Inter As Mpls Ciscolive BRKMPL 2105

Inter-AS MPLS Solutions
BRKMPL-2105
Sangita Pandya, TME, Cisco Systems, Inc. SPANDYA@cisco.com
The Prerequisites
Must understand basic IP routing Familiar with MPLS architectures Familiar with MPLS applications Some level of MPLS network design/ deployment experience
BRKMPL-2105
2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Goal
Explore Inter-AS MPLS VPN use cases
Discuss various architectures that facilitate support of MPLS VPN services in Inter-AS environment Highlight some of the key differences between IOS and IOS XR Introduce some of the key commands in IOS or IOS XR For full configuration examples please refer to www.cisco.com
BRKMPL-2105
Cisco Public
Agenda
Inter-AS Networks
Inter-AS Connectivity Models
Carrier Supporting Carrier

CSC Service Models
Inter-AS L3 VPNs Inter-AS L2VPNs Inter-AS Multicast VPNs
MPLS L3 VPNs Multicast VPNs MPLS L2 VPNs
Inter-AS RSVP-TE
BRKMPL-2105
Cisco Public
Inter-AS MPLS Service Use Cases

Subscriber1 AS1 Provider 1 Subscriber1 AS2 Provider 2 AS3 Provider 2 SubscriberN
SubscriberN
Extend VPN services over multiple independently managed MPLS domains

Fast geographic service coverage expansion Two MPLS VPN Providers peering to cover for a common customer base
Build MPLS VPN networks on original multi-domain network

IGP isolation with service continuity Interconnect BGP confederations with different IGPs in the same AS
Two available as described in RFC 4364 :

1.Carrier Supporting Carrier (CSC)
BRKMPL-2105
2.Inter-Autonomous Systems (I-AS)

Cisco Public
Carrier Supporting Carrier vs. Inter-AS

Customer Carrier-B
MPLS Backbone Provider
ASBR-A ASBR-B
Customer Carrier-B
Provider-A
Subscriber A Site1
Provider-B
Subscriber A Site1
Subscriber A Site2
Subscriber A Site2
CSC
IP/MPLS Carrier doesnt want to manage own MPLS backbone IP/MPLS Carrier is a customer of another MPLS backbone provider Only the backbone provider is required to have MPLS VPN core Customer Carriers do not distribute their subscribers VPN info to the backbone carrier Client-Server model
Inter-AS
Single SP POPs not available in all geographical areas required by their subscribers/customers SPs provide services to the common customer base Both SPs must support MPLS VPNs Subscribers VPN information distributed to peering SPs network Peer-Peer model
Cisco Public
BRKMPL-2105
Inter-AS L3 VPNs Overview
BRKMPL-2105
Cisco Public
Extending VPN services over Inter-AS networks

VPN Sites attached to different MPLS VPN Service Providers How do you distribute and share VPN routes between ASs
ASBR1
Back-to-Back VRFs (Option A) MP-eBGP for VPNv4 (Option B)
ASBR2
AS #1
PE11
AS #2
PE22
Multihop MP-eBGP between RRs (Option C) MP-eBGP+Labels CE2
CE1
VPN-R1
VPN-R2
BRKMPL-2105
Cisco Public
Intra-AS MPLS VPNs Review

MP-iBGP Update
Route Distinguisher (RD) convert IPv4 routes to VPNv4 Routes Route Target allows VPN routes to be imported/exported to/from a VPN Peer PE loopbacks are known via IGP
VPN/VRF Endpoints
18.1/16
IP
BGP VPN-IPv4 Net=RD:16.1/16 NH=PE1 Route Target 100:1 VPN Label=40
VPN/VRF Endpoints
16.1/16
IP
PE1
P1 P2
PE2
MPLS Core
MP-iBGP Update:
MP-BGP protocol carries VPNv4 routes and communities using BGP address-families
IP
40
P1
IP
40
@PE1
BRKMPL-2105
@PE2
9
Cisco Public
Inter-AS VPNOption A
Connecting ASBRs using Back-to-Back VRFs

Each ASBR Thinks the Other Is a CE
PE1
P1
P1
Unlabeled IP Packets
VRF-Lite Configuration
PE2
P2
AS1
IP
PE-ASBR1
IP 40
PE-ASBR2
IP 80 P2
AS2
IP 80 IP
IP
40
P1
IP
Two providers prefer not to share MPLS link
One logical interface per VPN/VRF on directly connected ASBRs;

Packet is forwarded as an IP packet between the ASBRs Link may use any supported PE-CE routing protocol
IP QoS policies negotiated and configured manually on the ASBRs

Option A is the most secure and easiest to provision May not be easy to manage as #s of VPNs grow
BRKMPL-2105
Cisco Public
10
Inter-AS VPNOption B
Connecting two ASBRs Two Methods

1. Redistribute eBGP link into the IGP of both AS
ASBR1 AS #1
IGP1
ASBR2 AS #2
IGP2
PE1
PE2
2. Receiving PE-ASBRs be the next hop

Im the Next Hop to AS2
ASBR1 AS #1
Im the Next Hop to AS1

ASBR2
AS #2 PE2
PE1
BRKMPL-2105
Cisco Public
11
Establishing reachability between geographically dispersed VPNs using Next Hop Self on ASBRs
eBGP for VPNv4
VPN-v4 update: RD:1:27:152.12.4.0 /24, NH=PE1 RT=1:222, Label=(L1) PE1
ASBR1
Label Exchange between Gateway PE-ASBR Routers Using eBGP
ASBR2
VPN-v4 update: RD:1:27:152.12.4.0/24, NH=ASBR2 RT=1:222, Label=(L3)
AS #1
VPN-v4 update: RD:1:27:152.12.4.0 /24, NH=ASBR1 RT=1:222, Label=(L2)
AS #2
PE2
CE2 BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2
BGP, OSPF, RIPv2 152.12.4.0/24,NH=CE2
CE1
Customer-A 152.12.4.0/24
Customer-A
BRKMPL-2105
All VPNv4 Prefixes/Labels from PEs Distributed to ASBRs Next Hop and labels are rewritten on ASBRs when routes are advertised across domains. ASBRs store all VPNv4 routes in BGP table.
Cisco Public
12
Establishing reachability between geographically dispersed VPNs using Next Hop Self on ASBRs
No Virtual Routing Forwarding tables on ASBRs unless ASBR also supports PE functionality (has VRF interfaces)
In IOS, Receiving PE-ASBR automatically creates a /32 host route to a peer ASBR
Which must be advertised into receiving IGP if next-hop-self is not in operation to maintain the LSP
In XR, must define a static route to the Next Hop of peer ASBR for Option B and C as well as all address families (IPv4, IPv6, VPNv4, VPNv6). The CLI is only shown in Option B configuration example. In XR, must define route-policy to pass or filter selected VPNv4 routes for for Option B and Option C as well as all address families (IPv4, IPv6, VPNv4, VPNv6). The CLI is only shown in Option B configuration example.
ASBR-ASBR link must be directly connected!!!!!! Could use GRE tunnelconsidered directly connected.
BRKMPL-2105
Cisco Public
13
End-to-end VPN packet forwarding - Next Hop Self on ASBRs

