Troubleshooting of MPLS VPN 2 Network

I am at a service provider. A user complains of a link-down issue on an MPLS L2VPN link. I log in to the PE router the user is connected to and run the command below.
sh mpls l2transport vc 3407
Local intf     Local circuit              Dest address    VC ID      Status
Gi0/2.3407     Eth VLAN 3407              202.148.199.106 3407       UP
Guide me in analysing the output and in further troubleshooting. Define the parameters shown in the output of the command.

Hi,
The P routers do not need VRFs or VPN labels because they are only transporting the packets towards the PEs. They do this by looking at the IGP label. This label is advertised by LDP. This is sometimes referred to as BGP free core. Although you will often have BGP running for other purposes on the P router.
Daniel Dib
CCIE #37149
Please rate helpful posts.
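The summary table printed by `sh mpls l2transport vc` in the question above, parsed column by column. This is an added example, not part of the original posts; the second and third sample rows, the `PE1#` prompt and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# The Status column is normally one word, but "ADMIN DOWN" contains a space.
TWO_WORD_STATUSES = {("ADMIN", "DOWN")}


@dataclass(frozen=True)
class VcEntry:
    local_intf: str     # local PE interface enabled to transport Layer 2 frames
    local_circuit: str  # type and number of the local circuit, e.g. "Eth VLAN 3407"
    dest_address: str   # address of the remote PE at the other end of the VC
    vc_id: int          # virtual circuit identifier
    status: str         # UP, DOWN, ADMIN DOWN, ...


def parse_l2transport_vc(output: str) -> list[VcEntry]:
    """Parse the summary table, skipping prompt, header and separator lines."""
    entries = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] == "Local" or set(line.strip()) <= set("- "):
            continue
        # Peel the status off the right-hand side first.
        if tuple(tokens[-2:]) in TWO_WORD_STATUSES:
            status, tokens = " ".join(tokens[-2:]), tokens[:-2]
        else:
            status, tokens = tokens[-1], tokens[:-1]
        if len(tokens) < 4:
            continue
        # Left to right: interface, circuit (one or more words), peer, VC ID.
        intf, circuit = tokens[0], " ".join(tokens[1:-2])
        dest, vc_id = tokens[-2], tokens[-1]
        try:
            ipaddress.ip_address(dest)
            vc_number = int(vc_id)
        except ValueError:
            continue  # not a table row, e.g. the echoed command line
        entries.append(VcEntry(intf, circuit, dest, vc_number, status))
    return entries


def vcs_not_up(entries: list[VcEntry]) -> list[VcEntry]:
    """Return the VCs whose Status column is anything other than UP."""
    return [e for e in entries if e.status != "UP"]


# First data row is the one from the question; the other two rows are constructed.
SAMPLE_OUTPUT = """\
PE1#sh mpls l2transport vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi0/2.3407     Eth VLAN 3407              202.148.199.106 3407       UP
Gi0/2.3408     Eth VLAN 3408              192.0.2.10      3408       ADMIN DOWN
Gi0/3          Ethernet                   192.0.2.11      3500       DOWN
"""

if __name__ == "__main__":
    for entry in parse_l2transport_vc(SAMPLE_OUTPUT):
        flag = "" if entry.status == "UP" else "  <-- needs attention"
        print(f"VC {entry.vc_id} to {entry.dest_address} via {entry.local_intf} "
              f"({entry.local_circuit}): {entry.status}{flag}")
```

For VC 3407 the parser reports UP, so the summary table on its own does not show a failure on this PE.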

Similar Messages

  • Ask the Expert:Concepts, Configuration and Troubleshooting Layer 2 MPLS VPN – Any Transport over MPLS (AToM)

    With Vignesh R. P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the concepts, configuration and troubleshooting of Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
    Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
    Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
    Remember to use the rating system to let Vignesh know if you have received an adequate response.
    Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider sub-community discussion forum shortly after the event. This event lasts through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Tenaro,
    AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
    The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
    AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
    The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
    A pseudowire, in turn, is a connection between the PE routers that emulates a wire carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
    Another technology that more or less achieves the result of AToM is L2TPv3. In the case of L2TPv3, Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
    Hope the above explanation helps you. Kindly revert in case further clarification is required.
    Thanks & Regards,
    Vignesh R P

  • How can I find all the paths available for an MPLS VPN in an SP network

    How can I find all the paths available for an MPLS VPN in an SP network between PE to PE and CE to CE?

    Hi There
    If we need to find all the available paths for a remote CE from a local PE, it will depend upon whether it's an RR or non-RR design. If the MP-iBGP design is non-RR, the below VRF-specific command
    sh ip bgp vpnv4 vrf "vrf_name"  will show us the MP-iBGP RT for that particular VPN. It will show us the next hop. Checking the route for same in the Global RT will show us the path(s) available for same (load-balancing considered). Then we can do a trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback to get the physical hops involved.
    However, if the design is RR-based, there might be complications involved when the RR is in the forwarding path, i.e. we have NHS being set to RR-MP-iBGP loopback, and the trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback will get us the physical hops involved.
    If we have redundant RRs being used with NHS being set, then the output of sh ip bgp vpnv4 vrf "vrf_name" will show us two different available paths for the remote CE destination but just one being used.
    An RR-based design with no NHS being used will always cater to a single path for the remote CE destination.
    So in any case the actual path used for the remote CE connectivity would be a single one unless we are using load-balancing.
    Hope this helps you a bit on your requirement
    Thanks & Regards
    Vaibhava Varma

  • MPLS-VPN in Campus Network

    Hi,
    Can anyone advise me how to migrate an existing non-MPLS (Nortel/3Com) network to an MPLS network?
    Any pdf or doc file.
    Thanks,
    Noor

    Hi Noor,
    Are you migrating to Cisco infrastructure? If yes, then with MPLS and VRFs you can achieve scalable network virtualization and label switching with MPLS/L3VPN and VRF-lite.
    See the link below for a high-level understanding:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/net_brochure0900aecd804a17db.html
    As for how to migrate, this is something you need to plan. For example, if you set up your core to support MPLS, then you can start migrating PEs or departments that support VRFs/VPN one by one to join the new MPLS core.
    HTH
    if helpful Rate

  • MPLS/VPN network load balancing in the core

    Hi,
    I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
    CE---PE===P===PE---CE
    I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
    Thank you for your help!
    Gabor

    Hi,
    On the PE router you could set different types and 2 levels of load-balancing.
    For instance, in case of a DUAL-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
    PE1 receives this prefix via eBGP session from CE1 and keep this route as best due to external state.
    PE2 receives this prefix via eBGP session from CE2 and keep this route as best due to external state.
                                 eBGP
                         PE1 ---------CE1
    PE3----------P1                          Subnet A
                         PE2----------CE2 /
                                eBGP
    Therefore, from PE3's point of view, 2 routes are available, assuming that the IGP metric for PE3/PE1 is equal to PE3/PE2.
    Then a 1st level of load-sharing can be achieved thanks to the maximum-paths ibgp number command.
    2 MP-BGP routes are received on PE3:
    PE3->PE1->CE1->subnet A
    PE3->PE2->CE2->subnet A
    To use both routes you must set the number at 2 at least : maximum-paths ibgp 2
    But guess what, in the real world an MPLS backbone hardly guarantees an equal IGP cost between 2 egress PEs for a given prefix.
    So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
    By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface, avoiding reordering the packets on the target site. Otherwise it is possible to use "per-packet" load-balancing.
    Then a 2nd load-sharing level can occur.
    For instance:
             __P1__PE1__CE1
    PE3           \/                   Subnet A
            \ __P2__PE2__CE2
    There are still 2 MP-BGP paths:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    But this time, for 2 MP-BGP paths, 4 IGP paths are available:
    PE3->P1->PE1->CE1->subnet A
    PE3->P1->PE2->CE2->subnet A
    PE3->P2->PE1->CE1->subnet A
    PE3->P2->PE2->CE2->subnet A
    For load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-paths 4" command in the IGP (e.g. OSPF) process.
    Therefore, if those 4 paths are equal-cost IGP paths, then a 2nd level of load-balancing is achieved. The default behavior is the same source-destination mechanism to select the "per-session" path as mentioned before.
    On an LSP each LSR could use this feature.
    BR

  • MPLS vpn test lab

    I am trying to setup a basic lab. I have the following setup:-
    CE1->PE1->P1->PE2->CE2. I have attached the relevant configs.
    All the CE & PE routers are 2600's and the P1 router is a 7206VXR. I am running OSPF in the MPLS network between the PE & P routers. I am using ldp as the label distribution protocol. BGP is running between the CE & PE routers.
    I have a couple of questions:-
    1) Basic MPLS setup. I think this is working in that if I ping from the LAN side of the CE1 to the LAN side of the CE2 it works. The P1 router has no knowledge of these subnets. However a "sh mpls forwarding-table" command on the PE routers shows no bytes tag switched and yet if I do a "debug mpls packet" on the P1 router I can see the packets going through. If the P1 router doesn't know the LAN subnets then am I right to assume it must be label switching?
    2) The configs attached are to test a VPN setup. I have the MPLS & VPN architectures book and I have gone through all the show commands to troubleshoot and it all looks right. The routes are in the vrf routing table, the mpls forwarding table looks okay but I cannot ping from CE1 to CE2.
    If I debug on the P1 router I can see the packets coming in with 2 labels as expected but I can't see them being transmitted.
    I have done some searching and know that 2600's are not officially supported but my understanding is that the features I need are on the routers. I have tried a number of different IOS versions but to no avail.
    Any help would be much appreciated
    Jon

    thanks for your responses
    1) Yes, it's a typo, I do have the "ip vrf forwarding NR_prod" on the fa0/0 interfaces on the PE routers.
    2) Basic mpls - I meant no VPNs etc. I have ospf between the PE & P routers. I have MP-BGP between PE1 & PE2. Between the PE & CE routers I am running standard BGP.
    3) All 2600 routers are 2621XM's. The IOS I am trying with is c2600-spservicesk9-mz.123-4.T4.bin although I have also tried c2600-spservicesk9-mz.123-8.T10.bin and c2600-telco-mz.123-7.T12.bin.
    4) On the 7200 I'm running c7200-p-mz.123-16.bin and have also tried c7200-p-mz.124-5.bin
    5) The packet from PE1 comes into the P1 router labelled as 19/24. The mpls forwarding table on P1 has the entry
    19 Untagged 81.144.17.55/32 2137750 Fa0/1 172.16.1.6
    which is correct as far as I can see as this is PE2.
    I have included the sh mpls output from the P1 router and a sh ver of one of the PE routers (they are both the same).
    Once again, many thanks for your replies.

  • Traceroute issue- MPLS VPN on directly connected interfaces

    I have 2 Catalyst 6509 switches that I'm trying to bring up an MPLS VPN connection between. The loopbacks can ping each other, as well as the directly connected interfaces (the interfaces travel through 2 switches, but no routing etc. in between). An OSPF neighbor relationship DOES come up, and the routing tables appear normal. However, the MPLS VPN does NOT come up.
    After further review, I found that the routing tables are correct on either side for the loopbacks (public addresses X’d out on first 3 octets):
    SWITCH A:
    Bryan-26th-CAT-2#sh ip route 10.255.2.2
    Routing entry for 10.255.2.2/32
      Known via "ospf 23532", distance 110, metric 2, type intra area
      Last update from X.X.X.70 on Vlan65, 00:10:25 ago
      Routing Descriptor Blocks:
      * X.X.X.70, from 10.255.2.2, 00:10:25 ago, via Vlan65
          Route metric is 2, traffic share count is 1
    SWITCH B:
    DAL-COLO-6509-1#sh ip route 10.255.2.3
    Routing entry for 10.255.2.3/32
      Known via "ospf 23532", distance 110, metric 2, type intra area
      Last update from X.X.X.69 on Vlan65, 02:26:50 ago
      Routing Descriptor Blocks:
      * X.X.X.69, from 10.255.2.3, 02:26:50 ago, via Vlan65
          Route metric is 2, traffic share count is 1
    This is exactly the same for the directly connected interfaces on VLAN65.  (X.X.X.69 and X.X.X.70).  The ARP cache also shows to be correct:
    SWITCH A:
    Bryan-26th-CAT-2#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  X.X.X.70           147   0009.b6a4.b800  ARPA   Vlan65
    Internet  X.X.X.69             -   001c.b144.5800  ARPA   Vlan65
    SWITCH B:
    DAL-COLO-6509-1#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  X.X.X.70             -   0009.b6a4.b800  ARPA   Vlan65
    Internet  X.X.X.69           141   001c.b144.5800  ARPA   Vlan65
    And once again, the OSPF Neighbor relationship does come up:
    SWITCH A:
    Bryan-26th-CAT-2# sh ip ospf neigh
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.255.2.2        1   FULL/BDR        00:00:30    X.X.X.70     Vlan65
    SWITCH B:
    DAL-COLO-6509-1#sh ip ospf neig
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.255.2.3        1   FULL/DR         00:00:33    X.X.X.69     Vlan65
    The Troubleshooting MPLS VPN manuals say to test trace routes. On all of our other connections like this the trace routes work fine. In this case though, I cannot trace route not only between the loopback interfaces, but between the DIRECTLY CONNECTED interfaces. I don't know what this is. It should simply be a one hop trace route. I believe this is what is keeping the MPLS VPN from coming up. Any ideas? Here are the relevant OSPF configs and interface configs as well:
    SWITCH A:
    interface Vlan65
     description Connection to DAL-COLO-6509-2
     mtu 1580
     ip address X.X.X.69 255.255.255.252
     no ip redirects
     no ip unreachables
     ip pim sparse-dense-mode
     ip ospf mtu-ignore
     mpls label protocol ldp
     mpls ip
    router ospf 23532
     log-adjacency-changes
     redistribute connected subnets
     redistribute static subnets
     passive-interface default
     no passive-interface Vlan65
     network 10.255.2.3 0.0.0.0 area 0
     network X.X.X.69 0.0.0.0 area 0
    SWITCH B:
    interface Vlan65
     description Connection to Bryan-26th-CAT-2
     mtu 1580
     ip address X.X.X.70 255.255.255.252
     no ip redirects
     no ip unreachables
     ip pim sparse-dense-mode
     ip ospf mtu-ignore
     mpls label protocol ldp
     mpls ip
    router ospf 23532
     log-adjacency-changes
     redistribute connected subnets
     redistribute static subnets
     passive-interface default
     no passive-interface Vlan65
     network 10.255.2.2 0.0.0.0 area 0
     network X.X.X.70 0.0.0.0 area 0
    Any ideas would be appreciated.
    Thanks
    Greg

    Greg,
    Can you explain more about your issue? When you say MPLS VPN is not coming up, do you mean the ping (or traffic) from the CE connected to one 6509 is not traversing the MPLS cloud to the other CE connected to the remote 6509?
    Do you have VRF enabled with respective RT import/export? Do you have MP-BGP with VPNv4 AF enabled?
    To confirm if basic MPLS is working fine, can you check if you have LDP neighborship up and running? Use "show mpls ldp neighbor" to see the session.
    Also do a "ping mpls ipv4 <remote-loopback> <mask>" and see if it works.
    -Nagendra

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am a student of MSc Network Security, and my project is "Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing". I have heard a lot of buzz about VPLS becoming NGN, and I wanted to explore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3. The MPLS L3 VPN lab setup is not a problem, but I am stuck at the VPLS part: how do I set that up? I have searched but was unable to find any cost-effective means; it is not even possible in the university lab as we don't have the 7600 series.
    I would appreciate any support, guidance, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address two different needs, L3 VPN as opposed to L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of an F1 racing car with a rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE impose 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo

  • GRE with VRF on MPLS/VPN

    Hi.
    Backbone network is running MPLS/VPN.
    I have one VRF (VRF-A) for client VPN network.
    One requirement is to configure another VRF (VRF-B) for this client for a separate public VRF connection.
    Sub-interfacing not allowed on CE-to-PE due to access provider limitation.
    So GRE is our option.
    CE config:
    Note: CE is running on global. VRF-A is configured at PE.
    But will add VRF-B here for the  requirement.
    interface Tunnel0
     ip vrf forwarding VRF-B
     ip address 10.12.25.22 255.255.255.252
     tunnel source GigabitEthernet0/1
     tunnel destination 10.12.0.133
    PE1 config:
    interface Tunnel0
     ip vrf forwarding VRF-B
     ip address 10.12.25.21 255.255.255.252
     tunnel source Loopback133
     tunnel destination 10.12.26.54
     tunnel vrf VRF-A
    Tunnel works and can ping point-to-point IP address.
    CE LAN IP for VRF-B  is configured as static route at PE1
    PE1:
    ip route vrf VRF-B 192.168.96.0 255.255.255.0 Tunnel0 10.12.25.22
    But from PE2, which is directly connected to PE1 (MPLS/LDP running), connectivity doesn't work.
    From PE2:
    - I can ping tunnel0 interface of PE1
    - I can't ping tunnel0 interface of CE
    Routing is all good and present in the routing table.
    From CE:
    - I can ping any VRF-B loopback interface of PE1
    - But not VRF-B loopback interfaces of PE2 (even if routing is all good)
    PE1/PE2 are 7600 SRC3/SRD6.
    Any problem with 7600 on this?
    Need comments/suggestions.

    Hi Allan,
    What is running between PE1 and PE2? (What I mean is any routing protocol.)
    If no, then PE2 has no way of knowing the GRE tunnel IP prefixes and hence I suppose those will not be in its CEF table...
    If yes, then check whether those prefixes are available in the LDP table...
    Regards,
    Smitesh

  • Redundant access from MPLS VPN to global routing table

    Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
    As I'm not aware of any methods to dynamically import/export routes between VRF/global routing tables, at the moment there are static routes configured - one inside the VRF pointing to a global next hop, another one in the global routing table, pointing to an interface inside the VRF.
    The task is to configure redundant access to the Internet. By redundancy I mean using several exit points (primary and backup), which physically represent separate boxes.
    Here comes the tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if the specific prefix is reachable in the VRF or not. What I'd like to achieve is that the specific static route becomes valid only if the specific prefix is reachable inside the VRF. Yeah, sounds like dynamic routing :), I know
    OK, hope you got the idea. Any solutions/recommendations? Running all Internet routing inside a VRF isn't an option, at least for now :(

    Hi Andris,
    I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
    dot1q will be ok as well.
    This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
    Example:
    PE config:
    interface Serial0/0
     encapsulation frame-relay
    interface Serial0/0.1 point-to-point
     description customer VPN access
     ip vrf forwarding customer
     ip address 10.1.1.1 255.255.255.252
    interface Serial0/0.2 point-to-point
     description customer Internet access
     ip address 192.168.1.1 255.255.255.252
    router rip
     address-family ipv4 vrf customer
      version 2
      network 10.0.0.0
      no auto-summary
      redistribute bgp 65000 metric 5
    router bgp 65000
     neighbor 192.168.1.2 remote-as 65001
     address-family ipv4 vrf customer
      redistribute rip
    CE config:
    interface Serial0/0
     encapsulation frame-relay
    interface Serial0/0.1 point-to-point
     description VPN access
     ip address 10.1.1.2 255.255.255.252
    interface Serial0/0.2 point-to-point
     description Internet access
     ip address 192.168.1.2 255.255.255.252
    router bgp 65001
     neighbor 192.168.1.1 remote-as 65000
    router rip
     version 2
     network 10.0.0.0
     no auto-summary
    Of course you can replace RIP with whatever is suitable for you. And don't sue me when you do not apply required BGP filters for internet access... ;-)
    The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
    Regards
    Martin

  • Overlapping addresses in MPLS VPN

    I know that you can have overlapping addresses in an MPLS VPN and that the route distinguisher is used for distinguishing them, by converting IPv4 to VPNv4.
    My question is: if an IP range of Branch A overlaps with the IP range of Branch B of the same VPN, how could a host in Branch A ping any host in Branch B, if they are in the same subnet? I mean, how could the router (CE) know to forward it to the PE if the range is directly connected (to the CE)?
    I will appreciate any help

    Within a VPN the normal IP routing rules apply, eg. if you have 2 networks that overlap within a VPN you need to use NAT in one of the CE routers.
    Hth,
    Niels

  • MPLS for small network

    In the past we have always had point to point links between our 3 remote offices and our corporate office. We're now switching to a MPLS network for all four sites.
    We currently use Cisco 1721 routers for our WAN. What protocol should we use for routing across this new MPLS network? I'm also looking for a document what else I may need to configure for this MPLS design on the router itself.
    We will have 1721 routers at all sites.

    Hi,
    for you as a customer the most appropriate picture is: The MPLS VPN behaves like one single IP router interconnecting your sites.
    In your case just consider your 4 1721 being connected to one ISP router. There is no MPLS specific config needed on your 1721, MPLS is only within your ISP network.
    This means: you send IP routing updates from one site to the "MPLS IP router simulator" and the updates will be sent further on to the other 3 1721. You forward an IP packet to the "MPLS IP router simulator" and it forwards it as IP packet to one of your other 3 1721.
    If you are not dual homed or using backups then RIP would address all your needs. Also static routing might be suitable and the most simple approach in your scenario.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • MPLS VPN L3 BGP to Customer CPE

    Hello,
    I am learning how to set up MPLS VPN L3. I am running OSPF in the MPLS core and have configured MP-BGP between PEs. I am running BGP between the PE and CPE in my lab, and I can see redistributed routes from the CPE in the vrf routing table for that customer on the PE router. My question is how to redistribute the vrf routes into my MPLS core to transmit the traffic to the customer's other site on the same VPN. Below is what my config looks like.
    PE
    ip vrf customerA
    rd 100:101
    route-target export both 100:1000
    int fa0/0
    ip vrf forwarding customerA
    ip address x.x.x.x x.x.x.x
    router ospf 1
    loopback  in area0
    networks in area0
    router bgp 65000
    neighbor to other PE routers in AS 65000 (MPLS Network)
    address family vpn4
    neighbor other PE routers activate
    neighbor other PE routers send community
    ip address ipv4 vrf customerA
    neighbor to customerA in AS 55000
    CPE
    router ospf 1
    loopback in area 0
    networks in area 0
    router bgp 55000
    neighbor to PE router in AS 65000
    redistribute ospf 1

    Hi
    You don't have to redistribute your routes into the MPLS core. The VPNv4 BGP session that you have has already sent your CE routes to the remote PE router, provided you have the VRF configured on the other end.
    For a more detailed explanation please check a presentation available in the current running Ask The Expert event in the support community.

  • Filtering methods inside a VRF in MPLS VPN

    Hi,
    we have a network with MPLS VPN and several VRFs involved.
    Inside a certain VRF I need to avoid that two particular networks can talk to each other.
    Can you give me a hint of what can be a solution to implement this ?
    Thanks
    Regards
    Marco

    Hi Marco,
    To prevent connectivity between two networks where a MPLS VPN is involved you can apply the same methods as in a "normal" router network. Just think of the complete MPLS VPN (PE to PE) as being one big "router simulator".
    You could either implement ACLs on the interfaces connecting to the PE or filter routing updates between sites - depending on your topology. When filtering routing updates seems the way to go, you should also have a look into selective import or export. With the help of a route-map one can selectively insert single networks into a VPN by selectively attaching route-targets to BGP updates.
    Regards, Martin
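A small model of the selective export described in the reply above, showing which VRF learns which prefix and what that means for traffic in each direction. This is an added example, not code or configuration from the thread; the prefixes, route-target values, site names and function names are all constructed, and it assumes per-site VRFs with no default or aggregate route in any of them.

```python
import ipaddress
from dataclasses import dataclass

COMMON, RESTRICTED = "65000:100", "65000:101"  # constructed route-targets


@dataclass
class Vrf:
    name: str
    local_prefixes: tuple      # prefixes learned from the attached CE
    export_map: dict           # prefix -> RTs attached by the export route-map
    default_export: frozenset  # RTs for prefixes the export map does not match
    import_rts: frozenset      # RTs this VRF imports


def exported(vrf):
    """(prefix, route-targets) pairs this VRF advertises into MP-BGP."""
    return [(p, frozenset(vrf.export_map.get(p, vrf.default_export)))
            for p in vrf.local_prefixes]


def vrf_table(vrf, all_vrfs):
    """Local prefixes plus every remote prefix carrying an imported RT."""
    table = {ipaddress.ip_network(p) for p in vrf.local_prefixes}
    for other in all_vrfs:
        if other is vrf:
            continue
        for prefix, rts in exported(other):
            if rts & vrf.import_rts:
                table.add(ipaddress.ip_network(prefix))
    return table


def has_route(vrf, dst_ip, all_vrfs):
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in vrf_table(vrf, all_vrfs))


def reachability(src_vrf, src_ip, dst_vrf, dst_ip, all_vrfs):
    """'two-way', 'one-way' (packets arrive, replies have no route) or 'none'."""
    forward = has_route(src_vrf, dst_ip, all_vrfs)
    reverse = has_route(dst_vrf, src_ip, all_vrfs)
    if forward and reverse:
        return "two-way"
    return "one-way" if forward else "none"


# Site A tags 10.1.1.0/24 with RESTRICTED only; site B does not import that RT.
SITE_A = Vrf("site-a", ("10.1.1.0/24", "10.1.2.0/24"),
             {"10.1.1.0/24": {RESTRICTED}}, frozenset({COMMON}), frozenset({COMMON}))
SITE_B = Vrf("site-b", ("10.2.1.0/24", "10.2.2.0/24"),
             {}, frozenset({COMMON}), frozenset({COMMON}))
HUB = Vrf("hub", ("10.9.0.0/24",),
          {}, frozenset({COMMON}), frozenset({COMMON, RESTRICTED}))
ALL_VRFS = [SITE_A, SITE_B, HUB]

if __name__ == "__main__":
    checks = [(SITE_A, "10.1.1.10", SITE_B, "10.2.1.10"),
              (SITE_B, "10.2.1.10", SITE_A, "10.1.1.10"),
              (SITE_A, "10.1.2.10", SITE_B, "10.2.1.10"),
              (SITE_A, "10.1.1.10", HUB, "10.9.0.10")]
    for src_vrf, src, dst_vrf, dst in checks:
        print(f"{src} ({src_vrf.name}) -> {dst} ({dst_vrf.name}): "
              f"{reachability(src_vrf, src, dst_vrf, dst, ALL_VRFS)}")
```

In this model the filtered network still has a forward route to the other site ("one-way"), so route filtering stops sessions but not individual packets; the interface ACL mentioned in the reply is what drops those.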

  • Configuring MPLS VPN using static routing

    Hi,
    I managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of an IGP. Does anyone know if Cisco routers support static configuration of LSP? I have tried but could not get it to work.

    You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criteria to have an MPLS forwarding table.
    1) Creating the LIB
    This lies in having LDP neighborship between two peers so that you have label bindings.
    This is irrespective of what is the best next hop to reach the advertising peer's LDP_ID.
    2) Creating the LFIB
    Now after considering all the label bindings, for the LDP_ID which can be reached out an interface
    as a next hop, those label bindings get installed in the LFIB.
    So considering the above two points, we have to be careful with static routes
    only for interfaces like Ethernet (multiaccess segments).
    As in CEF, when you give a static route pointing to an Ethernet interface, CEF creates a
    glean adjacency (meaning there could be multiple hosts as the next hop on this segment, and it will glean for the right next hop).
    Now you may observe that when you give a static route only pointing to an Ethernet interface,
    your LDP adjacency may come up and you may exchange the bindings with each other. But the label forwarding table is not created. This is because of this being a multiaccess interface, and you have
    a glean for it. If it's a normal WAN interface like Serial or POS, then there is no problem of
    glean and you would have a valid cached adjacency.
    So to avoid problems with Ethernet interfaces you can simply specify the next-hop IP address.
    For e.g.: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (without the interface)
    ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (or with the interface)
    The only difference between the two is that in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well. And you can have static routes in your network
    running MPLS.
    And doing this, CEF would work as it should and you would have a valid cached adjacency.
    So this is applicable for Cisco devices which use CEF, including 6500 with SUP720.
    HTH-Cheers,
    Swaroop
