Configuration Example- Route-Reflectors Implementation in MPLS VPN
VERSION 4
o Introduction:
o BGP route reflectors:
o How MPLS will work without RR:
o How MPLS will work after adding RR:
o Configuration Example:
  MPLS VPN Data Plane:
  MPLS VPN Control Plane:
o Verification:
Introduction:
BGP has strict rules to prevent routing loops. One of them states that any route received from an iBGP neighbor must not be advertised to any other iBGP neighbor.
This loop prevention mechanism requires all iBGP routers in the network to be connected in a logical full-mesh topology so that routing information can propagate throughout the network. However, full-mesh connectivity has never been a scalable solution, especially in large networks.
Two mechanisms were introduced to solve the scalability problem by eliminating the need for the full mesh while at the same time keeping the network loop-free. The first was BGP confederations and the second was BGP route reflectors.
This document explains the concept behind implementing route reflectors in an MPLS VPN.
BGP route reflectors:
A route reflector is a BGP router that is allowed to break the iBGP loop avoidance rule. Route reflectors can advertise updates received from an iBGP peer to another iBGP peer under specific conditions.
By breaking the rules, route reflectors are used to eliminate the full mesh requirement and allow for building iBGP networks that scale easily and cleanly.
How MPLS will work without RR:
The diagram below shows a typical MPLS VPN-based network with no RR. Whenever you introduce a new PE, each existing PE in the service provider network requires an additional BGP neighbor command associating it with the new PE. In BGP, updates received by a peer in an AS are not allowed to be forwarded to another peer within the same AS. Therefore, a BGP network must be fully meshed, with all peers adjacent to one another, as far as BGP routing updates are concerned. If the number of PEs becomes substantial enough to make this operation impractical that is, adding neighbor commands in every PE.
How MPLS will work after adding RR:
When you add RRs, the PEs would only require neighbors defined for each RR. Any updates would be sent to the RR alone. The RRs are then responsible for propagating information received from PEs to all other PEs. Each time a PE is added, a neighbor statement pointing to the RR needs to be added on the new PE router, and on the RR, a neighbor statement pointing to the PE must be added.
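The two sections above can be checked with a small model of the iBGP advertisement rules, run on this page's four routers. This is an added example, not part of the original document; it assumes a single prefix, treats the first copy a router receives as its best path, and does not model CLUSTER_LIST.

```python
from collections import deque
from itertools import combinations

def peers_of(router, sessions):
    """All routers that share an iBGP session with `router`."""
    return {p for s in sessions if router in s for p in s if p != router}

def propagate(sessions, rr_clients, origin):
    """Return {router: [peers it received origin's route from]}.

    sessions:   set of frozenset({a, b}) iBGP sessions.
    rr_clients: {route reflector: set of its clients}; other routers are absent.
    """
    received = {}
    # A locally originated route is advertised to every iBGP peer.
    queue = deque((origin, peer) for peer in sorted(peers_of(origin, sessions)))
    while queue:
        sender, router = queue.popleft()
        if router == origin:          # ORIGINATOR_ID: drop our own route coming back
            continue
        first_copy = router not in received
        received.setdefault(router, []).append(sender)
        clients = rr_clients.get(router)
        if clients is None or not first_copy:
            continue                  # plain iBGP speaker never re-advertises iBGP routes
        # Route reflector: a client's route goes to every other peer,
        # a non-client's route goes to clients only.
        for peer in sorted(peers_of(router, sessions) - {sender}):
            if sender in clients or peer in clients:
                queue.append((router, peer))
    return received

def mesh(*routers):
    """Full-mesh session set: n(n-1)/2 sessions for n routers."""
    return {frozenset(pair) for pair in combinations(routers, 2)}

# Topology from this page: each PE peers with both RRs and nothing else.
RR_SESSIONS = {frozenset(p) for p in [("PE1", "RR1"), ("PE1", "RR2"),
                                      ("PE2", "RR1"), ("PE2", "RR2")]}
RR_CLIENTS = {"RR1": {"PE1", "PE2"}, "RR2": {"PE1", "PE2"}}

if __name__ == "__main__":
    print("with RR:     ", propagate(RR_SESSIONS, RR_CLIENTS, "PE1"))
    print("no reflection:", propagate(RR_SESSIONS, {}, "PE1"))
    print("full mesh:   ", propagate(mesh("PE1", "PE2", "RR1", "RR2"), {}, "PE1"))
```

With reflection enabled, PE2 receives PE1's route once from each RR, which is why the PE outputs in the Verification section list two iBGP paths per remote prefix.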
Configuration Example:
In the scenario below, PE1 and PE2 are provider edge routers facing the customer routers CE1 and CE2 respectively. RR1 and RR2 act as route reflectors for VPNv4 only. These routers handle both control-plane and data-plane forwarding for VPN sites only.
All interfaces are already configured as shown in basic configuration:
hostname CE1
!
ip cef
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.252
!

hostname CE2
!
ip cef
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.1.5 255.255.255.252
!

hostname PE1
!
ip cef
!
interface Loopback0
ip address 10.1.1.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
!
interface FastEthernet0/1
ip address 192.168.1.5 255.255.255.252
!
interface FastEthernet1/0
ip address 172.16.1.2 255.255.255.252
!

hostname PE2
!
ip cef
!
interface Loopback0
ip address 10.1.1.4 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.13 255.255.255.252
!
interface FastEthernet0/1
ip address 192.168.1.10 255.255.255.252
!
interface FastEthernet1/0
ip address 172.16.1.6 255.255.255.252
!

hostname RR1
!
ip cef
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.252
!
interface FastEthernet0/1
ip address 192.168.1.9 255.255.255.252
!

hostname RR2
!
ip cef
!
interface Loopback0
ip address 10.1.1.2 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.14 255.255.255.252
!
interface FastEthernet0/1
ip address 192.168.1.6 255.255.255.252
!
We will now configure all routers in the topology step by step.
MPLS VPN Data Plane:
Configure OSPF as the backbone IGP and enable MPLS on the interfaces:
PE1(config)#int fa0/0
PE1(config-if)#ip os 1 ar 0
PE1(config-if)#mpls ip
PE1(config-if)#int fa0/1
PE1(config-if)#ip os 1 ar 0
PE1(config-if)#mpls ip
PE1(config-if)#int lo 0
PE1(config-if)#ip os 1 ar 0
PE1(config-if)#exit
PE2(config)#int fa0/0
PE2(config-if)#ip os 1 ar 0
PE2(config-if)#mpls ip
PE2(config-if)#int fa0/1
PE2(config-if)#ip os 1 ar 0
PE2(config-if)#mpls ip
PE2(config-if)#int lo0
PE2(config-if)#ip os 1 ar 0
PE2(config-if)#exit
RR1(config)#int fa0/0
RR1(config-if)#ip os 1 ar 0
RR1(config-if)#mpls ip
RR1(config-if)#int fa0/1
RR1(config-if)#ip os 1 ar 0
RR1(config-if)#mpls ip
RR1(config-if)#int lo0
RR1(config-if)#ip os 1 ar 0
RR1(config-if)#exit
RR2(config)#int fa0/0
RR2(config-if)#ip os 1 ar 0
RR2(config-if)#mpls ip
RR2(config-if)#int fa0/1
RR2(config-if)#ip os 1 ar 0
RR2(config-if)#mpls ip
RR2(config-if)#int lo0
RR2(config-if)#ip os 1 ar 0
RR2(config-if)#exit
MPLS VPN Control Plane:
Step 1: Configure VRF and associated interfaces
Define the VRF Cust_A with its Route Distinguisher (RD) and Route Targets (RT) on the PE routers PE1 and PE2, and apply the VRF to the physical interface facing the customer.
PE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#ip vrf Cust_A
PE1(config-vrf)# description Customer-A
PE1(config-vrf)# rd 1:100
PE1(config-vrf)# route-target export 1:100
PE1(config-vrf)# route-target import 1:100
PE1(config-vrf)#exit
PE1(config)#int fa1/0
PE1(config-if)#ip vrf forwarding Cust_A
PE2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE2(config)#ip vrf Cust_A
PE2(config-vrf)# description Customer-A
PE2(config-vrf)# rd 1:100
PE2(config-vrf)# route-target export 1:100
PE2(config-vrf)# route-target import 1:100
PE2(config-vrf)#exit
PE2(config)#int fa1/0
PE2(config-if)#ip vrf forwarding Cust_A
PE2(config-if)#exit
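The route targets defined in Step 1 decide which VRFs exchange routes, so a mistyped import quietly joins two customers. The following added example (not part of the original document) parses `ip vrf` stanzas and lists every case where one VRF imports what another exports. The Cust_A stanza is the one from this page; Cust_B and its extra import are hypothetical, constructed to show a finding.

```python
import re
from itertools import permutations

# Constructed sample in running-config form. Cust_A is from this page;
# Cust_B is hypothetical and imports 1:100 by mistake.
PE_CONFIG = """\
ip vrf Cust_A
 description Customer-A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip vrf Cust_B
 description Customer-B
 rd 1:200
 route-target export 1:200
 route-target import 1:200
 route-target import 1:100
!
"""

def parse_vrfs(config):
    """Return {vrf: {"rd": str, "import": set, "export": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip vrf (\S+)", line):
            current = vrfs.setdefault(
                m.group(1), {"rd": None, "import": set(), "export": set()})
        elif not line.startswith(" "):
            current = None                       # unindented line ends the stanza
        elif current is not None:
            if m := re.match(r"\s+rd (\S+)", line):
                current["rd"] = m.group(1)
            elif m := re.match(r"\s+route-target (import|export|both) (\S+)", line):
                kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
                for kind in kinds:
                    current[kind].add(m.group(2))
    return vrfs

def cross_vrf_imports(vrfs):
    """List (exporter, importer, shared RTs) for each pair of different VRFs."""
    return [(a, b, sorted(vrfs[a]["export"] & vrfs[b]["import"]))
            for a, b in permutations(vrfs, 2)
            if vrfs[a]["export"] & vrfs[b]["import"]]

if __name__ == "__main__":
    for exporter, importer, rts in cross_vrf_imports(parse_vrfs(PE_CONFIG)):
        print(f"{importer} imports routes exported by {exporter} via RT {rts}")
```

An empty result means each VRF only imports its own exports; any entry should correspond to an intended extranet or shared-services design.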
Step 2: Configuring IGP between PE and CE
Configure OSPF with process number 100 under the VRF on both PE1 and PE2:
PE1(config)#router ospf 100 vrf Cust_A
PE1(config-router)# log-adjacency-changes
PE1(config-router)# network 0.0.0.0 255.255.255.255 area 1
PE1(config-router)#exit
PE2(config)#router ospf 100 vrf Cust_A
PE2(config-router)# log-adjacency-changes
PE2(config-router)# network 0.0.0.0 255.255.255.255 area 1
PE2(config-router)#exit
Enable OSPF on CE1 and CE2 facing PE1 and PE2 respectively:
CE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CE1(config)#int lo 0
CE1(config-if)# ip ospf 100 area 1
CE1(config-if)#int fa0/0
CE1(config-if)# ip ospf 100 area 1
CE1(config-if)#exit
CE2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CE2(config)#int lo 0
CE2(config-if)# ip ospf 100 area 1
CE2(config-if)#int fa0/0
CE2(config-if)# ip ospf 100 area 1
CE2(config-if)#exit
Step 3: Configuring redistribution between PE-CE IGP and MP-BGP
PE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#router ospf 100 vrf Cust_A
PE1(config-router)# redistribute bgp 1 subnets
PE1(config-router)#exit
PE1(config)#router bgp 1
PE1(config-router)#address-family ipv4 vrf Cust_A
PE1(config-router-af)#redistribute os 100 vrf Cust_A match internal ex 1 ex 2
PE1(config-router-af)#end
PE2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE2(config)#router ospf 100 vrf Cust_A
PE2(config-router)# redistribute bgp 1 subnets
PE2(config-router)#exit
PE2(config)#router bgp 1
PE2(config-router)#address-family ipv4 vrf Cust_A
PE2(config-router-af)#redistribute os 100 vrf Cust_A match internal ex 1 ex 2
PE2(config-router-af)#end
Step 4: Configuring MP-BGP between PEs:
In this step you configure an MP-BGP session from each PE to the RRs, and the RRs forward VPNv4 routes from one PE to the other. Here RR1 and RR2 are not only responsible for the MPLS data plane but also act as route reflectors, for VPNv4 prefixes only.
PE1 and PE2 configuration:
PE1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE1(config)#router bgp 1
PE1(config-router)# neighbor 10.1.1.1 remote-as 1
PE1(config-router)# neighbor 10.1.1.1 update-source Loopback0
PE1(config-router)# neighbor 10.1.1.2 remote-as 1
PE1(config-router)# neighbor 10.1.1.2 update-source Loopback0
PE1(config-router)# address-family vpnv4
PE1(config-router-af)# neighbor 10.1.1.1 activate
PE1(config-router-af)# neighbor 10.1.1.1 send-community both
PE1(config-router-af)# neighbor 10.1.1.2 activate
PE1(config-router-af)# neighbor 10.1.1.2 send-community both
PE1(config-router-af)# exit-address-family
PE1(config-router)#exit
PE2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PE2(config)#router bgp 1
PE2(config-router)# neighbor 10.1.1.1 remote-as 1
PE2(config-router)# neighbor 10.1.1.1 update-source Loopback0
PE2(config-router)# neighbor 10.1.1.2 remote-as 1
PE2(config-router)# neighbor 10.1.1.2 update-source Loopback0
PE2(config-router)# address-family vpnv4
PE2(config-router-af)# neighbor 10.1.1.1 activate
PE2(config-router-af)# neighbor 10.1.1.1 send-community both
PE2(config-router-af)# neighbor 10.1.1.2 activate
PE2(config-router-af)# neighbor 10.1.1.2 send-community both
PE2(config-router-af)# exit-address-family
PE2(config-router)#exit
Configuring RR1 and RR2:
RR1(config)#router bgp 1
RR1(config-router)#neighbor RR1 peer-group
RR1(config-router)#neighbor RR1 remote-as 1
RR1(config-router)#address-family vpnv4
RR1(config-router-af)#neighbor 10.1.1.3 peer-group RR1
RR1(config-router-af)#neighbor 10.1.1.4 peer-group RR1
RR1(config-router-af)#neighbor RR1 route-reflector-client
RR1(config-router-af)#end
RR2(config)#router bgp 1
RR2(config-router)#neighbor RR2 peer-group
RR2(config-router)#neighbor RR2 remote-as 1
RR2(config-router)#address-family vpnv4
RR2(config-router-af)#neighbor 10.1.1.3 peer-group RR2
RR2(config-router-af)#neighbor 10.1.1.4 peer-group RR2
RR2(config-router-af)#neighbor RR2 route-reflector-client
RR2(config-router-af)#end
Another key point to note is that the peer groups need not be activated under the VPNv4 address-family. They are automatically activated when peer-group parameters are defined.
Verification:
Step 1: Verify peer group information:
RR1#show ip bgp peer-group RR1
BGP peer-group is RR1, remote AS 1
BGP version 4
Default minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
BGP neighbor is RR1, no member
Index 0, Offset 0, Mask 0x0
Update messages formatted 0, replicated 0
Number of NLRIs in the update sent: max 0, min 0
For address family: VPNv4 Unicast
BGP neighbor is RR1, peer-group internal, members:
10.1.1.3 10.1.1.4
Index 0, Offset 0, Mask 0x0
Route-Reflector Client
Update messages formatted 0, replicated 0
Number of NLRIs in the update sent: max 0, min 0
RR2#show ip bgp peer-group RR2
BGP peer-group is RR2, remote AS 1
BGP version 4
Default minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
BGP neighbor is RR2, no member
Index 0, Offset 0, Mask 0x0
Update messages formatted 0, replicated 0
Number of NLRIs in the update sent: max 0, min 0
For address family: VPNv4 Unicast
BGP neighbor is RR2, peer-group internal, members:
10.1.1.3 10.1.1.4
Index 0, Offset 0, Mask 0x0
Route-Reflector Client
Update messages formatted 0, replicated 0
Number of NLRIs in the update sent: max 0, min 0
Step 2: Verify the BGP VPNv4 routing table. The output shows that RR1/RR2 and PE1 receive the routes as expected:
RR1#sh ip bgp vpnv4 al | be Ne
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100
*>i1.1.1.1/32 10.1.1.3 2 100 0 ?
*>i2.2.2.2/32 10.1.1.4 2 100 0 ?
*>i172.16.1.0/30 10.1.1.3 0 100 0 ?
*>i172.16.1.4/30 10.1.1.4 0 100 0 ?
RR2#sh ip bgp vpnv4 al | be Ne
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100
*>i1.1.1.1/32 10.1.1.3 2 100 0 ?
*>i2.2.2.2/32 10.1.1.4 2 100 0 ?
*>i172.16.1.0/30 10.1.1.3 0 100 0 ?
*>i172.16.1.4/30 10.1.1.4 0 100 0 ?
PE1#sh ip bgp vpnv4 al | be Ne
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf Cust_A)
*> 1.1.1.1/32 172.16.1.1 2 32768 ?
* i2.2.2.2/32 10.1.1.4 2 100 0 ?
*>i 10.1.1.4 2 100 0 ?
*> 172.16.1.0/30 0.0.0.0 0 32768 ?
* i172.16.1.4/30 10.1.1.4 0 100 0 ?
*>i 10.1.1.4 0 100 0 ?
PE2#sh ip bgp vpnv4 al | be Ne
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf Cust_A)
* i1.1.1.1/32 10.1.1.3 2 100 0 ?
*>i 10.1.1.3 2 100 0 ?
*> 2.2.2.2/32 172.16.1.5 2 32768 ?
* i172.16.1.0/30 10.1.1.3 0 100 0 ?
*>i 10.1.1.3 0 100 0 ?
*> 172.16.1.4/30 0.0.0.0 0 32768 ?
Step 3: Verify end-to-end connectivity:
CE1#ping 2.2.2.2 so lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/66/80 ms
CE1#traceroute 2.2.2.2 so lo 0
Type escape sequence to abort.
Tracing the route to 2.2.2.2
1 172.16.1.2 36 msec 36 msec 32 msec
2 192.168.1.6 [MPLS: Labels 20/21 Exp 0] 64 msec 68 msec 72 msec
3 172.16.1.6 [MPLS: Label 21 Exp 0] 60 msec 48 msec 40 msec
4 172.16.1.5 80 msec * 100 msec