Cisco Real World Problems

How to configure MPLS L3VPN PE-CE BGP on FMC

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30


Why this matters in the real world

PE-CE BGP is the bread-and-butter routing protocol on every MPLS L3VPN edge I've turned up. BGP between the PE (Provider Edge) and the CE (Customer Edge) carries the customer's prefixes into the VRF on the PE; from there they are exported as VPNv4 routes and ride MP-BGP across the SP core. FMC (Firepower Management Center) sits beside this as the security management plane for the FTD firewalls at the customer edge: it manages policy on those firewalls, it does not run the PE routing configuration below. Get the VRF, RD, RT and BGP address-family combination wrong and you end up with prefixes that are learned but never installed, either flagged r (RIB-failure) in show ip bgp vpnv4 vrf or simply absent from the VRF because no route-target matched, and that is the most expensive line you can read in any NOC. I've turned up PE-CE BGP for an Indian bank with 87 branches and a Comsys Mumbai integrator, and what you'll read below is the exact config I push every time.

I'm Sai. I've been doing Cisco core + edge work for production networks across India and the Gulf for the last 11 years, mostly through partners like Redington and Comsys Mumbai. This guide is what I'd hand a fresh L2 engineer who has to turn this up alongside an FMC (Firepower Management Center) this week. It's not a feature overview; there's a Cisco config guide for that. It's the version that survives a TAC review and a production change window.


The config that actually works

Below is the minimal correct config for the PE. Don't paste it blind: substitute the interface, loopback addresses, RD and RT values your design calls for. This is IOS XE CLI on the PE router; Catalyst Center can push the same lines through a template, but I prefer CLI for first-time turn-ups. FMC (Firepower Management Center) does not run this config. If the CE at the site is an FTD managed by FMC, its side of the session is built in the FMC GUI under the device's routing settings rather than on a CLI, and the PE side stays exactly what you see here.

! VRF and PE-CE BGP on the PE (IOS XE). The MP-BGP vpnv4 session to the
! route reflector / other PEs, with send-community extended, is assumed to
! be up already and is not shown here.
ip vrf CUST_A
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
!
interface GigabitEthernet0/0/1
 ! vrf forwarding must come before the address: applying it clears any address already on the interface
 ip vrf forwarding CUST_A
 ip address 192.168.10.1 255.255.255.252
!
router bgp 65001
 address-family ipv4 vrf CUST_A
  neighbor 192.168.10.2 remote-as 65010
  neighbor 192.168.10.2 activate
  ! both = standard and extended communities cross this session
  neighbor 192.168.10.2 send-community both
  ! rewrites the customer AS in AS_PATH so sites that share AS 65010 accept each other's routes
  neighbor 192.168.10.2 as-override
  ! keeps an unmodified Adj-RIB-In so received-routes works without a session reset
  neighbor 192.168.10.2 soft-reconfiguration inbound
 exit-address-family
!
! Verify
show ip bgp vpnv4 vrf CUST_A summary
show ip bgp vpnv4 vrf CUST_A neighbors 192.168.10.2 received-routes
show ip route vrf CUST_A

You want to see %BGP-5-ADJCHANGE: neighbor 192.168.10.2 vpn vrf CUST_A Up in the log. If the state cycles between Idle and Active, the TCP session is never forming: check that the neighbor address and the interface are in the same VRF, that nothing in the path blocks TCP/179, and that the CE is actually running BGP toward you. If the session opens and immediately resets with a notification, the OPEN is being rejected, most often because the remote-as on one side does not match the AS the other side announces. A session that reaches Established with nothing in PfxRcd and nothing sent is usually a missing activate under the address-family or a route-map that denies everything. The less obvious one: a session that reaches Established and then drops on hold-timer expiry over a GRE or DMVPN underlay. Large UPDATEs are being black-holed by a path-MTU problem; clamp on the tunnel interface with ip tcp adjust-mss 1360 (and ip mtu 1400), not on the SVI.

Verification, the part most engineers skip

Running the config without verification is how you get paged at 2 AM. Capture the output of every show command below, both before and after. Diff them. If you can't explain a difference, you've found a side-effect.

! PE-CE session up
show ip bgp vpnv4 vrf CUST_A summary
! Expected: the State/PfxRcd column shows a number (Established), and that number is > 0
!
! Prefixes seen from the CE (needs soft-reconfiguration inbound on the neighbor)
show ip bgp vpnv4 vrf CUST_A neighbors 192.168.10.2 received-routes
!
! Prefixes accepted into the BGP table. An 'r' in the status column is RIB-failure:
! BGP learned the prefix but a route with a lower administrative distance won
show ip bgp vpnv4 vrf CUST_A
!
! Prefixes installed in the VRF routing table
show ip route vrf CUST_A bgp
!
! Label stack for a remote-site prefix; labels present means the MP-BGP and LDP path is complete
show ip cef vrf CUST_A 10.20.30.40 detail
!
! End-to-end reachability through MPLS. Loopback100 must itself be in vrf CUST_A
ping vrf CUST_A 10.20.30.40 source Loopback100

A real deployment, end-to-end

I helped a Pune fintech move from static routes to PE-CE eBGP across 23 branches in Q2 2025. They were running an FMC (Firepower Management Center) at HQ. The single biggest surprise was that the SP-managed CE had a private AS that overlapped with their internal AS 65010: classic AS-loop scenario. We turned on as-override under the VRF address-family at the PE, watched the prefix counts move from 7 to 412 in show bgp vpnv4 unicast vrf CUST_A summary, and the apps team finally stopped paging us about asymmetric routing. Quote price for the BGP migration was around ₹4.8 lakh including Ingram Micro's implementation hours.

Gotchas I keep running into

Community strategy

I tag every PE-CE prefix on the CE with at least two communities: site code (65010:1001) and traffic class (65010:200 for production, 65010:300 for backup). With send-community both on the session those tags arrive intact at the PE, where a community-list and a route-map give you per-site filtering and per-class local-preference without touching prefix-lists. Route-policy hygiene saves hours later when adding a new site.
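The tagging on the CE and the matching on the PE, written out as IOS config. This is an added example, not config from the original page: the prefix-lists, the ranges 10.20.0.0/16 and 10.99.0.0/16, the route-map and community-list names and the local-preference value are assumptions; only the community values, the AS numbers and the neighbor addresses come from the article.

```cisco
! ---- CE (AS 65010): tag everything before it leaves for the PE ----
! 10.20.0.0/16 (production) and 10.99.0.0/16 (backup) are assumed ranges.
ip bgp-community new-format
!
ip prefix-list PROD-NETS seq 10 permit 10.20.0.0/16 le 24
ip prefix-list BACKUP-NETS seq 10 permit 10.99.0.0/16 le 24
!
route-map CE-TO-PE permit 10
 match ip address prefix-list PROD-NETS
 set community 65010:1001 65010:200
route-map CE-TO-PE permit 20
 match ip address prefix-list BACKUP-NETS
 set community 65010:1001 65010:300
! No catch-all clause: a prefix that matches neither list is not advertised,
! so a new subnet nobody classified fails closed instead of leaking untagged.
!
router bgp 65010
 bgp log-neighbor-changes
 network 10.20.1.0 mask 255.255.255.0
 network 10.99.1.0 mask 255.255.255.0
 neighbor 192.168.10.1 remote-as 65001
 neighbor 192.168.10.1 send-community both
 neighbor 192.168.10.1 route-map CE-TO-PE out
!
! ---- PE (AS 65001): act on the tags inside vrf CUST_A ----
ip bgp-community new-format
!
! Several communities on one standard community-list line are ANDed:
! SITE-1001-BACKUP only matches routes carrying BOTH the site code and the backup class.
ip community-list standard SITE-1001-BACKUP permit 65010:1001 65010:300
ip community-list standard SITE-1001 permit 65010:1001
!
route-map PE-FROM-CE permit 10
 match community SITE-1001-BACKUP
 set local-preference 50
route-map PE-FROM-CE permit 20
 match community SITE-1001
! Implicit deny at the end: anything the CE sends without its site code is dropped inbound.
!
router bgp 65001
 address-family ipv4 vrf CUST_A
  neighbor 192.168.10.2 route-map PE-FROM-CE in
 exit-address-family
!
! Check that the tags survived the trip and that backup routes lost the tie-break:
!   PE# show ip bgp vpnv4 vrf CUST_A community 65010:300
!   PE# show ip bgp vpnv4 vrf CUST_A 10.99.1.0 255.255.255.0
```

Because the inbound route-map on the PE ends in an implicit deny, a site that forgets its tags loses reachability immediately rather than silently polluting the VRF; that is the intended failure mode, so put the tagging on the CE in the same change card as the PE filter.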

Rollback plan

Always capture show running-config | section bgp and show ip bgp vpnv4 vrf CUST_A before the change. If the cutover misbehaves, removing neighbor activate (or adding neighbor shutdown) tears down the session cleanly. For added safety, configure the new neighbor as shutdown first, then no shutdown after the rest of the config is verified.
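The shutdown-first sequence and the pre-change capture, turned into an archive-based rollback on the IOS XE PE. This is an added example, not from the page: the archive path flash:bgp-change, the file name pre-change.cfg and the 10-minute revert timer are assumptions; the BGP lines are the article's own.

```cisco
! One-time setup: keep a rolling history of running-config on the PE.
! 'configure terminal revert timer' below refuses to run without an archive path.
archive
 path flash:bgp-change
 maximum 14
 write-memory
!
! Right before the change window, on the exec line:
!   PE# copy running-config flash:pre-change.cfg
!   PE# show running-config | section bgp
!   PE# show ip bgp vpnv4 vrf CUST_A
!   PE# show ip bgp vpnv4 vrf CUST_A summary
!
! Enter config mode with an automatic revert timer (minutes). If 'configure confirm'
! has not been issued when it expires, IOS replaces running-config with the
! snapshot it took on entry, so a change that locks you out undoes itself.
!   PE# configure terminal revert timer 10
!
router bgp 65001
 address-family ipv4 vrf CUST_A
  neighbor 192.168.10.2 remote-as 65010
  ! session stays down while the rest is reviewed
  neighbor 192.168.10.2 shutdown
  neighbor 192.168.10.2 activate
  neighbor 192.168.10.2 send-community both
  neighbor 192.168.10.2 as-override
  neighbor 192.168.10.2 soft-reconfiguration inbound
 exit-address-family
!
! Review, bring it up, verify, then commit inside the timer:
!   PE(config-router-af)# no neighbor 192.168.10.2 shutdown
!   PE# show ip bgp vpnv4 vrf CUST_A summary
!   PE# configure confirm
!
! Rollback paths, in order of preference:
!   PE(config-router-af)# neighbor 192.168.10.2 shutdown    <- stops the session, keeps the config
!   PE# configure revert now                                 <- before 'configure confirm'
!   PE# configure replace flash:pre-change.cfg list          <- after; applies only the diff, no reload
```

configure replace is preferable to pasting the old config back: it computes the difference between the running-config and the file and applies only that, so lines you did not touch (and sessions that depend on them) are left alone.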

India context

Most of the rollouts I touch in India go through one of three integrators: Redington, Ingram Micro or Comsys Mumbai. GeM (Government e-Marketplace) tenders for Catalyst kit have specific compliance requirements: BIS registration, MII (Make-in-India) preference, and a 60-day delivery window from PO. If you're sourcing a Catalyst 9300 stack for a state-government project in 2026, plan a 10-12 week procurement cycle. The kit itself lands at roughly ₹3.2-4.8 lakh per 9300-48UXM-A switch, plus ₹85k SmartNet/year per chassis. Don't quote 4-week delivery to your customer. You will be wrong.

Hand-off notes for the NOC

Before you mark the change complete, drop these into the runbook: the exact show commands you ran for verification, the timestamps of the %LINEPROTO-5-UPDOWN and %SYS-5-CONFIG_I events captured during the change, and a one-line rollback. The NOCs across India that I work with (Bengaluru, Chennai, Mumbai) all use a shared 'change card' template. The clearer the hand-off, the fewer 2 AM calls.

Frequently asked questions

Should I use eBGP or iBGP between PE and CE?

eBGP is standard. The CE is in a different AS, the PE is in the SP AS. iBGP between PE and CE creates next-hop and AS-path headaches you don't want.

Do I need send-community both?

Yes. On the PE-CE session, send-community both passes both standard and extended communities, and the standard ones are what carry the site-code and traffic-class tags from the CE to the PE. The route targets themselves travel on the VPNv4 session between PEs (or to the route reflector); that session needs send-community extended (or both), or the RTs never leave the box and nothing is imported anywhere.

Why does my CE see prefixes but the PE doesn't install them in the VRF?

Look at the three tables in order. If show ip bgp vpnv4 vrf CUST_A neighbors 192.168.10.2 received-routes shows the prefix but show ip bgp vpnv4 vrf CUST_A does not, an inbound route-map or filter on the PE is dropping it. If the BGP table has it flagged r (RIB-failure) but show ip route vrf CUST_A does not, a route with a lower administrative distance, usually a static or connected route, already owns that prefix in the VRF. If the missing prefixes come from another site, it is the route-target: the import here does not match what the other PE exports.

Can I run this over a Meraki MX as the CE?

Yes. Meraki MX 250+ supports eBGP under the SD-WAN tab, but the AS-override and as-path manipulation options are limited compared to IOS XE.

What's the rough deployment cost in India?

A typical 20-branch PE-CE BGP rollout via Redington / Ingram Micro plus a partner like Comsys Mumbai lands between ₹3.5 lakh and ₹6 lakh in implementation fees, excluding kit.



Cost and licensing, honestly

The FMC (Firepower Management Center) hardware cost is only one third of the real bill. In India in 2026 you should also budget for: SmartNet TAC support (₹85,000 to ₹2,00,000 per chassis per year depending on tier: 8x5xNBD vs 24x7x4), a DNA Advantage or Network Advantage subscription (₹40k-₹85k per device per year if you want Catalyst Center features), and the implementation hours from your integrator. A Redington or Ingram Micro distribution invoice for a 6-site MPLS turn-up usually lands between ₹18 lakh and ₹26 lakh end-to-end, hardware, licences, install, and post-go-live support for 90 days. If your customer asks for a US-dollar equivalent for a global parent budget, that's roughly USD 22,000 to USD 31,000 at current rates.

Lab it before you ship it

Every change like this should hit a lab first. I run mine in CML 2.7 (Cisco Modeling Labs) with a 4-node MPLS core and a 2 PE / 2 CE topology. For SD-WAN scenarios I add a vManage instance and a pair of vEdges. The lab catches the silly mistakes: typos in the RT, forgotten address-family activation, missing mpls ip on the core interface. If you don't have CML, Cisco's dCloud has free MPLS L3VPN sandboxes that work for proof-of-config exercises. I tell every junior engineer: spend the 90 minutes labbing the config you're about to push at 11 PM on a Saturday. The lab time is cheaper than the rollback time.

Monitoring after go-live

For the first 72 hours after a cutover I want every %LINEPROTO-5-UPDOWN, %BGP-5-ADJCHANGE, %OSPF-5-ADJCHG, and %LDP-5-NBRCHG piped to a syslog server with a 30-day retention. I usually push them through ELK or Cisco's Stealthwatch if the customer owns it. For longer-term health I rely on Catalyst Center's Assurance dashboard, it spots flap patterns I'd miss eyeballing logs. If something does flap during the warranty period, the SmartNet TAC engineer always wants the pre-change config, the post-change config, and the show tech-support output. Save those three on the bastion before you walk away.
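The logging side of that 72-hour watch, as IOS XE config on the PE. This is an added example, not from the page: the collector 10.1.1.50, Loopback0 as source, the management VRF name MGMT and OSPF process 1 are assumptions. Every message the paragraph lists is severity 5, so the trap level is set to notifications; the protocol-level log commands are there because two of those messages are not emitted by default.

```cisco
! Timestamps the NOC and TAC can correlate across devices
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! Local buffer for when the collector is the thing that broke, plus remote syslog.
! 'notifications' = severity 5, which covers %LINEPROTO-5, %BGP-5, %OSPF-5, %LDP-5 and %SYS-5.
logging buffered 1000000 informational
logging trap notifications
logging source-interface Loopback0 vrf MGMT
logging host 10.1.1.50 vrf MGMT
!
! Adjacency messages only appear if each protocol is told to log them.
router bgp 65001
 bgp log-neighbor-changes
!
router ospf 1
 log-adjacency-changes detail
!
mpls ldp logging neighbor-changes
!
! Config-change audit: each configured line is logged with user and session,
! which is what you want next to %SYS-5-CONFIG_I when a TAC case opens.
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
! Local sanity check during the window:
!   PE# show logging | include ADJCHANGE|UPDOWN|NBRCHG|CONFIG_I
!   PE# show archive log config all
```

Keep logging buffered at least as verbose as the trap level; when the syslog path itself flaps during the change, the on-box buffer is the only copy of the sequence you need to reconstruct.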

One last note from the field

Cisco IOS XE StackWise V1/V2 mismatch will bite you on Catalyst stacks the first time you do a mid-life refresh: verify the stack version on every member with show switch stack-ring speed before touching MPLS or LDP config. With an FMC (Firepower Management Center) in the picture, the lesson I've drilled into every L2 I've trained: read the logs, capture the show output, and never push a route-target change without an exit strategy. I've seen engineers spend 4 hours chasing a 'BGP not coming up' ticket that turned out to be a misplaced space in a route-map name. If you've got a real-world central security manager story or a war story from a turn-up that went sideways, I read every email at pandralasaikiran@gmail.com. Configs get faster every year. Care for the network you run does not.