MPLS/BGP Layer-3 VPN (L3VPN)

Module Introduction

Before you start the hands-on part of this module, you should load the appropriate configuration and verify that the testbed is up and running by executing the corresponding robot file:

student@tour:~/trainings_resources/robot$ robot mpls_l3vpn/mpls_l3vpn_setup.robot

We use IS-IS as IGP for the examples and exercises in this module. The choice of IGP is not important for understanding and configuration of Layer-3 VPNs. However, if you prefer to run OSPF instead, you can alternatively load the setup using the -v igp:ospf knob:

student@tour:~/trainings_resources/robot$ robot -v igp:ospf mpls_l3vpn/mpls_l3vpn_setup.robot

In order to get a better understanding, the lab setup is shown in the picture below.

Figure 1. BGP/MPLS Layer-3 VPN Lab Setup

VPN Overview

A Virtual Private Network (VPN) is a network that allows secure connectivity between multiple locations across a shared infrastructure. Note, that secure does not necessarily mean encrypted. The parties being connected are called customers (or tenants in data centers).

Prior to BGP/MPLS-based VPNs, service providers implemented VPN services by an overlay of point-to-point connections using tunneling technologies like ATM, GRE or IPSec with the benefit of customers and service provider being well-isolated. However, the drawback of this approach is that a full mesh of tunnels is needed and that there is a significant encapsulation overhead.

BGP/MPLS-based Layer-3 VPNs (L3VPNs) are peer-to-peer VPNs, i.e., the service provider actively takes part in the customer routing allowing optimal routing between customer locations. In addition, there is no need to pre-provision a full-mesh of connections which simplifies the maintenance of the VPN and the addition of new locations.

Building Blocks

Figure 2. MPLS VPN Network Blueprint

An MPLS VPN has the following building blocks:

Customer Edge (CE) router is a non-MPLS router that resides on the customer site and interconnects with the PE router using a standard routing protocol, the most popular choice being BGP or static routing.
Customer (C) router is an internal router at the customer site.
Provider Edge (PE) router is an LER that interconnects with CE routers and maintains VPN routes for VPNs that are implemented on the PE router. The PE router exchanges routing information with the CE router.
Provider (P) router is an LSR that resides in the core of the network and does not maintain any VPN-related state, i.e., it does not take part in signaling of customer related routing information. P routers transparently forward VPN traffic along pre-established LSPs.
VPN site is a set of customer devices (CE routers and C routers) that is able to connect without traversing the service provider backbone. A site can be as simple as a single geographic location with a link to a PE router. A site can also be a network spanning multiple geographic locations. A VPN site is attached top at least on PE router, but can also be multihomed to multiple PE routers.
VPN Routing and Forwarding (VRF) table is a site-specific routing table maintained by a PE router in order to separate different VPN customers from each other. The VRF table contains routes learned from the attached CE routers as well as routes learned from remote PE routers.

There is no one-to-one correspondence between VPN and VRF. A VPN site always belongs to a single VRF. However, a VPN site may be a member of multiple VPNs.

Consider two CE routers CE1 and CE2, where CE1 is member of VPNBLUE and CE2 is member of both, VPNBLUE and VPNGREEN. Both CE routers are connected to the same PE router. Then CE1 and CE2 are attached to two different VRFs because the content of the routing tables associated with CE routers CE1 and CE2 are different.

Figure 3. MPLS VPNs, Sites and VRFs

A practical application is a central site VPN which hosts shared services for multiple VPNs, e.g., DNS or NTP servers.

Control Plane

The basic idea for implementing L3VPN is to use a stack of two MPLS labels. The outer label represents the LSP, i.e., the transport path between ingress PE router and egress PE router. The LSP can be signaled and setup using LDP or IS-IS SR, etc.

The inner label is a VPN service label that represents the VRF context on the PE router. This label is exchanged between the PE routers via Multiprotocol Extensions of BGP (MP-BGP).

To solve the problem of separating IP address space between different customers and to allow label distribution for the service, a new BGP sub-address family called labeled VPN address (SAFI 128) is introduced, i.e., AFI/SAFI 1/128 is used for IPv4 VPNs and 2/128 for IPv6 VPNs.

Do not mix 6PE using AFI/SAFI=2/4 with IPv6 VPN (also called 6VPE) using AFI/SAFI=2/128. The former one being an IPv6 Internet service across MPLS core network, while the later one being a IPv6-enabled VPN service.

A VPN IPv4 prefix is a 96-bit information that is composed of a 32-bit IPv4 prefix and a 64-bit route distinguisher (RD). As the name implies the route distinguisher is an identifier that helps to keep overlapping address space isolated by converting a IP prefix to a globally unique VPN identifier. In a similar way, a 128-bit IPv6 prefix is converted to a 224-bit VPNv6 prefix by adding the route distinguisher. There are three different ways how to encode a RD:

Type 0: 2-byte ASN and 4-byte assigned number, e.g., 65000:100
Type 1: 4-byte IPv4 address and 2-byte assigned number, e.g., 10.0.0.1:100
Type 2: 4-byte ASN and 2-byte assigned number, e.g., 4200000000:100

It is best practice to have a different route distinguisher per VRF.

When a PE router learns a prefix from the CE router, it stores the route in the VRF table as native IPv4 or IPv6 prefix. In addition, the route is converted to a VPNv4 or VPNv6 route by adding the route distinguisher.

As we have previously seen, a VRF can be a member of multiple VPNs. In addition, not all PE routers have all VRFs configured. Therefore, we need a mechanism to control route distribution. The route target (RT) is a BGP extended community attribute that performs both of these tasks. When a VPNv4 or VPNv6 route is advertised towards other PE routers, one or more route target communities are attached (exported) to the NLRI. On the other hand, a PE router only accepts (imports) a NLRI it receives if it carries certain route targets.

Figure 4. Route Target Community Export and Import

The diagram shows the import and export of route targets for a three VPNs. While VPNRED and VPNBLUE are strictly separated from each other (i.e., there is no import or export of routes between them), the VPNGREEN is a central site VPN offering shared services. This is achieved by using different route targets for import and export.

Also in some text books and examples the value of route distinguisher and route target are identical, it’s important to understand that both of these identifiers are completely different. The route distinguisher is part of the prefix itself (by converting IPv4 to VPNv4, respectively IPv6 to VPNv6), while the route target is a BGP extended community attribute attached to the NLRI.

Putting all the components together, PE routers exchange VPN-related routing information by sending BGP update messages containing MP_REACH_NLRI path attributes with appropriate address families. Route filtering is done via the attached route target communities.

Figure 5. BGP/MPLS Control Plane for L3VPN

Data Plane

A PE router receives an IPv4 or IPv6 packet on an interface that is associated with a VRF instance. It performs a route lookup in this specific routing table which is populated with route updates exchanged via MP-BGP. As a result, the PE router retrieves two information: a VPN service label that is pushed to the packet and a next hop address. The resolution of the next hop address via the IPv4 labeled-unicast routing table causes a push of a transport label. The packet with two labels is then send to the next hop. In general, there are multiple P routers along the LSP from ingress PE router to egress PE router which only perform label swapping of the outer transport label and eventually perform penultimate hop popping. The egress PE router receives a single labeled packet from the core network that contains the VPN service label. The lookup of this label in its MPLS routing table results in the label being removed and the packet resolved in the corresponding VRF table.

Figure 6. MPLS Data Plane for L3VPN

Configuring VRF Instance

The first step is to create a separate VPN routing instance for each customer. The configuration is done using the set instance <vrfname> syntax. In addition, interfaces between PE router and CE router need to be associated with the appropriate routing instance with the set interface <ifname> unit <unit> instance <vrfname> command.

Exercise 1: Instance Configuration

Configure two VRF routing instance named VPNRED and VPNBLUE. Both VPNs are dual-stack IPv4 and IPv6. Enable the corresponding address families and set route-distinguisher and route targets according the following table:

Instance	RD	Import RT IPv4	Export RT IPv4	Import RT IPv6	Export RT IPv6
VPNRED	192.168.0.1:100	100:4	100:4	100:6	100:6
VPNBLUE	192.168.0.1:101	101:4	101:4	101:6	101:6

Instance

Import RT IPv4

Export RT IPv4

Import RT IPv6

Export RT IPv6

VPNRED

192.168.0.1:100

100:4

100:6

VPNBLUE

192.168.0.1:101

101:4

101:6

Also configure the following interfaces:

Instance	Interface	Unit	VLAN	IPv4 Address	IPv6 Address
VPNRED	hostif-0/0/3	100	100	10.0.100.1/30
VPNRED	lo-0/0/0	100		10.0.0.101/32	fc00:abc::101/128
VPNBLUE	hostif-0/0/3	101	101	10.0.100.1/30
VPNBLUE	lo-0/0/0	100		10.0.0.101/32	fc00:abc::101/128

Instance

Interface

Unit

VLAN

IPv4 Address

IPv6 Address

VPNRED

hostif-0/0/3

100

10.0.100.1/30

VPNRED

lo-0/0/0

100

10.0.0.101/32

fc00:abc::101/128

VPNBLUE

hostif-0/0/3

101

10.0.100.1/30

VPNBLUE

lo-0/0/0

100

10.0.0.101/32

fc00:abc::101/128

Click to reveal the answer

cfg> set instance VPNBLUE route-distinguisher 192.168.0.1:101
cfg> set instance VPNBLUE address-family ipv4 unicast route-target import target:101:4
cfg> set instance VPNBLUE address-family ipv4 unicast route-target export target:101:4
cfg> set instance VPNBLUE address-family ipv6 unicast route-target import target:101:6
cfg> set instance VPNBLUE address-family ipv6 unicast route-target export target:101:6
cfg> set instance VPNRED route-distinguisher 192.168.0.1:100
cfg> set instance VPNRED address-family ipv4 unicast route-target import target:100:4
cfg> set instance VPNRED address-family ipv4 unicast route-target export target:100:4
cfg> set instance VPNRED address-family ipv6 unicast route-target import target:100:6
cfg> set instance VPNRED address-family ipv6 unicast route-target export target:100:6
cfg> set interface hostif-0/0/3 unit 100 instance VPNRED
cfg> set interface hostif-0/0/3 unit 100 vlan 100
cfg> set interface hostif-0/0/3 unit 100 address ipv4 10.0.100.1/30
cfg> set interface hostif-0/0/3 unit 101 instance VPNBLUE
cfg> set interface hostif-0/0/3 unit 101 vlan 101
cfg> set interface hostif-0/0/3 unit 101 address ipv4 10.0.100.1/30
cfg> set interface lo-0/0/0 unit 100 instance VPNRED
cfg> set interface lo-0/0/0 unit 100 address ipv4 10.0.0.101/32
cfg> set interface lo-0/0/0 unit 100 address ipv6 fc00:abc::101/128
cfg> set interface lo-0/0/0 unit 101 instance VPNBLUE
cfg> set interface lo-0/0/0 unit 101 address ipv4 10.0.0.101/32
cfg> set interface lo-0/0/0 unit 101 address ipv6 fc00:abc::101/128
cfg> commit

We can check whether the VRF routing instance is active or not using the show instance command:

cfg> show instance VPNRED detail
Instance: VPNRED
  Router ID: 10.0.0.101
  Instance ID: 3
  State: Active
  AFI        SAFI             State
  ipv4       unicast          Active
  ipv6       unicast          Active

The VRF instance is a IPv4 and/or IPv6 unicast instance. There is no labeled-unicast within the instance.

Next, we can verify that the interfaces are associated with the correct VRF instance:

cfg> show interface address instance VPNRED
Interface              Instance            IPv4 Address             IPv4 Primary   IPv6 Address
lo-0/0/0/100           VPNRED              10.0.0.101/32            True           fc00:abc::101/128
hostif-0/0/3/100       VPNRED              10.0.100.1/30            True           fe80::65:7877:1fff:fec0:3/128

Finally, let’s have a look at the VRF routing table:

cfg> show route instance VPNRED
Instance: VPNRED, AFI: ipv4, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
10.0.0.101/32                            direct            0       10.0.0.101                               lo-0/0/0/100
10.0.100.1/32                            direct            0       10.0.100.1                               hostif-0/0/3/100
10.0.100.0/30                            direct            0       10.0.100.0                               hostif-0/0/3/100
10.0.100.2/32                            arp-nd            6       10.0.100.2                               hostif-0/0/3/100
Instance: VPNRED, AFI: ipv6, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
fc00:abc::101/128                        direct            0       fc00:abc::101                            lo-0/0/0/100

So far, there are only the directly connected interfaces in the routing tables as we have neither configured the PE-PE routing, nor the PE-CE routing.

Configuring BGP for VPNv4/VPNv6

The MP-BGP session between PE routers is configured in the default instance and shared between all VRF instance. Depending on the design of the network, there is the option to either configure a full-mesh of BGP sessions between PE routers or to use a route reflector to improve scalability.

Exercise 2: MP-BGP Configuration

Configure internal BGP session to routers R5 (192.168.0.5) and R6 (192.168.0.6). The AS number is 65000. The supported address families are ipv4 vpn-unicast and ipv6 vpn-unicast.

Click to reveal the answer

cfg> set instance default protocol bgp hostname R1
cfg> set instance default protocol bgp local-as 65000
cfg> set instance default protocol bgp router-id 192.168.0.1
cfg> set instance default protocol bgp address-family ipv4 vpn-unicast
cfg> set instance default protocol bgp address-family ipv6 vpn-unicast
cfg> set instance default protocol bgp peer ipv4 192.168.0.5 192.168.0.1 peer-group INTERN
cfg> set instance default protocol bgp peer ipv4 192.168.0.6 192.168.0.1 peer-group INTERN
cfg> set instance default protocol bgp peer-group INTERN remote-as 65000
cfg> set instance default protocol bgp peer-group INTERN address-family ipv4 vpn-unicast
cfg> set instance default protocol bgp peer-group INTERN address-family ipv6 vpn-unicast
cfg> show bgp peer
Instance: default
  Peer                                     Remote AS    State         Up/Down Time               PfxRcvd              PfxSent
  R5                                       65000        Established   0d:00h:00m:09s             10                   0
  R6                                       65000        Established   0d:00h:00m:11s             10                   0

Now that we have BGP sessions up and running, let’s take another look at the VRF instance routing table:

cfg> show route instance VPNRED
Instance: VPNRED, AFI: ipv4, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
10.0.0.101/32                            direct            0       10.0.0.101                               lo-0/0/0/100
10.0.100.1/32                            direct            0       10.0.100.1                               hostif-0/0/3/100
10.0.100.0/30                            direct            0       10.0.100.0                               hostif-0/0/3/100
10.0.100.2/32                            arp-nd            6       10.0.100.2                               hostif-0/0/3/100
Instance: VPNRED, AFI: ipv6, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
fc00:abc::101/128                        direct            0       fc00:abc::101                            lo-0/0/0/100

Although a couple of prefixes have been learned via BGP, none was installed into the VRF table. The reason is that the communication between the default routing instance and the VRF instance is implemented by BGP and there is no BGP running in the VRF instances.

Exercise 3: Instance BGP Configuration

Configure BGP in instance VPNRED (ASN 65100) and VPNBLUE (ASN65101) and enable the IPv4 unicast and IPv6 unicast address family. Also set the instance router-id to the IPv4 address of the corresponding loopback interface.

Click to reveal the answer

cfg> set instance VPNRED protocol bgp local-as 65100
cfg> set instance VPNRED protocol bgp router-id 10.0.0.101
cfg> set instance VPNRED protocol bgp address-family ipv4 unicast
cfg> set instance VPNRED protocol bgp address-family ipv6 unicast
cfg> set instance VPNBLUE protocol bgp local-as 65101
cfg> set instance VPNBLUE protocol bgp router-id 10.0.0.101
cfg> set instance VPNBLUE protocol bgp address-family ipv4 unicast
cfg> set instance VPNBLUE protocol bgp address-family ipv6 unicast
cfg> commit
cfg> show route instance VPNRED
Instance: VPNRED, AFI: ipv4, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
10.0.0.2/32                              bgp               200     192.168.0.5                              hostif-0/0/1/0
10.0.0.3/32                              bgp               200     192.168.0.6                              hostif-0/0/2/0
10.0.0.101/32                            direct            0       10.0.0.101                               lo-0/0/0/100
10.0.0.105/32                            bgp               200     192.168.0.5                              hostif-0/0/1/0
10.0.0.106/32                            bgp               200     192.168.0.6                              hostif-0/0/2/0
10.0.100.1/32                            direct            0       10.0.100.1                               hostif-0/0/3/100
10.0.100.0/30                            direct            0       10.0.100.0                               hostif-0/0/3/100
10.0.100.2/32                            arp-nd            6       10.0.100.2                               hostif-0/0/3/100
10.0.100.4/30                            bgp               200     192.168.0.5                              hostif-0/0/1/0
10.0.100.8/30                            bgp               200     192.168.0.6                              hostif-0/0/2/0

The attempt to verify the connectivity with a ping fails because we have not advertised any of our own interface addresses.

cfg> ping 10.0.0.105 source-ip 10.0.0.101 instance VPNRED count 3
Statistics: 3 sent, 0 received, 100% packet loss

Exercise 4: Redistribute Interfaces into VRF Routing

Configure redistribution of direct interface for both VRF instances VPNRED and VPNBLUE, and for both address families. Verify that connectivity works between PE routers.

Click to reveal the answer

cfg> set instance VPNBLUE protocol bgp address-family ipv4 unicast redistribute direct
cfg> set instance VPNBLUE protocol bgp address-family ipv6 unicast redistribute direct
cfg> set instance VPNRED protocol bgp address-family ipv4 unicast redistribute direct
cfg> set instance VPNRED protocol bgp address-family ipv6 unicast redistribute direct
cfg> ping 10.0.0.105 source-ip 10.0.0.101 instance VPNRED count 3
68 bytes from 10.0.0.105: icmp_seq=1 ttl=64 time=4.8185 ms
68 bytes from 10.0.0.105: icmp_seq=2 ttl=64 time=7.5846 ms
68 bytes from 10.0.0.105: icmp_seq=3 ttl=64 time=.8377 ms
Statistics: 3 sent, 3 received, 0% packet loss

Configuring PE-CE Routing

Routing information between PE router and CE router can be exchanged using standard routing protocols that run within the VRF instance, e.g., OSPF, BGP, or static routing. All of these configuration work exactly like in the default instance. Remember, that all routing exchange with the other PE routers happen via BGP which means that the PE-CE routing protocol must be redistributed into the instance VRF BGP protocol - similar to the direct interfaces. The advantage of using BGP of a PE-CE routing protocol is that you do not explicitly need to redistribute it.

Exercise 5: Instance BGP Configuration

Configure internal BGP as PE-CE routing protocol for both VRF instances VPNRED and VPNBLUE and both address families. The peer address is the directly connected address on the PE-CE interface (i.e., 10.0.100.2 in both VRFs).

Click to reveal the answer

cfg> set instance VPNRED protocol bgp router-id 10.0.0.101
cfg> set instance VPNRED protocol bgp peer ipv4 10.0.100.2 10.0.100.1 peer-group CE1
cfg> set instance VPNRED protocol bgp peer-group CE1 remote-as 65100
cfg> set instance VPNRED protocol bgp peer-group CE1 address-family ipv4 unicast
cfg> set instance VPNRED protocol bgp peer-group CE1 address-family ipv6 unicast
cfg> set instance VPNBLUE protocol bgp router-id 10.0.0.101
cfg> set instance VPNBLUE protocol bgp peer ipv4 10.0.100.2 10.0.100.1 peer-group CE1
cfg> set instance VPNBLUE protocol bgp peer-group CE1 remote-as 65101
cfg> set instance VPNBLUE protocol bgp peer-group CE1 address-family ipv4 unicast
cfg> set instance VPNBLUE protocol bgp peer-group CE1 address-family ipv6 unicast
cfg> show bgp peer instance VPNRED
Instance: VPNRED
  Peer                                     Remote AS    State         Up/Down Time               PfxRcvd              PfxSent
  CE1                                      65100        Established   0d:00h:00m:16s             3                    13

Let’s check whether the connectivity to the CE router works:

cfg> show bgp rib-in ipv4 unicast instance VPNRED
Instance: VPNRED, AFI: ipv4, SAFI: unicast
 Hostname: Local, Peer IP: 0.0.0.0, Source IP: None, Received routes: 2
    Prefix                              Next Hop                            MED        Local Preference  AS Path    Status
    10.0.100.0/30                                                           0          100               -          Valid
    10.0.0.101/32                                                           0          100               -          Valid
 Hostname: CE1, Peer IP: 10.0.100.2, Source IP: 10.0.100.1, Received routes: 2
    Prefix                              Next Hop                            MED        Local Preference  AS Path    Status
    10.0.100.0/30                       10.0.100.2                          -          100               -          Valid
    10.0.0.1/32                         10.0.100.2                          -          100               -          Valid
cfg> ping 10.0.0.101 source-ip 10.0.0.101 instance VPNRED count 3
68 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=3.1430 ms
68 bytes from 10.0.0.101: icmp_seq=2 ttl=64 time=2.1142 ms
68 bytes from 10.0.0.101: icmp_seq=3 ttl=64 time=1.0979 ms
Statistics: 3 sent, 3 received, 0% packet loss

Summary

This module outlined the building blocks of BGP/MPLS-based Layer-3 VPNs. You should be familiar with concept of route distinguishers and route targets and how they are used in the BGP control plane. In addition, you should be able to setup a simple L3VPN and configure PE-CE connections.

If you have completed the exercise, you can check the results by executing

student@tour:~/trainings_resources/robot$ robot mpls_l3vpn/mpls_l3vpn_verify.robot