Complete MPLS Layer 3 VPN Using BGP PE-CE Routing, VRF and VPNv4 MP-BGP
MPLS Layer 3 VPN is one of the most widely deployed technologies in enterprise WAN, telecom provider networks and cloud infrastructures. This guide demonstrates how to build an MPLS VPN using:
- VPNv4 MP-BGP
- VRF
- PE-CE BGP Routing
- Route Distinguishers
- Route Targets
- AS Override
- Allowas-in
What You Will Learn
- How VPNv4 MP-BGP works
- How VRFs isolate customer routes
- How PE-CE BGP routing works
- How AS Override solves loop prevention issues
- How Allowas-in works
- How customer routes travel across MPLS backbones
- How route redistribution works in MPLS VPN
Table of Contents
- 1. MPLS VPN Introduction
- 2. VPNv4 MP-BGP Configuration
- 3. VRF Cust-A Configuration
- 4. BGP Between R1 and R5
- 5. BGP Between R4 and R8
- 6. AS Override Explained
- 7. VRF Cust-B Configuration
- 8. BGP Between R1 and R6
- 9. BGP Between R4 and R7
- 10. Allowas-in Explained
- 11. MPLS and BGP Mathematics
- 12. Verification Commands
- 13. Troubleshooting
1. MPLS VPN Introduction
MPLS stands for Multiprotocol Label Switching. MPLS forwards packets based on labels instead of traditional routing lookups.
MPLS Components
| Component | Purpose |
|---|---|
| PE Router | Connects customers to provider network |
| P Router | Core MPLS forwarding router |
| CE Router | Customer edge router |
| VRF | Virtual routing table |
| MP-BGP | Exchanges VPN routes |
MPLS Label Forwarding
$$ Incoming\ Label \rightarrow Swap \rightarrow Outgoing\ Label $$
2. VPNv4 MP-BGP Neighbor Relationship
MP-BGP exchanges VPNv4 routes between PE routers.
R1 Configuration
Basic Example:
router bgp ASN
neighbor PE remote-as ASN
address-family vpnv4
neighbor PE activate
R1
router bgp 1000
neighbor 4.4.4.4 remote-as 1000
neighbor 4.4.4.4 update-source loopback0
address-family vpnv4
neighbor 4.4.4.4 activate
R4 Configuration
R4
router bgp 1000
neighbor 1.1.1.1 remote-as 1000
neighbor 1.1.1.1 update-source loopback0
address-family vpnv4
neighbor 1.1.1.1 activate
VPNv4 Route Formula
$$ VPNv4 = RD + IPv4Prefix $$
Example:
$$ 1000:1 : 10.5.5.0/24 $$
Why Use Loopbacks?
Loopbacks provide stable BGP sessions because physical interface failures do not immediately terminate peerings if alternate paths exist.
3. VRF Cust-A Configuration
VRFs isolate customer routing tables.
R1 Configuration
vrf definition Cust-A
rd 1000:1
address-family ipv4
route-target both 1000:1
interface e0/1
vrf forwarding Cust-A
ip address 192.1.15.1 255.255.255.0
no shutdown
R4 Configuration
vrf definition Cust-A
rd 1000:1
address-family ipv4
route-target both 1000:1
interface e0/2
vrf forwarding Cust-A
ip address 192.1.48.4 255.255.255.0
no shutdown
Route Target Logic
$$ Import = Matching\ RouteTarget $$
4. BGP Between R1 and R5 for Cust-A
R5 acts as the CE router using BGP AS 65005.
R1 Configuration
Configuration Example:
router bgp 1000
address-family ipv4 vrf Cust-A
neighbor x.x.x.x remote-as y
router bgp 1000
address-family ipv4 vrf Cust-A
neighbor 192.1.15.5 remote-as 65005
R5 Configuration
router bgp 65005
network 10.5.5.0 mask 255.255.255.0
neighbor 192.1.15.1 remote-as 1000
Why Use BGP Between PE and CE?
BGP is highly scalable and ideal for enterprise WAN deployments. It allows policy control, route filtering and scalable route exchange.
5. BGP Between R4 and R8 for Cust-A
R4 Configuration
router bgp 1000
address-family ipv4 vrf Cust-A
neighbor 192.1.48.8 remote-as 65008
R8 Configuration
router bgp 65008
network 10.8.8.0 mask 255.255.255.0
neighbor 192.1.48.4 remote-as 1000
6. AS Override Explained
AS Override solves a common MPLS VPN problem where customer sites use the same AS number.
Problem Scenario
Both R5 and R8 use AS 65001.
BGP loop prevention makes a router reject any route whose AS path contains its own AS number.
Solution: AS Override
PE routers replace the customer AS in the AS path with the provider AS before advertising routes to the CE.
R1 Configuration
router bgp 1000
address-family ipv4 vrf Cust-A
neighbor 192.1.15.5 as-override
R4 Configuration
router bgp 1000
address-family ipv4 vrf Cust-A
neighbor 192.1.48.8 as-override
How AS Override Works
Normally:
65001 1000
After AS Override:
1000 1000
Customer routers no longer see their own AS number and accept routes.
7. VRF Cust-B Configuration
R1 Configuration
vrf definition Cust-B
rd 1000:2
address-family ipv4
route-target both 1000:2
interface e0/2
vrf forwarding Cust-B
ip address 192.1.16.1 255.255.255.0
no shutdown
R4 Configuration
vrf definition Cust-B
rd 1000:2
address-family ipv4
route-target both 1000:2
interface e0/1
vrf forwarding Cust-B
ip address 192.1.47.4 255.255.255.0
no shutdown
8. BGP Between R1 and R6 for Cust-B
R1 Configuration
router bgp 1000
address-family ipv4 vrf Cust-B
neighbor 192.1.16.6 remote-as 65002
R6 Configuration
router bgp 65002
network 10.6.6.0 mask 255.255.255.0
neighbor 192.1.16.1 remote-as 1000
9. BGP Between R4 and R7 for Cust-B
R4 Configuration
router bgp 1000
address-family ipv4 vrf Cust-B
neighbor 192.1.47.7 remote-as 65002
R7 Configuration
router bgp 65002
network 10.7.7.0 mask 255.255.255.0
neighbor 192.1.47.4 remote-as 1000
10. Allowas-in Explained
Allowas-in allows BGP routers to accept routes containing their own AS number.
Problem
Both R6 and R7 use AS 65002.
BGP loop prevention makes each site reject the routes received from the other site, because their AS path contains its own AS number.
Solution: allowas-in
Allowas-in disables this AS-path loop check, but only for routes received from the neighbors it is configured on; here that is each CE's session to its PE.
R6 Configuration
router bgp 65002
neighbor 192.1.16.1 allowas-in
R7 Configuration
router bgp 65002
neighbor 192.1.47.4 allowas-in
Difference Between AS Override and Allowas-in
| Feature | Purpose |
|---|---|
| AS Override | PE modifies AS path |
| Allowas-in | CE accepts own AS in AS path |
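The following model of sections 6 and 10 is an added example, not part of the original lab. It walks a customer route from the ingress PE to the remote CE and applies the eBGP AS-path loop check, with and without as-override and allowas-in. The function names are hypothetical, and the `allowas_in` argument is the number of own-AS occurrences the CE tolerates (the command takes an optional count).

```python
# Added example: AS-path handling for PE-CE eBGP in an MPLS L3VPN.
PROVIDER_AS = 1000  # provider AS used throughout this lab

def pe_advertise(as_path, local_as, neighbor_as, as_override=False):
    """AS path the egress PE sends to its CE over eBGP."""
    if as_override:
        # as-override: each occurrence of the neighbor's AS becomes the PE's AS
        as_path = [local_as if asn == neighbor_as else asn for asn in as_path]
    return [local_as] + as_path  # normal eBGP prepend of the PE's own AS

def ce_accepts(as_path, own_as, allowas_in=0):
    """Loop check on the CE: own AS may appear at most allowas_in times."""
    return as_path.count(own_as) <= allowas_in

def deliver(origin_as, receiver_as, as_override=False, allowas_in=0):
    """Return (AS path seen by the remote CE, accepted?)."""
    # The ingress PE learns the path [origin_as]; iBGP VPNv4 between PEs
    # carries it unchanged, so the egress PE starts from the same path.
    sent = pe_advertise([origin_as], PROVIDER_AS, receiver_as, as_override)
    return sent, ce_accepts(sent, receiver_as, allowas_in)

if __name__ == "__main__":
    cases = {
        "Cust-B, both sites AS 65002, no fix": deliver(65002, 65002),
        "Cust-B with allowas-in on the CE": deliver(65002, 65002, allowas_in=1),
        "Same AS with as-override on the PE": deliver(65002, 65002, as_override=True),
        "Cust-A as configured (65005 -> 65008)": deliver(65005, 65008),
    }
    for name, (path, ok) in cases.items():
        print(f"{name}: path={path} accepted={ok}")
```

With allowas-in the CE still sees its own AS in the path and simply tolerates it, while as-override removes it before the CE ever sees the route; distinct AS numbers per site need neither feature.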
11. MPLS and BGP Mathematics
BGP Path Selection Formula
VPN Route Formula
AS Path Length
Bandwidth Formula
Latency Formula
12. Verification Commands
Verify VPNv4 Neighbors
show bgp vpnv4 unicast all summary
Verify VRFs
show vrf
Verify Customer Routes
show ip route vrf Cust-A
Verify BGP Table
show bgp vpnv4 unicast all
Verify CE Neighbor Relationships
show ip bgp summary
Expected Output
R1#show bgp vpnv4 unicast all
Route Distinguisher: 1000:1
*> 10.5.5.0/24
*> 10.8.8.0/24
13. Troubleshooting MPLS VPN with BGP
Problem 1: VPNv4 Neighbor Down
- Loopback reachability issue
- Missing update-source
- Incorrect AS number
- Neighbor activation missing
Problem 2: CE Routes Missing
- BGP neighbor down
- Network statement missing
- VRF assignment incorrect
Problem 3: Same AS Route Rejection
- Configure as-override on the PE
- Or configure allowas-in on the CE
Useful Debug Commands
debug ip bgp
debug ip routing
show bgp vpnv4 unicast all
14. End-to-End Route Flow
- R5 advertises customer routes using BGP
- R1 learns routes inside VRF Cust-A
- R1 converts routes into VPNv4 format
- MP-BGP advertises routes to R4
- R4 imports routes using Route Targets
- R4 advertises routes to R8
- R8 learns remote customer routes
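The route flow above can be modelled in a few lines. This added example (not part of the original lab) builds the VPNv4 route on the ingress PE, applies route-target import on the egress PE, and audits a PE's VRF set for imports that would let one customer's routes land in another customer's VRF. The helper names and the `LEAKY_VRFS` misconfiguration are constructed for illustration.

```python
# Added example: RD / route-target handling for the VRFs defined in this lab.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset

def vrf_both(name, rd, rt):
    # "route-target both X" sets X as import and export route target
    return Vrf(name, rd, frozenset([rt]), frozenset([rt]))

def export_vpnv4(vrf, prefix):
    """Ingress PE: prepend the RD and attach the VRF's export route targets."""
    return {"vpnv4": f"{vrf.rd}:{prefix}", "prefix": prefix, "rts": vrf.export_rts}

def import_vpnv4(route, vrfs):
    """Egress PE: install into every VRF whose import RTs match the route's RTs."""
    return sorted(v.name for v in vrfs if v.import_rts & route["rts"])

def cross_imports(vrfs):
    """Audit: (importer, exporter) pairs of different VRFs that share routes."""
    return sorted((a.name, b.name) for a in vrfs for b in vrfs
                  if a.name != b.name and a.import_rts & b.export_rts)

# VRFs as configured on R1 and R4 in sections 3 and 7
PE_VRFS = [vrf_both("Cust-A", "1000:1", "1000:1"),
           vrf_both("Cust-B", "1000:2", "1000:2")]

# Constructed misconfiguration: Cust-B also imports Cust-A's route target
LEAKY_VRFS = [PE_VRFS[0],
              Vrf("Cust-B", "1000:2",
                  frozenset(["1000:2", "1000:1"]), frozenset(["1000:2"]))]

if __name__ == "__main__":
    route = export_vpnv4(PE_VRFS[0], "10.5.5.0/24")  # R5's prefix via R1
    print(route["vpnv4"], "->", import_vpnv4(route, PE_VRFS))
    print("leaky import ->", import_vpnv4(route, LEAKY_VRFS))
    print("audit:", cross_imports(PE_VRFS), cross_imports(LEAKY_VRFS))
```

The RD only makes the prefix unique in the VPNv4 table; which VRF receives the route is decided entirely by the import route targets, so those are the values to audit when checking customer isolation.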
15. Final Learning Summary
Key Takeaways
- MP-BGP exchanges VPNv4 routes between PE routers
- VRFs isolate customer routing tables
- BGP PE-CE routing provides scalability
- AS Override solves same-AS routing problems
- Allowas-in allows CE routers to accept routes with their own AS
- Route Targets determine VPN membership
- MPLS VPN scales enterprise WAN deployments
16. Final Thoughts
MPLS Layer 3 VPN using PE-CE BGP is widely deployed in enterprise WAN and telecom networks. Understanding VPNv4, VRF, AS Override and Allowas-in is critical for advanced networking certifications and real-world deployments.
This lab demonstrated:
- VPNv4 MP-BGP configuration
- VRF deployment
- BGP PE-CE routing
- AS Override implementation
- Allowas-in implementation
- Route propagation across MPLS VPN