Sometimes it's hard to simply find the time to do what I promised. I hope this will spur some conversation. I still stress that you should always try to do the lab without my help first. This will ensure you learn how to do it properly. Also remember that there are always multiple ways to do certain labs, so don't take my solution as gospel.
This solution is for the lab I posted here: http://mellowd.co.uk/ccie/?p=527
- CPE1 and CPE5 belong to Customer1
- CPE2 and CPE6 belong to Customer2
- Both customers are running OSPF as their IGP
- The loopbacks as shown in the topology must be advertised into OSPF. Customer1 should be able to ping all loopbacks in their network and Customer2 should be able to ping everything in theirs.
- Both customers are now running a project together and need 2 of their offices connected. CPE1 from Customer1 should be able to communicate with CPE6 from Customer2 and vice versa.
- It's essential that CPE2 and CPE5 are NOT able to get to all loopbacks. ONLY CPE1 and CPE6 should be able to communicate with each other. This new configuration should not break the previous VPNs in place.
- Do this without using any ACLs, prefix-lists, route-maps or the like.
We start with a regular MPLS VPN config, the same as we did for the first MPLS VPN lab. All the relevant config is here:
CPE1:
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
CPE2:
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.2.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
CPE5:
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.3.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.3.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
CPE6:
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.4.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.1.4.0 0.0.0.255 area 0
 network 172.16.2.0 0.0.0.255 area 0
Now for the 2 AR routers, starting with AR1:
ip cef
!
ip vrf CUS1
 rd 400:1
 route-target export 400:1
 route-target import 400:1
!
ip vrf CUS2
 rd 400:2
 route-target export 400:2
 route-target import 400:2
!
interface FastEthernet0/0
 ip vrf forwarding CUS1
 ip address 10.1.1.2 255.255.255.0
!
interface FastEthernet2/0
 ip vrf forwarding CUS2
 ip address 10.1.2.2 255.255.255.0
!
router ospf 2 vrf CUS1
 redistribute bgp 400 metric 10 subnets
 network 10.1.1.0 0.0.0.255 area 0
!
router ospf 3 vrf CUS2
 redistribute bgp 400 metric 10 subnets
 network 10.1.2.0 0.0.0.255 area 0
!
router bgp 400
 bgp log-neighbor-changes
 neighbor 10.255.255.7 remote-as 400
 neighbor 10.255.255.7 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.255.255.7 activate
  neighbor 10.255.255.7 send-community extended
 !
 address-family ipv4 vrf CUS2
  redistribute ospf 3 vrf CUS2 metric 10
  no synchronization
 !
 address-family ipv4 vrf CUS1
  redistribute ospf 2 vrf CUS1 metric 10
  no synchronization
A similar config is on AR3. (I'm not going to post it here, otherwise this post will just get too big.)
Let’s now concentrate on CPE1. The initial requirements were to allow CPE1 and CPE5 to speak to each other. Currently CPE1 has the following routing table:
CPE1#sh ip route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
O IA 10.1.3.0 [110/11] via 10.1.1.2, 00:01:20, FastEthernet0/0
C 10.1.1.0 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback0
192.168.2.0/32 is subnetted, 1 subnets
O IA 192.168.2.1 [110/11] via 10.1.1.2, 00:01:20, FastEthernet0/0
Can CPE1 ping the loopback subnet on CPE5? It sure can!
CPE1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/112/156 ms
Can CPE1 ping CPE6? No, it can't (as expected at this point):
CPE1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
We are now told that we need CPE1 and CPE6 to be able to speak to each other for a project. CPE2 and CPE5 need to be left out of this completely, and we need to do it without using any ACLs or the like.
There is a simple way of doing this: an extranet MPLS VPN. In the configuration above, each customer's VRF is given its own route target. We can create a third route target and have the VRFs facing CPE1 and CPE6 (CUS1 on AR1 and CUS2 on AR3) both import and export it. We simply don't add that route target to the VRFs facing CPE2 and CPE5, so only the prefixes that CPE1 and CPE6 originate are leaked between the two customers.
Let’s add it on AR1 and AR3:
AR1(config)#ip vrf CUS1
AR1(config-vrf)#route-target both 400:100

AR3(config)#ip vrf CUS2
AR3(config-vrf)#route-target both 400:100
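To check the extranet reasoning before touching a production PE, the following Python model (an added example, not part of the original post) applies the route-target import/export rule to the lab's RTs and prefixes and answers "who can ping whom" for each CPE pair. It uses the lab's VRF names, RTs and addresses; the VRF names on AR3 are assumed to mirror AR1's, since the post does not show AR3.

```python
"""Route-target visibility model for the extranet above (added example, not the
post's own config). A VRF exports its locally attached prefixes tagged with its
export RTs and imports any VPNv4 route whose RTs overlap its import RTs."""
import copy
# (PE, VRF) -> (export RTs, import RTs, prefixes learned from the attached CPE)
# AR3's VRF names are assumed to mirror AR1's; the post only shows AR1.
VRFS = {
    ("AR1", "CUS1"): ({"400:1"}, {"400:1"}, {"10.1.1.0/24", "192.168.1.1/32"}),
    ("AR1", "CUS2"): ({"400:2"}, {"400:2"}, {"10.1.2.0/24", "172.16.1.1/32"}),
    ("AR3", "CUS1"): ({"400:1"}, {"400:1"}, {"10.1.3.0/24", "192.168.2.1/32"}),
    ("AR3", "CUS2"): ({"400:2"}, {"400:2"}, {"10.1.4.0/24", "172.16.2.1/32"}),
}
# CPE -> (PE it hangs off, VRF on that PE, its loopback)
CPE = {
    "CPE1": ("AR1", "CUS1", "192.168.1.1/32"),
    "CPE2": ("AR1", "CUS2", "172.16.1.1/32"),
    "CPE5": ("AR3", "CUS1", "192.168.2.1/32"),
    "CPE6": ("AR3", "CUS2", "172.16.2.1/32"),
}

def add_rt_both(vrfs, pe, vrf, rt):
    """Same effect as 'route-target both <rt>' under 'ip vrf <name>'."""
    exp, imp, local = vrfs[(pe, vrf)]
    vrfs[(pe, vrf)] = (exp | {rt}, imp | {rt}, local)

def with_extranet(vrfs, rt="400:100"):
    """Copy of the table with the lab's two extra lines applied (AR1 CUS1, AR3 CUS2)."""
    vrfs = copy.deepcopy(vrfs)
    add_rt_both(vrfs, "AR1", "CUS1", rt)
    add_rt_both(vrfs, "AR3", "CUS2", rt)
    return vrfs

def vrf_rib(vrfs, pe, vrf):
    """Prefixes the VRF ends up with. Only locally originated prefixes are exported:
    a PE never re-exports what it imported, so CPE5's routes cannot reach CPE6."""
    _, imp, local = vrfs[(pe, vrf)]
    rib = set(local)
    for exp, _, origin_local in vrfs.values():
        if exp & imp:  # at least one RT in common -> import the route
            rib |= origin_local
    return rib

def can_reach(vrfs, src, dst):
    """A ping needs a route there and the echo reply needs a route back."""
    spe, svrf, sprefix = CPE[src]
    dpe, dvrf, dprefix = CPE[dst]
    return dprefix in vrf_rib(vrfs, spe, svrf) and sprefix in vrf_rib(vrfs, dpe, dvrf)

if __name__ == "__main__":
    ext = with_extranet(VRFS)
    for s, d in [("CPE1", "CPE6"), ("CPE2", "CPE1"), ("CPE5", "CPE6"), ("CPE2", "CPE5")]:
        print(f"{s} -> {d}: before {can_reach(VRFS, s, d)}, after {can_reach(ext, s, d)}")
```

The RIB the model computes for AR1's CUS1 after the change is exactly the set of prefixes that show up on CPE1 below (its own, CPE5's and CPE6's), while AR1's CUS2 gains nothing from Customer1.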
If I now check the routing table on CPE1 I see the following:
CPE1#sh ip route
Gateway of last resort is not set
172.16.0.0/32 is subnetted, 1 subnets
O E2 172.16.2.1 [110/10] via 10.1.1.2, 00:00:21, FastEthernet0/0
10.0.0.0/24 is subnetted, 3 subnets
O IA 10.1.3.0 [110/11] via 10.1.1.2, 00:08:41, FastEthernet0/0
C 10.1.1.0 is directly connected, FastEthernet0/0
O E2 10.1.4.0 [110/10] via 10.1.1.2, 00:00:21, FastEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback0
192.168.2.0/32 is subnetted, 1 subnets
O IA 192.168.2.1 [110/11] via 10.1.1.2, 00:08:41, FastEthernet0/0
Can CPE1 now ping CPE6's loopback subnet?
CPE1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/69/92 ms
It works :) We now need to be sure that CPE2 and CPE5 still cannot see any of this.
CPE2#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Loopback0
O IA 172.16.2.1/32 [110/11] via 10.1.2.2, 22:04:42, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.1.2.0 is directly connected, FastEthernet0/0
O IA 10.1.4.0 [110/11] via 10.1.2.2, 22:05:56, FastEthernet0/0
As expected, it cannot ping anywhere in Customer1's network:
CPE2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CPE2#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Job done. :D