
MPLS VPN Customer to Customer

ubsaccount
Level 1

I have been practicing this lab and can't seem to get the tunnel up. Am I missing something? Customer R3 can ping Customer R4, but when I do a packet sniff, packets are not showing ESP packets being sent.

When I do show mpls interface, it shows the tunnel is down.

R1

ip vrf BLUE
rd 400:1
route-target export 400:1
route-target import 400:2

interface Loopback0
ip address 10.10.10.1 255.255.255.255
ip ospf 65001 area 0
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip ospf 65001 area 0
duplex half
mpls ip
!
interface Ethernet1/0
ip vrf forwarding BLUE
ip address 172.168.2.1 255.255.255.0
duplex half
!
!
router ospf 400
router-id 10.10.10.1
log-adjacency-changes
!
router bgp 400
bgp router-id 10.10.10.1
bgp log-neighbor-changes
neighbor 11.11.11.1 remote-as 400
neighbor 11.11.11.1 update-source Loopback0
!
address-family ipv4
neighbor 11.11.11.1 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 11.11.11.1 activate
neighbor 11.11.11.1 send-community extended
exit-address-family
!
address-family ipv4 vrf BLUE
redistribute connected
neighbor 172.168.2.2 remote-as 500
neighbor 172.168.2.2 activate
no synchronization
exit-address-family


R2
ip vrf RED
rd 400:2
route-target export 400:2
route-target import 400:1

!
!
interface Loopback0
ip address 11.11.11.1 255.255.255.255
ip ospf 65001 area 0
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip ospf 65001 area 0
duplex half
mpls ip
!
interface Ethernet1/0
ip vrf forwarding RED
ip address 172.168.1.1 255.255.255.0
duplex half
!
!
router ospf 65001
router-id 11.11.11.1
log-adjacency-changes
!
router bgp 400
bgp router-id 11.11.11.1
bgp log-neighbor-changes
neighbor 10.10.10.1 remote-as 400
neighbor 10.10.10.1 update-source Loopback0
!
address-family ipv4
neighbor 10.10.10.1 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 send-community extended
exit-address-family
!
address-family ipv4 vrf RED
redistribute connected
neighbor 172.168.1.2 remote-as 500
neighbor 172.168.1.2 activate
no synchronization
exit-address-family
!


R3

!
interface Loopback0
ip address 3.3.3.3 255.255.255.255

!
interface Ethernet1/0
ip address 172.168.2.2 255.255.255.0
duplex half
!
router bgp 500
bgp router-id 3.3.3.3
bgp log-neighbor-changes
neighbor 172.168.2.1 remote-as 400
!
address-family ipv4
redistribute connected
neighbor 172.168.2.1 activate
no auto-summary
no synchronization
exit-address-family

!

R4
!

interface Loopback0
ip address 4.4.4.4 255.255.255.255

interface Ethernet1/0
ip address 172.168.1.2 255.255.255.0
duplex half
!

router bgp 500
bgp router-id 4.4.4.4
bgp log-neighbor-changes
neighbor 172.168.1.1 remote-as 400
!
address-family ipv4
redistribute connected
neighbor 172.168.1.1 activate
no auto-summary
no synchronization
exit-address-family

Accepted Solutions

Victor Acevedo
Cisco Employee

Hello Ubsaccount,

I am not sure I am following - are you expecting to see ESP "encrypted packets" between Customer 3 and Customer 4? If so, there is nothing in your configuration that specifies that. I am not sure about what tunnel you are referring to.

MPLS L3VPNs do not have to use encryption, and if the 'VPN' word is throwing you off, there are many ways of configuring VPNs which do not have to do with actual encryption. In this MPLS L3VPN scenario, it is a VPN because we are isolating this customer's traffic from other customers using VRFs. No need for encryption, but you can add encryption between this transaction, but that would be up to your CE devices to set up that tunnel.

Thanks,

Victor Hugo Acevedo
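
An added example, not part of the original thread: a small Python classifier that walks the MPLS label stack of a frame captured on the PE-to-PE link and reports whether the inner IPv4 payload is ESP (IP protocol 50) or cleartext. The sample frames are constructed; the label values 16 and 17 and the zeroed MAC addresses are assumptions, and only untagged Ethernet carrying IPv4 is handled.

```python
import socket
import struct

ETH_MPLS, ETH_IPV4 = 0x8847, 0x0800
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP"}

def classify(frame: bytes) -> dict:
    """Walk the MPLS label stack of one Ethernet frame and report the inner IPv4 protocol."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, labels = 14, []
    if ethertype == ETH_MPLS:
        while True:
            if len(frame) < offset + 4:
                raise ValueError("truncated MPLS label stack")
            entry = struct.unpack("!I", frame[offset:offset + 4])[0]
            offset += 4
            labels.append(entry >> 12)      # top 20 bits are the label value
            if entry & 0x100:               # S bit set: bottom of stack
                break
    elif ethertype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("payload is not IPv4")
    proto = frame[offset + 9]
    return {
        "labels": labels,
        "src": socket.inet_ntoa(frame[offset + 12:offset + 16]),
        "dst": socket.inet_ntoa(frame[offset + 16:offset + 20]),
        "proto": IP_PROTO.get(proto, str(proto)),
        "esp": proto == 50,                 # only ESP means the CE payload is protected
    }

# --- Constructed sample frames (label values, MACs and payloads are made up) ---
def _frame(labels, src, dst, proto):
    eth = bytes(12) + struct.pack("!H", ETH_MPLS if labels else ETH_IPV4)
    stack = b"".join(struct.pack("!I", (lbl << 12) | ((i == len(labels) - 1) << 8) | 254)
                     for i, lbl in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 255, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + stack + ip + bytes(8)

PING_AS_POSTED = _frame([17], "172.168.2.2", "172.168.1.2", 1)           # lab as configured
PING_WITH_CE_IPSEC = _frame([16, 17], "172.168.2.2", "172.168.1.2", 50)  # if the CEs ran IPsec

if __name__ == "__main__":
    for name, f in (("as posted", PING_AS_POSTED), ("CE IPsec", PING_WITH_CE_IPSEC)):
        print(name, classify(f))
```

With the configuration as posted, the inner protocol is ICMP behind an MPLS label, which is why the capture shows no ESP: the VRFs separate customers but do not encrypt.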

Thanks Victor, you are correct! :) I was expecting to see ESP packets. Thank you.