Cisco MPLS VPN

By | May 6, 2012

In this post we will cover MPLS VPN using the following digram.

We have a customer with 2 different sites. We need to creat an MPLS VPN so that site A and site B can share routes. We will be using EIGRP between the 2 sites and between the CE and PE. We will be running OSFP in our provider network. We will need to run multi protocol BGP between PE1 and PE2. The first thing to do is to create the loopback interfaces and set up OSPF on our provider routers.

PE1
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 network 2.2.2.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
!
P
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 network 3.3.3.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
 network 192.168.34.0 0.0.0.255 area 0
!
PE2
!
interface Loopback1
 ip address 4.4.4.4 255.255.255.0
 ip ospf network point-to-point
!
router ospf 1
 network 4.4.4.0 0.0.0.255 area 0
 network 192.168.34.0 0.0.0.255 area 0
!

Now we have configured OSPF in our provider network we need to enable MPLS.

PE1
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 mpls ip
!
P
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
 mpls ip
!
interface FastEthernet0/1
 ip address 192.168.34.3 255.255.255.0
 mpls ip
!
PE2
!
interface FastEthernet0/1
 ip address 192.168.34.4 255.255.255.0
 mpls ip
!

Now we are running MPLS Frame mode using LDP on our service provider network. Its now time to create a VRF for the Customer . Virtual route forwarding (VRF) is basically like having another routing table. Each of these tables are private and are not shared with each other. You can have multiple instances of VRF’s running on your router.

PE1
!
ip vrf CUS
 rd 100:1
 route-target export 1:100
 route-target import 1:100
!
PE2
!
ip vrf CUS
 rd 100:1
 route-target export 1:100
 route-target import 1:100
!

The rd (route distinguisher) is a ways of distinguishing between different customer routes. Route Target allows you to export routes from a VRF and import them in to a different VRF. Route Targets are added as a tag to the BGP NLRI in the BGP community. Now we have created the VRF we need to add them to the correct interface

PE1
!
interface FastEthernet0/0
 ip vrf forwarding CUS
 ip address 192.168.12.2 255.255.255.0
!
PE2
!
interface FastEthernet0/0
 ip vrf forwarding CUS
 ip address 192.168.45.4 255.255.255.0
!

Now we need to configure EIGRP on the CE routers

CE1A
!
router eigrp 100
 network 1.1.1.0 0.0.0.255
 network 192.168.12.0
 no auto-summary
!
CE1B
!
router eigrp 100
 network 5.5.5.0 0.0.0.255
 network 192.168.45.0
 no auto-summar
!

Now we have set up EIGRP on the CE routers we need to configure EIGRP on the PE routers. We need to do this under the VRF process using the address-family command.

PE1
!
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf CUS
  network 192.168.12.0
  no auto-summary
  autonomous-system 100
 exit-address-family
!
PE2
!
router eigrp 1
 auto-summary
 !
 address-family ipv4 vrf CUS
  network 192.168.45.0
  no auto-summary
  autonomous-system 100
 exit-address-family
!

Now we have configured EIGRP on the PE routers and the CE routers its now time to check the connections

We can see that the ping to CE1A has failed. If we remember that we are using a VRF and the VRF process is separate from the global routing table. Therefore if we simply need to ping it using the correct VRF (ping VRF <vrf name>).

We can now see that the ping to CE1A has been successful and we have reachability. Its now time to configure BGP for the PE routers.

PE1
!
router bgp 6500
neighbor 4.4.4.4 remote-as 6500
neighbor 4.4.4.4 update-source Loopback1
no auto-summary
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
exit-address-family
!
PE2
!
router bgp 6500
 no synchronization
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 6500
 neighbor 2.2.2.2 update-source Loopback1
 no auto-summary
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
 exit-address-family
 !

We now have setup BGP between the PE routers. We have also configured BGP to send the Community under the VPNv4 process. We now need to redistribute EIGRP routes into BGP and BGP back into EIGRP. This is done under the address family section of BGP and EIGRP.

PE1
!
router eigrp 1
 !
 address-family ipv4 vrf CUS
  redistribute bgp 6500 metric 1500 4000 200 12 1500
 exit-address-family
!
router bgp 6500
 !
 address-family ipv4 vrf CUS
  redistribute eigrp 100
 exit-address-family
!
PE2
!
router eigrp 1
 !
 address-family ipv4 vrf CUS
  redistribute bgp 6500 metric 1500 4000 255 150 1500
 exit-address-family
!
router bgp 6500
 !
 address-family ipv4 vrf CUS
  redistribute eigrp 100
 exit-address-family
!

Now we have redistributed the routes we now need to check if CE1A has the routes to get to router CE1B’s loopback.

We can see we have learnt 2 EIGRP routes from our neighbour. Now we will try a ping to the loopback address 5.5.5.5 that is on CE1B.

We can see we have a 100% success rate. Now we will check the routing table of the P router to make sure this VRF is private.

We can see the P router does not have a route to the 5.5.5.0 network and it can get there via a ping. Lets to a traceroute from the CE1A router to the CE1B router to see how the packets are going across.

We can see as the route goes across the network it has 2 labels put on it. The first is the label for the provider network (16) and the second is the label for the VPN(19). We can see this on the PE1 router

To get the 5.5.5.0 network we need to at labels 16 and 19. Having a look at the forwarding table on PE1 we can see that the tag 16 is for the loopback of PE2

We have successfully created and verified an MPLS VPN.