You are on page 1of 10

10/8/2015

CreatinganMPLSVPNPacketLife.net

CreatinganMPLSVPN
Bystretch|Monday,May16,2011at1:17a.m.UTC
Today we're going to look at the configuration required to create a basic MPLS VPN servicing two customers,
eachwithapresenceattwophysicalsites.Ifyou'reunfamiliarwiththeconceptsofMPLSswitchingandVRFson
CiscoIOS,youmaywanttocheckoutafewofmypastarticlesbeforecontinuing:
IntrotoVRFlite
InterVRFRoutingwithVRFLite
GettingtoknowMPLS
Ourlabtopologylookslikethis:

Asareview,recallthat
P(provider)routersareISPcorerouterswhichdon'tconnecttocustomerroutersandtypicallyrunonly
MPLS
PE(provideredge)routersconnecttocustomersitesandformtheedgeofaVPN
CE(customeredge)routersexistattheedgeofacustomersitetheyhavenoVPNawareness
anIGPrunningamongallPandPEroutersisusedtosupportLDPandBGPadjacencieswithinthe
providernetwork
MPBGPisrunonlyamongPErouters
data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

1/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

anIGP(typically)isrunbetweeneachCErouteranditsupstreamPErouter
In our lab, OSPF is already in operation as the provider network IGP. OSPF processes have also been
preconfiguredontheCEroutershowever,theseOSPFtopologieswillremainseparatefromtheproviderOSPF.
TherearefivecoretasksweneedtoaccomplishtogetanMPLSVPNupandrunning:
1. EnableMPLSontheproviderbackbone.
2. CreateVRFsandassignroutedinterfacestothem.
3. ConfigureMPBGPbetweenthePErouters.
4. ConfigureOSPFbetweeneachPErouteranditsattachedCErouters.
5. Enablerouteredistributionbetweenthecustomersitesandthebackbone.
AlthoughplentyofCLIoutputsareshownbelow,youmaywanttograbthefinishedrouterconfigurationsifyou'd
liketoduplicatethelabonyourown.

EnableMPLS
First we need to enable MPLS on all PP and PPE links with the mpls ip interface command. MPLS
isnotenabled on any CEfacing interfaces CE routers do not run MPLS, just plain IP routing. LDP is enabled
automatically as the default label distribution protocol (versus Cisco's legacy TDP). LDP typically runs between
loopbackaddressesnotdirectlyreachablebyLDPpeers,whichiswhyit'simportanttoconfigureanIGPinthe
corebeforeenablingMPLS.
WecanverifytheconfigurationofMPLSinterfaceswith showmplsinterfaces .

P1(config)#interfacef0/1
P1(configif)#mplsip
P1(configif)#interfacef1/0
P1(configif)#mplsip
P1(configif)#doshowmplsinterfaces
InterfaceIPTunnelOperational
FastEthernet0/1Yes(ldp)NoYes
FastEthernet1/0Yes(ldp)NoYes

P2(config)#interfacef0/1
P2(configif)#mplsip
P2(configif)#interfacef1/0
P2(configif)#mplsip

PE1(config)#interfacef1/0
PE1(configif)#mplsip

PE2(config)#interfacef1/0
PE2(configif)#mplsip
data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

2/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

LDPadjacenciescanbeverifiedwiththecommand showmplsldpneighbor :

P1#showmplsldpneighbor
PeerLDPIdent:10.0.0.2:0;LocalLDPIdent10.0.0.1:0
TCPconnection:10.0.0.2.4511410.0.0.1.646
State:Oper;Msgssent/rcvd:12/13;Downstream
Uptime:00:02:43
LDPdiscoverysources:
FastEthernet0/1,SrcIPaddr:10.0.9.2
AddressesboundtopeerLDPIdent:
10.0.9.210.0.9.910.0.0.2
PeerLDPIdent:10.0.0.3:0;LocalLDPIdent10.0.0.1:0
TCPconnection:10.0.0.3.2032710.0.0.1.646
State:Oper;Msgssent/rcvd:12/12;Downstream
Uptime:00:02:25
LDPdiscoverysources:
FastEthernet1/0,SrcIPaddr:10.0.9.6
AddressesboundtopeerLDPIdent:
10.0.9.610.0.0.3

