Little Blog!: 2015-08-02

Saturday, August 8, 2015

Frame-Mode MPLS

Introduction:

This lab introduces you how to build a frame-mode MPLS network step by step. To really understand MPLS, you need a solid understanding of Layer 3 routing. This lab also provides some basic routing protocols as RIPv2 and BGP (iBGP,eBGP). More importantly, you'll learn how to configure, verify and troubleshoot a simple MPLS in frame-mode.

Overview:

To understand how frame-mode MPLS works, it is neccessary to graps some basic concepts of MPLS.

MPLS label stack: The MPLS label stack is a total of 32 bits. The label itself is 20 bits. The label stack is placed between the Layer 2 header and the Layer 3 payload and is referred to as a shim header.
MPLS architecture: The MPLS architecture is divided into two planes: control and forwarding. The control plane is responsible for binding labels to routes, or more specifically, to FECs. The forwarding plane (also known as the data plane) operates like a big cache by maintaining the FIB and LFIB. The control plane builds the bindings and the forwarding plane actually uses those bindings to switch packets. Don’t forget, CEF must be enabled for MPLS to work.
MPLS operation: Packets enter the service provider network as unlabeled IP. An edge-LSR imposes a label and forwards the newly labeled packet to the next LSR along an LSP. Each LSR along the LSP label-switches the packet. The next-to-last router in the path pops the label through a mechanism called penultimate hop popping.
MPLS applications: First of all, MPLS changes network design by eliminating the need for an overlay. Performance is improved because packets are switched instead of routed. QoS can be implemented end to end by having an edge-LSR classify packets and map a value to the Experimental (EXP) field of the MPLS label stack. Traffic engineering is made possible through label stacking and traffic-engineered tunnels.

Requirements:

1. Customer sites:

Peer1 and Peer2 (Non-MPLS-enabled routers): BGP.
H/W: Peer1 and Peer2 are Cisco Routers c3745.

2. Service Provider sites:

Atlanta, Raleigh (Edge-LSRs): RIPv2, BGP, MPLS: s0/0, s0/3 for Atlanta and Raleigh router respectively.
Core (LSRs): RIPv2, MPLS: s0/0, s0/1.
H/W: Atlanta, Core, and Raleigh are Cisco Routers c3745.

Configuration

1. Customer sites:

- Customers including Peer1 and Peer2 are connected each other via service provider network.

- On Peer1 router:

Peer1#show running-config
Building configuration...

Current configuration : 2453 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Peer1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$LbLV$J5dewPBIGzBhoRLXHc3ZB1
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 192.168.3.5 255.255.255.252
no fair-queue
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 192.168.3.6 remote-as 65000
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end

- Peer2 router is configured similarly.

2. Service provider sites:

a. Network edge (Atlanta, Raleigh):

- On Atlanta router:

Atlanta#show running-config
Building configuration...

Current configuration : 2697 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Atlanta
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Pz1z$08P6j51mxrlM5OHcGHUc8.
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 204.134.83.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ***Link to Core router****
ip address 204.134.83.5 255.255.255.252
mpls ip
no fair-queue
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
description ***Link to Peer1****
ip address 192.168.3.6 255.255.255.252
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 204.134.83.0
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
neighbor 192.168.3.5 remote-as 65001
neighbor 204.134.83.3 remote-as 65000
neighbor 204.134.83.3 update-source Loopback0
neighbor 204.134.83.3 next-hop-self
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end

- Raleigh router is configured similarly.

b. Core Network(Core router):

- On Core router:

Core#show running-config
Building configuration...

Current configuration : 2479 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$89de$B7vQleRf2j/qaB.AGvejF0
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 204.134.83.2 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ***Link to Raleigh POP router***
ip address 204.134.83.9 255.255.255.252
mpls ip
no fair-queue
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
description ***Link to Atlanta POP router***
ip address 204.134.83.6 255.255.255.252
mpls ip
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 204.134.83.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end

Verification:

- On Customer sites:

Check the connection between Peer1 router and Peer2 router.

Peer1#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/16/52 ms

Peer1#telnet 192.168.2.1

Trying 192.168.2.1 ... Open

User Access Verification

Password:

Peer2>

Peer2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/28 ms

Peer2#telnet 192.168.1.1

Trying 192.168.1.1 ... Open

User Access Verification

Password:

Peer1>

- On service provider sites:

Check the connectivity between Atlanta router and Raleigh router:

Atlanta#ping 204.134.83.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 204.134.83.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/12 ms

Good jobs! Now, check the connectivity between Atlanta router and Peer2 router:

Atlanta#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Yup! what's going on? Why is Peer1 able to ping Peer2, but Atlanta router can't?

