MPLS Layer 3 VPN Configuration

(Andrew P) #41

This topic can become less confusing if you think about what is going on in the control plane vs the data plane. The RTs are used in the control plane to associate ROUTES with VRFs. The VPN label is used in the data plane to associate PACKETS with VRFs.

Check out this great article that talks about why RDs, RTs, and VPN Labels are all needed:

(Marek O) #42

Andrew- thank you, it all makes sense now!
The link you shared is also awesome but it melted my brain until I realised the guy forgot to mention that R6 and R7 BOTH advertise route :wink:

(Networklessons Admin) split this topic #43

19 posts were merged into an existing topic: MPLS Layer 3 VPN Configuration

(Mohammad Hasanuz Zaman) #44

Dear Rene,
I have encountered following log message when setting this up. Can you confirm if we need to make the Loopback Interfaces as /32 s across the MPLS core ?

*Jan 15 01:49:04.853: %BGP-4-VPNV4NH_MASK: Nexthop may not be reachable from neigbor - not /32 mask

(Rene Molenaar) #45

This error occurs if you have a loopback interface with a subnet mask that is not /32 and that is advertised in OSPF.

OSPF will always advertise a loopback as a /32 (network type LOOPBACK). LDP however, looks at the actual subnet mask of the interface so there will be a mismatch between LDP and your routing table.

To fix this, you have two options:

* Change the network type of your loopback interface to ip ospf network-point-to-point so that OSPF advertises the actual subnet mask of the interface.


* Change the subnet mask of the loopback interface to /32.


(Mohammad Hasanuz Zaman) #48

Hi Rene,
When we give a trace from a Non-MPLS device and its travel thru a MPLS network.So, how Device know about the MPLS path IP and label from output …

CE1#traceroute source loopback 0
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 0 msec 0 msec 4 msec
  **2 [MPLS: Labels 17/19 Exp 0] 0 msec 0 msec 4 msec**
  **3 [MPLS: Label 19 Exp 0] 0 msec 0 msec 4 msec**
  4 0 msec 0 msec *

So from the output how CE1 informed the IP and with the label value 17 , 19 respectively.I want to know the discovering process deeply. please assist me in your clear text .Thx

I know how Traceroute works normally but In MPLS domain I cant understand .


(Lazaros Agapides) #49

Hello Mohammad

An excellent and very in depth explanation of how traceroute and MPLS function can be found in this Cisco documentation. It includes information about the elements found within the frame headers and how these are translated and outputted in the traceroute output as label values.

I hope this has been helpful!


(Moussa Molobaly D) #50

Thanks a lot Andrew.

(Mohammad Hasanuz Zaman) #51

Hi Rene,
Please see the bold output below …

CE1#traceroute source loopback 0
Type escape sequence to abort.
Tracing the route to
VRF info: (vrf in name/id, vrf out name/id)
  1 0 msec 0 msec 4 msec
  2 [MPLS: Labels 17/19 Exp 0] 0 msec 0 msec 4 msec
  **3 [MPLS: Label 19 Exp 0] 0 msec 0 msec 4 msec**
  4 0 msec 0 msec *

why its showing instead of . As we know it should show exit interface IP . Is there logic behind this ??? Please make me clear .Thx


(Lazaros Agapides) #52

Hello Mohammad.

Hmm, that may be a typo. I will get @ReneMolenaar to look at that…



(Rene Molenaar) #53

@Zaman.rubd @lagapides

The output is correct, keep in mind that MPLS traceroute works a bit different than regular IP traceroute:

I think they show the IP address of the remote PE router in the VRF on purpose, instead of the interface that connects to the P router. The IP address of the PE router in the VRF is reachable from the CE1 router, making it useful for troubleshooting.

(Evan d) #55

Hi. Thanks for the lesson. It helped me learn something about MPLS.
One question though. What if I want to connect another 2 CE routers, and wants to add more VRF? I’ve tried adding new address-family ipv4 vrf to existing BGP process in PE1 and PE2, and redistribute the new routing protocol by adding it to address-family ipv4 vrf and all just like in the lesson, but to no success. The new router still can’t ping successfully.

What’s needed to add new networks to the MPLS VPN? I maybe haven’t understood it all completely.

(Rene Molenaar) #56

Hello Evan,

If you want to add a second customer that is separated from the first one then you need to add:

  • second VRF
  • second RD
  • second IGP process for the VRF
  • second BGP address-family for the VRF

Take a look at the startup configurations in this lesson. That’s exactly what you are looking for:

It’s MPLS VPN with two customers in two VRFs.

Hope this helps!


(Ivan A) #57

Hi. I’m really helped with this topic. Thanks a lot. Now a new question popped up in my mind.
How if I want to have redundancy in the MPLS? I mean, if one of the line in the MPLS backbone is down, the whole CE traffic is down too. If I must add a new node to the MPLS backbone, how would the configuration be so it has redundant links?
I appreciate for the help. Thanks.

(Rene Molenaar) #58

Hello Ivan,

You could use a topology like this:

In that example, I have redundant P and PE routers but I didn’t use MPLS there. What you need for MPLS VPN is:

  • The P routers only run an IGP and MPLS on the interfaces so that’s straight-forward.
  • The PE routers require a full mesh of iBGP for the VPN routes but you could also use a route-reflector instead. Both interfaces that connect to the customer are in the same VRF.

If you can configure a MPLS VPN topology without redundancy then it’s easy to add redundancy, there are no extra commands. If you have trouble with this, let me know and I’ll share the configs when I get back from my holiday (next Wednesday) :slight_smile:


(Ivan A) #59

Thanks for the answer, Rene. I’ll look to that and try the configuration in the meantime.
Anyway, is there any chance of using protocols like VRRP, GLBP, or FHRP in MPLS?

(Lazaros Agapides) #60

Hello Ivan.

According to Cisco:

VRRP is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit Ethernet interfaces, and on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs), VRF-aware MPLS VPNs, and VLANs.

Similarly, GLBP can also be used for MPLS implementations as well.

HSRP, FRRP and GLBP are all protocols that fall into the category of First Hop Redundancy Protocols (FHRP).

I hope this has been helpful!


(Ivan A) #61

I’ve got another question. Besides using the configuration from the lesson you shared, is there any other strategies to have redundancy on MPLS backbone? Like using BFD or any other strategies?

(Rene Molenaar) #62

Hi Ivan,

There are a couple of things. In MPLS VPN, you have to think of:

  • IGP
  • LDP
  • BGP

For your IGP, you can use BFD but also something like fast reroute:

For BGP, there are a couple of things you can do. For example:

Hope this helps :slight_smile:


(Ivan A) #63

Hi, Thanks again, Rene. By the way. Is the fast reroute you shared above is the same with MPLS Traffic Engineering fast reroute or is it different?

I’m also facing trouble with the BGP PIC config. Really hope for you to share the configs you mentioned above. Thanks in advance.

Anyway, I also noticed that the OSPF LFA you shared above is only available to a few high end routers… Is there an alternative to that other than BFD?