Install GNS3<\/strong><\/h2>\n\n\n\nI searched several pages to find out how to do it now a days. It seems it is mainly managed by python. This is what I had to do for Debian 10 (Testing)<\/p>\n\n\n\n
sudo aptitude install dynamips\nsudo pip3 install gns3-server\nsudo pip3 install gns3-gui\nsudo pip3 install PyQt5==5.9.2\ngns3<\/pre>\n\n\n\nOnce I managed to run the program, I found some other issues. <\/p>\n\n\n\n
First, you need to get the software to simulate the routers. I searched for recommended images for running MPLS and it seems c7200-adventerprisek9-mz.124-24.T2 was a good one. If you search for that, it will not be difficult to find somewhere to download it.<\/p>\n\n\n\n
How do you install Cisco IOS images:<\/p>\n\n\n\n
https:\/\/www.computernetworkingnotes.com\/ccna-study-guide\/how-to-add-install-or-import-ios-in-gns3.html<\/a><\/p>\n\n\n\nAfter that, I tested if the image worked and found another issue. I needed something called “ubridge”. You can get it here:<\/p>\n\n\n\n
https:\/\/github.com\/GNS3\/ubridge<\/a><\/p>\n\n\n\nAnd finally, you needd to reboot<\/p>\n\n\n\n
It took me a while but at the end I could create a lab with several routers, power them up and login to them. <\/p>\n\n\n\n
As well, I modified GNS3 to use “terminator” as default terminal when connecting to the devices. That was handy.<\/p>\n\n\n\n
There are many things you can configure with GNS3. Like a basic linux host to test (Alpine). I installed it as I think it will be usefull in the future:<\/p>\n\n\n\n
https:\/\/docs.gns3.com\/appliances\/alpine-linux.html<\/a><\/p>\n\n\n\nThere are many more things you can configure but for what I want, this is enough.<\/p>\n\n\n\n
MPLS L3VPN<\/h2>\n\n\n\n
So once we have aworking GNS3 environment, we can get our hands dirty and create our MPLS L3VPN lab.<\/p>\n\n\n\n
This is the diagram:<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/04\/mpls-l3vpn-basic.png\")
<\/figure>\n\n\n\nWe are going to simulate a Service Provider (SP) network that is formed by SP1, SP2 and SP3. The customer network CUST-A is formed by HQ and Branch:<\/p>\n\n\n\n
- SP1 and SP3 will be PE routers (they will manage the L3VPN) (PE = Provider Edge)<\/li>
- SP2 will be just a P router (doesnt have visibility of any L3VPN, just handle labels) (P = Provider)<\/li>
- HQ and BRANCH are CPE routers (Customer Provider Edge). They interact with PE.<\/li><\/ul>\n\n\n\n
The SP network uses OSPF (area0 – backbone area) as IGP to build the iBGP full mesh (as100)<\/p>\n\n\n\n
CUST-A is connected to our SP network in different locations. Internally is running its own routing and both locations are in the same OSPF area 10. So the prefixes learned in HQ and Branch should be seen as Inter-Area (IA). This is quite important.<\/p>\n\n\n\n
So, lets get step by step:<\/p>\n\n\n\n
1- IP addressing<\/h3>\n\n\n\n
We need to configure the IP connectivity in all links<\/p>\n\n\n\n
SP1\n---\n!\ninterface Loopback0\n ip address 10.0.1.1 255.255.255.255\n!\ninterface GigabitEthernet1\/0\n description to SP2-P\n ip address 10.0.12.1 255.255.255.0\n!\ninterface FastEthernet0\/0\n description to HQ\n ip address 172.16.100.254 255.255.255.0\n!\n\n\nSP2\n---\n!\ninterface Loopback0\n ip address 10.0.2.1 255.255.255.255\n!\ninterface GigabitEthernet1\/0\n description to SP1-PE\n ip address 10.0.12.2 255.255.255.0\n!\ninterface GigabitEthernet2\/0\n description to SP3-PE\n ip address 10.0.23.2 255.255.255.0\n!\n\nSP3\n---\n!\ninterface Loopback0\n ip address 10.0.3.1 255.255.255.255\n!\ninterface GigabitEthernet1\/0\n description to SP2-P\n ip address 10.0.23.1 255.255.255.0\n!\ninterface FastEthernet0\/0\n description to BRANCH\n ip address 172.16.200.254 255.255.255.0\n!\n\nHQ\n---\n!\ninterface Loopback0\n ip address 172.16.10.1 255.255.255.0\n!\ninterface FastEthernet0\/0\n description to SP1-PE\n ip address 172.16.100.1 255.255.255.0\n!\n\nBRANCH\n---\n!\ninterface Loopback0\n ip address 172.16.20.1 255.255.255.0\n!\ninterface FastEthernet0\/0\n description to SP3-PE\n ip address 172.16.200.1 255.255.255.0\n!<\/pre>\n\n\n\nVerify you can ping each directly connected router:<\/p>\n\n\n\n
HQ#ping 172.16.100.254\n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 172.16.100.254, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 12\/16\/20 ms\nHQ#\n\n<\/pre>\n\n\n\n2- Routing in SP<\/h3>\n\n\n\n
We are going to configure OSPF (area 0 – backbone) as IGP in our SP network. We only want the SP loopbacks and backbone links in OSPF.<\/p>\n\n\n\n
