Mpls Nsn Training Day 2 Vpn Pa

MPLS – VPN Configuration
Mitrabh Shukla
National IP Manager

Objectives
Upon completion of this chapter you will be able to:
• Describe MPLS VPN mechanisms
• Use the command line interface to configure a VPN
• Verify VPN functionality

Agenda
• What is a VPN?
• How Do MPLS VPNs Work?
• What Are Some Scaling Techniques?
• How Do I Configure MPLS VPNs?

What is a MPLS VPN?
[Diagram: VPN A, VPN B and VPN C sites around the Provider Backbone]

MPLS-VPN Terminology
[Diagram: VPN-aware network; provider network (AS100, AS200) with P router, border router and PE router; customer network sites with CE router; VPN A and VPN B sites]

Agenda
• What is a VPN?
• How do MPLS VPNs Work?
  – Control Plane
  – Forwarding Plane
• What Are Some MPLS VPN Scaling Techniques?
• How Do I Configure MPLS VPNs?

What Makes MPLS VPNs Work?
[Diagram: CE routers of VPN A and VPN B (10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached to PE routers, P routers in the core, MP-iBGP sessions between the PE routers]
Five keys to MPLS VPN functionality:
1. MPLS Forwarding
2. Separation of VPN Routes (VPN Routing and Forwarding Instances (VRF))
3. VPN Membership Selection (Route Target)
4. IP Address Overlap (Route Distinguisher)
5. VPN Route Distribution (MP-BGP for VPN-IPv4)

1. MPLS Forwarding
MPLS VPN requirement: PE to PE Label Switched Path (LSP)
[Diagram: PE1 (VRFs), P1, P2, PE2 (VRFs)]
PE1’s perspective, global routing table entries to reach:
  PE2 -> next-hop: P1, label: 50
  P2 -> next-hop: P1, label: 65
  P1 -> next-hop: interface, label: pop
PE2’s perspective, global routing table entries to reach:
  PE1 -> next-hop: P2, label: 25
  P1 -> next-hop: P2, label: 35
  P2 -> next-hop: interface, label: pop

2. How Are VPN Routes Kept Separate?
VPN Routing and Forwarding Instances (VRF) provide the separation
VRF = Routing Table for VPN
[Diagram: Site-1 CE Yellow and Site-1 CE Green attached to one PE; VPN Backbone IGP (OSPF, IS-IS); Global Routing Table]
VRF (VPN Routing and Forwarding)
• Assigned a symbolic name
  ip vrf green

MPLS VPN Routing Requirements
• Customer routers (CE-routers) have to run standard IP routing software
• Provider core routers (P-routers) have no VPN routes
• Provider edge routers (PE-routers) have to support MPLS VPN and Internet routing

MPLS VPN Routing (CE-Router Perspective)
[Diagram: CE-Router, PE Router in the MPLS VPN Backbone, CE-Router]
• Customer routers run standard IP routing software and exchange routing updates with the PE-router
  – EBGP, OSPF, RIPv2, EIGRP or static routes are supported
• PE-router appears as another router in the customer’s network

MPLS VPN Routing (PE-Router Perspective)
PE-routers:
• Exchange VPN routes with CE-routers via per-VPN routing protocols
• Exchange core routes with P-routers and PE-routers via core IGP
• Exchange VPNv4 routes with other PE-routers via multi-protocol IBGP sessions

MPLS VPN Support for Internet Routing
PE-routers can run standard IPv4 BGP in the global routing table
• Exchange Internet routes with other PE routers
• CE-routers do not participate in Internet routing
• P-routers do not need to participate in Internet routing

MPLS VPN End-to-End Routing Information Flow (1/3)
• PE-routers receive IPv4 routing updates from CE-routers and install them in the appropriate Virtual Routing and Forwarding (VRF) table

MPLS VPN End-to-End Routing Information Flow (2/3)
• PE-routers export VPN routes from VRF into MP-IBGP and propagate them as VPNv4 routes to other PE-routers
• IBGP full mesh is needed between PE-routers

VRF CE Routing and Sharing
CE to PE routing: EBGP, RIP, OSPF, Static
[Diagram: Site-1 CE Yellow and Site-1 CE Green attached to one PE; VPN Backbone IGP (OSPF, IS-IS)]
• 1 interface attached to VRF
Sharing
[Diagram: Site-1 CE Green and Site-2 CE Green (same VPN) attached to one PE; VPN Backbone IGP (OSPF, IS-IS)]
• Multiple interfaces attached to VRF
• (Can NOT have multiple VRFs connected to 1 interface)

VRF and Multiple Routing Instances
[Diagram: PE to CE routing processes (BGP, EIGRP, RIP, Static, OSPF), routing contexts, VRF routing tables, VRF forwarding tables]
• Routing processes support routing contexts (sub-processes within main process)
• Populate specific VPN routing table and FIBs (VRF)
• Separate OSPF process for each VRF

What are MPLS VPN Extranets?
[Diagram: VPN A, VPN B and VPN C with Site1 to Site5]
Belonging to more than one VRF
NOTE: A VRF is NOT a VPN
• Terms sometimes used interchangeably but they are NOT the same
• VRF is the routing table
• VPN is collection of sites that can access that table

3. How is VPN Membership Determined?
VPN membership is based on filtering routes to be installed in VRF
• Route Target import/export filtering
Route Target (RT) is a BGP Extended Community
• Used to constrain distribution of routing information
• Identifier for VRFs that may receive set of routes tagged with given RT (route filtering)
Based on RFC 2547

What is a Route Target?
Route Target (RT) is a BGP Extended Community
• Used to constrain distribution of routing information
• Identifier for VRFs that may receive set of routes tagged with given RT (route filtering)

What is a Route Distinguisher?
Route Distinguisher:
• Converts non-unique IP addresses into unique VPN-IPv4 addresses
• Not used for constrained distribution of routing information (route filtering)
VPN-IPv4 addresses
• Must be globally unique
• Route Distinguisher (RD) + IP address
  – RDs are assigned by a service provider

4. How Can MPLS VPN Addresses Overlap?
[Diagram: CE routers of VPN A and VPN B attached to PE routers with P routers in the core; VPN A and VPN B both use 10.1.0.0 ("Same Addresses"); other sites use 10.2.0.0, 10.3.0.0, 11.5.0.0 and 11.6.0.0]
Route Distinguisher provides the separation

What is a Route Distinguisher?
Route Distinguisher:
• Converts non-unique IP addresses into unique VPN-IPv4 addresses (overlapping private addresses)
• Not used for constrained distribution of routing information (route filtering)
VPN-IPv4 addresses
• Route Distinguisher (RD) 64 bits + IP address = 96 bits
  – RDs are assigned by a service provider
  – RDs should be globally unique

5. How are VPN Routes Distributed?
MP-iBGP (PE to PE) to carry VPN-IPv4 information
[Diagram: VPN yellow Site-1 CE1, PE1, P1, P2, PE2, CE2 Site-2 VPN yellow]
Why MP-iBGP?
• BGP supports large numbers of routes
• BGP is multi-protocol and scales
• BGP does not require directly connected peers
• BGP optional, transitive attributes

What is in an MP-BGP VPNv4 Update?
MP-iBGP (PE to PE) to carry VPN-IPv4 information
[Diagram: PE1, P1, P2, PE2]
• VPN-IPv4 update: RD1:Net1, Next-hop=PE1, SOO=Site1, RT=Yellow, Label=10
• VPN-IPv4 update: RD2:Net1, Next-hop=PE1, SOO=Site1, RT=Green, Label=12

What is in an MP-BGP Update?
VPN-IPv4 address (96 bits)
• Route Distinguisher (RD) (64 bits)
• IPv4 address (32 bits)
Extended Community
• Route target (RT) - required
• Site of Origin (SOO) - optional
  – (prevents routing loops in multihomed CE topologies)
Any other standard BGP attribute (Ex. VPN Labels)
• A second label in the label stack

Why MP-iBGP?
[Diagram: MP-iBGP session; VPN yellow Site-1 CE1, PE1, P1, P2, PE2, CE2 Site-2 VPN yellow]
• BGP supports large numbers of routes
• BGP is multi-protocol and scales
• BGP does not require directly connected peers
• BGP has optional, transitive attributes

How Does the MPLS VPN Control Plane Work?
[Diagram: CE1 (VPN B, 152.12.4.0/24), PE1, P1, P2, PE2, CE2 (VPN B); MPLS LSP foundation]
• BGP, OSPF, RIP: 152.12.4.0/24, NH=CE1
• VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE1, RT=1:1, VPN Label=(29)
• VPN-B VRF: import routes with route-target 1:1
• BGP, OSPF, RIP: 152.12.4.0/24, NH=PE2
• LDP Update: Next hop=PE1, Label=(imp-null)
• LDP Update: Next hop=P1, Label=(41)
• LDP Update: Next hop=P2, Label=(32)

How Does the MPLS VPN Forwarding Plane Work?
[Diagram: CE1 (VPN B, 152.12.4.0/24), PE1, P1, P2, PE2, CE2 (VPN B); packet forwarding based on stack of labels (LSP/MPLS label, VPN label)]
• VRF lookup for 152.12.4.6: NH=PE1, VPN Label=(29)
• MPLS forwarding table (LFIB) lookup for NH=PE1
• Label swap
• Penultimate Hop Pop (removal of LSP label)
• LFIB lookup for label 29 = vrf VPN B
• VRF lookup for 152.12.4.6: NH=CE1
Packets drawn on the diagram: 152.12.4.6 (unlabelled); 41 29 152.12.4.6; 32 29 152.12.4.6; 29 152.12.4.6

Agenda
• What is a VPN?
• How Do MPLS VPNs Work?
• What Are Some Scaling Techniques?
• How Do I Configure MPLS VPNs?

Scaling MPLS-VPN: Route Reflectors
[Diagram: PE routers with Green and Yellow VPNs peering with route reflectors]
• Use of Route Reflectors highly recommended
• Route Reflectors may be partitioned
  – Each RR stores routes for a set of VPNs
  – Thus, no BGP router needs to store ALL VPN information
• PEs will peer to RRs according to the VPNs they directly connect

MPLS-VPN Scaling: BGP Automatic Route Filtering (ARF)
[Diagram: PE with VRFs for VPNs yellow and green (Import RT=yellow, Import RT=green) receiving two updates over MP-iBGP sessions]
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ
• Each VRF has an import and export policy configured
• Policies use route-target attribute (extended community)
• PE receives MP-iBGP updates for VPN-IPv4 routes
• If route-target is equal to any of the import values configured in the PE, the update is accepted
• Otherwise, it is silently discarded

MPLS-VPN Scaling: Route Refresh
[Diagram: PE with Import RT=yellow, Import RT=green and a newly added Import RT=red]
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ
1. PE doesn’t have red routes (previously filtered out)
2. PE issues a Route-Refresh to all neighbors in order to ask for re-transmit
3. Neighbors re-send updates and “red” route-target is now accepted
• Policy may change in the PE if VRF modifications are done
  – New VRFs, removal of VRFs
• However, the PE may not have stored routing information which becomes useful after a change
• PE requests a re-transmission of updates from neighbors
  – Route-Refresh

MPLS VPN Packet Forwarding

VPN Packet Forwarding Across MPLS VPN Backbone
How will PE routers forward VPN packets across MPLS VPN backbone?
Just forward pure IP packets?
• P-routers do not have VPN routes, packet is dropped on IP lookup.
How about using MPLS for packet propagation across backbone?

VPN Packet Forwarding Across MPLS VPN Backbone
Label VPN packets with LDP label for egress PE-router, forward labeled packets across MPLS backbone?
• P-routers perform label switching, packet reaches egress PE-router.
• However, egress PE-router does not know which VRF to use for packet lookup, so the packet is dropped.
How about using a label stack?

VPN Packet Forwarding Across MPLS VPN Backbone
Label VPN packets with a label stack.
• Use LDP label for egress PE-router as the top label
• VPN label assigned by egress PE-router as the second label in the stack.
P-routers perform label switching, packet reaches egress PE-router.
Egress PE-router performs lookup on the VPN label and forwards the packet toward the CE-router.

VPN Packet Forwarding: Penultimate Hop Popping
• Penultimate hop popping on the LDP label can be performed on the last P-router
• Egress PE-router performs only label lookup on VPN label, resulting in faster and simpler label lookup
• IP lookup is performed only once, in the ingress PE router

VPN Label Propagation
How will the ingress PE-router get the second label in the label stack from the egress PE-router?
• Labels are propagated in MP-BGP VPNv4 routing updates.
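
The VPNv4 update handling described in the slides above (64-bit RD plus IPv4 address, route-target import filtering, route refresh, VPN label carried in the update), as an added Python example that is not part of the original deck. The class and function names are hypothetical, and the RD values, /16 masks, colour-named route targets and labels are constructed sample data.

```python
import ipaddress
import struct


def encode_rd(rd):
    """Encode an RD written as 'ASN:nn' or 'a.b.c.d:nn' into its 8 bytes (64 bits)."""
    admin, _, number = rd.rpartition(":")
    if "." in admin:  # IP:variable form (type 1): 4-byte address + 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(number))
    return struct.pack("!HHI", 0, int(admin), int(number))  # ASN:variable form (type 0)


def vpn_ipv4(rd, prefix):
    """VPN-IPv4 address: 64-bit RD followed by the 32-bit IPv4 network address."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed


def bgp_table(updates):
    """Key routes the way MP-BGP does: by VPN-IPv4 address and prefix length."""
    return {(vpn_ipv4(u["rd"], u["prefix"]), ipaddress.IPv4Network(u["prefix"]).prefixlen): u
            for u in updates}


class PE:
    """Receiving PE: one set of import route targets and one table per VRF."""

    def __init__(self):
        self.import_rts = {}  # VRF name -> set of import RTs
        self.tables = {}      # VRF name -> {prefix: (next hop, VPN label)}

    def add_vrf(self, name, import_rts):
        self.import_rts[name] = set(import_rts)
        self.tables[name] = {}

    def receive(self, update):
        """Install the route in every VRF whose import RTs match; the RD plays no part."""
        installed = []
        for vrf, wanted in self.import_rts.items():
            if wanted & update["rts"]:
                self.tables[vrf][update["prefix"]] = (update["next_hop"], update["label"])
                installed.append(vrf)
        return installed  # empty list: update discarded, nothing is stored


def route_refresh(pe, neighbor_updates):
    """Neighbors re-send their updates so a changed import policy can take effect."""
    for update in neighbor_updates:
        pe.receive(update)


# Constructed sample updates: two VPNs announce the same 10.1.0.0/16.
UPDATES = [
    {"rd": "100:10", "prefix": "10.1.0.0/16", "next_hop": "PE1", "label": 10, "rts": {"yellow"}},
    {"rd": "100:20", "prefix": "10.1.0.0/16", "next_hop": "PE1", "label": 12, "rts": {"green"}},
    {"rd": "100:30", "prefix": "10.3.0.0/16", "next_hop": "PE-X", "label": 30, "rts": {"red"}},
]


def demo():
    pe = PE()
    pe.add_vrf("yellow", {"yellow"})
    pe.add_vrf("green", {"green"})
    first_pass = [pe.receive(u) for u in UPDATES]  # the red update matches no VRF
    pe.add_vrf("red", {"red"})                     # policy change on the PE
    before_refresh = dict(pe.tables["red"])        # still empty: the update was not kept
    route_refresh(pe, UPDATES)
    after_refresh = dict(pe.tables["red"])
    return first_pass, before_refresh, after_refresh


if __name__ == "__main__":
    print(len(bgp_table(UPDATES)), "distinct VPN-IPv4 routes")
    print(demo())
```

Because membership is decided only by the route target, an import statement naming another VPN's RT installs that VPN's routes no matter how distinct the RDs are.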

VPN Label Propagation
[Diagram slides: VPN label propagation]

Impacts of MPLS VPN Label Propagation
• The VPN label has to be assigned by the BGP next-hop
• BGP next-hop should not be changed in MP-IBGP update propagation
  – Do not use next-hop-self on confederation boundaries
• PE-router has to be BGP next-hop
  – Use next-hop-self on the PE-router
• Label has to be re-originated if the next-hop is changed
  – A new label is assigned every time the MP-BGP update crosses AS-boundary where the next-hop is changed

Impacts of MPLS VPN Packet Forwarding
• VPN label is only understood by egress PE-router
• End-to-end Label Switched Path is required between ingress and egress PE-router
• BGP next-hops shall not be announced as BGP routes
  – LDP labels are not assigned to BGP routes
• BGP next-hops announced in IGP shall not be summarized in the core network
  – Summarization breaks LSP

Agenda
• What is a VPN?
• How Do MPLS VPNs Work?
• What Are Some Scaling Techniques?
• How Do I Configure MPLS VPNs?
  1. Configure VRFs
  2. Associate interfaces with VRFs
  3. Configure MP-iBGP routing
  4. Configure CE to PE routing
  5. Verify VPN operation

Configure VRF
  ip vrf
    ! Logical name of the VPN; use something that makes sense
  rd
    ! Number to uniquely id the prefix value; convention is ASN:xxxx
  route-target export
    ! The extended community string you will SEND with your routes
  route-target import
    ! The extended community string you will RECEIVE and put into your vrf

Configure VRF
[Diagram: PE with E1/0 to the CE of VPN red and E2/0 to the CE of VPN blue]
Create the VRFs on the PE router (vrf symbolic name, case sensitive)
  PE1(config)#ip vrf red
  PE1(config)#ip vrf blue

Configure RD
[Diagram: PE with E1/0 to the CE of VPN red and E2/0 to the CE of VPN blue]
Create the VRFs on the PE router
  PE1(config)#ip vrf red
  PE1(config-vrf)#rd 100:10
  PE1(config)#ip vrf blue
  PE1(config-vrf)#rd 100:20
RD format: ASN:variable or IP:variable

Configure Route Target
[Diagram: PE with E1/0 to the CE of VPN red and E2/0 to the CE of VPN blue]
Create the VRFs on the PE router
  PE1(config)#ip vrf red
  PE1(config-vrf)#rd 100:10
  PE1(config-vrf)#route-target import 100:1
  PE1(config-vrf)#route-target export 100:1
  PE1(config)#ip vrf blue
  PE1(config-vrf)#rd 100:20
  PE1(config-vrf)#route-target import 100:2
  PE1(config-vrf)#route-target export 100:2
• RD to RT matching just makes it easy
• shortcut if import and export are the same

VRF Options
[Diagram: PE with E1/0 to the CE of VPN red and E2/0 to the CE of VPN blue]
Create the VRFs on the PE router
  PE1(config)#ip vrf red
  PE1(config-vrf)#description VPN for CE1
  PE1(config-vrf)#rd 100:10
  PE1(config-vrf)#route-target import 100:1
  PE1(config-vrf)#route-target export 100:1
  PE1(config-vrf)#maximum routes 2000 warning-only
• description: online documentation
• maximum routes: protect your network and PE from saturation (scaling factor)

Associate PE interfaces to VRFs
[Diagram: PE with E1/0 to the CE of VPN red and E2/0 to the CE of VPN blue]
Configure interfaces to belong to the VRF (match vrf symbolic name)
  PE1(config)#interface ethernet 2/0
  PE1(config-if)#ip vrf forwarding blue
  PE1(config-if)#ip address 172.11.2.2 255.255.255.252
  PE1(config)#interface ethernet 1/0
  PE1(config-if)#ip vrf forwarding red
  PE1(config-if)#ip address 172.11.2.2 255.255.255.252

Common VRF Configuration Gotcha
Configuring an interface to the VRF: IP address must be removed from global routing table
  PE1(config)#interface ethernet 3/0
  PE1(config-if)#ip vrf forwarding red
  % Interface Ethernet1/0 IP address 10.131.31.245 removed due to enabling VRF red
  PE1(config-if)#ip address 10.131.31.245 255.255.255.252
Also, can only assign 1 VRF to an interface

Configure MP-BGP Peering between PEs
[Diagram: PE1 and PE2 connected across the VPN Backbone IGP by an MP-BGP session]
Standard BGP configuration entries apply:
  PE1(config)#router bgp 100
  PE1(config-router)#neighbor 10.131.63.252 remote-as 100
  PE1(config-router)#neighbor 10.131.63.252 desc MP-BGP to PE2
  PE1(config-router)#neighbor 10.131.63.252 update-source Loopback0
Router config for VPNv4 prefixes:
  PE1(config-router)#address-family vpnv4
  PE1(config-router-af)#neighbor 10.131.63.252 activate
  PE1(config-router-af)#neighbor 10.131.63.252 send-community extended
  PE1(config-router-af)#exit-address-family
• activate: activate neighbor to advertise routes
• send-community extended: send extended community to id the VRF (default entry)

Configure VRF Routing Contexts
[Diagram: PE1 and PE2 connected across the VPN Backbone IGP by an MP-BGP session]
  PE1(config-router)#address-family ipv4 vrf red
  PE1(config-router-af)#no auto-summary
  PE1(config-router-af)#no synchronization
  PE1(config-router-af)#exit-address-family
  PE1(config-router)#address-family ipv4 vrf blue
  PE1(config-router-af)#no auto-summary
  PE1(config-router-af)#no synchronization
  PE1(config-router-af)#exit-address-family

The VRF is now operational
• The previous configuration creates the VRF and associated CEF and routing table
• VRF Implementation Considerations
  – Many commands are now VRF context sensitive
• VPN routes are not yet present
• The RD and import and export policies (RT) will be used to fill the VRF routing table with routes learned by the PE via MP-BGP

Example VRF Configuration
[Topology diagram, repeated on the example slides that follow]
• MPLS Core: BGP AS100, OSPF Area 0
• VPN1 RD 100:1, VPN2 RD 100:2
• PE-A lo0 200.200.0.11; P-A lo0 200.200.0.1; P-B lo0 200.200.0.2; PE-B lo0 200.200.0.12
• CE-1A (VPN1, Site A): lo0 172.16.1.1/24, s0/0 172.16.2.1/30; PE-A s1/0 172.16.2.2/30
• CE-2A (VPN2, Site A): lo0 172.16.1.1/24, s0 172.16.2.1/30; PE-A s1/1 172.16.2.2/30
• CE-1B (VPN1, Site B): lo0 172.17.1.1/24, s0 172.17.2.1/30; PE-B s1/0 172.17.2.2/30
• CE-2B (VPN2, Site B): lo0 172.17.1.1/24, s0/0 172.17.2.1/30; PE-B s1/1 172.17.2.2/30
  PE-A(config)#ip vrf VPN1
  PE-A(config-vrf)#rd 100:1
  PE-A(config-vrf)#route-target export 100:10
  PE-A(config-vrf)#route-target import 100:10
  PE-A(config)#ip vrf VPN2
  PE-A(config-vrf)#rd 100:2
  PE-A(config-vrf)#route-target export 100:20
  PE-A(config-vrf)#route-target import 100:20

Associate VRFs to Interfaces
For each interface participating in the VPN (match vrf-symbolic-name)
  interface Serial1/0
   ip vrf forwarding VPN1
   ip address 172.16.2.2 255.255.255.252

Example VRF Interface Configuration
[Topology diagram as above]
  PE-A(config)#interface Serial1/0
  PE-A(config-if)#ip vrf forwarding VPN1
  PE-A(config-if)#ip address 172.16.2.2 255.255.255.252
  PE-A(config)#interface Serial1/1
  PE-A(config-if)#ip vrf forwarding VPN2
  PE-A(config-if)#ip address 172.16.2.2 255.255.255.252

Configure MP-BGP
  ! AS number
  router bgp 100
   ! Router config for standard IP Version 4 address prefixes
   address-family ipv4 vrf VPN1
    no auto-summary
    no synchronization
   exit-address-family
   ! Router config for standard VPN Version 4 address prefixes
   address-family vpnv4
    ! activate: advertise routes
    ! send-community extended: extended community string to id the VRF
    neighbor 200.200.0.12 activate
    neighbor 200.200.0.12 send-community extended
    neighbor 200.200.0.13 activate
    neighbor 200.200.0.13 send-community extended
   exit-address-family

Example MP-BGP Configuration
[Topology diagram as above]
  PE-A(config)#router bgp 100
  PE-A(config-router)#no synchronization
  PE-A(config-router)#no bgp default ipv4-unicast
  PE-A(config-router)#bgp log-neighbor-changes
  PE-A(config-router)#neighbor 200.200.0.12 remote-as 100
  PE-A(config-router)#neighbor 200.200.0.12 update-source Loopback0
  PE-A(config-router)#no auto-summary
  PE-A(config-router)#address-family ipv4 vrf VPN1
  PE-A(config-router-af)#no auto-summary
  PE-A(config-router-af)#no synchronization
  PE-A(config-router-af)#exit-address-family
  PE-A(config-router)#address-family ipv4 vrf VPN2
  PE-A(config-router-af)#no auto-summary
  PE-A(config-router-af)#no synchronization
  PE-A(config-router-af)#exit-address-family
  PE-A(config-router)#address-family vpnv4
  PE-A(config-router-af)#neighbor 200.200.0.12 activate
  PE-A(config-router-af)#neighbor 200.200.0.12 send-community extended
  PE-A(config-router-af)#exit-address-family

Configure Route Advertisements
Define static routes at CE and PE
CE config:
  ip route 0.0.0.0 0.0.0.0 172.16.2.2
PE config:
  ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
  ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1
Define BGP routes at PE
  router bgp 100
   address-family ipv4 vrf VPN1
    network 172.16.1.0 mask 255.255.255.0
    network 172.16.2.0 mask 255.255.255.252
   exit-address-family

Example Routing Configuration
[Topology diagram as above]
  CE-1A(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
  PE-A(config)#ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
  PE-A(config)#ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1
  PE-A(config)#router bgp 100
  PE-A(config-router)#address-family ipv4 vrf VPN1
  PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
  PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
  PE-A(config-router-af)#exit-address-family
  PE-A(config-router)#address-family ipv4 vrf VPN2
  PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
  PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
  PE-A(config-router-af)#exit-address-family

MPLS VPN Verification Steps
Verify the VRFs
• show ip vrf [{detail|interfaces}]
Verify routing information
• show ip route vrf [detail] [vrf-name] [interfaces]
• show ip bgp neighbors
• show ip bgp vpnv4 all
• show ip bgp vpnv4 vrf VRF-name
• show ip bgp vpnv4 vrf VRF-name [ip-address]
Verify labels
• show ip bgp vpnv4 all [labels/tags]
• show ip cef vrf [detail]

Ping, Traceroute, Telnet Caveats
• Ping and Traceroute in MPLS VPN network only succeed if end-to-end path is successful
• Good verification if successful but NOT for troubleshooting
Ping/Traceroute command syntax
• traceroute VRF [vrf-name] ip-address
• ping VRF [vrf-name] ip-address
Telnet command syntax
• telnet ip-address /vrf [vrf-name]
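
An offline audit of VRF definitions like those configured above, as an added Python example that is not part of the original deck: it checks the points the slides rely on for separation (one RD per VRF, import/export route targets deciding membership, a `maximum routes` limit, case-sensitive VRF names on interfaces). The function names and finding codes are hypothetical, the input is assumed to be running-config style text, and the sample configuration is constructed with deliberate defects.

```python
import re
from collections import defaultdict

# Constructed running-config fragment (not from the deck) with deliberate defects.
SAMPLE_CONFIG = """\
ip vrf red
 description VPN for CE1
 rd 100:10
 route-target import 100:1
 route-target export 100:1
 maximum routes 2000 warning-only
ip vrf blue
 rd 100:20
 route-target import 100:2
 route-target export 100:2
 route-target import 100:1
ip vrf green
 rd 100:10
 route-target both 100:3
interface Ethernet1/0
 ip vrf forwarding red
 ip address 172.11.2.2 255.255.255.252
interface Ethernet2/0
 ip vrf forwarding Blue
 ip address 172.11.2.2 255.255.255.252
"""


def parse_config(text):
    """Return ({vrf: settings}, {interface: vrf}) from running-config style text."""
    vrfs, ifaces, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line opens a new top-level context
            if (m := re.fullmatch(r"ip vrf (\S+)", line)):
                ctx = ("vrf", m.group(1))
                vrfs[m.group(1)] = {"rd": None, "import": set(), "export": set(), "limit": None}
            elif (m := re.fullmatch(r"interface (.+)", line)):
                ctx = ("if", m.group(1))
            else:
                ctx = None
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "vrf":
            vrf = vrfs[name]
            if (m := re.fullmatch(r"rd (\S+)", line)):
                vrf["rd"] = m.group(1)
            elif (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
                if m.group(1) != "export":  # import or both
                    vrf["import"].add(m.group(2))
                if m.group(1) != "import":  # export or both
                    vrf["export"].add(m.group(2))
            elif (m := re.fullmatch(r"maximum routes (\d+)\b.*", line)):
                vrf["limit"] = int(m.group(1))
        elif (m := re.fullmatch(r"ip vrf forwarding (\S+)", line)):
            ifaces[name] = m.group(1)
    return vrfs, ifaces


def audit(vrfs, ifaces):
    """Return sorted (code, detail) findings that weaken or break VPN separation."""
    findings = []
    by_rd = defaultdict(list)
    for name, vrf in vrfs.items():
        by_rd[vrf["rd"]].append(name)
        if vrf["limit"] is None:  # no protection of the PE against route saturation
            findings.append(("no-route-limit", name))
    for rd, names in by_rd.items():
        if rd is None:
            findings.extend(("missing-rd", n) for n in names)
        elif len(names) > 1:  # overlapping prefixes would no longer be distinct
            findings.append(("duplicate-rd", f"{rd}: {', '.join(sorted(names))}"))
    for a, va in vrfs.items():
        for b, vb in vrfs.items():
            if a == b:
                continue
            for rt in sorted(va["import"] & vb["export"]):  # extranet or leak: confirm intent
                findings.append(("cross-vrf-import", f"{a} imports {rt} exported by {b}"))
    for ifname, vrf in ifaces.items():
        if vrf not in vrfs:  # VRF names are case sensitive
            findings.append(("undefined-vrf", f"{ifname} -> {vrf}"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit(*parse_config(SAMPLE_CONFIG)):
        print(f"{code:18} {detail}")
```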
For internal use
© Nokia Siemens Networks
MPLS / Mitrabh Shukla

Agenda
What is a VPN?
How Do MPLS VPNs Work?
What Are Some Scaling Techniques?
How Do I Configure MPLS VPNs?

For internal use
3
© Nokia Siemens Networks

MPLS / Mitrabh Shukla

What is a MPLS VPN? VPN A VPN A VPN C Provider Backbone VPN B VPN B VPN C For internal use 4 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

MPLS-VPN Terminology VPN A VPN-Aware network Site1 AS100 Provider Network P router AS200 Border Router PE router Site1 VPN A Customer Network Site CE router For internal use 5 © Nokia Siemens Networks Site2 Site2 VPN B MPLS / Mitrabh Shukla .

Agenda What is a VPN? How do MPLS VPNs Work? • Control Plane • Forwarding Plane What Are Some MPLS VPN Scaling Techniques? How Do I Configure MPLS VPNs? For internal use 6 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

0 CE 10.0.0 10. VPN Route Distribution (MP-BGP for VPN-ipv4) For internal use 7 © Nokia Siemens Networks VPN A MPLS / Mitrabh Shukla 10.What Makes MPLS VPNs Work? VPN A MP-iBGP sessions CE P 10.6.0.0. MPLS Forwarding • 2.0.1.0. Separation of VPN Routes (VPN Routing and Forwarding Instances (VRF)) • 3. VPN Membership Selection (Route Target) • 4.1.0 P • Five keys to MPLS VPNs functionality: • 1.0 CE VPN B CE VPN B P 10.2. IP Address Overlap (Route Distinguisher) • 5.0.0.3.2.0 VPN B CE P 11.0 .5.0 CE PE VPN A PE CE VPN A PE PE 11.

1. MPLS Forwarding

MPLS VPN Requirement

PE to PE Label Switched Path (LSP)
VRF

P1
PE1

VRF

P2
PE2

VRF

VRF
PE2’s perspective

PE1’s perspective
Global routing table entries to reach

Global routing table entries to reach

PE2 -> next-hop: P1, label: 50
P2 -> next-hop: P1, label: 65
P1 -> next-hop: interface, label: pop

PE1 -> next-hop: P2, label: 25
P1 -> next-hop: P2, label: 35
P2 -> next-hop: interface, label: pop

For internal use
8
© Nokia Siemens Networks

MPLS / Mitrabh Shukla

2. How Are VPN Routes Kept Separate?

VPN Routing and Forwarding Instances (VRF)
provides the separation
VRF=Routing Table for VPN
Site-1

CE

Yellow

PE

VPN Backbone IGP
(OSPF, IS-IS)

Site-1

CE

Green

VRF (VPN Routing and Forwarding)
Assigned a symbolic name
ip vrf green
For internal use
9
© Nokia Siemens Networks

MPLS / Mitrabh Shukla

Global Routing Table

MPLS VPN Routing Requirements
Customer routers (CE-routers) have to run standard IP routing
software
Provider core routers (P-routers) have no VPN routes
Provider edge routers (PE-routers) have to support MPLS VPN
and Internet routing

For internal use
10
© Nokia Siemens Networks

MPLS / Mitrabh Shukla

Router Perspective) CE .Router MPLS VPN Backbone PE Router CE . EIGRP or static routes are supported PE-router appears as another router in the customer’s network For internal use 11 © Nokia Siemens Networks MPLS / Mitrabh Shukla .Router Customer routers run standard IP routing software and exchange routing updates with the PE-router • EBGP.MPLS VPN Routing (CE. OSPF. RIPv2 .

protocol IBGP sessions For internal use 12 © Nokia Siemens Networks MPLS / Mitrabh Shukla .MPLS VPN Routing PE-Router Perspective PE-routers: • Exchange VPN routes with CE-routers via per-VPN routing protocols • Exchange core routes with P-routers and PE-routers via core IGP • Exchange VPNv4 routes with other PE-routers via multi.

MPLS VPN Support for Internet Routing PE-routers can run standard IPv4 BGP in the global routing table • Exchange Internet routes with other PE routers • CE-routers do not participate in Internet routing • P-routers do not need to participate in Internet routing For internal use 13 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

MPLS VPN End-to-End Routing Information Flow (1/3) PE-routers receive IPv4 routing updates from CE-routers and install them in the appropriate Virtual Routing and Forwarding (VRF) table For internal use 14 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

MPLS VPN End-to-End Routing Information Flow (2/3) PE-routers export VPN routes from VRF into MP-IBGP and propagate them as VPNv4 routes to other PErouters IBGP full mesh is needed between PE-routers For internal use 15 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

Static VPN Backbone IGP (OSPF. RIP. IS-IS) Site-1 CE Green 1 Interface attached to VRF Sharing Site-1 CE Green PE VPN Backbone IGP Same VPN (OSPF. IS-IS) Site-2 CE Green Multiple interfaces attached to VRF (Can NOT have multiple VRFs connected to 1 interface) For internal use 16 © Nokia Siemens Networks MPLS / Mitrabh Shukla Animated .VRF CE Routing and Sharing Site-1 CE to PE Routing CE Yellow PE EBGP. OSPF.

VRF and Multiple Routing Instances PE to CE Routing Processes BGP EIGRP RIP Static Routing Contexts VRF Routing Tables VRF Forwarding Tables Routing processes support routing contexts (sub-processes within main process) Populate specific VPN routing table and FIBs (VRF) separate OSPF process for each VRF For internal use 17 © Nokia Siemens Networks MPLS / Mitrabh Shukla OSPF OSPF .

What are MPLS VPN Extranets? VPN A VPN B Site4 VPN C Site1 Site5 Site2 Site3 Belonging to more than one VRF NOTE: A VRF is NOT a VPN • Terms sometime used interchangably but the are NOT the same • VRF is the routing table • VPN is collection of sites that can access that table For internal use 18 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

3. How is VPN Membership Determined? VPN membership is based on filtering routes to be installed in VRF • Route Target import/export filtering Route Target (RT) is a BGP Extended Community • Used to constrain distribution of routing information • Identifier for VRFs that may receive set of routes tagged with given RT (route filtering) Based on RFC 2547 For internal use 19 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

What is a Route Target? Route Target (RT) is a BGP Extended Community • Used to constrain distribution of routing information • Identifier for VRFs that may receive set of routes tagged with given RT (route filtering) For internal use 20 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

What is a Route Distinguisher? Route Distinguisher: • converts non-unique IP addresses into unique VPN-IPv4 addresses • Not used for constrained distribution of routing information (route filtering) VPN-IPv4 addresses • Must be globally unique • Route Distinguisher (RD) + IP address – RDs are assigned by a service provider For internal use 21 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

0 VPN B P CE PE PE PE 11.1.0 Route Distinguisher provides the separation For internal use 22 © Nokia Siemens Networks VPN A PE CE VPN A VPN A 11.0 .0.0 CE 10.0.2.0.0 10. How Can MPLS VPN Addresses Overlap? VPN A Same Addresses CE P 10.6.0.0 CE MPLS / Mitrabh Shukla 10.5.3.0.1.0.0 CE VPN B CE VPN B P P 10.0.2.4.

What is a Route Distinguisher? Route Distinguisher: • converts non-unique IP addresses into unique VPN-IPv4 addresses (overlapping Private address) • Not used for constrained distribution of routing information (route filtering) VPN-IPv4 addresses Route Distinguisher (RD) 64Bits + IP address = 96 Bits – RDs are assigned by a service provider – RDs should be globally unique For internal use 23 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

transitive attributes For internal use 24 © Nokia Siemens Networks MPLS / Mitrabh Shukla VPN yellow CE2 Site-2 .5. How are VPN Routes Distributed? MP-iBGP (PE to PE) to carry VPN-IPv4 Information VPN yellow CE1 Site-1 P1 PE1 P2 PE2 Why MP-iBGP? • • • • BGP supports large numbers of routes BGP is multi-protocol and scales BGP does not require directly connected peers BGP optional.

Label=12 For internal use 25 © Nokia Siemens Networks MPLS / Mitrabh Shukla . RT=Green. Label=10 VPN-IPv4 update: RD2:Net1.What is in an MP-BGP VPNv4 Update? MP-iBGP (PE to PE) to carry VPN-IPv4 Information P1 PE1 P2 PE2 VPN-IPv4 update: RD1:Net1. Next-hop=PE1 SOO=Site1. RT=Yellow. Next-hop=PE1 SOO=Site1.

VPN Labels) A second label in the label stack For internal use 26 © Nokia Siemens Networks MPLS / Mitrabh Shukla .optional – (prevents routing loops in multihomed CE topologies) Any other standard BGP attribute (Ex.What is in an MP-BGP Update? VPN-IPV4 address (96 bits) • Route Distinguisher (RD) (64 bits) • IPv4 address (32bits) Extended Community • Route target (RT) .required • Site of Origin (SOO) .

Why MP-iBGP? MP-iBGP session VPN yellow Site-1 CE1 VPN yellow CE2 Site-2 P1 PE1 P2 PE2 BGP supports large numbers of routes BGP is multi-protocol and scales BGP does not require directly connected peers BGP has optional. transitive attributes For internal use 27 © Nokia Siemens Networks MPLS / Mitrabh Shukla .

12. RIP 152.4.0/24.How Does the MPLS VPN Control Plane Work? VPN-B VRF Import routes with route-target 1:1 VPN-v4 update: RD:1:27:152. RT=1:1.4. OSPF.0/24 NH=PE1. NH=CE1 CE1 VPN B 152.0/24 For internal use 28 © Nokia Siemens Networks MPLS / Mitrabh Shukla CE2 VPN B Animated . VPN Label=(29) PE1 P1 LDP Update: Next hop=PE1 Label=(imp-null) PE2 P2 LDP Update: Next hop=P1 Label=(41) LDP Update: Next hop=P2 Label=(32) MPLS LSP Foundation BGP. NH=PE2 BGP.4. OSPF.12.12.0/24.4.12. RIP 152.

How Does the MPLS VPN Forwarding Plane Work? (animated slide)
Packet forwarding based on a stack of labels:
• CE2 (VPN B) sends a packet to 152.12.4.6
• PE2: VRF lookup for 152.12.4.6: NH=PE1, VPN Label=(29); MPLS forwarding table (LFIB) lookup for NH=PE1
• PE2 to P2: LSP/MPLS label 32, VPN label 29, 152.12.4.6
• P2 to P1 (label swap): 41, 29, 152.12.4.6
• P1 to PE1 (penultimate hop pop, removal of LSP label): 29, 152.12.4.6
• PE1: LFIB lookup for label 29 = vrf VPN B; VRF lookup for 152.12.4.6: NH=CE1
• PE1 to CE1 (VPN B, 152.12.4.0/24): 152.12.4.6

Agenda
• What is a VPN?
• How Do MPLS VPNs Work?
• What Are Some Scaling Techniques?
• How Do I Configure MPLS VPNs?

Scaling MPLS-VPN: Route Reflectors
[Diagram: route reflectors serving PEs of the Green and Yellow VPNs]
• Use of Route Reflectors is highly recommended
• Route Reflectors may be partitioned
  • Each RR stores routes for a set of VPNs
  • Thus, no BGP router needs to store ALL VPN information
• PEs will peer to RRs according to the VPNs they directly connect

MPLS-VPN Scaling: BGP Automatic Route Filtering (ARF)
[Diagram: PE with VRFs for VPNs yellow and green (Import RT=yellow, Import RT=green), receiving over MP-iBGP sessions:]
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Green, Label=XYZ
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Red, Label=XYZ
Each VRF has an import and export policy configured
Policies use route-target attribute (extended community)
PE receives MP-iBGP updates for VPN-IPv4 routes
If route-target is equal to any of the import values configured in the PE, the update is accepted
Otherwise, it is silently discarded

MPLS-VPN Scaling: Route Refresh
[Diagram: PE with Import RT=yellow, Import RT=green and a newly added Import RT=red]
1. PE doesn't have red routes (previously filtered out)
2. PE issues a Route-Refresh to all neighbors in order to ask for re-transmit
3. Neighbors re-send updates and "red" route-target is now accepted
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Green, Label=XYZ
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Red, Label=XYZ
Policy may change in the PE if VRF modifications are done
• New VRFs, removal of VRFs
However, the PE may not have stored routing information which becomes useful after a change
PE requests a re-transmission of updates to neighbors
• Route-Refresh
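The RD, route-target filtering and Route-Refresh slides above, modelled in Python as an added example (not part of the original deck). The `PE` class, the update dictionaries, the third RD 100:30 and the label values are constructed for illustration; the RD uses the ASN:nn form, encoded as an RFC 4364 type-0 RD.

```python
import ipaddress
import struct

def vpn_ipv4(asn, number, prefix):
    """Type-0 RD (ASN:nn, 64 bits) + IPv4 address (32 bits) = 96-bit VPN-IPv4 address."""
    rd = struct.pack("!HHI", 0, asn, number)
    return rd + ipaddress.ip_network(prefix).network_address.packed

class PE:
    """Constructed model of a PE applying automatic route filtering on import RTs."""
    def __init__(self):
        self.import_rts = {}   # VRF name -> set of import route-targets
        self.tables = {}       # VRF name -> {VPN-IPv4 address: (next_hop, label)}
        self.discarded = 0

    def add_vrf(self, name, import_rts):
        self.import_rts[name] = set(import_rts)
        self.tables[name] = {}

    def receive(self, update):
        """Install the route in each VRF whose import RT matches, else discard silently."""
        hits = [v for v, rts in self.import_rts.items() if rts & update["rts"]]
        for vrf in hits:
            self.tables[vrf][update["nlri"]] = (update["next_hop"], update["label"])
        if not hits:
            self.discarded += 1   # not stored: only a Route-Refresh brings it back
        return bool(hits)

    def route_refresh(self, neighbor_updates):
        """Neighbors re-send their VPN-IPv4 updates and the import filter runs again."""
        return sum(self.receive(u) for u in neighbor_updates)

# Constructed updates: the same private prefix in three VPNs, kept apart by the RD.
NEIGHBOR_UPDATES = [
    {"nlri": vpn_ipv4(100, 10, "10.1.0.0/16"), "rts": {"yellow"}, "next_hop": "PE-X", "label": 10},
    {"nlri": vpn_ipv4(100, 20, "10.1.0.0/16"), "rts": {"green"}, "next_hop": "PE-X", "label": 12},
    {"nlri": vpn_ipv4(100, 30, "10.1.0.0/16"), "rts": {"red"}, "next_hop": "PE-X", "label": 14},
]

def demo():
    pe = PE()
    pe.add_vrf("yellow", {"yellow"})
    pe.add_vrf("green", {"green"})
    first = [pe.receive(u) for u in NEIGHBOR_UPDATES]   # red is filtered out
    pe.add_vrf("red", {"red"})                          # VRF change on the PE
    accepted = pe.route_refresh(NEIGHBOR_UPDATES)       # red is now accepted
    return first, accepted, {v: len(t) for v, t in pe.tables.items()}
```

The three NLRIs differ only in their RD bytes, so the overlapping 10.1.0.0/16 prefixes never collide, while isolation between VRFs comes from the import route-targets alone.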

MPLS VPN Packet Forwarding For internal use 34 © Nokia Siemens Networks MPLS / António Santos / 04-06-2009 .

VPN Packet Forwarding Across MPLS VPN Backbone
How will PE routers forward VPN packets across MPLS VPN backbone?
Just forward pure IP packets?
• P-routers do not have VPN routes, packet is dropped on IP lookup.
How about using MPLS for packet propagation across backbone?

VPN Packet Forwarding Across MPLS VPN Backbone
Label VPN packets with LDP label for egress PE-router, forward labeled packets across MPLS backbone?
• P-routers perform label switching, packet reaches egress PE-router.
• However, egress PE-router does not know which VRF to use for packet lookup, so the packet is dropped.
How about using a label stack?

VPN Packet Forwarding Across MPLS VPN Backbone
Label VPN packets with a label stack.
• Use LDP label for egress PE-router as the top label
• VPN label assigned by egress PE-router as the second label in the stack.
P-routers perform label switching, packet reaches egress PE-router.
Egress PE-router performs lookup on the VPN label and forwards the packet toward the CE-router.

VPN Packet Forwarding: Penultimate Hop Popping
• Penultimate hop popping on the LDP label can be performed on the last P-router
• Egress PE-router performs only label lookup on VPN label, resulting in faster and simpler label lookup
• IP lookup is performed only once, in the ingress PE router
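The label-stack forwarding described on the preceding slides, as an added Python example (not part of the original deck). It reuses the labels from the forwarding-plane slide (LDP labels 32 and 41, imp-null from PE1, VPN label 29); the table layout and function names are constructed for illustration.

```python
import ipaddress

IMP_NULL = "imp-null"   # PE1's LDP advertisement: the penultimate hop pops

# Ingress PE2: VRF table for VPN B, learned from the MP-BGP VPNv4 update.
VRF_PE2 = {"VPN B": {ipaddress.ip_network("152.12.4.0/24"): ("PE1", 29)}}
# Ingress PE2: LDP label and next hop used to reach each egress PE.
LDP_TO = {"PE1": (32, "P2")}
# P-routers: incoming top label -> (outgoing label, next hop). No VPN routes here.
LFIB = {
    "P2": {32: (41, "P1")},
    "P1": {41: (IMP_NULL, "PE1")},
}
# Egress PE1: VPN label -> (VRF, outgoing CE).
VPN_LFIB_PE1 = {29: ("VPN B", "CE1")}

def forward(vrf, dst, use_vpn_label=True):
    """Return (trace, outcome); trace lists the label stack each router sends."""
    addr = ipaddress.ip_address(dst)
    route = next((r for net, r in VRF_PE2[vrf].items() if addr in net), None)
    if route is None:
        return [], "dropped at PE2: no route in VRF"
    egress_pe, vpn_label = route
    top, hop = LDP_TO[egress_pe]
    stack = [top] + ([vpn_label] if use_vpn_label else [])
    trace = [("PE2", list(stack))]
    while hop != egress_pe:
        # P-routers look only at the top label: swap it, or pop it on imp-null.
        out_label, next_hop = LFIB[hop][stack[0]]
        stack = stack[1:] if out_label == IMP_NULL else [out_label] + stack[1:]
        trace.append((hop, list(stack)))
        hop = next_hop
    if not stack:
        # Single-label case: a bare IP packet arrives and PE1 cannot pick a VRF.
        return trace, "dropped at PE1: no label to select a VRF"
    out_vrf, ce = VPN_LFIB_PE1[stack[0]]
    return trace, f"PE1 delivers to {ce} in vrf {out_vrf}"
```

Calling `forward("VPN B", "152.12.4.6", use_vpn_label=False)` reproduces the single-label case from the earlier slide, where the packet reaches the egress PE-router and is dropped.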

VPN Label Propagation
How will the ingress PE-router get the second label in the label stack from the egress PE-router?
Labels are propagated in MP-BGP VPNv4 routing updates.

VPN Label Propagation [diagram]


Impacts of MPLS VPN Label Propagation
The VPN label has to be assigned by the BGP next-hop
BGP next-hop should not be changed in MP-IBGP update propagation
• Do not use next-hop-self on confederation boundaries
PE-router has to be BGP next-hop
• Use next-hop-self on the PE-router
Label has to be re-originated if the next-hop is changed
• A new label is assigned every time the MP-BGP update crosses AS-boundary where the next-hop is changed

Impacts of MPLS VPN Packet Forwarding
VPN label is only understood by egress PE-router
End-to-end Label Switched Path is required between ingress and egress PE-router
BGP next-hops shall not be announced as BGP routes
• LDP labels are not assigned to BGP routes
BGP next-hops announced in IGP shall not be summarized in the core network
• Summarization breaks LSP

Agenda
• What is a VPN?
• How Do MPLS VPNs Work?
• What Are Some Scaling Techniques?
• How Do I Configure MPLS VPNs?
  1. Configure VRFs
  2. Associate interfaces with VRFs
  3. Configure MP-iBGP routing
  4. Configure CE to PE routing
  5. Verify VPN operation

Configure VRF
ip vrf <vrf-symbolic-name>
 rd <route-distinguisher-value>
 route-target export <community>
 route-target import <community>
• vrf-symbolic-name: logical name of the VPN; use something that makes sense
• rd: number to uniquely identify the prefix value; convention is ASN:xxxx
• route-target export: the extended community string you will SEND with your routes
• route-target import: the extended community string you will RECEIVE and put into your VRF

Configure VRF
[Diagram: VPN red CE on PE interface E1/0; VPN blue CE on PE interface E2/0]
Create the VRFs on the PE router
PE1(config)#ip vrf red
PE1(config)#ip vrf blue
• "red" and "blue" are the VRF symbolic names (case sensitive)

Configure RD
[Diagram: VPN red CE on PE interface E1/0; VPN blue CE on PE interface E2/0]
Create the VRFs on the PE router
PE1(config)#ip vrf red
PE1(config-vrf)#rd 100:10
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
• RD format: ASN:variable or IP:variable

Configure Route Target
[Diagram: VPN red CE on PE interface E1/0; VPN blue CE on PE interface E2/0]
Create the VRFs on the PE router
PE1(config)#ip vrf red
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
PE1(config-vrf)#route-target import 100:2
PE1(config-vrf)#route-target export 100:2
• RD to RT matching just makes it easy
• <both> is a shortcut if import and export are the same

VRF Options
[Diagram: VPN red CE on PE interface E1/0; VPN blue CE on PE interface E2/0]
Create the VRFs on the PE router
PE1(config)#ip vrf red
PE1(config-vrf)#description VPN for CE1
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config-vrf)#maximum routes 2000 warning-only
• description: online documentation
• maximum routes: protect your network and PE from saturation (scaling factor)
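A defender's check over the VRF stanzas shown on the configuration slides, as an added Python example (not part of the original deck). It parses `ip vrf` blocks and reports duplicate RDs, a VRF importing a route-target that another VRF exports, and VRFs without a `maximum routes` limit. The sample configuration is constructed: `red` and `blue` follow the slides, `green` is a hypothetical VRF added to trigger a finding.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented).
SAMPLE_CONFIG = """\
ip vrf red
 description VPN for CE1
 rd 100:10
 route-target both 100:1
 maximum routes 2000 warning-only
ip vrf blue
 rd 100:20
 route-target import 100:2
 route-target export 100:2
ip vrf green
 rd 100:30
 route-target export 100:3
 route-target import 100:3
 route-target import 100:1
interface Ethernet1/0
 ip vrf forwarding red
"""

def parse_vrfs(config):
    """Return {vrf: {"rd", "import", "export", "max_routes"}} from IOS config text."""
    vrfs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m.group(1), {"rd": None, "import": set(),
                                               "export": set(), "max_routes": None})
        elif not raw[0].isspace():
            cur = None                      # another top-level stanza begins
        elif cur is None:
            continue
        elif m := re.fullmatch(r"rd (\S+)", line):
            cur["rd"] = m.group(1)
        elif m := re.fullmatch(r"route-target (import|export|both) (\S+)", line):
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                cur[kind].add(m.group(2))
        elif m := re.fullmatch(r"maximum routes (\d+)( .*)?", line):
            cur["max_routes"] = int(m.group(1))
    return vrfs

def audit(vrfs):
    """List isolation and saturation findings for review."""
    findings, by_rd = [], {}
    for name, v in vrfs.items():
        by_rd.setdefault(v["rd"], []).append(name)
        if v["max_routes"] is None:
            findings.append(f"{name}: no maximum routes limit")
        for other, o in vrfs.items():
            if other != name:
                for rt in sorted(v["import"] & o["export"]):
                    findings.append(f"{name} imports RT {rt} exported by {other}")
    for rd, names in by_rd.items():
        if len(names) > 1:
            findings.append(f"duplicate RD {rd}: {', '.join(names)}")
    return findings
```

A cross-VRF import can be a deliberate extranet design, so the finding is a prompt for review rather than proof of a leak.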

Associate PE interfaces to VRFs
[Diagram: VPN red CE on PE interface E1/0; VPN blue CE on PE interface E2/0]
Configure interfaces to belong to the VRF (match the VRF symbolic name)
PE1(config)#interface ethernet 1/0
PE1(config-if)#ip vrf forwarding red
PE1(config-if)#ip address 172.11.255.
PE1(config)#interface ethernet 2/0
PE1(config-if)#ip vrf forwarding blue
PE1(config-if)#ip address 172.11.2.2 255.255.255.252

Common VRF Configuration Gotcha
Configuring an interface to the VRF: IP address must be removed from global routing table
PE1(config)#interface ethernet 3/0
PE1(config-if)#ip vrf forwarding red
% Interface Ethernet1/0 IP address 10.131.31.245 removed due to enabling VRF red
PE1(config-if)#ip address 10.131.31.245 255.255.255.252
Also, can only assign 1 VRF to an interface

Configure MP-BGP Peering between PEs
[Diagram: PE1 and PE2 with an MP-BGP session across the VPN backbone IGP]
Standard BGP configuration entries apply:
PE1(config)#router bgp 100
PE1(config-router)#neighbor 10.131.63.252 remote-as 100
PE1(config-router)#neighbor 10.131.63.252 desc MP-BGP to PE2
PE1(config-router)#neighbor 10.131.63.252 update-source Loopback0
Router config for VPNv4 prefixes:
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neighbor 10.131.63.252 activate
PE1(config-router-af)#neighbor 10.131.63.252 send-community extended
PE1(config-router-af)#exit-address-family
• activate: activate neighbor to advertise routes
• send-community extended: send extended community to id the VRF (default entry)

Configure VRF Routing Contexts
[Diagram: PE1 and PE2 with an MP-BGP session across the VPN backbone IGP]
PE1(config-router)#address-family ipv4 vrf red
PE1(config-router-af)#no auto-summary
PE1(config-router-af)#no synchronization
PE1(config-router-af)#exit-address-family
PE1(config-router)#address-family ipv4 vrf blue
PE1(config-router-af)#no auto-summary
PE1(config-router-af)#no synchronization
PE1(config-router-af)#exit-address-family

The VRF is now operational
The previous configuration creates the VRF and associated CEF and routing table
VRF Implementation Considerations
• Many commands are now VRF context sensitive
VPN routes are not yet present
The RD and import and export policies (RT) will be used to fill the VRF routing table with routes learned by the PE via MP-BGP

Example VRF Configuration
[Diagram: MPLS core (BGP AS100, OSPF Area 0) with PE-A, P-A, P-B and PE-B; CE-1A (VPN1) and CE-2A (VPN2) at Site A, CE-1B (VPN1) and CE-2B (VPN2) at Site B; VPN1 RD 100:1, VPN2 RD 100:2; loopback and serial interface addressing]
PE-A(config)#ip vrf VPN1
PE-A(config-vrf)#rd 100:1
PE-A(config-vrf)#route-target export 100:10
PE-A(config-vrf)#route-target import 100:10
PE-A(config)#ip vrf VPN2
PE-A(config-vrf)#rd 100:2
PE-A(config-vrf)#route-target export 100:20
PE-A(config-vrf)#route-target import 100:20

Associate VRFs to Interfaces
For each interface participating in the VPN (match vrf-symbolic-name):
interface Serial1/0
 ip vrf forwarding VPN1
 ip address 172.16.2.2 255.255.255.252

Example VRF Interface Configuration
[Diagram: MPLS core (BGP AS100, OSPF Area 0) with PE-A, P-A, P-B and PE-B; CE-1A (VPN1) and CE-2A (VPN2) at Site A, CE-1B (VPN1) and CE-2B (VPN2) at Site B; VPN1 RD 100:1, VPN2 RD 100:2; loopback and serial interface addressing]
PE-A(config)#interface Serial1/0
PE-A(config-if)#ip vrf forwarding VPN1
PE-A(config-if)#ip address 172.16.2.2 255.255.255.252
PE-A(config)#interface Serial1/1
PE-A(config-if)#ip vrf forwarding VPN2
PE-A(config-if)#ip address 172.

Configure MP-BGP
router bgp 100
 address-family ipv4 vrf VPN1
  no auto-summary
  no synchronization
 exit-address-family
 address-family vpnv4
  neighbor 200.200.0.12 activate
  neighbor 200.200.0.12 send-community extended
  neighbor 200.200.0.13 activate
  neighbor 200.200.0.13 send-community extended
 exit-address-family
• router bgp 100: AS number
• address-family ipv4 vrf: router config for standard IP Version 4 address prefixes
• address-family vpnv4: router config for standard VPN Version 4 address prefixes
• activate: advertise routes
• send-community extended: extended community string to id the VRF

Example MP-BGP Configuration
[Diagram: MPLS core (BGP AS100, OSPF Area 0) with PE-A, P-A, P-B and PE-B; CE-1A (VPN1) and CE-2A (VPN2) at Site A, CE-1B (VPN1) and CE-2B (VPN2) at Site B; VPN1 RD 100:1, VPN2 RD 100:2; loopback and serial interface addressing]
PE-A(config)#router bgp 100
PE-A(config-router)#no synchronization
PE-A(config-router)#no bgp default ipv4-unicast
PE-A(config-router)#bgp log-neighbor-changes
PE-A(config-router)#neighbor 200.200.0.12 remote-as 100
PE-A(config-router)#neighbor 200.200.0.12 update-source Loopback0
PE-A(config-router)#no auto-summary
PE-A(config-router)#address-family ipv4 vrf VPN1
PE-A(config-router-af)#no auto-summary
PE-A(config-router-af)#no synchronization
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family ipv4 vrf VPN2
PE-A(config-router-af)#no auto-summary
PE-A(config-router-af)#no synchronization
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family vpnv4
PE-A(config-router-af)#neighbor 200.200.0.12 activate
PE-A(config-router-af)#neighbor 200.200.0.12 send-community extended
PE-A(config-router-af)#exit-address-family

1.2.2.2.16.16.255.255.0 172.252 exit-address-family Define BGP routes at PE For internal use 60 © Nokia Siemens Networks MPLS / Mitrabh Shukla .255.2.16.0 172.0.0 255.1 ip route vrf VPN2 172.0 network 172.16.0 172.16.2 Define static routes at CE and PE ip route vrf VPN1 172.255.0 255.1.Configure Route Advertisements CE config ip route 0.0.255.0 mask 255.0 mask 255.255.255.0 0.0.255.1 PE config router bgp 100 address-family ipv4 vrf VPN1 network 172.1.16.0.16.

255.2/30 VPN1 RD 100:1 VPN2 RD 100:2 PE-B lo0 200.255.1/30 s1/1 172.1.2 PE-A(config)#ip P-A route vrf VPN1 172.16.2.252 PE-A(config-router-af)#exit-address-family PE-A(config-router)#address-family ipv4 vrf VPN2 PE-A(config-router-af)#network 172.200.255.2.16.0 0.0 mask 255.255.0.1 PE-A(config)#router bgp 100 PE-A(config-router)#address-family ipv4 vrf VPN1 PE-A(config-router-af)#network 172.1/24 s0/0 s1/1 172.200.2.2/30 s1/0 172.16.255.0.16.16.2.255.0.0.1.17.200.255.2.255.16.0.0 172.1/24 172.1.16.2.17.1 PE-A(config)#ip route vrf VPN2 172.1.0 PE-A(config-router-af)#network 172.0P-B 255.0.12 lo0 200.2.16.1.16.1.0 mask 255.2.16.11 lo0172.16.2.16.0.252 ForPE-A(config-router-af)#exit-address-family internal use 61 © Nokia Siemens Networks MPLS / Mitrabh Shukla .17.1/24 172.17.255.2/30 PE-A lo0 200.16.17.0 mask 255.2/30 lo0 s0172.1/30 s1/0 172.1/30 172.1/24 s0/0 172.255.1.255.16.2.0.2.1/30 lo0 s0 172.16.Example Routing Configuration CE-1A(config)#ip route 0.2.200.0 255.0 PE-A(config-router-af)#network 172.0 172.0 172.2 MPLS Core VPN1 VPN2 VPN1 VPN2 Site A Site A Site B Site B BGP AS100 CE-1A CE-2A CE-1B CE-2B OSPF Area 0 lo0 172.17.1.255.2.0 mask 255.1 lo0 200.

MPLS VPN Verification Steps
Verify the VRFs
• show ip vrf [{detail|interfaces}]
Verify routing information
• show ip route vrf [detail] [vrf-name] [interfaces]
• show ip bgp neighbors
• show ip bgp vpnv4 all
• show ip bgp vpnv4 vrf VRF-name
• show ip bgp vpnv4 vrf VRF-name [ip-address]
Verify labels
• show ip bgp vpnv4 all [labels/tags]
• show ip cef vrf [detail]

Traceroute, Ping, Telnet Caveats
Ping and Traceroute in MPLS VPN network only succeed if end-to-end path is successful
Good verification if successful but NOT for troubleshooting
Ping/Traceroute command syntax
• traceroute VRF [vrf-name] ip-address
• ping VRF [vrf-name] ip-address
Telnet command syntax
• telnet ip-address /vrf [vrf-name]

Chapter Summary
You should now be able to:
• Describe MPLS VPN mechanisms
• Use the command line interface to configure a VPN
• Verify VPN functionality