MPLS RIP L3 VPN

image

configurations

R1

interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
interf loopback 0
ip add 1.1.1.1 255.255.255.0

R2

iinterface Loopback0
ip address 2.2.2.2 255.255.255.255

interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.23.2 255.255.255.0
 duplex auto
 speed auto

R3

interface FastEthernet0/0
 ip address 10.1.23.3 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.34.3 255.255.255.0
 duplex auto
 speed auto

R4

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.45.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.34.4 255.255.255.0
 duplex auto
 speed auto

R5

interface FastEthernet0/0
 ip address 10.1.45.5 255.255.255.0
 duplex auto
 speed auto

The goal is to run mpls within the  ISP network and we also want to run RIP with Customer A CE routers (R1 and R5)

we will run OSPF inside the mpls network

let’s start with configuring OSPF between R2, R3 and R4

R2

R2(config)#router ospf 1
R2(config-router)#network 10.1.23.2 0.0.0.0 area 0
R2(config-router)#network 2.2.2.0 0.0.0.255 area 0

R3

R3(config)#router osp 1
R3(config-router)#network 0.0.0.0 0.0.0.0 area 0

R4

R4(config)#router ospf 1
R4(config-router)#network 4.4.4.0 0.0.0.255 area 0
R4(config-router)#network 10.1.34.0 0.0.0.255 area 0

So now we should have our IGP running on all our ISP network

we need to turn on mpls on these routers

R2(config)#interf f0/1
R2(config-if)#mpls ip

R3(config)#interf f0/0
R3(config-if)#mpls ip
R3(config)#interf f0/1
R3(config-if)#mpls ip

R4(config)#interf f0/1
R4(config-if)#mpls ip 

Now let’s check the LDP neighbors on these routers

R2

R2(config)#do sh mpls ldp ne
    Peer LDP Ident: 10.1.34.3:0; Local LDP Ident 10.1.23.2:0
        TCP connection: 10.1.34.3.21083 - 10.1.23.2.646
        State: Oper; Msgs sent/rcvd: 14/13; Downstream
        Up time: 00:06:56
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.1.23.3
        Addresses bound to peer LDP Ident:
          10.1.23.3       10.1.34.3     

R3

R3(config-if)#do sh mpls ldp ne
    Peer LDP Ident: 10.1.23.2:0; Local LDP Ident 10.1.34.3:0
        TCP connection: 10.1.23.2.646 - 10.1.34.3.21083
        State: Oper; Msgs sent/rcvd: 14/15; Downstream
        Up time: 00:07:12
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.1.23.2
        Addresses bound to peer LDP Ident:
          10.1.12.2       10.1.23.2      
   Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 10.1.34.3:0
        TCP connection: 4.4.4.4.646 - 10.1.34.3.63944
        State: Oper; Msgs sent/rcvd: 13/14; Downstream
        Up time: 00:06:42
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.1.34.4
        Addresses bound to peer LDP Ident:
          10.1.45.4       10.1.34.4       4.4.4.4       

R4

R4(config-if)#do sh mpls ldp nei
    Peer LDP Ident: 10.1.34.3:0; Local LDP Ident 4.4.4.4:0
        TCP connection: 10.1.34.3.52025 - 4.4.4.4.646
        State: Oper; Msgs sent/rcvd: 330/324; Downstream
        Up time: 04:40:42
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.1.34.3
        Addresses bound to peer LDP Ident:
          10.1.23.3       10.1.34.3      

Now we need to enable BGP on the PE routers (R2 and R4)

R4

R4(config-router-af)#do sh run | sec router bgp 100
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family

R2

R2(config-router)#do sh run | sec router bgp 100
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family

Note: we have used this no bgp default ipv4-unicast command under the BGP configuration to stop the BGP from activating the ipv4 unicast peers automatically and we have to activate them manually under the vpnv4 unicast address family manually. let’s check the BGP peers

