Date created: Friday, September 11, 2015 1:46:22 PM. Last modified: Sunday, January 22, 2017 10:31:08 AM

Multi VRF over ADSL using GRE

Example of using GRE tunnels to route multiple VRF-lite BGP sessions over a single ADSL PPP session, with dedicated GRE concentrators to terminate the GRE tunnels on, instead of the LNS routers themselves.

In this scenario with dedicated GRE concentrators PPP sessions coming into the LNS routers (inside an L2TP tunnel) are terminated in a VRF called "GRE" which is acts as a transport VPN across the provider core for GRE tunnels between CPEs and the GRE concentrator routers. To provide predictable routing any CPE PPP session that is load-balanced by the wholesale providers LAC/BRAS onto LNS1 always routes to GRE concentrator router GRE1 and any CPE PPP session that is terminated on LNS2 always routes to GRE2. Both GRE concentrators have a mirror configuration of the other with the same loopback IP address (inside the GRE VRF), customer GRE tunnels inside the same customer VRFs (same RTs, different RDs), GRE tunnel end-point IPs, and customer eBGP sessions.

LNS Failure:

In the event that an LNS fails (assume that the example CPE is currently connected to LNS1), after the PPP sessions has timed out and dropped (due to the dialer PPP timeout config on the CPE), the LAC will timeout the L2TP tunnel to LNS1 (due to the L2TP no-session timeout, even if the CPE tries to renegotiate the PPP session during this time the L2TP incoming call request negotiation will fail between the LAC to LNS1 so the L2TP no-session timer is still counting down). Eventually the CPE will restart the PPP session to the LAC and the LAC will now open up a new L2TP tunnel to LNS2 (if one doesn't currently exit, or forward the session as a new "call" over the existing tunnel if one does exist), LNS2 will then terminate the L2TP tunnel and terminate the PPP session inside the GRE VRF.

Now the CPE will be able to re-establish its GRE tunnels but unknowingly it will now be communicating with router GRE2, and on top of those tunnels bring up the VRF-lite eBGP sessions. GRE2 will now originate the customer prefixes into the provider network giving connectivity between PE1 and the CPE in both VPNs, "MGMT" and "CUST1”.

GRE Concentrator Failure:

In the event that a GRE router fails (assume that the example CPE is currently connected to LNS1 thus its management "MGMT" and customer "CUST1" GRE VPNs are currently terminating on router GRE1), LNS1 is advertising the customer prefixes (CPE Loopback0 and Loopback1) used to establish the GRE tunnels to GRE2 as well as GRE1 however the BGP Local-Pref is lowered on the advertisements to GRE2. GRE1 and GRE2 are both route reflector clients of each other. Under normal working conditions when GRE1 is up, LNS1 sends the customer prefixes to GRE1 with a higher Local-Pre (which is more preferred) and lower Local-Pref to GRE2 (less preferred). GRE1 is then route reflecting those routes to GRE2 with a higher Local-Pref so GRE2 sees the best routes to the CPE via GRE1 and not LNS1, as long as GRE1 is up.

However GRE1 is re-writing the next hop address on the reflected client routes to GRE2 to a black hole address. This means that as long as GRE1 is up, GRE2 can't communicate with the CPE because the preferred route learnt from GRE1 points to a next hop IP via null interface destination. When GRE1 fails GRE2 will only be receiving the customer routes via LNS1 so the customer tunnels will then move over to GRE2, the next-hop is not being re-written so between LNS1 and GRE2.

Items of note:

MTU end-to-end needs planning:
 - CPE MTU 1500 = TCP MSS 1414 bytes
 - LAC to LNS minimum MTU = 1544
 - LNS to GRE minimum MTU = 1504

 Failover for the end user is dependant on the following timeouts being tuned:
 - PPP session time out "ppp timeout idle 20" not dialer interface timeout "dialer idle-timeout 0"
 - L2TP no-session timeout on VPDN group "l2tp tunnel timeout no-session 10"
 - BGP hello and hold timers between CPE and GRE concentrators "timers 3 10"

