MPLS VPN – Part 2

For ease of reference, I have put our topology here again before continuing. Remember the requirement: R3 is incapable of running MPLS. So we need to create a tunnel between the two PE routers, because these two routers don’t have direct access to each other.

What we are going to do is create a tunnel between the loopback interfaces of the PE routers, assign IP addresses to the tunnel interfaces, enable MPLS, and change the label protocol from the default to LDP. After that, our LDP neighborship should be in place. Just remember that Cisco CEF must be enabled for MPLS to work. MPLS chooses a router-id for each router, and this is the loopback interface with the highest numerical IP address on the router. You have the option to choose it manually with the “mpls ldp router-id Loopback0 force” command. Notice that this IP address must be in /32 format.

R2(config-router)#do sh run inter tun 24
Building configuration...

Current configuration : 150 bytes
!
interface Tunnel24
 ip address 24.24.24.2 255.255.255.0
 mpls label protocol ldp
 mpls ip
 tunnel source Loopback0
 tunnel destination 4.4.4.4

R4(config-router)#do sh run inter tun 24
Building configuration...

Current configuration : 150 bytes
!
interface Tunnel24
 ip address 24.24.24.4 255.255.255.0
 mpls label protocol ldp
 mpls ip
 tunnel source Loopback0
 tunnel destination 2.2.2.2
R4(config-router)#do sh mpls ldp neigh
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 4.4.4.4:0
        TCP connection: 2.2.2.2.646 - 4.4.4.4.60820
        State: Oper; Msgs sent/rcvd: 258/256; Downstream
        Up time: 03:35:27
        LDP discovery sources:
          Tunnel24, Src IP addr: 24.24.24.2
        Addresses bound to peer LDP Ident:
          23.23.23.2      2.2.2.2         24.24.24.2      

R2(config-router)#do sh mpls ldp nei
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
        TCP connection: 4.4.4.4.60820 - 2.2.2.2.646
        State: Oper; Msgs sent/rcvd: 256/259; Downstream
        Up time: 03:35:51
        LDP discovery sources:
          Tunnel24, Src IP addr: 24.24.24.4
        Addresses bound to peer LDP Ident:
          34.34.34.4      4.4.4.4         24.24.24.4      
R2(config-router)#

The next step is configuring BGP. Since R3 is incapable of MPLS and we don’t use BGP to exchange normal IPv4 prefixes in our case, we don’t need to turn on BGP on R3; enabling BGP between R2 and R4 should be enough.

router bgp 234
 no synchronization
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 234
 neighbor 4.4.4.4 update-source Loopback0
 no auto-summary
 

R4(config-router)#do sh run | beg router bgp
router bgp 234
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 234
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary

Here I’m going to discuss a trick. You can see that BGP is established between the loopback interfaces of the PE routers. So what? It means that when one of our PE routers (R2, for example) sends a BGP update message to the other PE router, it tells it to set the next-hop IP address to 2.2.2.2. After that, when R4 wants to send traffic to R2, it sends it to the next hop 2.2.2.2, and this network is reachable through f0/0. At this point, R3 receives the packet and drops it, because it doesn’t know anything about BGP. To fix this we must either enable BGP and MPLS on R3 too or use a workaround. The workaround is to change the next-hop address on the PE routers to the tunnel interface. Because our MPLS neighborship is established over the tunnel interface created between the PE routers, changing the next-hop IP address to the tunnel interface is our solution. For this purpose we need a route-map like this:

R4(config-router)#do sh route-map
route-map SET_NH, permit, sequence 10
  Match clauses:
  Set clauses:
    ip next-hop 24.24.24.2
  Policy routing matches: 0 packets, 0 bytes
R4(config-router)#

R2(config-router)#do sh route-map
route-map SET_NH, permit, sequence 10
  Match clauses:
  Set clauses:
    ip next-hop 24.24.24.4
  Policy routing matches: 0 packets, 0 bytes
R2(config-router)#

With this route-map, R4 will send packets to 24.24.24.2 through the tunnel interface instead of 2.2.2.2, and R2 will send them to 24.24.24.4 instead of 4.4.4.4. This route-map makes our black hole disappear, because our packets bypass R3.

MPLS VPN uses MP-BGP as its transport protocol. This means the two PE routers must use MP-BGP to advertise customer routes to each other. I hope you know the fundamentals of MP-BGP, so let’s jump in and apply our route-map to it.