R2

R2(config)#do sh bgp vpn un all summ
BGP router identifier 10.1.23.2, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4   100     586     585        1    0    0 09:41:49        0

R4

R4(config)#do sh bgp vpn un all summ
BGP router identifier 4.4.4.4, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4   100     587     587        1    0    0 09:43:46        0

we now need to create the VRFs on both R2 and R4 and run RIP with R1 and R5

R1

R1(config)#router rip      
R1(config-router)#no auto-summary
R1(config-router)#version 2
R1(config-router)#network 10.0.0.0  
R1(config-router)#network 1.0.0.0 

R2

R2(config)#ip vrf CUST_A
R2(config-vrf)#rd 100:1
R2(config-vrf)#exit
R2(config)#interf
R2(config)#interface f0/0
R2(config-if)#ip vrf forwarding CUST_A
% Interface FastEthernet0/0 IP address 10.1.12.2 removed due to enabling VRF CUST_A
R2(config-if)#ip address 10.1.12.2 255.255.255.0
R2(config)# router rip
R2(config-router)#address-family ipv4 vrf CUST_A
R2(config-router-af)#no auto-summary
R2(config-router-af)#version 2
R2(config-router-af)#network 10.0.0.0

R4

R4(config)#ip vrf CUST_A
R4(config-vrf)#rd 100:1
R4(config-router)#interf f0/0
R4(config-if)#ip vrf forwarding CUST_A 
% Interface FastEthernet0/0 IP address 10.1.45.4 removed due to enabling VRF CUST_A
R4(config-if)#ip address 10.1.45.4 255.255.255.0
R4(config)#router rip
R4(config-router)#address-family ipv4 vrf CUST_A
R4(config-router-af)#no aut
R4(config-router-af)#ver 2
R4(config-router-af)#net 10.0.0.0

R5

R5(config)#router rip
R5(config-router)#no auto-summary
R5(config-router)#ver 2
R5(config-router)#network 5.0.0.0
R5(config-router)#network 10.0.0.0

so on R2 and R4 we have created the VRF and identified a RD

RD is 64 bit that PEs prepend to the 32 bit prefixes in particular VRF to make it unique 96 bit prefix. RD is only local an doesn’t have to match on different PEs but they need to be locally different to avoid overlapping issues

Also note how the IP address of interfaces f0/0 on both R2 and R4 were removed when we assigned them to the new VRF CUST_A this basically because the router is moving these IP addresses to the VPNV4 table rather than the global routing table.

From customer’s point of view RIP configuration didn’t change  and you configure RIP as we we always do, however on PEs the RIP need to be configured under address family so we keep routing table separate for different customers

our next step will be configuring the BGP-MP on the PE routers and mutual redistribute between RIP and the BGP-MP

on both R2 and R4

(config)#router bgp 100
(config-router)#address-family ipv4 vrf CUST_A
(config-router-af)#redistribute rip
(config)#router rip
(config-router)#address-family ipv4 vrf CUST_A
(config-router-af)#redistribute bgp metric 1 

let’s check the BGP on R2 for that VRF

R2(config)#do sh bgp vpn un vrf CUST_A
BGP table version is 5, local router ID is 10.1.23.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf CUST_A)
*> 1.1.1.0/24       10.1.12.1                1         32768 ?
*> 10.1.12.0/24     0.0.0.0                  0         32768 ?

so we see that RIP is getting redistributed correctly into BGP but we are note receiving any routes from R4, in order for us to start receiving routes from other PEs we need to IMPORT/EXPORT Route Targets

Route Targets  control which routes will be imported on the far side PE, for a given VRF.

