Cisco PnP - Revisited

I’ve gone over the Cisco PnP feature before. This time I will revisit the feature with focus on other areas. Specifically these cases will be discussed: PnP with Non-Vlan1 (conditionally) Re-use DHCP-assigned IP address on another interface PnP with an EtherChannel PnP With Non-Vlan1 (Conditionally) I briefly discussed this in my original post, but I ran in to a case where I actually wanted both a startup-vlan and the default of Vlan1.


This post will look at how QoS works in an MPLS environment. The default behaviour of MPLS QoS is shown. Next, I’ll explain and demontrate the three MPLS QoS DiffServ Models - Uniform, Pipe, and Short Pipe. As usual expect both configuration examples and wireshark captures. Do not expect fancy QoS policies as this post’s goal is to reveal the concepts of the technology rather than focus on QoS in itself.

Cisco PnP

One of the main reasons to buy a DNA Center is to be able to harvest the benefits of automation. Many people associate DNAC with deploying an SD-Access network. SDA has a lot of focus these days and Cisco pushes hard to get it out there, but DNAC has many other uses cases besides SDA. SDA is actually just an application that you can install on a DNAC. It isn’t even installed by default when deploying a DNAC.

Segment Routing Introduction

Segment Routing (SR) is also known as SPRING (Source Packet Routing in Networking). Two flavours of SR exist: SR with MPLS SRv6 (IPv6 Segment Routing Header (SRH)) I will only cover SR with MPLS in this post. If you know MPLS it will be fairly easy to learn about SR. If we quickly look at the name of the feature and break it down, it will make sense what its all about.


I’ll use the following topology: Terms Term Description CE Customer Edge PE Provider Edge U-PE User Provider Edge N-PE Network Provider Edge UNI User Network Interface VFI Virtual Forwarding Instance VFI is also called VSI (Virtual Switching Instance). Cisco uses the term VFI. Introduction VPLS is an MEF E-LAN service (MP2MP). H-VPLS (Hierarchical Virtual Private LAN Service) is a way to scale VPLS.

MPLS TE - Affinity

I’ll use the following topology: The basic idea about MPLS TE affinity is to add an attribute to a link and be able to include or exclude this link during path calculation. The concept is also known as link coloring. Affinity is configured on links using the mpls traffic-eng attribute-flags interface command. The values is expressed in a 32-bit hexadecimal number. By default a link has the number 0 (or 0x0).

uRPF – lesson learned (again!)

I am a huge fan of securing user facing interfaces. With a few knobs some attacks and mis-configurations are avoided. I like configuring an SVI like this: interface Vlan12 description Users ip address no ip redirects no ip proxy-arp ip verify unicast source reachable-via rx ICMP Redirects I like to disable sending ICMP redirects. This might cause a sub-optimal forwarding of packets, but I like the idea that my router which is the clients default gateway does the forwarding.

Unified MPLS

Also known as seamless MPLS, or hierarchical MPLS. It’s a way to scale to a very large network with multiple IGP domains. Let’s get started exploring this feature. I’ll use the below topology as we go along.Unified MPLS Topology What’s new here is the RFC 3107 BGP IPv4 + label and the fact that we have multiple IGP domains. In this topology we have both an OSPF domain to the left between R2-R3-R4.

Multicast VPN Extranet

This post talks about how you can do inter-VRF multicast using BGP VPNv4 multicast (SAFI 129). You might have seen this guide on Configuring Multicast VPN Extranet Support They suggest leaking unicast routes between VRFs which isn’t required for this to work. I’m using this topology to go through the configuration: Our source is R9 in VRF a which is configured as rosen draft on R10 and R12. The configuration hereof is plain:

FlexVPN with AnyConnect-EAP using ISE and ZBFW

So you might have stumbled upon the FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP  configuration guide which works OK for local user authentication and authorization. But if you try to follow the guide on how to configure authentication and authorization with a AAA server, it will not work! This post addresses the configuration of using AnyConnect IKEv2 for a IOS headend using ISE as AAA server for authentication and authorization.