Welcome to INE’s

P re s e nta tion of:

Introduction to MP LS VP Ns

www.ine .com
 Course Agenda
» Time: 9am to 3pm (PST) 12/17 and 12/18
» Breaks
» This class is being recorded.
» Q&A

Copyright © www.ine.com
 Welcome to INE’s
P re s e nta tion of:
Introduction to MP LS VP Ns

www.ine .com
 Course Prerequisites
» Prerequisite Knowledge
» Q&A
• [email protected]
• Twitter.com/keithbogart1

Copyright © www.ine.com
 Course Agenda
» Lab Components / Topology
» MPLS Basics – Review
» History of MPLS VPNs
» MPLS VPN Terminology
» Review of VRFs
» High-Level Walkthrough of MPLS VPNs
Copyright © www.ine.com
 Course Agenda (2)
» Usage of BGP within MPLS VPNs
» How MPLS VPNs utilize Labels
» Configuration
• Initializating the backbone with IGPs and BGP
• Enabling MPLS LDP
• Configuring and applying VRFs.
• Configuring Routing Protocols between CEs and PEs
» Additional MPLS VPN Features
• BGP Cost Attribute
• Site of Origin
Copyright © www.ine.com
 MPLS VPN
La b Compone nts

www.ine .com
 Lab Topology

Copyright © www.ine.com
MPLS Review

www.ine .com
 MPLS within the Enterprise

» Basic Requirements
• CEF on all routers
• IGP running on all routers
• Label Distribution Protocol (LDP) activated on
interfaces
Only one (1) la be l a pplie d to P DUs

Copyright © www.ine.com
 MPLS within the Enterprise - Benefits

» Hiding of Core Topology

» QoS Differentiation
» Shorter Forwarding Lookup Time

Copyright © www.ine.com
 MPLS within the Enterprise - Drawbacks

» Traffic directed to ISP (unlabeled) will be

treated best-effort.
» NAT required if private addressing between
customer sites.
» How to achieve privacy between locations
within the same company?

Copyright © www.ine.com
 MPLS VPNs
Ea rly His tory a nd Be ne fits

www.ine .com
 Early Years
» Customer Desires:
• Dedicated Links between sites
• Always Up
• Privacy (data won’t go to unexpected locations)
» How was it achieved?
• P2P Circuits
• Overlay VPNs
• Scaling the network = Cost Prohibitive
Copyright © www.ine.com
 Invention of MPLS VPNs
» Dedicated Links and “Always Up”
• MPLS VPN’s provide Permanent “Virtual” Circuits like
Frame-Relay…but using standard Internet connections.
» Privacy?
• MPLS VPNs encryption
• Privacy achieved via:
• Customer usage of Private IP addressing OR Duplicate IP
prefixes
• VRFs ensure nobody else’s traffic can reach customer sites.
Copyright © www.ine.com
 Benefits of MPLS VPNs
» Peer-to-Peer VPNs (not Overlay)
» No need to pay for both;
• Dedicated P2P Circuits between sites
• Separate Internet connections.
» Today’s physical links used for MPLS VPN
traffic typically much faster than dedicated P2P
links.
» Usage of MPLS QoS
Copyright © www.ine.com
MPLS VPN Terminology

www.ine .com
 MPLS VPN Terminology

» CE Routers
» PE Routers
» P Routers

Copyright © www.ine.com
VRFs – A Re vie w

www.ine .com
 VRFs…a review

»What they are.

»Why they are needed.
»How to configure them.
»IGPs and BGP must be explicitly
configured to run within VRFs.

Copyright © www.ine.com
MPLS VPN Functionality
Ove rvie w

www.ine .com
 MPLS VPN Functionality - Overview

4
CE-A1 P1 P3 CE-A2
VRF-A VRF-A
1
PE-1 PE-2
VRF-B
VRF-B
P2
CE-B1 CE-B2

Copyright © www.ine.com
 MPLS VPN Functionality – Overview (2)

5
CE-A1 P1 P3 CE-A2
VRF-A VRF-A

PE-1 PE-2
VRF-B
VRF-B
P2
CE-B1 CE-B2

Copyright © www.ine.com
 MPLS VPN Functionality – Overview (3)

Destination
Net-X
= Net-X 8
7
CE-A1 P1 P3 CE-A2
VRF-A VRF-A

PE-1 PE-2
VRF-B
VRF-B
P2
CE-B1 CE-B2

Copyright © www.ine.com
Usage of BGP within
MP LS VP Ns

www.ine .com
 BGP Route Propagation

» Normal BGP;
• Multiple paths to a prefix?
• Only best path advertised to BGP peers.
» MPLS VPNs = Identical prefixes re-used between
different customers (Public or Private)
» How to get BGP to see these as unique/different
prefixes?

Copyright © www.ine.com
 Route Distinguishers

» Route Distinguisher (RD) = Allow BGP to advertise

multiple instances of the same prefix to a peer.
» Value Prepended to IPv4/IPv6 route
» Resulting prefix (RD + IP prefix) = VPNv4 route.
» Each VRF must have a unique RD value.
» Now the same prefix (learned from different VRFs)
looks differently to BGP.
Copyright © www.ine.com
 Route Distinguishers -Functionality
» How it’s done?
• CE routes placed into VRF
• Redistributed into BGP as “VPNv4” routes (or VPNv6)
and appended with Route Distinguisher
• Now, each route looks different
• All VPNv4 prefixes advertised to all iBGP peers

Copyright © www.ine.com
 Route Distinguishers – Details & Configuration
» RD = 64-bits in length
» Configured as xx:yy within VRF
• XX can be either an IPv4 address or ASN
• YY is the VPN identifier (can be whatever you want)

Copyright © www.ine.com
 Receiving VPNv4 Prefixes

» PE routers that receive VPNv4 prefixes must not

place these into the global routing table but into
customer VRFs.
» When incoming BGP VPNv4 route received, to
which VRF does it belong?
• RD removed to reveal IPv4 or IPv6 prefix.
• BGP update inspected for presence of BGP Communities

Copyright © www.ine.com
 Which VRF?

» MPLS VPNs utilize special, reserved Extended

BGP Communities
» These Extended Communities are matched up
with the VRFs to which they belong (are
imported).
» These Extended Communities are known as
“Route Targets”.
Copyright © www.ine.com
 BGP Standard Communities – A Review
» Numerical value (i.e. “tag”) applied via configuration to a BGP
update.
» Not used in Best-Path Selection.
» Standard communities
• 32-bits
• Some numbers pre-defined as well-known
• Most numbers are not defined…up to you.

Copyright © www.ine.com
 BGP Extended Communities
» MPLS VPNs make extensive use of Extended
Communities
» Extended Communities = 64-bits long
• Typically used for special purposes and have well-known, reserved
meanings.
» First byte within Extended Community is like a type-code.
• MPLS VPN routers (PE routers) look for Extended Communities identified as
“Route Target” by the “type” value within the community.
• Other Extended Communities used within MPLS VPNS for special purposes,
like to prevent routing loops, etc.
Copyright © www.ine.com
 Export and Import

» Route Targets (RT) used by BGP within MPLS VPNs to

ensure routes placed into appropriate VPNs (VRFs).
» Manually configured
» BGP must be configured to know:
• What Route Target value to append to an outgoing iBGP
update? = EXPORT RT
• What Route Target to look for when receiving incoming iBGP
update to match to a VRF? = IMPORT RT

Copyright © www.ine.com
 Import and Export Association

PE-1

PE-2

Copyright © www.ine.com
 VRF Configuration Summary
» Route Distinguishers must be configured to
allow BGP process on router to advertise
VPNv4 prefixes
» Route Targets must also be configured to:
• Match incoming VPNv4 routes to appropriate VRF
(import)
• Append to outgoing VPNv4 routes so remote BGP peer
can match these routes to correct VPN (i.e. VRF)
(export)
Copyright © www.ine.com
 VRF Verification Commands
» Show ip vrf
» Show ip vrf detail
» Show ip vrf interfaces
» Show ip protocols vrf <name>
» Show ip route vrf <name>

Copyright © www.ine.com
How does MPLS fit into
MP LS VP Ns ?

www.ine .com
 Why do we need Labels?

