Today let's continue with the Third Part of our MPLS VPN Series. Today we will be spending some time building the Edge Of The Network.
Let't take a close look at the topology:
We are going to build Two VPNs here. One will be called as VPN - BLUE and other as VPN - RED. Each VPN will represent one Customer and as ISP we don't want that. So we need to ensure that VPN - BLUE routes can't be seen by VPN - RED and vice versa.
To meet this requirement, MPLS supports a feature known as VRF (Virtual Routing & Forwarding). Each VRF is just like a Virtual Instance which by default doesn't talk to other VRF. This also allows customers to use over lapping network addresses.
So let's hope on to CLI to see things in action:
So here is the initial configuration for all customer routers:
Let't take a close look at the topology:
We are going to build Two VPNs here. One will be called as VPN - BLUE and other as VPN - RED. Each VPN will represent one Customer and as ISP we don't want that. So we need to ensure that VPN - BLUE routes can't be seen by VPN - RED and vice versa.
To meet this requirement, MPLS supports a feature known as VRF (Virtual Routing & Forwarding). Each VRF is just like a Virtual Instance which by default doesn't talk to other VRF. This also allows customers to use over lapping network addresses.
So let's hope on to CLI to see things in action:
So here is the initial configuration for all customer routers:
R4
===
!
en
!
conf t
!
no ip do lo
!
int lo0
ip add 4.4.4.4 255.255.255.255
exit
!
int f0/0
ip add 14.14.14.4 255.255.255.0
no shut
exit
!
end
wr
!
####################################
R5
===
!
en
!
conf t
!
no ip do lo
!
int lo0
ip add 5.5.5.5 255.255.255.255
exit
!
int f0/0
ip add 15.15.15.5 255.255.255.0
no shut
exit
!
int f1/0
ip add 58.58.58.5 255.255.255.0
no shut
exit
!
end
!
wr
!
####################################
R8
===
!
en
!
conf t
!
no ip do lo
!
int lo0
ip add 8.8.8.8 255.255.255.255
exit
!
int f0/0
ip add 18.18.18.8 255.255.255.0
no sh
exit
!
int f1/0
ip add 58.58.58.8 255.255.255.0
no sh
exit
!
end
!
wr
!
####################################
R6
===
!
en
!
conf t
!
no ip do lo
!
int lo0
ip add 6.6.6.6 255.255.255.255
exit
!
int f0/0
ip add 36.36.36.6 255.255.255.0
no sh
exit
!
end
!
wr
!
####################################
R7
===
!
en
!
conf t
!
no ip do lo
!
int lo0
ip add 7.7.7.7 255.255.255.255
exit
!
int f0/0
ip add 37.37.37.7 255.255.255.0
no sh
exit
!
end
!
wr
!
####################################
Some quick verification, Of course Never hurts ;-)
R4#sh ip int b | e una|do
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 14.14.14.4 YES manual up up
Loopback0 4.4.4.4 YES manual up up
R5#sh ip int b | e una|do
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 15.15.15.5 YES manual up up
FastEthernet1/0 58.58.58.5 YES manual up up
Loopback0 5.5.5.5 YES manual up up
R8#sh ip int b | e una|do
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 18.18.18.8 YES manual up up
FastEthernet1/0 58.58.58.8 YES manual up up
Loopback0 8.8.8.8 YES manual up up
R6#sh ip int b | e una|do
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 36.36.36.6 YES manual up up
Loopback0 6.6.6.6 YES manual up up
R7#sh ip int b | e una|do
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 37.37.37.7 YES manual up up
Loopback0 7.7.7.7 YES manual up up
####################################
Let's roll out the connectivity from ISP side now using VRFs.
R1
===
R1(config)#ip vrf BLUE
R1(config-vrf)#rd 500:1
R1(config-vrf)#route-target both 500:1
R1(config-vrf)#exit
R1(config)#int f1/0
R1(config-if)#ip add 14.14.14.1 255.255.255.0
R1(config-if)#ip vrf forwarding BLUE
% Interface FastEthernet1/0 IP address 14.14.14.1 removed due to enabling VRF BLUE
You see, router removed the IP Address from the interface. So we need to put it back.
R1(config-if)#ip add 14.14.14.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
So moral of story : Always check the IP Address before putting VRF on interface. What I always do myself is to run command " sh run int " and than I jump on interface and configure VRF.
Let's ping R4 now :
R1#ping 14.14.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.14.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Oops...We still don't have connectivity. Really ? ;-)
Actually since now VRF is configured on interface now, we need to run VRF aware ping now:
R1#ping vrf BLUE 14.14.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 14.14.14.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/31/64 ms
Now what is RD & RT:
Let's configure VRF - RED now:
R1(config)#ip vrf RED
R1(config-vrf)#rd 500:2
R1(config-vrf)#route-target both 500:2
R1(config-vrf)#exit
R1(config)#int f2/0
R1(config-if)#ip vrf forwarding RED
R1(config-if)#ip add 15.15.15.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int f3/0
R1(config-if)#ip vrf forwarding RED
R1(config-if)#ip add 18.18.18.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
Let's verify the connectivity:
R1#ping vrf RED 15.15.15.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.15.15.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/31/56 ms
R1#ping vrf RED 18.18.18.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.18.18.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/42/52 ms
Let's setup rest of VRFs quickly:
R3(config)#ip vrf RED
R3(config-vrf)#rd 500:2
R3(config-vrf)#route-target both 500:2
R3(config-vrf)#exit
R3(config)#int f1/0
R3(config-if)#ip vrf forwarding RED
R3(config-if)#ip add 36.36.36.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#end
R3#ping vrf RED 36.36.36.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 36.36.36.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/38/64 ms
R3(config)#ip vrf BLUE
R3(config-vrf)#rd 500:1
R3(config-vrf)#route-target both 500:1
R3(config-vrf)#exit
R3(config)#int f2/0
R3(config-if)#ip vrf forwarding BLUE
R3(config-if)#ip add 37.37.37.3 255.255.255.0
R3(config-if)#no sh
R3(config-if)#end
R3#ping vrf BLUE 37.37.37.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 37.37.37.7, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/41/80 ms
So far so good. We will setup VRF aware IGP routing for VPN BLUE in next Post along with BGP, MPBGP & Redistribution.
Stay Tuned....
HTH...
Deepak Arora
Evil CCIE
thanks Deepak every time u post something new to learn nd so many ppl wait for ur stuff............i would like to know why u make P router as RR in your topology its simple one so i don't think its require RR to advertise IBGP routes to next IBGP peer...................pls if m wrong put your comment
ReplyDeleteDoes the next lab is available.I dont see the tag.Correct me if i am wrong
ReplyDelete