Implementing MPLS Layer 3 VPN Backbones

Implementing MPLS Layer 3 VPN Backbones
MPLS Layer 3 VPNs
© 2012 Cisco and/or its affiliates. All rights reserved. SPEDGE v1.0—2-1
Objectives
• Describe VRF
• Enable VRF
• Enable MP-BGP
Virtual Routing and Forwarding
Layer 3 MPLS VPNs
• Customers connect to service provider via IP
• Service provider uses MPLS to forward packets between edge routers
• Service provider enables any-to-any connectivity between sites
belonging to the same VPN
• Service provider uses virtual routers to isolate customer routing
information
• Customers can use any addressing inside their VPN
IP IP
Site 1 Site 3
IP
+
MPLS
Site 2 IP IP Site 4
VPNA
VRF Table
• A VRF is the routing and forwarding instance for a set of sites with
identical connectivity requirements.
• Data structures associated with a VRF are as follows:
- IP routing table
- Cisco Express Forwarding table
- Set of rules and routing protocol parameters (routing protocol contexts)
- List of interfaces that use the VRF
• Other information associated with a VRF is as follows:
- Route distinguisher
- Set of import and export route targets
Need for Routing Protocol Contexts
10.1.1.0/24 • There are two backbones with
overlapping addresses.
RIP
VPN A
CE-A MPLS VPN
RIP Backbone
PE Router
VPN B CE-B Address Conflict
10.1.1.0/24 • RIP is running in both VPNs.
• RIP in VPN A has to be different from

RIP in VPN B.
• Cisco IOS Software supports only
one RIP process per router.
VPN-Aware Routing Protocols
Routing context = routing protocol run in one VRF
• Supported by VPN-aware routing protocols: External BGP (EBGP),
EIGRP, OSPF, RIPv2, IS-IS, static routes
• Implemented as several instances of a single routing process
(EIGRP, EBGP, RIPv2, IS-IS) or as several routing processes (OSPF)
• Independent per-instance router variables for each instance
VRF Table
• Contains routes that should be available to a particular set of sites
• Analogous to standard Cisco IOS Software routing table; supports same
set of mechanisms
• VPN interfaces (physical interface, subinterfaces, logical interfaces)
assigned to VRFs:
- Many interfaces per VRF
- Each interface assignable to only one VRF
BGP Route Propagation—Outbound
PE Router
VRF-A Routing Table BGP Routing
Process
Backbone
VRF-B Routing Table Multiprotocol
BGP
Instance for VRF-A
CE-BGP-A
Instance for VRF-B
CE-BGP-B
• Two VPNs are attached to the same PE router.

• Each VPN is represented by a VRF.
BGP Route Propagation—Outbound (Cont.)
PE Router
Process
Backbone
BGP
Instance for VRF-A
CE-BGP-A
Instance for VRF-B
CE-BGP-B
• BGP-speaking CE routers announce their prefixes to the PE router via BGP.

• The instance of the BGP process associated with the VRF of the PE-CE interface collects
the routes and inserts them into the VRF routing table.
BGP Route Propagation—Outbound (Cont.)
PE Router
Process
Backbone
BGP
Instance for VRF-A
CE-BGP-A
Instance for VRF-B
CE-BGP-B
• The route distinguishers are prepended during the route export to the BGP routes from the
VRF instance of the BGP process to convert them into VPNv4 prefixes. Route targets are
attached to these prefixes.
• VPNv4 prefixes are propagated to other PE routers.
BGP Route Propagation—Inbound
PE Router
Process
Backbone
BGP
Instance for VRF-A
CE-BGP-A
Instance for VRF-B
CE-BGP-B
• VPNv4 prefixes are received from other PE routers.

