PE-to-PE Troubleshooting in MPLS VPN Networks

End-to-end troubleshooting of MPLS VPN solutions is one of the more complex network troubleshooting tasks. On top of several sophisticated technologies and protocols used in MPLS VPN solutions, we have to deal with customer-to-provider interaction on the IP routing protocol level, which makes the troubleshooting efforts even more convoluted.

To minimize the impact of your customers on your troubleshooting efforts, you might want to start with the PE-to-PE troubleshooting. When used as the first step in your troubleshooting process, the PE-PE tests will bypass customer errors, intra-site customer routing problems, PE-CE interactions, and route redistribution issues.

read more add comment

Default Routing in NSSA Area

The RFC 3101 (OSPF NSSA Option) states:

In addition, an NSSA border router should originate a default LSA (IP network is 0.0.0.0/0) into the NSSA. Default routes are necessary because NSSAs do not receive full routing information and must have a default route in order to route to AS-external destinations.

I am pretty sure IOS inserted the type-7 default route into an NSSA area when the NSSA feature was introduced.

read more add comment

Are VLANs safe in DMZ environment?

The Thinking problem management! blog had an interesting article on The Leaky VLANs myth, quoting a test report from SANS Institute that documents how you can inject frames into other VLANs even if you're not connected to a trunk port. The report is eight years old (so one would hope this issue has been fixed in the meantime), but there's another question you should ask yourself is: what happens when you lose the configuration of the switch (and I've seen devices losing configuration after a power glitch). If you're using a router to perform L3 switching, no harm is done; a router with empty configuration forwards no packets. But if you're using a low-end switch, you're in deep trouble; by default, a switch forwards packets between all ports ... and if you use static IP addresses on all subnets, you won't even notice they're connected. If you want to be very safe, you're better off having a different set of switches for the inside and the outside zones of your firewall.

see 7 comments

Some DHCP clients do not use Client identifier option

A while ago I've documented how you can cope with DHCP clients that do not send Client identifier (DHCP option 61) in their DHCP Discover/Request messages, but some people are still trying to persuade me that the client-identifier pool configuration command should work. I really wanted to be sure I hadn't missed something, so I started Wireshark and captured the actual DHCP Discover packet generated by a Linux host:

 
As you can see, the DHCP packet does not contain the Client identifier option, so the DHCP server (the router) has nothing to compare the value of the client-identifier parameter with. The only parameter the DHCP server can use is the Client MAC address field in the DHCP Discover message, which is matched with the mac-address pool configuration command.
In contrast to the default Linux behavior, DHCP Discover messages generated by other platforms (for example, Windows or a Cisco router) include the Client identifier option:
 
see 1 comments
Sidebar