Route Distinguisher and Route Target

Route Distinguisher

Main purpose of RD is to make a prefix unique to a VPN. Which prefix belongs to which VPN? When the router receives a bgp update regarding a vpn prefix, it ask this question to he prefix and finds the answer in RD value inside of MP_NLRI of bgp update message.

Think about a PE device which has lots of VPN customers configured. And 2 of the customers are using the same prefix for their sites. So when this router receives this prefix from it's route reflector, how does it knows in which VPN it belongs to? Because each VPN on the PE are configured with a unique RD value, the router decide which VPN according to the RD. If the RD value of the bgp update is 65000:1 then it's the update of vrf custA.

vrf custA
 rd 65000:100

vrf custB
 rf 65000:200

Route Target

Main purpose of RT is to share routes between VPNs and import/export the routes inside VPNs. RT value is actually an extended community.

With export, vrf custA prefixes on this router are exported with RT 65000:500. This actually means that this router is going to advertise vrf custA prefixes with an extended community of 65000:500.

vrf custA
 rd 65000:100
 route-target export 65000:500

With import, the vrf custA is going to import the routes exported from other vrfs with an RD value of 65000:500. We always want all instances of a vrf accross the network must learn all prefixes belongs to that vrf on all routers. So vrfs are usually configures as below, both with import and export statements. 

custA vrf is going to export it's own routes with RD 65000:500 and going to import the routes exported from other vrfs with RD 65000:500.

vrf custA
 rd 65000:100
 route-target export 65000:500
 route-target import 65000:500

The capture below shows the RD and RT values. They can be same or not it's up to you. Usually This is why they are confused so much!

Let's think you have a monitoring vrf. In order to monitor the customers routes, you need to know them. Because your monitoring servers should reach to customer routes and customer devices should also answer to the packets from monitoring servers. Server is sending icmp packets and customer devices are sending back a icmp reply to it, basic monitoring. You can success this by configuring a different vrf.

We need to import vrf monitor routes to customer vrfs, we did it. Now we can see the monitoring server routes in vrf custA and custB. We also need to import customers routes to vrf monitor. We can do it by configuring additional imports under monitor vrf for each customer RT. (import 65000:500 and 65000:600) But this is not a good way. When you have new customers, you always need to configure the RDs under monitor vrf. So it's better to use an another RT different then import.

With this solution, the customers can reach to monitor vrf and monitor vrf can reach to customers. But the customers cannot learn their routes.

ip vrf monitor
 rd 65000:300
 route-target export 65000:999
 route-target import 65000:666

ip vrf custA
 rd 65000:100
 route-target export 65000:500
 route-target import 65000:500
 route-target import 65000:999
 route-target export 65000:666
!
ip vrf custB
 rd 65000:200
 route-target export 65000:600
 route-target import 65000:600
 route-target import 65000:999
 route-target export 65000:666
!

BGP4 AFI/SAFI Numbers and Captures of BGP Updates

Below are the BGP4 AFI/SAFI numbers. Also there are lots of SAFI numbers but these are the commonly used ones.

• IPv4 (AFI/SAFI 1/1)
• VPNv4 (AFI/SAFI 1/128)
• VPNv6 with v4-mapped nhops (AFI/SAFI 2/128)
• 6PE with v4-mapped nhops (AFI/SAFI 2/4)

So, how this information is useful? 

When you configure MP-BGP (means that you configure BGP to carry network layer reachability information for address families other than unicast IPv4) BGP installs the MP-BGP routes into different routing tables. Each routing table is identified by the AFI and a SAFI).

SAFI field value	Description	Reference
1	NLRI used for unicast forwarding.	RFC 2858
2	NLRI used for multicast forwarding.	RFC 2858
3	NLRI used for both unicast and multicast forwarding.	RFC 2858
4	NLRI with MPLS labels.	RFC 3107
64	Tunnel SAFI.	draft-nalawade-kapoor-tunnel- safi -01.txt
65	Virtual Private LAN Service (VPLS).	—
66	BGP MDT SAFI	draft-nalawade-idr-mdt-safi-00.txt
128	MPLS-labeled VPN address	RFC-ietf-l3vpn-rfc2547bis-03.txt

Below are the wireshark captures of the bgp updates messages of different AFI/SAFI.

IPv4 EXAMPLE (AFI/SAFI 1/1) 

6PE EXAMPLE (AFI/SAFI 2/4)

You can see the AFI/SAFI numbers, NLRI prefix-label information, and next-hop information inside of the MP_REACH_NLRI attribute.

VPNv4 EXAMPLE (AFI/SAFI 1/128)

Most Basic IBGP Rule

Most Basic IBGP Rule

IBGP routes learned from an ibgp peer, is not advertised to any other ibgp peer. Consider the picture below, good picture. JIf router C receives prefix from router A, it never advertises it to router B.