SP1\n---\nrouter ospf 1\n network 10.0.1.0 0.0.0.255 area 0\n network 10.0.12.0 0.0.0.255 area 0\n\nSP2\n---\nrouter ospf 1\n network 10.0.2.0 0.0.0.255 area 0\n network 10.0.12.0 0.0.0.255 area 0\n network 10.0.23.0 0.0.0.255 area 0\n\nSP3\n---\nrouter ospf 1\n network 10.0.3.0 0.0.0.255 area 0\n network 10.0.23.0 0.0.0.255 area 0<\/pre>\n\n\n\nVerify that OSFP comes up in all expected links. If SP2 has two neighbors, all good:<\/p>\n\n\n\n
SP2#show ip ospf neighbor \n\nNeighbor ID Pri State Dead Time Address Interface\n10.0.3.1 1 FULL\/DR 00:00:36 10.0.23.1 GigabitEthernet2\/0\n10.0.1.1 1 FULL\/DR 00:00:34 10.0.12.1 GigabitEthernet1\/0\nSP2#\n<\/pre>\n\n\n\n3- MPLS in SP<\/h3>\n\n\n\n
Now we are going to configure MPLS in SP. We are going to use LDP for label distribution. The configuration is pretty easy, just enable LDP using Lo0 as router ID and configure mpls only in backbone links.<\/p>\n\n\n\n
SP1\n---\nmpls ldp router-id Loopback0 force\n!\ninterface GigabitEthernet1\/0\n description to SP2-P\n mpls ip\n!\n\nSP2\n---\nmpls ldp router-id Loopback0 force\n!\ninterface GigabitEthernet1\/0\n description to SP1-PE\n mpls ip\n!\ninterface GigabitEthernet2\/0\n description to SP3-PE\n mpls ip\n!\n\nSP3\n---\nmpls ldp router-id Loopback0 force\n!\ninterface GigabitEthernet1\/0\n description to SP2-P\n mpls ip\n!\n\n<\/pre>\n\n\n\nCheck that LDP neighbors come up. If SP2 has two, all good.<\/p>\n\n\n\n
SP2#show mpls ldp neighbor \n Peer LDP Ident: 10.0.1.1:0; Local LDP Ident 10.0.2.1:0\n\tTCP connection: 10.0.1.1.646 - 10.0.2.1.61226\n\tState: Oper; Msgs sent\/rcvd: 17\/18; Downstream\n\tUp time: 00:08:34\n\tLDP discovery sources:\n\t GigabitEthernet1\/0, Src IP addr: 10.0.12.1\n Addresses bound to peer LDP Ident:\n 10.0.12.1 10.0.1.1 \n Peer LDP Ident: 10.0.3.1:0; Local LDP Ident 10.0.2.1:0\n\tTCP connection: 10.0.3.1.31845 - 10.0.2.1.646\n\tState: Oper; Msgs sent\/rcvd: 16\/17; Downstream\n\tUp time: 00:08:04\n\tLDP discovery sources:\n\t GigabitEthernet2\/0, Src IP addr: 10.0.23.1\n Addresses bound to peer LDP Ident:\n 10.0.23.1 10.0.3.1 \nSP2#\n<\/pre>\n\n\n\n4- Configure a L3VPN – VRF<\/h3>\n\n\n\n
For SP, you need each customer in a VRF so you can isolate them and the customer can use any IP addressing schema. You need to make those IP prefixes unique inside SP if you want to exchange them via a routing protocol. For doing that, you need to create VPNV4 addresses that are a combination of the customer IP prefix and a RD (Router Distinguisher – 8 bytes). Each VRF has a RD and is locally significant, you could configure each PE with CUST-A using a different RD, but as best practive we keep the same RD per VRF. Having each VRF with a different RD, eachc customer cand use the same private IP prefix but to the SP eyes, after building the VPNV4, the customer prefixes will be diffierent and there will no be leaking (if you dont configure it). For exporting\/importing prefixes in a VRF, we use RT (Route Target). And that is defined during the VRF creating too. Keep in mind that we only define VRFs in PE routers (SP1 and SP3). The P routers (SP2) dont need to know. In our case we are going to use RD 100:1 and RT 1:100.<\/p>\n\n\n\n
SP1\n---\n!\nip vrf CUST-A\n rd 100:1\n route-target export 1:100\n route-target import 1:100\n!\n\nSP3\n---\n!\nip vrf CUST-A\n rd 100:1\n route-target export 1:100\n route-target import 1:100\n!<\/pre>\n\n\n\nThe config above says that for each VPNv4 prefix we export from CUST-A VRF we add RT 1:100. And for any VPNv4 prefix with RT:1:00 learned by the router (more about this later in point 6) we will import it in CUST-A VRF.<\/p>\n\n\n\n
Now we can configure the links to customers in their own VRF:<\/p>\n\n\n\n
SP1\n---\n!\ninterface FastEthernet0\/0\n description to HQ\n ip vrf forwarding CUST-A\n ip address 172.16.100.254 255.255.255.0\n!\n\nSP3\n---\n!\ninterface FastEthernet0\/0\n description to BRANCH\n ip vrf forwarding CUST-A\n ip address 172.16.200.254 255.255.255.0\n!<\/pre>\n\n\n\nNow, let’s check if we keep the IP connectivity with CUST-A from our PE routers.<\/p>\n\n\n\n
SP1#ping vrf CUST-A 172.16.100.1 \n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 16\/21\/32 ms\nSP1#<\/pre>\n\n\n\nKeep in mind, that for CUST-A, all this is transparent.<\/p>\n\n\n\n
5- Customer Routing<\/h3>\n\n\n\n
So now, we want our customer devices to exchange routes because they want reach each other (if not, why do you want a network \ud83d\ude42 We are going to use OSPF in area 10 as routing protocol between CUST-A and SP. But SP is already using OSFP??? Yes, but keep in mind that we are using VRFs, and the OSPF implementation will be in the customer VRF. It will not interact with the SP OSPF Area 0. So we need to configure OSPF in the interfaces connecting to SP and interfaces we want to advertise (Lo0). And again, our SP2 (P) doesnt need to know anything about this.<\/p>\n\n\n\n
