MPLS Layer 3 VPNs Practical Configuration

2024-11-13

In our previous blog article we discussed the benefits and the fundamental principles of BGP/MPLS L3 VPNs. We have covered the definitions of the basic terms such as the Route Distinguisher (RD), the Route Target (RT) and the VPN-IPv4 prefix. This post goes further. We are going to support the theory behind the BGP/MPLS L3 VPNs with a practical configuration.

Our lab network consists of PE1, PE2 and P routers, which are part of a service provider’s MPLS network. There are two remote sites: 1 (with CustomerA_Site1 and CustomerB_Site1) and 2 (with CustomerA_Site2 and CustomerB_Site2) both connected to a service provider’s MPLS network. Our goal is to interconnect the remote customer sites so that they can communicate privately over a shared medium. This is where BGP/MPLS VPNs come in handy, separating traffic from both customers, using a combination of the VRF, MPLS and MP-BGP.

The customers use private addresses inside their routing domains, which overlap each other. For instance, both customers use the same prefix 172.16.1.0/24 for site 1 and 172.16.2.0/24 for site 2.

Picture 1: Network Topology


IGP Configuration on P and PE routers

First, we will configure an IGP among all P and PE routers to support LDP and BGP adjacencies within the provider network. Any IGP or static routes might be a choice. We can configure EIGRP, as all routers in our example are from Cisco.

PE1(config)# router eigrp 1
PE1(config-router)# network 10.0.0.8 0.0.0.3
PE1(config-router)# network 10.1.1.1 0.0.0.0

P(config)# router eigrp 1
P(config-router)# network 10.0.0.8 0.0.0.3
P(config-router)# network 10.0.0.12 0.0.0.3
P(config-router)# network 10.1.1.2 0.0.0.0

PE2(config)# router eigrp 1
PE2(config-router)# network 10.0.0.12 0.0.0.3
PE2(config-router)# network 10.1.1.3 0.0.0.0

eBGP Configuration On Customer Routers

Now let’s configure the eBGP adjacency between the CE and PE routers. The BGP AS number at each customer site must be unique and differ from the provider’s ASN. For instance, the customer A BGP AS number is 64401 at site 1 and 64402 at site 2. We also advertise each customer’s subnet from the CE to the PE router with the following network commands:

CE1A(config)# router bgp 64401
CE1A(config-router)# neighbor 10.0.0.1 remote-as 64501
CE1A(config-router)# network 172.16.1.0 mask 255.255.255.0

CE2A(config)# router bgp 64402
CE2A(config-router)# neighbor 10.0.0.17 remote-as 64501
CE2A(config-router)# network 172.16.2.0 mask 255.255.255.0

CE1B(config)# router bgp 64301
CE1B(config-router)# neighbor 10.0.0.5 remote-as 64501
CE1B(config-router)# network 172.16.1.0 mask 255.255.255.0

CE2B(config)# router bgp 64302
CE2B(config-router)# neighbor 10.0.0.21 remote-as 64501
CE2B(config-router)# network 172.16.2.0 mask 255.255.255.0

Configuring MP-BGP on PE Routers

Multiprotocol BGP is explained in RFC 4760. It defines the extensions to BGP-4 that enable it to carry routing information for multiple Network Layer protocols (e.g., IPv6, L3VPN). Therefore, we will configure MP-BGP to distribute the customers’ prefixes. The extensions are backward compatible. A router that supports the extensions can interoperate with a router that doesn’t support them.

An iBGP neighborship is formed between the PE routers, using ASN 64501. No BGP is configured on router P.

PE1(config)# router bgp 64501
PE1(config-router)# neighbor 10.1.1.3 remote-as 64501
PE1(config-router)# neighbor 10.1.1.3 update-source lo0
PE1(config-router)# address-family vpnv4
PE1(config-router-af)# neighbor 10.1.1.3 activate
PE1(config-router-af)# exit
Note: The command neighbor 10.1.1.3 send-community extended is automatically configured under the address-family vpnv4 section.

PE2(config)# router bgp 64501
PE2(config-router)# neighbor 10.1.1.1 remote-as 64501
PE2(config-router)# neighbor 10.1.1.1 update-source lo0
PE2(config-router)# address-family vpnv4
PE2(config-router-af)# neighbor 10.1.1.1 activate
PE2(config-router-af)# exit
Note: The command neighbor 10.1.1.1 send-community extended is automatically configured under the address-family vpnv4 section.

Enable MPLS on PE and P Routers

We need to enable MPLS in a provider’s network. Customers’ data are then switched in the MPLS network based on the outer (LSP) label. We will enable MPLS on a provider’s P router and on PE routers.

PE1(config)# interface GigabitEthernet 0/3
PE1(config-if)# mpls ip

P(config)# interface GigabitEthernet 0/3
P(config-if)# mpls ip
P(config)# interface GigabitEthernet 0/4
P(config-if)# mpls ip

PE2(config)# interface GigabitEthernet 0/4
PE2(config-if)# mpls ip

Create and Assign VRFs

Customers’ forwarding tables are separated by using the VPN routing and forwarding table (VRF) concept on the PE routers. One VRF is configured on the PE router for each customer. The PE router’s interface that connects the CE router to the provider’s MPLS network is then assigned to the customer VRF.

The route distinguisher is added on the PE router to the customer’s prefix to distinguish the same prefix and mask in different VRFs. For instance, the PE1 router announces prefixes RD1:172.16.1.0/24 and RD2:172.16.1.0/24 along with a VPN label to the PE2 router inside the BGP update message. The RD is used only to distinguish the prefixes and it has no impact on how the routes are installed into the VRFs.

The route target is an extended community attribute used for the import/export of VPN routes. For instance, a VPN prefix 172.16.1.0/24 sent from PE1 to PE2 inside of the MP-BGP update message and carrying the route-target 64501:1 is imported into VRF Customer A on PE2.

PE1(config)# ip vrf CustomerA
PE1(config-vrf)# rd 64501:1
PE1(config-vrf)# route-target both 64501:1
Note: the commands route-target export 64501:1 and route-target import 64501:1 are automatically configured under vrf configuration.
PE1(config-vrf)# ip vrf CustomerB
PE1(config-vrf)# rd 64501:2
PE1(config-vrf)# route-target both 64501:2
Note: the commands route-target export 64501:2 and route-target import 64501:2 are automatically configured under vrf configuration.

Now we need to assign the L3 interfaces to the customer VRFs.

PE1(config)# interface GigabitEthernet 0/1
PE1(config-if)# ip vrf forwarding CustomerA
PE1(config-if)# ip address 10.0.0.1 255.255.255.252

PE1(config)# interface GigabitEthernet 0/2
PE1(config-if)# ip vrf forwarding CustomerB
PE1(config-if)# ip address 10.0.0.5 255.255.255.252

We will create the same VRFs on PE2 and assign interfaces to VRFs.

PE2(config)# ip vrf CustomerA
PE2(config-vrf)# rd 64501:1
PE2(config-vrf)# route-target both 64501:1
PE2(config-vrf)# ip vrf CustomerB
PE2(config-vrf)# rd 64501:2
PE2(config-vrf)# route-target both 64501:2

PE2(config)# interface GigabitEthernet 0/1
PE2(config-if)# ip vrf forwarding CustomerA
PE2(config-if)# ip address 10.0.0.17 255.255.255.252

PE2(config)# interface GigabitEthernet 0/2
PE2(config-if)# ip vrf forwarding CustomerB
PE2(config-if)# ip address 10.0.0.21 255.255.255.252
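
Customer separation in this design rests entirely on the RD and route-target statements above, so they are worth checking mechanically on every PE. The following is an added example, not part of the original article: a small Python audit that parses "ip vrf" stanzas and flags an RD reused by two VRFs or a VRF importing a route target that another VRF exports. The sample config is constructed, and CustomerC with its values is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the article's two VRFs plus a hypothetical misconfigured CustomerC.
SAMPLE_CONFIG = """\
ip vrf CustomerA
 rd 64501:1
 route-target both 64501:1
ip vrf CustomerB
 rd 64501:2
 route-target both 64501:2
ip vrf CustomerC
 rd 64501:2
 route-target export 64501:3
 route-target import 64501:3
 route-target import 64501:1
"""

def parse_vrfs(config):
    """Return {vrf_name: {"rd": str or None, "import": set, "export": set}}."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip vrf (\S+)\s*$", line):
            current = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
        elif not line.startswith(" "):
            current = None                      # any other top-level line ends the stanza
        elif current is not None and (m := re.match(r"\s+rd (\S+)", line)):
            current["rd"] = m.group(1)
        elif current is not None and (m := re.match(r"\s+route-target (import|export|both) (\S+)", line)):
            for kind in ("import", "export") if m.group(1) == "both" else (m.group(1),):
                current[kind].add(m.group(2))
    return vrfs

def audit(vrfs):
    """Flag RDs reused across VRFs and VRFs importing another VRF's export RT."""
    findings, by_rd = [], defaultdict(list)
    for name, vrf in vrfs.items():
        if vrf["rd"]:
            by_rd[vrf["rd"]].append(name)
    for rd, names in sorted(by_rd.items()):
        if len(names) > 1:
            findings.append(("duplicate-rd", rd, tuple(sorted(names))))
    for name, vrf in sorted(vrfs.items()):
        for other, peer in sorted(vrfs.items()):
            shared = vrf["import"] & peer["export"]
            if other != name and shared:
                findings.append(("cross-import", name, other, tuple(sorted(shared))))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vrfs(SAMPLE_CONFIG)):
        print(finding)
```

A cross-import finding is not always an error, since shared route targets are also how intentional extranet VPNs are built; the point is that every such overlap should be one that was meant.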

Configure eBGP towards Customers on the PE Routers

So far, we have configured eBGP on the customers’ routers. However, we also need to define the BGP neighbors for the PE routers under address-family ipv4 vrf section, in order to establish the BGP adjacencies with the CE routers.

PE1(config)# router bgp 64501
PE1(config-router)# address-family ipv4 vrf CustomerA
PE1(config-router-af)# neighbor 10.0.0.2 remote-as 64401
PE1(config-router-af)# exit

PE1(config-router)# address-family ipv4 vrf CustomerB
PE1(config-router-af)# neighbor 10.0.0.6 remote-as 64301

PE2(config)# router bgp 64501
PE2(config-router)# address-family ipv4 vrf CustomerA
PE2(config-router-af)# neighbor 10.0.0.18 remote-as 64402
PE2(config-router-af)# exit

PE2(config-router)# address-family ipv4 vrf CustomerB
PE2(config-router-af)# neighbor 10.0.0.22 remote-as 64302

Inspecting the Forwarding Plane

Picture 2 depicts the traffic captured on the link between the PE1 and P routers while pinging from PC1A to PC2B. The outer MPLS label, the Label Switching Path (LSP) label, is 18 and is used for label switching. It is learned via LDP (Label Distribution Protocol) and has only local significance.

Picture 2:  Captured Traffic Between PE1 and P Routers


The MPLS forwarding table of PE1 is depicted in Picture 3.

Picture 3:  MPLS Forwarding Table of PE1 Router


The label 21 is the inner (VPN) label, added by the PE1 router. It is used to identify the correct next-hop (10.0.0.18) on the PE2 router for Customer A data traffic. The inner label is kept untouched by the P router. Only the PE routers perform either push or pop of the VPN labels. The VPN label for Customer B traffic is 22.

The P router is a transit router that performs pop of LSP labels 18 and 19 (Picture 4). This router takes the forwarding decision solely based on labels. The label 19 is the LSP label pushed on packet by PE2 router when sending traffic to 10.1.1.1.

Picture 4:  MPLS Forwarding Table of P Router


Picture 5 depicts the traffic captured on the link between the P and PE2 routers while issuing the ping command from PC1A to PC2B. There is only one MPLS header, with VPN label 21, because the P router has popped the label 18. Router PE2 removes the inner VPN header 21 and forwards the ICMP request as a plain IP packet to CE2A (10.0.0.18).

Picture 5:  Captured Traffic Between P and PE2 Routers


In the opposite direction, a packet carrying ICMP echo reply message from PC2A to PC1A contains the LSP label in the MPLS header. The VPN label is the same as in echo request (21) because both sides are customer A. Picture 6 depicts MPLS forwarding table of PE2 router.

Picture 6:  MPLS Forwarding Table of PE2 Router


Picture 7 depicts the forwarding table of the PE2 router for VRF Customer A. It contains two routes learned via BGP. They are the route 172.16.2.0/24 announced by the customer router CE2A and the route 172.16.1.0 advertised by the router PE1.

Picture 7:  VRF of Customer A on PE2 Router


Inspecting Control Plane

The BGP Update message sent from PE1 to PE2 is depicted in Picture 8. Notice that there is only one MPLS header, with LSP label 18; the VPN label is missing. It ensures that the MP-BGP message is sent via the MPLS network. The VPN label is distributed inside the MP-BGP update message along with the unique VPN-IPv4 prefix.

Picture 8:  BGP Update Message with LSP label 18


A VPN-IPv4 route is a customer’s route that is modified to be unique, so that customers can use the same private IP addresses. VPN-IPv4 routes consist of the Route Distinguisher (RD) and the prefix. Picture 9 shows the content of the NLRI inside the MP_REACH_NLRI path attribute. It is the prefix 172.16.1.0 with the RD 64501:2 and the label stack (VPN label) 22 (Customer B).

Picture 9:  Unique VPN-IPv4 Route


The BGP update message also contains the Path attribute – EXTENDED_COMMUNITIES where the route-target 64501:2 is located. It is shown in Picture 10.

Picture 10:  Route Target Inside Extended Community
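
To make the fields seen in Pictures 9 and 10 concrete, here is an added example (not from the original article) that encodes and decodes the Customer B VPN-IPv4 NLRI and its route-target extended community in Python. It assumes a type 0 RD (2-byte ASN : 4-byte number), a single label with the bottom-of-stack bit set, and a two-octet-AS route target; the function names are illustrative.

```python
import ipaddress
import struct

def encode_vpnv4_nlri(label, rd_asn, rd_num, prefix):
    """Build length | label | type-0 RD | prefix for one labeled VPN-IPv4 route."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    label_field = ((label << 4) | 1).to_bytes(3, "big")  # 20-bit label, bottom-of-stack bit set
    rd = struct.pack("!HHI", 0, rd_asn, rd_num)           # type 0: 2-byte ASN, 4-byte number
    length_bits = 24 + 64 + net.prefixlen                  # label + RD + prefix, in bits
    return bytes([length_bits]) + label_field + rd + net.network_address.packed[:nbytes]

def decode_vpnv4_nlri(data):
    """Parse one NLRI, rejecting truncated or inconsistent input."""
    if len(data) < 12:
        raise ValueError("NLRI shorter than length + label + RD")
    plen = data[0] - 88
    if not 0 <= plen <= 32:
        raise ValueError("length field does not describe an IPv4 prefix")
    nbytes = (plen + 7) // 8
    if len(data) != 12 + nbytes:
        raise ValueError("prefix bytes do not match the length field")
    rd_type, rd_asn, rd_num = struct.unpack("!HHI", data[4:12])
    if rd_type != 0:
        raise ValueError("only type 0 RDs (ASN:number) are handled here")
    addr = ipaddress.IPv4Address(data[12:] + bytes(4 - nbytes))
    return {"label": int.from_bytes(data[1:4], "big") >> 4,
            "rd": f"{rd_asn}:{rd_num}",
            "prefix": str(ipaddress.IPv4Network(f"{addr}/{plen}"))}

def encode_route_target(asn, num):
    """Two-octet-AS Route Target extended community: type 0x00, subtype 0x02."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)

def decode_route_target(community):
    """Return 'ASN:number' for an 8-byte two-octet-AS route target."""
    etype, subtype, asn, num = struct.unpack("!BBHI", community)
    if (etype, subtype) != (0x00, 0x02):
        raise ValueError("not a two-octet-AS route target")
    return f"{asn}:{num}"

if __name__ == "__main__":
    nlri = encode_vpnv4_nlri(22, 64501, 2, "172.16.1.0/24")  # Customer B route from Picture 9
    print(nlri.hex(), decode_vpnv4_nlri(nlri))
    print(encode_route_target(64501, 2).hex())
```

Encoding the same prefix with RD 64501:1 changes only the eight RD bytes, which is exactly what keeps the two customers' overlapping 172.16.1.0/24 routes distinct inside MP-BGP.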


Conclusion:

We have provided the exact configuration steps that can help our readers create BGP/MPLS L3 VPNs and grasp the overall concept. If you need to acquire more theoretical knowledge about the BGP/MPLS VPNs concept, read our first blog post.