Author: Calin
Cisco: The basics about VRF implementation
VRF, short for Virtual Routing and Forwarding, is a technology implemented in IP network routers that allows multiple instances of a routing table to exist on the same router at the same time. Since each VRF is independent, the same IP subnet can exist in 2 different VRFs: you can reuse the same IP addresses in 2 VRFs without them conflicting with each other. Even though this is possible, I would not suggest doing so unless you have a very good reason to do it.
Another expansion of VRF is VPN Routing and Forwarding, which is a key element in Cisco’s MPLS (Multiprotocol Label Switching) VPN technology. Internet service providers often take advantage of VRF to create separate virtual private networks (VPNs) for customers. Some advantages of using this technology are that an ISP can provision scalable IP MPLS VPN services, generate reports (e.g. audit for services), Service Level Agreements (SLA) contracts and more…
To summarize, virtual networks enable administrators to split a physical link into multiple virtual links that are completely isolated from one another. Typically, a virtual network is dedicated to traffic from a specific application or from specific users / customers.
Now that we have clarified the basics of what VRF is and how it works, let’s see where VRF is used the most. As you may have guessed already, this is the MPLS VPN environment: in today’s business granularity is very important, and VRF helps network engineers to isolate customers and provide security for them in an ISP environment, or to separate services in an Intranet environment. As you probably already know, MPLS functionality is based on P (Provider) routers, PE (Provider edge) routers and CE (Customer edge) routers. Each of these routers must be configured in order for MPLS to work within an enterprise’s architecture. I describe the MPLS technology a little so that you can better understand the topology presented below and the configuration example that follows:
As you can see from the topology, one PE router can hold and manage multiple virtual routing tables, one for each customer that an ISP has. If you are running in a private environment (e.g. Intranet), you can use MPLS VPN to separate services (e.g. office, development…). The basic functionality is the same and I’ll show you below how to implement VRFs.
The actual configuration of VRFs is not a complicated task. There are two main components to a VRF: the route distinguisher (RD) and the route target (RT).
The route distinguisher (RD) is a number which helps identify a VPN in a provider’s network and allows for overlapping IP space.
The route target (RT) indicates the VPN membership of a route and allows VPN routes to be imported or exported into or out of your VRFs. The RT functions a little like a routing policy — determining how routes are distributed throughout the particular VPN.
The RD / RT is an 8-byte (64-bit) number which can be written as follows:
– 16-bit AS number : your 32-bit number
(e.g.) 65000:100
or
– 32-bit IP address : your 16-bit number
(e.g.) 192.168.0.1:10
Usually the first format is the one used more often.
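The two notations above, encoded into the 8 bytes the router actually stores, as an added example that is not part of the original post. It assumes the RFC 4364 layout, in which the first 2 bytes are a type field (0 for the ASN form, 1 for the IP form) and the remaining 6 bytes hold the two numbers; vpn_route_key is a hypothetical helper that shows why the same subnet under two RDs does not collide.

```python
import ipaddress
import struct


def encode_rd(text):
    """Encode an RD written as 'ASN:nn' or 'IP:nn' into its 8 bytes."""
    admin, sep, number = text.rpartition(":")
    if not sep or not number.isdigit():
        raise ValueError(f"not a route distinguisher: {text!r}")
    number = int(number)
    if "." in admin:
        # Type 1: 32-bit IPv4 address followed by a 16-bit number
        if number > 0xFFFF:
            raise ValueError("IP-based RD takes a 16-bit number")
        ip = ipaddress.IPv4Address(admin)  # raises ValueError if malformed
        return struct.pack("!H4sH", 1, ip.packed, number)
    # Type 0: 16-bit AS number followed by a 32-bit number
    if not admin.isdigit() or int(admin) > 0xFFFF or number > 0xFFFFFFFF:
        raise ValueError("ASN-based RD takes a 16-bit ASN and a 32-bit number")
    return struct.pack("!HHI", 0, int(admin), number)


def vpn_route_key(rd, prefix):
    """RD bytes + IPv4 prefix: an illustrative key, not the BGP wire encoding."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed + bytes([net.prefixlen])


# Constructed sample: two customers using the same subnet
CUSTOMER_A = vpn_route_key("65000:100", "10.1.1.0/24")
CUSTOMER_B = vpn_route_key("65000:200", "10.1.1.0/24")

if __name__ == "__main__":
    print(encode_rd("65000:100").hex())
    print(encode_rd("192.168.0.1:10").hex())
    print("keys differ:", CUSTOMER_A != CUSTOMER_B)
```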
For a very basic VRF configuration, follow these steps:
1. Enter VRF configuration mode and assign a VRF name.
Router(config)# ip vrf vrf-name
2. Create a VPN route distinguisher (RD) using one of the two formats explained above (16-bit ASN:32-bit number or 32-bit IP:16-bit number).
Router(config-vrf)# rd route-distinguisher
3. Create a list of import and/or export route target communities for the specified VRF.
Router(config-vrf)# route-target {import | export | both} route-target-ext-community
4. (Optional step) Associate the specified route map with the VRF.
Router(config-vrf)# import map route-map
5. Specify an interface and enter interface configuration mode.
Router(config)# interface type number
6. Associate a VRF with an interface or subinterface.
Router(config-if)# ip vrf forwarding vrf-name
To check your configuration, you can use the ping or traceroute tools in the Cisco CLI, but remember that you have to use the “vrf vrf-name” parameter:
Router# ping vrf vrf-name IP-address
You can also check the virtual routing table:
Router# show ip route vrf vrf-name
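An offline check of the result of the steps above, as an added example that is not part of the original post: it reads a saved configuration, groups interface subnets by the VRF they are bound to, and lists address space that overlaps between routing tables as well as interfaces left in the global table. The sample configuration, VRF names and addresses are constructed; the parser assumes "ip vrf forwarding" appears before "ip address" under the interface, which is the order IOS writes because binding an interface to a VRF clears its IP address.

```python
import ipaddress
from itertools import combinations

# Constructed sample configuration (not from the original post)
SAMPLE_CONFIG = """\
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
ip vrf CUST-B
 rd 65000:200
 route-target both 65000:200
interface GigabitEthernet0/0
 ip vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/1
 ip vrf forwarding CUST-B
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
"""


def interfaces_by_vrf(config):
    """Map each routing table (VRF name or 'global') to [(interface, network)]."""
    tables, ifname, vrf = {}, None, "global"
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):  # a new top-level section starts here
            is_if = len(words) > 1 and words[0] == "interface"
            ifname, vrf = (words[1] if is_if else None), "global"
        elif ifname and words[:3] == ["ip", "vrf", "forwarding"] and len(words) > 3:
            vrf = words[3]
        elif ifname and words[:2] == ["ip", "address"] and len(words) >= 4:
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            tables.setdefault(vrf, []).append((ifname, net))
    return tables


def cross_vrf_overlaps(tables):
    """List (vrf_a, if_a, vrf_b, if_b) where subnets overlap between tables."""
    found = []
    for (vrf_a, ifs_a), (vrf_b, ifs_b) in combinations(sorted(tables.items()), 2):
        for if_a, net_a in ifs_a:
            for if_b, net_b in ifs_b:
                if net_a.overlaps(net_b):
                    found.append((vrf_a, if_a, vrf_b, if_b))
    return found


if __name__ == "__main__":
    tables = interfaces_by_vrf(SAMPLE_CONFIG)
    print("overlaps:", cross_vrf_overlaps(tables))
    print("global table:", [name for name, _ in tables.get("global", [])])
```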
In some of the following posts, I will present a VRF implementation following a real environment topology, but until then I hope you understood the basics of VRF functionality. It’s not hard to implement (although in some cases it might be, due to local topologies and technology), and it can help you to have more granular connections and makes troubleshooting easier, especially in environments which have a lot of IP addresses under management.

Cisco IOS Software BGP 4-Byte AS Number Vulnerabilities
Recent versions of Cisco IOS Software support RFC4893 (“BGP Support for Four-octet AS Number Space”) and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (hereafter referred to as 4-byte AS number) and BGP routing configured. The device is vulnerable if it is running an affected Cisco IOS version and has BGP configured, regardless of whether the device is configured with a 2 or 4 byte AS number under the router bgp configuration command.
The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.
The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.
Cisco has released free software updates to address these vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability: configuring “bgp maxas-limit [value]” on the affected device mitigates it. Cisco recommends using a conservative value of 100 to mitigate this vulnerability.
This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtm
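A way to check saved device configurations for the workaround described above, as an added example that is not part of the advisory or the original post. The hostnames and configurations are constructed; the check only covers the maxas-limit workaround for the second vulnerability and says nothing about whether the IOS version itself is affected.

```python
import re

RECOMMENDED_MAX = 100  # value the advisory recommends for bgp maxas-limit

# Constructed sample configurations (hostnames and addresses are made up)
CONFIGS = {
    "pe1": "router bgp 65000\n neighbor 192.0.2.2 remote-as 65001\n!\n",
    "pe2": "router bgp 65000\n bgp maxas-limit 100\n"
           " neighbor 192.0.2.6 remote-as 65002\n!\n",
    "pe3": "router bgp 65000\n bgp maxas-limit 500\n!\n",
    "sw1": "interface Vlan1\n ip address 192.0.2.10 255.255.255.0\n!\n",
}


def maxas_status(config):
    """Return 'no-bgp', 'missing', 'too-high:<n>' or 'ok:<n>' for one config."""
    # The router bgp section is its header line plus the indented lines below it
    bgp = re.search(r"^router bgp \S+[ \t]*\n?((?:[ \t]+.*\n?)*)", config, re.M)
    if not bgp:
        return "no-bgp"
    limit = re.search(r"^[ \t]+bgp maxas-limit (\d+)[ \t]*$", bgp.group(1), re.M)
    if not limit:
        return "missing"
    value = int(limit.group(1))
    return f"ok:{value}" if value <= RECOMMENDED_MAX else f"too-high:{value}"


def needs_attention(configs):
    """Hosts that run BGP without the workaround or with a looser limit."""
    flagged = ("missing", "too-high")
    return sorted(host for host, cfg in configs.items()
                  if maxas_status(cfg).split(":")[0] in flagged)


if __name__ == "__main__":
    for host, cfg in sorted(CONFIGS.items()):
        print(host, maxas_status(cfg))
    print("review:", needs_attention(CONFIGS))
```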
Cisco has a new partner for IP-based smart grid buildout initiative
Some months ago Cisco announced its plans to provide network infrastructure to utility companies and their customers to manage power supplies and energy consumption. Now Cisco has found a partner in a Switzerland-based company called Landis+Gyr (L+G).
Landis+Gyr is the leading global provider of integrated energy management products tailored to energy company needs and unique in its ability to deliver true end-to-end advanced metering solutions. Landis+Gyr operates in more than 30 countries across five continents, and employs over 5,000 people with the sole mission of helping the world manage energy better. For more information please visit www.landisgyr.com.
Together with its partner, Cisco is looking to supply utilities with an IP network, from the power generation facilities to the home. The partnership is intended to deliver solutions based on Landis+Gyr’s expertise in advanced metering infrastructure and applications as well as Cisco’s experience in defining the architecture of an end-to-end networking and security solution.
Landis+Gyr’s and Cisco’s collaboration aims to capitalize on the strengths of open standards, such as IP, allowing for greater ease of deployment and scalability, as well as optimized efficiency of communications networks. The two companies plan to work on future architectures in the areas of smart metering, the utility data center, and wireless and fixed last-mile communications with the objective to ensure interoperability across Cisco’s and Landis+Gyr’s smart grid solutions.
According to L+G, their product Gridstream helps you maximize the effectiveness of your energy management assets through the seamless integration and flow of technology and information. Whether you need the latest smart metering and network technology or personal energy management tools, Gridstream gives you access to a complete range of advanced multi-energy products and systems.
If you take this and associate it with Cisco’s IP based solution, you obtain one excellent product which can communicate remotely based on the most used protocol in the world. For Cisco, and not only for Cisco, this seems to be a new “gold mine” which will generate a large amount of income, since today’s global direction is to reduce functional costs, such as energy in this case.
Source: Landisgyr.com
Cisco HealthPresence
For sure, many of you have heard about Cisco TelePresence, but how many of us know about another new project from Cisco, called HealthPresence? The most basic description is that what TelePresence does for the business environment, HealthPresence does for the medical industry.
From the HealthPresence product FactSheet: “Cisco HealthPresence creates a live, “face-to-face visit” experience over the network for clinicians and patients, even though they might be hundreds of miles apart. The visit is enhanced by the availability of physical and diagnostic information (such as vital signs) generated from a variety of medical devices integrated with Cisco HealthPresence. Cisco HealthPresence is based on market-ready, advanced networking technologies. Using the network as a platform, Cisco HealthPresence combines state-of-the-art video, audio, and medical information to create an experience similar to an in-person visit to a doctor or health specialist.
Cisco HealthPresence can be located in a variety of places, including office buildings, shopping malls, community centers, hotels, or schools, thus offering convenient and timely access to healthcare services.”
Below you can see how Cisco’s CTO Padmasree Warrior and Sean Curtis, Technical Marketing, demonstrate new innovative HealthPresence solutions that Cisco is developing and that build on existing Cisco products and technologies:
[Video: https://ipnet.xyz/vid/cisco/healthpresence_warrior_072809_350.flv]
If you are wondering when this project will become a realistic alternative to the “trip” to the hospital, a trial is already in place in a real medical environment. The Scottish Centre for Telehealth and Cisco collaborate on the first HealthPresence pilot, based at Aberdeen Royal Infirmary in Scotland. Upon a successful outcome of this program, further trials may be planned in Scotland and around the world:
[Video: https://ipnet.xyz/vid/cisco/telehealth_070909_350.flv]
Is this the future of medical investigation and research? I guess for now we can only wait to see if this solution can really overtake the classic trip to the doctor.
Source: Cisco.com