Sunday, March 26, 2017

MPLS L3 VPN

As a network engineer I have always had a personal interest in service provider technologies. Working in an enterprise network for many years now, and being a customer of service provider offerings such as MPLS, I wanted to know how this all worked from their perspective. So building an MPLS lab was the way to go. Here’s my experience.

Since there were many great tutorials explaining the technology behind MPLS and how to configure MPLS L3VPNs, I didn’t want to re-invent the wheel. Therefore some previous knowledge and understanding of IGP/BGP routing, VRFs, Route Distinguishers and Route Targets is required.

This post will primarily concentrate on the operational viewpoint of an MPLS-based L3VPN, such as verifying the underlay routing, the PEs' MP-BGP routing and MPLS label exchange as implemented on Cisco IOS.


Lab Environment

  • VMware ESXi 6.5 (standalone)
  • (11) CSR1000v: Version 03.16.05.S
    • Used default vCPU setting of 1
    • Used default RAM at 4Gb

Diagram & Topology


  • Infrastructure Information
    • Provider Core (P Routers) IP Address Space: 10.0.0.0/24
    • Provider Edge (PE Routers) IP Address Space: 10.1.1.0/24
    • Customer Edge (CE Routers) IP Address Space: 10.2.2.0/24
    • All links addressed as /30s
    • All loopbacks addressed as /32s
    • OSPF as Core IGP routing protocol, all in Area0
    • MP-BGP as Provider Edge routing protocol peering to Route Reflector
    • Route Reflector does not run MPLS/LDP
    • (2) Customers
      • CUSTOMER A
        • BGP as PE to CE Routing Protocol
        • Site A LAN IP Address: 172.16.1.0/24
        • Site B LAN IP Address: 172.16.2.0/24
        • VRF: CUSTOMER_A
        • Route Distinguisher: 2345:1
      • CUSTOMER B
        • EIGRP as PE to CE Routing Protocol
        • Site A LAN IP Address: 192.168.1.0/24
        • Site B LAN IP Address: 192.168.2.0/24
        • VRF: CUSTOMER_B
        • Route Distinguisher: 2345:2


Configurations

P_R01

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname P_R01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
mpls label range 100 199
mpls label protocol ldp
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9QZHTYO474F
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 1.1.1.1 255.255.255.255
 ip ospf 100 area 0
!
interface GigabitEthernet1
 mtu 9216
 no ip address
 negotiation auto
!
interface GigabitEthernet1.10
 description TO P_R02
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 10
 mpls ip
!
interface GigabitEthernet1.11
 description TO P_R03
 encapsulation dot1Q 11
 ip address 10.0.0.5 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet1.12
 description TO P_R04
 encapsulation dot1Q 12
 ip address 10.0.0.9 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 5
 mpls ip
!
interface GigabitEthernet1.20
 description TO PE_R05
 encapsulation dot1Q 20
 ip address 10.1.1.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 10
 mpls ip
!
interface GigabitEthernet2
 mtu 9216
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet3
 mtu 9216
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.221 255.255.255.0
 negotiation auto
!
router ospf 100
 router-id 1.1.1.1
 passive-interface default
 no passive-interface GigabitEthernet1.10
 no passive-interface GigabitEthernet1.11
 no passive-interface GigabitEthernet1.12
 no passive-interface GigabitEthernet1.20
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end

P_R02

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname P_R02
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
mpls label range 200 299
mpls label protocol ldp
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 924FCRJXFST
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 2.2.2.2 255.255.255.255
 ip ospf 100 area 0
!
interface GigabitEthernet1
 mtu 9216
 no ip address
 negotiation auto
!
interface GigabitEthernet1.10
 description TO P_R01
 encapsulation dot1Q 10
 ip address 10.0.0.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 10
 mpls ip
!
interface GigabitEthernet1.13
 description TO P_R04
 encapsulation dot1Q 13
 ip address 10.0.0.13 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet1.14
 description TO P_R03
 encapsulation dot1Q 14
 ip address 10.0.0.17 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 4
 mpls ip
!
interface GigabitEthernet1.22
 description TO PE_R06
 encapsulation dot1Q 22
 ip address 10.1.1.9 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 10
 mpls ip
!
interface GigabitEthernet2
 mtu 9216
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet3
 mtu 9216
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.222 255.255.255.0
 negotiation auto
!
router ospf 100
 router-id 2.2.2.2
 passive-interface default
 no passive-interface GigabitEthernet1.10
 no passive-interface GigabitEthernet1.13
 no passive-interface GigabitEthernet1.14
 no passive-interface GigabitEthernet1.22
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end

P_R03

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname P_R03
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
mpls label range 300 399
mpls label protocol ldp
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 96FVXC7EF6B
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 3.3.3.3 255.255.255.255
 ip ospf 100 area 0
!
interface GigabitEthernet1
 mtu 9216
 no ip address
 negotiation auto
!
interface GigabitEthernet1.11
 description TO P_R01
 encapsulation dot1Q 11
 ip address 10.0.0.6 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet1.14
 description TO P_R02
 encapsulation dot1Q 14
 ip address 10.0.0.18 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 4
 mpls ip
!
interface GigabitEthernet1.15
 description TO P_R04
 encapsulation dot1Q 15
 ip address 10.0.0.21 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet1.16
 description TO RR_R11
 encapsulation dot1Q 16
 ip address 10.0.0.101 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
!
interface GigabitEthernet1.21
 description TO PE_R05
 encapsulation dot1Q 21
 ip address 10.1.1.5 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet2
 mtu 9216
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet3
 mtu 9216
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.223 255.255.255.0
 negotiation auto
!
router ospf 100
 router-id 3.3.3.3
 passive-interface default
 no passive-interface GigabitEthernet1.11
 no passive-interface GigabitEthernet1.14
 no passive-interface GigabitEthernet1.15
 no passive-interface GigabitEthernet1.16
 no passive-interface GigabitEthernet1.21
!
!
virtual-service csr_mgmt
!         
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end

P_R04

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname P_R04
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
mpls label range 400 499
mpls label protocol ldp
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9SABOZQASS5
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 4.4.4.4 255.255.255.255
 ip ospf 100 area 0
!
interface GigabitEthernet1
 mtu 9216
 no ip address
 negotiation auto
!
interface GigabitEthernet1.12
 description TO P_R01
 encapsulation dot1Q 12
 ip address 10.0.0.10 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 5
 mpls ip
!
interface GigabitEthernet1.13
 description TO P_R02
 encapsulation dot1Q 13
 ip address 10.0.0.14 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet1.15
 description TO P_R03
 encapsulation dot1Q 15
 ip address 10.0.0.22 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet1.17
 description TO RR_R11
 encapsulation dot1Q 17
 ip address 10.0.0.105 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
!
interface GigabitEthernet1.23
 description TO PE_R06
 encapsulation dot1Q 23
 ip address 10.1.1.13 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet2
 mtu 9216
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet3
 mtu 9216
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.224 255.255.255.0
 negotiation auto
!
router ospf 100
 router-id 4.4.4.4
 passive-interface default
 no passive-interface GigabitEthernet1.12
 no passive-interface GigabitEthernet1.13
 no passive-interface GigabitEthernet1.15
 no passive-interface GigabitEthernet1.17
 no passive-interface GigabitEthernet1.23
!
!
virtual-service csr_mgmt
!         
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end

RR_R11

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname RR_R11
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9MAI8IJPDHE
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!         
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 11.11.11.11 255.255.255.255
 ip ospf network point-to-point
 ip ospf 100 area 0
!
interface GigabitEthernet1
 mtu 9216
 no ip address
 negotiation auto
!
interface GigabitEthernet1.16
 description TO P_R03
 encapsulation dot1Q 16
 ip address 10.0.0.102 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
!
interface GigabitEthernet1.17
 description TO P_R04
 encapsulation dot1Q 17
 ip address 10.0.0.106 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.231 255.255.255.0
 negotiation auto
!
router ospf 100
 router-id 11.11.11.11
 passive-interface default
 no passive-interface GigabitEthernet1.16
 no passive-interface GigabitEthernet1.17
!
router bgp 2345
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor PE_R05 peer-group
 neighbor PE_R05 remote-as 2345
 neighbor PE_R05 description TO PE R05
 neighbor PE_R05 update-source Loopback0
 neighbor PE_R05 timers 7 21
 neighbor PE_R06 peer-group
 neighbor PE_R06 remote-as 2345
 neighbor PE_R06 description TO PE R06
 neighbor PE_R06 update-source Loopback0
 neighbor PE_R06 timers 7 21
 neighbor 5.5.5.5 peer-group PE_R05
 neighbor 6.6.6.6 peer-group PE_R05
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor PE_R05 send-community both
  neighbor PE_R05 route-reflector-client
  neighbor PE_R06 send-community both
  neighbor PE_R06 route-reflector-client
  neighbor 5.5.5.5 activate
  neighbor 6.6.6.6 activate
 exit-address-family
!
!
virtual-service csr_mgmt
!         
ip forward-protocol nd
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end

PE_R05

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname PE_R05
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf CUSTOMER_A
 rd 2345:1
 route-target export 2345:1
 route-target import 2345:1
!
ip vrf CUSTOMER_B
 rd 2345:2
 route-target export 2345:2
 route-target import 2345:2
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
mpls label range 500 599
mpls label protocol ldp
multilink bundle-name authenticated
!
!
!
!         
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9FS47AJTJH5
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 5.5.5.5 255.255.255.255
 ip ospf 100 area 0
!
!
interface GigabitEthernet1
 mtu 9216
 no ip address
 negotiation auto
!
interface GigabitEthernet1.20
 description TO P_R01
 encapsulation dot1Q 20
 ip address 10.1.1.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 10
 mpls ip
!
interface GigabitEthernet1.21
 description TO P_R03
 encapsulation dot1Q 21
 ip address 10.1.1.6 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet1.30
 description TO CE_R20
 encapsulation dot1Q 30
 ip vrf forwarding CUSTOMER_A
 ip address 10.2.2.1 255.255.255.252
!
interface GigabitEthernet1.31
 description TO CE_R08
 encapsulation dot1Q 31
 ip vrf forwarding CUSTOMER_B
 ip address 10.2.2.5 255.255.255.252
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.225 255.255.255.0
 negotiation auto
!
!
router eigrp 65535
 !
 address-family ipv4 vrf CUSTOMER_B autonomous-system 65100
  default-metric 100000 10 255 1 1500
  redistribute bgp 2345
  network 10.2.2.4 0.0.0.3
 exit-address-family
!
router ospf 100
 router-id 5.5.5.5
 passive-interface default
 no passive-interface GigabitEthernet1.20
 no passive-interface GigabitEthernet1.21
!
router bgp 2345
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor RR peer-group
 neighbor RR remote-as 2345
 neighbor RR description ROUTE REFLECTOR - R11
 neighbor RR update-source Loopback0
 neighbor RR timers 7 21
 neighbor 11.11.11.11 peer-group RR
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor RR send-community both
  neighbor 11.11.11.11 activate
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER_A
  neighbor CUSTOMER_A peer-group
  neighbor CUSTOMER_A remote-as 65000
  neighbor CUSTOMER_A description CUSTOMER A
  neighbor CUSTOMER_A timers 7 21
  neighbor CUSTOMER_A send-community both
  neighbor CUSTOMER_A soft-reconfiguration inbound
  neighbor 10.2.2.2 peer-group CUSTOMER_A
  neighbor 10.2.2.2 activate
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER_B
  redistribute eigrp 65100
 exit-address-family
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
 !
 !
 !        
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end

PE_R06

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname PE_R06
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf CUSTOMER_A
 rd 2345:1
 route-target export 2345:1
 route-target import 2345:1
!
ip vrf CUSTOMER_B
 rd 2345:2
 route-target export 2345:2
 route-target import 2345:2
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
mpls label range 600 699
mpls label protocol ldp
multilink bundle-name authenticated
!
!
!
!         
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9MNAZJ2VHAE
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 6.6.6.6 255.255.255.255
 ip ospf 100 area 0
!
interface GigabitEthernet1
 mtu 9216
 no ip address
 negotiation auto
!
interface GigabitEthernet1.22
 description TO P_R02
 encapsulation dot1Q 22
 ip address 10.1.1.10 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 ip ospf cost 10
 mpls ip
!
interface GigabitEthernet1.23
 description TO P_R04
 encapsulation dot1Q 23
 ip address 10.1.1.14 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 0
 mpls ip
!
interface GigabitEthernet1.32
 description TO CE_R21
 encapsulation dot1Q 32
 ip vrf forwarding CUSTOMER_A
 ip address 10.2.2.9 255.255.255.252
!
interface GigabitEthernet1.33
 description TO CE_R10
 encapsulation dot1Q 33
 ip vrf forwarding CUSTOMER_B
 ip address 10.2.2.13 255.255.255.252
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.226 255.255.255.0
 negotiation auto
!
!
router eigrp 65535
 !
 address-family ipv4 vrf CUSTOMER_B autonomous-system 65100
  default-metric 100000 10 255 1 1500
  redistribute bgp 2345
  network 10.2.2.12 0.0.0.3
 exit-address-family
!
router ospf 100
 router-id 6.6.6.6
 passive-interface default
 no passive-interface GigabitEthernet1.22
 no passive-interface GigabitEthernet1.23
!
router bgp 2345
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor RR peer-group
 neighbor RR remote-as 2345
 neighbor RR description ROUTE REFLECTOR - R11
 neighbor RR update-source Loopback0
 neighbor RR timers 7 21
 neighbor 11.11.11.11 peer-group RR
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor RR send-community both
  neighbor 11.11.11.11 activate
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER_A
  neighbor CUSTOMER_A peer-group
  neighbor CUSTOMER_A remote-as 65001
  neighbor CUSTOMER_A description CUSTOMER A
  neighbor CUSTOMER_A timers 7 21
  neighbor CUSTOMER_A send-community both
  neighbor CUSTOMER_A soft-reconfiguration inbound
  neighbor 10.2.2.10 peer-group CUSTOMER_A
  neighbor 10.2.2.10 activate
 exit-address-family
 !
 address-family ipv4 vrf CUSTOMER_B
  redistribute eigrp 65100
 exit-address-family
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
 !
 !
 !        
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end
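
Added example, not part of the original post: customer separation in this lab depends on the route-target import/export lines in the PE VRF stanzas above, so the Python below parses those stanzas and reports any VRF that imports a route target exported by a differently named VRF, any RD shared by different VRFs, and any import that nothing exports. The function names and the `PE_R06_LEAKY` variant are constructed for illustration; the clean stanzas are the ones shown for PE_R05 and PE_R06.

```python
import re
from collections import defaultdict

# VRF-related lines as they appear in the PE_R05 / PE_R06 configurations on this page.
PE_VRFS = """\
ip vrf CUSTOMER_A
 rd 2345:1
 route-target export 2345:1
 route-target import 2345:1
!
ip vrf CUSTOMER_B
 rd 2345:2
 route-target export 2345:2
 route-target import 2345:2
!
ip vrf MGMT
!
interface GigabitEthernet4
 ip vrf forwarding MGMT
!
"""

# Constructed misconfiguration (NOT from the page): CUSTOMER_B additionally
# imports CUSTOMER_A's route target, which would leak A's routes into B.
PE_R06_LEAKY = PE_VRFS.replace(
    " route-target import 2345:2\n",
    " route-target import 2345:2\n route-target import 2345:1\n",
)


def parse_vrfs(config):
    """Return {vrf_name: {"rd": str or None, "import": set, "export": set}}."""
    vrfs = {}
    current = None
    for line in config.splitlines():
        # Only a top-level "ip vrf NAME" opens a VRF stanza; the indented
        # interface command "ip vrf forwarding NAME" does not match.
        m = re.match(r"^ip vrf (\S+)\s*$", line)
        if m:
            current = vrfs.setdefault(
                m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if not line.startswith(" "):
            current = None  # any other non-indented line ends the stanza
            continue
        if current is None:
            continue
        words = line.split()
        if len(words) == 2 and words[0] == "rd":
            current["rd"] = words[1]
        elif len(words) == 3 and words[0] == "route-target":
            direction, rt = words[1], words[2]
            if direction in ("import", "both"):
                current["import"].add(rt)
            if direction in ("export", "both"):
                current["export"].add(rt)
    return vrfs


def audit(pe_configs):
    """pe_configs: {hostname: config text}. Returns a sorted list of findings."""
    parsed = {pe: parse_vrfs(cfg) for pe, cfg in pe_configs.items()}
    exporters = defaultdict(set)  # route target -> VRF names exporting it
    rd_owners = defaultdict(set)  # RD -> VRF names configured with it
    for vrfs in parsed.values():
        for name, vrf in vrfs.items():
            for rt in vrf["export"]:
                exporters[rt].add(name)
            if vrf["rd"]:
                rd_owners[vrf["rd"]].add(name)

    findings = []
    for rd, names in rd_owners.items():
        if len(names) > 1:
            findings.append(f"RD {rd} is shared by different VRFs {sorted(names)}")
    for pe, vrfs in parsed.items():
        for name, vrf in vrfs.items():
            for rt in vrf["import"]:
                sources = exporters.get(rt, set())
                foreign = sources - {name}
                if foreign:
                    findings.append(
                        f"{pe}: VRF {name} imports RT {rt} exported by {sorted(foreign)}")
                if not sources:
                    findings.append(
                        f"{pe}: VRF {name} imports RT {rt} that no VRF exports")
    return sorted(findings)


if __name__ == "__main__":
    for label, r06 in (("as published", PE_VRFS), ("constructed leak", PE_R06_LEAKY)):
        result = audit({"PE_R05": PE_VRFS, "PE_R06": r06})
        print(label, "->", result or "no cross-VRF imports")
```

A finding is a prompt for review rather than proof of a fault, since extranet or shared-services designs import another VRF's route target on purpose.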

CE_R20

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CE_R20
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!



no ip domain lookup
ip domain name domain.local
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9FUE7F8MZLE
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 20.20.20.20 255.255.255.255
!
interface Loopback100
 description LAN
 ip address 172.16.1.254 255.255.255.0
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 cdp enable
!
interface GigabitEthernet1.30
 description TO PE_R05 - L3 MPLS
 encapsulation dot1Q 30
 ip address 10.2.2.2 255.255.255.252
!
interface GigabitEthernet2
 no ip address
 negotiation auto
 cdp enable
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.240 255.255.255.0
 negotiation auto
!
router bgp 65000
 bgp router-id 20.20.20.20
 bgp log-neighbor-changes
 neighbor PE peer-group
 neighbor PE remote-as 2345
 neighbor PE description TO SP PE
 neighbor PE timers 7 21
 neighbor 10.2.2.1 peer-group PE
 !
 address-family ipv4
  network 172.16.1.0 mask 255.255.255.0
  neighbor PE send-community both
  neighbor PE route-map CE_2_PE out
  neighbor 10.2.2.1 activate
 exit-address-family
!
!
virtual-service csr_mgmt
!
no ip forward-protocol nd
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
ip ssh time-out 60
!
!
ip prefix-list LAN seq 5 permit 172.16.1.0/24
!
!
route-map CE_2_PE permit 10
 match ip address prefix-list LAN
 set community 65000:20
!
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
 transport input telnet ssh
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
 transport input telnet ssh
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
 transport input telnet ssh
!
ntp server pool.ntp.org
!
end

CE_R21

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CE_R21
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name domain.local
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9Q6LH763AKK
!
spanning-tree extend system-id
!
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 21.21.21.21 255.255.255.255
!
interface Loopback100
 description LAN
 ip address 172.16.2.254 255.255.255.0
!
interface GigabitEthernet1
 no ip address
 negotiation auto
 cdp enable
!
interface GigabitEthernet1.32
 description TO PE_R06 - L3 MPLS
 encapsulation dot1Q 32
 ip address 10.2.2.10 255.255.255.252
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.241 255.255.255.0
 negotiation auto
!
router bgp 65001
 bgp router-id 21.21.21.21
 bgp log-neighbor-changes
 neighbor PE peer-group
 neighbor PE remote-as 2345
 neighbor PE description TO SP PE
 neighbor PE timers 7 21
 neighbor 10.2.2.9 peer-group PE
 !
 address-family ipv4
  network 172.16.2.0 mask 255.255.255.0
  neighbor PE send-community both
  neighbor PE route-map CE_2_PE out
  neighbor 10.2.2.9 activate
 exit-address-family
!
!
virtual-service csr_mgmt
!
no ip forward-protocol nd
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
ip ssh time-out 60
!
!
ip prefix-list LAN seq 5 permit 172.16.2.0/24
!
!
route-map CE_2_PE permit 10
 match ip address prefix-list LAN
 set community 65001:21
!
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
 transport input telnet ssh
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
 transport input telnet ssh
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
 transport input telnet ssh
!
ntp server pool.ntp.org
!
end

CE_R08

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CE_R08
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 90L8F9BD5RL
!
spanning-tree extend system-id
!         
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 8.8.8.8 255.255.255.255
!
interface Loopback100
 description LAN
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1
 no ip address
 negotiation auto
!
interface GigabitEthernet1.31
 description TO PE_R05 - MPLS L3
 encapsulation dot1Q 31
 ip address 10.2.2.6 255.255.255.252
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.228 255.255.255.0
 negotiation auto
!
!
router eigrp 65100
 network 10.2.2.4 0.0.0.3
 network 192.168.1.0
 passive-interface default
 no passive-interface GigabitEthernet1.31
 eigrp router-id 8.8.8.8
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end

CE_R10

version 15.5
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CE_R10
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
no logging console
enable secret 5 <removed>
!
no aaa new-model
!
ip vrf MGMT
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9SION991GD6
!
spanning-tree extend system-id
!         
username admin secret 5 <removed>
!
redundancy
!
!
!
!
!
cdp run
!

!
!
!
!
!
!
!
!
!
!
!
!






!
!
interface Loopback0
 description RID
 ip address 10.10.10.10 255.255.255.255
!
interface Loopback100
 description LAN
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet1
 no ip address
 negotiation auto
!
interface GigabitEthernet1.33
 description TO PE_R06 - MPLS L3
 encapsulation dot1Q 33
 ip address 10.2.2.14 255.255.255.252
!
interface GigabitEthernet2
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet4
 description MANAGEMENT
 ip vrf forwarding MGMT
 ip address 10.1.1.230 255.255.255.0
 negotiation auto
!
!
router eigrp 65100
 network 10.2.2.12 0.0.0.3
 network 192.168.2.0
 passive-interface default
 no passive-interface GigabitEthernet1.33
 eigrp router-id 10.10.10.10
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet4
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.1.254 name MGMT_DEFAULT
!
!
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0
 exec-timeout 60 0
 logging synchronous
 login local
line vty 1
 exec-timeout 60 0
 logging synchronous
 login local
 length 0
line vty 2 4
 exec-timeout 60 0
 logging synchronous
 login local
!
ntp server pool.ntp.org
!
end




Testing Results

Test results are simple pings & traceroutes between sites within each customer network to verify full reachability.


Customer A: SiteA to SiteB

CE_R20#ping 172.16.2.254 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/9 ms

CE_R20#traceroute 172.16.2.254 source lo100
Type escape sequence to abort.
Tracing the route to 172.16.2.254
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.2.1 4 msec 5 msec 5 msec
  2 10.1.1.5 [MPLS: Labels 320/630 Exp 0] 8 msec 8 msec 8 msec
  3 10.0.0.22 [MPLS: Labels 420/630 Exp 0] 26 msec 36 msec 32 msec
  4 10.2.2.9 [MPLS: Label 630 Exp 0] 20 msec 20 msec 20 msec
  5 10.2.2.10 20 msec *  7 msec

CE_R20#sh ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
B        172.16.2.0/24 [20/0] via 10.2.2.1, 00:00:44

CE_R20#sh ip bgp 172.16.2.0
BGP routing table entry for 172.16.2.0/24, version 12
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  2345 65001
    10.2.2.1 from 10.2.2.1 (5.5.5.5)
      Origin IGP, localpref 100, valid, external, best
      Community: 65001:21
      Extended Community: RT:2345:1
      rx pathid: 0, tx pathid: 0x0




Customer A: SiteB to SiteA

CE_R21#ping 172.16.1.254 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.254, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/9 ms

CE_R21#traceroute 172.16.1.254 source lo100
Type escape sequence to abort.
Tracing the route to 172.16.1.254
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.2.9 3 msec 3 msec 4 msec
  2 10.1.1.13 [MPLS: Labels 419/530 Exp 0] 7 msec 7 msec 9 msec
  3 10.0.0.21 [MPLS: Labels 319/530 Exp 0] 31 msec 31 msec 30 msec
  4 10.2.2.1 [MPLS: Label 530 Exp 0] 22 msec 19 msec 19 msec
  5 10.2.2.2 22 msec *  8 msec

CE_R21#sh ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
B        172.16.1.0/24 [20/0] via 10.2.2.9, 00:36:16

CE_R21#sh ip bgp 172.16.1.0
BGP routing table entry for 172.16.1.0/24, version 12
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  2345 65000
    10.2.2.9 from 10.2.2.9 (6.6.6.6)
      Origin IGP, localpref 100, valid, external, best
      Community: 65000:20
      Extended Community: RT:2345:1
      rx pathid: 0, tx pathid: 0x0



Customer B: SiteA to SiteB

CE_R08#ping 192.168.2.254 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms

CE_R08#traceroute 192.168.2.254 source lo100
Type escape sequence to abort.
Tracing the route to 192.168.2.254
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.2.5 3 msec 4 msec 3 msec
  2 10.1.1.5 [MPLS: Labels 320/628 Exp 0] 8 msec 6 msec 15 msec
  3 10.0.0.22 [MPLS: Labels 420/628 Exp 0] 31 msec 30 msec 43 msec
  4 10.2.2.13 [MPLS: Label 628 Exp 0] 20 msec 20 msec 20 msec
  5 10.2.2.14 20 msec *  7 msec

CE_R08#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.2.2.12/30 [90/3072] via 10.2.2.5, 18:40:26, GigabitEthernet1.31
D     192.168.2.0/24 [90/131072] via 10.2.2.5, 02:20:39, GigabitEthernet1.31

CE_R08#sh ip eig topology 192.168.2.0/24
EIGRP-IPv4 Topology Entry for AS(65100)/ID(8.8.8.8) for 192.168.2.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131072
  Descriptor Blocks:
  10.2.2.5 (GigabitEthernet1.31), from 10.2.2.5, Send flag is 0x0
      Composite metric is (131072/130816), route is Internal
      Vector metric:
        Minimum bandwidth is 1000000 Kbit
        Total delay is 5020 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 10.10.10.10



Customer B: SiteB to SiteA

CE_R10#ping 192.168.1.254 source lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/11 ms

CE_R10#traceroute 192.168.1.254 source lo100
Type escape sequence to abort.
Tracing the route to 192.168.1.254
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.2.13 4 msec 3 msec 4 msec
  2 10.1.1.13 [MPLS: Labels 419/528 Exp 0] 7 msec 7 msec 9 msec
  3 10.0.0.21 [MPLS: Labels 319/528 Exp 0] 26 msec 30 msec 38 msec
  4 10.2.2.5 [MPLS: Label 528 Exp 0] 21 msec 19 msec 21 msec
  5 10.2.2.6 19 msec *  7 msec

CE_R10#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.2.2.4/30 [90/3072] via 10.2.2.13, 18:44:24, GigabitEthernet1.33
D     192.168.1.0/24 [90/131072] via 10.2.2.13, 02:25:36, GigabitEthernet1.33

CE_R10#sh ip eigrp topology 192.168.1.0/24
EIGRP-IPv4 Topology Entry for AS(65100)/ID(10.10.10.10) for 192.168.1.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 131072
  Descriptor Blocks:
  10.2.2.13 (GigabitEthernet1.33), from 10.2.2.13, Send flag is 0x0
      Composite metric is (131072/130816), route is Internal
      Vector metric:
        Minimum bandwidth is 1000000 Kbit
        Total delay is 5020 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 8.8.8.8



Verification Tasks

From a high level, this diagram highlights the different components in a MPLS L3VPN network.  As we verify the lab, we will take a look at each one.

The list below outlines the verification tasks.
  1. Backbone infrastructure verification
    1. IGP/OSPF peering and routes learned
  2. MPLS LDP verification
    1. LDP enabled on interfaces
    2. LDP discovery between interfaces
    3. LDP neighbors
    4. MPLS forwarding tables
  3. L3VPN verification
    1. VRF's, Route Distinguishers and Route Targets
    2. MP-BGP backbone peering (PE to RR)
    3. PE to CE peering (BGP & EIGRP)
    4. MP-BGP VPNv4 NLRI
  4. Packet Walk



Backbone Infrastructure Verification

Using OSPF as the underlay IGP, we verify all Provider routers (P routers) and Provider Edge routers (PE routers) are peering correctly.  Routing the loopback address is standard best practice and is an important infrastructure redundancy concept for the peering of OSPF, LDP and MP-BGP.


Core Routers IGP peering


P_R01#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
5.5.5.5           0   FULL/  -        00:00:37    10.1.1.2        GigabitEthernet1.20
4.4.4.4           0   FULL/  -        00:00:33    10.0.0.10       GigabitEthernet1.12
3.3.3.3           0   FULL/  -        00:00:33    10.0.0.6        GigabitEthernet1.11
2.2.2.2           0   FULL/  -        00:00:32    10.0.0.2        GigabitEthernet1.10

P_R02#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
6.6.6.6           0   FULL/  -        00:00:36    10.1.1.10       GigabitEthernet1.22
3.3.3.3           0   FULL/  -        00:00:34    10.0.0.18       GigabitEthernet1.14
4.4.4.4           0   FULL/  -        00:00:33    10.0.0.14       GigabitEthernet1.13
1.1.1.1           0   FULL/  -        00:00:37    10.0.0.1        GigabitEthernet1.10

P_R03#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
5.5.5.5           0   FULL/  -        00:00:31    10.1.1.6        GigabitEthernet1.21
11.11.11.11       0   FULL/  -        00:00:39    10.0.0.102      GigabitEthernet1.16
4.4.4.4           0   FULL/  -        00:00:39    10.0.0.22       GigabitEthernet1.15
2.2.2.2           0   FULL/  -        00:00:36    10.0.0.17       GigabitEthernet1.14
1.1.1.1           0   FULL/  -        00:00:38    10.0.0.5        GigabitEthernet1.11

P_R04#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
6.6.6.6           0   FULL/  -        00:00:34    10.1.1.14       GigabitEthernet1.23
11.11.11.11       0   FULL/  -        00:00:34    10.0.0.106      GigabitEthernet1.17
3.3.3.3           0   FULL/  -        00:00:35    10.0.0.21       GigabitEthernet1.15
2.2.2.2           0   FULL/  -        00:00:32    10.0.0.13       GigabitEthernet1.13
1.1.1.1           0   FULL/  -        00:00:34    10.0.0.9        GigabitEthernet1.12



PE Routers IGP peering

PE_R05#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:39    10.1.1.5        GigabitEthernet1.21
1.1.1.1           0   FULL/  -        00:00:37    10.1.1.1        GigabitEthernet1.20

PE_R06#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:30    10.1.1.13       GigabitEthernet1.23
2.2.2.2           0   FULL/  -        00:00:31    10.1.1.9        GigabitEthernet1.22



Route Reflector IGP peering

RR_R11#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:35    10.0.0.105      GigabitEthernet1.17
3.3.3.3           0   FULL/  -        00:00:38    10.0.0.101      GigabitEthernet1.16



IGP Route Table



P1's IGP route table (OSPF).  As mentioned before, the routes that really matter are the loopback addresses from Provider core (P), Provider Edge (PE) and Route Reflector (RR).

P_R01#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/4] via 10.0.0.6, 1w6d, GigabitEthernet1.11
      3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/2] via 10.0.0.6, 1w6d, GigabitEthernet1.11
      4.0.0.0/32 is subnetted, 1 subnets
O        4.4.4.4 [110/3] via 10.0.0.6, 1w6d, GigabitEthernet1.11
      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.5.5 [110/3] via 10.0.0.6, 5d19h, GigabitEthernet1.11
      6.0.0.0/32 is subnetted, 1 subnets
O        6.6.6.6 [110/4] via 10.0.0.6, 5d19h, GigabitEthernet1.11
      10.0.0.0/8 is variably subnetted, 16 subnets, 2 masks
O        10.0.0.12/30 [110/3] via 10.0.0.6, 1w6d, GigabitEthernet1.11
O        10.0.0.16/30 [110/5] via 10.0.0.6, 1w6d, GigabitEthernet1.11
O        10.0.0.20/30 [110/2] via 10.0.0.6, 1w6d, GigabitEthernet1.11
O        10.0.0.100/30 [110/2] via 10.0.0.6, 1w6d, GigabitEthernet1.11
O        10.0.0.104/30 [110/3] via 10.0.0.6, 1w6d, GigabitEthernet1.11
O        10.1.1.4/30 [110/2] via 10.0.0.6, 1w6d, GigabitEthernet1.11
O        10.1.1.8/30 [110/13] via 10.0.0.6, 1w6d, GigabitEthernet1.11
O        10.1.1.12/30 [110/3] via 10.0.0.6, 1w6d, GigabitEthernet1.11
      11.0.0.0/32 is subnetted, 1 subnets
O        11.11.11.11 [110/3] via 10.0.0.6, 1w6d, GigabitEthernet1.11




MPLS LDP Verification

LDP is the protocol used for label exchange and is required on all routers participating in the MPLS network (i.e., P and PE routers).  P routers are also known as Label Switch Routers (LSRs), whereas PE routers are known as Label Edge Routers (LERs).  The path between LERs via the LSRs is referred to as the Label Switched Path (LSP).



The outputs below verify LDP peering and operational status on the LERs and LSRs.  Please note that the Route Reflector does not have MPLS/LDP enabled on its interfaces.  The RR is for MP-BGP peering and route exchange only, not MPLS tag switching.


MPLS Interfaces (Provider Routers)

P_R01#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet1.10    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.11    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.12    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.20    Yes (ldp)     Yes      No  No     Yes  

P_R02#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet1.10    Yes (ldp)     Yes      No  No     Yes        
GigabitEthernet1.13    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.14    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.22    Yes (ldp)     Yes      No  No     Yes

P_R03#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet1.11    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.14    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.15    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.21    Yes (ldp)     Yes      No  No     Yes  

P_R04#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet1.12    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.13    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.15    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.23    Yes (ldp)     Yes      No  No     Yes



MPLS Interfaces (Provider Edge Routers)

PE_R05#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet1.20    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.21    Yes (ldp)     Yes      No  No     Yes

PE_R06#sh mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet1.22    Yes (ldp)     Yes      No  No     Yes       
GigabitEthernet1.23    Yes (ldp)     Yes      No  No     Yes



MPLS LDP Discovery

The MPLS discovery command verifies that the interface is up and is sending LDP Discovery Hello messages.  LDP has been enabled on the physical interfaces but will use its loopback addresses as discovery source.

P_R01#sh mpls ldp discovery
 Local LDP Identifier:
    1.1.1.1:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet1.10 (ldp): xmit/recv
            LDP Id: 2.2.2.2:0
        GigabitEthernet1.11 (ldp): xmit/recv
            LDP Id: 3.3.3.3:0
        GigabitEthernet1.12 (ldp): xmit/recv
            LDP Id: 4.4.4.4:0
        GigabitEthernet1.20 (ldp): xmit/recv
            LDP Id: 5.5.5.5:0

P_R02#sh mpls ldp discovery
 Local LDP Identifier:
    2.2.2.2:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet1.10 (ldp): xmit/recv
            LDP Id: 1.1.1.1:0
        GigabitEthernet1.13 (ldp): xmit/recv
            LDP Id: 4.4.4.4:0
        GigabitEthernet1.14 (ldp): xmit/recv
            LDP Id: 3.3.3.3:0
        GigabitEthernet1.22 (ldp): xmit/recv
            LDP Id: 6.6.6.6:0

P_R03#sh mpls ldp discovery
 Local LDP Identifier:
    3.3.3.3:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet1.11 (ldp): xmit/recv
            LDP Id: 1.1.1.1:0
        GigabitEthernet1.14 (ldp): xmit/recv
            LDP Id: 2.2.2.2:0
        GigabitEthernet1.15 (ldp): xmit/recv
            LDP Id: 4.4.4.4:0
        GigabitEthernet1.21 (ldp): xmit/recv
            LDP Id: 5.5.5.5:0

P_R04#sh mpls ldp discovery
 Local LDP Identifier:
    4.4.4.4:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet1.12 (ldp): xmit/recv
            LDP Id: 1.1.1.1:0
        GigabitEthernet1.13 (ldp): xmit/recv
            LDP Id: 2.2.2.2:0
        GigabitEthernet1.15 (ldp): xmit/recv
            LDP Id: 3.3.3.3:0
        GigabitEthernet1.23 (ldp): xmit/recv
            LDP Id: 6.6.6.6:0

PE_R05#sh mpls ldp discovery
 Local LDP Identifier:
    5.5.5.5:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet1.20 (ldp): xmit/recv
            LDP Id: 1.1.1.1:0
        GigabitEthernet1.21 (ldp): xmit/recv
            LDP Id: 3.3.3.3:0

PE_R06#sh mpls ldp discovery
 Local LDP Identifier:
    6.6.6.6:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet1.22 (ldp): xmit/recv
            LDP Id: 2.2.2.2:0
        GigabitEthernet1.23 (ldp): xmit/recv
            LDP Id: 4.4.4.4:0



MPLS LDP Neighbors

The MPLS LDP Neighbor command verifies the LDP session has been established. As seen here, the LDP neighbor adjacency has been established using their loopback addresses (see TCP connection). For brevity, we will look at only one Provider router and one Provider Edge router.

P1's LDP neighbors to P2, P3, P4 and PE5

P_R01#sh mpls ldp neighbor
    Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 2.2.2.2.14950 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 13738/13727; Downstream
        Up time: 1w1d
        LDP discovery sources:
          GigabitEthernet1.10, Src IP addr: 10.0.0.2
        Addresses bound to peer LDP Ident:
          2.2.2.2         10.0.0.2        10.0.0.13       10.0.0.17      
          10.1.1.9        
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 3.3.3.3.27304 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 13741/13738; Downstream
        Up time: 1w1d
        LDP discovery sources:
          GigabitEthernet1.11, Src IP addr: 10.0.0.6
        Addresses bound to peer LDP Ident:
          3.3.3.3         10.0.0.6        10.0.0.18       10.0.0.21      
          10.0.0.101      10.1.1.5       
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 4.4.4.4.32558 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 13740/13737; Downstream
        Up time: 1w1d
        LDP discovery sources:
          GigabitEthernet1.12, Src IP addr: 10.0.0.10
        Addresses bound to peer LDP Ident:
          4.4.4.4         10.0.0.10       10.0.0.14       10.0.0.22      
          10.0.0.105      10.1.1.13      
    Peer LDP Ident: 5.5.5.5:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 5.5.5.5.39868 - 1.1.1.1.646
        State: Oper; Msgs sent/rcvd: 1757/1752; Downstream
        Up time: 1d00h
        LDP discovery sources:
          GigabitEthernet1.20, Src IP addr: 10.1.1.2
        Addresses bound to peer LDP Ident:
          5.5.5.5         10.1.1.2        10.1.1.6 

PE5’s LDP neighbors to P1 and P3

PE_R05#sh mpls ldp neighbor
    Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 5.5.5.5:0
        TCP connection: 1.1.1.1.646 - 5.5.5.5.39868
        State: Oper; Msgs sent/rcvd: 3341/3344; Downstream
        Up time: 1d23h
        LDP discovery sources:
          GigabitEthernet1.20, Src IP addr: 10.1.1.1
        Addresses bound to peer LDP Ident:
          1.1.1.1         10.0.0.1        10.0.0.5        10.0.0.9       
          10.1.1.1       
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 5.5.5.5:0
        TCP connection: 3.3.3.3.646 - 5.5.5.5.24464
        State: Oper; Msgs sent/rcvd: 3344/3346; Downstream
        Up time: 1d23h
        LDP discovery sources:
          GigabitEthernet1.21, Src IP addr: 10.1.1.5
        Addresses bound to peer LDP Ident:
          3.3.3.3         10.0.0.6        10.0.0.18       10.0.0.21      
          10.0.0.101      10.1.1.5  



MPLS Forwarding Tables

The MPLS forwarding table, otherwise known as the label forwarding information base (LFIB), is the router's repository for the labels exchanged with its LDP peers.  It contains the label operation to perform on the incoming or outgoing packet (Push, Swap or Pop).

The following diagram shows an example of where each operation occurs as a packet travels between CEs (left to right) through the provider network.



The outputs below look at the MPLS forwarding tables for P1 and PE5.  Each shows the label operation, egress interface and next-hop IP.  The packet walk section will look at the forwarding table in more detail.

P_R01#sh mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop   
Label      Label      or Tunnel Id     Switched      interface             
100        301        2.2.2.2/32       0             Gi1.11     10.0.0.6   
101        Pop Label  3.3.3.3/32       0             Gi1.11     10.0.0.6   
102        302        4.4.4.4/32       0             Gi1.11     10.0.0.6   
103        305        10.0.0.12/30     0             Gi1.11     10.0.0.6   
104        Pop Label  10.0.0.16/30     0             Gi1.11     10.0.0.6   
105        Pop Label  10.0.0.20/30     0             Gi1.11     10.0.0.6   
106        Pop Label  10.0.0.100/30    0             Gi1.11     10.0.0.6   
107        306        10.0.0.104/30    0             Gi1.11     10.0.0.6   
108        Pop Label  10.1.1.4/30      0             Gi1.11     10.0.0.6   
109        308        10.1.1.8/30      0             Gi1.11     10.0.0.6   
110        309        10.1.1.12/30     0             Gi1.11     10.0.0.6   
118        318        11.11.11.11/32   0             Gi1.11     10.0.0.6   
119        319        5.5.5.5/32       0             Gi1.11     10.0.0.6   
120        320        6.6.6.6/32       0             Gi1.11     10.0.0.6

PE_R05#sh mpls forwarding-table
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop   
Label      Label      or Tunnel Id     Switched      interface             
500        300        1.1.1.1/32       0             Gi1.21     10.1.1.5   
501        301        2.2.2.2/32       0             Gi1.21     10.1.1.5   
502        Pop Label  3.3.3.3/32       0             Gi1.21     10.1.1.5   
503        302        4.4.4.4/32       0             Gi1.21     10.1.1.5   
504        320        6.6.6.6/32       0             Gi1.21     10.1.1.5   
505        303        10.0.0.0/30      0             Gi1.21     10.1.1.5   
506        Pop Label  10.0.0.4/30      0             Gi1.21     10.1.1.5   
507        304        10.0.0.8/30      0             Gi1.21     10.1.1.5   
508        305        10.0.0.12/30     0             Gi1.21     10.1.1.5   
509        Pop Label  10.0.0.16/30     0             Gi1.21     10.1.1.5   
510        Pop Label  10.0.0.20/30     0             Gi1.21     10.1.1.5   
511        Pop Label  10.0.0.100/30    0             Gi1.21     10.1.1.5   
512        306        10.0.0.104/30    0             Gi1.21     10.1.1.5   
513        308        10.1.1.8/30      0             Gi1.21     10.1.1.5   
514        309        10.1.1.12/30     0             Gi1.21     10.1.1.5   
521        318        11.11.11.11/32   0             Gi1.21     10.1.1.5   
525        No Label   192.168.1.0/24[V]   \
                                       0             Gi1.31     10.2.2.6   
526        No Label   10.2.2.4/30[V]   0             aggregate/CUSTOMER_B
530        No Label   172.16.1.0/24[V] 4894          Gi1.30     10.2.2.2   
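
The following Python check is an added example, not part of the original lab: it parses the PE_R05 forwarding table above together with the CE_R21 traceroute from the Testing Results section and confirms that the transport label is swapped hop by hop, that the VPN label stays constant, and that the egress PE maps that VPN label to the customer's VRF route. The function names are assumptions made for this example.

```python
import re

# Constructed inputs: rows copied from the PE_R05 forwarding table and the
# CE_R21 traceroute shown on this page (unrelated rows trimmed).
LFIB_PE_R05 = """\
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
502        Pop Label  3.3.3.3/32       0             Gi1.21     10.1.1.5
504        320        6.6.6.6/32       0             Gi1.21     10.1.1.5
525        No Label   192.168.1.0/24[V]   \\
                                       0             Gi1.31     10.2.2.6
526        No Label   10.2.2.4/30[V]   0             aggregate/CUSTOMER_B
530        No Label   172.16.1.0/24[V] 4894          Gi1.30     10.2.2.2
"""

TRACE_CE_R21 = """\
  1 10.2.2.9 3 msec 3 msec 4 msec
  2 10.1.1.13 [MPLS: Labels 419/530 Exp 0] 7 msec 7 msec 9 msec
  3 10.0.0.21 [MPLS: Labels 319/530 Exp 0] 31 msec 31 msec 30 msec
  4 10.2.2.1 [MPLS: Label 530 Exp 0] 22 msec 19 msec 19 msec
  5 10.2.2.2 22 msec *  8 msec
"""

ROW = re.compile(
    r"^(\d+)\s+(Pop Label|No Label|\d+)\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
HOP = re.compile(
    r"^\s*(\d+)\s+(\d+(?:\.\d+){3})(?:\s+\[MPLS: Labels? ([\d/]+) Exp \d+\])?")


def parse_lfib(text):
    """Return {local_label: entry} from 'show mpls forwarding-table' output."""
    # IOS wraps long prefixes onto a second line with a trailing backslash.
    text = re.sub(r"\\[ \t]*\n", " ", text)
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrecognised line
        local, out, prefix, _bytes, intf, next_hop = m.groups()
        if out == "Pop Label":
            op = "pop"        # top label removed (penultimate-hop popping)
        elif out == "No Label":
            op = "untagged"   # label stack removed, forwarded as plain IP
        else:
            op = "swap"       # local label replaced by the outgoing label
        is_vpn = prefix.endswith("[V]")
        table[int(local)] = {
            "op": op,
            "out": int(out) if out.isdigit() else None,
            "prefix": prefix[:-3] if is_vpn else prefix,
            "vpn": is_vpn,
            "interface": intf,
            "next_hop": next_hop,   # None for aggregate entries
        }
    return table


def parse_trace(text):
    """Return [(hop_ip, [labels top..bottom])] from IOS traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            labels = [int(x) for x in m.group(3).split("/")] if m.group(3) else []
            hops.append((m.group(2), labels))
    return hops


def check_label_walk(hops, egress_lfib):
    """Check a CE-to-CE traceroute against the egress PE's LFIB."""
    labelled = [(ip, stack) for ip, stack in hops if stack]
    if not labelled:
        raise ValueError("no MPLS labels reported; path is not label switched")
    vpn_labels = {stack[-1] for _, stack in labelled}   # bottom of stack per hop
    if len(vpn_labels) != 1:
        raise ValueError(f"VPN label changed in transit: {sorted(vpn_labels)}")
    vpn_label = vpn_labels.pop()
    entry = egress_lfib.get(vpn_label)
    return {
        "vpn_label": vpn_label,
        "transport_labels": [s[0] for _, s in labelled if len(s) > 1],
        "php": len(labelled[-1][1]) == 1,   # egress PE received only the VPN label
        "egress_prefix": entry["prefix"] if entry else None,
        "egress_is_vrf_route": bool(entry and entry["vpn"]),
        "ce_matches_lfib": bool(entry) and entry["next_hop"] == hops[-1][0],
    }


if __name__ == "__main__":
    print(check_label_walk(parse_trace(TRACE_CE_R21), parse_lfib(LFIB_PE_R05)))
```

Compare outputs captured in the same session: label values are allocated dynamically, so a traceroute and a forwarding table taken at different times may not line up.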




L3VPN Verification

Below are the various elements required in configuring a L3VPN network.


VRF’s, Route Distinguishers (RD) and Route Targets (RT)

Here are some good informational slides on VRF’s, RD and RT.


VRF's are the virtualized routing containers which house a Customer's L3 information.  This allows multiple customers to be isolated at the Provider Edge network.

A Route Distinguisher simply provides a mechanism to make every Customer's routes unique in the Provider network.  This prevents any issues with overlapping IPv4 addresses.


A Route Target is additional information attached to a customer route to identify which VPN (or VRF) it is a part of.  A VRF reads the RTs to determine whether it should import or export the route.





Showing the VRF details will display the RD per VRF (i.e., per customer) and its import/export Route Target (RT) values.  RTs are used so each PE knows which VPN routes can be transferred in or out of its respective VRF’s.

PE_R05#sh ip vrf detail
VRF CUSTOMER_A (VRF Id = 1); default RD 2345:1; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Gi1.30                 
Address family ipv4 unicast (Table ID = 0x1):
  Flags: 0x0
  Export VPN route-target communities
    RT:2345:1              
  Import VPN route-target communities
    RT:2345:1              
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix

VRF CUSTOMER_B (VRF Id = 2); default RD 2345:2; default VPNID <not set>
  Old CLI format, supports IPv4 only
  Flags: 0xC
  Interfaces:
    Gi1.31                 
Address family ipv4 unicast (Table ID = 0x2):
  Flags: 0x0
  Export VPN route-target communities
    RT:2345:2              
  Import VPN route-target communities
    RT:2345:2              
  No import route-map
  No global export route-map
  No export route-map
  VRF label distribution protocol: not configured
  VRF label allocation mode: per-prefix
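
Because the import/export RT values decide which customer routes land in which VRF, they are worth auditing. The Python sketch below is an added example, not part of the original lab: it parses `sh ip vrf detail` output and reports any VRF that imports an RT exported by a different VRF, as well as RDs reused across VRFs. The function names and the `allowed` parameter are assumptions made for this example.

```python
import re

# Constructed sample: the PE_R05 "sh ip vrf detail" output from this page,
# trimmed to the lines the audit reads.
VRF_DETAIL = """\
VRF CUSTOMER_A (VRF Id = 1); default RD 2345:1; default VPNID <not set>
  Interfaces:
    Gi1.30
Address family ipv4 unicast (Table ID = 0x1):
  Export VPN route-target communities
    RT:2345:1
  Import VPN route-target communities
    RT:2345:1
  No import route-map
VRF CUSTOMER_B (VRF Id = 2); default RD 2345:2; default VPNID <not set>
  Interfaces:
    Gi1.31
Address family ipv4 unicast (Table ID = 0x2):
  Export VPN route-target communities
    RT:2345:2
  Import VPN route-target communities
    RT:2345:2
  No import route-map
"""

VRF_HDR = re.compile(r"^VRF (\S+) \(VRF Id = \d+\); default RD ([^;]+);")


def parse_vrf_detail(text):
    """Return {vrf_name: {rd, interfaces, export, import}}."""
    vrfs, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VRF_HDR.match(line)
        if m:
            cur = vrfs[m.group(1)] = {
                "rd": m.group(2), "interfaces": [],
                "export": set(), "import": set(),
            }
            section = None
        elif cur is None or not line:
            continue
        elif line.startswith("Export VPN route-target"):
            section = "export"
        elif line.startswith("Import VPN route-target"):
            section = "import"
        elif line == "Interfaces:":
            section = "interfaces"
        elif section in ("export", "import") and line.startswith("RT:"):
            cur[section].update(line.split())     # several RTs may share a line
        elif section == "interfaces" and not line.startswith("Address family"):
            cur["interfaces"].extend(line.split())
        else:
            section = None                        # any other line ends the list
    return vrfs


def audit_rt_isolation(vrfs, allowed=frozenset()):
    """Return findings for RD reuse and cross-VRF route-target import.

    allowed holds (importing_vrf, exporting_vrf) pairs that are intentional,
    for example a shared-services VRF.
    """
    findings = []
    names = sorted(vrfs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vrfs[a]["rd"] == vrfs[b]["rd"]:
                findings.append(("duplicate-rd", a, b, vrfs[a]["rd"]))
    for imp in names:
        for exp in names:
            if imp == exp or (imp, exp) in allowed:
                continue
            for rt in sorted(vrfs[imp]["import"] & vrfs[exp]["export"]):
                findings.append(("cross-vrf-import", imp, exp, rt))
    return findings


if __name__ == "__main__":
    print(audit_rt_isolation(parse_vrf_detail(VRF_DETAIL)) or "no findings")
```

RTs are significant across the whole provider network, so a complete audit needs the VRF details from every PE, not just one.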



MP-BGP Backbone Peering between PE and RR

MP-BGP is the engine that propagates and exchanges all customer VPN routes in the Provider network.  It is an essential element for L3VPNs to function.  Provider Edge routers are responsible for sharing this information with the other PE routers using MP-BGP.  These BGP peerings must be fully meshed, but best practice usually dictates the use of Route Reflectors.

MP-BGP peerings are configured under the VPNv4 address-family.  This address family enables PEs to understand VPNv4 prefixes, which contain VPN specific information such as RDs and RTs.



PE to RR peering

PE_R05#sh ip bgp vpnv4 all summary
BGP router identifier 5.5.5.5, local AS number 2345
BGP table version is 39, main routing table version 39
6 network entries using 1536 bytes of memory
7 path entries using 840 bytes of memory
7/6 BGP path/bestpath attribute entries using 1848 bytes of memory
1 BGP rrinfo entries using 40 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP community entries using 48 bytes of memory
5 BGP extended community entries using 1024 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 5384 total bytes of memory
1 received paths for inbound soft reconfiguration
BGP activity 14/8 prefixes, 19/12 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.2.2.2        4        65000   25744   25753       39    0    0 2d00h           1
11.11.11.11     4         2345   25762   25781       39    0    0 2d00h           3

PE_R06#sh ip bgp vpnv4 all summary
BGP router identifier 6.6.6.6, local AS number 2345
BGP table version is 38, main routing table version 38
6 network entries using 1536 bytes of memory
7 path entries using 840 bytes of memory
7/6 BGP path/bestpath attribute entries using 1848 bytes of memory
1 BGP rrinfo entries using 40 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP community entries using 48 bytes of memory
5 BGP extended community entries using 1024 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 5384 total bytes of memory
1 received paths for inbound soft reconfiguration
BGP activity 14/8 prefixes, 19/12 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.2.2.10       4        65001   25792   25781       38    0    0 2d00h           1
11.11.11.11     4         2345   25815   25809       38    0    0 2d00h           3



RR peering to PE

RR_R11#sh ip bgp vpnv4 all summary
BGP router identifier 11.11.11.11, local AS number 2345
BGP table version is 35, main routing table version 35
6 network entries using 1536 bytes of memory
6 path entries using 720 bytes of memory
6/6 BGP path/bestpath attribute entries using 1584 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP community entries using 48 bytes of memory
5 BGP extended community entries using 1024 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 4960 total bytes of memory
BGP activity 17/11 prefixes, 19/13 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
5.5.5.5         4         2345   25839   25819       35    0    0 2d00h           3
6.6.6.6         4         2345   25826   25833       35    0    0 2d00h           3

A quick look at the VPN route table on the RR shows that it doesn’t know anything about the VRFs configured on the PE routers. It only understands VPNv4 prefixes and relies on the RD to maintain prefix uniqueness.

RR_R11#sh ip bgp vpnv4 all
BGP table version is 31, local router ID is 11.11.11.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2345:1
 *>i 172.16.1.0/24    5.5.5.5                  0    100      0 65000 i
 *>i 172.16.2.0/24    6.6.6.6                  0    100      0 65001 i
Route Distinguisher: 2345:2
 *>i 10.2.2.4/30      5.5.5.5                  0    100      0 ?
 *>i 10.2.2.12/30     6.6.6.6                  0    100      0 ?
 *>i 192.168.1.0      5.5.5.5             130816    100      0 ?
 *>i 192.168.2.0      6.6.6.6             130816    100      0 ?



PE to CE Routing Protocol

When configuring an L3VPN, there is the option to use an additional routing protocol between the Customer Edge (CE) device and the PE. This routing protocol is not related to the MP-BGP peering discussed earlier; however, MP-BGP does play a role, because it embeds PE-CE routing protocol information into the MP-BGP VPNv4 routes as they are exchanged between the PEs.

Here is a look at the PE-CE routing protocol peerings and the prefixes that were learned.  For brevity, I will use PE5’s peering to both customer CEs.  Customer A uses eBGP while Customer B uses EIGRP for their PE-CE protocols.

PE5’s eBGP peering to CE20 (10.2.2.2).  We learned 1 prefix from the CE for Customer A.

PE_R05#sh ip bgp vpnv4 vrf CUSTOMER_A summary
BGP router identifier 5.5.5.5, local AS number 2345
BGP table version is 35, main routing table version 35
2 network entries using 512 bytes of memory
3 path entries using 360 bytes of memory
7/6 BGP path/bestpath attribute entries using 1848 bytes of memory
1 BGP rrinfo entries using 40 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP community entries using 48 bytes of memory
5 BGP extended community entries using 1024 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 3880 total bytes of memory
1 received paths for inbound soft reconfiguration
BGP activity 14/8 prefixes, 17/10 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.2.2.2        4        65000   21725   21728       35    0    0 1d16h           1

PE5’s eBGP route learned from CE20.

PE_R05#sh ip bgp vpnv4 vrf CUSTOMER_A neighbors 10.2.2.2 routes
BGP table version is 39, local router ID is 5.5.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 2345:1 (default for vrf CUSTOMER_A)
 *>  172.16.1.0/24    10.2.2.2                 0             0 65000 i

Total number of prefixes 1

PE5’s EIGRP peering to CE8 (10.2.2.6).  We learned 1 prefix from the CE for Customer B.

PE_R05#sh ip eigrp vrf CUSTOMER_B neighbors detail
EIGRP-IPv4 Neighbors for AS(65100) VRF(CUSTOMER_B)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.2.2.6                Gi1.31                   13 1d16h       1   100  0  9
   Version 20.0/2.0, Retrans: 1, Retries: 0, Prefixes: 1
   Topology-ids from peer - 0
   Topologies advertised to peer:   base

Max Nbrs: 0, Current Nbrs: 0

PE5’s EIGRP route learned from CE8.

PE_R05#sh ip route vrf CUSTOMER_B eigrp

Routing Table: CUSTOMER_B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

D     192.168.1.0/24 [90/130816] via 10.2.2.6, 1d01h, GigabitEthernet1.31



MP-BGP VPNv4 NLRI

Below we look at the MP-BGP VPNv4 NLRI in more detail for a particular prefix (BGP PE-CE). We can see the entry has the RD prepended to the IPv4 prefix.  It also contains the Route Target and MPLS labels.

RR_R11#sh ip bgp vpnv4 rd 2345:1 172.16.1.0/24
BGP routing table entry for 2345:1:172.16.1.0/24, version 30
Paths: (1 available, best #1, no table)
  Advertised to update-groups:
     1        
  Refresh Epoch 1
  65000, (Received from a RR-client)
    5.5.5.5 (metric 3) (via default) from 5.5.5.5 (5.5.5.5)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Community: 65000:20
      Extended Community: RT:2345:1
      mpls labels in/out nolabel/530
      rx pathid: 0, tx pathid: 0x0

However, looking at an EIGRP CE-PE NLRI gets a little more interesting. Besides the usual Route Target and MPLS labels embedded into the NLRI, we can see MP-BGP has also encoded the EIGRP protocol-specific attributes into its extended communities. These include variables such as ASN, route metric and MTU.

RR_R11#sh ip bgp vpnv4 rd 2345:2 192.168.1.0/24
BGP routing table entry for 2345:2:192.168.1.0/24, version 35
Paths: (1 available, best #1, no table)
  Advertised to update-groups:
     1        
  Refresh Epoch 1
  Local, (Received from a RR-client)
    5.5.5.5 (metric 3) (via default) from 5.5.5.5 (5.5.5.5)
      Origin incomplete, metric 130816, localpref 100, valid, internal, best
      Extended Community: RT:2345:2 Cost:pre-bestpath:128:130816
        0x8800:32768:0 0x8801:65100:128256 0x8802:65281:2560 0x8803:65281:1514
        0x8806:0:134744072
      mpls labels in/out nolabel/525
      rx pathid: 0, tx pathid: 0x0

PE_R05#sh ip route vrf CUSTOMER_B 192.168.1.0

Routing Table: CUSTOMER_B
Routing entry for 192.168.1.0/24
  Known via "eigrp 65100", distance 90, metric 130816, type internal
  Redistributing via eigrp 65100, bgp 2345
  Advertised by bgp 2345
  Last update from 10.2.2.6 on GigabitEthernet1.31, 3d04h ago
  Routing Descriptor Blocks:
  * 10.2.2.6, from 10.2.2.6, 3d04h ago, via GigabitEthernet1.31
      Route metric is 130816, traffic share count is 1
      Total delay is 5010 microseconds, minimum bandwidth is 1000000 Kbit
      Reliability 255/255, minimum MTU 1514 bytes
      Loading 1/255, Hops 1
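
The extended communities on the RR can be cross-checked against the PE5 route entry above. This is an added example, not part of the original post: the field layout for types 0x8801 to 0x8803 is an assumption based on Cisco's documented EIGRP PE-CE communities, the function name is hypothetical, and types 0x8800 and 0x8806 are parsed but left undecoded.

```python
# Extended-community values copied from the RR output for 2345:2:192.168.1.0/24.
EXT_COMM = ("0x8800:32768:0 0x8801:65100:128256 0x8802:65281:2560 "
            "0x8803:65281:1514 0x8806:0:134744072")


def decode_eigrp_communities(text):
    """Decode the EIGRP metric communities (0x8801-0x8803) into route attributes.

    Assumed layout: every value is type:16-bit field:32-bit field, with
      0x8801 = EIGRP AS           : scaled delay
      0x8802 = reliability | hops : scaled bandwidth
      0x8803 = reserved | load    : MTU
    """
    raw = {}
    for token in text.split():
        kind, high, low = token.split(":")
        raw[int(kind, 16)] = (int(high), int(low))

    attrs = {}
    attrs["asn"], scaled_delay = raw[0x8801]
    rel_hops, scaled_bw = raw[0x8802]
    rsvd_load, attrs["mtu"] = raw[0x8803]

    # Two 8-bit values are packed into each 16-bit field.
    attrs["reliability"], attrs["hops"] = rel_hops >> 8, rel_hops & 0xFF
    attrs["load"] = rsvd_load & 0xFF

    # Classic EIGRP scaling: delay is carried as (tens of microseconds * 256),
    # bandwidth as (10^7 / minimum bandwidth in kbit/s) * 256.
    attrs["delay_usec"] = scaled_delay // 256 * 10
    attrs["min_bw_kbit"] = 10**7 * 256 // scaled_bw

    # Composite metric with the default K values (K1 = K3 = 1).
    attrs["metric"] = scaled_bw + scaled_delay
    return attrs


if __name__ == "__main__":
    for name, value in decode_eigrp_communities(EXT_COMM).items():
        print(f"{name:12} {value}")
```

The decoded delay, bandwidth, MTU, reliability, load and hop count line up with the `sh ip route vrf CUSTOMER_B 192.168.1.0` output on PE5, and the recomputed metric equals the BGP metric carried for the prefix.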


The table below defines each value in more detail.



Packet Walk

Now that we understand the infrastructure components and what they do, we can put this all together and do an example step-by-step packet walk from CE20 to CE21 for Customer A. This will demonstrate how the Service Provider is routing and switching the packet end to end.

Traceroute

Tracing from CE20 shows the path throughout the network to CE21.

CE_R20#traceroute 172.16.2.254 source lo100
Type escape sequence to abort.
Tracing the route to 172.16.2.254
VRF info: (vrf in name/id, vrf out name/id)
  1 10.2.2.1 4 msec 3 msec 4 msec
  2 10.1.1.5 [MPLS: Labels 320/630 Exp 0] 8 msec 7 msec 7 msec
  3 10.0.0.22 [MPLS: Labels 420/630 Exp 0] 28 msec 30 msec 32 msec
  4 10.2.2.9 [MPLS: Label 630 Exp 0] 20 msec 19 msec 21 msec
  5 10.2.2.10 20 msec *  9 msec


Packet Walk Diagram


MPLS Operation


Packet Walk MPLS Operation Diagram



CE20 sends traffic to CE21. CE20 does an IP route table lookup for destination 172.16.2.0/24 and is directed to next-hop 10.2.2.1 (PE5). Normal routing is taking place here and no MPLS label is used. The packet is forwarded to 10.2.2.1.

CE_R20#sh ip route 172.16.2.0
Routing entry for 172.16.2.0/24
  Known via "bgp 65000", distance 20, metric 0
  Tag 2345, type external
  Last update from 10.2.2.1 1d07h ago
  Routing Descriptor Blocks:
  * 10.2.2.1, from 10.2.2.1, 1d07h ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 2345
      MPLS label: none

The packet arrives on PE5, which does an IP route lookup under VRF CUSTOMER_A for destination 172.16.2.0/24. It's directed to next-hop 6.6.6.6, and from an IP routing perspective it’s only 1 hop away even though it is multiple hops within the MPLS network. A VPN MPLS (inner) label of 630 is imposed/pushed. This label is used to identify which VPN (i.e., VRF) this prefix belongs to.

PE_R05#sh ip route vrf CUSTOMER_A 172.16.2.0

Routing Table: CUSTOMER_A
Routing entry for 172.16.2.0/24
  Known via "bgp 2345", distance 200, metric 0
  Tag 65001, type internal
  Last update from 6.6.6.6 1d06h ago
  Routing Descriptor Blocks:
  * 6.6.6.6 (default), from 11.11.11.11, 1d06h ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65001
      MPLS label: 630
      MPLS Flags: MPLS Required

As MPLS is required, PE5 consults its MPLS forwarding table.  To reach 6.6.6.6, we must push the LSP (outer) label of 320 and send to next-hop 10.1.1.5 (P3).  At this point, we have a full MPLS label stack of {630,320}.

PE_R05#sh mpls forwarding-table 6.6.6.6
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop   
Label      Label      or Tunnel Id     Switched      interface             
504        320        6.6.6.6/32       0             Gi1.21     10.1.1.5 


Note: The MPLS LDP binding database shows how this decision was made. The LER uses the underlay IGP route table to determine which LSR to use and therefore what label to push. Since the IGP route for 6.6.6.6 points to P3 (lowest cost), the remote binding from the LSR with ID 3.3.3.3 is selected, which gives label 320.

PE_R05#sh ip route 6.6.6.6
Routing entry for 6.6.6.6/32
  Known via "ospf 100", distance 110, metric 4, type intra area
  Last update from 10.1.1.5 on GigabitEthernet1.21, 5d01h ago
  Routing Descriptor Blocks:
  * 10.1.1.5, from 6.6.6.6, 5d01h ago, via GigabitEthernet1.21
      Route metric is 4, traffic share count is 1

PE_R05#sh mpls ldp bindings 6.6.6.6 255.255.255.255
  lib entry: 6.6.6.6/32, rev 12
        local binding:  label: 504
        remote binding: lsr: 3.3.3.3:0, label: 320
        remote binding: lsr: 1.1.1.1:0, label: 120


The packet arrives on P3, which consults its MPLS forwarding table. For label 320, the next operation is to swap it with label 420 and send the packet to its next-hop of 10.0.0.22 (P4).

P_R03#sh mpls forwarding-table labels 320       
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop   
Label      Label      or Tunnel Id     Switched      interface             
320        420        6.6.6.6/32       9636          Gi1.15     10.0.0.22 

The packet arrives on P4, which consults its MPLS forwarding table. For label 420, P4 pops the label off and sends the packet to its next-hop 10.1.1.14 (PE6). This LSR pops the label off here due to Penultimate Hop Popping (PHP) behavior.

P_R04#sh mpls forwarding-table labels 420
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop   
Label      Label      or Tunnel Id     Switched      interface             
420        Pop Label  6.6.6.6/32       1132182       Gi1.23     10.1.1.14  



Note: PHP is an efficiency mechanism in MPLS networks and is the default behavior in IOS. It allows the last LSR in the LSP (the hop before the egress LER) to pop the outer label. This saves resources on the LER because it no longer has to perform a lookup on that label before doing its lookup for the destination network.



When PHP is used, the “implicit-null” label is used in the binding database.

P_R04#sh mpls ldp bindings 6.6.6.6 32     
  lib entry: 6.6.6.6/32, rev 56
        local binding:  label: 420
        remote binding: lsr: 1.1.1.1:0, label: 120
        remote binding: lsr: 3.3.3.3:0, label: 320
        remote binding: lsr: 6.6.6.6:0, label: imp-null
        remote binding: lsr: 2.2.2.2:0, label: 220


The packet arrives on PE6, which does an MPLS forwarding lookup on the inner (VPN) label (630) to determine which VPN it belongs to (Customer A).

PE_R06#sh mpls forwarding-table labels 630 detail 
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop    
Label      Label      or Tunnel Id     Switched      interface              
630        No Label   172.16.2.0/24[V] 323390        Gi1.32     10.2.2.10   
        MAC/Encaps=18/18, MRU=9220, Label Stack{}
        000C29F12BDA000C298D7AB2810000200800 
        VPN route: CUSTOMER_A
        No output feature configured

PE6 does an IP route lookup under Customer A's VRF and forwards traffic to CE21 via 10.2.2.10.

PE_R06#sh ip route vrf CUSTOMER_A 172.16.2.0

Routing Table: CUSTOMER_A
Routing entry for 172.16.2.0/24
  Known via "bgp 2345", distance 20, metric 0
  Tag 65001, type external
  Last update from 10.2.2.10 1d07h ago
  Routing Descriptor Blocks:
  * 10.2.2.10, from 10.2.2.10, 1d07h ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65001
      MPLS label: none
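
The whole walk can be replayed from the forwarding entries shown in the steps above and compared with the labels the traceroute reported. This is an added example, not part of the original post: the labels and next hops are copied from the show outputs, while the table layout and function names are assumptions made for the illustration.

```python
import re

# Forwarding state copied from the show commands in the packet walk.
# Router short names (PE5, P3, ...) follow the post; the dictionary layout
# and function names are assumptions made for this example.
VRF_ROUTE = {("PE5", "CUSTOMER_A", "172.16.2.0/24"): ("6.6.6.6", 630)}
PUSH = {("PE5", "6.6.6.6"): (320, "P3")}        # transport label, next LSR
LFIB = {                                        # (router, top label) -> action
    ("P3", 320): ("swap", 420, "P4"),
    ("P4", 420): ("pop", None, "PE6"),          # PHP: PE6 advertised imp-null
    ("PE6", 630): ("vpn", None, "CE21"),        # "No Label", VPN route CUSTOMER_A
}

# Hops 1-5 of the traceroute from CE20 shown in the post.
TRACEROUTE = """\
  1 10.2.2.1 4 msec 3 msec 4 msec
  2 10.1.1.5 [MPLS: Labels 320/630 Exp 0] 8 msec 7 msec 7 msec
  3 10.0.0.22 [MPLS: Labels 420/630 Exp 0] 28 msec 30 msec 32 msec
  4 10.2.2.9 [MPLS: Label 630 Exp 0] 20 msec 19 msec 21 msec
  5 10.2.2.10 20 msec *  9 msec
"""


def packet_walk(ingress, vrf, prefix):
    """Return [(receiving node, label stack on arrival, top label first)]."""
    bgp_next_hop, vpn_label = VRF_ROUTE[(ingress, vrf, prefix)]
    transport_label, node = PUSH[(ingress, bgp_next_hop)]
    stack = [transport_label, vpn_label]        # outer label sits on top
    trace = []
    while stack:
        trace.append((node, tuple(stack)))
        action, out_label, next_node = LFIB[(node, stack[0])]
        if action == "swap":
            stack[0] = out_label
        else:                                   # "pop" (PHP) or "vpn" disposition
            stack.pop(0)
        if action == "vpn" and stack:
            raise ValueError("labels left after VPN label disposition")
        node = next_node
    trace.append((node, ()))                    # plain IP packet towards the CE
    return trace


def traceroute_stacks(text):
    """Extract the label stack reported at each traceroute hop."""
    stacks = []
    for line in text.splitlines():
        m = re.search(r"MPLS: Labels? ([\d/]+)", line)
        stacks.append(tuple(int(x) for x in m.group(1).split("/")) if m else ())
    return stacks


if __name__ == "__main__":
    for node, stack in packet_walk("PE5", "CUSTOMER_A", "172.16.2.0/24"):
        print(f"{node:5} receives labels {stack}")
```

A label with no entry in the receiving router's table raises a `KeyError`, which corresponds to the packet being dropped because no forwarding entry exists for it.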



Conclusion

MPLS has always been a favorite technology of mine and I'm glad I had an opportunity to build, configure and understand it. I plan on building on this lab to learn other technologies, such as MPLS Traffic Engineering, QoS, VPLS and VPWS.



References

Configuration Tutorials:




MPLS Information: