Cisco PnP

One of the main reasons to buy a DNA Center is to be able to harvest the benefits of automation. Many people associate DNAC with deploying an SD-Access network. SDA has a lot of focus these days and Cisco pushes hard to get it out there, but DNAC has many other uses cases besides SDA. SDA is actually just an application that you can install on a DNAC. It isn’t even installed by default when deploying a DNAC.

Segment Routing Introduction

Segment Routing (SR) is also known as SPRING (Source Packet Routing in Networking). Two flavours of SR exist: SR with MPLS SRv6 (IPv6 Segment Routing Header (SRH)) I will only cover SR with MPLS in this post. If you know MPLS it will be fairly easy to learn about SR. If we quickly look at the name of the feature and break it down, it will make sense what its all about.


I’ll use the following topology: Terms Term Description CE Customer Edge PE Provider Edge U-PE User Provider Edge N-PE Network Provider Edge UNI User Network Interface VFI Virtual Forwarding Instance VFI is also called VSI (Virtual Switching Instance). Cisco uses the term VFI. Introduction VPLS is an MEF E-LAN service (MP2MP). H-VPLS (Hierarchical Virtual Private LAN Service) is a way to scale VPLS.

MPLS TE - Affinity

I’ll use the following topology: The basic idea about MPLS TE affinity is to add an attribute to a link and be able to include or exclude this link during path calculation. The concept is also known as link coloring. Affinity is configured on links using the mpls traffic-eng attribute-flags interface command. The values is expressed in a 32-bit hexadecimal number. By default a link has the number 0 (or 0x0).

uRPF – lesson learned (again!)

I am a huge fan of securing user facing interfaces. With a few knobs some attacks and mis-configurations are avoided. I like configuring an SVI like this: interface Vlan12 description Users ip address no ip redirects no ip proxy-arp ip verify unicast source reachable-via rx ICMP Redirects I like to disable sending ICMP redirects. This might cause a sub-optimal forwarding of packets, but I like the idea that my router which is the clients default gateway does the forwarding.

Unified MPLS

Also known as seamless MPLS, or hierarchical MPLS. It’s a way to scale to a very large network with multiple IGP domains. Let’s get started exploring this feature. I’ll use the below topology as we go along.Unified MPLS Topology What’s new here is the RFC 3107 BGP IPv4 + label and the fact that we have multiple IGP domains. In this topology we have both an OSPF domain to the left between R2-R3-R4.

Multicast VPN Extranet

This post talks about how you can do inter-VRF multicast using BGP VPNv4 multicast (SAFI 129). You might have seen this guide on Configuring Multicast VPN Extranet Support They suggest leaking unicast routes between VRFs which isn’t required for this to work. I’m using this topology to go through the configuration: Our source is R9 in VRF a which is configured as rosen draft on R10 and R12. The configuration hereof is plain:

FlexVPN with AnyConnect-EAP using ISE and ZBFW

So you might have stumbled upon the FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP  configuration guide which works OK for local user authentication and authorization. But if you try to follow the guide on how to configure authentication and authorization with a AAA server, it will not work! This post addresses the configuration of using AnyConnect IKEv2 for a IOS headend using ISE as AAA server for authentication and authorization.


Label Distribution Protocol (LDP) is one of the protocols that can be used for MPLS to distribute labels. Other protocols are RSVP-TE, BGP, and IGPs (ISIS and OSPF). This short post addresses LDP and how it works. I’m using two routers to talk about LDP in this post. R2 and R3 that are connected like this: Configuration LDP is very simple to configure. It is basically just one command needed.

mVPN – Profile 0 aka. “Rosen Draft”

mVPN Profile 0 is the original way of doing mVPN when we had no extensions to LDP. This means we need PIM in the underlay – the SP core. Specifically the profile is called: Profile 0 Default MDT - GRE - PIM C-mcast Signaling Topology I’ll use the following topology to go through and explain the concepts and workings of Rosen Draft with Data MDT. Default MDT MDT (Multicast Distribution Tree) is referring to the SPs global environment – the underlay.