Of cource this is valid when all peers are configured as non-client environment, which is the default. But don’t forget if you are talking about a route reflector topology, rr advertises ibgp routes to it’s other clinets. “Clinet” keyword is so important here. I also would like to clarify the client and non-client confusion in route reflector topologies.

If prefix is received from a non-client, it’s advertised to only clients.

If prefix is received from a client, it’s advertised to both clients and non-clients.

To be more basic, the only “not advertised prefix” case is;

If prefix is received from non-client , it’s not advertised to non-client. All other is advertised J

                  +-------+        +-------+
                  |       |        |       |
                  | RTR-A |        | RTR-B |
                  |       |        |       |
                  +-------+        +-------+
                        \            /
                    IBGP \   ASX    / IBGP
                          \        /
                           +-------+
                           |       |
                           | RTR-C |
                           |       |
                           +-------+

Digital Attack Map of Arbor and Google Ideas

Arbor networks which is the provider of DDoS and threat protection solutions, and google ideas have a useful project called “Digital Attack Map”.

http://www.digitalattackmap.com/

Actually the information is already available on Arbor’s webpage through its Atlas system.. But of course virtualization of this raw data into a map is perfect!

Enjoy it!

IPv6 Subnet Calculation

IPv6 address formatting is sometimes very difficult. But website www.dnskey.net is making it easier. There are lots of web pages but this one is the simplest and very fast. If you want to divide your /32 subnet to /35s just write your prefix and submit!

Below is the output of /32 prefix divided into /35 subnets.

------------------------------------------------------
Prefix entered  => 2001:0DB8::/32 
Correct /32 prefix =>      2001:0DB8:0000:0000:/32
Subnet mask            =>      FFFF:FFFF:0000:0000:
You want /35 from =>      2001:0DB8:0000:0000:/32
Number of /35 subnets =>   8 
------------------------------------------------------
/35 prefixes 
------------------------------------------------------
2001:0DB8:0000:0000::/35  
2001:0DB8:2000:0000::/35  
2001:0DB8:4000:0000::/35  
2001:0DB8:6000:0000::/35  
2001:0DB8:8000:0000::/35  
2001:0DB8:A000:0000::/35  
2001:0DB8:C000:0000::/35  
2001:0DB8:E000:0000::/35  

ASR9000 / IOS-XR Netflow Configuration

ASR9k / XR netflow configuration consists of three different section, sampler_map, monitor_map and exporter_map. You take a sample of traffic according to your sampler_map then process it with some different parameters like caching/table sizes in you motior map and last you export it with your exported map. Of course you need to add something under interface.

You can basicly configure these like below.

sampler-map sampler_map_netflow

 random 1 out-of 1000 

Sampling frequency which indicates how often the device takes a sample of the frames regardless they are forwarded or not. When you check flow data with some cache commands you can see if it’s forwarded or DroppedAcl etc. That’s pretty good to learn what happened to the packets. 1 out of 1000 or 500 is enough, of course depends on you traffic characteristic or collector mem.

flow monitor-map monitor_map_netflow

 record ipv4

 exporter exporter_map_netflow

 exporter exporter_map_netflow_2 //you can configure more than one exporter map so that you can send data to multiple flow server destinations.

 cache timeout active 30 // that means, if a flow is active for a long time, router will export it after 30 seconds otherwise it’ll wait for 1800 seconds which is the default.So you don’t have to wait 30 min to see the active traffic flow in your collector.

flow exporter-map exporter_map_netflow

 version v9

 !

 transport udp 9996

 source Loopback0

 destination <flow_collector_ip>

And the last one is interface configuration. You can both configure ingress or egress but the recommended is to configure ingress on all interfaces of the router.

interface tex/x

flow ipv4 monitor monitor_map_netflow sampler sampler_map_netflow ingress

ASR9000 Flow Cache Command

The best practice is to check flow data on you flow server application. But sometimes you don’t need a flow server! Especially during troubleshooting. You can also check it from device cache. Because the device caches the data according to timers before exporting it to the server.

It's so basic and useful.

show flow monitor <monitor_map> cache location <location_lc>

And all other show commands are below

show flow exporter-map ..

show flow monitor-map ..

show sampler-map ..

show processes memory location <0/0/CPU0> | inc nfsvr

show flow monitor .. cache internal location <0/0/CPU0>

show flow exporter .. location <0/1/CPU0>

show flow platform producer statistics location <0/0/CPU0>

show flow platform nfea policer np <np_num> loc <node-id>

show controller np ports all location <0/Y/CPU0>

show controller np count np<number> loc <0/Y/CPU0>