What is MPLS Traffic Engineering Autotunnel Primary and Backup [one-hop RSVP-TE tunnels]?

Primary one-hop autotunnel: enables a router to dynamically create one-hop primary tunnels on all interfaces that have been configured with MPLS TE tunnels.
Backup autotunnel: enables a router to dynamically build backup tunnels.
If no backup tunnels exist, the following types of backup tunnels are created:
• Next hop (NHOP)
• Next-next hop (NNHOP)

Benefits
• Backup tunnels are built automatically, eliminating the need for users to preconfigure each backup tunnel and then assign the backup tunnel to the protected interface.
• The dynamic creation of one-hop primary tunnels eliminates the need to configure an MPLS TE tunnel with the Fast Reroute (FRR) option for the tunnel to be protected.
• Protection is expanded: on its own, FRR does not protect IP traffic or Label Distribution Protocol (LDP)-labelled traffic that is not carried in a TE tunnel; with a one-hop primary tunnel on every TE interface, that traffic is protected as well.
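
As an added illustration (not from the original notes and not Cisco's code), the Python sketch below models the path computation that autotunnel triggers at one headend: a one-hop primary tunnel per TE interface, an NHOP backup that avoids the protected link, and NNHOP backups that avoid the next-hop router altogether. The topology and router names are constructed; RSVP-TE signalling and the IGP TE database are not modelled.

```python
# Added example (not from the original notes): toy model of the path computation
# autotunnel triggers at one headend. Topology and router names are constructed.
from collections import deque
from typing import Dict, List, Optional, Set

Topology = Dict[str, Set[str]]  # router -> TE-enabled neighbours

# Constructed sample topology: a square with one diagonal.
TOPO: Topology = {
    "R1": {"R2", "R3"}, "R2": {"R1", "R3", "R4"},
    "R3": {"R1", "R2", "R4"}, "R4": {"R2", "R3"},
}

def shortest_path(topo: Topology, src: str, dst: str,
                  avoid_nodes: Set[str] = frozenset(),
                  avoid_links: Set[frozenset] = frozenset()) -> Optional[List[str]]:
    """Hop-count BFS that honours exclusions, the way a backup path must avoid
    the protected link (NHOP) or the protected node (NNHOP)."""
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nb in sorted(topo[node]):
            if nb in prev or nb in avoid_nodes or frozenset((node, nb)) in avoid_links:
                continue
            prev[nb] = node
            queue.append(nb)
    return None  # no diverse path: this interface cannot be protected

def autotunnel(topo: Topology, headend: str) -> dict:
    """For every TE interface: a one-hop primary, an NHOP backup avoiding that
    link, and NNHOP backups avoiding the next-hop router entirely."""
    result = {}
    for nhop in sorted(topo[headend]):
        link = frozenset((headend, nhop))
        result[nhop] = {
            "primary": [headend, nhop],
            "nhop_backup": shortest_path(topo, headend, nhop, avoid_links={link}),
            "nnhop_backups": {
                nnhop: shortest_path(topo, headend, nnhop, avoid_nodes={nhop})
                for nnhop in sorted(topo[nhop] - {headend})
            },
        }
    return result
```

A `None` backup marks an interface with no diverse path, which is exactly the case where autotunnel cannot give you FRR protection and the design needs another link.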

What are the Methods to Deploy MPLS-TE?

Tactical = Manual
Deployed as needed to clear up congestion.
LSP path calculation is done using automatic computations based on IGP TE extensions.

Strategic = Auto
A mesh of TE tunnels between a level of routers.
LSP path calculation is done using offline pre-computations and explicit route programming.


DiffServ Tunneling Modes

Uniform
In Uniform mode, packets are treated uniformly in the IP and MPLS networks; that is, the IP Precedence value and the MPLS EXP bits are always identical.

Pipe
• The QoS tunnel goes from the ingress CE router through the PE router to the egress CE router.
• The egress PE router removes the label entry and forwards packets as IP, but QoS is done on the output interface based on the MPLS EXP field received by the egress PE router.
• The service provider does not overwrite the IP Precedence value in the service provider’s network.

Short Pipe
• The QoS tunnel goes from the ingress PE router to the egress PE router.
• The egress PE router transmits packets as IP, and QoS is done on the output interface based on the IP DSCP or IP Precedence value.
• The service provider does not overwrite the DSCP or IP Precedence value in the service provider’s network.
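
To make the difference between the three modes concrete, here is an added Python model (not part of the original notes) that follows one packet through an LSP under each mode: label push at the ingress PE, an optional EXP re-mark in the core, and label pop at the egress PE. The provider's EXP policy value and the re-marking event are constructed for the illustration.

```python
# Added example (not from the original notes): a minimal model of how the three
# DiffServ tunneling modes treat DSCP and EXP along one LSP. The provider's EXP
# policy and the core re-marking event are constructed values for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    dscp: int                  # customer's IP DSCP (0..63); IP Precedence is bits 5..3
    exp: Optional[int] = None  # top-label EXP while the packet is label-switched

def precedence(dscp: int) -> int:
    return (dscp >> 3) & 0x7

def ingress_pe(pkt: Packet, mode: str, sp_exp: int) -> Packet:
    """Label push: uniform copies IP Precedence into EXP; pipe and short pipe
    let the provider set EXP from its own policy, leaving the IP header alone."""
    pkt.exp = precedence(pkt.dscp) if mode == "uniform" else sp_exp
    return pkt

def egress_pe(pkt: Packet, mode: str) -> Tuple[Packet, int]:
    """Label pop. Returns the IP packet and the value egress QoS classifies on."""
    received_exp = pkt.exp
    if mode == "uniform":
        # EXP is written back into IP Precedence; the low three DSCP bits survive
        pkt.dscp = (received_exp << 3) | (pkt.dscp & 0x7)
        qos_key = precedence(pkt.dscp)
    elif mode == "pipe":
        qos_key = received_exp   # QoS on the EXP received, customer DSCP untouched
    elif mode == "short-pipe":
        qos_key = pkt.dscp       # QoS on the customer's own DSCP, also untouched
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pkt.exp = None
    return pkt, qos_key

def traverse(dscp: int, mode: str, sp_exp: int = 2,
             core_remark_exp: Optional[int] = None) -> Tuple[int, int]:
    """Push at ingress PE, optionally re-mark EXP in the core (e.g. a policer
    marking down), pop at egress PE. Returns (DSCP delivered to CE, egress QoS key)."""
    pkt = ingress_pe(Packet(dscp), mode, sp_exp)
    if core_remark_exp is not None:
        pkt.exp = core_remark_exp
    pkt, qos_key = egress_pe(pkt, mode)
    return pkt.dscp, qos_key
```

Run with an EF packet (DSCP 46) and a core re-mark to EXP 0: uniform mode hands the customer back DSCP 6, while pipe and short pipe preserve DSCP 46 and differ only in whether the egress queue is chosen from the EXP or from the DSCP.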


What is DiffServ-Aware MPLS-TE?

DiffServ-aware Traffic Engineering enables service providers to perform separate admission control and separate route computation for discrete subsets of traffic (for example, voice and data traffic).

When MPLS TE and DiffServ are deployed simultaneously in a given network without this extension, they remain unaware of each other: MPLS TE performs constraint-based routing and admission control on an aggregate basis across all DiffServ classes.

DiffServ-aware MPLS Traffic Engineering is an extension to MPLS TE that makes it aware of DiffServ. It allows the benefits of constraint-based routing and admission control to be applied separately, and hence more accurately, to the different classes of service.

**CSPF (Constrained Shortest Path First) calculation is performed from the headend router based on the constraints defined in the tunnel definition and requirements. This calculation is performed by the IGP in use, either OSPF or IS-IS.
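
The following added Python example (not from the original notes) shows the admission-control difference on a single link: plain MPLS TE checks a new LSP against one aggregate pool, while DS-TE also checks a voice LSP against a voice sub-pool and a data LSP against the remainder. The link sizes, sub-pool and existing reservations are constructed, and the voice/data split is a simplified bandwidth-constraint model, not any vendor's exact rules.

```python
# Added example (not from the original notes): per-link admission control for a new
# TE LSP, aggregate MPLS TE beside DiffServ-aware TE. Link sizes, the voice
# sub-pool and existing reservations are constructed; the voice/data split is a
# simplification, not any vendor's exact bandwidth-constraint model.
from dataclasses import dataclass, field
from typing import Dict

@dataclass
class Link:
    global_pool_kbps: int                 # reservable bandwidth across all classes
    sub_pool_kbps: int                    # part of the global pool set aside for 'voice'
    reserved: Dict[str, int] = field(default_factory=dict)  # class -> kbps admitted

    def total_reserved(self) -> int:
        return sum(self.reserved.values())

def admit_aggregate(link: Link, bw_kbps: int) -> bool:
    """Plain MPLS TE: one pool, the class of traffic is ignored."""
    return link.total_reserved() + bw_kbps <= link.global_pool_kbps

def admit_ds_te(link: Link, class_type: str, bw_kbps: int) -> bool:
    """DS-TE: every LSP must fit the global pool; a voice LSP must also fit the
    voice sub-pool and a data LSP the remainder, so neither can starve the other."""
    if link.total_reserved() + bw_kbps > link.global_pool_kbps:
        return False
    if class_type == "voice":
        return link.reserved.get("voice", 0) + bw_kbps <= link.sub_pool_kbps
    # data may only use what the global pool has left outside the voice slice
    return link.reserved.get("data", 0) + bw_kbps <= link.global_pool_kbps - link.sub_pool_kbps

def reserve(link: Link, class_type: str, bw_kbps: int, ds_te: bool) -> bool:
    """Run the admission check and, if it passes, book the bandwidth."""
    ok = admit_ds_te(link, class_type, bw_kbps) if ds_te else admit_aggregate(link, bw_kbps)
    if ok:
        link.reserved[class_type] = link.reserved.get(class_type, 0) + bw_kbps
    return ok

def scenario() -> Dict[str, tuple]:
    """Constructed: 100 Mbit/s link, 30 Mbit/s voice sub-pool, 60 Mbit/s of data
    LSPs already up. Returns (aggregate decision, DS-TE decision) per request."""
    agg, dste = Link(100_000, 30_000, {"data": 60_000}), Link(100_000, 30_000, {"data": 60_000})
    decisions = {}
    # 35 Mbit/s voice LSP: fits the link as a whole but not the voice sub-pool
    decisions["voice 35M"] = (reserve(agg, "voice", 35_000, False), reserve(dste, "voice", 35_000, True))
    # 25 Mbit/s voice LSP: aggregate TE now has 5 Mbit/s left; DS-TE still has its whole sub-pool
    decisions["voice 25M"] = (reserve(agg, "voice", 25_000, False), reserve(dste, "voice", 25_000, True))
    return decisions
```

The aggregate link admits the oversized voice LSP and then has to refuse the one that would have fitted the voice budget; the DS-TE link refuses the first and admits the second, which is the "separate admission control" the paragraph describes.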

What is an Overlay VPN?

Before I go ahead and answer what an overlay VPN is, let’s look at the definition of what overlay means.

Overlay:
Something laid as a covering over something else.

Let’s put this definition in network terms.
Overlay VPN:
A customer network / topology built on top of the service provider network / topology [covering the service provider topology].

Example:
DMVPN built on top of the Internet.

L2 Overlay VPN = e.g. OTV / L2TPv3
L3 Overlay VPN = e.g. DMVPN / IPsec / GRE

Note:
An overlay solution is not scalable in comparison to a network-based solution.
**MPLS Layer 3 or Layer 2 VPN is a network-based [peer-to-peer] solution.

What is a Tunnel?

Yes, simple enough, but it’s often easy to create a simple definition that’s simply wrong.

Tunneling involves three levels of definition:

  1. From a packet’s perspective, a tunnel is created when one packet is encapsulated into another packet at an equal or higher level.
  2. From the data plane’s perspective, tunnels allow the forwarding of traffic to destinations only some of the devices along the path know how to reach.
  3. From the control plane’s perspective, tunneling involves the deployment of a second control plane, combined with breaking the network into multiple vertical failure domains.


Cisco ASA AnyConnect / SSL – Authenticate using RSA token & Active Directory combined

Step 1
Configure AAA for RSA & Active Directory
!
aaa-server RSA_RADIUS protocol radius
aaa-server RSA_RADIUS (INSIDE) host 10.10.10.10
 key *****
aaa-server RSA_RADIUS (INSIDE) host 10.10.10.11
 key *****
!
aaa-server AD_TESTAD protocol nt
aaa-server AD_TESTAD (INSIDE) host 20.20.20.20
 nt-auth-domain-controller 20.20.20.20
aaa-server AD_TESTAD (INSIDE) host 20.20.20.21
 nt-auth-domain-controller 20.20.20.21
!

Step 2
Configure the tunnel-group for RSA and Active Directory authentication
!
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RSA_RADIUS
 authentication-server-group (INSIDE) RSA_RADIUS
 secondary-authentication-server-group AD_TESTAD use-primary-username
 secondary-authentication-server-group (INSIDE) AD_TESTAD use-primary-username
!