Multiprotocol BGP MPLS VPN

A Multiprotocol Label Switching (MPLS) virtual private network (VPN) consists of a set of sites that are
interconnected by means of an MPLS provider core network. At each site, there are one or more customer
edge (CE) devices, which attach to one or more provider edge (PE) devices. PEs use the Multiprotocol-Border
Gateway Protocol (MP-BGP) to dynamically communicate with each other.

• Finding Feature Information, page 1

• Prerequisites for Multiprotocol BGP MPLS VPN, page 1
• Information About Multiprotocol BGP MPLS VPN, page 2
• How to Configure Multiprotocol BGP MPLS VPN, page 5
• Configuration Examples for Multiprotocol BGP MPLS VPN, page 12
• Additional References, page 13
• Feature Information for Multiprotocol BGP MPLS VPN, page 13

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Multiprotocol BGP MPLS VPN

Configure MPLS virtual private networks (VPNs) in the core.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

1
 Multiprotocol BGP MPLS VPN
Information About Multiprotocol BGP MPLS VPN

Information About Multiprotocol BGP MPLS VPN

MPLS Virtual Private Network Definition
Before defining a Multiprotocol Label Switching virtual private network (MPLS VPN), you must define a
VPN in general. A VPN is:
• An IP-based network delivering private network services over a public infrastructure
• A set of sites that are allowed to communicate with each other privately over the Internet or other public
or private networks

Conventional VPNs are created by configuring a full mesh of tunnels or permanent virtual circuits (PVCs) to
all sites in a VPN. This type of VPN is not easy to maintain or expand, because adding a new site requires
changing each edge device in the VPN.
MPLS-based VPNs are created in Layer 3 and are based on the peer model. The peer model enables the service
provider and the customer to exchange Layer 3 routing information. The service provider relays the data
between the customer sites without the customer’s involvement.
MPLS VPNs are easier to manage and expand than conventional VPNs. When a new site is added to an MPLS
VPN, only the service provider’s edge device that provides services to the customer site needs to be updated.
The different parts of the MPLS VPN are described as follows:
• Provider (P) device—Device in the core of the provider network. P devices run MPLS switching, and
do not attach VPN labels to routed packets. The MPLS label in each route is assigned by the provider
edge (PE) device. VPN labels are used to direct data packets to the correct egress device.
• PE device—Device that attaches the VPN label to incoming packets based on the interface or subinterface
on which they are received. A PE device attaches directly to a customer edge (CE) device.
• Customer (C) device—Device in the ISP or enterprise network.
• CE device—Edge device on the network of the ISP that connects to the PE device on the network. A
CE device must interface with a PE device.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

2
 Multiprotocol BGP MPLS VPN
How an MPLS Virtual Private Network Works

The figure below shows a basic MPLS VPN.

Figure 1: Basic MPLS VPN Terminology

How an MPLS Virtual Private Network Works

Multiprotocol Label Switching virtual private network (MPLS VPN) functionality is enabled at the edge of
an MPLS network. The provider edge (PE) device performs the following:
• Exchanges routing updates with the customer edge (CE) device.
• Translates the CE routing information into VPNv4 routes.
• Exchanges VPNv4 routes with other PE devices through the Multiprotocol Border Gateway Protocol
(MP-BGP).

The following sections describe how MPLS VPN works:

How Virtual Routing and Forwarding Tables Work in an MPLS Virtual Private Network
Each virtual private network (VPN) is associated with one or more virtual routing and forwarding (VRF)
instances. A VRF defines the VPN membership of a customer site attached to a PE device. A VRF consists
of the following components:
• An IP routing table
• A derived Cisco Express Forwarding table
• A set of interfaces that use the forwarding table
• A set of rules and routing protocol parameters that control the information that is included in the routing
table

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

3
 Multiprotocol BGP MPLS VPN
How an MPLS Virtual Private Network Works

A one-to-one relationship does not necessarily exist between customer sites and VPNs. A site can be a member
of multiple VPNs. However, a site can associate with only one VRF. A site’s VRF contains all the routes
available to the site from the VPNs of which it is a member.
Packet forwarding information is stored in the IP routing table and the Cisco Express Forwarding table for
each VRF. A separate set of routing and Cisco Express Forwarding tables is maintained for each VRF. These
tables prevent information from being forwarded outside a VPN, and they also prevent packets that are outside
a VPN from being forwarded to a device within the VPN.

How VPN Routing Information Is Distributed in an MPLS Virtual Private Network

The distribution of virtual private network (VPN) routing information is controlled through the use of VPN
route target communities, implemented by Border Gateway Protocol (BGP) extended communities. VPN
routing information is distributed as follows:
• When a VPN route that is learned from a customer edge (CE) device is injected into BGP, a list of VPN
route target extended community attributes is associated with it. Typically the list of route target
community extended values is set from an export list of route targets associated with the virtual routing
and forwarding (VRF) instance from which the route was learned.
• An import list of route target extended communities is associated with each VRF. The import list defines
route target extended community attributes that a route must have in order for the route to be imported
into the VRF. For example, if the import list for a particular VRF includes route target extended
communities A, B, and C, then any VPN route that carries any of those route target extended
communities—A, B, or C—is imported into the VRF.

BGP Distribution of VPN Routing Information

A provider edge (PE) device can learn an IP prefix from the following sources:
• A customer edge (CE) device by static configuration
• A Border Gateway Protocol (BGP) session with the CE device
• A Routing Information Protocol (RIP) exchange with the CE device

The IP prefix is a member of the IPv4 address family. After the PE device learns the IP prefix, the PE converts
it into a VPN-IPv4 prefix by combining it with an 8-byte route distinguisher (RD). The generated prefix is a
member of the VPN-IPv4 address family. It uniquely identifies the customer address, even if the customer
site is using globally nonunique (unregistered private) IP addresses. The route distinguisher used to generate
the VPN-IPv4 prefix is specified by a configuration command associated with the virtual routing and forwarding
(VRF) instance on the PE device.
BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP communication occurs
at two levels:
• Within an IP domains, known as an autonomous system (interior BGP [IBGP])
• Between autonomous systems (external BGP [EBGP])

PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and PE-CE sessions are EBGP sessions. In an
Enhanced Interior Gateway Routing Protocol (EIGRP) PE-CE environment, when an EIGRP internal route
is redistributed into BGP by one PE, and then back into EIGRP by another PE, the originating router ID for
the route is set to the router ID of the second PE, replacing the original internal router ID.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

4
 Multiprotocol BGP MPLS VPN
Major Components of an MPLS Virtual Private Network

BGP propagates reachability information for VPN-IPv4 prefixes among PE devices by means of the BGP
multiprotocol extensions (refer to RFC 2283, Multiprotocol Extensions for BGP-4), which define support for
address families other than IPv4. Using the extensions ensures that the routes for a given VPN are learned
only by other members of that VPN, enabling members of the VPN to communicate with each other.

Major Components of an MPLS Virtual Private Network

An Multiprotocol Label Switching (MPLS)-based virtual private network (VPN) has three major components:
• VPN route target communities—A VPN route target community is a list of all members of a VPN
community. VPN route targets need to be configured for each VPN community member.
• Multiprotocol BGP (MP-BGP) peering of VPN community provider edge (PE) devices—MP-BGP
propagates virtual routing and forwarding (VRF) reachability information to all members of a VPN
community. MP-BGP peering must be configured on all PE devices within a VPN community.
• MPLS forwarding—MPLS transports all traffic between all VPN community members across a VPN
service-provider network.

A one-to-one relationship does not necessarily exist between customer sites and VPNs. A given site can be a
member of multiple VPNs. However, a site can associate with only one VRF. A customer-site VRF contains
all the routes available to the site from the VPNs of which it is a member.

How to Configure Multiprotocol BGP MPLS VPN

Configuring Multiprotocol BGP Connectivity on the PE Devices and Route
Reflectors
SUMMARY STEPS

1. enable
2. configure terminal
3. router bgp as-number
4. no bgp default ipv4-unicast
5. neighbor {ip-address | peer-group-name} remote-as as-number
6. neighbor {ip-address | peer-group-name} activate
7. address-family vpnv4 [unicast]
8. neighbor {ip-address | peer-group-name} send-community extended
9. neighbor {ip-address | peer-group-name} activate
10. end

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

5
 Multiprotocol BGP MPLS VPN
Configuring Multiprotocol BGP Connectivity on the PE Devices and Route Reflectors

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 router bgp as-number Configures a Border Gateway Protocol (BGP) routing process and enters
router configuration mode.
Example: • The as-number argument indicates the number of an autonomous
Device(config)# router bgp 100 system that identifies the device to other BGP devices and tags
the routing information passed along. The range is 0 to 65535.
Private autonomous system numbers that can be used in internal
networks are 64512 to 65535.

Step 4 no bgp default ipv4-unicast (Optional) Disables the IPv4 unicast address family on all neighbors.
• Use the no bgp default ipv4-unicast command if you are using
Example: this neighbor for Multiprotocol Label Switching (MPLS) routes
Device(config-router)# no bgp default only.
ipv4-unicast

Step 5 neighbor {ip-address | peer-group-name} Adds an entry to the BGP or multiprotocol BGP neighbor table.
remote-as as-number
• The ip-address argument specifies the IP address of the neighbor.
Example: • The peer-group-name argument specifies the name of a BGP peer
group.
Device(config-router)# neighbor 10.0.0.1
remote-as 100 • The as-number argument specifies the autonomous system to
which the neighbor belongs.

Step 6 neighbor {ip-address | peer-group-name} Enables the exchange of information with a neighboring BGP device.
activate
• The ip-address argument specifies the IP address of the neighbor.
Example: • The peer-group-name argument specifies the name of a BGP peer
group.
Device(config-router)# neighbor 10.0.0.1
activate

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

6
 Multiprotocol BGP MPLS VPN
Configuring Multiprotocol BGP Connectivity on the PE Devices and Route Reflectors

Command or Action Purpose

Step 7 address-family vpnv4 [unicast] Enters address family configuration mode for configuring routing
sessions, such as BGP, that use standard VPNv4 address prefixes.
Example: • The optional unicast keyword specifies VPNv4 unicast address
Device(config-router)# address-family prefixes.
vpnv4

Step 8 neighbor {ip-address | peer-group-name} Specifies that a communities attribute should be sent to a BGP neighbor.
send-community extended
• The ip-address argument specifies the IP address of the
BGP-speaking neighbor.
Example:
• The peer-group-name argument specifies the name of a BGP peer
Device(config-router-af)# neighbor
10.0.0.1 send-community extended group.

Step 9 neighbor {ip-address | peer-group-name} Enables the exchange of information with a neighboring BGP device.
activate
• The ip-address argument specifies the IP address of the neighbor.
Example: • The peer-group-name argument specifies the name of a BGP peer
group.
Device(config-router-af)# neighbor
10.0.0.1 activate

Step 10 end (Optional) Exits to privileged EXEC mode.

Example:
Device(config-router-af)# end

Troubleshooting Tips
You can enter a show ip bgp neighbor command to verify that the neighbors are up and running. If this
command is not successful, enter a debug ip bgp ip-address events command, where ip-address is the IP
address of the neighbor.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

7
 Multiprotocol BGP MPLS VPN
Configuring BGP as the Routing Protocol Between the PE and CE Devices

Configuring BGP as the Routing Protocol Between the PE and CE Devices

SUMMARY STEPS

1. enable
2. configure terminal
3. router bgp as-number
4. address-family ipv4 [multicast | unicast | vrf vrf-name]
5. neighbor {ip-address | peer-group-name} remote-as as-number
6. neighbor {ip-address | peer-group-name} activate
7. exit-address-family
8. end

DETAILED STEPS

Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 router bgp as-number Configures a Border Gateway Protocol (BGP) routing process and enters
router configuration mode.
Example: • The as-number argument indicates the number of an autonomous
Device(config)# router bgp 100 system that identifies the device to other BGP devices and tags the
routing information passed along. The range is 0 to 65535. Private
autonomous system numbers that can be used in internal networks
range from 64512 to 65535.

Step 4 address-family ipv4 [multicast | unicast | Specifies the IPv4 address family type and enters address family
vrf vrf-name] configuration mode.
• The multicast keyword specifies IPv4 multicast address prefixes.
Example:
• The unicast keyword specifies IPv4 unicast address prefixes.
Device(config-router)# address-family
ipv4 vrf vpn1 • The vrf vrf-name keyword and argument specify the name of the
VRF to associate with subsequent IPv4 address family configuration
mode commands.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

8
 Multiprotocol BGP MPLS VPN
Verifying the Virtual Private Network Configuration

Command or Action Purpose

Step 5 neighbor {ip-address | peer-group-name} Adds an entry to the BGP or multiprotocol BGP neighbor table.
remote-as as-number
• The ip-address argument specifies the IP address of the neighbor.
Example: • The peer-group-name argument specifies the name of a BGP peer
group.
Device(config-router-af)# neighbor
10.0.0.1 remote-as 200 • The as-number argument specifies the autonomous system to which
the neighbor belongs.

Step 6 neighbor {ip-address | peer-group-name} Enables the exchange of information with a neighboring BGP device.
activate
• The ip-address argument specifies the IP address of the neighbor.
Example: • The peer-group-name argument specifies the name of a BGP peer
group.
Device(config-router-af)# neighbor
10.0.0.1 activate

Step 7 exit-address-family Exits address family configuration mode.

Example:
Device(config-router-af)#
exit-address-family

Step 8 end (Optional) Exits to privileged EXEC mode.

Example:
Device(config-router)# end

Verifying the Virtual Private Network Configuration

A route distinguisher must be configured for the virtual routing and forwarding (VRF) instance, and
Multiprotocol Label Switching (MPLS) must be configured on the interfaces that carry the VRF. Use the
show ip vrf command to verify the route distinguisher (RD) and interface that are configured for the VRF.

SUMMARY STEPS

1. show ip vrf

DETAILED STEPS

show ip vrf
Displays the set of defined VRF instances and associated interfaces. The output also maps the VRF instances to the
configured route distinguisher.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

9
 Multiprotocol BGP MPLS VPN
Verifying Connectivity Between MPLS Virtual Private Network Sites

Verifying Connectivity Between MPLS Virtual Private Network Sites

To verify that the local and remote customer edge (CE) devices can communicate across the Multiprotocol
Label Switching (MPLS) core, perform the following tasks:

Verifying IP Connectivity from CE Device to CE Device Across the MPLS Core

SUMMARY STEPS

1. enable
2. ping [protocol] {host-name | system-address}
3. trace [protocol] [destination]
4. show ip route [ip-address [mask] [longer-prefixes]] | protocol [process-id]] | [list [access-list-name |
access-list-number]

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode.

Step 2 ping [protocol] {host-name | system-address}

Diagnoses basic network connectivity on AppleTalk, Connectionless-mode Network Service (CLNS), IP, Novell, Apollo,
Virtual Integrated Network Service (VINES), DECnet, or Xerox Network Service (XNS) networks. Use the ping command
to verify the connectivity from one CE device to another.

Step 3 trace [protocol] [destination]

Discovers the routes that packets take when traveling to their destination. The trace command can help isolate a trouble
spot if two devices cannot communicate.

Step 4 show ip route [ip-address [mask] [longer-prefixes]] | protocol [process-id]] | [list [access-list-name | access-list-number]
Displays the current state of the routing table. Use the ip-address argument to verify that CE1 has a route to CE2. Verify
the routes learned by CE1. Make sure that the route for CE2 is listed.

Verifying That the Local and Remote CE Devices Are in the PE Routing Table

SUMMARY STEPS

1. enable
2. show ip route vrf vrf-name [prefix]
3. show ip cef vrf vrf-name [ip-prefix]

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

10
 Multiprotocol BGP MPLS VPN
Verifying Connectivity Between MPLS Virtual Private Network Sites

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode.

Step 2 show ip route vrf vrf-name [prefix]

Displays the IP routing table associated with a virtual routing and forwarding (VRF) instance. Check that the loopback
addresses of the local and remote customer edge (CE) devices are in the routing table of the provider edge (PE) devices.

