SIP Normalization Script for removing the Diversion Header

When we forward a call from one  phone to another or from one hunt group to a phone, the Diversion header gets added to the SIP messages.
Some of the SIP gateways or Voice mail systems doesnt have the ability pick the required Diversion header.  For example look at the below message, we are calling the operator(1408) and the operator forwards the calls to Vishnu on 1100  so the Diversion headers are added to it.
When the call is forwarded to the Voice mail system. The server looks at the latest Diversion that is 1408 and provides the voice mail of Operator, instead of Vishnu.
If there is no Voice Mail box exist for 1408 then the System will say "The person you have tried does not have a valid Voice mail box configured on this system"  error message.

INVITE sip:9997@172.17.8.6:5060 SIP/2.0
Via: SIP/2.0/TCP 172.16.8.4:5060;branch=
From: <sip:1112@172.16.8.4>;tag=470449ec-8a27-f7e4c9c946e7-30683727
To: <sip:9997@172.17.8.6>
Date: Thu, 11 Dec 2014 13:41:36 GMT
Call-ID: 6bcc2d80-48919f10-704b6-40810ac@172.16.8.4
Supported: timer,resource-priority,replaces
Min-SE:  1800
User-Agent: Cisco-CUCM10.5
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence, kpml
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Call-Info: <sip:172.16.8.4:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Call-Info: <urn:x-cisco-remotecc:callinfo>;x-cisco-video-traffic-class=VIDEO_UNSPECIFIED
Cisco-Guid: 1808543104-0000065536-0000008029-0067637420
Session-Expires:  1800
Diversion: "Vishnu" <sip:1100@172.16.8.4>;reason=no-answer;privacy=off;screen=yes
Diversion: "Operator" <sip:1408@172.16.8.4>;reason=no-answer;privacy=off;screen=yes

So We need to need to configure the Voice mail server to pick the other Diversion .I.e 1100 instead of 1408
Cisco Unity connection or Microsoft Unified messaging has the option of selecting the Diversion header. But Microsoft Office 365 or any other voice mail servers doesnt have this option.

We need to remove the Extra Diversion from the SIP messages while sending out of the SIP trunk to the Voice mail server.
This can be acheived by using the SIP Normalization Script in the CUCM.
We need to create a Script in the CUCM server and assign it in the SIP trunk.
Step1: Login to Call manager.
Step2: Click Device --> Device Settings --> SIP Normalization Script
             Click Add New and add the below config and save the script  

Step 3: Then go to the  SIP truck.
              Click Device ---> Trunk and select the SIP trunk which goes to Voice mail server.
              Go to Normalization script section and select the UseLastDiversion script
              Save the Config.
              Reset the trunk.
After applying the script the script will remove the Lastbefore Diversion
So the output of SIP Message will look like below.

INVITE sip:9997@172.17.8.6:5060 SIP/2.0
Via: SIP/2.0/TCP 172.16.8.4:5060;branch=
From: <sip:1112@172.16.8.4>;tag=470449ec-8a27-f7e4c9c946e7-30683727
To: <sip:9997@172.17.8.6>
Date: Thu, 11 Dec 2014 13:41:36 GMT
Call-ID: 6bcc2d80-48919f10-704b6-40810ac@172.16.8.4
Supported: timer,resource-priority,replaces
Min-SE:  1800
User-Agent: Cisco-CUCM10.5
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence, kpml
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Call-Info: <sip:172.16.8.4:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Call-Info: <urn:x-cisco-remotecc:callinfo>;x-cisco-video-traffic-class=VIDEO_UNSPECIFIED
Cisco-Guid: 1808543104-0000065536-0000008029-0067637420
Session-Expires:  1800
Diversion: "Vishnu" <sip:1100@172.16.8.4>;reason=no-answer;privacy=off;screen=yes


P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online

How to Install Cacti on Centos

This procedure explains the Cacti installation on Centos Server using Yum.


Step1: Install the dependencies.

[:vishnu:root@sandbox ~]# yum install mysql-server mysql php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp php-pear-Net-SMTP php-mysql httpd

[:vishnu:root@sandbox ~]# yum install net-snmp-utils php-snmp net-snmp-libs


Step2: start mysqld and configure it

[:vishnu:root@sandbox ~]# service mysqld status
mysqld is stopped
[:vishnu:root@sandbox ~]# service mysqld start

Initializing MySQL database: Installing MySQL system tables...
OK
<<Output Suppressed>>
[ OK ]
Starting MySQL: [ OK ]
[:vishnu:root@sandbox ~]#
[:vishnu:root@sandbox ~]# /usr/bin/mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In <Output Omitted>
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!

Step3: Install Cacti

[:vishnu:root@sandbox ~]# yum install net-snmp-utils php-snmp net-snmp-libs
[:vishnu:root@sandbox ~]# yum install cacti

If cacti package is not available. Add the below repo to your machine and run the command again.
#vim /etc/yum.repos.d/dag.repo:
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
gpgkey=http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
enabled=1

Step4: Install Spine

Download the latest file from the cacti.net

tar xvzf cacti-spine-*.tar.gz
cd cacti-spine-*
./configure
make
sudo make install
Spine Path /usr/local/spine/bin/spine ​


Step5: Update the correct database details in /var/www/cacti/include/config.php

$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "cacti";
$database_port = "3306";
$database_ssl = false;


Step6: Spine config: update the below variables in spine.conf file

###Copy the config file first
cp /usr/local/spine/etc/spine.conf.dist /usr/local/spine/etc/spine.conf

DB_Host localhost
DB_Database cacti
DB_User cacti
DB_Pass cacti
DB_Port 3306
DB_PreG 0

step:6 create a database called cacti in mysql
#mysql -u root -p
#mysqladmin --user=root create cacti
#mysql --user=root mysql
mysql# GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'somepassword';
mysql# flush privileges;​

Step:7 Correct the Folder permission:
cd /var/www/cacti/
chown -R cacti rra/ log/

Step:8 Edit the cacti.conf file and add the "allow from all" in it.

#vim /etc/httpd/conf.d/cacti.conf
Alias /cacti/ /var/www/cacti/
<Directory /var/www/cacti/>
DirectoryIndex index.php
Options -Indexes
AllowOverride all
order deny,allow
deny from all
allow from all
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc on
php_flag track_vars on
</Directory>

Step:9 reload httpd config file.
# service httpd reload


Step 10 point your browser to:
http://your-server/cacti


P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online

Shell Script to generate Reverse DNS file for Core links

This is Shell script i created which Collects the IPaddress details from the WAN routers using SNMP and creates the reverse DNS file for the same. Some times the reverse DNS of the links will be very helful for identifying and troubleshooting the link issue, without looking at your database.

Create a file called device_list in /var/named folder. Enter the device detail hostname or IP address from where you need to retrive the IP address details.

eg:
core1.pop1
core2.pop1
( or )
10.1.1.1
10.2.1.1

update the grep commands to include the links which you want reverse_dns 
=================================================
#!/bin/bash
#This is a script to generate reverse DNS file for core links

DEVICELIST=/var/named/device_list
ALIASFILE=/tmp/ifalias
ADDRESSFILE=/tmp/ipaddress
REVERSEDNS=/tmp/reverse_dns
COREDNSFILE=core-reverse.inc
TMPCOREDNS=/tmp/$COREDNSFILE
BINDBASE=/var/named/inc-reverse
POPFILE=$BINDBASE/reversedns

##Empty the files
echo > $ALIASFILE
echo > $ADDRESSFILE
echo > $REVERSEDNS
echo > $TMPCOREDNS

for  DEVICE in `cut -d " " -f 1 $POPLIST`
                       do echo "$DEVICE"
                snmpwalk -v2c -c a0xCOWTF^@gXhgphcxMX!  $DEVICE ifAlia | egrep 'pl2'| grep -v trunk | sed 's/-/ /g' | sed 's/::ifAlias./ /g' | sed 's/_/ /g' | cut -d ' ' -f 3,6,7,8,9,10 > $ALIASFILE  2>/dev/null
                sed -i 's/[^ ]*/'$DEVICE'/6' $ALIASFILE
                snmpwalk -v2c -c a0xCOWTF^@gXhgphcxMX!  $DEVICE ipAdEntIfIndex | sed 's/-/ /g' | sed 's/::ipAdEntIfIndex./ /g' | sed 's/_/ /g' | cut -d ' ' -f 3,6 > $ADDRESSFILE  2>/dev/null
                awk 'NR==FNR {a[$2]=$1;next} {$1=a[$1];print}' $ADDRESSFILE $ALIASFILE | sed 's/\./_/g' | sed 's/ /_/g' >> $REVERSEDNS
        done
done

sed -i '/^$/d' $REVERSEDNS
awk -F '_' '{print $4"\."$3"\t""\t""IN""\t""PTR""\t"$5"-"$6"-"$7"-"$8"-"$9"-"$10"\."$11}' $REVERSEDNS > $TMPCOREDNS


#Move the files to bind base
mv $COREDNS $BINDBASE
chown root:named ${POPFILE}
chmod 640 ${POPFILE}


P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online

How to Migrate/Move Cisco VPN Phones to Different CUCM and ASA

This document explains the procedure to migrate a VPN phone to a different call manager and ASA without taking the phone to office.

As per the Cisco documents we cannot make  VPN configuration changes to the phone when the phone is outside of corporate network. But sometimes the User might be there in a remote location  and  cannot be connected to corporate network.
This document will help you to solve those problem. This is a tested procedure.

Considering that there is a New ASA and New call manager is installed with different IP addresses and the phone needs to connected to these new devices.

Step 1: Export the Certificate from the Old ASA and Import it to the New ASA.

        Use the below command on the old ASA. Once entered, the ASA will output a key. 

                    crypto ca export <trust-point-name> pkcs12 <passphrase>

        Copy the output and save it in a file. Save the file with the extension as .pki

        Please copy the BEGIN PKCS12  and END PKCS12 also to the file.

        If you dont remember the passphrase of the old ASA. Then you can use the below command.

                crypto ca export <trust-point-name> identity-certificate

        The problem with the identity-certificate command is that this will not export the rsa keys. so you have to figure out a way to export the rsa keys also.

Step 2 :Import the CA Crtificate to new ASA.
         Enter the below command on the New ASA and this will ask you to enter the certificate. Paste the output from the old ASA to this New ASA (Paste the BEGIN PKCS12 and END PKCS12 line also.

                   crypto ca import <trust-point-name> pkcs12 <passphrase>

Step 3: Import the CA  Certificate to New CUCM.
        From Cisco Unified Communications Operating System Administration, choose Security > Certificate Management.
        Click Upload Certificate and from the certificate name pull-down-menu, choosr Phone-VPN-trust
        Click browse to choose the file you want to upload .
        The remaining configuration (Phone and Cucm) can be copy pasted from old devices. 
Please refer Cisco for more details

Step 4: Configure the VPN Phone Username/ Passowd in the New ASA
        Make sure the username and password matches the old ASA config.
                username vishnu password hRoasdasQoPWF/3 encrypted

Step 5 : Configure the Phones  in the New CUCM
        Configure the VPN Phones in the New CUCM and make sure the ssl vpn profile is assigned to it and it matches the old CUCM

Step 6: Change the TFTF Server in the VPN Phone Point to New CUCM
        Contact the Remote user and ask him to change the TFTP Server in the VPN Phone pointing to the New CUCM

• Click on Setting --> Network Configuration --> IPv4 Configuration --> TFTP Server 1 
  • type **# to unblock the access to edit the setting
  • click edit and type <New CUCM IP> and click Validate
• Click on Setting --> Network Configuration --> IPv4 Configuration --> TFTP Server 2
  • type **# to unblock the access to edit the setting
  • click edit and type <Nwe CUMP IP> and click Validate

         After Changing the Configuration VPN Disconnects and Connects again (No Password Asked). Wait for the Extension Number to Show up.

Step 7 : Delete the ITL File from the VPN Phone
        Next delete the ITL file.

