MPLS VPN with OSPF

Here is the lab from MPLS implementation book how to set up MPLS VPN using OSPF between CE and PE routers.

Download the GNS3 file to practice from here.
Download the completed GNS3 file from here.

In Peer 1, configure OSPF to connect to Atlanta (PE1)


router ospf 1
 network 192.168.1.1 0.0.0.0 area 1
 network 192.168.3.5 0.0.0.0 area 0
-------------------------------

In Peer 2,


Peer2(config)#router ospf 1
Peer2(config-router)# network 192.168.2.1 0.0.0.0 area 1
Peer2(config-router)# network 192.168.3.10 0.0.0.0 area 0
---------------------------------


Altanta (PE1)


Atlanta(config)#int s0/0
Atlanta(config-if)#mpls ip
Atlanta(config-if)#

-----------------------------

Core router,

Core(config)#int s0/1

Core(config-if)#mpls ip

Core(config-if)#int s0/0

Core(config-if)#mpls ip

------------------------------

Raleigh (PE2) router,

Raleigh(config)#int s1/3

Raleigh(config-if)#mpls ip

---------------------------------

Configure IGP (RIP - v2) in MPLS network as follow.

router rip

 version 2

 network 204.134.83.0

-------------

MPLS LDP neighbours are up as follows in Core router.

Core(config-router)#

*Mar  1 00:33:43.787: %LDP-5-NBRCHG: LDP Neighbor 204.134.83.1:0 (1) is UP

Core(config-router)#

*Mar  1 00:33:53.147: %LDP-5-NBRCHG: LDP Neighbor 204.134.83.3:0 (2) is UP

Core(config-router)#

-----------------------------

Checking MPLS neighbour in Atlanta as follow;

Atlanta#sh mpls ldp neighbor

    Peer LDP Ident: 204.134.83.2:0; Local LDP Ident 204.134.83.1:0

        TCP connection: 204.134.83.2.55476 - 204.134.83.1.646

        State: Oper; Msgs sent/rcvd: 10/9; Downstream

        Up time: 00:01:05

        LDP discovery sources:

          Serial0/0, Src IP addr: 204.134.83.6

        Addresses bound to peer LDP Ident:

          204.134.83.9    204.134.83.6    204.134.83.2

----------------------

In Core router,

Core#sh mpls ldp neighbor

    Peer LDP Ident: 204.134.83.1:0; Local LDP Ident 204.134.83.2:0

        TCP connection: 204.134.83.1.646 - 204.134.83.2.55476

        State: Oper; Msgs sent/rcvd: 10/11; Downstream

        Up time: 00:01:50

        LDP discovery sources:

          Serial0/1, Src IP addr: 204.134.83.5

        Addresses bound to peer LDP Ident:

          204.134.83.5    192.168.3.6     204.134.83.1

    Peer LDP Ident: 204.134.83.3:0; Local LDP Ident 204.134.83.2:0

        TCP connection: 204.134.83.3.23917 - 204.134.83.2.646

        State: Oper; Msgs sent/rcvd: 10/10; Downstream

        Up time: 00:01:41

        LDP discovery sources:

          Serial0/0, Src IP addr: 204.134.83.10

        Addresses bound to peer LDP Ident:

          192.168.3.9     204.134.83.10   204.134.83.3

--------------------------------------

MPLS forwarding table in Core router is as follow;

Core#sh mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop

tag    tag or VC   or Tunnel Id      switched   interface

16     Pop tag     204.134.83.1/32   0          Se0/1      point2point

17     Pop tag     204.134.83.3/32   0          Se0/0      point2point

---------------------------

Configure IBGP between two PE routers (Atlanta and Raleigh) as follows;

Atlanta(config)#router bgp 65000

Atlanta(config-router)# no synchronization

Atlanta(config-router)# bgp log-neighbor-changes

Atlanta(config-router)# neighbor 204.134.83.3 remote-as 65000

Atlanta(config-router)# neighbor 204.134.83.3 update-source Loopback0

Atlanta(config-router)# neighbor 204.134.83.3 next-hop-self

Atlanta(config-router)# no auto-summary

Atlanta(config-router)#

------------------------------------

Raleigh(config)#router bgp 65000

Raleigh(config-router)# no synchronization

Raleigh(config-router)# bgp log-neighbor-changes

Raleigh(config-router)# neighbor 204.134.83.1 remote-as 65000

Raleigh(config-router)# neighbor 204.134.83.1 update-source Loopback0

Raleigh(config-router)# neighbor 204.134.83.1 next-hop-self

Raleigh(config-router)# no auto-summary

------------------

IBGP is up message will see in console as follows;

Raleigh(config-router)#

*Mar  1 00:39:18.179: %BGP-5-ADJCHANGE: neighbor 204.134.83.1 Up

----------------------

Now, it's time to configure VRF routing.

Atlanta(config)#ip vrf peer_vpn

Atlanta(config-vrf)#rd 50:1

Atlanta(config-vrf)#route-target both 50:1

----------------

Raleigh(config)#ip vrf peer_vpn

Raleigh(config-vrf)#rd 50:1

Raleigh(config-vrf)#route-target both 50:1

---------------

Try to associate the interface connected to CE1 (Peer1) with vrf peer_vpn as follow; IP address defined in s0/1 will removed due to VRF and need to configure again.

Atlanta(config)#int s0/1

Atlanta(config-if)#ip vrf forwarding peer_vpn

% Interface Serial0/1 IP address 192.168.3.6 removed due to enabling VRF peer_vpn

Atlanta(config-if)#ip address 192.168.3.6 255.255.255.252

------------------

Raleigh(config)#int s0/1

Raleigh(config-if)#ip vrf forwarding peer_vpn

% Interface Serial0/1 IP address 192.168.3.9 removed due to enabling VRF peer_vpn

Raleigh(config-if)#ip address 192.168.3.9 255.255.255.252

---------------------------

Activate VPNV4 between PE1 and PE2 as follow inside BGP configuration.

Atlanta(config)#router bgp 65000

Atlanta(config-router)# address-family vpnv4

Atlanta(config-router-af)#neighbor 204.134.83.3 activate

*Mar  1 00:50:16.979: %BGP-5-ADJCHANGE: neighbor 204.134.83.3 Down Address family activated

Atlanta(config-router-af)#neighbor 204.134.83.3 send-community both

-----------------------------------------------

Raleigh(config)#router bgp 65000

Raleigh(config-router)# address-family vpnv4

Raleigh(config-router-af)#  neighbor 204.134.83.1 activate

Raleigh(config-router-af)#  neighbor 204.134.83.1 send-community both

Raleigh(config-router-af)#

*Mar  1 00:51:38.747: %BGP-5-ADJCHANGE: neighbor 204.134.83.1 Down Address family activated

Raleigh(config-router-af)#

*Mar  1 00:51:40.855: %BGP-5-ADJCHANGE: neighbor 204.134.83.1 Up

------------------------------------

Redistribution between MPLS IBGP (Core) and CE router's OSPF back to core as follows;

First, let's do restribution from BGP to CE's OSPF network.

----

Atlanta(config)#router ospf 1 vrf peer_vpn

Atlanta(config-router)#redistribute bgp 65000 subnets

Atlanta(config-router)#network 192.168.3.6 0.0.0.0 area 0

Atlanta(config-router)#

*Mar  1 00:57:26.567: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.10.1 on Serial0/1 from LOADING to FULL, Loading Done

----------------------------------

Raleigh(config)#router ospf 1 vrf peer_vpn

Raleigh(config-router)#redistribute bgp 65000 subnets

Raleigh(config-router)#network 192.168.3.9 0.0.0.0 area 0

Raleigh(config-router)#

*Mar  1 01:00:01.031: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.2.1 on Serial0/1 from LOADING to FULL, Loading Done

-------------------------------------

Finally, redistribute from OSPF to MPLS BGP as follows.

Atlanta(config)#router bgp 65000

Atlanta(config-router)#address-family ipv4 vrf peer_vpn

Atlanta(config-router-af)#redistribute ospf 1 vrf peer_vpn

Atlanta(config-router-af)#no sync

Atlanta(config-router-af)#no synchronization

-------------------------------

Raleigh(config)#router bgp 65000

Raleigh(config-router)#address-family ipv4 vrf peer_vpn

Raleigh(config-router-af)#redistribute ospf 1 vrf peer_vpn

Raleigh(config-router-af)#no synchronization

---------------------------------

Let's check in CE1 router (Peer1) whether it can reach to other end Peer2.