CreateandAssignVRFs
OurnextstepistocreatecustomerVRFsonourPEroutersandassignthecustomerfacinginterfacestothem.
We need to assign each VRF a route distinguisher (RD) to uniquely identify prefixes as belonging to that VRF
andoneormoreroutetargets(RTs)tospecifyhowroutesshouldbeimportedtoandexportedfromtheVRF.
We'll use a route distinguisher for each VRF in the form of <ASN>:<customer number>. For simplicity, we'll
reusethesamevalueasbothanimportandexportroutetargetwithineachVRF(thoughwearefreetochoose
adifferentoradditionalroutetargetsifweprefer).VRFconfigurationmustbeperformedonbothPErouters.

PE1(config)#ipvrfCustomer_A
PE1(configvrf)#rd65000:1
PE1(configvrf)#routetargetboth65000:1
PE1(configvrf)#ipvrfCustomer_B
PE1(configvrf)#rd65000:2
PE1(configvrf)#routetargetboth65000:2

PE2(config)#ipvrfCustomer_A
PE2(configvrf)#rd65000:1
PE2(configvrf)#routetargetboth65000:1
PE2(configvrf)#ipvrfCustomer_B
PE2(configvrf)#rd65000:2
PE2(configvrf)#routetargetboth65000:2

The

command

routetarget

both

is

used

as

shortcut

for

the

two

commands routetarget import and routetarget export , which appear separately in the running
data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

3/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

configuration.
Now we need to assign the appropriate interfaces to each VRF and reapply their IP addresses. (Assigning an
interface to a VRF automatically wipes it of any configured IP addresses. Your version of IOS may or may not
informyouofthiswhenithappens.)Thecommand showipvrfinterfaces canbeusedtoverifyinterfaceVRF
assignmentandaddressing.

PE1(config)#interfacef0/0
PE1(configif)#ipvrfforwardingCustomer_A
%InterfaceFastEthernet0/0IPaddress10.0.1.1removedduetoenablingVRFCustomer_A
PE1(configif)#ipaddress10.0.1.1255.255.255.252
PE1(configif)#interfacef0/1
PE1(configif)#ipvrfforwardingCustomer_B
%InterfaceFastEthernet0/1IPaddress10.0.1.5removedduetoenablingVRFCustomer_B
PE1(configif)#ipaddress10.0.1.5255.255.255.252
PE1(configif)#^Z
PE1#showipvrfinterfaces
InterfaceIPAddressVRFProtocol
Fa0/010.0.1.1Customer_Aup
Fa0/110.0.1.5Customer_Bup

PE2(config)#interfacef0/0
PE2(configif)#ipvrfforwardingCustomer_A
%InterfaceFastEthernet0/0IPaddress10.0.2.1removedduetoenablingVRFCustomer_A
PE2(configif)#ipaddress10.0.2.1255.255.255.252
PE2(configif)#interfacef0/1
PE2(configif)#ipvrfforwardingCustomer_B
%InterfaceFastEthernet0/1IPaddress10.0.2.5removedduetoenablingVRFCustomer_B
PE2(configif)#ipaddress10.0.2.5255.255.255.252
PE2(configif)#^Z
PE2#showipvrfinterfaces
InterfaceIPAddressVRFProtocol
Fa0/010.0.2.1Customer_Aup
Fa0/110.0.2.5Customer_Bup

