The topology used for Cisco MPLS lab has been slightly modified to work on MPLS L3VPNs, one of the possible use of MPLS technology.
MPLS L3VPNs provide isolation for customers of the same network. This is made possible thanks to VRF (Virtual Routing and Forwarding) which are virtual and isolated routing tables.
– A working MPLS network
We will implement the following technologies:
– MP-BGP between RR1 and all the PEs,
– VRFs for each customers on the PEs,
– a routing protocol for PE-CE communication.
Route reflector configuration
To switch to new BGP address-family configuration style, use the bgp upgrade-cli command
Route reflector: a route reflector is an iBGP functionality that permits to avoid iBGP full mesh by reflecting routes from one peer to another. More info here.
Peer group: a peer group enables two things: group all prefix updates in one BGP UPDATE message and reduce the BGP configuration.
VPNV4: a specific types of prefixes that combines a route distinguisher identifying the VRF and an IPv4 prefix.
router bgp 65000 bgp router-id 188.8.131.52 bgp log-neighbor-changes neighbor RRCLIENT peer-group neighbor RRCLIENT remote-as 65000 neighbor RRCLIENT update-source Loopback0 neighbor 184.108.40.206 peer-group RRCLIENT neighbor 220.127.116.11 peer-group RRCLIENT neighbor 18.104.22.168 peer-group RRCLIENT neighbor 22.214.171.124 peer-group RRCLIENT ! address-family ipv4 no synchronization neighbor RRCLIENT route-reflector-client neighbor RRCLIENT soft-reconfiguration inbound neighbor 126.96.36.199 activate neighbor 188.8.131.52 activate neighbor 184.108.40.206 activate neighbor 220.127.116.11 activate no auto-summary exit-address-family ! address-family vpnv4 neighbor RRCLIENT send-community both neighbor RRCLIENT route-reflector-client neighbor 18.104.22.168 activate neighbor 22.214.171.124 activate neighbor 126.96.36.199 activate neighbor 188.8.131.52 activate exit-address-family
PE1 configuration example
route distinguisher (rd): identifier corresponding to a VRFs
route-target (rt): indicates how routes are exchanged (transmitted as extended communities)
ip vrf B description VRF Customer B rd 65000:1 route-target export 65000:1 route-target import 65000:1 ! ip vrf C description VRF Customer C rd 65000:2 route-target export 65000:2 route-target import 65000:2
VRFs on interfaces
interface FastEthernet0/0.10 encapsulation dot1Q 10 ip vrf forwarding B ip address 184.108.40.206 255.255.255.0 ! interface FastEthernet0/0.11 encapsulation dot1Q 11 ip vrf forwarding C ip address 220.127.116.11 255.255.255.0
router eigrp 65000 auto-summary ! address-family ipv4 vrf C redistribute bgp 65000 metric 1 1 1 1 1 network 0.0.0.0 auto-summary autonomous-system 11 exit-address-family ! address-family ipv4 vrf B redistribute bgp 65000 metric 1 1 1 1 1 network 0.0.0.0 no auto-summary autonomous-system 10 exit-address-family ! router bgp 65000 bgp router-id 18.104.22.168 bgp log-neighbor-changes neighbor 22.214.171.124 remote-as 65000 neighbor 126.96.36.199 update-source Loopback0 ! address-family ipv4 vrf C redistribute eigrp 11 no synchronization exit-address-family ! address-family ipv4 vrf B redistribute eigrp 10 no synchronization exit-address-family
On ACPE1, traditional EIGRP:
router eigrp 10 network 0.0.0.0 no auto-summary
Verification on BCPE1
BCPE1#sh ip route 188.8.131.52/32 is subnetted, 1 subnets C 184.108.40.206 is directly connected, Loopback0 220.127.116.11/24 is subnetted, 1 subnets D EX 18.104.22.168 [170/2560025856] via 22.214.171.124, 00:01:11, FastEthernet0/0 126.96.36.199/32 is subnetted, 1 subnets D EX 188.8.131.52 [170/2560025856] via 184.108.40.206, 00:01:11, FastEthernet0/0 220.127.116.11/24 is subnetted, 1 subnets C 18.104.22.168 is directly connected, FastEthernet0/0 BCPE1#ping 22.214.171.124 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 126.96.36.199, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 84/84/88 ms
We can check on CCPE1 that customers B’s routes are not reachable
CCPE1#sh ip route 188.8.131.52/24 is subnetted, 1 subnets C 184.108.40.206 is directly connected, FastEthernet0/0 220.127.116.11/24 is subnetted, 1 subnets C 18.104.22.168 is directly connected, Loopback0 22.214.171.124/24 is subnetted, 1 subnets D EX 126.96.36.199 [170/2560002816] via 188.8.131.52, 00:02:35, FastEthernet0/0 184.108.40.206/24 is subnetted, 1 subnets D EX 220.127.116.11 [170/2560002816] via 18.104.22.168, 00:02:35, FastEthernet0/0
Examine the packet (BCPE1 to BCPE4)
As usual, the packet is switched and left unmodified until it reaches the PE router.
