With Vivek Ruhil
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about MPLS L3VPN: concepts, terminology, control and data plane call flow with Cisco expert Vivek Ruhil.
MPLS Layer 3 VPNs use a peer-to-peer model that uses Border Gateway Protocol (BGP) to distribute VPN-related information. This highly scalable, peer-to-peer model allows enterprise subscribers to outsource routing information to service providers, resulting in significant cost savings and a reduction in operational complexity for enterprises. Service providers can then offer value-added services like Quality of Service (QoS) and Traffic Engineering, allowing network convergence that encompasses voice, video, and data.
Vivek Ruhil is a network consulting engineer who is currently serving as the Cisco consultant for Bharti. He has previously worked as a network consultant for planning, design, and implementation of service provider networks and has experience with projects ranging from VPNs (L3, L2, 6vPE) to multicast services. He has been associated with the networking industry for almost 10 years. He holds a bachelor of technology degree as well as CCDP and CCIP certifications.
Remember to use the rating system to let Vivek know if you have received an adequate response.
Vivek might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider sub-community discussion forum MPLS shortly after the event.
This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
Could you please guide me on all the steps which are needed to configure L3VPN, L2VPN and VPLS services? Also, any document which covers all the available options that can go with each command mentioned in the above steps.
Thank you in advance
In order to configure an L3VPN, below are the steps:
1. Configure a VRF; you will have to set an RD (Route Distinguisher) and RT (Route Target).
ip vrf test
rd 1:1 <<<< Unless an RD is specified, the Cisco router doesn't activate the VRF.
route-target import 1:1 >>> You can have multiple such statements
route-target export 1:1 >>> You can have multiple such statements
2. Attach the VRF to a customer interface
ip vrf forwarding test
3. Configure Routing for Customer
address-family ipv4 vrf test
In case the customer wants to use some other routing protocol, then after the customer-chosen protocol is configured, redistribute that protocol into BGP
address-family ipv4 vrf test
And that's it, you are ready to offer L3VPN services to customers; of course the infra has to be ready. Infra includes IGP, MPLS, MP-BGP.
For further information you can check the below link:
Go to the "Connecting MPLS VPN Customers" section.
For L2VPN and VPLS, since they are not part of this discussion's scope, I can point you to the link where the configuration for them is shared; please refer to the below link:
Do let me know if you need anything else.
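As an added example (not part of the original thread and not Cisco tooling), the following Python sketch audits saved configuration text for the VRF steps in the answer above: it flags a VRF with no rd, an interface bound to a VRF that is never defined, and any VRF that imports a route-target another VRF exports, which is where routes cross between VPNs. The sample configuration, the VRF names lab and guest, and the interface names are constructed for illustration.

```python
# Constructed sample PE config; VRFs "lab"/"guest" and interface names are assumptions.
SAMPLE_CONFIG = """\
ip vrf test
 rd 1:1
 route-target import 1:1
 route-target export 1:1
!
ip vrf lab
 route-target import 1:1
 route-target export 2:2
!
interface FastEthernet0/0
 ip vrf forwarding test
!
interface FastEthernet0/1
 ip vrf forwarding guest
"""

def parse(config):
    """Return ({vrf: {rd, import, export}}, {interface: vrf}) from IOS config text."""
    vrfs, bindings, vrf, intf = {}, {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):            # unindented line starts a new stanza
            vrf = intf = None
            if words[:2] == ["ip", "vrf"] and len(words) == 3:
                vrf = vrfs.setdefault(words[2], {"rd": None, "import": set(), "export": set()})
            elif words[:1] == ["interface"] and len(words) == 2:
                intf = words[1]
        elif vrf is not None and words[:1] == ["rd"] and len(words) == 2:
            vrf["rd"] = words[1]
        elif vrf is not None and words[:1] == ["route-target"] and len(words) == 3:
            for kind in ("import", "export"):   # "both" sets import and export
                if words[1] in (kind, "both"):
                    vrf[kind].add(words[2])
        elif intf and words[:3] == ["ip", "vrf", "forwarding"] and len(words) == 4:
            bindings[intf] = words[3]
    return vrfs, bindings

def audit(config):
    vrfs, bindings = parse(config)
    out = [f"vrf {n}: no rd, VRF is not activated" for n in sorted(vrfs) if vrfs[n]["rd"] is None]
    out += [f"{i}: bound to undefined vrf {n}" for i, n in sorted(bindings.items()) if n not in vrfs]
    for a in sorted(vrfs):                      # import of a matching another VRF's export
        for b in sorted(vrfs):
            shared = vrfs[a]["import"] & vrfs[b]["export"]
            if a != b and shared:
                out.append(f"vrf {a} imports {', '.join(sorted(shared))} exported by vrf {b}")
    return out
```

A shared route-target is sometimes intentional (an extranet or shared-services VRF), so the last finding is something to review against the design rather than an error in itself.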
Thank you very much for your help.
Could you please also let me know the SNMP MIBs (Cisco or standard) which can provide me the details for L3VPN, L2VPN and VPLS configured in Cisco routers (PE and P)?
If I can get any sample output, it will be great.
These are standard technologies deployed nowadays and almost all of the NMS platforms support basic MIBs.
You can view a list of MIBs per platform from the below link:
I like this one as this can give you all MIBs per IOS, per platform, per feature set:
In your L3VPN configuration example above, under the BGP part, you don't show any address-family vpnv4 statements. When is it required to have an address-family vpnv4 configured under BGP?
In my reply above I pasted the steps to create an L3VPN and stated that "of course the infra has to be ready. Infra includes IGP, MPLS, MP-BGP."
To answer your next question, for L3VPN to work, below are the mandatory configurations:
1. IGP (OSPF or ISIS) should be setup and working
After this basic infrastructure is ready, you can go ahead and start configuring L3 or L2 VPNs.
I have uploaded a fairly descriptive presentation on L3VPNs which covers basic to advanced topics.
You may also go through the same, and in case of any questions do let me know.
I have a question about MPLS-VPN and Mcast.
Is it now recommended and better to use mLDP instead of RSVP-signaled multicast and traditional GRE MDT?
What is the most deployed technology and what is the recommended one for IPMPLSNGN (I believe Cisco is now recommending mLDP)?
And is it better to provision a different VPN/VRF and link for multicast to customers, or can it be combined over the same VPN/VRF and link as the unicast?
mLDP is an interesting concept and I have personally deployed a customer network using mLDP. I would say it was practically only about selecting the right IOS. mLDP is an inbuilt function in the IOS and is straightforward.
That being said, I would recommend that if there is a fairly new network being deployed for MVPN then we can definitely go ahead with mLDP as it brings the additional benefit that the operational staff doesn't have to be trained on another technology (PIM).
If you are already running MVPN with no problems, then I would say not to migrate unless there are problems being faced.
I couldn't understand the last question, could you please rephrase it?
My last question was: if you provision MVPN to a customer and they have a unicast VPN, normally as an SP do you use one link to the CE, or one link for mcast/MVPN and another one for the unicast VPN?
And my other question is: if you are running MVPN and want to migrate the signaling to mLDP, what is the simple way with minimum interruption that can be followed? E.g. I believe we can run both without any issue, get the control plane built, then MP-BGP, C-Mcast and VPN can be migrated one by one (not sure if this is the right approach!).
One more question: what is recommended/better to be used with mLDP for mapping flows to the LSP: BGP A-D, BGP C-mcast or PIM?
Yes you can have unicast VPN in the same VRF as Multicast VRF and it works perfectly fine.
For migration, you will have to move VPN per VPN, I mean you cannot have a customer with one VRF using mLDP and the other VRF using MVPN. One VRF within the SP has to be on either mLDP or Multicast. And yes the migration activity is done the way you have described, move one by one.
For the signalling part, IOS only uses static mapping to mLDP flow. IOS-XR does have the options listed above, but the best one in my opinion would be using BGP A-D, because with mLDP we are trying to move away from Multicast.
Could you help me to get the link to understand LSP, and how to configure them on a Cisco router or on another vendor's router?
LSP is Label Switched Path, you don't configure it. It is basically a path used by packets having similar characteristics mainly destination prefix source or the QOS value.
The below link provides a fairly good description
What does the below command mean? I don't understand why EIGRP AS 1 is defined under the global EIGRP AS 65535 process. The example is:
router eigrp 65535
interface fa 0/1
EIGRP deployment as a PE-CE protocol is based on the address-family architecture, meaning, you define an address-family per vrf within one EIGRP process much like you do in BGP.
And, EIGRP uses AS number to identify the process. Now, if I was a PE router and I implement EIGRP with one AS then I will not be able to peer with multiple customers. Hence, I use this command "autonomous-system" under the address-family configuration mode to ensure that I match the EIGRP AS number as desired by the Customer.
So, in the above example, EIGRP 65535 is the AS number used by the Service Provider. But the end customer is using AS number as 1 and hence we set the autonomous-system to 1 so that the CE can see that this is the same process and the peering will be done.
I tried to make MPLS run under interfaces associated with a VRF but it seems that it doesn't work; is there any limitation on this?
ip vrf forwarding test
ip add 220.127.116.11 255.255.255.0
LDP adjacency is successfully built and routes are exchanged, but without labels!
Is there any other command I have to enter when service provider interfaces are in a VRF?
I have always seen this type of a setup in CSC environment where one side is in VRF and the other is not and that works perfectly fine.
What you have here is a slightly different setup and I don't think this is a recommended way to achieve what you want to do, i.e. IPv6 over MPLS.
I was going through the other post that you have in the MPLS Forum, and there are three possibilities:
1. Have a GRE tunnel between the two CE routers so that you can transport IPv6 over this transparently. Of course, this is not scalable, but if you want only two such sites to be connected then this is the way.
2. I would recommend that if you want IPv6 over MPLS the best is to implement 6PE.
To achieve 6PE, you have to establish three things:
a. Establish an IPv6 address-family session with the CE router.
b. Establish an MP-iBGP session between the PE routers with the "send-label" option to ensure that labels for IPv6 prefixes are advertised to the other end.
c. The rest of your MPLS network should be running, and then you should be able to have this working.
3. In case the requirement is to have multiple such customers, then I would suggest the approach of 6vPE.
OK, I understand that AS 1 of EIGRP is defined under address-family ipv4; I got this point. But still, why do we have to define EIGRP 65535 globally, if the service provider core is using OSPF and IS-IS? Why EIGRP globally? Why can't we just define EIGRP under the VRF and address-family ipv4?
EIGRP is enabled at the global level to let the router know that an EIGRP process is to be initiated on the router. However, regarding EIGRP at the global level as you mentioned, if you look closely there is no neighborship, or for that matter even any configuration, at the global level under EIGRP, since we are running it only for the CE and hence under the VRF.
Also, to answer the last question you have to first enable the feature and then only you can associate it with a VRF.
Hi Mr. Ruhil, I am desperately in need of your help in configuring a Cisco 3620 series router for VPN remote access with IOS flash:c3620-jk9s-mz.122-29.bin. Please help, my boss is on me for this.
Can anyone send me the VPN configuration for the IOS below: flash:c3620-jk9s-mz.122-29.bin. I can't set up a group profile or tunneling info.
Could you please elaborate on your requirement? It's not very clear what you are trying to achieve.
If we have two L3 switches connected back to back, both running MPLS, and acting as P & PE at the same time, how can I see what labels are used to forward the prefixes?
When I do a "show mpls forwarding blah", all the prefixes are listed w/ "no label" as outgoing label.
Since the two P/PE nodes are connected back to back, would they still impose inner and outer labels when packets are forwarded, or only one label?
How do I see what that label is?
With this command you should be able to see the next hop label in a normal scenario.
Yes, even in this setup you would see a label, and the value will be "pop label" on both the routers.
Can you print the output of
show ip route
show mpls ldp nei
show mpls ldp bindings
I have a problem with VRF working with the DLEP protocol and would like to ask: can you help me in this case (although DLEP is not really the theme of this discussion)?
ip sla monitor 12
type echo protocol ipIcmpEcho 18.104.22.168 source-ipaddr 22.214.171.124
ip sla monitor schedule 12 life forever start-time now
track 12 rtr 12 reachability
track 12 rtr 12 state
What's the difference between reachability and state?