Tag Archives: MPLS

IPv6 over MPLS – 6PE/6VPE

Cisco, IPv6, MPLS, , ,
IPv6 over MPLS

We have a standard MPLS service provider network running with IPv4 IGP, LDP and MP-BGP. Now we want to connect customer’s IPv6 sites over MPLS service provider network. One option is to run IPv6 IGP, LDPv6 (LDP for IPv6 routes) and MP-BGP in service provider network. Currently LDPv6 is in draft stage.

Another approach is to maintain the MPLS network as it stands, but implement mechanisms on the PE routers that allow to transport IPv6 packets as normal labeled packets on the P routers. This is exactly what the 6PE and 6VPE solutions do.

Both 6PE and 6VPE exploit the fact that as long as a packet somehow can be forwarded along an LSP from ingress to egress PE, P routers do not care about anything but the transport label. When using a BGP route in an IPv4 MPLS VPN (or just IPv4 over MPLS), the top label is found by looking at the BGP next hop of the route. The ingress looks at this IPv4 next hop, finds the label associated with it, and by using this label, the packet will be forwarded to the egress PE.

The difference between 6PE and 6VPE is whether the IPv6 routes are in the global routing table or in VRFs. 6PE serves the same role as plain IPv4 over MPLS, and 6VPE is the equivalent of an MPLS VPN.

6PE Design
  • 6PE is defined in RFC4798
  • Service provider network is with IPv4 IGP, LDP and MP-BGP
  • Service provider core (P Routers) is BGP free and not running IPv6
  • PE routers are dual stack, running both IPv4 and IPv6
  • PE routers stores IPv6 routing information in global routing table from all IPv6 customers
6VPE Design
  • 6VPE is defined in RFC4659
  • Service provider network is with IPv4 IGP, LDP and MP-BGP
  • Service provider core is BGP free and not running IPv4
  • PE routers are dual stack, running both IPv4 and IPv6
  • PE routers stores IPv6 routing information in separate VRF for each IPv6 customer, providing MPLS VPN for IPv6

We will use following network topology to configure 6PE and 6VPE.

6PE Configuration
When using 6PE, a CE router is connected to an interface on the PE router, which is in the global IPv6 routing table. There is an MPLS network with BGP, an IGP and LDP between PE routers. The IGP and LDP only needs to be IPv4 capable. However, the BGP session need to be activated for the IPv6 unicast address family to make it possible to advertise IPv6 prefixes from PE to PE. Additionally, BGP needs to attach a label to each IPv6 prefix with the ‘send label’ command. 

R1 - PE1 Router

hostname R1
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 no ip address
 ipv6 address 2001:192:168:14::1/64
!
interface FastEthernet1/1
 no ip address
 ipv6 address 2001:172:16:15::1/64
!
router ospf 1
 router-id 10.1.0.1
!
router bgp 100
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.2 remote-as 100
 neighbor 10.1.0.2 update-source Loopback0
 neighbor 2001:172:16:15::5 remote-as 65005
 neighbor 2001:192:168:14::4 remote-as 65004
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  redistribute connected
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.2 send-label
  neighbor 2001:172:16:15::5 activate
  neighbor 2001:172:16:15::5 route-map CUST-XYZ out
  neighbor 2001:192:168:14::4 activate
  neighbor 2001:192:168:14::4 route-map CUST-ABC out
 exit-address-family
!
ipv6 prefix-list CUST-ABC seq 5 permit 2001:192::/32 le 64
!
ipv6 prefix-list CUST-XYZ seq 5 permit 2001:172::/32 le 64
!
route-map CUST-XYZ permit 10
 match ipv6 address prefix-list CUST-XYZ
!
route-map CUST-ABC permit 10
 match ipv6 address prefix-list CUST-ABC
!

R2 - PE2 Router

hostname R2
!
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.23.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 no ip address
 ipv6 address 2001:192:168:26::2/64
!
interface FastEthernet1/1
 no ip address
 ipv6 address 2001:172:16:27::2/64
!
router ospf 1
 router-id 10.1.0.2
!
router bgp 100
 bgp router-id 10.1.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.1 remote-as 100
 neighbor 10.1.0.1 update-source Loopback0
 neighbor 2001:172:16:27::7 remote-as 65007
 neighbor 2001:192:168:26::6 remote-as 65006
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  redistribute connected
  neighbor 10.1.0.1 activate
  neighbor 10.1.0.1 send-label
  neighbor 2001:172:16:27::7 activate
  neighbor 2001:172:16:27::7 route-map CUST-XYZ out
  neighbor 2001:192:168:26::6 activate
  neighbor 2001:192:168:26::6 route-map CUST-ABC out
 exit-address-family
!
ipv6 prefix-list CUST-ABC seq 5 permit 2001:192::/32 le 64
!
ipv6 prefix-list CUST-XYZ seq 5 permit 2001:172::/32 le 64
!
route-map CUST-XYZ permit 10
 match ipv6 address prefix-list CUST-XYZ
!
route-map CUST-ABC permit 10
 match ipv6 address prefix-list CUST-ABC
!

R3 - P Router

hostname R3
!
ip cef
!
interface Loopback0
 ip address 10.1.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.13.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.1.23.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.1.0.3
!

R4 - Customer ABC Site 1

hostname R4
!
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:192:168:14::4/64
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:192:168:4::4/64
!
router bgp 65004
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2001:192:168:14::1 remote-as 100
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  network 2001:192:168:4::/64
  neighbor 2001:192:168:14::1 activate
 exit-address-family
!

R5 - Customer XYZ Site 1

hostname R5
!
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:172:16:15::5/64
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:172:16:5::5/64
!
router bgp 65005
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2001:172:16:15::1 remote-as 100
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  network 2001:172:16:5::/64
  neighbor 2001:172:16:15::1 activate
 exit-address-family
!

R6 - Customer ABC Site 2

hostname R6
!
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:192:168:26::6/64
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:192:168:6::6/64
!
router bgp 65006
 bgp router-id 6.6.6.6
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2001:192:168:26::2 remote-as 100
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  network 2001:192:168:6::/64
  neighbor 2001:192:168:26::2 activate
 exit-address-family
!

R7 - Customer XYZ Site 2

hostname R7
!
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/0
 no ip address
 ipv6 address 2001:172:16:27::7/64
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:172:16:7::7/64
!
router bgp 65007
 bgp router-id 7.7.7.7
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2001:172:16:27::2 remote-as 100
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  network 2001:172:16:7::/64
  neighbor 2001:172:16:27::2 activate
 exit-address-family
!
Verification
PE Router BGP Peering

!! -- PE1 (R1) has IPv6 BGP+Label peering with PE2 (R2) -- !!
!! -- PE1 (R1) has IPv6 BGP peering with CE4 (R4) -- !!
!! -- PE1 (R1) has IPv6 BGP peering with CE5 (R5) -- !!

R1#show bgp ipv6 unicast summary 
BGP router identifier 10.1.0.1, local AS number 100
BGP table version is 9, main routing table version 9
8 network entries using 1376 bytes of memory
8 path entries using 704 bytes of memory
6/6 BGP path/bestpath attribute entries using 816 bytes of memory
4 BGP AS-PATH entries using 96 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2992 total bytes of memory
BGP activity 8/0 prefixes, 8/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.0.2        4          100     179     181        9    0    0 02:21:48        4
2001:172:16:15::5
                4        65005     161     178        9    0    0 02:22:05        1
2001:192:168:14::4
                4        65004     163     176        9    0    0 02:22:03        1

The PE1 router will receive IPv6 routes with a label and a next hop of ::FFFF:10.1.0.2. This next hop is an “IPv4-mapped IPv6 address” and it tells the router that if it were to use that IPv6 BGP route, it should use the transport label for the IPv4 address 10.1.0.2.

Similarly, PE2 router will receive IPv6 routes with a label and a next hop of ::FFFF:10.1.0.1.

R1#show bgp ipv6 unicast
BGP table version is 9, local router ID is 10.1.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  2001:172:16:5::/64
                       2001:172:16:15::5
                                                0             0 65005 i
 *>i 2001:172:16:7::/64
                       ::FFFF:10.1.0.2          0    100      0 65007 i
 *>  2001:172:16:15::/64
                       ::                       0         32768 ?
 *>i 2001:172:16:27::/64
                       ::FFFF:10.1.0.2          0    100      0 ?
 *>  2001:192:168:4::/64
                       2001:192:168:14::4
                                                0             0 65004 i
 *>i 2001:192:168:6::/64
                       ::FFFF:10.1.0.2          0    100      0 65006 i
 *>  2001:192:168:14::/64
                       ::                       0         32768 ?
 *>i 2001:192:168:26::/64
                       ::FFFF:10.1.0.2          0    100      0 ?

R2#show bgp ipv6 unicast summary
BGP router identifier 10.1.0.2, local AS number 100
BGP table version is 9, main routing table version 9
8 network entries using 1376 bytes of memory
8 path entries using 704 bytes of memory
6/6 BGP path/bestpath attribute entries using 816 bytes of memory
4 BGP AS-PATH entries using 96 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2992 total bytes of memory
BGP activity 8/0 prefixes, 8/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.0.1        4          100     183     181        9    0    0 02:23:38        4
2001:172:16:27::7
                4        65007     165     176        9    0    0 02:23:51        1
2001:192:168:26::6
                4        65006     163     175        9    0    0 02:23:50        1

R2#show bgp ipv6 unicast        
BGP table version is 9, local router ID is 10.1.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>i 2001:172:16:5::/64
                       ::FFFF:10.1.0.1          0    100      0 65005 i
 *>  2001:172:16:7::/64
                       2001:172:16:27::7
                                                0             0 65007 i
 *>i 2001:172:16:15::/64
                       ::FFFF:10.1.0.1          0    100      0 ?
 *>  2001:172:16:27::/64
                       ::                       0         32768 ?
 *>i 2001:192:168:4::/64
                       ::FFFF:10.1.0.1          0    100      0 65004 i
 *>  2001:192:168:6::/64
                       2001:192:168:26::6
                                                0             0 65006 i
 *>i 2001:192:168:14::/64
                       ::FFFF:10.1.0.1          0    100      0 ?
 *>  2001:192:168:26::/64
                       ::                       0         32768 ?

!! -- Verify BGP Label Assignments -- !!

R1#show bgp ipv6 unicast labels 
   Network          Next Hop      In label/Out label
   2001:172:16:5::/64
                    2001:172:16:15::5
                                    19/nolabel
   2001:172:16:7::/64
                    ::FFFF:10.1.0.2 nolabel/19
   2001:172:16:15::/64
                    ::              20/nolabel
   2001:172:16:27::/64
                    ::FFFF:10.1.0.2 nolabel/20
   2001:192:168:4::/64
                    2001:192:168:14::4
                                    22/nolabel
   2001:192:168:6::/64
                    ::FFFF:10.1.0.2 nolabel/22
   2001:192:168:14::/64
                    ::              21/nolabel
   2001:192:168:26::/64
                    ::FFFF:10.1.0.2 nolabel/21

R2#show bgp ipv6 unicast labels
   Network          Next Hop      In label/Out label
   2001:172:16:5::/64
                    ::FFFF:10.1.0.1 nolabel/19
   2001:172:16:7::/64
                    2001:172:16:27::7
                                    19/nolabel
   2001:172:16:15::/64
                    ::FFFF:10.1.0.1 nolabel/20
   2001:172:16:27::/64
                    ::              20/nolabel
   2001:192:168:4::/64
                    ::FFFF:10.1.0.1 nolabel/22
   2001:192:168:6::/64
                    2001:192:168:26::6
                                    22/nolabel
   2001:192:168:14::/64
                    ::FFFF:10.1.0.1 nolabel/21
   2001:192:168:26::/64
                    ::              21/nolabel

!! -- Customer ABC Site-2 LAN IPv6 network reachability from PE1-R1 via MPLS path -- !!

R1#show bgp ipv6 unicast 2001:192:168:6::/64
BGP routing table entry for 2001:192:168:6::/64, version 9
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     3         
  Refresh Epoch 5
  65006
    ::FFFF:10.1.0.2 (metric 3) from 10.1.0.2 (10.1.0.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      mpls labels in/out nolabel/22
R1#sh ipv6 cef 2001:192:168:6::/64 detail 
2001:192:168:6::/64, epoch 0, flags rib defined all labels
  recursive via 10.1.0.2 label 22
    nexthop 10.1.13.3 FastEthernet0/0 label 16

!! -- Ping/Traceroute from R4 Customer ABC Site-1 to Site-2 -- !!
!! -- via MPLS provider network -- !!

R4#show ipv6 route
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
C   2001:192:168:4::/64 [0/0]
     via FastEthernet0/1, directly connected
L   2001:192:168:4::4/128 [0/0]
     via FastEthernet0/1, receive
B   2001:192:168:6::/64 [20/0]
     via FE80::C803:31FF:FE5C:1C, FastEthernet0/0
C   2001:192:168:14::/64 [0/0]
     via FastEthernet0/0, directly connected
L   2001:192:168:14::4/128 [0/0]
     via FastEthernet0/0, receive
B   2001:192:168:26::/64 [20/0]
     via FE80::C803:31FF:FE5C:1C, FastEthernet0/0
L   FF00::/8 [0/0]
     via Null0, receive


R4#ping 2001:192:168:6::6 source 2001:192:168:4::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:192:168:6::6, timeout is 2 seconds:
Packet sent with a source address of 2001:192:168:4::4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/93/104 ms

R4#traceroute 
Protocol [ip]: ipv6
Target IPv6 address: 2001:192:168:6::6
Source address: 2001:192:168:4::4
Insert source routing header? [no]: 
Numeric display? [no]: 
Timeout in seconds [3]: 
Probe count [3]: 
Minimum Time to Live [1]: 
Maximum Time to Live [30]: 
Priority [0]: 
Port Number [0]: 
Type escape sequence to abort.
Tracing the route to 2001:192:168:6::6

  1 2001:192:168:14::1 [AS 100] 72 msec 44 msec 24 msec
  2 ::FFFF:10.1.13.3 [MPLS: Labels 16/22 Exp 0] 92 msec 88 msec 88 msec
  3 2001:192:168:26::2 [AS 100] [MPLS: Label 22 Exp 0] 76 msec 56 msec 68 msec
  4 2001:192:168:26::6 [AS 100] 92 msec 96 msec 88 msec
6VPE Configuration
!! -- Only PE routers configuration will be changed -- !!
!! -- CE facing interface on PE router will be in a VRF -- !!

R1 - PE1 Router

hostname R1
!
vrf definition CUST-ABC
 rd 100:1
 !
 address-family ipv6
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
vrf definition CUST-XYZ
 rd 100:2
 !
 address-family ipv6
  route-target export 100:2
  route-target import 100:2
 exit-address-family
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding CUST-ABC
 no ip address
 ipv6 address 2001:192:168:14::1/64
!
interface FastEthernet1/1
 vrf forwarding CUST-XYZ
 no ip address
 ipv6 address 2001:172:16:15::1/64
!
router ospf 1
 router-id 10.1.0.1
!
router bgp 100
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.2 remote-as 100
 neighbor 10.1.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv6
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.2 send-community extended
 exit-address-family
 !
 address-family ipv6 vrf CUST-ABC
  redistribute connected
  neighbor 2001:192:168:14::4 remote-as 65004
  neighbor 2001:192:168:14::4 activate
 exit-address-family
 !
 address-family ipv6 vrf CUST-XYZ
  redistribute connected
  neighbor 2001:172:16:15::5 remote-as 65005
  neighbor 2001:172:16:15::5 activate
 exit-address-family
!

R2 - PE2 Router

hostname R2
!
vrf definition CUST-ABC
 rd 100:1
 !
 address-family ipv6
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
vrf definition CUST-XYZ
 rd 100:2
 !
 address-family ipv6
  route-target export 100:2
  route-target import 100:2
 exit-address-family
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.23.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding CUST-ABC
 no ip address
 ipv6 address 2001:192:168:26::2/64
!
interface FastEthernet1/1
 vrf forwarding CUST-XYZ
 no ip address
 ipv6 address 2001:172:16:27::2/64
!
router ospf 1
 router-id 10.1.0.2
!
router bgp 100
 bgp router-id 10.1.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.1 remote-as 100
 neighbor 10.1.0.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv6
  neighbor 10.1.0.1 activate
  neighbor 10.1.0.1 send-community extended
 exit-address-family
 !
 address-family ipv6 vrf CUST-ABC
  redistribute connected
  neighbor 2001:192:168:26::6 remote-as 65006
  neighbor 2001:192:168:26::6 activate
 exit-address-family
 !
 address-family ipv6 vrf CUST-XYZ
  redistribute connected
  neighbor 2001:172:16:27::7 remote-as 65007
  neighbor 2001:172:16:27::7 activate
 exit-address-family
!
Verification
!! -- VRF status on PE Routers -- !!

R1#show vrf 
  Name                             Default RD          Protocols   Interfaces
  CUST-ABC                         100:1               ipv6        Fa1/0
  CUST-XYZ                         100:2               ipv6        Fa1/1

R2#show vrf 
  Name                             Default RD          Protocols   Interfaces
  CUST-ABC                         100:1               ipv6        Fa1/0
  CUST-XYZ                         100:2               ipv6        Fa1/1

!! -- BGP Peering on PE Routers -- !!
R1#show bgp vpnv6 unicast all summary 
BGP router identifier 10.1.0.1, local AS number 100
BGP table version is 13, main routing table version 13
8 network entries using 1536 bytes of memory
8 path entries using 736 bytes of memory
10/8 BGP path/bestpath attribute entries using 1440 bytes of memory
4 BGP AS-PATH entries using 96 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3856 total bytes of memory
BGP activity 16/8 prefixes, 16/8 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.0.2        4          100      28      29       13    0    0 00:19:42        4
2001:172:16:15::5
                4        65005      29      30       13    0    0 00:22:35        1
2001:192:168:14::4
                4        65004      30      32       13    0    0 00:23:04        1

R2#show bgp vpnv6 unicast all summary 
BGP router identifier 10.1.0.2, local AS number 100
BGP table version is 13, main routing table version 13
8 network entries using 1536 bytes of memory
8 path entries using 736 bytes of memory
10/8 BGP path/bestpath attribute entries using 1440 bytes of memory
4 BGP AS-PATH entries using 96 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3856 total bytes of memory
BGP activity 8/0 prefixes, 8/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.0.1        4          100      30      28       13    0    0 00:19:57        4
2001:172:16:27::7
                4        65007      25      28       13    0    0 00:18:58        1
2001:192:168:26::6
                4        65006      26      27       13    0    0 00:19:23        1

!! -- BGP Table on PE Routers -- !!

R1#show bgp vpnv6 unicast all
BGP table version is 13, local router ID is 10.1.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUST-ABC)
 *>  2001:192:168:4::/64
                       2001:192:168:14::4
                                                0             0 65004 i
 *>i 2001:192:168:6::/64
                       ::FFFF:10.1.0.2          0    100      0 65006 i
 *>  2001:192:168:14::/64
                       ::                       0         32768 ?
 *>i 2001:192:168:26::/64
                       ::FFFF:10.1.0.2          0    100      0 ?
Route Distinguisher: 100:2 (default for vrf CUST-XYZ)
 *>  2001:172:16:5::/64
                       2001:172:16:15::5
                                                0             0 65005 i
 *>i 2001:172:16:7::/64
                       ::FFFF:10.1.0.2          0    100      0 65007 i
 *>  2001:172:16:15::/64
                       ::                       0         32768 ?
 *>i 2001:172:16:27::/64
                       ::FFFF:10.1.0.2          0    100      0 ?

R2#show bgp vpnv6 unicast all
BGP table version is 13, local router ID is 10.1.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUST-ABC)
 *>i 2001:192:168:4::/64
                       ::FFFF:10.1.0.1          0    100      0 65004 i
 *>  2001:192:168:6::/64
                       2001:192:168:26::6
                                                0             0 65006 i
 *>i 2001:192:168:14::/64
                       ::FFFF:10.1.0.1          0    100      0 ?
 *>  2001:192:168:26::/64
                       ::                       0         32768 ?
Route Distinguisher: 100:2 (default for vrf CUST-XYZ)
 *>i 2001:172:16:5::/64
                       ::FFFF:10.1.0.1          0    100      0 65005 i
 *>  2001:172:16:7::/64
                       2001:172:16:27::7
                                                0             0 65007 i
 *>i 2001:172:16:15::/64
                       ::FFFF:10.1.0.1          0    100      0 ?
 *>  2001:172:16:27::/64
                       ::                       0         32768 ?

