MPLS VPN Extranet Route Leaking – Network Professional Member Site

MPLS supports intranet and extranet VPNs:

MPLS Intranet VPN: this is a VPN where we connect the headquarters, remote sites, branch offices, etc. from a single company.
MPLS Extranet VPN: this is a VPN where we extend connectivity from a company to other parties like customers, suppliers, or partners.

Let me show you a quick example to explain this:

In the topology above, we have a simple MPLS VPN PE-CE topology from a provider that has two customers:

Customer Red
Customer Blue

Each customer has two sites. On our PE routers, we use the following configuration for our VRFs:

PE1#show run | begin ip vrf
ip vrf BLUE
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf RED
 rd 1:1
 route-target export 1:1
 route-target import 1:1

PE2#show run | begin ip vrf
ip vrf BLUE
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
ip vrf RED
 rd 1:1
 route-target export 1:1
 route-target import 1:1

Here’s what you see above:

VRF RED uses route-target 1:1 to import and export its routes.
VRF BLUE uses route-target 2:2 to import and export its routes.

With the configuration above, both customers are only able to communicate with their own sites. It’s impossible to send traffic from RED to BLUE or vice versa. This is what we call an MPLS intranet VPN.

Does this mean it’s impossible for customers RED and BLUE to communicate with each other at all?

This is no problem at all…the only thing we have to do is leak some routes from one VRF to another. This allows the different sites to learn about each others’ routes and they will be able to communicate with each other. This is called an MPLS VPN Extranet (Route Leaking).

Configuration

Let’s see how this works. To demonstrate this, I will use the topology I just showed you and we will leak some routes between customer site RED-CE1 and BLUE-CE2. Here it is:

This is a basic MPLS VPN PE CE setup with two VRFs. We use OSPF as the PE-CE routing protocol.

Configurations
B-CE1
B-CE2
P
PE1
PE2
R-CE1
R-CE2

Want to take a look for yourself? Here you will find the startup configuration of each device.

Right now, we have an intranet VPN so each customer only sees their own routes. Here are customer RED’s routes:

RED-CE1#show ip route ospf

      6.0.0.0/32 is subnetted, 1 subnets
O IA     6.6.6.6 [110/3] via 192.168.13.3, 00:16:14, GigabitEthernet0/1
O IA  192.168.56.0/24 [110/2] via 192.168.13.3, 00:16:14, GigabitEthernet0/1

RED-CE2#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O IA     1.1.1.1 [110/3] via 192.168.56.5, 00:16:37, GigabitEthernet0/1
O IA  192.168.13.0/24 [110/2] via 192.168.56.5, 00:16:37, GigabitEthernet0/1

And here we have customer BLUE’s routes:

BLUE-CE1#show ip route ospf

      7.0.0.0/32 is subnetted, 1 subnets
O IA     7.7.7.7 [110/3] via 192.168.23.3, 00:16:52, GigabitEthernet0/1
O IA  192.168.57.0/24 [110/2] via 192.168.23.3, 00:16:52, GigabitEthernet0/1

BLUE-CE2#show ip route ospf

      2.0.0.0/32 is subnetted, 1 subnets
O IA     2.2.2.2 [110/3] via 192.168.57.5, 00:17:10, GigabitEthernet0/1
O IA  192.168.23.0/24 [110/2] via 192.168.57.5, 00:17:10, GigabitEthernet0/1

If I want to let RED-CE1 and BLUE-CE2 talk with each other, I’ll have to export and import some routes. I’ll use a new route-target (1:2) for this. Let’s do this step-by-step…first, let’s export the routes from VRF RED on PE1:

Unit 1: Introduction
- Introduction to MPLS
- MPLS Labels and Devices
Unit 2: LDP (Label Distribution Protocol)
- MPLS LDP (Label Distribution Protocol)
- MPLS LDP Label Filtering
Unit 3: MPLS VPN
Unit 4: MPLS L2 Encapsulation
- AToM (Any Transport over MPLS)
Unit 5: IPv6 MPLS
- IPv6 over MPLS 6PE/6VPE
Unit 6: MPLS Traffic Engineering (TE)