• Click on Settings --> Security Configuration --> Trust list --> ITL File
• type **# to unblock the access to edit the setting
• click more --> erase

        Phone starts upgrading by taking the config from New CUCM. It takes minimum 2 hours to complete the UPgrade. This Upgrade time is totally detpends on the distance between the CUCM and VPN Phone(latency)

       Once the upgrade is done.You may need to Enable the VPN on the Phone again.

       At this point it will upgrade all over again but takes only 10 Minutes.

Step 8: Connects to the New ASA
       Once upgraded it pops up for the Username/password
       Enter the Username/Password
       Now it connects to the New ASA and updates its Locale and other files and disconnects from the VPN
       Again it pops up for the Username/Password. Enter the username/Password and wait for 10 Min. The phone connects to  US call manager.

Step 9: Migration Completed.

Configuring SSL/Anyconnect VPN phone in ASA and CUCM

Below are the Requirements for Configuring a VPN phone with CUCM

• ASA runs 8.2 or higher IOS version
• Anyconnect SSL VPN license 

Step1 : Create  Certificate on ASA and Upload it in CUCM

#crypto ca certificate chain localtrust

This will give you an output of the certificate, copy paste the output to an notepad file and save it as *.pem file
Upload this file to CUCM.

Step2 : ASA Configuration

# crypto ca trustpoint localtrust
# enrollment self
# fqdn sslvpn.test.com
# subject-name CN=sslvpn.test.com
# keypair sslvpnkeypair
# crl configure

#ip local pool vpnpool2 172.17.24.10-172.17.24.254 mask 255.255.255.0

#ssl trust-point localtrust outside
#webvpn
 enable outside
 no anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 svc enable
 tunnel-group-list enable

group-policy test-ssl-group internal
group-policy test-ssl-group attributes
 dns-server value 172.17.1.15
 vpn-tunnel-protocol svc
 default-domain value corp.test.com
 address-pools value vpnpool2

#tunnel-group test-ssl-group type remote-access
tunnel-group test-ssl-group general-attributes
 default-group-policy test-ssl-group
tunnel-group test-ssl-group webvpn-attributes
 group-alias SSLVPNClient enable
 group-url https://1.1.1.1/ enable


username vishnu password vishnu
username vishnu attributes
 service-type remote-access

Step3 : CUCM Configuration

Work in progress!!!!

CTI Route Point in VOIP

What is CTI route point and CTI port?

         CTI ports are like soft phones with extensions and CTI route points are like an Hunt group.
Normally this is used in IVR system. When the incoming call comes first it gets forwarded to the CTI route point which has an extension configured. That extension provides the IVR option to the user.
Based on the USer input the calls are forwarded to the CTI port which has the actual extension configured.

How to install Flow-tools and Flow-viewer on Centos 5.4

Installing Flow-tools and Flow-viewer on Centos 5.4

Make sure you have the gnu make package installed on your system.
you can check this by using the below command, if not installed install the same using yum install make

#  rpm -qa | grep make

Install dependencies, Download the dependecy package zlib and install it

# wget http://zlib.net/zlib-1.2.8.tar.gz
# tar -xvf zlib-1.2.8.tar.gz
# cd zlib-1.2.8
# ./configure
# make
# make install
# yum install tcp_wrappers

Installing flow-tools: Download Latest flow-tools from from https://code.google.com/p/flow-tools/

#  wget https://code.google.com/p/flow-tools/
# tar  -xjvf flow-tools-0.68.5.1.tar.bz2.
# cd flow-tools-0.68.5.1
# ./configure
# make
# make install


Install flow-viewer: Download the latest flow-viewer from http://sourceforge.net/projects/flowviewer/ and Move the flow-viewer files to cgi-bin directory of your server and install the dependencies

# untar FlowViewer_4.4.tar
# mv FlowViewer_4.4 /var/www/cgi-bin/flowviewer
# yum install gd-devel
# cpan GD
# /usr/bin/make install  -- OK
# cpan GD::Graph
# yum install rrdtool
# cd /var/www/cgi-bin/flowviewer/tools

Move flow-capture-table.conf to /etc/flow-capture-table.conf
Edit the file with the your router ip address and port number.

