Basic VPN topology

Here is the simple VPN topology and its configuration.

Basically, it follows the steps given in “VPN steps”.

R0 and R6 are CE routers (customer ‘one’)

R1 and R7 are CE routers (customer ‘two’)

Customer ‘one’ is running OSPF and customer ‘two’ is running RIP between their sites.

Here R2 and R5 are PE routers.

R3 and R4 are P routers.

So, the basic configuration on R2 looks like this:

R2#show run
Building configuration…

<snip>

!

ip vrf one   <<<< for customer “one”

rd 1:1

route-target export 11:11

route-target import 11:11

!

ip vrf two  <<<< for customer “two”

rd 2:2

route-target export 12:12

route-target import 12:12

!!

interface FastEthernet0/0

ip vrf forwarding one

ip address 12.1.1.1 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

ip vrf forwarding two

ip address 12.1.2.1 255.255.255.0

duplex auto

speed auto

!!

router ospf 2 vrf one  <<<< OSPF instance for customer “one”

log-adjacency-changes

redistribute bgp 1 subnets  <<<< redistributing MPLS-iBGP routes that match the import RT of vrf one

network 12.1.1.0 0.0.0.255 area 0

!

router ospf 1   <<<<< OSPF instance — IGP inside MPLS core

log-adjacency-changes

network 2.2.2.2 0.0.0.0 area 0

network 10.1.0.0 0.0.255.255 area 0

!

router rip

!

address-family ipv4 vrf two   <<<< RIP protocol for customer “two”

redistribute bgp 1 metric 6   <<<< redistributing MPLS-iBGP routes that match the import RT of vrf two, with hop-count 6

network 12.0.0.0

no auto-summary

version 2

exit-address-family

!

router bgp 1

no synchronization

bgp log-neighbor-changes

neighbor 5.5.5.5 remote-as 1

neighbor 5.5.5.5 update-source Loopback0

no auto-summary

!

address-family vpnv4   <<<< Core SP (iBGP session with PE R5)

neighbor 5.5.5.5 activate

neighbor 5.5.5.5 send-community extended

exit-address-family

!

address-family ipv4 vrf two

redistribute rip  <<<< To redistribute vrf “two” RIP routes to iBGP

no synchronization

exit-address-family

!

address-family ipv4 vrf one

redistribute ospf 2 vrf one  <<<< To redistribute vrf “one” OSPF routes to iBGP

no synchronization

exit-address-family

!

mpls ldp router-id Loopback0 force

!

And on the other end, R5:

R5#show run

Building configuration…

<snip>

ip cef

no ip domain lookup

!

!

ip vrf one

rd 1:1

route-target export 11:11

route-target import 11:11

!

ip vrf two

rd 2:2

route-target export 12:12

route-target import 12:12

!

interface Loopback0

ip address 5.5.5.5 255.255.255.255

!

interface FastEthernet0/0

ip address 10.1.3.2 255.255.255.0

duplex auto

speed auto

mpls ip

!

interface FastEthernet0/1

ip address 10.1.4.2 255.255.255.0

duplex auto

speed auto

mpls ip

!

interface FastEthernet1/0

ip vrf forwarding one

ip address 13.1.2.1 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet2/0

ip vrf forwarding two

ip address 13.1.1.1 255.255.255.0

duplex auto

speed auto

!

router ospf 2 vrf one

log-adjacency-changes

redistribute bgp 1 subnets

network 13.1.2.0 0.0.0.255 area 0

!

router ospf 1

log-adjacency-changes

network 5.5.5.5 0.0.0.0 area 0

network 10.1.0.0 0.0.255.255 area 0

!

router rip

version 2

!

address-family ipv4 vrf two

redistribute bgp 1 metric 5

network 13.0.0.0

no auto-summary

version 2

exit-address-family

!

router bgp 1

no synchronization

bgp log-neighbor-changes

neighbor 2.2.2.2 remote-as 1

neighbor 2.2.2.2 update-source Loopback0

no auto-summary

!

address-family vpnv4

neighbor 2.2.2.2 activate

neighbor 2.2.2.2 send-community extended

exit-address-family

!

address-family ipv4 vrf two

redistribute rip

no synchronization

exit-address-family

!

address-family ipv4 vrf one

redistribute ospf 2 vrf one

no synchronization

exit-address-family

!

R5#
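
Separation between customer "one" and customer "two" in the two PE configs above depends on the route-target values being identical for each VRF on R2 and R5 and never imported across VRFs. The Python check below is an added example, not part of the original post; the function names and the PAGE_VRFS sample are constructed for illustration, and since a shared RT can be deliberate (extranet), findings are items to review.

```python
import re

# Constructed input: the VRF stanzas from the R2/R5 configs above.
PAGE_VRFS = """\
ip vrf one   <<<< for customer one
 rd 1:1
 route-target export 11:11
 route-target import 11:11
!
ip vrf two
 rd 2:2
 route-target export 12:12
 route-target import 12:12
!
interface FastEthernet0/0
 ip vrf forwarding one
"""

def parse_vrfs(cfg):
    """Map VRF name -> {'rd', 'import', 'export'} from IOS 'ip vrf' stanzas."""
    vrfs, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.split("<<<<")[0].strip()  # drop the page's inline annotations
        if not line:
            continue  # tolerate double-spaced config dumps
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m[1], {"rd": None, "import": set(), "export": set()})
        elif cur is not None and (m := re.fullmatch(r"rd (\S+)", line)):
            cur["rd"] = m[1]
        elif cur is not None and (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
            for side in (("import", "export") if m[1] == "both" else (m[1],)):
                cur[side].add(m[2])
        else:
            cur = None  # any other line ends the VRF stanza
    return vrfs

def audit(pes):
    """pes: {pe_name: config_text}. Returns a sorted list of finding tuples."""
    entries = [(pe, name, v) for pe, cfg in pes.items() for name, v in parse_vrfs(cfg).items()]
    findings = set()
    for pe_a, a, va in entries:
        for pe_b, b, vb in entries:
            if a == b and pe_a < pe_b and (va["import"] != vb["import"] or va["export"] != vb["export"]):
                findings.add(("rt-mismatch", a, f"{pe_a}/{pe_b}"))  # same VRF, different RTs per PE
            if a != b:
                for rt in va["import"] & vb["export"]:
                    findings.add(("cross-vrf-import", f"{a}<-{b}", rt))  # a receives b's routes
    return sorted(findings)
```

Feeding the full "show run" text of each PE works as well, since lines outside the "ip vrf" stanzas are ignored.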


The OSPF configuration on R0 and R6 and the RIP configuration on R1 and R7 are basic IGP configurations.

R6 can ping R0’s loopback IP via the VPN:

R6#ping 100.100.100.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/48/92 ms

R6#show ip ro

R6#show ip route 100.100.100.100

Routing entry for 100.100.100.100/32

Known via “ospf 1”, distance 110, metric 3, type inter area

Last update from 13.1.2.1 on FastEthernet0/0, 00:32:17 ago

Routing Descriptor Blocks:

* 13.1.2.1, from 13.1.2.1, 00:32:17 ago, via FastEthernet0/0

Route metric is 3, traffic share count is 1

R6#

Note that the OSPF routes are learned via Summary LSAs (type-3): as the other end also uses OSPF, its policy is mapped via extended communities and advertised back to OSPF as type-3.

If we redistribute from some other IGP into MP-iBGP and then back into OSPF, the prefixes are redistributed as type-5 (E2).

R7 can ping R1’s loopback IP via the VPN:

R7#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/57/156 ms

R7#

Generally, the SP might not have access to the CE routers, hence the PING test below is originated from PE router R2 to R7’s loopback IP:

R2#ping vrf two ip 7.7.7.7 repeat 10

Type escape sequence to abort.

Sending 10, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:

!!!!!!!!!!

Success rate is 100 percent (10/10), round-trip min/avg/max = 8/34/72 ms

R2#