• The VPNv4 prefixes are inserted into the proper VRF routing tables based
on their route targets and the import route targets configured in VRFs.
• The route distinguisher is removed during this process.
BGP Route Propagation—Inbound (Cont.)
PE Router
Process
Backbone
BGP
Instance for VRF-A
CE-BGP-A
Instance for VRF-B
CE-BGP-B
• Routes are received from backbone MP-BGP and imported into a VRF.
• IPv4 routes are forwarded to EBGP CE neighbors attached to
that VRF.
BGP Route Propagation Example
PE Router
RD: 1:100 Imp. RT: 1:100 Process
172.16.10.0/24
Backbone
BGP
1:100 172.16.10.0/24
172.16.10.0/24 RT: 1:100
Instance for VRF-A
172.16.10.0/24
CE-BGP-A
Instance for VRF-B
CE-BGP-B
Non-BGP Route Propagation—Outbound
PE Router
RIP Routing Process
Instance for VRF-A Process
CE-RIP-A Backbone
Instance for VRF-B VRF-B Routing Table Multiprotocol
BGP
CE-RIP-B
Instance for VRF-A
Instance for VRF-B
• RIP-speaking CE routers announce their prefixes to the PE router via RIP.

• The instance of the RIP process associated with the VRF of the PE-CE interface
collects the routes and inserts them into the VRF routing table.
Non-BGP Route Propagation—Outbound (Cont.)
PE Router
RIP Routing Process
CE-RIP-A Backbone
BGP
CE-RIP-B
Instance for VRF-A
Instance for VRF-B
• The RIP routes entered in the VRF routing table are redistributed into BGP
for further propagation into the MPLS VPN backbone.
• Redistribution between RIP and BGP has to be configured for proper
MPLS VPN operation.
Non-BGP Route Propagation—Inbound
PE Router
RIP Routing Process
CE-RIP-A Backbone
BGP
CE-RIP-B
Instance for VRF-A
Instance for VRF-B
• The RIP routes entered in the VRF routing table are redistributed into BGP
for further propagation into the MPLS VPN backbone.
• Redistribution between RIP and BGP has to be configured for proper
MPLS VPN operation.
Non-BGP Route Propagation—Inbound (Cont.)
PE Router
RIP Routing Process
CE-RIP-A Backbone
BGP
CE-RIP-B
Instance for VRF-A
Instance for VRF-B
• Routes redistributed from BGP into a VRF instance of RIP are sent to RIP-speaking CE
routers.
Non-BGP Route Propagation Example
PE Router
RIP Routing Process
172.16.10.0/24 VRF-A Routing Table BGP Routing
Instance for VRF-A RD: 1:100 Imp. RT: Process
172.16.10.0/24 1:100 172.16.10.0/24
CE-RIP-A Backbone
BGP
CE-RIP-B
1:100 172.16.10.0/24
RT: 1:100
Instance for VRF-A
172.16.10.0/24
Instance for VRF-B
Enabling VRF
Enabling VRF (Cisco IOS and IOS XE Software)
Create a VRF table. Router(config)# ip vrf vrf-name
Assign an RD to the VRF. Router(config-vrf)# rd route-distinguisher

Router(config-vrf)# route-target export RT
Specify export and import route
targets. Router(config-vrf)# route-target import RT
Configure a VPN ID (optional). Router(config-vrf)# vpn id oui:vpn-index
Assign interfaces to VRFs. Router(config-if)# ip vrf forwarding vrf-name
Enabling VRF (Cisco IOS XR Software)
Create a VRF table. RP/0/RP0/CPU0:router(config)# vrf vrf-name
Enter VRF address

family configuration RP/0/RP0/CPU0:router(config-vrf)# address-family ipv4 unicast
mode for the IPv4
address family.
Specify import route RP/0/RP0/CPU0:router(config-vrf-af)# import route-target [as-
targets. number:nn | ip-address:nn]
Specify export route RP/0/RP0/CPU0:router(config-vrf-af)# export route-target [as-

targets. number:nn | ip-address:nn]
Assign interfaces RP/0/RP0/CPU0:router(config-if)# vrf vrf-name

to VRFs.
Creating VRF Tables
Router(config)#
Cisco IOS and ip vrf vrf-name
IOS XE
RP/0/RP0/CPU0:router(config)#
Cisco IOS XR vrf vrf-name
• This command creates a new VRF or enters configuration of an

existing VRF.
• VRF names are case-sensitive.
• VRF names have only local significance.
Assigning RDs
• This command assigns a route distinguisher to a VRF.
• A VRF is not operational unless you configure an RD.
• You can use the ASN:nn or A.B.C.D:nn format for RD.
• Each VRF in a PE router must have a unique RD.
Cisco IOS and IOS XE configuration

RD is configured under VRF configuration area
Router(config)#ip vrf vrf-name

Router(config-vrf)#rd route-distinguisher
Cisco IOS XR configuration

RD is configured under BGP configuration area
Router(config)#router bgp AS
Router(config-bgp)#vrf vrf-name
Router(config-bgp-vrf)#rd route-distinguisher
VRF Address Family Configuration
RP/0/RP0/CPU0:router(config-vrf)#
address-family ipv4 unicast
• Cisco IOS XR Software only

• This command allows you to enter VRF address family configuration
mode for the IPv4 address family
Specifying Export and Import RTs
Router(config-vrf)#
route-target export RT
• Specifies an RT to be attached to every route exported from this
VRF to Multiprotocol Border Gateway Protocol
• Allows specification of many export RTs—all to be attached to
every exported route
Router(config-vrf)#
route-target import RT
• Specifies an RT to be used as an import filter. (Only routes
matching the RT are imported into the VRF.)
• Allows specification of many import RTs. (Any route where at least
one RT attached to the route matches any import RT is imported
into the VRF.)
Because of implementation issues, in Cisco IOS Release 12.4(T) and earlier, at least
one export route target must also be an import route target of the same VRF.
Specifying Export and Import RTs (Cisco IOS XR
Software)
RP/0/RP0/CPU0:router(config-vrf-af)#
export route-target [as-number:nn | ip-address:nn]
• Allows specification of many export RTs—all to be attached to every
exported route
RP/0/RP0/CPU0:router(config-vrf-af)#
import route-target [as-number:nn | ip-address:nn]
• Allows specification of many import RTs. (Any route where at least one RT
attached to the route matches any import RT is imported into the VRF.)
What Is a VPN ID?
• A VPN identifier (VPN ID) allows you to identify VPNs by an ID number.
- Not used to control distribution of routing information
- Not used to associate IP addresses with VPN IDs in routing updates
- Is stored on the VRF structure for a VPN
• Has the following elements:
- OUI (three-octet hexadecimal number)
- A VPN index (four-octet hexadecimal number identifying the VPN within the
company)
• Configure all PE routers that belong to the same VPN with the same
VPN ID.
• Make the VPN ID unique to the service provider network.
Configuring VPN IDs
Router(config)#
ip vrf vrf-name
• Creates a VRF routing table and a Cisco Express Forwarding table
and enters VRF configuration mode
Router(config-vrf)#
vpn id oui:vpn-index
• Assigns the VPN ID to the VRF
Assigning an Interface to a VRF Table
Router(config-if)#
Cisco IOS and ip vrf forwarding vrf-name
IOS XE
RP/0/RP0/CPU0:router(config-if)#
Cisco IOS XR vrf vrf-name
• This command associates an interface with the specified VRF.

