7/26/2021 MPLS over FlexVPN

Get Full Access to our 731 Cisco Lessons Now Start $1 Trial

Search … 

You are here: Home » MPLS

MPLS over FlexVPN 

Lesson Contents Course Contents

1. Configuration MPLS

1.1. Hub1
1.1.1. IKEv2 Keyring  Unit 1: Introduction

1.1.2. IKEv2 Authorization Policy  Unit 2: LDP (Label Distribution Protocol)

1.1.3. IKEv2 Profile  Unit 3: MPLS VPN

1.1.4. IPSec Profile VRFs (Virtual Routing and Forwarding)
1.1.5. Dynamic VTI MPLS L3 VPN Explained
1.1.6. VRF
MPLS L3 VPN Configuration
1.1.7. MP-BGP
MPLS L3 VPN BGP Allow AS in
1.2. Spoke1
MPLS L3 VPN BGP AS Override
1.2.1. IKEv2 Keyring
MPLS L3 VPN PE-CE RIP
1.2.2. IKEv2 Authorization Policy
1.2.3. IKEv2 Profile MPLS L3 VPN PE-CE EIGRP

1.2.4. IPSec Profile MPLS L3 VPN PE-CE OSPF

1.2.5. Static VTI MPLS L3 VPN PE-CE OSPF Default Route

1.2.6. Dynamic VTI MPLS L3 VPN PE-CE OSPF Global Default

1.2.7. VRF Route

MPLS L3 VPN PE-CE OSPF Sham Link

With MPLS over FlexVPN, we combine the advantages of FlexVPN and MPLS. FlexVPN VRF Lite Route Leaking

allows us to create a secure hub and spoke network where direct spoke-to-spoke traffic MPLS VPN Extranet Route Leaking

is possible because of NHRP. By using VRFs and MPLS, we can have overlapping MPLS VPN VRF Export Map

addresses in customer networks. MPLS VPN VRF Import Map

MPLS over FlexVPN

MPLS over FlexVPN is a good choice if you want to extend your MPLS network securely  Unit 4: MPLS L2 Encapsulation
over the Internet.  Unit 5: IPv6 MPLS

We require the following components to run MPLS over FlexVPN:

IKEv2 and IPSec: to create security associations and encrypt our traffic.
NHRP: to make direct spoke-to-spoke traffic possible. A difference with DMVPN is
that we only use NHRP for redirection. Spoke routers don’t register themselves
with the hub router.
MPLS: for label switching. We don’t use LDP. There are two main reasons not to
use LDP:
When we use LDP to distribute transport labels, it has to establish a
neighbor adjacency with every LDP neighbor. There will be quite some
overhead when you have many remote peers.
LDP keepalive will keep the spoke-to-spoke tunnels active, even if there
is no traffic between the spoke routers.
MPLS Forwarding Infrastructure (MFI): Manages the MPLS data structures we
use for forwarding. Cisco replaced the Label Forwarding Information Base (LFIB)

https://networklessons.com/mpls/mpls-over-flexvpn 1/9
7/26/2021 MPLS over FlexVPN

with the MFI on recent IOS and IOS XE images. NHRP is an application that calls MFI
for label management. Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
MP-BGP: Distributes overlay labels for the prefixes on different VRFs.

Let me give you a walkthrough of how these different components work together when
we run MPLS over FlexVPN. Take a look at the following topology:

Here is our starting point:

We use VRF “CUSTOMER” on the GigabitEthernet 0/1 interfaces of the spoke

routers.
We use MP-BGP to advertise labels for the networks in each VRF:
The spoke routers advertise the /24 network on their GigabitEthernet 0/1
interface.
The hub router advertises a 10.0.0.0/8 summary route so the spoke routers
know how to reach each others networks.

