MPLS – VPN Configuration
Mitrabh Shukla
National IP Manager
2 © Nokia Siemens Networks MPLS / Mitrabh Shukla
For internal use
Objectives
Upon completion of this chapter you will be able to:
Describe MPLS VPN mechanisms
Use the command line interface to configure a VPN
Verify VPN functionality
Agenda
What is a VPN?
How Do MPLS VPNs Work?
What Are Some Scaling Techniques?
How Do I Configure MPLS VPNs?
What is a MPLS VPN?
[Figure: a provider backbone connecting the sites of VPN A, VPN B and VPN C]
MPLS-VPN Terminology
[Figure labels: AS100, AS200, VPN A, VPN B, Provider Network, Customer Network, Site (Site1, Site2), CE router, PE router, P router, Border Router, VPN-aware network]
Agenda
What is a VPN?
How do MPLS VPNs Work?
• Control Plane
• Forwarding Plane
What Are Some MPLS VPN Scaling Techniques?
How Do I Configure MPLS VPNs?
What Makes MPLS VPNs Work?
[Figure: P, PE and CE routers with MP-iBGP sessions between the PEs; attached sites are VPN A (10.1.0.0, 10.2.0.0, 11.5.0.0, 11.6.0.0) and VPN B (10.1.0.0, 10.2.0.0, 10.3.0.0)]
Five keys to MPLS VPN functionality:
1. MPLS Forwarding
2. Separation of VPN Routes (VPN Routing and Forwarding Instances (VRF))
3. VPN Membership Selection (Route Target)
4. IP Address Overlap (Route Distinguisher)
5. VPN Route Distribution (MP-BGP for VPN-IPv4)
1. MPLS Forwarding
MPLS VPN Requirement: PE to PE Label Switched Path (LSP)
[Figure: PE1, P1, P2 and PE2, with VRFs on the PE routers]
PE2’s perspective: global routing table entries to reach
PE1 -> next-hop: P2, label: 25
P1 -> next-hop: P2, label: 35
P2 -> next-hop: interface, label: pop
PE1’s perspective: global routing table entries to reach
PE2 -> next-hop: P1, label: 50
P2 -> next-hop: P1, label: 65
P1 -> next-hop: interface, label: pop
2. How Are VPN Routes Kept Separate?
VPN Routing and Forwarding Instances (VRF) provide the separation
VRF = routing table for a VPN
Each VRF is assigned a symbolic name:
ip vrf green
[Figure: a PE router with CE routers at Site-1 Green and Site-1 Yellow; the PE holds the global routing table (VPN backbone IGP: OSPF, IS-IS) and the VRFs]
MPLS VPN Routing Requirements
Customer routers (CE-routers) have to run standard IP routing software
Provider core routers (P-routers) have no VPN routes
Provider edge routers (PE-routers) have to support MPLS VPN and Internet routing
MPLS VPN Routing (CE-Router Perspective)
Customer routers run standard IP routing software and exchange routing updates with the PE-router
• EBGP, OSPF, RIPv2, EIGRP or static routes are supported
PE-router appears as another router in the customer’s network
[Figure: two CE routers attached to a PE router on the MPLS VPN backbone]
MPLS VPN Routing (PE-Router Perspective)
PE-routers:
• Exchange VPN routes with CE-routers via per-VPN routing protocols
• Exchange core routes with P-routers and PE-routers via core IGP
• Exchange VPNv4 routes with other PE-routers via multi-protocol IBGP sessions
MPLS VPN Support for Internet Routing
PE-routers can run standard IPv4 BGP in the global routing table
• Exchange Internet routes with other PE routers
• CE-routers do not participate in Internet routing
• P-routers do not need to participate in Internet routing
MPLS VPN End-to-End Routing Information Flow (1/3)
PE-routers receive IPv4 routing updates from CE-routers and install them in the appropriate Virtual Routing and Forwarding (VRF) table
MPLS VPN End-to-End Routing Information Flow (2/3)
PE-routers export VPN routes from VRF into MP-IBGP and propagate them as VPNv4 routes to other PE-routers
IBGP full mesh is needed between PE-routers
VRF CE Routing
CE to PE routing: EBGP, RIP, OSPF, Static
1 interface attached to VRF
[Figure: PE with CE routers at Site-1 Green and Site-1 Yellow; VPN backbone IGP (OSPF, IS-IS)]
Sharing: multiple interfaces attached to VRF
(Can NOT have multiple VRFs connected to 1 interface)
[Figure: PE with CE routers at Site-1 Green and Site-2 Green (same VPN); VPN backbone IGP (OSPF, IS-IS)]
VRF and Multiple Routing Instances
Routing processes support routing contexts (sub-processes within main process)
Populate specific VPN routing table and FIBs (VRF)
Separate OSPF process for each VRF
[Figure layers: PE to CE routing processes (Static, BGP, RIP, EIGRP, OSPF, OSPF), routing contexts, VRF routing tables, VRF forwarding tables]
What are MPLS VPN Extranets?
Belonging to more than one VRF
NOTE: A VRF is NOT a VPN
• Terms are sometimes used interchangeably but they are NOT the same
• VRF is the routing table
• VPN is the collection of sites that can access that table
[Figure: Site1 through Site5 placed in VPN A, VPN B and VPN C]
3. How is VPN Membership Determined?
VPN membership is based on filtering routes to be installed in VRF
• Route Target import/export filtering
Route Target (RT) is a BGP Extended Community
• Used to constrain distribution of routing information
• Identifier for VRFs that may receive set of routes tagged with given RT (route filtering)
Based on RFC 2547
What is a Route Target?
Route Target (RT) is a BGP Extended Community
• Used to constrain distribution of routing information
• Identifier for VRFs that may receive set of routes tagged with given RT (route filtering)
What is a Route Distinguisher?
Route Distinguisher:
• converts non-unique IP addresses into unique VPN-IPv4 addresses
• Not used for constrained distribution of routing information (route filtering)
VPN-IPv4 addresses
• Must be globally unique
• Route Distinguisher (RD) + IP address
– RDs are assigned by a service provider
4. How Can MPLS VPN Addresses Overlap?
Route Distinguisher provides the separation
[Figure: P, PE and CE routers; VPN A sites (10.1.0.0, 10.2.0.0, 11.5.0.0, 11.6.0.0) and VPN B sites (10.1.0.0, 10.2.0.0, 10.3.0.0) use the same addresses 10.1.0.0 and 10.2.0.0]
What is a Route Distinguisher?
Route Distinguisher:
• Converts non-unique IP addresses into unique VPN-IPv4 addresses (overlapping private addresses)
• Not used for constrained distribution of routing information (route filtering)
VPN-IPv4 addresses
• Route Distinguisher (RD) 64 bits + IP address = 96 bits
– RDs are assigned by a service provider
– RDs should be globally unique
5. How are VPN Routes Distributed?
MP-iBGP (PE to PE) to carry VPN-IPv4 information
Why MP-iBGP?
• BGP supports large numbers of routes
• BGP is multi-protocol and scales
• BGP does not require directly connected peers
• BGP has optional, transitive attributes
[Figure: CE1 (VPN yellow, Site-1), PE1, P1, P2, PE2, CE2 (VPN yellow, Site-2)]
What is in an MP-BGP VPNv4 Update?
MP-iBGP (PE to PE) to carry VPN-IPv4 information
• VPN-IPv4 update: RD1:Net1, Next-hop=PE1, SOO=Site1, RT=Yellow, Label=10
• VPN-IPv4 update: RD2:Net1, Next-hop=PE1, SOO=Site1, RT=Green, Label=12
[Figure: PE1, P1, P2, PE2]
What is in an MP-BGP Update?
VPN-IPv4 address (96 bits)
• Route Distinguisher (RD) (64 bits)
• IPv4 address (32 bits)
Extended Community
• Route target (RT) - required
• Site of Origin (SOO) - optional (prevents routing loops in multihomed CE topologies)
Any other standard BGP attribute (Ex. VPN Labels)
A second label in the label stack
Why MP-iBGP?
BGP supports large numbers of routes
BGP is multi-protocol and scales
BGP does not require directly connected peers
BGP has optional, transitive attributes
[Figure: MP-iBGP session between PE1 and PE2 across P1 and P2; CE1 (VPN yellow, Site-1) and CE2 (VPN yellow, Site-2)]
How Does the MPLS VPN Control Plane Work?
MPLS LSP foundation:
• LDP update: Next hop=PE1, Label=(imp-null)
• LDP update: Next hop=P1, Label=(41)
• LDP update: Next hop=P2, Label=(32)
VPN route distribution for VPN B prefix 152.12.4.0/24:
• BGP, OSPF, RIP: 152.12.4.0/24, NH=CE1
• VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE1, RT=1:1, VPN Label=(29)
• VPN-B VRF: import routes with route-target 1:1
• BGP, OSPF, RIP: 152.12.4.0/24, NH=PE2
[Figure: CE1, PE1, P1, P2, PE2, CE2, with VPN B sites at both ends]
How Does the MPLS VPN Forwarding Plane Work?
Packet forwarding based on stack of labels
• VRF lookup for 152.12.4.6: NH=PE1, VPN Label=(29)
• MPLS forwarding table (LFIB) lookup for NH=PE1: LSP/MPLS label 32 goes on top of VPN label 29
• Label swap (LSP label 32 becomes 41; VPN label 29 unchanged)
• Penultimate Hop Pop (removal of LSP label): the packet continues with VPN label 29 only
• LFIB lookup for label 29 = vrf VPN B
• VRF lookup for 152.12.4.6: NH=CE1
[Figure: packet to 152.12.4.6 travelling CE2, PE2, P2, P1, PE1, CE1 between the VPN B sites (152.12.4.0/24)]
Agenda
What is a VPN?
How Do MPLS VPNs Work?
What Are Some Scaling Techniques?
How Do I Configure MPLS VPNs?
Scaling MPLS-VPN
Use of Route Reflectors highly recommended
Route Reflectors may be partitioned
• Each RR stores routes for a set of VPNs
• Thus, no BGP router needs to store ALL VPN information
PEs will peer to RRs according to the VPNs they directly connect
[Figure: Green and Yellow route reflectors and the PEs attached to Green and Yellow VPNs]
MPLS-VPN Scaling: BGP Automatic Route Filtering (ARF)
Each VRF has an import and export policy configured
Policies use route-target attribute (extended community)
PE receives MP-iBGP updates for VPN-IPv4 routes
If route-target is equal to any of the import values configured in the PE, the update is accepted
Otherwise, it is silently discarded
Example: PE with VRFs for VPNs yellow and green (Import RT=yellow, Import RT=green) receiving over MP-iBGP sessions:
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ
MPLS-VPN Scaling: Route Refresh
Policy may change in the PE if VRF modifications are done
• New VRFs, removal of VRFs
However, the PE may not have stored routing information which becomes useful after a change
PE requests a re-transmission of updates from neighbors
• Route-Refresh
Example: PE with Import RT=yellow, Import RT=green, Import RT=red
1. PE doesn’t have red routes (previously filtered out)
2. PE issues a Route-Refresh to all neighbors in order to ask for re-transmit
3. Neighbors re-send updates and “red” route-target is now accepted
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ
• VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ
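The Route Distinguisher, Automatic Route Filtering and Route Refresh slides above, worked through as an added Python example (not part of the original deck): it builds 96-bit VPN-IPv4 addresses with the type-0 ASN:number RD layout and applies route-target import filtering on a simulated PE. The class and function names, the green VRF (RD 100:30, RT 100:3), the /16 mask and the label values are constructed for illustration; red and blue reuse the RD and RT values from the configuration slides later in this deck.

```python
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(rd: str) -> bytes:
    """Type-0 RD: 2-byte type (0), 2-byte ASN, 4-byte assigned number = 64 bits."""
    asn, number = (int(part) for part in rd.split(":"))
    return struct.pack("!HHI", 0, asn, number)


def vpn_ipv4(rd: str, ipv4: str) -> bytes:
    """VPN-IPv4 address = 64-bit RD followed by the 32-bit IPv4 address (96 bits)."""
    return encode_rd(rd) + ipaddress.IPv4Address(ipv4).packed


@dataclass(frozen=True)
class Vpnv4Update:
    rd: str
    prefix: str
    next_hop: str
    route_targets: frozenset
    label: int


@dataclass
class Vrf:
    name: str
    import_rts: set
    routes: dict = field(default_factory=dict)  # prefix -> (next hop, VPN label)


class Pe:
    """A PE that stores only the routes its import policy accepts."""

    def __init__(self, vrfs):
        self.vrfs = {vrf.name: vrf for vrf in vrfs}
        self.discarded = 0

    def receive(self, update: Vpnv4Update) -> list:
        """Install the route in every VRF whose import RTs match; else drop it."""
        accepted_by = []
        for vrf in self.vrfs.values():
            if update.route_targets & vrf.import_rts:
                vrf.routes[update.prefix] = (update.next_hop, update.label)
                accepted_by.append(vrf.name)
        if not accepted_by:
            self.discarded += 1  # silently discarded, nothing is kept for later
        return accepted_by


def demo():
    # Constructed updates: the same customer prefix announced in three VPNs.
    updates = [
        Vpnv4Update("100:10", "10.1.0.0/16", "PE-X", frozenset({"100:1"}), 29),
        Vpnv4Update("100:20", "10.1.0.0/16", "PE-X", frozenset({"100:2"}), 30),
        Vpnv4Update("100:30", "10.1.0.0/16", "PE-X", frozenset({"100:3"}), 31),
    ]
    pe = Pe([Vrf("red", {"100:1"}), Vrf("blue", {"100:2"})])
    first_pass = [pe.receive(u) for u in updates]
    # Policy change: a new VRF imports 100:3, but the earlier update was not stored.
    pe.vrfs["green"] = Vrf("green", {"100:3"})
    before_refresh = dict(pe.vrfs["green"].routes)
    # Route-Refresh makes the neighbors re-send; the same updates are filtered again.
    second_pass = [pe.receive(u) for u in updates]
    return first_pass, before_refresh, second_pass, pe


if __name__ == "__main__":
    for rd in ("100:10", "100:20"):
        print(rd, vpn_ipv4(rd, "10.1.0.0").hex())
    print(demo()[:3])
```

The two hex strings differ only in the RD bytes, which is what keeps the overlapping 10.1.0.0 routes apart in MP-BGP; which VRF a route lands in is decided by the route target alone.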
34 © Nokia Siemens Networks MPLS / António Santos / 04-06-2009
MPLS VPN Packet Forwarding
VPN Packet Forwarding Across MPLS VPN Backbone
How will PE routers forward VPN packets across MPLS VPN backbone?
Just forward pure IP packets???
• P-routers do not have VPN routes, packet is dropped on IP lookup.
How about using MPLS for packet propagation across backbone?
VPN Packet Forwarding Across MPLS VPN Backbone
Label VPN packets with LDP label for egress PE-router, forward labeled packets across MPLS backbone??
• P-routers perform label switching, packet reaches egress PE-router.
• However, egress PE-router does not know which VRF to use for packet lookup—packet is dropped.
How about using a label stack?
VPN Packet Forwarding Across MPLS VPN Backbone
Label VPN packets with a label stack.
• Use LDP label for egress PE-router as the top label
• VPN label assigned by egress PE-router as the second label in the stack.
P-routers perform label switching, packet reaches egress PE-router.
Egress PE-router performs lookup on the VPN label and forwards the packet toward the CE-router.
VPN Packet Forwarding: Penultimate Hop Popping
Penultimate hop popping on the LDP label can be performed on the last P-router
Egress PE-router performs only label lookup on VPN label, resulting in faster and simpler label lookup
IP lookup is performed only once—in ingress PE router
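The three forwarding options discussed above (pure IP, LDP label only, label stack with penultimate hop popping), as an added Python walk-through that is not part of the original deck. Labels 32, 41 and 29, the prefix and the router names come from the control plane and forwarding plane slides; the table layout and the function name are assumptions.

```python
import ipaddress

# Ingress PE2: VRF table (prefix -> BGP next hop, VPN label learned via MP-BGP)
PE2_VRF = {"VPN B": {"152.12.4.0/24": ("PE1", 29)}}
# Ingress PE2: LDP label and next router towards each BGP next hop
PE2_LDP = {"PE1": (32, "P2")}
# P routers: incoming top label -> (action, outgoing label, next router)
LFIB = {
    "P2": {32: ("swap", 41, "P1")},
    "P1": {41: ("pop", None, "PE1")},  # PE1 advertised imp-null, so P1 pops
}
# Egress PE1: VPN label -> (VRF, CE next hop)
PE1_VPN_LABELS = {29: ("VPN B", "CE1")}


def forward(dst: str, vrf: str, mode: str = "stack"):
    """Return (hops, outcome); each hop is (router, label stack on arrival, top first).

    mode: "ip" = unlabeled packet, "ldp-only" = LDP label only,
          "stack" = LDP label on top of the VPN label.
    """
    hops = [("PE2", ())]
    # Ingress PE: the only IP lookup on the path, done in the customer's VRF.
    addr = ipaddress.ip_address(dst)
    match = next((entry for prefix, entry in PE2_VRF[vrf].items()
                  if addr in ipaddress.ip_network(prefix)), None)
    if match is None:
        return hops, "dropped at PE2: no route in VRF"
    bgp_next_hop, vpn_label = match
    ldp_label, router = PE2_LDP[bgp_next_hop]
    if mode == "ip":
        hops.append((router, ()))
        return hops, f"dropped at {router}: P-router has no VPN routes"
    stack = [ldp_label] + ([vpn_label] if mode == "stack" else [])
    # Core: P routers look only at the top label and never at the IP header.
    while router in LFIB:
        hops.append((router, tuple(stack)))
        action, out_label, next_router = LFIB[router][stack[0]]
        stack = stack[1:] if action == "pop" else [out_label] + stack[1:]
        router = next_router
    hops.append((router, tuple(stack)))
    # Egress PE: the remaining label selects the VRF and the CE next hop.
    if not stack:
        return hops, f"dropped at {router}: no VPN label to select a VRF"
    binding = PE1_VPN_LABELS.get(stack[0])
    if binding is None:
        return hops, f"dropped at {router}: unknown VPN label {stack[0]}"
    vrf_name, ce = binding
    return hops, f"delivered to {ce} via vrf {vrf_name}"


if __name__ == "__main__":
    for mode in ("ip", "ldp-only", "stack"):
        print(mode, *forward("152.12.4.6", "VPN B", mode), sep="\n  ")
```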
VPN Label Propagation
How will the ingress PE-router get the second label in the label stack from the egress PE-router?
Labels are propagated in MP-BGP VPNv4 routing updates.
Impacts of MPLS VPN Label Propagation
The VPN label has to be assigned by the BGP next-hop
BGP next-hop should not be changed in MP-IBGP update propagation
• Do not use next-hop-self on confederation boundaries
PE-router has to be BGP next-hop
• Use next-hop-self on the PE-router
Label has to be re-originated if the next-hop is changed
• A new label is assigned every time the MP-BGP update crosses AS-boundary where the next-hop is changed
Impacts of MPLS VPN Packet Forwarding
VPN label is only understood by egress PE-router
End-to-end Label Switched Path is required between ingress and egress PE-router
BGP next-hops shall not be announced as BGP routes
• LDP labels are not assigned to BGP routes
BGP next-hops announced in IGP shall not be summarized in the core network
• Summarization breaks LSP
Agenda
What is a VPN?
How Do MPLS VPNs Work?
What Are Some Scaling Techniques?
How Do I Configure MPLS VPNs?
1. Configure VRFs
2. Associate interfaces with VRFs
3. Configure MP-iBGP routing
4. Configure CE to PE routing
5. Verify VPN operation
Configure VRF
ip vrf <vrf-symbolic-name>
  Logical name of the VPN; use something that makes sense
rd <route-distinguisher-value>
  Number to uniquely id the prefix value. Convention is ASN:xxxx
route-target export <community>
  The extended community string you will SEND with your routes
route-target import <community>
  The extended community string you will RECEIVE and put into your vrf
Configure VRF
Create the VRFs on the PE Router
PE1(config)#ip vrf red
PE1(config)#ip vrf blue
The vrf symbolic name is case sensitive
[Figure: PE with the CE for VPN red on E1/0 and the CE for VPN blue on E2/0]
Configure RD
Create the VRFs on the PE Router
PE1(config)#ip vrf red
PE1(config-vrf)#rd 100:10
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
RD format: ASN:variable or IP:variable
Configure Route Target
Create the VRFs on the PE Router
PE1(config)#ip vrf red
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
PE1(config-vrf)#route-target import 100:2
PE1(config-vrf)#route-target export 100:2
<both> shortcut if import and export are the same
RD to RT matching just makes it easy
VRF Options
Create the VRFs on the PE Router
PE1(config)#ip vrf red
PE1(config-vrf)#description VPN for CE1
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config-vrf)#maximum routes 2000 warning-only
Online documentation
Protect your network and PE from saturation (scaling factor)
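A check a reviewer can run over VRF stanzas like the ones above, added here as Python and not taken from the original deck: it flags different VRFs that share an RD, any VRF that imports a route target another VRF exports (routes cross between VPNs, so the extranet should be intentional), and VRFs with no route limit or with `warning-only`, which only logs when the limit is crossed and still accepts further routes. The sample is constructed: red and blue follow the slides, while the mgmt VRF collected from a second PE and all of its values are invented for the example.

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips "PE1(config-vrf)#" style prompts

# Constructed sample in the deck's prompt style; the mgmt stanza is hypothetical.
SAMPLE_CONFIG = """
PE1(config)#ip vrf red
PE1(config-vrf)#description VPN for CE1
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config-vrf)#maximum routes 2000 warning-only
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
PE1(config-vrf)#route-target import 100:2
PE1(config-vrf)#route-target export 100:2
PE2(config)#ip vrf mgmt
PE2(config-vrf)#rd 100:20
PE2(config-vrf)#route-target both 100:9
PE2(config-vrf)#route-target import 100:1
PE2(config-vrf)#maximum routes 500 80
PE1(config)#interface ethernet 1/0
PE1(config-if)#ip vrf forwarding red
"""


def parse_vrfs(config: str) -> dict:
    """Collect rd, import/export route targets and route limit per 'ip vrf' stanza."""
    vrfs, cur = {}, None
    for raw in config.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:2] == ["ip", "vrf"] and len(words) == 3:
            cur = vrfs.setdefault(words[2], {"rd": None, "import": set(),
                                             "export": set(), "max_routes": None})
        elif cur is None:
            continue
        elif words[0] == "rd" and len(words) == 2:
            cur["rd"] = words[1]
        elif words[0] == "route-target" and len(words) == 3:
            kinds = ("import", "export") if words[1] == "both" else (words[1],)
            for kind in kinds:
                if kind in ("import", "export"):
                    cur[kind].add(words[2])
        elif words[:2] == ["maximum", "routes"]:
            cur["max_routes"] = " ".join(words[2:])
        elif words[0] != "description":
            cur = None  # any other command leaves the VRF stanza
    return vrfs


def audit(vrfs: dict) -> list:
    findings = []
    by_rd = defaultdict(list)
    for name, vrf in vrfs.items():
        by_rd[vrf["rd"]].append(name)
    for rd, names in sorted(by_rd.items(), key=lambda item: str(item[0])):
        if rd is not None and len(names) > 1:
            findings.append(f"duplicate RD {rd}: {', '.join(sorted(names))}")
    for name, vrf in sorted(vrfs.items()):
        for other, peer in sorted(vrfs.items()):
            shared = vrf["import"] & peer["export"]
            if other != name and shared:
                findings.append(f"{name} imports {', '.join(sorted(shared))} exported by {other}")
        if vrf["max_routes"] is None:
            findings.append(f"{name}: no maximum routes limit")
        elif vrf["max_routes"].endswith("warning-only"):
            findings.append(f"{name}: maximum routes is warning-only (logs, does not cap)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_vrfs(SAMPLE_CONFIG))))
```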
Associate PE interfaces to VRFs
Configure interfaces to belong to the VRF (match the vrf symbolic name)
PE1(config)#interface ethernet 2/0
PE1(config-if)#ip vrf forwarding blue
PE1(config-if)#ip address 172.11.2.2 255.255.255.252
PE1(config)#interface ethernet 1/0
PE1(config-if)#ip vrf forwarding red
PE1(config-if)#ip address 172.11.2.2 255.255.255.252
Common VRF Configuration Gotcha
PE1(config)#interface ethernet 3/0
PE1(config-if)#ip vrf forwarding red
% Interface Ethernet1/0 IP address 10.131.31.245 removed due to enabling VRF red
PE1(config-if)#ip address 10.131.31.245 255.255.255.252
Configuring an interface to the VRF: IP address must be removed from global routing table
Also, can only assign 1 VRF to an interface
Configure MP-BGP Peering between PEs
[Figure: PE1 and PE2 peering over MP-BGP across the VPN backbone IGP]
PE1(config)#router bgp 100
PE1(config-router)#neighbor 10.131.63.252 remote-as 100
PE1(config-router)#neighbor 10.131.63.252 desc MP-BGP to PE2
PE1(config-router)#neighbor 10.131.63.252 update-source Loopback0
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neighbor 10.131.63.252 activate
PE1(config-router-af)#neighbor 10.131.63.252 send-community extended
PE1(config-router-af)#exit-address-family
Notes:
• neighbor statements: standard BGP configuration entries apply
• address-family vpnv4: router config for VPNv4 prefixes
• activate: activate neighbor to advertise routes
• send-community extended: send extended community to id the VRF (default entry)
Configure VRF Routing Contexts
PE1(config-router)#address-family ipv4 vrf red
PE1(config-router-af)#no auto-summary
PE1(config-router-af)#no synchronization
PE1(config-router-af)#exit-address-family
PE1(config-router)#address-family ipv4 vrf blue
PE1(config-router-af)#no auto-summary
PE1(config-router-af)#no synchronization
PE1(config-router-af)#exit-address-family
The VRF is now operational
The previous configuration creates the VRF and associated CEF and routing table
VRF Implementation Considerations
• Many commands are now VRF context sensitive
VPN Routes are not yet present
The RD and import and export policies (RT) will be used to fill the VRF routing table with routes learned by the PE via MP-BGP
Example VRF Configuration
PE-A(config)#ip vrf VPN1
PE-A(config-vrf)#rd 100:1
PE-A(config-vrf)#route-target export 100:10
PE-A(config-vrf)#route-target import 100:10
PE-A(config)#ip vrf VPN2
PE-A(config-vrf)#rd 100:2
PE-A(config-vrf)#route-target export 100:20
PE-A(config-vrf)#route-target import 100:20
[Figure: example topology. MPLS core: BGP AS100, OSPF Area 0; P-A lo0 200.200.0.1, P-B lo0 200.200.0.2, PE-A lo0 200.200.0.11, PE-B lo0 200.200.0.12. VPN1 RD 100:1, VPN2 RD 100:2. Site A: CE-1A (VPN1) and CE-2A (VPN2), each lo0 172.16.1.1/24, CE serial links (s0, s0/0) 172.16.2.1/30 to PE-A s1/0 and s1/1 172.16.2.2/30. Site B: CE-1B (VPN1) and CE-2B (VPN2), each lo0 172.17.1.1/24, CE serial links (s0, s0/0) 172.17.2.1/30 to PE-B s1/0 and s1/1 172.17.2.2/30.]
Associate VRFs to Interfaces
For each interface participating in the VPN
interface Serial1/0
ip vrf forwarding VPN1
ip address 172.16.2.2 255.255.255.252
match vrf-symbolic-name
Example VRF Interface Configuration
PE-A(config)#interface Serial1/0
PE-A(config-if)#ip vrf forwarding VPN1
PE-A(config-if)#ip address 172.16.2.2 255.255.255.252
PE-A(config)#interface Serial1/1
PE-A(config-if)#ip vrf forwarding VPN2
PE-A(config-if)#ip address 172.16.2.2 255.255.255.252
[Figure: example topology, as on the Example VRF Configuration slide]
Configure MP-BGP
router bgp 100
address-family ipv4 vrf VPN1
no auto-summary
no synchronization
exit-address-family
address-family vpnv4
neighbor 200.200.0.12 activate
neighbor 200.200.0.12 send-community extended
neighbor 200.200.0.13 activate
neighbor 200.200.0.13 send-community extended
exit-address-family
Notes:
• router bgp 100: AS number
• address-family ipv4 vrf: router config for standard IP Version 4 address prefixes
• address-family vpnv4: router config for standard VPN Version 4 address prefixes
• activate: advertise routes
• send-community extended: extended community string to id the VRF
Example MP-BGP Configuration
[Figure: example topology, as on the Example VRF Configuration slide]
PE-A(config)#router bgp 100
PE-A(config-router)#no synchronization
PE-A(config-router)#no bgp default ipv4-unicast
PE-A(config-router)#bgp log-neighbor-changes
PE-A(config-router)#neighbor 200.200.0.12 remote-as 100
PE-A(config-router)#neighbor 200.200.0.12 update-source Loopback0
PE-A(config-router)#no auto-summary
PE-A(config-router)#address-family ipv4 vrf VPN1
PE-A(config-router-af)#no auto-summary
PE-A(config-router-af)#no synchronization
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family ipv4 vrf VPN2
PE-A(config-router-af)#no auto-summary
PE-A(config-router-af)#no synchronization
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family vpnv4
PE-A(config-router-af)#neighbor 200.200.0.12 activate
PE-A(config-router-af)#neighbor 200.200.0.12 send-community extended
PE-A(config-router-af)#exit-address-family
Configure Route Advertisements
Define static routes at CE and PE
CE config
ip route 0.0.0.0 0.0.0.0 172.16.2.2
PE config
ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1
Define BGP routes at PE
router bgp 100
address-family ipv4 vrf VPN1
network 172.16.1.0 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.252
exit-address-family
Example Routing Configuration
[Figure: example topology, as on the Example VRF Configuration slide]
PE-A(config)#ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
PE-A(config)#ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1
PE-A(config)#router bgp 100
PE-A(config-router)#address-family ipv4 vrf VPN1
PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family ipv4 vrf VPN2
PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
PE-A(config-router-af)#exit-address-family
CE-1A(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
MPLS VPN Verification Steps
Verify the VRFs
• show ip vrf [{detail|interfaces}]
Verify routing information
• show ip route vrf [detail] [vrf-name] [interfaces]
• show ip bgp neighbors
• show ip bgp vpnv4 all
• show ip bgp vpnv4 vrf VRF-name
• show ip bgp vpnv4 vrf VRF-name [ip-address]
Verify labels
• show ip bgp vpnv4 all [labels/tags]
• show ip cef vrf [detail]
Ping, Traceroute, Telnet Caveats
Ping and Traceroute in MPLS VPN network only succeed if end-to-end path is successful
Good verification if successful but NOT for troubleshooting
Ping/Traceroute Command Syntax
• traceroute VRF [vrf-name] ip-address
• ping VRF [vrf-name] ip-address
Telnet Command Syntax
• telnet ip-address /vrf [vrf-name]
Chapter Summary
You should now be able to:
Describe MPLS VPN mechanisms
Use the command line interface to configure a VPN
Verify VPN functionality