• The existing IP address is removed from the interface when the
interface is put into the VRF—the IP address must be reconfigured.
• Cisco Express Forwarding switching must be enabled on the interface.
MPLS VPN Network Example
MPLS VPN Backbone
CE-A1 AS 64500 CE-A2
IOS
and IOS XE IOS XR
CE-B1 CE-B2
PE-X PE-Y
vrf Customer_A
address-family ipv4 unicast
ip vrf Customer_A import route-target 64500:11
rd 6111:11 export route-target 64500:11
route-target both 64500:11 !
! vrf Customer_B
ip vrf Customer_B address-family ipv4 unicast
rd 6111:12 import route-target 64500:12
route-target both 64500:12 export route-target 64500:12
! !
interface GigabitEthernet1/0/0 interface GigabitEthernet0/0/0/0
ip vrf forwarding Customer_A vrf Customer_A
ip address 10.1.0.1 255.255.255.252 ipv4 address 10.1.0.1 255.255.255.252
! !
interface GigabitEthernet1/1/0 interface GigabitEthernet0/0/0/2
ip vrf forwarding Customer_B vrf Customer_B
ip address 10.2.0.1 255.255.255.252 ipv4 address 10.2.0.5 255.255.255.252
VRF-Lite
• “VRF-Lite” equals “VRF without the need to run MPLS between the PE
and CE.”
• VRF-Lite is a feature that enables a service provider to support two or
more VPNs.
• VRF-Lite includes these devices: CE, PE, and routers in a service
provider network.
• VRF-Lite interfaces must be Layer 3 interfaces.
• Multiple customers can share one CE, and only one physical link is used
between the CE and the PE.
VRF-Lite: VRF and Interface Configuration
CE and PE
VRF-Lite
Routers
VRF Configuration
fa1/0 ip vrf VPN-1
VPN-1
rd 64500:1
route-target both 64500:1
!
fa3/0 fa1/0 ip vrf VPN-2
VPN-2 rd 64500:2
fa1/1 route-target both 64500:2
interface fastethernet1/0 interface fastethernet1/0.10

ip vrf forwarding VPN-1 ip vrf forwarding VPN-1
ip address 10.0.1.1 255.255.255.0 ip address 192.168.1.2 255.255.255.0
! !
interface fastethernet1/1 interface fastethernet1/0.20
ip vrf forwarding VPN-2 ip vrf forwarding VPN-2
ip address 10.0.2.1 255.255.255.0 ip address 192.168.2.2 255.255.255.0
!
interface fastethernet3/0.10
ip vrf forwarding VPN-1
ip address 192.168.1.1 255.255.255.0
!
interface fastethernet3/0.20
ip vrf forwarding VPN-2
ip address 192.168.2.1 255.255.255.0
VRF-Lite: PE-CE Connections Using BGP
VRF-Lite
Routers
router ospf 101 vrf VPN-1 VPN-1 fa1/0
network 10.0.1.0 255.255.255.0 area 0
redistribute bgp 64500 subnets
!
router ospf 102 vrf VPN-2 fa3/0 fa1/0
network 10.0.2.0 255.255.255.0 area 0 VPN-2 fa1/1
redistribute bgp 64500 subnets
!
router bgp 64500 router bgp 64500
address-family ipv4 vrf VPN-1 address-family ipv4 vrf VPN-1
neighbor 192.168.1.2 remote-as 64500 neighbor 192.168.1.1 remote-as 64500
neighbor 192.168.1.2 activate neighbor 192.168.1.1 activate
redistribute ospf 101 !
! address-family ipv4 vrf VPN-2
address-family ipv4 vrf VPN-2 neighbor 192.168.2.1 remote-as 64500
neighbor 192.168.2.2 remote-as 64500 neighbor 192.168.2.1 activate
neighbor 192.168.2.2 activate !
redistribute ospf 102 interface fastethernet1/0.10
! ip vrf forwarding VPN-1
interface fastethernet3/0.10 ip address 192.168.1.2 255.255.255.0
ip vrf forwarding VPN-1 !
ip address 192.168.1.1 255.255.255.0 interface fastethernet1/0.20
! ip vrf forwardingip VPN-2
interface fastethernet3/0.20 ip address 192.168.2.2 255.255.255.0
ip vrf forwardingip VPN-2 !
ip address 192.168.2.1 255.255.255.0
!
Enabling MP-BGP
MP-BGP
MP-BGP
PE P P PE
MPLS Backbone
• Layer 3 MPLS VPNs are implemented using MP-BGP to exchange VPN

routing information.
• MP-BGP is BGP version 4 with extensions to support other protocols
and applications:
- Layer 3 MPLS VPNs
- Virtual Private LAN Services (VPLS) using BGP autodiscovery
MP-BGP Configuration Tasks
MP-BGP
BGP BGP
PE P P PE
MPLS Backbone
• MP-BGP must be configured on edge routers only.

• Support for MPLS VPNs must be enabled.
• Steps required:
- Add address family vpnv4
- Activate neighbor in address family vpnv4
• Optional configuration settings
BGP Address Families
• The BGP process in an MPLS VPN-enabled router performs three
separate tasks:
- Global BGP routes (Internet routing) are exchanged as in a traditional BGP
setup.
- VPNv4 prefixes are exchanged through MP-BGP.
- VPN routes are exchanged with CE routers through per-VRF External Border
Gateway Protocol sessions or through route redistribution.
• Address families (routing protocol contexts) are used to configure these
three tasks in the same BGP process.
Configuring BGP Address Families (Cisco IOS
and IOS XE Software)
Router(config)#
router bgp as-number
• Selects global BGP routing process
Router(config-router)#
address-family vpnv4
• Selects configuration of VPNv4 prefix exchanges under MP-BGP
sessions
address-family ipv4 vrf vrf-name
• Selects configuration of per-VRF PE-CE EBGP parameters
Configuring BGP Address Families (Cisco IOS XR
Software)
RP/0/RP0/CPU0:router(config) #
• Selects global BGP routing process
RP/0/RP0/CPU0:router(config-bgp) #
address-family vpnv4 unicast
• Configures VPNv4 prefix
BGP Neighbors
• MP-BGP neighbors are configured under the BGP routing process:
- These neighbors need to be activated for each global address family that they
support.
- Per-address-family parameters can be configured for these neighbors.
• VRF-specific BGP neighbors are configured under corresponding
address families.
Configuring MP-IBGP on Cisco IOS and IOS XE
Software
Router(config)#
neighbor ip-address remote-as as-number
neighbor ip-address update-source interface-type
interface-number
• All MP-BGP neighbors have to be configured under the global BGP
routing configuration.
• MP-IBGP sessions have to run between loopback interfaces.
• This command starts configuration of MP-BGP routing for VPNv4 route
exchange.
• The parameters that apply only to MP-BGP exchange of VPNv4 routes
between already configured IBGP neighbors are configured under this
address family.
Configuring MP-IBGP on Cisco IOS and IOS XE
Software (Cont.)
Router(config-router-af)#
neighbor ip-address activate
• The BGP neighbor defined under BGP router configuration has to
be activated for VPNv4 route exchange.
neighbor ip-address next-hop-self
• The next-hop-self keyword can be configured on the MP-IBGP
session for MPLS VPN configuration if EBGP is being run with a
CE neighbor.
Configuring MP-IBGP on Cisco IOS XR Software
RP/0/RP0/CPU0:router(config) #
neighbor ip-address remote-as as-number
• Configures a neighbor and assigns it a remote autonomous system number
RP/0/RP0/CPU0:router(config-bgp-nbr) #
address-family vpnv4 unicast
• Enters address family configuration mode for the VPNv4 address family.
MP-BGP Community Propagation
neighbor ip-address send-community [standard | extended
| both]
• This command with the extended option is enabled by default by Cisco

IOS Software after the BGP neighbor has been activated for VPNv4
route exchange.
• The command can be used to enable propagation of standard BGP
communities attached to VPNv4 prefixes.
• Usage guidelines:
– Extended BGP communities attached to VPNv4 prefixes have to be
exchanged between MP-BGP neighbors for proper MPLS VPN
operation.
– To propagate standard BGP communities between MP‑BGP
neighbors, use the both option.
Disabling IPv4 Route Exchange
no bgp default ipv4-unicast
• Cisco IOS and IOS XE Software only