Troubleshooting:

Well, to know the answer for this situation, it is required to deal with routing protocols and which routes are known by network devices.

- Peer1's routing table:

Peer1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/32 is subnetted, 1 subnets
C 192.168.1.1 is directly connected, Loopback0
192.168.2.0/32 is subnetted, 1 subnets
B 192.168.2.1 [20/0] via 192.168.3.6, 01:38:48
192.168.3.0/30 is subnetted, 2 subnets
B 192.168.3.8 [20/0] via 192.168.3.6, 01:38:48
C 192.168.3.4 is directly connected, Serial0/0

Peer1 can ping Peer2 because there is a BGP route to get Peer2 with a next hop address 192.168.3.6 which is s0/1 interface of Atlanta router. Now, take a look on Atlanta's routing table.

Atlanta#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

204.134.83.0/24 is variably subnetted, 5 subnets, 2 masks

R 204.134.83.8/30 [120/1] via 204.134.83.6, 00:00:01, Serial0/0

C 204.134.83.1/32 is directly connected, Loopback0

R 204.134.83.3/32 [120/2] via 204.134.83.6, 00:00:01, Serial0/0

R 204.134.83.2/32 [120/1] via 204.134.83.6, 00:00:01, Serial0/0

C 204.134.83.4/30 is directly connected, Serial0/0

192.168.1.0/32 is subnetted, 1 subnets

B 192.168.1.1 [20/0] via 192.168.3.5, 04:34:34

192.168.2.0/32 is subnetted, 1 subnets

B 192.168.2.1 [200/0] via 204.134.83.3, 02:00:57

192.168.3.0/30 is subnetted, 2 subnets

B 192.168.3.8 [200/0] via 204.134.83.3, 02:00:57

C 192.168.3.4 is directly connected, Serial0/1

Obviously, the packet destined from Peer 1 to Peer 2 arrives at the Atlanta POP router. Does the Atlanta POP router have a path to get to the loopback of Peer 2 (192.168.2.1)? Yes. There’s a BGP route to 192.168.2.1 with a next hop address of 204.134.83.3 (Raleigh).

How does the Atlanta POP router get the packet to the Raleigh POP router?

It sends it as a labeled packet, or a tagged packet. Indeed, let's take a look on the Atlanta's forwarding table:

Atlanta#show mpls forwarding-table

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

16 Pop tag 204.134.83.2/32 0 Se0/0 point2point

17 Pop tag 204.134.83.8/30 0 Se0/0 point2point

18 17 204.134.83.3/32 0 Se0/0 point2point

To get Raleigh router, what is the outbound label? 17. What is the outbound interface? Serial 0/0. What is the neighboring device connected via Serial 0/0? The Core router. Now, let's check the Releigh router's routing table.

Core#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

204.134.83.0/24 is variably subnetted, 5 subnets, 2 masks
C 204.134.83.8/30 is directly connected, Serial0/0
R 204.134.83.1/32 [120/1] via 204.134.83.5, 00:00:13, Serial0/1
R 204.134.83.3/32 [120/1] via 204.134.83.10, 00:00:08, Serial0/0
C 204.134.83.2/32 is directly connected, Loopback0
C 204.134.83.4/30 is directly connected, Serial0/1

Does the Core router have a route in its routing table to forward a packet to Peer 2 (192.168.2.1)? No. Without MPLS, or tag switching, the packet would be dropped right here. The Core router only knows about the IGP (RIP in this example) routes. The Core router does not forward the packet, but instead it does label switching. The output of the Core router's forwading table is as follows:

Core#show mpls forwarding-table

Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 204.134.83.1/32 2915 Se0/1 point2point
17 Pop tag 204.134.83.3/32 3038 Se0/0 point2point

What happens to the packet? Well, from the Atlanta POP router, the packet is sent with a tag of 17. By observing the output of the show mpls forwarding-table command on the Core router, you can see that an inbound labeled packet of 17 arriving at the Core router has its label popped and is forwarded as unlabeled IP out interface Serial 0/0. So here at the Core router, there is no routing, only switching of labeled, or tagged packets. You can think of Pop tag as meaning, "The next hop router needs to do a L3 lookup on the packet, so don't send this traffic as labeled, but instead send it as unlabeled IP traffic".
Now let’s move on to the Raleigh POP router. An unlabeled IP packet arrives destined for network 192.168.2.1. The Raleigh POP router’s routing table is as follows:

