EIGRP Wide Metric Calculation

EIGRP Wide Metric Calculation
EIGRP Wide Metric Calculation

The EIGRP Metric has confounded many network experts who are trying to understand the protocol. The goal of this post is to define the Eigrp metric and show how to Eigrp wide metric calculation work.

EIGRP is a Cisco-developed routing protocol that dates back to the 1980s. As a result, Cisco was the sole vendor with the authority to implement the protocol. Until Cisco published the specification as an IETF draught in 1998. 

The ability to include many various factors while computing a route's cost, or metric, is one of EIGRP's key advantages. EIGRP is one of the few routing protocols that can calculate costs based on any combination of bandwidth, load, delay, and reliability.

What exactly are EIGRP Wide Metrics?


What exactly are EIGRP Wide Metrics

EIGRP calculates a composite cost metric based on bandwidth, latency, dependability, load, and K values. This metric has a flaw in that it does not scale for high-bandwidth links. 

In EIGRP topologies, the EIGRP Wide Metrics feature provides 64-bit metric calculations and RIB scaling. Only EIGRP-named mode setups provide 64-bit computations. 32-bit computations are used in EIGRP classic mode settings.

This topic explains how wide metric computation works quite well.

How does EIGRP calculate the metric?


Any routing protocol relies on metric calculation to function properly. The measure for a path is calculated by EIGRP using many criteria. By default, bandwidth and latency are used in metric calculations, but they can also include interface load and reliability. 

By default, EIGRP determines the optimum path to a remote network based on line bandwidth and delay. The ability to include many various factors while computing a route's cost, or metric, is one of EIGRP's key advantages.

EIGRP is one of the few routing protocols that can calculate costs based on any combination of bandwidth, load, delay, and reliability. The EIGRP metric calculation uses a delay value in tens of microseconds. Simply divide the DLY in the show interface command by 10 to get the Delay value.

Reported Distance

The metric describing the best route to access a network is known as the feasible distance (FD). In the routing table, that route will be shown. The metric given by an adjacent router for a particular route is known as reported distance (RD). In other words, it is the metric of the neighboring router's path to the network.

Bandwidth

In EIGRP, bandwidth is defined as the maximum amount of data that can be transmitted. To get the bandwidth value for the EIGRP metric, divide 10,000,000 by the bandwidth (in kbps) of the slowest link along the path to the destination network.
Delay is a cumulative measurement, unlike bandwidth, which denotes the "weakest link."

What is Delay in EIGRP

The overall delay in the path, measured in tens of microseconds (s), is called delay. The EIGRP formula is based on the IGRP metric formula, with the exception that the output is increased by 256 to make the metric 32 bits instead of 24 bits.

Reliability

A route's dependability metric is just a snapshot of the route's current reliability at the time it was last promoted. Remember that the EIGRP metric is retaken from the IGRP protocol, which was a timer-driven protocol. EIGRP, on the other hand, is an event-driven protocol.

EIGRP Load

Everyone studying EIGRP specifics is familiar with the "famous" composite metric formula, but the advice to keep the K values intact (or at least leave K2 and K5 at zero) or risk EIGRP's inability to adapt to changing load scenarios is rarely acknowledged.

IGRP, the forerunner to EIGRP, used the same vector metric and a very similar composite metric formula, but it was a real-time distance vector protocol (like RIP) that broadcast its routing information at regular intervals. It was fair to include interface load and dependability in the composite metric calculation because they were regularly conveyed throughout the network.

Formulas and K-Values

Each of these characteristics is controlled by a K-value. Each of these K-values allows one of the aforementioned attributes to be considered, as well as the scale on which the attribute is evaluated.

     K1 = Bandwidth  
     K2 = Load       
     K3 = Delay      
     K4 & K5 = Reliability

Each of these numbers is employed in a Composite Metric calculation devised by EIGRP.

EIGRP Metric:


256 * { K1*BW + [(K2*BW)/(256-load)] + (K3*delay) } * { K5/(reliability+K4) }

The K values are numbers ranging from 0 to 255. You can customize each value based on what you want to factor into the cost calculation for each route. 

You can set the relevant K-value to Zero in your routing domain if you don't want to examine one of the properties listed above. Set the relevant K-value to one if you want to consider an attribute.

You can scale how heavily a given number is regarded because the K-values can be any value between 0 and 255. 

Set the K1 value to 2, and the K3 value to 1, for example, if you want Bandwidth to be deemed twice as significant as Delay. Set K1 to 2 and K3 to 3 if you want to consider Bandwidth and Delay in a 2:3 ratio. 

This is why EIGRP's cost comparison is so flexible: you can choose which qualities to compare and how relevant each attribute is to your routing domain.

It should be emphasized, however, that two routers must have to match K-values before they may be EIGRP neighbors. This makes sense since if one router prioritizes Delay while the other prioritizes Bandwidth, they may argue about the optimum approach to a destination network.

Wide metrics use 64-bit values instead of 32-bit values. It works only in Named Mode not in Classic Mode because the K6 value is required in Wide metric calculation. K6 is used to measure Jitter, energy, or other future attributes. A simplified topology is shown here to show-

How does the Eigrp wide metric calculation work?

