MPLS VPN - CE configuration with static routing

Answered Question
Jan 10th, 2010

Dear Friends,


Kindly I need your valuable help.


I have to connect 10 branches to my HQ over MPLS-VPN. The Telco has provided the link and the configuration; now I have to configure and connect the routers at each of the 10 offices. I am using static routing and the design is hub & spoke only; all the branches want to connect to the HQ.

Do I need to do anything other than adding the static route and redistributing the static routes into BGP on the routers?

I have some branches with a DSL type of connection, some with MALC and some with VSAT. The Telco has provided their configuration based on that. Is there any difference in the configuration which I should do for these different connections? Or do all the routers require the static route and redistribution only?

I need your valuable input on the same, appreciate your early response.

Thanks and Regards


Sunny

Jon Marshall Sun, 01/10/2010 - 13:14


Sunny


In a standard setup like this you need to


1) redistribute BGP into your internal routing protocol at each site. Note that if you only have one router at each site then you don't need to redistribute BGP because the routes will be on that one router. But if you have other routers in your spoke sites they need to learn of the BGP routes so they will need redistributing


2) As you say you need to advertise your spoke sites networks into BGP. You can redistribute statics into BGP or you can just use the "network" command under your BGP config ie.


router bgp 65222
 network 192.168.5.0 mask 255.255.255.0

etc.. for all local networks


note that if you use the "network .." entries then the entry must be in the routing table with the same subnet mask so from the example above you would need to see in a "sh ip route" on the CE device


ip route 192.168.5.0 255.255.255.0


That should do it.


Jon

amar_5664 Sun, 01/10/2010 - 15:17

Hi Sunny,


As you mentioned you will be using static routing, could you please confirm whether static routing is used for all sites on the PE-CE link?


1) If you have decided to use static routing on PE-CE link then on the CE you just configure the static networks with next-hop of your telco PE interface. As PE-CE link is static nothing fancy is required on CE as telco would be redistributing those routes on their PE for your VPN.


2) If some of your sites are using dynamic routing (BGP) with PE, then on CE configure networks that you want to advertise from that site.


3) If you have dynamic routing on LAN as well as PE-CE then use redistribution on CE.


Regards

AP

Jacob Samuel Sun, 01/10/2010 - 19:20

Dear Jon/Amer


PE-CE would be BGP only, because I have the configurations from the Telco with BGP. I mean to say internally I would be using static routing only. For example:

my network at HQ is 192.168.0.0 255.255.128.0

at each site I am using a /24 network starting from 192.168.200.x/24, 192.168.201.x/24 ... 192.168.209.x/24

In this I am at point 2 that Amer has mentioned, right? And in my main router at HQ I should mention

ip route 192.168.0.0 255.255.128.0

and all branches (i.e. branch 1) should mention 192.168.200.x/24 only, right?

Or in the HQ router do I need to mention the static route for each branch (as in normal static routing) and redistribute that into BGP, i.e.

ip route 192.168.200.0 255.255.255.0
ip route 192.168.201.0 255.255.255.0
...
ip route 192.168.209.0 255.255.255.0

and in

!
router bgp 64370
 redistribute static
 neighbor ....
 ...
!

Or

at HQ like this

router bgp 64370
 network 192.168.0.0 mask 255.255.128.0
 neighbor ....

and branches

ip route 0.0.0.0 0.0.0.0

and

redistribute static or redistribute connected

At branches if I put a default route pointing to the BGP neighbor (ip route 0 0), would there be any issue? Because the branch users will be accessing the internet through HQ.


sorry if i am making you all confused since this  is the first time i am doing this


thanks for the understanding



regards


Sunny

Jacob Samuel Mon, 01/11/2010 - 03:41

hi all


following is the IOS image running on my Cisco 2811 Router.

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(3i)
c2800nm-advsecurityk9-mz.124-3i.bin

when I put the bgp command I am getting the following error -

router bgp 65089
Protocol not in this image


what could be the problem ? can anyone help in this please.


regards

Jacob

Giuseppe Larosa Mon, 01/11/2010 - 04:08

Hello Jacob,


this means that you need a different IOS image. A change of feature set implies paying a fee for the feature upgrade.


also the configurations you have proposed are not correct:


if you use BGP you learn prefixes from BGP neighbor and you need to advertise local routes to the BGP neighbor.


The notes from Jon and Amer about the need to have in IP routing table an entry corresponding to the network command is referred to local site specific routes that your router needs to advertise to the service provider PE router.

If the remote site is simple the local site specific routes can be simply connected interfaces on branch router.

If there is more than one L3 device in the branch office you may already have static routes on your device pointing to internal site specific routes.


All you need when BGP will be supported is to use the network command under router bgp for local site specific routes on each site.


Alternatively, you can speak with service provider to use static routing as PE-CE routing protocol to avoid the additional fee for feature set upgrade on your routers.

In that case each remote router will have a default static route pointing to PE node and service provider needs to configure at each site specific static routes for your site IP prefixes.


that is similar to the static routes you have proposed.


Hope to help

Giuseppe

Jacob Samuel Tue, 01/12/2010 - 21:23

HI Guisee / Jon/ Amer,


Thanks for the details. I have upgraded the IOS with advipservices and the bgp protocol is resolved now.


The remote site is small; there are very few PCs on the LAN and they connect to the router as the gateway. There is no other L3 device in the LAN. But in HQ I have different devices as you mentioned; I have a static route for my local network (192.168.0.0 255.255.128.0) pointing to my inside network on the router. I am just pasting the config, could you please verify the same -

Branch 1 -

!
interface FastEthernet0/0
 description *** Telco MPLS VPN Link ***
 ip address 172.31.x.x 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.x.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
router bgp 64xxx
 no synchronization
 bgp log-neighbor-changes
 redistribute connected
 neighbor 172.31.xx.xx remote-as 65xxx
 no auto-summary

---------------------------------------------------------------------------

HQ

interface FastEthernet0/0
 ip address 192.168.x.x 255.255.255.248
 no ip redirects
 duplex auto
 speed auto
 standby ip 192.168.x.x
 standby priority 110
 standby preempt
 standby track FastEthernet0/1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.3166
 encapsulation dot1Q 3166
 ip address 172.31.xx.xxx 255.255.255.252
!
router eigrp 100
 network 192.168.0.0 0.0.127.255
 no auto-summary
!
router bgp 650xx
 no synchronization
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.128.0
 neighbor 172.31.xx.xxx remote-as 65000
 no auto-summary
!
ip route 192.168.0.0 255.255.128.0 192.168.96.1


---------------------------------------------------------

NOT USED REDISTRIBUTE STATIC OR REDISTRIBUTE CONNECTED HERE


--------------------


Appreciate your valuable response


thanks and regards


Sunny




NO STATIC ROUTE ENTRY IS IN THE BRANCHES, DO I NEED TO ADD ?


---------------------------------------------

Jon Marshall Wed, 01/13/2010 - 01:07


Sunny


At the branch sites you will need to advertise the branch network into BGP otherwise HQ will not know about it. So from your above example -


Branch 1

router bgp 64xxx
 network 192.168.x.0 mask 255.255.255.0

At the HQ site you will need to redistribute the BGP learned routes into EIGRP -

HQ site

router eigrp 100
 redistribute BGP 650xx metric 10000 100 255 1 1500


Jon

Giuseppe Larosa Wed, 01/13/2010 - 02:54

Hello Jon, Sunny


on branch Sunny  is using redistribute connected under router bgp and this is fine (no other L3 device is present on branch)


On HQ router Sunny has added a static route for the whole network:


ip route 192.168.0.0 255.255.128.0 next-hop-ip-address


then Sunny has made a network command with mask 255.255.128.0.


to build an always on aggregate the static route should point to null0


ip route 192.168.0.0 255.255.128.0 null0


This is a way to build an aggregate address hiding component routes.


redistributing EIGRP into BGP can be useful if the detail of component routes is desired and if he wants to advertise the real state of each EIGRP route in HQ site.


I recommend static route to null0 to create a stable aggregate route for all HQ site or as Jon has suggested redistribution of EIGRP into BGP at HQ router.


Hope to help

Giuseppe

Jon Marshall Wed, 01/13/2010 - 04:53

Giuseppe


On branch Sunny  is using redistribute connected under router bgp and this is fine (no other L3 device is present on branch)


Good spot, i missed that one !


Jon

Jacob Samuel Wed, 01/13/2010 - 08:42

Hi Jon/Giusee/Amer


Thanks a lot for the update.


Jon, I was thinking of using a dynamic routing protocol at the HQ, that's why you can see the EIGRP entry. Later I decided not to go for the complication, went for static routing and removed EIGRP. If I just need to redistribute EIGRP into BGP and if it will not make much complication then, as Giusee also suggested, I can think about putting EIGRP back. Is there anything which I need to take care of additionally if I go for EIGRP at HQ? Do I need to redistribute BGP into EIGRP as well or not? Expecting your kind suggestion.

Giusee, I didn't get the point of the null 0 interface on this, could you please clarify? For the null interface I just need to create it with an interface null 0 command in config mode only, right? A static route pointing to the null interface means it will drop the traffic, right? Then why do I need a static route entry there? What is the problem if I remove the static route entry now?


thanks a lot and appreciate your valuable input on the same.


regards

Sunny

Giuseppe Larosa Wed, 01/13/2010 - 08:54

Hello Sunny,

null0 is a logical interface that exists on every cisco router you don't need to create it.


It is a sort of waste bin and it can be used for example to create an aggregate address to be advertised in BGP.


a packet matching a static route to null0 is silently discarded (waste bin).


It is a form/tool of routing loop avoidance when creating aggregate or summary routes.


For example EIGRP creates a route to null0 automatically when using ip summary-address eigrp command in interface mode.

Also OSPF has the concept of discard route.


The idea is: a summary route that is always on is created to be advertised in BGP. If a packet arrives from a branch for an unknown subnet in the EIGRP domain of the HQ site, the packet is silently discarded without the risk of sending the packet back to a branch router.


This can be seen as a best practice.


About EIGRP and BGP at HQ site:

it may be wise to redistribute BGP into EIGRP, especially if another router is the exit point to internet and a default route cannot be injected into EIGRP domain by HQ WAN router.

be aware that for redistributing BGP into EIGRP you need a seed metric and for this default-metric command is needed

router eigrp 1
 default-metric 10000 1000 255 1 1500
 redistribute bgp xx
 no auto-summary


To avoid mutual bidirectional redistribution the static route to null0 can be handy: in this way there is no need to redistribute EIGRP into BGP.


Hope to help

Giuseppe

Jon Marshall Wed, 01/13/2010 - 09:00

Sunny


I totally agree with Giuseppe on the use of EIGRP and redistribution at HQ  and in fact we used this setup in the last place i worked.


Basically you want to redistribute BGP into EIGRP so HQ knows about all the remote sites. You then use a "network ..." statement under BGP at HQ to advertise HQ subnet(s) to the remote sites. And you add a static route to null0 to match your summarised network statement.


Doing the above avoids mutual redistribution which would only complicate things and is not really needed in your setup.


Jon

Jacob Samuel Wed, 01/13/2010 - 13:41

Dear Giusee/Jon,


Thanks a lot for the detailed descriptions.


I have another point to mention, which I think I mentioned before. The branch users will be connecting to the internet through the same link to HQ. At HQ I have a 2 Mb internet link. In this case I need to publish a specific route for the branches and a default route that connects to the internet router / firewall to forward the internet requests from the users at the branches. If I go for EIGRP, is there any problem I could find in providing internet to the branch users?

thanks and regards


Sunny

Giuseppe Larosa Wed, 01/13/2010 - 13:52

Hello Sunny,

in this case in BGP you need to advertise a default route 0.0.0.0 that represents internet for the branch sites.

For this on HQ WAN router

ip route 0.0.0.0 0.0.0.0 Fw-ipaddress (if they have an IP subnet in common)

router bgp xx
 network 0.0.0.0



If you follow previous indications EIGRP will contain external routes representing branch offices so no problem about this.

If firewall does take part in EIGRP it requires static routes for the branch routes pointing to an EIGRP speaking  router.


NAT rules have to be updated to include branch routes.


Hope to help

Giuseppe

Jacob Samuel Thu, 01/14/2010 - 00:49

Dear Giusee/Jon/Amer,


Thanks a lot for the updates. Finally I am just adding the configuration with three scenarios - with static, with EIGRP, and EIGRP with BGP. Please cross check and let me know if I am making any mistake in the config.

HQ Config with static route

router bgp 65089
 no synchronization
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.128.0
 neighbor 172.31.99.125 remote-as 65000
 no auto-summary
!
! later will change the next-hop to null0
ip route 192.168.0.0 255.255.128.0 192.168.96.1
!

====================

HQ Config with EIGRP without Internet

router eigrp 100
 default-metric 10000 1000 255 1 1500
 network 192.168.0.0 0.0.127.255
 redistribute bgp 65089
 no auto-summary
!
router bgp 65089
 no synchronization
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.128.0
 neighbor 172.31.99.125 remote-as 65000
 no auto-summary
!
! later will change the next-hop to null0
ip route 192.168.0.0 255.255.128.0 192.168.96.1

==============

HQ Config with EIGRP and Internet

router eigrp 100
 default-metric 10000 1000 255 1 1500
 network 192.168.0.0 0.0.127.255
 redistribute bgp 65089
 no auto-summary
!
router bgp 65089
 no synchronization
 bgp log-neighbor-changes
 network 0.0.0.0
 neighbor 172.31.99.125 remote-as 65000
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.96.1



for bgp i have different AS numbers used in some branches (not only 65089 some places 64803 is the AS number) hope no issue.


once again thanks a lotttt...



thanks and regards


Sunny

Correct Answer
Giuseppe Larosa Thu, 01/14/2010 - 02:52

Hello Sunny,


>> for bgp i have different AS numbers used in some branches (not only 65089 some places 64803 is the AS number) hope no issue.


this is not a problem


your three possible setups look fine


Hope to help

Giuseppe

Jacob Samuel Thu, 01/14/2010 - 08:45

Dear Giusee/Jon/Amer


Thanks a lot for the support... I connected 2 of my branch offices (over VSAT) with the HQ today. Some other sites also i tried to connect but the telco has to activate the line.


As of now i am connecting the sites using static route at HQ, once the basic connectivity is tested i would go for EIGRP at the HQ.


Giusee, i have noticed 2 things today after the testing-


1) if i remove the static route (192.18.0.0 255.255.128.0 192.168.96.1) pointing to my LAN in the HQ router, and put the static route pointing to null 0(192.18.0.0 255.255.128.0 null0) i am not able to reach the LAN of my HQ from Branches.


2) i connected the sites which are using VSAT and the speed of the link 128 Kbps at both site. I tried to ping some servers and even the Lan interface of the HQ, it is pinging but the response  time was huge (1600 to 1700 ms).


any clue what could be the issue???


Thanks a lottt....


Regards


Sunny

Giuseppe Larosa Thu, 01/14/2010 - 11:51

Hello Sunny,

thanks for your kind remarks

1)  without EIGRP you would need more specific routes using  the ip next-hop of 192.168.96.1 or the static to null0 would be a black hole. So the static to null0 is a good companion for EIGRP specific routes. Without EIGRP the use of next-hop 192.168.96.1 or more specific routes using next-hop 192.168.96.1 is a necessary step. Sorry if I have been unclear about this.


2) VSAT: satellite links are high delay. 1700 msec can be appropriate for the technology involved. We have some backups using satellite links and they show similar delays.

Consider 500 msec is propagation delay to reach a geostationary satellite (36000 km far from earth) one way.


However, VSAT may be using satellites that are not geostationary.


According to this link they declare 250 msec one way delay in one direction.


http://www.tgi.gl/uk/Services/VSAT/FAQs/VSATFAQ.htm




Hope to help

Giuseppe
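
Added example (not part of the thread, and not any participant's code): a small longest-prefix-match simulation of the HQ WAN router's forwarding decision, covering both the null0 aggregate explained earlier and the black hole described in the reply above. The /17 aggregate, 192.168.96.1, 172.31.99.125 and the 192.168.200.0/24 branch come from the thread; the EIGRP subnets 192.168.10.0/24 and 192.168.20.0/24, the test destinations and the "default_to_pe" variant are assumptions made for illustration.

```python
import ipaddress

LAN_CORE = "192.168.96.1"  # HQ inside next hop (from the thread)
PE = "172.31.99.125"       # provider PE neighbor (from the thread)
NULL0 = "Null0"            # discard interface


def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific route, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Branch /24 learned over BGP from the PE; present in every variant.
BGP_LEARNED = [("192.168.200.0/24", PE)]

# Constructed EIGRP-learned HQ subnets (assumption: not listed in the thread).
EIGRP_SPECIFICS = [
    ("192.168.10.0/24", LAN_CORE),
    ("192.168.20.0/24", LAN_CORE),
]

TABLES = {
    # Static aggregate pointing at the LAN: everything in the /17 goes inside,
    # including addresses that do not exist.
    "static_to_lan": BGP_LEARNED + [("192.168.0.0/17", LAN_CORE)],
    # Aggregate to Null0 with no more specific routes: the black hole
    # reported after removing the static route towards the LAN.
    "null0_only": BGP_LEARNED + [("192.168.0.0/17", NULL0)],
    # Aggregate to Null0 plus EIGRP specifics: real subnets are forwarded,
    # unknown ones are discarded at the WAN router.
    "null0_plus_eigrp": BGP_LEARNED + EIGRP_SPECIFICS
    + [("192.168.0.0/17", NULL0)],
    # Hypothetical: no aggregate route and a default pointing at the PE.
    # If the /17 is still advertised, the PE returns the packet: a loop.
    "default_to_pe": BGP_LEARNED + EIGRP_SPECIFICS + [("0.0.0.0/0", PE)],
}


def decisions(name):
    """Next hops for a real HQ host, an unused HQ address and a branch host."""
    table = TABLES[name]
    return {
        "hq_host": lookup(table, "192.168.10.5"),
        "unused_hq": lookup(table, "192.168.50.9"),
        "branch_host": lookup(table, "192.168.200.7"),
    }


if __name__ == "__main__":
    for name in TABLES:
        print(f"{name:18} {decisions(name)}")
```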
