
802.1ag (CFM – Connectivity Fault Management)801.1ag (CFM) is an IEEE standard which defines protocols and practices for OAM (operations, administrate and maintenance) within LANs. CFM defines set of protocols used for end-to-end transport fault management. It provides the following capabilities:
• Fault detection and notification using Continuity Check Protocol
• Fault verification and isolation using Loopback and Linktrace protocol
• Path discovery using Linktrace protocol
Y.1731
Y-1731 is an ITU-T recommendation with the superset of the 802.1ag features. In addition to CFM Y.1731 provides performance monitoring capabilities. The following functions are supported:
• Frame Loss Ratio
• Frame Delay
• Frame Delay Variation
Performance monitoring capabilities of the Y.1731 will be available in the future SLX-OX release.
MLX SLX
cfm-enable cfm-enable domain-name coresite id 1 level 4 domain-name coresite id 1 level 4 ma-name ma_1 id 1 vpls-id 100 priority 3 ma-name ma_1 id 1 vpls-id 100 priority 3 mep 1 up vlan 100 port ethe 1/10 mep 1 up vlan 100 port ethe 1/10
88 Extreme MPLS-based IXP Solution 9035424-01
IXP Case Studies
Customer connectivity As presented in the design section of this document, IXP exchanges provide two types of service: MLPA (Multilateral Peering Agreement) and BPA (Bilateral Peering Agreement). In the MLPA case, all participating customers exchange traffic using a single L2 domain. Each customer connected to PE router has designated VLAN tag which is being used to send traffic. PE device removes the tag and forwards untagged frames to the L2 domain between PEs (internally assigned tag can be also used to forward MLPA traffic within the core). This is done using VPLS p2mp feature. If IXP supports IPv6, there should be 2 L2 domains: one for IPV4 and one for IPV6, each having a separate set of VLAN tags. In the BPA, case customers are directly connected using VLL service. They are assigned a separate tag and use it within the network. Below figures show the concepts of MLPA and BPA in the IXP environment.
Figure 11 IXP MLPA
89 Extreme MPLS-based IXP Solution 9035424-01
Figure 12 IXP BPA
Dual homing/MCT
For redundancy purposes, CE routers can be connected to the IXP provider edge PE routers using LAG/Port Channels. In the following example, CE3 and CE4 customer routers are connected to two PE routers running MCT (Multi Chassis Trunking) protocol. In this scenario, if one of the PEs fails, traffic is rerouted to the second PE in the MCT pair.
Figure 13 IXP dual homing
90 Extreme MPLS-based IXP Solution 9035424-01
Double tagging
By using double tagging, directly connected IXP networks (CIX) can service multiple customers of its own. IXP provider assigns different tags to the participants, and the CIX routers do not need to manipulate tags originated from the end customers. IXP PE routers after receiving double tagged packets remove/replace the tags and forward the frames to the appropriate L2 domains.
Figure 14 IXP double tagging
Rate limiting
To restrict amount of incoming traffic and protect network from overloading, rate limiting on all incoming interfaces should be configured.
Security
To protect IXP network from excessive or malicious traffic, each PE device should have the following features enabled:
• Disable dynamic MAC learning
• Configure static MAC address of the adjacent customer router
• Filter incoming traffic using ACLs permitting only ARP/IPv6 ND, IPV4/IPV6 and LACP traffic
• Permit incoming traffic from specified MAC addresses only using ARP guard in NetIron and Port MAC security in SLX-OS
• Turn on BUM control on the ingress interfaces
Core design PE mesh
91 Extreme MPLS-based IXP Solution 9035424-01
For small IXP networks, a full mesh of PE routers is frequently used. In such scenario, all edge routers, depending on the connectivity, can act as PE or P devices but each device in the network has customers attached to it.
Figure 15 IXP PE mesh
Multiple LSP connections over P routers
For bigger IXP networks, maintaining full mesh PE connectivity is complicated. In such cases, a core network is introduced with a layer of P routers. This allows better bandwidth utilization and provides multiple redundant paths between each pair of PE routers. An example of such topology is shown below.
Figure 16 IXP with P routers
LDP vs RSVP TE
92 Extreme MPLS-based IXP Solution 9035424-01
NetIron and SLX-OS both support RSVP-TE and LDP based LSPs. The majority of the IXP networks use the RSVP TE as the control, mostly for the traffic engineering capabilities, but LDP can be also used. There are certain features available in both protocols which can determine which one to use. Please refer to the PW creation section of this document for details.
