Confidential
SmartEdge Multi-Service Edge Router
MPLS L3 VPN
Reference seos5.0.7.2

Redback Networks Inc.
Legal Notices
Copyright © 2001-2005, Redback Networks Inc. All Rights Reserved.
Redback is a registered trademark of Redback Networks Inc. SmartEdge, Subscriber Management System, and NetOp are trademarks of Redback Networks Inc. All other brands or names are the property of their respective owners.
All statements, specifications, recommendations, and technical information contained in this manual, documentation, and/or accompanying software (“Materials”) are current or planned as of the date of publication of this document. They are believed to be accurate as of the time of this writing and are presented without warranty of any kind, expressed or implied. In an effort to continuously improve the product and add features, Redback Networks Inc. ("Redback") reserves the right to change any specifications contained in these Materials without prior notice of any kind.
These Materials are provided for use only with Redback’s products or services purchased from Redback or its authorized reseller, and include trade secrets, copyrighted information, and confidential information of Redback. The authorized user of these Materials agrees not to disclose or copy these Materials without the written consent of Redback, and agrees not to use these Materials other than with Redback’s products or services.

License Agreement
CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS. BY USING THE MATERIALS AND/OR INSTALLING AND USING REDBACK SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THESE TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, DO NOT USE THESE MATERIALS.
Subject to the terms and conditions of this Agreement, Redback grants to the original end user of the products ("Licensee") a personal, nonexclusive and nontransferable license to use the Materials solely for your internal use. If the Materials include Redback software (“Software”), Redback grants to Licensee a nonexclusive and nontransferable license to use the Software for which Licensee has paid the required license fees, in object code form only, in accordance with the terms and conditions of this agreement solely in connection with the use of Redback equipment, on a single hardware chassis, or on a single central processing unit, as applicable, owned or leased by Licensee. If Licensee has purchased a multi-user license, then, subject to the terms and conditions of this Agreement, Licensee is granted a nonexclusive and nontransferable license to allow the number of simultaneous users authorized under such license and for which Licensee has paid the required license fee to use the Software.
Licensee agrees not to make any copies of the Software or the Documentation, in whole or in part, other than one copy for archival purposes only. Licensee agrees not to modify, translate, reverse engineer, de-compile, disassemble, or create derivative works based on the Software, except to the extent that such limitation is prohibited by applicable law. Licensee agrees to take reasonable steps to safeguard copies of the Software against disclosure, copying or use by unauthorized persons, and to take reasonable steps to ensure that the provisions of this license are not violated by Licensee's employees or agents.
Licensee agrees that aspects of the Materials constitute trade secrets and/or copyrighted material of Redback or its suppliers. Licensee shall not disclose, provide, or otherwise make available such trade secrets or copyrighted material to any third party without the written consent of Redback.
All right, title and interest in and to the Materials, including all intellectual property rights therein, shall remain the property of Redback or its suppliers, subject only to the limited license granted to Licensee. This license is not a sale and does not transfer to Licensee any title or ownership in or to the Materials or any patent, copyright, trade secret, trade name, trademark or other proprietary or intellectual property rights related thereto.
This agreement shall continue in effect until terminated hereunder. This agreement shall terminate automatically on Licensee's failure to comply with any of the provisions herein, including any attempt to transfer this license or the Software or Documentation. Upon any termination, Licensee shall promptly destroy or return to Redback all copies of the Software and Documentation, including all original and archival copies. No refunds shall be given for such returned materials. Notwithstanding any termination of this License, the rights and obligations relating to title, warranty, termination and limitation of liability, as well as any other provisions which survive by their terms, shall survive termination.
The Software and Documentation are provided with Restricted Rights. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of The Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c) (1) and (2) of the Commercial Computer Software--Restricted Rights at 48 CFR 52.227-19, as applicable. Manufacturer is Redback Networks Inc., 300 Holger Way, San Jose, California 95134.
Licensee may not assign or transfer any of its rights or delegate any of its obligations under this agreement. No delay, failure or waiver by either party to exercise any right or remedy under this agreement shall operate to waive any exercise of such right or remedy or any other right or remedy. This agreement shall be governed by and construed in accordance with the laws of the State of California without regard to conflict of laws principles and without regard to the 1980 U.N. Convention on Contracts for the International Sale of Goods. If any provision in this agreement shall be found or be held to be invalid or unenforceable, then the meaning of said provision shall be construed, to the extent feasible, so as to render the provision enforceable, and the remainder of this agreement shall remain in full force and effect. This agreement constitutes the entire agreement between Licensee and Redback with respect to the subject matter of this agreement.
Licensee shall maintain and reproduce all copyright and other proprietary notices on all copies of the Materials in the same form and manner that such notices are included.
Neither the name of any third party Software developer nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission of such third party.

Limitation of Liability and Damages
THE FOLLOWING LIMITATION OF LIABILITY AND DAMAGES APPLIES TO ALL HARDWARE, SOFTWARE AND MATERIALS SOLD, LICENSED OR OTHERWISE DISTRIBUTED BY REDBACK OR ITS RESELLERS.
ALL MATERIALS ARE PROVIDED “AS IS”. IN NO EVENT SHALL REDBACK, ITS SUPPLIERS OR ITS DISTRIBUTORS BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGE, INCLUDING WITHOUT LIMITATION LOSS OF DATA, LOST PROFITS OR COST OF COVER, ARISING FROM THE USE OF THE HARDWARE, SOFTWARE OR MATERIALS OR ANY DEFECT IN THE HARDWARE, SOFTWARE OR MATERIALS, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. THIS LIMITATION SHALL APPLY EVEN IF REDBACK, ITS SUPPLIERS OR ITS DISTRIBUTOR SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH DAMAGE. IN PARTICULAR, BUT WITHOUT LIMITATION, REDBACK, ITS SUPPLIERS AND ITS DISTRIBUTORS SHALL HAVE NO LIABILITY FOR THE LOSS OF ANY INFORMATION STORED OR COMMUNICATED OR ATTEMPTED TO BE STORED OR COMMUNICATED WITHIN ANY REDBACK SYSTEM USING THE HARDWARE OR SOFTWARE.
THE MAXIMUM AGGREGATE LIABILITY OF REDBACK AND ITS SUPPLIERS FOR ANY CLAIM ARISING OUT OF USE OF THE HARDWARE, SOFTWARE OR MATERIALS OR ANY DEFECT IN THE HARDWARE, SOFTWARE OR MATERIALS, ON ANY AND ALL THEORIES OF LIABILITY, INCLUDING WITHOUT LIMITATION NEGLIGENCE BY REDBACK, SHALL IN ALL EVENTS BE LIMITED TO RETURN OF THE AMOUNTS ACTUALLY PAID TO REDBACK FOR THE DEFECTIVE HARDWARE OR SOFTWARE, LESS REASONABLE DEPRECIATION.

Welcome
Redback SmartEdge
MPLS L3 VPN course module

Logistics
Meals / breaks
Class Hours
Phones
Parking
Smoking
Rest Rooms
Local Emergencies
Fire Exits
Network Connectivity

Let's introduce
Please introduce yourself in a few words
–Who are you?
–What’s your experience so far with Redback?
–What do you expect from this course?
Is there something really urgent back at work which could cause you to drop out once in a while?

Documents available during the course
Student handout (yours to keep and use)
–Use them for your notes
–If you find something weird, please notify the trainer. We will either confirm its useful weirdness or make a note to fix it for the next training ☺
Product Manuals (yours to use)
–Use them during the training to find more details
–If you find something weird in the manuals, notify the trainer

Why Product Manuals?
Use them during the course to learn more on parameters and to explore options
We think they are pretty cool and we hope you start appreciating them as well
During this training we will talk about a preferred sequence on configuration. The manuals and chapters follow the same sequence. We will come back to this later during the hands-on sessions
When you finish the course, you are back to real life again and then the manuals might be very valuable to you

The manuals explained
Documentation Roadmap
–Includes a very handy Feature Locator
Configuration Guides
–Basic System Configuration Guide
–Routing Protocols Configuration Guide
–Ports, Circuits, and Tunnels Configuration Guide
Operations Guides
–Basic System Operations Guide
–Routing Protocols Operations Guide
–Ports, Circuits, and Tunnels Operations Guide

My wishes for this course
You to be happy and satisfied with the course
Positive Energy, interaction and dialogs
Sharing of project experience where appropriate
Last but not least > FUN
That I don’t forget the coffee breaks this time

Redback SmartEdge
MPLS L3 VPN module
Agenda

Agenda 1-3
Introduction
MPLS 101
Put things in place within the SmartEdge
MPLS L3 VPN lab topology
Configuration flow diagram
–Configure MPLS transport / backbone
–Configure VPN context
Configure IP backbone connectivity
–Flow diagram IP backbone
Configure OSPF backbone infrastructure
–Flow diagram OSPF backbone infrastructure
–Verification IP connectivity

Agenda 2-3
Configure MPLS and LDP (outer label)
–Flow diagram MPLS and LDP (outer label)
–LSP Verification
Configure L3 VPN (inner label)
–Flow diagram L3 VPN (I-BGP / inner label)
–iBGP setup for inner label distribution
–Verification L3 VPN (inner label)
Configure VPN context
–VPN Route Distribution
–Verification VPN context
Configure CE Router connection
–PE to CE IP connectivity
–Verification of CE Router connection
–Emulation of customer LANs connected to CEs

Agenda 3-3
End to end packet flow walk through verification
LSP scalability
–Filtering FECs within LDP (1-2)
CE using OSPF

MPLS 101

Introduction
This course has been designed to help you to configure and monitor MPLS L3 VPNs on the SmartEdge
Using multiple contexts you will build a routing network containing multiple routers as well as MPLS PE functionality
This course does not pretend to train you on how routing protocols are designed or which bits one can set in the routing update packets
To establish a neutral reference point we have summarized the main MPLS L3 VPN associated elements in the next slides
The prerequisite for this course is that all students attended the OSPF and BGP course module

Why MPLS?
MPLS is a well defined and agreed technology
–First IETF Working Group meeting in 1997
It addresses 2 major challenges within IP networks
–QoS
  –MPLS provides predictable paths for IP traffic
  –Very similar to ATM PVC
  –Predictable paths allow for traffic engineering and enable the network for triple play services
–VPN
  –Providers can separate customers' networks by just adding an MPLS label in front of the IP packet
  –Customers can even use overlapping IP spaces as IP is not exposed into the provider's backbone

MPLS functions and roles
Customer Equipment (CE) sends IP packets to PE router
Provider Edge (PE) router takes IP packets, labels them and sends them to P router (push)
Provider (P) router switches packets based on labels to destination (swap)
Penultimate P router removes outer label before sending to PE router (PHP)
PE router pops the inner label and forwards packet to VPN
And of course same approach opposite direction
[Diagram: PE, P, P, PE and CE in a row, labelled pop, php, swap and push]

IP Packets and MPLS labels
On the PE router each destination prefix is assigned:
–Outer label assigned by MPLS LDP or RSVP protocol
  –How to reach destination Provider Edge router
  –Label processed by each MPLS router in path
  –IGP infrastructure is used by MPLS LDP or RSVP
–Inner label assigned by I-BGP between two Provider Edge Routers
  –Ensures prefixes remain unique within PE Routers
  –Label processed by PE routers only
Each P router learns outer label values associated with a path between two PE routers based on MPLS LDP or RSVP protocol
–End to end this is referred to as Label Switch Path (LSP)

MPLS LSP
Creates a unique path between two Provider Edge Routers
Path is established using LDP or RSVP
The outer label has local significance and will change each hop
Each MPLS router maintains switch table containing ingress and egress label mapping
[Diagram: Label Switch Path (LSP) across PE, P, P, PE and CE, with endpoints 40.1.1.1 and 40.1.2.1. Packet layout: outer label MPLS: 300, inner label MPLS: 888, IP S:40.1.1.1 D:40.1.2.1. Along the path the outer label reads MPLS: 300, MPLS: 400, MPLS: 500 while the inner label stays MPLS: 888]
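
The push, swap, php and pop roles from the slides above, carried through on encoded label stack entries. This is an added example, not part of the original course material: it uses the slide's labels 300, 400 and 888, while the switch tables, the use of label value 3 (implicit null) on the last P router to model PHP, and the stand-in payload are assumptions made for the illustration.

```python
import struct

IMPLICIT_NULL = 3   # reserved label value: the downstream router asks for a pop (PHP)

def encode_entry(label, bottom, ttl=64, exp=0):
    """One 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("MPLS label must fit in 20 bits")
    return struct.pack("!I", label << 12 | exp << 9 | int(bottom) << 8 | ttl)

def decode_stack(packet):
    """Return (entries, payload); parsing stops at the bottom-of-stack (S) bit."""
    stack, off = [], 0
    while off + 4 <= len(packet):
        (word,) = struct.unpack_from("!I", packet, off)
        off += 4
        stack.append({"label": word >> 12, "exp": word >> 9 & 7, "ttl": word & 0xFF})
        if word >> 8 & 1:
            return stack, packet[off:]
    raise ValueError("no bottom-of-stack entry found")

def encode_stack(stack, payload):
    last = len(stack) - 1
    return b"".join(encode_entry(e["label"], i == last, e["ttl"], e["exp"])
                    for i, e in enumerate(stack)) + payload

def ingress_pe(ip_packet, inner, outer):
    """push: inner (VPN) label at the bottom, outer (LSP) label on top."""
    return encode_stack([{"label": outer, "exp": 0, "ttl": 64},
                         {"label": inner, "exp": 0, "ttl": 64}], ip_packet)

def p_router(packet, switch_table):
    """swap or php on the top label only; the inner label is never inspected."""
    stack, payload = decode_stack(packet)
    top = stack[0]
    if top["label"] not in switch_table or top["ttl"] <= 1:
        return None                              # unknown label or TTL expired: drop
    out = switch_table[top["label"]]
    if out == IMPLICIT_NULL:
        stack = stack[1:]                        # php: remove the outer label
    else:
        stack[0] = dict(top, label=out, ttl=top["ttl"] - 1)   # swap
    return encode_stack(stack, payload)

def egress_pe(packet, vpn_by_inner_label):
    """pop: the inner label alone selects the VPN context; anything else is dropped."""
    stack, payload = decode_stack(packet)
    if len(stack) != 1 or stack[0]["label"] not in vpn_by_inner_label:
        return None
    return vpn_by_inner_label[stack[0]["label"]], payload

SAMPLE_IP = b"IP S:40.1.1.1 D:40.1.2.1"   # constructed stand-in, not a real IPv4 header

def walk(ip_packet=SAMPLE_IP):
    """Ingress PE -> P1 (swap 300->400) -> P2 (php) -> egress PE; tables are assumed."""
    trace = []
    pkt = ingress_pe(ip_packet, inner=888, outer=300)
    for table in ({300: 400}, {400: IMPLICIT_NULL}):
        trace.append([e["label"] for e in decode_stack(pkt)[0]])
        pkt = p_router(pkt, table)
    trace.append([e["label"] for e in decode_stack(pkt)[0]])
    return trace, egress_pe(pkt, {888: "VPN-1"})

if __name__ == "__main__":
    print(walk())
```

The inner label is the only thing that ties a packet to a VPN at the egress PE, which is why egress_pe drops a packet whose remaining label no context owns.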

Put things in place within the SmartEdge
1. RD will make VPN address prefixes unique
2. RT will act as import/export filter for VPN routes
3. VPNs sharing the same RT will share their prefix information

Special Extension BGP will carry:
1. RD/RT
2. Inner Label
3. Own loopback as next hop for route

1. Outer label will be attached/removed at the “port level”
•Outer label -> LDP/RSVP
2. Inner label will be attached/removed inside the system
•Inner label -> IBGP
[Diagram: contexts local and vpn1 (vpn-rd 500:1) joined by BGP VPN with Import / Export RT; Port 1/1 and LSP; control plane with IGP, BGP, MPLS and LDP]

End to end signaling described
1) CE-1 advertises its routes to the VPN-1 Context
2) VPN-1 Context creates local route for CE-1 address prefixes
3) PE-1 (Context local) advertises the routes to PE-2 using IBGP plus:
•Selecting the Inner MPLS label
•Including its loopback as BGP next hop for the route(s)
•VPN-IPv4 address family RD tag
•VPN-IPv4 address family RT tag
4) PE-2 (Context local) receives the advertisements from PE-1
5) Determines if it should install the routes for Context VPN-1 using:
•VPN-IPv4 address family RD tag
•VPN-IPv4 address family RT tag
6) If match found; route is advertised to CE-2
[Diagram: CE-1, context VPN-1 and context local in PE-1, link to PE-2; CE-2, context VPN-1 and context local in PE-2, link to PE-1]
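
The RD and RT handling from the two slides above, as an added example that is not part of the original course material. It shows two customers using the same prefix staying distinct through the RD, the import decision of step 5, and an audit that flags a context importing another customer's RT. VPN1's values (RD and RT 100:10, prefix 10.1.1.0/30, inner label 888, loopback 100.1.1.1) appear elsewhere in this deck; VPN2, its label 889, the 40.1.1.0/24 prefix and the customer tag are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    pe: str
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    customer: str                 # hypothetical owner tag, used only by audit()

    @property
    def ident(self):
        return f"{self.pe}/{self.name}"

@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: frozenset
    inner_label: int
    next_hop: str                 # advertising PE's loopback

def advertise(ctx, prefixes, inner_label, loopback):
    """Step 3: tag each prefix with RD, export RTs, inner label and next hop."""
    return [VpnRoute(ctx.rd, p, ctx.export_rt, inner_label, loopback) for p in prefixes]

def bgp_table(routes):
    """Routes are keyed on RD:prefix, so equal customer prefixes do not collide."""
    return {f"{r.rd}:{r.prefix}": r for r in routes}

def install(ctx, table):
    """Step 5: install only routes carrying at least one RT the context imports."""
    return {r.prefix: (r.inner_label, r.next_hop)
            for r in table.values() if r.rts & ctx.import_rt}

def audit(contexts):
    """Flag every RT exported by one customer and imported by another."""
    return sorted((e.ident, i.ident, rt)
                  for e in contexts for i in contexts
                  if e.customer != i.customer
                  for rt in e.export_rt & i.import_rt)

def scenario(vpn2_pe2_import=("100:20",)):
    rt = lambda *values: frozenset(values)
    a1 = Context("PE-1", "VPN1", "100:10", rt("100:10"), rt("100:10"), "customer-A")
    b1 = Context("PE-1", "VPN2", "100:20", rt("100:20"), rt("100:20"), "customer-B")
    a2 = Context("PE-2", "VPN1", "100:10", rt("100:10"), rt("100:10"), "customer-A")
    b2 = Context("PE-2", "VPN2", "100:20", rt("100:20"), rt(*vpn2_pe2_import), "customer-B")
    # Both customers use 10.1.1.0/30; customer A also has a LAN of its own.
    table = bgp_table(advertise(a1, ["10.1.1.0/30", "40.1.1.0/24"], 888, "100.1.1.1")
                      + advertise(b1, ["10.1.1.0/30"], 889, "100.1.1.1"))
    return table, install(a2, table), install(b2, table), audit([a1, b1, a2, b2])

if __name__ == "__main__":
    for title, imports in (("as designed", ("100:20",)),
                           ("VPN2 on PE-2 also imports 100:10", ("100:20", "100:10"))):
        table, vpn1, vpn2, findings = scenario(imports)
        print(title, "| VPN2 routes:", sorted(vpn2), "| findings:", findings)
```

A single extra import RT is enough to place customer A's 40.1.1.0/24 in customer B's routing table, so RT assignments deserve the same review as any other access control list.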

Exchanging packets between CE-1 and CE-2
[Diagram: CE-1, context VPN-1 and context local in PE-1, link to PE-2; CE-2, context VPN-1 and context local in PE-2, link to PE-1]
1) Establishment of LSP (label switch path) between the PE-1 and PE-2
2) Use LDP or RSVP as label mechanism (or static ☺)
3) A packet arrives from CE-2
4) Route lookup on VPN-1 is performed
5) Advertised Inner label is found (from PE-1)
6) Advertised BGP next hop is found (From PE-1)
7) Outgoing interface for LSP is determined
8) The initial outgoing label is determined (using LDP or RSVP)
9) Packet is ready for transport
10) Before arrival at PE-1 PHP is performed. Removing the outer label
11) Within PE-1 the inner label connects the packet to VPN-1
12) Inner label is removed from packet.
13) Native IPv4 packet is within VPN-1

MPLS L3 VPN lab topology

Introduction class exercise
You will have an exciting time configuring and verifying the SmartEdge as an MPLS PE router
Your SmartEdge PE router will connect to an MPLS backbone network (P Routers) as well as a remote PE router
This will provide functions such as push, swap, pop and php to be verified
Each SmartEdge PE router will connect to the MPLS backbone using unique VLANs
To emulate Customer Equipment (CE) routers we will use a cable loopback on each SmartEdge
–Normally this would be an external router at customer premises

MPLS L3 VPN lab topology
[Diagram: Student’s SmartEdges Train-1 ... Train-5, each with a local context, a VPN context and a CE, connected to the existing MPLS network of P1 router, P2 router and PE router (the PE router with its own local context, VPN and CE). Loopbacks shown: 100.1.1.11, 100.1.1.12 and 100.1.1.10]

SmartEdge port mapping & connectivity
[Diagram: Train-1 with contexts local, VPN1 and CE1; ports Eth 1/1, Eth 5/1 and Eth 5/2; link to the P-routers; back to back cable]

Configuration flow diagram
MPLS L3 VPN

Configuration flow diagram
In the following slides we will explain the recommended configuration flow for MPLS
The reference flow diagram follows the student hands-on exercises as much as possible
The reference flow diagram does not include port / circuit configuration
–This is to simplify the flow diagram
–This is to decouple layer 2 from layer 3 configuration
–This allows customers to use any type of layer 2 infrastructure with this recommended configuration flow
Summary:
–The flow diagram addresses layer three (3) only

Configure MPLS transport / backbone
1. Connection to IP backbone
2. Loopback for routing instances
3. Context wide router-id reference
4. OSPF routing instance for infrastructure
5. MPLS instance
6. LDP instance
7. I-BGP routing instance
[Flow diagram: Student’s SmartEdge, context Local, MPLS Transport/Backbone. Configuration per step:]
Step 1:
context local
interface backbone
ip address 1.1.1.1/30
Step 2:
interface PE-loop loopback
ip address 100.1.1.1/24
Step 3:
router-id 100.1.1.1
Step 4, Next Hop discovery (by means of IGP routing):
router ospf <instance>
area 0.0.0.0
interface PE-loop
interface backbone
Step 5, Forwarding plane (MPLS LSP):
router MPLS
interface PE-loop
interface backbone
Step 6, Signaling plane (LDP):
router LDP
interface PE-loop
interface backbone
Step 7, L3 Routing (I-BGP):
router BGP <ASN>
address-family ipv4 unicast
neighbor 100.1.1.10 internal
update source PE-loop
address-family ipv4 unicast
address-family ipv4 vpn

Configure VPN context
1. VPN Context & Connection to CE router
2. Loopback for routing instances
3. Context wide router-id reference
4. BGP VPN instance
5. RT export / import
6. Redistribute CE network into VPN
[Flow diagram: Student’s SmartEdge, MPLS L3 VPN; context Local and context VPN1 (vpn-rd 100:10) with interface vpn1-CE towards the CE. Configuration per step:]
Step 1:
context VPN1 vpn-rd 100:10
interface vpn1-CE
ip address 10.1.1.1/30
Step 2:
interface loopback loopback
ip address 2.2.2.1/32
Step 3:
router-id 2.2.2.1
Step 4:
router bgp vpn
address-family ipv4 unicast
Step 5:
export route-target 100:10
import route-target 100:10
Step 6:
redistribute connected

Configure IP backbone connectivity

Flow diagram IP backbone
1. Connection to IP backbone
[Flow diagram: Student’s SmartEdge, context Local. Configuration per step:]
Step 1:
context local
interface backbone
ip address 1.1.1.1/30

Configuration IP backbone connection
[Diagram: Train-1 (PE), P1 router, P2 router and PE router, each with a local context; the PEs also carry VPN 1 and VPN 2 with CE 1 and CE 2. Train-1 to P1 link: 1.1.1.0/30 (.1, .2), VLAN 11]
PE Configuration (step 1)
context local
interface backbone
ip address [1-5].1.1.1/30
port eth 1/1
no shut
encapsulation dot1q
dot1q pvc [11-15]
bind interface backbone local
Train-x to P1 circuit & address mapping
PE        Backbone address   Next-hop      VLAN Circuit
Train-1   1.1.1.1/30         1.1.1.2/30    11
Train-2   2.1.1.1/30         2.1.1.2/30    12
Train-3   3.1.1.1/30         3.1.1.2/30    13
Train-4   4.1.1.1/30         4.1.1.2/30    14
Train-5   5.1.1.1/30         5.1.1.2/30    15

Configure OSPF backbone infrastructure

Flow diagram OSPF backbone infrastructure
1. Connection to IP backbone
2. Loopback for routing instances
3. Context wide router-id reference
4. IGP routing instance for infrastructure
[Flow diagram: Student’s SmartEdge, context Local. Configuration per step:]
Step 1:
context local
interface backbone
ip address 1.1.1.1/30
Step 2:
interface PE-loop loopback
ip address 100.1.1.1/24
Step 3:
router-id 100.1.1.1
Step 4, Next Hop discovery (by means of IGP routing):
router ospf <instance>
area 0.0.0.0
interface PE-loop
interface backbone

Configuration OSPF backbone connectivity
[Diagram: Train-1 (PE), P1 router, P2 router and PE router, each with a local context; the PEs also carry VPN 1 and VPN 2 with CE 1 and CE 2. Train-1 to P1 link: 1.1.1.0/30 (.1, .2), VLAN 11]
Router IDs in OSPF network
Router      Router ID
PE          100.1.1.10
P1 Router   100.1.1.11
P2 Router   100.1.1.12
OSPF configuration
context local
Step 2:
interface PE-loop loopback
ip address 100.1.1.[1-5]/32
Step 3:
router-id 100.1.1.[1-5]
Step 4:
router ospf 1
area 0.0.0.0
interface PE-loop
interface backbone
We configured context wide router-id. It will be applied to every router instance configured. It will assure consistent router-id across OSPF, BGP, LDP and MPLS

Verification IP connectivity

Verification of IP connectivity (1-2)
You should be able to ping P1, P2 and egress PE
You can verify routing on the other end by using source IP option.
[local]Redback#ping 100.1.1.10 source 100.1.1.1
PING 100.1.1.10 (100.1.1.10): source 100.1.1.1, 36 data bytes,
timeout is 1 second
!!!!!
----100.1.1.10 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.623/1.992/2.638/0.382 ms
[local]Redback#ping 100.1.1.11 source 100.1.1.1
PING 100.1.1.11 (100.1.1.11): source 100.1.1.1, 36 data bytes,
timeout is 1 second
!!!!!
----100.1.1.11 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.732/2.274/3.099/0.561 ms
[local]Redback#ping 100.1.1.12 source 100.1.1.1
PING 100.1.1.12 (100.1.1.12): source 100.1.1.1, 36 data bytes,
timeout is 1 second
!!!!!
----100.1.1.12 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.692/2.110/3.196/0.614 ms

Verification of IP connectivity (2-2)
Let’s check the path to the egress PE
[local]Redback#traceroute 100.1.1.10
se_traceroute to 100.1.1.10 (100.1.1.10), 30 hops max, 40 byte packets
1 1.1.1.2 (1.1.1.2) 3.445 ms 3.155 ms 2.573 ms
2 10.1.2.2 (10.1.2.2) 2.516 ms 3.040 ms 2.742 ms
3 100.1.1.10 (100.1.1.10) 3.558 ms 4.182 ms 4.128 ms
[local]Redback#
Hops: 1 = P1 router, 2 = P2 router, 3 = Egress PE

Suppose ping did not work (1-3)
Check if interfaces are up
[local]Redback#show ip interface brief
Wed Jun 27 12:29:17 2007
Name      Address        MTU   State  Bindings
PE-loop   100.1.1.1/32   1500  Up     (Loopback)
backbone  1.1.1.1/30     1500  Up     dot1q 1/1 vlan-id 11
mgmt      10.1.1.106/24  1500  Up     ethernet 7/1
[local]Redback#

Suppose ping did not work (2-3)
Check if routing is correct
[local]Redback#show ip route
Type Network Next Hop Dist Metric UpTime Interface
> O 1.1.1.0/30 5.1.1.2 110 2 00:02:45 backbone
> O 2.1.1.0/30 5.1.1.2 110 2 00:02:45 backbone
> O 3.1.1.0/30 5.1.1.2 110 2 00:02:45 backbone
> O 4.1.1.0/30 5.1.1.2 110 2 00:02:45 backbone
> C 5.1.1.0/30 0 0 00:03:01 backbone
> C 10.1.1.0/24 0 0 01:09:12 mgmt
> O 10.1.2.0/30 5.1.1.2 110 2 00:02:45 backbone
> O 10.1.2.4/30 5.1.1.2 110 3 00:02:45 backbone
> O 10.1.2.8/30 5.1.1.2 110 101 00:02:45 backbone
> O 100.1.1.1/32 5.1.1.2 110 3 00:02:45 backbone
> O 100.1.1.2/32 5.1.1.2 110 3 00:02:45 backbone
> O 100.1.1.3/32 5.1.1.2 110 3 00:02:45 backbone
> O 100.1.1.4/32 5.1.1.2 110 3 00:02:45 backbone
> C 100.1.1.5/32 0 0 00:03:10 PE-loop
> O 100.1.1.10/32 5.1.1.2 110 4 00:02:45 backbone
> O 100.1.1.11/32 5.1.1.2 110 2 00:02:45 backbone
> O 100.1.1.12/32 5.1.1.2 110 3 00:02:45 backbone
[local]Redback#

Suppose ping did not work (3-3)
Check OSPF neighbor
[local]Redback#show ospf neighbor
---OSPF Neighbors for Instance 1/Router ID 100.1.1.5 ---
NeighborID  NeighborAddress  Pri  State    DR-State  IntfAddress  TimeLeft
100.1.1.11  5.1.1.2          1    ExStart  DR        5.1.1.1      38
Initializing neighbor
[local]Redback#show ospf neighbor
---OSPF Neighbors for Instance 1/Router ID 100.1.1.5 ---
NeighborID  NeighborAddress  Pri  State    DR-State  IntfAddress  TimeLeft
100.1.1.11  5.1.1.2          1    Full     DR        5.1.1.1      32
Neighbor ready
[local]Redback#

Summary verification
[local]Redback# show bind
–To verify port/circuit is bound to appropriate interface within context
[local]Redback# ping <address>
–To verify routing
[local]Redback# traceroute <address>
–To verify routing
[local]Redback# show ospf database
–To verify neighbor adjacency is established
[local]Redback# show ip route
–To verify route table

Configure MPLS and LDP (outer label)

Flow diagram MPLS and LDP (outer label)
1. Connection to IP backbone
2. Loopback for routing instances
3. Context wide router-id reference
4. OSPF routing instance for infrastructure
5. MPLS instance
6. LDP instance
[Flow diagram: Student’s SmartEdge, context Local, MPLS Transport/Backbone. Configuration per step:]
Step 1:
context local
interface backbone
ip address 1.1.1.1/30
Step 2:
interface PE-loop loopback
ip address 100.1.1.1/24
Step 3:
router-id 100.1.1.1
Step 4, Next Hop discovery (by means of IGP routing):
router ospf <instance>
area 0.0.0.0
interface PE-loop
interface backbone
Step 5, Forwarding plane (MPLS LSP):
router MPLS
interface PE-loop
interface backbone
Step 6, Signaling plane (LDP):
router LDP
interface PE-loop
interface backbone

Configuration LSP Setup (Outer Label)
[Diagram: Train-1 (PE), P1 router, P2 router and PE router, each with a local context; the PEs also carry VPN 1 and VPN 2 with CE 1 and CE 2. Train-1 to P1 link: 1.1.1.0/30 (.1, .2), VLAN 11]
MPLS & LDP Configuration
context local
router mpls
no propagate ttl ip-to-mpls
no propagate ttl mpls-to-ip
interface PE-loop
interface Backbone
router ldp
interface Backbone
interface PE-loop
The no propagate ttl settings are needed for some further exercises. Don’t worry about them now, we will come back to it later

Verification MPLS and LDP
Outer label

LSP Verification
[local]Train-1#ping mpls ldp 100.1.1.10/32 1 debug
Got a ping query type 1 context 0x40080001 timeout 1 count 1
Ping will be sent for LDP IPV4 FEC 100.1.1.10/32
cct 255/255:1023:63/0/0/0, adj id 0x230001f, top label 0x8000a
Adjacency ID: 0x230001f Flags: 0x1 Exp/TTL: 0xcff
Sending 1 100-byte MPLS echos to LDP 100.1.1.10/32, source 100.1.1.1,
timeout is 1 second, send interval is 0 msec:
Sending ping 1 at sec: 20142 usec: 131964 len 68
Received MPLS ping REPLY from 10.1.2.6, len 32
Processing LSP response, error code 0 subcode 0
!Received ping 1 sent sec: 20142 usec: 131964 at sec: 20142 usec: 137040
---- MPLS PING Statistics----
1 packets transmitted, 1 packets received no error, 0.0% packet loss/error
round-trip min/avg/max/stddev = 5.076/5.076/5.076/0.000 ms
[local]Train-1# show mpls lsp
Codes : S - MPLS-Static, R - RSVP, L - LDP, B - BGP
Type Endpoint Direct Next-hop Out Label Adjacency Id
L 2.1.1.0/30 1.1.1.2 3 0x2300011
L 3.1.1.0/30 1.1.1.2 3 0x2300013
L 4.1.1.0/30 1.1.1.2 3 0x2300015
L 5.1.1.0/30 1.1.1.2 3 0x2300017
L 10.1.2.0/30 1.1.1.2 3 0x2300019
L 10.1.2.4/30 1.1.1.2 524297 0x230001b
L 10.1.2.8/30 1.1.1.2 3 0x230001d
L 100.1.1.10/32 1.1.1.2 524298 0x230001f
L 100.1.1.11/32 1.1.1.2 3 0x2300021
L 100.1.1.12/32 1.1.1.2 524299 0x2300023
524298 (decimal) = 0x8000a (hex)

Suppose MPLS ping did not work
Let’s see if there are any LSPs created
[local]Redback#show mpls lsp
Codes : S -MPLS-Static, R -RSVP, L -LDP, B -BGP
Type Endpoint Direct Next-hop Out Label Adjacency Id
L 1.1.1.0/30 5.1.1.2 3 0x300011
L 2.1.1.0/30 5.1.1.2 3 0x300013
L 3.1.1.0/30 5.1.1.2 3 0x300015
L 4.1.1.0/30 5.1.1.2 3 0x300017
L 10.1.2.0/30 5.1.1.2 3 0x300019
L 10.1.2.4/30 5.1.1.2 524297 0x30001b
L 10.1.2.8/30 5.1.1.2 3 0x30001d
L 100.1.1.1/32 5.1.1.2 524300 0x30001f
L 100.1.1.2/32 5.1.1.2 524301 0x300021
L 100.1.1.3/32 5.1.1.2 524302 0x300023
L 100.1.1.4/32 5.1.1.2 524303 0x300025
L 100.1.1.10/32 5.1.1.2 524298 0x300027
L 100.1.1.11/32 5.1.1.2 3 0x300029
L 100.1.1.12/32 5.1.1.2 524299 0x30002b
Note: Check if there is an LSP for 100.1.1.10. We will investigate this output in detail later.

Suppose there are no LSPs (1-2)
Is MPLS enabled and up?
[local]Redback#show mpls interface
---All MPLS Interfaces ---
Inst  Address/Mask   Name      Enabled  State  Bound to
1     100.1.1.1/32   PE-loop   Yes      Up     Loopback
1     1.1.1.1/30     backbone  Yes      Up     1/1 vlan-id 11
[local]Redback#
Is LDP enabled and up?
[local]Redback#show ldp interface
Flag:
B -Bound, U -Up, D -Deleted, S -Stale, E -Hold expired
T -Bind Stale L -Loopback
Interface  Local Addr     Flag  RemoteLSRId   HoldExpr
PE-loop    100.1.1.1/32   BUL
backbone   1.1.1.1/30     BU    100.1.1.11:0  12

Suppose there are no LSPs (2-2)
Is there an operational LDP neighbor?
[local]Redback#show ldp neighbor
PeerFlags: A -LocalActiveOpen, D -Deleted, R -Reseting, E -OpenExtraDelay
N -OpenNoDelay, P -SetMD5Passwd, T -RetainRoute, F -FlushState
X -ExplicitNullEnabled, C -ExplicitNullStatusChanging
G -Graceful Restart Supported, L -Session Life Extended
SHld -Session Holdtime Left, HHld -Hello Holdtime Left
NeighborAddr  LDP Identifier  State  Flag  SHld  HHld  Interface
100.1.1.11    100.1.1.11:0    Oper   G     63    12    backbone

Suppose there is no LSP for 100.1.1.10
LDP is responsible for FEC distribution across the network
We can check which FECs LDP has learned
[local]Redback#show ldp binding
> active binding, Local/In -local/input label binding
From -source of remote label, Remote/Out -remote/output label binding
Prefix/FEC Learned-From Local/In Remote/Out Interface
> 10.1.2.0/30 100.1.1.11:0 524295 3 backbone
> 10.1.2.4/30 100.1.1.11:0 524296 524297 backbone
> 10.1.2.8/30 100.1.1.11:0 524297 3 backbone
> 100.1.1.1/32 100.1.1.11:0 524298 524300 backbone
> 100.1.1.2/32 100.1.1.11:0 524299 524301 backbone
> 100.1.1.3/32 100.1.1.11:0 524300 524302 backbone
> 100.1.1.4/32 100.1.1.11:0 524301 524303 backbone
> 100.1.1.5/32 local 3
100.1.1.11:0 524304
> 100.1.1.10/32 100.1.1.11:0 524302 524298 backbone
> 100.1.1.11/32 100.1.1.11:0 524303 3 backbone
> 100.1.1.12/32 100.1.1.11:0 524304 524299 backbone
Summary verification
[local]Redback# ping mpls ldp 100.1.1.10/32
– Perform MPLS LDP ping
[local]Redback# show mpls lsp
– To verify LSP
[local]Redback# show mpls interface
– To verify interface
[local]Redback# show ldp interface
– To verify interface
[local]Redback# show ldp neighbor
– To verify neighbor
[local]Redback# show ldp binding
– Verify FEC to label binding
Configure L3 VPN (inner label)
Flow diagram L3 VPN (I-BGP / inner label)
1. Connection to IP backbone
2. Loopback for routing instances
3. Context wide router-id reference
4. OSPF routing instance for infrastructure
5. MPLS instance
6. LDP instance
7. I-BGP routing instance
Student’s SmartEdge, context local (MPLS Transport/Backbone):
(1) context local
     interface backbone
      ip address 1.1.1.1/30
(2)  interface PE-loop loopback
      ip address 100.1.1.1/24
(3)  router-id 100.1.1.1
(4) Next Hop discovery (by means of IGP routing)
     router ospf <instance>
      area 0.0.0.0
       interface PE-loop
       interface backbone
(5) Forwarding plane (MPLS LSP)
     router MPLS
      interface PE-loop
      interface backbone
(6) Signaling plane (LDP)
     router LDP
      interface PE-loop
      interface backbone
(7) L3 Routing (I-BGP)
     router BGP <ASN>
      address-family ipv4 unicast
      neighbor 100.1.1.10 internal
       update source PE-loop
       address-family ipv4 unicast
       address-family ipv4 vpn
iBGP setup for inner label distribution
[Diagram: Train-1 (PE), P1 router, P2 router, PE router; contexts local, VPN 1, VPN 2, CE 1, CE 2; link 1.1.1.0/30 (.1, .2), VLAN 11]
i-BGP Configuration Student (step 7)
context local
 router bgp 100
  address-family ipv4 vpn
  neighbor 100.1.1.10 internal
   update-source PE-loop
   address-family ipv4 vpn
I-BGP configuration PE Router
context local
 router bgp 100
  address-family ipv4 vpn
  neighbor 100.1.1.1 internal
   update-source PE-loop
   address-family ipv4 vpn
The PE router in the MPLS network supports neighbors for 100.1.1.x,
where x = 1-5
Verification L3 VPN (inner label)
BGP verification
BGP session not established
[local]Redback#show bgp neighbor summary
BGP router identifier: 100.1.1.5, local AS number: 100
Neighbors Configured: 1, Established: 0
Neighbor AS MsgRcvd MsgSent InQ OutQ Rst Up/Down State
100.1.1.10 100 0 0 0 0 1 00:00:08 Idle
CapSent : refresh 4byteAS unicast vpn restart
BGP session established but no routes
exchanged yet (there are no VPN contexts)
[local]Redback#show bgp neighbor summary
BGP router identifier: 100.1.1.5, local AS number: 100
Neighbors Configured: 1, Established: 1
Neighbor AS MsgRcvd MsgSent InQ OutQ Rst Up/Down State
100.1.1.10 100 24 4 0 0 1 00:00:02 Established
CapSent : refresh 4byteAS unicast vpn restart
CapRcvd : refresh 4byteAS restart unicast vpn
unicast : rcvd: 0 imported: 0 active: 0 history: 0 dampened: 0 sent: 0
vpn : rcvd: 0 imported: 0 active: 0 history: 0 dampened: 0 sent: 0
Status quo
Summary of steps so far
You have completed all the configuration required to get MPLS and
L3 VPN established
This is really a one-time configuration you would perform
within context local
Future extension of PE neighbors would require new BGP
neighbor establishment (step 7) and nothing more
Customer connections will not be bound into context local
For customers, special contexts need to be created which
specify the Route Distinguisher (RD) within the SmartEdge
This is the last part of configuration required to complete MPLS
L3 VPN configuration
Configure VPN context
1. VPN Context & Connection to CE router
2. Loopback for routing instances
3. Context wide router-id reference
4. BGP VPN instance
5. RT export / import
6. Redistribute CE network into VPN
Student’s SmartEdge (MPLS L3 VPN), context VPN1, vpn-rd 100:10:
(1) context VPN1 vpn-rd 100:10
     interface vpn1-CE
      ip address 10.1.1.1/30
(2)  interface loopback loopback
      ip address 2.2.2.1/32
(3)  router-id 2.2.2.1
(4)  router bgp vpn
      address-family ipv4 unicast
(5)    export route-target 100:10
       import route-target 100:10
(6)    redistribute connected
VPN Route Distribution
[Diagram: Train-1 (PE), P1 router, P2 router, PE router; contexts local, VPN 1, VPN 2, CE 1, CE 2; link 1.1.1.0/30 (.1, .2), VLAN 11]
VPN Configuration student
(1) context VPN1 vpn-rd 100:vpn_ID
     interface vpn1-CE
      ip address 10.1.1.1/30
(2)  interface loopback loopback
      ip address 2.2.2.1/32
(3)  router-id 2.2.2.1
(4)  router bgp vpn
      address-family ipv4 unicast
       export route-target 100:vpn_ID
       import route-target 100:vpn_ID
(5)    redistribute connected
VPN configuration PE Router
context SE1-VPN1 vpn-rd 100:vpn_ID
 interface loopback loopback
  ip address 2.2.2.2/32
 router bgp vpn
  address-family ipv4 unicast
   export route-target 100:vpn_ID
   import route-target 100:vpn_ID
   redistribute connected
Train-x to vpn_ID mapping
PE vpn_ID
Train-1 10
Train-2 20
Train-3 30
Train-4 40
Train-5 50
Verification VPN context
Verification of VPN connectivity
We can check connectivity to remote PE router / VPN
context using its loopback address 2.2.2.2
[local]Redback#context VPN1
[VPN1]Redback#ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2): source 2.2.2.1, 36 data bytes,
timeout is 1 second
!!!!!
----2.2.2.2 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev= 1.792/2.325/2.842/0.496 ms
Note: 2.2.2.1 has been used as source IP.
A successful ping verifies correct routing on the
remote PE VPN context.
Suppose ping did not work
Let’s check routing table in context VPN1
[VPN1]Redback#show ip route
Codes: C -connected, S -static, S dv-dvsr, R -RIP, e B -EBGP, i B -IBGP
O -OSPF, O3 -OSPFv3, IA -OSPF(v3) inter-area,
N1 -OSPF(v3) NSSA external type 1, N2 -OSPF(v3) NSSA external type 2
E1 -OSPF(v3) external type 1, E2 -OSPF(v3) external type 2
i -IS-IS, L1 -IS-IS level-1, L2 -IS-IS level-2, N -NAT
IPH -IP Host, SUB A -Subscriber address, SUB S -Subscriber static
A -Derived Default
> -Active Route, * -LSP
Type Network Next Hop Dist Metric UpTime Interface
> C 2.2.2.1/32 0 0 15:48:44 loopback
> i B 2.2.2.2/32 100.1.1.10 200 0 15:47:49
> C 10.1.1.0/30 0 0 15:48:44 vpn1-CE
> i B 10.1.1.4/30 100.1.1.10 200 0 15:47:49
> S 40.1.1.0/24 10.1.1.2 1 0 15:48:43 vpn1-CE
> i B 40.1.2.0/24 100.1.1.10 200 0 15:47:49
[VPN1]Redback#
There is no prefix 2.2.2.2/32 in VPN1 routing table
2.2.2.2/32 should be distributed through iBGP
We need to verify BGP routing table in context local
[local]Redback#show bgp route
Address Family: ipv4 unicast
BGP table version is 0, local router ID is 100.1.1.1
Status codes: d damped, h history, > best, i internal
Origin codes: i -IGP, e -EGP, ? -incomplete
[local]Redback#
Why is the BGP table empty?
We checked the wrong table (unicast instead of vpn).
BGP keeps separate tables for different address
families.
BGP route table related to VPN
[local]Redback#show bgp route ipv4 vpn
Address Family: ipv4 vpn
BGP table version is 201, local router ID is 100.1.1.5
Status codes: d damped, h history, > best, i internal
Origin codes: i -IGP, e -EGP, ? -incomplete
VPN RD: 100:50
Network Next Hop Metric LocPrf Weight Path
> 2.2.2.1/32 0.0.0.0 0 100 32768 ?
>i 2.2.2.2/32 100.1.1.10 0 100 100 ?
>i 10.1.1.4/30 100.1.1.10 0 100 100 ?
>i 40.1.2.0/24 100.1.1.10 0 100 100 ?
[local]Redback#
Prefixes announced by remote MPLS PE
Checking the path for VPN packets (1-2)
Let’s try traceroute for egress VPN
[local]Redback#context VPN1
[VPN1]Redback#traceroute 2.2.2.2
se_traceroute to 2.2.2.2 (2.2.2.2), 30 hops max, 40 byte packets
1 2.2.2.2 (2.2.2.2) 4.633 ms 4.029 ms 3.571 ms
[VPN1]Redback#
Why is there only one hop? What has happened with
P1 and P2 routers?
Checking the path for VPN packets (2-2)
The IP packet sent by traceroute is encapsulated into an MPLS
packet on the PE router.
P1 and P2 routers don’t check the IP header
They only look into the MPLS header
We can prove it by sending an IP packet with TTL=1.
– Time To Live = 1 means that the given packet must not be forwarded
by the IP router receiving it
[local]Redback#context VPN1
[VPN1]Redback#ping 2.2.2.2 ttl 1
PING 2.2.2.2 (2.2.2.2): source 2.2.2.1, 36 data bytes,
timeout is 1 second
!!!!!
----2.2.2.2 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev= 1.802/2.316/2.789/0.478 ms
[VPN1]Redback#
Summary verification
[local]Redback# ping <address> ttl 1
– To verify connectivity to remote end address within VPN
context
[local]Redback# show ip route
– To verify i-bgp routes / prefixes reachable via remote VPN
context
[local]Redback# show bgp route
– To verify routes as delivered by i-bgp (empty table)
[local]Redback# show bgp route ipv4 vpn
– To verify routes as delivered through vpn (populated table)
Configure CE Router connection
PE to CE IP connectivity
[Diagram: Train-1; contexts local, VPN, CE]
VPN1 IP Configuration
context VPN1 vpn-rd 100:vpn_ID
 interface vpn1-CE
  ip address 10.1.1.1/30
port ethernet 5/1
 no shut
 encapsulation dot1q
 dot1q pvc 20
  bind interface vpn1-CE VPN1
CE1 IP Configuration
context CE1
 interface backbone
  ip address 10.1.1.2/30
port ethernet 5/2
 no shut
 encapsulation dot1q
 dot1q pvc 20
  bind interface backbone CE1
IP addresses on both sides of VPN
[Diagram: Train-1 (PE), Backbone P Routers, PE router; contexts local, VPN 1, VPN 2, CE 1, CE 2]
student PE addresses:
context VPN1
interface IP address
loopback 2.2.2.1/32
vpn1-CE 10.1.1.1/30
context CE1
interface IP address
backbone 10.1.1.2/30
egress PE addresses:
context VPN1
interface IP address
loopback 2.2.2.2/32
vpn1-CE 10.1.1.5/30
context CE1
interface IP address
backbone 10.1.1.6/30
Verification of CE Router connection
Verifying CE connection (1-2)
Let’s check if CE1 can reach VPN1 loopback
[CE1]Redback#ping 2.2.2.1
PING 2.2.2.1 (2.2.2.1): 36 data bytes,
timeout is 1 second
.....
----2.2.2.1 PING Statistics----
5 packets transmitted, 0 packets received, 100.0% packet loss
[CE1]Redback#
Is backbone interface up?
[CE1]Redback#show ip interface brief
Wed Jun 27 14:35:21 2007
Name Address MTU State Bindings
backbone 10.1.1.2/30 1500 Up dot1q 5/2 vlan-id 20
[CE1]Redback#
Verifying CE connection (2-2)
Is directly connected IP reachable?
[CE1]Redback#ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): source 10.1.1.2, 36 data bytes,
timeout is 1 second
!!!!!
----10.1.1.1 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev= 1.821/2.314/3.596/0.768 ms
Is the routing table OK?
[CE1]Redback#show ip route
Type Network Next Hop Dist Metric UpTime Interface
> C 10.1.1.0/30 0 0 16:52:36 backbone
[CE1]Redback#
There is no route for 2.2.2.1
– We will add a default route on the next slide
Emulation of customer LANs connected to CEs
[Diagram: LAN1 40.1.1.0/24, Train-1 (PE), Backbone P Routers, PE router, LAN2 40.1.2.0/24; contexts local, VPN 1, VPN 2, CE 1, CE 2]
CE1 Config (CE1 context):
context CE1
 interface CE-LAN
  ip address 40.1.1.1/24
 ip route 0.0.0.0/0 10.1.1.1
port ethernet 5/2
 dot1q pvc 30
  bind interface CE-LAN CE1
Interface CE-LAN would connect the
customer’s network (LAN1 40.1.1.0/24)
in real life.
There is no real network connected to
this interface in the lab.
Egress CE emulates LAN2 network –
40.1.2.0/24
Verifying connectivity between customer LAN
networks (1-3)
Let’s ping LAN interface on egress CE 40.1.2.1 from
customer’s ingress router (context CE1)
[CE1]Redback#ping 40.1.2.1
PING 40.1.2.1 (40.1.2.1): source 10.1.1.2, 36 data bytes,
timeout is 1 second
!!!!!
----40.1.2.1 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev= 1.775/2.367/2.893/0.543 ms
Let’s verify if egress CE can reach LAN connected to
ingress CE.
[CE1]Redback#ping 40.1.2.1 source 40.1.1.1
PING 40.1.2.1 (40.1.2.1): source 40.1.1.1, 36 data bytes,
timeout is 1 second
.....
----40.1.2.1 PING Statistics----
5 packets transmitted, 0 packets received, 100.0% packet loss
Verifying connectivity between customer LAN
networks (2-3)
Why is 40.1.1.1 not reachable from egress CE?
Let’s check VPN1’s routing table.
[VPN1]Redback#show ip route
Type Network Next Hop Dist Metric UpTime Interface
> C 2.2.2.1/32 0 0 17:49:23 loopback
> i B 2.2.2.2/32 100.1.1.10 200 0 17:48:28
> C 10.1.1.0/30 0 0 17:49:23 vpn1-CE
> i B 10.1.1.4/30 100.1.1.10 200 0 17:48:28
> i B 40.1.2.0/24 100.1.1.10 200 0 17:48:28
[VPN1]Redback#
VPN1 is not aware of the LAN network behind CE.
We need to add a static route.
– We also need to inform BGP about it.
Adding route to PE VPN context
[Diagram: LAN1 40.1.1.0/24, Train-1 (PE), Backbone P Routers, PE router, LAN2 40.1.2.0/24; contexts local, VPN 1, VPN 2, CE]
PE Config (VPN context):
context VPN1 vpn-rd 100:vpn_ID
 ip route 40.1.1.0/24 10.1.1.2
 router bgp vpn
  address-family ipv4 unicast
   export route-target 100:vpn_ID
   import route-target 100:vpn_ID
   redistribute connected
   redistribute static
Train-x to vpn_ID mapping
PE vpn_ID
Train-1 10
Train-2 20
Train-3 30
Train-4 40
Train-5 50
Verifying connectivity between customer LAN
networks (3-3)
Let’s try one more time
[CE1]Redback#ping 40.1.2.1 source 40.1.1.1
PING 40.1.2.1 (40.1.2.1): source 40.1.1.1, 36 data bytes,
timeout is 1 second
!!!!!
----40.1.2.1 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev= 1.751/2.359/2.919/0.539 ms
[CE1]Redback#
End to end packet flow walk
through verification
What are we going to do?
We will follow a ping packet from CE1 router at
customer premise A down to CE at location B.
Destination address of the packet is 40.1.2.1 and
source 40.1.1.1
We will check routers on the way and analyze their
actions.
Let’s start at CE1
[Diagram: site A (LAN1 40.1.1.0/24), Train-1 (PE), Backbone P Routers, PE router, site B (LAN2 40.1.2.0/24); contexts local, VPN 1, VPN 2, CE 1, CE 2; ping 40.1.2.1 source 40.1.1.1]
CE1 router (emulated by context CE1)
For CE1 the situation is very simple
It only knows a default route
It will send the IP packet over interface backbone
towards the ingress PE router
[CE1]Redback#ping 40.1.2.1 source 40.1.1.1
[CE1]Redback#show ip route
Gateway of last resort is 10.1.1.1 to network 0.0.0.0
Type Network Next Hop Dist Metric UpTime Interface
> S 0.0.0.0/0 10.1.1.1 1 0 3d17h backbone
> C 10.1.1.0/30 0 0 3d17h backbone
> C 40.1.1.0/24 0 0 3d17h CE-LAN
[Packet: IP D: 40.1.2.1 S: 40.1.1.1]
Ingress PE – context VPN1
40.1.2.0/24 is available through 100.1.1.10
Is 100.1.1.10 reachable from VPN1?
[VPN1]Redback#show ip route
Type Network Next Hop Dist Metric UpTime Interface
> C 2.2.2.1/32 0 0 3d17h loopback
> i B 2.2.2.2/32 100.1.1.10 200 0 22:42:08
> C 10.1.1.0/30 0 0 3d17h vpn1-CE
> i B 10.1.1.4/30 100.1.1.10 200 0 22:42:08
> S 40.1.1.0/24 10.1.1.2 1 0 3d17h vpn1-CE
> i B 40.1.2.0/24 100.1.1.10 200 0 22:42:08
[VPN1]Redback#ping 100.1.1.10
PING 100.1.1.10 (100.1.1.10): 36 data bytes,
timeout is 1 second
.....
----100.1.1.10 PING Statistics----
5 packets transmitted, 0 packets received, 100.0% packet loss
How to reach next hop from context VPN1
[VPN1]Redback#show ip route 40.1.2.0/24 detail
Best match Routing entry for 40.1.2.0/24 is 40.1.2.0/24 , version 24
Route Uptime 20:19:07
Paths: total 1, best path count 1
Path information :
Active path :
Known via bgp100, type-Internal BGP, distance 200, metric 0,
Tag 0, Next-hop 100.1.1.10, NH-ID 0x31B00002
Label 589826
Resolve NH-ID 0x31b00002 of context 2 on 0x31e0000a of context 1
NH-ID 0x31B00002 (100.1.1.10) is resolved on NH-ID 0x31E0000A
NH-ID 0x31E0000A (LSP) (AdjID: 0x300023) (1.1.1.2) is resolved on
Interface backbone
[VPN1]Redback#show context all
Context Name Context ID VPN-RD Description
------------------------------------------------------------------------------
local 0x40080001
VPN1 0x40080002 100:10
CE1 0x40080003
VPN2 0x40080004 100:11
CE2 0x40080005
[VPN1]Redback#
Labels in context VPN1
[VPN1]Redback#show ip route 40.1.2.0/24
Best match Routing entry for 40.1.2.0/24 is 40.1.2.0/24 , version 24
Route Uptime 20:19:07
Paths: total 1, best path count 1
Path information :
Active path :
Known via bgp100, type-Internal BGP, distance 200, metric 0,
Tag 0, Next-hop 100.1.1.10, NH-ID 0x31B00002
Label 589826
Why is there a label (589826) included in the route entry?
A hint for the answer can be found on the other side of the
backbone network.
Please connect to egress PE
– telnet 100.1.1.10 redback/redback
What interfaces are configured on egress PE
[local]PE#show ip interface brief all | begin SE1-CE1
Context :SE1-CE1
Context id : 0x4008000d
------------------------------------------------------------------
Tue Jun 26 10:15:30 2007
Name Address MTU State Bindings
LAN 40.1.2.1/24 1500 Up dot1q 2/1 vlan-id 41
Context :SE2-CE1
Context id : 0x4008000f
------------------------------------------------------------------
Tue Jun 26 10:15:30 2007
Name Address MTU State Bindings
LAN 40.1.2.1/24 1500 Up dot1q 2/1 vlan-id 42
Context :SE3-CE1
Context id : 0x40080010
------------------------------------------------------------------
Tue Jun 26 10:15:30 2007
Name Address MTU State Bindings
LAN 40.1.2.1/24 1500 Up dot1q 2/1 vlan-id 43
Context :SE4-CE1
Context id : 0x40080011
------------------------------------------------------------------
Tue Jun 26 10:15:30 2007
Name Address MTU State Bindings
LAN 40.1.2.1/24 1500 Up dot1q 2/1 vlan-id 44
Context :SE5-CE1
Context id : 0x40080012
------------------------------------------------------------------
Tue Jun 26 10:15:30 2007
Name Address MTU State Bindings
LAN 40.1.2.1/24 1500 Up dot1q 2/1 vlan-id 45
How does PE recognize correct context?
Egress PE has 5 contexts with the same IP address –
40.1.2.1
What would happen if it received an IP packet with
destination IP 40.1.2.1?
It wouldn’t forward it to 5 contexts at the same
time…
This is where MPLS and the ”inner label” come into play
SmartEdge assigns a unique label to each VPN
context in order to differentiate them.
Packets with the same destination IP are forwarded
to the correct VPN context based on the MPLS label.
Labels associated with each VPN context
[local]PE#show bgp route ipv4 vpn labels | grep options '-E' 'VPN|Net|40.1.2.0'
VPN RD: 100:10
Network Next Hop RcvLabel AllocLabel
40.1.2.0/24 10.1.1.6 nolabel 589826
VPN RD: 100:20
Network Next Hop RcvLabel AllocLabel
40.1.2.0/24 10.1.1.6 nolabel 589827
VPN RD: 100:30
Network Next Hop RcvLabel AllocLabel
40.1.2.0/24 10.1.1.6 nolabel 589828
VPN RD: 100:40
Network Next Hop RcvLabel AllocLabel
40.1.2.0/24 10.1.1.6 nolabel 589832
VPN RD: 100:50
Network Next Hop RcvLabel AllocLabel
40.1.2.0/24 10.1.1.6 nolabel 589833
[local]PE#
Label distribution
Labels assigned by each PE are locally significant
They need to be distributed to all PE routers
This is what iBGP is used for – label redistribution
Let’s compare outputs from both PEs
Labels associated with each VPN context
[local]PE#sh bgp route ipv4 vpn labels | grep opt '-E' 'VPN|Net|40.1.2.0'
VPN RD: 100:10
Network Next Hop RcvLabel AllocLabel
40.1.2.0/24 10.1.1.6 nolabel 589826
[VPN1]Redback#show ip route 40.1.2.0/24
Active path :
Known via bgp100, type-Internal BGP, distance 200, metric 0,
Tag 0, Next-hop 100.1.1.10, NH-ID 0x31B00002
Label 589826
[Packet: MPLS: 589826 | IP D: 40.1.2.1 S: 40.1.1.1]
Ingress PE learned via iBGP that it has to use label 589826 in
order to reach VPN RD 100:10 on egress PE
Context VPN1 will add the ”inner label” to the IP packet and move it to
context local, as the next hop is available from there
Ingress PE – context local
Context local is responsible for finding the MPLS LSP to
the next hop PE router – 100.1.1.10
It will use label 524298 as the ”outer label” and will send the
MPLS packet to P1 router (1.1.1.2)
[local]Redback#show mpls lsp | grep options '-E' '100.1.1.10|Type'
Type Endpoint Direct Next-hop Out Label Adjacency Id
L 100.1.1.10/32 1.1.1.2 524298 0x300023
[local]Redback#
[Packet: MPLS: 524298 | MPLS: 589826 | IP D: 40.1.2.1 S: 40.1.1.1]
P1 router
Please connect to P1 router
telnet 100.1.1.11 redback/redback
[Packet in: MPLS: 524298 | MPLS: 589826 | IP D: 40.1.2.1 S: 40.1.1.1]
P1 doesn’t know network 40.1.2.1/24
but it knows what to do with label 524298
[local]P1#show ip route | grep 40
[local]P1#
[local]P1#show mpls label-mapping | grep options '-E' 'Type|524298'
Type In Label Action Direct Next hop Out Label Adjacency Id
L 524298 swap 10.1.2.2 524299 0x1300011
[local]P1#
P1 will swap the incoming label with 524299 and
send the packet to P2 (10.1.2.2)
[Packet out: MPLS: 524299 | MPLS: 589826 | IP D: 40.1.2.1 S: 40.1.1.1]
P2 router
Please connect to P2 router
telnet 100.1.1.12 redback/redback
P2 doesn’t know network 40.1.2.1/24 either
but it knows what to do with label 524299
[local]P2#show ip route | grep 40
[local]P2#
[local]P2#show mpls label-mapping | grep options '-E' 'Type|524298'
Type In Label Action Direct Next hop Out Label Adjacency Id
L 524299 php 10.1.2.6 3 0x130001e
[local]P2#
P2 removes the outer label (to reduce MPLS related
work on PE) and sends the packet to egress PE
– This action is called Penultimate Hop Popping (PHP)
[Packet out: MPLS: 589826 | IP D: 40.1.2.1 S: 40.1.1.1]
Egress PE – context local
PE needs to find out the destination context first.
[Packet: MPLS: 589826 | IP D: 40.1.2.1 S: 40.1.1.1]
[local]PE#sh bgp route ipv4 vpn labels | grep opt '-E' 'VPN|Net|589826'
VPN RD: 100:10
Network Next Hop RcvLabel AllocLabel
40.1.2.0/24 10.1.1.6 nolabel 589826
VPN RD: 100:11
Network Next Hop RcvLabel AllocLabel
2.2.2.1/32 100.1.1.1 589826 nolabel
10.1.1.0/30 100.1.1.1 589826 nolabel
Label 589826 has been allocated to VPN RD 100:10
– Please note that another PE (100.1.1.1) uses the same label
for VPN RD 100:11.
– There is no conflict since labels are only locally significant
Egress PE – context local
Which context has VPN RD 100:10?
[Packet in: MPLS: 589826 | IP D: 40.1.2.1 S: 40.1.1.1]
[local]PE#show context all | grep options '-E' '100:10|Context|--'
Context Name Context ID VPN-RD Description
------------------------------------------------------------------------------
SE1-VPN1 0x40080003 100:10
[local]PE#
After label removal the packet will be forwarded to
context SE1-VPN1
[Packet out: IP D: 40.1.2.1 S: 40.1.1.1]
Egress PE – context SE1-VPN1
Context SE1-VPN1 receives a plain IP packet
It does a very simple route lookup
[SE1-VPN1]PE#show ip route
Type Network Next Hop Dist Metric UpTime Interface
> i B 2.2.2.1/32 100.1.1.1 200 0 03:28:08
> C 2.2.2.2/32 0 0 5d02h loopback
> i B 10.1.1.0/30 100.1.1.1 200 0 03:28:08
> C 10.1.1.4/30 0 0 1d05h vpn1-CE
> i B 40.1.1.0/24 100.1.1.1 200 0 03:28:08
> S 40.1.2.0/24 10.1.1.6 1 0 1d05h vpn1-CE
[Packet: IP D: 40.1.2.1 S: 40.1.1.1]
Egress CE1 router
Context SE[1-5]-CE1 on egress PE emulates CE1
router
40.1.2.1 is the address of one of its interfaces, so CE1
will respond to ping
[Packet: IP D: 40.1.2.1 S: 40.1.1.1]
[SE1-CE1]PE#show ip interface brief
Tue Jun 26 19:15:24 2007
Name Address MTU State Bindings
LAN 40.1.2.1/24 1500 Up dot1q 2/1 vlan-id 41
backbone 10.1.1.6/30 1500 Up dot1q 2/2 vlan-id 31
[SE1-CE1]PE#
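The forward walk above (CE1, ingress PE, P1, P2, egress PE) as an added Python model, not code from the original course material. The tables are copied from the command outputs on these slides; the function and variable names are illustrative, and the model drops any packet that reaches the egress PE without a label the PE allocated, since the destination IP alone cannot select one of the five contexts.

```python
import ipaddress
from dataclasses import dataclass, field

# Tables copied from the command outputs on the slides above.
VPN1_ROUTES = {"40.1.2.0/24": ("100.1.1.10", 589826)}   # ingress PE, context VPN1
INGRESS_LSP = {"100.1.1.10": ("1.1.1.2", 524298)}        # ingress PE, context local
P1_LABEL_MAP = {524298: ("swap", "10.1.2.2", 524299)}    # show mpls label-mapping, P1
P2_LABEL_MAP = {524299: ("php", "10.1.2.6", 3)}          # out label 3 = pop (PHP), P2
EGRESS_ALLOC = {589826: "100:10", 589827: "100:20", 589828: "100:30",
                589832: "100:40", 589833: "100:50"}      # AllocLabel -> VPN RD
RD_CONTEXT = {"100:10": "SE1-VPN1"}                      # show context all, egress PE


@dataclass
class Packet:
    src: str
    dst: str
    labels: list = field(default_factory=list)  # labels[0] is the outer (top) label


def longest_match(routes, dst):
    """Return the value of the most specific prefix in routes that contains dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), v) for p, v in routes.items()
            if addr in ipaddress.ip_network(p)]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def ingress_pe(pkt):
    """Context VPN1 pushes the inner label, context local pushes the outer label."""
    next_hop_pe, inner = longest_match(VPN1_ROUTES, pkt.dst)
    _direct_next_hop, outer = INGRESS_LSP[next_hop_pe]
    pkt.labels = [outer, inner]
    return pkt


def p_router(pkt, label_map):
    """P routers act on the top label only; the IP header is never consulted."""
    if not pkt.labels or pkt.labels[0] not in label_map:
        raise LookupError("no label mapping: packet dropped")
    action, _next_hop, out_label = label_map[pkt.labels[0]]
    if action == "swap":
        pkt.labels[0] = out_label
    elif action == "php":
        pkt.labels.pop(0)  # penultimate hop popping: remove the outer label
    return pkt


def egress_pe(pkt):
    """Select the VPN context from the inner label alone, then strip the label."""
    if not pkt.labels:
        raise LookupError("unlabelled packet: destination IP alone is ambiguous")
    rd = EGRESS_ALLOC.get(pkt.labels[0])
    if rd is None:
        raise LookupError(f"label {pkt.labels[0]} was not allocated by this PE")
    pkt.labels.pop(0)
    return rd, RD_CONTEXT.get(rd, "(context name not shown on the slides)")


def walk(pkt):
    """Return the label stack after each hop and the egress (RD, context)."""
    trace = []
    for hop in (ingress_pe,
                lambda p: p_router(p, P1_LABEL_MAP),
                lambda p: p_router(p, P2_LABEL_MAP)):
        pkt = hop(pkt)
        trace.append(list(pkt.labels))
    return trace, egress_pe(pkt)


if __name__ == "__main__":
    trace, target = walk(Packet("40.1.1.1", "40.1.2.1"))
    for name, stack in zip(("ingress PE", "P1", "P2"), trace):
        print(f"after {name:10}: {stack}")
    print("egress PE delivers to", target)
```

The same destination 40.1.2.1 carried under label 589827 resolves to RD 100:20, which is the separation property the inner label provides.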
Exercise
Follow the return path of the same packet.
Useful commands
– show ip route
– show bgp route ipv4 vpn
– show mpls label-mapping
– show mpls lsp
– traceroute
– ping mpls ldp
Reverse path trace
[SE1-CE1]PE#traceroute 40.1.1.1
se_traceroute to 40.1.1.1 (40.1.1.1), 30 hops max, 40 byte packets
1 10.1.1.5 (10.1.1.5) 2.453 ms 2.932 ms 1.820 ms
2 10.1.2.5 (10.1.2.5) 2.739 ms 2.426 ms 2.901 ms
MplsLabel: 524291 MplsExpBits: 0 TTL: 1
MplsLabel: 589825 MplsExpBits: 0 TTL: 1
3 10.1.2.1 (10.1.2.1) 2.453 ms 2.448 ms 1.881 ms
MplsLabel: 524300 MplsExpBits: 0 TTL: 1
MplsLabel: 589825 MplsExpBits: 0 TTL: 2
4 1.1.1.1 (1.1.1.1) 3.505 ms 3.498 ms 2.904 ms
MplsLabel: 589825 MplsExpBits: 0 TTL: 1
5 40.1.1.1 (40.1.1.1) 4.666 ms 3.512 ms 3.904 ms
[SE1-CE1]PE#
[Callouts: Outer labels; Inner label]
LSP creation
LSP list on ingress PE
There is an LSP for each FEC (Forwarding
Equivalence Class) in our network
How did PE learn about them?
[local]Redback#show mpls lsp
Codes : S -MPLS-Static, R -RSVP, L -LDP, B -BGP
Type Endpoint Direct Next-hop Out Label Adjacency Id
L 1.1.1.0/30 5.1.1.2 3 0x300011
L 2.1.1.0/30 5.1.1.2 3 0x300013
L 3.1.1.0/30 5.1.1.2 3 0x300015
L 4.1.1.0/30 5.1.1.2 3 0x300017
L 10.1.2.0/30 5.1.1.2 3 0x300019
L 10.1.2.4/30 5.1.1.2 524297 0x30001b
L 10.1.2.8/30 5.1.1.2 3 0x30001d
L 100.1.1.1/32 5.1.1.2 524300 0x30001f
L 100.1.1.2/32 5.1.1.2 524301 0x300021
L 100.1.1.3/32 5.1.1.2 524302 0x300023
L 100.1.1.4/32 5.1.1.2 524303 0x300025
L 100.1.1.10/32 5.1.1.2 524298 0x300027
L 100.1.1.11/32 5.1.1.2 3 0x300029
L 100.1.1.12/32 5.1.1.2 524299 0x30002b
LDP operations
Each MPLS node announces its FEC/label pairs to LDP
neighbors
Neighbor assigns label to this FEC and announces new
FEC/label pair to all LDP neighbors
– remember MPLS labels are of local significance
The same is repeated for every FEC connected to each node
As a result each MPLS node knows the label expected by its
neighbors for every FEC in the backbone network.
– This helps to speed up convergence after link failure
[Diagram: PE, P1, P2, PE; 100.1.1.1/32 = FEC1; advertisements FEC1 / label 3, FEC1 / label 125, FEC1 / label 368; FEC/label table entries 100.1.1.1/32 = 125 and 100.1.1.1/32 = 368]
Label 3 has a special meaning.
It asks P1 to perform PHP
Checking FEC/label mappings
[local]PE#show ldp binding
> active binding, Local/In - local/input label binding
From - source of remote label, Remote/Out - remote/output label binding
Prefix/FEC Learned-From Local/In Remote/Out Interface
1.1.1.0/30 100.1.1.11:0 524292 3
> 10.1.1.0/24 local 3
100.1.1.12:0 3
100.1.1.11:0 3
> 10.1.2.0/30 100.1.1.12:0 524297 3 backbone-2
100.1.1.11:0 3
> 10.1.2.4/30 local 3
100.1.1.12:0 3
100.1.1.11:0 524297
> 10.1.2.8/30 local 3
100.1.1.12:0 524297
100.1.1.11:0 3
100.1.1.1/32 100.1.1.11:0 524299 524299
> 100.1.1.12:0 524298 backbone-2
> 100.1.1.10/32 local 3
100.1.1.12:0 524299
100.1.1.11:0 524298
100.1.1.11/32 100.1.1.11:0 524298 3
> 100.1.1.12:0 524300 backbone-2
> 100.1.1.12/32 100.1.1.12:0 524300 3 backbone-2
100.1.1.11:0 524300
[local]PE#
This output comes from egress PE. Some entries have been removed to
simplify output.
LDP and IGP (OSPF in our case)
As you could see, egress PE has two labels for FEC
100.1.1.1/32
How does it know which one to use?
LDP doesn’t take any routing decisions – it relies on
IGP.
PE router will find the best path for 100.1.1.1/32
through OSPF
Once it knows the interface the packet needs to go out, it
will add the label learned from the LDP neighbor connected
to this interface
Usually FEC advertisement is limited to loopback
addresses of PE routers
– It greatly reduces the number of LSPs created
Filtering FECs within LDP
LSP scalability
As you could see, the number of FEC/label pairs created is quite
high even in such a small network as ours.
Imagine what will happen in a real network
Usually operators prefer to limit the number of FEC/label pairs
– It reduces the number of LSPs created
Ingress PE only needs an LSP connecting to the egress PE loopback
FEC
– It doesn’t need to send MPLS packets with P1 or P2 as
destination
– It also doesn’t need to send MPLS packets to any interface IP
address
We need to instruct LDP to ignore some FEC/label pairs
Filtering FECs within LDP (1-2)
There are 2 actions to take
Limit the number of FECs announced by ingress PE
– The only important FEC is PE’s loopback – 100.1.1.x/32
Filter out unwanted FECs received from neighbors
We will use IP prefix lists for filtering
It would be nice to see what happens when we configure
filters, so let’s turn on some debug:
[local]Redback#term monitor
[local]Redback#debug ldp message label
[local]Redback#
Filtering FECs within LDP (2-2)
[Diagram: Train-1 (PE), Backbone P Routers, PE router; contexts local, VPN 1, VPN 2, CE 1, CE 2]
PE Config (local context):
context local
 ip prefix-list ldp-in
  seq 10 permit 100.1.1.10/32
  seq 20 deny any
 ip prefix-list ldp-out
  seq 10 permit 100.1.1.1/32
  seq 20 deny any
 router ldp
  label-binding prefix-list ldp-in in
  label-binding prefix-list ldp-out out
  interface PE-loop
  interface backbone
Debug output
[local]Redback#Jun 28 12:48:16: %LDP-7-LABEL: Bestpath 1.1.1.0/30 new ver 40,
path cnt 2, nh cnt 1, active nh 0.0.0.0, (ldp_policy_in_change_walker)
Jun 28 12:48:16: %LDP-7-LABEL: Bestpath 2.1.1.0/30 new ver 41, path cnt 1, nh
cnt 0, active nh none, path different (ldp_policy_in_change_walker)
100.1.1.11: send LABEL WITHDRAW: 2.1.1.0/30 -> 524292
100.1.1.11: send LABEL WITHDRAW: 3.1.1.0/30 -> 524293
100.1.1.11: send LABEL WITHDRAW: 4.1.1.0/30 -> 524294
100.1.1.11: send LABEL WITHDRAW: 5.1.1.0/30 -> 524295
100.1.1.11: send LABEL WITHDRAW: 10.1.2.0/30 -> 524296
100.1.1.11: send LABEL WITHDRAW: 10.1.2.4/30 -> 524297
100.1.1.11: send LABEL WITHDRAW: 10.1.2.8/30 -> 524298
100.1.1.11: send LABEL WITHDRAW: 100.1.1.11/32 -> 524299
100.1.1.11: send LABEL WITHDRAW: 100.1.1.12/32 -> 524300
Jun 28 12:48:16: [0001]: %LDP-7-LABEL: 100.1.1.11 send LABEL MAP msg: 262 bytes
100.1.1.11: send LABEL WITHDRAW: 1.1.1.0/30 -> 3
100.1.1.11: send LABEL WITHDRAW: 10.1.1.0/24 -> 3
100.1.1.11: send LABEL WITHDRAW: 100.1.1.10/32 -> 524291
Jun 28 12:48:16: [0001]: %LDP-7-LABEL: 100.1.1.11 send LABEL MAP msg: 93 bytes
[Callout: Local FECs]
Some entries have been removed to simplify output.
Verification of LSP number
[local]Redback#show mpls lsp
Codes : S -MPLS-Static, R -RSVP, L -LDP, B -BGP
Type Endpoint Direct Next-hop Out Label Adjacency Id
L 100.1.1.10/32 1.1.1.2 524298 0x300013
[local]Redback#show ldp binding
> active binding, Local/In -local/input label binding
From -source of remote label, Remote/Out -remote/output label binding
Prefix/FEC Learned-From Local/In Remote/Out Interface
> 1.1.1.0/30 local 3
> 10.1.1.0/24 local 3
> 100.1.1.1/32 local 3
> 100.1.1.10/32 100.1.1.11:0 524291 524298 backbone
[local]Redback#
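A check of the ldp-in / ldp-out filters against binding tables, as an added Python example that is not part of the original course material. The binding rows are copied from the two ingress PE show ldp binding outputs on these slides; exact-match entries, first-match-wins ordering and an implicit deny when nothing matches are assumptions about prefix-list evaluation, and all function names are illustrative.

```python
import ipaddress

# Prefix lists from the "PE Config (local context)" slide: (seq, action, prefix)
LDP_IN = [(10, "permit", "100.1.1.10/32"), (20, "deny", "any")]
LDP_OUT = [(10, "permit", "100.1.1.1/32"), (20, "deny", "any")]

# Rows of "show ldp binding" before filtering (copied from the earlier slide)
BEFORE = """
> 10.1.2.0/30 100.1.1.11:0 524295 3 backbone
> 10.1.2.4/30 100.1.1.11:0 524296 524297 backbone
> 10.1.2.8/30 100.1.1.11:0 524297 3 backbone
> 100.1.1.1/32 100.1.1.11:0 524298 524300 backbone
> 100.1.1.2/32 100.1.1.11:0 524299 524301 backbone
> 100.1.1.3/32 100.1.1.11:0 524300 524302 backbone
> 100.1.1.4/32 100.1.1.11:0 524301 524303 backbone
> 100.1.1.5/32 local 3
100.1.1.11:0 524304
> 100.1.1.10/32 100.1.1.11:0 524302 524298 backbone
> 100.1.1.11/32 100.1.1.11:0 524303 3 backbone
> 100.1.1.12/32 100.1.1.11:0 524304 524299 backbone
"""

# Rows of "show ldp binding" after filtering (copied from the slide above)
AFTER = """
> 1.1.1.0/30 local 3
> 10.1.1.0/24 local 3
> 100.1.1.1/32 local 3
> 100.1.1.10/32 100.1.1.11:0 524291 524298 backbone
"""


def permitted(prefix_list, fec):
    """First matching entry in sequence order decides the result."""
    fec_net = ipaddress.ip_network(fec)
    for _seq, action, pattern in sorted(prefix_list):
        if pattern == "any" or ipaddress.ip_network(pattern) == fec_net:
            return action == "permit"
    return False  # assumed implicit deny when nothing matches


def parse_bindings(text):
    """Return (fec, source) pairs; source is 'local' or the advertising LSR id."""
    rows, fec = [], None
    for line in text.strip().splitlines():
        tokens = line.replace(">", " ").split()
        if not tokens:
            continue
        if "/" in tokens[0]:          # row starts a new FEC
            fec, tokens = tokens[0], tokens[1:]
        if fec is None or not tokens:
            continue
        rows.append((fec, tokens[0]))  # continuation rows reuse the previous FEC
    return rows


def unexpected_bindings(text, inbound_list):
    """Remote-learned FECs that the inbound filter should have rejected."""
    remote = {fec for fec, source in parse_bindings(text) if source != "local"}
    return sorted(f for f in remote if not permitted(inbound_list, f))


def advertised(text, outbound_list):
    """Local FECs that the outbound filter still lets the router announce."""
    local = [fec for fec, source in parse_bindings(text) if source == "local"]
    return [f for f in local if permitted(outbound_list, f)]


if __name__ == "__main__":
    print("before:", unexpected_bindings(BEFORE, LDP_IN))
    print("after: ", unexpected_bindings(AFTER, LDP_IN))
    print("announced:", advertised(AFTER, LDP_OUT))
```

An empty result from unexpected_bindings on a router's current table means the inbound filter is in effect; any FEC it returns is a binding the configured policy should not have accepted.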
LDP log
[local]Redback#show ldp log
Num Entries: 17, Start: 0, End: 16, Max: 8192, Entry Size: 44
0 Jun 26 21:47:58.116 STR LDP internal log initialized. Max n
1 Jun 26 21:47:58.116 STR umber of log entries is 8192. Log e
2 Jun 26 21:47:58.116 STR ntrysize is 44. Total memory consu
3 Jun 26 21:47:58.116 STRE mption360K.
4 Jun 26 21:47:58.679 STRE switch callback! flag = 2
5 Jun 26 21:48:01.802 STRE LDP state Initializing
6 Jun 26 21:48:09.680 STRE RIB ALIVE
7 Jun 26 21:48:10.112 STRE RIB regist40080001 success
8 Jun 26 21:48:21.718 STRE LDP state Calculating Bestpath
9 Jun 26 21:48:21.718 STRE LDP state Converging
10 Jun 26 21:48:21.725 STRE LDP state Downloading Label
11 Jun 26 21:48:21.738 STRE LDP state Normal
12 Jun 26 21:48:37.305 STRE LM ALIVE
13 Jun 26 21:48:37.392 STRE LM RegistSuccess
14 Jun 26 21:49:01.245 PEER 100.1.1.11 state changed from None to Init
15 Jun 26 21:49:01.291 PEER 100.1.1.11 state changed from Init to OpenRcv
16 Jun 26 21:49:01.295 PEER 100.1.1.11 UP
[local]Redback#
CE to PE using OSPF
Configure a second VPN
context VPN2 vpn-rd 100:vpn_ID (11,21,31,41,51)
– Interface vpn2-CE
– address 10.1.1.1/30
– Redistribute ospf
– PE to CE connection based on pos ports 5/1-5/2 using dot1q pvc 30
context CE2
– Interface backbone
– address 10.1.1.2/30
– Local LAN interface LAN
– address 50.1.1.1/24
Use the verification steps as learned before
Introduction class exercise
Class Exercise #2
PE Configuration (VPN2 context)
[Figure: network diagram. Labels: Backbone P Routers; PE; router Train-1 (PE); CE1, CE2, local, VPN 1, VPN 2 (each shown twice)]

PE router configuration

context VPN2 vpn-rd 100:vpn_ID
  interface loopback loopback
    ip address 2.2.2.1/32
  interface vpn2-CE
    ip address 10.1.1.1/30
  router bgp vpn
    address-family ipv4 unicast
      export route-target 100:vpn_ID
      import route-target 100:vpn_ID
      redistribute connected
      redistribute ospf 1

context SE1-VPN2 vpn-rd 100:11
  interface loopback loopback
    ip address 2.2.2.2/32
  router bgp vpn
    address-family ipv4 unicast
      export route-target 100:11
      import route-target 100:11
      redistribute connected
      redistribute ospf 1
context SE2-VPN1 vpn-rd 100:21
  …….

Train-x to vpnID mapping
PE        vpn_ID
Train-1   11
Train-2   21
Train-3   31
Train-4   41
Train-5   51
Class Exercise #2
PE Configuration (VPN2 context)
[Figure: network diagram. Labels: Backbone P Routers; PE; router Train-1 (PE); CE1, CE2, local, VPN 1, VPN 2 (each shown twice)]

PE router configuration

context VPN2 vpn-rd 100:vpn_ID
  router ospf 1 vpn local-as 100
    area 0.0.0.0
      interface vpn2-CE
        cost 100
    redistribute bgp 100
port ethernet 5/1
  dot1q pvc 40
    bind interface vpn2-CE VPN2

context SE1-VPN2 vpn-rd 100:11
  router ospf 1 vpn local-as 100
    area 0.0.0.0
      interface vpn2-CE
        cost 100
    redistribute bgp 100
context SE2-VPN2 vpn-rd 100:21
  ………

Train-x to vpnID mapping
PE        vpn_ID
Train-1   11
Train-2   21
Train-3   31
Train-4   41
Train-5   51
Class Exercise #2
CE Configuration (CE2 context)
[Figure: network diagram. Labels: Backbone P Routers; PE; router Train-1 (PE); CE1, CE2, local, VPN 1, VPN 2 (each shown twice)]

PE router configuration

context CE2
  interface LAN
    ip address 50.1.1.1/24
  interface backbone
    ip address 10.1.1.2/30
port ethernet 5/2
  dot1q pvc 40
    bind interface backbone CE2
  dot1q pvc 50
    bind interface LAN CE2

context SE1-CE2
  interface CE-LAN
    ip address 50.1.2.1/24
  interface backbone
    ip address 10.1.1.6/30
context SE2-CE2
  …..
Class Exercise #2
CE Configuration (CE2 context)
[Figure: network diagram. Labels: Backbone P Routers; PE; router Train-1 (PE); CE1, CE2, local, VPN 1, VPN 2 (each shown twice)]

context CE2
  router ospf 1
    area 0.0.0.0
      interface LAN
      interface backbone
        cost 100
Verification
Use what was learned in the previous case to verify connectivity between the LAN networks connected to the ingress and egress CEs.
Thank you ☺ ☺☺☺
We hope you enjoyed this course !
Please fill in evaluation form
Please sign course roster