Deploying IPMPLSVPN

Deploying MPLS VPN Networks
Ade Yudha G Rahman Isnaini Rommy Kuntoro
BRKRST-2102 14416_04_2008_c1
2008 Cisco Systems, Inc. All rights reserved.
Cisco Public
Abstract
Multi Protocol Label Switching (MPLS) has been widely adopted by the Network Operators to provide scalable L2, L3 VPN, traffic engineering services etc. Enterprises are fast adopting this technology to address network segmentation and traffic separation needs. This session covers MPLS Layer3 VPN, which is the most adopted MPLS application. The session will cover:
MPLS VPN Technology Overview (RFC2547/RFC4364) MPLS/VPN Configuration Overview MPLS/VPN-based services (multihoming, Hub&Spoke, extranet, Internet, NAT, VRF-lite, etc.)
Best Practices
BRKRST-2102 14416_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Agenda
MPLS VPN Overview
MPLS VPN Services Best Practices
Conclusion
BRKRST-2102 14416_04_2008_c1
Cisco Public
Prerequisites
Must understand basic IP routing, especially BGP
Must understand MPLS basics (push, pop, swap, label stacking) Should understand MPLS VPN basics Must keep the speaker engaged
by asking bad questions
BRKRST-2102 14416_04_2008_c1
Cisco Public
Terminology
LSR: label switch router LSP: label switched path
The chain of labels that are swapped at each hop to get from one LSR to another
VRF: VPN routing and forwarding

Mechanism in Cisco IOS used to build per-customer RIB and FIB
MP-BGP: multiprotocol BGP PE: provider edge router interfaces with CE routers P: provider (core) router, without knowledge of VPN VPNv4: address family used in BGP to carry MPLS-VPN routes RD: route distinguisher
Distinguish same network/mask prefix in different VRFs
RT: route target

Extended community attribute used to control import and export policies of VPN routes
LFIB: label forwarding information base FIB: forwarding information base

Agenda
MPLS VPN Overview
Technology (how it works) Configuration
MPLS-VPN Services Best Practices Conclusion
BRKRST-2102 14416_04_2008_c1
Cisco Public
MPLS-VPN Technology
More than one routing and forwarding tables
Control planeVPN route propagation Data or forwarding planeVPN packet forwarding
BRKRST-2102 14416_04_2008_c1
Cisco Public
MPLS-VPN Technology MPLS VPN Connection Model

CE PE CE MPLS Backbone P P CE MP-iBGP Session P P PE CE
PE Routers Sit at the Edge Use MPLS with P routers Uses IP with CE routers Distributes VPN information through MP-BGP to other PE routers
P Routers Sit inside the network Forward packets by looking at labels P and PE routers share a common IGP
BRKRST-2102 14416_04_2008_c1
Cisco Public
MPLS-VPN Technology
Separate Routing Tables at PE
CE2
VPN 2
PE
CE1
VPN 1
MPLS Backbone IGP (OSPF, ISIS)
Customer Specific Routing Table Routing (RIB) and forwarding table (CEF) dedicated to VPN customer
VPN1 routing table VPN2 routing table
Global Routing Table Created when IP routing is enabled on PE. Populated by OSPF, ISIS, etc. inside the MPLS backbone
Referred to as VRF table for the <named VPN>. show ip route vrf <name>
show ip route
BRKRST-2102 14416_04_2008_c1
Cisco Public
MPLS-VPN Technology Virtual Routing and Forwarding Instance (1)

CE2
VPN 2 CE1
VPN 1
VRF Green PE MPLS Backbone IGP (OSPF, ISIS)

Ser0/0
VRF Blue
Whats a Virtual Routing and Forwarding (VRF) ?