To check the K6 value, run the below command

#show ip protocols

Metric weight K1=1, K2=0, K3=1, K4=0, K5=0 K6=0

EIGRP Wide metric Formula:

Throughput = 65536 * 10^7 / minimum bandwidth across all links in the path

Latency =        65536 * total delay (in picoseconds) / 10^6

Composite metric = Throughput + Latency


Configuration for R1, R2 & R3

R1#conf t
R1(config)#interface f0/0
R1(config-if)#ip address 155.1.79.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit

Forming Neighborship:

R1#conf t
R1(config)#router eigrp MYKEY
R1(config-router)#ad
R1(config-router)#address-family ipv4 unicast autonomous-system 10
R1(config-router-af)#network 155.1.79.0 0.0.0.255
       
R1#sh ip eigrp topology 155.1.67.0/24

EIGRP-IPv4 VR(MYKEY) Topology Entry for AS(10)/ID(155.1.79.1) for 155.1.67.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 19660800, RIB is 153600
  Descriptor Blocks:

  155.1.79.2 (FastEthernet0/0), from 155.1.79.2, Send flag is 0x0
      Composite metric is (19660800/13107200), route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 200000000 picoseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
        Originating router is 155.1.79.2

R2 Configuration

R2#conf t
R2(config)#interface f0/0
R2(config-if)#ip address 155.1.79.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit

R2(config)#interface f2/0
R2(config-if)#ip address 155.1.67.1 255.255.255.0
R2(config-if)#no shut 
R2(config-if)#exit

Forming Neighborship

R2(config)#router eigrp MYKEY
R2(config-router)#address-family ipv4 unicast autonomous-system 10
R2(config-router-af)#network 155.1.67.0 0.0.0.255

R3 Configuration

R3(config)#interface f0/0
R3(config-if)#ip address 155.1.67.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#exit

R3(config)#router eigrp MYKEY
R3(config-router)#address-family ipv4 unicast autonomous-system 10
R3(config-router-af)#network 155.1.67.0 0.0.0.255   

Wild Metric Calculation for the route 155.1.67.0/24 from R1

Throughput = 65536 * 10^7 / 100000 = 6553600

Latency =        65536 *200000000 / 10^6 = 13107200

Wild Metric = Throughput + Latency = 6553600+13107200 = 19660800

(minimum bandwidth across all links in the path=100000 kbps, Total delay=200000000 picoseconds)

FAQs: EIGRP Wide Metric Calculation

Q: How do I configure bandwidth in EIGRP?

Ans: We can use the IP bandwidth-percent Eigrp command to set this to a lower value to prevent EIGRP from flooding your interface(s). EIGRP traffic will then be queued and rate-limited by the router. On serial interfaces, Cisco router IOS will use a default bandwidth of 1544kbps.

Q: What exactly is K6 in EIGRP?

Ans: K6 was introduced with Wide Metric support and is used to enable Extended Attributes, which can be used to reflect a higher aggregate metric than those with lower energy usage. In the scope of this document, there are currently two Extended Attributes defined: jitter and energy.

Q: What exactly is an offset list in EIGRP?

Ans: An offset list is a mechanism for increasing incoming and outgoing metrics for routes discovered using EIGRP or the Routing Information Protocol (RIP). Only distance vector routing protocols use offset lists. An offset list can optionally be limited by specifying an access list or an interface.

Q: Is load balancing enabled by default in EIGRP?

Ans: EIGRP by default supports equal-cost load balancing across four links. Equal-cost means that multiple routes must share the same metric in order for the router to load balance across equal-cost links.

That's all.

Explore More:




Networks Devices and Their Functions

Networks Devices and Their Functions

Networking-Devices


In the digital era, people around the world are connected just because of networking devices. These devices play a vital role in communication and provide an online platform for people to get in touch with other people across the globe. 

They can communicate through the internet, social media, and other modes of communication like cell phones, laptops, etc. It’s enough to mention It's all possible due to networking devices only.

The base of social media is the internet, even smartphones have networking equipment fitted to them. Some of the big networking companies have made it possible towards connecting people around the globe. Let's know some basic networks devices and their functions that are widely used in many organizations. 

Also read - What Is A Home Router?

What is Hub in Networking

Hub-in-networking

A hub is a networking device that is used to connect multiple Ethernet devices together. Hub has several ports that are used to connect two or more Ethernet devices together. It is a Layer 1 device and uses twisted-pair cabling to connect devices.  

Basically, a hub does nothing it just provides a path for the data signals. In addition, a hub does not perform any error checking and re-transmits any data packets or frames it receives on all its connected devices regardless of whether the data package is destined for the particular device. 

Hubs typically do not filter data that introduces congestion within the network.  Some important points should be mentioned here.

  • No routing and no MAC table available
  • 1 broadcast domain per device
  • 1 collision domain per device
  • HUB can not create VLAN
  • It is a Layer 1 (Physical Layer) Device

The Function of Bridge in Networking

In simple words, a bridge is a networking device that is used to connect multiple communication networks or network segments. It works at the Data link layer (Layer 2) of the OSI model. Ethernet bridge provides interconnection with other bridge networks that use the same protocol. Bridges forward data based on a MAC address (physical address). 

Bridges works at the Network Access Layer or data link layer in the TCP/IP model. In networking terms, a bridge filters and forwards packets based on physical address. Bridges are unable to read a specific IP address. It only works based on MAC addresses. Bridges are no longer used in modern LANs. 

Types of Bridges in Networking 

Generally, there are 3 types of bridges used in networking.

Source route type bridge is designed by the Tech giant IBM and used in token ring networks. The source route bridge determines the path between two host machines uses the frame's MAC destination address to direct it by the source routing algorithm. It learns its bridging information embedded within the frame.

Transparent bridges its name suggest the devices on the network are uninformed of its presence.  It does nothing except forward or blocking data packets based on physical address. It connects network segments with other bridges using similar media to make all routing decisions. All operations are transparent to devices connected to the network.

A transnational bridge in networking can be used to connect two different networks like Ethernet to Token Ring. It forward frames between LANs that utilize different network protocols. 

When a host wants to communicate with another host in a different network like a token to an Ethernet network, it transmits the frame (token ring frame) that the bridge receives, and rebuilds in Ethernet format. The bridge then transmits the frame to the destination host.

  • No routing but the MAC table is available
  • 1 broadcast domain per device
  • 1 collision domain per port
  • The bridge can not create Vlan
  • It is a Layer 2 (Data Link Layer) Device
  • Bridges are more expensive than the repeaters and hubs.

Switch In Networking

Switches-in-networking

Switches form the backbone of any network. The switch is an intelligent device and is widely used in modern networks. Ethernet switches or LAN switches are used to interconnect multiple networking devices together such as computers, printers, and wireless access points, and allow for exchanging data packets. 

A switch provides wired connections to routers, servers, desktop computers, printers wireless access points, and some IoT devices. A switch operates on both the data link layer (layer 2) and network layer (layer 3) of the OSI model. Layer 2 switch determines the path by looking at the physical device address (or MAC address) while the network switch performs based on the IP routing table and provides the shortest path for the destination host. 

Switches maintain their own MAC  tables. The switch has multiple ports for plugging in network cables. There are 4-port, 8-port, 16-port 32-ports, 48 ports, and 52 ports switches available in the market. 

  • No routing but the MAC table is available
  • 1 broadcast domain per device
  • 1 collision domain per port
  • The switch can create VLAN
  • It is a Layer 2 (Data Link Layer) Device


What is a Router and how does it work


We are all relying on a router for an Internet connection. Routers are responsible for maintaining data flow between different networks and for keeping internal networks connected to the Internet. 

A router is a Layer 3 device that is used to connect two different network segments and provide communication between them. Each router maintains its own routing table and determines the best path. it routes the data packets to their intended IP addresses. 

The router reads a packet's header to determine the destination address, then checks the routing table and provides the best path to that destination. It allows multiple devices to connect to the Internet simultaneously. Router exchange data between LAN and WAN. Generally, routers are operated at the gateways of networks.

  • Maintain Routing table and manage traffic
  • ARP table uses the IP address to determine the physical (MAC) address of the gateway.
  • 1 broadcast domain per port
  • 1 collision domain per port
  • L3 Device (Network Layer)


Different types of Routers

According to the application category, there are five major types of routers on the market. Wired routers, wireless routers, core routers, edge routers, and VPN routers are all types of routers. When deciding on a router, the following basic information is provided to assist you in making the best decision.

Wired Routers 

Older routers that receive and deliver data packets via both ends of a cable connection are known as wired routers. A wired router connects to a PC through a cable. One port receives Internet packets via modem, while the other connects to a computer and distributes the processed packets. The Ethernet broadband router is one of the most used wired routers. 

Typically, wired routers are made box-shaped, and use an Ethernet cable to connect to a modem for receiving Internet data packets. There are many ports in the router. One port allows the router to connect to a modem while another set of ports allows connecting the other devices for distributing data packets within the network. 

Such routers support the network address translation (NAT) method to connect internal devices to the WAN. It uses  Dynamic Host Configuration Protocol (DHCP) to assign an IP address to the devices connected to the networks. 

Wireless routers are more advanced because they use radio waves to deliver data to computers and other electrical devices. 

Wireless Routers 

Like a wired router, a wireless router uses an Ethernet cable to connect directly to a modem for receiving data packets. However, instead of using another set of cables for distributing Internet data packets, uses one or more wireless antennas. 

A wireless router is distinguished from a wired router. It is common in offices, homes, and other public places. Wireless routers, like wired routers, receive data packets over wired broadband, convert the binary-code packets into radio signals picked up by electronic devices, and then convert them back into previous packets. 

Wireless signals, as opposed to wired routers, are the medium through which packets are sent to electronic devices. The routers convert the data packets into radio signals, which the antennas broadcast wirelessly. Unlike wired connection, the wireless router establishes wireless LAN (WLAN) which is known as WiFi. So, as long as your device is within range of the signal, all you need to do to access the Internet is enter a specific ID and password. 

The WiFi network, with which we are all too familiar, is the most widely used wireless router. There is no limit to the number of users who can connect to the network with passwords, assuming your router is strong enough. Wireless routers are popular in the market due to their ease of use and high load capacity. To protect a wireless network, wireless routers provide MAC address filtering and (WPA) security.

Virtual Routers 

Unlike a wired or wireless router, a virtual router is a software application that uses Virtual Router Redundancy Protocol (VRRP) and performs the same function as a standard hardware router. It becomes active when a physical router fails or is disabled for some reason. A VPN router is similar to a standard Gigabit router that has VPN client software installed on it. VPN protects every device that connects to the VPN router. VPN routers, whether in your home, office or business, can provide a variety of VPN benefits to all devices.

Edge Routers 

In simple words, an edge router communicates with both external routers and core routers. Edge routers operate at the edge of a network and use the Border Gateway Protocol - BGP to exchange data from other networks.  Edge routers sit at network intersections, distributing packets across various networks and allowing several networks to speak with one another. The core router, on the other hand, is connected to the same network and handles huge data transfers quickly.

