MPLS VPN: Overlay Model

MPLS VPN

VPN (Virtual Private Network)

Two Types of VPN

• Layer 3 VPN (Routing)
• Layer 2 VPN (Layer 2 connectivity)

VPN Models:

• Overlay Model
• Peer to Peer Model

Overlay Model:

The service provider provides virtual point-to-point links (tunnels) between customer sites.

e.g. GRE, DMVPN, IPsec – Layer 3 VPN

X.25, Frame Relay, ATM – Layer 2 VPN

Peer to Peer Model:

The service provider participates in the customer routing.

e.g. ACLs (shared router), Split routing (dedicated router) – Layer 3 VPN

MPLS VPN – Layer 2/Layer 3 VPN


MPLS VPN
• Forwards packets based on labels instead of IP addresses
• Combines the best of both the Overlay and Peer-to-Peer models
• Requirements of MPLS VPN:
❖ VRF (Virtual Routing and Forwarding),
❖ RD (Route Distinguisher),
❖ RT (Route Target),
❖ MP-BGP (supporting VPNv4 unicast)

RD (Route Distinguisher)

• Used to keep all prefixes in the BGP table unique.
• Locally significant to a router (each VRF in a PE router must have a unique RD).
• A VRF is not operational without an RD.
• Is a 64-bit value and can use the formats below:
o ASN:nn
o A.B.C.D:nn

VPN IPv4 address: 96 bits (64-bit RD + 32-bit IPv4 address)

RT (Route Target)

• Used to control the distribution and import/export of routes between different VPNs
within a service provider's network.
• There are two types of Route Targets:
o Import Route Target (RT-import): Specifies which VPNs can import and use
specific routes received from other VPNs.
o Export Route Target (RT-export): Specifies the VPN membership of routes that
should be advertised and exported to other VPNs.
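
Because route targets decide which VRFs see each other's routes, an import that matches another VPN's export joins the two VPNs. The following Python script is an added example, not part of the original notes: it parses IOS-style `ip vrf` blocks and lists every cross-VRF import and every VRF that has no RD. The sample config is constructed (CE1 and CE2 follow the lab's VRFs; the SHARED VRF and the function names are hypothetical), and sub-commands are assumed to be indented as in a running-config.

```python
import re

# Constructed sample: CE1 and CE2 as in the lab; SHARED is hypothetical.
SAMPLE_CONFIG = """\
ip vrf CE1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
ip vrf CE2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
ip vrf SHARED
 route-target export 65000:99
 route-target import 65000:1
 route-target import 65000:2
"""

def parse_vrfs(config):
    """Parse 'ip vrf' blocks into {name: {"rd", "import", "export"}}."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends the VRF block
            m = re.fullmatch(r"ip vrf (\S+)", line)
            current = vrfs.setdefault(
                m.group(1), {"rd": None, "import": set(), "export": set()}) if m else None
        elif current is not None:
            if m := re.fullmatch(r"rd (\S+)", line):
                current["rd"] = m.group(1)
            elif m := re.fullmatch(r"route-target (import|export|both) (\S+)", line):
                kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
                for kind in kinds:
                    current[kind].add(m.group(2))
    return vrfs

def audit(vrfs):
    """Return (cross-VRF imports to review, VRFs with no RD)."""
    leaks = sorted(
        (dst, src, rt)
        for dst, d in vrfs.items()
        for src, s in vrfs.items() if src != dst
        for rt in d["import"] & s["export"])
    no_rd = sorted(name for name, v in vrfs.items() if v["rd"] is None)
    return leaks, no_rd

if __name__ == "__main__":
    leaks, no_rd = audit(parse_vrfs(SAMPLE_CONFIG))
    print("Cross-VRF imports to review:", leaks)
    print("VRFs without an RD:", no_rd)
```

A cross-VRF import can be intentional (for example a shared-services VPN), so treat the output as a list to review against the intended design.
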
MPLS Layer-3 VPN Lab

1. Configure IS-IS in the MPLS core network (R3, R4, R5 and R6)

router isis MPLS
 ! x in the NET is the router number
 net 49.0000.0000.0000.000x.00
 is-type level-2-only
 metric-style wide
interface range e0/0-1, loopback 0
 ip router isis MPLS


2. Enable MPLS in the core network (R3, R4, R5 and R6)

mpls label protocol ldp
mpls ldp router-id loopback 0
router isis MPLS
 ! enable LDP on every interface running this IS-IS process
 mpls ldp autoconfig

3. Create the VRFs on R3 and R6

ip vrf CE1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
ip vrf CE2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
! attach each customer-facing interface to its VRF, then assign the address
interface Ethernetx/x
 ip vrf forwarding CEx
 ip address x.x.x.x x.x.x.x

Verification:

4. Configure MP-BGP on R3 and R6

router bgp 65000
 no bgp default ipv4-unicast
 ! x.x.x.x is the loopback address of the other PE
 neighbor x.x.x.x remote-as 65000
 neighbor x.x.x.x update-source Loopback0
 address-family vpnv4
  neighbor x.x.x.x activate
 address-family ipv4 vrf CE1
 address-family ipv4 vrf CE2

5. Configure static routes and redistribute them into BGP on R3

ip route vrf CE1 100.0.0.0 255.255.255.0 10.0.0.14
ip route vrf CE2 200.0.0.0 255.255.255.0 10.0.0.18
router bgp 65000
 address-family ipv4 vrf CE1
  redistribute connected
  redistribute static
 address-family ipv4 vrf CE2
  redistribute connected
  redistribute static

Verification:

6. Configure static routes and redistribute them into BGP on R6

ip route vrf CE1 101.0.0.0 255.255.255.0 10.0.0.22
ip route vrf CE2 201.0.0.0 255.255.255.0 10.0.0.26
router bgp 65000
 address-family ipv4 vrf CE1
  redistribute connected
  redistribute static
 address-family ipv4 vrf CE2
  redistribute connected
  redistribute static

Verification VRF:

R3#show ip route vrf CE2 bgp

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

B 10.0.0.24/30 [200/0] via 6.6.6.6, 00:12:01

B 201.0.0.0/24 [200/0] via 6.6.6.6, 00:12:04

R3#show ip route vrf CE1 bgp

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

B 10.0.0.20/30 [200/0] via 6.6.6.6, 00:11:15

101.0.0.0/24 is subnetted, 1 subnets

B 101.0.0.0 [200/0] via 6.6.6.6, 00:11:18


Verification MPLS:

V = VPN

Outer Label

Inner Label

Ping Result at CE1 and CE2:
