350-501 SPCOR Cisco CCNP Service Provider – MPLS Layer 3 VPN part 4
So in this section, we'll continue with our MPLS L3 VPN configuration. As in our previous scenarios, we have configured an IGP inside the service provider network, and in the second step we enabled LDP. And then we have configured PE to CE routing. I think we used static and default combinations. Sorry. Third step, we created a VRF and assigned the interface facing the customer to the VRF. And then in the fourth step we configured PE to CE routing between Router 1 and Router 5. We're using static and default combinations, but if you want you can also use any routing protocol. Now, the next step: we want to ensure that the customer LAN on site one is able to communicate with the customer LAN on site two.
And to make that possible, there are two more configurations. The first one we are going to see is how to configure VPNv4 peering between PE and PE. We need to configure VPNv4 peering between both provider edge routers. It's more like a tunnel. Now, to configure that, you can see these are the commands we need. If you look at the configuration commands, they are similar to your normal BGP configuration. But there is a difference, because we are going to use address-family vpnv4 unicast here. Before I get into the commands, I want to explain the different kinds of address family implementations, or different kinds of BGP implementations, we can have.
Now, when we talk about BGP, that's what we call multiprotocol BGP. It supports multiple address families, or multiple BGP implementations. Out of all those we have IPv4 BGP, which is the most commonly used one. We can call it the default BGP. In a similar way you can also use IPv6 BGP. When I say IPv6 BGP, we use the same kind of BGP as the normal one, for IPv6 addressing. In the same way we also have VPNv4 BGP and VPNv6 BGP. Whenever I say VPNv4 or VPNv6, we need to understand that we are talking about the MPLS VPN concept, MPLS L3 VPNs. So whenever I say VPNv4, it's an implementation of MPLS VPNs over IPv4, for IP version 4 customers.
And when I say VPNv6, we are providing MPLS VPNs for IPv6 customers. So in this section we are going to see how to configure VPNv4 peering. Okay? Which means we are not using normal BGP. We are only using VPNv4 here. That's the reason we have the command address-family here. When you use a question mark after address-family, you'll find multiple options depending on the IOS version. Now, to configure a VPNv4 tunnel, or VPNv4 peering, we just need to configure an iBGP peering between these two routers. For that iBGP peering it's always recommended to use the loopback interfaces of Router 1 and Router 3. In my scenario, I'm going to use the Loopback0 IP. On Router 1 it is 11.0.0.1 and on Router 3 it is 13.0.0.1.
Okay, so what commands am I using? These two commands: neighbor 13.0.0.1 remote-as 500, that is Router 3 in my same autonomous system number, and then I'm going to change the source with the update-source command. This is similar to your normal BGP, because whenever you're peering with any address other than the connected interface or exit interface, we need to change the source address to that particular interface. So I'm going to use the update-source command. These two commands are similar to your normal BGP. But there is one more command here: no bgp default ipv4-unicast. What is the use of this command? This command is optional.
Now, when I say optional, I mean it's not mandatory to configure, but it is a recommended command. The reason is that whenever you enable BGP, whenever I give the command router bgp 500, it automatically runs the normal BGP. The default BGP is going to run. But in my scenario, I'm not going to run the default BGP. I'm only running VPNv4 BGP here. It's not normal BGP, it's VPNv4 BGP, which means I want to disable this default BGP. To disable it, I need to give the command no bgp default ipv4-unicast, which says: disable the IPv4 BGP, which runs by default. If you don't give this command, what happens is that between these two routers it is going to form VPNv4 peering.
Why? Because we are going to activate some more commands for that, and it's also going to run IPv4 peering. But you may not be using IPv4. If you are also using IPv4, you probably don't need to give this command. But in my scenario, I'm not running IPv4. I'm running only VPNv4 peering. If you don't have any use for IPv4, it's better to disable it, and that's what I'm doing. Otherwise it will run two different kinds of BGP implementations, and again that adds some extra overhead, because the routes will automatically be exchanged through BGP, so it's going to send periodic messages, TCP connections. I don't want that, so this is something recommended. So I'm going to disable the normal BGP with no bgp default ipv4-unicast.
And after that come the next commands. We discussed these three commands, and for the next command we need to get into address-family vpnv4 unicast. When I say address-family vpnv4 unicast, it means I'm going to implement some extra configuration. The previous commands are like global commands; they apply to all kinds of BGP implementations. When I specifically say address-family vpnv4 unicast, it means I want to use specific commands only for VPNv4, not for everyone. Now, for that, the first command is activate: activate the neighbor. If I don't give activate, what happens? The neighborship will not come up.
And the reason is that, as I said, IPv4 BGP is enabled by default, but the remaining BGP implementations are not enabled by default. So you need to enable or activate them manually. That's the reason. If you want to run IPv6 BGP, you need to go to address-family ipv6 unicast and say neighbor, whatever the neighbor is, and activate. And if you want to activate the VPNv4 neighborship, you have to give the same command I'm using here. In a similar way, if you are using VPNv6, we also need to say neighbor, whatever the neighbor IP address is, and activate. For any neighbors you are forming other than IPv4, we compulsorily need to say activate.
Okay? Now, let's take an example. You have given no bgp default ipv4-unicast, and I did that because I want to run VPNv4 peering. Maybe in the future you also want to run IPv4. To do that, there are two possible solutions. Either you enable this command back again, which is not recommended, or instead I can go to address-family ipv4 unicast and say neighbor, whatever the neighbor is, and activate. It's always recommended to activate IPv4 under the address family as well. Because when you say bgp default ipv4-unicast, it's going to activate IPv4 for each and every neighbor, and in production networks, in service provider scenarios, we might not be running IPv4 everywhere.
We may be running it only with two or three neighbors, and on those two or three specific neighbors we can go and activate it. This is something you need to remember, especially when you are doing multiple BGP implementations as per the scenario. Here I don't have anything else, so let us move on. So the activate command is something we need to give manually for VPNv4 or any other MP-BGP implementation except IPv4. And you have to give it for IPv4 as well if you are using the command no bgp default ipv4-unicast. So the activate command is mandatory. There are two more commands you can see here. Let us try to understand the next command, which is send-community extended.
If you remember, we have discussed something called the route target value. By default, all the routes coming under the VRF are carried from one PE to another PE with an extended community attribute called the route target value. And you also know that by default BGP is not going to carry the community information along with the BGP update. We want to ensure that whenever a route comes from the VRF, it carries this route target information, because only based on that route target value is it going to decide what route target value it is going to import or export.
Okay? So if you want to propagate the extended community information, that is the route target value information, it's mandatory to give the command send-community extended, or both, because by default it's an extended kind of community. This is important. If you don't give this command, you will probably come across a scenario where the routes are not exchanged. It's not going to affect the neighborship, but it will definitely affect the exchange of the routes. And there's one more command, called next-hop-self. It's important to ensure that whatever route comes from the customer edge is received on the other edge router, and the next-hop address has to be 11.0.0.1.
Okay, what if the next hop is not 11.0.0.1? The traffic, the packets, are moving from one end to the other end, and whenever you configure VPNv4 it is going to add one label. We call that the VPN label. This particular loopback has to be a routable one, and you should have a proper label for it. So we need to ensure that the next-hop address is the next-hop router's address, and it should not be anything other than that. To ensure that the next hop is our next BGP peer, or VPNv4 peer, we have to give the command next-hop-self. In a similar way, on Router 3 we have to configure the same commands; we just need to change the IP address, which has to be 11.0.0.1.
Let me just quickly configure these things on Router 1 and Router 3, the VPNv4 peering, and then I'll show you the basic verification. I'll start with Router 1. On Router 1, we need to go to router bgp 500, or any autonomous system number. If you verify with show ip bgp, I don't have any BGP running, so I'm going to do it from scratch. I'll say router bgp 500, and then the first thing I'll do is disable IPv4 unicast. This is recommended but not compulsory. Then I'm going to say neighbor 13.0.0.1, which is Router 3. But before you do this, always ensure that you are able to ping between those loopback interfaces.
If you're not able to ping, if no unicast message can be sent, then it will definitely not form the neighborship. These are the basic things we learned in our BGP labs. So I'm going to say neighbor 13.0.0.1 remote-as, and the remote AS is 500, and then update-source, changing the source address, and then address-family. If you use a question mark here, you'll find ipv4, ipv6, vpnv4. This IOS doesn't support vpnv6. In some IOS versions you'll also find address-family ipv4 multicast. Let me check: unicast, multicast, a couple of options. Okay, as of now I need to get into vpnv4 unicast, because I am going to configure VPNv4 peering between Router 1 and Router 3. And I have to activate that.
This is mandatory. If you don't give the activate command, the neighborship will not get activated. It will not send any messages to the other end, whatever the neighbor-related messages are. Once you activate, we need to ensure that we also send the community information, that is the route target information, along with the VPNv4 routes. And at the same time we need to say neighbor 13.0.0.1 next-hop-self, to change the next-hop behavior. These are the commands I configured on Router 1. Now, if I go to my Router 3, all the commands are the same, except I need to change the IP address. So I just replace 13.0.0.1 with 11.0.0.1. I'm doing this just to save time, but you can also type the same thing.
So I'm going to Router 3 and I'm going to configure it there. So: no bgp default ipv4-unicast, neighbor 11.0.0.1 remote-as 500, then update-source Loopback0. What's the next command? We need to get into address-family vpnv4 unicast, and then we need to say activate, send-community extended or both, and then next-hop-self. Just remember, there are three commands we need to give in the normal mode and three commands inside the address-family vpnv4. Once you do this, for verification we need to give the command show ip bgp vpnv4 all summary. This command is equivalent to your show ip bgp summary command in normal BGP. Now you can see show ip bgp vpnv4 all summary.
You can see the neighborship is up, but zero routes are exchanged, because we did not configure any redistribution. That's the reason. There is one more step remaining. If I verify with show ip bgp summary, you can see the normal BGP is not running. But if I enable that command again, bgp default ipv4-unicast, it is going to run normal BGP along with VPNv4 BGP. In our scenario we don't really require that, so that's the reason I'm not going with that command. So the verification is vpnv4 all summary. If you remove summary you can see the routes, but as of now I don't see any routes here. Okay, now there's one more point we need to keep in mind whenever you are configuring VPNv4.
Whatever loopback we are using in our scenario, we are going to peer between Router 1 and Router 3, and we are using the Loopback0 interface. The IP address on that Loopback0 interface is 11.0.0.1, and Loopback0 on Router 3 is 13.0.0.1. Now, one more important point is that this particular loopback has to be a /32. If it's not exactly /32, you need to keep this in mind whenever you're advertising the loopback inside your IGP. When you advertise it in the IGP, by default it's going to add the label here. If you talk about OSPF, by default, even though you configure /24, when OSPF advertises any loopback interface it is going to advertise it as /32.
That is the default behavior in OSPF, and it matters especially when you are using OSPF inside the service provider network. There will be a mismatch of the slash value, which means it will also affect your label binding information. In this kind of scenario it's not going to affect your VPNv4 neighborship, but reachability issues will come up. To overcome this, it's always recommended to use a /32 on the loopback, which is what I'm using in my scenario. Or we have one more solution, which is to advertise with the exact mask, because by default OSPF will not advertise loopbacks with the exact mask; it always advertises them as /32. For that we can use the command ip ospf network point-to-point under interface Loopback0.
If you refer to my workbook, I have explained this in much more detail. By default, OSPF advertises loopback interfaces as /32 no matter what mask is configured on the interface. This leads to issues where LDP is creating labels for the next hops, and it always looks for the exact mask on that interface. If there is a mismatch between the label and our routing table, you will find some reachability issues in this kind of scenario. So either we use the loopback with a /32 mask, or we make sure that the loopback used in iBGP peering is advertised with the exact mask. There are two possible solutions.
Either we can use the loopback as /32, or you can configure one command, ip ospf network point-to-point. Most of the time we ignore these things, end up doing a lot of troubleshooting, and find that everything else is working fine. When you are using VPNv4, this is one small thing we need to keep in mind whenever we are configuring OSPF as our IGP protocol. The rest is the same. The verification is the same command, show ip bgp vpnv4 all summary, but as of now you don't see the routes. We'll verify them in our next step, where we'll see how to configure redistribution.
We are now at the last step of the MPLS L3 VPN configuration. We have already finished all five steps listed above: we configured the IGP protocol inside the service provider network, and then LDP peering. We also created the VRFs, and we did PE to CE routing by using static and default combinations. Then we configured VPNv4 peering between the PE routers. Now, finally, I want to ensure that my customer site, this is Router 5, site one, which is A1, is able to communicate with A2. The only thing we need to configure is redistribution. Why do we need redistribution? Because, if you remember, we configured static routing between PE and CE on site one, and we also configured static and default routing on site two.
And then we have a BGP configuration, VPNv4 peering, between them. The final step is combining these three parts into one. That is, whatever routes come from the customer side are coming through static, and we need to ensure that these routes get redistributed into BGP. When you do that, whatever routes come from the customer end are automatically advertised as VPNv4 routes, along with the extended community route target value information, and they reach the other end, the other provider edge. And there we already configured the import option, if you remember, import 501, and based on that import these routes are automatically sent into the VRF, and that's how the sites communicate.
So to configure redistribution, let us go to Router 1. Here we have to configure redistribution, and it generally has to be one-sided. The redistribution varies depending on the type of protocol we are using between PE and CE. Let's take an example. If you are using RIP on this side, and by default it is always BGP here, then in order to send the routes from one end to the other, first you have to redistribute RIP into BGP and then BGP into RIP. If I'm using RIP here as well, then again you have to do it on the opposite side, RIP into BGP and BGP into RIP, in order to exchange the routes between the two sides. But if you are using static and default routing, we do only one-sided redistribution, because in general we already have a default route here and we don't have any redistribution into static.
So in this section, as we are using static and default combinations on the customer ends, PE to CE, we are going to do only one-way redistribution. Let us see how to do that. That redistribution has to be done under the VRF. Remember that. So we need to go to router bgp 500 on Router 1 and then address-family ipv4 vrf A1. To get into the address family that is inside the VRF, we need to give this command. This way we go under the VRF in BGP mode, just like we used ip route vrf with the name of the VRF to get into the VRF configuration for static routing. Similarly, in the case of BGP, if you want to go inside the configuration of a specific VRF, this is the command we use. Once you configure anything under this address family, all of that configuration applies to that specific VRF only.
And if you configure anything in the normal global router mode, it applies to the normal BGP which you are running inside the service provider network. Here we want to do redistribution of customer routes, which are under the VRF, so it's mandatory to go under the VRF. Redistribution on the provider edge routers is always done under the VRF. Then I need to say redistribute static and redistribute connected. redistribute connected is a recommended command, because if I don't use redistribute connected, it's going to redistribute only the routes learned from static. But sometimes you may do some troubleshooting by using this interface, pinging from here to here instead of pinging from the LAN interfaces.
So we are also redistributing our connected interface, because by default it's not going to redistribute the connected interfaces. Done. It's only one-way redistribution here because we are using static, and we need to do the same thing on Router 3. Before I do that, let's go to Router 3 and verify the routing table there. If I do show ip route vrf A2, you can see I'm able to learn the route coming from Router 5. That is five five. It's advertised by Router 5, learned by Router 1 through static routing, and then this static route was redistributed into BGP, which means the route comes up to here. Okay, I can see this five five learned through BGP via 11.0.0.1.
That is Router 1. That is your next hop. Okay? But on Router 1 you don't see the route, and the reason is that we did only one side of the redistribution. If you try to verify on Router 1, we don't see the route for six here, because we did not configure redistribution on this side. Once you configure redistribution on this side as well, you will automatically see this route in the Router 1 VRF routing table, learned through BGP. In a similar way, the route from here will be learned on the other provider edge router through BGP. It's good to verify this step by step as you configure; it ensures that you are actually configuring the correct commands. So I'm going to configure the same on Router 3.
What is the command? router bgp 500, address-family ipv4 vrf A2. Then I'm going to say redistribute connected, redistribute static. Done. Now let's try to verify. If you are working in a service provider network and you want to verify whether the customer routes are coming in or not, I generally use the command show ip bgp vpnv4 all summary. Through that VPNv4 peering you can see I'm receiving two prefixes, and if I remove summary, I'm able to see all the routes, which are coming with the RD value 500:1, and they are in the VRF routing table. A2 is the VRF routing table, and you can see the 5 dot network coming from Router 1 and the 15 dot network, which is the connected interface between Router 1 and Router 5.
Whatever routes are coming from here are all redistributed routes; you can see the question mark. So this way we can verify, and I can also verify in my VRF routing table. That is one more way of verifying the routes. Finally, if I go to the customer side: last time when I was trying to ping I was not able to communicate, and the reason is that I had not configured redistribution. Now we have configured it. If you verify the routing table on Router 5, we don't have anything, just a default route, because it is a little complicated to configure each and every route for the destination. So we simply use a default route on the customer sides.
So now if I try to ping six six from the source interface or just the connected interface, I can see I'm able to ping from Router 5 to Router 6. And if I try to trace six three six, you can see that it goes to Router 1. You can see here that it first reaches Router 1. Router 1 is going to send to four four one, which is four one here, and then it goes to Router 3, that is one 7216 three, and then it finally reaches the destination. In between you can see it is label switched, because it is inside the service provider network; it forwards the packet based on the label switched path, and finally you are able to communicate.
Now, if you look at the steps we configured: if you misconfigure any of these steps, it's really very difficult to figure out where the problem is. But if you configure all of them properly, you'll definitely see the communication happen. These are the six common steps we use to configure most L3 VPNs. When it comes to complex networks, you might have some extra additions or extra configuration, but these are the standard steps we use for MPLS VPN configuration. And when it comes to the different labs, the labs you are going to see next, we are just going to modify these steps.
The fourth step will change, because just now we used static and default combinations for the customer PE to CE routing. If you use RIP, the configuration will be different and the behavior will be slightly different. And likewise with OSPF, EIGRP or BGP: whenever you change the protocol for routing between PE and CE, the behavior or the configuration will slightly change, but apart from that it's going to be the same. The redistribution will also slightly change. Just the configuration will change, but the entire flow of configuration will be simple, just like this. So we need to remember these six steps, step by step, and you need to ensure that all of them work.
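Because a single missing command in these steps is hard to spot, the following Python audit of a saved PE configuration is an added example, not part of the lecture or of any Cisco tooling. It checks the three VPNv4 neighbor commands, the loopback mask condition and the redistribution under the VRF described above; the sample configuration is constructed with deliberate faults, the VRF name A1 and the 13.0.0.1 peer address are read from the spoken transcript, and the redistribute static check assumes static PE to CE routing as in this lab.

```python
import re

# Constructed PE config (not the lecture's lab output). AS and loopback addresses
# follow the lecture; the VRF name "A1" is assumed. Deliberate faults: /24 loopback
# without "ip ospf network point-to-point", no send-community, no redistribute static.
SAMPLE_PE = """\
interface Loopback0
 ip address 11.0.0.1 255.255.255.0
!
router bgp 500
 no bgp default ipv4-unicast
 neighbor 13.0.0.1 remote-as 500
 neighbor 13.0.0.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 13.0.0.1 activate
  neighbor 13.0.0.1 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A1
  redistribute connected
 exit-address-family
!
"""


def sections(config):
    """Group indented child lines under their top-level line ('router bgp 500')."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            current = line
            out[current] = []
        elif current is not None:
            out[current].append(line)
    return out


def audit(config):
    """Return findings for the VPNv4 peering and redistribution steps."""
    secs, findings = sections(config), []
    bgp = next((v for k, v in secs.items() if k.startswith("router bgp ")), [])
    scopes, scope = {"global": []}, "global"
    for line in bgp:  # split BGP lines into global and per-address-family scopes
        if line.startswith("address-family "):
            scope = line[len("address-family "):]
            scopes[scope] = []
        elif line == "exit-address-family":
            scope = "global"
        else:
            scopes[scope].append(line)
    vpnv4 = next((v for k, v in scopes.items() if k.startswith("vpnv4")), [])
    peers = sorted({l.split()[1] for l in vpnv4 if l.startswith("neighbor ")})
    for peer in peers:
        # The three per-neighbor commands the lecture configures under vpnv4.
        for cmd in ("activate", "send-community (extended|both)", "next-hop-self"):
            if not any(re.fullmatch(f"neighbor {re.escape(peer)} {cmd}", l) for l in vpnv4):
                findings.append(f"vpnv4 {peer}: missing {cmd}")
        src = [l.split()[3] for l in scopes["global"]
               if l.startswith(f"neighbor {peer} update-source ")]
        if not src:
            findings.append(f"{peer}: no update-source loopback")
            continue
        # Loopback must be /32, or be advertised with its exact mask by OSPF.
        intf = secs.get(f"interface {src[0]}", [])
        host_mask = any(l.endswith(" 255.255.255.255") for l in intf if l.startswith("ip address "))
        if not host_mask and "ip ospf network point-to-point" not in intf:
            findings.append(f"{src[0]}: not /32 and no ip ospf network point-to-point")
    for name, lines in scopes.items():
        if name.startswith("ipv4 vrf ") and "redistribute static" not in lines:
            findings.append(f"{name}: static PE-CE routes not redistributed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PE):
        print(finding)
```

Run it against the output of show running-config saved to a file; an empty result means none of the checked commands is missing.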