Cisco IOS Software Releases 12.2 SB

MPLS VPN Half-Duplex VRF


This module explains how to ensure that virtual private network (VPN) clients that connect to the same provider edge (PE) router at the edge of the Multiprotocol Label Switching (MPLS) VPN use the hub site to communicate. This feature prevents the VPN clients from bypassing the hub site and communicating directly with each other. It also provides scalable hub-and-spoke connectivity for subscribers of an MPLS VPN service by removing the requirement of one VRF per spoke.

Feature Module History

This module was first published on May 2, 2005, and was most recently updated on May 23, 2006.

Feature Name
Releases
Feature Configuration Information

MPLS VPN: Half Duplex VRF Support

12.3(6)

12.3(11)T

This feature ensures that VPN clients that connect to the same PE router at the edge of the MPLS VPN use the hub site to communicate.

Configuring Scalable Hub-and-Spoke MPLS VPNs

12.2(28)SB

The feature was integrated into the SB train.

MPLS VPN Half-Duplex VRF

12.2(28)SB2

Support for dynamic routing protocols was added.

For the Cisco 10000 series routers, see the "Half-Duplex VRF" section of the "Configuring Multiprotocol Label Switching" chapter in the Cisco 10000 Series Router Broadband Aggregation, Leased-Line, and MPLS Configuration Guide at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/swconfig/cfggdes/bba/dffsrv.htm#wp1065648


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Configuring MPLS VPN Half-Duplex VRF

Restrictions for MPLS VPN Half-Duplex VRF

Information about Configuring MPLS VPN Half-Duplex VRF

How to Configure MPLS VPN Half-Duplex VRF

Configuration Examples for MPLS VPN Half-Duplex VRF

Additional References

Prerequisites for Configuring MPLS VPN Half-Duplex VRF

You must have a working MPLS core network.

Restrictions for MPLS VPN Half-Duplex VRF

The following are not supported on interfaces configured with MPLS VPN Half-Duplex VRF:

Multicast

Carrier-Supporting-Carrier

Inter-Autonomous System

Information about Configuring MPLS VPN Half-Duplex VRF

To configure this feature, you need to understand the following concepts:

Overview

Upstream and Downstream VRFs

Reverse Path Forwarding Check

For information about this feature on the Cisco 10000 series routers, see the "Half-Duplex VRF" section of the "Configuring Multiprotocol Label Switching" chapter in the Cisco 10000 Series Router Broadband Aggregation, Leased-Line, and MPLS Configuration Guide at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/swconfig/cfggdes/bba/dffsrv.htm#wp1065648

Overview

This feature prevents local connectivity between subscribers at the spoke provider edge (PE) router and ensures that a hub site instead provides the subscriber connectivity. Any sites that connect to the same PE router must forward intersite traffic using the hub site. This ensures that the routing done at the spoke site moves from the access-side interface to the network-side interface or from the network-side interface to the access-side interface, but never directly from one access-side interface to another access-side interface.

Therefore, this feature prevents situations where the spoke PE router would locally switch the spokes without passing the traffic through the hub site. Thus, subscribers are prevented from directly connecting to each other.

This feature eases configuration by removing an earlier requirement of one VRF per spoke. In earlier releases, when spokes connected to the same PE router, each spoke was configured in a separate VRF to ensure that the traffic between the spokes traversed the central link between the wholesale service provider and the ISP. However, this solution was not scalable. When many spokes connected to the same PE router, configuration of VRFs for each spoke became quite complex and greatly increased memory usage. This was especially true in large-scale environments that supported high-density remote access to Layer 3 VPNs.

Initially, these improvements were implemented in broadband and remote access situations using only static routing among the spokes. Now this feature is also available for standard VPN contexts (including PPPoX and 802.1q VLANs)—employing dynamic routing, numbered IP addresses, and Layer 2 encapsulations.

Figure 1 shows a sample hub-and-spoke topology.

Figure 1 Hub-and-Spoke Topology

Upstream and Downstream VRFs

This feature uses two unidirectional VRFs to forward IP traffic between the spokes and the hub PE router:

The upstream VRF forwards IP traffic from the spokes toward the hub PE router. This VRF typically contains only a default route but might also contain summary routes and several default routes. The default route points to the interface on the hub PE router that connects to the upstream ISP. The router dynamically learns about the default route from the routing updates that the hub PE router or home gateway sends.


Note: Although the upstream VRF is typically populated from the hub, the spoke PE can also have a separate local upstream interface for a different local service that is not required to go through the hub, for example, a local DNS or game server service.


The downstream VRF forwards traffic from the hub PE router back to the spokes. This VRF can contain:

Point-to-Point Protocol (PPP) peer routes for the spokes and per-user static routes received from the Authentication, Authorization, and Accounting (AAA) server or from the DHCP server

Routes imported from the hub PE router

BGP, OSPF, RIP, or EIGRP dynamic routes for the spokes.

The spoke PE router redistributes routes from the downstream VRF into Multiprotocol Border Gateway Protocol (MP-BGP). That router typically advertises a summary route across the MPLS core for the connected spokes. The VRF configured on the hub PE router imports the advertised summary route.

Reverse Path Forwarding Check

The unicast Reverse Path Forwarding (RPF) check ensures that an IP packet which enters a router uses the correct inbound interface. This feature supports unicast RPF check on the spoke-side interfaces. Because different VRFs are used for downstream and upstream forwarding, the RPF mechanism ensures that source address checks occur in the downstream VRF.

Unicast RPF is not on by default. You need to enable it, as described in Configuring Unicast Reverse Path Forwarding.
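
The following Python example is added here and is not part of the Cisco documentation. It models the spoke PE forwarding decision described in the two sections above. The route tables are constructed, modelled on the broadband show ip route vrf output later in this module; the label core:hub-PE, the SINGLE_VRF contrast table, and the strict-mode RPF comparison are assumptions of the example.

```python
import ipaddress

# Constructed tables, modelled on this module's broadband "show ip route vrf" output.
UPSTREAM = {"0.0.0.0/0": "core:hub-PE"}             # VRF U: default route from the hub
DOWNSTREAM = {"10.8.1.1/32": "Virtual-Access3",     # VRF D: one route per spoke
              "10.8.1.2/32": "Virtual-Access4"}
SPOKE_IFS = {"Virtual-Access3", "Virtual-Access4"}  # bound with "downstream D"
# Contrast case (assumption): one ordinary VRF holding the default and all spoke routes.
SINGLE_VRF = {**UPSTREAM, **DOWNSTREAM}


def lookup(table, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, out_if in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best[1] if best else None


def forward(in_if, src, dst, upstream=UPSTREAM, downstream=DOWNSTREAM, rpf=True):
    """Forwarding decision on the spoke PE for one packet."""
    if in_if in SPOKE_IFS:
        # RPF check: the source is looked up in the downstream VRF and must
        # resolve to the interface the packet arrived on (strict mode assumed).
        if rpf and lookup(downstream, src) != in_if:
            return "drop (uRPF)"
        # Access-side ingress is always routed with the upstream VRF.
        return lookup(upstream, dst) or "drop (no route)"
    # Network-side ingress is routed with the downstream VRF.
    return lookup(downstream, dst) or "drop (no route)"


if __name__ == "__main__":
    # Spoke on Virtual-Access3 sends to the spoke on Virtual-Access4.
    print("half-duplex :", forward("Virtual-Access3", "10.8.1.1", "10.8.1.2"))
    print("from hub    :", forward("core:hub-PE", "10.8.1.1", "10.8.1.2"))
    print("single VRF  :", forward("Virtual-Access3", "10.8.1.1", "10.8.1.2",
                                   SINGLE_VRF, SINGLE_VRF))
    print("spoofed src :", forward("Virtual-Access3", "10.8.1.2", "192.0.2.9"))
```

With the two unidirectional tables the spoke-to-spoke packet leaves toward the hub and only reaches Virtual-Access4 on its way back from the core; with a single table holding both sets of routes the same packet is switched locally.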

How to Configure MPLS VPN Half-Duplex VRF

This section contains the following procedures:

Configuring the Upstream and Downstream VRFs on the Spoke PE Router (required)

Associating VRFs (required)

Configuring the Downstream VRF for an AAA Server (optional)

Verifying the Configuration (optional)

To configure this feature on the Cisco 10000 series routers, see the "Half-Duplex VRF" section of the "Configuring Multiprotocol Label Switching" chapter in the Cisco 10000 Series Router Broadband Aggregation, Leased-Line, and MPLS Configuration Guide at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/swconfig/cfggdes/bba/dffsrv.htm#wp1065648

Configuring the Upstream and Downstream VRFs on the Spoke PE Router

To configure the upstream and downstream VRFs on the PE router or on the spoke PE router, use the following procedure.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip vrf vrf-name

4. rd route-distinguisher

5. route-target {import | export | both} route-target-ext-community

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip vrf vrf-name

Example:

Router(config)# ip vrf U

Enters VRF configuration mode and defines the VRF instance by assigning a VRF name.

Step 4 

rd route-distinguisher

Example:

Router(config-vrf)# rd 1:0

Creates routing and forwarding tables.

Step 5 

route-target {import | export | both} route-target-ext-community

Example:

Router(config-vrf)# route-target import 1:0

Creates a list of import and export route target communities for the specified VRF.

The import keyword is required to create an upstream VRF. The upstream VRF is used to import the default route from the hub PE router.

The export keyword is required to create a downstream VRF. The downstream VRF is used to export the routes of all subscribers of a given service that the VRF serves.

Step 6 

exit

Example:

Router(config-vrf)# exit

Returns to global configuration mode.

Associating VRFs

After you define and configure the VRFs on the PE routers, associate each VRF with the following:

Interface or subinterface

In the case of broadband or remote-access, a virtual template interface

The virtual template interface is used to create and configure a virtual access interface (VAI).

To associate a VRF, enter the following commands on the PE router.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

or

interface virtual-template number

4. ip vrf forwarding vrf-name1 [downstream vrf-name2]

5. ip address ip-address mask

or

ip unnumbered type number

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface POS3/0/1

[For standard VPN situations]: Moves configuration to a spoke-CE-facing interface or subinterface, and enters interface configuration mode.

or

interface virtual-template number

Example:

Router(config)# interface virtual-template 1

[For broadband or remote access situations]: Creates a virtual template interface that can be configured and applied dynamically in creating spoke-CE-facing virtual access interfaces, and enters interface configuration mode.

Step 4 

ip vrf forwarding vrf-name1 [downstream vrf-name2]

Example:

Router(config-if)# ip vrf forwarding vpn1 downstream D

Associates the interface, subinterface, or virtual template interface with the VRF you specify.

The vrf-name1 argument is the name of the VRF associated with the interface, subinterface, or virtual template interface.

The vrf-name2 argument is the name of the downstream VRF into which the peer and per-user routes are installed. [If an AAA server is used, it provides the VRF membership; you do not need to configure the VRF members on virtual templates.]

Step 5 

ip address ip-address mask

Example:

Router(config-if)# ip address 10.0.0.1 255.0.0.0

[For standard VPN situations]: Enables IP processing on the specified interface.

or

ip unnumbered type number

Example:

Router(config-if)# ip unnumbered Loopback1

[For broadband or remote access situations]: Enables IP processing on an interface without assigning it an explicit IP address. The type and number arguments are the type and number of another interface on which this router has an assigned IP address. That other interface cannot be unnumbered.

Step 6 

exit

Example:

Router(config-if)# exit

Returns to global configuration mode.

Configuring the Downstream VRF for an AAA Server

To configure the downstream VRF for an AAA (RADIUS) server in broadband or remote access situations, enter the following Cisco attribute value:

lcp:interface-config=ip vrf forwarding U downstream D

In standard VPN situations, enter instead the following Cisco attribute value:

ip:vrf-id=U downstream D

Verifying the Configuration

To verify the configuration, perform the following steps.

SUMMARY STEPS

1. show ip vrf [brief | detail | interfaces | id] [vrf-name] [output-modifiers]

2. show ip route vrf vrf-name

3. show running-config [interface type number]

DETAILED STEPS


Step 1 show ip vrf [brief | detail | interfaces | id] [vrf-name] [output-modifiers]

Use this command to display information about all of the VRFs configured on the router, including the downstream VRF for each associated interface or VAI.

Router# show ip vrf
  Name                             Default RD          Interfaces
  Down                             100:1               POS3/0/3 [D]
                                                       POS3/0/1 [D]
                                   100:3               Loopback2
                                                       Virtual-Access3 [D]
                                                       Virtual-Access4 [D]

  Up                               100:2               POS3/0/3
                                                       POS3/0/1
                                   100:4               Virtual-Access3
                                                       Virtual-Access4

show ip vrf detail vrf-name

Use this command to display detailed information about the VRF you specify, including all interfaces, subinterfaces and VAIs associated with the VRF.

If you do not specify a value for vrf-name, detailed information about all of the VRFs configured on the router appears.

The following example shows how to display detailed information for the VRF called vrf1, in a broadband or remote access case.

Router# show ip vrf detail vrf1 

VRF D; default RD 2:0; default VPNID <not set>
  Interfaces:
         Loopback2           Virtual-Access3 [D]  Virtual-Access4 [D]
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:2:0                 
  Import VPN route-target communities
    RT:2:1                 
  No import route-map
  No export route-map
VRF U; default RD 2:1; default VPNID <not set>
  Interfaces:
    Virtual-Access3          Virtual-Access4         
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  Import VPN route-target communities
    RT:2:1                 
  No import route-map
  No export route-map

The following example shows the vrf detail in a standard VPN situation.

Router# show ip vrf detail
VRF Down; default RD 100:1; default VPNID <not set> VRF Table ID = 1
  Description: import only from hub-pe
  Interfaces:
    Pos3/0/3 [D]        Pos3/0/1:0.1 [D]       
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:100:0                
  Import VPN route-target communities
    RT:100:1                
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured 
VRF Up; default RD 100:2; default VPNID <not set> VRF Table ID = 2
  Interfaces:
    Pos3/0/1            Pos3/0/3           
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  Import VPN route-target communities
    RT:100:1                
  No import route-map
  No export route-map
  VRF label distribution protocol: not configured

Step 2 show ip route vrf vrf-name

Use this command to display the IP routing table for the VRF you specify, and information about the per-user routes installed in the downstream VRF.

The following example shows how to display the routing table for the downstream VRF named D, in a broadband or remote access situation.

Router# show ip route vrf D 

Routing Table: D
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS interarea
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
U       10.0.0.2/32 [1/0] via 2.8.1.1
S       10.0.0.0/8 is directly connected, Null0
U       10.0.0.5/32 [1/0] via 2.8.1.2
C       10.8.1.2/32 is directly connected, Virtual-Access4
C       10.8.1.1/32 is directly connected, Virtual-Access3

The following example shows how to display the routing table for the downstream VRF named Down, in a standard VPN situation.

Router# show ip route vrf Down 
Routing Table: Down
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.13.13.13 to network 0.0.0.0

C    10.2.0.0/8 is directly connected, Pos3/0/3
     10.3.0.0/32 is subnetted, 1 subnets
B       10.4.16.16 [200/0] via 10.13.13.13, 1w3d
B    10.6.0.0/8 [200/0] via 10.13.13.13, 1w3d
C    10.0.0.0/8 is directly connected, Pos3/0/1
     10.7.0.0/16 is subnetted, 1 subnets
B       10.7.0.0 [20/0] via 10.0.0.2, 1w3d
     10.0.6.0/32 is subnetted, 1 subnets
B       10.0.6.14 [20/0] via 10.0.0.2, 1w3d
     10.8.0.0/32 is subnetted, 1 subnets
B       10.8.15.15 [20/0] via 34.0.0.2, 1w3d
B*   0.0.0.0/0 [200/0] via 13.13.13.13, 1w3d

The following example shows how to display the routing table for the upstream VRF named U in a broadband or remote access situation.

Router# show ip route vrf U 

Routing Table: U
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS interarea
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.0.20 to network 0.0.0.0

     10.0.0.0/32 is subnetted, 1 subnets
C       10.0.0.8 is directly connected, Loopback2
B*   0.0.0.0/0 [200/0] via 192.168.0.20, 1w5d

The following example shows how to display the routing table for the upstream VRF named Up in a standard VPN situation.

Router# show ip route vrf Up 
Routing Table: Up
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.13.13.13 to network 0.0.0.0

     10.2.0.0/32 is subnetted, 1 subnets
C       10.2.0.1 is directly connected, Pos3/0/3
     10.3.0.0/32 is subnetted, 1 subnets
B       10.3.16.16 [200/0] via 10.13.13.13, 1w3d
B    10.6.0.0/8 [200/0] via 10.13.13.13, 1w3d
     10.0.0.0/32 is subnetted, 1 subnets
C       10.0.0.1 is directly connected, Pos3/0/1
B*   0.0.0.0/0 [200/0] via 10.13.13.13, 1w3d

Step 3 show running-config [interface type number]

Use this command to display information about the interface, subinterface or VAI you specify, including information about the associated upstream and downstream VRFs.

The following example shows how to display information about the subinterface named POS3/0/1.

Router# show running-config interface POS3/0/1

Building configuration...

Current configuration : 4261 bytes
!
interface POS3/0/1
 ip vrf forwarding Up downstream Down
 ip address 10.0.0.1 255.0.0.0
end

The following example shows how to display information about the interface named virtual-access 4.

Router# show running-config interface virtual-access 4

Building configuration...

Current configuration : 92 bytes
!
interface Virtual-Access4
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
end
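
The checks in this section can also be run offline against a saved running configuration. The following Python example is added here and is not Cisco code; it parses the VRF definitions and the ip vrf forwarding ... downstream bindings and reports route-target combinations that would put spoke routes into the upstream VRF. Treating an export target on the upstream VRF as a finding is an assumption drawn from the examples in this module, and SPOKE_PE_LEAKY is a constructed misconfiguration.

```python
import re

# VRF and interface lines from this module's static CE-PE routing example.
SPOKE_PE_OK = """\
ip vrf D
 rd 1:8
 route-target export 1:100
!
ip vrf U
 rd 1:0
 route-target import 1:0
!
interface Loopback2
 ip vrf forwarding U
 ip address 10.0.0.8 255.255.255.255
!
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
"""

# Constructed misconfiguration: U also imports the target that D exports.
SPOKE_PE_LEAKY = SPOKE_PE_OK.replace(
    " route-target import 1:0\n",
    " route-target import 1:0\n route-target import 1:100\n")


def parse_config(text):
    """Return ({vrf: {"import": set, "export": set}}, [(interface, up, down)])."""
    vrfs, bindings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()          # the parser does not depend on indentation
        fwd = re.fullmatch(r"ip vrf forwarding (\S+)(?: downstream (\S+))?", line)
        vrf = re.fullmatch(r"ip vrf (\S+)", line)
        intf = re.fullmatch(r"interface (.+)", line)
        rt = re.fullmatch(r"route-target (import|export|both) (\S+)", line)
        if fwd:
            # Only bindings that name a downstream VRF are half-duplex.
            if section and section[0] == "if" and fwd.group(2):
                bindings.append((section[1], fwd.group(1), fwd.group(2)))
        elif vrf:
            section = ("vrf", vrf.group(1))
            vrfs.setdefault(vrf.group(1), {"import": set(), "export": set()})
        elif intf:
            section = ("if", intf.group(1))
        elif line.startswith("router "):
            section = None          # left VRF or interface configuration
        elif rt and section and section[0] == "vrf":
            kinds = ("import", "export") if rt.group(1) == "both" else (rt.group(1),)
            for kind in kinds:
                vrfs[section[1]][kind].add(rt.group(2))
    return vrfs, bindings


def audit(text):
    """Return findings that would let spokes reach each other without the hub."""
    vrfs, bindings = parse_config(text)
    findings = []

    def note(msg):
        if msg not in findings:     # several interfaces can share one VRF pair
            findings.append(msg)

    if not bindings:
        note("no interface uses 'ip vrf forwarding <up> downstream <down>'")
    for ifname, up, down in bindings:
        for role, name in (("upstream", up), ("downstream", down)):
            if name not in vrfs:
                note(f"{ifname}: {role} VRF {name} is not defined")
        u, d = vrfs.get(up), vrfs.get(down)
        if u is not None and not u["import"]:
            note(f"VRF {up}: upstream VRF has no import route-target")
        if u is not None and u["export"]:
            # Assumption: the module's upstream VRFs never export.
            note(f"VRF {up}: upstream VRF exports {sorted(u['export'])}")
        if d is not None and not d["export"]:
            note(f"VRF {down}: downstream VRF has no export route-target")
        if u is not None and d is not None:
            for target in sorted(u["import"] & d["export"]):
                note(f"VRF {up} imports {target}, which VRF {down} exports: "
                     "spoke routes re-enter the upstream VRF")
    return findings


if __name__ == "__main__":
    for label, cfg in (("module example", SPOKE_PE_OK), ("leaky", SPOKE_PE_LEAKY)):
        print(label, "->", audit(cfg) or "no findings")
```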


Configuration Examples for MPLS VPN Half-Duplex VRF

This section provides the following configuration examples:

Configuring the Upstream and Downstream VRFs on the Spoke PE Router: Example

Associating VRFs: Examples

Configuring MPLS VPN Half-Duplex VRF: Example using Static CE-PE Routing

Configuring MPLS VPN Half-Duplex VRF: Example using RADIUS Server and Static CE-PE Routing

Configuring MPLS VPN Half-Duplex VRF: Example using Dynamic CE-PE Routing

Configuring the Upstream and Downstream VRFs on the Spoke PE Router: Example

The following example configures an upstream VRF named U:

Router> enable 
Router# configure terminal 
Router(config)# ip vrf U 
Router(config-vrf)# rd 1:0 
Router(config-vrf)# route-target import 1:0 

The following example configures a downstream VRF named D:

Router> enable
Router# configure terminal 
Router(config)# ip vrf D 
Router(config-vrf)# rd 1:8   
Router(config-vrf)# route-target export 1:100 

Associating VRFs: Examples

The following example associates the VRF named Up with the POS3/0/1 subinterface and specifies the downstream VRF named Down:

Router> enable 
Router# configure terminal 
Router(config)# interface POS3/0/1
Router(config-if)# ip vrf forwarding Up downstream Down
Router(config-if)# ip address 10.0.0.1 255.0.0.0

The following example associates the VRF named U with the virtual-template 1 interface and specifies the downstream VRF named D:

Router> enable 
Router# configure terminal 
Router(config)# interface virtual-template 1 
Router(config-if)# ip vrf forwarding U downstream D
Router(config-if)# ip unnumbered Loopback1 


Configuring MPLS VPN Half-Duplex VRF: Example using Static CE-PE Routing

This example uses the hub-and-spoke topology shown in Figure 2 with local authentication (that is, the RADIUS server is not used).

Figure 2 Sample Topology

ip vrf D 
 rd 1:8 
 route-target export 1:100 
! 
ip vrf U 
 rd 1:0 
 route-target import 1:0 
! 
ip cef 
vpdn enable 
! 
vpdn-group U 
 accept-dialin 
  protocol pppoe 
  virtual-template 1 
! 
interface Loopback2 
 ip vrf forwarding U 
 ip address 10.0.0.8 255.255.255.255 
! 
interface ATM2/0
 description Mze ATM3/1/2
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 3/100
  protocol pppoe
 !
 pvc 3/101
  protocol pppoe
!
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2 
 peer default ip address pool U-pool 
 ppp authentication chap 

Configuring MPLS VPN Half-Duplex VRF: Example using RADIUS Server and Static CE-PE Routing

The following example shows how to connect two Point-to-Point Protocol over Ethernet (PPPoE) clients to a single VRF pair on the spoke PE router named Lipno. Although both PPPoE clients are configured in the same VRF, all communication occurs using the hub PE router. Half-duplex VRFs are configured on the spoke PE. The client configuration is downloaded to the spoke PE from the RADIUS server.

This example uses the hub-and-spoke topology shown in Figure 2.


Note: The wholesale provider can forward the user authentication request to the corresponding ISP. If the ISP authenticates the user, the wholesale provider appends the VRF information to the request that goes back to the PE router.


aaa new-model
!
aaa group server radius R
 server 10.0.20.26 auth-port 1812 acct-port 1813
!
aaa authentication ppp default group radius
aaa authorization network default group radius
!
ip vrf D
 description Downstream VRF - to spokes
 rd 1:8   
 route-target export 1:100
!
ip vrf U
 description Upstream VRF - to hub
 rd 1:0
 route-target import 1:0
!
ip cef    
vpdn enable
!         
vpdn-group U
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface Loopback2
 ip vrf forwarding U
 ip address 10.0.0.8 255.255.255.255
!
interface ATM2/0
 pvc 3/100
  protocol pppoe
 !
 pvc 3/101
  protocol pppoe
!
interface virtual-template 1
 no ip address
 ppp authentication chap
!
router bgp 1
 no synchronization
 neighbor 172.16.0.34 remote-as 1
 neighbor 172.16.0.34 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 172.16.0.34 activate
  neighbor 172.16.0.34 send-community extended
  auto-summary
  exit-address-family
 !
 address-family ipv4 vrf U
  no auto-summary
  no synchronization
  exit-address-family
 !
 address-family ipv4 vrf D
  redistribute static
  no auto-summary
  no synchronization
  exit-address-family
!
ip local pool U-pool 10.8.1.1 10.8.1.100
ip route vrf D 10.0.0.0 255.0.0.0 Null0
!
radius-server host 10.0.20.26 auth-port 1812 acct-port 1813
radius-server key cisco

Configuring MPLS VPN Half-Duplex VRF: Example using Dynamic CE-PE Routing

The following example shows how to use OSPF to dynamically advertise the routes on the spoke sites.

This example uses the hub-and-spoke topology shown in Figure 2.

Creating the VRFs

ip vrf Down
 rd 100:1
 route-target export 100:0
!
ip vrf Up
 rd 100:2
 route-target import 100:1
!         

Enabling MPLS

mpls ldp graceful-restart
mpls ldp router-id Loopback0 force
mpls label protocol ldp
!         

Configuring BGP: towards Core

router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 bgp graceful-restart restart-time 120
 bgp graceful-restart stalepath-time 360
 bgp graceful-restart
 neighbor 10.13.13.13 remote-as 100
 neighbor 10.13.13.13 update-source Loopback0
 !        
 address-family vpnv4
  neighbor 10.13.13.13 activate
  neighbor 10.13.13.13 send-community extended
  bgp scan-time import 5
  exit-address-family

Configuring BGP: towards Edge

 address-family ipv4 vrf Up
  no auto-summary
  no synchronization
  exit-address-family
 !
 address-family ipv4 vrf Down
  redistribute ospf 1000 vrf Down
  no auto-summary
  no synchronization
  exit-address-family
!

Spoke PE's Core-facing Interfaces and Processes

interface Loopback0
 ip address 10.11.11.11 255.255.255.255
!
interface POS3/0/2
 ip address 10.0.1.1 255.0.0.0
 mpls label protocol ldp
 mpls ip  
!
router ospf 100
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 nsf enforce global
 redistribute connected subnets
 network 10.11.11.11 0.0.0.0 area 100
 network 10.0.1.0 0.255.255.255 area 100
!

Spoke PE's Edge-facing Interfaces and Processes

interface Loopback100
 ip vrf forwarding Down
 ip address 10.22.22.22 255.255.255.255
!         
interface POS3/0/1
 ip vrf forwarding Up downstream Down
 ip address 10.0.0.1 255.0.0.0
!         
interface POS3/0/3
 ip vrf forwarding Up downstream Down
 ip address 10.2.0.1 255.0.0.0
! 
router ospf 1000 vrf Down
 router-id 10.22.22.22
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 nsf enforce global
 redistribute connected subnets
 redistribute bgp 100 metric-type 1 subnets
 network 10.22.22.22 0.0.0.0 area 300
 network 10.0.0.0 0.255.255.255 area 300
 network 10.2.0.0 0.255.255.255 area 300
 default-information originate
!         

Additional References

The following sections provide references related to MPLS VPNs.

Related Documents

Related Topic
Document Title

Basic MPLS VPNs

Configuring MPLS Layer 3 VPNs

Configuring Scalable Hub-and-Spoke MPLS VPNs

MPLS VPN route maps

Configuring Route Maps to Control the Distribution of MPLS Labels Between Routers in an MPLS VPN

MPLS VPN load sharing

Load Sharing MPLS VPN Traffic

MPLS VPN MIBs

Monitoring MPLS VPNs with MIBs

Directing MPLS VPN traffic

Directing MPLS VPN Traffic Using Policy-Based Routing

Directing MPLS VPN Traffic Using a Source IP Address

VPN ID

Assigning an ID Number to a VPN

Dialer applications with MPLS VPNs

Dialing to Destinations with the Same IP Address for MPLS VPNs

MPLS VPNs and OSPF

Ensuring That MPLS VPN Clients Using OSPF Communicate over the MPLS VPN Backbone Instead of Through Backdoor Links


Standards

Standard
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIB
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

RFC 2547

BGP/MPLS VPNs

