MPLS VPN basics – Getting it all started.
I guess I should start with first things first. With VRFs (Virtual Routing and Forwarding), multiple instances of separate routing tables can exist on the same router. Each of these VRFs is independent and provides separation for these networks. Since they are separate routing tables, VRFs allow for overlapping address space. Look at the topology I have been using.
There are 2 VRFs configured in this topology, RED and BLUE. Each VRF has an east and a west router. VRFs allow the PE routers (west and east) to have isolated routing tables for each customer. Therefore, if both BLUE and RED are using the 10.0.0.0/8 address space, it is not a problem. Each /8 network is part of a different VRF and traffic will remain isolated between sites.
Now, the PE routers need to exchange information so the CEs can communicate. Welcome to the service of MPLS VPN. Here are a few items which need to be known for MPLS VPN.
For MPLS VPN, an RD (route distinguisher) of 64 bits is prepended to the customer's 32-bit IPv4 address to create what is known as a VPNv4 route (96 bits). RDs are only locally significant to a router, but since the RD is part of the VPNv4 route it does have global significance.
An RT (route target) is a 64 byte extended BGP community attached to a VPNv4 route. There can be multiple RTs attached to a single route, but they cannot exceed the packet size of 4096. These RTs are used to import and export VPNv4 routes into and out of VRFs. RTs can be filtered both inbound and outbound for route control. Examples to come.
RD and RTs are usually in the format of ASN:nn or IPADDRESS:nn where nn equals any number.
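As an added illustration (not code from the original post), the Python sketch below builds the 96-bit VPNv4 address from an RD and an IPv4 prefix, applies RT import matching, and audits for a VRF that imports another VRF's export RT. The RD/RT values 100:1 and 100:2 and the VRFS table are assumptions; only AS 100, the VRF names and the overlapping 10.0.0.0/8 space come from the article.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode an RD as 8 bytes: 2-byte type + 6-byte value (RFC 4364)."""
    admin, _, num = rd.rpartition(":")
    if "." in admin:  # IPADDRESS:nn -> type 1: 4-byte IPv4 + 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))  # ASN:nn -> type 0

def vpnv4(rd: str, prefix: str) -> bytes:
    """Return the 96-bit VPNv4 address: 64-bit RD + 32-bit IPv4 network."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed

# Constructed sample: the RD and RT values are assumptions, not taken
# from the article's routers.
VRFS = {
    "RED":  {"rd": "100:1", "export": {"100:1"}, "import": {"100:1"}},
    "BLUE": {"rd": "100:2", "export": {"100:2"}, "import": {"100:2"}},
}

def advertise(vrf: str, prefix: str) -> dict:
    """Model a PE exporting a customer prefix as a VPNv4 route with its RTs."""
    cfg = VRFS[vrf]
    return {"nlri": vpnv4(cfg["rd"], prefix), "prefix": prefix, "rts": set(cfg["export"])}

def importing_vrfs(route: dict, vrfs: dict = VRFS) -> list:
    """A VRF installs a route when any attached RT is in its import list."""
    return sorted(name for name, cfg in vrfs.items() if route["rts"] & cfg["import"])

def leaked_imports(vrfs: dict = VRFS) -> list:
    """Audit: (importer, exporter) pairs where one VRF imports another's RT."""
    return sorted((a, b) for a, ca in vrfs.items() for b, cb in vrfs.items()
                  if a != b and ca["import"] & cb["export"])

if __name__ == "__main__":
    red, blue = advertise("RED", "10.0.0.0/8"), advertise("BLUE", "10.0.0.0/8")
    print(red["nlri"].hex(), importing_vrfs(red))    # same prefix, distinct VPNv4 route
    print(blue["nlri"].hex(), importing_vrfs(blue))
    print("cross-VRF imports:", leaked_imports())
```

The RD only keeps the overlapping prefixes distinct inside BGP; which VRF actually installs a route is decided by the RT import list, so that list is what to review when checking customer isolation.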
One other item I wanted to mention is the labels. With MPLS VPN, there are 2 labels in the label stack. The top label is used to switch the packets through the MPLS network. This is often called the LDP label and corresponds to the next hop of the BGP route, usually the loopback from the peering sessions. The bottom label is the VPN label, which is used to identify the outgoing interface on the PE router. This is propagated with M-BGP.
M-BGP (Multiprotocol Extensions for BGP-4) is defined in RFC 2858. The RFC introduces two new BGP attributes, MP_REACH_NLRI and MP_UNREACH_NLRI. These new attributes contain an AFI (Address Family Identifier) and SAFI (Subsequent Address Family Identifier). The AFI carries the identity of the Network Layer Protocol and the SAFI provides additional information about the type of NLRI.
- AFIs can be either IPv4 or IPv6.
- SAFIs can be either Unicast, Multicast, Unicast and Multicast, MPLS Label, or MPLS Labeled VPN.
To start the configuration, let's make sure our LSP is working between PE_WEST and PE_EAST. For brevity, I am only going to go from WEST->EAST, but I verified both ways.
```
PE_WEST#traceroute 220.127.116.11

Type escape sequence to abort.
Tracing the route to 18.104.22.168

  1 10.10.11.2 [MPLS: Label 25 Exp 0] 36 msec 24 msec 20 msec
  2 10.13.13.3 [MPLS: Label 25 Exp 0] 16 msec 48 msec 20 msec
  3 10.30.33.10 16 msec 52 msec *

PE_WEST#show mpls forwarding-table 22.214.171.124
Local      Outgoing   Prefix               Bytes Label   Outgoing   Next Hop
Label      Label      or VC or Tunnel Id   Switched      interface
26         25         126.96.36.199/32   \
                                           0             Fa2/0      10.10.11.2
           25         188.8.131.52/32   \
                                           0             Fa2/1      10.20.22.2

P1#show mpls forwarding-table 184.108.40.206
Local      Outgoing   Prefix               Bytes Label   Outgoing   Next Hop
Label      Label      or VC or Tunnel Id   Switched      interface
25         25         220.127.116.11/32   \
                                           950           Fa1/1      10.13.13.3

P3#show mpls forwarding-table 18.104.22.168
Local      Outgoing   Prefix               Bytes Label   Outgoing   Next Hop
Label      Label      or VC or Tunnel Id   Switched      interface
25         Pop Label  22.214.171.124/32   \
                                           0             Fa1/1      10.30.33.10
```
Now, let’s get M-BGP set up and ready to go.
```
PE_WEST(config)#router bgp 100
PE_WEST(config-router)#neighbor 126.96.36.199 remote-as 100
PE_WEST(config-router)#neighbor 188.8.131.52 update-source lo0

PE_EAST(config)#router bgp 100
PE_EAST(config-router)#neighbor 100.100.100.100 remote-as 100
PE_EAST(config-router)#neighbor 100.100.100.100 update-source lo0

PE_WEST(config-router)#address-family vpnv4 unicast
PE_WEST(config-router-af)#neighbor 184.108.40.206 activate
PE_WEST(config-router-af)#neighbor 220.127.116.11 send-community both

PE_EAST(config-router)#address-family vpnv4 unicast
PE_EAST(config-router-af)#neighbor 100.100.100.100 activate
PE_EAST(config-router-af)#neighbor 100.100.100.100 send-community both
```
Look at the config afterwards and you'll notice that the router bgp process is now broken down by address family. Under the main router bgp process is all the connection information, and under the address families are the specifics for each family. Remember to activate the neighbor in each address family you want to use. The ipv4 vrf address families are created as well, as these will be needed for PE/CE routing.
```
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 18.104.22.168 remote-as 100
 neighbor 22.214.171.124 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 126.96.36.199 activate
  neighbor 188.8.131.52 send-community both
 exit-address-family
 !
 address-family ipv4 vrf RED
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf BLUE
  no auto-summary
  no synchronization
 exit-address-family
```
Check to make sure the vpnv4 address family is working between BGP peers.
```
PE_WEST#show bgp vpnv4 unicast all summary
BGP router identifier 100.100.100.100, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
184.108.40.206  4   100    1076    1076        1    0    0 00:00:10        0
```
Now it is time to set up PE-CE routing.
This entry was posted by packetpundit on June 23, 2011 at 7:43 am, and is filed under Uncategorized.