MPLS VPN


Hi All !

I have decided to make INE’s MPLS lab a bit smaller and easier to “read”, because in the end all we need to learn is how to connect two, three or 50 offices/sites together, and no matter how many you actually have to connect, in the real world and in a lab the principle is ALWAYS the same!

Of course, if you feel like you need a challenge, and for that you need a topology of over 10 – 15 routers, go for the FULL LAB and follow the series 🙂

So this is what we get (check out the original post and you’ll see what I’ve done):

[Image: mpls_vpn_screen]

As you can see, this is the short version of the FULL LAB: instead of 15 routers we only have 5, and trust me, we only need 5 in order to learn MPLS VPNs. I have also decided to keep IS-IS running in the provider’s network; however, go ahead and set up any IGP you fancy instead.

Connect all routers based on this file: NET_FILE

Copy and paste these initial configs: initial_configs

I have always understood the principle of MPLS VPNs, but it was not until about 5-6 months ago, after having spent countless hours troubleshooting and configuring the technology, that I became confident I can face it in the CCIE LAB and the real world!

The idea is to break it all down, and then it all becomes clear and easy! When you take a look at the examples below you will see that there’s not a lot to it. Of course, MPLS is not the easiest technology out there to understand and configure, but these basics will make all your nightmares disappear!

Using the topology provided above, go ahead and take a look at how to configure various protocols with MPLS VPN (I assume you already understand the basics of this technology, therefore I will not be explaining each configuration line).

CE_A2_REMOTE and CE_A1_HQ – customer routers.

PE2, P and PE3 – provider routers.

I have prepared all the configs below only for CE_A2_REMOTE and PE2; CE_A1_HQ and PE3 will of course have an almost exact mirror of these configs, with some tiny changes you should be able to spot right away.

We need to set up a very basic MPLS between the provider routers, and you will find it all in the provided initial config files.

====================================================================

STATIC ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
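! Customer VRF: the RD keeps the customer's prefixes unique inside VPNv4,
! the route-targets decide which VPNv4 routes this VRF exports and imports
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
! Put the CE-facing interface into the VRF (this removes any IP address
! already on the interface, so set the address afterwards)
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
! Static route inside the VRF, pointing at the CE
ip route vrf CUST_A2 203.2.0.0 255.255.255.0 150.1.31.6

STEP 4
! iBGP session to the other PE, sourced from Loopback0
router bgp 1
neighbor 192.168.3.3 remote-as 1
neighbor 192.168.3.3 update-source Loopback0
!
! VPNv4 carries the customer routes between PEs; the extended communities hold the route-targets
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
! Inject the VRF's connected and static routes into BGP for this VPN
address-family ipv4 vrf CUST_A2
redistribute connected
redistribute static
exit-address-family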

CUSTOMER ROUTERS

STEP 1
ip route 0.0.0.0 0.0.0.0 150.1.31.5

STEP 2
CE_A2_remote#ping 203.1.0.1 so 203.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

================================================================

RIP ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
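! RIP towards the CE runs in a per-VRF address family; routes learned from
! the other site over BGP are redistributed into it with a hop count of 2
router rip
version 2
no auto-summary
address-family ipv4 vrf CUST_A2
redistribute bgp 1001 metric 2
network 150.1.0.0
no auto-summary
exit-address-family

! iBGP session to the other PE, sourced from Loopback0
router bgp 1001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.3.3 remote-as 1001
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
! Advertise the routes learned from the CE via RIP into this VPN
address-family ipv4 vrf CUST_A2
redistribute rip
exit-address-family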

CUSTOMER ROUTERS

STEP 1
router rip
version 2
network 150.1.0.0
network 203.2.1.0
no auto-summary

STEP 2
CE_A2_remote#ping 203.1.1.1 so 203.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

================================================================

OSPF ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
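! A separate OSPF process bound to the VRF; "subnets" is needed so that
! classless prefixes coming from BGP are redistributed
router ospf 1 vrf CUST_A2
redistribute bgp 1001 subnets
network 150.1.32.1 0.0.0.0 area 0

! iBGP session to the other PE, sourced from Loopback0
router bgp 1001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.3.3 remote-as 1001
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
! Advertise the routes learned from the CE via OSPF into this VPN
address-family ipv4 vrf CUST_A2
redistribute ospf 1
exit-address-family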

CUSTOMER ROUTERS

STEP 1
router ospf 1
network 150.1.32.2 0.0.0.0 area 0
network 203.2.0.1 0.0.0.0 area 0

STEP 2
CE_A2_remote#ping 203.1.0.1 so 203.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

================================================================

EIGRP ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
! EIGRP towards the CE runs in a per-VRF address family
router eigrp 1
address-family ipv4 vrf CUST_A2
no auto-summary
! The autonomous-system command is necessary if PE and CE routers are not in the same AS
autonomous-system 100
redistribute bgp 1001 metric 1 1 1 1 1
network 150.1.32.0

! iBGP session to the other PE, sourced from Loopback0
router bgp 1001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.3.3 remote-as 1001
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
! Advertise the routes learned from the CE via EIGRP into this VPN
! (the VRF name must match the one defined in STEP 1)
address-family ipv4 vrf CUST_A2
redistribute eigrp 100
exit-address-family

CUSTOMER ROUTERS

STEP 1
router eigrp 100
network 150.1.32.0
network 203.2.0.0

STEP 2
CE_A2_remote#ping 203.1.0.1 so 203.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.2.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

================================================================

BGP ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
! Static route inside the VRF (the VRF name must match the one defined in STEP 1)
ip route vrf CUST_A2 203.2.1.0 255.255.255.0 150.1.32.2

STEP 4
! iBGP session to the other PE, sourced from Loopback0
router bgp 1001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.3.3 remote-as 1001
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
! eBGP session to the CE (AS 300) inside the VRF
address-family ipv4 vrf CUST_A2
redistribute static
neighbor 150.1.32.2 remote-as 300
neighbor 150.1.32.2 activate
exit-address-family

CUSTOMER ROUTERS

STEP 1
router bgp 300
neighbor 150.1.32.1 remote-as 1001

STEP 2
CE_A2_remote#ping 203.1.0.1 so 203.2.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.2.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

 

================================================

I must say that with BGP MPLS VPNs you can go really crazy: you can use allowas-in, as-override to avoid loops and many more commands, but like I mentioned before, this post is to show you that obtaining basic connectivity between two offices is not rocket science, and it seems that MPLS VPNs are actually really easy!

Now have a look and see how many steps repeat themselves on each device and how many you actually have to change! 🙂

Of course you can use different route targets, route distinguishers, loopbacks and networks, and when redistributing static or connected routes into BGP you can use ACLs and route-maps to filter, and so on, but the whole idea and the principle stay the same. All very easy!
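
Every step above hangs off the VRF name and its route-targets, and those two values are what keep one customer's routes out of another's table. The script below is an added example, not part of the original post or the INE lab: it flags VRF names that are referenced but never defined, and route-targets that one VRF imports from another. The sample config, including the hypothetical CUST_B, is constructed for illustration.

```python
import re
# Constructed PE config (not the lab's initial configs): CUST_A2 is defined but
# later referenced as CUST_A, and the hypothetical CUST_B imports CUST_A2's RT.
SAMPLE_PE_CONFIG = """\
ip vrf CUST_A2
 rd 1:1000
 route-target export 1:1000
 route-target import 1:1000
ip vrf CUST_B
 rd 1:2000
 route-target both 1:2000
 route-target import 1:1000
interface Ethernet0/0
 ip vrf forwarding CUST_A2
ip route vrf CUST_A 203.2.1.0 255.255.255.0 150.1.32.2
router bgp 1001
 address-family ipv4 vrf CUST_A
"""

def parse_vrfs(config):
    """Map each defined VRF to its imported and exported route-targets."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # accept indented and flat (pasted) configs alike
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif current is not None and (
                m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
        elif not line.startswith("rd "):
            current = None  # any other command ends the VRF definition
    return vrfs

def undefined_vrf_refs(config):
    """VRF names used by interfaces, routes or protocols but never defined."""
    refs = set(re.findall(r"\bvrf (?:forwarding )?(\S+)", config))
    return sorted(refs - set(parse_vrfs(config)))

def cross_vrf_imports(config):
    """(importer, route-target, exporter) wherever one VRF imports another's RT."""
    vrfs = parse_vrfs(config)
    return sorted((imp, rt, exp)
                  for imp, a in vrfs.items() for exp, b in vrfs.items() if imp != exp
                  for rt in a["import"] & b["export"])

if __name__ == "__main__":
    print(undefined_vrf_refs(SAMPLE_PE_CONFIG), cross_vrf_imports(SAMPLE_PE_CONFIG))
```

A cross-VRF import is not always a mistake (shared-services designs rely on it), so treat that list as something to review rather than an error.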

Now, when you feel confident, go ahead and build the FULL LAB, start your INE videos and practise more!

 

Enjoy !

Tom
