Basic Services VPRN Configuration
Objectives
Upon successful completion of this module, the student will be familiar with:
Operation and benefits of a VPRN service
VPRN features, functions, components and topologies
VPRN configuration on the Service Router using the SAM
VPRN is a class of VPN that allows the connection of multiple sites in a routed domain over a provider-managed IP/MPLS network.
From the customer's perspective it looks as if all sites are connected to a routed domain.
The service provider can reuse the IP/MPLS infrastructure to offer multiple services.
Each VPRN appears like an additional routing instance; routes for a service are exchanged between the various PEs using MP-BGP.
Customer data is encapsulated using MPLS or GRE encapsulation.
[Figure: CE A to CE D connected through PE A to PE D over an IP / MPLS network, with routing instances RI-1 and RI-2 on the PEs]
In Feb. 2006, Internet Draft RFC2547bis was moved to standard status, as RFC 4364.
All Rights Reserved Alcatel-Lucent 2007
A Virtual Private Routed Network (VPRN) service allows service providers to use their IP backbone to provide a Layer 3 VPN service to their customers. VPRNs are also known as BGP/MPLS VPNs because BGP is used to distribute VPN routing information across the provider's backbone and MPLS is used to forward VPN traffic from one VPN site to another. Each CE router becomes a peer of the PE router that it is directly connected to, not a peer of the other CE routers. A CE router provides the PE router with route information for the private customer network. Each associated PE router maintains a separate IP forwarding table for each VPRN. Additionally, the PE routers exchange the routing information configured or learned from all customer sites via MP-BGP peering. Each route exchanged via the MP-BGP protocol includes a Route Distinguisher (RD), which identifies the VPRN association. MPLS handles the forwarding between the PE routers. This means that the routers in the core of the network need not know about the routes connecting the private networks. A VPRN service uses a two-level label stack: the ingress PE router pushes both an inner VC label and an outer tunnel label onto a packet. After the packet reaches the egress PE router via one or more MPLS Label Switched Paths (LSPs), the PE router pops the MPLS headers and delivers a normal IP packet to the customer.
VPRN Features
Consistent QoS model used across all VPN services
Highly scalable implementation
Per VPN controls to limit route table growth
Consistent service and feature support over IP or MPLS backbone
PE-CE routing support
Comprehensive set of OA&M tools
Statistics, billing and accounting data
Highly scalable: VPN routing and forwarding (VRF) tables, total routes, BGP peerings, IP interfaces.
PE-CE routing supports: static routes, BGP, RIP, OSPF.
Statistics, billing and accounting data:
Per IP-VPN (VPRN): current routes; current routes per protocol source (Static, Local, BGP (PE-CE or Network), OSPF); maximum number of routes (high watermark).
Per IP-VPN interface: packets (in/out), bytes (in/out), errors (in/out).
backbone.
5620 Service Aware Manager 5.0 Core
2. Virtual Routing and Forwarding (VRF) tables on PEs specifying the import and export rules for customer routes advertised between PEs.
3. Configured or learned VPRN routes from the customer sites.
4. MPLS or GRE tunnels between PEs for transporting customers' traffic across the service provider's backbone.
[Figure: Customer 1 VPN and Customer 2 VPN sites, with CEs attached to PEs at the edge of the core network. CE to PE routing: BGP, RIP, Static, OSPF]
VPRN Functions
Distributing Routes
The PEs establish MP-BGP sessions with each other to distribute the routes they have learned from locally connected CEs. Each PE maintains one or more VRFs for each VPRN it is involved with, depending on the VPN topology (mesh or hub and spoke, intranet or extranet).
The PEs forward customer traffic across the service provider's network via GRE or LSP tunnels (outer label). LSPs can be established using LDP or RSVP-TE signaling. When the destination PE receives a data packet, it uses the inner label, which is associated with a given VRF, to determine the appropriate VRF for forwarding the packet onward to the correct CE. The inner label is allocated by the local PE and advertised to the peer PE as part of a VPN-IPv4 route update.
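The two-level label stack and the egress PE's VRF lookup described above, as an added example (not code from the course material or from any router). It assumes the standard 32-bit MPLS label stack entry layout (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL); the label values, VRF names and payload are constructed.

```python
import struct

def entry(label, bottom, ttl=64, tc=0):
    """Encode one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def parse_stack(frame):
    """Return ([(label, tc, ttl), ...], payload), reading entries until S=1."""
    entries, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack ends before the bottom-of-stack bit")
        (word,) = struct.unpack_from("!I", frame, off)
        off += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if word & 0x100:                      # S bit set: this was the inner label
            return entries, frame[off:]

def egress_pe(frame, vrf_by_label):
    """Pop the MPLS headers and pick the VRF from the inner (bottom) label.
    Returns (vrf, ip_packet), or (None, b"") when the packet must be dropped."""
    try:
        entries, payload = parse_stack(frame)
    except ValueError:
        return None, b""
    inner_label = entries[-1][0]
    vrf = vrf_by_label.get(inner_label)       # only labels this PE allocated
    if vrf is None:
        return None, b""
    return vrf, payload

# Constructed sample: label values, VRF names and the payload are made up.
VRF_BY_LABEL = {131070: "VPRN 60 (customer 1)", 131069: "VPRN 61 (customer 2)"}
IP_PACKET = bytes.fromhex("45000014") + b"\x00" * 16
FRAME = entry(1024, bottom=False) + entry(131070, bottom=True) + IP_PACKET

if __name__ == "__main__":
    print(parse_stack(FRAME)[0])
    print(egress_pe(FRAME, VRF_BY_LABEL)[0])
    print(egress_pe(entry(1024, False) + entry(99999, True) + IP_PACKET, VRF_BY_LABEL))
```

Because the inner label alone selects the VRF, the egress PE in this sketch drops any packet whose bottom label is not one it allocated rather than falling back to another routing table.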
VPRN Topologies
Hub and spoke can be achieved in either full mesh or extranet using Route Policies that make a single PE/CE the Hub and all other PE/CE spokes
(Full or partial) Route Exchange between multiple VRFs using Route Policies
Full Mesh
A fully meshed VPRN network provides full redundancy. This requires each PE to be connected to every other PE in the network. The disadvantage is reduced scalability. As the number of nodes grows, the number of paths will increase exponentially.
Extranet
An Extranet topology allows routes to be exchanged between two or more VRFs. The shared routes are identified by Route Policies.
[Figure: hub and spoke topology for Service 1. Hub: PE-A with VRF-1 and VRF-2, attached to CE-1. Spokes: PE-B and PE-C with VRF-1, attached to CE-2 and CE-3.]
Hub CE-1 advertises its routes to VRF-2 in PE-A, next hop CE-1.
VRF-2 advertises its routes (or default route) via MP-BGP to PE-B and PE-C, next hop PE-A.
PE-B and PE-C advertise the routes (or default route) received from the Hub to their respective CEs.
The Spoke CEs advertise their routes to their respective PEs, next hop the appropriate CE.
The spoke PEs advertise the spoke routes to the Hub PE VRF-1, next hop the appropriate Spoke PE.
The hub PE advertises the spoke routes to the Hub CE.
In a hub and spoke topology the majority of the traffic is exchanged between spoke sites and a hub site. A banking institution is an example of a customer which would likely use a hub and spoke VPN topology, as most traffic is sent between branch offices (i.e. spoke sites) and a head office (i.e. hub site). If some traffic is exchanged between spoke sites, it traverses the hub site. The spoke sites advertise their routes to the hub site. The hub site may then re-advertise these routes to the other spoke sites with itself as the next hop. Hence traffic from one spoke site to another traverses the hub site. In order for the hub site to receive routes from spoke sites, and re-advertise them to the other spoke sites, it needs two VRFs: one for routes coming in from the various spoke sites and one for routes it advertises out to the spoke sites (either traffic originating at the hub site, or traffic forwarded from other spoke sites).
Transport Tunnels
Each PE involved in a given VPRN service must be configured with a tunnel to every other PE participating in the same VPRN service to transport a customer's VPN traffic from one site to another. The tunnel is created either through the configuration of an SDP or using the auto-bind option when creating a VPRN service instance. For VPRN services, SDP tunnels can be created using MPLS with RSVP-TE or GRE encapsulation. The auto-bind method for creating tunnels can be used with LDP or GRE. If SDP tunnels are used, they must be created prior to the creation of the VPRN services. The configuration of an SDP includes specifying the far-end PE and the type of encapsulation used, GRE or MPLS with RSVP-TE. When RSVP-TE signaling is used, the outer LSP tunnels must be explicitly configured in addition to the creation of the SDPs. When the outer tunnels are created using auto-bind with LDP there is no need to explicitly configure the LSP tunnels. It is only necessary to enable LDP signaling on the appropriate interfaces, and once the MP-BGP sessions have been established, the LSP is automatically established. Similarly, outer tunnels created using auto-bind with GRE do not require any preliminary configuration; the VPRN service only needs to be auto-bound to GRE. When the auto-bind option is used, traffic from all VPRN services (configured with the auto-bind option) traverses the same LSPs. In this case it is not possible to have alternate tunneling mechanisms (like GRE) or the ability to configure sets of LSPs with bandwidth reservations for specific customers, as is available with explicit SDPs for the service. If LSPs with reserved bandwidth are needed then SDPs with RSVP-TE signaling should be used for the outer tunnels.
If distinct tunnels per VPRN service are desired, then SDPs with GRE or RSVP-TE signaling should be used so that VPRN instances can be explicitly bound to specific SDPs.
Outer Label
Each PE in the VPRN connected by a tunnel
Tunnels created by:
Creating an SDP (RSVP-TE or GRE)
Auto-bind (LDP only)
PE to CE Route Distribution
eBGP Routing
eBGP is configured between the PE and each attached CE belonging to the same VPRN in the VPRN service instance. The explicit configuration of the autonomous system number and router-id is optional. If omitted, these values simply inherit the router's global AS number and router-id. The local address is also an optional parameter. When it is not specified, it inherits the system IP address when communicating with iBGP peers and the interface address for directly connected eBGP peers. If no import route policy is specified, then all BGP routes advertised by the CE are accepted by the PE. An export policy is needed for the PE to advertise the routes learned from other PE sites in the VPRN instance via MP-BGP to the CE router via eBGP.
RIP Routing
When RIP is used as the PE-CE routing protocol, a RIP instance must be enabled on the PE router in the router context. Subsequently RIP can be configured on the PE-CE interface during the configuration of the VPRN service. RIP is configured between the PE and each attached CE belonging to the same VPN in the VPRN service instance. By default RIP does not export routes it has learned to its neighbors. Therefore it is necessary to configure an export policy to enable MP-BGP routes learned from remote CEs belonging to the VPN to be redistributed into RIP and to the local CE.
OSPF Routing
As of R4.0 of the 7X50 routers, OSPF can be used as the PE-CE routing protocol. This provides a way for a network to continue using a single protocol as it is migrated to an IP-VPN backbone. OSPF LSA information is not transmitted natively across the IP-VPN. The OSPF routes are imported into MP-BGP as AS externals. As a result, other OSPF-attached VPRN sites on remote PEs will receive these via type 5 LSAs. This process is not automatic and requires the configuration of (existing) Route Policies. Stub areas, OSPF-TE and sham links are not currently supported.
Create a Customer
Add a Layer 3 Access Interface to each site
Configure Access ports
Specify MTU
Assign Encapsulation value
Service Topology View Properties
Enable BGP
BGP Configuration
The following steps cover the configuration of an iBGP mesh, which will be used for the advertisement of VPRN routes from each customer's VRFs. A BGP mesh will be required among all participating sites in the VPRN service. Check that BGP is enabled on the base routing instance, as should have been configured previously. Right click on Routing Instance 1, select the Protocols tab, and verify that BGP is checked.
Configure BGP AS
Select the BGP routing instance for your router from the Navigation Tree Network view, right click and select Properties. In the General tab, verify the Site ID is the system interface IP address.
Select the AS Properties tab, and verify the AS Number; 100 is used here as an example. Leave all other entries as the defaults. In the VPN tab, enable Family: VPN-IPV4 and IPv4. It is essential that you enable the VPN-IPV4 family as this is required to carry VPRN routes.
4. Select the AS Properties tab
5. Set the Peer AS to 100
6. Select OK, OK, Apply and Yes

3. Enter the System ID for the other router
4. In the General tab, choose Select under the Routing Instance group

1. Select the Peer Group from the list
2. Click OK, OK, Apply and Yes
3. Click Close or Cancel
Create a Customer
2. Select Create
Configure a Customer
A service must be associated with a customer. The customer may be associated with multiple services, yet there can only be one customer per service. To create a customer:
Select Manage Customers from the Main menu
Click on the Create button
Under the General tab of the Customer Create window, complete the appropriate customer information then click OK.
Verify that the customer has been created by selecting Manage Customers from the Main menu and clicking the Search button. A list of customers, based upon the configured filter, will appear. Verify the customer appears in the list.
Alternatively, you can select a previously configured customer in the Create Service stage.
Create a VPRN
To create a service, select the service type and assign the managed devices upon which the service will terminate, referred to as the Service Sites. To create a VPRN:
Select Create Service VPRN from the Main Menu
Click the Select button in the Customer block
Select a customer from the list that appears and click the OK button
Complete the remaining parameters, as required. Though optional, providing a service name and relevant description will enable the network administrator or operator to find the service using the Search filter.
Click Apply
Add and configure PE Sites:
Click on the Components Tab then right click on VPRN.
Select Create Site
Select the sites participating in the service.
Click OK
Select the Components Tab to view the service sites.
Select the first Routing Instance. Right click and select Properties. Give the site a Name and a Description.
Click on the Routing tab. This enables us to configure the virtual router instance. Configure the following properties:
Router id = the system address of the router
AS number = 100
Route Distinguisher Type = Type 0 (use an assigned value as a route distinguisher)
Type 0 Administrative Value = 100
Type 0 Assigned Value = a unique identifier in order to make the network address unique to this VPRN; 60 is used as an example.
Click on the VRF-Target sub tab and set the VRF route target properties as follows:
VRF Target Type = Define Default
Target Format = AS
Target AS Value = 100
Target Extended Community Value = unique value, which must match each distant end Route Target Value of the other sites participating in the service in order to allow the population of network addresses in the VRF; 95 is used as an example.
Click on the Auto-Bind tab and set the Transport to MPLS:LDP. This will enable the use of LDP signaled LSPs to reach each remote site, rather than SDPs. Click OK and OK.
Port Selection
Add a SAP to the interface via the Port tab.
In the Port tab, choose Select in the Terminating Port Region. Click OK.
In the Select Terminating Port window, select Search.
IP Address Assignment
Select the Address tab. Click Add. Configure an address on the interface of the specific router. Note: Unlike IES, it does not matter if customer address spaces overlap on each VPRN service as the route distinguisher keeps them unique. In the IP Address window, type in the IP Address and Prefix Length, and click OK, OK, OK, OK.
Repeat all of the previous steps, starting with assigning a Name and Description, for the other site(s) participating in the service. In this example, the other site is node 146.
Final Steps
In the Components window, select Apply, Yes and then Topology View to view the newly created VPRN.
[Figure: Topology View of the new VPRN. Labels: Service Access Point (Port ID:Outer Encap:Inner Encap), Service Tunnels, Service Type, Service ID:Site ID]
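The route distinguisher and VRF target settings from the steps above, modelled as an added example (not SAM or router code): it shows overlapping customer prefixes staying distinct under different RDs, and an audit that catches a site whose route target was mistyped. It assumes a single default target per VRF used for both import and export; RD 100:60 and target 100:95 are the page's example values, while the second customer, its 100:61 / 100:96 values, the site names and all prefixes are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str        # hypothetical label "<service>@<PE>"
    service: str     # VPRN service the operator intends this site to belong to
    pe: str
    rd: str          # Type 0 route distinguisher, "admin:assigned"
    rt: str          # default VRF target, used for both import and export
    prefixes: list   # routes learned from the local CE
    table: dict = field(default_factory=dict)

def distribute(vrfs):
    """Model the MP-BGP exchange: each VRF exports RD:prefix tagged with its
    route target; a VRF on another PE installs a route only if the target matches."""
    bgp = {(v.rd, p): (v.rt, v.pe) for v in vrfs for p in v.prefixes}
    for v in vrfs:
        v.table = {p: (rd, pe) for (rd, p), (rt, pe) in bgp.items()
                   if rt == v.rt and pe != v.pe}
    return bgp

def audit(vrfs):
    """Flag sites whose route target cuts them off from their own service
    or joins them to a different customer's service."""
    findings = []
    for v in vrfs:
        peers = [o for o in vrfs if o is not v and o.rt == v.rt]
        if any(o.service != v.service for o in peers):
            findings.append((v.name, "shares a route target with another service"))
        if not any(o.service == v.service for o in peers):
            findings.append((v.name, "no site of its own service matches its target"))
    return findings

def sample(pe_b_rt="100:95"):
    # Constructed data. RD 100:60 and target 100:95 are the page's example values;
    # cust2's 100:61 / 100:96 and every prefix are made up for the illustration.
    return [
        Vrf("cust1@PE-A", "cust1", "PE-A", "100:60", "100:95", ["10.1.1.0/24"]),
        Vrf("cust1@PE-B", "cust1", "PE-B", "100:60", pe_b_rt, ["10.1.2.0/24"]),
        Vrf("cust2@PE-A", "cust2", "PE-A", "100:61", "100:96", ["10.1.1.0/24"]),
        Vrf("cust2@PE-B", "cust2", "PE-B", "100:61", "100:96", ["10.1.2.0/24"]),
    ]

if __name__ == "__main__":
    for rt in ("100:95", "100:59", "100:96"):   # correct, typo, other customer's value
        sites = sample(rt)
        distribute(sites)
        print(rt, {s.name: s.table for s in sites}, audit(sites))
```

A mistyped target that matches nothing only isolates the site, whereas one that equals another service's target installs that customer's routes in the VRF, so comparing targets per service before applying the change is the check worth automating.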
Questions
1. What method does a VPRN service use to differentiate overlapping customer address space?
a. and Autonomous IP-Address
c. IP-Address and Cluster-Id
d. Router-Id and Cluster-Id
4. What method is used to exchange routes between PEs?
a. OSPF
b. RIP
c. Static
d. MP-BGP
Answers
1. What method does a VPRN service use to differentiate overlapping customer address space?
a. and Autonomous IP-Address
c. IP-Address and Cluster-Id
d. Router-Id and Cluster-Id
4. What method is used to exchange routes between PEs?
a. OSPF
b. RIP
c. Static
d. MP-BGP