Static routing in MPLS VPN is one of several methods used to establish connectivity between the Provider Edge (PE) and Customer Edge (CE) routers. In PE-CE routing, options include static routes, RIP, OSPF, EIGRP, and BGP. This lesson focuses on configuring static routes between PE and CE routers—ideal for smaller networks or simple topologies. Dynamic routing options will be discussed in upcoming lessons.

PE-CE Routing in MPLS VPN: Static

This topology is used to demonstrate static routing between PE and CE routers in an MPLS VPN environment. We have two customers—Customer A and Customer B—each with their own internal networks. For each customer, a loopback interface is configured to represent internal connectivity. These loopback networks will be reachable from the PE routers via VRF static routing.

Static Routing between PE and CE routers in MPLS VPN
Static Routing between PE and CE routers in MPLS VPN
PE1(config)#ip route vrf A 172.16.11.0 255.255.255.0 ethernet 0/1 172.16.1.2
PE1(config)#
PE1(config)#do ping vrf A 172.16.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms

PE2(config)#ip route vrf A 172.16.12.0 255.255.255.0 ethernet 0/1 172.16.2.2
PE2(config)#ip route vrf B 172.16.14.0 255.255.255.0 ethernet 0/2 172.16.4.2
PE2(config)#
PE2(config)#do ping vrf A 172.16.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
PE2(config)#do ping vrf B 172.16.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.14.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

PE3(config)#ip route vrf B 172.16.13.0 255.255.255.0 ethernet 0/1 172.16.3.2
PE3(config)#do ping vrf B 172.16.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms

It is a good practice to verify that customer static routes are reachable within their respective VRFs by performing ping tests scoped to the VRF.

The static routes are then advertised across the MPLS core using BGP. This can be achieved either by redistributing static routes into BGP or by explicitly advertising them using the BGP network command. In this lesson, we demonstrate both approaches:

  • For Customer A, we use the “redistribute static” command.

  • For Customer B, we use the “network” command.

PE1(config)#router bgp 65001
PE1(config-router)#address-family ipv4 vrf A
PE1(config-router-af)#redistribute static
PE1(config-router-af)#

PE2(config)#router bgp 65001
PE2(config-router)#address-family ipv4 vrf A
PE2(config-router-af)#redistribute static
PE2(config-router-af)#

PE3(config)#router bgp 65001
PE3(config-router)# address-family ipv4 vrf B
PE3(config-router-af)#network 172.16.13.0 mask 255.255.255.0
PE3(config-router-af)#

PE2(config)#router bgp 65001
PE2(config-router)#address-family ipv4 vrf B
PE2(config-router-af)#network 172.16.14.0 mask 255.255.255.0

Each CE router is configured with a single default route pointing to its corresponding PE router.

A1#show running-config interface ethernet 0/0
Building configuration...

Current configuration : 66 bytes
!
interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.0
end

A1#show runn | inc ip route
ip route 0.0.0.0 0.0.0.0 172.16.1.1
A1#

The MPLS backbone remains consistent with what has been presented in previous lessons—it uses OSPF as the IGP and has MPLS enabled throughout. Two separate VRFs are configured:

  • VRF A with route-target 1:100

  • VRF B with route-target 1:200

BGP with the VPNv4 address family is configured between the PE routers to exchange VPN routes across the MPLS core.

PE1#show running-config | sec router bgp
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  redistribute static
 exit-address-family
!
!
PE1#show running-config | sec ip vrf
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
PE1#  show running-config int eth0/1
Building configuration...

Current configuration : 87 bytes
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.1.1 255.255.255.0

PE2(config)#do sh runn | sec router bgp
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community both
  neighbor 10.10.10.1 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf B
  network 172.16.14.0 mask 255.255.255.0
  redistribute connected
 exit-address-family
!
!
PE2(config)#do sh runn | sec ip vrf
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
ip vrf B
 rd 1:200
 route-target export 1:200
 route-target import 1:200
!
!
PE2(config)#do sh runn int eth0/1
Building configuration...

Current configuration : 87 bytes
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.2.1 255.255.255.0
end

PE2(config)#do sh runn int eth0/2
Building configuration...

Current configuration : 87 bytes
!
interface Ethernet0/2
 ip vrf forwarding B
 ip address 172.16.4.1 255.255.255.0
end

Verifying connectivity over an MPLS VPN with static routing between PE-CE

Before testing connectivity, we can verify the BGP table within the VPNv4 address family to ensure that the routes to the networks behind the CE routers are present.

