Saturday, January 22, 2011

MPLS VPN Configuration -1: Providing WAN connectivity for 2 customers

This is the first post in a series on MPLS VPN. The case is very simple: we have an ISP which, in this diagram, has 2 routers, pe1R and pe2R.


We have 2 customers: VPN-CUST-1, which has 2 sites connected to the MPLS network, and VPN-CUST-2, which also has 2 sites connected to the MPLS network. The routing protocols are shown in the following diagram:
Configuration for VPN-CUST-1:


What we will do here is give each customer connectivity between its sites.
We will begin with the IBGP neighbor relationship between both provider edge routers (pe1R, pe2R). They will establish the IBGP neighbor relationship through their loopback interfaces lo0.
Let’s take a look at the configuration of lo0 and of the FastEthernet interface facing the other PE on each of the 2 routers:


pe2R:
interface Loopback0
ip address 150.15.20.20 255.255.255.0
interface FastEthernet0/1
ip address 172.200.12.2 255.255.255.0
duplex auto
speed auto


pe1R
interface Loopback0
ip address 150.15.10.10 255.255.255.0
interface FastEthernet0/0
ip address 172.200.12.1 255.255.255.0
duplex auto
speed auto



So we first need to allow reachability between the loopback interfaces of the two routers. Let’s configure EIGRP for this role.

pe2R:
router eigrp 21

network 150.15.20.0 0.0.0.255
network 172.200.12.0 0.0.0.255
no auto-summary


pe1R:
router eigrp 21
network 150.15.10.0 0.0.0.255
network 172.200.12.0 0.0.0.255

no auto-summary


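Now we should be able to ping pe2R’s lo0 (150.15.20.20) from pe1R, using lo0 as the source. Note that the capture below shows 150.15.10.10, pe1R’s own loopback, as the destination; the test that proves reachability across the core is the same command with 150.15.20.20 as the destination.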

pe1R#ping 150.15.10.10 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.15.10.10, timeout is 2 seconds:
Packet sent with a source address of 150.15.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
pe1R#


Enable MPLS on the inside interfaces of Provider routers

pe1R:
int Fa0/0
mpls ip

pe2R:

int Fa0/1
mpls ip

Now we have to create the VRFs on the PE routers, then attach each VRF to the corresponding interface.
For VPN-CUST-1, we will assign a route distinguisher of 1:1.

For VPN-CUST-2, we will assign a route distinguisher of 2:2.
We will assign different route-targets for import and for export. So for VPN-CUST-2, if we assign an export route-target of 2:10 and an import route-target of 2:1 on the 1st branch, then on the 2nd branch we have to assign an export route-target of 2:1 and an import route-target of 2:10 (the routes that are advertised (exported) from here are imported into the routing table there, and vice versa).
Take a look at the diagram to see the assignment of rd and route-targets.

pe1R:
ip vrf VPN-CUST-1
rd 1:1
route-target export 1:1
route-target import 1:10
ip vrf VPN-CUST-2
rd 2:2
route-target export 2:1
route-target import 2:10

pe2R:
ip vrf VPN-CUST-1
rd 1:1
route-target export 1:10
route-target import 1:1
ip vrf VPN-CUST-2
rd 2:2
route-target export 2:10
route-target import 2:1
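
The import/export pairing above decides which VRFs receive which routes, so a one-digit slip in a route-target is enough to put one customer's prefixes into another customer's table. The following check is an added example, not part of the original post: it parses the `ip vrf` stanzas shown above (embedded as constructed input, plus a constructed typo variant) and lists every export-to-import flow, flagging any whose VRF names differ. Treating the VRF name as the customer identity is an assumption of the example.

```python
import re

# Constructed input: the `ip vrf` stanzas from this post, keyed by PE router.
CONFIGS = {
    "pe1R": """ip vrf VPN-CUST-1
 rd 1:1
 route-target export 1:1
 route-target import 1:10
ip vrf VPN-CUST-2
 rd 2:2
 route-target export 2:1
 route-target import 2:10""",
    "pe2R": """ip vrf VPN-CUST-1
 rd 1:1
 route-target export 1:10
 route-target import 1:1
ip vrf VPN-CUST-2
 rd 2:2
 route-target export 2:10
 route-target import 2:1""",
}
# Constructed one-digit slip on pe2R: VPN-CUST-2 imports 1:1 instead of 2:1.
TYPO = dict(CONFIGS, pe2R=CONFIGS["pe2R"].replace("import 2:1", "import 1:1"))

def parse_vrfs(pe, text):
    """Map (pe, vrf) -> {'export': set of RTs, 'import': set of RTs}."""
    vrfs, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault((pe, m.group(1)), {"export": set(), "import": set()})
        elif cur and (m := re.fullmatch(r"route-target (export|import|both) (\S+)", line)):
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                cur[kind].add(m.group(2))
    return vrfs

def route_flows(configs):
    """Sorted (exporter, importer) pairs where an exported RT is imported by another VRF."""
    vrfs = {}
    for pe, text in configs.items():
        vrfs.update(parse_vrfs(pe, text))
    return sorted((src, dst) for src, s in vrfs.items() for dst, d in vrfs.items()
                  if src != dst and s["export"] & d["import"])

def leaks(configs):
    """Flows whose exporter and importer VRF names differ (cross-customer import)."""
    return [(src, dst) for src, dst in route_flows(configs) if src[1] != dst[1]]

if __name__ == "__main__":
    print("as posted:", leaks(CONFIGS))
    print("with typo:", leaks(TYPO))
```

With the configuration as posted there are four flows, one in each direction per customer, and no cross-customer import; the typo variant both leaks VPN-CUST-1 routes into VPN-CUST-2 on pe2R and silently breaks VPN-CUST-2's own import there.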

Implementing BGP between both PE routers. Note that in this diagram, I have the 2 PE routers directly connected. If there are P routers in the middle, you only need to implement IBGP between the PE routers; it is not necessary to add the P routers to the IBGP configuration.
The pe1R configuration:
router bgp 200
bgp log-neighbor-changes
neighbor 150.15.20.20 remote-as 200
neighbor 150.15.20.20 update-source Loopback0
!
address-family ipv4
no neighbor 150.15.20.20 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 150.15.20.20 activate
neighbor 150.15.20.20 send-community extended
exit-address-family

Note that we add the neighbor under the global BGP configuration, then activate this neighbor under the vpnv4 section. As we need this BGP neighbor relationship to be established only for the MPLS VPN network, we deactivate the neighbor relationship for the address-family ipv4. The send-community is entered by default on this IOS ... . This command allows the router to send the rd and route-target to the other neighbor.
The pe2R configuration:
router bgp 200
bgp log-neighbor-changes
neighbor 150.15.10.10 remote-as 200
neighbor 150.15.10.10 update-source Loopback0
!
address-family ipv4
no neighbor 150.15.10.10 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 150.15.10.10 activate
neighbor 150.15.10.10 send-community extended
exit-address-family
!
address-family ipv4 vrf VPN-CUST-2
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN-CUST-1
no synchronization
exit-address-family

You can see that the address-families for both VRFs are automatically created under the BGP section.

To verify that the routers have established the BGP neighbor relationship, use:


pe1R#show ip bgp vpnv4 all sum
BGP router identifier 150.15.10.10, local AS number 200
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
150.15.20.20 4 200 2 2 0 0 0 00:00:05 0

pe1R#
If you use "show ip bgp summary", you will not see any neighbor relationship, because we deactivated the neighbor under the address-family ipv4.

Now that we have established the neighbor relationship between both PE routers, we need to configure routing between each PE and CE, in order to allow the customer sites to communicate with each other.
In the BGP configuration, we must have an address-family for each customer. Let's see VPN-CUST-2.
We will configure OSPF between pe1R and ce2R4, and RIP between pe2R and ce2R6. You can even configure IBGP or static routing.

pe1R - - - ce2R4
The interface and OSPF configuration on ce2R4 (I added a loopback interface to create an additional subnet):

ce2R4:
interface Loopback0
ip address 150.15.40.40 255.255.255.0
!
interface FastEthernet0
ip address 172.17.14.4 255.255.255.0
duplex auto
speed auto
router ospf 99
log-adjacency-changes
network 150.15.40.0 0.0.0.255 area 0
network 172.17.14.0 0.0.0.255 area 0


On router pe1R:

Interface configuration facing ce2R4:

interface FastEthernet0/1
ip vrf forwarding VPN-CUST-2
ip address 172.17.14.1 255.255.255.0
duplex auto
speed auto

OSPF configuration:
router ospf 99 vrf VPN-CUST-2
router-id 150.15.10.10
log-adjacency-changes
network 172.17.14.0 0.0.0.255 area 0

Now we should be able to ping from pe1R to ce2R4, using: "ping vrf VPN-CUST-2 150.15.40.40"
In OSPF you specify a separate process for a VRF, while in RIP and EIGRP you specify an address-family for the VRF under the main process.
Let's take a look at the routing configuration between pe2R and ce2R6.

ce2R6 Configuration:

interface Loopback0
ip address 150.15.60.60 255.255.255.0
!
interface FastEthernet0
ip address 172.17.26.6 255.255.255.0
duplex auto
speed auto
router rip
version 2
network 150.15.0.0
network 172.17.0.0
no auto-summary

pe2R Configuration:
interface FastEthernet2/1
ip vrf forwarding VPN-CUST-2
ip address 172.17.26.2 255.255.255.0
duplex FULL
speed auto
router rip
version 2
!
address-family ipv4 vrf VPN-CUST-2
network 172.17.0.0
no auto-summary
exit-address-family

Now we should be able to ping between ce2R6 and pe2R.

 pe2R#PING vrf VPN-CUST-2 150.15.60.60
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.15.60.60, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/190/280 ms
pe2R#


If we look at the routing table of ce2R6, or at the VPN-CUST-2 VRF routing table on pe2R, we still do not see the routes of the other side.
Gateway of last resort is not set
172.17.0.0/24 is subnetted, 1 subnets
C 172.17.26.0 is directly connected, FastEthernet0
150.15.0.0/24 is subnetted, 1 subnets
C 150.15.60.0 is directly connected, Loopback0
ce2R6#

If we look at the VPNv4 BGP table for VPN-CUST-2 on pe2R:
pe2R#sh ip bgp vpnv4 vrf VPN-CUST-2

pe2R#
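There is no route, because nothing is redistributed yet between BGP and the PE-CE routing protocols. We need mutual redistribution on each PE.

In pe1R:

router ospf 99 vrf VPN-CUST-2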
redistribute bgp 200 subnets
router bgp 200
address-family ipv4 vrf VPN-CUST-2
redistribute ospf 99 vrf VPN-CUST-2

In pe2R:
router rip
address-family ipv4 vrf VPN-CUST-2
redistribute bgp 200 metric 2

router bgp 200
address-family ipv4 vrf VPN-CUST-2
redistribute rip

The routing should now work properly between both branches of VPN-CUST-2:

pe1R#sh ip route vrf VPN-CUST-2
Routing Table: VPN-CUST-2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.17.0.0/24 is subnetted, 2 subnets
B 172.17.26.0 [200/0] via 150.15.20.20, 00:03:13
C 172.17.14.0 is directly connected, FastEthernet0/1
150.15.0.0/16 is variably subnetted, 2 subnets, 2 masks
O 150.15.40.40/32 [110/2] via 172.17.14.4, 00:00:18, FastEthernet0/1
B 150.15.60.0/24 [200/1] via 150.15.20.20, 00:03:13
pe1R#

ce2R6#SH IP route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.17.0.0/24 is subnetted, 2 subnets
C 172.17.26.0 is directly connected, FastEthernet0
R 172.17.14.0 [120/2] via 172.17.26.2, 00:00:08, FastEthernet0
150.15.0.0/16 is variably subnetted, 2 subnets, 2 masks
R 150.15.40.40/32 [120/2] via 172.17.26.2, 00:00:08, FastEthernet0
C 150.15.60.0/24 is directly connected, Loopback0
ce2R6#

ce2R6#ping 150.15.40.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.15.40.40, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 684/943/1776 ms
 
ce2R6#traceroute 150.15.40.40
Type escape sequence to abort.
Tracing the route to 150.15.40.40
1 172.17.26.2 32 msec 252 msec 276 msec
2 172.17.14.1 504 msec 544 msec 500 msec
3 172.17.14.4 684 msec 652 msec *
ce2R6#




Configuration of ce1R5:

interface Loopback5
ip address 150.15.50.50 255.255.255.0
end
 
interface FastEthernet0
ip address 192.168.15.5 255.255.255.0
speed auto
end
 
router eigrp 51
network 150.15.50.0 0.0.0.255
network 192.168.15.5 0.0.0.0
no auto-summary

Configuration of pe1R:
interface FastEthernet1/0
ip vrf forwarding VPN-CUST-1
ip address 192.168.15.1 255.255.255.0
duplex auto
speed auto
end
 
router eigrp 21
network 150.15.10.0 0.0.0.255
network 172.200.12.0 0.0.0.255
no auto-summary
!
address-family ipv4 vrf VPN-CUST-1

autonomous-system 51
redistribute bgp 200 metric 100000 100 255 1 1500
network 192.168.15.1 0.0.0.0
no auto-summary


router bgp 200

address-family ipv4 vrf VPN-CUST-1
redistribute eigrp 51
no synchronization


As you saw previously, we used EIGRP as the internal routing protocol for the provider routers. We are also using EIGRP between the PE and CE routers for VPN-CUST-1. In order to do that, under the address-family of VPN-CUST-1, we have to specify another autonomous-system for that family.
Also, when redistributing BGP into EIGRP, we have to specify the metric.
 

 
 
Configuration of ce1R7:

interface Loopback7
ip address 150.15.70.70 255.255.255.0
end
interface FastEthernet0
ip address 172.17.14.4 255.255.255.0
speed auto
end
router eigrp 72
network 150.15.70.0 0.0.0.255
network 172.17.14.0 0.0.0.255
no auto-summary

Configuration of pe2R:
interface FastEthernet2/0
ip vrf forwarding VPN-CUST-1
ip address 172.17.14.2 255.255.255.0
duplex auto
speed auto
end
 
router eigrp 21
network 150.15.20.0 0.0.0.255
network 172.200.12.0 0.0.0.255
no auto-summary
!
address-family ipv4 vrf VPN-CUST-1
redistribute bgp 200 metric 100000 100 255 1 1500
network 172.17.14.0 0.0.0.255
no auto-summary
autonomous-system 72

router bgp 200

address-family ipv4 vrf VPN-CUST-1
redistribute eigrp 72
no synchronization
exit-address-family
 
Let's look at the routing tables, then ping:

pe1R#sh ip route vrf VPN-CUST-1
C 192.168.15.0/24 is directly connected, FastEthernet1/0
172.17.0.0/24 is subnetted, 1 subnets
B 172.17.14.0 [200/0] via 150.15.20.20, 00:23:06
150.15.0.0/24 is subnetted, 2 subnets
D 150.15.50.0 [90/156160] via 192.168.15.5, 00:24:16, FastEthernet1/0
B 150.15.70.0 [200/156160] via 150.15.20.20, 00:23:06
 

ce1R5#ping 150.15.70.70 source 150.15.50.50
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.15.70.70, timeout is 2 seconds:
Packet sent with a source address of 150.15.50.50
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 376/568/960 ms

As you saw in the diagram, the subnet 172.17.14.0 is used by both customers, and specifically the IP address 172.17.14.4 (on ce2R4 and on ce1R7).
Even so, each customer has access only to its own network.