When designing MPLS, keep the MPLS architecture in mind:
1. Virtual Routing and Forwarding
2. Route Distinguisher
3. PE-CE routing
4. Route Target
5. Route propagation through M-BGP
6. Redistribution from PE to M-BGP and vice versa
Virtual Routing and Forwarding, also called VRF:
1. The PE router has a VRF instance for each attached VPN.
2. Each VPN has its own routing table.
3. There is a separate CEF table per VPN.
To create a VRF
Here we are going to create VRFs on the PE router (R1) for the 2 attached VPNs: one VRF named A and another VRF named B.
R1(config)#ip vrf A
R1(config)#ip vrf B
Here I have created 2 VRFs, one per VPN: one VPN called A and another one called B.
Now we need to assign each VRF to the interface facing/connected to the CE router.
R1(config)#int s1/0
R1(config-if)#ip vrf forwarding A
% Interface Serial1/0 IP address 11.0.0.2 removed due to enabling VRF A
R1(config-if)#ip add 11.0.0.2 255.255.255.252
R1(config-if)#no sh
R1(config)#int s1/1
R1(config-if)#ip vrf forwarding B
% Interface Serial1/1 IP address 11.0.0.6 removed due to enabling VRF B
R1(config-if)#ip add 11.0.0.6 255.255.255.252
R1(config-if)#no sh
Note:
Very important: before you configure a VRF on an interface, make a note of the interface IP address, because the IP address is removed when the VRF is configured on the interface.
As I said before, each VPN has a different CEF table.
R1#sh ip cef vrf A
Prefix              Next Hop             Interface
0.0.0.0/0           drop                 Null0 (default route handler entry)
0.0.0.0/32          receive
11.0.0.0/30         attached             Serial1/0
11.0.0.0/32         receive
11.0.0.2/32         receive
11.0.0.3/32         receive
224.0.0.0/24        receive
255.255.255.255/32  receive
R1#sh ip cef vrf B
Prefix              Next Hop             Interface
0.0.0.0/0           drop                 Null0 (default route handler entry)
0.0.0.0/32          receive
11.0.0.4/30         attached             Serial1/1
11.0.0.4/32         receive
11.0.0.6/32         receive
11.0.0.7/32         receive
224.0.0.0/24        receive
255.255.255.255/32  receive
To verify the VRF interfaces:
R1#sh ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Se1/0                  11.0.0.2        A                                up
Se1/1                  11.0.0.6        B                                up
Now check the VRF routing table for each VPN.
R1#sh ip route vrf A
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.0 is directly connected, Serial1/0
R1#sh ip route vrf B
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.4 is directly connected, Serial1/1
Or we can use the show ip route vrf * command to see all VRF routing tables plus the global routing table.
Now we should get all the CE prefixes into their respective VRF routing tables.
So we have done the first part; now let's move to the second part, the Route Distinguisher (RD).
The RD is used to make an IPv4 prefix unique. But why make an IPv4 prefix unique when it is already unique? The reason is that an IPv4 prefix is unique, but 2 companies can use the same IP addressing scheme and their prefixes may then overlap with each other; we will see this later on.
After the RD is added to our prefix, the prefix becomes a VPNv4 prefix, which is unique. Very simple, huh :)
OK, now let's add an RD for every VRF/VPN.
Here for VRF A I am going to use the RD value 700:7, and for VRF B the RD will be 800:8. OK, let's configure this.
R1(config)#ip vrf A
R1(config-vrf)#rd 700:7
R1(config)#ip vrf B
R1(config-vrf)#rd 800:8
We can verify the RD values.
R1#sh ip vrf
  Name                             Default RD          Interfaces
  A                                700:7               Se1/0
  B                                800:8               Se1/1
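To make the overlap argument concrete, the following added example (not part of the original post) prepends an RD to an IPv4 prefix using the RFC 4364 type 0 layout (2-byte type, 2-byte ASN, 4-byte number). The overlapping customer prefix 192.168.1.0/24 and all function names are assumptions made for illustration; the RD values are the ones configured on R1.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode an 'ASN:number' RD as the 8-byte RFC 4364 type 0 format."""
    asn, number = (int(part) for part in rd.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= number <= 0xFFFFFFFF):
        raise ValueError(f"RD {rd!r} does not fit type 0 (2-byte ASN, 4-byte number)")
    return struct.pack("!HHI", 0, asn, number)  # type, administrator, assigned number

def vpnv4_key(rd: str, prefix: str):
    """Return (RD + IPv4 network bytes, prefix length) for one VPNv4 route."""
    net = ipaddress.ip_network(prefix)  # raises ValueError if host bits are set
    return encode_rd(rd) + net.network_address.packed, net.prefixlen

def install(routes, use_rd: bool):
    """Build a table from (rd, prefix, vrf) tuples; an equal key is overwritten."""
    table = {}
    for rd, prefix, vrf in routes:
        net = ipaddress.ip_network(prefix)
        plain = (net.network_address.packed, net.prefixlen)
        key = vpnv4_key(rd, prefix) if use_rd else plain
        table[key] = (f"{rd}:{net}" if use_rd else str(net), vrf)
    return table

# Constructed sample: both customers number a site 192.168.1.0/24.
# The RDs are the ones configured on R1 in this post.
ROUTES = [
    ("700:7", "192.168.1.0/24", "A"),
    ("800:8", "192.168.1.0/24", "B"),
]

if __name__ == "__main__":
    print(install(ROUTES, use_rd=False))   # one entry: VRF B overwrote VRF A
    for text, vrf in install(ROUTES, use_rd=True).values():
        print(vrf, text)                   # two distinct VPNv4 prefixes
```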
We are going to do the same on the PE router (R4).
R4#sh ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Se1/1                  11.0.0.9        A                                up
Se1/2                  11.0.0.13       B                                up
R4#sh ip vrf
  Name                             Default RD          Interfaces
  A                                500:5               Se1/1
  B                                600:6               Se1/2
For the third part, PE-CE routing, VRF supports all routing methods: static routes, IGPs and BGP.
Here we are going to see how to enable the RIP routing protocol between the PE router (R1) and the CE router (R7).
On the CE router the configuration is the same as normal routing, so enable RIP on the CE router first.
R7(config)#router rip
R7(config-router)#ver 2
R7(config-router)#no auto-summary
R7(config-router)#net 70.0.0.0
R7(config-router)#net 11.0.0.0
Now on the PE router (R1) we need a special configuration. Don't be afraid, it's very simple; let's have a look.
R1(config)#router rip
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#net 11.0.0.0
R1(config-router-af)#no auto-summary
R1(config-router-af)#ver 2
R1(config-router-af)#exit-address-family
That's it, simple isn't it? We are just specifying which VRF should take the RIP routes. Now let's check the VRF A routing table.
R1#sh ip route vrf A
     70.0.0.0/24 is subnetted, 3 subnets
R       70.2.2.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0
R       70.1.1.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0
R       70.0.0.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.0 is directly connected, Serial1/0
See, we got all the RIP updates from the CE router (R7).
In the same way, between the R1 and R8 routers we are going to run the EIGRP routing protocol.
Here comes the tricky one. On R8 it is the same as usual EIGRP; let's configure R8 first.
R8(config)#router eigrp 10
R8(config-router)#no auto-summary
R8(config-router)#net 80.0.0.0
R8(config-router)#net 11.0.0.0
Now on R1 we have to configure the EIGRP process differently, and under it we must give the correct/matching process ID, the one configured on the CE router (R8).
R1(config)#router eigrp 100
R1(config-router)#address-family ipv4 vrf B
R1(config-router-af)#autonomous-system 10   ======> This command is very important, friends.
R1(config-router-af)#network 11.0.0.0
R1(config-router-af)#no auto-summary
R1(config-router-af)#exit-address-family
Now let's look for the R8 routes in the VRF B routing table.
R1#sh ip route vrf B
     80.0.0.0/24 is subnetted, 3 subnets
D       80.2.2.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1
D       80.1.1.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1
D       80.0.0.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.4 is directly connected, Serial1/1
That's it :) We have done PE-CE routing. Now let's run BGP on the other side, that is, between the PE (R4) and CE (R5) routers.
On the customer side the configuration is going to be the same old methodology.
R5(config)#router bgp 500
R5(config-router)#neighbor 11.0.0.9 remote-as 200
R5(config-router)#network 50.0.0.0 mask 255.255.255.0
R5(config-router)#network 50.1.1.0 mask 255.255.255.0
R5(config-router)#network 50.2.2.0 mask 255.255.255.0
R4(config)#router bgp 200
R4(config-router)#address-family ipv4 VRF A
R4(config-router-af)#neighbor 11.0.0.10 remote-as 500
Here we get output saying the BGP peer is up.
*Dec 13 23:52:49.505: %BGP-5-ADJCHANGE: neighbor 11.0.0.10 vpn vrf A Up
Now verify the BGP neighborship; there are different commands for this.
R4#sh bgp vpnv4 unicast vrf A summary
BGP router identifier 4.4.4.4, local AS number 200
BGP table version is 1, main routing table version 1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
11.0.0.10       4   500       6       6        1    0    0 00:02:08        0
R4#sh bgp vpnv4 unicast vrf A
BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 500:5 (default for vrf A)
*> 50.0.0.0/24      11.0.0.10                0             0 500 i
*> 50.1.1.0/24      11.0.0.10                0             0 500 i
*> 50.2.2.0/24      11.0.0.10                0             0 500 i
R4#sh bgp vpnv4 unicast all
BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 500:5 (default for vrf A)
*> 50.0.0.0/24      11.0.0.10                0             0 500 i
*> 50.1.1.0/24      11.0.0.10                0             0 500 i
*> 50.2.2.0/24      11.0.0.10                0             0 500 i
R4#sh ip route vrf A
     50.0.0.0/24 is subnetted, 3 subnets
B       50.2.2.0 [20/0] via 11.0.0.10, 00:00:32
B       50.1.1.0 [20/0] via 11.0.0.10, 00:01:03
B       50.0.0.0 [20/0] via 11.0.0.10, 00:01:34
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.8 is directly connected, Serial1/1
R4#sh bgp vpnv4 unicast all
BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 500:5 (default for vrf A)   ============> This indicates that BGP is going to add this RD value on every prefix.
*> 50.0.0.0/24      11.0.0.10                0             0 500 i
*> 50.1.1.0/24      11.0.0.10                0             0 500 i
*> 50.2.2.0/24      11.0.0.10                0             0 500 i
R4#sh bgp vpnv4 unicast all 50.1.1.0/24
BGP routing table entry for 500:5:50.1.1.0/24, version 3   ==========> This became our VPNv4 prefix
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  500
    11.0.0.10 from 11.0.0.10 (50.2.2.1)
      Origin IGP, metric 0, localpref 100, valid, external, best
      mpls labels in/out 22/nolabel
Now let's do the 4th step, route propagation through M-BGP. But before that we need a BGP peering between the PE routers. That is the main advantage of MPLS: the MPLS cloud can run with a BGP-free core, so there is no need to have BGP on every router.
To do this we need to form BGP peers between the PE routers.
Here I am going to have an iBGP peering between R1 and R4.
The MPLS cloud has BGP AS 200.
R1(config)#router bgp 200
R1(config-router)#neighbor 4.4.4.4 remote-as 200
R1(config-router)#neighbor 4.4.4.4 update-source loopback 0
Check the iBGP peers.
R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 200
BGP table version is 1, main routing table version 1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4   200       5       5        1    0    0 00:02:06        0
R1#sh ip bgp neighbors | in IP
    Address family IPv4 Unicast: advertised and received
 For address family: IPv4 Unicast   =======> By default BGP supports only the IPv4 unicast address family
  IP Precedence value : 6
To deactivate the IPv4 unicast capability negotiation we can use
R1(config-router)#no bgp default ipv4-unicast
Or
R1(config-router)#address-family ipv4 unicast
R1(config-router-af)#no neighbor x.x.x.x activate
To enable M-BGP we have to enable the VPNv4 unicast capability between the peers.
R1(config)#router bg 200
R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor 4.4.4.4 activate
R4(config)#router bgp 200
*Dec 14 01:43:07.540: %BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 2/7(unsupported/disjoint capability) 0 bytes
R4(config-router)#address-family vpnv4
R4(config-router-af)#neighbor 1.1.1.1 activate
R1#sh ip bgp ne | in Add
    Address family IPv4 Unicast: advertised and received
    Address family VPNv4 Unicast: advertised and received
Next: we have created a unique prefix, but the router still doesn't know which prefix came from which VPN. To define this we have the route target (RT).
The route target tells the router which prefix should be installed in which VRF table.
VRF | Router(E) | Export | Import | Router(I)
A   | R7        | 7:7    | 5:5    | R5
A   | R5        | 5:5    | 7:7    | R7
B   | R8        | 8:8    | 6:6    | R6
B   | R6        | 6:6    | 8:8    | R8
R1#sh ip vrf detail
VRF A; default RD 700:7; default VPNID <not set>
  Interfaces:
    Se1/0
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:7:7
  Import VPN route-target communities
    RT:5:5
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
VRF B; default RD 800:8; default VPNID <not set>
  Interfaces:
    Se1/1
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:8:8
  Import VPN route-target communities
    RT:6:6
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
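Because the route target alone decides which VRF installs a VPNv4 prefix, a wrong import statement is what breaks isolation between customers. The following added example (not from the original post) models the import decision with the RD and RT values shown for R1 and R4 and audits them for imports that cross VRF names or match nothing. Treating the VRF name as the customer identity, and all function names, are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    pe: str
    name: str              # VRF name is treated as the customer id (assumption)
    rd: str
    export: frozenset      # route targets attached to exported routes
    imports: frozenset     # route targets this VRF accepts

def vrf(pe, name, rd, export, imports):
    return Vrf(pe, name, rd, frozenset(export), frozenset(imports))

# Transcribed from "sh ip vrf detail" on R1 and R4 in this post.
PAGE_VRFS = [
    vrf("R1", "A", "700:7", ["7:7"], ["5:5"]),
    vrf("R1", "B", "800:8", ["8:8"], ["6:6"]),
    vrf("R4", "A", "500:5", ["5:5"], ["7:7"]),
    vrf("R4", "B", "600:6", ["6:6"], ["8:8"]),
]

def import_map(vrfs):
    """For each PE/VRF, list the PE/VRFs whose exported routes it installs."""
    return {
        f"{dst.pe}/{dst.name}": sorted(
            f"{src.pe}/{src.name}" for src in vrfs
            if src is not dst and src.export & dst.imports
        )
        for dst in vrfs
    }

def cross_vpn_imports(vrfs):
    """Return (exporter, importer, shared RTs) where the two VRF names differ."""
    return [
        (f"{src.pe}/{src.name}", f"{dst.pe}/{dst.name}", sorted(src.export & dst.imports))
        for dst in vrfs for src in vrfs
        if src.name != dst.name and src.export & dst.imports
    ]

def unmatched_imports(vrfs):
    """Import RTs that no VRF exports: that VRF never learns a remote route."""
    exported = frozenset().union(*(v.export for v in vrfs))
    return {f"{v.pe}/{v.name}": sorted(v.imports - exported)
            for v in vrfs if v.imports - exported}

if __name__ == "__main__":
    print(import_map(PAGE_VRFS))
    # Constructed misconfiguration: R4 VRF B also imports customer A's RT 7:7.
    bad = PAGE_VRFS[:3] + [vrf("R4", "B", "600:6", ["6:6"], ["8:8", "7:7"])]
    print(cross_vpn_imports(bad))
```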
Now the last process: redistribution.
Note: I removed the BGP part on R4 and R5 as I got confused and was not able to solve my issues. Surely I'll look into this and I'll update you later.
R1(config)#router bgp 200
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#redistribute rip
R1(config)#router rip
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#redistribute bgp 200 metric 7
Now let's check the CE routing table.
R7#sh ip route rip
     50.0.0.0/24 is subnetted, 3 subnets
R       50.2.2.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0
R       50.1.1.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0
R       50.0.0.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
R       11.0.0.8 [120/7] via 11.0.0.2, 00:00:01, Serial1/0
The transparent keyword takes the actual RIP metric carried in the MED, so the other CE router is able to use this information.
Now let's ping from R5 to R7.
R5#ping 70.0.0.1
Sending 5, 100-byte ICMP Echos to 70.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/192/208 ms
Now let's traceroute this.
R5#traceroute 70.0.0.1
  1 11.0.0.9 64 msec 52 msec 56 msec
  2 10.0.0.9 [MPLS: Labels 16/24 Exp 0] 224 msec 188 msec 176 msec
  3 10.0.0.5 [MPLS: Labels 17/24 Exp 0] 232 msec 116 msec 212 msec
  4 11.0.0.2 [MPLS: Label 24 Exp 0] 180 msec 132 msec 188 msec
  5 11.0.0.1 176 msec * 184 msec
Here 24 is the VPN label, which sits at the bottom of the label stack, and 16 is the MPLS label. Let's check hop by hop.
Step 1: R5 sends the packet as a normal IP packet.
R5#sh ip route 70.0.0.1
Routing entry for 70.0.0.0/24
  Known via "rip", distance 120, metric 2
  Redistributing via rip
  Last update from 11.0.0.9 on Serial1/0, 00:00:08 ago
  Routing Descriptor Blocks:
  * 11.0.0.9, from 11.0.0.9, 00:00:08 ago, via Serial1/0
      Route metric is 2, traffic share count is 1
R5#sh ip route 11.0.0.9
Routing entry for 11.0.0.8/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via rip
  Advertised by rip
  Routing Descriptor Blocks:
  * directly connected, via Serial1/0
      Route metric is 0, traffic share count is 1
By recursive lookup R5 finds the next hop and the exit interface.
Step 2: R4 receives it and turns the packet into an MPLS/VPN packet.
R4#sh bgp v un vrf A 70.0.0.1
BGP routing table entry for 500:5:70.0.0.0/24, version 16
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  Local, imported path from 700:7:70.0.0.0/24
    1.1.1.1 (metric 193) from 1.1.1.1 (1.1.1.1)   ==============> This will be the MPLS next hop
      Origin incomplete, metric 1, localpref 100, valid, internal, best
      Extended Community: RT:7:7
      mpls labels in/out nolabel/24   =============> This is the VPN label; it will be added.
Now R4 checks the LFIB table to route the MPLS packet to the destination.
R4#sh mpls forwarding-table 1.1.1.1
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     16          1.1.1.1/32        0          Se1/0      point2point
Now R4 adds another label, 16, and sends the MPLS packet to R3.
Step 3: Now R3 receives the MPLS packet and checks the LFIB table for the incoming MPLS label 16.
R3#sh mpls forwarding-table labels 16
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     17          1.1.1.1/32        286110     Se1/0      point2point
Step 4: Now R2 receives the MPLS packet and checks the LFIB table for the incoming MPLS label 17.
R2#sh mpls forwarding-table la 17
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Pop tag     1.1.1.1/32        529649     Se1/0      point2point
R2 pops the tag because of PHP (Penultimate Hop Popping): it removes the MPLS label 17 and passes the packet to R1. But don't forget that the packet still carries the MPLS VPN label 24.
Step 5: Now R1 checks the packet and sends it to the customer CE router R7.
R1#sh bgp vpnv4 unicast vrf A 70.0.0.1
BGP routing table entry for 700:7:70.0.0.0/24, version 13
Paths: (1 available, best #1, table A)
  Advertised to update-groups:
     1
  Local
    11.0.0.1 from 0.0.0.0 (1.1.1.1)
      Origin incomplete, metric 1, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:7:7
      mpls labels in/out 24/nolabel
Or
R1#sh mpls forwarding-table
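The hop-by-hop walk in steps 2 to 5 can be replayed from the label values in the outputs above. This added example (not part of the original post) pushes, swaps and pops the labels exactly as the LFIB entries say and reproduces the stacks seen in the traceroute; the table layout and function names are assumptions.

```python
# Transit LFIB entries transcribed from "sh mpls forwarding-table" on R3 and R2.
LFIB = {
    "R3": {16: ("swap", 17, "R2")},
    "R2": {17: ("pop", None, "R1")},   # "Pop tag": penultimate hop popping
}
# Egress PE: label 24 is the "in" label for 70.0.0.0/24 in VRF A on R1,
# with CE next hop 11.0.0.1 (from "mpls labels in/out 24/nolabel").
VPN_LABELS = {"R1": {24: ("A", "11.0.0.1")}}

def ingress_r4():
    """R4 imposes VPN label 24 (bottom), then transport label 16 (top) toward R3."""
    return "R3", [16, 24]

def walk(router, stack, max_hops=8):
    """Follow a packet; return ([(router, stack as received)], (vrf, ce_next_hop))."""
    seen = []
    for _ in range(max_hops):
        seen.append((router, list(stack)))
        if not stack:
            raise LookupError(f"{router}: unlabeled packet, no VRF can be selected")
        top = stack[0]
        if top in VPN_LABELS.get(router, {}):
            if len(stack) != 1:
                raise ValueError(f"{router}: VPN label {top} is not bottom of stack")
            return seen, VPN_LABELS[router][top]
        entry = LFIB.get(router, {}).get(top)
        if entry is None:
            raise LookupError(f"{router}: no LFIB entry for label {top}, packet dropped")
        action, out_label, next_router = entry
        stack = stack[1:] if action == "pop" else [out_label] + stack[1:]
        router = next_router
    raise RuntimeError("hop limit exceeded (forwarding loop?)")

if __name__ == "__main__":
    hops, delivery = walk(*ingress_r4())
    for name, labels in hops:
        print(name, "/".join(map(str, labels)))
    print("deliver in VRF", delivery[0], "via", delivery[1])
```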
Findings:
1) Without an RT import, BGP will not add the VPNv4 prefix to the other BGP neighbor. To disable the RT check feature, use <no bgp default route-target filter>.
2) In iBGP you should always use a loopback as the BGP neighbor IP, because if you use a directly connected interface it will not be reachable via MPLS.
3) Even though we redistribute the VPNv4 prefix in the correct VRF, routes will not be redistributed until the route import/export is configured.
R4(config)#router bgp 200
R4(config-router)#neighbor 1.1.1.1 remote-as 200
R4(config-router)#neighbor 1.1.1.1 update-source loopback 0
R4#sh ip vrf de
VRF A; default RD 500:5; default VPNID <not set>
  Interfaces:
    Se1/1
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:5:5
  Import VPN route-target communities
    RT:7:7
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
VRF B; default RD 600:6; default VPNID <not set>
  Interfaces:
    Se1/2
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:6:6
  Import VPN route-target communities
    RT:8:8
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
R4(config)#router bgp 200
R4(config-router)#address-family ipv4 vrf A
R4(config-router-af)#redistribute rip
R4(config)#router rip
R4(config-router)#address-family ipv4 vrf A
R4(config-router-af)#redistribute bgp 200 metric transparent
R5#sh ip route rip
     70.0.0.0/24 is subnetted, 3 subnets
R       70.2.2.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0
R       70.1.1.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0
R       70.0.0.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
R       11.0.0.0 [120/1] via 11.0.0.9, 00:00:12, Serial1/0