Introduction:
This lab introduces the configuration commands and technology required to implement a simple MPLS-based VPN. It also introduces route targets and the redistribution of routes into and out of virtual routing and forwarding (VRF) tables. You'll learn how to configure a simple MPLS VPN using RIP as the CE routing protocol, and how to verify and troubleshoot it with the same show, ping and traceroute commands you would use on a production network.
Overview:
- First, it is important to understand how an MPLS VPN switches packets. An MPLS VPN builds on the principles of standard MPLS. When a customer packet enters the service provider network at the ingress PE, the PE pushes two labels: an inner VPN label, learned from the egress PE through MP-BGP, and an outer transport label, learned through LDP for the IGP route to the egress PE's loopback, which carries the packet across the provider core. The LSRs (P routers) along the LSP switch on the outer label only and know nothing about customer networks. When the packet arrives at the egress PE, the VPN label selects the correct VPN (VRF) and the packet is forwarded to the customer. Customer routers require no MPLS functionality.
- Second, Multi-Protocol BGP (MP-BGP) is required for MPLS VPNs to work. From a network design standpoint, an IGP runs in the service provider core and MP-BGP runs between the PE routers; the MP-BGP sessions carry the customer routes (as VPNv4 prefixes) across the service provider backbone. MP-BGP must be configured on every PE that participates in a VPN.
- Third, the virtual routing and forwarding (VRF) table. A VRF is how Cisco implements the concept of a virtual router: it consists of an IP routing table, a CEF table, the interfaces assigned to it, and the routing protocol rules and filters that feed it. Global routes are not in a VRF, and VRF routes are not in the global routing table.
- Finally, the Route Distinguisher (RD) and Route Target (RT). They can carry the same value (as they do in this lab), but they serve very different purposes:
- The RD is prepended to each IPv4 prefix to form a unique VPNv4 prefix, so that overlapping customer prefixes (here both customers use 10.2.0.0/30 and 10.3.0.0/30) can coexist in MP-BGP. The RD plays no part in deciding which VRF receives a route.
- The RT is a BGP extended community that controls which VRFs a route is imported into. There are two kinds. When routes are redistributed from a routing context into MP-BGP, the VRF's export route target is attached to them. When MP-BGP routes are installed back into VRFs, each VRF imports only the routes that carry one of its import route targets. The RTs are therefore the access control between customers: a VRF that imports another customer's export RT merges the two VPNs.
Note that a routing context is a mechanism that provides separate, isolated instances of a single routing protocol. For example, a single router can serve many customers with one instance of RIP by running a separate routing context (address-family ipv4 vrf) per customer.
Requirements:
1. Customer sites:
- A1, B1, A2, B2 (non-MPLS-enabled routers): RIPv2.
- H/W: A1, B1, A2, B2 are Cisco c3745 routers.
2. Service provider sites:
- PE1, PE2 (edge LSRs): RIPv2, iBGP (MP-BGP VPNv4), MPLS on s0/0.
- P1, P2 (LSRs): RIPv2, MPLS on s0/0 and s0/1.
- H/W: PE1, P1, P2, PE2 are Cisco c3745 routers.
Configuration
1. Customer sites:
- Customer A and customer B use overlapping address space: both use 10.2.0.0/30 and 10.3.0.0/30 on their PE links and 10.1.0.1/32 and 10.4.0.1/32 as loopbacks.
- Customer A: A1 and A2 are connected to each other through the service provider network.
- Customer B: B1 and B2 are connected to each other through the service provider network.
- On A1 router:
A1#show running-config
Building configuration...
Current configuration : 2341 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname A1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7LnD$0qutJY934WdeVsL.wl9q90
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 10.1.0.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.2.0.2 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end
- B1, A2, B2 routers are configured similarly. Note that, as on every router in this lab, the console and VTY passwords are stored in clear text (no service password-encryption, password console, password telnet) and management access is plain Telnet; that is acceptable only on an isolated lab network.
2. Service provider sites:
a. Network edge (PE1, PE2):
- On PE1 router:
PE1#show running-config
Building configuration...
Current configuration : 3638 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PrDN$pHsT2IKCMZjFBIyF8mAbW1
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip vrf vpn_a
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
ip vrf vpn_b
rd 65000:2
route-target export 65000:2
route-target import 65000:2
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ***Link to P1 router***
ip address 192.168.1.10 255.255.255.252
mpls ip
no fair-queue
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
description ***Link to customer A1 router***
ip vrf forwarding vpn_a
ip address 10.2.0.1 255.255.255.252
clock rate 2000000
!
interface Serial0/2
description ***Link to customer B1 router***
ip vrf forwarding vpn_b
ip address 10.2.0.1 255.255.255.252
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 192.168.1.0
no auto-summary
!
address-family ipv4 vrf vpn_b
redistribute bgp 65000 metric transparent
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
address-family ipv4 vrf vpn_a
redistribute bgp 65000 metric transparent
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
router bgp 65000
bgp log-neighbor-changes
neighbor 192.168.1.4 remote-as 65000
neighbor 192.168.1.4 update-source Loopback0
!
address-family ipv4
neighbor 192.168.1.4 activate
neighbor 192.168.1.4 next-hop-self
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 192.168.1.4 activate
neighbor 192.168.1.4 send-community both
exit-address-family
!
address-family ipv4 vrf vpn_b
redistribute rip
no synchronization
exit-address-family
!
address-family ipv4 vrf vpn_a
redistribute rip
no synchronization
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end
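The ip vrf blocks in the PE1 configuration above are where the separation between customer A and customer B is actually decided. The Python below is an added example (not part of the lab) that models what those lines do: it parses the vrf/rd/route-target blocks, builds VPNv4 routes the way redistribution into MP-BGP does (RD prepended, export RT attached), imports them into each VRF by import RT, and flags the one misconfiguration that silently merges two customers: a VRF that imports another VRF's export RT. The config text is a constructed excerpt modelled on PE1's configuration; the remote-site prefixes are the lab's overlapping 10.x addresses.

```python
"""Added example, not part of the lab: RD/RT handling as configured on PE1,
plus a check for cross-customer route leakage via a misconfigured import RT."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on PE1's 'ip vrf' blocks.
PE1_VRF_CONFIG = """\
ip vrf vpn_a
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf vpn_b
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
"""

# Constructed mistake: vpn_b additionally imports customer A's export RT.
LEAKY_VRF_CONFIG = PE1_VRF_CONFIG.replace(
    " route-target import 65000:2\n",
    " route-target import 65000:2\n route-target import 65000:1\n")


@dataclass
class Vrf:
    name: str
    rd: str = ""
    export_rts: set = field(default_factory=set)
    import_rts: set = field(default_factory=set)


def parse_vrfs(config: str) -> dict:
    """Collect rd / route-target lines under each 'ip vrf' block ('!' ends a block)."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif m := re.fullmatch(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(m.group(1), Vrf(m.group(1)))
        elif current is None:
            continue
        elif m := re.fullmatch(r"rd (\S+)", line):
            current.rd = m.group(1)
        elif m := re.fullmatch(r"route-target (export|import|both) (\S+)", line):
            kind, rt = m.groups()
            if kind != "import":
                current.export_rts.add(rt)
            if kind != "export":
                current.import_rts.add(rt)
    return vrfs


def export_routes(vrf: Vrf, prefixes) -> list:
    """Redistribution into MP-BGP: the RD is prepended to make a VPNv4 prefix
    and the VRF's export RTs are attached as extended communities."""
    return [(vrf.rd, p, frozenset(vrf.export_rts)) for p in prefixes]


def import_routes(vrf: Vrf, vpnv4_table) -> dict:
    """Install every VPNv4 route whose RTs intersect the VRF's import RTs.
    Returns {ipv4_prefix: {RDs it was learned under}}; more than one RD for a
    prefix means two customers' routes collided inside one VRF."""
    installed = {}
    for rd, prefix, rts in vpnv4_table:
        if rts & vrf.import_rts:
            installed.setdefault(prefix, set()).add(rd)
    return installed


def rt_leaks(vrfs: dict) -> list:
    """(importer, exporter) pairs where a VRF imports another VRF's export RT."""
    return sorted((a.name, b.name) for a in vrfs.values() for b in vrfs.values()
                  if a is not b and a.import_rts & b.export_rts)


def simulate(config: str) -> dict:
    """Both customers advertise the same remote-site prefixes (as in the lab);
    return what each VRF ends up importing."""
    vrfs = parse_vrfs(config)
    remote_site = ["10.3.0.0/30", "10.4.0.1/32"]  # constructed, same for A and B
    vpnv4_table = [r for v in vrfs.values() for r in export_routes(v, remote_site)]
    return {name: import_routes(v, vpnv4_table) for name, v in vrfs.items()}


if __name__ == "__main__":
    for label, cfg in (("lab config", PE1_VRF_CONFIG), ("leaky config", LEAKY_VRF_CONFIG)):
        print(label, "leaks:", rt_leaks(parse_vrfs(cfg)))
        for name, table in simulate(cfg).items():
            print(" ", name, table)
```

With the lab configuration each VRF ends up with 10.3.0.0/30 under exactly one RD. With the leaky configuration vpn_b holds 10.3.0.0/30 under both 65000:1 and 65000:2; on a real PE, BGP best-path selection would then pick one of them, and customer B's traffic for 10.3.0.2 could be delivered to customer A's site. Running rt_leaks over every PE's configuration is a cheap audit to add to a change process.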
Verification:
a. Connectivity:
- On Customer A:
Check the connection between A1 router and A2 router.
A1#ping 10.3.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/60 ms
A1#telnet 10.3.0.2
Trying 10.3.0.2 ... Open
User Access Verification
Password:
A2>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/68 ms
B1#telnet 10.3.0.2
Trying 10.3.0.2 ... Open
User Access Verification
Password:
B2>
- In addition, none of the customer (A1, B1, A2 and B2) routes show up on the Core routers (P1, and P2). The Core routers are only running the IGP (RIPv2) and know nothing about any of the customer subnets. The global routing table of the P1 router is as follows:
P1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.1.0/24 is variably subnetted, 7 subnets, 2 masks
C 192.168.1.8/30 is directly connected, Serial0/0
C 192.168.1.12/30 is directly connected, Serial0/1
R 192.168.1.1/32 [120/1] via 192.168.1.10, 00:00:11, Serial0/0
R 192.168.1.3/32 [120/1] via 192.168.1.13, 00:00:17, Serial0/1
C 192.168.1.2/32 is directly connected, Loopback0
R 192.168.1.4/32 [120/2] via 192.168.1.13, 00:00:17, Serial0/1
R 192.168.1.16/30 [120/1] via 192.168.1.13, 00:00:17, Serial0/1
- VRF routing table:
PE1#show ip route vrf vpn_a
Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/1
B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:30
R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:26, Serial0/1
B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:30
PE1#show ip route vrf vpn_b
Routing Table: vpn_b
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/2
B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:47
R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:06, Serial0/2
B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:47
PE1#ping 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
This ping fails because a network for 10.2.0.2 is not in the PE1 POP router’s global routing table; instead it’s in a VRF.
PE1#ping vrf vpn_a 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms
PE1#ping vrf vpn_a ip 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
- From A1 to A2:
A1#trace 10.3.0.2
Type escape sequence to abort.
Tracing the route to 10.3.0.2
1 10.2.0.1 32 msec 32 msec 28 msec
2 192.168.1.9 [MPLS: Labels 19/21 Exp 0] 116 msec 60 msec 32 msec
3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec
4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec
5 10.3.0.2 32 msec 60 msec 28 msec
- From B1 to B2:
B1#trace 10.3.0.2
Type escape sequence to abort.
Tracing the route to 10.3.0.2
1 10.2.0.1 40 msec 32 msec 32 msec
2 192.168.1.9 [MPLS: Labels 19/23 Exp 0] 60 msec 60 msec 32 msec
3 192.168.1.13 [MPLS: Labels 16/23 Exp 0] 60 msec 60 msec 32 msec
4 10.3.0.1 [MPLS: Label 23 Exp 0] 32 msec 52 msec 28 msec
5 10.3.0.2 120 msec 60 msec 28 msec
2 192.168.1.9 [MPLS: Labels 19/21 Exp 0] 116 msec 60 msec 32 msec --> A labeled packet is switched from PE1 to P1 with MPLS label 19 and VPN label 21. What will happen at P1 router, let's check the P1's forwarding table.
P1#sh mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 192.168.1.3/32 0 Se0/1 point2point
17 Pop tag 192.168.1.16/30 0 Se0/1 point2point
18 Pop tag 192.168.1.1/32 7257 Se0/0 point2point
19 16 192.168.1.4/32 3825 Se0/1 point2point
A packet labeled 19 from PE1 router to P1 router will be switched out P1's s0/1 interface with outbound label 16.
3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec --> A labeled packet is switched from P1 to P2 with MPLS label 16 and VPN label 21. What will happen at P2 router, let's check the P2's forwarding table.
P2#sh mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 192.168.1.4/32 4939 Se0/1 point2point
17 18 192.168.1.1/32 9323 Se0/0 point2point
18 Pop tag 192.168.1.2/32 0 Se0/0 point2point
19 Pop tag 192.168.1.8/30 0 Se0/0 point2point
What happens to the packet? Well, from the P1 router, the packet is sent with a tag of 16. By observing the output of the show mpls forwarding-table command on the P2 router, you can see that an inbound labeled packet of 16 arriving at the P2 router has its label popped and is forwarded as unlabeled IP out interface Serial 0/1. So here at the P2 router, there is no routing, only switching of labeled, or tagged packets. You can think of Pop tag as meaning, "The next hop router needs to do a L3 lookup on the packet, so don't send this traffic as labeled, but instead send it as unlabeled IP traffic". Note that that when I said unlabeled IP packet in this case, it means it's an IP packet with VPN label.
4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec --> A packet handed from P2 router to PE2. Based on VPN label 21, egress PE2 router can understand this packet belonging to customer A1. Because this is an IP packet, let's check the PE2's VRF routing table.
PE2#sh ip route vrf vpn_a
Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B 10.2.0.0/30 [200/0] via 192.168.1.1, 01:24:59
C 10.3.0.0/30 is directly connected, Serial0/1
B 10.1.0.1/32 [200/1] via 192.168.1.1, 01:24:59
R 10.4.0.1/32 [120/1] via 10.3.0.2, 00:00:58, Serial0/1
Obviously, the PE2 router is directly connected to A1 router via s0/1 (PE2's interface).
5 10.3.0.2 32 msec 60 msec 28 msec --> A2 router is the last hop and it is also directly connected to PE2 router as I have just mentioned.
1. Customer sites:
- Customer A and B are overlapping address spaces.
- Customer A: A1 and A2 network are connected each other via service provider network.
- Customer B: B1 and B2 network are connected each other via service provider network.
- On A1 router:
A1#show running-config
Building configuration...
Current configuration : 2341 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname A1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7LnD$0qutJY934WdeVsL.wl9q90
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 10.1.0.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.2.0.2 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end
- B1, A2, B2 routers are configured similarly.
2. Service provider sites:
a. Network edge (PE1, PE2):
- On PE1 router:
PE1#show running-config
Building configuration...
Current configuration : 3638 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PrDN$pHsT2IKCMZjFBIyF8mAbW1
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip vrf vpn_a
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
ip vrf vpn_b
rd 65000:2
route-target export 65000:2
route-target import 65000:2
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ***Link to P1 router***
ip address 192.168.1.10 255.255.255.252
mpls ip
no fair-queue
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
description ***Link to customer A1 router***
ip vrf forwarding vpn_a
ip address 10.2.0.1 255.255.255.252
clock rate 2000000
!
interface Serial0/2
description ***Link to customer B2 router***
ip vrf forwarding vpn_b
ip address 10.2.0.1 255.255.255.252
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 192.168.1.0
no auto-summary
!
address-family ipv4 vrf vpn_b
redistribute bgp 65000 metric transparent
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
address-family ipv4 vrf vpn_a
redistribute bgp 65000 metric transparent
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
router bgp 65000
bgp log-neighbor-changes
neighbor 192.168.1.4 remote-as 65000
neighbor 192.168.1.4 update-source Loopback0
!
address-family ipv4
neighbor 192.168.1.4 activate
neighbor 192.168.1.4 next-hop-self
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 192.168.1.4 activate
neighbor 192.168.1.4 send-community both
exit-address-family
!
address-family ipv4 vrf vpn_b
redistribute rip
no synchronization
exit-address-family
!
address-family ipv4 vrf vpn_a
redistribute rip
no synchronization
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end
- PE2 router is configured similarly.
b. Core Network(P1, P2):
- On P1 router:
P1#show running-config
Building configuration...
Current configuration : 2489 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uj6I$Z5BD8vg85xjuAnv4noYA//
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 192.168.1.2 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ***Link to PE1 router***
ip address 192.168.1.9 255.255.255.252
mpls ip
no fair-queue
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
description ***Link to P2 router***
ip address 192.168.1.14 255.255.255.252
mpls ip
no fair-queue
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end
- P2 router is configured similarly.
Verification:
- On Customer A:
Check the connection between A1 router and A2 router.
A1#ping 10.3.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/60 ms
A1#telnet 10.3.0.2
Trying 10.3.0.2 ... Open
User Access Verification
Password:
A2>
- On Customer B:
Check the connection between B1 router and B2 router.
B1#ping 10.3.0.2Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/68 ms
B1#telnet 10.3.0.2
Trying 10.3.0.2 ... Open
User Access Verification
Password:
B2>
b. Routing table:
b1. On Customer Network:
- They are isolated from the service provider network. The client routers do not know any of the details of the service provider network. Notice in the following device output that no service provider routes are in the global routing tables for A1, B1, A2 and B2 router. The global routing table for A1 is as follows:
A1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/0
R 10.3.0.0/30 [120/1] via 10.2.0.1, 00:00:02, Serial0/0
C 10.1.0.1/32 is directly connected, Loopback0
R 10.4.0.1/32 [120/2] via 10.2.0.1, 00:00:02, Serial0/0
b2. On Service Provider Network:
- The VRF routing table is well isolated from the global routing table on a PE router. Therefore, on the PE1 and PE2 POP routers, no customer (A1, B1, A2 and B2) routes show up in the global routing table. The global routing table of the PE1 POP router is as follows:
PE1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.1.0/24 is variably subnetted, 7 subnets, 2 masks
C 192.168.1.8/30 is directly connected, Serial0/0
R 192.168.1.12/30 [120/1] via 192.168.1.9, 00:00:21, Serial0/0
C 192.168.1.1/32 is directly connected, Loopback0
R 192.168.1.3/32 [120/2] via 192.168.1.9, 00:00:21, Serial0/0
R 192.168.1.2/32 [120/1] via 192.168.1.9, 00:00:21, Serial0/0
R 192.168.1.4/32 [120/3] via 192.168.1.9, 00:00:21, Serial0/0
R 192.168.1.16/30 [120/2] via 192.168.1.9, 00:00:21, Serial0/0
- In addition, none of the customer (A1, B1, A2 and B2) routes show up on the Core routers (P1, and P2). The Core routers are only running the IGP (RIPv2) and know nothing about any of the customer subnets. The global routing table of the P1 router is as follows:
P1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.1.0/24 is variably subnetted, 7 subnets, 2 masks
C 192.168.1.8/30 is directly connected, Serial0/0
C 192.168.1.12/30 is directly connected, Serial0/1
R 192.168.1.1/32 [120/1] via 192.168.1.10, 00:00:11, Serial0/0
R 192.168.1.3/32 [120/1] via 192.168.1.13, 00:00:17, Serial0/1
C 192.168.1.2/32 is directly connected, Loopback0
R 192.168.1.4/32 [120/2] via 192.168.1.13, 00:00:17, Serial0/1
R 192.168.1.16/30 [120/1] via 192.168.1.13, 00:00:17, Serial0/1
- VRF routing table:
PE1#show ip route vrf vpn_a
Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/1
B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:30
R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:26, Serial0/1
B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:30
PE1#show ip route vrf vpn_b
Routing Table: vpn_b
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/2
B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:47
R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:06, Serial0/2
B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:47
In the routing table for vpn_a on the PE1 POP router, there are two BGP routes (B) and one RIP route (R). The RIP route in the output was learned from A1 and is the loopback of A1. The B routes are from the PE2 POP router (A2 RIP routes redistributed into MP-BGP and carried across the service provider backbone).
- Ping and Telnet from PE routers:
The quickest way to verify that the VRF is up and working is to ping from one customer router to another. However, it is not practical to assume that the service provider will always have access to customer routers. Therefore, extensions have been made to the standard ping and telnet commands so that a lookup can be forced into a specific VRF.
PE1#ping 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
This ping fails because a network for 10.2.0.2 is not in the PE1 POP router’s global routing table; instead it’s in a VRF.
PE1#ping vrf vpn_a 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms
PE1#ping vrf vpn_a ip 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms
PE1#telnet 10.1.0.1
Trying 10.1.0.1 ...
% Destination unreachable; gateway or host down
PE1#telnet 10.1.0.1 /vrf vpn_a
Trying 10.1.0.1 ... Open
User Access Verification
Password:
A1>
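The two observations above (the P routers' global table carries no customer prefixes, and a plain ping from PE1 to 10.2.0.2 fails because that prefix lives only in the VRF) can both be checked mechanically. The following Python example is added here and is not part of the original lab; it parses the `show ip route` output quoted above (embedded as constructed sample text), does a longest-prefix match per table, and reports any customer-space prefix that has leaked into a core router's global table. The route-code regex assumes single-token codes such as C, R and B, as in this lab; two-word codes like "O IA" are not handled.

```python
import ipaddress
import re

# Constructed samples: the 'show ip route' output quoted in this lab for the
# P1 core router (global table) and the PE1 router (VRF vpn_a), header lines included.
P1_GLOBAL = """\
P1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
192.168.1.0/24 is variably subnetted, 7 subnets, 2 masks
C 192.168.1.8/30 is directly connected, Serial0/0
C 192.168.1.12/30 is directly connected, Serial0/1
R 192.168.1.1/32 [120/1] via 192.168.1.10, 00:00:11, Serial0/0
R 192.168.1.3/32 [120/1] via 192.168.1.13, 00:00:17, Serial0/1
C 192.168.1.2/32 is directly connected, Loopback0
R 192.168.1.4/32 [120/2] via 192.168.1.13, 00:00:17, Serial0/1
R 192.168.1.16/30 [120/1] via 192.168.1.13, 00:00:17, Serial0/1
"""

PE1_VPN_A = """\
PE1#show ip route vrf vpn_a
Routing Table: vpn_a
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/1
B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:30
R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:26, Serial0/1
B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:30
"""

# A route line starts with a short single-token route code (C, R, B, ...) followed
# by a prefix in CIDR form. Header, prompt and "variably subnetted" summary lines
# do not match this pattern and are skipped.
ROUTE_RE = re.compile(r"^(?P<code>\S{1,2})\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\b")


def parse_routes(show_output):
    """Return {IPv4Network: route code} for every route line in 'show ip route' output."""
    routes = {}
    for line in show_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[ipaddress.ip_network(m.group("prefix"), strict=False)] = m.group("code")
    return routes


def lookup(routes, dst):
    """Longest-prefix match of dst against a parsed table; None if there is no route."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in routes if addr in net]
    return max(matches, key=lambda net: net.prefixlen) if matches else None


def tables_with_route(tables, dst):
    """Names of the tables (global or VRF) that can reach dst, in sorted order."""
    return sorted(name for name, routes in tables.items() if lookup(routes, dst) is not None)


def leaked_prefixes(routes, customer_space="10.0.0.0/8"):
    """Prefixes in a table that fall inside the customer address space.

    Run against a P router's global table this should be empty: the core must
    never learn customer routes, only the PE loopbacks and core links.
    """
    space = ipaddress.ip_network(customer_space)
    return sorted(str(net) for net in routes if net.subnet_of(space))


if __name__ == "__main__":
    tables = {"P1 global": parse_routes(P1_GLOBAL), "PE1 vpn_a": parse_routes(PE1_VPN_A)}
    print("10.2.0.2 reachable via:", tables_with_route(tables, "10.2.0.2"))
    print("customer prefixes on P1:", leaked_prefixes(tables["P1 global"]))
    print("customer prefixes in vpn_a:", leaked_prefixes(tables["PE1 vpn_a"]))
```

The same `leaked_prefixes` check can be run over each core router's global table after every provisioning change; a non-empty result is the signal that a customer prefix has escaped its VRF into the provider core.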
Troubleshooting:
- From A1 to A2:
A1#trace 10.3.0.2
Type escape sequence to abort.
Tracing the route to 10.3.0.2
1 10.2.0.1 32 msec 32 msec 28 msec
2 192.168.1.9 [MPLS: Labels 19/21 Exp 0] 116 msec 60 msec 32 msec
3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec
4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec
5 10.3.0.2 32 msec 60 msec 28 msec
- From B1 to B2:
B1#trace 10.3.0.2
Type escape sequence to abort.
Tracing the route to 10.3.0.2
1 10.2.0.1 40 msec 32 msec 32 msec
2 192.168.1.9 [MPLS: Labels 19/23 Exp 0] 60 msec 60 msec 32 msec
3 192.168.1.13 [MPLS: Labels 16/23 Exp 0] 60 msec 60 msec 32 msec
4 10.3.0.1 [MPLS: Label 23 Exp 0] 32 msec 52 msec 28 msec
5 10.3.0.2 120 msec 60 msec 28 msec
- There are 5 hops for a packet traversing from A1 to A2 as well as from B1 to B2. The path from A1 to A2 is as follows:
1 10.2.0.1 32 msec 32 msec 28 msec --> This is the first hop, the PE1 router, which is directly connected to A1 via its s0/1 interface. PE1 pushes VPN label 21 onto the packet from A1 to distinguish A1's traffic from that of other customers; this value does not change as the packet traverses the service provider routers. PE1 also pushes MPLS label 19, which is used to switch the packet to the P1 router via its s0/0 interface. Let's take a look at PE1's VRF routing table and forwarding table.
PE1#show ip route vrf vpn_a
Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/1
B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:30
R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:26, Serial0/1
B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:30
The packet from A1 to A2 first arrives at the PE1 POP router. Does PE1 have a path to the s0/0 interface of A2 (10.3.0.2)? Yes: there is a BGP route to the 10.3.0.0/30 network with a next-hop address of 192.168.1.4 (PE2).
How does the PE1 router get the packet to the PE2 POP router?
It sends it as a labeled (tagged) packet. Let's take a look at PE1's forwarding table:
PE1#sh mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 192.168.1.2/32 0 Se0/0 point2point
17 16 192.168.1.3/32 0 Se0/0 point2point
18 Pop tag 192.168.1.12/30 0 Se0/0 point2point
19 17 192.168.1.16/30 0 Se0/0 point2point
20 19 192.168.1.4/32 0 Se0/0 point2point
21 Untagged 10.1.0.1/32[V] 520 Se0/1 point2point
22 Aggregate 10.2.0.0/30[V] 19879
23 Untagged 10.1.0.1/32[V] 0 Se0/2 point2point
24 Aggregate 10.2.0.0/30[V] 24826
From the PE1 router's standpoint, it takes untagged (unlabeled) traffic arriving on its s0/1 interface from the A1 router and tags the packet with VPN label 21. PE1 then switches the packet out its s0/0 interface with outbound label 19.
To understand in more depth how the egress PE router can tell which customer a route belongs to, let's execute some useful commands:
PE1#sh ip vrf brief
Name Default RD Interfaces
vpn_a 65000:1 Se0/1
vpn_b 65000:2 Se0/2
PE1#sh ip bgp vpnv4 all
BGP table version is 17, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf vpn_a)
*> 10.1.0.1/32 10.2.0.2 1 32768 ?
*> 10.2.0.0/30 0.0.0.0 0 32768 ?
*>i10.3.0.0/30 192.168.1.4 0 100 0 ?
*>i10.4.0.1/32 192.168.1.4 1 100 0 ?
Route Distinguisher: 65000:2 (default for vrf vpn_b)
*> 10.1.0.1/32 10.2.0.2 1 32768 ?
*> 10.2.0.0/30 0.0.0.0 0 32768 ?
*>i10.3.0.0/30 192.168.1.4 0 100 0 ?
*>i10.4.0.1/32 192.168.1.4 1 100 0 ?
P1#sh mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 192.168.1.3/32 0 Se0/1 point2point
17 Pop tag 192.168.1.16/30 0 Se0/1 point2point
18 Pop tag 192.168.1.1/32 7257 Se0/0 point2point
19 16 192.168.1.4/32 3825 Se0/1 point2point
A packet labeled 19 arriving from the PE1 router is switched out P1's s0/1 interface with outbound label 16.
3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec --> The labeled packet is switched from P1 to P2 carrying MPLS label 16 and VPN label 21. What happens at the P2 router? Let's check P2's forwarding table.
P2#sh mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 192.168.1.4/32 4939 Se0/1 point2point
17 18 192.168.1.1/32 9323 Se0/0 point2point
18 Pop tag 192.168.1.2/32 0 Se0/0 point2point
19 Pop tag 192.168.1.8/30 0 Se0/0 point2point
4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec --> The packet is handed from the P2 router to PE2. P2 has already popped the transport label (its entry for 192.168.1.4/32 is "Pop tag"), so only VPN label 21 remains. From VPN label 21, the egress PE2 router knows this packet belongs to customer A1. Once that label is removed it is a plain IP packet, so let's check PE2's VRF routing table.
PE2#sh ip route vrf vpn_a
Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B 10.2.0.0/30 [200/0] via 192.168.1.1, 01:24:59
C 10.3.0.0/30 is directly connected, Serial0/1
B 10.1.0.1/32 [200/1] via 192.168.1.1, 01:24:59
R 10.4.0.1/32 [120/1] via 10.3.0.2, 00:00:58, Serial0/1
The PE2 router is directly connected to the A2 router via s0/1 (PE2's interface).
5 10.3.0.2 32 msec 60 msec 28 msec --> The A2 router is the last hop; as just mentioned, it is directly connected to the PE2 router.
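To make the hop-by-hop label handling above concrete, here is an added Python example (not part of the original lab) that models the label operations from the LFIB lines quoted for P1 and P2: PE1 pushes the transport label 19 and the VPN label, P1 swaps 19 for 16, P2 pops the transport label (penultimate-hop popping) and PE2 receives only the VPN label. The per-hop stacks it computes are compared against the stacks reported in A1's traceroute. The mapping from VPN label to VRF on PE2 (21 for vpn_a, 23 for vpn_b) is an assumption taken from the two traces, since PE2's forwarding table is not shown in the lab.

```python
import re

# Constructed sample: A1's traceroute to A2 (10.3.0.2) as quoted in this lab.
A1_TRACE = """\
1 10.2.0.1 32 msec 32 msec 28 msec
2 192.168.1.9 [MPLS: Labels 19/21 Exp 0] 116 msec 60 msec 32 msec
3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec
4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec
5 10.3.0.2 32 msec 60 msec 28 msec
"""

# Core LFIBs built from the 'show mpls forwarding-table' lines quoted for P1 and P2:
# local label -> (action, outgoing label, outgoing interface). "pop" is the
# penultimate-hop pop that IOS prints as "Pop tag".
LFIB = {
    "P1": {16: ("pop", None, "Se0/1"), 17: ("pop", None, "Se0/1"),
           18: ("pop", None, "Se0/0"), 19: ("swap", 16, "Se0/1")},
    "P2": {16: ("pop", None, "Se0/1"), 17: ("swap", 18, "Se0/0"),
           18: ("pop", None, "Se0/0"), 19: ("pop", None, "Se0/0")},
}

# PE1's outgoing label for 192.168.1.4/32 (the BGP next hop, PE2), from PE1's LFIB.
TRANSPORT_LABEL_TO_PE2 = 19

# Assumed: which VRF each VPN label selects on the egress PE2. PE2's LFIB is not
# shown in the lab; the values follow the two traces (21 for vpn_a, 23 for vpn_b).
EGRESS_VRF_BY_LABEL = {21: "vpn_a", 23: "vpn_b"}


def parse_trace_stacks(trace_text):
    """Label stack (top label first) reported at each traceroute hop; [] if unlabeled."""
    stacks = []
    for line in trace_text.splitlines():
        m = re.search(r"\[MPLS: Labels? ([\d/]+) Exp \d+\]", line)
        stacks.append([int(x) for x in m.group(1).split("/")] if m else [])
    return stacks


def lsr_switch(lfib, stack):
    """Apply one LSR's LFIB entry to the top label; return (new stack, outgoing interface)."""
    if not stack:
        raise ValueError("LSR received an unlabeled packet")
    action, out_label, out_if = lfib[stack[0]]
    if action == "swap":
        return [out_label] + stack[1:], out_if
    if action == "pop":
        return stack[1:], out_if
    raise ValueError(f"unsupported action {action}")


def simulate(vpn_label, core=("P1", "P2")):
    """Push the two-label stack at PE1, switch it through the core, resolve the VRF at PE2.

    Returns (stacks, vrf): the stack as received by P1, by P2 and by PE2 (the same
    view a traceroute reports at hops 2-4), and the VRF the surviving VPN label selects.
    """
    stack = [TRANSPORT_LABEL_TO_PE2, vpn_label]   # ingress PE: transport label on top of VPN label
    received = [list(stack)]                        # what P1 receives from PE1
    for router in core:
        stack, _ = lsr_switch(LFIB[router], stack)
        received.append(list(stack))                # what the next router downstream receives
    return received, EGRESS_VRF_BY_LABEL[stack[0]]  # only the VPN label reaches PE2


def vpn_label_unchanged(stacks):
    """True if the bottom (VPN) label is identical at every labeled hop of a trace."""
    bottoms = {s[-1] for s in stacks if s}
    return len(bottoms) == 1


if __name__ == "__main__":
    print("trace stacks:", parse_trace_stacks(A1_TRACE))
    for label in (21, 23):
        print(f"VPN label {label}:", simulate(label))
```

The two customers reach the same destination address 10.3.0.2 across identical transport labels (19 then 16); only the bottom label differs, and that is the sole thing PE2 uses to pick vpn_a or vpn_b. The core routers never consult the customer IP header, which is exactly why overlapping customer address space is harmless here.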
Conclusions
- VPNs emerged as an alternative to dedicated point-to-point links. VPNs deliver the same benefits as dedicated point-to-point links but without the high cost. Many technologies are used to support overlay VPNs. From a Layer 1 perspective, VPNs can be implemented with SONET, T1, E1, ISDN, etc. From a Layer 2 perspective, VPNs can be implemented with Frame Relay, ATM, X.25, etc. From a Layer 3 perspective, IP tunneling technologies such as IPSec and GRE can be used to implement a VPN. Later, peer-to-peer VPNs were introduced. The biggest difference between peer-to-peer VPNs and traditional VPNs is that in a peer-to-peer VPN, the customer and the service provider exchange routing information. The two ways to implement peer-to-peer VPNs are dedicated router and shared router. MPLS-based VPNs offer the same privacy and security as traditional VPNs. In addition, overlapping address spaces, intranets, extranets, and even hub-and-spoke topologies are supported in an MPLS VPN.