HQ\n!\nrouter ospf 1\n log-adjacency-changes\n network 172.16.10.0 0.0.0.255 area 10\n network 172.16.100.0 0.0.0.255 area 10\n!\n\nBRANCH\n!\nrouter ospf 1\n log-adjacency-changes\n network 172.16.20.0 0.0.0.255 area 10\n network 172.16.200.0 0.0.0.255 area 10\n\nSP1\n!\nrouter ospf 10 vrf CUST-A\n network 172.16.100.0 0.0.0.255 area 10\n!\n\nSP3\n!\nrouter ospf 10 vrf CUST-A\n network 172.16.200.0 0.0.0.255 area 10\n!<\/pre>\n\n\n\nCheck that OSPF between CUST-A devices and SP comes up, and you are learning the CUST-A prefixes:<\/p>\n\n\n\n
SP1#show ip ospf neighbor \n\nNeighbor ID Pri State Dead Time Address Interface\n10.0.2.1 1 FULL\/BDR 00:00:36 10.0.12.2 GigabitEthernet1\/0\n172.16.10.1 1 FULL\/BDR 00:00:38 172.16.100.1 FastEthernet0\/0\nSP1#\nSP1#show ip route vrf CUST-A\n\nRouting Table: CUST-A\nCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP\n D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area \n N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2\n E1 - OSPF external type 1, E2 - OSPF external type 2\n i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2\n ia - IS-IS inter area, * - candidate default, U - per-user static route\n o - ODR, P - periodic downloaded static route\n\nGateway of last resort is not set\n\n 172.16.0.0\/16 is variably subnetted, 3 subnets, 2 masks\nO 172.16.10.1\/32 [110\/2] via 172.16.100.1, 00:38:48, FastEthernet0\/0\nC 172.16.100.0\/24 is directly connected, FastEthernet0\/0\nSP1#\n<\/pre>\n\n\n\nIn the output above, you will see that SP1 has two OSPF neighbors, one to SP2 (OSPF area 0 – backbone) and one to HQ (CUST-A VRF). As well, you will see that SP1 is learning Lo0 prefix from HQ via OSPF.<\/p>\n\n\n\n
6- BGP<\/h3>\n\n\n\n
Now we have routing between SP1-HQ and SP3-BRANCH. But we dont have communication between HQ-BRANCH yet. And this is the goal at the end of the day.<\/p>\n\n\n\n
So now, we need our PE routers to exchange the customer prefixes. We are going to use BGP\/MP-BGP. <\/p>\n\n\n\n
As we are in the same AS100 (Autonomous System) we are going to use iBGP (internal BGP). Following best practices, we are going to build our full mesh iBGP on loopbacks. iBGP relays on a IGP, and that is already configured via OSPF in our network.<\/p>\n\n\n\n
SP1\n!\nrouter bgp 100\n neighbor 10.0.3.1 remote-as 100\n neighbor 10.0.3.1 update-source Loopback0\n\nSP3\n!\nrouter bgp 100\n neighbor 10.0.1.1 remote-as 100\n neighbor 10.0.1.1 update-source Loopback0<\/pre>\n\n\n\nCheck that BGP comes up between SP1-SP3<\/p>\n\n\n\n
SP1#show ip bgp summary \nBGP router identifier 10.0.1.1, local AS number 100\nBGP table version is 1, main routing table version 1\n\nNeighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up\/Down State\/PfxRcd\n10.0.3.1 4 100 53 53 1 0 0 00:50:08 0\nSP1#\n<\/pre>\n\n\n\nSo we have BGP between our PE routers. Now we need to configure the exchange of those VPNv4 routes so CUST-A devices can learn prefixes from its own network.<\/p>\n\n\n\n
SP1\n!\nrouter bgp 100\n address-family vpnv4\n neighbor 10.0.3.1 activate\n neighbor 10.0.3.1 send-community both\n exit-address-family\n\nSP3\n!\nrouter bgp 100\n address-family vpnv4\n neighbor 10.0.1.1 activate\n neighbor 10.0.1.1 send-community both\n exit-address-family<\/pre>\n\n\n\nThe above part is the MP-BGP part (MultiProtocol-BGP). Inside our BGP connection between SP1-SP3 we have enabled a type of exchange of prefixes for vpnv4. <\/p>\n\n\n\n
But, we dont have VPNv4 prefixes yet.<\/p>\n\n\n\n
SP1#show ip bgp vpnv4 all \nBGP table version is 7, local router ID is 10.0.1.1\nStatus codes: s suppressed, d damped, h history, * valid, > best, i - internal,\n r RIB-failure, S Stale\nOrigin codes: i - IGP, e - EGP, ? - incomplete\n\n Network Next Hop Metric LocPrf Weight Path\nSP1#\n<\/pre>\n\n\n\nBecause they need to be in the BGP table first. We have routing between PE-CE (ospf area 10) but we dont have any kind of redistribution between OSPF-BGP. Let’s do that:<\/p>\n\n\n\n
SP1\n!\nrouter ospf 10 vrf CUST-A\n redistribute bgp 100 subnets\n!\nrouter bgp 100\n address-family ipv4 vrf CUST-A\n redistribute ospf 10 vrf CUST-A\n exit-address-family\n!\n\nSP3\n!\nrouter ospf 10 vrf CUST-A\n redistribute bgp 100 subnets\n!\nrouter bgp 100\n address-family ipv4 vrf CUST-A\n redistribute ospf 10 vrf CUST-A\n exit-address-family\n!<\/pre>\n\n\n\nLet’s check again our VPNv4 table:<\/p>\n\n\n\n
SP1#show ip bgp vpnv4 all \nBGP table version is 9, local router ID is 10.0.1.1\nStatus codes: s suppressed, d damped, h history, * valid, > best, i - internal,\n r RIB-failure, S Stale\nOrigin codes: i - IGP, e - EGP, ? - incomplete\n\n Network Next Hop Metric LocPrf Weight Path\nRoute Distinguisher: 100:1 (default for vrf CUST-A)\n*> 172.16.10.1\/32 172.16.100.1 2 32768 ?\n*>i172.16.20.1\/32 10.0.3.1 2 100 0 ?\n*> 172.16.100.0\/24 0.0.0.0 0 32768 ?\n*>i172.16.200.0\/24 10.0.3.1 0 100 0 ?\nSP1#\n<\/pre>\n\n\n\nSo now, we can see in SP1 the prefixes from HQ and BRANCH routers!<\/p>\n\n\n\n
Now, let’s check the CUST-A routing table from SP1 and HQ:<\/p>\n\n\n\n
SP1#show ip route vrf CUST-A\n\nRouting Table: CUST-A\nCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP\n D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area \n N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2\n E1 - OSPF external type 1, E2 - OSPF external type 2\n i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2\n ia - IS-IS inter area, * - candidate default, U - per-user static route\n o - ODR, P - periodic downloaded static route\n\nGateway of last resort is not set\n\n 172.16.0.0\/16 is variably subnetted, 4 subnets, 2 masks\nB 172.16.200.0\/24 [200\/0] via 10.0.3.1, 01:08:19\nB 172.16.20.1\/32 [200\/2] via 10.0.3.1, 00:01:33\nO 172.16.10.1\/32 [110\/2] via 172.16.100.1, 01:15:49, FastEthernet0\/0\nC 172.16.100.0\/24 is directly connected, FastEthernet0\/0\nSP1#\n\n\nHQ#show ip route \nCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP\n D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area \n N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2\n E1 - OSPF external type 1, E2 - OSPF external type 2\n i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2\n ia - IS-IS inter area, * - candidate default, U - per-user static route\n o - ODR, P - periodic downloaded static route\n\nGateway of last resort is not set\n\n 172.16.0.0\/16 is variably subnetted, 4 subnets, 2 masks\nO IA 172.16.200.0\/24 [110\/2] via 172.16.100.254, 01:07:09, FastEthernet0\/0\nO IA 172.16.20.1\/32 [110\/3] via 172.16.100.254, 00:00:22, FastEthernet0\/0\nC 172.16.10.0\/24 is directly connected, Loopback0\nC 172.16.100.0\/24 is directly connected, FastEthernet0\/0\nHQ#\nHQ#\n<\/pre>\n\n\n\nSo from SP1, we can see that is learning BRANCH 172.16.200.0\/24 and 172.16.20.1\/32 via iBGP (from SP3 loopback 10.0.3.1). The 172.16.10.1\/32 (HQ loopback) via OSPF.<\/p>\n\n\n\n
From HQ, we see it is learning BRANCH Prefixes too and they come up as O IA. This is very important, and it is material for another post about OSPF Down-Bit.<\/p>\n\n\n\n
7- Conclusion<\/h3>\n\n\n\n
We have IP connectivity between our CUST-A devices across a MPLS L3VPN<\/p>\n\n\n\n
HQ#ping 172.16.20.1 \n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 44\/76\/156 ms\nHQ#\nHQ#traceroute 172.16.20.1 \n\nType escape sequence to abort.\nTracing the route to 172.16.20.1\n\n 1 172.16.100.254 16 msec 8 msec 12 msec\n 2 10.0.12.2 [MPLS: Labels 17\/20 Exp 0] 72 msec 40 msec 60 msec\n 3 172.16.200.254 [MPLS: Label 20 Exp 0] 52 msec 8 msec 60 msec\n 4 172.16.200.1 40 msec 52 msec 40 msec\nHQ#\n<\/pre>\n\n\n\nWe have built a MPLS L3VPN from the bottom up. There are many points that can be explained with much more detail but that wasnt the goal. Just wanted to build this MPLS network so I can do some hands-on troubleshooting and review a couple of concepts.<\/p>\n\n\n\n
Ideally, at some point, I would like to build a MPLS Segment Routing GNS3 networks.<\/p>\n\n\n\n
More to come hopefully.<\/p>\n","protected":false},"excerpt":{"rendered":"
When I was studying CCNP back in 2009, I found a lab for MPLS that was fantastic. It showed how to buid a MPLS L3VPN network from scratch. I managed to build that in my laptop with GNS3 at that time. Now I want to review some MPLS features so I decided to install GNS3 … Continue reading “GNS3: Basic MPLS L3VPN and OSPF in PE-CE routing”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-79","post","type-post","status-publish","format-standard","hentry","category-networks"],"_links":{"self":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/79","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/comments?post=79"}],"version-history":[{"count":4,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/79\/revisions"}],"predecessor-version":[{"id":135,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/79\/revisions\/135"}],"wp:attachment":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/media?parent=79"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/categories?post=79"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/tags?post=79"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Once I managed to run the program, I found some other issues. <\/p>\n\n\n\n
