Configure a Basic MPLS VPN Network

Available Languages

Download Options

  • PDF     (331.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (367.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (189.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:November 14, 2022
Document ID:13733

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure a basic Multiprotocol Label Switching (MPLS) VPN core network. 

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on these software and hardware versions:

    • P and PE Routers

      • Cisco IOS® Software Release which includes the MPLS VPN feature.

      • Any Cisco router from the 7200 series or higher supports P functionality.

      • The Cisco 2600, as well as any 3600 series or higher router supports PE functionality.

    • C and CE Routers

      • You can use any router that can exchange routing information with its PE router.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Related Products

    To implement the MPLS feature, you must have a router from the range of Cisco 2600 or higher. To select the required Cisco IOS with MPLS feature, use the Software Research tool. Also check for the additional RAM and Flash memory required to run the MPLS feature in the routers. WIC-1T, WIC-2T, and serial interfaces can be used.

    Conventions

    Refer to Cisco Technical Tips Conventions for more information on document conventions.

    These letters represent the different types of routers and switches used:

    • P  — Provider core router.

    • PE  — Provider Edge router.

    • CE  Customer Edge router.

    • C  Customer router.

    Note: PE routers are the last hop in the provider network and these are the devices that connect directly to the CE routers which are not aware of the MPLS feature, as shown in the next diagram.

    This diagram shows a typical configuration that illustrates the conventions outlined previously.

    MPLS VPN Network DiagramMPLS VPN Typical Network Diagram

    Background Information

    This document provides a sample configuration of a Multiprotocol Label Switching (MPLS) VPN when Border Gateway Protocol (BGP) is present on the Cisco client sites.

    When used with MPLS, the VPN feature allows several sites to interconnect transparently through a service provider network. One Service Provider network can support several different IP VPNs. Each of these appears to its users as a private network, separate from all other networks. Within a VPN, each site can send IP packets to any other site in the same VPN.

    Each VPN is associated with one or more Virtual Routing and Forwarding (VRF) instances. A VRF consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, and a set of interfaces that use this forwarding table. The router maintains a separate Routing Information Base (RIB) and CEF table for each VRF. Therefore, the information is not sent outside the VPN and allows the same subnet to be used in several VPNs and does not cause duplicate IP address problems. The router that uses Multiprotocol BGP (MP-BGP) distributes the VPN routing information with the MP-BGP extended communities.

    Configuration

    This section provides the configuration examples and how they are implemented.

    Network Diagram

    This document uses this network setup:

    Topology DiagramTopology Diagram

    Configuration Procedures

    MPLS Configuration

    1. Verify that  ip cef is enabled on the routers where MPLS is required. For improved performance, use ip cef distributed  (where available).

    2. Configure an IGP on the service provider core, either Open Shortest Path First (OSPF) or Intermediate System-to-Intermediate System (IS-IS) protocols are the recommended options, and advertise the Loopback0 from each P and PE routers.

    3. After the service provider core routers are fully L3 reachable between their loopbacks, configure the command  mpls ip on each L3 interface between P and PE routers.

    Note: The PE router interface that connects directly to the CE router does not require the mpls ip command configuration.

    Complete these steps on the PEs after MPLS has been set up (configuration of  mpls ip  on the interfaces).

    1. Create one VRF for each VPN connected with the vrf definition <VRF name> command. Additional steps:

      Specify the route distinguisher used for that VPN. The command rd <VPN route distinguisher> is used to extend the IP address so that you can identify which VPN it belongs to.

       vrf definition Client_A
  rd 100:110  

      Set up the import and export properties for the MP-BGP extended communities. These are used to filter the import and export process with the command route-target {import|export|both} <target VPN extended community> as shown in the next output:

      vrf definition Client_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
 !
 address-family ipv4
 exit-address-family 
    2. On the PE router, add the interfaces that connect the CE to the corresponding VRF. Configure the forwarding details for the respective interfaces with the vrf forwarding command and set up the IP address.
    Pescara#show run interface GigabitEthernet0/1
Building configuration...

Current configuration : 138 bytes
!
interface GigabitEthernet0/1
 vrf forwarding Client_A
 ip address 10.0.4.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
end

    Configure MP-BGP

    There are several ways to configure BGP, for example, you can configure PE routers as BGP neighbors or use a Route Reflector (RR) or Confederation methods. A Route Reflector is used in the next example, which is more scalable than the use of direct neighbors between PE routers:

    1. Enter the address-family ipv4 vrf <VRF name> command for each VPN present at this PE router. Next, carry out one or more of the next steps, as necessary:

      • If you use BGP to exchange routing information with the CE, configure and activate the BGP neighbors with the CE routers.

      • If you use a different dynamic routing protocol to exchange routing information with the CE, redistribute the routing protocols.

    Note: Based on the PE-CE routing protocol you use, you can configure any dynamic routing protocols (EIGRP, OSPF or BGP) between PE and CE devices. If BGP is the protocol used to exchange routing information between PE and CE, there is no need to configure redistribution between protocols.

    2. Enter the address-family vpnv4 mode, and complete the next steps:

    • Activate the neighbors, a VPNv4 neighbor session needs to be established between each PE router and the Route Reflector.

    • Specify that extended community must be used. This is mandatory.

    Configurations

    This document uses these configurations to setup the MPLS VPN network example:

    Pescara 
    hostname Pescara
!
ip cef
!

!--- VPN Client_A commands.

vrf definition Client_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000  
     !
 address-family ipv4
 exit-address-family

    !--- Enables the VPN routing and forwarding (VRF) routing table.  
    !--- Route distinguisher creates routing and forwarding tables for a VRF. 
    !--- Route targets creates lists of import and export extended communities for the specified VRF. 
        

    !--- VPN Client_B commands.  

    vrf definition Client_B
 rd 100:120
 route-target export 100:2000
 route-target import 100:2000
 !
 address-family ipv4
 exit-address-family  
    ! 
    interface Loopback0
 ip address 10.10.10.4 255.255.255.255
 ip router isis  
    !
interface GigabitEthernet0/1
 vrf forwarding Client_A
 ip address 10.0.4.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 vrf forwarding Client_B
 ip address 10.0.4.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45  

    !--- Associates a VRF instance with an interface or subinterface. 
    !--- GigabitEthernet0/1 and 0/2 use the same IP address, 10.0.4.2. 
    !--- This is allowed because they belong to two different customer VRFs. 

    !
    interface GigabitEthernet0/0
 description link to Pauillac
 ip address 10.1.1.14 255.255.255.252
 ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip

    !--- Enables MPLS on the L3 interface connecting to the P router


    router isis
 net 49.0001.0000.0000.0004.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0

    !--- Enables IS-IS as the IGP in the provider core network 

    !
router bgp 65000
 bgp log-neighbor-changes  
     neighbor 10.10.10.2 remote-as 65000  
     neighbor 10.10.10.2 update-source Loopback0

    !--- Adds an entry to the BGP or MP-BGP neighbor table. 
    !--- And enables BGP sessions to use a specific operational interface for TCP connections.  

    !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
 exit-address-family
  
    !--- To enter address family configuration mode that use standard VPN version 4 address prefixes.
    !--- Creates the VPNv4 neighbor session to the Route Reflector. 
    !--- And to send the community attribute to the BGP neighbor. 
     
    !
 address-family ipv4 vrf Client_A
  neighbor 10.0.4.1 remote-as 65002
  neighbor 10.0.4.1 activate
 exit-address-family
 !
 address-family ipv4 vrf Client_B
  neighbor 10.0.4.1 remote-as 65001
  neighbor 10.0.4.1 activate
 exit-address-family

    !--- These are the eBGP sessions to each CE router belonging to different customers.
    !--- The eBGP sessions are configured within the VRF address family

    end 
    Pesaro 
    hostname Pesaro
!
ip cef
    !
vrf definition Client_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
 !
 address-family ipv4
 exit-address-family
!     
    vrf definition Client_B
 rd 100:120
 route-target export 100:2000
 route-target import 100:2000
 !
 address-family ipv4
 exit-address-family
!
ip cef
!
interface Loopback0
 ip address 10.10.10.6 255.255.255.255  
     ip router isis 
    !
interface GigabitEthernet0/0
 description link to Pomerol
 ip address 10.1.1.22 255.255.255.252
 ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/1
 vrf forwarding Client_B
 ip address 10.0.6.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 vrf forwarding Client_A
 ip address 10.1.6.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 vrf forwarding Client_A
 ip address 10.0.6.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router isis
 net 49.0001.0000.0000.0006.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0
!         
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 65000
 neighbor 10.10.10.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf Client_A
  neighbor 10.0.6.1 remote-as 65004
  neighbor 10.0.6.1 activate
  neighbor 10.1.6.1 remote-as 65004
  neighbor 10.1.6.1 activate
 exit-address-family
 !
 address-family ipv4 vrf Client_B
  neighbor 10.0.6.1 remote-as 65003
  neighbor 10.0.6.1 activate
 exit-address-family
!         
!         
end 
    Pomerol 
    hostname Pomerol
!
ip cef
!
interface Loopback0
 ip address 10.10.10.3 255.255.255.255
 ip router isis
!
interface GigabitEthernet0/0
 description link to Pesaro
 ip address 10.1.1.21 255.255.255.252
 ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/1
 description link to Pauillac
 ip address 10.1.1.6 255.255.255.252
 ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/2
 description link to Pulligny
 ip address 10.1.1.9 255.255.255.252
 ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
router isis
 net 49.0001.0000.0000.0003.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0
!
end 
    Pulligny 
    hostname Pulligny
!
ip cef
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
 ip router isis
!
interface GigabitEthernet0/0
 description link to Pauillac
 ip address 10.1.1.2 255.255.255.252ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/1
 description link to Pomerol
 ip address 10.1.1.10 255.255.255.252ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.10.10.4 remote-as 65000
 neighbor 10.10.10.4 update-source Loopback0
 neighbor 10.10.10.6 remote-as 65000
 neighbor 10.10.10.6 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.4 activate
  neighbor 10.10.10.4 send-community both
  neighbor 10.10.10.4 route-reflector-client
  neighbor 10.10.10.6 activate
  neighbor 10.10.10.6 send-community both
  neighbor 10.10.10.6 route-reflector-client
 exit-address-family
!
!
end
 
    Pauillac 
    hostname pauillac
!
ip cef
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
 ip router isis 
!
interface GigabitEthernet0/0
 description link to Pescara
 ip address 10.1.1.13 255.255.255.252
 ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/1
 description link to Pulligny 
 ip address 10.1.1.5 255.255.255.252
 ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/2
 description link to Pomerol
 ip address 10.1.1.1 255.255.255.252
 ip router isis 
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
router isis
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0
!
end 
    CE-A1 CE-A3 
    hostname CE-A1
!
ip cef
!
interface GigabitEthernet0/0
 ip address 10.0.4.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65002
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.0.4.2 remote-as 65000
!
end 
    		 
    hostname CE-A3
!
ip cef
!
interface GigabitEthernet0/0
 ip address 10.0.6.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65004
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.0.6.2 remote-as 65000
!         
end 

    Verification

    This section provides information you can use to confirm that the configuration works properly:

    PE to CE Verification Commands

    • show ip vrf  — Verifies that the correct VRF exists.
    • show ip vrf interfaces  — Verifies the activated interfaces.
    • show ip route vrf <VRF name>  —Verifies the routing information on the PE routers.
    • traceroute vrf  <VRF name> <IP address>  — Verifies the routing information on the PE routers.
    • show ip cef vrf <VRF name> <IP address> detail  — Verifies the routing information on the PE routers.

    MPLS LDP Verification Commands

    • show mpls interfaces
    • show mpls forwarding-table
    • show mpls ldp bindings
    • show mpls ldp neighbor  

    PE to PE/RR Verification Commands

    • show bgp vpnv4 unicast all summary 
    • show bgp vpnv4 unicast all neighbor <neighbor IP address> advertised-routes  - Verifies VPNv4 prefixes sent
    • show bgp vpnv4 unicast all neighbor <neighbor IP address> routes  - Verifies VPNv4 prefixes received

    This is a sample command output of the show ip vrf command.

    Pescara#show ip vrf
  Name                             Default RD            Interfaces
  Client_A                         100:110               Gi0/1
  Client_B                         100:120               Gi0/2

    This next is a sample command output of the  show ip vrf interfaces  command.

    Pesaro#show ip vrf interfaces 
Interface              IP-Address      VRF                              Protocol
Gi0/2                  10.1.6.2        Client_A                         up      
Gi0/3                  10.0.6.2        Client_A                         up      
Gi0/1                  10.0.6.2        Client_B                         up    

    In this next sample, the show ip route vrf commands show the same prefix 10.0.6.0/24 in both the outputs. This is because the remote PE has the same network for two Cisco clients, CE_B2 and CE_A3, which is allowed in a typical MPLS VPN solution.

    Pescara#show ip route vrf Client_A

Routing Table: Client_A
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.4.0/24 is directly connected, GigabitEthernet0/1
L        10.0.4.2/32 is directly connected, GigabitEthernet0/1
B        10.0.6.0/24 [200/0] via 10.10.10.6, 11:11:11
B        10.1.6.0/24 [200/0] via 10.10.10.6, 11:24:16
Pescara#

Pescara#show ip route vrf Client_B

Routing Table: Client_B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.4.0/24 is directly connected, GigabitEthernet0/2
L        10.0.4.2/32 is directly connected, GigabitEthernet0/2
B        10.0.6.0/24 [200/0] via 10.10.10.6, 11:26:05 

    When you run a traceroute between two sites, in this example two sites of Client_A (CE-A1 to CE-A3), it is possible to see the label stack used by the MPLS network (if it is configured to do so by mpls ip propagate-ttl ).

    CE-A1#show ip route 10.0.6.1
Routing entry for 10.0.6.0/24
  Known via "bgp 65002", distance 20, metric 0
  Tag 65000, type external
  Last update from 10.0.4.2 11:16:14 ago
  Routing Descriptor Blocks:
  * 10.0.4.2, from 10.0.4.2, 11:16:14 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 65000
      MPLS label: none
CE-A1#
    
CE-A1#ping 10.0.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/9 ms
CE-A1#
    
CE-A1#traceroute 10.0.6.1 probe 1 numeric
Type escape sequence to abort.
Tracing the route to 10.0.6.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.4.2 2 msec
  2 10.1.1.13 [MPLS: Labels 20/26 Exp 0] 8 msec
  3 10.1.1.6 [MPLS: Labels 21/26 Exp 0] 17 msec
  4 10.0.6.2 [AS 65004] 11 msec
  5 10.0.6.1 [AS 65004] 8 msec 

    Note: Exp 0 is an experimental field used for Quality of Service (QoS).

    The next output shows the IS-IS and LDP adjacency established between the RR and some of the P routers in the Service Provider core network:

    Pulligny#show isis neighbors 

Tag null:
System Id       Type Interface     IP Address      State Holdtime Circuit Id
Pauillac        L2   Gi0/0         10.1.1.1        UP    25       Pulligny.01        
Pomerol         L2   Gi0/1         10.1.1.9        UP    23       Pulligny.02        
Pulligny#

Pulligny#show mpls ldp neighbor 
    Peer LDP Ident: 10.10.10.1:0; Local LDP Ident 10.10.10.2:0
        TCP connection: 10.10.10.1.646 - 10.10.10.2.46298
        State: Oper; Msgs sent/rcvd: 924/921; Downstream
        Up time: 13:16:03
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 10.1.1.1
        Addresses bound to peer LDP Ident:
          10.1.1.13       10.1.1.5        10.1.1.1        10.10.10.1      
    Peer LDP Ident: 10.10.10.3:0; Local LDP Ident 10.10.10.2:0
        TCP connection: 10.10.10.3.14116 - 10.10.10.2.646
        State: Oper; Msgs sent/rcvd: 920/916; Downstream
        Up time: 13:13:09
        LDP discovery sources:
          GigabitEthernet0/1, Src IP addr: 10.1.1.9
        Addresses bound to peer LDP Ident:
          10.1.1.6        10.1.1.9        10.10.10.3      10.1.1.21        

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    19-Oct-2022
    Recertification
    1.0
    10-Dec-2001
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Julio Jimenez
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco