-
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&TFirst Published: November 21, 2012
Last Modified: March 15, 2013
Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan
Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000 800
553-NETS (6387)Fax: 408 527-0883
-
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN
THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS,INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE
BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY
KIND,EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITEDWARRANTY FOR THE ACCOMPANYING
PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED
WITHTHE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF
YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED
WARRANTY,CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an
adaptation of a program developed by the University of California,
Berkeley (UCB) as part of UCB's public domain versionof the UNIX
operating system. All rights reserved. Copyright 1981, Regents of
the University of California.
NOTWITHSTANDINGANYOTHERWARRANTYHEREIN, ALL DOCUMENT FILES AND
SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS"WITH ALL
FAULTS.CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE
OFMERCHANTABILITY, FITNESS FORA PARTICULAR
PURPOSEANDNONINFRINGEMENTORARISING FROMACOURSEOFDEALING, USAGE, OR
TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY
INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUTLIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING
OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR
ITS SUPPLIERSHAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in
this document are not intended to be actual addresses and phone
numbers. Any examples, command display output, networktopology
diagrams, and other figures included in the document are shown for
illustrative purposes only. Any use of actual IP addresses or phone
numbers in illustrative content is unintentionaland
coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks
of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL:
http://www.cisco.com/go/trademarks. Third-party trademarks
mentioned are the property of their respective owners. The use of
the word partner does not imply a partnershiprelationship between
Cisco and any other company. (1110R)
2012-2013 Cisco Systems, Inc. All rights reserved.
-
C O N T E N T S
C H A P T E R 1 MPLS Virtual Private Networks 1
Finding Feature Information 1
Prerequisites for MPLS Virtual Private Networks 1
Restrictions for MPLS Virtual Private Networks 2
Information About MPLS Virtual Private Networks 4
MPLS Virtual Private Network Definition 4
How an MPLS Virtual Private Network Works 5
How Virtual Routing and Forwarding Tables Work in an MPLS
Virtual Private
Network 5
How VPN Routing Information Is Distributed in an MPLS Virtual
Private Network 6
MPLS Forwarding 6
Major Components of an MPLS Virtual Private Network 6
Benefits of an MPLS Virtual Private Network 7
How to Configure MPLS Virtual Private Networks 9
Configuring the Core Network 9
Assessing the Needs of MPLS Virtual Private Network Customers
9
Configuring MPLS in the Core 10
Connecting the MPLS Virtual Private Network Customers 10
Defining VRFs on the PE Devices to Enable Customer Connectivity
10
Configuring VRF Interfaces on PE Devices for Each VPN Customer
12
Configuring Routing Protocols Between the PE and CE Devices
13
Configuring RIPv2 as the Routing Protocol Between the PE and CE
Devices 13
Configuring Static Routes Between the PE and CE Devices 15
Verifying the Virtual Private Network Configuration 17
Verifying Connectivity Between MPLS Virtual Private Network
Sites 17
Verifying IP Connectivity from CE Device to CE Device Across the
MPLS Core 17
Verifying That the Local and Remote CE Devices Are in the PE
Routing Table 18
Configuration Examples for MPLS Virtual Private Networks 19
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T iii
-
Example: Configuring an MPLS Virtual Private Network Using RIP
19
Example: Configuring an MPLS Virtual Private Network Using
Static Routes 20
Additional References 21
Feature Information for MPLS Virtual Private Networks 22
C H A P T E R 2 Multiprotocol BGP MPLS VPN 23
Finding Feature Information 23
Prerequisites for Multiprotocol BGP MPLS VPN 23
Information About Multiprotocol BGP MPLS VPN 24
MPLS Virtual Private Network Definition 24
How an MPLS Virtual Private Network Works 25
How Virtual Routing and Forwarding Tables Work in an MPLS
Virtual Private
Network 25
How VPN Routing Information Is Distributed in an MPLS Virtual
Private
Network 26
BGP Distribution of VPN Routing Information 26
Major Components of an MPLS Virtual Private Network 27
How to Configure Multiprotocol BGP MPLS VPN 27
Configuring Multiprotocol BGP Connectivity on the PE Devices and
Route Reflectors 27
Troubleshooting Tips 29
Configuring BGP as the Routing Protocol Between the PE and CE
Devices 30
Verifying the Virtual Private Network Configuration 31
Verifying Connectivity Between MPLS Virtual Private Network
Sites 32
Verifying IP Connectivity from CE Device to CE Device Across the
MPLS Core 32
Verifying That the Local and Remote CE Devices Are in the PE
Routing Table 32
Configuration Examples for Multiprotocol BGP MPLS VPN 34
Example: Configuring an MPLS Virtual Private Network Using BGP
34
Additional References 35
Feature Information for Multiprotocol BGP MPLS VPN 35
C H A P T E R 3 MPLS VPN OSPF PE and CE Support 37
Finding Feature Information 37
Prerequisites for MPLS VPN OSPF PE and CE Support 37
Information About MPLS VPN OSPF PE and CE Support 38
Overview of MPLS VPN OSPF PE and CE Support 38
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&Tiv
Contents
-
How to Configure MPLS VPN OSPF PE and CE Support 38
Configuring OSPF as the Routing Protocol Between the PE and CE
Devices 38
Verifying Connectivity Between MPLS Virtual Private Network
Sites 40
Verifying IP Connectivity from CE Device to CE Device Across the
MPLS Core 40
Verifying That the Local and Remote CE Devices Are in the PE
Routing Table 41
Configuration Examples for MPLS VPN OSPF PE and CE Support
42
Example: Configuring an MPLS VPN Using OSPF 42
Additional References 43
Feature Information for MPLS VPN OSPF PE and CE Support 43
C H A P T E R 4 MPLS VPN Support for EIGRP Between PE and CE
45
Finding Feature Information 45
Prerequisites for MPLS VPN Support for EIGRP Between PE and CE
46
Information About MPLS VPN Support for EIGRP Between PE and CE
46
Overview of MPLS VPN Support for EIGRP Between PE and CE 46
How to Configure MPLS VPN Support for EIGRP Between PE and CE
46
Configuring EIGRP as the Routing Protocol Between the PE and CE
Devices 46
Configuring EIGRP Redistribution in the MPLS VPN 49
Verifying Connectivity Between MPLS Virtual Private Network
Sites 51
Verifying IP Connectivity from CE Device to CE Device Across the
MPLS Core 51
Verifying That the Local and Remote CE Devices Are in the PE
Routing Table 52
Configuration Examples for MPLS VPN Support for EIGRP Between PE
and CE 53
Example: Configuring an MPLS VPN Using EIGRP 53
Additional References 54
Feature Information for MPLS VPN Support for EIGRP Between PE
and CE 54
C H A P T E R 5 IPv6 VPN over MPLS 57
Finding Feature Information 57
Prerequisites for IPv6 VPN over MPLS 58
Restrictions for IPv6 VPN over MPLS 58
Information About IPv6 VPN over MPLS 58
IPv6 VPN over MPLS Overview 58
Addressing Considerations for IPv6 VPN over MPLS 59
Basic IPv6 VPN over MPLS Functionality 59
IPv6 VPN Architecture Overview 59
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T v
Contents
-
IPv6 VPN Next Hop 60
MPLS Forwarding 60
6VPE over GRE Tunnels 61
VRF Concepts 61
IPv6 VPN Scalability 62
Advanced IPv6 MPLS VPN Functionality 62
Internet Access 62
Multiautonomous-System Backbones 63
Carrier Supporting Carriers 64
How to Configure IPv6 VPN over MPLS 65
Configuring a Virtual Routing and Forwarding Instance for IPv6
65
Binding a VRF to an Interface 68
Configuring a Static Route for PE-to-CE Routing 69
Configuring eBGP PE-to-CE Routing Sessions 70
Configuring the IPv6 VPN Address Family for iBGP 71
Configuring Route Reflectors for Improved Scalability 73
Configuring Internet Access 81
Configuring the Internet Gateway 81
Configuring iBGP 6PE Peering to the VPN PE 81
Configuring the Internet Gateway as the Gateway to the Public
Domain 83
Configuring eBGP Peering to the Internet 84
Configuring the IPv6 VPN PE 86
Configuring a Default Static Route from the VRF to the Internet
Gateway 86
Configuring a Static Route from the Default Table to the VRF
87
Configuring iBGP 6PE Peering to the Internet Gateway 88
Configuring a Multiautonomous-System Backbone for IPv6 VPN
89
Configuring the PE VPN for a Multiautonomous-System Backbone
91
Configuring iBGP IPv6 VPN Peering to a Route Reflector 91
Configuring IPv4 and Label iBGP Peering to a Route Reflector
93
Configuring the Route Reflector for a Multiautonomous-System
Backbone 95
Configuring Peering to the PE VPN 95
Configuring the Route Reflector 97
Configuring Peering to the Autonomous System Boundary Router
100
Configuring Peering to Another ISP Route Reflector 101
Configuring the ASBR 103
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&Tvi
Contents
-
Configuring Peering with Router Reflector RR1 103
Configuring Peering with the Other ISP ASBR2 105
Configuring CSC for IPv6 VPN 107
Configuration Examples for IPv6 VPN over MPLS 109
Examples: IPv6 VPN over MPLS Routing 109
Example: BGP IPv6 Activity Summary 109
Example: Dumping the BGP IPv6 Tables 109
