CSC Webcast Aug 17 MPLS VPN Nagendra Presentation

Thank you for joining us today
Introduction to MPLS VPN

Audio
Question & Answer
You will not hear audio till the Event Starts
Please use the Q&A Panel during the session to ask a Question to the Presenter or Panelist When you have a question please feel free to enter it into the WebEx Q&A panel You can find the Q&A panel in the bottom right hand corner of the consol.
Due to the large audience in attendance today you will remain muted throughout the Event Teleconference

If your computer does not have speakers or you are experiencing difficulties you may request to join the Teleconference. Select the Request button on the right console and allow a few minutes to receive a response.
Chat Panel
Please use the Chat Panel if you are experiencing any technical difficulties
This is located in the bottom right hand corner of the consol
We will begin at 4:00 am Pacific Daylight Time (San Francisco, GMT-07:00)

Nagendra Kumar, CSE
Cisco Support Community Expert Series Webcast

Todays featured expert is Cisco Support Engineer Nagendra Kumar
Ask him questions now about MPLS VPN
Nagendra Kumar
CCIE in Routing and Switching, & Service Provider
2011 Cisco and/or its affiliates. All rights reserved.
Thank You for Joining Us Today

Todays presentation will include audience polling questions
We encourage you to participate!
Thank You for Joining Us Today

If you would like a copy of the presentation slides, click the PDF link in the chat box on the right or go to https://supportforums.cisco.com/community/netpro/serviceproviders
Or, https://supportforums.cisco.com/docs/DOC-17930
Polling Question 1
What is your level of experience with MPLS VPN?
a) I know basic MPLS, but no idea about MPLS VPN
b) I theoretically know MPLS VPN, but no practical experience.

c) Im playing with it in the lab.
d) Im running it in production.
Submit Your Questions Now

Use the Q&A text box to submit your questions

Nagendra Kumar, CCIE
Agenda
MPLS VPN Architecture Control Plane Functionality
Data Plane Functionality

Basic Configuration
MPLS VPN Troubleshooting Overview

Summary
MPLS VPNs
Layer 3
What Is a Virtual Private Network?

VPN is a set of sites or groups which are allowed to communicate with each other VPN is defined by a set of administrative policies
Policies established by VPN customers Policies could be implemented completely by VPN service providers
Flexible inter-site connectivity

Ranging from complete to partial mesh
Sites may be either within the same or in different organizations

VPN can be either intranet or extranet
Site may be in more than one VPN

VPNs may overlap
Not all sites have to be connected to the same service provider

VPN can span multiple providers
11
L2 vs. L3 VPNs
Layer 2 VPNs
Customer endpoints (CPE) connected via Layer 2 such as Frame Relay DLCI, ATM VC or point-to-point connection Provider network is not responsible for distributing site routers as routing relationship is between the customer endpoints Provider will need to manually fully mesh end points if any-to-any connectivity is required
Layer 3 VPN
Customer end points peer with providers routers @ L3 Provider network responsible for distributing routing information to VPN sites Dont have to manually fully mesh customer endpoints to support any-to-any connectivity
12
Layer 3 VPNs
IP L3 vs. MPLS L3 VPNs

VPN B VPN A VPN C VPN C
Multicast
VPN B Intranet
VoIP
VPN A VPN A VPN B VPN C

Extranet
Hosting
VPN A VPN B VPN C
Overlay VPN
ACLs, ATM/FR, IP tunnels, IPSec, etc. requiring n*(n-1) peering points Transport dependent Groups endpoints, not groups Pushes content outside the network Costs scale exponentially NAT necessary for overlapping address space Limited scaling QoS complexity
MPLS-Based VPNs
Point to Cloud single point of connectivity Transport independent Easy grouping of users and services Enables content hosting inside the network
Flat cost curve Supports private overlapping IP addresses Scalable to over millions of VPNs Per VPN QoS
14
VPN Model
A
B
A
Provider Backbone
15
MPLS VPN Architecture

Provider Edge (PE) Label Switch Router (LSRs) Customer Edge (CE) Customer Edge (CE)
Layer 3 MPLS Backbone VRF interface
VRF interface
Provider (P) LSRs

16
MPLS VPN Building Blocks

MPLS framework (labels) in the core
IGP (any) LDP or MPLS Traffic Engineering
VRF (Virtual Routing/Forwarding) context to keep VPNs seperate

VRF on PE interface towards CE VRF routing table VRF CEF table RD is 64 bits RD allows for overlapping VPN prefixes VRF knowledge only needed on edge routers
RD attached to prefixes to make VPN prefixes unique
Route targets (ext BGP community) attached to VPN prefixes to allow prefixes to be imported/exported to VPNs
BGP in the core to advertise VPN prefix and VPN label to all Provider Edge (PE) routers
17
VRF
Virtual Routing/Forwarding Seperate context for each VPN
Seperate RIB per VPN
Seperate FIB per VPN
Each protocol needs to be VRF-aware when running across VRF interface

e.g. any routing protocol DHCP NAT MIB etc.
18
VRF Routing Tables

VRF routing table contains routes that should be available to a particular set of VPN sites VRF routing tables support the same set of mechanisms as the standard (default/global) routing table There is still the global routing table used in the core MPLS network
PE1#show ip vrf interfaces Interface IP-Address Se2/0 11.1.1.2 Lo999 200.1.1.1
VRF one two
Protocol up up
PE1#show ip vrf Name one three two
Default RD 1:1 3.3.3.3:3 1:2
Interfaces Se2/0 Lo999
19
VRF RIB
PE1# show ip route vrf one Routing Table: one Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set 11.0.0.0/8 is variably subnetted, 6 subnets, 2 masks 11.1.2.0/24 [200/0] via 10.100.1.4, 2d18h 11.1.3.0/24 [200/0] via 10.100.1.6, 2d18h 11.1.1.0/24 is directly connected, Serial2/0 11.100.1.7/32 [200/1] via 10.100.1.6, 2d18h 11.100.1.5/32 [200/1] via 10.100.1.4, 2d18h 11.100.1.1/32 [120/1] via 11.1.1.1, 00:00:05, Serial2/0
B B C B B R
VRF routing tables are normal routing tables, but the next hop IP address can be in global routing table
20
VRF FIB
PE1#show ip cef vrf one Prefix Next Hop 0.0.0.0/0 drop 0.0.0.0/32 receive 11.1.1.0/24 attached 11.1.1.0/32 receive 11.1.1.2/32 11.1.1.255/32 11.1.2.0/24 11.1.3.0/24 11.100.1.1/32 11.100.1.5/32 11.100.1.7/32 receive receive 10.1.1.3 10.1.5.6 11.1.1.1 10.1.1.3 10.1.5.6 Interface Null0 (default route handler entry) Serial2/0
Serial3/0 Ethernet0/0 Serial2/0 Serial3/0 Ethernet0/0
PE1#show ip cef vrf one 11.1.2.0 11.1.2.0/24, version 9, epoch 0, cached adjacency to Serial3/0 0 packets, 0 bytes
tag information set local tag: VPN-route-head fast tag rewrite with Se3/0, point2point, tags imposed: {19 22} via 10.100.1.4, 0 dependencies, recursive next hop 10.1.1.3, Serial3/0 via 10.100.1.4/32 valid cached adjacency tag rewrite with Se3/0, point2point, tags imposed: {19 22}
21
RD
Makes customer IPv4 prefix unique RD is present in the NLRI (MP_REACH_NLRI or MP_UNREACH_NLRI), together with the IPv4 prefix and MPLS label RD = 64 bits is added to make VPNv4 prefix unique RD comprises Administrator subfield:Assigned number subfield Two formats
PE1(config)#ip vrf three PE1(config-vrf)#rd ? ASN:nn or IP-address:nn
! ip vrf three rd 3.3.3.3:3 route-target export 1:3 route-target import 1:3 ! ip vrf two rd 1:2 route-target export 1:2 route-target import 1:2
VPN Route Distinguisher
RD-type 1
RD-type 0
22
Route-Targets
Operation
Used to control which routes are imported into which VRFs from the remote PE routers and with which Route Targets the vpnv4 routes are exported towards the remote PE routers
There could be more than one Route Target attached to the vpnv4 route For the import into the VRF to be permitted, only one Route Target from the vpnv4 route needs to be matched with the configuration of the imported Route Targets under the ip vrf section on the PE router
Exporting a Route Target (RT) means that the exported vpnv4 route will receive an additional BGP extended community (this is the Route Target) as configured
under ip vrf on the PE router, when the route is redistributed from the VRF routing
table into MP-BGP. Importing a Route Target (RT) means that the received vpnv4 route from MPBGP is checked for a matching extended community (this is the route target) with the one in the configuration.
23
Intranet
Customer Equipment (CE)
ip vrf A rd 1:1 route-target export 1:1 route-target import 1:1
VPN A site 1
Provider Equipment (PE)
ip vrf A rd 1:1 route-target export 1:1 route-target import 1:1
VPN A site 2
Prefixes from VPN A site 1 will be imported into site 2 of VPN A and vice versa
24
Extranet
ip vrf B rd 1:2 route-target export 1:2 route-target import 1:2 route-target import 1:1
VPN A site 1
ip vrf A rd 1:1 route-target export 1:1 route-target import 1:1 route-target import 1:2
VPN B site 1
Prefixes from VPN A site 1 will be imported into site 1 of VPN B and vice versa
25
Polling Question 2
How familiar are you with BGP?
a) Theoretical knowledge only and BGP is not running in my production network.
b) I have minimal hands on with BGP but is not running in my production network.
c) I have BGP running in my network and work on it on a daily basis.

d) I have BGP running in my network and I participate in IETF discussion for BGP WG.
26
Role of BGP
iBGP carries:
the vpnv4 prefix
vpnv4 prefix = RD + IPv4 prefix
Route Target (RT) Any other community and BGP attribute The MPLS label
Address-family (AF) vpnv4 is used Label is automatically advertised in AF vpnv4
27
Context
Multiprotocol BGP exchanging vpnv4 prefixes + MPLS label (VPN label)
VPN A site 1
Provider Equipment (PE1)
A label distribution protocol (LDP, RSVP for MPLS TE) + IGP
Provider (P)
Provider (P)
Provider Equipment (PE2)
Provider (P)
service provider running MPLS VPN

VRF Routing Table for VPN A
VPN B site 1
VRF Routing Table for VPN B
Global IP Routing Table

28
Route Exchange
3
IPv4 route is redistributed into MP-BGP RD is added to IPv4 route to make it a vpnv4 route Route Targets are added
5
Route Targets indicate to which VRF the route is imported RD is removed from vpnv4 route
4
iBGP advertises vpnv4 route with MPLS label and Route Targets
7
IGP or eBGP advertises IPv4 route
VPN 1
IGP or eBGP advertises IPv4 route
VPN 1
C CE
VRF
C
VRF
PE
PE
CE
MPLS VPN Network
Site A
2
IPv4 route is inserted into VRF routing table
IPv4 route is inserted into VRF routing table
Site B
29
Packet Forwarding
6
Lookup of VPN label in LFIB
2 5
Lookup of destination IP address in VRF FIB VPN label pushed IGP label pushed
PHP by default
3
Labeled packet forwarded
IGP
1
IP packet enters PE on VRF interface
VPN 1
Packet forwarded as IP packet
VPN IP
VPN 1
VPN IP
IP
IP
C CE
VRF
C
VRF
PE
P
P swaps IGP label
PE
CE
C 4
Site A
MPLS VPN Network

Site B
30
MPLS L3 VPN Control Plane Basics

iBGPVPNv4 Label Exchange
CE4
CE3
VRF P1 P2 VRF
VRF PE1
LDP iBGPVPNv4
LDP
LDP
PE3 iBGPVPNv4 VRF
PE2
CE1
1. VPN service is enabled on PEs (VRFs are created and applied to VPN site interface) 2. VPN sites CE1 connects to a VRF enabled interface on a PE1 3. VPN site routing by CE1 is distributed to MP-iBGP on PE1 4. PE1 allocates VPN label for each prefix, sets itself as a next hop and relays VPN site routes to PE3 5. PE3 distributes CE1s routes to CE2 (Similar happens from CE2 side)
CE2
31
How Control Plane Information Is Separated

VPN-IPv4 Net=RD:16.1/16 NH=PE1 Route Target 100:1 Label=42
iBGPVPNv4 Label Exchange
16.1.0.0/16
IGP/eBGP Net=16.1.0.0/16
CE1
IPv4 Route Exchange
P1
No VPN routes in the Core(P)
IGP/eBGP Net=16.10.0/16
P2
CE2 PE2
IPv4 Route Exchange
PE1
ip vrf Yellow RD 1:100 route-target export 1:100 route-target import 1:100
MPLS VPN Control Plane Components:

Route Distinguisher: 8 byte fieldunique value assigned by a provider to each VPN to make a route unique so customers dont see each others routes VPNv4 address: RD+VPN IP prefix; Route Target: RT-8bytes field, unique value assigned by a provider to define the import/export rules for the routes from/to each VPN MP-BGP: facilitates the advertisement of VPNv4* prefixes + labels between MP-BGP peers Virtual Routing Forwarding Instance (VRF): contains VPN site routes Global Table: Contains core routes, Internet or routes to other services
32
How Does It Work? How Data Plane Is Separated

2 MPLS labels
VPN label LDP label
IPv4
IPv4
IPv4
CE1
IPv4 CE1 Forwards IPv4 Packet
P1 PE1
! Interface S1/0 ip vrf forwarding Yellow !
P2 PE2
CE2
IPv4 CE2 Receives IPv4 Packet
1. PE1 imposes pre allocated label for the prefix 2. Core facing interface allocates IGP label 3. Core swap IGP labels 4. PE2 strips off VPN label and forwards the packet to CE2 as an IP packet
33
Config on PE Router
Definition of VRF
Assigning CE-facing interface to VRF
PE-CE routing protocol
Confiuring BGP vpnv4 peering (to all other PEs or RRs)
Configuring VRF BGP (redistribution)

ip vrf one rd 1:1 route-target export 1:1 route-target import 1:1 ! interface FastEthernet2/1 ip vrf forwarding one ip address 99.1.1.2 255.255.255.0 ! router ospf 100 vrf one log-adjacency-changes redistribute bgp 1 metric 10 subnets network 99.1.1.0 0.0.0.255 area 0 ! router bgp 1 bgp log-neighbor-changes neighbor 11.100.100.4 remote-as 1 neighbor 11.100.100.4 update-source Loopback0 ! address-family ipv4 no synchronization neighbor 11.100.100.4 activate neighbor 11.100.100.4 send-community both exit-address-family ! address-family vpnv4 neighbor 11.100.100.4 activate neighbor 11.100.100.4 send-community both exit-address-family ! address-family ipv4 vrf one redistribute connected redistribute ospf 100 vrf one exit-address-family
34
Verifying VPNv4 Prefixes in BGP

PE1#show ip bgp vpnv4 all BGP table version is 15, local router ID is 10.100.1.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 1:1 (default for vrf one) *> 11.1.1.0/24 0.0.0.0 0 32768 ? *>i11.1.2.0/24 10.100.1.4 0 100 0? *>i11.1.3.0/24 10.100.1.6 0 100 0? *> 11.100.1.1/32 11.1.1.1 1 32768 ? *>i11.100.1.5/32 10.100.1.4 1 100 0? *>i11.100.1.7/32 10.100.1.6 1 100 0? Route Distinguisher: 1:2 (default for vrf two) *>i14.1.1.1/32 10.100.1.4 0 100 0? PE1#debug ip bgp vpnv4 unicast updates BGP updates debugging is on for address family: VPNv4 Unicast BGP(2): 10.100.1.4 rcvd UPDATE w/ attr: nexthop 10.100.1.4, origin ?, localpref 100, metric 0, extended community RT:1:2 BGP(2): 10.100.1.4 rcvd 1:2:14.1.1.1/32
35
MPLS Aware ICMP

PE1#trace vrf one 11.100.1.5
Type escape sequence to abort. Tracing the route to 11.100.1.5
1 10.1.1.3 [MPLS: Labels 19/23 Exp 0] 32 msec 60 msec 40 msec 2 11.1.2.4 [MPLS: Label 23 Exp 0] 40 msec 20 msec 20 msec 3 11.1.2.5 60 msec * 64 msec
ICMP in IOS can carry the label stack when generating ICMP reply messages
36
PE-CE Routing Protocols

Connected
Static RIPv2
OSPF
EIGRP eBGP
37
VRF Access
Cisco IOS commands were made VRF aware in order
to be able to communicate with the CE devices or IP addresses on the PE router in the VRF context
london# ping vrf cust-one 10.10.100.1 london# traceroute vrf cust-one 10.10.100.1 london# telnet 10.10.100.1 /vrf cust-one
38
MPLS VPN Troubleshooting

Basic Checks:
ping and traceroute CE-to-CE Ping local PE-CE Ping from PE to remote PE-CE Ping and traceroute PE-to-PE in global RIB (between PE loopback)
Ping check connectivity Traceroute can tell us if LSP is broken (look for missing label)
If there is a failure:
check routing tables (global and VRF) Check forwarding vector Check CEF tables (global and VRF) Check forwarding vector and labels Check BGP vpnv4 table Check next-hop and labels
39
MPLS VPN Troubleshooting: Example

CE1#ping 11.100.1.5 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.100.1.5, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/64 ms CE1#trace 11.100.1.5 Type escape sequence to abort. Tracing the route to 11.100.1.5 1 11.1.1.2 20 msec 20 msec 20 msec 2 10.1.1.3 [MPLS: Labels 19/23 Exp 0] 60 msec 60 msec 60 msec 3 11.1.2.4 [MPLS: Label 23 Exp 0] 40 msec 40 msec 40 msec 4 11.1.2.5 48 msec * 64 msec
10.1.0.0/16
11.100.1.1/32 10.100.1.2/32
MPLS core
10.100.1.3/32
Eth0/0 Eth0/0 .4 Eth1/0 .4 S2/0 S2/0 11.1.2.5/24
10.100.1.4/32
11.100.1.5/32
S2/0
S2/0 .2
S3/0
S3/0 .3
R1 R1
11.1.1.1/24
R2 R2
10.1.1.2/24
R3 R3
10.1.3.3/24 Eth1/0 10.1.4.3/24
R4 R5
.4
R6 R5
CE1
PE1
PE2
CE2
40

PE1#ping vrf one 11.100.1.5
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 11.100.1.5, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 40/52/72 ms
PE1#trace vrf one 11.100.1.5 Type escape sequence to abort. Tracing the route to 11.100.1.5 1 10.1.1.3 [MPLS: Labels 19/23 Exp 0] 32 msec 60 msec 40 msec 2 11.1.2.4 [MPLS: Label 23 Exp 0] 40 msec 20 msec 20 msec 3 11.1.2.5 60 msec * 64 msec 10.1.0.0/16
11.100.1.1/32 10.100.1.2/32
MPLS core
10.100.1.3/32
Eth0/0 Eth0/0 .4 Eth1/0 .4 S2/0 S2/0 11.1.2.5/24
10.100.1.4/32
11.100.1.5/32
S2/0
S2/0 .2
S3/0
S3/0 .3
R1 R1
11.1.1.1/24
R2 R2
10.1.1.2/24
R3 R3
10.1.3.3/24 Eth1/0 10.1.4.3/24
R4 R5
.4
R6 R5
CE1
PE1
PE2
CE2
41