L3 ASBR1 152.12.4.1 ASBR2 152.12.4.1
L1 AS #1
L2 152.12.4.1 AS #2 PE2 CE1 VPN-R1 152.12.4.0/24
PE1
152.12.4.1
CE2
VPN-R2
152.12.4.1
L1, L2, L3 are BGP VPN label.
The Outer Most Core (IGP Labels in an AS) Label Is not displayed in on this slide.
BRKMPL-2105
Cisco Public
14
ASBR1
Cisco IOS ASBR eBGP configuration

eBGP for VPNv4
ASBR2
AS #1 PE1 CE1 VPN-R1
AS #2
PE2
! router bgp 1 neighbor <ASBR2> remote-as 2 neighbor <PE1> remote-as 1 neighbor <PE1> update-source loopback0 no bgp default route-target filter ! address-family vpnv4 neighbor <PE1> remote-as 1 activate neighbor <PE1> remote-as 1 next-hop-self neighbor <ASBR2> remote-as 2 activate neighbor <ASBR2> remote-as 2 send-community extended
CE2
VPN-R2
ASBRs require no bgp default route-target filter command to store VPNv4 routes as it does not have any VRF interfaces.
BRKMPL-2105
Cisco Public
15
ASBR1 PE1
AS #1
Cisco IOS XR ASBR1 Configuration

eBGP for VPNv4 Int gig0/0/1
50.0.0.1
Int gig0/0/1
50.0.0.2
ASBR2
PE2 AS #2
router bgp 1 mpls activate
(!Enables MPLS forwarding onASBR!) (!Specify ASBR-ASBR link!) !
interface <type & #>
address-family vpnv4 unicast
neighbor <ASBR2> remote-as 2 address-family vpnv4 unicast route-policy pass-all in route-policy pass-all out
(!Initialize VPNv4 address family for ASBR)
(!Allow forwarding of VPNv4 routes to other AS!) !
route-policy pass-all pass

end-policy ! BRKMPL-2105
! neighbor <PE1> remote-as 1 update-source loopback0 address-family vpnv4 unicast next-hop-self (!Set ASBR1 as next-hop-self!) ! router static 50.0.0.2/32 interface gig0/0/1 ! (!Static Route for ASBR-ASBR link must be configured. It is not installed automatically like in IOS!)
Note: Static route and route-policy required for all address-families & Option B and C
Cisco Public
16
Inter-AS VPNOption C
Route Reflectors exchange VPNv4 routes ASBRs Exchange PE loopbacks (IPv4) with labels as these are BGP NH addresses
Multihop eBGP VPNv4 Between RRs for better scale
Eliminates LFIB duplication at ASBRs. ASBRs dont hold VPNv4 prefix/label info.
Two Options for Label Distribution for BGP NH Addresses for PEs in each domain:
RR1
Exchange VPNv4 Routes
RR2
1. BGP IPv4 + Labels (RFC3107) most preferred & recommended

2. IGP + LDP BGP exchange Label Advertisement Capability Enables end-end LSP Paths Subsequent Address Family Identifier (SAFI value 4) field is used to indicate that the NLRI contains a label Disable Next-hop-self on eBGP RRs (peers)
BRKMPL-2105
AS #1
ASBR1 ASBR2
AS #2
eBGP IPv4 + Labels
PE1
IGP + LDP
PE2
Cisco Public
17
I-AS VPNOption C
Establishing reachability between VPNs

BGP VPNv4 update: RD:1:27:152.12.4.0/24, NH=PE1 RT=1:222, Label=(L1)
BGP update: RD:1:27:152.12.4.0/24, NH=PE1 RT=1:222, Label=(L1)
RR1
RR2
AS #1 PE1 BGP, OSPF, RIPv2 CE1 152.12.4.0/24,NH=CE2 VPN-R1 152.12.4.0/24
ASBR1
ASBR2
BGP VPN-v4 update: RD:1:27:152.12.4.0/2 4, NH=PE1 RT=1:222, Label=(L1)
PE2
To ASBR2: Network=PE1 NH=ASBR-1 Label=(L2)
From ASBR1: Network=PE1 NH=ASBR-2 Label=(L3)
BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2
CE2
VPN-R2
ASBRs store PE loopbacks & exchange labels for PE Loopback addresses

RRs store and exchage VPNv4 routes & labels
BRKMPL-2105
Cisco Public
18
I-AS VPNOption C
VPN packet forwarding
RR1
RR2
ASBR1
L1 152.12.4.1 PE1
ASBR2 L3
L1
152.12.4.1 PE2
L2
CE1
L1
152.12.4.1
CE2
152.12.4.1
152.12.4.1
VPN-R1 152.12.4.0/24
VPN-R2
L1 is a VPN label. L2 and L3 are IPv4 labels.
The Outer Most Core (IGP Labels in an AS) Label Is not displayed in on this slide.
BRKMPL-2105
Cisco Public
19
I-AS VPNOption C
! address-family ipv4 neighbor <RR1> activate neighbor <RR1> send-label !
IPv4+Label, Cisco IOS Configuration

! router bgp 1 neighbor <RR2> ebgp-multihop 255 ! address-family ipv4 RR2activate neighbor <RR2> ASBR1 neighbor <PE1> activate neighbor <PE1> send-label
RR1
AS #1
PE1
! address-family ipv4 neighbor <ASBR2> activate neighbor <ASBR2> send-label
neighbor ASBR2 <ASBR1> activate neighbor <ASBR1> send-label PE2 ! address-family vpnv4 neighbor <RR2> next-hop-unchanged exit-address-family !
neighbor <RR1> activate neighbor <RR1> next-hop-self neighbor <RR1> send-label !

BRKMPL-2105
Cisco Public
20
I-AS VPNOption C
! Command towards all peers! address-family ipv4 labeled-unicast ! RR1
AS #1 PE1 ! router bgp 1 address-family vpnv4 unicast ! neighbor <RR2> remote-as 2 address-family vpnv4 unicast ebgp-multihop 255 next-hop-unchanged !
BRKMPL-2105
IPv4+Label, Cisco IOS XR Configuration

! Command towards all peers! address-family ipv4 labeled-unicast !
RR2
ASBR1
ASBR2 PE2
Cisco Public
21
Inter-AS Multipath Load Balance Options

AS1 Support VPNv4 and label negotiated IPv4 eBGP sessions between ASBR1 loopbacks of directly connected routers w/o the use of LDP on the Topo-1 connecting interfaces
Consider the three topologies Designated by Topo-1, Topo-2, Topo-3 Load balancing for Inter-AS sub-cases with:
1. 2. 3. 4. Interface Peering Loopback peering IPv4 + Label VPNv4 + Label
ASBR1
AS2
ASBR2
ASBR2 ASBR3
Topo-2
ASBR1
ASBR2
ASBR3
ASBR4
Topo-3
BRKMPL-2105
Cisco Public
22
Inter-AS Loopback Peering for Directly Connected ASBRs