Managing and monitoring Managing and monitoring the network is crucial part of the IXP operation. The following protocols should be used to obtain status of the devices:
• SSH for connectivity to the devices. ACL is recommended on the management interface to restrict access to the system
• User accounts with strong passwords
• LLDP on all devices for easy neighbor discovery
• NTP protocol with at least two source clock sources for clock synchronization
• Configuring and monitoring the device can be done using CLI, SNMP or NETCONF
• Syslog server should be configured to store login messages from the entire network
• Sflow is recommended to monitor statistics on the interfaces
Hardware Matrix TABLE 1 Platforms Used in This Validated Design
Places in the Network Extreme Platform Recommended Software Version PE/P - SLX1, SLX2, SLX3 SLX 9850 17r.1.01ad
PE/P – MLX1, MLX2, MLX3 MLXe-8 and MLXe-4 6.0.0e
93 Extreme MPLS-based IXP Solution 9035424-01
References
[1] Extreme SLX-OS Command Reference, 17r.1.01a - https://documentation.extremenetworks.com/slxos/SW/17rx/53-1005155- 03_CmdRefSlxOS_17r.1.01a_CG_Oct2017.pdf
[2] Extreme SLX-OS Management Configuration Guide, 17r.1.01 - https://documentation.extremenetworks.com/slxos/SW/17rx/53- 1005159-02_MgmtSlxOS_17r.1.01_CG_Jun2017.pdf
[3] Extreme SLX-OS Security Configuration Guide, 17r.1.01 https://documentation.extremenetworks.com/slxos/SW/17rx/53-1005166-02_SecSlxOS_17r.1.01_CG_Jun2017.pdf
[4] Extreme SLX-OS NETCONF Operations Guide, 17r.1.01 https://documentation.extremenetworks.com/slxos/SW/17rx/53-1005163-02_NETCONFSlxOS_17r.1.01_CG_Jun2017.pdf
[5] Extreme SLX-OS Command Reference Version 17r.1.01a http://documentation.extremenetworks.com/slxos/SW/17rx/53-1005155-03_CmdRefSlxOS_17r.1.01a_CG_Oct2017.pdf
[6] Extreme SLX-OS Multi-Protocol Label Switching MPLS Configuration Guide Version 17r.1.01 http://documentation.extremenetworks.com/slxos/SW/17rx/53-1005162-01_MPLSSlxOS_17r.1.01_CG_May2017.pdf
[7] Extreme SLX-OS Layer 3 Configuration Guide Version 17r.1.01 http://documentation.extremenetworks.com/slxos/SW/17rx/53-1005158-01_L3SlxOS_17r.1.01_CG_May2017.pdf
[8] Extreme SLX-OS Layer 2 Configuration Guide Version 17r.1.01 http://documentation.extremenetworks.com/slxos/SW/17rx/53-1005157-01_L2SlxOS_17r.1.01_CG_May2017.pdf
[9] Extreme NetIron Command Line Interface CLI Reference Guide Version 06.0.00c http://documentation.extremenetworks.com/netiron/SW/60x/53-1004199-07_CmdRefNetIron_06.0.00c_CRG_Dec2017.pdf
[10] Extreme NetIron Security Configuration Guide Version 06.0.00b http://documentation.extremenetworks.com/netiron/SW/60x/53-1004213-03_SecurityNetIron_06.0.00b_CG_Dec2016.pdf
[11] Extreme NetIron Switching Configuration Guide Version 06.0.00b http://documentation.extremenetworks.com/netiron/SW/60x/53-1004211-04_SwitchingNetIron_06.0.00b_CG_Dec2016.pdf
[12] Extreme NetIron Management Configuration Guide Version 6.0.00a http://documentation.extremenetworks.com/netiron/SW/60x/53-1004196-03_MgmtNetIron_6.0.00a_CG_Jul2016.pdf
[13] Extreme SLX-OS Layer 3 Configuration Guide Version 17r.1.01 http://documentation.extremenetworks.com/slxos/SW/17rx/53-1005158-01_L3SlxOS_17r.1.01_CG_May2017.pdf
94 Extreme MPLS-based IXP Solution 9035424-01
Appendix—Configuration of the Nodes/Validation topology
This appendix includes the basic relevant configurations of the nodes in an MPLS based IXP network used in this document. Some detailed features configuration are not included. Please refer to the sections of this document for further information.
Figure 17 Network topology details
MLX1
ver V6.0.0eT163 module 1 br-mlx-8-port-10g-x ! ! ! lag "MLX1-MLX3" dynamic id 16 ports ethernet 1/3 ethernet 1/6 primary-port 1/3 deploy ! lag "MLX1-SLX3" dynamic id 15 ports ethernet 1/1 ethernet 1/4 primary-port 1/1 deploy ! lag "lag-client-CE1" dynamic id 10 ports ethernet 1/5 primary-port 1/5 deploy ! ! ! ! ! !
95 Extreme MPLS-based IXP Solution 9035424-01
! no spanning-tree ! ! vlan 1 name DEFAULT-VLAN no untagged ethe 1/2 ethe 1/5 ! vlan 15 tagged ethe 1/1 ethe 1/4 router-interface ve 15 ! vlan 16 tagged ethe 1/3 ethe 1/6 router-interface ve 16 !
