ASK THE EXPERT : Introduction to MPLS VPN

ciscomoderator
Community Manager

With Nagendra Kumar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on MPLS VPN from Cisco subject matter expert Nagendra Kumar. During the event you can ask questions on the common terminology, configuration, and best practices in setting up MPLS VPN networks. Nagendra is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, MPLS, and multicast. Previously at Cisco he worked as a technical marketing engineer for ISR platforms. He has been in the networking industry for 8 years and holds CCIE certification (#20987) in the Routing & Switching and Service Provider tracks.

Remember to use the rating system to let Nagendra know if you have received an adequate response.

You can also review the Live Webcast Video by Nagendra who gave the presentation.

Nagendra might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider discussion forum shortly after the event. This event lasts through August 26, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

27 Replies

unnamed77
Beginner

Hello! I am writing to you from Russia. Please help me, because I don't know why my Cisco router didn't receive a certificate from a Windows Server 2008 R2 CA.

Log from Cisco:

cisco1841Surgut(config)#crypto pki authenticate subca01

000129: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: pki request queued properly
000130: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=subca01 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: sngst-ca


000131: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: locked trustpoint subca01, refcount is 1
000132: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: http connection opened
000133: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: Sending HTTP message

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

cisco1841Surgut(config)#
000134: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: sngst-ca


000135: Aug 19 17:57:13.064 GMT: CRYPTO_PKI: unlocked trustpoint subca01, refcount is 0
000136: Aug 19 17:57:13.064 GMT: CRYPTO_PKI: locked trustpoint subca01, refcount is 1
000137: Aug 19 17:57:13.808 GMT: CRYPTO_PKI: unlocked trustpoint subca01, refcount is 0
000138: Aug 19 17:57:13.808 GMT: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 4289
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
Date: Fri, 19 Aug 2011 11:57:13 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

000139: Aug 19 17:57:13.808 GMT: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=subca01)

000140: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_certc_pkcs7_extract_certs_and_crls failed
000141: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_pkcs7_extract_ca_cert returned
000142: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: Unable to read CA/RA certificates.
000143: Aug 19 17:57:13.812 GMT: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
000144: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: transaction GetCACert completed
cisco1841Surgut(config)#

This is part of the config with regard to the certificates:

Building configuration...

Current configuration : 22062 bytes
!
! Last configuration change at 14:42:48 GMT Mon Aug 22 2011 by admin
!
version 15.1
no service pad

!
crypto pki token default removal timeout 0
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3129615703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3129615703
revocation-check none
rsakeypair TP-self-signed-3129615703
!
crypto pki trustpoint S1
enrollment terminal
serial-number none
fqdn cisco1841Surgut.xxx.local
ip-address none
password
revocation-check crl
rsakeypair cisco1841Surgut.xxx.local
!
crypto pki trustpoint subca01
enrollment mode ra
enrollment url http://xxx/certsrv/mscep/mscep.dll
ip-address none
password 7 08036D685F4D203636535B210E797C0D6666003224335358720F00070C2C5B394F
revocation-check none
rsakeypair CP-RSAKey-1313751490188 2048 2048
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-3129615703
certificate self-signed 01
xxx
quit
crypto pki certificate chain S1
crypto pki certificate chain subca01
!
!

!
!
!
crypto key pubkey-chain rsa
addressed-key xxx
address xxx
key-string
xxx
quit
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
authentication rsa-encr
crypto isakmp key xxx address xxx
!
!

!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA5
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA3
reverse-route
!
crypto dynamic-map VPN-USER-MAP 50
set transform-set VPN-TRANSFORM
match address 115
!
!
end

cisco1841Surgut#

Hi Fedor,

In order to get the right expert's attention, may I ask you to post the query in the security forum? Below is the link:

https://supportforums.cisco.com/community/netpro/security

HTH,

Nagendra
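The debug output in the question above already contains the answer to "what failed": the SCEP GetCACert request got an HTTP 200 with a CA/RA certificate bundle (Content-Type application/x-x509-ca-ra-cert, 4289 bytes), and the failure happened afterwards, when IOS tried to parse that PKCS#7 bundle (status 0x722, E_SIGNATURE_ALG_NOT_SUPPORTED). The Python script below is an added triage helper, not part of this thread or of any Cisco tool; it parses lines in the shape of that debug output and separates transport failures from local parsing failures. The sample log is a constructed copy of the relevant lines from the question, and the regexes assume the line layout shown there.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines of the "debug crypto pki" output from the question.
SAMPLE_DEBUG = """\
000130: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=subca01 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: sngst-ca
000138: Aug 19 17:57:13.808 GMT: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 4289
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
Connection: close
000140: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_certc_pkcs7_extract_certs_and_crls failed
000141: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_pkcs7_extract_ca_cert returned
000142: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: Unable to read CA/RA certificates.
000143: Aug 19 17:57:13.812 GMT: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
"""

# Line shapes seen in the debug output (assumed to hold for similar IOS releases).
PREFIX_RE = re.compile(r"^\d+: [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ [A-Z]+: ")
STATUS_RE = re.compile(
    r"CRYPTO_PKI: status = (?P<code>0x[0-9A-Fa-f]+)"
    r"\((?P<name>\w+) : (?P<text>[^)]*)\): (?P<where>.*)$"
)
SYSLOG_RE = re.compile(r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
HTTP_STATUS_RE = re.compile(r"^HTTP/\d\.\d (?P<status>\d{3})")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z-]+): (?P<value>.*)$")
SCEP_OP_RE = re.compile(r"[?&]operation=(?P<op>\w+)")


@dataclass
class PkiTransaction:
    operation: Optional[str] = None
    http_status: Optional[int] = None
    content_type: Optional[str] = None
    content_length: Optional[int] = None
    errors: List[Tuple[str, str, str]] = field(default_factory=list)  # (code, name, failing function)
    syslog: List[Tuple[int, str, str]] = field(default_factory=list)  # (severity, mnemonic, text)


def parse_pki_debug(text: str) -> PkiTransaction:
    """Extract the SCEP operation, HTTP reply, PKI status codes and syslog messages."""
    tx = PkiTransaction()
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw.strip())  # drop "000140: Aug 19 17:57:13.812 GMT: "
        if not line:
            continue
        m = STATUS_RE.search(line)
        if m:
            tx.errors.append((m["code"], m["name"], m["where"]))
            continue
        m = SYSLOG_RE.search(line)
        if m:
            tx.syslog.append((int(m["sev"]), m["mnemonic"], m["text"]))
            continue
        m = HTTP_STATUS_RE.match(line)
        if m:
            tx.http_status = int(m["status"])
            continue
        m = SCEP_OP_RE.search(line)
        if m:
            tx.operation = m["op"]
            continue
        m = HEADER_RE.match(line)
        if m:
            name = m["name"].lower()
            if name == "content-type":
                tx.content_type = m["value"].strip()
            elif name == "content-length":
                tx.content_length = int(m["value"])
    return tx


def triage(tx: PkiTransaction) -> str:
    """Tell a transport problem apart from a local certificate-parsing problem."""
    names = {name for _, name, _ in tx.errors}
    if tx.http_status == 200 and tx.content_type == "application/x-x509-ca-ra-cert":
        if not tx.errors:
            return "CA/RA certificate bundle received and parsed"
        return "CA/RA certificate bundle received but not parsed: " + ", ".join(sorted(names))
    if tx.http_status is None:
        return "no HTTP reply from the SCEP server"
    return "SCEP server replied HTTP %d with %s" % (tx.http_status, tx.content_type)


if __name__ == "__main__":
    result = parse_pki_debug(SAMPLE_DEBUG)
    print(result.operation, result.http_status, result.content_length, result.content_type)
    print(triage(result))
```

The verdict for the log in the question is "bundle received but not parsed", which is the point to take to the security forum: the server side answered correctly, so the next thing to check is the certificate chain itself and what signature algorithms that IOS release can verify.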

ashish
Beginner

Hi Nagendra,

I couldn't join the presentation; is it still available?

Thanks

Ashish

Hi Ashish,

The video recording will be available soon. Please keep tracking the forum.

HTH,

Nagendra

Hi Ashish,

The video is now available.

https://supportforums.cisco.com/videos/2622

HTH,

Nagendra

sg_network
Beginner

Hi Nagendra,

One of our enterprise customers would like to convert IPv4 to MPLS as their enterprise core.

What is the best practice/method to migrate? One big migration or phase by phase?

Also, what is the default QoS setting for MPLS, and is the default setting enough to preserve EF and call signalling during MPLS core transit?

thanks,

John

Hi John

Actually, MPLS is used by service providers, but in case an enterprise wants to use MPLS, they can use VRF-Lite; or if they are getting the connectivity from an SP, in that case the migration is very easy because no change is needed in the enterprise.

The things which you need to understand are mentioned below:

1. Which routing protocol would you like to run with the SP?

2. Existing IGP?

3. IPv6

4. For QoS you need to ask your SP and they will provide you with the class details and mapping.

regards

shivlu Jain

Chetan Kumar Ress
Enthusiast
Hi

I was going through the sham-link RFC and I found something interesting but confusing.

I had simulated a lab for sham-link and checked that we won't require redistribution between MP-BGP and OSPF when we are using a sham-link; we just need to configure OSPF with the VRF and the sham-link, because the sham-link treats itself as a point-to-point link with an unnumbered interface.



4.2.7.4.  Routing and Forwarding on Sham Links

   If a PE determines that the next hop interface for a particular route
   is a sham link, then the PE SHOULD NOT redistribute that route into
   BGP as a VPN-IPv4 route.

   Any other route advertised in an LSA that is transmitted over a sham
   link MUST also be redistributed (by the PE flooding the LSA over the
   sham link) into BGP.  This means that if the preferred (OSPF) route
   for a given address prefix has the sham link as its next hop
   interface, then there will also be a "corresponding BGP route", for
   that same address prefix, installed in the VRF.

My question:

Can someone clarify for me: if I configured a sham-link, do we require redistribution between OSPF and MP-BGP for route propagation?

And

If redistribution is not required, then what is the meaning of the statement below?

   Any other route advertised in an LSA that is transmitted over a sham
   link MUST also be redistributed (by the PE flooding the LSA over the
   sham link) into BGP

Hi Chetan,

My question:

Can someone clarify for me: if I configured a sham-link, do we require redistribution between OSPF and MP-BGP for route propagation?

Even with an OSPF sham-link, we still need to redistribute OSPF into BGP. With the sham-link established, the LSAs will be exchanged between PE devices, but they don't have a way to signal the labels. So even though CE devices will see the prefixes as intra-area in the RIB, packet forwarding will fail at the data plane. This is due to the fact that the required label will not be exchanged between PE devices.

And

If redistribution is not required, then what is the meaning of the statement below?

   Any other route advertised in an LSA that is transmitted over a sham
   link MUST also be redistributed (by the PE flooding the LSA over the
   sham link) into BGP

As mentioned above, OSPF redistribution into BGP is required to have label signalling between PE devices.

HTH,

Nagendra
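The two sentences of RFC 4577 section 4.2.7.4 quoted in this exchange describe one rule on the PE (a route whose next hop is the sham link is not redistributed into BGP; every other OSPF route in the VRF is) and one consequence (a prefix reached over the sham link is forwarded with the label of its "corresponding BGP route"). The Python model below is an added illustration, not part of the thread and not Cisco code: it encodes that rule and shows why the reply's answer is "redistribution is still required". Topology, prefixes, interface names and the per-prefix label assignment are constructed simplifications.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SHAM_LINK = "shamlink"  # next-hop "interface" of routes learned from LSAs flooded over the sham link


@dataclass(frozen=True)
class OspfRoute:
    prefix: str
    next_hop_if: str  # a PE-CE interface, or SHAM_LINK


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    origin_pe: str
    label: int  # VPN label carried in the MP-BGP VPN-IPv4 update


def redistribute_ospf_into_bgp(pe: str, ospf_rib: Dict[str, OspfRoute],
                               first_label: int) -> Dict[str, VpnRoute]:
    """RFC 4577 4.2.7.4 as a function: skip routes whose next hop is the sham link
    (the remote PE already advertises them), advertise everything else with a label.
    One label per prefix is a simplification; real PEs may allocate per VRF."""
    advertised: Dict[str, VpnRoute] = {}
    label = first_label
    for prefix, route in sorted(ospf_rib.items()):
        if route.next_hop_if == SHAM_LINK:
            continue
        advertised[prefix] = VpnRoute(prefix, pe, label)
        label += 1
    return advertised


def forwarding_entry(prefix: str, ospf_rib: Dict[str, OspfRoute],
                     vpnv4_table: Dict[str, VpnRoute]) -> Optional[Tuple[str, Optional[int]]]:
    """Data-plane view on a PE. A prefix whose OSPF next hop is the sham link is only
    forwardable when the corresponding BGP route supplies the VPN label; the OSPF
    adjacency over the sham link carries no labels at all."""
    route = ospf_rib.get(prefix)
    if route is None:
        return None
    if route.next_hop_if != SHAM_LINK:
        return ("local-ce", None)  # sent straight to the attached CE, no VPN label needed
    bgp = vpnv4_table.get(prefix)
    if bgp is None:
        return None  # route is in the RIB as intra-area, but there is no label: forwarding fails
    return (bgp.origin_pe, bgp.label)


def scenario(redistribute_on_pe2: bool) -> Optional[Tuple[str, Optional[int]]]:
    """Constructed topology: CE1 -- PE1 ~~sham link~~ PE2 -- CE2.
    Returns what PE1 can do with traffic for CE2's prefix."""
    pe1_rib = {
        "10.1.0.0/16": OspfRoute("10.1.0.0/16", "Gi0/1"),   # from CE1
        "10.2.0.0/16": OspfRoute("10.2.0.0/16", SHAM_LINK),  # CE2's LSA, flooded over the sham link
    }
    pe2_rib = {
        "10.2.0.0/16": OspfRoute("10.2.0.0/16", "Gi0/2"),   # from CE2
        "10.1.0.0/16": OspfRoute("10.1.0.0/16", SHAM_LINK),
    }
    pe2_advertises = redistribute_ospf_into_bgp("PE2", pe2_rib, 100) if redistribute_on_pe2 else {}
    pe1_vpnv4 = dict(pe2_advertises)  # what PE1 learns from PE2 via MP-BGP
    return forwarding_entry("10.2.0.0/16", pe1_rib, pe1_vpnv4)


if __name__ == "__main__":
    print("without redistribution on PE2:", scenario(False))  # None: RIB has the route, no label
    print("with redistribution on PE2:   ", scenario(True))   # ('PE2', 100)
```

The model also shows the first half of the RFC text: running redistribute_ospf_into_bgp on PE1 against its own RIB advertises 10.1.0.0/16 only, because 10.2.0.0/16 has the sham link as its next hop.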

sean_evershed
Rising star

Hi,

Do you know when the webcast you presented will be available to download as a PDF?

Thanks

Sean

Hi Sean,

The PDF is available at the link below:

https://supportforums.cisco.com/docs/DOC-17930

You can also watch the video at the link below:

https://supportforums.cisco.com/videos/2622

HTH,

Nagendra

yue cheng
Beginner

hi,

In the LDP header there is a field called the LDP identifier that takes 48 bits; it is composed of a 32-bit IP address and a 16-bit amount of labels (I think that the number of labels LDP can advertise is 2^16). But in the MPLS header the label range is 2^20-16. Is there any collision?

Hi Yue,

The LDP Identifier (48 bits) comprises a 32-bit "LDP Router ID" and 16 bits of "label space". It is not the field where the actual label will be advertised, but informs neighbors about what label space the local LDP router is going to use: is it a per-interface space or the per-platform space?

The actual label will be advertised in the Label TLV, which is 32 bits in size.

HTH,

Nagendra
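To make the answer concrete, the script below is an added example (not from this thread and not Cisco code) that builds and parses an LDP PDU using the RFC 5036 layout: a 2-byte version, a 2-byte PDU length, the 48-bit LDP Identifier (32-bit LSR ID plus 16-bit label-space ID, where 0 means the platform-wide space), then a Label Mapping message carrying a Generic Label TLV whose 20-bit label sits right-aligned in a 4-byte value. It also encodes and decodes an RFC 3032 label stack entry. The round trip with the largest 20-bit label (0xFFFFF) shows that the 16-bit field in the identifier is not a label count and does not bound the label range. The LSR ID, message ID and label values are constructed, and the Label Mapping message omits the FEC TLV a real one carries.

```python
import struct
from ipaddress import IPv4Address

LDP_VERSION = 1
LABEL_MAPPING_MSG = 0x0400       # RFC 5036 Label Mapping message type
GENERIC_LABEL_TLV = 0x0200       # RFC 5036 Generic Label TLV type
MAX_MPLS_LABEL = (1 << 20) - 1   # MPLS labels are 20 bits wide (RFC 3032)
PLATFORM_WIDE_LABEL_SPACE = 0    # label-space id 0 = per-platform; non-zero = per-interface


def build_label_mapping_pdu(lsr_id: str, label_space: int, msg_id: int, label: int) -> bytes:
    """Build one LDP PDU holding one Label Mapping message with a single Generic Label
    TLV. (A real Label Mapping message also carries a FEC TLV first; omitted for brevity.)"""
    if not 0 <= label <= MAX_MPLS_LABEL:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= label_space <= 0xFFFF:
        raise ValueError("label space id must fit in 16 bits")
    # TLV: U=0, F=0, 14-bit type | 16-bit length | 20-bit label right-aligned in 32 bits
    tlv = struct.pack("!HHI", GENERIC_LABEL_TLV, 4, label)
    # Message: U=0, 15-bit type | length of what follows this field | message id | TLVs
    msg = struct.pack("!HHI", LABEL_MAPPING_MSG, 4 + len(tlv), msg_id) + tlv
    # 48-bit LDP Identifier: 32-bit LSR id + 16-bit label-space id
    ident = IPv4Address(lsr_id).packed + struct.pack("!H", label_space)
    # PDU header: version | length of what follows this field | LDP Identifier | messages
    return struct.pack("!HH", LDP_VERSION, len(ident) + len(msg)) + ident + msg


def parse_tlvs(body: bytes) -> list:
    tlvs, off = [], 0
    while off + 4 <= len(body):
        type_bits, length = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        tlvs.append({"type": type_bits & 0x3FFF, "u_bit": (type_bits >> 15) & 1,
                     "f_bit": (type_bits >> 14) & 1, "value": value})
        off += 4 + length
    return tlvs


def parse_ldp_pdu(buf: bytes) -> dict:
    if len(buf) < 10:
        raise ValueError("short PDU")
    version, pdu_len = struct.unpack("!HH", buf[:4])
    if version != LDP_VERSION:
        raise ValueError("unsupported LDP version %d" % version)
    if pdu_len != len(buf) - 4:
        raise ValueError("PDU length mismatch")
    lsr_id = str(IPv4Address(buf[4:8]))
    (label_space,) = struct.unpack("!H", buf[8:10])
    messages, off = [], 10
    while off + 8 <= len(buf):
        type_bits, msg_len, msg_id = struct.unpack("!HHI", buf[off:off + 8])
        body = buf[off + 8:off + 4 + msg_len]
        if len(body) != msg_len - 4:
            raise ValueError("truncated message")
        messages.append({"type": type_bits & 0x7FFF, "u_bit": type_bits >> 15,
                         "id": msg_id, "tlvs": parse_tlvs(body)})
        off += 4 + msg_len
    return {"lsr_id": lsr_id, "label_space": label_space, "messages": messages}


def decode_generic_label(tlv: dict) -> int:
    """The label is the low 20 bits of the 4-byte value; the upper 12 bits are unused."""
    if tlv["type"] != GENERIC_LABEL_TLV or len(tlv["value"]) != 4:
        raise ValueError("not a Generic Label TLV")
    (word,) = struct.unpack("!I", tlv["value"])
    return word & MAX_MPLS_LABEL


def encode_label_stack_entry(label: int, tc: int, s: int, ttl: int) -> int:
    """RFC 3032 label stack entry: 20-bit label | 3-bit TC | 1-bit bottom-of-stack | 8-bit TTL."""
    return (label << 12) | (tc << 9) | (s << 8) | ttl


def decode_label_stack_entry(word: int) -> dict:
    return {"label": word >> 12, "tc": (word >> 9) & 0x7, "s": (word >> 8) & 1, "ttl": word & 0xFF}


if __name__ == "__main__":
    pdu = build_label_mapping_pdu("10.0.0.1", PLATFORM_WIDE_LABEL_SPACE, 7, MAX_MPLS_LABEL)
    parsed = parse_ldp_pdu(pdu)
    print(parsed["lsr_id"], parsed["label_space"], hex(decode_generic_label(parsed["messages"][0]["tlvs"][0])))
    print(decode_label_stack_entry(encode_label_stack_entry(MAX_MPLS_LABEL, 5, 1, 64)))
```

The length checks on the PDU, message and TLV are the part worth keeping in any real parser: LDP runs over a TCP session with an IGP neighbor, and a truncated or oversized length field should be rejected rather than indexed past the buffer.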