# mv /var/www/cgi-bin/flowviewer/tools/flowcapture_restart /etc/init.d/flowcapture

edit the /etc/init.d/flowcapture file and make sure the below paths are mentioned correctly and have the valid path.

# USER=root
# RRDTOOL_PATH=/usr/bin
# FLOW_CAPTURE_TABLE=/var/flow-tools/flow-capture-table.conf
# FLOW_CAPTURE_BIN=/usr/bin/flow-capture
# FLOW_CAPTURE_PID_DIR=/var/run/flow-capture.pid

# cd /var/www/cgi-bin/flowviewer/tools/
# mv flowtracker_restart /etc/init.d/flowtracker

Make sure the below paths are correct in the flowtracker file

FlowViewer=/var/www/cgi-bin/flowviewer
user=root
RRDTOOL_PATH=/usr/bin

Start the Flow-viewer and flow-tracker

# /etc/init.d/flow-capture start
# /etc/init.d/flow-tracker start

Point your web brouser to the below url (replace the ip address with your server ip).

https://192.168.1.1/cgi-bin/flowviewer/FlowViewer.cgi


You are done installing a great netflow tool. Enjoy!!!


P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online

Troubleshooting Voice Gateway incoming issue when using ISDN

If the incoming call is getting disconnected with the message "The call cannot be connected" then mostly it could be because of the IVR down issue.
To troubleshoot the same first enable the debug "debug isdn q931" on the voice gateway. See if you are seeing any cause for the call disconnection.


045951: Feb  4 02:38:28.074: ISDN Se0/0/0:23 Q931: SETUP pd = 8  callref = 0x1943
Bearer Capability i = 0x8090A2
Standard = CCITT
Transfer Capability = Speech 
Transfer Mode = Circuit
Transfer Rate = 64 kbit/s
Channel ID i = 0xA98381
Exclusive, Channel 1
Progress Ind i = 0x8283 - Origination address is non-ISDN 
Calling Party Number i = 0x1180, '919902384363'
Plan:ISDN, Type:International
Called Party Number i = 0xA1, '--------------'
Plan:ISDN, Type:National
045953: Feb  4 02:38:28.074: ISDN Se0/0/0:23 Q931: Received SETUP  callref = 0x9943 callID = 0x221B switch = primary-ni interface = User
045954: Feb  4 02:38:28.078: ISDN Se0/0/0:23 SERROR: process_pri_simple: NO name in GTD
 --More--         045955: Feb  4 02:38:28.082: ISDN Se0/0/0:23 Q921: User TX -> INFO sapi=0 tei=0, ns=29 nr=1
045956: Feb  4 02:38:28.082: ISDN Se0/0/0:23 Q931: CALL_PROC pd = 8  callref = 0x9943
Channel ID i = 0xA98381
Exclusive, Channel 1
045959: Feb  4 02:38:28.322: ISDN Se0/0/0:23 Q931: DISCONNECT pd = 8  callref = 0x9943
Cause i = 0x8081 - Unallocated/unassigned number


The above casue indicates that there is some issue with called party number.

Check where the incoing call lands:

Check the incoming calls translations configuration on done properly or not.
The easiest way to do this is enable "debug dialpeer" on the vgw and see if it through any errors.
or check the voice-port configuration for incoming call translation rule name using the "show run | sec voice-port <port number>"

voice-port 0/0/0:23
 translation-profile incoming pstn-in
 timeouts call-disconnect 5


Then check the translation-profile and respective translation rule for the pstn-in.
This will show you the extension number where the call lands after the translation. This may be your IVR system extension number.
check the status of your IVR system.


P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online

How to find the pixel points of an image

This is simple one but most of us will be searching for it all the time.
Finding the pixel point will be useful when you want to point some specific place in the image. This will be usefull in some apps like Cacti weathermap, or nagviz.
when you code the config for those app you can just mention the pixel values to create a point on the image.

