** This topic is a sequel to MPLS Study Note [Part 1] and it is intended to be a brief intro to MPLS VPNs **
## What are MPLS VPNs? ##
As per Cisco's definition (Introduction to Cisco MPLS VPN Technology):
A virtual private network (VPN) is a network in which customer connectivity to multiple sites is deployed on a shared infrastructure with the same administrative policies as a private network. The path between two systems in a VPN, and the characteristics of that path, may also be determined (wholly or partially) by policy. Whether a system in a particular VPN is allowed to communicate with systems not in the same VPN is also a matter of policy.
In MPLS VPN, a VPN generally consists of a set of sites that are interconnected by means of an MPLS provider core network, but it is also possible to apply different policies to different systems that are located at the same site. Policies can also be applied to systems that dial in; the chosen policies would be based on the dial-in authentication processes.
A given set of systems can be in one or more VPNs. A VPN can consist of sites (or systems) that are all from the same enterprise (intranet), or from different enterprises (extranet); it may consist of sites (or systems) that all attach to the same service provider backbone, or to different service provider backbones.
## MPLS VPNs Basics ##
Note: Our main focus is the Layer 3 VPNs
1. MPLS VPN Types
1.1. Overlay [Layer 2 VPNs]
1.1.1. The Service Provider gives the customer virtual circuits; the customer has full control over them and the Service Provider does not interfere with the customer's routes
1.1.2. Designs: Hub & Spoke – Redundant Hub & Spoke – Partial Mesh – Full Mesh
1.2. Peer-To-Peer [Layer 3 VPNs]
1.2.1. The Service Provider peers with the customer, learns all of its routes, and then exchanges the learned routes between the customer sites
2. How Layer 3 MPLS VPNs work
2.1. PE router peers with the CE
2.2. The PE router exchanges routes with the CE using static routes or a dynamic routing protocol
2.3. PE routers have a virtual routing and forwarding (VRF) instance for each customer to keep customers' routes and traffic separated
2.4. Routes from the customer are inserted into the VRF table according to the customer VRF configured under the customer-facing interface
2.5. Customer routes are propagated via MP-BGP between PEs
2.6. Different customers can have overlapping subnets; the VPNs (VRFs) are what keep them separated and handled correctly
3. MPLS VPNs Components
3.1. Customer Network
3.2. CEs
3.3. PE routers (Ingress/Egress LSRs – VRFs – PE/CE Routing)
3.4. Provider Network (MPLS Enabled)
3.5. P routers
4. Virtual Routing and Forwarding – VRFs
4.1. VRFs are for maintaining and separating customer routes
4.2. PEs can have multiple VRFs
4.3. VRFs are identified by Route Targets (RT) and Route Distinguisher (RD)
4.4. Each VRF has its own CEF table
4.5. Interfaces are assigned to a VRF and unassigned interfaces are for the global routing table
5. Route Distinguisher (RD)
5.1. Distinguishes globally in MP-BGP between customers' overlapping networks
5.2. It is a 64-bit value prepended by the PE to the customer routes
5.3. Routes carrying an RD are VPNv4 routes and are exchanged using iBGP (MP-BGP)
6. Route Targets (RT)
6.1. Whenever a route is redistributed from the VRF into BGP, the Export-RT is attached to it (as a BGP extended community attribute)
6.2. To import a VPNv4 route into a VRF, the Export-RT carried by the route must match an Import-RT of the VRF
6.3. RTs allow complex sharing of routes between VRFs
7. Basic MPLS VPN Implementation steps
7.1. Establish PE-to-PE iBGP neighboring
7.2. Enable the PEs to support VPNv4
7.3. Create a VRF per customer
7.3.1. VRF Name: locally (PE) significant and case sensitive
7.3.2. RD
7.3.3. Export RT: used when redistributing from the VRF into MP-BGP
7.3.4. Import RT: used when deciding which routes to import from MP-BGP into the VRF
7.4. Create a BGP Address Family for the VRF
7.5. Set up the PE-CE communication (Static/Dynamic Routing Protocol)
Example (the `address-family ipv4 vrf a` block lives under `router bgp 3`, and the VRF must be defined before it is referenced):
```
!
ip vrf a
 rd 3:1
 route-target export 3:1
 route-target import 3:1
!
router bgp 3
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 1.1.1.1 remote-as 3
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 next-hop-self
 neighbor 3.3.3.3 remote-as 3
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 3.3.3.3 next-hop-self
 no auto-summary
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf a
  no synchronization
  redistribute static
 exit-address-family
!
```
## Complex MPLS VPNs ##
1. Overlapping VPNs
1.1. Definition: When 2 customers [2 different VRFs] decide to share routes between two specific sites [i.e. the HQs], while each HQ should still be able to talk to its own branches and not to the other customer's branches
1.2. Implementation Guide
1.2.1. Create two new VRFs [one for each HQ], each with a new Route-Distinguisher, and a new Route-Target shared by both of the VRFs.
1.2.2. Each new VRF will import/export the RTs of its own branches plus the RT used to communicate with the other HQ
Example:
```
!
ip vrf a
 rd 3:1
 route-target export 3:1
 route-target import 3:1
!
ip vrf b
 rd 3:2
 route-target export 3:2
 route-target import 3:2
!
ip vrf a-central
 rd 3:11
 route-target export 3:1
 route-target export 3:30
 route-target import 3:1
 route-target import 3:30
!
ip vrf b-central
 rd 3:22
 route-target export 3:2
 route-target export 3:30
 route-target import 3:2
 route-target import 3:30
!
```
2. Centralized Services VPNs
2.1. Definition:
2.1.1. When you need to provide access to a central site for different customers' VPNs/VRFs while, at the same time, the different customers should not be able to talk to each other.
2.1.2. The central service site can talk with all customer VPNs
2.1.3. All other VPNs can talk to the central service VPN only
2.1.4. Remote sites in different VPNs should not be able to talk to each other
2.2. Implementation
2.2.1. Create a VPN/VRF for the centralized service site [vrf central-service-site]
2.2.2. Create an Export-RT [i.e. 3:55] for the [central-service-site] VRF, to be used as an Import-RT by the VPNs/VRFs that should receive the central service
2.2.3. Create an additional Export-RT [i.e. 3:66] at each VPN/VRF that should receive the central service, to be used as the Import-RT of the [central-service-site] VRF.
NOTE: if you use the same RT for import and export, the different customer sites will be able to see each other's routes.
Example:
```
!
ip vrf central-service-site
 rd 3:11
 route-target export 3:55
 route-target import 3:66
!
ip vrf a
 rd 3:1
 route-target export 3:1
 route-target export 3:66
 route-target import 3:1
 route-target import 3:55
!
ip vrf b
 rd 3:2
 route-target export 3:2
 route-target export 3:66
 route-target import 3:2
 route-target import 3:55
!
```
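The RD/RT mechanics behind both the overlapping-VPN and the centralized-services designs above, modelled in Python as an added example (this is not code from the original post or from Cisco). The RDs and RTs are the ones from the centralized-services config; the customer prefixes are constructed, and the second design deliberately reuses one RT for import and export to show the leak the NOTE warns about.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # RD prepended by the PE; keeps overlapping prefixes distinct
    prefix: str
    rts: frozenset   # export RTs carried as BGP extended communities

@dataclass(frozen=True)
class Vrf:
    rd: str
    export: frozenset   # route-target export ...
    imp: frozenset      # route-target import ...
    local: frozenset    # prefixes learned from the CE attached to this VRF

def to_vpnv4(vrf):
    """Redistribute VRF routes into MP-BGP: prepend the RD, attach export RTs."""
    return {Vpnv4Route(vrf.rd, p, vrf.export) for p in vrf.local}

def import_table(vrf, vpnv4):
    """A VPNv4 route enters the VRF only if one of its RTs matches an import RT."""
    return {(r.rd, r.prefix) for r in vpnv4 if r.rts & vrf.imp}

def learned(vrfs):
    """Prefixes each VRF learns from the other VRFs through MP-BGP."""
    vpnv4 = set().union(*(to_vpnv4(v) for v in vrfs.values()))
    return {name: {f"{rd} {p}" for rd, p in import_table(v, vpnv4) if rd != v.rd}
            for name, v in vrfs.items()}

rt = frozenset
# Centralized-services design from the page. Prefixes are constructed;
# 10.1.0.0/24 is used by both customers on purpose to show the RD at work.
CENTRAL = {
    "central": Vrf("3:11", rt({"3:55"}), rt({"3:66"}), rt({"10.99.0.0/24"})),
    "a": Vrf("3:1", rt({"3:1", "3:66"}), rt({"3:1", "3:55"}), rt({"10.1.0.0/24"})),
    "b": Vrf("3:2", rt({"3:2", "3:66"}), rt({"3:2", "3:55"}), rt({"10.1.0.0/24"})),
}
# The mistake the NOTE warns about: the same RT (3:66) imported and exported everywhere.
LEAKY = {
    "central": Vrf("3:11", rt({"3:66"}), rt({"3:66"}), rt({"10.99.0.0/24"})),
    "a": Vrf("3:1", rt({"3:1", "3:66"}), rt({"3:1", "3:66"}), rt({"10.1.0.0/24"})),
    "b": Vrf("3:2", rt({"3:2", "3:66"}), rt({"3:2", "3:66"}), rt({"10.1.0.0/24"})),
}

if __name__ == "__main__":
    for label, design in (("correct", CENTRAL), ("leaky", LEAKY)):
        print(label, learned(design))
```

In the correct design customers a and b each learn only the central prefix, while in the leaky one customer a also receives b's 10.1.0.0/24 (kept distinct from its own only by the RD).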
## PE-CE Routing ##
1. eBGP
1.1. PE Side
1.1.1. under the BGP global process create an address-family for the customer VRF
1.1.2. under the vrf address-family of the global BGP process configure eBGP neighbor
1.2. CE Side
1.2.1. configure eBGP neighborship
1.2.2. advertise the customer networks
Example:
PE Side
```
!
router bgp 3
 !
 address-family ipv4 vrf a
  no synchronization
  redistribute connected
  neighbor 150.1.31.2 remote-as 65031
  neighbor 150.1.31.2 activate
 exit-address-family
!
```
CE Side
```
!
router bgp 65031
 no synchronization
 bgp log-neighbor-changes
 network 203.1.0.0 mask 255.255.0.0
 neighbor 150.1.31.1 remote-as 3
 no auto-summary
!
```
2. RIP
2.1. PE Side
2.1.1. under the RIP global process create an address-family for the customer VRF
2.1.2. under the address-family of the global RIP process configure RIP parameters
2.1.3. under the vrf address-family of the global RIP process redistribute BGP routes into RIP
2.1.4. under the BGP global process create an address-family for the customer VRF
2.1.5. under the address-family of the global BGP process redistribute RIP routes into BGP
Note: regarding enabling RIP, when the network command enables RIP on multiple interfaces, it does so only within that VRF's address family
2.2. CE Side
2.2.1. configure RIP parameters
Example:
PE Side
```
!
router rip
 !
 address-family ipv4 vrf a
  redistribute bgp 3 metric 5
  network 150.1.0.0
  no auto-summary
  version 2
 exit-address-family
!
router bgp 3
 !
 address-family ipv4 vrf a
  no synchronization
  redistribute rip
 exit-address-family
!
```
CE Side
```
!
router rip
 version 2
 network 150.1.0.0
 network 203.1.0.0
 network 203.1.2.0
 no auto-summary
!
```
3. EIGRP
3.1. PE Side
3.1.1. under the EIGRP global process create an address-family for the customer VRF
3.1.2. under the vrf address-family of the global EIGRP process configure EIGRP parameters
3.1.3. under the vrf address-family of the global EIGRP process configure customer EIGRP AS
3.1.4. under the BGP global process create an address-family for the customer VRF
3.1.5. under the address-family of the global BGP process redistribute EIGRP routes into BGP
3.2. CE Side
3.2.1. Configure EIGRP AS 10
Example (the CE runs EIGRP AS 10 as described in 3.2.1):
PE Side
```
!
router eigrp 1
 !
 address-family ipv4 vrf b
  redistribute bgp 3 metric 1 1 1 1 1
  network 150.1.0.0
  autonomous-system 10
 exit-address-family
!
router bgp 3
 !
 address-family ipv4 vrf b
  no synchronization
  redistribute eigrp 10
 exit-address-family
!
```
CE Side
```
!
router eigrp 10
 network 150.1.0.0
 network 203.1.0.0
 network 203.1.2.0
 no auto-summary
!
```
4. OSPF
4.1. PE Side
4.1.1. create a separate OSPF process per VRF
4.1.2. under the OSPF VRF Process configure the OSPF parameters
4.1.3. under the BGP global process create an address-family for the customer VRF
4.1.4. under the address-family of the global BGP process redistribute OSPF routes into BGP
4.2. CE Side
4.2.1. configure OSPF
Example:
PE Side
```
!
router ospf 2 vrf c
 log-adjacency-changes
 redistribute bgp 3 subnets
 network 150.1.32.4 0.0.0.3 area 0
!
router bgp 3
 !
 address-family ipv4 vrf c
  no synchronization
  redistribute ospf 2 vrf c
 exit-address-family
!
```
CE Side
```
!
router ospf 1
 log-adjacency-changes
 network 150.1.32.4 0.0.0.3 area 0
 network 203.2.0.2 0.0.0.0 area 0
 network 203.2.2.0 0.0.0.255 area 0
!
```
Notes:
– From the VRF's perspective, redistributing from the VRF into MP-BGP is exporting, and bringing routes from MP-BGP into the VRF is importing
– Route-Targets come into play on redistribution to/from the VRF and MP-BGP
– When importing into the VRF, the Import-RT is matched against the RTs of all VPNv4 routes in MP-BGP to decide which ones enter the VRF
HTH
Abdullah Medhat Salah