Saturday, 1 February 2020

MPLS/VPN


When designing an MPLS VPN, keep the MPLS/VPN architecture in mind. The building blocks are:
1.       Virtual Routing and Forwarding (VRF)
2.       Route Distinguisher (RD)
3.       PE-CE routing
4.       Route Target (RT)
5.       Route propagation through MP-BGP (the VPNv4 address family)
6.       Redistribution between the PE-CE routing protocol and MP-BGP, and vice versa

Virtual Routing and Forwarding, usually called VRF:
1.       A PE router has a VRF instance for each attached VPN.
2.       Each VPN has its own routing table.
3.       Each VPN has a separate CEF table.

To create a VRF
Here we are going to create VRFs on the PE router (R1) for the 2 attached VPNs: one VRF named A and another VRF named B.

R1(config)#ip vrf A
R1(config)#ip vrf B

We now have one VRF per VPN: VRF A for VPN A and VRF B for VPN B.
Next we assign each VRF to the interface facing (connected to) the CE router of that VPN.

R1(config)#int s1/0
R1(config-if)#ip vrf forwarding A
% Interface Serial1/0 IP address 11.0.0.2 removed due to enabling VRF A
R1(config-if)#ip add 11.0.0.2 255.255.255.252
R1(config-if)#no sh

R1(config)#int s1/1
R1(config-if)#ip vrf forwarding B
% Interface Serial1/1 IP address 11.0.0.6 removed due to enabling VRF B
R1(config-if)#ip add 11.0.0.6 255.255.255.252
R1(config-if)#no sh

Note:
Very important: before you put an interface into a VRF, make a note of its IP address.
Enabling VRF forwarding on an interface removes the IP address, so it has to be configured again afterwards (as above).

As mentioned before, each VPN has its own CEF table:
R1#sh ip cef vrf A
Prefix              Next Hop             Interface
0.0.0.0/0           drop                 Null0 (default route handler entry)
0.0.0.0/32          receive
11.0.0.0/30         attached             Serial1/0
11.0.0.0/32         receive
11.0.0.2/32         receive
11.0.0.3/32         receive
224.0.0.0/24        receive
255.255.255.255/32  receive

R1#sh ip cef vrf B
Prefix              Next Hop             Interface
0.0.0.0/0           drop                 Null0 (default route handler entry)
0.0.0.0/32          receive
11.0.0.4/30         attached             Serial1/1
11.0.0.4/32         receive
11.0.0.6/32         receive
11.0.0.7/32         receive
224.0.0.0/24        receive
255.255.255.255/32  receive


To verify the VRF interfaces:
R1#sh ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Se1/0                  11.0.0.2        A                                up
Se1/1                  11.0.0.6        B                                up

Now check the VRF routing table for each VPN.
R1#sh ip route vrf A
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.0 is directly connected, Serial1/0

R1#sh ip route vrf B
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.4 is directly connected, Serial1/1

Or use show ip route vrf * to see every VRF routing table plus the global routing table.
Next we need to get the CE prefixes into their respective VRF routing tables.

That was the first part; now let's move to the second part, the Route Distinguisher (RD).
The RD is prepended to an IPv4 prefix to make it unique. But why make an IPv4 prefix unique when it is already unique? Because two customers can use the same IP addressing scheme (private address space, for example), so their prefixes can overlap once they share the provider's MP-BGP table; we will see this later on.
With the RD added, the prefix becomes a VPNv4 prefix (RD:prefix) which is unique. Note that the RD only makes the prefix unique; it does not decide which VRF a route is imported into, that is the job of the route target (RT). Very simple, huh :)
Now let's add an RD to every VRF/VPN.

For VRF A I am going to use RD 700:7 and for VRF B RD 800:8. Let's configure this:

R1(config)#ip vrf A
R1(config-vrf)#rd 700:7
R1(config)#ip vrf B
R1(config-vrf)#rd 800:8

We can verify the RD value.
R1#sh ip vrf
  Name                             Default RD          Interfaces
  A                                700:7               Se1/0
  B                                800:8               Se1/1

The same set of steps is done on the other PE router (R4). Note that the RD values there (500:5 and 600:6) differ from the ones on R1; the RD does not need to match between PEs, it only needs to make the VPNv4 prefixes unique.
R4#sh ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Se1/1                  11.0.0.9        A                                up
Se1/2                  11.0.0.13       B                                up
R4#sh ip vrf
  Name                             Default RD          Interfaces
  A                                500:5               Se1/1
  B                                600:6               Se1/2

Now PE-CE routing. A VRF supports all the usual routing methods: static routes, IGPs and BGP.
Here we are going to see how to enable RIP between the PE router (R1) and the CE router (R7).

First, on the CE router it is the same as normal routing, so enable RIP on the CE router:
R7(config)#router rip
R7(config-router)#ver 2
R7(config-router)#no auto-summary
R7(config-router)#net 70.0.0.0
R7(config-router)#net 11.0.0.0


Now on the PE router (R1) we need a special configuration. Don't be afraid, it's very simple; let's have a look:

R1(config)#router rip
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#net 11.0.0.0
R1(config-router-af)#no auto-summary
R1(config-router-af)#ver 2
R1(config-router-af)#exit-address-family

That's it, simple isn't it? We are just telling RIP which VRF the routes from this neighbor belong to. Now let's check the VRF A routing table:
R1#sh ip route vrf A
     70.0.0.0/24 is subnetted, 3 subnets
R       70.2.2.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0
R       70.1.1.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0
R       70.0.0.0 [120/1] via 11.0.0.1, 00:00:15, Serial1/0
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.0 is directly connected, Serial1/0

We have received all the RIP updates from CE router R7.

Next, between R1 and R8 we are going to use EIGRP.
Here comes the tricky part. On R8 the configuration is the usual EIGRP; let's configure R8 first:

R8(config)#router eigrp 10
R8(config-router)#no auto-summary
R8(config-router)#net 80.0.0.0
R8(config-router)#net 11.0.0.0

On R1 we create a separate EIGRP process and, under the VRF address family, set the autonomous-system number to the one configured on the CE router (R8), which here is 10. The global process number (100) does not need to match.

R1(config)#router eigrp 100
R1(config-router)#address-family ipv4 vrf B
R1(config-router-af)#autonomous-system 10 <===== This command is very important: the AS number must match the CE's EIGRP AS (10), or the adjacency will not form.
R1(config-router-af)#network 11.0.0.0
R1(config-router-af)#no auto-summary
R1(config-router-af)#exit-address-family

Now let's look at the VRF B routing table for the routes from R8:
R1#sh ip route vrf B
     80.0.0.0/24 is subnetted, 3 subnets
D       80.2.2.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1
D       80.1.1.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1
D       80.0.0.0 [90/2297856] via 11.0.0.5, 00:02:56, Serial1/1
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.4 is directly connected, Serial1/1

That's it :) We have done PE-CE routing on R1. Now let's use BGP on the other side, between PE (R4) and CE (R5).
On the customer side the configuration is the same as any ordinary eBGP peering:

R5(config)#router bgp 500
R5(config-router)#neighbor 11.0.0.9 remote-as 200
R5(config-router)#network 50.0.0.0 mask 255.255.255.0
R5(config-router)#network 50.1.1.0 mask 255.255.255.0
R5(config-router)#network 50.2.2.0 mask 255.255.255.0


R4(config)#router bgp 200
R4(config-router)#address-family ipv4 VRF A
R4(config-router-af)#neighbor 11.0.0.10 remote-as 500
We get a log message saying the BGP peer is up:
*Dec 13 23:52:49.505: %BGP-5-ADJCHANGE: neighbor 11.0.0.10 vpn vrf A Up

To verify the BGP neighborship we have a few different commands:

R4#sh bgp vpnv4 unicast vrf A summary
BGP router identifier 4.4.4.4, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
11.0.0.10       4   500       6       6        1    0    0 00:02:08        0

R4#sh bgp vpnv4 unicast vrf A
BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 500:5 (default for vrf A)
*> 50.0.0.0/24      11.0.0.10                0             0 500 i
*> 50.1.1.0/24      11.0.0.10                0             0 500 i
*> 50.2.2.0/24      11.0.0.10                0             0 500 i


R4#sh ip route vrf A
     50.0.0.0/24 is subnetted, 3 subnets
B       50.2.2.0 [20/0] via 11.0.0.10, 00:00:32
B       50.1.1.0 [20/0] via 11.0.0.10, 00:01:03
B       50.0.0.0 [20/0] via 11.0.0.10, 00:01:34
     11.0.0.0/30 is subnetted, 1 subnets
C       11.0.0.8 is directly connected, Serial1/1


R4#sh bgp vpnv4 unicast all
BGP table version is 4, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 500:5 (default for vrf A) <===== BGP prepends this RD to every prefix learned in VRF A
*> 50.0.0.0/24      11.0.0.10                0             0 500 i
*> 50.1.1.0/24      11.0.0.10                0             0 500 i
*> 50.2.2.0/24      11.0.0.10                0             0 500 i

R4#sh bgp vpnv4 unicast all 50.1.1.0/24
BGP routing table entry for 500:5:50.1.1.0/24, version 3 <===== the VPNv4 prefix: RD 500:5 plus 50.1.1.0/24
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  500
    11.0.0.10 from 11.0.0.10 (50.2.2.1)
      Origin IGP, metric 0, localpref 100, valid, external, best
      mpls labels in/out 22/nolabel <===== R4 has allocated VPN label 22 for this prefix



Now let's do the 4th step, route propagation through MP-BGP. Before that we need a BGP peering between the PE routers. This is the main advantage of MPLS: the core can be BGP-free, only the PE routers need to run BGP; the P routers (R2 and R3) just switch labels.

To do this we need to form a BGP peering between the PE routers. Here I am going to set up an iBGP peering between R1 and R4, using the loopback addresses (1.1.1.1 and 4.4.4.4) as the peering addresses.

The MPLS cloud is BGP AS 200.

R1(config)#router bgp 200
R1(config-router)#neighbor 4.4.4.4 remote-as 200
R1(config-router)#neighbor 4.4.4.4 update-source loopback 0

Check the iBGP peers.
R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4   200       5       5        1    0    0 00:02:06        0

R1#sh ip bgp neighbors | in IP
    Address family IPv4 Unicast: advertised and received
 For address family: IPv4 Unicast <===== by default BGP negotiates only the IPv4 unicast address family
IP Precedence value : 6
To stop the IPv4 unicast address family from being negotiated for a peer (the PEs only need VPNv4 between them) use:
R1(config-router)#no bgp default ipv4-unicast
(this only affects neighbors configured after the command), or per neighbor:
R1(config-router)#address-family ipv4 unicast
R1(config-router-af)#no neighbor x.x.x.x activate

To enable MP-BGP we have to activate the VPNv4 unicast address family between the peers:

R1(config)#router bgp 200
R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor 4.4.4.4 activate



R4(config)#router bgp 200

*Dec 14 01:43:07.540: %BGP-3-NOTIFICATION: received from neighbor 1.1.1.1 2/7(unsupported/disjoint capability) 0 bytes

R4 logs this notification (OPEN message error, unsupported capability) from R1 because R1 now expects the VPNv4 capability for this neighbor while R4 has not activated it yet. Activating the address family on R4 brings the session back up with both address families:

R4(config-router)#address-family vpnv4
R4(config-router-af)#neighbor 1.1.1.1 activate

R1#sh ip bgp ne | in Add
    Address family IPv4 Unicast: advertised and received
    Address family VPNv4 Unicast: advertised and received

We now have unique prefixes, but the receiving PE still does not know which VPN a prefix belongs to, i.e. which VRF it should be installed in. For this we have the route target (RT).
The route target is an extended community attached to each VPNv4 route when it is exported; it tells the receiving router which VRF table the prefix should be installed in.

VRF   Router(E)   Export RT   Import RT   Router(I)
A     R7          7:7         5:5         R5
A     R5          5:5         7:7         R7
B     R8          8:8         6:6         R6
B     R6          6:6         8:8         R8

Router(E) is the CE whose routes are exported by its PE with the Export RT; Router(I) is the CE that receives them because its PE imports that RT. So on R1, VRF A exports 7:7 and imports 5:5, while on R4 the same VRF A exports 5:5 and imports 7:7 (configured under ip vrf with route-target export and route-target import). The RDs differ per PE (700:7 vs 500:5) and that is fine; what must line up is that every RT a PE exports appears in the far PE's import list for the same VRF, and only for that VRF. An extra import RT in the wrong VRF is all it takes to leak one customer's routes into another customer's table.

R1#sh ip vrf detail
VRF A; default RD 700:7; default VPNID <not set>
  Interfaces:
    Se1/0
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:7:7
  Import VPN route-target communities
    RT:5:5
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
VRF B; default RD 800:8; default VPNID <not set>
  Interfaces:
    Se1/1
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:8:8
  Import VPN route-target communities
    RT:6:6
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
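To show what the RD and the route targets actually do to a prefix, here is an added Python model of the export/import process; it is not code from the original post or from IOS. It uses the RD and RT values from the sh ip vrf detail outputs on this page and the CE prefixes 70.0.0.0/24 and 80.0.0.0/24; the 192.168.1.0/24 prefix present in both VRFs is a constructed, overlapping customer prefix, and R4's VRF B having no local routes is an assumption. It shows the two overlapping prefixes staying distinct as VPNv4 NLRIs, R4 installing each route only in the VRF whose import RT matches, the automatic route-target filter dropping routes that no local VRF imports (finding 1 below), and how a single stray import RT leaks one customer's routes into another customer's VRF.

```python
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                      # route distinguisher, e.g. "700:7"
    export_rts: frozenset        # RTs attached when the VRF's routes are exported
    import_rts: frozenset        # RTs that cause a VPNv4 route to be installed here
    routes: set = field(default_factory=set)   # IPv4 prefixes learned from the CE


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset               # RT extended communities carried in MP-BGP
    origin_pe: str

    @property
    def nlri(self) -> str:
        return f"{self.rd}:{self.prefix}"   # the VPNv4 NLRI, as IOS prints it


def export_vrf_routes(pe_name: str, vrfs: list) -> set:
    """PE side of 'redistribute <igp>' into address-family ipv4 vrf: every VRF route
    becomes RD:prefix and is tagged with the VRF's export RTs."""
    return {Vpnv4Route(v.rd, p, v.export_rts, pe_name) for v in vrfs for p in v.routes}


def receive_vpnv4(vrfs: list, vpnv4_routes: set):
    """Receiving PE. A route whose RTs match no local VRF import list is discarded
    (automatic route-target filtering); otherwise each matching VRF installs the
    IPv4 prefix, stripped of its RD. Returns (installed per VRF, dropped NLRIs)."""
    installed = {v.name: set() for v in vrfs}
    dropped = set()
    for r in vpnv4_routes:
        targets = [v for v in vrfs if r.rts & v.import_rts]
        for v in targets:
            installed[v.name].add(r.prefix)
        if not targets:
            dropped.add(r.nlri)
    return installed, dropped


# R1's VRFs as in 'sh ip vrf detail' on the page. The 192.168.1.0/24 prefix in both
# VRFs is a constructed, overlapping customer prefix (not on the page).
R1_VRFS = [
    Vrf("A", "700:7", frozenset({"7:7"}), frozenset({"5:5"}), {"70.0.0.0/24", "192.168.1.0/24"}),
    Vrf("B", "800:8", frozenset({"8:8"}), frozenset({"6:6"}), {"80.0.0.0/24", "192.168.1.0/24"}),
]


def r4_vrfs(vrf_a_import=frozenset({"7:7"})) -> list:
    """R4's VRFs from the page (VRF B with no local routes is an assumption); the
    import list of VRF A is a parameter so a misconfiguration can be shown."""
    return [
        Vrf("A", "500:5", frozenset({"5:5"}), vrf_a_import, {"50.0.0.0/24"}),
        Vrf("B", "600:6", frozenset({"6:6"}), frozenset({"8:8"}), set()),
    ]


def propagate_r1_to_r4(vrf_a_import=frozenset({"7:7"})):
    """Return (R1's VPNv4 NLRIs, what R4 installs per VRF, what R4 drops)."""
    vpnv4 = export_vrf_routes("R1", R1_VRFS)
    installed, dropped = receive_vpnv4(r4_vrfs(vrf_a_import), vpnv4)
    return {r.nlri for r in vpnv4}, installed, dropped


if __name__ == "__main__":
    nlris, installed, dropped = propagate_r1_to_r4()
    print("VPNv4 table on R1:", sorted(nlris))       # two distinct 192.168.1.0/24 entries
    print("R4 installs:", installed, "drops:", dropped)
    _, leaked, _ = propagate_r1_to_r4(frozenset({"7:7", "8:8"}))
    print("with stray import 8:8, R4 VRF A sees:", sorted(leaked["A"]))
```

The leak case is the check worth doing in a configuration review: compare every VRF's route-target import list against the RTs other customers' VRFs export, since the RD gives no protection here, only the RTs do.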




Now the last step: redistribution.

Note: I removed the BGP part on R4 and R5 as I got confused and was not able to solve my issues; surely I'll look into this and I'll update you later.

R1(config)#router bgp 200
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#redistribute rip

R1(config)#router rip
R1(config-router)#address-family ipv4 vrf A
R1(config-router-af)#redistribute bgp 200 metric 7

Now let's check the CE routing table:

R7#sh ip route rip
     50.0.0.0/24 is subnetted, 3 subnets
R       50.2.2.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0
R       50.1.1.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0
R       50.0.0.0 [120/7] via 11.0.0.2, 00:00:01, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
R       11.0.0.8 [120/7] via 11.0.0.2, 00:00:01, Serial1/0


The metric transparent option (used on R4 below) carries the original RIP metric in the BGP MED across the MPLS cloud, so the remote CE receives the real hop count instead of the fixed metric 7 used on R1 above.

Now let's ping from R5 to R7:

R5#ping 70.0.0.1
Sending 5, 100-byte ICMP Echos to 70.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/192/208 ms

Now let's traceroute it:
R5#traceroute 70.0.0.1
  1 11.0.0.9 64 msec 52 msec 56 msec
  2 10.0.0.9 [MPLS: Labels 16/24 Exp 0] 224 msec 188 msec 176 msec
  3 10.0.0.5 [MPLS: Labels 17/24 Exp 0] 232 msec 116 msec 212 msec
  4 11.0.0.2 [MPLS: Label 24 Exp 0] 180 msec 132 msec 188 msec
  5 11.0.0.1 176 msec *  184 msec

Here 24 is the VPN label, at the bottom of the label stack, and 16 is the transport (LDP) label on top; the transport label is swapped (16 to 17) at each P router and popped before R1. Let's check hop by hop.

Step 1:        R5 sends a normal IP packet.
        
R5#sh ip route 70.0.0.1
Routing entry for 70.0.0.0/24
  Known via "rip", distance 120, metric 2
  Redistributing via rip
  Last update from 11.0.0.9 on Serial1/0, 00:00:08 ago
  Routing Descriptor Blocks:
  * 11.0.0.9, from 11.0.0.9, 00:00:08 ago, via Serial1/0
      Route metric is 2, traffic share count is 1

R5#sh ip route 11.0.0.9
Routing entry for 11.0.0.8/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via rip
  Advertised by rip
  Routing Descriptor Blocks:
  * directly connected, via Serial1/0
      Route metric is 0, traffic share count is 1
By recursive lookup R5 finds the next hop and exit interface.

Step 2:        R4 receives it and turns it into an MPLS/VPN packet.
                   
R4#sh bgp v un vrf A 70.0.0.1
BGP routing table entry for 500:5:70.0.0.0/24, version 16
Paths: (1 available, best #1, table A)
  Not advertised to any peer
  Local, imported path from 700:7:70.0.0.0/24
    1.1.1.1 (metric 193) from 1.1.1.1 (1.1.1.1) <===== the BGP next hop (R1's loopback); the transport label is looked up for this address
      Origin incomplete, metric 1, localpref 100, valid, internal, best
      Extended Community: RT:7:7
      mpls labels in/out nolabel/24 <===== the VPN label advertised by R1; R4 pushes it first (bottom of stack)

Now R4 checks the LFIB for the transport label towards the BGP next hop 1.1.1.1:
R4#sh mpls forwarding-table 1.1.1.1
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     16          1.1.1.1/32        0          Se1/0      point2point

R4 pushes transport label 16 on top of VPN label 24 and sends the MPLS packet to R3.

Step 3:  R3 receives the MPLS packet and looks up incoming label 16 in its LFIB; it swaps it for 17 and forwards to R2.

R3#sh mpls forwarding-table labels 16
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     17          1.1.1.1/32        286110     Se1/0      point2point

Step 4:         R2 receives the MPLS packet and looks up incoming label 17 in its LFIB:

R2#sh mpls forwarding-table la 17
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Pop tag     1.1.1.1/32        529649     Se1/0      point2point

R2 pops the top label because of PHP (Penultimate Hop Popping): it removes transport label 17 and passes the packet to R1 with only the VPN label 24 still on it; don't forget that one.

Step 5:       R1 looks up VPN label 24, which it allocated for 70.0.0.0/24 in VRF A, and sends the packet to the customer CE router R7 (11.0.0.1):

R1#sh bgp vpnv4 unicast vrf A 70.0.0.1
BGP routing table entry for 700:7:70.0.0.0/24, version 13
Paths: (1 available, best #1, table A)
  Advertised to update-groups:
     1
  Local
    11.0.0.1 from 0.0.0.0 (1.1.1.1)
      Origin incomplete, metric 1, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:7:7
      mpls labels in/out  24/nolabel
Or look at local label 24 in R1's LFIB:
R1#sh mpls forwarding-table
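The five steps above as an added Python walk-through of the label stack; this is not code from the original post. It encodes the LFIB entries shown on this page (R4 pushes 16 towards 1.1.1.1, R3 swaps 16 for 17, R2 pops because of PHP) and R1's VPN label 24 for VRF A, and reproduces the label stacks seen in the traceroute from R5. The untagged action is an assumption added to show the edge case: an entry that strips the whole stack instead of popping one label leaves R1 without the VPN label, so it can no longer tell which VRF the packet belongs to.

```python
# R4's VRF A route for the destination, from 'sh bgp vpnv4 unicast vrf A 70.0.0.1':
# the BGP next hop is the egress PE loopback, 24 is the VPN label R1 advertised.
R4_VRF_A_ROUTES = {"70.0.0.0/24": {"next_hop": "1.1.1.1", "vpn_label": 24}}

# Per-router LFIB: key -> (action, outgoing label, next router).
# R4 is keyed by the BGP next hop (FEC 1.1.1.1/32), the P routers by incoming label.
# "swap" replaces the top label, "pop" removes one label (PHP, implicit-null);
# "untagged" (assumed here for the edge case) strips the whole stack.
LFIB = {
    "R4": {"1.1.1.1": ("push", 16, "R3")},   # local 18, outgoing 16, via Se1/0
    "R3": {16: ("swap", 17, "R2")},
    "R2": {17: ("pop", None, "R1")},
}

# Egress PE R1: VPN label -> (VRF, CE next hop), from 'sh bgp vpnv4 unicast vrf A 70.0.0.1' on R1.
R1_VPN_LABELS = {24: ("A", "11.0.0.1")}


def labels(stack):
    """Render a stack top-first, the way traceroute prints 'Labels 16/24'."""
    return "/".join(str(label) for label in reversed(stack))


def forward(dst_prefix="70.0.0.0/24", lfib=LFIB):
    """Return ([(router, labels on arrival), ...], (vrf, ce_next_hop) or None)."""
    arrivals = []
    stack = []                                   # bottom ... top
    # Steps 1 and 2: the plain IP packet from R5 arrives at R4 unlabelled.
    arrivals.append(("R4", labels(stack)))
    route = R4_VRF_A_ROUTES[dst_prefix]
    stack.append(route["vpn_label"])             # VPN label first (bottom of stack)
    _, transport_label, router = lfib["R4"][route["next_hop"]]
    stack.append(transport_label)                # transport label on top
    # Steps 3 and 4: P routers act on the top label only; the VPN label is never inspected.
    while router in lfib:
        arrivals.append((router, labels(stack)))
        action, out_label, next_router = lfib[router][stack[-1]]
        if action == "swap":
            stack[-1] = out_label
        elif action == "pop":
            stack.pop()
        elif action == "untagged":
            stack.clear()
        router = next_router
    # Step 5: the egress PE maps the remaining VPN label to a VRF and CE next hop.
    arrivals.append((router, labels(stack)))
    if not stack:
        return arrivals, None                    # VPN label lost: R1 cannot pick the VRF
    return arrivals, R1_VPN_LABELS[stack.pop()]


if __name__ == "__main__":
    hops, delivered = forward()
    for hop, stack in hops:
        print(f"{hop}: labels on arrival = {stack or 'none'}")
    print("delivered to VRF/CE:", delivered)
```

The arrival stacks printed for R3, R2 and R1 (16/24, 17/24, 24) are exactly the ones the traceroute from R5 shows at hops 2, 3 and 4; passing a modified LFIB in which R2's entry is untagged rather than pop makes the delivery fail, which is the situation finding 2 below warns about.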

Findings:
1) Without a matching route-target import, a PE does not install a received VPNv4 prefix in any VRF; in fact a PE that has no VRF importing the route's RT discards it on receipt (automatic route-target filtering). To disable that filter use: no bgp default route-target filter
2) For the iBGP peering between PEs, always use a loopback address as the neighbor IP (update-source loopback), advertised as a /32 in the core IGP. The BGP next hop of a VPNv4 route must be the egress PE's loopback so that the label switched path ends on the PE that allocated the VPN label; with an interface address as next hop the LSP can terminate short of the PE and the VPN label is lost.
3) Even though the prefixes are redistributed into the correct VRF, they will not appear on the other PE until the route-target import/export is configured.

For reference, R4's side of the iBGP peering, its VRF route targets and its redistribution:
R4(config)#router bgp 200
R4(config-router)#neighbor 1.1.1.1 remote-as 200
R4(config-router)#neighbor 1.1.1.1 update-source loopback 0

R4#sh ip vrf de
VRF A; default RD 500:5; default VPNID <not set>
  Interfaces:
    Se1/1
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:5:5
  Import VPN route-target communities
    RT:7:7
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured
VRF B; default RD 600:6; default VPNID <not set>
  Interfaces:
    Se1/2
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:6:6
  Import VPN route-target communities
    RT:8:8
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured

R4(config)#router bgp 200
R4(config-router)#address-family ipv4 vrf A
R4(config-router-af)#redistribute rip

R4(config)#router rip
R4(config-router)#address-family ipv4 vrf A
R4(config-router-af)#redistribute bgp 200 metric transparent

R5#sh ip route rip
     70.0.0.0/24 is subnetted, 3 subnets
R       70.2.2.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0
R       70.1.1.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0
R       70.0.0.0 [120/2] via 11.0.0.9, 00:00:12, Serial1/0
     11.0.0.0/30 is subnetted, 2 subnets
R       11.0.0.0 [120/1] via 11.0.0.9, 00:00:12, Serial1/0