Failure impact on device load:
 - An LNS router failure means the load doubles on the remaining LNS router and GRE concentrator
 - When an LNS is restored after a failure all sessions remain on the unaffected LNS and companion GRE router until they are moved back (either by natural churn or manual intervention)
 - A GRE concentrator failure means the load remains the same on the two LNS routers but doubles on the remaining GRE concentrator
 - When a GRE concentrator is restored after a failure users connected via it's companion LNS would be re-routed instantly causing disruption as no GRE tunnels or BGP sessions will be active on this GRE concentrator, the users will have to wait for BGP to time out then re-establish

Detailed MTU Calculation:

Note: *In this example using GNS3 for testing, PPPoE is being used so in production ADSL would be using PPPoA*

Note: *The end to end MTU is tested using ICMP ping with df-bit set*

CPE to LAC:
14 byte of Ethernet headers
6 bytes of PPPoE headers
2 bytes of PPP headers
20 bytes of IPv4 headers
4 bytes of GRE headers
20 bytes of IPv4 headers
8 bytes of ICMP headers
Total Headers = 74 bytes of header on the wire
Total Headers = 60 bytes of headers to transport (exclude Ethernet)
Total Headers = 56 bytes of headers to transport (exclude Ethernet and if using PPPoA on ADSL instead of PPPoE on Ethernet)

1444 bytes of ICMP payload
Total = 74+1444 = 1518 bytes on the wire (when using PPPoE IOS is allowing 1518 bytes on the wire before fragmentation is needed?)
Total = 60+1444 = 1504 bytes on the wire (exclude Ethernet)
Total = 56+1444 = 1500 bytes on the wire (exclude Ethernet and when using PPPoa/ADSL)

A CPE with a 1500 byte ADSL MTU can transport a maximum 1444 bytes ICMP of data due to the 56 bytes of end-user headers, over ADSL.

LAC to LNS:
-----------------------Provider headers
14 bytes of Ethernet headers
4 byte MPLS transport label (assume the provider is running an MPLS core)
4 byte MPLS VPN label (assume the provider is running an MPLS core)
20 bytes of IPv4 headers
8 bytes of UDP headers
8 bytes of L2TP headers
-----------------------Customer headers
4 bytes of PPP headers
20 bytes of IPv4 headers
4 bytes of GRE headers
20 bytes of IPv4 headers
8 bytes of ICMP headers

Total Headers = 114 bytes of headers on the wire
Total Headers = 100 bytes of headers to transport (exclude Ethernet)

1444 bytes of end user ICMP payload
Total = 114+1444 = 1558 bytes on the wire
Total = 100+1444 = 1544 bytes on the wire (exclude Ethernet)

Another way to calculate this, the provider needs 44 bytes of headers excluding Ethernet, the end user 1500 byte packet (56 bytes of headers and 1444 bytes of payload) + provider 44 bytes of overhead requires a 1544 byte MTU between LAC and LNS routers.

LNS to GRE:
-----------------------Provider headers
14 bytes of Ethernet headers
4 byte MPLS transport label (assume the provider is running an MPLS core)
4 byte MPLS VPN label (assume the provider is running an MPLS core)
-----------------------Customer headers
20 bytes of IPv4 headers
4 bytes of GRE headers
20 bytes of IPv4 headers
8 bytes of ICMP headers

Total Headers = 74 bytes of headers on the wire
Total Headers = 60 bytes of headers (exclude Ethernet)

1444 bytes of end user ICMP payload
Total = 74+1444 = 1518 bytes on the wire
Total = 60+1444 = 1504 bytes on the wire (exclude Ethernet)

Another way to calculate this, the provider has 8 bytes of headers excluding Ethernet, the end user 1496 byte packet (52 bytes of header and 1444 bytes of payload) + provider 8 bytes of overhead requires a 1504 byte MTU between LNS and GRE routers.

Adjust for TCP and ATM framing:
When using TCP a further 12 bytes on the 8 byte ICMP header is required so with TCP the maximum segment size is 1444-12=1432. The MSS must be adjusted to 1432 globally with "ip tcp mss 1432" or on the dialer interface with "ip tcp adjust-mss 1432".

However to keep a packet received on the LAN and destined for the WAN, in line with the ADSL ATM frame sizes to reduce additional frames and padding the TCP MSS could be adjusted as follows (assuming a 1500 byte LAN MTU):

1500 / 48 (ATM cell size) = 31 (whole ATM cells with remainder)
31 * 48 = 1488 bytes
1488 - 8 byte trailer = 1480 bytes
1480 - 2 bytes PPP = 1478 bytes MTU that exactly fills 31 ATM cells.

1478 - (20 bytes IPv4 + 4 bytes GRE + 20 bytes IPv4 + 20 bytes TCP) = 1414 byte TCP MSS

ip tcp mss 1414
or
ip tcp adjust-mss 1414

 

Configurations:

! CPE
ip vrf CUST1
 rd 172.16.10.1:61
 route-target export 65001:61
 route-target import 65001:61
!
ip vrf MGMT
 rd 172.16.10.1:51
 route-target export 65001:51
 route-target import 65001:51
!
interface Loopback0
 ip address 172.16.10.1 255.255.255.255
!
interface Loopback1
 ip address 172.16.10.2 255.255.255.255
!
interface Tunnel51
 description Management Tunnel
 ip vrf forwarding MGMT
 ip address 172.16.51.2 255.255.255.252
 ip tcp adjust-mss 1414
 tunnel source Loopback0
 tunnel destination 10.0.50.1
!
interface Tunnel61
 description Customer Traffic Tunnel
 ip vrf forwarding CUST1
 ip address 172.16.61.2 255.255.255.252
 ip tcp adjust-mss 1414
 tunnel source Loopback1
 tunnel destination 10.0.50.1
!
interface FastEthernet0/0
 description Link to LAC
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 ppp authentication chap callin
 ppp pap sent-username test@example.net password 0 testpassword
 ppp ipcp route default
 ppp timeout idle 20
!
router bgp 65001
 bgp router-id 172.16.10.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf CUST1
  redistribute connected
  neighbor 172.16.61.1 remote-as 65000
  neighbor 172.16.61.1 timers 3 10
  neighbor 172.16.61.1 activate
  neighbor 172.16.61.1 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf MGMT
  redistribute connected
  neighbor 172.16.51.1 remote-as 65000
  neighbor 172.16.51.1 timers 3 10
  neighbor 172.16.51.1 activate
  neighbor 172.16.51.1 next-hop-self
 exit-address-family
! LAC
vpdn enable
vpdn multihop
vpdn search-order domain  
!
vpdn-group test
 request-dialin
  protocol l2tp
  domain example.net
 initiate-to ip 192.0.2.1
 initiate-to ip 192.0.2.5
 local name l2tp-tunnel
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 10
!
bba-group pppoe global
 virtual-template 1
!
interface FastEthernet0/0
 description link to LNS1
 ip address 192.0.2.2 255.255.255.252
 mtu 2000
!
interface FastEthernet0/1
 description Link to LNS2
 ip address 192.0.2.6 255.255.255.252
 mtu 2000
!
interface FastEthernet1/0
 description Link to CPE
 no ip address
 pppoe enable group global
!
interface Virtual-Template1
 no ip address
 no ip redirects
 no ip proxy-arp
 no logging event link-status
 no peer default ip address
 ntp disable
 no keepalive
 ppp authentication pap callin
! LNS1
ip vrf GRE
 rd 10.0.0.1:50
 route-target export 65000:50
 route-target import 65000:50
!
ip dhcp excluded-address vrf GRE 192.168.0.0 192.168.0.99
ip dhcp excluded-address vrf GRE 192.168.0.200 192.168.0.254
!
ip dhcp pool test-pool
 vrf GRE
 network 192.168.0.0 255.255.255.0
!
ip domain name example.net
!
mpls label protocol ldp
vpdn enable
!
vpdn-group test
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname l2tp-tunnel
 local name tunnel-gw
 no l2tp tunnel authentication
!
username test@example.net password 0 testpassword
!
bba-group pppoe global
 virtual-template 1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback50
 ip vrf forwarding GRE
 ip address 10.0.50.2 255.255.255.255
!
interface FastEthernet0/0
 description Link to LAC
 ip address 192.0.2.1 255.255.255.252
 mtu 2000
!
interface FastEthernet0/1
 description Link to GRE1
 ip address 192.0.2.9 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 description Link to LNS2
 ip address 192.0.2.17 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
interface Virtual-Template1
 ip vrf forwarding GRE
 ip unnumbered Loopback50
 no ip redirects
 no ip proxy-arp
 peer default ip address dhcp-pool test-pool
 ppp authentication chap pap
!
router ospf 1
 router-id 10.0.0.1
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 10.0.0.1 0.0.0.0 area 0
