6VPE: IPv6 over MPLS VPN

6VPE: IPv6 over MPLS VPN

An IPv6 VPN is connected over an IPv6 interface or sub-interface to the Service Provider (SP) backbone via a PE router. The site can be both IPv4 and IPv6 capable. Each IPv6 VPN has its own address space which means a given address denotes different systems in different VPNs. This is achieved via a new address family- VPN-IPv6 or VPNv6 address-family which prepends a Route Distinguisher (RD) to the IP address.

A VPNv6 address is a 24-byte quantity beginning with a 8-byte RD and ending with a 16-byte IPv6 address. When a site is IPv4 and IPv6 capable, the same RD can be used for the advertisement of IPv4 and IPv6 addresses.

Network topology:

The PE-CE links are IPv6 capable. The MPLS VPN network is IPv4 enabled. 6VPE routers are dual-stack routers.

CE Configuration

CE1 router:
ipv6 unicast-routing
ipv6 cef
!
interface Serial 0/0
 ipv6 address 2001:1::1/124
!
interface Loopback 0
 ipv6 address ABCD::1/128
!
CE2 router:
ipv6 unicast-routing
ipv6 cef
!
interface Serial 0/0
 ipv6 address 2001:2::1/124
!
interface Loopback 0
 ipv6 address ABCD::2/128
!

6VPE Configuration

6VPE1 router:
ipv6 unicast-routing
ipv6 cef
!
mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
!----- The VRF is defined with vrf definition <vrf-name> and is made IPv6 aware --------!
!
vrf definition CUST1
 rd 1:1
 !
 address-family ipv6
 route-target import 1:1
 route-target export 1:1
 exit-address-family
!
interface Serial 0/0
 vrf forwarding CUST1
 ipv6 address 2001:1::2/124
!
interface Loopback 0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
6VPE2 router:
ipv6 unicast-routing
ipv6 cef
!
mpls label protocol ldp
mpls ldp router-id Loopback 0 force
!
vrf definition CUST1
 rd 1:1
 !
 address-family ipv6
 route-target import 1:1
 route-target export 1:1
 exit-address-family
!
interface Serial 0/0
 vrf forwarding CUST1
 ipv6 address 2001:2::2/124
!
interface Loopback 0
 ip address 3.3.3.3 255.255.255.255
 ip ospf 1 area 0
!

MP-BGP Configuration:

Address-family VPNv6 is configured on 6VPE routers for iBGP connection. There is eBGP connection between 6VPE and CE routers.

MP-BGP Configuration on CE1 & 6VPE1

CE1 router:
router bgp 65101
 neighbor 2001:1::2 remote-as 100
 !
 address-family ipv6
 neighbor 2001:1::2 activate
 network ABCD::1/128
 exit-address-family
!
6VPE1 router:
router bgp 100
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback 0
 !
 address-family vpnv6
 neighbor 3.3.3.3 activate
 exit-address-family
 !
 address-family ipv6 vrf CUST1
 neighbor 2001:1::1 remote-as 65101
 neighbor 2001:1::1 activate
 redistribute connected
 exit-address-family
!

MP-BGP Configuration on CE2 and 6VPE2

CE2 router:
router bgp 65102
 neighbor 2001:2::2 remote-as 100
 !
 address-family ipv6
 neighbor 2001:2::2 activate
 network ABCD::2/128
 exit-address-family
!
6VPE2 router:
router bgp 100
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback 0
 !
 address-family vpnv6
 neighbor 1.1.1.1 activate
 exit-address-family
 !
 address-family ipv6 vrf CUST1
 neighbor 2001:2::1 remote-as 65102
 neighbor 2001:2::1 activate
 redistribute connected
 exit-address-family
!

BGP Capability Negotiation:

The MP-BGP are used to advertise the IPv6 VPN routes in the MP_REACH NLRI. The AFI/SAFI used is 2/128. AFI=2 for IPv6 and SAFI=128 for MPLS labeled VPNv6.

debug ip bgp

21:10:10.387: BGP: 3.3.3.3 went from Active to OpenSent
21:10:10.391: BGP: 3.3.3.3 sending OPEN, version 4, my as: 100, holdtime 180 seconds
21:10:10.395: BGP: 3.3.3.3 send message type 1, length (incl. header) 61
21:10:10.579: BGP: 3.3.3.3 rcv message type 1, length (excl. header) 42
21:10:10.579: BGP: 3.3.3.3 rcv OPEN, version 4, holdtime 180 seconds
21:10:10.583: BGP: 3.3.3.3 rcv OPEN w/ OPTION parameter len: 32
21:10:10.583: BGP: 3.3.3.3 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
21:10:10.583: BGP: 3.3.3.3 OPEN has CAPABILITY code: 1, length 4
21:10:10.587: BGP: 3.3.3.3 OPEN has MP_EXT CAP for afi/safi: 1/1
21:10:10.587: BGP: 3.3.3.3 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
21:10:10.587: BGP: 3.3.3.3 OPEN has CAPABILITY code: 1, length 4
21:10:10.587: BGP: 3.3.3.3 OPEN has MP_EXT CAP for afi/safi: 2/128
21:10:10.591: BGP: 3.3.3.3 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
21:10:10.591: BGP: 3.3.3.3 OPEN has CAPABILITY code: 128, length 0
21:10:10.591: BGP: 3.3.3.3 OPEN has ROUTE-REFRESH capability(old) for all address-families
21:10:10.591: BGP: 3.3.3.3 rcvd OPEN w/ optional parameter type 2 (Capability) len 2
21:10:10.595: BGP: 3.3.3.3 OPEN has CAPABILITY code: 2, length 0
21:10:10.595: BGP: 3.3.3.3 OPEN has ROUTE-REFRESH capability(new) for all address-families
21:10:10.595: BGP: 3.3.3.3 rcvd OPEN w/ optional parameter type 2 (Capability) len 6
21:10:10.595: BGP: 3.3.3.3 OPEN has CAPABILITY code: 65, length 4
21:10:10.599: BGP: 3.3.3.3 OPEN has 4-byte ASN CAP for: 100
BGP: 3.3.3.3 rcvd OPEN w/ remote AS 100, 4-byte remote AS 100
21:10:10.599: BGP: 3.3.3.3 went from OpenSent to OpenConfirm
21:10:10.603: BGP: 3.3.3.3 went from OpenConfirm to Established
21:10:10.603: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up
21:10:11.547: %BGP-5-ADJCHANGE: neighbor 2001:1::1 vpn vrf CUST1 Up
6VPE1# show bgp vpnv6 unicast all neighbors
BGP neighbor is 3.3.3.3,  remote AS 100, internal link
  BGP version 4, remote router ID 3.3.3.3
  BGP state = Established, up for 00:05:32
  Last read 00:00:30, last write 00:00:20, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    New ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
    Address family VPNv6 Unicast: advertised and received
    !
    !---output ommitted
    !
BGP neighbor is 2001:1::1,  vrf CUST1,  remote AS 65101, external link
  BGP version 4, remote router ID 10.210.0.1
  BGP state = Established, up for 00:05:54
  Last read 00:00:54, last write 00:00:43, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    New ASN Capability: advertised
    Address family IPv6 Unicast: advertised and received
    !
    !---output ommitted
    !

Since the IPv6 VPN traffic is to be transported to the BGP speaker using IPv4 tunneling, the BGP speaker advertises to its peer a next-hop network address field containing a VPNv6 address- the 8-byte RD is set to 0, while the 16-byte IPv6 address is the IPv4-mapped IPv6 address of the advertising BGP speaker.

BGP Next-Hop address

6VPE2# show bgp vpnv6 unicast vrf CUST1
BGP table version is 30, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf CUST1)
*>i2001:1::/124     ::FFFF:1.1.1.1           0    100      0 ?
*> 2001:2::/124     ::                       0         32768 ?
*>iABCD::1/128      ::FFFF:1.1.1.1           0    100      0 65101 i
*> ABCD::2/128      2001:2::1                0             0 65102 i
6VPE2# show bgp vpnv6 unicast vrf CUST1 ABCD::1/128
BGP routing table entry for [1:1]ABCD::1/128, version 30
Paths: (1 available, best #1, table CUST1)
  Advertised to update-groups:
        2
  65101
    ::FFFF:1.1.1.1 (metric 3) from 1.1.1.1 (1.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1:1
      mpls labels in/out nolabel/20

Notice that the RD of VPNv6 prefixes is printed between []. This is done to differentiate between RD and IPv6 address.

Label imposition:

When a 6VPE router receives a packet from an attached CE router, it looks up the packet IPv6 destination address in the VRF table corresponding to that CE router. This enables it to find a VPNv6 route. The VPNv6 route has an associated MPLS label (top label) and an associated BGP Next Hop label (bottom label).

Label imposition

6VPE2# show bgp vpnv6 unicast vrf CUST1 ABCD::1/128
BGP routing table entry for [1:1]ABCD::1/128, version 30
Paths: (1 available, best #1, table CUST1)
  Advertised to update-groups:
        2
  65101
    ::FFFF:1.1.1.1 (metric 3) from 1.1.1.1 (1.1.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1:1
      mpls labels in/out nolabel/20
6VPE2# show ip cef 1.1.1.1
1.1.1.1/32
  nexthop 10.2.2.1 FastEthernet2/0 label 16
6VPE2# show ipv6 cef vrf CUST1 ABCD::1/128 detail
ABCD::1/128, epoch 0
  recursive via 1.1.1.1 label 20
    nexthop 10.2.2.1 FastEthernet2/0 label 16

IPv6 Prefixes advertised to CE routers:

The show ipv6 route bgp command displays the BGP routes learnt by the router.

IPv6 prefixes

CE1# show ipv6 route bgp
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
B   2001:2::/124 [20/0]
     via FE80::C808:17FF:FE2C:0, Serial0/0
B   ABCD::2/128 [20/0]
     via FE80::C808:17FF:FE2C:0, Serial0/0
CE2# show ipv6 route bgp
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
B   2001:1::/124 [20/0]
     via FE80::C809:14FF:FEB4:0, Serial0/0
B   ABCD::1/128 [20/0]
     via FE80::C809:14FF:FEB4:0, Serial0/0

The following packet capture indicates the labels imposed on the ICMPv6 packet when a PING is initialized from CE2 router to ABCD::1/128.