Raleigh#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

204.134.83.0/24 is variably subnetted, 5 subnets, 2 masks
C 204.134.83.8/30 is directly connected, Serial0/3
R 204.134.83.1/32 [120/2] via 204.134.83.9, 00:00:27, Serial0/3
C 204.134.83.3/32 is directly connected, Loopback0
R 204.134.83.2/32 [120/1] via 204.134.83.9, 00:00:27, Serial0/3
R 204.134.83.4/30 [120/1] via 204.134.83.9, 00:00:27, Serial0/3
192.168.1.0/32 is subnetted, 1 subnets
B 192.168.1.1 [200/0] via 204.134.83.1, 03:55:53
192.168.2.0/32 is subnetted, 1 subnets
B 192.168.2.1 [20/0] via 192.168.3.10, 06:29:41
192.168.3.0/30 is subnetted, 2 subnets
C 192.168.3.8 is directly connected, Serial0/1
B 192.168.3.4 [200/0] via 204.134.83.1, 03:55:54

Does the Raleigh POP router have a path to get to the loopback (192.168.2.1) of Peer 2? Yes, there’s a BGP route to 192.168.2.1. What is the outbound interface? Serial 0/1.The packet arrives on Peer 2. Peer 2 needs to send a response to the ping. The routing table of Peer 2 is as follows:

Peer2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/32 is subnetted, 1 subnets

B 192.168.1.1 [20/0] via 192.168.3.9, 04:02:13

192.168.2.0/32 is subnetted, 1 subnets

C 192.168.2.1 is directly connected, Loopback0

192.168.3.0/30 is subnetted, 2 subnets

C 192.168.3.8 is directly connected, Serial0/0

B 192.168.3.4 [20/0] via 192.168.3.9, 04:02:13

Does the Peer 2 router have a path to get back to Peer 1? Yes. The entire process you just observed will now be repeated in reverse.

To sum up the path from Peer1 to Peer2:

Peer1#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

1 192.168.3.6 16 msec 16 msec 0 msec
2 204.134.83.6 [MPLS: Label 17 Exp 0] 12 msec 0 msec 0 msec
3 204.134.83.10 4 msec 28 msec 8 msec
4 192.168.3.10 [AS 65002] 12 msec 12 msec 4 msec

The L3 unlabeled packet from Peer1 handed to Atlanta router (192.168.3.6). The Atlanta router doesn't route instead it switches the packet out its interface with label 17 to Core router (204.134.83.6). The inbound labeled packet of 17 arriving at the Core router has its label popped and is forwarded as unlabeled IP out Serial 0/0 interface to Raleigh router (204.134.83.10). This L3 unlabeld packet handed from Raleigh router to Peer2 (192.168.3.10).

What if you are on the Atlanta POP router and you try a ping to Peer 2 (192.168.2.1)?

Atlanta#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

It fails as we knew in the verification section. Why does this ping fail? Because the source address (204.134.83.5) is unknown to Peer 2. Observe the traceroute command as executed on the Atlanta POP router:

Atlanta#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

1 204.134.83.6 [MPLS: Label 17 Exp 0] 0 msec 0 msec 0 msec
2 204.134.83.10 0 msec 0 msec 0 msec
3 * * *
4 * * *

How far does the traceroute command get? Only to the Raleigh POP router. Peer 2 has no way to respond to the source.

Let’s illustrate by changing how the ping command is used. This time I’m going to source the ping from an interface that Peer 2 knows about:

Atlanta#ping

Protocol [ip]:
Target IP address: 192.168.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.3.6
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Peer 2 knows about the 192.168.3.4 network including source IP address 192.168.3.6. Take a look at Peer 2’s routing table:

Peer2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/32 is subnetted, 1 subnets
B 192.168.1.1 [20/0] via 192.168.3.9, 04:36:24
192.168.2.0/32 is subnetted, 1 subnets
C 192.168.2.1 is directly connected, Loopback0
192.168.3.0/30 is subnetted, 2 subnets
C 192.168.3.8 is directly connected, Serial0/0
B 192.168.3.4 [20/0] via 192.168.3.9, 04:36:24

Confused yet? The best way to test to make sure that everything works is to do a ping from one CE device to another CE device in this case is from Peer1 to Peer2. If it works, then MPLS or tag switching is enabled and working properly. If the ping fails, you don’t have a complete LSP through the service provider network. Let me show you what a failure looks like. I’ve disabled label switching on the Core router, which means that there isn’t a complete LSP between the Atlanta and Raleigh POP routers.