PE1#show ip bgp vpnv4 all
BGP table version is 17, local router ID is 10.10.10.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:100 (default for vrf A)
 *>  172.16.1.0/24    0.0.0.0                  0         32768 ?
 *>i 172.16.2.0/24    10.10.10.2               0    100      0 ?
 *>  172.16.11.0/24   172.16.1.2               0         32768 ?
 *>i 172.16.12.0/24   10.10.10.2               0    100      0 ?

PE3#show ip bgp vpnv4 all
BGP table version is 17, local router ID is 10.10.10.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:200 (default for vrf B)
 *>  172.16.3.0/24    0.0.0.0                  0         32768 ?
 *>i 172.16.4.0/24    10.10.10.2               0    100      0 ?
 *>  172.16.13.0/24   172.16.3.2               0         32768 i
 *>i 172.16.14.0/24   10.10.10.2               0    100      0 i

As shown, the networks 172.16.11.0/24 and 172.16.12.0/24 appear in the BGP table for VRF A, while 172.16.13.0/24 and 172.16.14.0/24 are listed in the BGP table for VRF B.

Once confirmed, we can proceed to test connectivity between the loopback interfaces of Customer A and Customer B to verify that everything is functioning as expected.

A1(config)#do ping 172.16.12.1 source 172.16.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.12.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.11.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
!
A1#traceroute 172.16.12.1 source 172.16.11.1
Type escape sequence to abort.
Tracing the route to 172.16.12.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.1 0 msec 4 msec 2 msec
  2 10.0.1.10 [MPLS: Labels 20/16 Exp 0] 3 msec 3 msec 6 msec
  3 172.16.2.1 [MPLS: Label 16 Exp 0] 6 msec 7 msec 5 msec
  4 172.16.2.2 5 msec 6 msec 5 msec
A1#

B1#traceroute 172.16.14.1 source 172.16.13.1
Type escape sequence to abort.
Tracing the route to 172.16.14.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.3.1 5 msec 5 msec 6 msec
  2 10.0.3.10 [MPLS: Labels 20/24 Exp 0] 1 msec 5 msec 1 msec
  3 172.16.4.1 [MPLS: Label 24 Exp 0] 0 msec 5 msec 0 msec
  4 172.16.4.2 1 msec 2 msec 0 msec
B1#

End-to-End MPLS VPN Setup with Static Routing 

hostname P
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Ethernet0/1
 ip address 10.0.1.10 255.255.255.0
 mpls ip
!
interface Ethernet0/2
 ip address 10.0.2.10 255.255.255.0
 mpls ip
!
interface Ethernet0/3
 ip address 10.0.3.10 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
mpls ldp router-id Loopback0

hostname PE1
!
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.1.1 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.1.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  redistribute static
 exit-address-family
!
ip route vrf A 172.16.11.0 255.255.255.0 Ethernet0/1 172.16.1.2
!
mpls ldp router-id Loopback0

hostname PE2
!
ip vrf A
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip vrf B
 rd 1:200
 route-target export 1:200
 route-target import 1:200
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.2.2 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding A
 ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/2
 ip vrf forwarding B
 ip address 172.16.4.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.3 remote-as 65001
 neighbor 10.10.10.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community both
  neighbor 10.10.10.1 next-hop-self
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community both
  neighbor 10.10.10.3 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf A
  redistribute connected
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf B
  network 172.16.14.0 mask 255.255.255.0
  redistribute connected
 exit-address-family
!
ip route vrf A 172.16.12.0 255.255.255.0 Ethernet0/1 172.16.2.2
ip route vrf B 172.16.14.0 255.255.255.0 Ethernet0/2 172.16.4.2
!
mpls ldp router-id Loopback0

hostname PE3
!
ip vrf B
 rd 1:200
 route-target export 1:200
 route-target import 1:200
!
ip cef
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.10.10.3 255.255.255.255
!
interface Ethernet0/0
 ip address 10.0.3.3 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding B
 ip address 172.16.3.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.10.10.1 remote-as 65001
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.2 remote-as 65001
 neighbor 10.10.10.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community both
  neighbor 10.10.10.1 next-hop-self
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community both
  neighbor 10.10.10.2 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf B
  network 172.16.13.0 mask 255.255.255.0
  redistribute connected
 exit-address-family
!
ip route vrf B 172.16.13.0 255.255.255.0 Ethernet0/1 172.16.3.2
!
mpls ldp router-id Loopback0
Back to: MPLS & MPLS VPN Fundamental (in Progress) > PE-CE Routing in MPLS VPN

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment