Tuesday, January 31, 2012

MPLS LAYER 3 VPNS
-----------------
Combines the logic of MPLS tunnels with separation of Layer 3 routing information
PEs learn customer routes from CEs
PEs advertise CE routes to other PEs via BGP
BGP next hop points to an MPLS tunnel
 e.g. the loopback of the remote PE router
How MPLS L3VPN Works
--------------------
MPLS L3VPN has 2 basic components
 - Separation of customer routing information
    - Virtual Routing + Forwarding (VRF) instance
    - Each customer has a different "virtual" routing table
 - Exchange of customer routing information
   - MP-BGP over the MPLS network
   - Traffic is label switched towards the BGP next hop

Virtual Routing & Forwarding
-----------------------------
Each VRF has its own routing table
   - show ip route vrf [name|*]
   - show ip route (global table only)
VRF + global routes are separate
   - implies addresses can overlap in different VRFs
   - implies VRFs can't talk to each other because they have no routes to each other
VRF without MPLS is considered VRF Lite

A route distinguisher (RD) is an attribute assigned to a VRF which keeps overlapping customer
routes globally unique in the VPNv4 BGP table

! RD must be unique per router; VRF names are case-sensitive and must match
! the name used under "ip vrf forwarding"
ip vrf A
 rd 1:1
ip vrf B
 rd 1:2
!
interface FastEthernet0/0.49
 ip vrf forwarding A
 ip address 10.1.49.4 255.255.255.0
interface FastEthernet0/0.103
 ip vrf forwarding B
 ip address 10.164.48.2 255.255.255.0

When we are troubleshooting we need to use VRF-aware commands

Verification is now routing-table specific: "ping 1.2.3.4" means 1.2.3.4 in the global
routing table
For a VRF table we need
ping vrf <name> 1.2.3.4
traceroute vrf <name> 1.2.3.4
telnet 1.2.3.4 /vrf <name>

VRF Aware Routing
-----------------
Routing inside a VRF can be through
  - VRF-aware static routes
  - VRF-aware IGPs (OSPF, RIP, EIGRP, IS-IS)
  - MP-BGP
  - policy routing

VRF LITE VS MPLS VPNS
----------------------
In VRF Lite all devices in the transit path must carry all customer routes
  - same as normal IP routing logic
In MPLS VPNs only the PE routers need the customer routes
Accomplished through VPNv4 routes
   - RD + prefix makes the VPN route globally unique
MPLS VPN label
   - PE routers exchange a label for each customer route via VPNv4 (tells the receiving PE
     which VRF the route belongs to)
Transport label
   - Label toward the PE BGP next hop (identifies which PE the route came from, so the data
     plane knows which PE to label switch the traffic to)

The Route Distinguisher makes prefixes unique. If we are receiving routes from both Customer
A and Customer B, they may be using overlapping prefixes, say 10.0.0.0/24; what is there to
distinguish Customer A's 10.0.0.0/24 from Customer B's? That is the route distinguisher's sole
purpose. We assign a unique route distinguisher to each customer VRF and it is prepended to
each received prefix, making the resulting VPNv4 route globally unique.

The Route Target is another, separate attribute. It is a BGP extended community and is used
to define VPN membership.

For example, Customer A site 1 sends its routes via EIGRP to the PE router. The PE router
assigns the relevant route distinguisher and route target and redistributes the routes into
Multiprotocol BGP, which then sends them to the other PE routers. The route target tells the
other PE which VRF table the received routes are for, so it checks it and then imports the
routes into the relevant VRF.

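To make the VRF separation above and the RD/RT mechanics in the last few paragraphs concrete, here is an added Python model. It is not part of these notes and not Cisco code; it models two PEs, each with a global table and per-VRF tables, shows that a lookup in the global table does not see a VRF route (the "ping" vs "ping vrf" behaviour), prepends the RD to produce unique VPNv4 keys for two customers that both use 10.0.0.0/24, attaches a VPN label and the advertising PE's loopback as next hop, and imports routes on the remote PE only into the VRF whose import route target matches. The PE names, loopbacks, RDs, route targets, the 10.0.0.0/24 customer prefix and the label values are constructed assumptions.

```python
"""Constructed model of VRF tables, RD-based VPNv4 uniqueness and RT-based import.
Added example, not from the original notes; all names and numbers are assumed."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

GLOBAL = "global"  # the default (non-VRF) routing table


class PE:
    """One provider-edge router: a global table plus one table per VRF."""

    def __init__(self, name: str, loopback: str) -> None:
        self.name = name
        self.loopback = loopback  # BGP next hop = MPLS tunnel endpoint (transport label target)
        self.tables: Dict[str, Dict[IPv4Network, str]] = {GLOBAL: {}}
        self.vrfs: Dict[str, dict] = {}  # vrf -> rd / export_rt / import_rt
        self._next_label = 16  # VPN labels handed out per exported route (assumed start)

    def ip_vrf(self, name: str, rd: str, export_rt: str, import_rt: str) -> None:
        """Equivalent of 'ip vrf NAME / rd RD / route-target export|import RT'."""
        if rd in (v["rd"] for v in self.vrfs.values()):
            raise ValueError(f"RD {rd} already used on {self.name}; RD must be unique per PE")
        self.vrfs[name] = {"rd": rd, "export_rt": export_rt, "import_rt": import_rt}
        self.tables[name] = {}

    def add_route(self, table: str, prefix: str, next_hop: str) -> None:
        """Install a route in exactly one table (global or a VRF)."""
        self.tables[table][ip_network(prefix)] = next_hop

    def lookup(self, table: str, dst: str) -> Optional[str]:
        """Longest-prefix match in ONE table: 'ping X' uses global, 'ping vrf V X' uses V."""
        addr = ip_address(dst)
        best = None
        for net in self.tables[table]:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return None if best is None else self.tables[table][best]

    def export_vpnv4(self) -> Dict[Tuple[str, str], dict]:
        """Turn each VRF route into an (RD, prefix) VPNv4 route with RT, VPN label, next hop."""
        out: Dict[Tuple[str, str], dict] = {}
        for vrf, cfg in self.vrfs.items():
            for net in self.tables[vrf]:
                key = (cfg["rd"], str(net))  # RD makes overlapping customer prefixes unique
                out[key] = {"rt": cfg["export_rt"], "label": self._next_label,
                            "next_hop": self.loopback, "origin_vrf": vrf}
                self._next_label += 1
        return out

    def import_vpnv4(self, routes: Dict[Tuple[str, str], dict]) -> List[Tuple[str, str]]:
        """Install each received VPNv4 route in every VRF whose import RT matches its RT."""
        installed = []
        for (rd, prefix), attrs in routes.items():
            for vrf, cfg in self.vrfs.items():
                if attrs["rt"] == cfg["import_rt"]:
                    # The RD is dropped on import; the VRF table holds the plain IPv4 prefix,
                    # pointing at the remote PE loopback (transport) plus the VPN label.
                    self.tables[vrf][ip_network(prefix)] = f"{attrs['next_hop']} label {attrs['label']}"
                    installed.append((vrf, prefix))
        return installed


def demo() -> dict:
    """Two customers with the same prefix on PE1, carried to PE2 over VPNv4."""
    pe1, pe2 = PE("PE1", "1.1.1.1"), PE("PE2", "2.2.2.2")
    for pe in (pe1, pe2):
        pe.ip_vrf("A", rd="1:1", export_rt="100:1", import_rt="100:1")
        pe.ip_vrf("B", rd="1:2", export_rt="100:2", import_rt="100:2")
    pe1.add_route(GLOBAL, "155.0.3.0/24", "FastEthernet0/0.12")
    pe1.add_route("A", "10.0.0.0/24", "FastEthernet0/0.16")  # customer A
    pe1.add_route("B", "10.0.0.0/24", "FastEthernet0/0.13")  # customer B, same prefix
    vpnv4 = pe1.export_vpnv4()
    installed = pe2.import_vpnv4(vpnv4)
    return {
        "global_lookup": pe1.lookup(GLOBAL, "10.0.0.1"),  # None: not in global table
        "vrf_a_lookup": pe1.lookup("A", "10.0.0.1"),
        "vpnv4_keys": sorted(vpnv4),  # two distinct keys for one prefix
        "installed": installed,
        "pe2_a": pe2.lookup("A", "10.0.0.1"),
        "pe2_b": pe2.lookup("B", "10.0.0.1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two RT values are the only thing keeping Customer B's 10.0.0.0/24 out of Customer A's VRF on PE2; a misconfigured import RT would leak one customer's routes into the other's table, which is the check worth auditing on a real PE.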
LAB
---

OK, we look at creating a few VRFs on r1

OK, so I have created VRF A
r1(config)#ip vrf A
r1(config-vrf)#rd 110:10
I will assign it to the interface fa0/0.16, the link connecting to r6
r1(config-vrf)#int fa0/0.16
r1(config-subif)#ip vrf forwarding A
% Interface FastEthernet0/0.16 IP address 155.0.2.1 removed due to enabling VRF A
r1(config-subif)#ip a
*Mar  1 00:27:34.711: %OSPF-5-ADJCHG: Process 200, Nbr 6.6.6.6 on FastEthernet0/0.16 from FULL to DOWN, Neighbor Down: Interface down or deta
r1(config-subif)#ip address 155.0.2.1 255.255.255.0
r1(config-subif)#


r1#sh ip ro
*Mar  1 00:29:47.731: %SYS-5-CONFIG_I: Configured from console by consoleute
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     155.0.0.0/24 is subnetted, 2 subnets
C       155.0.3.0 is directly connected, FastEthernet0/0.12
C       155.0.5.0 is directly connected, FastEthernet0/0.13

We notice the route 155.0.2.0 is no longer in the global routing table

It is in the VRF table

r1#sh ip route vrf A
Routing Table: A
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     155.0.0.0/24 is subnetted, 1 subnets
C       155.0.2.0 is directly connected, FastEthernet0/0.16


r1(config)#ip vrf B
r1(config-vrf)#rd 111:11
r1(config-vrf)#int fa0/0.13
r1(config-subif)#ip vrf forwarding B
% Interface FastEthernet0/0.13 IP address 155.0.5.1 removed due to enabling VRF B
r1(config-subif)#ip address 155.0.5.1 255.255.255.0
r1(config-subif)#exit
Notice below that 155.0.5.0 has been removed from the global routing table

r1#sh ip rou
*Mar  1 00:35:40.475: %SYS-5-CONFIG_I: Configured from console by consolete
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     155.0.0.0/24 is subnetted, 1 subnets
C       155.0.3.0 is directly connected, FastEthernet0/0.12

If I try to ping 155.0.5.1, which is a directly connected interface:
r1#ping 155.0.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.0.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#

I need to view the VRF-aware commands
r1#sh ip route vrf B
Routing Table: B
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     155.0.0.0/24 is subnetted, 1 subnets
C       155.0.5.0 is directly connected, FastEthernet0/0.13
r1#


r1#ping vrf B 155.0.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.0.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
r1#
r1#

The point is that we are segregating the interfaces from each other.


2 comments:

  1. Thanks for the MPLS layer 3 configuration. These scripts work fine. Good solution for VPN clients.
    10webhostingservice