First, you need to get the software to simulate the routers. I searched for recommended images for running MPLS and it seems c7200-adventerprisek9-mz.124-24.T2 was a good one. If you search for that, it will not be difficult to find somewhere to download it.<\/p>\n\n\n\n
How do you install Cisco IOS images:<\/p>\n\n\n\n
https:\/\/www.computernetworkingnotes.com\/ccna-study-guide\/how-to-add-install-or-import-ios-in-gns3.html<\/a><\/p>\n\n\n\n After that, I tested if the image worked and found another issue. I needed something called “ubridge”. You can get it here:<\/p>\n\n\n\n https:\/\/github.com\/GNS3\/ubridge<\/a><\/p>\n\n\n\n And finally, you needd to reboot<\/p>\n\n\n\n It took me a while but at the end I could create a lab with several routers, power them up and login to them. <\/p>\n\n\n\n As well, I modified GNS3 to use “terminator” as default terminal when connecting to the devices. That was handy.<\/p>\n\n\n\n There are many things you can configure with GNS3. Like a basic linux host to test (Alpine). I installed it as I think it will be usefull in the future:<\/p>\n\n\n\n https:\/\/docs.gns3.com\/appliances\/alpine-linux.html<\/a><\/p>\n\n\n\n There are many more things you can configure but for what I want, this is enough.<\/p>\n\n\n\n So once we have aworking GNS3 environment, we can get our hands dirty and create our MPLS L3VPN lab.<\/p>\n\n\n\n This is the diagram:<\/p>\n\n\n\n We are going to simulate a Service Provider (SP) network that is formed by SP1, SP2 and SP3. The customer network CUST-A is formed by HQ and Branch:<\/p>\n\n\n\n The SP network uses OSPF (area0 – backbone area) as IGP to build the iBGP full mesh (as100)<\/p>\n\n\n\n CUST-A is connected to our SP network in different locations. Internally is running its own routing and both locations are in the same OSPF area 10. So the prefixes learned in HQ and Branch should be seen as Inter-Area (IA). This is quite important.<\/p>\n\n\n\n So, lets get step by step:<\/p>\n\n\n\n We need to configure the IP connectivity in all links<\/p>\n\n\n\n Verify you can ping each directly connected router:<\/p>\n\n\n\n We are going to configure OSPF (area 0 – backbone) as IGP in our SP network. We only want the SP loopbacks and backbone links in OSPF.<\/p>\n\n\n\n Verify that OSFP comes up in all expected links. If SP2 has two neighbors, all good:<\/p>\n\n\n\n Now we are going to configure MPLS in SP. We are going to use LDP for label distribution. The configuration is pretty easy, just enable LDP using Lo0 as router ID and configure mpls only in backbone links.<\/p>\n\n\n\n Check that LDP neighbors come up. If SP2 has two, all good.<\/p>\n\n\n\n For SP, you need each customer in a VRF so you can isolate them and the customer can use any IP addressing schema. You need to make those IP prefixes unique inside SP if you want to exchange them via a routing protocol. For doing that, you need to create VPNV4 addresses that are a combination of the customer IP prefix and a RD (Router Distinguisher – 8 bytes). Each VRF has a RD and is locally significant, you could configure each PE with CUST-A using a different RD, but as best practive we keep the same RD per VRF. Having each VRF with a different RD, eachc customer cand use the same private IP prefix but to the SP eyes, after building the VPNV4, the customer prefixes will be diffierent and there will no be leaking (if you dont configure it). For exporting\/importing prefixes in a VRF, we use RT (Route Target). And that is defined during the VRF creating too. Keep in mind that we only define VRFs in PE routers (SP1 and SP3). The P routers (SP2) dont need to know. In our case we are going to use RD 100:1 and RT 1:100.<\/p>\n\n\n\n The config above says that for each VPNv4 prefix we export from CUST-A VRF we add RT 1:100. And for any VPNv4 prefix with RT:1:00 learned by the router (more about this later in point 6) we will import it in CUST-A VRF.<\/p>\n\n\n\n Now we can configure the links to customers in their own VRF:<\/p>\n\n\n\n Now, let’s check if we keep the IP connectivity with CUST-A from our PE routers.<\/p>\n\n\n\n Keep in mind, that for CUST-A, all this is transparent.