MPLS VPN – Part 3

In this article I want to show you another MPLS VPN scenario, this time with BGP running as the PE-CE protocol. We are free to use any protocol between PE and CE routers, depending on the situation, and the choice is normally made after talking to the customer. Suppose that we, as the SP network, and the customers have agreed to run BGP between the PE and CE routers. The requirements are as follows:

- Customer A owns its AS number (AS #1), customer B owns its AS number too (AS #2)
- Customers A and B have 2 offices and they run the same AS number throughout their offices.
- Customers A and B have some networks that are internal and must not be seen by other customers or global BGP routers. Besides, there are some networks that are global and should be reachable by all customers and even the global BGP network.
- Each customer runs BGP with SP network.
- SP network runs OSPF internally and R4 should be configured as RR.
- List of Customer A networks that are internal: loop0 and loop1 on R1 and R7
- List of Customer A networks that are global: loop2 on R1 and R7
- List of Customer B networks that are internal: loop0 and loop1 on R2 and R6
- List of Customer B networks that are global: loop2 and loop3 on R2 and R6

Considering the requirements, each customer has global prefixes to publish in addition to its own internal networks. In BGP we don’t have an option to publish global and VRF-based internal networks simultaneously over one physical (or logical) interface; that is, BGP cannot distribute both global and VRF networks in one update message sent through one physical (or logical) interface to a neighbor. Because of this limitation, we should create a second link and establish another BGP neighborship with that neighbor, so that global prefixes go through the first link and VRF networks go through the second one. Let’s begin our configuration on customer A’s first office (R1). First we need to create a VRF. Because this router will act as a CE router, we do not need to run MPLS on it, and our scenario is implemented as VRF-Lite.

ip vrf A
 rd 1:1
!       
interface Loopback0
 ip vrf forwarding A
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip vrf forwarding A
 ip address 1.1.1.2 255.255.255.255
!         
interface Loopback2
 ip address 1.1.1.4 255.255.255.255

As discussed above, we need two links between R1 and R3. The second link can be another physical interface or a virtual (logical) interface.

R1(config-router)#do sh run
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no keepalive
 clock rate 2000000
!         
interface Serial0/0.1 point-to-point
 ip address 13.13.13.1 255.255.255.0
 frame-relay interface-dlci 100
!         
interface Serial0/0.2 point-to-point
 ip vrf forwarding A
 ip address 133.133.133.1 255.255.255.0
 frame-relay interface-dlci 200

Creating subinterfaces on P2P links such as PPP and HDLC is not possible, so we enable Frame Relay (FR) on the serial interface, which lets us create subinterfaces. For the links to come up, you must disable FR keepalive messages and use the same DLCI number on both ends of a link, as you see above. You can verify the assignments with various show commands:

R1(config-router)#do sh ip inter br 
Interface                  IP-Address      OK? Status     Protocol  
Serial0/0                  unassigned      YES up         up      
Serial0/0.1                13.13.13.1      YES up         up      
Serial0/0.2                133.133.133.1   YES up         up      
Loopback0                  1.1.1.1         YES up         up      
Loopback1                  1.1.1.2         YES up         up      
Loopback2                  1.1.1.4         YES up         up      
R1(config-router)#
R1(config-router)#do sh ip vrf
  Name                           Default RD       Interfaces
  A                                1:1                 Lo0
                                                         Lo1
                                                         Se0/0.2
R1(config-router)#

The configuration of customer A’s other router (R7) is the same as R1:

R7(config-router)#do sh run
ip vrf A
 rd 1:1
!
interface Loopback0
 ip vrf forwarding A
 ip address 7.7.7.7 255.255.255.255
!
interface Loopback1
 ip vrf forwarding A
 ip address 7.7.7.8 255.255.255.255
!
interface Loopback2
 ip address 7.7.7.9 255.255.255.255
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no keepalive
 clock rate 2000000
!         
interface Serial0/0.1 point-to-point
 ip address 57.57.57.7 255.255.255.0
 frame-relay interface-dlci 100   
!         
interface Serial0/0.2 point-to-point
 ip vrf forwarding A
 ip address 157.157.157.7 255.255.255.0
 frame-relay interface-dlci 200   

and verification:

R7(config-router)#do sh ip vrf
  Name                           Default RD        Interfaces
  A                                1:1                 Se0/0.2
                                                         Lo0
                                                         Lo1

This process should be repeated at customer B’s offices too, but there we have used Ethernet ports instead of serial interfaces.

R2(config-router)#do sh run
ip vrf B
 rd 2:2
interface Loopback0
 ip vrf forwarding B
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip vrf forwarding B
 ip address 2.2.2.3 255.255.255.255
!
interface Loopback2
 ip address 2.2.2.4 255.255.255.255
!
interface Loopback3
 ip address 2.2.2.5 255.255.255.255
!         
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!         
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 23.23.23.2 255.255.255.0
!         
interface FastEthernet0/0.2
 encapsulation dot1Q 200
 ip vrf forwarding B
 ip address 123.123.123.2 255.255.255.0

R6(config-router)#do sh run
ip vrf B
 rd 2:2
!
interface Loopback0
 ip vrf forwarding B
 ip address 6.6.6.6 255.255.255.255
!
interface Loopback1
 ip vrf forwarding B
 ip address 6.6.6.7 255.255.255.255
!
interface Loopback2
 ip address 6.6.6.8 255.255.255.255
!         
interface Loopback3
 ip address 6.6.6.9 255.255.255.255
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 100
 ip address 56.56.56.6 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 200
 ip vrf forwarding B
 ip address 156.156.156.6 255.255.255.0

All assignments are done successfully. Now it’s time for BGP, first for customer A:

R1(config-router)#do sh run | sec bgp
router bgp 1
 bgp log-neighbor-changes
 neighbor 13.13.13.3 remote-as 345
 !
 address-family ipv4
  neighbor 13.13.13.3 activate
  no auto-summary
  synchronization
  network 1.1.1.4 mask 255.255.255.255
 exit-address-family

Usually the configuration for global BGP is done under the main BGP router configuration mode, but in the output of the “show run” command the commands are listed under the IPv4 address-family configuration mode. Also, IPv4 address-family neighbors are activated by default and there is no need to run the “neighbor x activate” command. The BGP configuration for a VRF should be implemented under VRF address families. Unlike using IGP protocols in MPLS/VPN scenarios, there is no need to redistribute BGP VRF routes into the BGP global table; this is done by default by the routing process. So the overall configuration of BGP on R1 should look like this:

R1(config-router)#do sh run | sec bgp
router bgp 1
 bgp log-neighbor-changes
 neighbor 13.13.13.3 remote-as 345
 !
 address-family ipv4
  neighbor 13.13.13.3 activate
  no auto-summary
  synchronization
  network 1.1.1.4 mask 255.255.255.255
 exit-address-family
 !
 address-family ipv4 vrf A
  neighbor 133.133.133.3 remote-as 345
  neighbor 133.133.133.3 activate
  no synchronization
  network 1.1.1.1 mask 255.255.255.255
  network 1.1.1.2 mask 255.255.255.255
 exit-address-family

You see that networks are advertised under address families. That is, networks that should be advertised into the global routing table are distributed under the IPv4 address family, and networks that will be advertised into a customer’s BGP table should be distributed under that customer’s BGP address family. The configuration of R7, customer A’s other router, is the same as R1:

R7(config-router)#do sh run | sec bgp
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 7.7.7.9 mask 255.255.255.255
 neighbor 57.57.57.5 remote-as 345
 no auto-summary
 !
 address-family ipv4 vrf A
  neighbor 157.157.157.5 remote-as 345
  neighbor 157.157.157.5 activate
  no synchronization
  network 7.7.7.7 mask 255.255.255.255
  network 7.7.7.8 mask 255.255.255.255
 exit-address-family
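
A check for the placement rule described above (internal prefixes only under the customer's VRF address family, global prefixes only in the global table), added here as an example and not part of the original article. It goes beyond R1's layout by also accepting the older form shown for R7, where global network statements sit directly under router bgp; the names audit, GLOBAL and LEAKY_CONFIG are assumptions made for illustration, and LEAKY_CONFIG is a constructed mistake.

```python
import ipaddress
import re

GLOBAL = "global"  # label chosen here for the non-VRF routing table
# R1's interfaces and BGP section as shown on this page (trimmed).
R1_CONFIG = """\
interface Loopback0
 ip vrf forwarding A
 ip address 1.1.1.1 255.255.255.255
interface Loopback1
 ip vrf forwarding A
 ip address 1.1.1.2 255.255.255.255
interface Loopback2
 ip address 1.1.1.4 255.255.255.255
router bgp 1
 address-family ipv4
  network 1.1.1.4 mask 255.255.255.255
 exit-address-family
 address-family ipv4 vrf A
  network 1.1.1.1 mask 255.255.255.255
  network 1.1.1.2 mask 255.255.255.255
 exit-address-family
"""
# Constructed mistake: an internal loopback also advertised in the global table.
LEAKY_CONFIG = R1_CONFIG.replace(
    " address-family ipv4\n",
    " address-family ipv4\n  network 1.1.1.1 mask 255.255.255.255\n", 1)

def audit(config):
    """Return (prefix, advertised_in, owning_table) for misplaced networks."""
    owner, nets, vrf, af, in_bgp = {}, [], GLOBAL, GLOBAL, False
    for line in map(str.strip, config.splitlines()):
        if line.startswith(("interface ", "router ")):
            vrf, af, in_bgp = GLOBAL, GLOBAL, line.startswith("router bgp ")
        elif m := re.match(r"ip vrf forwarding (\S+)", line):
            vrf = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            owner[ipaddress.ip_interface("/".join(m.groups())).network] = vrf
        elif m := re.match(r"address-family ipv4(?: vrf (\S+))?$", line):
            af = m.group(1) or GLOBAL
        elif line == "exit-address-family":
            af = GLOBAL
        elif in_bgp and (m := re.match(r"network (\S+) mask (\S+)", line)):
            nets.append((ipaddress.ip_network("/".join(m.groups()), strict=False), af))
    return [(str(n), af, owner[n]) for n, af in nets
            if n in owner and owner[n] != af]

if __name__ == "__main__":
    print(audit(R1_CONFIG), audit(LEAKY_CONFIG))
```

An empty list means every advertised prefix sits in the same table as the interface that owns it; network statements without a mask are not examined.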

Now we need to move to the PE routers. On R3, our first PE router, we need to create 2 virtual links, as we did on the customer CE routers, then create the respective VRFs and assign the interfaces.

R3(config-router)#do sh run
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!         
ip vrf B  
 rd 2:2   
 route-target export 2:2
 route-target import 2:2
!         
router bgp 345
 bgp log-neighbor-changes
 neighbor 13.13.13.1 remote-as 1
 neighbor 23.23.23.2 remote-as 2
 neighbor 34.34.34.4 remote-as 345
 !
 address-family ipv4
  neighbor 13.13.13.1 activate
  neighbor 23.23.23.2 activate
  neighbor 34.34.34.4 activate
  neighbor 34.34.34.4 next-hop-self
  no auto-summary
  no synchronization
 exit-address-family
 !        
 address-family ipv4 vrf B
  neighbor 123.123.123.2 remote-as 2
  neighbor 123.123.123.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf A
  neighbor 133.133.133.1 remote-as 1
  neighbor 133.133.133.1 activate
  no synchronization
 exit-address-family

Because R3 and R5 are PE routers and we will configure VPNv4 between them, we need to define the respective RTs on the VRFs too. This is not needed in the VRF-Lite portion of the configuration, so we did not use any RTs between CEs and PEs. As in the previous post about MPLS VPNs, our scenario is a simple L3VPN and the values of the RTs and RDs are the same. According to the requirements, we have to configure R4 as RR, so we did not enable IPv4 BGP between R3 and R5. At this point, the BGP neighborships between R3 and the CE routers (R1 and R2) must come up.

R3(config-router)#do sh ip bgp vpnv4 vrf A sum | beg Neighbor
Neighbor        V    AS MsgRcvd MsgSent   InQ OutQ Up/Down  State/PfxRcd
133.133.133.1   4     1     273     280     0    0 02:34:41         1

R3(config-router)#do sh ip bgp vpnv4 vrf B sum | beg Neighbor
Neighbor        V    AS MsgRcvd MsgSent   InQ OutQ Up/Down  State/PfxRcd
123.123.123.2   4     2     260     260     0    0 02:35:02         2

You see that R3 has received one prefix from R1 (customer A or VRF A) and two prefixes from R2 (customer B or VRF B).

R3(config-router)#do sh ip bgp vpnv4 vrf A | beg Network
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf A)
*> 1.1.1.1/32       133.133.133.1            0             0 1 i
*> 1.1.1.2/32       133.133.133.1            0             0 1 i
R3(config-router)#
R3(config-router)#do sh ip bgp vpnv4 vrf B | beg Network
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2:2 (default for vrf B)
*> 2.2.2.2/32       123.123.123.2            0             0 2 i
*> 2.2.2.3/32       123.123.123.2            0             0 2 i
R3(config-router)#

And we should be able to ping customer networks from R3:

R3(config-router)#do ping vrf A 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/22/48 ms
R3(config-router)#
R3(config-router)#
R3(config-router)#do ping vrf B 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms
R3(config-router)#

The whole process must be repeated on R5, the other PE router, and on the CE routers, R6 and R7. First the CE routers:

R6(config-router)#do sh run | sec bgp
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 6.6.6.8 mask 255.255.255.255
 network 6.6.6.9 mask 255.255.255.255
 neighbor 56.56.56.5 remote-as 345
 no auto-summary
 !
 address-family ipv4 vrf B
  neighbor 156.156.156.5 remote-as 345
  neighbor 156.156.156.5 activate
  no synchronization
  network 6.6.6.6 mask 255.255.255.255
  network 6.6.6.7 mask 255.255.255.255
 exit-address-family

R2(config-router)#do sh run | sec bgp
router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 2.2.2.4 mask 255.255.255.255
 network 2.2.2.5 mask 255.255.255.255
 neighbor 23.23.23.3 remote-as 345
 no auto-summary
 !
 address-family ipv4 vrf B
  neighbor 23.23.23.3 remote-as 345
  neighbor 23.23.23.3 activate
  neighbor 123.123.123.3 remote-as 345
  neighbor 123.123.123.3 activate
  no synchronization
  network 2.2.2.2 mask 255.255.255.255
  network 2.2.2.3 mask 255.255.255.255
 exit-address-family

And our PE router, R5:

R5(config-router)#do sh run
ip vrf A
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf B
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
router bgp 345
 bgp log-neighbor-changes
 neighbor 45.45.45.4 remote-as 345
 neighbor 56.56.56.6 remote-as 2
 neighbor 57.57.57.7 remote-as 1
 !
 address-family ipv4
  neighbor 45.45.45.4 activate
  neighbor 45.45.45.4 next-hop-self
  neighbor 56.56.56.6 activate
  neighbor 57.57.57.7 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf B
  neighbor 156.156.156.6 remote-as 2
  neighbor 156.156.156.6 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf A
  neighbor 157.157.157.7 remote-as 1
  neighbor 157.157.157.7 activate
  no synchronization
 exit-address-family

Let’s verify BGP tables on R5 too:

R5(config-router)#do sh ip bgp vpnv4 vrf A sum | beg Neighbor
Neighbor        V    AS MsgRcvd MsgSent   InQ OutQ Up/Down  State/PfxRcd
157.157.157.7   4     1     265     269     0    0 02:52:53          2
R5(config-router)#do sh ip bgp vpnv4 vrf B sum | beg Neighbor
Neighbor        V    AS MsgRcvd MsgSent   InQ OutQ Up/Down  State/PfxRcd
156.156.156.6   4     2     257     258     0    0 02:53:07          2
R5(config-router)#do sh ip bgp vpnv4 vrf A | beg Network     
   Network          Next Hop         Metric Weight Path
Route Distinguisher: 1:1 (default for vrf A)
*> 7.7.7.7/32       157.157.157.7         0      0 1 i
*> 7.7.7.8/32       157.157.157.7         0      0 1 i
R5(config-router)#do sh ip bgp vpnv4 vrf B | beg Network
   Network          Next Hop         Metric Weight Path
Route Distinguisher: 2:2 (default for vrf B)
*> 6.6.6.6/32       156.156.156.6         0      0 2 i
*> 6.6.6.7/32       156.156.156.6         0      0 2 i

And global IPv4 BGP tables on R3 and R5:

R5(config-router)#do sh ip bgp 

   Network          Next Hop          Metric  Weight Path
*> 6.6.6.8/32       56.56.56.6             0       0 2 i
*> 6.6.6.9/32       56.56.56.6             0       0 2 i
*> 7.7.7.9/32       57.57.57.7             0       0 1 i

R3(config-router)#do sh ip bgp 

   Network          Next Hop          Metric Weight Path
*> 1.1.1.4/32       13.13.13.1             0      0 1 i
*> 2.2.2.4/32       23.23.23.2             0      0 2 i
*> 2.2.2.5/32       23.23.23.2             0      0 2 i

I’ll post the remaining portion ASAP.