RR1
L0:10.10.10.10 L0:10.20.20.20/32
E0/0: 168.192.0.2 ASBR-2
RR2
E0/0: 168.192.0.1 ASBR-1
PE1
AS #1
AS #2
PE2
E2/0: 168.192.2.1
E2/0: 168.192.2.2
Create loopback interfaces on directly connected ASBRs HOSTNAME ASBR2 (IOS configuration)
! interface e0/0 ip address 168.192.0.2 255.255.255.252 mpls bgp forwarding ! Enable BGP forwarding on connecting interfaces ! interface e2/0 ip address 168.192.2.2 255.255.255.252 mpls bgp forwarding ! router bgp 2 neighbor 10.10.10.10 remote-as 1 neighbor 10.10.10.10 disable-connected-check neighbor 10.10.10.10 update-source Loopback0 !
! address-family vpnv4 neighbor 10.10.10.10 activate neighbor 10.10.10.10 send-community extended ! ip route 10.10.10.10 255.255.255 e0/0 168.192.0.1 ip route 10.10.10.10 255.255.255 e2/0 168.192.2.1 ! Configure /32 static routes to the eBGP neighbor loopback address
BRKMPL-2105
Cisco Public
23
Inter-AS Security Elements

MD5 Authentication on LDP/BGP Sessions
Apply max prefix Static Labels TTL check to diagnose DoS attacks Filtering with BGP attributes ASPATH, ext communities, RDs checks, etc. Set route-maps to filter and send only the desirable prefixes RT Constraint (filtering) Customize Route Targets, RT Rewrite
BRKMPL-2105
Cisco Public
24
Route Target Rewrite Example

VPN-A
Export RT 100:1 Rewrite RT: 100:1->200:1
VPN-A
Export RT 200:1
Import RT 100:1
VPNv4 Exchange
PE-ASBR1
Import RT 200:1
PE-1
AS #1
PE-ASBR2
AS #2
PE2 CE2
CE-1
VPN-A-1
Rewrite RT: 200:1->100:1
Replace Incoming Update on ASBR2:
ip extcommunity-list 1 permit rt 100:1 ! route-map extmap permit 10 match extcommunity 1 set extcomm-list 1 delete set extcommunity rt 200:1 additive ! route-map extmap permit 20 ! neighbor X.X.X.X route-map extmap in
Cisco Public
VPN-A-2
BRKMPL-2105
25
Inter-AS L3VPN Summary

Three models: Option A, B, and C
Option A is the most secured, least invasive. Support granular QoS.
Option B, more scalable than Option-A for high numbers of VRFs. more adoptable by different provider corporations
Less invasive than Option C, More invasive than Option A More scalable than Option-A if have high numbers of VRFs Use eBGP for ASBR peering ASBRs store VPNv4 routes and allocate labels for VPN prefixes
Option C, most scalable, most invasive, mostly deployed in a single service providers multi-AS network
Use ASBRs to handle IPv4 PE loopbacks Route Reflectors exchange VPNv4 routes
BRKMPL-2105
Cisco Public
26
Inter-AS IPV6 VPNs
BRKMPL-2105
Cisco Public
27
Inter-AS IPv6 VPN

2003:1:: is reachable via BGP Next Hop = 10.10.20.2
2003:1:: is reachable via BGP Next Hop = 10.10.20.2 10.10.10.1
ASBR1
10.10.10.2
ASBR2
10.10.20.2
2003:1:: is reachable via BGP Next Hop = 10.10.20.1 bind BGP label to 2003:1:: (*)
6VPE1
AS1
AS2
10.10.20.1
6VPE2
CE1
VPN-R1 2001:0db8::
CE2
VPN-R2 2003:1::
All three ASBR-to-ASBR connectivity options discussed in earlier sections are supported for
-IPv6 Provider Edge Router - 6PE model (uses vanilla IPv6) -IPv6 VPN Provider Edge - 6VPE model (uses option A,B,C)
IPv4 address is used for PE-ASBR and ASBR-ASBR peering

BRKMPL-2105
Cisco Public
28
Inter-AS IPv6 VPN IOS Configuration

ASBR1
10.10.10.2
10.10.10.1
ASBR2
20.20.20.2
AS1
AS2
20.20.20.1
6VPE1
6VPE2
CE1
VPN-R1 2001:0db8::
router bgp 1 no bgp default ipv4-unicast no bgp default route-target filter neighbor 20.20.20.2 remote-as 2 neighbor 10.10.10.1 remote-as 1 neighbor 10.10.10.1 update-source Loopback1 ! address-family vpnv6 !Peering to ASBR2 over an IPv4 link! neighbor 20.20.20.2 activate neighbor 20.20.20.2 send-community extended !Peering to PE1 over an IPv4 link! neighbor 10.10.10.1 activate neighbor 10.10.10.1 next-hop-self neighbor 10.10.10.1 send-community extended
CE2
VPN-R2 2003:1::
BRKMPL-2105
Cisco Public
29
Inter-AS IPv6 VPN IOS XR Configuration

ASBR1
10.10.10.2
10.10.10.1
ASBR2
20.20.20.2
AS1
AS2
20.20.20.1
6VPE1
6VPE2
CE1
VPN-R1 2001:0db8::
router bgp 1 ! address-family vpnv6 unicast !Peering to ASBR2 over an IPv4 link! neighbor 20.20.20.2 remote-as 2 address-family vpnv6 unicast
CE2
VPN-R2 2003:1::
!Peering to PE1 over an IPv4 link! neighbor 10.10.10.1 remote-as 1 address-family vpnv6 unicast
BRKMPL-2105
Cisco Public
30
Inter-AS L2 VPNs
BRKMPL-2105
Cisco Public
31
Enabling L2VPNs
Targetted-LDP Peers VC types & Labels exchanged PE1
PW1 Pseudowire
CE1
PE2
PW2
CE3
CE2
AC
IP/MPLS AS1
AC
CE4
An L2VPN is comprised of switched connections between subscriber endpoints over a shared network PW is an emulated circuit over IP or MPLS core Virtual Circuit(VC) is created for every Attachment Circuit (AC) Goal is to transport Native Services without loosing original encapsulation format
L2VPN PEs exchange labels for VC types

BRKMPL-2105
Cisco Public
32
Building L2VPNs in I-AS environment

Challenge:
LDP or BGP L2VPN (for VPWS or VPLS) peers are located in different AS
Solution:
Use Option A, dont need to know loopbacks of L2VPN peers in other AS
Use Option B to establish NLRI beween L2VPN peers Use Option C to establish NLRI between L2VPN peers
BRKMPL-2105
Cisco Public
33
Inter-AS L2VPN Multiple PW Segments Using Option A

T-LDP Peers VC type & Label
PW1
T-LDP Peers VC type & Label

PW1
Pseudowire PW Label PL = Payload
CE1
PE1
PW2
ASBR1
ASBR2
PE2
PW2
CE2
AC PL 40
IP/MPLS AS1 PL 40
. .
AC
PL 80
IP/MPLS AS2 PL 80
AC
Any Transport over MPLS is a point-to-point L2VPN service
Need T-LDP sessions to build a PW. Need an IP address to build T-LDP session. One PW/AC (AC types: Ethernet, VLAN, PPP, ATM, TDM, FR, HDLC) Clear demarcation between ASs
PE-ASBR exchange PW (VC) label Granular QoS control between ASBRs
BRKMPL-2105
Cisco Public
34
Inter-AS L2VPN Multihop PW Using Option B

T-LDP Peers
PW Labels PL = Payload
T-LDP Peers ASBR1

PW2
PE1
ASBR2
PW3
PW1
PE2 IP/MPLS AS2
IP/MPLS AS1
T-LDP
Peers
PL
40
PL
40
PL
10
PL
80
PL
80
PE and P devices do not learn remote PW endpoint addresses

