Tuesday, 16 July 2013

basic configuration of MPLS VPN


Introduction

This document provides a sample configuration of a Multiprotocol Label Switching (MPLS) VPN when Border Gateway Protocol (BGP) or Routing Information Protocol (RIP) is present on the customer's site.
When used with MPLS, the VPN feature allows several sites to interconnect transparently through a service provider's network. One service provider network can support several different IP VPNs. Each of these appears to its users as a private network, separate from all other networks. Within a VPN, each site can send IP packets to any other site in the same VPN.
Each VPN is associated with one or more VPN routing or forwarding instances (VRFs). A VRF consists of an IP routing table, a derived Cisco express forwarding (CEF) table, and a set of interfaces that use this forwarding table.
The router maintains a separate routing and CEF table for each VRF. This prevents information being sent outside the VPN and allows the same subnet to be used in several VPNs without causing duplicate IP address problems.
The router using Multiprotocol BGP (MP-BGP) distributes the VPN routing information using the MP-BGP extended communities.
For more information about the propagation of updates through a VPN, refer to these documents:

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:
P and PE Routers
  • Cisco IOS® Software Release 12.2(6h) includes the MPLS VPN feature.
  • Any Cisco router from the 7200 series or higher supports P functionality. The Cisco 2691, as well as any 3640 series or higher router supports PE functionality.
C and CE Routers
  • You can use any router that can exchange routing information with its PE router.
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.

Related Products

To implement the MPLS feature, you must have a router from the range of Cisco 2600 or higher. To select the required Cisco IOS with MPLS feature, use the Software Advisor (registered customers only) . Also check for the additional RAM and Flash memory required to run the MPLS feature in the routers. WIC-1T, WIC-2T, and serial interfaces can be used.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.
The letters below represent the different types of routers and switches used.
  • P—Provider's core router.
  • PE—Provider's edge router.
  • CE—Customer's edge router.
  • C—Customer's router.
This diagram shows a typical configuration illustrating the conventions outlined above.
mplsvpn.gif

Configure

In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.

Network Diagram

This document uses this network setup:
new_mpls_vpn_basic1.gif

Configuration Procedures

Refer to MPLS Virtual Private Networks for more information.

Enabling ip cef

Use this procedure in order to enable ip cef . For improved performance, use ip cef distributed (where available). Complete these steps on the PEs after MPLS has been set up (configuring tag-switching ip on the interfaces).
  1. Create one VRF for each VPN connected using the ip vrf <VPN routing/forwarding instance name> command.
    When doing this:
    • Specify the correct route distinguisher used for that VPN. This is used to extend the IP address so that you can identify which VPN it belongs to.
      
      rd <VPN route distinguisher>
      
      
    • Set up the import and export properties for the MP-BGP extended communities. These are used for filtering the import and export process.
      
      route-target [export|import|both] <target VPN extended community>
      
      
  2. Configure the forwarding details for the respective interfaces using the ip vrf forwarding <VPN routing/forwarding instance name> command and remember to set up the IP address after doing this.
  3. Depending on the PE-CE routing protocol you are using, you can configure static routes or routing protocols (RIP, Open Shortest Path First [OSPF], or BGP) between PE and CE. Detailed configurations are available on the MPLS over ATM Support page.

Configuring MP-BGP

Configure MP-BGP between the PE routers. There are several ways to configure BGP, such as using the route reflector or confederation methods. The method used here—direct neighbor configuration—is the simplest and the least scalable.
  1. Declare the different neighbors.
  2. Enter the address-family ipv4 vrf <VPN routing/forwarding instance name> command for each VPN present at this PE router.
    Carry out one or more of the following steps, as necessary:
    • Redistribute the static routing, RIP, or OSPF information.
    • Redistribute connected routing information.
    • Activate BGP neighboring with the CE routers.
  3. Enter the address-family vpnv4 mode, and complete the following steps:
    • Activate the neighbors.
    • Specify that extended community must be used. This is mandatory.

Configurations

This document uses these configurations:
Pescara
Current configuration:
!
version 12.2
!
hostname Pescara
!
ip cef
!


!--- Customer A commands.

ip vrf Customer_A

!--- Enables the VPN routing and forwarding (VRF) routing table.
!--- This command can be used in global or 
!--- router configuration mode. 

 rd 100:110

!--- Route distinguisher creates routing and forwarding 
!--- tables for a VRF.

 route-target export 100:1000

!--- Creates lists of import and export route-target extended 
!--- communities for the specified VRF.

 route-target import 100:1000
!


