MPLS VPN Notes

MPLS VPN

  • Terminology:
    • CE router: router in the customer network (C-network) that peers with the service provider edge router (PE router) in the provider network (P-network).
  • P routers are completely unaware of VPNs; only the edge routers (PE) are aware.

  • VPN prefixes are propagated across the MPLS VPN network by MP-BGP (Multiprotocol BGP).
  • RD (route distinguisher) is a value used to distinguish identical routes from different customers. It is a 64-bit field and can be represented in ASN:nn or IP-address:nn format.
  • RD:customer route = VPNv4 prefix, which is a 96-bit field (64-bit RD + 32-bit IPv4 prefix).
  • A VRF can have only one RD configured.
  • RT (Route Target): one of the BGP extended communities, also 64-bit.
  • RTs are used via the export/import options:
    • All routes belonging to the VRF are propagated (after redistribution) as VPNv4 routes carrying all export RTs configured on that VRF.
    • A VPNv4 prefix is downloaded into a VRF (after the RD is stripped off) only if at least one of the RTs on the VPNv4 route matches a configured import RT.
    • Attaching a particular RT only to selected routes can be achieved using the “export-map” option.
    • The download of VPNv4 routes into the VRF table can be refined further using the “import-map” option: a route is downloaded only when one of its RTs matches the configured import RT *and* it is matched by the import map.
  • Prefixes are exchanged between CE and PE using any of the PE-CE routing protocols. These prefixes are carried across the MPLS network via MP-BGP to the PE routers at the other end. Hence, an iBGP session should be established between the two PE routers connecting the customer sites.
  • Inside the MPLS VPN network, the label stack has two labels:
    • Top label: IGP label distributed by LDP. Used to switch packets from the ingress PE to the egress PE.
    • VPN label: bottom label, distributed via MP-BGP. Used at the egress PE router to identify which VPN the packet belongs to.
  • If TE is implemented in the MPLS VPN network, three labels will be seen, the top label being the TE label propagated via RSVP.
  • RR behavior in MPLS VPN:
    • Reflects all VPNv4 routes to RR clients without any modification.
    • Should accept all VPNv4 prefixes (using RR groups, we can select which prefixes are accepted via an extended-community access list).
    • Should not be involved in forwarding traffic; it just reflects VPNv4 routes.
  • Use different RDs for the same customer if the customer is multihomed to two different PE routers and those two PE routers are connected to the same RR; with the same RD the RR would reflect only one best path for that VPNv4 prefix.
  • PE-CE routing protocols:
    • Static routes
    • RIPv2
    • OSPF
    • EIGRP
    • eBGP
  • PE1-CE1 routes are redistributed from the PE1-CE1 routing protocol into MP-BGP. On the other end, make sure to redistribute from MP-BGP into the PE2-CE2 routing protocol. Also follow the same steps for the PE2-CE2 prefixes so that two-way communication is possible.
  • Static routes:
    • “ip route vrf <name> <cust. n/w> <mask> <CE router interface IP>”
    • “redistribute static” under the BGP address-family ipv4 vrf.
  • RIPv2:
    • Under RIP configuration mode, use the “address-family ipv4 vrf <name>” command.
    • Redistribute RIP into BGP. The RIP metric is copied into the MP-BGP MED value.
  • OSPF:
    • Configure “router ospf <pid> vrf <name>” and configure a router-id.
    • Redistribute OSPF into the BGP address-family ipv4 vrf.
    • If the OSPF pid on the other end is the same as the one configured locally, local routes are distributed as inter-area routes (LSA type 3); otherwise as LSA type 5.
    • A “sham link” is used to make the MPLS path preferred when there is a backdoor link between the CE sites.
    • The down bit and the domain tag are used to prevent routing loops.
  • EIGRP:
    • Configure “router eigrp x” on the PE routers. Inside this configuration mode, configure the “address-family ipv4 vrf” command.
    • The AS number needs to be configured inside the address-family.
    • All metrics and the AS number are carried in EIGRP-specific BGP extended communities.
    • No “down bit” is required, as all metrics can be reproduced at the other CE site and the best path is chosen.
    • The cost of EIGRP routes traversing the MPLS VPN backbone is 0.
    • If the remote AS is the same as the AS in the VPNv4 route, EIGRP routes are reproduced as internal routes; otherwise as external routes.
    • SOO (site of origin) is used in EIGRP if required. Configure a route-map with the “set extcommunity soo” command and apply it on the interface using “ip vrf sitemap <route-map name>”.
  • BGP:
    • Only eBGP can be used as the CE-PE routing protocol.
    • eBGP routes are automatically redistributed into the MPLS core iBGP (MP-BGP) and vice versa.
    • SOO is used if required.
    • “allowas-in” is used on CE routers to accept BGP routes that carry their own AS in the AS_PATH.
      • It is also used on PE routers in the case of a hub-and-spoke topology.
    • The “as-override” option is used to replace the customer AS with the provider AS number. It needs to be used together with SOO to avoid looping/sub-optimal routing.
  • Hub-and-spoke topology:
    • All spoke routers should communicate with the hub router only.
    • No spoke-to-spoke communication.
    • The hub should communicate with all spokes.
    • The options used:
      • Two unique RTs:
        • One attached to spoke routes, so that only those routes are imported at the hub.
        • One attached to hub routes, so that only those routes are imported at the spokes.
      • A unique RD per spoke site. If two spoke sites connect to the same PE router, the RD is the only way to distinguish them.
    • Configure “allowas-in” on the PE router connecting to the hub site.
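As an added example (not from these notes), the Python below models the RD/RT handling described in the RD/RT bullets above and the two-RT hub-and-spoke scheme in this section: RDs are encoded in both ASN:nn and IP:nn form, a VPNv4 prefix is built as RD + IPv4 prefix, and a VRF only downloads a route when one of its RTs matches an import RT (with an optional import-map filter). All VRF names, RDs, RTs and prefixes are constructed for illustration.

```python
# Added example (not from the notes): RD/RT model; every name, RD, RT and prefix here is constructed.
import ipaddress
import struct

def encode_rd(rd):
    """Encode an RD written as ASN:nn (type 0) or A.B.C.D:nn (type 1) into its 8-byte form."""
    admin, assigned = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))

def vpnv4_prefix(rd, prefix):
    """64-bit RD + 32-bit IPv4 network address = the 96-bit VPNv4 prefix."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed

class Vrf:
    def __init__(self, name, rd, export_rts, import_rts, local=(), import_map=None):
        self.name, self.rd = name, rd
        self.export_rts, self.import_rts = set(export_rts), set(import_rts)
        self.local = set(local)        # prefixes learned from the CE side
        self.import_map = import_map   # optional extra filter, like an "import map"
        self.table = {}                # downloaded prefix -> originating VRF

    def export(self):
        """Every local route leaves as a VPNv4 route tagged with all of the export RTs."""
        return [{"nlri": vpnv4_prefix(self.rd, p), "prefix": p,
                 "rts": set(self.export_rts), "origin": self.name} for p in self.local]

    def import_route(self, route):
        """Download only if any RT on the route matches an import RT and the import map
        (if any) accepts it; the RD is stripped and the plain prefix enters the table."""
        if not (route["rts"] & self.import_rts):
            return False
        if self.import_map is not None and not self.import_map(route):
            return False
        self.table[route["prefix"]] = route["origin"]
        return True

def hub_and_spoke():
    """Two RTs: 65000:100 marks hub routes and 65000:200 marks spoke routes, so a
    spoke ever only downloads hub routes and never sees another spoke's prefixes."""
    hub = Vrf("hub", "65000:1", ["65000:100"], ["65000:200"], ["192.0.2.0/24"])
    spokes = [Vrf("spoke1", "65000:11", ["65000:200"], ["65000:100"], ["10.1.0.0/24"]),
              Vrf("spoke2", "65000:12", ["65000:200"], ["65000:100"], ["10.2.0.0/24"])]
    advertised = hub.export() + spokes[0].export() + spokes[1].export()
    for vrf in [hub] + spokes:           # unique RD per spoke keeps each NLRI distinct
        for route in advertised:
            if route["origin"] != vrf.name:
                vrf.import_route(route)
    return hub, spokes
```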
  • “ping vrf” / “traceroute vrf” commands.
  • Internet access for VPN sites:
    • Have two links between the CE and PE routers, one for the VPN and another for the Internet. The worst and costliest method.
    • Create a separate VPN for the Internet gateways and export the Internet routes with a particular RT. Customers who need Internet access can import this RT.
    • Use the global routing table in the PE routers for customer Internet access. Configure a static route in the VRF routing table pointing to the default gateway in the global routing table:
    • “ip route vrf <name> 0.0.0.0 0.0.0.0 <internet gateway> global”
  • VRF-lite:
    • VRF capability is extended to the CE routers.
    • The link towards the PE needs to be made a VRF interface, with the CE-PE routing protocol configured on it.
    • “capability vrf-lite” needs to be configured under the OSPF process on the CE router. When this command is enabled, the check on the down bit/domain tag is disabled.