Problem
You want to configure a Provider Edge (PE) router to connect your MPLS core to a customer network.
Solution
To configure a PE router, you must set up connections to the MPLS core as well as to one or more customer networks. Further, to distribute customer VRF routing information to other PE routers, you must configure MP-BGP:
Router-PE1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router-PE1(config)#ip cef Router-PE1(config)#mpls ip Router-PE1(config)#interface Serial0/0 Router-PE1(config-if)#description Connection to Router-P1 Router-PE1(config-if)#ip address 10.1.1.13 255.255.255.252 Router-PE1(config-if)#mpls ip Router-PE1(config-if)#exit Router-PE1(config)#interface Loopback0 Router-PE1(config-if)#ip address 10.0.0.2 255.255.255.255 Router-PE1(config-if)#exit Router-PE1(config)#router ospf 99 Router-PE1(config-router)#router-id 10.0.0.2 Router-PE1(config-router)#network 10.0.0.0 0.255.255.255 area 0 Router-PE1(config-router)#exit Router-PE1(config)#ip vrf NetworkA Router-PE1(config-vrf)#rd 100:1 Router-PE1(config-vrf)#route-target export 100:1 Router-PE1(config-vrf)#route-target import 100:1 Router-PE1(config-vrf)#exit Router-PE1(config)#ip vrf NetworkB Router-PE1(config-vrf)#rd 100:2 Router-PE1(config-vrf)#route-target export 100:2 Router-PE1(config-vrf)#route-target import 100:2 Router-PE1(config-vrf)#exit Router-PE1(config)#interface Ethernet0/0 Router-PE1(config-if)#description connection to customer A, site 1 Router-PE1(config-if)#ip vrf forwarding NetworkA Router-PE1(config-if)#ip address 192.168.1.1 255.255.255.0 Router-PE1(config-if)#exit Router-PE1(config)#interface Ethernet0/1 Router-PE1(config-if)#description connection to customer B, site 1 Router-PE1(config-if)#ip vrf forwarding NetworkB Router-PE1(config-if)#ip address 192.168.11.1 255.255.255.0 Router-PE1(config-if)#exit Router-PE1(config)#router bgp 100 Router-PE1(config-router)#bgp log-neighbor-changes Router-PE1(config-router)#neighbor 10.0.0.3 remote-as 100 Router-PE1(config-router)#neighbor 10.0.0.3 update-source Loopback0 Router-PE1(config-router)#neighbor 10.0.0.4 remote-as 100 Router-PE1(config-router)#neighbor 10.0.0.4 update-source Loopback0 Router-PE1(config-router)#address-family ipv4 vrf NetworkA Router-PE1(config-router-af)#no auto-summary Router-PE1(config-router-af)#no synchronization Router-PE1(config-router-af)#redistribute connected Router-PE1(config-router-af)#exit-address-family Router-PE1(config-router)#adress-family ipv4 vrf NetworkB Router-PE1(config-router-af)#no auto-summary Router-PE1(config-router-af)#no synchronization Router-PE1(config-router-af)#redistribute connected Router-PE1(config-router-af)#exit-address-family Router-PE1(config-router)#address-family vpnv4 Router-PE1(config-router-af)#neighbor 10.0.0.3 activate Router-PE1(config-router-af)#neighbor 10.0.0.3 send-community extended Router-PE1(config-router-af)#neighbor 10.0.0.4 activate Router-PE1(config-router-af)#neighbor 10.0.0.4 send-community extended Router-PE1(config-router-af)#exit-address-family Router-PE1(config-router)#exit Router-PE1(config)#end Router-PE1#
We will also show the configuration for the other two PE routers for reference:
