Cisco PnP

One of the main reasons to buy a DNA Center is to be able to harvest the benefits of automation. Many people associate DNAC with deploying an SD-Access network. SDA has a lot of focus these days and Cisco pushes hard to get it out there, but DNAC has many other use cases besides SDA. SDA is actually just an application that you can install on a DNAC. It isn’t even installed by default when deploying a DNAC. This post will address a feature of DNAC that has been around for some time now. It used to be one of the main reasons why you’d use APIC-EM, and now we’re lucky that it has been migrated and redesigned for DNAC. The feature is PnP (Plug’n Play). Let’s have a look at the benefits and workings of this awesome feature.

Segment Routing Introduction

Segment Routing (SR) is also known as SPRING (Source Packet Routing in Networking). Two flavours of SR exist:

  • SR with MPLS
  • SRv6 (IPv6 Segment Routing Header (SRH))

I will only cover SR with MPLS in this post.

If you know MPLS it will be fairly easy to learn about SR. If we quickly look at the name of the feature and break it down, it will make sense what it’s all about.

H-VPLS

I’ll use the following topology:

(Figure: topology diagram)

Terms

Term   Description
CE     Customer Edge
PE     Provider Edge
U-PE   User Provider Edge
N-PE   Network Provider Edge
UNI    User Network Interface
VFI    Virtual Forwarding Instance

VFI is also called VSI (Virtual Switching Instance). Cisco uses the term VFI.

Introduction

VPLS is an MEF E-LAN service (MP2MP).

H-VPLS (Hierarchical Virtual Private LAN Service) is a way to scale VPLS. The issue with VPLS is that it requires a full mesh of PWs (pseudowires) between PEs. This doesn’t scale. In order to address this shortcoming, two types of PEs exist with H-VPLS: U-PE and N-PE. The user facing PE (U-PE) is the router connecting to the CE and the N-PE. The network facing PE (N-PE) peers with U-PEs and N-PEs. The U-PE only needs to have a PW to the N-PE. But the N-PE still needs a full mesh of PWs to all other N-PEs, and also a PW to each U-PE.

MPLS TE - Affinity

I’ll use the following topology:

(Figure: topology diagram)

The basic idea about MPLS TE affinity is to add an attribute to a link and be able to include or exclude this link during path calculation. The concept is also known as link coloring.

Affinity is configured on links using the mpls traffic-eng attribute-flags <0x0-0xFFFFFFFF> interface command. The value is expressed as a 32-bit hexadecimal number. By default a link has the value 0 (or 0x0).

uRPF – lesson learned (again!)

I am a huge fan of securing user facing interfaces. With a few knobs some attacks and misconfigurations are avoided. I like configuring an SVI like this:

interface Vlan12
description Users
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip verify unicast source reachable-via rx

ICMP Redirects

I like to disable sending ICMP redirects. This might cause sub-optimal forwarding of packets, but I like the idea that my router, which is the clients’ default gateway, does the forwarding.

Unified MPLS

Unified MPLS is also known as seamless MPLS or hierarchical MPLS. It’s a way to scale to a very large network with multiple IGP domains. Let’s get started exploring this feature.

I’ll use the below topology as we go along.

(Figure: Unified MPLS topology)

What’s new here is the RFC 3107 BGP IPv4 + label and the fact that we have multiple IGP domains. In this topology we have an OSPF domain on the left between R2-R3-R4, and an ISIS domain on the right between R4-R5-R6.

Multicast VPN Extranet

This post talks about how you can do inter-VRF multicast using BGP VPNv4 multicast (SAFI 129).

You might have seen this guide on Cisco.com: Configuring Multicast VPN Extranet Support

They suggest leaking unicast routes between VRFs, which isn’t required for this to work.

I’m using this topology to go through the configuration:

LDP

Label Distribution Protocol (LDP) is one of the protocols that can be used for MPLS to distribute labels. Other protocols are RSVP-TE, BGP, and IGPs (ISIS and OSPF). This short post addresses LDP and how it works.

I’m using two routers, R2 and R3, to talk about LDP in this post. They are connected like this:

Configuration

LDP is very simple to configure. Basically just one command is needed.

mVPN – Profile 0 aka. “Rosen Draft”

mVPN Profile 0 is the original way of doing mVPN from before we had multicast extensions to LDP. This means we need PIM in the underlay, the SP core. Specifically the profile is called:

Profile 0 Default MDT - GRE - PIM C-mcast Signaling

Topology

I’ll use the following topology to go through and explain the concepts and workings of Rosen Draft with Data MDT.