MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

First Published: November 05, 2012
Last Modified: March 29, 2013

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
CHAPTER 1
MPLS Virtual Private Networks

An MPLS Virtual Private Network (VPN) consists of a set of sites that are interconnected by means of a Multiprotocol Label Switching (MPLS) provider core network. At each customer site, one or more customer edge (CE) devices attach to one or more provider edge (PE) devices. This module explains how to create an MPLS VPN.

• Finding Feature Information
• Prerequisites for MPLS Virtual Private Networks
• Restrictions for MPLS Virtual Private Networks
• Information About MPLS Virtual Private Networks
• How to Configure MPLS Virtual Private Networks
• Configuration Examples for MPLS Virtual Private Networks
• Additional References
• Feature Information for MPLS Virtual Private Networks

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool (https://tools.cisco.com/bugsearch/search) and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for MPLS Virtual Private Networks

• Make sure that you have installed Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP), and Cisco Express Forwarding in your network.
• All devices in the core, including the provider edge (PE) devices, must be able to support Cisco Express Forwarding and MPLS forwarding. See the “Assessing the Needs of the MPLS Virtual Private Network Customers” section.
• Cisco Express Forwarding must be enabled on all devices in the core, including the PE devices. For information about how to determine if Cisco Express Forwarding is enabled, see the “Configuring Basic Cisco Express Forwarding” module in the Cisco Express Forwarding Configuration Guide.

Restrictions for MPLS Virtual Private Networks

When static routes are configured in a Multiprotocol Label Switching (MPLS) or MPLS virtual private network (VPN) environment, some variations of the ip route and ip route vrf commands are not supported. These variations of the commands are not supported in software releases that support the Tag Forwarding Information Base (TFIB). The TFIB cannot resolve prefixes when the recursive route over which the prefixes travel disappears and then reappears. However, the command variations are supported in releases that support the MPLS Forwarding Infrastructure (MFI). For details about the supported releases, see the Multiprotocol Label Switching Command Reference. Use the following guidelines when configuring static routes.

Supported Static Routes in an MPLS Environment

The following ip route command is supported when you configure static routes in an MPLS environment:

• ip route destination-prefix mask interface next-hop-address

The following ip route commands are supported when you configure static routes in an MPLS environment and configure load sharing with static nonrecursive routes and a specific outbound interface:

• ip route destination-prefix mask interface1 next-hop1
• ip route destination-prefix mask interface2 next-hop2

Unsupported Static Routes in an MPLS Environment That Uses the TFIB

The following ip route command is not supported when you configure static routes in an MPLS environment:

• ip route destination-prefix mask next-hop-address

The following ip route command is not supported when you configure static routes in an MPLS environment and enable load sharing where the next hop can be reached through two paths:

• ip route destination-prefix mask next-hop-address

The following ip route commands are not supported when you configure static routes in an MPLS environment and enable load sharing where the destination can be reached through two next hops:

• ip route destination-prefix mask next-hop1
• ip route destination-prefix mask next-hop2

Use the interface and next-hop arguments when specifying static routes.
Supported Static Routes in an MPLS VPN Environment
The following ip route vrf commands are supported when you
configure static routes in an MPLS VPN environment, and the next hop
and interface are in the same VRF:
• ip route vrf vrf-name destination-prefix mask next-hop-address
• ip route vrf vrf-name destination-prefix mask interface next-hop-address
• ip route vrf vrf-name destination-prefix mask interface1 next-hop1
• ip route vrf vrf-name destination-prefix mask interface2 next-hop2
The following ip route vrf commands are supported when you
configure static routes in an MPLS VPN environment, and the next hop
is in the global table in the MPLS cloud in the global routing
table. For example, these commands are supported when the next hop
is pointing to the Internet gateway.
• ip route vrf vrf-name destination-prefix mask next-hop-address global
• ip route vrf vrf-name destination-prefix mask interface
next-hop-address (This command is supported when the next hop and
interface are in the core.)
The following ip route commands are supported when you configure
static routes in an MPLS VPN environment and enable load sharing
with static nonrecursive routes and a specific outbound
interface:
• ip route destination-prefix mask interface1 next-hop1
• ip route destination-prefix mask interface2 next-hop2
Unsupported Static Routes in an MPLS VPN Environment That Uses
the TFIB
The following ip route command is not supported when you
configure static routes in an MPLS VPN environment, the next hop is
in the global table in the MPLS cloud within the core, and you
enable load sharing where the next hop can be reached through two
paths:
• ip route vrf destination-prefix mask next-hop-address global
The following ip route commands are not supported when you
configure static routes in an MPLS VPN environment, the next hop is
in the global table in the MPLS cloud within the core, and you
enable load sharing where the destination can be reached through two
next hops:
• ip route vrf destination-prefix mask next-hop1 global
• ip route vrf destination-prefix mask next-hop2 global
The following ip route vrf commands are not supported when you
configure static routes in an MPLS VPN environment, and the next hop
and interface are in the same VRF:
• ip route vrf vrf-name destination-prefix mask next-hop1
• ip route vrf vrf-name destination-prefix mask next-hop2
Supported Static Routes in an MPLS VPN Environment Where the
Next Hop Resides in the Global Table on the CE Device
The following ip route vrf command is supported when you
configure static routes in an MPLS VPN environment, and the next hop
is in the global table on the customer edge (CE) side. For example,
the following
command is supported when the destination prefix is the CE
device’s loopback address, as in external Border Gateway Protocol
(EBGP) multihop cases.
• ip route vrf vrf-name destination-prefix mask interface
next-hop-address
The following ip route commands are supported when you configure
static routes in an MPLS VPN environment, the next hop is in the
global table on the CE side, and you enable load sharing with
static nonrecursive routes and a specific outbound interface:
• ip route destination-prefix mask interface1 nexthop1
• ip route destination-prefix mask interface2 nexthop2
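The static-route rules above can be checked mechanically before a change is pushed to a TFIB-based release. The following lint is an added example, not part of the original guide; the function names and the sample lines are constructed, and it assumes that a non-address token after the mask is the outbound interface. It covers only the cases visible in the configuration text (a missing interface outside a VRF, and several next hops for one VRF prefix without an interface), not whether a next hop is reachable through two paths.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines, not taken from a real device.
SAMPLE_CONFIG = """\
ip route 10.20.0.0 255.255.0.0 FastEthernet0/0/0 192.0.2.1
ip route 10.30.0.0 255.255.0.0 192.0.2.1
ip route vrf vpn1 10.40.0.0 255.255.0.0 192.0.2.5
ip route vrf vpn1 10.50.0.0 255.255.0.0 192.0.2.5
ip route vrf vpn1 10.50.0.0 255.255.0.0 192.0.2.6
ip route vrf vpn2 10.60.0.0 255.255.0.0 FastEthernet1/0/0 192.0.2.9
ip route vrf vpn2 10.60.0.0 255.255.0.0 FastEthernet1/1/0 192.0.2.13
ip route vrf vpn2 0.0.0.0 0.0.0.0 198.51.100.1 global
"""


def is_ipv4(token):
    """Return True when the token is a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_static_route(line):
    """Split one 'ip route' line into fields; return None for other lines."""
    tokens = line.split()
    if tokens[:2] != ["ip", "route"]:
        return None
    tokens = tokens[2:]
    vrf = None
    if len(tokens) >= 2 and tokens[0] == "vrf":
        vrf, tokens = tokens[1], tokens[2:]
    if len(tokens) < 3 or not (is_ipv4(tokens[0]) and is_ipv4(tokens[1])):
        return None
    prefix, mask, rest = tokens[0], tokens[1], tokens[2:]
    interface = None
    # Assumption: a token here that is not an IPv4 address names the
    # outbound interface.
    if not is_ipv4(rest[0]):
        interface, rest = rest[0], rest[1:]
    next_hop = rest[0] if rest and is_ipv4(rest[0]) else None
    return {"vrf": vrf, "prefix": prefix, "mask": mask,
            "interface": interface, "next_hop": next_hop,
            "global": "global" in rest}


def lint_static_routes(config_text):
    """Return (line number, reason) for routes the guide lists as unsupported."""
    routes = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        route = parse_static_route(line.strip())
        if route is not None:
            route["lineno"] = lineno
            routes.append(route)

    # Routes to the same destination in the same table form a load-sharing set.
    groups = defaultdict(list)
    for route in routes:
        groups[(route["vrf"], route["prefix"], route["mask"])].append(route)

    findings = []
    for route in routes:
        if route["interface"] is not None:
            continue  # interface plus next hop is the supported form
        key = (route["vrf"], route["prefix"], route["mask"])
        if route["vrf"] is None:
            findings.append((route["lineno"],
                             "no outbound interface on a non-VRF static route"))
        elif len(groups[key]) > 1:
            findings.append((route["lineno"],
                             "load sharing over several next hops without an interface"))
    return findings


if __name__ == "__main__":
    for lineno, reason in lint_static_routes(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}")
```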
Information About MPLS Virtual Private Networks
MPLS Virtual Private Network Definition
Before defining a Multiprotocol Label Switching virtual private
network (MPLS VPN), you must define a VPN in general. A VPN is:
• An IP-based network delivering private network services over a
public infrastructure
• A set of sites that are allowed to communicate with each other
privately over the Internet or other public or private networks
Conventional VPNs are created by configuring a full mesh of
tunnels or permanent virtual circuits (PVCs) to all sites in a VPN.
This type of VPN is not easy to maintain or expand, because adding
a new site requires changing each edge device in the VPN.
MPLS-based VPNs are created in Layer 3 and are based on the peer
model. The peer model enables the service provider and the customer
to exchange Layer 3 routing information. The service provider
relays the data between the customer sites without the customer’s
involvement.
MPLS VPNs are easier to manage and expand than conventional VPNs.
When a new site is added to an MPLS VPN, only the service provider’s
edge device that provides services to the customer site needs to be
updated.
The different parts of the MPLS VPN are described as follows:
• Provider (P) device—Device in the core of the provider
network. P devices run MPLS switching, and do not attach VPN labels
to routed packets. The MPLS label in each route is assigned by the
provider edge (PE) device. VPN labels are used to direct data
packets to the correct egress device.
• PE device—Device that attaches the VPN label to incoming
packets based on the interface or subinterface on which they are
received. A PE device attaches directly to a customer edge (CE)
device.
• Customer (C) device—Device in the ISP or enterprise
network.
• CE device—Edge device on the network of the ISP that connects
to the PE device on the network. A CE device must interface with a
PE device.
The figure below shows a basic MPLS VPN.
Figure 1: Basic MPLS VPN Terminology
How an MPLS Virtual Private Network Works
Multiprotocol Label Switching virtual private network (MPLS VPN)
functionality is enabled at the edge of an MPLS network. The
provider edge (PE) device performs the following:
• Exchanges routing updates with the customer edge (CE)
device.
• Translates the CE routing information into VPNv4 routes.
• Exchanges VPNv4 routes with other PE devices through the
Multiprotocol Border Gateway Protocol (MP-BGP).
The following sections describe how MPLS VPN works:
How Virtual Routing and Forwarding Tables Work in an MPLS
Virtual Private Network
Each virtual private network (VPN) is associated with one or more
virtual routing and forwarding (VRF) instances. A VRF defines the
VPN membership of a customer site attached to a PE device. A VRF
consists of the following components:
• An IP routing table
• A derived Cisco Express Forwarding table
• A set of interfaces that use the forwarding table
• A set of rules and routing protocol parameters that control
the information that is included in the routing table
A one-to-one relationship does not necessarily exist between
customer sites and VPNs. A site can be a member of multiple VPNs.
However, a site can associate with only one VRF. A site’s VRF
contains all the routes available to the site from the VPNs of which
it is a member.
Packet forwarding information is stored in the IP routing table
and the Cisco Express Forwarding table for each VRF. A separate set
of routing and Cisco Express Forwarding tables is maintained for
each VRF. These tables prevent information from being forwarded
outside a VPN, and they also prevent packets that are outside a VPN
from being forwarded to a device within the VPN.
How VPN Routing Information Is Distributed in an MPLS Virtual
Private Network
The distribution of virtual private network (VPN) routing
information is controlled through the use of VPN route target
communities, implemented by Border Gateway Protocol (BGP)
extended communities. VPN routing information is distributed as
follows:
• When a VPN route that is learned from a customer edge (CE)
device is injected into BGP, a list of VPN route target extended
community attributes is associated with it. Typically the list of
route target community extended values is set from an export list of
route targets associated with the virtual routing and forwarding
(VRF) instance from which the route was learned.
• An import list of route target extended communities is
associated with each VRF. The import list defines route target
extended community attributes that a route must have in order for
the route to be imported into the VRF. For example, if the import
list for a particular VRF includes route target extended communities
A, B, and C, then any VPN route that carries any of those route
target extended communities—A, B, or C—is imported into the VRF.
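Because a single matching route target is enough for import, one stray route-target import line can join two customers' routing tables. The audit below is an added example, not part of the original guide: it parses ip vrf stanzas in running-config layout (indented subcommands), derives which VRF imports routes from which, and compares the result with an intended policy. The VRF names, route target values and the allowed-flow set are constructed, and import maps, which can filter further, are not evaluated.

```python
import re

# Constructed PE configuration fragment; names and values are made up.
SAMPLE_CONFIG = """\
ip vrf cust-a
 rd 100:1
 route-target both 100:1
!
ip vrf cust-b
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
!
ip vrf shared-svc
 rd 100:99
 route-target export 100:99
 route-target import 100:1
 route-target import 100:2
!
interface FastEthernet0/0/0
 ip vrf forwarding cust-a
"""

# Intended policy (assumption for this example): each customer may only
# leak routes into the shared-services VRF.
ALLOWED_FLOWS = {("cust-a", "shared-svc"), ("cust-b", "shared-svc")}


def parse_vrfs(config_text):
    """Collect the RD and the import/export route target sets per VRF."""
    vrfs = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.match(r"ip vrf (\S+)$", line)
        if match:
            current = vrfs.setdefault(
                match.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        # A "!" separator or any unindented line ends the VRF stanza.
        if line == "!" or not raw[:1].isspace():
            current = None
            continue
        if current is None:
            continue
        match = re.match(r"rd (\S+)$", line)
        if match:
            current["rd"] = match.group(1)
            continue
        match = re.match(r"route-target (import|export|both) (\S+)$", line)
        if match:
            kind, value = match.groups()
            if kind in ("import", "both"):
                current["import"].add(value)
            if kind in ("export", "both"):
                current["export"].add(value)
    return vrfs


def import_matrix(vrfs):
    """Map (exporting VRF, importing VRF) to the route targets that match."""
    flows = {}
    for src, src_def in vrfs.items():
        for dst, dst_def in vrfs.items():
            shared = src_def["export"] & dst_def["import"]
            if src != dst and shared:
                flows[(src, dst)] = sorted(shared)
    return flows


def unexpected_flows(vrfs, allowed):
    """Return the route flows between VRFs that the policy does not list."""
    return {pair: rts for pair, rts in import_matrix(vrfs).items()
            if pair not in allowed}


if __name__ == "__main__":
    for (src, dst), rts in unexpected_flows(parse_vrfs(SAMPLE_CONFIG),
                                            ALLOWED_FLOWS).items():
        print(f"{dst} imports routes of {src} via {', '.join(rts)}")
```

To audit a whole VPN, merge the dictionaries returned by parse_vrfs for every PE device before calling import_matrix, since exports on one PE are imported on others.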
MPLS Forwarding
Based on routing information stored in the virtual routing and
forwarding (VRF) IP routing table and VRF Cisco Express Forwarding
table, packets are forwarded to their destination using
Multiprotocol Label Switching (MPLS).
A provider edge (PE) device binds a label to each customer
prefix learned from a customer edge (CE) device and includes the
label in the network reachability information for the prefix that
it advertises to other PE devices. When a PE device forwards a
packet received from a CE device across the provider network, it
labels the packet with the label learned from the destination PE
device. When the destination PE device receives the labeled packet,
it pops the label and uses it to direct the packet to the correct
CE device. Label forwarding across the provider backbone is based on
either dynamic label switching or traffic engineered paths. A
customer data packet carries two levels of labels when traversing
the backbone:
• The top label directs the packet to the correct PE device.
• The second label indicates how that PE device should forward
the packet to the CE device.
Major Components of an MPLS Virtual Private Network
A Multiprotocol Label Switching (MPLS)-based virtual private
network (VPN) has three major components:
• VPN route target communities—A VPN route target community is a
list of all members of a VPN community. VPN route targets need to be
configured for each VPN community member.
• Multiprotocol BGP (MP-BGP) peering of VPN community provider
edge (PE) devices—MP-BGP propagates virtual routing and forwarding
(VRF) reachability information to all members of a VPN community.
MP-BGP peering must be configured on all PE devices within a VPN
community.
• MPLS forwarding—MPLS transports all traffic between all VPN
community members across a VPN service-provider network.
A one-to-one relationship does not necessarily exist between
customer sites and VPNs. A given site can be a member of multiple
VPNs. However, a site can associate with only one VRF. A
customer-site VRF contains all the routes available to the site from
the VPNs of which it is a member.
Benefits of an MPLS Virtual Private Network
Multiprotocol Label Switching virtual private networks (MPLS VPNs)
allow service providers to deploy scalable VPNs and build the
foundation to deliver value-added services, such as the following:
Connectionless Service
A significant technical advantage of MPLS VPNs is that they are
connectionless. The Internet owes its success to its basic
technology, TCP/IP. TCP/IP is built on a packet-based,
connectionless network paradigm. This means that no prior action is
necessary to establish communication between hosts, making it easy
for two parties to communicate. To establish privacy in a
connectionless IP environment, current VPN solutions impose a
connection-oriented, point-to-point overlay on the network. Even if
it runs over a connectionless network, a VPN cannot take advantage
of the ease of connectivity and multiple services available
in connectionless networks. When you create a connectionless VPN,
you do not need tunnels and encryption for network privacy, thus
eliminating significant complexity.
Centralized Service
Building VPNs in Layer 3 allows delivery of targeted services to
a group of users represented by a VPN. A VPN must give service
providers more than a mechanism for privately connecting users to
intranet services. It must also provide a way to flexibly deliver
value-added services to targeted customers. Scalability is
critical, because customers want to use services privately in their
intranets and extranets. Because MPLS VPNs are seen as private
intranets, you may use new IP services such as:
• Multicast
• Quality of service (QoS)
• Telephony support within a VPN
• Centralized services including content and web hosting to a
VPN
You can customize several combinations of specialized services
for individual customers. For example, a service that combines IP
multicast with a low-latency service class enables video
conferencing within an intranet.
Scalability
If you create a VPN using connection-oriented, point-to-point
overlays, Frame Relay, or ATM virtual connections (VCs), the VPN’s
key deficiency is scalability. Specifically, connection-oriented
VPNs without fully meshed connections between customer sites are not
optimal. MPLS-based VPNs, instead, use the peer model and Layer 3
connectionless architecture to leverage a highly scalable VPN
solution. The peer model
requires a customer site to peer with only one provider edge
(PE) device as opposed to all other customer edge (CE) devices that
are members of the VPN. The connectionless architecture allows the
creation of VPNs in Layer 3, eliminating the need for tunnels or
VCs.
Other scalability issues of MPLS VPNs are due to the
partitioning of VPN routes between PE devices and the further
partitioning of VPN and Interior Gateway Protocol (IGP) routes
between PE devices and provider (P) devices in a core network.
• PE devices must maintain VPN routes for those VPNs who are
members.
• P devices do not maintain any VPN routes.
This increases the scalability of the provider’s core and
ensures that no one device is a scalability bottleneck.
Security
MPLS VPNs offer the same level of security as
connection-oriented VPNs. Packets from one VPN do not inadvertently
go to another VPN.
Security is provided in the following areas:
• At the edge of a provider network, ensuring packets received
from a customer are placed on the correct VPN.
• At the backbone, VPN traffic is kept separate. Malicious
spoofing (an attempt to gain access to a PE device) is nearly
impossible because the packets received from customers are IP
packets. These IP packets must be received on a particular interface
or subinterface to be uniquely identified with a VPN label.
Ease of Creation
To take full advantage of VPNs, customers must be able to easily
create new VPNs and user communities. Because MPLS VPNs are
connectionless, no specific point-to-point connection maps or
topologies are required. You can add sites to intranets and
extranets and form closed user groups. Managing VPNs in this
manner enables membership of any given site in multiple VPNs,
maximizing flexibility in building intranets and extranets.
Flexible Addressing
To make a VPN service more accessible, customers of a service
provider can design their own addressing plan, independent of
addressing plans for other service provider customers. Many
customers use private address spaces, as defined in RFC 1918, and do
not want to invest the time and expense of converting to public IP
addresses to enable intranet connectivity. MPLS VPNs allow
customers to continue to use their present address spaces without
network address translation (NAT) by providing a public and private
view of the address. A NAT is required only if two VPNs with
overlapping address spaces want to communicate. This enables
customers to use their own unregistered private addresses, and
communicate freely across a public IP network.
Integrated QoS Support
QoS is an important requirement for many IP VPN customers. It
provides the ability to address two fundamental VPN
requirements:
• Predictable performance and policy implementation
• Support for multiple levels of service in an MPLS VPN
Network traffic is classified and labeled at the edge of the
network before traffic is aggregated according to policies defined
by subscribers and implemented by the provider and transported
across the provider core. Traffic at the edge and core of the
network can then be differentiated into different classes by drop
probability or delay.
Straightforward Migration
For service providers to quickly deploy VPN services, use a
straightforward migration path. MPLS VPNs are unique because you can
build them over multiple network architectures, including IP, ATM,
Frame Relay, and hybrid networks.
Migration for the end customer is simplified because there is no
requirement to support MPLS on the CE device and no modifications
are required to a customer’s intranet.
How to Configure MPLS Virtual Private Networks
Configuring the Core Network
Assessing the Needs of MPLS Virtual Private Network Customers
Before you configure a Multiprotocol Label Switching virtual
private network (MPLS VPN), you need to identify the core network
topology so that it can best serve MPLS VPN customers. Perform this
task to identify the core network topology.
SUMMARY STEPS
1. Identify the size of the network.
2. Identify the routing protocols in the core.
3. Determine if you need MPLS VPN High Availability support.
4. Determine if you need Border Gateway Protocol (BGP) load sharing
and redundant paths in the MPLS VPN core.
DETAILED STEPS
Step 1 Identify the size of the network.
Identify the following to determine the number of devices and
ports that you need:
• How many customers do you need to support?
• How many VPNs are needed per customer?
• How many virtual routing and forwarding instances are there
for each VPN?
Step 2 Identify the routing protocols in the core.
Determine which routing protocols you need in the core network.
Step 3 Determine if you need MPLS VPN High Availability support.
MPLS VPN Nonstop Forwarding and Graceful Restart are supported on
select devices and Cisco software releases. Contact Cisco Support
for the exact requirements and hardware support.
Step 4 Determine if you need Border Gateway Protocol (BGP) load
sharing and redundant paths in the MPLS VPN core.
For configuration steps, see the “Load Sharing MPLS VPN Traffic”
feature module in the MPLS Layer 3 VPNs Inter-AS and CSC
Configuration Guide.
Configuring MPLS in the Core
To enable Multiprotocol Label Switching (MPLS) on all devices in
the core, you must configure either of the following as a label
distribution protocol:
• MPLS Label Distribution Protocol (LDP). For configuration
information, see the “MPLS Label Distribution Protocol (LDP)” module
in the MPLS Label Distribution Protocol Configuration Guide.
• MPLS Traffic Engineering Resource Reservation Protocol (RSVP).
For configuration information, see the “MPLS Traffic Engineering and
Enhancements” module in the MPLS Traffic Engineering Path Calculation
and Setup Configuration Guide.
Connecting the MPLS Virtual Private Network Customers
Defining VRFs on the PE Devices to Enable Customer Connectivity
Use this procedure to define a virtual routing and forwarding (VRF)
configuration for IPv4. To define a VRF for IPv4 and IPv6, see the
“Configuring a Virtual Routing and Forwarding Instance for IPv6"
section in the “IPv6 VPN over MPLS" module in the MPLS Layer 3 VPNs
Configuration Guide.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip vrf vrf-name
4. rd route-distinguisher
5. route-target {import | export | both} route-target-ext-community
6. import map route-map
7. exit
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip vrf vrf-name
Defines the virtual private network (VPN) routing instance by
assigning a virtual routing and forwarding (VRF) name and enters VRF
configuration mode.
• The vrf-name argument is the name assigned to a VRF.
Example:
Device(config)# ip vrf vpn1
Step 4 rd route-distinguisher
Creates routing and forwarding tables.
• The route-distinguisher argument adds an 8-byte value to an
IPv4 prefix to create a VPN IPv4 prefix. You can enter a route
distinguisher (RD) in either of these formats:
• 16-bit AS number:your 32-bit number, for example, 101:3
• 32-bit IP address:your 16-bit number, for example,
10.0.0.1:1
Example:
Device(config-vrf)# rd 100:1
Step 5 route-target {import | export | both} route-target-ext-community
Creates a route-target extended community for a VRF.
• The import keyword imports routing information from the target
VPN extended community.
• The export keyword exports routing information to the target
VPN extended community.
• The both keyword imports routing information from and
exports routing information to the target VPN extended
community.
• The route-target-ext-community argument adds the
route-target extended community attributes to the VRF’s list of
import, export, or both route-target extended communities.
Example:
Device(config-vrf)# route-target import 100:1
Step 6 import map route-map
(Optional) Configures an import route map for a VRF.
• The route-map argument specifies the route map to be used as
an import route map for the VRF.
Example:
Device(config-vrf)# import map vpn1-route-map
Step 7 exit
(Optional) Exits to global configuration mode.
Example:
Device(config-vrf)# exit
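The two route distinguisher formats accepted by the rd command map onto an 8-byte value that is prepended to the IPv4 prefix, which is what keeps overlapping customer address space distinct inside MP-BGP. The encoder below is an added example, not part of the original guide; the function names are hypothetical, and the type codes 0 and 1 for the two layouts are taken from RFC 4364 rather than from this guide.

```python
import ipaddress
import struct


def encode_rd(text):
    """Encode 'ASN:nn' or 'IPv4:nn' as the 8-byte route distinguisher."""
    admin, sep, number = text.rpartition(":")
    if not sep or not number.isdigit():
        raise ValueError(f"not a route distinguisher: {text!r}")
    number = int(number)
    if admin.isdigit():
        # 16-bit AS number : 32-bit assigned number (RFC 4364 type 0)
        asn = int(admin)
        if asn > 0xFFFF or number > 0xFFFFFFFF:
            raise ValueError(f"value out of range in {text!r}")
        return struct.pack("!HHI", 0, asn, number)
    # 32-bit IP address : 16-bit assigned number (RFC 4364 type 1)
    address = ipaddress.IPv4Address(admin)  # raises ValueError if malformed
    if number > 0xFFFF:
        raise ValueError(f"value out of range in {text!r}")
    return struct.pack("!H4sH", 1, address.packed, number)


def decode_rd(rd):
    """Turn an 8-byte route distinguisher back into its text form."""
    if len(rd) != 8:
        raise ValueError("a route distinguisher is exactly 8 bytes")
    (rd_type,) = struct.unpack("!H", rd[:2])
    if rd_type == 0:
        asn, number = struct.unpack("!HI", rd[2:])
        return f"{asn}:{number}"
    if rd_type == 1:
        packed, number = struct.unpack("!4sH", rd[2:])
        return f"{ipaddress.IPv4Address(packed)}:{number}"
    raise ValueError(f"unsupported route distinguisher type {rd_type}")


def vpnv4_prefix(rd_text, ipv4_prefix):
    """Return (12-byte RD + IPv4 network address, IPv4 prefix length)."""
    network = ipaddress.IPv4Network(ipv4_prefix)
    return encode_rd(rd_text) + network.network_address.packed, network.prefixlen


if __name__ == "__main__":
    # Constructed case: two customers that both use 10.1.0.0/16.
    for rd in ("100:1", "100:2", "10.0.0.1:1"):
        address, length = vpnv4_prefix(rd, "10.1.0.0/16")
        print(f"rd {rd:<11} -> {address.hex()} /{length}")
```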
Configuring VRF Interfaces on PE Devices for Each VPN Customer
To associate a virtual routing and forwarding (VRF) instance with an
interface or subinterface on the provider edge (PE) devices, perform
this task.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip vrf forwarding vrf-name
5. end
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 interface type number
Specifies the interface to configure and enters interface
configuration mode.
• The type argument specifies the type of interface to be
configured.
• The number argument specifies the port, connector, or interface
card number.
Example:
Device(config)# interface FastEthernet1/0/0
Step 4 ip vrf forwarding vrf-name
Associates a VRF with the specified interface or subinterface.
• The vrf-name argument is the name assigned to a VRF.
Example:
Device(config-if)# ip vrf forwarding vpn1
Step 5 end
(Optional) Exits to privileged EXEC mode.
Example:
Device(config-if)# end
Configuring Routing Protocols Between the PE and CE Devices
Configure the provider edge (PE) device with the same routing
protocol that the customer edge (CE) device uses. You can
configure the Border Gateway Protocol (BGP), Routing Information
Protocol version 2 (RIPv2), or static routes between the PE and CE
devices.
Configuring RIPv2 as the Routing Protocol Between the PE and CE
Devices
SUMMARY STEPS
1. enable
2. configure terminal
3. router rip
4. version {1 | 2}
5. address-family ipv4 [multicast | unicast | vrf vrf-name]
6. network ip-address
7. redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [as-number] [metric metric-value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag tag-value] [route-map map-tag] [subnets]
8. exit-address-family
9. end
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 router rip
Enables the Routing Information Protocol (RIP).
Example:
Device(config)# router rip
Step 4 version {1 | 2}
Specifies RIP version used globally by the device.
Example:
Device(config-router)# version 2
Step 5 address-family ipv4 [multicast | unicast | vrf vrf-name]
Specifies the IPv4 address family type and enters address family
configuration mode.
• The multicast keyword specifies IPv4 multicast address
prefixes.
• The unicast keyword specifies IPv4 unicast address
prefixes.
• The vrf vrf-name keyword and argument specifies the name of the
VRF to associate with subsequent IPv4 address family configuration
mode commands.
Example:
Device(config-router)# address-family ipv4 vrf vpn1
Step 6 network ip-address
Enables RIP on the PE-to-CE link.
Example:
Device(config-router-af)# network 192.168.7.0
Step 7 redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [as-number] [metric metric-value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag tag-value] [route-map map-tag] [subnets]
Redistributes routes from one routing domain into another routing
domain.
• For the RIPv2 routing protocol, use the redistribute bgp
as-number command.
Example:
Device(config-router-af)# redistribute bgp 200
Step 8 exit-address-family
Exits address family configuration mode.
Example:
Device(config-router-af)# exit-address-family
Step 9 end
(Optional) Exits to privileged EXEC mode.
Example:
Device(config-router)# end
Configuring Static Routes Between the PE and CE Devices
SUMMARY STEPS
1. enable
2. configure terminal
3. ip route vrf vrf-name
4. address-family ipv4 [multicast | unicast | vrf vrf-name]
5. redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [as-number] [metric metric-value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag tag-value] [route-map map-tag] [subnets]
6. redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [as-number] [metric metric-value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag tag-value] [route-map map-tag] [subnets]
7. exit-address-family
8. end
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 ip route vrf vrf-name
Defines static route parameters for every provider
edge-to-customer edge (PE-to-CE) session and enters router
configuration mode.
Example:
Device(config)# ip route vrf 200
Step 4 address-family ipv4 [multicast | unicast | vrf vrf-name]
Specifies the IPv4 address family type and enters address family
configuration mode.
• The multicast keyword specifies IPv4 multicast address
prefixes.
• The unicast keyword specifies IPv4 unicast address
prefixes.
• The vrf vrf-name keyword and argument specify the name of the
VRF to associate with subsequent IPv4 address family configuration
mode commands.
Example:
Device(config-router)# address-family ipv4 vrf vpn1
Step 5 redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [as-number] [metric metric-value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag tag-value] [route-map map-tag] [subnets]
Redistributes routes from one routing domain into another routing
domain.
• To redistribute virtual routing and forwarding (VRF) static
routes into the VRF Border Gateway Protocol (BGP) table, use the
redistribute static command.
See the command reference page for information about other
arguments and keywords.
Example:
Device(config-router-af)# redistribute static
Step 6 redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [as-number] [metric metric-value] [metric-type type-value] [match {internal | external 1 | external 2}] [tag tag-value] [route-map map-tag] [subnets]
Redistributes routes from one routing domain into another routing
domain.
• To redistribute directly connected networks into the VRF BGP
table, use the redistribute connected command.
Example:
Device(config-router-af)# redistribute connected
Step 7 exit-address-family
Exits address family configuration mode.
Example:
Device(config-router-af)# exit-address-family
Step 8 end
(Optional) Exits to privileged EXEC mode.
Example:
Device(config-router)# end
Verifying the Virtual Private Network Configuration
A route distinguisher must be configured for the virtual routing and
forwarding (VRF) instance, and Multiprotocol Label Switching (MPLS)
must be configured on the interfaces that carry the VRF. Use
the show ip vrf command to verify the route distinguisher (RD) and
interface that are configured for the VRF.
SUMMARY STEPS
1. show ip vrf
DETAILED STEPS
show ip vrf
Displays the set of defined VRF instances and associated
interfaces. The output also maps the VRF instances to the
configured route distinguisher.
Verifying Connectivity Between MPLS Virtual Private Network Sites
To verify that the local and remote customer edge (CE) devices
can communicate across the Multiprotocol Label Switching (MPLS)
core, perform the following tasks:
Verifying IP Connectivity from CE Device to CE Device Across the
MPLS Core
SUMMARY STEPS
1. enable
2. ping [protocol] {host-name | system-address}
3. trace [protocol] [destination]
4. show ip route [ip-address [mask] [longer-prefixes]] | protocol [process-id]] | [list [access-list-name | access-list-number]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
Step 2 ping [protocol] {host-name | system-address}
Diagnoses basic network connectivity on AppleTalk,
Connectionless-mode Network Service (CLNS), IP, Novell, Apollo,
Virtual Integrated Network Service (VINES), DECnet, or Xerox Network
Service (XNS) networks. Use the ping command to verify the
connectivity from one CE device to another.
Step 3 trace [protocol] [destination]
Discovers the routes that packets take when traveling to their
destination. The trace command can help isolate a trouble spot if
two devices cannot communicate.
Step 4 show ip route [ip-address [mask] [longer-prefixes]] | protocol [process-id]] | [list [access-list-name | access-list-number]
Displays the current state of the routing table. Use the
ip-address argument to verify that CE1 has a route to CE2. Verify
the routes learned by CE1. Make sure that the route for CE2
is listed.
Verifying That the Local and Remote CE Devices Are in the PE
Routing Table
SUMMARY STEPS
1. enable
2. show ip route vrf vrf-name [prefix]
3. show ip cef vrf vrf-name [ip-prefix]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
Step 2 show ip route vrf vrf-name [prefix]
Displays the IP routing table associated with a virtual routing and
forwarding (VRF) instance. Check that the loopback addresses of the
local and remote customer edge (CE) devices are in the routing table
of the provider edge (PE) devices.
Step 3 show ip cef vrf vrf-name [ip-prefix]
Displays the Cisco Express Forwarding forwarding table associated
with a VRF. Check that the prefix of the remote CE device is in the
Cisco Express Forwarding table.
Configuration Examples for MPLS Virtual Private Networks
Example: Configuring an MPLS Virtual Private Network Using RIP
CE Configuration
ip cef
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!
interface Loopback0
 ip address 10.0.0.9 255.255.255.255
!
interface FastEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 no cdp enable
router rip
 version 2
 timers basic 30 60 60 120
 redistribute connected
 network 10.0.0.0
 network 192.0.2.0
 no auto-summary
PE Configuration
! VRF definition: route distinguisher plus export and import route targets
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip cef
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Interface placed in the VRF
interface FastEthernet0/0/0
 ip vrf forwarding vpn1
 ip address 192.0.2.3 255.255.255.0
 no cdp enable
! Interface running MPLS with LDP
interface FastEthernet1/1/0
 ip address 192.0.2.2 255.255.255.0
 mpls label protocol ldp
 mpls ip
!
router rip
 version 2
 timers basic 30 60 60 120
 !
 ! RIP instance for the VRF; BGP routes are redistributed into it
 address-family ipv4 vrf vpn1
  version 2
  redistribute bgp 100 metric transparent
  network 192.0.2.0
  distribute-list 20 in
  no auto-summary
  exit-address-family
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.0.3 remote-as 100
 neighbor 10.0.0.3 update-source Loopback0
 no auto-summary
 !
 ! VPNv4 exchange with the neighbor, carrying extended communities
 address-family vpnv4
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 send-community extended
  bgp scan-time import 5
  exit-address-family
 !
 address-family ipv4 vrf vpn1
  redistribute connected
  redistribute rip
  no auto-summary
  no synchronization
  exit-address-family
Example: Configuring an MPLS Virtual Private Network Using Static Routes
CE Configuration
ip cef
!
interface Loopback0
 ip address 10.0.0.9 255.255.255.255
!
interface FastEthernet0/0/0
 ip address 192.0.2.2 255.255.0.0
 no cdp enable
!
ip route 10.0.0.9 255.255.255.255 192.0.2.33
ip route 198.51.100.0 255.255.255.0 192.0.2.33
PE Configuration
! VRF definition: route distinguisher plus export and import route targets
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip cef
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Interface placed in the VRF
interface FastEthernet0/0/0
 ip vrf forwarding vpn1
 ip address 192.0.2.3 255.255.255.0
 no cdp enable
!
! Interface running MPLS with LDP
interface FastEthernet1/1/0
 ip address 192.168.0.1 255.255.0.0
 mpls label protocol ldp
 mpls ip
!
router ospf 100
 network 10.0.0. 0.0.0.0 area 100
 network 192.168.0.0 255.255.0.0 area 100
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.0.3 remote-as 100
 neighbor 10.0.0.3 update-source Loopback0
 no auto-summary
 !
 ! VPNv4 exchange with the neighbor, carrying extended communities
 address-family vpnv4
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 send-community extended
  bgp scan-time import 5
  exit-address-family
 !
 address-family ipv4 vrf vpn1
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
  exit-address-family
!
! Static routes installed in the VRF routing table
ip route vrf vpn1 10.0.0.9 255.255.255.255 192.0.2.2
ip route vrf vpn1 192.0.2.0 255.255.0.0 192.0.2.2
Additional References
Related Documents
Related Topic | Document Title
Cisco IOS commands | Cisco IOS Master Command List, All Releases
Description of commands associated with MPLS and MPLS applications | Cisco IOS Multiprotocol Label Switching Command Reference
Configuring Cisco Express Forwarding | “Configuring Basic Cisco Express Forwarding” module in the Cisco Express Forwarding Configuration Guide
Border Gateway Protocol (BGP) load sharing | “Load Sharing MPLS VPN Traffic” module in the MPLS Layer 3 VPNs Inter-AS and CSC Configuration Guide
Configuring LDP | “MPLS Label Distribution Protocol (LDP)” module in the MPLS Label Distribution Protocol Configuration Guide
Configuring MPLS Traffic Engineering Resource Reservation Protocol (RSVP) | “MPLS Traffic Engineering and Enhancements” module in the MPLS Traffic Engineering Path Calculation and Setup Configuration Guide
IPv6 VPN over MPLS | “IPv6 VPN over MPLS” module in the MPLS Layer 3 VPNs Configuration Guide
Technical Assistance
Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html
Feature Information for MPLS Virtual Private Networks
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1: Feature Information for MPLS Virtual Private Networks
Feature Name | Releases | Feature Information
MPLS Virtual Private Networks | 12.0(5)T, 12.0(11)ST, 12.0(21)ST, 12.0(22)S, 12.1(5)T, 12.2(8)T, 12.2(17b)SXA, 12.2(27)SBB, 12.3(2)T, 15.4(1)S | The MPLS Virtual Private Networks feature allows a set of sites to be interconnected by means of a Multiprotocol Label Switching (MPLS) provider core network. At each customer site, one or more customer edge (CE) devices attach to one or more provider edge (PE) devices. In Cisco IOS Release 15.4(1)S, support was added for the Cisco ASR 901S Router.
CHAPTER 2
Multiprotocol BGP MPLS VPN
A Multiprotocol Label Switching (MPLS) virtual private network (VPN) consists of a set of sites that are interconnected by means of an MPLS provider core network. At each site, there are one or more customer edge (CE) devices, which attach to one or more provider edge (PE) devices. PEs use the Multiprotocol Border Gateway Protocol (MP-BGP) to dynamically communicate with each other.
• Finding Feature Information
• Prerequisites for Multiprotocol BGP MPLS VPN
• Information About Multiprotocol BGP MPLS VPN
• How to Configure Multiprotocol BGP MPLS VPN
• Configuration Examples for Multiprotocol BGP MPLS VPN
• Additional References
• Feature Information for Multiprotocol BGP MPLS VPN
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Multiprotocol BGP MPLS VPN
Configure MPLS virtual private networks (VPNs) in the core.
Information About Multiprotocol BGP MPLS VPN
MPLS Virtual Private Network Definition
Before defining a Multiprotocol Label Switching virtual private network (MPLS VPN), you must define a VPN in general. A VPN is:
• An IP-based network delivering private network services over a public infrastructure
• A set of sites that are allowed to communicate with each other privately over the Internet or other public or private networks
Conventional VPNs are created by configuring a full mesh of tunnels or permanent virtual circuits (PVCs) to all sites in a VPN. This type of VPN is not easy to maintain or expand, because adding a new site requires changing each edge device in the VPN.
MPLS-based VPNs are created in Layer 3 and are based on the peer model. The peer model enables the service provider and the customer to exchange Layer 3 routing information. The service provider relays the data between the customer sites without the customer’s involvement. MPLS VPNs are easier to manage and expand than conventional VPNs. When a new site is added to an MPLS VPN, only the service provider’s edge device that provides services to the customer site needs to be updated.
The different parts of the MPLS VPN are described as follows:
• Provider (P) device—Device in the core of the provider network. P devices run MPLS switching, and do not attach VPN labels to routed packets. The MPLS label in each route is assigned by the provider edge (PE) device. VPN labels are used to direct data packets to the correct egress device.
• PE device—Device that attaches the VPN label to incoming packets based on the interface or subinterface on which they are received. A PE device attaches directly to a customer edge (CE) device.
• Customer (C) device—Device in the ISP or enterprise network.
• CE device—Edge device on the network of the ISP that connects to the PE device on the network. A CE device must interface with a PE device.
The figure below shows a basic MPLS VPN.
Figure 2: Basic MPLS VPN Terminology
How an MPLS Virtual Private Network Works
Multiprotocol Label Switching virtual private network (MPLS VPN) functionality is enabled at the edge of an MPLS network. The provider edge (PE) device performs the following:
• Exchanges routing updates with the customer edge (CE) device.
• Translates the CE routing information into VPNv4 routes.
• Exchanges VPNv4 routes with other PE devices through the Multiprotocol Border Gateway Protocol (MP-BGP).
The following sections describe how MPLS VPN works:
How Virtual Routing and Forwarding Tables Work in an MPLS Virtual Private Network
Each virtual private network (VPN) is associated with one or more virtual routing and forwarding (VRF) instances. A VRF defines the VPN membership of a customer site attached to a PE device. A VRF consists of the following components:
• An IP routing table
• A derived Cisco Express Forwarding table
• A set of interfaces that use the forwarding table
• A set of rules and routing protocol parameters that control the information that is included in the routing table
A one-to-one relationship does not necessarily exist between customer sites and VPNs. A site can be a member of multiple VPNs. However, a site can associate with only one VRF. A site’s VRF contains all the routes available to the site from the VPNs of which it is a member.
Packet forwarding information is stored in the IP routing table and the Cisco Express Forwarding table for each VRF. A separate set of routing and Cisco Express Forwarding tables is maintained for each VRF. These tables prevent information from being forwarded outside a VPN, and they also prevent packets that are outside a VPN from being forwarded to a device within the VPN.
How VPN Routing Information Is Distributed in an MPLS Virtual Private Network
The distribution of virtual private network (VPN) routing information is controlled through the use of VPN route target communities, implemented by Border Gateway Protocol (BGP) extended communities. VPN routing information is distributed as follows:
• When a VPN route that is learned from a customer edge (CE) device is injected into BGP, a list of VPN route target extended community attributes is associated with it. Typically the list of route target community extended values is set from an export list of route targets associated with the virtual routing and forwarding (VRF) instance from which the route was learned.
• An import list of route target extended communities is associated with each VRF. The import list defines route target extended community attributes that a route must have in order for the route to be imported into the VRF. For example, if the import list for a particular VRF includes route target extended communities A, B, and C, then any VPN route that carries any of those route target extended communities—A, B, or C—is imported into the VRF.
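The import rule above can be checked mechanically against a device configuration. The following Python sketch is an added example, not part of the Cisco guide: it parses "ip vrf" stanzas and lists every VRF that would receive another VRF's routes because an import route target matches an export route target. The sample configuration, the vpn2 and mgmt VRFs, and the function names are constructed for illustration, and the check covers only VRFs defined in the configuration text it is given.

```python
# Constructed PE fragment in the same "ip vrf" syntax as the guide's examples.
# VRF names, RDs and route targets below are made up for this illustration.
SAMPLE_CONFIG = """\
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf vpn2
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
!
ip vrf mgmt
 rd 100:99
 route-target both 100:99
!
interface FastEthernet0/0/0
 ip vrf forwarding vpn1
"""

def parse_vrfs(config):
    """Return {vrf: {"rd": str or None, "import": set, "export": set}}."""
    vrfs, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):
            # A top-level line either opens a VRF stanza or ends the current one.
            current = None
            if len(words) == 3 and words[:2] == ["ip", "vrf"]:
                current = vrfs.setdefault(words[2], {"rd": None, "import": set(), "export": set()})
        elif current is not None and words[0] == "rd" and len(words) == 2:
            current["rd"] = words[1]
        elif current is not None and words[0] == "route-target" and len(words) == 3:
            if words[1] in ("import", "both"):
                current["import"].add(words[2])
            if words[1] in ("export", "both"):
                current["export"].add(words[2])
    return vrfs

def imports_from(vrfs):
    """List (importer, exporter, shared RTs): any one shared route target is enough."""
    result = []
    for dst, d in sorted(vrfs.items()):
        for src, s in sorted(vrfs.items()):
            shared = d["import"] & s["export"]
            if shared:
                result.append((dst, src, tuple(sorted(shared))))
    return result

def cross_vrf_imports(vrfs):
    """Only the pairs where one VRF receives another VRF's routes."""
    return [row for row in imports_from(vrfs) if row[0] != row[1]]
```

Each row returned by cross_vrf_imports is a route exchange between two VPNs that should correspond to a documented, intended relationship.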
BGP Distribution of VPN Routing Information
A provider edge (PE) device can learn an IP prefix from the following sources:
• A customer edge (CE) device by static configuration
• A Border Gateway Protocol (BGP) session with the CE device
• A Routing Information Protocol (RIP) exchange with the CE device
The IP prefix is a member of the IPv4 address family. After the PE device learns the IP prefix, the PE converts it into a VPN-IPv4 prefix by combining it with an 8-byte route distinguisher (RD). The generated prefix is a member of the VPN-IPv4 address family. It uniquely identifies the customer address, even if the customer site is using globally nonunique (unregistered private) IP addresses. The route distinguisher used to generate the VPN-IPv4 prefix is specified by a configuration command associated with the virtual routing and forwarding (VRF) instance on the PE device.
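To make the RD mechanism concrete, the following Python sketch (an added example, not from the Cisco guide) builds the VPN-IPv4 form of a prefix and shows when two sites that use the same private address stay distinct and when they collide. The three RD encodings follow RFC 4364, which the guide does not spell out; the site names and routes are constructed.

```python
import ipaddress
import struct

def encode_rd(rd):
    """Encode an 'administrator:assigned-number' RD string into 8 bytes."""
    admin, number = rd.rsplit(":", 1)
    number = int(number)
    if "." in admin:
        # Type 1: 4-byte IPv4 address + 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn <= 0xFFFF:
        # Type 0: 2-byte AS number + 4-byte assigned number (e.g. "100:1")
        return struct.pack("!HHI", 0, asn, number)
    # Type 2: 4-byte AS number + 2-byte assigned number
    return struct.pack("!HIH", 2, asn, number)

def vpn_ipv4(rd, prefix):
    """Return (8-byte RD + 4-byte IPv4 network address, prefix length in bits)."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, 64 + net.prefixlen

def find_collisions(routes):
    """routes: (site, rd, prefix) tuples. Return VPN-IPv4 keys shared by >1 site."""
    owners = {}
    for site, rd, prefix in routes:
        owners.setdefault(vpn_ipv4(rd, prefix), set()).add(site)
    return {key: sites for key, sites in owners.items() if len(sites) > 1}

# Constructed routes: three sites all use the same private prefix.
ROUTES = [
    ("customerA-site1", "100:1", "10.0.0.9/32"),
    ("customerB-site1", "100:2", "10.0.0.9/32"),  # different RD: stays distinct
    ("customerC-site1", "100:1", "10.0.0.9/32"),  # RD reused: collides with customer A
]
```

The RD only keeps overlapping addresses apart inside BGP; which VRFs actually receive a route is decided by route targets.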
BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP communication occurs at two levels:
• Within an IP domain, known as an autonomous system (interior BGP [IBGP])
• Between autonomous systems (external BGP [EBGP])
PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and PE-CE sessions are EBGP sessions. In an Enhanced Interior Gateway Routing Protocol (EIGRP) PE-CE environment, when an EIGRP internal route is redistributed into BGP by one PE, and then back into EIGRP by another PE, the originating router ID for the route is set to the router ID of the second PE, replacing the original internal router ID.
BGP propagates reachability information for VPN-IPv4 prefixes among PE devices by means of the BGP multiprotocol extensions (refer to RFC 2283, Multiprotocol Extensions for BGP-4), which define support for address families other than IPv4. Using the extensions ensures that the routes for a given VPN are learned only by other members of that VPN, enabling members of the VPN to communicate with each other.
Major Components of an MPLS Virtual Private Network
A Multiprotocol Label Switching (MPLS)-based virtual private network (VPN) has three major components:
• VPN route target communities—A VPN route target community is a list of all members of a VPN community. VPN route targets need to be configured for each VPN community member.
• Multiprotocol BGP (MP-BGP) peering of VPN community provider edge (PE) devices—MP-BGP propagates virtual routing and forwarding (VRF) reachability information to all members of a VPN community. MP-BGP peering must be configured on all PE devices within a VPN community.
• MPLS forwarding—MPLS transports all traffic between all VPN community members across a VPN service-provider network.
A one-to-one relationship does not necessarily exist between customer sites and VPNs. A given site can be a member of multiple VPNs. However, a site can associate with only one VRF. A customer-site VRF contains all the routes available to the site from the VPNs of which it is a member.
How to Configure Multiprotocol BGP MPLS VPN
Configuring Multiprotocol BGP Connectivity on the PE Devices and Route Reflectors
SUMMARY STEPS
1. enable
2. configure terminal
3. router bgp as-number
4. no bgp default ipv4-unicast
5. neighbor {ip-address | peer-group-name} remote-as as-number
6. neighbor {ip-address | peer-group-name} activate
7. address-family vpnv4 [unicast]
8. neighbor {ip-address | peer-group-name} send-community extended
9. neighbor {ip-address | peer-group-name} activate
10. end
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 router bgp as-number
Configures a Border Gateway Protocol (BGP) routing process and enters router configuration mode.
• The as-number argument indicates the number of an autonomous system that identifies the device to other BGP devices and tags the routing information passed along. The range is 0 to 65535. Private autonomous system numbers that can be used in internal networks are 64512 to 65535.
Example:
Device(config)# router bgp 100
Step 4 no bgp default ipv4-unicast
(Optional) Disables the IPv4 unicast address family on all neighbors.
• Use the no bgp default ipv4-unicast command if you are using this neighbor for Multiprotocol Label Switching (MPLS) routes only.
Example:
Device(config-router)# no bgp default ipv4-unicast
Step 5 neighbor {ip-address | peer-group-name} remote-as as-number
Adds an entry to the BGP or multiprotocol BGP neighbor table.
• The ip-address argument specifies the IP address of the neighbor.
• The peer-group-name argument specifies the name of a BGP peer group.
• The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
Device(config-router)# neighbor 10.0.0.1 remote-as 100
Step 6 neighbor {ip-address | peer-group-name} activate
Enables the exchange of information with a neighboring BGP device.
• The ip-address argument specifies the IP address of the neighbor.
Example:
Device