MPLS VPN


Hi All !

I have decided to make INE’s MPLS LAB a bit smaller and easier to “read”, because in the end all we need to learn is how to connect two, three or 50 offices/sites together, and no matter how many you actually have to connect, in the real world and in a lab the principle is ALWAYS the same!

Of course, if you feel like you need a challenge and want a topology of more than 10 – 15 routers, go for the FULL LAB and follow the series 🙂

So this is what we get (check out the original post and you’ll see what I’ve done):

[Image: mpls_vpn_screen]

As you can see, this is the short version of the FULL LAB: instead of 15 routers we only have 5, and trust me, we only need 5 in order to learn MPLS VPNs. I have also decided to keep ISIS running in the provider's network, but go ahead and set up any IGP you fancy instead.

Connect all routers based on this file : NET_FILE

Copy and paste these initial configs : initial_configs

I have always understood the principle of MPLS VPNs, but it was only about 5-6 months ago, after having spent countless hours troubleshooting and configuring the technology, that I became confident I can face it in the CCIE LAB and the real world!

The idea is to break it all down, and then it all becomes clear and easy! When you take a look at the examples below you will see that there’s not a lot to it. Of course MPLS is not the easiest technology out there to understand and configure, but these basics will make all your nightmares disappear!

Using the topology provided above, go ahead and take a look at how to configure various protocols with MPLS VPN (I assume you already understand the basics of this technology, so I will not be explaining each configuration line).

CE_A2_REMOTE and CE_A1_HQ – customer routers.

PE2, P and PE3 – provider routers.

I have prepared all the configs below only for CE_A2_REMOTE and PE2. CE_A1_HQ and PE3 will have an almost exact mirror of these configs, with some tiny changes you should be able to spot right away.

We need to set up a very basic MPLS between the provider routers, and you will find it all in the provided initial config files.

====================================================================

STATIC ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
ip route vrf CUST_A2 203.2.0.0 255.255.255.0 150.1.31.6

STEP 4
router bgp 1
neighbor 192.168.3.3 remote-as 1
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST_A2
redistribute connected
redistribute static
exit-address-family

CUSTOMER ROUTERS

STEP 1
ip route 0.0.0.0 0.0.0.0 150.1.31.5

STEP 2
CE_A2_remote#ping 203.1.0.1 so 203.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

================================================================

RIP ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
router rip
version 2
no auto-summary
address-family ipv4 vrf CUST_A2
redistribute bgp 1001 metric 2
network 150.1.0.0
no auto-summary
exit-address-family

router bgp 1001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.3.3 remote-as 1001
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST_A2
redistribute rip
exit-address-family

CUSTOMER ROUTERS

STEP 1
router rip
version 2
network 150.1.0.0
network 203.2.1.0
no auto-summary

STEP 2
CE_A2_remote#ping 203.1.1.1 so 203.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

================================================================

OSPF ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
router ospf 1 vrf CUST_A2
redistribute bgp 1001 subnets
network 150.1.32.1 0.0.0.0 area 0

router bgp 1001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.3.3 remote-as 1001
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST_A2
redistribute ospf 1
exit-address-family

CUSTOMER ROUTERS

STEP 1
router ospf 1
network 150.1.32.2 0.0.0.0 area 0
network 203.2.0.1 0.0.0.0 area 0

STEP 2
CE_A2_remote#ping 203.1.0.1 so 203.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

================================================================

EIGRP ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
router eigrp 1
address-family ipv4 vrf CUST_A2
no auto-summary
! THIS COMMAND IS NECESSARY IF PE AND CE ROUTERS ARE NOT IN THE SAME AS
autonomous-system 100
redistribute bgp 1001 metric 1 1 1 1 1
network 150.1.32.0

router bgp 1001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.3.3 remote-as 1001
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST_A2
redistribute eigrp 100
exit-address-family

CUSTOMER ROUTERS

STEP 1
router eigrp 100
network 150.1.32.0
network 203.2.0.0

STEP 2
CE_A2_remote#ping 203.1.0.1 so 203.2.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.2.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

================================================================

BGP ROUTING IN MPLS VPN

PROVIDER ROUTERS – PE ONLY

STEP 1
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000

STEP 2
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip address 150.1.31.5 255.255.255.252

STEP 3
ip route vrf CUST_A2 203.2.1.0 255.255.255.0 150.1.32.2

STEP 4
router bgp 1001
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.3.3 remote-as 1001
neighbor 192.168.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 192.168.3.3 activate
neighbor 192.168.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST_A2
redistribute static
neighbor 150.1.32.2 remote-as 300
neighbor 150.1.32.2 activate
exit-address-family

CUSTOMER ROUTERS

STEP 1
router bgp 300
neighbor 150.1.32.1 remote-as 1001

STEP 2
CE_A2_remote#ping 203.1.0.1 so 203.2.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.2.0.1, timeout is 2 seconds:
Packet sent with a source address of 203.1.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18/18/19 ms

 

================================================

I must say that with BGP MPLS VPNs you can go really crazy, using allowas-in, as-override to avoid loops and many more commands, but as I mentioned before, this post is to show you that obtaining basic connectivity between two offices is not rocket science, and it seems MPLS VPNs are actually really easy!

Now have a look and see how many steps repeat on each device and how many you actually have to change! 🙂

Of course you can use different route targets, route distinguishers, loopbacks and networks, and when redistributing static or connected routes into BGP you can use ACLs or route-maps to filter, and so on, but the whole idea and the principle stay the same. All very easy!
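As an added example (not part of the original post or the INE lab files), here is a small Python check for the two mistakes that are easiest to make when copying these steps between sections: a command that names a VRF which `ip vrf` never defined, and a VRF that imports a route target exported by a different VRF, which merges the two customers' routing tables. The sample config is constructed, and CUST_B and 1:2000 are made-up values.

```python
import re

# Constructed PE config in the style of this post (CUST_B and 1:2000 are made up):
# the static route names an undefined VRF, and CUST_B imports CUST_A2's RT.
SAMPLE_PE = """\
ip vrf CUST_A2
rd 1:1000
route-target export 1:1000
route-target import 1:1000
ip vrf CUST_B
rd 1:2000
route-target export 1:2000
route-target import 1:2000
route-target import 1:1000
interface Ethernet0/0
ip vrf forwarding CUST_A2
ip route vrf CUST_A 203.2.1.0 255.255.255.0 150.1.32.2
"""

DEFINE = re.compile(r"ip vrf (\S+)$")
RT = re.compile(r"route-target (export|import) (\S+)$")
USE = re.compile(r"(?:ip vrf forwarding|ip route vrf|address-family ipv4 vrf"
                 r"|router ospf \d+ vrf) (\S+)")

def parse(config):
    """Return ({vrf: {"export": set, "import": set}}, [(line_no, vrf_used)])."""
    vrfs, uses, current = {}, [], None
    for n, line in enumerate(map(str.strip, config.splitlines()), 1):
        if m := DEFINE.match(line):
            current = m.group(1)  # flat listing: RT lines belong to the latest VRF
            vrfs[current] = {"export": set(), "import": set()}
        elif (m := RT.match(line)) and current:
            vrfs[current][m.group(1)].add(m.group(2))
        elif m := USE.match(line):
            uses.append((n, m.group(1)))
    return vrfs, uses

def audit(config):
    """List undefined VRF references and imports of another VRF's route target."""
    vrfs, uses = parse(config)
    findings = [f"line {n}: undefined VRF {v}" for n, v in uses if v not in vrfs]
    for name, rts in vrfs.items():
        for rt in sorted(rts["import"]):
            leaks = sorted(o for o, r in vrfs.items() if o != name and rt in r["export"])
            if leaks:
                findings.append(f"VRF {name} imports RT {rt} exported by {', '.join(leaks)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PE)))
```

A route target shared between differently named VRFs can be a deliberate extranet design, so treat the second finding as something to confirm rather than an automatic error.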

Now, when you feel confident, go ahead and build the FULL LAB, start your INE videos and practise more!

 

Enjoy !

Tom


About ccie4all
Hello, and welcome to the first post of my CCIE blog. This blog has got one simple goal, and that is to improve our skills in the Cisco Networking field so we can become the best engineers on the job market. Wordpress Blog https://ccie4all.wordpress.com/ information about the changes made to Gns3 BGP, MPLS and R&S CCIE labs. In order to access and download all provided materials and receive important updates from Gns3 BGP, MPLS and R&S CCIE labs under the GNS3 tab in the main header, please go ahead and subscribe to https://ccie4all.wordpress.com/! All other posts have not been affected and can be accessed at any given time. Enjoy! Tom

2 Responses to MPLS VPN

  1. sudeepgoyal says:

    Hi Tom. I am a beginner and your post was helpful with MPLS VPN configuration. I also wrote a post on Mpls Basics

    • ccie4all says:

      Hello Sudeepgoyal,

      Awesome! Really good, thorough explanation, great post!

      MPLS in the end is not that bad 🙂

      Best
      Tom