Peer1#sh ip route

     192.168.10.0/32 is subnetted, 1 subnets

C       192.168.10.1 is directly connected, Loopback1

C    192.168.1.0/24 is directly connected, Loopback0

     192.168.2.0/32 is subnetted, 1 subnets

O IA    192.168.2.1 [110/129] via 192.168.3.6, 00:00:27, Serial0/0

     192.168.3.0/30 is subnetted, 2 subnets

O IA    192.168.3.8 [110/65] via 192.168.3.6, 00:00:27, Serial0/0

C       192.168.3.4 is directly connected, Serial0/0

----------------------------

Ping to 192.168.2.1 from Peer1 can reach to MPLS network as follow;

Peer1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/64 ms

Peer1#

--------------------------

Checking vrf routeing table in Atlanta (PE1) as follow;

Atlanta#sh ip route vrf peer_vpn

     192.168.1.0/32 is subnetted, 1 subnets

O IA    192.168.1.1 [110/65] via 192.168.3.5, 00:11:37, Serial0/1

     192.168.2.0/32 is subnetted, 1 subnets

B       192.168.2.1 [200/65] via 204.134.83.3, 00:03:30

     192.168.3.0/30 is subnetted, 2 subnets

B       192.168.3.8 [200/0] via 204.134.83.3, 00:03:30

C       192.168.3.4 is directly connected, Serial0/1

--------------------------------------

But, in core router, it's only appearing IGP route as follow.

Core#sh ip route

     204.134.83.0/24 is variably subnetted, 5 subnets, 2 masks

C       204.134.83.8/30 is directly connected, Serial0/0

R       204.134.83.1/32 [120/1] via 204.134.83.5, 00:00:04, Serial0/1

R       204.134.83.3/32 [120/1] via 204.134.83.10, 00:00:03, Serial0/0

C       204.134.83.2/32 is directly connected, Loopback0

C       204.134.83.4/30 is directly connected, Serial0/1

-----------------------------------------

What about in PE2 router (Raleigh),

Raleigh#sh ip route vrf peer_vpn

     192.168.1.0/32 is subnetted, 1 subnets

B       192.168.1.1 [200/65] via 204.134.83.1, 00:08:29

     192.168.2.0/32 is subnetted, 1 subnets

O IA    192.168.2.1 [110/65] via 192.168.3.10, 00:12:21, Serial0/1

     192.168.3.0/30 is subnetted, 2 subnets

C       192.168.3.8 is directly connected, Serial0/1

B       192.168.3.4 [200/0] via 204.134.83.1, 00:08:29

--------------------------------------------------------------------------------

Let's traceroute from CE1 to CE2;

Peer1#traceroute 192.168.2.1

Type escape sequence to abort.

Tracing the route to 192.168.2.1

  1 192.168.3.6 4 msec 16 msec 4 msec

  2 204.134.83.6 [MPLS: Labels 17/19 Exp 0] 4 msec 36 msec 4 msec

  3 192.168.3.9 [MPLS: Label 19 Exp 0] 24 msec 32 msec 4 msec

  4 192.168.3.10 20 msec *  48 msec

--------------------------------------------------

Check the ldp in Core network.

Core#sh mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop

tag    tag or VC   or Tunnel Id      switched   interface

16     Pop tag     204.134.83.1/32   7587       Se0/1      point2point

17     Pop tag     204.134.83.3/32   5020       Se0/0      point2point

-------------------------------------------------

Raleigh#sh mpls forwarding-table

Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop

tag    tag or VC   or Tunnel Id      switched   interface

16     16          204.134.83.1/32   0          Se1/3      point2point

17     Pop tag     204.134.83.2/32   0          Se1/3      point2point

18     Pop tag     204.134.83.4/30   0          Se1/3      point2point

19     Untagged    192.168.2.1/32[V] 1144       Se0/1      point2point

20     Aggregate   192.168.3.8/30[V] 0

------------------------------------------------------

Here is the brief, Core route don't know both 192.168.1.x and 2.x network. It only use label and tag in MPLS network.

From Peer2 to Peer1, check as follow.

Peer2#traceroute 192.168.1.1

  1 192.168.3.9 4 msec 28 msec 4 msec

  2 204.134.83.9 [MPLS: Labels 16/19 Exp 0] 24 msec 24 msec 24 msec

  3 192.168.3.6 [MPLS: Label 19 Exp 0] 28 msec 20 msec 4 msec

  4 192.168.3.5 24 msec *  40 msec

Linux iptables routing (SNAT, MASQUERADE, DNAT) using with three CentOS Sun Virtual Guests

I am playing ip routing in Linux using CentOS OS with Sun VirtualBox after learning routing with Cisco router.
If you are interested in Linux routing using iptables with VirtualBox, please keep reading.

Check below diagram before start.

First download Sun VirtualBOX CentOS 5.7 base image from http://sourceforge.net/projects/virtualboximage/files/CentOS/5.7/CentOS-5.7-i386.7z/download
Username is root and password is reverse.

Extract 7zip file into folder. Double click the "CentOS 5.7" virtualbox definition file which will load the image file in Sun VirtualBox OS.

Before loading the OS, change network adapter type from "NAT" to "Internal" to separate from Host to Guest OSs.

Here are the configuration of three network cards from CentOS1
Configure eth0 as Internal Network and it will connect to CentOS2's eth0.


cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
HWADDR=08:00:27:AE:36:99
ONBOOT=yes
HOSTNAME=centos57
IPADDR=192.168.10.1
NETMASK=255.255.255.0
---------------
Configure eth1 as "NAT" as this will be connect to Host OS and then to Internet.

 cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=dhcp
HWADDR=08:00:27:42:79:DF
ONBOOT=yes
HOSTNAME=centos57
--------------------
Configure eth2 as "Host Only" as this will be connected to Host OS for testing DNAT.

cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
BOOTPROTO=dhcp
HWADDR=08:00:27:73:EE:17
ONBOOT=yes
HOSTNAME=centos57


---------------------------------------------
Routing table of CentOS1 will be as below.


# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.0    192.168.10.2    255.255.255.0   UG    0      0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         10.0.3.2        0.0.0.0         UG    0      0        0 eth1
--------------
The default route is 10.0.3.2 which is the NAT (network adaptor)'s default gateway. The IP address of eth1 (to Internet) is getting IP from VirtualBox's DHCP server and it's 10.0.3.15 as below.


eth0      Link encap:Ethernet  HWaddr 08:00:27:AE:36:99
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:519 errors:0 dropped:0 overruns:0 frame:0
          TX packets:394 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61152 (59.7 KiB)  TX bytes:58765 (57.3 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:42:79:DF
          inet addr:10.0.3.15  Bcast:10.0.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:198 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46726 (45.6 KiB)  TX bytes:15718 (15.3 KiB)

eth2      Link encap:Ethernet  HWaddr 08:00:27:73:EE:17
          inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:405 errors:0 dropped:0 overruns:0 frame:0
          TX packets:291 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:41142 (40.1 KiB)  TX bytes:42926 (41.9 KiB)
------------------------------
Create iptables file in /etc/sysconfig directory as follow for NATing


*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
-A POSTROUTING -s 192.168.20.0/24 -j SNAT -o eth1 --to-source 10.0.3.15
-A POSTROUTING -s 192.168.10.0/24 -j SNAT -o eth1 --to-source 10.0.3.15
COMMIT
---------------------------
Two tables; filter and nat have created as above. Filtering table allow all from inbound, outbound and forwarding.
For NAT table, add two POSTROUTING to do NATing 192.168.10.x and 192.168.20.x using destination address of eth1 (10.0.3.15)
-----------------------------
Load next CentOS2 in VirtualBox with the following configuration.


 cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82540EM Gigabit Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
HWADDR=08:00:27:64:2F:C0
ONBOOT=yes
HOSTNAME=centos57-min2
IPADDR=192.168.20.1
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
--------------------
cat /etc/sysconfig/network-scripts/ifcfg-eth1
# Intel Corporation 82540EM Gigabit Ethernet Controller
DEVICE=eth1
BOOTPROTO=static
HWADDR=08:00:27:37:B1:CF
ONBOOT=yes
HOSTNAME=centos57-min2
IPADDR=192.168.10.2
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
-----------------------
Enable IP forwarding as below. IP forwarding need to able to route packet from CentOS3 to CentOS1 to Internet through CentOS2.


