Wednesday, August 12, 2015

MPLS VPNs and OSPF


Introduction:


 This lab discusses OSPF as the dynamic routing protocol used between CE and PE routers. OSPF is a well-established protocol that is used by both service providers and enterprises. Several routing protocols are implemented in this lab: in addition to RIPv2 and MP-BGP, you will learn multi-area OSPF and how it is implemented in an MPLS VPN network.

 Overview: 

  - This lab requires a solid understanding of L3 routing protocols (RIPv2, OSPF, MP-BGP), route distinguishers, route targets and virtual routing and forwarding (VRF). It helps to have already read the MPLS VPNs and RIP lab before reading this one.
  
 - OSPF Router Type:

Backbone router: In OSPF, Area 0 is the backbone area. Any router that has an interface configured for Area 0 is called a backbone router.
Internal router: Any router that has all its interfaces configured for a single area is said to be an internal router.
Area border router (ABR): A router that has interfaces configured for two or more areas. For example, a router with Serial 0/0 in Area 0 and Serial 0/1 in Area 1 is an ABR.
Autonomous system boundary router (ASBR): A router that has at least one interface in the OSPF domain and one interface connecting to an external network. An example of an external network might be a connection to another AS running RIP.


R1: Backbone router/ASBR.
R2, R3: Internal router/Backbone router.
R4, R5: Backbone router/ABR.
R5, R6, R7, R8, R9: Internal router.

- Link State Advertisements (LSAs): 

 LSAs are used to exchange routing information between OSPF-enabled routers. There are 5 main types:


- OSPF and standard BGP interaction:


 An OSPF network is separated by the service provider’s standard BGP backbone. LSA Type 1 or Type 2 routes from Site 1 are redistributed into BGP by a service provider router (PE1) that appears as an ASBR. PE2, an ASBR, redistributes the route from Site 1 back into OSPF and advertises it to Site 2 as an LSA Type 5.

- OSPF and OSPF super backbone interaction:


 In the OSPF hierarchy, all areas have to connect directly to the backbone area (Area 0). The MP-IBGP backbone, functioning as the super-backbone, replaces the Area 0 requirement, meaning that all areas connect to the super-backbone instead of to the Area 0 backbone. Without the super-backbone, PE routers appear as ASBRs. With the super-backbone, PE routers appear as ABRs. Remember that ASBRs advertise LSA Type 5 routes and ABRs advertise LSA Type 3 routes.

- Why is OSPF super backbone important?


  Site 1 and Site 2 are connected to the service provider. In addition, they have an alternate connection through Frame Relay in case the service provider network is unavailable. The key is that internal (O) routes are always preferred over external (O E2) routes. Site 1 generates an OSPF route for the network 10.1.0.0/16. The OSPF route is redistributed into BGP and arrives at Site 2 as an external route (O E2). In addition, Site 2 learns of the route through OSPF across the alternate Frame Relay connection, resulting in an internal route (O) in the routing table. Since the primary connection is through the service provider and the alternate connection is only a backup, it’s safe to assume that the service provider connection is the fastest. Which way do you want the traffic to travel? Through the fastest connection, which is the service provider network. However, in this case the traffic always traverses the alternate Frame Relay connection.

  Now suppose the OSPF super backbone is implemented. From Site 1, network 10.1.0.0/16 is advertised to PE1 and, through the alternate connection, to Site 2. The route received by PE1 is received by Site 2 as an inter-area route (O IA). The route received from Site 1 across the alternate connection is an internal route (O).

 Now, with OSPF super backbone concepts in mind, can you identify the router types and LSA types in our lab?

- How does the service provider handle the routes?

  To prevent routing loops, the down bit is set when routes are redistributed from MP-BGP into OSPF. The down bit prevents routing loops because when a PE router sees the down bit set, it does not redistribute the route back into MP-BGP. If the down bit is removed as it travels through the customer’s network, the tag field, containing the originating BGP AS number, is used to prevent loops. To ensure proper routing, a learned route with the down bit results in the routing bit (only on the PE router) being set. With the routing bit set, the PE router does not use the route, even if it is the best path as dictated by OSPF.
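
The decision described above, modelled in Python as an added example (not code from the original post). It uses the page's AS 65000 and the 10.1.0.0/16 route from the backdoor scenario; the Lsa class, the function names and the customer_transit step are hypothetical, and the numeric tag encoding (0xD0000000 plus the 16-bit AS number, the default VPN route tag of RFC 4577) goes beyond what the page states.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PROVIDER_AS = 65000           # BGP AS of the lab's service provider (from the page)
AUTO_TAG_BASE = 0xD0000000    # RFC 4577 default VPN route tag: bits 1101, 12 zero bits, 16-bit AS


def vpn_route_tag(asn: int) -> int:
    """Tag a PE writes into routes it redistributes from MP-BGP into OSPF."""
    if not 0 < asn <= 0xFFFF:
        raise ValueError("the default tag only encodes a 2-byte AS number")
    return AUTO_TAG_BASE | asn


@dataclass(frozen=True)
class Lsa:                    # hypothetical, reduced to the fields the loop check reads
    prefix: str
    down_bit: bool = False
    tag: Optional[int] = None


def pe_bgp_to_ospf(prefix: str, asn: int = PROVIDER_AS) -> Lsa:
    """PE redistributes a VPN route into the customer's OSPF and marks it twice."""
    return Lsa(prefix, down_bit=True, tag=vpn_route_tag(asn))


def customer_transit(lsa: Lsa, keep_down_bit: bool = True, keep_tag: bool = True) -> Lsa:
    """Customer network carrying the route towards another PE; re-origination
    inside the site can lose either marker."""
    return replace(lsa,
                   down_bit=lsa.down_bit and keep_down_bit,
                   tag=lsa.tag if keep_tag else None)


def pe_ospf_to_bgp(lsa: Lsa, asn: int = PROVIDER_AS) -> Tuple[bool, str]:
    """Decide whether a PE redistributes a CE-learned route back into MP-BGP."""
    if lsa.down_bit:
        return False, "down bit set"
    if lsa.tag == vpn_route_tag(asn):
        return False, "tag carries the local AS"
    return True, "no loop marker present"


def backdoor_case(keep_down_bit: bool, keep_tag: bool) -> Tuple[bool, str]:
    """PE2 injects 10.1.0.0/16 at Site 2; it reaches PE1 over the alternate link."""
    lsa = pe_bgp_to_ospf("10.1.0.0/16")
    return pe_ospf_to_bgp(customer_transit(lsa, keep_down_bit, keep_tag))


if __name__ == "__main__":
    for flags in [(True, True), (False, True), (False, False)]:
        print(flags, backdoor_case(*flags))
```

Only the case in which both markers are lost inside the customer network is redistributed back into MP-BGP.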

Requirements:

1.  Customer sites:
  •  A1, B1, A2, B2 (Non-MPLS-enabled routers): OSPF 1: s0/0-area 0 and L0-area 1.
  •  H/W: A1, B1, A2, B2 are Cisco Routers c3745.
2.  Service Provider sites: 
  • PE1, PE2 (Edge-LSRs): RIPv2; OSPF 101: vrf vpn_a , OSPF 102: vrf vpn_b; BGP AS 65000, MPLS: s0/0 and s0/3.
  • P1, P2, P3, P4 (LSRs): RIPv2, MPLS: s0/0 and s0/1.
  • H/W: PE1, P1, P2, P3, P4, PE2 are Cisco Routers c3745.

Configuration:

1. Customer sites:

- Customers A and B use overlapping address spaces.
- Customer A: the A1 and A2 networks are connected to each other via the service provider network.
- Customer B: the B1 and B2 networks are connected to each other via the service provider network.

- On A1 router:

A1#show running-config

Building configuration...

Current configuration : 2442 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname A1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7LnD$0qutJY934WdeVsL.wl9q90
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to PE1 router***
 ip address 10.2.0.2 255.255.255.252
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router ospf 1
 log-adjacency-changes
 no auto-cost
 network 10.1.0.1 0.0.0.0 area 1
 network 10.2.0.0 0.0.0.3 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- B1, A2, B2 routers are configured similarly.

2. Service provider sites:

 a. Network edge (PE1, PE2):

-  On PE1 router:

PE1#show running-config

Building configuration...

Current configuration : 3694 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PrDN$pHsT2IKCMZjFBIyF8mAbW1
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip vrf vpn_a
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf vpn_b
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to P1 router***
 ip address 192.168.1.10 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description ***Link to customer A1 router***
 ip vrf forwarding vpn_a
 ip address 10.2.0.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/2
 description ***Link to customer B2 router***
 ip vrf forwarding vpn_b
 ip address 10.2.0.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/3
 description ***Link to P3 router***
 ip address 192.168.1.21 255.255.255.252
 mpls ip
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router ospf 101 vrf vpn_a
 router-id 10.99.1.1
 log-adjacency-changes
 redistribute bgp 65000 metric 10 subnets
 network 10.2.0.0 0.0.0.3 area 0
!
router ospf 102 vrf vpn_b
 router-id 10.99.1.2
 log-adjacency-changes
 redistribute bgp 65000 metric 10 subnets
 network 10.2.0.0 0.0.0.3 area 0
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.1.4 remote-as 65000
 neighbor 192.168.1.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 192.168.1.4 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.4 activate
  neighbor 192.168.1.4 send-community both
 exit-address-family
 !
 address-family ipv4 vrf vpn_b
  redistribute ospf 102 vrf vpn_b
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf vpn_a
  redistribute ospf 101 vrf vpn_a
  no synchronization
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- PE2 router is configured similarly.

b. Core Network (P1, P2, P3, P4):

- On P1 router:

P1#show running-config

Building configuration...

Current configuration : 2489 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uj6I$Z5BD8vg85xjuAnv4noYA//
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to PE1 router***
 ip address 192.168.1.9 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description ***Link to P2 router***
 ip address 192.168.1.14 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- P2, P3, P4 routers are configured similarly.

Verification:

a. Connectivity:

- On Customer A:

Check the connection between A1 router and A2 router.

A1#ping 10.4.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/11/40 ms

A1#telnet 10.4.0.1

Trying 10.4.0.1 ... Open


User Access Verification

Password:
A2>

A2#ping 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/44 ms

A2#telnet 10.1.0.1

Trying 10.1.0.1 ... Open


User Access Verification

Password:
A1>

- On Customer B:

Check the connection between B1 router and B2 router.

B1#ping 10.4.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/18/72 ms

B1#telnet 10.4.0.1

Trying 10.4.0.1 ... Open


User Access Verification

Password:
B2>

B2#ping 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/52 ms

B2#telnet 10.1.0.1

Trying 10.1.0.1 ... Open


User Access Verification

Password:
B1>

b. Routing table:

    b1. On Customer Network:

- The customer routers are isolated from the service provider network. They do not know any of the details of the service provider network. Notice in the following device output that no service provider routes are in the global routing tables of the A1, B1, A2 and B2 routers. The global routing table for A1 is as follows:

A1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/0
O IA    10.3.0.0/30 [110/1572] via 10.2.0.1, 00:38:35, Serial0/0
C       10.1.0.1/32 is directly connected, Loopback0
O IA    10.4.0.1/32 [110/1572] via 10.2.0.1, 00:38:35, Serial0/0

 b2. On Service Provider Network:

- The VRF routing table is well isolated from the global routing table on a PE router. Therefore, on the PE1 and PE2 POP routers, no customer (A1, B1, A2 and B2) routes show up in the global routing table. The global routing table of the PE1 POP router is as follows:

PE1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 12 subnets, 2 masks
C       192.168.1.8/30 is directly connected, Serial0/0
R       192.168.1.12/30 [120/1] via 192.168.1.9, 00:00:40, Serial0/0
C       192.168.1.1/32 is directly connected, Loopback0
R       192.168.1.3/32 [120/2] via 192.168.1.9, 00:00:40, Serial0/0
R       192.168.1.2/32 [120/1] via 192.168.1.9, 00:00:40, Serial0/0
R       192.168.1.5/32 [120/1] via 192.168.1.22, 00:00:15, Serial0/3
R       192.168.1.4/32 [120/3] via 192.168.1.22, 00:00:15, Serial0/3
                       [120/3] via 192.168.1.9, 00:00:41, Serial0/0
R       192.168.1.6/32 [120/2] via 192.168.1.22, 00:00:16, Serial0/3
R       192.168.1.24/30 [120/1] via 192.168.1.22, 00:00:16, Serial0/3
R       192.168.1.28/30 [120/2] via 192.168.1.22, 00:00:16, Serial0/3
R       192.168.1.16/30 [120/2] via 192.168.1.9, 00:00:41, Serial0/0
C       192.168.1.20/30 is directly connected, Serial0/3

- In addition, none of the customer (A1, B1, A2 and B2) routes show up on the Core routers (P1, P2, P3 and P4). The Core routers are only running the IGP (RIPv2) and know nothing about any of the customer subnets. The global routing table of the P1 router is as follows:

P1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 12 subnets, 2 masks
C       192.168.1.8/30 is directly connected, Serial0/0
C       192.168.1.12/30 is directly connected, Serial0/1
R       192.168.1.1/32 [120/1] via 192.168.1.10, 00:00:06, Serial0/0
R       192.168.1.3/32 [120/1] via 192.168.1.13, 00:00:04, Serial0/1
C       192.168.1.2/32 is directly connected, Loopback0
R       192.168.1.5/32 [120/2] via 192.168.1.10, 00:00:06, Serial0/0
R       192.168.1.4/32 [120/2] via 192.168.1.13, 00:00:04, Serial0/1
R       192.168.1.6/32 [120/3] via 192.168.1.13, 00:00:07, Serial0/1
                       [120/3] via 192.168.1.10, 00:00:09, Serial0/0
R       192.168.1.24/30 [120/2] via 192.168.1.10, 00:00:09, Serial0/0
R       192.168.1.28/30 [120/2] via 192.168.1.13, 00:00:07, Serial0/1
R       192.168.1.16/30 [120/1] via 192.168.1.13, 00:00:07, Serial0/1
R       192.168.1.20/30 [120/1] via 192.168.1.10, 00:00:11, Serial0/0

- VRF routing table:

PE1#sh ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/1
B       10.3.0.0/30 [200/0] via 192.168.1.4, 00:45:18
O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:46:18, Serial0/1
B       10.4.0.1/32 [200/65] via 192.168.1.4, 00:45:18

PE1#sh ip route vrf vpn_b

Routing Table: vpn_b
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/2
B       10.3.0.0/30 [200/0] via 192.168.1.4, 00:47:05
O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:48:06, Serial0/2
B       10.4.0.1/32 [200/65] via 192.168.1.4, 00:47:05

 In the routing table for vpn_a on the PE1 POP router, there are two BGP routes (B) and one OSPF inter-area route (O IA). The OSPF route in the output was learned from A1 and is the loopback of A1. The B routes are from the PE2 POP router (A2 OSPF routes redistributed into MP-BGP and carried across the service provider backbone).
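
A check for the isolation described in b1 and b2, written as an added example (not part of the original lab): it parses show ip route output and reports any prefix that falls inside address space the table should not hold. The tables are excerpts of the page's output; the leaky PE1 table is constructed, and the CUSTOMER and PROVIDER ranges and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Address plan read off the lab output (an assumption of this example).
CUSTOMER = ipaddress.ip_network("10.0.0.0/8")
PROVIDER = ipaddress.ip_network("192.168.1.0/24")

A1_GLOBAL = """\
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/0
O IA    10.3.0.0/30 [110/1572] via 10.2.0.1, 00:38:35, Serial0/0
C       10.1.0.1/32 is directly connected, Loopback0
O IA    10.4.0.1/32 [110/1572] via 10.2.0.1, 00:38:35, Serial0/0
"""

PE1_GLOBAL = """\
     192.168.1.0/24 is variably subnetted, 12 subnets, 2 masks
C       192.168.1.8/30 is directly connected, Serial0/0
C       192.168.1.1/32 is directly connected, Loopback0
R       192.168.1.4/32 [120/3] via 192.168.1.22, 00:00:15, Serial0/3
                       [120/3] via 192.168.1.9, 00:00:41, Serial0/0
C       192.168.1.20/30 is directly connected, Serial0/3
"""

PE1_VPN_A = """\
C       10.2.0.0/30 is directly connected, Serial0/1
B       10.3.0.0/30 [200/0] via 192.168.1.4, 00:45:18
O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:46:18, Serial0/1
B       10.4.0.1/32 [200/65] via 192.168.1.4, 00:45:18
"""

# Constructed failure case: a customer route sitting in PE1's global table.
PE1_GLOBAL_LEAKY = PE1_GLOBAL + (
    "O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:00:09, Serial0/1\n")

ROUTE = re.compile(
    r"^(?P<code>[A-Z](?: [A-Z][A-Z0-9])?)\s+"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\] via (?P<via>[\d.]+)|is directly connected)"
)


def parse_routes(text):
    """Return [(code, network, next_hop_or_None)]. Legend, summary and
    equal-cost continuation lines do not start with a route code and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            via = ipaddress.ip_address(m["via"]) if m["via"] else None
            routes.append((m["code"], ipaddress.ip_network(m["prefix"]), via))
    return routes


def leaked(text, forbidden):
    """Prefixes in a routing table that overlap address space it must not hold."""
    return sorted(str(net) for _, net, _ in parse_routes(text)
                  if net.overlaps(forbidden))


def remote_vpn_routes(text):
    """BGP routes of a VRF table mapped to their next hop (the remote PE)."""
    return {str(net): str(via) for code, net, via in parse_routes(text)
            if code == "B"}


if __name__ == "__main__":
    print("A1 global, provider prefixes:", leaked(A1_GLOBAL, PROVIDER))
    print("PE1 global, customer prefixes:", leaked(PE1_GLOBAL, CUSTOMER))
    print("PE1 leaky, customer prefixes:", leaked(PE1_GLOBAL_LEAKY, CUSTOMER))
    print("vpn_a remote routes:", remote_vpn_routes(PE1_VPN_A))
```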

- Ping and Telnet from PE routers:

 The quickest way to verify that the VRF is up and working is to do a ping from one customer router to another. However, it is not practical to assume that the service provider will always have access to customer routers. Therefore, extensions have been made to the standard ping and telnet commands.

PE1#ping 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

PE1#ping vrf vpn_a 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/16 ms

PE1#telnet 10.1.0.1

Trying 10.1.0.1 ...
% Destination unreachable; gateway or host down

PE1#telnet 10.1.0.1 /vrf vpn_a

Trying 10.1.0.1 ... Open


User Access Verification

Password:
A1>

 Why can't the PE1 router ping the A1 router directly?

Because PE1 maintains the routing tables for the customers separately from the global routing table.

Troubleshooting:

- From A1 to A2:

A1#trace 10.4.0.1

Type escape sequence to abort.
Tracing the route to 10.4.0.1

  1 10.2.0.1 4 msec 24 msec 4 msec
  2 192.168.1.9 [MPLS: Labels 24/26 Exp 0] 84 msec 4 msec 56 msec
  3 192.168.1.13 [MPLS: Labels 18/26 Exp 0] 16 msec 8 msec 4 msec
  4 10.3.0.1 [MPLS: Label 26 Exp 0] 20 msec 0 msec 4 msec
  5 10.3.0.2 52 msec 32 msec 8 msec

- There are 5 hops for a packet traversing from A1 to A2 router. The path from A1 to A2 router is as follows:

1 10.2.0.1 4 msec 24 msec 4 msec --> This is the first hop, which is the PE1 router. This router is directly connected to A1 via its s0/1. The PE1 router also creates VPN label 26 for a packet from customer A1 to distinguish the traffic from A1 from other traffic. This value won't change when the packet traverses the service provider routers. Moreover, the PE1 router also creates MPLS label 24, which is used to switch the packet to the P1 router via the s0/0 interface. Let's take a look at PE1's VRF routing table and forwarding table.

PE1#sh ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/1
B       10.3.0.0/30 [200/0] via 192.168.1.4, 00:45:18
O IA    10.1.0.1/32 [110/65] via 10.2.0.2, 00:46:18, Serial0/1
B       10.4.0.1/32 [200/65] via 192.168.1.4, 00:45:18

Obviously, the packet destined from A1 to A2 arrives at the PE1 POP router. Does the PE1 POP router have a path to get to the loopback interface of A2 (10.4.0.1)? Yes. There’s a BGP route to the 10.4.0.1 network with a next hop address of 192.168.1.4 (PE2).


How does the PE1 router get the packet to the PE2 POP router?

 It sends it as a labeled packet, or a tagged packet. Let's take a look at PE1's forwarding table:

PE1#sh mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.2/32    0          Se0/0      point2point
17     16          192.168.1.3/32    0          Se0/0      point2point
18     Pop tag     192.168.1.12/30   0          Se0/0      point2point
19     17          192.168.1.16/30   0          Se0/0      point2point
20     Pop tag     192.168.1.5/32    0          Se0/3      point2point
21     16          192.168.1.6/32    0          Se0/3      point2point
22     Pop tag     192.168.1.24/30   0          Se0/3      point2point
23     17          192.168.1.28/30   0          Se0/3      point2point
24     24          192.168.1.4/32    0          Se0/3      point2point
       24          192.168.1.4/32    0          Se0/0      point2point
25     Untagged    10.1.0.1/32[V]    0          Se0/1      point2point
26     Aggregate   10.2.0.0/30[V]    1752
27     Untagged    10.1.0.1/32[V]    0          Se0/2      point2point
28     Aggregate   10.2.0.0/30[V]    0

From the PE1 router's standpoint, it takes untagged (unlabeled) traffic coming in on its s0/1 interface from the A1 router, then tags this packet with VPN label 26. Moreover, the PE1 router also switches this packet out its s0/0 interface with outbound label 24.

  2 192.168.1.9 [MPLS: Labels 24/26 Exp 0] 84 msec 4 msec 56 msec --> A labeled packet is switched from PE1 to P1 with MPLS label 24 and VPN label 26. To see what happens at the P1 router, let's check P1's forwarding table.


P1#show mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.3/32    0          Se0/1      point2point
17     Pop tag     192.168.1.16/30   0          Se0/1      point2point
18     Pop tag     192.168.1.1/32    9570       Se0/0      point2point
19     20          192.168.1.5/32    0          Se0/0      point2point
20     20          192.168.1.6/32    0          Se0/1      point2point
       21          192.168.1.6/32    0          Se0/0      point2point
21     Pop tag     192.168.1.20/30   0          Se0/0      point2point
22     22          192.168.1.24/30   0          Se0/0      point2point
23     23          192.168.1.28/30   0          Se0/1      point2point
24     18          192.168.1.4/32    5970       Se0/1      point2point

A packet labeled 24 from PE1 router to P1 router will be switched out P1's s0/1 interface with outbound label 18.

3 192.168.1.13 [MPLS: Labels 18/26 Exp 0] 16 msec 8 msec 4 msec --> A labeled packet is switched from P1 to P2 with MPLS label 18 and VPN label 26. To see what happens at the P2 router, let's check P2's forwarding table.


P2#show mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.2/32    0          Se0/0      point2point
17     Pop tag     192.168.1.8/30    0          Se0/0      point2point
18     Pop tag     192.168.1.4/32    5739       Se0/1      point2point
19     20          192.168.1.5/32    0          Se0/1      point2point
       19          192.168.1.5/32    0          Se0/0      point2point
20     21          192.168.1.6/32    0          Se0/1      point2point
21     21          192.168.1.20/30   0          Se0/0      point2point
22     23          192.168.1.24/30   0          Se0/1      point2point
23     Pop tag     192.168.1.28/30   0          Se0/1      point2point
24     18          192.168.1.1/32    10499      Se0/0      point2point

What happens to the packet? From the P1 router, the packet is sent with a tag of 18. By observing the output of the show mpls forwarding-table command on the P2 router, you can see that an inbound labeled packet of 18 arriving at the P2 router has its label popped and is forwarded as unlabeled IP out interface Serial 0/1. So here at the P2 router, there is no routing, only switching of labeled, or tagged, packets. You can think of Pop tag as meaning, "The next hop router needs to do an L3 lookup on the packet, so don't send this traffic as labeled, but instead send it as unlabeled IP traffic". Note that when I say unlabeled IP packet in this case, I mean an IP packet with a VPN label.

 4 10.3.0.1 [MPLS: Label 26 Exp 0] 20 msec 0 msec 4 msec --> The packet is handed from the P2 router to PE2. Based on VPN label 26, the egress PE2 router knows that this packet belongs to customer A1. Because this is an IP packet, let's check PE2's VRF routing table.

PE2#sh ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B       10.2.0.0/30 [200/0] via 192.168.1.1, 01:20:28
C       10.3.0.0/30 is directly connected, Serial0/1
B       10.1.0.1/32 [200/65] via 192.168.1.1, 01:20:28
O IA    10.4.0.1/32 [110/65] via 10.3.0.2, 01:21:14, Serial0/1

Obviously, there is an OSPF route to get from PE2 to A1 router via 10.3.0.2 (A1's s0/0).

  5 10.3.0.2 52 msec 32 msec 8 msec --> 10.3.0.2 is the IP address of A2's s0/0 and this is also the last hop. 
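
The walk-through above, reproduced from the forwarding tables as an added example (not code from the original lab). It takes VPN label 26 and the BGP next hop 192.168.1.4 as inputs from the page's traceroute and VRF table; parse_lfib, walk and the LINKS map are names made up for the example, and the tables are excerpts of the page's output.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "out prefix intf")

# Rows excerpted from the page's `show mpls forwarding-table` output.
LFIB_TEXT = {
    "PE1": """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.2/32    0          Se0/0      point2point
24     24          192.168.1.4/32    0          Se0/3      point2point
       24          192.168.1.4/32    0          Se0/0      point2point
26     Aggregate   10.2.0.0/30[V]    1752
""",
    "P1": """\
18     Pop tag     192.168.1.1/32    9570       Se0/0      point2point
20     20          192.168.1.6/32    0          Se0/1      point2point
       21          192.168.1.6/32    0          Se0/0      point2point
24     18          192.168.1.4/32    5970       Se0/1      point2point
""",
    "P2": """\
18     Pop tag     192.168.1.4/32    5739       Se0/1      point2point
24     18          192.168.1.1/32    10499      Se0/0      point2point
""",
}

# Neighbour behind each interface: PE1 and P1 from the interface descriptions
# in the configs, P2 Se0/1 -> PE2 from the walk-through text.
LINKS = {("PE1", "Se0/0"): "P1", ("PE1", "Se0/3"): "P3",
         ("P1", "Se0/1"): "P2", ("P2", "Se0/1"): "PE2"}

ROW = re.compile(
    r"^(?P<local>\d+)?\s+(?P<out>Pop tag|Untagged|Aggregate|\d+)\s+"
    r"(?P<prefix>\S+)\s+(?P<bytes>\d+)(?:\s+(?P<intf>\S+)\s+(?P<nh>\S+))?\s*$"
)


def parse_lfib(text):
    """Map local label -> [Entry]. A row without a local label is an extra
    equal-cost path for the row above it; Aggregate rows have no interface."""
    table, local = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # header lines
        if m["local"]:
            local = int(m["local"])
        table.setdefault(local, []).append(Entry(m["out"], m["prefix"], m["intf"]))
    return table


def walk(tables, links, ingress, egress_intf, next_hop_fec, vpn_label):
    """Follow a VPN packet from the ingress PE; return [(router, labels as received)]."""
    push = next(e for rows in tables[ingress].values() for e in rows
                if e.prefix == next_hop_fec and e.intf == egress_intf)
    stack = ([] if push.out == "Pop tag" else [int(push.out)]) + [vpn_label]
    router, hops = links[(ingress, egress_intf)], []
    while True:
        hops.append((router, list(stack)))
        if len(stack) == 1:               # only the VPN label is left: egress PE
            return hops
        entry = tables[router][stack[0]][0]   # first path if several are listed
        if entry.out == "Pop tag":        # penultimate hop removes the transport label
            stack.pop(0)
        elif entry.out.isdigit():
            stack[0] = int(entry.out)     # swap the transport label
        else:
            raise ValueError(f"{router}: label {stack[0]} is {entry.out}, not switched")
        router = links[(router, entry.intf)]


TABLES = {name: parse_lfib(text) for name, text in LFIB_TEXT.items()}


def trace_a1_to_a2():
    """PE1 sends towards BGP next hop 192.168.1.4 out Se0/0 with VPN label 26."""
    return walk(TABLES, LINKS, "PE1", "Se0/0", "192.168.1.4/32", 26)


if __name__ == "__main__":
    for router, labels in trace_a1_to_a2():
        print(router, "/".join(map(str, labels)))
```

The result matches hops 2 to 4 of the traceroute: 24/26 at P1, 18/26 at P2 and 26 at PE2.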

  Now, your homework is to analyze the traffic from B1 router to B2 router with the traceroute as below:

B1#trace 10.3.0.2

Type escape sequence to abort.
Tracing the route to 10.3.0.2

  1 10.2.0.1 4 msec 4 msec 28 msec
  2 192.168.1.22 [MPLS: Labels 24/27 Exp 0] 32 msec 0 msec 4 msec
  3 192.168.1.26 [MPLS: Labels 20/27 Exp 0] 24 msec 0 msec 0 msec
  4 10.3.0.1 [MPLS: Label 27 Exp 0] 0 msec 40 msec 4 msec
  5 10.3.0.2 20 msec 28 msec 0 msec

Conclusions

In this lab, you have learned OSPF router types, LSA types, the importance of the OSPF super backbone for a survivable network and how the service provider manipulates the routes. You also learned how to implement multi-area OSPF in MPLS VPNs, including configuration, verification and troubleshooting.
