Configuring a Basic MPLS PE Router

Problem

You want to configure a Provider Edge (PE) router to connect your MPLS core to a customer network.

Solution

To configure a PE router, you must set up connections to the MPLS core as well as to one or more customer networks. Further, to distribute customer VRF routing information to other PE routers, you must configure MP-BGP:

Router-PE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-PE1(config)#ip cef
Router-PE1(config)#mpls ip
Router-PE1(config)#interface Serial0/0
Router-PE1(config-if)#description Connection to Router-P1
Router-PE1(config-if)#ip address 10.1.1.13 255.255.255.252
Router-PE1(config-if)#mpls ip
Router-PE1(config-if)#exit
Router-PE1(config)#interface Loopback0
Router-PE1(config-if)#ip address 10.0.0.2 255.255.255.255
Router-PE1(config-if)#exit
Router-PE1(config)#router ospf 99
Router-PE1(config-router)#router-id 10.0.0.2
Router-PE1(config-router)#network 10.0.0.0 0.255.255.255 area 0
Router-PE1(config-router)#exit
Router-PE1(config)#ip vrf NetworkA
Router-PE1(config-vrf)#rd 100:1
Router-PE1(config-vrf)#route-target export 100:1
Router-PE1(config-vrf)#route-target import 100:1
Router-PE1(config-vrf)#exit
Router-PE1(config)#ip vrf NetworkB
Router-PE1(config-vrf)#rd 100:2
Router-PE1(config-vrf)#route-target export 100:2
Router-PE1(config-vrf)#route-target import 100:2
Router-PE1(config-vrf)#exit
Router-PE1(config)#interface Ethernet0/0
Router-PE1(config-if)#description connection to customer A, site 1
Router-PE1(config-if)#ip vrf forwarding NetworkA
Router-PE1(config-if)#ip address 192.168.1.1 255.255.255.0
Router-PE1(config-if)#exit
Router-PE1(config)#interface Ethernet0/1
Router-PE1(config-if)#description connection to customer B, site 1
Router-PE1(config-if)#ip vrf forwarding NetworkB
Router-PE1(config-if)#ip address 192.168.11.1 255.255.255.0
Router-PE1(config-if)#exit
Router-PE1(config)#router bgp 100
Router-PE1(config-router)#bgp log-neighbor-changes
Router-PE1(config-router)#neighbor 10.0.0.3 remote-as 100
Router-PE1(config-router)#neighbor 10.0.0.3 update-source Loopback0
Router-PE1(config-router)#neighbor 10.0.0.4 remote-as 100
Router-PE1(config-router)#neighbor 10.0.0.4 update-source Loopback0
Router-PE1(config-router)#address-family ipv4 vrf NetworkA
Router-PE1(config-router-af)#no auto-summary
Router-PE1(config-router-af)#no synchronization
Router-PE1(config-router-af)#redistribute connected
Router-PE1(config-router-af)#exit-address-family
Router-PE1(config-router)#adress-family ipv4 vrf NetworkB
Router-PE1(config-router-af)#no auto-summary
Router-PE1(config-router-af)#no synchronization
Router-PE1(config-router-af)#redistribute connected
Router-PE1(config-router-af)#exit-address-family
Router-PE1(config-router)#address-family vpnv4
Router-PE1(config-router-af)#neighbor 10.0.0.3 activate
Router-PE1(config-router-af)#neighbor 10.0.0.3 send-community extended
Router-PE1(config-router-af)#neighbor 10.0.0.4 activate
Router-PE1(config-router-af)#neighbor 10.0.0.4 send-community extended
Router-PE1(config-router-af)#exit-address-family
Router-PE1(config-router)#exit
Router-PE1(config)#end
Router-PE1#

We will also show the configuration for the other two PE routers for reference:

Router-PE2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-PE2(config)#ip cef
Router-PE2(config)#mpls ip
Router-PE2(config)#interface FastEthernet0/0
Router-PE2(config-if)#no ip address
Router-PE2(config-if)#exit
Router-PE2(config)#interface FastEthernet0/0.1
Router-PE2(config-if)#description Connection to Router-P1
Router-PE2(config-if)#encapsulation dot1Q 10
Router-PE2(config-if)#ip address 10.1.2.4 255.255.255.0
Router-PE2(config-if)#mpls ip
Router-PE2(config-if)#exit
Router-PE2(config)#interface Loopback0
Router-PE2(config-if)#ip address 10.0.0.3 255.255.255.255
Router-PE2(config-if)#exit
Router-PE2(config)#router ospf 99
Router-PE2(config-router)#router-id 10.0.0.3
Router-PE2(config-router)#network 10.0.0.0 0.255.255.255 area 0
Router-PE2(config-router)#exit
Router-PE2(config)#ip vrf NetworkA
Router-PE2(config-vrf)#rd 100:1
Router-PE2(config-vrf)#route-target export 100:1
Router-PE2(config-vrf)#route-target import 100:1
Router-PE2(config-vrf)#exit
Router-PE2(config)#ip vrf NetworkB
Router-PE2(config-vrf)#rd 100:2
Router-PE2(config-vrf)#route-target export 100:2
Router-PE2(config-vrf)#route-target import 100:2
Router-PE2(config-vrf)#exit
Router-PE2(config)#interface FastEthernet0/0.2
Router-PE2(config-if)#description Connection to customer A, site 2
Router-PE2(config-if)#encapsulation dot1Q 102
Router-PE2(config-if)#ip address 192.168.3.1 255.255.255.0
Router-PE2(config-if)#mpls ip
Router-PE2(config-if)#exit
Router-PE2(config)#router bgp 100
Router-PE2(config-router)#bgp log-neighbor-changes
Router-PE2(config-router)#neighbor 10.0.0.2 remote-as 100
Router-PE2(config-router)#neighbor 10.0.0.2 update-source Loopback0
Router-PE2(config-router)#neighbor 10.0.0.3 remote-as 100
Router-PE2(config-router)#neighbor 10.0.0.3 update-source Loopback0
Router-PE2(config-router)#address-family ipv4 vrf NetworkA
Router-PE2(config-router-af)#no auto-summary
Router-PE2(config-router-af)#no synchronization
Router-PE2(config-router-af)#redistribute connected
Router-PE2(config-router-af)#exit-address-family
Router-PE2(config-router)#address-family vpnv4
Router-PE2(config-router-af)#neighbor 10.0.0.2 activate
Router-PE2(config-router-af)#neighbor 10.0.0.2 send-community extended
Router-PE2(config-router-af)#neighbor 10.0.0.4 activate
Router-PE2(config-router-af)#neighbor 10.0.0.4 send-community extended
Router-PE2(config-router-af)#exit-address-family
Router-PE2(config-router)#exit
Router-PE2(config)#end
Router-PE2#

The third PE router looks like this:

Router-PE3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-PE3(config)#ip cef
Router-PE3(config)#mpls ip
Router-PE3(config)#interface Serial0/0
Router-PE3(config-if)#description Connection to Router-P1
Router-PE3(config-if)#ip address 10.1.1.9 255.255.255.252
Router-PE3(config-if)#mpls ip
Router-PE3(config-if)#exit
Router-PE3(config)#interface Loopback0
Router-PE3(config-if)#ip address 10.0.0.3 255.255.255.255
Router-PE3(config-if)#exit
Router-PE3(config)#router ospf 99
Router-PE3(config-router)#router-id 10.0.0.3
Router-PE3(config-router)#network 10.0.0.0 0.255.255.255 area 0
Router-PE3(config-router)#exit
Router-PE3(config)#ip vrf NetworkA
Router-PE3(config-vrf)#rd 100:1
Router-PE3(config-vrf)#route-target export 100:1
Router-PE3(config-vrf)#route-target import 100:1
Router-PE3(config-vrf)#exit
Router-PE3(config)#ip vrf NetworkB
Router-PE3(config-vrf)#rd 100:2
Router-PE3(config-vrf)#route-target export 100:2
Router-PE3(config-vrf)#route-target import 100:2
Router-PE3(config-vrf)#exit
Router-PE3(config)#interface Ethernet0/0
Router-PE3(config-if)#description connection to customer A, site 3
Router-PE3(config-if)#ip vrf forwarding NetworkA
Router-PE3(config-if)#ip address 192.168.2.1 255.255.255.0
Router-PE3(config-if)#exit
Router-PE3(config)#interface Ethernet0/1
Router-PE3(config-if)#description connection to customer B, site 2
Router-PE3(config-if)#ip vrf forwarding NetworkB
Router-PE3(config-if)#ip address 192.168.10.1 255.255.255.0
Router-PE3(config-if)#exit
Router-PE3(config)#router bgp 100
Router-PE3(config-router)#bgp log-neighbor-changes
Router-PE3(config-router)#neighbor 10.0.0.2 remote-as 100
Router-PE3(config-router)#neighbor 10.0.0.2 update-source Loopback0
Router-PE3(config-router)#neighbor 10.0.0.4 remote-as 100
Router-PE3(config-router)#neighbor 10.0.0.4 update-source Loopback0
Router-PE3(config-router)#address-family ipv4 vrf NetworkA
Router-PE3(config-router-af)#no auto-summary
Router-PE3(config-router-af)#no synchronization
Router-PE3(config-router-af)#redistribute connected
Router-PE3(config-router-af)#exit-address-family
Router-PE3(config-router)#adress-family ipv4 vrf NetworkB
Router-PE3(config-router-af)#no auto-summary
Router-PE3(config-router-af)#no synchronization
Router-PE3(config-router-af)#redistribute connected
Router-PE3(config-router-af)#exit-address-family
Router-PE3(config-router)#address-family vpnv4
Router-PE3(config-router-af)#neighbor 10.0.0.2 activate
Router-PE3(config-router-af)#neighbor 10.0.0.2 send-community extended
Router-PE3(config-router-af)#neighbor 10.0.0.4 activate
Router-PE3(config-router-af)#neighbor 10.0.0.4 send-community extended
Router-PE3(config-router-af)#exit-address-family
Router-PE3(config-router)#exit
Router-PE3(config)#end
Router-PE3#

 

Discussion

This is a rather long configuration, but it divides up rather naturally into a few basic components.

First, we have configured the basic MPLS functionality:

Router-PE1(config)#ip cef
Router-PE1(config)#mpls ip
Router-PE1(config)#interface Serial0/0
Router-PE1(config-if)#description Connection to Router-P1
Router-PE1(config-if)#ip address 10.1.1.13 255.255.255.252
Router-PE1(config-if)#mpls ip
Router-PE1(config-if)#exit
Router-PE1(config)#interface Loopback0
Router-PE1(config-if)#ip address 10.0.0.2 255.255.255.255
Router-PE1(config-if)#exit
Router-PE1(config)#router ospf 99
Router-PE1(config-router)#router-id 10.0.0.2
Router-PE1(config-router)#network 10.0.0.0 0.255.255.255 area 0
Router-PE1(config-router)#exit

Notice that this section of configuration is extremely similar to how we configured the P router in Recipe 26.1.

The next chunk of the router's configuration defines the VPNs. We have created two customer networks called NetworkA and NetworkB. Let's look at the first of these in more detail:

Router-PE1(config)#ip vrf NetworkA
Router-PE1(config-vrf)#rd 100:1
Router-PE1(config-vrf)#route-target export 100:1
Router-PE1(config-vrf)#route-target import 100:1
Router-PE1(config-vrf)#exit

The first line defines the name of the VRF, in this case NetworkA. Then the rd command defines a " route descriptor" for this VRF. This is really just a numerical tag that MP-BGP will use when propagating the routes associated with this VPN.

The route-target commands then tell MP-BGP which route descriptors to share its routes with. There can only be one route descriptor in a VRF definition, but you can freely share routes among several different route targets. In most cases, however, you will actually want to keep the routes confined to a particular VRF, as we have done in the example.

