Configuring BGP/MPLS VPN

Contents

1Overview
1.1Virtual Private Networks
1.2VPN Topology
1.3Packet Labels
1.4Multiple VPN Contexts
1.5VPN-IPv4 Address Family
1.6IPv6 VPN Routes Over an IPv4 MPLS Core
1.7Route Distribution Among PE Routers by BGP
1.8PE-to-CE Route Distribution
1.9Route Target Attribute
1.10Site of Origin Attribute
1.11BGP/MPLS VPN over GRE
1.12GRE over MPLS
1.13Multihop eBGP Label Redistribution

2

Configuration and Operations Tasks
2.1Configuring a VPN-IPv4 Address Family for BGP Sessions Between PE Routers
2.2Configuring IPv4 VPN Address Family Attributes for a BGP Routing Instance
2.3Enable Transport of IPv6 Routes over an IPv4 MPLS Core
2.4Creating a New VPN Context
2.5Configuring a BGP Routing Instance in a VPN Context
2.6Configuring Multipath Load Balancing in a BGP/MPLS VPN
2.7Configuring the Next-Hop Reachability Check for VPN Routes
2.8Configuring Route Targets
2.9Configuring PE-to-CE Routing
2.10Identifying the Specific Site from Where a Route Has Originated
2.11Enabling Soft GRE Tunneling
2.12BGP/MPLS VPN Operations

3

Configuration Examples
3.1Backbone Connectivity
3.2PE-to-CE Route Distribution
3.3Different BGP/MPLS VPN Topologies
3.4IPv6 Routes Over an IPv4 MPLS Core
3.5GRE over MPLS
3.6BGP/MPLS VPN over GRE
3.7BGP Commands for BGP/MPLS VPN
3.8Multihop eBGP Label Redistribution

Reference List
Copyright

© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp is a trademark of Telefonaktiebolaget LM Ericsson.

1   Overview

This document provides an overview of the Border Gateway Protocol/Multiprotocol Label Switching Virtual Private Network (BGP/MPLS VPN) and describes the tasks and commands used to configure, monitor, troubleshoot, and administer BGP/MPLS VPN features on the SmartEdge® router.

1.1   Virtual Private Networks

In its most general definition, a Virtual Private Network (VPN) is a network in which customer connectivity among multiple remote sites is deployed across a shared central infrastructure, yet still provides the same access or security as a private network.

More specifically, a BGP/MPLS VPN is a collection of policies, and these policies control connectivity among a set of sites. A customer site is connected to the service provider network, often called a backbone, by one or more ports, where the service provider associates each port with a VPN context.

BGP/MPLS VPN allows you to implement a wide range of policies; for example, within a given VPN, you can allow every site to have a direct route to every other site (full mesh), or you can restrict certain pairs of sites from having direct routes to each other (partial mesh).

1.2   VPN Topology

A typical BGP/MPLS VPN topology consists of multiple customer sites connected to a service-provider network. Customer edge (CE) routers provide customer access to the service-provider network over a data link to one or more provider edge (PE) routers. The CE routers establish an adjacency with their directly connected PE routers, and the CE routers advertise IPv4 routes to the PE router. The CE routers also learn IPv4 routes from their PE routers. These IPv4 routes only become VPNv4 routes once they enter the provider backbone.

In the SmartEdge™ implementation, PE routers maintain a separate VPN context for each private network. Connections to CE routers are bound to the appropriate context. Access to the service provider core is through the local context in each PE router. Because the VPN runs from private VPN context to private VPN context, the customer can have visibility into the entire network, including the private context inside the SmartEdge router, without having any visibility into the public space or to other private contexts.

PE routers can be directly connected, or can be connected through provider (P) routers. P routers have no visibility into private networks; they simply provide connectivity from one PE router to another.

PE routers can exchange routing information with CE routers using static routing, Routing Information Protocol Version 2 (RIPv2), Open Shortest Path First (OSPF), or Border Gateway Protocol (BGP). PE routers maintain VPN routing information for the VPNs to which they are directly attached.

PE routers advertise VPN routes learned from CE routers across the service provider core by using Interior Border Gateway Protocol (iBGP). All iBGP features, including route reflectors, are available to ensure scalable iBGP connectivity across the service provider core. The PE routers use Label Distribution Protocol (LDP) or Resource Reservation Protocol (RSVP) to build label-switched paths (LSPs); the PE routers function as edge label-switching routers (LSRs), and each private network has its own set of LSPs. Multiprotocol Label Switching (MPLS) is then used to forward VPN data traffic across the provider’s backbone.

Figure 1   BGP/MPLS VPN Topology

An MPLS/BGP VPN has several components that must be operational for the VPN to function:

  1. The provider network routers—–PE and P routers—must run either OSPF or IS-IS to support LDP or RSVP. The link-state routing protocol discovers the paths from PE router-to-PE router, which is used by LDP, a signaling protocol to build LSPs
  2. PE routers configured as iBGP peers.
  3. Routes from the private networks are transported by the provider network, and are associated with a Forwarding Equivalence Class (FEC). BGP then assigns a next-hop and an additional VPN label to the FEC.

    For every IP prefix in the local VPN, BGP notifies the remote VPN sites the label to attach to traffic destined to that prefix. When that traffic arrives from the remote end, the PE sends it to the next-hop given by the nexthop-label mapping.

    LSPs are then built using LDP or RSVP; the PEs function as edge LSRs, with MPLS providing the label-switching intelligence to transport VPN data across the provider backbone. For information about RSVP and LDP, see the Configuring MPLS document.

1.3   Packet Labels

With BGP/MPLS VPNs, there are typically two labels in a packet: an Interior Gateway Protocol (IGP) label (tunnel label) and a VPN label. The IGP label is used in delivering the packet from an ingress PE router to the egress PE router, where the CE router is attached. The VPN label is used by the egress PE router to deliver the packet out of the interface connected to the proper CE router.

1.4   Multiple VPN Contexts

PE routers maintain a separate VPN context for each VPN connection. Each customer connection, such as a Frame Relay permanent virtual circuit (PVC), Asynchronous Transfer Mode (ATM) PVC, or virtual LAN (VLAN), is mapped to a specific VPN context. Multiple ports on a PE router can be associated with a single VPN context; however, it is the ability of PE routers to maintain multiple VPN contexts that supports the per-VPN segregation of routing information.

PE routers advertise VPN routes learned from CE routers using internal Border Gateway Protocol (iBGP). PE routers can maintain iBGP sessions to route reflectors as an alternative to a full mesh of iBGP sessions. Deploying multiple route reflectors enhances network scalability because it eliminates the need for any single network component to maintain all VPN routes.

MPLS is used to forward VPN data traffic across the provider’s backbone, the ingress PE router functions as the ingress label edge router (LER), and the egress PE router functions as the egress LER.

1.5   VPN-IPv4 Address Family

VPN customers often manage their own networks and use private IP addresses. If globally unique IP addresses are not used, the same IP Version 4 (IPv4) address can be used to identify different systems in different VPNs; however, BGP assumes that each IPv4 address it carries is globally unique, so routing problems can occur. BGP/MPLS VPNs solves this problem by converting duplicate IP addresses into globally unique addresses by using VPN-IPv4 address families.MBGP extensions allow BGP to carry routes from multiple address families. A VPN-IPv4 address is a 12-byte quantity, beginning with an 8-byte route distinguisher (RD), and ending with a 4-byte IPv4 address. If two VPNs use the same IPv4 address prefix, the PE routers translate these into unique VPN-IPv4 address prefixes, which ensures that if the same address is used in two different VPNs, it is possible to install two completely different routes to that address, one for each VPN.

Note:  
The RD contains no information about the origin of the route, or about the set of VPNs to which the route is to be distributed. The purpose of the RD is to allow you to create distinct routes to a common IPv4 address prefix.

A PE router must be configured to associate routes that lead to particular CE router with a particular RD. The PE router can be configured to associate all routes leading to the same CE router with the same RD, or it can be configured to associate different routes with different RDs, even if they lead to the same CE router.

1.6   IPv6 VPN Routes Over an IPv4 MPLS Core

In configurations where two IPV6 systems must communicate across an IPv4 MPLS network, the SmartEdge router enables tunneling of IPv6 VPN routes over an IPV4 MPLS core or soft-GRE tunnel.

Consider the following before enabling IPv6 VPN routes over an IPv4 MPLS core:

The following types of BGP routes are supported:

1.7   Route Distribution Among PE Routers by BGP

PE routers can distribute VPN-IPv4 routes to each other by means of an iBGP connection. When a PE router distributes a VPN-IPv4 route using BGP, it uses its own address as the BGP next hop. It also assigns and distributes an MPLS label. When the PE router processes a received packet that has this label at the top of the stack, the PE router pops the stack, and sends the packet directly to the site from to which the route leads. This usually means that it just sends the packet to the CE router from which it learned the route.

The MPLS label that is distributed by the PE router requires a label-switched path (LSP) between the router that installs a route and the BGP next hop of that route. That is, an MPLS LSP must be configured for VPN route distribution to operate.

1.8   PE-to-CE Route Distribution

PE routers attached to a particular VPN must learn the addresses from that VPN. The PE router translates these addresses into VPN-IPv4 addresses using a configured RD. The PE router then uses the VPN-IPv4 routes as input to BGP.

Possible CE-to-PE distribution methods include:

  1. Static routing can be used.
  2. CE and PE routers can be Routing Information Protocol (RIP) peers, and the CE router can use RIP to tell the PE router the set of address prefixes which are reachable at the CE router’s site.
  3. CE and PE routers can be OSPF peers. If the CE routers at the customer site contain more than one OSPF area, the PE-to-CE connection should be in area 0, and the CE and PE routers should be configured as area border routers (ABRs). If the CE routers at the customer site only contain a single OSPF area, then the PE-to-CE connection can be in that area, or area 0.
  4. CE and PE routers can be BGP peers, and the CE router can use eBGP to tell the PE router the set of address prefixes, which are at the CE router’s site.

1.9   Route Target Attribute

When a VPN-IPv4 route is created by a PE router, it is associated with one or more BGP extended community route target attributes. The route target attribute identifies a collection of sites to which a PE router distributes routes. A PE router uses this attribute to constrain the import of remote routes into its routing tables.

Before accepting routes that have been distributed by another PE router, each VPN context on a PE router is configured with an import route target policy. A PE router can only add a VPN-IPv4 route to a routing table for the VPN if the route target attribute carried with the route matches one of the import route targets on the PE router for the VPN.

1.10   Site of Origin Attribute

The site of origin attribute uniquely identifies the site from which the PE router learned the route. All routes learned from a particular site must be assigned the same site of origin attribute, even if a site has multiple connections to a single PE router, or is connected to multiple PE routers. Distinct site of origin attributes must be used for distinct sites.

The site of origin attribute is used to avoid routing loops in situations where multiple VPN sites using the AS override feature are internally connected.

1.11   BGP/MPLS VPN over GRE

Encapsulating packets via Generic Routing Encapsulation (GRE) from an ingress PE router to an egress PE router is called soft GRE tunneling. Soft GRE tunnels are not Interior Gateway Protocol (IGP) visible links, and routing adjacencies are not supported across these tunnels. As a result, soft GRE tunnels have little in common with traditional (hard) GRE tunnels. The tunnel exists only in the sense of GRE encapsulation and decapsulation.

Only the ingress PE router and the egress PE router need to support the soft GRE functionality, and the PE routers can span over multiple autonomous systems.

Using soft GRE tunnels to transport MPLS-encapsulated packets is called BGP/MPLS VPN over GRE, and is used to offer BGP/MPLS VPN service when a portion of a network does not have label switching enabled. BGP/MPLS VPN over GRE does not require preconfiguration of the remote GRE endpoint. These endpoints are the BGP next-hop addresses of the VPN routes and are learned dynamically via BGP.

1.12   GRE over MPLS

GRE over MPLS provides a way to establish a GRE tunnel over an MPLS LSP, allowing you to run applications, such as multicast, over the GRE tunnel. For GRE to work properly over MPLS, VPN contexts must be configured at both ends of the GRE tunnel.

To configure GRE over MPLS, you must perform the following tasks:

  1. Configure BGP/MPLS VPN at both ends of the GRE tunnel.
  2. Configure the GRE tunnel in the local VPN context. The tunnel remote IP address for the GRE tunnel must be an IP address in the remote VPN context.

For a detailed GRE over MPLS configuration example, see the Configuration Examples section.

1.13   Multihop eBGP Label Redistribution

The multihop eBGP label redistribution feature enables you to configure a VPN network that redistributes labeled IPv4 VPN routes between source and destination autonomous systems using eBGP redistribution of labeled IPv4 routes from a local autonomous system (AS) to a neighboring AS. Figure 2 displays the network topology for a typical multihop eBGP label redistribution configuration.

Figure 2   Typical Multihop eBGP Label Redistribution Network Topology

The autonomous system border routers (ASBRs) do not maintain or distribute IPv4 VPN routes. Instead, each ABSR must maintain labeled IPv4 routes to the PE routers within its AS. the routers use eBGP to distribute the routes to other autonomous systems. ASBRs in any transit AS must also use eBGP to forward the labeled routes. This creates a label-switched path from the ingress PE router to the egress PE router, allowing PE routers in different autonomous systems establish multihop eBGP connections to each other, and exchange VPN-IPv4 routes over those connections.

2   Configuration and Operations Tasks

Note:  
In this section, the command syntax in the task tables displays only the root command.

For information about troubleshooting L3VPNs, see the Troubleshooting L3VPNs document.

To configure BGP/MPLS VPNs, perform the tasks described in the following sections:

2.1   Configuring a VPN-IPv4 Address Family for BGP Sessions Between PE Routers

To configure a VPN-IPv4 address family for BGP sessions between PE routers, perform the tasks described in Table 1. The Notes column lists the configuration mode in which you enter commands.

Table 1    Configure a VPN-IPv4 Address Family for BGP Sessions Between PE Routers

Task

Root Command

Notes

Configure a BGP routing instance in the local context, and access BGP configuration mode.

router bgp

Enter this command in context configuration mode.


For detailed information about this command, see Configuring BGP.

Enable VPN-IPv4 prefixes for a BGP routing instance and enter BGP address family configuration mode.

address-family ipv4 vpn

Enter this command in BGP configuration mode.


This command cannot be used in non-local contexts.

Enable VPN-IPv4 prefixes for a specified BGP neighbor in an iBGP session, and to access BGP neighbor address family configuration mode.

address-family ipv4 vpn

Enter this command in BGP neighbor configuration mode.


This command cannot be used in non-local contexts.

Enable VPN-IPv4 prefixes for a specified BGP peer group, and to enter BGP peer group address family configuration mode.

address-family ipv4 vpn

Enter this command in BGP peer group configuration mode.


This command cannot be used in non-local contexts.

2.2   Configuring IPv4 VPN Address Family Attributes for a BGP Routing Instance

To configure the IPv4 address family attributes for a BGP routing instance, perform the tasks described in Table 2. Enter all commands in BGP address family configuration mode, unless otherwise noted.

Table 2    Configure IPv4 Address Family Attributes for a BGP Routing Instance

Task

Root Command

Notes

Specify the use of standard IP Version 4 (IPv4) multicast or unicast address prefixes for the BGP routing instance, and access BGP address family configuration mode.


address-family ipv4 (Multicast and Unicast)

Enter this command in BGP router configuration mode. Include the uni or nni keyword in the address-family ipv4 command.

Configure the administrative distance values for a BGP address family.

distance (BGP address family)

BGP uses distances to compare and prioritize routes. The lower the distance, the more preferred the route.

Enable route-flap statistics accounting for the BGP address family.

flap-statistics

 

Enable automatic VPN route-target filtering.

route-target filter

 

Assign a traffic index to routes installed for a BGP address family.

table-map

Traffic index counters are maintained on interfaces with traffic index accounting enabled.


For more information about BGP attribute-based accounting, see the Configuring BGP Attribute-Based Accounting section in Configuring Routing Policies.

Enable the triggering of immediate BGP best-path calculation on notification of a next-hop withdrawal by the RIB, and configure next-hop scan parameters.

router-id (contexts)

(1)


(1)  The nexthop triggered command is not available in NNI IPV4 mode.


2.3   Enable Transport of IPv6 Routes over an IPv4 MPLS Core

To enable transport of IPv6 routes over an IPv4 MPLS core, perform the tasks described in Table 3.

Table 3    Enable Transport of IPv6 Routes Over an IPv4 MPLS Core

#

Task

Root Command

Notes

1.

Specify the use of standard IPv6 unicast address prefixes for the neighbors in the BGP address family:

 

Enter context configuration mode.

context ctx-name

Replace ctx-name with the name of the context in which you want to enable IPv6 prefixes.

 

Configure a BGP routing instance in the VPN context and access BGP configuration mode.

router bgp

Enter this command in context configuration mode.


For detailed information about this command, see Configuring BGP.

 

Enables the transport of IPv6 routes over an MPLS IPv4 network.

address-family Ipv6 vpn

Be aware that MPLS must be enabled within the context or IPv6 packets cannot be tunneled over the IPv4 MPLS core.

 

Exit BGP address family configuration mode

exit

 
 

Enter BGP neighbor configuration mode for the specified IPv6 external BGP (eBGP) neighbor.

neighbor ipv6-addr external

Replace ipv6-addr with the IPv6 address of the external neighbor, in the form A:B:C:D:E:F:G.

 

Globally enable the IPv6 VPN address-family for BGP.

address-family Ipv6 vpn

 
 

Optional. Specifies the interface used for BGP peering.

update-source if-name

Replace if-name with the name of the interface to be used to bring up the BGP session.

 

Verify the configuration.

show bgp neighbor

 

2.

Configure the BGP routing instance in the appropriate VPN context:

 

Enter context configuration mode for a VPN context.

context ctx-name vpn-rd route-distinguisher

Replace ctx-name with the name of the VPN context in which you want to enable IPv6 prefixes.


Replace route-distinguisher with the VPN route distinguisher.

 

Configure a BGP routing instance in the VPN context and access BGP configuration mode.

router bgp vpn

Enter this command in context configuration mode.


For detailed information about this command, see Configuring BGP.

 

Specify the use of IPv6 unicast address prefixes for the BGP routing instance and enter BGP address family configuration mode.

address-family ipv6 unicast

Enter this command in BGP configuration mode.

 

Add a route target extended community to the export target list.

export route-target {ext-com | route-map route-map [ctx-name]}

This step exports IPV6 routes across the BGP VPN.


Use the ext-com argument to specify a route target extended community value to add to the export target list.


Use the route-map route-map [ctx-name] construct to specify a route map to be used for this VPN context.


 

Add a route target extended community to the imports target list.

import route-target


{ext-com | route-map route-map [ctx-name]}

This step imports IPV6 routes across the BGP VPN.

 

Optional. Redistributes routes learned through other routing protocols into the Border Gateway Protocol (BGP) routing domain.

redistribute

Redistributes IPv6 routes in other protocols (PSPF, RIPng, static IPv6)

3.

Configure external BGP peering to the CE:

 

Enter BGP neighbor configuration mode for the specified IPv6 external BGP (eBGP) neighbor.

neighbor ipv6-addr external

Replace ipv6-addr with the IPv6 address of the external neighbor, in the form A:B:C:D:E:F:G.

 

Optional. Configures the autonomous system number (ASN) of the external Border Gateway Protocol (eBGP) neighbor.

remote-as {asn | nn:nn}

Use the asn or nn:nnargument to specify with the ASN in integer or 4-byte integer format.

 

Specify the use of IPv6 unicast address prefixes for the neighbor and enter BGP address family configuration mode.

address-family ipv6 unicast

 
 

Verify your configuration.

show bgp route ipv6 unicast


show bgp route ipv6 vpn (local context only)

 

2.4   Creating a New VPN Context

To configure a new VPN context, perform the tasks described in Table 4. Enter all commands in global configuration mode.

Table 4    Configure a New VPN Context

Task

Root Command

Notes

Enable the multiple context feature.

service multiple-contexts

For more information about the service multiple-contexts command, see Configuring Contexts and Interfaces.

Create a new VPN context and enter context configuration mode.

context vpn-rd

You cannot create new contexts on the system unless you have enabled the multiple context feature using the service multiple-contexts command in global configuration mode.


Entering the full context vpn-rd command is required to configure a VPN context. Entering the command without the vpn-rd portion creates a context that will not be recognized as VPN-enabled.

2.5   Configuring a BGP Routing Instance in a VPN Context

To configure a BGP routing instance in a VPN context, perform the task described in Table 5. Enter the command in context configuration mode.

Table 5    Configure a BGP Routing Instance in a VPN Context

Task

Root Command

Notes

Configure a BGP routing instance in a VPN context and enter BGP configuration mode.

route-target filter

A BGP instance is always required within a VPN context for the following reasons:


  • Customer routes must be distributed into BGP so they can be advertised across the iBGP sessions that connect PE routers. Customer routes can be distributed into BGP either statically or from other active routing protocols.

  • Route targets must also be configured within BGP address family configuration mode.


BGP does not function properly in a VPN context until it is first configured in the local context. Even though an ASN is not used when configuring a BGP instance in a VPN context, this instance uses the ASN from the BGP instance in the local context for peering with CE routers.


When configuring BGP peering sessions within a VPN context, only external neighbor sessions can be configured, because peering in a VPN context must only be configured with CE routers. Also, the only permitted address family is IPv4 unicast, and peer groups cannot be configured.

2.6   Configuring Multipath Load Balancing in a BGP/MPLS VPN

To configure multipath load balancing in a BGP/MPLS VPN, perform the task described in Table 6. Enter the command in BGP router configuration mode.

Table 6    Configure Multipath Load Balancing in a BGP/MPLS VPN

Task

Root Command

Configure multipath load balancing using both eBGP and iBGP equal-cost paths in a BGP/MPLS VPN.

multi-paths eibgp

2.7   Configuring the Next-Hop Reachability Check for VPN Routes

To configure the next-hop reachability check for VPN routes, perform the task described in Table 7. Enter the command in BGP router configuration mode.

Table 7    Configure the Next-Hop Reachability Check for VPN Routes

Task

Root Command

Notes

Require the next hop of a BGP VPN path to be reachable through an MPLS LSP or a tunnel in order for a VPN route to be considered active.

next-hop-on-lsp

Use the no form of this command to enable a BGP VPN path to be considered active without requiring the next hop of a VPN path to be reachable through an MPLS LSP or a tunnel.


One common application for this command is when configuring a BGP route reflector that is not part of an MPLS network, but is used to reflect BGP VPN routes to its clients within that MPLS network. In this configuration, the next hops of the VPN paths may not be reachable through an MPLS LSP or a tunnel from the route reflector's point of view. To solve the problem, use the no form of the this command to disable the LSP or tunnel reachability check for the next hops, and therefore allow the BGP route reflector to correctly select the best paths and reflect the best paths to its clients.

2.8   Configuring Route Targets

To configure route targets, perform the tasks described in Table 8. Enter all commands in BGP address family configuration mode.

Table 8    Configure Route Targets

Task

Root Command

Notes

Create a list of export route target extended communities for a specified VPN context.

export route-target

Use the ext-com argument to configure a single route target extended community, or use the route-map route-map construct to configure an export route map for finer control over exported Border Gateway Protocol (BGP) routes. You can configure a single route target extended community, an export route map, or both. You can add multiple export route targets on the same line, or you can issue the command multiple times with individual route targets. Export route targets are sent as extended community attributes to other provider edge (PE) routers.


A route map allows you to filter routes or change attributes such as the export route target based on policy requirements. A route map may only be used when a target community value has not yet been configured. Use the optional ctx-name argument to reference a route-map in another context. If the optional ctx-name argument is not specified, then the route maps in the current context are referenced.


This command can only be used in VPN contexts.

Create a list of import route target extended communities for a specified VPN context.

import route-target

You can add multiple target communities on the same line, or you can issue the command multiple times with a single target as the parameter. BGP routes learned from other PE routers that carry a specific route target extended community are imported into all VPN contexts configured with that extended community as an import route target.


This command can only be used in VPN contexts.

Enable automatic BGP route target community filtering.

route-target filter

This command configures the local router, if it is not configured as a route reflector, to ignore all VPN routes received that are not imported into any VPN context.


You can control the number of IPv4 VPN routes that the local ASBR advertise to the remote ASBR by configuring a community for exportable routes on the inbound interface of the PE router, and configuring a community based filter on the outbound interface of the local ASBR to advertise only routes that match the community.

2.9   Configuring PE-to-CE Routing

To configure PE-to-CE routing, perform the tasks described in Table 9. Enter all commands in BGP router configuration mode, unless otherwise noted.

Table 9    Configure PE-to-CE Routing

Task

Root Command

Notes

Disable the AS_PATH loop detection by accepting a route advertisement that contains the local ASN in the AS_PATH attribute.

asloop-in

Because enabling the asloop-in command disables AS_PATH loop detection, it must only be used for specific applications that require this type of behavior, and in situations with strict network control; for example, the BGP/MPLS VPN hub-and-spoke configuration, in which a hub PE router may receive routes containing its own ASN from a hub CE router. To disable AS_PATH loop detection, use the asloop-in command on the exporting context of the hub PE router.


The asloop-in command is useful only when BGP is used for PE-to-CE routing.


For a CE router to send a route advertisement back to the PE router from which the route is learned, the CE router must be configured as a BGP peer with the PE router configured as a member of the peer group. By default, routes are not sent back to the neighbor AS from where they are received.

Replace all occurrences of a peer’s ASN in the AS_PATH attribute of a route with the local ASN, when advertising the route to the peer.

as-override

When multiple VPN sites share the same ASN, enabling the AS override feature allows routes originating from an AS to be accepted by a router residing in the same AS. By default, the receiving router rejects the received route advertisement if the AS_PATH attribute shows that the route originated from its own AS to prevent routing loops.


The as-override command is useful only when BGP is used for PE-to-CE routing.


Enabling the AS override feature may result in route loops. This feature should only be used for specific applications that require this type of behavior, and in situations with strict network control.


The as-override command can only be used in VPN contexts.

Enable an OSPF instance within a VPN context to treat redistributed BGP routes as VPN routes.

vpn

When a CE site is connected to multiple areas, the CE router’s connection to a PE router should be in area 0 to allow correct handling of summary link-state advertisements (LSAs).


The vpn command is useful only when OSPF is used for PE-to-CE routing.

2.10   Identifying the Specific Site from Where a Route Has Originated

To identify the specific site from where a route has originated, perform the task described in Table 10. Enter the command in BGP address family configuration mode.

Table 10    Identify the Specific Site from Where a Route Has Originated

Task

Root Command

Notes

Identify the specific site from where a route has originated.

route-origin

When routes are received by a PE router, the route’s route-origin attribute is checked against the route origin associated with the VPN for the receive site. Received routes are rejected if the route origin values are the same. This prevents the readvertisement of routes back to their originating sites.


This command is useful only when BGP is used for PE-to-CE routing.

2.11   Enabling Soft GRE Tunneling

To enable soft GRE tunneling, perform the task described in Table 11. Enter the command in context configuration mode.

Table 11    Enable Soft GRE Tunneling

Task

Root Command

Notes

Enable soft GRE tunneling on the specified context.

ip soft-gre

Using soft GRE tunnels to transport MPLS-encapsulated packets is called BGP/MPLS VPN over GRE, and is used to offer BGP/MPLS VPN service when a portion of a network does not have label switching enabled. BGP/MPLS VPN over GRE does not require a preconfiguration of the remote GRE endpoint. These endpoints are the BGP next-hop addresses of the VPN routes and are learned dynamically via BGP.

2.12   BGP/MPLS VPN Operations

To manage BGP/MPLS VPN functions, perform the appropriate tasks described in Table 12. Enter the show commands in any mode; enter the clear command (in exec mode).

Table 12    BGP/MPLS VPN Operations Tasks

Task

Root Command

Reset BGP IPv4 address connections, or apply new BGP routing policies to connections using VPN address prefixes without dropping the connections.

clear bgp ipv4 vpn

Display BGP attribute information for extended communities.

show bgp attribute extended-community

Display BGP routes for a specific route target extended community.

show bgp route ext-community route-target

Display information for BGP VPN-IPv4 prefix-based routes.

show bgp route ipv4 vpn

Display a summary report of BGP VPN-IPv4 routes in the BGP routing tables for all contexts.

show bgp route ipv4 vpn summary

Display Open Shortest Path First (OSPF) route information in a VPN context.

show ospf route vpn

Display VPN information and VPN redistributed route counts for all OSPF instances, or optionally, for a specific instance in a VPN context.

show ospf vpn


 Caution! 
Risk of dropped connection. A hard reset can impact network connectivity. When using any clear bgp command, the soft keyword for inbound only takes effect if the BGP neighbor supports the refresh capability. The soft keyword for outbound is a local matter, and does not require the capability. To see if a BGP neighbor supports the refresh capability, use the show bgp neighbor summary command (in exec mode). Specify the soft keyword if you do not want the BGP neighbor connection dropped. To reduce the risk, only use a hard reset as a last resort.

3   Configuration Examples

The following sections provide BGP/MPLS VPN configuration examples:

3.1   Backbone Connectivity

The backbone connectivity must be configured in the local context.

An IGP, such as OSPF, IS-IS, or LDP must be enabled on backbone links. By default the loopback interface IP address is used as both the router ID and LDP transport address, so it needs to be reachable. Furthermore, MPLS switching must be enabled on the backbone links.

The following configuration allows two routers carry BGP routes for VPN-IPv4 unicast addresses. A VPN-IPv4 unicast address is an 8- to 12-byte quantity, beginning with an 8-byte RD and ending with an IPv4 address.

Note:  
A VPN-IPv4 address family must be configured for the BGP PE peers. IPv4 unicast and multicast address families can be enabled for the same peers if needed.

The configuration for the PE1 router is:

[local]PE1#config

[local]PE1(config)#context local

[local]PE1(config-ctx)#interface loop1 loopback

[local]PE1(config-if)#ip address 1.1.1.1/32

[local]PE1(config-if)#isis router isis-backbone

[local]PE1(config-if)#isis passive-interface

[local]PE1(config-ctx)#interface backbone1

[local]PE1(config-if)#ip address 2.2.2.1/24

[local]PE1(config-if)#isis router isis-backbone

[local]PE1(config-ctx)#router isis ip-backbone

[local]PE1(config-isis)#net 49.2222.0010.0100.1001.00

[local]PE1(config-ctx)#router mpls

[local]PE1(config-mpls)#interface backbone1

[local]PE1(config-ctx)#router ldp

[local]PE1(config-ldp)#interface backbone1

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#neighbor 1.1.1.2 internal

[local]PE1(config-bgp-neighbor)#update-source loop1

[local]PE1(config-bgp-neighbor)#next-hop-self

[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE1(config)#port pos 6/1

[local]PE1(config-port)#bind interface backbone1 local

[local]PE1(config-port)#no shutdown

[local]PE1(config-port)#end

The configuration for the PE2 router is:

[local]PE2#config

[local]PE2(config)#context local

[local]PE2(config-ctx)#interface loop1 loopback

[local]PE2(config-if)#ip address 1.1.1.2/32

[local]PE2(config-if)#isis router isis-backbone

[local]PE2(config-if)#isis passive-interface

[local]PE2(config-ctx)#interface backbone1

[local]PE2(config-if)#ip address 2.2.2.2/24

[local]PE2(config-if)#isis router isis-backbone

[local]PE2(config-ctx)#router isis ip-backbone

[local]PE2(config-isis)#net 49.2222.0010.0100.1002.00

[local]PE2(config-ctx)#router mpls

[local]PE2(config-mpls)#interface backbone1

[local]PE2(config-ctx)#router ldp

[local]PE2(config-ldp)#interface backbone1

[local]PE2(config-ctx)#router bgp 100

[local]PE2(config-bgp)#neighbor 1.1.1.1 internal

[local]PE2(config-bgp-neighbor)#update-source loop1

[local]PE2(config-bgp-neighbor)#next-hop-self

[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE2(config)#port pos 6/1

[local]PE2(config-port)#bind interface backbone1 local

[local]PE2(config-port)#no shutdown

[local]PE2(config-port)#end

3.2   PE-to-CE Route Distribution

PE-to-CE route distribution can be configured using any of the following techniques:

Please be aware that you must configure the service multiple-context command in order to configure a VPN context.

Note:  
This section does not include the configuration for the backbone connectivity in the local context.

3.2.1   VPN Using Static Routing

The configuration for the PE router is:

[local]PE#config

[local]PE(config)#service multiple-context

[local]PE(config)#context VPN1 vpn-rd 1.1.1.1:101

[local]PE(config-ctx)#interface 12/1

[local]PE(config-if)#ip address 10.10.1.1/24

[local]PE(config-if)#exit

[local]PE(config-ctx)#router bgp vpn



[local]PE(config-bgp-af)#export route-target 100:101

[local]PE(config-bgp-af)#import route-target 100:101

[local]PE(config-bgp-af)#redistribute static

[local]PE(config-bgp-af)#redistribute connected

[local]PE(config-bgp-af)#exit

[local]PE(config-bgp)#exit

[local]PE(config-ctx)#ip route 192.1.1.0/24 10.10.1.2

[local]PE(config-bgp)#exit

[local]PE(config)#port ethernet 12/1

[local]PE(config-port)#bind interface 12/1 VPN1

[local]PE(config-port)#no shutdown

[local]PE(config-port)#end

The configuration for the CE router is:

[local]CE#config

[local]CE(config)#context local

[local]CE(config-ctx)#interface loop1 loopback

[local]CE(config-if)#ip address 192.1.1.2/32

[local]CE(config-ctx)#interface 2/2

[local]CE(config-if)#ip address 10.10.1.2/24

[local]CE(config-ctx)#ip route 0.0.0.0/0 10.10.1.1

[local]CE(config)#port ethernet 2/2

[local]CE(config-port)#bind interface 2/2 local

[local]CE(config-port)#no shutdown

[local]CE(config-port)#end

3.2.2   VPN Using RIP

The configuration for the PE router is:

[local]PE#config

[local]PE(config)#service multiple-context

[local]PE(config)#context VPN1 vpn-rd 1.1.1.1:101

[local]PE(config-ctx)#interface 12/1 

[local]PE(config-if)#ip address 10.1.1.1/24

[local]PE(config-if)#rip router CE

[local]PE(config-ctx)#router rip CE

[local]PE(config-rip)#redistribute bgp 100

[local]PE(config-ctx)#router bgp vpn

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp-af)#export route-target 100:101

[local]PE(config-bgp-af)#import route-target 100:101

[local]PE(config-bgp-af)#redistribute rip CE

[local]PE(config-bgp-af)#redistribute connected 

[local]PE(config)#port ethernet 12/1

[local]PE(config-port)#bind interface 12/1 VPN1

[local]PE(config-port)#no shutdown

[local]PE(config-port)#end

The configuration for the CE router is:

[local]CE#config

[local]CE(config)#context local

[local]CE(config-ctx)#interface 2/2

[local]CE(config-if)#ip address 10.1.1.2/24

[local]CE(config-ctx)#router rip PE

[local]CE(config-rip)#redistribute connected

[local]CE(config)#port ethernet 2/2

[local]CE(config-port)#bind interface 2/2 local

[local]CE(config-port)#no shutdown

[local]CE(config-port)#end

3.2.3   VPN Using OSPF

The configuration for the PE router is:

[local]PE#config

[local]PE(config)#service multiple-context

[local]PE(config)#context VPN1 vpn-rd 1.1.1.1:101

[local]PE(config-ctx)#interface 12/1

[local]PE(config-if)#ip address 10.1.1.1/24

[local]PE(config-ctx)#router ospf 1

[local]PE(config-ospf)#vpn domain-id 5.5.5.5 domain-tag 0x00000001 local-as 100

[local]PE(config-ospf)#area 0.0.0.0

[local]PE(config-ospf)#interface 12/1

[local]PE(config-ospf-interface)#cost 100

[local]PE(config-ospf)#redistribute bgp 100 

[local]PE(config-ctx)#router bgp vpn

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp-af)#export route-target 100:101

[local]PE(config-bgp-af)#import route-target 100:101

[local]PE(config-bgp-af)#redistribute connected 

[local]PE(config-bgp-af)#redistribute ospf 

[local]PE(config)#port ethernet 12/1

[local]PE(config-port)#bind interface 12/1 VPN1

[local]PE(config-port)#no shutdown

[local]PE(config-port)#end

The configuration for the CE router is:

[local]CE#config

[local]CE(config)#context local

[local]CE(config-ctx)#interface 2/2

[local]CE(config-if)#ip address 10.1.1.2/24

[local]CE(config-ctx)#router ospf 1 

[local]CE(config-ospf)#area 0.0.0.0

[local]CE(config-ospf)#interface 2/2 

[local]CE(config-ospf-interface)#cost 100

[local]CE(config)#port ethernet 2/2

[local]CE(config-port)#bind interface 2/2 local

[local]CE(config-port)#no shutdown

[local]CE(config-port)#end

3.2.4   VPN Using eBGP

The configuration for the PE router is:

[local]PE#config

[local]PE(config)#service multiple-context

[local]PE(config)#context VPN1 vpn-rd 1.1.1.1:101

[local]PE(config-ctx)#interface 12/1

[local]PE(config-if)#ip address 10.1.1.1/24

[local]PE(config-ctx)#router bgp vpn

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp-af)#export route-target 100:101

[local]PE(config-bgp-af)#import route-target 100:101

[local]PE(config-bgp)#neighbor 10.1.1.2 external

[local]PE(config-bgp-neighbor)#remote-as 200

[local]PE(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE(config)#port ethernet 12/1

[local]PE(config-port)#bind interface 12/1 VPN1

[local]PE(config-port)#no shutdown

[local]PE(config-port)#end

The configuration for the CE router is:

[local]CE#config

[local]CE(config)#context local

[local]CE(config-ctx)#interface 2/2

[local]CE(config-if)#ip address 10.1.1.2/24

[local]CE(config-ctx)#router bgp 200

[local]CE(config-bgp)#address-family ipv4 unicast

[local]CE(config-bgp)#neighbor 10.1.1.1 external

[local]CE(config-bgp-neighbor)#remote-as 100

[local]CE(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE(config)#port ethernet 2/2

[local]CE(config-port)#bind interface 2/2 local

[local]CE(config-port)#no shutdown

[local]CE(config-port)#end

3.3   Different BGP/MPLS VPN Topologies

The sections that follow provide configuration examples for typical BGP/MPLS VPNs, local imports, and hub-and-spoke VPNs.

Note:  
The examples shown in this section all assume eBGP is used for PE-to-CE router connectivity.

3.3.1   Typical BGP/MPLS VPN

The following example configures a typical BGP/MPLS VPN network configuration. Figure 3 shows the network topology for the configuration.

Figure 3   Typical BGP/MPLS VPN

The configuration for the CE1 router is:

[local]CE1#config

[local]CE1(config)#context local

[local]CE1(config-ctx)#interface 2/2

[local]CE1(config-if)#ip address 10.1.1.2/24

[local]CE1(config-ctx)#router bgp 200

[local]CE1(config-bgp)#address-family ipv4 unicast

[local]CE1(config-bgp)#neighbor 10.1.1.1 external

[local]CE1(config-bgp-neighbor)#remote-as 100

[local]CE1(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE1(config)#port ethernet 2/2

[local]CE1(config-port)#bind interface 2/2 local

[local]CE1(config-port)#no shutdown

[local]CE1(config-port)#end

The configuration for the PE1 router is:

[local]PE1#config

[local]PE1(config)#service multiple-context

[local]PE1(config)#context local

[local]PE1(config-ctx)#interface loop1 loopback

[local]PE1(config-if)#ip address 1.1.1.2/32

[local]PE1(config-if)#isis router isis-backbone

[local]PE1(config-if)#isis passive-interface

[local]PE1(config-ctx)#interface backbone1

[local]PE1(config-if)#ip address 2.2.2.1/24

[local]PE1(config-if)#isis router isis-backbone

[local]PE1(config-ctx)#router isis ip-backbone

[local]PE1(config-isis)#net 49.2222.0010.0100.1001.00

[local]PE1(config-ctx)#router mpls

[local]PE1(config-mpls)#interface backbone1

[local]PE1(config-ctx)#router ldp

[local]PE1(config-ldp)#interface backbone1

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#address-family ipv4 vpn

[local]PE1(config-bgp-af)#redistribute connected

[local]PE1(config-bgp)#neighbor 1.1.1.1 internal

[local]PE1(config-bgp-neighbor)#update-source loop1

[local]PE1(config-bgp-neighbor)#next-hop-self

[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE1(config)#context VPN1 vpn-rd 1.1.1.2:100

[local]PE1(config-ctx)#interface 12/1

[local]PE1(config-if)#ip address 10.1.1.1/24

[local]PE1(config-ctx)#router bgp vpn

[local]PE1(config-bgp)#address-family ipv4 unicast

[local]PE1(config-bgp-af)#export route-target 100:101

[local]PE1(config-bgp-af)#import route-target 100:101

[local]PE1(config-bgp-af)#redistribute connected

[local]PE1(config-bgp)#neighbor 10.1.1.2 external

[local]PE1(config-bgp-neighbor)#remote-as 200

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE1(config)#port ethernet 12/1

[local]PE1(config-port)#bind interface 12/1 VPN1

[local]PE1(config-port)#no shutdown

[local]PE1(config)#port pos 6/1

[local]PE1(config-port)#bind interface backbone1 local

[local]PE1(config-port)#no shutdown

[local]PE1(config-port)#end

The configuration for the P router is:

[local]P#config

[local]P(config)#context local

[local]P(config-ctx)#interface loop1 loopback

[local]P(config-if)#ip address 1.1.1.2/32

[local]P(config-if)#isis router isis-backbone

[local]P(config-if)#isis passive-interface

[local]P(config-ctx)#interface backbone1

[local]P(config-if)#ip address 2.2.2.2/24

[local]P(config-if)#isis router isis-backbone

[local]P(config-ctx)#router isis ip-backbone

[local]P(config-isis)#net 49.2222.0010.0100.1002.00

[local]P(config-ctx)#router mpls

[local]P(config-mpls)#interface backbone1

[local]P(config-ctx)#router ldp

[local]P(config-ldp)#interface backbone1

[local]P(config-ctx)#router bgp 100

[local]P(config-bgp)#neighbor 1.1.1.1 internal

[local]P(config-bgp-neighbor)#update-source loop1

[local]P(config-bgp-neighbor)#next-hop-self

[local]P(config-bgp-neighbor)#address-family ipv4 vpn

[local]P(config-bgp-peer-af)#route-reflector-client

[local]P(config-bgp)#neighbor 1.1.1.3 internal

[local]P(config-bgp-neighbor)#update-source loop1

[local]P(config-bgp-neighbor)#next-hop-self

[local]P(config-bgp-neighbor)#address-family ipv4 vpn

[local]P(config-bgp-peer-af)#route-reflector-client

[local]P(config)#port pos 6/1

[local]P(config-port)#bind interface backbone1 local

[local]P(config-port)#no shutdown

[local]P(config-port)#end

The configuration for the PE2 router is:

[local]PE2#config

[local]PE2(config)#service multiple-context

[local]PE2(config)#context local

[local]PE2(config-ctx)#interface loop1 loopback

[local]PE2(config-if)#ip address 1.1.1.3/32

[local]PE2(config-if)#isis router isis-backbone

[local]PE2(config-if)#isis passive-interface

[local]PE2(config-ctx)#interface backbone1

[local]PE2(config-if)#ip address 2.2.2.3/24

[local]PE2(config-if)#isis router isis-backbone

[local]PE2(config-ctx)#router isis ip-backbone

[local]PE2(config-isis)#net 49.2222.0010.0100.1003.00

[local]PE2(config-ctx)#router mpls

[local]PE2(config-mpls)#interface backbone1

[local]PE2(config-ctx)#router ldp

[local]PE2(config-ldp)#interface backbone1

[local]PE2(config-ctx)#router bgp 100

[local]PE2(config-bgp)#neighbor 1.1.1.2 internal

[local]PE2(config-bgp-neighbor)#update-source loop1

[local]PE2(config-bgp-neighbor)#next-hop-self

[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE2(config)#context VPN1 vpn-rd 1.1.1.3:100

[local]PE2(config-ctx)#interface 12/2

[local]PE2(config-if)#ip address 11.1.1.1/24

[local]PE2(config-ctx)#router bgp vpn

[local]PE2(config-bgp)#address-family ipv4 unicast

[local]PE2(config-bgp-af)#export route-target 100:101

[local]PE2(config-bgp-af)#import route-target 100:101

[local]PE2(config-bgp-af)#redistribute connected

[local]PE2(config-bgp)#neighbor 11.1.1.2 external

[local]PE2(config-bgp-neighbor)#remote-as 300

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE2(config)#port ethernet 12/2

[local]PE2(config-port)#bind interface 12/2 VPN1

[local]PE2(config-port)#no shutdown

[local]PE2(config)#port pos 6/1

[local]PE2(config-port)#bind interface backbone1 local

[local]PE2(config-port)#no shutdown

[local]PE2(config-port)#end

The configuration for the CE2 router is:

[local]CE2#config

[local]CE2(config)#context local

[local]CE2(config-ctx)#interface 2/2

[local]CE2(config-if)#ip address 11.1.1.2/24

[local]CE2(config-ctx)#router bgp 300

[local]CE2(config-bgp)#address-family ipv4 unicast

[local]CE2(config-bgp)#neighbor 11.1.1.2 external

[local]CE2(config-bgp-neighbor)#remote-as 100

[local]CE2(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE2(config)#port ethernet 2/2

[local]CE2(config-port)#bind interface 2/2 local

[local]CE2(config-port)#no shutdown

[local]CE2(config-port)#end

3.3.2   Local Import

Two CE routers that belong to the same VPN site, and are also connected to the same PE router, are usually configured to be in the same VPN context on the PE router; however, local import can be used if the two CE routers have different import or export policies. The following example configures a local import network configuration. Figure 4 shows the network topology for the configuration.

Figure 4   Local Import Network Topology

The configuration for the CE1 router is:

[local]CE1#config

[local]CE1(config)#context local

[local]CE1(config-ctx)#interface 2/1

[local]CE1(config-if)#ip address 10.1.1.2/24

[local]CE1(config-ctx)#router bgp 200

[local]CE1(config-bgp)#address-family ipv4 unicast

[local]CE1(config-bgp)#neighbor 10.1.1.1 external

[local]CE1(config-bgp-neighbor)#remote-as 100

[local]CE1(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE1(config)#port ethernet 2/1

[local]CE1(config-port)#bind interface 2/1 local

[local]CE1(config-port)#no shutdown

[local]CE1(config-port)#end

The configuration for the CE2 router is:

[local]CE2#config

[local]CE2(config)#context local

[local]CE2(config-ctx)#interface 2/2

[local]CE2(config-if)#ip address 11.1.1.2/24

[local]CE2(config-ctx)#router bgp 300

[local]CE2(config-bgp)#address-family ipv4 unicast

[local]CE2(config-bgp)#neighbor 11.1.1.1 external

[local]CE2(config-bgp-neighbor)#remote-as 100

[local]CE2(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE2(config)#port ethernet 2/2

[local]CE2(config-port)#bind interface 2/2 local

[local]CE2(config-port)#no shutdown

[local]CE2(config-port)#end

The configuration for the PE router is:

[local]PE#config

[local]PE(config)#service multiple-context

[local]PE(config)#context local

[local]PE(config-ctx)#interface loop1 loopback

[local]PE(config-if)#ip address 1.1.1.1/32

[local]PE(config-if)#isis router isis-backbone

[local]PE(config-if)#isis passive-interface

[local]PE(config-ctx)#interface backbone1

[local]PE(config-if)#ip address 2.2.2.1/24

[local]PE(config-if)#isis router isis-backbone

[local]PE(config-ctx)#router isis ip-backbone

[local]PE(config-isis)#net 49.2222.0010.0100.1001.00

[local]PE(config-ctx)#router mpls

[local]PE(config-mpls)#interface backbone1

[local]PE(config-ctx)#router ldp

[local]PE(config-ldp)#interface backbone1

[local]PE(config-ctx)#router bgp 100

[local]PE(config-bgp)#neighbor 1.1.1.2 internal

[local]PE(config-bgp-neighbor)#update-source loop1

[local]PE(config-bgp-neighbor)#next-hop-self

[local]PE(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE(config)#context VPN1 vpn-rd 1:1 

[local]PE(config-ctx)#interface 12/1

[local]PE(config-if)#ip address 10.1.1.1/24

[local]PE(config-ctx)#router bgp vpn

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp-af)#export route-target 100:101 100:102

[local]PE(config-bgp-af)#import route-target 100:101 100:102

[local]PE(config-bgp-af)#redistribute connected

[local]PE(config-bgp)#neighbor 10.1.1.2 external

[local]PE(config-bgp-neighbor)#remote-as 200

[local]PE(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE(config)#context vpn1 vpn-rd 1:1 

[local]PE(config-ctx)#interface 12/2

[local]PE(config-if)#ip address 11.1.1.1/24

[local]PE(config-ctx)#router bgp vpn

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp-af)#export route-target 100:101 100:103

[local]PE(config-bgp-af)#import route-target 100:101 100:103

[local]PE(config-bgp-af)#redistribute connected

[local]PE(config-bgp)#neighbor 11.1.1.2 external

[local]PE(config-bgp-neighbor)#remote-as 300

[local]PE(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE(config)#port ethernet 12/1

[local]PE(config-port)#bind interface 12/1 VPN1

[local]PE(config-port)#no shutdown

[local]PE(config)#port ethernet 12/2

[local]PE(config-port)#bind interface 12/2 VPN1

[local]PE(config-port)#no shutdown

[local]PE(config)#port pos 6/1

[local]PE(config-port)#bind interface backbone1 local

[local]PE(config-port)#no shutdown

[local]PE(config-port)#end

3.3.3   Hub-and-Spoke

Hub-and-Spoke topology allows all spoke sites to send their traffic towards a central site location for various different reasons; for example, authentication. The following example configures a Hub-and-Spoke network with two spoke sites and one hub site. Figure 5 shows the network topology for the configuration.

Figure 5   Hub and Spoke Network Topology

The configuration for the CE1 router is:

[local]CE1#config

[local]CE1(config)#context local

[local]CE1(config-ctx)#interface 2/1

[local]CE1(config-if)#ip address 10.1.1.2/24

[local]CE1(config-ctx)#router bgp 200

[local]CE1(config-bgp)#address-family ipv4 unicast

[local]CE1(config-bgp)#neighbor 10.1.1.1 external

[local]CE1(config-bgp-neighbor)#remote-as 100

[local]CE1(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE1(config)#port ethernet 2/1

[local]CE1(config-port)#bind interface 2/1 local

[local]CE1(config-port)#no shutdown

[local]CE1(config-port)#end

The configuration for the PE1 router is:

[local]PE1#config

[local]PE1(config)#service multiple-context

[local]PE1(config)#context local

[local]PE1(config-ctx)#interface loop1 loopback

[local]PE1(config-if)#ip address 1.1.1.1/32

[local]PE1(config-if)#isis router isis-backbone

[local]PE1(config-if)#isis passive-interface

[local]PE1(config-ctx)#interface backbone1

[local]PE1(config-if)#ip address 2.2.2.1/24

[local]PE1(config-if)#isis router isis-backbone

[local]PE1(config-ctx)#router isis ip-backbone

[local]PE1(config-isis)#net 49.2222.0010.0100.1001.00

[local]PE1(config-ctx)#router mpls

[local]PE1(config-mpls)#interface backbone1

[local]PE1(config-ctx)#router ldp

[local]PE1(config-ldp)#interface backbone1

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#neighbor 1.1.1.2 internal

[local]PE1(config-bgp-neighbor)#update-source loop1

[local]PE1(config-bgp-neighbor)#next-hop-self

[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE1(config)#context VPN1 vpn-rd 1.1.1.2:101

[local]PE1(config-ctx)#interface 12/1

[local]PE1(config-if)#ip address 10.1.1.1/24

[local]PE1(config-ctx)#router bgp vpn

[local]PE1(config-bgp)#address-family ipv4 unicast

[local]PE1(config-bgp-af)#export route-target 1:1

[local]PE1(config-bgp-af)#import route-target 2:2 

[local]PE1(config-bgp-af)#redistribute connected

[local]PE1(config-bgp)#neighbor 10.1.1.2 external

[local]PE1(config-bgp-neighbor)#remote-as 200

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE1(config)#port ethernet 12/1

[local]PE1(config-port)#bind interface 12/1 local

[local]PE1(config-port)#no shutdown

[local]PE1(config)#port pos 6/1

[local]PE1(config-port)#bind interface backbone1 local

[local]PE1(config-port)#no shutdown

[local]PE1(config-port)#end

The configuration for the Hub PE router is:

[local]PE#config

[local]PE(config)#service multiple-context

[local]PE(config)#context local

[local]PE(config-ctx)#interface loop1 loopback

[local]PE(config-if)#ip address 1.1.1.1/32

[local]PE(config-if)#isis router isis-backbone

[local]PE(config-if)#isis passive-interface

[local]PE(config-ctx)#interface backbone1

[local]PE(config-if)#ip address 2.2.2.2/24

[local]PE(config-if)#isis router isis-backbone

[local]PE(config-ctx)#router isis ip-backbone

[local]PE(config-isis)#net 49.2222.0010.0100.1002.00

[local]PE(config-ctx)#router mpls

[local]PE(config-mpls)#interface backbone1

[local]PE(config-ctx)#router ldp

[local]PE(config-ldp)#interface backbone1

[local]PE(config-ctx)#router bgp 100

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp)#neighbor 1.1.1.2 internal

[local]PE(config-bgp-neighbor)#update-source loop1

[local]PE(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE(config-bgp)#neighbor 1.1.1.3 internal

[local]PE(config-bgp-neighbor)#update-source loop1

[local]PE(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE(config)#context HUB-import vpn-rd 1.1.1.1:1

[local]PE(config-ctx)#interface 10/1

[local]PE(config-if)#ip address 8.1.1.1/24

[local]PE(config-ctx)#router bgp vpn

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp-af)#import route-target 1:1 

[local]PE(config-bgp-af)#redistribute connected

[local]PE(config-bgp)#neighbor 8.1.1.2 external

[local]PE(config-bgp-neighbor)#remote-as 400

[local]PE(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE(config)#context HUB-export vpn-rd 1.1.1.1:2

[local]PE(config-ctx)#interface 10/2

[local]PE(config-if)#ip address 9.1.1.1/24

[local]PE(config-ctx)#router bgp vpn

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp-af)#export route-target 2:2

[local]PE(config-bgp-af)#redistribute connected

[local]PE(config-bgp)#neighbor 9.1.1.2 external

[local]PE(config-bgp-neighbor)#remote-as 400

[local]PE(config-bgp-neighbor)#asloop-in 2

[local]PE(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE(config)#port ethernet 10/1

[local]PE(config-port)#bind interface 10/1 HUB-import

[local]PE(config-port)#no shutdown

[local]PE(config)#port ethernet 10/2

[local]PE(config-port)#bind interface 10/2 HUB-export

[local]PE(config-port)#no shutdown

[local]PE(config)#port pos 6/1

[local]PE(config-port)#bind interface backbone1 local

[local]PE(config-port)#no shutdown

[local]PE(config-port)#end
Note:  
The Hub PE router must have two connections to the Hub CE router, one connection in the import context, and another in the export context. Additionally, the Hub PE router’s exporting route target must be configured as an import route target on all spoke PE routers, and export route targets on the spoke PE routers must also be configured as import route targets on the Hub PE router. In this Hub-and-Spoke example, all spoke sites export 1:1 to the hub site, and hub site exports 2:2 to all spoke sites.

The configuration for the Hub CE router is:

[local]CE#config

[local]CE(config)#context local

[local]CE(config-ctx)#interface 3/1

[local]CE(config-if)#ip address 8.1.1.2/24

[local]CE(config-ctx)#interface 3/2

[local]CE(config-if)#ip address 9.1.1.2/24

[local]CE(config-ctx)#router bgp 400

[local]CE(config-bgp)#address-family ipv4 unicast

[local]CE(config-bgp)#peer-group HUB-pgrp external

[local]CE(config-peergroup)#address-family ipv4 unicast

[local]CE(config-bgp)#neighbor 8.1.1.1 external

[local]CE(config-bgp-neighbor)#remote-as 100

[local]CE(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE(config-bgp)#neighbor 9.1.1.1 external

[local]CE(config-bgp-neighbor)#remote-as 100

[local]CE(config-bgp)#peer-group HUB-pgrp 

[local]CE(config)#port ethernet 3/1

[local]CE(config-port)#bind interface 3/1 local

[local]CE(config-port)#no shutdown

[local]CE(config)#port ethernet 3/2

[local]CE(config-port)#bind interface 3/2 local

[local]CE(config-port)#no shutdown

[local]CE(config-port)#end
Note:  
A peer group must be configured for the eBGP peers on the Hub CE router to send back advertisements received from the Hub PE router. By default, routes will not be advertised back to the Hub PE router.

The configuration for the PE2 router is:

[local]PE2#config

[local]PE2(config)#service multiple-context

[local]PE2(config)#context local

[local]PE2(config-ctx)#interface loop1 loopback

[local]PE2(config-if)#ip address 1.1.1.3/32

[local]PE2(config-if)#isis router isis-backbone

[local]PE2(config-if)#isis passive-interface

[local]PE2(config-ctx)#interface backbone1

[local]PE2(config-if)#ip address 2.2.2.3/24

[local]PE2(config-if)#isis router isis-backbone

[local]PE2(config-ctx)#router isis ip-backbone

[local]PE2(config-isis)#net 49.2222.0010.0100.1003.00

[local]PE2(config-ctx)#router mpls

[local]PE2(config-mpls)#interface backbone1

[local]PE2(config-ctx)#router ldp

[local]PE2(config-ldp)#interface backbone1

[local]PE2(config-ctx)#router bgp 100

[local]PE2(config-bgp)#neighbor 1.1.1.1 internal

[local]PE2(config-bgp-neighbor)#update-source loop1

[local]PE2(config-bgp-neighbor)#next-hop-self

[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE2(config)#context VPN1 vpn-rd 1.1.1.3:101

[local]PE2(config-ctx)#interface 12/1

[local]PE2(config-if)#ip address 11.1.1.1/24

[local]PE2(config-ctx)#router bgp vpn

[local]PE2(config-bgp)#address-family ipv4 unicast

[local]PE2(config-bgp-af)#export route-target 1:1

[local]PE2(config-bgp-af)#import route-target 2:2 

[local]PE2(config-bgp-af)#redistributed connected

[local]PE2(config-bgp)#neighbor 11.1.1.2 external

[local]PE2(config-bgp-neighbor)#remote-as 300

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE2(config)#port ethernet 12/1

[local]PE2(config-port)#bind interface 12/1 VPN1

[local]PE2(config-port)#no shutdown

[local]PE2(config)#port pos 6/1

[local]PE2(config-port)#bind interface backbone1 local

[local]PE2(config-port)#no shutdown

[local]PE2(config-port)#end

The configuration for the CE2 router is:

[local]CE2#config

[local]CE2(config)#context local

[local]CE2(config-ctx)#interface 3/1

[local]CE2(config-if)#ip address 11.1.1.2/24

[local]CE2(config-ctx)#router bgp 300

[local]CE2(config-bgp)#address-family ipv4 unicast

[local]CE2(config-bgp)#neighbor 11.1.1.1 external

[local]CE2(config-bgp-neighbor)#remote-as 100

[local]CE2(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE2(config)#port ethernet 3/1

[local]CE2(config-port)#bind interface 3/1 local

[local]CE2(config-port)#no shutdown

[local]CE2(config-port)#end

3.4   IPv6 Routes Over an IPv4 MPLS Core

Figure 6 illustrates a configuration where the PE routers (PE-1 and PE-2) enable two IPV6 networks to exchange routes across a network that has an IPv4 MPLS core.

Figure 6   IPv6 Routes Over an MPLS Core

The following example enables router PE-1 to exchange routes from the IPv6 networks (called blue and red) over an IPv4 MPLS network.

First, enable OSPF routing on a the interface called trunk 1:

[local]PE1(config)#context local

[local]PE1(config-ctx)#router ospf 10

[local]PE1(config-ospf)#area 10.10.10.2

[local]PE1(config-ospf-area)#interface trunk1

Next, enable LDP on the interface called trunk1, so that the interface can be used to exchange Hello messages with neighbors and establish an LSP:

[local]PE1(config-ctx)#router ldp

[local]PE1(config-ldp)#interface trunk1

Specify the use of standard IPv6 unicast address prefixes for the neighbors in the BGP address family:

[local]PE1(config)#context local

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#neighbor 10.10.10.2 internal

[local]PE1(config-bgp-neighbor)#address-family ipv6 vpn

[local]PE1(config-bgp-neighbor)#exit

[local]PE1(config-bgp)#exit

Enable MPLS on the interface called trunk1:

[local]PE1(config-ctx)#router mpls

[local]PE1(config-mpls)# interface trunk1

Specify the use of IPv6 unicast address prefixes for the BGP routing instance in a VPN context called blue. Use the export route-target and import route-target commands to add the route target extended community with the value 100:100 to the export and import target lists. Use the redistribute command to redistribute routes learned from OSPF protocols into the BGP VPN routing instance:

[local]PE1(config)#context blue vpn-rd 10.10.10.1:10

[local]PE1(config-ctx)#router bgp vpn

[local]PE1(config-bgp)#address-family ipv6 unicast

[local]PE1(config-bgp-af)#export route-target 100:100

[local]PE1(config-bgp-af)#import route-target 100:100

[local]PE1(config-bgp-af)#redistribute ospf 1

Enable OSPFv3 on the interface called blue-ce-pe. This is the interface that connects the blue CE network to PE1:

[local]PE1(config-ctx)#router ospf3 1

[local]PE1(config-ospf)#area 10.10.10.2

[local]PE1(config-ospf-area)#interface blue-ce-pe

Assign a primary IPv6 address (2001:24:32::1/48) to the interface called blue-ce:

[local]PE1(config-ctx)#interface blue-ce

[local]PE1(config-if)#ipv6 address 2001:24:32::1/48

Specify the use of IPv6 unicast address prefixes for the BGP routing instance in a VPN context called red. Use the export route-target and import route-target commands to add the route target extended community with the value 200:200 to the export and import target lists. Use the redistribute command to redistribute routes learned from other protocols into the BGP VPN routing instance:

[local]PE1(config)#context red vpn-rd 2.2.2.1:10

[local]PE1(config-ctx)#router bgp vpn

[local]PE1(config-bgp)#address-family ipv6 unicast

[local]PE1(config-bgp-af)#import route-target 200:200

[local]PE1(config-bgp-af)#export route-target 200:200

[local]PE1(config-bgp-af)#redistribute ospf 100

Enable OSPFv3 on the interface called red-ce-pe. This is the interface that connects the red CE network to PE1:

[local]PE1(config-ctx)#router ospf3 100

[local]PE1(config-ospf)#area 2.2.2.1

[local]PE1(config-ospf-area)#interface red-ce-pe

Assigns a primary IPv6 address (2001:24:32::1/48) to the interface called red-ce:

[local]PE1(config-ctx)#interface red-ce

[local]PE1(config-if)#ipv6 address 2001:24:32::1/48

Bind the relevant ports to the appropriate interfaces to bring up the connections and enable router CE-1 to transport IPv6 routes over the IPv4 MPLS network:

[local]PE1(config)#port ethernet 1/1

[local]PE1(config-port)#description trunk link

[local]PE1(config-port)#bind interface 1 local

[local]PE1(config)#port ethernet 2/2

[local]PE1(config-port)#description link-to-customer-blue-pe

[local]PE1(config-port)#bind interface blue-ce-pe

[local]PE1(config)#port ethernet 3/3

[local]PE1(config-port)#description link-to-customer-red-pe

[local]PE1(config-port)#bind interface red-pe-ce

3.5   GRE over MPLS

GRE over MPLS provides a way to establish a GRE tunnel over an MPLS LSP, allowing you to run applications, such as multicast, over the GRE tunnel. The following example configures BGP/MPLS VPNs on routers PE1 and PE2. The GRE tunnel, tun1, is created over MPLS by specifying the GRE peer relationship on both ends of the tunnel, which are represented by routers PE1 and PE2. For each GRE peer relationship specified, the remote IP address must be an IP address in the remote VPN context.

The configuration for the PE1 router is:

[local]PE1(config)#context local

[local]PE1(config-ctx)#interface lo1 loopback

[local]PE1(config-if)#ip address 2.2.2.2/32

[local]PE1(config-ctx)#interface toP

[local]PE1(config-if)#ip address 10.1.1.2/30

[local]PE1(config-if)#exit

[local]PE1(config-ctx)#router ospf 1

[local]PE1(config-ospf)#area 0.0.0.0

[local]PE1(config-ospf-area)#interface lo1

[local]PE1(config-ospf-interface)#passive

[local]PE1(config-ospf-area)#interface toP

[local]PE1(config-ospf-area)#exit

[local]PE1(config-ospf)#exit

[local]PE1(config-ctx)#router mpls

[local]PE1(config-mpls)#no propagate ttl ip-to-mpls

[local]PE1(config-mpls)#exit

[local]PE1(config-ctx)#router rsvp

[local]PE1(config-rsvp)#interface toP

[local]PE1(config-rsvp-if)#lsp lsp1

[local]PE1(config-rsvp-lsp)#ingress 2.2.2.2

[local]PE1(config-rsvp-lsp)#egress 3.3.3.3

[local]PE1(config-rsvp-lsp)#exit

[local]PE1(config-rsvp-if)#exit

[local]PE1(config-rsvp)#exit

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#neighbor 3.3.3.3 internal

[local]PE1(config-bgp-neighbor)#update-source lo1

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast

[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE1(config-bgp-neighbor)#exit

[local]PE1(config-bgp)#exit

[local]PE1(config-ctx)#exit

[local]PE1(config)#context vpn1 vpn-rd 2.2.2.2:1

[local]PE1(config-ctx)#no ip domain-lookup 

[local]PE1(config-ctx)#interface gre1

[local]PE1(config-if)#ip address 30.1.1.1/30

[local]PE1(config-ctx)#interface toCE1

[local]PE1(config-if)#ip address 100.1.1.1/24

[local]PE1(config-if)#exit

[local]PE1(config-ctx)#router bgp vpn

[local]PE1(config-bgp)#address-family ipv4 unicast

[local]PE1(config-bgp-af)#export route-target 100:1

[local]PE1(config-bgp-af)#import route-target 100:1

[local]PE1(config-bgp-af)#redistribute connected

[local]PE1(config-bgp-af)#exit

[local]PE1(config-bgp)#exit

[local]PE1(config-ctx)#exit

[local]PE1(config)tunnel gre tun1

[local]PE1(config-tunnel) peer-end-point local 100.2.1.1 remote 100.1.1.1 context local 

[local]PE1(config-tunnel)#end

[local]PE1(config-port)#no shutdown

[local]PE1(config-port)#end

The configuration for the PE2 router is:

[local]PE2(config)#context local

[local]PE2(config-ctx)#interface loop loopback

[local]PE2(config-if)#ip address 3.3.3.3/32

[local]PE2(config-ctx)#interface toP

[local]PE2(config-if)#ip address 10.1.2.2/30

[local]PE2(config-if)#exit

[local]PE2(config-ctx)#router ospf 1

[local]PE2(config-ospf)#area 0.0.0.0

[local]PE2(config-ospf-area)#interface loop

[local]PE2(config-ospf-interface)#passive

[local]PE2(config-ospf-area)#interface toP

[local]PE2(config-ospf-area)#exit

[local]PE2(config-ospf)#exit

[local]PE2(config-ctx)#router mpls

[local]PE2(config-mpls)#no propagate ttl ip-to-mpls

[local]PE2(config-mpls)#exit

[local]PE2(config-ctx)#router rsvp

[local]PE2(config-rsvp)#interface toP

[local]PE2(config-rsvp-if)#lsp lsp1 signaled

[local]PE2(config-rsvp-lsp)#ingress 3.3.3.3 

[local]PE2(config-rsvp-lsp)#egress 2.2.2.2 

[local]PE2(config-rsvp-lsp)#exit 

[local]PE2(config-rsvp-if)#exit 

[local]PE2(config-rsvp)#exit 

[local]PE2(config-ctx)#router bgp 100

[local]PE2(config-bgp)#neighbor 2.2.2.2 internal

[local]PE2(config-bgp-neighbor)#update-source loop

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast

[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE2(config-bgp-neighbor)#exit

[local]PE2(config-bgp)#exit

[local]PE2(config-ctx)#exit

[local]PE2(config)#context vpn1 vpn-rd 3.3.3.3:1

[local]PE2(config-ctx)#no ip domain-lookup 

[local]PE2(config-ctx)#interface gre1

[local]PE2(config-if)#ip address 30.1.1.2/30

[local]PE2(config-ctx)#interface toCE1

[local]PE2(config-if)#ip address 100.2.1.1/24

[local]PE2(config-if)#exit

[local]PE2(config-ctx)#router bgp vpn

[local]PE2(config-bgp)#address-family ipv4 unicast

[local]PE2(config-bgp-af)#export route-target 100:1

[local]PE2(config-bgp-af)#import route-target 100:1

[local]PE2(config-bgp-af)#redistribute connected

[local]PE2(config-bgp-af)#exit

[local]PE2(config-bgp)#exit

[local]PE2(config-ctx)#exit

[local]PE2(config)#tunnel gre tun1


[local]PE2(config-tunnel)#peer-end-point local 100.2.1.1 remote 100.1.1.1 context local

[local]PE2(config-tunnel)#end

[local]PE2(config-port)#no shutdown

[local]PE2(config-port)#end

3.6   BGP/MPLS VPN over GRE

BGP/MPLS VPN over GRE provides a way to offer BGP/MPLS VPN service when a portion of a network does not have label switching enabled. For BGP/MPLS VPN over GRE to work, the PE routers must know how to handle GRE and label packets, and they must have MPLS enabled on the interface that receives GRE and label packets from the backbone.

Figure 7 shows the network topology for this BGP/MPLS VPN over GRE configuration example where both PE routes are within the same AS.

Figure 7   Basic BGP/MPLS VPN over GRE Network Topology

The configuration for the PE1 router is:

[local]PE1(config)#context local

[local]PE1(config-ctx)#interface loop loopback

[local]PE1(config-if)#ip address 1.1.1.1/32

[local]PE1(config-if)#exit

[local]PE1(config-ctx)#interface to_backbone

[local]PE1(config-if)#ip address 15.3.1.1/24

[local]PE1(config-if)#exit

[local]PE1(config-ctx)#interface t0

[local]PE1(config-if)#ip address 50.50.51.2/24

[local]PE1(config-if)#exit

[local]PE1(config-ctx)#router mpls

[local]PE1(config-mpls)#interface to_backbone

[local]PE1(config-mpls)#exit

[local]PE1(config-ctx)#router bgp 100

[local]PE1(config-bgp)#address-family ipv4 unicast

[local]PE1(config-bgp-af)#redistribute connected

[local]PE1(config-bgp-af)#exit

[local]PE1(config-bgp)#neighbor 2.2.2.2 internal

[local]PE1(config-bgp-neighbor)#update-source loop

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast

[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE1(config-bgp-neighbor)#exit

[local]PE1(config-bgp)#exit

[local]PE1(config-ctx)#ip soft-gre source 1.1.1.1

[local]PE1(config-ctx)#exit

[local]PE1(config)#context vpn0 vpn-rd 100:200

[local]PE1(config-ctx)#interface to_ce1

[local]PE1(config-if)#ip address 10.31.0.2/24

[local]PE1(config-if)#exit

[local]PE1(config-ctx)#router bgp vpn

[local]PE1(config-bgp)#address-family ipv4 unicast

[local]PE1(config-bgp-af)#export route-target 4134:4000

[local]PE1(config-bgp-af)#import route-target 4134:4000

[local]PE1(config-bgp-af)#redistribute connected

[local]PE1(config-bgp-af)#exit

[local]PE1(config-bgp)#neighbor 10.31.0.1 external

[local]PE1(config-bgp-neighbor)#remote-as 4001

[local]PE1(config-bgp-neighbor)#update-source to_ce1

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast

The configuration for the PE2 router is:

[local]PE2(config)#context local

[local]PE2(config-ctx)#interface loop loopback

[local]PE2(config-if)#ip address 2.2.2.2/32

[local]PE2(config-if)#exit

[local]PE2(config-ctx)#interface to_backbone

[local]PE2(config-if)#ip address 16.3.1.1/24

[local]PE2(config-if)#exit

[local]PE2(config-ctx)#router mpls

[local]PE2(config-mpls)#interface to_backbone

[local]PE2(config-mpls)#exit

[local]PE2(config-ctx)#router bgp 100

[local]PE2(config-bgp)#address-family ipv4 unicast

[local]PE2(config-bgp-af)#redistribute connected

[local]PE2(config-bgp-af)#exit

[local]PE2(config-bgp)#neighbor 1.1.1.1 internal

[local]PE2(config-bgp-neighbor)#update-source loop

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast

[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE2(config-bgp-neighbor)#exit

[local]PE2(config-bgp)#exit

[local]PE2(config-ctx)#ip soft-gre source 2.2.2.2

[local]PE2(config-ctx)#exit

[local]PE2(config)#context vpn0 vpn-rd 100:300

[local]PE2(config-ctx)#interface to_ce2

[local]PE2(config-if)#ip address 10.11.0.2/24

[local]PE2(config-if)#exit

[local]PE2(config-ctx)#router bgp vpn

[local]PE2(config-bgp)#address-family ipv4 unicast

[local]PE2(config-bgp-af)#export route-target 4134:4000

[local]PE2(config-bgp-af)#import route-target 4134:4000

[local]PE2(config-bgp-af)#redistribute connected

[local]PE2(config-bgp-af)#exit

[local]PE2(config-bgp)#neighbor 10.11.0.1 external

[local]PE2(config-bgp-neighbor)#remote-as 4001

[local]PE2(config-bgp-neighbor)#update-source to_ce2

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast

If BGP/MPLS VPN service spans multiple autonomous systems, there are two ways to exchange VPN routes between the VPN sites across the autonomous systems:

  1. Configure eBGP peering between the ASBRs, enable a VPN address family between the PE router and ASBR, and enable a VPN address family between the ASBRs. That is, within each AS, both IPv4 unicast and VPN routes are exchanged, and ASBRs are used to exchange VPN routes for interdomain routing.
  2. Configure multihop eBGP peering between the PE routers, and enable VPN address family between the PE routers to exchange VPN routes. The ASBR and PE routers on the backbone exchange only IPv4 unicast routes.

For both methods, the next-hop-unchanged option must be configured on the ASBRs in the VPN address family for the peer that is peering with the other ASBR to preserve the (next-hop, label) pair.

3.7   BGP Commands for BGP/MPLS VPN

Some BGP/MPLS VPN-related commands should only be used for specific situations. The following sections provide configuration examples that illustrate the correct use of the VPN-related commands, asloop-in, as-override, and route-origin:

3.7.1   Using the asloop-in Command

The asloop-in command is used to disable the AS_PATH loop detection by accepting a route advertisement which contains the local AS number in AS_PATH.

This command is useful for Hub-and-Spoke network topologies where routes containing a hub PE router’s ASN can be advertised to the same hub PE router as route advertisements are forwarded from one spoke to another.

This command should be configured for the hub CE neighbor in the export context on the hub PE router.

The configuration for the hub PE router is:

[local]PE#config

[local]PE(config)#context HUB-export vpn-rd 1.1.1.1:2

[local]PE(config-ctx)#interface 10/2

[local]PE(config-if)#ip address 9.1.1.1/24

[local]PE(config-ctx)#router bgp vpn

[local]PE(config-bgp)#address-family ipv4 unicast

[local]PE(config-bgp-af)#export route-target 2:2

[local]PE(config-bgp)#neighbor 9.1.1.2 external

[local]PE(config-bgp-neighbor)#remote-as 400

[local]PE(config-bgp-neighbor)#asloop-in 2

[local]PE(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE(config)#port ethernet 10/2

[local]PE(config-port)#bind interface 10/2 HUB-export

[local]PE(config-port)#no shutdown

[local]PE(config-port)#end

3.7.2   Using the as-override Command

The as-override command is used to replace all occurrences of the peer’s ASN in the AS_PATH attribute with the local ASN when advertising the route to the peer.

Assuming that both VPN sites for the CE1 and CE2 routers use the ASN 200, the as-override command must be configured for the CE peers on the PE routers before the route advertisements can be accepted by the CE routers at both sites.

Note:  
Backbone connectivity in the local context is not shown in the following example.

The configuration for the CE1 router is:

[local]CE1#config

[local]CE1(config)#context local

[local]CE1(config-ctx)#interface 2/1

[local]CE1(config-if)#ip address 10.1.1.2/24

[local]CE1(config-ctx)#router bgp 200

[local]CE1(config-bgp)#address-family ipv4 unicast

[local]CE1(config-bgp)#neighbor 10.1.1.1 external

[local]CE1(config-neighor)#remote-as 100

[local]CE1(configneighor)#address-family ipv4 unicast

[local]CE1(config)#port ethernet 2/1

[local]CE1(config-port)#bind interface 2/1 local

[local]CE1(config-port)#no shutdown

[local]CE1(config-port)#end

The configuration for the PE1 router is:

[local]PE1#config

[local]PE1(config)#service multiple-context

[local]PE1(config)#context VPN1 vpn-rd 1.1.1.2:101

[local]PE1(config-ctx)#interface 12/1

[local]PE1(config-if)#ip address 10.1.1.1/24

[local]PE1(config-ctx)#router bgp vpn

[local]PE1(config-bgp)#address-family ipv4 unicast

[local]PE1(config-bgp-af)#export route-target 1:1

[local]PE1(config-bgp-af)#import route-target 2:2 

[local]PE1(config-bgp)#neighbor 10.1.1.2 external

[local]PE1(config-bgp-neighbor)#remote-as 200

[local]PE1(config-bgp-neighbor)#as-override

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE1(config)#port ethernet 12/1

[local]PE1(config-port)#bind interface 12/1 VPN1

[local]PE1(config-port)#no shutdown

[local]PE1(config-port)#end

The configuration for the PE2 router is:

[local]PE2#config

[local]PE2(config)#service multiple-context

[local]PE2(config)#context local

[local]PE2(config-ctx)#interface loop1 loopback

[local]PE2(config-if)#ip address 1.1.1.3/32

[local]PE2(config-ctx)#router bgp 100

[local]PE2(config-bgp)#neighbor 1.1.1.1 internal

[local]PE2(config-bgp-neighbor)#update-source loop1

[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn

[local]PE2(config)#context VPN1 vpn-rd 1.1.1.3:101

[local]PE2(config-ctx)#interface 12/1

[local]PE2(config-if)#ip address 11.1.1.1/24

[local]PE2(config-ctx)#router bgp vpn

[local]PE2(config-bgp)#address-family ipv4 unicast

[local]PE2(config-bgp-af)#export route-target 1:1

[local]PE2(config-bgp-af)#import route-target 2:2 

[local]PE2(config-bgp)#neighbor 11.1.1.2 external

[local]PE2(config-bgp-neighbor)#remote-as 200

[local]PE2(config-bgp-neighbor)#as-override

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE2(config)#port ethernet 12/1

[local]PE2(config-port)#bind interface 12/1 VPN1

[local]PE2(config-port)#no shutdown

[local]PE2(config-port)#end

The configuration for the CE2 router is:

[local]CE2#config

[local]CE2(config)#context local

[local]CE2(config-ctx)#interface 3/1

[local]CE2(config-if)#ip address 11.1.1.2/24

[local]CE2(config-ctx)#router bgp 200

[local]CE2(config-bgp)#address-family ipv4 unicast

[local]CE2(config-bgp)#neighbor 11.1.1.1 external

[local]CE2(config-bgp-neighbor)#remote-as 100

[local]CE2(config-bgp-neighbor)#address-family ipv4 unicast

[local]CE2(config)#port ethernet 3/1

[local]CE2(config-port)#bind interface 3/1 local

[local]CE2(config-port)#no shutdown

[local]CE2(config-port)#end

3.7.3   Using the route-origin Command

In the case of multiple sites sharing the same ASN, using an ASN alone is no longer adequate for AS loop detection. To prevent the readvertisement of routes back to its originating site, use the route-origin command to identify the site from where the routes originated.

The configuration for the PE1 router is:

[local]PE1#config

[local]PE1(config)#context VPN1 vpn-rd 1.1.1.2:101

[local]PE1(config-ctx)#router bgp vpn

[local]PE1(config-bgp)#address-family ipv4 unicast

[local]PE1(config-bgp-af)#route-origin 100:300

[local]PE1(config-bgp-af)#export route-target 1:1

[local]PE1(config-bgp-af)#import route-target 2:2 

[local]PE1(config-bgp-af)#redistribute connected

[local]PE1(config-bgp)#neighbor 10.1.1.2 external

[local]PE1(config-bgp-neighbor)#remote-as 200

[local]PE1(config-bgp-neighbor)#as-override

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE1(config-bgp-af)#end

The configuration for the PE2 router is:

[local]PE2#config

[local]PE2(config)#context VPN1 vpn-rd 1.1.1.3:101

[local]PE2(config-ctx)#router bgp vpn

[local]PE2(config-bgp)#address-family ipv4 unicast

[local]PE2(config-bgp-af)#route-origin 100:400

[local]PE2(config-bgp-af)#export route-target 1:1

[local]PE2(config-bgp-af)#import route-target 2:2 

[local]PE2(config-bgp-af)#redistribute connected

[local]PE2(config-bgp)#neighbor 11.1.1.2 external

[local]PE2(config-bgp-neighbor)#remote-as 200

[local]PE2(config-bgp-neighbor)#as-override

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast 

3.8   Multihop eBGP Label Redistribution

Figure 8 shows the network topology for this multihop eBGP label redistribution configuration example, where:

Figure 8   Multihop eBGP Label Redistribution Network Topology

The PE2 router is configured to have the ASBR2 router as its iBGP neighbor and the PE1 router as its eBGP neighbor. It maintains and distributes labeled IPv4 routes with ASBR2 and IPv4 VPN routes with the PE1 router.

Note:  
To preserve VPN label next-hop information across the autonomous systems, the next-hop information for IPv4 VPN routes must not be changed on the local PE router when advertising to the remote PE router through multihop eBGP peering.

The configuration for the PE1 router:

[local]PE1#config

[local]PE1(config)#service multiple-contexts 

[local]PE1(config)#context local 

[local]PE1(config-ctx)#interface 3/10 

[local]PE1(config-if)#ip address 30.1.1.1/24 

[local]PE1(config-if)#exit 

[local]PE1(config-ctx)#interface lo1 loopback 

[local]PE1(config-if)#ip address 5.5.5.5/32 

[local]PE1(config-if)#exit 

[local]PE1(config-ctx)#router ospf 1 

[local]PE1(config-ospf)#area 0.0.0.0 

[local]PE1(config-ospf-area)#interface 3/10 

[local]PE1(config-ospf-if)#exit 

[local]PE1(config-ospf-area)#interface lo1 

[local]PE1(config-ospf-if)#exit 

[local]PE1(config-ospf)#exit 

[local]PE1(config-ctx)#router mpls

[local]PE1(config-mpls)#interface 3/10 

[local]PE1(config-mpls-if)#exit 

[local]PE1(config-mpls)#exit 

[local]PE1(config-ctx)#router ldp 

[local]PE1(config-ldp)#interface 3/10 

[local]PE1(config-ldp)#exit 

[local]PE1(config-ctx)#router bgp 400 

[local]PE1(config-bgp)#address-family ipv4 unicast 

[local]PE1(config-bgp-af)#exit 

[local]PE1(config-bgp)#address-family ipv4 vpn 

[local]PE1(config-bgp-af)#exit 

[local]PE1(config-bgp)#neighbor 2.2.2.2 external 

[local]PE1(config-bgp-neighbor)#remote-as 200 

[local]PE1(config-bgp-neighbor)#advertisement-interval 1 

[local]PE1(config-bgp-neighbor)#ebgp-multihop 10 

[local]PE1(config-bgp-neighbor)#update-source lo1 

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE1(config-bgp-af)#exit 

[local]PE1(config-bgp-neighbor)#address-family ipv4 vpn 

[local]PE1(config-bgp-af)#next-hop-unchanged 

[local]PE1(config-bgp-af)#exit 

[local]PE1(config-bgp-neighbor)#exit 

[local]PE1(config-bgp)#neighbor 4.4.4.4 internal 

[local]PE1(config-bgp-neighbor)#advertisement-interval 1 

[local]PE1(config-bgp-neighbor)#update-source lo1 

[local]PE1(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE1(config-bgp-peer-af)#send label 

[local]PE1(config-bgp-peer-af)#exit 

[local]PE1(config-bgp-neighbor)#exit 

[local]PE1(config-bgp)#exit 

[local]PE1(config-ctx)#exit 

[local]PE1(config)#context vpn1 vpn-rd 2:2 

[local]PE1(config-ctx)#interface lo1 loopback 

[local]PE1(config-if)#ip address 55.55.55.55/32 

[local]PE1(config-if)#exit 

[local]PE1(config-ctx)#router bgp vpn 

[local]PE1(config-bgp)#address-family ipv4 unicast 

[local]PE1(config-bgp-af)#export route-target 2:2 

[local]PE1(config-bgp-af)#import route-target 2:2 

[local]PE1(config-bgp-af)#redistribute connected 

[local]PE1(config-bgp-af)#redistribute static 

[local]PE1(config-bgp-af)#exit 

[local]PE1(config-bgp)#exit 

[local]PE1(config-ctx)#exit 

[local]PE1(config)#card ether-12-port 3 

[local]PE1(config)#port ethernet 3/10 

[local]PE1(config-port)#no shutdown 

[local]PE1(config-port)#bind interface 3/10 local 

[local]PE1(config-port)#end 

The configuration for the ASBR1 router is:

[local]ASBR1#config 

[local]ASBR1(config)#service multiple-contexts 

[local]ASBR1(config)#context local 

[local]ASBR1(config-ctx)#no ip domain-lookup 

[local]ASBR1(config-ctx)#interface 3/2 

[local]ASBR1(config-if)#ip address 30.1.1.2/24 

[local]ASBR1(config-if)#exit 

[local]ASBR1(config-ctx)#interface 3/4 

[local]ASBR1(config-if)#ip address 40.1.1.1/24 

[local]ASBR1(config-if)#exit 

[local]ASBR1(config-ctx)#interface lo1 loopback 

[local]ASBR1(config-if)#ip address 4.4.4.4/32 

[local]ASBR1(config-if)#exit 

[local]ASBR1(config-ctx)#router ospf 1 

[local]ASBR1(config-ospf)#area 0.0.0.0 

[local]ASBR1(config-ospf-area)#interface lo1 

[local]ASBR1(config-ospf-if)#exit 

[local]ASBR1(config-ospf-area)#interface 3/2 

[local]ASBR1(config-ospf-if)#exit 

[local]ASBR1(config-ospf-area)#exit 

[local]ASBR1(config-ospf)#exit 

[local]ASBR1(config-ctx)#router mpls 

[local]ASBR1(config-mpls)#interface 3/2 

[local]ASBR1(config-mpls-if)#exit 

[local]ASBR1(config-mpls)#interface 3/4 

[local]ASBR1(config-mpls-if)#exit 

[local]ASBR1(config-mpls)#exit 

[local]ASBR1(config-ctx)#router ldp 

[local]ASBR1(config-ldp)#interface 3/2 

[local]ASBR1(config-ldp)#exit 

[local]ASBR1(config-ctx)#router bgp 400 

[local]ASBR1(config-bgp)#address-family ipv4 unicast 

[local]ASBR1(config-bgp-af)#redistribute ospf 1 

[local]ASBR1(config-bgp-af)#exit 

[local]ASBR1(config-bgp)#neighbor 5.5.5.5 internal 

[local]ASBR1(config-bgp-neighbor)#advertisement-interval 1 

[local]ASBR1(config-bgp-neighbor)#update-source lo1 

[local]ASBR1(config-bgp-neighbor)#next-hop-self 

[local]ASBR1(config-bgp-neighbor)#address-family ipv4 unicast 

[local]ASBR1(config-bgp-peer-af)#send label 

[local]ASBR1(config-bgp-peer-af)#exit 

[local]ASBR1(config-bgp-neighbor)#exit 

[local]ASBR1(config-bgp)#neighbor 40.1.1.2 external 

[local]ASBR1(config-bgp-neighbor)#remote-as 200 

[local]ASBR1(config-bgp-neighbor)#advertisement-interval 1 

[local]ASBR1(config-bgp-neighbor)#address-family ipv4 unicast 

[local]ASBR1(config-bgp-peer-af)#send label 

[local]ASBR1(config-bgp-peer-af)#exit 

[local]ASBR1(config-bgp-neighbor)#exit 

[local]ASBR1(config-bgp)#exit 

[local]ASBR1(config-ctx)#exit 

[local]ASBR1(config)#card ether-12-port 3 

[local]ASBR1(config)#port ethernet 3/2 

[local]ASBR1(config-port)#no shutdown 

[local]ASBR1(config-port)#bind interface 3/2 local 

[local]ASBR1(config-port)#exit 

[local]ASBR1(config)#port ethernet 3/4 

[local]ASBR1(config-port)#no shutdown 

[local]ASBR1(config-port)#bind interface 3/4 local 

[local]ASBR1(config-port)#end 

The configuration for the ASBR2 router is:

[local]ASBR2#config 

[local]ASBR2(config)#service multiple-contexts 

[local]ASBR2(config)#context local 

[local]ASBR2(config-ctx)#no ip domain-lookup 

[local]ASBR2(config-ctx)#interface 3/2 

[local]ASBR2(config-if)#ip address 40.1.1.2/24 

[local]ASBR2(config-if)#exit 

[local]ASBR2(config-ctx)#interface 3/4 

[local]ASBR2(config-if)#ip address 50.1.1.1/24 

[local]ASBR2(config-if)#exit 

[local]ASBR2(config-ctx)#interface lo1 loopback 

[local]ASBR2(config-if)#ip address 3.3.3.3/32 

[local]ASBR2(config-if)#exit 

[local]ASBR2(config-ctx)#router ospf 1 

[local]ASBR2(config-ospf)#area 0.0.0.0 

[local]ASBR2(config-ospf-area)#interface lo1 

[local]ASBR2(config-ospf-if)#exit 

[local]ASBR2(config-ospf-area)#interface 3/4 

[local]ASBR2(config-ospf-if)#exit 

[local]ASBR2(config-ospf-area)#exit 

[local]ASBR2(config-ospf)#exit 

[local]ASBR2(config-ctx)#router mpls 

[local]ASBR2(config-mpls)#interface 3/2 

[local]ASBR2(config-mpls-if)#exit 

[local]ASBR2(config-mpls)#interface 3/4 

[local]ASBR2(config-mpls-if)#exit 

[local]ASBR2(config-mpls)#exit 

[local]ASBR2(config-ctx)#router ldp 

[local]ASBR2(config-ldp)#interface 3/4 

[local]ASBR2(config-ldp)#exit 

[local]ASBR2(config-ctx)#router bgp 400 

[local]ASBR2(config-bgp)#address-family ipv4 unicast 

[local]ASBR2(config-bgp-af)#redistribute ospf 1 

[local]ASBR2(config-bgp-af)#exit 

[local]ASBR2(config-bgp)#neighbor 2.2.2.2 internal 

[local]ASBR2(config-bgp-neighbor)#advertisement-interval 1 

[local]ASBR2(config-bgp-neighbor)#update-source lo1 

[local]ASBR2(config-bgp-neighbor)#next-hop-self 

[local]ASBR2(config-bgp-neighbor)#address-family ipv4 unicast 

[local]ASBR2(config-bgp-peer-af)#send label 

[local]ASBR2(config-bgp-peer-af)#exit 

[local]ASBR2(config-bgp-neighbor)#exit 

[local]ASBR2(config-bgp)#neighbor 40.1.1.1 external 

[local]ASBR2(config-bgp-neighbor)#remote-as 200 

[local]ASBR2(config-bgp-neighbor)#advertisement-interval 1 

[local]ASBR2(config-bgp-neighbor)#address-family ipv4 unicast 

[local]ASBR2(config-bgp-peer-af)#send label 

[local]ASBR2(config-bgp-peer-af)#exit 

[local]ASBR2(config-bgp-neighbor)#exit 

[local]ASBR2(config-bgp)#exit 

[local]ASBR2(config-ctx)#exit 

[local]ASBR2(config)#card ether-12-port 3 

[local]ASBR2(config)#port ethernet 3/2 

[local]ASBR2(config-port)#no shutdown 

[local]ASBR2(config-port)#bind interface 3/2 local 

[local]ASBR2(config-port)#exit 

[local]ASBR2(config)#port ethernet 3/4 

[local]ASBR2(config-port)#no shutdown 

[local]ASBR2(config-port)#bind interface 3/4 local 

[local]ASBR2(config-port)#end 

The configuration for the PE2 router is:

[local]PE2#config

[local]PE2(config)#service multiple-contexts 

[local]PE2(config)#context local 

[local]PE2(config-ctx)#interface 3/10 

[local]PE2(config-if)#ip address 50.1.1.2/24 

[local]PE2(config-if)#exit 

[local]PE2(config-ctx)#interface lo1 loopback 

[local]PE2(config-if)#ip address 2.2.2.2/32 

[local]PE2(config-if)#exit 

[local]PE2(config-ctx)#router ospf 1 

[local]PE2(config-ospf)#area 0.0.0.0 

[local]PE2(config-ospf-area)#interface 3/10 

[local]PE2(config-ospf-if)#exit 

[local]PE2(config-ospf-area)#interface lo1 

[local]PE2(config-ospf-if)#exit 

[local]PE2(config-ospf)#exit 

[local]PE2(config-ctx)#router mpls

[local]PE2(config-mpls)#interface 3/10 

[local]PE2(config-mpls-if)#exit 

[local]PE2(config-mpls)#exit 

[local]PE2(config-ctx)#router ldp 

[local]PE2(config-ldp)#interface 3/10 

[local]PE2(config-ldp)#exit 

[local]PE2(config-ctx)#router bgp 400 

[local]PE2(config-bgp)#address-family ipv4 unicast 

[local]PE2(config-bgp-af)#exit 

[local]PE2(config-bgp)#address-family ipv4 vpn 

[local]PE2(config-bgp-af)#exit 

[local]PE2(config-bgp)#neighbor 5.5.5.5 external 

[local]PE2(config-bgp-neighbor)#remote-as 200 

[local]PE2(config-bgp-neighbor)#advertisement-interval 1 

[local]PE2(config-bgp-neighbor)#ebgp-multihop 10 

[local]PE2(config-bgp-neighbor)#update-source lo1 

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE2(config-bgp-af)#exit 

[local]PE2(config-bgp-neighbor)#address-family ipv4 vpn 

[local]PE2(config-bgp-af)#next-hop-unchanged 

[local]PE2(config-bgp-af)#exit 

[local]PE2(config-bgp-neighbor)#exit 

[local]PE2(config-bgp)#neighbor 3.3.3.3 internal 

[local]PE2(config-bgp-neighbor)#advertisement-interval 1 

[local]PE2(config-bgp-neighbor)#update-source lo1 

[local]PE2(config-bgp-neighbor)#address-family ipv4 unicast 

[local]PE2(config-bgp-peer-af)#send label 

[local]PE2(config-bgp-peer-af)#exit 

[local]PE2(config-bgp-neighbor)#exit 

[local]PE2(config-bgp)#exit 

[local]PE2(config-ctx)#exit 

[local]PE2(config)#context vpn1 vpn-rd 2:2 

[local]PE2(config-ctx)#interface lo1 loopback 

[local]PE2(config-if)#ip address 55.55.55.55/32 

[local]PE2(config-if)#exit 

[local]PE2(config-ctx)#router bgp vpn 

[local]PE2(config-bgp)#address-family ipv4 unicast 

[local]PE2(config-bgp-af)#export route-target 2:2 

[local]PE2(config-bgp-af)#import route-target 2:2 

[local]PE2(config-bgp-af)#redistribute connected 

[local]PE2(config-bgp-af)#redistribute static 

[local]PE2(config-bgp-af)#exit 

[local]PE2(config-bgp)#exit 

[local]PE2(config-ctx)#exit 

[local]PE2(config)#card ether-12-port 3 

[local]PE2(config)#port ethernet 3/10 

[local]PE2(config-port)#no shutdown 

[local]PE2(config-port)#bind interface 3/10 local 

[local]PE2(config-port)#end 

Reference List

[1] Troubleshooting MPLS.
[2] General Troubleshooting Guide.
[3] Data Collection Guideline.