Only PW endpoint address (ASBR) leaked between ASs ASBRs swap PW (Virtual Circuit) Label
BRKMPL-2105
Cisco Public
35
Inter-AS L2VPN Option B IOS Configuration

! !
HOSTNAME PE1
! interface giga1/0 xconnect <ASBR1> 10 encapsulation mpls !
HOSTNAME PE2
! interface giga1/0 xconnect <ASBR2> 20 encapsulation mpls !
PE1
ASBR1
PW1 IP/MPLS AS1
ASBR2
PW3
PE2
IP/MPLS AS2
PW2
HOSTNAME ASBR1
! pseudowire-class pw-switch encapsulation mpls
HOSTNAME ASBR2
! pseudowire-class pw-switch encapsulation mpls
! l2 vfi pw-switch point-to-point neighbor <ASBR2> 100 pw-class pw-switch neighbor <PE3> 10 pw-class pw-switch !
Interface giga3/0 mpls bgp forwarding ! ! router bgp 1 Neighbor <ASBR2-WAN> remote-as 2 exit-address-family ! *Also announce the loopback address (xconnect ID) of ASBR1 in IGP(AS1) and eBGP
BRKMPL-2105
! L2 vfi pw-switch point-to-point neighbor <ASBR1> 100 pw-class pw-switch neighbor <PE4> 20 pw-class pw-switch !
Interface giga3/0 mpls bgp forwarding ! router bgp 2 neighbor <ASBR1-WAN> remote-as1 exit-address-family ! *Also announce the loopback address of ASBR2 in IGP(AS2) and eBGP
Cisco Public
36
Inter-AS L2VPNOption C Single-Hop PW: BGP IPv4+label

PW Labels PL = Payload
T-LDP Peers PE1 IP/MPLS AS1 ASBR1
ASBR2
PE2 IP/MPLS AS2
PL
40
10
PL
40
20
PL
40
PL
40
Single physical interface between ASBRs
PW endpoint addresses leaked between ASs using eBGP IPv4+label and distributed to PEs using iBGP IPv4+label
PWs are not terminated on ASBRs
BRKMPL-2105
Cisco Public
37
Inter-AS AToM Option CConfiguration

HOSTNAME PE3 ! interface Gig1/1/1 xconnect <PE4> 100 encapsulation mpls ! ! Activate IPv4 label capability ! router bgp 1 ! address-family ipv4 neighbor <ASBR-1> send-label exit-address-family !
Notice PW configuration remains the same as in intra-AS network
HOSTNAME PE4 ! interface Gig1/1/1 xconnect <PE3> 100 encapsulation mpls ! ! Activate IPv4 label capability ! router bgp 2 ! address-family ipv4 neighbor <ASBR-2> send-label exit-address-family !
T-LDP Peers
PE3
Int Gig1/1/1
ASBR1 IP/MPLS AS1
ASBR2 IP/MPLS AS2

HOSTNAME ASBR2 ! Activate IPv4 label capability ! router bgp 2 ! address-family ipv4 neighbor <PE4> send-label neighbor <ASBR-1> send-label exit-address-family !
Cisco Public
PE4
Int Gig1/1/1
HOSTNAME ASBR1 ! Activate IPv4 label capability ! router bgp 1 ! address-family ipv4 neighbor <PE3> send-label neighbor <ASBR-2> send-label exit-address-family !
BRKMPL-2105
38
I-AS L2VPNs Key Points

All three I-AS models are supported to carry VPWS or VPLS PWs
Transparently forwarding of data over PWs IOS supports LDP for signaling, BGP for Autodiscovery(VPLS) IOS XR supports both LDP and BGP signaling Option B is not supported for BGP signaled PWs Per-PW Quality of Service (QoS) is not supported. Attachment circuit inter-working is supported in IOS XR Transporting L2VPN virtual circuit over Traffic Engineering (TE) (tunnel selection) or GRE is supported.
BRKMPL-2105
Cisco Public
39
Inter-AS mVPNs
BRKMPL-2105
Cisco Public
40
mVPN Concept and Fundamentals Review

Multicast Applications: E-Learning, Gaming, Conferencing, Monitoring mVPN over IP
(eric-rosen draft)
Receiver 4
CE
A Source
B2 A B
New York
CE
B1
San Francisco
CE
CE
E
PE PE
E
In an mVPN network CEs join MPLS Core through providers PE devices
PE
PEs perform RPF check on Source to build Default and Data Trees (Multicast Data Trees MDT) Interfaces are associated with mVRF Source-Receivers communicate using mVRFs
Default MDT
For low Bandwidth & control traffic only. Los Angeles
MPLS VPN Core
CE
F
Data MDT
D
C
For High Bandwidth traffic only.
PE PE
Receiver 3
CE
D
Dallas
C
Join high bandwidth source
CE
High bandwidth multicast source

BRKMPL-2105
Receiver 2
41
Cisco Public
I-AS mVPN Requirements Extending mVPN service offerings

Challenge: Setup Multicast Data Trees across ASs
To form the Default MDT, PE routers must perform an RPF check on the source
The Source address is not shared between ASs
Solution:
Support reverse path forwarding (RPF) check for I-AS sources P and PE devices
Build I-AS MDTs
Introduced two new components:

1. BGP Connector Attribute
2. PIM RPF Vector

BRKMPL-2105
Cisco Public
42
RPF Check with Option B and Option C

ASBR1 ASBR2
PE1
CE1 VPN-A1
P11
AS #1
MDTs
AS #2
PE2
CE4 VPN-A2
For Option B(eBGP between ASBRs): Use BGP Connector Attribute to RPF to source that is reachable via PE router in remote AS
Preserves identity of a PE router originating a VPNv4 Prefix
Receiving PEs in the remote AS use RPF Connector to resolve RPF
For Option B and C: Use PIM RPF Vector to help P routers build an I-AS MDT to Source PEs in remote AS
Leverage BGP MDT SAFI on ASBRs and receiver PEs to insert the RPF Vector needed to build an I-AS MDT to source PEs in remote ASs
BRKMPL-2105
Cisco Public
43
I-AS MVPN MDT Establishment for Option B using BGP connector attribute
From ASBR1 to PE1 RD 1:1, Prefix 152.12.4.0/24 NH ASBR1, CONN PE2
From ASBR2 to ASBR1 RD 1:1, Prefix 152.12.4.0/24 NH ASBR2, CONN PE2

BGP MDT SAFI Update RD1:1, Prefix PE2, MDT 232.1.1.1, NH ASBR2
BGP MDT SAFI Update RD1:1, Prefix PE2, MDT 232.1.1.1, NH ASBR1
3.
ASBR1
2.
ASBR2
PE1 CE2
P11 AS #1
MDTs
AS #2
PE2
CE-4
1. VPN-A1
VPN-A2
BGP VPNv4 Update from PE2 to ASBR2 RD 1:1, Prefix 152.12.4.0/24 NH PE2, CONN PE2 BGP MDT SAFI Update (Source and Group) RD1:1, Prefix PE2, MDT 232.1.1.1, NH PE2
BRKMPL-2105
Cisco Public
44
SSM Default PIM Join for option B