Router-PE2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router-PE2(config)#ip cef Router-PE2(config)#mpls ip Router-PE2(config)#interface FastEthernet0/0 Router-PE2(config-if)#no ip address Router-PE2(config-if)#exit Router-PE2(config)#interface FastEthernet0/0.1 Router-PE2(config-if)#description Connection to Router-P1 Router-PE2(config-if)#encapsulation dot1Q 10 Router-PE2(config-if)#ip address 10.1.2.4 255.255.255.0 Router-PE2(config-if)#mpls ip Router-PE2(config-if)#exit Router-PE2(config)#interface Loopback0 Router-PE2(config-if)#ip address 10.0.0.3 255.255.255.255 Router-PE2(config-if)#exit Router-PE2(config)#router ospf 99 Router-PE2(config-router)#router-id 10.0.0.3 Router-PE2(config-router)#network 10.0.0.0 0.255.255.255 area 0 Router-PE2(config-router)#exit Router-PE2(config)#ip vrf NetworkA Router-PE2(config-vrf)#rd 100:1 Router-PE2(config-vrf)#route-target export 100:1 Router-PE2(config-vrf)#route-target import 100:1 Router-PE2(config-vrf)#exit Router-PE2(config)#ip vrf NetworkB Router-PE2(config-vrf)#rd 100:2 Router-PE2(config-vrf)#route-target export 100:2 Router-PE2(config-vrf)#route-target import 100:2 Router-PE2(config-vrf)#exit Router-PE2(config)#interface FastEthernet0/0.2 Router-PE2(config-if)#description Connection to customer A, site 2 Router-PE2(config-if)#encapsulation dot1Q 102 Router-PE2(config-if)#ip address 192.168.3.1 255.255.255.0 Router-PE2(config-if)#mpls ip Router-PE2(config-if)#exit Router-PE2(config)#router bgp 100 Router-PE2(config-router)#bgp log-neighbor-changes Router-PE2(config-router)#neighbor 10.0.0.2 remote-as 100 Router-PE2(config-router)#neighbor 10.0.0.2 update-source Loopback0 Router-PE2(config-router)#neighbor 10.0.0.3 remote-as 100 Router-PE2(config-router)#neighbor 10.0.0.3 update-source Loopback0 Router-PE2(config-router)#address-family ipv4 vrf NetworkA Router-PE2(config-router-af)#no auto-summary Router-PE2(config-router-af)#no synchronization Router-PE2(config-router-af)#redistribute connected Router-PE2(config-router-af)#exit-address-family Router-PE2(config-router)#address-family vpnv4 Router-PE2(config-router-af)#neighbor 10.0.0.2 activate Router-PE2(config-router-af)#neighbor 10.0.0.2 send-community extended Router-PE2(config-router-af)#neighbor 10.0.0.4 activate Router-PE2(config-router-af)#neighbor 10.0.0.4 send-community extended Router-PE2(config-router-af)#exit-address-family Router-PE2(config-router)#exit Router-PE2(config)#end Router-PE2#
The third PE router looks like this:
Router-PE3#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router-PE3(config)#ip cef Router-PE3(config)#mpls ip Router-PE3(config)#interface Serial0/0 Router-PE3(config-if)#description Connection to Router-P1 Router-PE3(config-if)#ip address 10.1.1.9 255.255.255.252 Router-PE3(config-if)#mpls ip Router-PE3(config-if)#exit Router-PE3(config)#interface Loopback0 Router-PE3(config-if)#ip address 10.0.0.3 255.255.255.255 Router-PE3(config-if)#exit Router-PE3(config)#router ospf 99 Router-PE3(config-router)#router-id 10.0.0.3 Router-PE3(config-router)#network 10.0.0.0 0.255.255.255 area 0 Router-PE3(config-router)#exit Router-PE3(config)#ip vrf NetworkA Router-PE3(config-vrf)#rd 100:1 Router-PE3(config-vrf)#route-target export 100:1 Router-PE3(config-vrf)#route-target import 100:1 Router-PE3(config-vrf)#exit Router-PE3(config)#ip vrf NetworkB Router-PE3(config-vrf)#rd 100:2 Router-PE3(config-vrf)#route-target export 100:2 Router-PE3(config-vrf)#route-target import 100:2 Router-PE3(config-vrf)#exit Router-PE3(config)#interface Ethernet0/0 Router-PE3(config-if)#description connection to customer A, site 3 Router-PE3(config-if)#ip vrf forwarding NetworkA Router-PE3(config-if)#ip address 192.168.2.1 255.255.255.0 Router-PE3(config-if)#exit Router-PE3(config)#interface Ethernet0/1 Router-PE3(config-if)#description connection to customer B, site 2 Router-PE3(config-if)#ip vrf forwarding NetworkB Router-PE3(config-if)#ip