! ! ! default-max-frame-size 9216 aaa authentication login default local ! ! clock timezone us Pacific ! ! ntp authenticate authentication-key key-id 20 md5 2 $UyEtLStzVUA= server 10.18.120.1 ! ! cam-partition profile multi-service-4 enable password-display logging host 10.18.244.50 logging console telnet server username User_test password 8 $1$yg3..l.1$OtaEkjIFdtv2TeVXVEwzM. username User_test history $1$hR/..5B1$adiszoS76gLD9zIyFF1ER1 ip route 0.0.0.0/0 10.18.120.1 ! ! ! ! ! ! ! ! ! ! ! ip router-id 10.10.10.1 ! ! ! ! ! snmp-server snmp-server community 2 $U2kyXj1k ro hostname MLX1 ! router ospf area 0 bfd all-interfaces nonstop-routing log all ! router isis net 49.0001.0100.1001.0001.00 auth-mode md5 level-1 auth-key 2 "$UyEtLStzVUA=" level-1
96 Extreme MPLS-based IXP Solution 9035424-01
bfd all-interfaces is-type level-1 log adjacency nonstop-routing address-family ipv4 unicast exit-address-family
address-family ipv6 unicast exit-address-family
! ! ! ! ! ! policy-map test-rl cir 99992032 cbs 100000 eir 993568 ebs 10000000 excess-dp 2 ! interface loopback 1 ip ospf area 0 ip router isis ip address 10.10.10.1/32 ! ! interface management 1 ip address 10.18.121.2/22 enable ! interface ethernet 1/1 enable ! interface ethernet 1/2 enable rate-limit input unknown-unicast 97728 10000 alert 80000 10000 ! interface ethernet 1/3 enable ! interface ethernet 1/5 enable ! interface ve 15 bfd interval 200 min-rx 200 multiplier 3 ip ospf area 0 ip ospf md5-authentication key-id 22 key 2 $UyEtLStzVUA= ip ospf network point-to-point ip ospf bfd ip router isis ip address 172.16.15.1/28 isis bfd isis point-to-point ! interface ve 16 ip ospf area 0 ip ospf md5-authentication key-id 22 key 2 $UyEtLStzVUA= ip ospf network point-to-point ip ospf bfd ip address 172.16.16.1/28 ! ! ! router mpls
policy traffic-eng ospf
ldp graceful-restart
path MLX1-SLX1
97 Extreme MPLS-based IXP Solution 9035424-01
strict 10.10.10.5 strict 10.10.10.3
mpls-interface ve15
mpls-interface ve16
lsp MLX1-MLX2 to 10.10.10.2 tunnel-interface 1 enable
lsp MLX1-SLX1 to 10.10.10.3 primary MLX1-SLX1 cos 2 tunnel-interface 2 enable
lsp MLX1-SLX1-2 to 10.10.10.3 primary MLX1-SLX1 cos 1 tunnel-interface 22 enable
lsp MLX1-SLX2 to 10.10.10.4 tunnel-interface 3 enable
vll 200 200 vll-peer 10.10.10.3 vlan 200 tagged e 1/2
vpls 10 10 cluster-peer 10.10.10.2 vpls-peer 10.10.10.3 10.10.10.4 vlan 10 tagged ethe 1/5
vpls 100 100 cos 2 vpls-peer 10.10.10.2 10.10.10.3 10.10.10.4 vlan 100 tagged ethe 1/2 vlan 101 inner-vlan 111 tagged ethe 1/2 vlan 102 untagged ethe 1/2
! cluster "C1" 1 rbridge-id 101 l2vpn-peer 10.10.10.2 rbridge-id 102 deploy client "CE1-vlan10" rbridge-id 10 client-interface ethernet 1/5 deploy ! ! access-list 2 permit host 10.24.85.129 ! ip access-list standard public permit any log ! access-list 400 permit 0000.814e.2d35 ffff.ffff.ffff any any etype any
98 Extreme MPLS-based IXP Solution 9035424-01
access-list 400 permit 0000.814e.2d35 ffff.ffff.ffff any any etype any ! mac access-list test_01 permit 0000.814e.2d35 ffff.ffff.ffff any any etype any permit 0000.814e.2d39 ffff.ffff.ffff any any etype any deny 0010.814e.2d3a ffff.ffff.ffff any any etype any permit 0000.814e.2d35 ffff.ffff.ffff any any etype any permit 0000.814e.2d39 ffff.ffff.ffff any any etype any deny 0010.814e.2d3a ffff.ffff.ffff any any etype any ! ! lldp enable ports ethe 1/1 to 1/3 ethe 1/5 ethe 1/7 to 1/8 lldp run ! ! ! ! ! alias sr=show run end
MLX2
ver V6.0.0eT163 module 1 ni-mlx-8-port-10g-m module 2 br-mlx-2-port-100g-cfp2 module 5 br-mlx-24-port-1gf-x ! ! ! lag "lag-client-CE1" dynamic id 10 ports ethernet 1/1 primary-port 1/1 deploy ! ! ! ! ! !
! no spanning-tree ! ! vlan 1 name DEFAULT-VLAN no untagged ethe 1/1 ethe 1/3 ! vlan 25 tagged ethe 1/2 router-interface ve 25 ! vlan 26 tagged ethe 1/4 router-interface ve 26 !
! ! ! no route-only aaa authentication enable default local ! ! enable password-display enable super-user-password 8 $1$F54..H61$EfTi6M0PcnIMcvO7c1zMk/ enable port-config-password 8 $1$Da/..ug5$M505Wx5uYAkXzqlZzvich1 enable read-only-password 8 $1$lJ5..S.2$QnzSG4P5HIiwkyc9NpS7z.
