Pradeep H A
Beginner

MPLS VPN with multiple VRFs & PHP

Hi experts,

I am a beginner in MPLS VPNs & curious about how IP packet forwarding happens with multiple VRFs. I have studied how MP-BGP & MPLS work with RDs & RTs to create VPNs.

PE1-------------P1-------------P2------------P3-------------PE2

PE-1

=====

VRF-A

VRF-B

PE-2

=====

VRF-A

VRF-C

Suppose an IP packet arrives at PE-1 on a VRF-A interface. It will be labeled to traverse the MPLS core to reach PE-2. But if that label is popped at P3 due to PHP, the plain IP packet will be forwarded to PE-2. How will PE-2 know which VRF the packet belongs to?

Thanks a lot in advance

8 REPLIES
Giuseppe Larosa
Hall of Fame Master

Hello Pradeep,

The MPLS L3 VPN label advertised by MP-BGP is used internally and it is never popped.

The external label is that of the LSP with destination PE2 loopback (called the internal label by some authors), and this is the label affected by PHP.

This is given by the fact that the BGP next-hop is the loopback address of PE2, by recursion.

The MPLS frame for an L3 VPN packet has the following aspect on the wire:

MPLS external label | BGP VPN label | IPv4 packet

This is called an MPLS label stack with depth = 2.

The PHP action changes the MPLS frame into:

BGP VPN label | IPv4 packet

so only the most external label is popped.

So the BGP VPN label that PE2 has sent to all other PE devices in MP-BGP is the discriminator for received traffic, and PE2 can extract the IPv4 packet and route it to the correct VRF with no issues.

Hope to help

Giuseppe

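As an added illustration of the depth-2 label stack and the PHP step described in this answer (example code written for this page, not from the original post or from any vendor's implementation), the following Python models PE1 imposing the two labels, the penultimate hop popping only the top entry, and PE2 selecting the VRF from the VPN label that remains. Label values, VRF names, prefixes and interface names are constructed placeholders, and the IPv4 header is a simplified 20-byte header with the checksum left at zero. A second function shows the depth-1 case the question worries about: with only a transport label, PHP really would leave PE2 with bare IP and no way to pick a VRF.

```python
import ipaddress
import struct

ETH_IPV4, ETH_MPLS = 0x0800, 0x8847   # Ethertypes: plain IPv4 vs MPLS unicast


def encode_label(label, bos, ttl=255, tc=0):
    """One 32-bit label stack entry (RFC 3032): 20-bit label, 3-bit TC, S bit, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def decode_label(entry):
    (v,) = struct.unpack("!I", entry)
    return {"label": v >> 12, "tc": (v >> 9) & 7, "bos": (v >> 8) & 1, "ttl": v & 0xFF}


def build_ipv4(src, dst):
    """Minimal 20-byte IPv4 header (no options, checksum left at 0): enough to carry a destination."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def pe1_impose(transport_label, vpn_label, ip_packet):
    """PE1 pushes a depth-2 stack: outer transport label (S=0), inner BGP VPN label (S=1)."""
    return (ETH_MPLS, encode_label(transport_label, 0) + encode_label(vpn_label, 1) + ip_packet)


def pop_top(frame):
    """What the penultimate hop does for PHP: pop exactly the top entry.
    Only if that entry carried S=1 does the frame turn into plain IP."""
    ethertype, payload = frame
    assert ethertype == ETH_MPLS
    top = decode_label(payload[:4])
    return (ETH_IPV4 if top["bos"] else ETH_MPLS, payload[4:])


# PE2 local state (constructed values): the VPN labels PE2 advertised in MP-BGP
# and the routing table of each VRF. Note the same prefix exists in both VRFs.
PE2_VPN_LABELS = {16: "VRF-A", 17: "VRF-C"}
PE2_VRF_RIB = {
    "VRF-A": {"10.1.0.0/16": "Gi0/1 (CE-A2)"},
    "VRF-C": {"10.1.0.0/16": "Gi0/2 (CE-C)"},
}


def lpm(rib, dst):
    """Longest-prefix match of dst in a {prefix: nexthop} table."""
    d = ipaddress.IPv4Address(dst)
    matches = [ipaddress.IPv4Network(p) for p in rib if d in ipaddress.IPv4Network(p)]
    return rib[str(max(matches, key=lambda n: n.prefixlen))] if matches else None


def pe2_dispose(frame):
    """PE2: the top label must be one of its own VPN labels; it selects the VRF,
    then the destination IP is looked up in that VRF only."""
    ethertype, payload = frame
    if ethertype != ETH_MPLS:
        return None   # bare IP, no VPN label: nothing tells PE2 which VRF (the feared case)
    top = decode_label(payload[:4])
    vrf = PE2_VPN_LABELS.get(top["label"])
    if vrf is None or not top["bos"]:
        return None   # unknown label, or unexpectedly more labels below it
    dst = str(ipaddress.IPv4Address(payload[4:][16:20]))
    return vrf, lpm(PE2_VRF_RIB[vrf], dst)


def forward(transport_label, vpn_label, src, dst):
    """End to end: PE1 imposition -> P3 PHP on the transport label -> PE2 disposition."""
    frame = pe1_impose(transport_label, vpn_label, build_ipv4(src, dst))
    frame = pop_top(frame)
    return pe2_dispose(frame)


def forward_depth1(transport_label, src, dst):
    """Counter-example: with only the transport label (depth 1), PHP leaves PE2 bare IP."""
    frame = (ETH_MPLS, encode_label(transport_label, 1) + build_ipv4(src, dst))
    return pe2_dispose(pop_top(frame))


if __name__ == "__main__":
    print(forward(1001, 16, "192.0.2.1", "10.1.2.3"))     # ('VRF-A', 'Gi0/1 (CE-A2)')
    print(forward(1001, 17, "192.0.2.1", "10.1.2.3"))     # ('VRF-C', 'Gi0/2 (CE-C)')
    print(forward_depth1(1001, "192.0.2.1", "10.1.2.3"))  # None
```

The two VRFs deliberately carry the same 10.1.0.0/16 so that the IP header alone could never decide between them; only the VPN label that survives PHP does.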

That helped a lot, Giuseppe...

But now I again have a couple of doubts...

1. Do all the IP packets & routes belonging to one VRF have the same BGP VPN label?

2. How can I check which BGP VPN label is assigned to which VRF on a PE? What is the show command?

3. I assume BGP VPN labels are carried only in VPNv4 address-family updates & not in IPv4 address-family updates. Correct?

Hello Pradeep,

1) The default behaviour for the Cisco implementation is to use a different label for each VRF IPv4 prefix; a per-VRF label can be configured, at least on some platforms, for scalability purposes.

2)

show ip bgp vpnv4 labels

see

http://www.cisco.com/en/US/docs/ios-xml/ios/mpls/command/mp-s1.html#GUID-6D47C40E-95D0-49E2-A1A9-7BCBC3E9A13A

3) Yes, the BGP VPN label is an attribute of a VPNv4 NLRI.
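Added example (not from the original post) for point 1, the per-prefix versus per-VRF allocation: a small model of a PE's local VPN label bindings in both modes. It goes one step beyond the answer in showing the forwarding consequence of each choice: a per-prefix label identifies the outgoing next hop on its own, while a per-VRF (aggregate) label only identifies the VRF, so the PE must still do an IP lookup in that VRF's table. VRF names, routes and next hops are constructed values, and starting the label pool at 16 is an assumption, not a platform fact.

```python
import ipaddress
import itertools


def lpm(rib, dst):
    """Longest-prefix match of dst in a {prefix: nexthop} table."""
    d = ipaddress.IPv4Address(dst)
    matches = [ipaddress.IPv4Network(p) for p in rib if d in ipaddress.IPv4Network(p)]
    return rib[str(max(matches, key=lambda n: n.prefixlen))] if matches else None


class PeVpnLabels:
    """Local VPN label bindings of one PE, in 'per-prefix' or 'per-vrf' allocation mode.
    The first label value (16) is an assumption; real platforms use their own ranges."""

    def __init__(self, mode, first_label=16):
        if mode not in ("per-prefix", "per-vrf"):
            raise ValueError(mode)
        self.mode = mode
        self._pool = itertools.count(first_label)
        self.bindings = {}     # label -> ("per-prefix", vrf, prefix, nexthop) | ("per-vrf", vrf)
        self._vrf_label = {}   # vrf -> aggregate label (per-vrf mode only)
        self.rib = {}          # vrf -> {prefix: nexthop}

    def add_vrf_route(self, vrf, prefix, nexthop):
        """Install a route in the VRF; return the label the PE would advertise for it in VPNv4."""
        self.rib.setdefault(vrf, {})[prefix] = nexthop
        if self.mode == "per-prefix":
            label = next(self._pool)                    # a fresh label for every prefix
            self.bindings[label] = ("per-prefix", vrf, prefix, nexthop)
            return label
        if vrf not in self._vrf_label:                  # one label per VRF, allocated once
            label = next(self._pool)
            self._vrf_label[vrf] = label
            self.bindings[label] = ("per-vrf", vrf)
        return self._vrf_label[vrf]

    def labels_of_vrf(self, vrf):
        return sorted(l for l, b in self.bindings.items() if b[1] == vrf)

    def dispose(self, label, dst):
        """Forward a packet that arrived with this VPN label on top.
        Returns (vrf, nexthop, how); 'how' records whether an IP lookup was needed."""
        b = self.bindings.get(label)
        if b is None:
            return None
        if b[0] == "per-prefix":
            return b[1], b[3], "label-only"                     # label already names the next hop
        vrf = b[1]
        return vrf, lpm(self.rib[vrf], dst), "ip-lookup"        # aggregate label: VRF known, route not


def demo(mode):
    """Constructed PE with two VRFs; returns the labels advertised and one forwarding decision."""
    pe = PeVpnLabels(mode)
    l1 = pe.add_vrf_route("VRF-A", "10.1.0.0/16", "Gi0/1")
    l2 = pe.add_vrf_route("VRF-A", "10.2.0.0/16", "Gi0/2")
    l3 = pe.add_vrf_route("VRF-C", "10.1.0.0/16", "Gi0/3")
    return (l1, l2, l3), pe.labels_of_vrf("VRF-A"), pe.dispose(l2, "10.2.5.5")


if __name__ == "__main__":
    print(demo("per-prefix"))   # ((16, 17, 18), [16, 17], ('VRF-A', 'Gi0/2', 'label-only'))
    print(demo("per-vrf"))      # ((16, 16, 17), [16], ('VRF-A', 'Gi0/2', 'ip-lookup'))
```

In per-prefix mode the two VRF-A prefixes get two labels, which is why the show command in point 2 lists a label per prefix rather than per VRF; in per-VRF mode they share one, and the lookup moves from the label table into the VRF's IP table.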

Hi  Giuseppe,

On one of our CE routers I noticed we have VRF-lite configured. There is only one VRF configured with an RD & RT, but MPLS is not enabled & the VRF routes are being advertised as IPv4 address-family routes.

1. In this kind of configuration I guess we cannot advertise the VRF routes in the VPNv4 address-family since MPLS is not enabled. Right?

2. What is the use of the RD when we are using IPv4 address-family routes, since RDs are only used to convert IPv4 addresses to VPNv4 addresses?

Hello Pradeep,

VRF-lite is a subset of a full-featured PE: it provides the capability to segregate networks in different VRFs, but it misses the MPLS forwarding plane.

A logical dedicated topology has to be built to provide an exit point for each VRF. This is done with a different VLAN-based subinterface or FR subinterface to the real PE node.

1) In this case the router bgp process can be configured with one address family for each defined VRF. Within each VRF one or more standard eBGP sessions can be set up towards the PE nodes:

router bgp 65000
 address-family ipv4 vrf VRF-NAME1
  neighbor x.x.x.x remote-as y.y.y.y
  redistribute connected
  no synchronization

2)

In IOS, when we configure a VRF an RD has to be provided; it is mandatory also in the case of VRF-lite.

In VRF-lite the use of route targets is allowed to build forms of inter-VRF communication that require configuration of the BGP process and of the address-families associated to the VRFs, even in cases when no external eBGP session is configured.

In other terms, a VRF-lite device is a multi-VRF device, that is, a device that is shared between different end customers and is able to provide logical separation between different customer networks using VRFs.

Hope to help

Giuseppe
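Added example, not part of the thread, for point 2 of this answer and for the earlier point that the VPN label is an attribute of the VPNv4 NLRI: Python that encodes and decodes a labelled VPN-IPv4 NLRI (length, 3-byte label field with the bottom-of-stack bit set, 8-byte RD, prefix) next to a plain IPv4 NLRI, which has no label field at all. The two constructed routes carry the same customer prefix from two VRFs; keyed by prefix alone (as in the ipv4 address-family) they collide, keyed by RD plus prefix (vpnv4) they stay distinct, which is what the RD is for. The RDs, prefixes and labels are constructed values.

```python
import ipaddress
import struct


def encode_rd(rd):
    """8-byte Route Distinguisher. Type 0 'ASN:nn' (2-byte ASN, 4-byte number) or
    type 1 'A.B.C.D:nn' (4-byte IPv4 address, 2-byte number)."""
    admin, num = rd.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))


def decode_rd(raw):
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    ip, num = struct.unpack("!4sH", raw[2:])
    return f"{ipaddress.IPv4Address(ip)}:{num}"


def encode_ipv4_nlri(prefix):
    """Plain IPv4 unicast NLRI: length in bits, then the minimal prefix bytes. No label field."""
    net = ipaddress.IPv4Network(prefix)
    return bytes([net.prefixlen]) + net.network_address.packed[: (net.prefixlen + 7) // 8]


def encode_vpnv4_nlri(label, rd, prefix):
    """Labelled VPN-IPv4 NLRI (RFC 4364 sec. 4.3.4, label field as in RFC 3107):
    length in bits | label (3 bytes: 20-bit value, bottom-of-stack bit set) | RD (8 bytes) | prefix."""
    net = ipaddress.IPv4Network(prefix)
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    return bytes([24 + 64 + net.prefixlen]) + label_field + encode_rd(rd) + prefix_bytes


def decode_vpnv4_nlri(data):
    """Inverse of encode_vpnv4_nlri; returns (label, rd, prefix)."""
    prefixlen = data[0] - 24 - 64
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = decode_rd(data[4:12])
    nbytes = (prefixlen + 7) // 8
    raw = data[12:12 + nbytes] + b"\x00" * (4 - nbytes)
    return label, rd, f"{ipaddress.IPv4Address(raw)}/{prefixlen}"


def vpnv4_route_key(rd, prefix):
    """What makes a VPNv4 route unique: the RD prepended to the prefix (label excluded)."""
    return encode_rd(rd) + encode_ipv4_nlri(prefix)


# Constructed: the same customer prefix exported by two VRFs, each with its own RD
ROUTES = [
    {"vrf": "VRF-A", "rd": "65000:1", "prefix": "10.1.0.0/16", "label": 16},
    {"vrf": "VRF-C", "rd": "65000:3", "prefix": "10.1.0.0/16", "label": 17},
]


def distinct_routes(routes, afi):
    """How many distinct routes a receiver sees: keyed by prefix alone in ipv4,
    by RD+prefix in vpnv4. Overlapping customer prefixes collide only in ipv4."""
    if afi == "ipv4":
        return len({encode_ipv4_nlri(r["prefix"]) for r in routes})
    return len({vpnv4_route_key(r["rd"], r["prefix"]) for r in routes})


if __name__ == "__main__":
    nlri = encode_vpnv4_nlri(16, "65000:1", "10.1.0.0/16")
    print(nlri.hex())               # 680001010000fde8000000010a01
    print(decode_vpnv4_nlri(nlri))  # (16, '65000:1', '10.1.0.0/16')
    print(distinct_routes(ROUTES, "ipv4"), distinct_routes(ROUTES, "vpnv4"))  # 1 2
```

Reading the hex: 0x68 is 104 bits (24 label + 64 RD + 16 prefix), 000101 is label 16 with the S bit set, 0000fde800000001 is RD 65000:1, and 0a01 is the two significant bytes of 10.1.0.0/16. A VRF-lite router that only speaks the ipv4 address-family never puts the RD or the label on the wire; the RD is still configured because IOS requires it to define the VRF.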

Hi Giuseppe,

On one of our PEs I find this type of configuration:

router bgp ABC
 ----------output omitted---------
 neighbor a.a.a.a remote-as ABC
 neighbor a.a.a.a update-source Loopback0
 ----------output omitted---------
 !
 address-family ipv4
  ----------output omitted---------
  neighbor b.b.b.b activate
  neighbor b.b.b.b route-map deny_all out
  ----------output omitted---------
 !
 address-family ipv4 mdt
  neighbor c.c.c.c activate
  neighbor c.c.c.c send-community extended
  ----------output omitted---------
 !
 address-family vpnv4
  neighbor d.d.d.d activate
  neighbor d.d.d.d send-community both
  neighbor d.d.d.d prefix-list deny_all_outbound_routes out
  ----------output omitted---------
 !
 address-family ipv4 vrf VRF-1
  redistribute connected
  redistribute static
  neighbor e.e.e.e remote-as XYZ
  neighbor e.e.e.e activate
  neighbor e.e.e.e inherit peer-policy IPFR
  neighbor e.e.e.e route-map TO_UNMANAGED_CUST out
  ----------output omitted---------

1. Why isn't there a remote-as statement for any neighbors except for those in the global routing process & the ipv4 vrf VRF-1 address-family?

2. Address-family ipv4 vrf VRF-1 is for peering with CE routers in that VRF.

    Address-family vpnv4 is for peering with other PE routers.

    Then why are some neighbors configured just under "address-family ipv4" without any VRF mentioned, & also what about the neighbors declared directly under the router bgp statement? What is the difference between the updates sent to these neighbors?

Thanks a lot in advance!

Hello Pradeep,

1) >> Why isn't there a remote-as statement for any neighbors except for those in the global routing process & the ipv4 vrf VRF-1 address-family?

The neighbor ... remote-as command is used to declare the BGP AS number used by the neighbor.

The configuration of a PE node like the one you have examined is an example of multiprotocol BGP (MP-BGP).

In MP-BGP we define the neighbors with neighbor ... remote-as in the router bgp configuration. The various address families like ipv4 unicast, ipv4 multicast, vpnv4 represent different areas of interest.

Each BGP peer can be interested only in some specific address families and not in all of them.

The key command to tell the router that a specific neighbor is interested in address-family X is the neighbor ... activate command.

With this command we instruct the local node to send and receive updates named NLRI (Network Layer Reachability Information) for the specific address family X.

2)

Following what is written above, in MP-BGP we move from the sending and receiving of only IPv4 NLRI to multiple address families.

A neighbor that is activated only for address family ipv4 is a neighbor that is interested only in exchanging routes of type IPv4 unicast. This neighbor is not a PE node with VRFs defined on it, so there is no need to send VPNv4 NLRI information to it.

The commands used under router bgp, that is neighbor ... remote-as and neighbor ... update-source, are the commands that define the properties of the BGP session to the neighbor, like the remote AS number and what address to use as source for BGP packets sent to the neighbor.

So these commands under router bgp are not dependent on the specific address family: they define the BGP session properties.

In MP-BGP, for a given neighbor, in addition to the commands under router bgp at least one address family has to be activated with the command neighbor ... activate.

In other words, in each address family the configuration elements that are present under router bgp are inherited, and we just need to tell the router whether the specific neighbor has to be activated or not in that address-family and whether to send the BGP communities or BGP extended communities.

Hope to help

Giuseppe

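The session-versus-activation split explained in this answer can be checked mechanically. The following Python is an added example, not code from the thread or from Cisco: a small parser for the router bgp block that records where each neighbor's session is defined (directly under router bgp, or inside an ipv4 vrf address-family) and which address-families it is activated in, then reports the neighbors that will receive VPNv4 NLRI and flags a neighbor activated in an address-family whose session is defined nowhere. The configuration is constructed after the one in the question; AS 65000 is taken from the thread, while 65001, the 192.0.2.x / 198.51.100.x addresses and the second VRF are placeholders. Activation is modelled as explicit only, as in the question's configuration.

```python
import re
from collections import defaultdict

# Constructed configuration modelled on the one in the question (placeholders, not a real device)
SAMPLE_CONFIG = """\
router bgp 65000
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 update-source Loopback0
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 update-source Loopback0
 !
 address-family ipv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-map deny_all out
 exit-address-family
 !
 address-family ipv4 mdt
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VRF-1
  redistribute connected
  neighbor 198.51.100.2 remote-as 65001
  neighbor 198.51.100.2 activate
 exit-address-family
 !
 address-family ipv4 vrf VRF-2
  neighbor 198.51.100.6 activate
 exit-address-family
"""

NEIGHBOR_RE = re.compile(r"neighbor (\S+) (\S+)(?: (.*))?$")


def session_scope(af):
    """Sessions for 'ipv4 vrf X' neighbors live inside that VRF address-family; every other
    address-family inherits the sessions defined directly under router bgp ('global')."""
    return af.split("vrf ", 1)[1] if af.startswith("ipv4 vrf ") else "global"


def parse_bgp(config):
    """Return ({(scope, ip): {remote-as, update-source}}, {ip: set of activated AFs})."""
    sessions, activations = {}, defaultdict(set)
    af = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("address-family "):
            af = line[len("address-family "):]
        elif line == "exit-address-family" or line.startswith("router bgp "):
            af = "global"
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        ip, keyword, arg = m.groups()
        if keyword in ("remote-as", "update-source"):      # session properties
            sessions.setdefault((session_scope(af), ip), {})[keyword] = arg
        elif keyword == "activate":                         # interest in this address-family
            activations[ip].add(af)
    return sessions, activations


def audit(config):
    """Per neighbor, the address-families (hence NLRI types) it is activated for,
    plus findings for activations with no session and sessions with no activation."""
    sessions, activations = parse_bgp(config)
    report = {ip: sorted(afs) for ip, afs in activations.items()}
    findings = []
    for ip, afs in sorted(activations.items()):
        for af in sorted(afs):
            if "remote-as" not in sessions.get((session_scope(af), ip), {}):
                findings.append(f"{ip}: activated in '{af}' but no remote-as in scope '{session_scope(af)}'")
    for (scope, ip), props in sorted(sessions.items()):
        if "remote-as" in props and ip not in activations:
            findings.append(f"{ip}: session defined in scope '{scope}' but activated in no address-family")
    return report, findings


def vpnv4_peers(config):
    """Only neighbors activated under vpnv4 are sent VPNv4 NLRI (VPN routes with their labels)."""
    _, activations = parse_bgp(config)
    return sorted(ip for ip, afs in activations.items() if any(a.startswith("vpnv4") for a in afs))


if __name__ == "__main__":
    report, findings = audit(SAMPLE_CONFIG)
    for ip, afs in sorted(report.items()):
        print(ip, afs)
    print(vpnv4_peers(SAMPLE_CONFIG))   # ['192.0.2.2']
    print(findings)                     # one finding, for 198.51.100.6 in VRF-2
```

The report shows the answer's point directly: 192.0.2.1 has a session under router bgp but is only activated for ipv4, so it gets IPv4 unicast routes and nothing else, while 192.0.2.2 reuses the same kind of session and is the only peer that receives VPNv4 NLRI. The CE neighbor in VRF-1 carries its own remote-as inside the VRF address-family, which is why it is the one place outside router bgp where that command appears.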

Hi Giuseppe,

Thanks a lot.

Your quick & comprehensive updates have helped me improve my understanding of MPLS & MP-BGP to a great extent.