As the name implies, an edge router is located at the network's edge or boundary and distributes packets across multiple networks, but not within the same network. It is typically linked to the network of an Internet service provider (ISP) or another organization. Their job is to keep your network connected to other networks smoothly, and they can be wired or wireless routers. The edge router can communicate with the core router as well.

Core Routers 

Unlike the routers used within SOHO networks, Core routers operate at the core of a network and it is used by large corporations and businesses that manage a high volume of data packets within their network. Core routers do not communicate with external networks.  In contrast to edge routers, core routers distribute packets within the same network rather than across multiple networks. It is in charge of large data transfers and operates on the Internet's backbone. It is capable of achieving high-speed communication interface transmission for a wide range of communication interfaces, allowing all IP packets to move at full speed. 

Because core routers can connect distributed routers from multiple large enterprises or community locations in some cases, high performance is a must.

Wrapping up the article

I hope you are now familiar with the different Networks Devices available in the market. It will help you when choosing the correct network device through this analysis of the characteristics and pertinent information.



Dynamic Multipoint-VPN - Definition and Practical Guide

Dynamic Multipoint-VPN - Definition and Practical Guide
DM-VPN


Cisco DMVPN can be used to encrypt traffic between the organization and numerous partner sites, guaranteeing network segmentation by preventing spoke-to-spoke transmission even through the hub.

What is Dynamic Multipoint - VPN?


DMVPN or Dynamic Multipoint VPN is a Cisco solution that provides site-to-site VPN tunnels over the public WAN. It allows two different branch locations to communicate with each other over a secure tunnel. DMVPN provides scalable VPNs that are easy to implement and manage.

DMVPN works in combination with generic routing encapsulation (GRE) for tunneling, IPsec to provide a secure overlay network, and Next Hop Resolution Protocol (NHRP).

As we know multipoint GRE over IPsec works fine for fewer sites however the number of VPN gateways increases the more challenges and configurations will be required.

We'll go through each component's purpose and function in-depth, assuming the reader has a general concept of what DMVPN is and a solid knowledge of IPsec/CEF. In this post, we'll go over three stages of DMVPN evolution.

1) Hub and Spoke Phase 1 (mGRE hub, p2p GRE spokes)
2) Hub and Spoke with Spoke-to-Spoke tunnels (Phase 2) (mGRE everywhere)

A separate post will be necessary to cover DMVPN Phase 3. This is due to major modifications to NHRP resolution logic (NHRP redirects and shortcuts), which are better shown when the prior two stages are well understood. However, there will be some hints concerning Phase 3 in this post.

GRE Multipoint


Let's start with the most fundamental DMVPN construction block: the multipoint GRE tunnel. GRE tunnels are typically point-to-point, however, mGRE expands on this concept by allowing tunnels to have many destinations.

This may appear reasonable if the tunnel destination address is multicast. The tunnel might be used to successfully transport the same information (for example, a video stream) to various locations on top of a multicast-enabled network. 

In fact, Cisco IOS uses mGRE for Multicast VPN implementation in this way. If tunnel endpoints need to exchange unicast packets, a specific glue is needed to map tunnel IP addresses to endpoint routers' physical or real IP addresses. As we'll see later, this adhesive is known as NHRP.

It's worth noting that if you source multiple mGRE tunnels from the same interface (for example, Loopback0) of a single router, GRE can use a special "multiplexor" field in the tunnel header to distinguish them. 

This is known as the "tunnel key," and it can be defined under tunnel configuration. In fact, until IOS 12.3(14)T or 12.3(11)T3, the use of a "tunnel key" was required – the mGRE tunnel would not start until the key was configured. You can configure a tunnel without the key since the aforementioned versions.


Next Hop Resolution Protocol (NHRP)


Now, let's get to the part of DMVPN that truly makes it dynamic - NHRP. RFC 2332 defined the protocol quite some time ago to create a routing optimization scheme within NBMA (non-broadcast multiple access) networks such as ATM, Frame-Relay, and SMDS. The general idea was to use SVC (switched virtual circuits) to create temporary shortcuts in the NBMA cloud that were not fully meshed. NHRP performs a similar function to ARP in that it resolves L3 to L2 addresses, but it does so in a more efficient manner, making it suitable for partially meshed NBMA clouds that support dynamic layer 2 connections.

Next Hop Resolution Protocol (NHRP) Phase 1


NHRP Phase 1 is used by mGRE to notify the hub of dynamically appearing spokes. Initially, you configure each spoke with the hub's IP address as the NHS server. The spoke's tunnel mode, on the other hand, is a GRE (regular point-to-point) tunnel with a fixed destination IP that equals the physical address of the hub. 

The spokes can only connect to the hub and other spoke networks across the hub. The advantage of Phase 1 is that it simplifies hub router configuration by eliminating the need for static NHRP mapping for each new spoke.

Because all packets pass through the hub, almost any dynamic routing protocol would aid in achieving reachability. The hub only needs to advertise a default route to the spokes, while the spokes should dynamically advertise their subnets to the hub. 

It's probably a good idea to run EIGRP on the hub and summarise all subnets to 0.0.0.0/0, effectively sending a default route to all spokes (if the spokes do not use any other default route, e.g. from their ISPs). Configure spokes as EIGRP stubs and advertise the networks to which they are connected. RIP could be configured in a similar way by simply configuring GRE tunnels on spokes as passive interfaces.