ConfigureMPBGPonthePERouters
Thisiswherethingsstarttogetinteresting.InordertoadvertiseVRFroutesfromonePEroutertotheother,we
must configure multiprotocol BGP (MPBGP). MPBGP is a little different from legacy BGP in that it supports
multipleaddressfamilies(e.g.IPv4andIPv6)overacommonBGPadjacency.Italsosupportstheadvertisement
ofVPNroutes,whicharelongerthannormalroutesduetotheadditionofa64bitroutedistinguisher(whichwe
assignedunderVRFconfiguration).
MPBGP runs only on the PE routers: P routers rely entirely on the provider IGP and MPLS to forward traffic
throughtheprovidernetwork,andCEroutershavenoknowledgeofroutesoutsidetheirownVRF.
MinimalMPBGPconfigurationisprettystraightforward.BothPEroutersexistinBGPAS65000.
data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

4/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

PE1(config)#routerbgp65000
PE1(configrouter)#neighbor10.0.0.4remoteas65000
PE1(configrouter)#neighbor10.0.0.4updatesourceloopback0
PE1(configrouter)#addressfamilyvpnv4
PE1(configrouteraf)#neighbor10.0.0.4activate

PE2(config)#routerbgp65000
PE2(configrouter)#neighbor10.0.0.3remoteas65000
PE2(configrouter)#neighbor10.0.0.3updatesourceloopback0
PE2(configrouter)#addressfamilyvpnv4
PE2(configrouteraf)#neighbor10.0.0.3activate

If we look at the running configuration of the BGP process on either PE router, we notice that a bit more
configurationthanweprovidedhasappeared:

PE1#showrunningconfig|sectionrouterbgp
routerbgp65000
nosynchronization
bgplogneighborchanges
neighbor10.0.0.4remoteas65000
neighbor10.0.0.4updatesourceLoopback0
noautosummary
!
addressfamilyvpnv4
neighbor10.0.0.4activate
neighbor10.0.0.4sendcommunityextended
exitaddressfamily
!
addressfamilyipv4vrfCustomer_B
nosynchronization
exitaddressfamily
!
addressfamilyipv4vrfCustomer_A
nosynchronization
exitaddressfamily

In addition to our VPNv4 address family, address families for the two customer VRFs have been created
automatically. Also, support for extended community strings has been added to the VPNv4 neighbor
configuration.
Verify that the MPBGP adjacency between PE1 and PE2 was formed successfully with the
command showbgpvpnv4unicastallsummary :

PE1#showbgpvpnv4unicastallsummary
BGProuteridentifier10.0.0.3,localASnumber65000
BGPtableversionis1,mainroutingtableversion1
data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

5/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

NeighborVASMsgRcvdMsgSentTblVerInQOutQUp/DownState/PfxRcd
10.0.0.4465000121210000:06:050

Currently, there are no routes in the BGP table, because we have not specified anything to be advertised or
redistributed,butwe'llgettothatafterthisnextstep.

ConfigurePECEOSPF
We just configured MPBGP between the two PE routers. Now, let's configure an IGP between each PE router
anditsattachedCErouterstoexchangerouteswiththecustomersites.We'regoingtouseOSPFforthislab,but
wecouldjustaseasilyuseanotherIGPlikeEIGRPorRIP.
Singlearea OSPF has already been configured on the CE routers all CE interfaces are in area 0. Remember
that although we're using OSPF between each of the CE routers and its upstream PE router, these OSPF
processesareisolatedfromtheproviderOSPFtopology.Theoverallroutingtopologywilllooklikethis:

The provider OSPF process has already been configured on the PE routers as process 1. We'll configure
anadditionalOSPF process for each CE router on each PE router. Each PE router will then have three OSPF
processestotal:onefortheprovidernetwork,andoneforeachCErouter.WhereastheproviderOSPFprocess
existsintheglobalroutingtable,thetwoCEprocesseswilleachbeassignedtotheirrespectivecustomerVRFs.

data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

6/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

PE1(config)#routerospf2vrfCustomer_A
PE1(configrouter)#routerid10.0.1.1
PE1(configrouter)#interfacef0/0
PE1(configif)#ipospf2area0
PE1(configif)#routerospf3vrfCustomer_B
PE1(configrouter)#routerid10.0.1.5
PE1(configrouter)#interfacef0/1
PE1(configif)#ipospf3area0

PE2(config)#routerospf2vrfCustomer_A
PE2(configrouter)#routerid10.0.2.1
PE2(configrouter)#interfacef0/0
PE2(configif)#ipospf2area0
PE2(configif)#routerospf3vrfCustomer_B
PE2(configrouter)#routerid10.0.2.5
PE2(configrouter)#interfacef0/1
PE2(configif)#ipospf3area0

WeshouldseeeachPErouterformanOSPFadjacencywithbothofitsattachedCErouters,andthecustomer
routesshouldappearintheVRFtablesonthePErouters.