Edit  /etc/sysctl.conf and change net.ipv4.ip_forward=0 to 1.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
--------------
Routing table of CentOS2 will be looks like below.


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth1
------------------------------
Create another CentOS3 as follow.


eth0      Link encap:Ethernet  HWaddr 08:00:27:88:81:74
          inet addr:192.168.20.2  Bcast:192.168.20.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1655 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2028 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:194793 (190.2 KiB)  TX bytes:217249 (212.1 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:59:A8:F0
          inet addr:192.168.30.1  Bcast:192.168.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1140 (1.1 KiB)  TX bytes:210 (210.0 b)
---------------

 cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82540EM Gigabit Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
HWADDR=08:00:27:88:81:74
ONBOOT=yes
HOSTNAME=centos57-min2
IPADDR=192.168.20.2
NETMASK=255.255.255.0
GATEWAY=192.168.20.1
-----------------------------

cat /etc/sysconfig/network-scripts/ifcfg-eth1
# Intel Corporation 82540EM Gigabit Ethernet Controller
DEVICE=eth1
BOOTPROTO=static
HWADDR=08:00:27:59:A8:F0
ONBOOT=yes
HOSTNAME=centos57-min2
IPADDR=192.168.30.1
NETMASK=255.255.255.0
--------------------------
Routing table will be looks like below.


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.30.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         192.168.20.1    0.0.0.0         UG    0      0        0 eth0


--------------
Ping to 192.168.10.2 and 192.168.10.1. Ping to 192.168.10.2 will get replies but will failed in 192.168.10.1 as CentOS1 doesn't know about 192.168.20.x network yet.

This can be done by adding the permanent routing in CentOS1 as follow.

To reach to 192.168.20.x network from CentOS1, create a file called route-eth0 and add the below line.

192.168.20.0/24 via 192.168.10.2

Save and restart the "network" service.
Try to ping from CentOS3 to 192.168.10.1. Ping will success and able to reach Internet as well.

Tracerouteing to Internet will get through as below.


traceroute www.google.com
traceroute to www.google.com (74.125.235.48), 30 hops max, 40 byte packets
 1  192.168.20.1 (192.168.20.1)  1.429 ms  1.218 ms  0.922 ms
 2  192.168.10.1 (192.168.10.1)  2.296 ms  2.220 ms  2.163 ms



-------------------
In CentOS1, try to replace the following two NAT rules (comment out) with the new one as below.


-A POSTROUTING -s 192.168.20.0/24 -j SNAT -o eth1 --to-source 10.0.3.15
-A POSTROUTING -s 192.168.10.0/24 -j SNAT -o eth1 --to-source 10.0.3.15

Replace with;

-A POSTROUTING -o eth1 -j MASQUERADE

Save and restart iptables "service iptables restart". Check whether CentOS3 still able to ping Internet or not. MASQUERADE will allow all internal private IP address by NATing and get through Internet. But, it's not recommend to use if there are two or more Internet facing interfaces as it will use only first one. For more info, please read in http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch03_:_Linux_Networking
---------------------
To test DNAT, we have added third network interface in CentOS1 called eth2 (192.168.56.x).
The point is if your PC (host) browse to the IP address (192.168.56.101) which is the IP address of eth2, it will redirect to the IP address of CentOS3 which will be loading as web server.

To do this, install http server in CentOS3 as follow.
yum install httpd

After all completed, change the configuration as follow.

nano -w /etc/httpd/conf/httpd.conf
Change the value Listen localhost:80 to
Listen 192.168.20.2:80
Restart the httpd service.

Add the following rule under NAT table of CentOS1's iptable.

-A PREROUTING -d 192.168.56.101 -j DNAT -i eth2 --to-destination 192.168.20.2
Restart the iptables in CentOS1.

Try to browse http://192.168.56.101 from your PC's browser and you will see the website loaded in CentOS3.