Basic MPLS VPN Lab

This lab was taken from gns3vault.com.

Goal

  1. Configure a loopback0 interface on each router:
    • HQ: 1.1.1.1 /25
    • SP1: 2.2.2.2 /25
    • SP2: 3.3.3.3 /25
    • SP3: 4.4.4.4 /25
    • BRANCH: 5.5.5.5 /25
  2. Configure OSPF Area 0 at the provider side (Router P, PE1 and PE2).
  3. Advertise the loopback interfaces as well in OSPF.
  4. Ensure you have full reachability in the OSPF domain.
  5. Configure MPLS on all physical interfaces in the service provider domain. Do not configure MPLS on physical interfaces pointing towards the customer.
  6. Force MPLS to use the loopback interface as router-id.
  7. Configure VRF "customer" on PE1 and PE3 as follows:
    • RD 100:1
    • Route-target both 1:100
  8. On router PE1 and PE3 add the interfaces pointing towards the customer to the VRF you just created.
  9. Ensure you can ping from within the VRF. Try this as follows on PE1:
    • ping vrf customer 192.168.12.1
  10. Configure EIGRP AS 100 on router HQ and Branch. Advertise the loopbacks as well. Disable EIGRP auto-summary.
  11. Configure EIGRP on router PE1 and PE3 for the correct VRF "customer".
  12. Ensure you have established an EIGRP neighbor relationship between Router HQ and PE1, and between PE3 and Branch.
  13. See if you have learned routes by using "show ip route vrf customer".
  14. Configure BGP AS 1 between Router PE1 and PE3, make sure updates are sourced from the loopback interface.
  15. Configure the correct BGP address families and make sure communities are sent between neighbors.
  16. Redistribute EIGRP into BGP, use the correct address-family for the VRF "customer".
  17. Redistribute the information from BGP back into EIGRP, use the following metrics:
    • bandwidth: 64kbps
    • delay: 1000
    • reliability: 255
    • load: 1
    • MTU: 1500
  18. Ensure you have full connectivity between router HQ and Branch. You should see each other's EIGRP routes that have been carried over the service provider's MPLS backbone.
  19. Optional: Replace the Customer's EIGRP with OSPF / RIP or BGP and achieve the same result.

Topology

Configuration

1

HQ(config)#int l0
HQ(config-if)#ip add 1.1.1.1 255.255.255.128

PE1(config)#int l0
PE1(config-if)#ip add 2.2.2.2 255.255.255.128
PE1(config-if)#ip ospf network point-to-point

P(config)#int l0
P(config-if)#ip add 3.3.3.3 255.255.255.128
P(config-if)#ip ospf network point-to-point

PE2(config)#int l0
PE2(config-if)#ip add 4.4.4.4 255.255.255.128
PE2(config-if)#ip ospf network point-to-point

BRANCH(config)#int l0
BRANCH(config-if)#ip add 5.5.5.5 255.255.255.128

2 and 3

PE1(config)#router ospf 1
PE1(config-router)#net 192.168.23.2 0.0.0.0 area 0
PE1(config-router)#net 2.2.2.2 0.0.0.0 area 0

P(config)#router ospf 1
P(config-router)#net 3.3.3.3 0.0.0.0 area 0
P(config-router)#net 192.168.23.3 0.0.0.0 area 0
P(config-router)#net 192.168.34.3 0.0.0.0 area 0

PE2(config)#router ospf 1
PE2(config-router)#net 4.4.4.4 0.0.0.0 area 0
PE2(config-router)#net 192.168.34.4 0.0.0.0 area 0

4

PE1#ping 3.3.3.3 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/23/32 ms

PE1#ping 4.4.4.4 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/64 ms

P#ping 4.4.4.4 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/36 ms

Pings are successful between all loopbacks.

5

PE1(config)#mpls ip
PE1(config)#int f0/0
PE1(config-if)#mpls ip

P(config)#mpls ip
P(config)#int f0/0
P(config-if)#mpls ip
P(config)#int f0/0 
P(config-if)#mpls ip

PE2(config)#mpls ip
PE2(config)#int f1/0
PE2(config-if)#mpls ip

The following command confirms that all Provider routes have been assigned MPLS labels.

P#sh mpls ldp bindings
  tib entry: 2.2.2.0/24, rev 12
        remote binding: tsr: 2.2.2.2:0, tag: imp-null
  tib entry: 2.2.2.2/32, rev 2
        local binding:  tag: 16
        remote binding: tsr: 4.4.4.4:0, tag: 16
  tib entry: 3.3.3.0/24, rev 4
        local binding:  tag: imp-null
  tib entry: 3.3.3.3/32, rev 13
        remote binding: tsr: 2.2.2.2:0, tag: 16
        remote binding: tsr: 4.4.4.4:0, tag: 17
  tib entry: 4.4.4.0/24, rev 15
        remote binding: tsr: 4.4.4.4:0, tag: imp-null
  tib entry: 4.4.4.4/32, rev 6
        local binding:  tag: 17
        remote binding: tsr: 2.2.2.2:0, tag: 17
[...]

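The entries for routes 2.2.2.0/24 and 4.4.4.0/24 show a remote label of implicit null (imp-null). This signals that the advertising router is directly connected to the respective route, so it asks P to pop the label before forwarding the packet to it (penultimate hop popping).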

6

P(config)#mpls ldp router-id l0
PE1(config)#mpls ldp router-id l0
PE2(config)#mpls ldp router-id l0

7

PE1(config)#ip vrf customer
PE1(config-vrf)# rd 100:1
PE1(config-vrf)# route-target both 1:100

This config is identical on both PE routers. The route distinguisher (RD) is prepended to each customer prefix so that possibly overlapping routes from two different customers remain distinct in BGP. The route targets (RT) identify which routes belong to this customer: routes are tagged with the export route target when they leave the VRF, and when routes are pulled from BGP into the peering routing protocol, only routes tagged with the 1:100 route target are imported by VRF customer.
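The RD and RT behaviour described above, modelled as an added example that is not part of the original lab: VPNv4 routes are keyed by RD plus prefix, and a VRF imports by route target, so one wrong import RT pulls another customer's routes in. The second VRF customer_b, its RD 100:2 and RT 2:100, and all function names are assumptions made for illustration.

```python
from collections import namedtuple

# A VPNv4 route as MP-BGP carries it between PEs (illustrative model).
Vpnv4Route = namedtuple("Vpnv4Route", "rd prefix route_targets next_hop")

def vpnv4_table(routes):
    """Key routes by (RD, prefix): equal prefixes with different RDs coexist."""
    return {(r.rd, r.prefix): r for r in routes}

def import_into_vrf(table, import_rts):
    """Routes a VRF accepts: any route sharing at least one RT with its import list."""
    wanted = set(import_rts)
    return sorted(key for key, r in table.items() if wanted & set(r.route_targets))

def cross_customer_imports(table, vrfs, rt_owner):
    """Report (vrf, prefix, rt) where a VRF imports an RT owned by another customer."""
    findings = []
    for name, cfg in vrfs.items():
        for r in table.values():
            for rt in set(cfg["import"]) & set(r.route_targets):
                if rt_owner[rt] != cfg["owner"]:
                    findings.append((name, r.prefix, rt))
    return sorted(findings)

# Constructed sample: the lab's VRF plus a hypothetical second customer whose
# LAN overlaps 192.168.12.0/24.
ROUTES = [
    Vpnv4Route("100:1", "1.1.1.0/24", ("1:100",), "2.2.2.2"),
    Vpnv4Route("100:1", "192.168.12.0/24", ("1:100",), "2.2.2.2"),
    Vpnv4Route("100:2", "192.168.12.0/24", ("2:100",), "2.2.2.2"),
]
RT_OWNER = {"1:100": "customer", "2:100": "customer_b"}
VRFS_OK = {
    "customer": {"owner": "customer", "import": ["1:100"]},
    "customer_b": {"owner": "customer_b", "import": ["2:100"]},
}
# Same VRFs, but customer_b also imports 1:100 (a typo-level mistake).
VRFS_BAD = {**VRFS_OK, "customer_b": {"owner": "customer_b", "import": ["2:100", "1:100"]}}

if __name__ == "__main__":
    table = vpnv4_table(ROUTES)
    print(len(table), "VPNv4 routes")
    print("customer imports:", import_into_vrf(table, ["1:100"]))
    print("ok :", cross_customer_imports(table, VRFS_OK, RT_OWNER))
    print("bad:", cross_customer_imports(table, VRFS_BAD, RT_OWNER))
```
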

8

PE1(config)#int f1/0
PE1(config-if)#ip vrf forwarding customer
% Interface FastEthernet1/0 IP address 192.168.12.2 removed due to enabling VRF customer
PE1(config-if)#ip add 192.168.12.2 255.255.255.0

PE2(config)#int f0/0
PE2(config-if)#ip vrf forwarding customer
% Interface FastEthernet0/0 IP address 192.168.45.4 removed due to enabling VRF customer
PE2(config-if)#ip add 192.168.45.4 255.255.255.0

Assigning an interface to a VRF removes the IP address from the interface. IOS prints a notification about this as well.
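A check for the interface rules in steps 5 and 8, as an added example rather than part of the original lab: it flags a VRF (customer-facing) interface that has mpls ip enabled or that never had its IP address re-applied after `ip vrf forwarding`. The config text is constructed sample input; the core-link mask, the finding names and the function names are assumptions.

```python
import re

def parse_interfaces(config_text):
    """Split IOS running-config text into {interface_name: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        m = re.match(r"^interface\s+(\S+)", raw)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any top-level command ends the stanza
    return stanzas

def audit(config_text):
    """Return (interface, finding) pairs for interfaces bound to a VRF."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if not any(l.startswith("ip vrf forwarding ") for l in lines):
            continue  # core or loopback interface, not customer-facing
        if "mpls ip" in lines:
            findings.append((name, "mpls-on-customer-interface"))
        if not any(l.startswith("ip address ") for l in lines):
            findings.append((name, "vrf-interface-without-address"))
    return findings

# Constructed sample modelled on PE1 in this lab.
PE1_GOOD = """\
interface Loopback0
 ip address 2.2.2.2 255.255.255.128
!
interface FastEthernet0/0
 ip address 192.168.23.2 255.255.255.0
 mpls ip
!
interface FastEthernet1/0
 ip vrf forwarding customer
 ip address 192.168.12.2 255.255.255.0
!
"""
# Same config with the address never re-applied and MPLS enabled towards HQ.
PE1_BAD = PE1_GOOD.replace(" ip address 192.168.12.2 255.255.255.0",
                           " no ip address\n mpls ip")

if __name__ == "__main__":
    print(audit(PE1_GOOD))
    print(audit(PE1_BAD))
```
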

9

PE1#ping vrf customer 192.168.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms

This command tells the router to ping the address 192.168.12.1 using the routing information of the customer VRF.

10

HQ(config)#router eigrp 10
HQ(config-router)#net 1.1.1.1 0.0.0.0
HQ(config-router)#net 192.168.12.1 0.0.0.0
HQ(config-router)#no auto

Branch(config)#router eigrp 10
Branch(config-router)#net 5.5.5.5 0.0.0.0
Branch(config-router)#net 192.168.45.5 0.0.0.0
Branch(config-router)#no auto

11 and 12

PE1(config)#router eigrp 1
PE1(config-router)#address-family ipv4 vrf customer
PE1(config-router-af)#autonomous-system 10
PE1(config-router-af)#no auto
PE1(config-router-af)#net 192.168.12.2 0.0.0.0

PE2(config)#router eigrp 1
PE2(config-router)#address-family ipv4 vrf customer
PE2(config-router-af)#autonomous-system 10
PE2(config-router-af)#no auto
PE2(config-router-af)#net 192.168.45.4 0.0.0.0

EIGRP AS 1 is an instance for the general routing table of the router. Under this process, we create the EIGRP instance for the VRF (VPN routing and forwarding instance). It works just like a normal EIGRP config, but it requires the autonomous-system to be set manually. The AS must match the one on the other side of the link (on routers HQ/Branch, AS 10).

13

PE1#sh ip route vrf customer
[...]
C    192.168.12.0/24 is directly connected, FastEthernet1/0
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/156160] via 192.168.12.1, 00:04:18, FastEthernet1/0

This is the routing table of the customer VRF on PE1. It has learned the loopback from HQ.

14

PE1(config)#router bgp 1
PE1(config-router)#neighbor 4.4.4.4 remote-as 1
PE1(config-router)#neighbor 4.4.4.4 next-hop-self
PE1(config-router)#neighbor 4.4.4.4 update-source l0

PE2(config)#router bgp 1
PE2(config-router)#neighbor 2.2.2.2 remote-as 1
PE2(config-router)#neighbor 2.2.2.2 next-hop-self
PE2(config-router)#neighbor 2.2.2.2 update-source l0

15

PE1(config)#router bgp 1
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neighbor 4.4.4.4 activate
PE1(config-router-af)#neighbor 4.4.4.4 send-community both

PE2(config)#router bgp 1
PE2(config-router)#address-family vpnv4
PE2(config-router-af)#neighbor 2.2.2.2 activate
PE2(config-router-af)#neighbor 2.2.2.2 send-community both

This gives BGP the VPN capabilities that are required for MPLS VPNs. The vpnv4 address family carries the customer prefixes together with their Route Distinguisher, and send-community both sends the extended communities that carry the Route Target.

16

PE1(config)#router bgp 1
PE1(config-router)#address-family ipv4 vrf customer
PE1(config-router-af)#redistribute eigrp 10

PE2(config)#router bgp 1
PE2(config-router)#address-family ipv4 vrf customer
PE2(config-router-af)#redistribute eigrp 10

The routes are now redistributed from EIGRP into BGP.

PE1#sh ip route vrf customer

[...]
C    192.168.12.0/24 is directly connected, FastEthernet1/0
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/156160] via 192.168.12.1, 00:13:41, FastEthernet1/0
B    192.168.45.0/24 [200/0] via 4.4.4.4, 00:02:41
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 [200/156160] via 4.4.4.4, 00:02:41

PE1 has now learned the BGP routes transferred from PE2. The 5.5.5.0/24 and 192.168.45.0/24 routes are both reachable through 4.4.4.4, PE2's loopback address. The only thing left is to pull the new routes from BGP into the routing protocol used to peer with the customer.

17

PE1(config)#router eigrp 1
PE1(config-router)#address-family ipv4 vrf customer
PE1(config-router-af)#redistribute bgp 1 metric 64 1000 255 1 1500

PE2(config)#router eigrp 1
PE2(config-router)#address-family ipv4 vrf customer
PE2(config-router-af)#redistribute bgp 1 metric 64 1000 255 1 1500

18

All routes appear on HQ.

[...]
C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
D    192.168.45.0/24 [90/30720] via 192.168.12.2, 00:10:33, FastEthernet0/0
     5.0.0.0/24 is subnetted, 1 subnets
D       5.5.5.0 [90/158720] via 192.168.12.2, 00:10:33, FastEthernet0/0

Pings are successful:

HQ#ping 5.5.5.5 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/83/120 ms

19

OSPF Peering:

PE1(config)#router ospf 10 vrf customer
PE1(config-router)#net 192.168.12.2 0.0.0.0 area 2
PE1(config-router)#redistribute bgp 1 subnets
PE1(config)#router bgp 1
PE1(config-router)#address-family ipv4 vrf customer
PE1(config-router-af)#redistribute ospf 10

OSPF needs a completely new process for a VRF instance, and the VRF is specified with the router command. Everything else is just basic OSPF. The routes must be redistributed into and out of BGP.

BGP Peering:

HQ(config)#router bgp 2
HQ(config-router)#neighbor 192.168.12.2 remote-as 1
HQ(config-router)#network 1.1.1.1 mask 255.255.255.0

PE1(config)#router bgp 1
PE1(config-router)#address-family ipv4 vrf customer
PE1(config-router-af)#neighbor 192.168.12.1 remote-as 2
PE1(config-router-af)#neighbor 192.168.12.1 activate

This configuration is injecting the routes directly into BGP, so there is no need for redistribution.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License