The packet enter the PE router:
PE1#sh ip route vrf B Routing Table: B ... 22.214.171.124/32 is subnetted, 1 subnets D 126.96.36.199 [90/156160] via 188.8.131.52, 01:47:46, FastEthernet0/0.10 184.108.40.206/24 is subnetted, 1 subnets B 220.127.116.11 [200/0] via 18.104.22.168, 00:09:26 22.214.171.124/32 is subnetted, 1 subnets B 126.96.36.199 [200/156160] via 188.8.131.52, 00:09:26 184.108.40.206/24 is subnetted, 1 subnets C 220.127.116.11 is directly connected, FastEthernet0/0.10
The MPLS VPN tag (39):
PE1#show ip bgp vpnv4 all labels | i 18.104.22.168 22.214.171.124 nolabel/39 126.96.36.199/24 188.8.131.52 nolabel/38 184.108.40.206/24 220.127.116.11 nolabel/40 18.104.22.168/24 22.214.171.124 nolabel/41
The next-hop is 126.96.36.199, however 188.8.131.52 is not reachable from the PE RT, but is present in the MPLS LFIB (27)
PE1#sh mpls forwarding-table | i 184.108.40.206 Local Outgoing Prefix Bytes tag Outgoing Next Hop 30 27 220.127.116.11/32 0 Fa0/1 18.104.22.168
P1 swap the outer tag used for MPLS switching (27 to 26)
P1#sh mpls forwarding-table | i 22.214.171.124 27 26 126.96.36.199/32 70630 Fa2/0 188.8.131.52
P2 remove the outer tag (Penutilmate Hop Popping, PHP). This operation is done one hop before the PE router. Only the VPN tag remains.
P2#sh mpls forwarding-table | i 184.108.40.206 26 Pop tag 220.127.116.11/32 199791 Fa2/0 18.104.22.168
The packet is then oriented to the right interface on the PE router:
PE4#sh ip bgp vpnv4 all labels Network Next Hop In label/Out label Route Distinguisher: 65000:1 (B) 22.214.171.124/32 126.96.36.199 nolabel/38 188.8.131.52/24 184.108.40.206 nolabel/39 220.127.116.11/32 18.104.22.168 39/nolabel 22.214.171.124/24 0.0.0.0 38/aggregate(B) PE4#sh ip route vrf B eigrp 126.96.36.199/32 is subnetted, 1 subnets D 188.8.131.52 [90/156160] via 184.108.40.206, 02:21:57, FastEthernet0/1.12
PE1#sh ip vrf ? WORD VPN Routing/Forwarding instance name brief Brief VPN Routing/Forwarding instance information detail Detailed VPN Routing/Forwarding instance information id Show VPN Routing/Forwarding VPN-ID information interfaces Show VPN Routing/Forwarding interface information | Output modifiers PE1#sh ip route vrf X PE1#sh ip bgp vpnv4 ? all Display information about all VPNv4 NLRIs rd Display information for a route distinguisher vrf Display information for a VPN Routing/Forwarding instance PE1#sh ip bgp vpnv4 vrf B ? A.B.C.D IP prefix /, e.g., 220.127.116.11/8 A.B.C.D Network in the BGP routing table to display cidr-only Display only routes with non-natural netmasks community Display routes matching the communities community-list Display routes matching the community-list dampening Display detailed information about dampening extcommunity-list Display routes matching the extcommunity-list filter-list Display routes conforming to the filter-list inconsistent-as Display only routes with inconsistent origin ASs labels Display BGP labels for prefixes neighbors Detailed information on TCP and BGP neighbor connections oer-paths Display all oer controlled paths paths Path information peer-group Display information on peer-groups pending-prefixes Display prefixes pending deletion prefix-list Display routes matching the prefix-list quote-regexp Display routes matching the AS path "regular expression" regexp Display routes matching the AS path regular expression replication Display replication status of update-group(s) rib-failure Display bgp routes that failed to install in the routing table (RIB) route-map Display routes matching the route-map
Route target extended community
PE1#sh ip bgp vpnv4 all 18.104.22.168/32 BGP routing table entry for 65000:1:22.214.171.124/32, version 22 Paths: (1 available, best #1, table B) Flag: 0x820 Not advertised to any peer Local 126.96.36.199 (metric 4) from 188.8.131.52 (184.108.40.206) Origin incomplete, metric 156160, localpref 100, valid, internal, best Extended Community: RT:65000:1 Cost:pre-bestpath:128:156160 0x8800:32768:0 0x8801:12:130560 0x8802:65281:25600 0x8803:65281:1500 Originator: 220.127.116.11, Cluster list: 18.104.22.168 mpls labels in/out nolabel/34
Download the configurations here.
RFCs 4364 : http://tools.ietf.org/html/rfc4364