Source, Group and RPF Vector is learned via BGP SAFI Update
PIM Join From PE1 to P11 Source PE2, RD 1:1, Group 232.1.1.1 RPF Neighbor P11, RPF Vector ASBR1
1.
ASBR1
ASBR2
P11 AS #1
PE1
2.
MDTs AS #2 PE2
PIM Join From P11 to ASBR1 Source PE2, RD 1:1, Group 232.1.1.1 RPF Neighbor ASBR1, RPF Vector ASBR1
BRKMPL-2105
Cisco Public
45
SSM Default PIM Join for option B

From ASBR1 to ASBR2 Source PE2, RD 1:1, Group 232.1.1.1 RPF Neighbor ASBR2, NH ASBR2
3.
ASBR1
ASBR2
PE1
AS #1
P11
MDTs
AS #2
PE2
CE-4
From ASBR2 to PE2 Source PE2, RD 1:1, Group 232.1.1.1 RPF Neighbor PE2
4.
VPN-A2
Step #4 completes the setup of the SSM tree for MDT Default Group 232.1.1.1 rooted at PE2. The SSM Setup from CE1 to PE2 follows the same procedure
BRKMPL-2105
Cisco Public
46
I-AS MVPN Configuration Procedure Option B (SSM) ASBR1

! PE1 Configuration: ! PE1 ip multicast-routing AS #1 ip multicast routing vrf VPN-A ip multicast vrf VPN-A rpf proxy rd vector ! router bgp 1 ! address-family ipv4 mdt neighbor <ASBR1> activate neighbor <ASBR1> next-hop-self exit-address-family ! ip pim ssm default !
ASBR2 Configuration: ! ASBR1 ! ip multicast-routing PE2 AS #2 ip multicast routing vrf VPN-A ! router bgp 1 CE-4 ! address-family ipv4 mdt neighbor <ASBR2> activate neighbor <PE1> activate neighbor <PE1> next-hop-self exit-address-family ! ip pim ssm default !
1. 2.
Enable RPF Vector in the Global table

ip multicast rpf vector
Setup Multicast Address family on ASBRs

address-family ipv4 mdt
3.
Configure PE router to send BGP MDT updates to build the Default MDT
ip multicast vrf <vrf name> rpf proxy rd vector
BRKMPL-2105
Cisco Public
47
Agenda
Inter-AS Networks

CSC Service Models
Inter-AS RSVP-TE
BRKMPL-2105
Cisco Public
48
Carrier Supporting Carrier Use Cases
How can Tier 2 or Tier 3 MPLS VPN service providers interconnect remote sites without self managing own MPLS WAN
MPLS NW San Francisco Tier 2 or 3 ISP Site 1 MPLS NW
MPLS Backbone
San Francisco Tier 2 or 3 ISP Site 1
How can a corporation (enterprise network) MPLS VPN service providers interconnect remote sites without self managing own MPLS WAN
New York Enterprise MPLS VPN NW
MPLS Backbone
Las Vegas Enterprise MPLS VPN NW
BRKMPL-2105
Cisco Public
49
Carrier Supporting Carrier Use Cases

Backbone Service Provider
MPLS Backbone
MPLS NW PoP 1 ISP1
MPLS NW PoP 2 ISP1
MPLS VPN services offerings by an MPLS VPN backbone provider to customers with MPLS networks
Provide business continuity by extending segmented networks
Customer networks include ISP, Carriers, or other enterprise networks

Addressing scalability issues in a provider network MPLS-VPN works well for carrying customer IGPs Reduce #s of VPN routes carried by a PE by using hierarchical model Platforms, network scale to N*O(IGP) routes: Internet Routes Separate Carriers Internal routes from external routes eliminating the need to store customers external routes
BRKMPL-2105
Cisco Public
50
Carriers Carrier Building Blocks

San Francisco ISP1
PE1
MPLS

CSC-PE1
CSC-RR1
London ISP1
RR1
CSC-CE1
CSC-PE2
RR2
PE4
MPLS
PE2 Customer Carrier1
MPLS Backbone
CSC-CE2
PE3 Customer Carrier1
MPLS-VPN enabled Carriers backbone
CSC-PE: MPLS VPN PEs located in backbone Carriers Core CSC-CE: Located at the Customer Carrier (ISP/SPs/Enterprise) network edge and connects to a CSC-PE
PE: located in Customer carrier networks & carries customer VPN routes CSC-RR: Route Reflectors located in MPLS Backbone provider network RR: Route Reflectors located in Customer Carrier Network
MPLS Label exchange between Carriers PE & ISP/SPs CE

BRKMPL-2105
Cisco Public
51
Carriers Carrier Building Blocks (Cont.)

San Francisco ISP1 London ISP1
Internal Routes
PE1

CSC-PE1
Internal Routes
RR2
RR1
CSC-RR1
CSC-PE2
PE4
MPLS
CSC-CE1
MPLS
PE2
MPLS Backbone
CSC-CE2
PE3
CE1R External Routes
CE1G External Routes
CE2G External Routes
CE2R External Routes
MPLS VPN Customers
MPLS VPN Customers
External Routes: IP routes from VPN customer networks Internal Routes: Internal routes (global table) of Customer Carrier network
External routes are stored and exchanged among Customer Carrier PEs MPLS Backbone network doesnt have any knowledge of external routes Customer Carrier selectively provides NLRI to MPLS VPN backbone provider
BRKMPL-2105
Cisco Public
52
Carriers Carrier Building Blocks (Cont.) What is unique between Subscriber to Provider connection?
San Francisco ISP1
PE1
RR1
CSC-CE1

CSC-PE1 CSC-RR1 CSC-PE2 CSC-CE2
London ISP1
RR2
PE4
MPLS
MPLS
PE2
eBGP + Label
MPLS Backbone
eBGP + Label
PE3
CE1R
CE1G
CE2G
CE2R
MPLS VPN Customers
MPLS VPN Customers
Must build Label Switched paths between CSC-CE and CSC-PE
CSC-PE and CSC-CE exchange MPLS Labels -this is necessary to transport labeled traffic from a Customer Carrier IP between CE and PE for customer Carriers VPN customers
BRKMPL-2105
Cisco Public
53
CSC Building Blocks (Cont.)

