Sunday, May 19, 2013

MPLS L3VPN Internet Access



Issue

In the topology above we have two VRFs: MSSK, which connects R1 and R5 to the service provider backbone, and ABC, which connects R7 to the service provider core.
The aim is to give these customers Internet access, which is represented by the Loopback0 interface of R8; R8 is located in AS#1.
R3 will be the VPNv4 route reflector for the three PE routers, and BGP is the PE-CE routing protocol.

Configuration


R1

R1#sh run int f1/0
interface FastEthernet1/0
 ip address 172.1.12.1 255.255.255.0
 speed 100
 duplex full

R1#sh run int lo0
interface Loopback0
 ip address 172.16.1.1 255.255.255.255

R1#sh run | sec router bgp
router bgp 200
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 172.1.12.2 remote-as 100
 !
 address-family ipv4
  network 172.16.1.1 mask 255.255.255.255
  neighbor 172.1.12.2 activate
 exit-address-family

R2

R2#sh run int f1/0
interface FastEthernet1/0
 ip address 192.1.23.2 255.255.255.0
 ip router isis 1
 speed 100
 duplex full

R2#sh run int f1/1
interface FastEthernet1/1
 vrf forwarding MSSK
 ip address 172.1.12.2 255.255.255.0
 speed 100
 duplex full

R2#sh run int lo0
interface Loopback0
 ip address 2.2.2.2 255.255.255.255

R2#sh run | sec vrf def
vrf definition MSSK
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 !
 address-family ipv4
 exit-address-family
R2#sh run | sec router bgp
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf MSSK
  neighbor 172.1.12.1 remote-as 200
  neighbor 172.1.12.1 activate
  neighbor 172.1.12.1 send-community both
  neighbor 172.1.12.1 as-override
 exit-address-family
R2#sh run | sec router isis
 ip router isis 1
router isis 1
 net 49.0001.0000.0000.0002.00
 is-type level-2-only
 passive-interface Loopback0
 mpls ldp autoconfig

R3

R3#sh run int f1/0
interface FastEthernet1/0
 ip address 192.1.23.3 255.255.255.0
 ip nat inside
 ip router isis 1
 speed 100
 duplex full

R3#sh run int f1/1
interface FastEthernet1/1
 ip address 192.1.34.3 255.255.255.0
 ip nat inside
 ip router isis 1
 speed 100
 duplex full

R3#sh run int f2/0
interface FastEthernet2/0
 ip address 192.1.36.3 255.255.255.0
 ip nat inside
 ip router isis 1
 speed 100
 duplex full

R3#sh run int f2/1
interface FastEthernet2/1
 ip address 192.1.38.3 255.255.255.0
 ip nat outside
 speed 100
 duplex full

R3#sh run int lo0
interface Loopback0
 ip address 3.3.3.3 255.255.255.255

R3#sh run | sec router isis
router isis 1
 net 49.0001.0000.0000.0003.00
 is-type level-2-only
 passive-interface Loopback0
 mpls ldp autoconfig

R3#sh run | sec router bgp
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loopback0
 neighbor 192.1.38.8 remote-as 1
 !
 address-family ipv4
  network 212.118.0.0
  network 212.118.1.0
  neighbor 192.1.38.8 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
  neighbor 2.2.2.2 route-reflector-client
  neighbor 2.2.2.2 next-hop-self
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community both
  neighbor 4.4.4.4 route-reflector-client
  neighbor 4.4.4.4 next-hop-self
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 send-community both
  neighbor 6.6.6.6 route-reflector-client
  neighbor 6.6.6.6 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf ABC
  network 0.0.0.0
 exit-address-family
 !
 address-family ipv4 vrf MSSK
  network 0.0.0.0
 exit-address-family

R3#sh run | sec vrf def
vrf definition ABC
 rd 200:1
 route-target export 200:1
 route-target import 200:1
 !
 address-family ipv4
 exit-address-family
vrf definition MSSK
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 !
 address-family ipv4
 exit-address-family

R3#sh run | inc nat
ip nat pool MSSK_POOL 212.118.0.0 212.118.0.255 prefix-length 24
ip nat pool ABC_POOL 212.118.1.0 212.118.1.255 prefix-length 24
ip nat inside source list RFC pool ABC_POOL vrf ABC
ip nat inside source list RFC pool MSSK_POOL vrf MSSK

R3#sh run | sec ip access
ip access-list standard RFC
 permit 10.0.0.0 0.255.255.255
 permit 172.16.0.0 0.15.255.255
 permit 192.168.0.0 0.0.255.255

ip route 212.118.0.0 255.255.255.0 Null0
ip route 212.118.1.0 255.255.255.0 Null0
ip route vrf MSSK 0.0.0.0 0.0.0.0 192.1.38.8 global
ip route vrf ABC 0.0.0.0 0.0.0.0 192.1.38.8 global



R4

R4#sh run int f1/0
interface FastEthernet1/0
 ip address 192.1.34.4 255.255.255.0
 ip router isis 1
 speed 100
 duplex full

R4#sh run int f1/1
interface FastEthernet1/1
 vrf forwarding MSSK
 ip address 172.1.45.4 255.255.255.0
 speed 100
 duplex full

R4#sh run int lo0
interface Loopback0
 ip address 4.4.4.4 255.255.255.255

R4#sh run | sec router isis
router isis 1
 net 49.0001.0000.0000.0004.00
 is-type level-2-only
 passive-interface Loopback0
 mpls ldp autoconfig

R4#sh run | sec router bgp
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf MSSK
  neighbor 172.1.45.5 remote-as 200
  neighbor 172.1.45.5 activate
  neighbor 172.1.45.5 send-community both
  neighbor 172.1.45.5 as-override
 exit-address-family

R5

R5#sh run int f1/0
interface FastEthernet1/0
 ip address 172.1.45.5 255.255.255.0
 speed 100
 duplex full

R5#sh run int lo0
interface Loopback0
 ip address 172.16.5.5 255.255.255.255

R5#sh run | sec router bgp
router bgp 200
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 172.1.45.4 remote-as 100
 !
 address-family ipv4
  network 172.16.5.5 mask 255.255.255.255
  neighbor 172.1.45.4 activate
 exit-address-family

R6

R6#sh run int f1/0
interface FastEthernet1/0
 ip address 192.1.36.6 255.255.255.0
 ip router isis 1
 speed 100
 duplex full

R6#sh run int f1/1
interface FastEthernet1/1
 vrf forwarding ABC
 ip address 172.1.67.6 255.255.255.0
 speed 100
 duplex full

R6#sh run int lo0
interface Loopback0
 ip address 6.6.6.6 255.255.255.255

R6#sh run | sec router isis
router isis 1
 net 49.0001.0000.0000.0006.00
 is-type level-2-only
 passive-interface Loopback0
 mpls ldp autoconfig
R6#sh run | sec vrf def
vrf definition ABC
 rd 200:1
 route-target export 200:1
 route-target import 200:1
 !
 address-family ipv4
 exit-address-family

R6#sh run | sec router bgp
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf ABC
  neighbor 172.1.67.7 remote-as 300
  neighbor 172.1.67.7 activate
  neighbor 172.1.67.7 send-community both
 exit-address-family

R7

R7#sh run int f1/0
interface FastEthernet1/0
 ip address 172.1.67.7 255.255.255.0
 speed 100
 duplex full

R7#sh run int lo0
interface Loopback0
 ip address 192.168.7.7 255.255.255.255

R7#sh run | sec router bgp
router bgp 300
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 172.1.67.6 remote-as 100
 !
 address-family ipv4
  network 192.168.7.7 mask 255.255.255.255
  neighbor 172.1.67.6 activate
 exit-address-family

R8

R8#sh run int f1/0
interface FastEthernet1/0
 ip address 192.1.38.8 255.255.255.0
 speed 100
 duplex full

R8#sh run int lo0
interface Loopback0
 ip address 8.8.8.8 255.255.255.255

R8#sh run | sec router bgp
router bgp 1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 192.1.38.3 remote-as 100
 !
 address-family ipv4
  network 8.8.8.8 mask 255.255.255.255
  neighbor 192.1.38.3 activate
 exit-address-family

Verification

R1#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/20 ms

R5#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms

R7#ping 8.8.8.8 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/24 ms

R3#sh ip nat translations   
Pro Inside global      Inside local       Outside local      Outside global
icmp 212.118.0.2:2     172.16.1.1:2       8.8.8.8:2          8.8.8.8:2
--- 212.118.0.2        172.16.1.1         ---                ---
icmp 212.118.0.3:1     172.16.5.5:1       8.8.8.8:1          8.8.8.8:1
--- 212.118.0.3        172.16.5.5         ---                ---
icmp 212.118.1.2:1     192.168.7.7:1      8.8.8.8:1          8.8.8.8:1
--- 212.118.1.2        192.168.7.7        ---                ---
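
The translation table can be checked against R3's NAT configuration: every inside local address should match ACL RFC and be translated into the pool bound to its own VRF, so the two customers never share public addresses. The following Python check is an added example, not part of the original post; the ACL, pools and table are copied from this page, and the function names and the VRF_OF mapping are assumptions made for the example.

```python
import ipaddress

# Values copied from R3's configuration on this page.
RFC_ACL = [("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
           ("192.168.0.0", "0.0.255.255")]
POOLS = {"MSSK": ipaddress.ip_network("212.118.0.0/24"),
         "ABC": ipaddress.ip_network("212.118.1.0/24")}
# Assumed mapping: customer loopbacks (R1, R5, R7) to the VRF of their PE link.
VRF_OF = {"172.16.1.1": "MSSK", "172.16.5.5": "MSSK", "192.168.7.7": "ABC"}

# "sh ip nat translations" output from R3, as shown above.
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 212.118.0.2:2     172.16.1.1:2       8.8.8.8:2          8.8.8.8:2
--- 212.118.0.2        172.16.1.1         ---                ---
icmp 212.118.0.3:1     172.16.5.5:1       8.8.8.8:1          8.8.8.8:1
--- 212.118.0.3        172.16.5.5         ---                ---
icmp 212.118.1.2:1     192.168.7.7:1      8.8.8.8:1          8.8.8.8:1
--- 212.118.1.2        192.168.7.7        ---                ---
"""

def acl_permits(addr, acl=RFC_ACL):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    a = int(ipaddress.ip_address(addr))
    for base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if a & care == int(ipaddress.ip_address(base)) & care:
            return True
    return False  # implicit deny at the end of every ACL

def parse_translations(text):
    """Return unique (inside_global, inside_local) pairs with ports stripped."""
    rows = [l.split() for l in text.splitlines()[1:] if len(l.split()) >= 3]
    return list(dict.fromkeys((r[1].split(":")[0], r[2].split(":")[0]) for r in rows))

def audit(text):
    """Return findings; an empty list means every translation used its VRF's pool."""
    findings = []
    for inside_global, inside_local in parse_translations(text):
        vrf = VRF_OF.get(inside_local)
        if vrf is None or not acl_permits(inside_local):
            findings.append(f"{inside_local}: unexpected NAT source")
        elif ipaddress.ip_address(inside_global) not in POOLS[vrf]:
            findings.append(f"{inside_local} ({vrf}) -> {inside_global} outside {POOLS[vrf]}")
    return findings
```

audit(NAT_TABLE) returns an empty list for the output above. acl_permits("172.1.12.1") returns False: the PE-CE link addresses fall outside ACL RFC, so only traffic sourced from the customer loopbacks is translated.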

R1#sh ip bgp
BGP table version is 4, local router ID is 172.16.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          172.1.12.2                             0 100 i
 *>  172.16.1.1/32    0.0.0.0                  0         32768 i
 *>  172.16.5.5/32    172.1.12.2                             0 100 100 i

R5#sh ip bgp
BGP table version is 4, local router ID is 172.16.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          172.1.45.4                             0 100 i
 *>  172.16.1.1/32    172.1.45.4                             0 100 100 i
 *>  172.16.5.5/32    0.0.0.0                  0         32768 i

R7#sh ip bgp
BGP table version is 3, local router ID is 192.168.7.7
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  0.0.0.0          172.1.67.6                             0 100 i
 *>  192.168.7.7/32   0.0.0.0                  0         32768 i