Thursday, July 23, 2009

MPLS - BGP L3 VPN




With CCIE version 4 coming round the corner in October, I thought I would turn my attention to some of the new topics on the syllabus. Here I look at MPLS VPNs, and in this post I configure an MPLS L3 VPN.

There are 3 customers: A, B and C. These are connected across the shared MPLS infrastructure. The goal is to allow each customer to see their partner sites' routes, and their routes only, across the MPLS cloud.

In this post I do not plan to look at the detailed workings of MPLS VPNs but rather just detail the steps necessary to build and configure one.

In the MPLS cloud, BGP peering to the customer sites is implemented. The IGP routing protocol in the PE network is OSPF. The config I used to achieve this is laid out below.

The first step is to define the customer VRFs, and I apply the following config on each of the PE routers.

ip vrf CUSTA
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf CUSTB
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf CUSTC
 rd 3:3
 route-target export 3:3
 route-target import 3:3
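
An added example, not part of the original post: a Python audit that parses the ip vrf stanzas from this step and flags any VRF that imports a route target exported by a different VRF, which is the misconfiguration that would break the "their routes only" goal. LEAKY_CONFIG is a constructed input, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The same three VRF stanzas as in the post, generated to keep the sample short.
PAGE_CONFIG = "\n".join(
    f"ip vrf CUST{c}\n rd {n}:{n}\n route-target export {n}:{n}\n route-target import {n}:{n}\n!"
    for c, n in (("A", 1), ("B", 2), ("C", 3)))

# Constructed misconfiguration: CUSTB additionally imports CUSTA's route target.
LEAKY_CONFIG = PAGE_CONFIG.replace(
    " route-target import 2:2", " route-target import 2:2\n route-target import 1:1")


def parse_vrfs(config):
    """Return {vrf: {"rd", "import", "export"}} from IOS 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(
                m.group(1), {"rd": None, "import": set(), "export": set()})
        elif line == "!" or current is None:
            current = None  # stanza ended, or line is outside any VRF stanza
        elif m := re.fullmatch(r"rd (\S+)", line):
            current["rd"] = m.group(1)
        elif m := re.fullmatch(r"route-target (import|export|both) (\S+)", line):
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs


def find_leaks(vrfs):
    """List (importer, exporter, rt) where a VRF imports an RT another VRF exports."""
    exporters = defaultdict(set)
    for name, vrf in vrfs.items():
        for rt in vrf["export"]:
            exporters[rt].add(name)
    return sorted((name, other, rt)
                  for name, vrf in vrfs.items()
                  for rt in vrf["import"]
                  for other in exporters[rt] - {name})


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("leaky config", LEAKY_CONFIG)):
        print(label, "->", find_leaks(parse_vrfs(cfg)) or "no cross-VRF imports")
```

Deliberate shared-services designs will show up as findings too, so treat the result as a list to review against the intended import policy.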


The second step is to apply the VRF config to the customer-facing interfaces on the PE routers. At each step I verify my config with the show ip vrf command.


PE1(config-if)#DO SIIB
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 13.0.0.1 YES NVRAM up up
Serial2/0 10.0.0.2 YES manual up up
Serial2/1 10.0.0.6 YES NVRAM up up
Serial2/2 10.0.0.10 YES NVRAM up up


PE1(CONFIG)#int s2/0
PE1(config-if)#ip vrf forwarding CUSTA
% Interface Serial2/0 IP address 10.0.0.2 removed due to enabling VRF CUSTA
PE1(config-if)#ip address 10.0.0.2 255.255.255.252
PE1(config)#int s2/1
PE1(config-if)#ip vrf forwarding CUSTB
% Interface Serial2/1 IP address 10.0.0.6 removed due to enabling VRF CUSTB
PE1(config-if)#ip address 10.0.0.6 255.255.255.252
PE1(config-if)#int s2/2
PE1(config-if)#ip vrf forwarding CUSTC
% Interface Serial2/2 IP address 10.0.0.10 removed due to enabling VRF CUSTC
PE1(config-if)#ip address 10.0.0.10 255.255.255.252


PE1#s ip vrf
Name Default RD Interfaces
CUSTA 1:1 Se2/0
CUSTB 2:2 Se2/1
CUSTC 3:3 Se2/2


PE2#siib
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 13.0.0.2 YES NVRAM up up
Serial2/0 12.0.0.2 YES NVRAM up up
Serial2/1 12.0.0.6 YES NVRAM up up


PE2(config)#int s2/0
PE2(config-if)#ip vrf for
PE2(config-if)#ip vrf forwarding CUSTA
% Interface Serial2/0 IP address 12.0.0.2 removed due to enabling VRF CUSTA
PE2(config-if)#ip address 12.0.0.2 255.255.255.252
PE2(config-if)#int s2/1
PE2(config-if)#ip vrf forwarding CUSTC
% Interface Serial2/1 IP address 12.0.0.6 removed due to enabling VRF CUSTC
PE2(config-if)#ip address 12.0.0.6 255.255.255.252

PE2(config-if)#do s ip vrf
Name Default RD Interfaces
CUSTA 1:1 Se2/0
CUSTB 2:2
CUSTC 3:3 Se2/1


PE3#siib
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 13.0.0.3 YES manual up up
Serial2/0 11.0.0.2 YES NVRAM up up
Serial2/1 11.0.0.6 YES NVRAM up up

PE3(config-vrf)#int s2/0
PE3(config-if)#ip vrf forwarding CUSTB
% Interface Serial2/0 IP address 11.0.0.2 removed due to enabling VRF CUSTB
PE3(config-if)#ip address 11.0.0.2 255.255.255.252
PE3(config-if)#int s2/1
PE3(config-if)#ip vrf forwarding CUSTC
% Interface Serial2/1 IP address 11.0.0.6 removed due to enabling VRF CUSTC
PE3(config-if)#ip address 11.0.0.6 255.255.255.252

PE3(config-if)#DO S IP VRF
Name Default RD Interfaces
CUSTA 1:1
CUSTB 2:2 Se2/0
CUSTC 3:3 Se2/1


The 3rd step is to configure the PE to CE BGP adjacencies. N.B. The CE to PE adjacencies are standard BGP config and I do not detail them here. To keep the output down I have detailed the config required on PE1 only, as the config on the other PE routers is very similar.

router bgp 1000
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.5 remote-as 2
 neighbor 10.0.0.9 remote-as 3
 !
 address-family ipv4 vrf CUSTC
  neighbor 10.0.0.9 remote-as 3
  neighbor 10.0.0.9 activate
 !
 address-family ipv4 vrf CUSTB
  neighbor 10.0.0.5 remote-as 2
  neighbor 10.0.0.5 activate
 !
 address-family ipv4 vrf CUSTA
  neighbor 10.0.0.1 remote-as 1
  neighbor 10.0.0.1 activate


The 4th step is to configure the PE to PE adjacencies. Again I have detailed the PE1 config only here.

PE1
router bgp 1000
 neighbor 13.0.0.2 remote-as 1000
 neighbor 13.0.0.3 remote-as 1000
 !
 address-family vpnv4
  neighbor 13.0.0.2 activate
  neighbor 13.0.0.2 send-community extended
  neighbor 13.0.0.3 activate
  neighbor 13.0.0.3 send-community extended
 exit-address-family


The 5th step is to enable MPLS in the provider network.
On PE1, PE2 and PE3:

conf t
mpls ip
int fa0/0
 mpls ip



For verification

PE1#s ip bgp vpnv4 all sum | beg Neigh
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.0.0.1 4 1 46 49 24 0 0 00:17:01 2
10.0.0.5 4 2 6 6 24 0 0 00:01:33 2
10.0.0.9 4 3 5 4 19 0 0 00:00:43 2
101.101.101.101 4 1000 30 32 24 0 0 00:17:31 2
102.102.102.102 4 1000 31 34 24 0 0 00:17:19 2

PE1#s ip bgp vpnv4 *
BGP table version is 30, local router ID is 100.100.100.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUSTA)
*> 1.1.1.0/24 10.0.0.1 0 0 1 ?
r> 10.0.0.0/30 10.0.0.1 0 0 1 ?
*>i12.0.0.0/30 101.101.101.101 0 100 0 7 ?
*>i102.102.102.0/24 101.101.101.101 0 100 0 7 ?
Route Distinguisher: 2:2 (default for vrf CUSTB)
*> 2.2.2.0/24 10.0.0.5 0 0 2 ?
*>i4.4.4.0/24 102.102.102.102 0 100 0 4 ?
r> 10.0.0.4/30 10.0.0.5 0 0 2 ?
*>i11.0.0.0/30 102.102.102.102 0 100 0 4 ?
Route Distinguisher: 3:3 (default for vrf CUSTC)
*> 3.3.3.0/24 10.0.0.9 0 0 3 ?
*>i5.5.5.0/24 102.102.102.102 0 100 0 5 ?
*>i6.6.6.0/24 101.101.101.101 0 100 0 6 ?
r> 10.0.0.8/30 10.0.0.9 0 0 3 ?
*>i11.0.0.4/30 102.102.102.102 0 100 0 5 ?
*>i12.0.0.4/30 101.101.101.101 0 100 0 6 ?



Finally I examine the routing tables on peer customer sites to check routes have been shared. Here I dump the Customer A routing tables.

CUSTA1>s ip route

1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
7.0.0.0/24 is subnetted, 1 subnets
B 7.7.7.0 [20/0] via 10.0.0.2, 00:30:23
10.0.0.0/30 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Serial2/0
12.0.0.0/30 is subnetted, 1 subnets
B 12.0.0.0 [20/0] via 10.0.0.2, 00:37:16

CUSTA2#sir
1.0.0.0/24 is subnetted, 1 subnets
B 1.1.1.0 [20/0] via 12.0.0.2, 00:37:54
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback0
10.0.0.0/30 is subnetted, 1 subnets
B 10.0.0.0 [20/0] via 12.0.0.2, 00:37:54
12.0.0.0/30 is subnetted, 1 subnets
C 12.0.0.0 is directly connected, Serial2/0


I ping across the cloud

For Customer C
CUSTC3>ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 544/1161/1684 ms
CUSTC3>ping 6.6.6.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 624/1000/1700 ms

For Customer B
CUSTB2>p 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 692/1121/1388 ms

For Customer A
CUSTA1#ping 7.7.7.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 60 percent (5/5), round-trip min/avg/max = 792/1004/1228 ms

3 comments:

shivlu jain said...

Nice blog having good and useful information about MPLS.

richsd1 said...

Thanks shivlu.

Aaron said...

This is great stuff, Ric. I was working through a lab and couldn't quite get it working until I saw your configs here. Keep up the good work.