MPLS Layer 3 VPN Setup Guide

Uploaded by

mohamed adel

Configuring MPLS Layer 3 VPNs

This chapter describes how to configure Multiprotocol Label Switching (MPLS) Layer 3 virtual private
networks (VPNs) on Cisco Nexus 9508 switches.
• Information About MPLS Layer 3 VPNs
• Prerequisites for MPLS Layer 3 VPNs
• Guidelines and Limitations for MPLS Layer 3 VPNs
• Default Settings for MPLS Layer 3 VPNs
• Configuring MPLS Layer 3 VPNs

Information About MPLS Layer 3 VPNs


An MPLS Layer 3 VPN consists of a set of sites that are interconnected by an MPLS provider core network.
At each customer site, one or more customer edge (CE) routers or Layer 2 switches attach to one or more
provider edge (PE) routers. This section includes the following topics:
• MPLS Layer 3 VPN Definition
• How an MPLS Layer 3 VPN Works
• Components of MPLS Layer 3 VPNs
• Hub-and-Spoke Topology
• OSPF Sham-Link Support for MPLS VPN

MPLS Layer 3 VPN Definition


MPLS-based Layer 3 VPNs are based on a peer model that enables the provider and the customer to exchange
Layer 3 routing information. The provider relays the data between the customer sites without direct customer
involvement.
When you add a new site to an MPLS Layer 3 VPN, you must update the provider edge router that provides
services to the customer site.
MPLS Layer 3 VPNs include the following components:
• Provider (P) router—A router in the core of the provider network. P routers run MPLS switching and do
not attach VPN labels (an MPLS label in each route assigned by the PE router) to routed packets.

• Provider edge (PE) router—A router that attaches the VPN label to incoming packets that are based on
the interface or subinterface on which they are received. A PE router attaches directly to a CE router.
• Customer edge (CE) router—An edge router on the network of the provider that connects to the PE router
on the network. A CE router must interface with a PE router.

Figure 1: Basic MPLS Layer 3 VPN Terminology

How an MPLS Layer 3 VPN Works


MPLS Layer 3 VPN functionality is enabled at the edge of an MPLS network. The PE router performs the
following tasks:
• Exchanges routing updates with the CE router
• Translates the CE routing information into VPN routes
• Exchanges Layer 3 VPN routes with other PE routers through the Multiprotocol Border Gateway Protocol
(MP-BGP)

Components of MPLS Layer 3 VPNs


An MPLS-based Layer 3 VPN network has three components:
1. VPN route target communities—A VPN route target community is a list of all members of a Layer 3 VPN
community. You must configure the VPN route targets for each Layer 3 VPN community member.
2. Multiprotocol BGP peering of VPN community PE routers—Multiprotocol BGP propagates VRF
reachability information to all members of a VPN community. You must configure Multiprotocol BGP
peering in all PE routers within a VPN community.
3. MPLS forwarding—MPLS transports all traffic between all VPN community members across a VPN
enterprise or service provider network.

A one-to-one relationship does not necessarily exist between customer sites and VPNs. A site can be a member
of multiple VPNs. However, a site can associate with only one VRF. A customer-site VRF contains all the
routes that are available to the site from the VPNs of which it is a member.

Hub-and-Spoke Topology
A hub-and-spoke topology prevents local connectivity between subscribers at the spoke provider edge (PE)
routers and ensures that a hub site provides subscriber connectivity. Any sites that connect to the same PE
router must forward intersite traffic using the hub site. This topology ensures that the routing at the spoke
sites moves from the access-side interface to the network-side interface or from the network-side interface to
the access-side interface but never from the access-side interface to the access-side interface. A hub-and-spoke
topology allows you to maintain access restrictions between sites.
A hub-and-spoke topology prevents situations where the PE router locally switches the spokes without passing
the traffic through the hub site. This topology prevents subscribers from directly connecting to each other. A
hub-and-spoke topology does not require one VRF for each spoke.
Figure 2: Hub-and-Spoke Topology

As shown in the figure, a hub-and-spoke topology is typically set up with a hub PE that is configured with
two VRFs:
• VRF 2hub with a dedicated link connected to the hub customer edge (CE)
• VRF 2spokes with another dedicated link connected to the hub CE.

Interior Gateway Protocol (IGP) or external BGP (eBGP) sessions are usually set up through the hub PE-CE
links. The VRF 2hub imports all the exported route targets from all the spoke PEs. The hub CE learns all
routes from the spoke sites and readvertises them back to the VRF 2spokes of the hub PE. The VRF 2spokes
exports all these routes to the spoke PEs.
If you use eBGP between the hub PE and hub CE, you must allow duplicate autonomous system (AS) numbers
in the path, which is normally prohibited. You can configure the router to allow this duplicate AS number at
the neighbor of VRF 2spokes of the hub PE and also for VPN address family neighbors at all the spoke PEs.
In addition, you must disable the peer AS number check at the hub CE when distributing routes to the neighbor
at VRF 2spokes of the hub PE.
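
The following added example (not part of the original guide) is a simplified model of why the hub-and-spoke route loop needs allowas-in on the hub PE and spoke PEs and disable-peer-as-check on the hub CE. The AS numbers and the function names are constructed for illustration, and allowas-in is modeled as the maximum number of times the local AS may appear in the path.

```python
# Added example: simplified model of the BGP AS-path checks on the
# hub-and-spoke route loop. All AS numbers are constructed sample values.
PROVIDER_AS = 100      # assumed AS shared by the hub PE and the spoke PEs
HUB_CE_AS = 200        # assumed AS of the hub CE
SPOKE_CE_AS = 65001    # assumed AS of the spoke CE that originates the route


def accepts(local_as, as_path, allowas_in=0):
    """Receiver-side loop check: accept only if the local AS occurs in the
    path at most allowas_in times (0 rejects any occurrence)."""
    return as_path.count(local_as) <= allowas_in


def advertises(peer_as, as_path, disable_peer_as_check=False):
    """Sender-side peer AS check: do not send a route whose path already
    contains the peer's AS, unless the check is disabled."""
    return disable_peer_as_check or peer_as not in as_path


def trace_spoke_route(hub_pe_allowas_in=0, hub_ce_disable_peer_as_check=False,
                      spoke_pe_allowas_in=0):
    """Follow one spoke route to the hub and back out toward the spokes.

    Returns (result, as_path), where result names the hop that stopped the
    route, or 'delivered' when it reaches the spoke PEs.
    """
    # Spoke CE -> spoke PE (eBGP), then MP-iBGP to the hub PE (path unchanged).
    path = [SPOKE_CE_AS]
    # Hub PE VRF 2hub -> hub CE (eBGP): the hub PE prepends the provider AS.
    path = [PROVIDER_AS] + path
    if not accepts(HUB_CE_AS, path):
        return "dropped at hub CE", path
    # Hub CE -> hub PE neighbor in VRF 2spokes: the path already holds the
    # peer's AS, so the peer AS check suppresses the update by default.
    if not advertises(PROVIDER_AS, path, hub_ce_disable_peer_as_check):
        return "suppressed by hub CE peer AS check", path
    path = [HUB_CE_AS] + path
    # Hub PE receives on the VRF 2spokes neighbor and sees its own AS.
    if not accepts(PROVIDER_AS, path, hub_pe_allowas_in):
        return "dropped at hub PE VRF 2spokes", path
    # VRF 2spokes exports to the spoke PEs over MP-iBGP (path unchanged).
    if not accepts(PROVIDER_AS, path, spoke_pe_allowas_in):
        return "dropped at spoke PE", path
    return "delivered", path


if __name__ == "__main__":
    # (hub PE allowas-in, hub CE disable-peer-as-check, spoke PE allowas-in)
    for knobs in [(0, False, 0), (0, True, 0), (1, True, 0), (1, True, 1)]:
        print(knobs, trace_spoke_route(*knobs))
```

Because allowas-in relaxes BGP loop detection, the model is also a quick way to confirm that a count of 1 on these specific neighbors is all this topology needs.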

OSPF Sham-Link Support for MPLS VPN


In a Multiprotocol Label Switching (MPLS) VPN configuration, you can use the Open Shortest Path First
(OSPF) protocol to connect customer edge (CE) devices to service provider edge (PE) devices in the VPN
backbone. Many customers run OSPF as their intrasite routing protocol, subscribe to a VPN service, and want
to exchange routing information between their sites using OSPF (during migration or on a permanent basis)
over an MPLS VPN backbone.
The benefits of the OSPF sham-link support for MPLS VPN are as follows:
• Client site connection across the MPLS VPN Backbone—A sham link ensures that OSPF client sites
that share a backdoor link can communicate over the MPLS VPN backbone and participate in VPN
services.
• Flexible routing in an MPLS VPN configuration—In an MPLS VPN configuration, the OSPF cost that
is configured with a sham link allows you to decide if OSPF client site traffic is routed over a backdoor
link or through the VPN backbone.

The figure below shows an example of how VPN client sites that run OSPF can connect over an MPLS VPN
backbone.

When you use OSPF to connect PE and CE devices, all routing information learned from a VPN site is placed
in the VPN routing and forwarding (VRF) instance that is associated with the incoming interface. The PE
devices that attach to the VPN use the Border Gateway Protocol (BGP) to distribute VPN routes to each other.
A CE device can learn the routes to other sites in the VPN by peering with its attached PE device. The MPLS
VPN super backbone provides an additional level of routing hierarchy to interconnect the VPN sites that are
running OSPF.
When OSPF routes are propagated over the MPLS VPN backbone, additional information about the prefix
in the form of BGP extended communities (route type, domain ID extended communities) is appended to the
BGP update. This community information is used by the receiving PE device to decide the type of link-state
advertisement (LSA) to be generated when the BGP route is redistributed to the OSPF PE-CE process. In this
way, internal OSPF routes that belong to the same VPN and are advertised over the VPN backbone are seen
as interarea routes on the remote sites.

Prerequisites for MPLS Layer 3 VPNs


MPLS Layer 3 VPNs have the following prerequisites:
• Ensure that you have configured MPLS and Label Distribution Protocol (LDP) in your network. All
routers in the core, including the PE routers, must be able to support MPLS forwarding.
• Ensure that you have installed the correct license for MPLS and any other features you will be using
with MPLS.

Guidelines and Limitations for MPLS Layer 3 VPNs


MPLS Layer 3 VPNs have the following configuration guidelines and limitations:
• For notes on platform support see: Platform Support for Label Switching Features.
• You must enable MPLS IP forwarding on interfaces where the forwarding decisions are made based on
the labels of incoming packets. If a VPN label is allocated by per prefix mode, MPLS IP forwarding
must be enabled on the link between PE and CE.
• Because of the hardware limitation on the trap resolution, on Cisco Nexus 9508 switches with the
N9K-X9636C-R and N9K-X9636Q-R line cards, URPF may not be applied on supervisor bound packets
via inband.
• On Cisco Nexus 9508 switches with the N9K-X9636C-R and N9K-X9636Q-R line cards, RACL is
applied only to routed traffic so that the bridge traffic does not hit RACL. This applies to Multicast OSPF
control traffic.
• On Cisco Nexus 9508 switches with the N9K-X9636C-R and N9K-X9636Q-R line cards, control packets
with the Explicit-NULL label are not prioritized when sending to support. This may result in control protocols
flapping when explicit-NULL is configured.
• Per-label statistics at a scale of 500K are not supported on Cisco Nexus 9508 switches with the
N9K-X9636C-R and N9K-X9636Q-R line cards because of the hardware limitation.
• ARP scaling on Cisco Nexus 9508 switches with the N9K-X9636C-R and N9K-X9636Q-R line cards
is limited to 64K if all the 64K MACs are different. This limitation also applies if there are several
Equal Cost Multiple Paths (ECMP) configured on the interface.
• Packets with MPLS Explicit-NULL may not be parsed correctly with default line card profile.
• MPLS Layer 3 VPNs support the following CE-PE routing protocols:
• BGP (IPv4 and IPv6)
• Enhanced Interior Gateway Protocol (EIGRP) (IPv4)
• Open Shortest Path First (OSPFv2).
• Routing Information Protocol (RIPv2)
• Set statements in an import route map are ignored.

• The BGP minimum route advertisement interval (MRAI) value for all iBGP and eBGP sessions is zero
and is not configurable.
• In a high scale setup with many BGP routes getting redistributed into EIGRP, modify the EIGRP signal
timer to ensure that the EIGRP convergence time is higher than the BGP convergence time. This process
allows all the BGP routes to be redistributed into EIGRP, before EIGRP signals convergence.
• When OSPF is used as a protocol between PE and CE devices, the OSPF metric is preserved when routes
are advertised over the VPN backbone. The metric is used on the remote PE devices to select the correct
route. Do not modify the metric value when OSPF is redistributed to BGP and when BGP is redistributed
to OSPF. If you modify the metric value, routing loops might occur.

Default Settings for MPLS Layer 3 VPNs


Table 1: Default MPLS Layer 3 VPN Parameters

Parameters                                              Default
L3VPN feature                                           Disabled
L3VPN SNMP notifications                                Disabled
allowas-in (for a hub-and-spoke topology)               0
disable-peer-as-check (for a hub-and-spoke topology)    Disabled

Configuring MPLS Layer 3 VPNs


About OSPF Domain IDs and Tags
You can set the domain_ID for an OSPF router instance within a VRF. In OSPF, Cisco NX-OS uses the
domain_ID and domain tag to control aspects of BGP route redistribution at the provider edge (PE) or customer
edge (CE).
• You can configure a primary and secondary domain_ID for the redistributed OSPF routes.
• OSPF also uses a domain tag to identify the OSPF process ID.

The Cisco NX-OS implementation of domain IDs and domain tags complies with RFC 4577.

Note: The OSPF primary and secondary domain_IDs and the domain tag are available only when the MPLS L3VPN
feature is enabled.

Configuring OSPF at the PE and CE Boundary


By using domain IDs and domain tags, you can configure NX-OS to redistribute OSPF routes into BGP
networks, and receive BGP redistributed routes into OSPF at the PE and CE boundary. See the following
topics:
• About OSPF Domain IDs and Tags
• Configuring the OSPF Domain ID
• Configuring the Secondary Domain ID
• Configuring the OSPF Domain Tag

Configuring the OSPF Domain Tag


The domain tag specifies the OSPF process instance number that NX-OS redistributes into BGP at the PE or
CE.

Before you begin


Make sure that MPLS and OSPFv2 are enabled.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters the configuration terminal.
Example:
  switch-1# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch-1(config)#

Step 2
Command or Action: router ospf process-tag
Purpose: Enters router configuration mode to configure the OSPF router instance. The process tag is an alphanumeric string from 1 through 20 characters that identifies the router.
Example:
  switch-1(config)# router ospf 101
  switch-1(config-router)#

Step 3
Command or Action: vrf vrf-name
Purpose: Enters the specific VRF instance for OSPF. The VRF name is an alphanumeric string from 1 through 32 characters that identifies the VRF.
Example:
  switch-1(config-router)# vrf pubstest
  switch-1(config-router-vrf)#

Step 4
Command or Action: ospf domain-tag as-number
Purpose: Sets the domain tag. The domain tag is an alphanumeric string from 0 through 2147483647 that identifies the AS number.
Example:
  switch-1(config-router-vrf)# domain-tag 9999
  nxosv2(config-router-vrf)#

Configuring the OSPF Domain ID


You can set the domain_ID for an OSPF router instance within a VRF to control BGP route redistribution
into OSPF at the CE or PE.
To remove this feature, use the no domain-id command.

Before you begin


Both the MPLS L3VPN and OSPFv2 features must be enabled to use the OSPF domain_ID feature.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters the configuration terminal.
Example:
  switch-1# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch-1(config)#

Step 2
Command or Action: router ospf process-tag
Purpose: Enters router configuration mode to configure the OSPF router instance. The process tag is an alphanumeric string from 1 through 20 characters that identifies the router.
Example:
  switch-1(config)# router ospf 101
  switch-1(config-router)#

Step 3
Command or Action: vrf vrf-name
Purpose: Enters the specific VRF instance for OSPF. The VRF name is an alphanumeric string from 1 through 32 characters that identifies the VRF.
Example:
  switch-1(config-router)# vrf pubstest
  switch-1(config-router-vrf)#

Step 4
Command or Action: domain-id { id | type domain-type value value | Null }
Purpose: Sets the domain_ID and additional parameters:
  • id specifies the domain ID in dotted decimal notation, for example, 1.2.3.4
  • type specifies the domain type in four-byte notation, for example, 0005.
  • value specifies the domain value in 6 bytes of hexadecimal notation, for example, 0x0005.
  You can use the Null argument to clear the domain_ID.
Example:
  switch-1(config-router-vrf)# domain-id 19.0.2.0

Configuring the Secondary Domain ID


You can set a secondary domain_ID for an OSPF router instance within a VRF to control BGP route
redistribution into OSPF at the CE or PE.

Use the domain-id Null command to unconfigure the domain_ID.

Before you begin


Make sure that OSPFv2 and MPLS features are enabled.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters the configuration terminal.
Example:
  switch-1# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  switch-1(config)#

Step 2
Command or Action: router ospf process-tag
Purpose: Enters router configuration mode to configure the OSPF router instance. The process tag is an alphanumeric string from 1 through 20 characters that identifies the router.
Example:
  switch-1(config)# router ospf 101
  switch-1(config-router)#

Step 3
Command or Action: vrf vrf-name
Purpose: Enters the specific VRF instance for OSPF. The VRF name is an alphanumeric string from 1 through 32 characters that identifies the VRF.
Example:
  switch-1(config-router)# vrf pubstest
  switch-1(config-router-vrf)#

Step 4
Command or Action: domain-id { id | type domain-type value value | Null }
Purpose: Sets the domain_ID for the autonomous system.
Example:
  switch-1(config-router-vrf)# domain-id 19.0.2.0

Configuring the Core Network


Assessing the Needs of MPLS Layer 3 VPN Customers
You can identify the core network topology so that it can best serve MPLS Layer 3 VPN customers.
• Identify the size of the network:
  • Identify the following to determine the number of routers and ports you need:
    • How many customers do you need to support?
    • How many VPNs are needed per customer?
    • How many virtual routing and forwarding instances are there for each VPN?
• Determine which routing protocols you need in the core network.
• Determine if you need MPLS VPN high availability support.
  Note: MPLS VPN nonstop forwarding and graceful restart are supported on select
  routers and Cisco NX-OS releases. You need to make sure that graceful restart
  for BGP and LDP is enabled.
• Configure the routing protocols in the core network.
• Determine if you need BGP load sharing and redundant paths in the MPLS Layer 3 VPN core.

Configuring MPLS in the Core


To enable MPLS on all routers in the core, you must configure a label distribution protocol. You can use
either of the following as a label distribution protocol:
• MPLS Label Distribution Protocol (LDP).
• MPLS Traffic Engineering Resource Reservation Protocol (RSVP).

Configuring Multiprotocol BGP on the PE Routers and Route Reflectors


You can configure multiprotocol BGP connectivity on the PE routers and route reflectors.

Before you begin


• Ensure that graceful restart is enabled on all routers for BGP and LDP.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
  switch# configure terminal
  switch(config)#

Step 2
Command or Action: feature bgp
Purpose: Enables the BGP feature.
Example:
  switch(config)# feature bgp
  switch(config)#

Step 3
Command or Action: install feature-set mpls
Purpose: Installs the MPLS feature-set.
Example:
  switch(config)# install feature-set mpls
  switch(config)#

Step 4
Command or Action: feature-set mpls
Purpose: Enables the MPLS feature-set.
Example:
  switch(config)# feature-set mpls
  switch(config)#

Step 5
Command or Action: feature mpls l3vpn
Purpose: Enables the MPLS Layer 3 VPN feature.
Example:
  switch(config)# feature mpls l3vpn
  switch(config)#

Step 6
Command or Action: router bgp as-number
Purpose: Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.
Example:
  switch(config)# router bgp 1.1

Step 7
Command or Action: router-id ip-address
Purpose: (Optional) Configures the BGP router ID. This IP address identifies this BGP speaker. This command triggers an automatic notification and session reset for the BGP neighbor sessions.
Example:
  switch(config-router)# router-id 192.0.2.255

Step 8
Command or Action: neighbor ip-address remote-as as-number
Purpose: Adds an entry to the iBGP neighbor table. The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.
Example:
  switch(config-router)# neighbor 209.165.201.1 remote-as 1.1
  switch(config-router-neighbor)#

Step 9
Command or Action: address-family { vpnv4 | vpnv6 } unicast
Purpose: Enters address family configuration mode for configuring routing sessions, such as BGP, that use standard VPNv4 or VPNv6 address prefixes.
Example:
  switch(config-router-neighbor)# address-family vpnv4 unicast
  switch(config-router-neighbor-af)#

Step 10
Command or Action: send-community extended
Purpose: Specifies that a communities attribute should be sent to a BGP neighbor.
Example:
  switch(config-router-neighbor-af)# send-community extended

Step 11
Command or Action: show bgp { vpnv4 | vpnv6 } unicast neighbors
Purpose: (Optional) Displays information about BGP neighbors.
Example:
  switch(config-router-neighbor-af)# show bgp vpnv4 unicast neighbors

Step 12
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
  switch(config-router-vrf)# copy running-config startup-config

Connecting the MPLS VPN Customers


Defining VRFs on the PE Routers to Enable Customer Connectivity
You must create VRFs on the PE routers to enable customer connectivity. You configure route targets to
control which IP prefixes are imported into the customer VPN site and which IP prefixes are exported to the
BGP network. You can optionally use an import or export route map to provide more fine-grained control
over the IP prefixes that are imported into the customer VPN site or exported out of the VPN site. You can
use a route map to filter routes that are eligible for import or export in a VRF, based on the route target extended
community attributes of the route. The route map might, for example, deny access to selected routes from a
community that is on the import route target list.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
  switch# configure terminal
  switch(config)#

Step 2
Command or Action: install feature-set mpls
Purpose: Installs the MPLS feature-set.
Example:
  switch(config)# install feature-set mpls
  switch(config)#

Step 3
Command or Action: feature-set mpls
Purpose: Enables the MPLS feature-set.
Example:
  switch(config)# feature-set mpls
  switch(config)#

Step 4
Command or Action: feature mpls l3vpn
Purpose: Enables the MPLS Layer 3 VPN feature.
Example:
  switch(config)# feature mpls l3vpn
  switch(config)#

Step 5
Command or Action: vrf context vrf-name
Purpose: Defines the VPN routing instance by assigning a VRF name and enters VRF configuration mode. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
  switch(config)# vrf context vpn1
  switch(config-vrf)#

Step 6
Command or Action: rd route-distinguisher
Purpose: Configures the route distinguisher. The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix. You can enter an RD in either of these formats:
  • 16-bit or 32-bit AS number: your 32-bit number, for example, 1.2:3
  • 32-bit IP address: your 16-bit number, for example, 192.0.2.1:1
Example:
  switch(config-vrf)# rd 1.2:1
  switch(config-vrf)#

Step 7
Command or Action: address-family { ipv4 | ipv6 } unicast
Purpose: Specifies the IPv4 address family type and enters address family configuration mode.
Example:
  switch(config-vrf)# address-family ipv4 unicast
  switch(config-vrf-af-ipv4)#

Step 8
Command or Action: route-target { import | export } route-target-ext-community
Purpose: Specifies a route-target extended community for a VRF as follows:
  • The import keyword imports routing information from the target VPN extended community.
  • The export keyword exports routing information to the target VPN extended community.
  • The route-target-ext-community argument adds the route-target extended community attributes to the VRF's list of import or export route-target extended communities. You can enter the route-target-ext-community argument in either of these formats:
    • 16-bit or 32-bit AS number: your 32-bit number, for example, 1.2:3
    • 32-bit IP address: your 16-bit number, for example, 192.0.2.1:1
Example:
  switch(config-vrf-af-ipv4)# route-target import 1.0:1

Step 9
Command or Action: maximum routes max-routes [ threshold value ] [ reinstall ]
Purpose: (Optional) Configures the maximum number of routes that can be stored in the VRF route table. The max-routes range is from 1 to 4294967295. The threshold value range is from 1 to 100.
Example:
  switch(config-vrf-af-ipv4)# maximum routes 10000

Step 10
Command or Action: import [ vrf default max-prefix ] map route-map
Purpose: (Optional) Configures an import policy for a VRF to import prefixes from the default VRF as follows:
  • The max-prefix range is from 1 to 2147483647. The default is 1000 prefixes.
  • The route-map argument specifies the route map to be used as an import route map for the VRF and can be any case-sensitive, alphanumeric string up to 63 characters.
Example:
  switch(config-vrf-af-ipv4)# import vrf default map vpn1-route-map

Step 11
Command or Action: show vrf vrf-name
Purpose: (Optional) Displays information about a VRF. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
  switch(config-vrf-af-ipv4)# show vrf vpn1

Step 12
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
  switch(config-router-vrf)# copy running-config startup-config
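
Route targets decide which VRFs exchange routes, so a single extra route-target import can join two VPNs that were meant to stay separate. The following added example (not part of the original guide) parses vrf context blocks in the syntax of the procedure above and checks the resulting route flows against the hub-and-spoke design described earlier; the VRF names, RD and route-target values, and the ALLOWED set are constructed for illustration.

```python
import re

# Constructed sample (not from the guide): VRF definitions collected from the
# hub PE and a spoke PE, using the vrf context / rd / route-target commands.
SAMPLE_CONFIG = """\
vrf context 2hub
  rd 1.1:1
  address-family ipv4 unicast
    route-target import 1.1:10
vrf context 2spokes
  rd 1.1:2
  address-family ipv4 unicast
    route-target export 1.1:20
vrf context spokeA
  rd 1.1:11
  address-family ipv4 unicast
    route-target export 1.1:10
    route-target import 1.1:20
vrf context spokeB
  rd 1.1:12
  address-family ipv4 unicast
    route-target export 1.1:10
    route-target import 1.1:20
vrf context vpn1
  rd 1.1:30
  address-family ipv4 unicast
    route-target import 1.1:30
    route-target export 1.1:30
    route-target import 1.1:20
interface Ethernet5/0
  vrf member vpn1
"""

VRF_RE = re.compile(r"vrf context (\S+)$")
RD_RE = re.compile(r"rd (\S+)$")
RT_RE = re.compile(r"route-target (import|export) (\S+)$")


def parse_vrfs(config):
    """Return {vrf_name: {"rd": str or None, "import": set, "export": set}}."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # A top-level line opens a VRF block or ends the previous one.
            m = VRF_RE.match(line)
            current = None
            if m:
                current = vrfs.setdefault(
                    m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if current is None:
            continue  # indented line that belongs to a non-VRF block
        m = RD_RE.match(line)
        if m:
            current["rd"] = m.group(1)
            continue
        m = RT_RE.match(line)
        if m:
            current[m.group(1)].add(m.group(2))
    return vrfs


def route_flows(vrfs):
    """Return {(exporter, importer): shared route targets} for distinct VRFs."""
    flows = {}
    for src, s in vrfs.items():
        for dst, d in vrfs.items():
            shared = s["export"] & d["import"]
            if src != dst and shared:
                flows[(src, dst)] = shared
    return flows


def unexpected_flows(vrfs, allowed):
    """Flows present in the configuration but absent from the intended design."""
    return sorted(set(route_flows(vrfs)) - set(allowed))


# Intended design: spokes export to 2hub, 2spokes exports back to the spokes.
ALLOWED = {("spokeA", "2hub"), ("spokeB", "2hub"),
           ("2spokes", "spokeA"), ("2spokes", "spokeB")}

if __name__ == "__main__":
    parsed = parse_vrfs(SAMPLE_CONFIG)
    for pair, rts in sorted(route_flows(parsed).items()):
        print(pair, sorted(rts))
    print("unexpected:", unexpected_flows(parsed, ALLOWED))
```

In the constructed sample the spokes never import each other's routes directly, and the only flow outside the design is vpn1 importing the route target that 2spokes exports.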

Configuring VRF Interfaces on PE Routers for Each VPN Customer


You can associate a virtual routing and forwarding instance (VRF) with an interface or subinterface on the
PE routers.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
  switch# configure terminal
  switch(config)#

Step 2
Command or Action: interface type number
Purpose: Specifies the interface to configure and enters interface configuration mode as follows:
  • The type argument specifies the type of interface to be configured.
  • The number argument specifies the port, connector, or interface card number.
Example:
  switch(config)# interface Ethernet 5/0
  switch(config-if)#

Step 3
Command or Action: vrf member vrf-name
Purpose: Associates a VRF with the specified interface or subinterface. The vrf-name argument is the name assigned to a VRF.
Example:
  switch(config-if)# vrf member vpn1

Step 4
Command or Action: show vrf vrf-name interface
Purpose: (Optional) Displays information about interfaces associated with a VRF. The vrf-name argument is any case-sensitive alphanumeric string up to 32 characters.
Example:
  switch(config-if)# show vrf vpn1 interface

Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
  switch(config-router-vrf)# copy running-config startup-config

Configuring Routing Protocols Between the PE and CE Routers


Configuring Static or Directly Connected Routes Between the PE and CE Routers
You can configure the PE router for PE-to-CE routing sessions that use static routes.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
  switch# configure terminal
  switch(config)#

Step 2
Command or Action: vrf context vrf-name
Purpose: Defines the VPN routing instance by assigning a VRF name and enters VRF configuration mode. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
  switch(config)# vrf context vpn1
  switch(config-vrf)#

Step 3
Command or Action: { ip | ipv6 } route prefix nexthop
Purpose: Defines static route parameters for every PE-to-CE session. The prefix and nexthop are as follows:
  • IPv4—in dotted decimal notation
  • IPv6—in hex format.
Example:
  switch(config-vrf)# ip route 192.0.2.1/28 ethernet 2/1

Step 4
Command or Action: address-family { ipv4 | ipv6 } unicast
Purpose: Specifies the IPv4 address family type and enters address family configuration mode.
Example:
  switch(config-vrf)# address-family ipv4 unicast
  switch(config-vrf-af)#

Step 5
Command or Action: feature bgp
Purpose: Enables the BGP feature.
Example:
  switch(config-vrf-af)# feature bgp
  switch(config)#

Step 6
Command or Action: router bgp as-number
Purpose: Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.
Example:
  switch(config)# router bgp 1.1

Step 7
Command or Action: vrf vrf-name
Purpose: Associates the BGP process with a VRF. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
  switch(config-router)# vrf vpn1
  switch(config-router-vrf)#

Step 8
Command or Action: address-family { ipv4 | ipv6 } unicast
Purpose: Specifies the IPv4 address family type and enters address family configuration mode.
Example:
  switch(config-vrf)# address-family ipv4 unicast
  switch(config-vrf-af)#

Step 9
Command or Action: redistribute static route-map map-name
Purpose: Redistributes static routes into BGP. The map-name can be any case-sensitive, alphanumeric string up to 63 characters.
Example:
  switch(config-router-vrf-af)# redistribute static route-map StaticMap

Step 10
Command or Action: redistribute direct route-map map-name
Purpose: Redistributes directly connected routes into BGP. The map-name can be any case-sensitive, alphanumeric string up to 63 characters.
Example:
  switch(config-router-vrf-af)# redistribute direct route-map StaticMap

Step 11
Command or Action: show { ip | ipv6 } route vrf vrf-name
Purpose: (Optional) Displays information about routes. The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
  switch(config-router-vrf-af)# show ip route vrf vpn1

Step 12
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
  switch(config-router-vrf)# copy running-config startup-config

Configuring BGP as the Routing Protocol Between the PE and CE Routers


You can use eBGP to configure the PE router for PE-to-CE routing sessions.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 feature bgp Enables the BGP feature.


Example:
switch(config)# feature bgp

switch(config)#

Step 3 router bgp as - number Configures a BGP routing process and enters
router configuration mode.
Example:
switch(config)# router bgp 1.1 The as-number argument indicates the number
of an autonomous system that identifies the
switch(config-router)# router to other BGP routers and tags the routing
information passed along. The AS number can
be a 16-bit integer or a 32-bit integer in the form
of a higher 16-bit decimal number and a lower
16-bit decimal number in xx.xx format.

Step 4 vrf vrf-name Associates the BGP process with a VRF.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router)# vrf vpn1
switch(config-router-vrf)#

Step 5 neighbor ip-address remote-as as-number Adds an entry to the iBGP neighbor table. The ip-address argument specifies the IP address of the neighbor in dotted decimal notation. The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router)# neighbor 209.165.201.1 remote-as 1.1
switch(config-router-neighbor)#

Step 6 address-family { ipv4 | ipv6 } unicast Enters address family configuration mode for configuring routing sessions, such as BGP, that use standard IPv4 or IPv6 address prefixes.
Example:
switch(config-vrf)# address-family ipv4 unicast
switch(config-vrf-af)#

Step 7 show bgp { vpnv4 | vpnv6 } unicast neighbors vrf vrf-name (Optional) Displays information about BGP neighbors. The vrf-name argument is any case-sensitive alphanumeric string up to 32 characters.
Example:
switch(config-router-neighbor-af)# show bgp vpnv4 unicast neighbors



Step 8 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config

Configuring RIPv2 Between the PE and CE Routers


You can use RIP to configure the PE router for PE-to-CE routing sessions.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 feature rip Enables the RIP feature.


Example:
switch(config)# feature rip

switch(config)#

Step 3 router rip instance-tag Enables RIP and enters router configuration mode.
The instance-tag can be any case-sensitive, alphanumeric string up to 20 characters.
Example:
switch(config)# router rip Test1

Step 4 vrf vrf-name Associates the RIP process with a VRF.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router)# vrf vpn1
switch(config-router-vrf)#

Step 5 address-family ipv4 unicast Specifies the address family type and enters address family configuration mode.
Example:
switch(config-router-vrf)# address-family ipv4 unicast
switch(config-router-vrf-af)#

Step 6 redistribute { bgp as | direct | { eigrp | ospf | rip } instance-tag | static } route-map map-name vrf-name Redistributes routes from one routing domain into another routing domain.
The as number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. The instance-tag can be any case-sensitive alphanumeric string up to 20 characters.
Example:
switch(config-router-vrf-af)# show ip rip vrf vpn1

Step 7 show ip rip vrf vrf-name (Optional) Displays information about RIP.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router-vrf-af)# show ip rip vrf vpn1

Step 8 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config

Configuring OSPF Between the PE and CE Routers


You can use OSPFv2 to configure the PE router for PE-to-CE routing sessions. You can optionally create an
OSPF sham link if you have OSPF back door links that are not part of the MPLS network.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 feature ospf Enables the OSPF feature.


Example:
switch(config)# feature ospf

switch(config)#

Step 3 router ospf instance-tag Enables OSPF and enters router configuration mode.
The instance-tag can be any case-sensitive, alphanumeric string up to 20 characters.
Example:
switch(config)# router ospf Test1

Step 4 vrf vrf-name Enters router VRF configuration mode.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router)# vrf vpn1
switch(config-router-vrf)#

Step 5 area area-id sham-link source-address destination-address (Optional) Configures the sham link on the PE interface within a specified OSPF area and with the loopback interfaces specified by the IP addresses as endpoints.
You must configure the sham link at both PE endpoints.
Example:
switch(config-router-vrf)# area 1 sham-link 10.2.1.1 10.2.1.2

Step 6 address-family { ipv4 | ipv6 } unicast Specifies the address family type and enters address family configuration mode.
Example:
switch(config-router)# address-family ipv4 unicast
switch(config-router-vrf-af)#

Step 7 redistribute { bgp as | direct | { eigrp | ospf | rip } instance-tag | static } route-map map-name Redistributes BGP into the EIGRP.
The autonomous system number of the BGP network is configured in this step. BGP must be redistributed into EIGRP for the CE site to accept the BGP routes that carry the EIGRP information. A metric must also be specified for the BGP network.
The map-name can be any case-sensitive, alphanumeric string up to 63 characters.
Example:
switch(config-router-vrf-af)# redistribute bgp 1.0 route-map BGPMap

Step 8 autonomous-system as-number (Optional) Specifies the autonomous system number for this address family for the customer site.
The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.
Example:
switch(config-router-vrf-af)# autonomous-system 1.3

Step 9 show ip eigrp vrf vrf-name (Optional) Displays information about EIGRP in this VRF.
The vrf-name can be any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router-vrf-af)# show ipv4 eigrp vrf vpn1

Step 10 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config

Configuring EIGRP Between the PE and CE Routers


You can configure the PE router to use Enhanced Interior Gateway Routing Protocol (EIGRP) between the
PE and CE routers to transparently connect EIGRP customer networks through an MPLS-enabled BGP core
network so that EIGRP routes are redistributed through the VPN across the BGP network as internal BGP
(iBGP) routes.


Before you begin


You must configure BGP in the network core.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 feature eigrp Enables the EIGRP feature.


Example:
switch(config)# feature eigrp
switch(config)#

Step 3 router eigrp instance-tag Configures an EIGRP instance and enters router configuration mode.
The instance-tag can be any case-sensitive, alphanumeric string up to 20 characters.
Example:
switch(config)# router eigrp Test1

Step 4 vrf vrf-name Enters router VRF configuration mode.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router)# vrf vpn1
switch(config-router-vrf)#

Step 5 address-family ipv4 unicast (Optional) Enters address family configuration mode for configuring routing sessions that use standard IPv4 address prefixes.
Example:
switch(config-router-vrf)# address-family ipv4 unicast
switch(config-router-vrf-af)#

Step 6 redistribute bgp as-number route-map map-name Redistributes routes from one routing domain into another routing domain.
The as number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. The instance-tag can be any case-sensitive alphanumeric string up to 20 characters.
Example:
switch(config-router-vrf-af)# redistribute bgp 235354 route-map mtest1

Step 7 show ip ospf instance-tag vrf vrf-name (Optional) Displays information about OSPF.
Example:
switch(config-router-vrf-af)# show ip rip vrf vpn1

Step 8 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config

Configuring PE-CE Redistribution in BGP for the MPLS VPN


You must configure BGP to distribute the PE-CE routing protocol on every PE router that provides MPLS
Layer 3 VPN services if the PE-CE protocol is not BGP.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 feature bgp Enables the BGP feature.


Example:
switch(config)# feature bgp
switch(config)#

Step 3 router bgp as-number Configures a BGP routing process and enters router configuration mode. The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.
Example:
switch(config)# router bgp 1.1
switch(config-router)#

Step 4 router-id ip-address (Optional) Configures the BGP router ID. This IP address identifies this BGP speaker. This command triggers an automatic notification and session reset for the BGP neighbor sessions.
Example:
switch(config-router)# router-id 192.0.2.255
switch(config-router)#

Step 5 neighbor ip-address remote-as as-number Adds an entry to the BGP or multiprotocol BGP neighbor table. The ip-address argument specifies the IP address of the neighbor in dotted decimal notation. The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router)# neighbor 209.165.201.1 remote-as 1.2
switch(config-router-neighbor)#

Step 6 update-source loopback [ 0 | 1 ] Specifies the source address of the BGP session.
Example:
switch(config-router-neighbor)# update-source loopback 0



Step 7 address-family { vpnv4 | vpnv6 } unicast Enters address family configuration mode for configuring routing sessions, such as BGP, that use standard VPNv4 or VPNv6 address prefixes. The optional unicast keyword specifies VPNv4 or VPNv6 unicast address prefixes.
Example:
switch(config-router-neighbor)# address-family vpnv4
switch(config-router-neighbor-af)#

Step 8 send-community extended Specifies that a communities attribute should be sent to a BGP neighbor.
Example:
switch(config-router-neighbor-af)# send-community extended

Step 9 vrf vrf-name Enters router VRF configuration mode.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router-neighbor-af)# vrf vpn1
switch(config-router-vrf)#

Step 10 address-family { ipv4 | ipv6 } unicast Enters address family configuration mode for configuring routing sessions that use standard IPv4 or IPv6 address prefixes.
Example:
switch(config-router-vrf)# address-family ipv4 unicast
switch(config-router-vrf-af)#

Step 11 redistribute { direct | { eigrp | ospfv3 | rip } instance-tag | static } route-map map-name Redistributes routes from one routing domain into another routing domain. The as number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format. The instance-tag can be any case-sensitive, alphanumeric string up to 20 characters. The map-name can be any case-sensitive alphanumeric string up to 63 characters.
Example:
switch(config-router-af-vrf)# redistribute eigrp Test2 route-map EigrpMap

Step 12 show bgp { ipv4 | ipv6 } unicast vrf vrf-name (Optional) Displays information about BGP.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router-vrf-af)# show bgp ipv4 unicast vrf vpn1

Step 13 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config


Configuring a Hub-and-Spoke Topology


Configuring VRFs on the Hub PE Router
You can configure hub and spoke VRFs on the hub PE router.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 install feature-set mpls Installs the MPLS feature-set.


Example:
switch(config)# install feature-set mpls
switch(config)#

Step 3 feature-set mpls Enables the MPLS feature-set.


Example:
switch(config)# feature-set mpls
switch(config)#

Step 4 feature mpls l3vpn Enables the MPLS Layer 3 VPN feature.
Example:
switch(config)# feature mpls l3vpn
switch(config)#

Step 5 vrf context vrf-hub Defines the VPN routing instance for the PE hub by assigning a VRF name and enters VRF configuration mode. The vrf-hub argument is any case-sensitive alphanumeric string up to 32 characters.
Example:
switch(config)# vrf context 2hub
switch(config-vrf)#

Step 6 rd route-distinguisher Configures the route distinguisher. The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix. You can enter an RD in either of these formats:
• 16-bit or 32-bit AS number: your 32-bit number, for example, 1.2:3
• 32-bit IP address: your 16-bit number, for example, 192.0.2.1:1
Example:
switch(config-vrf)# rd 1.2:1
switch(config-vrf)#

Step 7 address-family { ipv4 | ipv6 } unicast Specifies the IPv4 address family type and enters address family configuration mode.
Example:
switch(config-vrf)# address-family ipv4 unicast
switch(config-vrf-af-ipv4)#

Step 8 route-target { import | export } route-target-ext-community Specifies a route-target extended community for a VRF as follows:
• The import keyword imports routing information from the target VPN extended community.
• The export keyword exports routing information to the target VPN extended community.
• The route-target-ext-community argument adds the route-target extended community attributes to the VRF's list of import or export route-target extended communities. You can enter the route-target-ext-community argument in either of these formats:
  • 16-bit or 32-bit AS number: your 32-bit number, for example, 1.2:3
  • 32-bit IP address: your 16-bit number, for example, 192.0.2.1:1
Example:
switch(config-vrf-af-ipv4)# route-target import 1.0:1

Step 9 vrf context vrf-spoke Defines the VPN routing instance for the PE spoke by assigning a VRF name and enters VRF configuration mode. The vrf-spoke argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-vrf-af-ipv4)# vrf context 2spokes
switch(config-vrf)#

Step 10 address-family { ipv4 | ipv6 } unicast Specifies the IPv4 address family type and enters address family configuration mode.
Example:
switch(config-vrf)# address-family ipv4 unicast
switch(config-vrf-af-ipv4)#

Step 11 route-target { import | export } route-target-ext-community Specifies a route-target extended community for a VRF as follows:
• Creates a route-target extended community for a VRF. The import keyword imports routing information from the target VPN extended community. The export keyword exports routing information to the target VPN extended community. The route-target-ext-community argument adds the route-target extended community attributes to the VRF's list of import or export route-target extended communities. You can enter the route-target-ext-community argument in either of these formats:
  • 16-bit or 32-bit AS number: your 32-bit number, for example, 1.2:3
  • 32-bit IP address: your 16-bit number, for example, 192.0.2.1:1
Example:
switch(config-vrf-af-ipv4)# route-target export 1:100

Step 12 show running-config vrf vrf-name (Optional) Displays the running configuration for the VRF.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-vrf-af-ipv4)# show running-config vrf 2spokes

Step 13 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config
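The two RD formats listed for the rd command, worked through as an added example that is not part of the Cisco guide: the sketch parses an RD string and builds the 8-byte value that is prepended to an IPv4 prefix. The type 0/1/2 byte layouts follow RFC 4364; that the switch selects the type this way for xx.xx input is an assumption, and the function names are hypothetical.

```python
import ipaddress
import struct


def parse_asn(text):
    """Return an AS number given in plain ('100') or xx.xx ('1.2') notation."""
    parts = text.split(".")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad AS number: {text!r}")
    if len(parts) == 2:
        high, low = int(parts[0]), int(parts[1])
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"each half of {text!r} must fit in 16 bits")
        return (high << 16) | low
    asn = int(text)
    if asn > 0xFFFFFFFF:
        raise ValueError(f"AS number {text!r} does not fit in 32 bits")
    return asn


def encode_rd(text):
    """Encode '<admin>:<number>' as the 8-byte RD (2-byte type + 6-byte value)."""
    admin, sep, assigned = text.rpartition(":")
    if not sep or not admin or not assigned.isdigit():
        raise ValueError(f"expected <admin>:<number>, got {text!r}")
    number = int(assigned)
    if admin.count(".") == 3:
        # Type 1: 32-bit IP address, then a 16-bit number.
        ip = ipaddress.IPv4Address(admin)  # raises ValueError if malformed
        fmt, fields, limit = "!H4sH", (1, ip.packed), 0xFFFF
    else:
        asn = parse_asn(admin)
        if asn <= 0xFFFF:
            # Type 0: 16-bit AS number, then a 32-bit number.
            fmt, fields, limit = "!HHI", (0, asn), 0xFFFFFFFF
        else:
            # Type 2: 32-bit AS number, then a 16-bit number.
            fmt, fields, limit = "!HIH", (2, asn), 0xFFFF
    if number > limit:
        raise ValueError(f"assigned number in {text!r} is too large for this RD type")
    return struct.pack(fmt, *fields, number)


def vpn_ipv4(rd, prefix):
    """Return (12-byte VPN-IPv4 address, prefix length) for an RD and an IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen


if __name__ == "__main__":
    for rd in ("1.2:3", "192.0.2.1:1", "1:100"):
        print(f"{rd:<14} {encode_rd(rd).hex()}")
    # The same customer prefix in two VRFs stays distinct once the RD is prepended.
    for rd in ("1.2:1", "1.2:2"):
        addr, length = vpn_ipv4(rd, "10.0.0.0/8")
        print(f"{rd:<14} {addr.hex()}/{length}")
```

Overlapping customer address space is only kept apart by the RD, so two VRFs that share an RD on the same PE lose that separation.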

Configuring eBGP on the Hub PE Router


You can use eBGP to configure PE-to-CE hub routing sessions.

Note If all CE sites are using the same BGP AS number, you must perform the following tasks:
• Configure either the BGP as-override command at the PE (hub) or the allowas-in command at the
receiving CE router.
• To advertise BGP routes learned from one ASN back to the same ASN, configure the
disable-peer-as-check command at the PE router to prevent loopback.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#



Step 2 feature-set mpls Enables the MPLS feature-set.
Example:
switch(config)# feature-set mpls

Step 3 feature mpls l3vpn Enables the MPLS Layer 3 VPN feature.
Example:
switch(config)# feature mpls l3vpn

Step 4 feature bgp Enables the BGP feature.


Example:
switch(config)# feature bgp
switch(config)#

Step 5 router bgp as-number Configures a BGP routing process and enters router configuration mode.
The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.
Example:
switch(config)# router bgp 1.1
switch(config-router)#

Step 6 neighbor ip-address remote-as as-number Adds an entry to the iBGP neighbor table.
• The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.
• The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router)# neighbor 209.165.201.1 remote-as 1.2
switch(config-router-neighbor)#

Step 7 address-family { ipv4 | ipv6 } unicast Specifies the IP address family type and enters address family configuration mode.
Example:
switch(config-router-vrf-neighbor)# address-family ipv4 unicast
switch(config-router-neighbor-af)#

Step 8 send-community extended (Optional) Configures BGP to advertise extended community lists.
Example:
switch(config-router-neighbor-af)# send-community extended



Step 9 vrf vrf-hub Enters VRF configuration mode. The vrf-hub argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router-neighbor-af)# vrf 2hub
switch(config-router-vrf)#

Step 10 neighbor ip-address remote-as as-number Adds an entry to the BGP or multiprotocol BGP neighbor table for this VRF.
• The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.
• The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router-vrf)# neighbor 33.0.0.33 remote-as 150
switch(config-router-vrf-neighbor)#

Step 11 address-family { ipv4 | ipv6 } unicast Specifies the IP address family type and enters address family configuration mode.
Example:
switch(config-router-vrf-neighbor)# address-family ipv4 unicast
switch(config-router-vrf-neighbor-af)#

Step 12 as-override (Optional) Overrides the AS-number when sending an update. If all BGP sites are using the same AS number, configure one of the following commands:
• Configure the BGP as-override command at the PE (hub)
or
• Configure the allowas-in command at the receiving CE router.
Example:
switch(config-router-vrf-neighbor-af)# as-override

Step 13 vrf vrf-spoke Enters VRF configuration mode. The vrf-spoke argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router-vrf-neighbor-af)# vrf 2spokes
switch(config-router-vrf)#

Step 14 neighbor ip-address remote-as as-number Adds an entry to the BGP or multiprotocol BGP neighbor table for this VRF.
• The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.
• The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router-vrf)# neighbor 33.0.0.33 remote-as 150
switch(config-router-vrf-neighbor)#



Step 15 address-family { ipv4 | ipv6 } unicast Specifies the IP address family type and enters address family configuration mode.
Example:
switch(config-router-vrf-neighbor)# address-family ipv4 unicast
switch(config-router-vrf-neighbor-af)#

Step 16 allowas-in [ number ] (Optional) Allows duplicate AS numbers in the AS path.
Configure this parameter in the VPN address family configuration mode at the PE spokes and at the neighbor mode at the PE hub.
Example:
switch(config-router-vrf-neighbor-af)# allowas-in 3

Step 17 show running-config bgp vrf-name (Optional) Displays the running configuration for BGP.
Example:
switch(config-router-vrf-neighbor-af)# show running-config bgp

Step 18 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config
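Why as-override and allowas-in are needed when every CE site shares one AS number, as an added example that is not part of the Cisco guide: the sketch follows one spoke route through the hub and applies the BGP receive-side loop check at each eBGP hop. It is a simplified model with hypothetical function names; AS 100 for the provider and AS 150 for the CE sites are sample values, iBGP hops are treated as pass-through, and the sender-side peer-AS check (disable-peer-as-check) is not modelled.

```python
def pe_to_ce(path, pe_asn, ce_asn, as_override=False):
    """AS path a PE sends to a CE over eBGP.

    With as-override the CE's own ASN is replaced by the PE ASN before the
    PE prepends itself, so the CE no longer sees its own ASN in the path.
    """
    if as_override:
        path = [pe_asn if asn == ce_asn else asn for asn in path]
    return [pe_asn] + path


def ce_to_pe(path, ce_asn):
    """AS path a CE sends to a PE over eBGP: the CE prepends its own ASN."""
    return [ce_asn] + path


def accepts(path, local_asn, allowas_in=0):
    """Loop check: accept only if the local ASN appears at most allowas_in times."""
    return path.count(local_asn) <= allowas_in


def hub_and_spoke_walk(pe_asn, ce_asn, as_override, ce_allowas_in, pe_allowas_in):
    """Follow one spoke route via the hub CE to another spoke CE.

    Returns a list of (hop, as_path, accepted) tuples and stops at the first
    hop that rejects the route.
    """
    hops = []

    def check(hop, path, local_asn, allow):
        ok = accepts(path, local_asn, allow)
        hops.append((hop, path, ok))
        return ok

    path = ce_to_pe([], ce_asn)  # the spoke CE originates the route
    if not check("spoke CE -> spoke PE", path, pe_asn, pe_allowas_in):
        return hops
    path = pe_to_ce(path, pe_asn, ce_asn, as_override)
    if not check("hub PE -> hub CE", path, ce_asn, ce_allowas_in):
        return hops
    path = ce_to_pe(path, ce_asn)  # the hub CE hands the route back
    if not check("hub CE -> hub PE", path, pe_asn, pe_allowas_in):
        return hops
    path = pe_to_ce(path, pe_asn, ce_asn, as_override)
    check("spoke PE -> spoke CE", path, ce_asn, ce_allowas_in)
    return hops


if __name__ == "__main__":
    cases = [
        ("no as-override, no allowas-in", (False, 0, 0)),
        ("as-override only", (True, 0, 0)),
        ("as-override + PE allowas-in 3", (True, 0, 3)),
        ("allowas-in 1 at CE and PE", (False, 1, 1)),
        ("CE allowas-in 2, PE allowas-in 1", (False, 2, 1)),
    ]
    for label, (override, ce_allow, pe_allow) in cases:
        print(label)
        for hop, path, ok in hub_and_spoke_walk(100, 150, override, ce_allow, pe_allow):
            print(f"  {hop:<22} {path} {'accepted' if ok else 'REJECTED'}")
```

Every occurrence that allowas-in permits is loop protection given up, so the walk is a way to find the smallest count a given design needs.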

Configuring eBGP on the Hub CE Router


You can use eBGP to configure PE-to-CE hub routing sessions.

Note If all CE sites are using the same BGP AS number, you must perform the following tasks:

• Configure either the as-override command at the PE (hub) or the allowas-in command at the receiving
CE router.
• Configure the disable-peer-as-check command at the CE router.
• To advertise BGP routes learned from one ASN back to the same ASN, configure the disable-peer-as-check
command at the PE router to prevent loopback.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#



Step 2 feature-set mpls Enables the MPLS feature-set.
Example:
switch(config)# feature-set mpls

Step 3 feature mpls l3vpn Enables the MPLS Layer 3 VPN feature.
Example:
switch(config)# feature mpls l3vpn

Step 4 feature bgp Enables the BGP feature.


Example:
switch(config)# feature bgp
switch(config)#

Step 5 router bgp as-number Configures a BGP routing process and enters router configuration mode.
The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.
Example:
switch(config)# router bgp 1.1
switch(config-router)#

Step 6 neighbor ip-address remote-as as-number Adds an entry to the iBGP neighbor table.
• The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.
• The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router)# neighbor 209.165.201.1 remote-as 1.2
switch(config-router-neighbor)#

Step 7 address-family { ipv4 | ipv6 } unicast Specifies the IP address family type and enters address family configuration mode.
Example:
switch(config-router-vrf-neighbor)# address-family ipv4 unicast
switch(config-router-neighbor-af)#

Step 8 send-community extended (Optional) Configures BGP to advertise extended community lists.
Example:
switch(config-router-neighbor-af)# send-community extended



Step 9 vrf vrf-hub Enters VRF configuration mode. The vrf-hub argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router-neighbor-af)# vrf 2hub
switch(config-router-vrf)#

Step 10 neighbor ip-address remote-as as-number Adds an entry to the BGP or multiprotocol BGP neighbor table for this VRF.
• The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.
• The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router-vrf)# neighbor 33.0.0.33 remote-as 150
switch(config-router-vrf-neighbor)#

Step 11 address-family { ipv4 | ipv6 } unicast Specifies the IP address family type and enters address family configuration mode.
Example:
switch(config-router-vrf-neighbor)# address-family ipv4 unicast
switch(config-router-vrf-neighbor-af)#

Step 12 as-override (Optional) Overrides the AS-number when sending an update. If all BGP sites are using the same AS number, configure one of the following commands:
• Configure the BGP as-override command at the PE (hub)
or
• Configure the allowas-in command at the receiving CE router.
Example:
switch(config-router-vrf-neighbor-af)# as-override

Step 13 vrf vrf-spoke Enters VRF configuration mode. The vrf-spoke argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-router-vrf-neighbor-af)# vrf 2spokes
switch(config-router-vrf)#

Step 14 neighbor ip-address remote-as as-number Adds an entry to the BGP or multiprotocol BGP neighbor table for this VRF.
• The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.
• The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router-vrf)# neighbor 33.0.0.33 remote-as 150
switch(config-router-vrf-neighbor)#



Step 15 address-family { ipv4 | ipv6 } unicast Specifies the IP address family type and enters address family configuration mode.
Example:
switch(config-router-vrf-neighbor)# address-family ipv4 unicast
switch(config-router-vrf-neighbor-af)#

Step 16 allowas-in [ number ] (Optional) Allows duplicate AS numbers in the AS path.
Configure this parameter in the VPN address family configuration mode at the PE spokes and at the neighbor mode at the PE hub.
Example:
switch(config-router-vrf-neighbor-af)# allowas-in 3

Step 17 show running-config bgp vrf-name (Optional) Displays the running configuration for BGP.
Example:
switch(config-router-vrf-neighbor-af)# show running-config bgp

Step 18 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config

Configuring VRFs on the Spoke PE Router


You can configure hub and spoke VRFs on the spoke PE router.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 install feature-set mpls Installs the MPLS feature set.


Example:
switch(config)# install feature-set mpls
switch(config)#

Step 3 feature-set mpls Enables the MPLS feature-set.


Example:
switch(config)# feature-set mpls
switch(config)#

Step 4 feature mpls l3vpn Enables the MPLS Layer 3 VPN feature.
Example:
switch(config)# feature mpls l3vpn
switch(config)#

Step 5 vrf context vrf-spoke Defines the VPN routing instance for the PE spoke by assigning a VRF name and enters VRF configuration mode. The vrf-spoke argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config)# vrf context spoke
switch(config-vrf)#

Step 6 rd route-distinguisher Configures the route distinguisher. The route-distinguisher argument adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix. You can enter an RD in either of these formats:
• 16-bit or 32-bit AS number: your 32-bit number, for example, 1.2:3
• 32-bit IP address: your 16-bit number, for example, 192.0.2.1:1
Example:
switch(config-vrf)# rd 1.101
switch(config-vrf)#

Step 7 address-family { ipv4 | ipv6 } unicast Specifies the IPv4 address family type and enters address family configuration mode.
Example:
switch(config-vrf)# address-family ipv4 unicast
switch(config-vrf-af-ipv4)#

Step 8 route-target { import | export } route-target-ext-community Specifies a route-target extended community for a VRF as follows:
• The import keyword imports routing information from the target VPN extended community.
• The export keyword exports routing information to the target VPN extended community.
• The route-target-ext-community argument adds the route-target extended community attributes to the VRF's list of import or export route-target extended communities. You can enter the route-target-ext-community argument in either of these formats:
  • 16-bit or 32-bit AS number: your 32-bit number, for example, 1.2:3
  • 32-bit IP address: your 16-bit number, for example, 192.0.2.1:1
Example:
switch(config-vrf-af-ipv4)# route-target import 1.0:1



Step 9 show running-config vrf vrf-name (Optional) Displays the running configuration for the VRF.
The vrf-name argument is any case-sensitive, alphanumeric string up to 32 characters.
Example:
switch(config-vrf-af-ipv4)# show running-config vrf 2spokes

Step 10 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config
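How the route-target import and export statements on the hub and spoke PE routers decide which VRFs see each other's routes, as an added example that is not part of the Cisco guide: the sketch reads vrf context blocks, pairs every exported route target with the VRFs that import it, and reports any spoke VRF that imports another spoke's routes directly instead of through the hub. The configurations are constructed, the device names and RD/RT values are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample configurations, not taken from the guide. Device names,
# RD values and route-target values are placeholders chosen for this example.
CONFIGS = {
    "hub-pe": """
vrf context 2hub
  rd 1:1
  address-family ipv4 unicast
    route-target import 1:100
vrf context 2spokes
  rd 1:2
  address-family ipv4 unicast
    route-target export 1:200
""",
    "spoke-pe1": """
vrf context spoke
  rd 1:101
  address-family ipv4 unicast
    route-target export 1:100
    route-target import 1:200
""",
    "spoke-pe2": """
vrf context spoke
  rd 1:102
  address-family ipv4 unicast
    route-target export 1:100
    route-target import 1:200
    route-target import 1:100
""",
}
SPOKE_VRFS = {"spoke-pe1/spoke", "spoke-pe2/spoke"}


def parse_vrfs(device, text):
    """Return {'device/vrf': {'import': set, 'export': set}} for one device."""
    vrfs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # A new top-level command ends the previous vrf context block.
            current = None
            m = re.fullmatch(r"vrf context (\S+)", line)
            if m:
                current = vrfs.setdefault(
                    f"{device}/{m.group(1)}", {"import": set(), "export": set()}
                )
            continue
        m = re.fullmatch(r"route-target (import|export) (\S+)", line)
        if m and current is not None:
            current[m.group(1)].add(m.group(2))
    return vrfs


def route_flows(vrfs):
    """Return {(exporter, importer): shared RTs} for every matching VRF pair."""
    flows = {}
    for src, s in vrfs.items():
        for dst, d in vrfs.items():
            shared = s["export"] & d["import"]
            if src != dst and shared:
                flows[(src, dst)] = sorted(shared)
    return flows


def audit(configs, spokes):
    """Return (all flows, spoke-to-spoke flows that bypass the hub)."""
    vrfs = {}
    for device, text in configs.items():
        vrfs.update(parse_vrfs(device, text))
    flows = route_flows(vrfs)
    leaks = sorted(
        (s, d, rts) for (s, d), rts in flows.items() if s in spokes and d in spokes
    )
    return flows, leaks


if __name__ == "__main__":
    flows, leaks = audit(CONFIGS, SPOKE_VRFS)
    for (src, dst), rts in sorted(flows.items()):
        print(f"{src} -> {dst} via {', '.join(rts)}")
    for src, dst, rts in leaks:
        print(f"BYPASSES HUB: {dst} imports {src} routes via {', '.join(rts)}")
```

In the constructed data the extra import of 1:100 on spoke-pe2 is the only finding; removing that line leaves every spoke route reachable through the hub VRFs only.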

Configuring eBGP on the Spoke PE Router


You can use eBGP to configure PE spoke routing sessions.

Note If all CE sites are using the same BGP AS number, you must perform the following tasks:
• Configure the allowas-in command at the receiving spoke router.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 feature-set mpls Enables the MPLS feature-set.


Example:
switch(config)# feature-set mpls

Step 3 feature mpls l3vpn Enables the MPLS Layer 3 VPN feature.
Example:
switch(config)# feature mpls l3vpn

Step 4 feature bgp Enables the BGP feature.


Example:
switch(config)# feature bgp
switch(config)#

Step 5 router bgp as-number Configures a BGP routing process and enters router configuration mode.
The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.
Example:
switch(config)# router bgp 100
switch(config-router)#

Step 6 neighbor ip-address remote-as as-number Adds an entry to the iBGP neighbor table.
• The ip-address argument specifies the IP address of the neighbor in dotted decimal notation.
• The as-number argument specifies the autonomous system to which the neighbor belongs.
Example:
switch(config-router)# neighbor 63.63.0.63 remote-as 100
switch(config-router-neighbor)#

Step 7 address-family { ipv4 | ipv6 } unicast Specifies the IPv4 or IPv6 address family type and enters address family configuration mode.
Example:
switch(config-router-vrf-neighbor)# address-family ipv4 unicast
switch(config-router-neighbor-af)#

Step 8 allowas-in number (Optional) Allows an AS path with the PE ASN for a specified number of times.
• The range is from 1 to 10.
• If all BGP sites are using the same AS number, configure the following commands:
Note Configure the BGP as-override command at the PE (hub) or configure the allowas-in command at the receiving CE router.
The as-number argument indicates the number of an autonomous system that identifies the router to other BGP routers and tags the routing information passed along. The AS number can be a 16-bit integer or a 32-bit integer in the form of a higher 16-bit decimal number and a lower 16-bit decimal number in xx.xx format.
Example:
switch(config-router-vrf-neighbor-af)# allowas-in 3

Step 9 send-community extended (Optional) Configures BGP to advertise extended community lists.
Example:
switch(config-router-neighbor)# send-community extended

Step 10 show running-config bgp (Optional) Displays the running configuration for BGP.
Example:
switch(config-router-vrf-neighbor-af)# show running-config bgp

Step 11 copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-router-vrf)# copy running-config startup-config
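
The AS_PATH loop check that allowas-in and as-override relax, as an added Python model that is not code from the Cisco guide and does not reproduce NX-OS itself. AS 100 and the count 3 come from the examples above; AS 65001 and AS 65020 are constructed values, and the function names are hypothetical.

```python
PE_AS = 100        # from the page's "router bgp 100"
CE_AS = 65001      # constructed: every CE site shares this private AS
HUB_CE_AS = 65020  # constructed: AS of the hub CE


def advertise_ebgp(as_path, sender_as, neighbor_as, as_override=False):
    """AS_PATH an eBGP speaker sends to a neighbor.

    With as_override, each occurrence of the neighbor's AS is replaced by
    the sender's AS before the sender prepends its own AS as usual.
    """
    if as_override:
        as_path = [sender_as if asn == neighbor_as else asn for asn in as_path]
    return [sender_as] + list(as_path)


def accept_update(as_path, local_as, allowas_in=0):
    """Receiver-side loop check.

    allowas_in=0 models the command not being configured: any occurrence of
    the local AS rejects the route. allowas-in N tolerates up to N.
    """
    if not 0 <= allowas_in <= 10:
        raise ValueError("allowas-in range is 1 to 10 (0 = not configured)")
    return as_path.count(local_as) <= allowas_in


def same_as_sites():
    """CE1 -> PE -> CE2 when both CE sites use CE_AS."""
    plain = advertise_ebgp([CE_AS], PE_AS, CE_AS)
    overridden = advertise_ebgp([CE_AS], PE_AS, CE_AS, as_override=True)
    return {
        "default": accept_update(plain, CE_AS),
        "allowas_in_1": accept_update(plain, CE_AS, allowas_in=1),
        "as_override": accept_update(overridden, CE_AS),
        "overridden_path": overridden,
    }


def hub_and_spoke(allowas_in):
    """Spoke route sent to the hub CE and learned back by the PE AS."""
    path = advertise_ebgp([CE_AS], PE_AS, HUB_CE_AS)   # hub PE -> hub CE
    path = advertise_ebgp(path, HUB_CE_AS, PE_AS)      # hub CE -> hub PE
    return path, accept_update(path, PE_AS, allowas_in)
```

Because allowas-in weakens loop detection on the session where it is set, the smallest count that lets the hub-and-spoke path through is the safer choice.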

Configuring MPLS using Hardware Profile Command


Beginning with release 7.0(3)F3(3), Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX,
and N9K-X9636Q-R line cards support multiple hardware profiles. You can configure MPLS and/or VXLAN
on a switch using the hardware profile configuration command. The hardware profile configuration command
invokes the appropriate configuration files that are available on the switch. VXLAN is enabled by default.

Before you begin

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2 feature bgp Enables the BGP feature.


Example:
switch(config)# feature bgp
switch(config)#

Step 3 hardware profile [ vxlan | mpls] module all Enables MPLS on all the switch modules.
Example:
switch(config)# hardware profile mpls module all

Step 4 show hardware profile module [ all | number] Displays the hardware profile of all the modules or of a specific module.
Example:
switch(config)# show hardware profile module all
switch(config)#



Step 5 show module internal sw info | [ i | mpls] Displays the switch software information.
Example:
switch(config)# show module internal sw info

Step 6 show running configuration | [ i | mpls] Displays the running configuration.
Example:
switch(config)# show module internal sw info
