I guess I should start with first things first. With VRFs (Virtual Routing and Forwarding), multiple separate routing table instances can exist on the same router. Each of these VRFs is independent and provides separation for these networks. Since they are separate routing tables, VRFs allow for overlapping address space. Look at the topology I have been using.

There are 2 VRFs configured in this topology, RED and BLUE. Each VRF has an east and a west router. VRFs allow the PE routers (west and east) to have isolated routing tables for each customer. Therefore, if both BLUE and RED are using the 10.0.0.0/8 address space, it is not a problem. Each /8 network is part of a different VRF and traffic will remain isolated between sites.

Now, the PE routers need to exchange information so the CEs can communicate. Welcome to the service of MPLS VPN. Here are a few items which need to be known for MPLS VPN.

For MPLS VPN, an RD (route distinguisher) of 64 bits is prepended to the customer’s 32-bit IPv4 address to create what is known as a VPNv4 route (96 bits). RDs are only locally significant to a router, but since the RD is part of the VPNv4 route it does have global significance.

An RT (route target) is a 64 byte extended BGP community attached to a VPNv4 route. There can be multiple RTs attached to a single route, but they cannot exceed the packet size of 4096. These RTs are used to import and export VPNv4 routes into and out of VRFs. RTs can be filtered both inbound and outbound for route control. Examples to come.

RDs and RTs are usually in the format ASN:nn or IPADDRESS:nn, where nn is any number.
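
The RD and RT mechanics described above, as an added example that is not from the original post: it encodes both RD formats, builds the 96-bit VPNv4 route for the overlapping 10.0.0.0/8 prefixes, and applies RT import matching on the receiving PE. The RD/RT values (100:1, 100:2), the site labels and the import lists are assumptions made for illustration; the 2-byte type field inside the RD follows RFC 4364.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:nn' (type 0) or 'IPADDRESS:nn' (type 1) as an 8-byte RD."""
    admin, _, number = rd.rpartition(":")
    if "." in admin:  # IPADDRESS:nn -> type 1, 4-byte address, 2-byte number
        addr = ipaddress.IPv4Address(admin).packed
        return struct.pack("!H4sH", 1, addr, int(number))
    return struct.pack("!HHI", 0, int(admin), int(number))  # ASN:nn -> type 0

def vpnv4(rd: str, prefix: str) -> bytes:
    """64-bit RD prepended to the 32-bit IPv4 address: the 96-bit VPNv4 route."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed

# Constructed sample: what PE_WEST might export (values are assumptions).
PE_WEST_EXPORTS = [
    {"rd": "100:1", "prefix": "10.0.0.0/8", "rts": {"100:1"}, "site": "RED west"},
    {"rd": "100:2", "prefix": "10.0.0.0/8", "rts": {"100:2"}, "site": "BLUE west"},
]
# Import RTs per VRF on PE_EAST: the intended policy and a leaking variant.
ISOLATED = {"RED": {"100:1"}, "BLUE": {"100:2"}}
LEAKING = {"RED": {"100:1", "100:2"}, "BLUE": {"100:2"}}

def import_routes(routes, vrf_imports):
    """Install each route in every VRF whose import RTs share an RT with it."""
    tables = {vrf: [] for vrf in vrf_imports}
    for route in routes:
        for vrf, wanted in vrf_imports.items():
            if route["rts"] & wanted:
                tables[vrf].append(route["site"])
    return tables

if __name__ == "__main__":
    for route in PE_WEST_EXPORTS:
        print(route["site"], vpnv4(route["rd"], route["prefix"]).hex())
    print("isolated:", import_routes(PE_WEST_EXPORTS, ISOLATED))
    print("leaking: ", import_routes(PE_WEST_EXPORTS, LEAKING))
```

The RD only keeps the two 10.0.0.0/8 routes distinct inside BGP; which VRF a route lands in is decided by the RT import list, so one extra import RT is enough to put BLUE's route into RED's table.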

One other item I wanted to mention is the labels. With MPLS VPN, there are 2 labels in the label stack. The top label is used to switch the packets through the MPLS network. This is often called the LDP label and is the next hop of the BGP route, usually the loopback from the peering sessions. The bottom label is the VPN label, which is used to distinguish the outgoing interface on the PE router. This is propagated with M-BGP.

M-BGP (Multiprotocol Extensions for BGP-4) is defined in RFC 2858. The RFC introduces two new BGP attributes, MP_REACH_NLRI and MP_UNREACH_NLRI. These new attributes contain an AFI (Address Family Identifier) and a SAFI (Subsequent Address Family Identifier). The AFI carries the identity of the Network Layer Protocol and the SAFI provides additional information about the type of NLRI.

- AFIs can be either IPv4 or IPv6.

- SAFIs can be either Unicast, Multicast, Unicast and Multicast, MPLS Label, or MPLS Labeled VPN.

To start the configuration, let's make sure our LSP is working between PE_WEST and PE_EAST. For brevity, I am only going to go from WEST->EAST, but I verified both ways.

PE_WEST#traceroute 200.200.200.200

Type escape sequence to abort.
Tracing the route to 200.200.200.200

1 10.10.11.2 [MPLS: Label 25 Exp 0] 36 msec 24 msec 20 msec
2 10.13.13.3 [MPLS: Label 25 Exp 0] 16 msec 48 msec 20 msec
3 10.30.33.10 16 msec 52 msec *

PE_WEST#show mpls forwarding-table 200.200.200.200
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
26     25            200.200.200.200/32   \
0             Fa2/0      10.10.11.2
25            200.200.200.200/32   \
0             Fa2/1      10.20.22.2

P1#show mpls forwarding-table 200.200.200.200
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
25     25            200.200.200.200/32   \
950           Fa1/1      10.13.13.3

P3#show mpls forwarding-table 200.200.200.200
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop
Label  Label or VC   or Tunnel Id      Switched      interface
25     Pop Label     200.200.200.200/32   \
0             Fa1/1      10.30.33.10

Now, let’s get M-BGP set up and ready to go.

PE_WEST(config)#router bgp 100
PE_WEST(config-router)#neighbor 200.200.200.200 remote-as 100
PE_WEST(config-router)#neighbor 200.200.200.200 update-source lo0

PE_EAST(config)#router bgp 100
PE_EAST(config-router)#neighbor 100.100.100.100 remote-as 100
PE_EAST(config-router)#neighbor 100.100.100.100 update-source lo0

PE_WEST(config-router)#address-family vpnv4 unicast
PE_WEST(config-router-af)#neighbor 200.200.200.200 activate
PE_WEST(config-router-af)#neighbor 200.200.200.200 send-community both

PE_EAST(config-router)#address-family vpnv4 unicast
PE_EAST(config-router-af)#neighbor 100.100.100.100 activate
PE_EAST(config-router-af)#neighbor 100.100.100.100 send-community both

Look at the config afterwards and you’ll notice the router bgp process is now broken down by address family. Under the main router bgp process is all the connection information, and under the address families are the specifics for each family. Remember to activate the neighbor in each address family you want to use. The IPv4 VRF address families are created as well, as these will be needed for PE/CE routing.

router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 200.200.200.200 remote-as 100
neighbor 200.200.200.200 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 200.200.200.200 activate
neighbor 200.200.200.200 send-community both
exit-address-family
!
address-family ipv4 vrf RED
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf BLUE
no auto-summary
no synchronization
exit-address-family
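
A check for the configuration points above, added here as an example and not taken from the original post: it walks a `router bgp` section and reports, per neighbor, whether the session has an update-source, is activated under `address-family vpnv4`, and sends extended communities (which carry the RTs). The second neighbor, 192.0.2.9, is a hypothetical peer added to the constructed sample to show a failing case.

```python
import re

# Constructed sample based on the PE_WEST config above.
# 192.0.2.9 is a hypothetical, incompletely configured peer.
RUNNING_CONFIG = """\
router bgp 100
 neighbor 200.200.200.200 remote-as 100
 neighbor 200.200.200.200 update-source Loopback0
 neighbor 192.0.2.9 remote-as 100
 !
 address-family vpnv4
  neighbor 200.200.200.200 activate
  neighbor 200.200.200.200 send-community both
  neighbor 192.0.2.9 activate
 exit-address-family
"""

SENDS_RT = {("vpnv4", "send-community both"),
            ("vpnv4", "send-community extended")}

def audit_vpnv4(config: str) -> dict:
    """Return {neighbor: [problems]} for every neighbor in the BGP config."""
    family = "global"
    seen = {}  # neighbor -> set of (address family, option text)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("address-family"):
            family = line.split()[1]          # e.g. "vpnv4" or "ipv4"
        elif line == "exit-address-family":
            family = "global"
        match = re.match(r"neighbor (\S+) (.+)", line)
        if match:
            seen.setdefault(match.group(1), set()).add((family, match.group(2)))
    report = {}
    for neighbor, opts in seen.items():
        problems = []
        if not any(f == "global" and o.startswith("update-source") for f, o in opts):
            problems.append("no update-source")
        if ("vpnv4", "activate") not in opts:
            problems.append("not activated under vpnv4")
        elif not (SENDS_RT & opts):
            problems.append("RTs not sent (no send-community extended/both)")
        report[neighbor] = problems
    return report

if __name__ == "__main__":
    for neighbor, problems in audit_vpnv4(RUNNING_CONFIG).items():
        print(neighbor, "OK" if not problems else problems)
```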

Check to make sure the vpnv4 address family is working between BGP peers.

PE_WEST#show bgp vpnv4 unicast all summary
BGP router identifier 100.100.100.100, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
200.200.200.200 4   100    1076    1076        1    0    0 00:00:10        0

Now it's time to set up PE-CE routing.