Saturday, August 8, 2015

Frame-Mode MPLS


Introduction:

This lab introduces you to how to build a frame-mode MPLS network step by step. To really understand MPLS, you need a solid understanding of Layer 3 routing. This lab also uses some basic routing protocols, RIPv2 and BGP (iBGP and eBGP). More importantly, you'll learn how to configure, verify and troubleshoot a simple frame-mode MPLS network.

Overview:

To understand how frame-mode MPLS works, it is necessary to grasp some basic concepts of MPLS.

  • MPLS label stack: The MPLS label stack is a total of 32 bits. The label itself is 20 bits. The label stack is placed between the Layer 2 header and the Layer 3 payload and is referred to as a shim header.
  • MPLS architecture: The MPLS architecture is divided into two planes: control and forwarding. The control plane is responsible for binding labels to routes, or more specifically, to FECs. The forwarding plane (also known as the data plane) operates like a big cache by maintaining the FIB and LFIB. The control plane builds the bindings and the forwarding plane actually uses those bindings to switch packets. Don’t forget, CEF must be enabled for MPLS to work.
  • MPLS operation: Packets enter the service provider network as unlabeled IP. An edge-LSR imposes a label and forwards the newly labeled packet to the next LSR along an LSP. Each LSR along the LSP label-switches the packet. The next-to-last router in the path pops the label through a mechanism called penultimate hop popping.
  • MPLS applications: First of all, MPLS changes network design by eliminating the need for an overlay. Performance is improved because packets are switched instead of routed. QoS can be implemented end to end by having an edge-LSR classify packets and map a value to the Experimental (EXP) field of the MPLS label stack. Traffic engineering is made possible through label stacking and traffic-engineered tunnels.
Requirements:

1. Customer sites:
  • Peer1 and Peer2 (Non-MPLS-enabled routers): BGP.
  • H/W: Peer1 and Peer2 are Cisco Routers c3745.
2.  Service Provider sites: 
  • Atlanta, Raleigh (Edge-LSRs): RIPv2, BGP, MPLS: s0/0, s0/3 for Atlanta and Raleigh router respectively.
  • Core (LSRs): RIPv2, MPLS: s0/0, s0/1.
  • H/W: Atlanta, Core, and Raleigh are Cisco Routers c3745.
Configuration

1. Customer sites:

- Customers Peer1 and Peer2 are connected to each other via the service provider network.

- On Peer1 router:

Peer1#show running-config
Building configuration...

Current configuration : 2453 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Peer1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$LbLV$J5dewPBIGzBhoRLXHc3ZB1
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 192.168.3.5 255.255.255.252
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 192.168.3.6 remote-as 65000
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- Peer2 router is configured similarly.

2. Service provider sites:

 a. Network edge (Atlanta, Raleigh):

- On Atlanta router:

Atlanta#show running-config
Building configuration...

Current configuration : 2697 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Atlanta
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Pz1z$08P6j51mxrlM5OHcGHUc8.
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 204.134.83.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to Core router****
 ip address 204.134.83.5 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description ***Link to Peer1****
 ip address 192.168.3.6 255.255.255.252
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router rip
 version 2
 network 204.134.83.0
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.3.5 remote-as 65001
 neighbor 204.134.83.3 remote-as 65000
 neighbor 204.134.83.3 update-source Loopback0
 neighbor 204.134.83.3 next-hop-self
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- Raleigh router is configured similarly.

b. Core network (Core router):

- On Core router:

Core#show running-config
Building configuration...

Current configuration : 2479 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Core
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$89de$B7vQleRf2j/qaB.AGvejF0
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 204.134.83.2 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to Raleigh POP router***
 ip address 204.134.83.9 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description ***Link to Atlanta POP router***
 ip address 204.134.83.6 255.255.255.252
 mpls ip
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router rip
 version 2
 network 204.134.83.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

Verification:

- On Customer sites:

 Check the connection between Peer1 router and Peer2 router.

Peer1#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/16/52 ms

Peer1#telnet 192.168.2.1
Trying 192.168.2.1 ... Open


User Access Verification

Password:
Peer2>

Peer2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/28 ms

Peer2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Password:
Peer1>

- On service provider sites:

Check the connectivity between Atlanta router and Raleigh router:

Atlanta#ping 204.134.83.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.134.83.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/12 ms

Good job! Now, check the connectivity between the Atlanta router and the Peer2 router:

Atlanta#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Yup! What's going on? Why is Peer1 able to ping Peer2 when the Atlanta router can't?

Troubleshooting:

Well, to answer this, we need to look at the routing protocols in play and which routes each network device knows.

  - Peer1's routing table:

Peer1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/32 is subnetted, 1 subnets
C       192.168.1.1 is directly connected, Loopback0
     192.168.2.0/32 is subnetted, 1 subnets
B       192.168.2.1 [20/0] via 192.168.3.6, 01:38:48
     192.168.3.0/30 is subnetted, 2 subnets
B       192.168.3.8 [20/0] via 192.168.3.6, 01:38:48
C       192.168.3.4 is directly connected, Serial0/0

Peer1 can ping Peer2 because there is a BGP route to Peer2 with a next-hop address of 192.168.3.6, which is the s0/1 interface of the Atlanta router. Now, take a look at Atlanta's routing table.

Atlanta#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     204.134.83.0/24 is variably subnetted, 5 subnets, 2 masks
R       204.134.83.8/30 [120/1] via 204.134.83.6, 00:00:01, Serial0/0
C       204.134.83.1/32 is directly connected, Loopback0
R       204.134.83.3/32 [120/2] via 204.134.83.6, 00:00:01, Serial0/0
R       204.134.83.2/32 [120/1] via 204.134.83.6, 00:00:01, Serial0/0
C       204.134.83.4/30 is directly connected, Serial0/0
     192.168.1.0/32 is subnetted, 1 subnets
B       192.168.1.1 [20/0] via 192.168.3.5, 04:34:34
     192.168.2.0/32 is subnetted, 1 subnets
B       192.168.2.1 [200/0] via 204.134.83.3, 02:00:57
     192.168.3.0/30 is subnetted, 2 subnets
B       192.168.3.8 [200/0] via 204.134.83.3, 02:00:57
C       192.168.3.4 is directly connected, Serial0/1

Obviously, the packet destined from Peer 1 to Peer 2 arrives at the Atlanta POP router. Does the Atlanta POP router have a path to get to the loopback of Peer 2 (192.168.2.1)? Yes. There’s a BGP route to 192.168.2.1 with a next hop address of 204.134.83.3 (Raleigh).

How does the Atlanta POP router get the packet to the Raleigh POP router?

It sends it as a labeled packet, or a tagged packet. To see this, let's take a look at Atlanta's forwarding table:

Atlanta#show mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     204.134.83.2/32   0          Se0/0      point2point
17     Pop tag     204.134.83.8/30   0          Se0/0      point2point
18     17          204.134.83.3/32   0          Se0/0      point2point

To reach the Raleigh router, what is the outbound label? 17. What is the outbound interface? Serial 0/0. What is the neighboring device connected via Serial 0/0? The Core router. Now, let's check the Core router's routing table.

Core#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     204.134.83.0/24 is variably subnetted, 5 subnets, 2 masks
C       204.134.83.8/30 is directly connected, Serial0/0
R       204.134.83.1/32 [120/1] via 204.134.83.5, 00:00:13, Serial0/1
R       204.134.83.3/32 [120/1] via 204.134.83.10, 00:00:08, Serial0/0
C       204.134.83.2/32 is directly connected, Loopback0
C       204.134.83.4/30 is directly connected, Serial0/1

Does the Core router have a route in its routing table to forward a packet to Peer 2 (192.168.2.1)? No. Without MPLS, or tag switching, the packet would be dropped right here. The Core router only knows about the IGP (RIP in this example) routes. The Core router does not route the packet; instead it does label switching. The output of the Core router's forwarding table is as follows:

Core#show mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     204.134.83.1/32   2915       Se0/1      point2point
17     Pop tag     204.134.83.3/32   3038       Se0/0      point2point

What happens to the packet? Well, from the Atlanta POP router, the packet is sent with a tag of 17. By observing the output of the show mpls forwarding-table command on the Core router, you can see that an inbound labeled packet of 17 arriving at the Core router has its label popped and is forwarded as unlabeled IP out interface Serial 0/0. So here at the Core router, there is no routing, only switching of labeled, or tagged packets. You can think of Pop tag as meaning, "The next hop router needs to do a L3 lookup on the packet, so don't send this traffic as labeled, but instead send it as unlabeled IP traffic".

Now let’s move on to the Raleigh POP router. An unlabeled IP packet arrives destined for network 192.168.2.1. The Raleigh POP router’s routing table is as follows:

Raleigh#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     204.134.83.0/24 is variably subnetted, 5 subnets, 2 masks
C       204.134.83.8/30 is directly connected, Serial0/3
R       204.134.83.1/32 [120/2] via 204.134.83.9, 00:00:27, Serial0/3
C       204.134.83.3/32 is directly connected, Loopback0
R       204.134.83.2/32 [120/1] via 204.134.83.9, 00:00:27, Serial0/3
R       204.134.83.4/30 [120/1] via 204.134.83.9, 00:00:27, Serial0/3
     192.168.1.0/32 is subnetted, 1 subnets
B       192.168.1.1 [200/0] via 204.134.83.1, 03:55:53
     192.168.2.0/32 is subnetted, 1 subnets
B       192.168.2.1 [20/0] via 192.168.3.10, 06:29:41
     192.168.3.0/30 is subnetted, 2 subnets
C       192.168.3.8 is directly connected, Serial0/1
B       192.168.3.4 [200/0] via 204.134.83.1, 03:55:54

Does the Raleigh POP router have a path to get to the loopback (192.168.2.1) of Peer 2? Yes, there’s a BGP route to 192.168.2.1. What is the outbound interface? Serial 0/1. The packet arrives at Peer 2. Peer 2 needs to send a response to the ping. The routing table of Peer 2 is as follows:

Peer2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/32 is subnetted, 1 subnets
B       192.168.1.1 [20/0] via 192.168.3.9, 04:02:13
     192.168.2.0/32 is subnetted, 1 subnets
C       192.168.2.1 is directly connected, Loopback0
     192.168.3.0/30 is subnetted, 2 subnets
C       192.168.3.8 is directly connected, Serial0/0
B       192.168.3.4 [20/0] via 192.168.3.9, 04:02:13

Does the Peer 2 router have a path to get back to Peer 1? Yes. The entire process you just observed will now be repeated in reverse.

To sum up the path from Peer1 to Peer2:

Peer1#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

  1 192.168.3.6 16 msec 16 msec 0 msec
  2 204.134.83.6 [MPLS: Label 17 Exp 0] 12 msec 0 msec 0 msec
  3 204.134.83.10 4 msec 28 msec 8 msec
  4 192.168.3.10 [AS 65002] 12 msec 12 msec 4 msec

The L3 unlabeled packet from Peer1 is handed to the Atlanta router (192.168.3.6). The Atlanta router doesn't route it; instead it switches the packet out its interface with label 17 to the Core router (204.134.83.6). The inbound labeled packet with label 17 arriving at the Core router has its label popped and is forwarded as unlabeled IP out the Serial 0/0 interface to the Raleigh router (204.134.83.10). This L3 unlabeled packet is then handed from the Raleigh router to Peer2 (192.168.3.10).
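As an added example (not the lab's own code), the following Python walks a packet through the same path using the routing and forwarding tables shown above, and also checks the return path from Peer2 that the next section discusses. The router names, addresses, labels and routes are the page's; the forwarding model (longest-prefix match, a single label, no TTL handling) is an assumed simplification.

```python
import ipaddress

# Added example, not the lab's own code. Routes relevant to the walk are
# transcribed from the page's 'show ip route' outputs as
# (prefix, next hop or None if connected, interface or None for a recursive
# BGP route that is resolved through the IGP).
RIB = {
    "Atlanta": [("204.134.83.3/32", "204.134.83.6", "Se0/0"),
                ("204.134.83.4/30", None, "Se0/0"),
                ("192.168.1.1/32", "192.168.3.5", "Se0/1"),
                ("192.168.2.1/32", "204.134.83.3", None),
                ("192.168.3.4/30", None, "Se0/1")],
    "Core": [("204.134.83.8/30", None, "Se0/0"),        # IGP (RIP) routes only
             ("204.134.83.1/32", "204.134.83.5", "Se0/1"),
             ("204.134.83.3/32", "204.134.83.10", "Se0/0"),
             ("204.134.83.4/30", None, "Se0/1")],
    "Raleigh": [("204.134.83.1/32", "204.134.83.9", "Se0/3"),
                ("192.168.1.1/32", "204.134.83.1", None),
                ("192.168.2.1/32", "192.168.3.10", "Se0/1"),
                ("192.168.3.8/30", None, "Se0/1")],
    "Peer2": [("192.168.1.1/32", "192.168.3.9", "Se0/0"),
              ("192.168.2.1/32", None, "Loopback0"),
              ("192.168.3.8/30", None, "Se0/0"),
              ("192.168.3.4/30", "192.168.3.9", "Se0/0")],
}
# LFIB from 'show mpls forwarding-table':
# local label -> (outgoing label or "Pop", prefix, next-hop address, interface).
LFIB = {
    "Atlanta": {16: ("Pop", "204.134.83.2/32", "204.134.83.6", "Se0/0"),
                17: ("Pop", "204.134.83.8/30", "204.134.83.6", "Se0/0"),
                18: (17, "204.134.83.3/32", "204.134.83.6", "Se0/0")},
    "Core": {16: ("Pop", "204.134.83.1/32", "204.134.83.5", "Se0/1"),
             17: ("Pop", "204.134.83.3/32", "204.134.83.10", "Se0/0")},
    "Raleigh": {}, "Peer2": {},
}
# Router that owns each next-hop address (the page's link addressing).
NEIGHBOR = {"204.134.83.5": "Atlanta", "204.134.83.6": "Core",
            "204.134.83.9": "Core", "204.134.83.10": "Raleigh",
            "192.168.3.9": "Raleigh", "192.168.3.10": "Peer2"}


def ip_lookup(router, dst):
    """Longest-prefix match in the router's RIB; None when there is no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh, intf in RIB[router]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, intf)
    return best


def impose_label(router, bgp_next_hop):
    """Edge-LSR imposition: the outgoing label bound to the IGP prefix that
    covers the BGP next hop (on Atlanta, 204.134.83.3/32 -> label 17)."""
    nh = ipaddress.ip_address(bgp_next_hop)
    for out_label, prefix, _, _ in LFIB[router].values():
        if nh in ipaddress.ip_network(prefix) and out_label != "Pop":
            return out_label
    return None


def walk(start, dst, label_switching=None):
    """Forward one packet for dst starting at router 'start' and return the
    (router, action) steps. label_switching maps router -> bool so a P router
    can be switched off, as the lab does with 'no ip cef' on Core."""
    lsw = {r: True for r in RIB}
    lsw.update(label_switching or {})
    router, label, steps = start, None, []
    while True:
        if label is not None:                     # labeled: LFIB lookup only
            entry = LFIB[router].get(label) if lsw[router] else None
            if entry is None:
                steps.append((router, f"label {label}: no LFIB entry, dropped"))
                return steps
            out, _, nh, intf = entry
            steps.append((router, f"label {label} -> {out} via {intf}"))
            label = None if out == "Pop" else out
            router = NEIGHBOR[nh]
            continue
        route = ip_lookup(router, dst)            # unlabeled: IP lookup
        if route is None:
            steps.append((router, "no route, dropped"))
            return steps
        net, nh, intf = route
        if nh is None:
            steps.append((router, f"delivered, {net} connected on {intf}"))
            return steps
        if intf is None:                          # recursive BGP next hop
            label = impose_label(router, nh) if lsw[router] else None
            igp = ip_lookup(router, nh)
            steps.append((router, f"BGP next hop {nh}, push label {label} via {igp[2]}"))
            nh = igp[1]
        else:
            steps.append((router, f"IP route via {nh} on {intf}"))
        router = NEIGHBOR[nh]
```

Running walk("Core", "192.168.2.1") shows the drop the text describes for a Core router without label switching, and ip_lookup("Peer2", "204.134.83.5") returning None is why a ping sourced from Atlanta's core-facing address gets no reply.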

What if you are on the Atlanta POP router and you try a ping to Peer 2 (192.168.2.1)?

Atlanta#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

It fails, as we saw in the verification section. Why does this ping fail? Because the source address (204.134.83.5) is unknown to Peer 2. Observe the traceroute command as executed on the Atlanta POP router:

Atlanta#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

  1 204.134.83.6 [MPLS: Label 17 Exp 0] 0 msec 0 msec 0 msec
  2 204.134.83.10 0 msec 0 msec 0 msec
  3  *  *  *
  4  *  *  *

How far does the traceroute command get? Only to the Raleigh POP router. Peer 2 has no way to respond to the source.

Let’s illustrate by changing how the ping command is used. This time I’m going to source the ping from an interface that Peer 2 knows about:

Atlanta#ping

Protocol [ip]:
Target IP address: 192.168.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.3.6
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Peer 2 knows about the 192.168.3.4 network including source IP address 192.168.3.6. Take a look at Peer 2’s routing table:

Peer2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/32 is subnetted, 1 subnets
B       192.168.1.1 [20/0] via 192.168.3.9, 04:36:24
     192.168.2.0/32 is subnetted, 1 subnets
C       192.168.2.1 is directly connected, Loopback0
     192.168.3.0/30 is subnetted, 2 subnets
C       192.168.3.8 is directly connected, Serial0/0
B       192.168.3.4 [20/0] via 192.168.3.9, 04:36:24

Confused yet? The best way to make sure that everything works is to ping from one CE device to another; in this case, from Peer1 to Peer2. If it works, then MPLS, or tag switching, is enabled and working properly. If the ping fails, you don’t have a complete LSP through the service provider network. Let me show you what a failure looks like. I’ve disabled label switching on the Core router, which means that there isn’t a complete LSP between the Atlanta and Raleigh POP routers.

Core#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Core(config)#no ip cef

Let’s ping from Peer 1 to the loopback (192.168.2.1) of Peer 2.

Peer1#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Peer1#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

  1 192.168.3.6 16 msec 0 msec 0 msec
  2  *  *  *
  3  *  *  *

It fails, right? Right! There is no LSP between the Atlanta and Raleigh POP routers.

How far does the packet get? Only to the Atlanta POP router. Let’s enable label switching on the Core router and try the ping command again from Peer 1 to the loopback (192.168.2.1) of Peer 2. 

Core(config)#ip cef

Peer1#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/44 ms

Now that label switching has been enabled again on the Core router, everything works because there is an end-to-end LSP between the Atlanta and Raleigh POP routers.

Peer1#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

  1 192.168.3.6 20 msec 0 msec 0 msec
  2 204.134.83.6 [MPLS: Label 17 Exp 0] 0 msec 8 msec 8 msec
  3 204.134.83.10 4 msec 12 msec 0 msec
  4 192.168.3.10 [AS 65002] 16 msec 0 msec 0 msec

Obviously, by running the traceroute command from the customer sites we can see all the service provider devices. From the service provider's perspective, this is an insecure practice. We need to hide the service provider devices from customers by configuring no mpls ip propagate-ttl on every device in the service provider network. Once this command is enabled on each and every service provider router, a client only sees the ingress and egress PE routers (the Atlanta and Raleigh routers), not the P devices (the Core router).

Atlanta#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Atlanta(config)#no mpls ip propagate-ttl

Core#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Core(config)#no mpls ip propagate-ttl

Raleigh#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Raleigh(config)#no mpls ip propagate-ttl

Now, the output of the traceroute command on Peer 1 to the loopback of Peer 2 is as follows:

Peer1#trace 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

  1 192.168.3.6 0 msec 0 msec 0 msec
  2 204.134.83.10 24 msec 0 msec 0 msec
  3 192.168.3.10 [AS 65002] 4 msec 28 msec 0 msec

What’s missing from the traceroute output now that no mpls ip propagate-ttl is configured? The Core router. To return the network to its original configuration, use the mpls ip propagate-ttl command.
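As an added example (not the lab's own code), the following Python packs and unpacks the 32-bit label stack entry described in the Overview and then replays the customer traceroute with and without TTL propagation, using the path and addresses from the outputs above. The single label and the penultimate-hop pop at Core are taken from the page's forwarding tables; the probe model itself is an assumed simplification.

```python
import struct

# Added example, not the lab's own code. Path and addresses come from the
# page's traceroute outputs; Core is the penultimate hop and pops the label
# (PHP) before Raleigh, as the page's Core LFIB shows.
PATH = [("Atlanta", "192.168.3.6", "ingress"), ("Core", "204.134.83.6", "p"),
        ("Raleigh", "204.134.83.10", "egress"), ("Peer2", "192.168.3.10", "dest")]
OUT_LABEL = 17   # label Atlanta pushes toward Raleigh's loopback (page LFIB)


def encode_shim(label, exp, bos, ttl):
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("label stack entry field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def decode_shim(entry):
    """Unpack a 32-bit label stack entry into its four fields."""
    (v,) = struct.unpack("!I", entry)
    return {"label": v >> 12, "exp": (v >> 9) & 0x7, "bos": (v >> 8) & 0x1, "ttl": v & 0xFF}


def send_probe(ip_ttl, propagate_ttl):
    """Return the address that answers one traceroute probe sent with ip_ttl.
    propagate_ttl=True models the default (IP TTL copied into the label);
    False models 'no mpls ip propagate-ttl' (label TTL set to 255)."""
    shim = None
    for i, (name, addr, role) in enumerate(PATH):
        if role == "dest":
            return addr                                  # probe reached Peer2
        if shim is None:                                 # plain IP hop
            ip_ttl -= 1
            if ip_ttl == 0:
                return addr                              # ICMP time exceeded
            if role == "ingress":
                shim = encode_shim(OUT_LABEL, 0, 1, ip_ttl if propagate_ttl else 255)
            continue
        fields = decode_shim(shim)                       # labeled hop: LSR
        fields["ttl"] -= 1                               # only the label TTL is touched
        if fields["ttl"] == 0:
            return addr                                  # P router becomes visible
        if PATH[i + 1][2] == "egress":                   # penultimate hop popping
            if propagate_ttl:
                ip_ttl = fields["ttl"]                   # copy label TTL back to IP
            shim = None
        else:                                            # swap: re-encode with new TTL
            shim = encode_shim(fields["label"], fields["exp"], fields["bos"], fields["ttl"])


def traceroute(propagate_ttl, max_ttl=8):
    """Addresses seen by a customer traceroute toward Peer2."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        seen.append(send_probe(ttl, propagate_ttl))
        if seen[-1] == PATH[-1][1]:
            break
    return seen
```

Even with TTL propagation disabled, the PE addresses (192.168.3.6 and 204.134.83.10) still appear, exactly as the page's final traceroute shows; only the P router drops out of the list.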

Conclusions:

Frame-mode MPLS label distribution is called independent control with unsolicited downstream.
When a new FEC appears on an LSR, a label is immediately bound to it. This is called independent control. Once a new label is bound to the FEC, the LSR tells its neighbors about it without them having to ask. This is called unsolicited downstream. You have learned how frame-mode MPLS works as well as its configuration, verification and troubleshooting. Moreover, you have also learned how to hide service provider devices from customer sites for security purposes.

Thursday, August 6, 2015

MPLS VPNs and RIP


Introduction:

This lab introduces you to the configuration commands and technology required to implement a simple MPLS-based VPN. It also introduces route targets and virtual routing and forwarding (VRF) table route redistribution. You’ll learn how to configure a simple MPLS VPN using RIP as the CE routing protocol. In addition, you’ll learn the configuration, verification, and troubleshooting of a simple MPLS VPN in an actual network.

Overview: 

- First of all, it's important to understand MPLS VPNs packet switching. An MPLS VPN builds on the principles of standard MPLS. Packets enter an IP network and receive a VPN label and a standard label to traverse the service provider network. LSRs along the LSP between edge devices do not know about customer networks, and they use the standard label to label-switch packets. Once the packet arrives at the egress PE, the VPN label is used to direct the packet to the correct VPN. Customer routers require no MPLS functionality.
- Secondly, Multi-Protocol BGP (MP-BGP) is a requirement for the proper operation of MPLS VPNs. From a network design standpoint, an IGP runs in the service provider core, and BGP runs between edge routers. MP-BGP backbone is used to carry customer routes across the service provider backbone. To enable the edge routers to support MPLS VPNs, MP-BGP must be configured.
- Thirdly, a virtual routing and forwarding (VRF) table. A VRF is used by Cisco to implement the concept of virtual routers. A VRF is composed of an IP routing table, a CEF table, interfaces, and routing protocol rules and filters. Global routes are not in the VRF. Likewise, VRF routes are not in the global routing table.
- Finally, the Route Distinguisher (RD) and Route Target (RT) can have the same values, but they serve very different purposes:
  • The RD keeps IP prefixes from overlapping in MP-BGP.
  • The RT is used to help differentiate VPN routes. There are two types of RT: export and import. When routes are redistributed from a routing context into MP-BGP, the export route target value is applied. To redistribute routes from MP-BGP back into the right VPN, the import route target value is read.
Note that routing context is a mechanism used to provide for separate isolated instances of a single routing protocol. For example, a single router may support many separate customers with a single instance of a routing protocol through the use of routing context.
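As an added example (not the lab's own code), the following Python models the two decisions just described: keying VPNv4 routes by RD plus prefix, and importing by route target. VRF names, RDs and RTs are PE1's from the configuration below; the overlapping prefix 10.1.0.1/32 is A1's loopback and is assumed to be B1's as well, the CE next hop 10.2.0.2 is A1's serial address, and the PE loopback name 'PE1-Lo0' is a placeholder since PE addressing is not on the page.

```python
from dataclasses import dataclass, field

# Added example, not the lab's own code. VRF names, RDs and RTs are PE1's
# from this page; 10.1.0.1/32 is A1's loopback and B1 is assumed to use the
# same address to show the overlap. "PE1-Lo0" is a placeholder next hop.


@dataclass(frozen=True)
class VpnV4Route:
    rd: str            # route distinguisher, e.g. "65000:1"
    prefix: str        # customer IPv4 prefix
    next_hop: str      # advertising PE's loopback
    rts: frozenset     # route-target extended communities set on export


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    routes: dict = field(default_factory=dict)   # prefix -> next hop


def export_to_mpbgp(vrf, pe_loopback):
    """Redistribute VRF routes into MP-BGP: prepend the RD, attach export RTs."""
    return [VpnV4Route(vrf.rd, p, pe_loopback, vrf.export_rt) for p in vrf.routes]


def mpbgp_table(advertised):
    """The VPNv4 table is keyed by (RD, prefix), so identical customer
    prefixes from different VRFs do not collide."""
    return {(r.rd, r.prefix): r for r in advertised}


def import_from_mpbgp(vrf, table):
    """Install every VPNv4 route that shares at least one RT with the VRF's
    import set; the RD plays no part in this decision."""
    for r in table.values():
        if r.rts & vrf.import_rt:
            vrf.routes[r.prefix] = r.next_hop
    return vrf.routes


def import_conflicts(vrf, table):
    """Prefixes that more than one matching VPNv4 route would install: the
    symptom of importing overlapping customers into one VRF."""
    seen = {}
    for r in table.values():
        if r.rts & vrf.import_rt:
            seen.setdefault(r.prefix, set()).add(r.rd)
    return {p: rds for p, rds in seen.items() if len(rds) > 1}


def make_vrf(name, rd, rt, routes=None):
    """VRF with one value used as both export and import RT, as on PE1."""
    return Vrf(name, rd, frozenset({rt}), frozenset({rt}), dict(routes or {}))


def run_lab():
    """PE1 exports A1's and B1's overlapping loopbacks; PE2 imports them."""
    pe1 = [make_vrf("vpn_a", "65000:1", "65000:1", {"10.1.0.1/32": "10.2.0.2"}),
           make_vrf("vpn_b", "65000:2", "65000:2", {"10.1.0.1/32": "10.2.0.2"})]
    table = mpbgp_table(r for v in pe1 for r in export_to_mpbgp(v, "PE1-Lo0"))
    pe2_a = make_vrf("vpn_a", "65000:1", "65000:1")
    pe2_b = make_vrf("vpn_b", "65000:2", "65000:2")
    return table, import_from_mpbgp(pe2_a, table), import_from_mpbgp(pe2_b, table)
```

import_conflicts goes slightly beyond the lab: it shows what a VRF importing both customers' RTs would face, which is why overlapping address spaces must stay in separate VPNs.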

Requirements:

1.  Customer sites:
  •  A1, B1, A2, B2 (Non-MPLS-enabled routers): RIPv2.
  •  H/W: A1, B1, A2, B2 are Cisco Routers c3745.
2.  Service Provider sites: 
  • PE1, PE2 (Edge-LSRs): RIPv2, iBGP, MPLS: s0/0.
  • P1, P2 (LSRs): RIPv2, MPLS: s0/0, s0/1.
  • H/W: PE1, P1, P2, PE2 are Cisco Routers c3745.
Configuration

1. Customer sites:

- Customers A and B use overlapping address spaces.
- Customer A: the A1 and A2 networks are connected to each other via the service provider network.
- Customer B: the B1 and B2 networks are connected to each other via the service provider network.

- On A1 router:

A1#show running-config
Building configuration...

Current configuration : 2341 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname A1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7LnD$0qutJY934WdeVsL.wl9q90
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.2.0.2 255.255.255.252
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- B1, A2, B2 routers are configured similarly.

2. Service provider sites:

 a. Network edge (PE1, PE2):

-  On PE1 router:
PE1#show running-config
Building configuration...

Current configuration : 3638 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PrDN$pHsT2IKCMZjFBIyF8mAbW1
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip vrf vpn_a
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf vpn_b
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to P1 router***
 ip address 192.168.1.10 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description ***Link to customer A1 router***
 ip vrf forwarding vpn_a
 ip address 10.2.0.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/2
 description ***Link to customer B2 router***
 ip vrf forwarding vpn_b
 ip address 10.2.0.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
 !
 address-family ipv4 vrf vpn_b
  redistribute bgp 65000 metric transparent
  network 10.0.0.0
  no auto-summary
  version 2
 exit-address-family
 !
 address-family ipv4 vrf vpn_a
  redistribute bgp 65000 metric transparent
  network 10.0.0.0
  no auto-summary
  version 2
 exit-address-family
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.1.4 remote-as 65000
 neighbor 192.168.1.4 update-source Loopback0
 !
 address-family ipv4
  neighbor 192.168.1.4 activate
  neighbor 192.168.1.4 next-hop-self
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.4 activate
  neighbor 192.168.1.4 send-community both
 exit-address-family
 !
 address-family ipv4 vrf vpn_b
  redistribute rip
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf vpn_a
  redistribute rip
  no synchronization
 exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- PE2 router is configured similarly.

 b. Core network (P1, P2):

- On P1 router:
P1#show running-config
Building configuration...

Current configuration : 2489 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uj6I$Z5BD8vg85xjuAnv4noYA//
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 description ***Link to PE1 router***
 ip address 192.168.1.9 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description ***Link to P2 router***
 ip address 192.168.1.14 255.255.255.252
 mpls ip
 no fair-queue
 clock rate 2000000
!
interface Serial0/2
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/3
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/4
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/5
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface FastEthernet3/0
!
interface FastEthernet3/1
!
interface FastEthernet3/2
!
interface FastEthernet3/3
!
interface FastEthernet3/4
!
interface FastEthernet3/5
!
interface FastEthernet3/6
!
interface FastEthernet3/7
!
interface FastEthernet3/8
!
interface FastEthernet3/9
!
interface FastEthernet3/10
!
interface FastEthernet3/11
!
interface FastEthernet3/12
!
interface FastEthernet3/13
!
interface FastEthernet3/14
!
interface FastEthernet3/15
!
interface Vlan1
 no ip address
!
router rip
 version 2
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password console
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password telnet
 login
!
!
end

- P2 router is configured similarly.

Verification:

a. Connectivity:

- On Customer A:

  Check the connection between A1 router and A2 router.

A1#ping 10.3.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/60 ms

A1#telnet 10.3.0.2
Trying 10.3.0.2 ... Open


User Access Verification

Password:
A2>
- On Customer B:

  Check the connection between B1 router and B2 router.

B1#ping 10.3.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/40/68 ms

B1#telnet 10.3.0.2
Trying 10.3.0.2 ... Open


User Access Verification

Password:
B2>

b. Routing table:

    b1. On Customer Network:

- The customer routers are isolated from the service provider network: they know none of its details. Notice in the following output that no service provider routes appear in the global routing tables of the A1, B1, A2 and B2 routers. The global routing table of A1 is as follows:

A1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/0
R       10.3.0.0/30 [120/1] via 10.2.0.1, 00:00:02, Serial0/0
C       10.1.0.1/32 is directly connected, Loopback0
R       10.4.0.1/32 [120/2] via 10.2.0.1, 00:00:02, Serial0/0

   b2. On Service Provider Network:

- The VRF routing table is well isolated from the global routing table on a PE router. Therefore, on the PE1 and PE2 POP routers, no customer (A1, B1, A2 and B2) routes show up in the global routing table. The global routing table of the PE1 POP router is as follows:

PE1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 7 subnets, 2 masks
C       192.168.1.8/30 is directly connected, Serial0/0
R       192.168.1.12/30 [120/1] via 192.168.1.9, 00:00:21, Serial0/0
C       192.168.1.1/32 is directly connected, Loopback0
R       192.168.1.3/32 [120/2] via 192.168.1.9, 00:00:21, Serial0/0
R       192.168.1.2/32 [120/1] via 192.168.1.9, 00:00:21, Serial0/0
R       192.168.1.4/32 [120/3] via 192.168.1.9, 00:00:21, Serial0/0
R       192.168.1.16/30 [120/2] via 192.168.1.9, 00:00:21, Serial0/0

- In addition, none of the customer (A1, B1, A2 and B2) routes show up on the Core routers (P1, and P2). The Core routers are only running the IGP (RIPv2) and know nothing about any of the customer subnets. The global routing table of the P1 router is as follows:

P1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     192.168.1.0/24 is variably subnetted, 7 subnets, 2 masks
C       192.168.1.8/30 is directly connected, Serial0/0
C       192.168.1.12/30 is directly connected, Serial0/1
R       192.168.1.1/32 [120/1] via 192.168.1.10, 00:00:11, Serial0/0
R       192.168.1.3/32 [120/1] via 192.168.1.13, 00:00:17, Serial0/1
C       192.168.1.2/32 is directly connected, Loopback0
R       192.168.1.4/32 [120/2] via 192.168.1.13, 00:00:17, Serial0/1
R       192.168.1.16/30 [120/1] via 192.168.1.13, 00:00:17, Serial0/1

- VRF routing table:

PE1#show ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/1
B       10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:30
R       10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:26, Serial0/1
B       10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:30

PE1#show ip route vrf vpn_b

Routing Table: vpn_b
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/2
B       10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:47
R       10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:06, Serial0/2
B       10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:47

 In the routing table for vpn_a on the PE1 POP router, there are two BGP routes (B) and one RIP route (R). The RIP route in the output was learned from A1 and is the loopback of A1. The B routes are from the PE2 POP router (A2 RIP routes redistributed into MP-BGP and carried across the service provider backbone).
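
Why the two VRF tables above can each hold 10.1.0.1/32 and 10.2.0.0/30 without colliding comes down to the rd and route-target values in PE1's two ip vrf stanzas. The following Python model is an added example, not code from the original post: it parses those two stanzas exactly as they appear in PE1's running-config, builds the VPNv4 routes PE1 would export for the customer prefixes shown in the tables above (RD prepended to the prefix, export route targets attached, PE1's loopback 192.168.1.1 as next hop), and then shows what each VRF imports. The MP-BGP exchange is simplified to a single in-memory table. The second configuration, in which vpn_b also imports 65000:1, is a constructed misconfiguration that is not part of the lab; it is there to show how a route-target overlap leaks one customer's routes into another customer's VRF, and how a simple audit of the import and export sets catches it.

```python
# Model of how RDs keep overlapping customer prefixes apart and how route
# targets decide what each VRF imports. VRF definitions below are PE1's.
from dataclasses import dataclass

# Copied from PE1's running-config on the page.
PE1_VRF_CONFIG = """\
ip vrf vpn_a
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf vpn_b
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
!
"""
# CONSTRUCTED misconfiguration, not from the lab: vpn_b also imports 65000:1.
LEAKY_VRF_CONFIG = PE1_VRF_CONFIG.replace(
    " route-target import 65000:2\n",
    " route-target import 65000:2\n route-target import 65000:1\n")
# Customer prefixes PE1 learns over RIP (from the page's VRF routing tables);
# A1 and B1 deliberately use the same addresses.
CUSTOMER_ROUTES = {"vpn_a": ["10.1.0.1/32", "10.2.0.0/30"],
                   "vpn_b": ["10.1.0.1/32", "10.2.0.0/30"]}

@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str
    rts: frozenset          # route-target extended communities carried by MP-BGP

    @property
    def key(self):
        # RD prepended to the IPv4 prefix: 10.1.0.1/32 from two customers
        # becomes two distinct VPNv4 routes instead of one colliding route.
        return f"{self.rd}:{self.prefix}"

def parse_vrf_config(text):
    """Parse `ip vrf` stanzas as they appear in `show running-config`."""
    vrfs, cur = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["ip", "vrf"]:
            cur = {"name": words[2], "rd": None, "export": set(), "import": set()}
            vrfs.append(cur)
        elif not raw.startswith(" "):        # "!" or another top-level command ends the stanza
            cur = None
        elif cur is None:
            continue
        elif words[0] == "rd":
            cur["rd"] = words[1]
        elif words[0] == "route-target":     # export / import / both
            kind, rt = words[1], words[2]
            if kind in ("export", "both"):
                cur["export"].add(rt)
            if kind in ("import", "both"):
                cur["import"].add(rt)
    return [Vrf(v["name"], v["rd"], frozenset(v["export"]), frozenset(v["import"])) for v in vrfs]

def export_routes(vrf, prefixes, pe_loopback):
    """Routes redistributed into BGP inside a VRF become VPNv4 routes that
    carry the VRF's RD and its export RTs."""
    return [Vpnv4Route(vrf.rd, p, pe_loopback, vrf.export_rt) for p in prefixes]

def import_routes(vrf, vpnv4_table):
    """A VRF accepts every VPNv4 route carrying at least one of its import RTs,
    whatever its RD: the RD gives uniqueness, the RT gives policy."""
    return [r for r in vpnv4_table if r.rts & vrf.import_rt]

def rt_overlaps(vrfs):
    """(importer, exporter, shared RTs) for every VRF pair that can see each
    other's routes. For VRFs meant to be isolated, any hit is a misconfiguration."""
    return [(a.name, b.name, sorted(a.import_rt & b.export_rt))
            for a in vrfs for b in vrfs if a.name != b.name and a.import_rt & b.export_rt]

def simulate(config_text=PE1_VRF_CONFIG):
    """Export both customers' prefixes into one VPNv4 table, then import per VRF.
    Returns (sorted VPNv4 keys, {vrf: sorted imported keys}, RT overlaps)."""
    vrfs = parse_vrf_config(config_text)
    table = [r for v in vrfs for r in export_routes(v, CUSTOMER_ROUTES[v.name], "192.168.1.1")]
    imported = {v.name: sorted(r.key for r in import_routes(v, table)) for v in vrfs}
    return sorted(r.key for r in table), imported, rt_overlaps(vrfs)
```

With the lab's values, simulate() returns four distinct VPNv4 keys (65000:1:10.1.0.1/32, 65000:2:10.1.0.1/32 and so on), each VRF imports only its own two, and rt_overlaps() is empty. With the constructed LEAKY_VRF_CONFIG, vpn_b imports all four routes and rt_overlaps() reports ("vpn_b", "vpn_a", ["65000:1"]), which is the check worth running against every PE's VRF definitions whenever customers are supposed to be isolated.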

- Ping and Telnet from PE routers:

 The quickest way to verify that a VRF is up and working is to ping from one customer router to another. However, it is not practical to assume that the service provider will always have access to customer routers. Therefore, the standard ping and telnet commands have been extended with VRF-aware options.

PE1#ping 10.2.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This ping fails because a network for 10.2.0.2 is not in the PE1 POP router’s global routing table; instead it’s in a VRF.

PE1#ping vrf vpn_a 10.2.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms

PE1#ping vrf vpn_a ip 10.2.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/16 ms

PE1#telnet 10.1.0.1
Trying 10.1.0.1 ...
% Destination unreachable; gateway or host down

PE1#telnet 10.1.0.1 /vrf vpn_a
Trying 10.1.0.1 ... Open


User Access Verification

Password:
A1>

Troubleshooting:

- From A1 to A2:

A1#trace 10.3.0.2

Type escape sequence to abort.
Tracing the route to 10.3.0.2

  1 10.2.0.1 32 msec 32 msec 28 msec
  2 192.168.1.9 [MPLS: Labels 19/21 Exp 0] 116 msec 60 msec 32 msec
  3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec
  4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec
  5 10.3.0.2 32 msec 60 msec 28 msec

- From B1 to B2:

B1#trace 10.3.0.2

Type escape sequence to abort.
Tracing the route to 10.3.0.2

  1 10.2.0.1 40 msec 32 msec 32 msec
  2 192.168.1.9 [MPLS: Labels 19/23 Exp 0] 60 msec 60 msec 32 msec
  3 192.168.1.13 [MPLS: Labels 16/23 Exp 0] 60 msec 60 msec 32 msec
  4 10.3.0.1 [MPLS: Label 23 Exp 0] 32 msec 52 msec 28 msec
  5 10.3.0.2 120 msec 60 msec 28 msec

- There are 5 hops for a packet traversing from A1 to A2 as well as B1 to B2. The path from A1 to A2 is as follows:

1 10.2.0.1 32 msec 32 msec 28 msec -->  This is the first hop, the PE1 router, which is directly connected to A1 via its s0/1 interface. PE1 imposes VPN label 21 on a packet from customer A1 to distinguish A1's traffic from everyone else's. This value does not change while the packet traverses the service provider routers. PE1 also imposes MPLS label 19, which is used to switch the packet to the P1 router via the s0/0 interface. Let's take a look at PE1's VRF routing table and forwarding table.

PE1#show ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       10.2.0.0/30 is directly connected, Serial0/1
B       10.3.0.0/30 [200/0] via 192.168.1.4, 04:11:30
R       10.1.0.1/32 [120/1] via 10.2.0.2, 00:00:26, Serial0/1
B       10.4.0.1/32 [200/1] via 192.168.1.4, 04:11:30

Obviously, the packet destined from A1 to A2 arrives at the PE1 POP router. Does the PE1 POP router have a path to get to the s0/0 interface of A2 (10.3.0.2)? Yes. There’s a BGP route to 10.3.0.0 network with a next hop address of 192.168.1.4 (PE2).


How does the PE1 router get the packet to the PE2 POP router?

 It sends it as a labeled packet, or a tagged packet. Let's take a look at PE1's forwarding table:

PE1#sh mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.2/32    0          Se0/0      point2point
17     16          192.168.1.3/32    0          Se0/0      point2point
18     Pop tag     192.168.1.12/30   0          Se0/0      point2point
19     17          192.168.1.16/30   0          Se0/0      point2point
20     19          192.168.1.4/32    0          Se0/0      point2point
21     Untagged    10.1.0.1/32[V]    520        Se0/1      point2point
22     Aggregate   10.2.0.0/30[V]    19879
23     Untagged    10.1.0.1/32[V]    0          Se0/2      point2point
24     Aggregate   10.2.0.0/30[V]    24826

From the PE1 router's standpoint, it takes the untagged (unlabeled) traffic arriving on its s0/1 interface from the A1 router, tags the packet with VPN label 21, and switches it out its s0/0 interface with outbound label 19.

To understand more deeply how the egress PE router can tell which route belongs to which customer, let's run some useful commands:

PE1#sh ip vrf brief
  Name                             Default RD          Interfaces
  vpn_a                            65000:1             Se0/1
  vpn_b                            65000:2             Se0/2

PE1#sh ip bgp vpnv4 all
BGP table version is 17, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf vpn_a)
*> 10.1.0.1/32      10.2.0.2                 1         32768 ?
*> 10.2.0.0/30      0.0.0.0                  0         32768 ?
*>i10.3.0.0/30      192.168.1.4              0    100      0 ?
*>i10.4.0.1/32      192.168.1.4              1    100      0 ?
Route Distinguisher: 65000:2 (default for vrf vpn_b)
*> 10.1.0.1/32      10.2.0.2                 1         32768 ?
*> 10.2.0.0/30      0.0.0.0                  0         32768 ?
*>i10.3.0.0/30      192.168.1.4              0    100      0 ?
*>i10.4.0.1/32      192.168.1.4              1    100      0 ?

2 192.168.1.9 [MPLS: Labels 19/21 Exp 0] 116 msec 60 msec 32 msec --> A labeled packet is switched from PE1 to P1 with MPLS label 19 and VPN label 21. To see what happens at the P1 router, let's check P1's forwarding table.

P1#sh mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.3/32    0          Se0/1      point2point
17     Pop tag     192.168.1.16/30   0          Se0/1      point2point
18     Pop tag     192.168.1.1/32    7257       Se0/0      point2point
19     16          192.168.1.4/32    3825       Se0/1      point2point

A packet labeled 19 from PE1 router to P1 router will be switched out P1's s0/1 interface with outbound label 16.

3 192.168.1.13 [MPLS: Labels 16/21 Exp 0] 92 msec 32 msec 32 msec --> A labeled packet is switched from P1 to P2 with MPLS label 16 and VPN label 21. To see what happens at the P2 router, let's check P2's forwarding table.

P2#sh mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     192.168.1.4/32    4939       Se0/1      point2point
17     18          192.168.1.1/32    9323       Se0/0      point2point
18     Pop tag     192.168.1.2/32    0          Se0/0      point2point
19     Pop tag     192.168.1.8/30    0          Se0/0      point2point

What happens to the packet? Well, from the P1 router, the packet is sent with a tag of 16. By observing the output of the show mpls forwarding-table command on the P2 router, you can see that an inbound packet labeled 16 arriving at the P2 router has its label popped and is forwarded as unlabeled IP out interface Serial0/1; this is the penultimate hop popping described in the overview. So here at the P2 router there is no routing, only switching of labeled, or tagged, packets. You can think of Pop tag as meaning, "The next-hop router needs to do a Layer 3 lookup on the packet, so don't send this traffic with a transport label; send it as unlabeled IP traffic instead". Note that "unlabeled IP packet" in this case means the transport label is gone, but the packet still carries its VPN label.

4 10.3.0.1 [MPLS: Label 21 Exp 0] 32 msec 32 msec 32 msec --> The packet is handed from the P2 router to PE2 carrying only VPN label 21. From that label, the egress PE2 router knows the packet belongs to customer A1. Because what remains is an IP packet, let's check PE2's VRF routing table.

PE2#sh ip route vrf vpn_a

Routing Table: vpn_a
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
B       10.2.0.0/30 [200/0] via 192.168.1.1, 01:24:59
C       10.3.0.0/30 is directly connected, Serial0/1
B       10.1.0.1/32 [200/1] via 192.168.1.1, 01:24:59
R       10.4.0.1/32 [120/1] via 10.3.0.2, 00:00:58, Serial0/1

Obviously, the PE2 router is directly connected to the A2 router via its s0/1 interface: 10.3.0.0/30 shows up as a connected route on PE2's Serial0/1.

5 10.3.0.2 32 msec 60 msec 28 msec -->  The A2 router is the last hop; it is directly connected to the PE2 router, as just mentioned.
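
To tie the five hops together, here is an added example (not code from the original post) that replays the A1 to A2 traceroute against the forwarding tables shown above. The PE1, P1 and P2 LFIB rows and PE2's vpn_a routing table are copied from the page. PE2's own LFIB is not shown in the post, so the one row the model needs for it is an assumption: label 21 as an aggregate label for 10.3.0.0/30 in vpn_a, which matches the label reported in the traceroute and the Aggregate entry PE1 itself holds for its connected VRF subnet. The model takes the VPN label as an input rather than deriving it from PE1's LFIB, because that label is chosen by the egress PE and learned by PE1 through MP-BGP; the transport label, by contrast, does come out of PE1's LFIB entry for the BGP next hop 192.168.1.4/32. The returned records reproduce the label stacks the traceroute reported at each hop, including the pop at P2 and the IP lookup inside the VRF at PE2.

```python
# Replay the lab's A1 -> A2 traceroute against the LFIBs shown on the page.
import re
from ipaddress import ip_address, ip_network

# Rows copied from the page's `show mpls forwarding-table` outputs.
PE1_LFIB = """\
16     Pop tag     192.168.1.2/32    0          Se0/0      point2point
17     16          192.168.1.3/32    0          Se0/0      point2point
18     Pop tag     192.168.1.12/30   0          Se0/0      point2point
19     17          192.168.1.16/30   0          Se0/0      point2point
20     19          192.168.1.4/32    0          Se0/0      point2point
21     Untagged    10.1.0.1/32[V]    520        Se0/1      point2point
22     Aggregate   10.2.0.0/30[V]    19879
23     Untagged    10.1.0.1/32[V]    0          Se0/2      point2point
24     Aggregate   10.2.0.0/30[V]    24826
"""
P1_LFIB = """\
16     Pop tag     192.168.1.3/32    0          Se0/1      point2point
17     Pop tag     192.168.1.16/30   0          Se0/1      point2point
18     Pop tag     192.168.1.1/32    7257       Se0/0      point2point
19     16          192.168.1.4/32    3825       Se0/1      point2point
"""
P2_LFIB = """\
16     Pop tag     192.168.1.4/32    4939       Se0/1      point2point
17     18          192.168.1.1/32    9323       Se0/0      point2point
18     Pop tag     192.168.1.2/32    0          Se0/0      point2point
19     Pop tag     192.168.1.8/30    0          Se0/0      point2point
"""
# ASSUMPTION: PE2's LFIB is not on the page. This row is inferred from the VPN
# label 21 in the traceroute and from the Aggregate entry PE1 itself holds for
# its directly connected VRF subnet (local label 22, 10.2.0.0/30[V]).
PE2_LFIB_ASSUMED = """\
21     Aggregate   10.3.0.0/30[V]    0
"""
# PE2's vpn_a routing table, copied from the page's `show ip route vrf vpn_a`.
PE2_VPN_A_ROUTES = {
    "10.2.0.0/30": "BGP via 192.168.1.1",
    "10.3.0.0/30": "connected Serial0/1",
    "10.1.0.1/32": "BGP via 192.168.1.1",
    "10.4.0.1/32": "RIP via 10.3.0.2, Serial0/1",
}
ROW = re.compile(r"^(\d+)\s+(Pop tag|Untagged|Aggregate|\d+)\s+(\S+)\s+\d+(?:\s+(\S+))?")
ACTIONS = {"Pop tag": "pop", "Untagged": "untagged", "Aggregate": "aggregate"}

def parse_lfib(text):
    """Map local label -> {action, out_label, prefix, vpn, iface}."""
    lfib = {}
    for m in filter(None, map(ROW.match, text.splitlines())):
        local, out, prefix, iface = m.groups()
        action = ACTIONS.get(out, "swap")          # a number in column 2 means swap to it
        lfib[int(local)] = {"action": action, "iface": iface,
                            "out_label": int(out) if action == "swap" else None,
                            "prefix": prefix.removesuffix("[V]"),
                            "vpn": prefix.endswith("[V]")}   # [V] marks a VRF prefix
    return lfib

def vrf_lookup(routes, dst):
    """Longest-prefix match in a VRF table; returns the matching route's text."""
    hits = [(ip_network(p), r) for p, r in routes.items() if ip_address(dst) in ip_network(p)]
    if not hits:
        raise LookupError(f"no VRF route for {dst}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def replay(dst, vpn_label, bgp_next_hop, path, egress):
    """One (router, stack on arrival, stack on exit, exit) tuple per hop.
    path = [(name, lfib), ...] for the ingress PE and the P routers; egress =
    (name, lfib, vrf_routes). vpn_label is the label the egress PE advertised
    in MP-BGP for dst's VRF prefix: the ingress imposes it, the core never reads it."""
    ingress, ingress_lfib = path[0]
    nh = next(e for e in ingress_lfib.values()
              if not e["vpn"] and e["prefix"] == f"{bgp_next_hop}/32")
    stack = [vpn_label] if nh["action"] == "pop" else [nh["out_label"], vpn_label]
    hops = [(ingress, [], list(stack), nh["iface"])]
    for name, lfib in path[1:]:
        arrived = list(stack)
        entry = lfib.get(stack[0])
        if entry is None or entry["action"] not in ("swap", "pop"):
            raise LookupError(f"{name}: no transit entry for label {stack[0]}")
        if entry["action"] == "swap":
            stack[0] = entry["out_label"]
        else:                 # penultimate hop popping: the transport label goes,
            stack.pop(0)      # the VPN label underneath stays in place
        hops.append((name, arrived, list(stack), entry["iface"]))
    name, lfib, vrf_routes = egress
    arrived = list(stack)
    entry = lfib[stack.pop(0)]                   # the VPN label selects the VRF entry
    if entry["action"] == "untagged":            # per-prefix label: interface already known
        exit_info = entry["iface"]
    else:                                        # aggregate label: IP lookup inside the VRF
        exit_info = vrf_lookup(vrf_routes, dst)
    hops.append((name, arrived, list(stack), exit_info))
    return hops

def trace_a1_to_a2():
    """The page's A1 -> A2 traceroute (hops PE1, P1, P2, PE2), replayed."""
    path = [("PE1", parse_lfib(PE1_LFIB)), ("P1", parse_lfib(P1_LFIB)), ("P2", parse_lfib(P2_LFIB))]
    return replay("10.3.0.2", 21, "192.168.1.4", path, ("PE2", parse_lfib(PE2_LFIB_ASSUMED), PE2_VPN_A_ROUTES))
```

trace_a1_to_a2() returns PE1 imposing [19, 21] out Se0/0, P1 receiving [19, 21] and swapping to [16, 21] out Se0/1, P2 receiving [16, 21] and popping to [21] out Se0/1, and PE2 receiving [21], removing it and resolving 10.3.0.2 to the connected Serial0/1 route in vpn_a, which is exactly the sequence the traceroute above prints. The B1 to B2 trace differs only in the VPN label (23 instead of 21): the transport path and its labels are shared, and it is the inner label alone that keeps the two customers apart at PE2.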

Conclusions:

- VPNs emerged as an alternative to dedicated point-to-point links: they deliver the same benefits as dedicated point-to-point links, but without the high cost. Many technologies are used to support overlay VPNs. From a Layer 1 perspective, VPNs can be implemented with SONET, T1, E1, ISDN, etc. From a Layer 2 perspective, VPNs can be implemented with Frame Relay, ATM, X.25, etc. From a Layer 3 perspective, IP tunneling technologies such as IPsec and GRE can be used to implement a VPN. Peer-to-peer VPNs were introduced later. The biggest difference between peer-to-peer VPNs and traditional VPNs is that in a peer-to-peer VPN the customer and the service provider exchange routing information. The two ways to implement peer-to-peer VPNs are the dedicated router and the shared router approaches. MPLS-based VPNs offer the same privacy and security as traditional VPNs. In addition, overlapping address spaces, intranets, extranets, and even hub-and-spoke topologies are supported in an MPLS VPN.