
Saturday, September 21, 2019

Configuring MPLS L3 VPN with PE-CE BGP

This post describes, step by step, how an MPLS L3 VPN can be built.
IP addresses follow the format 192.168.xy.x/24, where x and y are router numbers counted from the bottom left: CE1 is router 1, PE1 is router 2, P-CORE is router 3, and so on.

CE1: E0/0 - 192.168.12.1/24

PE1
E0/0 - 192.168.12.2/24
E0/1 - 192.168.23.2/24

P-CORE
E0/0 - 192.168.23.3/24
E0/1 - 192.168.34.3/24

PE2
E0/0 - 192.168.34.4/24
E0/1 - 192.168.45.4/24

CE2: E0/0 - 192.168.45.5/24

SP-CORE in the diagram is the ISP network which runs MPLS. PE stands for Provider Edge and CE stands for Customer Edge. Green circles represent 2 sites of the same customer.

Let's assume the ISP's BGP AS is 100 and the customer's AS is 200.

The following loopback interfaces are also configured on the routers.

CE1 Loopback 0 : 1.1.1.1/24
PE1 Loopback 0 : 2.2.2.2/32
P-CORE Loopback 0 : 3.3.3.3/24
PE2 Loopback 0 : 4.4.4.4/32
CE2 Loopback 0 : 5.5.5.5/24

iBGP peerings that exchange VPNv4 routes must be sourced from a /32 loopback interface. This is a special requirement because the loopback address becomes the BGP next-hop address for VPNv4 routes, and a /32 guarantees that the Label Switched Path terminates on a router (not a network segment).

The final result of the VPN must be that CE1 and CE2 exchange their loopback interface routes with each other.

The steps are as follows.

1. Configure IGP in SP-CORE
2. Configure MPLS in SP-CORE
3. Configure VRFs on PE routers
4. Configure iBGP between PE routers
5. Configure eBGP between PE and CE routers

1. Configure IGP in SP-CORE

Let's use OSPF. It can be any IGP, but because OSPF is well known and works well with MPLS, let's go with it.

PE1(config)#router ospf 100
PE1(config-router)#network 2.2.2.0 0.0.0.255 area 0
PE1(config-router)#network 192.168.23.0 0.0.0.255 area 0

P-CORE(config)#router ospf 100
P-CORE(config-router)#network 3.3.3.0 0.0.0.255 area 0
P-CORE(config-router)#network 192.168.23.0 0.0.0.255 area 0
P-CORE(config-router)#network 192.168.34.0 0.0.0.255 area 0

PE2(config)#router ospf 100
PE2(config-router)#network 4.4.4.0 0.0.0.255 area 0
PE2(config-router)#network 192.168.34.0 0.0.0.255 area 0

2. Configure MPLS in SP-CORE

Because we chose OSPF, only one command under the OSPF process is needed to configure MPLS.

PE1(config)#router ospf 100
PE1(config-router)#mpls ldp autoconfig 

P-CORE(config)#router ospf 100
P-CORE(config-router)#mpls ldp autoconfig 

PE2(config)#router ospf 100
PE2(config-router)#mpls ldp autoconfig

3. Configure VRFs on PE routers

Let's create the VRF CUSTOMER-01 for this customer and assign it a Route Distinguisher of 100:1.
The route distinguisher is needed to identify which VRF a route belongs to when the multi-protocol BGP address families are configured later.

Route targets must also be configured so that routes are imported and exported at the PE ends.

PE1(config)#ip vrf CUSTOMER-01
PE1(config-vrf)#rd 100:1
PE1(config-vrf)#route-target export 1:1    
PE1(config-vrf)#route-target import 2:2

PE2(config)#ip vrf CUSTOMER-01
PE2(config-vrf)#rd 100:1
PE2(config-vrf)#route-target import 1:1 
PE2(config-vrf)#route-target export 2:2

The interfaces connecting to the customer routers must also be assigned to the VRF.

PE1(config)#int e0/0
PE1(config-if)#ip vrf forwarding CUSTOMER-01

PE2(config)#int e0/1
PE2(config-if)#ip vrf forwarding CUSTOMER-01
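
Route targets are what keep one customer's routes out of another customer's VRF, so it is worth checking the import/export pairs before BGP is turned on. The following is an added example, not part of the original post: it parses `ip vrf` blocks and lists which VRF imports which exports. The CUSTOMER-01 blocks are the commands above; CUSTOMER-02 and its mistyped import target are constructed for illustration.

```python
import re

# Constructed sample: CUSTOMER-01 is the page's step 3 configuration;
# CUSTOMER-02 is a hypothetical second tenant with a mistyped import target.
CONFIGS = {
    "PE1": """
ip vrf CUSTOMER-01
 rd 100:1
 route-target export 1:1
 route-target import 2:2
""",
    "PE2": """
ip vrf CUSTOMER-01
 rd 100:1
 route-target import 1:1
 route-target export 2:2
ip vrf CUSTOMER-02
 rd 100:2
 route-target export 3:3
 route-target import 1:1
""",
}

def parse_vrfs(pe, text):
    """Return {(pe, vrf): {"import": set, "export": set}} from 'ip vrf' blocks."""
    vrfs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            current = vrfs.setdefault((pe, m.group(1)), {"import": set(), "export": set()})
        elif current is not None and (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
            dirs = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for d in dirs:
                current[d].add(m.group(2))
    return vrfs

def route_flows(configs):
    """(src_pe, src_vrf, dst_pe, dst_vrf, rt) for every exported RT that another VRF imports."""
    vrfs = {}
    for pe, text in configs.items():
        vrfs.update(parse_vrfs(pe, text))
    return [(spe, svrf, dpe, dvrf, rt)
            for (spe, svrf), src in vrfs.items()
            for (dpe, dvrf), dst in vrfs.items()
            if (spe, svrf) != (dpe, dvrf)
            for rt in sorted(src["export"] & dst["import"])]

def cross_vrf_leaks(configs):
    """Flows between differently named VRFs: review each one as a possible tenant leak."""
    return [f for f in route_flows(configs) if f[1] != f[3]]
```

With the sample above, `cross_vrf_leaks(CONFIGS)` reports that CUSTOMER-02 on PE2 would receive CUSTOMER-01's routes from PE1. A cross-VRF import can be intentional (shared services), so the result is a list to review, not an error by itself.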

4. Configure iBGP between PE routers

iBGP is used to exchange the routes between the PE routers. Let's first create the neighbor relationship using straightforward plain BGP commands.

PE1(config)#router bgp 100
PE1(config-router)#neighbor 4.4.4.4 remote-as 100   
PE1(config-router)#neighbor 4.4.4.4 update-source l0

PE2(config)#router bgp 100
PE2(config-router)#neighbor 2.2.2.2 remote-as 100   
PE2(config-router)#neighbor 2.2.2.2 update-source l0

If everything went well, you will see the iBGP neighbors coming up. For customer routes to go through the MPLS core, they must be VPNv4 routes, which have their own address family.
Let's create this address family and activate it for the iBGP neighbor.

PE1(config-router)#address-family vpnv4 unicast
PE1(config-router-af)#neighbor 4.4.4.4 activate 

PE2(config-router)#address-family vpnv4 unicast 
PE2(config-router-af)#neighbor 2.2.2.2 activate

Now the BGP configuration will look like the following..

As you can see, extended-community will be sent automatically when we enable a VPNv4 address family.

This command must be present for the MPLS L3 VPN to work.



Now if you view the BGP table of the VRF CUSTOMER-01, you will notice that the next hop has changed to 4.4.4.4, which is not normal for iBGP updates. Normally iBGP neighbors don't update the next-hop IP, which is why we use the next-hop-self command. VPNv4 routing is an exception, as the next hop should be where the tunnel ends/starts.



Since the neighbor relationship between the PE routers is created automatically for the IPv4 address family, and it is not needed in SP-CORE, we should stop IPv4 route exchange with the iBGP neighbor. The following configuration does that.

PE1(config)#router bgp 100
PE1(config-router)# address-family ipv4
PE1(config-router-af)#no neighbor 4.4.4.4 activate

PE2(config)#router bgp 100
PE2(config-router)# address-family ipv4
PE2(config-router-af)#no neighbor 2.2.2.2 activate

Now the BGP configuration will look like this..

5. Configure eBGP between PE and CE routers

Now the last thing to configure is the eBGP peering between the customer edge and provider edge routers.
On the PE routers, these routes must come from an IPv4 address family defined for the VRF.

PE1(config)#router bgp 100
PE1(config-router)#address-family ipv4 vrf CUSTOMER-01
PE1(config-router-af)#neighbor 192.168.12.1 remote-as 200

PE2(config)#router bgp 100
PE2(config-router)#address-family ipv4 vrf CUSTOMER-01
PE2(config-router-af)#neighbor 192.168.45.5 remote-as 200

Now let's configure eBGP on the CE routers. Because this VPN connects 2 locations of the same customer, the BGP AS is the same on both. So we have to override the BGP loop prevention mechanism, which rejects routes that carry the router's own AS in the AS path, by entering the special command allowas-in.

CE1(config)#router bgp 200
CE1(config-router)#neighbor 192.168.12.2 remote-as 100
CE1(config-router)#network 1.1.1.0 mask 255.255.255.0
CE1(config-router)#neighbor 192.168.12.2 allowas-in

CE2(config)#router bgp 200
CE2(config-router)#neighbor 192.168.45.4 remote-as 100
CE2(config-router)#network 5.5.5.0 mask 255.255.255.0
CE2(config-router)#neighbor 192.168.45.4 allowas-in
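
The loop check that allowas-in relaxes can be traced with the AS numbers used in this post. The following is an added example, not part of the original post: it builds the AS_PATH that CE2 receives for 1.1.1.0/24 and shows why the occurrence count matters. The looped path is constructed for illustration, and the default of 3 is the count IOS applies when allowas-in is entered without a number.

```python
DEFAULT_ALLOWAS_IN = 3  # IOS uses 3 when "allowas-in" is entered without a count

def ebgp_send(as_path, sender_as):
    """An eBGP speaker prepends its own AS when advertising to an external peer."""
    return [sender_as] + as_path

def accepts(as_path, local_as, allowas_in=0):
    """Receiver-side loop check: reject if the local AS occurs more often than allowed."""
    return as_path.count(local_as) <= allowas_in

def ce1_route_at_ce2():
    """AS_PATH of 1.1.1.0/24 as CE2 receives it in this post's topology."""
    path = ebgp_send([], 200)       # CE1 (AS 200) -> PE1
    # PE1 -> PE2 is iBGP inside AS 100, so the AS_PATH is unchanged
    return ebgp_send(path, 100)     # PE2 (AS 100) -> CE2

def tightest_allowas_in(legit_paths, local_as):
    """Smallest allowas-in count that still accepts every legitimate path."""
    return max(p.count(local_as) for p in legit_paths)

# Constructed path that really has passed through AS 200 twice (a genuine loop).
LOOPED_PATH = [100, 200, 300, 200]

def compare_counts():
    """Accept/reject results for the site route and the looped path at two settings."""
    site = ce1_route_at_ce2()
    return {
        "site_no_allowas_in": accepts(site, 200),
        "site_default": accepts(site, 200, DEFAULT_ALLOWAS_IN),
        "loop_default": accepts(LOOPED_PATH, 200, DEFAULT_ALLOWAS_IN),
        "loop_count_1": accepts(LOOPED_PATH, 200, 1),
    }
```

The site route contains AS 200 only once, so `neighbor ... allowas-in 1` is enough for this topology and still rejects the looped path, which the default count would accept.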