address 192.168.10.1 255.255.255.0 Router-PE3(config-if)#exit Router-PE3(config)#router bgp 100 Router-PE3(config-router)#bgp log-neighbor-changes Router-PE3(config-router)#neighbor 10.0.0.2 remote-as 100 Router-PE3(config-router)#neighbor 10.0.0.2 update-source Loopback0 Router-PE3(config-router)#neighbor 10.0.0.4 remote-as 100 Router-PE3(config-router)#neighbor 10.0.0.4 update-source Loopback0 Router-PE3(config-router)#address-family ipv4 vrf NetworkA Router-PE3(config-router-af)#no auto-summary Router-PE3(config-router-af)#no synchronization Router-PE3(config-router-af)#redistribute connected Router-PE3(config-router-af)#exit-address-family Router-PE3(config-router)#adress-family ipv4 vrf NetworkB Router-PE3(config-router-af)#no auto-summary Router-PE3(config-router-af)#no synchronization Router-PE3(config-router-af)#redistribute connected Router-PE3(config-router-af)#exit-address-family Router-PE3(config-router)#address-family vpnv4 Router-PE3(config-router-af)#neighbor 10.0.0.2 activate Router-PE3(config-router-af)#neighbor 10.0.0.2 send-community extended Router-PE3(config-router-af)#neighbor 10.0.0.4 activate Router-PE3(config-router-af)#neighbor 10.0.0.4 send-community extended Router-PE3(config-router-af)#exit-address-family Router-PE3(config-router)#exit Router-PE3(config)#end Router-PE3#
Discussion
This is a rather long configuration, but it divides up rather naturally into a few basic components.
First, we have configured the basic MPLS functionality:
Router-PE1(config)#ip cef Router-PE1(config)#mpls ip Router-PE1(config)#interface Serial0/0 Router-PE1(config-if)#description Connection to Router-P1 Router-PE1(config-if)#ip address 10.1.1.13 255.255.255.252 Router-PE1(config-if)#mpls ip Router-PE1(config-if)#exit Router-PE1(config)#interface Loopback0 Router-PE1(config-if)#ip address 10.0.0.2 255.255.255.255 Router-PE1(config-if)#exit Router-PE1(config)#router ospf 99 Router-PE1(config-router)#router-id 10.0.0.2 Router-PE1(config-router)#network 10.0.0.0 0.255.255.255 area 0 Router-PE1(config-router)#exit
Notice that this section of configuration is extremely similar to how we configured the P router in Recipe 26.1.
The next chunk of the router's configuration defines the VPNs. We have created two customer networks called NetworkA and NetworkB. Let's look at the first of these in more detail:
Router-PE1(config)#ip vrf NetworkA Router-PE1(config-vrf)#rd 100:1 Router-PE1(config-vrf)#route-target export 100:1 Router-PE1(config-vrf)#route-target import 100:1 Router-PE1(config-vrf)#exit
The first line defines the name of the VRF, in this case NetworkA. Then the rd command defines a " route descriptor" for this VRF. This is really just a numerical tag that MP-BGP will use when propagating the routes associated with this VPN.
The route-target commands then tell MP-BGP which route descriptors to share its routes with. There can only be one route descriptor in a VRF definition, but you can freely share routes among several different route targets. In most cases, however, you will actually want to keep the routes confined to a particular VRF, as we have done in the example.
The route descriptor value is a 48-bit number that is conventionally written in two different ways. We have written the value as 100:1, which is a 16-bit BGP Autonomous System Number (ASN), followed by an arbitrary 32-bit number identifying the client network. The other way to write this value is as a 32-bit dotted decimal value (like an IP address) followed by an arbitrary 16 bit valuefor example, 192.168.1.1:100.
