Ab - MPLS VPN

The document describes MPLS VPN and its components. MPLS VPN uses VRFs, route distinguishers, route targets, and MP-BGP to provide private VPN connectivity between customer edge routers while isolating traffic from different customers in the service provider's network. Customer edge routers peer directly with provider edge routers, which apply labels to route traffic through the MPLS core and strip labels at the egress point to deliver packets to the correct customer VPN.

Uploaded by arbaz khan

CHAPTER 7: MPLS VPN

MPLS VPN Model:

• The PE routers have a direct connection to the CE routers and run a routing
protocol or static routing with them.
• In MPLS VPN, both P and PE routers run MPLS; CE routers need not run MPLS.
• The CE router does not peer with a remote CE; in fact, it only peers with the PE
router (or PE routers, if the CE is multihomed).
• The customer IP packets are labeled in the service provider network to provide
a private VPN for each customer. The P routers are completely unaware of the
customer routes.
• The VPN routes are only known to the edge routers, so BGP is not needed on
the P routers.

Architectural overview of MPLS VPN:


The basic building blocks of the MPLS VPN architecture are the VRF, the route
distinguisher, route targets, route propagation through MP-BGP and label forwarding.

1) Virtual Routing Forwarding VRF:

• A virtual routing/forwarding instance (VRF) is a VPN routing and forwarding
instance: the combination of a VPN routing table, a VRF CEF table and the
associated routing protocols on the PE router.
• A PE router holds one VRF instance for each customer connected to it.

2) Route Distinguisher RD:

• The VPN prefixes are propagated through the MPLS VPN network using MP-BGP,
but these prefixes must be unique.
• So each prefix received from a customer receives a unique identifier (the RD)
to distinguish the same prefix received from different customers.
• The vpnv4 prefix is derived by combining the RD and the IPv4 prefix. MP-BGP
carries these vpnv4 prefixes between the PE routers.
• An RD is a 64-bit field, and each VRF instance must have an RD attached to it.
• An RD can be in one of two formats: ASN:nn (most preferred) or IP-address:nn.

3) Route Targets RT:

• An RT is a BGP extended community that indicates which routes should be
imported from MP-BGP into the VRF. Exporting an RT means that the exported
vpnv4 routes receive a BGP extended community: the RT.
• If the RTs don't match, the prefix is rejected.
• A prefix can have multiple RTs attached to it. To find a match, at least one RT
(extended community) must match an import RT of the VRF.

4) VPNv4 routes propagation in MPLS VPN network:

• The PE router receives IPv4 routes from the CE router using an IGP or eBGP.
These IPv4 routes are put into the VRF table according to the VRF instance
configured on the interface on which the routes are received.
• The PE router prepends the RD to these IPv4 prefixes and so converts them to
vpnv4 prefixes. These vpnv4 routes are put into MP-BGP using redistribution.
• BGP advertises these vpnv4 routes to all its PE neighbors over iBGP after adding
the RTs (the export RTs).
• At the remote PE router, the RD is removed from the vpnv4 prefixes to make them
IPv4 prefixes again.
• The IPv4 prefixes are inserted into the VRF routing tables on the remote PE
router.
• Using the IGP or eBGP, the IPv4 routes are advertised to the remote CE router.
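The RD and RT mechanics of sections 2 to 4 above, as an added Python example that is not part of the chapter: an ingress VRF prepends its RD and attaches its export RTs, and a remote VRF installs the route only if at least one attached RT matches one of its import RTs. The customer names, RDs, RTs and prefixes are constructed sample values; two customers deliberately announce the same 10.0.0.0/24 to show that differing RDs keep the vpnv4 prefixes distinct.

```python
# Added example (not from the chapter): a small model of how a PE turns
# customer IPv4 prefixes into vpnv4 prefixes, tags them with export RTs,
# and how a receiving PE decides which VRF table each vpnv4 route lands in.
# Customer names, RDs, RTs and prefixes below are constructed sample values.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                 # route distinguisher in ASN:nn or IP-address:nn form
    prefix: str             # IPv4 prefix as received from the CE
    export_rts: frozenset   # RTs attached as BGP extended communities

    @property
    def vpnv4_prefix(self) -> str:
        # The vpnv4 NLRI is the RD prepended to the IPv4 prefix, so two
        # customers announcing the same IPv4 prefix stay distinct.
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)  # vpnv4 prefix -> IPv4 prefix

    def export(self, ipv4_prefix: str) -> Vpnv4Route:
        """Ingress PE: prepend this VRF's RD and attach its export RTs."""
        return Vpnv4Route(self.rd, ipv4_prefix, self.export_rts)

    def accepts(self, route: Vpnv4Route) -> bool:
        """Import check: at least one RT on the route must match an import RT."""
        return bool(route.export_rts & self.import_rts)

    def import_route(self, route: Vpnv4Route) -> bool:
        if not self.accepts(route):
            return False        # no RT match: the prefix is rejected
        # The RD is stripped again; the VRF table holds plain IPv4 prefixes.
        self.routes[route.vpnv4_prefix] = route.prefix
        return True


def propagate(ingress_vrfs, egress_vrfs):
    """Simulate MP-BGP carrying every exported vpnv4 route to every remote VRF.

    ingress_vrfs is a list of (Vrf, [ipv4 prefixes learned from its CE]).
    Returns {vrf name: sorted list of IPv4 prefixes installed on the remote PE}.
    """
    advertised = []
    for vrf, prefixes in ingress_vrfs:
        advertised.extend(vrf.export(p) for p in prefixes)
    for vrf in egress_vrfs:
        for route in advertised:
            vrf.import_route(route)
    return {vrf.name: sorted(vrf.routes.values()) for vrf in egress_vrfs}


def demo():
    # Constructed scenario: CUST_A and CUST_B both use 10.0.0.0/24. On the
    # remote PE, CUST_B's VRF imports two RTs; any one match is enough.
    cust_a_pe1 = Vrf("CUST_A", "100:1", frozenset({"100:1"}), frozenset({"100:1"}))
    cust_b_pe1 = Vrf("CUST_B", "100:2", frozenset({"100:2"}), frozenset({"100:2"}))
    cust_a_pe2 = Vrf("CUST_A", "100:1", frozenset({"100:1"}), frozenset({"100:1"}))
    cust_b_pe2 = Vrf("CUST_B", "100:2", frozenset({"100:2"}),
                     frozenset({"100:2", "100:99"}))
    return propagate(
        [(cust_a_pe1, ["10.0.0.0/24", "192.168.1.0/24"]),
         (cust_b_pe1, ["10.0.0.0/24"])],
        [cust_a_pe2, cust_b_pe2],
    )


if __name__ == "__main__":
    print(demo())
```

Each remote VRF ends up with exactly its own customer's prefixes: the CUST_B route carrying RT 100:2 never enters CUST_A's table, and the overlapping 10.0.0.0/24 prefixes never collide because their RDs differ.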

5) Packet forwarding in an MPLS VPN network:

• In an MPLS VPN network, all customer packets are forwarded using two labels:
the top label is the IGP label and the bottom label is the VPN label.
• The IGP label is the label advertised by the downstream router in the service
provider network. This label corresponds to the next hop. It is advertised by
LDP, and the P routers use this label to switch packets.
• The VPN label is the label advertised by the egress PE router to the ingress PE
router; it indicates which VRF table the packet belongs to. Essentially, the VPN
label identifies the next-hop CE router for the packet.
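The two-label forwarding path just described, as an added Python example that is not part of the chapter: the ingress PE pushes an IGP label on top of the VPN label, each P router swaps or pops only the top label, and the egress PE uses the VPN label that survives to pick the VRF and next-hop CE. Labels, router names and addresses are constructed sample values; label stack entries are packed in the real 32-bit format (20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL) so each hop can check the bottom-of-stack bit.

```python
# Added example (not from the chapter): a walk of one customer packet through
# the two-label MPLS VPN forwarding path. All labels, router names and
# addresses are constructed sample values.
import struct


def pack_entry(label: int, bos: bool, ttl: int = 255, tc: int = 0) -> bytes:
    """Encode one 32-bit MPLS label stack entry (RFC 3032 layout)."""
    assert 0 <= label < (1 << 20)
    word = (label << 12) | (tc << 9) | (int(bos) << 8) | ttl
    return struct.pack("!I", word)


def unpack_entry(entry: bytes):
    """Return (label, bottom_of_stack) from a packed stack entry."""
    word, = struct.unpack("!I", entry)
    return word >> 12, bool((word >> 8) & 1)


class IngressPE:
    def __init__(self, vrf_fib):
        # vrf -> prefix -> (IGP label toward egress PE, VPN label from egress PE)
        self.vrf_fib = vrf_fib

    def forward(self, vrf, dst_prefix, payload):
        igp_label, vpn_label = self.vrf_fib[vrf][dst_prefix]
        # Bottom label = VPN label, top label = IGP label toward the egress PE.
        return pack_entry(igp_label, False) + pack_entry(vpn_label, True) + payload


class PRouter:
    def __init__(self, lfib):
        self.lfib = lfib  # incoming top label -> outgoing label, None = pop (PHP)

    def forward(self, frame):
        label, bos = unpack_entry(frame[:4])
        assert not bos, "a P router should never see the VPN label on top"
        out = self.lfib[label]
        if out is None:                  # penultimate hop: pop the IGP label only
            return frame[4:]
        return pack_entry(out, False) + frame[4:]   # swap top, VPN label untouched


class EgressPE:
    def __init__(self, vpn_labels):
        self.vpn_labels = vpn_labels  # VPN label -> (vrf, next-hop CE)

    def forward(self, frame):
        label, bos = unpack_entry(frame[:4])
        assert bos, "after PHP the VPN label must be the only label left"
        vrf, next_hop = self.vpn_labels[label]
        return vrf, next_hop, frame[4:]


def walk(payload=b"customer ip packet"):
    """Constructed path PE1 -> P1 -> P2 -> PE2; returns what PE2 hands to the CE."""
    pe1 = IngressPE({"CUST_ONE": {"192.168.2.0/24": (16, 24)}})
    p1 = PRouter({16: 17})       # swaps IGP label 16 -> 17
    p2 = PRouter({17: None})     # penultimate hop pops the IGP label
    pe2 = EgressPE({24: ("CUST_ONE", "172.16.2.2")})
    frame = pe1.forward("CUST_ONE", "192.168.2.0/24", payload)
    frame = p1.forward(frame)
    frame = p2.forward(frame)
    return pe2.forward(frame)


if __name__ == "__main__":
    print(walk())
```

Note that neither P router ever reads the VPN label or the customer IP header, which is the property the chapter relies on when it says the P routers are unaware of customer routes.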

BGP Multiprotocol Extensions and Capabilities:


When a BGP speaker sends an OPEN message to its peers, it can include all the
capabilities it supports. The BGP peers can do the same. Either the capabilities
match on both speakers, or a BGP notification message is sent indicating which
capabilities are not supported.

The Multiprotocol Extensions for BGP-4 add two new attributes: Multiprotocol NLRI
reachable and Multiprotocol NLRI unreachable. These attributes advertise or
withdraw routes.

These attributes hold two fields: the Address Family Identifier (AFI, 2 bytes) and
the Subsequent Address Family Identifier (SAFI, 1 byte). For IPv4, AFI=1; for IPv6,
AFI=2.

The SAFI numbers and their descriptions are:

1 = NLRI for unicast forwarding
2 = NLRI for multicast forwarding
3 = NLRI for unicast and multicast forwarding
4 = NLRI for IPv4 and label forwarding
128 = NLRI for labeled VPN forwarding

To support the multiprotocol behavior of BGP, the BGP routing process has the concept
of an address family. The four address families currently supported are IPv4, IPv6,
vpnv4 and vpnv6.

Label distribution can be piggybacked in the BGP Update message by using the BGP-4
Multiprotocol Extensions attribute. The label is encoded into the NLRI field of the
attribute, and the SAFI field (value 4) indicates that the NLRI contains the label.

The NLRI is encoded as one or more triples of the form <length, label, prefix>.

Length: the Length field indicates the length in bits of the address prefix plus the
label(s).

Label: the Label field carries one or more labels. Each label is encoded as 3 octets,
where the higher-order 20 bits contain the label value and the lowest-order bit is the
bottom-of-stack bit.

Prefix: the Prefix field contains the address prefix followed by enough trailing bits
to make the end of the field fall on an octet boundary.

The debug ip bgp command should show the AFI/SAFI capability values negotiated
between BGP neighbors. For MPLS VPN, the AFI/SAFI values 1/1, 1/4 and 1/128 should
be agreed upon by the BGP neighbors.
The show ip bgp neighbor <ip-address> command also shows the Neighbor Capabilities.
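The <length, label, prefix> encoding described above, as an added Python example that is not part of the chapter: an encoder and decoder for the labeled NLRI used with AFI 1 / SAFI 4 (labeled IPv4) and AFI 1 / SAFI 128 (labeled VPN-IPv4, where the prefix part starts with the 8-byte RD). Labels, RDs and prefixes are constructed sample values; the RD helper covers only the ASN:nn (type 0) format the chapter names as preferred.

```python
# Added example (not from the chapter): encoding and decoding of the
# <length, label, prefix> triples carried in MP_REACH_NLRI for SAFI 4 and
# SAFI 128. Labels, RDs and prefixes below are constructed sample values.
import ipaddress

AFI_IPV4, SAFI_LABELED, SAFI_VPN = 1, 4, 128


def encode_label(label: int, bos: bool) -> bytes:
    """3-octet label field: 20-bit label, 3-bit EXP (left 0), 1-bit bottom-of-stack."""
    return ((label << 4) | int(bos)).to_bytes(3, "big")


def decode_label(raw: bytes):
    value = int.from_bytes(raw, "big")
    return value >> 4, bool(value & 1)


def encode_rd(asn: int, nn: int) -> bytes:
    """RD type 0 (ASN:nn): 2-byte type, 2-byte ASN, 4-byte assigned number."""
    return (0).to_bytes(2, "big") + asn.to_bytes(2, "big") + nn.to_bytes(4, "big")


def rd_to_str(rd: bytes) -> str:
    return f"{int.from_bytes(rd[2:4], 'big')}:{int.from_bytes(rd[4:8], 'big')}"


def encode_nlri(safi: int, labels, prefix: str, rd: bytes = b"") -> bytes:
    """Build one triple. For SAFI 128 the 8-byte RD precedes the IPv4 prefix."""
    net = ipaddress.ip_network(prefix)
    if safi == SAFI_VPN and len(rd) != 8:
        raise ValueError("SAFI 128 NLRI needs an 8-byte RD")
    label_bytes = b"".join(encode_label(lbl, i == len(labels) - 1)
                           for i, lbl in enumerate(labels))
    prefix_octets = (net.prefixlen + 7) // 8      # trailing bits pad to an octet
    prefix_bytes = int(net.network_address).to_bytes(4, "big")[:prefix_octets]
    # Length is in bits and covers the label(s), the RD (SAFI 128) and the prefix.
    length_bits = 8 * (len(label_bytes) + len(rd)) + net.prefixlen
    return bytes([length_bits]) + label_bytes + rd + prefix_bytes


def decode_nlri(safi: int, data: bytes):
    """Parse one triple; returns (labels, rd_or_None, prefix, remaining_bytes)."""
    length_bits = data[0]
    body_len = (length_bits + 7) // 8
    body, rest = data[1:1 + body_len], data[1 + body_len:]
    labels, pos = [], 0
    while True:                                   # read labels until bottom-of-stack
        label, bos = decode_label(body[pos:pos + 3])
        labels.append(label)
        pos += 3
        if bos:
            break
    rd = None
    if safi == SAFI_VPN:
        rd, pos = body[pos:pos + 8], pos + 8
    prefixlen = length_bits - 8 * pos             # what is left is the prefix length
    prefix_bytes = body[pos:].ljust(4, b"\x00")
    net = ipaddress.ip_network((int.from_bytes(prefix_bytes, "big"), prefixlen))
    return labels, rd, str(net), rest


if __name__ == "__main__":
    nlri = encode_nlri(SAFI_VPN, [24], "192.168.1.0/24", encode_rd(1, 1))
    print(nlri.hex(), decode_nlri(SAFI_VPN, nlri))
```

For VPN label 24, RD 1:1 and prefix 192.168.1.0/24 the length byte is 112 (24 label bits + 64 RD bits + 24 prefix bits), which is why a decoder that forgets to subtract the RD from the length reads the prefix length as 88 bits and fails.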

BGP Route Reflector RR:

• To avoid a full mesh of BGP neighbor relationships in the service provider
network, the concepts of route reflectors and confederations were introduced in
BGP.
• All BGP speakers form a neighbor relationship with the RR and hence need not
form relationships with the other BGP speakers.
• The RR reflects all routes to its clients. In an MPLS VPN network, the RR
reflects all the vpnv4 prefixes, which carry labels.
• RRs do not reject vpnv4 prefixes that do not match any import RT. All routes are
stored in the BGP table, since the RR does not know which routes the PE routers
will reject.
• RR groups can be configured to split the load of reflecting the vpnv4 prefixes
among different RRs.
• To configure an RR group, use the bgp rr-group <group_no> command under
address-family vpnv4; group_no refers to an extended community list that
specifies the RTs.
• Each member only matches a particular set of RTs, which splits the load.

BGP Multipath:
By default, BGP selects only a single best path and installs it in the routing table.
BGP Multipath is a BGP feature whereby the selection process still selects a best path
but allows multiple paths to be installed in the routing table.

The different types of BGP Multipath are:

iBGP multipath: installation of two or more internal BGP paths
eBGP multipath: installation of two or more external BGP paths
eiBGP multipath: installation of one or more internal and one or more
external BGP paths

Example of BGP Multipath with Multiple RDs:

If the ingress PE1 and PE2 routers advertise the routes of a CE (multihomed to PE1
and PE2) with the same RD, the RR installs only the best path in its routing table and
advertises only that best path to the egress PE3 router.
When PE1 and PE2 advertise the vpnv4 routes with different RDs to the RR, these
routes are considered different and hence the RR installs both routes in its routing
table. It then advertises both vpnv4 routes to the PE3 router.
If the PE3 router is configured with the BGP Multipath iBGP feature, it installs both
vpnv4 routes.

PE3 router:

router bgp 100
bgp log-adjacency-changes
!
address-family ipv4 vrf cust-one
maximum-paths ibgp 2 import 2
exit-address-family
!

The import keyword indicates how many paths can be imported from one VRF into
another.
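The multihomed-CE behaviour described above, as an added Python example that is not part of the chapter: the RR keys its table on the vpnv4 NLRI (RD plus prefix), so two advertisements with the same RD collapse to one best path while different RDs survive as two routes, and PE3 then installs as many of them as maximum-paths ibgp allows. Router IDs, RDs and prefixes are constructed sample values, and the best-path tie-breaker is reduced to lowest originating router ID, an assumption standing in for the full BGP decision process.

```python
# Added example (not from the chapter): route reflection with one RD versus
# two RDs for a multihomed CE, followed by PE3's maximum-paths ibgp choice.
# Router IDs, RDs and prefixes are constructed sample values.


def best_path(paths):
    """Stand-in for the BGP decision process (assumption): all attributes are
    equal, so the path from the lowest originating router ID wins."""
    return min(paths, key=lambda p: p["router_id"])


def route_reflector(advertisements):
    """Group by vpnv4 NLRI (RD + prefix) and reflect only the best per NLRI."""
    by_nlri = {}
    for adv in advertisements:
        by_nlri.setdefault((adv["rd"], adv["prefix"]), []).append(adv)
    return [best_path(paths) for paths in by_nlri.values()]


def pe3_install(reflected, prefix, max_paths_ibgp=1):
    """After stripping the RDs, PE3 sees candidate routes to one IPv4 prefix and
    installs at most max_paths_ibgp of them (1 = default single best path)."""
    candidates = sorted((r for r in reflected if r["prefix"] == prefix),
                        key=lambda p: p["router_id"])
    return [r["next_hop"] for r in candidates[:max_paths_ibgp]]


def scenario(same_rd: bool, max_paths_ibgp: int):
    """Returns (routes reflected by the RR, next hops PE3 installs)."""
    rd_pe1, rd_pe2 = ("1:1", "1:1") if same_rd else ("1:1", "1:2")
    adverts = [
        {"rd": rd_pe1, "prefix": "192.168.1.0/24",
         "router_id": "1.1.1.1", "next_hop": "1.1.1.1"},   # from PE1
        {"rd": rd_pe2, "prefix": "192.168.1.0/24",
         "router_id": "2.2.2.2", "next_hop": "2.2.2.2"},   # from PE2
    ]
    reflected = route_reflector(adverts)
    return len(reflected), pe3_install(reflected, "192.168.1.0/24", max_paths_ibgp)


if __name__ == "__main__":
    for same_rd in (True, False):
        for paths in (1, 2):
            print(f"same_rd={same_rd} maximum-paths ibgp {paths}:", scenario(same_rd, paths))
```

With a shared RD, configuring maximum-paths ibgp 2 on PE3 changes nothing, because the second path never leaves the RR; only the combination of distinct RDs and the multipath knob yields two installed next hops.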

PE-CE routing protocols:

NOTE: Both the CE1 and CE2 routers belong to CUST_ONE (they are two sites of one
customer).

1) Static routing:

CE1 router:

interface fastethernet 0/0
ip address 172.16.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!

CE2 router:

interface fastethernet 0/0
ip address 172.16.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.16.2.1
!

PE1 router:

mpls label protocol ldp
mpls ldp router-id loopback 0 force
!
ip vrf CUST_ONE
rd 1:1
route-target export 1:1
route-target import 1:1
!
interface loopback 0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface fastethernet 0/0
ip vrf forwarding CUST_ONE
ip address 172.16.1.2 255.255.255.252
!
interface fastethernet 0/1
ip address 10.1.1.1 255.255.255.252
mpls ip
ip ospf 1 area 0
!
ip route vrf CUST_ONE 192.168.1.0 255.255.255.0 172.16.1.1
!
router bgp 100
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source loopback 0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
exit-address-family
!
address-family ipv4 vrf CUST_ONE
redistribute connected
redistribute static
exit-address-family
!

PE2 router:

mpls label protocol ldp
mpls ldp router-id loopback 0 force
!
ip vrf CUST_ONE
rd 1:1
route-target export 1:1
route-target import 1:1
!
interface loopback 0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface fastethernet 0/1
ip vrf forwarding CUST_ONE
ip address 172.16.2.1 255.255.255.252
!
interface fastethernet 0/0
ip address 10.2.2.2 255.255.255.252
mpls ip
ip ospf 1 area 0
!
ip route vrf CUST_ONE 192.168.2.0 255.255.255.0 172.16.2.2
!
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source loopback 0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
exit-address-family
!
address-family ipv4 vrf CUST_ONE
redistribute connected
redistribute static
exit-address-family
!

2) RIPv2 routing:

CE1 router:

router rip
version 2
network 172.16.0.0
network 192.168.1.0 ! internal network
no auto-summary
!

PE1 router:

router rip
no auto-summary
address-family ipv4 vrf CUST_ONE
network 172.16.0.0
redistribute bgp 100
default-metric 3 ! by default, the redistributed metric is 2
version 2
exit-address-family
!
router bgp 100
!
address-family ipv4 vrf CUST_ONE
redistribute rip
redistribute connected
exit-address-family
!

3) OSPF routing:

• When OSPF is used as the PE-CE routing protocol, the MPLS VPN network
becomes the OSPF superbackbone. Hence, all the customer OSPF routes (LSA
Type 1, 2 or 3) become interarea (IA, LSA Type 3) routes when they reach the
remote sites. External routes (LSA Type 5) remain external routes at the remote
sites.
• Hence, the PE routers act as both ABR and ASBR.
• If the customer sites have a backdoor link, all the internal OSPF routes are
advertised over it without change; in essence, all intraarea routes are advertised
as intraarea. The routes received from the MPLS VPN backbone are interarea
routes and will therefore not be preferred over the intraarea routes. To avoid
this, a feature called sham-link was introduced.

CE1 router:

router ospf 42
network 172.16.1.0 0.0.0.3 area 0
!

PE1 router:

router ospf 42 vrf CUST_ONE
router-id 1.1.1.1
network 172.16.1.0 0.0.0.3 area 0
redistribute bgp 100 metric 10 subnets
!
router bgp 100
!
address-family ipv4 vrf CUST_ONE
redistribute connected
redistribute ospf 42 vrf CUST_ONE metric 10 match internal external 1 external 2
exit-address-family
!
• When customer OSPF routes are redistributed into MP-BGP, the PE router
uses the OSPF metric to set the BGP MED.
• When MP-BGP redistributes routes into OSPF at the remote end, it copies the
MED into the OSPF metric (for internal and/or external routes). The default-metric
command, or the metric value in the redistribute command, overrides the MED.

The above output shows that the MPLS VPN network acts as the MPLS VPN
superbackbone.
It shows that the OSPF route (172.16.2.0) received from the remote CE2 router
is an interarea route, denoted by IA.

This output shows the BGP extended communities for OSPF: OSPF RT, OSPF Domain-ID
and OSPF Router-ID.
OSPF RT is the OSPF route type: 0.0.0.0 is area 0, 2 is the OSPF route type and 0 is
the option.

Sham link and its configuration:

Configure a separate /32 address on the PE routers so that OSPF packets can be sent
over the MPLS VPN backbone:
• The /32 address must belong to the VRF.
• The /32 address should be advertised by iBGP, not OSPF.
• Associate the sham-link with an existing OSPF area.

The link between R3 and R5 is the backdoor link. If the sham-link is not configured
between the PE routers R0 and R1, the backdoor link will always be preferred over the
MPLS VPN network.

The IP address 10.10.1.1/32 should be advertised by iBGP.

Down bit and Domain tag:

• The down bit is a bit in the Options field of an OSPF LSA Type 3.
• If an OSPF route has been advertised by a PE router into an OSPF area, the
down bit is set.
• Another PE router in the same area will not redistribute this route into
MP-iBGP if the down bit is set. The PE router does not even include the route in
the SPF calculation. This avoids routing loops.

• The domain tag has the same purpose as the down bit, but for OSPF external
routes (LSA Type 5).
• If another PE router receives a route with the domain tag set to a value that
matches its configured domain tag, it will not redistribute the route into iBGP.
• The BGP ASN is encoded into the tag of OSPF external routes in the least
significant 16 bits.
• The domain tag can be configured using the domain-tag <tag-value> command in
the OSPF router VRF configuration mode.

4) EIGRP routing:
• When EIGRP is redistributed into BGP at the PE router, all EIGRP routes can
become external routes at the remote site, which is the usual redistribution
behaviour.
• To alleviate this problem, as much EIGRP information as possible is passed into
BGP extended communities. This information is used to reconstruct the EIGRP
routes at the remote end.

CE1 router:

router eigrp 1
network 172.16.1.0 0.0.0.3
no auto-summary

PE1 router:

router eigrp 1
no auto-summary
!
address-family ipv4 vrf CUST1
network 172.16.1.0 0.0.0.3
no auto-summary
redistribute bgp 100 metric 1500 100 255 1 1500
autonomous-system 33
exit-address-family
!
The output shows the BGP extended communities:

Cost:pre-bestpath:128:2169856 is the cost community, with the pre-bestpath point of
insertion, that is set during the redistribution of EIGRP into BGP. The Point Of
Insertion (POI) is the place in the BGP selection process where BGP considers the
cost community in best-path selection. The pre-bestpath POI indicates that the cost
community is considered before any regular BGP parameters.

The cost-community ID is either 128 or 129: 128 is for EIGRP internal routes and
129 is for EIGRP external routes. Internal routes are selected over external routes.

The value is the EIGRP composite metric set on the PE router that redistributes
EIGRP into BGP. Routes with lower metric values are selected over those with higher
values.

5) eBGP routing:

• If the customer sites have different AS numbers, BGP can operate with its
default behaviour.
• However, if the customer sites have the same AS number, BGP cannot operate
with its default behaviour, because the customer routers will drop routes that
carry their own AS number in the AS-path attribute (a measure to avoid routing
loops).
• There are two ways BGP can be adapted to provide correct routing:

1) AS Override:

Here, the PE router replaces the customer AS number with the AS number of the
service provider.

To configure AS override on the PE routers, use the
neighbor <CE-ip-address> as-override command.

2) allowas-in:

Here, the PE router allows multiple occurrences of the same AS number in the
AS-path. This allows an update to pass through the service provider network more
than once without BGP rejecting the update.

To configure allowas-in on the PE routers, use the
neighbor <CE-ip-address> allowas-in <number> command. The number can be from 1 to
10 and means the update can pass through the router that many times before being
denied.

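The two options above and the hub-and-spoke case that follows, as an added Python example that is not part of the chapter: a BGP speaker's AS-path loop check, the PE-side as-override rewrite, and the allowas-in tolerance, applied to a provider in AS 100 with customer sites in AS 65003. AS numbers and paths are constructed sample values.

```python
# Added example (not from the chapter): how the AS-path loop check interacts
# with as-override and allowas-in. AS numbers and paths are constructed values.


def loop_check(as_path, own_as, allowas_in=0) -> bool:
    """Default BGP behaviour: reject an update whose AS_PATH already contains
    our own ASN. With allowas-in N, tolerate up to N occurrences."""
    return as_path.count(own_as) <= allowas_in


def as_override(as_path, customer_as, provider_as):
    """as-override: the PE rewrites every occurrence of the customer's ASN
    with the provider's ASN before sending the update to the CE."""
    return [provider_as if asn == customer_as else asn for asn in as_path]


def send_to_ce(as_path, provider_as, customer_as, use_as_override=False):
    """The egress PE prepends its own ASN (eBGP to the CE), optionally after
    applying as-override; returns the AS_PATH as the CE sees it."""
    path = as_override(as_path, customer_as, provider_as) if use_as_override else list(as_path)
    return [provider_as] + path


def remote_site_cases():
    """Both customer sites are in AS 65003; the path learned from site 1 is [65003]."""
    learned = [65003]
    default_path = send_to_ce(learned, 100, 65003)
    override_path = send_to_ce(learned, 100, 65003, use_as_override=True)
    return {
        "default": (loop_check(default_path, 65003), default_path),
        "as-override": (loop_check(override_path, 65003), override_path),
        "allowas-in 1": (loop_check(default_path, 65003, allowas_in=1), default_path),
    }


def hub_and_spoke_case():
    """PE2 (AS 100) hears a spoke prefix back from the hub CE (AS 65003): the
    AS_PATH already contains 100 from the first pass through the provider.
    Returns (accepted by default, accepted with allowas-in 10)."""
    path_from_hub = [65003, 100, 65003]
    return loop_check(path_from_hub, 100), loop_check(path_from_hub, 100, allowas_in=10)


if __name__ == "__main__":
    print(remote_site_cases())
    print(hub_and_spoke_case())
```

as-override hides the loop by rewriting the path to [100, 100], so site 2 can no longer tell the route originated in its own AS; allowas-in keeps the path intact and instead relaxes the check, which is why it is the option that applies on the PE itself in the hub-and-spoke case.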
Hub and Spoke Topology with eBGP:

PE2 router:

ip vrf from_spokes
rd 1:3
route-target import 100:100
!
ip vrf to_spokes
rd 1:4
route-target export 200:200
!
interface fa 0/0.10
encapsulation dot1q 10
ip vrf forwarding from_spokes
ip address 172.16.3.1 255.255.255.252
!
interface fa 0/0.20
encapsulation dot1q 20
ip vrf forwarding to_spokes
ip address 172.16.4.1 255.255.255.252
!
router bgp 100
!
address-family ipv4 vrf from_spokes
neighbor 172.16.3.2 remote-as 65003
neighbor 172.16.3.2 activate
redistribute connected
exit-address-family
!
address-family ipv4 vrf to_spokes
neighbor 172.16.4.2 remote-as 65003
neighbor 172.16.4.2 activate
neighbor 172.16.4.2 allowas-in 10 ! range is 1-10
redistribute connected
exit-address-family
!

It can be seen from the output of the PE1 router that it learns the prefix of the PE3
router, 172.16.2.0/30, from the PE2 router (2.2.2.2), where the HUB router is
connected. Hence, spoke-to-spoke communication occurs through the HUB router.

Without the allowas-in command, the routes are not advertised to the spoke routers,
since the SP AS number is already in the AS-path attribute; the PE2 router would
reject them when they come from the HUB router.

MPLS VPN with Internet Access with Static routing:

CE1 router:

interface loopback 0
ip address 11.1.1.1 255.255.255.255
!
interface fastethernet 0/0
ip address 172.16.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!

PE1 router:

router bgp 100
neighbor 2.2.2.2 remote-as 100 ! PE2 router
neighbor 2.2.2.2 update-source loopback 0
neighbor 2.2.2.2 next-hop-self
neighbor 3.3.3.3 remote-as 100 ! PE3 router
neighbor 3.3.3.3 update-source loopback 0
neighbor 3.3.3.3 next-hop-self
redistribute static ! the network command can also be used instead
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
redistribute static ! the network command can also be used instead
exit-address-family
!
!
!!! static route towards the customer for the global routing table, with outbound
!!! interface and next-hop IP address (because the outbound interface is multi-access Ethernet)
ip route 11.1.1.1 255.255.255.255 fastethernet 0/0 172.16.1.2
!
!!! static route towards the customer for the VPN sites
ip route vrf CUST1 11.1.1.1 255.255.255.255 fastethernet 0/0 172.16.1.2
!
!!! static route towards the Internet Gateway Router (IGW) for the customer sites
ip route vrf CUST1 0.0.0.0 0.0.0.0 fastethernet 1/0 192.168.1.1 global
!
From the CE1 router, pings to the IGW succeed only with a source IP address of
11.1.1.1.

Since Fastethernet 0/0 on the PE1 router is a VRF interface for CUST1, this interface
does not show up in the global routing table as Connected. But the static route is
still present in the global routing table, even though the next hop and outbound
interface are not present there (they belong to the VRF).
Because there is no redistribution between IPv4 and vpnv4, a method is needed to let
the PE router resolve the next hop for the IGW IP address (192.168.1.1) from within
the VRF. This is done with the global keyword: it specifies that the next-hop address
of the static route is resolved using the global routing table rather than the VRF
table.

Multi-VRF (aka VRF-lite) using OSPF:

• With Multi-VRF, two or more customers can share the same CE, and only one
physical link is used between the CE and the PE.
• The shared CE maintains a separate VRF table for each customer and routes
packets for each customer based on that customer's own routing table.
• The FINANCE VRF should not be able to communicate with the MGMT VRF.
• The VRF functionality is extended to the CE routers. MPLS is not enabled on the
CE routers, though; only VRFs are.
• Overlapping IP addresses can be used in different VRFs.

FINANCE router:

ip vrf FINANCE
rd 1:1
route-target both 1:1
!
interface fastethernet 0/0
ip vrf forwarding FINANCE
ip address 172.16.1.2 255.255.255.0 ! host address assumed; the original .0 is the subnet address, which IOS rejects
!
router ospf 10 vrf FINANCE
network 172.16.1.0 0.0.0.255 area 0
capability vrf-lite !disables down bit and domain tag checks
!

PE1 router:

ip vrf FINANCE
rd 1:1
route-target both 1:1
!
ip vrf MGMT
rd 1:2
route-target both 1:2
!
interface fastethernet 0/0.10
encapsulation dot1q 10
ip vrf forwarding FINANCE
ip address 172.16.1.1 255.255.255.0
!
interface fastethernet 0/0.20
encapsulation dot1q 20
ip vrf forwarding MGMT
ip address 172.16.2.1 255.255.255.0
!
router ospf 10 vrf FINANCE
network 172.16.1.0 0.0.0.255 area 0
redistribute bgp 100 metric 10 subnets
!
router ospf 20 vrf MGMT
network 172.16.2.0 0.0.0.255 area 0
redistribute bgp 100 metric 10 subnets
!
router bgp 100
!
address-family ipv4 vrf FINANCE
redistribute ospf 10 vrf FINANCE metric 10 match internal
exit-address-family
!
address-family ipv4 vrf MGMT
redistribute ospf 20 vrf MGMT metric 10 match internal
exit-address-family
!

The PE router performs two checks when OSPF is run between PE and CE: the down bit
check (internal routes) and the domain tag check (external routes). These checks avoid
routing loops. If the PE router receives internal (interarea and intraarea) routes
with the down bit set, those routes are rejected. Similarly, if the external routes
received by the PE router carry a domain tag whose value matches the one configured on
the PE router, it discards those routes.

With Multi-VRF CE functionality, the CE router acts as a PE router and performs
these two checks. For OSPF to function properly, the checks must be disabled on the
CE routers. If they are not disabled with the capability vrf-lite command under the
OSPF process on the CE routers, the CE routers will not receive any remote routes for
the same VRF.
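The down bit and domain tag checks from the OSPF section, and their disabling with capability vrf-lite described above, as an added Python example that is not part of the chapter: a PE originates routes into the customer area with the DN bit set (type 3) or a domain tag carrying its ASN (type 5), and a PE that later hears those routes refuses to redistribute them back into MP-BGP unless the checks are switched off. LSA contents and AS numbers are constructed sample values. One assumption not stated in the chapter: the default domain tag is modelled as 0xD0000000 plus the BGP ASN in the least significant 16 bits, the Cisco default for a 2-byte ASN.

```python
# Added example (not from the chapter): the two loop-prevention checks a PE
# (or a Multi-VRF CE acting as one) applies to OSPF routes before
# redistributing them into MP-BGP, and the effect of capability vrf-lite.
# LSA contents and AS numbers are constructed sample values.
from dataclasses import dataclass

DN_BIT = 0x80   # DN bit: high-order bit of the LSA Options field (RFC 4576)


@dataclass
class OspfRoute:
    prefix: str
    lsa_type: int       # 1/2 = intra-area, 3 = inter-area (summary), 5 = AS-external
    options: int = 0    # Options field; DN bit set when a PE originated the LSA
    tag: int = 0        # external route tag (type 5 only)


def default_domain_tag(bgp_asn: int) -> int:
    """Assumption: Cisco default of 0xD0000000 | ASN (ASN in the low 16 bits)."""
    return 0xD0000000 | (bgp_asn & 0xFFFF)


def pe_advertise_into_area(prefix: str, lsa_type: int, bgp_asn: int) -> OspfRoute:
    """What a PE originates into the customer OSPF area from an MP-BGP route."""
    if lsa_type == 5:
        return OspfRoute(prefix, 5, tag=default_domain_tag(bgp_asn))
    return OspfRoute(prefix, 3, options=DN_BIT)     # internal routes become IA + DN


def redistribute_into_bgp(route: OspfRoute, domain_tag: int, vrf_lite=False) -> bool:
    """True if a PE may redistribute the route into MP-BGP (and use it in SPF)."""
    if vrf_lite:
        return True          # capability vrf-lite: both checks disabled on the CE
    if route.lsa_type in (1, 2, 3) and route.options & DN_BIT:
        return False         # DN bit set: another PE injected it; would loop
    if route.lsa_type == 5 and route.tag == domain_tag:
        return False         # domain tag matches ours: came from our own backbone
    return True


def scenario(bgp_asn: int = 100):
    """Constructed cases: two routes a PE injected into the area, one genuine
    customer route, and the same PE-injected route seen by a VRF-lite CE."""
    tag = default_domain_tag(bgp_asn)
    from_pe_internal = pe_advertise_into_area("10.0.0.0/24", 3, bgp_asn)
    from_pe_external = pe_advertise_into_area("10.0.1.0/24", 5, bgp_asn)
    from_customer = OspfRoute("192.168.1.0/24", 1)
    return {
        "pe: inter-area with DN bit": redistribute_into_bgp(from_pe_internal, tag),
        "pe: external with matching tag": redistribute_into_bgp(from_pe_external, tag),
        "pe: customer intra-area": redistribute_into_bgp(from_customer, tag),
        "vrf-lite CE: inter-area with DN bit":
            redistribute_into_bgp(from_pe_internal, tag, vrf_lite=True),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'redistribute' if accepted else 'drop'}")
```

The last case is the Multi-VRF failure mode: a CE that still runs the PE checks sees the DN bit on every route its PE hands it and silently drops them all, which is exactly why the chapter's FINANCE router carries capability vrf-lite.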

Inter-AS MPLS VPN using MP-EBGP VPNv4:

PE1 router:

mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
ip vrf CUST1
rd 1:1
route-target both 1:1
!
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface serial 0/0
ip vrf forwarding CUST1
ip address 172.16.1.1 255.255.255.252
!
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router bgp 100
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!

PE2 router:

mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
ip vrf CUST1
rd 1:1
route-target both 1:1
!
interface Loopback 0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface serial 0/0
ip vrf forwarding CUST1
ip address 172.16.2.1 255.255.255.252
!
interface fastethernet 0/0
ip address 10.2.2.2 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router bgp 200
neighbor 3.3.3.3 remote-as 200
neighbor 3.3.3.3 update-source Loopback 0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!

PE1_ASBR router:

mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface fastethernet 0/1
ip address 192.168.1.1 255.255.255.252
!
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback 0
neighbor 192.168.1.2 remote-as 200
neighbor 192.168.1.2 password cisco
no bgp default route-target filter
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 1.1.1.1 next-hop-self
neighbor 192.168.1.2 activate
neighbor 192.168.1.2 send-community both
exit-address-family
!

PE2_ASBR router:

mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
interface Loopback 0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface fastethernet 0/0
ip address 192.168.1.2 255.255.255.252
!
router bgp 200
neighbor 4.4.4.4 remote-as 200 ! iBGP peer PE2 is in AS 200, not 100
neighbor 4.4.4.4 update-source Loopback 0
neighbor 192.168.1.1 remote-as 100
neighbor 192.168.1.1 password cisco
no bgp default route-target filter
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
neighbor 4.4.4.4 next-hop-self
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 send-community both
exit-address-family
!

Carrier Supporting Carrier (Hierarchical VPNs):

R0 router:

interface Loopback0
ip address 11.1.1.1 255.255.255.255
!
interface Serial0/0
ip address 172.16.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!

R7 router:

interface Loopback0
ip address 12.1.1.1 255.255.255.255
!
interface Serial0/0
ip address 172.16.2.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.16.2.1
!

R1 router:

ip vrf CUST1
rd 1:1
route-target export 1:1
route-target import 1:1
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Serial0/0
ip vrf forwarding CUST1
ip address 172.16.1.1 255.255.255.252
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router bgp 65100
neighbor 6.6.6.6 remote-as 65100
neighbor 6.6.6.6 update-source Loopback0
!
address-family vpnv4
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community extended
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
redistribute static
exit-address-family
!
ip route vrf CUST1 11.1.1.1 255.255.255.255 172.16.1.2
!

R6 router:

ip vrf CUST1
rd 1:1
route-target export 1:1
route-target import 1:1
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
ip ospf 1 area 0
!
interface Serial0/0
ip vrf forwarding CUST1
ip address 172.16.2.1 255.255.255.252
!
interface Serial0/1
ip address 10.2.2.2 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router bgp 65100
neighbor 1.1.1.1 remote-as 65100
neighbor 1.1.1.1 update-source Loopback0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
redistribute static
exit-address-family
!
ip route vrf CUST1 12.1.1.1 255.255.255.255 172.16.2.2
!

R2 router:

mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
ip ospf 1 area 0
!
interface Serial0/0
ip address 10.1.1.2 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router ospf 1
redistribute bgp 65100 metric 10 subnets
!
router bgp 65100
redistribute ospf 1 metric 10 match internal external 1 external 2
neighbor 192.168.1.2 remote-as 100
neighbor 192.168.1.2 send-label
!

R5 router:

mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.252
ip ospf 1 area 0
!
interface Serial0/0
ip address 10.2.2.1 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router ospf 1
redistribute bgp 65100 metric 10 subnets
!
router bgp 65100
redistribute ospf 1 metric 10 match internal external 1 external 2
neighbor 192.168.2.1 remote-as 100
neighbor 192.168.2.1 send-label
!

R3 router:

ip vrf C_CUST1
rd 1:2
route-target export 1:2
route-target import 1:2
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 2 area 0
!
interface FastEthernet0/0
ip vrf forwarding C_CUST1
ip address 192.168.1.2 255.255.255.252
!
interface Serial0/0
ip address 20.1.1.1 255.255.255.252
ip ospf 2 area 0
mpls ip
!
router bgp 100
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf C_CUST1
redistribute connected
neighbor 192.168.1.1 remote-as 65100
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 as-override
neighbor 192.168.1.1 send-label
exit-address-family
!

R4 router:

ip vrf C_CUST1
rd 1:2
route-target export 1:2
route-target import 1:2
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 2 area 0
!
interface FastEthernet0/0
ip vrf forwarding C_CUST1
ip address 192.168.2.1 255.255.255.252
!
interface Serial0/0
ip address 20.1.1.2 255.255.255.252
ip ospf 2 area 0
mpls ip
!
router bgp 100
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
exit-address-family
!
address-family ipv4 vrf C_CUST1
redistribute connected
neighbor 192.168.2.2 remote-as 65100
neighbor 192.168.2.2 activate
neighbor 192.168.2.2 as-override
neighbor 192.168.2.2 send-label
exit-address-family
!

HSRP Support for MPLS VPNs:

CE1 router:

interface Loopback 0
ip address 11.1.1.1 255.255.255.255
ip ospf 42 area 0
!
interface fastethernet 0/0
ip address 172.16.1.2 255.255.255.0
ip ospf 42 area 0
!

CE2 router:

interface Loopback 0
ip address 12.1.1.1 255.255.255.255
ip ospf 42 area 0
!
interface fastethernet 0/0
ip address 172.16.2.2 255.255.255.0
ip ospf 42 area 0
!

PE1 router:

interface Loopback 0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
ip vrf CUST1
rd 1:1
route-target both 1:1
!
interface fastethernet 0/0
ip vrf forwarding CUST1
ip address 172.16.1.3 255.255.255.0
ip ospf 42 area 0
standby 10 ip 172.16.1.1
standby 10 preempt
standby 10 priority 105
standby 10 track fastethernet 0/1
!
interface fastethernet 0/1
ip address 10.1.1.1 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router ospf 1
redistribute bgp 100 metric 10 subnets
!
router bgp 100
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute ospf 42 vrf CUST1 metric 10 match internal
exit-address-family
!

PE2 router:

interface Loopback 0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
ip vrf CUST1
rd 1:1
route-target both 1:1
!
interface fastethernet 0/0
ip vrf forwarding CUST1
ip address 172.16.1.4 255.255.255.0
ip ospf 42 area 0
standby 10 ip 172.16.1.1
standby 10 preempt
!
interface fastethernet 0/1
ip address 10.2.2.1 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router ospf 1
redistribute bgp 100 metric 10 subnets
!
router bgp 100
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute ospf 42 vrf CUST1 metric 10 match internal
exit-address-family
!

PE3 router:

interface Loopback 0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
ip vrf CUST1
rd 1:1
route-target both 1:1
!
interface fastethernet 1/0
ip vrf forwarding CUST1
ip address 172.16.2.1 255.255.255.252
ip ospf 42 area 0
!
interface fastethernet 0/0
ip address 10.1.1.2 255.255.255.252
ip ospf 1 area 0
mpls ip
!
interface fastethernet 0/1
ip address 10.2.2.2 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router ospf 1
redistribute bgp 100 metric 10 subnets
!
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback 0
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute ospf 42 vrf CUST1 metric 10 match internal
exit-address-family
!

VRF Selection using Source IP Address:

• Traffic from CE1 router should only be forwarded to ISP1. The CE1 router
interface is associated with the VPN1 VRF.
• Traffic from CE2 router should only be forwarded to ISP2. The CE2 router
interface is associated with the VPN2 VRF.
• Traffic whose source IP address matches no entry is forwarded to the Null 0
interface, i.e. dropped.

CE1 router:

interface serial 0/0
ip address 172.16.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!

CE2 router:

interface serial 0/0
ip address 172.17.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 172.17.1.2
!

PE1 router:

mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
ip vrf VPN1
rd 1:1
route-target both 1:1
!
ip vrf VPN2
rd 1:2
route-target both 1:2
!
ip vrf VRF_DROP
rd 99:99
route-target both 99:99
!
vrf selection source 172.16.1.0 255.255.255.252 vrf VPN1
!
vrf selection source 172.17.1.0 255.255.255.252 vrf VPN2
!
vrf selection source 0.0.0.0 0.0.0.0 vrf VRF_DROP
!
interface serial 1/0
ip vrf select source
ip vrf receive VPN1
ip vrf receive VPN2
ip vrf receive VRF_DROP
ip address 172.16.1.2 255.255.255.252
!
interface serial 1/1
ip vrf select source
ip vrf receive VPN1
ip vrf receive VPN2
ip vrf receive VRF_DROP
ip address 172.17.1.2 255.255.255.252
!
ip route vrf VRF_DROP 0.0.0.0 0.0.0.0 Null 0
!
interface serial 2/0
ip vrf forwarding VPN1
ip address 172.16.1.5 255.255.255.252
!
interface Fastethernet 0/0
ip address 10.1.1.1 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router bgp 100
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
exit-address-family
!
address-family ipv4 vrf VPN1
redistribute connected
exit-address-family
!
address-family ipv4 vrf VPN2
redistribute connected
exit-address-family
!

PE2 router:

mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
interface Loopback 0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
ip vrf VPN2
rd 1:2
route-target both 1:2
!
interface serial 1/0
ip vrf forwarding VPN2
ip address 172.17.1.5 255.255.255.252
!
interface Fastethernet 0/0
ip address 10.1.1.2 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback 0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
exit-address-family
!
address-family ipv4 vrf VPN2
redistribute connected
exit-address-family
!

A few commands to note:

1) ip vrf receive <vrf-name> - adds all the IP addresses that are associated with an
interface into a VRF table. These IP addresses are inserted as "Connected" routes
and appear as "receive" entries in the CEF table.

2) ip vrf select source - enables the VRF Selection feature on a particular interface
or sub-interface.

3) vrf selection source <source-ip-address> <source-ip-mask> vrf <vrf-name> -
populates a single source IP address or a range of source IP addresses into the VRF
Selection table.
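The decision PE1 makes for each packet arriving on serial 1/0 or 1/1 can be reproduced outside the router. The following is an added example (not IOS code and not part of the original note) that models the three vrf selection source entries above as a longest-match table keyed on the source address; the per-VRF default routes and the sample source addresses are constructed for the example. Because the selection key is the source address alone, a real deployment pairs this feature with ingress anti-spoofing filtering on the customer links.

```python
"""Added example: VRF Selection by source IP, modelled on the PE1 configuration above.

This is not IOS code; it reproduces the lookup PE1 performs for each packet that
enters an interface with 'ip vrf select source' configured.
"""
from ipaddress import ip_address, ip_network

# Mirrors PE1's three 'vrf selection source' statements (values from the note).
VRF_SELECTION_TABLE = {
    ip_network("172.16.1.0/255.255.255.252"): "VPN1",
    ip_network("172.17.1.0/255.255.255.252"): "VPN2",
    ip_network("0.0.0.0/0"): "VRF_DROP",          # catch-all entry
}

# Constructed per-VRF forwarding tables (one default route each), assumed for
# the example; VRF_DROP's default points at Null 0 exactly as on PE1.
VRF_DEFAULT_ROUTE = {
    "VPN1": "Serial2/0",
    "VPN2": "MPLS core towards PE2",
    "VRF_DROP": "Null0",
}


def select_vrf(src, table=VRF_SELECTION_TABLE):
    """Return the VRF for a packet's *source* address.

    The selection table is keyed on source prefix; the most specific entry
    wins, so 172.16.1.0/30 beats the 0.0.0.0/0 catch-all.  Returns None only
    when the table has no catch-all and nothing matches.
    """
    addr = ip_address(src)
    best_net, best_vrf = None, None
    for net, vrf in table.items():
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_vrf = net, vrf
    return best_vrf


def forward(src):
    """Classify a packet and report where the selected VRF sends it.

    Returns (vrf, next_hop, delivered); 'delivered' is False when the lookup
    lands in VRF_DROP, whose only route is the Null 0 default.
    """
    vrf = select_vrf(src)
    if vrf is None:
        return None, None, False
    next_hop = VRF_DEFAULT_ROUTE[vrf]
    return vrf, next_hop, next_hop != "Null0"


def classify_batch(sources):
    """Summarise a batch of source addresses per VRF (useful when auditing the table)."""
    summary = {}
    for src in sources:
        vrf, _, delivered = forward(src)
        summary.setdefault(vrf, {"delivered": 0, "dropped": 0})
        summary[vrf]["delivered" if delivered else "dropped"] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample: CE1's address, CE2's address, and one address that
    # matches neither customer range.
    for src in ("172.16.1.1", "172.17.1.1", "192.0.2.9"):
        print(src, "->", forward(src))
```

Note that 172.16.1.4 falls outside 172.16.1.0/30 and therefore lands in VRF_DROP: the /30 mask in the selection entry is what keeps the match tight.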

GRE Tunnel with VRF:

CE1 (R0) router:

interface Loopback0
ip address 15.1.1.1 255.255.255.255
ip ospf 42 area 0
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 10.2.2.2
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
!
router ospf 42
network 192.168.1.0 0.0.0.3 area 0
!
router ospf 2
network 10.1.1.0 0.0.0.3 area 0
!

CE2 (R1) router:

interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.252
!
interface FastEthernet0/1
ip address 10.2.2.1 255.255.255.252
!
router ospf 2
network 10.1.1.0 0.0.0.3 area 0
network 10.2.2.0 0.0.0.3 area 0
!

PE1 (R2) router:

ip vrf Blue
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf Green
rd 1:2
route-target export 1:2
route-target import 1:2
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel0
ip vrf forwarding Green
ip address 192.168.1.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 10.1.1.1
tunnel vrf Blue
!
interface FastEthernet0/0
ip vrf forwarding Blue
ip address 10.2.2.2 255.255.255.252
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.252
ip ospf 1 area 0
mpls ip
!
router ospf 42 vrf Green
redistribute bgp 100 metric 10 subnets
network 192.168.1.0 0.0.0.3 area 0
!
router ospf 2 vrf Blue
redistribute bgp 100 metric 10 subnets
network 10.2.2.0 0.0.0.3 area 0
!
router bgp 100
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf Green
redistribute ospf 42 vrf Green metric 10 match internal
exit-address-family
!
address-family ipv4 vrf Blue
redistribute ospf 2 vrf Blue metric 10 match internal
exit-address-family
!

PE2 (R3) router:

ip vrf Blue
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf Green
rd 1:2
route-target export 1:2
route-target import 1:2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.252
ip ospf 1 area 0
mpls ip
!
interface FastEthernet0/1
ip vrf forwarding Blue
ip address 10.3.3.1 255.255.255.252
!
interface FastEthernet1/0
ip vrf forwarding Green
ip address 10.4.4.1 255.255.255.252
!
router ospf 42 vrf Green
redistribute bgp 100 metric 10 subnets
network 10.4.4.0 0.0.0.3 area 0
!
router ospf 2 vrf Blue
redistribute bgp 100 metric 10 subnets
network 10.3.3.0 0.0.0.3 area 0
!
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf Green
redistribute ospf 42 vrf Green metric 10 match internal
exit-address-family
!
address-family ipv4 vrf Blue
redistribute ospf 2 vrf Blue metric 10 match internal
exit-address-family
!
The following output on CE1 (R0) router shows that it has received the remote
10.4.4.0/30 prefix and that it is reachable via the GRE tunnel.

The output on PE1 router shows that 10.3.3.0/30 belongs to vrf Blue, while
10.4.4.0/30 and 192.168.1.0/30 (the GRE tunnel prefix) belong to vrf Green.

Successful ping from PE2 router to the CE1 loopback.

Successful ping from PE2 router to the CE1 fa 0/0 interface that belongs to vrf Blue.

The routing table on CE4 router shows that 15.1.1.1/32 of CE1 router is available.

BGP Route-Reflection with ORF Capability:

• To filter the updates at the PE-routers so that they are not sent toward route
reflectors that do not need them, and also to make this dynamic so that
extensive filtering configuration is not necessary on the PE routers.
• Using the ORF capability, each route reflector is preconfigured with a list of
route targets that it will accept for reflection to any PE-clients.

PE1 router:

ip vrf CUST1
rd 1:1
route-target both 1:1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface serial 0/0
ip vrf forwarding CUST1
ip address 172.16.1.1 255.255.255.252
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
ip ospf 1 area 0
!
router bgp 100
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 update-source Loopback 0
!
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
neighbor 5.5.5.5 capability orf prefix-list send
neighbor 5.5.5.5 prefix-list CUST1_ROUTES in
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!
ip prefix-list CUST1_ROUTES seq 5 permit 172.16.2.0/30
!

PE2 router:

ip vrf CUST2
rd 2:2
route-target both 2:2
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
interface serial 0/0
ip vrf forwarding CUST2
ip address 172.17.1.1 255.255.255.252
!
interface FastEthernet0/0
ip address 10.2.2.1 255.255.255.252
ip ospf 1 area 0
!
router bgp 100
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 update-source Loopback 0
!
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
neighbor 5.5.5.5 capability orf prefix-list send
neighbor 5.5.5.5 prefix-list CUST2_ROUTES in
exit-address-family
!
address-family ipv4 vrf CUST2
redistribute connected
exit-address-family
!
ip prefix-list CUST2_ROUTES seq 5 permit 172.17.2.0/30
!

PE3 router:

ip vrf CUST1
rd 1:1
route-target both 1:1
!
ip vrf CUST2
rd 2:2
route-target both 2:2
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface serial 0/0
ip vrf forwarding CUST1
ip address 172.17.1.1 255.255.255.252
!
interface serial 0/1
ip vrf forwarding CUST2
ip address 172.17.2.1 255.255.255.252
!
interface FastEthernet0/0
ip address 10.3.3.2 255.255.255.252
ip ospf 1 area 0
!
router bgp 100
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 update-source Loopback 0
!
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
neighbor 5.5.5.5 capability orf prefix-list send
neighbor 5.5.5.5 prefix-list CUST_ROUTES in
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!
address-family ipv4 vrf CUST2
redistribute connected
exit-address-family
!
ip prefix-list CUST_ROUTES seq 5 permit 172.16.1.0/30
ip prefix-list CUST_ROUTES seq 15 permit 172.17.1.0/30
!

Route_Reflector router:

interface Loopback0
ip address 5.5.5.5 255.255.255.255
ip ospf 1 area 0
!
interface serial 0/0
ip address 10.2.2.6 255.255.255.252
!
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback 0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback 0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 capability orf prefix-list receive
neighbor 1.1.1.1 route-reflector-client
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 capability orf prefix-list receive
neighbor 3.3.3.3 route-reflector-client
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 capability orf prefix-list receive
neighbor 4.4.4.4 route-reflector-client
bgp rr-group 1
exit-address-family
!
ip extcommunity-list 1 permit rt 1:1 rt 1:2
!

The following output shows that the Route_Reflector router receives all the prefixes
connected to PE routers PE1, PE2 and PE3.

This output shows that PE1 router is receiving one prefix from the Route_Reflector
router.

And that prefix is 172.16.2.0/30 as it has specified only that prefix to be received from
the Route_Reflector router using ORF capability.

The output shows a successful ping from PE1 router to the CUST1 prefix on PE3 router.
However, the traceroute output shows that the packets are sent directly through the
P_Router rather than through the Route_Reflector router.
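To make the two filtering stages on the Route_Reflector concrete, here is an added example (plain Python, not IOS and not from the original note). Each PE's inbound prefix-list is the ORF it pushes to the RR, and the RR applies it on its own outbound side before reflecting; the RR's bgp rr-group RT check is modelled by rr_accept. The VPNv4 table and the RR's RT allow-list are constructed for the example, with PE3's CUST1 link shown as 172.16.2.0/30, the prefix the text above says PE1 receives.

```python
"""Added example: ORF between PE clients and a VPNv4 route reflector.

Not IOS code.  Models the page's scenario: each PE pushes its inbound
prefix-list to the Route_Reflector ('capability orf prefix-list send'), and the
RR applies that list when choosing what to reflect ('... receive').
"""
from collections import namedtuple
from ipaddress import ip_network

VpnRoute = namedtuple("VpnRoute", "rd prefix rts origin")

# Prefix-list entries as (seq, action, prefix).  Exact match only, as on the
# page (no ge/le); first match in sequence order wins, implicit deny at the end.
PE1_ORF = [(5, "permit", "172.16.2.0/30")]                                   # CUST1_ROUTES
PE2_ORF = [(5, "permit", "172.17.2.0/30")]                                   # CUST2_ROUTES
PE3_ORF = [(5, "permit", "172.16.1.0/30"), (15, "permit", "172.17.1.0/30")]  # CUST_ROUTES


def prefix_list_permits(plist, prefix):
    """IOS-style prefix-list evaluation for an exact-length entry."""
    net = ip_network(prefix)
    for _seq, action, entry in sorted(plist):
        if net == ip_network(entry):
            return action == "permit"
    return False


def rr_accept(routes, allowed_rts):
    """RT-based filtering at the RR ('bgp rr-group' with an extcommunity-list).

    A route survives if at least one of its RTs is in the allowed set.
    """
    return [r for r in routes if r.rts & allowed_rts]


def rr_reflect(rr_table, client, client_orf):
    """Routes the RR sends to 'client' after applying the ORF it received.

    A client's own routes are never reflected back to it.
    """
    return [r for r in rr_table
            if r.origin != client and prefix_list_permits(client_orf, r.prefix)]


def updates_saved(rr_table, client, client_orf):
    """How many prefixes ORF removed from the client's inbound update stream."""
    without_own = [r for r in rr_table if r.origin != client]
    return len(without_own) - len(rr_reflect(rr_table, client, client_orf))


# Constructed VPNv4 table as the RR holds it: the connected customer links each
# PE redistributes.  The RT allow-list is also constructed for the example.
RR_TABLE = rr_accept([
    VpnRoute("1:1", "172.16.1.0/30", frozenset({"1:1"}), "PE1"),
    VpnRoute("2:2", "172.17.1.0/30", frozenset({"2:2"}), "PE2"),
    VpnRoute("1:1", "172.16.2.0/30", frozenset({"1:1"}), "PE3"),
    VpnRoute("2:2", "172.17.2.0/30", frozenset({"2:2"}), "PE3"),
], allowed_rts=frozenset({"1:1", "2:2"}))


if __name__ == "__main__":
    for name, orf in (("PE1", PE1_ORF), ("PE2", PE2_ORF), ("PE3", PE3_ORF)):
        print(name, [r.prefix for r in rr_reflect(RR_TABLE, name, orf)])
```

The exact-match rule matters: a CUST1_ROUTES entry of 172.16.2.0/30 does not admit 172.16.2.0/24, so a client that wants a whole aggregate needs a ge/le entry, not just the summary.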

BGP Confederation with Multiple IGP environment:

PE1 router:

ip vrf CUST1
rd 1:1
route-target both 1:1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 65001 area 0
!
interface serial 0/0
ip vrf forwarding CUST1
ip address 172.16.1.1 255.255.255.252
!
router bgp 65001
bgp confederation identifier 100
neighbor 2.2.2.2 remote-as 65001
neighbor 2.2.2.2 update-source Loopback 0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!

PE2 router:

ip vrf CUST2
rd 2:2
route-target both 2:2
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 65002 area 0
!
interface serial 0/0
ip vrf forwarding CUST2
ip address 172.17.1.1 255.255.255.252
!
router bgp 65002
bgp confederation identifier 100
neighbor 3.3.3.3 remote-as 65002
neighbor 3.3.3.3 update-source Loopback 0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST2
redistribute connected
exit-address-family
!

P1 router:

interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 65001 area 0
!
router bgp 65001
no bgp default route-target filter
bgp confederation identifier 100
bgp confederation peers 65002 65003
neighbor 1.1.1.1 remote-as 65001
neighbor 1.1.1.1 update-source Loopback 0
neighbor 192.168.1.2 remote-as 65002
neighbor 192.168.2.2 remote-as 65003
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 192.168.1.2 activate
neighbor 192.168.1.2 next-hop-self
neighbor 192.168.2.2 activate
neighbor 192.168.2.2 next-hop-self
exit-address-family
!
router ospf 65001
redistribute connected subnets
!

P2 router:

interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip ospf 65002 area 0
!
router bgp 65002
no bgp default route-target filter
bgp confederation identifier 100
bgp confederation peers 65001 65003
neighbor 4.4.4.4 remote-as 65002
neighbor 4.4.4.4 update-source Loopback 0
neighbor 192.168.1.1 remote-as 65001
neighbor 192.168.2.6 remote-as 65003
!
address-family vpnv4
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 next-hop-self
neighbor 192.168.2.6 activate
neighbor 192.168.2.6 next-hop-self
exit-address-family
!
router ospf 65002
redistribute connected subnets
!

PE3 router:

ip vrf CUST1
rd 1:1
route-target both 1:1
!
ip vrf CUST2
rd 2:2
route-target both 2:2
!
interface Loopback0
ip address 7.7.7.7 255.255.255.255
ip ospf 65003 area 0
!
interface serial 0/0
ip vrf forwarding CUST1
ip address 172.17.1.1 255.255.255.252
!
interface serial 0/1
ip vrf forwarding CUST2
ip address 172.17.2.1 255.255.255.252
!
router bgp 65003
bgp confederation identifier 100
neighbor 6.6.6.6 remote-as 65003
neighbor 6.6.6.6 update-source Loopback 0
!
address-family vpnv4
neighbor 6.6.6.6 activate
neighbor 6.6.6.6 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!
address-family ipv4 vrf CUST2
redistribute connected
exit-address-family
!

P3 router:

interface Loopback0
ip address 6.6.6.6 255.255.255.255
ip ospf 65003 area 0
!
router bgp 65003
bgp confederation identifier 100
bgp confederation peers 65001 65002
neighbor 7.7.7.7 remote-as 65003
neighbor 7.7.7.7 update-source Loopback 0
neighbor 192.168.2.1 remote-as 65001
neighbor 192.168.2.5 remote-as 65002
!
address-family vpnv4
neighbor 7.7.7.7 activate
neighbor 7.7.7.7 send-community both
neighbor 192.168.2.1 activate
neighbor 192.168.2.1 next-hop-self
neighbor 192.168.2.5 activate
neighbor 192.168.2.5 next-hop-self
exit-address-family
!
router ospf 65003
redistribute connected subnets
!

The following output shows that the PE3 router has received VPNv4 routes from PE1
and PE2 routers. The AS path shows the sub-AS numbers in parentheses.

Network Management of Customer links using Export-map:

PE1 router:

ip vrf CUST1
rd 1:1
route-target import 1:1
export map CUST1_Routes
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface serial 0/0
ip vrf forwarding CUST1
ip address 172.16.1.1 255.255.255.252
!
access-list 1 permit 172.16.1.0 0.0.0.3
access-list 2 permit any
!
route-map CUST1_Routes permit 10
match ip address 1
set extcommunity rt 100:100
!
route-map CUST1_Routes permit 20
match ip address 2
set extcommunity rt 1:1
!
router bgp 100
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!

PE2 router:

ip vrf CUST1
rd 1:1
route-target import 1:1
export map CUST1_Routes
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf 1 area 0
!
interface serial 0/0
ip vrf forwarding CUST1
ip address 172.16.2.1 255.255.255.252
!
access-list 1 permit 172.16.2.0 0.0.0.3
access-list 2 permit any
!
route-map CUST1_Routes permit 10
match ip address 1
set extcommunity rt 100:100
!
route-map CUST1_Routes permit 20
match ip address 2
set extcommunity rt 1:1
!
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback 0
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback 0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!

NMS_Router:

ip vrf Net_Mgmt
rd 100:100
route-target import 100:100
!
interface Loopback 0
ip address 3.3.3.3 255.255.255.255
ip ospf 1 area 0
!
router bgp 100
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback 0
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community both
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
exit-address-family
!

The following output shows normal MPLS VPN operation, where PE1 router receives the
172.16.2.0/30 prefix from PE2 router.

The following is taken from NMS_Router and shows that it is receiving the customer
link in its Net_Mgmt VRF table. It shows only 172.16.1.0/30 because, at the time of
implementation, the export-map was configured only on PE1 router.

The following output clearly shows that the NMS_Router accepts customer routes
with RT 100:100 only. Hence, the export-map works on the PE1 router.
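What the export map does to each route can be traced by hand; the following added example (plain Python, not IOS and not part of the original note) models PE1's CUST1_Routes map and the RT-based import on the receiving side. It follows IOS semantics for set extcommunity rt, which replaces the VRF's export RTs unless the additive keyword is given; since CUST1 here has no route-target export at all, the map alone decides the RTs. The 172.16.10.0/24 customer prefix is constructed for the example to show what a non-link route gets.

```python
"""Added example: RT assignment by export map and RT-based import, not IOS code.

Models PE1's VRF CUST1 above: 'export map CUST1_Routes' stamps the customer
link prefix with RT 100:100 (route-map seq 10) and everything else with RT 1:1
(seq 20).  Net_Mgmt imports 100:100; remote CUST1 VRFs import 1:1.
"""
from ipaddress import ip_network

# route-map CUST1_Routes as (seq, networks matched by the ACL, RTs to set).
# access-list 1 = 172.16.1.0 0.0.0.3 -> 172.16.1.0/30; access-list 2 = any.
CUST1_ROUTES_MAP = [
    (10, ["172.16.1.0/30"], frozenset({"100:100"})),
    (20, ["0.0.0.0/0"], frozenset({"1:1"})),
]


def acl_matches(networks, prefix):
    """Standard-ACL semantics as used by 'match ip address': the route's
    network address must fall inside a permitted wildcard range."""
    net = ip_network(prefix)
    return any(net.network_address in ip_network(n) for n in networks)


def export_rts(prefix, route_map, static_rts=frozenset(), additive=False):
    """RTs a route carries when exported from the VRF.

    The first matching route-map entry wins.  Without 'additive', 'set
    extcommunity rt' replaces the RTs configured with 'route-target export';
    with it, the two sets are merged.  A route matched by no entry keeps only
    the static RTs.
    """
    for _seq, networks, rts in sorted(route_map):
        if acl_matches(networks, prefix):
            return (rts | static_rts) if additive else rts
    return static_rts


def export_vrf(vrf_routes, route_map, static_rts=frozenset(), additive=False):
    """Return {prefix: RT set} for every route leaving the VRF."""
    return {p: export_rts(p, route_map, static_rts, additive) for p in vrf_routes}


def import_vrf(vpnv4_routes, import_rts):
    """Prefixes a receiving VRF installs: one shared RT is enough."""
    return sorted(p for p, rts in vpnv4_routes.items() if rts & import_rts)


# Constructed PE1 CUST1 table: the connected serial link from the page plus an
# assumed customer prefix learned from the CE.
PE1_CUST1 = ["172.16.1.0/30", "172.16.10.0/24"]


if __name__ == "__main__":
    exported = export_vrf(PE1_CUST1, CUST1_ROUTES_MAP)
    for prefix, rts in exported.items():
        print(prefix, sorted(rts))
    print("Net_Mgmt sees:", import_vrf(exported, frozenset({"100:100"})))
    print("remote CUST1 sees:", import_vrf(exported, frozenset({"1:1"})))
```

Because seq 10 sets only 100:100, the link prefix is visible to Net_Mgmt and to nothing importing 1:1; if the customer VRF on the far PE also needs the link prefix, the map must set both RTs (or use additive with a static export RT).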

MPLS VPN over DMVPN (aka 2547oDMVPN):

• In MPLS VPN, the top label represents the route across the backbone to the
egress PE router. This label is called the "backbone route label".
• The bottom label is always the "VPN route label", which is not seen until the
packet reaches its point of egress.
• Use of PE-PE IPSec in 2547 VPN specifies the procedure to replace the
backbone route label with IPSec encapsulation. In other words, the LSP is
replaced by an IPSec tunnel. In effect, this creates an MPLS-in-IPSec
encapsulation, in which the VPN route label is carried across the backbone in
IPSec encapsulation. The MPLS label stack then contains only one label.
• The approach uses an MPLS-in-IP or MPLS-in-GRE encapsulation to turn an
MPLS packet back into an IP packet. This creates an IP or GRE tunnel between
the ingress and egress PE routers.
• Finally, it uses IPSec transport mode to secure the IP or GRE tunnel.
• Thus, MPLS packets get sent through an IPSec-secured IP or GRE tunnel.
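The one-label stack the bullets describe can be built and parsed byte for byte. The following added example (plain Python, not Cisco code and not from the original note) encodes MPLS-in-GRE with only the VPN route label, then performs the egress PE's half: pop the single label, look it up in the PE's own label table, and hand the payload to the matching VRF. The label-to-VRF table and the sample payload are constructed for the example. In the lab configuration the GRE tunnel is protected by IPSec with DES, MD5 and a wildcard pre-shared key; a production profile would use an AES/SHA-2 transform-set and bind keys to specific peers, since the integrity of that one label is what keeps each customer's traffic in its own VRF.

```python
"""Added example: MPLS-in-GRE with a one-label stack, as 2547oDMVPN carries it.

Not Cisco code.  Builds the encapsulation described above (GRE carrying only
the VPN route label, the backbone label having been replaced by the tunnel)
and shows the egress PE's side: pop the label, map it to a VRF, deliver.
"""
import struct

GRE_PROTO_MPLS_UNICAST = 0x8847   # GRE protocol type for MPLS unicast (RFC 4023)


def mpls_label_entry(label, tc=0, bottom=True, ttl=64):
    """Encode one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((tc & 7) << 9) | (int(bottom) << 8) | (ttl & 0xFF))


def gre_mpls_encap(labels, payload, ttl=64):
    """GRE header (no checksum/key/sequence) followed by the label stack.

    'labels' is given top-to-bottom; the last entry gets the bottom-of-stack
    bit.  In the 2547oDMVPN case the list holds the single VPN label.
    """
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS_UNICAST)
    stack = b"".join(mpls_label_entry(lbl, bottom=(i == len(labels) - 1), ttl=ttl)
                     for i, lbl in enumerate(labels))
    return gre + stack + payload


def gre_mpls_decap(frame):
    """Parse GRE + label stack; return ([(label, tc, ttl), ...], payload)."""
    if len(frame) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", frame[:4])
    if proto != GRE_PROTO_MPLS_UNICAST:
        raise ValueError("not MPLS-in-GRE: protocol 0x%04x" % proto)
    if flags != 0:
        raise ValueError("GRE options are not handled in this example")
    labels, off = [], 4
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated label stack")
        (entry,) = struct.unpack("!I", frame[off:off + 4])
        off += 4
        labels.append((entry >> 12, (entry >> 9) & 7, entry & 0xFF))
        if (entry >> 8) & 1:          # bottom-of-stack bit set
            break
    return labels, frame[off:]


# Constructed egress-PE label table: VPN label -> VRF (values are assumptions).
VPN_LABEL_TABLE = {16: "CUST1", 17: "CUST2"}


def egress_deliver(frame, label_table=VPN_LABEL_TABLE):
    """Egress PE behaviour: exactly one label is expected and it must be one
    this PE allocated; anything else is dropped (returns None)."""
    labels, payload = gre_mpls_decap(frame)
    if len(labels) != 1:
        return None
    vrf = label_table.get(labels[0][0])
    if vrf is None:
        return None
    return vrf, payload


if __name__ == "__main__":
    pkt = b"constructed-customer-ipv4-packet"
    frame = gre_mpls_encap([16], pkt)
    print(frame[:8].hex())        # 0000 8847 followed by the label entry
    print(egress_deliver(frame))
```

The decoder still walks a full stack, so the same parser shows the contrast with plain MPLS: a two-label frame (backbone label on top, VPN label at the bottom) parses fine but is refused by the egress routine, which in this design only ever expects the VPN label.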

PE1 router:

crypto isakmp policy 10
encryption des
authentication pre-share
hash md5
group 2
!
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto ipsec profile PROFILE
set transform-set TS
!
ip vrf CUST1
rd 1:1
route-target both 1:1
!
ip vrf CUST2
rd 2:2
route-target both 2:2
!
interface Fastethernet 0/0
ip address 10.1.1.1 255.255.255.252
ip ospf 1 area 0
!
interface Loopback 1
ip vrf forwarding CUST1
ip address 192.168.5.1 255.255.255.255
!
interface Loopback 2
ip vrf forwarding CUST2
ip address 192.168.2.1 255.255.255.255
!
interface Tunnel 0
ip address 192.168.1.1 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel protection ipsec profile PROFILE
mpls ip
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1234
ip nhrp holdtime 450
!
router bgp 100
neighbor 192.168.1.2 remote-as 100
neighbor 192.168.1.2 update-source Tunnel 0
neighbor 192.168.1.3 remote-as 100
neighbor 192.168.1.3 update-source Tunnel 0
!
address-family vpnv4
neighbor 192.168.1.2 activate
neighbor 192.168.1.2 send-community both
neighbor 192.168.1.3 activate
neighbor 192.168.1.3 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!
address-family ipv4 vrf CUST2
redistribute connected
exit-address-family
!

PE3 router:

crypto isakmp policy 10
encryption des
authentication pre-share
hash md5
group 2
!
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto ipsec profile PROFILE
set transform-set TS
!
ip vrf CUST1
rd 1:1
route-target both 1:1
!
interface Fastethernet 0/0
ip address 10.2.2.2 255.255.255.252
ip ospf 1 area 0
!
interface Loopback 1
ip vrf forwarding CUST1
ip address 192.168.3.1 255.255.255.255
!
interface Tunnel 0
ip address 192.168.1.2 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel protection ipsec profile PROFILE
mpls ip
ip nhrp nhs 192.168.1.1
ip nhrp map multicast dynamic
ip nhrp map multicast 10.1.1.1
ip nhrp map 192.168.1.1 10.1.1.1
ip nhrp authentication cisco
ip nhrp network-id 1234
ip nhrp holdtime 450
!
router bgp 100
neighbor 192.168.1.1 remote-as 100
neighbor 192.168.1.1 update-source Tunnel 0
!
address-family vpnv4
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 send-community both
exit-address-family
!
address-family ipv4 vrf CUST1
redistribute connected
exit-address-family
!

PE4 router:

crypto isakmp policy 10


encryption des
authentication pre-share
hash md5
group 2
!
crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto ipsec profile PROFILE
set transform-set TS
!
ip vrf CUST2
rd 2:2
route-target both 2:2
!
interface Fastethernet 0/0
ip address 10.1.1.6 255.255.255.252
ip ospf 1 area 0
!
interface Loopback 1
ip vrf forwarding CUST2
ip address 192.168.4.1 255.255.255.255
!
interface Tunnel 0
ip address 192.168.1.3 255.255.255.0
tunnel mode gre multipoint
tunnel source fastethernet 0/0
tunnel protection ipsec profile PROFILE
mpls ip
ip nhrp nhs 192.168.1.1
ip nhrp map multicast dynamic
ip nhrp map multicast 10.1.1.1
ip nhrp map 192.168.1.1 10.1.1.1
ip nhrp authentication cisco
ip nhrp network-id 1234
ip nhrp holdtime 450
!
router bgp 100
neighbor 192.168.1.1 remote-as 100
neighbor 192.168.1.1 update-source Tunnel 0
!
address-family vpnv4
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 send-community both
exit-address-family
!
address-family ipv4 vrf CUST2
redistribute connected
exit-address-family
!

The following output is taken from PE1 router and shows that it is receiving
VPNv4 routes. It shows that the route 192.168.3.1/32 received from PE3 router has
been assigned a VPN label.

The output from PE4 router shows that it has only one IPSec session, i.e. with the
PE1 router.

When PE4 router pings the tunnel IP address of PE3 router (or sends any other
traffic to PE3 router), it dynamically creates an IPSec session with the PE3 router
instead of going through PE1 router.
