MPLS Lab 003 CE-PE Routing Using Redistribute Connected

Image requirements:
VIRL: IOSv 15.7
EVE-NG: Cisco vIOS Router vios-15.6
GNS3: vios-adventerprisek9-m.vmdk.SPA.156-2.T




Description:
After the successful implementation and testing of the L3 MPLS VPN core infrastructure, the ISP is ready to start interconnecting customer networks. The very first customer will be connected in this lab, and you, as lead network engineer, are responsible for installing the VPN service. The customer will share only the point-to-point networks that connect its CE routers to the MPLS cloud, because the CE routers on both sides will use an IPsec tunnel to exchange data.



Topology:


Download Lab: VIRL | EVE-NG | GNS3





Scenario:
The first customer is ready to use our L3 MPLS VPN service. Now that the network technicians have installed the equipment and connected the customer's devices to the ISP offices, you need to configure CE-PE routing between the client's CE routers and the ISP's PE routers. Additionally, you will assist the customer in implementing an IPsec tunnel to securely route the client's traffic over the ISP network.




Part 1. Establish the VPN connection over the MPLS cloud.


Lab Tasks:
1. PE2 side. Configure a new VRF named CE1 with RD 1500:1500, and under the IPv4 address family configure RT export and import 1500:1500.
2. PE2 side. Configure interface G0/3, place it into the CE1 VRF and re-assign the IPv4 address according to the topology. (Before assigning G0/3 to the CE1 VRF, check its current IPv4 address, because placing an interface into a VRF wipes out its IP configuration.)
3. PE2 side. Configure the MP-BGP IPv4 address family for the CE1 VRF, redistribute connected, and save the PE2 configuration.
4. PE4 side. Configure a new VRF named CE1 with RD 1500:1500, and under the IPv4 address family configure RT export and import 1500:1500.
5. PE4 side. Configure interface G0/3, place it into the CE1 VRF and re-assign the IPv4 address according to the topology.
6. PE4 side. Configure the MP-BGP IPv4 address family for the CE1 VRF, redistribute connected, and save the PE4 configuration.
7. Verify that there is connectivity between the G0/3 interfaces of PE2 and PE4.
8. Configure a static route on the CE1-A router to the /30 network between PE4 and CE1-B.
9. Configure a static route on the CE1-B router to the /30 network between PE2 and CE1-A.
10. Verify connectivity between the CE1-A and CE1-B routers.


Lab procedure:

Task1: Configuring CE1 VRF on the PE2 router.
PE2(config)#vrf definition CE1
PE2(config-vrf)#rd 1500:1500
PE2(config-vrf)#address-family ipv4 unicast
PE2(config-vrf-af)#route-target export 1500:1500
PE2(config-vrf-af)#route-target import 1500:1500
PE2(config-vrf-af)#



Task2: On router PE2 place interface G0/3 into VRF CE1, then reassign the IP address.
First check the current IP address of the G0/3 interface, since it will be removed when the interface joins the VRF:
PE2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.255.2.230    YES TFTP   up                    up
GigabitEthernet0/1         10.0.1.6        YES TFTP   up                    up
GigabitEthernet0/2         10.0.3.6        YES TFTP   up                    up
GigabitEthernet0/3         10.150.0.2      YES TFTP   up                    up
Loopback0                  10.100.0.12     YES TFTP   up                    up
Loopback1000               172.16.255.1    YES TFTP   up                    up
Loopback2000               172.16.255.2    YES TFTP   up                    up
Loopback3000               172.16.255.3    YES TFTP   up                    up
PE2#

Then proceed to configuration:
PE2(config)#interface g0/3
PE2(config-if)#vrf forwarding CE1
PE2(config-if)#ip address 10.150.0.2 255.255.255.252
PE2(config-if)#

Verify that PE2 can ping CE1-A from the CE1 VRF routing instance (the first echo is commonly lost while the router resolves the neighbor's MAC address with ARP, hence 4/5):
PE2#ping vrf CE1 10.150.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/3 ms
PE2#



Task3: Configure BGP to redistribute the CE1 VRF connected networks into the VPNv4 BGP table.
PE2(config)#router bgp 64500
PE2(config-router)#address-family ipv4 unicast vrf CE1
PE2(config-router-af)#redistribute connected
PE2(config-router-af)#exit
PE2(config-router)#exit
PE2(config)#

Verify the VPNv4 BGP table (the ? origin code is expected, because redistributed routes carry the "incomplete" origin):
PE2#show bgp vpnv4 unicast vrf CE1
BGP table version is 11, local router ID is 10.100.0.12
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1500:1500 (default for vrf CE1)
 *>   10.150.0.0/30    0.0.0.0                  0         32768 ?
PE2#



Task4: Configuring CE1 VRF on the PE4 router.
PE4(config)#vrf definition CE1
PE4(config-vrf)#rd 1500:1500
PE4(config-vrf)#address-family ipv4 unicast
PE4(config-vrf-af)#route-target export 1500:1500
PE4(config-vrf-af)#route-target import 1500:1500
PE4(config-vrf-af)#



Task5: On router PE4 place interface G0/3 into VRF CE1, then reassign the IP address.
PE4(config)#interface g0/3
PE4(config-if)#vrf forwarding CE1
PE4(config-if)#ip address 10.150.0.6 255.255.255.252
PE4(config-if)#

Verify that PE4 can ping CE1-B from the CE1 VRF routing instance:
PE4#ping vrf CE1 10.150.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.0.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/3 ms



Task6: Configure BGP to redistribute the CE1 VRF connected networks into the VPNv4 BGP table.
PE4(config)#router bgp 64500
PE4(config-router)#address-family ipv4 unicast vrf CE1
PE4(config-router-af)#redistribute connected
PE4(config-router-af)#exit
PE4(config-router)#exit
PE4(config)#

Verify the VPNv4 BGP table:
PE4#show bgp vpnv4 unicast vrf CE1
BGP table version is 7, local router ID is 10.100.0.14
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1500:1500 (default for vrf CE1)
 *>i  10.150.0.0/30    10.100.0.12              0    100      0 ?
 *>   10.150.0.4/30    0.0.0.0                  0         32768 ?
Now the VPNv4 BGP table contains both sides' networks: the local 10.150.0.4/30 is originated by PE4 itself (next hop 0.0.0.0, weight 32768), while 10.150.0.0/30 was learned over iBGP (the i status code) with PE2's loopback 10.100.0.12 as next hop. If the remote prefix is missing here, the first thing to compare is the route-target exported by the other PE against the one imported on this PE.



Task7: Verify that there is connectivity between G0/3 interfaces of PE2 and PE4 routers.
PE2#ping vrf CE1 10.150.0.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms
PE2#
PE2 can reach PE4's G0/3 interface address across the MPLS core from within the CE1 VRF.



Task8: Configure the static route on the CE1-A router to the /30 network between PE4 and CE1-B. 
CE1-A(config)#ip route 10.150.0.4 255.255.255.252 10.150.0.2



Task9: Configure the static route on the CE1-B router to the /30 network between PE2 and CE1-A. 
CE1-B(config)#ip route 10.150.0.0 255.255.255.252 10.150.0.6



Task10: Verify connectivity between CE1-A and CE1-B routers. 
CE1-A#ping 10.150.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/10 ms
CE1-A#
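Reading the VPNv4 table by eye works for two prefixes but not for a production PE. The following Python checker is an added example, not part of the original lab: it parses the output of show bgp vpnv4 unicast vrf and verifies the RD, that the local /30 is locally originated (next hop 0.0.0.0, no i code), and that the remote /30 arrived over iBGP with the other PE's loopback as next hop. The embedded table is the PE4 output captured in Task 6, re-typed in the column layout IOS prints; the "missing route" case is constructed to show the symptom of mismatched route targets.

```python
import re
from dataclasses import dataclass

# Constructed sample: the PE4 table shown in Task 6, re-typed in the column layout IOS prints.
PE4_VPNV4 = """\
BGP table version is 7, local router ID is 10.100.0.14
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
              t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1500:1500 (default for vrf CE1)
 *>i  10.150.0.0/30    10.100.0.12              0    100      0 ?
 *>   10.150.0.4/30    0.0.0.0                  0         32768 ?
"""


@dataclass
class VrfRoute:
    prefix: str
    next_hop: str
    internal: bool  # 'i' status code: learned over iBGP from another PE
    best: bool      # '>' status code


# One route line: status codes, prefix with mask length, next-hop address.
ROUTE_RE = re.compile(r"^\s*(?P<status>\S+)\s+(?P<prefix>\S+/\d{1,2})\s+(?P<nh>\d+(?:\.\d+){3})")


def parse_vpnv4_vrf(text: str) -> dict:
    """Parse 'show bgp vpnv4 unicast vrf <name>' output into router ID, RD and routes."""
    rid = re.search(r"local router ID is (\S+)", text)
    rd = re.search(r"Route Distinguisher: (\S+)", text)
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            status = m.group("status")
            routes.append(VrfRoute(m.group("prefix"), m.group("nh"),
                                   internal="i" in status, best=">" in status))
    return {"router_id": rid.group(1) if rid else None,
            "rd": rd.group(1) if rd else None,
            "routes": routes}


def check_ce_vrf(table: dict, expect_rd: str, local_prefix: str,
                 remote_prefix: str, remote_pe_id: str) -> list:
    """Return the problems found; an empty list means the PE sees both sides as Task 6 expects."""
    problems = []
    if table["rd"] != expect_rd:
        problems.append(f"RD is {table['rd']}, expected {expect_rd}")
    by_prefix = {r.prefix: r for r in table["routes"]}

    local = by_prefix.get(local_prefix)
    if local is None or local.internal or local.next_hop != "0.0.0.0":
        problems.append(f"{local_prefix} is not locally originated: "
                        "check 'redistribute connected' under the VRF address family")

    remote = by_prefix.get(remote_prefix)
    if remote is None:
        problems.append(f"{remote_prefix} is absent: check that the route-target "
                        "exported by the other PE matches the one imported here")
    else:
        if not remote.internal:
            problems.append(f"{remote_prefix} is not an iBGP path")
        if remote.next_hop != remote_pe_id:
            problems.append(f"{remote_prefix} next hop is {remote.next_hop}, "
                            f"expected the remote PE loopback {remote_pe_id}")
        if not remote.best:
            problems.append(f"{remote_prefix} is not the best path")
    return problems


if __name__ == "__main__":
    table = parse_vpnv4_vrf(PE4_VPNV4)
    print("PE4 as captured:", check_ce_vrf(table, "1500:1500", "10.150.0.4/30",
                                           "10.150.0.0/30", "10.100.0.12") or "OK")
    # Constructed failure case: the PE2-side route never arrived (typical RT mismatch symptom).
    broken = "\n".join(l for l in PE4_VPNV4.splitlines() if "10.150.0.0/30" not in l)
    print("RT mismatch:", check_ce_vrf(parse_vpnv4_vrf(broken), "1500:1500",
                                       "10.150.0.4/30", "10.150.0.0/30", "10.100.0.12"))
```

The expected next hop is the remote PE's loopback rather than the CE address because VPNv4 routes are carried between PEs with the originating PE as BGP next hop; that loopback is also the address LDP must have a label for, so a wrong next hop here points at the core rather than at the VRF.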



Part2: Assist the customer with the implementation of IPsec and LAN-to-LAN routing using static routes.


Lab Tasks:
1. Configure an IPsec tunnel between routers CE1-A and CE1-B.
2. Configure a static route on router CE1-A to carry IP traffic between the customer's LAN networks.
3. Configure a static route on router CE1-B to carry IP traffic between the customer's LAN networks.
4. Verify connectivity between the LAN networks.


Lab Procedure:


Task1: Configuring IPsec tunnel.


Step1: Configure the CE1-A side:
Create the ISAKMP (IKEv1 phase 1) policy. Note that hash sha selects SHA-1, group 24 is the 2048-bit MODP group with a 256-bit prime-order subgroup, and the lifetime is in seconds:
CE1-A(config)#crypto isakmp policy 10
CE1-A(config-isakmp)#hash sha
CE1-A(config-isakmp)#authentication pre-share
CE1-A(config-isakmp)#group 24
CE1-A(config-isakmp)#lifetime 86400
CE1-A(config-isakmp)#encryption aes 256
CE1-A(config-isakmp)# exit


Configure the ISAKMP pre-shared key and allow the key exchange only with the CE1-B router (the key below is a lab value; in production use a long random secret or certificate authentication):
CE1-A(config)#crypto isakmp key l3-mpls-vpn address 10.150.0.5


Configure the IPsec transform set. In tunnel mode ESP encrypts and authenticates the entire original IP packet, header included, so the ISP sees only the two /30 addresses as ESP endpoints:
CE1-A(config)#crypto ipsec transform-set SECURE_MPLS_VPN esp-aes 256 esp-sha-hmac
CE1-A(cfg-crypto-trans)#mode tunnel


Configure the crypto ACL that selects the traffic to protect. The lab uses permit ip any any, so everything leaving G0/1 is encrypted to the peer. Cisco discourages any in a crypto ACL: unencrypted inbound traffic that matches the ACL is dropped, because the router expects it to arrive IPsec-protected. In production, scope the ACL to the LAN prefixes that must cross the tunnel:
CE1-A(config)#access-list 100 permit ip any any


Configure IPsec crypto-map:
CE1-A(config)#crypto map MPLS_VPN 1 ipsec-isakmp
CE1-A(config-crypto-map)#match address 100
CE1-A(config-crypto-map)#set peer 10.150.0.5
CE1-A(config-crypto-map)#set transform-set SECURE_MPLS_VPN
CE1-A(config-crypto-map)#exit


The final step is to apply the crypto map to the interface facing the PE:
CE1-A(config)#interface g0/1
CE1-A(config-if)#crypto map MPLS_VPN
CE1-A(config-if)#end


Step2: Repeat the mirrored configuration on CE1-B (same policy, key, transform set and crypto map, with set peer 10.150.0.1 and the crypto map applied to its G0/1).


Step3: Verify IPsec operation:
Ping the remote destination to place some traffic on the IPsec tunnel, then verify IPsec with the show crypto ipsec sa command and check the packet counters. Also note the plaintext mtu value in the output: the ESP tunnel-mode overhead lowers the usable MTU below the 1500 bytes of the link, which matters for hosts sending full-size packets with DF set.
CE1-B#ping 10.150.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.150.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 10/11/12 ms
CE1-B#

CE1-B#show crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: MPLS_VPN, local addr 10.150.0.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.150.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.150.0.5, remote crypto endpt.: 10.150.0.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xE57B3A86(3850058374)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD6875A81(3599194753)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: MPLS_VPN
        sa timing: remaining key lifetime (k/sec): (4212224/3384)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE57B3A86(3850058374)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: MPLS_VPN
        sa timing: remaining key lifetime (k/sec): (4212224/3384)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
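The counters above prove the tunnel carries traffic, but they say nothing about whether what was negotiated is what was intended. The following Python audit is an added example, not part of the original lab: it parses show crypto ipsec sa and flags a wrong peer, a transform other than the configured esp-aes 256 esp-sha-hmac, transport instead of tunnel mode, an inactive SA, disabled anti-replay, PFS off, and any/any proxy identities (the permit ip any any crypto ACL). The embedded output is the CE1-B capture from Step 3, trimmed to the lines the audit reads; the DES variant is constructed to show a transform error.

```python
import re

# Constructed sample: the CE1-B 'show crypto ipsec sa' output from Step 3, trimmed
# to the lines the audit reads and indented the way IOS prints them.
CE1B_SA = """\
interface: GigabitEthernet0/1
    Crypto map tag: MPLS_VPN, local addr 10.150.0.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.150.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.150.0.5, remote crypto endpt.: 10.150.0.1
     current outbound spi: 0xE57B3A86(3850058374)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD6875A81(3599194753)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0xE57B3A86(3850058374)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""


def _first(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default


def parse_ipsec_sa(text: str) -> dict:
    """Pull the fields worth checking out of 'show crypto ipsec sa' for one crypto map entry."""
    errs = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    return {
        "local_ident": _first(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)", text),
        "remote_ident": _first(r"remote ident \(addr/mask/prot/port\): \((\S+)\)", text),
        "peer": _first(r"current_peer (\S+)", text),
        "encaps": int(_first(r"#pkts encaps: (\d+)", text, 0)),
        "decaps": int(_first(r"#pkts decaps: (\d+)", text, 0)),
        "send_errors": int(errs.group(1)) if errs else 0,
        "recv_errors": int(errs.group(2)) if errs else 0,
        "pfs": _first(r"PFS \(Y/N\): (\w)", text) == "Y",
        # One entry per ESP SA (inbound, then outbound), in the order printed.
        "transforms": re.findall(r"transform: (.+?) ,", text),
        "modes": re.findall(r"in use settings =\{(\w+)", text),
        "replay": re.findall(r"replay detection support: (\w)", text),
        "statuses": re.findall(r"Status: (\w+)", text),
    }


def audit_ipsec_sa(sa: dict, expected_peer: str,
                   expected_transform: str = "esp-256-aes esp-sha-hmac") -> list:
    """Return (severity, code, message) findings; an error means the SA is not what was configured."""
    f = []
    if sa["peer"] != expected_peer:
        f.append(("error", "peer", f"SA peer is {sa['peer']}, expected {expected_peer}"))
    if len(sa["statuses"]) < 2 or any(s != "ACTIVE" for s in sa["statuses"]):
        f.append(("error", "status", "inbound and outbound ESP SAs are not both ACTIVE"))
    for t in sa["transforms"]:
        if t != expected_transform:
            f.append(("error", "transform", f"SA negotiated {t!r}, expected {expected_transform!r}"))
    if any(m != "Tunnel" for m in sa["modes"]):
        f.append(("error", "mode", "an SA is not in tunnel mode, so inner IP headers would be exposed"))
    if any(r != "Y" for r in sa["replay"]):
        f.append(("warn", "replay", "anti-replay is disabled on an SA"))
    if not sa["pfs"]:
        f.append(("warn", "pfs", "PFS is off: IPsec keys derive from the IKE phase-1 secret; "
                                  "consider 'set pfs <group>' in the crypto map entry"))
    if any(i and i.startswith("0.0.0.0/0.0.0.0") for i in (sa["local_ident"], sa["remote_ident"])):
        f.append(("warn", "proxy_any", "crypto ACL is any/any; scope it to the LAN prefixes "
                                       "that must cross the tunnel"))
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        f.append(("warn", "no_traffic", "no packets in one direction yet; ping across the tunnel first"))
    if sa["send_errors"] or sa["recv_errors"]:
        f.append(("warn", "errors", f"send/recv errors {sa['send_errors']}/{sa['recv_errors']}"))
    if any("esp-sha-hmac" in t for t in sa["transforms"]):
        f.append(("info", "sha1", "esp-sha-hmac is HMAC-SHA-1; prefer esp-sha256-hmac where supported"))
    return f


if __name__ == "__main__":
    for sev, code, msg in audit_ipsec_sa(parse_ipsec_sa(CE1B_SA), "10.150.0.1"):
        print(f"{sev:5} {code:10} {msg}")
    # Constructed failure case: a peer that downgraded the cipher to DES.
    weak = parse_ipsec_sa(CE1B_SA.replace("esp-256-aes", "esp-des"))
    print([c for s, c, _ in audit_ipsec_sa(weak, "10.150.0.1") if s == "error"])
```

Against the lab capture the audit reports no errors, two warnings (PFS off, any/any identities) and one informational note on SHA-1; those are exactly the three things a reviewer would ask the customer to tighten before this tunnel carried anything more sensitive than lab traffic.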



Task2: Configure a static route on router CE1-A for LAN-to-LAN traffic, pointing the remote LAN 10.160.0.0/24 at CE1-B's /30 address so it is selected by the crypto map:
CE1-A(config)#ip route 10.160.0.0 255.255.255.0 10.150.0.5



Task3: Configure the mirrored static route on router CE1-B, pointing the CE1-A LAN 10.155.0.0/24 at CE1-A's /30 address:
CE1-B(config)#ip route 10.155.0.0 255.255.255.0 10.150.0.1



Task4: Verify connectivity between LAN networks. 
Ping 10.160.0.1 from CE1-A using Loopback0 (10.155.0.1, the local LAN address) as the source, so that the echo follows the LAN-to-LAN path through the tunnel:
CE1-A#ping 10.160.0.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.160.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.155.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
CE1-A#



Summary:
In this lab the ISP connected its first customer. CE-PE routing was implemented by redistributing connected networks, so the customer did not need to share all of its IP networks with the ISP for LAN-to-LAN communication to occur, and with IPsec all customer traffic crossing the MPLS cloud is now encrypted.

From a troubleshooting point of view this introduces considerable complexity. To locate the problem when there is no connectivity between the customer's LAN networks, view the topology as a stack of technologies sitting on top of each other and review each component individually with the appropriate troubleshooting strategy. Starting from the bottom, the first layer is the physical infrastructure. Then comes the IP layer, where IS-IS provides reachability to the PE routers' loopback interfaces so that LDP can assign labels to them. MP-BGP then interconnects the PE routers in a full-mesh logical topology, and the VPNv4 address family must be enabled to share the clients' networks between provider edge nodes across the MPLS cloud. Additionally, the VRF with its route distinguisher and export and import route targets adds configuration where a mistake inevitably breaks the service, and that is only the provider side. Further, at the customer locations there are other technologies to take care of, including the IPsec tunnel and static routing.