Control Plane configuration is similar to single domain MPLS VPN
CSC-CE to CSC-PE is a VPN link to exchange Customer Carriers internal routes. These routes are redistributed into the BSPs CSC PE using:
1. Static Routes OR 2. Dynamic IGP OR 3. eBGP
Customer Carriers dont exchange their Subscribers (external) VPN routes with the Backbone Service Provider CSC-PE-to-CSC-CE links extend Label Switching Path using:
1. IGP+LDP 2. eBGPv4 + Labels
BRKMPL-2105
Cisco Public
54
Carrier Supporting Carrier Models

1. Customer Carrier Is Running IP Only
-similar to basic MPLS L3 VPN environment
2. Customer Carrier Is Running MPLS

-LSP is established between CSC-CE and CSC-PE -Customer carrier is VPN subscriber of MPLS VPN backbone provider
3. Customer Carrier Supports MPLS VPNs

-LSP is established between CSC-CE and CSC-PE -Customer carrier is VPN subscriber of MPLS VPN backbone provider -True hierarchical VPN model
BRKMPL-2105
Cisco Public
55
CSC Model III Customer Carrier Supports MPLS VPNs

MPLS NW
San Francisco ISP1

eBGP + Label
MPLS Backbone
eBGP + Label
MPLS NW
London ISP1
LSP is extended to CSC-PE, CSC-CE advertises labels for internal routes to CSC-PE; CSC-PE1 performs imposition for site VPN label and IGP label PE swaps the site IGP label with a BB VPN label and push IGP label; PHP is now extended to inside of site 2
External and VPNv4 routes are carried by MP-BGP between customer carrier sites
CSC-CE and CSC-PE exchange labels using IGP+LDP or eBGP+Label
BRKMPL-2105
Cisco Public
56
CSC Model III Routing Exchange

San Francisco ISP1
PE1 RR1
CSC-CE1

CSC-PE1 CSC-RR1 CSC-PE2 CSC-CE2
London ISP1
RR2 PE4
MPLS
eBGP + Label
MPLS
PE2
MPLS Backbone
eBGP + Label
PE3
CE1R RR1R
CE1G RR1G
CE2G
CE2R
RR2G
RR2R
RR1R and RR2R exchange Red VPN site routes
RR1 and RR2 exchange ISP1 site routes

CSC-RR1 updates CSC-PEs ISP1 adds Subscriber VPN Label which is removed by the remote ISP1 VPN site
Backbone CSC-PE1 adds backbone VPN label which is removed by backbone CSC-PE2
BRKMPL-2105
Cisco Public
57
Customer Carrier Supports MPLS VPNs Establishing peers and forwarding VPN traffic
MP-iBGP Peering VPN-v4 Update: RD:1:27:149.27.2.0/24, NH=PE2 RT=1:231, Label=(28)
MPLS
PE1
VRF
CSC-CE1
IP/MPLS
VRF
Site A VPNA
MPLS
CSC-CE2
PE2 VRF
VRF
CSC-PE1
AS2
CSC-PE2
AS1
CE1
149.27.2.0/24 Site B VPN A

CE2
AS1
Swap
Swap Push Swap Label
Push Push
Pop
Pop
Label
CE2-VPN-Label
Label=120 Label=28
Label=50 Label=28
Label=100
Label=28
Label
Label=28
Label=28
Payload
Payload
Payload
Payload
Payload
Payload
Payload
BRKMPL-2105
Cisco Public
58
Overlapping VPN elements in customer carrier and backbone provider networks

VRF name, RD, RT can be the same in Backbone and Customer carrier network
BB-P1 CSC-PE2
GC-CSC-CE2
CSC-PE1 GC-CSC-CE1 GlobalCom San Francisco
GlobalCom London
MPLS Backbone
GC-SFPE2 CE-VPN-GC CE-VPN-B1 CSC-PE1# ip vrf GC rd 1:100 route-target export 1:100 route-target import 1:100 ! CSC-PE1# ip vrf GC rd 1:100 route-target export 1:100 route-target import 1:100 !
GC-LONPE1
CE-VPN-A2 CE-VPN-B2
GC-SFPE2# ip vrf GC rd 1:100 route-target export 1:100 route-target import 1:100 !
GC-SFPE2# ip vrf VPNA rd 1:100 route-target export 1:100 route-target import 1:100 !
BRKMPL-2105
Cisco Public
59
CSC Security Elements

MD5 authentication on LDP/BGP sessions
Applying max prefix limits per VRF Use of static labels between CSC-CE and CSC-PE Route Filtering
Customer Carrier may not want to send all the internal routes to MPLS VPN backbone provider Use Route-maps (IOS) with match and set capabilities in route-maps Use route-policy (XR) to control route distribution & filter routes
BRKMPL-2105
Cisco Public
60
Services support over a CSC network

MPLS IPV4 VPNs
MPLS IPV6 VPNs mVPNs
-for PIM require native multicast in the provider network
RSVP-TE MPLS L2VPNs
BRKMPL-2105
Cisco Public
61
L2VPN service support over a CSC network

Single-Hop PW
Customer Carrier A ASBR1 PW1 MPLS Backbone Carrier ASBR3 ASBR4 (CsC)
ASBR2 Pseudowire
Customer Carrier A
PE2
PE1
Multi-Hop PW
ASBR1 ASBR3 ASBR4 ASBR2
Pseudowire
PE1
PW1 Customer Carrier A
PE2
MPLS Backbone Carrier (CsC)
Customer Carrier A
BRKMPL-2105
Cisco Public
62
Best Practice Recommendations

Do not use Static default routes on CSC-CE
End-End LSP is required across the VPN and MPLS VPN backbone
Use dynamic protocol instead of static on CSC-CE CSC-PE link preferably eBGP+IPv4 Labels
Set Next-Hop-Self on ASBRs carrying external routes If using IGP on CSC-CE routers, use filters to limit incoming routes from the CSC-PE side
If using RRs in customer carrier network, set next-hop-unchanged on RRs
BRKMPL-2105
Cisco Public
63
CSC Summary
CSC supports hierarchical VPNs VPNs inside customer carriers network are transparent to the backbone MPLS VPN Service Provider QoS will be honored based on MPLS EXP bits between CSC-CE and CSC-PE Granular QoS policies should be pre-negotiated and manually configured Services supported over CSC network
MPLS IPV6 VPNs Multicast VPNs (for PIM, require native mulitcast in the provider network)
MPLS L2 VPNs
MPLS TE
BRKMPL-2105
Cisco Public
64
Agenda
Inter-AS Networks

CSC Service Models
Inter-AS RSVP-TE
BRKMPL-2105
Cisco Public
65
Inter-AS TE Applications
Transporting CustomerVPN traffic over TE tunnels
IP/MPLS
ASBR1 ASBR2
L2/L3 VPN Site 1
P2
P4
IP/MPLS
P6
PE11
PE7
L2/L3 VPN Site 2
P3
ASBR3
ASBR4
P5
Reserved guaranteed BW path between two PoPs

IP/MPLS
P2 ASBR1 ASBR2 P4
IP/MPLS
P6
SP1 PoP1
PE11
PE7
SP1 PoP2
P3
ASBR3
ASBR4
P5
BRKMPL-2105
Cisco Public
66
How MPLS TE Works in a Single Domain

1. Head-end learns network topology information TE using: Headend
ISIS-TE RESV
TE Mid points
RESV
RESV
PATH
OSPF-TE
full view of the topology PATH
PATH
TE Tailend
2. Path Calculation (CSPF)

3. Path Setup (RSVP-TE):
Label_Request (PATH)
5. Packets forwarded onto a tunnel via:

Static routed Autoroute
Label (RESV)
Explicit_Route Object Record_Route (Path/RESV)
Policy route
CBTS
Session_Attribute (Path)
Tunnel Select
Forwarding Adjacency
4. LFIB populated using RSVP labels

BRKMPL-2105
6. Packets follow the tunnel LSP and Not the IGP LSP
Cisco Public
67
Inter-Domain Traffic Engineering