Core#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Core(config)#no ip cef

Let’s ping from Peer 1 to the loopback (192.168.2.1) of Peer 2.

Peer1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Peer1#traceroute 192.168.2.1

Type escape sequence to abort.

Tracing the route to 192.168.2.1

1 192.168.3.6 16 msec 0 msec 0 msec

2 * * *

3 * * *

It fails, right? Right! There is no LSP between the Atlanta and Raleigh POP routers

How far does the packet get? Only to the Atlanta POP router. Let’s enable label switching on the Core router and try the ping command again from Peer 1 to the loopback (192.168.2.1) of Peer 2.

Core(config)#ip cef

Peer1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/44 ms

Now that label switching has been enabled again on the Core router, everything works because there is an end-to-end LSP between the Atlanta and Raleigh POP routers.

Peer1#traceroute 192.168.2.1

Type escape sequence to abort.

Tracing the route to 192.168.2.1

1 192.168.3.6 20 msec 0 msec 0 msec

2 204.134.83.6 [MPLS: Label 17 Exp 0] 0 msec 8 msec 8 msec

3 204.134.83.10 4 msec 12 msec 0 msec

4 192.168.3.10 [AS 65002] 16 msec 0 msec 0 msec

Obviously, by executing traceroute command from customer sites we can see all the service provider devices. From service provider's perspective, this is non-secure practice. We need to hide service provider devices to customers by executing the no mpls ip propagate-ttl on every device in the service provider network. Once this command is enabled on each and every service provider router, a client only sees the ingress and egress PE routers (Atlanta and Raleigh router), not all the P devices (Core router).

Atlanta#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Atlanta(config)#no mpls ip propagate-ttl

Core#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Core(config)#no mpls ip propagate-ttl

Raleigh#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Raleigh(config)#no mpls ip propagate-ttl

Now, The output of the traceroute command on Peer 1 to the loopback of Peer 2 is as follows:

Peer1#trace 192.168.2.1

Type escape sequence to abort.

Tracing the route to 192.168.2.1

1 192.168.3.6 0 msec 0 msec 0 msec

2 204.134.83.10 24 msec 0 msec 0 msec

3 192.168.3.10 [AS 65002] 4 msec 28 msec 0 msec

What’s missing from the traceroute output without the no mpls ip propagate-ttl command? The Core router. To return the network to its original configuration, you need to use the mpls ip propagate-ttl command.

Conclusions:

Frame-mode MPLS label distribution is called independent control with unsolicited downstream.

When a new FEC appears on an LSR, a label is immediately bound to it. This is called independent control. Once a new label is bound to the FEC, the LSR tells its neighbors about it without them having to ask. This is called unsolicited downstream. You have learned about how frame-mode MPLS works as well its configuration, verification and troubleshooting. Moreover, you also learned how to hide service provider devices to customer sites for the security purpose.

Thursday, August 6, 2015

MPLS VPNs and RIP

Introduction:

This lab introduces you the required configuration commands and technology necessary to implement a simple MPLS-based VPN. This lab will also introduce you the route targets and virtual routing and forwarding (VRF) table route redistribution. You’ll learn how to configure a simple MPLS VPN using RIP as the CE routing protocol. In addition, in an actual network, you’ll learn the configuration, verification, and troubleshooting of a simple MPLS VPN.

Overview:

- First of all, it's important to understand MPLS VPNs packet switching. An MPLS VPN builds on the principles of standard MPLS. Packets enter an IP network and receive a VPN label and a standard label to traverse the service provider network. LSRs along the LSP between edge devices do not know about customer networks, and they use the standard label to label-switch packets. Once the packet arrives at the egress PE, the VPN label is used to direct the packet to the correct VPN. Customer routers require no MPLS functionality.

- Secondly, Multi-Protocol BGP (MP-BGP) is a requirement for the proper operation of MPLS VPNs. From a network design standpoint, an IGP runs in the service provider core, and BGP runs between edge routers. MP-BGP backbone is used to carry customer routes across the service provider backbone. To enable the edge routers to support MPLS VPNs, MP-BGP must be configured.
- Thirdly, a virtual routing and forwarding (VRF) table. A VRF is used by Cisco to implement the concept of virtual routers. A VRF is composed of an IP routing table, a CEF table, interfaces, and routing protocol rules and filters. Global routes are not in the VRF. Likewise, VRF routes are not in the global routing table.
- Finally, Route Distinguisher (RD) and Route Target (RT) can have the same values, but they serve very different purpose:

The RD keeps IP prefixes from overlapping in MP-BGP.
The RT is used to help differentiate VPN routes. There are 2 types of RT. When routes are redistributed from a routing context into MP-BGP, the export route target value is applied. To redistribute routes from MP-BGP back into the right VPN, the import route target value is read.

Note that routing context is a mechanism used to provide for separate isolated instances of a single routing protocol. For example, a single router may support many separate customers with a single instance of a routing protocol through the use of routing context.

Requirements:

1. Customer sites:

A1, B1, A2, B2 (Non-MPLS-enabled routers): RIPv2.
H/W: A1, B1, A2, B2 are Cisco Routers c3745.

2. Service Provider sites:

PE1, PE2 (Edge-LSRs): RIPv2, iBGP, MPLS: s0/0.
P1, P2 (LSRs): RIPv2, MPLS: s0/0, s0/1.
H/W: PE1, P1, P2, PE2 are Cisco Routers c3745.

Configuration

1. Customer sites:

- Customer A and B are overlapping address spaces.
- Customer A: A1 and A2 network are connected each other via service provider network.
- Customer B: B1 and B2 network are connected each other via service provider network.

- On A1 router:
A1#show running-config
Building configuration...

Current configuration : 2341 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname A1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7LnD$0qutJY934WdeVsL.wl9q90
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 10.1.0.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
ip address 10.2.0.2 255.255.255.252
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end

- B1, A2, B2 routers are configured similarly.

2. Service provider sites:

a. Network edge (PE1, PE2):

- On PE1 router:
PE1#show running-config
Building configuration...

Current configuration : 3638 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PrDN$pHsT2IKCMZjFBIyF8mAbW1
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip vrf vpn_a
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
ip vrf vpn_b
rd 65000:2
route-target export 65000:2
route-target import 65000:2
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
description ***Link to P1 router***
ip address 192.168.1.10 255.255.255.252
mpls ip
no fair-queue
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
description ***Link to customer A1 router***
ip vrf forwarding vpn_a
ip address 10.2.0.1 255.255.255.252
clock rate 2000000
!
interface Serial0/2
description ***Link to customer B2 router***
ip vrf forwarding vpn_b
ip address 10.2.0.1 255.255.255.252
clock rate 2000000
!
interface Serial0/3
no ip address
shutdown
clock rate 2000000
!
interface Serial0/4
no ip address
shutdown
clock rate 2000000
!
interface Serial0/5
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
no ip address
!
router rip
version 2
network 192.168.1.0
no auto-summary
!
address-family ipv4 vrf vpn_b
redistribute bgp 65000 metric transparent
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
address-family ipv4 vrf vpn_a
redistribute bgp 65000 metric transparent
network 10.0.0.0
no auto-summary
version 2
exit-address-family
!
router bgp 65000
bgp log-neighbor-changes
neighbor 192.168.1.4 remote-as 65000
neighbor 192.168.1.4 update-source Loopback0
!
address-family ipv4
neighbor 192.168.1.4 activate
neighbor 192.168.1.4 next-hop-self
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 192.168.1.4 activate
neighbor 192.168.1.4 send-community both
exit-address-family
!
address-family ipv4 vrf vpn_b
redistribute rip
no synchronization
exit-address-family
!
address-family ipv4 vrf vpn_a
redistribute rip
no synchronization
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
password console
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password telnet
login
!
!
end

- PE2 router is configured similarly.

b. Core Network(P1, P2):

- On P1 router:

P1#show running-config

Building configuration...

Current configuration : 2489 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname P1