<\/p>\n\n\n\n So now, we want our customer devices to exchange routes because they want reach each other (if not, why do you want a network \ud83d\ude42 We are going to use OSPF in area 10 as routing protocol between CUST-A and SP. But SP is already using OSFP??? Yes, but keep in mind that we are using VRFs, and the OSPF implementation will be in the customer VRF. It will not interact with the SP OSPF Area 0. So we need to configure OSPF in the interfaces connecting to SP and interfaces we want to advertise (Lo0). And again, our SP2 (P) doesnt need to know anything about this.<\/p>\n\n\n\n Check that OSPF between CUST-A devices and SP comes up, and you are learning the CUST-A prefixes:<\/p>\n\n\n\n In the output above, you will see that SP1 has two OSPF neighbors, one to SP2 (OSPF area 0 – backbone) and one to HQ (CUST-A VRF). As well, you will see that SP1 is learning Lo0 prefix from HQ via OSPF.<\/p>\n\n\n\n Now we have routing between SP1-HQ and SP3-BRANCH. But we dont have communication between HQ-BRANCH yet. And this is the goal at the end of the day.<\/p>\n\n\n\n So now, we need our PE routers to exchange the customer prefixes. We are going to use BGP\/MP-BGP. <\/p>\n\n\n\n As we are in the same AS100 (Autonomous System) we are going to use iBGP (internal BGP). Following best practices, we are going to build our full mesh iBGP on loopbacks. iBGP relays on a IGP, and that is already configured via OSPF in our network.<\/p>\n\n\n\n Check that BGP comes up between SP1-SP3<\/p>\n\n\n\n So we have BGP between our PE routers. Now we need to configure the exchange of those VPNv4 routes so CUST-A devices can learn prefixes from its own network.<\/p>\n\n\n\n The above part is the MP-BGP part (MultiProtocol-BGP). Inside our BGP connection between SP1-SP3 we have enabled a type of exchange of prefixes for vpnv4. <\/p>\n\n\n\n But, we dont have VPNv4 prefixes yet.<\/p>\n\n\n\n Because they need to be in the BGP table first. We have routing between PE-CE (ospf area 10) but we dont have any kind of redistribution between OSPF-BGP. Let’s do that:<\/p>\n\n\n\n Let’s check again our VPNv4 table:<\/p>\n\n\n\n So now, we can see in SP1 the prefixes from HQ and BRANCH routers!<\/p>\n\n\n\n Now, let’s check the CUST-A routing table from SP1 and HQ:<\/p>\n\n\n\n So from SP1, we can see that is learning BRANCH 172.16.200.0\/24 and 172.16.20.1\/32 via iBGP (from SP3 loopback 10.0.3.1). The 172.16.10.1\/32 (HQ loopback) via OSPF.<\/p>\n\n\n\n From HQ, we see it is learning BRANCH Prefixes too and they come up as O IA. This is very important, and it is material for another post about OSPF Down-Bit.<\/p>\n\n\n\n We have IP connectivity between our CUST-A devices across a MPLS L3VPN<\/p>\n\n\n\n We have built a MPLS L3VPN from the bottom up. There are many points that can be explained with much more detail but that wasnt the goal. Just wanted to build this MPLS network so I can do some hands-on troubleshooting and review a couple of concepts.<\/p>\n\n\n\n Ideally, at some point, I would like to build a MPLS Segment Routing GNS3 networks.<\/p>\n\n\n\n More to come hopefully.<\/p>\n","protected":false},"excerpt":{"rendered":" When I was studying CCNP back in 2009, I found a lab for MPLS that was fantastic. It showed how to buid a MPLS L3VPN network from scratch. I managed to build that in my laptop with GNS3 at that time. Now I want to review some MPLS features so I decided to install GNS3 … Continue reading “GNS3: Basic MPLS L3VPN and OSPF in PE-CE routing”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-79","post","type-post","status-publish","format-standard","hentry","category-networks"],"_links":{"self":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/79","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/comments?post=79"}],"version-history":[{"count":4,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/79\/revisions"}],"predecessor-version":[{"id":135,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/79\/revisions\/135"}],"wp:attachment":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/media?parent=79"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/categories?post=79"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/tags?post=79"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}MPLS L3VPN<\/h2>\n\n\n\n
<\/figure>\n\n\n\n1- IP addressing<\/h3>\n\n\n\n