99 Extreme MPLS-based IXP Solution 9035424-01
logging console telnet access-group 10 telnet timeout 240 telnet login-timeout 10 telnet login-retries 5 telnet server username User_test password 8 $1$tP1..Ui0$x0wRef7t9/vfsJMqRRpZV0 username User_test history $1$P35..mv.$MBNx0sBD8a42E8x8brlBQ/ username User_test1 privilege 4 password 8 $1$KZ2..Ov/$FBFQ7hYrRLlogVnj0.eSt0 username admin password 8 $1$XG4..DT.$iNA.DJKDmPgwTsutr.Y0y1 web access-group 10 ip route 10.0.0.0/8 10.18.120.1 ! ! ! ! ! ! ! ! ! ! ! ip router-id 10.10.10.2 ! ! ! ! ! snmp-server snmp-server view view_example internet included snmp-server view view_example mgmt included snmp-server community 2 $U2kyXj1k rw view view_example snmp-server contact "1.2.3.4" no snmp-server enable traps ospf snmp-server location "SJC building" snmp-server trap-source loopback 1 snmp-server host 10.12.193.2 version v2c 2 $U2kyXj1k snmp-server host 10.12.193.2 version v3 auth user_v3 snmp-server group SNMPv2_group1 v2c read view_example snmp-server group SNMPv3_group1 v3 auth read view_example snmp-server user user_v3 SNMPv3_group v3 encrypted auth md5 cb6f9d2ba45114de1557f3981c74cbf4 hostname MLX2 ssh access-group 10 ssh vlan 10 ! router ospf area 0 bfd all-interfaces nonstop-routing log all ! ! ! ! ! ! interface loopback 1 ip ospf area 0 ip address 10.10.10.2/32 ! ! interface management 1 ip address 10.18.121.3/22 enable ! interface ethernet 1/1 enable ! interface ethernet 1/2 enable
100 Extreme MPLS-based IXP Solution 9035424-01
! interface ethernet 1/3 enable ! interface ethernet 1/4 enable ! interface ve 25 bfd interval 200 min-rx 200 multiplier 3 ip ospf area 0 ip ospf md5-authentication key-id 22 key 2 $UyEtLStzVUA= ip ospf network point-to-point ip ospf bfd ip address 172.16.25.2/28 ! interface ve 26 bfd interval 200 min-rx 200 multiplier 3 ip ospf area 0 ip ospf md5-authentication key-id 22 key 2 $UyEtLStzVUA= ip ospf network point-to-point ip ospf bfd ip address 172.16.26.2/28 ! ! ! router mpls
policy traffic-eng ospf
path 2_5_4 strict 10.10.10.5 strict 10.10.10.4
path 2_6_4 strict 10.10.10.6 strict 10.10.10.4
mpls-interface ve25
mpls-interface ve26
lsp MLX2-MLX1 to 10.10.10.1 tunnel-interface 21 enable
lsp MLX2-SLX-254 to 10.10.10.4 primary 2_5_4 tunnel-interface 254 enable
lsp MLX2-SLX-264 to 10.10.10.4 primary 2_6_4 tunnel-interface 264 enable
lsp MLX2-SLX1 to 10.10.10.3 tunnel-interface 23 enable
vpls 10 10 cluster-peer 10.10.10.1 vpls-peer 10.10.10.3 10.10.10.4 vlan 10 tagged ethe 1/1
101 Extreme MPLS-based IXP Solution 9035424-01
vpls 100 100 vpls-peer 10.10.10.1 10.10.10.3 vpls-peer 10.10.10.4 load-balance vlan 100 tagged ethe 1/3
! cluster "C1" 1 rbridge-id 102 l2vpn-peer 10.10.10.1 rbridge-id 101 deploy client "CE1-vlan10" rbridge-id 10 client-interface ethernet 1/1 deploy ! ! access-list 10 deny host 10.100.1.1 log access-list 10 permit any log ! access-list 25 deny host 10.157.22.98 access-list 25 deny 10.157.23.0 0.0.0.255 access-list 25 permit any ! ! lldp enable ports ethe 1/1 to 1/8 ethe 2/1 to 2/2 ethe 5/1 to 5/24 lldp run ! ! ! ! ! end
MLX3 ver V6.0.0eT163 module 1 ni-mlx-8-port-10g-m module 3 br-mlx-2-port-100g-cfp2 module 5 br-mlx-2-port-100g-cfp2 ! ! ! lag "MLX1-MLX3" dynamic id 16 ports ethernet 1/2 to 1/3 primary-port 1/2 deploy ! lag "MLX3-SLX1" dynamic id 36 ports ethernet 3/1 to 3/2 primary-port 3/1 deploy ! lag "MLX3-SLX2" dynamic id 46 ports ethernet 5/1 to 5/2 primary-port 5/1 deploy ! ! ! ! ! !
! no spanning-tree !
102 Extreme MPLS-based IXP Solution 9035424-01
! vlan 1 name DEFAULT-VLAN ! vlan 16 tagged ethe 1/2 to 1/3 router-interface ve 16 ! vlan 26 tagged ethe 1/4 router-interface ve 26 ! vlan 36 tagged ethe 3/1 to 3/2 router-interface ve 36 ! vlan 46 tagged ethe 5/1 to 5/2 router-interface ve 46 !
! ! system-max trunk-num 64 ! ! aaa authentication login default local ! ! system-init tm-credit-size credit_1024b logging console telnet server username User_test password ..... ip route 10.0.0.0/8 10.18.120.1 ! ! ! ! ! ! ! ! ! ! ! ip router-id 10.10.10.6 ! ! ! ! ! snmp-server snmp-server community ..... rw snmp-server max-ifindex-per-module 64 hostname MLX3 ! netconf server ! router ospf area 0 bfd all-interfaces nonstop-routing log all ! ! ! ! ! ! interface loopback 1 ip ospf area 0 ip address 10.10.10.6/32 !