» MPLS needed for several critical reasons:

• Allows packets received on VRF-enabled interfaces to be
forwarded on non-VRF interfaces.
• Allows flexibility in IP addressing of Customer Sites.
• Provides capability of PE router that receives the IP packets
to match them up to correct VRF.
• Can distinguish MPLS traffic from normal IP (internet) traffic
and provide differentiated services.

Copyright © www.ine.com
 Labeling Traffic
» Two-label stack
• Outer Label (LDP-generated)
• Inner Label (VPN Label; BGP-generated)
» Critical: PE routers must be able to reach each
other via:
• IGP
• LDP
» PHP still occurs with MPLS VPNs
Copyright © www.ine.com
Configuring the MPLS
Ba ckbone

www.ine .com
 Configuring the MPLS Backbone

» Ensure CEF is running on all SP routers.

» Configure IGP between all SP routers.
• Confirm IGP Peering
• Confirm IGP Route Distribution

» Enable MPLS (LDP) on appropriate links.

• Confirm LDP peering
• Confirm Label Advertisement

Copyright © www.ine.com
 MPLS VPNs:
Configuring BGP

www.ine .com
 Initial BGP Configuration Tasks

» BGP can be used on PE routers to perform three

separate tasks, only ONE of which is mandatory
for MPLS VPNs:
• Exchanging VPNv4 prefixes between PE routers
(mandatory)
• Exchanging IPv4/v6 prefixes (i.e. Internet routes)
between PE routers (Optional)
• Exchanging IPv4/v6 prefixes with CE routers (Optional)
Copyright © www.ine.com
 BGP Configuration Steps
» Step-1: Configure iBGP peering between PE
routers.
• Optional: “no bgp default ipv4-unicast”
» Step-2: Configure appropriate “address-family”
modes within BGP process.
• Address-family vpnv4
• Address-family ipv4 vrf <name>

Copyright © www.ine.com
 BGP: Address-Family VPNv4
» BGP peers must negotiate capabilities
• BGP Open message used for this.
» VPNv4 NLRI not a capability by default.
Router bgp 1234
!
address-family vpnv4
neighbor x.x.x.x activate
neighbor x.x.x.x next-hop-self (optional)
neighbor x.x.x.x send-community [standard | extended | both] (optional)

Copyright © www.ine.com
BGP: Address-Family IP VRF
» BGP will not advertise IGP routes in VRFs by default
» Must redistribute IGP VRF routes into BGP
» VRF must have an RD in order to:
• Allow redistribution into BGP
• Create VPNv4 prefixes.
Router bgp 1234
!
address-family ipv4 vrf <name>
redistribute <igp protocol>
or…
network x.x.x.x mask y.y.y.y
neighbor <CE IP address> activate (only for eBGP CE peers)
Copyright © www.ine.com
 Configuring Routing
be twe e n CE a nd P E route rs
(S ta tic Routing)

www.ine .com
 PE to CE reachability: Static Routes

» ip rout e vrf <name> x.x.x.x y.y.y.y 1.1.1.1

» Show ip rout e vrf <name> st at ic

Router bgp <asn>
!
address-family ipv4 vrf <name>
redistribute static
Copyright © www.ine.com
 Providing Global Internet Connectivity to CE
» There may be times when a single CE-to-PE
connection needs to provide both MPLS VPN
connectivity as well as Global Internet Connectivity.
» CE needs a globally unique, routable address.
• Can still maintain private networks through use of NAT on CE
side.
» Must inject default, global route into VRF
» Must ensure global internet has route to return
traffic.
Copyright © www.ine.com
Global Routing and MPLS VPN
2.2.2.1 VRF-A
3.3.3.3
2.2.0.0/16 Fast0/0
CE-A1 3.3.3.1 Internet
2.2.2.2 PE-1
EIGRP 100 OSPF 1