SP1\n---\n!\ninterface Loopback0\n ip address 10.0.1.1 255.255.255.255\n!\ninterface GigabitEthernet1\/0\n description to SP2-P\n ip address 10.0.12.1 255.255.255.0\n!\ninterface FastEthernet0\/0\n description to HQ\n ip address 172.16.100.254 255.255.255.0\n!\n\n\nSP2\n---\n!\ninterface Loopback0\n ip address 10.0.2.1 255.255.255.255\n!\ninterface GigabitEthernet1\/0\n description to SP1-PE\n ip address 10.0.12.2 255.255.255.0\n!\ninterface GigabitEthernet2\/0\n description to SP3-PE\n ip address 10.0.23.2 255.255.255.0\n!\n\nSP3\n---\n!\ninterface Loopback0\n ip address 10.0.3.1 255.255.255.255\n!\ninterface GigabitEthernet1\/0\n description to SP2-P\n ip address 10.0.23.1 255.255.255.0\n!\ninterface FastEthernet0\/0\n description to BRANCH\n ip address 172.16.200.254 255.255.255.0\n!\n\nHQ\n---\n!\ninterface Loopback0\n ip address 172.16.10.1 255.255.255.0\n!\ninterface FastEthernet0\/0\n description to SP1-PE\n ip address 172.16.100.1 255.255.255.0\n!\n\nBRANCH\n---\n!\ninterface Loopback0\n ip address 172.16.20.1 255.255.255.0\n!\ninterface FastEthernet0\/0\n description to SP3-PE\n ip address 172.16.200.1 255.255.255.0\n!<\/pre>\n\n\n\n
HQ#ping 172.16.100.254\n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 172.16.100.254, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 12\/16\/20 ms\nHQ#\n\n<\/pre>\n\n\n\n
2- Routing in SP<\/h3>\n\n\n\n
SP1\n---\nrouter ospf 1\n network 10.0.1.0 0.0.0.255 area 0\n network 10.0.12.0 0.0.0.255 area 0\n\nSP2\n---\nrouter ospf 1\n network 10.0.2.0 0.0.0.255 area 0\n network 10.0.12.0 0.0.0.255 area 0\n network 10.0.23.0 0.0.0.255 area 0\n\nSP3\n---\nrouter ospf 1\n network 10.0.3.0 0.0.0.255 area 0\n network 10.0.23.0 0.0.0.255 area 0<\/pre>\n\n\n\n
SP2#show ip ospf neighbor \n\nNeighbor ID Pri State Dead Time Address Interface\n10.0.3.1 1 FULL\/DR 00:00:36 10.0.23.1 GigabitEthernet2\/0\n10.0.1.1 1 FULL\/DR 00:00:34 10.0.12.1 GigabitEthernet1\/0\nSP2#\n<\/pre>\n\n\n\n
3- MPLS in SP<\/h3>\n\n\n\n
SP1\n---\nmpls ldp router-id Loopback0 force\n!\ninterface GigabitEthernet1\/0\n description to SP2-P\n mpls ip\n!\n\nSP2\n---\nmpls ldp router-id Loopback0 force\n!\ninterface GigabitEthernet1\/0\n description to SP1-PE\n mpls ip\n!\ninterface GigabitEthernet2\/0\n description to SP3-PE\n mpls ip\n!\n\nSP3\n---\nmpls ldp router-id Loopback0 force\n!\ninterface GigabitEthernet1\/0\n description to SP2-P\n mpls ip\n!\n\n<\/pre>\n\n\n\n
SP2#show mpls ldp neighbor \n Peer LDP Ident: 10.0.1.1:0; Local LDP Ident 10.0.2.1:0\n\tTCP connection: 10.0.1.1.646 - 10.0.2.1.61226\n\tState: Oper; Msgs sent\/rcvd: 17\/18; Downstream\n\tUp time: 00:08:34\n\tLDP discovery sources:\n\t GigabitEthernet1\/0, Src IP addr: 10.0.12.1\n Addresses bound to peer LDP Ident:\n 10.0.12.1 10.0.1.1 \n Peer LDP Ident: 10.0.3.1:0; Local LDP Ident 10.0.2.1:0\n\tTCP connection: 10.0.3.1.31845 - 10.0.2.1.646\n\tState: Oper; Msgs sent\/rcvd: 16\/17; Downstream\n\tUp time: 00:08:04\n\tLDP discovery sources:\n\t GigabitEthernet2\/0, Src IP addr: 10.0.23.1\n Addresses bound to peer LDP Ident:\n 10.0.23.1 10.0.3.1 \nSP2#\n<\/pre>\n\n\n\n
4- Configure a L3VPN – VRF<\/h3>\n\n\n\n
SP1\n---\n!\nip vrf CUST-A\n rd 100:1\n route-target export 1:100\n route-target import 1:100\n!\n\nSP3\n---\n!\nip vrf CUST-A\n rd 100:1\n route-target export 1:100\n route-target import 1:100\n!<\/pre>\n\n\n\n
SP1\n---\n!\ninterface FastEthernet0\/0\n description to HQ\n ip vrf forwarding CUST-A\n ip address 172.16.100.254 255.255.255.0\n!\n\nSP3\n---\n!\ninterface FastEthernet0\/0\n description to BRANCH\n ip vrf forwarding CUST-A\n ip address 172.16.200.254 255.255.255.0\n!<\/pre>\n\n\n\n
SP1#ping vrf CUST-A 172.16.100.1 \n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 16\/21\/32 ms\nSP1#<\/pre>\n\n\n\n
5- Customer Routing<\/h3>\n\n\n\n
HQ\n!\nrouter ospf 1\n log-adjacency-changes\n network 172.16.10.0 0.0.0.255 area 10\n network 172.16.100.0 0.0.0.255 area 10\n!\n\nBRANCH\n!\nrouter ospf 1\n log-adjacency-changes\n network 172.16.20.0 0.0.0.255 area 10\n network 172.16.200.0 0.0.0.255 area 10\n\nSP1\n!\nrouter ospf 10 vrf CUST-A\n network 172.16.100.0 0.0.0.255 area 10\n!\n\nSP3\n!\nrouter ospf 10 vrf CUST-A\n network 172.16.200.0 0.0.0.255 area 10\n!<\/pre>\n\n\n\n
SP1#show ip ospf neighbor \n\nNeighbor ID Pri State Dead Time Address Interface\n10.0.2.1 1 FULL\/BDR 00:00:36 10.0.12.2 GigabitEthernet1\/0\n172.16.10.1 1 FULL\/BDR 00:00:38 172.16.100.1 FastEthernet0\/0\nSP1#\nSP1#show ip route vrf CUST-A\n\nRouting Table: CUST-A\nCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP\n D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area \n N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2\n E1 - OSPF external type 1, E2 - OSPF external type 2\n i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2\n ia - IS-IS inter area, * - candidate default, U - per-user static route\n o - ODR, P - periodic downloaded static route\n\nGateway of last resort is not set\n\n 172.16.0.0\/16 is variably subnetted, 3 subnets, 2 masks\nO 172.16.10.1\/32 [110\/2] via 172.16.100.1, 00:38:48, FastEthernet0\/0\nC 172.16.100.0\/24 is directly connected, FastEthernet0\/0\nSP1#\n<\/pre>\n\n\n\n