Example: Dumping the IPv6 Routing Tables 109
Examples: IPv6 VPN over MPLS Forwarding 110
Example: PE-CE Connectivity 110
Examples: PE Imposition Path 111
Examples: PE Disposition Path 112
Examples: Label Switch Path 112
Examples: IPv6 VPN over MPLS VRF 113
Examples: VRF Information 113
Example: IPv6 VPN Configuration Using IPv4 Next Hop 113
Additional References 114
Feature Information for IPv6 VPN over MPLS 115
Glossary 116
C H A P T E R 6 Configuring Route Maps to Control the
Distribution of MPLS Labels Between Routers in an
MPLS VPN 119
Finding Feature Information 119
Restrictions for Using Route Maps with MPLS VPNs 120
Prerequisites for Using Route Maps with MPLS VPNs 120
Information About Route Maps in MPLS VPNs 120
How to Configure Route Maps in an MPLS VPN 120
Configuring a Route Map for Incoming Routes 120
Configuring a Route Map for Outgoing Routes 122
Applying the Route Maps to the MPLS VPN Edge Routers 124
Troubleshooting Tips 126
Configuration Examples for Route Maps in MPLS VPNs 127
Using a Route Map in an MPLS VPN Inter-AS Network Example
127
Using a Route Map in an MPLS VPN CSC Network Example 128
Additional References 129
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T vii
Contents
-
Feature Information for Route Maps in MPLS VPNs 130
C H A P T E R 7 Assigning an ID Number to an MPLS VPN 133
Finding Feature Information 133
Restrictions for MPLS VPN ID 133
Information About MPLS VPN ID 134
Introduction to MPLS VPN ID 134
Components of the MPLS VPN ID 134
Management Applications That Use MPLS VPN IDs 134
Dynamic Host Configuration Protocol 135
Remote Authentication Dial-In User Service 135
How to Configure an MPLS VPN ID 135
Specifying an MPLS VPN ID 135
Verifying the MPLS VPN ID Configuration 136
Configuration Examples for Assigning an ID Number to an MPLS VPN
138
Example: Specifying an MPLS VPN ID 138
Example: Verifying the MPLS VPN ID Configuration 138
Additional References 139
Feature Information for MPLS VPN ID 139
C H A P T E R 8 MPLS VPN Show Running VRF 141
Finding Feature Information 141
Prerequisites for MPLS VPN Show Running VRF 142
Restrictions for MPLS VPN Show Running VRF 142
Information About MPLS VPN Show Running VRF 142
Configuration Elements Displayed for MPLS VPN Show Running VRF
142
Display of VRF Routing Protocol Configuration 143
Display of Configuration Not Directly Linked to a VRF 143
Additional References 144
Feature Information for MPLS VPN Show Running VRF 144
Glossary 145
C H A P T E R 9 MPLS VPN Half-Duplex VRF 147
Finding Feature Information 147
Prerequisites for MPLS VPN Half-Duplex VRF 147
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&Tviii
Contents
-
Restrictions for MPLS VPN Half-Duplex VRF 148
Information About MPLS VPN Half-Duplex VRF 148
MPLS VPN Half-Duplex VRF Overview 148
Upstream and Downstream VRFs 149
Reverse Path Forwarding Check 150
How to Configure MPLS VPN Half-Duplex VRF 150
Configuring the Upstream and Downstream VRFs on the Spoke PE
Device 150
Associating a VRF with an Interface 152
Configuring the Downstream VRF for an AAA Server 153
Verifying the MPLS VPN Half-Duplex VRF Configuration 153
Configuration Examples for MPLS VPN Half-Duplex VRF 157
Examples: Configuring the Upstream and Downstream VRFs on the
Spoke PE Device 157
Example: Associating a VRF with an Interface 157
Example Configuring MPLS VPN Half-Duplex VRF Using Static CE-PE
Routing 158
Example: ConfiguringMPLSVPNHalf-DuplexVRFUsingRADIUSServer and
Static CE-PE
Routing 159
Example: Configuring MPLS VPN Half-Duplex VRF Using Dynamic
CE-PE Routing 160
Additional References 162
Feature Information for MPLS VPN Half-Duplex VRF 162
C H A P T E R 1 0 MPLS VPN VRF CLI for IPv4 and IPv6 VPNs
165
Finding Feature Information 165
Prerequisites for MPLS VPN VRF CLI for IPv4 and IPv6 VPNs
166
Restrictions for MPLS VPN VRF CLI for IPv4 and IPv6 VPNs 166
Information About MPLS VPN VRF CLI for IPv4 and IPv6 VPNs
166
VRF Concepts Similar for IPv4 and IPv6 MPLS VPNs 166
Single-Protocol VRF to Multiprotocol VRF Migration 166
Multiprotocol VRF Configuration Characteristics 167
How to Configure MPLS VPN VRF CLI for IPv4 and IPv6 VPNs 168
Configuring a VRF for IPv4 and IPv6 MPLS VPNs 168
Associating a Multiprotocol VRF with an Interface 171
Verifying the MPLS VPN VRF CLI for IPv4 and IPv6 VPNs
Configuration 172
Migrating from a Single-Protocol IPv4-Only VRF to a
Multiprotocol VRF Configuration 175
Configuration Examples for MPLS VPN VRF CLI for IPv4 and IPv6
VPNs 177
Example: Multiprotocol VRF Configuration Single Protocol with
Noncommon Policies 177
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T ix
Contents
-
Example: Multiprotocol VRF Configuration Multiprotocol with
Noncommon Policies 177
Example: Multiprotocol VRF Configuration Multiprotocol with
Common Policies 178
Example:MultiprotocolVRFConfigurationMultiprotocolwith Common
andNoncommon
Policies 178
Examples: Configuring a VRF for IPv4 and IPv6 VPNs 178
Example: Associating a Multiprotocol VRF with an Interface
179
Examples:Migrating from aSingle-Protocol
IPv4-OnlyVRFConfiguration to aMultiprotocol
VRF Configuration 179
Additional References 180
Feature Information for MPLS VPN VRF CLI for IPv4 and IPv6 VPNs
181
Glossary 183
C H A P T E R 1 1 MPLS VPN Route Target Rewrite 185
Finding Feature Information 185
Prerequisites for MPLS VPN Route Target Rewrite 186
Restrictions for MPLS VPN Route Target Rewrite 186
Information About MPLS VPN Route Target Rewrite 186
Route Target Replacement Policy 186
Route Maps and Route Target Replacement 188
How to Configure MPLS VPN Route Target Rewrite 188
Configuring a Route Target Replacement Policy 188
Applying the Route Target Replacement Policy 191
Associating Route Maps with Specific BGP Neighbors 192
Refreshing BGP Session to Apply Route Target Replacement Policy
194
Troubleshooting Tips 195
Verifying the Route Target Replacement Policy 195
Troubleshooting Your Route Target Replacement Policy 197
Configuration Examples for MPLS VPN Route Target Rewrite 199
Examples: Configuring Route Target Replacement Policies 199
Examples: Applying Route Target Replacement Policies 200
Examples: Associating Route Maps with Specific BGP Neighbor
200
Example: Refreshing the BGP Session to Apply the Route Target
Replacement
Policy 200
Additional References 201
Feature Information for MPLS VPN Route Target Rewrite 201
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&Tx
Contents
-
Glossary 202
C H A P T E R 1 2 MPLS VPN Per VRF Label 205
Finding Feature Information 205
Prerequisites for MPLS VPN Per VRF Label 205
Restrictions for MPLS VPN Per VRF Label 206
Information About MPLS VPN Per VRF Label 206
MPLS VPN Per VRF Label Functionality 206
How to Configure MPLS VPN Per VRF Label 207
Configuring the Per VRF Label Feature 207
Examples 208
Configuration Examples for MPLS VPN Per VRF Label 209
Example: No Label Mode Default Configuration 209
Example: Mixed Mode with Global Per-Prefix 211
Example: Mixed Mode with Global Per-VRF 212
Additional References 213
Feature Information for MPLS VPN Per VRF Label 214
C H A P T E R 1 3 MPLS VPN SNMP Notifications 217
Finding Feature Information 218
Prerequisites for MPLS VPN SNMP Notifications 218
Restrictions for MPLS VPN SNMP Notifications 218
Information About MPLS VPN SNMP Notifications 218
Cisco Implementation of MPLS VPN MIB 218
Capabilities Supported by MPLS VPN SNMP Notifications 219
Notification Generation Events for the MPLS VPN MIB 219
Notification Specification for MPLS-VPN-MIB 221
Monitoring the MPLS VPN SNMP Notifications 221
How to Configure the MPLS VPN SNMP Notifications 222
Configuring an SNMP Community 222
Configuring the Device to Send SNMP Traps 223
Configuring Threshold Values for MPLS VPN SNMP Notifications
225
Configuration Examples for MPLS VPN SNMP Notifications 227
Example: Configuring the Community 227
Example: Configuring the Device to Send SNMP Traps 227
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T xi
Contents
-
Example: Configuring Threshold Values for MPLS VPN SNMP
Notifications 228
Additional References 228
Feature Information for MPLS VPN SNMP Notifications 229
Glossary 230
C H A P T E R 1 4 Multi-VRF Selection Using Policy-Based Routing
233
Finding Feature Information 233
Prerequisites for Multi-VRF Selection Using Policy-Based Routing
234
Restrictions for Multi-VRF Selection Using Policy-Based Routing
234
Information About Multi-VRF Selection Using Policy-Based Routing
234
Policy Routing of VPN Traffic Based on Match Criteria 234
Policy-Based Routing set Commands 235
Policy-routing Packets for VRF Instances 235
Change of Normal Routing and Forwarding Behavior 236
Support of Inherit-VRF Inter-VRF and VRF-to-Global Routing
237
How to Configure Multi-VRF Selection Using Policy-Based Routing
238
Defining the Match Criteria for Multi-VRF Selection Using
Policy-Based Routing 238
ConfiguringMulti-VRFSelectionUsing Policy-BasedRoutingwith a
StandardAccess
List 238
ConfiguringMulti-VRF SelectionUsing Policy-BasedRoutingwith a
Named Extended
Access List 239
Configuring Multi-VRF Selection in a Route Map 240
ConfiguringMulti-VRF Selection Using Policy-Based Routing and IP
VRF Receive on the
Interface 243
Verifying the Configuration of Multi-VRF Selection Using
Policy-Based Routing 244
Configuration Examples for Multi-VRF Selection Using
Policy-Based Routing 246
Example: Defining the Match Criteria for Multi-VRF Selection
Using Policy-Based
Routing 246
Example: Configuring Multi-VRF Selection in a Route Map 247
Additional References 247
Feature Information for Multi-VRF Selection Using Policy-Based
