This document describes how to configure a basic Multiprotocol Label Switching (MPLS) VPN core network.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Cisco IOS® Software Release which includes the MPLS VPN feature.
Any Cisco router from the 7200 series or higher supports P functionality.
The Cisco 2600, as well as any 3600 series or higher router, supports PE functionality.
You can use any router that can exchange routing information with its PE router.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
To implement the MPLS feature, you must have a router from the range of Cisco 2600 or higher. To select the required Cisco IOS with MPLS feature, use the Software Research tool. Also check for the additional RAM and Flash memory required to run the MPLS feature in the routers. WIC-1T, WIC-2T, and serial interfaces can be used.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
These letters represent the different types of routers and switches used:
P: Provider core router.
PE: Provider Edge router.
CE: Customer Edge router.
C: Customer router.
Note: PE routers are the last hop in the provider network. They connect directly to the CE routers, which are not aware of the MPLS feature, as shown in the next diagram.
This diagram shows a typical configuration that illustrates the conventions outlined previously.
This document provides a sample configuration of a Multiprotocol Label Switching (MPLS) VPN when Border Gateway Protocol (BGP) is present on the Cisco client sites.
When used with MPLS, the VPN feature allows several sites to interconnect transparently through a service provider network. One Service Provider network can support several different IP VPNs. Each of these appears to its users as a private network, separate from all other networks. Within a VPN, each site can send IP packets to any other site in the same VPN.
Each VPN is associated with one or more Virtual Routing and Forwarding (VRF) instances. A VRF consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, and a set of interfaces that use this forwarding table. The router maintains a separate Routing Information Base (RIB) and CEF table for each VRF. Therefore, routing information is not sent outside the VPN, and the same subnet can be used in several VPNs without duplicate IP address problems. The router uses Multiprotocol BGP (MP-BGP) to distribute the VPN routing information with the MP-BGP extended communities.
This section provides the configuration examples and how they are implemented.
This document uses this network setup:
1. Verify that ip cef is enabled on the routers where MPLS is required. For improved performance, use ip cef distributed (where available).
2. Configure an IGP on the service provider core; Open Shortest Path First (OSPF) or Intermediate System-to-Intermediate System (IS-IS) are the recommended options. Advertise Loopback0 from each P and PE router.
3. After the service provider core routers are fully L3 reachable between their loopbacks, configure the command mpls ip on each L3 interface between P and PE routers.
Note: The PE router interface that connects directly to the CE router does not require the mpls ip command configuration.
Complete these steps on the PEs after MPLS has been set up (configuration of mpls ip on the interfaces).
Create one VRF for each VPN connected with the vrf definition <VRF name> command. Additional steps:
Specify the route distinguisher used for that VPN. The command rd <VPN route distinguisher> is used to extend the IP address so that you can identify which VPN it belongs to.
```
vrf definition Client_A
 rd 100:110
```
Set up the import and export properties for the MP-BGP extended communities. These are used to filter the import and export process with the command route-target {import|export|both} <target VPN extended community> as shown in the next output:
```
vrf definition Client_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
 !
 address-family ipv4
 exit-address-family
```
Use the vrf forwarding command on the interface and set up the IP address.
```
Pescara#show run interface GigabitEthernet0/1
Building configuration...

Current configuration : 138 bytes
!
interface GigabitEthernet0/1
 vrf forwarding Client_A
 ip address 10.0.4.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
end
```
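Because the route-target import and export statements are what keep one VPN's routes out of another, it is worth checking them mechanically. The next script is an added example, not part of the original Cisco document: it parses vrf definition blocks and reports every pair of VRFs where one imports a route target that the other exports. The function names and the Client_B route targets are assumptions made for the illustration.

```python
import re
from itertools import permutations

# Constructed sample: Client_A and both RDs come from this page; the
# Client_B route targets are assumptions made up for the example.
SAMPLE_CONFIG = """\
vrf definition Client_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
!
vrf definition Client_B
 rd 100:120
 route-target export 100:2000
 route-target import 100:2000
 route-target import 100:1000
!
"""

def parse_vrfs(config):
    """Return {vrf: {"rd": str, "import": set, "export": set}} from IOS config text."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vrf definition (\S+)$", line):
            current = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
        elif raw[:1] not in (" ", "!", ""):
            current = None                    # another top-level command ends the VRF block
        elif current and (m := re.match(r"rd (\S+)$", line)):
            current["rd"] = m.group(1)
        elif current and (m := re.match(r"route-target (import|export|both) (\S+)$", line)):
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs

def cross_vrf_flows(vrfs, allowed=()):
    """List (exporter, importer, route_targets) pairs that are not in `allowed`."""
    flows = []
    for src, dst in permutations(sorted(vrfs), 2):
        shared = vrfs[src]["export"] & vrfs[dst]["import"]
        if shared and (src, dst) not in allowed:
            flows.append((src, dst, sorted(shared)))
    return flows

if __name__ == "__main__":
    for src, dst, rts in cross_vrf_flows(parse_vrfs(SAMPLE_CONFIG)):
        print(f"{src} -> {dst} via {', '.join(rts)}")
```

In the constructed sample, Client_B imports 100:1000 and therefore receives Client_A routes; pass intended pairs (for example a shared-services VRF) in allowed so that only unplanned flows are reported.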
There are several ways to configure BGP. For example, you can configure PE routers as BGP neighbors, or use a Route Reflector (RR) or Confederation methods. A Route Reflector is used in the next example, which is more scalable than the use of direct neighbors between PE routers:
1. Enter the address-family ipv4 vrf <VRF name> command for each VPN present at this PE router. Next, carry out one or more of the next steps, as necessary:
If you use BGP to exchange routing information with the CE, configure and activate the BGP neighbors with the CE routers.
If you use a different dynamic routing protocol to exchange routing information with the CE, redistribute the routing protocols.
Note: Based on the PE-CE routing protocol you use, you can configure any dynamic routing protocols (EIGRP, OSPF or BGP) between PE and CE devices. If BGP is the protocol used to exchange routing information between PE and CE, there is no need to configure redistribution between protocols.
2. Enter the address-family vpnv4 mode, and complete the next steps:
Activate the neighbors; a VPNv4 neighbor session needs to be established between each PE router and the Route Reflector.
Specify that extended community must be used. This is mandatory.
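The two VPNv4 requirements above (neighbor activated, extended communities sent) can be verified against a saved configuration. The next script is an added example, not part of the original Cisco document: it lists iBGP peers that are defined under router bgp but are not activated under address-family vpnv4, or that lack send-community both or send-community extended. The function name, peer 10.10.10.9 and the omitted send-community line are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the Route Reflector configuration on this page.
# Peer 10.10.10.9 and the missing send-community for 10.10.10.6 are assumptions.
SAMPLE_BGP = """\
router bgp 65000
 neighbor 10.10.10.4 remote-as 65000
 neighbor 10.10.10.6 remote-as 65000
 neighbor 10.10.10.9 remote-as 65000
 !
 address-family vpnv4
  neighbor 10.10.10.4 activate
  neighbor 10.10.10.4 send-community both
  neighbor 10.10.10.4 route-reflector-client
  neighbor 10.10.10.6 activate
  neighbor 10.10.10.6 route-reflector-client
 exit-address-family
!
"""

def audit_vpnv4(config):
    """Return {peer: [problems]} for iBGP peers that cannot carry VPNv4 route targets."""
    local_as, family, ibgp, vpnv4 = None, None, set(), {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"router bgp (\d+)$", line):
            local_as, family = m.group(1), None
        elif line.startswith("address-family "):
            family = line.split()[1]          # "vpnv4", "ipv4", ...
        elif line == "exit-address-family":
            family = None
        elif m := re.match(r"neighbor (\S+) (.+)$", line):
            peer, setting = m.groups()
            if family is None and setting == f"remote-as {local_as}":
                ibgp.add(peer)                # globally defined iBGP peer
            elif family == "vpnv4":
                vpnv4.setdefault(peer, set()).add(setting)
    findings = {}
    for peer in sorted(ibgp | set(vpnv4)):
        settings, problems = vpnv4.get(peer, set()), []
        if "activate" not in settings:
            problems.append("not activated for vpnv4")
        if not settings & {"send-community both", "send-community extended"}:
            problems.append("extended communities not sent")
        if problems:
            findings[peer] = problems
    return findings

if __name__ == "__main__":
    print(audit_vpnv4(SAMPLE_BGP))
```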
This document uses these configurations to set up the MPLS VPN network example:
Pescara
```
hostname Pescara
!
ip cef
!
!--- VPN Client_A commands.
vrf definition Client_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
```
Pesaro
```
hostname Pesaro
!
ip cef
```
Pomerol
```
hostname Pomerol
!
ip cef
!
interface Loopback0
 ip address 10.10.10.3 255.255.255.255
 ip router isis
!
interface GigabitEthernet0/0
 description link to Pesaro
 ip address 10.1.1.21 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/1
 description link to Pauillac
 ip address 10.1.1.6 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/2
 description link to Pulligny
 ip address 10.1.1.9 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
router isis
 net 49.0001.0000.0000.0003.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0
!
end
```
Pulligny
```
hostname Pulligny
!
ip cef
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
 ip router isis
!
interface GigabitEthernet0/0
 description link to Pauillac
 ip address 10.1.1.2 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/1
 description link to Pomerol
 ip address 10.1.1.10 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.10.10.4 remote-as 65000
 neighbor 10.10.10.4 update-source Loopback0
 neighbor 10.10.10.6 remote-as 65000
 neighbor 10.10.10.6 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.4 activate
  neighbor 10.10.10.4 send-community both
  neighbor 10.10.10.4 route-reflector-client
  neighbor 10.10.10.6 activate
  neighbor 10.10.10.6 send-community both
  neighbor 10.10.10.6 route-reflector-client
 exit-address-family
!
!
end
```
Pauillac
```
hostname pauillac
!
ip cef
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
 ip router isis
!
interface GigabitEthernet0/0
 description link to Pescara
 ip address 10.1.1.13 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/1
 description link to Pulligny
 ip address 10.1.1.5 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
interface GigabitEthernet0/2
 description link to Pomerol
 ip address 10.1.1.1 255.255.255.252
 ip router isis
 duplex auto
 speed auto
 media-type rj45
 mpls ip
!
router isis
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0
!
end
```
CE-A1
```
hostname CE-A1
!
ip cef
!
interface GigabitEthernet0/0
 ip address 10.0.4.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65002
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.0.4.2 remote-as 65000
!
end
```
CE-A3
```
hostname CE-A3
!
ip cef
!
interface GigabitEthernet0/0
 ip address 10.0.6.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router bgp 65004
 bgp log-neighbor-changes
 redistribute connected
 neighbor 10.0.6.2 remote-as 65000
!
end
```
This section provides information you can use to confirm that the configuration works properly:
PE to CE Verification Commands
MPLS LDP Verification Commands
PE to PE/RR Verification Commands
This is a sample command output of the show ip vrf command.
```
Pescara#show ip vrf
  Name                             Default RD            Interfaces
  Client_A                         100:110               Gi0/1
  Client_B                         100:120               Gi0/2
```
This is a sample command output of the show ip vrf interfaces command.
```
Pesaro#show ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Gi0/2                  10.1.6.2        Client_A                         up
Gi0/3                  10.0.6.2        Client_A                         up
Gi0/1                  10.0.6.2        Client_B                         up
```
In this next sample, the show ip route vrf commands show the same prefix 10.0.6.0/24 in both the outputs. This is because the remote PE has the same network for two Cisco clients, CE_B2 and CE_A3, which is allowed in a typical MPLS VPN solution.
```
Pescara#show ip route vrf Client_A

Routing Table: Client_A
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.4.0/24 is directly connected, GigabitEthernet0/1
L        10.0.4.2/32 is directly connected, GigabitEthernet0/1
B        10.0.6.0/24 [200/0] via 10.10.10.6, 11:11:11
B        10.1.6.0/24 [200/0] via 10.10.10.6, 11:24:16
Pescara#
Pescara#show ip route vrf Client_B

Routing Table: Client_B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.4.0/24 is directly connected, GigabitEthernet0/2
L        10.0.4.2/32 is directly connected, GigabitEthernet0/2
B        10.0.6.0/24 [200/0] via 10.10.10.6, 11:26:05
```
When you run a traceroute between two sites, in this example two sites of Client_A (CE-A1 to CE-A3), it is possible to see the label stack used by the MPLS network (if it is configured to do so by mpls ip propagate-ttl).
```
CE-A1#show ip route 10.0.6.1
Routing entry for 10.0.6.0/24
  Known via "bgp 65002", distance 20, metric 0
  Tag 65000, type external
  Last update from 10.0.4.2 11:16:14 ago
  Routing Descriptor Blocks:
  * 10.0.4.2, from 10.0.4.2, 11:16:14 ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 65000
      MPLS label: none
CE-A1#
```
```
CE-A1#ping 10.0.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/9 ms
CE-A1#
```
```
CE-A1#traceroute 10.0.6.1 probe 1 numeric
Type escape sequence to abort.
Tracing the route to 10.0.6.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.4.2 2 msec
  2 10.1.1.13 [MPLS: Labels 20/26 Exp 0] 8 msec
  3 10.1.1.6 [MPLS: Labels 21/26 Exp 0] 17 msec
  4 10.0.6.2 [AS 65004] 11 msec
  5 10.0.6.1 [AS 65004] 8 msec
```
Note: Exp 0 is an experimental field used for Quality of Service (QoS).
The next output shows the IS-IS and LDP adjacency established between the RR and some of the P routers in the Service Provider core network:
```
Pulligny#show isis neighbors

Tag null:
System Id       Type Interface     IP Address      State Holdtime Circuit Id
Pauillac        L2   Gi0/0         10.1.1.1        UP    25       Pulligny.01
Pomerol         L2   Gi0/1         10.1.1.9        UP    23       Pulligny.02
Pulligny#
Pulligny#show mpls ldp neighbor
    Peer LDP Ident: 10.10.10.1:0; Local LDP Ident 10.10.10.2:0
        TCP connection: 10.10.10.1.646 - 10.10.10.2.46298
        State: Oper; Msgs sent/rcvd: 924/921; Downstream
        Up time: 13:16:03
        LDP discovery sources:
          GigabitEthernet0/0, Src IP addr: 10.1.1.1
        Addresses bound to peer LDP Ident:
          10.1.1.13       10.1.1.5        10.1.1.1        10.10.10.1
    Peer LDP Ident: 10.10.10.3:0; Local LDP Ident 10.10.10.2:0
        TCP connection: 10.10.10.3.14116 - 10.10.10.2.646
        State: Oper; Msgs sent/rcvd: 920/916; Downstream
        Up time: 13:13:09
        LDP discovery sources:
          GigabitEthernet0/1, Src IP addr: 10.1.1.9
        Addresses bound to peer LDP Ident:
          10.1.1.6        10.1.1.9        10.10.10.3      10.1.1.21
```
Revision | Publish Date | Comments |
---|---|---|
2.0 | 19-Oct-2022 | Recertification |
1.0 | 10-Dec-2001 | Initial Release |