I guess I should start with first things first. With VRFs (Virtual Routing and Forwarding), multiple instances of separate routing tables can exist on the same router. Each of these VRFs is independent and provides separation for these networks. Since they are separate routing tables, VRFs allow for overlapping address space. Look at the topology I have been using.

There are 2 VRFs configured in this topology, RED and BLUE. Each VRF has an east and a west router in it. VRFs allow the PE routers (west and east) to have isolated routing tables for each customer. Therefore, if both BLUE and RED are using the same address space, it is not a problem. Each /8 network is part of a different VRF, and traffic will remain isolated between sites.

Now, the PE routers need to exchange information so the CEs can communicate. Welcome to the service of MPLS VPN. Here are a few items which need to be known for MPLS VPN.

For MPLS VPN, an RD (route distinguisher) of 64 bits is prepended to the customer's 32-bit IPv4 address to create what is known as a VPNv4 route (96 bits). RDs are only locally significant to a router, but since the RD is part of the VPNv4 route it does have global significance.

RT (route target) is a 64 byte extended BGP community attached to a VPNv4 route. Multiple RTs can be attached to a single route, but they cannot exceed the packet size of 4096. These RTs are used to import and export VPNv4 routes into and out of VRFs. RTs can be filtered both inbound and outbound for route control. Examples to come.

RDs and RTs are usually in the format ASN:nn or IPADDRESS:nn, where nn is any number.
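The RD and RT mechanics described above, as an added example that is not part of the original post: it encodes both RD formats, builds the 96-bit VPNv4 address, and audits an RT import policy to show that isolation between VRFs depends on which RTs each VRF imports. The RD/RT values (100:1, 100:2), the 10.0.0.0 prefix and the function names are assumptions made for illustration; the RD type codes (0 for ASN:nn, 1 for IPADDRESS:nn) follow RFC 4364.

```python
import ipaddress
import struct

def encode_rd(rd):
    """Encode 'ASN:nn' (type 0) or 'IPADDRESS:nn' (type 1) as an 8-byte RD."""
    admin, _, nn = rd.rpartition(":")
    if "." in admin:  # type 1: 4-byte IPv4 address + 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(nn))
    return struct.pack("!HHI", 0, int(admin), int(nn))  # type 0: 2-byte ASN + 4-byte number

def vpnv4(rd, ipv4):
    """Prepend the 64-bit RD to the 32-bit IPv4 address: a 96-bit VPNv4 address."""
    return encode_rd(rd) + ipaddress.IPv4Address(ipv4).packed

# Constructed sample: RD/RT values and the 10.0.0.0 prefix are assumptions.
ROUTES = [
    {"rd": "100:1", "prefix": "10.0.0.0", "rts": {"100:1"}},  # exported from RED
    {"rd": "100:2", "prefix": "10.0.0.0", "rts": {"100:2"}},  # exported from BLUE
]
GOOD_IMPORT = {"RED": {"100:1"}, "BLUE": {"100:2"}}
BAD_IMPORT = {"RED": {"100:1", "100:2"}, "BLUE": {"100:2"}}  # RED also imports BLUE's RT

def import_routes(vrf_import, routes):
    """Install each route into every VRF whose import RT set shares an RT with it."""
    tables = {vrf: [] for vrf in vrf_import}
    for route in routes:
        for vrf, wanted in vrf_import.items():
            if wanted & route["rts"]:
                tables[vrf].append(route)
    return tables

def cross_imports(vrf_import, routes):
    """Audit: VRFs that hold routes from more than one RD, i.e. see another VRF's routes."""
    flagged = {}
    for vrf, table in import_routes(vrf_import, routes).items():
        rds = sorted({route["rd"] for route in table})
        if len(rds) > 1:
            flagged[vrf] = rds
    return flagged

if __name__ == "__main__":
    for r in ROUTES:
        print(r["rd"], vpnv4(r["rd"], r["prefix"]).hex())
    print("good policy:", cross_imports(GOOD_IMPORT, ROUTES))
    print("bad policy: ", cross_imports(BAD_IMPORT, ROUTES))
```

A VRF that legitimately imports from several RDs (an extranet, for instance) will also be flagged, so treat the result as a list to review against the intended design.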

One other item I wanted to mention is the labels. With MPLS VPN, there are 2 labels in the label stack. The top label is used to switch the packets through the MPLS network. This is often called the LDP label and corresponds to the next hop of the BGP route, usually the loopback from the peering sessions. The bottom label is the VPN label, which is used to distinguish the outgoing interface on the PE router. This label is propagated with M-BGP.

M-BGP (Multiprotocol Extensions for BGP-4) is defined in RFC 2858. The RFC introduces two new BGP attributes, MP_REACH_NLRI and MP_UNREACH_NLRI. These new attributes contain an AFI (Address Family Identifier) and a SAFI (Subsequent Address Family Identifier). The AFI carries the identity of the Network Layer Protocol and the SAFI provides additional information about the type of NLRI.

- AFIs can be either IPv4 or IPv6.

- SAFIs can be either Unicast, Multicast, Unicast and Multicast, MPLS Label, MPLS Labeled VPN.

To start the configuration, let's make sure our LSP is working between PE_WEST and PE_EAST. For brevity, I am only going to go from WEST->EAST, but I verified both ways.


Type escape sequence to abort.
Tracing the route to

1 [MPLS: Label 25 Exp 0] 36 msec 24 msec 20 msec
2 [MPLS: Label 25 Exp 0] 16 msec 48 msec 20 msec
3 16 msec 52 msec *

PE_WEST#show mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
26     25     \
0             Fa2/0
25     \
0             Fa2/1

P1#show mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
25     25     \
950           Fa1/1

P3#show mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
25     Pop Label   \
0             Fa1/1
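The two-label stack and the label operations visible in the output above, as an added example that is not part of the original post: it encodes the stack in the 32-bit MPLS entry format (label, Exp, bottom-of-stack bit, TTL) and walks it through the swap at P1 and the "Pop Label" at P3. The VPN label value 30 and the function names are assumptions, as is reading these LFIB entries as the path toward PE_EAST, since the prefix column is missing from the output.

```python
import struct

def encode_stack(labels, exp=0, ttl=255):
    """Encode labels top-first as 32-bit entries: label(20) | Exp(3) | S(1) | TTL(8)."""
    out = b""
    for i, label in enumerate(labels):
        bottom = int(i == len(labels) - 1)  # S bit is set only on the last entry
        out += struct.pack("!I", (label << 12) | (exp << 9) | (bottom << 8) | ttl)
    return out

def decode_stack(data):
    """Return [(label, exp, bottom_of_stack), ...], stopping at the S bit."""
    entries = []
    for off in range(0, len(data) - 3, 4):
        (word,) = struct.unpack_from("!I", data, off)
        entries.append((word >> 12, (word >> 9) & 0x7, bool(word & 0x100)))
        if entries[-1][2]:
            break
    return entries

# LFIB actions read from the show mpls forwarding-table output: local label -> action.
LFIB = {"P1": {25: ("swap", 25)}, "P3": {25: ("pop", None)}}
VPN_LABEL = 30  # constructed value; the page does not show the VPN label

def forward(router, labels):
    """Apply the router's LFIB action to the top label; lower labels are never read."""
    action, out_label = LFIB[router][labels[0]]
    return [out_label] + labels[1:] if action == "swap" else labels[1:]

def walk():
    """PE_WEST pushes [LDP label 25, VPN label]; P1 swaps, P3 pops (PHP)."""
    labels = [25, VPN_LABEL]
    trace = [("PE_WEST", labels)]
    for router in ("P1", "P3"):
        labels = forward(router, labels)
        trace.append((router, labels))
    return trace

if __name__ == "__main__":
    for router, labels in walk():
        print(router, labels, decode_stack(encode_stack(labels)))
```

After P3 pops the top label, the packet reaches PE_EAST carrying only the VPN label, which matches the unlabeled third hop in the traceroute.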

Now, let’s get M-BGP set up and ready to go.

PE_WEST(config)#router bgp 100
PE_WEST(config-router)#neighbor remote-as 100
PE_WEST(config-router)#neighbor update-source lo0

PE_EAST(config)#router bgp 100
PE_EAST(config-router)#neighbor remote-as 100
PE_EAST(config-router)#neighbor update-source lo0

PE_WEST(config-router)#address-family vpnv4 unicast
PE_WEST(config-router-af)#neighbor activate
PE_WEST(config-router-af)#neighbor send-community both

PE_EAST(config-router)#address-family vpnv4 unicast
PE_EAST(config-router-af)#neighbor activate
PE_EAST(config-router-af)#neighbor send-community both

Look at the config afterwards and you'll notice the router bgp process is now broken down by address family. Under the main router bgp process is all the connection information, and under the address families are the specifics for each family. Remember to activate the neighbor under each address family you want to use. The ipv4 vrf address families are created as well, as these will be needed for PE/CE routing.

router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor remote-as 100
 neighbor update-source Loopback0
 no auto-summary
 address-family vpnv4
  neighbor activate
  neighbor send-community both
 address-family ipv4 vrf RED
  no auto-summary
  no synchronization
 address-family ipv4 vrf BLUE
  no auto-summary
  no synchronization

Check to make sure the vpnv4 address family is working between BGP peers.

PE_WEST#show bgp vpnv4 unicast all summary
BGP router identifier, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
                4   100    1076    1076        1    0    0 00:00:10        0

Now it's time to set up PE-CE routing.