Challenge:
Head end and Tail end are located in different domains IGP information is not shared between domains Head end lacks the knowledge of complete network topology to perform path computation
Solution: Use Explicit Route Object (ERO) Loose Hop Expansion, Node-id, and Path re-evaluation request/reply Flags to provide per-domain path computation at the head-end + RSVP Policy Control and Confidentiality
RFCs: 3209, 4736, 4561, etc.
draft-ietf-ccamp-inter-domain-rsvp-te-06.txt draft-ietf-ccamp-inter-domain-pd-path-comp-05.txt
BRKMPL-2105
Cisco Public http://www.cisco.com/go/mpls
68
Per-Domain Path Computation Using ERO Loose-Hop Expansion Path Computation

Head-End Defines the Path with ASBR and the Destination as Loose Hops
P2
Completed During TE LSP Setup
IP/MPLS
ASBR1
ASBR2
P4
IP/MPLS
P6
PE11
P3 ASBR3 ASBR4 P5
PE7
Inter-AS TE LSP ERO

ASBR4 (Loose) PE7 (Loose) R1 Topology Database
Expansion
ERO
R3, ASBR3, ASBR4 PE7 (Loose)
ERO
PE7 (Loose) Expansion
ERO
P5, PE7
ASBR4 Topology Database
BRKMPL-2105
Cisco Public
69
Inter-Domain TETE LSP Reoptimization

IP/MPLS
P2 Make PE1 before break P3 PATH ASBR1 ASBR2 P4
IP/MPLS
P6
Inter-AS TE LSP before reoptimization
PE7
Inter-AS TE LSP after reoptimization
ASBR3
ASBR4
PathErr
P5
Path re-evaluation request
Preferable Path exists
Reoptimization can be timer/event/admin triggered Head end sets path re-evaluation request flag (SESSION_ATTRIBUTE)
Head end receives a PathErr message notification from the boundary router if a preferable path exists
Make-before-break TE LSP setup can be initiated after PathErr notification

BRKMPL-2105
Cisco Public
70
Inter-Domain TEFast Reroute

Primary TE LSP Backup TE LSP
IP/MPLS
P2
ASBR1
ASBR2
P4
IP/MPLS
P6 PE7
PE1
P3
ASBR3
ASBR4
P5
Same configuration as single domain scenario
Link and Node protection include ASBRs and ASBR to ASBR links Support for Node-id sub-object is required to implement ABR/ASBR node protection
Node-id helps point of local repair (PLR) detect a merge point (MP) Node-id flag defined in draft-ietf-nodeid-subobject
BRKMPL-2105
Cisco Public
71
Inter-Domain TEPolicy Control and Confidentiality

Inter-AS TE LSP
IP/MPLS
P2
ASBR1
ASBR2
P4
IP/MPLS
P6 PE7
PE1
Policy
P3
ASBR3
ASBR4
P5
ASBR may enforce a local policy during Inter-AS TE LSPs setup (e.g. limit bandwidth, message types, protection, etc.)
Route Recording may be limited ASBR may modify source address of messages (PathErr) originated in the AS
ASBR may perform RSVP authentication (MD5/SHA-1)

BRKMPL-2105
Cisco Public
72
Configuring Inter-AS Tunnels (Cisco IOS)

mpls traffic-eng tunnels !
interface Tunnel1
ip unnumbered Loopback0
no ip directed-broadcast
tunnel destination 172.31.255.5
Loose-hop path
tunnel mode mpls traffic-eng

tunnel mpls traffic-eng priority 7 7
tunnel mpls traffic-eng bandwidth 1000

tunnel mpls traffic-eng path-option 10 explicit name LOOSE-PATH
!
ip route 172.31.255.5 255.255.255.255 Tunnel1
!
ip explicit-path name LOOSE-PATH enable
Static route mapping IP traffic to Tunnel1 List of ASBRs as loose hops
next-address loose 172.24.255.1

next-address loose 172.31.255.1
BRKMPL-2105
Cisco Public
73
Configuring Inter-AS TE at ASBR (Cisco IOS)

mpls traffic-eng tunnels ! key chain A-ASBR1-key key 1 key-string 7 151E0E18092F222A ! interface Serial1/0 ip address 192.168.0.1 255.255.255.252 mpls traffic-eng tunnels mpls traffic-eng passive-interface nbr-te-id 172.16.255.4 nbr-igp-id ospf 172.16.255.4 ip rsvp bandwidth ip rsvp authentication key-chain A-ASBR1-key ip rsvp authentication type sha-1 ip rsvp authentication ! router bgp 65024 no synchronization bgp log-neighbor-changes neighbor 172.24.255.3 remote-as 65024 neighbor 172.24.255.3 update-source Loopback0 neighbor 192.168.0.2 remote-as 65016 no auto-summary ! ip rsvp policy local origin-as 65016 no fast-reroute maximum bandwidth single 10000 forward all !
Authentication key
Add ASBR link to TE topology database

Enable RSVP authentication
Process signaling from AS 65016 if FRR not requested and 10M or less
BRKMPL-2105
Cisco Public
74
Inter-AS Session Summary
BRKMPL-2105
Cisco Public
75
Lets Summarize
CSC: Hierarchical VPNs
Customer Carrier-B
MPLS Backbone Provider
Inter-AS: Extending VPN Boundaries

ASBR-A ASBR-B
Customer Carrier-B Subscriber A Site1
Provider-A
Subscriber A Site1
Provider-B
Subscriber A Site1
Subscriber A Site2
MPLS VPNs model A, B and C have been deployed to support VPNs among Service Providers and within a single Service Providers multi-AS networks MPLS L2 VPNs, L3VPNs (IPv4, IPv6, and multicast VPNs) are supported in multi-domain environment
MPLS TE is also supported in multi-area or multi-AS networks QoS policies across the ASBRs need to be agreed by the partners
BRKMPL-2105
Cisco Public
76
Other related Sessions

BRKMPL-1101 Introduction to MPLS BRKMPL-2001 Implementation and Utilization of Layer 2 VPN Technologies
BRKMPL-2102 Deploying IP/MPLS VPNs BRKMPL-2103 Design considerations for enterprise WAN migrating to subscribed MPLS VPN services
BRKMPL-2104 Deploying MPLS Traffic Engineering BRKMPL-2107 Data Center deployments with MPLS on NX-OS (Nexus 7000)
BRKMPL-2108 Global WAN Redesign Case Study BRKMPL-3101 Advanced Topics and Future Directions in MPLS BRKMPL-3102 Designing NGN Networks for Scale, Resiliency and Reliability
BRKMPL-2105
Cisco Public
77
Other related Sessions

LTRMPL-2104 Implementing MPLS in Service Provider Networks: Introduction
LTRMPL-2105 Implementing MPLS in Service Provider Networks LTRMPL-2106 Enterprise Network Virtualization using IP and MPLS Technologies
TECVIR-2003 Enterprise Network Virtualization

TECMPL-3001 Layer 2 Virtual Private Networks - Converged IP/MPLS Network
BRKMPL-2105
Cisco Public
78
Meet the Engineer

To make the most of your time at Networkers at Cisco Live 2010, schedule a Face-to-Face Meeting with top Cisco Engineers
Designed to provide a big picture perspective as well as in-depth technology discussions, these Face-to-Face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions
BRKMPL-2105
Cisco Public
79
Recommended Reading
LTRRST-2106
Source: Cisco Press