boot-start-marker

boot-end-marker

enable secret 5 $1$uj6I$Z5BD8vg85xjuAnv4noYA//

no aaa new-model

memory-size iomem 5

no ip icmp rate-limit unreachable

ip cef

no ip domain lookup

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip tcp synwait-time 5

interface Loopback0

ip address 192.168.1.2 255.255.255.255

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

interface Serial0/0

description ***Link to PE1 router***

ip address 192.168.1.9 255.255.255.252

mpls ip

no fair-queue

clock rate 2000000

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

interface Serial0/1

description ***Link to P2 router***

ip address 192.168.1.14 255.255.255.252

mpls ip

no fair-queue

clock rate 2000000

interface Serial0/2

no ip address

shutdown

clock rate 2000000

interface Serial0/3

no ip address

shutdown

clock rate 2000000

interface Serial0/4

no ip address

shutdown

clock rate 2000000

interface Serial0/5

no ip address

shutdown

clock rate 2000000

interface FastEthernet1/0

no ip address

shutdown

duplex auto

speed auto

interface Serial2/0

no ip address

shutdown

serial restart-delay 0

interface Serial2/1

no ip address

shutdown

serial restart-delay 0

interface Serial2/2

no ip address

shutdown

serial restart-delay 0

interface Serial2/3

no ip address

shutdown

serial restart-delay 0

interface FastEthernet3/0

interface FastEthernet3/1

interface FastEthernet3/2

interface FastEthernet3/3

interface FastEthernet3/4

interface FastEthernet3/5

interface FastEthernet3/6

interface FastEthernet3/7

interface FastEthernet3/8

interface FastEthernet3/9

interface FastEthernet3/10

interface FastEthernet3/11

interface FastEthernet3/12

interface FastEthernet3/13

interface FastEthernet3/14

interface FastEthernet3/15

interface Vlan1

no ip address

router rip

version 2

network 192.168.1.0

no auto-summary

ip forward-protocol nd

no ip http server

no ip http secure-server

no cdp log mismatch duplex

control-plane

line con 0

exec-timeout 0 0

privilege level 15

password console

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

password telnet

end

- P2 router is configured similarly.

Verification:

a. Connectivity:

- On Customer A:

Check the connection between A1 router and A2 router.

A1#ping 10.3.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/60 ms

A1#telnet 10.3.0.2
Trying 10.3.0.2 ... Open

User Access Verification

Password:
A2>

- On Customer B:

Check the connection between B1 router and B2 router.

B1#ping 10.3.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/68 ms
B1#telnet 10.3.0.2
Trying 10.3.0.2 ... Open

User Access Verification

Password:
B2>

b. Routing table:

b1. On Customer Network:

- They are isolated from the service provider network. The client routers do not know any of the details of the service provider network. Notice in the following device output that no service provider routes are in the global routing tables for A1, B1, A2 and B2 router. The global routing table for A1 is as follows:

A1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C 10.2.0.0/30 is directly connected, Serial0/0

R 10.3.0.0/30 [120/1] via 10.2.0.1, 00:00:02, Serial0/0

C 10.1.0.1/32 is directly connected, Loopback0

R 10.4.0.1/32 [120/2] via 10.2.0.1, 00:00:02, Serial0/0

b2. On Service Provider Network:

- The VRF routing table is well isolated from the global routing table on a PE router. Therefore, on the PE1 and PE2 POP routers, no customer (A1, B1, A2 and B2) routes show up in the global routing table. The global routing table of the PE1 POP router is as follows:

PE1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 7 subnets, 2 masks

C 192.168.1.8/30 is directly connected, Serial0/0

R 192.168.1.12/30 [120/1] via 192.168.1.9, 00:00:21, Serial0/0

C 192.168.1.1/32 is directly connected, Loopback0

R 192.168.1.3/32 [120/2] via 192.168.1.9, 00:00:21, Serial0/0

R 192.168.1.2/32 [120/1] via 192.168.1.9, 00:00:21, Serial0/0

R 192.168.1.4/32 [120/3] via 192.168.1.9, 00:00:21, Serial0/0

R 192.168.1.16/30 [120/2] via 192.168.1.9, 00:00:21, Serial0/0

- In addition, none of the customer (A1, B1, A2 and B2) routes show up on the Core routers (P1, and P2). The Core routers are only running the IGP (RIPv2) and know nothing about any of the customer subnets. The global routing table of the P1 router is as follows:

P1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 7 subnets, 2 masks
C 192.168.1.8/30 is directly connected, Serial0/0
C 192.168.1.12/30 is directly connected, Serial0/1
R 192.168.1.1/32 [120/1] via 192.168.1.10, 00:00:11, Serial0/0
R 192.168.1.3/32 [120/1] via 192.168.1.13, 00:00:17, Serial0/1
C 192.168.1.2/32 is directly connected, Loopback0
R 192.168.1.4/32 [120/2] via 192.168.1.13, 00:00:17, Serial0/1
R 192.168.1.16/30 [120/1] via 192.168.1.13, 00:00:17, Serial0/1

- VRF routing table:

PE1#show ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/1
B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:30
R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:26, Serial0/1
B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:30

PE1#show ip route vrf vpn_b

Routing Table: vpn_b
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.2.0.0/30 is directly connected, Serial0/2
B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:47
R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:06, Serial0/2
B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:47

In the routing table for vpn_a on the PE1 POP router, there are two BGP routes (B) and one RIP route (R). The RIP route in the output was learned from A1 and is the loopback of A1. The B routes are from the PE2 POP router (A2 RIP routes redistributed into MP-BGP and carried across the service provider backbone).