R2(config-router)#do sh run | beg router bgp
router bgp 234
 no synchronization
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 234
 neighbor 4.4.4.4 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community both
  neighbor 4.4.4.4 route-map SET_NH in
 exit-address-family

R4(config-router)#do sh run | beg router bgp
router bgp 234
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 234
 neighbor 2.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
  neighbor 2.2.2.2 route-map SET_NH in
 exit-address-family

Let’s verify the MP-BGP relationship:

R4(config-router)#do sh ip bgp vpnv4 all sum | beg Neigh
Neighbor        V    AS MsgRcvd MsgSent   
2.2.2.2         4   234     273     279    
R4(config-router)#

R2(config-router)#do sh ip bgp vpnv4 all sum | beg Neigh
Neighbor        V    AS MsgRcvd MsgSent  
4.4.4.4         4   234     280     274     
R2(config-router)#

And verification of MP-BGP table on PE routers:

R2(config-router)#do sh ip bgp vpnv4 all                
BGP table version is 34, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf A)
Route Distinguisher: 2:2 (default for vrf B)
R2(config-router)#

You see that the table is empty now. This is because our customer routes are inside the IGP routing tables on the PE routers and there is nothing to be published by MP-BGP. So what we need is to redistribute the IGP into BGP on one side and redistribute back into the IGP on the other side. This might be a little confusing, but it is a straightforward process. I will begin with R2 and redistribute the contents of each VRF table into MP-BGP, then redistribute them back into the IGPs on R4.

R2(config-router)#do sh run
router bgp 234
 address-family ipv4 vrf B
  redistribute eigrp 2
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute eigrp 1
  no synchronization
 exit-address-family

The first part is finished, so let’s go to R4 and redistribute the MP-BGP routes back into the IGP so that the customer routers (R5 and R6) learn the HQ routes through the IGP.

R4(config-router)#do sh run
router eigrp 100
 auto-summary
 !
 address-family ipv4 vrf A
  redistribute bgp 234 metric 100 1 100 100 1500
  network 46.0.0.0
  no auto-summary
  autonomous-system 46
 exit-address-family
!
router ospf 100 vrf B
 log-adjacency-changes
 redistribute bgp 234 subnets
 network 45.45.45.4 0.0.0.0 area 0

You should repeat this process on the opposite side too. That includes redistributing IGP routes into MP-BGP on R4 and redistributing MP-BGP back into the IGP on R2.

R4(config-router)#do sh run
router bgp 234
 address-family ipv4 vrf B
  redistribute ospf 100 vrf B 
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute eigrp 46
  no synchronization
 exit-address-family

R2(config-router)#do sh run
router eigrp 100
 auto-summary
 !
 address-family ipv4 vrf B
  redistribute bgp 234 metric 100 1 100 100 1500
  network 100.1.2.2 0.0.0.0
  no auto-summary
  autonomous-system 2
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute bgp 234 metric 100 1 100 100 1500
  network 100.1.1.2 0.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family

By now our goal should be met. We can verify this by inspecting the routing tables on the PE routers and even on the customer routers.

R4(config-router)#do sh ip bgp vpnv4 all
BGP table version is 34, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf A)
*>i1.1.1.1/32       24.24.24.2          409600    100      0 ?
*> 6.6.6.6/32       46.46.46.6         2297856         32768 ?
*> 46.46.46.0/24    0.0.0.0                  0         32768 ?
*>i100.1.1.0/24     24.24.24.2               0    100      0 ?
Route Distinguisher: 2:2 (default for vrf B)
*>i1.1.1.2/32       24.24.24.2          409600    100      0 ?
*> 5.5.5.5/32       45.45.45.5              11         32768 ?
*> 45.45.45.0/24    0.0.0.0                  0         32768 ?
*>i100.1.2.0/24     24.24.24.2               0    100      0 ?
R4(config-router)#

On PE router (R2):

R2(config-router)#do sh ip bgp vpnv4 all
BGP table version is 34, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf A)
*> 1.1.1.1/32       100.1.1.1           409600         32768 ?
*>i6.6.6.6/32       24.24.24.4         2297856    100      0 ?
*>i46.46.46.0/24    24.24.24.4               0    100      0 ?
*> 100.1.1.0/24     0.0.0.0                  0         32768 ?
Route Distinguisher: 2:2 (default for vrf B)
*> 1.1.1.2/32       100.1.2.1           409600         32768 ?
*>i5.5.5.5/32       24.24.24.4              11    100      0 ?
*>i45.45.45.0/24    24.24.24.4               0    100      0 ?
*> 100.1.2.0/24     0.0.0.0                  0         32768 ?
R2(config-router)#

On customer router (R1):

R1(config-router)#do sh ip route vrf A

Routing Table: A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     100.0.0.0/24 is subnetted, 1 subnets
C       100.1.1.0 is directly connected, FastEthernet0/0.1
     6.0.0.0/32 is subnetted, 1 subnets
D EX    6.6.6.6 [170/25625856] via 100.1.1.2, 01:47:00, FastEthernet0/0.1
     46.0.0.0/24 is subnetted, 1 subnets
D EX    46.46.46.0 [170/25625856] via 100.1.1.2, 01:47:01, FastEthernet0/0.1
R1(config-router)#
R1(config-router)#do sh ip route vrf B