Step 3 show ip cef vrf vrf-name [ip-prefix]

Displays the Cisco Express Forwarding forwarding table associated with a VRF. Check that the prefix of the remote CE
device is in the Cisco Express Forwarding table.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

11
 Multiprotocol BGP MPLS VPN
Configuration Examples for Multiprotocol BGP MPLS VPN

Configuration Examples for Multiprotocol BGP MPLS VPN

Example: Configuring an MPLS Virtual Private Network Using BGP
PE Configuration CE Configuration

ip vrf vpn1 ip cef

rd 100:1 mpls ldp router-id Loopback0 force
route-target export 100:1 mpls label protocol ldp
route-target import 100:1 !
! interface Loopback0
ip cef ip address 10.0.0.9 255.255.255.255
mpls ldp router-id Loopback0 force !
mpls label protocol ldp interface FastEthernet0/0
! ip address 198.51.100.1 255.255.255.0
interface Loopback0 no cdp enable
ip address 10.0.0.1 255.255.255.255 !
! router bgp 200
interface FastEthernet0/0/0 bgp log-neighbor-changes
ip vrf forwarding vpn1 neighbor 198.51.100.2 remote-as 100
ip address 192.0.2.3 255.255.255.0 !
no cdp enable address-family ipv4
! redistribute connected
interface FastEthernet1/1/0 neighbor 198.51.100.2 activate
ip address 192.0.2.2 255.255.255.0 neighbor 198.51.100.2 advertisement-interval
mpls label protocol ldp 5
mpls ip no auto-summary
! no synchronization
router ospf 100 exit-address-family
network 10.0.0. 0.0.0.0 area 100
network 192.0.2.1 255.255.255.0 area 100
!
router bgp 100
no synchronization
bgp log-neighbor changes
neighbor 10.0.0.3 remote-as 100
neighbor 10.0.0.3 update-source Loopback0
no auto-summary
!
address-family vpnv4
neighbor 10.0.0.3 activate
neighbor 10.0.0.3 send-community extended
bgp scan-time import 5
exit-address-family
!
address-family ipv4 vrf vpn1
redistribute connected
neighbor 198.51.100.1 remote-as 200
neighbor 198.51.100.1 activate
neighbor 198.51.100.1 as-override
neighbor 198.51.100.1 advertisement-interval
5
no auto-summary
no synchronization
exit-address-family

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

12
 Multiprotocol BGP MPLS VPN
Additional References

Additional References
Related Documents

Related Topic Document Title

Cisco IOS commands Cisco IOS Master Command List, All Releases

Description of commands associated with MPLS and Cisco IOS Multiprotocol Label Switching Command
MPLS applications Reference

Configuring MPLS virtual private networks “MPLS Virtual Private Networks” module in the
MPLS Layer 3 VPNs Configuration Guide

Standards and RFCs

RFC Title
RFC 2283 Multiprotocol Extensions for BGP-4

RFC 2547 BGP/MPLS VPNs

Technical Assistance

Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.

Feature Information for Multiprotocol BGP MPLS VPN

The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

13
 Multiprotocol BGP MPLS VPN
Feature Information for Multiprotocol BGP MPLS VPN

Table 1: Feature Information for Multiprotocol BGP MPLS VPN

Feature Name Releases Feature Information

Multiprotocol BGP MPLS VPN 12.0(11)ST An MPLS VPN consists of a set of
sites that are interconnected
12.2(9)S
through the MPLS provider core
12.2(17b)SXA network. At each site, there are one
12.2(27)SBB or more CEs, which attach to one
or more PEs. The Multiprotocol
12.3(8)T BGP MPLS VPN feature allows
15.2(1)S PEs to use the MP-BGP to
dynamically communicate with
Cisco IOS XE Release 2.1
each other.
Cisco IOS XE Release 3.5S
In Cisco IOS Release 12.0(11)ST,
this feature was introduced.
In Cisco IOS Release 12.2(9)S,
12.2(17b)SXA, 12.2(27)SBB,
12.3(8)T, and 15.2(1)S, this feature
was integrated.
In Cisco IOS XE Release 2.1, this
feature was implemented on Cisco
ASR 1000 Series Routers.
In Cisco IOS XE Release 3.5S,
support was added for the Cisco
ASR 903 Router.
No commands were introduced or
modified.

MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15S

14