To find the pixel of a image just open the image on ms paint (windows inbuilt app) and look at the status bar at last you will find the pixel of the particular point where your mouse exists.

Link Load Balancing using MPLS TE

Why MPLS TE?

There are multiple IGP  protocols which can do load sharing, but the condition is that both the links has to be connected on a single router. Even if we use  OSPF & ISIS, they can only do equal cost load balancing.
Eigrp can do unequal cost load balancing but practically it is not preferred to use in network because of its proprietary feature.

But  MPLS-TE can do unequal cost load balancing and also it can do load balancing with two links which are not connected on a single router. This protocol  was mainly designed for the purpose of load balancing.

MPLS - TE is supported by both the IGP (OSPF and ISIS). Hence you will need to have the IGP running in the network.

Configuring MPLS TE:

Consider the below topology  and assume that we are running  ISIS as routing protocol between the routers.
In ISIS protocol lower the metric is preferred. Hence the normal ISIS path is mentioned in blue line below.

We can use MPLS - TE tunnels from R1 to R3 to do the load balancing on both the links.
The Traffic Engineering tunnel T0 has to be configured with dynamic path and the Traffic Engineering  tunnel T1 has to be configured with explicit path mentioning the explicit path to go via R1-> R2->R4->R3.
Once the te tunnels are created and up the Traffic Engineering tunnels will take the IGP metric and will get added in the routing table. Say if the IGP between R1 and R3 has a metric of 100 the tunnels between R1 and R3 will use the same metric(We also can change this by using "tunnel mpls traffic-eng path-selection metric te" inside tunnel config). so now for POP-A to reach POP-B it has two routes one through Te0 and Te1.
When you have the Te tunnels up the physical path will not be shown in the routing table.
if Airtel link goes down the Te0 tunnel will go down and the traffic will go via T1 tunnel.

What happens when you have another POPs connects to POP-B.
For POP-A To reach POP-C or POP-D we might have already learned a route on R1 saying go via R3(learned via IGP), once the Te tunnels are up for those subnets also the traffic will flow through the Te tunnels.

Configuration of R1.

mpls traffic-eng tunnels
router isis core
   net 49.0000.0004.0000.0251.00
   metric-style wide
   fast-flood 10
   mpls traffic-eng router-id Loopback162
   mpls traffic-eng level-2

interface GigabitEthernet0/2/4
   description LINK_TO_R3_AIRTEL
   ip address 10.128.1.1 255.255.255.252
   ip router isis core
   mpls traffic-eng tunnels
   isis circuit-type level-2-only
   isis metric 100
   ip rsvp bandwidth

interface Tunnel0

  description TUNEL_TO_R3_VIA_AIRTEL

  ip unnumbered Loopback162

  tunnel mode mpls traffic-eng

  tunnel destination 10.1.1.3

  tunnel mpls traffic-eng autoroute announce

  tunnel mpls traffic-eng priority 1 1

  tunnel mpls traffic-eng bandwidth 100

  tunnel mpls traffic-eng path-option 1 dynamic

interface Tunnel1

  description TUNEL_TO_R3_VIA_TATA

  ip unnumbered Loopback162

  tunnel mode mpls traffic-eng

  tunnel destination 10.1.1.3

  tunnel mpls traffic-eng autoroute announce

  tunnel mpls traffic-eng priority 1 1

  tunnel mpls traffic-eng bandwidth 100

  tunnel mpls traffic-eng path-option 1 explicit name R2-R4-R3

ip explicit-path name R2-R4-R3 enable

 next-address  <R2 Ip address)

 next-address  <R4 IP address)

 next-address  <R3 IP address)

Please note MPLS TE tunnels are one way traffic , we have to configure the R3 also with the Tunnel configurations to get the reverse path also to do load balancing.

Advantages of using MPLS TE

• More Control on traffic
• Utilizing all the links in the network.
• You can have part of your network running MPLS te and other network 

Disadvantage of using MPLS TE

• It is not supported on Port channel interface.
• VRF interfaces are not supported.
• Cisco lower end routers and ISR's are not supported with this features