The (Unofficial) CCNP-SP Study Guide
L3VPN Extranet

Last updated 2 years ago

Lab file: Challenge - L3VPN Extranet.yaml (59KB)

Startup configs: l3vpn_extranet_initial_configs.zip (24KB)

IP addressing, IGP, Segment Routing, and BGP on the CEs is already configured.

The objective is to configure three L3VPN services and allow the PARTNER1 L3VPN to reach the loopbacks of each customer router. Additionally, each customer L3VPN service should have access to the 192.0.2.0/24 network. The idea is that the partner manages these separate customers, so the partner needs reachability into the customer L3VPNs.

NAT is already configured on the customer CEs. Each customer's R2 router is NATed to 10.255.255.X and should be able to ping 192.0.2.2.

You will need to configure BGP on the provider network, but throughout this entire exercise you should not need to make any changes to customer routers.

The routing table of each CE should appear as follows:

CUSTOMER1_R1#show ip route bgp | be Gateway
Gateway of last resort is not set

B     192.0.2.0/24 [20/0] via 100.64.0.1, 00:16:40

CUSTOMER2_R1#show ip route bgp | be Gateway
Gateway of last resort is not set

B     192.0.2.0/24 [20/0] via 100.64.0.1, 00:16:05

PARTNER1_R1#show ip route bgp | be Gateway
Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 3 subnets
B        10.255.255.1 [20/0] via 100.64.0.1, 00:16:23
B        10.255.255.2 [20/0] via 100.64.0.1, 00:16:23

R2 of each customer should be able to ping 192.0.2.2:

CUSTOMER1_R2#ping 192.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/22/65 ms

CUSTOMER2_R2#ping 192.0.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

Answers

First you must run iBGP inside the service provider network. You can simply run iBGP between PE1 and PE3, creating a BGP-free core. You will also need to peer with each CE. They are all 100.64.0.2 with remote-as 65000. On PE3_XR you will need a route-policy that passes all routes received and advertised, because these are eBGP neighbors (i.e. a route-policy PASS applied in and out).

Next you will need to import PARTNER1 routes into the customer VRFs and import the customer 10.255.255.X/32 loopbacks into the PARTNER1 VRF. To do this you import 10:10 into each customer VRF, and import 1:1 and 2:2 into the PARTNER1 VRF.

The problem is that we must filter the routes that are imported so we don’t get the LAN routes. On PE1 you can use an import map such as this:

vrf definition CUSTOMER1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 10:10
 !
 address-family ipv4
  import map CUSTOMER1_RM
 exit-address-family
!
route-map CUSTOMER1_RM permit 10
 match ip address prefix-list PARTNER1_PREFIX
 match extcommunity 1
route-map CUSTOMER1_RM permit 20
 match extcommunity 2
route-map CUSTOMER1_RM deny 30
!
ip prefix-list PARTNER1_PREFIX seq 5 permit 192.0.2.0/24
!
ip extcommunity-list 1 permit rt 10:10
ip extcommunity-list 2 permit rt 1:1
  • The logic of the route-map is that only the partner subnet is imported with RT 10:10, then any route with RT 1:1 is imported, and anything else is denied.

On PE3_XR you will need a route-policy such as this:

vrf CUSTOMER2
 address-family ipv4 unicast
  import route-policy PARTNER1_EXTRANET
  import route-target
   2:2
   10:10
  !
  export route-target
   2:2
  !
 !
!
route-policy PARTNER1_EXTRANET
  if extcommunity rt matches-any (10:10) then
    if destination in (192.0.2.0/24) then
      pass
    else
      drop
    endif
  endif
  pass
end-policy

I will leave it to you to figure out the route-policy for routes imported into the PARTNER1 VRF.

Finally, you will notice that none of these imported routes are accepted by the CEs. This is because they all use AS 65000, so each CE sees its own AS in the path and rejects the route due to eBGP loop prevention. You can use as-override on each CE neighbor (configured on the PE side) to change the AS path from 100 65000 i to 100 100 i.
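To see why the import map and as-override together produce the routing tables shown above, here is a small Python model of the CUSTOMER1 import logic and the eBGP loop check. It is an added example, not code from the study guide; the VPNv4 table and the 172.16.x.x LAN prefixes are constructed for the demonstration, and the PARTNER1 VRF policy is left out exactly as the page leaves it to the reader.

```python
from ipaddress import ip_network

# Constructed VPNv4 table as PE1 sees it: (prefix, route-targets, AS path learned from the CE).
# The 172.16.x.x LAN prefixes are made up here to show the leak the import map is meant to stop.
VPNV4_ROUTES = [
    ("192.0.2.0/24",    {"10:10"}, [65000]),  # PARTNER1 management subnet: wanted
    ("172.16.10.0/24",  {"10:10"}, [65000]),  # PARTNER1 LAN: must not leak into customers
    ("10.255.255.1/32", {"1:1"},   [65000]),  # CUSTOMER1 NAT loopback
    ("172.16.1.0/24",   {"1:1"},   [65000]),  # CUSTOMER1 LAN
    ("10.255.255.2/32", {"2:2"},   [65000]),  # CUSTOMER2 loopback: no matching import RT
]

# route-map CUSTOMER1_RM from the page expressed as data: (prefix-list, extcommunity-list, action).
# Match clauses within one sequence are ANDed; the first matching sequence decides.
CUSTOMER1_RM = [
    ({"192.0.2.0/24"}, {"10:10"}, "permit"),  # seq 10: partner routes only if the partner subnet
    (None,             {"1:1"},   "permit"),  # seq 20: anything carrying the VRF's own RT
    (None,             None,      "deny"),    # seq 30: explicit deny (IOS would deny implicitly too)
]

def route_map_permits(rmap, prefix, rts):
    net = ip_network(prefix)
    for prefixes, match_rts, action in rmap:
        if prefixes is not None and net not in {ip_network(p) for p in prefixes}:
            continue
        if match_rts is not None and not (rts & match_rts):
            continue
        return action == "permit"
    return False  # fell off the end of the route-map: implicit deny

def vrf_import(routes, import_rts, rmap):
    """Prefixes that land in the VRF: route-target import filter first, then the import map."""
    return [prefix for prefix, rts, _ in routes
            if rts & import_rts and route_map_permits(rmap, prefix, rts)]

def path_seen_by_ce(as_path, provider_as=100, ce_as=65000, override=False):
    """AS path a CE receives over eBGP: PE prepends its own AS; as-override rewrites the CE's AS."""
    path = [provider_as] + as_path
    return [provider_as if (override and asn == ce_as) else asn for asn in path]

def ce_accepts(as_path, ce_as=65000):
    """eBGP loop prevention: a CE drops any route whose AS path already contains its own AS."""
    return ce_as not in as_path

if __name__ == "__main__":
    print(vrf_import(VPNV4_ROUTES, {"1:1", "10:10"}, CUSTOMER1_RM))
    for override in (False, True):
        path = path_seen_by_ce([65000], override=override)
        print("as-override" if override else "default", path, ce_accepts(path))
```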
