1. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF
[Topology diagram: R1 Penang (10.0.0.1), R2 (10.0.0.2), R3 KL (10.0.0.3), R4 (10.0.0.4) and R5 Singapore (10.0.0.5), linked over interfaces FA0/0 and FA0/1]
R1
interface FastEthernet0/0
 description R1-R2
 ip address 20.0.0.1 255.255.255.252

R2
interface FastEthernet0/0
 description R2-R1
 ip address 20.0.0.2 255.255.255.252
!
interface FastEthernet0/1
 description R2-R3
 ip address 20.0.0.5 255.255.255.252

R4
interface FastEthernet0/0
 description R4-R3
 ip address 20.0.0.10 255.255.255.252
!
interface FastEthernet0/1
 description R4-R5
 ip address 20.0.0.13 255.255.255.252

R3
interface FastEthernet0/1
 description R3-R2
 ip address 20.0.0.6 255.255.255.252
!
interface FastEthernet0/0
 description R3-R4
 ip address 20.0.0.9 255.255.255.252

R5
interface FastEthernet0/1
 description R5-R4
 ip address 20.0.0.14 255.255.255.252

OSPF Configs (R1-R5)
router ospf 999
 router-id 10.0.0.X
 log-adjacency-changes
 redistribute connected subnets
 network 0.0.0.0 255.255.255.255 area 0
NOTES
Basically, with this setup the “baseline” configuration can be said to be complete.
Loopbacks are all reachable and all interfaces are talking. So make sure OSPF “talks” properly.

We will do the following:
1. Set up IPs / Loopback / OSPF – this slide
2. Set up iBGP between selected routers ONLY
   * R1 ↔ R3 ↔ R5
3. Add CE6 ↔ R1 (Penang)
4. Add CE7 ↔ R3 (KL)
5. Add CE8 ↔ R5 (Singapore)
2. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP
R1
router bgp 999
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 neighbor 10.0.0.3 remote-as 999
 neighbor 10.0.0.3 update-source Loopback0
 neighbor 10.0.0.5 remote-as 999
 neighbor 10.0.0.5 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.5 activate

R3
router bgp 999
 bgp router-id 10.0.0.3
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 999
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.5 remote-as 999
 neighbor 10.0.0.5 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.5 activate

R5
router bgp 999
 bgp router-id 10.0.0.5
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 999
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.3 remote-as 999
 neighbor 10.0.0.3 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.3 activate

R2 & R4 do not require iBGP participation!
3. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP & VPNV4 & VRF
This is where it gets more interesting.
CE6 / CE7 will be VPN customers.

CE6 ↔ R1 will have vrf VPN-MY
  RD 999:111
  RT import 999:111
  RT export 999:111
CE7 ↔ R3 will have vrf VPN-MY
  RD 999:111
  RT import 999:111
  RT export 999:111

BUT preparation on R1 & CE6 is required!

1. Must set up router bgp 999 & the special “address-family vpnv4”
2. Under R1 router bgp 999:
   !
   address-family vpnv4
    neighbor 10.0.0.3 activate
    neighbor 10.0.0.3 send-community both
    neighbor 10.0.0.5 activate
    neighbor 10.0.0.5 send-community both
3. Must create the “vrf” (R1):
   ip vrf VPN-MY
    rd 999:111
    route-target export 999:111
    route-target import 999:111
4. Must distribute the vrf routes (R1, also under router bgp 999):
   !
   address-family ipv4 vrf VPN-MY
    redistribute connected
5. Make the interface participate in the vrf (R1):
   interface FastEthernet0/1
    description R1-CE6
    ip vrf forwarding VPN-MY
    ip address 30.0.0.1 255.255.255.252

Note: Carefully go through the running-config of R1. I of course provide you guys with everything!
Basically these are the ONLY 5 steps required to get your VRF/RD-RT working! You just need to make sure that your “baseline” OSPF/iBGP works properly.
4. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP, VPNV4, VRF, Verify that it Works!
Focus on R1 ↔ CE6
Believe it or not, your VPN-MY to R1 → CE6 is already WORKING!
R1#ping 30.0.0.1
Sending 5, 100-byte ICMP Echos to 30.0.0.1
.....
R1#show ip route 30.0.0.1
% Network not in table
R1#ping vrf VPN-MY 30.0.0.1
Sending 5, 100-byte ICMP Echos to 30.0.0.1
!!!!!
R1#show ip route vrf VPN-MY 30.0.0.1
Routing entry for 30.0.0.0/30
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via bgp 999
Advertised by bgp 999
Routing Descriptor Blocks:
* directly connected, via FastEthernet0/1
You can repeat the same on R3 ↔ CE7.
BTW: don't forget to configure the /30s on CE6 & CE7, plus a default route.

CE6
interface FastEthernet0/1
 description CE6-R1
 ip address 30.0.0.2 255.255.255.252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 30.0.0.1 name default-route

Access to the default route table reveals NONE. Expected results!
Access to the VRF VPN-MY table reveals 30.0.0.1/30: you access a DIFFERENT table, i.e. “VPN-MY”.

Problems will start on the next page!
5. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP, VPNV4, VRF, MPLS-LDP
R1 ↔ CE6 & R3 ↔ CE7
● BUT, does CE6 talk to CE7?
● Does VRF R1 VPN-MY talk to R3 VPN-MY?
R1#ping vrf VPN-MY 30.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.0.0.5
.....
R1#show ip bgp vpnv4 vrf VPN-MY
BGP table version is 7, local router ID is 10.0.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 999:111 (default for vrf VPN-MY)
*> 30.0.0.0/30 0.0.0.0 0 32768 ?
*>i30.0.0.4/30 10.0.0.3 0 100 0 ?
R1#show ip route vrf VPN-MY 30.0.0.5
Routing entry for 30.0.0.4/30
Known via "bgp 999", distance 200, metric 0, type internal
Last update from 10.0.0.3 01:43:54 ago
Routing Descriptor Blocks:
* 10.0.0.3 (Default-IP-Routing-Table), from 10.0.0.3, 01:43:54 ago
Route metric is 0, traffic share count is 1
BGP vpnv4 tells me it's THERE.
ip route vrf tells me it's THERE.
BUT still cannot reach?

Problem is … mpls ip needs to be configured on every backbone interface. While BGP may TELL you about the routes, there is no TRANSPORT or label coming from R2 & R3.

R1
interface FastEthernet0/0
 description R1-R2
 ip address 20.0.0.1 255.255.255.252
 mpls ip   ← You NEED this!
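Why the route can be present while the ping still fails, as an added example (not from the original slides): it walks the backbone path between two PE loopbacks and lists every interface on that path still missing `mpls ip`, since a label-switched path needs LDP on both ends of every hop. The link list is transcribed from the slide 1 interface configs; the function names and the "only R1 Fa0/0 enabled" state are constructed for illustration.

```python
from collections import deque

# Backbone links as (router, interface) pairs, from the slide 1 configs.
LINKS = [
    (("R1", "Fa0/0"), ("R2", "Fa0/0")),
    (("R2", "Fa0/1"), ("R3", "Fa0/1")),
    (("R3", "Fa0/0"), ("R4", "Fa0/0")),
    (("R4", "Fa0/1"), ("R5", "Fa0/1")),
]

# Every backbone interface end, i.e. the state after "mpls ip" is applied everywhere.
ALL_ENDS = {end for link in LINKS for end in link}

# Constructed state: "mpls ip" has been added on R1 Fa0/0 only.
ONLY_R1 = {("R1", "Fa0/0")}


def igp_path(links, src, dst):
    """Shortest hop-count path src -> dst as a list of (near_end, far_end) links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a[0], []).append((a, b))
        adj.setdefault(b[0], []).append((b, a))
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for near, far in adj.get(node, []):
            if far[0] not in prev:
                prev[far[0]] = (near, far)
                queue.append(far[0])
    if dst not in prev:
        return None
    path, node = [], dst
    while prev[node] is not None:
        hop = prev[node]
        path.append(hop)
        node = hop[0][0]
    return list(reversed(path))


def lsp_breaks(links, mpls_enabled, src, dst):
    """Interfaces on the src -> dst path that lack 'mpls ip' (empty list = LSP intact)."""
    path = igp_path(links, src, dst)
    if path is None:
        raise ValueError(f"no IGP path from {src} to {dst}")
    return [end for near, far in path for end in (near, far) if end not in mpls_enabled]


if __name__ == "__main__":
    for label, state in (("only R1 Fa0/0", ONLY_R1), ("all backbone interfaces", ALL_ENDS)):
        missing = lsp_breaks(LINKS, state, "R1", "R3")
        status = "LSP intact" if not missing else f"LSP broken, missing mpls ip on {missing}"
        print(f"mpls ip on {label}: R1 -> R3 {status}")
```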
6. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP, VPNV4, VRF, MPLS-LDP
So what have we learnt so far?
1. Plain vanilla setup
   Loopbacks, IP addresses etc.
2. OSPF between R1 – R5
3. iBGP between R1, R3 & R5 ONLY
4. VPNV4 between R1 & R3 ONLY – Slide 3
5. VRF VPN-MY between R1 & R3 ONLY – Slide 3/4
   Make interfaces participate
   Outgoing R1 → CE6
   Outgoing R3 → CE7
6. Make backbone interfaces participate in MPLS – Slide 5
   This will create connectivity between CE6 & CE7, which participate in the SAME VRF VPN-MY
7. We understand that while iBGP/VPNV4 may “tell” us about routes, we still MUST have MPLS-LDP to create the forwarding table for us or be the “transport” to achieve connectivity.
7. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP, VPNV4, VRF, MPLS-LDP, RD/RT
What is RD/RT?

Route Distinguisher
  Important, but automagically created if you don't specify it. We usually specify it for convenience.
Route Target
  Composed of IMPORT and EXPORT statements. Actual prefixes are identified by the RT.

We are going to add R5 → CE8 now:
● Different & distinct VRF VPN-SG
● Does not talk with the other VRF VPN-MY
● Let's assume it is a different company altogether

Very similar configs to R1 → CE6 / R3 → CE7.

R5
ip vrf VPN-SG
 rd 999:222
 route-target export 999:222
 route-target import 999:222
!
interface FastEthernet0/0
 description R5-CE8
 ip vrf forwarding VPN-SG
 ip address 40.0.0.1 255.255.255.252
!
router bgp 999
 address-family ipv4 vrf VPN-SG
  redistribute connected
R5#ping 40.0.0.1
Sending 5, 100-byte ICMP Echos to 40.0.0.1
.....
Success rate is 0 percent (0/5)
R5#ping vrf VPN-SG 40.0.0.1
Sending 5, 100-byte ICMP Echos to 40.0.0.1
!!!!!
R5#show bgp vpnv4 unicast rd 999:222
BGP table version is 11, local router ID is 10.0.0.5
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 999:222 (default for vrf VPN-SG)
*> 40.0.0.0/30 0.0.0.0 0 32768 ?
Only one route is learnt via VPNV4/BGP.
8. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP, VPNV4, VRF, MPLS-LDP, RD/RT
Connecting VPN-MY ↔ VPN-SG
Say VPN-MY has now bought up VPN-SG and would like to create seamless network integration between the two. In other words, a take-over of VPN-SG.

Options:
  Remove VPN-SG, substitute it with VPN-MY & create a new prefix
  OR
  IMPORT / EXPORT the route-targets!

R1
ip vrf VPN-MY
 rd 999:111
 route-target export 999:111
 route-target import 999:111
 route-target import 999:222

R5
ip vrf VPN-SG
 rd 999:222
 route-target export 999:222
 route-target import 999:222
 route-target import 999:111

R3
ip vrf VPN-MY
 rd 999:111
 route-target export 999:111
 route-target import 999:111
NB: NO IMPORT statement for 999:222 on R3
R5#show bgp vpnv4 unicast vrf VPN-SG
BGP table version is 15, local router ID is 10.0.0.5
Network Next Hop Metric LocPrf Weight
Route Distinguisher: 999:222 (default for vrf VPN-SG)
*>i30.0.0.0/30 10.0.0.1 0 100 0 ?
*>i30.0.0.4/30 10.0.0.3 0 100 0 ?
*> 40.0.0.0/30 0.0.0.0 0 32768 ?
R5#ping vrf VPN-SG 30.0.0.5
Sending 5, 100-byte ICMP Echos to 30.0.0.5
.....
Because R3 has NOT imported RT 999:222, BGP “TELLS” me it's there, but MPLS won't carry the traffic for me. R3 must include “route-target import 999:222” to participate between VPN-MY ↔ VPN-SG.
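The route-target behaviour from slides 7 and 8, modelled as an added example (not part of the original deck): it parses the three `ip vrf` stanzas shown above, works out which prefixes each PE installs, and reports pairs where only one side holds the other's route, which is the R5 → R3 case here (R5 holds 30.0.0.4/30, R3 never installs 40.0.0.0/30, so replies have no way back). It also lists every import that crosses from one VRF name to another, since each such line is a deliberate hole in tenant isolation worth reviewing. `ORIGINATED` is taken from the page's BGP tables; all function names are chosen for this example.

```python
# Constructed input: the 'ip vrf' stanzas exactly as shown on slide 8.
CONFIGS = {
    "R1": """ip vrf VPN-MY
 rd 999:111
 route-target export 999:111
 route-target import 999:111
 route-target import 999:222
""",
    "R3": """ip vrf VPN-MY
 rd 999:111
 route-target export 999:111
 route-target import 999:111
""",
    "R5": """ip vrf VPN-SG
 rd 999:222
 route-target export 999:222
 route-target import 999:222
 route-target import 999:111
""",
}

# Connected prefix each PE redistributes into its VRF (from the page's BGP tables).
ORIGINATED = {"R1": "30.0.0.0/30", "R3": "30.0.0.4/30", "R5": "40.0.0.0/30"}


def parse_vrf(config):
    """Parse one 'ip vrf' stanza into its name, RD and import/export RT sets."""
    vrf = {"name": None, "rd": None, "import": set(), "export": set()}
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["ip", "vrf"] and len(words) == 3:
            vrf["name"] = words[2]
        elif words[:1] == ["rd"] and len(words) == 2:
            vrf["rd"] = words[1]
        elif words[:1] == ["route-target"] and len(words) == 3:
            if words[1] == "both":
                kinds = ("import", "export")
            elif words[1] in ("import", "export"):
                kinds = (words[1],)
            else:
                continue
            for kind in kinds:
                vrf[kind].add(words[2])
    return vrf


def build_tables(configs, originated):
    """Return (vrfs, tables): tables[pe] is the set of prefixes that PE's VRF installs."""
    vrfs = {pe: parse_vrf(text) for pe, text in configs.items()}
    tables = {
        pe: {
            originated[src]
            for src, other in vrfs.items()
            # A route is installed if it is local or carries an RT this VRF imports.
            if src == pe or other["export"] & vrf["import"]
        }
        for pe, vrf in vrfs.items()
    }
    return vrfs, tables


def one_way_pairs(tables, originated):
    """(a, b): a holds b's prefix but b has no route back to a's prefix."""
    return sorted(
        (a, b)
        for a in tables
        for b in tables
        if a != b and originated[b] in tables[a] and originated[a] not in tables[b]
    )


def cross_vrf_imports(vrfs):
    """(importer, exporter, rt) for every import that pulls routes from another VRF name."""
    return sorted(
        (a, b, rt)
        for a, va in vrfs.items()
        for b, vb in vrfs.items()
        if va["name"] != vb["name"]
        for rt in va["import"] & vb["export"]
    )


if __name__ == "__main__":
    vrfs, tables = build_tables(CONFIGS, ORIGINATED)
    for pe in sorted(tables):
        print(f"{pe} ({vrfs[pe]['name']}): {sorted(tables[pe])}")
    print("one-way reachability:", one_way_pairs(tables, ORIGINATED))
    print("cross-VRF imports to review:", cross_vrf_imports(vrfs))
```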
9. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP, VPNV4, VRF, MPLS-LDP, RD/RT
So what have we learnt so far?
1. Connected a single VRF across two sites
   VPN-MY → R1 → CE6
   VPN-MY → R3 → CE7
2. Created an exclusive VRF for Singapore/R5
   VPN-SG → R5 → CE8
3. Integrated VRF VPN-MY ↔ VPN-SG
4. Looked at how BGP may tell you about a prefix but MORE may be required to get it to work, i.e. import route-target 999:222 in R3
R5#show bgp vpnv4 unicast rd 999:222
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 999:222 (default for vrf VPN-SG)
*>i30.0.0.0/30 10.0.0.1 0 100 0 ?
*>i30.0.0.4/30 10.0.0.3 0 100 0 ?
*> 40.0.0.0/30 0.0.0.0 0 32768 ?
R5#show bgp vpnv4 unicast rd 999:111
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 999:111
*>i30.0.0.0/30 10.0.0.1 0 100 0 ?
*>i30.0.0.4/30 10.0.0.3 0 100 0 ?
Imported from route-target 999:111
10. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP, VPNV4, VRF, MPLS-LDP, RD/RT, MPLS
What the MPLS will look like:
From the previous class on MPLS-LDP and MPLS-XCONNECTS you should be familiar with the concept of “Label Stacking”. The same applies here.
What we must understand is that BGP Extended Communities will “tell” us about the prefix, but MPLS will do the actual forwarding.
CE8
R8#traceroute 30.0.0.2
Tracing the route to 30.0.0.2
1 40.0.0.1 12 msec 16 msec 20 msec
2 20.0.0.13 [MPLS: Labels 19/23 Exp 0] 80 msec 108
3 20.0.0.9 [MPLS: Labels 20/23 Exp 0] 100 msec 100
4 20.0.0.5 [MPLS: Labels 20/23 Exp 0] 100 msec 104
5 30.0.0.1 100 msec 84
6 30.0.0.2 128 msec 104
Label Stack
R5#show mpls forwarding-table vrf VPN-SG 30.0.0.2 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
None 23 30.0.0.0/30 0 Fa0/1 20.0.0.13
MAC/Encaps=14/22, MRU=1496, Tag Stack{19 23}
R5#show mpls forwarding-table vrf VPN-SG 30.0.0.6 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
None 22 30.0.0.4/30 0 Fa0/1 20.0.0.13
MAC/Encaps=14/22, MRU=1496, Tag Stack{17 22}
R1#show mpls forwarding-table vrf VPN-MY 30.0.0.0 30 / Local Aggregate Label 23
11. L3VPN RD and RT – Setup IP Address, Loopbacks & OSPF, iBGP, VPNV4, VRF, MPLS-LDP, RD/RT
Thank you kjteoh at gmail.com 11/2/2016 – Put your NOTES here!