I have a confession to make – While studying MPLS I largely overlooked the configuration of the Provider Edge because of its complexity and ease of breaking all routing (and probably reversing time).
I intentionally used my MPLS Lab for ENARSI 300-410 study with new IP Schemes / CE Protocols to challenge my knowledge of MPLS, and now its time to take apart the running configuration of R1-PE (we’ll leave R5-PE out of this if we can) to understand its components that makes MPLS L3 VPN and change it to fit my ENARSI Lab!
First things first I will display the ENTIRE running config for R1-PE
Keep in mind this running-config was for this Topology (with one “Extranet” config):
Current configuration : 2538 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1-PE
!
boot-start-marker
boot-end-marker
!
!
vrf definition 101:Looped
rd 1.1.1.1:1
!
address-family ipv4
route-target export 1.1.1.1:101
route-target import 5.5.5.5:101
exit-address-family
!
vrf definition 102:Back
rd 1.1.1.1:2
!
address-family ipv4
route-target export 1.1.1.1:102
route-target import 5.5.5.5:102
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
mpls label range 100 199
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
mac-address 0000.1111.1111
ip address 10.12.0.1 255.255.255.0
duplex full
mpls ip
!
interface FastEthernet1/0
description connection to Looped site 1
mac-address 0000.1111.1111
vrf forwarding 101:Looped
ip address 172.16.101.1 255.255.255.252
ip ospf 101 area 101
duplex full
!
interface FastEthernet2/0
description Connection to Back site 1
mac-address 0000.1111.1111
vrf forwarding 102:Back
ip address 172.16.101.1 255.255.255.252
duplex full
!
interface FastEthernet3/0
no ip address
shutdown
duplex full
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
interface FastEthernet5/0
no ip address
shutdown
duplex full
!
interface FastEthernet6/0
no ip address
shutdown
duplex full
!
!
router eigrp 1
!
address-family ipv4 vrf 102:Back autonomous-system 102
redistribute bgp 65536 metric 1 1 1 1 1
network 172.16.0.0
exit-address-family
!
router ospf 101 vrf 101:Looped
redistribute bgp 65536 subnets
network 172.16.0.0 0.0.15.255 area 101
!
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65536
bgp log-neighbor-changes
neighbor 5.5.5.5 remote-as 65536
neighbor 5.5.5.5 update-source Loopback0
!
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
exit-address-family
!
address-family ipv4 vrf 101:Looped
redistribute ospf 101
exit-address-family
!
address-family ipv4 vrf 102:Back
redistribute eigrp 102
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf 101:Looped 10.10.10.0 255.255.255.0 172.16.101.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
no domain-lookup
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
login
no domain-lookup
!
!
end
Now trying to piece those highlighted portions together to make sense of them
I guess I can cross off the “VRF-Lite” requirement for the ENARSI after this 🙂
The first clear concept you see is VRF IPv4 Address-Family Import / Export:
vrf definition 101:Looped <– VRF 101:Looped is created
rd 1.1.1.1:1 <— Route Distinguisher configured to ID this traffic for VPN Transport
!
address-family ipv4 <—— Go into “address-family ipv4” config to define route targets
route-target export 1.1.1.1:101 <— Route Target “Exports” to mBGP for L3 VPN Transport
route-target import 5.5.5.5:101 <— Route Target “Imports” this traffic from VPN to VRF
So I came across an eye opening discovery using CLI help with VRF:
R1-PE(config)#vrf def ?
WORD VRF name
R1-PE(config)#vrf def 101?
101:Looped WORD
That is the first time I’ve seen my own manual configs show up in CLI help as an option, I was a bit surprised to see that, but it helps to explain one crucial point:
When doing Import / Export, with the current configuration, R1-PE considers the VRF Definition of 101 to mean 101:Looped which helps to explain why the entire VRF name is not used in other configurations we see.
On the interfaces we see “vrf forwarding (VRF)” which simply tells the interface it is routing using the VRF Routing Table defined rather than the Global Routing table.
I don’t remember the static route highlighted, and cannot see what purpose it serves, so I can’t comment on why that is there.
Reviewing the IGP configuration on the PE to customer sites and how it works
router eigrp 1
!
address-family ipv4 vrf 102:Back autonomous-system 102
redistribute bgp 65536 metric 1 1 1 1 1
network 172.16.0.0
exit-address-family
!
router ospf 101 vrf 101:Looped
redistribute bgp 65536 subnets
network 172.16.0.0 0.0.15.255 area 101
!
