Contents

Multiprotocol BGP MPLS VPN

A Multiprotocol Label Switching (MPLS) virtual private network (VPN) consists of a set of sites that are interconnected by means of an MPLS provider core network. At each site, there are one or more customer edge (CE) devices, which attach to one or more provider edge (PE) devices. PEs use the Multiprotocol-Border Gateway Protocol (MP-BGP) to dynamically communicate with each other.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Multiprotocol BGP MPLS VPN

Configure MPLS virtual private networks (VPNs) in the core.

Information About Multiprotocol BGP MPLS VPN

MPLS Virtual Private Network Definition

Before defining a Multiprotocol Label Switching virtual private network (MPLS VPN), you must define a VPN in general. A VPN is:

  • An IP-based network delivering private network services over a public infrastructure
  • A set of sites that are allowed to communicate with each other privately over the Internet or other public or private networks

Conventional VPNs are created by configuring a full mesh of tunnels or permanent virtual circuits (PVCs) to all sites in a VPN. This type of VPN is not easy to maintain or expand, because adding a new site requires changing each edge device in the VPN.

MPLS-based VPNs are created in Layer 3 and are based on the peer model. The peer model enables the service provider and the customer to exchange Layer 3 routing information. The service provider relays the data between the customer sites without the customer’s involvement.

MPLS VPNs are easier to manage and expand than conventional VPNs. When a new site is added to an MPLS VPN, only the service provider’s edge device that provides services to the customer site needs to be updated.

The different parts of the MPLS VPN are described as follows:

  • Provider (P) device—Device in the core of the provider network. P devices run MPLS switching, and do not attach VPN labels to routed packets. The MPLS label in each route is assigned by the provider edge (PE) device. VPN labels are used to direct data packets to the correct egress device.
  • PE device—Device that attaches the VPN label to incoming packets based on the interface or subinterface on which they are received. A PE device attaches directly to a customer edge (CE) device.
  • Customer (C) device—Device in the ISP or enterprise network.
  • CE device—Edge device on the network of the ISP that connects to the PE device on the network. A CE device must interface with a PE device.

The figure below shows a basic MPLS VPN.

Figure 1. Basic MPLS VPN Terminology

How an MPLS Virtual Private Network Works

Multiprotocol Label Switching virtual private network (MPLS VPN) functionality is enabled at the edge of an MPLS network. The provider edge (PE) device performs the following:

  • Exchanges routing updates with the customer edge (CE) device.
  • Translates the CE routing information into VPNv4 routes.
  • Exchanges VPNv4 routes with other PE devices through the Multiprotocol Border Gateway Protocol (MP-BGP).

The following sections describe how MPLS VPN works:

How Virtual Routing and Forwarding Tables Work in an MPLS Virtual Private Network

Each virtual private network (VPN) is associated with one or more virtual routing and forwarding (VRF) instances. A VRF defines the VPN membership of a customer site attached to a PE device. A VRF consists of the following components:

  • An IP routing table
  • A derived Cisco Express Forwarding table
  • A set of interfaces that use the forwarding table
  • A set of rules and routing protocol parameters that control the information that is included in the routing table

A one-to-one relationship does not necessarily exist between customer sites and VPNs. A site can be a member of multiple VPNs. However, a site can associate with only one VRF. A site’s VRF contains all the routes available to the site from the VPNs of which it is a member.

Packet forwarding information is stored in the IP routing table and the Cisco Express Forwarding table for each VRF. A separate set of routing and Cisco Express Forwarding tables is maintained for each VRF. These tables prevent information from being forwarded outside a VPN, and they also prevent packets that are outside a VPN from being forwarded to a device within the VPN.

How VPN Routing Information Is Distributed in an MPLS Virtual Private Network

The distribution of virtual private network (VPN) routing information is controlled through the use of VPN route target communities, implemented by Border Gateway Protocol (BGP) extended communities. VPN routing information is distributed as follows:

  • When a VPN route that is learned from a customer edge (CE) device is injected into BGP, a list of VPN route target extended community attributes is associated with it. Typically the list of route target community extended values is set from an export list of route targets associated with the virtual routing and forwarding (VRF) instance from which the route was learned.
  • An import list of route target extended communities is associated with each VRF. The import list defines route target extended community attributes that a route must have in order for the route to be imported into the VRF. For example, if the import list for a particular VRF includes route target extended communities A, B, and C, then any VPN route that carries any of those route target extended communities—A, B, or C—is imported into the VRF.

BGP Distribution of VPN Routing Information

A provider edge (PE) device can learn an IP prefix from the following sources:

  • A customer edge (CE) device by static configuration
  • A Border Gateway Protocol (BGP) session with the CE device
  • A Routing Information Protocol (RIP) exchange with the CE device

The IP prefix is a member of the IPv4 address family. After the PE device learns the IP prefix, the PE converts it into a VPN-IPv4 prefix by combining it with an 8-byte route distinguisher (RD). The generated prefix is a member of the VPN-IPv4 address family. It uniquely identifies the customer address, even if the customer site is using globally nonunique (unregistered private) IP addresses. The route distinguisher used to generate the VPN-IPv4 prefix is specified by a configuration command associated with the virtual routing and forwarding (VRF) instance on the PE device.

BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP communication occurs at two levels:

  • Within an IP domains, known as an autonomous system (interior BGP [IBGP])
  • Between autonomous systems (external BGP [EBGP])

PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and PE-CE sessions are EBGP sessions. In an Enhanced Interior Gateway Routing Protocol (EIGRP) PE-CE environment, when an EIGRP internal route is redistributed into BGP by one PE, and then back into EIGRP by another PE, the originating router ID for the route is set to the router ID of the second PE, replacing the original internal router ID.

BGP propagates reachability information for VPN-IPv4 prefixes among PE devices by means of the BGP multiprotocol extensions (refer to RFC 2283, Multiprotocol Extensions for BGP-4), which define support for address families other than IPv4. Using the extensions ensures that the routes for a given VPN are learned only by other members of that VPN, enabling members of the VPN to communicate with each other.

Major Components of an MPLS Virtual Private Network

An Multiprotocol Label Switching (MPLS)-based virtual private network (VPN) has three major components:

  • VPN route target communities—A VPN route target community is a list of all members of a VPN community. VPN route targets need to be configured for each VPN community member.
  • Multiprotocol BGP (MP-BGP) peering of VPN community provider edge (PE) devices—MP-BGP propagates virtual routing and forwarding (VRF) reachability information to all members of a VPN community. MP-BGP peering must be configured on all PE devices within a VPN community.
  • MPLS forwarding—MPLS transports all traffic between all VPN community members across a VPN service-provider network.

A one-to-one relationship does not necessarily exist between customer sites and VPNs. A given site can be a member of multiple VPNs. However, a site can associate with only one VRF. A customer-site VRF contains all the routes available to the site from the VPNs of which it is a member.

How to Configure Multiprotocol BGP MPLS VPN

Configuring Multiprotocol BGP Connectivity on the PE Devices and Route Reflectors

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    router bgp as-number

    4.    no bgp default ipv4-unicast

    5.    neighbor {ip-address | peer-group-name} remote-as as-number

    6.    neighbor {ip-address | peer-group-name} activate

    7.    address-family vpnv4 [unicast]

    8.    neighbor {ip-address | peer-group-name} send-community extended

    9.    neighbor {ip-address | peer-group-name} activate

    10.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 router bgp as-number


    Example:
    Device(config)# router bgp 100
     

    Configures a Border Gateway Protocol (BGP) routing process and enters router configuration mode.

    • The as-number argument indicates the number of an autonomous system that identifies the device to other BGP devices and tags the routing information passed along. The range is 0 to 65535. Private autonomous system numbers that can be used in internal networks are 64512 to 65535.
     
    Step 4 no bgp default ipv4-unicast


    Example:
    Device(config-router)# no bgp default ipv4-unicast
     

    (Optional) Disables the IPv4 unicast address family on all neighbors.

    • Use the no bgp default ipv4-unicast command if you are using this neighbor for Multiprotocol Label Switching (MPLS) routes only.
     
    Step 5 neighbor {ip-address | peer-group-name} remote-as as-number


    Example:
    Device(config-router)# neighbor 10.0.0.1 remote-as 100
     

    Adds an entry to the BGP or multiprotocol BGP neighbor table.

    • The ip-address argument specifies the IP address of the neighbor.
    • The peer-group-name argument specifies the name of a BGP peer group.
    • The as-number argument specifies the autonomous system to which the neighbor belongs.
     
    Step 6 neighbor {ip-address | peer-group-name} activate


    Example:
    Device(config-router)# neighbor 10.0.0.1 activate
     

    Enables the exchange of information with a neighboring BGP device.

    • The ip-address argument specifies the IP address of the neighbor.
    • The peer-group-name argument specifies the name of a BGP peer group.
     
    Step 7 address-family vpnv4 [unicast]


    Example:
    Device(config-router)# address-family vpnv4
     

    Enters address family configuration mode for configuring routing sessions, such as BGP, that use standard VPNv4 address prefixes.

    • The optional unicast keyword specifies VPNv4 unicast address prefixes.
     
    Step 8 neighbor {ip-address | peer-group-name} send-community extended


    Example:
    Device(config-router-af)# neighbor 10.0.0.1 send-community extended
     

    Specifies that a communities attribute should be sent to a BGP neighbor.

    • The ip-address argument specifies the IP address of the BGP-speaking neighbor.
    • The peer-group-name argument specifies the name of a BGP peer group.
     
    Step 9 neighbor {ip-address | peer-group-name} activate


    Example:
    Device(config-router-af)# neighbor 10.0.0.1 activate
     

    Enables the exchange of information with a neighboring BGP device.

    • The ip-address argument specifies the IP address of the neighbor.
    • The peer-group-name argument specifies the name of a BGP peer group.
     
    Step 10 end


    Example:
    Device(config-router-af)# end
     

    (Optional) Exits to privileged EXEC mode.

     

    Troubleshooting Tips

    You can enter a show ip bgp neighbor command to verify that the neighbors are up and running. If this command is not successful, enter a debug ip bgp ip-address events command, where ip-address is the IP address of the neighbor.

    Configuring BGP as the Routing Protocol Between the PE and CE Devices

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    router bgp as-number

      4.    address-family ipv4 [multicast | unicast | vrf vrf-name]

      5.    neighbor {ip-address | peer-group-name} remote-as as-number

      6.    neighbor {ip-address | peer-group-name} activate

      7.    exit-address-family

      8.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 router bgp as-number


      Example:
      Device(config)# router bgp 100
       

      Configures a Border Gateway Protocol (BGP) routing process and enters router configuration mode.

      • The as-number argument indicates the number of an autonomous system that identifies the device to other BGP devices and tags the routing information passed along. The range is 0 to 65535. Private autonomous system numbers that can be used in internal networks range from 64512 to 65535.
       
      Step 4 address-family ipv4 [multicast | unicast | vrf vrf-name]


      Example:
      Device(config-router)# address-family ipv4 vrf vpn1
       

      Specifies the IPv4 address family type and enters address family configuration mode.

      • The multicast keyword specifies IPv4 multicast address prefixes.
      • The unicast keyword specifies IPv4 unicast address prefixes.
      • The vrf vrf-name keyword and argument specify the name of the VRF to associate with subsequent IPv4 address family configuration mode commands.
       
      Step 5 neighbor {ip-address | peer-group-name} remote-as as-number


      Example:
      Device(config-router-af)# neighbor 10.0.0.1 remote-as 200
       

      Adds an entry to the BGP or multiprotocol BGP neighbor table.

      • The ip-address argument specifies the IP address of the neighbor.
      • The peer-group-name argument specifies the name of a BGP peer group.
      • The as-number argument specifies the autonomous system to which the neighbor belongs.
       
      Step 6 neighbor {ip-address | peer-group-name} activate


      Example:
      Device(config-router-af)# neighbor 10.0.0.1 activate
       

      Enables the exchange of information with a neighboring BGP device.

      • The ip-address argument specifies the IP address of the neighbor.
      • The peer-group-name argument specifies the name of a BGP peer group.
       
      Step 7 exit-address-family


      Example:
      Device(config-router-af)# exit-address-family
       

      Exits address family configuration mode.

       
      Step 8 end


      Example:
      Device(config-router)# end
       

      (Optional) Exits to privileged EXEC mode.

       

      Verifying the Virtual Private Network Configuration

      A route distinguisher must be configured for the virtual routing and forwarding (VRF) instance, and Multiprotocol Label Switching (MPLS) must be configured on the interfaces that carry the VRF. Use the show ip vrf command to verify the route distinguisher (RD) and interface that are configured for the VRF.

      SUMMARY STEPS

        1.    show ip vrf


      DETAILED STEPS
      show ip vrf

      Displays the set of defined VRF instances and associated interfaces. The output also maps the VRF instances to the configured route distinguisher.


      Verifying Connectivity Between MPLS Virtual Private Network Sites

      To verify that the local and remote customer edge (CE) devices can communicate across the Multiprotocol Label Switching (MPLS) core, perform the following tasks:

      Verifying IP Connectivity from CE Device to CE Device Across the MPLS Core

      SUMMARY STEPS

        1.    enable

        2.    ping [protocol] {host-name | system-address}

        3.    trace [protocol] [destination]

        4.    show ip route [ip-address [mask] [longer-prefixes]] | protocol [process-id]] | [list [access-list-name | access-list-number]


      DETAILED STEPS
        Step 1   enable

        Enables privileged EXEC mode.

        Step 2   ping [protocol] {host-name | system-address}

        Diagnoses basic network connectivity on AppleTalk, Connectionless-mode Network Service (CLNS), IP, Novell, Apollo, Virtual Integrated Network Service (VINES), DECnet, or Xerox Network Service (XNS) networks. Use the ping command to verify the connectivity from one CE device to another.

        Step 3   trace [protocol] [destination]

        Discovers the routes that packets take when traveling to their destination. The trace command can help isolate a trouble spot if two devices cannot communicate.

        Step 4   show ip route [ip-address [mask] [longer-prefixes]] | protocol [process-id]] | [list [access-list-name | access-list-number]

        Displays the current state of the routing table. Use the ip-address argument to verify that CE1 has a route to CE2. Verify the routes learned by CE1. Make sure that the route for CE2 is listed.


        Verifying That the Local and Remote CE Devices Are in the PE Routing Table

        SUMMARY STEPS

          1.    enable

          2.    show ip route vrf vrf-name [prefix]

          3.    show ip cef vrf vrf-name [ip-prefix]


        DETAILED STEPS
          Step 1   enable

          Enables privileged EXEC mode.

          Step 2   show ip route vrf vrf-name [prefix]

          Displays the IP routing table associated with a virtual routing and forwarding (VRF) instance. Check that the loopback addresses of the local and remote customer edge (CE) devices are in the routing table of the provider edge (PE) devices.

          Step 3   show ip cef vrf vrf-name [ip-prefix]

          Displays the Cisco Express Forwarding forwarding table associated with a VRF. Check that the prefix of the remote CE device is in the Cisco Express Forwarding table.


          Configuration Examples for Multiprotocol BGP MPLS VPN

          Example: Configuring an MPLS Virtual Private Network Using BGP

          PE Configuration

          CE Configuration

          ip vrf vpn1
           rd 100:1
           route-target export 100:1
           route-target import 100:1
          !
          ip cef
          mpls ldp router-id Loopback0 force
          mpls label protocol ldp
          !
          interface Loopback0
           ip address 10.0.0.1 255.255.255.255
          !
          interface FastEthernet0/0/0
           ip vrf forwarding vpn1
           ip address 192.0.2.3 255.255.255.0
           no cdp enable
          !
          interface FastEthernet1/1/0
          ip address 192.0.2.2 255.255.255.0
          mpls label protocol ldp
          mpls ip
          !
          router ospf 100
          network 10.0.0. 0.0.0.0 area 100
          network 192.0.2.1 255.255.255.0 area 100
          !
          router bgp 100
           no synchronization
           bgp log-neighbor changes
           neighbor 10.0.0.3 remote-as 100
           neighbor 10.0.0.3 update-source Loopback0
          no auto-summary
           !        
          address-family vpnv4
           neighbor 10.0.0.3 activate
           neighbor 10.0.0.3 send-community extended
           bgp scan-time import 5
           exit-address-family
           !        
          address-family ipv4 vrf vpn1
           redistribute connected
           neighbor 198.51.100.1 remote-as 200
           neighbor 198.51.100.1 activate
           neighbor 198.51.100.1 as-override
           neighbor 198.51.100.1 advertisement-interval 5
           no auto-summary
           no synchronization
           exit-address-family
          ip cef
          mpls ldp router-id Loopback0 force
          mpls label protocol ldp
          !
          interface Loopback0
           ip address 10.0.0.9 255.255.255.255
          !
          interface FastEthernet0/0
           ip address 198.51.100.1 255.255.255.0
           no cdp enable
          !
          router bgp 200
           bgp log-neighbor-changes
           neighbor 198.51.100.2 remote-as 100
           !        
          address-family ipv4
           redistribute connected
           neighbor 198.51.100.2 activate
           neighbor 198.51.100.2 advertisement-interval 5
           no auto-summary
           no synchronization
           exit-address-family

          Additional References

          Related Documents

          Related Topic

          Document Title

          Cisco IOS commands

          Cisco IOS Master Command List, All Releases

          Description of commands associated with MPLS and MPLS applications

          Cisco IOS Multiprotocol Label Switching Command Reference

          Configuring MPLS virtual private networks

          “MPLS Virtual Private Networks” module in the MPLS Layer 3 VPNs Configuration Guide

          Standards and RFCs

          RFC

          Title

          RFC 2283

          Multiprotocol Extensions for BGP-4

          RFC 2547

          BGP/MPLS VPNs

          Technical Assistance

          Description

          Link

          The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

          http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

          Feature Information for Multiprotocol BGP MPLS VPN

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

          Table 1 Feature Information for Multiprotocol BGP MPLS VPN

          Feature Name

          Releases

          Feature Information

          Multiprotocol BGP MPLS VPN

          12.0(11)ST

          12.2(9)S

          12.2(17b)SXA

          12.2(27)SBB

          12.3(8)T

          15.2(1)S

          Cisco IOS XE Release 2.1

          Cisco IOS XE Release 3.5S

          An MPLS VPN consists of a set of sites that are interconnected through the MPLS provider core network. At each site, there are one or more CEs, which attach to one or more PEs. The Multiprotocol BGP MPLS VPN feature allows PEs to use the MP-BGP to dynamically communicate with each other.

          In Cisco IOS Release 12.0(11)ST, this feature was introduced.

          In Cisco IOS Release 12.2(9)S, 12.2(17b)SXA, 12.2(27)SBB, 12.3(8)T, and 15.2(1)S, this feature was integrated.

          In Cisco IOS XE Release 2.1, this feature was implemented on Cisco ASR 1000 Series Routers.

          In Cisco IOS XE Release 3.5S, support was added for the Cisco ASR 903 Router.

          No commands were introduced or modified.


          Multiprotocol BGP MPLS VPN

          Contents

          Multiprotocol BGP MPLS VPN

          A Multiprotocol Label Switching (MPLS) virtual private network (VPN) consists of a set of sites that are interconnected by means of an MPLS provider core network. At each site, there are one or more customer edge (CE) devices, which attach to one or more provider edge (PE) devices. PEs use the Multiprotocol-Border Gateway Protocol (MP-BGP) to dynamically communicate with each other.

          Finding Feature Information

          Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

          Prerequisites for Multiprotocol BGP MPLS VPN

          Configure MPLS virtual private networks (VPNs) in the core.

          Information About Multiprotocol BGP MPLS VPN

          MPLS Virtual Private Network Definition

          Before defining a Multiprotocol Label Switching virtual private network (MPLS VPN), you must define a VPN in general. A VPN is:

          • An IP-based network delivering private network services over a public infrastructure
          • A set of sites that are allowed to communicate with each other privately over the Internet or other public or private networks

          Conventional VPNs are created by configuring a full mesh of tunnels or permanent virtual circuits (PVCs) to all sites in a VPN. This type of VPN is not easy to maintain or expand, because adding a new site requires changing each edge device in the VPN.

          MPLS-based VPNs are created in Layer 3 and are based on the peer model. The peer model enables the service provider and the customer to exchange Layer 3 routing information. The service provider relays the data between the customer sites without the customer’s involvement.

          MPLS VPNs are easier to manage and expand than conventional VPNs. When a new site is added to an MPLS VPN, only the service provider’s edge device that provides services to the customer site needs to be updated.

          The different parts of the MPLS VPN are described as follows:

          • Provider (P) device—Device in the core of the provider network. P devices run MPLS switching, and do not attach VPN labels to routed packets. The MPLS label in each route is assigned by the provider edge (PE) device. VPN labels are used to direct data packets to the correct egress device.
          • PE device—Device that attaches the VPN label to incoming packets based on the interface or subinterface on which they are received. A PE device attaches directly to a customer edge (CE) device.
          • Customer (C) device—Device in the ISP or enterprise network.
          • CE device—Edge device on the network of the ISP that connects to the PE device on the network. A CE device must interface with a PE device.

          The figure below shows a basic MPLS VPN.

          Figure 1. Basic MPLS VPN Terminology

          How an MPLS Virtual Private Network Works

          Multiprotocol Label Switching virtual private network (MPLS VPN) functionality is enabled at the edge of an MPLS network. The provider edge (PE) device performs the following:

          • Exchanges routing updates with the customer edge (CE) device.
          • Translates the CE routing information into VPNv4 routes.
          • Exchanges VPNv4 routes with other PE devices through the Multiprotocol Border Gateway Protocol (MP-BGP).

          The following sections describe how MPLS VPN works:

          How Virtual Routing and Forwarding Tables Work in an MPLS Virtual Private Network

          Each virtual private network (VPN) is associated with one or more virtual routing and forwarding (VRF) instances. A VRF defines the VPN membership of a customer site attached to a PE device. A VRF consists of the following components:

          • An IP routing table
          • A derived Cisco Express Forwarding table
          • A set of interfaces that use the forwarding table
          • A set of rules and routing protocol parameters that control the information that is included in the routing table

          A one-to-one relationship does not necessarily exist between customer sites and VPNs. A site can be a member of multiple VPNs. However, a site can associate with only one VRF. A site’s VRF contains all the routes available to the site from the VPNs of which it is a member.

          Packet forwarding information is stored in the IP routing table and the Cisco Express Forwarding table for each VRF. A separate set of routing and Cisco Express Forwarding tables is maintained for each VRF. These tables prevent information from being forwarded outside a VPN, and they also prevent packets that are outside a VPN from being forwarded to a device within the VPN.

          How VPN Routing Information Is Distributed in an MPLS Virtual Private Network

          The distribution of virtual private network (VPN) routing information is controlled through the use of VPN route target communities, implemented by Border Gateway Protocol (BGP) extended communities. VPN routing information is distributed as follows:

          • When a VPN route that is learned from a customer edge (CE) device is injected into BGP, a list of VPN route target extended community attributes is associated with it. Typically the list of route target community extended values is set from an export list of route targets associated with the virtual routing and forwarding (VRF) instance from which the route was learned.
          • An import list of route target extended communities is associated with each VRF. The import list defines route target extended community attributes that a route must have in order for the route to be imported into the VRF. For example, if the import list for a particular VRF includes route target extended communities A, B, and C, then any VPN route that carries any of those route target extended communities—A, B, or C—is imported into the VRF.

          BGP Distribution of VPN Routing Information

          A provider edge (PE) device can learn an IP prefix from the following sources:

          • A customer edge (CE) device by static configuration
          • A Border Gateway Protocol (BGP) session with the CE device
          • A Routing Information Protocol (RIP) exchange with the CE device

          The IP prefix is a member of the IPv4 address family. After the PE device learns the IP prefix, the PE converts it into a VPN-IPv4 prefix by combining it with an 8-byte route distinguisher (RD). The generated prefix is a member of the VPN-IPv4 address family. It uniquely identifies the customer address, even if the customer site is using globally nonunique (unregistered private) IP addresses. The route distinguisher used to generate the VPN-IPv4 prefix is specified by a configuration command associated with the virtual routing and forwarding (VRF) instance on the PE device.

          BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP communication occurs at two levels:

          • Within an IP domains, known as an autonomous system (interior BGP [IBGP])
          • Between autonomous systems (external BGP [EBGP])

          PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and PE-CE sessions are EBGP sessions. In an Enhanced Interior Gateway Routing Protocol (EIGRP) PE-CE environment, when an EIGRP internal route is redistributed into BGP by one PE, and then back into EIGRP by another PE, the originating router ID for the route is set to the router ID of the second PE, replacing the original internal router ID.

          BGP propagates reachability information for VPN-IPv4 prefixes among PE devices by means of the BGP multiprotocol extensions (refer to RFC 2283, Multiprotocol Extensions for BGP-4), which define support for address families other than IPv4. Using the extensions ensures that the routes for a given VPN are learned only by other members of that VPN, enabling members of the VPN to communicate with each other.

          Major Components of an MPLS Virtual Private Network

          An Multiprotocol Label Switching (MPLS)-based virtual private network (VPN) has three major components:

          • VPN route target communities—A VPN route target community is a list of all members of a VPN community. VPN route targets need to be configured for each VPN community member.
          • Multiprotocol BGP (MP-BGP) peering of VPN community provider edge (PE) devices—MP-BGP propagates virtual routing and forwarding (VRF) reachability information to all members of a VPN community. MP-BGP peering must be configured on all PE devices within a VPN community.
          • MPLS forwarding—MPLS transports all traffic between all VPN community members across a VPN service-provider network.

          A one-to-one relationship does not necessarily exist between customer sites and VPNs. A given site can be a member of multiple VPNs. However, a site can associate with only one VRF. A customer-site VRF contains all the routes available to the site from the VPNs of which it is a member.

          How to Configure Multiprotocol BGP MPLS VPN

          Configuring Multiprotocol BGP Connectivity on the PE Devices and Route Reflectors

          SUMMARY STEPS

            1.    enable

            2.    configure terminal

            3.    router bgp as-number

            4.    no bgp default ipv4-unicast

            5.    neighbor {ip-address | peer-group-name} remote-as as-number

            6.    neighbor {ip-address | peer-group-name} activate

            7.    address-family vpnv4 [unicast]

            8.    neighbor {ip-address | peer-group-name} send-community extended

            9.    neighbor {ip-address | peer-group-name} activate

            10.    end


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Device> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.
             
            Step 2 configure terminal


            Example:
            Device# configure terminal
             

            Enters global configuration mode.

             
            Step 3 router bgp as-number


            Example:
            Device(config)# router bgp 100
             

            Configures a Border Gateway Protocol (BGP) routing process and enters router configuration mode.

            • The as-number argument indicates the number of an autonomous system that identifies the device to other BGP devices and tags the routing information passed along. The range is 0 to 65535. Private autonomous system numbers that can be used in internal networks are 64512 to 65535.
             
            Step 4 no bgp default ipv4-unicast


            Example:
            Device(config-router)# no bgp default ipv4-unicast
             

            (Optional) Disables the IPv4 unicast address family on all neighbors.

            • Use the no bgp default ipv4-unicast command if you are using this neighbor for Multiprotocol Label Switching (MPLS) routes only.
             
            Step 5 neighbor {ip-address | peer-group-name} remote-as as-number


            Example:
            Device(config-router)# neighbor 10.0.0.1 remote-as 100
             

            Adds an entry to the BGP or multiprotocol BGP neighbor table.

            • The ip-address argument specifies the IP address of the neighbor.
            • The peer-group-name argument specifies the name of a BGP peer group.
            • The as-number argument specifies the autonomous system to which the neighbor belongs.
             
            Step 6 neighbor {ip-address | peer-group-name} activate


            Example:
            Device(config-router)# neighbor 10.0.0.1 activate
             

            Enables the exchange of information with a neighboring BGP device.

            • The ip-address argument specifies the IP address of the neighbor.
            • The peer-group-name argument specifies the name of a BGP peer group.
             
            Step 7 address-family vpnv4 [unicast]


            Example:
            Device(config-router)# address-family vpnv4
             

            Enters address family configuration mode for configuring routing sessions, such as BGP, that use standard VPNv4 address prefixes.

            • The optional unicast keyword specifies VPNv4 unicast address prefixes.
             
            Step 8 neighbor {ip-address | peer-group-name} send-community extended


            Example:
            Device(config-router-af)# neighbor 10.0.0.1 send-community extended
             

            Specifies that a communities attribute should be sent to a BGP neighbor.

            • The ip-address argument specifies the IP address of the BGP-speaking neighbor.
            • The peer-group-name argument specifies the name of a BGP peer group.
             
            Step 9 neighbor {ip-address | peer-group-name} activate


            Example:
            Device(config-router-af)# neighbor 10.0.0.1 activate
             

            Enables the exchange of information with a neighboring BGP device.

            • The ip-address argument specifies the IP address of the neighbor.
            • The peer-group-name argument specifies the name of a BGP peer group.
             
            Step 10 end


            Example:
            Device(config-router-af)# end
             

            (Optional) Exits to privileged EXEC mode.

             

            Troubleshooting Tips

            You can enter a show ip bgp neighbor command to verify that the neighbors are up and running. If this command is not successful, enter a debug ip bgp ip-address events command, where ip-address is the IP address of the neighbor.

            Configuring BGP as the Routing Protocol Between the PE and CE Devices

            SUMMARY STEPS

              1.    enable

              2.    configure terminal

              3.    router bgp as-number

              4.    address-family ipv4 [multicast | unicast | vrf vrf-name]

              5.    neighbor {ip-address | peer-group-name} remote-as as-number

              6.    neighbor {ip-address | peer-group-name} activate

              7.    exit-address-family

              8.    end


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 enable


              Example:
              Device> enable
               

              Enables privileged EXEC mode.

              • Enter your password if prompted.
               
              Step 2 configure terminal


              Example:
              Device# configure terminal
               

              Enters global configuration mode.

               
              Step 3 router bgp as-number


              Example:
              Device(config)# router bgp 100
               

              Configures a Border Gateway Protocol (BGP) routing process and enters router configuration mode.

              • The as-number argument indicates the number of an autonomous system that identifies the device to other BGP devices and tags the routing information passed along. The range is 0 to 65535. Private autonomous system numbers that can be used in internal networks range from 64512 to 65535.
               
              Step 4 address-family ipv4 [multicast | unicast | vrf vrf-name]


              Example:
              Device(config-router)# address-family ipv4 vrf vpn1
               

              Specifies the IPv4 address family type and enters address family configuration mode.

              • The multicast keyword specifies IPv4 multicast address prefixes.
              • The unicast keyword specifies IPv4 unicast address prefixes.
              • The vrf vrf-name keyword and argument specify the name of the VRF to associate with subsequent IPv4 address family configuration mode commands.
               
              Step 5 neighbor {ip-address | peer-group-name} remote-as as-number


              Example:
              Device(config-router-af)# neighbor 10.0.0.1 remote-as 200
               

              Adds an entry to the BGP or multiprotocol BGP neighbor table.

              • The ip-address argument specifies the IP address of the neighbor.
              • The peer-group-name argument specifies the name of a BGP peer group.
              • The as-number argument specifies the autonomous system to which the neighbor belongs.
               
              Step 6 neighbor {ip-address | peer-group-name} activate


              Example:
              Device(config-router-af)# neighbor 10.0.0.1 activate
               

              Enables the exchange of information with a neighboring BGP device.

              • The ip-address argument specifies the IP address of the neighbor.
              • The peer-group-name argument specifies the name of a BGP peer group.
               
              Step 7 exit-address-family


              Example:
              Device(config-router-af)# exit-address-family
               

              Exits address family configuration mode.

               
              Step 8 end


              Example:
              Device(config-router)# end
               

              (Optional) Exits to privileged EXEC mode.

               

              Verifying the Virtual Private Network Configuration

              A route distinguisher must be configured for the virtual routing and forwarding (VRF) instance, and Multiprotocol Label Switching (MPLS) must be configured on the interfaces that carry the VRF. Use the show ip vrf command to verify the route distinguisher (RD) and interface that are configured for the VRF.

              SUMMARY STEPS

                1.    show ip vrf


              DETAILED STEPS
              show ip vrf

              Displays the set of defined VRF instances and associated interfaces. The output also maps the VRF instances to the configured route distinguisher.


              Verifying Connectivity Between MPLS Virtual Private Network Sites

              To verify that the local and remote customer edge (CE) devices can communicate across the Multiprotocol Label Switching (MPLS) core, perform the following tasks:

              Verifying IP Connectivity from CE Device to CE Device Across the MPLS Core

              SUMMARY STEPS

                1.    enable

                2.    ping [protocol] {host-name | system-address}

                3.    trace [protocol] [destination]

                4.    show ip route [ip-address [mask] [longer-prefixes]] | protocol [process-id]] | [list [access-list-name | access-list-number]


              DETAILED STEPS
                Step 1   enable

                Enables privileged EXEC mode.

                Step 2   ping [protocol] {host-name | system-address}

                Diagnoses basic network connectivity on AppleTalk, Connectionless-mode Network Service (CLNS), IP, Novell, Apollo, Virtual Integrated Network Service (VINES), DECnet, or Xerox Network Service (XNS) networks. Use the ping command to verify the connectivity from one CE device to another.

                Step 3   trace [protocol] [destination]

                Discovers the routes that packets take when traveling to their destination. The trace command can help isolate a trouble spot if two devices cannot communicate.

                Step 4   show ip route [ip-address [mask] [longer-prefixes]] | protocol [process-id]] | [list [access-list-name | access-list-number]

                Displays the current state of the routing table. Use the ip-address argument to verify that CE1 has a route to CE2. Verify the routes learned by CE1. Make sure that the route for CE2 is listed.


                Verifying That the Local and Remote CE Devices Are in the PE Routing Table

                SUMMARY STEPS

                  1.    enable

                  2.    show ip route vrf vrf-name [prefix]

                  3.    show ip cef vrf vrf-name [ip-prefix]


                DETAILED STEPS
                  Step 1   enable

                  Enables privileged EXEC mode.

                  Step 2   show ip route vrf vrf-name [prefix]

                  Displays the IP routing table associated with a virtual routing and forwarding (VRF) instance. Check that the loopback addresses of the local and remote customer edge (CE) devices are in the routing table of the provider edge (PE) devices.

                  Step 3   show ip cef vrf vrf-name [ip-prefix]

                  Displays the Cisco Express Forwarding forwarding table associated with a VRF. Check that the prefix of the remote CE device is in the Cisco Express Forwarding table.


                  Configuration Examples for Multiprotocol BGP MPLS VPN

                  Example: Configuring an MPLS Virtual Private Network Using BGP

                  PE Configuration

                  CE Configuration

                  ip vrf vpn1
                   rd 100:1
                   route-target export 100:1
                   route-target import 100:1
                  !
                  ip cef
                  mpls ldp router-id Loopback0 force
                  mpls label protocol ldp
                  !
                  interface Loopback0
                   ip address 10.0.0.1 255.255.255.255
                  !
                  interface FastEthernet0/0/0
                   ip vrf forwarding vpn1
                   ip address 192.0.2.3 255.255.255.0
                   no cdp enable
                  !
                  interface FastEthernet1/1/0
                  ip address 192.0.2.2 255.255.255.0
                  mpls label protocol ldp
                  mpls ip
                  !
                  router ospf 100
                  network 10.0.0. 0.0.0.0 area 100
                  network 192.0.2.1 255.255.255.0 area 100
                  !
                  router bgp 100
                   no synchronization
                   bgp log-neighbor changes
                   neighbor 10.0.0.3 remote-as 100
                   neighbor 10.0.0.3 update-source Loopback0
                  no auto-summary
                   !        
                  address-family vpnv4
                   neighbor 10.0.0.3 activate
                   neighbor 10.0.0.3 send-community extended
                   bgp scan-time import 5
                   exit-address-family
                   !        
                  address-family ipv4 vrf vpn1
                   redistribute connected
                   neighbor 198.51.100.1 remote-as 200
                   neighbor 198.51.100.1 activate
                   neighbor 198.51.100.1 as-override
                   neighbor 198.51.100.1 advertisement-interval 5
                   no auto-summary
                   no synchronization
                   exit-address-family
                  ip cef
                  mpls ldp router-id Loopback0 force
                  mpls label protocol ldp
                  !
                  interface Loopback0
                   ip address 10.0.0.9 255.255.255.255
                  !
                  interface FastEthernet0/0
                   ip address 198.51.100.1 255.255.255.0
                   no cdp enable
                  !
                  router bgp 200
                   bgp log-neighbor-changes
                   neighbor 198.51.100.2 remote-as 100
                   !        
                  address-family ipv4
                   redistribute connected
                   neighbor 198.51.100.2 activate
                   neighbor 198.51.100.2 advertisement-interval 5
                   no auto-summary
                   no synchronization
                   exit-address-family

                  Additional References

                  Related Documents

                  Related Topic

                  Document Title

                  Cisco IOS commands

                  Cisco IOS Master Command List, All Releases

                  Description of commands associated with MPLS and MPLS applications

                  Cisco IOS Multiprotocol Label Switching Command Reference

                  Configuring MPLS virtual private networks

                  “MPLS Virtual Private Networks” module in the MPLS Layer 3 VPNs Configuration Guide

                  Standards and RFCs

                  RFC

                  Title

                  RFC 2283

                  Multiprotocol Extensions for BGP-4

                  RFC 2547

                  BGP/MPLS VPNs

                  Technical Assistance

                  Description

                  Link

                  The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

                  http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

                  Feature Information for Multiprotocol BGP MPLS VPN

                  The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

                  Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

                  Table 1 Feature Information for Multiprotocol BGP MPLS VPN

                  Feature Name

                  Releases

                  Feature Information

                  Multiprotocol BGP MPLS VPN

                  12.0(11)ST

                  12.2(9)S

                  12.2(17b)SXA

                  12.2(27)SBB

                  12.3(8)T

                  15.2(1)S

                  Cisco IOS XE Release 2.1

                  Cisco IOS XE Release 3.5S

                  An MPLS VPN consists of a set of sites that are interconnected through the MPLS provider core network. At each site, there are one or more CEs, which attach to one or more PEs. The Multiprotocol BGP MPLS VPN feature allows PEs to use the MP-BGP to dynamically communicate with each other.

                  In Cisco IOS Release 12.0(11)ST, this feature was introduced.

                  In Cisco IOS Release 12.2(9)S, 12.2(17b)SXA, 12.2(27)SBB, 12.3(8)T, and 15.2(1)S, this feature was integrated.

                  In Cisco IOS XE Release 2.1, this feature was implemented on Cisco ASR 1000 Series Routers.

                  In Cisco IOS XE Release 3.5S, support was added for the Cisco ASR 903 Router.

                  No commands were introduced or modified.