Routing Table: B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.2 is directly connected, Loopback1
     100.0.0.0/24 is subnetted, 1 subnets
C       100.1.2.0 is directly connected, FastEthernet0/0.2
     55.0.0.0/32 is subnetted, 2 subnets
     5.0.0.0/32 is subnetted, 1 subnets
D EX    5.5.5.5 [170/25625856] via 100.1.2.2, 01:47:15, FastEthernet0/0.2
     45.0.0.0/24 is subnetted, 1 subnets
D EX    45.45.45.0 [170/25625856] via 100.1.2.2, 01:47:16, FastEthernet0/0.2
R1(config-router)#

On customer router (R5):

R5(config)#do sh ip route  
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
O E2    1.1.1.2 [110/409600] via 45.45.45.4, 01:48:11, FastEthernet0/1
     100.0.0.0/24 is subnetted, 1 subnets
O E2    100.1.2.0 [110/1] via 45.45.45.4, 01:48:11, FastEthernet0/1
     55.0.0.0/32 is subnetted, 2 subnets
C       55.55.55.55 is directly connected, Loopback1
C       55.55.55.56 is directly connected, Loopback2
     5.0.0.0/32 is subnetted, 1 subnets
C       5.5.5.5 is directly connected, Loopback0
     45.0.0.0/24 is subnetted, 1 subnets
C       45.45.45.0 is directly connected, FastEthernet0/1
R5(config)#

On customer router (R6):

R6(config)#do sh ip route   
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
D EX    1.1.1.1 [170/26112256] via 46.46.46.4, 01:48:17, Serial0/0
     100.0.0.0/24 is subnetted, 1 subnets
D EX    100.1.1.0 [170/26112256] via 46.46.46.4, 01:48:20, Serial0/0
     6.0.0.0/32 is subnetted, 1 subnets
C       6.6.6.6 is directly connected, Loopback0
     46.0.0.0/24 is subnetted, 1 subnets
C       46.46.46.0 is directly connected, Serial0/0
R6(config)#

It’s time for ping:

R6(config)#do ping 1.1.1.1 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/76 ms
R6(config)#
R5(config)#do ping 1.1.1.2 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 5.5.5.5 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/92/100 ms
R5(config)#

The last thing that I’m going to cover is our OSPF external routes. If you remember, customer router R5 had some small branches and networks that were redistributed on R5. These networks are inside the BGP table of our PE router (R4), but R2 and customer router R1 don’t see them. Why?

R1(config-router)#do sh ip route  vrf B 55.55.55.55
% Subnet not in table
R1(config-router)#
R1(config-router)#do sh ip route  vrf B 55.55.55.56
% Subnet not in table
R1(config-router)#

This is because of the default behavior of the protocols. When you redistribute OSPF into BGP, only internal OSPF routes are redistributed into BGP. For external routes to be redistributed into BGP, you must specify them while redistributing, like this:

router bgp 234
 address-family ipv4 vrf B
  redistribute ospf 100 vrf B match internal external 1 external 2
  no synchronization
 exit-address-family

With the command “match internal external 1 external 2” we specify that all of our OSPF routes must be redistributed into MP-BGP. Last thing to verify:

R1(config-router)#do sh ip route  vrf B 55.55.55.55
Routing entry for 55.55.55.55/32
  Known via "eigrp 2", distance 170, metric 25625856, type external
  Redistributing via eigrp 2
  Last update from 100.1.2.2 on FastEthernet0/0.2, 02:05:22 ago
  Routing Descriptor Blocks:
  * 100.1.2.2, from 100.1.2.2, 02:05:22 ago, via FastEthernet0/0.2
      Route metric is 25625856, traffic share count is 1
      Total delay is 1010 microseconds, minimum bandwidth is 100 Kbit
      Reliability 100/255, minimum MTU 1500 bytes
      Loading 100/255, Hops 1
R1(config-router)#do sh ip route  vrf B 55.55.55.56
Routing entry for 55.55.55.56/32
  Known via "eigrp 2", distance 170, metric 25625856, type external
  Redistributing via eigrp 2
  Last update from 100.1.2.2 on FastEthernet0/0.2, 02:05:34 ago
  Routing Descriptor Blocks:
  * 100.1.2.2, from 100.1.2.2, 02:05:34 ago, via FastEthernet0/0.2
      Route metric is 25625856, traffic share count is 1
      Total delay is 1010 microseconds, minimum bandwidth is 100 Kbit
      Reliability 100/255, minimum MTU 1500 bytes
      Loading 100/255, Hops 1

And ping:

R1(config-router)#do ping vrf B 55.55.55.55

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/84/104 ms
R1(config-router)#
R1(config-router)#do ping vrf B 55.55.55.56

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.56, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/92/116 ms
R1(config-router)#
