XR MPLS VPNv4 Configuration
Topology & Setup
This example consists of:
- 2 CEs, CE1 & CE2. Both connected to PE1 and PE2 respectively.
- PE1 and PE2 are connected to a P node.
- P node is connected to a route reflector RR.
- CE1 and CE2 are both routed in VRF A.
- Provider’s network IGP is OSPF.
- CE to PE routing is BGP.
The diagram below depicts the loopback and link IP addresses.
IGP configuration
On PE1, PE2, P and RR, OSPF is configured to include the backbone interfaces and loopbacks in OSPF process LAB1, area 0.
NB:
Only XR based configuration will be shown. IOS related examples can be found on: OSPF Configuration
RP/0/0/CPU0:PE1(config)#router ospf LAB1
RP/0/0/CPU0:PE1(config-ospf)#router-id 1.1.1.1
RP/0/0/CPU0:PE1(config-ospf)#address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-ospf)#area 0
RP/0/0/CPU0:PE1(config-ospf-ar)#interface gigabitEthernet 0/0/0/1
RP/0/0/CPU0:PE1(config-ospf-ar)#interface loopback 0
MPLS LDP configuration
On PE1, PE2 and P, MPLS LDP is configured (RR does not require MPLS LDP).
NB:
Only XR based configuration will be shown. IOS related examples can be found on: MPLS VPNv4 IOS
RP/0/0/CPU0:PE1(config)#mpls ldp
RP/0/0/CPU0:PE1(config-ldp)#router-id 1.1.1.1
RP/0/0/CPU0:PE1(config-ldp)#interface gigabitEthernet 0/0/0/1
RP/0/0/CPU0:PE1(config-ldp-if)#commi
IGP & LDP Validation
We run the following commands to confirm that:
- All Loopbacks are advertised (these will be used to later form iBGP sessions).
- LDP adjacency is present and labels propagated.
P#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
4.4.4.4 1 FULL/DR 00:00:39 10.3.4.4 GigabitEthernet0/3
2.2.2.2 1 FULL/DR 00:00:35 10.2.3.2 GigabitEthernet0/2
1.1.1.1 1 FULL/DR 00:00:32 10.1.3.1 GigabitEthernet0/1
P#
P#
P#sh ip route ospf | b Gateway of last resort is not set
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 10.1.3.1, 00:19:57, GigabitEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/2] via 10.2.3.2, 00:19:23, GigabitEthernet0/2
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 10.3.4.4, 00:14:12, GigabitEthernet0/3
P#sh mpls ldp neighbor
Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 3.3.3.3:0
TCP connection: 1.1.1.1.646 - 3.3.3.3.12615
State: Oper; Msgs sent/rcvd: 19/19; Downstream
Up time: 00:07:53
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 10.1.3.1
Addresses bound to peer LDP Ident:
172.16.1.0 10.1.3.1 1.1.1.1
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
TCP connection: 2.2.2.2.646 - 3.3.3.3.22273
State: Oper; Msgs sent/rcvd: 19/18; Downstream
Up time: 00:07:47
LDP discovery sources:
GigabitEthernet0/2, Src IP addr: 10.2.3.2
Addresses bound to peer LDP Ident:
10.2.3.2 2.2.2.2
P#
P#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 1.1.1.1/32 0 Gi0/1 10.1.3.1
17 Pop Label 2.2.2.2/32 0 Gi0/2 10.2.3.2
18 No Label 4.4.4.4/32 0 Gi0/3 10.3.4.4
VRF configuration
On PE1 and PE2, we configure VRF A in the following steps:
- Define VRF A
- Configure CE facing interfaces to be part of VRF A.
- Define the VRF RD under the BGP process. Note that this differs from IOS, where the RD is configured with the VRF definition.
RP/0/0/CPU0:PE1(config)#vrf A
RP/0/0/CPU0:PE1(config-vrf)#address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-vrf-af)#import route-target 100:1
RP/0/0/CPU0:PE1(config-vrf-af)#export route-target 100:1
RP/0/0/CPU0:PE1(config-vrf)#exi
RP/0/0/CPU0:PE1(config)#
RP/0/0/CPU0:PE1(config)#int gigabitEthernet 0/0/0/0
RP/0/0/CPU0:PE1(config-if)#vrf A
RP/0/0/CPU0:PE1(config-if)#ipv4 address 172.16.1.0/31
RP/0/0/CPU0:PE1(config-if)#commi
VPNv4 configuration
BGP sessions under the VPNv4 address family must be established between PE1 & PE2. This can either be a direct session between the 2 nodes, or go through a route reflector as a more scalable solution.
On PE1 and PE2, the configuration is a simple, straightforward BGP config under the VPNv4 AF. We can also use the same method on RR; however, I opted to use a Neighbour Group method.
For more information and demo, watch these 2 videos.
RR VPNv4 Configuration:
RP/0/0/CPU0:RR(config)#router bgp 100
RP/0/0/CPU0:RR(config-bgp)#bgp router-id 4.4.4.4
RP/0/0/CPU0:RR(config-bgp)#address-family vpnv4 unicast
RP/0/0/CPU0:RR(config-bgp-af)#exit
RP/0/0/CPU0:RR(config-bgp)#neighbor-group LAB1_Clients
RP/0/0/CPU0:RR(config-bgp-nbrgrp)#remote-as 100
RP/0/0/CPU0:RR(config-bgp-nbrgrp)#update-source loopback 0
RP/0/0/CPU0:RR(config-bgp-nbrgrp)#address-family vpnv4 unicast
RP/0/0/CPU0:RR(config-bgp-nbrgrp-af)#route-reflector-client
RP/0/0/CPU0:RR(config-bgp-nbrgrp-af)#exit
RP/0/0/CPU0:RR(config-bgp-nbrgrp)#exit
RP/0/0/CPU0:RR(config-bgp)#neighbor 1.1.1.1
RP/0/0/CPU0:RR(config-bgp-nbr)#use neighbor-group LAB1_Clients
RP/0/0/CPU0:RR(config-bgp)#neighbor 2.2.2.2
RP/0/0/CPU0:RR(config-bgp-nbr)#use neighbor-group LAB1_Clients
RP/0/0/CPU0:RR(config-bgp-nbr)#commi
PE1 & PE2 VPNv4 Configuration:
RP/0/0/CPU0:PE1(config)#router bgp 100
RP/0/0/CPU0:PE1(config-bgp)#neighbor 4.4.4.4
RP/0/0/CPU0:PE1(config-bgp-nbr)#remote-as 100
RP/0/0/CPU0:PE1(config-bgp-nbr)#update-source loopback 0
RP/0/0/CPU0:PE1(config-bgp-nbr)#address-family vpnv4 unicast
RP/0/0/CPU0:PE1(config-bgp-nbr-af)#commi
RP/0/0/CPU0:PE1(config)#router bgp 100
RP/0/0/CPU0:PE1(config-bgp)#bgp router-id 1.1.1.1
RP/0/0/CPU0:PE1(config-bgp)#address-family vpnv4 unicast
RP/0/0/CPU0:PE1(config-bgp-af)#ex
RP/0/0/CPU0:PE1(config-bgp)#vrf A
RP/0/0/CPU0:PE1(config-bgp-vrf)#rd 100:1
RP/0/0/CPU0:PE1(config-bgp-vrf)#address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-bgp-vrf-af)#commi
BGP VPNv4 Validation
On RR, we validate that 2 sessions are established towards PE1 and PE2, under VPNv4 AF.
Below, we clearly see 2 sessions established, but with zero prefixes received. This will change once we configure peering between PE and CE nodes on the next step.
RP/0/0/CPU0:RR#sh bgp vpnv4 unicast summary
Mon May 15 14:00:49.328 UTC
BGP router identifier 4.4.4.4, local AS number 100
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0 RD version: 0
BGP main routing table version 1
BGP NSR Initial initsync version 1 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
BGP is operating in STANDALONE mode.
Process RcvTblVer bRIB/RIB LabelVer ImportVer SendTblVer StandbyVer
Speaker 1 1 1 1 1 0
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
1.1.1.1 0 100 13 13 1 0 0 00:10:19 0
2.2.2.2 0 100 2 2 0 0 0 00:00:01 0
PE to CE BGP configuration
This will be a plain BGP configuration between nodes, under the IPv4 Unicast address family. There is no need to redistribute CE-learnt routes, as we are using BGP as the PE-CE protocol.
#### CE1 CONFIGURATION ###
##########################
CE1(config)#router bgp 65001
CE1(config-router)# bgp router-id 10.10.10.10
CE1(config-router)# bgp log-neighbor-changes
CE1(config-router)# no bgp default ipv4-unicast
CE1(config-router)# neighbor 172.16.1.0 remote-as 100
CE1(config-router)# !
CE1(config-router)# address-family ipv4
CE1(config-router-af)# network 10.10.10.10 mask 255.255.255.255
CE1(config-router-af)# neighbor 172.16.1.0 activate
#### PE1 CONFIGURATION ###
##########################
RP/0/0/CPU0:PE1(config)#router bgp 100
RP/0/0/CPU0:PE1(config-bgp)#address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-bgp-af)#exit
RP/0/0/CPU0:PE1(config-bgp)#vrf A
RP/0/0/CPU0:PE1(config-bgp-vrf)#address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-bgp-vrf-af)#exit
RP/0/0/CPU0:PE1(config-bgp-vrf)#neighbor 172.16.1.1
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#remote-as 65001
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)#commi
When checking whether the BGP session is up between CE1 and PE1, we notice that it is, but with an exclamation point beside the prefixes received.
RP/0/0/CPU0:PE1#sh bgp vrf A summary
Mon May 15 15:26:43.255 UTC
BGP VRF A, state: Active
BGP Route Distinguisher: 100:1
VRF ID: 0x60000001
BGP router identifier 1.1.1.1, local AS number 100
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000010 RD version: 2
BGP main routing table version 2
BGP NSR Initial initsync version 2 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP is operating in STANDALONE mode.
Process RcvTblVer bRIB/RIB LabelVer ImportVer SendTblVer StandbyVer
Speaker 2 2 2 2 2 0
Some configured eBGP neighbors (under default or non-default vrfs)
do not have both inbound and outbound policies configured for IPv4 Unicast
address family. These neighbors will default to sending and/or
receiving no routes and are marked with '!' in the output below.
Use the 'show bgp neighbor ' command for details.
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
172.16.1.1 0 65001 5 3 2 0 0 00:00:10 0!
When configuring eBGP in Cisco XR, an inbound and an outbound policy must ALWAYS be added.
eBGP Route Policy configuration
Let’s add an RPL and keep it loose, i.e. a policy which accepts all prefixes and attributes. In our example, we will call it “PASS” and use it in both directions.
RPL PASS will then be added under VRF neighbour.
RP/0/0/CPU0:PE1(config)#route-policy PASS
RP/0/0/CPU0:PE1(config-rpl)#pass
RP/0/0/CPU0:PE1(config-rpl)#end-policy
RP/0/0/CPU0:PE1(config)#commi
!
##############################
Under BGP VRF process
##############################
RP/0/0/CPU0:PE1(config-bgp-vrf-af)# neighbor 172.16.1.1
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)# remote-as 65001
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr)# address-family ipv4 unicast
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr-af)#route-policy PASS in
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr-af)#route-policy PASS out
RP/0/0/CPU0:PE1(config-bgp-vrf-nbr-af)#commi
##################################
Now we received a prefix from CE1
##################################
Process RcvTblVer bRIB/RIB LabelVer ImportVer SendTblVer StandbyVer
Speaker 3 3 3 3 3 0
Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
172.16.1.1 0 65001 17 14 3 0 0 00:10:22 1
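The following Python example is added here and is not part of the original page or of any Cisco tooling. It audits a running-config for the two conditions seen above: an eBGP neighbor with no route-policy in a direction, and one attached to a pass-all policy such as PASS. The sample configuration is constructed from the commands on this page, and the function name `audit_ebgp_policies` is hypothetical.

```python
import re
# Constructed sample: PE1 running-config after the steps above ('!' lines trimmed).
SAMPLE = """\
route-policy PASS
  pass
end-policy
router bgp 100
 neighbor 4.4.4.4
  remote-as 100
 vrf A
  neighbor 172.16.1.1
   remote-as 65001
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
"""

def audit_ebgp_policies(config):
    """Flag eBGP neighbor directions with no route-policy or a bare 'pass' policy."""
    bodies = {m[1]: m[2].split() for m in
              re.finditer(r"^route-policy (\S+)\n(.*?)^end-policy", config, re.M | re.S)}
    local_as, vrf, nbr, nbrs = None, "default", None, {}
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["router", "bgp"]:
            local_as, vrf, nbr = words[2], "default", None
        elif local_as and words[:1] == ["vrf"]:
            vrf, nbr = words[1], None
        elif words[:1] == ["neighbor-group"]:
            nbr = None  # neighbor-group inheritance is not resolved here
        elif local_as and words[:1] == ["neighbor"]:
            nbr = nbrs.setdefault((vrf, words[1]), {})
        elif nbr is not None and words[:1] == ["remote-as"]:
            nbr["as"] = words[1]
        elif nbr is not None and words[:1] == ["route-policy"] and len(words) == 3:
            nbr[words[2]] = words[1]  # direction ("in"/"out") -> policy name
    findings = []
    for (vrf, addr), n in nbrs.items():
        if n.get("as") in (None, local_as):
            continue  # iBGP, or AS inherited from a group: outside this check
        for direction in ("in", "out"):
            policy = n.get(direction)
            if policy is None:
                findings.append((vrf, addr, direction, "no policy: no routes exchanged"))
            elif bodies.get(policy) == ["pass"]:
                findings.append((vrf, addr, direction, f"{policy} accepts everything"))
    return findings

if __name__ == "__main__":
    print(*audit_ebgp_policies(SAMPLE), sep="\n")
```

A policy whose body contains anything more than a bare pass, for example a match on the prefixes the CE is expected to announce, is not flagged.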
The same configuration is applied on CE2 and PE1. Note that on CE2 we used AS65002, so that BGP does not deny prefixes from CE1, which it would if both CEs shared the same AS.
In the event you wish to use the same AS number on your CEs, you must add the “allowas-in” command (see below).
RP/0/0/CPU0:PE2(config-bgp-vrf)#neighbor 192.168.1.1
RP/0/0/CPU0:PE2(config-bgp-vrf-nbr)#address-family ipv4 un
RP/0/0/CPU0:PE2(config-bgp-vrf-nbr-af)#allowas-in ?
<1-10> Number of occurences of AS number
At this point, CE1 & CE2 have exchanged prefixes, as can be validated with a CE to CE ping and the additional commands below.
CE1#sh bgp ipv4 unicast
BGP table version is 3, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.10/32 0.0.0.0 0 32768 i
*> 20.20.20.20/32 172.16.1.0 0 100 65002 i
CE1#
CE1#
CE1#
CE1#ping 20.20.20.20 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/21 ms
RP/0/0/CPU0:RR#sh bgp vpnv4 unicast
Tue May 16 05:38:23.243 UTC
BGP router identifier 4.4.4.4, local AS number 100
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0 RD version: 0
BGP main routing table version 3
BGP NSR Initial initsync version 1 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1
*>i10.10.10.10/32 1.1.1.1 0 100 0 65001 i
*>i20.20.20.20/32 2.2.2.2 0 100 0 65002 i
Processed 2 prefixes, 2 paths
RP/0/0/CPU0:PE1#sh route vrf A
Tue May 16 05:59:24.927 UTC
Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local, G - DAGR, l - LISP
A - access/subscriber, a - Application route
M - mobile route, r - RPL, t - Traffic Engineering, (!) - FRR Backup path
Gateway of last resort is not set
B 10.10.10.10/32 [20/0] via 172.16.1.1, 00:47:44
B 20.20.20.20/32 [200/0] via 2.2.2.2 (nexthop in vrf default), 00:21:30
C 172.16.1.0/31 is directly connected, 00:49:49, GigabitEthernet0/0/0/0
L 172.16.1.0/32 is directly connected, 00:49:49, GigabitEthernet0/0/0/0
MPLS VPN on IOS XR video
Watch this video for full demo.