- Ping and Telnet from PE routers:

The quickest way to verify that the VRF is up and working is to do a ping from one customer router to another. However, It is not practical to assume that the service provider will always have access to customer routers. Therefore, extensions have been made to the standard ping and telnet commands.

PE1#ping 10.2.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This ping fails because a network for 10.2.0.2 is not in the PE1 POP router’s global routing table; instead it’s in a VRF.

PE1#ping vrf vpn_a 10.2.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms

PE1#ping vrf vpn_a ip 10.2.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms

PE1#telnet 10.1.0.1

Trying 10.1.0.1 ...

% Destination unreachable; gateway or host down

PE1#telnet 10.1.0.1 /vrf vpn_a

Trying 10.1.0.1 ... Open

User Access Verification

Password:

A1>

Troubleshooting:

- From A1 to A2:

A1#trace 10.3.0.2

Type escape sequence to abort.
Tracing the route to 10.3.0.2

1 10.2.0.1 32 msec 32 msec 28 msec
2 192.168.1.9 [MPLS: Labels 19/21 Exp 0] 116 msec 60 msec 32 msec
3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec
4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec
5 10.3.0.2 32 msec 60 msec 28 msec

- From B1 to B2:

B1#trace 10.3.0.2

Type escape sequence to abort.
Tracing the route to 10.3.0.2

1 10.2.0.1 40 msec 32 msec 32 msec
2 192.168.1.9 [MPLS: Labels 19/23 Exp 0] 60 msec 60 msec 32 msec
3 192.168.1.13 [MPLS: Labels 16/23 Exp 0] 60 msec 60 msec 32 msec
4 10.3.0.1 [MPLS: Label 23 Exp 0] 32 msec 52 msec 28 msec
5 10.3.0.2 120 msec 60 msec 28 msec

- There are 5 hops for a packet traversing from A1 to A2 as well as B1 to B2. The path from A1 to A2 is as follows:

1 10.2.0.1 32 msec 32 msec 28 msec --> This is the first hop which is PE1 router. This router is directly connected to A1 via its s0/1. PE1 router also creates VPN label 21 for a packet from customer A1 to distinguish the traffic from A1 with others. This value won't change when the packet traverses through service provider routers. Moreover, PE1 router also creates MPLS label 19 used to switch the packet to P1 router via s0/0 interface. Indeed, let's take a look on PE1's VRF routing table and forwarding table.

PE1#show ip route vrf vpn_a

Routing Table: vpn_a

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C 10.2.0.0/30 is directly connected, Serial0/1

B 10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:30

R 10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:26, Serial0/1

B 10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:30

Obviously, the packet destined from A1 to A2 arrives at the PE1 POP router. Does the PE1 POP router have a path to get to the s0/0 interface of A2 (10.3.0.2)? Yes. There’s a BGP route to 10.3.0.0 network with a next hop address of 192.168.1.4 (PE2).

How does the PE1 router get the packet to the PE2 POP router?

It sends it as a labeled packet, or a tagged packet. Indeed, let's take a look on the PE1's forwarding table:

PE1#sh mpls forwarding-table

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

16 Pop tag 192.168.1.2/32 0 Se0/0 point2point

17 16 192.168.1.3/32 0 Se0/0 point2point

18 Pop tag 192.168.1.12/30 0 Se0/0 point2point

19 17 192.168.1.16/30 0 Se0/0 point2point

20 19 192.168.1.4/32 0 Se0/0 point2point

21 Untagged 10.1.0.1/32[V] 520 Se0/1 point2point

22 Aggregate 10.2.0.0/30[V] 19879

23 Untagged 10.1.0.1/32[V] 0 Se0/2 point2point

24 Aggregate 10.2.0.0/30[V] 24826

From PE1 router standpoint, it takes untagged or unlabeled traffic coming from its s0/1 interface which is A1 router, then tagged this packet with VPN label 21. Moreover, PE1 router also switches this packet out its s0/0 interface with outbound label 19.

To deeply uderstand how egress PE router can distinguish which route from which customer destined to it. Let's execute some useful commands:

PE1#sh ip vrf brief

Name Default RD Interfaces

vpn_a 65000:1 Se0/1

vpn_b 65000:2 Se0/2

PE1#sh ip bgp vpnv4 all

BGP table version is 17, local router ID is 192.168.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 65000:1 (default for vrf vpn_a)

*> 10.1.0.1/32 10.2.0.2 1 32768 ?

