Configuring MPLS L3VPN on Switch


I. Network requirements

  • CE 1 and CE 3 belong to VPN 1, while CE 2 and CE 4 belong to VPN 2.
  •  VPN 1 uses VPN target attributes 111:1, while VPN 2 uses VPN target attributes 222:2. Users of different VPNs cannot access each other.
  •  PEs and the P device support MPLS.

II. Network diagram
III. Configuration procedure
1) Configure IGP on the MPLS backbone, enabling the PEs and the P device to communicate

# Configure PE 1.

<PE1> system-view
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.9 32
[PE1-LoopBack0] quit
[PE1] interface vlan-interface 3
[PE1-Vlan-interface3] ip address 172.1.1.1 24
[PE1- Vlan-interface3] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure the P device.

<P> system-view
[P] interface loopback 0
[P-LoopBack0] ip address 2.2.2.9 32
[P-LoopBack0] quit
[P] interface vlan-interface 3
[P-Vlan-interface3] ip address 172.1.1.2 24
[P- Vlan-interface3] quit
[P] interface vlan-interface 1
[P-Vlan-interface1] ip address 172.2.1.1 24
[P-Vlan-interface1] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE 2.

<PE2> system-view
[PE2] interface loopback 0
[PE2-LoopBack0] ip address 3.3.3.9 32
[PE2-LoopBack0] quit
[PE2] interface vlan-interface 1
[PE2-Vlan-interface1] ip address 172.2.1.2 24
[PE2-Vlan-interface1] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After you complete the above configurations, OSPF adjacency should be established between PE 1, P, and PE 2. Issuing the display ospf peer command, you can see that the adjacency status is Full. Issuing the display ip routing-table command, you can see that the PEs have learned the loopback route of each other. The following takes PE 1 as an example:

[PE1] display ip routing-table

Routing Tables: Public
Destinations : 9 Routes : 9
Destination/Mask    Proto      Pre   Cost   NextHop     Interface
1.1.1.9/32                 Direct      0       0      127.0.0.1    InLoop0
2.2.2.9/32                 OSPF     10       1      172.1.1.2    Vlan3
3.3.3.9/32                 OSPF     10       2      172.1.1.2    Vlan3
127.0.0.0/8               Direct      0        0      127.0.0.1    InLoop0
127.0.0.1/32             Direct      0        0      127.0.0.1    InLoop0
172.1.1.0/24             Direct      0        0      172.1.1.1    Vlan3
172.1.1.1/32             Direct      0        0      127.0.0.1    InLoop0
172.1.1.2/32             Direct      0        0      172.1.1.2    Vlan3
172.2.1.0/24             OSPF     10        1      172.1.1.2   Vlan3

[PE1] display ospf peer verbose

OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.1(Vlan-interface3)'s neighbors
Router ID: 172.1.1.2 Address: 172.1.1.2 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None  BDR: None  MTU: 1500
Dead timer due in 38 sec
Neighbor is up for 00:02:44
Authentication Sequence: [ 0 ]

2) Configure MPLS basic capability and MPLS LDP on the MPLS backbone to establish LDP LSPs

# Configure PE 1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlan-interface 3
[PE1-Vlan-interface3] mpls
[PE1-Vlan-interface3] mpls ldp
[PE1-Vlan-interface3] quit

# Configure the P device.

[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlan-interface 3
[P-Vlan-interface3] mpls
[P-Vlan-interface3] mpls ldp
[P-Vlan-interface3] quit
[P] interface vlan-interface 1
[P-Vlan-interface1] mpls
[P-Vlan0interface1] mpls ldp
[P-Vlan-interface1] quit

# Configure PE 2.

[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlan-interface 1
[PE2-Vlan-interface1] mpls
[PE2-Vlan-interface1] mpls ldp
[PE2-Vlan-interface1] quit

After you complete the above configurations, LDP sessions should be established between PE 1, P, and PE 2. Issuing the display mpls ldp session command, you can see that the Session State field has a value of Operational. Issuing the display mpls ldp lsp command, you can see that the LSPs established by LDP. The following takes PE 1 as an example:

[PE1] display mpls ldp session

LDP Session(s) in Public Network
----------------------------------------------------------------
Peer-ID Status LAM SsnRole FT MD5 KA-Sent/Rcv
---------------------------------------------------------------
2.2.2.9:0 Operational DU Passive Off Off 5/5
---------------------------------------------------------------
LAM : Label Advertisement Mode FT : Fault Tolerance
[PE1] display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------
SN DestAddress/Mask In/OutLabel Next-Hop In/Out-Interface
------------------------------------------------------------------
1 1.1.1.9/32 3/NULL 127.0.0.1 Vlan-interface3/InLoop0
2 2.2.2.9/32 NULL/3 172.1.1.2 -------/Vlan-interface3
3 3.3.3.9/32 NULL/1024 172.1.1.2 -------/Vlan-interface3
------------------------------------------------------------------
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale

3) Configure VPN instances on PEs to allow CEs to access

# Configure PE 1.

[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1] vpn-target 111:1
[PE1-vpn-instance-vpn1] quit
[PE1] ip vpn-instance vpn2
[PE1-vpn-instance-vpn2] route-distinguisher 100:2
[PE1-vpn-instance-vpn2] vpn-target 222:2
[PE1-vpn-instance-vpn2] quit
[PE1] interface vlan-interface 1
[PE1-Vlan-interface1] ip binding vpn-instance vpn1
[PE1-Vlan-interface1] ip address 10.1.1.2 24
[PE1-Vlan-interface1] quit
[PE1] interface vlan-interface 2
[PE1-Vlan-interface2] ip binding vpn-instance vpn2
[PE1-Vlan-interface2] ip address 10.2.1.2 24
[PE1-Vlan-interface2] quit

# Configure PE 2.

[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
[PE2-vpn-instance-vpn1] vpn-target 111:1
[PE2-vpn-instance-vpn1] quit
[PE2] ip vpn-instance vpn2
[PE2-vpn-instance-vpn2] route-distinguisher 200:2
[PE2-vpn-instance-vpn2] vpn-target 222:2
[PE2-vpn-instance-vpn2] quit
[PE2] interface vlan-interface 2
[PE2-Vlan-interface2] ip binding vpn-instance vpn1
[PE2-Vlan-interface2] ip address 10.3.1.2 24
[PE2-Vlan-interface2] quit
[PE2] interface vlan-interface 3
[PE2-Vlan-interface3] ip binding vpn-instance vpn2
[PE2-Vlan-interface3] ip address 10.4.1.2 24
[PE2-Vlan-interface3] quit

# Configure IP addresses for the CEs as required in Figure. The detailed configuration steps are omitted.
After completing the above configurations, you can issue the display ip vpn-instance command on the PEs to view the configuration of the VPN instance. The PEs should be capable of pinging their respective CEs. The following takes PE 1 and CE 1 as an example:

[PE1] display ip vpn-instance

Total VPN-Instances configured : 2
VPN-Instance Name RD Create Time
vpn1 100:1 2006/08/13 09:32:45
vpn2 100:2 2006/08/13 09:42:59
[PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/23/56 ms

4) Establish EBGP peer relationship between PEs and CEs to allow VPN routes to be injected

# Configure CE 1.

<CE1> system-view
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

Note:
The configurations for the other three CEs are similar to the above. The detailed configuration steps are omitted.

# Configure PE 1.

[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
[PE1-bgp] ipv4-family vpn-instance vpn2
[PE1-bgp-vpn2] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpn2] import-route direct
[PE1-bgp-vpn2] quit
[PE1-bgp] quit

Note:
The configurations for PE 2 are similar to those for PE 1. The detailed configuration steps are omitted.

After completing the above configuration, if you issue the display bgp vpnv4 vpn-instance peer command on the PEs, you should see that BGP peer relationship has been established between PE and CE, and has reached the state of Established. The following takes PE 1 and CE 1 as an example:

[PE1] display bgp vpnv4 vpn-instance vpn1 peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer        V   AS     MsgRcvd MsgSent  OutQ  PrefRcv Up/Down   State
10.1.1.1  4  65410      11               9          0             1       00:06:37   Established

5) Configure MP-IBGP peers between PEs

# Configure PE 1.

[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 0
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE 2.

[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 0
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After completing the above configuration, if you issue the display bgp peer command or the display bgp vpnv4 all peer command on the PEs, you should see that BGP peer relationship has been established between the PEs, and has reached the state of Established.

[PE1] display bgp peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer      V  AS    MsgRcvd  MsgSent   OutQ  PrefRcv Up/Down     State
3.3.3.9  4  100          2              6               0           0      00:00:12    Established

6) Verify your configurations

Issuing the display ip routing-table vpn-instance command on the PEs, you should see the routes to the CEs. The following takes PE 1 as an example:

[PE1] display ip routing-table vpn-instance vpn1

Routing Tables: vpn1
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 Direct 0 0 10.1.1.2 Vlan1
10.1.1.2/32 Direct 0 0 127.0.0.1 InLoop0
10.3.1.0/24 BGP 255 0 3.3.3.9 NULL0

[PE1] display ip routing-table vpn-instance vpn2

Routing Tables: vpn2
Destinations : 3 Routes : 3
Destination/Mask Proto Pre Cost NextHop Interface
10.2.1.0/24 Direct 0 0 10.2.1.2 Vlan2
10.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0
10.4.1.0/24 BGP 255 0 3.3.3.9 NULL0

CEs of the same VPN should be capable of pinging each other, whereas those of different VPNs should not. For example, CE 1 should be capable of pinging CE 3 (10.3.1.1), but should not be capable of pinging CE 4 (10.4.1.1):

[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms

[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss



No comments:

Post a Comment

Subscribe to: Post Comments (Atom)