Today we're going to look at the configuration required to create a basic MPLS VPN servicing two customers, each with a presence at two physical sites. If you're unfamiliar with the concepts of MPLS switching and VRFs on Cisco IOS, you may want to check out a few of my past articles before continuing:
Our lab topology looks like this:
As a review, recall that
- P (provider) routers are ISP core routers which don't connect to customer routers and typically run only MPLS
- PE (provider edge) routers connect to customer sites and form the edge of a VPN
- CE (customer edge) routers exist at the edge of a customer site; they have no VPN awareness
- an IGP running among all P and PE routers is used to support LDP and BGP adjacencies within the provider network
- MP-BGP is run only among PE routers
- an IGP (typically) is run between each CE router and its upstream PE router
In our lab, OSPF is already in operation as the provider network IGP. OSPF processes have also been preconfigured on the CE routers; however, these OSPF topologies will remain separate from the provider OSPF.
There are five core tasks we need to accomplish to get an MPLS VPN up and running:
- Enable MPLS on the provider backbone.
- Create VRFs and assign routed interfaces to them.
- Configure MP-BGP between the PE routers.
- Configure OSPF between each PE router and its attached CE routers.
- Enable route redistribution between the customer sites and the backbone.
Enable MPLS
First we need to enable MPLS on all P-P and P-PE links with the mpls ip interface command. MPLS is notenabled on any CE-facing interfaces; CE routers do not run MPLS, just plain IP routing. LDP is enabled automatically as the default label distribution protocol (versus Cisco's legacy TDP). LDP typically runs between loopback addresses not directly reachable by LDP peers, which is why it's important to configure an IGP in the core before enabling MPLS.
We can verify the configuration of MPLS interfaces with show mpls interfaces.
P1(config)# interface f0/1
P1(config-if)# mpls ip
P1(config-if)# interface f1/0
P1(config-if)# mpls ip
P1(config-if)# do show mpls interfaces
Interface IP Tunnel Operational
FastEthernet0/1 Yes (ldp) No Yes
FastEthernet1/0 Yes (ldp) No Yes
P2(config)# interface f0/1
P2(config-if)# mpls ip
P2(config-if)# interface f1/0
P2(config-if)# mpls ip
PE1(config)# interface f1/0
PE1(config-if)# mpls ip
PE2(config)# interface f1/0
PE2(config-if)# mpls ip
LDP adjacencies can be verified with the command show mpls ldp neighbor:
P1# show mpls ldp neighbor
Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
TCP connection: 10.0.0.2.45114 - 10.0.0.1.646
State: Oper; Msgs sent/rcvd: 12/13; Downstream
Up time: 00:02:43
LDP discovery sources:
FastEthernet0/1, Src IP addr: 10.0.9.2
Addresses bound to peer LDP Ident:
10.0.9.2 10.0.9.9 10.0.0.2
Peer LDP Ident: 10.0.0.3:0; Local LDP Ident 10.0.0.1:0
TCP connection: 10.0.0.3.20327 - 10.0.0.1.646
State: Oper; Msgs sent/rcvd: 12/12; Downstream
Up time: 00:02:25
LDP discovery sources:
FastEthernet1/0, Src IP addr: 10.0.9.6
Addresses bound to peer LDP Ident:
10.0.9.6 10.0.0.3
Create and Assign VRFs
Our next step is to create customer VRFs on our PE routers and assign the customer-facing interfaces to them. We need to assign each VRF a route distinguisher (RD) to uniquely identify prefixes as belonging to that VRF and one or more route targets (RTs) to specify how routes should be imported to and exported from the VRF.
We'll use a route distinguisher for each VRF in the form of <ASN>:<customer number>. For simplicity, we'll reuse the same value as both an import and export route target within each VRF (though we are free to choose a different or additional route targets if we prefer). VRF configuration must be performed on both PE routers.
PE1(config)# ip vrf Customer_A
PE1(config-vrf)# rd 65000:1
PE1(config-vrf)# route-target both 65000:1
PE1(config-vrf)# ip vrf Customer_B
PE1(config-vrf)# rd 65000:2
PE1(config-vrf)# route-target both 65000:2
PE2(config)# ip vrf Customer_A
PE2(config-vrf)# rd 65000:1
PE2(config-vrf)# route-target both 65000:1
PE2(config-vrf)# ip vrf Customer_B
PE2(config-vrf)# rd 65000:2
PE2(config-vrf)# route-target both 65000:2
The command route-target both is used as a shortcut for the two commands route-target import androute-target export, which appear separately in the running configuration.
Now we need to assign the appropriate interfaces to each VRF and reapply their IP addresses. (Assigning an interface to a VRF automatically wipes it of any configured IP addresses. Your version of IOS may or may not inform you of this when it happens.) The command show ip vrf interfaces can be used to verify interface VRF assignment and addressing.
PE1(config)# interface f0/0
PE1(config-if)# ip vrf forwarding Customer_A
% Interface FastEthernet0/0 IP address 10.0.1.1 removed due to enabling VRF Customer_A
PE1(config-if)# ip address 10.0.1.1 255.255.255.252
PE1(config-if)# interface f0/1
PE1(config-if)# ip vrf forwarding Customer_B
% Interface FastEthernet0/1 IP address 10.0.1.5 removed due to enabling VRF Customer_B
PE1(config-if)# ip address 10.0.1.5 255.255.255.252
PE1(config-if)# ^Z
PE1# show ip vrf interfaces
Interface IP-Address VRF Protocol
Fa0/0 10.0.1.1 Customer_A up
Fa0/1 10.0.1.5 Customer_B up
PE2(config)# interface f0/0
PE2(config-if)# ip vrf forwarding Customer_A
% Interface FastEthernet0/0 IP address 10.0.2.1 removed due to enabling VRF Customer_A
PE2(config-if)# ip address 10.0.2.1 255.255.255.252
PE2(config-if)# interface f0/1
PE2(config-if)# ip vrf forwarding Customer_B
% Interface FastEthernet0/1 IP address 10.0.2.5 removed due to enabling VRF Customer_B
PE2(config-if)# ip address 10.0.2.5 255.255.255.252
PE2(config-if)# ^Z
PE2# show ip vrf interfaces
Interface IP-Address VRF Protocol
Fa0/0 10.0.2.1 Customer_A up
Fa0/1 10.0.2.5 Customer_B up
This is where things start to get interesting. In order to advertise VRF routes from one PE router to the other, we must configure multiprotocol BGP (MP-BGP). MP-BGP is a little different from legacy BGP in that it supports multiple address families (e.g. IPv4 and IPv6) over a common BGP adjacency. It also supports the advertisement of VPN routes, which are longer than normal routes due to the addition of a 64-bit route distinguisher (which we assigned under VRF configuration).
MP-BGP runs only on the PE routers: P routers rely entirely on the provider IGP and MPLS to forward traffic through the provider network, and CE routers have no knowledge of routes outside their own VRF.
Minimal MP-BGP configuration is pretty straightforward. Both PE routers exist in BGP AS 65000.
PE1(config)# router bgp 65000
PE1(config-router)# neighbor 10.0.0.4 remote-as 65000
PE1(config-router)# neighbor 10.0.0.4 update-source loopback 0
PE1(config-router)# address-family vpnv4
PE1(config-router-af)# neighbor 10.0.0.4 activate
PE2(config)# router bgp 65000
PE2(config-router)# neighbor 10.0.0.3 remote-as 65000
PE2(config-router)# neighbor 10.0.0.3 update-source loopback 0
PE2(config-router)# address-family vpnv4
PE2(config-router-af)# neighbor 10.0.0.3 activate
If we look at the running configuration of the BGP process on either PE router, we notice that a bit more configuration than we provided has appeared:
PE1# show running-config | section router bgp
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 10.0.0.4 remote-as 65000
neighbor 10.0.0.4 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 10.0.0.4 activate
neighbor 10.0.0.4 send-community extended
exit-address-family
!
address-family ipv4 vrf Customer_B
no synchronization
exit-address-family
!
address-family ipv4 vrf Customer_A
no synchronization
exit-address-family
In addition to our VPNv4 address family, address families for the two customer VRFs have been created automatically. Also, support for extended community strings has been added to the VPNv4 neighbor configuration.
Verify that the MP-BGP adjacency between PE1 and PE2 was formed successfully with the commandshow bgp vpnv4 unicast all summary:
PE1# show bgp vpnv4 unicast all summary
BGP router identifier 10.0.0.3, local AS number 65000
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.0.0.4 4 65000 12 12 1 0 0 00:06:05 0
Currently, there are no routes in the BGP table, because we have not specified anything to be advertised or redistributed, but we'll get to that after this next step.
We just configured MP-BGP between the two PE routers. Now, let's configure an IGP between each PE router and its attached CE routers to exchange routes with the customer sites. We're going to use OSPF for this lab, but we could just as easily use another IGP like EIGRP or RIP.
Single-area OSPF has already been configured on the CE routers; all CE interfaces are in area 0. Remember that although we're using OSPF between each of the CE routers and its upstream PE router, these OSPF processes are isolated from the provider OSPF topology. The overall routing topology will look like this:
The provider OSPF process has already been configured on the PE routers as process 1. We'll configure anadditional OSPF process for each CE router on each PE router. Each PE router will then have three OSPF processes total: one for the provider network, and one for each CE router. Whereas the provider OSPF process exists in the global routing table, the two CE processes will each be assigned to their respective customer VRFs.
PE1(config)# router ospf 2 vrf Customer_A
PE1(config-router)# router-id 10.0.1.1
PE1(config-router)# interface f0/0
PE1(config-if)# ip ospf 2 area 0
PE1(config-if)# router ospf 3 vrf Customer_B
PE1(config-router)# router-id 10.0.1.5
PE1(config-router)# interface f0/1
PE1(config-if)# ip ospf 3 area 0
PE2(config)# router ospf 2 vrf Customer_A
PE2(config-router)# router-id 10.0.2.1
PE2(config-router)# interface f0/0
PE2(config-if)# ip ospf 2 area 0
PE2(config-if)# router ospf 3 vrf Customer_B
PE2(config-router)# router-id 10.0.2.5
PE2(config-router)# interface f0/1
PE2(config-if)# ip ospf 3 area 0
We should see each PE router form an OSPF adjacency with both of its attached CE routers, and the customer routes should appear in the VRF tables on the PE routers.
PE1# show ip route vrf Customer_A
Routing Table: Customer_A
...
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
O 172.16.1.0/24 [110/11] via 10.0.1.2, 00:04:21, FastEthernet0/0
O 172.16.0.1/32 [110/11] via 10.0.1.2, 00:04:21, FastEthernet0/0
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.1.0 is directly connected, FastEthernet0/0
PE1# show ip route vrf Customer_B
Routing Table: Customer_B
...
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
O 172.17.1.0/24 [110/11] via 10.0.1.6, 00:03:03, FastEthernet0/1
O 172.17.0.1/32 [110/11] via 10.0.1.6, 00:03:04, FastEthernet0/1
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.1.4 is directly connected, FastEthernet0/1
We're almost done! We have our MPLS and MP-BGP backbone up and running, and our CE routers are sending routes to our PE routers within their VRFs. The last step is to glue everything together by turning on route redistribution from the customer-side OSPF processes into MP-BGP and vice versa on the PE routers.
First we'll configure redistribution of CE routes in each VRF into MP-BGP. This is done under the BGP IPv4 address family for each VRF.
PE1(config)# router bgp 65000
PE1(config-router)# address-family ipv4 vrf Customer_A
PE1(config-router-af)# redistribute ospf 2
PE1(config-router-af)# address-family ipv4 vrf Customer_B
PE1(config-router-af)# redistribute ospf 3
PE2(config)# router bgp 65000
PE2(config-router)# address-family ipv4 vrf Customer_A
PE2(config-router-af)# redistribute ospf 2
PE2(config-router-af)# address-family ipv4 vrf Customer_B
PE2(config-router-af)# redistribute ospf 3
This enables redistribution of OSPF routes into BGP for transport across the provider network between the two sites. We can verify that the routes learned from the customer sites (the 172.16.0.0/16 and 172.17.0.0/16 networks) now appear in the BGP tables for their respective VRFs.
