I’ll use the following topology:

Terms

Term   Description
CE     Customer Edge
PE     Provider Edge
U-PE   User Provider Edge
N-PE   Network Provider Edge
UNI    User Network Interface
VFI    Virtual Forwarding Instance

VFI is also called VSI (Virtual Switching Instance). Cisco uses the term VFI.

Introduction

VPLS is an MEF E-LAN service (MP2MP). H-VPLS (Hierarchical Virtual Private LAN Service) is a way to scale VPLS.

MPLS TE - Affinity

I’ll use the following topology: The basic idea of MPLS TE affinity is to add an attribute to a link and be able to include or exclude that link during path calculation. The concept is also known as link coloring. Affinity is configured on links with the mpls traffic-eng attribute-flags interface command. The value is expressed as a 32-bit hexadecimal number. By default a link has the value 0 (0x0).
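The following is an added example, not code from the original post, showing how attribute flags on links and the affinity/mask on a tunnel gate which links the path calculation may use. The four-router topology, the TE metrics and the meaning of the flag bits (0x1 "gold", 0x2 "backup") are assumptions made for illustration; the matching rule, a link is usable when (link flags AND mask) equals (affinity AND mask), is what IOS applies for tunnel mpls traffic-eng affinity, whose defaults are affinity 0x0 and mask 0xFFFF.

```python
"""Link coloring: which links may a TE tunnel's path calculation use?

Added example, not code from the original post. The topology, the TE metrics
and the meaning of the flag bits are assumptions made for illustration.
"""
import heapq

# Constructed topology: (router_a, router_b, te_metric, attribute_flags).
# attribute_flags is the per-link 32-bit value set with
# 'mpls traffic-eng attribute-flags'; 0x0 is the default.
LINKS = [
    ("R1", "R2", 10, 0x0),
    ("R2", "R4", 10, 0x0),
    ("R1", "R3", 10, 0x1),  # assumed: bit 0 marks "gold" links
    ("R3", "R4", 10, 0x1),
    ("R2", "R3", 5, 0x2),   # assumed: bit 1 marks a "backup" link
]

TUNNEL_DEFAULT_AFFINITY = 0x0
TUNNEL_DEFAULT_MASK = 0xFFFF  # IOS default for 'tunnel mpls traffic-eng affinity'


def link_allowed(flags, affinity, mask):
    """A link is usable when, within the masked bits, its flags equal the affinity."""
    return (flags & mask) == (affinity & mask)


def cspf(src, dst, affinity=TUNNEL_DEFAULT_AFFINITY, mask=TUNNEL_DEFAULT_MASK):
    """Dijkstra over the links that satisfy the affinity constraint.

    Returns (cost, [hops]) or None when the constraint leaves no path.
    """
    adj = {}
    for a, b, cost, flags in LINKS:
        if not link_allowed(flags, affinity, mask):
            continue  # pruned before path calculation, as CSPF does
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))

    dist = {src: 0}
    prev = {}
    pq = [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist.get(u, float("inf")):
            continue
        if u == dst:
            break
        for v, cost in adj.get(u, []):
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(pq, (nd, v))

    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


if __name__ == "__main__":
    print("default   :", cspf("R1", "R4"))
    print("gold only :", cspf("R1", "R4", affinity=0x1, mask=0x1))
    print("no gold   :", cspf("R1", "R4", affinity=0x0, mask=0x1))
    print("backup    :", cspf("R1", "R4", affinity=0x2, mask=0x2))
```

The first run shows the caveat worth remembering: because the default tunnel mask is 0xFFFF, a tunnel with no affinity configured at all only accepts links whose low 16 flag bits are zero, so coloring a link with any non-zero value silently removes it from every tunnel that keeps the defaults. A tunnel that should not care about a bit has to clear that bit in its mask.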

uRPF – lesson learned (again!)

I am a huge fan of securing user-facing interfaces. With a few knobs, some attacks and misconfigurations are avoided. I like configuring an SVI like this:

interface Vlan12
 description Users
 ip address
 no ip redirects
 no ip proxy-arp
 ip verify unicast source reachable-via rx

ICMP Redirects

I like to disable sending ICMP redirects. This might cause sub-optimal forwarding of packets, but I like the idea that my router, which is the clients' default gateway, does the forwarding.
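The following is an added example, not code from the original post, that works through what ip verify unicast source reachable-via rx (strict uRPF) accepts and drops on a user-facing SVI, next to the loose form (reachable-via any) and the allow-default keyword. The FIB, the interface names beyond Vlan12 and the sample packets are constructed for illustration; the decision logic is the one IOS applies: strict mode requires the best route back to the source to point out the ingress interface, loose mode requires only that some non-default route exists, and a match on the default route counts only with allow-default.

```python
"""Strict vs. loose unicast RPF on a small FIB.

Added example, not code from the original post. The FIB, the interface
names and the packets are constructed for illustration; the decision
logic mirrors 'ip verify unicast source reachable-via rx' (strict),
'... reachable-via any' (loose) and the 'allow-default' keyword.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB: (prefix, outgoing interface). Longest prefix wins.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),       # default route toward the upstream
    ("10.12.0.0/24", "Vlan12"),   # user subnet behind the SVI from the post
    ("10.13.0.0/24", "Vlan13"),   # a second user subnet
    ("192.0.2.0/24", "Gi0/1"),    # reached via a second uplink
]


def fib_lookup(src):
    """Longest-prefix match for a source address; (network, interface) or None."""
    addr = ip_address(src)
    best = None
    for prefix, intf in FIB:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def urpf_passes(src, ingress, mode="strict", allow_default=False):
    """Return True if a packet with source src entering on ingress survives uRPF.

    strict: the best route back to src must point out the ingress interface.
    loose : any route to src is enough, regardless of interface.
    A match on the default route only counts when allow_default is set.
    """
    hit = fib_lookup(src)
    if hit is None:
        return False
    net, intf = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return intf == ingress


def evaluate(packets, **kwargs):
    """Run (src, ingress) packets through the check; returns {(src, ingress): verdict}."""
    return {(src, ingress): urpf_passes(src, ingress, **kwargs) for src, ingress in packets}


# Constructed sample traffic seen on the user-facing SVI and on the uplink.
SAMPLE = [
    ("10.12.0.5", "Vlan12"),     # legitimate user
    ("10.13.0.5", "Vlan12"),     # user spoofing the neighbouring subnet
    ("198.51.100.9", "Vlan12"),  # user spoofing an Internet address
    ("192.0.2.7", "Gi0/0"),      # return traffic arriving on the "wrong" uplink
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, evaluate(SAMPLE, mode=mode))
```

On the user SVI, strict mode is the right choice: a host can only source addresses from the subnet routed out that SVI, so both spoofed packets in the sample are dropped. The last packet shows why the same knob is dangerous on uplinks with asymmetric routing: the best route to 192.0.2.0/24 points out Gi0/1, so strict mode on Gi0/0 drops legitimate return traffic, while loose mode still stops sources that have no route at all. uRPF on IOS also depends on CEF being enabled, since the check is a FIB lookup.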

Unified MPLS

Also known as seamless MPLS or hierarchical MPLS. It’s a way to scale to a very large network with multiple IGP domains. Let’s get started exploring this feature. I’ll use the topology below (Unified MPLS Topology) as we go along. What’s new here is RFC 3107 BGP IPv4 + label (labeled unicast) and the fact that we have multiple IGP domains. In this topology we have both an OSPF domain to the left between R2-R3-R4.

Multicast VPN Extranet

This post talks about how you can do inter-VRF multicast using BGP VPNv4 multicast (SAFI 129). You might have seen the guide on Cisco.com, Configuring Multicast VPN Extranet Support. It suggests leaking unicast routes between VRFs, which isn’t required for this to work. I’m using this topology to go through the configuration: Our source is R9 in VRF a, which is configured as Rosen draft on R10 and R12. The configuration for this is plain:

FlexVPN with AnyConnect-EAP using ISE and ZBFW

So you might have stumbled upon the FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP configuration guide, which works OK for local user authentication and authorization. But if you try to follow the guide on how to configure authentication and authorization with an AAA server, it will not work! This post addresses the configuration of AnyConnect IKEv2 for an IOS headend using ISE as the AAA server for authentication and authorization.


Label Distribution Protocol (LDP) is one of the protocols that can be used in MPLS to distribute labels. Others are RSVP-TE, BGP, and the IGPs (IS-IS and OSPF). This short post addresses LDP and how it works. I’m using two routers, R2 and R3, connected like this:

Configuration

LDP is very simple to configure. Basically only one command is needed.

mVPN – Profile 0 aka. “Rosen Draft”

mVPN Profile 0 is the original way of doing mVPN, from when there were no multicast extensions to LDP. This means we need PIM in the underlay, the SP core. Specifically the profile is called: Profile 0 Default MDT - GRE - PIM C-mcast Signaling

Topology

I’ll use the following topology to go through and explain the concepts and workings of Rosen Draft with Data MDT.

Default MDT

MDT (Multicast Distribution Tree) refers to the SP’s global environment, the underlay.

Ubuntu netplan static IP address

It has been a few years since I last touched a Linux box. Tonight I decided to install an Ubuntu Server and wanted to give it a static IP address. As I went to /etc/network and wanted to edit the interfaces file, I realised that things have changed. Now you configure the NICs using netplan. So I fired up PuTTY after reading some examples on how to do this and got hit by this error when trying to apply the configuration:

Deploy ASAv using Ovftool

If you ever get stuck with the “A required disk image was missing” error when deploying an OVA directly on an ESXi host, you might want to check this out. It is ASAv specific, but it should work for other OVAs too, as I wrote about in Deploy ISE PoV 2.3 OVA using ovftool. First of all you download the ASAv from CCO and unzip it. Second you create a text file with the command to deploy the OVA on the ESXi host.