Friday, June 3, 2016

MPLS L3VPN Inter AS Option A or Option 1- Back to Back VRF

MPLS L3VPN Inter AS Option A/1 Back to Back VRF is probably the easiest transition to Inter AS VPN for those who are familiar with regular Intra AS L3 VPN. The PE to PE connections are configured almost exactly the same way you would configure a PE for a PE to CE Attachment Circuit. The only difference is that instead of connecting to a customer, you are connecting to another provider.

I used INE's SPv3 Inter AS topology for this, because the topology makes sense from a learning perspective. I'll walk you through the individual steps needed to get this very involved configuration operational. I currently have this configuration operational, and I have to say that after getting hung up on several steps, there is a learning curve to this design.


I am also using VIRL 1.0.26 for this setup. I connect R1 through R12 via G2 to an IOSv L2 managed switch, configure all the VLANs and set all ports as trunks.




With any MPLS L3 VPN design there are several steps. I'll cover the Intra AS ones first and then add the Inter AS step so you can see the difference.

Intra AS design:
1. IGP: you need the IGP operational, and the PE devices need to be advertising their /32 loopbacks into the IGP. A good test is a traceroute from PE1 to PE2 sourced from PE1's loopback; if you can reach it, you're in good shape.
2. LDP: you need LDP up and operational to build the LSPs (label switched paths) between the PEs. The /32 loopback is what becomes the next hop for the LSP once LDP is enabled.
3. BGP VPNv4: this is how updates from PE1 are advertised to PE2. LDP only builds the LSPs between the PEs; VPNv4 is what actually advertises the NLRI between them.
4. VRFs: these separate Customer 1 from Customer 2. Ideally one VRF per customer, as a VRF is a new routing table with an RD (Route Distinguisher, to make the route globally unique) and an RT (Route Target, to determine which PEs can send and receive VPN traffic).
5. PE-CE routing: this can be as basic as a static route or as involved as OSPF. BGP is what I have seen deployed most commonly; ideally you would use BGP as the PE-CE routing protocol rather than an IGP, as an IGP requires mutual redistribution with BGP to exchange routing information, while BGP needs no redistribution.

Inter AS design:
1. IGP
2. LDP
3. BGP VPNv4
4. VRFs
5. PE-CE Routing
6. PE-PE Back to Back VRF exchange, AKA ASBR to ASBR VRF exchange. Basically, you configure the PE to PE connection exactly like you would a PE to CE connection; the only difference is that instead of a CE router, you're connecting to another PE. You peer with the other provider on a per-VRF basis: if you have 200 customers paying for Inter AS connectivity, you have 200 separate VRF peerings with that provider.

The design I have working right now uses an IGP for both the PE to CE and the PE to PE VRF exchange. Since all the IGPs are VRF-aware for IPv4, this is easy to set up. I used BGP VPNv4 between the PEs and a VPNv4 route reflector to reflect routes, which makes it ideal to scale with. A common misunderstanding is that in order to have L3 VPN you need IPv4 unicast iBGP working; that is not the case, VPNv4 alone gets the job done.

I commonly group the configurations together to make deployments that much simpler. The first group is IGP and LDP together: LDP autoconfig is configured under the IGP routing process and is applied to any interface the IGP is enabled on. On IOS XR you can enable mpls ldp auto-config under the routing process, but you still have to enable MPLS LDP globally.

IOS
R1 - sh run | sec isis
router isis 1
 net 49.0000.0000.0000.0001.00
 metric-style wide
 mpls ldp autoconfig

IOS XR
router ospf 1
 mpls ldp auto-config
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0.619
!
mpls ldp

Once that is up and running, we need to verify basic LDP forwarding:

IOS
R1#sh mpls forwarding-table | ex No Label
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop  
Label      Label      or Tunnel Id     Switched      interface            
16         Pop Label  3.3.3.3/32       0             Gi2.13     20.1.3.3  
18         Pop Label  20.2.3.0/24      0             Gi2.13     20.1.3.3  
19         Pop Label  20.3.4.0/24      0             Gi2.13     20.1.3.3  
20         17         2.2.2.2/32       0             Gi2.13     20.1.3.3  
21         18         4.4.4.4/32       0             Gi2.13     20.1.3.3  

IOS XR
RP/0/0/CPU0:XR1#sh mpls forwarding | ex Unlabelled
Fri Jun  3 08:28:20.135 UTC
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes    
Label  Label       or ID              Interface                    Switched  
------ ----------- ------------------ ------------ --------------- ------------
24000  Pop         6.6.6.6/32         Gi0/0/0/0.619 20.6.19.6       70842    
24001  Pop         20.5.6.0/24        Gi0/0/0/0.619 20.6.19.6       0        
24002  Pop         20.6.20.0/24       Gi0/0/0/0.619 20.6.19.6       0        
24003  18          5.5.5.5/32         Gi0/0/0/0.619 20.6.19.6       2906      
24004  19          20.20.20.20/32     Gi0/0/0/0.619 20.6.19.6       33916    
24005  Aggregate   A: Per-VRF Aggr[V] A                            0        
24008  Aggregate   C: Per-VRF Aggr[V] C                            0        
24009  Aggregate   B: Per-VRF Aggr[V] B                            0        
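The "good test" for steps 1 and 2 is that every remote PE loopback shows up in the LFIB with a real outgoing action. The following is an added Python example (not from the post or from Cisco) that parses both the IOS "show mpls forwarding-table" and the IOS XR "show mpls forwarding" row formats and reports, per PE loopback, whether the LSP is in place. The IOS R1 and XR1 tables are the ones shown above; the "No Label" row for 7.7.7.7 is a constructed example of an LDP gap, not output from the lab.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One data row of IOS "show mpls forwarding-table" or IOS XR "show mpls forwarding".
# Only rows whose prefix is a plain IPv4 prefix are captured; per-VRF aggregate rows
# and VPN rows with a "[V]" suffix are ignored on purpose (this is a transport-LSP check).
ROW_RE = re.compile(
    r"^\s*(?P<local>\d+)\s+"
    r"(?P<out>Pop Label|Pop|No Label|Unlabelled|Untagged|Aggregate|\d+)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?P<rest>.*)$"
)
# First dotted quad in the remainder of the row that is not followed by a mask is the
# next hop; this works for both column orders (IOS puts bytes first, XR puts them last).
NH_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b(?!/)")


@dataclass
class LfibEntry:
    local: int
    action: str            # "pop", "unlabelled" or the outgoing label as a string
    prefix: str
    next_hop: Optional[str]


def parse_lfib(text: str) -> List[LfibEntry]:
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        out = m.group("out")
        if out in ("Pop Label", "Pop"):
            action = "pop"
        elif out in ("No Label", "Unlabelled", "Untagged"):
            action = "unlabelled"
        else:
            action = out
        nh = NH_RE.search(m.group("rest"))
        entries.append(LfibEntry(int(m.group("local")), action, m.group("prefix"),
                                 nh.group(1) if nh else None))
    return entries


def check_pe_lsps(text: str, pe_loopbacks: List[str]) -> Dict[str, str]:
    """Per PE loopback: 'pop' (next LSR is the PE, PHP applies), 'swap' (labelled further
    downstream), 'unlabelled' (LDP gap: IGP route present but no label) or 'missing'
    (no LFIB row at all, usually the /32 is not in the IGP)."""
    by_prefix = {e.prefix: e for e in parse_lfib(text)}
    verdict = {}
    for lo in pe_loopbacks:
        e = by_prefix.get(f"{lo}/32")
        if e is None:
            verdict[lo] = "missing"
        elif e.action in ("pop", "unlabelled"):
            verdict[lo] = e.action
        else:
            verdict[lo] = "swap"
    return verdict


# IOS R1 table from the post (header included to show the parser skips it).
IOS_R1_LFIB = """\
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
16         Pop Label  3.3.3.3/32       0             Gi2.13     20.1.3.3
18         Pop Label  20.2.3.0/24      0             Gi2.13     20.1.3.3
19         Pop Label  20.3.4.0/24      0             Gi2.13     20.1.3.3
20         17         2.2.2.2/32       0             Gi2.13     20.1.3.3
21         18         4.4.4.4/32       0             Gi2.13     20.1.3.3
"""

# IOS XR XR1 table from the post.
XR1_LFIB = """\
Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
Label  Label       or ID              Interface                    Switched
------ ----------- ------------------ ------------ --------------- ------------
24000  Pop         6.6.6.6/32         Gi0/0/0/0.619 20.6.19.6       70842
24001  Pop         20.5.6.0/24        Gi0/0/0/0.619 20.6.19.6       0
24003  18          5.5.5.5/32         Gi0/0/0/0.619 20.6.19.6       2906
24004  19          20.20.20.20/32     Gi0/0/0/0.619 20.6.19.6       33916
24005  Aggregate   A: Per-VRF Aggr[V] A                            0
"""

# Constructed row (not lab output): a loopback known to the IGP but with no LDP binding.
BROKEN_LFIB = "17         No Label   7.7.7.7/32       0             Gi2.13     20.1.3.3\n"

if __name__ == "__main__":
    print(check_pe_lsps(IOS_R1_LFIB, ["2.2.2.2", "3.3.3.3", "4.4.4.4", "9.9.9.9"]))
    print(check_pe_lsps(XR1_LFIB, ["5.5.5.5", "6.6.6.6", "20.20.20.20"]))
    print(check_pe_lsps(BROKEN_LFIB, ["7.7.7.7"]))
```

Any "unlabelled" or "missing" verdict for a PE loopback means VPNv4 routes learned from that PE will be unusable even though BGP may show them as best, so this is worth running before touching the VRF or BGP steps.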

Now it's time to set up the VRFs and apply them to the interfaces. I used the same VRF naming convention on all PEs:

IOS
R1
ip vrf A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf B
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
ip vrf C
 rd 100:3
 route-target export 100:3
 route-target import 100:3

IOS XR
RP/0/0/CPU0:XR1#sh run vrf
Fri Jun  3 08:31:29.982 UTC
vrf A
 address-family ipv4 unicast
  import route-target
   100:1
  !
  export route-target
   100:1
  !
 !
!
vrf B
 address-family ipv4 unicast
  import route-target
   100:2
  !
  export route-target
   100:2
  !
 !
!
vrf C
 address-family ipv4 unicast
  import route-target
   100:3
  !
  export route-target
   100:3
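In Option A the customer separation lives entirely in these VRF definitions on each ASBR: a VRF that imports another customer's route target would pull that customer's prefixes into its table and hand them across the inter-AS link. The following is an added Python example (not from the post, not a Cisco tool) that parses the IOS "ip vrf" and IOS XR "vrf" stanzas (plus the XR "router bgp ... vrf ... rd" lines, since XR keeps the RD there) and flags two things: an RT that one VRF imports while a different VRF exports it, and two VRFs sharing one RD. The R1 and XR1 inputs carry the values shown in the post; the BAD_IOS input is constructed to show what a leak looks like.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

VRF_START_RE = re.compile(r"^(?:ip vrf|vrf definition|vrf)\s+(\S+)$")
IOS_RT_RE = re.compile(r"^route-target\s+(import|export|both)\s+(\S+)$")
XR_RT_BLOCK_RE = re.compile(r"^(import|export)\s+route-target$")
RD_RE = re.compile(r"^rd\s+(\S+)$")
RT_VALUE_RE = re.compile(r"^\d+(?:\.\d+\.\d+\.\d+)?:\d+$")   # ASN:nn or A.B.C.D:nn


def parse_vrfs(config: str) -> Dict[str, dict]:
    """Return {vrf_name: {"rd": str|None, "import": set, "export": set}} for IOS and XR."""
    vrfs = defaultdict(lambda: {"rd": None, "import": set(), "export": set()})
    cur = None    # VRF whose stanza we are currently inside
    mode = None   # "import"/"export" while inside an XR route-target block
    for raw in config.splitlines():
        s = raw.strip()
        if not s:
            continue
        top_level = not raw.startswith(" ")
        if s == "!":
            mode = None                 # XR closes a route-target block with "!"
            if top_level:
                cur = None              # column-0 "!" ends the whole stanza
            continue
        m = VRF_START_RE.match(s)
        if m:                           # "ip vrf A", "vrf A", or " vrf A" under router bgp
            cur, mode = m.group(1), None
            continue
        if top_level:                   # e.g. "router ospf 1" leaves any VRF stanza
            cur, mode = None, None
            continue
        if cur is None:
            continue
        if (m := RD_RE.match(s)):
            vrfs[cur]["rd"] = m.group(1)
        elif (m := IOS_RT_RE.match(s)):
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for k in kinds:
                vrfs[cur][k].add(m.group(2))
        elif (m := XR_RT_BLOCK_RE.match(s)):
            mode = m.group(1)
        elif mode and RT_VALUE_RE.match(s):
            vrfs[cur][mode].add(s)
    return dict(vrfs)


def find_rt_leaks(vrfs: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(importing VRF, exporting VRF, RT) for every RT one VRF imports that another exports."""
    leaks = []
    for imp_name, imp in vrfs.items():
        for exp_name, exp in vrfs.items():
            if imp_name == exp_name:
                continue
            for rt in sorted(imp["import"] & exp["export"]):
                leaks.append((imp_name, exp_name, rt))
    return leaks


def duplicate_rds(vrfs: Dict[str, dict]) -> Dict[str, List[str]]:
    """RDs used by more than one VRF on the same box."""
    seen = defaultdict(list)
    for name, v in vrfs.items():
        if v["rd"]:
            seen[v["rd"]].append(name)
    return {rd: sorted(names) for rd, names in seen.items() if len(names) > 1}


# R1 (IOS) values from the post.
IOS_R1 = """\
ip vrf A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf B
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
ip vrf C
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
"""

# XR1 values from the post: RTs under "vrf", RDs under "router bgp 2".
XR1 = "".join(
    f"vrf {n}\n address-family ipv4 unicast\n  import route-target\n   100:{i}\n  !\n"
    f"  export route-target\n   100:{i}\n  !\n !\n!\n"
    for i, n in enumerate("ABC", start=1)
) + "router bgp 2\n" + "".join(
    f" vrf {n}\n  rd 100:{i}\n  address-family ipv4 unicast\n  !\n !\n"
    for i, n in enumerate("ABC", start=1)
)

# Constructed misconfiguration: VRF B reuses A's RD and imports A's RT.
BAD_IOS = """\
ip vrf A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf B
 rd 100:1
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
!
"""

if __name__ == "__main__":
    for label, cfg in (("R1", IOS_R1), ("XR1", XR1), ("BAD", BAD_IOS)):
        v = parse_vrfs(cfg)
        print(label, "leaks:", find_rt_leaks(v), "dup RDs:", duplicate_rds(v))
```

Deliberate extranet sharing between VRFs would also show up as a "leak", so the check is a review prompt rather than a hard failure; run it against the ASBR configs on both sides of the inter-AS link, since each provider's VRF table is what the other provider ends up seeing.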

BGP VPNv4 is up next, I'll show you 2 PEs, 1 is a regular PE and the other is a PE and a RR:
IOS
R1
router bgp 1
 !
 template peer-session VPNv4
  remote-as 1
  update-source Loopback0
 exit-peer-session
 !
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 inherit peer-session VPNv4
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family

R2 - PE and RR
router bgp 1
 template peer-policy VPNv4
  route-reflector-client
 exit-peer-policy
 !
 template peer-session VPNv4
  remote-as 1
  update-source Loopback0
 exit-peer-session
 !
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.1.1 inherit peer-session VPNv4
 neighbor 4.4.4.4 inherit peer-session VPNv4
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
  neighbor 1.1.1.1 inherit peer-policy VPNv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
  neighbor 4.4.4.4 inherit peer-policy VPNv4
 exit-address-family


R2#sh bgp vpnv4 unicast all summary
BGP router identifier 2.2.2.2, local AS number 1
<brevity>
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4            1     411     416       22    0    0 06:05:42        9
4.4.4.4         4            1     405     419       22    0    0 06:04:54        4

As you can see, R1 (1.1.1.1) and R4 (4.4.4.4) are advertising routes. This is because I already had PE-CE routing configured.

IOS XR
XR1
router bgp 2
 address-family vpnv4 unicast
 !
 neighbor 20.20.20.20
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast

XR2 - PE and RR
RP/0/0/CPU0:XR2#sh run router bgp
Fri Jun  3 08:38:20.473 UTC
router bgp 2
 address-family vpnv4 unicast
 !
 neighbor 5.5.5.5
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
  !
 !
 neighbor 19.19.19.19
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client


RP/0/0/CPU0:XR2#sh bgp vpnv4 unicast summary
Fri Jun  3 08:38:57.521 UTC
BGP router identifier 20.20.20.20, local AS number 2
BGP scan interval 60 secs

Process       RcvTblVer   bRIB/RIB   LabelVer  ImportVer  SendTblVer  StandbyVer
Speaker              28         28         28         28          28           0

Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
5.5.5.5           0     2     325     299       28    0    0 04:47:56          4
19.19.19.19       0     2     283     290       28    0    0 04:34:06          9


Now to configure PE-CE routing:

IOS
R2
router bgp 1
address-family ipv4 vrf B
  neighbor 40.2.7.7 remote-as 7
  neighbor 40.2.7.7 activate


R2#sh bgp vpnv4 unicast all summary
BGP router identifier 2.2.2.2, local AS number 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
40.2.7.7        4            7     662     664       22    0    0 09:57:55        2

IOS XR
XR2
RP/0/0/CPU0:XR2#sh run router ospf
Fri Jun  3 08:41:30.290 UTC
router ospf 1
  !
 !
 vrf A
  redistribute bgp 2
  area 0
   interface GigabitEthernet0/0/0/0.820

RP/0/0/CPU0:XR2#sh route vrf A
Fri Jun  3 08:41:56.389 UTC

Gateway of last resort is not set

O    8.8.8.8/32 [110/2] via 10.8.20.8, 04:53:57, GigabitEthernet0/0/0/0.820


Now that all of that is put together, it's time to see the PE to PE exchange. I'll copy in all the configurations at the bottom so you'll have them.

IOS
R1
R1#sh run | sec bgp
router bgp 1
 address-family ipv4 vrf A
  redistribute ospf 2
 exit-address-family
 !
 address-family ipv4 vrf B
  redistribute eigrp 1
 exit-address-family
 !
 address-family ipv4 vrf C
  redistribute rip metric 2
 exit-address-family

R1# sh run | sec eigrp
router eigrp 1
 !
 address-family ipv4 vrf B autonomous-system 1
  redistribute bgp 1 metric 1000000 1 255 1 1500
  network 200.200.200.0
  eigrp router-id 1.1.1.1
 exit-address-family
  redistribute eigrp 1

R1# sh run | sec ospf
router ospf 2 vrf A
 router-id 11.11.11.11
 capability vrf-lite
 redistribute bgp 1 subnets
 network 100.100.100.0 0.0.0.255 area 0
  redistribute ospf 2

One key thing about OSPF in a PE-CE or PE-PE configuration is that the Down bit (DN bit) is set by the PE on the LSAs it sends toward the CE, to prevent the CE from advertising the route back to the same or a different PE. You can override this loop-prevention check with capability vrf-lite in IOS, which allows the LSA to be installed in the RIB.

R1# sh run | sec rip
router rip
 !
 address-family ipv4 vrf C
  redistribute bgp 1 metric 1
  network 33.0.0.0
  no auto-summary
  version 2
 exit-address-family
  redistribute rip metric 2


IOS XR
XR1
RP/0/0/CPU0:XR1#sh run router bgp
Fri Jun  3 08:44:27.079 UTC
router bgp 2
  !
 !
 vrf A
  rd 100:1
  address-family ipv4 unicast
   redistribute ospf 1
  !
 !
 vrf B
  rd 100:2
  address-family ipv4 unicast
   redistribute eigrp 1
  !
 !
 vrf C
  rd 100:3
  address-family ipv4 unicast
   redistribute rip metric 2

RP/0/0/CPU0:XR1#sh run router ospf
Fri Jun  3 08:44:53.677 UTC
  !
 !
 vrf A
  disable-dn-bit-check
  redistribute bgp 2
  area 0
   interface GigabitEthernet0/0/0/0.100

One key thing about OSPF in a PE-CE or PE-PE configuration is that the Down bit (DN bit) is set by the PE on the LSAs it sends toward the CE, to prevent the CE from advertising the route back to the same or a different PE. You can override this loop-prevention check with disable-dn-bit-check in IOS XR, which allows the LSA to be installed in the RIB.


RP/0/0/CPU0:XR1#sh run router rip
Fri Jun  3 08:48:30.002 UTC
router rip
 vrf C
  interface GigabitEthernet0/0/0/0.300
  !
  redistribute bgp 2


RP/0/0/CPU0:XR1#sh run router eigrp
Fri Jun  3 08:48:44.631 UTC
router eigrp 1
 vrf B
  address-family ipv4
   autonomous-system 1
   redistribute bgp 2
   interface GigabitEthernet0/0/0/0.200

Now to check each customer, starting with A, then B, then C.

R10
R10#sh ip route ospf

      8.0.0.0/32 is subnetted, 1 subnets
O E2     8.8.8.8 [110/3] via 10.4.10.4, 04:04:26, GigabitEthernet2.410
      10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
O E2     10.8.20.0/24 [110/2] via 10.4.10.4, 04:04:26, GigabitEthernet2.410
      100.0.0.0/24 is subnetted, 1 subnets
O E2     100.100.100.0 [110/1] via 10.4.10.4, 04:21:52, GigabitEthernet2.410

R8
R8#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 10.255.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
O E2     10.4.10.0/24 [110/1] via 10.8.20.20, 03:55:07, GigabitEthernet2.820
O E2     10.10.10.10/32 [110/1] via 10.8.20.20, 03:55:07, GigabitEthernet2.820
      100.0.0.0/24 is subnetted, 1 subnets
O IA     100.100.100.0 [110/2] via 10.8.20.20, 03:55:07, GigabitEthernet2.820

Now let's trace from R8 to R10, sourcing from R8's loopback.

R8#traceroute 10.10.10.10 source 8.8.8.8 num
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 10.8.20.20 15 msec 5 msec 6 msec
  2 20.6.20.6 [MPLS: Labels 17/24007 Exp 0] 48 msec 36 msec 95 msec
  3 20.6.19.19 [MPLS: Label 24007 Exp 0] 59 msec 37 msec 48 msec
  4 100.100.100.1 39 msec 42 msec 37 msec
  5 20.1.3.3 [MPLS: Labels 18/23 Exp 0] 94 msec 65 msec 69 msec
  6 10.4.10.4 [MPLS: Label 23 Exp 0] 63 msec 72 msec 58 msec
  7 10.4.10.10 70 msec *  83 msec


VRF B
R7#sh ip route bgp

      11.0.0.0/32 is subnetted, 1 subnets
B        11.11.11.11 [20/0] via 40.2.7.2, 03:02:56
      40.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        40.5.11.0/24 [20/0] via 40.2.7.2, 03:02:56
B     200.200.200.0/24 [20/0] via 40.2.7.2, 03:03:44

R11#sh ip route eigrp

      7.0.0.0/32 is subnetted, 1 subnets
D EX     7.7.7.7 [170/3328] via 40.5.11.5, 03:03:13, GigabitEthernet2.511
      40.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX     40.2.7.0/24 [170/3328] via 40.5.11.5, 03:03:13, GigabitEthernet2.511
D     200.200.200.0/24 [90/3072] via 40.5.11.5, 03:03:33, GigabitEthernet2.511

R11#traceroute 7.7.7.7 source 11.11.11.11 numeric
Type escape sequence to abort.
Tracing the route to 7.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 40.5.11.5 19 msec 10 msec 10 msec
  2 20.5.6.6 [MPLS: Labels 17/24010 Exp 0] 41 msec 48 msec 33 msec
  3 20.6.19.19 [MPLS: Label 24010 Exp 0] 69 msec 42 msec 68 msec
  4 200.200.200.1 41 msec 36 msec 44 msec
  5 20.1.3.3 [MPLS: Labels 17/22 Exp 0] 119 msec 57 msec 61 msec
  6 40.2.7.2 [MPLS: Label 22 Exp 0] 65 msec 102 msec 58 msec
  7 40.2.7.7 73 msec *  89 msec


VRF C
R9#sh ip route rip

      12.0.0.0/32 is subnetted, 1 subnets
R        12.12.12.12 [120/1] via 30.4.9.4, 00:00:23, GigabitEthernet2.49
      30.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R        30.5.12.0/24 [120/1] via 30.4.9.4, 00:00:23, GigabitEthernet2.49
      33.0.0.0/24 is subnetted, 1 subnets
R        33.33.33.0 [120/1] via 30.4.9.4, 00:00:23, GigabitEthernet2.49


R12#sh ip route rip

      9.0.0.0/32 is subnetted, 1 subnets
R        9.9.9.9 [120/1] via 30.5.12.5, 00:00:29, GigabitEthernet2.512
      30.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R        30.4.9.0/24 [120/1] via 30.5.12.5, 00:00:29, GigabitEthernet2.512
      33.0.0.0/24 is subnetted, 1 subnets
R        33.33.33.0 [120/1] via 30.5.12.5, 00:00:29, GigabitEthernet2.512

R12#traceroute 9.9.9.9 source 12.12.12.12 num
Type escape sequence to abort.
Tracing the route to 9.9.9.9
VRF info: (vrf in name/id, vrf out name/id)
  1 30.5.12.5 19 msec 13 msec 10 msec
  2 20.5.6.6 [MPLS: Labels 17/24012 Exp 0] 45 msec 53 msec 44 msec
  3 20.6.19.19 [MPLS: Label 24012 Exp 0] 51 msec 48 msec 39 msec
  4 33.33.33.1 47 msec 52 msec 46 msec
  5 20.1.3.3 [MPLS: Labels 18/24 Exp 0] 97 msec 89 msec 71 msec
  6 30.4.9.4 [MPLS: Label 24 Exp 0] 62 msec 63 msec 66 msec
  7 30.4.9.9 90 msec *  85 msec

One thing you see on every trace output is the following:
Hop 1 - PE-CE connection - routed via IP
Hop 2 - MPLS forwarded from PE to PE - 2 label stack
Hop 3 - PHP process kicks in removing the outer transport label - 1 label stack
Hop 4 - PE to PE connection - routed via IP
Hop 5 - MPLS forwarded from PE to PE - 2 label stack
Hop 6 - PHP process kicks in removing the outer transport label - 1 label stack
Hop 7 - PE-CE connection - routed via IP

As you can see, the LSPs are not maintained end to end: each AS has its own LSP, and the ASBR to ASBR hop in between is plain IP inside the VRF. But reachability is there and we can get from site to site easily.
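The hop pattern above can be checked mechanically from the traceroute text. The following is an added Python example (not from the post) that parses the IOS traceroute lines, classifies each hop by label-stack depth, groups consecutive labelled hops into LSP segments, and reports the IP-routed hops that sit between two segments, which in this Option A lab is exactly the ASBR to ASBR VRF link. It also collects the bottom-of-stack (VPN) label per segment so you can confirm it stays constant while the transport label is swapped and then popped. The R8 and R11 traces are the ones shown earlier in the post.

```python
import re
from typing import Dict, List, Set, Tuple

Hop = Tuple[int, str, List[int]]   # (hop number, address, label stack top -> bottom)

# IOS traceroute hop line, with or without an "[MPLS: Label(s) a/b Exp n]" annotation.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\[MPLS: Labels? (?P<labels>\d+(?:/\d+)*) Exp \d+\])?"
)


def parse_trace(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        labels = [int(x) for x in m.group("labels").split("/")] if m.group("labels") else []
        hops.append((int(m.group("hop")), m.group("ip"), labels))
    return hops


def classify(labels: List[int]) -> str:
    if not labels:
        return "ip"                 # routed via IP (PE-CE link or the ASBR-ASBR VRF link)
    if len(labels) == 1:
        return "vpn-only"           # transport label already popped by PHP
    return "transport+vpn"          # full two-label stack inside the core


def hop_classes(hops: List[Hop]) -> List[str]:
    return [classify(labels) for _, _, labels in hops]


def lsp_segments(hops: List[Hop]) -> List[Tuple[int, int]]:
    """(first hop, last hop) of each run of labelled hops; one run per LSP."""
    segs, cur = [], []
    for hop, _, labels in hops:
        if labels:
            cur.append(hop)
        elif cur:
            segs.append((cur[0], cur[-1]))
            cur = []
    if cur:
        segs.append((cur[0], cur[-1]))
    return segs


def vpn_labels(hops: List[Hop]) -> List[Set[int]]:
    """Bottom-of-stack label(s) seen in each LSP segment; a set of size 1 means the VPN
    label rode unchanged through the segment while only the transport label changed."""
    out, cur = [], set()
    for _, _, labels in hops:
        if labels:
            cur.add(labels[-1])
        elif cur:
            out.append(cur)
            cur = set()
    if cur:
        out.append(cur)
    return out


def ip_hops_between_lsps(hops: List[Hop]) -> List[int]:
    """Hop numbers routed via IP that lie strictly between two LSP segments."""
    segs = lsp_segments(hops)
    between = []
    for (_, end_a), (start_b, _) in zip(segs, segs[1:]):
        between.extend(h for h, _, labels in hops if end_a < h < start_b and not labels)
    return between


def summarize(text: str) -> Dict[str, object]:
    hops = parse_trace(text)
    return {
        "classes": hop_classes(hops),
        "lsps": lsp_segments(hops),
        "vpn_labels": vpn_labels(hops),
        "ip_between": ip_hops_between_lsps(hops),
    }


# R8 -> R10 trace from the post (VRF A).
R8_TRACE = """\
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 10.8.20.20 15 msec 5 msec 6 msec
  2 20.6.20.6 [MPLS: Labels 17/24007 Exp 0] 48 msec 36 msec 95 msec
  3 20.6.19.19 [MPLS: Label 24007 Exp 0] 59 msec 37 msec 48 msec
  4 100.100.100.1 39 msec 42 msec 37 msec
  5 20.1.3.3 [MPLS: Labels 18/23 Exp 0] 94 msec 65 msec 69 msec
  6 10.4.10.4 [MPLS: Label 23 Exp 0] 63 msec 72 msec 58 msec
  7 10.4.10.10 70 msec *  83 msec
"""

# R11 -> R7 trace from the post (VRF B).
R11_TRACE = """\
  1 40.5.11.5 19 msec 10 msec 10 msec
  2 20.5.6.6 [MPLS: Labels 17/24010 Exp 0] 41 msec 48 msec 33 msec
  3 20.6.19.19 [MPLS: Label 24010 Exp 0] 69 msec 42 msec 68 msec
  4 200.200.200.1 41 msec 36 msec 44 msec
  5 20.1.3.3 [MPLS: Labels 17/22 Exp 0] 119 msec 57 msec 61 msec
  6 40.2.7.2 [MPLS: Label 22 Exp 0] 65 msec 102 msec 58 msec
  7 40.2.7.7 73 msec *  89 msec
"""

if __name__ == "__main__":
    print(summarize(R8_TRACE))
    print(summarize(R11_TRACE))
```

Two LSP segments with one IP hop between them is the Option A signature; if a trace ever showed a single segment spanning both ASes, something other than back-to-back VRF (Option B or C) would be in play.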

Overall a pretty fun lab to go through. The main thing to keep in mind is that this design is probably the easiest transition, but it doesn't scale well. You'll see what I mean as we hit Option B, C and A/B, then Carrier Supporting Carrier.

Config Link:
