A look at Auto-Tunnel Mesh Groups
In this post I would like to give a demonstration of using the Auto-Tunnel Mesh group feature.
As you may know, manual MPLS-TE tunnels are first and foremost unidirectional, meaning that if you do them between two PE nodes, you have to do a tunnel in each direction with the local PE node being the headend.
Now imagine if your network had 10 PE routers and you wanted to do a full mesh between them, this can become pretty burdensome and error-prone.
Thankfully there’s a method to avoid doing this manual configuration and instead rely on your IGP to signal its willingness to become part of a TE “Mesh”. Thats what the Auto-Tunnel Mesh Group feature is all about!
In my small SP setup, I only have 3 PE devices, namely PE-1, PE-2 and PE-3. I also only have one P node, called P-1.
However small this setup is, its enough to demonstrate the power of the Auto-Tunnel mesh functionality.
Beyond that, I have setup a small MPLS L3 VPN service for customer CUST-A, which has a presence on all 3 PE nodes. The VPNv4 address-family is using a RR which for this purpose is P-1.
We are running OSPF as the IGP of choice. This means that our Mesh membership will be signaled using Opaque LSA’s, which I will show you later on.
The goal of the lab is to use the Auto-Tunnel mesh functionality to create a full mesh of tunnels between my PE nodes and use this exclusively for label switching and to do so with a general template that would scale to many more PE devices than just the 3 in this lab.
The very first thing you want to do is to enable MPLS-TE both globally and on your interfaces. We can verify this on PE-2:
PE-2:
mpls traffic-eng tunnels ! interface GigabitEthernet2 ip address 10.2.100.2 255.255.255.0 negotiation auto mpls traffic-eng tunnels !
The second thing you want to do is to enable the mesh-feature globally using the following command as configured on PE-2 as well:
PE-2:
mpls traffic-eng auto-tunnel mesh
Starting off with MPLS-TE, we need to make sure our IGP is actually signaling this to begin with. I have configured MPLS-TE on the area 0 which is the only area in use in our topology:
PE-2:
router ospf 1 network 0.0.0.0 255.255.255.255 area 0 mpls traffic-eng router-id Loopback0 mpls traffic-eng area 0 mpls traffic-eng mesh-group 100 Loopback0 area 0
Dont get hung up on the last configuration line. I will explain this shortly. However notice the “mpls traffic-eng area 0” and “mpls traffic-eng router-id loopback0”. After those two lines are configured, you should be able to retrieve information on the MPLS-TE topology as seen from your IGP:
PE-2:
PE-2#sh mpls traffic-eng topology brief My_System_id: 2.2.2.2 (ospf 1 area 0) Signalling error holddown: 10 sec Global Link Generation 22 IGP Id: 1.1.1.1, MPLS TE Id:1.1.1.1 Router Node (ospf 1 area 0) Area mg-id's: : mg-id 100 1.1.1.1 : link[0]: Broadcast, DR: 10.1.100.100, nbr_node_id:8, gen:14 frag_id: 2, Intf Address: 10.1.100.1 TE metric: 1, IGP metric: 1, attribute flags: 0x0 SRLGs: None IGP Id: 2.2.2.2, MPLS TE Id:2.2.2.2 Router Node (ospf 1 area 0) link[0]: Broadcast, DR: 10.2.100.100, nbr_node_id:9, gen:19 frag_id: 2, Intf Address: 10.2.100.2 TE metric: 1, IGP metric: 1, attribute flags: 0x0 SRLGs: None IGP Id: 3.3.3.3, MPLS TE Id:3.3.3.3 Router Node (ospf 1 area 0) Area mg-id's: : mg-id 100 3.3.3.3 : link[0]: Broadcast, DR: 10.3.100.100, nbr_node_id:11, gen:22 frag_id: 2, Intf Address: 10.3.100.3 TE metric: 1, IGP metric: 1, attribute flags: 0x0 SRLGs: None IGP Id: 10.1.2.2, MPLS TE Id:22.22.22.22 Router Node (ospf 1 area 0) link[0]: Broadcast, DR: 10.1.100.100, nbr_node_id:8, gen:17 frag_id: 3, Intf Address: 10.1.100.100 TE metric: 10, IGP metric: 10, attribute flags: 0x0 SRLGs: None link[1]: Broadcast, DR: 10.2.100.100, nbr_node_id:9, gen:17 frag_id: 4, Intf Address: 10.2.100.100 TE metric: 10, IGP metric: 10, attribute flags: 0x0 SRLGs: None link[2]: Broadcast, DR: 10.3.100.100, nbr_node_id:11, gen:17 frag_id: 5, Intf Address: 10.3.100.100 TE metric: 10, IGP metric: 10, attribute flags: 0x0 SRLGs: None IGP Id: 10.1.100.100, Network Node (ospf 1 area 0) link[0]: Broadcast, Nbr IGP Id: 10.1.2.2, nbr_node_id:5, gen:13 link[1]: Broadcast, Nbr IGP Id: 1.1.1.1, nbr_node_id:6, gen:13 IGP Id: 10.2.100.100, Network Node (ospf 1 area 0) link[0]: Broadcast, Nbr IGP Id: 10.1.2.2, nbr_node_id:5, gen:18 link[1]: Broadcast, Nbr IGP Id: 2.2.2.2, nbr_node_id:1, gen:18 IGP Id: 10.3.100.100, Network Node (ospf 1 area 0) link[0]: Broadcast, Nbr IGP Id: 10.1.2.2, nbr_node_id:5, gen:21 link[1]: Broadcast, Nbr IGP Id: 3.3.3.3, nbr_node_id:7, gen:21
The important thing to notice here is that we are indeed seeing the other routers in the network, all the PE devices as well as the P device.
Now to the last line of configuration under the router ospf process:
PE-2:
"mpls traffic-eng mesh-group 100 Loopback0 area 0"
What this states is that we would like to use the Auto-Tunnel Mesh group feature, with this PE node being a member of group 100, using loopback0 for communication on the tunnel and running within the area 0.
This by itself only handles the signaling, but we also want to deploy a template in order to create the individual tunnel interfaces. This is done in the following manner:
PE-2:
interface Auto-Template100 ip unnumbered Loopback0 tunnel mode mpls traffic-eng tunnel destination mesh-group 100 tunnel mpls traffic-eng autoroute announce tunnel mpls traffic-eng path-option 10 dynamic
Using the Auto-Template100 interface, we, as we would also do in manual TE, specify our loopback address, the tunnel mode and the path option. Note that here we are simply following the IGP, which sort of defeats the purpose of many MPLS-TE configurations. But with our topology there is no path diversity so it wouldnt matter anyways.
Also, the autoroute announce command is used to force traffic into the tunnels.
The important thing is the “tunnel destination mesh-group 100” which ties this configuration snippet into the OSPF one.
After everything is setup, you should see some dynamic tunnels being created on each PE node:
PE-2:
PE-2#sh ip int b | incl up GigabitEthernet1 100.100.101.100 YES manual up up GigabitEthernet2 10.2.100.2 YES manual up up Auto-Template100 2.2.2.2 YES TFTP up up Loopback0 2.2.2.2 YES manual up up Tunnel64336 2.2.2.2 YES TFTP up up Tunnel64337 2.2.2.2 YES TFTP up up
Lets verify the current RIB configuration after this step:
PE-2:
PE-2#sh ip route | beg Gateway Gateway of last resort is not set 1.0.0.0/32 is subnetted, 1 subnets O 1.1.1.1 [110/12] via 1.1.1.1, 00:29:13, Tunnel64336 2.0.0.0/32 is subnetted, 1 subnets C 2.2.2.2 is directly connected, Loopback0 3.0.0.0/32 is subnetted, 1 subnets O 3.3.3.3 [110/12] via 3.3.3.3, 00:28:48, Tunnel64337 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks O 10.1.100.0/24 [110/11] via 10.2.100.100, 00:29:13, GigabitEthernet2 C 10.2.100.0/24 is directly connected, GigabitEthernet2 L 10.2.100.2/32 is directly connected, GigabitEthernet2 O 10.3.100.0/24 [110/11] via 10.2.100.100, 00:29:13, GigabitEthernet2 22.0.0.0/32 is subnetted, 1 subnets O 22.22.22.22 [110/2] via 10.2.100.100, 00:29:13, GigabitEthernet2
Very good. We can see that in order to reach 1.1.1.1/32 which is PE-1’s loopback, we are indeed routing through one of the dynamic tunnels.
The same goes for 3.3.3.3/32 towards PE-3’s loopback.
PE-2:
PE-2#traceroute 1.1.1.1 so loo0 Type escape sequence to abort. Tracing the route to 1.1.1.1 VRF info: (vrf in name/id, vrf out name/id) 1 10.2.100.100 [MPLS: Label 17 Exp 0] 16 msec 22 msec 22 msec 2 10.1.100.1 25 msec * 19 msec
We can see that traffic towards that loopback is indeed being label-switched. And just to make it obvious, let me make sure we are not using LDP 🙂
PE-2:
PE-2#sh mpls ldp neighbor PE-2#
On P-1, it being the midpoint of our LSP’s, we would expect 6 unidirectional tunnels in total:
P-1:
P-1#sh mpls for Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or Tunnel Id Switched interface 16 Pop Label 3.3.3.3 64336 [6853] \ 472 Et2/0 10.1.100.1 17 Pop Label 2.2.2.2 64336 [2231] \ 2880 Et2/0 10.1.100.1 18 Pop Label 1.1.1.1 64336 [4312] \ 2924 Et2/1 10.2.100.2 19 Pop Label 1.1.1.1 64337 [4962] \ 472 Et2/2 10.3.100.3 20 Pop Label 2.2.2.2 64337 [6013] \ 562 Et2/2 10.3.100.3 21 Pop Label 3.3.3.3 64337 [4815] \ 0 Et2/1 10.2.100.2
Exactly what we expected.
The following is the output of the command: “show ip ospf database opaque-area” on PE-2. I have cut it down to the relevant opaque-lsa part (we are using 2 types, one for the general MPLS-TE and one for the Mesh-Group feature):
LS age: 529 Options: (No TOS-capability, DC) LS Type: Opaque Area Link Link State ID: 4.0.0.0 Opaque Type: 4 Opaque ID: 0 Advertising Router: 1.1.1.1 LS Seq Number: 80000002 Checksum: 0x5364 Length: 32 Capability Type: Mesh-group Length: 8 Value: 0000 0064 0101 0101 LS age: 734 Options: (No TOS-capability, DC) LS Type: Opaque Area Link Link State ID: 4.0.0.0 Opaque Type: 4 Opaque ID: 0 Advertising Router: 2.2.2.2 LS Seq Number: 80000002 Checksum: 0x6748 Length: 32 Capability Type: Mesh-group Length: 8 Value: 0000 0064 0202 0202 LS age: 701 Options: (No TOS-capability, DC) LS Type: Opaque Area Link Link State ID: 4.0.0.0 Opaque Type: 4 Opaque ID: 0 Advertising Router: 3.3.3.3 LS Seq Number: 80000002 Checksum: 0x7B2C Length: 32 Capability Type: Mesh-group Length: 8 Value: 0000 0064 0303 0303
I have highlighted the interesting parts, which is the Advertising Router and the value of the TLV, those starting with 0000 0064, which is in fact the membership of “100” being signaled across the IGP area.
Okay, all good i hear you say, but lets do an end-to-end test from the CE devices in Customer CUST-A’s domain:
R1:
R1#sh ip route | beg Gateway Gateway of last resort is not set 10.0.0.0/32 is subnetted, 3 subnets C 10.1.1.1 is directly connected, Loopback0 B 10.2.2.2 [20/0] via 100.100.100.100, 00:37:46 B 10.3.3.3 [20/0] via 100.100.100.100, 00:37:36 100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 100.100.100.0/24 is directly connected, FastEthernet0/0 L 100.100.100.1/32 is directly connected, FastEthernet0/0
So we are learning the routes on the customer side (through standard IPv4 BGP).
R1:
R1#ping 10.2.2.2 so loo0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds: Packet sent with a source address of 10.1.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/72/176 ms R1#ping 10.3.3.3 so loo0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds: Packet sent with a source address of 10.1.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/48 ms
We have reachability! – What about traceroute:
R1:
R1#traceroute 10.2.2.2 so loo0 Type escape sequence to abort. Tracing the route to 10.2.2.2 1 100.100.100.100 28 msec 20 msec 12 msec 2 10.1.100.100 [MPLS: Labels 18/17 Exp 0] 44 msec 136 msec 60 msec 3 100.100.101.100 [MPLS: Label 17 Exp 0] 28 msec 32 msec 12 msec 4 100.100.101.3 28 msec 32 msec 24 msec R1#traceroute 10.3.3.3 so loo0 Type escape sequence to abort. Tracing the route to 10.3.3.3 1 100.100.100.100 48 msec 16 msec 8 msec 2 10.1.100.100 [MPLS: Labels 19/17 Exp 0] 48 msec 12 msec 52 msec 3 100.100.102.100 [MPLS: Label 17 Exp 0] 16 msec 28 msec 36 msec 4 100.100.102.4 68 msec 56 msec 48 msec
Just what we would expect from our L3 MPLS VPN service. A transport label (this time through MPLS-TE) and a VPN label as signaled through MP-BGP.
To round it off, I have attached the following from a packet capture on P-1’s interface toward PE-1 and then re-issued the ICMP-echo from R1’s loopback toward R2’s loopback adress:
With that, I hope its been informative for you. Thanks for reading!
References:
http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/gsmeshgr.html
Configurations: