XR MPLS VPNv4 Configuration


Topology & Setup

This example consists of:

  • 2 CEs, CE1 & CE2, connected to PE1 and PE2 respectively.
  • PE1 and PE2 are connected to a P node.
  • P node is connected to a route reflector RR.

CE1 and CE2 are both routed in VRF A.

  • Provider’s network IGP is OSPF.
  • CE to PE routing is BGP.
  • PE1, PE2 & RR are XR based nodes.
  • CE1, CE2 and P are IOS based.

The diagram below depicts the loopback and link IP addresses.

MPLS-VPNv4 Cisco XR Configuration

IGP configuration

On PE1, PE2, P and RR, OSPF is configured to include the backbone interfaces and loopbacks in OSPF process LAB1, area 0.

NB:
Only XR based configuration will be shown. IOS related examples can be found on: OSPF Configuration

RP/0/0/CPU0:PE1(config)#router ospf LAB1
RP/0/0/CPU0:PE1(config-ospf)#router-id 1.1.1.1
RP/0/0/CPU0:PE1(config-ospf)#address-family ipv4 unicast 
RP/0/0/CPU0:PE1(config-ospf)#area 0
RP/0/0/CPU0:PE1(config-ospf-ar)#interface gigabitEthernet 0/0/0/1
RP/0/0/CPU0:PE1(config-ospf-ar)#interface loopback 0

MPLS LDP configuration

On PE1, PE2 and P, MPLS LDP is configured (RR does not require MPLS LDP).

NB:
Only XR based configuration will be shown. IOS related examples can be found on: MPLS VPNv4 IOS

RP/0/0/CPU0:PE1(config)#mpls ldp            
RP/0/0/CPU0:PE1(config-ldp)#router-id 1.1.1.1   
RP/0/0/CPU0:PE1(config-ldp)#interface gigabitEthernet 0/0/0/1
RP/0/0/CPU0:PE1(config-ldp-if)#commi

IGP & LDP Validation

We run the following commands to confirm that:

  • All loopbacks are advertised (these will be used later to form iBGP sessions).
  • LDP adjacency is present and labels are propagated.

P#sh ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           1   FULL/DR         00:00:39    10.3.4.4        GigabitEthernet0/3
2.2.2.2           1   FULL/DR         00:00:35    10.2.3.2        GigabitEthernet0/2
1.1.1.1           1   FULL/DR         00:00:32    10.1.3.1        GigabitEthernet0/1
P#
P#
P#sh ip route ospf | b Gateway of last resort is not set
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 10.1.3.1, 00:19:57, GigabitEthernet0/1
      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/2] via 10.2.3.2, 00:19:23, GigabitEthernet0/2
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/2] via 10.3.4.4, 00:14:12, GigabitEthernet0/3
P#sh mpls ldp neighbor 
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 3.3.3.3:0
        TCP connection: 1.1.1.1.646 - 3.3.3.3.12615
        State: Oper; Msgs sent/rcvd: 19/19; Downstream
        Up time: 00:07:53
        LDP discovery sources:
          GigabitEthernet0/1, Src IP addr: 10.1.3.1
        Addresses bound to peer LDP Ident:
          172.16.1.0      10.1.3.1        1.1.1.1         
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
        TCP connection: 2.2.2.2.646 - 3.3.3.3.22273
        State: Oper; Msgs sent/rcvd: 19/18; Downstream
        Up time: 00:07:47
        LDP discovery sources:
          GigabitEthernet0/2, Src IP addr: 10.2.3.2
        Addresses bound to peer LDP Ident:
          10.2.3.2        2.2.2.2         
P#
P#sh mpls forwarding-table 
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
16         Pop Label  1.1.1.1/32       0             Gi0/1      10.1.3.1    
17         Pop Label  2.2.2.2/32       0             Gi0/2      10.2.3.2    
18         No Label   4.4.4.4/32       0             Gi0/3      10.3.4.4    

VRF configuration

On PE1 and PE2, we configure VRF A in the following steps:

  1. Define VRF A.
  2. Configure the CE-facing interfaces to be part of VRF A.
  3. Define the VRF RD under the BGP process. Note that this differs from IOS, where the RD is configured with the VRF definition.

RP/0/0/CPU0:PE1(config)#vrf A
RP/0/0/CPU0:PE1(config-vrf)#address-family ipv4 unicast 
RP/0/0/CPU0:PE1(config-vrf-af)#import route-target 100:1
RP/0/0/CPU0:PE1(config-vrf-af)#export route-target 100:1
RP/0/0/CPU0:PE1(config-vrf)#exi
RP/0/0/CPU0:PE1(config)#
RP/0/0/CPU0:PE1(config)#int gigabitEthernet 0/0/0/0
RP/0/0/CPU0:PE1(config-if)#vrf A  
RP/0/0/CPU0:PE1(config-if)#ipv4 address 172.16.1.0/31
RP/0/0/CPU0:PE1(config-if)#commi   

VPNv4 configuration

BGP sessions under the VPNv4 address family must be established between PE1 & PE2. This can be either a direct session between the 2 nodes, or sessions to a route reflector as a more scalable solution.

On PE1 and PE2, the configuration is a simple BGP config under the VPNv4 AF. We could use the same method on RR; however, I opted to use the neighbor-group method.

For more information and demo, watch these 2 videos.

RR VPNv4 Configuration:

RP/0/0/CPU0:RR(config)#router bgp 100
RP/0/0/CPU0:RR(config-bgp)#bgp router-id 4.4.4.4
RP/0/0/CPU0:RR(config-bgp)#address-family vpnv4  unicast
RP/0/0/CPU0:RR(config-bgp-af)#exit
RP/0/0/CPU0:RR(config-bgp)#neighbor-group LAB1_Clients
RP/0/0/CPU0:RR(config-bgp-nbrgrp)#remote-as 100
RP/0/0/CPU0:RR(config-bgp-nbrgrp)#update-source loopback 0
RP/0/0/CPU0:RR(config-bgp-nbrgrp)#address-family vpnv4 unicast 
RP/0/0/CPU0:RR(config-bgp-nbrgrp-af)#route-reflector-client 
RP/0/0/CPU0:RR(config-bgp-nbrgrp-af)#exit
RP/0/0/CPU0:RR(config-bgp-nbrgrp)#exit
RP/0/0/CPU0:RR(config-bgp)#neighbor 1.1.1.1
RP/0/0/CPU0:RR(config-bgp-nbr)#use neighbor-group LAB1_Clients 
RP/0/0/CPU0:RR(config-bgp)#neighbor 2.2.2.2                
RP/0/0/CPU0:RR(config-bgp-nbr)#use neighbor-group LAB1_Clients 
RP/0/0/CPU0:RR(config-bgp-nbr)#commi

PE1 & PE2 VPNv4 Configuration:

RP/0/0/CPU0:PE1(config)#router bgp 100
RP/0/0/CPU0:PE1(config-bgp)#neighbor 4.4.4.4
RP/0/0/CPU0:PE1(config-bgp-nbr)#remote-as 100
RP/0/0/CPU0:PE1(config-bgp-nbr)#update-source loopback 0
RP/0/0/CPU0:PE1(config-bgp-nbr)#address-family vpnv4 unicast 
RP/0/0/CPU0:PE1(config-bgp-nbr-af)#commi
RP/0/0/CPU0:PE1(config)#router bgp 100
RP/0/0/CPU0:PE1(config-bgp)#bgp router-id 1.1.1.1
RP/0/0/CPU0:PE1(config-bgp)#address-family vpnv4 unicast 
RP/0/0/CPU0:PE1(config-bgp-af)#ex
RP/0/0/CPU0:PE1(config-bgp)#vrf A                
RP/0/0/CPU0:PE1(config-bgp-vrf)#rd 100:1
RP/0/0/CPU0:PE1(config-bgp-vrf)#address-family ipv4 unicast 
RP/0/0/CPU0:PE1(config-bgp-vrf-af)#commi

BGP VPNv4 Validation

On RR, we validate that 2 sessions are established towards PE1 and PE2 under the VPNv4 AF.
Below, we clearly see 2 sessions established, but with zero prefixes received. This will change once we configure peering between the PE and CE nodes in the next step.

RP/0/0/CPU0:RR#sh bgp vpnv4 unicast summary 
Mon May 15 14:00:49.328 UTC
BGP router identifier 4.4.4.4, local AS number 100
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0   RD version: 0
BGP main routing table version 1
BGP NSR Initial initsync version 1 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs

BGP is operating in STANDALONE mode.


Process       RcvTblVer   bRIB/RIB   LabelVer  ImportVer  SendTblVer  StandbyVer
Speaker               1          1          1          1           1           0

Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
1.1.1.1           0   100      13      13        1    0    0 00:10:19          0
2.2.2.2           0   100       2       2        0    0    0 00:00:01          0

PE to CE BGP configuration

This will be a plain BGP configuration between the nodes, under the IPv4 Unicast address family. There is no need to redistribute CE-learnt routes, as we are using BGP as the PE-CE protocol.

#### CE1 CONFIGURATION ###
##########################
CE1(config)#router bgp 65001
CE1(config-router)# bgp router-id 10.10.10.10
CE1(config-router)# bgp log-neighbor-changes
CE1(config-router)# no bgp default ipv4-unicast
CE1(config-router)# neighbor 172.16.1.0 remote-as 100
CE1(config-router)# !
CE1(config-router)# address-family ipv4
CE1(config-router-af)#  network 10.10.10.10 mask 255.255.255.255
CE1(config-router-af)#  neighbor 172.16.1.0 activate
#### PE1 CONFIGURATION ###
##########################
RP/0/0/CPU0:PE1(config)#router bgp 100              
RP/0/0/CPU0:PE1(config-bgp)#address-family ipv4 unicast 
RP/0/0/CPU0:PE1(config-bgp-af)#exit
RP/0/0/CPU0:PE1(config-bgp)#vrf A
RP/0/0/CPU0:PE1(config-bgp-vrf)#address-family ipv4 unicast 
RP/0/0/CPU0:PE1(config-bgp-vrf-af)#exit
RP/0/0/CPU0:PE1(config-bgp-vrf)#neighbor 172.16.1.1
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#remote-as 65001
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#commi

When checking whether the BGP session between CE1 and PE1 is up, we notice that it is, but with an exclamation point beside the count of prefixes received.

RP/0/0/CPU0:PE1#sh bgp vrf A summary   
Mon May 15 15:26:43.255 UTC
BGP VRF A, state: Active
BGP Route Distinguisher: 100:1
VRF ID: 0x60000001
BGP router identifier 1.1.1.1, local AS number 100
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000010   RD version: 2
BGP main routing table version 2
BGP NSR Initial initsync version 2 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0

BGP is operating in STANDALONE mode.


Process       RcvTblVer   bRIB/RIB   LabelVer  ImportVer  SendTblVer  StandbyVer
Speaker               2          2          2          2           2           0

Some configured eBGP neighbors (under default or non-default vrfs)
do not have both inbound and outbound policies configured for IPv4 Unicast
address family. These neighbors will default to sending and/or
receiving no routes and are marked with '!' in the output below.
Use the 'show bgp neighbor ' command for details.

Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
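172.16.1.1        0 65001       5       3        2    0    0 00:00:10          0!

When configuring eBGP in Cisco XR, an inbound and an outbound policy must ALWAYS be added; as the output above states, a neighbor without both defaults to sending and/or receiving no routes.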

eBGP Route Policy configuration

Let’s add an RPL and keep it loose, i.e. a policy which accepts all prefixes and attributes. In our example, we will call it “PASS” and use it in both directions.
RPL PASS will then be added under the VRF neighbour.

RP/0/0/CPU0:PE1(config)#route-policy PASS
RP/0/0/CPU0:PE1(config-rpl)#pass 
RP/0/0/CPU0:PE1(config-rpl)#end-policy 
RP/0/0/CPU0:PE1(config)#commi
!
##############################
Under BGP VRF process
##############################

RP/0/0/CPU0:PE1(config-bgp-vrf-af)#  neighbor 172.16.1.1
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#   remote-as 65001
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#   address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr-af)#route-policy PASS in
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr-af)#route-policy PASS out
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr-af)#commi
##################################
Now we received a prefix from CE1
##################################
Process       RcvTblVer   bRIB/RIB   LabelVer  ImportVer  SendTblVer  StandbyVer
Speaker               3          3          3          3           3           0

Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
172.16.1.1        0 65001      17      14        3    0    0 00:10:22          1
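
The policy rule above can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the original lab: it flags eBGP neighbours that lack an inbound or outbound route-policy and those attached to a policy whose only statement is pass, as PASS is here. The sample text is constructed from PE1's configuration on this page; neighbour 172.16.9.1 with AS 65009 is hypothetical, and neighbor-group inheritance is not resolved.

```python
import re

# Constructed sample: PE1's BGP config from this page plus a hypothetical CE neighbour.
SAMPLE = """\
route-policy PASS
  pass
end-policy
router bgp 100
 neighbor 4.4.4.4
  remote-as 100
 vrf A
  neighbor 172.16.1.1
   remote-as 65001
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
  neighbor 172.16.9.1
   remote-as 65009
"""

def audit(config):
    """Return sorted (neighbor, direction, finding) tuples for eBGP neighbours."""
    bodies, nbrs = {}, {}
    local_as = policy = nbr = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"route-policy (\S+)", line):
            policy = m.group(1)          # start of a policy definition
            bodies[policy] = []
        elif line == "end-policy":
            policy = None
        elif policy:
            bodies[policy].append(line)  # statement inside the policy body
        elif m := re.fullmatch(r"router bgp (\d+)", line):
            local_as = m.group(1)
        elif m := re.fullmatch(r"neighbor (\S+)", line):
            nbr = nbrs.setdefault(m.group(1), {})
        elif nbr is not None and (m := re.fullmatch(r"remote-as (\d+)", line)):
            nbr["as"] = m.group(1)
        elif nbr is not None and (m := re.fullmatch(r"route-policy (\S+) (in|out)", line)):
            nbr[m.group(2)] = m.group(1)
    findings = []
    ebgp = [(ip, n) for ip, n in nbrs.items() if n.get("as") != local_as]  # iBGP is exempt
    for ip, n in ebgp:
        for d in ("in", "out"):
            if d not in n:
                findings.append((ip, d, "no policy: no routes sent or received"))
            elif bodies.get(n[d]) == ["pass"]:
                findings.append((ip, d, "pass-all policy"))
    return sorted(findings)
```

On a production PE-CE session the inbound finding is the one to act on first, typically by matching the customer's prefixes in a prefix-set instead of a bare pass.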

The same configuration is applied on CE2 and PE2. Note that on CE2 we used AS65002, to avoid BGP denying prefixes from CE1, which would happen if both CEs shared the same AS.
In the event you wish to use the same AS number on your CEs, you must add the “allowas-in” command (see below).

RP/0/0/CPU0:PE2(config-bgp-vrf)#neighbor 192.168.1.1
RP/0/0/CPU0:PE2(config-bgp-vrf-nbr)#address-family ipv4 un
RP/0/0/CPU0:PE2(config-bgp-vrf-nbr-af)#allowas-in ?
<1-10> Number of occurences of AS number

At this point, CE1 & CE2 have exchanged prefixes. This can be validated with a CE to CE ping, followed by some additional show commands.

CE1#sh bgp ipv4 unicast    
BGP table version is 3, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>   10.10.10.10/32   0.0.0.0                  0         32768 i
 *>   20.20.20.20/32   172.16.1.0                             0 100 65002 i
CE1#
CE1#
CE1#
CE1#ping 20.20.20.20 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/21 ms

RP/0/0/CPU0:RR#sh bgp vpnv4 unicast 
Tue May 16 05:38:23.243 UTC
BGP router identifier 4.4.4.4, local AS number 100
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0   RD version: 0
BGP main routing table version 3
BGP NSR Initial initsync version 1 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1
*>i10.10.10.10/32     1.1.1.1                  0    100      0 65001 i
*>i20.20.20.20/32     2.2.2.2                  0    100      0 65002 i

Processed 2 prefixes, 2 paths

RP/0/0/CPU0:PE1#sh route vrf A
Tue May 16 05:59:24.927 UTC

Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
       U - per-user static route, o - ODR, L - local, G  - DAGR, l - LISP
       A - access/subscriber, a - Application route
       M - mobile route, r - RPL, t - Traffic Engineering, (!) - FRR Backup path

Gateway of last resort is not set

B    10.10.10.10/32 [20/0] via 172.16.1.1, 00:47:44
B    20.20.20.20/32 [200/0] via 2.2.2.2 (nexthop in vrf default), 00:21:30
C    172.16.1.0/31 is directly connected, 00:49:49, GigabitEthernet0/0/0/0
L    172.16.1.0/32 is directly connected, 00:49:49, GigabitEthernet0/0/0/0
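
The label check from the IGP & LDP validation step can be tied to the VPNv4 table above: VPN traffic only survives the core if every VPNv4 next hop has a labelled entry on P, which is why "No Label" for the RR loopback 4.4.4.4 is harmless here, since it is never a next hop. The Python below is an added example, not part of the original lab; the rows are copied from the outputs on this page, and it assumes next hops are /32 loopbacks as in this topology.

```python
import re

# Rows copied from this page: P's forwarding table and the RR's VPNv4 table.
LFIB = """\
16         Pop Label  1.1.1.1/32       0             Gi0/1      10.1.3.1
17         Pop Label  2.2.2.2/32       0             Gi0/2      10.2.3.2
18         No Label   4.4.4.4/32       0             Gi0/3      10.3.4.4
"""
VPNV4 = """\
Route Distinguisher: 100:1
*>i10.10.10.10/32     1.1.1.1                  0    100      0 65001 i
*>i20.20.20.20/32     2.2.2.2                  0    100      0 65002 i
"""

def lfib_labels(text):
    """Map prefix -> outgoing label from 'sh mpls forwarding-table' data rows."""
    labels = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())  # columns are 2+ spaces apart
        if len(cols) >= 3 and cols[0].isdigit():  # data rows start with the local label
            labels[cols[2]] = cols[1]
    return labels

def vpnv4_next_hops(text):
    """Collect next hops of best paths ('*>') from 'sh bgp vpnv4 unicast' rows."""
    hops = set()
    for line in text.splitlines():
        m = re.match(r"\*>i?\s*\S+/\d+\s+(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            hops.add(m.group(1))
    return hops

def unlabeled_next_hops(lfib_text, vpnv4_text):
    """Next hops with no labelled /32 entry: the label stack would be dropped there."""
    labels = lfib_labels(lfib_text)
    return sorted(h for h in vpnv4_next_hops(vpnv4_text)
                  if labels.get(h + "/32", "No Label") == "No Label")
```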

MPLS VPN on IOS XR video

Watch this video for full demo.