MPLS L3VPN

  1. L3VPN
  2. Route distinguisher (RD)
  3. 6VPE
  4. MPLS over mGRE
  5. Route-leaking
  6. Route reflector
  7. Best-path external
  8. Local convergence

L3VPN

  • outer label (transport, S=0) is responsible for route to egress E-LSR
  • inner label (service, S=1) marks prefix from VRF
  • service label is allocated per prefix in VRF by default
  • modified NLRI:
    1. client prefixes may be the same or overlap
    2. new AFI/SAFI (1/128)
    3. NLRI = <RD>:<prefix> helps distinguish client prefixes
    4. RD 64 bit (VPNv4)
  • updates for VRFs absent from local device are dropped, saving RAM; does not apply to RR
  • when a prefix is redistributed into VPNv4, the PE creates a new prefix from it (the VPNv4 NLRI) ⇒ no need for next-hop-self
  • RT:
    1. route-target
    2. same format as RD, value may differ from RD
    3. extended community (8 bytes)
    4. mark on the prefix, used for VRF import/export
  • LFIB is shared between VRFs
  • MPLS label is allocated when prefix is added to BGP VRF RIB, label is exchanged via BGP
(config)# ip vrf <NAME>
(config-vrf)# rd <ASN>:<num>
(config-vrf)# route-target import|export|both <RT>

; different next-hops for different VRF (e.g. tail for TE tunnels)
(config-vrf)# bgp next-hop <intf>

; per-vrf enables using 1 label for all prefixes for VRF, per-prefix by default
(config)# mpls label all-vrfs|vrf <NAME> protocol bgp-vpnv4 per-prefix|per-vrf 
(config-router)# address-family ipv4 vrf <NAME>
(config-router-af)# redistribute eigrp 1

; import period for VPNv4 VRF prefixes, 60s by default
(config-router-af)# bgp scan-time import <sec>

(config-router)# address-family vpnv4

; IP-based, even if neighbour in peer-group
(config-router-af)# neighbor <IP> activate
(config-router-af)# neighbor <IP> send-community

; disables dropping NLRI for unused RT (e.g. Inter-AS VPN Option B)
(config-router)# no bgp default route-target filter 
# show ip bgp vpnv4 all [labels]
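
The RT import logic and the default route-target filter described above, modelled as an added example (not part of the original notes and not vendor code). The VRF names, RDs, RTs and prefixes are constructed; the audit function lists every VRF pair where one VRF's export RT matches another's import RT, so an unintended match such as a mistyped import RT stands out against the intended design.

```python
# Added example: RT-based import on a PE/RR plus a cross-VRF import audit.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: set
    export_rts: set

@dataclass
class Pe:
    vrfs: list
    rt_filter: bool = True          # models "bgp default route-target filter"
    vpnv4_table: list = field(default_factory=list)

    def receive(self, nlri: str, rts: set) -> list:
        """Process one VPNv4 update; return names of local VRFs importing it."""
        importers = [v.name for v in self.vrfs if v.import_rts & rts]
        # With the filter on, updates matching no local import RT are dropped.
        if importers or not self.rt_filter:
            self.vpnv4_table.append(nlri)
        return importers

def audit_cross_import(vrfs: list) -> list:
    """Return (exporter, importer, shared RTs) for each pair of distinct VRFs."""
    findings = []
    for src in vrfs:
        for dst in vrfs:
            shared = src.export_rts & dst.import_rts
            if src is not dst and shared:
                findings.append((src.name, dst.name, sorted(shared)))
    return findings

# Constructed sample: CUST_B imports 65000:1 by mistake.
VRFS = [
    Vrf("CUST_A", "65000:1", {"65000:1"}, {"65000:1"}),
    Vrf("CUST_B", "65000:2", {"65000:2", "65000:1"}, {"65000:2"}),
]

if __name__ == "__main__":
    pe = Pe(vrfs=VRFS)
    print(pe.receive("65000:1:10.0.0.0/24", {"65000:1"}))
    print(audit_cross_import(VRFS))
```
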

Route distinguisher (RD)

2 bytes | 2 bytes | 4 bytes
Type 0  | ASN     | Value
Type 1  | IP      | Value
Type 2  | ASN     | Value
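
An added example (not part of the original notes) that encodes and decodes the three RD types and shows how the RD keeps identical client prefixes distinct. It follows RFC 4364, where types 1 and 2 carry a 4-byte administrator (IPv4 address or 4-byte ASN) and a 2-byte value; `vpnv4_key` is a hypothetical helper that omits the label and length octets of a real VPNv4 NLRI.

```python
# Added example: 8-byte route distinguisher encoding per RFC 4364.
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode '<admin>:<value>' as an 8-byte RD; the type is chosen from the admin field."""
    admin, value = rd.rsplit(":", 1)
    value = int(value)
    if "." in admin:                      # Type 1: IPv4 address + 2-byte value
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, value)
    asn = int(admin)
    if asn <= 0xFFFF:                     # Type 0: 2-byte ASN + 4-byte value
        return struct.pack("!HHI", 0, asn, value)
    return struct.pack("!HIH", 2, asn, value)   # Type 2: 4-byte ASN + 2-byte value

def decode_rd(raw: bytes) -> str:
    """Decode an 8-byte RD back to '<admin>:<value>'."""
    if len(raw) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, value = struct.unpack("!HI", raw[2:])
        return f"{asn}:{value}"
    if rd_type == 1:
        ip, value = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{value}"
    if rd_type == 2:
        asn, value = struct.unpack("!IH", raw[2:])
        return f"{asn}:{value}"
    raise ValueError(f"unknown RD type {rd_type}")

def vpnv4_key(rd: str, prefix: str) -> bytes:
    """RD followed by prefix length and network address (simplified table key)."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + bytes([net.prefixlen]) + net.network_address.packed

if __name__ == "__main__":
    # Constructed RDs: the same client prefix in two VRFs yields two distinct keys.
    for rd in ("65000:1", "65000:2", "10.0.0.1:7", "4200000001:5"):
        print(rd, vpnv4_key(rd, "10.0.0.0/24").hex())
```
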

6VPE

  • BGP next-hop = IPv4-mapped IPv6

MPLS over mGRE

  • does not use NHRP (uses BGP for discovery) or LDP
  • spoke-to-spoke
  • VPNv4/v6, spokes – PE
  • MDT mcast (GRE)
(config)# l3vpn encapsulation ip <name>
            transport ipv4 source <intf>
            protocol gre key <n>
(config-route-map)# set ip next-hop encapsulate l3vpn <NAME>
(config-router-af)# neighbor <IP> route-map <MAP> in

Route-leaking

  • between VRF – RT, origin is preserved on import
  • between VRF and global:
    1. static routes
    2. EVN route-replicate
    3. PBR
    4. import/export map (ipv4 unicast map)
  • internet access:
    1. separate VRF
    2. route-leak
    3. dot1q/GRE
  • on importing from local VRF, route is eBGP
; by default the tunnel endpoint is looked up in the global VRF
(config-if)# tunnel vrf <NAME>
; on by default, permits setting interfaces from other VRFs as next-hop
(config)# ip route static inter-vrf

; next-hop in global VRF
(config)# ip route vrf <NAME> <prefix> <next-hop> global

; next-hop can be in another VRF
(config)# ip route <prefix> <next-hop>
; route-leak between VRF and global, permitted routes are not reexported into VPNv4, prefixes must be in BGP RIB (global/VRF)
(config-vrf)# import ipv4 unicast map <MAP>
(config-vrf)# export ipv4 unicast map <MAP>

; filtering prefixes between VRF
(config-vrf)# import map <MAP>
(config-vrf)# export map <MAP>

(config-vrf)# maximum routes <n> <threshold>
; sets RT on exporting
(config-map)# set extcommunity rt <RT>

Route reflector

  • receives all prefixes from the clients (including with unused RT)
  • load-sharing via RR group, distribution based on RT (e.g. odd/even)
(config)# ip extcommunity-list standard <NAME> permit|deny rt <RT>
; not needed on RR
(config-router)# no bgp default route-target filter

(config-router)# address-family vpnv4

; uses extcommunity-list for filtering
(config-router-af)# bgp rr-group <NAME>

; IP-only activation
(config-router-af)# neighbor <IP> activate

; parameters can be applied to group
(config-router-af)# neighbor <PEER> route-reflector-client

Best-path external

  • allows announcing best eBGP path instead of bestpath
  • installs best-external as backup in CEF and RIB (enables PIC) if next-hop is different from primary next-hop
  • per-prefix label allocation is required on backup PE (enables label forwarding), otherwise – routing loop because of IP forwarding
  • active-standby connection
  • multipath takes priority over backup eBGP
  • no support for L2VPN, NSF, RR
; global VRF, if in VPN AF – for all VRF, if in VRF AF – only for this specific VRF
(config-router)# bgp advertise-best-external

; does not enable best-external! part of Diverse path
(config-router)# neighbor <IP> advertise best-external

Local convergence

  • no support for IS-IS routes
  • IPv6 routes – only static and eBGP
  • pre-PIC technology
  • does not remove labels from LFIB for 5 mins after prefix is lost
  • selects locally a backup route, does not push it into FIB/RIB, uses for rerouting traffic
(config-vrf-af)# protection local-prefixes