Basic VPN Question

David Imrie
Level 1

Hi

I was wondering if someone could explain a VPN concept to me.

I have been taught to create VPNs by creating a VRF on the PE router which exchanges information with BGP.

If my CE router is using a further 2 interfaces and each wishes to independently access different VPNs via the PE, but they still want to be able to access each other, how is this achieved?

I'm working with an MPLS, OSPF, IP based network.

Basic topology attached

12 Replies

andrew.prince
Level 10

David,

Surely since you are creating VRFs - you have been using Route Distinguishers?????

Yes? As I understand it the RD is a unique identifier for the VRF instance.

The example I have is:

ip vrf VPN1
 rd 999:1
 route-target both 64999:1
router bgp 64999
 no bgp default ipv4-unicast
 neighbor 10.10.10.11 remote-as 64999
 neighbor 10.10.10.11 update-source fa0/0
 address-family vpnv4
  neighbor 10.10.10.11 activate

It then goes on to set up RIP and redistribute the BGP entries via RIP.

My question is that if I only want some subnets/interfaces on the router attached to this PE router to access the VPN, how do I do that? Do I use access lists of some kind? As both interfaces on the client router will be able to route to the VPN with this setup, which I don't want.

This is a lab, right - you are not trying to do this on a production network?

Yes.. I am just learning in GNS3.

Use your favourite search engine for "vrf route leaking"

Hth.

Hi David

The principle of VPNs (although I would recommend using the term L3VPN to avoid confusion with IPsec-oriented VPNs) is the separation of routing information from different customers. This is done with VPN Routing and Forwarding (VRF) instances, using route distinguishers (RD) to make a prefix unique and route-targets (extended BGP communities) to identify which of those prefixes will be installed into the customer-specific Forwarding Information Base (FIB), aka routing table.

In its simplistic form, a different customer will have a different route-target community and separate route-distinguishers, but it's possible to create very complicated hub-spoke, partial-mesh L3VPNs with VRF route-maps.

Regards

Derek

Sent from Cisco Technical Support iPhone App

Thanks for the help guys. I think I am failing somewhere when it comes to basic understanding of setting up VRF or BGP though, as I can't get a simple point-to-point link to share routing info.

Can anyone tell me what I am doing wrong, looking at my router configs?

---------------------------------------
ROUTER PE1:
--------------------------------------
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
ip vrf 2_ADM_PAY
 rd 999:1
 route-target export 64999:1
 route-target import 64999:1
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding 2_ADM_PAY
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
 !
 address-family ipv4 vrf 2_ADM_PAY
  redistribute bgp 64999 metric 1
  no auto-summary
 exit-address-family
!
router bgp 64999
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 4.4.4.4 remote-as 64999
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 2_ADM_PAY
  redistribute rip metric 1
  no synchronization
 exit-address-family
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

-----------------------------------------------
Router PE2:
----------------------------------------------
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
ip vrf 2_ADM_PAY
 rd 999:1
 route-target export 64999:1
 route-target import 64999:1
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding 2_ADM_PAY
 ip address 10.1.1.6 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.9 255.255.255.252
 duplex auto
 speed auto
 mpls label protocol ldp
 mpls ip
!
router ospf 1
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
router rip
 version 2
 !
 address-family ipv4 vrf 2_ADM_PAY
  redistribute bgp 64999 metric 1
  network 10.0.0.0
  no auto-summary
 exit-address-family
!
router bgp 64999
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 64999
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 2_ADM_PAY
  redistribute rip metric 1
  no synchronization
 exit-address-family
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

David - basically your config is wrong in a few places. When I was learning to configure MPBGP/VRF/MPLS for the first time, I took a stepped approach and it worked for me. I did the steps below:

1) Get basic OSPF working with both sides seeing the Loopbacks.

2) Get LDP working from end to end - confirm with label debugs.

3) Get basic BGP working.

4) Configure the VRFs to the local interfaces only - confirm the VRF routing tables.

5) Configure the VRF routing protocol.

6) Configure the MPBGP.

Then see where you are.

Hope this is helpful.

derekwalker
Level 1

I'm only able to read the PE1 configuration correctly, but based on that, move the network statement under router rip to the VRF address family; this will enable RIP on the VRF-specific interface. Another recommendation, but not critical, is to have redistribute connected in the BGP address-family VRF as well.

Sent from Cisco Technical Support iPhone App
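A config lint for the mistake derekwalker points out, added here as an example and not something posted in the thread or shipped by Cisco: it parses an indented IOS config, finds interfaces bound to a VRF, and reports any whose subnet is not covered by a "network" statement inside that VRF's RIP address-family (a statement under global "router rip" does not count, which is exactly what bit PE1). The sample configs are constructed to mirror the posted PE1 before and after the fix; parse_tree, rip_networks, vrf_interfaces, covered and lint_rip_vrf are my own names.

```python
import ipaddress
def parse_tree(config: str) -> dict:
    """Nest an indented IOS config into dicts keyed by command text."""
    root, stack = {}, []                 # stack: (indent depth, block) path to the current line
    for raw in config.splitlines():
        text, depth = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if text and text != "!":         # blank lines and '!' separators carry nothing
            while stack and stack[-1][0] >= depth:
                stack.pop()
            stack.append((depth, (stack[-1][1] if stack else root).setdefault(text, {})))
    return root

def rip_networks(block: dict) -> list:
    nets = []
    for addr in (l.split()[1] for l in block if l.startswith("network ")):
        first = int(addr.split(".")[0])  # RIP 'network' is classful: the first octet fixes the mask
        nets.append(ipaddress.ip_network(f"{addr}/{8 if first < 128 else 16 if first < 192 else 24}", strict=False))
    return nets

def vrf_interfaces(tree: dict) -> dict:
    out = {}                             # VRF name -> connected networks of interfaces bound to it
    for cmd, sub in tree.items():
        vrf = [l.split()[-1] for l in sub if l.startswith("ip vrf forwarding ")]
        addr = [l.split()[2:4] for l in sub if l.startswith("ip address ")]
        if cmd.startswith("interface ") and vrf and addr:
            out.setdefault(vrf[0], []).append(ipaddress.ip_interface("/".join(addr[0])).network)
    return out

def covered(net, block: dict) -> bool:
    return any(net.subnet_of(n) for n in rip_networks(block))

def lint_rip_vrf(config: str) -> list:
    """One finding per VRF-bound interface on which RIP will not run; [] when the config is clean."""
    tree = parse_tree(config)
    rip = tree.get("router rip", {})
    return [f"{vrf}: {net} covered by {'global router rip only' if covered(net, rip) else 'no network statement'}; "
            f"RIP needs it under address-family ipv4 vrf {vrf}"
            for vrf, nets in vrf_interfaces(tree).items() for net in nets
            if not covered(net, rip.get(f"address-family ipv4 vrf {vrf}", {}))]

# Constructed sample mirroring PE1 as posted: 'network 10.0.0.0' sits under global router rip.
PE1_BROKEN = """\
interface FastEthernet0/0
 ip vrf forwarding 2_ADM_PAY
 ip address 10.1.1.2 255.255.255.252
router rip
 network 10.0.0.0
 address-family ipv4 vrf 2_ADM_PAY
  redistribute bgp 64999 metric 1
"""
# The fix the thread arrives at: the same statement moved into the VRF address-family.
PE1_FIXED = PE1_BROKEN.replace("\n network 10.0.0.0", "").replace("metric 1\n", "metric 1\n  network 10.0.0.0\n")
```

lint_rip_vrf(PE1_BROKEN) returns one finding naming the global router rip block; lint_rip_vrf(PE1_FIXED) returns an empty list.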

Thanks.

I found that it worked once I added 10.0.0.0 under the address family.

I'm still completely clueless how to have multiple VPNs terminating at different points on the same site though.

To have another L3VPN/customer on the same PE all you need is another interface where that customer connects and you build another specific VRF for them.

See below, the important items:

1. New VRF Name, RD and RT values

2. New f0/3 interface

3. Same routing parameters but all under a new address-family

4. The interface IP address is identical to the previous VRF, this is deliberate to show that different VRFs/customers can have duplicate addressing.

ip vrf customer3
 rd 999:3
 route-target export 64999:3
 route-target import 64999:3
!
interface FastEthernet0/3
 ip vrf forwarding customer3
 ip address 10.1.1.2 255.255.255.252
!
router rip
 address-family ipv4 vrf customer3
  redistribute bgp 64999 metric 1
  network 10.0.0.0
  no auto-summary
 exit-address-family
!
router bgp 64999
 address-family ipv4 vrf customer3
  redistribute rip metric 1
  no synchronization
 exit-address-family

Hope this helps

Sent from Cisco Technical Support iPhone App

Is multiple VRFs not the technique known as VRF-lite? I have been asked to complete this exercise without using "MPLS lite", though I'm sure my tutor meant VRF-lite.