3. Overlapping VPN – Advanced
Now in this section we'll continue with our overlapping VPN concept. If you remember, in our previous sections we have seen some basic simple VPNs, and using that basic simple VPN we can make sure that customer site A1 can communicate with customer site A2 on both sides. Similarly, customer B1 can communicate with customer B2. And then we have seen the concept of an overlapping VPN: what if a customer, say customer A, wants to communicate with customer B? So I want to make sure that the route exchange between customer A and B happens. What I can do is simply go to customer A's routes, customer A1 and customer A2.
I can simply import the route target value 500:2, because customer B is using 500:2 here and customer A is using 500:1, and in a similar way I can say customer B1 and B2 are going to import the routes of customer A. So if I say import 500:1 on B1 and B2, it will automatically import all the routes of customer A1 and A2. But let's take an example; let's get into some slightly more complex overlapping VPNs. What if I want to exchange the routes between only selected sites? In the previous scenario, what we did was make all the sites of customer A and B able to communicate with each other.
But what if my requirement is that customer A1 should exchange routes with customer A2? That is again happening by default, because they belong to the same VPN, the same customer's sites. And I want to make sure that my customer A1 also exchanges routes with customer B2, that is customer B site two, but not with B1. So I don't want to exchange routes between customer A1 and B1, but I do want to exchange routes between customer A1 and B2: selected sites. This is something more common, because you may come across scenarios where you want to exchange routes between selected sites of two different customers. Now in this kind of scenario, again we use the same kind of concept.
What we did, we have to import and export the same way as we did in the overlapping VPN. But this time, if I go with the same concept as before, it's not going to work, so we need to make some changes here. So if I just say, okay, my requirement is that A1 should exchange routes with B2. That's the first thing. A1 to B2, it should work. A1 to A2 is already working, but between A1 and B1 I don't want to exchange routes. So in this scenario you might be thinking, okay, let's import and export the values, because we know that customer A1 and A2 are using the route target value 500:1 and B1 and B2 are using the route target value 500:2 as per our lab. So I can simply go to router 1.
Here, on A1, I'll say import 500:2, which means it is not only going to import the routes from B2, which is what we want, but also all the routes coming from B1. This is something we really don't want. We don't want this to happen, because in the previous example we have seen that each site of customer B wants to exchange routes, and then we can simply add this command if you want to make that possible. But in this scenario, this doesn't work, because if I say import 500:2 on A1 and A2 on both sides, it will not only import the routes from B1, it will also import the routes from, sorry, this is B2 and this is B1 actually.
Okay? So it not only imports the routes from B2, it also imports the routes from B1 as well, which I don't want. So what's the solution in this scenario? To overcome this, what we need to do is use a new route target value. So my requirement is, let me write it down once again: I want to make sure that A1 exchanges routes with A2, which means they're already exporting 500:1. And then I want to make sure that A1 also exchanges routes with B2, which is already exporting 500:2. But I want to make sure that A1 does not exchange routes with B1. So I want to make sure that only one specific customer site exchanges the routes.
Now in this scenario, what I'll do is configure a new route target value. So I'll say, okay, router 1 is already exporting 500:1 and also importing 500:1. Once you do import and export 500:1, customer A1 and A2 will automatically communicate with each other. The same thing is happening for A1 as well as A2, on router 1 and router 3. In a similar way, customer B1 and B2 are importing and exporting the 500:2 value, which allows customer B1 and B2 to communicate with each other. Now finally, I want to make sure that the routes from customer A1, A1 should communicate with this one, and also that A2 should communicate with B2.
That's my requirement. So in this scenario, we are just focusing on A1 to B2. What I'll do now on router A1, that is on router 1, is export all the routes of customer A1 with a new route target value. So on router 1 I'm going to say export 500:12, which is a new route target value, which means these routes are also exported with another route target value of 500:12. And then I'm going to tell this router, that is router 3, under the VRF B1, sorry, B2, to import 500:12. Now, this import value is only configured on B2 and it is not configured on B1, which means this B1 is not importing 500:1 and it's not importing 500:12.
So that makes sure that customer B2 will only receive the routes from customer A1, as well as B1, and A2 if you want. Because here I'm not exporting on A2, because my requirement is not between A2 and B2; that is not my requirement. So I want to make sure that only the communication between A1 and B2 happens. So I'm exporting with a value of 500:12 and then importing on B2 with a value of 500:12 on the other side. This is going to make sure that all the routes will be exchanged between A1 and B2. So this is our requirement here, and I'm going to do the same kind of task here. If we just get back to my task in my lab: configure router 1 and router 3 to ensure that site A1 can exchange routes not only with A2, it should also exchange with B2, but not with A1.
So let's try to configure that. What I'm doing here is the same thing: I'm exporting my values, exporting and importing with 500:12, and then the same thing I'm doing on customer B2. So I'm going to do it on A1 as well as on B2. Export, import; anyway, you have to do both, because if you don't do it on both sites it will only be one way. So I'm exporting my values and importing on the other side. Similarly, I'm exporting with 500:12 here and then importing back on the other side as well. Let us practically verify this. Before I actually verify, I need to remove the configurations which I did in my previous lab. If we just get back to the VRF configurations we did in our previous lab, we are actually importing 500:2 also on router 1 for A1, because in the previous lab, if you remember, we had communication between customer A and B.
All the sites should exchange the routes. So I need to remove that configuration before I continue. I need to say ip vrf A1, then no route-target 500:2, sorry, no route-target import. This command varies a little bit depending upon the IOS version, so I get confused with that. Let me check what the exact command is in this IOS version. I'm using ip vrf A1 and I need to simply say no, I'll go with this one. Okay, it's already removed, so no need to worry. But I have to remove it from B1 as well. So I'll copy this line, then I need to say ip vrf B1 and then remove this one. The same thing I need to do on router 3 as well, just to make sure that it works.
Just like a normal simple VPN, where site A1 should communicate with A2 and B1 should communicate with B2, but there should not be any route exchange between A and B. That is the pre-configuration you require to implement this lab. So I'm going to say ip vrf A-2 and remove this one, and then on B2 I need to remove that one as well. Let me clear the BGP VPNv4 sessions for faster convergence: I need to say clear ip bgp * vpnv4 unicast. Let me try the same command on router 3 and router 1. Okay, so I'll give it some time for convergence. After some time the neighborship will come up and there will be an exchange of routes. And the pre-requirement is that you need to make sure that only the routes from customer A1 can communicate with A2.
A2, that is fine. Five and six should be in one VPN and seven and eight should be part of a separate VPN. That is the final thing we need to have. So if I verify now, show ip route vrf, sorry, show ip bgp vpnv4 vrf A1, I should see only five and six, which belong to customer A1 and A2. And if I verify B1, I should see only seven and eight, in a similar way. If I go and check on router 3 as well, show ip bgp vpnv4 vrf A-2, I should see only five and six. Five is not coming. Actually, I missed one command here, as-override. I configured as-override on this side; maybe I missed it on router 1. Let me troubleshoot this one. Okay, I did nothing, just ran clear ip bgp. I just cleared the BGP process and then after some time I was able to see all the routes.
So now if I just get back and verify once again on router 1, I'll try to verify the customer A routes; I should be able to see five and six. In a similar way, for customer B on router 1, I should be able to see seven and eight. Let's do the same thing on router 3 as well, the other PE router: on B2 I should be able to see seven and eight, and on A2 I should be able to see five and six. So now the customer A sites, A1 and A2, are able to communicate with their own customer sites, and B1 and B2 are able to communicate. Now, my requirement here is that customer A1 should exchange routes with customer B2.
So A1 should communicate with A2 as well as B2. What we are doing is exporting with a new route target value. So I'll go to router 1 and under the VRF A1, I'll say ip vrf A1, then route-target export 500:12. That's the new route target value I'm using. And then I'm also using route-target import, because from the opposite side we need to exchange the routes too. I need to say import. That's it. So if we just get back to what I did, I configured route-target import and export 500:12 under the VRF. The same thing I need to do on router 3, but it has to be done under the VRF B2, because my requirement is that A1 should exchange routes with B2. So I need to say route-target import 500:12 and then route-target export 500:12.
Now, once you make this possible, automatically the customer site A1, that is five five, should be able to access eight eight, which belongs to customer B2, but I should not see any routes coming from seven seven, which is B1. Let's try to verify. I'll go to router 1 to verify this: show ip route, or I can say show ip bgp vpnv4 vrf A1. I should be able to see the route which is coming from B2; that is, you can see eight, but I cannot see seven, which belongs to B1. In a similar way, if I go and check on router 3, show ip bgp vpnv4 vrf B2, I should be able to see seven and eight, which belong to the same customer, B1 and B2, but I can also see the routes coming from A1.
But let's say in future I want to make sure that this customer B2 should also exchange routes with A2 as well. In that case, here also we need to do the same thing: we need to say export the route target value of 500:12, and then we need to just add 500:12 there also. This way we can ensure the exchange between the sites of two different customers, but we are actually exchanging only selected routes. So whenever you are thinking of exchanging routes between two different customers' sites, and maybe only selected sites, in that case we need to export the routes with a new route target value. So we need to assign a new route target value and then use the import and export options.
So let me just give a quick review of how exactly it is going to work here. In this scenario, what we did: our customer A1 is by default exchanging routes with customer A2 with a route target value of 500:1, import and export. And customer B1 is able to exchange routes with customer B2 with a simple route target import and export value of 500:2 on both sides. But our requirement was to make sure that the route exchange happens between customer A1 and only B2. Okay, so if I normally import 500:1 here, it is not only going to import customer A1, it will import the customer A2 routes also, which is exactly what we don't want. In a similar way,
if on A1 I say import 500:2, it will not only import B2 routes, it will also import B1 routes. And again, I don't want that. So I want to be more specific: A1 should exchange routes only with B2. So in this case, what we do is export our values with a new route target value, and at the same time we are importing on the other side, import 500:12, the same way. Here we have to export with a new route target value 500:12 and then import again only on customer A1. This way we can make sure that only selected sites between the two different customers can actually exchange routes. When we assign these route target values, it is going to exchange all the routes between the two different sites. If you want to select specific routes, we can actually use something called export maps. Again, that is a different topic. Bye.
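The route-target logic the lecture walks through, as an added model that is not the lecturer's lab configuration: it assumes constructed prefixes (5.5.5.0/24 and so on, one per site A1, A2, B1, B2) and applies the rule IOS uses, installing a VPNv4 route into a VRF when any route target on the route matches one of the VRF's import route targets. It contrasts the naive attempt (A1 importing 500:2, which leaks B1) with the dedicated 500:12 route target on A1 and B2 only.

```python
"""Model of route-target (RT) driven VPNv4 route distribution for the four-site
overlapping VPN lab. Added illustration, not the lecturer's configuration.
Prefixes and VRF names are constructed; the RTs 500:1, 500:2 and 500:12 are
the values used in the lecture."""
from dataclasses import dataclass

RT_A, RT_B, RT_A1_B2 = "500:1", "500:2", "500:12"

# Constructed sample prefixes, one per customer site (the "5, 6, 7, 8" of the lab).
PREFIX = {"A1": "5.5.5.0/24", "A2": "6.6.6.0/24",
          "B1": "7.7.7.0/24", "B2": "8.8.8.0/24"}

# Baseline: each VRF imports and exports only its own customer's RT.
BASE = {"A1": RT_A, "A2": RT_A, "B1": RT_B, "B2": RT_B}


@dataclass(frozen=True)
class Vrf:
    name: str
    exports: frozenset   # RTs attached to routes advertised from this VRF
    imports: frozenset   # RTs this VRF accepts from the VPNv4 table


def build_vrfs(extra=None):
    """extra maps a VRF name to (additional export RTs, additional import RTs)."""
    extra = extra or {}
    vrfs = []
    for name, rt in BASE.items():
        add_exp, add_imp = extra.get(name, ((), ()))
        vrfs.append(Vrf(name, frozenset([rt, *add_exp]), frozenset([rt, *add_imp])))
    return vrfs


def vpnv4_table(vrfs):
    """Each VRF's CE-learned prefix becomes a VPNv4 route carrying its export RTs."""
    return [(PREFIX[v.name], v.exports) for v in vrfs]


def vrf_routes(vrf, table):
    """A VPNv4 route is installed when any attached RT matches an import RT."""
    return sorted(p for p, rts in table if rts & vrf.imports)


def all_tables(extra=None):
    vrfs = build_vrfs(extra)
    table = vpnv4_table(vrfs)
    return {v.name: vrf_routes(v, table) for v in vrfs}


def naive_attempt():
    """First idea from the lecture: A1 simply imports customer B's RT 500:2."""
    return all_tables({"A1": ((), (RT_B,))})


def selected_sites():
    """The fix: a dedicated RT 500:12 imported and exported on A1 and B2 only,
    i.e. 'route-target export 500:12' plus 'route-target import 500:12' under
    ip vrf A1 on router 1 and under ip vrf B2 on router 3."""
    both = ((RT_A1_B2,), (RT_A1_B2,))
    return all_tables({"A1": both, "B2": both})


def leaked_into(tables, site, unwanted_site):
    """True if site's VRF received a prefix it was not meant to see."""
    return PREFIX[unwanted_site] in tables[site]


if __name__ == "__main__":
    for label, tables in (("naive", naive_attempt()), ("selected", selected_sites())):
        print(label)
        for name, routes in tables.items():
            print(f"  vrf {name}: {routes}")
```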
4. Layer 2 MPLS VPN – Overview
Layer two VPNs. Now in this section I am going to give you a basic overview of layer two VPNs inside MPLS. If you just get back to the previous concepts, we have seen L3 VPNs. Now MPLS supports two kinds of VPNs: we have something called L3 VPNs and L2 VPNs. One of the major differences between L3 and L2 VPNs is that in L3 VPNs, the service provider is going to participate in the customer routing, whereas in the case of L2 VPN, it is just providing a layer two connection between the customer sites. Let's try to understand it in more detail. If you just get back to the previous topics, L3 VPNs, how do they work? By default, the customer is going to advertise their own routes to the provider edge router.
And the provider edge router is going to maintain those customer routes in a separate routing table, which we call a VRF: VRF A, VRF B. Then it is going to propagate those routes through the VPN as VPNv4 routes to the other provider edge router. So it reaches the other end of the provider network, and then through redistribution again those routes get advertised back to the customer. Finally, you will be providing reachability from customer to customer. Now here there is no direct routing between customer and customer; the routing takes place between the customer and the provider edge router on each side.
And then through redistribution they exchange the routes. This is the whole concept of L3 VPNs, which we have seen previously. Now in the case of L2 VPNs, how is it going to be? In the case of an L2 VPN between two different customers, the routing is going to take place only between the two customer sites. The service provider is not participating in any of the routing for the customer, which means the provider's router is not at all aware of any of the customer routes. There's no PE-to-CE routing required here. Now all your traffic, the layer two protocols, is going to be encapsulated, all your payload, over the MPLS. It's more like a tunnel.
From this end to that end, between customer and customer, we have a logical connection between these two and they appear as if they are directly connected. Logically they are connected. Physically, router 5 is connected to router 1, from router 1 to router 3 there is a connection again through MPLS, maybe with many hops in between, and then router 3 is providing the connection to router 6. That is the exact physical connection. But when you see it logically, router 5 seems to be directly connected to router 6, directly through the MPLS cloud.
Now here the service provider is only providing the layer two connection between the two customer edge routers, but not actually taking any routes from the customer; it's not participating in any of the routing. So we have an end-to-end broadcast domain established: any broadcast that comes in on router 5 goes to router 6. Now if I do show cdp neighbor on router 5, physically it is connected to router 1, but it will not show router 1; it is going to show router 6 as the neighbor. So it's more like a leased line connection between router 5 and router 6. That's the major difference between L2 VPNs and L3 VPNs.
Now, when are L2 VPNs more applicable? As per the requirement, you can either use L3 VPNs to provide a connection between the two different customer sites, or L2 VPNs can also be used. So when might you want to use an L2 VPN? What is the advantage I get with L2 VPNs over L3 VPNs? One of the main advantages is that there is no PE-to-CE routing. So the service provider is not participating in any of the routing information between customer and customer; it's just providing a layer two connection between the two endpoints. And one more advantage, let's take an example.
If this customer router is not enabled with routing, maybe this customer router is not capable of doing routing, maybe it's a layer two switch which cannot understand routing configurations; in this case also I can provide a connection between these two devices directly through the MPLS without actually doing any routing configuration between them. So in that scenario also we can use L2 VPNs. Or let's say, for example, you might want to use an L3 VPN but the service provider only supports BGP as a PE-to-CE routing protocol, or only supports OSPF, but maybe on the customer side you are using the RIP protocol, where your service provider is not providing PE-to-CE routing using RIP.
In that case I can also go with the L2 VPN concept. It's a very small concept when you compare it with L3 VPNs, but this is also one way of connecting the customer sites between the two ends. Now to make that possible, we actually use a different set of protocols. We have something called the L2TPv3 protocol, Any Transport over MPLS (AToM), and then VPLS, Virtual Private LAN Service. So let me just give you a basic overview of these three protocols. The first thing, we'll start with L2TPv3. Now between customer and customer it is going to provide a separate connection, and then we are actually going to do some configuration on this interface.
From this interface to the other interface which is facing towards the customer, we actually configure something called a pseudowire: a logical connection established from one end to the other end. It's more like a tunnel configuration, but this pseudowire, or tunnel, whatever you call it, is going to be established based on IP reachability. Now, in order to make this possible, the service provider backbone need not be MPLS; it must have IP reachability. So there should be IP reachability, which means it's not mandatory that you use MPLS. So without MPLS, in fact, you can use L2TPv3. But if it is MPLS also, it doesn't make a difference, because we still have reachability from end to end through IP.
So it's going to encapsulate your traffic over an IP network based on IP reachability. Now, the good thing about this L2 VPN is that it supports any kind of layer two technology. Let's say this interface is an Ethernet interface; still you can configure L2 VPNs. Maybe this interface is running Frame Relay; still you can provide the L2 VPN configuration. It also supports PPP, or you can even have one side running PPP and the other side running Frame Relay; still you can have a layer two VPN connection between these two PE routers. In MPLS terminology we call this the interworking concept; still we can do that. So there is no need for MPLS to be running. The only thing we require is some IP-to-IP reachability from this IP here, maybe loopback to loopback, just like we do in tunnels.
Another protocol which can be used we call AToM, Any Transport over MPLS. Now this is something similar to L2TPv3, almost exactly the same. But the only difference is that the traffic is tunneled over MPLS instead of IP, which means we are going to create a logical connection we call a pseudowire. It is established from the customer-facing interface to the other customer-facing interface, and from end to end there should be a label switched path, because it works similarly to the VPN label we use in L3 VPNs. Whenever you configure an L3 VPN between these two routers, it's going to add one label called the VPN label, and based on that it will reach the other end, the PE router.
In a similar way, in this scenario it is going to create one label called the pseudowire label, and based on that it is going to reach the other end. But it's mandatory that you run MPLS inside the service provider core, and there should be a label switched path end to end between the two PE routers. So that's the only difference between L2TPv3 and AToM, but both are similar. Now again, like L2TPv3, you can run it on any Ethernet link, also on Frame Relay; it can be a PPP interface or it can be an HDLC interface. It's going to run on any kind of layer two connection between the PE and CE. Now there is one more concept: we have something called VPLS, Virtual Private LAN Service.
What we can do is actually provide a LAN service over the WAN. You can see the name itself says Virtual Private LAN Service. Now in this kind of configuration, VPLS, we're actually sending our Ethernet, the layer two traffic, in tunnels over MPLS. Let's take an example. I have a switch called switch 1 which is connected at site one, and then I have switch 2 connected at maybe a different location. So both are in different locations, geographically different locations; they may be in different countries. Now what I can do is have spanning tree convergence, or it can be VTP convergence, between these two switches as if they are directly connected via a crossover cable. So we're actually providing a LAN service over the WAN.
So this is something possible if you are using VPLS, and that is something MPLS can provide you. One more advantage we get with VPLS is that VPLS is actually multipoint tunnels, unlike L2TPv3 or AToM, which are point to point. Now we can have one more switch here, let's say switch 3 on a different site, and we can have spanning tree convergence or VTP convergence or anything similar. The same kind of things we do between the switches in a LAN, we can do between the different sites: the layer two convergence. So that is something VPLS is going to provide you. So all these concepts, whatever we discussed, are all layer two VPN protocols.
The main concept of the layer two VPN protocols is providing a layer two connection between customer sites, and they look as if they are directly connected. So if I do show cdp neighbor, I can see router 5 and router 6 as if they are directly connected via a crossover cable or a serial back-to-back cable between them. But physically they are not connected directly; they are connected through your MPLS cloud. Again, CDP is going to work if you are using Ethernet or PPP serial interfaces. But if you're using Frame Relay then CDP will not work, so you need to be a little bit careful with that. But again, the overall concept is that it's more like a virtual point-to-point connection established between two or more different customer sites.