6- BGP<\/h3>\n\n\n\n
SP1\n!\nrouter bgp 100\n neighbor 10.0.3.1 remote-as 100\n neighbor 10.0.3.1 update-source Loopback0\n\nSP3\n!\nrouter bgp 100\n neighbor 10.0.1.1 remote-as 100\n neighbor 10.0.1.1 update-source Loopback0<\/pre>\n\n\n\n
SP1#show ip bgp summary \nBGP router identifier 10.0.1.1, local AS number 100\nBGP table version is 1, main routing table version 1\n\nNeighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up\/Down State\/PfxRcd\n10.0.3.1 4 100 53 53 1 0 0 00:50:08 0\nSP1#\n<\/pre>\n\n\n\n
SP1\n!\nrouter bgp 100\n address-family vpnv4\n neighbor 10.0.3.1 activate\n neighbor 10.0.3.1 send-community both\n exit-address-family\n\nSP3\n!\nrouter bgp 100\n address-family vpnv4\n neighbor 10.0.1.1 activate\n neighbor 10.0.1.1 send-community both\n exit-address-family<\/pre>\n\n\n\n
SP1#show ip bgp vpnv4 all \nBGP table version is 7, local router ID is 10.0.1.1\nStatus codes: s suppressed, d damped, h history, * valid, > best, i - internal,\n r RIB-failure, S Stale\nOrigin codes: i - IGP, e - EGP, ? - incomplete\n\n Network Next Hop Metric LocPrf Weight Path\nSP1#\n<\/pre>\n\n\n\n
SP1\n!\nrouter ospf 10 vrf CUST-A\n redistribute bgp 100 subnets\n!\nrouter bgp 100\n address-family ipv4 vrf CUST-A\n redistribute ospf 10 vrf CUST-A\n exit-address-family\n!\n\nSP3\n!\nrouter ospf 10 vrf CUST-A\n redistribute bgp 100 subnets\n!\nrouter bgp 100\n address-family ipv4 vrf CUST-A\n redistribute ospf 10 vrf CUST-A\n exit-address-family\n!<\/pre>\n\n\n\n
SP1#show ip bgp vpnv4 all \nBGP table version is 9, local router ID is 10.0.1.1\nStatus codes: s suppressed, d damped, h history, * valid, > best, i - internal,\n r RIB-failure, S Stale\nOrigin codes: i - IGP, e - EGP, ? - incomplete\n\n Network Next Hop Metric LocPrf Weight Path\nRoute Distinguisher: 100:1 (default for vrf CUST-A)\n*> 172.16.10.1\/32 172.16.100.1 2 32768 ?\n*>i172.16.20.1\/32 10.0.3.1 2 100 0 ?\n*> 172.16.100.0\/24 0.0.0.0 0 32768 ?\n*>i172.16.200.0\/24 10.0.3.1 0 100 0 ?\nSP1#\n<\/pre>\n\n\n\n
SP1#show ip route vrf CUST-A\n\nRouting Table: CUST-A\nCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP\n D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area \n N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2\n E1 - OSPF external type 1, E2 - OSPF external type 2\n i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2\n ia - IS-IS inter area, * - candidate default, U - per-user static route\n o - ODR, P - periodic downloaded static route\n\nGateway of last resort is not set\n\n 172.16.0.0\/16 is variably subnetted, 4 subnets, 2 masks\nB 172.16.200.0\/24 [200\/0] via 10.0.3.1, 01:08:19\nB 172.16.20.1\/32 [200\/2] via 10.0.3.1, 00:01:33\nO 172.16.10.1\/32 [110\/2] via 172.16.100.1, 01:15:49, FastEthernet0\/0\nC 172.16.100.0\/24 is directly connected, FastEthernet0\/0\nSP1#\n\n\nHQ#show ip route \nCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP\n D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area \n N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2\n E1 - OSPF external type 1, E2 - OSPF external type 2\n i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2\n ia - IS-IS inter area, * - candidate default, U - per-user static route\n o - ODR, P - periodic downloaded static route\n\nGateway of last resort is not set\n\n 172.16.0.0\/16 is variably subnetted, 4 subnets, 2 masks\nO IA 172.16.200.0\/24 [110\/2] via 172.16.100.254, 01:07:09, FastEthernet0\/0\nO IA 172.16.20.1\/32 [110\/3] via 172.16.100.254, 00:00:22, FastEthernet0\/0\nC 172.16.10.0\/24 is directly connected, Loopback0\nC 172.16.100.0\/24 is directly connected, FastEthernet0\/0\nHQ#\nHQ#\n<\/pre>\n\n\n\n
7- Conclusion<\/h3>\n\n\n\n
HQ#ping 172.16.20.1 \n\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:\n!!!!!\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 44\/76\/156 ms\nHQ#\nHQ#traceroute 172.16.20.1 \n\nType escape sequence to abort.\nTracing the route to 172.16.20.1\n\n 1 172.16.100.254 16 msec 8 msec 12 msec\n 2 10.0.12.2 [MPLS: Labels 17\/20 Exp 0] 72 msec 40 msec 60 msec\n 3 172.16.200.254 [MPLS: Label 20 Exp 0] 52 msec 8 msec 60 msec\n 4 172.16.200.1 40 msec 52 msec 40 msec\nHQ#\n<\/pre>\n\n\n\n