!
router bgp 65000
 template peer-session PE
  timers 3 10
 exit-peer-session
 !
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 inherit peer-session PE
 neighbor 10.0.0.2 description LNS2
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.3 remote-as 65000
 neighbor 10.0.0.3 inherit peer-session PE
 neighbor 10.0.0.3 description GRE1
 neighbor 10.0.0.3 update-source Loopback0
 neighbor 10.0.0.4 remote-as 65000
 neighbor 10.0.0.4 inherit peer-session PE
 neighbor 10.0.0.4 description GRE2
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 10.0.0.2 activate
  no neighbor 10.0.0.3 activate
  no neighbor 10.0.0.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
  neighbor 10.0.0.2 next-hop-self
  neighbor 10.0.0.2 route-map GRE-ROUTES-TO-LNS2 out
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 send-community extended
  neighbor 10.0.0.3 next-hop-self
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
  neighbor 10.0.0.4 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf GRE
  redistribute static
 exit-address-family
!
ip extcommunity-list expanded GRE-ROUTES permit 65000:50
ip bgp-community new-format
!
ip route vrf GRE 172.16.10.1 255.255.255.255 192.168.0.100
ip route vrf GRE 172.16.10.2 255.255.255.255 192.168.0.100
!
route-map GRE-ROUTES-TO-GRE1 permit 10
 match extcommunity GRE-ROUTES
!
route-map GRE-ROUTES-TO-GRE2 permit 10
 match extcommunity GRE-ROUTES
 set local-preference 50
!
route-map GRE-ROUTES-TO-LNS2 deny 10
 match extcommunity GRE-ROUTES
!
mpls ldp router-id Loopback0 force
! LNS2
ip vrf GRE
 rd 10.0.0.2:50
 route-target export 65000:50
 route-target import 65000:50
!
ip dhcp excluded-address vrf GRE 192.168.0.0 192.168.0.199
!
ip dhcp pool test-pool
 vrf GRE
 network 192.168.0.0 255.255.255.0
!
ip domain name example.net
!
mpls label protocol ldp
vpdn enable
!
vpdn-group test
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname l2tp-tunnel
 local name tunnel-gw
 no l2tp tunnel authentication
!
username test@example.net password 0 testpassword
!
bba-group pppoe global
 virtual-template 1
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Loopback50
 ip vrf forwarding GRE
 ip address 10.0.50.2 255.255.255.255
!
interface FastEthernet0/0
 description Link to LAC
 ip address 192.0.2.5 255.255.255.252
 mtu 2000
!
interface FastEthernet0/1
 description Link to GRE2
 ip address 192.0.2.13 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 description Link to LNS1
 ip address 192.0.2.18 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
interface Virtual-Template1
 ip vrf forwarding GRE
 ip unnumbered Loopback50
 no ip redirects
 no ip proxy-arp
 peer default ip address dhcp-pool test-pool
 ppp authentication chap pap
!
router ospf 1
 router-id 10.0.0.2
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 10.0.0.2 0.0.0.0 area 0
!
router bgp 65000
 template peer-session PE
  timers 3 10
 exit-peer-session
 !
 bgp router-id 10.0.0.2
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 inherit peer-session PE
 neighbor 10.0.0.1 description LNS1
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.3 remote-as 65000
 neighbor 10.0.0.3 inherit peer-session PE
 neighbor 10.0.0.3 description GRE1
 neighbor 10.0.0.3 update-source Loopback0
 neighbor 10.0.0.4 remote-as 65000
 neighbor 10.0.0.4 inherit peer-session PE
 neighbor 10.0.0.4 description GRE2
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 10.0.0.1 activate
  no neighbor 10.0.0.3 activate
  no neighbor 10.0.0.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  neighbor 10.0.0.1 next-hop-self
  neighbor 10.0.0.1 route-map GRE-ROUTES-TO-LNS1 out
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 send-community extended
  neighbor 10.0.0.3 next-hop-self