103 Extreme MPLS-based IXP Solution 9035424-01
! interface management 1 ip address 10.18.121.37/22 enable ! interface ethernet 1/2 enable ! interface ethernet 1/4 enable ! interface ethernet 3/1 enable ! interface ethernet 5/1 enable ! interface ve 16 ip ospf area 0 ip ospf md5-authentication key-id 22 key 2 $UyEtLStzVUA= ip ospf network point-to-point ip ospf bfd ip address 172.16.16.6/28 ! interface ve 26 bfd interval 200 min-rx 200 multiplier 3 ip ospf area 0 ip ospf md5-authentication key-id 22 key 2 $UyEtLStzVUA= ip ospf network point-to-point ip ospf bfd ip address 172.16.26.6/28 ! interface ve 36 ip ospf area 0 ip ospf md5-authentication key-id 22 key 2 $UyEtLStzVUA= ip ospf network point-to-point ip ospf bfd ip address 172.16.36.6/28 ! interface ve 46 ip ospf area 0 ip ospf md5-authentication key-id 22 key 2 $UyEtLStzVUA= ip ospf network point-to-point ip ospf bfd ip address 172.16.46.6/28 ! ! ! router mpls
policy traffic-eng ospf
mpls-interface ve16
mpls-interface ve26
mpls-interface ve36
mpls-interface ve46
! ! ! lldp enable ports ethe 1/1 to 1/2 ethe 1/4 to 1/8 lldp run !
104 Extreme MPLS-based IXP Solution 9035424-01
! ! ! ! end
SLX1
root enable alias-config alias sr show run ! chassis virtual-ip 10.18.123.202/22 clock timezone America/Los_Angeles arp access-list arp_acl permit ip host 192.168.100.3 mac host 0000.1559.10a3 ! ha process-restart mpls no process-restart bgp no process-restart isis no process-restart ospfv2 no process-restart ospfv3 ! hardware profile tcam layer2-optimised-1 profile lag default profile counters default ! http server use-vrf default-vrf http server use-vrf mgmt-vrf linecard 1 LC72X10G linecard 2 LC36X100G ntp source-ip chassis-ip ntp authentication-key 20 md5 $9$BwrsDbB+tABWGWpINOVKoQ== ntp server 10.18.120.1 use-vrf mgmt-vrf ! pw-profile vll-tag mtu 1540 vc-mode tag ! logging raslog console INFO logging auditlog class SECURITY logging auditlog class CONFIGURATION logging auditlog class FIRMWARE logging syslog-facility local LOG_LOCAL7 logging syslog-client localip CHASSIS_IP switch-attributes chassis-name SLX9850-4 switch-attributes host-name SLX1 no support autoupload enable support ffdc snmp-server contact "Phone number" snmp-server location "SJC Builing" snmp-server sys-descr "Brocade BR-SLX9850-4 Router" snmp-server enable trap snmp-server user user_v3 groupname SNMPv3_group auth md5 auth-password "nxYmUG29dUDIzlJgcPtp+Q==\n" encrypted snmp-server v3host 10.12.193.2 user_v3 severity-level Critical ! snmp-server view ALLMIBOIDS 1 included snmp-server view view_example 1.3.6.1 included snmp-server group SNMPv3_group1 v3 write view_example notify view_example ! line vty exec-timeout 0 ! threshold-monitor Buffer limit 70 vrf mgmt-vrf address-family ipv4 unicast
105 Extreme MPLS-based IXP Solution 9035424-01
ip route 0.0.0.0/0 10.18.120.1 ! address-family ipv6 unicast ! ! ssh server key rsa 2048 ssh server key ecdsa 256 ssh server key dsa ssh server use-vrf default-vrf ssh server use-vrf mgmt-vrf telnet server use-vrf default-vrf telnet server use-vrf mgmt-vrf role name User_test desc Test user roles role name admin desc Administrator role name user desc User aaa authentication login local aaa accounting exec default start-stop none aaa accounting commands default start-stop none rule 10 action accept operation read-write role User_test rule 10 command configure rule 11 action accept operation read-write role User_test rule 11 command clear logging rule 12 action accept operation read-write role User_test rule 12 command telnet service password-encryption username User_Test password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role User_test desc "Test user account" expire 2018-01-30 access-time 0800 to 1900 username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User mac access-list extended mac_acl seq 10 permit any any vlan-tag-format single-tagged vlan 100 count seq 20 permit any any vlan-tag-format double-tagged outer-vlan 101 inner-vlan 111 count seq 30 permit any any vlan-tag-format untagged vlan 1 count ! vlan 1 ! vlan 10 router-interface Ve 10 ! vlan 35 router-interface Ve 35 ! vlan 36 router-interface Ve 36 ! protocol lldp description Router SLX1 hello 45 multiplier 6 advertise optional-tlv management-address advertise optional-tlv system-capabilities system-name SLX1 system-description SLX1 EVD testbed ! vlan dot1q tag native ip router-id 10.10.10.3 class-map bd-100 match bridge-domain 100 ! class-map cee ! class-map class_acl match access-group mac_acl ! class-map class_vlan100 match vlan 100 ! class-map default ! policy-map policy_acl
