jramos/isp-backbone-course
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add all 8 course modules with converted markdown links

Browse Source 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Garvis
2026-02-27 10:28:45 -07:00
parent 73dfd80247
commit 9fb54fcbd4
8 changed files with 867 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

129
modules/04-l3vpn.md Normal file
View File

@@ -0,0 +1,129 @@
# Module 4: L3VPN — Customer Isolation with VRFs
> **Course**: [ISP Backbone Lab Course](../README.md)
> **Previous**: [Module 3: iBGP](03-ibgp.md)
> **Next**: [Module 5: eBGP](05-ebgp.md)
---
## Network Diagram
![L3VPN End-to-End Flow](../diagrams/Module4_L3VPN_Flow.png)
*L3VPN end-to-end flow — CE→PE→MPLS Core→PE→CE with VRF isolation and dual label stack*
---
## The Business Problem
You're an ISP. Customer A and Customer B both use `10.0.0.0/8` internally (because of course they do). If you put both their routes in your global routing table, they collide. **VRFs solve this.**
## What Is a VRF?
A **VRF (Virtual Routing and Forwarding)** instance is a completely separate routing table on the same physical router. Think of it as running multiple virtual routers on one box.
Each VRF has:
- **Name** — just a label (e.g., "CUST_A")
- **Route Distinguisher (RD)** — Makes routes globally unique. 65000:100 + 10.0.0.0/8 becomes a unique VPNv4 route
- **Route Targets (RT)** — Controls which VRFs import/export routes. This is the magic that connects customer sites across the MPLS core
## How L3VPN Works End-to-End
1. **CE-CUST1** advertises `192.168.100.0/24` via eBGP to **PE-EDGE2**
2. **PE-EDGE2** puts this route into VRF `CUST_A`, adds RD `65000:100`, and exports with RT `65000:100`
3. The route is carried via **MP-BGP (VPNv4 address family)** to the Route Reflector
4. **P-CORE (RR)** reflects it to **PE-EDGE4**
5. **PE-EDGE4** sees RT `65000:100`, checks its VRF import policy, and imports it into VRF `CUST_A`
6. **CE-CUST2** now sees `192.168.100.0/24` and can reach Customer A's other site
7. **All transit through the core is MPLS-labeled** — P routers never see customer routes
## Lab 4 Config: L3VPN
**PE-EDGE2 (Customer A facing):**
```
! Create VRF
vrf definition CUST_A
rd 65000:100
address-family ipv4
route-target export 65000:100
route-target import 65000:100
exit-address-family
!
! Assign customer-facing interface to VRF
interface GigabitEthernet0/4
description TO CE-CUST1
vrf forwarding CUST_A
ip address 10.100.0.1 255.255.255.252
no shutdown
!
! BGP config for VRF
router bgp 65000
address-family ipv4 vrf CUST_A
neighbor 10.100.0.2 remote-as 65001
neighbor 10.100.0.2 activate
exit-address-family
```
**CE-CUST1 (Customer A):**
```
hostname CE-CUST1
!
interface Loopback0
ip address 192.168.100.1 255.255.255.255
!
interface GigabitEthernet0/0
description TO PE-EDGE2
ip address 10.100.0.2 255.255.255.252
no shutdown
!
router bgp 65001
bgp router-id 192.168.100.1
network 192.168.100.0 mask 255.255.255.0
neighbor 10.100.0.1 remote-as 65000
```
**PE-EDGE4 (Customer B / also imports CUST_A routes):**
```
vrf definition CUST_A
rd 65000:100
address-family ipv4
route-target export 65000:100
route-target import 65000:100
exit-address-family
!
interface GigabitEthernet0/4
description TO CE-CUST2
vrf forwarding CUST_A
ip address 10.100.1.1 255.255.255.252
no shutdown
!
router bgp 65000
address-family ipv4 vrf CUST_A
neighbor 10.100.1.2 remote-as 65002
neighbor 10.100.1.2 activate
exit-address-family
```
## Verification
```
show vrf ! VRFs configured
show ip route vrf CUST_A ! Customer A's routing table
show bgp vpnv4 unicast all ! All VPN routes across the core
show bgp vpnv4 unicast vrf CUST_A ! VPN routes for this specific customer
ping vrf CUST_A 192.168.100.1 source 10.100.1.1 ! Cross-core VPN connectivity
traceroute vrf CUST_A 192.168.100.1 ! Should show MPLS labels through core
```
## Understanding Check
1. What's the difference between RD and RT? (Common interview question!)
2. If Customer B also uses `192.168.100.0/24`, why doesn't it conflict?
3. What MPLS labels are used for VPN forwarding? (Hint: there are TWO labels — why?)
4. How would you give Customer A internet access in addition to their VPN?
---
> **Next Module**: [Module 5: eBGP — Peering with the World →](05-ebgp.md)