Mpls VPN Basic

Uploaded by

Nlend Israël
Configure a Basic MPLS VPN

Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Background Information
Configuration
Network Diagram
Configuration Procedures
MPLS Configuration
Configure MP-BGP
Configurations
Verification
Related Information

Introduction
This document describes how to configure a Multiprotocol Label Switching (MPLS) VPN when
additional protocols are on the Cisco client site.

Prerequisites
Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

● P and PE Routers: Cisco IOS® Software Release which includes the MPLS VPN feature. Any
Cisco router from the 7200 series or higher supports P functionality. The Cisco 2600, as well
as any 3600 series or higher router, supports PE functionality.
● C and CE Routers: You can use any router that can exchange routing information with its PE
router.

The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, ensure that you understand the potential impact of any command.

Related Products
To implement the MPLS feature, you must have a router from the range of Cisco 2600 or higher.
To select the required Cisco IOS with MPLS feature, use the Software Research tool. Also check
for the additional RAM and Flash memory required to run the MPLS feature in the routers. WIC-
1T, WIC-2T, and serial interfaces can be used.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

These letters represent the different types of routers and switches used:

● P — Provider core router.
● PE — Provider Edge router.
● CE — Customer Edge router.
● C — Customer router.

Note: PE routers are the last hop in the provider network and these are the devices that
connect directly to the CE routers which are not aware of the MPLS feature, as shown in the
next diagram.

This diagram shows a typical configuration that illustrates the conventions outlined previously.

[Figure: MPLS VPN Network Diagram]

Background Information
This document provides a sample configuration of a Multiprotocol Label Switching (MPLS) VPN
when Border Gateway Protocol (BGP) is present on the Cisco client site.

When used with MPLS, the VPN feature allows several sites to interconnect transparently through
a service provider network. One Service Provider network can support several different IP VPNs.
Each of these appears to its users as a private network, separate from all other networks. Within a
VPN, each site can send IP packets to any other site in the same VPN.

Each VPN is associated with one or more Virtual Routing and Forwarding (VRF) instances. A VRF
consists of an IP routing table, a derived Cisco Express Forwarding (CEF) table, and a set of
interfaces that use this forwarding table. The router maintains a separate Routing Information
Base (RIB) and CEF table for each VRF. Therefore, routing information is not sent outside the
VPN, and the same subnet can be used in several VPNs without causing duplicate IP address
problems. The router that uses Multiprotocol BGP (MP-BGP) distributes the VPN routing
information with the MP-BGP extended communities.

Configuration
This section provides the configuration examples and how they are implemented.

Network Diagram

This document uses this network setup:

Configuration Procedures

MPLS Configuration

1. Verify that ip cef is enabled on the routers where MPLS is required. For improved performance,
use ip cef distributed (where available).

2. Configure an IGP on the service provider core and advertise the Loopback0 from each P and PE
router. Open Shortest Path First (OSPF) or Intermediate System-to-Intermediate System (IS-IS)
are the recommended options.

3. After the service provider core routers are fully L3 reachable between their loopbacks, configure
the command mpls ip on each L3 interface between P and PE routers.

Note: The PE router interface that connects directly to the CE router does not require the
mpls ip command configuration.

Complete these steps on the PEs after MPLS has been set up (configuration of mpls ip on the
interfaces).

1. Create one VRF for each VPN connected with the vrf definition <VRF name> command. Additional
steps:

● Specify the correct route distinguisher used for that VPN. The rd <VPN route distinguisher>
command is used to extend the IP address so that you can identify which VPN it belongs to.

vrf definition Client_A
rd 100:110

● Set up the import and export properties for the MP-BGP extended communities. These are
used to filter the import and export process with the command route-target [import|export|both]
<target VPN extended community> as shown in the next output:

vrf definition Client_A
rd 100:110
route-target export 100:1000
route-target import 100:1000
!
address-family ipv4
exit-address-family

2. On the PE router, add the interfaces that connect the CE to the corresponding VRF.
Configure the forwarding details for the respective interfaces with the vrf forwarding command
and set up the IP address.

Pescara#show run interface GigabitEthernet0/1
Building configuration...

Current configuration : 138 bytes
!
interface GigabitEthernet0/1
vrf forwarding Client_A
ip address 10.0.4.2 255.255.255.0
duplex auto
speed auto
media-type rj45
end

Pescara#
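
The route-target import and export lists decide which VRFs exchange routes, so they are what keeps Client_A and Client_B separate on a shared PE. The following Python sketch is an added example, not part of the original document or any Cisco tool: it parses PE configuration text in the style used here and reports every VRF that imports a route target exported by a different VRF, plus any VRF-bound interface that also has mpls ip. The extra import in Client_B and the mpls ip line on GigabitEthernet0/2 are constructed misconfigurations for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: VRF names and route targets follow the page; the extra
# "import 100:1000" under Client_B and "mpls ip" on Gi0/2 are deliberate errors.
SAMPLE_PE_CONFIG = """\
vrf definition Client_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
!
vrf definition Client_B
 rd 100:120
 route-target export 100:2000
 route-target import 100:2000
 route-target import 100:1000
!
interface GigabitEthernet0/0
 mpls ip
!
interface GigabitEthernet0/2
 vrf forwarding Client_B
 mpls ip
"""

def parse_blocks(config):
    """Split IOS-style text into {(kind, name): [sub-commands]} blocks."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"(vrf definition|interface)\s+(\S+)$", line)
        if head:
            current = blocks.setdefault((head.group(1), head.group(2)), [])
        elif line == "!" or not line:
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def audit(config):
    """Return (cross_vrf_imports, vrf_interfaces_with_mpls)."""
    blocks = parse_blocks(config)
    exports, imports = defaultdict(set), defaultdict(set)
    for (kind, name), cmds in blocks.items():
        for cmd in cmds if kind == "vrf definition" else ():
            m = re.match(r"route-target (import|export|both) (\S+)$", cmd)
            if m and m.group(1) != "import":
                exports[name].add(m.group(2))
            if m and m.group(1) != "export":
                imports[name].add(m.group(2))
    # (importing VRF, exporting VRF, RT): the importer receives the exporter's routes.
    cross = sorted((i, e, rt) for i in imports for e in exports
                   if i != e for rt in imports[i] & exports[e])
    # The page notes that CE-facing (VRF) interfaces do not need "mpls ip".
    mpls_on_vrf = sorted(
        name for (kind, name), cmds in blocks.items()
        if kind == "interface" and "mpls ip" in cmds
        and any(c.startswith("vrf forwarding ") for c in cmds))
    return cross, mpls_on_vrf
```

A cross-VRF import is not always an error (shared-services designs rely on it), so treat each reported tuple as something to confirm against the intended VPN membership.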

Configure MP-BGP

There are several ways to configure BGP; for example, you can configure PE routers as BGP
neighbors or use a Route Reflector (RR) or Confederation methods. A Route Reflector is used in
the next example, which is more scalable than the use of direct neighbors between PE routers:

1. Enter the address-family ipv4 vrf <VRF name> command for each VPN present at this PE
router. Carry out one or more of the next steps, as necessary:

● If you use BGP to exchange routing information with the CE, configure and activate the BGP
neighbors with the CE routers.
● If you use a different dynamic routing protocol to exchange routing information with the CE,
redistribute the routing protocols.

Note: Based on the PE-CE routing protocol you use, you can configure any dynamic routing
protocols (EIGRP, OSPF or BGP) between PE and CE devices. If BGP is the protocol used
to exchange routing information between PE and CE, there is no need to configure
redistribution between protocols.

2. Enter the address-family vpnv4 mode, and complete the next steps:

● Activate the neighbors. A VPNv4 neighbor session needs to be established between each PE
router and the Route Reflector.
● Specify that extended community must be used. This is mandatory.

Configurations

This document uses these configurations to set up the MPLS VPN network example:

● Pescara (PE)
● Pesaro (PE)
● Pomerol (P)
● Pulligny (RR)
● Pauillac (P)

Pescara

hostname Pescara
!
ip cef
!
!--- VPN Client_A commands.
vrf definition Client_A
rd 100:110
route-target export 100:1000
route-target import 100:1000
!
address-family ipv4
exit-address-family
!--- Enables the VPN routing and forwarding (VRF) routing table.
!--- Route distinguisher creates routing and forwarding tables for a VRF.
!--- Route targets creates lists of import and export extended communities for the specified VRF.
!
!--- VPN Client_B commands.
vrf definition Client_B
rd 100:120
route-target export 100:2000
route-target import 100:2000
!
address-family ipv4
exit-address-family
!
interface Loopback0
ip address 10.10.10.4 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
vrf forwarding Client_A
ip address 10.0.4.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
vrf forwarding Client_B
ip address 10.0.4.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!--- Associates a VRF instance with an interface or subinterface.
!--- GigabitEthernet0/1 and 0/2 use the same IP address, 10.0.4.2.
!--- This is allowed because they belong to two different customer VRFs.
!
interface GigabitEthernet0/0
description link to Pauillac
ip address 10.1.1.14 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!--- Enables MPLS on the L3 interface connecting to the P router
!
router isis
net 49.0001.0000.0000.0004.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!--- Enables IS-IS as the IGP in the provider core network
!
router bgp 65000
bgp log-neighbor-changes
neighbor 10.10.10.2 remote-as 65000
neighbor 10.10.10.2 update-source Loopback0
!--- Adds an entry to the BGP or MP-BGP neighbor table.
!--- And enables BGP sessions to use a specific operational interface for TCP connections.
!
address-family vpnv4
neighbor 10.10.10.2 activate
neighbor 10.10.10.2 send-community both
exit-address-family
!--- To enter address family configuration mode that use standard VPN version 4 address prefixes.
!--- Creates the VPNv4 neighbor session to the Route Reflector.
!--- And to send the community attribute to the BGP neighbor.
!
address-family ipv4 vrf Client_A
neighbor 10.0.4.1 remote-as 65002
neighbor 10.0.4.1 activate
exit-address-family
!
address-family ipv4 vrf Client_B
neighbor 10.0.4.1 remote-as 65001
neighbor 10.0.4.1 activate
exit-address-family
!--- These are the eBGP sessions to each CE router belonging to different customers.
!--- The eBGP sessions are configured within the VRF address family
!
end

Pesaro

hostname Pesaro
!
ip cef
!
vrf definition Client_A
rd 100:110
route-target export 100:1000
route-target import 100:1000
!
address-family ipv4
exit-address-family
!
vrf definition Client_B
rd 100:120
route-target export 100:2000
route-target import 100:2000
!
address-family ipv4
exit-address-family
!
ip cef
!
interface Loopback0
ip address 10.10.10.6 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
description link to Pomerol
ip address 10.1.1.22 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/1
vrf forwarding Client_B
ip address 10.0.6.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
vrf forwarding Client_A
ip address 10.1.6.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
vrf forwarding Client_A
ip address 10.0.6.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router isis
net 49.0001.0000.0000.0006.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
router bgp 65000
bgp log-neighbor-changes
neighbor 10.10.10.2 remote-as 65000
neighbor 10.10.10.2 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.10.2 activate
neighbor 10.10.10.2 send-community both
exit-address-family
!
address-family ipv4 vrf Client_A
neighbor 10.0.6.1 remote-as 65004
neighbor 10.0.6.1 activate
neighbor 10.1.6.1 remote-as 65004
neighbor 10.1.6.1 activate
exit-address-family
!
address-family ipv4 vrf Client_B
neighbor 10.0.6.1 remote-as 65003
neighbor 10.0.6.1 activate
exit-address-family
!
!
end

Pomerol

hostname Pomerol
!
ip cef
!
interface Loopback0
ip address 10.10.10.3 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
description link to Pesaro
ip address 10.1.1.21 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/1
description link to Pauillac
ip address 10.1.1.6 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/2
description link to Pulligny
ip address 10.1.1.9 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
end
Pulligny

hostname Pulligny
!
ip cef
!
interface Loopback0
ip address 10.10.10.2 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
description link to Pauillac
ip address 10.1.1.2 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/1
description link to Pomerol
ip address 10.1.1.10 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
router bgp 65000
bgp log-neighbor-changes
neighbor 10.10.10.4 remote-as 65000
neighbor 10.10.10.4 update-source Loopback0
neighbor 10.10.10.6 remote-as 65000
neighbor 10.10.10.6 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.10.4 activate
neighbor 10.10.10.4 send-community both
neighbor 10.10.10.4 route-reflector-client
neighbor 10.10.10.6 activate
neighbor 10.10.10.6 send-community both
neighbor 10.10.10.6 route-reflector-client
exit-address-family
!
!
end

Pauillac

hostname pauillac
!
ip cef
!
interface Loopback0
ip address 10.10.10.1 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
description link to Pescara
ip address 10.1.1.13 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/1
description link to Pulligny
ip address 10.1.1.5 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/2
description link to Pomerol
ip address 10.1.1.1 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
router isis
net 49.0001.0000.0000.0001.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
end

CE-A1

hostname CE-A1
!
ip cef
!
interface GigabitEthernet0/0
ip address 10.0.4.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router bgp 65002
bgp log-neighbor-changes
redistribute connected
neighbor 10.0.4.2 remote-as 65000
!
end

CE-A3

hostname CE-A3
!
ip cef
!
interface GigabitEthernet0/0
ip address 10.0.6.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router bgp 65004
bgp log-neighbor-changes
redistribute connected
neighbor 10.0.6.2 remote-as 65000
!
end

Verification
This section provides information you can use to confirm that the configuration works properly:

PE to CE Verification Commands

● show ip vrf — Verifies that the correct VRF exists.
● show ip vrf interfaces — Verifies the activated interfaces.
● show ip route vrf <VRF name> — Verifies the routing information on the PE routers.
● traceroute vrf <VRF name> <IP address> — Verifies the routing information on the PE routers.
● show ip cef vrf <VRF name> <IP address> detail — Verifies the routing information on the PE routers.

MPLS LDP Verification Commands

● show mpls interfaces
● show mpls forwarding-table
● show mpls ldp bindings
● show mpls ldp neighbor

PE to PE/RR Verification Commands

● show bgp vpnv4 unicast all summary
● show bgp vpnv4 unicast all neighbor <neighbor IP address> advertised-routes - Verifies VPNv4 prefixes sent
● show bgp vpnv4 unicast all neighbor <neighbor IP address> routes - Verifies VPNv4 prefixes received

This is a sample command output of the show ip vrf command.

Pescara# show ip vrf
Name                             Default RD            Interfaces
Client_A                         100:110               Gi0/1
Client_B                         100:120               Gi0/2

The next is a sample command output of the show ip vrf interfaces command.

Pesaro#show ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Gi0/2                  10.1.6.2        Client_A                         up
Gi0/3                  10.0.6.2        Client_A                         up
Gi0/1                  10.0.6.2        Client_B                         up

In this next sample, the show ip route vrf commands show the same prefix 10.0.6.0/24 in both the
outputs. This is because the remote PE has the same network for two Cisco clients, CE_B2 and
CE_A3, which is allowed in a typical MPLS VPN solution.

Pescara#show ip route vrf Client_A

Routing Table: Client_A


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks


C 10.0.4.0/24 is directly connected, GigabitEthernet0/1
L 10.0.4.2/32 is directly connected, GigabitEthernet0/1
B 10.0.6.0/24 [200/0] via 10.10.10.6, 11:11:11
B 10.1.6.0/24 [200/0] via 10.10.10.6, 11:24:16
Pescara#

Pescara#show ip route vrf Client_B

Routing Table: Client_B


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks


C 10.0.4.0/24 is directly connected, GigabitEthernet0/2
L 10.0.4.2/32 is directly connected, GigabitEthernet0/2
B 10.0.6.0/24 [200/0] via 10.10.10.6, 11:26:05

When you run a traceroute between two sites, in this example two sites of Client_A (CE-A1 to
CE-A3), it is possible to see the label stack used by the MPLS network (if it is configured to do
so by mpls ip propagate-ttl).

CE-A1#show ip route 10.0.6.1


Routing entry for 10.0.6.0/24
Known via "bgp 65002", distance 20, metric 0
Tag 65000, type external
Last update from 10.0.4.2 11:16:14 ago
Routing Descriptor Blocks:
* 10.0.4.2, from 10.0.4.2, 11:16:14 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 65000
MPLS label: none
CE-A1#
CE-A1#ping 10.0.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/9 ms
CE-A1#
CE-A1#traceroute 10.0.6.1 probe 1 numeric
Type escape sequence to abort.
Tracing the route to 10.0.6.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.4.2 2 msec
2 10.1.1.13 [MPLS: Labels 20/26 Exp 0] 8 msec
3 10.1.1.6 [MPLS: Labels 21/26 Exp 0] 17 msec
4 10.0.6.2 [AS 65004] 11 msec
5 10.0.6.1 [AS 65004] 8 msec

Note: Exp 0 is an experimental field used for Quality of Service (QoS).
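
Each labelled hop in the traceroute above carries a two-level stack: the outer label is the transport label that changes at every P router, and the inner label is the VPN label that stays the same across the core. The following Python sketch is an added example, not part of the original document: it parses the hop lines, separates the two label levels, and lists the provider core interfaces that the customer site can see while TTL propagation is enabled. The hop lines and the core addresses are taken from the outputs and configurations on this page; the function names are hypothetical.

```python
import re

# One hop per line, taken from the CE-A1 traceroute on this page.
SAMPLE_TRACEROUTE = """\
1 10.0.4.2 2 msec
2 10.1.1.13 [MPLS: Labels 20/26 Exp 0] 8 msec
3 10.1.1.6 [MPLS: Labels 21/26 Exp 0] 17 msec
4 10.0.6.2 [AS 65004] 11 msec
5 10.0.6.1 [AS 65004] 8 msec
"""

# Core interface addresses from the P router configurations on this page.
CORE_INTERFACES = {"10.1.1.13": "Pauillac Gi0/0", "10.1.1.6": "Pomerol Gi0/1"}

HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<addr>\d+(?:\.\d+){3})"
    r"(?:\s+\[MPLS: Labels? (?P<labels>[\d/]+) Exp (?P<exp>\d+)\])?"
)

def parse_hops(text):
    """Return one dict per hop; 'labels' is the stack, outermost label first."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            stack = [int(x) for x in (m["labels"] or "").split("/") if x]
            hops.append({"hop": int(m["hop"]), "addr": m["addr"], "labels": stack})
    return hops

def summarize(hops):
    """Separate per-hop transport labels from the end-to-end VPN label."""
    labelled = [h for h in hops if h["labels"]]
    two_level = [h for h in labelled if len(h["labels"]) >= 2]
    inner = {h["labels"][-1] for h in two_level}
    return {
        # Outer label: swapped at each P router.
        "transport_labels": [h["labels"][0] for h in two_level],
        # Inner label: the VPN label, carried unchanged across the core.
        "vpn_label": next(iter(inner)) if len(inner) == 1 else None,
        # Provider-internal hops visible in the customer's own traceroute.
        "exposed_core": [CORE_INTERFACES.get(h["addr"], h["addr"]) for h in labelled],
    }
```

A vpn_label of None means the inner label differed between hops, which is worth checking against show mpls forwarding-table on the PE routers.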

The next output shows the IS-IS and LDP adjacency established between the RR and some of the
P routers in the Service Provider core network:

Pulligny#show isis neighbors

Tag null:
System Id Type Interface IP Address State Holdtime Circuit Id
Pauillac L2 Gi0/0 10.1.1.1 UP 25 Pulligny.01
Pomerol L2 Gi0/1 10.1.1.9 UP 23 Pulligny.02
Pulligny#

Pulligny#show mpls ldp neighbor


Peer LDP Ident: 10.10.10.1:0; Local LDP Ident 10.10.10.2:0
TCP connection: 10.10.10.1.646 - 10.10.10.2.46298
State: Oper; Msgs sent/rcvd: 924/921; Downstream
Up time: 13:16:03
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 10.1.1.1
Addresses bound to peer LDP Ident:
10.1.1.13 10.1.1.5 10.1.1.1 10.10.10.1
Peer LDP Ident: 10.10.10.3:0; Local LDP Ident 10.10.10.2:0
TCP connection: 10.10.10.3.14116 - 10.10.10.2.646
State: Oper; Msgs sent/rcvd: 920/916; Downstream
Up time: 13:13:09
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 10.1.1.9
Addresses bound to peer LDP Ident:
10.1.1.6 10.1.1.9 10.10.10.3 10.1.1.21

Related Information
● MPLS Command Reference
● Technical Support & Documentation - Cisco Systems
