Thursday, May 14, 2009

Layer 3 VPN using mGRE

In early deployment, Peer-to-Peer VPN (Layer3) involves a very complex design if the backbone is not MPLS cloud. Now with the introduction of mGRE (Multipoint GRE) support for RFC2547, it is a simple task to deploy Layer 3 VPN over IP backbone.


Multipoint GRE tunnel will be configured on all PE routers and MP-BGP will be used to propagate VPN routing information between PE routers. The advertised next hop in VPNv4 address will trigger the tunnel endpoint discovery.


This feature is useful when the Enterprise or Service Provider would like to deploy Layer3 VPN without MPLS enabled on their internal cloud.



In the above diagram, R6 and R4 are CE routers that belong to same VPN (COKE). R5 and R1 are PE routers interconnected with R3 as P router. MPLS is not enabled in ISP cloud.


Layer3 VPN mGRE Configuration:


Step1: Create VRF for each Customer and assign the customer facing interface to specified VRFs. Configure MP-BGP to advertise VPNv4 addresses on PE routers.


R1#sh run

hostname R1

!

ip cef

ip vrf COKE

rd 100:1

route-target export 100:1

route-target import 100:1

interface Loopback0

ip address 150.1.1.1 255.255.255.255

no ip directed-broadcast

!

interface Serial2/0

bandwidth 45000

no ip address

no ip directed-broadcast

encapsulation frame-relay

serial restart-delay 0

no frame-relay inverse-arp

!

interface Serial2/0.13 point-to-point

bandwidth 45000

ip address 150.1.13.1 255.255.255.0

no ip directed-broadcast

snmp trap link-status

frame-relay interface-dlci 103

ip rsvp bandwidth

!

interface Serial2/1

ip vrf forwarding COKE

ip address 10.1.14.1 255.255.255.0

no ip directed-broadcast

serial restart-delay 0

router ospf 1

router-id 150.1.1.1

log-adjacency-changes

network 150.1.0.0 0.0.255.255 area 0

!

router rip

version 2

no auto-summary

!

address-family ipv4 vrf COKE

version 2

redistribute bgp 1 metric 1

network 10.0.0.0

no auto-summary

exit-address-family

!

router bgp 1

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 150.1.5.5 remote-as 1

neighbor 150.1.5.5 update-source Loopback0

!

address-family vpnv4

neighbor 150.1.5.5 activate

neighbor 150.1.5.5 send-community extended

exit-address-family

!

address-family ipv4 vrf COKE

redistribute rip

no synchronization

exit-address-family

tag-switching tdp router-id Loopback0 force

end

R1#

R5#show run

hostname R5

ip cef

ip vrf COKE

rd 100:1

route-target export 100:1

route-target import 100:1

interface Loopback0

ip address 150.1.5.5 255.255.255.255

!

interface FastEthernet0/1

ip vrf forwarding COKE

ip address 10.1.56.5 255.255.255.0

no ip directed-broadcast

ip pim sparse-mode

duplex half

speed auto

!

interface Serial2/0

bandwidth 45000

no ip address

no ip directed-broadcast

encapsulation frame-relay

serial restart-delay 0

no frame-relay inverse-arp

!

interface Serial2/0.35 point-to-point

bandwidth 45000

ip address 150.1.35.5 255.255.255.0

no ip directed-broadcast

snmp trap link-status

frame-relay interface-dlci 513

router ospf 1

router-id 150.1.5.5

log-adjacency-changes

network 150.1.0.0 0.0.255.255 area 0

!

router rip

version 2

no auto-summary

!

address-family ipv4 vrf COKE

version 2

redistribute bgp 1 metric 1

network 10.0.0.0

no auto-summary

exit-address-family

!

router bgp 1

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 150.1.1.1 remote-as 1

!

address-family vpnv4

neighbor 150.1.1.1 activate

neighbor 150.1.1.1 send-community extended

exit-address-family

address-family ipv4 vrf COKE

redistribute rip

no synchronization

exit-address-family

!

tag-switching tdp router-id Loopback0 force

end

R5#


Note: The above configuration shows that there is no MPLS enabled in any PE routers.


Step2: Configure a new VRF for mGRE tunnel. Create mGRE Tunnel and assign the Tunnel interface to the new VRF on all PE routers.


R1(config)#ip vrf l3vpn ! Create a new VRF for mGRE tunnel

R1(config-vrf)#rd 100:100

R1(config-vrf)#exit

R1(config)#router bgp 1

R1(config-router)#address-family ipv4 vrf l3vpn

R1(config-router-af)#exit

R1(config-router)#exit

R1(config)#interface tunnel 125

R1(config-if)#tunnel mode gre multipoint l3vpn ! Specifies the tunnel mode as multipoint GRE

R1(config-if)#tunnel source loopback0

R1(config-if)#ip vrf forwarding l3vpn ! Assign the tunnel to VRF

R1(config-if)# ip address 150.1.1.1 255.255.255.255

R1(config-if)#tunnel key 125

R1(config-if)#end

R1#


Only one mGRE tunnel interface on a PE router is more than enough to serve many VPN customers.


Note: Similar configuration has to be done all PE routers.


Step3: Configure a static default route pointing to mGRE tunnel interface on mGRE VRF on all PE routers.


R1(config)#ip route vrf l3vpn 0.0.0.0 0.0.0.0 Tunnel125

R1(config)#


Step4: Configure a route-map to resolve the BGP next hop from specified VRF routing table and assign the route-map to all BGP VPNv4 updates from other PE routers.


R1(config)#route-map GRE permit 10

R1(config-route-map)# set ip next-hop in-vrf l3vpn

R1(config-route-map)#exit

R1(config-router)#address-family vpnv4

R1(config-router-af)#neighbor 150.1.2.2 route-map GRE in

R1(config-router-af)#end

R1#clear ip bgp * in

R1#


By default, the BGP next hop will be resolved from global routing table which will send the VPN packet directly to P router without GRE encapsulation. As P routers don’t have VPN routes in their routing table, the VPN packet will be dropped. To avoid this, we specify the PE router to resolve the BGP nexthop from mGRE VPN using the route-map. The mGRE VPN routing table will have a static default route pointing to tunnel interface. mGRE uses the BGP nexthop for tunnel endpoint discovery and will GRE encapsulate the VPN packet with source as loopback address and destination as other end PE’s loopback address and send to P router.


Verification:


R1#show tunnel endpoint tunnel125

Tunnel125 running in multi-GRE/IP mode

RFC2547/L3VPN Tunnel endpoint discovery is active on Tu125

Transporting l3vpn traffic to all routes recursing through "l3vpn"

Endpoint 150.1.2.2 via destination 150.1.2.2

Key 125

Endpoint 150.1.5.5 via destination 150.1.5.5

Key 125

Tunnel Endpoint Process Active

MGRE L3VPN Summary

Active Tunnel: Tunnel125, Key 125

L2tpv3 L3VPN Summary

Active Tunnel None: Current receive session 0

L2TPv3 cookie mismatch counters: 0

R1#


R1#show ip bgp vpnv4 all 150.1.6.6

BGP routing table entry for 100:1:150.1.6.6/32, version 44

Paths: (1 available, best #1, table COKE)

Flag: 0x820

Not advertised to any peer

Local

150.1.5.5 (metric 5) (via l3vpn) from 150.1.5.5 (150.1.5.5)

Origin incomplete, metric 1, localpref 100, valid, internal, best

Extended Community: RT:100:1

Connector Attribute: count=1

type 1 len 12 value 100:1:150.1.35.5

mpls labels in/out nolabel/24

R1#


R1#show ip cef vrf COKE 150.1.6.6

150.1.6.6/32, version 40, epoch 0, cached adjacency 150.1.5.5

0 packets, 0 bytes

tag information set, all rewrites owned

local tag: VPN route head

fast tag rewrite with Tu125, 150.1.5.5, tags imposed {24}

via 150.1.5.5, 0 dependencies, recursive

next hop 150.1.5.5, Tunnel125 via 150.1.5.5/32 (l3vpn)

valid cached adjacency

tag rewrite with Tu125, 150.1.5.5, tags imposed {24}

R1#


R4#ping 150.1.6.6 ! Ping R6 loopback address

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.6.6, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 200/338/492 ms

R4#

5 comments:

  1. Hi. I like your configuration, congratulations. To be honest tho, after it was working I wondered what the benefit is given the whole point of the l3vpn encapsulation was to avoid GRE in the first place. Anyhow, it was good challenge, thank you

    (http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_mplsvpnomgre.html)

    ReplyDelete
  2. Hello,

    I am trying to run a lab on Implementation of L3VPN over L2TPV3 with Gns3 using Cisco 7200 Routers. Can someone please advise me which Cisco IOS to use specially to run the command " tunnel mode l3vpn l2tpv3 multipoint '' ?

    Thank you

    ReplyDelete
  3. Good ones.Thanks a lot for you job.
    Cool schemas and configuration for layer 3 VPN.
    It works fine.
    10webhostingservice

    ReplyDelete