MPLS/VPN over L2TPv3 multipoint tunnels

From IPFlow Netflow Collector

Introduction

MPLS VPNs over IP Tunnels (http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/csgl3vpn.html) allows you to deploy MPLS/VPN over an IP core that is not MPLS enabled, replacing MPLS with L2TPv3 multipoint tunnels.

The tunnel endpoints and the tunnel attributes are exchanged through a "tunnel" BGP SAFI.


Topology

Image:Mplsvpn_l2tpv3m_2.png

Cisco IOS image: 12.0(33)S, Service Provider


IOS configurations

P routers (not MPLS enabled):

  • P1 (http://www.ipflow.utc.fr/configs/MPLSVPN_L2TPV3M/P1.cfg)
  • P2 (http://www.ipflow.utc.fr/configs/MPLSVPN_L2TPV3M/P2.cfg)
  • P3 (http://www.ipflow.utc.fr/configs/MPLSVPN_L2TPV3M/P3.cfg)


PE routers:

  • PE1 (http://www.ipflow.utc.fr/configs/MPLSVPN_L2TPV3M/PE1.cfg)
  • PE2 (http://www.ipflow.utc.fr/configs/MPLSVPN_L2TPV3M/PE2.cfg)
  • PE3 (http://www.ipflow.utc.fr/configs/MPLSVPN_L2TPV3M/PE3.cfg)


CE routers:

  • CE1 (http://www.ipflow.utc.fr/configs/MPLSVPN_L2TPV3M/CE1.cfg)
  • CE2 (http://www.ipflow.utc.fr/configs/MPLSVPN_L2TPV3M/CE2.cfg)


Verifying tunnels

PE1#sh tunnel endpoints 
 Tunnel0 running in Multi-L2TPv3 (L3VPN) mode
  RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0
  Transporting l3vpn traffic to all routes recursing through "RIV"

 Endpoint 10.10.1.2 via destination 10.10.1.2
  Session 1025, High Cookie 0x0D28F8ED Low Cookie 0x8CD3DAF1
 Endpoint 10.10.1.3 via destination 10.10.1.3
  Session 1025, High Cookie 0x693EA1DA Low Cookie 0x0D631034

 Tunnel Endpoint Process Active
 MGRE L3VPN Summary
   Active Tunnel: None
 L2tpv3 L3VPN Summary
   Active Tunnel: Tunnel0 Current receive Session 1025, 
                              High Cookie 0xB17CECF4 Low Cookie 0x1550FB17
   L2TPv3 cookie mismatch counters: 0

PE2#sh tunnel endpoints
 Tunnel0 running in Multi-L2TPv3 (L3VPN) mode
  RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0
  Transporting l3vpn traffic to all routes recursing through "RIV"

 Endpoint 10.10.1.1 via destination 10.10.1.1
  Session 1025, High Cookie 0xB17CECF4 Low Cookie 0x1550FB17
 Endpoint 10.10.1.3 via destination 10.10.1.3
  Session 1025, High Cookie 0x693EA1DA Low Cookie 0x0D631034

 Tunnel Endpoint Process Active
 MGRE L3VPN Summary
   Active Tunnel: None
 L2tpv3 L3VPN Summary
   Active Tunnel: Tunnel0 Current receive Session 1025, 
                              High Cookie 0x0D28F8ED Low Cookie 0x8CD3DAF1
   L2TPv3 cookie mismatch counters: 0


The tunnel cookies (64-bit ID) are exchanged through BGP:

PE1#sh ip bgp ipv4 tunnel  
BGP table version is 4, local router ID is 10.10.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.10.1.1/32     0.0.0.0                  0         32768 ?
*>i10.10.1.2/32     10.10.1.2                0    100      0 ?
*>i10.10.1.3/32     10.10.1.3                0    100      0 ?

PE1#sh ip bgp ipv4 tunnel 10.10.1.2
BGP routing table entry for 10.10.1.2/32, version 3
Paths: (1 available, best #1, table IPv4-Tunnel-BGP-Table)
  Not advertised to any peer
  Local
    10.10.1.2 (metric 4) from 10.10.1.2 (10.10.1.2)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      SAFI Specific Attribute: ssacount=1
       type L2TP (transitive), len 16
        pref 0,flags 0x0,session 1025,cookielen 8,cookie 0xD28F8ED 0x8CD3DAF1


Routing table and LFIB

We check on PE1 how 100.2.1.2 (in VPN1), which is an IP address of CE2, is handled.

PE1#sh ip cef vrf VPN1 100.2.1.2
100.2.1.0/30, version 16, epoch 0, cached adjacency 10.10.1.2
0 packets, 0 bytes
  tag information set, all rewrites owned
    local tag: VPN route head
    fast tag rewrite with Tu0, 10.10.1.2, tags imposed {67}
  via 10.10.1.2, 0 dependencies, recursive
    next hop 10.10.1.2, Tunnel0 via 10.10.1.2/32 (RIV)
    valid cached adjacency
    tag rewrite with Tu0, 10.10.1.2, tags imposed {67}


The LFIB of PE2 is:

PE2#sh mpls for   
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop    
tag    tag or VC   or Tunnel Id      switched   interface              
32     Untagged    10.0.0.0/30       0          Fa1/0      10.0.2.1     
33     Untagged    10.0.0.8/30       0          Fa1/0      10.0.2.1     
34     Untagged    10.10.0.2/32      0          Fa1/0      10.0.2.1     
35     Untagged    10.0.0.4/30       0          Fa1/0      10.0.2.1     
36     Untagged    10.0.1.0/30       0          Fa1/0      10.0.2.1     
37     Untagged    10.0.3.0/30       0          Fa1/0      10.0.2.1     
38     Untagged    10.10.0.1/32      0          Fa1/0      10.0.2.1     
39     Untagged    10.10.0.3/32      0          Fa1/0      10.0.2.1     
64     Untagged    10.10.1.1/32      0          Fa1/0      10.0.2.1     
65     Untagged    10.10.1.3/32      0          Fa1/0      10.0.2.1     
66     Aggregate   100.0.1.2/32[V]   520                                
67     Aggregate   100.2.1.0/30[V]   1456                               
68     Aggregate   100.0.2.2/32[V]   520                                
69     Aggregate   100.0.3.2/32[V]   0


Packet analysis

We start a ping from CE1 (100.1.1.2) to CE2 (100.2.1.2). The capture is taken on the PE1-P1 link.

Image:Wireshark-mvl2m.png


We recognize the tunnel cookie (0x0D28F8ED, 0x8CD3DAF1) for PE2:

PE1#sh tunnel endpoints 
[...]
 Endpoint 10.10.1.2 via destination 10.10.1.2
  Session 1025, High Cookie 0x0D28F8ED Low Cookie 0x8CD3DAF1
[...]


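The MPLS header is 0x000431FE; its top 20 bits, 0x00043 (67), are the MPLS label. This is the label PE1 imposes for 100.2.1.0/30 and the local tag PE2 holds for that prefix in its LFIB.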
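
The header layout seen in the capture can be decoded and checked as follows. This is an added example, not part of the original page or of Cisco's code: it validates the session ID and the 64-bit cookie (the check behind the "L2TPv3 cookie mismatch counters" line) before decoding the VPN label. The sample bytes are constructed from the values shown above, and the layout assumes a 64-bit cookie with no L2-specific sublayer in front of the MPLS entry.

```python
import hmac
import struct

# From the page: PE2's receive session and 64-bit cookie, as learned by PE1.
PE2_SESSION = 1025
PE2_COOKIE = bytes.fromhex("0D28F8ED8CD3DAF1")

# Constructed sample (not a real capture): the bytes following the outer IP
# header (protocol 115): session ID, cookie, MPLS entry, inner-packet stub.
SAMPLE = bytes.fromhex("00000401" "0D28F8ED8CD3DAF1" "000431FE" "45000064")


class CookieMismatch(ValueError):
    """Cookie differs from the expected one; the packet must be dropped."""


def parse_mpls_entry(word):
    """Split a 32-bit MPLS label stack entry into its RFC 3032 fields."""
    return {
        "label": word >> 12,                    # top 20 bits
        "tc": (word >> 9) & 0x7,                # 3 bits (EXP / traffic class)
        "bottom_of_stack": bool(word & 0x100),  # S bit
        "ttl": word & 0xFF,                     # low 8 bits
    }


def parse_tunnel_payload(data, session, cookie):
    """Validate session ID and cookie, then decode the VPN label.

    Assumption: the cookie has len(cookie) bytes and no L2-specific
    sublayer sits between the cookie and the MPLS label stack entry.
    """
    mpls_off = 4 + len(cookie)
    if len(data) < mpls_off + 4:
        raise ValueError("truncated L2TPv3/MPLS header")
    (sid,) = struct.unpack_from("!I", data, 0)
    if sid != session:
        raise ValueError(f"unexpected session ID {sid}")
    # Constant-time comparison, so timing does not reveal matching bytes.
    if not hmac.compare_digest(data[4:mpls_off], cookie):
        raise CookieMismatch("L2TPv3 cookie mismatch")
    (word,) = struct.unpack_from("!I", data, mpls_off)
    return {"session": sid, "cookie": data[4:mpls_off].hex(),
            **parse_mpls_entry(word)}


if __name__ == "__main__":
    print(parse_tunnel_payload(SAMPLE, PE2_SESSION, PE2_COOKIE))
```

A packet carrying another endpoint's cookie (for example PE3's, 0x693EA1DA 0x0D631034) raises CookieMismatch instead of being decoded.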