MPLS VPN Configuration
Table of Content
Enable MPLS
Before configuring VPN, MPLS must be configured in the backbone. In this example, our backbone consists of:
- Provider node or P node, this is our backbone core router.
- Provider Edge nodes or PE nodes, these are the nodes which connects to CEs and route from and to them.
- Customer Edge nodes or CEs, these are the customer devices connected to the service provider
In this topology, I am using a route reflector (RR) to avoid running BGP in my core. This is a common design in service providers networks, where only PE nodes run BGP.
To run MPLS, an IGP must be running in order to carry the labels. In our case, I have enabled OSPF in the backbone, so my next step would be to simply configure and validate MPLS is running at it should.
- On P node I will explicitly configure MPLS on interfaces facing P node.
- On PE1 and PE2 nodes I will configure MPLS under OSPF process to save time. In this case, MPLS will be auto enabled on each link running OSPF.
Note: There is no need to enable MPLS between P node Route reflector |
---|
On all 3 nodes, PE1, PE2 and P I will enabled the following syntax.
mpls ldp router-id loopback 0
PE1(config)#router ospf 10
PE1(config-router)#mpls ldp autoconfig
PE2(config)#router ospf 10
PE2(config-router)#mpls ldp autoconfig
P(config)#int gigabitEthernet 0/1
P(config-if)#mpls ip
P(config-if)#int gigabitEthernet 0/0
P(config-if)#mpls ip
To validate MPLS LDP is configured and operational, we run the following commands:
- sh mpls interfaces
- sh mpls ldp neighbor
- sh mpls forwarding-table
- sh mpls ldp bindings
There are more commands which can be used during troubleshooting, but the above 4 are most common when validating.
P#sh mpls interfaces
Interface IP Tunnel BGP Static Operational
GigabitEthernet0/1 Yes (ldp) No No No Yes
GigabitEthernet0/2 Yes (ldp) No No No Yes
P#sh mpls interfaces
Interface IP Tunnel BGP Static Operational
GigabitEthernet0/1 Yes (ldp) No No No Yes
GigabitEthernet0/2 Yes (ldp) No No No Yes
P#sh mpls ldp neighbor
Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
TCP connection: 4.4.4.4.51730 - 3.3.3.3.646
State: Oper; Msgs sent/rcvd: 14/15; Downstream
Up time: 00:06:06
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 10.3.4.4
Addresses bound to peer LDP Ident:
10.4.5.4 10.3.4.4 4.4.4.4
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
TCP connection: 2.2.2.2.646 - 3.3.3.3.31695
State: Oper; Msgs sent/rcvd: 14/15; Downstream
Up time: 00:06:02
LDP discovery sources:
GigabitEthernet0/2, Src IP addr: 10.2.3.2
Addresses bound to peer LDP Ident:
10.1.2.2 10.2.3.2 2.2.2.2
P#sh mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 2.2.2.2/32 0 Gi0/2 10.2.3.2
17 Pop Label 4.4.4.4/32 0 Gi0/1 10.3.4.4
BGP VPNv4
Once MPLS is configured, we must configure BGP for VPNv4 Unicast. Here, RR will be our reflector for PE1 & PE2.
On RR, we will make use of “peer-group” to speed up the configuration and reduce repetitive lines.
Under BGP process, we define the peer-group then activate the neighbours.
RR(config)#router bgp 100 RR(config-router)#bgp router-id 6.6.6.6
RR(config-router)#no bgp default ipv4
RR(config-router)#neighbor CLIENT peer-group <——————Define the peer-group and common parameters
RR(config-router)#neighbor CLIENT remote-as 100
RR(config-router)#neighbor CLIENT update-source lo0
RR(config-router)#address-family vpnv4
RR(config-router-af)#neighbor CLIENT route-reflector-client
RR(config-router)#neighbor 2.2.2.2 peer-group CLIENT <——————Set 2.2.2.2 as peer-group client
RR(config-router)#neighbor 4.4.4.4 peer-group CLIENT <——————Set 4.4.4.4 as peer-group client
RR(config-router-af)#neighbor 2.2.2.2 activate <——————activate sessions
RR(config-router-af)#neighbor 4.4.4.4 activate
NOTE: The command "neighbor x.x.x.x send-community extended" has been added by default.Else, add it manually! |
---|
For PE1 & PE2, we peer with RR under address family VPNv4 Unicast as per below template.
PE2(config-router)# bgp router-id 4.4.4.4
PE2(config-router)# bgp log-neighbor-changes
PE2(config-router)# no bgp default ipv4-unicast
PE2(config-router)# neighbor 6.6.6.6 remote-as 100
PE2(config-router)# neighbor 6.6.6.6 update-source Loopback0
PE2(config-router)# !
PE2(config-router)# address-family ipv4
PE2(config-router-af)# exit-address-family
PE2(config-router)# !
PE2(config-router)# address-family vpnv4
PE2(config-router-af)# neighbor 6.6.6.6 activate
PE2(config-router-af)# neighbor 6.6.6.6 send-community extended
For validation, we can use:
RR#sh bgp vpnv4 unicast all summary
BGP router identifier 6.6.6.6, local AS number 100
BGP table version is 3, main routing table version 3
2 network entries using 312 bytes of memory
2 path entries using 168 bytes of memory
1/1 BGP path/bestpath attribute entries using 168 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 672 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secsNeighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2.2.2.2 4 100 153 153 3 0 0 02:12:51 0
4.4.4.4 4 100 147 149 3 0 0 02:10:43 0
VRF Configuration
Virtual Routing and Forwarding configuration starts by defining:
- VRF name
- Route Distinguisher RD
- Route Target RT
Our VRF name is BLUE, and we are using RD 10:100 and RT 10:100
On Both PE1 and PE2, we configure:
PE2(config)#ip vrf BLUE
PE2(config-vrf)# rd 10:100
PE2(config-vrf)# route-target export 10:100
PE2(config-vrf)# route-target import 10:100
We then configure IPv4 address and VRF forwarding on GE0/0 on both PE1 and PE2 facing the CE1 and CE2 respectively.
PE1(config)#int gi0/0
PE1(config-if)#ip vrf forwarding BLUE
PE1(config-if)#ip address 172.16.1.1 255.255.255.0
PE2(config)#int gi0/0
PE2(config-if)#ip vrf forwarding BLUE
PE2(config-if)#ip address 172.16.2.1 255.255.255.0
CE1 & CE2 interfaces are configured with IP addresses as normal. 172.16.1.10 /24 for CE1 and 172.61.2.10 /24
At this point we should able to ping from PE1 to CE1 and PE2 to CE2 as per below.
PE1#ping vrf BLUE 172.16.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/10/18 ms
Leave A Comment