Ciscos, BGP, L2TPV3 pseudowires and loopback IPs
A simpler question(s) than it sounds: Customer just brought up their first BGP session at a new location. It is up fine with a full routing table; the second provider hookup is a few weeks away. The provider allocated a /24 (x.x.1.0/24) for the network and a /30 for the PTP connection (x.x.129.172/30). For the initial setup, I did not configure a loopback, I just put x.x.129.174 on the WAN interface and set up the neighbor as x.x.129.173. It's working fine.

We will need to set up a L2TPV3 tunnel to their old location (single homed, no BGP on that side). Upon initial reading of Cisco docs to do this, we will need a routable IP on a loopback interface for starters. Using one from the /24 LAN is out unless we subnet it, which we don't want to do.

So the question is, can I just "move" the PTP IP address x.x.129.174 from the WAN interface to the loopback like this?

interface Loopback0
 ip address x.x.129.174 255.255.255.252 (that's the mask we're using on the WAN - Cisco's loopback examples show .255)
interface WAN1 (actually a gigether)
 ip unnumbered loopback0 (or no ip addr?)
neighbor x.x.129.173 update-source Loopback0

Does this look even close to right? Or do we need another, single routable IP from the provider for the loopback? Also, I am assuming we don't need separate loopback interfaces for BGP as for the Bridge/Tunnel. What about when the second provider comes up? A second or third loopback to nail up their WAN IP? ***OR*** is there a way to put their WAN I/F IP on the loopback and take it off their LAN Ether...and then do IP unnum loop0 on the LAN?

TIA,

James Smallacombe
PlantageNet, Inc. CEO and Janitor
up@3.am
http://3.am
We will need to set up a L2TPV3 tunnel to their old location (single homed, no BGP on that side). Upon initial reading of Cisco docs to do this, we will need a routable IP on a loopback interface for starters.
I'm pretty sure this is just a recommendation based on good practise (routability to endpoints). I'm sure that since you are not multihomed you can just use "ip local interface WAN1" and be done with it; I seem to remember doing something similar in an l2tpv3 pw class and it working.
Using one from the /24 LAN is out unless we subnet it, which we don't want to do.
So the question is, can I just "move" the PTP IP address x.x.129.174 from the WAN interface to the loopback like this?
interface Loopback0
 ip address x.x.129.174 255.255.255.252 (that's the mask we're using on the WAN - Cisco's loopback examples show .255)
interface WAN1 (actually a gigether)
 ip unnumbered loopback0 (or no ip addr?)
neighbor x.x.129.173 update-source Loopback0
No, if you were to do this you should get a new transfer network; you can't have the same address on two interfaces (and in fact, you should really be stealing an address from your internal /24, which doesn't require any re-subnetting (if you are happy for this address to be unreachable), and it should have a /32 mask...

--
David Freedman
Group Network Engineering
Claranet Group
David Freedman wrote:
No, if you were to do this you should get a new transfer network, you can't have the same address on two interfaces (and in fact, you should really be stealing an address from your internal /24 which doesn't require any re-subnetting (if you are happy for this address to be unreachable) and it should have a /32 mask...
That's not correct. From a VZ IP circuit that I have:

interface Loopback0
 ip address x.x.x.x 255.255.255.255 (actual assigned mask is 255.255.255.252)
interface Serial0/0/0
 bandwidth 1536
 ip unnumbered Loopback0
ip route 0.0.0.0 0.0.0.0 Serial0/0/0

Works great for me across ~50 sites.

-Dave
On Wed, 10 Nov 2010, Dave Temkin wrote:
Apparently, cisco will not allow this to be done on an Ethernet interface, even if it is acting as a WAN interface. You get this:

Point-to-point (non-multi-access) interfaces only

James Smallacombe
On 11/11/2010 12:50 PM, James Smallacombe wrote:
Point-to-point (non-multi-access) interfaces only
Yeah, it's evil. I don't see a cisco equiv to state it's point to point (you can tell ISIS it is, but not define the interface as such). However, I'm not sure of the limitations or associated problems; you might try:

interface FastEthernet0/0.1
 encap dot1q 1 native
 ip unnumbered loopback1
!

Haven't tested it, but it utilizes the access code in IOS for subscriber management using vlans. As long as you have a route pointing out the interface, it will allow the traffic to go through.

Jack
Agreed: We used to use L2TPv3 tunnels fairly often to provide nailed-up private VLAN services to clients when we could only procure a Layer 3 circuit from another provider. They're pretty simple to set up and work reliably, although you may need to maintain both ends of the L2TPv3 at approximately matching IOS versions... at one point we had a perfectly working customer, then I upgraded a router at one end of the tunnel, and they suddenly had major, unexplainable packet loss all through the day. After I upgraded the other end, it returned to working fine.

But yeah, you don't really need a loopback. We routinely terminated the tunnels on the WAN address closest to the Internet. I think the only time I had to introduce a loopback was when one router was a tunnel terminator for two far-end locations, and when I tried to configure the second peer it complained at me. Also one time I wanted to have two parallel tunnels between the same source and destination routers (which is perfectly fine, because it has a tunnel discriminator number that keeps the two customers' traffic separate), except I also wanted to do some fancy QoS prioritization on one of them. By the time the traffic hits the WAN interface, the tunnel discriminator is buried too far down in the packet to use any "match" statements in the QoS, so I made one of the tunnels have a separate L2TPv3 endpoint on each router, and then I could just match on destination IP address.

But that was a weird edge case. Most of the time we just used the outside Internet address, either T1 or Ethernet. Email me back privately if you want me to dig up the configs out of our CatTools archive.

--
Jeff Saxe
Blue Ridge InternetWorks
Charlottesville, VA

________________________________________
From: David Freedman [david.freedman@uk.clara.net]
Sent: Wednesday, November 10, 2010 1:22 PM
To: nanog@nanog.org
Subject: Re: Ciscos, BGP, L2TPV3 pseudowires and loopback IPs
We will need to set up a L2TPV3 tunnel to their old location (single homed, no BGP on that side). Upon initial reading of Cisco docs to do this, we will need a routable IP on a loopback interface for starters.
Also, like any other tunnel, beware of MTU issues; these are so routinely forgotten :)

--
David Freedman
It is L2TPv3, I think, that Sprint is using for their "MPLS" offer and Sprint Link Frame Service.

-----Original Message-----
From: Jeff Saxe [mailto:jsaxe@briworks.com]
Sent: Thursday, November 11, 2010 7:29 AM
To: James Smallacombe
Subject: RE: Ciscos, BGP, L2TPV3 pseudowires and loopback IPs
With the latest IOS you MUST use loopback addresses or the Tunnel will not form, regardless of the class settings, especially if using L3 router termination device(s).

SRR

--- On Thu, 11/11/10, Jeff Saxe <jsaxe@briworks.com> wrote:
But yeah, you don't really need a loopback. We routinely terminated the tunnels on the WAN address closest to the Internet.
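Pulling the thread's advice together into one IOS configuration: a /32 loopback taken from the /24 (David Freedman's suggestion) as the L2TPv3 endpoint via "ip local interface", the eBGP session left on the WAN /30 exactly as it already works, and the pseudowire class set up for path-MTU discovery because of the MTU pitfall David raises. This is an added example, not a config posted by anyone in the thread; the addresses are RFC 5737 documentation ranges, and the AS numbers, class names, password and VC ID are assumed placeholders.

```cisco
! Added example, not anyone's posted config. RFC 5737 documentation addresses stand in for
! the poster's x.x.1.0/24 LAN and x.x.129.172/30 PTP link; AS numbers, class names and
! the VC ID are assumed placeholders.
!
! Loopback: one /32 taken from the /24 (David Freedman's suggestion). No re-subnetting is
! needed, and it stays reachable from the old site because the /24 is announced via BGP.
interface Loopback0
 description L2TPv3 pseudowire endpoint
 ip address 203.0.113.254 255.255.255.255
!
! WAN keeps its /30; the eBGP session stays sourced from it, exactly as already working.
interface GigabitEthernet0/0
 description Provider point-to-point link
 ip address 198.51.100.2 255.255.255.252
!
! Originate the /24 (pull-up route to Null0 so the network statement has a matching RIB entry).
ip route 203.0.113.0 255.255.255.0 Null0 250
router bgp 64496
 neighbor 198.51.100.1 remote-as 64500
 network 203.0.113.0 mask 255.255.255.0
!
! L2TPv3 control connection: authenticate the peer so only the old site's router can bind
! to this endpoint (the loopback is Internet-reachable by design).
l2tp-class L2TP-OLD-SITE
 authentication
 password 0 CHANGE-ME
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-OLD-SITE
 ip local interface Loopback0
 ! Path-MTU discovery plus DF on the outer header: addresses the MTU problem David warns about.
 ip pmtu
 ip dfbit set
!
! Attachment circuit: the LAN port that is bridged at Layer 2 to the old location.
! 192.0.2.1 stands for the old site's router; VC ID 100 must match the far end.
interface GigabitEthernet0/1
 description Bridged to old location
 no ip address
 xconnect 192.0.2.1 100 encapsulation l2tpv3 pw-class PW-L2TPV3
```

The far-end (single-homed) router mirrors the l2tp-class, pseudowire-class and xconnect with 203.0.113.254 as its peer; if that side has no spare routable address, "ip local interface" can point at its WAN interface, as David notes.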