MPLS – VPN Configuration
Mitrabh Shukla, National IP Manager
Objectives
Upon completion of this chapter you will be able to:
• Describe MPLS VPN mechanisms
• Use the command line interface to configure a VPN
• Verify VPN functionality
For i nternal u
Agenda
What is a VPN?
How Do MPLS VPNs Work?
What Are Some Scaling Techniques?
How Do I Configure MPLS VPNs?
What is an MPLS VPN?
[Diagram: sites of VPN A, VPN B and VPN C attached to a shared provider backbone]
MPLS-VPN Terminology
[Diagram labels: VPN-aware network; provider network (AS100, AS200) with P router, PE router and border router; customer network with site and CE router; VPN A and VPN B, each with Site1 and Site2]
Agenda
What is a VPN?
How do MPLS VPNs Work?
• Control Plane
• Forwarding Plane
What Are Some MPLS VPN Scaling Techniques?
How Do I Configure MPLS VPNs?
What Makes MPLS VPNs Work?
[Diagram: CE routers of VPN A and VPN B sites (10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached to PE routers around a core of P routers; MP-iBGP sessions between the PEs]
Five keys to MPLS VPN functionality:
1. MPLS Forwarding
2. Separation of VPN Routes (VPN Routing and Forwarding Instances (VRF))
3. VPN Membership Selection (Route Target)
4. IP Address Overlap (Route Distinguisher)
5. VPN Route Distribution (MP-BGP for VPN-IPv4)
1. MPLS Forwarding
MPLS VPN Requirement: PE to PE Label Switched Path (LSP)
[Diagram: VRFs on PE1 and PE2; core routers P1 and P2 between them]
PE1's perspective: global routing table entries to reach
• PE2 -> next-hop: P1, label: 50
• P2 -> next-hop: P1, label: 65
• P1 -> next-hop: interface, label: pop
PE2's perspective: global routing table entries to reach
• PE1 -> next-hop: P2, label: 25
• P1 -> next-hop: P2, label: 35
• P2 -> next-hop: interface, label: pop
2. How Are VPN Routes Kept Separate?
VPN Routing and Forwarding Instances (VRF) provide the separation
VRF = Routing Table for VPN
[Diagram: Site-1 CE routers of VPN Yellow and VPN Green attached to one PE, which holds the VRFs and the global routing table; VPN backbone IGP (OSPF, IS-IS)]
VRF (VPN Routing and Forwarding): assigned a symbolic name
ip vrf green
MPLS VPN Routing Requirements
• Customer routers (CE-routers) have to run standard IP routing software
• Provider core routers (P-routers) have no VPN routes
• Provider edge routers (PE-routers) have to support MPLS VPN and Internet routing
MPLS VPN Routing (CE-Router Perspective)
[Diagram: CE-routers attached to a PE router of the MPLS VPN backbone]
• Customer routers run standard IP routing software and exchange routing updates with the PE-router
  • EBGP, OSPF, RIPv2, EIGRP or static routes are supported
• PE-router appears as another router in the customer's network
MPLS VPN Routing (PE-Router Perspective)
PE-routers:
• Exchange VPN routes with CE-routers via per-VPN routing protocols
• Exchange core routes with P-routers and PE-routers via core IGP
• Exchange VPNv4 routes with other PE-routers via multi-protocol IBGP sessions
MPLS VPN Support for Internet Routing
PE-routers can run standard IPv4 BGP in the global routing table
• Exchange Internet routes with other PE routers
• CE-routers do not participate in Internet routing
• P-routers do not need to participate in Internet routing
MPLS VPN End-to-End Routing Information Flow (1/3)
PE-routers receive IPv4 routing updates from CE-routers and install them in the appropriate Virtual Routing and Forwarding (VRF) table
MPLS VPN End-to-End Routing Information Flow (2/3)
PE-routers export VPN routes from VRF into MP-IBGP and propagate them as VPNv4 routes to other PE-routers
IBGP full mesh is needed between PE-routers
VRF CE Routing and Sharing
CE to PE Routing: EBGP, RIP, OSPF, Static
[Diagram: Site-1 CE routers of VPN Yellow and VPN Green attached to a PE on the VPN backbone IGP (OSPF, IS-IS); 1 interface attached to VRF]
Sharing
[Diagram: Site-1 and Site-2 CE routers of the same VPN (Green) attached to one PE on the VPN backbone IGP (OSPF, IS-IS)]
Multiple interfaces attached to VRF (Can NOT have multiple VRFs connected to 1 interface)
VRF and Multiple Routing Instances
[Diagram: PE to CE routing processes (BGP, EIGRP, RIP, Static, OSPF, OSPF), routing contexts, VRF routing tables, VRF forwarding tables]
• Routing processes support routing contexts (sub-processes within main process)
• Populate specific VPN routing table and FIBs (VRF)
• Separate OSPF process for each VRF
What are MPLS VPN Extranets?
[Diagram: VPN A, VPN B and VPN C overlapping across Site1 to Site5]
Belonging to more than one VRF
NOTE: A VRF is NOT a VPN
• The terms are sometimes used interchangeably, but they are NOT the same
• VRF is the routing table
• VPN is the collection of sites that can access that table
3. How is VPN Membership Determined?
VPN membership is based on filtering routes to be installed in VRF
• Route Target import/export filtering
Route Target (RT) is a BGP Extended Community
• Used to constrain distribution of routing information
• Identifier for VRFs that may receive set of routes tagged with given RT (route filtering)
Based on RFC 2547
What is a Route Target?
Route Target (RT) is a BGP Extended Community
• Used to constrain distribution of routing information
• Identifier for VRFs that may receive set of routes tagged with given RT (route filtering)
What is a Route Distinguisher?
Route Distinguisher:
• Converts non-unique IP addresses into unique VPN-IPv4 addresses
• Not used for constrained distribution of routing information (route filtering)
VPN-IPv4 addresses
• Must be globally unique
• Route Distinguisher (RD) + IP address
  – RDs are assigned by a service provider
4. How Can MPLS VPN Addresses Overlap?
[Diagram: CE routers of VPN A and VPN B sites (10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached to PE routers around a core of P routers; "Same Addresses" marks 10.1.0.0 appearing in both VPN A and VPN B]
Route Distinguisher provides the separation
What is a Route Distinguisher?
Route Distinguisher:
• Converts non-unique IP addresses into unique VPN-IPv4 addresses (overlapping private addresses)
• Not used for constrained distribution of routing information (route filtering)
VPN-IPv4 addresses
• Route Distinguisher (RD) 64 bits + IP address = 96 bits
  – RDs are assigned by a service provider
  – RDs should be globally unique
5. How are VPN Routes Distributed?
MP-iBGP (PE to PE) to carry VPN-IPv4 information
[Diagram: VPN yellow Site-1 (CE1) and Site-2 (CE2), with PE1, P1, P2 and PE2 between them]
Why MP-iBGP?
• BGP supports large numbers of routes
• BGP is multi-protocol and scales
• BGP does not require directly connected peers
• BGP optional, transitive attributes
What is in an MP-BGP VPNv4 Update?
MP-iBGP (PE to PE) to carry VPN-IPv4 information
[Diagram: PE1, P1, P2, PE2]
VPN-IPv4 update: RD1:Net1, Next-hop=PE1, SOO=Site1, RT=Yellow, Label=10
VPN-IPv4 update: RD2:Net1, Next-hop=PE1, SOO=Site1, RT=Green, Label=12
What is in an MP-BGP Update?
VPN-IPv4 address (96 bits)
• Route Distinguisher (RD) (64 bits)
• IPv4 address (32 bits)
Extended Community
• Route Target (RT) - required
• Site of Origin (SOO) - optional
  – (prevents routing loops in multihomed CE topologies)
Any other standard BGP attribute (Ex. VPN Labels)
A second label in the label stack
Why MP-iBGP?
[Diagram: MP-iBGP session between PE1 and PE2 across P1 and P2; VPN yellow Site-1 (CE1) and Site-2 (CE2)]
• BGP supports large numbers of routes
• BGP is multi-protocol and scales
• BGP does not require directly connected peers
• BGP has optional, transitive attributes
How Does the MPLS VPN Control Plane Work?
[Diagram: CE1, PE1, P1, P2, PE2, CE2; VPN B site 152.12.4.0/24 behind CE1; MPLS LSP foundation]
• BGP, OSPF, RIP: 152.12.4.0/24, NH=CE1
• VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE1, RT=1:1, VPN Label=(29)
• LDP Update: Next hop=PE1, Label=(imp-null)
• LDP Update: Next hop=P1, Label=(41)
• LDP Update: Next hop=P2, Label=(32)
• VPN-B VRF: import routes with route-target 1:1
• BGP, OSPF, RIP: 152.12.4.0/24, NH=PE2
How Does the MPLS VPN Forwarding Plane Work?
[Diagram: packet for 152.12.4.6 crossing CE2, PE2, P2, P1, PE1, CE1 toward the VPN B site 152.12.4.0/24; packet forwarding based on stack of labels (LSP/MPLS label, VPN label)]
• VRF lookup for 152.12.4.6: NH=PE1, VPN Label=(29)
• MPLS forwarding table (LFIB) lookup for NH=PE1
• 32 29 152.12.4.6 (at P2)
• Label swap
• 41 29 152.12.4.6 (at P1)
• Penultimate hop pop (removal of LSP label)
• 29 152.12.4.6 (at PE1)
• LFIB lookup for label 29 = vrf VPN B
• VRF lookup for 152.12.4.6: NH=CE1
Scaling MPLS-VPN: Route Reflectors
[Diagram: route reflectors and PEs carrying VPNs Green and Yellow]
• Use of Route Reflectors highly recommended
• Route Reflectors may be partitioned
  • Each RR stores routes for a set of VPNs
  • Thus, no BGP router needs to store ALL VPN information
• PEs will peer to RRs according to the VPNs they directly connect
MPLS-VPN Scaling: BGP Automatic Route Filtering (ARF)
[Diagram: PE with VRFs for VPNs yellow and green (import RT=yellow, import RT=green) receiving updates over MP-iBGP sessions]
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ
• Each VRF has an import and export policy configured
• Policies use route-target attribute (extended community)
• PE receives MP-iBGP updates for VPN-IPv4 routes
• If route-target is equal to any of the import values configured in the PE, the update is accepted
• Otherwise, it is silently discarded
MPLS-VPN Scaling: Route Refresh
[Diagram: PE with import RT=yellow and import RT=green; import RT=red is added]
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ
1. PE doesn't have red routes (previously filtered out)
2. PE issues a Route-Refresh to all neighbors in order to ask for re-transmit
3. Neighbors re-send updates and "red" route-target is now accepted
• Policy may change in the PE if VRF modifications are done
  • New VRFs, removal of VRFs
• However, the PE may not have stored routing information which becomes useful after a change
• PE requests a re-transmission of updates to neighbors
  • Route-Refresh
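The RD and route-target behaviour described on the preceding slides (96-bit VPN-IPv4 addresses, import filtering, and why a Route-Refresh is needed after a policy change), as an added Python example that is not part of the original deck. The RD/RT pairs 100:10/100:1 and 100:20/100:2 are the red and blue VRFs configured later in this deck; the third update, the green VRF, next hop PE2 and label 14 are constructed for illustration.

```python
import ipaddress
import struct

def encode_rd(rd):
    """Encode an 'ASN:number' RD in the 8-byte type-0 layout of RFC 4364."""
    asn, number = (int(part) for part in rd.split(":"))
    return struct.pack("!HHI", 0, asn, number)   # type, 2-byte ASN, 4-byte value

def vpnv4_address(rd, prefix):
    """RD (64 bits) + IPv4 address (32 bits) = 96-bit VPN-IPv4 address."""
    return encode_rd(rd) + ipaddress.IPv4Address(prefix).packed

class PE:
    """Receiving PE; import_policy maps VRF name -> import route-targets."""

    def __init__(self, import_policy):
        self.import_policy = {vrf: set(rts) for vrf, rts in import_policy.items()}
        self.bgp_vpnv4 = {}                      # keyed by 96-bit VPN-IPv4 address
        self.vrf_tables = {vrf: {} for vrf in import_policy}

    def receive(self, update):
        """Apply import filtering; return the VRFs that installed the route."""
        matched = [vrf for vrf, rts in self.import_policy.items()
                   if rts & set(update["rts"])]
        if not matched:
            return []                            # no import match: silently discarded
        self.bgp_vpnv4[vpnv4_address(update["rd"], update["prefix"])] = update
        for vrf in matched:
            self.vrf_tables[vrf][update["prefix"]] = (update["next_hop"], update["label"])
        return matched

    def add_vrf(self, vrf, rts):
        """Policy change: the new VRF stays empty until neighbors re-send."""
        self.import_policy[vrf] = set(rts)
        self.vrf_tables[vrf] = {}

# Constructed updates: the same customer prefix announced in three VPNs.
UPDATES = [
    {"rd": "100:10", "prefix": "10.1.0.0", "rts": ["100:1"], "next_hop": "PE2", "label": 10},
    {"rd": "100:20", "prefix": "10.1.0.0", "rts": ["100:2"], "next_hop": "PE2", "label": 12},
    {"rd": "100:30", "prefix": "10.1.0.0", "rts": ["100:3"], "next_hop": "PE2", "label": 14},
]

def demo():
    pe = PE({"red": ["100:1"], "blue": ["100:2"]})
    first_pass = [pe.receive(u) for u in UPDATES]
    pe.add_vrf("green", ["100:3"])               # new import policy on the PE
    before_refresh = dict(pe.vrf_tables["green"])
    second_pass = [pe.receive(u) for u in UPDATES]   # neighbors re-send after Route-Refresh
    return pe, first_pass, before_refresh, second_pass

if __name__ == "__main__":
    pe, first, before, second = demo()
    print(first, before, second, len(pe.bgp_vpnv4))
```

The overlapping 10.1.0.0 routes never collide in the BGP table because their RDs differ, while which VRF sees each route is decided only by the route-target match.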
MPLS VPN Packet Forwarding
VPN Packet Forwarding Across MPLS VPN Backbone
How will PE routers forward VPN packets across MPLS VPN backbone?
Just forward pure IP packets???
• P-routers do not have VPN routes, packet is dropped on IP lookup.
How about using MPLS for packet propagation across backbone?
VPN Packet Forwarding Across MPLS VPN Backbone
Label VPN packets with LDP label for egress PE-router, forward labeled packets across MPLS backbone??
• P-routers perform label switching, packet reaches egress PE-router.
• However, egress PE-router does not know which VRF to use for packet lookup—packet is dropped.
How about using a label stack?
VPN Packet Forwarding Across MPLS VPN Backbone
Label VPN packets with a label stack.
• Use LDP label for egress PE-router as the top label
• VPN label assigned by egress PE-router as the second label in the stack.
P-routers perform label switching, packet reaches egress PE-router.
Egress PE-router performs lookup on the VPN label and forwards the packet toward the CE-router.
VPN Packet Forwarding: Penultimate Hop Popping
• Penultimate hop popping on the LDP label can be performed on the last P-router
• Egress PE-router performs only label lookup on VPN label, resulting in faster and simpler label lookup
• IP lookup is performed only once—in ingress PE router
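The three forwarding options discussed above (pure IP, LDP label only, label stack with penultimate hop popping), as an added Python example that is not part of the original deck. It uses the labels from the control-plane slide (32, 41, imp-null, VPN label 29); the table layout and function names are assumptions made for the example.

```python
import ipaddress

# Tables built from the control-plane slide; layout and names are assumptions.
LDP_FROM_PE2 = {"PE1": (32, "P2")}            # label and next router toward PE1
LFIB = {                                      # in_label -> (action, value, next)
    "P2": {32: ("swap", 41, "P1")},
    "P1": {41: ("pop", None, "PE1")},         # imp-null from PE1: penultimate hop pop
    "PE1": {29: ("vrf", "VPN B", None)},      # VPN label assigned by egress PE1
}
VRF = {
    "PE2": {"VPN B": {"152.12.4.0/24": {"bgp_next_hop": "PE1", "vpn_label": 29}}},
    "PE1": {"VPN B": {"152.12.4.0/24": {"next_hop": "CE1"}}},
}

def lookup(table, dst):
    """Longest-prefix match of dst in a {prefix: entry} table."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in table if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    return table[max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)]

def forward(dst, mode="stack"):
    """mode: 'ip' (no labels), 'ldp' (LDP label only) or 'stack' (LDP + VPN label).

    Returns (trace, result); trace lists (router, label stack it sends on)."""
    route = lookup(VRF["PE2"]["VPN B"], dst)  # IP lookup in the ingress VRF
    if route is None:
        return [], "dropped at PE2: no route in VRF"
    top, router = LDP_FROM_PE2[route["bgp_next_hop"]]
    stack = []
    if mode in ("ldp", "stack"):
        stack.append(top)                     # top label: LDP label toward egress PE
    if mode == "stack":
        stack.append(route["vpn_label"])      # second label, learned via MP-BGP
    trace = [("PE2", list(stack))]
    while True:
        if not stack:                         # unlabelled packet in the backbone
            return trace, f"dropped at {router}: no VPN route or VRF context"
        action, value, nxt = LFIB[router][stack[0]]
        if action == "vrf":                   # egress PE: the label selects the VRF
            hop = lookup(VRF[router][value], dst)["next_hop"]
            trace.append((router, []))
            return trace, f"delivered to {hop}"
        if action == "swap":
            stack[0] = value
        else:                                 # pop
            stack.pop(0)
        trace.append((router, list(stack)))
        router = nxt

if __name__ == "__main__":
    for mode in ("ip", "ldp", "stack"):
        print(mode, *forward("152.12.4.6", mode))
```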
VPN Label Propagation
How will the ingress PE-router get the second label in the label stack from the egress PE-router?
Labels are propagated in MP-BGP VPNv4 routing updates.
Impacts of MPLS VPN Label Propagation
• The VPN label has to be assigned by the BGP next-hop
• BGP next-hop should not be changed in MP-IBGP update propagation
  • Do not use next-hop-self on confederation boundaries
• PE-router has to be BGP next-hop
  • Use next-hop-self on the PE-router
• Label has to be re-originated if the next-hop is changed
  • A new label is assigned every time the MP-BGP update crosses AS-boundary where the next-hop is changed
Impacts of MPLS VPN Packet Forwarding
• VPN label is only understood by egress PE-router
• End-to-end Label Switched Path is required between ingress and egress PE-router
• BGP next-hops shall not be announced as BGP routes
  • LDP labels are not assigned to BGP routes
• BGP next-hops announced in IGP shall not be summarized in the core network
  • Summarization breaks LSP
Agenda
What is a VPN?
How Do MPLS VPNs Work?
What Are Some Scaling Techniques?
How Do I Configure MPLS VPNs?
1. Configure VRFs
2. Associate interfaces with VRFs
3. Configure MP-iBGP routing
4. Configure CE to PE routing
5. Verify VPN operation
Configure VRF
ip vrf
 rd
 route-target export
 route-target import
• ip vrf: logical name of the VPN; use something that makes sense
• rd: number to uniquely id the prefix value; convention is ASN:xxxx
• route-target export: the extended community string you will SEND with your routes
• route-target import: the extended community string you will RECEIVE and put into your vrf
Configure VRF
[Diagram: PE with the CE of VPN red on E1/0 and the CE of VPN blue on E2/0]
Create the VRFs on the PE router (vrf symbolic name, case sensitive):
PE1(config)#ip vrf red
PE1(config)#ip vrf blue
Configure RD
[Diagram: PE with the CE of VPN red on E1/0 and the CE of VPN blue on E2/0]
Create the VRFs on the PE router (RD format: ASN:variable or IP:variable):
PE1(config)#ip vrf red
PE1(config-vrf)#rd 100:10
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
Configure Route Target
[Diagram: PE with the CE of VPN red on E1/0 and the CE of VPN blue on E2/0]
Create the VRFs on the PE router:
PE1(config)#ip vrf red
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
PE1(config-vrf)#route-target import 100:2
PE1(config-vrf)#route-target export 100:2
• RD to RT matching just makes it easy
• shortcut if import and export are the same
VRF Options
[Diagram: PE with the CE of VPN red on E1/0 and the CE of VPN blue on E2/0]
Create the VRFs on the PE router:
PE1(config)#ip vrf red
PE1(config-vrf)#description VPN for CE1
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config-vrf)#maximum routes 2000 warning-only
• description: online documentation
• maximum routes: protect your network and PE from saturation (scaling factor)
Associate PE interfaces to VRFs
[Diagram: PE with the CE of VPN red on E1/0 and the CE of VPN blue on E2/0]
Configure interfaces to belong to the VRF (match vrf symbolic name):
PE1(config)#interface ethernet 2/0
PE1(config-if)#ip vrf forwarding blue
PE1(config-if)#ip address 172.11.2.2 255.255.255.252
PE1(config)#interface ethernet 1/0
PE1(config-if)#ip vrf forwarding red
PE1(config-if)#ip address 172.11.2.2 255.255.255.252
Common VRF Configuration Gotcha
Configuring an interface to the VRF: IP address must be removed from global routing table
PE1(config)#interface ethernet 3/0
PE1(config-if)#ip vrf forwarding red
% Interface Ethernet1/0 IP address 10.131.31.245 removed due to enabling VRF red
PE1(config-if)#ip address 10.131.31.245 255.255.255.252
Also, can only assign 1 VRF to an interface
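One way to check a candidate PE change script for the mistakes this deck warns about (added example, not from the original deck and not a Cisco tool). The sample configuration is constructed from the deck's red/blue commands with three deliberate errors; parse and audit are hypothetical helper names.

```python
import re

# Constructed candidate change script with three deliberate mistakes.
SAMPLE = """\
ip vrf red
 rd 100:10
 route-target import 100:1
 route-target export 100:1
 maximum routes 2000 warning-only
ip vrf blue
 rd 100:20
 route-target import 100:2
 route-target export 100:2
interface Ethernet1/0
 ip vrf forwarding red
 ip address 172.11.2.2 255.255.255.252
interface Ethernet2/0
 ip address 172.11.2.2 255.255.255.252
 ip vrf forwarding blue
interface Ethernet3/0
 ip vrf forwarding Red
 ip address 10.131.31.245 255.255.255.252
"""

def parse(config):
    """Group indented sub-commands under their 'ip vrf' or 'interface' line."""
    blocks = {"vrf": {}, "interface": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = re.match(r"(ip vrf|interface) (\S.*)$", line)
        if header and not raw.startswith(" "):
            kind = "vrf" if header.group(1) == "ip vrf" else "interface"
            current = blocks[kind].setdefault(header.group(2), [])
        elif current is not None and raw.startswith(" "):
            current.append(line)
        else:
            current = None                      # some other top-level section
    return blocks

def audit(config):
    """Return findings for the VRF pitfalls named on the slides."""
    blocks, findings = parse(config), []
    for name, cmds in blocks["vrf"].items():
        for needed in ("rd ", "route-target import ", "route-target export ",
                       "maximum routes "):
            if not any(c.startswith(needed) for c in cmds):
                findings.append(f"vrf {name}: missing '{needed.strip()}'")
    for name, cmds in blocks["interface"].items():
        at = [i for i, c in enumerate(cmds) if c.startswith("ip vrf forwarding ")]
        if not at:
            continue
        if len(at) > 1:
            findings.append(f"{name}: more than one VRF on one interface")
        vrf = cmds[at[-1]].split()[-1]
        if vrf not in blocks["vrf"]:            # exact match: names are case sensitive
            findings.append(f"{name}: vrf '{vrf}' not defined (names are case sensitive)")
        if not any(c.startswith("ip address ") for c in cmds[at[-1] + 1:]):
            findings.append(f"{name}: no 'ip address' after 'ip vrf forwarding'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The ordering check matters for scripts that are pasted or pushed line by line: an address entered before `ip vrf forwarding` is removed when the VRF is enabled, leaving the interface without an address.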
Configure MP-BGP Peering between PEs
[Diagram: PE1 and PE2 joined by an MP-BGP session across the VPN backbone IGP]
Standard BGP configuration entries apply:
PE1(config)#router bgp 100
PE1(config-router)#neighbor 10.131.63.252 remote-as 100
PE1(config-router)#neighbor 10.131.63.252 desc MP-BGP to PE2
PE1(config-router)#neighbor 10.131.63.252 update-source Loopback0
Router config for VPNv4 prefixes:
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neighbor 10.131.63.252 activate
PE1(config-router-af)#neighbor 10.131.63.252 send-community extended
PE1(config-router-af)#exit-address-family
• activate: activate neighbor to advertise routes
• send-community extended: send extended community to id the VRF (default entry)
Configure VRF Routing Contexts
[Diagram: PE1 and PE2 joined by an MP-BGP session across the VPN backbone IGP]
PE1(config-router)#address-family ipv4 vrf red
PE1(config-router-af)#no auto-summary
PE1(config-router-af)#no synchronization
PE1(config-router-af)#exit-address-family
PE1(config-router)#address-family ipv4 vrf blue
PE1(config-router-af)#no auto-summary
PE1(config-router-af)#no synchronization
PE1(config-router-af)#exit-address-family
The VRF is now operational
The previous configuration creates the VRF and associated CEF and routing table
VRF Implementation Considerations
• Many commands are now VRF context sensitive
VPN routes are not yet present
The RD and import and export policies (RT) will be used to fill the VRF routing table with routes learned by the PE via MP-BGP
Example VRF Configuration
[Diagram: MPLS core in BGP AS100 / OSPF Area 0 with PE-A (lo0 200.200.0.11), P-A (lo0 200.200.0.1), P-B (lo0 200.200.0.2) and PE-B (lo0 200.200.0.12). Site A: CE-1A (VPN1) and CE-2A (VPN2), each with lo0 172.16.1.1/24 and s0/0 172.16.2.1/30, facing PE-A s1/0 and s1/1 (172.16.2.2/30). Site B: CE-1B (VPN1) and CE-2B (VPN2), each with lo0 172.17.1.1/24 and s0/0 172.17.2.1/30, facing PE-B s1/0 and s1/1 (172.17.2.2/30). VPN1 RD 100:1, VPN2 RD 100:2.]
PE-A(config)#ip vrf VPN1
PE-A(config-vrf)#rd 100:1
PE-A(config-vrf)#route-target export 100:10
PE-A(config-vrf)#route-target import 100:10
PE-A(config)#ip vrf VPN2
PE-A(config-vrf)#rd 100:2
PE-A(config-vrf)#route-target export 100:20
PE-A(config-vrf)#route-target import 100:20
Associate VRFs to Interfaces
For each interface participating in the VPN (match vrf-symbolic-name):
interface Serial1/0
 ip vrf forwarding VPN1
 ip address 172.16.2.2 255.255.255.252
Example VRF Interface Configuration
[Diagram: MPLS core in BGP AS100 / OSPF Area 0 with PE-A (lo0 200.200.0.11), P-A (lo0 200.200.0.1), P-B (lo0 200.200.0.2) and PE-B (lo0 200.200.0.12); CE-1A and CE-2A (172.16.x.x) on PE-A s1/0 and s1/1, CE-1B and CE-2B (172.17.x.x) on PE-B s1/0 and s1/1; VPN1 RD 100:1, VPN2 RD 100:2.]
PE-A(config)#interface Serial1/0
PE-A(config-if)#ip vrf forwarding VPN1
PE-A(config-if)#ip address 172.16.2.2 255.255.255.252
PE-A(config)#interface Serial1/1
PE-A(config-if)#ip vrf forwarding VPN2
PE-A(config-if)#ip address 172.16.2.2 255.255.255.252
Configure MP-BGP
! AS number
router bgp 100
 ! Router config for standard IP Version 4 address prefixes
 address-family ipv4 vrf VPN1
  no auto-summary
  no synchronization
 exit-address-family
 ! Router config for standard VPN Version 4 address prefixes
 address-family vpnv4
  ! activate: advertise routes
  ! send-community extended: extended community string to id the VRF
  neighbor 200.200.0.12 activate
  neighbor 200.200.0.12 send-community extended
  neighbor 200.200.0.13 activate
  neighbor 200.200.0.13 send-community extended
 exit-address-family
Example MP-BGP Configuration
[Diagram: MPLS core in BGP AS100 / OSPF Area 0 with PE-A (lo0 200.200.0.11), P-A (lo0 200.200.0.1), P-B (lo0 200.200.0.2) and PE-B (lo0 200.200.0.12); CE-1A and CE-2A (172.16.x.x) on PE-A s1/0 and s1/1, CE-1B and CE-2B (172.17.x.x) on PE-B s1/0 and s1/1; VPN1 RD 100:1, VPN2 RD 100:2.]
PE-A(config)#router bgp 100
PE-A(config-router)#no synchronization
PE-A(config-router)#no bgp default ipv4-unicast
PE-A(config-router)#bgp log-neighbor-changes
PE-A(config-router)#neighbor 200.200.0.12 remote-as 100
PE-A(config-router)#neighbor 200.200.0.12 update-source Loopback0
PE-A(config-router)#no auto-summary
PE-A(config-router)#address-family ipv4 vrf VPN1
PE-A(config-router-af)#no auto-summary
PE-A(config-router-af)#no synchronization
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family ipv4 vrf VPN2
PE-A(config-router-af)#no auto-summary
PE-A(config-router-af)#no synchronization
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family vpnv4
PE-A(config-router-af)#neighbor 200.200.0.12 activate
PE-A(config-router-af)#neighbor 200.200.0.12 send-community extended
PE-A(config-router-af)#exit-address-family
Configure Route Advertisements
Define static routes at CE and PE
CE config:
ip route 0.0.0.0 0.0.0.0 172.16.2.2
PE config:
ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1
Define BGP routes at PE
router bgp 100
 address-family ipv4 vrf VPN1
  network 172.16.1.0 mask 255.255.255.0
  network 172.16.2.0 mask 255.255.255.252
 exit-address-family
Example Routing Configuration
[Diagram: MPLS core in BGP AS100 / OSPF Area 0 with PE-A (lo0 200.200.0.11), P-A (lo0 200.200.0.1), P-B (lo0 200.200.0.2) and PE-B (lo0 200.200.0.12); CE-1A and CE-2A (172.16.x.x) on PE-A s1/0 and s1/1, CE-1B and CE-2B (172.17.x.x) on PE-B s1/0 and s1/1; VPN1 RD 100:1, VPN2 RD 100:2.]
CE-1A(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
PE-A(config)#ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
PE-A(config)#ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1
PE-A(config)#router bgp 100
PE-A(config-router)#address-family ipv4 vrf VPN1
PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family ipv4 vrf VPN2
PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
PE-A(config-router-af)#exit-address-family
MPLS VPN Verification Steps
Verify the VRFs
• show ip vrf [{detail|interfaces}]
Verify routing information
• show ip route vrf [detail] [vrf-name] [interfaces]
• show ip bgp neighbors
• show ip bgp vpnv4 all
• show ip bgp vpnv4 vrf VRF-name
• show ip bgp vpnv4 vrf VRF-name [ip-address]
Verify labels
• show ip bgp vpnv4 all [labels/tags]
• show ip cef vrf [detail]
Ping, Traceroute, Telnet Caveats
• Ping and Traceroute in MPLS VPN network only succeed if end-to-end path is successful
• Good verification if successful but NOT for troubleshooting
Ping/Traceroute command syntax
• traceroute VRF [vrf-name] ip-address
• ping VRF [vrf-name] ip-address
Telnet command syntax
• telnet ip-address / vrf [vrf-name]