*> 10.2.0.0/30 0.0.0.0 0 32768 ?

*>i10.3.0.0/30 192.168.1.4 0 100 0 ?

*>i10.4.0.1/32 192.168.1.4 1 100 0 ?

Route Distinguisher: 65000:2 (default for vrf vpn_b)

*> 10.1.0.1/32 10.2.0.2 1 32768 ?

*> 10.2.0.0/30 0.0.0.0 0 32768 ?

*>i10.3.0.0/30 192.168.1.4 0 100 0 ?

*>i10.4.0.1/32 192.168.1.4 1 100 0 ?

2 192.168.1.9 [MPLS: Labels 19/21 Exp 0] 116 msec 60 msec 32 msec --> A labeled packet is switched from PE1 to P1 with MPLS label 19 and VPN label 21. What will happen at P1 router, let's check the P1's forwarding table.

P1#sh mpls forwarding-table

Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 192.168.1.3/32 0 Se0/1 point2point
17 Pop tag 192.168.1.16/30 0 Se0/1 point2point
18 Pop tag 192.168.1.1/32 7257 Se0/0 point2point
19 16 192.168.1.4/32 3825 Se0/1 point2point

A packet labeled 19 from PE1 router to P1 router will be switched out P1's s0/1 interface with outbound label 16.

3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec --> A labeled packet is switched from P1 to P2 with MPLS label 16 and VPN label 21. What will happen at P2 router, let's check the P2's forwarding table.

P2#sh mpls forwarding-table

Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 192.168.1.4/32 4939 Se0/1 point2point
17 18 192.168.1.1/32 9323 Se0/0 point2point
18 Pop tag 192.168.1.2/32 0 Se0/0 point2point
19 Pop tag 192.168.1.8/30 0 Se0/0 point2point

What happens to the packet? Well, from the P1 router, the packet is sent with a tag of 16. By observing the output of the show mpls forwarding-table command on the P2 router, you can see that an inbound labeled packet of 16 arriving at the P2 router has its label popped and is forwarded as unlabeled IP out interface Serial 0/1. So here at the P2 router, there is no routing, only switching of labeled, or tagged packets. You can think of Pop tag as meaning, "The next hop router needs to do a L3 lookup on the packet, so don't send this traffic as labeled, but instead send it as unlabeled IP traffic". Note that that when I said unlabeled IP packet in this case, it means it's an IP packet with VPN label.

4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec --> A packet handed from P2 router to PE2. Based on VPN label 21, egress PE2 router can understand this packet belonging to customer A1. Because this is an IP packet, let's check the PE2's VRF routing table.

PE2#sh ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B 10.2.0.0/30 [200/0] via 192.168.1.1, 01:24:59
C 10.3.0.0/30 is directly connected, Serial0/1
B 10.1.0.1/32 [200/1] via 192.168.1.1, 01:24:59
R 10.4.0.1/32 [120/1] via 10.3.0.2, 00:00:58, Serial0/1

Obviously, the PE2 router is directly connected to A1 router via s0/1 (PE2's interface).

5 10.3.0.2 32 msec 60 msec 28 msec --> A2 router is the last hop and it is also directly connected to PE2 router as I have just mentioned.

Conclusions

- VPNs emerged as an alternative to dedicated point-to-point links. VPNs deliver the same benefits of dedicated point-to-point links but without the high cost. There are many technologies that are used to support overlay VPNs. From a Layer 1 perspective, VPNs can be implemented with SONET, T1, E1, ISDN, etc. From a Layer 2 perspective, VPNs can be implemented with Frame Relay, ATM, X.25, etc. From a Layer 3 perspective, IP tunneling technologies such as IPSec and GRE can be used to implement a VPN. Then, peer-to-peer VPNs were introduced. The biggest difference between peer-to-peer VPNs and traditional VPNs is that in a peer-to-peer VPN, a customer and a service provider exchange routing information. The two ways to implement peer-to-peer VPNs are dedicated router and shared router. MPLS-based VPNs offer the same privacy and security as traditional VPNs. In addiation, Overlapping address spaces, intranets, extranets, and even hub-and-spoke topologies are supported in an MPLS VPN.

Little Blog!

Menu

Saturday, August 8, 2015

Frame-Mode MPLS

Thursday, August 6, 2015

MPLS VPNs and RIP

Archive

Total Pageviews

Weather