PE1# show ip bgp vpnv4 vrf Customer_A
...
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf Customer_A)
*> 10.0.1.0/30 0.0.0.0 0 32768 ?
*>i10.0.2.0/30 10.0.0.4 0 100 0 ?
*> 172.16.0.1/32 10.0.1.2 11 32768 ?
*>i172.16.0.2/32 10.0.0.4 11 100 0 ?
*> 172.16.1.0/24 10.0.1.2 11 32768 ?
*>i172.16.2.0/24 10.0.0.4 11 100 0 ?
PE1# show ip bgp vpnv4 vrf Customer_B
...
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65000:2 (default for vrf Customer_B)
*> 10.0.1.4/30 0.0.0.0 0 32768 ?
*>i10.0.2.4/30 10.0.0.4 0 100 0 ?
*> 172.17.0.1/32 10.0.1.6 11 32768 ?
*>i172.17.0.2/32 10.0.0.4 11 100 0 ?
*> 172.17.1.0/24 10.0.1.6 11 32768 ?
*>i172.17.2.0/24 10.0.0.4 11 100 0 ?
The last step is to complete the redistribution in the opposite direction: from BGP into the customer OSPF processes. If you're accustomed to route redistribution, there's nothing new here. (We don't have to specify any VRF information in the redistribution statement because each customer OSPF process is already assigned to a VRF.)
PE1(config)# router ospf 2
PE1(config-router)# redistribute bgp 65000 subnets
PE1(config-router)# router ospf 3
PE1(config-router)# redistribute bgp 65000 subnets
PE2(config)# router ospf 2
PE2(config-router)# redistribute bgp 65000 subnets
PE2(config-router)# router ospf 3
PE2(config-router)# redistribute bgp 65000 subnets
Testing and Confirmation
If has gone well, we should now have end-to-end connectivity between the CE routers within each VRF. Both routers for each customer should now have complete routing tables. Here are customer A's routes:
CE1A# show ip route
...
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Loopback1
C 172.16.0.1/32 is directly connected, Loopback0
O IA 172.16.2.0/24 [110/21] via 10.0.1.1, 00:03:50, FastEthernet0/0
O IA 172.16.0.2/32 [110/21] via 10.0.1.1, 00:03:50, FastEthernet0/0
10.0.0.0/30 is subnetted, 2 subnets
O IA 10.0.2.0 [110/11] via 10.0.1.1, 00:03:50, FastEthernet0/0
C 10.0.1.0 is directly connected, FastEthernet0/0
CE2A# show ip route
...
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA 172.16.1.0/24 [110/21] via 10.0.2.1, 00:02:49, FastEthernet0/0
O IA 172.16.0.1/32 [110/21] via 10.0.2.1, 00:02:49, FastEthernet0/0
C 172.16.2.0/24 is directly connected, Loopback1
C 172.16.0.2/32 is directly connected, Loopback0
10.0.0.0/30 is subnetted, 2 subnets
C 10.0.2.0 is directly connected, FastEthernet0/0
O IA 10.0.1.0 [110/11] via 10.0.2.1, 00:02:49, FastEthernet0/0
You may notice that OSPF routes sent between two sites belonging to the same customer appear as inter-area routes. Remember that although OSPF area 0 is being used at both sites, each site exists as a separate link-state topology connected by the MPLS VPN.
We should be able to ping from one CE router to the other. (Remember that we don't need to specify a VRF when doing so because CE routers have no knowledge that they're in a VRF.)
CE1A# ping 172.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/32 ms
We can perform a traceroute to verify the path taken as well as the MPLS labels used to traverse the provider network.
CE1A# traceroute 172.16.0.2
Type escape sequence to abort.
Tracing the route to 172.16.0.2
1 10.0.1.1 4 msec 4 msec 8 msec
2 10.0.9.5 [MPLS: Labels 19/22 Exp 0] 16 msec 12 msec 24 msec
3 10.0.9.2 [MPLS: Labels 19/22 Exp 0] 24 msec 20 msec 16 msec
4 10.0.2.1 [MPLS: Label 22 Exp 0] 20 msec 16 msec 24 msec
5 10.0.2.2 16 msec * 36 msec
