Configure a Basic MPLS VPN Network

Contents
Introduction
Prerequisites
Requirements

Components Used

Conventions

Background Information
Configuration
Network Diagram

MPLS Configuration Procedures


Configure MPLS in the Core Network
Configure MP-BGP

Configurations

Verification
Related Information

Introduction
This document describes how to configure a basic Multiprotocol Label Switching (MPLS) VPN core
network.

Prerequisites
Requirements

Cisco recommends that you have knowledge of these topics:

• Knowledge of Basic IP Routing


• Knowledge of Cisco IOS® Command Line Interface (CLI)

Components Used

The information in this document is based on these software and hardware versions:

P and PE Routers

• Any Cisco router from the Aggregation Services Router (ASR) and Integrated Services Router
(ISR) series or other higher end routers supports P and PE functionality.

C and CE Routers

• You can use any router that can exchange routing information with its PE router.

The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, ensure
that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

These letters represent the different types of routers and switches used:

• P — Provider router

• PE — Provider Edge router

• CE — Customer Edge router

• C — Customer router

Note: PE routers are the last hop in the provider network. These devices connect directly to the CE
routers, which are customer-owned devices that interface with the service provider network but do not
participate in MPLS operations.

Background Information
MPLS is a high-performance network technology that directs data from one node to another using short path
labels instead of long network addresses. This approach speeds up and shapes traffic flows across enterprise
and service provider networks. MPLS assigns labels to packets, which are used by Label Switching Routers
(LSR), or P routers, to make forwarding decisions. Label Edge Routers (LER), or PE routers, at the network
edge add and remove these labels.

MPLS uses Forwarding Equivalence Classes (FECs) to group packets that are forwarded in the same
manner, and the Label Distribution Protocol (LDP) to distribute label mappings between routers. This
ensures a consistent view of label bindings across the network.

The benefits of MPLS include improved performance, scalability, traffic engineering capabilities, and
support for Quality of Service (QoS). It is protocol-agnostic, making it a versatile solution for various
network environments. MPLS is widely used to create scalable and secure Virtual Private Networks (VPNs),
manage and optimize traffic flows, and support the convergence of different types of traffic (for example
data, voice, and video) onto a single network infrastructure.

This document provides a sample configuration of an MPLS VPN network where Border Gateway Protocol
(BGP) is used between PE (Provider Edge) and CE (Customer Edge) routers. When used with MPLS, the
VPN feature allows several sites to interconnect transparently through a service provider network. One
service provider network can support several different IP VPNs, each appearing to its users as a private
network, separate from all other networks. Within a VPN, each site can send IP packets to any other site in
the same VPN.

Each VPN is associated with one or more Virtual Routing and Forwarding (VRF) instances. A VRF consists
of an IP routing table, a derived Cisco Express Forwarding (CEF) table, and a set of interfaces that use this
forwarding table. The router maintains a separate Routing Information Base (RIB) and CEF table for each
VRF. This ensures that information is not sent outside the VPN, allowing the same subnet to be used in
several VPNs without causing duplicate IP address problems. The router that uses Multiprotocol BGP (MP-BGP)
distributes the VPN routing information with the MP-BGP extended communities.

Configuration
This section provides the configuration examples and how they are implemented.

Network Diagram

This document uses this network setup. The diagram shows a typical configuration that illustrates the
conventions outlined previously:

MPLS Topology

MPLS Configuration Procedures

Configure MPLS in the Core Network

1. Verify that ip cef is enabled on the routers where MPLS is required (CEF is enabled by default on the latest
software releases).

2. Configure an Interior Gateway Protocol (IGP) on the service provider core. Open Shortest Path
First (OSPF) or Intermediate System-to-Intermediate System (IS-IS) are the recommended
options. Advertise the Loopback0 from each P and PE router.

3. After the service provider core routers are fully Layer 3 (L3) reachable between their loopbacks,
configure the command mpls ip on each L3 interface between P and PE routers or use the mpls ldp
autoconfig command to enable LDP on each interface that is running the OSPF or IS-IS process.

Note: The PE router interface that connects directly to the CE router does not require the mpls ip
command configuration.

After the mpls ip configuration has been added to the interfaces, complete the next steps on the PE routers:

4. Create one VRF for each VPN connected with the vrf definition <VRF name> command. Additional steps:

Specify the route distinguisher used for that VPN. The command rd <VPN route distinguisher> is used to extend
the IP address so that you can identify which VPN it belongs to.

vrf definition Client_A
rd 100:110

Set up the import and export properties for the MP-BGP extended communities. These are used to filter the
import and export process with the command route-target {import|export|both} <target VPN extended
community> as shown in the next output:

vrf definition Client_A
rd 100:110
route-target export 100:1000
route-target import 100:1000
!
address-family ipv4
exit-address-family

5. On the PE router, add the interfaces that connect the CE to the corresponding VRF. Configure the
forwarding details for the respective interfaces with the vrf forwarding command and set up the IP address.

PE-1# show run interface GigabitEthernet0/1
Building configuration...

Current configuration : 138 bytes
!
interface GigabitEthernet0/1
vrf forwarding Client_A
ip address 10.0.4.2 255.255.255.0
duplex auto
speed auto
media-type rj45
end
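
An added example, not part of the Cisco document: a small Python audit of the VRF settings from steps 4 and 5. It flags a VRF that imports a route target exported by another VRF (routes cross between VPNs), two VRFs that share an RD, and mpls ip on an interface placed in a VRF. The Client_C VRF, its RD, and the stray mpls ip in the sample are constructed to trigger the findings.

```python
import re

# Constructed sample: abridged PE-1 VRF and interface stanzas from this page,
# plus a hypothetical Client_C VRF and a stray "mpls ip" that trigger findings.
SAMPLE_CONFIG = """
vrf definition Client_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
vrf definition Client_B
 rd 100:120
 route-target export 100:2000
 route-target import 100:2000
vrf definition Client_C
 rd 100:120
 route-target both 100:3000
 route-target import 100:1000
interface GigabitEthernet0/0
 mpls ip
interface GigabitEthernet0/2
 vrf forwarding Client_B
 mpls ip
"""

def parse(config):
    """Return ({vrf: {...}}, {interface: {...}}) from IOS-style config text."""
    vrfs, ifaces, ctx = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"vrf definition (\S+)$", line):
            ctx = vrfs.setdefault(m[1], {"rd": None, "import": set(), "export": set()})
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ifaces.setdefault(m[1], {"vrf": None, "mpls": False})
        elif line.startswith("router "):
            ctx = None  # BGP/IGP stanzas are out of scope for this check
        elif ctx is None:
            continue
        elif m := re.match(r"rd (\S+)$", line):
            ctx["rd"] = m[1]
        elif m := re.match(r"route-target (import|export|both) (\S+)$", line):
            for side in ("import", "export") if m[1] == "both" else (m[1],):
                ctx.setdefault(side, set()).add(m[2])
        elif m := re.match(r"vrf forwarding (\S+)$", line):
            ctx["vrf"] = m[1]
        elif line == "mpls ip":
            ctx["mpls"] = True
    return vrfs, ifaces

def audit(config):
    """Return sorted findings as tuples; an empty list means nothing flagged."""
    vrfs, ifaces = parse(config)
    findings = []
    for a, va in vrfs.items():
        for b, vb in vrfs.items():
            # a imports a route target that b exports: b's routes reach a.
            if a != b:
                findings += [("cross-vrf-import", a, b, rt) for rt in va["import"] & vb["export"]]
            # Same RD on two VRFs: overlapping customer prefixes become one VPNv4 route.
            if a < b and va["rd"] and va["rd"] == vb["rd"]:
                findings.append(("duplicate-rd", a, b, va["rd"]))
    for name, i in ifaces.items():
        # The page notes that the CE-facing (VRF) interface does not need "mpls ip".
        if i["vrf"] and i["mpls"]:
            findings.append(("mpls-on-vrf-interface", name, i["vrf"]))
    return sorted(findings)
```

A cross-vrf-import finding is expected for a deliberate extranet or shared-services VRF; anywhere else it means one customer's routes are being installed in another customer's table.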

Configure MP-BGP

There are several ways to configure BGP. For example, you can configure PE routers as BGP neighbors or
use a Route Reflector (RR) or Confederation methods. A Route Reflector is used in the next example, which
is more scalable than the use of full mesh neighbors between PE routers:

1. Enter the address-family ipv4 vrf <VRF name> command for each VPN present at this PE router. Next,
carry out one or more of the next steps, as necessary:

• If you use BGP to exchange routing information with the CE, configure and activate the BGP
neighbors with the CE routers.

• If you use a different dynamic routing protocol to exchange routing information with the CE,
redistribute the routing protocols.

Note: Based on the PE-CE routing protocol you use, you can configure any dynamic routing protocols
(EIGRP, OSPF or BGP) between PE and CE devices. If BGP is the protocol used to exchange routing
information between PE and CE, there is no need to configure redistribution between protocols.

2. Under router bgp hierarchy, enter the address-family vpnv4 mode, and complete the next steps:

• Activate the neighbors. A VPNv4 neighbor session needs to be established between each PE router and
the Route Reflector.

• Specify that extended community must be used. This is mandatory.

Configurations

This document uses these configurations to set up the MPLS VPN network example:

• PE-1 (PE)

• PE-2 (PE)

• P-2 (P)

• RR (RR)

• P-1 (P)

PE-1

hostname PE-1
!
ip cef
!

!--- VPN Client_A commands.

vrf definition Client_A
rd 100:110
route-target export 100:1000
route-target import 100:1000
!
address-family ipv4
exit-address-family

!--- Enables the VPN routing and forwarding (VRF) routing table.
!--- Route distinguisher creates routing and forwarding tables for a VRF.
!--- Route targets create lists of import and export extended communities for the specified VRF.

!--- VPN Client_B commands.

vrf definition Client_B
rd 100:120
route-target export 100:2000
route-target import 100:2000
!
address-family ipv4
exit-address-family
!
interface Loopback0
ip address 10.10.10.4 255.255.255.255
ip router isis
!
interface GigabitEthernet0/1
vrf forwarding Client_A
ip address 10.0.4.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
vrf forwarding Client_B
ip address 10.0.4.2 255.255.255.0
duplex auto
speed auto
media-type rj45

!--- Associates a VRF instance with an interface or subinterface.

!--- GigabitEthernet0/1 and 0/2 use the same IP address, 10.0.4.2.

!--- This is allowed because they belong to two different customer VRFs.

!
interface GigabitEthernet0/0
description link to P-1
ip address 10.1.1.14 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip

!--- Enables MPLS on the L3 interface connecting to the P router


!
router isis
net 49.0001.0000.0000.0004.00
is-type level-2-only
metric-style wide
passive-interface Loopback0

!--- Enables IS-IS as the IGP in the provider core network

!
router bgp 65000
bgp log-neighbor-changes
neighbor 10.10.10.2 remote-as 65000
neighbor 10.10.10.2 update-source Loopback0

!--- Adds an entry to the BGP or MP-BGP neighbor table.

!--- And enables BGP sessions to use a specific operational interface for TCP connections.

!
address-family vpnv4
neighbor 10.10.10.2 activate
neighbor 10.10.10.2 send-community both
exit-address-family

!--- Enters address family configuration mode that uses standard VPN version 4 address prefixes.

!--- Creates the VPNv4 neighbor session to the Route Reflector.

!--- And sends the community attribute to the BGP neighbor.

!
address-family ipv4 vrf Client_A
neighbor 10.0.4.1 remote-as 65002
neighbor 10.0.4.1 activate
exit-address-family
!
address-family ipv4 vrf Client_B
neighbor 10.0.4.1 remote-as 65001
neighbor 10.0.4.1 activate
exit-address-family

!--- These are the eBGP sessions to each CE router belonging to different customers.

!--- The eBGP sessions are configured within the VRF address family
!
end

PE-2

hostname PE-2
!
ip cef
!
vrf definition Client_A
rd 100:110
route-target export 100:1000
route-target import 100:1000
!
address-family ipv4
exit-address-family
!
vrf definition Client_B
rd 100:120
route-target export 100:2000
route-target import 100:2000
!
address-family ipv4
exit-address-family
!
ip cef
!
interface Loopback0
ip address 10.10.10.6 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
description link to P-2
ip address 10.1.1.22 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/1
vrf forwarding Client_B
ip address 10.0.6.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
vrf forwarding Client_A
ip address 10.1.6.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
vrf forwarding Client_A
ip address 10.0.6.2 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router isis
net 49.0001.0000.0000.0006.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
router bgp 65000
bgp log-neighbor-changes
neighbor 10.10.10.2 remote-as 65000
neighbor 10.10.10.2 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.10.2 activate
neighbor 10.10.10.2 send-community both
exit-address-family
!
address-family ipv4 vrf Client_A
neighbor 10.0.6.1 remote-as 65004
neighbor 10.0.6.1 activate
neighbor 10.1.6.1 remote-as 65004
neighbor 10.1.6.1 activate
exit-address-family
!
address-family ipv4 vrf Client_B
neighbor 10.0.6.1 remote-as 65003
neighbor 10.0.6.1 activate
exit-address-family
!
!
end

P-2

hostname P-2
!
ip cef
!
interface Loopback0
ip address 10.10.10.3 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
description link to PE-2
ip address 10.1.1.21 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/1
description link to P-1
ip address 10.1.1.6 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/2
description link to RR
ip address 10.1.1.9 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
router isis
net 49.0001.0000.0000.0003.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
end

RR

hostname RR
!
ip cef
!
interface Loopback0
ip address 10.10.10.2 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
description link to P-1
ip address 10.1.1.2 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/1
description link to P-2
ip address 10.1.1.10 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router isis
net 49.0001.0000.0000.0002.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
router bgp 65000
bgp log-neighbor-changes
neighbor 10.10.10.4 remote-as 65000
neighbor 10.10.10.4 update-source Loopback0
neighbor 10.10.10.6 remote-as 65000
neighbor 10.10.10.6 update-source Loopback0
!
address-family vpnv4
neighbor 10.10.10.4 activate
neighbor 10.10.10.4 send-community both
neighbor 10.10.10.4 route-reflector-client
neighbor 10.10.10.6 activate
neighbor 10.10.10.6 send-community both
neighbor 10.10.10.6 route-reflector-client
exit-address-family
!
!
end

P-1

hostname P-1
!
ip cef
!
interface Loopback0
ip address 10.10.10.1 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
description link to PE-1
ip address 10.1.1.13 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/1
description link to RR
ip address 10.1.1.5 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
interface GigabitEthernet0/2
description link to P-2
ip address 10.1.1.1 255.255.255.252
ip router isis
duplex auto
speed auto
media-type rj45
mpls ip
!
router isis
net 49.0001.0000.0000.0001.00
is-type level-2-only
metric-style wide
passive-interface Loopback0
!
end

CE-A1

hostname CE-A1
!
ip cef
!
interface GigabitEthernet0/0
ip address 10.0.4.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router bgp 65002
bgp log-neighbor-changes
redistribute connected
neighbor 10.0.4.2 remote-as 65000
!
end

CE-A3

hostname CE-A3
!
ip cef
!
interface GigabitEthernet0/0
ip address 10.0.6.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
router bgp 65004
bgp log-neighbor-changes
redistribute connected
neighbor 10.0.6.2 remote-as 65000
!
end

Verification
This section provides information you can use to confirm that the configuration works properly:

PE to CE Verification Commands

• show ip vrf — Verifies that the correct VRF exists.
• show ip vrf interfaces — Verifies the activated interfaces.
• show ip route vrf <VRF name> — Verifies the routing information on the PE routers.
• traceroute vrf <VRF name> <IP address> — Verifies the routing information on the PE routers.
• show ip cef vrf <VRF name> <IP address> detail — Verifies the routing information on the PE routers.

MPLS LDP Verification Commands

• show mpls interfaces
• show mpls forwarding-table
• show mpls ldp bindings
• show mpls ldp neighbor

PE to PE/RR Verification Commands

• show bgp vpnv4 unicast all summary
• show bgp vpnv4 unicast all neighbor <neighbor IP address> advertised-routes — Verifies VPNv4 prefixes sent
• show bgp vpnv4 unicast all neighbor <neighbor IP address> routes — Verifies VPNv4 prefixes received

This is a sample command output of the show ip vrf command.

PE-1# show ip vrf
Name                             Default RD            Interfaces
Client_A                         100:110               Gi0/1
Client_B                         100:120               Gi0/2

This is a sample command output of the show ip vrf interfaces command.

PE-2# show ip vrf interfaces
Interface              IP-Address      VRF                              Protocol
Gi0/2                  10.1.6.2        Client_A                         up
Gi0/3                  10.0.6.2        Client_A                         up
Gi0/1                  10.0.6.2        Client_B                         up

In this next sample, the show ip route vrf commands show the same prefix 10.0.6.0/24 in both the outputs.
This is because the remote PE has the same network for two Cisco clients, CE_B2 and CE_A3, which is
allowed in a typical MPLS VPN solution.

PE-1# show ip route vrf Client_A

Routing Table: Client_A
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.4.0/24 is directly connected, GigabitEthernet0/1
L 10.0.4.2/32 is directly connected, GigabitEthernet0/1
B 10.0.6.0/24 [200/0] via 10.10.10.6, 11:11:11
B 10.1.6.0/24 [200/0] via 10.10.10.6, 11:24:16

PE-1# show ip route vrf Client_B

Routing Table: Client_B
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.0.4.0/24 is directly connected, GigabitEthernet0/2
L 10.0.4.2/32 is directly connected, GigabitEthernet0/2
B 10.0.6.0/24 [200/0] via 10.10.10.6, 11:26:05

When you run a traceroute between two sites, in this example two sites of Client_A (CE-A1 to CE-A3), it is
possible to see the label stack used by the MPLS network (if it is configured to do so by mpls ip propagate-ttl).

CE-A1# show ip route 10.0.6.1
Routing entry for 10.0.6.0/24
Known via "bgp 65002", distance 20, metric 0
Tag 65000, type external
Last update from 10.0.4.2 11:16:14 ago
Routing Descriptor Blocks:
* 10.0.4.2, from 10.0.4.2, 11:16:14 ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 65000
MPLS label: none

CE-A1# ping 10.0.6.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.6.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/9 ms

CE-A1# traceroute 10.0.6.1 probe 1 numeric
Type escape sequence to abort.
Tracing the route to 10.0.6.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.4.2 2 msec
2 10.1.1.13 [MPLS: Labels 20/26 Exp 0] 8 msec
3 10.1.1.6 [MPLS: Labels 21/26 Exp 0] 17 msec
4 10.0.6.2 [AS 65004] 11 msec
5 10.0.6.1 [AS 65004] 8 msec

Note: Exp 0 is an experimental field used for Quality of Service (QoS).

The next output shows the IS-IS and LDP adjacency established between the RR and some of the P routers
in the Service Provider core network:

RR# show isis neighbors

Tag null:
System Id       Type Interface     IP Address      State Holdtime Circuit Id
P-1             L2   Gi0/0         10.1.1.1        UP    25       RR.01
P-2             L2   Gi0/1         10.1.1.9        UP    23       RR.02

RR# show mpls ldp neighbor
Peer LDP Ident: 10.10.10.1:0; Local LDP Ident 10.10.10.2:0
TCP connection: 10.10.10.1.646 - 10.10.10.2.46298
State: Oper; Msgs sent/rcvd: 924/921; Downstream
Up time: 13:16:03
LDP discovery sources:
GigabitEthernet0/0, Src IP addr: 10.1.1.1
Addresses bound to peer LDP Ident:
10.1.1.13 10.1.1.5 10.1.1.1 10.10.10.1
Peer LDP Ident: 10.10.10.3:0; Local LDP Ident 10.10.10.2:0
TCP connection: 10.10.10.3.14116 - 10.10.10.2.646
State: Oper; Msgs sent/rcvd: 920/916; Downstream
Up time: 13:13:09
LDP discovery sources:
GigabitEthernet0/1, Src IP addr: 10.1.1.9
Addresses bound to peer LDP Ident:
10.1.1.6 10.1.1.9 10.10.10.3 10.1.1.21

Related Information
• MPLS Command Reference
• Technical Support & Documentation - Cisco Systems
• Verify MPLS Layer 3 VPN Forwarding
