This post is about BGP/MPLS VPN functionality. The basic terminology is described and a scenario with two customers is configured.
In short, the main idea behind BGP/MPLS VPN solutions is to interconnect a customer's locations through an MPLS backbone, while ensuring that a specific customer's networks are not accessible to other organisations.
This is the network topology which will be used in the article :
We have two customers in the scenario:
- Customer_1, which owns the routers R1 and R6
- Customer_2, which owns the routers R2 and R7
There is no cryptography involved - in this scenario VPN means that specific networks/routes are private.
Customer_1 needs the loopback interfaces of R1 and R6 to be able to communicate with each other.
Customer_2 needs the loopback interfaces of R2 and R7 to be able to communicate with each other.
Devices which belong to Customer_1 should not be able to communicate with devices which belong to Customer_2 (the networks/routes are private to each customer).
Customer_1 and Customer_2 devices are connected to the MPLS backbone.
R1, R2, R6, R7 - are called Customer Edge routers (CE routers)
R3, R5 - are called Provider Edge routers (PE routers)
R4 - is called the P router
The configuration is based on Cisco devices (IOS).
The IP addresses are configured on the devices according to the network diagram.
OSPF is configured between R3, R4 and R5 (all devices in area 0). The loopback interfaces of R3 and R5 are added to OSPF. MPLS with default settings is enabled on R3, R4 and R5 (basic MPLS information can be found here: MPLS - Basics).
Corresponding R3 configuration :
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
    !
    interface FastEthernet2/0
     ip address 10.1.34.3 255.255.255.0
     mpls ip
    !
    router ospf 1
     network 3.3.3.3 0.0.0.0 area 0
     network 10.1.34.3 0.0.0.0 area 0
Corresponding R4 configuration :
    !
    interface FastEthernet0/0
     ip address 10.1.34.4 255.255.255.0
     mpls ip
    !
    interface FastEthernet1/0
     ip address 10.1.45.4 255.255.255.0
     mpls ip
    !
    router ospf 1
     network 10.1.34.4 0.0.0.0 area 0
     network 10.1.45.4 0.0.0.0 area 0
Corresponding R5 configuration :
    !
    interface Loopback0
     ip address 5.5.5.5 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 10.1.45.5 255.255.255.0
     mpls ip
    !
    router ospf 1
     network 5.5.5.5 0.0.0.0 area 0
     network 10.1.45.5 0.0.0.0 area 0
Routing table and LFIB information from R4 :
    R4#show ip route | begin Gateway
    Gateway of last resort is not set
         3.0.0.0/32 is subnetted, 1 subnets
    O       3.3.3.3 [110/2] via 10.1.34.3, 02:29:51, FastEthernet0/0
         5.0.0.0/32 is subnetted, 1 subnets
    O       5.5.5.5 [110/2] via 10.1.45.5, 02:29:51, FastEthernet1/0
         10.0.0.0/24 is subnetted, 2 subnets
    C       10.1.45.0 is directly connected, FastEthernet1/0
    C       10.1.34.0 is directly connected, FastEthernet0/0
    R4#show mpls forwarding-table
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    16     Pop tag     3.3.3.3/32        19327      Fa0/0      10.1.34.3
    17     Pop tag     5.5.5.5/32        22687      Fa1/0      10.1.45.5
On routers R3 and R5, two VRF instances were configured (basic information about VRF can be found here: VRF - Basics):
- vr_1 for Customer_1 ; RD 65001:1
- vr_2 for Customer_2 ; RD 65002:1
Interfaces were bound to the proper VRF instances:
- on R3 - Fa0/0 with vr_1 ; Fa1/0 with vr_2
- on R5 - Fa1/0 with vr_1 ; Fa2/0 with vr_2
Corresponding R3 configuration :
    !
    ip vrf vr_1
     rd 65001:1
    !
    ip vrf vr_2
     rd 65002:1
    !
    interface FastEthernet0/0
     ip vrf forwarding vr_1
     ip address 10.1.13.3 255.255.255.0
    !
    interface FastEthernet1/0
     ip vrf forwarding vr_2
     ip address 10.1.23.3 255.255.255.0
Corresponding R5 configuration :
    !
    ip vrf vr_1
     rd 65001:1
    !
    ip vrf vr_2
     rd 65002:1
    !
    interface FastEthernet1/0
     ip vrf forwarding vr_1
     ip address 10.1.56.5 255.255.255.0
    !
    interface FastEthernet2/0
     ip vrf forwarding vr_2
     ip address 10.1.57.5 255.255.255.0
At this point R1 and R6, which belong to Customer_1, are unable to communicate with each other (the same applies to R2 and R7 of Customer_2).
Let's start by setting up the BGP/MPLS VPN between R1 and R6 (communication between R2 and R7 will be configured next):
These are the steps required to enable communication between R1 and R6 :
1. Set up OSPF between R1 and R3 (keeping in mind that VRF instances are present on R3)
2. Set up OSPF between R5 and R6 (keeping in mind that VRF instances are present on R5)
3. Set up BGP on R3 and redistribute OSPF routes (from vrf instance vr_1) into it
4. Set up BGP on R5 and redistribute OSPF routes (from vrf instance vr_1) into it
5. Set up the proper BGP neighborship between R3 and R5
6. Export/import routes from vr_1 on R3
7. Export/import routes from vr_1 on R5
8. On R3, redistribute the proper routes from BGP into OSPF (vrf instance vr_1)
9. On R5, redistribute the proper routes from BGP into OSPF (vrf instance vr_1)
1. Set up OSPF between R1 and R3 (keeping in mind that VRF instances are present on R3)
Added configuration to R1 :
    !
    router ospf 1
     network 1.1.1.1 0.0.0.0 area 0
     network 10.1.13.1 0.0.0.0 area 0
    !
Added configuration to R3 :
    !
    router ospf 2 vrf vr_1
     network 10.1.13.3 0.0.0.0 area 0
After this configuration, the route from R1 is present on R3 (in vrf instance vr_1) :
    R3#show ip route vrf vr_1 | begin Gateway
    Gateway of last resort is not set
         1.0.0.0/32 is subnetted, 1 subnets
    O       1.1.1.1 [110/2] via 10.1.13.1, 00:01:17, FastEthernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.13.0 is directly connected, FastEthernet0/0
2. Set up OSPF between R5 and R6 (keeping in mind that VRF instances are present on R5)
Added configuration to R6 :
    !
    router ospf 1
     network 6.6.6.6 0.0.0.0 area 0
     network 10.1.56.6 0.0.0.0 area 0
Added configuration to R5 :
    !
    router ospf 2 vrf vr_1
     network 10.1.56.5 0.0.0.0 area 0
After this configuration, the route from R6 is present on R5 (in vrf instance vr_1) :
    R5#show ip route vrf vr_1 | begin Gateway
    Gateway of last resort is not set
         6.0.0.0/32 is subnetted, 1 subnets
    O       6.6.6.6 [110/2] via 10.1.56.6, 00:01:47, FastEthernet1/0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.56.0 is directly connected, FastEthernet1/0
3. Set up BGP on R3 and redistribute OSPF routes (from vrf instance vr_1) into it
Added configuration to R3 :
    !
    router bgp 65003
     no synchronization
     no auto-summary
     !
     address-family ipv4 vrf vr_1
      redistribute ospf 2 vrf vr_1
      no synchronization
At this point the routes from R1 are present in BGP on R3:
    R3#show ip bgp vpnv4 all | begin Network
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 65001:1 (default for vrf vr_1)
    *> 1.1.1.1/32       10.1.13.1                2         32768 ?
    *> 10.1.13.0/24     0.0.0.0                  0         32768 ?
4. Set up BGP on R5 and redistribute OSPF routes (from vrf instance vr_1) into it
Added configuration to R5 :
    router bgp 65003
     no synchronization
     no auto-summary
     !
     address-family ipv4 vrf vr_1
      redistribute ospf 2 vrf vr_1
      no synchronization
    !
At this point the routes from R6 are present in BGP on R5:
    R5#show ip bgp vpnv4 all | begin Network
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 65001:1 (default for vrf vr_1)
    *> 6.6.6.6/32       10.1.56.6                2         32768 ?
    *> 10.1.56.0/24     0.0.0.0                  0         32768 ?
5. Set up the proper BGP neighborship between R3 and R5
Added configuration to R3 :
    !
    router bgp 65003
     neighbor 5.5.5.5 remote-as 65003
     neighbor 5.5.5.5 update-source Loopback0
     !
     address-family vpnv4
      neighbor 5.5.5.5 activate
      neighbor 5.5.5.5 send-community extended
Added configuration to R5 :
    !
    router bgp 65003
     neighbor 3.3.3.3 remote-as 65003
     neighbor 3.3.3.3 update-source Loopback0
     !
     address-family vpnv4
      neighbor 3.3.3.3 activate
      neighbor 3.3.3.3 send-community extended
At this point, R3 and R5 are "prepared" to exchange routes from vrf instance vr_1 (but the exchange is not taking place yet).
6. Export/import routes from vr_1 on R3
Added configuration to R3 :
    !
    ip vrf vr_1
     route-target export 65001:1
     route-target import 65001:1
7. Export/import routes from vr_1 on R5
Added configuration to R5 :
    !
    ip vrf vr_1
     route-target export 65001:1
     route-target import 65001:1
At this point (after completing steps 6 and 7), routes from vrf instance vr_1 are exchanged between the BGP neighbors R3 and R5.
    R3#show ip bgp vpnv4 all | begin Network
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 65001:1 (default for vrf vr_1)
    *> 1.1.1.1/32       10.1.13.1                2         32768 ?
    *>i6.6.6.6/32       5.5.5.5                  2    100      0 ?
    *> 10.1.13.0/24     0.0.0.0                  0         32768 ?
    *>i10.1.56.0/24     5.5.5.5                  0    100      0 ?
    R5#show ip bgp vpnv4 all | begin Network
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 65001:1 (default for vrf vr_1)
    *>i1.1.1.1/32       3.3.3.3                  2    100      0 ?
    *> 6.6.6.6/32       10.1.56.6                2         32768 ?
    *>i10.1.13.0/24     3.3.3.3                  0    100      0 ?
    *> 10.1.56.0/24     0.0.0.0                  0         32768 ?
8. On R3, redistribute the proper routes from BGP into OSPF (vrf instance vr_1)
Added configuration to R3 :
    router ospf 2 vrf vr_1
     redistribute bgp 65003 subnets
After this configuration, the routes to the R6 networks are present on R1 :
    R1#show ip route | begin Gateway
    Gateway of last resort is not set
         1.0.0.0/32 is subnetted, 1 subnets
    C       1.1.1.1 is directly connected, Loopback0
         6.0.0.0/32 is subnetted, 1 subnets
    O IA    6.6.6.6 [110/3] via 10.1.13.3, 02:44:44, FastEthernet0/0
         10.0.0.0/24 is subnetted, 2 subnets
    C       10.1.13.0 is directly connected, FastEthernet0/0
    O IA    10.1.56.0 [110/2] via 10.1.13.3, 02:44:44, FastEthernet0/0
9. On R5, redistribute the proper routes from BGP into OSPF (vrf instance vr_1)
Added configuration to R5 :
    router ospf 2 vrf vr_1
     redistribute bgp 65003 subnets
After this configuration, the routes to the R1 networks are present on R6 :
    R6#show ip route | begin Gateway
    Gateway of last resort is not set
         1.0.0.0/32 is subnetted, 1 subnets
    O IA    1.1.1.1 [110/3] via 10.1.56.5, 02:45:11, FastEthernet0/0
         6.0.0.0/32 is subnetted, 1 subnets
    C       6.6.6.6 is directly connected, Loopback0
         10.0.0.0/24 is subnetted, 2 subnets
    O IA    10.1.13.0 [110/2] via 10.1.56.5, 02:45:11, FastEthernet0/0
    C       10.1.56.0 is directly connected, FastEthernet0/0
Verification :
Let's test communication between R1 loopback and R6 loopback :
    R1#ping 6.6.6.6 source 1.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 236/299/392 ms
Now we can proceed to the next point: setting up the MPLS/BGP VPN between R2 and R7.
To set up the BGP/MPLS VPN between R2 and R7, these are the necessary steps (in addition to the configuration from the MPLS/BGP VPN between R1 and R6):
1. Set up OSPF between R2 and R3 (keeping in mind that VRF instances are present on R3)
2. Set up OSPF between R5 and R7 (keeping in mind that VRF instances are present on R5)
3. Set up BGP on R3 and redistribute OSPF routes (from vrf instance vr_2) into it
4. Set up BGP on R5 and redistribute OSPF routes (from vrf instance vr_2) into it
5. Export/import routes from vr_2 on R3
6. Export/import routes from vr_2 on R5
7. On R3, redistribute the proper routes from BGP into OSPF (vrf instance vr_2)
8. On R5, redistribute the proper routes from BGP into OSPF (vrf instance vr_2)
Note:
The proper BGP neighborship between R3 and R5 was already prepared in the previous scenario (step 5 from MPLS/BGP VPN between R1 and R6).
The additional configuration for each device is shown in summary form :
Added configuration to R2 :
    !
    router ospf 1
     network 2.2.2.2 0.0.0.0 area 0
     network 10.1.23.2 0.0.0.0 area 0
Added configuration to R3 :
    !
    ip vrf vr_2
     route-target export 65002:1
     route-target import 65002:1
    !
    router ospf 3 vrf vr_2
     redistribute bgp 65003 subnets
     network 10.1.23.3 0.0.0.0 area 0
    !
    router bgp 65003
     address-family ipv4 vrf vr_2
      redistribute ospf 3 vrf vr_2
      no synchronization
Added configuration to R5 :
    ip vrf vr_2
     route-target export 65002:1
     route-target import 65002:1
    !
    router ospf 3 vrf vr_2
     redistribute bgp 65003 subnets
     network 10.1.57.5 0.0.0.0 area 0
    !
    router bgp 65003
     address-family ipv4 vrf vr_2
      redistribute ospf 3 vrf vr_2
      no synchronization
Added configuration to R7 :
    !
    router ospf 1
     network 7.7.7.7 0.0.0.0 area 0
     network 10.1.57.7 0.0.0.0 area 0
Now let's try a ping from the R2 loopback to the R7 loopback :
    R2#ping 7.7.7.7 source 2.2.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 216/256/328 ms
The objectives of the scenario were accomplished :
- the loopback interfaces of R1 and R6 are able to communicate with each other (Customer_1)
- the loopback interfaces of R2 and R7 are able to communicate with each other (Customer_2)
- devices from Customer_1 are unable to communicate with devices from Customer_2
Notes:
- the MPLS backbone (R4 in this example) does not have information about the customers' internal networks
- Customer_1 and Customer_2 devices are unaware of each other's networks
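The separation between Customer_1 and Customer_2 depends on the route-target import/export values configured on the PE routers (steps 6 and 7 for vr_1, and the vr_2 configuration). The following check is an added example, not part of the original post: it parses the "ip vrf" stanzas of each PE and reports every route target that one VRF exports and a differently named VRF imports. It assumes the VRF name identifies the customer, as in this scenario; R5_LEAKY is a constructed misconfiguration and the function names are hypothetical.

```python
import re

# VRF stanzas from this post (identical on R3 and R5).
PE_VRF_CONFIG = """\
ip vrf vr_1
 rd 65001:1
 route-target export 65001:1
 route-target import 65001:1
!
ip vrf vr_2
 rd 65002:1
 route-target export 65002:1
 route-target import 65002:1
!
"""
# Constructed misconfiguration (not from the post): vr_2 also imports 65001:1.
R5_LEAKY = PE_VRF_CONFIG.replace(
    " route-target import 65002:1",
    " route-target import 65002:1\n route-target import 65001:1")


def parse_vrfs(config):
    """Return {vrf_name: {"export": set, "import": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip vrf (\S+)", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the stanza
        elif current is not None:
            m = re.match(r"\s+route-target (export|import|both) (\S+)", line)
            if m:
                kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
                for kind in kinds:
                    current[kind].add(m.group(2))
    return vrfs


def find_leaks(pe_configs):
    """Return (src_pe, src_vrf, dst_pe, dst_vrf, rt) for every RT that one VRF
    exports and a differently named VRF imports (assumption: name == customer)."""
    vrfs = [(pe, name, rts) for pe, cfg in pe_configs.items()
            for name, rts in parse_vrfs(cfg).items()]
    return [(spe, sname, dpe, dname, rt)
            for spe, sname, src in vrfs
            for dpe, dname, dst in vrfs if sname != dname
            for rt in sorted(src["export"] & dst["import"])]


if __name__ == "__main__":
    for leak in find_leaks({"R3": PE_VRF_CONFIG, "R5": R5_LEAKY}):
        print("route leak: %s/%s exports RT %s imported by %s/%s"
              % (leak[0], leak[1], leak[4], leak[2], leak[3]))
```

With the configuration from this post on both PE routers the check returns no findings; with the constructed R5_LEAKY input it reports that vr_2 on R5 would receive the vr_1 routes from both PEs.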