PE1#showiproutevrfCustomer_A
RoutingTable:Customer_A
...
172.16.0.0/16isvariablysubnetted,2subnets,2masks
O172.16.1.0/24[110/11]via10.0.1.2,00:04:21,FastEthernet0/0
O172.16.0.1/32[110/11]via10.0.1.2,00:04:21,FastEthernet0/0
10.0.0.0/30issubnetted,1subnets
C10.0.1.0isdirectlyconnected,FastEthernet0/0
PE1#showiproutevrfCustomer_B
RoutingTable:Customer_B
...
172.17.0.0/16isvariablysubnetted,2subnets,2masks
O172.17.1.0/24[110/11]via10.0.1.6,00:03:03,FastEthernet0/1
O172.17.0.1/32[110/11]via10.0.1.6,00:03:04,FastEthernet0/1
10.0.0.0/30issubnetted,1subnets
C10.0.1.4isdirectlyconnected,FastEthernet0/1

ConfigureRouteRedistribution
We'realmostdone!WehaveourMPLSandMPBGPbackboneupandrunning,andourCEroutersaresending
routes to our PE routers within their VRFs. The last step is to glue everything together by turning on route
redistributionfromthecustomersideOSPFprocessesintoMPBGPandviceversaonthePErouters.
data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

7/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

First we'll configure redistribution of CE routes in each VRF into MPBGP. This is done under the BGP IPv4
addressfamilyforeachVRF.

PE1(config)#routerbgp65000
PE1(configrouter)#addressfamilyipv4vrfCustomer_A
PE1(configrouteraf)#redistributeospf2
PE1(configrouteraf)#addressfamilyipv4vrfCustomer_B
PE1(configrouteraf)#redistributeospf3

PE2(config)#routerbgp65000
PE2(configrouter)#addressfamilyipv4vrfCustomer_A
PE2(configrouteraf)#redistributeospf2
PE2(configrouteraf)#addressfamilyipv4vrfCustomer_B
PE2(configrouteraf)#redistributeospf3

ThisenablesredistributionofOSPFroutesintoBGPfortransportacrosstheprovidernetworkbetweenthetwo
sites. We can verify that the routes learned from the customer sites (the 172.16.0.0/16 and 172.17.0.0/16
networks)nowappearintheBGPtablesfortheirrespectiveVRFs.

PE1#showipbgpvpnv4vrfCustomer_A
...
NetworkNextHopMetricLocPrfWeightPath
RouteDistinguisher:65000:1(defaultforvrfCustomer_A)
*>10.0.1.0/300.0.0.0032768?
*>i10.0.2.0/3010.0.0.401000?
*>172.16.0.1/3210.0.1.21132768?
*>i172.16.0.2/3210.0.0.4111000?
*>172.16.1.0/2410.0.1.21132768?
*>i172.16.2.0/2410.0.0.4111000?
PE1#showipbgpvpnv4vrfCustomer_B
...
NetworkNextHopMetricLocPrfWeightPath
RouteDistinguisher:65000:2(defaultforvrfCustomer_B)
*>10.0.1.4/300.0.0.0032768?
*>i10.0.2.4/3010.0.0.401000?
*>172.17.0.1/3210.0.1.61132768?
*>i172.17.0.2/3210.0.0.4111000?
*>172.17.1.0/2410.0.1.61132768?
*>i172.17.2.0/2410.0.0.4111000?

