Configuring L3VPN Service over OSPF SR-MPLS BE
Felipe Medeiros
Network Engineer - HCIE Datacom Written | 2xHCIP Datacom & Security | Fortinet FCP
After some time without posting anything here, I'm back with some segment routing content. While trying to understand this protocol for my HCIE studies, I decided to do some labbing to get a feel for how it looks on the CLI.
To be honest, the implementation is not so complicated, but we have to pay attention and understand the concepts around this protocol well. First of all, why do we need to use it?
The Segment Routing protocol is implemented on top of the MPLS forwarding plane. It brings more capacity expansion to MPLS networks and simplifies management of the control plane, because we don't need to use LDP or RSVP: we just need to configure an IGP and enable MPLS on the box.
So here is the topology used for this configuration:
The main goal here is to configure an L3VPN between CE1 and CE2, using Segment Routing to forward the traffic across the backbone.
I used OSPF as IGP Protocol and here is the configuration for the underlay IGP protocol:
As we can see above, there are not many secrets in the OSPF configuration. But we can also see that there are some new commands:
segment-routing                              // First, enable segment routing in the system view
ospf 1
 segment-routing mpls                        // In the OSPF view, enable segment routing for MPLS
 segment-routing global-block 16000 23999
 frr                                         // Enable fast reroute for a fast switchover to the secondary path
  loop-free-alternate
  ti-lfa enable
After that, we can configure the SID index for the loopback interface.
[~P1-LoopBack1]dis this
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
ospf enable 1 area 0.0.0.0
ospf prefix-sid index 20
#
return
[~P1-LoopBack1]
It is worth mentioning that enabling the "ti-lfa" function is very important, because it provides link and node protection for the Segment Routing tunnels. This way the traffic can be switched to a backup path, minimizing traffic loss. The FRR LFA function will not always provide a fast switchover, especially in very large networks.
I also have to comment on the "prefix-sid". It is very important because the idea of the SR protocol is to provide routing segments, and the prefix-sid is how SR computes the paths along which the traffic will be forwarded.
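How the prefix-sid index turns into the MPLS label each router installs, as an added example that is not part of the original lab: in SR-MPLS the label for a prefix SID is the SRGB base plus the index, so with this lab's global-block and indexes the four loopbacks get 16010 to 16040. The config excerpts are constructed from the values on this page, and the helper names (sample, parse_node, label_plan) are hypothetical.

```python
import re

def sample(loopback, index, srgb="16000 23999"):
    """Constructed config excerpt shaped like the lab's 'display current-configuration'."""
    return (f"interface LoopBack1\n ip address {loopback} 255.255.255.255\n"
            f" ospf prefix-sid index {index}\n#\nospf 1 router-id {loopback}\n"
            f" segment-routing mpls\n segment-routing global-block {srgb}\n")

# Loopbacks and prefix-sid indexes as configured on PE1, P1, PE2 and P2 in this lab.
LAB = {"PE1": sample("1.1.1.9", 10), "P1": sample("2.2.2.9", 20),
       "PE2": sample("3.3.3.9", 30), "P2": sample("4.4.4.9", 40)}

def parse_node(text):
    """Return (srgb_base, srgb_end, prefix_sid_index) from one config; None where absent."""
    block = re.search(r"segment-routing global-block (\d+) (\d+)", text)
    index = re.search(r"ospf prefix-sid index (\d+)", text)
    base, end = (int(block.group(1)), int(block.group(2))) if block else (None, None)
    return base, end, int(index.group(1)) if index else None

def label_plan(configs):
    """Compute each node's prefix-SID label (SRGB base + index) and list plan errors."""
    labels, errors, seen = {}, [], {}
    for node, text in sorted(configs.items()):
        base, end, index = parse_node(text)
        if base is None or index is None:
            errors.append(f"{node}: missing SRGB or prefix-sid index")
            continue
        label = base + index
        if label > end:
            errors.append(f"{node}: index {index} falls outside SRGB {base}-{end}")
        if index in seen:
            # Two loopbacks sharing an index would resolve to the same label.
            errors.append(f"{node}: index {index} already used by {seen[index]}")
        seen.setdefault(index, node)
        labels[node] = label
    if len({parse_node(t)[:2] for t in configs.values()}) > 1:
        errors.append("SRGB differs between nodes: same index maps to different labels")
    return labels, errors

if __name__ == "__main__":
    labels, errors = label_plan(LAB)
    for node, label in labels.items():
        print(f"{node}: prefix-SID label {label}")
    print("errors:", errors or "none")
```

Running the same check against the real configuration files before a change catches a duplicated or out-of-range index, which would otherwise only show up as traffic following the wrong segment.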
So, with the configuration above we already have segment routing working, and we can configure the L3VPN normally.
We can check the SR with the following commands:
Above we can check that the SR tunnels are UP, and we can also ping the SR path all the way to PE2.
After the VPN is configured, we can finally see that CE1 can ping CE2 normally:
In the backbone network we can also see the customer router in the vpn-instance:
Above we can note the two CEs' loopbacks.
I will put the whole configuration for this lab here. Thanks for taking the time to read.
[~P1]display current-configuration
!Software Version V800R011C00SPC607B607
!Last configuration was updated at 2024-03-30 00:26:14+00:00
#
sysname P1
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
ipv4-family
#
segment-routing
#
interface Ethernet1/0/0
description DIR-PE1
undo shutdown
ip address 172.16.1.2 255.255.255.0
ospf enable 1 area 0.0.0.0
mpls
undo dcn
undo dcn mode vlan
#
interface Ethernet1/0/1
description DIR-PE2
undo shutdown
ip address 172.17.1.1 255.255.255.0
ospf enable 1 area 0.0.0.0
mpls
undo dcn
undo dcn mode vlan
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
ospf enable 1 area 0.0.0.0
ospf prefix-sid index 20
#
interface NULL0
#
ospf 1 router-id 2.2.2.9
opaque-capability enable
segment-routing mpls
segment-routing global-block 16000 23999
frr
loop-free-alternate
ti-lfa enable
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
[~P1]
[P2]disp current-configuration
!Software Version V800R011C00SPC607B607
!Last configuration was updated at 2024-03-29 23:04:17+00:00
#
sysname P2
#
mpls lsr-id 4.4.4.9
#
mpls
#
mpls ldp
#
ipv4-family
#
segment-routing
#
interface Ethernet1/0/0
description DIR-PE2
undo shutdown
ip address 172.19.1.1 255.255.255.0
ospf enable 1 area 0.0.0.0
mpls
mpls ldp
undo dcn
undo dcn mode vlan
#
interface Ethernet1/0/1
description DIR-PE1
undo shutdown
ip address 172.18.1.2 255.255.255.0
ospf enable 1 area 0.0.0.0
mpls
mpls ldp
undo dcn
undo dcn mode vlan
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
ospf enable 1 area 0.0.0.0
ospf prefix-sid index 40
#
interface NULL0
#
ospf 1 router-id 4.4.4.9
opaque-capability enable
segment-routing mpls
segment-routing global-block 16000 23999
frr
loop-free-alternate
ti-lfa enable
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 172.18.1.0 0.0.0.255
network 172.19.1.0 0.0.0.255
#
[P2]
[PE1]disp current-configuration
!Software Version V800R011C00SPC607B607
!Last configuration was updated at 2024-03-30 00:27:13+00:00
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
tnl-policy p1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
ipv4-family
#
segment-routing
#
interface Ethernet1/0/0
description DIR-P1
undo shutdown
ip address 172.16.1.1 255.255.255.0
ospf enable 1 area 0.0.0.0
mpls
undo dcn
undo dcn mode vlan
#
interface Ethernet1/0/1
description DIR-P2
undo shutdown
ip address 172.18.1.1 255.255.255.0
ospf enable 1 area 0.0.0.0
mpls
undo dcn
undo dcn mode vlan
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
ospf enable 1 area 0.0.0.0
ospf prefix-sid index 10
#
interface NULL0
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
#
ospf 1 router-id 1.1.1.9
opaque-capability enable
segment-routing mpls
segment-routing global-block 16000 23999
frr
loop-free-alternate
ti-lfa enable
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.18.1.0 0.0.0.255
#
return
[PE1]
[PE2]display current-configuration
!Software Version V800R011C00SPC607B607
!Last configuration was updated at 2024-03-29 23:16:01+00:00
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
tnl-policy p1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
ipv4-family
#
segment-routing
#
interface Ethernet1/0/0
description DIR-P2
undo shutdown
ip address 172.19.1.2 255.255.255.0
ospf enable 1 area 0.0.0.0
mpls
mpls ldp
undo dcn
undo dcn mode vlan
#
interface Ethernet1/0/1
description DIR-P1
undo shutdown
ip address 172.17.1.2 255.255.255.0
ospf enable 1 area 0.0.0.0
mpls
mpls ldp
undo dcn
undo dcn mode vlan
#
interface Ethernet1/0/9
description DIR-CE2
undo shutdown
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
undo dcn mode vlan
#
interface GigabitEthernet0/0/0
undo shutdown
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
ospf enable 1 area 0.0.0.0
ospf prefix-sid index 30
#
interface NULL0
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
#
ospf 1 router-id 3.3.3.9
opaque-capability enable
segment-routing mpls
segment-routing global-block 16000 23999
frr
loop-free-alternate
ti-lfa enable
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.17.1.0 0.0.0.255
network 172.19.1.0 0.0.0.255
#
return
<CE1>display current-configuration
[V200R003C00]
#
sysname CE1
#
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.11.1.1 255.255.255.255
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
network 10.11.1.1 255.255.255.255
peer 10.1.1.2 enable
#
return
<CE1>
<CE2>disp current-configuration
[V200R003C00]
#
sysname CE2
#
interface GigabitEthernet0/0/0
description DIR-PE2
ip address 10.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.22.2.2 255.255.255.255
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
network 10.22.2.2 255.255.255.255
peer 10.2.1.2 enable
#
return
<CE2>
#huawei #router #segment-routing #mpls #ospf #bgp #ldp #network
CTO | Hexa Networks
10 months
Nice work, man! SR is very interesting, but it's a pity that it isn't supported on most of the equipment we see at Brazilian providers.