The route descriptor value is a 48-bit number that is conventionally written in two different ways. We have written the value as 100:1, which is a 16-bit BGP Autonomous System Number (ASN), followed by an arbitrary 32-bit number identifying the client network. The other way to write this value is as a 32-bit dotted decimal value (like an IP address) followed by an arbitrary 16 bit valuefor example, 192.168.1.1:100.

MP-BGP then uses these values as a tag that it adds to the client routing prefixes. It's important to note that although it is a good idea to make these RD values meaningful, to MP-BGP they are just a sequence of bits. As long as they are consistent throughout your network, you can use whatever values are meaningful to you. It is not necessary, for example, to make the ASN identical with the BGP ASN, as we have done in this recipe. However, this is often a good practice, particularly if your MPLS network includes multiple ASNs that must be kept straight.

We note also that you can deliberately "leak" routes between VRFs as follows:

Router-PE1(config)#ip vrf NetworkA
Router-PE1(config-vrf)#rd 100:1
Router-PE1(config-vrf)#route-target export 100:1
Router-PE1(config-vrf)#route-target import 100:1
Router-PE1(config-vrf)#route-target export 100:2
Router-PE1(config-vrf)#route-target import 100:2
Router-PE1(config-vrf)#exit

This is sometimes used by service providers to ensure that their network management VLAN can access customer networks. However, most of the time you want to keep the VRFs separated.

Next we associate the VRF instances with physical interfaces:

Router-PE1(config)#interface Ethernet0/0
Router-PE1(config-if)#description connection to customer A, site 1
Router-PE1(config-if)#ip vrf forwarding NetworkA
Router-PE1(config-if)#ip address 192.168.1.1 255.255.255.0
Router-PE1(config-if)#exit

You should always input the IP address after the ip vrf forwarding command because the router will automatically delete any existing IP addresses when you assign the VRF to an interface.

The IP address in this case is part of the VRF for this customer network. Consequently, devices inside the customer network will be able to PING and route to this address. If this were a real customer and service provider, it would be critical to secure this interface to prevent users from using TELNET or other protocols to gain access to the provider network.

Note also that because two customers could well be using the same IP addresses, the ip vrf forwarding command allows you to configure overlapping or even duplicate IP addresses on the PE router, provided the interfaces with conflicting addresses belong to different VRFs.

Notice that we have created the same VRFs on all three PE routers, even though NetworkB only appears on two of them. This VRF is not assigned to any physical interface. You can see which interfaces are associated with each VRF:

Router-PE1#show ip vrf
 Name Default RD Interfaces
 NetworkA 100:1 Ethernet0/0
 NetworkB 100:2 Ethernet0/1
Router-PE1#

If a particular VRF is not assigned to any interface, this command will list it in the output but leave the interface column blank:

Router-PE2#show ip vrf
 Name Default RD Interfaces
 NetworkA 100:1 FastEthernet0/0.2
 NetworkB 100:2
Router-PE2#

The next section of the PE configuration shows the MP-BGP configuration:

Router-PE1(config)#router bgp 100
Router-PE1(config-router)#bgp log-neighbor-changes
Router-PE1(config-router)#neighbor 10.0.0.3 remote-as 100
Router-PE1(config-router)#neighbor 10.0.0.3 update-source Loopback0
Router-PE1(config-router)#neighbor 10.0.0.4 remote-as 100
Router-PE1(config-router)#neighbor 10.0.0.4 update-source Loopback0
Router-PE1(config-router)#address-family ipv4 vrf NetworkA
Router-PE1(config-router-af)#no auto-summary
Router-PE1(config-router-af)#no synchronization
Router-PE1(config-router-af)#redistribute connected
Router-PE1(config-router-af)#exit-address-family
Router-PE1(config-router)#adress-family ipv4 vrf NetworkB
Router-PE1(config-router-af)#no auto-summary
Router-PE1(config-router-af)#no synchronization
Router-PE1(config-router-af)#redistribute connected
Router-PE1(config-router-af)#exit-address-family
Router-PE1(config-router)#address-family vpnv4
Router-PE1(config-router-af)#neighbor 10.0.0.3 activate
Router-PE1(config-router-af)#neighbor 10.0.0.3 send-community extended
Router-PE1(config-router-af)#neighbor 10.0.0.4 activate
Router-PE1(config-router-af)#neighbor 10.0.0.4 send-community extended
Router-PE1(config-router-af)#exit-address-family
Router-PE1(config-router)#exit

