The topology used for the Cisco MPLS lab has been slightly modified to work on MPLS L3VPNs, one of the possible uses of MPLS technology.
MPLS L3VPNs provide isolation between customers of the same network. This is made possible by VRFs (Virtual Routing and Forwarding instances), which are virtual, isolated routing tables.
– A working MPLS network
We will implement the following technologies:
– MP-BGP between RR1 and all the PEs,
– VRFs for each customer on the PEs,
– a routing protocol for PE-CE communication.
Route reflector configuration
To switch to the new BGP address-family configuration style, use the bgp upgrade-cli command.
Route reflector: a route reflector is an iBGP feature that avoids the need for an iBGP full mesh by reflecting routes from one peer to another. More info here.
Peer group: a peer group does two things: it groups all prefix updates in one BGP UPDATE message and it reduces the BGP configuration.
VPNv4: a specific type of prefix that combines a route distinguisher identifying the VRF and an IPv4 prefix.
router bgp 65000
 bgp router-id 22.214.171.124
 bgp log-neighbor-changes
 neighbor RRCLIENT peer-group
 neighbor RRCLIENT remote-as 65000
 neighbor RRCLIENT update-source Loopback0
 neighbor 126.96.36.199 peer-group RRCLIENT
 neighbor 188.8.131.52 peer-group RRCLIENT
 neighbor 184.108.40.206 peer-group RRCLIENT
 neighbor 220.127.116.11 peer-group RRCLIENT
 !
 address-family ipv4
  no synchronization
  neighbor RRCLIENT route-reflector-client
  neighbor RRCLIENT soft-reconfiguration inbound
  neighbor 18.104.22.168 activate
  neighbor 22.214.171.124 activate
  neighbor 126.96.36.199 activate
  neighbor 188.8.131.52 activate
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor RRCLIENT send-community both
  neighbor RRCLIENT route-reflector-client
  neighbor 184.108.40.206 activate
  neighbor 220.127.116.11 activate
  neighbor 18.104.22.168 activate
  neighbor 22.214.171.124 activate
 exit-address-family
PE1 configuration example
route distinguisher (rd): identifier corresponding to a VRF
route-target (rt): indicates how routes are exchanged (transmitted as extended communities)
ip vrf B
 description VRF Customer B
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf C
 description VRF Customer C
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
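Because route-targets decide which VRFs receive which routes, customer isolation depends on no VRF importing an RT that another customer's VRF exports. The following Python check is an added example, not part of the original lab: it parses `ip vrf` stanzas and lists every cross-VRF import. VRFs B and C are taken from the PE1 configuration above; the VRF named `LEAKY` and the function names are hypothetical, constructed to show what a misconfiguration looks like.

```python
import re

# Constructed sample: VRFs B and C are the PE1 stanzas from this page;
# VRF LEAKY is a hypothetical misconfiguration added for the demonstration.
SAMPLE_CONFIG = """\
ip vrf B
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf C
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
ip vrf LEAKY
 rd 65000:3
 route-target export 65000:3
 route-target import 65000:3
 route-target import 65000:1
"""

KINDS = {"import": ("import",), "export": ("export",), "both": ("import", "export")}

def parse_vrfs(config):
    """Return {vrf_name: {"import": set_of_RTs, "export": set_of_RTs}}."""
    vrfs, current = {}, None
    for line in config.splitlines():
        match = re.match(r"ip vrf (\S+)\s*$", line)
        if match:
            current = vrfs.setdefault(match.group(1), {"import": set(), "export": set()})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the VRF stanza
        elif current is not None:
            words = line.split()
            if len(words) == 3 and words[0] == "route-target":
                for kind in KINDS.get(words[1], ()):
                    current[kind].add(words[2])
    return vrfs

def cross_vrf_imports(vrfs):
    """Return sorted (importer, exporter, rt) tuples: routes that cross VRFs."""
    return sorted((a, b, rt) for a, imp in vrfs.items() for b, exp in vrfs.items()
                  if a != b for rt in imp["import"] & exp["export"])

if __name__ == "__main__":
    for importer, exporter, rt in cross_vrf_imports(parse_vrfs(SAMPLE_CONFIG)):
        print(f"VRF {importer} imports RT {rt} exported by VRF {exporter}")
```

With only the page's two VRFs the result is empty, which matches the isolation verified on CCPE1; intentional shared-services or extranet designs will show up in the list and need to be reviewed rather than treated as errors.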
VRFs on interfaces
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding B
 ip address 126.96.36.199 255.255.255.0
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip vrf forwarding C
 ip address 188.8.131.52 255.255.255.0
router eigrp 65000
 auto-summary
 !
 address-family ipv4 vrf C
  redistribute bgp 65000 metric 1 1 1 1 1
  network 0.0.0.0
  auto-summary
  autonomous-system 11
 exit-address-family
 !
 address-family ipv4 vrf B
  redistribute bgp 65000 metric 1 1 1 1 1
  network 0.0.0.0
  no auto-summary
  autonomous-system 10
 exit-address-family
!
router bgp 65000
 bgp router-id 184.108.40.206
 bgp log-neighbor-changes
 neighbor 220.127.116.11 remote-as 65000
 neighbor 18.104.22.168 update-source Loopback0
 !
 address-family ipv4 vrf C
  redistribute eigrp 11
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf B
  redistribute eigrp 10
  no synchronization
 exit-address-family
On ACPE1, traditional EIGRP:
router eigrp 10
 network 0.0.0.0
 no auto-summary
Verification on BCPE1
BCPE1#sh ip route
     22.214.171.124/32 is subnetted, 1 subnets
C       126.96.36.199 is directly connected, Loopback0
     188.8.131.52/24 is subnetted, 1 subnets
D EX    184.108.40.206 [170/2560025856] via 220.127.116.11, 00:01:11, FastEthernet0/0
     18.104.22.168/32 is subnetted, 1 subnets
D EX    22.214.171.124 [170/2560025856] via 126.96.36.199, 00:01:11, FastEthernet0/0
     188.8.131.52/24 is subnetted, 1 subnets
C       184.108.40.206 is directly connected, FastEthernet0/0
BCPE1#ping 220.127.116.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/84/88 ms
We can check on CCPE1 that customer B's routes are not reachable:
CCPE1#sh ip route
     22.214.171.124/24 is subnetted, 1 subnets
C       126.96.36.199 is directly connected, FastEthernet0/0
     188.8.131.52/24 is subnetted, 1 subnets
C       184.108.40.206 is directly connected, Loopback0
     220.127.116.11/24 is subnetted, 1 subnets
D EX    18.104.22.168 [170/2560002816] via 22.214.171.124, 00:02:35, FastEthernet0/0
     126.96.36.199/24 is subnetted, 1 subnets
D EX    188.8.131.52 [170/2560002816] via 184.108.40.206, 00:02:35, FastEthernet0/0
Examine the packet (BCPE1 to BCPE4)
As usual, the packet is switched and left unmodified until it reaches the PE router.
The packet enters the PE router:
PE1#sh ip route vrf B
Routing Table: B
...
     220.127.116.11/32 is subnetted, 1 subnets
D       18.104.22.168 [90/156160] via 22.214.171.124, 01:47:46, FastEthernet0/0.10
     126.96.36.199/24 is subnetted, 1 subnets
B       188.8.131.52 [200/0] via 184.108.40.206, 00:09:26
     220.127.116.11/32 is subnetted, 1 subnets
B       18.104.22.168 [200/156160] via 22.214.171.124, 00:09:26
     126.96.36.199/24 is subnetted, 1 subnets
C       188.8.131.52 is directly connected, FastEthernet0/0.10
The MPLS VPN tag (39):
PE1#show ip bgp vpnv4 all labels | i 184.108.40.206
                    220.127.116.11   nolabel/39
   18.104.22.168/24 22.214.171.124   nolabel/38
   126.96.36.199/24 188.8.131.52   nolabel/40
   184.108.40.206/24 220.127.116.11   nolabel/41
The next hop is 18.104.22.168; however, 22.214.171.124 is not reachable from the PE RT, but it is present in the MPLS LFIB (27):
PE1#sh mpls forwarding-table | i 126.96.36.199
Local  Outgoing  Prefix           Bytes tag  Outgoing  Next Hop
30     27        188.8.131.52/32  0          Fa0/1     184.108.40.206
P1 swaps the outer tag used for MPLS switching (27 to 26):
P1#sh mpls forwarding-table | i 220.127.116.11
27     26        18.104.22.168/32  70630     Fa2/0     22.214.171.124
P2 removes the outer tag (Penultimate Hop Popping, PHP). This operation is done one hop before the PE router. Only the VPN tag remains.
P2#sh mpls forwarding-table | i 126.96.36.199
26     Pop tag   188.8.131.52/32  199791     Fa2/0     184.108.40.206
The packet is then directed to the right interface on the PE router:
PE4#sh ip bgp vpnv4 all labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 65000:1 (B)
   220.127.116.11/32 18.104.22.168   nolabel/38
   22.214.171.124/24 126.96.36.199   nolabel/39
   188.8.131.52/32 184.108.40.206   39/nolabel
   220.127.116.11/24 0.0.0.0         38/aggregate(B)
PE4#sh ip route vrf B eigrp
     18.104.22.168/32 is subnetted, 1 subnets
D       22.214.171.124 [90/156160] via 126.96.36.199, 02:21:57, FastEthernet0/1.12
PE1#sh ip vrf ?
  WORD        VPN Routing/Forwarding instance name
  brief       Brief VPN Routing/Forwarding instance information
  detail      Detailed VPN Routing/Forwarding instance information
  id          Show VPN Routing/Forwarding VPN-ID information
  interfaces  Show VPN Routing/Forwarding interface information
  |           Output modifiers
PE1#sh ip route vrf X
PE1#sh ip bgp vpnv4 ?
  all  Display information about all VPNv4 NLRIs
  rd   Display information for a route distinguisher
  vrf  Display information for a VPN Routing/Forwarding instance
PE1#sh ip bgp vpnv4 vrf B ?
  A.B.C.D            IP prefix /, e.g., 188.8.131.52/8
  A.B.C.D            Network in the BGP routing table to display
  cidr-only          Display only routes with non-natural netmasks
  community          Display routes matching the communities
  community-list     Display routes matching the community-list
  dampening          Display detailed information about dampening
  extcommunity-list  Display routes matching the extcommunity-list
  filter-list        Display routes conforming to the filter-list
  inconsistent-as    Display only routes with inconsistent origin ASs
  labels             Display BGP labels for prefixes
  neighbors          Detailed information on TCP and BGP neighbor connections
  oer-paths          Display all oer controlled paths
  paths              Path information
  peer-group         Display information on peer-groups
  pending-prefixes   Display prefixes pending deletion
  prefix-list        Display routes matching the prefix-list
  quote-regexp       Display routes matching the AS path "regular expression"
  regexp             Display routes matching the AS path regular expression
  replication        Display replication status of update-group(s)
  rib-failure        Display bgp routes that failed to install in the routing table (RIB)
  route-map          Display routes matching the route-map
Route target extended community
PE1#sh ip bgp vpnv4 all 184.108.40.206/32
BGP routing table entry for 65000:1:220.127.116.11/32, version 22
Paths: (1 available, best #1, table B)
Flag: 0x820
  Not advertised to any peer
  Local
    18.104.22.168 (metric 4) from 22.214.171.124 (126.96.36.199)
      Origin incomplete, metric 156160, localpref 100, valid, internal, best
      Extended Community: RT:65000:1 Cost:pre-bestpath:128:156160
        0x8800:32768:0 0x8801:12:130560 0x8802:65281:25600 0x8803:65281:1500
      Originator: 188.8.131.52, Cluster list: 184.108.40.206
      mpls labels in/out nolabel/34
Download the configurations here.
RFC 4364: http://tools.ietf.org/html/rfc4364