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
  neighbor 10.0.0.4 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf GRE
  redistribute static
 exit-address-family
!
ip extcommunity-list expanded GRE-ROUTES permit 65000:50
ip bgp-community new-format
!
ip route vrf GRE 172.16.10.1 255.255.255.255 192.168.0.200
ip route vrf GRE 172.16.10.2 255.255.255.255 192.168.0.200
!
route-map GRE-ROUTES-TO-LNS1 deny 10
 match extcommunity GRE-ROUTES
!
route-map GRE-ROUTES-TO-LNS1 permit 20
!
route-map GRE-ROUTES-TO-GRE1 permit 10
 match extcommunity GRE-ROUTES
 set local-preference 50
!
route-map GRE-ROUTES-TO-GRE2 permit 10
 match extcommunity GRE-ROUTES
!
mpls ldp router-id Loopback0 force
! GRE1
ip vrf CUST1
 rd 10.0.0.3:61
 route-target export 65001:61
 route-target import 65001:61
!
ip vrf GRE
 rd 10.0.0.3:50
 route-target export 65000:50
 route-target import 65000:50
!
ip vrf MGMT
 rd 10.0.0.3:51
 route-target export 65001:51
 route-target import 65001:51
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.0.0.3 255.255.255.255
!
interface Loopback50
 ip vrf forwarding GRE
 ip address 10.0.50.1 255.255.255.255
!
interface Tunnel51
 description CPE1 - Management Tunnel
 ip vrf forwarding MGMT
 ip address 172.16.51.1 255.255.255.252
 ip tcp adjust-mss 1414
 tunnel source Loopback50
 tunnel destination 172.16.10.1
 tunnel vrf GRE
!
interface Tunnel61
 description CPE1 - Customer Traffic Tunnel
 ip vrf forwarding CUST1
 ip address 172.16.61.1 255.255.255.252
 ip tcp adjust-mss 1414
 tunnel source Loopback50
 tunnel destination 172.16.10.2
 tunnel vrf GRE
!
interface FastEthernet0/0
 description Link to GRE2
 ip address 192.0.2.21 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 description Link to LNS1
 ip address 192.0.2.10 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 description Link to PE1
 ip address 192.0.2.25 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 10.0.0.3 0.0.0.0 area 0
!
router bgp 65000
 template peer-policy CPE
  next-hop-self
 exit-peer-policy
 !
 template peer-session CPE
  timers 3 10
 exit-peer-session
 !
 template peer-session PE
  timers 3 10
 exit-peer-session
 !
 bgp router-id 10.0.0.3
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 inherit peer-session PE
 neighbor 10.0.0.1 description LNS1
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 inherit peer-session PE
 neighbor 10.0.0.2 description LNS2
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.4 remote-as 65000
 neighbor 10.0.0.4 inherit peer-session PE
 neighbor 10.0.0.4 description GRE2
 neighbor 10.0.0.4 update-source Loopback0
 neighbor 10.0.0.5 remote-as 65000
 neighbor 10.0.0.5 inherit peer-session PE
 neighbor 10.0.0.5 description PE1
 neighbor 10.0.0.5 update-source Loopback0
 !
 address-family ipv4
  no neighbor 10.0.0.1 activate
  no neighbor 10.0.0.2 activate
  no neighbor 10.0.0.4 activate
  no neighbor 10.0.0.5 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  neighbor 10.0.0.1 next-hop-self
  neighbor 10.0.0.1 route-map PRIMARY-LNS-IN in
  neighbor 10.0.0.1 route-map PRIMARY-LNS-OUT out
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
  neighbor 10.0.0.2 next-hop-self
  neighbor 10.0.0.2 route-map BACKUP-LNS-IN in
  neighbor 10.0.0.2 route-map BACKUP-LNS-OUT out
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
  neighbor 10.0.0.4 route-reflector-client
  neighbor 10.0.0.4 route-map GRE-ROUTES-TO-GRE2 out
  neighbor 10.0.0.5 activate
  neighbor 10.0.0.5 send-community extended
  neighbor 10.0.0.5 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf CUST1
  neighbor 172.16.61.2 remote-as 65001
  neighbor 172.16.61.2 inherit peer-session CPE
  neighbor 172.16.61.2 activate
  neighbor 172.16.61.2 inherit peer-policy CPE
  neighbor 172.16.61.2 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf GRE
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf MGMT
  neighbor 172.16.51.2 remote-as 65001
  neighbor 172.16.51.2 inherit peer-session CPE
  neighbor 172.16.51.2 activate
  neighbor 172.16.51.2 inherit peer-policy CPE
 exit-address-family
!
ip extcommunity-list expanded GRE-ROUTES permit 65000:50
ip bgp-community new-format
!
ip route 6.6.6.6 255.255.255.255 Null0
!
ip prefix-list GRE-LOOPBACKS seq 10 permit 10.0.50.1/32
!
route-map GRE-ROUTES-TO-GRE2 permit 10
 match extcommunity GRE-ROUTES
 set ip next-hop 6.6.6.6
!
route-map GRE-ROUTES-TO-GRE2 deny 20
!
route-map BACKUP-LNS-OUT permit 10
 match ip address prefix-list GRE-LOOPBACKS
 match extcommunity GRE-ROUTES
 set local-preference 50
!
route-map BACKUP-LNS-OUT permit 20
!
route-map PRIMARY-LNS-IN permit 10
 match extcommunity GRE-ROUTES
 set local-preference 100
!
route-map PRIMARY-LNS-IN permit 20
!
route-map PRIMARY-LNS-OUT permit 10
 match ip address prefix-list GRE-LOOPBACKS
 match extcommunity GRE-ROUTES
 set local-preference 100
!
route-map PRIMARY-LNS-OUT permit 20
!
route-map BACKUP-LNS-IN permit 10
 match extcommunity GRE-ROUTES
 set local-preference 50
!
route-map BACKUP-LNS-IN permit 20
!
mpls ldp router-id Loopback0 force
! GRE2
ip vrf CUST1
 rd 10.0.0.4:61
 route-target export 65001:61
 route-target import 65001:61
!
ip vrf GRE
 rd 10.0.0.4:50
 route-target export 65000:50
 route-target import 65000:50
!
ip vrf MGMT
 rd 10.0.0.4:51
 route-target export 65001:51
 route-target import 65001:51
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.0.0.4 255.255.255.255
!
interface Loopback50
 ip vrf forwarding GRE
 ip address 10.0.50.1 255.255.255.255
!
interface Tunnel51
 description CPE1 - Management Tunnel
 ip vrf forwarding MGMT
 ip address 172.16.51.1 255.255.255.252
 ip tcp adjust-mss 1414
 tunnel source Loopback50
 tunnel destination 172.16.10.1
 tunnel vrf GRE
!
interface Tunnel61
 description CPE1 - Customer Traffic Tunnel
 ip vrf forwarding CUST1
 ip address 172.16.61.1 255.255.255.252
 ip tcp adjust-mss 1414
 tunnel source Loopback50
 tunnel destination 172.16.10.2
 tunnel vrf GRE
!
interface FastEthernet0/0
 description Link to GRE1
 ip address 192.0.2.22 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet0/1
 description Link to LNS2
 ip address 192.0.2.14 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
interface FastEthernet1/0
 description Link to PE1
 ip address 192.0.2.29 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.0.0.4
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 10.0.0.4 0.0.0.0 area 0
!
router bgp 65000
 template peer-policy CPE
  next-hop-self
 exit-peer-policy
 !
 template peer-session CPE
  timers 3 10
 exit-peer-session
 !
 template peer-session PE
  timers 3 10
 exit-peer-session
 !
 bgp router-id 10.0.0.4
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 inherit peer-session PE
 neighbor 10.0.0.1 description LNS1
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 inherit peer-session PE
 neighbor 10.0.0.2 description LNS2
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.3 remote-as 65000
 neighbor 10.0.0.3 inherit peer-session PE
 neighbor 10.0.0.3 description GRE1
 neighbor 10.0.0.3 update-source Loopback0
 neighbor 10.0.0.5 remote-as 65000
 neighbor 10.0.0.5 inherit peer-session PE
 neighbor 10.0.0.5 description PE1
 neighbor 10.0.0.5 update-source Loopback0
 !
 address-family ipv4
  no neighbor 10.0.0.1 activate
  no neighbor 10.0.0.2 activate
  no neighbor 10.0.0.3 activate
  no neighbor 10.0.0.5 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  neighbor 10.0.0.1 next-hop-self
  neighbor 10.0.0.1 route-map BACKUP-LNS-IN in
  neighbor 10.0.0.1 route-map BACKUP-LNS-OUT out
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-community extended
  neighbor 10.0.0.2 next-hop-self
  neighbor 10.0.0.2 route-map PRIMARY-LNS-IN in
  neighbor 10.0.0.2 route-map PRIMARY-LNS-OUT out
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 send-community extended
  neighbor 10.0.0.3 route-reflector-client
  neighbor 10.0.0.3 route-map GRE-ROUTES-TO-GRE1 out
  neighbor 10.0.0.5 activate
  neighbor 10.0.0.5 send-community extended
  neighbor 10.0.0.5 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf CUST1
  neighbor 172.16.61.2 remote-as 65001
  neighbor 172.16.61.2 inherit peer-session CPE
  neighbor 172.16.61.2 activate
  neighbor 172.16.61.2 inherit peer-policy CPE
  neighbor 172.16.61.2 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf GRE
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf MGMT
  neighbor 172.16.51.2 remote-as 65001
  neighbor 172.16.51.2 inherit peer-session CPE
  neighbor 172.16.51.2 activate
  neighbor 172.16.51.2 inherit peer-policy CPE
 exit-address-family
!
ip extcommunity-list expanded GRE-ROUTES permit 65000:50
ip bgp-community new-format
!
ip route 6.6.6.6 255.255.255.255 Null0
!
ip prefix-list GRE-LOOPBACKS seq 10 permit 10.0.50.1/32
!
route-map GRE-ROUTES-TO-GRE1 permit 10
 match extcommunity GRE-ROUTES
 set ip next-hop 6.6.6.6
!
route-map GRE-ROUTES-TO-GRE1 deny 20
!
route-map BACKUP-LNS-OUT permit 10
 match ip address prefix-list GRE-LOOPBACKS
 match extcommunity GRE-ROUTES
 set local-preference 50
!
route-map BACKUP-LNS-OUT permit 20
!
route-map PRIMARY-LNS-IN permit 10
 match extcommunity GRE-ROUTES
 set local-preference 100
!
route-map PRIMARY-LNS-OUT permit 10
 match ip address prefix-list GRE-LOOPBACKS
 match extcommunity GRE-ROUTES
 set local-preference 100
!
route-map PRIMARY-LNS-OUT permit 20
!
route-map BACKUP-LNS-IN permit 10
 match extcommunity GRE-ROUTES
 set local-preference 50
!
mpls ldp router-id Loopback0 force
! PE1
ip vrf CUST1
 rd 10.0.0.5:61
 route-target export 65001:61
 route-target import 65001:61
!
ip vrf MGMT
 rd 10.0.0.5:51
 route-target export 65001:51
 route-target import 65001:51
!
mpls label protocol ldp
!
interface Loopback0
 ip address 10.0.0.5 255.255.255.255
!
interface Loopback51
 ip vrf forwarding MGMT
 ip address 10.0.51.1 255.255.255.255
!
interface Loopback61
 ip vrf forwarding CUST1
 ip address 10.0.61.1 255.255.255.255
!
interface FastEthernet0/0
 description Link to GRE1
 ip address 192.0.2.26 255.255.255.252
 mtu 2000
 mpls ip
!
interface FastEthernet0/1
 description Link to GRE2
 ip address 192.0.2.30 255.255.255.252
 mtu 2000
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 10.0.0.5
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 network 10.0.0.5 0.0.0.0 area 0
!
router bgp 65000
 template peer-session PE
  timers 3 10
 exit-peer-session
 !
 bgp router-id 10.0.0.5
 bgp log-neighbor-changes
 neighbor 10.0.0.3 remote-as 65000
 neighbor 10.0.0.3 inherit peer-session PE
 neighbor 10.0.0.3 description GRE1
 neighbor 10.0.0.3 update-source Loopback0
 neighbor 10.0.0.4 remote-as 65000
 neighbor 10.0.0.4 inherit peer-session PE
 neighbor 10.0.0.4 description GRE2
 neighbor 10.0.0.4 update-source Loopback0
 !
 address-family ipv4
  no neighbor 10.0.0.3 activate
  no neighbor 10.0.0.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.0.0.3 activate
  neighbor 10.0.0.3 send-community extended
  neighbor 10.0.0.3 next-hop-self
  neighbor 10.0.0.4 activate
  neighbor 10.0.0.4 send-community extended
  neighbor 10.0.0.4 next-hop-self
 exit-address-family
 !
 address-family ipv4 vrf CUST1
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf MGMT
  redistribute connected
 exit-address-family
!
mpls ldp router-id Loopback0 force