- Configuring MPLS Layer 3 VPNs
- Information About MPLS Layer 3 VPNs
- MPLS Layer 3 VPN Definition
- How an MPLS Layer 3 VPN Works
- Components of MPLS Layer 3 VPNs
- Hub-and-Spoke Topology
- OSPF Sham-Link Support for MPLS VPN
- Prerequisites for MPLS Layer 3 VPNs
- Guidelines and Limitations for MPLS Layer 3 VPNs
- Default Settings for MPLS Layer 3 VPNs
- Configuring MPLS Layer 3 VPNs
- About OSPF Domain IDs and Tags
- Configuring OSPF at the PE and CE Boundary
- Configuring the OSPF Domain Tag
- Configuring the OSPF Domain ID
- Configuring the Secondary Domain ID
- Configuring the Core Network
- Assessing the Needs of MPLS Layer 3 VPN Customers
- Configuring MPLS in the Core
- Configuring Multiprotocol BGP on the PE Routers and Route Reflectors
- Connecting the MPLS VPN Customers
- Defining VRFs on the PE Routers to Enable Customer Connectivity
- Configuring VRF Interfaces on PE Routers for Each VPN Customer
- Configuring Routing Protocols Between the PE and CE Routers
- Configuring Static or Directly Connected Routes Between the PE and CE Routers
- Configuring BGP as the Routing Protocol Between the PE and CE Routers
- Configuring RIPv2 Between the PE and CE Routers
- Configuring OSPF Between the PE and CE Routers
- Configuring EIGRP Between the PE and CE Routers
- Configuring PE-CE Redistribution in BGP for the MPLS VPN
- Configuring a Hub-and-Spoke Topology
- Configuring VRFs on the Hub PE Router
- Configuring eBGP on the Hub PE Router
- Configuring eBGP on the Hub CE Router
- Configuring VRFs on the Spoke PE Router
- Configuring eBGP on the Spoke PE Router
- Configuring MPLS using Hardware Profile Command
This chapter describes how to configure Multiprotocol Label Switching (MPLS) Layer 3 Virtual Private Networks (VPNs) on Cisco Nexus 9508 switches.
Information About MPLS Layer 3 VPNs
An MPLS Layer 3 VPN consists of a set of sites that are interconnected by an MPLS provider core network. At each customer site, one or more customer edge (CE) routers or Layer 2 switches attach to one or more provider edge (PE) routers. This section includes the following topics:
-
MPLS Layer 3 VPN Definition
-
How an MPLS Layer 3 VPN Works
-
Components of MPLS Layer 3 VPNs
-
Hub-and-Spoke Topology
-
OSPF Sham-Link Support for MPLS VPN
MPLS Layer 3 VPN Definition
MPLS-based Layer 3 VPNs are based on a peer model that enables the provider and the customer to exchange Layer 3 routing information. The provider relays the data between the customer sites without direct customer involvement.
When you add a new site to an MPLS Layer 3 VPN, you must update the provider edge router that provides services to the customer site.
MPLS Layer 3 VPNs include the following components:
-
Provider (P) router—A router in the core of the provider network. P routers run MPLS switching and do not attach VPN labels (an MPLS label in each route assigned by the PE router) to routed packets.
-
Provider edge (PE) router—A router that attaches the VPN label to incoming packets that are based on the interface or subinterface on which they are received. A PE router attaches directly to a CE router.
-
Customer edge (CE) router—An edge router on the network of the provider that connects to the PE router on the network. A CE router must interface with a PE router.
![Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (1)](https://i0.wp.com/www.cisco.com/c/dam/en/us/td/i/100001-200000/100001-110000/103001-104000/103875.jpg "Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (1)")
How an MPLS Layer 3 VPN Works
MPLS Layer 3 VPN functionality is enabled at the edge of an MPLS network. The PE router performs the following tasks:
-
Exchanges routing updates with the CE router
-
Translates the CE routing information into VPN routes
-
Exchanges Layer 3 VPN routes with other PE routers through the Multiprotocol Border Gateway Protocol (MP-BGP)
Components of MPLS Layer 3 VPNs
An MPLS-based Layer 3 VPN network has three components:
-
VPN route target communities—A VPN route target community is a list of all members of a Layer 3 VPN community. You must configure the VPN route targets for each Layer 3 VPN community member.
-
Multiprotocol BGP peering of VPN community PE routers—Multiprotocol BGP propagates VRF reachability information to all members of a VPN community. You must configure Multiprotocol BGP peering in all PE routers within a VPN community.
-
MPLS forwarding—MPLS transports all traffic between all VPN community members across a VPN enterprise or service provider network.
A one-to-one relationship does not necessarily exist between customer sites and VPNs. A site can be a member of multiple VPNs. However, a site can associate with only one VRF. A customer-site VRF contains all the routes that are available to the site from the VPNs of which it is a member.
Hub-and-Spoke Topology
A hub-and-spoke topology prevents local connectivity between subscribers at the spoke provider edge (PE) routers and ensures that a hub site provides subscriber connectivity. Any sites that connect to the same PE router must forward intersite traffic using the hub site. This topology ensures that the routing at the spoke sites moves from the access-side interface to the network-side interface or from the network-side interface to the access-side interface but never from the access-side interface to the access-side interface. A hub-and-spoke topology allows you to maintain access restrictions between sites.
A hub-and-spoke topology prevents situations where the PE router locally switches the spokes without passing the traffic through the hub site. This topology prevents subscribers from directly connecting to each other. A hub-and-spoke topology does not require one VRF for each spoke.
![Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (2)](https://i0.wp.com/www.cisco.com/c/dam/en/us/td/i/200001-300000/230001-240000/236001-237000/236342.eps/_jcr_content/renditions/236342.jpg "Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (2)")
As shown in the figure, a hub-and-spoke topology is typically set up with a hub PE that is configured with two VRFs:
-
VRF 2hub with a dedicated link connected to the hub customer edge (CE)
-
VRF 2spokes with another dedicated link connected to the hub CE.
Interior Gateway Protocol (IGP) or external BGP (eBGP) sessions are usually set up through the hub PE-CE links. The VRF 2hub imports all the exported route targets from all the spoke PEs. The hub CE learns all routes from the spoke sites and readvertises them back to the VRF 2spoke of the hub PE. The VRF 2spoke exports all these routes to the spoke PEs.
If you use eBGP between the hub PE and hub CE, you must allow duplicate autonomous system (AS) numbers in the path which is normally prohibited. You can configure the router to allow this duplicate AS number at the neighbor of VRF 2spokes of the hub PE and also for VPN address family neighbors at all the spoke PEs. In addition, you must disable the peer AS number check at the hub CE when distributing routes to the neighbor at VRF 2spokes of the hub PE.
OSPF Sham-Link Support for MPLS VPN
In a Multiprotocol Label Switching (MPLS) VPN configuration, you can use the Open Shortest Path First (OSPF) protocol to connect customer edge (CE) devices to service provider edge (PE) devices in the VPN backbone. Many customers run OSPF as their intrasite routing protocol, subscribe to a VPN service, and want to exchange routing information between their sites using OSPF (during migration or on a permanent basis) over an MPLS VPN backbone.
The benefits of the OSPF sham-link support for MPLS VPN are as follows:
-
Client site connection across the MPLS VPN Backbone—A sham link ensures that OSPF client sites that share a backdoor link can communicate over the MPLS VPN backbone and participate in VPN services.
-
Flexible routing in an MPLS VPN configuration—In an MPLS VPN configuration, the OSPF cost that is configured with a sham link allows you to decide if OSPF client site traffic is routed over a backdoor link or through the VPN backbone.
The figure below shows an example of how VPN client sites that run OSPF can connect over an MPLS VPN backbone.
![Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (3)](https://i0.wp.com/www.cisco.com/c/dam/en/us/td/i/000001-100000/70001-75000/70001-71000/70390.ps/_jcr_content/renditions/70390.jpg "Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (3)")
When you use OSPF to connect PE and CE devices, all routing information learned from a VPN site is placed in the VPN routing and forwarding (VRF) instance that is associated with the incoming interface. The PE devices that attach to the VPN use the Border Gateway Protocol (BGP) to distribute VPN routes to each other. A CE device can learn the routes to other sites in the VPN by peering with its attached PE device. The MPLS VPN super backbone provides an additional level of routing hierarchy to interconnect the VPN sites that are running OSPF.
When OSPF routes are propagated over the MPLS VPN backbone, additional information about the prefix in the form of BGP extended communities (route type, domain ID extended communities) is appended to the BGP update. This community information is used by the receiving PE device to decide the type of link-state advertisem*nt (LSA) to be generated when the BGP route is redistributed to the OSPF PE-CE process. In this way, internal OSPF routes that belong to the same VPN and are advertised over the VPN backbone are seen as interarea routes on the remote sites.
Prerequisites for MPLS Layer 3 VPNs
MPLS Layer 3 VPNs has the following prerequisites:
-
Ensure that you have configured MPLS and Label Distribution Protocol (LDP) in your network. All routers in the core, including the PE routers, must be able to support MPLS forwarding.
-
Ensure that you have installed the correct license for MPLS and any other features you will be using with MPLS.
Guidelines and Limitations for MPLS Layer 3 VPNs
MPLS Layer 3 VPNs have the following configuration guidelines and limitations:
-
You can configure MPLS Layer 3 VPN (LDP) on Cisco Nexus 3600-R and Cisco Nexus 9504 and 9508 platform switches with the N9K-X9636C-RX, N9K-X9636C-R, N9K-X96136YC-R, and N9K-X9636Q-R line cards.
-
Ensure that MPLS IP forwarding is not enabled on the interface which terminates tunnel endpoint, as it is not supported.
-
You must enable MPLS IP forwarding on interfaces where the forwarding decisions are made based on the labels of incoming packets. If a VPN label is allocated by per prefix mode, MPLS IP forwarding must be enabled on the link between PE and CE.
-
Because of the hardware limitation on the trap resolution on Cisco Nexus 9508 platform switches with the N9K-X9636C-R and N9K-X9636Q-R line cards, uRPF may not be applied on supervisor bound packets via in-band.
-
On Cisco Nexus 9500 platform switches with the -R series line cards, RACL is applied only to routed traffic so that the bridge traffic does not hit RACL. This applies to all Multicast OSPF control traffic.
-
On Cisco Nexus 9500 platform switches with the -R series line cards, Control Packets with Explicit-NULL label is not prioritized when sending to SUP. This may result in control protocols flapping when explicit-NULL is configured.
-
Per-label statistics at a scale of 500K is not supported on Cisco Nexus 9500 platform switches with the -R series line cards because of the hardware limitation.
-
ARP scaling on Cisco Nexus 9500 platform switches with the -R series line cards is limited to 64K if all the 64K MACs are different. This limitation also applies if there are several Equal Cost Multiple Paths (ECMP) configured on the interface.
-
Packets with MPLS Explicit-NULL may not be parsed correctly with default line card profile.
-
MPLS Layer 3 VPNs support the following CE-PE routing protocols:
-
BGP (IPv4 and IPv6)
-
Enhanced Interior Gateway Protocol (EIGRP) (IPv4)
-
Open Shortest Path First (OSPFv2)
-
Routing Information Protocol (RIPv2)
-
-
Set statements in an import route map are ignored.
-
The BGP minimum route advertisem*nt interval (MRAI) value for all iBGP and eBGP sessions is zero and is not configurable.
-
In a high scale setup with many BGP routes getting redistributed into EIGRP, modify the EIGRP signal timer to ensure that the EIGRP convergence time is higher than the BGP convergence time. This process allows all the BGP routes to be redistributed into EIGRP, before EIGRP signals convergence.
-
MPLS Layer 3 VPNs are supported on M3 Series modules.
-
When OSPF is used as a protocol between PE and CE devices, the OSPF metric is preserved when routes are advertised over the VPN backbone. The metric is used on the remote PE devices to select the correct route. Do not modify the metric value when OSPF is redistributed to BGP and when BGP is redistributed to OSPF. If you modify the metric value, routing loops might occur.
-
MPLS Traffic Engineering (RSVP) is not supported on Cisco Nexus 9508 platform switches with the N9K-X9636C-R and N9K-X9636Q-R line cards, .
-
Beginning Cisco NX-OS Release 9.3(1), the behavior of the BGP pre-best path point of insertion (POI) is changed. In this release, the NX-OS RPM, BGP, and HMM software use a single cost community ID (either 128 for internal routes or 129 for external routes) to identify a BGP VPNv4 route as an EIGRP originated route. Only the routes that have the pre-best path value set to cost community ID 128 or 129 are installed in the URIB along with the cost extcommunity. Any non-EIGRP originated route carrying the above described cost community ID would be installed in URIB along with pre-best path cost community. As a result, URIB would use this cost to identify the better route between the route learnt via the iBGP and backdoor-EIGRP instead of the admin distance.
Only the routes that have the pre-best path value set to cost community ID 128 or 129 are installed in the URIB along with the cost extcommunity.
Default Settings for MPLS Layer 3 VPNs
| Parameters | Default |
|---|---|
| L3VPN feature | Disabled |
| L3VPN SNMP notifications | Disabled |
| allowas-in (for a hub-and-spoke topology) | |
| disable-peer-as-check (for a hub-and-spoke topology) | Disabled |
Configuring MPLS Layer 3 VPNs
About OSPF Domain IDs and Tags
You can set the domain_ID for an OSPF router instance within a VRF. In OSPF, Cisco NX-OS uses the domain_ID and domain tag to control aspects of BGP route redistribution at the provider edge (PE) or customer edge (CE).
-
You can configure a primary and secondary domain_ID for the redistributed OSPF routes.
-
OSPF also uses a domain tag to identify the OSPF process ID.
The Cisco NX-OS implementation of domain IDs and domain tags complies with RFC 4577.
![Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (4)](https://i0.wp.com/www.cisco.com/content/dam/en/us/td/i/templates/note.gif "Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (4)") Note | |
Configuring OSPF at the PE and CE Boundary
By using, domain IDs and domain tags, you can configure NX-OS to redistribute OSPF routes into BGP networks, and receive BGP redistributed routes into OSPF at the PE and CE boundary. See the following topics:
-
About OSPF Domain IDs and Tags
-
Configuring the OSPF Domain ID
-
Configuring the Secondary Domain ID
-
Configuring the OSPF Domain Tag
Configuring the OSPF Domain Tag
The domain tag specifies the OSPF process instance number that NX-OS redistributes into BGP at the PE or CE.
Before you begin
Make sure that MPLS and OSPFv2 are enabled.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters the configuration terminal. |
| Step2 | router ospf process-tag Example: | Enters router configuration mode to configure the OSPF router instance. The process tag is an alphanumeric string from 1 through 20 characters that identifies the router. |
| Step3 | vrf vrf-name Example: | Enter the specific VRF instance for OSPF. The VRF name is an alphanumeric string from 1 through 32 characters that identifies the VRF. |
| Step4 | ospf domain-tag as-number Example: | Sets the domain tag. The domain tag is an alphanumeric string from 0 through 2147483647 that identifies the AS number. |
Configuring the OSPF Domain ID
You can set the domain_ID for an OSPF router instance within a VRF to control BGP route redistribution into OSPF at the CE or PE.
To remove this feature, use the no domain-id command.
Before you begin
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters the configuration terminal. |
| Step2 | router ospf process-tag Example: | Enters router configuration mode to configure the OSPF router instance. The process tag is an alphanumeric string from 1 through 20 characters that identifies the router. |
| Step3 | vrf vrf-name Example: | Enter the specific VRF instance for OSPF. The VRF name is an alphanumeric string from 1 through 32 characters that identifies the VRF. |
| Step4 | domain-id { id | type domain-type value value | Null } Example: | Sets the domain_ID and additional parameters:
You can use the Null argument to clear the domain_ID. |
Configuring the Secondary Domain ID
You can set a secondary domain_ID for an OSPF router instance within a VRF to control BGP route redistribution into OSPF at the CE or PE.
Use the domain-id Null command to unconfigure the domain_ID.
Before you begin
Make sure that OSPFv2 and MPLS features are enabled.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters the configuration terminal. |
| Step2 | router ospf process-tag Example: | Enters router configuration mode to configure the OSPF router instance. The process tag is an alphanumeric string from 1 through 20 characters that identifies the router. |
| Step3 | vrf vrf-name Example: | Enters the specific VRF instance for OSPF. The VRF name is an alphanumeric string from 1 through 32 characters that identifies the VRF. |
| Step4 | domain-id { id | type domain-type value value | Null } Example: | Sets the domain_ID for the autonomous system. |
Configuring the Core Network
Assessing the Needs of MPLS Layer 3 VPN Customers
You can identify the core network topology so that it can best serve MPLS Layer 3 VPN customers.
-
Identify the size of the network:
-
Identify the following to determine the number of routers and ports you need:
-
How many customers do you need to support?
-
How many VPNs are needed per customer?
-
How many virtual routing and forwarding instances are there for each VPN?
-
-
Determine which routing protocols you need in the core network.
-
Determine if you need MPLS VPN high availability support.
![Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (5)](data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw== "Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (5)")
Note
MPLS VPN nonstop forwarding and graceful restart are supported on select routers and Cisco NX-OS releases. You need to make sure that graceful restart for BGP and LDP is enabled.
-
Configure the routing protocols in the core network.
-
Determine if you need BGP load sharing and redundant paths in the MPLS Layer 3 VPN core.
Configuring MPLS in the Core
To enable MPLS on all routers in the core, you must configure a label distribution protocol. You can use either of the following as a label distribution protocol:
-
MPLS Label Distribution Protocol (LDP).
-
MPLS Traffic Engineering Resource Reservation Protocol (RSVP).
Configuring Multiprotocol BGP on the PE Routers and Route Reflectors
You can configure multiprotocol BGP connectivity on the PE routers and route reflectors.