Split-horizon must be disabled on the hub mGRE interface for EIGRP and RIP to exchange subnets from spoke to spoke. The point-to-multipoint network type should be used on all GRE and mGRE interfaces in OSPF. Configure the hub to use IP OSPF database filter-all out, as well as static default routes via spoke tunnel interfaces or static specific routes for corporate networks.

DMVPN Configuration - Phase 1, 2, 3


A DMVPN is powered by VPN routers and firewall concentrators. The spokes do not use a permanent VPN connection; instead, they communicate via a centralized hub-and-spoke model that can implement VPN protection and granular access controls as needed. DMVPN also supports IPsec encryption.

DMVPN is a point-to-multipoint Layer 3 overlay VPN that allows direct spoke-to-spoke communications, depending on the DMVPN design (Phase 1, Phase 2, or Phase 3).

Integrating IPsec with DMVPN


Isn't there something we've forgotten about DMVPN Phase 1/Phase 2? That is IPsec, one of the components that ensure the confidentiality and integrity of mGRE/NHRP. In comparison to the complexity of NHRP operations, IPsec integration is now simple.

First, the hub must understand how to use IKE to authenticate all of the spokes. The most scalable method is to use X.509 certificates and PKI, but for the sake of simplicity, we will simply use the same pre-shared key across all routers. 

To accept IKE negotiation requests from any other dynamic peer, we must configure the routers with a wild-card pre-shared key.

Because the hub has no idea what the IP addresses of the connecting peers are, we need dynamic crypto maps in IPsec Phase 2. Fortunately, Cisco IOS includes a cute feature called IPsec profiles, which is intended for use with tunnel interfaces. The profile connects to a tunnel interface and automatically considers all traffic leaving the tunnel to be IPsec Phase 2 traffic. 

The IPsec profile's IPsec phase proxy identities are the tunnel's source and destination host IP addresses. Because mGRE already provides tunnel encapsulation, it makes sense to use IPSec transport mode with it. Furthermore, IOS only supports some features, such as NAT traversal with IPSec transport mode.

Configuration -

In this configuration, I have used 7200 series routers. So let's begin configuration. I have made this diagram using GNS3. Before configuring dmvpn, all routers should interact with one another. IP OSPF 1 area o is used in this configuration. 




dmvpn


Router 5-

interface FastEthernet0/0
 ip address 172.16.1.4 255.255.255.0
 ip ospf 1 area 0

interface FastEthernet2/0
 ip address 172.16.31.4 255.255.255.0
 ip ospf 1 area 0
     
interface FastEthernet3/0
 ip address 172.16.41.4 255.255.255.0
 ip ospf 1 area 0
 


Hub Configuration (R4):-

HUB#sh ip int br
Interface                   IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.7.7.7          YES NVRAM  up                      up      
FastEthernet2/0        172.16.1.7      YES NVRAM  up                    up      

HUB#conf t
HUB(config)#interface f2/0
HUB(config-if)#ip ospf 1 area 0
HUB(config-if)#exit

Tunnel Configuration

HUB#conf t
HUB(config)#interface tunnel 100
HUB(config-if)#ip address 192.168.1.1 255.255.255.0
HUB(config-if)#no ip redirects 
HUB(config-if)#no ip split-horizon eigrp 1
HUB(config-if)#ip nhrp authentication cisco
HUB(config-if)#ip nhrp network-id 1
HUB(config-if)#ip nhrp map  multicast dynamic 
HUB(config-if)#tunnel source f2/0
HUB(config-if)#tunnel mode gre multipoint 

HUB(config-if)#router eigrp 1
HUB(config-router)#network 10.7.7.7 0.0.0.0
HUB(config-router)#network 192.168.1.0 0.0.0.255 

HUB(config-router)#do show ip nhrp

192.168.1.2/32 via 192.168.1.2
   Tunnel100 created 00:00:50, expire 01:59:10
   Type: dynamic, Flags: unique registered used 
   NBMA address: 172.16.31.6 

HUB#trace 10.5.5.5

Type escape sequence to abort.
Tracing the route to 10.5.5.5
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.3 368 msec 472 msec 500 msec

HUB#sh dmvpn 
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel100, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 172.16.31.6         192.168.1.2    UP 00:14:25     D
     1 172.16.41.5         192.168.1.3    UP 00:03:33     D


SPOKE1-

interface FastEthernet0/0
 ip address 10.6.6.6 255.255.255.0
!         
interface FastEthernet2/0
 ip address 172.16.31.6 255.255.255.0
 ip ospf 1 area 0

  interface Tunnel100

 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast 172.16.1.7
 ip nhrp map 192.168.1.1 172.16.1.7
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel source FastEthernet2/0
 tunnel destination 172.16.1.7

 router eigrp 1
 network 10.6.6.6 0.0.0.0
 network 192.168.1.0

SPOKE2-

interface FastEthernet2/0
 ip address 172.16.41.5 255.255.255.0
 ip ospf 1 area 0
!         
interface FastEthernet3/0
 ip address 10.5.5.5 255.255.255.0

interface Tunnel100
 ip address 192.168.1.3 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast 172.16.1.7
 ip nhrp map 192.168.1.1 172.16.1.7
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 tunnel source FastEthernet2/0
 tunnel destination 172.16.1.7

 router eigrp 1
 network 10.5.5.5 0.0.0.0
 network 192.168.1.0

Useful commands;-
show dmvpn
show dmvpn detail
show ip nhrp
show ip nhrp brief

---------------------------------------------Phase 3-----------------------------------------------------------