First we define all of the BGP peer relationships in the usual way:

Router-PE1(config)#router bgp 100
Router-PE1(config-router)#neighbor 10.0.0.3 remote-as 100
Router-PE1(config-router)#neighbor 10.0.0.3 update-source Loopback0

The peer devices indicated are the other PE routers in this network. Since the Remote-AS indicated for each of the peers is the same as this router's BGP AS, they are all internal or iBGP peer relationships. IBGP peer relationships are required because MP-BGP distributes VRF information using extended BGP communities. If you need to break up your BGP network into more than one AS, you can do so, but you must take care to redistribute the VRF tables between the ASBR devices.

The other common way of handling the inherent scaling problems of large numbers of BGP peers in MPLS networks is to use Route Reflectors. We discuss Route Reflectors in Chapter 9.

For improved network stability, we prefer to identify all of our peer IP address with Loopback interfaces rather than physical interfaces. This way, if your PE router has multiple connection points into your MPLS core, a physical failure on one interface won't bring down the network.

Next we must tell MP-BGP about the VRF information that we want it to carry between the PE routers:

Router-PE1(config-router)#address-family ipv4 vrf NetworkA
Router-PE1(config-router-af)#no auto-summary
Router-PE1(config-router-af)#no synchronization
Router-PE1(config-router-af)#redistribute connected
Router-PE1(config-router-af)#exit-address-family

In this case, the only interface on this router is a member of the VRF that we have called NetworkA is Ethernet0/0, which has an IP address of 192.168.1.1/24. We chose to include this interface using the redistribute connected command. Usually in BGP networks we prefer to use a network command rather than redistributing connected routes because it will result in a better Origin code. However, MP-BGP doesn't treat redistributed routes in the same way, as we will see later in this chapter. Consequently, the redistribute connected command is actually the most convenient way of making sure that every interface associated with this VRF is automatically included in the routing table.

We note in passing that you exit from the address-family configuration block using the command exit-address-family rather than the simple exit command that Cisco usually uses for this purpose. The short form works, but the router will replace it with the long form in the configuration file. We don't know why this is.

Finally, the last section of the configuration example is necessary to allow MP-BGP to carry the VRF routing prefixes:

Router-PE1(config-router)#address-family vpnv4
Router-PE1(config-router-af)#neighbor 10.0.0.3 activate
Router-PE1(config-router-af)#neighbor 10.0.0.3 send-community extended
Router-PE1(config-router-af)#neighbor 10.0.0.4 activate
Router-PE1(config-router-af)#neighbor 10.0.0.4 send-community extended
Router-PE1(config-router-af)#exit-address-family

The critical command here is send-community extended, which tells MP-BGP to use extended communities.

You can verify basic MPLS connectivity for the connection between the PE and P routers by using the show mpls interfaces command, as we did in Recipe 26.1:

Router-PE1#show mpls interfaces
Interface IP Tunnel Operational
Serial0/0 Yes No Yes
Router-PE1#

And you can see the contents of your VRF tables as follows:

Router-PE1#show ip route vrf NetworkA
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

 10.0.0.0/32 is subnetted, 1 subnets
B 10.8.8.8 [200/4] via 10.0.0.4, 02:15:54
C 192.168.1.0/24 is directly connected, Ethernet0/0
B 192.168.2.0/24 [200/0] via 10.0.0.3, 02:16:08
B 192.168.3.0/24 [200/0] via 10.0.0.4, 02:15:54
Router-PE1#

It is sometimes useful to be able to do PING tests through a customer VLAN. You can do this from your PE routers, although you must take care to specify a source address that is also part of this VRF:

Router-PE1#ping vrf NetworkA 192.168.2.9 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.9, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
Router-PE1#

In this case, the destination address is a CE router at a different site.

See Also

Recipe 26.1; Chapter 8; Chapter 9


Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net