Ask the Expert: Configuring and Troubleshooting MPLS VPN

ciscomoderator, Community Manager

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask any questions about how to configure and troubleshoot MPLS VPN with Vinit Jain.

Ask questions from Tuesday, September 15, to Friday, September 25, 2015.

Multiprotocol Label Switching (MPLS) virtual private network (VPN) is a cost-effective solution that provides backbone connectivity and other related services to end customers without compromising customer privacy. Because MPLS provides protocol-independent forwarding, MPLS VPN can be implemented on an existing MPLS infrastructure to provide the service. Since RFC 4364, many service providers offer VPN services to their customers using a technique in which customer edge (CE) routers are routing peers of provider edge (PE) routers. Multiprotocol BGP (MP-BGP) is used to distribute customers' routes across the provider's IP backbone, and MPLS is used to tunnel customer packets across that backbone.

 

Vinit will be helping you with all your queries on all of the above.

Vinit Jain presented at Cisco Live in June 2015 on Troubleshooting BGP.

 

Vinit Jain is a technical lead with the High-Touch Technical Support (HTTS) team, supporting customers in the areas of routing, MPLS, TE, IPv6, and multicast. He also supports a wide variety of platform issues such as high CPU; memory leaks; Cisco IOS, IOS XE, and IOS XR Software; and the NX-OS code base. He has delivered training within Cisco on various technologies as well as platform troubleshooting topics, and has written a workbook on Cisco IOS XR Software fundamentals for the Cisco Support Community. Vinit holds CCIE certification (no. 22854) in R&S, Service Provider, Data Center and Security, as well as multiple certifications in programming and databases.

 

Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.

Ratings encourage participation! Please be sure to rate the answers to questions.

 

     

26 Replies

They were indeed Internet prefixes which we don't need to route through our tunnels.

Somehow they started getting labeled; once I upgraded the IOS and reloaded the router, the problem cleared.

Below are the memory log entries I got yesterday after adjusting the MPLS label range to 200000.

I think you're definitely right about limiting the advertisement of labels.

 

894786: Sep 17 15:40:21.397 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x31B87CF, alignment 0
894785: Sep 17 15:40:16.190 UTC: %LSD-4-LABEL_RESOURCE: label range 16-100000 exhausted
-Traceback= 19D735Fz 31D6AEFz 31E230Ez 31E22DEz 18C9BF4z 18C9444z 1904196z 190393Az 19038D7z
894784: Sep 17 15:39:58.319 UTC: %SYS-2-CFORKMEM: Process creation of Exec failed (no memory). -Process= "TTY Background", ipl= 0, pid= 58
-Traceback= 19D735Fz 31B0304z 31A886Az 31ACD5Ez 31B87CFz 31B924Dz 3FC0C3Cz 3F75A40z 3F759E7z 3F7581Ez 3F794DBz 3F7887Dz 3FA0ED5z 3FAC4C5z 3FAC06Bz 3FABC88z
-Process= "Tag Control", ipl= 0, pid= 431
Alternate Pool: None Free: 0 Cause: No Alternate pool
Pool: Processor Free: 394014700 Cause: Memory fragmentation
894783: Sep 17 15:39:51.255 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x31B87CF, alignment 0

 

Regarding the GR recovery, this is all we get in the log, but like you said, I don't think this caused the

888136: Sep 14 21:49:34.794 UTC: %LDP-5-GR: GR session 91.103.22.14:0 (inst. 6): interrupted--recovery pending
888138: Sep 14 21:49:38.882 UTC: %LDP-5-GR: GR session 91.103.22.14:0 (inst. 5): starting graceful recovery

 

Vinit, I will be on holiday from Sunday. I really thank you for the assistance and wish you all the best.

Have a nice weekend.

Said
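The fix Said and Vinit converge on above (limit which prefixes get labels rather than enlarge the label range) as an added Cisco IOS configuration example; this is not configuration from the thread, and the prefix-list/ACL names and the 10.255.0.0/16 loopback range are assumptions. On a PE only the /32 loopbacks of PEs and route reflectors (the BGP next hops for VPNv4 routes) need LDP labels; Internet or customer prefixes are carried by the VPN label and should never consume LSD label space.

```cisco
! Added example, not the original poster's configuration.
! Assumed: PE/RR loopbacks live in 10.255.0.0/16; list names are placeholders.
!
! Keep the platform default range. The thread shows that raising it to
! 200000 on a 3900 only moved the failure to %SYS-2-MALLOCFAIL.
mpls label range 16 100000
!
! Only host routes (/32) inside the loopback block get a local label.
ip prefix-list PE-LOOPBACKS seq 10 permit 10.255.0.0/16 ge 32
!
! Local label allocation filter: prefixes not matching the list get no LSD
! label at all, so an Internet table leaking into the global RIB cannot
! exhaust the range. ("allocate global host-routes" is the shorthand when
! every /32 is acceptable.)
mpls ldp label
 allocate global prefix-list PE-LOOPBACKS
!
! Outbound advertisement filter: do not send peers bindings for anything
! but the loopbacks either (standard ACL, matches addresses not lengths).
ip access-list standard PE-LOOPBACKS-ACL
 permit 10.255.0.0 0.0.255.255
no mpls ldp advertise-labels
mpls ldp advertise-labels for PE-LOOPBACKS-ACL
!
! Verification after the change
show mpls label range
show mpls ldp bindings
show mpls forwarding-table
show ip bgp vpnv4 all summary
```

Apply this in a maintenance window: changing the allocation filter makes LDP withdraw and re-allocate bindings, which briefly disrupts the LSPs to every PE. After the change, `show mpls forwarding-table` should list only /32 loopback entries plus aggregate/VRF labels, and `%LSD-4-LABEL_RESOURCE` should not recur; if it does, something other than LDP (for example a large VRF with per-prefix VPN labels) is consuming the range.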

I increased the MPLS label range and got memory errors. I couldn't save the config anymore and had to undo the change.

I'm now back to the previous situation but with the latest IOS: c3900e-universalk9-mz.SPA.153-3.M6.bin

 

Not sure how to fix this MPLS label range.

Can you share the below output:

- show mem statistics

I actually want to see how much memory is available on the router.

Thanks
--Vinit

Quick question: did you increase the label range to 1M? I don't think it's a good idea to do that on the 3900 series platform.

Thanks
--Vinit

I tried to increase the label range to 200000 but got memory issues.

Now it's back to 100000.

 

This is my memory status

 

sho mem stat
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   200AE680  1552116256   697472996   854643260   832424312   832065908
      I/O    D5AE680   313524224    89315980   224208244   224208244   224183292

Can you also share the error that you received.

Thanks
--Vinit

Rolf Fischer, Level 9

Hello Vinit,

thank you for this great opportunity!

Some weeks ago this question was posted here in the MPLS section:

https://supportforums.cisco.com/discussion/12543036/ospf-sham-link-dmvpn-question

I found it interesting enough to set up a simplified GNS3 lab, just with a direct OSPF point-to-multipoint backup link instead of a DMVPN. As we know, the OSPF point-to-multipoint network type advertises a host route instead of the interface's real subnet mask and the network ID in the corresponding Router LSAs. These LSAs are exchanged between the PEs via MPLS and the host routes are installed in the neighboring PE's routing table, but no labels are received for those /32 prefixes, only for the corresponding subnet, because that's the only routing-table entry on the neighboring PE. That's (I guess) why packets destined to the point-to-multipoint interface cannot be forwarded via MPLS in this scenario.

So I couldn't find a better solution than filtering out the hostroutes locally by distribute-lists - just what the original poster did.

I guess it is a very uncommon design to have a backup link with OSPF point-to-multipoint interfaces between PEs, but I'd really like to know if you could provide a better way to solve this problem.

Thanks,

Rolf

Hello Rolf,

I agree with your last statement that it's very uncommon to see a backup link with OSPF P2M interfaces. Let me do some testing before I get back to you with a definite answer.

Thanks
--Vinit

useridcisco, Level 1

Hello Vinit

How would you encrypt customer traffic traversing a plain ISP MPLS backbone? What would be the options other than IPsec? And what are the main problems one would encounter?

I don't really think it's a good idea to encrypt the customer traffic in the ISP core, as there will already be the overhead of labels (IGP as well as VPN label). Thus adding another IPsec header reduces the maximum data size that can be transmitted across the ISP core. I have personally not seen any deployment of an ISP core using IPsec. The customer data is already secure as it's going as a vpnv4 update, and to decode the packet they will have to look inside the MPLS packet itself.

Though the customer can encrypt their traffic between CE and CE using IPsec, which is the most preferred design, again the only challenge will be the maximum data size that can be transferred across the IPsec tunnel. If the CE device has a jumbo MTU and the same is the case with the ISP, then it would be better (at least for the applications which send packets with a higher segment size and with the DF bit set).

Hope this answers your question.

Thanks
--Vinit

I meant only CE-CE. Are there other alternatives to IPSec that I'm not aware of?

Yes, you can try using remote access services or dial-up services. Those are secure mechanisms as well.

Thanks
--Vinit