MP-BGP then uses these values as a tag that it adds to the client routing prefixes. It's important to note that although it is a good idea to make these RD values meaningful, to MP-BGP they are just a sequence of bits. As long as they are consistent throughout your network, you can use whatever values are meaningful to you. It is not necessary, for example, to make the ASN identical with the BGP ASN, as we have done in this recipe. However, this is often a good practice, particularly if your MPLS network includes multiple ASNs that must be kept straight.
We note also that you can deliberately "leak" routes between VRFs as follows:
Router-PE1(config)#ip vrf NetworkA Router-PE1(config-vrf)#rd 100:1 Router-PE1(config-vrf)#route-target export 100:1 Router-PE1(config-vrf)#route-target import 100:1 Router-PE1(config-vrf)#route-target export 100:2 Router-PE1(config-vrf)#route-target import 100:2 Router-PE1(config-vrf)#exit
This is sometimes used by service providers to ensure that their network management VLAN can access customer networks. However, most of the time you want to keep the VRFs separated.
Next we associate the VRF instances with physical interfaces:
Router-PE1(config)#interface Ethernet0/0 Router-PE1(config-if)#description connection to customer A, site 1 Router-PE1(config-if)#ip vrf forwarding NetworkA Router-PE1(config-if)#ip address 192.168.1.1 255.255.255.0 Router-PE1(config-if)#exit
|
The IP address in this case is part of the VRF for this customer network. Consequently, devices inside the customer network will be able to PING and route to this address. If this were a real customer and service provider, it would be critical to secure this interface to prevent users from using TELNET or other protocols to gain access to the provider network.
Note also that because two customers could well be using the same IP addresses, the ip vrf forwarding command allows you to configure overlapping or even duplicate IP addresses on the PE router, provided the interfaces with conflicting addresses belong to different VRFs.
Notice that we have created the same VRFs on all three PE routers, even though NetworkB only appears on two of them. This VRF is not assigned to any physical interface. You can see which interfaces are associated with each VRF:
Router-PE1#show ip vrf Name Default RD Interfaces NetworkA 100:1 Ethernet0/0 NetworkB 100:2 Ethernet0/1 Router-PE1#
If a particular VRF is not assigned to any interface, this command will list it in the output but leave the interface column blank:
Router-PE2#show ip vrf Name Default RD Interfaces NetworkA 100:1 FastEthernet0/0.2 NetworkB 100:2 Router-PE2#
The next section of the PE configuration shows the MP-BGP configuration:
Router-PE1(config)#router bgp 100 Router-PE1(config-router)#bgp log-neighbor-changes Router-PE1(config-router)#neighbor 10.0.0.3 remote-as 100 Router-PE1(config-router)#neighbor 10.0.0.3 update-source Loopback0 Router-PE1(config-router)#neighbor 10.0.0.4 remote-as 100 Router-PE1(config-router)#neighbor 10.0.0.4 update-source Loopback0 Router-PE1(config-router)#address-family ipv4 vrf NetworkA Router-PE1(config-router-af)#no auto-summary Router-PE1(config-router-af)#no synchronization Router-PE1(config-router-af)#redistribute connected Router-PE1(config-router-af)#exit-address-family Router-PE1(config-router)#adress-family ipv4 vrf NetworkB Router-PE1(config-router-af)#no auto-summary Router-PE1(config-router-af)#no synchronization Router-PE1(config-router-af)#redistribute connected Router-PE1(config-router-af)#exit-address-family Router-PE1(config-router)#address-family vpnv4 Router-PE1(config-router-af)#neighbor 10.0.0.3 activate Router-PE1(config-router-af)#neighbor 10.0.0.3 send-community extended Router-PE1(config-router-af)#neighbor 10.0.0.4 activate Router-PE1(config-router-af)#neighbor 10.0.0.4 send-community extended Router-PE1(config-router-af)#exit-address-family Router-PE1(config-router)#exit
First we define all of the BGP peer relationships in the usual way:
Router-PE1(config)#router bgp 100 Router-PE1(config-router)#neighbor 10.0.0.3 remote-as 100 Router-PE1(config-router)#neighbor 10.0.0.3 update-source Loopback0
The peer devices indicated are the other PE routers in this network. Since the Remote-AS indicated for each of the peers is the same as this router's BGP AS, they are all internal or iBGP peer relationships. IBGP peer relationships are required because MP-BGP distributes VRF information using extended BGP communities. If you need to break up your BGP network into more than one AS, you can do so, but you must take care to redistribute the VRF tables between the ASBR devices.
