
Deploying MPLS VPN Networks

BRKIPM-2001

Rajiv Asati

2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

Abstract
Multi-Protocol Label Switching (MPLS) has been widely adopted by network operators to provide scalable L2 VPN, L3 VPN, traffic engineering and other services. Enterprises are fast adopting the technology to address network segmentation and traffic separation needs. This session covers MPLS Layer 3 VPN, the most widely deployed MPLS application. The session covers:
  MPLS VPN technology overview (RFC 2547 / RFC 4364)
  MPLS VPN configuration overview
  MPLS VPN based services (multihoming, hub and spoke, extranet, Internet access, NAT, VRF-lite, etc.)

Other MPLS Related Sessions
BRKIPM-2002 Deploying MPLS Traffic Engineering
BRKIPM-2003 Inter-AS MPLS Solutions
BRKIPM-3017 Advanced MPLS Designs
BRKIPM-3009 Advanced Topics and Future Directions in MPLS

Agenda
MPLS VPN Explained
MPLS VPN Services
Best Practices
Conclusion

Prerequisites
MUST understand basic IP routing, especially BGP
MUST understand MPLS basics (push, pop, swap, label stacking)
SHOULD understand MPLS VPN basics
MUST keep the speaker engaged by asking bad questions

Terminology
LSR: Label switch router
LSP: Label switched path; the chain of labels that are swapped at each hop to get from one LSR to another
VRF: VPN routing and forwarding; the mechanism in Cisco IOS used to build a per-customer RIB and FIB
MP-BGP: Multiprotocol BGP
PE: Provider edge router; interfaces with CE routers
P: Provider (core) router, without knowledge of VPNs
VPNv4: Address family used in BGP to carry MPLS VPN routes
RD: Route distinguisher; distinguishes the same network/mask prefix in different VRFs
RT: Route target; extended community attribute used to control import and export policies of VPN routes
LFIB: Label forwarding information base
FIB: Forwarding information base

Agenda
MPLS VPN Explained
  Technology
  Configuration
MPLS VPN Services
Best Practices
Conclusion

MPLS VPN Technology
Control plane: VPN route propagation
Data plane: VPN packet forwarding

MPLS VPN Technology: MPLS VPN Connection Model
[Diagram: PE routers at the edge of the MPLS backbone, P routers in the core, MP-iBGP session between the PE routers]
PE routers
  Edge routers
  Use MPLS with P routers
  Use IP with CE routers
  Connect to both CE and P routers
  Distribute VPN information through MP-BGP to other PE routers as VPN-IPv4 addresses, extended communities and labels
P routers
  P routers are in the core of the MPLS cloud
  P routers do not need to run BGP and do not need any VPN knowledge
  Forward packets by looking at labels
  P and PE routers share a common IGP

MPLS VPN Technology: Separate Routing Tables at PE
[Diagram: CE1 (VPN 1) and CE2 (VPN 2) attached to one PE; MPLS backbone running an IGP (OSPF, IS-IS)]
Customer-specific routing table
  Routing table (RIB) and forwarding table (CEF) dedicated to the customer
  Blue (VPN 1) routing table, Green (VPN 2) routing table
  show ip route vrf <name>
Global routing table
  Populated by OSPF, IS-IS etc. inside the MPLS backbone
  show ip route
Flexibility exists to create a per-interface (or per-CE) routing table

MPLS VPN Technology: Virtual Routing and Forwarding Instance (1)
[Diagram: VRF Blue (VPN 1) and VRF Green (VPN 2) on the PE; PE-CE routing via eBGP, OSPF, RIPv2 or static; MPLS backbone IGP (OSPF, IS-IS)]
What is a VRF?
  Each VPN customer is associated with at least one VRF. Think of the VRF as the representation of the VPN inside the network.
  A VRF must be defined on the PE and associated with one or more interfaces
    This privatizes the interface, i.e. colors the interface
  Each VRF has a dedicated routing table and forwarding table, and a dedicated instance of the routing protocol (static, RIP, BGP, EIGRP, OSPF)
    The PE runs VRF-aware routing protocols
  No changes are needed at the CE
    The CE router runs whatever software it already runs
    PE(config)#ip vrf v1

MPLS VPN Technology: Virtual Routing and Forwarding Instance (2)
[Diagram: VPN 1 and VPN 2 CEs attached to the PE; PE-CE routing via eBGP, OSPF, RIPv2 or static; MPLS backbone IGP (OSPF, IS-IS)]
PE installs the routes learned from CE routers in the appropriate VRF routing table(s)
PE installs the IGP (backbone) routes in the global routing table
VPN customers can use overlapping IP addresses
BGP plays a key role. Let's understand a few specifics.

MPLS VPN Technology: Control Plane
The control plane for MPLS VPN is Multiprotocol BGP.
[VPNv4 NLRI: RD (8 bytes, e.g. 1:1) + IPv4 prefix (4 bytes, e.g. 10.1.1.0); carried together with a Route-Target (8 bytes) and a Label (3 bytes)]
MP_REACH_NLRI attribute within the MP-BGP UPDATE message
BGP customizes the routing information as per the VRF (or with information from the VRF):
  Route Distinguisher (RD): makes the VPNv4 route
  Route Target (RT)
  Label

MPLS VPN Control Plane: MP-BGP Update Components: VPNv4 Address
[VPNv4 NLRI: RD 1:1 (8 bytes) + IPv4 prefix 10.1.1.0 (4 bytes); Route-Target (8 bytes); Label (3 bytes)]
MP-iBGP update with RD, RT and label
To convert an IPv4 address into a VPNv4 address, the RD is prepended to the IPv4 address, i.e. 1:1:10.1.1.0
  Makes the customer's IPv4 route globally unique
Each VRF should* be configured with an RD at the PE
  The RD is what defines the VRF in BGP
    ip vrf v1
     rd 1:1
* After 12.4(3)T, 12.4(3), 12.2(32)S, 12.0(32)S etc., RD configuration within the VRF has become optional. Prior to that, it was mandatory.

MPLS VPN Control Plane: MP-BGP Update Components: Route-Target
[VPNv4 NLRI: RD 1:1 + IPv4 prefix 10.1.1.0; Route-Target 2:2 (8 bytes); Label (3 bytes)]
MP-iBGP update with RD, RT and label
Route-target (RT): identifies the VRF(s) that should receive the VPNv4 prefix. It is an 8-byte extended community (a BGP attribute)
Each VRF is configured with RT(s) at the PE
  The RT colors the prefix
    ip vrf v1
     route-target import 1:1
     route-target export 1:2

MPLS VPN Control Plane: MP-BGP Update Components: Label
[VPNv4 NLRI: RD 1:1 + IPv4 prefix 10.1.1.0; Route-Target 2:2; Label 50 (3 bytes)]
MP-iBGP update with RD, RT and label
The label (for the VPNv4 prefix) is assigned only by the PE whose address is the next-hop attribute
  PE routers rewrite the next-hop with their own address (loopback); next-hop-self towards MP-iBGP neighbors by default
PE addresses used as BGP next-hop must be uniquely known in the backbone IGP
  Do not summarize the PE loopback addresses in the core: a summary breaks the end-to-end LSP to the PE loopback, so the packet arrives at the summarizing router with only the VPN label, which means nothing there

MPLS VPN Control Plane: Putting It All Together (1)
[Diagram: Site 1 (10.1.1.0/24) - CE1 - PE1 - MPLS backbone - PE2 - CE2 - Site 2. CE1 advertises 10.1.1.0/24 with next-hop CE1 to PE1; PE1 sends an MP-iBGP update RD:10.1.1.0, next-hop PE1, RT Green, label 100]
1. PE1 receives an IPv4 update (eBGP/OSPF/IS-IS/RIP/EIGRP)
2. PE1 translates it into a VPNv4 address
  Assigns an RT per the VRF configuration
  Rewrites the next-hop attribute to itself
  Assigns a label based on the VRF and/or interface
3. PE1 sends the MP-iBGP update to other PE routers

MPLS VPN Control Plane: Putting It All Together (2)
[Diagram: same topology; PE2 receives the MP-iBGP update RD:10.1.1.0, next-hop PE1, RT Green, label 100 and advertises 10.1.1.0/24 with next-hop PE2 to CE2]
4. PE2 receives the update and checks whether the RT (Green, say 40:103) is locally configured as an import RT within any VRF; if yes, then
5. PE2 translates the VPNv4 prefix back into an IPv4 prefix
  Installs the prefix into the VRF routing table
  Updates the VRF CEF table with label 100 for 10.1.1.0/24
  Advertises this IPv4 prefix to CE2 (using eBGP/RIP/OSPF/IS-IS/EIGRP)
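The update components described on the last few slides, as an added worked example in Python (not part of the original deck): it packs and unpacks the VPNv4 NLRI the way MP-BGP carries it (RFC 4364 section 4.3.4: a length in bits, the 3-byte label with the bottom-of-stack bit set, the 8-byte RD, then only as many prefix bytes as the mask needs), packs the route-target as a two-octet-AS extended community, and then performs PE2's step 4 and 5 import decision. Because the RD is part of the NLRI, the same customer prefix with a different RD is a different route to BGP. The PE1 next-hop 192.0.2.1 and PE2's import RTs (40:103 for Green, 40:104 for Blue) are constructed sample values, not from the deck.

```python
# Added example: VPNv4 NLRI encoding/decoding and the RT-driven import step.
# Not from the original deck. Sample next-hop and RT values are constructed.
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Route distinguisher as 8 bytes: 'ASN:nn' is type 0, 'A.B.C.D:nn' is type 1."""
    admin, assigned = rd.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def decode_rd(raw: bytes) -> str:
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 1:
        ip, assigned = struct.unpack("!4sH", raw[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{assigned}"
    asn, assigned = struct.unpack("!HI", raw[2:8])
    return f"{asn}:{assigned}"


def encode_vpnv4_nlri(rd: str, prefix: str, label: int) -> bytes:
    """length(bits) | label (20 bits, EXP 0, BoS=1) | RD | prefix bytes."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    label_field = (label << 4) | 0x1
    body = label_field.to_bytes(3, "big") + encode_rd(rd) + net.network_address.packed[:nbytes]
    return bytes([24 + 64 + net.prefixlen]) + body


def decode_vpnv4_nlri(raw: bytes):
    """Return (rd, prefix, label, bytes_consumed) for the NLRI starting at raw[0]."""
    bits = raw[0]
    label = int.from_bytes(raw[1:4], "big") >> 4
    rd = decode_rd(raw[4:12])
    plen = bits - 24 - 64
    nbytes = (plen + 7) // 8
    addr = ipaddress.IPv4Address(raw[12:12 + nbytes] + b"\x00" * (4 - nbytes))
    return rd, f"{addr}/{plen}", label, 12 + nbytes


def encode_rt(rt: str) -> bytes:
    """Route-target extended community, two-octet AS form (type 0x00, subtype 0x02)."""
    asn, assigned = rt.split(":")
    return struct.pack("!BBHI", 0x00, 0x02, int(asn), int(assigned))


def decode_rt(raw: bytes) -> str:
    _, subtype, asn, assigned = struct.unpack("!BBHI", raw)
    if subtype != 0x02:
        raise ValueError("not a route-target extended community")
    return f"{asn}:{assigned}"


def import_into_vrfs(update: dict, vrfs: dict) -> dict:
    """PE2, steps 4 and 5: a VRF imports the route only if one of its import RTs
    matches an RT carried by the update; the RD is stripped and the IPv4 prefix
    is installed with the received VPN label and BGP next-hop."""
    rd, prefix, label, _ = decode_vpnv4_nlri(update["nlri"])
    comm = update["ext_comm"]
    carried = {decode_rt(comm[i:i + 8]) for i in range(0, len(comm), 8)}
    installed = {}
    for name, import_rts in vrfs.items():
        if carried & set(import_rts):
            installed[name] = {"prefix": prefix, "next_hop": update["next_hop"],
                               "label": label, "rd": rd}
    return installed


# Constructed sample: PE1 advertises Site 1's 10.1.1.0/24 from VRF v1 (RD 1:1)
# with VPN label 100 and RT 40:103, as on the slides; the next-hop loopback
# 192.0.2.1 and PE2's import RTs below are assumed values.
PE1_UPDATE = {
    "next_hop": "192.0.2.1",
    "nlri": encode_vpnv4_nlri("1:1", "10.1.1.0/24", 100),
    "ext_comm": encode_rt("40:103"),
}
PE2_VRFS = {"green": ["40:103"], "blue": ["40:104"]}

if __name__ == "__main__":
    print("NLRI on the wire:", PE1_UPDATE["nlri"].hex())
    print("Installed at PE2:", import_into_vrfs(PE1_UPDATE, PE2_VRFS))
```

Running it shows the 15-byte NLRI for 1:1:10.1.1.0/24 with label 100 and that only VRF green installs the route; change the carried RT to 40:104 and the same update lands in blue instead, which is exactly the mechanism the hub-and-spoke and extranet services later in the deck rely on.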

MPLS VPN Technology: Forwarding Plane (1)
[Diagram: Site 1 (10.1.1.0/24) - CE1 - PE1 - P routers (P1 to P4) - PE2 - CE2 - Site 2]
Forwarding state used for traffic from Site 2 towards 10.1.1.0/24:
  VRF Green forwarding table at PE2: 10.1.1.0/24 via PE1, VPN label 100
  Global forwarding table at PE2: PE1 via the next-hop P router, LDP label 50
  Global forwarding table at that P router: PE1 via the next P router, LDP label 25
Global forwarding table (show ip cef)
  PE routers store IGP routes and the associated labels
  Labels distributed through LDP/TDP
VRF forwarding table (show ip cef vrf <vrf>)
  PE routers store VPN routes and the associated labels
  Labels distributed through MP-BGP

MPLS VPN Technology: Forwarding Plane (2)
[Diagram: CE2 sends an IP packet to 10.1.1.1; PE2 sends it into the backbone as an MPLS packet with label stack 50 / 100; the P router swaps the outer label so the stack becomes 25 / 100; PE1 receives the packet with only label 100 (the outer label was popped at the penultimate hop), removes it and delivers the IP packet to CE1]
PE2 imposes TWO labels on each packet going to the VPN destination 10.1.1.1
  Outer label is LDP learned and derived from an IGP route (the route to PE1's loopback)
  Inner label is learned via MP-BGP and corresponds to the VPN address
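The label operations on this slide, as an added worked example in Python (not part of the original deck): it encodes the 32-bit label stack entry (label, EXP, bottom-of-stack bit, TTL), lets the ingress PE impose the two-label stack from its VRF and global forwarding tables, and walks the packet through constructed per-node LFIBs that swap, pop (penultimate hop) and finally use the bottom-of-stack VPN label to select the VRF. The node names PE2, P1, P2, PE1, the labels 100/50/25 and the sample packet are taken from or constructed to match the slides; the per-node tables are assumptions.

```python
# Added example: MPLS shim-header encoding and the push/swap/pop sequence of
# the slide. Not from the original deck; the per-node forwarding state and the
# sample packet are constructed from the values on the slides.
import ipaddress
import struct

# Constructed stand-in for the IPv4 packet CE2 sends to 10.1.1.1 (not a full header).
IP_PACKET = b"IPv4 packet to 10.1.1.1"


def shim(label: int, exp: int = 0, bos: int = 0, ttl: int = 255) -> bytes:
    """One 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8) (RFC 3032)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_shim(entry: bytes):
    v = struct.unpack("!I", entry[:4])[0]
    return v >> 12, (v >> 9) & 0x7, (v >> 8) & 0x1, v & 0xFF


def longest_match(fib: dict, dst_ip: str):
    dst = ipaddress.IPv4Address(dst_ip)
    best = max((p for p in fib if dst in ipaddress.IPv4Network(p)),
               key=lambda p: ipaddress.IPv4Network(p).prefixlen)
    return fib[best]


def pe_impose(vrf_fib: dict, global_fib: dict, dst_ip: str, ip_packet: bytes):
    """Ingress PE: the VRF lookup yields (BGP next-hop PE, VPN label); the global
    lookup of that PE's loopback yields (IGP next-hop, LDP label). The VPN label
    goes at the bottom of the stack (S=1), the LDP label on top."""
    egress_pe, vpn_label = longest_match(vrf_fib, dst_ip)
    igp_next_hop, ldp_label = global_fib[egress_pe]
    return igp_next_hop, shim(ldp_label) + shim(vpn_label, bos=1) + ip_packet


def lsr_forward(lfib: dict, packet: bytes):
    """One label-switching step on the top label: swap, pop (PHP) or, at the
    egress PE, use the bottom-of-stack VPN label to pick the VRF and interface."""
    label, exp, bos, ttl = parse_shim(packet)
    if ttl <= 1:
        raise ValueError("MPLS TTL expired")
    action = lfib[label]
    if action[0] == "swap":
        _, out_label, next_hop = action
        return next_hop, shim(out_label, exp, bos, ttl - 1) + packet[4:]
    if action[0] == "pop":                      # penultimate hop popping
        _, next_hop = action
        return next_hop, packet[4:]
    if action[0] == "vrf":
        if not bos:
            raise ValueError("VPN label must be bottom of stack")
        _, vrf_name, ce = action
        return (vrf_name, ce), packet[4:]       # plain IP packet handed to the VRF
    raise KeyError(label)


# Forwarding state from the slides (labels 100, 50, 25) on the path
# PE2 -> P1 -> P2 -> PE1, with P2 doing the penultimate hop pop (assumed).
PE2_VRF_GREEN = {"10.1.1.0/24": ("PE1", 100)}
PE2_GLOBAL = {"PE1": ("P1", 50)}
LFIBS = {
    "P1": {50: ("swap", 25, "P2")},
    "P2": {25: ("pop", "PE1")},
    "PE1": {100: ("vrf", "green", "CE1")},
}


def deliver(dst_ip: str, ip_packet: bytes):
    """Walk the packet from PE2 to the egress VRF. Returns the list of
    (node, top label seen there) and the final (vrf, CE, ip_packet)."""
    hops = []
    node, packet = pe_impose(PE2_VRF_GREEN, PE2_GLOBAL, dst_ip, ip_packet)
    while True:
        hops.append((node, parse_shim(packet)[0]))
        out, packet = lsr_forward(LFIBS[node], packet)
        if isinstance(out, tuple):
            return hops, (out[0], out[1], packet)
        node = out


if __name__ == "__main__":
    print(deliver("10.1.1.1", IP_PACKET))
```

The trace shows why the P routers never need VPN knowledge: P1 and P2 only ever look at the top label, and the VPN label 100 is first examined at PE1, where it selects VRF green. Removing the "pop" entry at P2 (no PHP) would make PE1 receive label 25 on top, which is the situation a summarized PE loopback creates at the wrong router.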



MPLS VPN Sample Configuration (IOS)
VRF definition at PE1 (Site 1, 10.1.1.0/24; CE1 on Serial0, PE side 192.168.10.1):
    ip vrf VPN-A
     rd 1:1
     route-target export 100:1
     route-target import 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
Note: apply ip vrf forwarding before the ip address; IOS removes an existing address from the interface when it is moved into a VRF.
PE-P configuration at PE1 (Serial1 towards the P router):
    router ospf 1
     network 130.130.1.0 0.0.0.3 area 0
    !
    interface Serial1
     ip address 130.130.1.1 255.255.255.252
     mpls ip

MPLS VPN Sample Configuration (IOS)
PE: MP-iBGP (PE1 peering with the route reflector 1.2.3.4):
    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.4 activate
      neighbor 1.2.3.4 send-community both
    !
RR: MP-iBGP (RR peering with PE 1.2.3.6):
    router bgp 1
     no bgp default route-target filter
     neighbor 1.2.3.6 remote-as 1
     neighbor 1.2.3.6 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.6 route-reflector-client
      neighbor 1.2.3.6 activate
    !
Note: no bgp default route-target filter is needed on the RR because it has no VRFs; without it the RR would discard every VPNv4 route whose RT is not imported locally.

MPLS VPN Sample Configuration (IOS)
PE-CE with BGP (Site 1, 10.1.1.0/24; CE1 192.168.10.2, PE1 192.168.10.1):
    router bgp 1
     !
     address-family ipv4 vrf VPN-A
      neighbor 192.168.10.2 remote-as 2
      neighbor 192.168.10.2 activate
     exit-address-family
    !
PE-CE with OSPF:
    router ospf 1
    !
    router ospf 2 vrf VPN-A
     network 192.168.10.0 0.0.0.255 area 0
     redistribute bgp 1 subnets
    !

MPLS VPN Sample Configuration (IOS)
PE-CE with RIP (Site 1, 10.1.1.0/24; CE1 192.168.10.2, PE1 192.168.10.1):
    router rip
     !
     address-family ipv4 vrf VPN-A
      version 2
      no auto-summary
      network 192.168.10.0
      redistribute bgp 1 metric transparent
    !
PE-CE with EIGRP:
    router eigrp 1
     !
     address-family ipv4 vrf VPN-A
      no auto-summary
      network 192.168.10.0 0.0.0.255
      autonomous-system 1
      redistribute bgp 1 metric 100000 100 255 1 1500
    !

MPLS VPN Sample Configuration (IOS)
PE-CE with a static route (Site 1, 10.1.1.0/24; CE1 192.168.10.2, PE1 192.168.10.1):
    ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
If the PE-CE protocol is not BGP, then redistribution of the other sites' VPN routes from MP-iBGP into the PE-CE protocol is required (shown below for RIP):
PE-CE: MP-iBGP routes to the VPN site
    router rip
     address-family ipv4 vrf VPN-A
      version 2
      redistribute bgp 1 metric transparent
      no auto-summary
      network 192.168.10.0
     exit-address-family

MPLS VPN Sample Configuration (IOS)
If the PE-CE protocol is not BGP, then redistribution of the local VPN routes into MP-iBGP is also required (shown below):
PE-RR: VPN routes to VPNv4
    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback 0
     !
     address-family ipv4 vrf VPN-A
      redistribute {rip|connected|static|eigrp|ospf}
For config hands-on, please attend the Configuring MPLS VPNs (LABCRT-2208) session. Having familiarized ourselves with the IOS based config, let's glance through the IOX (IOS XR) based config for VPNs.

MPLS VPN Sample Configuration (IOX)
VRF definition and interface at PE1 (Site 1, 10.1.1.0/24; Serial0 192.168.10.1):
    vrf VPN-A
     address-family ipv4 unicast
      import route-target 100:1
      export route-target 100:1
      export route-policy raj-exp
    !
    interface Serial0
     vrf VPN-A
     ipv4 address 192.168.10.1/24
PE-CE with BGP (CE1 192.168.10.2):
    router bgp 1
     vrf VPN-A
      rd 1:1
      bgp router-id 192.168.10.1
      address-family ipv4 unicast
       redistribute connected
      !
      neighbor 192.168.10.2
       remote-as 2
       address-family ipv4 unicast
        route-policy raj-temp in
Note: in IOS XR an eBGP neighbor accepts no routes until an inbound route-policy (here raj-temp) is attached; the RD is configured under router bgp rather than under the vrf definition.

Agenda
MPLS VPN Explained
MPLS VPN Services
  1. Providing load-shared traffic to the multihomed VPN sites
  2. Providing hub and spoke service to the VPN customers
  3. Providing MPLS VPN extranet service
  4. Providing Internet access service to VPN customers
  5. Providing VRF-selection based services
  6. Providing remote access MPLS VPN
  7. Providing VRF-aware NAT services
  8. Providing QoS service to VPNs
  9. Providing multicast service to VPNs
  10. Providing MPLS VPN over IP transport
  11. Providing multi-VRF CE service
Best Practices
Conclusion

MPLS VPN Services: 1. Load Sharing for the VPN Traffic
[Diagram: Site A (171.68.2.0/24) with CE1 dual-attached to PE11 and PE12; route reflector RR; PE2 and CE2 at Site B; route advertisements from Site A cross the MPLS backbone]
VPN sites (such as Site A) could be multihomed
The VPN customer may demand that traffic to the multihomed site be load-shared

MPLS VPN Services: 1. Load Sharing for the VPN Traffic: Cases
[Diagram, case 1 (one CE, two PEs): CE1 at Site A (171.68.2.0/24) attached to both PE11 and PE12; traffic from Site B (PE2/CE2) flows across the MPLS backbone over both PEs]
[Diagram, case 2 (two CEs, two PEs): two CEs at Site A, each attached to its own PE (PE11 and PE12), both advertising 171.68.2.0/24]

MPLS VPN Services: 1. Load Sharing for the VPN Traffic: Deployment
How to deploy the load sharing?
  Configure a unique RD per VRF per PE for the multihomed site/interfaces
  Enable BGP multipath within the relevant BGP VRF address-family at the remote/receiving PE2 (why PE2? because PE2 is the router that selects among the paths towards Site A and installs them in its VRF forwarding table)
PE11:
    ip vrf green
     rd 300:11
     route-target both 1:1
PE12:
    ip vrf green
     rd 300:12
     route-target both 1:1
PE2:
    ip vrf green
     rd 300:13
     route-target both 1:1
    !
    router bgp 1
     address-family ipv4 vrf green
      maximum-paths eibgp 2

MPLS VPN Services: 1. Load Sharing for the VPN Traffic
[Diagram: Site A (171.68.2.0/24) dual-attached via PE11 and PE12; RR; PE2/CE2 at Site B; route advertisements across the MPLS backbone]
If an RR exists in the network, then the RR must advertise all the BGP paths learned via PE11 and PE12 to the remote PE routers that are to select BGP multipaths
  Please note that without a unique RD per VRF per PE, the RR would advertise only one of the received paths for 171.68.2.0/24 to the other PEs: with the same RD the two advertisements are the same VPNv4 NLRI, so the RR runs best-path selection and reflects only the winner
Watch out for the increased memory consumption (within BGP) due to multipaths at the PEs
eiBGP multipath implicitly provides both eBGP and iBGP multipath for VPN paths

MPLS VPN Services: 1. VPN Fast Convergence: PE-CE Link Failure
[Diagram: Site A (171.68.2.0/24) with CE1 attached to PE11 and PE12; the PE11-CE1 link fails; VPN traffic from PE2/CE2 (Site B) still arrives at PE11 and is dropped]
In the classic case, PE11, upon detecting the PE-CE link failure, sends a BGP message to withdraw all the related VPN routes from the MPLS VPN network.
  This results in the remote PE routers selecting the alternate best path (if any), but until then they keep sending the MPLS VPN traffic to PE11, which keeps dropping the traffic.
IOS and IOX now incorporate a Fast Local Repair feature to reduce the loss due to a PE-CE link failure from seconds to milliseconds.

MPLS VPN Services: 1. VPN Fast Convergence: PE-CE Link Failure
[Diagram: same topology; after the PE11-CE1 link failure, PE11 redirects the VPN traffic to PE12, which forwards it to CE1]
This feature helps PE11 to reduce the traffic loss from seconds to milliseconds by redirecting the CE1-bound traffic to PE12 (with the right label), which forwards the traffic to CE1.
  PE11 reprograms the forwarding entry after selecting the alternate BGP best path (which is via PE12).
In parallel, PE11 sends the BGP withdraw message to the RR/PE2, which run the best-path algorithm, remove the path learned via PE11 and then adjust their forwarding entries to point via PE12.
This feature is independent of whether multipath is enabled on PE2 or not; it does, however, depend on the VPN site being multihomed.

Agenda
MPLS VPN Explained
MPLS VPN Services
  1. Providing load-shared traffic to the multihomed VPN sites
  2. Providing hub and spoke service to the VPN customers
  3. Providing MPLS VPN extranet service
  4. Providing Internet access service to VPN customers
  5. Providing VRF-selection based services
  6. Providing remote access MPLS VPN
  7. Providing VRF-aware NAT services
  8. Providing QoS service to VPNs
  9. Providing multicast service to VPNs
  10. Providing MPLS VPN over IP transport
Best Practices
Conclusion

MPLS VPN Services: 2. Hub and Spoke Service to the VPN Customers
Traditionally, VPN deployments were hub and spoke, and for valid reasons some need to stay that way
  Spoke-to-spoke communication is via the hub site only
Despite the implicit any-to-any, i.e. full-mesh, connectivity of MPLS VPNs, a hub and spoke service can easily be offered
  Done with import and export of route-target (RT) values
PE routers can run any routing protocol with the VPN customer's hub and spoke sites independently

MPLS VPN Services: 2. Hub and Spoke Service: Configuration
Spoke A (171.68.1.0/24, CE-SA) on PE-SA:
    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2
Spoke B (171.68.2.0/24, CE-SB) on PE-SB:
    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2
PE-Hub, two VRFs on two sub-interfaces (Eth0/0.1 and Eth0/0.2) towards the hub CE:
    ip vrf HUB-OUT
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-IN
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2
Note: only the VRF configuration is shown here.

MPLS VPN Services: 2. Hub and Spoke Service: Configuration
If BGP is used between every PE and CE, then the as-override and allowas-in knobs must be used at PE-Hub*
  Otherwise AS_PATH loop detection drops the routes: a spoke route sent from HUB-OUT to the hub CE already carries the customer AS (the hub CE's own AS), so as-override replaces it with the provider AS; when the hub CE sends the route back into HUB-IN, the path now contains the provider AS, so allowas-in is needed for PE-Hub to accept it
If the spoke sites only need the default route from the hub site, then it is possible to use a single interface between PE-Hub and CE-Hub (instead of the two interfaces shown on the previous slide)
  Let the CE-Hub router advertise the default or aggregate
  Avoid generating a BGP aggregate at the PE
* The configuration for this is shown on the next slide

MPLS VPN Services: 2. Hub and Spoke Service: Configuration
Spoke A (171.68.1.0/24) on PE-SA:
    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2
Spoke B (171.68.2.0/24) on PE-SB:
    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2
PE-Hub:
    ip vrf HUB-OUT
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-IN
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2
    !
    router bgp <ASN>
     address-family ipv4 vrf HUB-OUT
      neighbor <CE> as-override
     !
     address-family ipv4 vrf HUB-IN
      neighbor <CE> allowas-in 2

MPLS VPN Services: 2. Hub and Spoke Service: Control Plane
MP-iBGP updates across the MPLS backbone:
  From PE-SA: 171.68.1.0/24, label 40, route-target 1:1
  From PE-SB: 171.68.2.0/24, label 50, route-target 1:1
  From PE-Hub (VRF HUB-IN): 171.68.0.0/16, label 35, route-target 2:2
VRF HUB-OUT FIB and LFIB at PE-Hub:
  Destination 171.68.1.0/24, next hop PE-SA, label 40
  Destination 171.68.2.0/24, next hop PE-SB, label 50
VRF HUB-IN FIB at PE-Hub:
  Destination 171.68.0.0/16, next hop CE-H1
VRF FIB and LFIB at PE-SA:
  Destination 171.68.0.0/16, next hop PE-Hub, label 35
  Destination 171.68.1.0/24, next hop CE-SA
VRF FIB and LFIB at PE-SB:
  Destination 171.68.0.0/16, next hop PE-Hub, label 35
  Destination 171.68.2.0/24, next hop CE-SB
(FIB: IP forwarding table; LFIB: MPLS forwarding table)
Two VRFs at PE-Hub:
  VRF HUB-OUT has knowledge of every spoke route
  VRF HUB-IN only has the 171.68.0.0/16 route and advertises that to the spoke PEs
Import and export route-targets within a spoke VRF must be different; if a spoke imported the RT it exports, it would learn the other spokes' routes directly and bypass the hub

MPLS VPN Services: 2. Hub and Spoke Service: Forwarding Plane
This is how spoke-to-spoke traffic flows (Spoke B, 171.68.2.0/24, sending to 171.68.1.1 in Spoke A):
  CE-SB sends the IP packet for 171.68.1.1 to PE-SB
  PE-SB (VRF green-spoke2) imposes the label stack L1 / 35 and forwards it across the MPLS backbone
  PE-Hub receives label 35, which belongs to VRF HUB-IN, and forwards the IP packet to the hub CE
  The hub CE routes the packet back to PE-Hub on the HUB-OUT interface
  PE-Hub (VRF HUB-OUT) imposes the label stack L2 / 40 towards PE-SA
  PE-SA receives label 40 and delivers the IP packet to CE-SA
L1 is the label to get to PE-Hub; L2 is the label to get to PE-SA

MPLS VPN Services: 2. Hub and Spoke Service: Half-Duplex VRF
Why do we need half-duplex VRF? If more than one spoke router (CE) connects to the same PE router within a single VRF, then such spokes can reach each other without needing the hub
  This defeats the purpose of doing hub and spoke
Half-duplex VRF is the answer.
  Half-duplex VRF is specific to the virtual-template*, i.e. dial users
  It requires two VRFs on the PE (spoke) router
    Upstream VRF for spoke -> hub communication
    Downstream VRF for spoke <- hub communication
* Being extended to other interfaces as well

MPLS VPN Services: 2. Hub and Spoke Service: Half-Duplex VRF
PE-SA (Spoke A 171.68.1.0/24 and Spoke B 171.68.2.0/24 terminated on virtual-template1):
    ip vrf red-vrf
     description VRF upstream flow
     rd 300:111
     route-target import 2:2
    !
    ip vrf blue-vrf
     description VRF downstream flow
     rd 300:112
     route-target export 1:1
    !
    interface virtual-template1
     ...
     ip vrf forwarding red-vrf downstream blue-vrf
PE-Hub:
    ip vrf HUB-OUT
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-IN
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2
Upstream VRF: red-vrf; downstream VRF: blue-vrf
PE-SA installs the spoke routes only in the downstream VRF, i.e. blue-vrf
PE-SA forwards the incoming IP traffic (from the spokes) using the upstream VRF, i.e. the red-vrf routing table


MPLS VPN Services: 3. Extranet VPN
MPLS VPN, by default, isolates one VPN customer from another
  Separate virtual routing table for each VPN customer
Communication between VPNs may be required, i.e. an extranet
  External inter-company communication (dealers with a manufacturer, retailer with a wholesale provider, etc.)
  Management VPN, shared-service VPN, etc.
Needs the right import and export route-target (RT) values configured within the VRFs
  An export map or import map should be used to limit the exchange to the intended prefixes

MPLS VPN Services: 3. Extranet VPN
Goal: only VPN_A Site#1 is to be reachable from VPN_B
[Diagram: VPN_A Site#1 (171.68.0.0/16) on PE1; VPN_B Site#1 (180.1.0.0/16) and VPN_A Site#2 (192.6.0.0/16) on PE2; P router in the MPLS backbone]
PE1 (VPN_A):
    ip vrf VPN_A
     rd 3000:111
     export map VPN_A_Export
     import map VPN_A_Import
     route-target import 3000:111
     route-target export 3000:111
     route-target import 3000:1
    !
    route-map VPN_A_Export permit 10
     match ip address 1
     set extcommunity rt 3000:2 additive
    !
    route-map VPN_A_Import permit 10
     match ip address 2
    !
    access-list 1 permit 171.68.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0
PE2 (VPN_B):
    ip vrf VPN_B
     rd 3000:222
     export map VPN_B_Export
     import map VPN_B_Import
     route-target import 3000:222
     route-target export 3000:222
     route-target import 3000:2
    !
    route-map VPN_B_Export permit 10
     match ip address 2
     set extcommunity rt 3000:1 additive
    !
    route-map VPN_B_Import permit 10
     match ip address 1
    !
    access-list 1 permit 171.68.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0
Only Site#1 of VPN_A and Site#1 of VPN_B communicate with each other; VPN_A Site#2 is not part of the extranet.
Note: the import map is applied to every route that passes the route-target import check, including routes carrying the VRF's own RT from other PEs, so in practice each import map also needs a clause permitting the VRF's own routes (e.g. match extcommunity with an ip extcommunity-list that permits rt 3000:111 for VPN_A); otherwise VPN_A Site#1 and Site#2 stop seeing each other.
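The hub-and-spoke VRFs in section 2 and the extranet VRFs above both come down to one question: which RTs does a prefix carry when it leaves its VRF, and which VRFs have a matching import RT and a permitting import map. The following Python is an added example (not part of the original deck) that models that policy so VRF definitions can be checked before they go on a PE; it reproduces the slides' RT values and prefixes for both services. The per-PE instances of VPN_A and the import-map clauses matching each VRF's own RT are assumptions added for the check; export and import maps are modelled as ordered clauses rather than parsed from IOS syntax.

```python
# Added example: route-target policy model for checking hub-and-spoke and
# extranet VRF definitions. Not from the original deck. Export/import maps are
# modelled as ordered clauses that match a prefix and/or a carried RT; an export
# clause may add RTs (IOS "set extcommunity rt ... additive").
import ipaddress


def _match(clause: dict, prefix: str, rts: set) -> bool:
    if "prefix" in clause and ipaddress.IPv4Network(prefix) != ipaddress.IPv4Network(clause["prefix"]):
        return False
    if "rt" in clause and clause["rt"] not in rts:
        return False
    return True


def export_rts(vrf: dict, prefix: str) -> set:
    """RTs attached to a prefix leaving this VRF: the static export RTs plus any
    RTs added by the first matching export-map clause."""
    rts = set(vrf.get("export", []))
    for clause in vrf.get("export_map", []):
        if _match(clause, prefix, rts):
            rts |= set(clause.get("add_rt", []))
            break
    return rts


def accepts(vrf: dict, prefix: str, rts: set) -> bool:
    """Import decision at the receiving PE: an import RT must match first; if an
    import map is configured, one of its clauses must then permit the route."""
    if not rts & set(vrf.get("import", [])):
        return False
    import_map = vrf.get("import_map")
    return import_map is None or any(_match(c, prefix, rts) for c in import_map)


def propagate(vrfs: dict, originated: dict) -> dict:
    """originated: {vrf_instance: [prefix, ...]} learned from its CE(s).
    Returns {vrf_instance: {prefix: origin_instance}} for routes imported from other instances."""
    learned = {name: {} for name in vrfs}
    for src, prefixes in originated.items():
        for prefix in prefixes:
            rts = export_rts(vrfs[src], prefix)
            for dst, vrf in vrfs.items():
                if dst != src and accepts(vrf, prefix, rts):
                    learned[dst][prefix] = src
    return learned


# Hub-and-spoke VRFs as on the slides (only RTs matter here; RDs omitted).
HUB_SPOKE = {
    "green-spoke1": {"export": ["1:1"], "import": ["2:2"]},
    "green-spoke2": {"export": ["1:1"], "import": ["2:2"]},
    "HUB-OUT": {"import": ["1:1"]},
    "HUB-IN": {"export": ["2:2"]},
}
HUB_SPOKE_ROUTES = {
    "green-spoke1": ["171.68.1.0/24"],
    "green-spoke2": ["171.68.2.0/24"],
    "HUB-IN": ["171.68.0.0/16"],          # the hub's aggregate towards the spokes
}

# Extranet VRFs as on the slides; VPN_A is instantiated once per PE so that the
# import map is also exercised for VPN_A's own inter-site routes. The clauses
# matching the VRF's own RT ("rt": "3000:111" / "3000:222") are an addition the
# slide's route-maps do not show.
_VPN_A = {
    "import": ["3000:111", "3000:1"], "export": ["3000:111"],
    "export_map": [{"prefix": "171.68.0.0/16", "add_rt": ["3000:2"]}],
    "import_map": [{"prefix": "180.1.0.0/16"}, {"rt": "3000:111"}],
}
EXTRANET = {
    "VPN_A@PE1": _VPN_A,
    "VPN_A@PE2": _VPN_A,
    "VPN_B@PE2": {
        "import": ["3000:222", "3000:2"], "export": ["3000:222"],
        "export_map": [{"prefix": "180.1.0.0/16", "add_rt": ["3000:1"]}],
        "import_map": [{"prefix": "171.68.0.0/16"}, {"rt": "3000:222"}],
    },
}
EXTRANET_ROUTES = {
    "VPN_A@PE1": ["171.68.0.0/16"],       # VPN_A Site#1
    "VPN_A@PE2": ["192.6.0.0/16"],        # VPN_A Site#2
    "VPN_B@PE2": ["180.1.0.0/16"],        # VPN_B Site#1
}

if __name__ == "__main__":
    for name, routes in propagate(HUB_SPOKE, HUB_SPOKE_ROUTES).items():
        print("hub-and-spoke", name, routes)
    for name, routes in propagate(EXTRANET, EXTRANET_ROUTES).items():
        print("extranet", name, routes)
```

For the hub-and-spoke case the model confirms that HUB-OUT learns both spoke prefixes while each spoke learns only the hub's 171.68.0.0/16, never the other spoke directly. For the extranet it confirms VPN_B learns only 171.68.0.0/16, but it also exposes an asymmetry the slide does not mention: VPN_A Site#2 imports 180.1.0.0/16 (the import map is per-VRF, not per-site), while VPN_B has no route back to 192.6.0.0/16, so traffic from Site#2 towards VPN_B is blackholed rather than blocked.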


MPLS VPN Services: 4. Internet Access Service to VPN Customers
Internet access service could be provided as another value-added service to VPN customers
Security mechanisms must be in place in both the provider network and the customer network
  To protect against Internet-borne threats, since a VRF that is given Internet access is no longer isolated from the global routing table
VPN customers benefit from a single point of contact for both intranet and Internet connectivity

MPLS VPN Services: 4. Internet Access: Different Methods of Service
Four ways to provide the Internet service:
  1. VRF-specific default route with the global keyword
  2. Separate PE-CE sub-interface (non-VRF)
  3. Extranet with an Internet VRF
  4. VRF-aware NAT

MPLS VPN Services: 4. Internet Access: Different Methods of Service
1. VRF-specific default route
  1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
  1.2 Static routes for the VPN customer prefixes to move traffic from the Internet (global routing table) into the VRF
2. Separate PE-CE sub-interface (non-VRF)
  May run BGP to propagate Internet routes between PE and CE
3. Extranet with an Internet VRF
  VPN packets never leave the VRF context; issue with overlapping VPN addresses
4. Extranet with an Internet VRF along with VRF-aware NAT
  VPN packets never leave the VRF context; works well with overlapping VPN addresses

MPLS VPN Services: 4.1 Internet Access: VRF-Specific Default Route
[Diagram: Site 1 (171.68.0.0/16) - CE1 - Serial0 - PE1 (192.168.1.2) - MPLS backbone - Internet ASBR / Internet GW (192.168.1.1) - Internet]
PE1:
    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
    !
    router bgp 100
     no bgp default ipv4-unicast
     redistribute static
     neighbor 192.168.1.1 remote-as 100
     neighbor 192.168.1.1 activate
     neighbor 192.168.1.1 next-hop-self
     neighbor 192.168.1.1 update-source loopback0
    !
    ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
    ip route 171.68.0.0 255.255.0.0 Serial0
A default route, pointing to the ASBR via the global routing table, is installed into the site VRF at each PE
The static route for the site prefix, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP

MPLS VPN Services: 4.1 Internet Access: VRF-Specific Default Route (Forwarding)
[Diagram: outbound, CE1 sends an IP packet for cisco.com to PE1; PE1 forwards it with label 30 across the MPLS backbone to the Internet GW (192.168.1.1), which sends it unlabeled to the Internet. Inbound, the Internet GW receives an IP packet for 171.68.1.1, sends it with label 35 to PE1 (192.168.1.2), and PE1 forwards it out Serial0 to Site 1]
Global routing/FIB table at PE1:
  192.168.1.1/32: label 30
  171.68.0.0/16: Serial0
Global table and LFIB at the Internet GW:
  192.168.1.2/32: label 35
  171.68.0.0/16: via 192.168.1.2
  Internet routes: Internet-facing interface
VRF routing/FIB table at PE1:
  0.0.0.0/0: 192.168.1.1 (global)
  Site 1 prefixes: Serial0
Advantages
  Different Internet gateways can be used for different VRFs
  PE routers need not hold the Internet table
  Simple configuration
Disadvantages
  Using the default route for Internet routing does not allow any other default route for intra-VPN routing
  Increases the size of the global routing table by leaking VPN routes into it
  Static configuration (possibility of traffic blackholing)


MPLS VPN Services: 4.2 Internet Access Service to VPN Customers Using a Separate Sub-Interface (Config)
[Diagram: Site 1 (171.68.0.0/16) - CE1 - Se0.1 (VRF) and Se0.2 (global, BGP-4) - PE1 (192.168.1.2) - MPLS backbone - Internet ASBR / Internet GW (192.168.1.1) - Internet]
PE1:
    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0.1
     ip vrf forwarding VPN-A
     ip address 192.168.20.1 255.255.255.0
     frame-relay interface-dlci 100
    !
    interface Serial0.2
     ip address 171.68.10.1 255.255.255.0
     frame-relay interface-dlci 200
    !
    router bgp 100
     no bgp default ipv4-unicast
     neighbor 171.68.10.2 remote-as 502
     neighbor 171.68.10.2 activate
One sub-interface for VPN routing, associated with the VRF
Another sub-interface for Internet routing, associated with the global routing table
Could advertise full Internet routes or a default route to the CE
The PE will need to advertise the VPN routes to the Internet (via the global routing table)
Note: with no bgp default ipv4-unicast, the Internet neighbor must be activated explicitly for IPv4 unicast, as shown.

MPLS VPN Services: 4.2 Internet Access Service to VPN Customers Using a Separate Sub-Interface (Forwarding)
[Diagram: CE1 routes VPN destinations out Serial0.1 and Internet destinations out Serial0.2; PE1 forwards the Internet-bound IP packet for cisco.com with label 30 to the PE Internet GW (192.168.1.1), which sends it unlabeled to the Internet]
CE routing table: VPN routes via Serial0.1, Internet routes via Serial0.2
PE global table and FIB: Internet routes via 192.168.1.1, label 30
Pros
  CE could dual-home and perform optimal routing
  Traffic separation done by the CE
Cons
  PE has to hold full Internet routes
  BGP complexity introduced in the CE; CE1 may need to aggregate to avoid AS_PATH looping

MPLS VPN Services: 4.3 Internet Access: Extranet with an Internet VRF
The Internet routes could be placed within a VRF at the Internet GW, i.e. the ASBR
Customer VRFs could extranet with the Internet VRF and receive either a default, partial or full Internet routes
Be careful if multiple customer VRFs at the same PE are importing full Internet routes: each VRF holds its own copy of the table
Works well only if the VPN customers do not have overlapping addresses

Internet Access Service
4.4 Internet Access Using VRF-Aware NAT

- If the VPN customers need Internet access without receiving Internet routes, VRF-aware NAT can be used at the Internet-GW, i.e. the ASBR
- The Internet GW doesn't need to hold Internet routes either
- Overlapping VPN addresses are no longer a problem
- More in the VRF-aware NAT slides

Agenda
MPLS VPN Explained
MPLS-VPN Services
 1. Providing Load-Shared Traffic to the Multihomed VPN Sites
 2. Providing Hub and Spoke Service to the VPN Customers
 3. Providing MPLS VPN Extranet Service
 4. Providing Internet Access Service to VPN Customers
 5. Providing VRF-Selection Based Services
 6. Providing Remote Access MPLS VPN
 7. Providing VRF-Aware NAT Services
 8. Providing QoS Service to VPNs
 9. Providing Multicast Service to VPNs
 10. Providing MPLS/VPN over IP Transport
Best Practices
Conclusion

MPLS VPN Service
5. VRF-Selection

- The common notion is that a single VRF must be associated to an interface
- VRF-selection breaks this association and enables associating multiple VRFs with one interface
- Each packet on the PE-CE interface could be handled via a different VRF routing table, based on certain criteria
 Criteria such as source/destination IP address, ToS, TCP port, etc., specified via a route-map
- Voice and data can be separated out into different VRFs at the PE; a service enabler

MPLS VPN Service
5. VRF-Selection: Based on Source IP Address

[Diagram (cable setup): CE1 - Se0/0 (global interface, 215.2.0.6) - PE1 - RR - MPLS Backbone (Cable Company) - PE2, with VRF interfaces into VPN Brown 33.3.0.0/16, VPN Blue 44.3.0.0/16 and VPN Green 66.3.0.0/16. Traffic flows shown from the sources 33.3.14.1, 44.3.12.1 and 66.3.1.25.]

PE1 configuration:
  interface Serial0/0
   ip address 215.2.0.6 255.255.255.252
   ip policy route-map PBR-VRF-Selection
   ip vrf receive brown
   ip vrf receive blue
   ip vrf receive green
  !
  access-list 40 permit 33.3.0.0 0.0.255.255
  access-list 50 permit 44.3.0.0 0.0.255.255
  access-list 60 permit 66.3.0.0 0.0.255.255
  !
  ip vrf brown
   rd 3000:111
   route-target export 3000:1
   route-target import 3000:1
  !
  ip vrf blue
   rd 3000:222
   route-target export 3000:2
   route-target import 3000:2
  !
  ip vrf green
   rd 3000:333
   route-target export 3000:3
   route-target import 3000:3
  !
  route-map PBR-VRF-Selection permit 10
   match ip address 40
   set vrf brown
  route-map PBR-VRF-Selection permit 20
   match ip address 50
   set vrf blue
  route-map PBR-VRF-Selection permit 30
   match ip address 60
   set vrf green
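As an added illustration (not Cisco's code and not part of the slide), the Python model below evaluates the slide's three ACLs and the PBR-VRF-Selection route-map the way the PE does on Serial0/0: IOS wildcard masks, clauses in sequence order, first match wins, and fall-back to the global routing table when nothing matches. The ip vrf receive lines are not modelled, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list <n> permit <network> <wildcard>' line. In an IOS wildcard
    mask a 1 bit means 'do not care', so 0.0.255.255 matches a whole /16."""
    network: str
    wildcard: str

    def matches(self, addr: str) -> bool:
        net = int(ipaddress.IPv4Address(self.network))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        ip = int(ipaddress.IPv4Address(addr))
        care = ~wc & 0xFFFFFFFF          # the bits that must be equal
        return (ip & care) == (net & care)


# access-list 40/50/60 exactly as on the slide
ACLS: Dict[int, List[AclEntry]] = {
    40: [AclEntry("33.3.0.0", "0.0.255.255")],   # VPN Brown
    50: [AclEntry("44.3.0.0", "0.0.255.255")],   # VPN Blue
    60: [AclEntry("66.3.0.0", "0.0.255.255")],   # VPN Green
}

# route-map PBR-VRF-Selection: (sequence, 'match ip address' ACL, 'set vrf')
ROUTE_MAP: List[Tuple[int, int, str]] = [
    (10, 40, "brown"),
    (20, 50, "blue"),
    (30, 60, "green"),
]


def select_vrf(src_ip: str,
               route_map: List[Tuple[int, int, str]] = ROUTE_MAP,
               acls: Dict[int, List[AclEntry]] = ACLS) -> Optional[str]:
    """Return the VRF chosen by the first matching permit clause, or None when no
    clause matches: PBR then leaves the packet to normal routing in the global
    table rather than dropping it."""
    for _seq, acl_num, vrf in sorted(route_map):
        if any(entry.matches(src_ip) for entry in acls[acl_num]):
            return vrf
    return None


def classify(packets: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (src, dst) pairs received on Serial0/0 by the table that will route them."""
    tables: Dict[str, List[str]] = {}
    for src, dst in packets:
        table = select_vrf(src) or "global"
        tables.setdefault(table, []).append(f"{src}->{dst}")
    return tables


if __name__ == "__main__":
    # Constructed sample: the three source addresses from the figure plus one that
    # matches no ACL and therefore stays in the global routing table.
    sample = [("33.3.14.1", "33.3.200.9"), ("44.3.12.1", "44.3.7.7"),
              ("66.3.1.25", "66.3.9.9"), ("198.51.100.5", "203.0.113.1")]
    for table, flows in classify(sample).items():
        print(f"{table:6s} {flows}")
```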


MPLS VPN Service
6. Remote Access Service

- Remote access users, i.e. dial users and IPSec users, could be terminated directly in a VRF
 PPP users can be terminated into VRFs
 IPSec tunnels can be terminated into VRFs
- Integration of remote access services with MPLS VPN opens up new opportunities for providers and VPN customers
 BRKSEC-3005 Deploying Remote-Access IPSec/SSL VPNs
 BRKSEC-3006 Deploying Site-to-site VPN with DMVPN
- Remote Access is not to be confused with GET VPN, which provides an any-to-any (CE-based) security service
 BRKSEC-2007 Site to Site VPN with GET VPN

MPLS VPN Service
6. Remote Access Service: IPSec to MPLS VPN

[Diagram: remote users/telecommuters at branch offices and SOHOs (Cisco IOS VPN routers or Cisco Client 3.x or higher) reach a local or direct-dial ISP, or a cable/DSL/ISDN ISP, over the Internet; the IPSec session terminates on a PE+IPSec aggregator in the SP shared network (with SP AAA), which maps it into VPN A, VPN B or VPN C on the IP/MPLS/Layer 2 based network; Customer A head office (with customer AAA) and Customer A branch office sit behind PEs, as do Customer B and Customer C. Packet path: IP - IPSec session - MPLS VPN - IP.]

The IKE_ID is used to map the IPSec tunnel to the VRF (within the ISAKMP profile).


MPLS-VPN Services
7. VRF-Aware NAT Services

- VPN customers could be using overlapping IP addresses, e.g. 10.0.0.0/8
- Such VPN customers must NAT their traffic before using Extranet, Internet or any shared* services
- The PE is capable of NATting the VPN packets, eliminating the need for an extra NAT device

* VoIP, Hosted Content, Management, etc.

MPLS-VPN Services
7. VRF-Aware NAT Services

- Typically, inside interface(s) connect to private address space and outside interface(s) connect to global address space
 NAT occurs after routing for traffic from inside to outside interfaces
 NAT occurs before routing for traffic from outside to inside interfaces
- Each NAT entry is associated with the VRF
- Works on VPN packets in the following switching paths: IP->IP, IP->MPLS and MPLS->IP

MPLS-VPN Services: 7. VRF-Aware NAT Services: Internet Access

[Diagram: Green VPN Site 10.1.1.0/24 - CE1 - PE11 and Blue VPN Site 10.1.1.0/24 - CE2 - PE12, both across the MPLS Backbone (P) to the PE-ASBR; the PE-ASBR's VRF-facing side is "ip nat inside" and its Internet-facing side (.1, next hop 217.34.42.2) is "ip nat outside".]

VRF-aware NAT specific configuration on the PE-ASBR:
  ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
  ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
  ip nat inside source list vpn-to-nat pool pool-green vrf green
  ip nat inside source list vpn-to-nat pool pool-blue vrf blue
  ip access-list standard vpn-to-nat
   permit 10.1.1.0 0.0.0.255
  ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
  ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global

VRF specific configuration on the PE-ASBR:
  ip vrf green
   rd 3000:111
   route-target both 3000:1
  ip vrf blue
   rd 3000:222
   route-target both 3000:2
  router bgp 3000
   address-family ipv4 vrf green
    network 0.0.0.0
   address-family ipv4 vrf blue
    network 0.0.0.0

MPLS-VPN Services: 7. VRF-Aware NAT Services: Internet Access

[Diagram of traffic flows: an IP packet Src=10.1.1.1 Dest=Internet from the Green VPN Site (CE1, PE11) crosses the MPLS Backbone as an MPLS packet with Label=30, and one from the Blue VPN Site (CE2, PE12) with Label=40; the PE-ASBR sends them to the Internet as IP packets with Src=24.1.1.1 and Src=25.1.1.1 respectively.]

- The PE-ASBR removes the label from the received MPLS packets per the LFIB
- It performs NAT on the resulting IP packets
- It forwards the packets to the Internet
- Returning packets are NATed, put back in the VRF context and then routed

NAT Table
  VRF IP Source   Global IP   VRF-Table-Id
  10.1.1.1        24.1.1.1    green
  10.1.1.1        25.1.1.1    blue

This is also one of the ways to provide Internet access to VPN customers, with or without overlapping addresses.
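An added Python model (not Cisco's code) of the PE-ASBR's VRF-aware NAT from this slide and the previous one: the pools and the ACL are the slide's; the label-to-VRF mapping (30 green, 40 blue) is read off the figure and assumed; skipping the pool prefix's .0 and .255 addresses is a model choice; the Internet address 198.51.100.7 in the sample is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NatPool:
    """'ip nat pool <name> <first> <last> prefix-length <len>'."""
    first: str
    last: str
    prefix_length: int = 24
    next_free: int = field(init=False)

    def __post_init__(self) -> None:
        self.next_free = int(ipaddress.IPv4Address(self.first))

    def allocate(self) -> str:
        """Hand out the next unused address. Skipping the prefix's network and
        broadcast addresses (.0 and .255 for a /24) is this model's choice; it
        makes the first allocation 24.1.1.1, as in the slide's NAT table."""
        last = int(ipaddress.IPv4Address(self.last))
        while self.next_free <= last:
            addr = ipaddress.IPv4Address(self.next_free)
            self.next_free += 1
            net = ipaddress.ip_network(f"{addr}/{self.prefix_length}", strict=False)
            if addr not in (net.network_address, net.broadcast_address):
                return str(addr)
        raise RuntimeError("NAT pool exhausted")


@dataclass
class VrfAwareNat:
    """NAT state of the PE-ASBR. Entries are keyed on (VRF, inside address), so
    10.1.1.1 in VRF green and 10.1.1.1 in VRF blue are two distinct entries."""
    pools: Dict[str, NatPool]           # 'ip nat inside source list vpn-to-nat pool <p> vrf <v>'
    inside_list: ipaddress.IPv4Network  # 'ip access-list standard vpn-to-nat'
    lfib: Dict[int, str]                # VPN label -> VRF, what the LFIB tells the ASBR
    inside_to_global: Dict[Tuple[str, str], str] = field(default_factory=dict)
    global_to_inside: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def to_internet(self, label: int, src: str, dst: str) -> Tuple[str, str]:
        """MPLS->IP path: the popped VPN label identifies the VRF, then the source
        is translated (NAT after routing). A source outside the NAT ACL is
        forwarded untranslated, which on a real PE leaks a private address: the
        ACL must cover every inside prefix of the VRF."""
        vrf = self.lfib[label]
        if ipaddress.IPv4Address(src) not in self.inside_list:
            return src, dst
        key = (vrf, src)
        if key not in self.inside_to_global:
            global_ip = self.pools[vrf].allocate()
            self.inside_to_global[key] = global_ip
            self.global_to_inside[global_ip] = key
        return self.inside_to_global[key], dst

    def from_internet(self, src: str, dst: str) -> Optional[Tuple[str, str, str]]:
        """IP->MPLS path: NAT before routing, so the global destination alone
        selects both the inside address and the VRF to route in. Returns
        (vrf, src, inside_dst), or None when no entry exists and the packet is dropped."""
        entry = self.global_to_inside.get(dst)
        if entry is None:
            return None
        vrf, inside_ip = entry
        return vrf, src, inside_ip

    def table(self) -> List[Tuple[str, str, str]]:
        """Rows of the slide's NAT table: (VRF IP source, global IP, VRF-Table-Id)."""
        return sorted((inside, glob, vrf)
                      for (vrf, inside), glob in self.inside_to_global.items())


def build_pe_asbr() -> VrfAwareNat:
    """Pools and ACL as on the slide; the label->VRF mapping (30 green, 40 blue)
    is an assumption read off the figure."""
    return VrfAwareNat(
        pools={"green": NatPool("24.1.1.0", "24.1.1.254"),
               "blue": NatPool("25.1.1.0", "25.1.1.254")},
        inside_list=ipaddress.ip_network("10.1.1.0/24"),
        lfib={30: "green", 40: "blue"},
    )


if __name__ == "__main__":
    nat = build_pe_asbr()
    internet_host = "198.51.100.7"   # constructed Internet destination
    print(nat.to_internet(30, "10.1.1.1", internet_host))   # green site
    print(nat.to_internet(40, "10.1.1.1", internet_host))   # blue site, same inside address
    print(nat.from_internet(internet_host, "25.1.1.1"))     # reply lands back in VRF blue
    for row in nat.table():
        print(*row)
```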


MPLS-VPN Services:
8. Providing QoS to VPN Customers

- VPN customers may want an SLA so that real-time, mission-critical and best-effort traffic is treated appropriately
- QoS can be applied to VRF interfaces just like any global interface; the same QoS mechanisms are applicable
- Remember that the IP Precedence bits are copied to the MPLS EXP bits (default behavior)
- MPLS Traffic Engineering could be used to provide bandwidth-on-demand or Fast Reroute to VPN customers
 BRKIPM-2002 Deploying MPLS Traffic Engineering
 BRKIPM-3017 Advanced MPLS Designs


MPLS-VPN Services:
9. Providing Multicast Service to VPNs

- Multicast VPN service is also available for deployment
 The current deployment model utilizes GRE encapsulation (not MPLS) within the SP network
- Multicast VPN also utilizes the existing 2547 infrastructure
- MPLS multicast, i.e. mLDP and P2MP TE, is not far away either
- Please see the following sessions for details on mVPN:
 BRKRST-2105 Inter-AS MPLS Solutions
 BRKIPM-3017 Advanced MPLS Designs

Agenda
MPLS VPN Explained
MPLS-VPN Services
 1. Providing Load-Shared Traffic to the Multihomed VPN Sites
 2. Providing Hub and Spoke Service to the VPN Customers
 3. Providing MPLS VPN Extranet Service
 4. Providing Internet Access Service to VPN Customers
 5. Providing VRF-Selection Based Services
 6. Providing Remote Access MPLS VPN
 7. Providing VRF-Aware NAT Services
 8. Providing QoS Service to VPNs
 9. Providing Multicast Service to VPNs
 10. Providing MPLS/VPN over IP Transport
 11. Providing Multi-VRF CE Service
Advanced MPLS VPN Topics
Best Practices
Conclusion

MPLS-VPN Services:
10. Providing MPLS/VPN over IP Transport

- MPLS/VPN (RFC 2547) can also be deployed over an IP transport
 No LDP or MPLS anywhere in the core; useful when the core (P) routers are not capable of MPLS
- In this mode, instead of using an MPLS tunnel to reach the next hop, an IP tunnel is used
 The IP tunnel could be L2TPv3, GRE, etc.
- Basically, the MPLS/VPN packet is encapsulated inside another IP header
- MPLS labels are still allocated for the VPN prefixes by the PE routers, and used only by the PE routers

MPLS-VPN Services:
10. Providing MPLS/VPN over IP Transport

2547 over L2TPv3 and 2547 over GRE:
- The ingress PE encapsulates the incoming IP packet (received on the VRF interface) into an MPLS packet and then encapsulates that MPLS packet inside the IP tunnel, such as an L2TPv3 tunnel
- The egress PE decapsulates the incoming L2TP packet and recirculates the resulting MPLS packet for usual MPLS packet forwarding
- Core routers forward the packet based on the IP header

MPLS-VPN Services:
10. Providing MPLS/VPN over IP Transport

[Diagram: CE - PE - IP/MPLS Network - PE - CE. The PE-to-PE tunnel carries MPLS/IP (2547 over an IP tunnel) across an IP Network, compared with MPLS/MPLS across an IP/MPLS Network.]

The IP tunnel could be a p2p or a multipoint tunnel.


MPLS-VPN Services:
11. Providing Multi-VRF CE Service

- Is it possible for an IP router to keep multiple customer connections separated? Yes, multi-VRF CE, aka VRF-lite, can be used
- Multi-VRF CE provides multiple virtual routing tables (and forwarding tables), one per customer, at the CE router
 Not a feature but an application based on the VRF implementation
 Any routing protocol that is supported by a normal VRF can be used in a multi-VRF CE implementation
- Note that no MPLS functionality is needed on the CE: there is no label exchange between the CE and any router (including the PE)
- One deployment model is to extend the VRFs to the CE; another is to extend them further inside the campus => virtualization. Campus virtualization blends really well with this.

MPLS-VPN Services:
11. Providing Multi-VRF CE Service
One Deployment Model: Extending MPLS/VPN to the CE

[Diagram: Campus - Multi-VRF CE Router (vrf green, vrf red) - sub-interface link* - PE Router - MPLS Network - PE Router - Campus, with vrf green and vrf red kept separate end to end.]

PE Router:
  ip vrf green
   rd 3000:111
   route-target both 3000:1
  ip vrf blue
   rd 3000:222
   route-target both 3000:2
  ip vrf red
   rd 3000:333
   route-target both 3000:3

Multi-VRF CE Router:
  ip vrf green
   rd 3000:111
  ip vrf blue
   rd 3000:222
  ip vrf red
   rd 3000:333

* Sub-interface link: any interface type that supports sub-interfaces, e.g. FE VLAN, Frame Relay, ATM VCs


Best Practices

1. Use RRs to scale BGP; deploy RRs in pairs for redundancy
 Keep the RRs out of the forwarding paths and disable CEF on them (saves memory)
2. RT and RD should have the ASN in them, i.e. ASN:X
 Reserve the first few hundred values of X for internal purposes such as filtering
3. Consider a unique RD per VRF per PE if load sharing of VPN traffic is required
4. Don't use customer names as the VRF names; a nightmare for the NOC. Use a simple combination of numbers and characters in the VRF name
 For example: v101, v102, v201, v202, etc. Use the description.
5. PE-CE IP addresses should come out of the SP's public address space to avoid overlapping
 Use /31 subnetting on PE-CE interfaces
6. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor
 Max-prefix within the VRF configuration; do suppress the inactive routes. Max-prefix per neighbor within the BGP VRF address family (if BGP is used on the PE-CE link)


Conclusion

- MPLS VPN is becoming a cheaper and faster alternative to traditional L2VPN
 Secured VPN
- MPLS-VPN paves the way for new revenue streams
 VPN customers could outsource their layer 3 to the provider
- Straightforward to configure any-to-any VPN topologies
 Partial-mesh and hub-and-spoke topologies can also be easily deployed
- CsC and Inter-AS could be used to expand into new markets
- VRF-aware services could be deployed to maximize the investment

Q and A


Recommended Reading

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press. Check the Recommended Reading flyer for suggested books.
Available onsite at the Cisco Company Store.

Complete Your Online Session Evaluation

- Win fabulous prizes; give us your feedback
- Receive ten Passport Points for each session evaluation you complete
- Go to the Internet stations located throughout the Convention Center to complete your session evaluation
- Drawings will be held in the World of Solutions
 Tuesday, June 20 at 12:15 p.m.
 Wednesday, June 21 at 12:15 p.m.
 Thursday, June 22 at 12:15 p.m. and 2:00 p.m.

Additional Slides

Advanced MPLS VPN Topics Inter-AS and CsC


Agenda
Advanced MPLS VPN Topics
- Inter-AS MPLS-VPN
- CsC: Carrier Supporting Carrier

What Is Inter-AS?

[Diagram: VPN-A site 149.27.2.0/24 - CE-1 - PE1 - RR1 (Provider X, AS #1) - ASBR1 --- ASBR2 - RR2 (Provider Y, AS #2) - PE2 - CE2 - VPN-A. CE-1 advertises 149.27.2.0/24, NH=CE-1 via BGP, OSPF or RIPv2; PE1 sends an MP-iBGP update to RR1; between the ASBRs the figure shows "???".]

Problem: How do Provider X and Provider Y exchange VPN routes?

Inter-AS Deployment Scenarios

[Diagram: VPN-A - CE1 - PE1 (AS #1) - ASBR1 --- ASBR2 - PE2 (AS #2) - CE2 - VPN-A.]

Options/scenarios for deploying Inter-AS:
1. Back-to-Back VRFs (option A)
2. MP-eBGP for VPNv4 (option B)
3. Multihop MP-eBGP between RRs (option C)
4. Non-VPN Transit Provider

Each option is covered in the additional slides.

Scenario 1: Back-to-back VRF, Control Plane

[Diagram: VPN-B 10.1.1.0/24 - CE-2 - PE-1 - ASBR-1 --- ASBR-2 - PE-2 - CE-3 - VPN-B, with VRF-to-VRF connectivity between the ASBRs.]

Updates shown in the figure, from the 10.1.1.0/24 site outward:
- CE-2 to PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
- PE-1 to ASBR-1 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(29); the VPN-B VRF on ASBR-1 imports routes with route-target 1:1
- Between the ASBRs (BGP, OSPF or RIPv2 inside the VRF): 10.1.1.0/24, NH=ASBR-2
- ASBR-2 to PE-2 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(92); the VPN-B VRF on PE-2 imports routes with route-target 1:1
- PE-2 to CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2

Scenario 1: Back-to-back VRF, Forwarding Plane

[Diagram: a packet for 10.1.1.1 travels CE-3 - PE-2 - P2 - ASBR-2 --- ASBR-1 - P1 - PE-1 - CE-2. Label stacks read from the figure (outer label first): 20 | 92 | 10.1.1.1 and 92 | 10.1.1.1 on the PE-2 to ASBR-2 side; a plain IP packet 10.1.1.1 between the ASBRs; 30 | 29 | 10.1.1.1 on the ASBR-1 to PE-1 side; plain 10.1.1.1 toward CE-2.]

IP packets between the ASBRs.

Pros
- Per-customer QoS is possible
- It is simple and elegant, since there is no need to load the Inter-AS code (but still not widely deployed)

Cons
- Not scalable: the number of interfaces on both ASBRs is directly proportional to the number of VRFs
- No end-to-end MPLS
- Unnecessary memory consumed in the RIB/(L)FIB
- Dual-homing of the ASBRs makes provisioning worse
Cisco IOS Configuration
Scenario 1: Back-to-Back VRF between ASBRs

[Diagram: VPN-A - CE-1 - PE1 (AS #1) - ASBR1 - 1.1.1.0/30 - ASBR2 - PE2 (AS #2) - CE-2 - VPN-A. VRF routes are exchanged between the ASBRs via any routing protocol.]

ASBR VRF and BGP configuration (x = local ASN, y = neighbor ASN):
  ip vrf green
   rd 1:1
   route-target both 1:1
  !
  router bgp x
   address-family ipv4 vrf green
    neighbor 1.1.1.x remote-as y
    neighbor 1.1.1.x activate

Note: the ASBR must already have an MP-iBGP session with iBGP neighbors such as RRs or PEs.

Scenario 2: MP-eBGP between ASBRs to Exchange VPNv4 Routes

- The CLI no bgp default route-target filter is needed on the ASBRs
- The ASBRs exchange VPN routes using eBGP (VPNv4 address family)
- The ASBRs store all VPN routes
 But only in the BGP table and the LFIB, not in the routing table nor in the CEF table
- The ASBRs don't need VRFs configured on them, nor LDP between them

Scenario 2: MP-eBGP between ASBRs for VPN, Control Plane

[Diagram: VPN-B 10.1.1.0/24 - CE-2 - PE-1 - ASBR-1 --- ASBR-2 - PE-2 - CE-3 - VPN-B.]

Updates shown in the figure, from the 10.1.1.0/24 site outward:
- CE-2 to PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
- PE-1 to ASBR-1 (MP-iBGP update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(40)
- ASBR-1 to ASBR-2 (MP-eBGP update): RD 1:27:10.1.1.0/24, NH=ASBR-1, RT=1:1, Label=(20)
- ASBR-2 to PE-2 (MP-iBGP update): RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(30)
- PE-2 to CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2

Scenario 2: MP-eBGP between ASBRs for VPN, Forwarding Plane

[Diagram: a packet for 10.1.1.1 travels CE-3 - PE-2 - P2 - ASBR-2 --- ASBR-1 - P1 - PE-1 - CE-2. Label stacks read from the figure (outer label first): 20 | 30 | 10.1.1.1 and 30 | 10.1.1.1 on the PE-2 to ASBR-2 side; 20 | 10.1.1.1 between the ASBRs; 30 | 40 | 10.1.1.1 and 40 | 10.1.1.1 on the ASBR-1 to PE-1 side; plain 10.1.1.1 toward CE-2.]

MPLS packets between the ASBRs.

Pros
- More scalable: only one interface between the ASBR routers
- No VRF configuration on the ASBRs
- Less memory consumption (no RIB/FIB memory)
- MPLS label switching between providers
- Still simple, more scalable and works today

Cons
- Automatic route filtering must be disabled, but BGP filtering can still be applied
- The ASBRs are still required to hold VPN routes

Cisco IOS Configuration
Scenario 2: External MP-BGP between ASBRs for VPN

[Diagram: VPN-A - CE-1 - PE1 (AS #1) - ASBR1 - 1.1.1.0/30 - ASBR2 - PE2 (AS #2) - CE-2 - VPN-A. MP-eBGP for VPNv4 between the ASBRs; the label exchange between the ASBRs uses MP-eBGP.]

ASBR MP-eBGP configuration (x = local ASN, y = neighbor ASN):
  router bgp x
   no bgp default route-target filter
   neighbor 1.1.1.x remote-as y
   !
   address-family vpnv4
    neighbor 1.1.1.x activate
    neighbor 1.1.1.x send-community extended

Note: the ASBR must already have an MP-iBGP session with iBGP neighbors such as RRs or PEs.
Scenario 3: Multihop MP-eBGP between RRs to Exchange VPNv4 Routes

- Exchange VPNv4 prefixes via the Route Reflectors
 Requires multihop MP-eBGP (with next-hop-unchanged)
- Exchange IPv4 routes with labels between the directly connected ASBRs using eBGP
 Only the PE loopback addresses need to be exchanged (they are the BGP next-hop addresses of the VPN routes)
Scenario 3: Multihop MP-eBGP between RRs for VPN Routes, Control Plane

[Diagram: VPN-B 10.1.1.0/24 - CE-2 - PE-1 - RR-1 (AS#1) - ASBR-1 --- ASBR-2 - RR-2 (AS#2) - PE-2 - CE-3 - VPN-B.]

Updates shown in the figure:
- CE-2 to PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
- PE-1 to RR-1, RR-1 to RR-2 (multihop MP-eBGP) and RR-2 to PE-2 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(90); the next hop stays PE-1 end to end
- AS#1 IGP+LDP: Network=PE-1, NH=PE-1, Label=(40)
- ASBR-1 to ASBR-2 (IPv4 update with label): Network=PE-1, NH=ASBR-1, Label=(20)
- AS#2 IGP+LDP: Network=PE-1, NH=ASBR-2, Label=(30)
- PE-2 to CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2

Note: instead of IGP+label, iBGP+label can be used to exchange the PE routes/labels. Please see Scenario#5 on slides 49 and 50.
Scenario 3: Multihop MP-eBGP between RRs for VPN Routes, Forwarding Plane

[Diagram: a packet for 10.1.1.1 travels CE-3 - PE-2 - P2 - ASBR-2 --- ASBR-1 - P1 - PE-1 - CE-2, with RR-1 and RR-2 off the forwarding path. Label stacks read from the figure (outer label first): 50 | 90 | 10.1.1.1 and 30 | 90 | 10.1.1.1 on the PE-2 to ASBR-2 side; 20 | 90 | 10.1.1.1 between the ASBRs; 40 | 90 | 10.1.1.1 and 90 | 10.1.1.1 on the ASBR-1 to PE-1 side; plain 10.1.1.1 toward CE-2. The VPN label 90 is carried unchanged from PE-2 to PE-1; only the transport label changes hop by hop.]

Note: instead of IGP+label, iBGP+label can be used to exchange the PE routes/labels.
Scenario 3: Pros/Cons

Pros
- More scalable than Scenarios 1 and 2
- Separation of control and forwarding planes
 The Route Reflectors exchange VPNv4 routes+labels; the RRs hold the VPNv4 information anyway
 The ASBRs now exchange only IPv4 routes+labels; the ASBR forwards MPLS packets

Cons
- Advertising PE addresses to another AS may not be acceptable to some providers

Cisco IOS Configuration
Scenario 3: Multihop MP-eBGP between RRs for VPN

[Diagram: VPN-A - CE-1 - PE1 - RR-1 (AS #1) - ASBR-1 --- ASBR-2 - RR-2 (AS #2) - PE2 - CE-2 - VPN-A. Multihop MP-eBGP for VPNv4 with next-hop-unchanged between RR-1 and RR-2; eBGP IPv4 + labels between ASBR-1 and ASBR-2.]

RR configuration (x = local ASN, y = neighbor ASN):
  router bgp x
   neighbor <RR-x> remote-as y
   neighbor <RR-x> ebgp-multihop
   neighbor <RR-x> update-source Loopback0
   !
   address-family vpnv4
    neighbor <RR-x> activate
    neighbor <RR-x> send-community extended
    neighbor <RR-x> next-hop-unchanged

ASBR configuration:
  router ospf x
   redistribute bgp 1 subnets
  !
  router bgp x
   neighbor <ASBR-x> remote-as y
   !
   address-family ipv4
    network <PEx> mask 255.255.255.255
    network <RRx> mask 255.255.255.255
    neighbor <ASBR-x> activate
    neighbor <ASBR-x> send-label

iBGP IPv4+label could also be used within each AS (instead of network <x.x.x.x>) to propagate the label information for the PEs.

Scenario 4: Non-VPN Transit Provider

- Two MPLS VPN providers may exchange routes via one or more transit providers
 Which may be non-VPN transit backbones just running MPLS
- Multihop MP-eBGP is deployed between the edge providers
 With the exchange of BGP next-hops via the transit provider

Scenario 4: Non-VPN Transit Provider

[Diagram: VPN-B - CE-2 - PE1 - RR-1 (MPLS VPN Provider #1) - ASBR-1 --- ASBR-3 (Non-VPN MPLS Transit Backbone) --- ASBR-4 --- ASBR-2 - RR-2 (MPLS VPN Provider #2) - PE2 - CE-3 - VPN-B. Multihop MP-eBGP (or MP-iBGP) for VPNv4 with next-hop-unchanged between RR-1 and RR-2; eBGP IPv4 + labels between ASBR-1 and ASBR-3 and between ASBR-4 and ASBR-2; iBGP IPv4 + labels inside the providers.]

Route-Target Rewrite at ASBR

- The ASBR can add/delete the route-target associated with a VPNv4 prefix
- Secures the VPN environment

  ASBR(config)#router bgp 1000
  ASBR(config-router)#neighbor 1.1.1.1 route-map route-target-delete out
  ASBR(config-router)#exit
  ASBR(config)#route-map route-target-delete
  ASBR(config-route-map)#match extcommunity 101
  ASBR(config-route-map)#set extcomm-list 101 delete
  ASBR(config-route-map)#set extcommunity rt 123:123 additive
  ASBR(config-route-map)#exit
  ASBR(config)#ip extcommunity-list 101 permit rt 100:100
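An added Python model (not Cisco's code) of the route-map above as applied to outbound VPNv4 updates: a prefix carrying an RT listed in extcommunity-list 101 loses that RT and gains rt 123:123, everything else on the route stays as is, and a prefix that matches no clause is withheld because the route-map ends in an implicit deny. The sample routes are constructed in the RD/prefix/label style of the Inter-AS slides, and each extcommunity-list entry is modelled as a single RT.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str
    label: int
    ext_communities: FrozenSet[str]   # "rt:ASN:n" for route targets; other kinds use their own prefix


@dataclass(frozen=True)
class Clause:
    """One 'route-map <name> permit <seq>' clause."""
    seq: int
    match_list: Optional[FrozenSet[str]]   # 'match extcommunity <n>'; None means match everything
    delete_list: FrozenSet[str]            # 'set extcomm-list <n> delete'
    add_rts: FrozenSet[str]                # 'set extcommunity rt ... additive'


def extcomm_list_matches(route: Vpnv4Route, entries: FrozenSet[str]) -> bool:
    """'ip extcommunity-list <n> permit rt ...': each entry is modelled as a single RT,
    and the list matches when the route carries at least one of them."""
    return bool(route.ext_communities & entries)


def apply_route_map(route: Vpnv4Route, clauses: List[Clause]) -> Optional[Vpnv4Route]:
    """Evaluate clauses in sequence order and apply the first matching permit clause.
    Returns None when nothing matches: an IOS route-map ends in an implicit deny, so
    the VPNv4 route is withheld from the neighbor rather than passed through unchanged.
    RD, prefix, next hop and VPN label are left alone (label reallocation on an
    option-B ASBR is a separate step, not part of the route-map)."""
    for clause in sorted(clauses, key=lambda c: c.seq):
        if clause.match_list is not None and not extcomm_list_matches(route, clause.match_list):
            continue
        comms = (route.ext_communities - clause.delete_list) | clause.add_rts
        return replace(route, ext_communities=frozenset(comms))
    return None


def advertise(routes: List[Vpnv4Route], clauses: List[Clause]) -> List[Vpnv4Route]:
    """What the ASBR sends after 'neighbor 1.1.1.1 route-map route-target-delete out'."""
    sent = []
    for route in routes:
        rewritten = apply_route_map(route, clauses)
        if rewritten is not None:
            sent.append(rewritten)
    return sent


# The slide's policy: extcommunity-list 101 holds rt 100:100; matching routes lose it
# and gain rt 123:123.
EXTCOMM_LIST_101 = frozenset({"rt:100:100"})
SLIDE_ROUTE_MAP = [Clause(10, EXTCOMM_LIST_101, EXTCOMM_LIST_101, frozenset({"rt:123:123"}))]
# A trailing clause with no match condition, which the slide's CLI does not have; without
# it every VPNv4 route that does not carry rt 100:100 is dropped from the advertisement.
PASS_THROUGH = Clause(20, None, frozenset(), frozenset())

if __name__ == "__main__":
    # Constructed sample updates.
    inside = Vpnv4Route("1:27", "10.1.1.0/24", "PE-1", 40,
                        frozenset({"rt:100:100", "rt:100:200", "soo:100:1"}))
    other = Vpnv4Route("1:28", "10.2.2.0/24", "PE-1", 41, frozenset({"rt:200:200"}))
    for r in advertise([inside, other], SLIDE_ROUTE_MAP):
        print("slide route-map   :", r.prefix, sorted(r.ext_communities))
    for r in advertise([inside, other], SLIDE_ROUTE_MAP + [PASS_THROUGH]):
        print("with pass-through :", r.prefix, sorted(r.ext_communities))
```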

Inter-AS Deployment Guidelines

1. Use the ASN in the route-target, i.e. ASN:xxxx
2. Max-prefix limit (both BGP and VRF) on the PEs
3. Security (BGP MD5, BGP filtering, BGP max-prefix, etc.) on the ASBRs
4. End-to-end QoS agreement on the ASBRs
5. Route-target rewrite on the ASBR
6. Internet connectivity on the same ASBR??

Agenda
Advanced MPLS VPN Topics
- Inter-AS MPLS-VPN
- Carrier Supporting Carrier (CsC)

MPLS/VPN Networks Without CsC

- The number of VPN routes is one of the biggest limiting factors in scaling the PE router
 A few SPs are running into this scaling limitation
- If the number of VPN routes can be reduced somehow (without losing functionality), then the existing investment can be protected
 The same PE can still be used to connect more VPN customers
- Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes from each VRF by enabling MPLS on the PE-CE link

CsC Deployment Model

[Diagram: the carrier's MPLS core (PE1 - P1 - PE2) runs IGP+LDP, with MP-iBGP for VPNv4 between the PEs. ISP PoP Site-1 (CE1, ASBR-1, R1) and ISP PoP Site-2 (CE-2, ASBR-2, R2, C1) attach to the PEs over MPLS-enabled VRF interfaces, and IPv4 routes with label distribution are exchanged on the PE-CE links. The ISP's internal routes (IGP routes) are carried through the carrier; its external routes (ISP customers, INTERNET) are exchanged between the sites by a full-mesh iBGP.]

Benefits of CsC

- Provide transport for ISPs ($)
 No need to manage the external routes from the ISPs
- Build an MPLS Internet Exchange (MPLS-IX) ($$)
 Media independence: POS/FDDI/PPP possible
 Higher speeds such as OC192 or more
 Operational benefits
- Sell VPN service to subsidiary companies that provide VPN service ($)

What Do I Need to Enable CsC?

1. Build an MPLS-VPN enabled carrier's network
2. Connect the ISP/SP's sites (or PoPs) to the carrier's PEs
3. Exchange internal routes + labels between the carrier's PE and the ISP/SP's CE
4. Exchange external routes directly between the ISP/SP's sites

CsC Deployment Models

[Diagram (same topology as the CsC Deployment Model slide): the carrier's MPLS core PE1 - P1 - PE2 with IGP+LDP and MP-iBGP for VPNv4; ISP PoP Site-1 (CE-1, ASBR-1, R1) and ISP PoP Site-2 (CE-2, ASBR-2, R2, C1) attached over MPLS-enabled VRF interfaces with IPv4 routes + label distribution on the PE-CE links; internal routes = IGP routes, external routes (ISP customers, INTERNET) via full-mesh iBGP between the sites.]

CsC Deployment Models

1. Customer-ISP not running MPLS
2. Customer-ISP running MPLS
3. Customer-ISP running MPLS-VPN

Models 1 and 2 are less common deployments. Model 3 will be discussed in detail.

CsC: ISP Sites Are Running MPLS-VPN, Hierarchical MPLS-VPN Control Plane

[Diagram: VPN Site-1 (R1, network 10.1.1.0/24) - ASBR_PE-1 (30.1.61.25/32) - CE-1 (ISP PoP Site-1) - PE1 - P1 - PE2 (carrier's core) - CE-2 - C1 - ASBR_PE-2 (ISP PoP Site-2) - R2 - VPN Site-2.]

Advertisements for the ISP PE loopback 30.1.61.25/32, shown left to right:
- ISP PoP Site-1 IGP+LDP: 30.1.61.25/32, Label=pop
- CE-1 to PE1 (IPv4 + label): 30.1.61.25/32, NH=CE-1, Label=50
- Carrier MP-iBGP update: 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51
- Carrier IGP+LDP: Net=PE-1, Label=pop (at P1) and Net=PE-1, Label=16
- PE2 to CE-2 (IPv4 + label): 30.1.61.25/32, NH=PE-2, Label=52
- ISP PoP Site-2 IGP+LDP: 30.1.61.25/32, NH=CE-2, Label=60 and 30.1.61.25/32, NH=C1, Label=70

Advertisements for the customer VPN route:
- R1 to ASBR_PE-1: 10.1.1.0/24, NH=R1
- ASBR_PE-1 to ASBR_PE-2 (ISP MP-iBGP update): 1:1:10.1.1.0/24, RT=1:1, NH=30.1.61.25/32, Label=90
- ASBR_PE-2 to R2: 10.1.1.0/24, NH=ASBR_PE-2

CsC: ISP Sites Are Running MPLS-VPN, Hierarchical MPLS-VPN Forwarding Plane

[Diagram: a packet for 10.1.1.1 travels from VPN Site-2 (R2) through ASBR-2 - C1 - CE-2 (ISP PoP Site-2) - PE2 - P1 - PE1 (carrier's core) - CE-1 - ASBR-1 (ISP PoP Site-1) to R1 in VPN Site-1 (network 10.1.1.0/24). Label stacks read from the figure (outer label first): 70 | 90 | 10.1.1.1 from ASBR-2; 60 | 90 | 10.1.1.1 from C1; 52 | 90 | 10.1.1.1 from CE-2; 16 | 51 | 90 | 10.1.1.1 from PE2 into the carrier's core; 51 | 90 | 10.1.1.1 from P1; 50 | 90 | 10.1.1.1 from PE1; 90 | 10.1.1.1 from CE-1; plain 10.1.1.1 from ASBR-1 to R1. The ISP's VPN label 90 rides inside the carrier's label stack end to end.]