on 04-10-2024 07:47 AM
MPLS LAYER-3 VPN
Introduction
Virtual Routing and Forwarding (VRF)
MP-BGP (Multi-protocol BGP)
RD (Route Distinguisher)
RT (Route Target)
Transport and VPN Label
MPLS Layer-3 VPN Configuration
Introduction: Let's begin with the question: what is an MPLS Layer-3 VPN? We already know what MPLS is, so what does "Layer-3 VPN" mean?
Layer-3:- The service provider participates in routing with the customer. The customer runs OSPF, EIGRP, BGP or any other routing protocol with the service provider, and these routes can be shared with the customer's other sites.
VPN:- Routing information from one customer is completely separated from that of other customers and tunnelled over the service provider's MPLS network.
Virtual Routing & Forwarding (VRF)
The first step is separating traffic from different customers. Instead of using a single global routing table, we use multiple routing tables: each customer of the service provider gets its own VRF, so overlapping address space between customers is no problem.
Now you might be wondering, why don't we use VRFs everywhere instead of MPLS? The problem is that two customers may use the same prefix (overlapping address space). Inside their own VRFs that is fine, but once these prefixes are advertised across the service provider network, the PE routers can no longer tell which customer a prefix belongs to.
MP-BGP (Multi-Protocol BGP):
RD (Route Distinguisher)
To fix this issue, we use an RD (Route Distinguisher): we prepend a value to the customer's prefix so that it becomes unique.
The RD is an 8-byte (64-bit) field. You can use any value you want, but typically we use the ASN:NN format, where ASN is the service provider's AS number and NN is a number we pick that identifies the customer's site.
The RD and the prefix combined is what we call a VPNv4 route. We now have a method to differentiate between the different prefixes of our customers. Here’s an example:
Let's say that we use RD 123:10 for customer A and RD 123:20 for customer B. By adding these values, we have unique VPNv4 routes. How do we advertise these VPNv4 routes? That's what we need MP-BGP for.
MP-BGP supports IPv4 unicast/multicast, IPv6 unicast/multicast and it has support for VPNv4 routes. To exchange VPNv4 routes, MP-BGP uses a new NLRI (Network Layer Reachability Information) format that has the following attributes: RD (Route Distinguisher), IPv4 prefix, Next Hop, VPN Label.
This is how PE routers exchange VPNv4 routes with each other. When a PE router learns these VPNv4 routes, what will it do with them? Our PE2 router has learned the two VPNv4 routes, one for each customer. You might think that PE2 will automatically import each VPNv4 route into the correct customer VRF, but that's not going to happen.
RT (Route Target)
We use something called an RT (Route Target) to decide in which VRF we import and export VPNv4 routes. The RT is an 8-byte value that uses the same format as the RD (ASN:NN). It is advertised between PE routers as a BGP extended community. For each VRF that we configure, we tell it which RTs to import and export. Here's an example:
Here is what happens in that example:
Both PE routers are configured to use a VRF called "CustA" for customer A. When PE1 receives a prefix from CE1, it adds RD 123:10 to it to create a unique VPNv4 route. PE1 is configured to add RT 123:1 to all VPNv4 routes it exports from VRF CustA.
PE1 advertises the VPNv4 route to PE2. PE2 is configured to import all VPNv4 routes that carry RT 123:1 into VRF CustA. When PE2 receives the VPNv4 route, it redistributes it into the VRF so that CE3 learns the prefix.
In other words, the PE routers import and export everything from customer A with RT value 123:1, which allows CE1 and CE3 to learn everything from each other. We do the same thing for customer B, but we use RT 123:2 for VRF CustB.
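The RD and RT mechanics described above, as an added example that is not part of the original article: it encodes the RD and RT in their wire formats, builds the VPNv4 routes for the two customers (RD 123:10 and 123:20, RT 123:1 and 123:2 as in the text) and imports them on PE2 by Route Target. The prefix 192.168.1.0/24, next hop 2.2.2.2, the label values and the mistyped-RT scenario are constructed.

```python
import struct
from dataclasses import dataclass, field

def encode_rd(asn, nn):
    # Type-0 Route Distinguisher (RFC 4364): 2-byte type 0, 2-byte ASN, 4-byte number
    return struct.pack("!HHI", 0, asn, nn)

def encode_rt(asn, nn):
    # Route Target extended community: type 0x00 (2-octet AS), sub-type 0x02, ASN, number
    return struct.pack("!BBHI", 0x00, 0x02, asn, nn)

@dataclass(frozen=True)
class VPNv4Route:
    rd: bytes                  # RD + prefix form the VPNv4 NLRI
    prefix: str
    next_hop: str              # loopback of the advertising PE
    vpn_label: int
    route_targets: frozenset   # extended communities carried with the route

@dataclass
class VRF:
    name: str
    rd: bytes
    import_rts: frozenset
    table: dict = field(default_factory=dict)   # prefix -> (next_hop, vpn_label)

def export_vrf(vrf, prefixes, next_hop, first_label, export_rts):
    """Advertising PE: prepend the VRF's RD and attach the export RTs to each prefix."""
    return [VPNv4Route(vrf.rd, p, next_hop, first_label + i, frozenset(export_rts))
            for i, p in enumerate(prefixes)]

def import_routes(vrfs, routes):
    """Receiving PE: install a route in every VRF whose import RTs overlap the route's RTs.
    The RD only keeps the NLRIs distinct; it plays no part in the import decision."""
    for r in routes:
        for vrf in vrfs:
            if vrf.import_rts & r.route_targets:
                vrf.table[r.prefix] = (r.next_hop, r.vpn_label)
    return {v.name: dict(v.table) for v in vrfs}

def pe2_tables(custb_import_nn=2):
    """PE1 exports the article's two customers (same prefix, RD 123:10 / 123:20, RT 123:1 / 123:2)
    and PE2 imports them. custb_import_nn models a mistyped import RT on PE2's CustB VRF.
    Returns (number of distinct VPNv4 routes, PE2's per-VRF tables)."""
    rt_a, rt_b = encode_rt(123, 1), encode_rt(123, 2)
    pe1_a = VRF("CustA", encode_rd(123, 10), frozenset({rt_a}))
    pe1_b = VRF("CustB", encode_rd(123, 20), frozenset({rt_b}))
    routes = (export_vrf(pe1_a, ["192.168.1.0/24"], "2.2.2.2", 16, {rt_a})
              + export_vrf(pe1_b, ["192.168.1.0/24"], "2.2.2.2", 17, {rt_b}))
    pe2_a = VRF("CustA", encode_rd(123, 10), frozenset({rt_a}))
    pe2_b = VRF("CustB", encode_rd(123, 20), frozenset({encode_rt(123, custb_import_nn)}))
    return len(set(routes)), import_routes([pe2_a, pe2_b], routes)
```

Calling pe2_tables(custb_import_nn=1) shows why the import RT deserves care: CustA's route lands in the CustB table, so a single mistyped RT on one PE joins two customers' routing that the RD alone does nothing to keep apart.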
Transport and VPN Label:
Everything that we just discussed about the VRFs, MP-BGP, RD and RT occurs on the control plane. On the data plane, we still have a problem. In the example below, the CE1 router from the customer sends an IP packet with source address 192.168.1.1 and destination 192.168.2.2 to the PE1 router.
The PE1 router adds a transport label to the IP packet, and our MPLS packet is label switched all the way to P3, which pops the label (penultimate hop popping) so that PE2 receives the IP packet. In the header of this IP packet, there is nothing that helps PE2 decide where to forward it.
To fix this problem, we add a second label to the IP packet, called the VPN label. Besides the RT, the PE1 router also advertises a VPN label to the PE2 router.
Here's what happens: the ingress PE pushes the VPN label onto the packet first and the transport label on top of it. The core routers only ever switch on the transport label, and when P3 pops it (penultimate hop popping), PE2 receives the packet with the VPN label still attached. That label tells PE2 which VRF the packet belongs to, so it can forward the packet to the correct customer.
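The two-label data plane just described, as an added example that is not part of the original article: PE1 pushes a VPN label and a transport label, the P routers swap or pop only the transport label, and PE2 picks the VRF from the VPN label that survives penultimate hop popping. The label values, the hop names P1 to P3 and PE2's label allocation are constructed; the destination 192.168.2.2 follows the text.

```python
import ipaddress

# Constructed state for the article's path CE1 - PE1 - P1 - P2 - P3 - PE2 - CE2.
# Transport LFIB per P router: incoming label -> (outgoing label, next hop); None = pop.
P_LFIB = {
    "P1": {100: (200, "P2")},
    "P2": {200: (300, "P3")},
    "P3": {300: (None, "PE2")},   # PE2 advertised implicit-null: penultimate hop popping
}
PE1_TRANSPORT = {"PE2": 100}      # LDP label PE1 uses to reach PE2's loopback
# Both customers reach the same destination prefix; only the VPN label PE2 assigned differs.
PE1_VRF = {
    "CustA": {"192.168.2.0/24": ("PE2", 16)},
    "CustB": {"192.168.2.0/24": ("PE2", 17)},
}
PE2_VPN_LABELS = {16: "CustA", 17: "CustB"}   # PE2's allocation: VPN label -> VRF

def vrf_lookup(table, dst):
    """Longest-prefix match inside one VRF table."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in table if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return table[str(best)]

def pe1_push(vrf_name, dst, with_vpn_label=True):
    """Ingress PE: the VPN label is pushed first (bottom), the transport label on top.
    Index 0 of the returned list is the top of the stack."""
    egress_pe, vpn_label = vrf_lookup(PE1_VRF[vrf_name], dst)
    return [PE1_TRANSPORT[egress_pe]] + ([vpn_label] if with_vpn_label else [])

def core_switch(stack, hop="P1"):
    """P routers swap or pop the top label only; the VPN label underneath is never inspected."""
    stack, path = list(stack), [hop]
    while hop in P_LFIB:
        out_label, hop = P_LFIB[hop][stack[0]]
        stack = ([out_label] if out_label is not None else []) + stack[1:]
        path.append(hop)
    return stack, path

def pe2_receive(stack):
    """Egress PE: after PHP only the VPN label is left, and it selects the VRF.
    With no label the IP header alone cannot tell PE2 which customer the packet belongs to."""
    return PE2_VPN_LABELS.get(stack[0]) if stack else None

def deliver(vrf_name, dst, with_vpn_label=True):
    """Follow one packet from PE1 to PE2 and report the VRF PE2 chose and the hops taken."""
    stack, path = core_switch(pe1_push(vrf_name, dst, with_vpn_label))
    return pe2_receive(stack), path
```

deliver("CustA", "192.168.2.2", with_vpn_label=False) reproduces the problem from the text: after P3 pops the transport label the stack is empty and PE2 has no way to choose a VRF.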
MPLS LAYER-3 VPN CONFIGURATION
In the following topology... we have five routers where AS 234 is the service provider. There’s one customer with two sites, AS 1 and AS 5. Our customer wants to exchange 1.1.1.1 /32 and 5.5.5.5 /32 between its sites using BGP.
To achieve this, we’ll have to do a couple of things:
Assume that all interfaces are configured with IP addresses according to the given topology.
Step-1: Configure the service provider network with OSPF and enable MPLS
PE1(config)#router ospf 1
PE1(config-router)#network 192.168.23.0 0.0.0.255 area 0
PE1(config-router)#network 2.2.2.2 0.0.0.0 area 0
P(config)#router ospf 1
P(config-router)#network 192.168.23.0 0.0.0.255 area 0
P(config-router)#network 192.168.34.0 0.0.0.255 area 0
P(config-router)#network 3.3.3.3 0.0.0.0 area 0
PE2(config)#router ospf 1
PE2(config-router)#network 192.168.34.0 0.0.0.255 area 0
PE2(config-router)#network 4.4.4.4 0.0.0.0 area 0
Now, let's enable LDP on all internal interfaces:
PE1(config)#interface FastEthernet 0/1
PE1(config-if)#mpls ip
P(config)#interface FastEthernet 0/0
P(config-if)#mpls ip
P(config)#interface FastEthernet 0/1
P(config-if)#mpls ip
PE2(config)#interface FastEthernet 0/0
PE2(config-if)#mpls ip
PE1# ping 4.4.4.4 source 2.2.2.2 (!!!!!)
Step-2:- VRF on the PE routers
Since we want our customer routes separated from the service provider's routes, we'll have to create some VRFs. Here's how it's done:
PE1(config)#ip vrf CUSTOMER
PE1(config-vrf)#rd 234:1
PE1(config-vrf)#route-target both 234:1
After creating the VRF globally, we have to assign the interface that is facing the customer to the VRF:
PE1(config)#interface FastEthernet 0/0
PE1(config-if)#ip vrf forwarding CUSTOMER
PE1(config-if)#ip address 192.168.12.2 255.255.255.0
PE2(config)#ip vrf CUSTOMER
PE2(config-vrf)#rd 234:1
PE2(config-vrf)#route-target export 234:1
PE2(config-vrf)#route-target import 234:1
PE2(config)#interface FastEthernet 0/1
PE2(config-if)#ip vrf forwarding CUSTOMER
PE2(config-if)#ip address 192.168.45.4 255.255.255.0
PE1#ping vrf CUSTOMER 192.168.12.1 (!!!!!)
Step-3:- IBGP Configuration on PE1 and PE2
PE1(config)#router bgp 234
PE1(config-router)#neighbor 4.4.4.4 remote-as 234
PE1(config-router)#neighbor 4.4.4.4 update-source loopback 0
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neighbor 4.4.4.4 activate
PE2(config)#router bgp 234
PE2(config-router)#neighbor 2.2.2.2 remote-as 234
PE2(config-router)#neighbor 2.2.2.2 update-source loopback 0
PE2(config-router)#address-family vpnv4
PE2(config-router-af)#neighbor 2.2.2.2 activate
The PE routers will only be used to exchange VPNv4 routes, so we can disable the address-family for IPv4 unicast. Here's how you can do this:
PE1(config)#router bgp 234
PE1(config-router)#address-family ipv4
PE1(config-router-af)#no neighbor 4.4.4.4 activate
PE2(config)#router bgp 234
PE2(config-router)#address-family ipv4
PE2(config-router-af)#no neighbor 2.2.2.2 activate
PE1/PE2#show run | section bgp
PE1/PE2#show bgp vpnv4 unicast all summary
Step-4:- EBGP on PE and CE
CE1(config)#router bgp 1
CE1(config-router)#neighbor 192.168.12.2 remote-as 234
CE1(config-router)#network 1.1.1.1 mask 255.255.255.255
CE2(config)#router bgp 5
CE2(config-router)#neighbor 192.168.45.4 remote-as 234
CE2(config-router)#network 5.5.5.5 mask 255.255.255.255
The configuration of the CE routers is straightforward: this is plain and simple eBGP.
Let's configure the PE routers. The interface that connects to the CE router is assigned to the VRF, which means we'll have to create an address-family in BGP for this VRF:
PE1(config)#router bgp 234
PE1(config-router)#address-family ipv4 vrf CUSTOMER
PE1(config-router-af)#neighbor 192.168.12.1 remote-as 1
PE2(config)#router bgp 234
PE2(config-router)#address-family ipv4 vrf CUSTOMER
PE2(config-router-af)#neighbor 192.168.45.5 remote-as 5
PE1/PE2# show bgp vpnv4 unicast vrf CUSTOMER summary
PE1/PE2# show bgp vpnv4 unicast vrf CUSTOMER
CE1# ping 5.5.5.5 source 1.1.1.1 (!!!!!)
CE1# traceroute 5.5.5.5 source 1.1.1.1
The traceroute output shows MPLS labels on the hops inside AS 234, which proves that the packet is label switched across the service provider network.
Source: https://networklessons.com/mpls/mpls-layer-3-vpn-explained
Thank you very much..!!
------------------------------------------The End ----------------------------------------------------