First, EIGRP does not have a “vrf” mode you can just go into like other protocols, its a pain in the butt and makes you configure normal EIGRP and go into Address-Family IPv4 to get VRF routing commands as shown above – A good thing to remember with VRFs is EIGRP makes you configure an AF to configure VRF routing with it.
Then there is OSPF which is not a pain in the butt, simply create “router ospf 1 vrf (VRF)” and away you go creating a separate routing table, and the best part is the other side DOES NOT need to be aware at all of the VRF!
I was surprised by that, all CE’s were configured as normal as could be, while all PE IGP configuration was done via VRF’s / individual route tables for that customer!
One other common command we see with all our VRF enabled IGP’s:
redistribute bgp 65536 subnets
This redistributes any routes learned over the MPLS L3 VPN to be redistributed into their local IGP instance, which on the PE is a VRF, but between two ends its like two directly connected routers sending an update for a newly add network to EIGRP or OSPF.
Dissecting the mBGP configuration that makes all this magic work between PE’s
This is all part of a single BGP configuration of BGP AS 65536, I’ll step through the different sections of the configuration and what they do for the L3 VPN for the MPLS.
router bgp 65536
bgp log-neighbor-changes
neighbor 5.5.5.5 remote-as 65536
neighbor 5.5.5.5 update-source Loopback0
Absolutely standard iBGP neighbor configuration using Loopback0 as an update-source.
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
exit-address-family
“address-family vpn4” is unique to BGP as shown here:
R1-PE(config)#router eigrp 1
R1-PE(config-router)#address-family ?
ipv4 Address Family IPv4
R1-PE(config-router)#exit
R1-PE(config)#router eigrp NamedMode ?
<cr>
Nothing.
R1-PE(config)#router eigrp NamedMode
R1-PE(config-router)#address-family ?
ipv4 Address family IPv4
ipv6 Address family IPv6
Nothing!
Getting back to it now that we’re in AF vpnv4 mode for BGP:
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community extended
exit-address-family
neighbor 5.5.5.5 activate brings the VPN “Up” whether its reachable or not, so no static route is needed (or is generally needed in an MPLS network) for the VPN to form.
The “send-community extended” is also specific to VPNv4, as BGP will do “send-community” with defined groups or “communities” of BGP Peers, but defining “extended” is telling this BGP instance to send any networks Redistributed into it over the VPN:
address-family ipv4 vrf 101:Looped
redistribute ospf 101
exit-address-family
!
address-family ipv4 vrf 102:Back
redistribute eigrp 102
Note – You go into BGP AF mode to define the exact VRF and Redistribute its subnets into BGP for Transport, which match the VRF Route Targets, and to go one step further…
One closer look at VRF Route Targets before finishing this one up
R1-PE VRF
!
vrf definition 101:Looped
rd 1.1.1.1:1
!
address-family ipv4
route-target export 1.1.1.1:101
route-target import 5.5.5.5:101
exit-address-family
!
vrf definition 102:Back
rd 1.1.1.1:2
!
address-family ipv4
route-target export 1.1.1.1:102
route-target import 5.5.5.5:102
exit-address-family
!
This VRF definition is configured on R5-PE across the MPLS Network for its 2 customers:
R5-PE
!
vrf definition 101:Looped
rd 5.5.5.5:1
!
address-family ipv4
route-target export 5.5.5.5:101
route-target import 1.1.1.1:101
exit-address-family
!
vrf definition 102:Back
rd 5.5.5.5:2
!
address-family ipv4
route-target export 5.5.5.5:102
route-target import 1.1.1.1:102
exit-address-family
!
This is saying anything local (5.5.5.5 on R5) Export to the VPN, anything remote (1.1.1.1 on R5) Import from BGP to the VRF instance to be routed to its CE Router / Customer!
Now explaining all that, and actually doing it tomorrow will be a different thing!
I will maybe create another post when reconfiguring this to reinforce the VRF / BGP / MPLS VPN concepts for the ENARSI, and probably should post most of the lab configuration, as redundant as it feels from my ROUTE studies 🙂
Anyways that was quite the session, done for the night, Loopy out!
The DEVNET GRIND! 