Ok, this post is about basic configuration of MPLS and the basic MPLS VPNs theory so you can understand the HP Networking (HPN) A-Series (or commonly known as H3C series) configuration and maybe also with the theory other vendors configurations. I will into detail of the MPLS/MPLS VPN/BGP architecture and quickly go through the overall theory to and give HPN/H3C syntax reference at the end of this post. I quess this article can be used for vendor independent MPLS VPN introduction as well because configuration of HPN devices is quite properly separated.
Now a super quick theory lesson. MPLS has the ability to do end to end switched Label Switched Paths (LSPs) that are essentially a tunnel between to points. This natural tunnels in combination with virtualization on the end Provider Edge (PE router) can enable carriers to create one physical network and sell it virtalized to customers. The customers connect with their Customer Edge (CE router) and exchange routing information with virtual routing instances in the PE routers.
The diagram below is what we are going to be creating in this example. We will have CUSTOMER_A and CUSTOMER_B that we are going to route in different locations and the customer routing is completely virtualized so even if the customer will have a network addressing collision (both using private subnets) there will be no collision.
On the following diagram you can see a very basic scheme:
- HPN/H3C router capable of virtualization of routing and forwarding called “vpn-instance” (on Cisco called Virtual Routing and Forwarding or “VRF”)
- BGP-MultiProtocol (BGP-MP) extension running between PEs
- MPLS support (including stacking)
- MTU at minimum of 1508B (every MPLS label takes 4B, and you have to have two for MPSL VPN, one for forwarding and the other for Customer identification on the LSP)
The BGP-MP carries with itself and extended communities to be able to import/export routes between varios virtual vpn-instances (“VRF”s). One of the most important ones are Route Targets (RT). When you create a virtual vpn-instance, you usually assign it at least one import and one export RT. When a route is taken from this vpn-instance to the BGP-MP, the route is assigned the RT to the extended community of the route. Then this route comes to other PEs as a BGP update, it will be imported to all the vpn-instances that have the same RT assigned as import RT. You might correctly quess that in our example and typically you will simply create one import/export RT for every customer and use the same on every PE vpn-instance having this customer. The extended community is called Export and Import lists and can carry multiple RTs, the rules for import and export are:
Export list: All MBGP routes must carry export RT list.
Import list: When one export RT list match with import RT list, the route
could be added into the VPN instance.
As I mentioned, you can have customers that have a collision between each other subnetting, this is completely OK as they are separated by virtualization. The BGP process however handles this internally by getting additional 64bit identification called RouteDistinguisher (RD) and attaches this to every 32bit IPv4 address creating a unique 96bit address called VPNv4 address that is unique across all the virtualized vpn-instances/customers.
Inside BGP-MP update
Basically when all this information gets to and BGP-MP session, this is quick and simplified overview of what gets transported:
MP_REACH_NLRI: Address-family: VPN-IPv4 address family identificator next-hop: PE itself (usually a loopback) NLRI: Private network label: This is a 24bit long and the same as MPLS label used to identify the particular customer on this LSP between two PEs prefix: VPNv4 itself (64bit RD + ip prefix)
Also included are Import list and Export lists inside Extended_Communities of the BGP UPDATE that contain all the RTs.
Also this is how the Label will be redistributed for LSP by LD protocol and for MPLS VPN Labels by BGP-MP Protocol:
And at the end this is how the packets will be forwarded based on different MPLS labels and IPs:
HPN (H3C) MPLS VPN configuration example
For very good reasons, I will show here only configuration example for CUSTOMER_B Router R1 and PE1 routers. For PE to CE communication I chosen BGP in this example, if you want other protocols, you have to look to the configuration guides for them. Also basic MPLS must be activated for all PE and P devices that is shown in the beginning.
Basic MPLS configuration for P and PE devices
This part must be done on all MPLS routers in the provider network so that all LSP paths can be build.
To start basic MPLS forwarding + LDP on a H3C Router, you have to go through these steps:
- Configure a Label Switch Router ID (best loopback IP)
- Enable MPLS on the router as a whole
- Specify what traffic can trigger the LSP establishment
- Enable LDP at the Global level
- Enable LDP on the interfaces
In code syntax, this is it for the most general (ergo Cisco-like) configuration:
mpls lsr-id 192.168.1.1 mpls lsp-trigger all mpls ldp interface Ethernet 0/0 mpls mpls ldp
CUSTOMER_B Router R1 configuration (no MPLS here!)
interface Ethernet1/0 ip address 18.104.22.168 24 # interface LoopBack1 ip address 10.0.0.1 32 # bgp 65410 import-route direct undo synchronization group 100 external peer 22.214.171.124 group 100 as-number 100
In summary the configuration on the CE router is very basic, you can have a quick look at my previous article about BGP on HPN to learn a bit more about BGP configuration on HPN devices.
PE1 router BGP/MPLS VPN configuration
#Configure VPN Instance: RD and VPN Target ip vpn-instance CUSTOMER_B route-distinguisher 1:27 vpn-target 1:100 export-extcommunity vpn-target 1:100 import-extcommunity # interface Ethernet1/0 # Bind VPN Instance to interface ip binding vpn-instance CUSTOMER_B ip address 126.96.36.199 255.255.255.0 # interface LoopBack1 ip address 188.8.131.52 255.255.255.255 # bgp 100 import-route direct undo synchronization group 65410 external # PE to PE Configuration group 202 internal peer 184.108.40.206 group 202 peer 220.127.116.11 connect-interface LoopBack1 # PE to CE Configuration ipv4-family vpn-instance CUSTOMER_B import-route direct undo synchronization group 65410 external peer 18.104.22.168 group 65410 as-number 65410 # PE to PE Configuration for VPNv4 must be activated as by default ipv4-family vpnv4 peer 202 enable peer 22.214.171.124 group 202
The configuration omitted other customers but the configuration would be the same with only different interface/RD/RT/peers and I believe that from the information showed here you can create it without issue yourself.
In summary MPLS VPNs (Also called MPLS L3 VPNs because also L2 version was created afterwards) are a very, very … very common place both provider and data center environment solutions.