Tunnel Configuration

HUB#sh ip int br
Interface                   IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.7.7.7          YES NVRAM  up                      up      
FastEthernet2/0        172.16.1.7      YES NVRAM  up                    up      

HUB#conf t
HUB(config)#interface f2/0
HUB(config-if)#ip ospf 1 area 0
HUB(config-if)#exit

HUB#conf t
HUB(config)#interface tunnel 100
HUB(config-if)#ip address 192.168.1.1 255.255.255.0
HUB(config-if)#ip nhrp redirect
HUB(config-if)#no ip split-horizon eigrp 1
HUB(config-if)#ip nhrp authentication cisco
HUB(config-if)#ip nhrp network-id 1
HUB(config-if)#ip nhrp map  multicast dynamic 
HUB(config-if)#tunnel source f2/0
HUB(config-if)#tunnel mode gre multipoint 

HUB(config-if)#router eigrp 1
HUB(config-router)#network 10.7.7.7 0.0.0.0
HUB(config-router)#network 192.168.1.0 0.0.0.255 


SPOKE1-

interface FastEthernet0/0
 ip address 10.6.6.6 255.255.255.0
!         
interface FastEthernet2/0
 ip address 172.16.31.6 255.255.255.0
 ip ospf 1 area 0

  interface Tunnel100

 ip address 192.168.1.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast 172.16.1.7
 ip nhrp map 192.168.1.1 172.16.1.7
 ip nhrp network-id 1
ip nhrp shortcut
 ip nhrp nhs 192.168.1.1
 tunnel source FastEthernet2/0
 tunnel destination 172.16.1.7

 router eigrp 1
 network 10.6.6.6 0.0.0.0
 network 192.168.1.0

SPOKE2-

interface FastEthernet2/0
 ip address 172.16.41.5 255.255.255.0
 ip ospf 1 area 0
!         
interface FastEthernet3/0
 ip address 10.5.5.5 255.255.255.0

interface Tunnel100
 ip address 192.168.1.3 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast 172.16.1.7
 ip nhrp map 192.168.1.1 172.16.1.7
 ip nhrp network-id 1
ip nhrp shortcut
 ip nhrp nhs 192.168.1.1
 tunnel source FastEthernet2/0
 tunnel destination 172.16.1.7

 router eigrp 1
 network 10.5.5.5 0.0.0.0
 network 192.168.1.0

FAQs: Dynamic Multipoint-VPN

Q: What is the distinction between SSL VPN and remote access VPN?

Ans: An IPsec VPN allows connections between an authorized remote host and any system inside the enterprise perimeter, whereas an SSL VPN allows connections only between approved remote hosts and particular services available within the enterprise perimeter.

Q: SSL or VPN, which is more secure?

Ans: When a user logs into the network, SSL takes the lead in terms of security. SSL VPNs operate by gaining access to certain apps, but IPsec users are treated as full network members. As a result, SSL makes it easy to restrict user access.

Q: Is DMVPN only available from Cisco?

Ans: This is a Cisco-only protocol. You may simply scale your company network using the Dynamic Multipoint Virtual Point Network functionality. DMVPN with IPSec is used by even tiny businesses.

In this post "Dynamic Multipoint-VPN - Definition and Practical Guide", if you have any queries or suggestions please feel free to write. Thank You.

MPLS + MPLS VPN Configuration Step by Step

MPLS + MPLS VPN Configuration Step by Step
Have you ever ordered something from a distant retailer online and then tracked the package as it made strange and seemingly illogical stops all over the country?

This is similar to how IP routing works on the Internet. When an internet router receives an IP packet, it contains no information other than the destination IP address. There are no instructions on how to get that packet to its destination or how to treat it along the way.

Each router must make a separate forwarding decision for each packet based solely on the network-layer header. As a result, every time a packet arrives at a router, the router must "consider" where to send the packet next. The router accomplishes this by making use of complex routing tables.

Multi-protocol label switching is a method of ensuring reliable connections for real-time applications. MPLS is a technique, not a service; it can provide everything from IP VPNs to metro Ethernet. It's costly, so with the introduction of SD-WAN, businesses are attempting to figure out how to optimize its use in comparison to less expensive connections like the internet.

What exactly does MPLS stand for?


When discussing telecommunications protocols, the term "Multiprotocol Label Switching" (MPLS) is frequently used. MPLS is a protocol or procedure that is used to shape network traffic flows and increase network node speed. MPLS (Multiprotocol Label Switching) is a data forwarding technology that increases network speed and controls network traffic flow. Instead of requiring complex lookups in a routing table at each stop, MPLS directs data through a path via labels.

What exactly is an MPLS network, and how does it work?


MPLS converts a routed network to something more akin to a switched network and provides information transfer speeds not available in a traditional IP-routed network. Paths are established for specific source-destination pairs rather than forwarding packets hop by hop. MPLS does not include any built-in encryption. It is simply a traffic routing mechanism that simulates private lines by directing packets along predetermined labeled paths within the network – while still allowing shared network elements.

Why do we require MPLS?


MPLS provides sophisticated traffic engineering options, allowing traffic to be routed via non-standard paths. This can reduce latency (the time it takes to send/receive data). It also reduces congestion on the paths that were previously avoided due to traffic engineering.

Components OF MPLS


The use of "tunnels" created by MPLS labeling is critical to the success of MPLS and the L3 MPLS VPN. Tunneling in the cloud of a service provider has numerous advantages:

  • Only the edge points (ingress and egress) must comprehend the meaning of the inner network information (prefixes); core routers simply switch traffic based on labels.
  • You can easily and explicitly redirect tunnel traffic.
  • Tunnels within tunnels can be built.
  • The tunnel is less susceptible to data spoofing.
  • The overhead associated with MPLS is relatively low (4 bytes per MPLS header)

Different Types of MPLS


MPLS VPNs are classified into three types: Layer 2 VPNs, Layer 2 circuits, and Layer 3 VPNs. Certain components are shared by all MPLS VPNs: The provider's network's provider edge (PE) routers connect to the customer edge (CE) routers at customer sites.

Why is MPLS more efficient than IP routing?


MPLS is much faster than traditional IP Routing because it uses the label concept to allow packet forwarding (rather than switching). This type of forwarding is more efficient because it does not overload the CPU.

Where does MPLS come into play?


In contrast to other network protocols that route traffic based on source and destination addresses, MPLS routes traffic based on predefined "labels." MPLS has been used by businesses to connect remote branch offices that require access to data or applications stored in the organization's data center or corporate headquarters.

What distinguishes MPLS from the Internet?


MPLS is a private network connection that connects data centers and branch offices. MPLS is typically outsourced, with service providers ensuring network performance, quality, and availability. Because of the latency introduced by distance and the limited bandwidth available via MPLS, the Internet is slower.

Why is MPLS so costly?


MPLS has limited bandwidth and requires longer lead times.
Not only are bandwidth upgrades prohibitively expensive, but they are also not always feasible. MPLS is also restricted and inefficient due to long installation and upgrades lead times.

Is MPLS more efficient than VPN?


There are, however, some trends. MPLS is traditionally designed to be faster than a VPN. Because each individual router does not need to perform an IP lookup, the labeling function in MPLS could theoretically speed up an internet connection.

What is superior to MPLS?


MPLS can be expensive in terms of bandwidth, whereas SD-WAN protects your network from vulnerabilities that MPLS cannot. The short answer is that SD-WAN provides improved visibility, availability, performance, and flexibility. This is why the industry has seen an increase in interest in SD-WAN over the last few years.

MPLS Advantages And Disadvantages


It necessitates WAN optimization to streamline delivery, which adds to the cost of an already expensive solution. It takes a long time to deploy, especially if the offices are spread across multiple states or countries.

Scalability, performance, better bandwidth utilization, reduced network congestion, and a better end-user experience are all advantages of MPLS.

MPLS does not provide encryption, but it is a virtual private network that is isolated from the public Internet. As a result, MPLS is regarded as a secure mode of transport. Furthermore, it is not vulnerable to denial-of-service attacks, which may affect pure IP-based networks.

On the negative side, MPLS was designed for organizations with multiple remote branch offices geographically dispersed across the country or the world, with the majority of traffic directed to enterprise data centers.

Today, businesses have shifted much of their traffic to and from cloud providers, rendering MPLS obsolete.

When businesses migrate to the cloud, the MPLS-based hub-and-spoke model becomes inefficient because it routes traffic through the headquarters (hubs) of the companies, which act as central choke points. Sending traffic directly to the cloud is more efficient. Furthermore, the increased use of cloud services, video, and mobile apps has increased bandwidth requirements, and MPLS services are difficult to scale on demand.

For its time, MPLS was a great innovation, but there are newer technologies that better address today's network architectures. SD-WANs (software-defined wide-area networks) are designed.

SD-WAN vs MPLS


Many network professionals regard MPLS and SD-WAN as either-or options, but the reality is that both have a place in a modern WAN. SD-WANs may one day replace MPLS, but that is decades away. Businesses already have hybrid computing, storage, and applications, so it stands to reason that networks will be hybrid as well.

SD-WAN is the WAN implementation of Software Defined Networking (SDN) concepts. This entails the installation of SD-WAN edge devices that use rules and policies to route traffic along the best path.

SD-WAN is a transport-independent overlay capable of routing any type of traffic, including MPLS. The benefit of SD-WAN is that an enterprise WAN-traffic architect can sit in a centralized location and easily apply policies to all WAN devices.

In contrast, with MPLS, predetermined routes must be painstakingly provisioned, and once the fixed circuits are in place, making changes is not as simple as a point-and-click operation.

However, once an MPLS network is in place, it guarantees real-time traffic performance. Although SD-WAN can route traffic along the most efficient path, there are no guarantees of performance once those IP packets reach the open Internet.

Going forward, the most prudent strategy will be to offload as much MPLS traffic as possible to the public Internet while continuing to use MPLS for time-sensitive applications that require guaranteed delivery. Nobody wants to be in the crosshairs when the CEO's monthly video conference with branch office employees cuts out in the middle of a sentence.