Before you begin
-
Ensure that graceful restart is enabled on all routers for BGP and LDP.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature bgp Example: | |
| Step3 | install feature-set mpls Example: | Installs the MPLS feature-set. |
| Step4 | feature-set mpls Example: | Enables the MPLS feature-set. |
| Step5 | feature mpls l3vpn Example: | |
| Step6 | router bgp as - number Example: | |
| Step7 | router-id ip-address Example: | |
| Step8 | neighbor ip-address remote-as as-number Example: | |
| Step9 | address-family { vpnv4 | vpnv6 } unicast Example: | |
| Step10 | send-community extended Example: | |
| Step11 | show bgp { vpnv4 | vpnv6 } unicast neighbors Example: | |
| Step12 | copy running-config startup-config Example: | |
Connecting the MPLS VPN Customers
Defining VRFs on the PE Routers to Enable Customer Connectivity
You must create VRFs on the PE routers to enable customer connectivity. You configure route targets to control which IP prefixes are imported into the customer VPN site and which IP prefixes are exported to the BGP network. You can optionally use an import or export route map to provide more fine-grained control over the IP prefixes that are imported into the customer VPN site or exported out of the VPN site. You can use a route map to filter routes that are eligible for import or export in a VRF, based on the route target extended community attributes of the route. The route map might, for example, deny access to selected routes from a community that is on the import route target list.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | install feature-set mpls Example: | Installs the MPLS feature-set. |
| Step3 | feature-set mpls Example: | Enables the MPLS feature-set. |
| Step4 | feature-set mpls l3vpn Example: | Enables the MPLS Layer 3 VPN feature. |
| Step5 | vrf context vrf-name Example: | Defines the VPN routing instance by assigning a VRF name and enters VRF configuration mode. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step6 | rd route-distinguisher Example: | Configures the route distinguisher. The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix. You can enter an RD in either of these formats:
|
| Step7 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IPv4 address family type and enters address family configuration mode. |
| Step8 | route-target { import | export } route-target-ext-community } Example: | Specifies a route-target extended community for a VRF as follows:
|
| Step9 | maximum routes max-routes [ threshold value ] [ reinstall ] Example: | (Optional) Configures the maximum number of routes that can be stored in the VRF route table. The max-routes range is from 1 to 4294967295. The threshold value range is from 1 to 100. |
| Step10 | import [ vrf default max-prefix ] map route-map Example: | (Optional) Configures an import policy for a VRF to import prefixes from the default VRF as follows:
|
| Step11 | show vrf vrf-name Example: | (Optional) Displays information about a VRF. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step12 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring VRF Interfaces on PE Routers for Each VPN Customer
You can associate a virtual routing and forwarding instance (VRF) with an interface or subinterface on the PE routers.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | interface type number Example: | Specifies the interface to configure and enters interface configuration mode as follows:
|
| Step3 | vrf member vrf-name Example: | Associates a VRF with the specified interface or subinterface. The vrf-name argument is the name assigned to a VRF. |
| Step4 | show vrf vrf-name interface Example: | (Optional) Displays information about interfaces associated with a VRF. The vrf-name argument is any case-sensitive alphanumeric string up to 32 characters. |
| Step5 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring Routing Protocols Between the PE and CE Routers
Configuring Static or Directly Connected Routes Between the PE and CE Routers
You can configure the PE router for PE-to-CE routing sessions that use static routes.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | vrf context vrf-name Example: | Defines the VPN routing instance by assigning a VRF name and enters VRF configuration mode. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step3 | { ip ipv6 } route prefix nexthop Example: | Defines static route parameters for every PE-to-CE session. The prefix and nexthop are as follows:
|
| Step4 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IPv4 address family type and enters address family configuration mode. |
| Step5 | feature bgp as - number Example: | Enables the BGP feature. |
| Step6 | router bgp as - number Example: | Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. |
| Step7 | vrf vrf-name Example: | Associates the BGP process with a VRF. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step8 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IPv4 address family type and enters address family configuration mode. |
| Step9 | redistribute static route-map map-name Example: | Redistributes static routes into BGP. The map-name can be any case-sensitive, alphanumeric string up to 63 characters. |
| Step10 | redistribute direct route-map map-name Example: | Redistributes directly connected routes into BGP. The map-name can be any case-sensitive, alphanumeric string up to 63 characters. |
| Step11 | show { ipv4 | ipv6 } route vrf vrf-name Example: | (Optional) Displays information about routes. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step12 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring BGP as the Routing Protocol Between the PE and CE Routers
You can use eBGP to configure the PE router for PE-to-CE routing sessions.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature bgp Example: | Enables the BGP feature. |
| Step3 | router bgp as - number Example: | Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. |
