NextGenNetworking: MPLS/VPN

When designing MPLS Keep in mind about the MPLS Architecture.

1. Virtual Routing Forwarding

2. Route Distinguisher

3. PE-CE routing

4. Router Target

5. Route Propagation through M-BGP.

6. Redistribute from PE - MBGP and vise versa .

Virtual Routing Forwarding or it called as VRF.

1. PE router has a VRF instance for each attached VPN

2. Each VPN has it own routing table

3. Separate CEF table per VPN.

To Create VRF

Here we are going to create VRF on PE Router (R1) for 2 attached VPN. One VRF name A and another VRF name B.

R1(config)#ip vrf A

R1(config)#ip vrf B

Here I have created 2 VRF per VPN. One VPN name called A and another one called B.

Now we need to assign the VRF interface facing/connected to the CE router.

R1(config)#int s1/0

R1(config-if)#ip vrf forwarding A

% Interface Serial1/0 IP address 11.0.0.2 removed due to enabling VRF A

R1(config-if)#ip add 11.0.0.2 255.255.255.252

R1(config-if)#no sh

R1(config)#int s1/1

R1(config-if)#ip vrf forwarding B

% Interface Serial1/1 IP address 11.0.0.6 removed due to enabling VRF B

R1(config-if)#ip add 11.0.0.6 255.255.255.252

R1(config-if)#no sh

Note:

Very important While you configure VRF interface make sure to make a note of interface ip address.

As when you configure VRF on interface the ip address will be removed.

As I told before each VPN have different CEF table.

R1#sh ip cef vrf A

Prefix Next Hop Interface

0.0.0.0/0 drop Null0 (default route handler entry)

0.0.0.0/32 receive

11.0.0.0/30 attached Serial1/0

11.0.0.0/32 receive

11.0.0.2/32 receive

11.0.0.3/32 receive

224.0.0.0/24 receive

255.255.255.255/32 receive

R1#sh ip cef vrf B

Prefix Next Hop Interface

0.0.0.0/0 drop Null0 (default route handler entry)

0.0.0.0/32 receive

11.0.0.4/30 attached Serial1/1

11.0.0.4/32 receive

11.0.0.6/32 receive

11.0.0.7/32 receive

224.0.0.0/24 receive

255.255.255.255/32 receive

To verify the VRF interface

R1#sh ip vrf interfaces

Interface IP-Address VRF Protocol

Se1/0 11.0.0.2 A up

Se1/1 11.0.0.6 B up

Now check the VRF routing table for each VPN.

R1#sh ip route vrf A

11.0.0.0/30 is subnetted, 1 subnets

C 11.0.0.0 is directly connected, Serial1/0

R1#sh ip route vrf B

11.0.0.0/30 is subnetted, 1 subnets

C 11.0.0.4 is directly connected, Serial1/1

Or we can use show ip route vrf * command to see all VRF routing table plus global routing table.

Now we should get all the CE prefix to vrf routing table respectively.

So we have done the first part now lets move to the second part. That is Route distinguisher

This RD is used to make IPv4 prefix unique. But why we are making IPv4 unique which is already unique isn't it? The reason is IPv4 prefix is unique but 2 company can use 2 same ip address scheme and it may overlap with each other we will see this later on.

After adding RD with our prefix now our prefix became VPNv4 prefix which is unique. Very simple huh :)

Ok now lets add RD for ever VRF/VPN.

Here for VRF A am going to use RD value 700:7 and for VRF B Rd will be using 800:8. Ok lets configure this.

R1(config)#ip vrf A

R1(config-vrf)#rd 700:7

R1(config)#ip vrf B

R1(config-vrf)#rd 800:8

We can verify the RD value.

R1#sh ip vrf

Name Default RD Interfaces

A 700:7 Se1/0

B 800:8 Se1/1

Same set we are going to do on PE(R4) router

R4#sh ip vrf interfaces

Interface IP-Address VRF Protocol

Se1/1 11.0.0.9 A up

Se1/2 11.0.0.13 B up

R4#sh ip vrf

Name Default RD Interfaces

A 500:5 Se1/1

B 600:6 Se1/2

To do this VRF support all routing method. Static route, IGP and BGP

Here we are going to see how to do enable RIP routing protocol between PE router (R1) and CE router (R7).

First On CE router is same like normal routing so enable RIP first on CE router.

R7(config)#router rip

R7(config-router)#ver 2

R7(config-router)#no auto-summary

R7(config-router)#net 70.0.0.0

R7(config-router)#net 11.0.0.0

Now on PE router (R1) we need special configuration. Don’t afraid its very simple lets have a look

R1(config)#router rip

R1(config-router)#address-family ipv4 vrf A

R1(config-router-af)#net 11.0.0.0

R1(config-router-af)#no auto-summary

R1(config-router-af)#ver 2

R1(config-router-af)#exit-address-family

That’s it simple isn't it? We are just mentioning Which VRF should take that RIP route. Now lets check the VRF A routing table.

