INE Live Webinar: L3VPN with PE-CE as BGP

Captions
Hello and welcome to INE's webinar on the basic L3VPN implementation with the PE-CE routing protocol as BGP. For some of you who do not know me, I am Rohit Pardasani, a full-time instructor with INE; I have about five CCIEs: Routing & Switching, Security, Voice, Collaboration and Service Provider.

Now, in this video, or in this webinar in fact, we are basically going to be talking about the need for L3VPN and what the prerequisites are to build a successful L3VPN. We would not be talking about L3VPN with inter-AS because of obvious time constraints, but we will talk about implementing L3VPN with a single infrastructure, or a single service provider.

So if you look at BGP MPLS L3VPNs, it's basically an alternative to IPsec VPN. IPsec VPNs require you to configure a full mesh; it does give you protection over a shared infrastructure, but when you build L3VPNs over a shared infrastructure this would be an alternate choice. It basically solves the problem of scalability, because think about how many site-to-site VPNs you would have to do. The advantage of building an L3VPN would be scalability, because now I could have multiple providers, or in fact multiple customers, connecting to a provider and taking over the shared infrastructure and connecting remote sites. Adding a new VPN, or a new customer, or a new branch often does not really require much configuration; the only change that you probably have to do would be on the PE, which is the provider edge. The customer just runs maybe a routing protocol with the provider; it could be OSPF, it could be static routes, it could be IS-IS, it could be EIGRP, or it could be BGP. Most probably the customer would normally run either a default route to the ISP or BGP; I don't really see a customer running OSPF with the provider.

Now obviously, for us to build this L3VPN, what are the prerequisites? What should we do, what should we configure within the ISP infrastructure to support or allow customers to connect, which are probably perfectly separate? So the core components required to build L3VPNs: the first thing is that the ISP should have some kind of an IGP running within its infrastructure, which normally would be the case. Most of the ISPs would run either OSPF or IS-IS; I don't see EIGRP being run within the ISP, it's either going to be OSPF or IS-IS. So you should have some kind of an IGP running within the infrastructure of the service provider; that's the first thing.

We should have some kind of MPLS so that packets don't get dropped, because we would never have BGP on every router within the ISP infrastructure. You would never have BGP on all the routers; you probably have BGP on the edge, the PE routers, but you would not be having BGP on thousands of routers within the infrastructure. So we should have either MPLS or maybe segment routing within the ISP infrastructure.

The third prerequisite would be to establish a BGP neighborship between all the PE routers. Now again, this could be a full mesh, which again would not be the case normally; you would have route reflectors, you would have all the PEs peering with a route reflector which could be a central point. However, in our design we would not be doing that; it's going to be a pretty basic implementation of L3VPN. We would just have two PE routers, so we need a BGP neighborship between the two PE routers. Now, what kind of an address family would we need, or what kind of a BGP neighborship would we need between our two PE routers? The first one would be maybe an IPv4 address family BGP neighborship, which could be used to exchange the global routing table, and we would have a VPNv4 neighborship to exchange routes which are not in the global routing table but maybe in a VRF. So BGP has to be configured.

Obviously we would need to configure the VRFs to segregate the customers, because we don't want customers to be in the global routing table. Think about why you would need to do that. Imagine if you have overlapping networks; let's say customer A is advertising 192.168.1.0 to the provider, and at the same time customer B is also advertising the same network. So you don't want that to be in the global table; you'd have to separate or segregate the different customers. So we would create the VRFs on the PE to segregate the different customers, and then obviously we run a PE-CE routing protocol. Like I said, it could be OSPF, it could be EIGRP, it could be RIP, it could be IS-IS, it could be static routes, or it could be BGP with the customer. Obviously in your CCIE Service Provider you would probably be tested for BGP as the PE-CE, or maybe OSPF; you would not be tested for EIGRP in the new blueprint. So in our case, in this webinar, we would be running BGP between the PE and the CE.

The last thing that we need is redistribution. We do need to configure redistribution if your PE-CE was maybe an IGP; maybe I was running OSPF with the customer. In that case, yes, I would need redistribution to redistribute the OSPF-learned routes into BGP so that I can send those routes to the remote PE.

Now obviously, a few things that you will need to keep in mind when you create the VRFs: we require a route distinguisher. So a route distinguisher is basically a 64-bit tag; it's basically a tag value which, when the PE receives the routes from the customer, it inserts that tag, which is 64 bits, 8 bytes, and the prefix is tagged with that. The purpose of it is that it has to be unique for every customer, so you cannot have two VRFs having the same route distinguisher. So think about it: let's say if customer A is advertising 192.168.1.0 and customer B is also advertising the same thing, when the remote PE gets the route, how does it know that this route belongs to customer A or customer B? How can it segregate those routes? That's done with the route distinguisher. So obviously we still need a few more things; we still need to enable extended communities, because we would have to import those routes, which I'm basically learning from BGP. I would need to import those routes into the customer's routing table, so I need route targets also.

So these are the basic prerequisites that you need, that you should think about when you build an L3VPN. Obviously inter-AS requires a few more things depending on how you're connecting to the remote service provider; let's say there were two ISPs which were connecting to the customers. In that case you probably have option A or B or C, or carrier supporting carrier, so it depends on that. Obviously we would not be doing that right now, so these are your basic prerequisites that you should always think about.

So let's look at our topology that we would be working on. So here I have customer A and customer B, and let's pull this out; so I have customer A here, I have customer B here, and let's go and change this. All right, and I have customer B here, which is down. Now, Router 1 is an IOS XE router; R7 and R8, which again are customers, they are IOS XE, and the ISP is also running IOS XE except for XR1 and XR2. So all of these routers are basically IOS XE; the commands are a bit different between XE and XR, but the concept is still the same. So here Router 2 is going to act as a PE, XR1 is also going to act as a PE, XR2 would be the customer edge, Router 1 would be the customer edge, Router 7 would be the customer edge and R8 would be the customer edge. Routers 3, 4, 5 and 6 would not be PE routers; they are not running BGP, they would only be running an IGP and maybe MPLS or segment routing. So these routers would be called P routers, which are basically not running BGP. So this is going to be our infrastructure which we would be building or configuring. We will also be looking at troubleshooting; like when I actually build the MPLS, we look at why we would not form maybe an LDP neighbor, how can we troubleshoot where the problem is. We would look at all those things.

Now, as of right now nothing has been pre-configured except for IP addressing. IP addressing has been pre-configured, and OSPF within the ISP infrastructure has been pre-configured. The customers are not running anything; only an IP address has been configured. The PE routers have only been configured with OSPF internally, not towards the customer side, so I only have OSPF internally within the ISP infrastructure at this point of time.

So let's in fact start building this; maybe build the BGP neighborship between the customer and R2, and XR2 and XR1, and maybe R7 and R2 and R8 and XR1. Now, even if I build the BGP neighborship, and let's say if Router 2 and XR1 are forming maybe a VPNv4 neighborship, or if my customer is in the global routing table then an IPv4 neighborship, my customer would have the control plane information to all the routes: the routes from XR2 would be given to XR1, XR1 would give the routes to Router 2, Router 2 would pass those routes to Router 1. So from a control plane perspective, yes, they have the routes in the routing table, but if Router 1 does a ping to XR2 that's not going to work, because obviously R3 and R4, 5 and 6 are not running BGP, so they would do a routing lookup, and they're not running BGP, so they would drop the packet. So I need some kind of a mechanism, something like MPLS, where Routers 3, 4, 5, 6 don't do a routing lookup but they do something else, and that's exactly what's going to happen with MPLS.

So with MPLS, what's going to happen is that each router within the ISP infrastructure would establish an LDP neighborship. LDP is my Label Distribution Protocol. What exactly are labels? Think of labels as a representation for a prefix, so one label equals one prefix. It's obviously unique on the same router, but it could be the same between two routers; so it's not unique between routers, but it has to be unique for every prefix on the same router. So think about it like this: if R2 advertises the customer routes to its BGP neighbor, it has to transit R3, 4, 5 and 6, right? It cannot just jump over them; it has to physically transmit through 3, 4, 5, 6. Now, when R3 gets the packet, if R2 encapsulates the packet with maybe an MPLS label, in that case R3 would do a label lookup, right? It would not do a routing lookup, and that's exactly what we want. So like I said earlier, L3VPN is a kind of a VPN, but it's not IPsec; we use BGP and we use MPLS for that.

So how are labels advertised? Think about it like an IGP, for example OSPF. So for me to give you a route, what's the first thing we do? You and me should establish an adjacency, right? You and me would first form an OSPF adjacency, and then I would advertise a route to you; you would put that route in your database and then in your routing table, and then your data plane uses the routing table to come back to me. So I advertise to you. Similarly here, all the routers, 2 and 3, 3 and 4, 4 and 5, 5 and 6, 6 and XR1, they all will establish a neighborship here which is called an LDP adjacency. They will establish an LDP adjacency; once they establish the adjacency they will start exchanging labels representing a prefix. So first you and me need to form an LDP adjacency, then I will send you a label for my prefix, and you need to use that label to come to me. And that's exactly what we would have to build.

So if you remember the prerequisites, the first thing was the ISP should have some kind of an IGP running internally, which we have at this point of time. The second thing was, okay, do we have MPLS running at this point of time within the ISP? No. So let's start from that; let's first build MPLS. Let's get our ISP infrastructure ready to establish the LDP neighborship, to start exchanging labels. I'll also explain to you how the labels are advertised and how the MPLS forwarding table is built. So what I'm going to do is, I will configure MPLS within the ISP infrastructure, and let's start with Router 2, which is my PE router. So I'm going to start with 2 and go all the way to 3, 4, 5, 6 and XR1.

So what's the first thing that we need for MPLS? CEF should be enabled, which I believe is by default, but you should have the habit of actually doing that, because sometimes, maybe in the lab exam from a troubleshooting perspective, they may disable that. So have the habit of starting off from here. The next thing that I'm going to do is define the MPLS label protocol as LDP; that's the second thing. So I'm going to use LDP, which uses port 646. One thing that you should keep in mind is that for the LDP neighborship to establish, you must ensure that your router ID is reachable; otherwise you would not have any neighborship coming up. Okay, so what I'm going to do right now is I will configure my router ID to be my loopback. So if you look at my routing table right now, show ip route ospf, I do have the routes within the ISP infrastructure; I have 3, 4, 5, 6. So Router 3 is 3.3.3.3, 4 is 4.4.4.4, 5 is 5.5.5.5, 6 is 6.6.6.6 and XR1 is 19.19.19.19; R2 is 2.2.2.2. Gotcha.

So I would say mpls ldp router-id Loopback0. The router ID should basically be reachable; it must be a reachable address. Unlike OSPF, you know, in OSPF the router ID could just be any address, it doesn't need to be a reachable address, but in LDP it must be a reachable address. And in fact I'll show you, by configuring a new loopback on maybe some other router, how my LDP neighborship would get affected because of the loopback or the router ID not being reachable. So the first thing would be to enable CEF, ensure you configure the MPLS router ID, the label protocol, that's again optional, and there's something that I always do which is mpls label range. I like doing this because it just becomes easier to troubleshoot; when I do a traceroute or a ping it just becomes easier, because I would see the labels and I know that the label is from a certain router. So from a lab exam perspective it really makes sense; maybe in production you may not be able to do this because you may have thousands of routers, but in the lab exam you'll probably have like 30 or 40 or 50 routers, so you can definitely do this, and you will never have more than 500 routes. So what I always do is I define a unique label range for every router. So let's say for R2 I would say 2001, or maybe 2000 to 2999; so that's a unique label range for Router 2.

The next thing that I would do would be to activate MPLS on my interface. Now I could do this in two ways. I could go to my interface; if you look at my interface, it is Gig1.23, so I could go to my interface and say mpls ip. So this is one way of activating MPLS on my interface. Again, what if I have 20 interfaces? In that case it becomes a tedious task for me to go and enable MPLS on every interface. So another way could be, since I'm running OSPF as the IGP within the ISP infrastructure, what I could do is go under OSPF and say mpls ldp autoconfig. This activates MPLS for all interfaces which have OSPF enabled. So if I do a show mpls interfaces now, you would see that I have MPLS enabled on Gig1.23. So one way could be I go to my interface and give the command mpls ip; another way could be I just go under OSPF or IS-IS and say mpls ldp autoconfig. This activates MPLS on all the interfaces; whichever interface has OSPF running will have MPLS on it. So now I have MPLS running on Router 2.

Let's now configure Router 3, which is my P router. What's the first thing we do? We enable CEF; again, it's enabled by default, but have the habit of doing that. You don't want to waste 20 minutes of your time in the lab exam thinking about why it is not working, and then you realize that, oh, CEF was disabled. So just have the habit of doing that; start from here. Configure your label protocol as LDP, the label range, in fact 3000 to 3999, so I am giving a unique label range for R3, and then mpls ldp router-id Loopback0. Let's now go to router ospf 1 and say mpls ldp autoconfig; this activates MPLS on all its interfaces which have OSPF enabled. So now I have MPLS towards R2 and towards R4. Remember, for you to establish this LDP neighborship, you must have MPLS enabled on both sides, something like OSPF: you and me would not form an OSPF adjacency if only I activate OSPF, you know; we both need to activate MPLS, only then you and me would form an LDP adjacency with each other. So now I have my MPLS running.

Let's now go to R4 and configure Router 4. So again ip cef, mpls label protocol ldp, mpls ldp router-id Loopback0 and mpls label range 4000 4999. Now again, this label range should be enough for the amount of routes that you have, and maybe about thirty percent more; don't give a really low value because it's one prefix, one label, it's a one-to-one ratio. And let's go now to OSPF and say mpls ldp autoconfig, so I should establish an adjacency with R3. The next thing that I would do would be to configure 5. So I have my mpls label protocol ldp, the label range would be 5000 to 5999, and mpls ldp router-id Loopback0; router ospf 1, mpls ldp autoconfig. Next we have R6, and then we have XR1, which is going to be left. So ip cef, mpls label protocol ldp, mpls ldp router-id Loopback0 and mpls label range between 6000 and 6999; lastly, under OSPF, enable LDP, so mpls ldp autoconfig. You don't really need to do autoconfig on all the routers; you could mix and match, it doesn't really matter. You could have autoconfig on one router, you could have mpls ip on the interface; the point is that you should have MPLS enabled on both sides of the link, only then can you establish the LDP neighborship. The last router that I have within the ISP: so I've configured 2, 3, 4, 5 and 6; the next thing left, or the last one left within the ISP, would be XR1. And you never enable MPLS towards the customer side; MPLS is only within the ISP infrastructure.

So now I have XR1. For XR1 the commands are a bit different, so you don't really have to enable CEF. So the first command would be mpls ldp, and then we define the router ID, which again should be a reachable address; let's do 19.19.19.19, and let's enable address-family ipv4, and finally activate MPLS, so that's going to be interface. So this is something like mpls ip on IOS XE. If you do want to do autoconfig, you can still do autoconfig the same way; you could go back to router ospf 1 and give the command mpls ldp autoconfig, so that command is pretty much the same. However, if you are using autoconfig you still have to do mpls ldp and address-family, you still have to do that; you don't really need to do interface, because if you're doing autoconfig you don't need to do that. So the interface would be Gig0/0/0/0.619. In fact, what I should do is, before I give this interface, before I activate it, I should always define the label range first, because if I don't define the label range then XR1 would allocate labels starting from 16, and I would have to probably clear my MPLS LDP neighborship or reboot the router. So maybe I'm going to go back, exit out, and give the command mpls label range, and let's define a unique range, 19000 to 19999. Go back to mpls ldp and give the command interface Gig0/0/0/0.619, which is towards R6. Finally hit commit, which activates MPLS on my interface towards R6, and I should see a message coming up which says the LDP neighborship has come up. So now I have MPLS running on all the routers within the ISP infrastructure.

If you remember, I told you that your neighborship would not form if your router ID was not reachable. Let's confirm that. Let's go back to any one router, maybe R3, and I will go and create a new loopback; let's create Loopback1, and this loopback would not be advertised in OSPF. So let me first check my OSPF: show run | section ospf. In fact I have network 0.0.0.0; I'll change that so that I don't have OSPF on the new loopback. I'll remove this and let's do network 20.0.0.0 0.255.255.255 area 0 and network 3.3.3.3 0.0.0.0 area 0. So now I have OSPF only on my internal network and my loopback. Let's now create that new loopback; let's give an IP address 33.33.33.33. So this loopback is not running OSPF now; it's not running OSPF. Let's go and change my router ID, mpls ldp router-id Loopback1, and in fact let's do a force. There's no preemption, so even if you give the command mpls ldp router-id Loopback1 it would not take effect unless you clear your MPLS LDP neighborship or reboot the router; but if you do force, it actually changes your router ID immediately. It's something like you doing clear ip ospf process. So now if you see, my router ID is Loopback1. Did my LDP neighborship come up? I don't have any neighbors. I do not have any neighbors; what's the reason? Because the router ID is not reachable, so I would not be able to form the neighbors.

So now I have two choices: either I advertise that loopback in OSPF, or I change my transport mechanism for LDP to use another loopback, but my router ID would still be Loopback1. If you look at, let's say, Router 5, if I do a show mpls ldp neighbor on Router 5, look at my router ID: the router ID is 5.5.5.5, and my TCP connection is on the router ID; that's why it must be reachable. So what I can do is either advertise that loopback in OSPF, or maybe I could go to my interface and give the command mpls ldp discovery transport-address interface, and the same thing for R4, use the transport address as the interface. My LDP neighborship should come up now. So what's going to happen is that my router ID is still going to be Loopback1, but my TCP connection is going to be on my physical interface. I could give my Loopback0 also here; instead of specifying interface I could give Loopback0. So if I do a show mpls ldp neighbor, you would see that my router ID is still 33.33.33.33 but my TCP connection is from the physical interface to the physical interface, okay, it's on the physical interface, because I changed the transport to be my physical interface. By default it uses the router ID as the transport; that's why your router ID must be reachable. It has to be reachable.

Another thing: it's in fact pretty easy, more straightforward, to actually troubleshoot an LDP neighborship. Yeah, you could go and do a show mpls ldp neighbor, but imagine if you have like 100 routers; I cannot go to 100 routers and do a show mpls ldp neighbor, do I have my neighbor? There should be a better way to identify where the problem is. So for example, let me go back to this diagram and I will maybe disable MPLS here on this link, just this link, okay, and we try and identify, how can we identify where the break is between two routers, where my MPLS is broken? How can I identify that?

So let's go back to Router 6. In fact, if I go to my PE router right now and do a traceroute to 19.19.19.19, which is the remote PE, sourcing from my loopback, I should see MPLS end to end. So I have MPLS here, I have MPLS here, yeah; I don't see MPLS here because PHP happens, which is your penultimate hop popping, so it happened at Router 6. But right now my MPLS is not broken; everything is okay. Let me go back to R6 and go to my interface .619 and say no mpls ldp igp autoconfig; let's disable that. So on that interface, on that specific interface, I'm not running MPLS. The reason I had to give this command was because I was using autoconfig; so when you use autoconfig it activates MPLS on all interfaces which have OSPF running. So if you want to disable it on a certain interface, the command would be no mpls ldp igp autoconfig. So on that interface now I'm not running MPLS. So if I do a show mpls interfaces you would see that I'm only running MPLS towards R5, not towards XR1. Obviously, if I go back to R2 now and do a traceroute, you would see that I still see everything okay here; if you see, I still see everything okay, 6004 and then PHP. But is there a break in MPLS? Yes, there is an LDP neighborship which is broken between 6 and XR1. Maybe I could do a ping; let's do ping mpls ipv4 19.19.19.19 255.255.255.255 source 2.2.2.2 verbose. What do I see? I see the flag as B. What does B say? B says unlabeled output interface, and it tells you that the packet was okay, the reply was received, the packet was okay all the way up to 20.5.6.6, which is R6. So up till R6 everything was okay, absolutely no problem, but the outbound interface of R6 does not have MPLS, which you can see here: unlabeled output interface. So you see, it's pretty easy to identify a break in your MPLS by just doing a ping mpls, and you would know where the break is; just directly jump to that router and fix your MPLS.

So I could directly go to R6 and fix that. Let's go back to interface Gig1.619; maybe I could do an mpls ip here, or I could remove the no mpls ldp igp autoconfig. So now that I have MPLS up and running again, if I go back to 2 and try the traceroute, I should see labels; so now I know that PE to PE everything is okay. So my ISP infrastructure is successfully configured for MPLS. So this was the second core requirement: one was running an IGP, which we already had pre-configured, and the second was running MPLS.

Now, how are these labels advertised, which we need to understand? If I do a traceroute I can see all these labels, right: 3007, I know it's from R3; 4004, I know it's from R4, because I gave a unique range, so it just becomes easier to troubleshoot. When you look at the labels, I know this is from R4, this one is from R5; it just becomes easier. So how are these labels actually advertised? Let's in fact see if we can draw a diagram. Maybe let's say I have Router 2 here; behind that I have a customer here, Router 1. I have Router 2 here, I have 3, I have 4, 5, 6 and XR1, and then the customer, XR2. So this was my ISP which was running OSPF and MPLS. I should have a BGP VPNv4 neighborship; this would be BGP VPNv4. The customer may run whatever; maybe it runs IPv4 BGP, this would be IPv4 BGP. And let's look at how these labels are actually advertised.

So I'm going to draw the MPLS forwarding table and explain how the labels are advertised, and then how the data plane uses that later. So I have my routers here, these are my routers; I have the local label, I have the outgoing label, I have the prefix, okay, seems like something is wrong, okay, so I have my prefix and interface and finally the next hop. This would be Router 2, Router 3, Router 4, Router 5, R6 and XR1. Okay, now my BGP neighborship between 2 and 6, R2 and in fact XR1; this neighborship should be between XR1, so it's all the way here. So my BGP neighborship is between 2 and XR1. There is another prerequisite that you would need: your neighborship must be on the loopback; it should not be on the physical interface, it should be on the loopback, because otherwise your penultimate hop popping would happen one hop earlier. That's why your neighborship must be on the loopback.

So let's assume that R2 and XR1 are establishing the BGP neighborship on the loopback. So R2 is going to advertise a label representing its loopback; it would advertise a unique label for that loopback, and that label, because this loopback is directly connected to R2, R2 advertises a special label which is called implicit null; the label number is 3. So it advertises a special label to its neighbor through LDP: this is a directly connected interface of mine, it's a special label which I'm giving you, which is called implicit null. So whatever it advertises, it puts that here, and that's going to be blank, which basically means that it's an implicit label, number 3, for the prefix 2.2.2.2, which is the loopback of R2. When R3 gets this special label, it puts that in the outgoing column, and the special label was implicit null, which basically means pop label. Now the meaning of pop label is: remove just the topmost layer, just the topmost layer, remove just the top layer and whatever is inside, forward that ahead. So it puts pop label here for the prefix 2.2.2.2. On which interface did it receive the advertisement of the label? On Gig1.23. From which neighbor? From maybe 20.2.3.2, which is R2. Now R3 has to advertise that prefix, or a label for that prefix, to its neighbor, which is R4. Is that loopback 2.2.2.2 directly connected to R3? No, right? So it cannot send an implicit null; it has to advertise a label for it. Let's say it advertises 3001; it puts that here and advertises to its neighbor R4, which comes here: again 2.2.2.2 on Gig1.34 from 20.3.4.3. R4 does exactly the same thing; it advertises a unique label for that prefix to its neighbor R5, which goes here. This is the same; this is Gig1.45 from 20.3, or in fact this is 20.4.5.4, excuse me. And then R5 advertises to its neighbor; this is the same, Gig1.56, in fact this was 34 and 5 is 45, this is 56, 20.5.6.5. And 6 will say, let's say, 6001 to its neighbor, which is XR1; 6001, this would be Gig0/0/0/0.619, 20.6.19.6. Now XR1 will also create a label for the prefix, maybe 19001, but that label here is irrelevant because there's no neighbor behind XR1 at this point of time. In the future if a new LDP neighborship comes up behind XR1, then it would advertise 19001 to that neighbor, but at this point of time, as per this diagram, it's irrelevant. So this is from a control plane perspective.

Now from a data plane perspective: XR2 has learned the routes of R1 through BGP, right, because R1 advertises via BGP to R2, R2 advertises to XR1, XR1 gives the routes to XR2. So let's say XR2 does a ping to R1. Is there MPLS between XR1 and XR2? No, so it sends an IP packet. Because XR1 receives an IP packet, what does it do? It does a routing lookup, directly a routing lookup: do I have a route to R1? Yes, learned through BGP; my next hop is 2.2.2.2. To reach 2.2.2.2 I must use the IGP, OSPF, and forward the packet to R6. However, on the link between XR1 and R6 there is MPLS enabled, so I cannot send an IP packet; I must encapsulate the packet. So now XR1 does an MPLS lookup: to reach the destination R1 my next hop was 2.2.2.2; to reach 2.2.2.2 I must encapsulate the packet with a label 6001 and forward to R6. So now XR1 encapsulates and forwards an MPLS-labeled packet, 6001. What does R6 do? Does it do a routing lookup? No, because it received an MPLS packet, an MPLS-labeled packet, so it does an MPLS lookup: if I receive a labeled packet which is 6001, what do I do? I swap the label with 5001 and forward out this interface to this neighbor. So R6 swaps the label and forwards to 5, and this would still be IP and this would be 5001. R5 does exactly the same thing, swaps the label: IP, 4001. R4 does the same thing: IP, this would be 3001. When R3 gets an MPLS-labeled packet, 3001, what does it see? It sees that, okay, if I received 3001 I should do a pop label; pop label means remove the topmost layer and forward whatever is inside to the neighbor. So now it does a pop label and forwards an IP packet to R2, and R2 does a routing lookup and forwards an IP packet to the customer. Now this is when there is no VPNv4; everybody is in the global routing table, excuse me.

But what if I want to segregate the customer? So maybe this time I go and put this customer in VRF A, and I put this in VRF A. Now since the customers are in the VRF, which is not in the global routing table, 2 and XR1 need to establish a VPNv4 neighborship; only then can they exchange routes, or VPN labels. So in this case what's going to happen: my MPLS label is my transport label, and my VPN label is the label which is below the transport label. So basically my VPN label, if you look at the VPN label, it is 96 bits, because it consists of the route distinguisher, which is 64 bits, and the IPv4 prefix, which is 32 bits, so in total 96 bits. So what's going to happen: the VPN label is not advertised through LDP, so R2 would never advertise a VPN label to R3, because R3 is not its VPNv4 neighbor. R2 only has one VPNv4 neighbor, which is XR1. So R2 would advertise a VPNv4 label, a VPN label representing the prefix of the customer. So let's say it puts 2222, and you would see V here; V indicates a VPN label, and the outgoing label would be No Label. The meaning of No Label is remove all the labels and forward an IP packet to the customer. The prefix would be the customer's routing table, 1.1.1.1; the interface is Gig1.12, 10.1.1.1, and this VPN label is not advertised through LDP, it is advertised through BGP. So R2 advertises directly to XR1 through BGP, so only XR1 would see 2222 for the prefix 1.1.1.1, and obviously its next hop would be 2.2.2.2, and this would be Gig0/0/0/0.619. You would not see, in fact, you would not see this in the MPLS forwarding table; this would be in the BGP label table, it's not in the MPLS forwarding table. If I do a show mpls forwarding-table you would not see this; this is in the BGP table.

So now how is the packet flow going to be? Again, what's going to happen; the difference is going to be here. So the customer sends an IP packet to XR1. Because XR1 receives the packet on a VRF-enabled interface, it must tag the traffic with the label which the remote PE has advertised to it. What's the destination? XR2 is trying to reach 1.1.1.1. To reach 1.1.1.1, XR1 knows that R2 had instructed it: if you want to send packets to my customer you must encapsulate with a VPN label, 2222. So now XR1 encapsulates with 2222, which is my VPN label. However R2 is not directly connected; it must transit through R6, 5, 4 and 3, so there has to be an MPLS transport label on top of that, which is going to be 6001; that's my 6001 here. And finally it goes to R6; R6 swaps the label, so IP remains the same, the VPN label remains the same, this would change to 5001. The same thing happens here: IP, VPN label 2222, and this would be 4001. The same thing happens on R3: IP, 2222 and 3001. When R3 gets it, what does it see? If I receive 3001, what do I do? Pop label, remove the topmost layer. So it removes just the topmost layer and forwards a VPN-labeled packet to the remote PE, R2. So R2 gets 2222; so now R2 does a lookup in its MPLS table, and it sees that if I received a VPN-labeled packet, do No Label and forward out this interface to this customer, and it forwards an IP packet to the customer. So this is the scenario happening behind the scenes when I have MPLS running and I have VPNv4.

So let's now go back to our routers and start building the L3VPN. So the first thing that I would do would be, I would start with the customer. The customer is going to be running BGP as per the diagram; the customer is running BGP AS 120 on Router 1. So router bgp 120, neighbor is going to be my ISP, 10.1.2.2, remote-as 100, and let's advertise all my routes: redistribute connected. Let's also configure, in fact, R2; excuse me, on R2 there are a few things that I would need before I build BGP. So think about these as steps; always remember these steps. Step number one: once you configure OSPF internally in the ISP infrastructure and MPLS is done, then for L3VPN the first step should be to create a routing table for the customer. If I do a show ip route vrf *, this is my global routing table; there is one more routing table right now which is pre-configured, called management, but those are my two routing tables: the global routing table and some VRF which is pre-configured. So step number one should be to create a routing table for the customer; that's done with ip vrf. Now I could do an ip vrf or I could do vrf definition; the difference is that ip vrf only supports IPv4 and vrf definition is address-family based, supporting IPv4 and IPv6. So I could do a vrf definition, let's say A; that's my first routing table. Now every routing table should have a unique identifier, which is my route distinguisher, so rd; let's use 100:1. Usually you would want to use the service provider's AS number and then any number representing the customer. So normally, because I'm configuring R2 which is the ISP, I would do 100:1; 1 indicates R1 and 100 is my AS, but it doesn't really matter, you can use whatever you want. Let's exit out, let's
create one more PRF definition B and give Rob distinguished as 2 : 2 so now I have two routing tables created let's verify that show IP route vrf star this is my global routing table and then I have the I should have the bottom table of customer B now I don't see that my routing table did not get created the reason it was not created is because I used the command vrf definition which is address family base I did not activate that rest family if I give I be BRF then I don't need to define address family because it's only an ipv4 but the RF definition is address family base so I do need to activate address family so let's go back to vrf definition a and give address family ipv4 and exit out I don't need to activate it less from the ipv6 I'm not running ipv6 let's do the same thing for B once I do this and if I look back at my routing table it should be created now I should see Robin devil a which you can see here and routing table for B there's nothing inside it at this point of time but I have created my routing table that's my step number one creating a unique routing table for every customer let's do exactly the same thing on exam one so we'll do simultaneously on both the rabbits both materials so on exam one I'll create the very table also now here the command is vrf a and then address family ipv4 unicast and if you look at the route distinguisher that's not there it's not under my address family if I exit out under the vrf my route distinguisher it's not there because the route distinguished would be basically defined inside PGP so the concept is the same you still require a route distinguisher but you don't configure this under the vrf you can figure this on the BGP it takes it out and let's create B and address family ipv4 exit out and let's do a commit so if I do a show IB rod VR rap star I don't see how in fact let's do a so there are no routes I don't see any routes in the routing table because I haven't added any interface but I did create my routing 
table so step one is always creating the routing table so all I did was show run BRF I just need two routing tables a and B for both my customers let's go back to our two now and do step number two so step number two is moving the customer facing interface from the global routing table to the respective routing table to the vrf routing table right now my customer facing interface is in the global routing table which you can see here show IP route connected that's my interface connecting the customer that is in the global routing table right now so step number two is moving that interface from global to vrf a so that's going to be by going back to my interface and giving the command vrf forwarding a and we give your IP address same thing I would do for the custom of be so interface big 1.27 PRF forwarding P and IP address would be this one so step number two is done where I have moved the customer from the global routing table to their respective racket let's verify that if I do a show IP route we are off star I should not find the customer phasing interface in the global routing table it's no more in the global routing table which you can see here the only connective interface I have is the back and the link to our tree if I look at a routing table is Oren table should have one link in one two and these routing table should have one link which is ten to seven so step number two is done let's do exactly the same thing on exam one so here my customer facing interface is this is for B and this is for a which is asked for my diagram this is a and this is B so let's do a config T it fails gig 0 0 0 0 dot 1920 that's my customer a facing interface now unlike iOS XE when I give the command vrf forwarding a it automatically removes the IP address and I have to we give the IP address in iOS X R it does not remove the ipv4 address so if I give vrf a and try and do a commit it would fail because the ipv4 address is not removed so you should do a no ipv4 address first then do 
vrf a and then we give your IP address same thing i would do for get 0 0 0.819 I would do a no then b RF b and then we give my IP address and we can do commit so if i done this no idea for address and my committee would fail and if I do uh if I check my configs it's going to be basically showing me that the ipv4 address was not accepted so you would need to basically remove your ipv4 address and then add the RFA so step number two is done on my book might be ease r2 and exam one step number three is routing protocol with customer what's my routing protocol with the customer it's VDP so running BGP with the customer let's go back to two and run vgp with the customer right now I have no VDP running so router bgp 100 is my neighbor in the global routing table no because I have moved the customer facing interface from the global routing table to we are of a right so that should be an address family ipv4 vrf a and then give your neighbor statement never telling one-to-one remote ears would be 120 I should establish a bgp neighbor ship with my customer so if you look at my bgp config right now the only thing that I have is VDP with the customer I have no BBB between my Pease yet so step number three was running VDP with the customer let's do the same thing one exam one so router bgp in fact on exam one we would need to do a few more things before I run BGP because because in ebgp neighbor ship I need an RP la route policy to at least allow all the rough because by default any routes learned from that neighbor would be rejected so I would need an RP L so but establish the PGP neighbour I don't need to not be able to accept the routes I would need an ARP here so let's not create that right now maybe I'll just say gotta be DP hundred activate the address family ipv4 X Arab and then we can say vrf a here is where I would give my route distinguisher I'd say 1 : 1 and I should activate address family inside the vrf also and the neighbor would be 1019 training training remote 
dais would be 120 and that should be enough that's to a commit so it says that it's something failed let's look at show configuration fail it says BGP detected the warning condition that the parent FS family has not been initialized so let's exit out into a show run router bgp exit out and address family ipv4 unicast and we are a I should see through our VDP 100 and something that best family I just did a commit fast and let's create the BRF a I guess I'll need the VPN v4 also I shouldn't need this depends on the version also let's go and do at activate VPN v4 also [Music] we can't we are a so if I look at my config now show run router bgp all I have done how to activate VPN before also for Bioethics are for it to accept discman and let's go and define my neighbor now so neighbor would be ten nineteen twenty twenty remote is 120 and commit so I should establish PEP the neighbor that's my config I should establish PDP neighbor shape with exact to I still haven't configured exact to so let's in fact do that also so router b2b 120 and the dress family ipv4 let's do our redistribute connected neighbor ten nineteen twenty nineteen remote is 100 and activate address family ipv4 in aghast I'm not putting my rpm at this point of time so if I look at my customer PGP that's my VDP on my exact to which is the customer so he's running a normal ipv4 pdb neighbor ship with the service for Anna but XR one is is running a via ref enabled BGP and I had to enable VPN beef or to establish that neighbor ship so if I do I'll show bgp ipv4 in fact let's to PTP vrf a and that's to unicast summary my neighbor ship is up my neighbor ship with him is up but obviously I'm not receiving any routes the routes are going to get filtered because I do not have an RPM so we come back to that so step number three is done well the PE and Cee are running BGP with each other r2 is an IR s XE he should not have a problem he should have learned customer routes so if I do if I look at this he's not about 
the customer Artem has no problem he learns about the customer but exam 1 and X r2 would not learn about each other's routes or they would not learn routes because the routes get filtered by default on OS X are it requires a route policy only then he will accept EBT routes you only require not policy for ebgp not for I will be so maybe we can add the route policy right now so we are done with step number 3 so maybe we could do that let's create a really basic route policy let's name this pass and say pass end policy and go back to router bgp 100 and go back to VRS a and neighbor was 10 19 20 trainee and inside my address family ipv4 unicast I would give route policy pass in mountain and a receiver UPS or when I send routes its do a commit can you show you my router bgp config so if you see now under my neighbor under my dress family I have said use this route policy pass which means accept routes from him and sending routes so if I go back and do a show BGP vrf a and I should have BGP routes learn from the customer in fact I don't have a I have not configured exact to with about policy so he's not going to be sending any routes right now so I would need an RV alone xr2 also so Rob policy pass in and out so sure run router bgp I have an RPL configure and I'm Lee distributing all the routes so he should be sending these routes show BP ipv4 unica's these two routes he should be sending to the customer to the service provider I have two routes learned from the customer so step number three is done so I'll repeat that step number one was creating the routing table step number two was moving the customer facing interface into the respective routing table and step number three was learning routes from the customer so that could be through OSPF would be through sighs yeah ERP static routes or DDP we are using VDP so now both the bees are learning customer routes now both the bees should exchange those routes correct they should exchange those routes before I move to step 
number four we should configure customer be also so I believe one or two I did not configure a customer P so I will add that too so address family ipv4 vrf be neighbor would be ten to seven seven ammonia's would be I believe in is 78 and that should be enough on our - and on our seven we configure BGP just a normal ipv4 BGP about ten to seven - Ramone es-100 and readers to be connected so our two should be learning from both the customers through bgp so going back to show me the pvp envy for unicast all you should be learning from both the customers let's do a summary just to seek my BGP neighbor ship came out so I don't see any routes being learned let's do a show rather section ERF that UPS okay let's look at 7:00 show BGP ipv4 unicast so he should be advertising these two routes to router to now he got it so I should see in my VPN v4 so I have two routes of customer a two rounds of customer B same thing on XR 1 I'll configure the second neighbor ship also so all I need to do is go back under router bgp 100 we are b rd would be 2 : 2 and address family will be 10 not believe it is 8 . 
19.8 remote es would be semi 8 and then the route policy so sure run router bgp that's my BRB it should establish pdb name ship at our age [Music] let's verify with show PTP vrf a has 32 routes and v should have two routes learn from the customer takes a bit of time but it should come in and then we can move on to step number four which is going to be allowing both the bees to exchange routes with each other now for for the peeve out up to and xr1 for them to exchange routes they should be VP and V for neighbors right now they're not named us at all do I need an ipv4 new mission you don't need that for this design because my customers I in in the vrf a and B there are no routes in the global barring table but yes if I had global routing table if I want to exchange that as well as my PRF routes then I would need to membership ipv4 devotion to exchange global routing table and VPN v4 named Bishop to exchange customer asks so let's go back and verify so now I have two rods from the customer so step number three is done let's move on to step number four which was establishing a VPN before neighbor ship between the two peeves so router bgp 100 neighbor so b now this neighbor ship should always be on the loopback it should never be on the physical interface otherwise your penultimate hop popping would happen earlier so that's going to be due back 19 19 19 19 the morass would be I believe 100 they were 19 19 19 19 updates those look like 0 and address family VPN v4 neighbor activate so this would enable two neighbor ship between X r1 and r2 it would enable VPN v4 neighbor ship and ipv4 neighbor ship also ipv4 address family is enabled by default unless I go and give the command no me DB default ipv4 unicast if I disable that then I have to go to address travel itv4 and give activate command to enable an ipv4 address family but by default it's enabled so I would establish two neighbor shape with XR 1 ipv4 also and VPN v4 also let's go back to exam one and do exactly the 
same thing so router bgp 100 and give command neighbor to 2.2 that 2.2 remor es would be 100 update source would be look back 0 so use the loopback as the communication interface and and finally enabled address family VPN v4 unicast and that should be enough so sure run router bgp you would see that I have my VPN it was already enabled earlier globally I have my VPN v4 neighbor ship with that neighbor if I want ID before so I can give address family I pay before also if I do want to activate ipv4 also I have I don't need that for our design because I have no routes in the global routing table so I best time the ipv4 unicast and commit so if I look at PDP now for I have for this neighbor I have both the addressed families so going back to our - I have neighbor she was tough with the remote PE if I do a show BGP ipv4 Eureka summary I have ipv4 neighbor ship with XR 1 and show BD PvP NV for unicast all submarine I have VPN v4 neighbor ship also with XR 1 so step number 4 is done now there's one last step left one last step that would be to enable extended communities now what's happening here is this to a debug in fact let's do a debug bgp evpn v for unicast updates and let's do a clear I'll be VDP star soft so I received routes from this this neighbor right but those routes look at this this part this is my route distinguisher and the prefix of the customer a so learn from exam one well it was denied do you do extended community not supported see the route distinguish are only distinguishes them round okay this route is for customer a or for customer be using the wrong extinguisher but what do I do with those routes I need to tell my router that when you learn these routes put them in the routing table of the customer which basically means I need to support extended communities which is your route targets I have no route packets configured at this point of time so going back to shore on section vrf definition excuse me let's go back here and go to maybe my address 
family ipv4 and give the command route target's war let's give any random number 121 in the one that's not need to be same like the route distinguisher and let's do the same thing for B and let's give this as 78 : same year now whatever I export the remote PE should import whatever here is what i should import if you see now I should accept the routes learn from the customer let's do a show bgp evpn before unicast all so I have both my customers I still haven't learn the remote Pease routes because I haven't configured them via the route targets on exam 1 so let's go back to XR 1 go to vrf a under your address family ipv4 and give your import route targets as I think was 120 : 120 and export through out targets as 120 : 120 same thing I would do for VAR FB and this would be savvier : Soviet export route targets same yet colons ahead and commit so if any one show run vrf you should see that I have my important export which is step number 5 and if I look back it out to now he should be accepting those routes which you can see here that now I have two routes learned from that car from that PE and Toras done from that again PE for customer P which means VAR a one should have all the four outs in his VDP table he should have but he doesn't yet but the B has all the four routes so customer a has all the rods customer B has all the routes from the bees perspective let's look at example one [Music] you B has all the four outs and a has all the four outs so from the bees perspective they both have all the routes of all the customers but does the customer have the routes the customer is not getting those routes why is that let's do a debug people I PvP updates and let's do a clearer IP b TP star soft so R to the PE the service provider is sending me those route which I can see here I he is sending in those routes but r1 denied those routes because the a s park contains onus if I look at the diagram carefully customer a xr2 and Radovan the both are running the same s120 right 
what does the a s bathroom say that if I receive an update which contains my own ears discard that update so Rada one even though our two sends him the route for a one discards those routes because it contains its own ears which you can see in the debug that it contains my own ears how do I fix this there are two ways to fix this one could be the service provider could fix this with the a s override command or the customer could fix it so let's try this service provider fixing this so I am going to go back to r2 and go back to my BGP under address family ipv4 or we are of a and give the command neighbor 10 one two one when you give route to this neighbor do an es override same thing for V RFP when you give routes to 7/7 doing the in fact that's not the way it so what I hear let's not do it here we do the other method customer will fix it so what is override does is the ISP will replace the customers a s with his own anus so if I look back at our one now show IP VDP he should have the routes now in his VDP table he should accept the routes which he did and look at the BGP table look at the a s 500 pace hundred earlier it was hundred space 120 that's why our one wasn't accepting it but because I gave the a s override command the ISP you've replaces the customers a s with his own a s so that our one does not see 120 and that's why our one accepts it obviously I have to do the same thing on XR 1 so that exact two receives the route so here I would go back to router bgp 100 go back to vrf a and under my neighbor 10 19 20 19 I think it was 20 and here go to address family ipv4 unicast and give the command is override commit so the concept is still the same it's just the command you define that differently than an iOS XE one side of this exact to should have those routes in his video became which he has and look at the a spot it's community a hundred the ISP has replaced the customers a s with his own ears now obviously customer B would also have the same issue right 
because the yes contains his holiness so another way to fix it would be the ISP does not do any s all right but I tell the customer to accept routes which contains his own ears that's something that you should never do that's kind of dangerous so you should not do that but let's try doing that I will go to 7:00 and I am right now not accepting routes that contain my own ears so I'll go back to be TP 78 neighbor 10 to 72 and yet I would say allow is him so allow routes that contain my own ears this is something that the customer would do you should not do this because now you are allowing routes to come in which contains my own ears this could cause an issue perspective this is another way to fix it same thing I did borrow our aid router VDP 78 labor and a 1919 allow yes so i BG 'tv so I should now accept routes that contain my own s most of the times the service provider himself up to the a s override if he is connecting to branch offices which belong to the same EAS you should not do and allow a sin let's do a debug IP BBP updates when IPTV star soft and see if I'm receiving the routes it looks like I am NOT sitting routes on our eighth from exact one but he is something to exert to and he's receiving from our one own so let's do a show round we are up just to see if I have important spot which is okay and on to children's section BRF I think I gave this clips okay yep it looks good let's check one around policy show run rather BUP so it seems like my eggs are one is not sending rods to our aid missile test us with maybe with rr1 so you remember when I did when I configure that it free VPN if you remember that when I was throwing that thing you should see two labels right you should see a VPN label and if you see an MPLS label so if I look at our two and do when that eggs are one and they were show and realize forwarding table these are all my transport levels and look at the label for this customer 20 20 20 20 which is the customer's route it shows us V we 
indicates that it's a VPN label who is advertising that it is advertised through bgp if i look at our to show am real as powering table I should not see that label for 20 20 20 I should not see it here I was a label number it was 19 0 1 0 so if I look on our tools it doesn't exist here in the MPLS state if i do a show bgp evpn v for unicast all labels you would see that for 20 20 I have received outgoing label is 19 0 10 so this comes through bgp so if i look back at our one now into a trace route for in fact next to a pink first thing to 20 20 20 20 sources like 0 my thing works and if i do a trace route to 20 20 20 20 sourcing from the back zero look at the label stack so i tea packet came from customer there's no label then r2 sent to our three a VPN label packet and an MPLS transport label our dream sent to our four he never changed the VPN maybe he only stood as swapping for the transport label to four thousand four four seven two five five thousand four five seven two six six thousand for our six does a penultimate hop popping which means to move to a pop label to move the topmost layer and he forwards a VPN labeled packet there's no MPLS label now so near VPN label packet to exam 1 exam one does no label which means removes everything and sends an IV packet to the customer so this was basic l3 VPN implementation and I hope you guys enjoyed the webinar I will now answer some of the questions that you guys have all right so I see some questions the BEP reachability command you could do a ping NPLs to verify mpls issues so if definitely be broken somewhere equal to opinion LS or go to a traceroute many ways to identify PE to PE reach ability the video is going to be available I believe you should receive an email with a link to the video [Music] so ayran from perspective of the mpls I was talking from perspective of the control plane where we are first going to advertise labels so it goes from our to towards examine and your data plane uses that MPLS routing 
table does that make sense because the thing is that it's like me giving you the routes first so when we are building the MPLS public table see control plane and data plane they're always in opposite direction so I give you routes you build the table and then your data plane uses that tape to come back to me so when I was doing the MPLS forwarding table I was I was actually drawing that thing out it was from the controlling perspective a how the ambulance forwarding table its period and then the data plane uses that so so when I do a ping I was doing a ping from exact to going to exam one and using the realistic you the steps required for the steps required for building and three VPN is you must ensure that MPLS and igb is running within the highest B infrastructure then you must have your wiring they recreated so vrf should be created for each customer you shouldn't move the customer facing interface into the respective routing table and you should have a me easy.you routing protocol which could be anything could be OSPF could be BGP could be a static round as long as you learn the routes from the customer and then you establish a VPN v4 neighbor ship between the two V's so that they can exchange routes and finally it was where we enable extended communities which was important for our targets so whatever I export you have to import I see and the question can I have any protocol can I have RSVP'd so of IDPs you can i OS X our needs to use is override correct with the I need to use the AES override because he would not send it because it's different behavior from iOS X Z versus X our allow ASM doesn't work on XR you you then I see another question is customer B now receiving routes from ve the customer was B was not receiving rods from the PE because it was an X are worse as an exceed exert was not support allow es in so I must do as override which I had not done that's why he was not receiving the routes I see the question what's the difference between control 
peon and Terraplane control planner is like like for example routes when I give you routes that's control plane information OSPF information is control plane information we need to obtain that's data plane can you extend the label range after you assign them yes you can so I could go and change my label range but they would not take effect I have to remove MPLS or reboot the router I have to remove MPLS and then change the range and then again it should take the new one otherwise you can reboot the router you all right so you guys should receive an email with the video for this it has been recorded and you should receive a video like an email which contains the link for that I hope you guys enjoyed and thank you for attending the webinar
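Pulling the five steps of the webinar together, here is the complete PE-side configuration for R2 (IOS XE) and XR1 (IOS XR) as an added example; it is not a capture from the webinar's routers. It assumes /24 masks on the PE-CE links, RD 1:1 and 2:2, route targets 120:120 and 78:78, as-override on the PE for both customers instead of allowas-in on the CE, and that the existing dot1q encapsulation on the XR1 subinterfaces is left in place.

```cisco
! ===== R2 (IOS XE PE, AS 100) =====
! Step 1: one VRF per customer. The RD only makes the VPNv4 prefix unique;
! the RT (extended community) decides which VRF imports the route.
vrf definition A
 rd 1:1
 address-family ipv4
  route-target both 120:120
 exit-address-family
vrf definition B
 rd 2:2
 address-family ipv4
  route-target both 78:78
 exit-address-family
!
! Step 2: move the CE-facing interfaces into the VRFs.
! IOS XE strips the IP address when "vrf forwarding" is applied, so re-enter it.
interface GigabitEthernet1.12
 vrf forwarding A
 ip address 10.1.2.2 255.255.255.0
interface GigabitEthernet1.27
 vrf forwarding B
 ip address 10.2.7.2 255.255.255.0
!
router bgp 100
 ! Step 4: VPNv4 session to XR1 between loopbacks, never on the physical link.
 neighbor 19.19.19.19 remote-as 100
 neighbor 19.19.19.19 update-source Loopback0
 address-family vpnv4
  neighbor 19.19.19.19 activate
  neighbor 19.19.19.19 send-community extended
 exit-address-family
 ! Step 3: PE-CE eBGP inside each VRF. as-override rewrites the CE's AS in the
 ! AS-path so a remote site reusing AS 120 / AS 78 does not drop the update.
 address-family ipv4 vrf A
  neighbor 10.1.2.1 remote-as 120
  neighbor 10.1.2.1 activate
  neighbor 10.1.2.1 as-override
 exit-address-family
 address-family ipv4 vrf B
  neighbor 10.2.7.7 remote-as 78
  neighbor 10.2.7.7 activate
  neighbor 10.2.7.7 as-override
 exit-address-family
!
! ===== XR1 (IOS XR PE, AS 100) =====
! Steps 1 and 5: VRF with import/export RTs; on XR the RD lives under router bgp.
vrf A
 address-family ipv4 unicast
  import route-target 120:120
  export route-target 120:120
vrf B
 address-family ipv4 unicast
  import route-target 78:78
  export route-target 78:78
!
! Step 2: XR does not remove the address for you; "no ipv4 address" first,
! otherwise the commit fails. (Existing dot1q encapsulation is assumed present.)
interface GigabitEthernet0/0/0/0.1920
 vrf A
 ipv4 address 10.19.20.19 255.255.255.0
interface GigabitEthernet0/0/0/0.819
 vrf B
 ipv4 address 10.8.19.19 255.255.255.0
!
! eBGP on XR drops every route unless a route-policy is attached in and out.
route-policy pass
  pass
end-policy
!
router bgp 100
 address-family vpnv4 unicast
 neighbor 2.2.2.2
  remote-as 100
  update-source Loopback0
  address-family vpnv4 unicast
 vrf A
  rd 1:1
  address-family ipv4 unicast
  neighbor 10.19.20.20
   remote-as 120
   address-family ipv4 unicast
    route-policy pass in
    route-policy pass out
    as-override
 vrf B
  rd 2:2
  address-family ipv4 unicast
  neighbor 10.8.19.8
   remote-as 78
   address-family ipv4 unicast
    route-policy pass in
    route-policy pass out
    as-override
```

With this in place, `show bgp vpnv4 unicast all` on R2 and `show bgp vrf A ipv4 unicast` on XR1 should each list all four customer routes, and `show mpls forwarding-table` shows only the transport labels, since the VPN label is carried in BGP rather than LDP.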
Info
Channel: INEtraining
Views: 11,724
Rating: 4.9589744 out of 5
Id: ln4pFoAjxx0
Length: 116min 8sec (6968 seconds)
Published: Wed Jan 08 2020