| Step4 | vrf vrf-name Example: | Associates the BGP process with a VRF. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step5 | neighbor ip-addressremote-as as-number Example: | Adds an entry to the iBGP neighbor table. The ip-address argument specifies the IP address of the neighbor in dotted decimal notation. The as-number argument specifies the autonomous system to which the neighbor belongs. |
| Step6 | address-family { ipv4 | ipv6 } unicast Example: | Enters address family configuration mode for configuring routing sessions, such as BGP, that use standard IPv4 or IPv6 address prefixes. |
| Step7 | show bgp { vpnv4 | vpnv6 } unicast neighbors vrf vrf-name Example: | (Optional) Displays information about BGP neighbors. The vrf-name argument is any case-sensitive alphanumeric string up to 32 characters. |
| Step8 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring RIPv2 Between the PE and CE Routers
You can use RIP to configure the PE router for PE-to-CE routing sessions.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature rip Example: | |
| Step3 | router rip instance-tag Example: | Enables RIP and enters router configuration mode. The instance-tag can be any case-sensitive, alphanumeric string up to 20 characters. |
| Step4 | vrf vrf-name Example: | The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step5 | address-family ipv4 unicast Example: | |
| Step6 | redistribute { bgp as | direct | { egrip | ospf | rip } instance-tag | static } route-map map-name vrf-name Example: | The as number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. The instance-tag can be any case-sensitive alphanumeric string up to 20 characters. |
| Step7 | show ip rip vrf vrf-name Example: | The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step8 | copy running-config startup-config Example: | |
Configuring OSPF Between the PE and CE Routers
You can use OSPFv2 to configure the PE router for PE-to-CE routing sessions. You can optionally create an OSPF sham link if you have OSPF back door links that are not part of the MPLS network.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature ospf Example: | Enables the OSPF feature. |
| Step3 | router ospf instance-tag Example: | Enables OSPF and enters router configuration mode. The instance-tag can be any case-sensitive, alphanumeric string up to 20 characters. |
| Step4 | vrf vrf-name Example: | Enters router VRF configuration mode. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step5 | area area-id sham-link source-address destination-address Example: | (Optional) Configures the sham link on the PE interface within a specified OSPF area and with the loopback interfaces specified by the IP addresses as endpoints. You must configure the sham link at both PE endpoints. |
| Step6 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the address family type and enters address family configuration mode. |
| Step7 | redistribute { bgp as | direct | { egrip | ospf | rip } instance-tag | static } route-map map-name Example: | Redistributes BGP into the EIGRP. The autonomous system number of the BGP network is configured in this step. BGP must be redistributed into EIGRP for the CE site to accept the BGP routes that carry the EIGRP information. A metric must also be specified for the BGP network. The map-name can be any case-sensitive, alphanumeric string up to 63 characters. |
| Step8 | autonomous-system as-number Example: | (Optional) Specifies the autonomous system number for this address family for the customer site. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. |
| Step9 | show ip egrip vrf vrf-name Example: | (Optional) Displays information about EIGRP in this VRF. The vrf-name can be any case-sensitive, alphanumeric string up to 32 characters |
| Step10 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring EIGRP Between the PE and CE Routers
You can configure the PE router to use Enhanced Interior Gateway Routing Protocol (EIGRP) between the PE and CE routers to transparently connect EIGRP customer networks through an MPLS-enabled BGP core network so that EIGRP routes are redistributed through the VPN across the BGP network as internal BGP (iBGP) routes.
Before you begin
You must configure BGP in the network core.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature eigrp Example: | |
| Step3 | router eigrp instance-tag Example: | Configures an EIGRP instance and enters router configuration mode. The instance-tag can be any case-sensitive, alphanumeric string up to 20 characters. |
| Step4 | vrf vrf-name Example: | Enters router VRF configuration mode. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step5 | address-family ipv4 unicast Example: | (Optional) Enters address family configuration mode for configuring routing sessions that use standard IPv4 address prefixes. |
| Step6 | redistribute bgp as-number route-map map-name Example: | Redistributes routes from one routing domain into another routing domain. The as number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. The instance-tag can be any case-sensitive alphanumeric string up to 20 characters |
| Step7 | show ip ospf instance-tag vrf vrf-name Example: | (Optional) Displays information about OSPF. |
| Step8 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring PE-CE Redistribution in BGP for the MPLS VPN
You must configure BGP to distribute the PE-CE routing protocol on every PE router that provides MPLS Layer 3 VPN services if the PE-CE protocol is not BGP.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature bgp Example: | Enables the BGP feature. |
| Step3 | router bgp instance-tag Example: | Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. |
| Step4 | router id ip-address Example: | (Optional) Configures the BGP router ID. This IP address identifies this BGP speaker. This command triggers an automatic notification and session reset for the BGP neighbor sessions. |
| Step5 | router id ip-address remote-as as-number Example: | Adds an entry to the BGP or multiprotocol BGP neighbor table. The ip-address argument specifies the IP address of the neighbor in dotted decimal notation. The as-number argument specifies the autonomous system to which the neighbor belongs. |
| Step6 | update-source loopback [ 0 | 1 ] Example: | Specifies the source address of the BGP session. |
| Step7 | address-family { ipv4 | ipv6 } unicast Example: | Enters address family configuration mode for configuring routing sessions, such as BGP, that use standard VPNv4 or VPNv6 address prefixes. The optional unicast keyword specifies VPNv4 or VPNv6 unicast address prefixes. |
| Step8 | send-community extended Example: | Specifies that a communities attribute should be sent to a BGP neighbor. |
| Step9 | vrf vrf-name Example: | Enters router VRF configuration mode. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step10 | address-family { ipv4 | ipv6 } unicast Example: | Enters address family configuration mode for configuring routing sessions that use standard IPv4 or IPv6 address prefixes. |
| Step11 | redistribute { direct | { egrip | ospfv3 | ospfv3 |rip } instance-tag | static } route-map map-name Example: | Redistributes routes from one routing domain into another routing domain. The as number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. The instance-tag can be any case-sensitive, alphanumeric string up to 20 characters. The map-name can be any case-sensitive alphanumeric string up to 63 characters. |
| Step12 | show bgp { ipv4 | ipv6 } unicast vrf vrf-name Example: | (Optional) Displays information about BGP. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step13 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring a Hub-and-Spoke Topology
Configuring VRFs on the Hub PE Router
You can configure hub and spoke VRFs on the hub PE router.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | install feature-set mpls Example: | Installs the MPLS feature-set. |
| Step3 | feature-set mpls Example: | Enables the MPLS feature-set. |
| Step4 | feature-set mpls l3vpn Example: | Enables the MPLS Layer 3 VPN feature. |
| Step5 | vrf context vrf-hub Example: | Defines the VPN routing instance for the PE hub by assigning a VRF name and enters VRF configuration mode. The vrf-hub argument is any case-sensitive alphanumeric string up to 32 characters. |
| Step6 | rd route-distinguisher Example: | Configures the route distinguisher. The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix. You can enter an RD in either of these formats:
|
| Step7 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IPv4 address family type and enters address family configuration mode. |
| Step8 | route-target { import | export } route-target-ext-community } Example: | Specifies a route-target extended community for a VRF as follows:
|
| Step9 | vrf context vrf-spoke Example: | Defines the VPN routing instance for the PE spoke by assigning a VRF name and enters VRF configuration mode. The vrf-spoke argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step10 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IPv4 address family type and enters address family configuration mode. |
| Step11 | route-target { import | export } route-target-ext-community } Example: | Specifies a route-target extended community for a VRF as follows:
|
| Step12 | show running-config vrf vrf-name Example: | (Optional) Displays the running configuration for the VRF. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. . |
| Step13 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring eBGP on the Hub PE Router
You can use eBGP to configure PE-to-CE hub routing sessions.
Note | If all CE sites are using the same BGP AS number, you must perform the following tasks:
|
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature-set mpls Example: | Enables the MPLS feature-set. |
| Step3 | feature mpls l3vpn Example: | Enables the MPLS Layer 3 VPN feature. |
| Step4 | feature bgp Example: | Enables the BGP feature. |
| Step5 | router bgp as - number Example: | Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. |
| Step6 | neighbor ip-address remote-as as-number Example: | Adds an entry to the iBGP neighbor table.
|
| Step7 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IP address family type and enters address family configuration mode. |
| Step8 | send-community extended Example: | (Optional) Configures BGP to advertise extended community lists. |
| Step9 | vrf vrf-hub Example: | Enters VRF configuration mode. The vrf-hub argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step10 | neighbor ip-address remote-as as-number Example: | Adds an entry to the BGP or multiprotocol BGP neighbor table for this VRF.
|
| Step11 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IP address family type and enters address family configuration mode. |
| Step12 | as-override Example: | (Optional) Overrides the AS-number when sending an update. If all BGP sites are using the same AS number, of the following commands:
|
| Step13 | vrf vrf-spoke Example: | Enters VRF configuration mode. The vrf-spoke argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step14 | neighbor ip-address remote-as as-number Example: | Adds an entry to the BGP or multiprotocol BGP neighbor table for this VRF.
|
| Step15 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IP address family type and enters address family configuration mode. |
| Step16 | allowas-in [ number ] Example: | (Optional) Allows duplicate AS numbers in the AS path. Configure this parameter in the VPN address family configuration mode at the PE spokes and at the neighbor mode at the PE hub. |
| Step17 | show running-config bgp vrf-name Example: | (Optional) Displays the running configuration for BGP. |
| Step18 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring eBGP on the Hub CE Router
You can use eBGP to configure PE-to-CE hub routing sessions.
Note | |
-
Configure either the as-override command at the PE (hub) or the allowas-in command at the receiving CE router.
-
Configure the disable-peer-as-check command at the CE router.
-
To advertise BGP routes learned from one ASN back to the same ASN, configure the disable-peer-as-check command at the PE router to prevent loopback.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature-set mpls Example: | Enables the MPLS feature-set. |
| Step3 | feature mpls l3vpn Example: | Enables the MPLS Layer 3 VPN feature. |
| Step4 | feature bgp Example: | Enables the BGP feature. |
| Step5 | router bgp as - number Example: | Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. |
| Step6 | neighbor ip-addressremote-as as-number Example: | Adds an entry to the iBGP neighbor table.
|
| Step7 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IP address family type and enters address family configuration mode. |
| Step8 | send-community extended Example: | (Optional) Configures BGP to advertise extended community lists. |
| Step9 | vrf vrf-hub Example: | Enters VRF configuration mode. The vrf-hub argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step10 | neighbor ip-addressremote-as as-number Example: | Adds an entry to the BGP or multiprotocol BGP neighbor table for this VRF.
|
| Step11 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IP address family type and enters address family configuration mode. |
| Step12 | as-override Example: | (Optional) Overrides the AS-number when sending an update. If all BGP sites are using the same AS number, of the following commands:
|
| Step13 | vrf vrf-spoke Example: | Enters VRF configuration mode. The vrf-spoke argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step14 | neighbor ip-addressremote-as as-number Example: | Adds an entry to the BGP or multiprotocol BGP neighbor table for this VRF.
|
| Step15 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IP address family type and enters address family configuration mode. |
| Step16 | allowas-in [ number ] Example: | (Optional) Allows duplicate AS numbers in the AS path. Configure this parameter in the VPN address family configuration mode at the PE spokes and at the neighbor mode at the PE hub. |
| Step17 | show running-config bgp vrf-name Example: | (Optional) Displays the running configuration for BGP. |
| Step18 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring VRFs on the Spoke PE Router
You can configure hub and spoke VRFs on the spoke PE router.
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | install feature-set mpls Example: | Installs the MPLS feature set. |
| Step3 | feature-set mpls Example: | Enables the MPLS feature-set. |
| Step4 | feature-set mpls l3vpn Example: | Enables the MPLS Layer 3 VPN feature. |
| Step5 | vrf context vrf-spoke Example: | Defines the VPN routing instance for the PE spoke by assigning a VRF name and enters VRF configuration mode. The vrf-spoke argument is any case-sensitive, alphanumeric string up to 32 characters. |
| Step6 | rd route-distinguisher Example: | Configures the route distinguisher. The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix. You can enter an RD in either of these formats:
|
| Step7 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IPv4 address family type and enters address family configuration mode. |
| Step8 | route-target { import | export } route-target-ext-community } Example: | Specifies a route-target extended community for a VRF as follows:
|
| Step9 | show running-config vrf vrf-name Example: | (Optional) Displays the running configuration for the VRF. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters. . |
| Step10 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring eBGP on the Spoke PE Router
You can use eBGP to configure PE spoke routing sessions.
Note | If all CE sites are using the same BGP AS number, you must perform the following tasks:
|
Procedure
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. | ||
| Step2 | feature-set mpls Example: | Enables the MPLS feature-set. | ||
| Step3 | feature mpls l3vpn Example: | Enables the MPLS Layer 3 VPN feature. | ||
| Step4 | feature bgp Example: | Enables the BGP feature. | ||
| Step5 | router bgp as - number Example: | Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. | ||
| Step6 | neighbor ip-addressremote-as as-number Example: | Adds an entry to the iBGP neighbor table.
| ||
| Step7 | address-family { ipv4 | ipv6 } unicast Example: | Specifies the IPv4 or IPv6 address family type and enters address family configuration mode. | ||
| Step8 | allowas-in number Example: | (Optional) Allows an AS path with the PE ASN for a specified number of times.
The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. | ||
| Step9 | send-community extended Example: | (Optional) Configures BGP to advertise extended community lists. | ||
| Step10 | show running-config bgp Example: | (Optional) Displays the running configuration for BGP. | ||
| Step11 | copy running-config startup-config Example: | (Optional) Copies the running configuration to the startup configuration. |
Configuring MPLS using Hardware Profile Command
Beginning with release 7.0(3)F3(3), Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards supports multiple hardware profiles. You can configure MPLS and/or VXLAN using hardware profile configuration command in a switch. The hardware profile configuration command invokes appropriate configuration files that are available on the switch. VXLAN is enabled by default
Before you begin
Procedure
| Command or Action | Purpose | |
|---|---|---|
| Step1 | configure terminal Example: | Enters global configuration mode. |
| Step2 | feature bgp Example: | Enables the BGP feature. |
| Step3 | hardware profile [ vxlan | mpls] module all Example: | Enables MPLS on all the switch modules. . |
| Step4 | show hardware profile module [ all | number] Example: | Displays the hardware profile of all the modules or specific module. |
| Step5 | show module internal sw info | [ i | mpls] Example: | Displays the switch software information. |
| Step6 | show running configuration | [ i | mpls] Example: | Displays the running configuration. |
![Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 9.3(x) - Configuring MPLS Layer 3 VPNs [Cisco Nexus 9000 Series Switches] (2024)](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/h8AAvMB+NzmkbcAAAAASUVORK5CYII=)