
Deploying MPLS VPN Networks

Ade Yudha G Rahman Isnaini Rommy Kuntoro

BRKRST-2102 14416_04_2008_c1

2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

Abstract
Multiprotocol Label Switching (MPLS) has been widely adopted by network operators to provide scalable L2 VPN, L3 VPN, traffic engineering and other services. Enterprises are fast adopting this technology to address network segmentation and traffic separation needs. This session covers MPLS Layer 3 VPN, the most widely adopted MPLS application. The session will cover:
- MPLS VPN technology overview (RFC 2547 / RFC 4364)
- MPLS/VPN configuration overview
- MPLS/VPN-based services (multihoming, hub and spoke, extranet, Internet access, NAT, VRF-lite, etc.)
- Best practices

Agenda
- MPLS VPN Overview
- MPLS VPN Services
- Best Practices
- Conclusion

Prerequisites
- Must understand basic IP routing, especially BGP
- Must understand MPLS basics (push, pop, swap, label stacking)
- Should understand MPLS VPN basics
- Must keep the speaker engaged by asking bad questions

Terminology
- LSR: label switch router
- LSP: label switched path; the chain of labels that are swapped at each hop to get from one LSR to another
- VRF: VPN routing and forwarding; the mechanism in Cisco IOS used to build a per-customer RIB and FIB
- MP-BGP: multiprotocol BGP
- PE: provider edge router; interfaces with CE routers
- P: provider (core) router, with no knowledge of the VPNs
- VPNv4: address family used in BGP to carry MPLS VPN routes
- RD: route distinguisher; distinguishes the same network/mask prefix in different VRFs
- RT: route target; extended community attribute used to control import and export policies of VPN routes
- LFIB: label forwarding information base
- FIB: forwarding information base

Agenda
- MPLS VPN Overview
  - Technology (how it works)
  - Configuration
- MPLS-VPN Services
- Best Practices
- Conclusion

MPLS-VPN Technology
- More than one routing and forwarding table
- Control plane: VPN route propagation
- Data (forwarding) plane: VPN packet forwarding

MPLS-VPN Technology: MPLS VPN Connection Model

[Diagram: CE routers attach to PE routers at the edge of the MPLS backbone; P routers form the core; an MP-iBGP session runs between the PE routers]

PE routers
- Sit at the edge
- Use MPLS with P routers
- Use IP with CE routers
- Distribute VPN information through MP-BGP to other PE routers

P routers
- Sit inside the network
- Forward packets by looking at labels
- P and PE routers share a common IGP

MPLS-VPN Technology: Separate Routing Tables at PE

[Diagram: CE1 (VPN 1) and CE2 (VPN 2) attach to one PE; the MPLS backbone runs an IGP (OSPF, IS-IS)]

Customer-specific routing table
- Routing table (RIB) and forwarding table (CEF) dedicated to the VPN customer: VPN1 routing table, VPN2 routing table
- Referred to as the VRF table for the <named VPN>
- show ip route vrf <name>

Global routing table
- Created when IP routing is enabled on the PE
- Populated by OSPF, IS-IS, etc. inside the MPLS backbone
- show ip route

MPLS-VPN Technology: Virtual Routing and Forwarding Instance (1)

[Diagram: CE1 (VPN 1) attached to VRF Green and CE2 (VPN 2) attached to VRF Blue on interface Ser0/0 of the PE; MPLS backbone IGP (OSPF, IS-IS)]

What's a Virtual Routing and Forwarding (VRF) instance?
- A VRF represents the VPN customer inside the SP MPLS network
- Each VPN is associated with at least one VRF
- A VRF must be defined (locally significant) on each PE and associated with one or more PE-CE interfaces; this privatizes the interface, i.e., colors it
- Each VRF has a dedicated routing table and forwarding table, and a dedicated instance of the routing protocol (static, RIP, BGP, EIGRP, IS-IS, OSPF)
- The PE is capable of running VRF-aware routing protocols
- No changes are needed at the CE; the CE router runs whatever software

    PE(conf)#ip vrf green
    PE(conf)#interface Ser0/0
    PE(conf)#ip vrf forwarding blue

MPLS-VPN Technology: Virtual Routing and Forwarding Instance (2)

[Diagram: CE1 (VPN 1) and CE2 (VPN 2) run eBGP, OSPF, RIPv2 or static routing towards the PE; MPLS backbone IGP (OSPF, IS-IS)]

- The PE installs the routes learned from CE routers or from other PE routers in the appropriate VRF routing table(s); more on this in the Control Plane slides later on
- The PE installs the IGP (backbone) routes in the global routing table
- VPN customers can use overlapping IP addresses

BGP plays a key role. Let's understand a few BGP-specific details.

MPLS-VPN Technology: Control Plane

The control plane for MPLS VPN is Multiprotocol BGP.

MP-BGP UPDATE message, showing only the VPNv4 address, RT and label:

    RD (8 bytes)   IPv4 (4 bytes)   Route-Target (8 bytes)   Label (3 bytes)
    1:1            10.1.1.0
    |<----- VPNv4 address ------>|

MP-BGP customizes the VPN customer routing information as per the locally configured VRF information at the PE:
- Route Distinguisher (RD)
- Route Target (RT)
- Label

MPLS-VPN Technology: Control Plane: MP-BGP UPDATE Message Capture

This capture might help to visualize what a BGP UPDATE message advertising VPNv4 routes looks like. Notice the path attributes.

[Packet capture: the Path Attributes carry the Route Target 3:3 (extended community) and MP_REACH_NLRI 1:1:200.1.62.4/30]

MPLS VPN Control Plane: MP-BGP Update Components: RD & VPNv4 Address

MP-BGP update showing RD, RT and label:

    RD (8 bytes)   IPv4 (4 bytes)   Route-Target (8 bytes)   Label (3 bytes)
    1:1            10.1.1.0

- The VPN customer IPv4 address is converted into a VPNv4 address by adding the RD to the IPv4 address, i.e., 1:1:10.1.1.0
- This makes the customer's IPv4 route unique inside the SP MPLS network
- Each VRF should* be configured with an RD at the PE
- The RD is what defines the VRF

    !
    ip vrf green
     rd 1:1
    !

* After 12.4(3)T, 12.4(3), 12.2(32)S, 12.0(32)S etc., RD configuration within a VRF has become optional. Prior to that, it was mandatory.

MPLS VPN Control Plane: MP-BGP Update Components: Route-Target

MP-BGP update showing RD, RT and label:

    RD (8 bytes)   IPv4 (4 bytes)   Route-Target (8 bytes)   Label (3 bytes)
    1:1            10.1.1.0         2:2

- Route target (RT): identifies the VRF(s) for the received VPNv4 prefix. It is an 8-byte extended community attribute
- Each VRF is configured with a set of RT(s) at the PE
- The RT helps to identify which VRF(s) get the VPN route

    !
    ip vrf green
     route-target import 1:1
     route-target export 1:2
    !

MPLS VPN Control Plane: MP-BGP Update Components: Label

MP-BGP update showing RD, RT and label:

    RD (8 bytes)   IPv4 (4 bytes)   Route-Target (8 bytes)   Label (3 bytes)
    1:1            10.1.1.0         2:2                      50

- The PE assigns a label for the VPNv4 prefix; the label is carried with the NLRI, it is not an attribute
- Next-hop-self towards MP-iBGP neighbors by default, i.e., the PE sets the NEXT_HOP attribute to its own address (loopback)
- PE addresses used as BGP next hop must be uniquely known in the backbone IGP
- Do not summarize the PE loopback addresses in the core
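Added example, not from the original deck: Python that encodes and decodes the three update components just described, a type-0 route distinguisher, the labelled VPNv4 NLRI (length, 3-byte label with the bottom-of-stack bit, RD, prefix) and the route-target extended community. Field layouts follow RFC 4364 and RFC 4360; the sample values are the slides' (RD 1:1, prefix 10.1.1.0/24, RT 2:2, label 100).

```python
"""Encode/decode the MP-BGP VPNv4 update components from the slides
(RD 1:1, prefix 10.1.1.0/24, RT 2:2, label 100). Layouts follow RFC 4364
(labelled VPNv4 NLRI, type-0 RD) and RFC 4360 (route-target extended community)."""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Type-0 RD 'ASN:nn' -> 8 bytes: 2-byte type 0, 2-byte AS, 4-byte assigned number."""
    asn, num = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def decode_rd(raw: bytes) -> str:
    rd_type, asn, num = struct.unpack("!HHI", raw)
    if rd_type != 0:
        raise ValueError(f"only type-0 (AS:nn) RDs are handled here, got type {rd_type}")
    return f"{asn}:{num}"


def encode_route_target(rt: str) -> bytes:
    """Two-octet-AS-specific extended community (type 0x00), subtype 0x02 = route target."""
    asn, num = (int(x) for x in rt.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)


def decode_route_target(raw: bytes) -> str:
    typ, sub, asn, num = struct.unpack("!BBHI", raw)
    if (typ, sub) != (0x00, 0x02):
        raise ValueError(f"not a 2-byte-AS route target: type {typ:#x} subtype {sub:#x}")
    return f"{asn}:{num}"


def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """Labelled VPNv4 NLRI: 1-byte length in bits, 3-byte label (20-bit label, EXP=0,
    bottom-of-stack=1), 8-byte RD, then only as many prefix bytes as the mask needs."""
    net = ipaddress.IPv4Network(prefix)
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    label_bytes = ((label << 4) | 1).to_bytes(3, "big")
    nbytes = (net.prefixlen + 7) // 8
    prefix_bytes = net.network_address.packed[:nbytes]
    length_bits = 24 + 64 + net.prefixlen   # label + RD + prefix
    return bytes([length_bits]) + label_bytes + encode_rd(rd) + prefix_bytes


def decode_vpnv4_nlri(raw: bytes) -> dict:
    """Inverse of encode_vpnv4_nlri; returns the parts and the 'RD:prefix' VPNv4 form."""
    plen = raw[0] - 24 - 64
    if plen < 0 or plen > 32:
        raise ValueError("NLRI length does not describe a labelled VPNv4 prefix")
    label = int.from_bytes(raw[1:4], "big") >> 4      # drop EXP + bottom-of-stack bits
    rd = decode_rd(raw[4:12])
    nbytes = (plen + 7) // 8
    if len(raw) < 12 + nbytes:
        raise ValueError("truncated NLRI")
    addr = raw[12:12 + nbytes].ljust(4, b"\x00")
    prefix = f"{ipaddress.IPv4Address(addr)}/{plen}"
    return {"label": label, "rd": rd, "prefix": prefix, "vpnv4": f"{rd}:{prefix}"}
```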

MPLS VPN Control Plane: Putting It All Together (1)

[Diagram: Site 1 (10.1.1.0/24, CE1) attached to PE1; Site 2 (CE2) attached to PE2; P router in the MPLS backbone. Step 1: CE1 advertises 10.1.1.0/24 with next-hop CE-1. Steps 2-3: MP-iBGP update RD:10.1.1.0, Next-Hop=PE-1, RT=1:2, Label=100]

1. PE1 receives an IPv4 update (eBGP/OSPF/IS-IS/RIP/EIGRP)
2. PE1 translates it into a VPNv4 address and constructs the MP-iBGP UPDATE message:
   - Associates the RT values (import RT value=1:2) per the VRF configuration
   - Rewrites the next-hop attribute to itself
   - Assigns a label (100, say) and installs it in the MPLS forwarding table
3. PE1 sends the MP-iBGP update to the other PE routers

MPLS VPN Control Plane: Putting It All Together (2)

[Diagram, continued: PE2 receives the MP-iBGP update (RD:10.1.1.0, Next-Hop=PE-1, RT=1:2, Label=100) in step 4 and advertises 10.1.1.0/24 with next-hop PE-2 to CE2 in step 5]

4. PE2 receives the update and checks whether RT=1:2 is locally configured as an import RT within any VRF; if yes, then
   - PE2 translates the VPNv4 prefix back into an IPv4 prefix
   - Updates the VRF CEF table for 10.1.1.0/24 with label=100
5. PE2 advertises this IPv4 prefix to CE2 (using whatever routing protocol runs on the PE-CE link)

MPLS-VPN Forwarding Plane Review

[Diagram: Site 1 (10.1.1.0/24) - CE1 - PE1 - P1/P2/P3/P4 (MPLS backbone) - PE2 - CE2 - Site 2]

VRF Green forwarding table (at PE2):
    Dest          Next-Hop   Label
    10.1.1.0/24   PE1        100

Global routing/forwarding table (at PE1):
    Dest   Next-Hop   Label
    PE2    P3         50

Global routing/forwarding table (at PE2):
    Dest   Next-Hop   Label
    PE1    P2         25

Global forwarding table (show ip cef)
- Stores next-hop routes with associated labels
- Next-hop routes learned through the IGP
- Labels learned through LDP/TDP

VRF forwarding table (show ip cef vrf <vrf>)
- Stores VPN routes with associated labels
- VPN routes learned through BGP
- Labels learned through MP-BGP

MPLS-VPN Forwarding Plane: Packet Forwarding

[Diagram: an IP packet to 10.1.1.1 enters at CE2/PE2; PE2 sends an MPLS packet with outer label 50 and inner label 100; the P routers swap the outer label (50, then 25) while the inner label 100 is untouched; PE1 delivers the IP packet to CE1 in Site 1 (10.1.1.0/24)]

- PE2 imposes two labels (MPLS headers) on each packet going to the VPN destination 10.1.1.1
- The outer label is learned via LDP and corresponds to an IGP route (the BGP next hop, PE1)
- The inner label is learned via MP-BGP and corresponds to the VPN address
- PE1 recovers the IP packet from the received MPLS packet and forwards it to CE1
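Added example, not from the original deck: a Python model of the two-label forwarding just described. It builds RFC 3032 label stack entries, has PE2 impose LDP label 50 over VPN label 100 on a constructed IP packet to 10.1.1.1, has the P router swap only the outer label (to 25, as on the slide), and has PE1 pop the stack and map the inner label back to its VRF. The LFIB, the VRF-label table and the IP packet are constructed for the example.

```python
"""Two-label forwarding plane from the slide: inner VPN label 100 learned via
MP-BGP, outer LDP label 50 swapped to 25 by the P router. Label stack entries
follow RFC 3032; the LFIB/VRF tables and the IP packet are constructed."""
import ipaddress
import struct


def label_entry(label: int, exp: int, bos: bool, ttl: int) -> bytes:
    """One 4-byte label stack entry: 20-bit label | 3-bit EXP | 1-bit S | 8-bit TTL."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label/exp/ttl out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def parse_label_stack(packet: bytes):
    """Return ([(label, exp, bos, ttl), ...], payload); stops at the bottom-of-stack entry."""
    entries, off = [], 0
    while True:
        if off + 4 > len(packet):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
        entry = (word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)
        entries.append(entry)
        if entry[2]:
            return entries, packet[off:]


def ipv4_dst(ip_packet: bytes) -> str:
    return str(ipaddress.IPv4Address(ip_packet[16:20]))


# Constructed minimal IPv4 header (20 bytes, no options/payload) from 10.1.1.2 to 10.1.1.1.
IP_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address("10.1.1.2").packed,
                        ipaddress.IPv4Address("10.1.1.1").packed)


def pe2_impose(ip_packet: bytes, vpn_label: int, ldp_label: int) -> bytes:
    """PE2: push the MP-BGP VPN label (bottom, S=1), then the LDP label for the BGP next hop."""
    return label_entry(ldp_label, 0, False, 255) + label_entry(vpn_label, 0, True, 255) + ip_packet


def p_swap(packet: bytes, lfib: dict) -> bytes:
    """P router: swap only the top label per its LFIB; the VPN label is never inspected."""
    entries, payload = parse_label_stack(packet)
    label, exp, bos, ttl = entries[0]
    rest = b"".join(label_entry(*e) for e in entries[1:])
    return label_entry(lfib[label], exp, bos, ttl - 1) + rest + payload


def pe1_recover(packet: bytes, vrf_labels: dict):
    """PE1: pop the whole stack, map the inner label to its VRF, return (vrf, IP destination)."""
    entries, payload = parse_label_stack(packet)
    inner_label = entries[-1][0]
    return vrf_labels[inner_label], ipv4_dst(payload)


def walk():
    """CE2 -> PE2 -> P -> PE1 -> CE1 for the slide's packet to 10.1.1.1."""
    pkt = pe2_impose(IP_PACKET, vpn_label=100, ldp_label=50)   # PE2 sends [50][100][IP]
    pkt = p_swap(pkt, lfib={50: 25})                            # P sends   [25][100][IP]
    return parse_label_stack(pkt)[0], pe1_recover(pkt, {100: "green"})
```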

MPLS-VPN Technology: Control Plane: MPLS Packet Capture

This capture might be helpful if you have never captured an MPLS packet before.

[Packet capture: Ethernet header, outer label, inner label, IP packet]

Agenda
- MPLS VPN Explained
  - Technology
  - Configuration
- MPLS-VPN Services
- Best Practices
- Conclusion

MPLS VPN Sample Configuration (IOS)

VRF definition (PE1, Se0 192.168.10.1 towards CE1, Site 1 10.1.1.0/24):

    ip vrf VPN-A
     rd 1:1
     route-target export 100:1
     route-target import 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0

(ip vrf forwarding is entered before ip address: applying a VRF to an interface removes any address already configured on it.)

PE-P configuration (PE1 s1 towards P Se0):

    interface Serial1
     ip address 130.130.1.1 255.255.255.252
     mpls ip
    !
    router ospf 1
     network 130.130.1.0 0.0.0.3 area 0

MPLS VPN Sample Configuration (IOS)

PE: MP-iBGP configuration (PE1, peering with the RR at 1.2.3.4):

    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.4 activate
      neighbor 1.2.3.4 send-community both
     !

RR: MP-iBGP configuration (RR, with the PE at 1.2.3.6 as a client; PE1 and PE2 are both clients):

    router bgp 1
     no bgp default route-target filter
     neighbor 1.2.3.6 remote-as 1
     neighbor 1.2.3.6 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.6 route-reflector-client
      neighbor 1.2.3.6 activate
     !

MPLS VPN Sample Configuration (IOS)

PE-CE routing: BGP (PE1 192.168.10.1, CE1 192.168.10.2, Site 1 10.1.1.0/24):

    router bgp 1
     !
     address-family ipv4 vrf VPN-A
      neighbor 192.168.10.2 remote-as 2
      neighbor 192.168.10.2 activate
     exit-address-family
    !

PE-CE routing: OSPF (PE1):

    router ospf 1
    !
    router ospf 2 vrf VPN-A
     network 192.168.10.0 0.0.0.255 area 0
     redistribute bgp 1 subnets
    !

MPLS VPN Sample Configuration (IOS)

PE-CE routing: RIP (PE1 192.168.10.1, CE1 192.168.10.2, Site 1 10.1.1.0/24):

    router rip
     !
     address-family ipv4 vrf VPN-A
      version 2
      no auto-summary
      network 192.168.10.0
      redistribute bgp 1 metric transparent
     !

PE-CE routing: EIGRP (PE1):

    router eigrp 1
     !
     address-family ipv4 vrf VPN-A
      no auto-summary
      network 192.168.10.0 0.0.0.255
      autonomous-system 1
      redistribute bgp 1 metric 100000 100 255 1 1500
     !

MPLS VPN Sample Configuration (IOS)

PE-CE routing: Static (PE1 192.168.10.1, CE1 192.168.10.2, Site 1 10.1.1.0/24):

    ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2

If the PE-CE protocol is not BGP, then redistribution of the other sites' VPN routes from MP-iBGP is required (shown below for RIP).

PE-CE: MP-iBGP routes into the VPN (PE1, routes learned from the RR are passed to CE1):

    router rip
     address-family ipv4 vrf VPN-A
      version 2
      redistribute bgp 1 metric transparent
      no auto-summary
      network 192.168.10.0
     exit-address-family

MPLS VPN Sample Configuration (IOS)

If the PE-CE protocol is not BGP, then redistribution of the local VPN routes into MP-iBGP is required (shown below).

PE-RR: VPN routes into VPNv4 (PE1, Site 1 routes learned from CE1 are passed to the RR):

    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback 0
     !
     address-family ipv4 vrf VPN-A
      redistribute {rip|connected|static|eigrp|ospf}

For configuration hands-on, please attend the Configuring MPLS VPNs (LABCRT-2208) session.

Having familiarized ourselves with the IOS-based configuration, let's glance through the IOX-based configuration for VPNs.

MPLS VPN Sample Configuration (IOX)

VRF definition (PE1, Se0 192.168.10.1 towards CE1, Site 1 10.1.1.0/24):

    vrf VPN-A
     address-family ipv4 unicast
      import route-target
       100:1
      !
      export route-target
       100:1
      !
      export route-policy raj-exp
     !
    !
    interface Serial0
     vrf VPN-A
     ipv4 address 192.168.10.1/24
    !

PE-CE routing: BGP (PE1 192.168.10.1, CE1 192.168.10.2):

    router bgp 1
     vrf VPN-A
      rd 1:1
      address-family ipv4 unicast
       redistribute connected
      !
      neighbor 192.168.10.2
       remote-as 2
       address-family ipv4 unicast
        route-policy raj-temp in
       !
      !
     !
    !

Agenda
- MPLS VPN Explained
- MPLS-VPN Services
  1. Providing Load-Shared Traffic to the Multihomed VPN Sites
  2. Providing Hub and Spoke Service to the VPN Customers
  3. Providing MPLS VPN Extranet Service
  4. Providing Internet Access Service to VPN Customers
  5. Providing VRF-Selection Based Services
  6. Providing Remote Access MPLS VPN
  7. Providing VRF-Aware NAT Services
  8. Providing QoS Service to VPNs
  9. Providing Multicast Service to VPNs
  10. Providing MPLS/VPN over IP Transport
  11. Providing Multi-VRF CE Service
- Best Practices
- Conclusion

MPLS VPN Services: 1. Loadsharing for the VPN Traffic

[Diagram: Site A (CE1, 171.68.2.0/24) multihomed to PE11 and PE12; RR in the MPLS backbone; Site B (CE2) attached to PE2; the route advertisement flows from Site A towards PE2]

- VPN sites (such as Site A) could be multihomed
- The VPN customer may demand that the traffic to the multihomed site be loadshared

MPLS VPN Services: 1. Loadsharing for the VPN Traffic: Cases

Case 1: one CE, two PEs
[Diagram: CE1 (171.68.2.0/24) in Site A connected to both PE11 and PE12; RR in the MPLS backbone; traffic from CE2 (Site B) enters at PE2 and flows towards both PE11 and PE12]

Case 2: two CEs, two PEs
[Diagram: CE1 and CE2 in Site A (171.68.2.0/24) connected to PE11 and PE12 respectively; traffic from CE2 in Site B enters at PE2 and flows towards both PEs]

MPLS VPN Services: 1. Loadsharing for the VPN Traffic: Deployment

How to deploy the loadsharing?
- Configure a unique RD per VRF per PE for the multihomed site/interfaces (assuming an RR exists)
- Enable BGP multipath within the relevant BGP VRF address family at the remote/receiving PE2 (why PE2? it is the PE that receives both paths, one from PE11 and one from PE12, and has to install both)

PE11:
    ip vrf green
     rd 300:11
     route-target both 1:1

PE12:
    ip vrf green
     rd 300:12
     route-target both 1:1

PE2:
    ip vrf green
     rd 300:13
     route-target both 1:1
    !
    router bgp 1
     address-family ipv4 vrf green
      maximum-paths eibgp 2

MPLS VPN Services: 1. VPN Fast Convergence: PE-CE Link Failure (Traffic Is Dropped by PE11)

[Diagram: Site A (CE1, 171.68.2.0/24) multihomed to PE11 and PE12; RR; Site B (CE2) behind PE2; the PE11-CE1 link has failed while the VPN traffic from PE2 is still being sent to PE11]

- In the classic case, PE11, upon detecting the PE-CE link failure, sends a BGP message to withdraw all the related VPN routes from the MPLS/VPN network
- This results in the remote PE routers selecting the alternate best path (if any), but until then they keep sending the MPLS/VPN traffic to PE11, which keeps dropping it
- IOS and IOX have now incorporated a Fast Local Repair feature to reduce the loss due to the PE-CE link failure from seconds to milliseconds

MPLS VPN Services: 1. VPN Fast Convergence: PE-CE Link Failure (Traffic Is Redirected by PE11)

[Diagram: same topology; after the PE11-CE1 link failure, PE11 redirects the VPN traffic to PE12, which forwards it to CE1]

- This feature helps PE11 to reduce the traffic loss from seconds to milliseconds by redirecting the CE1-bound traffic to PE12 (with the right label), which forwards the traffic to CE1
- PE11 immediately reprograms the forwarding entry after selecting the alternate BGP best path (which is via PE12)
- In parallel, PE11 sends the BGP withdraw message to the RR/PE2, which run the best path algorithm, remove the path learned via PE11, and then adjust their forwarding entries to point via PE12
- This feature is independent of whether multipath is enabled on PE2 or not; it does, however, depend on the VPN site being multihomed


MPLS-VPN Services: 2. Hub and Spoke Service to the VPN Customers

- Traditionally, VPN deployments were hub and spoke, and need to remain so for valid reasons
  - Spoke-to-spoke communication is via the hub site only
- Despite MPLS VPN's implicit any-to-any, i.e., full-mesh connectivity, a hub and spoke service can easily be offered
  - Done with import and export of route-target (RT) values
  - Requires a unique RD per VRF per PE
- PE routers can run any routing protocol with the VPN customer's hub and spoke sites independently

MPLS-VPN Services: 2. Hub and Spoke Service: Configuration

[Diagram: Spoke A (CE-SA, 171.68.1.0/24) behind PE-SA and Spoke B (CE-SB, 171.68.2.0/24) behind PE-SB across the MPLS VPN backbone; PE-Hub connects to the hub CE over two subinterfaces, Eth0/0.1 (VRF HUB-OUT) and Eth0/0.2 (VRF HUB-IN)]

PE-SA:
    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2

PE-SB:
    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2

PE-Hub:
    ip vrf HUB-OUT
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-IN
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2

Note: only the VRF configuration is shown here.

MPLS-VPN Services: 2. Hub and Spoke Service: Configuration

- If BGP is used between every PE and CE, then the as-override and allowas-in knobs must be used at the PE-Hub*; otherwise AS_PATH looping will occur
- If the spoke sites only need the default route from the hub site, then it is possible to use a single interface between PE-hub and CE-hub (instead of the two interfaces shown on the previous slide)
  - Let the CE-hub router advertise the default or aggregate
  - Avoid generating a BGP aggregate at the PE

* Configuration for this is shown on the next slide

MPLS-VPN Services: 2. Hub and Spoke Service: Configuration

[Diagram: same hub and spoke topology as the previous configuration slide]

PE-SA:
    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2

PE-SB:
    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2

PE-Hub:
    ip vrf HUB-OUT
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-IN
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2
    !
    router bgp <ASN>
     address-family ipv4 vrf HUB-OUT
      neighbor <CE> as-override
     !
     address-family ipv4 vrf HUB-IN
      neighbor <CE> allowas-in 2

MPLS-VPN Services: 2. Hub and Spoke Service: Control Plane

FIB: IP forwarding table; LFIB: MPLS forwarding table

MP-iBGP updates:
- From PE-SA: 171.68.1.0/24, Label 40, Route-Target 1:1
- From PE-SB: 171.68.2.0/24, Label 50, Route-Target 1:1
- From PE-Hub (VRF HUB-IN): 171.68.0.0/16, Label 35, Route-Target 2:2

VRF HUB-OUT FIB and LFIB at PE-Hub:
    Destination     Next-Hop   Label
    171.68.1.0/24   PE-SA      40
    171.68.2.0/24   PE-SB      50

VRF HUB-IN FIB at PE-Hub:
    Destination     Next-Hop
    171.68.0.0/16   CE-H1

VRF FIB and LFIB at PE-SA:
    Destination     Next-Hop   Label
    171.68.0.0/16   PE-Hub     35
    171.68.1.0/24   CE-SA

VRF FIB and LFIB at PE-SB:
    Destination     Next-Hop   Label
    171.68.0.0/16   PE-Hub     35
    171.68.2.0/24   CE-SB

Two VRFs at the PE-Hub:
- VRF HUB-OUT to learn every spoke route from the remote PEs
- VRF HUB-IN to advertise either the summary 171.68.0.0/16 or specific routes to the remote PEs
- The import and export route targets within a VRF must be different

MPLS-VPN Services: 2. Hub and Spoke Service: Forwarding Plane

This is how the spoke-to-spoke traffic flows:

[Diagram: a packet from Spoke B (171.68.2.0/24) to 171.68.1.1 in Spoke A enters PE-SB, which sends it labelled L1 | 35 | 171.68.1.1 to PE-Hub (VRF HUB-IN); the hub CE routes it back into VRF HUB-OUT, and PE-Hub sends it labelled L2 | 40 | 171.68.1.1 to PE-SA, which delivers it to CE-SA]

L1 is the label to get to PE-Hub; L2 is the label to get to PE-SA.

MPLS-VPN Services: 2. Hub and Spoke Service: Half-Duplex VRF

Why do we need half-duplex VRF?
- If more than one spoke router (CE) connects to the same PE router within a single VRF, then such spokes can reach each other without needing the hub
- This defeats the purpose of doing hub and spoke
- Half-duplex VRF is the answer

Half-duplex VRF is specific to the virtual-template* interface, i.e., dial users
- It requires two VRFs on the PE (spoke) router
  - Upstream VRF for spoke->hub communication
  - Downstream VRF for spoke<-hub communication

* Being extended to other interfaces as well

MPLS-VPN Services: 2. Hub and Spoke Service: Half-Duplex VRF

[Diagram: Spoke A (CE-SA, 171.68.1.0/24) and Spoke B (CE-SB, 171.68.2.0/24) both terminate on PE-SA; PE-Hub holds VRF HUB-OUT and VRF HUB-IN as before]

PE-SA:
    ip vrf red-vrf
     description VRF upstream flow
     rd 300:111
     route-target import 2:2
    !
    ip vrf blue-vrf
     description VRF downstream flow
     rd 300:112
     route-target export 1:1
    !
    interface Virtual-Template1
     ...
     ip vrf forwarding red-vrf downstream blue-vrf

PE-Hub:
    ip vrf HUB-OUT
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-IN
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2

- red-vrf is the upstream VRF; blue-vrf is the downstream VRF
- PE-SA installs the spoke routes only in the downstream VRF, i.e., blue-vrf
- PE-SA forwards the incoming IP traffic (from the spokes) using the upstream VRF, i.e., the red-vrf routing table


MPLS-VPN Services: 3. Extranet VPN

- MPLS VPN, by default, isolates one VPN customer from another
  - Separate virtual routing table for each VPN customer
- Communication between VPNs may be required, i.e., an extranet
  - External inter-company communication (dealers with manufacturer, retailer with wholesale provider, etc.)
  - Management VPN, shared-service VPN, etc.
- Needs the right import and export route-target (RT) values configured within the VRFs
  - An export map or import map should be used

MPLS-VPN Services: 3. Extranet VPN

Goal: only VPN_A Site#1 is to be reachable from VPN_B

[Diagram: PE1 connects VPN_A Site#1 (171.68.0.0/16) on S0 and VPN_B Site#1 (180.1.0.0/16); PE2 connects VPN_A Site#2 (192.6.0.0/16); MPLS backbone between them]

VPN_A:
    ip vrf VPN_A
     rd 3000:111
     export map VPN_A_Export
     import map VPN_A_Import
     route-target import 3000:111
     route-target export 3000:111
     route-target import 3000:1
    !
    route-map VPN_A_Export permit 10
     match ip address 1
     set extcommunity rt 3000:2 additive
    !
    route-map VPN_A_Import permit 10
     match ip address 2
    !
    access-list 1 permit 171.68.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0

VPN_B:
    ip vrf VPN_B
     rd 3000:222
     export map VPN_B_Export
     import map VPN_B_Import
     route-target import 3000:222
     route-target export 3000:222
     route-target import 3000:2
    !
    route-map VPN_B_Export permit 10
     match ip address 2
     set extcommunity rt 3000:1 additive
    !
    route-map VPN_B_Import permit 10
     match ip address 1
    !
    access-list 1 permit 171.68.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0

Only Site#1 of both VPN_A and VPN_B would communicate with each other; Site#2 won't be part of it.
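Added example, not from the original deck: a Python model of the RT-based import decision from step 4 of the control plane walk-through ("is the received RT configured as an import RT in any local VRF?"), run over the hub and spoke VRFs of section 2 (green-spoke1/green-spoke2 export 1:1 and import 2:2, HUB-OUT imports 1:1, HUB-IN exports 2:2) and over the extranet export maps just shown. It assumes an RR reflecting every VPNv4 route to every PE, models the export maps as a prefix-to-extra-RT function, and matches on route targets only; the slides' import maps are not modelled.

```python
"""Model of the PE's RT-driven import decision, applied to the hub-and-spoke VRFs
and the extranet export maps from the slides. Route-target matching alone decides
import here; the slides' import maps are not modelled. An RR is assumed to reflect
every exported route to every VRF on every PE."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str             # route distinguisher of the exporting VRF
    prefix: str
    next_hop: str       # advertising PE (next-hop-self)
    rts: frozenset      # route-target extended communities attached


@dataclass
class Vrf:
    name: str
    pe: str
    rd: str
    import_rts: Set[str] = field(default_factory=set)
    export_rts: Set[str] = field(default_factory=set)
    # stands in for 'export map ... set extcommunity rt X additive': prefix -> extra RTs
    export_map: Optional[Callable[[str], Set[str]]] = None
    table: Dict[str, VpnRoute] = field(default_factory=dict)  # imported prefix -> route

    def export(self, prefix: str) -> VpnRoute:
        rts = set(self.export_rts)
        if self.export_map is not None:
            rts |= self.export_map(prefix)
        return VpnRoute(self.rd, prefix, self.pe, frozenset(rts))

    def consider(self, route: VpnRoute) -> bool:
        """Import if at least one attached RT is one of this VRF's import RTs."""
        if route.rd == self.rd and route.next_hop == self.pe:
            return False                      # the VRF's own advertisement
        if not (route.rts & self.import_rts):
            return False
        self.table[route.prefix] = route
        return True


def propagate(vrfs: List[Vrf], advertisements: List[Tuple[Vrf, str]]) -> None:
    """Reflect every export to every VRF on every PE, as the RR does for VPNv4."""
    for vrf, prefix in advertisements:
        route = vrf.export(prefix)
        for candidate in vrfs:
            candidate.consider(route)


def hub_and_spoke() -> Dict[str, List[str]]:
    """Spokes export 1:1 / import 2:2; HUB-OUT imports 1:1; HUB-IN exports 2:2."""
    spoke_a = Vrf("green-spoke1", "PE-SA", "300:111", {"2:2"}, {"1:1"})
    spoke_b = Vrf("green-spoke2", "PE-SB", "300:112", {"2:2"}, {"1:1"})
    hub_out = Vrf("HUB-OUT", "PE-Hub", "300:11", {"1:1"}, set())
    hub_in = Vrf("HUB-IN", "PE-Hub", "300:12", set(), {"2:2"})
    vrfs = [spoke_a, spoke_b, hub_out, hub_in]
    propagate(vrfs, [(spoke_a, "171.68.1.0/24"), (spoke_b, "171.68.2.0/24"),
                     (hub_in, "171.68.0.0/16")])
    # Spokes only ever learn the hub summary; only HUB-OUT learns the spoke prefixes.
    return {v.name: sorted(v.table) for v in vrfs}


def extranet() -> Dict[str, List[str]]:
    """VPN_A's export map tags only 171.68.0.0 (Site#1) with 3000:2;
    VPN_B's export map tags only 180.1.0.0 with 3000:1 (the slide's ACLs 1 and 2)."""
    def vpn_a_export(prefix: str) -> Set[str]:
        return {"3000:2"} if prefix.startswith("171.68.0.0/") else set()

    def vpn_b_export(prefix: str) -> Set[str]:
        return {"3000:1"} if prefix.startswith("180.1.0.0/") else set()

    a_rts = ({"3000:111", "3000:1"}, {"3000:111"})
    vpn_a_s1 = Vrf("VPN_A@PE1", "PE1", "3000:111", *a_rts, vpn_a_export)
    vpn_a_s2 = Vrf("VPN_A@PE2", "PE2", "3000:111", *a_rts, vpn_a_export)
    vpn_b_s1 = Vrf("VPN_B@PE1", "PE1", "3000:222", {"3000:222", "3000:2"},
                   {"3000:222"}, vpn_b_export)
    vrfs = [vpn_a_s1, vpn_a_s2, vpn_b_s1]
    propagate(vrfs, [(vpn_a_s1, "171.68.0.0/16"), (vpn_a_s2, "192.6.0.0/16"),
                     (vpn_b_s1, "180.1.0.0/16")])
    # VPN_B sees VPN_A Site#1 only; VPN_A Site#2 (192.6.0.0/16) never reaches VPN_B.
    return {v.name: sorted(v.table) for v in vrfs}
```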


MPLS-VPN Services: 4. Internet Access Service to VPN Customers

- Internet access service could be provided as another value-added service to VPN customers
- Security mechanisms must be in place in both the provider network and the customer network, to protect against the Internet's vulnerabilities
- VPN customers benefit from a single point of contact for both intranet and Internet connectivity

MPLS-VPN Services: 4. Internet Access: Different Methods of Service

Four ways to provide the Internet service:
1. VRF-specific default route with the global keyword
2. Separate PE-CE subinterface (non-VRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT

MPLS-VPN Services: 4. Internet Access: Different Methods of Service

1. VRF-specific default route
   1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
   1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
2. Separate PE-CE subinterface (non-VRF)
   - May run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF
   - VPN packets never leave the VRF context; issue with overlapping VPN addresses
4. Extranet with Internet-VRF along with VRF-aware NAT
   - VPN packets never leave the VRF context; works well with overlapping VPN addresses

MPLS-VPN Services: 4.1 Internet Access: VRF-Specific Default Route

[Diagram: Site1 (CE1, 171.68.0.0/16) attached to PE1 on S0; PE1 (192.168.1.2) reaches the Internet GW/ASBR (192.168.1.1) across the MPLS backbone via P]

PE1:
    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
    !
    router bgp 100
     no bgp default ipv4-unicast
     redistribute static
     neighbor 192.168.1.1 remote-as 100
     neighbor 192.168.1.1 activate
     neighbor 192.168.1.1 next-hop-self
     neighbor 192.168.1.1 update-source loopback0
    !
    ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
    ip route 171.68.0.0 255.255.0.0 Serial0

- A default route, pointing to the ASBR, is installed into the site VRF at each PE
- A static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP

MPLS-VPN Services: Internet Access: 4.1 VRF-Specific Default Route (Forwarding)

[Diagram: an IP packet from Site1 to Cisco.com leaves PE1 with label 30 towards the Internet GW PE2 (192.168.1.1), which forwards it unlabelled to the Internet; the return packet to 171.68.1.1 leaves PE2 with label 35 towards PE1 (192.168.1.2), which forwards it out Serial 0 to Site1]

VRF routing/FIB table at PE1:
    Destination   Label/Interface
    0.0.0.0/0     192.168.1.1 (global)
    Site-1        Serial 0

Global routing/FIB table at PE1:
    Destination      Label/Interface
    192.168.1.1/32   Label=30
    171.68.0.0/16    Serial 0

Global table and LFIB at PE2 (Internet GW):
    Destination      Label/Interface
    192.168.1.2/32   Label=35
    171.68.0.0/16    192.168.1.2
    Internet         Serial 0

Advantages
- Different Internet gateways can be used for different VRFs
- PE routers need not hold the Internet table
- Simple configuration

Disadvantages
- Using a default route for Internet routing does not allow any other default route for intra-VPN routing
- Increases the size of the global routing table by leaking VPN routes into it
- Static configuration (possibility of traffic blackholing)

MPLS-VPN Services: 4.2 Internet Access

1. VRF-specific default route
   1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
   1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
2. Separate PE-CE subinterface (non-VRF)
   - May run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF
   - VPN packets never leave the VRF context; overlapping VPN addresses could be a problem
4. Extranet with Internet-VRF along with VRF-aware NAT
   - VPN packets never leave the VRF context; works well with overlapping VPN addresses

4.2 Internet Access Service to VPN Customers Using Separate Subinterface (Config)

[Figure: Site1 (171.68.0.0/16) -- CE1 -- Se0.1 (VRF VPN-A) and Se0.2 (global, BGP-4) -- PE1 (192.168.1.2) -- MPLS backbone -- Internet GW / ASBR (192.168.1.1) -- Internet.]

PE1 configuration:

  ip vrf VPN-A
   rd 100:1
   route-target both 100:1
  !
  interface Serial0.1
   ip vrf forwarding VPN-A
   ip address 192.168.20.1 255.255.255.0
   frame-relay interface-dlci 100
  !
  interface Serial0.2
   ip address 171.68.10.1 255.255.255.0
   frame-relay interface-dlci 200
  !
  router bgp 100
   no bgp default ipv4-unicast
   neighbor 171.68.10.2 remote-as 502
   !
   address-family ipv4
    ! with "no bgp default ipv4-unicast" the Internet session to CE1 must be activated explicitly
    neighbor 171.68.10.2 activate

One sub-interface for VPN routing, associated with the VRF
Another sub-interface for Internet routing, associated with the global routing table
  The PE could advertise full Internet routes or a default route to the CE
  The PE will need to advertise the VPN routes to the Internet (via the global routing table)

Internet Access Service to VPN Customer
4.2 Using Separate Subinterface (Forwarding)

[Figure: Site1 (171.68.0.0/16) -- CE -- S0.1 (VPN) and S0.2 (Internet) -- PE1 (192.168.1.2) -- MPLS backbone -- PE2 / PE-Internet GW (192.168.1.1) -- Internet. An IP packet for cisco.com is sent by the CE over S0.2; PE1 forwards it with label 30 toward 192.168.1.1, and the Internet GW delivers it as a plain IP packet to the Internet.]

CE routing table:
  VPN routes        Serial0.1
  Internet routes   Serial0.2

PE1 global table and FIB:
  Internet routes   next hop 192.168.1.1
  192.168.1.1       Label=30

Pros
  The CE could dual-home and perform optimal routing
  Traffic separation is done by the CE

Cons
  The PE has to hold full Internet routes
  BGP complexity is introduced on the CE; CE1 may need to aggregate to avoid AS_PATH looping

Internet Access Service
4.3 Extranet with Internet-VRF

The Internet routes could be placed within a VRF at the Internet GW, i.e. the ASBR
Customer VRFs could extranet with the Internet VRF and receive either a default, partial or full Internet routes
  Be careful if multiple customer VRFs at the same PE import full Internet routes: each VRF holds its own copy of the table
Works well only if the VPN customers do not have overlapping addresses

Internet Access Service
4.4 Internet Access Using VRF-Aware NAT

If the VPN customers need Internet access without receiving Internet routes, VRF-aware NAT can be used at the Internet GW, i.e. the ASBR
  The Internet GW does not need to hold the Internet routes either (a default route toward the upstream is enough)
  Overlapping VPN addresses are no longer a problem
  More in the VRF-aware NAT slides

Agenda
MPLS VPN Explained
MPLS-VPN Services
  1. Providing Load-Shared Traffic to the Multihomed VPN Sites
  2. Providing Hub and Spoke Service to the VPN Customers
  3. Providing MPLS VPN Extranet Service
  4. Providing Internet Access Service to VPN Customers
  5. Providing VRF-Selection Based Services
  6. Providing Remote Access MPLS VPN
  7. Providing VRF-Aware NAT Services
  8. Providing QoS Service to VPNs
  9. Providing Multicast Service to VPNs
  10. Providing MPLS/VPN over IP Transport
  11. Providing Multi-VRF CE Service
Best Practices
Conclusion

MPLS-VPN Services
7. VRF-Aware NAT Services

VPN customers could be using overlapping IP address space, e.g. 10.0.0.0/8
Such VPN customers must NAT their traffic before using an extranet, the Internet or any shared* service
The PE is capable of NATting the VPN packets, eliminating the need for an extra NAT device

* VoIP, hosted content, management, etc.

MPLS-VPN Services
7. VRF-Aware NAT Services

Typically, inside interface(s) connect to the private address space and outside interface(s) connect to the global address space
  NAT occurs after routing for traffic from inside to outside interfaces
  NAT occurs before routing for traffic from outside to inside interfaces
Each NAT entry is associated with a VRF, so the same inside address can be translated independently for each VRF
Works on VPN packets in the following switching paths: IP->IP, IP->MPLS and MPLS->IP

MPLS-VPN Services:
7. VRF-Aware NAT Services: Internet Access

[Figure: Green VPN site (CE1, 10.1.1.0/24) and Blue VPN site (CE2, 10.1.1.0/24) attach to PE11 and PE12; across the MPLS backbone the PE-ASBR (.1) connects to the Internet next hop 217.34.42.2. On the PE-ASBR the core-facing side is "ip nat inside" and the Internet-facing interface is "ip nat outside".]

VRF-aware NAT specific configuration on the PE-ASBR:

  ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
  ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
  ip nat inside source list vpn-to-nat pool pool-green vrf green
  ip nat inside source list vpn-to-nat pool pool-blue vrf blue
  !
  ip access-list standard vpn-to-nat
   permit 10.1.1.0 0.0.0.255
  !
  ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
  ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global

VRF specific configuration on the PE-ASBR:

  ip vrf green
   rd 3000:111
   route-target both 3000:1
  ip vrf blue
   rd 3000:222
   route-target both 3000:2
  !
  router bgp 3000
   address-family ipv4 vrf green
    network 0.0.0.0
   address-family ipv4 vrf blue
    network 0.0.0.0

MPLS-VPN Services:
7. VRF-Aware NAT Services: Internet Access (Traffic Flows)

[Figure: CE1 (Green, 10.1.1.0/24) sends an IP packet Src=10.1.1.1 Dest=Internet; PE11 forwards it as an MPLS packet (Label=30, Src=10.1.1.1 Dest=Internet) and the P router delivers it to the PE-ASBR with Label=40. CE2 (Blue, 10.1.1.0/24) sends an IP packet with the same source 10.1.1.1. The PE-ASBR emits Src=24.1.1.1 Dest=Internet for the green flow and Src=25.1.1.1 Dest=Internet for the blue flow.]

NAT table on the PE-ASBR:
  Inside local (VRF source)   Inside global   VRF-Table-Id
  10.1.1.1                    24.1.1.1        green
  10.1.1.1                    25.1.1.1        blue

The PE-ASBR removes the label from the received MPLS packet, per its LFIB, which also identifies the VRF the packet belongs to
It performs NAT on the resulting IP packet, using the translation rule of that VRF
It forwards the packet to the Internet
Returning packets are translated back; the NAT entry carries the VRF id, so the packet is put back into the correct VRF context and then routed
This is also one of the ways to provide Internet access to VPN customers, with or without overlapping addresses


MPLS-VPN Services:
11. Providing Multi-VRF CE Service

Is it possible for an IP router to keep multiple customer connections separated?
  Yes, Multi-VRF CE, a.k.a. VRF-lite, can be used
Multi-VRF CE provides multiple virtual routing tables (and forwarding tables), one per customer, on the CE router
  Not a feature but an application of the VRF implementation
  Any routing protocol that is supported by a normal VRF can be used in a Multi-VRF CE implementation
Note that no MPLS functionality is needed on the CE: there is no label exchange between the CE and any other router (including the PE)
One deployment model extends the VRFs to the CE; another extends them further inside the campus (campus virtualization)
  Campus virtualization blends really well with MPLS VPN

MPLS-VPN Services:
11. Providing Multi-VRF CE Service: One Deployment Model, Extending MPLS/VPN to the CE

[Figure: Campus (VRF Green, VRF Red) -- Multi-VRF CE router -- sub-interface links*, one per VRF -- PE router -- MPLS network -- PE router -- Campus (VRF Green, VRF Red).]

PE router:
  ip vrf green
   rd 3000:111
   route-target both 3000:1
  ip vrf blue
   rd 3000:222
   route-target both 3000:2
  ip vrf red
   rd 3000:333
   route-target both 3000:3

Multi-VRF CE router (no route targets needed; nothing is exported into MP-BGP):
  ip vrf green
   rd 3000:111
  ip vrf blue
   rd 3000:222
  ip vrf red
   rd 3000:333

* Sub-interface link: any interface type that supports sub-interfaces, e.g. FE VLAN, Frame Relay or ATM VCs
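The deployment model above in full, as an added example that is not from the deck or from Cisco: a Multi-VRF CE with VRFs green and blue (red follows the same pattern) on 802.1Q sub-interfaces toward the PE and toward the campus, and per-VRF eBGP to the PE. All values are assumed: CE AS 65001, PE AS 3000, PE-CE links 10.0.0.0/30 and 10.0.0.4/30 from provider space, VLANs 101/102 on the PE link, VLANs 201/202 on the campus link, campus subnets 192.168.101.0/24 and 192.168.102.0/24.

```cisco
! Added example, not from the original deck. Values are assumed:
! CE AS 65001, PE AS 3000, VLAN 101/102 toward the PE, VLAN 201/202
! toward the campus. The CE runs no MPLS and no LDP.
!
! ---------------- Multi-VRF CE ----------------
ip vrf green
 rd 3000:111
ip vrf blue
 rd 3000:222
!
! Uplink to the PE: one sub-interface per VRF
interface GigabitEthernet0/0.101
 encapsulation dot1Q 101
 ip vrf forwarding green
 ip address 10.0.0.2 255.255.255.252
interface GigabitEthernet0/0.102
 encapsulation dot1Q 102
 ip vrf forwarding blue
 ip address 10.0.0.6 255.255.255.252
!
! Campus side: one sub-interface per VRF
interface GigabitEthernet0/1.201
 encapsulation dot1Q 201
 ip vrf forwarding green
 ip address 192.168.101.1 255.255.255.0
interface GigabitEthernet0/1.202
 encapsulation dot1Q 202
 ip vrf forwarding blue
 ip address 192.168.102.1 255.255.255.0
!
! Per-VRF eBGP to the PE; each VRF advertises only its own campus subnet
router bgp 65001
 address-family ipv4 vrf green
  network 192.168.101.0 mask 255.255.255.0
  neighbor 10.0.0.1 remote-as 3000
  neighbor 10.0.0.1 activate
 address-family ipv4 vrf blue
  network 192.168.102.0 mask 255.255.255.0
  neighbor 10.0.0.5 remote-as 3000
  neighbor 10.0.0.5 activate
!
! ---------------- PE router ----------------
ip vrf green
 rd 3000:111
 route-target both 3000:1
ip vrf blue
 rd 3000:222
 route-target both 3000:2
!
interface GigabitEthernet0/0.101
 encapsulation dot1Q 101
 ip vrf forwarding green
 ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet0/0.102
 encapsulation dot1Q 102
 ip vrf forwarding blue
 ip address 10.0.0.5 255.255.255.252
!
router bgp 3000
 address-family ipv4 vrf green
  neighbor 10.0.0.2 remote-as 65001
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 maximum-prefix 100 80 restart 5
 address-family ipv4 vrf blue
  neighbor 10.0.0.6 remote-as 65001
  neighbor 10.0.0.6 activate
  neighbor 10.0.0.6 maximum-prefix 100 80 restart 5
```

Separation on the CE rests entirely on the VRF assignment of each sub-interface: a campus VLAN placed in the wrong VRF, or a static route pointing from one VRF at the other VRF's interface, joins the two customers. `show ip vrf interfaces` on the CE lists every interface with its VRF and is the quickest check; `show ip route vrf green` must contain nothing from 192.168.102.0/24.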


Best Practices

1. Use RRs to scale BGP; deploy RRs in pairs for redundancy
   Keep the RRs out of the forwarding path; CEF can be disabled on a pure RR (saves memory)
2. RT and RD should carry the provider's ASN, i.e. ASN:X
   Reserve the first few hundred values of X for internal purposes such as filtering
3. Consider a unique RD per VRF per PE if load sharing of VPN traffic to multihomed sites is required (with the same RD on both PEs the RR keeps and reflects only one best path)
4. Don't use customer names as VRF names; it is a nightmare for the NOC. Use a simple combination of numbers and characters as the VRF name, e.g. v101, v102, v201, v202, and put the customer in the description
5. PE-CE IP addresses should come out of the SP's public address space, to avoid overlapping with customer space
   Use /31 subnetting on PE-CE interfaces
6. Define an upper limit at the PE on the number of prefixes received from the CE, for each VRF or neighbor
   Max routes within the VRF configuration; do suppress the inactive routes, so that routes rejected by the limit are not advertised onwards
   Max-prefix per neighbor within the BGP VRF address family (if BGP is used on the PE-CE link)
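The practices above applied on one PE, as an added example that is not from the deck or from Cisco. Assumed: provider AS 3000, an RR pair at 10.255.0.1 and 10.255.0.2, VRF v101 for a dual-homed customer whose other site attaches to a second PE, PE-CE link 10.254.1.0/31 from provider space, CE AS 65101. The route target 3000:1101 is shared by both PEs of the customer, while the RD differs per PE, and 3000:1 to 3000:299 are kept for internal route targets.

```cisco
! Added example, not from the original deck; all values assumed.
! RT = 3000:1101 (customer 1101, the same on every PE of the customer)
! RD = 3000:11101 on this PE, 3000:21101 on the other PE of the
!      dual-homed site, so both paths survive RR best-path selection
! 3000:1 .. 3000:299 are reserved for internal RTs (filtering)
ip vrf v101
 description ACME Corp, site A (customer 1101)
 rd 3000:11101
 route-target both 3000:1101
 ! warn at 80%, stop installing routes above 1000
 maximum routes 1000 80
!
interface Serial1/0
 description PE-CE to v101 site A
 ip vrf forwarding v101
 ip address 10.254.1.0 255.255.255.254
!
router bgp 3000
 no bgp default ipv4-unicast
 ! RR pair, reached via Loopback0; the RRs stay out of the forwarding path
 neighbor 10.255.0.1 remote-as 3000
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.2 remote-as 3000
 neighbor 10.255.0.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community extended
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 !
 address-family ipv4 vrf v101
  ! routes rejected by "maximum routes" are not advertised to the RRs
  bgp suppress-inactive
  neighbor 10.254.1.1 remote-as 65101
  neighbor 10.254.1.1 activate
  ! per-neighbor limit: warn at 80%, drop the session at 500 prefixes,
  ! retry after 5 minutes
  neighbor 10.254.1.1 maximum-prefix 500 80 restart 5
```

`show ip vrf detail v101` shows the VRF route limit and the current count; `show ip bgp vpnv4 vrf v101 neighbors 10.254.1.1` shows the per-neighbor limit. Once the VRF limit is reached, new routes are kept out of the RIB; without `bgp suppress-inactive` they would still be reflected to the RRs and installed by the other PEs, which would then forward toward a next hop that cannot deliver them.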


Conclusion

MPLS VPN is becoming a cheaper and faster alternative to traditional L2 VPNs
  Secure VPN: per-customer routing and forwarding separation through VRFs and route targets
MPLS VPN paves the way for new revenue streams
  VPN customers could outsource their Layer 3 to the provider
Straightforward to configure an any-to-any VPN topology
  Partial-mesh and hub-and-spoke topologies can also be easily deployed
CsC and Inter-AS could be used to expand into new markets
VRF-aware services could be deployed to maximize the investment

Q and A


Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available onsite at the Cisco Company Store

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.


Additional Slides
Advanced MPLS VPN Topics: Inter-AS and CsC

Agenda
Advanced MPLS VPN Topics
  Inter-AS MPLS-VPN
  CsC (Carrier Supporting Carrier)

What Is Inter-AS?

[Figure: Provider X (AS #1) with RR1, PE-1 and ASBR1; Provider Y (AS #2) with RR2, ASBR2 and PE2. CE-1 (VPN-A, 149.27.2.0/24) attaches to PE-1 and advertises 149.27.2.0/24, NH=CE-1 via BGP, OSPF or RIPv2; PE-1 sends an MP-iBGP update to RR1. CE2 (VPN-A) attaches to PE2 in Provider Y. The link between ASBR1 and ASBR2 is marked "???".]

Problem: how do Provider X and Provider Y exchange VPN routes?

Inter-AS Deployment Scenarios

[Figure: AS #1 (CE1 -- PE1 -- ASBR1) -- ASBR2 -- AS #2 (PE2 -- CE2), VPN-A at both ends.]

Options/scenarios for deploying Inter-AS:
  1. Back-to-back VRFs (Option A)
  2. MP-eBGP for VPNv4 between the ASBRs (Option B)
  3. Multihop MP-eBGP between the RRs (Option C)
  4. Non-VPN transit provider

Each option is covered in the additional slides

Scenario 1: Back-to-Back VRF, Control Plane

[Figure: CE-2 (VPN-B, 10.1.1.0/24) -- PE-1 -- ASBR-1 | ASBR-2 -- PE-2 -- CE-3 (VPN-B). VRF-to-VRF connectivity between the ASBRs.]

Route propagation for 10.1.1.0/24:
  CE-2 -> PE-1: BGP, OSPF or RIPv2, 10.1.1.0/24, NH=CE-2
  PE-1 -> ASBR-1: VPNv4 update RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=29
  ASBR-1: the VPN-B VRF imports routes with route target 1:1
  ASBR-1 -> ASBR-2: plain IPv4 routing (BGP, OSPF or RIPv2) over the VRF-to-VRF link, 10.1.1.0/24, NH=ASBR-1's VRF interface
  ASBR-2: the VPN-B VRF imports routes with route target 1:1 and re-originates the prefix
  ASBR-2 -> PE-2: VPNv4 update RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=92
  PE-2 -> CE-3: BGP, OSPF or RIPv2, 10.1.1.0/24, NH=PE-2

Scenario 1: Back-to-Back VRF, Forwarding Plane

[Figure: packet from CE-3 to 10.1.1.1. PE-2 pushes the VPN label 92 and the LDP label 20 (20 | 92 | 10.1.1.1); P2 pops the top label and ASBR-2 receives (92 | 10.1.1.1). ASBR-2 pops 92, looks the destination up in its VPN-B VRF and forwards a plain IP packet (10.1.1.1) to ASBR-1 over the VRF-to-VRF link. ASBR-1 pushes VPN label 29 and LDP label 30 (30 | 29 | 10.1.1.1); P1 pops the top label, PE-1 receives (29 | 10.1.1.1), pops 29 and delivers the IP packet to CE-2 (VPN-B, 10.1.1.0/24).]

IP packets between the ASBRs

Pros
  Per-customer QoS is possible, since each VRF has its own (sub-)interface between the ASBRs
  Simple and elegant: no Inter-AS specific software feature is needed (but it is still not widely deployed)

Cons
  Not scalable: the number of (sub-)interfaces on both ASBRs grows in proportion to the number of VRFs
  No end-to-end MPLS
  Unnecessary memory consumed in RIB and (L)FIB, since the ASBRs hold every VRF's routes
  Dual-homing of the ASBRs makes provisioning worse

Cisco IOS Configuration
Scenario 1: Back-to-Back VRF Between ASBRs

[Figure: AS #1 (CE-1 -- PE1 -- ASBR1) -- 1.1.1.0/30 -- (ASBR2 -- PE2 -- CE-2) AS #2, VPN-A at both ends. VRF routes are exchanged over the 1.1.1.0/30 link via any routing protocol.]

ASBR VRF and BGP configuration (eBGP between the two VRFs shown; x is the local ASN, y the peer ASN, 1.1.1.x the peer's address on the inter-AS link):

  ip vrf green
   rd 1:1
   route-target both 1:1
  !
  interface <inter-AS link>
   ip vrf forwarding green
   ip address <local 1.1.1.0/30 address> 255.255.255.252
  !
  router bgp x
   address-family ipv4 vrf green
    neighbor 1.1.1.x remote-as y
    neighbor 1.1.1.x activate

Note: the ASBR must already have an MP-iBGP session with its iBGP neighbors, such as the RRs or the PEs

Scenario 2: MP-eBGP Between ASBRs to Exchange VPNv4 Routes

The CLI "no bgp default route-target filter" is needed on the ASBRs; otherwise a router without a matching VRF drops every VPNv4 route whose route targets it does not import
ASBRs exchange VPN routes using eBGP (VPNv4 address family)
ASBRs store all VPN routes
  But only in the BGP table and the LFIB
  Not in the routing table nor in the CEF table
ASBRs don't need
  VRFs to be configured on them
  LDP between them

Scenario 2: MP-eBGP Between ASBRs for VPN, Control Plane

[Figure: CE-2 (VPN-B, 10.1.1.0/24) -- PE-1 -- ASBR-1 | ASBR-2 -- PE-2 -- CE-3 (VPN-B).]

Route propagation for 10.1.1.0/24:
  CE-2 -> PE-1: BGP, OSPF or RIPv2, 10.1.1.0/24, NH=CE-2
  PE-1 -> ASBR-1: MP-iBGP update RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=40
  ASBR-1 -> ASBR-2: MP-eBGP update RD 1:27:10.1.1.0/24, NH=ASBR-1, RT=1:1, Label=20
  ASBR-2 -> PE-2: MP-iBGP update RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=30
  PE-2 -> CE-3: BGP, OSPF or RIPv2, 10.1.1.0/24, NH=PE-2

Scenario 2: MP-eBGP Between ASBRs for VPN, Forwarding Plane

[Figure: packet from CE-3 to 10.1.1.1. PE-2 pushes VPN label 30 and LDP label 20 (20 | 30 | 10.1.1.1); P2 pops the top label and ASBR-2 receives (30 | 10.1.1.1). ASBR-2 swaps 30 -> 20 and sends (20 | 10.1.1.1) to ASBR-1. ASBR-1 swaps 20 -> 40 and pushes LDP label 30 (30 | 40 | 10.1.1.1); P1 pops the top label, PE-1 receives (40 | 10.1.1.1), pops 40 and delivers the IP packet to CE-2 (VPN-B, 10.1.1.0/24).]

MPLS packets between the ASBRs

Pros
  More scalable
    Only one interface between the ASBRs
    No VRF configuration on the ASBR, less memory consumption (no RIB/FIB memory)
  Still simple, more scalable, and works today

Cons
  Automatic route-target filtering must be disabled
    But BGP filtering can be applied instead
  MPLS label switching between providers: each ASBR accepts labelled packets from the other AS
  ASBRs are still required to hold the VPN routes

Cisco IOS Configuration
Scenario 2: External MP-BGP Between ASBRs for VPN

[Figure: AS #1 (CE-1 -- PE1 -- ASBR1) -- 1.1.1.0/30, MP-eBGP for VPNv4 -- (ASBR2 -- PE2 -- CE-2) AS #2, VPN-A at both ends. Label exchange between the ASBRs uses MP-eBGP.]

ASBR MP-eBGP configuration (x is the local ASN, y the peer ASN, 1.1.1.x the peer's address on the inter-AS link):

  router bgp x
   no bgp default route-target filter
   neighbor 1.1.1.x remote-as y
   !
   address-family vpnv4
    neighbor 1.1.1.x activate
    neighbor 1.1.1.x send-community extended

Note: the ASBR must already have an MP-iBGP session with its iBGP neighbors, such as the RRs or the PEs

Scenario 3: Multihop MP-eBGP Between RRs to Exchange VPNv4 Routes

Exchange VPNv4 prefixes via the route reflectors
  Requires multihop MP-eBGP with next-hop-unchanged, so the VPN label stays bound to the originating PE
Exchange IPv4 routes with labels between the directly connected ASBRs using eBGP
  Only the PE loopback addresses need to be exchanged (they are the BGP next-hop addresses of the VPN routes)

Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes, Control Plane

[Figure: AS#1 (CE-2 -- PE-1, RR-1, ASBR-1) and AS#2 (ASBR-2, RR-2, PE-2 -- CE-3), VPN-B at both ends.]

VPN route propagation for 10.1.1.0/24:
  CE-2 -> PE-1: BGP, OSPF or RIPv2, 10.1.1.0/24, NH=CE-2
  PE-1 -> RR-1: VPNv4 update RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=90
  RR-1 -> RR-2 (multihop MP-eBGP, next-hop-unchanged): VPNv4 update RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=90
  RR-2 -> PE-2: VPNv4 update RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=90
  PE-2 -> CE-3: BGP, OSPF or RIPv2, 10.1.1.0/24, NH=PE-2

Propagation of the PE-1 loopback (the BGP next hop) with labels:
  AS#1, IGP+LDP: Network=PE-1, NH=PE-1, Label=40
  ASBR-1 -> ASBR-2, eBGP IPv4+label: Network=PE-1, NH=ASBR-1, Label=20
  AS#2, IGP+LDP: Network=PE-1, NH=ASBR-2, Label=30

Note: instead of IGP+label, iBGP+label can be used to exchange the PE routes/labels. Please see Scenario #5 on slides 49 and 50.

Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes, Forwarding Plane

[Figure: packet from CE-3 to 10.1.1.1. PE-2 pushes VPN label 90 and LDP label 50 (50 | 90 | 10.1.1.1); P2 swaps the top label to 30 (30 | 90 | 10.1.1.1); ASBR-2 swaps 30 -> 20 and sends (20 | 90 | 10.1.1.1) to ASBR-1; ASBR-1 swaps 20 -> 40 (40 | 90 | 10.1.1.1); P1 pops the top label, PE-1 receives (90 | 10.1.1.1), pops 90 and delivers the IP packet to CE-2 (VPN-B, 10.1.1.0/24). RR-1 and RR-2 are not in the forwarding path.]

Note: instead of IGP+label, iBGP+label can be used to exchange the PE routes/labels.

Scenario 3: Pros/Cons

Pros
  More scalable than Scenarios 1 and 2
  Separation of control and forwarding planes
    The route reflectors exchange the VPNv4 routes and labels; they hold the VPNv4 information anyway
    The ASBRs now exchange only IPv4 routes and labels, and forward MPLS packets

Cons
  Advertising PE addresses to another AS may not be acceptable to some providers

Cisco IOS Configuration
Scenario 3: Multihop MP-eBGP Between RRs for VPN

[Figure: AS #1 (CE-1 -- PE1, RR-1, ASBR-1) and AS #2 (ASBR-2, RR-2, PE2 -- CE-2), VPN-A at both ends. Multihop MP-eBGP for VPNv4 with next-hop-unchanged between RR-1 and RR-2; eBGP IPv4 + labels between ASBR-1 and ASBR-2.]

ASBR configuration (x is the local ASN, y the peer ASN):

  router ospf x
   redistribute bgp x subnets
  !
  router bgp x
   neighbor <ASBR-x> remote-as y
   !
   address-family ipv4
    network <PEx> mask 255.255.255.255
    network <RRx> mask 255.255.255.255
    neighbor <ASBR-x> activate
    neighbor <ASBR-x> send-label

RR configuration (x is the local ASN, y the peer ASN):

  router bgp x
   neighbor <RR-x> remote-as y
   neighbor <RR-x> ebgp-multihop
   neighbor <RR-x> update-source Loopback0
   !
   address-family vpnv4
    neighbor <RR-x> activate
    neighbor <RR-x> send-community extended
    neighbor <RR-x> next-hop-unchanged

iBGP IPv4+label could also be used within each AS (instead of the network <x.x.x.x> statements) to propagate the label information for the PEs

Scenario 4: Non-VPN Transit Provider

Two MPLS VPN providers may exchange routes via one or more transit providers
  Which may be non-VPN transit backbones just running MPLS
Multihop MP-eBGP is deployed between the edge providers
  With the exchange of the BGP next hops (and their labels) via the transit provider

Scenario 4: Non-VPN Transit Provider

[Figure: MPLS VPN Provider #1 (CE-2 -- PE1, RR-1, ASBR-1) -- Non-VPN MPLS transit backbone (ASBR-2 ... ASBR-3) -- MPLS VPN Provider #2 (ASBR-4, RR-2, PE2 -- CE-3), VPN-B at both ends.
  iBGP IPv4 + labels inside each VPN provider (PE1 - RR-1 - ASBR-1 and ASBR-4 - RR-2 - PE2)
  eBGP IPv4 + labels on the ASBR-1 - ASBR-2 and ASBR-3 - ASBR-4 links
  Multihop MP-eBGP (or MP-iBGP) for VPNv4 between RR-1 and RR-2, with next-hop-unchanged]

Route-Target Rewrite at ASBR

The ASBR can add/delete the route targets associated with a VPNv4 prefix
  Secures the VPN environment: the route targets used inside each AS stay local, and the ASBR maps the peer's values onto locally chosen ones (here 100:100 is deleted and 123:123 added) instead of letting the peer's RT values reach the local VRFs unchanged

  ! standard extcommunity-list (1-99), which accepts the rt keyword
  ASBR(config)# ip extcommunity-list 10 permit rt 100:100
  ASBR(config)# route-map route-target-delete permit 10
  ASBR(config-route-map)# match extcommunity 10
  ASBR(config-route-map)# set extcomm-list 10 delete
  ASBR(config-route-map)# set extcommunity rt 123:123 additive
  ASBR(config-route-map)# exit
  ASBR(config)# router bgp 1000
  ASBR(config-router)# address-family vpnv4
  ASBR(config-router-af)# neighbor 1.1.1.1 route-map route-target-delete out

Prefixes that do not carry 100:100 are dropped by the route-map's implicit deny; add a further permit clause if they should pass unchanged

Inter-AS Deployment Guidelines

1. Use the ASN in the route target, i.e. ASN:xxxx
2. Max-prefix limit (both BGP and VRF) on the PEs
3. Security (BGP MD5, BGP filtering, BGP max-prefix, etc.) on the ASBRs
4. End-to-end QoS agreement on the ASBRs
5. Route-target rewrite on the ASBR
6. Internet connectivity on the same ASBR??
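Guideline items 1, 2, 3 and 5 applied to the Option B ASBR of Scenario 2, as an added example that is not from the deck or from Cisco. Assumed: local AS 1, partner AS 2, inter-AS link 1.1.1.0/30 with ASBR1 at 1.1.1.1 and ASBR2 at 1.1.1.2, one agreed extranet VPN that the partner exports with RT 2:500 and that is known locally as RT 1:500; the route-map and list names, the MD5 key and the prefix limit are chosen for illustration. Every other route target the partner sends is dropped, and nothing that does not carry RT 1:500 is sent to the partner.

```cisco
! Added example, not from the original deck; all values assumed.
! ASBR1 in AS 1, Option B peering with ASBR2 (1.1.1.2) in AS 2.
interface GigabitEthernet0/0
 description Inter-AS link to AS 2 ASBR2
 ip address 1.1.1.1 255.255.255.252
 ! labelled packets from the partner are accepted on this link only
 mpls bgp forwarding
!
! RT carried by the partner's extranet export
ip extcommunity-list 10 permit rt 2:500
! RT that marks the routes we are allowed to hand to the partner
ip extcommunity-list 20 permit rt 1:500
!
! Inbound: keep only prefixes tagged 2:500 and replace the whole RT
! set with the local value (non-additive set), so the partner can never
! tag a prefix into an arbitrary local VRF. Implicit deny for the rest.
route-map INTERAS-IN permit 10
 match extcommunity 10
 set extcommunity rt 1:500
!
! Outbound: only routes carrying 1:500 leave the AS, rewritten to the
! value agreed with the partner.
route-map INTERAS-OUT permit 10
 match extcommunity 20
 set extcommunity rt 2:500
!
router bgp 1
 no bgp default route-target filter
 neighbor 1.1.1.2 remote-as 2
 neighbor 1.1.1.2 description AS 2 ASBR2, Option B
 neighbor 1.1.1.2 password InterAS-Example-Key
 ! GTSM: only accept packets that arrived with TTL 255, i.e. from the
 ! directly connected peer
 neighbor 1.1.1.2 ttl-security hops 1
 !
 address-family vpnv4
  neighbor 1.1.1.2 activate
  neighbor 1.1.1.2 send-community extended
  neighbor 1.1.1.2 maximum-prefix 5000 80 restart 10
  neighbor 1.1.1.2 route-map INTERAS-IN in
  neighbor 1.1.1.2 route-map INTERAS-OUT out
```

`show ip bgp vpnv4 all neighbors 1.1.1.2 routes` lists what survived INTERAS-IN; every entry should show only RT:1:500 in its extended community. Item 6 is the question the deck leaves open: with Option B this box forwards on whatever label the partner puts on a packet, so if the same ASBR also carried global Internet traffic, labels allocated for Internet next hops would be reachable from the partner as well. Keeping the Internet peering on a separate ASBR, or at least on interfaces without `mpls bgp forwarding`, avoids that.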


MPLS/VPN Networks Without CsC

The number of VPN routes is one of the biggest limiting factors in scaling the PE router
  A few SPs are running into this scaling limitation
If the number of VPN routes can be reduced somehow (without losing functionality), the existing investment can be protected
  The same PE can still be used to connect more VPN customers
Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes in each VRF, by enabling MPLS on the PE-CE link: the PE only needs the customer carrier's internal routes (its PE/RR loopbacks), not the customer carrier's external routes

CsC Deployment Model

[Figure: Carrier's MPLS core (PE1 -- P1 -- PE2; IGP+LDP in the core; MP-iBGP for VPNv4 between PE1 and PE2). ISP PoP Site-1 (CE-1, ASBR-1, R1) attaches to PE1 and ISP PoP Site-2 (CE-2, C1, ASBR-2, R2) attaches to PE2, each over an MPLS-enabled VRF interface. On each PE-CE link: IPv4 routes with label distribution. Inside the ISP: internal routes = IGP routes; ISP customers = external routes; a full-mesh iBGP between the ISP sites carries the external routes. ASBR-1 and ASBR-2 connect the ISP to the Internet.]

Benefits of CsC

Provide transport for ISPs ($)
  No need to manage the external routes of the ISPs
Build an MPLS Internet Exchange (MPLS-IX) ($$)
  Media independence: POS, FDDI, PPP possible
  Higher speeds, such as OC-192 or more
  Operational benefits
Sell VPN service to subsidiary companies that themselves provide VPN service ($)

What Do I Need to Enable CsC?

1. Build an MPLS-VPN enabled carrier's network
2. Connect the ISP/SP's sites (or PoPs) to the carrier's PEs
3. Exchange internal routes + labels between the carrier's PE and the ISP/SP's CE
4. Exchange external routes directly between the ISP/SP's sites
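Steps 2 to 4 in configuration, as an added example that is not from the deck or from Cisco: the carrier's PE1 (AS 100) connects ISP PoP Site-1 through CE-1 (ISP AS 200) on an MPLS-enabled VRF interface using eBGP with labels, and the CE hands the carrier only the ISP's internal loopbacks, never its customers' routes. Assumed values: VRF ISP-A, PE-CE link 10.10.10.0/30, carrier RR 10.255.0.1, the ISP loopback 30.1.61.25/32 from the deck's diagram inside a 30.1.61.0/24 loopback range, OSPF process 1 as the ISP's IGP, and the interface and list names.

```cisco
! Added example, not from the original deck; values assumed as above.
!
! ---------------- Carrier PE1 (AS 100) ----------------
ip vrf ISP-A
 rd 100:200
 route-target both 100:200
 ! the VRF only ever holds ISP-A's internal routes, so a low limit is safe
 maximum routes 500 80
!
interface Serial0/0
 description CsC link to ISP-A CE-1
 ip vrf forwarding ISP-A
 ip address 10.10.10.1 255.255.255.252
 ! labelled packets are exchanged on this VRF interface
 mpls bgp forwarding
!
router bgp 100
 neighbor 10.255.0.1 remote-as 100
 neighbor 10.255.0.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community extended
 !
 address-family ipv4 vrf ISP-A
  neighbor 10.10.10.2 remote-as 200
  neighbor 10.10.10.2 activate
  ! step 3: IPv4 routes + labels on the PE-CE link
  neighbor 10.10.10.2 send-label
  ! both ISP sites are AS 200; without this the far site would drop
  ! the routes for an AS-path loop
  neighbor 10.10.10.2 as-override
  neighbor 10.10.10.2 maximum-prefix 500 80 restart 5
!
! ---------------- ISP CE-1 (AS 200) ----------------
mpls label protocol ldp
!
interface Serial0/0
 description CsC link to carrier PE1
 ip address 10.10.10.2 255.255.255.252
 mpls bgp forwarding
!
interface GigabitEthernet0/1
 description toward ASBR_PE-1 (ISP core), IGP + LDP
 ip address 30.1.62.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 30.1.0.0 0.0.255.255 area 0
 ! remote-site loopbacks learned from the carrier go back into IGP+LDP
 redistribute bgp 200 subnets
!
! Only the ISP's own loopbacks (step 3); the customers' routes stay in
! the ISP's own iBGP full mesh between its sites (step 4).
ip prefix-list ISP-INTERNAL seq 5 permit 30.1.61.0/24 ge 32
route-map INTERNAL-ONLY permit 10
 match ip address prefix-list ISP-INTERNAL
!
router bgp 200
 neighbor 10.10.10.1 remote-as 100
 !
 address-family ipv4
  redistribute ospf 1 route-map INTERNAL-ONLY
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-label
```

On the PE, `show ip bgp vpnv4 vrf ISP-A labels` should list only /32 loopbacks from 30.1.61.0/24 with an in and out label; the appearance of any ISP customer prefix there means INTERNAL-ONLY on the CE is too loose and the carrier's PE is starting to carry the external routes CsC was meant to keep out of it.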


CsC Deployment Models

1. Customer ISP not running MPLS
2. Customer ISP running MPLS
3. Customer ISP running MPLS-VPN

Models 1 and 2 are less common deployments. Model 3 is discussed in detail.

CsC: ISP Sites Are Running MPLS-VPN (Hierarchical MPLS-VPN), Control Plane

[Figure: Carrier's core PE1 -- P1 -- PE2. ISP PoP Site-1: CE-1 -- ASBR_PE-1 (loopback 30.1.61.25/32) -- R1 (VPN Site-1, 10.1.1.0/24). ISP PoP Site-2: CE-2 -- C1 -- ASBR_PE-2 -- R2 (VPN Site-2).]

Propagation of the ISP internal route 30.1.61.25/32 (ASBR_PE-1's loopback) with labels:
  ASBR_PE-1 -> CE-1, IGP+LDP: 30.1.61.25/32, Label=pop
  CE-1 -> PE1 (VRF interface): 30.1.61.25/32, NH=CE-1, Label=50
  PE1 -> PE2, MP-iBGP: 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51
  Carrier core, IGP+LDP: Net=PE-1, Label=pop (advertised by PE1) and Net=PE-1, Label=16 (advertised by P1)
  PE2 -> CE-2 (VRF interface): 30.1.61.25/32, NH=PE-2, Label=52
  CE-2 -> C1, IGP+LDP: 30.1.61.25/32, NH=CE-2, Label=60
  C1 -> ASBR_PE-2, IGP+LDP: 30.1.61.25/32, NH=C1, Label=70

Propagation of the ISP's VPN customer route 10.1.1.0/24 (external to the carrier, which never sees it):
  R1 -> ASBR_PE-1: 10.1.1.0/24, NH=R1
  ASBR_PE-1 -> ASBR_PE-2, MP-iBGP: 1:1:10.1.1.0/24, RT=1:1, NH=30.1.61.25/32, Label=90
  ASBR_PE-2 -> R2: 10.1.1.0/24, NH=ASBR_PE-2

CsC: ISP Sites Are Running MPLS-VPN (Hierarchical MPLS-VPN), Forwarding Plane

[Figure: packet from R2 (VPN Site-2) to 10.1.1.1 in VPN Site-1 (10.1.1.0/24 behind R1); ASBR-1 and ASBR-2 here are ASBR_PE-1 and ASBR_PE-2 of the control-plane slide.
  R2 -> ASBR-2: IP packet 10.1.1.1
  ASBR-2 -> C1: 70 | 90 | 10.1.1.1 (VPN label 90 from ASBR_PE-1, LDP label 70 toward 30.1.61.25)
  C1 -> CE-2: 60 | 90 | 10.1.1.1
  CE-2 -> PE2: 52 | 90 | 10.1.1.1 (label 52 learned from PE2 on the VRF interface)
  PE2 -> P1: 16 | 51 | 90 | 10.1.1.1 (VPN label 51 from PE1, LDP label 16 toward PE1)
  P1 -> PE1: 51 | 90 | 10.1.1.1 (penultimate hop pop)
  PE1 -> CE-1: 50 | 90 | 10.1.1.1
  CE-1 -> ASBR-1: 90 | 10.1.1.1 (label 50 popped)
  ASBR-1 -> R1: IP packet 10.1.1.1 (VPN label 90 popped into the ISP's VRF)
The carrier only ever switches on labels 50, 51, 52 and 16; the ISP's VPN label 90 is carried transparently end to end.]