MPLS – Layer 3 VPN configuration review on PE Routers, configuration of Provider Routers, and verification commands!

MPLS_Top1

Will be doing a very simple IGP setup using OSPFv2, MPLS, and doing some verification commands to demonstrate different ways to verify MPLS Bindings / LDP in action / Labels through the LSP (Label Switched Path).

However, first upon booting up my lab I saw my Layer 3 VPN tunnel throw a console message, so I want to do a semi-quick overview of the configurations on the Provider Edge routers that make that Layer 3 VPN tunnel come up with nothing configured on R2-R4!

Overview of what configurations go into making a Layer 3 VPN on PE Routers!

I wanted to leave L3 VPNs for the end of my MPLS studies (and mostly will), but I got a console message that perfectly demonstrates that Layer 3 VPNs come up despite the complete lack of Layer 3 connectivity to the remote PE Router – Courtesy of VRF and mBGP on the PE Routers.

Again R2-R4 “Core” routers actually do not have an IGP or MPLS configured, only correct IP Addressing configured, so there is no actual L3 connectivity!

The following console output is from R5-PE while booting up:

*Nov 22 21:02:05.347: %SYS-5-CONFIG_I: Configured from memory by console
*Nov 22 21:02:05.839: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 08-Aug-14 04:05 by prod_rel_team
*Nov 22 21:02:15.439: %BGP-5-ADJCHANGE: neighbor 192.168.202.2 vpn vrf 102:Back Up
*Nov 22 21:02:21.851: %SYS-3-CPUHOG: Task is running for (2060)msecs, more than (2000)msecs (4/4),process = Crypto CA.

I don’t see the “Looped” customer Layer 3 VPN coming up on R5-PE, and R1-PE shows no console messages at all, and my VPN verification commands I know of currently don’t show me anything (though they are for site-to-site IPSec VPN tunnels which these are not):

R5-PE#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

R5-PE#sh cry ipsec sa
No SAs found
R5-PE#sh vpn ?
% Unrecognized command

Got kind of desperate with the “sh vpn ?” there but nothing shows with that output, however BGP is a different story:

R5-PE#sh bgp ipv4 unicast summ
BGP router identifier 5.5.5.5, local AS number 65536
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4        65536       0       0        1    0    0 never    Idle
R5-PE#

The Neighbor is 1.1.1.1, though the Rx/Tx = 0, Up/Down = Never, State = Idle (which means it is essentially dead), so the Layer 3 VPN is not active though it came ‘Up’.

This Layer 3 VPN is similar to a GRE Tunnel interface (a core topic of the current CCNP R/S) in that GRE tunnel interfaces are stateless: they come Up/Up and remain that way unless brought down administratively or by an IGP Hold Timer.

The configs that allow for Layer 3 VPN to work on Provider Edge Routers

First I’ve updated the main Topology with all its IP’s to review the VPN configs against:

MPLS_EVE_All_IPs.png

I will go much more in depth, but I wanted a reference point for the configs I will just dump on here for contemplation, then move onto basic IGP / MPLS setup!

R1-PE Layer 3 VPN Configuration components

VRF:

vrf definition 101:Looped
 rd 1.1.1.1:1
 !
 address-family ipv4
  route-target export 1.1.1.1:101
  route-target import 5.5.5.5:101
 exit-address-family
!
vrf definition 102:Back
 rd 1.1.1.1:2
 !
 address-family ipv4
  route-target export 1.1.1.1:102
  route-target import 5.5.5.5:102
 exit-address-family

mBGP:

router bgp 65536
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 65536
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 101:Looped
  redistribute ospf 101
 exit-address-family
 !
 address-family ipv4 vrf 102:Back
  redistribute eigrp 102
 exit-address-family

R5-PE Layer 3 Configuration Components

VRF:

vrf definition 101:Looped
 rd 5.5.5.5:1
 !
 address-family ipv4
  route-target export 5.5.5.5:101
  route-target import 1.1.1.1:101
 exit-address-family
!
vrf definition 102:Back
 rd 5.5.5.5:2
 !
 address-family ipv4
  route-target export 5.5.5.5:102
  route-target import 1.1.1.1:102
 exit-address-family

mBGP:

router bgp 65536
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 65536
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
  neighbor 1.1.1.1 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf 101:Looped
  redistribute rip
 exit-address-family
 !
 address-family ipv4 vrf 102:Back
  neighbor 192.168.202.2 remote-as 65537
  neighbor 192.168.202.2 activate
 exit-address-family

Again I will only post the output as it relates to the IP Scheme at the top of this, I won’t go into how the configurations work until MPLS is covered pretty well, but wanted to throw this up to keep it handy for myself to review and understand the configurations.
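The route-target import/export pairs above are what keep the two customer VRFs apart, so here is an added example (not from the original lab or from Cisco) that audits them across both PEs. It assumes a VRF with the same name on R1-PE and R5-PE belongs to the same customer; the config text is constructed from the VRF sections shown above.

```python
import re

# Constructed input: VRF sections of the two PE configs in this post ("!" lines dropped).
TEMPLATE = """\
vrf definition 101:Looped
 rd {me}:1
 address-family ipv4
  route-target export {me}:101
  route-target import {peer}:101
vrf definition 102:Back
 rd {me}:2
 address-family ipv4
  route-target export {me}:102
  route-target import {peer}:102
"""
CONFIGS = {"R1-PE": TEMPLATE.format(me="1.1.1.1", peer="5.5.5.5"),
           "R5-PE": TEMPLATE.format(me="5.5.5.5", peer="1.1.1.1")}

def parse_vrfs(cfg):
    """vrf name -> {"export": set of RTs, "import": set of RTs}."""
    vrfs, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"vrf definition (\S+)", line):
            cur = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif cur and (m := re.match(r"route-target (export|import|both) (\S+)", line)):
            for kind in (("export", "import") if m.group(1) == "both" else (m.group(1),)):
                cur[kind].add(m.group(2))
    return vrfs

def audit(configs):
    """List imports that match no export, or that pull in another VRF's export."""
    parsed = {pe: parse_vrfs(cfg) for pe, cfg in configs.items()}
    exporters = {}  # route-target -> names of the VRFs that export it
    for vrfs in parsed.values():
        for name, rts in vrfs.items():
            for rt in rts["export"]:
                exporters.setdefault(rt, set()).add(name)
    findings = []
    for pe, vrfs in parsed.items():
        for name, rts in vrfs.items():
            for rt in sorted(rts["import"]):
                src = exporters.get(rt, set())
                if not src:
                    findings.append((pe, name, rt, "no VRF exports this RT"))
                elif src != {name}:
                    findings.append((pe, name, rt, "exported by " + ",".join(sorted(src))))
    return findings

if __name__ == "__main__":
    print(audit(CONFIGS))  # [] for the configs in this post
```

An import that matches another VRF's export is not always a mistake (shared-services designs do it on purpose), so treat those findings as items to review rather than errors.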

Finally onto configuring MPLS fairly quickly on the Core Provider network!

That got very off track, but fortunately MPLS is incredibly easy to configure, and both PE routers are fully configured for MPLS / OSPF so these routers should light right up as I run through the configs quick.

Configuration of the IGP OSPF for Layer 3 IP Connectivity:

R2-P#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2-P(config)#router ospf 1
R2-P(config-router)# log-adjacency-changes
R2-P(config-router)# network 10.0.0.0 0.255.255.255 area 0
R2-P(config-router)#
*Nov 22 21:34:32.047: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
R2-P(config-router)#
*Nov 22 21:35:15.895: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet1/0 from LOADING to FULL, Loading Done
R2-P(config-router)#


R3-P#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3-P(config)#router ospf 1
R3-P(config-router)# log-adjacency-changes
R3-P(config-router)# network 10.0.0.0 0.255.255.255 area 0
R3-P(config-router)#
*Nov 22 21:45:42.347: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet1/0 from LOADING to FULL, Loading Done
R3-P(config-router)#
*Nov 22 21:45:59.095: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet2/0 from LOADING to FULL, Loading Done
R3-P(config-router)#


R4-P#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4-P(config)#router ospf 1
R4-P(config-router)# log-adjacency-changes
R4-P(config-router)# network 10.0.0.0 0.255.255.255 area 0
R4-P(config-router)#
*Nov 22 21:34:42.699: %OSPF-5-ADJCHG: Process 1, Nbr 5.5.5.5 on FastEthernet0/0 from LOADING to FULL, Loading Done
R4-P(config-router)#
*Nov 22 21:35:23.055: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on FastEthernet2/0 from LOADING to FULL, Loading Done
R4-P(config-router)#

Perfection!

Of course always verify connectivity, for this I use a traceroute from R5-PE’s loopback 5.5.5.5 for the SRC and R1-PE’s loopback 1.1.1.1 as the DST:

R5-PE#traceroute 1.1.1.1 source 5.5.5.5
Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.45.0.4 60 msec 52 msec 44 msec
2 10.34.0.3 48 msec 48 msec 48 msec
3 10.23.0.2 72 msec 72 msec 76 msec
4 10.12.0.1 92 msec * 68 msec
R5-PE#

We have full connectivity, so onto the MPLS configuration of the Core routers

The Topology we are aiming for with MPLS Labels is as follows:

MPLS_Top1

This is configured in 3 easy steps:

  • Configuring the label range manually on each Core router (PE’s already configured)
  • Enable MPLS globally
  • Enable MPLS per interface so LDP advertises to that neighbor

Let’s do it:

R2-P(config)#mpls label range 200 299
R2-P(config)#
R2-P(config)#mpls ip
R2-P(config)#int fa0/0
R2-P(config-if)#mpls ip
R2-P(config-if)#int fa1/0
*Nov 22 21:41:51.251: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP
R2-P(config-if)#mpls ip
R2-P(config-if)#


R3-P(config)#mpls label range 300 399
R3-P(config)#mpls ip
R3-P(config)#int fa1/0
R3-P(config-if)#mpls ip
*Nov 22 21:53:31.767: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP
R3-P(config-if)#int fa2/0
R3-P(config-if)#mpls ip
R3-P(config-if)#


R4-P(config)#mpls label range 400 499
R4-P(config)#mpls ip
R4-P(config)#int fa2/0
R4-P(config-if)#mpls ip
*Nov 22 21:43:58.395: %LDP-5-NBRCHG: LDP Neighbor 3.3.3.3:0 (1) is UP
R4-P(config-if)#int fa0/0
R4-P(config-if)#mpls ip
R4-P(config-if)#
*Nov 22 21:44:02.035: %LDP-5-NBRCHG: LDP Neighbor 5.5.5.5:0 (2) is UP
R4-P(config-if)#

All routers are now:

  • Fully OSPF Adjacent
  • Fully MPLS Adjacent (if that is how you say it in MPLS?)
  • Layer 3 VPN will now work as R1 and R5 can talk through the Core routers

Now that MPLS is humming on top of the Layer 3 OSPF network, I will try another traceroute to make sure we still have connectivity:

R5-PE#traceroute 1.1.1.1 source 5.5.5.5
Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.45.0.4 [MPLS: Label 400 Exp 0] 76 msec 48 msec 76 msec
2 10.34.0.3 [MPLS: Label 300 Exp 0] 72 msec 72 msec 180 msec
3 10.23.0.2 [MPLS: Label 200 Exp 0] 40 msec 20 msec 28 msec
4 10.12.0.1 48 msec * 56 msec
R5-PE#

Looks like we’re doing some Label Switching to the Destination now instead of pure IP Forwarding! (Until the PHP hop R2 where it POPs the MPLS label off the packet!)

Note that each hop does report back the IP Information, as a traceroute reports back both the Label and IP of each Hop except the PHP Hop, as the IP Packet arrives with no MPLS Label to report back to the Source of R5-PE.

(If you are unsure what PHP / POP MPLS Label operations are, refer to my previous post)

That is quite literally it, and I am about at the end of what my body can take for sitting in front of my lab for today, but wanted to throw out some verifications here quick to check out the binding tables, how to look at specific bindings, etc.

MPLS Verification commands for local and remote Label Bindings

Aside from traceroute, which is an awesome troubleshooting command for any connectivity tests, there are some others for finding the label bindings of neighbor routers, and what label the local router has dynamically bound to IP destinations.

Remember that LDP only talks between directly connected LSR’s, so each LSR will only have its directly connected neighbors in the binding table, whereas with, say, a Layer 3 IGP a single router will learn about every route within the routing domain to make forwarding decisions (which is why MPLS is much more efficient)!

So our Topology is now full of LSR’s with LDP singing as illustrated here:

MPLS_Top2

Let’s take a look at “R2-P” here for an example of local / remote label bindings table:

R2-P#sh mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
200        Pop Label  1.1.1.1/32       2869          Fa0/0      10.12.0.1
201        Pop Label  3.3.3.3/32       0             Fa1/0      10.23.0.3
202        302        4.4.4.4/32       0             Fa1/0      10.23.0.3
203        303        5.5.5.5/32       3045          Fa1/0      10.23.0.3
204        Pop Label  10.34.0.0/24     0             Fa1/0      10.23.0.3
205        305        10.45.0.0/24     0             Fa1/0      10.23.0.3
R2-P#

That table formats horribly, so won’t be demonstrating that again in this post, but note that any destination IP’s that are one Hop away have the “Pop Label” as the outgoing label, whereas remote IP Networks several Hops away have #’s like 302, 303, etc.

It also shows the traffic that’s been Label Switched, Outgoing Interface (everything basically points out Fa1/0 to R3), and none of the CE Router networks appear because ONLY PE Routers Talk to CE Routers!

R2-P# sh mpls interfaces
Interface                    IP          Tunnel   BGP   Static   Operational
FastEthernet0/0   Yes (ldp)      No         No     No          Yes
FastEthernet1/0   Yes (ldp)      No         No     No          Yes
R2-P#

Shows us the MPLS enabled interfaces, any interface with LDP running is what makes this router an LSR, and allows it to create labels to switch amongst its neighbors.

To hone in on a specific route’s Local and Remote labels:

R2-P#sh mpls ip binding 5.5.5.5 ?
<0-32> Mask length
A.B.C.D Destination mask

R2-P#sh mpls ip binding 5.5.5.5 32
5.5.5.5/32
in label: 203
out label: 104 lsr: 1.1.1.1:0
out label: 303 lsr: 3.3.3.3:0
R2-P#

Comparing these entries to the “mpls forwarding-table” entries, we can match up the labels to make sense of the “if this router gets label X then forward with Label Y” layout of all these different verification commands and their table entries.
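The same comparison done in code, as an added example that is not part of the original lab: it parses the two R2-P outputs above, confirms the installed swap for 5.5.5.5/32 uses a label an LDP peer actually advertised, and checks that every local label sits inside the range configured with "mpls label range 200 299". The input is constructed from the output in this post with whitespace normalised, and the function names are my own.

```python
import re

# Constructed input: R2-P output from this post, whitespace normalised.
LFIB = """\
200 Pop Label 1.1.1.1/32 2869 Fa0/0 10.12.0.1
201 Pop Label 3.3.3.3/32 0 Fa1/0 10.23.0.3
202 302 4.4.4.4/32 0 Fa1/0 10.23.0.3
203 303 5.5.5.5/32 3045 Fa1/0 10.23.0.3
204 Pop Label 10.34.0.0/24 0 Fa1/0 10.23.0.3
205 305 10.45.0.0/24 0 Fa1/0 10.23.0.3
"""
BINDING = """\
5.5.5.5/32
in label: 203
out label: 104 lsr: 1.1.1.1:0
out label: 303 lsr: 3.3.3.3:0
"""
ROW = re.compile(r"^(\d+)\s+(Pop Label|\d+)\s+(\S+/\d+)\s+\d+\s+\S+\s+(\S+)$")

def parse_lfib(text):
    """prefix -> (local label, outgoing label, next hop) from the forwarding table."""
    hits = (ROW.match(line.strip()) for line in text.splitlines())
    return {m.group(3): (int(m.group(1)), m.group(2), m.group(4)) for m in hits if m}

def parse_binding(text):
    """(prefix, in label, {advertising LSR: out label}) from 'sh mpls ip binding'."""
    prefix = text.split()[0]
    in_label = int(re.search(r"in label:\s+(\d+)", text).group(1))
    remote = {lsr: lab for lab, lsr in re.findall(r"out label:\s+(\S+)\s+lsr:\s+(\S+)", text)}
    return prefix, in_label, remote

def cross_check(lfib_text, binding_text, lo, hi):
    """Compare the installed swap for one prefix with what LDP peers advertised."""
    lfib = parse_lfib(lfib_text)
    prefix, in_label, remote = parse_binding(binding_text)
    local, out, next_hop = lfib[prefix]
    wanted = "imp-null" if out == "Pop Label" else out  # PHP shows as imp-null in bindings
    problems = [f"{p}: local label {l} outside {lo}-{hi}"
                for p, (l, _, _) in lfib.items() if not lo <= l <= hi]
    if local != in_label:
        problems.append(f"{prefix}: LFIB local {local} != binding in label {in_label}")
    installed = sorted(lsr for lsr, lab in remote.items() if lab == wanted)
    if not installed:
        problems.append(f"{prefix}: outgoing label {out} not advertised by any LDP peer")
    unused = sorted(lsr for lsr in remote if lsr not in installed)
    return {"swap": (in_label, out), "next_hop": next_hop, "installed_from": installed,
            "retained_unused": unused, "problems": problems}

if __name__ == "__main__":
    print(cross_check(LFIB, BINDING, 200, 299))
```

The label 104 learned from 1.1.1.1 stays in the binding table but is not installed, because R2-P's path to 5.5.5.5 goes through R3.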

That is it for this article, got a little off track, but I often get on labbing tangents.

Next I really need to dig into LDP as I’ve now burnt the video into my brain falling asleep with the video on my smartphone with earbuds in (MPLS videos are like sleep venom), so once I am able to prop myself up in front of the lab I will review LDP.

Until next time! 🙂