The last step is to complete the redistribution in the opposite direction: from BGP into the customer OSPF
processes.Ifyou'reaccustomedtorouteredistribution,there'snothingnewhere.(Wedon'thavetospecifyany
VRFinformationintheredistributionstatementbecauseeachcustomerOSPFprocessisalreadyassignedtoa
VRF.)

data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

8/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

PE1(config)#routerospf2
PE1(configrouter)#redistributebgp65000subnets
PE1(configrouter)#routerospf3
PE1(configrouter)#redistributebgp65000subnets

PE2(config)#routerospf2
PE2(configrouter)#redistributebgp65000subnets
PE2(configrouter)#routerospf3
PE2(configrouter)#redistributebgp65000subnets

TestingandConfirmation
If has gone well, we should now have endtoend connectivity between the CE routers within each VRF. Both
routersforeachcustomershouldnowhavecompleteroutingtables.HerearecustomerA'sroutes:

CE1A#showiproute
...
172.16.0.0/16isvariablysubnetted,4subnets,2masks
C172.16.1.0/24isdirectlyconnected,Loopback1
C172.16.0.1/32isdirectlyconnected,Loopback0
OIA172.16.2.0/24[110/21]via10.0.1.1,00:03:50,FastEthernet0/0
OIA172.16.0.2/32[110/21]via10.0.1.1,00:03:50,FastEthernet0/0
10.0.0.0/30issubnetted,2subnets
OIA10.0.2.0[110/11]via10.0.1.1,00:03:50,FastEthernet0/0
C10.0.1.0isdirectlyconnected,FastEthernet0/0

CE2A#showiproute
...
172.16.0.0/16isvariablysubnetted,4subnets,2masks
OIA172.16.1.0/24[110/21]via10.0.2.1,00:02:49,FastEthernet0/0
OIA172.16.0.1/32[110/21]via10.0.2.1,00:02:49,FastEthernet0/0
C172.16.2.0/24isdirectlyconnected,Loopback1
C172.16.0.2/32isdirectlyconnected,Loopback0
10.0.0.0/30issubnetted,2subnets
C10.0.2.0isdirectlyconnected,FastEthernet0/0
OIA10.0.1.0[110/11]via10.0.2.1,00:02:49,FastEthernet0/0

YoumaynoticethatOSPFroutessentbetweentwositesbelongingtothesamecustomerappearasinterarea
routes. Remember that although OSPF area 0 is being used at both sites, each site exists as a separate link
statetopologyconnectedbytheMPLSVPN.
We should be able to ping from one CE router to the other. (Remember that we don't need to specify a VRF
whendoingsobecauseCEroutershavenoknowledgethatthey'reinaVRF.)
data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3B

9/10

10/8/2015

CreatinganMPLSVPNPacketLife.net

CE1A#ping172.16.0.2
Typeescapesequencetoabort.
Sending5,100byteICMPEchosto172.16.0.2,timeoutis2seconds:
!!!!!
Successrateis100percent(5/5),roundtripmin/avg/max=12/21/32ms

WecanperformatraceroutetoverifythepathtakenaswellastheMPLSlabelsusedtotraversetheprovider
network.

CE1A#traceroute172.16.0.2
Typeescapesequencetoabort.
Tracingtherouteto172.16.0.2
110.0.1.14msec4msec8msec
210.0.9.5[MPLS:Labels19/22Exp0]16msec12msec24msec
310.0.9.2[MPLS:Labels19/22Exp0]24msec20msec16msec
410.0.2.1[MPLS:Label22Exp0]20msec16msec24msec
510.0.2.216msec*36msec

Here's a packet capture of the above traceroute if you're interested in how the MPLS label information is
returned.Andagain,herearethethefinishedrouterconfigurationsifyou'dliketoreplicatethelabyourself.
(ThankstoIvanPepelnjakofCiscoIOSHintshelpingrevisethisarticle!)

data:text/htmlcharset=utf8,%3Ch1%20class%3D%22pageheader%22%20style%3D%22boxsizing%3A%20borderbox%3B%20fontsize%3A%2036px%3

10/10