Configuring a Simple MPLS VPN 205
MPLS-based VPNs offer the same privacy and security as traditional VPNs, but without the worries. Overlapping address spaces, intranets, extranets, and even hub-and-spoke topologies are supported in an MPLS VPN.
Configuring a Simple MPLS VPN
Chapter 5 explained most, but not all, of what is required to set up an MPLS VPN. In this chapter, I’ll expand on what you learned in Chapter 5 about MPLS VPN configuration. To start with, let’s revisit the simple service provider network illustrated in Figure 6.1.
F I G U R E 6 . 1 A simple service provider network
10.1.0.0/16 10.1.0.0/16
Customer B1 |
|
|
|
|
|
Customer A1 |
|||
|
|
|
Serial 0 |
|
|
|
|
||
10.2.0.2/16 |
|
Serial 0 10.2.0.2/16 |
|||||||
10.2.0.1/16 |
|
|
10.2.0.1/16 |
||||||
Serial 0/2 |
|
|
Serial 0/1 |
||||||
|
|
|
|
|
|
PE1 |
|||
|
|
Serial 0/0 |
|
192.168.1.1 |
|
||||
|
|
|
|
|
|
192.168.1.10 |
|||
|
|
Serial 0/0 |
|
|
|
|
|
||
|
|
|
|
|
|
P1 |
|||
|
|
Serial 0/1 |
|
|
|
|
|
||
|
|
Serial 0/0 |
|
|
|
|
|
||
|
|
|
|
|
|
P2 |
|||
|
|
Serial 0/1 |
|
|
|
|
|
||
|
|
Serial 0/0 |
|
|
|
|
|
||
Serial 0/2 |
|
|
PE2 |
||||||
|
|
||||||||
|
|
Serial 0/1 |
|||||||
10.3.0.1/16 |
|
|
10.3.0.1/16 |
||||||
10.3.0.2/16 |
|
|
|
10.3.0.2/16 |
|||||
Customer B2 |
|
|
|
|
|
Customer A2 |
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10.4.0.0 |
|
|
10.4.0.0 |
||||||
Copyright ©2002 SYBEX, Inc., Alameda, CA |
www.sybex.com |
206 Chapter 6 MPLS VPNs and RIP
Table 6.1 lists the IP addresses and interfaces of all the service provider network devices in Figure 6.1.
T A B L E 6 . 1 Service Provider IP Addressing
Device |
Serial 0/0 |
Serial 0/1 |
Loopback 0 |
|
|
|
|
PE1 |
192.168.1.10 |
|
192.168.1.1 |
P1 |
192.168.1.9 |
192.168.1.14 |
192.168.1.2 |
P2 |
192.168.1.13 |
192.168.1.18 |
192.168.1.3 |
PE2 |
192.168.1.17 |
|
192.168.1.4 |
|
|
|
|
As you can see in Figure 6.1, the network has grown a bit. Table 6.2 lists the IP addresses and interfaces of the new PE devices in Figure 6.1.
T A B L E 6 . 2 PE Customer Link Addressing
Device |
Serial 0/1 |
Serial 0/2 |
Mask |
|
|
|
|
PE1 |
10.2.0.1 |
10.2.0.1 |
/16 |
PE2 |
10.3.0.1 |
10.3.0.1 |
/16 |
|
|
|
|
Table 6.3 lists the IP addresses and interfaces of all the customer devices in Figure 6.1.
T A B L E 6 . 3 PE Customer Link Addressing
Device |
Serial 0 |
Ethernet0 |
Mask |
|
|
|
|
Customer A1 |
10.2.0.2 |
10.1.0.1 |
/16 |
Customer A2 |
10.3.0.2 |
10.4.0.1 |
/16 |
Customer B1 |
10.2.0.2 |
10.1.0.1 |
/16 |
Customer B2 |
10.3.0.2 |
10.4.0.1 |
/16 |
|
|
|
|
Copyright ©2002 SYBEX, Inc., Alameda, CA |
www.sybex.com |
Configuring a Simple MPLS VPN 207
For the sake of this discussion, let’s say that MPLS and MP-IBGP are configured already. Since the MP-BGP backbone is already in place, you only need to concentrate on configuring the VPNs.
From a business standpoint, you need to configure a simple VPN for Customer A and Customer B. Customer A has two sites (Customer A1 and Customer A2), and Customer B has two sites (Customer B1 and Customer B2).
Chapter 5 introduced the concepts of VRFs and route distinguishers, so let’s set up a VRF and configure the route distinguishers on PE1 for Customer A and Customer B using the following commands:
PE1#config t
PE1(config)#ip vrf vpn_a
PE1(config-vrf)#rd 1:1
PE1(config-vrf)#exit
PE1(config)#ip vrf vpn_b
PE1(config-vrf)rd 1:2
Use the following commands to set up the VRFs and configure the route distinguishers on PE2 for both customers:
PE2#config t
PE2(config)#ip vrf vpn_a
PE2(config-vrf)#rd 1:1
PE2(config-vrf)#exit
PE2(config)#ip vrf vpn_b
PE2(config-vrf)rd 1:2
If the preceding syntax doesn’t ring any bells, go back and re-read Chapter 5.
That’s pretty much where we left things in Chapter 5. The next section explains how to configure interfaces to be part of a VRF.
Configuring VRF Interfaces
After you’ve created the VRF and configured the route distinguisher, interfaces must be added to the VRF. You’re probably thinking to yourself, “Add the interface to the VRF?” If you remember back to Chapter 5, a VRF is like a virtual router.
Copyright ©2002 SYBEX, Inc., Alameda, CA |
www.sybex.com |
208 Chapter 6 MPLS VPNs and RIP
When you execute the show ip route command, you always see the connected interfaces in the global routing table. Since a VRF is a virtual routing table, the interfaces need to be in it. In Figure 6.1, Serial 0/1 connects to Customer A1 and Serial 0/2 connects to Customer B1. These interfaces need to be added to their particular VRF.
So on PE1, to put Serial 0/1 in Customer A’s VRF (vpn_a), you use the ip vrf forwarding command. The configuration for Customer A is as follows:
PE1#config t
PE1(config)#interface serial 0/1
PE1(config-if)#ip vrf forwarding vpn_a
After the interface is placed in a VRF, it loses its IP address configuration. The
IP address will need to be reconfigured.
PE1(config-if)#ip address 10.2.0.1 mask 255.255.0.0
The interface that used to be present in the global routing table is now associated with a VRF. To verify that the Serial 0/1 interface is now associated with the VRF, use the show ip route vrf vpn_a connected command. The output from this command is as follows:
PE1#show ip route vrf vpn_a connected
C10.2.0.1 is directly connected, Serial0/1
MPLS VPN security can be negated with misconfiguration. Make sure the
right interface is in the right VRF.
The same process needs to be repeated on PE1 for Customer B (vpn_b) using the following commands:
PE1#config t
PE1(config)#interface serial 0/2
PE1(config-if)#ip vrf forwarding vpn_b
PE1(config-if)#ip address 10.2.0.1 mask 255.255.0.0
Verify that the Serial 0/2 interface is now associated with the VRF using the show ip route vrf vpn_b connected command as follows:
PE1#show ip route vrf vpn_b connected
C 10.2.0.1 is directly connected, Serial0/2
Copyright ©2002 SYBEX, Inc., Alameda, CA |
www.sybex.com |