106 Extreme MPLS-based IXP Solution 9035424-01
class class_acl police cir 100000000 cbs 10000 ! ! policy-map policy_bd100 class bd-100 police cir 50000000 cbs 10000 eir 50000000 ebs 20000 ! ! policy-map policy_class_default class default police cir 100000000 cbs 10000 eir 100000000 ebs 20000 ! ! no protocol vrrp no protocol vrrp-extended ip dhcp relay information option router bgp local-as 100 neighbor 10.10.10.4 remote-as 100 neighbor 10.10.10.4 update-source loopback 1 address-family ipv4 unicast ! address-family ipv6 unicast ! address-family l2vpn evpn neighbor 10.10.10.4 encapsulation mpls neighbor 10.10.10.4 activate ! ! router ospf log all area 0 bfd ! interface Loopback 1 ip ospf area 0 ip address 10.10.10.3/32 no shutdown ! interface Ve 10 ip dhcp relay address 201.1.1.1 ip address 101.1.1.1/24 no shutdown ! interface Ve 35 ip ospf area 0 ip ospf md5-authentication key-id 22 key $9$BwrsDbB+tABWGWpINOVKoQ== ip ospf network point-to-point ip ospf bfd ip address 172.16.35.3/28 no shutdown ! interface Ve 36 ip ospf area 0 ip ospf md5-authentication key-id 22 key $9$BwrsDbB+tABWGWpINOVKoQ== ip ospf network point-to-point ip ospf bfd ip address 172.16.36.3/28 no shutdown ! interface Management 1 no tcp burstrate no shutdown vrf forwarding mgmt-vrf no ip address dhcp ip address 10.18.121.25/22 ! interface Management 2 no tcp burstrate no shutdown vrf forwarding mgmt-vrf
107 Extreme MPLS-based IXP Solution 9035424-01
no ip address dhcp ip address 10.18.121.45/22 ! interface Ethernet 1/1 channel-group 10 mode active type standard lacp timeout long no shutdown ! interface Ethernet 1/2 switchport switchport mode trunk-no-default-native mac access-group mac_acl in ip arp inspection filter arp_acl no shutdown logical-interface ethernet 1/2.100 vlan 100 ! logical-interface ethernet 1/2.101 vlan 101 inner-vlan 111 ! logical-interface ethernet 1/2.102 untagged vlan 1 ! logical-interface ethernet 1/2.200 vlan 200 ! ! interface Ethernet 2/2 channel-group 35 mode active type standard lacp timeout long no shutdown ! interface Ethernet 2/3 channel-group 35 mode active type standard lacp timeout long no shutdown ! interface Ethernet 2/5 channel-group 36 mode active type standard lacp timeout long no shutdown ! interface Ethernet 2/6 channel-group 36 mode active type standard lacp timeout long no shutdown ! interface Port-channel 10 switchport switchport mode trunk-no-default-native no shutdown logical-interface port-channel 10.10 vlan 10 ! ! interface Port-channel 35 switchport switchport mode trunk-no-default-native switchport trunk allowed vlan add 35 no shutdown ! interface Port-channel 36 switchport switchport mode trunk-no-default-native switchport trunk allowed vlan add 36 no shutdown ! bridge-domain 10 p2mp vc-id 10 peer 10.10.10.1 peer 10.10.10.2
108 Extreme MPLS-based IXP Solution 9035424-01
statistics logical-interface port-channel 10.10 pw-profile default bpdu-drop-enable local-switching ! bridge-domain 100 p2mp vc-id 100 peer 10.10.10.1 cos 1 peer 10.10.10.2 peer 10.10.10.4 statistics logical-interface ethernet 1/2.102 logical-interface ethernet 1/2.101 logical-interface ethernet 1/2.100 pw-profile default bpdu-drop-enable local-switching ! bridge-domain 200 p2p vc-id 200 peer 10.10.10.1 logical-interface ethernet 1/2.200 pw-profile vll-tag ! cluster C1 1 member bridge-domain add 10 peer-interface Ve 36 peer 10.10.10.4 client-isolation strict deploy client CE2-vlan10 10 client-interface Port-channel 10 esi a:a:1:1 deploy ! client-pw esi 01:02:03:04 deploy ! ! router mpls policy traffic-engineering ospf area 0 ingress-tunnel-accounting ! ldp graceful-restart ! ! mpls-interface ve 35 ! mpls-interface ve 36 ! path SLX1-MLX1 hop 10.10.10.5 strict hop 10.10.10.1 strict ! lsp SLX1-MLX1 to 10.10.10.1 primary-path SLX1-MLX1 cos 2 frr ! enable ! lsp SLX1-MLX1-2 to 10.10.10.1 primary-path SLX1-MLX1 cos 1 frr !
109 Extreme MPLS-based IXP Solution 9035424-01
enable ! lsp SLX1-MLX2 to 10.10.10.2 enable ! lsp SLX1-SLX2 to 10.10.10.4 enable ! !
SLX2 clock timezone America/Los_Angeles ha process-restart mpls no process-restart bgp no process-restart isis no process-restart ospfv2 no process-restart ospfv3 ! hardware profile tcam default profile lag default profile counters default port-group 3/1 mode 100g ! port-group 3/2 mode 40g ! connector 3/8 breakout mode 4x10g ! ! http server use-vrf default-vrf http server use-vrf mgmt-vrf linecard 2 LC72X10G linecard 3 LC36X100G logging raslog console INFO logging syslog-server 10.18.244.50 use-vrf mgmt-vrf ! logging auditlog class SECURITY logging auditlog class CONFIGURATION logging auditlog class FIRMWARE logging syslog-facility local LOG_LOCAL7 logging syslog-client localip CHASSIS_IP switch-attributes chassis-name SLX9850-8 switch-attributes host-name SLX2 no support autoupload enable support ffdc lag hash hdr-count 3 lag hash rotate 15 snmp-server sys-descr "Brocade BR-SLX9850-8 Router" snmp-server enable trap ! line vty exec-timeout 0 ! threshold-monitor Buffer limit 70 vrf mgmt-vrf address-family ipv4 unicast ip route 0.0.0.0/0 10.18.120.1 ! address-family ipv6 unicast ! ! ssh server key rsa 2048
110 Extreme MPLS-based IXP Solution 9035424-01
ssh server key ecdsa 256 ssh server key dsa ssh server use-vrf default-vrf ssh server use-vrf mgmt-vrf telnet server use-vrf default-vrf telnet server use-vrf mgmt-vrf role name admin desc Administrator role name user desc User aaa authentication login local aaa accounting exec default start-stop none aaa accounting commands default start-stop none service password-encryption username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User mac access-list extended mac1 ! vlan 1 ! vlan 45 router-interface Ve 45 ! vlan 46 router-interface Ve 46 ! protocol lldp system-description Brocade BR-SLX9850-8 Router ! vlan dot1q tag native ip router-id 10.10.10.4 class-map cee ! class-map default ! no protocol vrrp no protocol vrrp-extended router bgp local-as 100 neighbor 10.10.10.3 remote-as 100 neighbor 10.10.10.3 update-source loopback 1 address-family ipv4 unicast ! address-family ipv6 unicast ! address-family l2vpn evpn neighbor 10.10.10.3 encapsulation mpls neighbor 10.10.10.3 activate ! ! router ospf log all area 0 no graceful-restart nonstop-routing bfd ! interface Loopback 1 ip ospf area 0 ip address 10.10.10.4/32 no shutdown ! interface Ve 45 ip ospf area 0 ip ospf md5-authentication key-id 22 key $9$BwrsDbB+tABWGWpINOVKoQ== ip ospf network point-to-point ip ospf bfd ip address 172.16.45.4/28 no shutdown ! interface Ve 46 ip ospf area 0 ip ospf md5-authentication key-id 22 key $9$BwrsDbB+tABWGWpINOVKoQ== ip ospf network point-to-point
111 Extreme MPLS-based IXP Solution 9035424-01
ip ospf bfd ip address 172.16.46.4/28 no shutdown ! interface Management 1 no tcp burstrate no shutdown vrf forwarding mgmt-vrf no ip address dhcp ip address 10.18.121.22/22 ! interface Management 2 no tcp burstrate no shutdown vrf forwarding mgmt-vrf no ip address dhcp ip address 10.18.121.42/22 ! interface Ethernet 3/2 channel-group 45 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/3 channel-group 45 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/4 channel-group 46 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/5 channel-group 46 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/8:1 channel-group 10 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/8:4 switchport switchport mode trunk-no-default-native no shutdown logical-interface ethernet 3/8:4.100 vlan 100 ! ! interface Port-channel 10 switchport switchport mode trunk-no-default-native no shutdown logical-interface port-channel 10.10 vlan 10 ! ! interface Port-channel 45 switchport switchport mode trunk-no-default-native switchport trunk allowed vlan add 45 no shutdown ! interface Port-channel 46 switchport switchport mode trunk-no-default-native switchport trunk allowed vlan add 46 no shutdown !
112 Extreme MPLS-based IXP Solution 9035424-01
bridge-domain 10 p2mp vc-id 10 peer 10.10.10.1 peer 10.10.10.2 statistics logical-interface port-channel 10.10 pw-profile default bpdu-drop-enable local-switching ! bridge-domain 100 p2mp vc-id 100 peer 10.10.10.1 peer 10.10.10.2 load-balance peer 10.10.10.3 logical-interface ethernet 3/8:4.100 pw-profile default bpdu-drop-enable local-switching ! cluster C1 1 member bridge-domain add 10 peer-interface Ve 46 peer 10.10.10.3 client-isolation strict deploy client CE2-vlan10 10 client-interface Port-channel 10 esi a:a:1:1 deploy ! client-pw esi 01:02:03:04 deploy ! ! router mpls policy traffic-engineering ospf area 0 ! mpls-interface ve 45 ! mpls-interface ve 46 ! path 4_5_2 hop 10.10.10.5 strict hop 10.10.10.2 strict ! path 4_6_2 hop 10.10.10.6 strict hop 10.10.10.2 strict ! lsp SLX2-MLX1 to 10.10.10.1 enable ! lsp SLX2-MLX2-452 to 10.10.10.2 primary-path 4_5_2 enable ! lsp SLX2-MLX2-462 to 10.10.10.2 primary-path 4_6_2 enable ! lsp SLX2-SLX1 to 10.10.10.3 enable ! !
