
Implementing Layer 3 VPNs over L2TPv3 Tunnels

Layer 3 VPNs can be implemented in conjunction with L2TPv3 tunnels. This solution suits networks where the SP does not run an MPLS transport mechanism in the core to forward packets. The L2TPv3 tunnels form a tunnel network that overlays the IP backbone and interconnects the PE routers to transport VPN traffic. The multipoint tunnel uses BGP to distribute VPNv4 information between PE routers, and the advertised next hop in BGP VPNv4 triggers tunnel endpoint discovery. Dynamic L3 VPN implementation over multipoint L2TPv3 tunnels also allows multiple service providers to cooperate and offer a joint VPN service, with traffic tunneled directly from the ingress PE router at one service provider to the egress PE router at a different service provider site.

When implementing dynamic L3VPNs over L2TPv3 tunnels, the addition of new remote VPN peers is simplified because only the new router needs to be configured. The new address is learned dynamically and propagated to the other nodes in the network.

In Figure 10-9, Customer A routers CE1-A, CE2-A, and CE3-A are to be connected using dynamic Layer 3 VPN over L2TPv3 tunnels by the service provider routers PE1-AS1, PE2-AS1, and PE3-AS1. Static PE to CE is configured for the Customer A CE routers. In addition, no MPLS is configured in the core transport network, and all traffic between Customer A sites is propagated using L2TPv3 tunnels between the PE routers in the SP network.

Figure 10-9. Topology for L3VPN Over L2TPv3 Tunnels


Figure 10-9 shows the base configuration of devices prior to the implementation of L3VPN over L2TPv3 tunnels. All configurations on the PE routers are the same as in the case of regular static PE to CE configurations. The only difference is that no MPLS is enabled on the core interfaces, and L2TPv3 tunnels are configured to enable route propagation between PE routers that belong to Customer A.

Configuring L3VPN over L2TPv3 Tunnels

Figure 10-10 shows the configuration flowchart for the PE routers in addition to the configuration shown in Figure 10-9. The steps shown in the flowchart are explained here:

Step 1.
Configure an additional VRF that will be used to transport mGRE.

Step 2.
Configure a tunnel interface and assign it to the VRF associated with mGRE. Configure an IP address and set the tunnel mode to l3vpn l2tpv3 multipoint.

Step 3.
Configure a default route for the mGRE VRF pointing to the tunnel interface.

Step 4.
Configure a route-map to set the next-hop resolution to the L2TPv3 VRF.

Step 5.
Associate the route-map inbound for VPNv4 routes learned from MP-BGP neighbors.

Step 6.
Configure the IPv4 tunnel SAFI for the MP-BGP peers. Configuring this SAFI allows BGP to advertise the tunnel endpoints and the SAFI-specific attributes (which contain the tunnel type and the tunnel capabilities) between the PE routers.

Figure 10-10. L3VPN Over L2TPv3 Configuration Flowchart


Figure 10-11 shows the L3VPN over L2TPv3 tunnels configuration for PE1-AS1, PE2-AS1, and PE3-AS1 routers. The highlighted portion depicts the important configuration steps with relation to implementation of L3VPN over L2TPv3 tunnels.

Figure 10-11. Layer 3 VPN Over L2TPv3 Configuration


Verification for L3VPN over L2TPv3 Tunnels

The following steps verify the implementation of L3VPN over L2TPv3 tunnels:

Step 1.
Verify the tunnel's operational state using the show tunnel endpoints command on the PE routers, as shown in Example 10-12.

Example 10-12. Verify Tunnel Endpoints of L2TPv3 Tunnel
PE1-AS1#show tunnel endpoints
 Tunnel0 running in Multi-L2TPv3 (L3VPN) mode
  RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0
  Transporting l3vpn traffic to all routes recursing through "l3vpn_l2tpv3"

 Endpoint 10.10.10.102 via destination 10.10.10.102
  Session 1025, High Cookie 0x4C9DDF2F Low Cookie 0xA82C4E76
 Endpoint 10.10.10.103 via destination 10.10.10.103
  Session 1025, High Cookie 0xC2689B74 Low Cookie 0x1A58AE6C

 Tunnel Endpoint Process Active
 MGRE L3VPN Summary
   Active Tunnel: None
 L2tpv3 L3VPN Summary
   Active Tunnel Tunnel0: Current receive session 1025
   L2TPv3 cookie mismatch counters: 0

________________________________________________________________

PE2-AS1#show tunnel endpoints
 Tunnel0 running in Multi-L2TPv3 (L3VPN) mode
  RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0
  Transporting l3vpn traffic to all routes recursing through "l3vpn_l2tpv3"

 Endpoint 10.10.10.101 via destination 10.10.10.101
  Session 1025, High Cookie 0x0DB50E05 Low Cookie 0x44281295
 Endpoint 10.10.10.103 via destination 10.10.10.103
  Session 1025, High Cookie 0xC2689B74 Low Cookie 0x1A58AE6C

 Tunnel Endpoint Process Active
 MGRE L3VPN Summary
   Active Tunnel: None
 L2tpv3 L3VPN Summary
   Active Tunnel Tunnel0: Current receive session 1025
   L2TPv3 cookie mismatch counters: 0

________________________________________________________________

PE3-AS1#show tunnel endpoints
 Tunnel0 running in Multi-L2TPv3 (L3VPN) mode
  RFC2547/L3VPN Tunnel endpoint discovery is active on Tu0
  Transporting l3vpn traffic to all routes recursing through "l3vpn_l2tpv3"

 Endpoint 10.10.10.101 via destination 10.10.10.101
  Session 1025, High Cookie 0x0DB50E05 Low Cookie 0x44281295
 Endpoint 10.10.10.102 via destination 10.10.10.102
  Session 1025, High Cookie 0x4C9DDF2F Low Cookie 0xA82C4E76

 Tunnel Endpoint Process Active
 MGRE L3VPN Summary
   Active Tunnel: None
 L2tpv3 L3VPN Summary
   Active Tunnel Tunnel0: Current receive session 1025
   L2TPv3 cookie mismatch counters: 0

Step 2.
Verify that routes are received on the Customer A VRF using the L2TPv3 L3VPN VRF, as shown in Example 10-13.

Example 10-13. Verify Routes in Customer A VRF
PE1-AS1#show ip route vrf CustA bgp
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
B       172.16.2.0/30 [200/0] via 10.10.10.102 (l3vpn_l2tpv3), 00:29:24
B       172.16.3.0/30 [200/0] via 10.10.10.103 (l3vpn_l2tpv3), 00:24:20
B       172.16.100.2/32 [200/0] via 10.10.10.102 (l3vpn_l2tpv3), 00:20:53
B       172.16.100.3/32 [200/0] via 10.10.10.103 (l3vpn_l2tpv3), 00:20:23

________________________________________________________________

PE2-AS1#show ip route vrf CustA bgp
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
B       172.16.1.0/30 [200/0] via 10.10.10.101 (l3vpn_l2tpv3), 00:23:00
B       172.16.3.0/30 [200/0] via 10.10.10.103 (l3vpn_l2tpv3), 00:23:00
B       172.16.100.1/32 [200/0] via 10.10.10.101 (l3vpn_l2tpv3), 00:23:00
B       172.16.100.3/32 [200/0] via 10.10.10.103 (l3vpn_l2tpv3), 00:21:00

________________________________________________________________

PE3-AS1#show ip route vrf CustA bgp
     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
B       172.16.1.0/30 [200/0] via 10.10.10.101 (l3vpn_l2tpv3), 00:00:21
B       172.16.2.0/30 [200/0] via 10.10.10.102 (l3vpn_l2tpv3), 00:28:40
B       172.16.100.1/32 [200/0] via 10.10.10.101 (l3vpn_l2tpv3), 00:00:21
B       172.16.100.2/32 [200/0] via 10.10.10.102 (l3vpn_l2tpv3), 00:27:24

Step 3.
Verify reachability between the CE routers using pings, as illustrated in Example 10-14.

Example 10-14. Verify Reachability Using Pings
CE1-A#ping 172.16.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

CE1-A#ping 172.16.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
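
The Step 1 check can be scripted across all three PE routers. The following Python sketch is an added example, not part of the original text: it parses show tunnel endpoints output in the layout of Example 10-12 and reports missing or unexpected endpoints, a nonzero cookie mismatch counter, and a session or cookie that differs between PE routers for the same endpoint. The function names and the faulty BAD sample are constructed for illustration; the addresses and cookies are those shown in Examples 10-12 and 10-15.

```python
import re

# Loopback0 addresses of the three PE routers, taken from Example 10-15.
LOOPBACKS = {"PE1-AS1": "10.10.10.101", "PE2-AS1": "10.10.10.102",
             "PE3-AS1": "10.10.10.103"}
ENDPOINT_RE = re.compile(
    r"Endpoint (\S+) via destination \S+\s+"
    r"Session (\d+), High Cookie (0x[0-9A-Fa-f]+) Low Cookie (0x[0-9A-Fa-f]+)")
MISMATCH_RE = re.compile(r"cookie mismatch counters: (\d+)")

def parse(text):
    """Return ({endpoint: (session, high, low)}, mismatch counter or None)."""
    eps = {ip: (int(s), hi, lo) for ip, s, hi, lo in ENDPOINT_RE.findall(text)}
    m = MISMATCH_RE.search(text)
    return eps, (int(m.group(1)) if m else None)

def audit_endpoints(outputs):
    """outputs maps PE name to its 'show tunnel endpoints' text; returns findings."""
    findings, first_seen = [], {}
    for pe in sorted(outputs):
        eps, mismatches = parse(outputs[pe])
        expected = set(LOOPBACKS.values()) - {LOOPBACKS[pe]}
        findings += [f"{pe}: no endpoint for {ip}" for ip in sorted(expected - set(eps))]
        findings += [f"{pe}: unexpected endpoint {ip}" for ip in sorted(set(eps) - expected)]
        if mismatches != 0:  # None means the counter line was not found
            findings.append(f"{pe}: cookie mismatch counter is {mismatches}")
        for ip in sorted(eps):
            # Assumption drawn from Example 10-12: every PE shows the same
            # session and cookie for a given remote endpoint.
            origin, params = first_seen.setdefault(ip, (pe, eps[ip]))
            if params != eps[ip]:
                findings.append(f"{pe}: {ip} session/cookie differs from {origin}")
    return findings

def sample(*rows, mismatches=0):
    """Constructed output in the layout of Example 10-12 (not a capture)."""
    body = "".join(f" Endpoint {ip} via destination {ip}\n"
                   f"  Session 1025, High Cookie {hi} Low Cookie {lo}\n"
                   for ip, hi, lo in rows)
    return body + f"   L2TPv3 cookie mismatch counters: {mismatches}\n"

E101 = ("10.10.10.101", "0x0DB50E05", "0x44281295")  # values from Example 10-12
E102 = ("10.10.10.102", "0x4C9DDF2F", "0xA82C4E76")
E103 = ("10.10.10.103", "0xC2689B74", "0x1A58AE6C")
GOOD = {"PE1-AS1": sample(E102, E103), "PE2-AS1": sample(E101, E103),
        "PE3-AS1": sample(E101, E102)}
# Constructed fault: PE3-AS1 lost 10.10.10.102 and holds another cookie for .101.
BAD = {**GOOD, "PE3-AS1": sample(("10.10.10.101", "0x11111111", "0x44281295"),
                                 mismatches=7)}
```

Calling audit_endpoints(GOOD) returns an empty list, while audit_endpoints(BAD) returns one finding per problem on PE3-AS1.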

Final Configurations for L3VPN over L2TPv3 Tunnels for PE Routers

Example 10-15 shows the final configuration of the PE routers for the implementation of L3VPN over L2TPv3 tunnels. For configurations of the CE routers and the P1-AS1 router, refer to Figure 10-9.

Example 10-15. Configurations for PE Routers
hostname PE1-AS1
!
ip cef
ip vrf CustA
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf l3vpn_l2tpv3
 rd 100:100
!
interface Loopback0
 ip address 10.10.10.101 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding l3vpn_l2tpv3
 ip address 172.16.1.101 255.255.255.255
 tunnel source Loopback0
 tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
 ip address 10.10.10.1 255.255.255.252
!
interface Serial1/0
 description connection to CE1-A
 ip vrf forwarding CustA
 ip address 172.16.1.1 255.255.255.252
!
router ospf 100
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
 no synchronization
 neighbor 10.10.10.102 remote-as 1
 neighbor 10.10.10.102 update-source Loopback0
 neighbor 10.10.10.103 remote-as 1
 neighbor 10.10.10.103 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 tunnel
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.103 activate
 exit-address-family
 !
 address-family vpnv4
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.102 send-community extended
 neighbor 10.10.10.102 route-map vpn_l2tpv3 in
 neighbor 10.10.10.103 activate
 neighbor 10.10.10.103 send-community extended
 neighbor 10.10.10.103 route-map vpn_l2tpv3 in
 exit-address-family
 !
 address-family ipv4 vrf CustA
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 exit-address-family
!
ip route vrf CustA 172.16.100.1 255.255.255.255 172.16.1.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
 set ip next-hop in-vrf l3vpn_l2tpv3

________________________________________________________________

hostname PE2-AS1
!
ip cef
ip vrf CustA
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf l3vpn_l2tpv3
 rd 100:100
!
interface Loopback0
 ip address 10.10.10.102 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding l3vpn_l2tpv3
 ip address 172.16.1.102 255.255.255.255
 tunnel source Loopback0
 tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
 ip address 10.10.10.5 255.255.255.252
!
interface Serial1/0
 description connection to CE2-A
 ip vrf forwarding CustA
 ip address 172.16.2.1 255.255.255.252
!
router ospf 100
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
 no synchronization
 neighbor 10.10.10.101 remote-as 1
 neighbor 10.10.10.101 update-source Loopback0
 neighbor 10.10.10.103 remote-as 1
 neighbor 10.10.10.103 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 tunnel
 neighbor 10.10.10.101 activate
 neighbor 10.10.10.103 activate
 exit-address-family
 !
 address-family vpnv4
 neighbor 10.10.10.101 activate
 neighbor 10.10.10.101 send-community extended
 neighbor 10.10.10.101 route-map vpn_l2tpv3 in
 neighbor 10.10.10.103 activate
 neighbor 10.10.10.103 send-community extended
 neighbor 10.10.10.103 route-map vpn_l2tpv3 in
 exit-address-family
 !
 address-family ipv4 vrf CustA
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 exit-address-family
!
ip route vrf CustA 172.16.100.2 255.255.255.255 172.16.2.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
 set ip next-hop in-vrf l3vpn_l2tpv3

________________________________________________________________

hostname PE3-AS1
!
ip cef
ip vrf CustA
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf l3vpn_l2tpv3
 rd 100:100
!
interface Loopback0
 ip address 10.10.10.103 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding l3vpn_l2tpv3
 ip address 172.16.1.103 255.255.255.255
 tunnel source Loopback0
 tunnel mode l3vpn l2tpv3 multipoint
!
interface Serial0/0
 ip address 10.10.10.9 255.255.255.252
!
interface Serial1/0
 description connection to CE3-A
 ip vrf forwarding CustA
 ip address 172.16.3.1 255.255.255.252
!
router ospf 100
 network 10.0.0.0 0.255.255.255 area 0
!
router bgp 1
 no synchronization
 neighbor 10.10.10.101 remote-as 1
 neighbor 10.10.10.101 update-source Loopback0
 neighbor 10.10.10.102 remote-as 1
 neighbor 10.10.10.102 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 tunnel
 neighbor 10.10.10.101 activate
 neighbor 10.10.10.102 activate
 exit-address-family
 !
 address-family vpnv4
 neighbor 10.10.10.101 activate
 neighbor 10.10.10.101 send-community extended
 neighbor 10.10.10.101 route-map vpn_l2tpv3 in
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.102 send-community extended
 neighbor 10.10.10.102 route-map vpn_l2tpv3 in
 exit-address-family
 !
 address-family ipv4 vrf CustA
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 exit-address-family
!
ip route vrf CustA 172.16.100.3 255.255.255.255 172.16.3.2
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
!
route-map vpn_l2tpv3 permit 10
 set ip next-hop in-vrf l3vpn_l2tpv3
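
Configuration Steps 2 through 6 can be checked mechanically against a PE configuration such as Example 10-15. The following Python sketch is an added example, not part of the original text: it confirms that the multipoint L2TPv3 tunnel sits in a VRF, that the VRF has a default route through the tunnel, and that every activated VPNv4 neighbor has both the inbound next-hop route-map and the IPv4 tunnel SAFI. The function names are hypothetical, and the CONFIG sample is constructed from the PE1-AS1 lines with one route-map statement removed.

```python
import re

# Constructed input: the L2TPv3-related lines of PE1-AS1 from Example 10-15,
# with the inbound route-map for neighbor 10.10.10.103 deliberately omitted.
CONFIG = """\
interface Tunnel0
 ip vrf forwarding l3vpn_l2tpv3
 tunnel mode l3vpn l2tpv3 multipoint
router bgp 1
 address-family ipv4 tunnel
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.103 activate
 exit-address-family
 address-family vpnv4
 neighbor 10.10.10.102 activate
 neighbor 10.10.10.102 route-map vpn_l2tpv3 in
 neighbor 10.10.10.103 activate
 exit-address-family
ip route vrf l3vpn_l2tpv3 0.0.0.0 0.0.0.0 Tunnel0
route-map vpn_l2tpv3 permit 10
 set ip next-hop in-vrf l3vpn_l2tpv3
"""

def family(cfg, name):
    """Text between 'address-family <name>' and its exit-address-family."""
    m = re.search(rf"address-family {name}\n(.*?)exit-address-family", cfg, re.S)
    return m.group(1) if m else ""

def audit_config(cfg):
    """Return the findings for Steps 2-6; an empty list means all are present."""
    tun = re.search(r"^interface (Tunnel\d+)\n((?:[ \t].*\n|\n)*)", cfg, re.M)
    vrf = re.search(r"ip vrf forwarding (\S+)", tun.group(2)) if tun else None
    if not vrf or "tunnel mode l3vpn l2tpv3 multipoint" not in tun.group(2):
        return ["step 2: no multipoint L2TPv3 tunnel interface in a VRF"]
    vrf, ifname, out = vrf.group(1), tun.group(1), []
    v = re.escape(vrf)
    if not re.search(rf"^ip route vrf {v} 0\.0\.0\.0 0\.0\.0\.0 {ifname}\s*$", cfg, re.M):
        out.append(f"step 3: no default route in VRF {vrf} via {ifname}")
    # Step 4: route-maps whose body sets the next hop in the tunnel VRF.
    maps = set(re.findall(
        rf"^route-map (\S+) permit \d+\n(?:[ \t].*\n|\n)*?[ \t]+set ip next-hop in-vrf {v}\s*$",
        cfg, re.M))
    vpnv4, tunnel = family(cfg, "vpnv4"), family(cfg, "ipv4 tunnel")
    peers = set(re.findall(r"neighbor (\S+) activate", vpnv4))
    mapped = {ip for ip, rm in re.findall(r"neighbor (\S+) route-map (\S+) in\b", vpnv4) if rm in maps}
    out += [f"steps 4-5: {ip} lacks inbound route-map for in-vrf {vrf}" for ip in sorted(peers - mapped)]
    safi = set(re.findall(r"neighbor (\S+) activate", tunnel))
    out += [f"step 6: {ip} not activated under ipv4 tunnel" for ip in sorted(peers - safi)]
    return out
```

With the sample above, audit_config(CONFIG) reports the missing inbound route-map for 10.10.10.103; restoring that line yields an empty list.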