!! -- Customer IPv6 routes are not in Global RIB -- !!

R1#show ipv6 route
IPv6 Routing Table - default - 1 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
L   FF00::/8 [0/0]
     via Null0, receive

R2#show ipv6 route
IPv6 Routing Table - default - 1 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       H - NHRP, I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
       IS - ISIS summary, D - EIGRP, EX - EIGRP external, NM - NEMO
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
L   FF00::/8 [0/0]
     via Null0, receive

!! -- MPLS VPN Labels on PE Routers -- !!

R1#sh mpls forwarding-table vrf CUST-ABC
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
23         No Label   2001:192:168:14::/64[V]   \
                                       0             aggregate/CUST-ABC 
24         No Label   2001:192:168:4::/64[V]   \
                                       1922          Fa1/0      FE80::C805:19FF:FEAC:8

R1#sh mpls forwarding-table vrf CUST-XYZ
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
25         No Label   2001:172:16:15::/64[V]   \
                                       0             aggregate/CUST-XYZ 
26         No Label   2001:172:16:5::/64[V]   \
                                       0             Fa1/1      FE80::C800:17FF:FE58:8

R2#sh mpls forwarding-table vrf CUST-ABC
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
19         No Label   2001:192:168:26::/64[V]   \
                                       0             aggregate/CUST-ABC 
20         No Label   2001:192:168:6::/64[V]   \
                                       1374          Fa1/0      FE80::C801:17FF:FE58:8
  
R2#sh mpls forwarding-table vrf CUST-XYZ
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
21         No Label   2001:172:16:7::/64[V]   \
                                       0             Fa1/1      FE80::C802:2BFF:FEF0:8
22         No Label   2001:172:16:27::/64[V]   \
                                       0             aggregate/CUST-XYZ 

!! -- Customer ABC Site-2 LAN IPv6 network reachability from PE1 -- !!

R1#show bgp vpnv6 unicast all 2001:192:168:6::/64        
BGP routing table entry for [100:1]2001:192:168:6::/64, version 7
Paths: (1 available, best #1, table CUST-ABC)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  65006
    ::FFFF:10.1.0.2 (metric 3) from 10.1.0.2 (10.1.0.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:100:1
      mpls labels in/out nolabel/20   <<<<< VPN Label

R1#show ipv6 cef vrf CUST-ABC 2001:192:168:6::/64 detail 
2001:192:168:6::/64, epoch 0, flags rib defined all labels
  recursive via 10.1.0.2 label 20    
    nexthop 10.1.13.3 FastEthernet0/0 label 16   <<<<< Transport Label

!! -- Ping/Traceroute from Customer ABC Site 1 to Site 2 LAN --!!

R4#ping 2001:192:168:6::6 source 2001:192:168:4::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:192:168:6::6, timeout is 2 seconds:
Packet sent with a source address of 2001:192:168:4::4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/129/136 ms

R4#traceroute 
Protocol [ip]: ipv6
Target IPv6 address: 2001:192:168:6::6
Source address: 2001:192:168:4::4
Insert source routing header? [no]: 
Numeric display? [no]: 
Timeout in seconds [3]: 
Probe count [3]: 
Minimum Time to Live [1]: 
Maximum Time to Live [30]: 
Priority [0]: 
Port Number [0]: 
Type escape sequence to abort.
Tracing the route to 2001:192:168:6::6

  1 2001:192:168:14::1 [AS 100] 44 msec 40 msec 36 msec
  2 ::FFFF:10.1.13.3 [MPLS: Labels 16/20 Exp 0] 120 msec 136 msec 132 msec
  3  * 
    2001:192:168:26::2 108 msec 104 msec
  4 2001:192:168:26::6 [AS 100] 136 msec 128 msec 132 msec

*VPN Label = 20
*Transport Label = 16

 

2547oDMVPN – MPLS over DMVPN

DMVPN, MPLS, , , ,
2547oDMVPN – MPLS over DMVPN

BGP/MPLS VPN was initially defined in RFC2547, which was later obsoleted by RFC4367 and updated by some other RFCs.

2547oDMVPN is also known as MPLS VPN over DMVPN. This solution extends MPLS VPN to the branches. The branches in this deployment are connected to the hub through a Layer 3 SP service, a tunneled model using GRE is needed to extend MPLS to the branches. DMVPN provides two key advantages for extending MPLS VPNs to the branches, bulk encryption and a scalable overlay model. DMVPN allows the hub to have a single multipoint GRE tunnel interface to support large numbers of spokes. Cisco recommends that to seamlessly extend the enterprise MPLS Layer3 VPN network to the remote branches(Spokes), the DMVPN hub should be a P device to label switching packets between the hub and the branches.

The MPLS network requires packets to be label switched all the way between source PEs and destination PEs. Running MPLS over DMVPN tunnels makes the remote branch router a full function PE router, which means label imposition is done in the branch router and label switching must be performed all the way between spokes. This requirement make the direct spoke-spoke communication impossible due to the lack of a label allocation mechanism on the dynamically created spoke-spoke tunnels. However, label switching between spoke PE routers can easily be done if spoke-hub-spoke switching path is implemented. With this approach, the hub router act as a MPLS P router, maintains the LDP neighbor relationship, and exchanges label allocation information with all spoke routers. The hub router label switches the packets in-and-out the mGRE interface between the spokes. So we have to use DMVPN Phase 1 design for this deployment, where spoke-to-spoke traffic traverse the hub.

While this solution breaks the benefit of dynamically building spoke-to-spoke tunnels, it provides an acceptable and often more deterministic path for spoke-to-spoke communications and meets the segmentation requirement. It is a very attractive solution when the large enterprise needs to extend their MPLS-segmented data center or large campus to remote branches.

We will use following network topology for this discussion.

Configuration
R1 - PE1 Router

hostname R1
!
vrf definition CUST-ABC
 rd 100:65001
 !
 address-family ipv4
  route-target export 100:65001
  route-target import 100:65001
 exit-address-family
!
vrf definition CUST-XYZ
 rd 100:65002
 !
 address-family ipv4
  route-target export 100:65002
  route-target import 100:65002
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.10.14.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding CUST-ABC
 ip address 172.16.18.1 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding CUST-XYZ
 ip address 172.16.19.1 255.255.255.0
!
router ospf 1
 router-id 10.0.0.1
!
router bgp 100
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.0.0.4 remote-as 100
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-ABC
  redistribute connected
  neighbor 172.16.18.8 remote-as 65001
  neighbor 172.16.18.8 activate
  neighbor 172.16.18.8 as-override
 exit-address-family
 !
 address-family ipv4 vrf CUST-XYZ
  redistribute connected
  neighbor 172.16.19.9 remote-as 65002
  neighbor 172.16.19.9 activate
  neighbor 172.16.19.9 as-override
 exit-address-family
!

R2 - PE2 Router (DMVPN Spoke)

hostname R2
!
vrf definition CUST-ABC
 rd 100:65001
 !
 address-family ipv4
  route-target export 100:65001
  route-target import 100:65001
 exit-address-family
!
vrf definition CUST-XYZ
 rd 100:65002
 !
 address-family ipv4
  route-target export 100:65002
  route-target import 100:65002
 exit-address-family
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 bandwidth 4096
 ip address 10.10.236.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.67.6
 ip nhrp map 10.10.236.6 1.1.67.6
 ip nhrp network-id 100
 ip nhrp nhs 10.10.236.6
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 mpls ip
 tunnel source FastEthernet0/0
 tunnel destination 1.1.67.6
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.27.2 255.255.255.0
!
interface FastEthernet1/0
 vrf forwarding CUST-ABC
 ip address 172.16.210.2 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding CUST-XYZ
 ip address 172.16.211.2 255.255.255.0
!
router ospf 1
 router-id 10.0.0.2
!
router bgp 100
 bgp router-id 10.0.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.0.0.4 remote-as 100
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-ABC
  redistribute connected
  neighbor 172.16.210.10 remote-as 65001
  neighbor 172.16.210.10 activate
  neighbor 172.16.210.10 as-override
 exit-address-family
 !
 address-family ipv4 vrf CUST-XYZ
  redistribute connected
  neighbor 172.16.211.11 remote-as 65002
  neighbor 172.16.211.11 activate
  neighbor 172.16.211.11 as-override
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 1.1.27.7


R3 - PE3 Router (DMVPN Spoke)

hostname R3
!
vrf definition CUST-ABC
 rd 100:65001
 !
 address-family ipv4
  route-target export 100:65001
  route-target import 100:65001
 exit-address-family
!
vrf definition CUST-XYZ
 rd 100:65002
 !
 address-family ipv4
  route-target export 100:65002
  route-target import 100:65002
 exit-address-family
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Loopback0
 ip address 10.0.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 bandwidth 4096
 ip address 10.10.236.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast 1.1.67.6
 ip nhrp map 10.10.236.6 1.1.67.6
 ip nhrp network-id 100
 ip nhrp nhs 10.10.236.6
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 mpls ip
 tunnel source FastEthernet0/0
 tunnel destination 1.1.67.6
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 1.1.37.3 255.255.255.0
!
interface FastEthernet1/0
 vrf forwarding CUST-ABC
 ip address 172.16.123.3 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding CUST-XYZ
 ip address 172.16.133.3 255.255.255.0
!
router ospf 1
 router-id 10.0.0.3
!
router bgp 100
 bgp router-id 10.0.0.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.0.0.4 remote-as 100
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CUST-ABC
  redistribute connected
  neighbor 172.16.123.12 remote-as 65001
  neighbor 172.16.123.12 activate
  neighbor 172.16.123.12 as-override
 exit-address-family
 !
 address-family ipv4 vrf CUST-XYZ
  redistribute connected
  neighbor 172.16.133.13 remote-as 65002
  neighbor 172.16.133.13 activate
  neighbor 172.16.133.13 as-override
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 1.1.37.7

R4 - P Router / BGP VPNv4 Route Reflector

hostname R4
!
ip cef
!
interface Loopback0
 ip address 10.0.0.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.10.14.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.10.45.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.0.0.4
!
router bgp 100
 bgp router-id 10.0.0.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor RR-CLIENTS peer-group
 neighbor RR-CLIENTS remote-as 100
 neighbor RR-CLIENTS update-source Loopback0
 neighbor 10.0.0.1 peer-group RR-CLIENTS
 neighbor 10.0.0.2 peer-group RR-CLIENTS
 neighbor 10.0.0.3 peer-group RR-CLIENTS
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor RR-CLIENTS send-community extended
  neighbor RR-CLIENTS route-reflector-client
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.3 activate
 exit-address-family
!

R5 - P Router

hostname R5
!
ip cef
!
interface Loopback0
 ip address 10.0.0.5 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.10.15.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 10.10.45.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 ip address 10.10.56.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.0.0.5
!

R6 - P Router / DMVPN HUB

hostname R6
!
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key DmVpNpR3$h@r3dK3Y address 0.0.0.0        
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile PROTECT-GRE
 set transform-set TRANSFORM-SET 
!
interface Loopback0
 ip address 10.0.0.6 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 bandwidth 4096
 ip address 10.10.236.6 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhRp@UtH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf hello-interval 10
 ip ospf 1 area 0
 mpls ip
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile PROTECT-GRE
!
interface FastEthernet0/0
 ip address 10.10.56.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 description To INTERNET
 ip address 1.1.67.6 255.255.255.0
!
router ospf 1
 router-id 10.0.0.6
!
ip route 0.0.0.0 0.0.0.0 1.1.67.7


R7 - Internet Router

hostname R7
!
interface FastEthernet0/0
 ip address 1.1.27.7 255.255.255.0
!
interface FastEthernet0/1
 ip address 1.1.37.7 255.255.255.0
!
interface FastEthernet1/0
 ip address 1.1.67.7 255.255.255.0
!

R8 - Customer ABC Site-1

hostname R8
!
interface FastEthernet0/0
 ip address 172.16.18.8 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
!
router bgp 65001
 no synchronization
 bgp router-id 172.16.18.8
 bgp log-neighbor-changes
 network 192.168.10.0
 neighbor 172.16.18.1 remote-as 100
 no auto-summary
!

R9 - Customer XYZ Site-1

hostname R9
!
interface FastEthernet0/0
 ip address 172.16.19.9 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
!
router bgp 65002
 no synchronization
 bgp router-id 172.16.19.9
 bgp log-neighbor-changes
 network 192.168.10.0
 neighbor 172.16.19.1 remote-as 100
 no auto-summary
!
R10 - Customer ABC Site-2

hostname R10
!
interface FastEthernet0/0
 ip address 172.16.210.10 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
!
router bgp 65001
 no synchronization
 bgp router-id 172.16.210.10
 bgp log-neighbor-changes
 network 192.168.20.0
 neighbor 172.16.210.2 remote-as 100
 no auto-summary
!

R11 - Customer XYZ Site-2

hostname R11
!
interface FastEthernet0/0
 ip address 172.16.211.11 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
!
router bgp 65002
 no synchronization
 bgp router-id 172.16.211.11
 bgp log-neighbor-changes
 network 192.168.20.0
 neighbor 172.16.211.2 remote-as 100
 no auto-summary
!

R12 - Customer ABC Site-3

hostname R12
!
interface FastEthernet0/0
 ip address 172.16.123.12 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
!
router bgp 65001
 no synchronization
 bgp router-id 172.16.123.12
 bgp log-neighbor-changes
 network 192.168.30.0
 neighbor 172.16.123.3 remote-as 100
 no auto-summary
!

R13 - Customer XYZ Site-3

hostname R13
!
interface FastEthernet0/0
 ip address 172.16.133.13 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
!
router bgp 65002
 no synchronization
 bgp router-id 172.16.133.13
 bgp log-neighbor-changes
 network 192.168.30.0
 neighbor 172.16.133.3 remote-as 100
 no auto-summary
!
Verification
# Verify DMVPN

!! -- DMVPN HUB - P Router -- !!
R6#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Hub, NHRP Peers:2, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.27.2            10.10.236.2    UP 00:05:14     D
     1 1.1.37.3            10.10.236.3    UP 00:05:10     D

!! -- DMVPN Spoke - PE2 Router -- !!
R2#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.67.6            10.10.236.6    UP 00:09:22     S

!! -- DMVPN Spoke - R3 PE3 Router -- !!
R3#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
======================================================================
Interface: Tunnel0, IPv4 NHRP Details 
Type:Spoke, NHRP Peers:1, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 1.1.67.6            10.10.236.6    UP 00:10:28     S

# Verify BGP VPNv4 Peering 

!! -- BGP VPNv4 Route Reflector -- !!
R4#show bgp vpnv4 unicast all summary 
BGP router identifier 10.0.0.4, local AS number 100
BGP table version is 13, main routing table version 13
12 network entries using 2016 bytes of memory
12 path entries using 768 bytes of memory
4/4 BGP path/bestpath attribute entries using 576 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3456 total bytes of memory
BGP activity 12/0 prefixes, 12/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4          100      19      27       13    0    0 00:11:49        4
10.0.0.2        4          100      19      27       13    0    0 00:11:36        4
10.0.0.3        4          100      19      27       13    0    0 00:11:33        4

# Verify network reachability b/w Customer ABC Sites

!! -- Customer ABC Site-1 -- !!
R8#show ip route | beg Gate
Gateway of last resort is not set

B    192.168.30.0/24 [20/0] via 172.16.18.1, 00:13:03
C    192.168.10.0/24 is directly connected, FastEthernet0/1
     172.16.0.0/24 is subnetted, 3 subnets
B       172.16.210.0 [20/0] via 172.16.18.1, 00:13:03
C       172.16.18.0 is directly connected, FastEthernet0/0
B       172.16.123.0 [20/0] via 172.16.18.1, 00:13:03
B    192.168.20.0/24 [20/0] via 172.16.18.1, 00:13:03

!! -- Customer ABC Site-2 -- !!
R10#show ip route | beg Gate
Gateway of last resort is not set

B    192.168.30.0/24 [20/0] via 172.16.210.2, 00:13:37
B    192.168.10.0/24 [20/0] via 172.16.210.2, 00:13:37
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.210.0 is directly connected, FastEthernet0/0
B       172.16.18.0 [20/0] via 172.16.210.2, 00:13:37
B       172.16.123.0 [20/0] via 172.16.210.2, 00:13:37
C    192.168.20.0/24 is directly connected, FastEthernet0/1

!! -- Customer ABC Site-3 -- !!
R12#show ip route | beg Gate
Gateway of last resort is not set

C    192.168.30.0/24 is directly connected, FastEthernet0/1
B    192.168.10.0/24 [20/0] via 172.16.123.3, 00:14:05
     172.16.0.0/24 is subnetted, 3 subnets
B       172.16.210.0 [20/0] via 172.16.123.3, 00:14:05
B       172.16.18.0 [20/0] via 172.16.123.3, 00:14:05
C       172.16.123.0 is directly connected, FastEthernet0/0
B    192.168.20.0/24 [20/0] via 172.16.123.3, 00:14:05

!! -- Traffic b/w Customer ABC Site 1 & Site 2 -- !!

R8#ping 192.168.20.1 source 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/264/296 ms

R8#traceroute 192.168.20.1 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.20.1

  1 172.16.18.1 64 msec 96 msec 64 msec
  2 10.10.15.5 [MPLS: Labels 22/27 Exp 0] 260 msec 292 msec 256 msec
  3 10.10.56.6 [MPLS: Labels 22/27 Exp 0] 248 msec 284 msec 276 msec
  4 172.16.210.2 [AS 100] [MPLS: Label 27 Exp 0] 300 msec 292 msec 260 msec
  5 172.16.210.10 [AS 100] 292 msec *  236 msec


!! -- Traffic b/w Customer ABC Site 1 & Site 3 -- !!

R8#ping 192.168.30.1 source 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 224/257/288 ms

R8#traceroute 192.168.30.1 source 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1

  1 172.16.18.1 76 msec 80 msec 80 msec
  2 10.10.15.5 [MPLS: Labels 21/27 Exp 0] 256 msec 292 msec 328 msec
  3 10.10.56.6 [MPLS: Labels 23/27 Exp 0] 320 msec 316 msec 308 msec
  4 172.16.123.3 [AS 100] [MPLS: Label 27 Exp 0] 264 msec 380 msec 320 msec
  5 172.16.123.12 [AS 100] 244 msec *  260 msec


!! -- Traffic b/w Customer ABC Site 2 & Site 3 -- !!
!! -- This traffic is routed via MPLS over DMVPN --!!

R10#ping 192.168.30.1 source 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 268/320/356 ms

R10#traceroute 192.168.30.1 source 192.168.20.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1

  1 172.16.210.2 72 msec 84 msec 40 msec
  2 10.10.236.6 [MPLS: Labels 23/27 Exp 0] 404 msec 372 msec 428 msec
  3 172.16.123.3 [AS 100] [MPLS: Label 27 Exp 0] 352 msec 340 msec 428 msec
  4 172.16.123.12 [AS 100] 396 msec *  412 msec

## How it is routed inside MPLS Network? 

- R2/PE router shows it is reachable via next-hop 10.0.0.3
- R2/PE router has received this update from Route Reflector 10.0.0.4
- MPLS VPN label is 27

R2#show ip route vrf CUST-ABC 192.168.30.0

Routing Table: CUST-ABC
Routing entry for 192.168.30.0/24
  Known via "bgp 100", distance 200, metric 0
  Tag 65001, type internal
  Last update from 10.0.0.3 00:22:01 ago
  Routing Descriptor Blocks:
  * 10.0.0.3 (default), from 10.0.0.4, 00:22:01 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65001
      MPLS label: 27
      MPLS Flags: MPLS Required

- The next-hop IP 10.0.0.3 is reachable via Tunnel0 and MPLS label 23
- You can see this label in above traceroute output from R10 also.
- This traffic will go over DMVPN Tunnel to next-hop IP 10.10.236.6, which is DMVPN Hub Tunnel IP

R2#show ip route 10.0.0.3
Routing entry for 10.0.0.3/32
  Known via "ospf 1", distance 110, metric 49, type intra area
  Last update from 10.10.236.6 on Tunnel0, 00:33:19 ago
  Routing Descriptor Blocks:
  * 10.10.236.6, from 10.0.0.3, 00:33:19 ago, via Tunnel0
      Route metric is 49, traffic share count is 1

R2#show mpls forwarding-table 10.0.0.3        
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
17         23         10.0.0.3/32      0             Tu0        point2point 

R2#show ip cef 10.0.0.3 detail 
10.0.0.3/32, epoch 0
  local label info: global/17
  1 RR source [no flags]
  nexthop 10.10.236.6 Tunnel0 label 23

- R6/P router don't have visibility to customer network.
- It just forward packets based on MPLS labels assigned to BGP source IPs of PE Routers
- R6 will "pop(remove)" the MPLS label and forward this packet to next-hop IP 10.10.236.3 (DMVPN Spoke R3 Tunnel IP).

R6#show ip route 192.168.30.0
% Network not in table

R6#show ip route 10.0.0.3
Routing entry for 10.0.0.3/32
  Known via "ospf 1", distance 110, metric 25, type intra area
  Last update from 10.10.236.3 on Tunnel0, 00:37:24 ago
  Routing Descriptor Blocks:
  * 10.10.236.3, from 10.0.0.3, 00:37:24 ago, via Tunnel0
      Route metric is 25, traffic share count is 1

R6#show mpls forwarding-table 10.0.0.3
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
23         Pop Label  10.0.0.3/32      13312         Tu0        10.10.236.3 

R6#show ip cef 10.0.0.3 detail 
10.0.0.3/32, epoch 0
  local label info: global/23
  nexthop 10.10.236.3 Tunnel0

- R3/PE router shows this remote site network is reachable via BGP from 172.16.123.12 (Cust-ABC Site-3 R12 Router)

R3#show ip route vrf CUST-ABC 192.168.30.0

Routing Table: CUST-ABC
Routing entry for 192.168.30.0/24
  Known via "bgp 100", distance 20, metric 0
  Tag 65001, type external
  Last update from 172.16.123.12 00:42:02 ago
  Routing Descriptor Blocks:
  * 172.16.123.12, from 172.16.123.12, 00:42:02 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65001
      MPLS label: none

 

 

MPLS L3VPN Inter-AS Option B

MPLS, , ,

MPLS L3VPN Inter-AS Option B aka MPLS VPN Inter-AS with ASBRs Exchanging VPN-IPv4 Addresses, is similar to the previous Option A example with the exception that the Inter-AS link runs a single VPNv4 EBGP peering instead of multiple VRF aware IGP or BGP instances.

In this procedure, the PE routers use IBGP to redistribute labeled VPN-IPv4 routes either to an Autonomous System Border Router (ASBR), or to a route reflector of which an ASBR is a client.  The ASBR then uses EBGP to redistribute those labeled VPN-IPv4 routes to an ASBR in another AS, which in turn distributes them to the PE routers in that AS, or perhaps to another ASBR which in turn distributes them, and so on.

We will use following network topology to discuss this feature.

mpls-interas-optB

PE-CE Configuration with ISP-1
R7 (CE Router) - Customer A Site 1

## EIGRP is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 192.168.47.7 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.7.7 255.255.255.0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255

R8 (CE Router) - Customer B Site 1

## OSPF is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 172.16.48.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 172.16.8.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 172.16.8.8

R4 (PE Router) - ISP 1

vrf definition Cust-A
 rd 101:201
 !
 address-family ipv4
  route-target export 101:201
  route-target import 101:201
 exit-address-family
!
vrf definition Cust-B
 rd 102:202
 !        
 address-family ipv4
  route-target export 102:202
  route-target import 102:202
 exit-address-family
!
interface Loopback0
 ip address 1.1.0.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 1.1.34.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding Cust-A
 ip address 192.168.47.4 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding Cust-B
 ip address 172.16.48.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 100 area 0
!
router eigrp 1
 !
 address-family ipv4 vrf Cust-A autonomous-system 100
  default-metric 10000 100 255 1 1500
  redistribute bgp 100
  network 192.168.47.0
 exit-address-family
!
router ospf 100 vrf Cust-B
 router-id 172.16.48.4
 redistribute bgp 100 subnets
!
router ospf 1
 router-id 1.1.0.4
!
router bgp 100
 bgp router-id 1.1.0.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.0.1 remote-as 100
 neighbor 1.1.0.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.0.1 activate
  neighbor 1.1.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  redistribute connected
  redistribute eigrp 100
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  redistribute connected
  redistribute ospf 100 match internal external 1 external 2
 exit-address-family
!    

R3 (P Router) - ISP 1

interface Loopback0
 ip address 1.1.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.13.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 1.1.34.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip  
!
router ospf 1
 router-id 1.1.0.3
!     

R1 (PE Router) - ISP 1 - ASBR connected to ISP 2

interface Loopback0
 ip address 1.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 12.12.12.1 255.255.255.0
 mpls bgp forwarding
!
router ospf 1
 router-id 1.1.0.1
!
router bgp 100
 bgp router-id 1.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 neighbor 1.1.0.4 remote-as 100
 neighbor 1.1.0.4 update-source Loopback0
 neighbor 12.12.12.2 remote-as 200
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.0.4 activate
  neighbor 1.1.0.4 send-community extended
  neighbor 1.1.0.4 next-hop-self
  neighbor 12.12.12.2 activate
  neighbor 12.12.12.2 send-community extended
 exit-address-family
!
PE-CE Configuration with ISP-2

Option B’s VPNv4 EBGP peering between the providers means that the VPNv4 Route Distinguisher and Route Target fields have global significance between the MPLS Service Providers.

R1(config-if)#router bgp 100
R1(config-router)#neighbor 12.12.12.2 remote-as 200
R1(config-router)#address-family vpnv4
R1(config-router-af)#neighbor 12.12.12.2 activate
R1(config-router-af)#
*Sep  1 21:48:01.247: %BGP-5-ADJCHANGE: neighbor 12.12.12.2 Up 
*Sep  1 21:48:01.251: RT: updating connected 12.12.12.2/32 (0x0):
    via 0.0.0.0 Fa0/1  1048578

*Sep  1 21:48:01.259: RT: add 12.12.12.2/32 via 0.0.0.0, connected metric [0/0]
R1(config-router-af)#
*Sep  1 21:48:01.459: %BGP_LMM-6-AUTOGEN1: The mpls bgp forwarding command has been configured on interface: FastEthernet0/1
R1(config-router-af)#

 

PE Routers R4 and R6 in both ISP-1 and ISP-2 respectively are configured with same Route Distinguisher and Route Target for Customer A & Customer B as agreed between both MPLS providers.

vrf definition Cust-A
 rd 101:201
 !
 address-family ipv4
  route-target export 101:201
  route-target import 101:201
 exit-address-family
!
vrf definition Cust-B
 rd 102:202
 !        
 address-family ipv4
  route-target export 102:202
  route-target import 102:202
 exit-address-family

R2 (PE Router) - ISP 2 - ASBR connected to ISP 1

interface Loopback0
 ip address 2.2.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 2.2.25.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 12.12.12.2 255.255.255.0
 mpls bgp forwarding
!
router ospf 1
 router-id 2.2.0.2
!
router bgp 200
 bgp router-id 2.2.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 neighbor 2.2.0.6 remote-as 200
 neighbor 2.2.0.6 update-source Loopback0
 neighbor 12.12.12.1 remote-as 100
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.0.6 activate
  neighbor 2.2.0.6 send-community extended
  neighbor 2.2.0.6 next-hop-self
  neighbor 12.12.12.1 activate
  neighbor 12.12.12.1 send-community extended
 exit-address-family
!

R5 (P Router) - ISP 2

interface Loopback0
 ip address 2.2.0.5 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 2.2.25.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 2.2.56.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip  
!
router ospf 1
 router-id 2.2.0.5

R6 (PE Router) - ISP 2

vrf definition Cust-A
 rd 101:201
 !
 address-family ipv4
  route-target export 101:201
  route-target import 101:201
 exit-address-family
!
vrf definition Cust-B
 rd 102:202
 !        
 address-family ipv4
  route-target export 102:202
  route-target import 102:202
 exit-address-family
!
interface Loopback0
 ip address 2.2.0.6 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 2.2.56.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding Cust-A
 ip address 192.168.69.6 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding Cust-B
 ip address 172.16.106.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 200 area 0
!
!
router eigrp 1
 !
 address-family ipv4 vrf Cust-A autonomous-system 100
  default-metric 10000 100 255 1 1500
  redistribute bgp 200
  network 192.168.69.0
 exit-address-family
!
router ospf 200 vrf Cust-B
 router-id 172.16.106.6
 redistribute bgp 200 subnets
!
router ospf 1
!
router bgp 200
 bgp router-id 2.2.0.6
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.0.2 remote-as 200
 neighbor 2.2.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.0.2 activate
  neighbor 2.2.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  redistribute connected
  redistribute eigrp 100
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  redistribute connected
  redistribute ospf 200 match internal external 1 external 2
 exit-address-family
!

R9 (CE Router) - Customer A Site 2

## EIGRP is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 192.168.69.9 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.9.9 255.255.255.0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255

R10 (CE Router) - Customer B Site 2

## OSPF is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 172.16.106.10 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 172.16.10.10 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 172.16.10.10
Verification & Testing
R7#sh ip route | beg Gateway
Gateway of last resort is not set

      192.168.7.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.7.0/24 is directly connected, FastEthernet0/1
L        192.168.7.7/32 is directly connected, FastEthernet0/1
D     192.168.9.0/24 [90/33280] via 192.168.47.4, 00:46:10, FastEthernet0/0
      192.168.47.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.47.0/24 is directly connected, FastEthernet0/0
L        192.168.47.7/32 is directly connected, FastEthernet0/0
D     192.168.69.0/24 [90/30720] via 192.168.47.4, 00:46:10, FastEthernet0/0

Ping Customer-A Site 2 network

R7#ping 192.168.9.9 source 192.168.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.9, timeout is 2 seconds:
Packet sent with a source address of 192.168.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 232/240/248 ms

Traceroute Customer-A Site 2 network

R7#traceroute 192.168.9.9 source 192.168.7.7
Type escape sequence to abort.
Tracing the route to 192.168.9.9
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.47.4 28 msec 60 msec 56 msec
  2 1.1.34.3 [MPLS: Labels 302/109 Exp 0] 220 msec 208 msec 260 msec
  3 1.1.13.1 [MPLS: Label 109 Exp 0] 232 msec 240 msec 208 msec
  4 12.12.12.2 [MPLS: Label 206 Exp 0] 200 msec 256 msec 200 msec
  5 2.2.25.5 [MPLS: Labels 502/604 Exp 0] 196 msec 260 msec 244 msec
  6 192.168.69.6 [MPLS: Label 604 Exp 0] 208 msec 184 msec 228 msec
  7 192.168.69.9 256 msec *  204 msec

We can see from the above output there are three different LSP (Label Switch Path) are being used to provide end-to-end reachability.

LSP-1: From R4 to R1 using VPN Label 109

R4#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 101:201:192.168.9.0/24, version 10
Paths: (1 available, best #1, table Cust-A)
  Not advertised to any peer
  Refresh Epoch 1
  200
    1.1.0.1 (metric 3) from 1.1.0.1 (1.1.0.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:101:201 0x8800:32768:0 0x8801:100:5120 
        0x8802:65281:25600 0x8803:65281:1500 0x8806:0:3232253193
      mpls labels in/out nolabel/109
      rx pathid: 0, tx pathid: 0x0

LSP-2: From R1 to R2 using VPN Label 206

R1#sh bgp vpnv4 unicast all 192.168.9.0
BGP routing table entry for 101:201:192.168.9.0/24, version 6
Paths: (1 available, best #1, no table)
  Advertised to update-groups:
     2         
  Refresh Epoch 1
  200
    12.12.12.2 from 12.12.12.2 (2.2.0.2)
      Origin incomplete, localpref 100, valid, external, best
      Extended Community: RT:101:201 0x8800:32768:0 0x8801:100:5120 
        0x8802:65281:25600 0x8803:65281:1500 0x8806:0:3232253193
      mpls labels in/out 109/206
      rx pathid: 0, tx pathid: 0x0


LSP-3: From R2 to R6 using VPN label 604

R2#sh bgp vpnv4 unicast all 192.168.9.0
BGP routing table entry for 101:201:192.168.9.0/24, version 3
Paths: (1 available, best #1, no table)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    2.2.0.6 (metric 3) from 2.2.0.6 (2.2.0.6)
      Origin incomplete, metric 30720, localpref 100, valid, internal, best
      Extended Community: RT:101:201 Cost:pre-bestpath:128:30720 
        0x8800:32768:0 0x8801:100:5120 0x8802:65281:25600 0x8803:65281:1500 
        0x8806:0:3232253193
      mpls labels in/out 206/604
      rx pathid: 0, tx pathid: 0x0

Finally unlabelled traffic from ISP 2 PE Router (R6) to CE Router (R9)

R6#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 101:201:192.168.9.0/24, version 2
Paths: (1 available, best #1, table Cust-A)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    192.168.69.9 from 0.0.0.0 (2.2.0.6)
      Origin incomplete, metric 30720, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:101:201 Cost:pre-bestpath:128:30720 
        0x8800:32768:0 0x8801:100:5120 0x8802:65281:25600 0x8803:65281:1500 
        0x8806:0:3232253193
      mpls labels in/out 604/nolabel
      rx pathid: 0, tx pathid: 0x0
Similarly, end-to-end reachability can be verified for Customer B sites.

R8#sh ip route | beg Gateway
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.16.8.0/24 is directly connected, FastEthernet0/1
L        172.16.8.8/32 is directly connected, FastEthernet0/1
O E2     172.16.10.0/24 [110/1] via 172.16.48.4, 01:29:16, FastEthernet0/0
C        172.16.48.0/24 is directly connected, FastEthernet0/0
L        172.16.48.8/32 is directly connected, FastEthernet0/0
O E2     172.16.106.0/24 [110/1] via 172.16.48.4, 01:29:16, FastEthernet0/0

R8#ping 172.16.10.10 source 172.16.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/227/260 ms

R8#traceroute 172.16.10.10 source 172.16.8.8
Type escape sequence to abort.
Tracing the route to 172.16.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.48.4 40 msec 40 msec 36 msec
  2 1.1.34.3 [MPLS: Labels 302/111 Exp 0] 204 msec 252 msec 252 msec
  3 1.1.13.1 [MPLS: Label 111 Exp 0] 240 msec 220 msec 220 msec
  4 12.12.12.2 [MPLS: Label 211 Exp 0] 248 msec 200 msec 232 msec
  5 2.2.25.5 [MPLS: Labels 502/606 Exp 0] 208 msec 256 msec 236 msec
  6 172.16.106.6 [MPLS: Label 606 Exp 0] 184 msec 232 msec 188 msec
  7 172.16.106.10 256 msec *  240 msec

R4#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 102:202:172.16.10.0/24, version 12
Paths: (1 available, best #1, table Cust-B)
  Not advertised to any peer
  Refresh Epoch 1
  200
    1.1.0.1 (metric 3) from 1.1.0.1 (1.1.0.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:102:202 OSPF DOMAIN ID:0x0005:0x000000C80200 
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:172.16.106.6:0
      mpls labels in/out nolabel/111
      rx pathid: 0, tx pathid: 0x0

R1#sh bgp vpnv4 unicast all 172.16.10.0       
BGP routing table entry for 102:202:172.16.10.0/24, version 8
Paths: (1 available, best #1, no table)
  Advertised to update-groups:
     2         
  Refresh Epoch 1
  200
    12.12.12.2 from 12.12.12.2 (2.2.0.2)
      Origin incomplete, localpref 100, valid, external, best
      Extended Community: RT:102:202 OSPF DOMAIN ID:0x0005:0x000000C80200 
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:172.16.106.6:0
      mpls labels in/out 111/211
      rx pathid: 0, tx pathid: 0x0

R2#sh bgp vpnv4 unicast all 172.16.10.0
BGP routing table entry for 102:202:172.16.10.0/24, version 7
Paths: (1 available, best #1, no table)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    2.2.0.6 (metric 3) from 2.2.0.6 (2.2.0.6)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:102:202 OSPF DOMAIN ID:0x0005:0x000000C80200 
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:172.16.106.6:0
      mpls labels in/out 211/606
      rx pathid: 0, tx pathid: 0x0

R6#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 102:202:172.16.10.0/24, version 4
Paths: (1 available, best #1, table Cust-B)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    172.16.106.10 from 0.0.0.0 (2.2.0.6)
      Origin incomplete, metric 2, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:102:202 OSPF DOMAIN ID:0x0005:0x000000C80200 
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:172.16.106.6:0
      mpls labels in/out 606/nolabel
      rx pathid: 0, tx pathid: 0x0

 

MPLS L3VPN Inter-AS VPN Option A

MPLS, , , ,

If two sites of a MPLS L3VPN are connected to different Autonomous Systems (e.g., because the sites are connected to different SPs). The PE routers attached to that VPN will then not be able to maintain IBGP connections with each other, or with a common route reflector. Rather, there needs to be some way to use EBGP to distribute VPN-IPv4 addresses.

There are a number of different ways of handling this case, let’s discuss first option which is called option A or back-to-back VRF exchange.

In this procedure, a PE router in one AS attaches directly to a PE router in another.  The two PE routers will be attached by multiple sub-interfaces, at least one for each of the VPNs whose routes need to be passed from AS to AS.  Each PE will treat the other as if it were a CE router.  That is, the PEs associate each such sub-interface with a VRF, and use EBGP (or any PE/CE IGP) to distribute unlabeled IPv4 addresses to each other.

We will use following network topology to discuss this feature.

mpls-interas-optA

PE-CE Configuration with ISP-1
R7 (CE Router) - Customer A Site 1

## EIGRP is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 192.168.47.7 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.7.7 255.255.255.0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255

R8 (CE Router) - Customer B Site 1

## OSPF is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 172.16.48.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 172.16.8.8 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 172.16.8.8

R4 (PE Router) - ISP 1

vrf definition Cust-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
vrf definition Cust-B
 rd 100:2
 !        
 address-family ipv4
  route-target export 100:2
  route-target import 100:2
 exit-address-family
!
interface Loopback0
 ip address 1.1.0.4 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 1.1.34.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding Cust-A
 ip address 192.168.47.4 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding Cust-B
 ip address 172.16.48.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 100 area 0
!
router eigrp 1
 !
 address-family ipv4 vrf Cust-A autonomous-system 100
  default-metric 10000 100 255 1 1500
  redistribute bgp 100
  network 192.168.47.0
 exit-address-family
!
router ospf 100 vrf Cust-B
 router-id 172.16.48.4
 redistribute bgp 100 subnets
!
router ospf 1
 router-id 1.1.0.4
!
router bgp 100
 bgp router-id 1.1.0.4
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.0.1 remote-as 100
 neighbor 1.1.0.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.0.1 activate
  neighbor 1.1.0.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  redistribute connected
  redistribute eigrp 100
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  redistribute connected
  redistribute ospf 100 match internal external 1 external 2
 exit-address-familyR3 (P Router) - ISP 1

interface Loopback0
 ip address 1.1.0.3 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.13.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 1.1.34.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip  
!
router ospf 1
 router-id 1.1.0.3

R1 (PE Router) - ISP 1 - ASBR connected to ISP 2

vrf definition Cust-A
 rd 100:1
 !
 address-family ipv4
  route-target export 100:1
  route-target import 100:1
 exit-address-family
!
vrf definition Cust-B
 rd 100:2
 !        
 address-family ipv4
  route-target export 100:2
  route-target import 100:2
 exit-address-family
!
interface Loopback0
 ip address 1.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 1.1.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 speed 100
 duplex full
 mpls ip
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.1
 encapsulation dot1Q 12
 vrf forwarding Cust-A
 ip address 12.12.12.1 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 21
 vrf forwarding Cust-B
 ip address 21.21.21.1 255.255.255.0
!   
router ospf 1
 router-id 1.1.0.1
!
router bgp 100
 bgp router-id 1.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.0.4 remote-as 100
 neighbor 1.1.0.4 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.0.4 activate
  neighbor 1.1.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  neighbor 12.12.12.2 remote-as 200
  neighbor 12.12.12.2 activate
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  neighbor 21.21.21.2 remote-as 200
  neighbor 21.21.21.2 activate
 exit-address-family
!            
PE-CE Configuration with ISP-2

Both ASBR routers in ISP1 and ISP2 see each other as CE router and treat itself as PE router. RD (Route Distinguisher) value for each customer does not require to match in both ISP networks. Here, Both ISPs are using different RD (Route Distinguisher).

We have used BGP as PE-CE routing protocol here. Any IGP can be used as well.

R2 (PE Router) - ISP 2 - ASBR connected to ISP 1

vrf definition Cust-A
 rd 200:1
 !
 address-family ipv4
  route-target export 200:1
  route-target import 200:1
 exit-address-family
!
vrf definition Cust-B
 rd 200:2
 !        
 address-family ipv4
  route-target export 200:2
  route-target import 200:2
 exit-address-family
!
interface Loopback0
 ip address 2.2.0.2 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 2.2.25.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.1
 encapsulation dot1Q 12
 vrf forwarding Cust-A
 ip address 12.12.12.2 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 21
 vrf forwarding Cust-B
 ip address 21.21.21.2 255.255.255.0
!
router ospf 1
 router-id 2.2.0.2
!
router bgp 200
 bgp router-id 2.2.0.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.0.6 remote-as 200
 neighbor 2.2.0.6 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.0.6 activate
  neighbor 2.2.0.6 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  neighbor 12.12.12.1 remote-as 100
  neighbor 12.12.12.1 activate
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  neighbor 21.21.21.1 remote-as 100
  neighbor 21.21.21.1 activate
 exit-address-family


R5 (P Router) - ISP 2

interface Loopback0
 ip address 2.2.0.5 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 2.2.25.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 ip address 2.2.56.5 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip  
!
router ospf 1
 router-id 2.2.0.5

R6 (PE Router) - ISP 2

vrf definition Cust-A
 rd 200:1
 !
 address-family ipv4
  route-target export 200:1
  route-target import 200:1
 exit-address-family
!
vrf definition Cust-B
 rd 200:2
 !        
 address-family ipv4
  route-target export 200:2
  route-target import 200:2
 exit-address-family
!
interface Loopback0
 ip address 2.2.0.6 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/1
 ip address 2.2.56.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 vrf forwarding Cust-A
 ip address 192.168.69.6 255.255.255.0
!
interface FastEthernet1/1
 vrf forwarding Cust-B
 ip address 172.16.106.6 255.255.255.0
 ip ospf network point-to-point
 ip ospf 200 area 0
!
!
router eigrp 1
 !
 address-family ipv4 vrf Cust-A autonomous-system 100
  default-metric 10000 100 255 1 1500
  redistribute bgp 200
  network 192.168.69.0
 exit-address-family
!
router ospf 200 vrf Cust-B
 router-id 172.16.106.6
 redistribute bgp 200 subnets
!
router ospf 1
 router-id 2.2.0.6
!
router bgp 200
 bgp router-id 2.2.0.6
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.0.2 remote-as 200
 neighbor 2.2.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.0.2 activate
  neighbor 2.2.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Cust-A
  redistribute connected
  redistribute eigrp 100
 exit-address-family
 !
 address-family ipv4 vrf Cust-B
  redistribute connected
  redistribute ospf 200 match internal external 1 external 2
 exit-address-family


R9 (CE Router) - Customer A Site 2

## EIGRP is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 192.168.69.9 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.9.9 255.255.255.0
!
router eigrp 100
 network 192.168.0.0 0.0.255.255

R10 (CE Router) - Customer B Site 2

## OSPF is the PE-CE routing protocol used for this customer ##

interface FastEthernet0/0
 ip address 172.16.106.10 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 172.16.10.10 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 172.16.10.10
Verification & Testing
R7#sh ip route | beg Gateway
Gateway of last resort is not set

      192.168.7.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.7.0/24 is directly connected, FastEthernet0/1
L        192.168.7.7/32 is directly connected, FastEthernet0/1
D EX  192.168.9.0/24 [170/284160] via 192.168.47.4, 01:04:34, FastEthernet0/0
      192.168.47.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.47.0/24 is directly connected, FastEthernet0/0
L        192.168.47.7/32 is directly connected, FastEthernet0/0
D EX  192.168.69.0/24 [170/284160] via 192.168.47.4, 01:04:34, FastEthernet0/0

Ping Customer-A Site 2 network

R7#ping 192.168.9.9 source 192.168.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.9.9, timeout is 2 seconds:
Packet sent with a source address of 192.168.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/160/172 ms

Traceroute Customer-A Site 2 network

R7#traceroute 192.168.9.9 source 192.168.7.7
Type escape sequence to abort.
Tracing the route to 192.168.9.9
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.47.4 28 msec 36 msec 36 msec
  2 1.1.34.3 [MPLS: Labels 302/104 Exp 0] 88 msec 100 msec 88 msec
  3 12.12.12.1 [MPLS: Label 104 Exp 0] 64 msec 92 msec 60 msec
  4 12.12.12.2 116 msec 120 msec 92 msec
  5 2.2.25.5 [MPLS: Labels 501/604 Exp 0] 176 msec 168 msec 152 msec
  6 192.168.69.6 [MPLS: Label 604 Exp 0] 128 msec 140 msec 140 msec
  7 192.168.69.9 176 msec *  156 msec

We can see from the above output there are two different LSP (Label Switch Path) are being used to provide end-to-end reachability.

LSP-1: From R4 to R1 using VPN Label 104

R4#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 100:1:192.168.9.0/24, version 10
Paths: (1 available, best #1, table Cust-A)
  Not advertised to any peer
  Refresh Epoch 1
  200
    1.1.0.1 (metric 3) from 1.1.0.1 (1.1.0.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:100:1
      mpls labels in/out nolabel/104
      rx pathid: 0, tx pathid: 0x0

The traffic between R1 & R2 is normal Unlabeled IPv4 traffic

R1#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 100:1:192.168.9.0/24, version 10
Paths: (1 available, best #1, table Cust-A)
  Advertised to update-groups:
     3         
  Refresh Epoch 1
  200
    12.12.12.2 from 12.12.12.2 (2.2.0.2)
      Origin incomplete, localpref 100, valid, external, best
      Extended Community: RT:100:1
      mpls labels in/out 104/nolabel
      rx pathid: 0, tx pathid: 0x0

LSP-2: From R2 to R6 using VPN label 604

R2#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 200:1:192.168.9.0/24, version 10
Paths: (1 available, best #1, table Cust-A)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    2.2.0.6 (metric 3) from 2.2.0.6 (2.2.0.6)
      Origin incomplete, metric 30720, localpref 100, valid, internal, best
      Extended Community: RT:200:1 Cost:pre-bestpath:128:30720 0x8800:32768:0 
        0x8801:100:5120 0x8802:65281:25600 0x8803:65281:1500 
        0x8806:0:3232253193
      mpls labels in/out nolabel/604
      rx pathid: 0, tx pathid: 0x0

Finally unlabelled traffic from ISP 2 PE Router (R6) to CE Router (R9)
 
R6#sh bgp vpnv4 unicast vrf Cust-A 192.168.9.0
BGP routing table entry for 200:1:192.168.9.0/24, version 3
Paths: (1 available, best #1, table Cust-A)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    192.168.69.9 from 0.0.0.0 (2.2.0.6)
      Origin incomplete, metric 30720, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:200:1 Cost:pre-bestpath:128:30720 0x8800:32768:0 
        0x8801:100:5120 0x8802:65281:25600 0x8803:65281:1500 
        0x8806:0:3232253193
      mpls labels in/out 604/nolabel
      rx pathid: 0, tx pathid: 0x0

Similarly, end-to-end reachability can be verified for Customer B sites.

R8#sh ip route | beg Gateway 
Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.16.8.0/24 is directly connected, FastEthernet0/1
L        172.16.8.8/32 is directly connected, FastEthernet0/1
O E2     172.16.10.0/24 [110/1] via 172.16.48.4, 01:33:51, FastEthernet0/0
C        172.16.48.0/24 is directly connected, FastEthernet0/0
L        172.16.48.8/32 is directly connected, FastEthernet0/0
O E2     172.16.106.0/24 [110/1] via 172.16.48.4, 01:33:51, FastEthernet0/0

R8#ping 172.16.10.10 source 172.16.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/236/248 ms
R8#trace 172.16.10.10 source 172.16.8.8
Type escape sequence to abort.
Tracing the route to 172.16.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.48.4 32 msec 52 msec 64 msec
  2 1.1.34.3 [MPLS: Labels 302/106 Exp 0] 140 msec 140 msec 136 msec
  3 21.21.21.1 [MPLS: Label 106 Exp 0] 84 msec 104 msec 116 msec
  4 21.21.21.2 136 msec 152 msec 132 msec
  5 2.2.25.5 [MPLS: Labels 501/606 Exp 0] 248 msec 224 msec 232 msec
  6 172.16.106.6 [MPLS: Label 606 Exp 0] 208 msec 196 msec 192 msec
  7 172.16.106.10 236 msec *  240 msec


R4#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 100:2:172.16.10.0/24, version 12
Paths: (1 available, best #1, table Cust-B)
  Not advertised to any peer
  Refresh Epoch 1
  200
    1.1.0.1 (metric 3) from 1.1.0.1 (1.1.0.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:100:2
      mpls labels in/out nolabel/106
      rx pathid: 0, tx pathid: 0x0

R1#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 100:2:172.16.10.0/24, version 12
Paths: (1 available, best #1, table Cust-B)
  Advertised to update-groups:
     3         
  Refresh Epoch 1
  200
    21.21.21.2 from 21.21.21.2 (2.2.0.2)
      Origin incomplete, localpref 100, valid, external, best
      Extended Community: RT:100:2
      mpls labels in/out 106/nolabel
      rx pathid: 0, tx pathid: 0x0

R2#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 200:2:172.16.10.0/24, version 12
Paths: (1 available, best #1, table Cust-B)
  Advertised to update-groups:
     2         
  Refresh Epoch 1
  Local
    2.2.0.6 (metric 3) from 2.2.0.6 (2.2.0.6)
      Origin incomplete, metric 2, localpref 100, valid, internal, best
      Extended Community: RT:200:2 OSPF DOMAIN ID:0x0005:0x000000C80200 
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:172.16.106.6:0
      mpls labels in/out nolabel/606
      rx pathid: 0, tx pathid: 0x0

R6#sh bgp vpnv4 unicast vrf Cust-B 172.16.10.0
BGP routing table entry for 200:2:172.16.10.0/24, version 7
Paths: (1 available, best #1, table Cust-B)
  Advertised to update-groups:
     1         
  Refresh Epoch 1
  Local
    172.16.106.10 from 0.0.0.0 (2.2.0.6)
      Origin incomplete, metric 2, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:200:2 OSPF DOMAIN ID:0x0005:0x000000C80200 
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:172.16.106.6:0
      mpls labels in/out 606/nolabel
      rx pathid: 0, tx pathid: 0x0

The major drawback of this design is scalability as it requires a separate VRF interface for each customer on ASBR PE Routers.

This issue is addressed in MPLS Inter-AS option B & C. We will discuss it later.

VRF Aware IPSEC VPN – Part 2

IPSEC, MPLS, Security, VPN, VRF, ,

In part 2, We will discuss the VRF Aware IPSec VPN when internet link is not configured under Global VRF and it belongs to a specific VRF which would be FVRF (Front Door VRF) in this scenario.

You must refer part 1 http://www.amolak.net/vrf-aware-ipsec-vpn-part-1/ of this discussion to understand the terminologies used. Also we will use the same network topology of part1.

Configuration:

R1 - PE and VRF Aware IPSec VPN Router

!! -- Create VRF named cust-a for Customer-A --!!
!! -- This is Inside VRF (I-VRF) --!!
vrf definition cust-a
 rd 123:1
 !
 address-family ipv4
  route-target export 123:1
  route-target import 123:1
 exit-address-family
!
!! -- Create VRF named cust-b for Customer-B --!!
!! -- This is Inside VRF (I-VRF) --!!
!
vrf definition cust-b
 rd 123:2
 !
 address-family ipv4
  route-target export 123:2
  route-target import 123:2
 exit-address-family
!
!! -- Create VRF named int-vrf for Internet Link --!!
!! -- This is Front Door VRF (F-VRF) --!!
!
vrf definition int-vrf
 rd 123:123
 !
 address-family ipv4
  route-target export 123:123
  route-target import 123:123
 exit-address-family
!
interface FastEthernet0/1
 vrf forwarding int-vrf
 ip address 1.1.14.1 255.255.255.0
!
!! -- Define ISAKMP Pre-shared key for both VPN Peers --!!
! 
crypto keyring internet-keyring vrf int-vrf 
  pre-shared-key address 1.1.47.7 key vpn1password
  pre-shared-key address 1.1.48.8 key vpn2password
!
!! -- Create ISAKMP Policy --!!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
!! -- Create ISAKMP Profile for both VPNs --!!
!
crypto isakmp profile vpn1
   vrf cust-a
   keyring internet-keyring
   match identity address 1.1.47.7 255.255.255.255 int-vrf
crypto isakmp profile vpn2
   vrf cust-b
   keyring internet-keyring
   match identity address 1.1.48.8 255.255.255.255 int-vrf
!
!
!! -- Create IPSec Transform-set for both VPNs --!!
!
crypto ipsec transform-set vpn1-TS esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set vpn2-TS esp-3des esp-sha-hmac 
 mode tunnel
!
!
!! -- Create access-list to define the traffic to pass through --!!
!! -- the VPN tunnel --!!
!! -- access-list 101 is for Customer-1 traffic --!!
!! -- access-list 102 is for Customer-2 traffic --!!
!
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 172.16.6.0 0.0.0.255 172.16.8.0 0.0.0.255
!
!! -- Create Crypto MAP for both VPNs --!!
!
crypto map crypmap 1 ipsec-isakmp 
 set peer 1.1.47.7
 set transform-set vpn1-TS 
 set isakmp-profile vpn1
 match address 101
!
crypto map crypmap 2 ipsec-isakmp 
 set peer 1.1.48.8
 set transform-set vpn2-TS 
 set isakmp-profile vpn2
 match address 102
!
!! -- Apply Crypto MAP to Internet facing interface --!!
!
interface FastEthernet0/1
 vrf forwarding int-vrf
 ip address 1.1.14.1 255.255.255.0
 crypto map crypmap
!
!! -- Routing --!!
!! -- We have to import default route from VRF 'int-vrf' --!!
!! -- into Customer VRFs 'cust-a' and 'cust-b'--!!
!! -- Without this route import, both customer VRF has --!!
!! -- no idea how to reach internet and VPN peers --!!
!
vrf definition cust-a
 address-family ipv4
  route-target import 123:123
 exit-address-family
!
vrf definition cust-b
 address-family ipv4
  route-target import 123:123
 exit-address-family
!
!! -- Static route - VRF 'int-vrf' --!!
ip route vrf int-vrf 0.0.0.0 0.0.0.0 1.1.14.4
!! -- Static route - VRF 'cust-a' --!! 
ip route vrf cust-a 192.168.7.0 255.255.255.0 FastEthernet0/1 1.1.14.4
!! -- Static route - VRF 'cust-b' --!!
ip route vrf cust-b 172.16.8.0 255.255.255.0 FastEthernet0/1 1.1.14.4
!
!
!! -- Redistribute IPSec VPN routes into BGP --!!
!! -- MP-BGP will advertise it to PE-2 Router --!!
!! -- PE-2 Router will advertise those routes to Customers --!!
!
router bgp 123
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.2 remote-as 123
 neighbor 10.1.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cust-a
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf cust-b
  redistribute static
 exit-address-family
!
Verification:

R7 (Customer-A Site 1) can ping R5 (Customer-A Site-2) network

R7#ping 192.168.5.5 so 192.168.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.7.7 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/129/140 ms

R8 (Customer-B Site 1) can ping R6 (Customer-B Site-2) network

R8#ping 172.16.6.6 so 172.16.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.6.6, timeout is 2 seconds:
Packet sent with a source address of 172.16.8.8 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/132/144 ms

Verify VPN Status on R1

R1#show crypto session detail 
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Profile: vpn1
Uptime: 00:25:30
Session status: UP-ACTIVE     
Peer: 1.1.47.7 port 500 fvrf: int-vrf ivrf: cust-a
      Phase1_id: 1.1.47.7
      Desc: (none)
  IKEv1 SA: local 1.1.14.1/500 remote 1.1.47.7/500 Active 
          Capabilities:(none) connid:1001 lifetime:23:34:29
  IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 192.168.7.0/255.255.255.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 34 drop 0 life (KB/Sec) 4171386/2069
        Outbound: #pkts enc'ed 34 drop 0 life (KB/Sec) 4171386/2069

Interface: FastEthernet0/1
Profile: vpn2
Uptime: 00:25:07
Session status: UP-ACTIVE     
Peer: 1.1.48.8 port 500 fvrf: int-vrf ivrf: cust-b
      Phase1_id: 1.1.48.8
      Desc: (none)
  IKEv1 SA: local 1.1.14.1/500 remote 1.1.48.8/500 Active 
          Capabilities:(none) connid:1002 lifetime:23:34:52
  IPSEC FLOW: permit ip 172.16.6.0/255.255.255.0 172.16.8.0/255.255.255.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 14 drop 0 life (KB/Sec) 4267407/2092
        Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4267407/2092

Here, we can see Front Door VRF (FVRF) is 'int-vrf' and Inside VRF (IVRF) is 'cust-a' & 'cust-b' for Customer A and B respectively.
Here is the Full configuration of Router R1. There is no change in the configuration of all other devices. It is same as mentioned in part-1.

hostname R1
!
vrf definition cust-a
 rd 123:1
 !
 address-family ipv4
  route-target export 123:1
  route-target import 123:1
  route-target import 123:123
 exit-address-family
!
vrf definition cust-b
 rd 123:2
 !
 address-family ipv4
  route-target export 123:2
  route-target import 123:2
  route-target import 123:123
 exit-address-family
!
vrf definition int-vrf
 rd 123:123
 !
 address-family ipv4
  route-target export 123:123
  route-target import 123:123
 exit-address-family
!
crypto keyring internet-keyring vrf int-vrf 
  pre-shared-key address 1.1.47.7 key vpn1password
  pre-shared-key address 1.1.48.8 key vpn2password
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile vpn1
   vrf cust-a
   keyring internet-keyring
   match identity address 1.1.47.7 255.255.255.255 int-vrf
crypto isakmp profile vpn2
   vrf cust-b
   keyring internet-keyring
   match identity address 1.1.48.8 255.255.255.255 int-vrf
!
!
crypto ipsec transform-set vpn1-TS esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set vpn2-TS esp-3des esp-sha-hmac 
 mode tunnel
!
!
!
crypto map crypmap 1 ipsec-isakmp 
 set peer 1.1.47.7
 set transform-set vpn1-TS 
 set isakmp-profile vpn1
 match address 101
crypto map crypmap 2 ipsec-isakmp 
 set peer 1.1.48.8
 set transform-set vpn2-TS 
 set isakmp-profile vpn2
 match address 102
!
interface Loopback0
 ip address 10.1.0.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 10.1.13.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
 speed 100
 duplex full
 mpls ip
!
interface FastEthernet0/1
 vrf forwarding int-vrf
 ip address 1.1.14.1 255.255.255.0
 speed 100
 duplex full
 crypto map crypmap
!
router ospf 1
 router-id 10.1.0.1
!
router bgp 123
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.1.0.2 remote-as 123
 neighbor 10.1.0.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.2 activate
  neighbor 10.1.0.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf cust-a
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf cust-b
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf int-vrf
  redistribute connected
  redistribute static
 exit-address-family
!
ip route vrf cust-a 192.168.7.0 255.255.255.0 FastEthernet0/1 1.1.14.4
ip route vrf cust-b 172.16.8.0 255.255.255.0 FastEthernet0/1 1.1.14.4
ip route vrf int-vrf 0.0.0.0 0.0.0.0 1.1.14.4
!
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 172.16.6.0 0.0.0.255 172.16.8.0 0.0.0.255
!
end