Previous Section  < Day Day Up >  Next Section

Option 1: Inter-Provider VPN Using Back-to-Back VRF Method

The VRF-to-VRF approach is the simplest method for allowing MPLS VPN providers to exchange VPN routing information for CE sites in different MPLS domains. In this approach, the border provider edge (PE) routers residing in different autonomous systems function as ASBRs. These ASBRs are interconnected either via a single link consisting of logical subinterfaces or via multiple physical links. VRFs are configured on the ASBRs to collect VPN client routes. Each subinterface or interface connected between the ASBRs is dedicated to a single client VRF. The single client VRF can run eBGP, RIPv2, EIGRP, OSPF, or static routing to distribute the VPN routes to its adjacent peer. The use of eBGP is, however, the most common in back-to-back VRF method because eBGP scales best to this type of application, retaining the type of the route and offering better policy, scalability, and security mechanisms. In this method, the LSP paths in adjacent MPLS VPN autonomous systems are interconnected using the IP forwarding mechanism between the AS border routers.

Figure 7-4 shows an MPLS VPN network where sites in VPN-A and VPN-B are geographically dispersed. Site 1 and Site 2 in VPN-A have CE Routers CE1-A and CE2-A, which respectively connect to PE Routers PE1-AS1 and PE1-AS2, located in Service Provider 1 and Service Provider 2. Site 1 and Site 2 in VPN-B have CE Routers CE1-B and CE2-B, which respectively connect to PE Routers PE1-AS1 and PE1-AS2 located in Service Provider 1 and Service Provider 2.

Figure 7-4. Back-to-Back VRF Method

[View full size image]


Service Provider 1 uses BGP AS 1 and Service Provider 2 uses BGP AS 2. PE1-ASBR1-AS1 and PE2-ASBR2-AS2 are ASBR routers that are connected by multiple subinterfaces. The interfaces are associated with a given VRF (Cust_A for VPN-A and Cust_B for VPN-B). Conventional routing is configured between MPLS VPN sites to distribute IPv4 routes to its peers. Therefore, the ASBR Router PE2-ASBR1-AS1 treats the other ASBR Router PE2-ASBR2-AS2 as if it was a CE router; similarly, PE2-ASBR2-AS2 also treats the PE1-ASBR1-AS1 as a CE router. This approach enhances the usability of MPLS VPN backbones; however, it also introduces greater complexity because it requires dedicated VPN links between the adjacent ASBRs. The VPN routing information that is passed between the two ASBR routers, PE2-ASBR1-AS1 and PE2-ASBR2-AS2, is in IPv4 format.

Control Plane Forwarding in Option 1

In the back-to-back VRF method, the ASBRs use the IP forwarding mechanism to interconnect the LSP path between the two different MPLS VPN entities. Figure 7-5 shows the path taken by the control packet for 172.16.10.0/24 originating from CE1-A to CE2-A.

Figure 7-5. Control Plane Forwarding in Back-to-Back VRF Method

[View full size image]


Note

In this chapter, the control plane operation for VPN and LDP (IGP) label distribution is shown to occur simultaneously. This is done to provide more clarity to the entire operation and does not imply that they occur together. LDP label distribution can occur independent of the VPN label distribution.


Data Forwarding in Option 1

The data forwarding path originates from the 172.16.20.0 network (assuming the source is 172.16.20.1/24) with the traffic destined to 172.16.10.0 network (assuming the destination is 172.16.10.1). The source and destination are located on two different MPLS VPN provider networks. Figure 7-6 traces the path of the data packet from the source to the destination.

Figure 7-6. Data Forwarding in Back-to-Back VRF Method

[View full size image]


Configuring Back-to-Back VRF Method

In this chapter, the configuration steps will be shown for routers that are responsible for Inter-AS operations. The configuration for back-to-back VRF method on the ASBR routers is similar to any configuration on a PE router providing VPN services:

Step 1.
Configure VRF on the PE ASBR routers—Configure VRF and its parameters on the PE ASBR Routers PE2-ASBR1-AS1 and PE2-ASBR2-AS2. Example 7-1 shows the configuration procedure to enable VRF Cust_A on the PE ASBR routers. Similarly, configure Cust_B VRF and associate that VRF to the second subinterface S1/0.200.

Example 7-1. VRF Creation and Forwarding on PE ASBR Routers
PE2-ASBR1-AS1(config)#ip vrf Cust_A

PE2-ASBR1-AS1(config-vrf)#  rd 1:100

PE2-ASBR1-AS1(config-vrf)#  route-target export 1:100

PE2-ASBR1-AS1(config-vrf)#  route-target import 1:100

PE2-ASBR1-AS1(config-vrf)#interface Serial1/0.100 point-to-point

PE2-ASBR1-AS1(config-subif)#  description connected to Cust_A PE2-AS

PE2-ASBR1-AS1(config-subif)# ip vrf forwarding Cust_A

PE2-ASBR1-AS1(config-subif)# ip address 172.16.3.1 255.255.255.252

PE2-ASBR1-AS1(config-subif)# frame-relay interface-dlci 100

_______________________________________________________________________

PE2-ASBR2-AS2(config)#ip vrf Cust_A

PE2-ASBR2-AS2(config-vrf)#  rd 2:100

PE2-ASBR2-AS2(config-vrf)#  route-target export 2:100

PE2-ASBR2-AS2(config-vrf)#  route-target import 2:100

PE2-ASBR2-AS2(config-vrf)#interface Serial1/0.100 point-to-point

PE2-ASBR2-AS2(config-subif)# description connected to Cust_A PE2-ASBR1-AS1

PE2-ASBR2-AS2(config-subif)# ip vrf forwarding Cust_A

PE2-ASBR2-AS2(config-subif)# ip address 172.16.3.2 255.255.255.252

PE2-ASBR2-AS2(config-subif)# frame-relay interface-dlci 100

Step 2.
Enable per VRF PE-CE routing protocol—In this step, you enable per VRF routing protocol on ASBR routers. In this case, you will use eBGP PE-CE routing on the PE and ASBR routers, as shown in Example 7-2.

Example 7-2. Enable per VRF PE-CE Routing Protocol
PE2-ASBR1-AS1(config)#router bgp 1

PE2-ASBR1-AS1(config-router)# address-family ipv4 vrf Cust_A

PE2-ASBR1-AS1(config-router-af)# neighbor 172.16.3.2 remote-as 2

PE2-ASBR1-AS1(config-router-af)# neighbor 172.16.3.2 activate

PE2-ASBR1-AS1(config-router-af)# no auto-summary

PE2-ASBR1-AS1(config-router-af)# no synchronization

PE2-ASBR1-AS1(config-router-af)# exit-address-family

PE2-ASBR1-AS1(config-router)#address-family ipv4 vrf Cust_B

PE2-ASBR1-AS1(config-router-af)# neighbor 192.168.3.2 remote-as 2

PE2-ASBR1-AS1(config-router-af)# neighbor 192.168.3.2 activate

PE2-ASBR1-AS1(config-router-af)# no auto-summary

PE2-ASBR1-AS1(config-router-af)# no synchronization

PE2-ASBR1-AS1(config-router-af)# exit-address-family

_____________________________________________________________________

PE2-ASBR2-AS2(config)# router bgp 2

PE2-ASBR2-AS2(config-router)# address-family ipv4 vrf Cust_A

PE2-ASBR2-AS2(config-router-af)# neighbor 172.16.3.1 remote-as 1

PE2-ASBR2-AS2(config-router-af)# neighbor 172.16.3.1 activate

PE2-ASBR2-AS2(config-router-af)# no auto-summary

__________________________________________________________________________

PE2-ASBR2-AS2(config-router-af)# no synchronization

PE2-ASBR2-AS2(config-router-af)# exit-address-family

PE2-ASBR2-AS2(config-router)#address-family ipv4 vrf Cust_B

PE2-ASBR2-AS2(config-router-af)# neighbor 192.168.3.1 remote-as 1

PE2-ASBR2-AS2(config-router-af)# neighbor 192.168.3.1 activate

PE2-ASBR2-AS2(config-router-af)# no auto-summary

PE2-ASBR2-AS2(config-router-af)# no synchronization

PE2-ASBR2-AS2(config-router-af)# exit-address-family

CE CE1-A and CE2-A Configuration for Option 1

Example 7-3 shows the configurations on Customer A CE routers.

Example 7-3. CE CE1-A and CE2-A Configuration
hostname CE1-A

!

interface Ethernet0/0

 description Customer A Site 1 network

 ip address 172.16.10.1 255.255.255.0

!

interface Serial1/0

 description connected to PE1-AS1

 ip address 172.16.1.2 255.255.255.252

 !

router bgp 65001

no synchronization

bgp log-neighbor-changes

network 172.16.10.0 mask 255.255.255.0

neighbor 172.16.1.1 remote-as 1

no auto-summary

__________________________________________________________________________

hostname CE2-A

!

interface Ethernet0/0

 description Customer A Site 2 network

 ip address 172.16.20.1 255.255.255.0

!

interface Serial1/0

 description connected to PE1-AS2

 ip address 172.16.2.2 255.255.255.252

!

router bgp 65002

 no synchronization

 bgp log-neighbor-changes

 network 172.16.20.0 mask 255.255.255.0

 neighbor 172.16.2.1 remote-as 2

 no auto-summary

Example 7-4 shows the configurations on Customer B CE routers.

Example 7-4. CE CE1-B and CE2-B Configuration
hostname CE1-B

!

interface Ethernet0/0

 description Customer B Site 1 network

 ip address 192.168.10.1 255.255.255.0

 no keepalive

!

interface Serial1/0

 description connected to PE1-AS1

 ip address 192.168.1.2 255.255.255.252

!

router bgp 65001

 no synchronization

 bgp log-neighbor-changes

 network 192.168.10.0

 neighbor 192.168.1.1 remote-as 1

 no auto-summary

hostname CE2-B

!

interface Ethernet0/0

 description Customer B Site 2 network

 ip address 192.168.20.1 255.255.255.0

 no keepalive

!

interface Serial1/0

 description connected to PE1-AS2

 ip address 192.168.2.2 255.255.255.252

!

router bgp 65001

 no synchronization

 bgp log-neighbor-changes

 network 192.168.20.0

 neighbor 192.168.2.1 remote-as 2

 no auto-summary

Provider Router, PE, and PE ASBR Router Configurations for Option 1

Example 7-5 shows final configuration on the PE1, PE2, and P1 routers.

Example 7-5. Provider, PE, and ASBR Router Configurations
hostname PE1-AS1

!

ip cef

!

ip vrf Cust_A

 rd 1:100

 route-target export 1:100

 route-target import 1:100

!

ip vrf Cust_B

 rd 1:101

 route-target export 1:101

 route-target import 1:101

!

mpls ldp router-id Loopback0

!

interface Loopback0

 ip address 10.10.10.101 255.255.255.255

!

interface Serial0/0

 description connected to P1-AS1

 ip address 10.10.10.1 255.255.255.252

 mpls ip

!

interface Serial1/0

 description connected to Cust_A CE1-A

 ip vrf forwarding Cust_A

 ip address 172.16.1.1 255.255.255.252

!

interface Serial2/0

 description connected to Cust_B CE1-B

 ip vrf forwarding Cust_B

 ip address 192.168.1.1 255.255.255.252

!

router ospf 1

 router-id 10.10.10.101

 network 10.0.0.0 0.255.255.255 area 0

!

router bgp 1

 no synchronization

 neighbor 10.10.10.200 remote-as 1

 neighbor 10.10.10.200 update-source Loopback0

 no auto-summary

 !

 address-family vpnv4

 neighbor 10.10.10.200 activate

 neighbor 10.10.10.200 send-community extended

 exit-address-family

 !

 address-family ipv4 vrf Cust_B

 neighbor 192.168.1.2 remote-as 65001

 neighbor 192.168.1.2 activate

 neighbor 192.168.1.2 as-override

 no auto-summary

 no synchronization

 exit-address-family

 !

 address-family ipv4 vrf Cust_A

 neighbor 172.16.1.2 remote-as 65001

 neighbor 172.16.1.2 activate

 no auto-summary

 no synchronization

 exit-address-family

__________________________________________________________________________

hostname PE2-AS1-ASBR1

!

ip cef

!

ip vrf Cust_A

 rd 1:100

 route-target export 1:100

 route-target import 1:100

!

ip vrf Cust_B

 rd 1:101

 route-target export 1:101

 route-target import 1:101

!

mpls ldp router-id Loopback0

!

interface Loopback0

 ip address 10.10.10.102 255.255.255.255

!

interface Serial0/0

 description connected to P1-AS1

 ip address 10.10.10.5 255.255.255.252

 mpls ip

!

interface Serial1/0

 no ip address

 encapsulation frame-relay

!

interface Serial1/0.100 point-to-point

 description connected to Cust_A PE2-AS2-ASBR2

 ip vrf forwarding Cust_A

 ip address 172.16.3.1 255.255.255.252

 frame-relay interface-dlci 100

!

interface Serial1/0.200 point-to-point

 description connected to Cust_B PE2-AS2-ASBR2

 ip vrf forwarding Cust_B

 ip address 192.168.3.1 255.255.255.252

 frame-relay interface-dlci 200

!

router ospf 1

 router-id 10.10.10.102

 network 10.0.0.0 0.255.255.255 area 0

!

router bgp 1

 no synchronization

 neighbor 10.10.10.200 remote-as 1

 neighbor 10.10.10.200 update-source Loopback0

 no auto-summary

 !

 address-family vpnv4

 neighbor 10.10.10.200 activate

 neighbor 10.10.10.200 send-community extended

 exit-address-family

 !

 address-family ipv4 vrf Cust_B

 neighbor 192.168.3.2 remote-as 2

 neighbor 192.168.3.2 activate

 no auto-summary

 no synchronization

 exit-address-family

 !

 address-family ipv4 vrf Cust_A

 neighbor 172.16.3.2 remote-as 2

 neighbor 172.16.3.2 activate

 no auto-summary

 no synchronization

 exit-address-family

__________________________________________________________________________

hostname P1-AS1-RR

!

ip cef

!

mpls ldp router-id Loopback0

!

interface Loopback0

 ip address 10.10.10.200 255.255.255.255

!

interface Serial0/0

 description connected to PE1-AS1

 ip address 10.10.10.2 255.255.255.252

 mpls ip

!

interface Serial1/0

 description connected to PE2-AS1-ASBR1

 ip address 10.10.10.6 255.255.255.252

 mpls ip

!

router ospf 1

 router-id 10.10.10.200

 log-adjacency-changes

 network 10.0.0.0 0.255.255.255 area 0

!

router bgp 1

 no bgp default ipv4-unicast

 neighbor 10.10.10.101 remote-as 1

 neighbor 10.10.10.101 update-source Loopback0

 neighbor 10.10.10.102 remote-as 1

 neighbor 10.10.10.102 update-source Loopback0

 !

 address-family vpnv4

 neighbor 10.10.10.101 activate

 neighbor 10.10.10.101 send-community extended

 neighbor 10.10.10.101 route-reflector-client

 neighbor 10.10.10.102 activate

 neighbor 10.10.10.102 send-community extended

 neighbor 10.10.10.102 route-reflector-client

 exit-address-family

__________________________________________________________________________

hostname P1-AS2-RR

!

ip cef

!

mpls ldp router-id Loopback0

!

interface Loopback0

 ip address 10.20.20.200 255.255.255.255

!

interface Serial0/0

 description connected to PE2-AS2-ASBR2

 ip address 10.20.20.6 255.255.255.252

 mpls ip

!

interface Serial1/0

 description connected to PE1-AS2

 ip address 10.20.20.2 255.255.255.252

 mpls ip

!

router ospf 2

 router-id 10.20.20.200

 log-adjacency-changes

 network 10.0.0.0 0.255.255.255 area 0

!

router bgp 2

 no bgp default ipv4-unicast

 neighbor 10.20.20.101 remote-as 2

 neighbor 10.20.20.101 update-source Loopback0

 neighbor 10.20.20.102 remote-as 2

 neighbor 10.20.20.102 update-source Loopback0

 !

 address-family vpnv4

 neighbor 10.20.20.101 activate

 neighbor 10.20.20.101 send-community extended

 neighbor 10.20.20.101 route-reflector-client

 neighbor 10.20.20.102 activate

 neighbor 10.20.20.102 send-community extended

 neighbor 10.20.20.102 route-reflector-client

 exit-address-family

__________________________________________________________________________

hostname PE2-AS2-ASBR2

!

ip cef

!

ip vrf Cust_A

 rd 2:100

 route-target export 2:100

 route-target import 2:100

!

ip vrf Cust_B

 rd 2:101

 route-target export 2:101

 route-target import 2:101

!

frame-relay switching

!

mpls ldp router-id Loopback0

!

interface Loopback0

 ip address 10.20.20.102 255.255.255.255

!

interface Serial0/0

 description connected to P1-AS2

 ip address 10.20.20.5 255.255.255.252

 mpls ip

!

interface Serial1/0

 no ip address

 encapsulation frame-relay

 frame-relay intf-type dce

!

interface Serial1/0.100 point-to-point

 description connected to Cust_A PE2-AS1-ASBR1

 ip vrf forwarding Cust_A

 ip address 172.16.3.2 255.255.255.252

 frame-relay interface-dlci 100

!

interface Serial1/0.200 point-to-point

 description connected to Cust_B PE2-AS1-ASBR1

 ip vrf forwarding Cust_B

 ip address 192.168.3.2 255.255.255.252

 frame-relay interface-dlci 200

!

router ospf 2

 router-id 10.20.20.102

 network 10.0.0.0 0.255.255.255 area 0

!

router bgp 2

 no synchronization

 neighbor 10.20.20.200 remote-as 2

 neighbor 10.20.20.200 update-source Loopback0

 no auto-summary

 !

 address-family vpnv4

 neighbor 10.20.20.200 activate

 neighbor 10.20.20.200 send-community extended

 exit-address-family

 !

 address-family ipv4 vrf Cust_B

 neighbor 192.168.3.1 remote-as 1

 neighbor 192.168.3.1 activate

 no auto-summary

 no synchronization

 exit-address-family

 !

 address-family ipv4 vrf Cust_A

 neighbor 172.16.3.1 remote-as 1

 neighbor 172.16.3.1 activate

 no auto-summary

 no synchronization

 exit-address-family

__________________________________________________________________________

hostname PE1-AS2

!

ip cef

!

ip vrf Cust_A

 rd 2:100

 route-target export 2:100

 route-target import 2:100

!

ip vrf Cust_B

 rd 2:101

 route-target export 2:101

 route-target import 2:101

!

mpls ldp router-id Loopback0

!

interface Loopback0

 ip address 10.20.20.101 255.255.255.255

!

interface Serial0/0

 description connected to P1-AS2

 ip address 10.20.20.1 255.255.255.252

 mpls ip

!

interface Serial1/0

 description connected to Cust_A CE2-A

 ip vrf forwarding Cust_A

 ip address 172.16.2.1 255.255.255.252

!

interface Serial2/0

 description connected to Cust_B CE2-B

 ip vrf forwarding Cust_B

 ip address 192.168.2.1 255.255.255.252

!

router ospf 2

 router-id 10.20.20.101

 network 10.0.0.0 0.255.255.255 area 0

!

router bgp 2

 no synchronization

 neighbor 10.20.20.200 remote-as 2

 neighbor 10.20.20.200 update-source Loopback0

 no auto-summary

 !

 address-family vpnv4

 neighbor 10.20.20.200 activate

 neighbor 10.20.20.200 send-community extended

 exit-address-family

 !

 address-family ipv4 vrf Cust_B

 neighbor 192.168.2.2 remote-as 65001

 neighbor 192.168.2.2 activate

 neighbor 192.168.2.2 as-override

 no auto-summary

 no synchronization

 exit-address-family

 !

 address-family ipv4 vrf Cust_A

 neighbor 172.16.2.2 remote-as 65002

 neighbor 172.16.2.2 activate

 no auto-summary

 no synchronization

 exit-address-family

Verifying Option 1

The steps to verify back-to-back VRF operation are

Step 1.
Verify control plane operation?a class="docLink" href="#ch07fig07">Figure 7-7 shows the control plane traffic traversing AS 1 and AS 2. The control plane traffic is demonstrated for the 172.16.10.0/24 update sent by CE1-A to CE2-A.

Figure 7-7. Control Plane Forwarding in AS1 Using Back-to-Back VRF Method

[View full size image]


Step 2.
Verify data forwarding in back-to-back VRF method?a class="docLink" href="#ch07fig08">Figure 7-8 shows the data plane forwarding that takes place for a packet sourced from 172.16.20.1 to 172.16.10.1.

Figure 7-8. Data Plane Forwarding in Back-to-Back VRF Method

[View full size image]


Step 3.
Verify end-to-end connectivity via ping—Verify end-to-end connectivity between CE1-B and CE2-B by issuing a ping from CE1-B to network 172.16.20.1/24 on CE2-B and vice versa. Example 7-6 shows the result of the ping operation.

Example 7-6. Verify End-to-End Connectivity
CE1-A#ping 172.16.20.1 source 172.16.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:

Packet sent with a source address of 172.16.10.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 140/140/140 ms

__________________________________________________________________________

CE1-B#ping 192.168.20.1 source 192.168.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 132/138/140 ms

    Previous Section  < Day Day Up >  Next Section