• The exchange of IPv4 routes between BGP neighbors is enabled by
default. Every configured neighbor will also receive IPv4 routes.
• This command disables the default exchange of IPv4 routes. Neighbors
that need to receive IPv4 routes have to be activated for IPv4 route
exchange.
• Use this command when the same router carries Internet and VPNv4
routes and you do not want to propagate Internet routes to some PE
neighbors.
Disabling IPv4 Route Exchange (Cont.)
• Neighbor 172.16.32.14 receives only Internet routes.
• Neighbor 172.16.32.15 receives only VPNv4 routes.
• Neighbor 172.16.32.27 receives Internet and VPNv4 routes.
router bgp 65173

no bgp default ipv4-unicast
neighbor 172.16.32.14 remote-as 65173
! Activate IPv4 route exchange
address-family ipv4
neighbor 172.16.32.14 activate
! Step#2 – VPNv4 route exchange
Configuring MP-IBGP: Example
MPLS VPN Backbone

CE-X1 CE-Y1
AS 64500
CE-X2 PE-Site-X PE-Site-Y CE-Y2
CE-X3 IOS XR IOS and IOS XE CE-Y3
interface loopback 0 interface loopback 0

ipv4 address 172.16.1.2 255.255.255.255 ip address 172.16.1.1 255.255.255.255
! !
router bgp 64500 router bgp 64500
address-family vpnv4 unicast neighbor 172.16.1.2 remote-as 64500
! neighbor 172.16.1.2 update-source loopback 0
neighbor 172.16.1.1 !
remote-as 64500 address-family vpnv4
update-source Loopback0 neighbor 172.16.1.2 activate
address-family vpnv4 unicast neighbor 172.16.1.2 next-hop-self
next-hop-self neighbor 172.16.1.2 send-community both
Summary
• A VRF table is a routing and forwarding instance that associates
additional attributes such as RD, import RT, and export RT to routing
entries.
• “VRF-Lite” equals “VRF without the need to run MPLS.”
• MP-BGP is responsible for allocating labels for VPN routes and
advertising them to other edge routers when using MPLS.

Implementing MPLS Layer 3 VPN Backbones

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Implementing MPLS Layer 3 VPN Backbones

Uploaded by

Copyright:

Available Formats

Implementing MPLS Layer 3 VPN Backbones

MPLS Layer 3 VPNs

10.1.1.0/24 • RIP is running in both VPNs.

• RIP in VPN A has to be different from

Instance for VRF-A

• Two VPNs are attached to the same PE router.

Instance for VRF-A

• BGP-speaking CE routers announce their prefixes to the PE router via BGP.

Instance for VRF-A

Instance for VRF-A

• VPNv4 prefixes are received from other PE routers.

Instance for VRF-A

Instance for VRF-A

Instance for VRF-B

• RIP-speaking CE routers announce their prefixes to the PE router via RIP.

Instance for VRF-A

Instance for VRF-B

Instance for VRF-A

Instance for VRF-B

Instance for VRF-A

Instance for VRF-B

Instance for VRF-B

Create a VRF table. Router(config)# ip vrf vrf-name

Assign an RD to the VRF. Router(config-vrf)# rd route-distinguisher

Configure a VPN ID (optional). Router(config-vrf)# vpn id oui:vpn-index

Assign interfaces to VRFs. Router(config-if)# ip vrf forwarding vrf-name

Create a VRF table. RP/0/RP0/CPU0:router(config)# vrf vrf-name

Enter VRF address

Specify export route RP/0/RP0/CPU0:router(config-vrf-af)# export route-target [as-

Assign interfaces RP/0/RP0/CPU0:router(config-if)# vrf vrf-name

• This command creates a new VRF or enters configuration of an

Cisco IOS and IOS XE configuration

Router(config)#ip vrf vrf-name

Cisco IOS XR configuration

address-family ipv4 unicast

• Cisco IOS XR Software only

• This command associates an interface with the specified VRF.

interface fastethernet1/0 interface fastethernet1/0.10

• Layer 3 MPLS VPNs are implemented using MP-BGP to exchange VPN

• MP-BGP must be configured on edge routers only.

• This command with the extended option is enabled by default by Cisco

• Cisco IOS and IOS XE Software only

router bgp 65173

MPLS VPN Backbone

CE-X2 PE-Site-X PE-Site-Y CE-Y2

CE-X3 IOS XR IOS and IOS XE CE-Y3

interface loopback 0 interface loopback 0

You might also like