ip route vrf VRF-A 0.0.0.0 0.0.0.0 3.3.3.1 global

ip route 2.2.0.0 255.255.0.0 FastEthernet0/0 2.2.2.1
!
Router eigrp 100
address-family ipv4 vrf VRF-A autonomous-system 100
network 2.0.0.0
redistribute static metric 10000 1 255 1 1500
!
Router ospf 1
network 3.3.3.0 0.0.0.255 area 0
redistribute static subnets
Copyright © www.ine.com
 Configuring Routing
be twe e n CE a nd P E route rs
(RIP )

www.ine .com
 Routing between PE and CE: RIP

» Only RIPv2 can be used.

» Must create an “address-family ipv4 vrf” within RIP
process.
» Must redistribute BGP into RIP
» iBGP carries RIP metric inside BGP MED
• If end-to-end RIP, can specify “transparent” in redistribute
statement of RIP.
• Otherwise specify a metric in “redistribute bgp” command.
Copyright © www.ine.com
 Routing between PE and CE: RIP

Copyright © www.ine.com
 CE-to-PE using RIP: Verification
» Received RIP from CE?
• Show ip rip database vrf <name>
» Local VRF RIP routes injected into BGP table?
• Show ip bgp vpnv4 vrf <name>
» Remote PE router received those iBGP routes?
• Show ip bgp vpnv4 all
• Show ip bgp vpnv4 all <prefix/mask>
» Verifying the MPLS Label Stack:
• show ip cef vrf <name> <prefix>
Copyright © www.ine.com
 Configuring Routing
be twe e n CE a nd P E route rs
(EIGRP )

www.ine .com
 CE-to-PE Routing: EIGRP

» Must configure a global EIGRP process.

• This only used if EIGRP routing required on links participating
in global routing table.
» Address-family ipv4 vrf <name> autonomous-
system <number>
• Allows PE to have different EIGRP ASNs between different
customers.
• MUST supply ASN as part of address-family command.

Copyright © www.ine.com
 CE-to-PE Routing: EIGRP Metrics

» Still required to redistribute BGP into EIGRP address-

family mode.
• Must specify metrics in EIGRP “redistribute” command.
• If all customer sites running EIGRP, original CE EIGRP metrics
preserved in BGP communities.

Copyright © www.ine.com
 CE-to-PE Routing: EIGRP Verification

» show ip eigrp vrf <name> t opology <prefix>/ <mask>

» show ip eigrp vrf <name> neighbor
» show ip eigrp vrf <name> int erfaces

Copyright © www.ine.com
 Configuring Routing
be twe e n CE a nd P E route rs
(OS P F)

www.ine .com
 CE-to-PE Routing: OSPF Overview

» OSPF is not configured within an “address-

family” but rather the “vrf” keyword is part of the
OSPF Process.
» Redistributing OSPF into BGP process (ingress PE):
• “match” keyword important in redistribute statement
• BGP will only redistribute OSPF Intra-Area and Inter-Area
routes (i.e. “internal”) routes by default.

Copyright © www.ine.com
 Redistributing OSPF into BGP

Copyright © www.ine.com
 OSPF SuperBackbone!!!

» OSPF on PE router operates as a “SuperBackbone”

by default .

» The behavior of the Superbackbone gives PE

routers, special OSPF capabilities to preserve much
of OSPF’s functionality as a Link-State Protocol.

Copyright © www.ine.com
 Superbackbone - Functionality

» PE router redistributing iBGP back into OSPF…what

OSPF LSA type to create?
• BGP Extended Communities answer this question.
• Extended Communities carry original OSPF LSA type.
» PE router behaves like an ABR connected to Area-0
• PE router advertises itself (in Router LSA) as an ABR.
• This allows PE router to perform OSPF summarization or
filtering if needed as redistribution into iBGP occurs.

Copyright © www.ine.com
 Superbackbone – Functionality (2)

» Routes redistributed from BGP int o OSPF appear as

inter-area summary routes (Type-3 LSA) or as
external routes (based on their original LSA type) in
other areas.
• Route s from Are a 0 a t one s ite a ppe a r a s inte ra re a route s in
Are a 0 a t a nothe r s ite .
» OSPF Cost value copied into BGP MED.
» Extended Communities preserve other OSPF
information
Copyright © www.ine.com
 OSPF-to-iBGP and Extended Communities

» Extended Communities preserve other OSPF

information
• OSPF Domain-ID
• OSPF Route-Type
• OSPF Route-ID (of ingress PE router)

Copyright © www.ine.com
 OSPF Domain-ID Extended Community
» Derived from OSPF Process-ID
» Added to outbound iBGP update by ingress PE
router.
» Egress PE router compares value to its own
Domain-ID
• If different, all iBGP routes redistributed into OSPF as
Externals
• If the same, next BGP Community inspected.
Copyright © www.ine.com
 OSPF Route-Type Extended Community
» BGP Extended Community of “Route-Type”
provides the following information:
• Original OSPF area of received LSA
• OSPF LSA Type when received by ingress PE
• OSPF “Options” field.
• OSPF Router-ID of ingress PE router.

Copyright © www.ine.com
 OSPF Route-Type (Example)

Copyright © www.ine.com
 CE-to-PE OSPF: Verification
» All the normal ospf “show” commands but
remember to include the process-id (no need, or
support for, including any “VRF” keywords)
» If configured as: ip ospf 5 vrf Customer-A
» Then “show” commands would (examples);
• Show ip ospf 5 neighbor
• Show ip ospf 5 database
• etc
Copyright © www.ine.com
 Configuring Routing
be twe e n CE a nd P E route rs
(BGP )

www.ine .com
 CE-to-PE Routing: BGP

» Should be external BGP between CE and PE

» PE routers should use “next-hop-self” when
advertising CE-learned prefixes.
» Use “address-family ipv4 vrf <name>” on PE’s.
• Activate CE eBGP peer.
• Apply any other BGP features needed between CE and PE.

Copyright © www.ine.com
 CE-to-PE Routing: BGP Example

CE-A1 1.1.1.11 P1
VRF PE-1 PE-2 VRF-A CE-A2
BGP ASN 100 Customer BGP ASN 300
BGP ASN 1234
Loop0
133.133.133.3

Copyright © www.ine.com
 CE-to-PE Routing: BGP Verification

» Remember, CE is not a “normal” neighbor

configured beneath the regular global BGP
process.
• show ip bgp vpnv4 all neighbors
• show ip bgp vpnv4 vrf <name> summary
• show ip bgp vpnv4 <name> <prefix>/<mask>

Copyright © www.ine.com
 Preventing BGP/Routing DoS Attacks

» CE peer could try to overwhelm PE router

resources by sending hundreds-of-thousands-of-
prefixes.
» Two methods to prevent this:
• Set a max number of BGP prefixes allowed from peer
• Set a max number of routes allowed in VRF

Copyright © www.ine.com
 Limiting Incoming BGP Prefixes From CE

» neighbor ip-address maximum-prefix maximum

[threshold] [warning-only]
– Threshold specifies percentage of max before a syslog is
generated (default – 75%)
– If CE router exceeds the maximum…peering is destroyed.
– “Warning-only” prevents the killing of the peering but the
BGP table can still fillup.

Copyright © www.ine.com
 Establishing VRF Route Limits

» Per-VRF command:
(config-vrf)#maximum routes <limit> {warn-threshold | warn-only}

• The limit parameter is the route limit for the VRF.

• The warn-threshold parameter is the percentage value over which
a warning message is sent to syslog.
• The warn-only option creates a syslog error message when the
maximum number of routes exceeds the threshold.
• Syslog messages generated by this command are
rate-limited.
Copyright © www.ine.com
 BGP AS-Override

1.1.3.11

Rout er bgp 1234 Rout er bgp 1234

! !
Address-family ipv4 vrf Cust omer Address-family ipv4 vrf VRF-A
Neighbor 1.1.1.11 remot e-as 100 Neighbor 1.1.3.11 remot e-as 100
Neighbor 1.1.1.11 as-override Neighbor 1.1.3.11 as-override

Copyright © www.ine.com
Additional MPLS VPN Features:
BGP Cos t

www.ine .com
 BGP Cost Attribute

» Purpose: if multiple iBGP updates received carrying the

same prefix, this attribute can be used to select the
bestpath.
» Extended Community inserted into all EIGRP routes that
were redistributed into iBGP.
• Other protocols (eg RIP) may also have a cost value applied but
attribute must be manually-configured/inserted via a Route-Map.

(config-route-map)#set extcommunity cost <value>

Copyright © www.ine.com
 BGP Cost Attribute: Components
» Received iBGP prefix with lowest Cost selected as the
best path.
» This extended community has three sub-components
 POI (Point of Insertion)
 Community-ID
 Cost Value

Copyright © www.ine.com
 BGP Cost Attribute: Point of Insertion

» Value that indicates to receiving router at which point in

the BGP Best-Path Algorithm to process this attribute.
» iBGP automatically inserts the BGP Cost attribute into
VPNv4 routes carrying redistributed EIGRP prefixes.
• POI is set to “pre-bestpath” in this case
• This means the BGP Cost attribute must be evaluate
BEFORE the best-path selection algorithm.
• If Route-Map is used, default POI = IGP

Copyright © www.ine.com
 BGP Cost Attribute: Community-ID

» A value that allows the first level of manual

control.
» If two iBGP updates contain the same prefix
and same POI, the lowest Community-ID value
will win.
» For redistributed EIGRP routes, EIGRP internal
routes will be preferred over EIGRP external
routes.
Copyright © www.ine.com
 BGP Cost Attribute: Community-ID (2)
» When “cost” community is applied against an EIGRP
route (redistributed into VPNv4) the community-ID
numbers will be:
• 128 = EIGRP Internal
• 129 = EIGRP External
» For other IGPs which require manual configuration
of Cost via a Route-Map, you must manually specify
the community-ID.
• Value range is 0 – 255
Copyright © www.ine.com
 BGP Cost Attribute: Cost value
» If attribute was automatically applied to a
redistributed EIGRP route, then the cost-value
will contain the EIGRP Distance.
» Otherwise, if manually applied via a route-map,
you must specify what “cost value” you wish.
• Range of values: (0-4,294,967,295)

Copyright © www.ine.com
Additional MPLS VPN Features:
S ite of Origin (S oO)

www.ine .com
 Site of Origin (SoO)

» Purpose: To prevent potential routing loops.

» Updates received with matching SoO value on
VRF interface are filtered.
» SoO values need to be different on different PE
routers within the same VPN.

Copyright © www.ine.com
 Site of Origin (SoO) Configuration

Route-Map INE permit 10

Set extcommunity soo 200:2
!
Interface FastEthernet0/0
description Connects to CE-A1
ip vrf forwarding Customer
ip vrf sitemap INE

Copyright © www.ine.com
 Site of Origin – Verification (1)
» On PE: show ip bgp vpnv4 all <prefix>

Copyright © www.ine.com
 Site of Origin – Verification (2)
» On CE router: sho ip eigrp topology <prefix>/<mask>

Copyright © www.ine.com
Thank you!

www.ine .com