BRKMPL-2105
Cisco Public
80
Complete Your Online Session Evaluation

Receive 25 Cisco Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by email after July 22nd.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Dont forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
BRKMPL-2105
Cisco Public
81
Visit the Cisco Store for Related Titles http://theciscostores.com
BRKMPL-2105
Cisco Public
82
BRKMPL-2105
Cisco Public
83
Inter-AS mVPNs Option C
I-AS MVPN MDT Establishment for option C

(SSM)
MP-iBGP MDT 2. ASBR1 RR1
MP-iBGP MDT 3.
ASBR2 MP-iBGP MDT RR2
PE1
P21 P11 AS #1
MDTs
AS #2
P21
P22 PE2
1.
VPN-A1
VPN-A2
BGP MDT SAFI Update Sequence:
1. From PE2 to RR2 RD 1:1, Prefix PE2, MDT 232.1.1.1, NH PE2 2. From RR2 to RR1 (MP-iBGP MDT) RD 1:1, Prefix PE2, MDT 232.1.1.1, NH PE2 3. From RR1 to PE1 RD 1:1, Prefix PE2, MDT 232.1.1.1, NH PE2
BRKMPL-2105
Cisco Public
85
SSM Default PIM Join with Proxy Vector for option C

ASBR1
1. RR1 4.
ASBR2 RR2
P21 P11 AS #1
2.
3.
MDTs AS #2
P21 P22 PE2
VPN-A1
PE1
VPN-A2
1.From PE1 to P11

Source PE2, RD 1:1, Group 232.1.1.1 Proxy Vector: ASBR1, RPF Neighbor P11
2.From P11 to P21 Source PE2, RD 1:1, Group 232.1.1.1 Proxy Vector: ASBR1, RPF Neighbor P21 3.From P21 to ASBR1 Source PE2, RD 1:1, Group 232.1.1.1 Proxy Vector: ASBR1, RPF Neighbor ASBR1
4.From ASBR1 to PE2

BRKMPL-2105
Source PE2, RD 1:1, Group 232.1.1.1, RPF Neighbor ASBR1

Cisco Public
86
I-AS MVPN Configuration for option C

(SSM)
! RR1 Configuration !ASBR2 address-family ipv4 ASBR1 RR1 RR2 neighbor <PE11> activate AS #1 AS #2 PE1 P11 neighbor <PE11> send-label Neighbor <ASBR1> send-label ! address-family ipv4 mdt ! PE1 Configuration neighbor <RR2> activate ip multicast-routing neighbor <RR2> next-hop-unchanged ip multicast routing vrf VPN-A neighbor <PE1> activate ip multicast rpf proxy vector exit-address-family ! ! ASBR1 Configuration ! address-family ipv4 ip pim ssm default ip multicast-routing neighbor <RR1> activate ip multicast routing vrf VPN-A ! neighbor <RR1> activate send-label ! ! address-family ipv4 address-family ipv4 mdt neighbor <RR1> activate neighbor <RR1> activate neighbor <RR1> next-hop-self neighbor <RR1> send-community extended neighbor <RR1> activate send-label exit-address-family neighbor <ASBR2> activate ! neighbor <ASBR2> activate send-label ip pim ssm default ! ! ip pim ssm default BRKMPL-2105 Cisco Public 2011 Cisco and/or its affiliates. All rights reserved. 87 !

Inter As Mpls Ciscolive BRKMPL 2105

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Inter As Mpls Ciscolive BRKMPL 2105

Hochgeladen von

Copyright:

Verfügbare Formate

Inter-AS MPLS Solutions

2011 Cisco and/or its affiliates. All rights reserved.

2011 Cisco and/or its affiliates. All rights reserved.

Carrier Supporting Carrier

Inter-AS L3 VPNs Inter-AS L2VPNs Inter-AS Multicast VPNs

MPLS L3 VPNs Multicast VPNs MPLS L2 VPNs

2011 Cisco and/or its affiliates. All rights reserved.

Inter-AS MPLS Service Use Cases

Extend VPN services over multiple independently managed MPLS domains

Build MPLS VPN networks on original multi-domain network

Two available as described in RFC 4364 :

2.Inter-Autonomous Systems (I-AS)

Carrier Supporting Carrier vs. Inter-AS

2011 Cisco and/or its affiliates. All rights reserved.

Inter-AS L3 VPNs Overview

2011 Cisco and/or its affiliates. All rights reserved.

Extending VPN services over Inter-AS networks

Back-to-Back VRFs (Option A) MP-eBGP for VPNv4 (Option B)

Multihop MP-eBGP between RRs (Option C) MP-eBGP+Labels CE2

2011 Cisco and/or its affiliates. All rights reserved.

Intra-AS MPLS VPNs Review

BGP VPN-IPv4 Net=RD:16.1/16 NH=PE1 Route Target 100:1 VPN Label=40

Connecting ASBRs using Back-to-Back VRFs

Two providers prefer not to share MPLS link

One logical interface per VPN/VRF on directly connected ASBRs;

IP QoS policies negotiated and configured manually on the ASBRs

Connecting two ASBRs Two Methods

2. Receiving PE-ASBRs be the next hop

Im the Next Hop to AS1

VPN-v4 update: RD:1:27:152.12.4.0 /24, NH=PE1 RT=1:222, Label=(L1) PE1

Label Exchange between Gateway PE-ASBR Routers Using eBGP

VPN-v4 update: RD:1:27:152.12.4.0/24, NH=ASBR2 RT=1:222, Label=(L3)

VPN-v4 update: RD:1:27:152.12.4.0 /24, NH=ASBR1 RT=1:222, Label=(L2)

BGP, OSPF, RIPv2 152.12.4.0/24,NH=CE2

2011 Cisco and/or its affiliates. All rights reserved.

End-to-end VPN packet forwarding - Next Hop Self on ASBRs

L1, L2, L3 are BGP VPN label.

Cisco IOS ASBR eBGP configuration

AS #1 PE1 CE1 VPN-R1

Cisco IOS XR ASBR1 Configuration

router bgp 1 mpls activate

(!Enables MPLS forwarding onASBR!) (!Specify ASBR-ASBR link!) !

interface <type & #>

address-family vpnv4 unicast

(!Initialize VPNv4 address family for ASBR)

(!Allow forwarding of VPNv4 routes to other AS!) !

route-policy pass-all pass

2011 Cisco and/or its affiliates. All rights reserved.

Multihop eBGP VPNv4 Between RRs for better scale

Exchange VPNv4 Routes

1. BGP IPv4 + Labels (RFC3107) most preferred & recommended

eBGP IPv4 + Labels

Establishing reachability between VPNs

BGP update: RD:1:27:152.12.4.0/24, NH=PE1 RT=1:222, Label=(L1)

AS #1 PE1 BGP, OSPF, RIPv2 CE1 152.12.4.0/24,NH=CE2 VPN-R1 152.12.4.0/24

BGP VPN-v4 update: RD:1:27:152.12.4.0/2 4, NH=PE1 RT=1:222, Label=(L1)

To ASBR2: Network=PE1 NH=ASBR-1 Label=(L2)

From ASBR1: Network=PE1 NH=ASBR-2 Label=(L3)

BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2

ASBRs store PE loopbacks & exchange labels for PE Loopback addresses

L1 is a VPN label. L2 and L3 are IPv4 labels.

IPv4+Label, Cisco IOS Configuration