Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.

8181_05_2003_c2
1 2004 Cisco Systems, Inc. All rights reserved.
RST-2602
9908_06_2004_X2
DEPLOYING MPLS-VPN
SESSION RST-2602
Rajiv Asati (rajiva@cisco.com)
Agenda
MPLS VPN Definition?
Technology
Configuration
MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
Best Practices
Conclusion.
Prerequisites
Must understand basic IP routing, especially BGP
Must understand MPLS basics (push, pop, swap, label stacking)
Must finish the evaluation
http://www.networkers04.com/desktop
Terminology:
LSR : Label Switch Router
LSP : Label Switched Path
The chain of labels that are swapped at each hop to get from one LSR to another
VRF : VPN Routing and Forwarding
Mechanism in IOS used to build per-interface RIB and FIB
MP-BGP : Multi-Protocol BGP
PE : Provider Edge router; interfaces with CE routers
P : Provider (core) router, without knowledge of VPN
VPNv4 : Address family used in BGP to carry MPLS-VPN routes
RD : Route Distinguisher
Distinguish same network/mask prefix in different VRFs
RT : Route Target
Extended Community attribute used to control import and export policies of VPN routes
LFIB : Label Forwarding Information Base
FIB : Forwarding Information Base
MPLS-VPN Operations Theory
VPN definition: VRF instance
VPN Route Propagation (Control Plane)
VPN Packet forwarding (Data Plane)
MPLS VPN Connection Model
[Figure: two PE routers connected across the VPN backbone IGP through P routers, with an MP-iBGP session running between the PEs]
PE routers
Edge routers
Use MPLS with P routers
Use IP with CE routers
Connect to both CE and P routers
Distribute VPN information through MP-BGP to other PE routers with VPN-IPv4 addresses, Extended Community, Label
P routers
P routers are in the core of the MPLS cloud
P routers do not need to run BGP and do not need any VPN knowledge
Forward packets by looking at labels
P and PE routers share a common IGP
MPLS VPN: Separate Routing Tables in PE
[Figure: PE connected to a CE at vpn site 1 and a CE at vpn site 2 via EBGP, OSPF, RIPv2 or static routing; MPLS backbone IGP (OSPF, ISIS) on the core side]
The global routing table
Populated by the MPLS backbone IGP
In PE routers, may contain the BGP Internet routes (standard IPv4 routes)
VRF routing table
Routing (RIB) and forwarding table (CEF) associated with one or more directly connected sites (CEs)
The routes the PE receives from CE routers are installed in the appropriate VRF routing table(s), i.e. the blue VRF routing table or the green VRF routing table
VRF: Virtual Routing and Forwarding Instance
What's a VRF?
Associates to one or more interfaces on the PE
Privatizes an interface, i.e. coloring of the interface
Has its own routing table and forwarding table (CEF)
VRF has its own instance of the routing protocol (static, RIP, BGP, EIGRP, OSPF)
CE router runs standard routing software
[Figure: PE with VRF blue facing vpn site 1 and VRF green facing vpn site 2; PE-CE routing via EBGP, OSPF, RIPv2 or static; MPLS backbone IGP (OSPF, ISIS)]
VRF: Virtual Routing and Forwarding Instance
[Figure: the same PE with two CEs (vpn site 1, vpn site 2) and the MPLS backbone IGP (OSPF, ISIS)]
PE installs the routes learned from CE routers in the appropriate VRF routing table(s)
PE installs the IGP (backbone) routes in the global routing table
VPN customers can use overlapping IP addresses.
Additions in BGP: MPLS-VPN Info
RD: Route Distinguisher
VPNv4 routes
RT: Route Target
Label
[Figure: MP-iBGP update with RD, RT, and Label. VPNv4 address = RD (8 bytes, e.g. 1:1) + IPv4 (4 bytes, e.g. 10.1.1.0); Route-Target (8 bytes); Label (3 bytes)]
MPLS VPN Control Plane
MP-BGP Update Components: VPNv4 address
To convert an IPv4 address into a VPNv4 address, the RD is appended to the IPv4 address, i.e. 1:1:10.1.1.0
Makes the customer's IPv4 route globally unique.
Each VRF must be configured with an RD at the PE
The RD is what defines the VRF
[Figure: MP-iBGP update with RD (8 bytes, 1:1) + IPv4 (4 bytes, 10.1.1.0) = VPNv4, Route-Target (8 bytes), Label (3 bytes)]
!
ip vrf v1
 rd 1:1
!
MPLS VPN Control Plane
MP-BGP Update Components: Route-Target
Route-target (RT): identifies the VRF for the received VPNv4 prefix. It is an 8-byte extended community (a BGP attribute)
Each VRF is configured with RT(s) at the PE
RT helps to color the prefix
[Figure: MP-iBGP update with RD 1:1 + IPv4 10.1.1.0 (VPNv4), Route-Target 2:2 (8 bytes), Label (3 bytes)]
!
ip vrf v1
 route-target import 1:1
 route-target export 1:2
!
MPLS VPN Control Plane
MP-BGP Update Components: Label
The label (for the VPNv4 prefix) is assigned only by the PE whose address is the Next-Hop attribute
PE routers re-write the Next-Hop with their own address (loopback)
Next-Hop-Self towards MP-iBGP neighbors by default
PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP
DO NOT summarize the PE loopback addresses in the core
[Figure: MP-iBGP update with RD 1:1 + IPv4 10.1.1.0 (VPNv4), Route-Target 2:2, Label 50]
MPLS VPN Control Plane:
Putting It All Together
[Figure: CE1 (Site 1, 10.1.1.0/24) - PE1 - P routers (MPLS Backbone) - PE2 - CE2 (Site 2). Step 1: CE1 advertises 10.1.1.0/24, Next-Hop=CE-1. Step 3: MP-iBGP update with RD:10.10.1.0, Next-hop=PE-1, RT=Green, Label=100]
1) PE1 receives an IPv4 update (eBGP, OSPF, EIGRP)
2) PE1 translates it into a VPNv4 address
Assigns an RT per VRF configuration
Re-writes the Next-Hop attribute to itself
Assigns a label based on VRF and/or interface
3) PE1 sends the MP-iBGP UPDATE to other PE routers
MPLS VPN Control Plane:
Putting It All Together
[Figure: same topology; steps 4 and 5 take place at PE2, which then advertises 10.1.1.0/24 with Next-Hop=PE-2 to CE2]
4) PE2 receives the update and checks whether RT=green is locally configured within any VRF; if yes, then
5) PE2 translates the VPNv4 prefix back into an IPv4 prefix,
Installs the prefix into the VRF routing table
Updates the VRF CEF table with label=100 for 10.1.1.0/24
Advertises this IPv4 prefix to CE2 (EBGP, OSPF, EIGRP)
MPLS VPN Forwarding Plane:
[Figure: CE1 (Site 1, 10.1.1.0/24) - PE1 - P1/P2 and other P routers (MPLS backbone) - PE2 - CE2 (Site 2)]
Global routing/forwarding table (Dest -> Next-Hop): PE2 -> P1, label: 50
Global routing/forwarding table (Dest -> Next-Hop): PE1 -> P2, label: 25
VRF Green forwarding table (Dest -> Next-Hop): 10.1.1.0/24 -> PE1, label: 100
VRF forwarding table (show ip cef vrf <vrf>)
PE routers store VPN routes and the associated labels
Labels distributed through MP-BGP
The global forwarding table (show ip cef)
PE routers store IGP routes and the associated labels
Labels distributed through LDP/TDP
MPLS VPN Forwarding Plane:
PE2 imposes TWO labels on each packet going to the VPN destination 10.1.1.1
The top label is LDP-learned and derived from an IGP route
Represents the LSP to the PE address (exit point of a VPN route)
The second label is learned via MP-BGP
Corresponds to the VPN address
[Figure: a packet to 10.1.1.1 from CE2 (Site 2) enters PE2, crosses the MPLS backbone (P routers) to PE1 and reaches CE1 (Site 1). Label stacks shown along the path: "10.1.1.1 | 100 | 25", "10.1.1.1 | 100 | 50", "10.1.1.1 | 100"]
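As an added example (not part of the Cisco deck), the Python below builds the labelled VPNv4 NLRI that MP-iBGP carries for the update in these slides (label 100, RD 1:1, 10.1.1.0/24) and then walks a packet for 10.1.1.1 through the two-label forwarding path PE2 -> P -> P -> PE1 described above. The P-router names, the 25 -> 50 swap and the penultimate-hop pop are constructed for the example; only the label values 100, 25 and 50 and the prefix come from the slides.

```python
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode an 'ASN:nn' route distinguisher as the 8-byte Type 0 RD:
    2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    asn, num = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """Build one labelled VPNv4 NLRI as carried in MP_REACH_NLRI (RFC 4364):
    length in bits (1 byte), label (3 bytes: 20-bit label plus bottom-of-stack
    bit), RD (8 bytes), then only the significant octets of the prefix."""
    net = ipaddress.ip_network(prefix)
    label_field = (label << 4) | 0x1           # BoS set: sole label in the NLRI
    prefix_octets = net.network_address.packed[: (net.prefixlen + 7) // 8]
    length_bits = 24 + 64 + net.prefixlen      # label + RD + prefix
    return (bytes([length_bits]) + label_field.to_bytes(3, "big")
            + encode_rd(rd) + prefix_octets)


def decode_vpnv4_nlri(nlri: bytes) -> tuple:
    """Inverse of encode_vpnv4_nlri: returns (label, 'ASN:nn', 'a.b.c.d/len')."""
    plen = nlri[0] - 88                        # drop the label (24) and RD (64) bits
    label = int.from_bytes(nlri[1:4], "big") >> 4
    _, asn, num = struct.unpack("!HHI", nlri[4:12])
    octets = nlri[12:] + b"\x00" * (4 - len(nlri[12:]))
    return label, f"{asn}:{num}", f"{ipaddress.IPv4Address(octets)}/{plen}"


def forward_to_vpn(dst: str) -> dict:
    """Walk a packet for `dst` from PE2 across the core to PE1, recording the
    label stack leaving each hop (bottom of stack first) and the VRF in which
    PE1 does the final IP lookup. All tables are constructed for the example."""
    # PE2: VRF green CEF holds the VPN label (100) learned via MP-BGP with BGP
    # next-hop PE1; the global CEF holds the LDP label (25) for the LSP to PE1.
    vrf_green_cef = {"10.1.1.0/24": ("PE1", 100)}
    global_cef = {"PE1": ("P2", 25)}
    # Constructed P-router LFIBs: P2 swaps 25 -> 50; P1 is the penultimate hop
    # and pops the IGP label, so PE1 receives the VPN label on top.
    lfib = {"P2": {25: ("swap", 50, "P1")}, "P1": {50: ("pop", None, "PE1")}}
    pe1_label_to_vrf = {100: "green"}          # PE1 allocated 100 for VRF green

    addr = ipaddress.ip_address(dst)
    route = next((r for r in vrf_green_cef if addr in ipaddress.ip_network(r)), None)
    if route is None:
        return {"trace": [], "vrf": None}      # no VRF route: dropped at PE2
    bgp_next_hop, vpn_label = vrf_green_cef[route]
    hop, igp_label = global_cef[bgp_next_hop]
    stack = [vpn_label, igp_label]             # VPN label under the IGP label
    trace = [("PE2", list(stack))]
    while hop in lfib:
        action, new_label, next_hop = lfib[hop][stack[-1]]
        if action == "swap":
            stack[-1] = new_label
        else:                                  # PHP exposes the VPN label
            stack.pop()
        trace.append((hop, list(stack)))
        hop = next_hop
    vrf = pe1_label_to_vrf[stack.pop()]        # PE1 pops the VPN label -> VRF
    trace.append((hop, list(stack)))
    return {"trace": trace, "vrf": vrf}
```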
MPLS VPN Sample Configuration
[Figure: CE1 (Site 1, 10.1.1.0/24) - Se0 (192.168.10.1) - PE1 - s1 - P]
VRF Definition (PE1):
ip vrf VPN-A
 rd 1:1
 route-target export 100:1
 route-target import 100:1
interface Serial0
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
PE-P Configuration (PE1):
interface Serial1
 ip address 130.130.1.1 255.255.255.252
 mpls ip
router ospf 1
 network 130.130.1.0 0.0.0.3 area 0
MPLS VPN Sample Configuration
PE: MP-iBGP
router bgp 1
 neighbor 1.2.3.4 remote-as 1
 neighbor 1.2.3.4 update-source loopback 0
 address-family vpnv4
  neighbor 1.2.3.4 activate
  neighbor 1.2.3.4 send-community both
RR: MP-iBGP
router bgp 1
 no bgp default route-target filter
 neighbor 1.2.3.6 remote-as 1
 neighbor 1.2.3.6 update-source loopback0
 address-family vpnv4
  neighbor 1.2.3.6 route-reflector-client
  neighbor 1.2.3.6 activate
[Figure: PE1 and PE2 peering over MP-iBGP with the RR]
MPLS VPN Sample Configuration
PE-CE BGP
router bgp 1
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.10.2 remote-as 2
  neighbor 192.168.10.2 activate
 exit-address-family
!
PE-CE OSPF
router ospf 1
!
router ospf 2 vrf VPN-A
 network 192.168.10.0 0.0.0.255 area 0
!
[Figure: CE1 (Site 1, 10.1.1.0/24, 192.168.10.2) - PE1 (192.168.10.1)]
MPLS VPN Sample Configuration
PE-CE RIP
router rip
 address-family ipv4 vrf VPN-A
  version 2
  no auto-summary
  network 192.168.10.0
 exit-address-family
PE-CE EIGRP
router eigrp 1
 address-family ipv4 vrf VPN-A
  network 192.168.10.0 0.0.0.255
  autonomous-system 1
 exit-address-family
[Figure: CE1 (Site 1, 10.1.1.0/24, 192.168.10.2) - PE1 (192.168.10.1)]
MPLS VPN Sample Configuration
PE-CE Static
ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
PE-CE: MP-iBGP routes to the VPN site (RIP example)
router rip
 address-family ipv4 vrf VPN-A
  version 2
  redistribute bgp 1 metric 1
  no auto-summary
  network 192.168.10.0
 exit-address-family
If the PE-CE protocol is not BGP, then redistribution of the other sites' VPN routes from MP-iBGP is required.
[Figure: CE1 (Site 1, 10.1.1.0/24, 192.168.10.2) - PE1 (192.168.10.1) - RR]
MPLS VPN Sample Configuration
PE-RR (VPN routes to VPNv4)
router bgp 1
 neighbor 1.2.3.4 remote-as 1
 neighbor 1.2.3.4 update-source loopback 0
 address-family ipv4 vrf VPN-A
  redistribute {rip|connected|static|eigrp|ospf}
If the PE-CE protocol is not BGP, then redistribution of the VPN routes into MP-iBGP is required.
[Figure: CE1 (Site 1) - PE1 - RR]
MPLS VPN Services:
1. Loadsharing for the VPN traffic
VPN sites (such as Site A) could be multihomed
VPN customer may demand that the traffic to the multihomed sites be loadshared
[Figure: Site A (171.68.2.0/24, CE1) dual-homed to PE11 and PE12; MPLS backbone with RR; PE2 to CE2 at Site B. Route advertisement for Site A flows via PE11 and PE12 to the RR and on to PE2]
MPLS VPN Services:
1. Loadsharing for the VPN traffic: Cases
[Figure: two cases of traffic flow from Site B (CE2, PE2) across the MPLS backbone (with RR) to Site A (171.68.2.0/24). Case "1 CE, 2 PEs": a single CE1 attached to both PE11 and PE12. Case "2 CEs, 2 PEs": two CE routers at Site A, one attached to each PE]
MPLS VPN Services:
1. Loadsharing for the VPN Traffic: Deployment
How to deploy the loadsharing?
1. Configure different VRFs, i.e. different RDs, for the multihomed site/interfaces.
2. Enable BGP multipath within the relevant BGP VRF address-family at the remote/receiving PE2.
[Figure: Site A (171.68.2.0/24, CE1) dual-homed to PE11 and PE12; RR; PE2 to CE2 at Site B]
PE11 (step 1):
ip vrf green
 rd 300:11
 route-target both 1:1
PE12 (step 1):
ip vrf green
 rd 300:12
 route-target both 1:1
PE2 (steps 1 and 2):
ip vrf green
 rd 300:13
 route-target both 1:1
router bgp 1
 address-family ipv4 vrf green
  maximum-paths eibgp 2
MPLS VPN Services:
1. Loadsharing for the VPN Traffic
RR must advertise all the paths learned via PE11 and PE12 to the remote PE routers
With a different RD per VRF, the RR does the best-path calculation per RD and advertises the paths to the remote PE
Watch out for the increased (~20%) memory consumption (within BGP) due to multipaths at the PEs
eiBGP multipath implicitly provides eBGP and iBGP multipath for VPN paths
[Figure: Site A (171.68.2.0/24, CE1) dual-homed to PE11 and PE12; RR; PE2 to CE2 at Site B; route advertisement]
MPLS-VPN Services:
2. Hub & Spoke Service to the VPN Customers
Traditionally, VPN deployments are Hub&Spoke.
Spoke-to-spoke communication is via the Hub site only.
Despite MPLS VPN's implicit any-to-any, i.e. full-mesh, connectivity, Hub&Spoke service can easily be offered.
Done with import and export of Route-Targets (RT).
MPLS-VPN Services:
2. Hub & Spoke Service - Configuration
[Figure: Spoke A (CE-SA, 171.68.1.0/24) - PE-SA and Spoke B (CE-SB, 171.68.2.0/24) - PE-SB across the MPLS VPN backbone to PE-Hub, which faces the hub site on sub-interfaces Eth0/0.1 and Eth0/0.2]
PE-SA:
ip vrf green-spoke1
 description VRF for SPOKE A
 rd 300:111
 route-target export 1:1
 route-target import 2:2
PE-SB:
ip vrf green-spoke2
 description VRF for SPOKE B
 rd 300:112
 route-target export 1:1
 route-target import 2:2
PE-Hub:
ip vrf HUB-OUT
 description VRF for traffic from HUB
 rd 300:11
 route-target import 1:1
ip vrf HUB-IN
 description VRF for traffic to HUB
 rd 300:12
 route-target export 2:2
MPLS-VPN Services:
2. Hub & Spoke Service Control Plane
All traffic between spokes must pass through the Hub/Central Site.
The Hub site could offer firewall, NAT and similar applications.
Two-VRF solution at the PE-Hub:
VRF HUB-OUT has knowledge of every spoke route.
VRF HUB-IN only has a default route and advertises that to the spoke PEs.
Import and export Route-Targets within a VRF must be different.
[Figure: Spoke A (CE-SA, 171.68.1.0/24) - PE-SA and Spoke B (CE-SB, 171.68.2.0/24) - PE-SB across the MPLS backbone to PE-Hub (VRF HUB-IN, VRF HUB-OUT)]
PE-SA advertises 171.68.1.0/24, Label 40, Route-Target 1:1
PE-SB advertises 171.68.2.0/24, Label 50, Route-Target 1:1
PE-Hub advertises 0.0.0.0, Label 35, Route-Target 2:2
VRF HUB-OUT RT and LFIB (Destination, NextHop, Label):
171.68.1.0/24 PE-SA 40
171.68.2.0/24 PE-SB 50
VRF HUB-IN routing table (Destination, NextHop):
0.0.0.0 CE-H1
VRF RT and LFIB at PE-SA (Destination, NextHop, Label):
0.0.0.0 PE-Hub 35
171.68.1.0/24 CE-SA
VRF RT and LFIB at PE-SB (Destination, NextHop, Label):
0.0.0.0 PE-Hub 35
171.68.2.0/24 CE-SB
MPLS-VPN Services:
2. Hub & Spoke Service Forwarding Plane
[Figure: a packet from Spoke B to 171.68.1.1 (Spoke A) travels CE-SB - PE-SB - MPLS backbone - PE-Hub (VRF HUB-IN, then the hub site, then VRF HUB-OUT) - MPLS backbone - PE-SA - CE-SA. Label stacks shown: "LH 35 | 171.68.1.1" towards PE-Hub and "LA 40 | 171.68.1.1" towards PE-SA]
MPLS-VPN Services
3. Extranet VPN
MPLS VPN, by default, isolates one VPN customer from another.
Separate virtual routing table for each VPN customer
Communication between VPNs may be required, i.e. Extranet.
External inter-company communication (dealers with manufacturer, retailer with wholesale provider, etc.)
Management VPN, shared-service VPN, etc.
Needs the right import and export route-target (RT) values configured within the VRFs
export-map or import-map should be used
3. MPLS-VPN Services: Extranet VPN
Goal: Only VPN_A Site#1 is to be reachable from VPN_B
[Figure: PE1 and PE2 across the MPLS backbone (P); VPN_A Site#1 (171.68.0.0/16), VPN_B Site#1 (180.1.0.0/16) and VPN_A Site#2 (192.6.0.0/16) attached at the edges]
VRF VPN_A:
ip vrf VPN_A
 rd 3000:111
 export map VPN_A_Export
 import map VPN_A_Import
 route-target import 3000:111
 route-target export 3000:111
 route-target import 3000:1
!
route-map VPN_A_Export permit 10
 match ip address 1
 set extcommunity rt 3000:2 additive
!
route-map VPN_A_Import permit 10
 match ip address 2
!
access-list 1 permit 171.68.0.0 0.0.0.0
access-list 2 permit 180.1.0.0 0.0.0.0
VRF VPN_B:
ip vrf VPN_B
 rd 3000:222
 export map VPN_B_Export
 import map VPN_B_Import
 route-target import 3000:222
 route-target export 3000:222
 route-target import 3000:2
!
route-map VPN_B_Export permit 10
 match ip address 2
 set extcommunity rt 3000:1 additive
!
route-map VPN_B_Import permit 10
 match ip address 1
!
access-list 1 permit 171.68.0.0 0.0.0.0
access-list 2 permit 180.1.0.0 0.0.0.0
Only Site#1 of both VPNs will communicate with each other; Site#2 won't.
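The three route-target behaviours in this section (per-RD best path for the multihomed Site A in the loadsharing slides, the asymmetric import/export RTs of the hub-and-spoke design, and the export-map extranet above) all follow from the same import/export logic, so this one added Python model (not from the deck) checks all three. It models an additive export-map and plain RT matching on import; the import-maps are not modelled, and the VRF names, RDs, RTs and prefixes are taken from the slides while the path bookkeeping is constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnPath:
    rd: str            # route distinguisher the originating VRF prepends
    prefix: str        # IPv4 prefix learned from the CE
    next_hop: str      # originating PE (next-hop-self)
    rts: frozenset     # route-target extended communities attached


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    # Export-map stand-in: (prefix, extra RT) pairs, modelling
    # "match ip address <acl>" + "set extcommunity rt <rt> additive".
    export_map: list = field(default_factory=list)


def export_routes(vrf: Vrf, pe: str, prefixes: list) -> list:
    """CE routes become VPNv4 paths: RD prepended, the VRF's export RTs (plus
    any RT the export-map adds for that prefix) attached, next-hop = the PE."""
    paths = []
    for p in prefixes:
        rts = set(vrf.export_rts)
        rts.update(rt for match, rt in vrf.export_map if match == p)
        paths.append(VpnPath(vrf.rd, p, pe, frozenset(rts)))
    return paths


def rr_best_paths(paths: list) -> list:
    """The RR runs best-path per NLRI, and the VPNv4 NLRI is RD + prefix. Paths
    sharing RD and prefix collapse to one (first seen stands in for the real
    tie-break); distinct RDs keep every path alive for the remote PE."""
    best = {}
    for p in paths:
        best.setdefault((p.rd, p.prefix), p)
    return list(best.values())


def import_into(vrf: Vrf, paths: list) -> dict:
    """A receiving PE installs a path into a VRF only if one of the path's RTs
    is on the VRF's import list. Returns prefix -> [next-hops] so multipath
    (several PEs for one prefix) is visible."""
    table = {}
    for p in paths:
        if p.rts & vrf.import_rts:
            table.setdefault(p.prefix, []).append(p.next_hop)
    return table


def loadsharing_paths_at_pe2(distinct_rds: bool) -> int:
    """Site A (171.68.2.0/24) is dual-homed to PE11 and PE12. Count the paths
    VRF green on PE2 holds with the deck's distinct RDs (300:11 / 300:12)
    versus the same RD on both PEs."""
    g11 = Vrf("green", "300:11", {"1:1"}, {"1:1"})
    g12 = Vrf("green", "300:12" if distinct_rds else "300:11", {"1:1"}, {"1:1"})
    paths = (export_routes(g11, "PE11", ["171.68.2.0/24"])
             + export_routes(g12, "PE12", ["171.68.2.0/24"]))
    pe2_green = Vrf("green", "300:13", {"1:1"}, {"1:1"})
    return len(import_into(pe2_green, rr_best_paths(paths))["171.68.2.0/24"])


def hub_and_spoke_tables() -> dict:
    """Deck's hub-and-spoke RTs: spokes export 1:1 and import 2:2; HUB-OUT
    imports 1:1; HUB-IN exports 2:2 on the hub's default route. Returns the
    imported routes of each VRF (locally connected routes are not listed)."""
    spoke_a = Vrf("green-spoke1", "300:111", {"1:1"}, {"2:2"})
    spoke_b = Vrf("green-spoke2", "300:112", {"1:1"}, {"2:2"})
    hub_out = Vrf("HUB-OUT", "300:11", set(), {"1:1"})
    hub_in = Vrf("HUB-IN", "300:12", {"2:2"}, set())
    paths = rr_best_paths(export_routes(spoke_a, "PE-SA", ["171.68.1.0/24"])
                          + export_routes(spoke_b, "PE-SB", ["171.68.2.0/24"])
                          + export_routes(hub_in, "PE-Hub", ["0.0.0.0/0"]))
    return {v.name: import_into(v, paths) for v in (spoke_a, spoke_b, hub_out)}


def extranet_table_for_vpn_b() -> dict:
    """Deck's extranet: VPN_A's export-map adds RT 3000:2 only to 171.68.0.0/16
    (Site#1) and VPN_B imports 3000:2, so VPN_A's Site#2 prefix stays private."""
    vpn_a = Vrf("VPN_A", "3000:111", {"3000:111"}, {"3000:111", "3000:1"},
                export_map=[("171.68.0.0/16", "3000:2")])
    vpn_b = Vrf("VPN_B", "3000:222", {"3000:222"}, {"3000:222", "3000:2"})
    paths = export_routes(vpn_a, "PE1", ["171.68.0.0/16", "192.6.0.0/16"])
    return import_into(vpn_b, rr_best_paths(paths))
```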
MPLS-VPN Services
4. Internet Access Service to VPN Customers
Could be provided as another value-added service.
Security mechanisms must be in place in both the provider network and the customer network
To protect from Internet vulnerabilities
VPN customers benefit from a single point of contact for both Intranet and Internet connectivity
MPLS-VPN Services
4. Internet Access: Different Methods of Service
Four ways to provide the Internet service
1. VRF Specific default route with global keyword
2. Separate PE-CE sub-interface (nonVRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT
MPLS-VPN Services
4. Internet Access: Different Methods of Service
1. VRF-specific default route
1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
2. Separate PE-CE sub-interface (non-VRF)
May run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF
VPN packets never leave the VRF context; issue with overlapping VPN addresses
4. Extranet with Internet-VRF along with VRF-aware NAT
VPN packets never leave the VRF context; works well with overlapping VPN addresses
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Config)
A default route, pointing to the ASBR, is installed into the site VRF at each PE
A single label is used for packets forwarded according to the default route
The label is the IGP label corresponding to the IP address of the ASBR known via the IGP
The static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP
[Figure: CE1 (Site1, 171.68.0.0/16) - Serial0 - PE1 (192.168.1.2) - MPLS backbone (P) - ASBR (192.168.1.1, Internet GW) - Internet]
PE1 configuration:
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
interface Serial0
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
router bgp 100
 no bgp default ipv4-unicast
 redistribute static
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
ip route 171.68.0.0 255.255.0.0 Serial0
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Forwarding)
[Figure: CE1 (Site1, 171.68.0.0/16) - Serial 0 - PE1 (192.168.1.2) - MPLS backbone (P) - PE2/ASBR (192.168.1.1) - Internet. An IP packet for D=Cisco.com leaves Site1, is forwarded by PE1 with Label=30 towards 192.168.1.1 and exits to the Internet as a plain IP packet; the return IP packet for D=171.68.1.1 is forwarded by the ASBR with Label=35 towards 192.168.1.2 and out Serial 0 to Site1]
VRF routing/FIB table at PE1 (Destination, Label/interface):
0.0.0.0/0 192.168.1.1 (global)
Site-1 Serial 0
Global routing/FIB table at PE1 (Destination, Label/Interface):
192.168.1.1/32 Label=30
171.68.0.0/16 Serial 0
Global table and LFIB at the ASBR (Destination, Label/Interface):
192.168.1.2/32 Label=35
171.68.0.0/16 192.168.1.2
Internet Serial 0
Pros
Different Internet gateways can be used for different VRFs
PE routers need not hold the Internet table
Simple configuration
Cons
Using a default route for Internet routing does NOT allow any other default route for intra-VPN routing
Increasing size of the global routing table by leaking VPN routes
Static configuration
MPLS-VPN Services
4.2 Internet Access
1. VRF-specific default route
1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
2. Separate PE-CE sub-interface (non-VRF)
May run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF
VPN packets never leave the VRF context; overlapping VPN addresses could be a problem
4. Extranet with Internet-VRF along with VRF-aware NAT
VPN packets never leave the VRF context; works well with overlapping VPN addresses
4.2 Internet Access Service to VPN Customers
Using Separate Sub-Interface (Config)
PE1 configuration:
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
interface Serial0.1
 ip vrf forwarding VPN-A
 ip address 192.168.20.1 255.255.255.0
 frame-relay interface-dlci 100
!
interface Serial0.2
 ip address 171.68.10.1 255.255.255.0
 frame-relay interface-dlci 200
!
router bgp 100
 no bgp default ipv4-unicast
 [snip]
 neighbor 171.68.10.2 remote-as 502
[Figure: CE1 (Site1, 171.68.0.0/16) connects to PE1 (192.168.1.2) over two Frame Relay sub-interfaces, S0.1 (VRF) and S0.2 (global, BGP-4 with the CE); MPLS backbone (P) to the ASBR/Internet GW (192.168.1.1) and the Internet]
One sub-interface for VPN routing, associated to a VRF
Another sub-interface for Internet routing, associated to the global routing table.
Could advertise full Internet routes or a default route to the CE.
The PE will need to advertise VPN routes to the Internet (via the global routing table)
Internet Access Service to VPN Customers
4.2 Using Separate Sub-Interface (Forwarding)
[Figure: CE1 (Site1, 171.68.0.0/16) - S0.1 / S0.2 - PE1 (192.168.1.2) - MPLS backbone (P) - PE2 / PE-Internet GW (192.168.1.1) - Internet. An IP packet for D=Cisco.com leaves the CE on Serial0.2, PE1 forwards it with Label=30 towards 192.168.1.1, and it exits to the Internet as a plain IP packet]
CE routing table:
VPN routes -> Serial0.1
Internet routes -> Serial0.2
PE global table and FIB:
Internet routes -> 192.168.1.1
192.168.1.1 -> Label=30
Pros
CE could dual-home and perform optimal routing.
Traffic separation done by the CE.
Cons
PE has to hold full Internet routes.
BGP complexities introduced in the CE.
Internet Access Service
4.3 Extranet with Internet-VRF
The Internet routes could be placed within a VRF at the Internet-GW, i.e. the ASBR
VRFs for customers could extranet with the Internet VRF and receive either default, partial or full Internet routes
Be careful if duplicating the Internet routes in each VRF
Works well when the VPN customers don't have overlapping addresses
Internet Access Service
4.4 Internet Access using VRF-aware NAT
If the VPN customers need Internet access without Internet routes, then VRF-aware NAT can be used at the Internet-GW, i.e. the ASBR
The Internet GW doesn't need to have Internet routes either
Overlapping VPN addresses are not a problem
More in the VRF-aware NAT slides.
MPLS VPN Service
5. VRF-Selection
The common notion is that a VRF must be associated to an interface
VRF-selection breaks this association and associates multiple VRFs with an interface
Each packet on the PE-CE interface could be handled (based on certain criteria) via a different VRF routing table
Criteria such as source/destination IP address, ToS, TCP port etc., specified via a route-map
Voice and data can be separated out into different VRFs at the PE
MPLS VPN Service
5. VRF-Selection Based on Source IP Address
[Figure: a cable setup in which one global interface Se0/0 on PE1 carries traffic from three customer address ranges: 33.3.0.0/16 (VPN Brown, host 33.3.14.1), 44.3.0.0/16 (VPN Blue, host 44.3.12.1) and 66.3.0.0/16 (VPN Green, host 66.3.1.25); MPLS backbone (cable company) with RR and PE2 with VRF interfaces on the far side; traffic flows are mapped into the three VRFs]
ip vrf brown
 rd 3000:111
 route-target export 3000:1
 route-target import 3000:1
!
ip vrf blue
 rd 3000:222
 route-target export 3000:2
 route-target import 3000:2
!
ip vrf green
 rd 3000:333
 route-target export 3000:3
 route-target import 3000:3
!
route-map PBR-VRF-Selection permit 10
 match ip address 40
 set vrf brown
route-map PBR-VRF-Selection permit 20
 match ip address 50
 set vrf blue
route-map PBR-VRF-Selection permit 30
 match ip address 60
 set vrf green
!
interface Serial0/0
 ip address 215.2.0.6 255.255.255.252
 ip policy route-map PBR-VRF-Selection
 ip vrf receive brown
 ip vrf receive blue
 ip vrf receive green
!
access-list 40 permit 33.3.0.0 0.0.255.255
access-list 50 permit 44.3.0.0 0.0.255.255
access-list 60 permit 66.3.0.0 0.0.255.255
MPLS VPN Service
6. Remote Access Service
Remote access users, i.e. dial users and IPSec users, could directly be terminated in a VRF
PPP users can be terminated into VRFs
IPSec tunnels can be terminated into VRFs
Remote access services integration with MPLS VPN opens up new opportunities for providers
MPLS VPN Service
6. Remote Access Service IPSec to MPLS VPN
[Figure: remote users/telecommuters and SOHO sites (Cisco IOS VPN routers or Cisco Client 3.x or higher) reach the Internet via cable/DSL/ISDN ISPs or local/direct dial ISPs; their IPSec sessions terminate on a PE+IPSec aggregator in the SP shared IP/MPLS/Layer 2 based network, which maps them into VPN A, VPN B or VPN C towards the corporate intranets (Customer A head office and branch office, Customer B, Customer C). SP AAA and customer AAA servers are shown]
MPLS-VPN Services
7. VRF-Aware NAT Services
VPN customers could be using overlapping IP addresses, i.e. 10.0.0.0/8
Such VPN customers must NAT their traffic before using extranet, Internet or any shared* services
The PE is capable of NATting the VPN packets (eliminating the need for an extra NAT device)
* VoIP, hosted content, management etc.
MPLS-VPN Services
7. VRF-Aware NAT Services
Typically, inside interface(s) connect to private address space and outside interface(s) connect to global address space
NAT occurs after routing for traffic from inside to outside interfaces
NAT occurs before routing for traffic from outside to inside interfaces
Each NAT entry is associated with the VRF
Works on VPN packets in the following switching paths: IP->IP, IP->MPLS and MPLS->IP
MPLS-VPN Services:
7. VRF-Aware NAT Services Internet Access
[Figure: Blue VPN Site (CE1, 10.1.1.0/24) - PE11 and Green VPN Site (CE2, 10.1.1.0/24) - PE12 across the MPLS backbone (P) to PE-ASBR; PE-ASBR's VRF-facing side is "ip nat inside" and its Internet-facing link (217.34.42.1, next hop 217.34.42.2) is "ip nat outside"]
VRF-aware NAT specific config (PE-ASBR):
ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
ip nat inside source list vpn-to-nat pool pool-green vrf green
ip nat inside source list vpn-to-nat pool pool-blue vrf blue
ip access-list standard vpn-to-nat
 permit 10.1.1.0 0.0.0.255
ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global
VRF specific config (PE-ASBR):
ip vrf green
 rd 3000:111
 route-target both 3000:1
ip vrf blue
 rd 3000:222
 route-target both 3000:2
router bgp 3000
 address-family ipv4 vrf green
  network 0.0.0.0
 address-family ipv4 vrf blue
  network 0.0.0.0
MPLS-VPN Services:
7. VRF-Aware NAT Services: Internet Access
This is also one of the ways to provide Internet access to VPN customers with or without overlapping addresses
Figure (traffic flows, same topology as the previous slide: CE1/PE11 Blue, CE2/PE12 Green, P, PE-ASBR, Internet):
CE -> PE (IP packet): Src=10.1.1.1, Dest=Internet (from either site)
PE -> P -> PE-ASBR (MPLS packet): Src=10.1.1.1, Dest=Internet, carrying the VPN label of the originating VRF (Label=30 or Label=40 in the figure)
PE-ASBR -> Internet (IP packet): Src=24.1.1.1, Dest=Internet (Green) or Src=25.1.1.1, Dest=Internet (Blue)
NAT Table on the PE-ASBR:
VRF IP Source | Global IP | VRF-table-id
10.1.1.1 | 24.1.1.1 | green
10.1.1.1 | 25.1.1.1 | blue
The PE-ASBR removes the label from the received MPLS packets per LFIB, performs NAT on the resulting IP packets in the VRF identified by that label, and forwards the packet to the Internet.
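The behaviour just described, as an added Python model (not code from the Cisco deck): the popped VPN label selects the VRF, the NAT entry is keyed by (VRF, inside address) so the two 10.1.1.1 hosts get distinct global addresses, and the return path looks the global address up before routing to recover the VRF. Pools, ACL and labels 30/40 are taken from the slides; which label belongs to which VRF, the Internet host address and the drop behaviour on an unknown label are assumptions of the example.

```python
"""Model of the PE-ASBR on the VRF-aware NAT slides (added example, not the
deck's code): VPN label -> VRF, per-VRF NAT entries, reverse lookup before
routing on the return path."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

# LFIB on the PE-ASBR: incoming VPN label -> VRF. Labels 30 and 40 are drawn on
# the traffic-flow slide; which one belongs to which VRF is assumed here.
LFIB = {30: "blue", 40: "green"}

# "ip nat pool pool-green/pool-blue ... prefix-length 24"
POOLS = {"green": IPv4Network("24.1.1.0/24"), "blue": IPv4Network("25.1.1.0/24")}
# "ip access-list standard vpn-to-nat / permit 10.1.1.0 0.0.0.255"
NAT_ACL = IPv4Network("10.1.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    label: Optional[int] = None   # top label on the MPLS->IP path, None for IP


class VrfAwareNat:
    def __init__(self) -> None:
        # Each NAT entry is associated with a VRF: (vrf, inside ip) -> global ip
        self.inside: Dict[Tuple[str, IPv4Address], IPv4Address] = {}
        # Global addresses are unique across pools, so the reverse table alone
        # recovers the VRF on the outside-to-inside path.
        self.outside: Dict[IPv4Address, Tuple[str, IPv4Address]] = {}
        self._next_host = {vrf: 1 for vrf in POOLS}   # next host index per pool

    def _translate(self, vrf: str, inside_ip: IPv4Address) -> Optional[IPv4Address]:
        key = (vrf, inside_ip)
        if key not in self.inside:
            pool, idx = POOLS[vrf], self._next_host[vrf]
            if idx > pool.num_addresses - 2:          # hosts .1 .. .254 usable
                return None                           # pool exhausted: drop
            self._next_host[vrf] = idx + 1
            self.inside[key] = pool.network_address + idx
            self.outside[self.inside[key]] = key
        return self.inside[key]

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """MPLS->IP: pop the label per LFIB (the routing decision), then NAT.
        Returns the packet sent to the Internet, or None if dropped."""
        vrf = LFIB.get(pkt.label)
        if vrf is None:
            return None                       # label not allocated here: drop
        if pkt.src not in NAT_ACL:
            return Packet(pkt.src, pkt.dst)   # not matched by the ACL: untranslated
        glob = self._translate(vrf, pkt.src)
        return None if glob is None else Packet(glob, pkt.dst)

    def outside_to_inside(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        """IP->MPLS: NAT before routing; the entry yields the VRF whose routing
        table (and VPN label toward the originating PE) is then used."""
        entry = self.outside.get(pkt.dst)
        if entry is None:
            return None                       # no translation: drop, never routed blindly
        vrf, inside_ip = entry
        return vrf, Packet(pkt.src, inside_ip)


def demo() -> dict:
    """Both sites use 10.1.1.1; 198.51.100.10 is a constructed Internet host."""
    nat = VrfAwareNat()
    inet, host = IPv4Address("198.51.100.10"), IPv4Address("10.1.1.1")
    out_green = nat.inside_to_outside(Packet(host, inet, label=40))
    out_blue = nat.inside_to_outside(Packet(host, inet, label=30))
    return {
        "green_out": str(out_green.src),
        "blue_out": str(out_blue.src),
        "green_back": nat.outside_to_inside(Packet(inet, out_green.src)),
        "blue_back": nat.outside_to_inside(Packet(inet, out_blue.src)),
        "bogus_label": nat.inside_to_outside(Packet(host, inet, label=99)),
        "unknown_global": nat.outside_to_inside(Packet(inet, IPv4Address("24.1.1.200"))),
    }
```

The reverse table is what makes the "NAT before routing" rule on the outside-to-inside path safe: a packet for a global address with no entry is dropped rather than looked up in any VRF.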
What Is Inter-AS?
Figure: VPN-A site CE-1 attaches to PE-1 in AS #1 (Provider X, with RR1 and ASBR1); VPN-A site CE2 attaches to PE2 in AS #2 (Provider Y, with RR2 and ASBR2). CE-1 advertises 149.27.2.0/24 (NH=CE-1) to PE-1 via BGP, OSPF or RIPv2, and PE-1 sends an MP-iBGP update inside AS #1; the link between ASBR1 and ASBR2 is marked "???".
Problem: How do Provider X and Provider Y exchange VPN routes?
Inter-AS Deployment Scenarios
Figure: VPN-A site CE1 behind PE1 in AS #1 and VPN-A site CE2 behind PE2 in AS #2, with ASBR1 and ASBR2 interconnecting the two ASes.
The following options/scenarios exist for deploying Inter-AS:
1. Back-to-back VRFs
2. MP-eBGP for VPNv4
3. Multihop MP-eBGP between RRs
4. Non-VPN Transit Provider
2 and 3 are more common and will be discussed.
1 and 4 are in the backup slides.
Scenario 2: MP-eBGP between ASBRs to Exchange VPNv4 Routes
New CLI "no bgp default route-target filter" is needed on the ASBRs
ASBRs exchange VPN routes using eBGP (VPNv4 address family)
ASBRs store all VPN routes
But only in the BGP table and the LFIB
Not in the routing table nor in the CEF table
ASBRs don't need:
VRFs to be configured on them
LDP between them
Scenario 2: MP-eBGP between ASBRs for VPNv4
Control Plane
Figure: VPN-B site 10.1.1.0/24 behind CE-2/PE-1 in one AS and VPN-B site CE-3/PE-2 in the other, with ASBR-1 and ASBR-2 in between. Route propagation:
CE-2 -> PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
PE-1 -> ASBR-1 (MP-iBGP update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=40
ASBR-1 -> ASBR-2 (MP-eBGP update): RD 1:27:10.1.1.0/24, NH=ASBR-1, RT=1:1, Label=20
ASBR-2 -> PE-2 (MP-iBGP update): RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=30
PE-2 -> CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2
As the figure shows, each ASBR rewrites the next hop to itself and assigns a new VPN label to the route.
Scenario 2: MP-eBGP between ASBRs for VPNv4
Forwarding Plane
Figure: a packet from CE-3 to 10.1.1.1 traverses PE-2, P2, ASBR-2, ASBR-1, P1 and PE-1 to CE-2. Label stacks as drawn (transport label first, VPN label innermost):
PE-2 -> P2: [20][30] 10.1.1.1 (IGP label toward ASBR-2 on top of VPN label 30)
P2 -> ASBR-2: [30] 10.1.1.1 (transport label popped)
ASBR-2 -> ASBR-1: [20] 10.1.1.1 (MPLS packets between ASBRs; 30 swapped to 20)
ASBR-1 -> P1: [30][40] 10.1.1.1 (20 swapped to 40, IGP label toward PE-1 pushed)
P1 -> PE-1: [40] 10.1.1.1
PE-1 -> CE-2: 10.1.1.1 (plain IP)
Pros:
More scalable
Only one interface between the ASBRs
No VRF configuration on the ASBRs
Less memory consumption (no RIB/FIB memory)
MPLS label switching between providers
Still simple, more scalable and works today
Cons:
Automatic route filtering must be disabled (but BGP filtering can still be applied)
ASBRs are still required to hold VPN routes
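The ASBR role in this scenario, as an added Python model (not code from the deck): the ASBR keeps VPNv4 routes only in its BGP table and LFIB, has no VRF (so with the default route-target filter on it would drop every route, which is why the knob must be off), re-advertises each route with next-hop self and a locally allocated label, and swaps the VPN label on the packets that follow. RD, RTs and labels 40/20/30 follow the two figures; the starting label values, the inbound RT policy on the eBGP session and the second route are assumptions of the example.

```python
"""Added example (not from the deck): an Inter-AS Option B ASBR as on the
scenario 2 slides, control plane and label swap together."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str
    label: int
    rts: FrozenSet[str]


class AsbrOptionB:
    def __init__(self, name: str, first_label: int, default_rt_filter: bool,
                 ebgp_accept_rts: Optional[FrozenSet[str]] = None) -> None:
        self.name = name
        self.default_rt_filter = default_rt_filter  # True unless "no bgp default route-target filter"
        self.local_import_rts: FrozenSet[str] = frozenset()   # no VRFs on an Option B ASBR
        self.ebgp_accept_rts = ebgp_accept_rts      # optional inbound BGP filtering on the inter-AS session
        self.bgp_table: List[Vpnv4Route] = []
        self.lfib: Dict[int, Tuple[int, str]] = {}  # local label -> (outgoing label, next hop)
        self._next_label = first_label

    def receive(self, route: Vpnv4Route, from_ebgp: bool) -> Optional[Vpnv4Route]:
        """Process one VPNv4 update; return what is re-advertised, or None."""
        # Default behaviour: drop routes whose RTs no local VRF imports. With
        # no VRFs that drops everything, hence the knob must be off.
        if self.default_rt_filter and not (route.rts & self.local_import_rts):
            return None
        # Explicit BGP filtering is still possible on the inter-AS session.
        if from_ebgp and self.ebgp_accept_rts is not None \
                and not (route.rts & self.ebgp_accept_rts):
            return None
        local = self._next_label
        self._next_label += 1
        self.lfib[local] = (route.label, route.next_hop)   # LFIB only, no RIB/CEF
        self.bgp_table.append(route)
        return replace(route, next_hop=self.name, label=local)

    def forward(self, stack: List[int]) -> Optional[Tuple[str, List[int]]]:
        """Swap the top (VPN) label per LFIB; None when the label is unknown."""
        entry = self.lfib.get(stack[0])
        if entry is None:
            return None
        out_label, next_hop = entry
        return next_hop, [out_label] + stack[1:]


def demo() -> dict:
    pe1_route = Vpnv4Route("1:27", "10.1.1.0/24", "PE-1", 40, frozenset({"1:1"}))
    asbr1 = AsbrOptionB("ASBR-1", first_label=20, default_rt_filter=False)
    asbr2 = AsbrOptionB("ASBR-2", first_label=30, default_rt_filter=False,
                        ebgp_accept_rts=frozenset({"1:1"}))
    misconfigured = AsbrOptionB("ASBR-X", first_label=50, default_rt_filter=True)

    to_asbr2 = asbr1.receive(pe1_route, from_ebgp=False)       # MP-iBGP from PE-1
    to_pe2 = asbr2.receive(to_asbr2, from_ebgp=True)           # MP-eBGP from ASBR-1
    # A constructed route with an RT the peer did not agree to carry.
    other = replace(pe1_route, rd="1:28", prefix="10.2.2.0/24", rts=frozenset({"2:2"}))
    filtered = asbr2.receive(asbr1.receive(other, from_ebgp=False), from_ebgp=True)

    # Data plane: PE-2 imposes the label learnt from ASBR-2; the transport
    # label has already been popped by the penultimate hop.
    hop1 = asbr2.forward([to_pe2.label])
    hop2 = asbr1.forward(hop1[1])
    return {"to_asbr2": to_asbr2, "to_pe2": to_pe2, "filtered": filtered,
            "dropped_by_default_filter": misconfigured.receive(pe1_route, False),
            "hop1": hop1, "hop2": hop2, "bogus": asbr2.forward([999])}
```

The `ebgp_accept_rts` check is the "BGP filtering" the cons column refers to: once automatic RT filtering is disabled, an explicit policy on the eBGP session is the only thing keeping the peer from injecting routes with arbitrary route targets.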
Cisco IOS Configuration
Scenario 2: External MP-BGP between ASBRs for VPNv4
Figure: VPN-A sites (CE-1 behind PE1 in AS #1, CE-2 behind PE2 in AS #2); ASBR1 and ASBR2 are connected over 1.1.1.0/30 and run MP-eBGP for VPNv4, with label exchange between the ASBRs carried in MP-eBGP.
Note: the ASBR must already have MP-iBGP sessions with its iBGP neighbors such as RRs or PEs.
ASBR MP-eBGP Configuration:
router bgp x
 no bgp default route-target filter
 neighbor 1.1.1.x remote-as x
 !
 address-family vpnv4
  neighbor 1.1.1.x activate
  neighbor 1.1.1.x send-community extended
Scenario 3: Multihop MP-eBGP between
RRs to exchange VPNv4 routes
Exchange VPNv4 prefixes via the Route Reflectors
Requires Multihop MP-eBGP (with next-hop-unchanged)
Exchange IPv4 routes with labels between directly
connected ASBRs using eBGP
Only PE loopback addresses need to be exchanged (they
are BGP next-hop addresses of the VPN routes)
Scenario 3: Multihop MP-eBGP between RRs for VPN routes: Control Plane
Figure: VPN-B site 10.1.1.0/24 behind CE-2/PE-1 in AS#1 (with RR-1 and ASBR-1) and VPN-B site CE-3/PE-2 in AS#2 (with RR-2 and ASBR-2).
VPN route propagation:
CE-2 -> PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
PE-1 -> RR-1 -> RR-2 (multihop MP-eBGP, next-hop-unchanged) -> PE-2 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=90, unchanged at every hop
PE-2 -> CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2
PE loopback (BGP next hop) propagation:
Inside AS#1 (IGP+LDP): Network=PE-1, NH=PE-1, Label=40
ASBR-1 -> ASBR-2 (eBGP IPv4 update with label): Network=PE-1, NH=ASBR-1, Label=20
Inside AS#2 (IGP+LDP): Network=PE-1, NH=ASBR-2, Label=30
Note: instead of IGP+label, iBGP+label can be used to exchange PE routes/labels. Please see Scenario#5 on slides 49 and 50.
Scenario 3: Multihop MP-eBGP between RRs for VPN routes: Forwarding Plane
Figure: a packet from CE-3 to 10.1.1.1 traverses PE-2, P2, ASBR-2, ASBR-1, P1 and PE-1 to CE-2. Label stacks as drawn (transport label first; VPN label 90 is innermost and never rewritten):
PE-2 -> P2: [50][90] 10.1.1.1
P2 -> ASBR-2: [30][90] 10.1.1.1
ASBR-2 -> ASBR-1: [20][90] 10.1.1.1 (transport label swapped per the eBGP IPv4+label binding)
ASBR-1 -> P1: [40][90] 10.1.1.1
P1 -> PE-1: [90] 10.1.1.1 (transport label popped at the penultimate hop)
PE-1 -> CE-2: 10.1.1.1 (plain IP)
Note: instead of IGP+label, iBGP+label can be used to exchange PE routes/labels.
Scenario 3: Pros/Cons
Pros:
More scalable than Scenarios 1 and 2
Separation of control and forwarding planes
Route reflectors exchange VPNv4 routes+labels (RRs hold the VPNv4 information anyway)
ASBRs now exchange only IPv4 routes+labels
ASBRs forward MPLS packets
Cons:
Advertising PE addresses to another AS may not be acceptable to some providers
Cisco IOS Configuration
Scenario 3: Multihop MP-eBGP between RRs for VPNv4
Figure: VPN-A sites (CE-1 behind PE1 in AS #1, CE-2 behind PE2 in AS #2). RR-1 and RR-2 run multihop MP-eBGP for VPNv4 with next-hop-unchanged; ASBR-1 and ASBR-2 run eBGP IPv4 + labels.
iBGP IPv4+label could also be used within each AS (instead of network <x.x.x.x>) to propagate the label information for PEs.
ASBR Configuration:
router ospf x
 redistribute bgp x subnets
!
router bgp x
 neighbor <ASBR-x> remote-as x
 !
 address-family ipv4
  network <PEx> mask 255.255.255.255
  network <RRx> mask 255.255.255.255
  neighbor <ASBR-x> activate
  neighbor <ASBR-x> send-label
The redistribution of BGP into the IGP should be restricted (e.g. with a route-map) to the peer AS's PE loopbacks, so the IGP does not absorb whatever else the eBGP session carries.
RR Configuration:
router bgp x
 neighbor <RR-x> remote-as x
 neighbor <RR-x> ebgp-multihop
 neighbor <RR-x> update-source Loopback0
 !
 address-family vpnv4
  neighbor <RR-x> activate
  neighbor <RR-x> send-community extended
  neighbor <RR-x> next-hop-unchanged
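The control plane the two configurations above set up, from the ASBR's point of view, as an added Python model (not code from the deck): the ASBR accepts labelled IPv4 routes for the peer AS's PE loopbacks over the eBGP IPv4+label session, subject to a permitted-loopback list and a maximum-prefix limit, and the VPNv4 routes the RRs exchanged with next-hop-unchanged are usable only if their next hop (a PE loopback) resolves over one of those labelled routes. Labels 20/30 and VPN label 90 follow the figures; the loopback addresses, the permitted list and the limit are assumptions of the example.

```python
"""Added example (not from the deck): Inter-AS scenario 3 (Option C) at an
ASBR, where labelled PE loopbacks from the peer AS are policed and VPNv4
next hops are resolved over them. The VPN label is never rewritten."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PE1 = "192.0.2.1"        # constructed loopback of PE-1 in AS#1
ASBR1 = "192.0.2.254"    # constructed loopback of ASBR-1 in AS#1


@dataclass(frozen=True)
class LabeledIpv4:
    prefix: str          # "a.b.c.d/32"
    next_hop: str
    label: int


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str        # a PE loopback, preserved by next-hop-unchanged
    label: int


class AsbrOptionC:
    def __init__(self, permitted_loopbacks: List[str], max_prefix: int) -> None:
        self.permitted = [ip_network(p) for p in permitted_loopbacks]   # agreed PE loopback space
        self.max_prefix = max_prefix
        self.labeled_routes: Dict[str, LabeledIpv4] = {}
        # local label advertised into our own AS (IGP+LDP or iBGP+label)
        # -> (label learnt from the peer ASBR, peer ASBR)
        self.lfib: Dict[int, Tuple[int, str]] = {}
        self._next_label = 30                       # 30 as in the figure

    def receive_ipv4_label(self, route: LabeledIpv4) -> bool:
        """Inbound policy on the eBGP IPv4+label session."""
        net = ip_network(route.prefix)
        if net.prefixlen != 32 or not any(net.subnet_of(p) for p in self.permitted):
            return False                            # not an agreed PE loopback
        if len(self.labeled_routes) >= self.max_prefix:
            return False                            # maximum-prefix exceeded
        local = self._next_label
        self._next_label += 1
        self.labeled_routes[route.prefix] = route
        self.lfib[local] = (route.label, route.next_hop)
        return True

    def stack_toward_peer(self, vpn: Vpnv4Route) -> Optional[List[int]]:
        """Resolve the VPNv4 next hop over the labelled IPv4 routes. Returns
        [transport label, VPN label] to send toward the peer ASBR, or None if
        the PE loopback is unreachable (the VPN route is then unusable)."""
        nh = ip_address(vpn.next_hop)
        for prefix, lr in self.labeled_routes.items():
            if nh in ip_network(prefix):
                return [lr.label, vpn.label]
        return None

    def swap(self, stack: List[int]) -> Optional[Tuple[str, List[int]]]:
        """Data plane: swap our local transport label for the peer's."""
        entry = self.lfib.get(stack[0])
        if entry is None:
            return None
        peer_label, peer = entry
        return peer, [peer_label] + stack[1:]


def demo() -> dict:
    asbr2 = AsbrOptionC(permitted_loopbacks=["192.0.2.0/24"], max_prefix=100)
    accepted = asbr2.receive_ipv4_label(LabeledIpv4(PE1 + "/32", ASBR1, 20))
    not_host = asbr2.receive_ipv4_label(LabeledIpv4("192.0.2.0/24", ASBR1, 21))
    outside = asbr2.receive_ipv4_label(LabeledIpv4("203.0.113.7/32", ASBR1, 22))
    vpn = Vpnv4Route("1:27", "10.1.1.0/24", PE1, 90)
    orphan = Vpnv4Route("1:27", "10.9.9.0/24", "203.0.113.7", 91)   # next hop was rejected
    return {"accepted": accepted, "not_host": not_host, "outside": outside,
            "stack": asbr2.stack_toward_peer(vpn),
            "orphan": asbr2.stack_toward_peer(orphan),
            "swap": asbr2.swap([30, 90])}
```

Rejecting anything that is not a /32 inside the agreed loopback space is what bounds the "advertising PE addresses to another AS" concern from the pros/cons slide: the peer can only give you a labelled path to the exact routers you agreed on, and a VPNv4 route pointing anywhere else is simply never installed.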
Inter-AS Deployment Guidelines
1. Use the ASN in the route-target, i.e. ASN:xxxx
2. Max-prefix limits (both BGP and VRF) on PEs
3. Security (BGP MD5, BGP filtering, BGP max-prefix etc.) on ASBRs
4. End-to-end QoS agreement on ASBRs
5. Route-target rewrite on ASBRs
6. Should Internet connectivity terminate on the same ASBR?
Carrier Supporting Carriers: CsC
Benefits of CsC
What do I need to do to enable CsC ?
Deployment models
Security in CsC
Deployment Guideline
Deployment Scenarios
MPLS/VPN Networks without CsC
A large number of VPN routes at the PE may pose a limitation to the PE:
Unwanted routing updates in the carrier's network => CPU+memory
Label/prefix consumption at the PE => memory
Scalability issue at the PE
MPLS/VPN Networks without CsC
The number of VPN routes is one of the biggest limiting factors in scaling the PE router
A few SPs are running into this scaling limitation
If the number of VPN routes can be reduced somehow (without losing functionality), then the existing investment can be protected
The same PE can still be used to connect more VPN customers
Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes in each VRF by enabling MPLS on the PE-CE link
Benefits of CsC
Provide transport for ISPs ($)
No need to manage external routes from ISPs
Build an MPLS Internet Exchange (MPLS-IX) ($$)
Media independence; POS/FDDI/PPP possible
Higher speeds such as OC-192 or more
Operational benefits
Sell VPN service to subsidiary companies that provide VPN service ($)
What Do I Need to Enable CsC?
1. Build an MPLS-VPN enabled carrier's network
2. Connect the ISP/SP's sites (or PoPs) to the carrier's PEs
3. Exchange internal routes + labels between the carrier's PE and the ISP/SP's CE
4. Exchange external routes directly between the ISP/SP's sites
CsC Deployment Models
Figure: the carrier's MPLS core (PE1, P1, PE2) runs IGP+LDP internally and MP-iBGP for VPNv4 between PE1 and PE2. ISP PoP Site-1 (CE-1, R1, ASBR-1) and ISP PoP Site-2 (CE-2, R2, ASBR-2) attach to PE1 and PE2 over MPLS-enabled VRF interfaces; each site runs IGP+LDP internally. Between CE and PE: IPv4 routes with label distribution, covering only the ISP's internal routes (= IGP routes). Between the two ISP sites: a full-mesh iBGP for external routes (the ISP's customers such as C1, and the INTERNET, are external routes), which never enter the carrier's VRFs.
CsC Deployment Models
1. Customer-ISP not running MPLS
2. Customer-ISP running MPLS
3. Customer-ISP running MPLS-VPN
Model 1 and 2 are less common deployments.
Model 3 will be discussed in detail.
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Control Plane
Figure: VPN Site-1 (C1, network 10.1.1.0/24) attaches to ASBR_PE-1 (loopback 30.1.61.25/32) in ISP PoP Site-1 (ASBR_PE-1, R1, CE-1); VPN Site-2 attaches to ASBR_PE-2 in ISP PoP Site-2 (ASBR_PE-2, R2, CE-2); the carrier's core is PE1, P1, PE2.
Carrier level (the ISP's internal route 30.1.61.25/32, carried with labels):
Inside ISP Site-1 (IGP+LDP): 30.1.61.25/32, Label=pop at ASBR_PE-1; 30.1.61.25/32, NH=C1, Label=70 as drawn
CE-1 -> PE1: 30.1.61.25/32, NH=CE-1, Label=50
PE1 -> PE2 (MP-iBGP update): 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51
Carrier core (IGP+LDP): Net=PE-1, Label=pop from PE1 to P1; Net=PE-1, Label=16 from P1 to PE2
PE2 -> CE-2: 30.1.61.25/32, NH=PE-2, Label=52
Inside ISP Site-2 (IGP+LDP): 30.1.61.25/32, NH=CE-2, Label=60
ISP level (the VPN route, exchanged directly between the ISP's own PEs):
VPN Site-1 -> ASBR_PE-1: 10.1.1.0/24, NH=R1 as drawn
ASBR_PE-1 -> ASBR_PE-2 (MP-iBGP update): 1:1:10.1.1.0/24, RT=1:1, NH=30.1.61.25/32, Label=90
ASBR_PE-2 -> VPN Site-2: 10.1.1.0/24, NH=ASBR_PE-2
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Forwarding Plane
Figure: same topology (C1 and VPN Site-1 behind ASBR-1, R1, CE-1; PE1, P1, PE2 in the carrier's core; CE-2, R2, ASBR-2 in front of VPN Site-2). Label stacks as drawn (inner to outer) for a packet to 10.1.1.1 travelling from VPN Site-2 to VPN Site-1; the ISP's VPN label 90 is innermost and unchanged end to end, the label above it is the one for 30.1.61.25/32 at each hop:
10.1.1.1 (plain IP from VPN Site-2 to ASBR-2)
10.1.1.1 [90][60] inside ISP Site-2 toward CE-2
10.1.1.1 [90][52] CE-2 -> PE2
10.1.1.1 [90][51][16] PE2 -> P1 (carrier IGP label 16 on top of VPN label 51)
10.1.1.1 [90][51] P1 -> PE1
10.1.1.1 [90][50] PE1 -> CE-1
10.1.1.1 [90][70] inside ISP Site-1
10.1.1.1 [90] at ASBR-1 (outer label popped)
10.1.1.1 (plain IP from ASBR-1 to C1)
Security Mechanism in CsC
BGP/LDP MD5 on PE-CE
To prevent label spoofing, the PE:
Maintains a label <=> VRF table association
Checks during the LFIB lookup that the received packet's label is one that was allocated to that VRF
If the check fails, the packet is dropped
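The check described above, as an added Python model (not code from the deck) of a carrier PE: the PE records the VRF for every label it hands to a CE, and a labelled packet arriving on a VRF interface is forwarded only if its top label was allocated to that interface's VRF; a label belonging to another customer's VRF, or no VRF at all, is dropped. Labels 52, 51 and 16 and prefix 30.1.61.25/32 come from the CsC control/forwarding-plane slides; the interface names, the second customer VRF and its labels are assumptions of the example.

```python
"""Added example (not from the deck): the CsC label-spoofing check on a
carrier PE. Labels advertised to a CE are tied to a VRF; packets from a CE
whose label belongs to another VRF are dropped."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LabelEntry:
    vrf: str                 # VRF the label was allocated for
    prefix: str
    out_labels: List[int]    # labels to impose toward the remote PE, outer first
    next_hop: str


class CscPe:
    def __init__(self) -> None:
        self.if_vrf: Dict[str, str] = {}        # interface -> VRF
        self.lfib: Dict[int, LabelEntry] = {}   # label advertised to a CE -> entry
        self._next_label = 52                   # 52 is the label PE2 hands CE-2

    def bind(self, interface: str, vrf: str) -> None:
        """ip vrf forwarding <vrf> on a PE-CE interface."""
        self.if_vrf[interface] = vrf

    def learn_vpn_route(self, vrf: str, prefix: str, remote_pe: str,
                        vpn_label: int, igp_label: int) -> int:
        """MP-iBGP route for a CE-advertised prefix in a VRF: allocate the label
        we advertise to our own CE (IGP+LDP or eBGP+label) and remember its VRF."""
        label = self._next_label
        self._next_label += 1
        self.lfib[label] = LabelEntry(vrf, prefix, [igp_label, vpn_label], remote_pe)
        return label

    def receive(self, interface: str, stack: List[int]) -> Optional[Tuple[str, List[int]]]:
        """Labelled packet from a CE. Returns (next hop, outgoing stack) or None."""
        in_vrf = self.if_vrf.get(interface)
        entry = self.lfib.get(stack[0])
        if in_vrf is None or entry is None:
            return None                   # non-VRF interface or unallocated label
        if entry.vrf != in_vrf:
            return None                   # label belongs to another VRF: spoofed, drop
        return entry.next_hop, entry.out_labels + stack[1:]


def demo() -> dict:
    pe2 = CscPe()
    pe2.bind("Serial0/0", "isp-a")        # CE-2 of the ISP in the slides
    pe2.bind("Serial0/1", "isp-b")        # a CE of a second carrier customer (assumed)
    label_a = pe2.learn_vpn_route("isp-a", "30.1.61.25/32", "PE-1", vpn_label=51, igp_label=16)
    label_b = pe2.learn_vpn_route("isp-b", "10.7.7.0/24", "PE-3", vpn_label=77, igp_label=16)
    return {
        "label_a": label_a,
        # CE-2 sends [52][90]: the ISP's own VPN label 90 rides underneath
        "legit": pe2.receive("Serial0/0", [label_a, 90]),
        # the other customer's CE tries ISP-A's label
        "spoofed": pe2.receive("Serial0/1", [label_a, 90]),
        "unknown": pe2.receive("Serial0/0", [999, 90]),
        "own": pe2.receive("Serial0/1", [label_b]),
    }
```

The inner labels below the checked one (90 here) are the ISP's business and are carried through untouched; only the top label, the one the carrier itself allocated, has to belong to the receiving VRF.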
CsC Deployment Guideline
Two choices for deploying CsC:
1. IGP+LDP on the PE-CE, or
2. eBGP IPv4+label on the PE-CE (RFC 3107)
The choice is driven by the routing protocol used on the PE-CE link
The CE has to run MPLS-aware code
CsC: IOS Commands/Configs
Choice 1: What All You Need to Configure?
Choice 1: Enable LDP on the PE-CE link (IGP+LDP between PE1 and CE1; the PE side is a VRF interface)
PE-1:
int ser0/0
 ip vrf forwarding green
 mpls ip
 mpls label protocol ldp
CE-1:
int ser0/0
 mpls ip
 mpls label protocol ldp
Verification on PE-1:
show mpls interfaces [vrf <name>] all
show mpls ldp discovery [vrf <name>] all
show mpls ldp bindings vrf <name>
show mpls ip binding vrf <name>
show mpls ldp neighbor [vrf <name>] all
show mpls forwarding-table [vrf <name>]
Verification on CE-1:
show mpls interfaces
show mpls ldp discovery
show mpls ldp bindings
show mpls ldp neighbor
show mpls forwarding-table
CsC: IOS Commands/Configs
Choice 2: What All You Need to Configure?
Choice 2: Enable eBGP+label on the PE-CE link (the PE side is a VRF interface)
1. No IGP needed on PE-CE
2. No LDP needed on PE-CE
PE-1:
router bgp 1
 address-family ipv4 vrf green
  neighbor 200.1.61.6 remote-as 2
  neighbor 200.1.61.6 activate
  neighbor 200.1.61.6 send-label
CE-1:
router bgp 2
 neighbor 200.1.61.5 remote-as 1
 neighbor 200.1.61.5 send-label
IOS Commands/Configs
Choice 2: eBGP+label on the PE-CE
On PE:
show ip bgp vpnv4 vrf <vrf> neighbors
show ip bgp vpnv4 vrf <vrf> labels
show mpls forwarding-table vrf <vrf>
On CE:
show ip bgp neighbors
show ip bgp labels
show mpls forwarding-table
Best Practices
1. Use RRs to scale BGP.
2. Deploy RRs in pairs for redundancy.
3. Keep RRs out of the forwarding paths and disable CEF (saves memory).
4. Consider a unique RD per VRF per PE if load sharing of VPN traffic is required.
5. RT and RD should have the ASN in them, i.e. ASN:X
Reserve the first few hundred values of X for internal purposes such as filtering.
6. Don't use customer names as VRF names; it is a nightmare for the NOC. Use a simple combination of numbers and characters in the VRF name,
for example v101, v102, v201, v202 etc. Use the description.
7. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor:
maximum routes (max-prefix) within the VRF configuration
maximum-prefix per neighbor within the BGP VRF address family (if BGP on the PE-CE)
Conclusion
MPLS VPN is a cheaper alternative to a traditional L2 VPN
MPLS-VPN paves the way for new revenue streams
VPN customers could outsource their Layer 3 to the provider
Straightforward to configure any-to-any VPN topology
Partial-mesh and hub&spoke topologies can also be easily deployed
CsC and Inter-AS could be used to expand into new markets
VRF-aware services could be deployed to maximize the investment
Complete Your Online Session Evaluation!
WHAT: Complete an online session evaluation
and your name will be entered into a
daily drawing
WHY: Win fabulous prizes! Give us your feedback!
WHERE: Go to the Internet stations located
throughout the Convention Center
HOW: Winners will be posted on the onsite
Networkers Website; four winners per day
http://www.networkers04.com/desktop
Thanks for your time.
Q & A
Eval -
http://www.networkers04.com/desktop
BACK UP SLIDES
Scenario 1: Back-to-back VRF
Control Plane
VRF-to-VRF connectivity between ASBRs
Figure: VPN-B site 10.1.1.0/24 behind CE-2/PE-1; ASBR-1 and ASBR-2 each hold a VPN-B VRF that imports routes with route-target 1:1; VPN-B site CE-3 behind PE-2 on the far side. Route propagation:
CE-2 -> PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
PE-1 -> ASBR-1 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=29
ASBR-1 -> ASBR-2 (BGP, OSPF or RIPv2 on the VRF interface, like any PE-CE link): 10.1.1.0/24
ASBR-2 -> PE-2 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=92
PE-2 -> CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2
Scenario 1: Back-to-back VRF
Forwarding Plane
Figure: a packet from CE-3 to 10.1.1.1 traverses PE-2, P2, ASBR-2, ASBR-1, P1 and PE-1 to CE-2. Label stacks as drawn (inner to outer): 10.1.1.1 [92][20] PE-2 -> P2; 10.1.1.1 [92] P2 -> ASBR-2; 10.1.1.1 as a plain IP packet between the ASBRs; 10.1.1.1 [29][30] ASBR-1 -> P1; 10.1.1.1 [29] P1 -> PE-1; 10.1.1.1 as plain IP to CE-2.
Pros:
Per-customer QoS is possible
It is simple and elegant since there is no need to load the Inter-AS code (but still not widely deployed)
Cons:
Not scalable: the number of interfaces on both ASBRs is directly proportional to the number of VRFs
No end-to-end MPLS
Unnecessary memory consumed in RIB/(L)FIB
Dual-homing of the ASBRs makes provisioning worse
Cisco IOS Configuration
Scenario 1: Back-to-Back VRF between ASBRs
Figure: VPN-A sites CE-1/PE1 (AS #1) and CE-2/PE2 (AS #2); ASBR1 and ASBR2 are connected over 1.1.1.0/30 and exchange VRF routes via any routing protocol.
Note: the ASBR must already have MP-iBGP sessions with its iBGP neighbors such as RRs or PEs.
ASBR VRF and BGP config:
ip vrf green
 rd 1:1
 route-target both 1:1
!
router bgp x
 address-family ipv4 vrf green
  neighbor 1.1.1.x remote-as x
  neighbor 1.1.1.x activate
IOS Configuration
Scenario 2.5: Multi-Hop MP-eBGP for VPNv4
Figure: VPN-A sites CE-1/PE1 (AS #1) and CE-2/PE2 (AS #2); ASBR1 and ASBR2 run IGP & LDP on the link between them and a multi-hop MP-eBGP session for VPNv4 between their loopbacks.
Multi-hop MP-BGP session between ASBRs:
interface serial 0
 ip address 1.1.1.x 255.255.255.252
 mpls ip
 mpls label protocol ldp
!
router bgp x
 no bgp default route-target filter
 neighbor <ASBR-x> remote-as x
 neighbor <ASBR-x> update-source Loopback0
 neighbor <ASBR-x> ebgp-multihop
 !
 address-family vpnv4
  neighbor <ASBR-x> activate
  neighbor <ASBR-x> send-community extended
Scenario 4: Non-VPN Transit Provider
Two MPLS VPN providers may exchange routes via
one or more transit providers
Which may be non-VPN transit backbones just running
MPLS
Multihop MP-eBGP deployed between edge
providers
With the exchange of BGP next-hops via the transit
provider
Option 4: Non-VPN Transit Provider
Figure: MPLS VPN Provider #1 (PE1, RR-1, ASBR-1; VPN-B site CE-2) and MPLS VPN Provider #2 (PE2, RR-2, ASBR-2; VPN-B site CE-3) are connected through a non-VPN MPLS transit backbone (ASBR-3, ASBR-4). RR-1 and RR-2 exchange VPNv4 routes over multihop MP-eBGP (or MP-iBGP) with next-hop-unchanged; eBGP IPv4 + labels runs between ASBR-1 and ASBR-3 and between ASBR-4 and ASBR-2; iBGP IPv4 + labels carries the labelled PE next hops across the transit backbone and inside each provider.
Route-Target rewrite at ASBR
The ASBR can add/delete route-targets associated with a VPNv4 prefix
Secures the VPN environment
ASBR(config)#router bgp 1000
ASBR(config-router)#address-family vpnv4
ASBR(config-router-af)#neighbor 1.1.1.1 route-map route-target-delete out
ASBR(config-router-af)#exit
ASBR(config-router)#exit
ASBR(config)#route-map route-target-delete
ASBR(config-route-map)#match extcommunity 101
ASBR(config-route-map)#set extcomm-list 101 delete
ASBR(config-route-map)#set extcommunity rt 123:123 additive
ASBR(config-route-map)#exit
ASBR(config)#ip extcommunity-list 101 permit rt 100:100
Routes that match no clause of the route-map hit its implicit deny and are not advertised to the neighbor; add a permit clause without a match statement if the remaining routes should pass unchanged.
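The semantics of that outbound route-map, as an added Python model (not code from the deck): a route whose RTs match extcommunity-list 101 loses those RTs and gains 123:123 (additive, so unrelated RTs survive), and a route that matches no clause is denied. The trailing permit clause for other routes, and the two route records, are constructed for the example.

```python
"""Added example (not from the deck): route-target rewrite with an outbound
route-map, following the clause order and implicit deny of an IOS route-map."""
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, List, Optional

# ip extcommunity-list 101 permit rt 100:100
EXTCOMM_LISTS = {101: frozenset({"rt:100:100"})}


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: FrozenSet[str]      # "rt:ASN:nn" extended communities


def matches_extcommunity(route: Vpnv4Route, list_id: int) -> bool:
    """match extcommunity <list>: true if any RT on the route is permitted."""
    return bool(route.rts & EXTCOMM_LISTS[list_id])


def clause10(route: Vpnv4Route) -> Optional[Vpnv4Route]:
    """route-map route-target-delete permit 10
         match extcommunity 101
         set extcomm-list 101 delete
         set extcommunity rt 123:123 additive"""
    if not matches_extcommunity(route, 101):
        return None                                   # clause does not match
    rts = (route.rts - EXTCOMM_LISTS[101]) | {"rt:123:123"}
    return replace(route, rts=frozenset(rts))


def clause20(route: Vpnv4Route) -> Optional[Vpnv4Route]:
    """route-map route-target-delete permit 20 (assumed clause: no match
    statement, so every remaining route passes unchanged)."""
    return route


ROUTE_MAP: List[Callable[[Vpnv4Route], Optional[Vpnv4Route]]] = [clause10, clause20]


def apply_route_map(route: Vpnv4Route,
                    clauses: List[Callable[[Vpnv4Route], Optional[Vpnv4Route]]] = ROUTE_MAP
                    ) -> Optional[Vpnv4Route]:
    """First matching clause wins; no match => implicit deny (None)."""
    for clause in clauses:
        result = clause(route)
        if result is not None:
            return result
    return None


def demo() -> dict:
    internal = Vpnv4Route("1000:5", "10.5.0.0/16", frozenset({"rt:100:100", "rt:1000:7"}))
    other = Vpnv4Route("1000:8", "10.8.0.0/16", frozenset({"rt:1000:8"}))
    return {
        "rewritten": apply_route_map(internal),
        "passed": apply_route_map(other),
        # the slide's single-clause route-map on its own: non-matching routes are dropped
        "single_clause_other": apply_route_map(other, clauses=[clause10]),
    }
```

The rewrite keeps the internal RT 1000:7 on the route, which is why "additive" matters: without it the set statement would replace the whole RT list, and with it the peer still sees an RT that only has meaning inside AS 1000, so a deletion of everything not meant for the peer is the safer policy.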