113 Extreme MPLS-based IXP Solution 9035424-01
SLX3 clock timezone America/Los_Angeles ha process-restart mpls no process-restart bgp no process-restart isis no process-restart ospfv2 no process-restart ospfv3 ! hardware profile tcam default profile lag default profile counters default ! http server use-vrf default-vrf http server use-vrf mgmt-vrf linecard 2 LC72X10G linecard 3 LC36X100G logging raslog console INFO logging auditlog class SECURITY logging auditlog class CONFIGURATION logging auditlog class FIRMWARE logging syslog-facility local LOG_LOCAL7 logging syslog-client localip CHASSIS_IP switch-attributes chassis-name SLX9850-8 switch-attributes host-name SLX3 no support autoupload enable support ffdc snmp-server sys-descr "Brocade BR-SLX9850-8 Router" snmp-server enable trap ! line vty exec-timeout 0 ! threshold-monitor Buffer limit 70 vrf mgmt-vrf address-family ipv4 unicast ip route 0.0.0.0/0 10.18.120.1 ! address-family ipv6 unicast ! ! ssh server key rsa 2048 ssh server key ecdsa 256 ssh server key dsa ssh server use-vrf default-vrf ssh server use-vrf mgmt-vrf telnet server use-vrf default-vrf telnet server use-vrf mgmt-vrf role name admin desc Administrator role name user desc User aaa authentication login local aaa accounting exec default start-stop none aaa accounting commands default start-stop none service password-encryption username admin password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role admin desc Administrator username user password "BwrsDbB+tABWGWpINOVKoQ==\n" encryption-level 7 role user desc User vlan 1 ! vlan 15 router-interface Ve 15 ! vlan 25 router-interface Ve 25 ! vlan 35 router-interface Ve 35 ! vlan 45
114 Extreme MPLS-based IXP Solution 9035424-01
router-interface Ve 45 ! protocol lldp system-description Brocade BR-SLX9850-8 Router ! vlan dot1q tag native ip router-id 10.10.10.5 class-map cee ! class-map default ! no protocol vrrp no protocol vrrp-extended router isis net 49.0001.0100.1001.0005.00 auth-mode md5 level-1 auth-key level-1 $9$BwrsDbB+tABWGWpINOVKoQ== bfd is-type level-1 log adjacency nonstop-routing address-family ipv4 unicast ! ! router ospf log all area 0 no graceful-restart nonstop-routing bfd ! interface Loopback 1 ip ospf area 0 ip router isis ip address 10.10.10.5/32 no shutdown ! interface Ve 15 ip ospf area 0 ip ospf md5-authentication key-id 22 key $9$BwrsDbB+tABWGWpINOVKoQ== ip ospf network point-to-point ip ospf bfd ip router isis ip address 172.16.15.5/28 isis point-to-point isis bfd no shutdown ! interface Ve 25 ip ospf area 0 ip ospf md5-authentication key-id 22 key $9$BwrsDbB+tABWGWpINOVKoQ== ip ospf network point-to-point ip ospf bfd ip address 172.16.25.5/28 no shutdown ! interface Ve 35 ip ospf area 0 ip ospf md5-authentication key-id 22 key $9$BwrsDbB+tABWGWpINOVKoQ== ip ospf network point-to-point ip ospf bfd ip address 172.16.35.5/28 no shutdown ! interface Ve 45 ip ospf area 0 ip ospf md5-authentication key-id 22 key $9$BwrsDbB+tABWGWpINOVKoQ== ip ospf network point-to-point ip ospf bfd ip address 172.16.45.5/28 no shutdown !
115 Extreme MPLS-based IXP Solution 9035424-01
interface Management 1 no tcp burstrate no shutdown vrf forwarding mgmt-vrf no ip address dhcp ip address 10.18.121.23/22 ! interface Management 2 no tcp burstrate no shutdown vrf forwarding mgmt-vrf no ip address dhcp ! interface Ethernet 2/2 switchport switchport mode trunk-no-default-native switchport trunk allowed vlan add 25 no shutdown ! interface Ethernet 2/4 channel-group 15 mode active type standard lacp timeout long no shutdown ! interface Ethernet 2/8 channel-group 15 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/2 channel-group 35 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/3 channel-group 35 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/4 channel-group 45 mode active type standard lacp timeout long no shutdown ! interface Ethernet 3/5 channel-group 45 mode active type standard lacp timeout long no shutdown ! interface Port-channel 15 switchport switchport mode trunk-no-default-native switchport trunk allowed vlan add 15 no shutdown ! interface Port-channel 35 switchport switchport mode trunk-no-default-native switchport trunk allowed vlan add 35 no shutdown ! interface Port-channel 45 switchport switchport mode trunk-no-default-native switchport trunk allowed vlan add 45 no shutdown ! router mpls policy traffic-engineering ospf area 0 !
116 Extreme MPLS-based IXP Solution 9035424-01
mpls-interface ve 15 ! mpls-interface ve 25 ! mpls-interface ve 35 ! mpls-interface ve 45 ! !
117 Extreme MPLS-based IXP Solution 9035424-01