Saturday, June 16, 2012

Building MPLS Layer 3 VPN Series Part 3 - Building The Edge

Today let's continue with the third part of our MPLS VPN series. We will be spending some time building the edge of the network.


Let's take a close look at the topology:






We are going to build two VPNs here. One will be called VPN - BLUE and the other VPN - RED. Each VPN represents one customer, and as the ISP we have to keep the customers separate: we need to ensure that VPN - BLUE routes can't be seen by VPN - RED and vice versa.


To meet this requirement, MPLS supports a feature known as VRF (Virtual Routing & Forwarding). Each VRF is just like a virtual instance which by default doesn't talk to other VRFs. This also allows customers to use overlapping network addresses.


So let's hop on to the CLI to see things in action:


So here is the initial configuration for all customer routers:



R4
===

!
en
!
conf t
!
no ip do lo
!
int lo0
 ip add 4.4.4.4 255.255.255.255
 exit
!
int f0/0
 ip add 14.14.14.4 255.255.255.0
 no shut
 exit
!
end
wr
!

####################################

R5
===

!
en
!
conf t
!
no ip do lo
!
int lo0
 ip add 5.5.5.5 255.255.255.255
 exit
!
int f0/0
 ip add 15.15.15.5 255.255.255.0
 no shut
 exit
!
int f1/0
 ip add 58.58.58.5 255.255.255.0
 no shut 
 exit
!
end
!
wr
!

####################################

R8
===

!
en
!
conf t
!
no ip do lo
!
int lo0
 ip add 8.8.8.8 255.255.255.255
 exit
!
int f0/0
 ip add 18.18.18.8 255.255.255.0
 no sh
 exit
!
int f1/0
 ip add 58.58.58.8 255.255.255.0
 no sh
 exit
!
end
!
wr
!

####################################

R6
===

!
en
!
conf t
!
no ip do lo
!
int lo0
 ip add 6.6.6.6 255.255.255.255
 exit
!
int f0/0
 ip add 36.36.36.6 255.255.255.0
 no sh
 exit
!
end
!
wr
!

####################################


R7
===


!
en
!
conf t
!
no ip do lo
!
int lo0
 ip add 7.7.7.7 255.255.255.255
 exit
!
int f0/0
 ip add 37.37.37.7 255.255.255.0
 no sh
 exit
!
end
!
wr
!

####################################

Some quick verification, of course, never hurts ;-)


R4#sh ip int b | e una|do
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            14.14.14.4      YES manual up                    up
Loopback0                  4.4.4.4         YES manual up                    up


R5#sh ip int b | e una|do
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            15.15.15.5      YES manual up                    up
FastEthernet1/0            58.58.58.5      YES manual up                    up
Loopback0                  5.5.5.5         YES manual up                    up


R8#sh ip int b | e una|do
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            18.18.18.8      YES manual up                    up
FastEthernet1/0            58.58.58.8      YES manual up                    up
Loopback0                  8.8.8.8         YES manual up                    up

R6#sh ip int b | e una|do
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            36.36.36.6      YES manual up                    up
Loopback0                  6.6.6.6         YES manual up                    up

R7#sh ip int b | e una|do
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            37.37.37.7      YES manual up                    up
Loopback0                  7.7.7.7         YES manual up                    up

####################################

Let's roll out the connectivity from the ISP side now using VRFs.

R1
===

R1(config)#ip vrf BLUE
R1(config-vrf)#rd 500:1
R1(config-vrf)#route-target both 500:1
R1(config-vrf)#exit

R1(config)#int f1/0
R1(config-if)#ip add 14.14.14.1 255.255.255.0
R1(config-if)#ip vrf forwarding BLUE
% Interface FastEthernet1/0 IP address 14.14.14.1 removed due to enabling VRF BLUE

You see, the router removed the IP address from the interface, so we need to put it back.

R1(config-if)#ip add 14.14.14.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit

So the moral of the story: always check the IP address before putting a VRF on an interface. What I always do myself is run the command " sh run int " and then jump onto the interface and configure the VRF.

Let's ping R4 now :

R1#ping 14.14.14.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.14.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Oops... we still don't have connectivity. Really? ;-)

Actually, since the VRF is now configured on the interface, we need to run a VRF-aware ping:

R1#ping vrf BLUE 14.14.14.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.14.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/31/64 ms

Now what is RD & RT:



Let's configure VRF - RED now:

R1(config)#ip vrf RED
R1(config-vrf)#rd 500:2
R1(config-vrf)#route-target both 500:2
R1(config-vrf)#exit


R1(config)#int f2/0
R1(config-if)#ip vrf forwarding RED
R1(config-if)#ip add 15.15.15.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit


R1(config)#int f3/0
R1(config-if)#ip vrf forwarding RED
R1(config-if)#ip add 18.18.18.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit

Let's verify the connectivity:

R1#ping vrf RED 15.15.15.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/31/56 ms

R1#ping vrf RED 18.18.18.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.18.18.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/42/52 ms

Let's set up the rest of the VRFs quickly:

R3(config)#ip vrf RED
R3(config-vrf)#rd 500:2
R3(config-vrf)#route-target both 500:2
R3(config-vrf)#exit


R3(config)#int f1/0
R3(config-if)#ip vrf forwarding RED
R3(config-if)#ip add 36.36.36.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#end


R3#ping vrf RED 36.36.36.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 36.36.36.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/38/64 ms


R3(config)#ip vrf BLUE
R3(config-vrf)#rd 500:1
R3(config-vrf)#route-target both 500:1
R3(config-vrf)#exit


R3(config)#int f2/0
R3(config-if)#ip vrf forwarding BLUE
R3(config-if)#ip add 37.37.37.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#end


R3#ping vrf BLUE 37.37.37.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 37.37.37.7, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/41/80 ms
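
A small config audit for the two points made above, the BLUE/RED separation and the address that disappears when `ip vrf forwarding` is applied. This is an added example, not from the original post: the `parse` and `audit` names and the sample strings are constructed here, and the parser only understands the commands used in this post. It flags any route-target that one VRF exports and another imports, and any VRF interface left without an IP address.

```python
import itertools
import re

# Constructed sample: the VRF commands this post enters on R1, in config form.
SAMPLE_R1 = """\
ip vrf BLUE
 rd 500:1
 route-target both 500:1
ip vrf RED
 rd 500:2
 route-target both 500:2
interface FastEthernet1/0
 ip vrf forwarding BLUE
 ip address 14.14.14.1 255.255.255.0
interface FastEthernet2/0
 ip vrf forwarding RED
 ip address 15.15.15.1 255.255.255.0
"""
# Constructed faulty variant: RED also imports BLUE's RT, and f1/0 lost its address.
BROKEN = (SAMPLE_R1.replace("both 500:2", "both 500:2\n route-target import 500:1")
          .replace(" ip address 14.14.14.1 255.255.255.0\n", ""))

def parse(config):
    """Return ({vrf: {"import", "export"}}, {interface: {"vrf", "ip"}})."""
    vrfs, ifaces, cur = {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m[1], {"import": set(), "export": set()})
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"vrf": None, "ip": None})
        elif m := re.fullmatch(r"route-target (import|export|both) (\S+)", line):
            for side in (("import", "export") if m[1] == "both" else (m[1],)):
                cur[side].add(m[2])
        elif m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
            cur["vrf"] = m[1]
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            cur["ip"] = m[1]
    return vrfs, ifaces

def audit(config):
    """List findings that break VRF separation or leave a VRF interface unaddressed."""
    vrfs, ifaces = parse(config)
    # An RT exported by VRF a and imported by VRF b puts a's routes into b's table.
    findings = [f"{b} imports {rt} exported by {a}"
                for a, b in itertools.permutations(sorted(vrfs), 2)
                for rt in sorted(vrfs[a]["export"] & vrfs[b]["import"])]
    findings += [f"{name}: in VRF {i['vrf']} with no IP address"
                 for name, i in sorted(ifaces.items()) if i["vrf"] and not i["ip"]]
    return findings
```

`audit(SAMPLE_R1)` returns an empty list; `audit(BROKEN)` returns one finding for RED importing 500:1 and one for FastEthernet1/0.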


So far so good. We will set up VRF-aware IGP routing for VPN BLUE in the next post, along with BGP, MPBGP & redistribution.

Stay Tuned....

HTH...
Deepak Arora
Evil CCIE

2 comments:

Praveen said...

Thanks Deepak, every time you post something new to learn and so many people wait for your stuff. I would like to know why you make the P router an RR in your topology. It's a simple one, so I don't think it requires an RR to advertise IBGP routes to the next IBGP peer. Please, if I'm wrong, put your comment.

Anonymous said...

Is the next lab available? I don't see the tag. Correct me if I am wrong.