
Tuesday, October 14, 2014

MPLS-VPN and Dual DM-VPN networks - Part I



Using the following topology I will demonstrate how to configure the SP network for MPLS-VPN and the customer network for dual DM-VPN, as I implemented it for one of my customers.

This is the network topology:


Device Roles:
R1, R2, R3, R9, R10 and R11 are all customer routers; all of them except R3 are also CE routers.
R4, R5, R7 and R8 - SP PE routers
R6 - SP P router

SP (Service Provider) network

Task 1: configure interfaces and IP addresses (internal)

Each router is configured with interface Loopback0 using its router number as the address, for example R6:
interface Loopback0
 ip address 6.6.6.6 255.255.255.255

Every WAN link (link between two routers) uses the following addressing scheme:
10.1.XY.Z/24
where XY is the two router numbers written one after the other and Z is the number of the router the address belongs to.

For example, the R4 to R6 link:

R4:
interface FastEthernet1/0
 ip address 10.1.46.4 255.255.255.0
 speed auto
 duplex auto

R6:
interface FastEthernet2/0
 ip address 10.1.46.6 255.255.255.0
 speed auto
 duplex auto

Task 2: configure MPLS

Pretty straightforward on all SP routers:
mpls label protocol ldp
mpls ldp router-id Loopback0 force

And on all SP network facing interfaces, R4 for example:
interface FastEthernet1/0
 ip address 10.1.46.4 255.255.255.0
 speed auto
 duplex auto
 mpls ip


Task 3: Configure IGP
OSPF is used as the IGP in the SP network in order to advertise all routers' Loopback0 interfaces (the LDP and BGP peering addresses).
R4:
router ospf 1
 network 4.4.4.4 0.0.0.0 area 0
 network 10.1.46.4 0.0.0.0 area 0

R6 also originates a default route to avoid black holes:
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 default-information originate always

Task 4: Configure iBGP

iBGP peering in the SP network is done between the Loopback0 addresses.

R4:
router bgp 65006
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 neighbor 6.6.6.6 remote-as 65006
 neighbor 6.6.6.6 update-source Loopback0
 !
 address-family ipv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 next-hop-self
 exit-address-family

And R6, the P router, is used as route reflector:
router bgp 65006
 bgp router-id 6.6.6.6
 bgp log-neighbor-changes
 neighbor IBGP peer-group
 neighbor IBGP remote-as 65006
 neighbor IBGP update-source Loopback0
 neighbor 4.4.4.4 peer-group IBGP
 neighbor 5.5.5.5 peer-group IBGP
 neighbor 7.7.7.7 peer-group IBGP
 neighbor 8.8.8.8 peer-group IBGP
 !
 address-family ipv4
  neighbor IBGP route-reflector-client
  neighbor 4.4.4.4 activate
  neighbor 5.5.5.5 activate
  neighbor 7.7.7.7 activate
  neighbor 8.8.8.8 activate
 exit-address-family

I also used a peer-group to save some keystrokes.

Task 5: Configure MP-BGP

MP-BGP (the VPNv4 address family) carries the customer VPN routes between the PE routers.

R4:
router bgp 65006
 address-family vpnv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 send-community both
  neighbor 6.6.6.6 next-hop-self
 exit-address-family

And R6, again as the route reflector:
 address-family vpnv4
  neighbor IBGP send-community both
  neighbor IBGP route-reflector-client
  neighbor 4.4.4.4 activate
  neighbor 5.5.5.5 activate
  neighbor 7.7.7.7 activate
  neighbor 8.8.8.8 activate
 exit-address-family

Task 6: Configure VRF (for ABC Company)

VRF for company ABC on each PE router (R4, R5, R7 and R8); this is the R4 configuration:
ip vrf ABC
 rd 4:65006
 route-target export 100:101
 route-target import 100:101
 route-target import 100:102
 route-target import 100:103

Note that each PE has its own RD and its own site RT. In this example R4 is connected to AS 65001, the customer data center, so it exports RT 100:101 and imports the RTs of all three sites (101, 102 and 103). The import and export lists are where we control which sites can see each other's routes: a site whose RT is not imported is simply invisible, which is how traffic between sites is shared or blocked on the SP side.
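As an added example (not code from the post), here is the RT import/export logic as a small model: a prefix exported by one PE appears in another PE's VRF only if the exporter's route-target export list and the importer's import list share a value. R4's RTs are taken from the configuration above; the RTs for R5, R7 and R8 are assumptions (branch sites 102 and 103 importing only the data center RT) and are marked as such in the code.

```python
"""Route-target visibility model for the ABC VRF.

Added example, not from the post. A route exported by one PE lands in another
PE's VRF table only if the two RT sets intersect. R4's RTs are the page's; the
RTs of the other PEs are hypothetical and marked as assumed.
"""
from itertools import permutations

# PE -> (route-target export set, route-target import set)
VRF_ABC = {
    "R4": ({"100:101"}, {"100:101", "100:102", "100:103"}),  # from the page
    "R5": ({"100:101"}, {"100:101", "100:102", "100:103"}),  # assumed: same site as R4
    "R7": ({"100:102"}, {"100:101", "100:102"}),             # assumed branch, imports DC only
    "R8": ({"100:103"}, {"100:101", "100:103"}),             # assumed branch, imports DC only
}


def imports_from(vrfs, src, dst):
    """True if prefixes exported by src are installed in dst's VRF table."""
    export, _ = vrfs[src]
    _, imp = vrfs[dst]
    return bool(export & imp)


def reachable(vrfs, a, b):
    """Traffic between two sites needs routes in both directions."""
    return imports_from(vrfs, a, b) and imports_from(vrfs, b, a)


def visibility_matrix(vrfs):
    """(src, dst) -> whether dst's VRF carries src's exported prefixes."""
    return {(s, d): imports_from(vrfs, s, d) for s, d in permutations(vrfs, 2)}


def check_policy(vrfs, must_reach, must_not_reach):
    """List the site pairs whose RT policy contradicts the intended design."""
    violations = []
    for a, b in must_reach:
        if not reachable(vrfs, a, b):
            violations.append(f"{a}<->{b} should reach but cannot")
    for a, b in must_not_reach:
        if reachable(vrfs, a, b):
            violations.append(f"{a}<->{b} should be blocked but can reach")
    return violations


def open_branch_to_branch(vrfs, branches):
    """Return a copy in which every branch also imports the other branches' RTs."""
    out = {pe: (set(e), set(i)) for pe, (e, i) in vrfs.items()}
    for a in branches:
        for b in branches:
            out[a][1].update(out[b][0])
    return out


if __name__ == "__main__":
    for (s, d), ok in sorted(visibility_matrix(VRF_ABC).items()):
        print(f"{s} -> {d}: {'visible' if ok else 'hidden'}")
    print(check_policy(VRF_ABC,
                       must_reach=[("R7", "R4"), ("R8", "R5")],
                       must_not_reach=[("R7", "R8")]))
```

Under these assumed branch RTs the data center sees every branch loopback while the two branches cannot see each other, the classic hub-and-spoke RT layout. Keep in mind that the spoke tunnels in this lab are phase 2 (the hubs disable next-hop-self for EIGRP), so direct spoke-to-spoke tunnels need the spoke loopbacks to be reachable from each other through the VPN; open_branch_to_branch shows the import change that enables that, and check_policy is the place to encode whichever of the two designs is intended before the VRF configuration is pushed.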

Task 7: Configure MP-BGP address family for VRF

BGP address family for the VRF with the PE-to-CE routing protocol, in this case BGP, on each PE router.

Here is R4 as example:
address-family ipv4 vrf ABC
  neighbor 10.1.14.1 remote-as 65001
  neighbor 10.1.14.1 activate
  neighbor 10.1.14.1 next-hop-self
  neighbor 10.1.14.1 soft-reconfiguration inbound
  neighbor 10.1.24.2 remote-as 65001
  neighbor 10.1.24.2 activate
  neighbor 10.1.24.2 next-hop-self
  neighbor 10.1.24.2 soft-reconfiguration inbound
 exit-address-family

Task 8: Configure interfaces and IP address (CE routers)

PE interfaces facing the CE routers, again on each PE router according to the IP addressing scheme.

R4:
interface FastEthernet2/0
 ip vrf forwarding ABC
 ip address 10.1.14.4 255.255.255.0
 speed auto
 duplex auto
!
interface FastEthernet1/1
 ip vrf forwarding ABC
 ip address 10.1.24.4 255.255.255.0
 speed auto
 duplex auto

In the case of R4 there are two interfaces facing CE routers, Fa1/1 and Fa2/0.
Once the SP network is configured we can move on to the customer network configuration.

ABC company network

Task 1: Configure interfaces and IP addresses

Each router follows the same IP addressing scheme.

R10 link to R8:
interface FastEthernet1/0
 ip address 10.1.108.10 255.255.255.0
 speed auto
 duplex auto

Task 2: Configure eBGP

Each CE peers with its PE using eBGP.

R10:
router bgp 65010
 bgp log-neighbor-changes
 network 10.10.10.10 mask 255.255.255.255
 neighbor 10.1.108.8 remote-as 65006
 neighbor 10.1.108.8 soft-reconfiguration inbound

All CE routers advertise only their Loopback0 address and receive only the Loopback0 addresses of the other CEs.

The BGP overlay exists only to give the DM-VPN tunnel endpoints reachability to each other; no default route and no other customer prefix is exchanged with the SP. Apart from the CE-PE BGP sessions, the provider therefore only ever sees ESP traffic between loopbacks, and the customer's internal prefixes stay inside the tunnels.

Task 3: Set higher preference for primary PE (on dual link sites)

The data center and branch #2 sites have dual uplinks, for now used for redundancy in active/passive mode. Later they could be used active/active in order to double the bandwidth.

R1:
router bgp 65001
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor EBGP peer-group
 neighbor EBGP remote-as 65006
 neighbor 10.1.14.4 peer-group EBGP
 neighbor 10.1.15.5 peer-group EBGP
 neighbor 10.1.15.5 weight 1500

I used the BGP weight command in order to prefer the routes learned from R5 over those from R4.

Task 4: Configure IPSec profile

IPsec profile for DM-VPN tunnel protection, same configuration on all CE routers (R1, R2, R9, R10 and R11).

R1:
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set MYSET

Two things to keep in mind about this profile. The pre-shared key is a wildcard (address 0.0.0.0), so the same key "cisco" is accepted from any peer address: fine for a lab, but in production it means every spoke holds a secret that lets it impersonate any other spoke or the hub, so use per-peer keys (or better, certificates with IKEv2) and never keep the lab value. The ISAKMP policy also does not set a Diffie-Hellman group, so IOS falls back to its default group 1 (768-bit MODP); add group 14 or higher so the key exchange matches the strength of AES-256.

Task 5: Configure DM-VPN Hub

In this lab I'm using dual DM-VPN clouds, each with a single hub, which means that each spoke router has two tunnels into two different DM-VPN networks: one terminated on R1 and the second on R2, the hub routers.

R1 configuration:
interface Tunnel1
 ip address 172.1.0.1 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1001
 ip nhrp holdtime 10
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN

Note the tunnel key, NHRP network-id and NHRP authentication string: they keep the two clouds apart (the tunnel key lets a spoke demultiplex the two mGRE tunnels that share Loopback0 as source) and make mismatches between hub and spoke easy to spot. The NHRP authentication string is sent in clear text and is only a sanity check, not a security control; the protection of the tunnels comes from the IPsec profile.

R2 configuration:
interface Tunnel2
 ip address 172.2.0.2 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 2002
 ip nhrp holdtime 10
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN

Task 6: Configure DM-VPN Spokes

DM-VPN spoke configuration on R9, R10 and R11 (R9 shown):
interface Tunnel1
 ip address 172.1.0.9 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 172.1.0.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 1001
 ip nhrp holdtime 10
 ip nhrp nhs 172.1.0.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel2
 ip address 172.2.0.9 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 172.2.0.2 2.2.2.2
 ip nhrp map multicast 2.2.2.2
 ip nhrp network-id 2002
 ip nhrp holdtime 10
 ip nhrp nhs 172.2.0.2
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN shared

Two tunnels, one to each hub, for redundancy. Both tunnels use Loopback0 as source, which is why the IPsec profile is applied with the shared keyword and why the tunnel key is required to tell the two mGRE tunnels apart.



Also note that all DM-VPN tunnel interfaces must be configured with a proper MTU, otherwise traffic traversing the tunnels will be fragmented or, when the DF bit is set and ICMP is filtered somewhere on the path, silently dropped.

The encapsulation adds the following on top of each original packet:
20 bytes for the outer IP header
8 bytes for the GRE header (4 bytes plus 4 for the tunnel key)
ESP for esp-aes 256 / esp-sha256-hmac in transport mode: 8-byte header, 16-byte IV, up to 15 bytes of padding plus a 2-byte trailer, and a 16-byte ICV

With a 1500-byte link MTU that leaves room for an inner IP MTU of a little over 1420 bytes, which is why 1420 is used here (Cisco's usual conservative value is 1400).

The TCP MSS is derived from the tunnel IP MTU, not from the link MTU: MSS = ip mtu minus 20 (IP header) minus 20 (TCP header), so with ip mtu 1420 the MSS is 1380. A value of 1402 (1500 minus 98) would produce 1442-byte TCP packets, larger than the tunnel MTU, which then get fragmented before encapsulation or depend on path MTU discovery working end to end, which is exactly what adjust-mss is meant to avoid.

So we need to configure the following commands on both hub and spoke routers, on Tunnel1 and Tunnel2 alike:
interface Tunnel1
 ip mtu 1420
 ip tcp adjust-mss 1380
 tunnel path-mtu-discovery
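The overhead arithmetic above, worked as an added example (not code from the post): a small Python model of the encapsulation used here (inner IP, GRE with tunnel key, ESP in transport mode with esp-aes 256 / esp-sha256-hmac, outer IP) that computes the on-the-wire size of a packet, the largest tunnel ip mtu that fits a 1500-byte link, and the adjust-mss value that matches a chosen ip mtu. The 1500-byte link MTU and the IV/ICV sizes are standard values assumed here, not figures stated on the page.

```python
"""Size model for the DMVPN packet: inner IP -> GRE -> ESP (transport) -> outer IP.

Added example, not from the post. Header sizes follow RFC 2784/2890 (GRE),
RFC 4303 (ESP) and RFC 4868 (HMAC-SHA-256-128 ICV); the 1500-byte link MTU
is an assumption for an Ethernet underlay.
"""

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_BASE = 4       # GRE flags + protocol type
GRE_KEY = 4        # added by "tunnel key"
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
UDP_NAT_T = 8      # only when NAT-T (UDP 4500) is negotiated, not in this lab

# transform-set -> (IV length, cipher block size, ICV length)
TRANSFORMS = {
    "esp-aes 256 esp-sha256-hmac": (16, 16, 16),  # AES-CBC IV, 16-byte blocks, SHA-256-128 ICV
    "esp-aes 256 esp-sha-hmac": (16, 16, 12),     # SHA-1-96 ICV
    "esp-3des esp-sha-hmac": (8, 8, 12),          # 3DES: 8-byte IV and blocks
}


def encapsulated_len(inner_len, transform="esp-aes 256 esp-sha256-hmac",
                     tunnel_key=True, transport=True, nat_t=False):
    """Return the on-the-wire size of an inner IP packet after GRE + ESP."""
    iv, block, icv = TRANSFORMS[transform]
    gre = GRE_BASE + (GRE_KEY if tunnel_key else 0)
    # transport mode reuses the GRE packet's own IP header as the outer header;
    # tunnel mode encrypts that header too and prepends a fresh one
    plaintext = gre + inner_len + (0 if transport else IP_HDR)
    padded = -((-(plaintext + ESP_TRAILER)) // block) * block  # round up to cipher block
    return IP_HDR + (UDP_NAT_T if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_ip_mtu(link_mtu=1500, **kw):
    """Largest tunnel 'ip mtu' whose encapsulated packet never exceeds link_mtu."""
    for inner in range(link_mtu, 0, -1):
        if encapsulated_len(inner, **kw) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for the encapsulation")


def tcp_mss_for(ip_mtu):
    """'ip tcp adjust-mss' value that matches a given tunnel 'ip mtu'."""
    return ip_mtu - IP_HDR - TCP_HDR


def tunnel_settings(ip_mtu=1420, link_mtu=1500, **kw):
    """Validate a chosen ip mtu against the link MTU and derive the matching MSS."""
    outer = encapsulated_len(ip_mtu, **kw)
    if outer > link_mtu:
        raise ValueError(f"ip mtu {ip_mtu} encapsulates to {outer} > {link_mtu}")
    return {"ip mtu": ip_mtu, "ip tcp adjust-mss": tcp_mss_for(ip_mtu)}


if __name__ == "__main__":
    print("largest safe ip mtu:", max_ip_mtu())
    print(tunnel_settings(1420))
    print("an MSS of 1402 means IP packets of", 1402 + IP_HDR + TCP_HDR, "bytes")
```

Running it shows that 1420 encapsulates to exactly 1500 bytes with this transform set, that the same transform in tunnel mode would need a smaller ip mtu, and that the MSS for 1420 is 1380; switching transform or enabling nat_t recomputes everything, which is easier than redoing the arithmetic by hand every time the crypto profile changes.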
 

Task 7: Configure EIGRP

After the tunnels are up and running we can configure the IGP for the customer network, in this case EIGRP.

R9:
router eigrp 1
 network 172.1.0.9 0.0.0.0
 network 172.2.0.9 0.0.0.0
 network 192.168.91.1 0.0.0.0
 network 192.168.92.1 0.0.0.0
 network 192.168.93.1 0.0.0.0

R9 advertises all its internal networks and runs EIGRP on both tunnel interfaces.

R1:
router eigrp 1
 network 10.1.123.1 0.0.0.0
 network 172.1.0.1 0.0.0.0

R1 runs EIGRP on the tunnel interface and on its LAN segment (10.1.123.0/24).
R3 represents the LAN side of the data center (it could also be the customer firewall); it runs EIGRP and advertises a default route to prevent black holes in the customer network:

R3:
router eigrp 1
 network 0.0.0.0
 network 10.1.123.3 0.0.0.0
 network 192.168.31.1 0.0.0.0
 network 192.168.32.1 0.0.0.0
!
ip route 0.0.0.0 0.0.0.0 Null0

Now let's do some verification and look at some outputs.

R6:
R6#sh ip bgp vpnv4 all
BGP table version is 17, local router ID is 6.6.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 4:65006
 *>i 1.1.1.1/32       4.4.4.4                  0    100      0 65001 i
 *>i 2.2.2.2/32       4.4.4.4                  0    100      0 65001 i
Route Distinguisher: 5:65006
 *>i 1.1.1.1/32       5.5.5.5                  0    100      0 65001 i
 *>i 2.2.2.2/32       5.5.5.5                  0    100      0 65001 i
Route Distinguisher: 7:65006
 *>i 9.9.9.9/32       7.7.7.7                  0    100      0 65009 i
 *>i 11.11.11.11/32   7.7.7.7                  0    100      0 65011 i
Route Distinguisher: 8:65006
 *>i 9.9.9.9/32       8.8.8.8                  0    100      0 65009 i
 *>i 10.10.10.10/32   8.8.8.8                  0    100      0 65010 i

Note that R6, although it is only a P (transit) router in the data plane, holds all the VPNv4 routes because it is the route reflector; a plain P router without that role would carry only the IGP and LDP state and never see customer prefixes.

R4 routing table for VRF ABC:
R4#show ip route vrf ABC

Routing Table: ABC
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 [20/0] via 10.1.14.1, 05:26:36
      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/0] via 10.1.24.2, 05:32:25
      9.0.0.0/32 is subnetted, 1 subnets
B        9.9.9.9 [200/0] via 7.7.7.7, 05:09:07
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.1.14.0/24 is directly connected, FastEthernet2/0
L        10.1.14.4/32 is directly connected, FastEthernet2/0
C        10.1.24.0/24 is directly connected, FastEthernet1/1
L        10.1.24.4/32 is directly connected, FastEthernet1/1
B        10.10.10.10/32 [200/0] via 8.8.8.8, 05:09:02
      11.0.0.0/32 is subnetted, 1 subnets
B        11.11.11.11 [200/0] via 7.7.7.7, 05:09:07

R1 DM-VPN status:
R1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 9.9.9.9               172.1.0.9    UP 04:34:49     D
     1 10.10.10.10          172.1.0.10    UP 04:34:30     D
     1 11.11.11.11          172.1.0.11    UP 04:13:49     D

All tunnels are in the UP state.

R1 crypto state:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         10.10.10.10     QM_IDLE           1005 ACTIVE
1.1.1.1         11.11.11.11     QM_IDLE           1006 ACTIVE
1.1.1.1         9.9.9.9         QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA
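
The two outputs above are what an operator eyeballs after every change; as an added example (not code from the post) here is the same check automated: parse show dmvpn and show crypto isakmp sa, require that every spoke on the expected list has an UP NHRP entry and an ACTIVE QM_IDLE SA, and flag any peer that registered but is not on the list. That last check matters with the wildcard pre-shared key used in this lab, since anything holding the key can register with the hub. The R1 outputs embedded below are copied from this post; the "BAD" outputs are constructed to show a half-built spoke and an unknown peer, and the spoke list is the one implied by the lab.

```python
"""Post-change audit of a DM-VPN hub from two show commands.

Added example, not from the post. SHOW_*_R1 are the post's own R1 outputs;
SHOW_*_BAD are constructed to exercise the failure paths.
"""
import re

EXPECTED_SPOKES = ["9.9.9.9", "10.10.10.10", "11.11.11.11"]  # spoke Loopback0 = NBMA address
HUB_NBMA = "1.1.1.1"

SHOW_DMVPN_R1 = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:3,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 9.9.9.9               172.1.0.9    UP 04:34:49     D
     1 10.10.10.10          172.1.0.10    UP 04:34:30     D
     1 11.11.11.11          172.1.0.11    UP 04:13:49     D
"""

SHOW_ISAKMP_R1 = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         10.10.10.10     QM_IDLE           1005 ACTIVE
1.1.1.1         11.11.11.11     QM_IDLE           1006 ACTIVE
1.1.1.1         9.9.9.9         QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# constructed: R11 stuck in IKE with a half-open SA, plus an unknown peer that registered
SHOW_DMVPN_BAD = """\
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 9.9.9.9               172.1.0.9    UP 04:34:49     D
     1 10.10.10.10          172.1.0.10    UP 04:34:30     D
     1 11.11.11.11          172.1.0.11   IKE 00:00:12     D
     1 12.12.12.12          172.1.0.12    UP 00:03:01     D
"""

SHOW_ISAKMP_BAD = """\
dst             src             state          conn-id status
1.1.1.1         10.10.10.10     QM_IDLE           1005 ACTIVE
1.1.1.1         11.11.11.11     MM_NO_STATE       1007 ACTIVE
1.1.1.1         9.9.9.9         QM_IDLE           1004 ACTIVE
1.1.1.1         12.12.12.12     QM_IDLE           1008 ACTIVE
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DMVPN_ROW = re.compile(r"^\s*(\d+)\s+" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ISAKMP_ROW = re.compile(r"^" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_dmvpn(text):
    """NBMA address -> {tunnel, state, attrb} for every entry row of 'show dmvpn'."""
    peers = {}
    for line in text.splitlines():
        m = DMVPN_ROW.match(line)
        if m:
            _ent, nbma, tunnel, state, _updn, attrb = m.groups()
            peers[nbma] = {"tunnel": tunnel, "state": state, "attrb": attrb}
    return peers


def parse_isakmp(text, local):
    """Remote address -> {state, status, conn_id} from 'show crypto isakmp sa'."""
    sas = {}
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            remote = src if dst == local else dst   # the column that is not us
            sas[remote] = {"state": state, "status": status, "conn_id": int(conn_id)}
    return sas


def audit(dmvpn_text, isakmp_text, local, expected):
    """Return a list of problems; an empty list means the hub looks healthy."""
    peers = parse_dmvpn(dmvpn_text)
    sas = parse_isakmp(isakmp_text, local)
    problems = []
    for nbma in expected:
        peer = peers.get(nbma)
        if peer is None:
            problems.append(f"{nbma}: no NHRP entry")
            continue
        if peer["state"] != "UP":
            problems.append(f"{nbma}: NHRP state {peer['state']}")
        sa = sas.get(nbma)
        if sa is None or sa["state"] != "QM_IDLE" or sa["status"] != "ACTIVE":
            problems.append(f"{nbma}: no active ISAKMP SA")
    for nbma in peers:
        if nbma not in expected:
            problems.append(f"{nbma}: unexpected NHRP peer")
    return problems


if __name__ == "__main__":
    print("R1 now:", audit(SHOW_DMVPN_R1, SHOW_ISAKMP_R1, HUB_NBMA, EXPECTED_SPOKES) or "OK")
    print("bad case:", audit(SHOW_DMVPN_BAD, SHOW_ISAKMP_BAD, HUB_NBMA, EXPECTED_SPOKES))
```

The expected spoke list is the control here: it turns "all tunnels are up" into "exactly the tunnels we expect are up and nothing else", which is the difference between a health check and a very cheap detection for a stolen pre-shared key.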

R1 routing table:
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.123.3 to network 0.0.0.0

D*    0.0.0.0/0 [90/28160] via 10.1.123.3, 04:16:13, FastEthernet2/0
      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/156160] via 10.1.123.3, 04:16:14, FastEthernet2/0
      9.0.0.0/32 is subnetted, 1 subnets
B        9.9.9.9 [20/0] via 10.1.15.5, 04:37:51
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C        10.1.14.0/24 is directly connected, FastEthernet1/1
L        10.1.14.1/32 is directly connected, FastEthernet1/1
C        10.1.15.0/24 is directly connected, FastEthernet1/0
L        10.1.15.1/32 is directly connected, FastEthernet1/0
C        10.1.123.0/24 is directly connected, FastEthernet2/0
L        10.1.123.1/32 is directly connected, FastEthernet2/0
B        10.10.10.10/32 [20/0] via 10.1.15.5, 04:37:51
      11.0.0.0/32 is subnetted, 1 subnets
B        11.11.11.11 [20/0] via 10.1.15.5, 04:37:51
      172.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.1.0.0/24 is directly connected, Tunnel1
L        172.1.0.1/32 is directly connected, Tunnel1
      172.2.0.0/24 is subnetted, 1 subnets
D        172.2.0.0 [90/26882560] via 10.1.123.2, 04:11:59, FastEthernet2/0
D     192.168.31.0/24 [90/156160] via 10.1.123.3, 04:18:26, FastEthernet2/0
D     192.168.32.0/24 [90/156160] via 10.1.123.3, 04:18:26, FastEthernet2/0
D     192.168.33.0/24 [90/156160] via 10.1.123.3, 04:16:14, FastEthernet2/0
D     192.168.91.0/24 [90/27008000] via 172.1.0.9, 02:32:05, Tunnel1
D     192.168.92.0/24 [90/27008000] via 172.1.0.9, 02:32:05, Tunnel1
D     192.168.93.0/24 [90/27008000] via 172.1.0.9, 02:32:05, Tunnel1
D     192.168.101.0/24 [90/27008000] via 172.1.0.10, 04:12:49, Tunnel1
D     192.168.102.0/24 [90/27008000] via 172.1.0.10, 04:12:42, Tunnel1
D     192.168.103.0/24 [90/27008000] via 172.1.0.10, 04:12:35, Tunnel1
D     192.168.111.0/24 [90/27008000] via 172.1.0.11, 04:11:49, Tunnel1
D     192.168.112.0/24 [90/27008000] via 172.1.0.11, 04:11:49, Tunnel1
D     192.168.113.0/24 [90/27008000] via 172.1.0.11, 04:11:49, Tunnel1

Note that R1 sees all customer internal networks through Tunnel1 and all loopbacks through R5, the primary link (weight 1500).

Some reachability tests:
R1#tclsh
+>(tcl)#foreach X {
+>(tcl)#192.168.91.1
+>(tcl)#192.168.92.1
+>(tcl)#192.168.93.1
+>(tcl)#192.168.101.1
+>(tcl)#192.168.102.1
+>(tcl)#192.168.103.1
+>(tcl)#192.168.111.1
+>(tcl)#192.168.112.1
+>(tcl)#192.168.113.1} {ping $X rep 5}
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.91.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 272/330/376 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.92.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 228/331/400 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.93.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 448/566/752 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 324/459/520 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 312/450/616 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 256/429/616 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.111.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 400/576/852 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.112.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 264/441/624 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.113.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 228/424/620 ms
R1(tcl)#

In the next post I will demonstrate, on the same lab, how to load-share different networks over different paths and maximize bandwidth with an active/active topology.
I will also post the full device configurations.
