MPLS VPN Configuration


Enable MPLS

Before configuring VPN, MPLS must be configured in the backbone. In this example, our backbone consists of:

  • Provider node or P node, this is our backbone core router.
  • Provider Edge nodes or PE nodes, these are the nodes which connects to CEs and route from and to them.
  • Customer Edge nodes or CEs, these are the customer devices connected to the service provider

In this topology, I am using a route reflector (RR) to avoid running BGP in my core. This is a common design in service providers networks, where only PE nodes run BGP.

MPLS VPN Configuration

To run MPLS, an IGP must be running in order to carry the labels. In our case, I have enabled OSPF in the backbone, so my next step would be to simply configure and validate MPLS is running at it should.

  1. On P node I will explicitly configure MPLS on interfaces facing P node.
  2. On PE1 and PE2 nodes I will configure MPLS under OSPF process to save time. In this case, MPLS will be auto enabled on each link running OSPF.

Note: There is no need to enable MPLS between P node Route reflector

On all 3 nodes, PE1, PE2 and P I will enabled the following syntax.

mpls ldp router-id loopback 0
PE1(config)#router ospf 10
PE1(config-router)#mpls ldp autoconfig
PE2(config)#router ospf 10
PE2(config-router)#mpls ldp autoconfig
P(config)#int gigabitEthernet 0/1
P(config-if)#mpls ip
P(config-if)#int gigabitEthernet 0/0 
P(config-if)#mpls ip

To validate MPLS LDP is configured and operational, we run the following commands:

  • sh mpls interfaces
  • sh mpls ldp neighbor
  • sh mpls forwarding-table
  • sh mpls ldp bindings

There are more commands which can be used during troubleshooting, but the above 4 are most common when validating.

P#sh mpls interfaces
Interface IP Tunnel BGP Static Operational
GigabitEthernet0/1 Yes (ldp) No No No Yes
GigabitEthernet0/2 Yes (ldp) No No No Yes
P#sh mpls interfaces
Interface IP Tunnel BGP Static Operational
GigabitEthernet0/1 Yes (ldp) No No No Yes
GigabitEthernet0/2 Yes (ldp) No No No Yes
P#sh mpls ldp neighbor 
Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 3.3.3.3:0
TCP connection: 4.4.4.4.51730 - 3.3.3.3.646
State: Oper; Msgs sent/rcvd: 14/15; Downstream
Up time: 00:06:06
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 10.3.4.4
Addresses bound to peer LDP Ident:
10.4.5.4 10.3.4.4 4.4.4.4 
Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0
TCP connection: 2.2.2.2.646 - 3.3.3.3.31695
State: Oper; Msgs sent/rcvd: 14/15; Downstream
Up time: 00:06:02
LDP discovery sources:
GigabitEthernet0/2, Src IP addr: 10.2.3.2
Addresses bound to peer LDP Ident:
10.1.2.2 10.2.3.2 2.2.2.2
P#sh mpls forwarding-table 
Local Outgoing Prefix Bytes Label Outgoing Next Hop 
Label Label or Tunnel Id Switched interface 
16 Pop Label 2.2.2.2/32 0 Gi0/2 10.2.3.2 
17 Pop Label 4.4.4.4/32 0 Gi0/1 10.3.4.4

BGP VPNv4

Once MPLS is configured, we must configure BGP for VPNv4 Unicast. Here, RR will be our reflector for PE1 & PE2.
On RR, we will make use of “peer-group” to speed up the configuration and reduce repetitive lines.

Under BGP process, we define the peer-group then activate the neighbours.

RR(config)#router bgp 100 RR(config-router)#bgp router-id 6.6.6.6 
RR(config-router)#no bgp default ipv4 
RR(config-router)#neighbor CLIENT peer-group <——————Define the peer-group and common parameters
RR(config-router)#neighbor CLIENT remote-as 100
RR(config-router)#neighbor CLIENT update-source lo0
RR(config-router)#address-family vpnv4
RR(config-router-af)#neighbor CLIENT route-reflector-client

RR(config-router)#neighbor 2.2.2.2 peer-group CLIENT <——————Set 2.2.2.2 as peer-group client
RR(config-router)#neighbor 4.4.4.4 peer-group CLIENT <——————Set 4.4.4.4 as peer-group client

RR(config-router-af)#neighbor 2.2.2.2 activate <——————activate sessions
RR(config-router-af)#neighbor 4.4.4.4 activate 
NOTE: The command "neighbor x.x.x.x send-community extended" has been added by default.Else, add it manually!

For PE1 & PE2, we peer with RR under address family VPNv4 Unicast as per below template.

PE2(config-router)# bgp router-id 4.4.4.4
PE2(config-router)# bgp log-neighbor-changes
PE2(config-router)# no bgp default ipv4-unicast
PE2(config-router)# neighbor 6.6.6.6 remote-as 100
PE2(config-router)# neighbor 6.6.6.6 update-source Loopback0
PE2(config-router)# !
PE2(config-router)# address-family ipv4
PE2(config-router-af)# exit-address-family
PE2(config-router)# !
PE2(config-router)# address-family vpnv4
PE2(config-router-af)# neighbor 6.6.6.6 activate
PE2(config-router-af)# neighbor 6.6.6.6 send-community extended

For validation, we can use:

RR#sh bgp vpnv4 unicast all summary
BGP router identifier 6.6.6.6, local AS number 100
BGP table version is 3, main routing table version 3
2 network entries using 312 bytes of memory
2 path entries using 168 bytes of memory
1/1 BGP path/bestpath attribute entries using 168 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 672 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secsNeighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2.2.2.2 4 100 153 153 3 0 0 02:12:51 0
4.4.4.4 4 100 147 149 3 0 0 02:10:43 0

VRF Configuration

Virtual Routing and Forwarding configuration starts by defining:

  1. VRF name
  2. Route Distinguisher RD
  3. Route Target RT

Our VRF name is BLUE, and we are using RD 10:100 and RT 10:100

On Both PE1 and PE2, we configure:

PE2(config)#ip vrf BLUE
PE2(config-vrf)# rd 10:100
PE2(config-vrf)# route-target export 10:100
PE2(config-vrf)# route-target import 10:100

We then configure IPv4 address and VRF forwarding on GE0/0 on both PE1 and PE2 facing the CE1 and CE2 respectively.

PE1(config)#int gi0/0 
PE1(config-if)#ip vrf forwarding BLUE 
PE1(config-if)#ip address 172.16.1.1 255.255.255.0
PE2(config)#int gi0/0 
PE2(config-if)#ip vrf forwarding BLUE 
PE2(config-if)#ip address 172.16.2.1 255.255.255.0

CE1 & CE2 interfaces are configured with IP addresses as normal. 172.16.1.10 /24 for CE1 and 172.61.2.10 /24

At this point we should able to ping from PE1 to CE1 and PE2 to CE2 as per below.

PE1#ping vrf BLUE 172.16.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/10/18 ms