The other common way of handling the inherent scaling problems of large numbers of BGP peers in MPLS networks is to use Route Reflectors. We discuss Route Reflectors in Chapter 9.
For improved network stability, we prefer to identify all of our peer IP address with Loopback interfaces rather than physical interfaces. This way, if your PE router has multiple connection points into your MPLS core, a physical failure on one interface won't bring down the network.
Next we must tell MP-BGP about the VRF information that we want it to carry between the PE routers:
Router-PE1(config-router)#address-family ipv4 vrf NetworkA Router-PE1(config-router-af)#no auto-summary Router-PE1(config-router-af)#no synchronization Router-PE1(config-router-af)#redistribute connected Router-PE1(config-router-af)#exit-address-family
In this case, the only interface on this router is a member of the VRF that we have called NetworkA is Ethernet0/0, which has an IP address of 192.168.1.1/24. We chose to include this interface using the redistribute connected command. Usually in BGP networks we prefer to use a network command rather than redistributing connected routes because it will result in a better Origin code. However, MP-BGP doesn't treat redistributed routes in the same way, as we will see later in this chapter. Consequently, the redistribute connected command is actually the most convenient way of making sure that every interface associated with this VRF is automatically included in the routing table.
We note in passing that you exit from the address-family configuration block using the command exit-address-family rather than the simple exit command that Cisco usually uses for this purpose. The short form works, but the router will replace it with the long form in the configuration file. We don't know why this is.
Finally, the last section of the configuration example is necessary to allow MP-BGP to carry the VRF routing prefixes:
Router-PE1(config-router)#address-family vpnv4 Router-PE1(config-router-af)#neighbor 10.0.0.3 activate Router-PE1(config-router-af)#neighbor 10.0.0.3 send-community extended Router-PE1(config-router-af)#neighbor 10.0.0.4 activate Router-PE1(config-router-af)#neighbor 10.0.0.4 send-community extended Router-PE1(config-router-af)#exit-address-family
The critical command here is send-community extended, which tells MP-BGP to use extended communities.
You can verify basic MPLS connectivity for the connection between the PE and P routers by using the show mpls interfaces command, as we did in Recipe 26.1:
Router-PE1#show mpls interfaces Interface IP Tunnel Operational Serial0/0 Yes No Yes Router-PE1#
And you can see the contents of your VRF tables as follows:
Router-PE1#show ip route vrf NetworkA Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set 10.0.0.0/32 is subnetted, 1 subnets B 10.8.8.8 [200/4] via 10.0.0.4, 02:15:54 C 192.168.1.0/24 is directly connected, Ethernet0/0 B 192.168.2.0/24 [200/0] via 10.0.0.3, 02:16:08 B 192.168.3.0/24 [200/0] via 10.0.0.4, 02:15:54 Router-PE1#
It is sometimes useful to be able to do PING tests through a customer VLAN. You can do this from your PE routers, although you must take care to specify a source address that is also part of this VRF:
Router-PE1#ping vrf NetworkA 192.168.2.9 source 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.2.9, timeout is 2 seconds: Packet sent with a source address of 192.168.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms Router-PE1#
In this case, the destination address is a CE router at a different site.
See Also
Recipe 26.1; Chapter 8; Chapter 9
Router Configuration and File Management
Router Management
User Access and Privilege Levels
TACACS+
IP Routing
RIP
EIGRP
OSPF
BGP
Frame Relay
Handling Queuing and Congestion
Tunnels and VPNs
Dial Backup
NTP and Time
DLSw
Router Interfaces and Media
Simple Network Management Protocol
Logging
Access-Lists
DHCP
NAT
First Hop Redundancy Protocols
IP Multicast
IP Mobility
IPv6
MPLS
Security
Appendix 1. External Software Packages
Appendix 2. IP Precedence, TOS, and DSCP Classifications
Index