!--- Customer B commands.

ip vrf Customer_B
 rd 100:120
 route-target export 100:2000
 route-target import 100:2000
!
interface Loopback0
 ip address 10.10.10.4 255.255.255.255
 ip router isis


!--- Customer A commands.

interface Loopback101
ip vrf forwarding Customer_A

!--- Associates a VRF instance with an interface or subinterface.

 ip address 200.0.4.1 255.255.255.0

!--- Loopback101 and 102 use the same IP address, 200.0.4.1. 
!--- This is allowed because they belong to two 
!--- different customers' VRFs. 

 no ip directed-broadcast
!


!--- Customer B commands.

interface Loopback102
 ip vrf forwarding Customer_B
 ip address 200.0.4.1 255.255.255.0

!--- Loopback101 and 102 use the same IP address, 200.0.4.1. 
!--- This is allowed because they belong to two 
!--- different customers' VRFs.
 
 no ip directed-broadcast
!
interface Serial2/0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
!
interface Serial2/0.1 point-to-point
 description link to Pauillac
 bandwidth 512
 ip address 10.1.1.14 255.255.255.252
 no ip directed-broadcast
 ip router isis 
 tag-switching ip
 frame-relay interface-dlci 401   
!
router isis 
 net 49.0001.0000.0000.0004.00
 is-type level-1
!         
router bgp 100
 bgp log-neighbor-changes

!--- Enables logging of BGP neighbor resets.

 neighbor 10.10.10.6 remote-as 100

!--- Adds an entry to the BGP or multiprotocol BGP neighbor table.

 neighbor 10.10.10.6 update-source Loopback0

!--- Enables BGP sessions to use a specific operational 
!--- interface for TCP connections.

!
 

!--- Customer A and B commands.

 address-family vpnv4

!--- To enter address family configuration mode 
!--- for configuring routing sessions, such as BGP, 
!--- that use standard VPN version 4 address prefixes.

 neighbor 10.10.10.6 activate
 neighbor 10.10.10.6 send-community both
 
!--- Sends the community attribute to a BGP neighbor.

 exit-address-family
 !


!--- Customer B commands.

 address-family ipv4 vrf Customer_B

!--- To enter address family configuration mode 
!--- for configuring routing sessions, such as BGP, 
!--- that use standard VPN version 4 address prefixes.

 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
 !
 

!--- Customer A commands.

 address-family ipv4 vrf Customer_A
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
!
end

Pesaro
Current configuration:
!
version 12.1
!
hostname Pesaro
!


!--- Customer A commands.

ip vrf Customer_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
!


!--- Customer B commands.

ip vrf Customer_B
 rd 100:120
 route-target export 100:2000
 route-target import 100:2000
!
ip cef

!
interface Loopback0
 ip address 10.10.10.6 255.255.255.255
 ip router isis 


!--- Customer A commands.

interface Loopback101
 ip vrf forwarding Customer_A
 ip address 200.0.6.1 255.255.255.0
!


!--- Customer B commands.

interface Loopback102
 ip vrf forwarding Customer_B
 ip address 200.0.6.1 255.255.255.0
!


!--- Customer A commands.

interface Loopback111
 ip vrf forwarding Customer_A
 ip address 200.1.6.1 255.255.255.0
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 random-detect
!
interface Serial0/0.1 point-to-point
 description link to Pomerol
 bandwidth 512
 ip address 10.1.1.22 255.255.255.252
 ip router isis 
 tag-switching ip
 frame-relay interface-dlci 603   
!
router isis 
 net 49.0001.0000.0000.0006.00
 is-type level-1
!
router bgp 100
 neighbor 10.10.10.4 remote-as 100
 neighbor 10.10.10.4 update-source Loopback0
 !


!--- Customer B commands.

 address-family ipv4 vrf Customer_B
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
 !


!--- Customer A commands.

 address-family ipv4 vrf Customer_A
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
 !


!--- Customer A and B commands.

 address-family vpnv4
 neighbor 10.10.10.4 activate
 neighbor 10.10.10.4 send-community both
 exit-address-family
!
ip classless
!         
end

Pomerol
Current configuration:
!
version 12.0
!
hostname Pomerol
!
ip cef

!
interface Loopback0
 ip address 10.10.10.3 255.255.255.255
 ip router isis 

!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 random-detect
!
interface Serial0/1.1 point-to-point
 description link to Pauillac
 ip address 10.1.1.6 255.255.255.252
 no ip directed-broadcast
 ip router isis 
 tag-switching mtu 1520
 tag-switching ip 
 frame-relay interface-dlci 301   
!
interface Serial0/1.2 point-to-point
 description link to Pulligny
 ip address 10.1.1.9 255.255.255.252
 no ip directed-broadcast
 ip router isis 
 tag-switching ip
 frame-relay interface-dlci 303   
!
interface Serial0/1.3 point-to-point
 description link to Pesaro
 ip address 10.1.1.21 255.255.255.252
 no ip directed-broadcast
 ip router isis 
 tag-switching ip

 frame-relay interface-dlci 306   
!
router isis 
 net 49.0001.0000.0000.0003.00
 is-type level-1
!
ip classless
!
end

Pulligny
Current configuration:
!
version 12.1
!
hostname Pulligny
!
!
ip cef

!
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 random-detect
!
interface Serial0/1.1 point-to-point
 description link to Pauillac
 ip address 10.1.1.2 255.255.255.252
 ip router isis 
 tag-switching ip 
 frame-relay interface-dlci 201   
!
interface Serial0/1.2 point-to-point
 description link to Pomerol
 ip address 10.1.1.10 255.255.255.252
 ip router isis 
 tag-switching ip 
 frame-relay interface-dlci 203   
!
router isis 
 passive-interface Loopback0
 net 49.0001.0000.0000.0002.00
 is-type level-1
!
ip classless
!
end

Pauillac
!
version 12.1
!
hostname pauillac
!
ip cef

!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
 ip router isis  
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 tag-switching ip
 no fair-queue
!
interface Serial0/0.1 point-to-point
 description link to Pomerol
 bandwith 512
 ip address 10.1.1.1 255.255.255.252
 ip router isis 
 tag-switching ip 
 frame-relay interface-dlci 102   
!
interface Serial0/0.2 point-to-point
 description link to Pulligny ip address 10.1.1.5 255.255.255.252

 ip router isis 
 tag-switching ip 
 frame-relay interface-dlci 103   
!
interface Serial0/0.3 point-to-point
 description link to Pescara
 bandwidth 512
 ip address 10.1.1.13 255.255.255.252
 ip router isis 
 tag-switching ip 
 frame-relay interface-dlci 104   
!
router isis 
 net 49.0001.0000.0000.0001.00
 is-type level-1
!
ip classless
!
end

Verify

This section provides information you can use to confirm your configuration is working properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
  • show ip vrf —Verifies that the correct VRF exists.
  • show ip vrf interfaces—Verifies the activated interfaces.
  • show ip route vrf Customer_A—Verifies the routing information on the PE routers.
  • traceroute vrf Customer_A 200.0.6.1—Verifies the routing information on the PE routers.
  • show ip bgp vpnv4 tag—Verifies the BGP.
  • show ip cef vrf Customer_A 200.0.6.1 detail—Verifies the routing information on the PE routers.
More commands are detailed in the MPLS VPN Solution Troubleshooting Guide.
The following is sample command output of the show ip vrf command.
Pescara#show ip vrf 
  Name                             Default RD          Interfaces
  Customer_A                       100:110             Loopback101
  Customer_B                       100:120             Loopback102
The following is sample command output of the show ip vrf interfaces command.
Pesaro#show ip vrf interfaces 
Interface              IP-Address      VRF                              Protocol
Loopback101            200.0.6.1       Customer_A                       up      
Loopback111            200.1.6.1       Customer_A                       up      
Loopback102            200.0.6.1       Customer_B                       up      
The following show ip route vrf commands show the same prefix 200.0.6.0/24 in both the outputs. This is because the remote PE has the same network for two customers, Customer_A and Customer_B, which is allowed in a typical MPLS VPN solution.
Pescara#show ip route vrf Customer_A
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

C    200.0.4.0/24 is directly connected, Loopback101
B    200.0.6.0/24 [200/0] via 10.10.10.6, 05:10:11
B    200.1.6.0/24 [200/0] via 10.10.10.6, 04:48:11
 
Pescara#show ip route vrf Customer_B
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR       
    P - periodic downloaded static route
     
Gateway of last resort is not set
C 200.0.4.0/24 is directly connected, Loopback102
 
B 200.0.6.0/24 [200/0] via 10.10.10.6, 00:03:24
By running a traceroute between two sites of Customer_A, it is possible to see the label stack used by the MPLS network (if it is configured to do so by mpls ip ttl ...).
Pescara#traceroute vrf Customer_A 200.0.6.1

Type escape sequence to abort.
Tracing the route to 200.0.6.1

  1 10.1.1.13 [MPLS: Labels 20/26 Exp 0] 400 msec 276 msec 264 msec
  2 10.1.1.6 [MPLS: Labels 18/26 Exp 0] 224 msec 460 msec 344 msec
  3 200.0.6.1 108 msec *  100 msec
Note:  Exp 0 is an experimental field used for Quality of Service (QoS).

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

No comments: