Today we're going to look at the configuration required to create a basic MPLS VPN servicing two customers, each with a
presence at two physical sites. If you're unfamiliar with the concepts of MPLS switching and VRFs on Cisco IOS, you may want to check out a few of my past articles before continuing:
- Intro to VRF lite
- Inter-VRF Routing with VRF Lite
- Getting to know MPLS

Our lab topology looks like this:

As a review, recall that:
- P (provider) routers are ISP core routers which don't connect to customer routers and typically run only MPLS
- PE (provider edge) routers connect to customer sites and form the edge of a VPN
- CE (customer edge) routers exist at the edge of a customer site; they have no VPN awareness
- an IGP running among all P and PE routers is used to support LDP and BGP adjacencies within the provider network
- MP-BGP is run only among PE routers
- an IGP (typically) is run between each CE router and its upstream PE router

packetlife.net/blog/2011/may/16/creating-mpls-vpn/
05/04/2012

In our lab, OSPF is already in operation as the provider network IGP. OSPF processes have also been preconfigured on the CE routers; however, these OSPF topologies will remain separate from the provider OSPF.

There are five core tasks we need to accomplish to get an MPLS VPN up and running:
1. Enable MPLS on the provider backbone.
2. Create VRFs and assign routed interfaces to them.
3. Configure MP-BGP between the PE routers.
4. Configure OSPF between each PE router and its attached CE routers.
5. Enable route redistribution between the customer sites and the backbone.

Although plenty of CLI outputs are shown below, you may want to grab the finished router configurations if you'd like to duplicate the lab on your own.

Enable MPLS
First we need to enable MPLS on all P-P and P-PE links with the mpls ip interface command. MPLS is not enabled on any CE-facing interfaces; CE routers do not run MPLS, just plain IP routing. LDP is enabled automatically as the default label distribution protocol (versus Cisco's legacy TDP). LDP typically runs between loopback addresses not directly reachable by LDP peers, which is why it's important to configure an IGP in the core before enabling MPLS.

We can verify the configuration of MPLS interfaces with show mpls interfaces.

P1(config)#interface f0/1
P1(config-if)#mpls ip
P1(config-if)#interface f1/0
P1(config-if)#mpls ip
P1(config-if)#do show mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/1        Yes (ldp)     No       Yes
FastEthernet1/0        Yes (ldp)     No       Yes

P2(config)#interface f0/1
P2(config-if)#mpls ip
P2(config-if)#interface f1/0
P2(config-if)#mpls ip

PE1(config)#interface f1/0
PE1(config-if)#mpls ip

PE2(config)#interface f1/0
PE2(config-if)#mpls ip

LDP adjacencies can be verified with the command show mpls ldp neighbor:

P1#show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.2:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.2.45114 - 10.0.0.1.646
        State: Oper; Msgs sent/rcvd: 12/13; Downstream
        Up time: 00:02:43
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.0.9.2
        Addresses bound to peer LDP Ident:
          10.0.9.2        10.0.9.9        10.0.0.2
    Peer LDP Ident: 10.0.0.3:0; Local LDP Ident 10.0.0.1:0
        TCP connection: 10.0.0.3.20327 - 10.0.0.1.646
        State: Oper; Msgs sent/rcvd: 12/12; Downstream
        Up time: 00:02:25
        LDP discovery sources:
          FastEthernet1/0, Src IP addr: 10.0.9.6
        Addresses bound to peer LDP Ident:
          10.0.9.6        10.0.0.3

PE1(config)#ip vrf Customer_A
PE1(config-vrf)#rd 65000:1
PE1(config-vrf)#route-target both 65000:1
PE1(config-vrf)#ip vrf Customer_B
PE1(config-vrf)#rd 65000:2
PE1(config-vrf)#route-target both 65000:2

PE2(config)#ip vrf Customer_A
PE2(config-vrf)#rd 65000:1
PE2(config-vrf)#route-target both 65000:1
PE2(config-vrf)#ip vrf Customer_B
PE2(config-vrf)#rd 65000:2
PE2(config-vrf)#route-target both 65000:2

PE1(config)#interface f0/0
PE1(config-if)#ip vrf forwarding Customer_A
% Interface FastEthernet0/0 IP address 10.0.1.1 removed due to enabling VRF Customer_A
PE1(config-if)#ip address 10.0.1.1 255.255.255.252
PE1(config-if)#interface f0/1
PE1(config-if)#ip vrf forwarding Customer_B
% Interface FastEthernet0/1 IP address 10.0.1.5 removed due to enabling VRF Customer_B
PE1(config-if)#ip address 10.0.1.5 255.255.255.252
PE1(config-if)#^Z
PE1#show ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Fa0/0                  10.0.1.1        Customer_A                       up
Fa0/1                  10.0.1.5        Customer_B                       up

PE2(config)#interface f0/0
PE2(config-if)#ip vrf forwarding Customer_A
% Interface FastEthernet0/0 IP address 10.0.2.1 removed due to enabling VRF Customer_A
PE2(config-if)#ip address 10.0.2.1 255.255.255.252
PE2(config-if)#interface f0/1
PE2(config-if)#ip vrf forwarding Customer_B
% Interface FastEthernet0/1 IP address 10.0.2.5 removed due to enabling VRF Customer_B
PE2(config-if)#ip address 10.0.2.5 255.255.255.252
PE2(config-if)#^Z
PE2#show ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Fa0/0                  10.0.2.1        Customer_A                       up
Fa0/1                  10.0.2.5        Customer_B                       up
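
The following Python sketch is an added example, not part of the original article. It audits PE configurations in the ip vrf style used above for two isolation mistakes: a VRF importing a route target that a different VRF exports, and mpls ip enabled on an interface assigned to a VRF (a CE-facing interface). The sample configs are constructed (PE1 follows the article, PE2 is trimmed to two planted errors), and the check assumes a VRF name identifies the same customer on every PE.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from the article's download): PE1 follows the
# article's VRF layout; PE2 is trimmed to one VRF and carries two planted mistakes.
CONFIGS = {
    "PE1": """ip vrf Customer_A
 rd 65000:1
 route-target both 65000:1
ip vrf Customer_B
 rd 65000:2
 route-target both 65000:2
interface FastEthernet0/0
 ip vrf forwarding Customer_A
interface FastEthernet1/0
 mpls ip
""",
    "PE2": """ip vrf Customer_B
 rd 65000:2
 route-target both 65000:2
 route-target import 65000:1
interface FastEthernet0/1
 ip vrf forwarding Customer_B
 mpls ip
""",
}

# A top-level "<keyword> <name>" line followed by its indented sub-commands.
STANZA = r"^{} (\S+)\n((?: .*\n)*)"

def audit(configs):
    """Return sorted findings; assumes a VRF name means the same customer on every PE."""
    exports, imports, findings = defaultdict(set), defaultdict(set), []
    for router, text in configs.items():
        for vrf, body in re.findall(STANZA.format("ip vrf"), text, re.M):
            for kind, rt in re.findall(r"route-target (both|import|export) (\S+)", body):
                if kind != "import":
                    exports[rt].add(vrf)
                if kind != "export":
                    imports[rt].add((router, vrf))
        for ifname, body in re.findall(STANZA.format("interface"), text, re.M):
            vrf = re.search(r"^ ip vrf forwarding (\S+)", body, re.M)
            if vrf and re.search(r"^ mpls ip$", body, re.M):
                findings.append(f"{router} {ifname}: mpls ip on interface in VRF {vrf[1]}")
    for rt, importers in imports.items():
        for router, vrf in importers:
            for src in sorted(exports[rt] - {vrf}):
                findings.append(f"{router} {vrf}: imports RT {rt} exported by {src}")
    return sorted(findings)
```

Intentional extranet or shared-services imports are reported as well, so allow-list those route targets before treating a finding as a leak.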

PE1(config)#router bgp 65000
PE1(config-router)#neighbor 10.0.0.4 remote-as 65000
PE1(config-router)#neighbor 10.0.0.4 update-source loopback0
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neighbor 10.0.0.4 activate

PE2(config)#router bgp 65000
PE2(config-router)#neighbor 10.0.0.3 remote-as 65000
PE2(config-router)#neighbor 10.0.0.3 update-source loopback0
PE2(config-router)#address-family vpnv4
PE2(config-router-af)#neighbor 10.0.0.3 activate

If we look at the running configuration of the BGP process on either PE router, we notice that a bit more configuration than we provided has appeared:

PE1#show running-config | section router bgp
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.0.4 remote-as 65000
 neighbor 10.0.0.4 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf Customer_B
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Customer_A
  no synchronization
 exit-address-family

In addition to our VPNv4 address family, address families for the two customer VRFs have been created automatically. Also, support for extended community strings has been added to the VPNv4 neighbor configuration.

Verify that the MP-BGP adjacency between PE1 and PE2 was formed successfully with the command show bgp vpnv4 unicast all summary:

PE1#show bgp vpnv4 unicast all summary
BGP router identifier 10.0.0.3, local AS number 65000
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.4        4 65000      12      12        1    0    0 00:06:05        0

Currently, there are no routes in the BGP table, because we have not specified anything to be advertised or redistributed, but we'll get to that after this next step.

PE1(config)#router ospf 2 vrf Customer_A
PE1(config-router)#router-id 10.0.1.1
PE1(config-router)#interface f0/0
PE1(config-if)#ip ospf 2 area 0
PE1(config-if)#router ospf 3 vrf Customer_B
PE1(config-router)#router-id 10.0.1.5
PE1(config-router)#interface f0/1
PE1(config-if)#ip ospf 3 area 0

PE2(config)#router ospf 2 vrf Customer_A
PE2(config-router)#router-id 10.0.2.1
PE2(config-router)#interface f0/0
PE2(config-if)#ip ospf 2 area 0
PE2(config-if)#router ospf 3 vrf Customer_B
PE2(config-router)#router-id 10.0.2.5
PE2(config-router)#interface f0/1
PE2(config-if)#ip ospf 3 area 0

We should see each PE router form an OSPF adjacency with both of its attached CE routers, and the customer routes should appear in the VRF tables on the PE routers.

PE1#show ip route vrf Customer_A

Routing Table: Customer_A
...

PE1(config)#router bgp 65000
PE1(config-router)#address-family ipv4 vrf Customer_A
PE1(config-router-af)#redistribute ospf 2
PE1(config-router-af)#address-family ipv4 vrf Customer_B
PE1(config-router-af)#redistribute ospf 3

PE2(config)#router bgp 65000
PE2(config-router)#address-family ipv4 vrf Customer_A
PE2(config-router-af)#redistribute ospf 2
PE2(config-router-af)#address-family ipv4 vrf Customer_B
PE2(config-router-af)#redistribute ospf 3

This enables redistribution of OSPF routes into BGP for transport across the provider network between the two sites. We can verify that the routes learned from the customer sites (the 172.16.0.0/16 and 172.17.0.0/16 networks) now appear in the BGP tables for their respective VRFs.

PE1#show ip bgp vpnv4 vrf Customer_A
...
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:1 (default for vrf Customer_A)
*> 10.0.1.0/30      0.0.0.0                  0         32768 ?
*>i10.0.2.0/30      10.0.0.4                 0    100      0 ?
*> 172.16.0.1/32    10.0.1.2                11         32768 ?
*>i172.16.0.2/32    10.0.0.4                11    100      0 ?
*> 172.16.1.0/24    10.0.1.2                11         32768 ?
*>i172.16.2.0/24    10.0.0.4                11    100      0 ?

PE1#show ip bgp vpnv4 vrf Customer_B
...
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65000:2 (default for vrf Customer_B)
*> 10.0.1.4/30      0.0.0.0                  0         32768 ?
*>i10.0.2.4/30      10.0.0.4                 0    100      0 ?
*> 172.17.0.1/32    10.0.1.6                11         32768 ?
*>i172.17.0.2/32    10.0.0.4                11    100      0 ?
*> 172.17.1.0/24    10.0.1.6                11         32768 ?
*>i172.17.2.0/24    10.0.0.4                11    100      0 ?
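
As an added example (not from the original article), the Python below checks captured output of the commands above against a per-customer allow-list, so that a prefix belonging to one customer showing up in another customer's VRF is reported. The allow-lists and the sample text are assumptions built from the addresses in this article; the 172.17.2.0/24 row under Customer_A is planted.

```python
import ipaddress
import re

# Assumed allow-list per VRF: the customer site ranges named in the article
# plus the PE-CE /30 links visible in its output.
ALLOWED = {
    "Customer_A": ["172.16.0.0/16", "10.0.1.0/30", "10.0.2.0/30"],
    "Customer_B": ["172.17.0.0/16", "10.0.1.4/30", "10.0.2.4/30"],
}

# Constructed sample: rows in the format of the output above, with one
# planted Customer_B prefix (172.17.2.0/24) inside Customer_A's table.
SAMPLE = """\
Route Distinguisher: 65000:1 (default for vrf Customer_A)
*> 10.0.1.0/30      0.0.0.0                  0         32768 ?
*>i10.0.2.0/30      10.0.0.4                 0    100      0 ?
*> 172.16.1.0/24    10.0.1.2                11         32768 ?
*>i172.16.2.0/24    10.0.0.4                11    100      0 ?
*>i172.17.2.0/24    10.0.0.4                11    100      0 ?
Route Distinguisher: 65000:2 (default for vrf Customer_B)
*> 10.0.1.4/30      0.0.0.0                  0         32768 ?
*> 172.17.1.0/24    10.0.1.6                11         32768 ?
*>i172.17.2.0/24    10.0.0.4                11    100      0 ?
"""

def unexpected_prefixes(output, allowed=ALLOWED):
    """Return (vrf, prefix) pairs for valid routes outside that VRF's allow-list."""
    nets = {v: [ipaddress.ip_network(p) for p in ps] for v, ps in allowed.items()}
    vrf, hits = None, []
    for line in output.splitlines():
        header = re.search(r"\(default for vrf (\S+)\)", line)
        route = re.match(r"\*>?\s*i?\s*(\d+\.\d+\.\d+\.\d+/\d+)", line)
        if header:
            vrf = header[1]  # the rows that follow belong to this VRF
        elif route:
            prefix = ipaddress.ip_network(route[1])
            if not any(prefix.subnet_of(n) for n in nets.get(vrf, [])):
                hits.append((vrf, route[1]))
    return hits
```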
The last step is to complete the redistribution in the opposite direction: from BGP into the customer OSPF processes. If
you're accustomed to route redistribution, there's nothing new here. (We don't have to specify any VRF information in the
redistribution statement because each customer OSPF process is already assigned to a VRF.)

PE1(config)#router ospf 2
PE1(config-router)#redistribute bgp 65000 subnets
PE1(config-router)#router ospf 3
PE1(config-router)#redistribute bgp 65000 subnets

PE2(config)#router ospf 2
PE2(config-router)#redistribute bgp 65000 subnets
PE2(config-router)#router ospf 3
PE2(config-router)#redistribute bgp 65000 subnets

CE1A#show ip route
...
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       172.16.1.0/24 is directly connected, Loopback1
C       172.16.0.1/32 is directly connected, Loopback0
O IA    172.16.2.0/24 [110/21] via 10.0.1.1, 00:03:50, FastEthernet0/0
O IA    172.16.0.2/32 [110/21] via 10.0.1.1, 00:03:50, FastEthernet0/0
     10.0.0.0/30 is subnetted, 2 subnets
O IA    10.0.2.0 [110/11] via 10.0.1.1, 00:03:50, FastEthernet0/0
C       10.0.1.0 is directly connected, FastEthernet0/0

CE2A#show ip route
...
     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA    172.16.1.0/24 [110/21] via 10.0.2.1, 00:02:49, FastEthernet0/0
O IA    172.16.0.1/32 [110/21] via 10.0.2.1, 00:02:49, FastEthernet0/0
C       172.16.2.0/24 is directly connected, Loopback1

You may notice that OSPF routes sent between two sites belonging to the same customer appear as inter-area routes. Remember that although OSPF area 0 is being used at both sites, each site exists as a separate link-state topology connected by the MPLS VPN.

We should be able to ping from one CE router to the other. (Remember that we don't need to specify a VRF when doing so because CE routers have no knowledge that they're in a VRF.)

CE1A#ping 172.16.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/32 ms

We can perform a traceroute to verify the path taken as well as the MPLS labels used to traverse the provider network.

CE1A#traceroute 172.16.0.2

Type escape sequence to abort.
Tracing the route to 172.16.0.2

  1 10.0.1.1 4 msec 4 msec 8 msec
  2 10.0.9.5 [MPLS: Labels 19/22 Exp 0] 16 msec 12 msec 24 msec
  3 10.0.9.2 [MPLS: Labels 19/22 Exp 0] 24 msec 20 msec 16 msec
  4 10.0.2.1 [MPLS: Label 22 Exp 0] 20 msec 16 msec 24 msec
  5 10.0.2.2 16 msec * 36 msec

Here's a packet capture of the above traceroute if you're interested in how the MPLS label information is returned. And again, here are the finished router configurations if you'd like to replicate the lab yourself.

(Thanks to Ivan Pepelnjak of Cisco IOS Hints for helping revise this article!)

About the Author
Jeremy Stretch is a freelance networking engineer, instructor, and the maintainer of PacketLife.net. He currently lives in Fairfax, Virginia, on the edge of the Washington, DC metro area. Although primarily an R&S guy, he likes to get into everything, and runs a free network training lab out of his basement for fun. You can contact him by email or follow him on Twitter.

Posted in MPLS, VPN

Comments

Ace (guest) commented on Monday, May 16, 2011 at 3:59 a.m. UTC
Thanks...

Daniel (guest) commented on Monday, May 16, 2011 at 6:14 a.m. UTC
Hi Jeremy,
Good post. I'm having some problems with this sentence:
"We need to assign each VRF a route distinguisher (RD) to uniquely identify prefixes as belonging to that VRF and one or more route targets (RTs) to specify how routes should be imported to and exported from the VRF."
This could be due to English not being my native language but this sounds like you're saying that RD defines the VPN and this is not true. The RD only makes prefixes unique but does not in any way define the VPN, that's what the RT is for.
I'm surprised Ivan didn't catch this if he read the article. Could just be a misunderstanding from my part or you should rewrite that sentence.

1111oneoneone (guest) commented on Monday, May 16, 2011 at 7:31 a.m. UTC
An excellent post. Thanks Jeremy.

Alain commented on Monday, May 16, 2011 at 8:53 a.m. UTC
Stretch, As always there is only one word to describe this post: excellent!
Regards,
Alain

Trey (guest) commented on Monday, May 16, 2011 at 1:12 p.m. UTC
If you ever plan to implement IPv6, it's much easier to add if you use "vrf definition" instead of "ip vrf"

vrf definition vrf2
 rd 2:2
 !
 address-family ipv4
 route-target export 2:2
 route-target import 2:2
 exit-address-family

Trey

Rob (guest) commented on Monday, May 16, 2011 at 2:09 p.m. UTC
thanks

stretch commented on Monday, May 16, 2011 at 3:12 p.m. UTC
@Daniel:
It must be a language barrier thing. It simply means that the RD is used to make routes unique (e.g. when customers use overlapping address space).

Hussain (guest) commented on Monday, May 16, 2011 at 5:20 p.m. UTC
Many thanks!!

Bart (guest) commented on Monday, May 16, 2011 at 6:30 p.m. UTC
Yes, RD does nothing more than make the routes unique so that BGP will distribute them correctly.
People often get confused about the RD because nearly all Cisco examples I have seen use the same RD on both PE routers, giving people the false impression that this is required.
You can just as easily use one RD per VRF per PE. That's what I usually do in examples just to remind people that RT and RD are two different things.

me_rahawan82 commented on Tuesday, May 17, 2011 at 11:39 a.m. UTC
Thanks Jeremy, My hero

reca (guest) commented on Tuesday, May 17, 2011 at 6:23 p.m. UTC
...and sometimes you want to use only MP-BGP and do not carry any prefixes and then you add "no bgp default ipv4-unicast" under the "router bgp 65001" context.
Thanx for this short and concise post.

OmiPR commented on Tuesday, May 17, 2011 at 8:15 p.m. UTC
Thanks Stretch! It helped me a lot for MPLS config understanding!

alpi (guest) commented on Tuesday, May 17, 2011 at 9:38 p.m. UTC
Hi, I read your posts almost two years and I must say THANK YOU. You are the best.
regards,
Alen

abulanov commented on Wednesday, May 18, 2011 at 7:26 a.m. UTC
Using OSPF on PE-CE is limited by a number of OSPF processes on PE router. There are only 32. That means you cannot connect more than 30 unique CE to one PE
(http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q46)
That's why OSPF isn't the best choice for
ISIS is not supported there at all.

amitabha commented on Thursday, May 19, 2011 at 3:37 a.m. UTC
THANK YOU for the post man. Hope you will discuss L2 VPN (Martini & Kompella) soon.... we are waiting :)

yelfathi (guest) commented on Thursday, May 19, 2011 at 4:49 p.m. UTC
Good introduction, I will add two remarks:
- check ip cef before enabling mpls because mpls needs it
- create dedicated loopbacks and force the mpls router-id to them
Those avoid you from potential problems you will see after more practices :)

kammu commented on Sunday, May 22, 2011 at 2:54 p.m. UTC
thank you so much Jeremy.. It is an excellent introductory config to understand basics of mpls. You are great..!

Selasi (guest) commented on Monday, June 20, 2011 at 7:07 p.m. UTC
Thanks Jeremy. This example has really helped me understand the concept even further. Writing BGP+MPLS in 3 weeks. Wish me well!

USvpn (guest) commented on Thursday, October 6, 2011 at 6:07 a.m. UTC
Your network topology looks great. Thank you for sharing this.

A guest commented on Friday, November 4, 2011 at 2:35 p.m. UTC
great post Jeremy,
but my doubt is how can I improve the using MPLS VPNs,
I am Brazilian and my CBT is on this issue, and I'm still "raw"
regarding the issue, I would like your help.

waleed143 commented on Friday, January 13, 2012 at 6:48 p.m. UTC
dear Jeremy Stretch
Thanks for your awesome scenario. but 1 thing is missing, I was working on this topology for 4 to 5 hours but my VRF sites was not able to communicate with each other and you said on this scenario that
will generate automatically, but I didn't, then I contacted with my friend he told that put that command manually then it worked.

Sastrt (guest) commented on Tuesday, January 24, 2012 at 8:04 p.m. UTC
Simply superb!!! Thanks for your post...

pswolfwind commented on Saturday, March 3, 2012 at 3:47 a.m. UTC