02-13-2014 09:58 AM
Hi everyone,
I am trying to build a real-life topology. My goal is to exchange private routes between two MPLS providers via the public internet without leaking the private routes to the public internet. So the router in the top right corner should be able to ping the router below, and the ISP routers should not know about the private routes.
The interfaces of ATnT_PE_PE and SWC_PE_PE toward the ISP are in VRF INET. I established a BGP IPv4 VRF INET session between the two MPLS providers; the connectivity is fine, however when I filter the private routes on the ISP this breaks the connectivity.
How can I get it working?
I will post the configs of the two service provider edge routers:
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
ip vrf INET
rd 100:100
route-target export 100:100
route-target import 100:100
route-target import 1:1
!
ip vrf OCH
rd 1:1
route-target export 1:1
route-target import 1:1
route-target import 100:100
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Tunnel0
no ip address
tunnel source Serial1/0
tunnel destination 20.0.0.1
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip vrf forwarding INET
ip address 40.0.0.2 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
ip address 10.0.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly
mpls ip
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
log-adjacency-changes
network 10.0.0.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
!
router bgp 200
bgp router-id 40.0.0.2
bgp log-neighbor-changes
neighbor 10.3.3.3 remote-as 200
neighbor 10.3.3.3 update-source Loopback0
!
address-family ipv4
neighbor 10.3.3.3 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.3.3.3 activate
neighbor 10.3.3.3 send-community both
exit-address-family
!
address-family ipv4 vrf OCH
no synchronization
exit-address-family
!
address-family ipv4 vrf INET
neighbor 20.0.0.1 remote-as 100
neighbor 20.0.0.1 ebgp-multihop 10
neighbor 20.0.0.1 activate
neighbor 20.0.0.1 send-community both
neighbor 40.0.0.1 remote-as 1
neighbor 40.0.0.1 activate
no synchronization
network 40.0.0.0 mask 255.255.255.252
exit-address-family
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit 172.17.0.0 0.0.255.255
access-list 10 permit 172.18.0.0 0.0.255.255
access-list 10 permit 172.19.0.0 0.0.255.255
access-list 10 permit 172.20.0.0 0.0.255.255
access-list 10 permit 172.21.0.0 0.0.255.255
access-list 10 permit 172.22.0.0 0.0.255.255
access-list 10 permit 172.23.0.0 0.0.255.255
access-list 10 permit 172.24.0.0 0.0.255.255
access-list 10 permit 172.25.0.0 0.0.255.255
access-list 10 permit 172.26.0.0 0.0.255.255
access-list 10 permit 172.27.0.0 0.0.255.255
access-list 10 permit 172.28.0.0 0.0.255.255
access-list 10 permit 172.29.0.0 0.0.255.255
access-list 10 permit 172.30.0.0 0.0.255.255
access-list 10 permit 172.31.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit any
!
!
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ATnT_PE_PE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
ip vrf INET
rd 100:100
route-target export 100:100
route-target import 100:100
route-target import 1:1
!
ip vrf OCH
rd 1:1
route-target export 1:1
route-target import 1:1
route-target import 100:100
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 10.4.4.4 255.255.255.255
!
interface Tunnel0
no ip address
tunnel source Serial1/2
tunnel destination 40.0.0.2
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 10.0.14.4 255.255.255.0
ip router isis
ip nat inside
ip virtual-reassembly
mpls ip
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip vrf forwarding INET
ip address 20.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router isis
net 00.0000.0000.0004.00
passive-interface Loopback0
!
router bgp 100
bgp log-neighbor-changes
neighbor 10.3.3.3 remote-as 100
neighbor 10.3.3.3 update-source Loopback0
neighbor 10.11.11.11 remote-as 100
neighbor 10.11.11.11 update-source Loopback0
neighbor 10.22.22.22 remote-as 100
neighbor 10.22.22.22 update-source Loopback0
!
address-family ipv4
neighbor 10.3.3.3 activate
neighbor 10.11.11.11 activate
neighbor 10.22.22.22 activate
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.3.3.3 activate
neighbor 10.3.3.3 send-community both
neighbor 10.3.3.3 route-reflector-client
neighbor 10.11.11.11 activate
neighbor 10.11.11.11 send-community both
neighbor 10.11.11.11 route-reflector-client
neighbor 10.22.22.22 activate
neighbor 10.22.22.22 send-community both
neighbor 10.22.22.22 route-reflector-client
exit-address-family
!
address-family ipv4 vrf OCH
no synchronization
exit-address-family
!
address-family ipv4 vrf INET
neighbor 20.0.0.2 remote-as 1
neighbor 20.0.0.2 activate
neighbor 40.0.0.2 remote-as 200
neighbor 40.0.0.2 ebgp-multihop 10
neighbor 40.0.0.2 activate
neighbor 40.0.0.2 send-community both
no synchronization
network 20.0.0.0 mask 255.255.255.252
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 permit 172.17.0.0 0.0.255.255
access-list 10 permit 172.18.0.0 0.0.255.255
access-list 10 permit 172.19.0.0 0.0.255.255
access-list 10 permit 172.20.0.0 0.0.255.255
access-list 10 permit 172.21.0.0 0.0.255.255
access-list 10 permit 172.22.0.0 0.0.255.255
access-list 10 permit 172.23.0.0 0.0.255.255
access-list 10 permit 172.24.0.0 0.0.255.255
access-list 10 permit 172.25.0.0 0.0.255.255
access-list 10 permit 172.26.0.0 0.0.255.255
access-list 10 permit 172.27.0.0 0.0.255.255
access-list 10 permit 172.28.0.0 0.0.255.255
access-list 10 permit 172.29.0.0 0.0.255.255
access-list 10 permit 172.30.0.0 0.0.255.255
access-list 10 permit 172.31.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit any
!
!
!
route-map FILTER deny 10
match ip address 10
!
route-map FILTER permit 20
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
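The following is an added example, not code from the thread or from either provider's configuration. It models two things visible in the posted configs: the route-target policy (VRF INET imports RT 1:1, so everything VRF OCH exports lands in INET and is then eligible for advertisement to the INET eBGP neighbours), and route-map FILTER with access-list 10 as posted on ATnT_PE_PE, whose trailing `permit any` makes the `deny 10` clause match every prefix. The sample prefixes in ROUTES other than the two ISP link subnets are constructed for illustration, and the assumed VRF/route-map semantics are those of IOS standard ACLs under `match ip address` (network address compared under the wildcard, first match wins, implicit deny at the end).

```python
"""Added example, not part of the thread: a model of the posted route-target
policy and of route-map FILTER / access-list 10 on ATnT_PE_PE.  It shows why
VRF OCH's private prefixes appear in VRF INET and what the ISP-facing
neighbour would be sent under three outbound policies.  Only the RTs, the
ACL and the link subnets 20.0.0.0/30 and 40.0.0.0/30 come from the posted
configs; the other prefixes are constructed."""
import ipaddress

# Route targets exactly as in the posted "ip vrf INET" / "ip vrf OCH" stanzas.
VRFS = {
    "INET": {"export": {"100:100"}, "import": {"100:100", "1:1"}},
    "OCH":  {"export": {"1:1"},     "import": {"1:1", "100:100"}},
}

# Constructed sample routes: (prefix, VRF that originates it).
ROUTES = [
    ("10.0.0.0/30",     "OCH"),   # assumed private core link
    ("192.168.10.0/24", "OCH"),   # assumed customer LAN
    ("20.0.0.0/30",     "INET"),  # ISP link on ATnT_PE_PE (from config)
    ("40.0.0.0/30",     "INET"),  # ISP link on SWC_PE_PE (from config)
    ("203.0.113.0/24",  "INET"),  # assumed public prefix (documentation range)
]

# access-list 10 as posted: every RFC 1918 block, then "permit any".
POSTED_ACL_10 = (
    [("permit", "10.0.0.0", "0.255.255.255")]
    + [("permit", f"172.{i}.0.0", "0.0.255.255") for i in range(16, 32)]
    + [("permit", "192.168.0.0", "0.0.255.255"),
       ("permit", "any", None)]
)
CORRECTED_ACL_10 = POSTED_ACL_10[:-1]   # same list without the trailing permit any

# route-map FILTER as posted: deny what ACL 10 permits, then permit the rest.
FILTER = [("deny", "10"), ("permit", None)]
NO_FILTER = [("permit", None)]          # no outbound policy at all

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vrf_table(name):
    """Prefixes present in VRF `name`: its own routes plus every route whose
    originating VRF exports a route target that `name` imports."""
    imports = VRFS[name]["import"]
    return sorted(prefix for prefix, origin in ROUTES
                  if origin == name or VRFS[origin]["export"] & imports)


def acl_matches(acl, prefix):
    """Standard ACL under 'match ip address': IOS compares only the network
    address of the prefix against each entry, under the entry's wildcard.
    The first matching entry decides; no match is an implicit deny."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wildcard in acl:
        if addr == "any":
            return action == "permit"
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # bits compared
        if net & care == int(ipaddress.ip_address(addr)) & care:
            return action == "permit"
    return False


def route_map_permits(route_map, acl_by_name, prefix):
    """First clause whose match succeeds decides; a clause without a match
    statement matches everything; running off the end is an implicit deny."""
    for action, acl_name in route_map:
        if acl_name is None or acl_matches(acl_by_name[acl_name], prefix):
            return action == "permit"
    return False


def advertised_to_isp(route_map, acl):
    """What VRF INET would hand to its ISP neighbour outbound."""
    return [p for p in vrf_table("INET")
            if route_map_permits(route_map, {"10": acl}, p)]


def leaked_private(route_map, acl):
    """RFC 1918 prefixes that survive the outbound policy."""
    return [p for p in advertised_to_isp(route_map, acl)
            if any(ipaddress.ip_network(p).subnet_of(b) for b in RFC1918)]


if __name__ == "__main__":
    print("VRF INET table:", vrf_table("INET"))
    for label, rm, acl in (("no filter", NO_FILTER, POSTED_ACL_10),
                           ("FILTER + posted ACL 10", FILTER, POSTED_ACL_10),
                           ("FILTER + corrected ACL 10", FILTER, CORRECTED_ACL_10)):
        print(f"{label:26} advertised={advertised_to_isp(rm, acl)}"
              f" leaked={leaked_private(rm, acl)}")
```

Two things worth checking against the posted configs. First, route-map FILTER is defined on ATnT_PE_PE but is not attached to any neighbour in either config; attached outbound to the ISP neighbour with ACL 10 as posted, it would withdraw every prefix, including 20.0.0.0/30, which the multihop session between 20.0.0.1 and 40.0.0.2 depends on for reachability through the ISP. Dropping the `permit any` line (or using `ip prefix-list` entries with `le 32`, which also catches more specifics that a standard ACL's network-address comparison may miss) keeps the deny scoped to RFC 1918 space. Second, even with a correct filter, the inter-provider eBGP session and the customer traffic it steers still transit the ISP in VRF INET unprotected, and the Tunnel0 interfaces in both posted configs have no IP address, so no tunnel is carrying that traffic as shown.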
02-13-2014 11:00 AM
Hi Istvan,
I see that ISP RED and ISP PURPLE are using different AS numbers; are they two different ISPs, or are they one ISP divided by the public internet in your scenario?
If they are two different ISPs, you should consider using one of the Inter-AS MPLS VPN solutions.
If they are one ISP, why don't you use the same AS number?
Also, let's say that the green area is a third ISP, a big one. I would purchase a Layer 2 link between both edge routers in the RED and PURPLE areas.
It is hard to help you any further, because you did not provide enough information.
Best Regards
Please rate all helpful posts and close solved questions
02-16-2014 11:57 AM
Hi,
The ISPs are two different ones in the green area. I will implement either an L2 VPN solution or CSC (B2B VRF or so on).
Thanks anyway!
02-18-2014 12:11 PM
Hi Istvan
Looking at your design, it looks like you are trying to have LAN-based connectivity between sites, since you have installed switches. An L2VPN-based solution like EoMPLS or VPLS would be a good option. If the switches are acting as L3 devices, then you can go for CSC.
Thanks