R1#sh ip route vrf A

70.0.0.0/24 is subnetted, 3 subnets

R 70.2.2.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0

R 70.1.1.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0

R 70.0.0.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0

11.0.0.0/30 is subnetted, 1 subnets

C 11.0.0.0 is directly connected, Serial1/0

See got all the RIP updates from CE router (R7).

Hence same like between R1 and R8 router we are going to have EIGRP routing protocol.

Here's the trick one comes. On R8 its same like usual EIGRP lets configure on R8 first.

R8(config)#router eigrp 10

R8(config-router)#no auto-summary

R8(config-router)#net 80.0.0.0

R8(config-router)#net 11.0.0.0

Now on R1 we have to EIGRP process different and under that we should give the correct/matching process id which is given on CE router(R8).

R1(config)#router eigrp 100

R1(config-router)#address-family ipv4 vrf B

R1(config-router-af)#autonomous-system 10======> This command is very important friends.

R1(config-router-af)#network 11.0.0.0

R1(config-router-af)#no auto-summary

R1(config-router-af)#exit-address-family

Now lets a look on VRF B for R8 route in VRF B routing table.

R1#sh ip route vrf B

80.0.0.0/24 is subnetted, 3 subnets

D 80.2.2.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1

D 80.1.1.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1

D 80.0.0.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1

11.0.0.0/30 is subnetted, 1 subnets

C 11.0.0.4 is directly connected, Serial1/1

That’s it :) we have done PE-CE routing. Now lets have BGP on other side that is between PE(R4) and CE(R5) router.

On customer side the configuration going to be the same old methodology.

R5(config)#router bgp 500

R5(config-router)#neighbor 11.0.0.9 remote-as 200

R5(config-router)#network 50.0.0.0 mask 255.255.255.0

R5(config-router)#network 50.1.1.0 mask 255.255.255.0

R5(config-router)#network 50.2.2.0 mask 255.255.255.0

R4(config)#router bgp 200

R4(config-router)#address-family ipv4 VRF A

R4(config-router-af)#neighbor 11.0.0.10 remote-as 500

Here we got output saying as BGP peer UP.

*Dec 13 23:52:49.505: %BGP-5-ADJCHANGE: neighbor 11.0.0.10 vpn vrf A Up

Now verify the BGP neighborship we have diff commands.

R4#sh bgp vpnv4 unicast vrf A summary

BGP router identifier 4.4.4.4, local AS number 200

BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

11.0.0.10 4 500 6 6 1 0 0 00:02:08 0

R4#sh bgp vpnv4 unicast vrf A

BGP table version is 4, local router ID is 4.4.4.4

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 500:5 (default for vrf A)

*> 50.0.0.0/24 11.0.0.10 0 0 500 i

*> 50.1.1.0/24 11.0.0.10 0 0 500 i

*> 50.2.2.0/24 11.0.0.10 0 0 500 i

R4#sh bgp vpnv4 unicast all

BGP table version is 4, local router ID is 4.4.4.4

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 500:5 (default for vrf A)

*> 50.0.0.0/24 11.0.0.10 0 0 500 i

*> 50.1.1.0/24 11.0.0.10 0 0 500 i

*> 50.2.2.0/24 11.0.0.10 0 0 500 i

R4#sh ip route vrf A

50.0.0.0/24 is subnetted, 3 subnets

B 50.2.2.0 [20/0] via 11.0.0.10, 00:00:32

B 50.1.1.0 [20/0] via 11.0.0.10, 00:01:03

B 50.0.0.0 [20/0] via 11.0.0.10, 00:01:34

11.0.0.0/30 is subnetted, 1 subnets

C 11.0.0.8 is directly connected, Serial1/1

R4#sh bgp vpnv4 unicast all

BGP table version is 4, local router ID is 4.4.4.4

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 500:5 (default for vrf A)============> This indicate that BGP gonna add this Rd value

*> 50.0.0.0/24 11.0.0.10 0 0 500 I on every prefix.