so let’s try this on both R2 and R4

(config)#ip vrf CUST_A
(config-vrf)#route-target import 100:1
(config-vrf)#route-target export 100:

route-target import: import the route from BGP-MP into the specific VRF

route-target export: Export the route from the VRF to BGP-MP

so now let’s check the routing table on R1 and R5

R1

R1#sh ip route rip
   5.0.0.0/24 is subnetted, 1 subnets
R       5.5.5.0 [120/1] via 10.1.12.2, 00:00:17, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.1.45.0 [120/1] via 10.1.12.2, 00:00:17, FastEthernet0/0

R5

R5#sh ip route rip
     1.0.0.0/24 is subnetted, 1 subnets
R       1.1.1.0 [120/1] via 10.1.45.4, 00:00:17, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
R       10.1.12.0 [120/1] via 10.1.45.4, 00:00:17, FastEthernet0/0

And we can confirm with a ping from R1 to R5

R1#ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/103/120 ms
R1#tra
R1#traceroute 5.5.5.5

Type escape sequence to abort.
Tracing the route to 5.5.5.5

  1 10.1.12.2 44 msec 44 msec 24 msec
  2 10.1.23.3 [MPLS: Labels 19/19 Exp 0] 132 msec 68 msec 80 msec
  3 10.1.45.4 [MPLS: Label 19 Exp 0] 96 msec 64 msec 56 msec
  4 10.1.45.5 112 msec *  88 msec

Comments

Post a Comment

Popular posts from this blog

IPv6 EIGRP

Image
In this post we will try to configure IPv6 EIGRP see the different options for the protocol and how these options are almost identical to the IPv4 version of EIGRP configuration R1 ipv6 unicast-routing interface lo0 ipv6 address 2001:1:1::1/64 interface FastEthernet0/0   ipv6 address FE80::1 link-local   ipv6 address FC00:1:12::1/64 ! interface FastEthernet0/1   ipv6 address FE80::1 link-local   ipv6 address FC00:1:13::1/64 !          R2 ipv6 unicast-routing interface lo0 ipv6 address 2001:2:2::2/64 interface FastEthernet0/0   ipv6 address FE80::2 link-local   ipv6 address FC00:1:12::2/64 ! interface FastEthernet0/1   ipv6 address FE80::2 link-local   ipv6 address FC00:1:23::2/64 R3 ipv6 unicast-routing interface lo0 ipv6 address 2001:3:3::3/64 interface lo1 ipv6 address 2001:3:4::3/64 interface lo2 ipv6 address 2001:3:5::3/64 interface FastEthernet0/0   ipv6 address FE80::3 link-...
Read more

BPDU Filter vs BPDU Guard

        Today we will try to explore the difference between these 2 options, BPDU guard and BPDU filter We know that BPDU are used to communicate between switches in L2 networks  to ensure loop free topology. BPDU Guard is used to protect our access (or trunks incase of servers) ports from receiving undesired BPDU packets, this feature is helpful in enforcing your network boundary in access layer BPDU Guard can be enabled on global configuration as well as under the interface configuration BPDU Filter on the other hand is used to filter BPDU packets outbound when configured  in global configuration (after sending 11 BPDU out ) and will filter BPDU inbound/outbound when configured under the interface level To better understand these two features, let’s use this simple topology R1 is connected to SW1 through F0/0 to have R1 send and receive BPDU we will simple configure bridging group 1 on the router and we will join the bridge group when desired to...
Read more

Private VLANS and protected ports

Image
In this post we will try to learn two layer 2 technologies, private vlans and protected ports Private vlans is used to segregate the layer 2 domain within the same vlan so we don’t waste any IP addresses, think about as sub-vlans within the same vlan that share the same layer 3 address. These sub-vlans can be of two kinds                      1- Community 2- Isolated The difference between community and isolated sub-vlans that hosts within community vlan can communicate together however hosts within isolated vlans con’t communicate to each others, also note that hosts from different community vlans can’t communicate/isolated vlans can’t communicate together. The question is how these hosts in community/isolated vlans communicate to the outside world, and the answer is they communicate through the promiscuous port which is part of parent vlan but this port is allowed to communicat...
Read more