Sunday, 22 September 2019

Part 3 - Cisco MPLS L3VPN Lab

In the previous post we looked at the BGP and MPLS configuration.

Stage 1 - Build OSPF/ISIS Areas - COMPLETE
Stage 2 - Configure BGP, Create ASBRs/PEs, use RR via R7/R8 - COMPLETE
Stage 3 - Enable MPLS - COMPLETE
Stage 4 - Create InterAS OptC (multihop vpnv4 ebgp between RR lo)
Stage 5 - Connect CEs, CUST1=OSPF CUST2=BGP
Stage 6 - replace some routers with Juniper

Let's move on and configure the final stages! So far we have two ASes joined at the same level via MPLS and BGP. The problem is that, for us to build the Layer 3 VPN tunnels, each AS needs to learn the VPNv4 destinations in the other AS, so that MPLS label-switched paths can be built for the traffic coming from the CE devices. The trick here is to peer the route-reflectors of the two ASes with each other and share the VPNv4 routes between them. A few notes on this design:


. the next hop must remain unchanged when routes are sent between the route-reflectors, so that the route-reflectors themselves do not become part of the data path
. add the VPNv4 address family to the route-reflectors first, to make the configuration update easier
. eBGP multihop is required for the route-reflectors to reach each other, since they peer between loopbacks that are several hops apart across the two ASes
. the ASBRs do NOT need VPNv4 configured on them, since they take no part in the VPNv4 process (they simply forward traffic based on the MPLS label), BUT the ASBRs do need a static route to work around a fault in the XRv code that doesn't allocate the route correctly

The following shows us the peerings that we will now create:

Stage 4 - Create InterAS OptC

We need to peer the route-reflectors, and turn on the VPNV4 address family for all BGP peers.

R7
router bgp 21
 neighbor 8.8.8.8 remote-as 111
 neighbor 8.8.8.8 ebgp-multihop 255
 neighbor 8.8.8.8 update-source Loopback0
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
  neighbor 1.1.1.1 inherit peer-policy AS21
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 send-community extended
  neighbor 6.6.6.6 inherit peer-policy AS21
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community both
  neighbor 8.8.8.8 next-hop-unchanged
 exit-address-family
!

R1
router bgp 21
 address-family vpnv4 unicast
 !
 neighbor 7.7.7.7
  address-family vpnv4 unicast
   next-hop-self
!

R2
router static
 address-family ipv4 unicast
  10.0.29.2/32 GigabitEthernet0/0/0/0
 !
!

R6
router bgp 21
!
 address-family vpnv4
  neighbor 7.7.7.7 activate
  neighbor 7.7.7.7 send-community extended
  neighbor 7.7.7.7 next-hop-self
 exit-address-family
 !


R8
router bgp 111
 neighbor 7.7.7.7 remote-as 21
 neighbor 7.7.7.7 ebgp-multihop 255
 neighbor 7.7.7.7 update-source Loopback0
 !
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
  neighbor 4.4.4.4 inherit peer-policy AS111
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
  neighbor 5.5.5.5 inherit peer-policy AS111
  neighbor 7.7.7.7 activate
  neighbor 7.7.7.7 send-community both
  neighbor 7.7.7.7 next-hop-unchanged
 exit-address-family
!
!

R3
router static
 address-family ipv4 unicast
  10.0.103.2/32 GigabitEthernet0/0/0/2
 !
!

R4
router bgp 111
 address-family vpnv4 unicast
 !
 neighbor 8.8.8.8
  address-family vpnv4 unicast
   next-hop-self
  !
 !

R5
router bgp 111
 address-family vpnv4
  neighbor 8.8.8.8 activate
  neighbor 8.8.8.8 send-community extended
  neighbor 8.8.8.8 next-hop-self
 exit-address-family
 !

That's done! Let's have a look at the BGP output on the route-reflector:

R8# sh ip bgp all sum
For address family: IPv4 Unicast

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3           4          111     102     123       58    0    0 01:27:10        8
4.4.4.4           4          111       9       32        58    0    0 00:05:11        0
5.5.5.5           4          111       6       20        58    0    0 00:01:32        0
7.7.7.7           4           21      10       10        43    0    0 00:00:26        5
9.9.9.9           4          111     115     136       58    0    0 01:27:21        6

For address family: VPNv4 Unicast

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4           4          111       9      32        1    0    0 00:05:11        0
5.5.5.5           4          111       6      20        1    0    0 00:01:32        0
7.7.7.7           4           21      10      10        1    0    0 00:00:26        0

Looks good! We now have VPNv4 peerings to the local AS PEs as well as to the other AS's route-reflector.
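Reading the summary by eye works for five peers, but in a design like this the things worth confirming each time are that every intended VPNv4 session is Established with the expected remote AS and that nothing else has a VPNv4 session (an unplanned VPNv4 peer can inject customer routes). The following Python script is an added example, not part of the original post: it parses "show ip bgp all summary" output per address family and compares the VPNv4 table with the intended peerings. The SAMPLE text is constructed in the shape of the R8 output above; the 9.9.9.9 VPNv4 row is invented to show how a non-Established session appears.

```python
import re

# Constructed sample in the shape of "sh ip bgp all sum" on R8. The VPNv4 row for
# 9.9.9.9 is invented: a session that is not Established shows a state word
# (Idle, Active, Connect, ...) in the State/PfxRcd column instead of a count.
SAMPLE = """\
For address family: IPv4 Unicast

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3           4          111     102     123       58    0    0 01:27:10        8
7.7.7.7           4           21      10      10       43    0    0 00:00:26        5

For address family: VPNv4 Unicast

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4           4          111       9      32        1    0    0 00:05:11        0
5.5.5.5           4          111       6      20        1    0    0 00:01:32        0
7.7.7.7           4           21      10      10        1    0    0 00:00:26        0
9.9.9.9           4          111       0       0        1    0    0 never    Idle
"""

AF_RE = re.compile(r"^For address family: (?P<af>.+?)\s*$")
# peer, version, AS, then MsgRcvd MsgSent TblVer InQ OutQ, then Up/Down and State/PfxRcd
ROW_RE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_bgp_summary(text):
    """Parse "show ip bgp all summary" into {address_family: {peer: info}}.

    A numeric State/PfxRcd value means the session is Established and the
    number is the prefix count; any other value is the BGP session state.
    """
    result, af = {}, None
    for line in text.splitlines():
        m = AF_RE.match(line)
        if m:
            af = m.group("af")
            result[af] = {}
            continue
        m = ROW_RE.match(line)
        if m and af is not None:
            state = m.group("state")
            up = state.isdigit()
            result[af][m.group("peer")] = {
                "as": int(m.group("asn")),
                "up": up,
                "pfx": int(state) if up else None,
                "state": "Established" if up else state,
            }
    return result


def check_option_c_peering(summary, expected):
    """Compare the VPNv4 table with the intended peerings.

    expected maps peer IP -> remote AS. Returns a list of findings; an empty
    list means every intended VPNv4 session is up with the right AS and no
    VPNv4 session exists that the design did not call for.
    """
    findings = []
    vpnv4 = summary.get("VPNv4 Unicast", {})
    for peer, asn in expected.items():
        row = vpnv4.get(peer)
        if row is None:
            findings.append(f"{peer}: no VPNv4 session (address family not activated?)")
        elif row["as"] != asn:
            findings.append(f"{peer}: remote AS is {row['as']}, expected {asn}")
        elif not row["up"]:
            findings.append(f"{peer}: VPNv4 session is {row['state']}")
    for peer, row in vpnv4.items():
        if peer not in expected:
            findings.append(f"{peer}: VPNv4 peer not in the intended design (AS {row['as']})")
    return findings


if __name__ == "__main__":
    # R8's intended VPNv4 peers: its own PEs R4/R5 plus the AS 21 route-reflector R7
    summary = parse_bgp_summary(SAMPLE)
    for finding in check_option_c_peering(summary, {"4.4.4.4": 111, "5.5.5.5": 111, "7.7.7.7": 21}):
        print(finding)
```

Run against the sample, the only finding is the 9.9.9.9 VPNv4 session, which matches the design note above that the ASBRs should not be VPNv4 peers at all.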

Stage 5 - Connect CEs, CUST1=OSPF CUST2=BGP

Time to set up the VRFs on the PEs and peer the PE and CE devices, so that we can get traffic across the Inter-AS MPLS core between the CEs.

We will set up the VRF and create the BGP/OSPF peering at the same time.

. for the OSPF peering, we will use process 1
. we need to redistribute between the CE-facing OSPF/BGP peering and the VPNv4 BGP network, so that the customer routes can be carried across the MPLS core
. a Route-Distinguisher and Route-Target need to be configured, specific to the CUST1/CUST2 network peering (so that the PEs know which route-targets to import for that customer)

R1
vrf CUST1
 address-family ipv4 unicast
  import route-target
   100:100
  !
  export route-target
   100:100
  !
 !
!

router ospf 1
 vrf CUST1
  router-id 1.1.1.1
  redistribute connected
  redistribute bgp 21
  address-family ipv4 unicast
  area 0
   interface GigabitEthernet0/0/0/3
   !
  !
 !
!

router bgp 21
 vrf CUST1
  rd 1:11
  address-family ipv4 unicast
   network 10.11.11.0/30
   redistribute ospf 1 match internal external nssa-external
  !
 !
!

R11
router ospf 1
 router-id 11.11.11.11
 network 0.0.0.0 255.255.255.255 area 0
!


R6
vrf definition CUST2
 rd 2:2
 route-target export 200:200
 route-target import 200:200
 !
 address-family ipv4
 exit-address-family
!

interface GigabitEthernet3
 vrf forwarding CUST2
 ip address 10.22.22.1 255.255.255.252
!
router bgp 21
 !
 address-family ipv4 vrf CUST2
  redistribute connected
  neighbor 10.22.22.2 remote-as 2
  neighbor 10.22.22.2 activate
  neighbor 10.22.22.2 send-community both
 exit-address-family


R12
router bgp 2
 bgp router-id 12.12.12.12
 bgp log-neighbor-changes
 neighbor 10.22.22.1 remote-as 21
 !
 address-family ipv4
  redistribute connected
  neighbor 10.22.22.1 activate
  neighbor 10.22.22.1 send-community both
  neighbor 10.22.22.1 allowas-in
 exit-address-family


R4

vrf CUST1
 address-family ipv4 unicast
  import route-target
   100:100
  !
  export route-target
   100:100
  !
 !
!

router ospf 1
 vrf CUST1
  router-id 4.4.4.4
  redistribute connected
  redistribute bgp 111
  address-family ipv4 unicast
  area 0
   interface GigabitEthernet0/0/0/0
   !
  !
 !
!

router bgp 111
 vrf CUST1
  rd 1:1
  address-family ipv4 unicast
   network 10.11.111.0/30
   redistribute ospf 1 match internal external nssa-external
  !
 !
!


R14
router ospf 1
 router-id 14.14.14.14
 network 0.0.0.0 255.255.255.255 area 0

!

R5
vrf definition CUST2
 rd 2:22
 route-target export 200:200
 route-target import 200:200
 !
 address-family ipv4
 exit-address-family

!
interface GigabitEthernet1
 vrf forwarding CUST2
 ip address 10.22.222.1 255.255.255.252

!
router bgp 111
 address-family ipv4 vrf CUST2
  redistribute connected
  neighbor 10.22.222.2 remote-as 2
  neighbor 10.22.222.2 activate
  neighbor 10.22.222.2 send-community both
 exit-address-family
!


R13
router bgp 2
 bgp router-id 13.13.13.13
 bgp log-neighbor-changes
 neighbor 10.22.222.1 remote-as 111
 !
 address-family ipv4
  redistribute connected
  neighbor 10.22.222.1 activate
  neighbor 10.22.222.1 send-community both
  neighbor 10.22.222.1 allowas-in
 exit-address-family
!
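The route-targets are what keep CUST1 and CUST2 apart inside the shared VPNv4 table, so the two things to verify across the PEs are that every PE of a customer imports what the other PEs export, and that no VRF imports a route-target that a different customer's VRF exports (that is how one customer's routes end up in another's table). The following Python script is an added example, not part of the original post: it parses VRF definitions in both the IOS-XR form used on R1/R4 and the classic IOS form used on R6/R5, then audits them across PEs. The PE_CONFIGS samples are trimmed, constructed copies of the configs in this stage, and LEAKY_R5 is an invented misconfiguration used to show what a cross-VRF leak looks like.

```python
import re

# Constructed, trimmed copies of the PE VRF configs above. XR_CUST1 is the
# IOS-XR form (R1/R4), the R6/R5 entries the IOS form.
XR_CUST1 = """
vrf CUST1
 address-family ipv4 unicast
  import route-target
   100:100
  !
  export route-target
   100:100
  !
 !
!
"""
PE_CONFIGS = {
    "R1": XR_CUST1,
    "R4": XR_CUST1,
    "R6": """
vrf definition CUST2
 rd 2:2
 route-target export 200:200
 route-target import 200:200
 !
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet3
 vrf forwarding CUST2
 ip address 10.22.22.1 255.255.255.252
!
""",
    "R5": """
vrf definition CUST2
 rd 2:22
 route-target export 200:200
 route-target import 200:200
!
""",
}
# Invented misconfiguration: R5 also imports CUST1's route-target into CUST2.
LEAKY_R5 = PE_CONFIGS["R5"].replace(" route-target import 200:200\n",
                                    " route-target import 200:200\n route-target import 100:100\n")

RT_RE = re.compile(r"^\d+:\d+$")


def parse_vrf_rts(config):
    """Return {vrf: {"import": set(), "export": set()}} from IOS or IOS-XR config text."""
    vrfs, vrf, rt_dir = {}, None, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if not raw.startswith(" "):                  # any top-level command ends a VRF block
            m = re.match(r"^vrf(?: definition)? (\S+)$", stripped)
            vrf, rt_dir = (m.group(1) if m else None), None
            if vrf:
                vrfs.setdefault(vrf, {"import": set(), "export": set()})
            continue
        if vrf is None:
            continue
        m = re.match(r"^route-target (import|export|both) (\S+)$", stripped)  # IOS one-liner
        if m:
            for d in (("import", "export") if m.group(1) == "both" else (m.group(1),)):
                vrfs[vrf][d].add(m.group(2))
        elif re.match(r"^(import|export) route-target$", stripped):         # IOS-XR sub-block
            rt_dir = stripped.split()[0]
        elif stripped == "!":
            rt_dir = None
        elif rt_dir and RT_RE.match(stripped):
            vrfs[vrf][rt_dir].add(stripped)
    return vrfs


def audit_route_targets(pe_configs):
    """Cross-PE audit; pe_configs maps PE name -> config text. Returns findings.

    Finding 1: a PE's VRF does not import an RT that another PE exports for the
    same customer VRF (routes silently missing at that site).
    Finding 2: a VRF imports an RT that a different VRF exports, pulling one
    customer's routes into another customer's table.
    """
    per_vrf = {}                                      # vrf -> {pe: rts}
    for pe, cfg in pe_configs.items():
        for vrf, rts in parse_vrf_rts(cfg).items():
            per_vrf.setdefault(vrf, {})[pe] = rts
    findings, exporters, importers = [], {}, {}
    for vrf, by_pe in per_vrf.items():
        exported = set().union(*(r["export"] for r in by_pe.values()))
        for pe, rts in by_pe.items():
            missing = exported - rts["import"]
            if missing:
                findings.append(f"{pe} vrf {vrf}: does not import {sorted(missing)}")
            for rt in rts["export"]:
                exporters.setdefault(rt, set()).add(vrf)
            for rt in rts["import"]:
                importers.setdefault(rt, set()).add(vrf)
    for rt, vrf_names in importers.items():
        for vrf in vrf_names:
            others = exporters.get(rt, set()) - {vrf}
            if others:
                findings.append(f"vrf {vrf} imports {rt} exported by {sorted(others)}: cross-VRF leak")
    return findings


if __name__ == "__main__":
    print("lab configs:", audit_route_targets(PE_CONFIGS) or "clean")
    print("leaky R5:", audit_route_targets(dict(PE_CONFIGS, R5=LEAKY_R5)))
```

The lab configs audit clean; the LEAKY_R5 variant produces a single cross-VRF leak finding for CUST2. The parser only keys on indentation and the route-target keywords, so it is happy with either platform's syntax but ignores everything else in the config.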


And we should now be configured! Let's have a look at routers R13 and R14 and see what the trace looks like across to their partner CEs connected to the other AS:

R13# sh ip route

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B        10.22.22.0/30 [20/0] via 10.22.222.1, 00:06:28
C        10.22.222.0/30 is directly connected, GigabitEthernet0/0
L        10.22.222.2/32 is directly connected, GigabitEthernet0/0
      12.0.0.0/32 is subnetted, 1 subnets
B        12.12.12.12 [20/0] via 10.22.222.1, 00:06:28
      13.0.0.0/32 is subnetted, 1 subnets
C        13.13.13.13 is directly connected, Loopback0

R13# traceroute 12.12.12.12 source lo0
Type escape sequence to abort.
Tracing the route to 13.13.13.13
VRF info: (vrf in name/id, vrf out name/id)
  1 10.22.222.1 5 msec 4 msec 5 msec
  2 10.0.35.1 [MPLS: Labels 24004/23/27 Exp 0] 18 msec 16 msec 17 msec
  3 10.0.39.2 [MPLS: Labels 23/27 Exp 0] 19 msec 44 msec 71 msec
  4 10.0.29.1 [MPLS: Labels 24002/27 Exp 0] 30 msec 16 msec 16 msec
  5 10.22.22.1 [AS 21] [MPLS: Label 27 Exp 0] 16 msec 16 msec 17 msec
  6 10.22.22.2 [AS 21] 18 msec 18 msec *

R14# sh ip route
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2     10.11.11.0/30 [110/1] via 10.11.111.1, 00:07:58, GigabitEthernet0/0
C        10.11.111.0/30 is directly connected, GigabitEthernet0/0
L        10.11.111.2/32 is directly connected, GigabitEthernet0/0
        11.0.0.0/32 is subnetted, 1 subnets
O IA     11.11.11.11 [110/2] via 10.11.111.1, 00:07:58, GigabitEthernet0/0
        14.0.0.0/32 is subnetted, 1 subnets
C        14.14.14.14 is directly connected, Loopback0

R14# traceroute 11.11.11.11 so lo0
Type escape sequence to abort.
Tracing the route to 11.11.11.11
VRF info: (vrf in name/id, vrf out name/id)
  1 10.11.111.1 4 msec 3 msec 2 msec
  2 10.0.49.2 [MPLS: Labels 16/24005/24016 Exp 0] 19 msec 17 msec 18 msec
  3 10.0.39.1 [MPLS: Labels 24005/24016 Exp 0] 21 msec 22 msec 19 msec
  4 10.0.103.2 [MPLS: Labels 16/24016 Exp 0] 20 msec 21 msec 81 msec
  5 10.0.110.1 [MPLS: Label 24016 Exp 0] 20 msec 19 msec 21 msec
  6 10.11.11.2 21 msec *  22 msec

Exactly what we were looking for! At the start of each trace there are three labels: the IGP transport label towards the local ASBR, the BGP label for the remote PE loopback learnt via the ASBR peering, and the VPN label at the bottom of the stack. One label gets stripped as the packets cross the eBGP peering between the ASes, and then a single label is left, which PHP (penultimate hop popping, on the second-to-last router) removes before the packet reaches the destination.
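The label stack in a traceroute is the quickest way to see whether an Option C path is behaving as described: the depth should go 3, then 2 after the ASBR peering, then 1 after PHP, and the bottom (VPN) label should stay the same all the way. The following Python script is an added example, not part of the original post: it parses the Cisco traceroute output into per-hop label stacks and checks those properties. R13_TRACE is a constructed copy of the R13 output above.

```python
import re

# Constructed copy of the R13 traceroute output shown above.
R13_TRACE = """\
Type escape sequence to abort.
Tracing the route to 13.13.13.13
VRF info: (vrf in name/id, vrf out name/id)
  1 10.22.222.1 5 msec 4 msec 5 msec
  2 10.0.35.1 [MPLS: Labels 24004/23/27 Exp 0] 18 msec 16 msec 17 msec
  3 10.0.39.2 [MPLS: Labels 23/27 Exp 0] 19 msec 44 msec 71 msec
  4 10.0.29.1 [MPLS: Labels 24002/27 Exp 0] 30 msec 16 msec 16 msec
  5 10.22.22.1 [AS 21] [MPLS: Label 27 Exp 0] 16 msec 16 msec 17 msec
  6 10.22.22.2 [AS 21] 18 msec 18 msec *
"""

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)(?P<rest>.*)$")
# Cisco prints the stack top (outer) label first, so the last value is the VPN label.
LABELS_RE = re.compile(r"\[MPLS: Labels? (?P<labels>[\d/]+) Exp \d+\]")


def parse_traceroute(text):
    """Return [{"hop", "ip", "labels"}] with labels listed outer label first."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                                   # banner lines
        lm = LABELS_RE.search(m.group("rest"))
        labels = [int(x) for x in lm.group("labels").split("/")] if lm else []
        hops.append({"hop": int(m.group("hop")), "ip": m.group("ip"), "labels": labels})
    return hops


def label_depths(hops):
    """Label stack depth per hop, e.g. [0, 3, 2, 2, 1, 0] for the R13 trace."""
    return [len(h["labels"]) for h in hops]


def check_option_c_labels(hops):
    """Check the label behaviour described in the post. Returns a list of problems."""
    problems = []
    labelled = [h for h in hops if h["labels"]]
    if not labelled:
        return ["no MPLS labels seen: the path is not label-switched"]
    if len(labelled[0]["labels"]) != 3:
        problems.append(f"first labelled hop carries {len(labelled[0]['labels'])} labels, expected 3")
    bottoms = {h["labels"][-1] for h in labelled}
    if len(bottoms) != 1:
        problems.append(f"bottom (VPN) label changed along the path: {sorted(bottoms)}")
    if len(labelled[-1]["labels"]) != 1:
        problems.append("last labelled hop should carry only the VPN label after PHP")
    if hops[-1]["labels"]:
        problems.append("the final hop still carries a label")
    return problems


if __name__ == "__main__":
    hops = parse_traceroute(R13_TRACE)
    print("depths:", label_depths(hops))
    print("problems:", check_option_c_labels(hops) or "none")
```

The same parser works on the R14 trace, where the depths are identical and the bottom label is 24016 throughout.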

So that's done. We now have a working Cisco-based Inter-AS Option C design. Feel free to play with this design and config; it's great for testing and also for learning about OSPF/IS-IS databases and peering designs, as well as VPNv4 route traffic and VRFs.

You can download the complete Cisco config HERE

In the final post, we will have a quick look at changing some of the routers from Cisco to Juniper. You can jump to that post HERE.


