MPLS L3VPN
In this simulation we create an LSP on each PE router.
Because R1, R2 and R3 are in the same OSPF area, CSPF does not need to be disabled.
root@Olive# show r1 protocols
rsvp {
interface em1.12;
interface em1.13;
}
mpls {
label-switched-path r1-r2 {
to 2.2.2.2;
}
label-switched-path r1-r3 {
to 3.3.3.3;
}
interface em1.12;
interface em1.13;
}
root@Olive# show r2 protocols
rsvp {
interface em2.12;
interface em2.23;
}
mpls {
label-switched-path r2-r1 {
to 1.1.1.1;
}
label-switched-path r2-r3 {
to 3.3.3.3;
}
interface em2.12;
interface em2.23;
}
root@Olive# show r3 protocols
rsvp {
interface em1.23;
interface em2.13;
}
mpls {
label-switched-path r3-r1 {
to 1.1.1.1;
}
label-switched-path r3-r2 {
to 2.2.2.2;
}
interface em1.23;
interface em2.13;
}
RSVP sessions between the PEs:
root@Olive# run show rsvp session logical-system r1
Ingress RSVP: 2 sessions
To From State Rt Style Labelin Labelout LSPname
2.2.2.2 1.1.1.1 Up 0 1 FF - 3 r1-r2
3.3.3.3 1.1.1.1 Up 0 1 FF - 3 r1-r3
Total 2 displayed, Up 2, Down 0
Egress RSVP: 2 sessions
To From State Rt Style Labelin Labelout LSPname
1.1.1.1 3.3.3.3 Up 0 1 FF 3 - r3-r1
1.1.1.1 2.2.2.2 Up 0 1 FF 3 - r2-r1
Total 2 displayed, Up 2, Down 0
Transit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0
root@Olive# run show rsvp session logical-system r2
Ingress RSVP: 2 sessions
To From State Rt Style Labelin Labelout LSPname
1.1.1.1 2.2.2.2 Up 0 1 FF - 3 r2-r1
3.3.3.3 2.2.2.2 Up 0 1 FF - 3 r2-r3
Total 2 displayed, Up 2, Down 0
Egress RSVP: 2 sessions
To From State Rt Style Labelin Labelout LSPname
2.2.2.2 1.1.1.1 Up 0 1 FF 3 - r1-r2
2.2.2.2 3.3.3.3 Up 0 1 FF 3 - r3-r2
Total 2 displayed, Up 2, Down 0
Transit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0
root@Olive# run show rsvp session logical-system r3
Ingress RSVP: 2 sessions
To From State Rt Style Labelin Labelout LSPname
1.1.1.1 3.3.3.3 Up 0 1 FF - 3 r3-r1
2.2.2.2 3.3.3.3 Up 0 1 FF - 3 r3-r2
Total 2 displayed, Up 2, Down 0
Egress RSVP: 2 sessions
To From State Rt Style Labelin Labelout LSPname
3.3.3.3 1.1.1.1 Up 0 1 FF 3 - r1-r3
3.3.3.3 2.2.2.2 Up 0 1 FF 3 - r2-r3
Total 2 displayed, Up 2, Down 0
Transit RSVP: 0 sessions
Total 0 displayed, Up 0, Down 0
By default OSPF does not support TE, so TE must be enabled in the OSPF protocol.
root@Olive1# set r1 protocols ospf traffic-engineering
root@Olive1# set r2 protocols ospf traffic-engineering
root@Olive1# set r3 protocols ospf traffic-engineering
MPLS/VPN routes are advertised with the inet-vpn NLRI, so the VPNv4 family must be enabled in the BGP protocol.
root@Olive# show r1 protocols bgp group ibgp
type internal;
local-address 1.1.1.1;
neighbor 2.2.2.2 {
family inet {
unicast;
}
family inet-vpn {
unicast;
}
}
neighbor 3.3.3.3 {
family inet {
unicast;
}
family inet-vpn {
unicast;
}
}
root@Olive# show r2 protocols bgp group ibgp
type internal;
local-address 2.2.2.2;
neighbor 1.1.1.1 {
family inet {
unicast;
}
family inet-vpn {
unicast;
}
}
neighbor 3.3.3.3 {
family inet {
unicast;
}
family inet-vpn {
unicast;
}
}
root@Olive# show r3 protocols bgp group ibgp
type internal;
local-address 3.3.3.3;
neighbor 1.1.1.1 {
family inet {
unicast;
}
family inet-vpn {
unicast;
}
}
neighbor 2.2.2.2 {
family inet {
unicast;
}
family inet-vpn {
unicast;
}
}
Check the VPNv4 neighbor or VPNv4 state on the PE:
root@Olive# run show bgp neighbor logical-system r1
Peer: 2.2.2.2+61392 AS 100 Local: 1.1.1.1+179 AS 100
Type: Internal State: Established Flags:
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Options:
Address families configured: inet-unicast inet-vpn-unicast
Local Address: 1.1.1.1 Holdtime: 90 Preference: 170
Number of flaps: 0
Peer ID: 2.2.2.2 Local ID: 1.1.1.1 Active Holdtime: 90
Keepalive Interval: 30 Peer index: 1
BFD: disabled, down
NLRI for restart configured on peer: inet-unicast inet-vpn-unicast
NLRI advertised by peer: inet-unicast inet-vpn-unicast
NLRI for this session: inet-unicast inet-vpn-unicast
Peer supports Refresh capability (2)
Restart time configured on the peer: 120
Stale routes from peer are kept for: 300
Restart time requested by this peer: 120
NLRI that peer supports restart for: inet-unicast inet-vpn-unicast
NLRI that restart is negotiated for: inet-unicast inet-vpn-unicast
NLRI of received end-of-rib markers: inet-unicast inet-vpn-unicast
NLRI of all end-of-rib markers sent: inet-unicast inet-vpn-unicast
Peer supports 4 byte AS extension (peer-as 100)
The PE now shows two BGP neighbor states, inet.0 and bgp.l3vpn.0:
root@Olive# run show bgp summary logical-system r1
Groups: 1 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
bgp.l3vpn.0 2 2 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
2.2.2.2 100 53 55 0 0 21:16 Establ
inet.0: 0/0/0/0
bgp.l3vpn.0: 1/1/1/0
3.3.3.3 100 53 56 0 0 21:17 Establ
inet.0: 0/0/0/0
bgp.l3vpn.0: 1/1/1/0
The PE still cannot receive any VPN routes from another PE, and bgp.l3vpn.0 does not have any active routes, because no VPN customer has been configured on the PE yet.
Use a routing-instance for each VPN customer on the PE; each CE can belong to one VRF.
JUNOS uses routing-instances to separate different VRFs.
root@Olive# show r1 routing-instances
vpn-a {
instance-type vrf;
interface em1.16;
route-distinguisher 100:1;
vrf-table-label;
protocols {
ospf {
area 0.0.0.0 {
interface em1.16;
}
}
}
}
vpn-b {
instance-type vrf;
interface em1.17;
route-distinguisher 100:2;
vrf-table-label;
protocols {
ospf {
area 0.0.0.0 {
interface em1.17;
}
}
}
}
root@Olive# show r2 routing-instances
vpn-a {
instance-type vrf;
interface em2.24;
route-distinguisher 100:1;
vrf-table-label;
protocols {
ospf {
area 0.0.0.0 {
interface em2.24;
}
}
}
}
root@Olive# show r3 routing-instances
vpn-b {
instance-type vrf;
interface em2.35;
route-distinguisher 100:2;
vrf-table-label;
protocols {
ospf {
area 0.0.0.0 {
interface em2.35;
}
}
}
}
Commit and check the OSPF neighbors:
root@Olive# run show ospf neighbor instance all logical-system r1
Instance: master
Address Interface State ID Pri Dead
192.168.12.2 em1.12 Full 2.2.2.2 128 34
192.168.13.3 em1.13 Full 3.3.3.3 128 37
Instance: vpn-a
Address Interface State ID Pri Dead
192.168.16.6 em1.16 Full 6.6.6.6 128 38
Instance: vpn-b
Address Interface State ID Pri Dead
192.168.17.7 em1.17 Full 7.7.7.7 128 37
root@Olive# run show ospf neighbor instance all logical-system r2
Instance: master
Address Interface State ID Pri Dead
192.168.12.1 em2.12 Full 1.1.1.1 128 33
192.168.23.3 em2.23 Full 3.3.3.3 128 32
Instance: vpn-a
Address Interface State ID Pri Dead
192.168.24.4 em2.24 Full 4.4.4.4 128 31
root@Olive# run show ospf neighbor instance all logical-system r3
Instance: master
Address Interface State ID Pri Dead
192.168.23.2 em1.23 Full 2.2.2.2 128 32
192.168.13.1 em2.13 Full 1.1.1.1 128 34
Instance: vpn-b
Address Interface State ID Pri Dead
192.168.35.5 em2.35 Full 5.5.5.5 128 36
The show route command cannot show the VPN route table.
To learn VPN routes from the same VPN instance or from a different VPN instance, an RT must be used in the VPN instance.
In a JUNOS VPN routing-instance we can use either vrf-target or vrf-import and vrf-export policies.
root@Olive# show r1 policy-options
policy-statement vpn-a-export {
term 1 {
from protocol ospf;
then {
community add vpn-a;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement vpn-a-import {
term 1 {
from {
protocol bgp;
community vpn-a;
}
then accept;
}
}
policy-statement vpn-b-export {
term 1 {
from protocol ospf;
then {
community add vpn-b;
accept;
}
}
term 2 {
then reject;
}
}
policy-statement vpn-b-import {
term 1 {
from {
protocol bgp;
community vpn-b;
}
then accept;
}
}
community vpn-a members target:100:1;
community vpn-b members target:100:2;
This community configuration defines the RT attribute.
Now all PEs can learn the VPN routes; check the bgp.l3vpn.0 routing table:
root@Olive# run show bgp summary logical-system r1
Groups: 1 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 0 0 0 0 0 0
bgp.l3vpn.0 2 2 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
2.2.2.2 100 81 83 0 0 34:02 Establ
inet.0: 0/0/0/0
bgp.l3vpn.0: 1/1/1/0
vpn-a.inet.0: 1/1/1/0
3.3.3.3 100 81 84 0 0 34:03 Establ
inet.0: 0/0/0/0
bgp.l3vpn.0: 1/1/1/0
vpn-b.inet.0: 1/1/1/0
Check the VPN routes learned from the CE through OSPF.
The [instance-name].inet.0 route table shows the routes from the CE.
root@Olive# run show route table vpn-a.inet.0 logical-system r1 protocol ospf
vpn-a.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
6.6.6.6/32 *[OSPF/10] 00:26:48, metric 1
> to 192.168.16.6 via em1.16
224.0.0.5/32 *[OSPF/10] 00:38:22, metric 1
MultiRecv
root@Olive# run show route table vpn-b.inet.0 logical-system r1 protocol ospf
vpn-b.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
7.7.7.7/32 *[OSPF/10] 00:26:51, metric 1
> to 192.168.17.7 via em1.17
224.0.0.5/32 *[OSPF/10] 00:38:25, metric 1
MultiRecv
Check the PE's bgp.l3vpn.0 route table:
root@Olive# run show route table bgp.l3vpn.0 logical-system r1
bgp.l3vpn.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
100:1:4.4.4.4/32
*[BGP/170] 00:28:31, MED 1, localpref 100, from 2.2.2.2
AS path: I
> to 192.168.12.2 via em1.12, label-switched-path r1-r2
100:2:5.5.5.5/32
*[BGP/170] 00:28:27, MED 1, localpref 100, from 3.3.3.3
AS path: I
> to 192.168.13.3 via em1.13, label-switched-path r1-r3
Every VPN route carries the RD: RD (64 bits) + IPv4 (32 bits) = 96 bits, which is the VPNv4 address prefix length.
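Added example (not part of the original walkthrough): how a route such as 100:1:4.4.4.4/32 is laid out on the wire as a labeled VPN-IPv4 NLRI (length octet, 3-octet label field, 8-octet type 0 RD, IPv4 prefix), with a decoder that rejects malformed lengths. The label value 16 is an assumed sample; the page does not show the VPN label.

```python
import ipaddress
import struct

LABEL_BITS, RD_BITS = 24, 64  # 3-octet label field, 8-octet RD


def encode_vpnv4_nlri(label, asn, number, prefix):
    """Build one labeled VPN-IPv4 NLRI: length | label | RD (type 0) | IPv4 prefix."""
    net = ipaddress.ip_network(prefix)
    label_field = ((label << 4) | 1).to_bytes(3, "big")  # 20-bit label, BoS bit set
    rd = struct.pack("!HHI", 0, asn, number)  # type 0: 2-byte AS + 4-byte number
    addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
    bit_len = LABEL_BITS + RD_BITS + net.prefixlen
    return bytes([bit_len]) + label_field + rd + addr


def decode_vpnv4_nlri(data):
    """Parse one NLRI and reject lengths that cannot hold a label and an RD."""
    if not data:
        raise ValueError("empty NLRI")
    bit_len = data[0]
    prefix_len = bit_len - LABEL_BITS - RD_BITS
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad NLRI length {bit_len}")
    body = data[1 : 1 + (bit_len + 7) // 8]
    if len(body) != (bit_len + 7) // 8:
        raise ValueError("truncated NLRI")
    label = int.from_bytes(body[:3], "big") >> 4
    rd_type, asn, number = struct.unpack("!HHI", body[3:11])
    if rd_type != 0:
        raise ValueError("only type 0 RDs are handled in this example")
    addr = ipaddress.IPv4Address(body[11:].ljust(4, b"\x00"))
    return {
        "label": label,
        "rd": f"{asn}:{number}",
        "prefix": f"{addr}/{prefix_len}",
        "vpnv4_bits": RD_BITS + prefix_len,  # RD + IPv4 part, 96 for a /32
    }


if __name__ == "__main__":
    # Constructed sample: the page's route 100:1:4.4.4.4/32 with an assumed label of 16.
    wire = encode_vpnv4_nlri(16, 100, 1, "4.4.4.4/32")
    print(wire.hex(), decode_vpnv4_nlri(wire))
```

The length octet counts the label as well, so a /32 VPNv4 route is announced with length 120 (24 + 96).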
Check how to reach the other PEs:
root@Olive# run show route table inet.3 logical-system r1
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2.2.2.2/32 *[RSVP/7/1] 00:30:58, metric 1
> to 192.168.12.2 via em1.12, label-switched-path r1-r2
3.3.3.3/32 *[RSVP/7/1] 00:30:58, metric 1
> to 192.168.13.3 via em1.13, label-switched-path r1-r3
R4 and R6 belong to the same VPN customer site, and the PEs can learn the VPN routes of r4 and r6, so why do the CEs not learn each other's VPN routes? Because BGP does not export the VPN routes to the IGP. Create a policy to solve this problem.
root@Olive# show r1 policy-options
policy-statement bgp-to-vpn-a {
term 1 {
from {
protocol bgp;
community vpn-a;
}
then accept;
}
term 2 {
then reject;
}
}
policy-statement bgp-to-vpn-b {
term 1 {
from {
protocol bgp;
community vpn-b;
}
then accept;
}
term 2 {
then reject;
}
}
[edit logical-systems]
root@Olive1# show r1 routing-instances vpn-a protocols
ospf {
export bgp-to-vpn-a;
area 0.0.0.0 {
interface em1.16;
}
}
[edit logical-systems]
root@Olive1# show r1 routing-instances vpn-b protocols
ospf {
export bgp-to-vpn-b;
area 0.0.0.0 {
interface em1.17;
}
}
Apply the same policy configuration on r2 and r3.
Commit and check the CE routing tables:
root@Olive# run show route protocol ospf logical-system r4
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
6.6.6.6/32 *[OSPF/10] 00:38:39, metric 2
> to 192.168.24.2 via em1.24
224.0.0.5/32 *[OSPF/10] 00:50:27, metric 1
MultiRecv
root@Olive# run show route protocol ospf logical-system r5
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
7.7.7.7/32 *[OSPF/10] 00:38:42, metric 2
> to 192.168.35.3 via em1.35
224.0.0.5/32 *[OSPF/10] 00:50:29, metric 1
MultiRecv
root@Olive# run show route protocol ospf logical-system r6
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
4.4.4.4/32 *[OSPF/10] 00:38:43, metric 2
> to 192.168.16.1 via em2.16
224.0.0.5/32 *[OSPF/10] 00:50:30, metric 1
MultiRecv
root@Olive# run show route protocol ospf logical-system r7
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.5.5.5/32 *[OSPF/10] 00:40:21, metric 2
> to 192.168.17.1 via em2.17
224.0.0.5/32 *[OSPF/10] 00:52:08, metric 1
MultiRecv
root@Olive# run ping 6.6.6.6 source 4.4.4.4 logical-system r4 rapid
PING 6.6.6.6 (6.6.6.6): 56 data bytes
!!!!!
--- 6.6.6.6 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.348/3.356/7.524/2.211 ms
root@Olive# run ping 7.7.7.7 source 5.5.5.5 logical-system r5 rapid
PING 7.7.7.7 (7.7.7.7): 56 data bytes
!!!!!
--- 7.7.7.7 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.375/2.037/3.137/0.635 ms
root@Olive# run traceroute 4.4.4.4 source 6.6.6.6 logical-system r6
traceroute to 4.4.4.4 (4.4.4.4) from 6.6.6.6, 30 hops max, 40 byte packets
1 192.168.16.1 (192.168.16.1) 1.274 ms 0.529 ms 0.359 ms
2 4.4.4.4 (4.4.4.4) 0.643 ms 0.587 ms 0.954 ms
root@Olive# run traceroute 5.5.5.5 source 7.7.7.7 logical-system r7
traceroute to 5.5.5.5 (5.5.5.5) from 7.7.7.7, 30 hops max, 40 byte packets
1 192.168.17.1 (192.168.17.1) 0.383 ms 0.438 ms 0.256 ms
2 5.5.5.5 (5.5.5.5) 0.926 ms 0.685 ms 0.933 ms
To allow communication between different VPN customers, add the other customer’s RT community in the routing-instance.
root@Olive# show r1 routing-instances
vpn-a {
instance-type vrf;
interface em1.16;
route-distinguisher 100:1;
vrf-import [ vpn-a-import vpn-b-import ];
vrf-export vpn-a-export;
vrf-table-label;
protocols {
ospf {
export bgp-to-vpn-a;
area 0.0.0.0 {
interface em1.16;
}
}
}
}
vpn-b {
instance-type vrf;
interface em1.17;
route-distinguisher 100:2;
vrf-import [ vpn-b-import vpn-a-import ];
vrf-export vpn-b-export;
vrf-table-label;
protocols {
ospf {
export bgp-to-vpn-b;
area 0.0.0.0 {
interface em1.17;
}
}
}
}
root@Olive# show r1 policy-options policy-statement bgp-to-vpn-a
term 1 {
from {
protocol bgp;
community [ vpn-a vpn-b ];
}
then accept;
}
term 2 {
then reject;
}
root@Olive# show r1 policy-options policy-statement bgp-to-vpn-b
term 1 {
from {
protocol bgp;
community [ vpn-b vpn-a ];
}
then accept;
}
term 2 {
then reject;
}
Add the other VPN's RT community on R2 and R3:
root@Olive# show r2 policy-options community vpn-b
members target:100:2;
root@Olive# show r3 policy-options community vpn-a
members target:100:1;
Now check the routing table on the CE:
root@Olive# run show route protocol ospf logical-system r6
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
4.4.4.4/32 *[OSPF/10] 00:05:27, metric 2
> to 192.168.16.1 via em2.16
5.5.5.5/32 *[OSPF/10] 00:05:27, metric 2
> to 192.168.16.1 via em2.16
192.168.24.0/24 *[OSPF/150] 00:05:27, metric 0, tag 3489661028
> to 192.168.16.1 via em2.16
192.168.35.0/24 *[OSPF/150] 00:05:27, metric 0, tag 3489661028
> to 192.168.16.1 via em2.16
224.0.0.5/32 *[OSPF/10] 00:06:43, metric 1
MultiRecv
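Added example (not part of the original walkthrough): the RT import lists are the only thing separating vpn-a from vpn-b, so this sketch models the export and import RTs from the configuration above and lists which routing-instances on different PEs exchange routes before and after the vrf-import change. The dictionary layout and function names are hypothetical, and r2 and r3 are assumed to import both RTs the same way r1 does.

```python
from itertools import product

RT_A, RT_B = "target:100:1", "target:100:2"
# Where each routing-instance lives in the walkthrough (PE, instance).
PLACEMENT = [("r1", "vpn-a"), ("r1", "vpn-b"), ("r2", "vpn-a"), ("r3", "vpn-b")]
EXPORT = {"vpn-a": {RT_A}, "vpn-b": {RT_B}}  # vpn-a-export / vpn-b-export


def build(imports):
    """imports maps instance name -> set of RTs its vrf-import policies accept."""
    return {vrf: {"export": EXPORT[vrf[1]], "import": imports[vrf[1]]} for vrf in PLACEMENT}


def remote_flows(vrfs):
    """(source VRF, receiving VRF) pairs on different PEs that share an RT."""
    flows = set()
    for (src, s), (dst, d) in product(vrfs.items(), repeat=2):
        if src[0] == dst[0]:
            continue  # same PE: not modelled, the page's r6 output lists no 7.7.7.7
        if s["export"] & d["import"]:
            flows.add((src, dst))
    return flows


def unapproved(vrfs, approved=frozenset()):
    """Flows between different instances whose name pair is not in 'approved'."""
    return sorted(
        (src, dst) for src, dst in remote_flows(vrfs)
        if src[1] != dst[1] and frozenset((src[1], dst[1])) not in approved
    )


# Before the change: each instance imports only its own RT.
ISOLATED = build({"vpn-a": {RT_A}, "vpn-b": {RT_B}})
# After the change: both instances import both RTs (r2/r3 assumed to mirror r1).
MERGED = build({"vpn-a": {RT_A, RT_B}, "vpn-b": {RT_A, RT_B}})

if __name__ == "__main__":
    print("isolated:", unapproved(ISOLATED))
    for src, dst in unapproved(MERGED):
        print("cross-VPN import:", src, "->", dst)
```

Passing the approved pair, for example approved={frozenset(("vpn-a", "vpn-b"))}, turns the same check into a review of whether every cross-VPN import on the PEs is an intended one.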