MPLS - Complex MPLS VPN with OSPF

Complex MPLS VPN with OSPF

A Complex MPLS (Multiprotocol Label Switching) VPN with OSPF (Open Shortest Path First) involves the integration of two powerful networking technologies to provide secure and scalable communication across multiple geographically dispersed sites. In this scenario, OSPF is employed as the interior gateway protocol to exchange routing information within the MPLS-based VPN infrastructure. OSPF dynamically establishes and maintains routing tables, facilitating efficient and adaptive routing decisions within the VPN. The MPLS framework ensures the secure transport of data between the Provider Edge (PE) routers, enabling the creation of isolated Virtual Private Networks (VPNs) for different customers or network segments. Complex MPLS VPNs with OSPF offer robust solutions for large enterprises or service providers seeking a scalable and flexible network architecture. The combination of MPLS VPNs and OSPF enhances the efficiency, security, and manageability of interconnecting diverse networks within a complex infrastructure.

Lab:

Disclaimer

This Configuration Guide is designed to assist members in enhancing their skills in a particular technology area. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an “as is” basis. Neither the authors nor Forum assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this guide. This configuration guide was developed by Forum. Any similarity between material presented in this configuration guide and any other material is completely coincidental.

IOS used: c7200-p-mz.120-32.S.bin

Task 1: BASIC OSPF and MPLS setup

Configure OSPF and MPLS on all PE-routers and P-router

Step 1: Configure the following on the respective P and PE routers:

PE2 Router Initial Config:
hostname PE2 
! 
ip cef 
mpls label protocol ldp 
no tag-switching ip propagate-ttl
! 
interface Loopback0 
ip address 192.168.3.2 255.255.255.255 
! 
interface FastEthernet1/0 
description **link_to_P** 
ip address 192.168.3.18 255.255.255.252 
tag-switching ip 
no shutdown 
! 
interface Serial2/0 
description **link_to_A2** 
ip address 150.1.31.5 255.255.255.252 
no shutdown 
! 
interface Serial2/1 
description **link_to_B1** 
ip address 150.1.32.1 255.255.255.252 
no shutdown 
! 
interface Serial2/2 
description **link_to_A1** 
ip address 150.1.31.9 255.255.255.252 
no shutdown 
! 
router ospf 64 
log-adjacency-changes 
network 192.168.0.0 0.0.255.255 area 0 
! 
end

PE3 Router Initial Config:
hostname PE3 
! 
ip cef 
mpls label protocol ldp 
no tag-switching ip propagate-ttl
! 
interface Loopback0 
ip address 192.168.3.3 255.255.255.255 
! 
interface FastEthernet0/0 
description **link_to_P** 
ip address 192.168.3.13 255.255.255.252 
tag-switching ip 
no shutdown 
! 
interface Serial2/0 
description **link_to_B1** 
ip address 150.1.32.9 255.255.255.252 
no shutdown 
! 
interface Serial2/1 
description **link_to_A1** 
ip address 150.1.31.1 255.255.255.252 
no shutdown 
! 
interface Serial2/2 
description **link_to_B2** 
ip address 150.1.32.5 255.255.255.252 
no shutdown 
! 
router ospf 64 
log-adjacency-changes 
network 192.168.0.0 0.0.255.255 area 0 
! 
end

P Router Config:
hostname P 
! 
ip cef 
mpls label protocol ldp
no tag-switching ip propagate-ttl
! 
interface Loopback0 
ip address 192.168.3.5 255.255.255.255 
! 
interface FastEthernet0/0 
description **link_to_PE3** 
ip address 192.168.3.14 255.255.255.252 
tag-switching ip 
no shutdown 
! 
interface FastEthernet1/0 
description **link_to_PE2** 
ip address 192.168.3.17 255.255.255.252 
tag-switching ip 
no shutdown 
! 
router ospf 64 
log-adjacency-changes 
network 192.168.0.0 0.0.255.255 area 0 
! 
end

A2 Router Initial Config:
hostname A2 
! 
interface Loopback0 
ip address 203.1.0.2 255.255.255.255 
! 
interface Loopback1 
ip address 203.1.2.1 255.255.255.0 
! 
interface Serial2/0 
ip address 150.1.31.6 255.255.255.252 
clock rate 64000 
no shutdown 
! 
end

B1 Router Initial Config:
hostname B1 
! 
interface Loopback0 
ip address 203.2.0.1 255.255.255.255 
! 
interface Loopback1 
ip address 203.2.1.1 255.255.255.0 
! 
interface Serial2/0 
ip address 150.1.32.10 255.255.255.252 
clock rate 64000 
no shutdown 
! 
interface Serial2/1 
ip address 150.1.32.2 255.255.255.252 
clock rate 64000 
no shutdown 
! 
end

A1 Router Initial Config:
hostname A1
! 
interface Loopback0 
ip address 203.1.1.1 255.255.255.0 
! 
interface Loopback1 
ip address 203.1.0.1 255.255.255.255 
! 
interface Serial2/1 
ip address 150.1.31.2 255.255.255.252 
clock rate 64000 
no shutdown 
! 
interface Serial2/2 
ip address 150.1.31.10 255.255.255.252 
clock rate 64000 
no shutdown 
! 
end

B2 Router Initial Config:
hostname B2 
! 
interface Loopback0 
ip address 203.2.0.2 255.255.255.255 
! 
interface Loopback1 
ip address 203.2.2.1 255.255.255.0 
! 
interface Serial2/2 
ip address 150.1.32.6 255.255.255.252 
clock rate 64000 
no shutdown 
! 
end

Task 2: Configure Multi-protocol BGP

Configure multi-protocol BGP between provider-edge (PE) routers.

Step 1: Enable BGP sessions on all PE routers in your Service Provider backbone.

Step 2: Activate VPNv4 BGP sessions between all PE routers in your Service Provider backbone.

Configure the following on PE2 router:

PE2(config)#
router bgp 3 
 neighbor 192.168.3.3 remote-as 3 
 neighbor 192.168.3.3 update-source Loopback0 
 ! 
 address-family ipv4 
 no auto-summary 
 no synchronization 
 neighbor 192.168.3.3 activate 
 network 192.168.3.2 mask 255.255.255.255 
 exit-address-family 
 ! 
 address-family vpnv4 
 neighbor 192.168.3.3 activate 
 neighbor 192.168.3.3 send-community extended 
 exit-address-family

Configure the following on PE3 router:

PE3(config)#
router bgp 3 
 bgp log-neighbor-changes 
 neighbor 192.168.3.2 remote-as 3 
 neighbor 192.168.3.2 update-source Loopback0 
 ! 
 address-family ipv4 
 no auto-summary 
 no synchronization 
 neighbor 192.168.3.2 activate 
 network 192.168.3.3 mask 255.255.255.255 
 exit-address-family 
 ! 
 address-family vpnv4 
 neighbor 192.168.3.2 activate 
 neighbor 192.168.3.2 send-community extended 
 exit-address-family

Task 3: Design your VPN Solution

Create the VRFs for the virtual private networks on provider edge PE2:

PE2(config)#
ip vrf a 
 rd 3:1 
 route-target both 3:1 
! 
ip vrf a_central 
 rd 3:11
 route-target both 3:1 
 route-target both 3:30 
! 
ip vrf b_central 
 rd 3:21 
 route-target both 3:2 
 route-target both 3:30

Create the VRFs for the virtual private networks on provider edge PE3:

PE3(config)#
ip vrf a_central 
 rd 3:11 
 route-target both 3:1 
 route-target both 3:30 
! 
ip vrf b 
 rd 3:2 
 route-target both 3:2 
! 
ip vrf b_central 
 rd 3:21 
 route-target both 3:2 
 route-target both 3:30 

Task 4: Create VRFs for A2, B1, A1 and B2

Attach the provider edge-to-customer edge (PE-CE) links to the newly created VRFs with the following commands on PE2:

PE2(config)#
interface Serial2/0 
 ip vrf forwarding a 
 ip address 150.1.31.5 255.255.255.252 
! 
interface Serial2/1 
 ip vrf forwarding b_central 
 ip address 150.1.32.1 255.255.255.252 
! 
interface Serial2/2 
 ip vrf forwarding a_central 
 ip address 150.1.31.9 255.255.255.252 

Note: The “ip vrf forwarding name” command removes the IP address from the interface, so the IP address needs to be reconfigured.

Attach the PE-CE link to the newly created VRFs with the following commands on PE3:

PE3(config)#
interface Serial2/0 
 ip vrf forwarding b_central 
 ip address 150.1.32.9 255.255.255.252 
! 
interface Serial2/1 
 ip vrf forwarding a_central 
 ip address 150.1.31.1 255.255.255.252 
! 
interface Serial2/2 
 ip vrf forwarding b 
 ip address 150.1.32.5 255.255.255.252

Task 5: Configure OSPF on CE Routers

The following commands need to be entered on the A2 router:

A2(config)#
router ospf 3 
 network 0.0.0.0 255.255.255.255 area 0 

The following commands need to be entered on the B1 router:

B1(config)#
router ospf 3 
 network 0.0.0.0 255.255.255.255 area 0 

The following commands need to be entered on the A1 router:

A1(config)#
router ospf 3 
 network 0.0.0.0 255.255.255.255 area 0 

The following commands need to be entered on the B2 router:

B2(config)#
router ospf 3 
 network 0.0.0.0 255.255.255.255 area 0 

Task 6: Configure new VRFs for A2, B1, A1, B2 on PE routers

The following commands need to be entered on PE2:

PE2(config)#
router ospf 3 vrf a_central 
 log-adjacency-changes 
 redistribute bgp 3 subnets 
 network 150.1.0.0 0.0.255.255 area 0 
! 
router ospf 4 vrf b_central 
 log-adjacency-changes 
 redistribute bgp 3 subnets 
 network 150.1.0.0 0.0.255.255 area 0 
! 
router ospf 7 vrf a 
 log-adjacency-changes 
 redistribute bgp 3 subnets 
 network 150.1.0.0 0.0.255.255 area 0 

The following commands need to be entered on PE3 router: 

PE3(config)#
router ospf 4 vrf b_central 
 log-adjacency-changes 
 redistribute bgp 3 subnets 
 network 150.1.0.0 0.0.255.255 area 0 
! 
router ospf 3 vrf a_central 
 log-adjacency-changes 
 redistribute bgp 3 subnets 
 network 150.1.0.0 0.0.255.255 area 0 
! 
router ospf 6 vrf b 
 log-adjacency-changes 
 redistribute bgp 3 subnets 
 network 150.1.0.0 0.0.255.255 area 0

Task 7: Redistribute vrf – ospf in BGP Routing Protocol

The following commands need to be entered on PE2:

PE2(config)#
router bgp 3 
 bgp log-neighbor-changes 
 neighbor 192.168.3.3 remote-as 3 
 neighbor 192.168.3.3 update-source Loopback0 
 ! 
 address-family ipv4 vrf b_central 
 redistribute ospf 4 vrf b_central 
 no synchronization 
 exit-address-family 
 ! 
 address-family ipv4 vrf a_central 
 redistribute ospf 3 vrf a_central 
 no synchronization 
 exit-address-family 
 ! 
 address-family ipv4 vrf a 
 redistribute ospf 7 vrf a 
 no synchronization 
 exit-address-family 

The following commands need to be entered on PE3 router:

PE3(config)#
router bgp 3 
 bgp log-neighbor-changes 
 neighbor 192.168.3.2 remote-as 3 
 neighbor 192.168.3.2 update-source Loopback0 
 ! 
 address-family ipv4 vrf b_central 
 redistribute ospf 4 vrf b_central 
 no synchronization 
 exit-address-family 
 ! 
 address-family ipv4 vrf b 
 redistribute ospf 6 vrf b 
 no synchronization
 exit-address-family 
 ! 
 address-family ipv4 vrf a_central 
 redistribute ospf 3 vrf a_central 
 no synchronization 
 exit-address-family

Verification:

Step 1: Verify the OSPF adjacency on A2, B1, A1, B2 and on PE2, PE3. Use the “show ip ospf neighbor” command. You should get a printout similar to the one below:

PE3#show ip ospf neighbor

Neighbor ID     Pri     State       Dead Time     Address         Interface 
192.168.3.5      1      FULL/DR     00:00:39      192.168.3.14    FastEthernet0/0 
203.2.2.1        0      FULL/ -     00:00:35      150.1.32.6      Serial2/2 
203.1.1.1        0      FULL/ -     00:00:35      150.1.31.2      Serial2/1 
203.2.1.1        0      FULL/ -     00:00:35      150.1.32.10     Serial2/0

Step 2: Check the OSPF topology database on A1.

Use the “show ip ospf database” command. You should see router link states (resulting from OSPF connectivity between the PE and the CE router) and type-5 external link states.

A1#show ip ospf database
 OSPF Router with ID (203.1.1.1) (Process ID 3) 

                Router Link States (Area 0) 

Link ID       ADV Router    Age     Seq#          Checksum     Link Count 
150.1.31.1    150.1.31.1    253     0x80000002    0x5ABC           2 
150.1.31.9    150.1.31.9    283     0x80000002    0xFAFB           2 
203.1.1.1     203.1.1.1     253     0x80000003    0x3057           6 

                Type-5 AS External Link States 

Link ID       ADV Router    Age     Seq#          Checksum     Tag 
150.1.31.4    150.1.31.1    199     0x80000001    0x264A       3489660931 
150.1.31.4    150.1.31.9    216     0x80000001    0xF572       3489660931 
150.1.32.0    150.1.31.1    153     0x80000002    0xFA18       3489660931
150.1.32.0    150.1.31.9    216     0x80000001    0x1358       3489660931 
150.1.32.8    150.1.31.1    153     0x80000002    0xF079       3489660931 
150.1.32.8    150.1.31.9    216     0x80000001    0x7C87       3489660931 
203.1.0.2     150.1.31.1    199     0x80000001    0xD058       3489660931 
203.1.0.2     150.1.31.9    216     0x80000001    0xA080       3489660931 
203.1.2.1     150.1.31.1    199     0x80000001    0xC463       3489660931 
203.1.2.1     150.1.31.9    216     0x80000001    0x948B       3489660931 
203.2.0.1     150.1.31.1    199     0x80000001    0xCE5A       3489660931 
203.2.0.1     150.1.31.9    218     0x80000001    0x9E82       3489660931 
203.2.1.1     150.1.31.1    200     0x80000001    0xC364       3489660931 
203.2.1.1     150.1.31.9    218     0x80000001    0x938C       3489660931

Step 3: Inspect individual link-state advertisement (LSA) on the CE router

Use “show ip ospf database type prefix” command and verify the settings of the down bit.

A1#sh ip ospf database external 150.1.31.4
         OSPF Router with ID (203.1.1.1) (Process ID 3) 

                    Type-5 AS External Link States 

 Routing Bit Set on this LSA 
 LS age: 859 
 Options: (No TOS-capability, DC) 
 LS Type: AS External Link 
 Link State ID: 150.1.31.4 (External Network Number ) 
 Advertising Router: 150.1.31.1 
 LS Seq Number: 80000001 
 Checksum: 0x264A 
 Length: 36 
 Network Mask: /30 
    Metric Type: 2 (Larger than any link state path) 
    TOS: 0 
    Metric: 1 
    Forward Address: 0.0.0.0 
    External Route Tag: 3489660931

 Routing Bit Set on this LSA 
 LS age: 877 
 Options: (No TOS-capability, DC) 
 LS Type: AS External Link 
 Link State ID: 150.1.31.4 (External Network Number ) 
 Advertising Router: 150.1.31.9 
 LS Seq Number: 80000001 
 Checksum: 0xF572 
 Length: 36 
 Network Mask: /30 
    Metric Type: 2 (Larger than any link state path) 
    TOS: 0 
    Metric: 1 
    Forward Address: 0.0.0.0 
    External Route Tag: 3489660931
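
The External Route Tag 3489660931 in the printout above is 0xD0000003, which is the default VPN route tag layout from RFC 4577 with the provider's BGP AS number 3 in the low 16 bits. The following is an added example (not part of the original lab) that pulls the tags out of “show ip ospf database external” output and decodes them; the function names are assumptions, and the third LSA in the sample is constructed to show a route that did not come from the backbone.

```python
import re

# Trimmed from the A1 printout above. The last LSA is constructed for this
# example: an external route with tag 0, i.e. not redistributed by a PE.
SAMPLE = """\
 Link State ID: 150.1.31.4 (External Network Number )
 Advertising Router: 150.1.31.1
    External Route Tag: 3489660931
 Link State ID: 150.1.31.4 (External Network Number )
 Advertising Router: 150.1.31.9
    External Route Tag: 3489660931
 Link State ID: 198.51.100.0 (External Network Number )
 Advertising Router: 203.1.1.1
    External Route Tag: 0
"""

LSA_RE = re.compile(
    r"Link State ID: (\S+).*?Advertising Router: (\S+).*?External Route Tag: (\d+)",
    re.S,
)

def decode_vpn_route_tag(tag):
    """Split a 32-bit external route tag into the RFC 4577 default fields."""
    return {
        "automatic": bool(tag >> 31 & 1),   # tag was generated automatically
        "complete": bool(tag >> 30 & 1),    # path information is complete
        "path_length": tag >> 28 & 0b11,    # 01 in the default VPN route tag
        "arbitrary": tag >> 16 & 0xFFF,     # 12 bits, zero by default
        "asn": tag & 0xFFFF,                # AS number of the MPLS backbone
    }

def default_vpn_route_tag(asn):
    """Build the default tag a PE in a 2-byte AS attaches to type-5 LSAs."""
    if not 0 < asn <= 0xFFFF:
        raise ValueError("default layout only holds a 2-byte AS number")
    return 0xD0000000 | asn

def audit(text, provider_asn):
    """Return (link_state_id, adv_router, tag, from_backbone) per LSA."""
    expected = default_vpn_route_tag(provider_asn)
    return [(lsid, adv, int(tag), int(tag) == expected)
            for lsid, adv, tag in LSA_RE.findall(text)]

if __name__ == "__main__":
    for lsid, adv, tag, ok in audit(SAMPLE, provider_asn=3):
        print(lsid, adv, hex(tag), decode_vpn_route_tag(tag)["asn"], ok)
```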

Step 4: Inspect the BGP routes on the PE routers and identify the OSPF-specific attributes and their meaning.

Use the “show ip bgp vpnv4 vrf name prefix” command, which will produce a printout similar to the one below:

PE3#show ip bgp vpnv4 vrf a_central 203.2.0.1
BGP routing table entry for 3:11:203.2.0.1/32, version 75 
Paths: (1 available, best #1, table a_central) 
 Not advertised to any peer 
 Local, imported path from 3:21:203.2.0.1/32 
    150.1.32.10 (via b_central) from 0.0.0.0 (192.168.3.3) 
        Origin incomplete, metric 49, localpref 100, weight 32768, valid, external, best 
        Extended Community: RT:3:2 RT:3:30 OSPF DOMAIN ID:0x0005:0x000000040200 
            OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:150.1.32.9:512

Step 5: Inspect the OSPF routes on the PE routers and verify that the OSPF routes announced by other PE routers are not used (as indicated by the routing bit not set printout).

Step 6: Verify connectivity across VPN by using ping and trace commands on the CE routers and ping vrf and trace vrf commands on the PE routers.