PE1#show ip cef vrf one 11.100.1.5 11.100.1.5/32, version 10, epoch 0, cached adjacency to Serial3/0 0 packets, 0 bytes tag information set local tag: VPN-route-head fast tag rewrite with Se3/0, point2point, tags imposed: {19 23} via 10.100.1.4, 0 dependencies, recursive next hop 10.1.1.3, Serial3/0 via 10.100.1.4/32 valid cached adjacency tag rewrite with Se3/0, point2point, tags imposed: {19 23}
PE1#show ip cef 10.100.1.4 10.100.1.4/32, version 20, epoch 0, cached adjacency to Serial3/0 0 packets, 0 bytes tag information set, shared local tag: 23 fast tag rewrite with Se3/0, point2point, tags imposed: {19} via 10.1.1.3, Serial3/0, 2 dependencies next hop 10.1.1.3, Serial3/0 valid cached adjacency tag rewrite with Se3/0, point2point, tags imposed: {19}
BGP next-hop
10.1.0.0/16
11.100.1.1/32 10.100.1.2/32
MPLS
PE1#show ip bgp vpnv4 vrf one 11.100.1.5 BGP routing table entry for 1:1:11.100.1.5/32, version 12 Paths: (1 available, best #1, table one) Not advertised to any peer Local 10.100.1.4 (metric 75) from 10.100.1.4 (10.100.1.4) Origin incomplete, metric 0, localpref 100, valid, internal, best core Extended Community: RT:1:1 mpls labels in/out nolabel/23
10.100.1.3/32
Eth0/0 Eth0/0 .4 Eth1/0 .4 S2/0 S2/0 11.1.2.5/24
10.100.1.4/32
11.100.1.5/32
S2/0
S2/0 .2
S3/0
S3/0 .3
R1 R1
11.1.1.1/24
R2 R2
10.1.1.2/24
R3 R3
10.1.3.3/24 Eth1/0 10.1.4.3/24
R4 R5
.4
R6 R5
CE1
PE1
PE2
CE2
42

P#show mpls forwarding-table 10.100.1.4 Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface 19 Pop tag 10.100.1.4/32 1220 Et1/0 10.1.4.4 Pop tag 10.100.1.4/32 1051348 Et0/0 10.1.3.4
10.1.0.0/16
11.100.1.1/32 10.100.1.2/32
MPLS core
10.100.1.3/32
Eth0/0 Eth0/0 .4 Eth1/0 .4 S2/0 S2/0 11.1.2.5/24
10.100.1.4/32
11.100.1.5/32
S2/0
S2/0 .2
S3/0
S3/0 .3
R1 R1
11.1.1.1/24
R2 R2
10.1.1.2/24
R3 R3
10.1.3.3/24 Eth1/0 10.1.4.3/24
R4 R5
.4
R6 R5
CE1
PE1
PE2
CE2
43
PE2#show mpls forwarding-table labels 23 Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 23 No Label 11.100.1.5/32[V] 0 Se2/0 point2point
MPLS core
10.1.0.0/16
11.100.1.1/32 10.100.1.2/32 10.100.1.3/32
Eth0/0 S2/0 S2/0 .2 S3/0 S3/0 .3 10.1.3.3/24 Eth1/0 10.1.4.3/24 Eth0/0 .4 Eth1/0 .4 S2/0 S2/0 11.1.2.5/24
10.100.1.4/32
11.100.1.5/32
R1 R1
11.1.1.1/24
R2 R2
10.1.1.2/24
R3 R3
R4 R5
.4
R6 R5
CE1
PE1
PE2
CE2
44
MPLS VPN Troubleshooting: Example Debugging Control plane

PE1#debug ip bgp vpnv4 unicast updates BGP updates debugging is on for address family: VPNv4 Unicast PE1#show debug IP routing: BGP updates debugging is on for address family: VPNv4 Unicast PE2#debug ip bgp vpnv4 unicast updates BGP updates debugging is on for address family: VPNv4 Unicast PE2#show debug IP routing: BGP updates debugging is on for address family: VPNv4 Unicast
CE1#debug ip routing IP routing debugging is on CE1#show debug IP routing: IP routing debugging is on 10.1.0.0/16
11.100.1.1/32 10.100.1.2/32
MPLS core
CE2#debug ip routing IP routing debugging is on CE2#show debug IP routing: IP routing debugging is on

10.100.1.4/32
10.100.1.3/32
Eth0/0 Eth0/0 .4 Eth1/0 .4
11.100.1.5/32
S2/0
S2/0 .2
S3/0
S3/0 .3
R1 R1
11.1.1.1/24
R2 R2
10.1.1.2/24
R3 R3
10.1.3.3/24 Eth1/0 10.1.4.3/24
S2/0
S2/0 11.1.2.5/24
R4 R5
.4
R6 R5
CE1
PE1
PE1#debug ip routing vrf one IP routing debugging is on for VRF one PE1#show debug IP routing: IP routing debugging is on for VRF one
PE2#debug ip routing vrf one IP routing debugging is on for VRF one PE2#show debug IP routing: IP routing debugging is on for VRF one
45
PE2
CE2
Summary
The Full Service Network: Integrated MPLS Technologies

Layer 3 Routing protocols available on PE-CE Static, RIP, OSPF, EIGRP, eBGP IP Services like NAT, DHCP can be configured on per-VPN basis on the PE router Traffic Engineering for Bandwidth protection and restoration
CE PE
IP/MPLS Backbone
Internet Gateway
Internet
CE CE Legend
QoS mechanisms like Queuing and Policing are configured at CE and PE routers
PE
Layer 3 VPN Layer 2 VPN Traffic Engineering
Layer 2 Circuits available Ethernet, ATM, Frame Relay, PPP, HDLC
CE
Layer 3 VPNs & Layer 2 VPNs, Traffic Engineering + QoS + IP Services

47
Polling Question 3
What Advanced MPLS topic are you interested in
a) MPLS Traffic Engineering.
b) Layer 2 VPN (AToM).

c) Multicast over MPLS (MVPN). d) MPLS QoS.
48
Submit Your Questions Now

Use the Q&A text box to submit your questions
49
Q&A
50
We Appreciate Your Feedback!

The first 5 listeners who fill out the Evaluation Survey will receive a free: $20 USD Gift Certificate
To complete the evaluation, please click on link provided in the chat.
51
If you have additional questions, you can ask them to Nagendra here:
https://supportforums.cisco.com/community/netpro/ask-theexpert He will be answering from August 17th to August 26th.
in Spanish
Topic: Firewall Service Module: Architecture and Operation
Tuesday, August 30th, at
7:00 a.m. Pacific (UTC -7)

9:00 a.m Mexico city (UTC -7) 4:00 p.m Madrid (UTC +2)
Join Security CCIE and Certified Ethical Hacker from ECCouncil Ivan Martin from HTTS group in Latin America He will talk about the architecture, operation and
configuration of the Firewall Service Modules, as well as Firewall technologies in general.

During this interactive session you will be able ask all your questions related to this topic.
Register for this live Webcast at

http://bitly.com/webcast_registration
53
Topic: Things I Can Do to Protect My Network from Getting Hacked

Tuesday, September 13th, at
8:00 a.m. Pacific Time 6:00 p.m. CEST Brussels (UTC +2), 11:00 a.m. EDT New York (UTC -4).
Join double CCIE, Technical Leader Jazib Frahim from RTP. He will provide reasons why enterprise network segments get compromised despite their state-of-the-art network security technologies and products that are deployed.
During this interactive session you will be able ask all your questions related to this topic.
Register for this live Webcast at

www.CiscoLive.com/ATE
54
If you speak Polish, Japanese, or Spanish, we invite you to ask your questions and collaborate in your language.
Spanish https://supportforums.cisco.com/community/spanish
Polish https://supportforums.cisco.com/community/ etc/netpro-polska

Japanese https://supportforums.cisco.com/community/csc-japan Were also running a pilot for Russian and Portuguese. You can register at the following links Russian:
https://www.ciscofeedback.vovici.com/se.ashx?s=6A5348A712220E19
Portuguese:
https://www.ciscofeedback.vovici.com/se.ashx?s=6A5348A77EE5C0B7
55
Thank You for Your Time

Please Take a Moment to Complete the Evaluation

CSC Webcast Aug 17 MPLS VPN Nagendra Presentation

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

CSC Webcast Aug 17 MPLS VPN Nagendra Presentation

Hochgeladen von

Copyright:

Verfügbare Formate

Thank you for joining us today

Introduction to MPLS VPN

Question & Answer

You will not hear audio till the Event Starts

This is located in the bottom right hand corner of the consol

We will begin at 4:00 am Pacific Daylight Time (San Francisco, GMT-07:00)

Introduction to MPLS VPN

Cisco Support Community Expert Series Webcast

Thank You for Joining Us Today

2011 Cisco and/or its affiliates. All rights reserved.

Thank You for Joining Us Today

2011 Cisco and/or its affiliates. All rights reserved.

b) I theoretically know MPLS VPN, but no practical experience.

2011 Cisco and/or its affiliates. All rights reserved.

Submit Your Questions Now

2011 Cisco and/or its affiliates. All rights reserved.

Introduction to MPLS VPN

Data Plane Functionality

MPLS VPN Troubleshooting Overview

2011 Cisco and/or its affiliates. All rights reserved.

What Is a Virtual Private Network?

Flexible inter-site connectivity

Sites may be either within the same or in different organizations

Site may be in more than one VPN

Not all sites have to be connected to the same service provider

2011 Cisco and/or its affiliates. All rights reserved.

2011 Cisco and/or its affiliates. All rights reserved.

IP L3 vs. MPLS L3 VPNs

2011 Cisco and/or its affiliates. All rights reserved.

MPLS VPN Architecture

Layer 3 MPLS Backbone VRF interface

Provider (P) LSRs

MPLS VPN Building Blocks

VRF (Virtual Routing/Forwarding) context to keep VPNs seperate

RD attached to prefixes to make VPN prefixes unique

2011 Cisco and/or its affiliates. All rights reserved.

Each protocol needs to be VRF-aware when running across VRF interface

2011 Cisco and/or its affiliates. All rights reserved.

VRF Routing Tables

VRF one two

PE1#show ip vrf Name one three two

Default RD 1:1 3.3.3.3:3 1:2

Interfaces Se2/0 Lo999

2011 Cisco and/or its affiliates. All rights reserved.

Serial3/0 Ethernet0/0 Serial2/0 Serial3/0 Ethernet0/0

VPN Route Distinguisher

2011 Cisco and/or its affiliates. All rights reserved.

2011 Cisco and/or its affiliates. All rights reserved.

ip vrf A rd 1:1 route-target export 1:1 route-target import 1:1

Provider Equipment (PE)

Provider Equipment (PE)

ip vrf A rd 1:1 route-target export 1:1 route-target import 1:1

Customer Equipment (CE)

Provider Equipment (PE)

Provider Equipment (PE)

Customer Equipment (CE)

c) I have BGP running in my network and work on it on a daily basis.

2011 Cisco and/or its affiliates. All rights reserved.

Address-family (AF) vpnv4 is used Label is automatically advertised in AF vpnv4

2011 Cisco and/or its affiliates. All rights reserved.

Multiprotocol BGP exchanging vpnv4 prefixes + MPLS label (VPN label)

Provider Equipment (PE1)

A label distribution protocol (LDP, RSVP for MPLS TE) + IGP