8 - Configuring A VPRN

This document discusses configuring a Virtual Private Routed Network (VPRN) on a Nokia 7750 SR platform. It assumes familiarity with MPLS and BGP/MPLS IP VPN concepts. The key aspects of a VPRN configuration are establishing service tunnels between provider edge (PE) routers to transport subscriber traffic via transport tunnels, with the PE routers maintaining VPN routing and forwarding tables to associate subscriber prefixes with customer IDs and service IDs for segmentation.

Uploaded by

LAngel Reyes

Configuring a VPRN

• This module will offer an introduction to configuring a VPRN on the Nokia 7750 SR platform.
• This module assumes the reader is familiar with the SR platform’s service architecture.
• This module also assumes the reader is familiar with the following concepts: LDP, MPLS, IGP, EGP.
• RFC 4364 - BGP/MPLS IP Virtual Private Networks (VPNs)
• https://tools.ietf.org/html/rfc4364
Sensitivity: Internal
• Subscriber not shown – The end user.
• SAP (Service Access Point) not shown – The interface that connects the subscriber to
the Service Provider.
• Customer ID – A unique value used to group services together.
• Service ID – A unique value used to identify the service.
• SDP (Service Distribution Point) – A logical representation of the transport tunnel
emulating a direct connection to a far-end PE router.
• Transport Tunnel – The LSP used to transport service data; labels signaled by L-LDP.
• Service Tunnel – Represented by service labels; labels signaled by T-LDP or BGP-LU.
• Demultiplex – The act of decapsulating data arriving at the egress PE router;
typically a ‘POP’ operation of MPLS.

[Figure: a Service (e.g. VPWS, VPLS, VPRN), identified by Customer ID and Service ID / VCID, bound to SDPs. Service Tunnels (Demultiplex) are signaled via T-LDP or BGP-LU/MP-BGP; the Transport Tunnel is signaled via L-LDP, RSVP-TE, or GRE.]
[Figure: PE routers N1, N6 and N7 interconnected by SDP / MP-BGP. VPRN Service IDs: 1122, 2233, 3344.]

PE attachments shown in the figure (SAP, subscriber, CE interface, VRF, CE address):

N1   1/1/5:40   A   Gi0/0.40   VRF 1122   192.168.1.1/31
     1/1/5:41   B   Gi0/0.41   VRF 2233   192.168.1.1/31
     1/1/5:42   C   Gi0/0.42   VRF 3344   192.168.1.1/31
N6   1/1/5:40   A   Gi0/0.40   VRF 1122   192.168.2.1/31
     1/1/5:42   C   Gi0/0.42   VRF 3344   192.168.2.1/31
N7   1/1/5:41   B   Gi0/0.41   VRF 2233   192.168.3.1/31
     1/1/5:42   C   Gi0/0.42   VRF 3344   192.168.3.1/31

N1’s Routing Tables
VPRN   Subscriber   Prefix
1122   A            192.168.1.0/31
1122   A            192.168.2.0/31
2233   B            192.168.1.0/31
2233   B            192.168.3.0/31
3344   C            192.168.1.0/31
3344   C            192.168.2.0/31
3344   C            192.168.3.0/31

N6’s Routing Tables
VPRN   Subscriber   Prefix
1122   A            192.168.1.0/31
1122   A            192.168.2.0/31
3344   C            192.168.1.0/31
3344   C            192.168.2.0/31
3344   C            192.168.3.0/31

N7’s Routing Tables
VPRN   Subscriber   Prefix
2233   B            192.168.1.0/31
2233   B            192.168.3.0/31
3344   C            192.168.1.0/31
3344   C            192.168.2.0/31
3344   C            192.168.3.0/31
Subscriber C’s Network

[Figure: CE routers R1, R2 and R3 attached to the Service Provider IP/MPLS network (Virtual Router).]

CE   Site          ASN     Gi0/0.42         Loopback42       Subscriber Network
R1   Los Angeles   65001   192.168.1.1/31   151.42.1.1/24    151.42.1.0/24
R2   New York      65002   192.168.2.1/31   98.98.98.1/24    98.98.98.0/24
R3   Dallas        65003   192.168.3.1/31   24.137.88.1/24   24.137.88.0/24

VPRN Components
MP-BGP / Multiprotocol BGP – An enhancement of BGP-4 that allows different types of addresses (AFIs/SAFIs) to be distributed in parallel. VPNv4 unicast traffic has an AFI of 1, and a SAFI of 128 (1/128).
• RFC 4760 - Multiprotocol Extensions for BGP-4; https://tools.ietf.org/html/rfc4760

BGP-LU / BGP Labeled Unicast – A MP-BGP extension used to distribute Service labels that are mapped to particular prefixes.
• RFC 3107 - Carrying Label Information in BGP-4; https://tools.ietf.org/html/rfc3107
• RFC 8277 - Using BGP to Bind MPLS Labels to Address Prefixes; https://tools.ietf.org/html/rfc8277

VRF / VPN Routing & Forwarding Table – The virtual routing table on the PE router that contains the customer’s prefixes for the VPRN.

VPNv4 Prefix – The combination of a customer’s prefix and their VRF’s Route Distinguisher.
• [Route Distinguisher] + [IPv4 Prefix] = [VPN-IPv4 / VPNv4 Prefix].

RD / Route Distinguisher – An additional string added to a customer’s prefixes so they can be distinguished from other prefixes within the Service Provider network.
• Type 0 – ASN:Assigned Number:Prefix (e.g.: {0:7029:3344:151.41.3.1/32}).
• Type 1 – IPv4 Address:Assigned Number:Prefix (e.g.: {1:6.6.6.6:3344:151.41.3.1/32}).
• Type 2 – ASN:Assigned Number:Prefix (e.g.: {2:7029:3344:151.41.3.1/32}). Note: used explicitly to signal Multicast VPNs.

RT / Route Target – A BGP-4 extended community attached to VPNv4 prefixes that identifies which VPRN the prefix belongs to.
• Type 0x00: Two-Octet AS Specific Extended Community – ASN:Assigned Number (e.g.: 7029:3344).
• Type 0x01: IPv4 Address Specific Extended Community – IPv4 Address:Assigned Number (e.g.: 6.6.6.6:3344).
• RFC 4360 - BGP Extended Communities Attribute; https://tools.ietf.org/html/rfc4360
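
An added example (not part of the original slides) that carries the [Route Distinguisher] + [IPv4 Prefix] composition through to bytes, using the page's RD 65000:3344, prefix 151.42.1.0/24 and label 3344, and shows why the RD keeps overlapping subscriber subnets apart. The function names are illustrative, only RD types 0 and 1 are handled, and the byte layouts follow RFC 4364 and RFC 8277.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """8-byte Route Distinguisher (RFC 4364): 2-byte type + 6-byte value."""
    admin, assigned = rd.rsplit(":", 1)
    if "." in admin:   # Type 1: IPv4 address + 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    if int(admin) > 0xFFFF:
        raise ValueError("only RD types 0 and 1 are handled in this example")
    return struct.pack("!HHI", 0, int(admin), int(assigned))  # Type 0: ASN + 4-byte number

def vpnv4_nlri(rd: str, prefix: str, label: int) -> bytes:
    """Labeled VPN-IPv4 NLRI: bit length, 3-byte label, 8-byte RD, prefix bytes."""
    net = ipaddress.ip_network(prefix)
    label_field = ((label << 4) | 1).to_bytes(3, "big")   # 20-bit label, bottom-of-stack set
    prefix_bytes = net.network_address.packed[:(net.prefixlen + 7) // 8]
    return bytes([24 + 64 + net.prefixlen]) + label_field + encode_rd(rd) + prefix_bytes

# Constructed sample from the page's design: N1's three VPRNs share one PE-CE subnet.
OVERLAPPING = [("65000:1122", "192.168.1.0/31"),
               ("65000:2233", "192.168.1.0/31"),
               ("65000:3344", "192.168.1.0/31")]

def distinct_keys(routes, with_rd: bool) -> int:
    """Number of distinct routing keys with or without the RD prepended."""
    keys = set()
    for rd, prefix in routes:
        net = ipaddress.ip_network(prefix)
        key = net.network_address.packed + bytes([net.prefixlen])
        keys.add((encode_rd(rd) if with_rd else b"") + key)
    return len(keys)

if __name__ == "__main__":
    print(vpnv4_nlri("65000:3344", "151.42.1.0/24", 3344).hex())
    print(distinct_keys(OVERLAPPING, with_rd=False), distinct_keys(OVERLAPPING, with_rd=True))
```

Without the RD the three subscribers' routes collapse into a single key; with it they stay separate entries in the provider's VPNv4 table.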
VPRN Components

[Figure: Subscriber C's CE routers attached to PE routers N1 and N6, which are connected by SDP / MP-BGP across the Service Provider IP/MPLS network.]

1. CE-to-PE Routing – The CE router peers with and distributes routes to the local PE router.
   CE<>PE UPDATE message: 151.42.1.0/24

2. PE-to-PE Routing – The customer’s routes are distributed to the other PE routers using Multiprotocol BGP (MP-BGP).
   PE<>PE UPDATE message: 65000:3344:151.42.1.0/24, label 3344, target:65000:3344

3. PE-to-CE Routing – The routes learned from other PE routers are distributed to the local customer network.
   PE<>CE UPDATE message: 151.42.1.0/24
[Figure: Multiplex / Demultiplex. Nodes shown: R1 (Gi0/0.42), N1 (1/1/5:42), N2, N3, N4, N5, N6 (1/1/5:42), R2 (Gi0/0.42). The Customer Payload enters and leaves unlabeled. Label stacks shown along the path: Transport Label 101 / VPN Label 3344 / Customer Payload; Transport Label 202 / VPN Label 3344 / Customer Payload; Transport Label 404 / VPN Label 3344 / Customer Payload; Transport Label 505 / VPN Label 3344 / Customer Payload.]
VPRN Configuration (Underlying Policies and Protocols)

    # Enter 'edit' mode for routing policies via the CLI.
    configure router policy-options begin
    # The name of our routing policy.
    policy-statement "MP-BGP_TO_BGP"
        # The default-action for this policy.
        default-action reject
        # The specific entry in this policy: 'from' the MP-BGP protocol, 'to' the BGP4 protocol.
        entry 1
            from protocol bgp-vpn
            to protocol bgp
            # The action for this entry.
            action accept
    # Commit changes made to this policy.
    /configure router policy-options commit

    # Enter the 'service' context.
    configure service
        # Create SDP "17006" with a far-end of 6.6.6.6 (router N6), using LDP-signaled LSPs.
        sdp 17006 mpls create
            far-end 6.6.6.6
            ldp
        # Create SDP "17007" with a far-end of 7.7.7.7 (router N7), using LDP-signaled LSPs.
        sdp 17007 mpls create
            far-end 7.7.7.7
            ldp
VPRN Configuration: CE-to-PE (from the perspective of N1)

    # Step 1: Customer ID
    configure service customer 42 create
        contact [email protected]
        description "Subscriber C, Inc."
        phone 305-999-9999

    # Step 2: Service
    configure service vprn 3344 customer 42 create
        # Step 3: ASN, RD, and RT
        autonomous-system 65000
        route-distinguisher 65000:3344
        vrf-target target:65000:3344
        # Step 4: SAP
        interface "toR1-VRF3344" create
            address 192.168.1.0/31
            sap 1/1/5:42 create
        # Step 5: CE-to-PE protocol
        bgp
            group "toR1-VRF3344"
                export "MP-BGP_TO_BGP"
                peer-as 65001
                neighbor 192.168.1.1
        # Step 6: SDP
        spoke-sdp 17006 create

1. Configure the Customer ID. All of this subscriber’s services will be grouped by the Customer ID of “42.”
2. Configure the Service. Service ID “3344” will represent the VPRN for the subscriber configured with the Customer ID of “42.” SR-OS now recognizes this subscriber's VRF as “router 3344.”
3. Configure the ASN, RD, and RT.
4. Bind the SAP. The logical router interface used to peer with the CE will be called “toR1-VRF3344,” and utilize physical port "1/1/5" with a service-delimiting vlan tag of “42.”
5. Configure the CE-to-PE Protocol. In our example we utilize an external BGP neighborship to exchange routes. We also apply the “MP-BGP_TO_BGP” policy-statement as an export policy.
6. Bind the SDP. SDP “17006” is now bound to VPRN “3344.”
VPRN Configuration: PE-to-PE (from the perspective of N1)

    configure router
        # Step 1: local ASN
        autonomous-system 7029
        bgp
            # Step 2: group for all MP-BGP peers
            group "MP-BGP_PEERS"
                # Step 3: enable MP-BGP (VPNv4)
                family vpn-ipv4
                # Step 4: peer ASN
                peer-as 7029
                # Step 5: neighbors
                neighbor 6.6.6.6 no shutdown
                neighbor 7.7.7.7 no shutdown

1. Configure the Local ASN. We’ve arbitrarily chosen AS7029 to be our routing domain’s Autonomous System Number.
2. Configure a Group. As a best practice, the group “MP-BGP_PEERS” will contain configuration for all of our MP-BGP peers.
3. Enable MP-BGP. Specify the vpn-ipv4 address family, since we’ll be distributing VPNv4 prefixes.
4. Configure the Peer ASN. Routers N6 and N7 will form a full mesh of internal BGP neighborships with N1, so all PEs will be in AS7029 (globally).
5. Configure the Neighbors. We specify router N6 (6.6.6.6) and N7 (7.7.7.7) as neighbors of N1.
VPRN Configuration: PE-to-CE (from the perspective of N6)

    # Step 1: Customer ID
    configure service customer 42 create
        contact [email protected]
        description "Subscriber C, Inc."
        phone 305-999-9999

    # Step 2: Service
    configure service vprn 3344 customer 42 create
        # Step 3: ASN, RD, and RT
        autonomous-system 65000
        route-distinguisher 65000:3344
        vrf-target target:65000:3344
        # Step 4: SAP
        interface "toR2-VRF3344" create
            address 192.168.2.0/31
            sap 1/1/5:42 create
        # Step 5: CE-to-PE protocol
        bgp
            group "toR2-VRF3344"
                export "MP-BGP_TO_BGP"
                peer-as 65002
                neighbor 192.168.2.1
        # Step 6: SDP
        spoke-sdp 17001 create

1. Configure the Customer ID. All of this subscriber’s services will be grouped by the Customer ID of “42.”
2. Configure the Service. Service ID “3344” will represent the VPRN for the subscriber configured with the Customer ID of “42.” SR-OS now recognizes this subscriber's VRF as “router 3344.”
3. Configure the ASN, RD, and RT.
4. Bind the SAP. The logical router interface used to peer with the CE will be called “toR2-VRF3344,” and utilize physical port "1/1/5" with a service-delimiting vlan tag of “42.”
5. Configure the CE-to-PE Protocol. In our example we utilize an external BGP neighborship to exchange routes. We also apply the “MP-BGP_TO_BGP” policy-statement as an export policy.
6. Bind the SDP. SDP “17001” is now bound to VPRN “3344.”
VPRN Design

R1 (AS65001)
VRF    RD           RT           Interface    Address
1122   65001:1122   65001:1122   Gi0/0.40     192.168.1.1/31
                                 Loopback40   151.40.1.1/24
2233   65001:2233   65001:2233   Gi0/0.41     192.168.1.1/31
                                 Loopback41   151.41.1.1/24
3344   65001:3344   65001:3344   Gi0/0.42     192.168.1.1/31
                                 Loopback42   151.42.1.1/24

N1 (AS7029)
VPRN   ASN     RD           RT           Interface      Address
1122   65000   65000:1122   65000:1122   toR1-VRF3344   192.168.1.0/31
2233   65000   65000:2233   65000:2233   toR1-VRF2233   192.168.1.0/31
3344   65000   65000:3344   65000:3344   toR1-VRF3344   192.168.1.0/31

R2 (AS65002)
VRF    RD           RT           Interface    Address
1122   65002:1122   65002:1122   Gi0/0.40     192.168.2.1/31
                                 Loopback40   151.40.2.1/24
3344   65002:3344   65002:3344   Gi0/0.42     192.168.2.1/31
                                 Loopback42   98.98.98.1/24

N6 (AS7029)
VPRN   ASN     RD           RT           Interface      Address
1122   65000   65000:1122   65000:1122   toR2-VRF1122   192.168.2.0/31
3344   65000   65000:3344   65000:3344   toR2-VRF3344   192.168.2.0/31

R3 (AS65003)
VRF    RD           RT           Interface    Address
2233   65003:2233   65003:2233   Gi0/0.41     192.168.3.1/31
                                 Loopback41   151.41.3.1/24
3344   65003:3344   65003:3344   Gi0/0.42     192.168.3.1/31
                                 Loopback42   24.137.88.1/24

N7 (AS7029)
VPRN   ASN     RD           RT           Interface      Address
2233   65000   65000:2233   65000:2233   toR3-VRF2233   192.168.3.0/31
3344   65000   65000:3344   65000:3344   toR3-VRF3344   192.168.3.0/31

[Figure labels: MP-BGP (7029 <> 7029); IS-IS (49.00); BGP4 (65000 <> 65001); BGP4 (65000 <> 65002); BGP4 (65000 <> 65003).]

Goals
• VPRN Underlying Requirements
• Configure a routing policy on each PE (N1, N6, N7) that will allow routes to be redistributed from MP-BGP into BGP4.
• Configure a full mesh of SDPs (T-LDP tunnels) between the PEs.

• CE-to-PE Routing
• Configure each CE to distribute a public IPv4 system address to the PE via eBGP.
• Each address MUST be in a separate broadcast domain.
• Configure a VPRN service for the subscriber on each PE.

• PE-to-PE Routing
• Configure a full mesh of MP-BGP (VPNv4 Unicast) neighborships between the PEs.

• PE-to-CE Routing
• Configure each CE to distribute a public IPv4 system address to the PE via eBGP.
• Configure a VPRN service for the subscriber on each PE.

• Verification
• Confirm IPv4 prefixes are being distributed from the CE to the PE.
• Confirm IPv4 prefixes are being converted into VPNv4 prefixes by the PE.
• Confirm VPNv4 prefixes are being redistributed to each PE with the appropriate RD.
• Confirm VPNv4 prefixes are being converted back into IPv4 prefixes, and redistributed from the PEs to the CEs.
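
An added example (not from the original slides) that turns the verification goals into an offline check: it replays the page's RD / vrf-target design through a simplified full-mesh import model and reports any route that lands in a VPRN with a different service ID. The CE prefixes are taken from the Loopback networks in the VPRN Design tables, the misconfigured vrf-target is a constructed fault, and the function names are illustrative.

```python
from collections import defaultdict

# Constructed from the page's VPRN Design tables: (PE, VPRN) -> (RD, vrf-target, CE prefix).
DESIGN = {
    ("N1", 1122): ("65000:1122", "target:65000:1122", "151.40.1.0/24"),
    ("N1", 2233): ("65000:2233", "target:65000:2233", "151.41.1.0/24"),
    ("N1", 3344): ("65000:3344", "target:65000:3344", "151.42.1.0/24"),
    ("N6", 1122): ("65000:1122", "target:65000:1122", "151.40.2.0/24"),
    ("N6", 3344): ("65000:3344", "target:65000:3344", "98.98.98.0/24"),
    ("N7", 2233): ("65000:2233", "target:65000:2233", "151.41.3.0/24"),
    ("N7", 3344): ("65000:3344", "target:65000:3344", "24.137.88.0/24"),
}

def distribute(design):
    """Full-mesh MP-BGP model: every PE exports each local route with its RD and RT;
    a receiving PE imports it only into a VPRN whose vrf-target equals the RT."""
    vrf = defaultdict(set)                 # (PE, VPRN) -> {(origin VPRN, VPNv4 route)}
    for (src_pe, src_id), (rd, rt, prefix) in design.items():
        for (dst_pe, dst_id), (_, dst_rt, _) in design.items():
            if dst_pe != src_pe and dst_rt == rt:
                vrf[(dst_pe, dst_id)].add((src_id, f"{rd}:{prefix}"))
    return vrf

def leaks(design):
    """Routes imported into a VPRN from a different service ID (broken segmentation)."""
    return sorted((pe, vprn, route)
                  for (pe, vprn), routes in distribute(design).items()
                  for origin, route in routes if origin != vprn)

def misconfigured(design):
    """Constructed fault: N7's VPRN 2233 is given subscriber C's route target."""
    bad = dict(design)
    bad[("N7", 2233)] = ("65000:2233", "target:65000:3344", "151.41.3.0/24")
    return bad

if __name__ == "__main__":
    for key, routes in sorted(distribute(DESIGN).items()):
        print(key, sorted(route for _, route in routes))
    print("leaks:", leaks(misconfigured(DESIGN)))
```

A single wrong vrf-target on one PE leaks subscriber B's prefix into subscriber C's VRF on N1 and N6 and pulls subscriber C's prefixes into B's VRF on N7, which is why the RD and RT checks in the verification list matter for segmentation and not only for reachability.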