Thursday, August 11, 2011

Configuring MPLS L3VPNs

Imagine Site A-1 is in Georgia, A-2 is in Illinois and A-3 is in New York. Full connectivity between all Site A-#s is required. What are our options? Well, you can do a full mesh VPN, and using the formula n(n-1)/2, where n is the # of sites, you can see that we would need to build 6 static VPN tunnels -- needless to say, static tunnels are time consuming and do not scale well. Or you can set up DMVPN (Cisco proprietary), which would lessen the work. Or, as an ISP, we can provide MPLS VPN and the customers won't have to do ANYTHING, which is just the way they usually like it. Customer Site A-#s and Customer Site B-#s can all be VPN'd together appropriately and transparently using MPLS.


Consider the topology below.


Objective:
Configure R1 and R2 to support MPLS/OSPF/BGP
Configure the appropriate VRFs on R1 and R2
All Site A routers (R3, R4 and R7) should all be able to transparently ping all Site-A#s loopbacks
All Site B routers (R5 and R6) should all be able to transparently ping all Site-B#s loopbacks
Site A routers (R3, R4, R7) should not be able to ping Site B routers (R5 and R6) and vice-versa

Relevant configurations are posted below. So let's jump right into the complex world of MPLS!!

First thing we need to do is build the ISP MPLS CORE and let's assume that R1 and R2 are geographically dispersed but they are connected together via fiber.

Enable CEF and MPLS on R1 and R2.

R1#conf t
R1(config)#mpls ip
R1(config)#ip cef

R2#conf t
R2(config)#mpls ip
R2(config)#ip cef

Now let's create VRFs for Site A and Site B with a route distinguisher and route-target so we can control importing and exporting. We will save inter-vrf route leaking for another blogtorial :)

R1#sh run | sec ip vrf
ip vrf SITE_A
 rd 1:100
 route-target export 1:1000
 route-target import 1:1000
ip vrf SITE_B
 rd 1:200
 route-target export 1:2000
 route-target import 1:2000

R2#sh run | sec ip vrf
ip vrf SITE_A
 rd 1:100
 route-target export 1:1000
 route-target import 1:1000
ip vrf SITE_B
 rd 1:200
 route-target export 1:2000
 route-target import 1:2000
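
As an added example (not part of the original post): a short Python check that parses the ip vrf stanzas above and reports any VRF whose exported route-target is imported by a differently named VRF on either PE, which is the condition that would break the Site A / Site B separation in the objective. It assumes the same VRF name on both PEs means the same customer; the function names are made up for this illustration.

```python
import re

# VRF stanzas copied from the R1/R2 output above.
R1_CFG = """\
ip vrf SITE_A
 rd 1:100
 route-target export 1:1000
 route-target import 1:1000
ip vrf SITE_B
 rd 1:200
 route-target export 1:2000
 route-target import 1:2000
"""
R2_CFG = R1_CFG  # R2 carries identical VRF definitions on this page

def parse_vrfs(cfg):
    """Return {vrf_name: {"export": set, "import": set}} from IOS 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"ip vrf (\S+)\s*$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the VRF stanza
            continue
        m = re.match(r"\s+route-target (export|import|both) (\S+)", line)
        if m and current is not None:
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs

def cross_vrf_leaks(pe_configs):
    """List (src_pe, src_vrf, dst_pe, dst_vrf, shared_rts) where routes exported by
    one VRF are imported by a differently named VRF (assumption: name == customer)."""
    flat = [(pe, name, rts) for pe, cfg in pe_configs.items()
            for name, rts in parse_vrfs(cfg).items()]
    leaks = []
    for src_pe, src_name, src in flat:
        for dst_pe, dst_name, dst in flat:
            shared = src["export"] & dst["import"]
            if shared and src_name != dst_name:
                leaks.append((src_pe, src_name, dst_pe, dst_name, sorted(shared)))
    return leaks

if __name__ == "__main__":
    # The page's configuration keeps SITE_A and SITE_B apart, so this prints [].
    print(cross_vrf_leaks({"R1": R1_CFG, "R2": R2_CFG}))
```

Running the same check against configurations pulled from every PE before and after a change gives a quick test that no import statement has quietly joined two customers' VPNs.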

Next on our list is to get the interfaces configured with the proper VRFs and IP addresses. As you can see from the topology, S1/0 on R1 and S1/0 and S1/2 on R2 belong to Site-A. S1/1 on R1 and S1/1 on R2 belong to Site-B.

R1#sh run int ser1/0
interface Serial1/0
 description Connected to R3
 ip vrf forwarding SITE_A
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 mpls ip

R1#sh run int se 1/1
interface Serial1/1
 description Connected to R6
 ip vrf forwarding SITE_B
 ip address 172.16.1.1 255.255.255.0
 encapsulation ppp
 mpls ip

R2#sh run int ser 1/0
interface Serial1/0
 description Connected to R4
 ip vrf forwarding SITE_A
 ip address 10.2.2.2 255.255.255.0
 encapsulation ppp
 mpls ip
 serial restart-delay 0
end

R2#sh run int se1/1
interface Serial1/1
 description Connected to R5
 ip vrf forwarding SITE_B
 ip address 172.16.2.2 255.255.255.0
 encapsulation ppp
 mpls ip
 serial restart-delay 0
end

R2#sh run int se1/2
interface Serial1/2
 description Connected to R7
 ip vrf forwarding SITE_A
 ip address 10.3.3.2 255.255.255.0
 encapsulation ppp
 mpls ip
 serial restart-delay 0
end

The next step on our list is to get all the remote routers (R3, R4, R5, R6, R7) ready. These can be CE (Customer Edge) or could just be CPE (Customer Premises Equipment).

R3#sh run int ser1/0
interface Serial1/0
 description Connected to R1
 ip address 10.1.1.3 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
end


R3#sh run int loopback 0
interface Loopback0
 description Loopback emulating a LAN
 ip address 192.168.3.3 255.255.255.0
end

R4#sh run int ser 1/0
interface Serial1/0
 description Connected to R2
 ip address 10.2.2.4 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
end

R4#sh run int loopback 0
interface Loopback0
 description Loopback emulating a LAN
 ip address 192.168.4.4 255.255.255.0
end

R5#sh run int ser 1/0
interface Serial1/0
 description Connected to R2
 ip address 172.16.2.5 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
end

R5#sh run int loopback 0
interface Loopback0
 description Loopback emulating a LAN
 ip address 192.168.5.5 255.255.255.0
end

R6#sh run int ser 1/0
interface Serial1/0
 description Connected to R1
 ip address 172.16.1.6 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
end

R6#sh run int loopback 0
interface Loopback0
 description Loopback emulating a LAN
 ip address 192.168.6.6 255.255.255.0
end

R7#sh run int ser 1/0
interface Serial1/0
 description Connected to R2
 ip address 10.3.3.7 255.255.255.0
 encapsulation ppp
 serial restart-delay 0
end

R7#sh run int loopback 0
interface Loopback0
 description Loopback emulating a LAN
 ip address 192.168.7.7 255.255.255.0
end

Alright, now that we have our MPLS core and interfaces up, let's get MP-BGP configured so we can finally see it all come together.

First let's get R1 and R2 configured, then we will do the rest of the routers. NOTE: Occasionally the remote routers won't support BGP. In that case, deploy a CE router to connect to the CPE and either use static routing or an IGP (OSPF, EIGRP etc.), and use BGP between the CE and the PE (Provider Edge).

R1#sh run | sec bgp
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.2 activate
  neighbor 1.1.1.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf SITE_B
  redistribute connected
  neighbor 172.16.1.6 remote-as 65006
  neighbor 172.16.1.6 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf SITE_A
  redistribute connected
  neighbor 10.1.1.3 remote-as 65003
  neighbor 10.1.1.3 activate
  no synchronization
 exit-address-family

R2#sh run | sec bgp
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 1
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf SITE_B
  redistribute connected
  neighbor 172.16.2.5 remote-as 65005
  neighbor 172.16.2.5 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf SITE_A
  redistribute connected
  neighbor 10.2.2.4 remote-as 65004
  neighbor 10.2.2.4 activate
  neighbor 10.3.3.7 remote-as 65007
  neighbor 10.3.3.7 activate
  no synchronization
 exit-address-family
R2#


Now let's finish up the configurations on the remote routers. 

R3#sh run | sec bgp
router bgp 65003
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.1.1.1 remote-as 1
 no auto-summary

R4#sh run | sec bgp
router bgp 65004
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.2.2.2 remote-as 1
 no auto-summary

R5#sh run | sec bgp
router bgp 65005
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 172.16.2.2 remote-as 1
 no auto-summary

R6#sh run | sec bgp
router bgp 65006
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 172.16.1.1 remote-as 1
 no auto-summary

R7#sh run | sec bgp
router bgp 65007
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.3.3.2 remote-as 1
 no auto-summary


Whew!! That's it. Now let's verify. 

show mpls forwarding-table vrf SITE_A and SITE_B
Make sure all the VRFs are up and the correct interfaces are associated with them.



Verify MP-BGP.

Let's see if R3 on Site A-1 can ping A-2 and A-3, verify that we are indeed using MPLS, and also see if we have connectivity with Site B-#s.

Notice traceroute shows MPLS tags :) and I can now ping Site B-#
At this point we are now talking between sites using MPLS. Scaling with MPLS is easy: all we have to do is bring up another interface and get it in the right VRF and BGP. All other sites dynamically learn the routes. We will save inter-VRF route leaking and route leaking between the global routing table and VRFs for another blogtorial.