MPLS VPN Configuration Step by Step -


MPLS-VPN-Configuration


I have configured MPLS-VPN using GNS3. The steps are follows: 

Step 1 - Assigning IP address and full connectivity between PE, R3, and PE:

PE 1 

interface Loopback0

 ip address 1.1.1.1 255.255.255.255

 ip ospf 1 area 0

interface FastEthernet0/0

 ip address 10.0.0.1 255.255.255.0

 ip ospf 1 area 0

R3 ---

ip address 4.4.4.4 255.255.255.255

 ip ospf 1 area 0

interface FastEthernet0/0

 ip address 10.0.0.4 255.255.255.0

 ip ospf 1 area 0

interface FastEthernet2/0

 ip address 10.0.1.4 255.255.255.0


 ip ospf 1 area 0


PE 2-

interface Loopback0

 ip address 3.3.3.3 255.255.255.255

 ip ospf 1 area 0

interface FastEthernet0/0

 ip address 10.0.1.3 255.255.255.0

 ip ospf 1 area 0


Step 2 -  Enabling MPLS on PE AND P routers: common commands, mpls ip or mpls ldp autoconfig.

You have to apply mpls ip on all interfaces or mpls ldp autoconfig under each ospf it will enable mpls on all interfaces.

 router ospf 1

 mpls ldp autoconfig

To check mpls interfaces #sh mpls interface 

To verify ldp neighbor #sh mpls ldp neighbor

You can run trace command to check whether ldp is running.


Step 3 - Enabling MP-BGP on PE routers using vpnv4  address family

PE 1: 

router bgp 1

 neighbor 3.3.3.3 remote-as 1

 neighbor 3.3.3.3 update-source Loopback0

   address-family vpnv4

  neighbor 3.3.3.3 activate

PE 2:

router bgp 1

neighbor 1.1.1.1 remote-as 1

 neighbor 1.1.1.1 update-source Loopback0

 address-family vpnv4

  neighbor 1.1.1.1 activate

To verify the BGP session between PE routers run #sh bgp vpnv4 unicast all summary.

--------------------------------------------VRF started------------------------------------------------------

Step 4 - Added two more routers (customer sites) R7 AND R8, created VRF "RED"

ip vrf RED

 rd 4:4

 route-target export 4:4

 route-target import 4:4

Step 5 - Assigned interfaces f2/0 and f2/0 of PE routers into VRF and ip addresses, configured OSPF 2

R7: 

int lo0

ip add 7.7.7.7 255.255.255.255 

ip ospf 2 area 2 

int f0/0

ip add 192.168.1.7 255.255.255.0 

ip ospf 2 area 2

no shut 

R8-

interface Loopback0

 ip address 8.8.8.8 255.255.255.255

 ip ospf 2 area 2

!         

interface FastEthernet0/0

 ip address 192.168.2.8 255.255.255.0


 ip ospf 2 area 2


PE1-

interface FastEthernet2/0

 ip vrf forwarding RED

 ip address 192.168.1.2 255.255.255.0

 ip ospf 2 area 2


PE2-

  interface FastEthernet2/0

 ip vrf forwarding RED

 ip address 192.168.2.4 255.255.255.0

 ip ospf 2 area 2


R2, R3, R4 form are running OSPF with all loopbacks 32 address and have full connectivity. 

R2 and R4 are peering with MP-BGP. MPLS LDP is enabled on all the internal interfaces of R2,R3,R4 except external interfaces. 

The external interfaces have been placed into a VRF (RED) and then customer site routers have been joined to VRF (RED)

The final step to get full connectivity redistribute the routes in OSPF on R2 and R4 into MP-BGP and MP-BGP into OSPF.

Redistribute the OSPF routes from R7 into BGP in the VRF RED on PE1, the OSPF routes from R8 into MP-BGP in the VRF RED on PE2 and then the routes in MP-BGP in PE1 and PE2 back out to OSPF.

Redistribute OSPF into MP-BGP on R2

router bgp 1

address-family ipv4 vrf RED 

redistribute ospf 2

Redistribute OSPF into MP-BGP on R4

router bgp 1

address-family ipv4 vrf RED 

redistribute ospf 2

Redistribute MP-BGP into OSPF on R2

router ospf 2 

redistribute bgp 1 subnets 

Redistribute MP-BGP into OSPF on R4

router ospf 2 

redistribute bgp 1 subnets

See the results: 

R8#trace 7.7.7.7

Type escape sequence to abort.

Tracing the route to 7.7.7.7

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.2.4 368 msec 252 msec 360 msec

  2 10.0.1.4 [MPLS: Labels 17/19 Exp 0] 1148 msec 1404 msec 1332 msec

  3 192.168.1.2 [MPLS: Label 19 Exp 0] 804 msec 1344 msec 724 msec

  4 192.168.1.7 1152 msec 1488 msec 1380 msec


R7#trace 8.8.8.8

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

  1 192.168.1.2 428 msec 356 msec 304 msec

  2 10.0.0.4 [MPLS: Labels 16/17 Exp 0] 1784 msec 1200 msec 1460 msec

  3 192.168.2.4 [MPLS: Label 17 Exp 0] 812 msec 888 msec 700 msec

  4 192.168.2.8 1584 msec 1260 msec 924 msec

We can see the above outcome that packets are going over the MPLS and be label switched not routed.

Useful Commands:


#sh mpls ldp binding

#sh mpls forwarding-table

#sh mpls ldp discovery

#sh mpls ldp neighbor

#config#mpls ip

#sh mpls label range

#ip cef to enable cef on interfaces

#mpls label protocols

#sh ip vrf detail

#sh ip route vrf vrf-name

#sh ip vrf interface

#ping vrf vr-name ip-address

#sh ip bgp vpnv4 all summary for mpbgp

#sh ip bgp vpnv4 all for mpbgp

I hope, you have liked this post "MPLS VPN Configuration Step by Step". I look forward to your valuable feedback.