Author: Louis Lau

ENARSI VPN Technology


The ENARSI scope requires three things:


  1. Explain how MPLS works
  2. Explain how MPLS L3 VPN works
  3. Be able to configure DMVPN


For MPLS, I tried to follow this example for a brief setup:


https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/13733-mpls-vpn-basic.html


To start, I created a new project in CML, pulled in two IOSv routers and established the configuration like below.



I used OSPF for the setup instead of the IS-IS used in the example. Once OSPF was up, I tried to enable MPLS in the global config with mpls ip and then tried to find mpls ldp autoconfiguration; this command is supposed to automatically configure MPLS on all the IGP routing interfaces on the router. The IGP routing protocol can be RIP, OSPF or IS-IS; I think EIGRP is also an IGP. But I don't know why the mpls ldp autoconfiguration option is not available even after I type mpls ip. So instead, I tried to enable mpls ip under the G0/0 interface.



After mpls ip was enabled on both neighbouring interfaces of iosv-0 and iosv-1, the LDP neighbor relationship was established. The hello messages are sent to the multicast address 224.0.0.2 using UDP transport, port 646 on both sides, and the payload is an LDP packet.



In the packet capture, we can see some LDP Hello messages sent between the two routers.



LDP is a standardized protocol. It has different message types, and Hello is one of them. As the main objective of LDP is to let MPLS-enabled routers forward traffic based on label tags instead of going through the internal routing table, LDP supports other message types apart from Hello. These other message types set up labels and establish sessions, etc.

The two routers I am setting up now, iosv-0 and iosv-1, are called P routers. These are the core MPLS routers, or Label Switch Routers (LSR), that only handle label path routing. The setup of the labels is done from the CE router via the PE router using MP-BGP.

In the example at the Cisco link above, the first step, I guess, is to make all the P and PE routers routable to each other's loopback interfaces, and then establish the BGP AS 65000 network inside the core. Because they are all in AS 65000, they peer with each other using iBGP. I think only the PE routers need to join BGP AS 65000, and one P router acts as a Route Reflector which reflects all BGP routes learnt from each PE to the other PE routers. These PE routers, using MP-BGP, will advertise VPNv4 addresses from the VRFs on the PE routers and carry the extended-community tag in the route advertisement. I guess the MPLS network will then automatically register the label path between the two endpoints sharing the same community tag.
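As an added illustration of the P-router setup described above (example configuration written for this page, not the author's own screenshots; the addresses 1.1.1.1 and 10.0.1.0/24 and the interface names are assumptions), here is how the LDP-enabled core side of iosv-0 could look in IOS. The comments also record where mpls ldp autoconfig actually lives on IOS: it is a sub-command of the router ospf (or router isis) process, not of the global mpls ip command, which is why it does not show up in global configuration mode.

```cisco
! ---- iosv-0 (P router / LSR); iosv-1 mirrors this with 2.2.2.2 and 10.0.1.2 ----
hostname iosv-0
!
! Loopback used as OSPF router-id and as LDP router-id / transport address
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Core link towards iosv-1: 'mpls ip' here is what the page did by hand
interface GigabitEthernet0/0
 description core link to iosv-1
 ip address 10.0.1.1 255.255.255.0
 mpls ip
!
router ospf 1
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 10.0.1.0 0.0.0.255 area 0
 ! Alternative to per-interface 'mpls ip': enable LDP on every OSPF-enabled
 ! interface of this process. This is the command the page looked for under
 ! global 'mpls ip'; it exists only under router ospf / router isis.
 mpls ldp autoconfig
!
! Pin the LDP identifier to the loopback so the TCP 646 session survives link flaps
mpls ldp router-id Loopback0 force
!
! Verification (exec mode):
!   show mpls ldp discovery     - hello adjacencies learnt via 224.0.0.2 / UDP 646
!   show mpls ldp neighbor      - TCP 646 session state with 2.2.2.2 (Oper)
!   show mpls forwarding-table  - local / outgoing label per IGP prefix
```

Because both the interface-level mpls ip and the process-level mpls ldp autoconfig are present above, either one alone is enough; keeping both is harmless and lets you compare the two forms in show running-config.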


So let's set up the third P router and the two PE routers now.



I have configured iosv-2, iosv-3 and iosv-4 with those IPs and set up OSPF on these new routers so that each router can ping every other router's loopback interface, like below.



And then I tried to set up iBGP between iosv-3 and iosv-2 and between iosv-4 and iosv-2.


I first set up iosv-2 as a BGP router in AS 65000 and configured it to peer with 5.5.5.5 and 4.4.4.4 using iBGP with the VPNv4 address family.



The key point in the BGP configuration of iosv-2 is that it is a Route Reflector, which allows routes from one PE router to be reflected to the other PE router.


When we set up this BGP, we need to specify update-source Loopback0. By default BGP will not use the loopback as the source when forming a BGP peering; we want to peer between the Loopback interfaces, so we need to set the update source to Loopback 0.


Secondly, I have enabled address-family vpnv4 and activated the neighbor relationship in the VPNv4 family. We use VPNv4 because we are going to create some VRFs on the PE routers, and the VRFs on the PE routers export their routing table into iBGP with a particular prefix; iBGP then announces those routes as VPNv4 by adding the RD in front of the prefix.

The VRF also sets a route-target to export the routes, which is carried in the extended-community attribute of the BGP route. This field in the extended community is crucial for setting up the MPLS label path, so we should include the send-community attribute in the VPNv4 configuration.

Lastly, because iosv-2 acts as a route reflector so that all PE routers learn the routes on the other PE routers, we configure iosv-2 with route-reflector-client for each peer, as shown above.


With this configuration done, I can move on to configuring the PE router iosv-3.


In iosv-3, the BGP configuration is like below.




In this configuration, iosv-3 is the PE router; it forms an iBGP peering with the Route Reflector, which is 3.3.3.3 in the configuration. It joins the same AS 65000 and uses update-source Loopback 0 so that it can establish the connection with iosv-2.


And iosv-4 is similar.



The BGP configuration of the PE routers iosv-3 and iosv-4 is the same.


After that, show ip bgp summary should show the neighbor 3.3.3.3 as up.


The core iBGP configuration part should be completed by now.
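The route-reflector and PE sides of the VPNv4 iBGP peering described in the steps above (from setting up iosv-2 as the reflector through verifying the PE neighbor with show ip bgp summary), as one added example; it is not the page's own configuration. Assumed: iosv-2 Loopback0 is 3.3.3.3 (the reflector address the page gives), iosv-3 is 4.4.4.4 and iosv-4 is 5.5.5.5 (the page lists both peers but not which is which).

```cisco
! ---- iosv-2 (P router acting as route reflector), Loopback0 = 3.3.3.3 ----
router bgp 65000
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 ! Peer loopback-to-loopback so the session is independent of any single link
 neighbor 4.4.4.4 remote-as 65000
 neighbor 4.4.4.4 update-source Loopback0
 neighbor 5.5.5.5 remote-as 65000
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  ! The route-target travels in the extended community; without it the
  ! receiving PE has nothing to match its import RT against and drops the route
  neighbor 4.4.4.4 send-community extended
  ! Reflect what one PE advertises to the other PE (iBGP would otherwise not re-advertise)
  neighbor 4.4.4.4 route-reflector-client
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
  neighbor 5.5.5.5 route-reflector-client
 exit-address-family
!
! ---- iosv-3 (PE), Loopback0 = 4.4.4.4; iosv-4 is identical apart from its router-id ----
router bgp 65000
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 65000
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
!
! Verification (exec mode, on a PE):
!   show ip bgp summary                  - neighbor 3.3.3.3 shows a prefix count, not Idle/Active
!   show bgp vpnv4 unicast all summary   - same check for the VPNv4 address family
!   show bgp vpnv4 unicast all neighbors 3.3.3.3   - 'Route refresh' / AF capability negotiated
```

On IOS, activating a neighbor under address-family vpnv4 adds send-community extended automatically; it is written out above so the dependency the page describes is visible in the configuration.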


Now we should create a VRF on iosv-3 and a VRF on iosv-4, and try to link these two VRFs together.


In iosv-3, I created a VRF called bank.



In the definition, I set this VRF with RD 100:100 and set the route-target import and export to 100:100.


And I created the same on iosv-4: the same VRF with the same RD 100:100.



And then in iosv-3, I added interface G0/3 to vrf bank and set up the IP 192.168.10.1/24.



And then in iosv-4, I added interface G0/3 to vrf bank and set up the IP 192.168.20.1/24.



And then in the BGP process, I added the address family for vrf bank in iosv-3 and added network 192.168.10.0 to include this network in BGP AS 65000.



And then I enabled BGP for vrf bank in iosv-4 too.



And then the magic happened. When I ran show ip route vrf bank in iosv-3, I saw the route for 192.168.20.0.



It says it was learnt from BGP.


And I can ping the other vrf bank on iosv-4.



And while I am doing the ping, the capture on the link shows it as TCP packets.



And in iosv-0, which is a P router, show mpls label shows that some labels have been formed.



Well, I think in ENARSI we only need to know how to describe MPLS operation and have some idea of how to set up MPLS L3 VPN. The above example is an MPLS L3 VPN. How these labels are actually assigned, or even how to traffic-engineer these labels, may be the scope of the Service Provider stream of exams.


Lastly, let's try to set up another VRF called government and see if they can use the same IP or not.


In iosv-3, I created this vrf government.


I assigned G0/1 to vrf government, enabled iBGP 65000 for vrf government and advertised the new interface to the peer.



And then on iosv-4, I did the same, but gave G0/1 the IP 192.168.30.1 instead and advertised 192.168.30.1 to the other side.



Advertise 192.168.30.0



And now the government VRF on one site can ping the other site.



The site on iosv-3 has the same IP range for vrf bank and vrf government, but they do not conflict with each other because the label paths separate them and the traffic is encrypted into different streams.
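The PE side of both VRFs described above (vrf bank from "In iosv-3, I created a VRF called bank" onward, and vrf government from "Lastly, let's try to set up another VRF called government" onward), combined into one added example; it is not the page's configuration. The RD/RT 100:100 for bank and the interface addresses come from the page; the RD/RT 200:200 for government is an assumption, since the page does not show it. What keeps the two VRFs apart is that the RD turns the two identical 192.168.10.0/24 prefixes into distinct VPNv4 routes, the route-target decides which VRF imports which, and the PE allocates a separate VPN label per VRF/prefix; MPLS itself adds no encryption, so confidentiality across the core needs IPsec on top if it is required.

```cisco
! ---- iosv-3 (PE) ----
vrf definition bank
 rd 100:100
 !
 address-family ipv4
  route-target export 100:100
  route-target import 100:100
 exit-address-family
!
vrf definition government
 rd 200:200
 !
 address-family ipv4
  route-target export 200:200
  route-target import 200:200
 exit-address-family
!
! 'vrf forwarding' must precede 'ip address': applying it clears any address already on the interface
interface GigabitEthernet0/3
 vrf forwarding bank
 ip address 192.168.10.1 255.255.255.0
!
! Same customer prefix as bank, in a different VRF: no conflict because of the RD
interface GigabitEthernet0/1
 vrf forwarding government
 ip address 192.168.10.1 255.255.255.0
!
router bgp 65000
 address-family ipv4 vrf bank
  network 192.168.10.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf government
  network 192.168.10.0 mask 255.255.255.0
 exit-address-family
!
! ---- iosv-4 (PE): identical vrf definitions, different customer addresses ----
interface GigabitEthernet0/3
 vrf forwarding bank
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1
 vrf forwarding government
 ip address 192.168.30.1 255.255.255.0
!
router bgp 65000
 address-family ipv4 vrf bank
  network 192.168.20.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf government
  network 192.168.30.0 mask 255.255.255.0
 exit-address-family
!
! Verification on iosv-3 (exec mode):
!   show ip route vrf bank               - 192.168.20.0/24 with code B (BGP), next hop 5.5.5.5
!   show ip route vrf government         - 192.168.30.0/24, and no bank prefixes
!   show bgp vpnv4 unicast all           - prefixes grouped under "Route Distinguisher: 100:100" / "200:200"
!   show bgp vpnv4 unicast all labels    - the VPN label the PE allocated per prefix
!   ping vrf bank 192.168.20.1 source 192.168.10.1
!   ping vrf government 192.168.30.1 source 192.168.10.1
```

The two ping lines at the end use the same source address in two different VRFs; both succeed, which is the overlapping-address case the page describes. If a prefix is missing from a VRF table, check the import route-target first: show bgp vpnv4 unicast all lists what the reflector delivered, while show ip route vrf only shows what the import RT accepted.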


(I think the route-leaking between VRFs test in the last note has helped my understanding of MPLS VPN configuration.)


And then a customer from the bank client can connect to port G0/3 and establish connectivity with the other site. That is the role of the CE router. The CE router is basically just a basic router. Sometimes the service is an L2VPN service; then the CE equipment on both sites will have Layer 2 access to each other. If it is a Layer 3 configuration like this, the CE router can connect to the other site office via Layer 3 routing, but the customer does not need to worry about the routing between sites because it is already configured in the MPLS network.


When I initiate the ping between the two sites, the ping actually runs between iosv-0 and iosv-1. The routers do not route based on the IP address; they route based on the label, and it won't go through the Route Reflector, because the Route Reflector only reflects routes. The traffic does not need to go through the route reflector because the PE router can already reach the other PE router in the underlay network, and LDP has set up the path.






Next topic is DMVPN. DMVPN is a Cisco proprietary technology. It is used to form multiple tunnels from the hub, which is usually the headquarters, and connect those tunnels to multiple sites. Instead of creating multiple tunnel interfaces at the hub, we can create multiple tunnels on one tunnel interface at the hub. In a normal tunnel setup, each site needs to tunnel to the hub site in order to connect to the other sites. DMVPN allows the spoke sites to form tunnels between spoke sites on an on-demand basis.


To test the configuration, I made the following simple topology.




The configuration sequence of DMVPN is:


Hub site


Step 1: configure the iosv-1 (hub) Tunnel 0 interface and set the tunnel mode to gre multipoint. GRE multipoint must also have NHRP set up. NHRP (Next Hop Resolution Protocol) is used to register the mapping from tunnel IP address to the equipment's public IP address, and the hub is the server that holds these mappings. The spoke sites register their tunnel IP address and public IP address with this NHRP server. So in the hub site, the configuration of the tunnel is like below.



The hub site tunnel must have an IP address. One of the good things about mGRE is that it can carry multicast packets too, so we can put the tunnel interface into our routing instance like OSPF, and then we can set up OSPF between these tunnel sites. I will try this configuration later.


In the above commands, the minimum is:


  1. Set the tunnel IP address of the hub, which is 192.168.0.1.
  2. Set the IP MTU size to 1416. (The MTU size must match; I tried not setting the MTU size and debug nhrp showed a lot of errors and the ping would not go through.)
  3. Set the NHRP network-id; this is a must. The network-id is used to register different domains if there are multiple NHRP server instances running.
  4. Set the tunnel source; we can set it to the IP address, or we can set it to the interface name. As DMVPN sites usually have DHCP-assigned addresses, using the interface name is the better approach.
  5. Enable tunnel mode gre multipoint.


We can set an authentication key for NHRP by setting ip nhrp authentication [key], and we can also set a key on the tunnel using tunnel key.



If we have enabled DMVPN, we do not need to set up the destination; we only need to specify the source.


Spoke site


Step 2 is to set up the spoke site. The spoke site must also use gre multipoint mode to connect. I tried to set up a normal GRE tunnel but it could not connect to the hub site.


I think the spoke site configuration is a bit tricky and harder to understand.



For the minimal configuration of the spoke site tunnel, we have to:

  1. Set the tunnel IP address; it can be in the same subnet as the hub site, so that we can use multicast to set up a routing protocol, say OSPF.
  2. The IP MTU size must match. We cannot use the default; both hub and spoke must set the MTU size.
  3. Set ip nhrp map [Hub Server Internal IP] [Hub Server Public IP]. This is the tricky part: I was thinking we should specify it to map the spoke's internal tunnel IP to the server. But the mapping of the internal IP to the NHRP server actually happens automatically. Here we specify the internal IP and the public IP address of the hub site (not the spoke).
  4. Set the multicast mapping to this hub internal tunnel IP (so ARP and multicast packets can be exchanged).
  5. Match the network-id of NHRP.
  6. Set the NHRP next hop server [Hub server internal IP]. I tried to configure without this command and the two endpoints could not ping; then I added this command and I could ping; then I removed this command and it could still ping. It seems this command must be there at the start but is not needed afterwards? [If someone can explain the purpose of this command to me, it will be appreciated.]
  7. Set the tunnel source to the public interface name; no need to set a destination.
  8. Configure this as gre multipoint mode.
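The hub and spoke tunnel configuration from Step 1 and Step 2 above, as an added example (not the author's screenshots). Tunnel addresses in 192.168.0.0/24, MTU 1416 and a single network-id follow the page; the public addresses 203.0.113.1 (hub) and 203.0.113.2 (spoke), the key strings and the interface names are assumptions. The two hardening knobs the page mentions are filled in: ip nhrp authentication, which must be identical on every member (it is a cleartext string of at most eight characters, so treat it as protection against misconfigured or stray peers, not against a deliberate one), and tunnel key, which must match on both ends of the mGRE tunnel.

```cisco
! ---- iosv-1 (hub), public interface G0/0 = 203.0.113.1 ----
interface Tunnel0
 ip address 192.168.0.1 255.255.255.0
 ! usual on mGRE: stops the hub sending ICMP redirects for spoke-to-spoke traffic
 no ip redirects
 ip mtu 1416
 ! NHRP: every member must carry the same string and the same network-id
 ip nhrp authentication DMVPN1
 ! hub learns each spoke's multicast mapping from the spoke's registration
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! source only; with mGRE the destinations come from the NHRP cache
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! GRE key must match on both ends; also keeps several mGRE tunnels on one source apart
 tunnel key 100
!
! ---- iosv-2 (spoke), public interface G0/0 = 203.0.113.2 ----
! other spokes are identical apart from their own tunnel address
interface Tunnel0
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication DMVPN1
 ! static mapping of the HUB's tunnel IP to the HUB's public IP (not the spoke's own)
 ip nhrp map 192.168.0.1 203.0.113.1
 ! send multicast (routing-protocol hellos) towards the hub
 ip nhrp map multicast 192.168.0.1
 ip nhrp network-id 1
 ! next-hop server: where this spoke registers its own tunnel IP / public IP pair
 ip nhrp nhs 192.168.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
!
! Verification (exec mode):
!   show dmvpn          - hub: one entry per registered spoke, state UP; spoke: its hub entry
!   show ip nhrp        - hub: dynamic entries learnt from registrations; spoke: its static map
!   ping 192.168.0.2    - from the hub, once the spoke has registered
!   debug nhrp          - registration requests/replies; authentication mismatches show here
```

On the question in item 6 above: ip nhrp nhs is what makes the spoke send NHRP registration requests to the hub. Removing it stops further registrations, but the hub keeps the spoke's cached mapping until its hold time expires (ip nhrp holdtime defaults to 7200 seconds), and the spoke still has its static map to the hub, so pings continue for a while and then fail once the hub's entry ages out. With only this configuration, spoke-to-spoke traffic transits the hub; on-demand spoke-to-spoke tunnels additionally need the NHRP redirect/shortcut features, which the page does not cover.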


After this, pings between the tunnel IPs of the spoke and hub sites are okay.



Setting up the other sites is the same.


The iosv-3 configuration is like below.



The iosv-4 configuration is like below.



And a spoke site can ping another spoke site too.


And then I tried to set up an OSPF process over these DMVPN tunnels.


The setup of the tunnel on the spoke site is like below.



I enabled area 0 on the tunnel interface and then set the interface network type to broadcast.


And then on the hub site:



On the hub site, I also enabled IP OSPF on the Tunnel 0 interface.



On the hub site, I added the tunnel interface to area 0.


And OSPF has been established. But note that there was a Dead Timer expiry and OSPF went from Full to Down and then to Full again. I don't really know what is happening. Maybe the IP segment size has some issue? I am not going to troubleshoot this and shall stop here.


GRE has no encryption; we can encrypt the tunnel by adding tunnel protection with IPsec, which I am not going to go through.
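An added example (not the author's configuration) for the two remaining items: OSPF across the mGRE tunnel as described above, and the IPsec tunnel protection the page mentions but does not configure. Tunnel addresses and area 0 follow the page; the ISAKMP/IPsec parameters, the profile names and the pre-shared-key placeholder are assumptions. On a tunnel with network type broadcast the hub has to be the DR, because only the hub holds an NHRP mapping to every spoke, so spokes are given ip ospf priority 0. Once ESP is added, the page's ip mtu 1416 leaves no room for the IPsec overhead, so the tunnel MTU is lowered to 1400 on every member here (hub and spokes must still match, as the page found).

```cisco
! ---- on the hub and on every spoke: IKEv1 policy, pre-shared key, IPsec profile ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! one PSK shared by all DMVPN members; placeholder, replace with a long random string
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 ! transport mode: the GRE header already supplies the outer IP header
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- iosv-1 (hub): additions to the Tunnel0 built in Step 1 ----
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 ip ospf network broadcast
 ! hub must win the DR election
 ip ospf priority 255
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- every spoke: additions to the Tunnel0 built in Step 2 ----
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 ip ospf network broadcast
 ! a spoke can never be DR/BDR: it cannot reach the other spokes directly
 ip ospf priority 0
 tunnel protection ipsec profile DMVPN-PROF
!
! OSPF process on every member; the router-id is assumed and must be unique per router
router ospf 1
 router-id 192.168.0.1
!
! Verification (exec mode):
!   show ip ospf neighbor     - hub: FULL/DROTHER per spoke; spoke: FULL/DR with the hub only
!   show crypto isakmp sa     - QM_IDLE per peer once IKE completes
!   show crypto ipsec sa      - encaps/decaps counters rising while pinging across the tunnel
!   show dmvpn                - entries still UP with IPsec attached
```

With the spokes' priority at 0, a spoke that sees a Dead Timer expiry re-forms adjacency only with the hub, which is the behaviour the design expects; if neighbors still flap, compare ip mtu and ip nhrp authentication on both ends before anything else, since both mismatches surface as lost hellos rather than as an explicit error.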


I barely finished the notes for MPLS and DMVPN in one day. The Layer 3 routing topic took me much longer (mainly because I tried to figure out what happens in VRF route leaking). This is about 55% of the exam scope; of the other 45%, 20% is Infrastructure Security and 20% is Infrastructure Services. I am not quite familiar with the topics below:


Infrastructure Security

  1. IPv6 traffic filtering
  2. Unicast reverse path forwarding
  3. IPv6 first hop security features


Infrastructure Services

  1. Troubleshoot SCP and TFTP
  2. Troubleshoot SNMP
  3. Troubleshoot using Cisco DNA (connectivity, device health, monitoring and network health)


But I would like to attempt some of the practice questions tomorrow and get a feel for what kind of questions they will ask first.