*> 50.1.1.0/24 11.0.0.10 0 0 500 i

*> 50.2.2.0/24 11.0.0.10 0 0 500 I

R4#sh bgp vpnv4 unicast all 50.1.1.0/24

BGP routing table entry for 500:5:50.1.1.0/24, version 3==========> This became our VPNv4 prefix

Paths: (1 available, best #1, table A)

Not advertised to any peer

500

11.0.0.10 from 11.0.0.10 (50.2.2.1)

Origin IGP, metric 0, localpref 100, valid, external, best

mpls labels in/out 22/nolabel

Now lets do the 4th step that is Route Propagation through M-BGP But before that for BGP peer between PE routers. In MPLS that’s the main advantage MPLS cloud can run with BGP core free no need to have BGP on every router.

To do this We need to form BGP peers between PE routers. Here am going to have iBGP peer with R1 and R4.

MPLS cloud have a BGP AS 200.

R1(config)#router bgp 200

R1(config-router)#neighbor 4.4.4.4 remote-as 200

R1(config-router)#neighbor 4.4.4.4 update-source loopback 0

Check the iBGP peers.

R1#sh ip bgp summary

BGP router identifier 1.1.1.1, local AS number 200

BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

4.4.4.4 4 200 5 5 1 0 0 00:02:06 0

R1#sh ip bgp neighbors | in IP

Address family IPv4 Unicast: advertised and received

For address family: IPv4 Unicast =======> By default BGP support only IPv4 unicast address family

IP Precedence value : 6

To deactivate the ipv4 unicast capability negotiation we can use

R1(config-router)#no bgp default ipv4-unicast

R1(config-router)#address-family ipv4 unicat

R1(config-router-af)#no neighbor x.x.x.x activate

To enable M-BGP we have to enable VPNv4 unicast capability between the peers.

R1(config)#router bg 200

R1(config-router)#address-family vpnv4

R1(config-router-af)#neighbor 4.4.4.4 activate

R4(config)#router bgp 200

*Dec 14 01:43:07.540: %BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 2/7(unsupported/disjoint capability) 0 bytes

R4(config-router)#address-family vpnv4

R4(config-router-af)#neighbor 1.1.1.1 activate

R1#sh ip bgp ne | in Add

Address family IPv4 Unicast: advertised and received

Address family VPNv4 Unicast: advertised and received

Now next we created a unique prefix but still it doesn’t know from which VPN which prefix came to define this we have route target

Route target will tell the router which prefix should be installed in which VRF table.

VRF	Router(E)	Export	Import	Router(I)
A	R7	7:7	5:5	R5
A	R5	5:5	7:7	R7
B	R8	8:8	6:6	R6
B	R6	6:6	8:8	R8

R1#sh ip vrf detail

VRF A; default RD 700:7; default VPNID <not set>

Interfaces:

Se1/0

Connected addresses are not in global routing table

Export VPN route-target communities

RT:7:7

Import VPN route-target communities

RT:5:5

No import route-map

No export route-map

VRF label distribution protocol: not configured

VRF B; default RD 800:8; default VPNID <not set>

Interfaces:

Se1/1

Connected addresses are not in global routing table

Export VPN route-target communities

RT:8:8

Import VPN route-target communities

RT:6:6

No import route-map

No export route-map

VRF label distribution protocol: not configured

Now the last process Redistribution.

Note: I removed the BGP part on R4 and R5 as I got confused and not able to solve my issues surely ill look it this and ill update you later.

R1(config)#router bgp 200

R1(config-router)#address-family ipv4 vrf A

R1(config-router-af)#redistribute rip

R1(config)#router rip

R1(config-router)#address-family ipv4 vrf A

R1(config-router-af)#redistribute bgp 200 metric 7

Now lets check the CE routing table.

R7#sh ip route rip

50.0.0.0/24 is subnetted, 3 subnets

R 50.2.2.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0

R 50.1.1.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0

R 50.0.0.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0

11.0.0.0/30 is subnetted, 2 subnets

R 11.0.0.8 [120/7] via 11.0.0.2, 00:00:01, Serial1/0

Transparent command will take the actual rip metric in MED and another CE router able to use this info.

Now lets ping from R5 to R7.

R5#ping 70.0.0.1

Sending 5, 100-byte ICMP Echos to 70.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 172/192/208 ms

Now lets trace route this

R5#traceroute 70.0.0.1

1 11.0.0.9 64 msec 52 msec 56 msec

2 10.0.0.9 [MPLS: Labels 16/24 Exp 0] 224 msec 188 msec 176 msec

3 10.0.0.5 [MPLS: Labels 17/24 Exp 0] 232 msec 116 msec 212 msec

4 11.0.0.2 [MPLS: Label 24 Exp 0] 180 msec 132 msec 188 msec

5 11.0.0.1 176 msec * 184 msec

Here 24 VPN label and its in the bottom label stack and 16 is MPLS label. Lets check hop by hop .

Step1: R5 send the packet normal ip packet.

R5#sh ip route 70.0.0.1

Routing entry for 70.0.0.0/24

Known via "rip", distance 120, metric 2

Redistributing via rip

Last update from 11.0.0.9 on Serial1/0, 00:00:08 ago

Routing Descriptor Blocks:

* 11.0.0.9, from 11.0.0.9, 00:00:08 ago, via Serial1/0

Route metric is 2, traffic share count is 1

R5#sh ip route 11.0.0.9

Routing entry for 11.0.0.8/30

Known via "connected", distance 0, metric 0 (connected, via interface)

Redistributing via rip

Advertised by rip

Routing Descriptor Blocks:

* directly connected, via Serial1/0

Route metric is 0, traffic share count is 1

By recursive lookup R5 find the next hop and exit interface.

Step2: R4 receive it and make that packet as MPLS/VPN packet.

R4#sh bgp v un vrf A 70.0.0.1

BGP routing table entry for 500:5:70.0.0.0/24, version 16

Paths: (1 available, best #1, table A)

Not advertised to any peer

Local, imported path from 700:7:70.0.0.0/24

1.1.1.1 (metric 193) from 1.1.1.1 (1.1.1.1)==============> This will be the MPLS next hop

Origin incomplete, metric 1, localpref 100, valid, internal, best

Extended Community: RT:7:7

mpls labels in/out nolabel/24 =============> This is VPN label it will be added.

Now R4 check the LFIB table to route MPLS packet to the destination.

R4#sh mpls forwarding-table 1.1.1.1

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

18 16 1.1.1.1/32 0 Se1/0 point2point

Now R4 will add another label 16 and send the mpls packet to R3.

Step3: Now R3 receive the MPLS packet and check the LFIB table for incoming mpls label 16

R3#sh mpls forwarding-table labels 16

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

16 17 1.1.1.1/32 286110 Se1/0 point2point

Step4: Now R2 receive the MPLS packet and check the LFIB table for incoming mpls label 17

R2#sh mpls forwarding-table la 17

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

17 Pop tag 1.1.1.1/32 529649 Se1/0 point2point

R2 will pop the tag because of PHP (Penultimate Hop Popping) and remove the MPLS label 17 and pass it to R1 but still it has MPLS VPN label 24 don’t forget.

Step 5: Now R1 will check and send the packet to the customer CE router R7

R1#sh bgp vpnv4 unicast vrf A 70.0.0.1

BGP routing table entry for 700:7:70.0.0.0/24, version 13

Paths: (1 available, best #1, table A)

Advertised to update-groups:

Local

11.0.0.1 from 0.0.0.0 (1.1.1.1)

Origin incomplete, metric 1, localpref 100, weight 32768, valid, sourced, best

Extended Community: RT:7:7

mpls labels in/out 24/nolabel

R1#sh mpls forwarding-table

Findings:

1)Without RT import bgp will not add the VPNv4 preffix to other BGP neighbor. To disable RT check feature <no bgp default router-target filter>

2) In iBGP you should always have a loopback as a bgp neighbor IP. Because if you are using directly connected

Interface means via mpls it will not be reachable.

3)Even though we redistribute the VPNv4 prefix in the correct vrf, Routes will not be redistributed until the route-import/export configured.

R4(config)#router bgp 200

R4(config-router)#neighbor 1.1.1.1 remote-as 200

R4(config-router)#neighbor 1.1.1.1 update-source loopback 0

R4#sh ip vrf de

VRF A; default RD 500:5; default VPNID <not set>

Interfaces:

Se1/1

Connected addresses are not in global routing table

Export VPN route-target communities

RT:5:5

Import VPN route-target communities

RT:7:7

No import route-map

No export route-map

VRF label distribution protocol: not configured

VRF B; default RD 600:6; default VPNID <not set>

Interfaces:

Se1/2

Connected addresses are not in global routing table

Export VPN route-target communities

RT:6:6

Import VPN route-target communities

RT:8:8

No import route-map

No export route-map

VRF label distribution protocol: not configured

R4(config)#router bgp 200

R4(config-router)#address-family ipv4 vrf A

R4(config-router-af)#redistribute rip

R4(config)#router rip

R4(config-router)#address-family ipv4 vrf A

R4(config-router-af)#redistribute bgp 200 metric transparent

R5#sh ip route rip

70.0.0.0/24 is subnetted, 3 subnets

R 70.2.2.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0

R 70.1.1.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0

R 70.0.0.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0

11.0.0.0/30 is subnetted, 2 subnets

R 11.0.0.0 [120/1] via 11.0.0.9, 00:00:12, Serial1/0

NextGenNetworking

Saturday 1 February 2020

MPLS/VPN

No comments:

Post a Comment