Here’s how it works:

1. The spoke routers establish IKEv2 and IPSec security associations with the hub
router.
2. The routers install an implicit null label for the tunnel interfaces. We use an
implicit null label because the remote tunnel interface is always only one hop
away.
3. MP-BGP exchanges labels for the prefixes in each VRF.
4. CE1 (10.1.1.101) sends an IP packet to CE2 (10.2.2.102).
5. Spoke1 receives the IP packet, adds the label that matches the summary route
from the hub, encapsulates the IP packet with GRE, and forwards it through the
tunnel interface to the hub router.
6. The hub router decrypts the IP packet and looks up the required label to reach
10.2.2.102.
7. The hub router adds the label that matches the 10.2.2.0/24 network, encapsulates
the IP packet with GRE, and sends the packet to the spoke2 router.
8. The hub router also sends an NHRP redirect packet to the spoke1 router and adds
the label that matches the 10.1.1.0/24 prefix where the IP packet originated from.
9. The spoke1 router receives and processes the NHRP redirect packet which triggers
an NHRP resolution request.
10. The spoke1 router creates an NHRP mapping entry and associates it with VRF
“CUSTOMER” for the 10.2.2.0/24 prefix.
11. The spoke1 router sends an NHRP resolution request to the hub router. The NHRP
resolution request includes a request ID which we later need when we receive an
NHRP resolution reply.
12. The hub router receives the NHRP resolution request, looks up the label for
10.2.2.0/24, and forwards the NHRP resolution request to the spoke2 router.
13. The spoke2 router receives the NHRP resolution request and creates a virtual-
access interface.
14. The spoke2 router initiates an IKEv2 and IPSec SA with the spoke1 router.

https://networklessons.com/mpls/mpls-over-flexvpn 2/9
7/26/2021 MPLS over FlexVPN

15. NHRP installs the route for the spoke1 router’s virtual-access interface IP address.
Get
16. The spoke2 router sends an Full resolution
NHRP Access to reply
our 731 Cisco
to the Lessons
spoke1 Now
router Start
using the $1 Trial
virtual-access interface.
17. The NHRP resolution reply from the spoke2 router includes:
1. The label that the spoke1 router can use to send IP packets over the spoke-
to-spoke tunnel. NHRP gets this label from the MPLS Forwarding
Infrastructure (MFI).
2. An implicit null label for the IP address of the spoke2 router’s virtual-access
interface.
18. The spoke1 router receives the NHRP resolution reply on its virtual-access
interface. The NHRP resolution reply includes the request ID that the spoke1 router
added in the NHRP resolution request. This is how the spoke1 router knows to
which VRF the NHRP resolution reply belongs.
19. The spoke1 router looks up the NHRP entry in the NHRP cache and inserts a route
in the VRF routing table.
20. The spoke1 and spoke2 can now label switch packets directly using their virtual-
access interfaces for the VRF.

If you want to see the above explanation in action, try the debug nhrp

command on your routers.

1. Configuration
Let’s dive into the configuration. Most of the configurations are similar to what we did in
the FlexVPN spoke-to-spoke pool and BGP lesson. Let’s use the topology I showed you
before:

I will focus on the configuration parts that we haven’t seen before. I’m using IOSv Version
15.9(3)M2 on all routers.

Configurations
Want to take a look for yourself? Here you will find the startup configuration of each
device.

CE1

https://networklessons.com/mpls/mpls-over-flexvpn 3/9
7/26/2021 MPLS over FlexVPN

hostname CE1

Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
!

ip cef

interface GigabitEthernet0/0

ip address 10.1.1.101 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.1.1.1

end

CE2
hostname CE2

ip cef

interface GigabitEthernet0/0

ip address 10.2.2.102 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.2.2.2

end

Hub1
hostname Hub1

interface Loopback0

ip address 172.16.1.254 255.255.255.255

interface GigabitEthernet0/0

ip address 192.168.1.254 255.255.255.0

end

Spoke1
hostname Spoke1

interface Loopback0

ip address 172.16.1.1 255.255.255.255

interface GigabitEthernet0/0

ip address 192.168.1.1 255.255.255.0

end

Spoke2

https://networklessons.com/mpls/mpls-over-flexvpn 4/9
7/26/2021 MPLS over FlexVPN

hostname Spoke2

Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
!

interface Loopback0

ip address 172.16.1.2 255.255.255.255

interface GigabitEthernet0/0

ip address 192.168.1.2 255.255.255.0

end

1.1. Hub1
Let’s start with the hub router.

1.1.1. IKEv2 Keyring

We need a keyring with an entry for our spoke routers:

Hub1(config)#crypto ikev2 keyring KEYRING

Hub1(config-ikev2-keyring)#peer SPOKE_ROUTERS

Hub1(config-ikev2-keyring-peer)#address 0.0.0.0 0.0.0.0

Hub1(config-ikev2-keyring-peer)#pre-shared-key local CISCO

Hub1(config-ikev2-keyring-peer)#pre-shared-key remote CISCO

1.1.2. IKEv2 Authorization Policy

In the IKEv2 authorization policy, we advertise our tunnel IP address through IKEv2:

Hub1(config)#aaa new-model

Hub1(config)#aaa authorization network FLEXVPN_LOCAL local

Hub1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION

Hub1(config-ikev2-author-policy)#route set interface

1.1.3. IKEv2 Profile

Let’s create an IKEv2 profile:

Hub1(config)#crypto ikev2 profile IKEV2_PROFILE

Hub1(config-ikev2-profile)#match identity remote fqdn domain FLEXVPN.LAB

Hub1(config-ikev2-profile)#identity local fqdn HUB.FLEXVPN.LAB

Hub1(config-ikev2-profile)#authentication remote pre-share

Hub1(config-ikev2-profile)#authentication local pre-share

Hub1(config-ikev2-profile)#keyring local KEYRING

Hub1(config-ikev2-profile)#aaa authorization group psk list

FLEXVPN_LOCAL IKEV2_AUTHORIZATION

Hub1(config-ikev2-profile)#virtual-template 1

1.1.4. IPSec Profile

Let’s configure the IPSec profile:

Hub1(config-ikev2-profile)#crypto ipsec profile IPSEC_PROFILE

Hub1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE

https://networklessons.com/mpls/mpls-over-flexvpn 5/9
7/26/2021 MPLS over FlexVPN

1.1.5. Dynamic VTI

Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
The dynamic VTI interface on the hub is slightly different. We have to add the mpls nhrp
command here which enables label switching without LDP:

Hub1(config)#interface Virtual-Template1 type tunnel

Hub1(config-if)#ip unnumbered Loopback0

Hub1(config-if)#ip nhrp network-id 1

Hub1(config-if)#ip nhrp redirect

Hub1(config-if)#mpls nhrp

Hub1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE

1.1.6. VRF
Let’s create a VRF for our customer:

Hub1(config)#vrf definition CUSTOMER

Hub1(config-vrf)#rd 1:1

Hub1(config-vrf)#route-target export 1:1

Hub1(config-vrf)#route-target import 1:1

Hub1(config-vrf)#address-family ipv4

1.1.7. MP-BGP
We use MP-BGP to advertise our VPN routes. First, I’ll add a static route in the VRF:

Hub1(config)#ip route vrf CUSTOMER 10.0.0.0 255.0.0.0 Null0

Now we can configure MP-BGP.  I’ll create a peer group for my spoke routers so I don’t
have to configure them one by one. We enable the VPNv4 address-family and advertise
the static route in the VRF:

Hub1(config)#router bgp 1

Hub1(config-router)#bgp router-id 172.16.1.254

Hub1(config-router)#bgp listen range 172.16.1.0/24 peer-group

FLEXVPN_SPOKES

Hub1(config-router)#neighbor FLEXVPN_SPOKES peer-group

Hub1(config-router)#neighbor FLEXVPN_SPOKES remote-as 1

Hub1(config-router)#neighbor FLEXVPN_SPOKES transport connection-mode

passive

Hub1(config-router)#neighbor FLEXVPN_SPOKES update-source Loopback0

Hub1(config-router)#address-family vpnv4

Hub1(config-router-af)#neighbor FLEXVPN_SPOKES activate

Hub1(config-router-af)#neighbor FLEXVPN_SPOKES send-community both

Hub1(config-router-af)#exit-address-family

Hub1(config-router)#address-family ipv4 vrf CUSTOMER

Hub1(config-router-af)#network 10.0.0.0

Hub1(config-router-af)#exit-address-family

This completes the configuration of the hub router.

1.2. Spoke1
Let’s configure the spoke router.

https://networklessons.com/mpls/mpls-over-flexvpn 6/9
7/26/2021 MPLS over FlexVPN

1.2.1. IKEv2 Keyring

Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
Let’s create the IKEv2 keyring where we specify the hub and spoke2 router:

Spoke1(config)#crypto ikev2 keyring KEYRING

Spoke1(config-ikev2-keyring)#peer HUB1

Spoke1(config-ikev2-keyring-peer)#address 192.168.1.254

Spoke1(config-ikev2-keyring-peer)#pre-shared-key local CISCO

Spoke1(config-ikev2-keyring-peer)#pre-shared-key remote CISCO

Spoke1(config-ikev2-keyring-peer)#peer SPOKE2

Spoke1(config-ikev2-keyring-peer)#address 192.168.1.2

Spoke1(config-ikev2-keyring-peer)#pre-shared-key local CISCO

Spoke1(config-ikev2-keyring-peer)#pre-shared-key remote CISCO

1.2.2. IKEv2 Authorization Policy

We create an IKEv2 authorization policy so we can advertise the tunnel IP address
through IKEv2:

Spoke1(config)#aaa new-model

Spoke1(config)#aaa authorization network FLEXVPN_LOCAL local

Spoke1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION

Spoke1(config-ikev2-author-policy)#route set interface

1.2.3. IKEv2 Profile

We need an IKEv2 profile:

Spoke1(config)#crypto ikev2 profile IKEV2_PROFILE

Spoke1(config-ikev2-profile)#match identity remote fqdn HUB.FLEXVPN.LAB

Spoke1(config-ikev2-profile)#match identity remote fqdn

SPOKE2.FLEXVPN.LAB

Spoke1(config-ikev2-profile)# dentity local fqdn SPOKE1.FLEXVPN.LAB

Spoke1(config-ikev2-profile)#authentication remote pre-share

Spoke1(config-ikev2-profile)#authentication local pre-share

Spoke1(config-ikev2-profile)#keyring local KEYRING

Spoke1(config-ikev2-profile)#aaa authorization group psk list

FLEXVPN_LOCAL IKEV2_AUTHORIZATION

1.2.4. IPSec Profile

We create the IPSec profile:

Spoke1(config)#crypto ipsec profile IPSEC_PROFILE

Spoke1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE

1.2.5. Static VTI

Our static VTI requires the mpls nhrp command so that we can label switch on the
tunnel interface which connects to the hub:

https://networklessons.com/mpls/mpls-over-flexvpn 7/9
7/26/2021 MPLS over FlexVPN

Spoke1(config)#interface Tunnel0

Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
Spoke1(config-if)#ip unnumbered Loopback0

Spoke1(config-if)#ip nhrp network-id 1

Spoke1(config-if)#ip nhrp shortcut virtual-template 1

Spoke1(config-if)#mpls nhrp

Spoke1(config-if)#tunnel source GigabitEthernet0/0

Spoke1(config-if)#tunnel destination 192.168.1.254

Spoke1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE

1.2.6. Dynamic VTI

The dynamic VTI also requires the mpls nhrp command so that we can label switch with
other spoke routers:

Spoke1(config)#interface Virtual-Template1 type tunnel

Spoke1(config-if)#ip unnumbered Loopback0

Spoke1(config-if)#ip nhrp network-id 1

Spoke1(config-if)#ip nhrp shortcut virtual-template 1

Spoke1(config-if)#mpls nhrp

Spoke1(config-if)#tunnel source GigabitEthernet0/0

Spoke1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE

1.2.7. VRF
We create the VRF “CUSTOMER” globally and enable the VRF on our GigabitEthernet0/1
interface:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

 Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
 Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
 Full Access to our 731 Lessons. More Lessons Added Every Week!
 Content created by Rene Molenaar (CCIE #41726)

Give Membership a try - it's just $1 ►

491 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!

You may cancel your monthly membership at any time.

No Questions Asked!

« Previous Lesson

MPLS VPN VRF Import Map

Next Lesson
AToM (Any Transport over
MPLS)
»
 Tags: IKE, IPSec, VPN

https://networklessons.com/mpls/mpls-over-flexvpn 8/9
7/26/2021 MPLS over FlexVPN

 Ask a question or start a discussion by visiting our Community Forum

Get Full Access to our 731 Cisco Lessons Now Start $1 Trial

© 2013 - 2021 NetworkLessons.com Disclaimer Privacy Policy Support About

https://networklessons.com/mpls/mpls-over-flexvpn 9/9