Routing 248
Glossary 250
C H A P T E R 1 5 MPLS VPN VRF Selection Based on a Source IP
Address 251
Finding Feature Information 251
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&Txii
Contents
-
Prerequisites for MPLS VPN VRF Selection Based on a Source IP
Address 252
Restrictions for MPLS VPN VRF Selection Based on a Source IP
Address 253
Information About MPLS VPN VRF Selection Based on a Source IP
Address 253
VRF Selection Process 253
VRF Selection Examples 254
VRF Selection is a Unidirectional Feature 256
Conditions Under Which VRF Selection Becomes Bidirectional
257
Advantages of VRF Selection over Per-Interface IP VPN
Configuration 257
Benefits of MPLS VPN VRF Selection Based on a Source IP Address
258
How to Configure MPLS VPN VRF Selection Based on a Source IP
Address 258
Configuring VRF Selection 258
Establishing IP Static Routes for a VRF Instance 260
Verifying VRF Selection 261
Troubleshooting Tips 261
Configuration Examples for MPLS VPN VRF Selection Based on a
Source IP Address 262
Example: Enabling MPLS VPNs 262
Example: Creating a VRF Routing Table 262
Example: Defining VRF Selection Entries 262
Example: Defining IP Static Routes for a VRF 263
Example: Configuring an Interface for VRF Selection 263
Example: Configuring a BGP Device for VRF Selection 263
Example: Configuring a VRF to Eliminate Unnecessary Packet
Forwarding 263
Additional References 264
Feature Information for MPLS VPN VRF Selection Based on a Source
IP Address 264
C H A P T E R 1 6 MPLS VPN VRF Selection Using Policy-Based
Routing 267
Finding Feature Information 267
Prerequisites for MPLS VPN VRF Selection Using Policy-Based
Routing 268
Restrictions for MPLS VPN VRF Selection Using Policy-Based
Routing 268
Information About MPLS VPN VRF Selection Using Policy-Based
Routing 268
Introduction to MPLS VPN VRF Selection Using Policy-Based
Routing 268
Policy-Based Routing Set Clauses Overview 269
Match Criteria for Policy-Based Routing VRF Selection Based on
Packet Length 269
How to Configure MPLS VPN VRF Selection Using Policy-Based
Routing 270
Configuring Policy-Based Routing VRF Selection with a Standard
Access List 270
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T xiii
Contents
-
Configuring Policy-Based Routing VRF Selection with a Named
Access List 271
Configuring Policy-Based Routing VRF Selection in a Route Map
272
Configuring Policy-Based Routing on the Interface 274
Configuring IP VRF Receive on the Interface 275
Verifying the Configuration of the MPLS VPN VRF Selection Using
Policy-Based
Routing 276
Configuration Examples for MPLS VPN VRF Selection Using
Policy-Based Routing 277
Example: Defining Policy-Based Routing VRF Selection in an
Access List 277
Examples: Verifying VRF Selection Using Policy-Based Routing
278
Example: Verifying Match Criteria 278
Example: Verifying Route-Map Configuration 278
Example: Verifying Policy-Based Routing VRF Selection Policy
279
Additional References 279
Feature Information for MPLS VPN VRF Selection Using
Policy-Based Routing 279
C H A P T E R 1 7 MPLS VPN BGP Local Convergence 281
Finding Feature Information 281
Prerequisites for MPLS VPN BGP Local Convergence 282
Restrictions for MPLS VPN BGP Local Convergence 282
Information About MPLS VPN BGP Local Convergence 283
How Link Failures Are Handled with BGP 283
How Links Are Handled with the MPLS VPN BGP Local Convergence
Feature 283
How Link Failures Are Detected 284
How to Configure MPLS VPN BGP Local Convergence 285
Configuring MPLS VPN BGP Local Convergence with IPv4 285
Configuring MPLS VPNBGP Local Convergence with IPv6 286
Examples 288
Troubleshooting Tips 288
Configuration Examples for MPLS VPN BGP Local Convergence
289
Examples: MPLS VPN BGP Local Convergence 289
Examples: MPLS VPN BGP Local Convergence for 6VPE 6PE 291
Additional References 294
Feature Information for MPLS VPN BGP Local Convergence 295
C H A P T E R 1 8 Multi-VRF Support 297
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&Txiv
Contents
-
Finding Feature Information 297
Prerequisites for Multi-VRF Support 297
Restrictions for Multi-VRF Support 298
Information About Multi-VRF Support 298
How the Multi-VRF Support Feature Works 298
How Packets Are Forwarded in a Network Using the Multi-VRF
Support Feature 299
Considerations When Configuring the Multi-VRF Support Feature
300
How to Configure Multi-VRF Support 300
Configuring VRFs 300
Configuring BGP as the Routing Protocol 303
Configuring PE-to-CE MPLS Forwarding and Signaling with BGP
305
Configuring a Routing Protocol Other than BGP 307
Configuring PE-to-CE MPLS Forwarding and Signaling with LDP
308
Configuration Examples for Multi-VRF Support 309
Example: Configuring Multi-VRF Support on the PE Device 310
Example: Configuring Multi-VRF Support on the CE Device 311
Additional References 312
Feature Information for Multi-VRF Support 313
C H A P T E R 1 9 MPLS VPN per Customer Edge (CE) Label 315
Finding Feature Information 315
Prerequisites for MPLS VPN per CE Label 315
Restrictions for MPLS VPN per CE Label 316
Information About MPLS VPN per CE Label 317
MPLS VPN per CE Label Functionality 317
How to Configure MPLS VPN per CE Label 317
Configuring the per CE Label Feature 317
Configuration Examples for MPLS VPN per CE Label 318
Examples: MPLS VPN per CE Label 318
Additional References 319
Feature Information for MPLS VPN per CE Label 320
C H A P T E R 2 0 IPv6 VRF Aware System Message Logging 321
Finding Feature Information 321
Prerequisites for IPv6 VRF Aware System Message Logging 321
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T xv
Contents
-
Restrictions for IPv6 VRF Aware System Message Logging 322
Information About IPv6 VRF Aware System Message Logging 322
Benefits of VRF Aware System Message Logging 322
VRF Aware System Message Logging on a Provider Edge Device in an
MPLS VPN
Network 322
VRF Aware System Message Logging on a Customer Edge Device with
VRF-Lite
Configured 323
Message Levels for Logging Commands 324
How to Configure IPv6 VRF Aware System Message Logging 324
Configuring VRF on a Routing Device 324
Associating a VRF with an Interface 325
Configuring VRF as a Source Interface for Logging on a Routing
Device 327
Verifying IPv6 VRF Aware System Message Logging 328
Configuration Examples for IPv6 VRF Aware System Message Logging
329
Example: Configuring VRF on a Routing Device 329
Example: Associating a VRF with an Interface 329
Example: Configuring VRF as a Source Interface for Logging on a
Routing Device 329
Additional References for IPv6 VRF Aware System Message Logging
330
Feature Information for IPv6 VRF Aware System Message Logging
330
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&Txvi
Contents
-
C H A P T E R 1MPLS Virtual Private Networks
An MPLS Virtual Private Network (VPN) consists of a set of sites
that are interconnected by means of aMultiprotocol Label Switching
(MPLS) provider core network. At each customer site, one or more
customeredge (CE) devices attach to one or more provider edge (PE)
devices. This module explains how to create anMPLS VPN.
Finding Feature Information, page 1
Prerequisites for MPLS Virtual Private Networks, page 1
Restrictions for MPLS Virtual Private Networks, page 2
Information About MPLS Virtual Private Networks, page 4
How to Configure MPLS Virtual Private Networks, page 9
Configuration Examples for MPLS Virtual Private Networks, page
19
Additional References, page 21
Feature Information for MPLS Virtual Private Networks, page
22
Finding Feature InformationYour software release may not support
all the features documented in this module. For the latest caveats
andfeature information, see Bug Search Tool and the release notes
for your platform and software release. Tofind information about
the features documented in this module, and to see a list of the
releases in which eachfeature is supported, see the feature
information table at the end of this module.
Use Cisco Feature Navigator to find information about platform
support and Cisco software image support.To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is
not required.
Prerequisites for MPLS Virtual Private Networks Make sure that
you have installed Multiprotocol Label Switching (MPLS), Label
Distribution Protocol(LDP), and Cisco Express Forwarding in your
network.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 1
-
All devices in the core, including the provider edge (PE)
devices, must be able to support Cisco ExpressForwarding and MPLS
forwarding. See the Assessing the Needs of the MPLS Virtual Private
NetworkCustomers section.
Cisco Express Forwarding must be enabled on all devices in the
core, including the PE devices. Forinformation about how to
determine if Cisco Express Forwarding is enabled, see the
Configuring BasicCisco Express Forwarding module in the Cisco
Express Forwarding Configuration Guide.
Restrictions for MPLS Virtual Private NetworksWhen static routes
are configured in aMultiprotocol Label Switching (MPLS) orMPLS
virtual private network(VPN) environment, some variations of the ip
route and ip route vrf commands are not supported. Thesevariations
of the commands are not supported in software releases that support
the Tag Forwarding InformationBase (TFIB). The TFIB cannot resolve
prefixes when the recursive route over which the prefixes
traveldisappears and then reappears. However, the command
variations are supported in releases that support theMPLS
Forwarding Infrastructure (MFI). For details about the supported
releases, see theMultiprotocol LabelSwitching Command Reference.
Use the following guidelines when configuring static routes.
Supported Static Routes in an MPLS Environment
The following ip route command is supported when you configure
static routes in an MPLS environment:
ip route destination-prefix mask interface next-hop-address
The following ip route commands are supported when you configure
static routes in an MPLS environmentand configure load sharing with
static nonrecursive routes and a specific outbound interface:
ip route destination-prefix mask interface1 next-hop1
ip route destination-prefix mask interface2 next-hop2
Unsupported Static Routes in an MPLS Environment That Uses the
TFIB
The following ip route command is not supported when you
configure static routes in anMPLS environment:
ip route destination-prefix mask next-hop-address
The following ip route command is not supported when you
configure static routes in an MPLS environmentand enable load
sharing where the next hop can be reached through two paths:
ip route destination-prefix mask next-hop-address
The following ip route commands are not supported when you
configure static routes in anMPLS environmentand enable load
sharing where the destination can be reached through two next
hops:
ip route destination-prefix mask next-hop1
ip route destination-prefix mask next-hop2
Use the interface an next-hop arguments when specifying static
routes.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T2
MPLS Virtual Private NetworksRestrictions for MPLS Virtual
Private Networks
-
Supported Static Routes in an MPLS VPN Environment
The following ip route vrf commands are supported when you
configure static routes in an MPLS VPNenvironment, and the next hop
and interface are in the same VRF:
ip route vrf vrf-name destination-prefix mask
next-hop-address
ip route vrf vrf-name destination-prefix mask interface
next-hop-address
ip route vrf vrf-name destination-prefix mask interface1
next-hop1
ip route vrf vrf-name destination-prefix mask interface2
next-hop2
The following ip route vrf commands are supported when you
configure static routes in an MPLS VPNenvironment, and the next hop
is in the global table in theMPLS cloud in the global routing
table. For example,these commands are supported when the next hop
is pointing to the Internet gateway.
ip route vrf vrf-name destination-prefix mask next-hop-address
global
ip route vrf vrf-name destination-prefix mask interface
next-hop-address (This command is supportedwhen the next hop and
interface are in the core.)
The following ip route commands are supported when you configure
static routes in an MPLS VPNenvironment and enable load sharing
with static nonrecursive routes and a specific outbound
interface:
ip route destination-prefix mask interface1 next-hop1
ip route destination-prefix mask interface2 next-hop2
Unsupported Static Routes in an MPLS VPN Environment That Uses
the TFIB
The following ip route command is not supported when you
configure static routes in an MPLS VPNenvironment, the next hop is
in the global table in theMPLS cloud within the core, and you
enable load sharingwhere the next hop can be reached through two
paths:
ip route vrf destination-prefix mask next-hop-address global
The following ip route commands are not supported when you
configure static routes in an MPLS VPNenvironment, the next hop is
in the global table in theMPLS cloud within the core, and you
enable load sharingwhere the destination can be reached through two
next hops:
ip route vrf destination-prefix mask next-hop1 global
ip route vrf destination-prefix mask next-hop2 global
The following ip route vrf commands are not supported when you
configure static routes in an MPLS VPNenvironment, and the next hop
and interface are in the same VRF:
ip route vrf vrf-name destination-prefix mask next-hop1 vrf-name
destination-prefix mask next-hop1
ip route vrf vrf-name destination-prefix mask next-hop2
Supported Static Routes in an MPLS VPN Environment Where the
Next Hop Resides in the Global Table onthe CE Device
The following ip route vrf command is supported when you
configure static routes in an MPLS VPNenvironment, and the next hop
is in the global table on the customer edge (CE) side. For example,
the following
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 3
MPLS Virtual Private NetworksRestrictions for MPLS Virtual
Private Networks
-
command is supported when the destination prefix is the CE
devices loopback address, as in external BorderGateway Protocol
(EBGP) multihop cases.
ip route vrf vrf-name destination-prefix mask interface
next-hop-address
The following ip route commands are supported when you configure
static routes in an MPLS VPNenvironment, the next hop is in the
global table on the CE side, and you enable load sharing with
staticnonrecursive routes and a specific outbound interface:
ip route destination-prefix mask interface1 nexthop1
ip route destination-prefix mask interface2 nexthop2
Information About MPLS Virtual Private Networks
MPLS Virtual Private Network DefinitionBefore defining a
Multiprotocol Label Switching virtual private network (MPLS VPN),
you must define aVPN in general. A VPN is:
An IP-based network delivering private network services over a
public infrastructure
A set of sites that are allowed to communicate with each other
privately over the Internet or other publicor private networks
Conventional VPNs are created by configuring a full mesh of
tunnels or permanent virtual circuits (PVCs) toall sites in a VPN.
This type of VPN is not easy to maintain or expand, because adding
a new site requireschanging each edge device in the VPN.
MPLS-based VPNs are created in Layer 3 and are based on the peer
model. The peer model enables the serviceprovider and the customer
to exchange Layer 3 routing information. The service provider
relays the databetween the customer sites without the customers
involvement.
MPLSVPNs are easier to manage and expand than conventional
VPNs.When a new site is added to anMPLSVPN, only the service
providers edge device that provides services to the customer site
needs to be updated.
The different parts of the MPLS VPN are described as
follows:
Provider (P) deviceDevice in the core of the provider network. P
devices run MPLS switching, anddo not attach VPN labels to routed
packets. The MPLS label in each route is assigned by the
provideredge (PE) device. VPN labels are used to direct data
packets to the correct egress device.
PE deviceDevice that attaches the VPN label to incoming packets
based on the interface or subinterfaceon which they are received. A
PE device attaches directly to a customer edge (CE) device.
Customer (C) deviceDevice in the ISP or enterprise network.
CE deviceEdge device on the network of the ISP that connects to
the PE device on the network. ACE device must interface with a PE
device.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T4
MPLS Virtual Private NetworksInformation About MPLS Virtual
Private Networks
-
The figure below shows a basic MPLS VPN.
Figure 1: Basic MPLS VPN Terminology
How an MPLS Virtual Private Network WorksMultiprotocol Label
Switching virtual private network (MPLS VPN) functionality is
enabled at the edge ofan MPLS network. The provider edge (PE)
device performs the following:
Exchanges routing updates with the customer edge (CE)
device.
Translates the CE routing information into VPNv4 routes.
Exchanges VPNv4 routes with other PE devices through the
Multiprotocol Border Gateway Protocol(MP-BGP).
The following sections describe how MPLS VPN works:
How Virtual Routing and Forwarding Tables Work in an MPLS
Virtual Private NetworkEach virtual private network (VPN) is
associated with one or more virtual routing and forwarding
(VRF)instances. A VRF defines the VPN membership of a customer site
attached to a PE device. A VRF consistsof the following
components:
An IP routing table
A derived Cisco Express Forwarding table
A set of interfaces that use the forwarding table
A set of rules and routing protocol parameters that control the
information that is included in the routingtable
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 5
MPLS Virtual Private NetworksHow an MPLS Virtual Private Network
Works
-
A one-to-one relationship does not necessarily exist between
customer sites and VPNs. A site can be a memberof multiple VPNs.
However, a site can associate with only one VRF. A sites VRF
contains all the routesavailable to the site from the VPNs of which
it is a member.
Packet forwarding information is stored in the IP routing table
and the Cisco Express Forwarding table foreach VRF. A separate set
of routing and Cisco Express Forwarding tables is maintained for
each VRF. Thesetables prevent information from being forwarded
outside a VPN, and they also prevent packets that are outsidea VPN
from being forwarded to a device within the VPN.
How VPN Routing Information Is Distributed in an MPLS Virtual
Private NetworkThe distribution of virtual private network (VPN)
routing information is controlled through the use of VPNroute
target communities, implemented by Border Gateway Protocol (BGP)
extended communities. VPNrouting information is distributed as
follows:
When a VPN route that is learned from a customer edge (CE)
device is injected into BGP, a list of VPNroute target extended
community attributes is associated with it. Typically the list of
route targetcommunity extended values is set from an export list of
route targets associated with the virtual routingand forwarding
(VRF) instance from which the route was learned.
An import list of route target extended communities is
associated with each VRF. The import list definesroute target
extended community attributes that a route must have in order for
the route to be importedinto the VRF. For example, if the import
list for a particular VRF includes route target extendedcommunities
A, B, and C, then any VPN route that carries any of those route
target extendedcommunitiesA, B, or Cis imported into the VRF.
MPLS ForwardingBased on routing information stored in the
virtual routing and forwarding (VRF) IP routing table and VRFCisco
Express Forwarding table, packets are forwarded to their
destination usingMultiprotocol Label Switching(MPLS).
A provider edge (PE) device binds a label to each customer
prefix learned from a customer edge (CE) deviceand includes the
label in the network reachability information for the prefix that
it advertises to other PEdevices. When a PE device forwards a
packet received from a CE device across the provider network, it
labelsthe packet with the label learned from the destination PE
device. When the destination PE device receives thelabeled packet,
it pops the label and uses it to direct the packet to the correct
CE device. Label forwardingacross the provider backbone is based on
either dynamic label switching or traffic engineered paths. A
customerdata packet carries two levels of labels when traversing
the backbone:
The top label directs the packet to the correct PE device.
The second label indicates how that PE device should forward the
packet to the CE device.
Major Components of an MPLS Virtual Private
NetworkAnMultiprotocol Label Switching (MPLS)-based virtual private
network (VPN) has three major components:
VPN route target communitiesA VPN route target community is a
list of all members of a VPNcommunity. VPN route targets need to be
configured for each VPN community member.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T6
MPLS Virtual Private NetworksMajor Components of an MPLS Virtual
Private Network
-
Multiprotocol BGP (MP-BGP) peering of VPN community provider
edge (PE) devicesMP-BGPpropagates virtual routing and forwarding
(VRF) reachability information to all members of a VPNcommunity.
MP-BGP peering must be configured on all PE devices within a VPN
community.
MPLS forwardingMPLS transports all traffic between all VPN
community members across a VPNservice-provider network.
A one-to-one relationship does not necessarily exist between
customer sites and VPNs. A given site can be amember of multiple
VPNs. However, a site can associate with only one VRF. A
customer-site VRF containsall the routes available to the site from
the VPNs of which it is a member.
Benefits of an MPLS Virtual Private NetworkMultiprotocol Label
Switching virtual private networks (MPLS VPNs) allow service
providers to deployscalable VPNs and build the foundation to
deliver value-added services, such as the following:
Connectionless Service
A significant technical advantage of MPLSVPNs is that they are
connectionless. The Internet owes its successto its basic
technology, TCP/IP. TCP/IP is built on a packet-based,
connectionless network paradigm. Thismeans that no prior action is
necessary to establish communication between hosts, making it easy
for twoparties to communicate. To establish privacy in a
connectionless IP environment, current VPN solutionsimpose a
connection-oriented, point-to-point overlay on the network. Even if
it runs over a connectionlessnetwork, a VPN cannot take advantage
of the ease of connectivity and multiple services available
inconnectionless networks. When you create a connectionless VPN,
you do not need tunnels and encryptionfor network privacy, thus
eliminating significant complexity.
Centralized Service
Building VPNs in Layer 3 allows delivery of targeted services to
a group of users represented by a VPN. AVPN must give service
providers more than a mechanism for privately connecting users to
intranet services.It must also provide a way to flexibly deliver
value-added services to targeted customers. Scalability is
critical,because customers want to use services privately in their
intranets and extranets. Because MPLS VPNs areseen as private
intranets, you may use new IP services such as:
Multicast
Quality of service (QoS)
Telephony support within a VPN
Centralized services including content and web hosting to a
VPN
You can customize several combinations of specialized services
for individual customers. For example, aservice that combines IP
multicast with a low-latency service class enables video
conferencing within anintranet.
Scalability
If you create a VPN using connection-oriented, point-to-point
overlays, Frame Relay, or ATM virtualconnections (VCs), the VPNs
key deficiency is scalability. Specifically, connection-oriented
VPNs withoutfully meshed connections between customer sites are not
optimal. MPLS-based VPNs, instead, use the peermodel and Layer 3
connectionless architecture to leverage a highly scalable VPN
solution. The peer model
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 7
MPLS Virtual Private NetworksBenefits of an MPLS Virtual Private
Network
-
requires a customer site to peer with only one provider edge
(PE) device as opposed to all other customeredge (CE) devices that
are members of the VPN. The connectionless architecture allows the
creation of VPNsin Layer 3, eliminating the need for tunnels or
VCs.
Other scalability issues of MPLS VPNs are due to the
partitioning of VPN routes between PE devices andthe further
partitioning of VPN and Interior Gateway Protocol (IGP) routes
between PE devices and provider(P) devices in a core network.
PE devices must maintain VPN routes for those VPNs who are
members.
P devices do not maintain any VPN routes.
This increases the scalability of the providers core and ensures
that no one device is a scalability bottleneck.
Security
MPLS VPNs offer the same level of security as
connection-oriented VPNs. Packets from one VPN do notinadvertently
go to another VPN.
Security is provided in the following areas:
At the edge of a provider network, ensuring packets received
from a customer are placed on the correctVPN.
At the backbone, VPN traffic is kept separate. Malicious
spoofing (an attempt to gain access to a PEdevice) is nearly
impossible because the packets received from customers are IP
packets. These IPpackets must be received on a particular interface
or subinterface to be uniquely identified with a VPNlabel.
Ease of Creation
To take full advantage of VPNs, customers must be able to easily
create new VPNs and user communities.BecauseMPLSVPNs are
connectionless, no specific point-to-point connectionmaps or
topologies are required.You can add sites to intranets and
extranets and form closed user groups. Managing VPNs in this
mannerenables membership of any given site in multiple VPNs,
maximizing flexibility in building intranets andextranets.
Flexible Addressing
To make a VPN service more accessible, customers of a service
provider can design their own addressingplan, independent of
addressing plans for other service provider customers. Many
customers use privateaddress spaces, as defined in RFC 1918, and do
not want to invest the time and expense of converting topublic IP
addresses to enable intranet connectivity. MPLS VPNs allow
customers to continue to use theirpresent address spaces without
network address translation (NAT) by providing a public and private
view ofthe address. A NAT is required only if two VPNs with
overlapping address spaces want to communicate. Thisenables
customers to use their own unregistered private addresses, and
communicate freely across a publicIP network.
Integrated QoS Support
QoS is an important requirement for many IP VPN customers. It
provides the ability to address two fundamentalVPN
requirements:
Predictable performance and policy implementation
Support for multiple levels of service in an MPLS VPN
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T8
MPLS Virtual Private NetworksBenefits of an MPLS Virtual Private
Network
-
Network traffic is classified and labeled at the edge of the
network before traffic is aggregated according topolicies defined
by subscribers and implemented by the provider and transported
across the provider core.Traffic at the edge and core of the
network can then be differentiated into different classes by drop
probabilityor delay.
Straightforward Migration
For service providers to quickly deploy VPN services, use a
straightforward migration path. MPLS VPNs areunique because you can
build them over multiple network architectures, including IP, ATM,
Frame Relay,and hybrid networks.
Migration for the end customer is simplified because there is no
requirement to support MPLS on the CEdevice and no modifications
are required to a customers intranet.
How to Configure MPLS Virtual Private Networks
Configuring the Core Network
Assessing the Needs of MPLS Virtual Private Network
CustomersBefore you configure a Multiprotocol Label Switching
virtual private network (MPLS VPN), you need toidentify the core
network topology so that it can best serveMPLSVPN customers.
Perform this task to identifythe core network topology.
SUMMARY STEPS
1. Identify the size of the network.2. Identify the routing
protocols in the core.3. Determine if you need MPLS VPN High
Availability support.4. Determine if you need Border Gateway
Protocol (BGP) load sharing and redundant paths in the MPLS
VPN core.
DETAILED STEPS
PurposeCommand or Action
Identify the following to determine the number of devices and
ports thatyou need:
Identify the size of the network.Step 1
How many customers do you need to support?
How many VPNs are needed per customer?
How many virtual routing and forwarding instances are there
foreach VPN?
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 9
MPLS Virtual Private NetworksHow to Configure MPLS Virtual
Private Networks
-
PurposeCommand or Action
Determine which routing protocols you need in the core
network.Identify the routing protocols in the core.Step 2
MPLSVPNNonstop Forwarding and Graceful Restart are supported
onselect devices and Cisco software releases. Contact Cisco Support
forthe exact requirements and hardware support.
Determine if you need MPLS VPN HighAvailability support.
Step 3
For configuration steps, see the Load Sharing MPLS VPN
Trafficfeature module in theMPLS Layer 3 VPNs Inter-AS and
CSCConfiguration Guide.
Determine if you need Border GatewayProtocol (BGP) load sharing
and redundantpaths in the MPLS VPN core.
Step 4
Configuring MPLS in the CoreTo enable Multiprotocol Label
Switching (MPLS) on all devices in the core, you must configure
either of thefollowing as a label distribution protocol:
MPLS Label Distribution Protocol (LDP). For configuration
information, see the MPLS LabelDistribution Protocol (LDP) module
in theMPLS Label Distribution Protocol Configuration Guide.
MPLS Traffic Engineering Resource Reservation Protocol (RSVP).
For configuration information, seethe MPLS Traffic Engineering and
Enhancements module in theMPLS Traffic Engineering PathCalculation
and Setup Configuration Guide.
Connecting the MPLS Virtual Private Network Customers
Defining VRFs on the PE Devices to Enable Customer
ConnectivityUse this procedure to define a virtual routing and
forwarding (VRF) configuration for IPv4. To define a VRFfor IPv4
and IPv6, see the Configuring a Virtual Routing and Forwarding
Instance for IPv6" section in theIPv6 VPN over MPLS" module in
theMPLS Layer 3 VPNs Configuration Guide.
SUMMARY STEPS
1. enable2. configure terminal3. ip vrf vrf-name4. rd
route-distinguisher5. route-target {import | export | both}
route-target-ext-community6. import map route-map7. exit
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T10
MPLS Virtual Private NetworksConnecting the MPLS Virtual Private
Network Customers
-
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode.enableStep 1
Example:
Device> enable
Enter your password if prompted.
Enters global configuration mode.configure terminal
Example:
Device# configure terminal
Step 2
Defines the virtual private network (VPN) routing instance by
assigning avirtual routing and forwarding (VRF) name and enters VRF
configurationmode.
ip vrf vrf-name
Example:
Device(config)# ip vrf vpn1
Step 3
The vrf-name argument is the name assigned to a VRF.
Creates routing and forwarding tables.rd route-distinguisherStep
4
Example:Device(config-vrf)# rd 100:1
The route-distinguisher argument adds an 8-byte value to an
IPv4prefix to create a VPN IPv4 prefix. You can enter a route
distinguisher(RD) in either of these formats:
16-bit AS number:your 32-bit number, for example, 101:3
32-bit IP address:your 16-bit number, for example,
10.0.0.1:1
Creates a route-target extended community for a VRF.route-target
{import | export | both}route-target-ext-community
Step 5
The import keyword imports routing information from the target
VPNextended community.
Example:
Device(config-vrf)# route-targetimport 100:1
The export keyword exports routing information to the target
VPNextended community.
The both keyword imports routing information from and
exportsrouting information to the target VPN extended
community.
The route-target-ext-community argument adds the
route-targetextended community attributes to the VRFs list of
import, export, orboth route-target extended communities.
(Optional) Configures an import route map for a VRF.import map
route-mapStep 6
Example:
Device(config-vrf)# import mapvpn1-route-map
The route-map argument specifies the route map to be used as
animport route map for the VRF.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 11
MPLS Virtual Private NetworksConnecting the MPLS Virtual Private
Network Customers
-
PurposeCommand or Action
(Optional) Exits to global configuration mode.exit
Example:
Device(config-vrf)# exit
Step 7
Configuring VRF Interfaces on PE Devices for Each VPN CustomerTo
associate a virtual routing and forwarding (VRF) instance with an
interface or subinterface on the provideredge (PE) devices, perform
this task.
SUMMARY STEPS
1. enable2. configure terminal3. interface type number4. ip vrf
forwarding vrf-name5. end
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode.enableStep 1
Example:
Device> enable
Enter your password if prompted.
Enters global configuration mode.configure terminal
Example:
Device# configure terminal
Step 2
Specifies the interface to configure and enters
interfaceconfiguration mode.
interface type number
Example:
Device(config)# interface FastEthernet1/0/0
Step 3
The type argument specifies the type of interface to
beconfigured.
The number argument specifies the port, connector, orinterface
card number.
Associates a VRF with the specified interface or subinterface.ip
vrf forwarding vrf-nameStep 4
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T12
MPLS Virtual Private NetworksConnecting the MPLS Virtual Private
Network Customers
-
PurposeCommand or Action
Example:
Device(config-if)# ip vrf forwarding vpn1
The vrf-name argument is the name assigned to a VRF.
(Optional) Exits to privileged EXEC mode.end
Example:
Device(config-if)# end
Step 5
Configuring Routing Protocols Between the PE and CE
DevicesConfigure the provider edge (PE) device with the same
routing protocol that the customer edge (CE) deviceuses. You can
configure the Border Gateway Protocol (BGP), Routing Information
Protocol version 2 (RIPv2),or static routes between the PE and CE
devices.
Configuring RIPv2 as the Routing Protocol Between the PE and CE
Devices
SUMMARY STEPS
1. enable2. configure terminal3. router rip4. version {1 | 2}5.
address-family ipv4 [multicast | unicast | vrf vrf-name]6. network
ip-address7. redistribute protocol [process-id] {level-1 |
level-1-2 | level-2} [as-number] [metric metric-value]
[metric-type type-value] [match {internal | external 1 |
external 2}] [tag tag-value] [route-mapmap-tag][subnets]
8. exit-address-family9. end
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode.enableStep 1
Example:
Device> enable
Enter your password if prompted.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 13
MPLS Virtual Private NetworksConnecting the MPLS Virtual Private
Network Customers
-
PurposeCommand or Action
Enters global configuration mode.configure terminal
Example:
Device# configure terminal
Step 2
Enables the Routing Information Protocol (RIP).router rip
Example:
Device(config)# router rip
Step 3
Specifies RIP version used globally by the device.version {1 |
2}
Example:
Device(config-router)# version 2
Step 4
Specifies the IPv4 address family type and enters addressfamily
configuration mode.
address-family ipv4 [multicast | unicast | vrf vrf-name]
Example:
Device(config-router)# address-family ipv4 vrfvpn1
Step 5
Themulticast keyword specifies IPv4 multicastaddress
prefixes.
The unicast keyword specifies IPv4 unicast addressprefixes.
The vrf vrf-name keyword and argument specifies thename of the
VRF to associate with subsequent IPv4address family configuration
mode commands.
Enables RIP on the PE-to-CE link.network ip-address
Example:
Device(config-router-af)# network 192.168.7.0
Step 6
Redistributes routes from one routing domain into anotherrouting
domain.
redistribute protocol [process-id] {level-1 | level-1-2|
level-2} [as-number] [metric metric-value]
Step 7
[metric-type type-value] [match {internal | external For the
RIPv2 routing protocol, use the redistributebgp as-number
command.
1 | external 2}] [tag tag-value] [route-map
map-tag][subnets]
Example:
Device(config-router-af)# redistribute bgp 200
Exits address family configuration mode.exit-address-family
Example:
Device(config-router-af)# exit-address-family
Step 8
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T14
MPLS Virtual Private NetworksConnecting the MPLS Virtual Private
Network Customers
-
PurposeCommand or Action
(Optional) Exits to privileged EXEC mode.end
Example:
Device(config-router)# end
Step 9
Configuring Static Routes Between the PE and CE Devices
SUMMARY STEPS
1. enable2. configure terminal3. ip route vrf vrf-name4.
address-family ipv4 [multicast | unicast | vrf vrf-name]5.
redistribute protocol [process-id] {level-1 | level-1-2 | level-2}
[as-number] [metric metric-value]
[metric-type type-value] [match {internal | external 1 |
external 2}] [tag tag-value] [route-mapmap-tag][subnets]
6. redistribute protocol [process-id] {level-1 | level-1-2 |
level-2} [as-number] [metric metric-value][metric-type type-value]
[match {internal | external 1 | external 2}] [tag tag-value]
[route-mapmap-tag][subnets]
7. exit-address-family8. end
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode.enableStep 1
Example:
Device> enable
Enter your password if prompted.
Enters global configuration mode.configure terminal
Example:
Device# configure terminal
Step 2
Defines static route parameters for every
provideredge-to-customer edge (PE-to-CE) session and enters
routerconfiguration mode.
ip route vrf vrf-name
Example:
Device(config)# ip route vrf 200
Step 3
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 15
MPLS Virtual Private NetworksConnecting the MPLS Virtual Private
Network Customers
-
PurposeCommand or Action
Specifies the IPv4 address family type and enters address
familyconfiguration mode.
address-family ipv4 [multicast | unicast | vrfvrf-name]
Step 4
Example:
Device(config-router)# address-family ipv4 vrfvpn1
Themulticast keyword specifies IPv4 multicast
addressprefixes.
The unicast keyword specifies IPv4 unicast addressprefixes.
The vrf vrf-name keyword and argument specify the nameof the VRF
to associate with subsequent IPv4 addressfamily configuration mode
commands.
Redistributes routes from one routing domain into anotherrouting
domain.
redistribute protocol [process-id] {level-1 | level-1-2|
level-2} [as-number] [metric metric-value]
Step 5
[metric-type type-value] [match {internal | external To
redistribute virtual routing and forwarding (VRF) staticroutes into
the VRFBorder Gateway Protocol (BGP) table,use the redistribute
static command.
1 | external 2}] [tag tag-value] [route-map
map-tag][subnets]
Example:
Device(config-router-af)# redistribute static
See the command reference page for information about
otherarguments and keywords.
Redistributes routes from one routing domain into anotherrouting
domain.
redistribute protocol [process-id] {level-1 | level-1-2|
level-2} [as-number] [metric metric-value]
Step 6
[metric-type type-value] [match {internal | external To
redistribute directly connected networks into the VRFBGP table, use
the redistribute connected command.
1 | external 2}] [tag tag-value] [route-map
map-tag][subnets]
Example:
Device(config-router-af)# redistributeconnected
Exits address family configuration mode.exit-address-family
Example:
Device(config-router-af)# exit-address-family
Step 7
(Optional) Exits to privileged EXEC mode.end
Example:
Device(config-router)# end
Step 8
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T16
MPLS Virtual Private NetworksConnecting the MPLS Virtual Private
Network Customers
-
Verifying the Virtual Private Network ConfigurationA route
distinguisher must be configured for the virtual routing and
forwarding (VRF) instance, andMultiprotocol Label Switching (MPLS)
must be configured on the interfaces that carry the VRF. Use
theshow ip vrf command to verify the route distinguisher (RD) and
interface that are configured for the VRF.
SUMMARY STEPS
1. show ip vrf
DETAILED STEPS
show ip vrfDisplays the set of defined VRF instances and
associated interfaces. The output also maps the VRF instances to
theconfigured route distinguisher.
Verifying Connectivity Between MPLS Virtual Private Network
SitesTo verify that the local and remote customer edge (CE) devices
can communicate across the MultiprotocolLabel Switching (MPLS)
core, perform the following tasks:
Verifying IP Connectivity from CE Device to CE Device Across the
MPLS Core
SUMMARY STEPS
1. enable2. ping [protocol] {host-name | system-address}3. trace
[protocol] [destination]4. show ip route [ip-address [mask]
[longer-prefixes]] | protocol [process-id]] | [list
[access-list-name |
access-list-number]
DETAILED STEPS
Step 1 enableEnables privileged EXEC mode.
Step 2 ping [protocol] {host-name | system-address}Diagnoses
basic network connectivity on AppleTalk, Connectionless-mode
Network Service (CLNS), IP, Novell, Apollo,Virtual
IntegratedNetwork Service (VINES), DECnet, or XeroxNetwork Service
(XNS) networks. Use the ping commandto verify the connectivity from
one CE device to another.
Step 3 trace [protocol] [destination]
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 17
MPLS Virtual Private NetworksVerifying the Virtual Private
Network Configuration
-
Discovers the routes that packets take when traveling to their
destination. The trace command can help isolate a troublespot if
two devices cannot communicate.
Step 4 show ip route [ip-address [mask] [longer-prefixes]] |
protocol [process-id]] | [list [access-list-name |
access-list-number]Displays the current state of the routing table.
Use the ip-address argument to verify that CE1 has a route to CE2.
Verifythe routes learned by CE1. Make sure that the route for CE2
is listed.
Verifying That the Local and Remote CE Devices Are in the PE
Routing Table
SUMMARY STEPS
1. enable2. show ip route vrf vrf-name [prefix]3. show ip cef
vrf vrf-name [ip-prefix]
DETAILED STEPS
Step 1 enableEnables privileged EXEC mode.
Step 2 show ip route vrf vrf-name [prefix]Displays the IP
routing table associated with a virtual routing and forwarding
(VRF) instance. Check that the loopbackaddresses of the local and
remote customer edge (CE) devices are in the routing table of the
provider edge (PE) devices.
Step 3 show ip cef vrf vrf-name [ip-prefix]Displays the Cisco
Express Forwarding forwarding table associated with a VRF. Check
that the prefix of the remote CEdevice is in the Cisco Express
Forwarding table.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T18
MPLS Virtual Private NetworksVerifying Connectivity Between MPLS
Virtual Private Network Sites
-
Configuration Examples for MPLS Virtual Private Networks
Example: Configuring an MPLS Virtual Private Network Using RIPCE
ConfigurationPE Configuration
ip cefmpls ldp router-id Loopback0 forcempls label protocol
ldp!interface Loopback0ip address 10.0.0.9
255.255.255.255!interface FastEthernet0/0/0ip address 192.0.2.1
255.255.255.0no cdp enablerouter ripversion 2timers basic 30 60 60
120redistribute connectednetwork 10.0.0.0network 192.0.2.0no
auto-summary
ip vrf vpn1rd 100:1route-target export 100:1route-target import
100:1!ip cefmpls ldp router-id Loopback0 forcempls label protocol
ldp!interface Loopback0ip address 10.0.0.1
255.255.255.255!interface FastEthernet0/0/0ip vrf forwarding vpn1ip
address 192.0.2.3 255.255.255.0no cdp enableinterface
FastEthernet1/1/0ip address 192.0.2.2 255.255.255.0mpls label
protocol ldpmpls ip!router ripversion 2timers basic 30 60 60
120!address-family ipv4 vrf vpn1version 2redistribute bgp 100
metric transparentnetwork 192.0.2.0distribute-list 20 inno
auto-summaryexit-address-family!router bgp 100no synchronizationbgp
log-neighbor changesneighbor 10.0.0.3 remote-as 100neighbor
10.0.0.3 update-source Loopback0no auto-summary!address-family
vpnv4neighbor 10.0.0.3 activateneighbor 10.0.0.3 send-community
extendedbgp scan-time import 5exit-address-family!address-family
ipv4 vrf vpn1redistribute connectedredistribute ripno
auto-summaryno synchronizationexit-address-family
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 19
MPLS Virtual Private NetworksConfiguration Examples for MPLS
Virtual Private Networks
-
Example: Configuring an MPLS Virtual Private Network Using
Static RoutesCE ConfigurationPE Configuration
ip cef!interface Loopback0ip address 10.0.0.9
255.255.255.255!interface FastEthernet0/0/0ip address 192.0.2.2
255.255.0.0no cdp enable!ip route 10.0.0.9 255.255.255.255
192.0.2.33ip route 198.51.100.0 255.255.255.0 192.0.2.33
ip vrf vpn1rd 100:1route-target export 100:1route-target import
100:1!ip cefmpls ldp router-id Loopback0 forcempls label protocol
ldp!interface Loopback0ip address 10.0.0.1
255.255.255.255!interface FastEthernet0/0/0ip vrf forwarding vpn1ip
address 192.0.2.3 255.255.255.0no cdp enable!interface
FastEthernet1/1/0ip address 192.168.0.1 255.255.0.0mpls label
protocol ldpmpls ip!router ospf 100network 10.0.0. 0.0.0.0 area
100network 192.168.0.0 255.255.0.0 area 100!router bgp 100no
synchronizationbgp log-neighbor changesneighbor 10.0.0.3 remote-as
100neighbor 10.0.0.3 update-source Loopback0no
auto-summary!address-family vpnv4neighbor 10.0.0.3 activateneighbor
10.0.0.3 send-community extendedbgp scan-time import
5exit-address-family!address-family ipv4 vrf vpn1redistribute
connectedredistribute staticno auto-summaryno
synchronizationexit-address-family!ip route vrf vpn1 10.0.0.9
255.255.255.255192.0.2.2ip route vrf vpn1 192.0.2.0
255.255.0.0192.0.2.2
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T20
MPLS Virtual Private NetworksExample: Configuring an MPLS
Virtual Private Network Using Static Routes
-
Additional ReferencesRelated Documents
Document TitleRelated Topic
Cisco IOS Master Command List, All ReleasesCisco IOS
commands
Cisco IOSMultiprotocol Label Switching CommandReference
Description of commands associated withMPLS andMPLS
applications
Configuring Basic Cisco Express Forwardingmodule in the Cisco
Express ForwardingConfiguration Guide
Configuring Cisco Express Forwarding
Load Sharing MPLS VPN Traffic module in theMPLS Layer 3 VPNs
Inter-AS and CSCConfigurationGuide
Border Gateway Protocol (BGP) load sharing
MPLS Label Distribution Protocol (LDP) modulein theMPLS Label
Distribution ProtocolConfiguration Guide
Configuring LDP
"MPLS Traffic Engineering and Enhancementsmodule in theMPLS
Traffic Engineering PathCalculation and Setup Configuration
Guide
Configuring MPLS Traffic Engineering ResourceReservation
Protocol (RSVP)
IPv6 VPN over MPLS module in theMPLS Layer3 VPNs Configuration
Guide
IPv6 VPN over MPLS
Technical Assistance
LinkDescription
http://www.cisco.com/cisco/web/support/index.htmlThe Cisco
Support and Documentation websiteprovides online resources to
download documentation,software, and tools. Use these resources to
install andconfigure the software and to troubleshoot and
resolvetechnical issues with Cisco products and technologies.Access
to most tools on the Cisco Support andDocumentation website
requires a Cisco.com user IDand password.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 21
MPLS Virtual Private NetworksAdditional References
-
Feature Information for MPLS Virtual Private NetworksThe
following table provides release information about the feature or
features described in this module. Thistable lists only the
software release that introduced support for a given feature in a
given software releasetrain. Unless noted otherwise, subsequent
releases of that software release train also support that
feature.
Use Cisco Feature Navigator to find information about platform
support and Cisco software image support.To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is
not required.
Table 1: Feature Information for MPLS Virtual Private
Networks
Feature InformationReleasesFeature Name
The MPLS Virtual PrivateNetworks feature allows a set ofsites
that to be interconnected bymeans of a Multiprotocol LabelSwitching
(MPLS) provider corenetwork. At each customer site, oneor more
customer edge (CE)devices attach to one or moreprovider edge (PE)
devices.
12.0(5)T
12.1(5)T
12.2(8)T
12.3(2)T
MPLS Virtual Private Networks
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T22
MPLS Virtual Private NetworksFeature Information for MPLS
Virtual Private Networks
-
C H A P T E R 2Multiprotocol BGP MPLS VPN
A Multiprotocol Label Switching (MPLS) virtual private network
(VPN) consists of a set of sites that areinterconnected by means of
an MPLS provider core network. At each site, there are one or more
customeredge (CE) devices, which attach to one or more provider
edge (PE) devices. PEs use theMultiprotocol-BorderGateway Protocol
(MP-BGP) to dynamically communicate with each other.
Finding Feature Information, page 23
Prerequisites for Multiprotocol BGP MPLS VPN, page 23
Information About Multiprotocol BGP MPLS VPN, page 24
How to Configure Multiprotocol BGP MPLS VPN, page 27
Configuration Examples for Multiprotocol BGP MPLS VPN, page
34
Additional References, page 35
Feature Information for Multiprotocol BGP MPLS VPN, page 35
Finding Feature InformationYour software release may not support
all the features documented in this module. For the latest caveats
andfeature information, see Bug Search Tool and the release notes
for your platform and software release. Tofind information about
the features documented in this module, and to see a list of the
releases in which eachfeature is supported, see the feature
information table at the end of this module.
Use Cisco Feature Navigator to find information about platform
support and Cisco software image support.To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is
not required.
Prerequisites for Multiprotocol BGP MPLS VPNConfigure MPLS
virtual private networks (VPNs) in the core.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 23
-
Information About Multiprotocol BGP MPLS VPN
MPLS Virtual Private Network DefinitionBefore defining a
Multiprotocol Label Switching virtual private network (MPLS VPN),
you must define aVPN in general. A VPN is:
An IP-based network delivering private network services over a
public infrastructure
A set of sites that are allowed to communicate with each other
privately over the Internet or other publicor private networks
Conventional VPNs are created by configuring a full mesh of
tunnels or permanent virtual circuits (PVCs) toall sites in a VPN.
This type of VPN is not easy to maintain or expand, because adding
a new site requireschanging each edge device in the VPN.
MPLS-based VPNs are created in Layer 3 and are based on the peer
model. The peer model enables the serviceprovider and the customer
to exchange Layer 3 routing information. The service provider
relays the databetween the customer sites without the customers
involvement.
MPLSVPNs are easier to manage and expand than conventional
VPNs.When a new site is added to anMPLSVPN, only the service
providers edge device that provides services to the customer site
needs to be updated.
The different parts of the MPLS VPN are described as
follows:
Provider (P) deviceDevice in the core of the provider network. P
devices run MPLS switching, anddo not attach VPN labels to routed
packets. The MPLS label in each route is assigned by the
provideredge (PE) device. VPN labels are used to direct data
packets to the correct egress device.
PE deviceDevice that attaches the VPN label to incoming packets
based on the interface or subinterfaceon which they are received. A
PE device attaches directly to a customer edge (CE) device.
Customer (C) deviceDevice in the ISP or enterprise network.
CE deviceEdge device on the network of the ISP that connects to
the PE device on the network. ACE device must interface with a PE
device.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T24
Multiprotocol BGP MPLS VPNInformation About Multiprotocol BGP
MPLS VPN
-
The figure below shows a basic MPLS VPN.
Figure 2: Basic MPLS VPN Terminology
How an MPLS Virtual Private Network WorksMultiprotocol Label
Switching virtual private network (MPLS VPN) functionality is
enabled at the edge ofan MPLS network. The provider edge (PE)
device performs the following:
Exchanges routing updates with the customer edge (CE)
device.
Translates the CE routing information into VPNv4 routes.
Exchanges VPNv4 routes with other PE devices through the
Multiprotocol Border Gateway Protocol(MP-BGP).
The following sections describe how MPLS VPN works:
How Virtual Routing and Forwarding Tables Work in an MPLS
Virtual Private NetworkEach virtual private network (VPN) is
associated with one or more virtual routing and forwarding
(VRF)instances. A VRF defines the VPN membership of a customer site
attached to a PE device. A VRF consistsof the following
components:
An IP routing table
A derived Cisco Express Forwarding table
A set of interfaces that use the forwarding table
A set of rules and routing protocol parameters that control the
information that is included in the routingtable
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 25
Multiprotocol BGP MPLS VPNHow an MPLS Virtual Private Network
Works
-
A one-to-one relationship does not necessarily exist between
customer sites and VPNs. A site can be a memberof multiple VPNs.
However, a site can associate with only one VRF. A sites VRF
contains all the routesavailable to the site from the VPNs of which
it is a member.
Packet forwarding information is stored in the IP routing table
and the Cisco Express Forwarding table foreach VRF. A separate set
of routing and Cisco Express Forwarding tables is maintained for
each VRF. Thesetables prevent information from being forwarded
outside a VPN, and they also prevent packets that are outsidea VPN
from being forwarded to a device within the VPN.
How VPN Routing Information Is Distributed in an MPLS Virtual
Private NetworkThe distribution of virtual private network (VPN)
routing information is controlled through the use of VPNroute
target communities, implemented by Border Gateway Protocol (BGP)
extended communities. VPNrouting information is distributed as
follows:
When a VPN route that is learned from a customer edge (CE)
device is injected into BGP, a list of VPNroute target extended
community attributes is associated with it. Typically the list of
route targetcommunity extended values is set from an export list of
route targets associated with the virtual routingand forwarding
(VRF) instance from which the route was learned.
An import list of route target extended communities is
associated with each VRF. The import list definesroute target
extended community attributes that a route must have in order for
the route to be importedinto the VRF. For example, if the import
list for a particular VRF includes route target extendedcommunities
A, B, and C, then any VPN route that carries any of those route
target extendedcommunitiesA, B, or Cis imported into the VRF.
BGP Distribution of VPN Routing InformationA provider edge (PE)
device can learn an IP prefix from the following sources:
A customer edge (CE) device by static configuration
A Border Gateway Protocol (BGP) session with the CE device
A Routing Information Protocol (RIP) exchange with the CE
device
The IP prefix is a member of the IPv4 address family. After the
PE device learns the IP prefix, the PE convertsit into a VPN-IPv4
prefix by combining it with an 8-byte route distinguisher (RD). The
generated prefix is amember of the VPN-IPv4 address family. It
uniquely identifies the customer address, even if the customersite
is using globally nonunique (unregistered private) IP addresses.
The route distinguisher used to generatethe VPN-IPv4 prefix is
specified by a configuration command associatedwith the virtual
routing and forwarding(VRF) instance on the PE device.
BGP distributes reachability information for VPN-IPv4 prefixes
for each VPN. BGP communication occursat two levels:
Within an IP domains, known as an autonomous system (interior
BGP [IBGP])
Between autonomous systems (external BGP [EBGP])
PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and
PE-CE sessions are EBGP sessions. In anEnhanced Interior Gateway
Routing Protocol (EIGRP) PE-CE environment, when an EIGRP internal
routeis redistributed into BGP by one PE, and then back into EIGRP
by another PE, the originating router ID forthe route is set to the
router ID of the second PE, replacing the original internal router
ID.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T26
Multiprotocol BGP MPLS VPNHow an MPLS Virtual Private Network
Works
-
BGP propagates reachability information for VPN-IPv4 prefixes
among PE devices by means of the BGPmultiprotocol extensions (refer
to RFC 2283,Multiprotocol Extensions for BGP-4), which define
support foraddress families other than IPv4. Using the extensions
ensures that the routes for a given VPN are learnedonly by other
members of that VPN, enabling members of the VPN to communicate
with each other.
Major Components of an MPLS Virtual Private
NetworkAnMultiprotocol Label Switching (MPLS)-based virtual private
network (VPN) has three major components:
VPN route target communitiesA VPN route target community is a
list of all members of a VPNcommunity. VPN route targets need to be
configured for each VPN community member.
Multiprotocol BGP (MP-BGP) peering of VPN community provider
edge (PE) devicesMP-BGPpropagates virtual routing and forwarding
(VRF) reachability information to all members of a VPNcommunity.
MP-BGP peering must be configured on all PE devices within a VPN
community.
MPLS forwardingMPLS transports all traffic between all VPN
community members across a VPNservice-provider network.
A one-to-one relationship does not necessarily exist between
customer sites and VPNs. A given site can be amember of multiple
VPNs. However, a site can associate with only one VRF. A
customer-site VRF containsall the routes available to the site from
the VPNs of which it is a member.
How to Configure Multiprotocol BGP MPLS VPN
Configuring Multiprotocol BGP Connectivity on the PE Devices and
RouteReflectors
SUMMARY STEPS
1. enable2. configure terminal3. router bgp as-number4. no bgp
default ipv4-unicast5. neighbor {ip-address | peer-group-name}
remote-as as-number6. neighbor {ip-address | peer-group-name}
activate7. address-family vpnv4 [unicast]8. neighbor {ip-address |
peer-group-name} send-community extended9. neighbor {ip-address |
peer-group-name} activate10. end
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 27
Multiprotocol BGP MPLS VPNMajor Components of an MPLS Virtual
Private Network
-
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode.enableStep 1
Example:
Device> enable
Enter your password if prompted.
Enters global configuration mode.configure terminal
Example:
Device# configure terminal
Step 2
Configures a Border Gateway Protocol (BGP) routing process and
entersrouter configuration mode.
router bgp as-number
Example:
Device(config)# router bgp 100
Step 3
The as-number argument indicates the number of an
autonomoussystem that identifies the device to other BGP devices
and tagsthe routing information passed along. The range is 0 to
65535.Private autonomous system numbers that can be used in
internalnetworks are 64512 to 65535.
(Optional) Disables the IPv4 unicast address family on all
neighbors.no bgp default ipv4-unicastStep 4
Example:
Device(config-router)# no bgp defaultipv4-unicast
Use the no bgp default ipv4-unicast command if you are usingthis
neighbor for Multiprotocol Label Switching (MPLS) routesonly.
Adds an entry to the BGP or multiprotocol BGP neighbor
table.neighbor {ip-address | peer-group-name}remote-as
as-number
Step 5
The ip-address argument specifies the IP address of the
neighbor.
Example:
Device(config-router)# neighbor 10.0.0.1remote-as 100
The peer-group-name argument specifies the name of a BGP
peergroup.
The as-number argument specifies the autonomous system towhich
the neighbor belongs.
Enables the exchange of information with a neighboring BGP
device.neighbor {ip-address | peer-group-name}activate
Step 6
The ip-address argument specifies the IP address of the
neighbor.
Example:
Device(config-router)# neighbor 10.0.0.1activate
The peer-group-name argument specifies the name of a BGP
peergroup.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T28
Multiprotocol BGP MPLS VPNConfiguring Multiprotocol BGP
Connectivity on the PE Devices and Route Reflectors
-
PurposeCommand or Action
Enters address family configuration mode for configuring
routingsessions, such as BGP, that use standard VPNv4 address
prefixes.
address-family vpnv4 [unicast]
Example:
Device(config-router)# address-familyvpnv4
Step 7
The optional unicast keyword specifies VPNv4 unicast
addressprefixes.
Specifies that a communities attribute should be sent to a BGP
neighbor.neighbor {ip-address | peer-group-name}send-community
extended
Step 8
The ip-address argument specifies the IP address of
theBGP-speaking neighbor.
Example:
Device(config-router-af)# neighbor10.0.0.1 send-community
extended
The peer-group-name argument specifies the name of a BGP
peergroup.
Enables the exchange of information with a neighboring BGP
device.neighbor {ip-address | peer-group-name}activate
Step 9
The ip-address argument specifies the IP address of the
neighbor.
Example:
Device(config-router-af)# neighbor10.0.0.1 activate
The peer-group-name argument specifies the name of a BGP
peergroup.
(Optional) Exits to privileged EXEC mode.end
Example:
Device(config-router-af)# end
Step 10
Troubleshooting TipsYou can enter a show ip bgp neighbor command
to verify that the neighbors are up and running. If thiscommand is
not successful, enter a debug ip bgp ip-address events command,
where ip-address is the IPaddress of the neighbor.
MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release
15M&T 29
Multiprotocol BGP MPLS VPNConfiguring Multiprotocol BGP
Connectivity on the PE Devices and Route Reflectors
-
Configuring BGP as the Routing Protocol Between the PE and CE
Devices
SUMMARY STEPS
1. enable2. configure terminal3. router bgp as-number4.
address-family ipv4 [multicast | unicast | vrf vrf-name]5. neighbor
{ip-address | peer-group-name} remote-as as-number6. neighbor
{ip-address | peer-group-name} activate7. exit-address-family8.
end
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode.enableStep 1
Example:
Device> e