MPLS L3VPN

MPLS L3VPN: put simply, look at the last three letters, VPN. As with any VPN, L3VPN lets us build a private network carried over an MPLS backbone. MPLS L3VPN works at Layer 3. There are a few terms to know in L3VPN:

  • CE: Customer Edge, the customer of the MPLS L3VPN
  • PE: Provider Edge, connects to the CE
  • P: Provider, sits in the middle of the MPLS network and runs only IGP + MPLS.

So what is needed to build an MPLS L3VPN?
  • IGP (dynamic) or static routes: to connect all the routers in the MPLS backbone.
  • MPLS + BGP: BGP handles peering and carries route information to and from each PE. In BGP we set up IPv4 + VPNv4 peering.
  • VRF: the key piece of MPLS L3VPN, the control point for what is sent to other PEs and what is received by our CE.

As for what can be delivered from the PE to the CE, in other words PE-CE connectivity, there are many options: we can use an IGP or BGP, just as in ordinary routing configuration.

OK, now let's configure MPLS L3VPN following the topology below.

Here we will create 3 VRFs, with each CE at a different site. Say CE1 in Jakarta asks to be connected to its own router in Surabaya, CE4. Rather than pulling cable or building a new path, ISP_A leases an existing link to reach the router in Surabaya.

First step: configure the IGP. Here we use OSPF, but another IGP works as well.

PE1(config)#router ospf 1
PE1(config-router)#network 1.1.1.1 0.0.0.0 area 0
PE1(config-router)#network 12.12.12.1 0.0.0.0 area 0

P(config)#router ospf 1
P(config-router)#network 2.2.2.2 0.0.0.0 area 0
P(config-router)#network 12.12.12.2 0.0.0.0 area 0
P(config-router)#network 23.23.23.2 0.0.0.0 area 0

PE2(config)#router ospf 1
PE2(config-router)#network 3.3.3.3 0.0.0.0 area 0
PE2(config-router)#network 23.23.23.3 0.0.0.0 area 0

Verification: make sure all routers are present in the routing table.

PE1#sh ip route
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O        2.2.2.2 [110/11] via 12.12.12.2, 00:02:37, Ethernet0/0
3.0.0.0/32 is subnetted, 1 subnets
O        3.3.3.3 [110/21] via 12.12.12.2, 00:01:22, Ethernet0/0
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.12.12.0/24 is directly connected, Ethernet0/0
L        12.12.12.1/32 is directly connected, Ethernet0/0
23.0.0.0/24 is subnetted, 1 subnets
O        23.23.23.0 [110/20] via 12.12.12.2, 00:02:37, Ethernet0/0
PE1#
PE1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/71 ms
PE1#

Second step: enable MPLS. Enable it on the interfaces facing other routers (P/PE), but not on the loopback interface or on interfaces facing a CE.

PE1(config)#mpls label protocol ldp
PE1(config)#mpls ldp router-id lo0 force
PE1(config)#int e0/0
PE1(config-if)#mpls ip

P(config)#mpls label protocol ldp
P(config)#mpls ldp router-id lo0 force
P(config)#int e0/0
P(config-if)#mpls ip
P(config-if)#int e0/1
P(config-if)#mpls ip

PE2(config)#mpls label protocol ldp
PE2(config)#mpls ldp router-id lo0 force
PE2(config)#int e0/0
PE2(config-if)#mpls ip

Verification: make sure the MPLS LDP neighbors are established.

P#sh mpls ldp neigh
Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0
TCP connection: 1.1.1.1.646 – 2.2.2.2.39293
State: Oper; Msgs sent/rcvd: 9/9; Downstream
Up time: 00:01:08
LDP discovery sources:
Ethernet0/0, Src IP addr: 12.12.12.1
Addresses bound to peer LDP Ident:
12.12.12.1      1.1.1.1
Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
TCP connection: 3.3.3.3.24711 – 2.2.2.2.646
State: Oper; Msgs sent/rcvd: 8/8; Downstream
Up time: 00:00:34
LDP discovery sources:
Ethernet0/1, Src IP addr: 23.23.23.3
Addresses bound to peer LDP Ident:
23.23.23.3      3.3.3.3
P#

Third step: configure BGP. BGP only needs to be configured between the PE routers; for the P router it is enough to enable the IGP.

PE1(config)#router bgp 100
PE1(config-router)#address-family ipv4
PE1(config-router-af)#neigh 3.3.3.3 remote-as 100
PE1(config-router-af)#neigh 3.3.3.3 update-so lo0
PE1(config-router-af)#neigh 3.3.3.3 activate

PE2(config)#router bgp 100
PE2(config-router)#address-family ipv4
PE2(config-router-af)#neigh 1.1.1.1 remote-as 100
PE2(config-router-af)#neigh 1.1.1.1 update-so lo0
PE2(config-router-af)#neigh 1.1.1.1 activate

Verification

PE1#sh ip bgp summ
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4          100      77      76        1    0    0 00:58:45        0
PE1#

Fourth step: configure MP-BGP. MP-BGP acts as the “exchanger” of information/prefixes between the PEs, exchanging the information that belongs to each VRF.

PE1(config)#router bgp 100
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neigh 3.3.3.3 activate

PE2(config)#router bgp 100
PE2(config-router)#address-family vpnv4
PE2(config-router-af)#neigh 1.1.1.1 activate

Verification

PE1#sh bgp vpnv4 uni all summ
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4          100      25      25        1    0    0 00:16:56        0
PE1#

Fifth step: configure the VRFs. The VRF is the control point for what is sent to and what is received from the other PE routers. A VRF has several components:
  • RD: Route Distinguisher, identifies each VRF for VPNv4. Note that one PE router can hold several VRFs, and the RD is what distinguishes one VRF from another.
  • RT: Route Target, determines which routes are exported and which routes are imported into our VRF network. The Route Target comes in two forms:
    a. Route-target export: routes that will be sent
    b. Route-target import: routes that will be received
  • Address-family: there is address-family ipv4 and address-family ipv6, which determines what is enabled in this VRF. Configured on each PE.

VRF A
PE1(config)#vrf definition A
PE1(config-vrf)#rd 1:1
PE1(config-vrf)#route-target import 1:1
PE1(config-vrf)#route-target export 1:1
PE1(config-vrf)#address-family ipv4

PE2(config)#vrf definition A
PE2(config-vrf)#rd 1:1
PE2(config-vrf)#route-target import 1:1
PE2(config-vrf)#route-target export 1:1
PE2(config-vrf)#address-family ipv4

VRF B
PE1(config)#vrf definition B
PE1(config-vrf)#rd 2:2
PE1(config-vrf)#route-target both 2:2 <- to keep it shorter we can use the route-target both command directly, which automatically generates export and import 2:2
PE1(config-vrf)#address-family ipv4

PE2(config)#vrf definition B
PE2(config-vrf)#rd 2:2
PE2(config-vrf)#route-target both 2:2
PE2(config-vrf)#address-family ipv4

VRF C
PE1(config)#vrf definition C
PE1(config-vrf)#rd 3:3
PE1(config-vrf)#route-target both 3:3
PE1(config-vrf)#address-family ipv4

PE2(config)#vrf definition C
PE2(config-vrf)#rd 3:3
PE2(config-vrf)#route-target both 3:3
PE2(config-vrf)#address-family ipv4
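
Added example (not part of the original post): a small Python audit of the import/export rule described above. It parses `vrf definition` stanzas and lists every pair of different VRFs where one exports a route target that the other imports, which is how routes cross from one customer's VPN into another. The sample follows the page's VRFs A, B and C plus one constructed extra import under C; the function names and the `allowed` parameter are hypothetical.

```python
import re

# VRF stanzas in the form typed on the page (VRFs A, B, C on one PE).
# The extra "route-target import 2:2" under C is constructed for this
# example to show what a cross-VRF leak looks like.
SAMPLE = """\
vrf definition A
 rd 1:1
 route-target import 1:1
 route-target export 1:1
vrf definition B
 rd 2:2
 route-target both 2:2
vrf definition C
 rd 3:3
 route-target both 3:3
 route-target import 2:2
"""

def parse_vrfs(config):
    """Return {vrf: {"rd": str, "import": set, "export": set}}."""
    vrfs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vrf definition (\S+)", line):
            cur = vrfs.setdefault(
                m.group(1), {"rd": None, "import": set(), "export": set()})
        elif cur is None:
            continue
        elif m := re.match(r"rd (\S+)", line):
            cur["rd"] = m.group(1)
        elif m := re.match(r"route-target (import|export|both) (\S+)", line):
            # "both" expands to one import and one export of the same value
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                cur[kind].add(m.group(2))
    return vrfs

def leaks(vrfs, allowed=frozenset()):
    """List (exporter, importer, rt) for different VRFs sharing a route target."""
    return sorted(
        (src, dst, rt)
        for src, s in vrfs.items() for dst, d in vrfs.items()
        if src != dst and (src, dst) not in allowed
        for rt in s["export"] & d["import"])

if __name__ == "__main__":
    for src, dst, rt in leaks(parse_vrfs(SAMPLE)):
        print(f"VRF {dst} imports RT {rt} exported by VRF {src}")
```

Pairs that are meant to share routes (for example a shared-services VRF) can be passed in `allowed` so that only unintended overlaps are reported.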

Next, let's create interfaces loopback 1, 2 and 3 on each PE.

PE1(config)#int lo1
PE1(config-if)#vrf forwarding A
PE1(config-if)#ip addr 11.11.11.1 255.255.255.255
PE1(config-if)#int lo2
PE1(config-if)#vrf forwarding B
PE1(config-if)#ip addr 11.11.11.2 255.255.255.255
PE1(config-if)#int lo3
PE1(config-if)#vrf forwarding C
PE1(config-if)#ip addr 11.11.11.3 255.255.255.255

PE2(config)#int lo1
PE2(config-if)#vrf forwarding A
PE2(config-if)#ip addr 33.33.33.1 255.255.255.255
PE2(config-if)#int lo2
PE2(config-if)#vrf forwarding B
PE2(config-if)#ip addr 33.33.33.2 255.255.255.255
PE2(config-if)#int lo3
PE2(config-if)#vrf forwarding C
PE2(config-if)#ip addr 33.33.33.3 255.255.255.255

Then advertise them into BGP for each VRF.

PE1(config)#router bgp 100
PE1(config-router)#address-family ipv4 vrf A
PE1(config-router-af)#network 11.11.11.1 mask 255.255.255.255
PE1(config-router-af)#address-family ipv4 vrf B
PE1(config-router-af)#network 11.11.11.2 mask 255.255.255.255
PE1(config-router-af)#address-family ipv4 vrf C
PE1(config-router-af)#network 11.11.11.3 mask 255.255.255.255

PE2(config)#router bgp 100
PE2(config-router)#address-family ipv4 vrf A
PE2(config-router-af)#network 33.33.33.1 mask 255.255.255.255
PE2(config-router-af)#address-family ipv4 vrf B
PE2(config-router-af)#network 33.33.33.2 mask 255.255.255.255
PE2(config-router-af)#address-family ipv4 vrf C
PE2(config-router-af)#network 33.33.33.3 mask 255.255.255.255

Verification: when we run show bgp vpnv4 we will see 13 prefixes, which means the prefix “exchange” for the three VRFs has succeeded.

PE1#sh bgp vpnv4 uni all summ
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 10, main routing table version 10
6 network entries using 1008 bytes of memory
6 path entries using 384 bytes of memory
6/6 BGP path/bestpath attribute entries using 864 bytes of memory
3 BGP extended community entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2328 total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.3         4          100      49      49       10    0    0 00:33:47        3
PE1#

Verification: on each PE, check that the VRF loopbacks of the other PE are in the routing table and that they can be pinged using the VRF loopback as the source.

PE1#sh ip route vrf A

Routing Table: A
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

11.0.0.0/32 is subnetted, 1 subnets
C        11.11.11.1 is directly connected, Loopback1
33.0.0.0/32 is subnetted, 1 subnets
B        33.33.33.1 [200/0] via 3.3.3.3, 00:01:41

PE1#sh ip route vrf B

Routing Table: B
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

11.0.0.0/32 is subnetted, 1 subnets
C        11.11.11.2 is directly connected, Loopback2
33.0.0.0/32 is subnetted, 1 subnets
B        33.33.33.2 [200/0] via 3.3.3.3, 00:01:36

PE1#sh ip route vrf C

Routing Table: C
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override

Gateway of last resort is not set

11.0.0.0/32 is subnetted, 1 subnets
C        11.11.11.3 is directly connected, Loopback3
33.0.0.0/32 is subnetted, 1 subnets
B        33.33.33.3 [200/0] via 3.3.3.3, 00:01:31
PE1#

PE1#ping vrf A 33.33.33.1 so lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms
PE1#ping vrf B 33.33.33.2 so lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/11 ms
PE1#ping vrf C 33.33.33.3 so lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.3, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
PE1#

Sixth step: connecting the PE to the CE. We will split this part into the following posts, since it is too long to cover here and this keeps things tidy 😛

VRF A Read Here
VRF B Read Here
VRF C Read Here
