Now that we have our MPLS network with P (Provider) and PE (Provider Edge) routers, we can configure a basic MPLS VPN between two sites. This section is not intended to be a complete MPLS VPN study, only an example of setting up a basic VPN. For further details on MPLS VPNs, we recommend MPLS VPN Architectures, published by Cisco Press.

We start from our MPLS network, where we are running OSPF (Open Shortest Path First) as the Interior Gateway Protocol (IGP). We physically connect two CE (Customer Edge) routers to two PE routers. We chose the two RPM cards in slot 10 of the MGX-8250 and the MGX-8850 as PE routers. The topology is shown in Figure 7-1.

Figure 7-1. Basic MPLS VPN

Configuring the VPN Routing Forwarding

A VPN routing and forwarding instance has its own routing context, which includes the IP routing table, routing protocols and variables, a Cisco Express Forwarding (CEF) table used for forwarding, and interfaces, as well as rules that control the import and export of routes from and to the VPN routing table.

We start by creating the VPN Routing Forwarding (VRF) instance and assigning a route distinguisher (RD) to it. The RD solves the problem of overlapping IP addresses: prepending the RD to the IPv4 address makes the resulting VPNv4 address globally unique. An RD does not represent a VPN; it identifies a VRF. The key concept is not to think of a VRF as a VPN. One or more VRFs can be associated with a VPN. We also specify import and export route targets (MP-BGP extended communities that, in essence, identify the networks belonging to a VPN, that is, VPN membership), which allow the insertion of routes into a VRF. Finally, we assign that VRF to the interfaces facing the CEs. Please see Example 7-1.

Example 7-1. Creating and Assigning VPN Routing Forwarding

PE_m8850_RPM#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PE_m8850_RPM(config)#ip vrf River
PE_m8850_RPM(config-vrf)#rd 100:27
PE_m8850_RPM(config-vrf)#route-target both 100:27
PE_m8850_RPM(config-vrf)#exit
PE_m8850_RPM(config)#interface fastEthernet 1/1
PE_m8850_RPM(config-if)#ip vrf forwarding River
PE_m8850_RPM(config-if)#ip address 192.168.1.1 255.255.255.248
PE_m8850_RPM(config-if)#no shut
PE_m8850_RPM(config-if)#^Z
PE_m8850_RPM#

Note that we assign the Fast Ethernet (FE) IP address after assigning the VRF to the interface. This is done because any existing IP address is removed when the interface command ip vrf forwarding {VRF Name} is entered. That IP address is now a connected route in the VRF River, not in the global routing table. We do the same on the other provider edge router.

As shown in Example 7-2, we also configure the CE interfaces:

Example 7-2. Configuring CE Interfaces

CE_1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CE_1(config)#interface FastEthernet 0/0
CE_1(config-if)#ip address 192.168.1.2 255.255.255.248
CE_1(config-if)#^Z
CE_1#

You can see that the CEs are not VPN-aware: they do not need any special configuration.

Configuring Multiprotocol iBGP

The next step in basic MPLS VPN configuration is to configure a multiprotocol iBGP session between the PEs. Multiprotocol BGP (MP-BGP) is BGP supporting address families other than IPv4 addresses. We will use AS 100 in this example. After configuring the iBGP neighbor, we also configure the VPNv4 address family so that the iBGP neighbors exchange 96-bit VPNv4 prefixes (64-bit RD + 32-bit IPv4 prefix). See Example 7-3.

NOTE: VPNv4 prefixes are exchanged only between PE routers.

Example 7-3. Configuring MP-iBGP

PE_m8850_RPM#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PE_m8850_RPM(config)#router bgp 100
PE_m8850_RPM(config-router)#neighbor 172.27.1.129 remote-as 100
PE_m8850_RPM(config-router)#neighbor 172.27.1.129 update-source loopback 0
PE_m8850_RPM(config-router)#address-family vpnv4
PE_m8850_RP(config-router-af)#neighbor 172.27.1.129 activate
PE_m8850_RP(config-router-af)#neighbor 172.27.1.129 send-community extended
PE_m8850_RP(config-router-af)#neighbor 172.27.1.129 next-hop-self
PE_m8850_RP(config-router-af)#exit-address-family
PE_m8850_RPM(config-router)#end
PE_m8850_RPM#

Within the VPNv4 address family, we configure extended communities in order to send route targets. Other extended communities are Site of Origin (SoO) and OSPF route type. We also configure next-hop-self to disable next-hop processing on the VPNv4 address family for MP-iBGP, because we will be running eBGP on a PE-CE link. If we do not disable next-hop processing of BGP updates, we could create a black hole when the IP address of a CE (in a VPN) running eBGP becomes a VPNv4 BGP next hop. Again, we perform the corresponding configuration on the other PE.

NOTE: In this case we are directly configuring a BGP neighbor. In large networks, the iBGP sessions among all PE routers should be established by using route reflectors for scalability.

We can check that the session is up, as shown in Example 7-4.

Example 7-4. MP-iBGP Summary

PE_m8250_RPMB_10#show ip bgp vpnv4 all summary
BGP router identifier 172.27.1.129, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.27.1.132    4   100      20      20        1    0    0 00:09:44        0
PE_m8250_RPMB_10#

Many optimizations can be made to the BGP protocol to improve its convergence. These optimizations are beyond the scope of this section. However, one is worth mentioning given its simplicity and the improvement it brings. By default, iBGP sessions use a maximum data segment of 536 bytes, which limits the amount of data that can be transported in a single packet. This limit is defined as the TCP Maximum Segment Size (MSS), which is the largest segment that TCP can send. The command show ip bgp neighbors includes the status of the underlying TCP connection. This can also be seen with show tcp. Refer to Example 7-5:

Example 7-5. Checking the BGP Maximum Data Segment

PE_m8850_RPM#show ip bgp neighbors | i Datagrams
Datagrams (max data segment is 536 bytes):
PE_m8850_RPM#

The MSS default of 536 bytes means that TCP segments the data in the transmit queue into 536-byte chunks before passing packets to the IP layer. Transmission Control Protocol (TCP) path Maximum Transmission Unit (MTU) discovery (defined in RFC 1191 and RFC 1435) can be configured on all PE routers using the global command ip tcp path-mtu-discovery to dynamically increase the maximum BGP data segment (MSS) and to include more advertisements in one packet. This reduces TCP/IP overhead and speeds BGP convergence. TCP path MTU discovery finds the smallest MTU among all the links between the endpoints of the TCP session, which in our example is the 4470 bytes of the ATM links. Please refer to Example 7-6.

Example 7-6. Enabling TCP Path MTU Discovery

PE_m8850_RPM#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PE_m8850_RPM(config)#ip tcp path-mtu-discovery
PE_m8850_RPM(config)#^Z
PE_m8850_RPM#show ip bgp neighbors | i Datagrams
Datagrams (max data segment is 4430 bytes):
PE_m8850_RPM#

The new maximum data segment value of 4430 bytes is the default ATM MTU of 4470 bytes minus 40 bytes of IP and TCP headers.

Configuring the PE-CE Running Static Routing

You have several options for routing protocols between the PE and CE routers: RIPv2, OSPF, eBGP, EIGRP, and static routing are some of them. In this case we demonstrate static routing on one PE-CE link and eBGP on the other. Static is the simplest case. The CE configuration consists only of configuring a static default route.
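As an added example (not part of the book), the following Python models two points made above: the 64-bit RD prepended to an IPv4 prefix gives the 96-bit VPNv4 prefix that the MP-iBGP session of Example 7-3 carries, and route targets, not RDs, decide which VRF imports a route. It goes beyond the chapter's single VRF by adding a constructed second VRF, Lake (RD and RT 100:28), whose CE uses the same 10.1.0.0/16 as River's CE_1; the VRFS/CE_ROUTES data and the function names are this example's own.

```python
# Added example (not from the book): an RD makes overlapping customer prefixes unique as
# 96-bit VPNv4 prefixes, while route targets (not RDs) decide what each VRF imports.
# VRF River (RD/RT 100:27) is the chapter's; VRF Lake (RD/RT 100:28) is constructed here.
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Type-0 RD (RFC 4364): 2-byte type 0, 2-byte ASN, 4-byte assigned number = 64 bits."""
    asn, num = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, num)

def vpnv4_prefix(rd: str, prefix: str) -> str:
    """96-bit VPNv4 prefix = 64-bit RD + 32-bit IPv4 network address, as hex."""
    net = ipaddress.ip_network(prefix)
    return (encode_rd(rd) + net.network_address.packed).hex()

# Constructed PE state: two VRFs whose CEs both use 10.1.0.0/16 (overlapping addressing).
VRFS = {
    "River": {"rd": "100:27", "import": {"100:27"}, "export": {"100:27"}},
    "Lake":  {"rd": "100:28", "import": {"100:28"}, "export": {"100:28"}},
}
CE_ROUTES = {"River": ["10.1.0.0/16", "10.2.0.0/16"], "Lake": ["10.1.0.0/16"]}

def vpnv4_table(vrfs=VRFS, ce_routes=CE_ROUTES) -> list:
    """What the PE advertises over MP-iBGP: one VPNv4 NLRI per VRF route, tagged with export RTs."""
    return [{"nlri": vpnv4_prefix(vrfs[v]["rd"], p), "prefix": p, "rt": vrfs[v]["export"]}
            for v, routes in ce_routes.items() for p in routes]

def imported(vrf_name: str, table: list, vrfs=VRFS) -> list:
    """A receiving VRF imports a VPNv4 route only if its import RTs intersect the route's RTs."""
    want = vrfs[vrf_name]["import"]
    return sorted(r["prefix"] for r in table if want & r["rt"])

if __name__ == "__main__":
    table = vpnv4_table()
    for r in table:                       # same IPv4 prefix, two different VPNv4 NLRI
        print(r["nlri"], r["prefix"], sorted(r["rt"]))
    print("River imports:", imported("River", table))
    print("Lake imports:", imported("Lake", table))
```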
We start by adding a loopback interface on the CE_2 router, as seen in Example 7-7:

Example 7-7. CE Static Routing Configuration

CE_2(config)#interface loopback 0
CE_2(config-if)#ip address 10.2.1.1 255.255.255.255
CE_2(config-if)#exit
CE_2(config)#ip route 0.0.0.0 0.0.0.0 Ethernet 0

In concept, the PE configuration is the same as in a non-MPLS VPN environment, except that the configuration applies to the VRF context. This is shown in Example 7-8. We add a VRF static route. Then we need to redistribute this static route into the IPv4 address family for the VRF so that it is propagated to the MP-iBGP peers. We also redistribute the connected VRF interfaces so that the remote CE can reach the IP address of the PE-CE link (192.168.1.8/29):

Example 7-8. PE VRF Static Routing Configuration

PE_m8250_RPMB_10#
PE_m8250_RPMB_10#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PE_m8250_RPMB_10(config)#ip route vrf River 10.2.0.0 255.255.0.0 192.168.1.10
PE_m8250_RPMB_10(config)#router bgp 100
PE_m8250_RPMB_(config-router)#address-family ipv4 vrf River
PE_m8250_RP(config-router-af)#redistribute connected
PE_m8250_RP(config-router-af)#redistribute static
PE_m8250_RP(config-router-af)#^Z
PE_m8250_RPMB_10#

NOTE: Per-VRF parameters are configured in the routing contexts (address-family ipv4 vrf {VRF Name}, or ip route vrf {VRF Name} for static routing). All non-BGP per-VRF routes are redistributed into the per-VRF BGP context to be propagated by MP-BGP to other PEs.

We can check that both the connected and the static routes are in the PE VRF routing context table using show ip route vrf {VRF Name}, as shown in Example 7-9:

Example 7-9. Checking the VRF Routing Table

PE_m8250_RPMB_10#show ip route vrf River
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/16 is subnetted, 1 subnets
S       10.2.0.0 [1/0] via 192.168.1.10
     192.168.1.0/29 is subnetted, 1 subnets
C       192.168.1.8 is directly connected, Ethernet1/1
PE_m8250_RPMB_10#

The remote PE has learned these VRF routes through iBGP. We use show ip bgp vpnv4 as well as show ip route vrf to verify this. See Example 7-10:

Example 7-10. Checking PE VPNv4 Prefixes

PE_m8850_RPM#show ip bgp vpnv4 vrf River summary
BGP router identifier 172.27.1.132, local AS number 100
BGP table version is 5, main routing table version 5
2 network entries and 2 paths using 370 bytes of memory
1 BGP path attribute entries using 60 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.27.1.129    4   100      32      30        5    0    0 00:19:56        2
PE_m8850_RPM#
PE_m8850_RPM#show ip route vrf River
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/16 is subnetted, 1 subnets
B       10.2.0.0 [200/0] via 172.27.1.129, 00:00:37
     192.168.1.0/29 is subnetted, 2 subnets
B       192.168.1.8 [200/0] via 172.27.1.129, 00:01:37
C       192.168.1.0 is directly connected, FastEthernet1/1
PE_m8850_RPM#

We can also check the VRF CEF forwarding table with the command show mpls forwarding-table vrf {VRF Name}.

Configuring the PE-CE Running eBGP

Now it's time to configure the eBGP PE-CE link. On the CE, the BGP private ASN is 65027. We start by configuring a loopback interface on CE_1. We then configure BGP and add the 10.1.0.0/16 network to indicate to BGP that the network originates on this router; CE_1 generates a network entry for 10.1.0.0/16. See Example 7-11:

Example 7-11. CE eBGP Configuration

CE_1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CE_1(config)#interface loopback 0
CE_1(config-if)#ip address 10.1.1.1 255.255.255.255
CE_1(config-if)#exit
CE_1(config)#router bgp 65027
CE_1(config-router)#no auto-summary
CE_1(config-router)#neighbor 192.168.1.1 remote-as 100
CE_1(config-router)#network 10.1.0.0 mask 255.255.0.0
CE_1(config-router)#redistribute static
CE_1(config-router)#exit
CE_1(config)#ip route 10.1.0.0 255.255.0.0 null 0

We need the static route to a null interface to get CE_1 to generate 10.1.0.0/16: the static route creates a matching entry in the CE_1 routing table, which the network statement requires before the prefix can be sent in BGP updates.

We now configure the PE portion. In this case too, the PE-CE IP routing configuration goes into the IPv4 address family (routing context) for the VRF we are configuring. VRF-specific eBGP neighbors are configured under the address family, and MP-BGP neighbors are configured in the BGP routing process. The routes to the CEs should be installed in the VRF routing table and nowhere else. In general, CE neighbors need to be specified within the per-VRF context and not in global BGP. All non-BGP per-VRF routes have to be redistributed into the per-VRF context to be propagated by MP-BGP to other PE routers. This is shown in Example 7-12:

Example 7-12. PE VRF eBGP Configuration

PE_m8850_RPM#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PE_m8850_RPM(config)#router bgp 100
PE_m8850_RPM(config-router)#address-family ipv4 vrf River
PE_m8850_RP(config-router-af)#redistribute connected
PE_m8850_RP(config-router-af)#neighbor 192.168.1.2 remote-as 65027
PE_m8850_RP(config-router-af)#neighbor 192.168.1.2 activate
PE_m8850_RP(config-router-af)#^Z
PE_m8850_RPM#

Again, it is important here to redistribute connected so that remote CEs can reach the PE-CE link's IP address; that address will be the next hop for the propagated CE routes.

At this point, as shown in Example 7-13, we can check the BGP VPNv4 summary for our VRF to verify that both the iBGP and the eBGP neighbors are up.

Example 7-13. Checking VRF VPNv4 Summary

PE_m8850_RPM#show ip bgp vpnv4 vrf River summary
BGP router identifier 172.27.1.132, local AS number 100
BGP table version is 11, main routing table version 11
5 network entries and 5 paths using 925 bytes of memory
6 BGP path attribute entries using 360 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 9/30 prefixes, 9/4 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.27.1.129    4   100      48      54       11    0    0 00:02:58        2
192.168.1.2     4 65027      16      20       11    0    0 00:02:44        2
PE_m8850_RPM#

We can also check the details of the BGP VPNv4 table for the VRF River using the command show ip bgp vpnv4 vrf {VRF Name}. See Example 7-14:

Example 7-14. Checking the VRF BGP VPNv4 Table

PE_m8850_RPM#
PE_m8850_RPM#show ip bgp vpnv4 vrf River
BGP table version is 11, local router ID is 172.27.1.132
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:27 (default for vrf River)
*> 10.1.0.0/16      192.168.1.2              0             0 65027 i
*>i10.2.0.0/16      172.27.1.129             0    100      0 ?
*> 192.168.1.0/29   0.0.0.0                  0         32768 ?
*>i192.168.1.8/29   172.27.1.129             0    100      0 ?
PE_m8850_RPM#

Here we see that 10.1.0.0/16 is learned from the CE with eBGP and 10.2.0.0/16 is learned from the remote PE through iBGP. We also see why it is important to redistribute connected in the IPv4 address family for the VRF: 192.168.1.2 is the next hop for 10.1.0.0/16. Finally, we can check the VRF routing table using show ip route vrf. See Example 7-15:

Example 7-15. Checking the VRF Routing Information Base

PE_m8850_RPM#
PE_m8850_RPM#show ip route vrf River
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 1 masks
B       10.2.0.0/16 [200/0] via 172.27.1.129, 00:02:50
B       10.1.0.0/16 [20/0] via 192.168.1.2, 00:01:21
     192.168.1.0/29 is subnetted, 2 subnets
B       192.168.1.8 [200/0] via 172.27.1.129, 00:02:50
C       192.168.1.0 is directly connected, FastEthernet1/1
PE_m8850_RPM#

From each PE we can ping both CEs, and the CEs can ping each other. This connectivity test is shown in Example 7-16.

Example 7-16. VPN Connectivity Test

PE_m8850_RPM#ping vrf River 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PE_m8850_RPM#ping vrf River 10.2.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PE_m8850_RPM#

From the PEs we need to use the vrf form of the ping command, because these are VRF destinations (as opposed to global destinations).

As a final note, the global routing table in the PE routers has not changed since we began configuring MPLS VPNs. As shown in Example 7-17, the global routing table is populated only by the IGP in the MPLS network, which is OSPF in our case, plus the connected prefixes. In other words, VRF routes are not included in the global routing table.

Example 7-17. Checking the PE Global Routing Table

PE_m8250_RPMB_10#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.27.0.0/32 is subnetted, 9 subnets
O       172.27.1.132 [110/26] via 172.27.1.1, 1d20h, Switch1.1
O       172.27.1.133 [110/27] via 172.27.1.1, 1d20h, Switch1.1
O       172.27.1.128 [110/2] via 172.27.1.128, 1d20h, Switch1.2
C       172.27.1.129 is directly connected, Loopback0
O       172.27.1.130 [110/4] via 172.27.1.1, 1d20h, Switch1.1
O       172.27.1.131 [110/32] via 172.27.1.1, 1d20h, Switch1.1
O       172.27.1.1 [110/2] via 172.27.1.1, 1d20h, Switch1.1
O       172.27.1.2 [110/3] via 172.27.1.1, 1d20h, Switch1.1
O       172.27.1.3 [110/25] via 172.27.1.1, 1d20h, Switch1.1
PE_m8250_RPMB_10#
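As an added check that is not part of the book, the following Python parses a PE running-config offline and flags the pitfalls the chapter warns about: a CE-facing interface without ip vrf forwarding (the CE link would sit in the global routing table), a CE eBGP neighbor defined in global BGP instead of under address-family ipv4 vrf, a VPNv4 neighbor missing send-community extended or next-hop-self, and a VRF address family without redistribute connected. The config text, the interface list, and the parse/audit_pe function names are constructed for this example and deliberately contain every pitfall.

```python
# Added example (not from the book): audit a PE running-config for the pitfalls the chapter warns about.
# The config below is constructed after the chapter's PE (AS 100, VRF River, Fa1/1 to CE_1), with each pitfall present.
import re
def parse(config):
    """Tiny IOS-style parser: map each block (interface / router bgp / address-family) to its lines."""
    blocks, key, parent = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():                  # top-level command opens a new block
            key = parent = line
        elif line.startswith("address-family "):   # sub-block of router bgp
            key = line
        elif line == "exit-address-family":
            key = parent
        else:
            blocks.setdefault(key, []).append(line)
    return blocks

def audit_pe(config, local_as, ce_ifaces):
    """Return findings for the chapter's PE pitfalls; an empty list means the checks passed."""
    b, out = parse(config), []
    for name in ce_ifaces:                        # CE link must sit in a VRF, not the global table
        if not any(ln.startswith("ip vrf forwarding ") for ln in b.get(f"interface {name}", [])):
            out.append(f"{name}: no ip vrf forwarding, CE link is in the global routing table")
    for ln in b.get(f"router bgp {local_as}", []):   # CE eBGP neighbors belong under the VRF address family
        m = re.match(r"neighbor (\S+) remote-as (\S+)", ln)
        if m and m.group(2) != local_as:
            out.append(f"neighbor {m.group(1)}: eBGP CE neighbor configured in global BGP")
    vpnv4 = b.get("address-family vpnv4", [])
    for ln in vpnv4:                              # RTs ride in extended communities; next-hop-self avoids the black hole
        m = re.match(r"neighbor (\S+) activate", ln)
        for opt in ("send-community extended", "next-hop-self") if m else ():
            if f"neighbor {m.group(1)} {opt}" not in vpnv4:
                out.append(f"vpnv4 neighbor {m.group(1)}: missing {opt}")
    for key, lines in b.items():                  # remote CEs must be able to reach the PE-CE link address
        if key.startswith("address-family ipv4 vrf ") and "redistribute connected" not in lines:
            out.append(f"{key}: missing redistribute connected")
    return out

PE_CONFIG = """\
interface FastEthernet1/1
 ip address 192.168.1.1 255.255.255.248
router bgp 100
 neighbor 172.27.1.129 remote-as 100
 neighbor 192.168.1.2 remote-as 65027
 address-family vpnv4
  neighbor 172.27.1.129 activate
  neighbor 172.27.1.129 send-community extended
 exit-address-family
 address-family ipv4 vrf River
  neighbor 192.168.1.2 activate
 exit-address-family
"""
```

Running audit_pe(PE_CONFIG, "100", ["FastEthernet1/1"]) returns four findings, one per pitfall; a config that matches Examples 7-1, 7-3 and 7-12 returns an empty list.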