Tuesday, March 24, 2009

Mpls Lab #3: playing with MPLS VPN

Hi all,
after a week of serious hardware issues ;-( it's now time to start an MPLS VPN lab (see my previous post about the basic MPLS VPN lab)

Here, as usual, is the topology:



Main goals:

1) configure point-to-point links on all routers
2) configure ospf area 0 and area 1 on ISP routers
3) configure MP-BGP on isp routers using R7 and R8 as Route Reflectors
4) provide connectivity to CUST-A sites using BGP AS 64550 (enable multipath for the 2R12 site)
5) provide connectivity to CUST-B sites using OSPF area 0; the sites are also connected with a backup link (so configure a "sham" link)
6) configure ISP-1 and ISP-2 to originate a default route and some prefixes to the ISP (play with VRFs!)


Let's go through the tasks:
1) configure point-to-point links on all routers
nothing to say... just the usual IP address configuration

2) configure ospf area 0 and area 1 on ISP routers
it is worth preparing the OSPF areas for traffic engineering right away, by enabling opaque LSA flooding in the area ("mpls traffic-eng area")
e.g. on R8:

router ospf 1
 mpls ldp sync
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
 router-id 10.0.0.8
 log-adjacency-changes
 network 10.0.0.8 0.0.0.0 area 0
 network 172.16.0.10 0.0.0.0 area 1
 network 172.16.0.14 0.0.0.0 area 0
 network 172.16.0.21 0.0.0.0 area 0


note that you can specify only a single "mpls traffic-eng area" on most IOS images, although inter-area MPLS TE is possible, see RFC 4105.
Use the Cisco Feature Navigator to find an IOS image that supports "MPLS Traffic Engineering (TE) - Interarea Tunnels" for your platform.

3) configure MP-BGP on isp routers using R7 and R8 as Route Reflectors
don't forget to activate the neighbors under the vpnv4 address family (or you will pay for it with an hour of troubleshooting, trying to figure out why routes aren't propagated into the VRFs ;-) )

Pod1-R8#sh run | section include router bgp
router bgp 65000
 no synchronization
 bgp cluster-id 65000
 bgp log-neighbor-changes
 neighbor ISP peer-group
 neighbor ISP remote-as 65000
 neighbor ISP update-source Loopback0
 neighbor ISP route-reflector-client
 neighbor ISP send-community both
 neighbor ISP send-label
 neighbor 10.0.0.2 peer-group ISP
 neighbor 10.0.0.3 peer-group ISP
 neighbor 10.0.0.4 peer-group ISP
 neighbor 10.0.0.7 remote-as 65000
 neighbor 10.0.0.7 update-source Loopback0
 neighbor 10.0.0.7 send-community both
 neighbor 10.0.0.7 send-label
 no auto-summary
 !
 address-family vpnv4
  neighbor ISP send-community both
  neighbor ISP route-reflector-client
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.7 activate
  neighbor 10.0.0.7 send-community extended
 exit-address-family
!

The same configuration goes on R7. Note "bgp cluster-id 65000": both route reflectors share the same cluster-id, so a prefix reflected along RR7 -> RRC -> RR8 is recognised (by the CLUSTER_LIST) and not reflected again in a loop.

4) provide connectivity to CUST-A sites using BGP AS 64550 (enable multipath for the 2R12 site)
first create a VRF named "CUST-A" and add the physical or logical interfaces:
Pod1-R7#sh run | section inc vrf
ip vrf CUST-A
 rd 65000:11
 route-target export 65000:11
 route-target import 65000:11
 route-target import 65000:12
!
Pod1-R7#sh run int fa 0/1
!
interface FastEthernet0/1
 ip vrf forwarding CUST-A
 ip address 192.168.0.73 255.255.255.252
 duplex auto
 speed auto
end
!
!
Pod1-R2#sh run | sec inc vrf
ip vrf CUST-A
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
 route-target import 65000:12
!
Pod1-R2#sh run int fa 0/0
!
interface FastEthernet0/0
 ip vrf forwarding CUST-A
 ip address 192.168.0.65 255.255.255.252
 duplex auto
 speed auto
end
!
!
Pod1-R3#sh run | sec inc vrf CUST-A
ip vrf CUST-A
 rd 65000:12
 route-target export 65000:12
 route-target import 65000:12
 route-target import 65000:10
 route-target import 65000:11
!
Pod1-R3#sh run int fa 0/0
!
interface FastEthernet0/0
 description R3 <-> 2R11 CUST-A
 ip vrf forwarding CUST-A
 ip address 192.168.0.69 255.255.255.252
 duplex auto
 speed auto
end
To avoid loops, I have set different RDs on the three PEs, importing only the RD(s) of the other CE side...
You must also enable as-override on the PE routers R7, R2 and R3, otherwise the customer A routers reject prefixes that carry their own AS number in the AS path.
Pod1-R2#sh run | sec inc router bgp
router bgp 65000
 address-family ipv4 vrf CUST-A
  neighbor 192.168.0.66 remote-as 64550
  neighbor 192.168.0.66 activate
  neighbor 192.168.0.66 send-community both
  neighbor 192.168.0.66 as-override
  maximum-paths eibgp 2
  no synchronization
 exit-address-family

The use of maximum-paths on PE routers is a little tricky; read the "BGP Multipath Load Sharing for Both eBGP and iBGP in an MPLS-VPN" document on the Cisco site.
You can enable maximum-paths only under the IPv4 VRF address family, and a route reflector forwards only one best path per VPNv4 NLRI (RD + prefix). Using a different RD on each PE makes the two paths to the same customer prefix distinct VPNv4 prefixes, so both are propagated through the RR and the importing PE can load-share over them.
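To make the interplay between RD, route-target and the reflector's best-path selection concrete, here is an added Python simulation; it is not code from the original post or from any Cisco tool. It reuses the RDs and route-targets of the three CUST-A VRFs above, while the CE prefix 10.1.0.0/24, the numeric preference standing in for the BGP best-path decision and the use of the PE loopbacks as next hops are constructed assumptions. With a distinct RD per PE the reflector hands R3 both paths to the dual-homed site, so "maximum-paths eibgp 2" has something to load-share over; with one shared RD the reflector keeps a single best path and the second one never reaches R3.

```python
"""VPNv4 route propagation through a route reflector, with RD and RT filtering.

Added example, not code from the original post: it models how a route
reflector keeps one best path per VPNv4 NLRI (RD + prefix) and how a PE
filters reflected routes by route-target before installing them in a VRF.
RDs and RTs follow the CUST-A configuration; the CE prefix, the preference
number standing in for the BGP best-path decision and the use of PE
loopbacks as next hops are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                  # route distinguisher, e.g. "65000:10"
    prefix: str              # IPv4 prefix learned from the CE
    next_hop: str            # loopback of the originating PE
    rts: FrozenSet[str]      # route-target extended communities set on export
    pref: int                # stand-in for best-path tie-breaking (higher wins)

    @property
    def nlri(self) -> Tuple[str, str]:
        # A BGP speaker compares paths per RD + prefix, not per prefix alone.
        return (self.rd, self.prefix)


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: str
    import_rts: Set[str]
    table: Dict[str, List[Vpnv4Route]] = field(default_factory=dict)


def pe_export(pe_loopback: str, vrf: Vrf, prefix: str, pref: int) -> Vpnv4Route:
    """Turn a CE prefix into a VPNv4 route: prepend the VRF's RD, attach its export RT."""
    return Vpnv4Route(vrf.rd, prefix, pe_loopback, frozenset({vrf.export_rt}), pref)


def route_reflector(routes: List[Vpnv4Route]) -> List[Vpnv4Route]:
    """Reflect one best path per NLRI, as any BGP speaker does without add-path."""
    best: Dict[Tuple[str, str], Vpnv4Route] = {}
    for r in routes:
        cur = best.get(r.nlri)
        if cur is None or r.pref > cur.pref:
            best[r.nlri] = r
    return list(best.values())


def pe_import(vrf: Vrf, reflected: List[Vpnv4Route], max_paths: int = 1) -> Dict[str, List[Vpnv4Route]]:
    """Install reflected routes whose RT matches the VRF import list, max_paths per prefix."""
    vrf.table = {}
    for r in reflected:
        if not (r.rts & vrf.import_rts):
            continue                      # no matching RT: the route never enters this VRF
        paths = vrf.table.setdefault(r.prefix, [])
        paths.append(r)
        paths.sort(key=lambda p: -p.pref)
        del paths[max_paths:]             # "maximum-paths eibgp N" keeps the N best
    return vrf.table


def paths_seen_by_r3(distinct_rds: bool) -> List[str]:
    """Next hops R3 installs for the dual-homed site behind R7 and R2."""
    r7 = Vrf("CUST-A@R7", "65000:11", "65000:11", {"65000:11", "65000:12"})
    r2 = Vrf("CUST-A@R2", "65000:10" if distinct_rds else "65000:11", "65000:10", {"65000:10", "65000:12"})
    r3 = Vrf("CUST-A@R3", "65000:12", "65000:12", {"65000:12", "65000:10", "65000:11"})
    site_prefix = "10.1.0.0/24"           # constructed CE prefix for site 2R12
    advertised = [pe_export("10.0.0.7", r7, site_prefix, pref=100),
                  pe_export("10.0.0.2", r2, site_prefix, pref=90)]
    pe_import(r3, route_reflector(advertised), max_paths=2)   # maximum-paths eibgp 2 on R3
    return sorted(p.next_hop for p in r3.table.get(site_prefix, []))


if __name__ == "__main__":
    print("distinct RDs:", paths_seen_by_r3(True))   # both PEs: ['10.0.0.2', '10.0.0.7']
    print("shared RD:   ", paths_seen_by_r3(False))  # only one path survives the RR: ['10.0.0.7']
```

The model deliberately leaves out everything else in the best-path algorithm; the point is only that the reflector's selection key is the NLRI, which is why the RD choice decides whether the second path survives.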

5) provide connectivity to CUST-B sites using OSPF area 0; the sites are also connected with a backup link (so configure a sham link through the MPLS VPN)
The sham link is clearly explained in the "OSPF Sham-Link Support for MPLS VPN" document.

When you configure OSPF area 0 for CUST-B you will notice a routing table like this:
Pod2-R10#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
O 10.0.10.0/24 [110/2] via 10.0.0.9, 00:00:08, Vlan20
C 10.0.0.8/30 is directly connected, Vlan20
O 10.0.0.0/30 [110/2] via 10.0.0.9, 00:00:08, Vlan20
C 10.0.0.4/30 is directly connected, Vlan25
C 10.0.30.0/30 is directly connected, Loopback0
O 10.0.20.0/24 [110/2] via 10.0.0.9, 00:00:09, Vlan20
C 10.0.40.0/30 is directly connected, Loopback1

This is exactly the unwanted routing table: the two CUST-B routers are using the backup "direct" link instead of the provider's MPLS VPN. The reason is that OSPF prefers an intra-area route (the one learned over the backup link) to the inter-area route the PE advertises from the MPLS backbone, whatever the cost; the sham link makes the backbone path an intra-area link too, so the cost decides again.
On both PEs you have to configure a loopback in the VRF with a /32 address and advertise it only in MP-BGP (not into OSPF), then you can configure the OSPF "sham link" and the OSPF costs.

the final configuration on the PE routers is:
Pod1-R3#sh run
!
interface Loopback100
 ip vrf forwarding CUST-B
 ip address 10.0.0.13 255.255.255.255
end
!
router ospf 100 vrf CUST-B
 router-id 10.0.0.5
 log-adjacency-changes
 area 0 sham-link 10.0.0.13 10.0.0.14 cost 20
 redistribute bgp 65000 metric 10 subnets
 network 10.0.0.5 0.0.0.0 area 0
!
router bgp 65000
 address-family ipv4 vrf CUST-B
  redistribute ospf 100 vrf CUST-B
  no synchronization
  network 10.0.0.13 mask 255.255.255.255
!
!
Pod1-R2#sh run
!
interface Loopback100
 ip vrf forwarding CUST-B
 ip address 10.0.0.14 255.255.255.255
end
!
router ospf 100 vrf CUST-B
 router-id 10.0.0.1
 log-adjacency-changes
 area 0 sham-link 10.0.0.14 10.0.0.13 cost 20
 redistribute bgp 65000 metric 10 subnets
 network 10.0.0.1 0.0.0.0 area 0
!
router bgp 65000
 address-family ipv4 vrf CUST-B
  redistribute ospf 100 vrf CUST-B
  no synchronization
  network 10.0.0.14 mask 255.255.255.255
!

You must also configure a higher OSPF cost on the backup link than the total cost of the path over the sham link, otherwise the backup link is still preferred; with the sham link in place both paths are intra-area and the lower cost wins.
Pod2-R10#sh ip route | beg Gate
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
O 10.0.10.0/24 [110/23] via 10.0.0.5, 00:12:04, Vlan25
C 10.0.0.8/30 is directly connected, Vlan20
O E2 10.0.0.14/32 [110/10] via 10.0.0.5, 00:12:04, Vlan25
O E2 10.0.0.13/32 [110/10] via 10.0.0.5, 00:12:04, Vlan25
O 10.0.0.0/30 [110/22] via 10.0.0.5, 00:12:04, Vlan25
C 10.0.0.4/30 is directly connected, Vlan25
C 10.0.30.0/30 is directly connected, Loopback0
O 10.0.20.0/24 [110/23] via 10.0.0.5, 00:12:04, Vlan25
C 10.0.40.0/30 is directly connected, Loopback1
Pod2-R10#
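The two routing tables above follow from one OSPF rule: an intra-area route beats an inter-area route whatever its cost, and only among routes of the same type does the lowest cost win. The following added Python model (not code from the original post) reproduces R10's choice for the remote LAN 10.0.10.0/24 under the three situations the post goes through: no sham link, sham link with a cheap backup link, and sham link with the backup cost raised. The cost 1 CE links and the sham-link cost 20 follow the configuration above; the backup-link costs tried, the node names and the cost 11 assumed for the inter-area route the PE would advertise when no intra-area path exists (1 to R3 plus "redistribute bgp 65000 metric 10") are constructed.

```python
"""OSPF route selection on CUST-B router R10, with and without a sham link.

Added example, not code from the original post. Rule modelled: an intra-area
route is preferred over an inter-area route regardless of cost; only among
routes of the same type does the lowest cost win. Link costs of 1 for the
CE-PE and CE LAN links and 20 for the sham link follow the configuration
above; the backup-link costs tried and the cost of the inter-area fallback
are constructed assumptions.
"""
import heapq
from itertools import count
from typing import Dict, List, Optional, Tuple

INTRA, INTER = 1, 2          # lower value = more preferred OSPF route type
REMOTE_LAN = "10.0.10.0/24"  # prefix shown in the routing tables above


def build_area0(backup_cost: Optional[int], sham_link: bool) -> Dict[str, List[Tuple[str, int]]]:
    """Intra-area links of CUST-B area 0. backup_cost=None means the backup link is down."""
    edges = [("R10", "R3", 1),          # CE R10 to PE R3 (Vlan25)
             ("R2", "CE2", 1),          # PE R2 to the remote CE
             ("CE2", REMOTE_LAN, 1)]    # remote CE to its LAN
    if backup_cost is not None:
        edges.append(("R10", "CE2", backup_cost))   # direct backup link (Vlan20)
    if sham_link:
        edges.append(("R3", "R2", 20))  # sham link: an intra-area link across the backbone
    links: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, c in edges:
        links.setdefault(a, []).append((b, c))
        links.setdefault(b, []).append((a, c))
    return links


def dijkstra(links: Dict[str, List[Tuple[str, int]]], src: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Shortest paths from src; returns {node: (cost, first_hop)}."""
    dist: Dict[str, Tuple[int, Optional[str]]] = {src: (0, None)}
    tie = count()                        # keeps heap entries comparable on equal cost
    heap = [(0, next(tie), src, None)]
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if cost > dist[node][0]:
            continue                     # stale entry
        for nbr, c in links.get(node, []):
            nc = cost + c
            fh = nbr if first_hop is None else first_hop
            if nbr not in dist or nc < dist[nbr][0]:
                dist[nbr] = (nc, fh)
                heapq.heappush(heap, (nc, next(tie), nbr, fh))
    return dist


def r10_route(backup_cost: Optional[int], sham_link: bool, inter_area_cost: int = 11) -> Tuple[int, int, str]:
    """(route type, cost, next hop) that R10 installs for REMOTE_LAN.

    The inter-area candidate stands for the route the PE advertises into the VRF
    OSPF instance from MP-BGP; its cost (1 to R3 + 'redistribute bgp 65000 metric 10')
    is an assumption, and it is only used when no intra-area path exists.
    """
    intra = dijkstra(build_area0(backup_cost, sham_link), "R10")
    if REMOTE_LAN in intra:
        cost, first_hop = intra[REMOTE_LAN]
        return (INTRA, cost, first_hop)
    return (INTER, inter_area_cost, "R3")


if __name__ == "__main__":
    print("no sham link, backup cost 1:", r10_route(1, False))    # (1, 2, 'CE2'): the unwanted table
    print("sham link, backup cost 1:   ", r10_route(1, True))     # (1, 2, 'CE2'): still the backup link
    print("sham link, backup cost 30:  ", r10_route(30, True))    # (1, 23, 'R3'): matches [110/23]
    print("backup down, no sham link:  ", r10_route(None, False)) # (2, 11, 'R3'): inter-area fallback
```

The second case is the one worth remembering: the sham link alone does not move traffic onto the provider network, because with the backup link at cost 1 the intra-area path over it (cost 2) is still cheaper than the intra-area path over the sham link (1 + 20 + 1 + 1 = 23, the value R10 shows as [110/23] above).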


Note that on the PE you will see the sham link with:

Pod1-R3#sh ip ospf sham-links
Sham Link OSPF_SL1 to address 10.0.0.14 is up
Area 0 source address 10.0.0.13
Run as demand circuit
DoNotAge LSA allowed. Cost of using 20 State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Hello due in 00:00:04
Adjacency State FULL (Hello suppressed)
Index 2/2, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec

Pod1-R3#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.0.0.8 1 FULL/BDR 00:00:34 172.16.0.10 Vlan8
10.0.0.2 1 FULL/BDR 00:00:39 172.16.0.5 Vlan6
10.0.0.1 0 FULL/ - - 10.0.0.14 OSPF_SL1
10.0.30.1 1 FULL/BDR 00:00:36 10.0.0.6 FastEthernet0/1



6) configure ISP-1 and ISP-2 to originate a default route and some prefixes to the ISP (play with VRFs!)
For this last task, I preferred to configure different RDs for the ISP-1 and ISP-2 links, then I imported them into the various customer VRFs.

1 comment:

pierky said...

Hi, nice post, and nice blog too!
I'll take a closer look tonight...