VRF represents the VPN customer inside the SP MPLS network Each VPN is associated with at least one VRF
VRF must be defined (locally significant) on each PE and associated with one or more PE-CE interfaces;
Privatize an interface, i.e., coloring of the interface
Each VRF has a dedicated routing table and forwarding table, and a dedicated instance of the routing protocol (static, RIP, BGP, EIGRP, ISIS, OSPF) PE(conf)#ip vrf green
PE is capable of VRF-aware routing protocol
No changes needed at the CE

BRKRST-2102 14416_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved.
PE(conf)#interface Ser0/0 PE(conf)#ip vrf forwarding blue 10
CE router runs whatever software Cisco Public
MPLS-VPN Technology Virtual Routing and Forwarding Instance (2)

CE2
VPN 2
EBGP, OSPF, RIPv2, Static CE1 VPN 1 PE MPLS Backbone IGP (OSPF, ISIS)
PE installs the routes, learned from CE routers or other PE routers, in the appropriate VRF routing table(s).
More on this in the Control Plane slides later on.
PE installs the IGP (backbone) routes in the global routing table
VPN customers can use overlapping IP addresses

BGP plays a key role. Lets understand few BGP specific details..
BRKRST-2102 14416_04_2008_c1
Cisco Public
11
MPLS-VPN Technology: Control Plane

The Control Plane for MPLS VPN Is Multi-Protocol BGP
8 Bytes 4 Bytes 8 Bytes 3 Bytes
1:1 RD VPNv4
10.1.1.0 IPv4 Route-Target Label
MP-BGP UPDATE message showing only VPNv4 address, RT, Label

MP-BGP Customizes the VPN customer Routing Information as per the locally configured VRF information at the PE -
Route Distinguisher (RD)

Route Target (RT) Label
12
MPLS-VPN Technology: Control Plane MP-BGP UPDATE Message Capture

This capture might help to visualize how the BGP UPDATE message advertising VPNv4 routes look like.
Notice the Path Attributes.
Route Target 3:3
MP_REACH_NLRI 1:1:200.1.62.4/30
BRKRST-2102 14416_04_2008_c1
Cisco Public
13
MPLS VPN Control Plane

MP-BGP Update Components: RD & VPNv4 Address
8 Bytes 4 Bytes 8 Bytes 3 Bytes
1:1 RD VPNv4
10.1.1.0 IPv4 Route-Target Label
MP-BGP update showing RD, RT, and label

VPN customer IPv4 address is converted into a VPNv4 address by appending RD to the IPv4 address i.e. 1:1:10.1.1.0
Makes the customers IPv4 route unique inside the SP MPLS network.
Each VRF should* be configured with an RD at the PE

RD is what that defines the VRF
! ip vrf green rd 1:1 !
BRKRST-2102 14416_04_2008_c1
* After 12.4(3)T, 12.4(3) 12.2(32)S, 12.0(32)S etc., RD Configuration within VRF Has BecomeInc. All rights reserved.Prior to that, It Was Mandatory. 2008 Cisco Systems, Optional. Cisco Public
14

MP-BGP Update Components: Route-Target
8 Bytes 4 Bytes 8 Bytes 2:2 Route-Target Label 3 Bytes
1:1 RD VPNv4
10.1.1.0 IPv4
MP-BGP update showing RD, RT, and Label

Route-target (RT): identifies the VRF for the received VPNv4 prefix. It is an 8-byte extended community attribute. Each VRF is configured with a set of RT(s) at the PE
RT helps to identify which VRF(s) get the VPN route
! ip vrf green route-target import 1:1 route-target export 1:2 !
BRKRST-2102 14416_04_2008_c1
Cisco Public
15

MP-BGP Update Components: Label
8 Bytes 4 Bytes 8 Bytes 2:2 Route-Target 3 Bytes
1:1 RD VPNv4
10.1.1.0 IPv4
50 Label
MP-BGP update showing RD, RT, and label

PE assigns a label for the VPNv4 prefix; Label is not an attribute.
Next-hop-self towards MP-iBGP neighbors by default i.e. PE sets the NEXTHOP attribute to its own address (loopback)
PE addresses used as BGP next-hop must be uniquely known in the backbone IGP
Do not summarize the PE loopback addresses in the core
16
MPLS VPN Control Plane:

Putting It All Together
Site 1
10.1.1.0/24
3
CE1
MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=1:2, Label=100
Site 2
2
10.1.1.0/24 Next-Hop=CE-1
CE2
PE1
P PE2
MPLS Backbone
1. PE1 receives an IPv4 update (eBGP/OSPF/ISIS/RIP/EIGRP) 2. PE1 translates it into VPNv4 address and constructs the MPiBGP UPDATE message
Associates the RT values (import RT value=1:2) per VRF configuration Rewrites next-hop attribute to itself Assigns a label (100, say); Installs it in the MPLS forwarding table.
3. PE1 sends MP-iBGP update to other PE routers

17
MPLS VPN Control Plane:

Putting It All Together
Site 1
10.1.1.0/24
3
CE1
MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=1:2, Label=100
10.1.1.0/24 Next-Hop=PE-2
Site 2
5 4
CE2
2
10.1.1.0/24 Next-Hop=CE-1
PE1
P PE2
MPLS Backbone
4. PE2 receives and checks whether the RT=1:2 is locally configured as import RT within any VRF, if yes, then
PE2 translates VPNv4 prefix back in IPv4 prefix
Updates the VRF CEF Table for 10.1.1.0/24 with label=100
5. PE2 advertises this IPv4 prefix to CE2 (using whatever routing protocol)
BRKRST-2102 14416_04_2008_c1
Cisco Public
18
MPLS-VPN Forwarding Plane Review

Site 1
10.1.1.0/24
Site 2 CE1 PE1 P3 P4 PE2 CE2
P1
P2
VRF Green Forwarding Table Dest NextHop 10.1.1.0/24-PE1, label: 100
Global Routing/Forwarding Table Dest Next-Hop PE2 P3, Label: 50
Global Routing/Forwarding Table Dest Next-Hop PE1 P2, Label: 25
Global Forwarding Table (show ip cef)

Stores Next-hop routes with associated labels Next-hop routes learned through IGP Label learned through LDP/TDP
VRF Forwarding Table (show ip cef vrf <vrf>)

Stores VPN routes with associated labels
VPN routes learned through BGP

Labels learned through MP-BGP
BRKRST-2102 14416_04_2008_c1
Cisco Public
19
MPLS-VPN Forwarding Plane Packet Forwarding

Site 1
10.1.1.0/24
Site 2 CE1 P3 10.1.1.1 IP Packet PE1 P4 PE2 10.1.1.1 P1 P2
CE2 10.1.1.1
IP Packet
100
50
100
10.1.1.1
25
100
10.1.1.1
MPLS Packet
PE2 imposes two labels (MPLS headers) for each packet going to the VPN destination 10.1.1.1.
Outer label is LDP learned; Corresponds derived from an IGP route
Inner label is learned via MP-BGP; corresponds to the VPN address
PE1 recovers the IP packet (from the received MPLS packet) and forwards it to CE1.
20
MPLS-VPN Technology: Control Plane MPLS Packet Capture

This capture might be helpful if you never captured an MPLS packet before.
Ethernet Header Outer Label Inner Label IP packet
BRKRST-2102 14416_04_2008_c1
Cisco Public
21
Agenda
MPLS VPN Explained
Technology Configuration
MPLS-VPN Services Best Practices Conclusion
BRKRST-2102 14416_04_2008_c1
Cisco Public
22
MPLS VPN Sample Configuration (IOS)

VRF Definition
Site 1 CE1
10.1.1.0/24 ip vrf VPN-A rd 1:1 route-target export route-target import 100:1 100:1
PE1 Se0 192.168.10.1

PE1
interface Serial0 ip address 192.168.10.1 255.255.255.0 ip vrf forwarding VPN-A
PE-P Configuration
P Se0
Interface Serial1 ip address 130.130.1.1 255.255.255.252 mpls ip
PE1 s1
PE1
router ospf 1 network 130.130.1.0 0.0.0.3 area 0
BRKRST-2102 14416_04_2008_c1
Cisco Public
23

PE: MP-IBGP Config
RR PE1 PE2
router bgp 1 neighbor 1.2.3.4 remote-as 1 neighbor 1.2.3.4 update-source loopback0 ! address-family vpnv4 neighbor 1.2.3.4 activate neighbor 1.2.3.4 send-community both !
PE1
RR: MP-IBGP Config

RR PE1 PE2 RR
router bgp 1 no bgp default route-target filter neighbor 1.2.3.6 remote-as 1 neighbor 1.2.3.6 update-source loopback0 ! address-family vpnv4 neighbor 1.2.3.6 route-reflector- client neighbor 1.2.3.6 activate !
BRKRST-2102 14416_04_2008_c1
Cisco Public
24

PE-CE Routing:
Site 1
10.1.1.0/24 192.168.10.2 192.168.10.1
BGP
PE1
router bgp 1 ! address-family ipv4 vrf VPN-A neighbor 192.168.10.2 remote-as 2 neighbor 192.168.10.2 activate exit-address-family !
CE1
PE1
PE-CE Routing:
Site 1
10.1.1.0/24 192.168.10.2 192.168.10.1
OSPF
PE1 PE1
router ospf 1 ! router ospf 2 vrf VPN-A network 192.168.10.0 0.0.0.255 area 0 redistribute bgp 1 subnets !
CE1
BRKRST-2102 14416_04_2008_c1
Cisco Public
25

PE-CE Routing:
Site 1
10.1.1.0/24 192.168.10.2 192.168.10.1
RIP
CE1
PE1
router rip ! address-family ipv4 vrf VPN-A version 2 no auto-summary network 192.168.10.0 redistribute bgp 1 metric transparent !
PE-CE Routing:
Site 1
10.1.1.0/24 192.168.10.2 192.168.10.1
EIGRP
CE1 PE1
router eigrp 1 ! address-family ipv4 vrf VPN-A no auto-summary network 192.168.10.0 0.0.0.255 autonomous-system 1 redistribute bgp 1 metric 100000 100 255 1 1500 !
BRKRST-2102 14416_04_2008_c1
Cisco Public
26

PE-CE Routing:
Site 1
10.1.1.0/24 192.168.10.2 192.168.10.1
Static
ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
CE1
PE1
If PE-CE Protocol Is non-BGP, then Redistribution of Other Sites VPN Routes from MP-IBGP Is Required (Shown Below for RIP)
PE-CE MB-iBGP Routes to VPN

Site 1 RR PE1 CE1
router rip address-family ipv4 vrf VPN-A version 2 redistribute bgp 1 metric transparent no auto-summary network 192.168.10.0 exit-address-family
BRKRST-2102 14416_04_2008_c1
Cisco Public
27

If PE-CE Protocol Is non-BGP, then Redistribution of Local VPN Routes into MP-IBGP Is Required (Shown Below)
PE-RR (VPN Routes to VPNv4)

Site 1 RR PE1 CE1
router bgp 1 neighbor 1.2.3.4 remote-as 1 neighbor 1.2.3.4 update-source loopback 0 address-family ipv4 vrf VPN-A redistribute {rip|connected|static|eigrp|ospf}
For config hands-on, please attend Configuring MPLS VPNs (LABCRT-2208) session
Having familiarized with IOS based config, lets glance through the IOX-based config for VPNs
28
MPLS VPN Sample Configuration (IOX)

VRF Definition
Site 1 CE1
10.1.1.0/24 vrf VPN-A router-id 192.168.10.1 address-family ipv4 unicast import route-target 100:1 export route-target 100:1 export route-policy raj-exp interface Serial0 vrf VPN-A ipv4 address 192.168.10.1/24
PE1 Se0 192.168.10.1 PE1
PE-CE Routing:
Site 1
10.1.1.0/24
BGP
CE1 PE1 PE1
192.168.10.2
192.168.10.1
router bgp 1 vrf VPN-A rd 1:1 address-family ipv4 unicast redistribute connected ! neighbor 192.168.10.2 remote-as 2 address-family ipv4 unicast route-policy raj-temp in ! ! ! !
29
BRKRST-2102 14416_04_2008_c1
Cisco Public
Agenda
MPLS VPN Explained MPLS-VPN Services
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Providing Load-Shared Traffic to the Multihomed VPN Sites Providing Hub and Spoke Service to the VPN Customers Providing MPLS VPN Extranet Service Providing Internet Access Service to VPN Customers Providing VRF-Selection Based Services Providing Remote Access MPLS VPN Providing VRF-Aware NAT Services Providing QoS Service to VPNs Providing Multicast Service to VPNs Providing MPLS/VPN over IP Transport Providing Multi-VRF CE Service
Best Practices Conclusion

30
MPLS VPN Services:

1. Loadsharing for the VPN Traffic
RR PE11 CE1
171.68.2.0/24
PE2 PE12
CE2
Site A MPLS Backbone Route Advertisement
Site B
VPN sites (such as Site A) could be multihomed VPN customer may demand the traffic (to the multihomed site) be loadshared
BRKRST-2102 14416_04_2008_c1
Cisco Public
31
MPLS VPN Services:

1. Loadsharing for the VPN Traffic: Cases
1 CE 2 PEs
CE1
171.68.2.0/24
RR PE11 PE2 PE12 CE2
Site A MPLS Backbone Traffic Flow
Site B
2 CEs 2 PEs
PE11
RR
CE1
PE2
171.68.2.0/24 CE2
CE2
PE12 Site B Site A MPLS Backbone Traffic Flow

32
MPLS VPN Services:

1. Loadsharing for the VPN Traffic: Deployment
How to deploy the loadsharing?
Configure unique RD per VRF per PE for multihomed site/interfaces
Assuming RR exists
Enable BGP multipath within the relevant BGP VRF address-family at remote/receiving PE2 (why PE2?)
ip vrf green rd 300:11 route-target both 1:1 PE11 CE1
171.68.2.0/24
2 RR
router bgp 1 address-family ipv4 vrf green maximum-paths eibgp 2 PE2 CE2
PE12 1 Site A ip vrf green rd 300:12 route-target both 1:1
MPLS Backbone
1
Site B ip vrf green rd 300:13 route-target both 1:1

33
BRKRST-2102 14416_04_2008_c1
Cisco Public
MPLS VPN Services:

1. VPN Fast ConvergencePE-CE Link Failure
Traffic Is Dropped by PE11 CE1
171.68.2.0/24
RR PE11 PE2 PE12
VPN Traffic Redirected VPN Traffic CE2
Site A
MPLS Backbone
Site B
In a classic case, PE11, upon detecting the PE-CE link failure, sends BGP message to withdraw all the related VPN routes from the MPLS/VPN network
This results in the remote PE routers selecting the alternate bestpath (if any), but until then, they keep sending the MPLS/VPN traffic to PE11, which keeps dropping the traffic
IOS and IOX now have incorporated a Fast Local Repair feature to minimize the loss due to the PE-CE link failure from sec to msec
BRKRST-2102 14416_04_2008_c1
Cisco Public
35
MPLS VPN Services:

1. VPN Fast ConvergencePE-CE Link Failure
Traffic Is Redirected by PE11 CE1
171.68.2.0/24
RR PE11 PE2
VPN Traffic Redirected VPN Traffic CE2
Site A PE12
MPLS Backbone
Site B
This feature helps PE11 to minimize the traffic loss from sec to msec, by redirecting the CE1 bound traffic to PE12 (with the right label), which forwards the traffic to CE1
PE11 immediately reprograms the forwarding entry after selecting the alternate BGP best path (which is via PE12)
In parallel, PE11 sends the BGP withdraw message to RR/PE2, which will run the bestpath algorithm and removes the path learned via PE11, and then adjust their forwarding entries via PE12
This feature is independent of whether multipath is enabled on PE2 or not, however, dependent on VPN site multihoming
36
Agenda

37
MPLS-VPN Services:
2. Hub and Spoke Service to the VPN Customers
Traditionally, VPN deployments were hub and spoke, and need to continue for valid reasons
Spoke to spoke communication is via Hub site only
Despite MPLS VPNs implicit any-to-any, i.e., full-mesh connectivity, hub and spoke service can easily be offered
Done with import and export of route-target (RT) values Requires unique RD per VRF per PE
PE routers can run any routing protocol with VPN customer hub and spoke sites independently
BRKRST-2102 14416_04_2008_c1
Cisco Public
38
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration
ip vrf green-spoke1 description VRF for SPOKE A rd 300:111 route-target export 1:1 route-target import 2:2 Spoke A
171.68.1.0/24
CE-SA
PE-SA
ip vrf HUB-OUT description VRF for traffic from HUB rd 300:11 route-target import 1:1 Eth0/0.1 PE-Hub Eth0/0.2
Spoke B
171.68.2.0/24
CE-SB
PE-SB MPLS VPN Backbone ip vrf HUB-IN description VRF for traffic to HUB rd 300:12 route-target export 2:2
ip vrf green-spoke2 description VRF for SPOKE B rd 300:112 route-target export 1:1 route-target import 2:2
Note: Only VRF Configuration Is Shown Here

39
MPLS-VPN Services:
If BGP is used between every PE and CE, then as-override and allowas-in knobs must be used at the PE_Hub*
Otherwise AS_PATH looping will occur
If the spoke sites only need the default route from the hub site, then it is possible to use a single interface between PE-hub and CE-hub (instead of two interfaces as shown on the previous slide)
Let CE-hub router advertise the default or aggregate Avoid generating a BGP aggregate at the PE
* Configuration for this Is Shown on the Next Slide

40
MPLS-VPN Services:
ip vrf green-spoke1 description VRF for SPOKE A rd 300:111 route-target export 1:1 route-target import 2:2 Spoke A
171.68.1.0/24 router bgp <ASN> address-family ipv4 vrf HUB-OUT neighbor <CE> as-override
CE-SA
PE-SA
ip vrf HUB-OUT description VRF for traffic from HUB rd 300:11 route-target import 1:1 Eth0/0.1 PE-Hub Eth0/0.2
Spoke B
171.68.2.0/24
CE-SB
PE-SB MPLS VPN Backbone ip vrf HUB-IN description VRF for traffic to HUB rd 300:12 route-target export 2:2
router bgp <ASN> address-family ipv4 vrf HUB-IN neighbor <CE> allowas-in 2
ip vrf green-spoke2 description VRF for SPOKE B rd 300:112 route-target export 1:1 route-target import 2:2
BRKRST-2102 14416_04_2008_c1
Cisco Public
41
MPLS-VPN Services:
2. Hub and Spoke Service: Control Plane
MPLS Backbone Spoke A
171.68.1.0/24
FIBIP Forwarding Table LFIBMPLS Forwarding Table

VRF HUB-OUT FIB and LFIB Destination NextHop Label 171.68.1.0/24 PE-SA 40 171.68.2.0/24 PE-SB 50
CE-SA
MP-iBGP update 171.68.1.0/24 Label 40 Route-Target 1:1
VRF FIB and LFIB at PE-SA 171.68.0.0/16 PE-Hub 35 171.68.1.0/24 CE-SA VRF FIB and LFIB at PE-SB 171.68.0.0/16 PE-Hub 35 171.68.2.0/24 CE-SB
PE-SA PE-SB
VRF HUB-OUT PE-Hub VRF HUB-IN

VRF HUB-IN FIB Destination NextHop 171.68.0.0/16 CE-H1
171.68.2.0/24
CE-SB
Spoke B
Two VRFs at the PE-hub:

VRF HUB_OUT to learn every spoke routes from remote PEs VRF HUB_IN to advertise either summary 171.68.0.0/16 or specific routes to remote PEs
Import and export route-target within a VRF must be different

42
MPLS-VPN Services:
2. Hub and Spoke Service: Forwarding Plane This Is How The Spoke-to-Spoke Traffic Flows
Spoke A
171.68.1.0/24 VRF HUB-OUT 171.68.1.1
MPLS Backbone PE-SA

L2 40 171.68.1.1
CE-SA
Spoke B CE-SB
171.68.2.0/24 171.68.1.1
PE-Hub PE-SB
L1 35 171.68.1.1
VRF HUB-IN
L1 Is the Label to Get to PE-Hub L2 Is the Label to Get to PE-SA

43
MPLS-VPN Services:
2. Hub and Spoke Service: Half-Duplex VRF
Why do we need half-duplex VRF?

If more than one spoke router (CE) connects to the same PE router within the single VRF, then such spokes can reach other without needing the hub
This defeats the purpose of doing hub and spoke
Half-duplex VRF is the answer

Half-duplex VRF is specific to virtual-template* i.e., dial-user
It requires two VRFs on the PE (spoke) router

Upstream VRF for spoke->hub communication Downstream VRF for spoke<-hub communication
* Being Extended to Other Interfaces as Well
44
MPLS-VPN Services:
2. Hub and Spoke Service: Half-Duplex VRF
ip vrf red-vrf description VRF upstream flow rd 300:111 route-target import 2:2 ip vrf blue-vrf description VRF downstream flow rd 300:112 route-target export 1:1
Spoke A CE-SA
171.68.1.0/24
ip vrf HUB-OUT description VRF for traffic from HUB rd 300:11 route-target import 1:1
PE-SA
MPLS Backbone PE-Hub
Spoke B
171.68.2.0/24
CE-SB
Int virtual-template1 . ip vrf forward red-vrf downstream blue-vrf
Upstream VRF
Downstream VRF
ip vrf HUB-IN description VRF for traffic to HUB rd 300:12 route-target export 2:2
PE-SA installs the spoke routes only in downstream VRF i.e. blue-VRF PE-SA forwards the incoming IP traffic (from Spokes) using the upstream VRF i.e. red-vrf routing table
45
Agenda

46
MPLS-VPN Services
3. Extranet VPN
MPLS VPN, by default, isolates one VPN customer from another

Separate virtual routing table for each VPN customer
Communication between VPNs may be required i.e., extranet

External intercompany communication (dealers with manufacturer, retailer with wholesale provider, etc.) Management VPN, shared-service VPN, etc.
Needs right import and export route-target (RT) values configuration within the VRFs
Export-map or import-map should be used
BRKRST-2102 14416_04_2008_c1
Cisco Public
47
3. MPLS-VPN Services: Extranet VPN

Goal: Only VPN_A Site#1 to Be Reachable to VPN_B
MPLS Backbone VPN_A Site#1 171.68.0.0/16 192.6.0.0/16 VPN_A Site#2 PE2
SO
PE1
180.1.0.0/16
VPN_B Site#1
ip vrf VPN_A rd 3000:111 export map VPN_A_Export import map VPN_A_Import route-target import 3000:111 route-target export 3000:111 route-target import 3000:1 ! route-map VPN_A_Export permit 10 match ip address 1 set extcommunity rt 3000:2 additive ! route-map VPN_A_Import permit 10 match ip address 2 ! access-list 1 permit 171.68.0.0 0.0.0.0 access-list 2 permit 180.1.0.0 0.0.0.0
ip vrf VPN_B rd 3000:222 export map VPN_B_Export import map VPN_B_Import route-target import 3000:222 route-target export 3000:222 route-target import 3000:2 ! route-map VPN_B_Export permit 10 match ip address 2 set extcommunity rt 3000:1 additive ! route-map VPN_B_Import permit 10 match ip address 1 ! access-list 1 permit 171.68.0.0 0.0.0.0 access-list 2 permit 180.1.0.0 0.0.0.0
Only Site #1 of Both VPN_A and VPN_B Would Communicate with Each Other, Site #2 Wont Be Part of It
48
Agenda

49
MPLS-VPN Services
4. Internet Access Service to VPN Customers
Internet access service could be provided as another value-added service to VPN customers
Security mechanism must be in place at both provider network and customer network
To protect from the Internet vulnerabilities
VPN customers benefit from the single point of contact for both Intranet and Internet connectivity
BRKRST-2102 14416_04_2008_c1
Cisco Public
50
MPLS-VPN Services
4. Internet Access: Different Methods of Service
Four Ways to Provide the Internet Service

1. VRF specific default route with global keyword 2. Separate PE-CE sub-interface (non-VRF)
3. Extranet with Internet-VRF

4. VRF-aware NAT
BRKRST-2102 14416_04_2008_c1
Cisco Public
51
MPLS-VPN Services
4. Internet Access: Different Methods of Service
1. VRF specific default route
1.1 Static default route to move traffic from VRF to Internet (global routing table) 1.2 Static routes for VPN customers to move traffic from Internet (global routing table) to VRF
2. Separate PE-CE subinterface (non-VRF)

May run BGP to propagate Internet routes between PE and CE

VPN packets never leave VRF context; issue with overlapping VPN address
4. Extranet with Internet-VRF along with VRF-aware NAT

VPN packets never leave VRF context; works well with overlapping VPN address
BRKRST-2102 14416_04_2008_c1
Cisco Public
52
MPLS-VPN Services:
4.1 Internet Access: VRF Specific Default Route
Site1 CE1 171.68.0.0/16 MPLS Backbone
Internet
192.168.1.2 P PE1 192.168.1.1 Internet GW ASBR
SO
PE1# ip vrf VPN-A rd 100:1 route-target both 100:1
Interface Serial0 ip address 192.168.10.1 255.255.255.0 ip vrf forwarding VPN-A Router bgp 100 no bgp default ipv4-unicast redistribute static neighbor 192.168.1.1 remote 100 neighbor 192.168.1.1 activate neighbor 192.168.1.1 next-hop-self neighbor 192.168.1.1 update-source loopback0
A default route, pointing to the ASBR, is installed into the site VRF at each PE The static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP
53
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global ip route 171.68.0.0 255.255.0.0 Serial0
MPLS-VPN Services: Internet Access

4.1 VRF Specific Default Route (Forwarding)
Site1 171.68.0.0/16
IP Packet D=171.68.1.1
Global Routing/FIB Table Destination Label/Interface 192.168.1.1/32 Label=30 171.68.0.0/16 Serial 0
Label = 30 IP Packet D=Cisco.com IP Packet D=Cisco.com
MPLS Backbone
IP Packet D=Cisco.com
Internet
Se0
192.168.1.2
PE1 P
PE2 SO IP Packet
Label = 35 IP Packet D=171.68.1.1
192.168.1.1
D=171.68.1.1
Global Table and LFIB Destination Label/Interface 192.168.1.2/32 Label=35 171.68.0.0/16 192.168.1.2 Internet Serial 0
VRF Routing/FIB Table Destination Label/Interface 0.0.0.0/0 192.168.1.1 (global) Site-1 Serial 0
Advantages
Different Internet gateways Can be used for different VRFs PE routers need not to hold the Internet table Simple configuration
Disadvantages
Using default route for Internet Routing does not allow any other default route for intraVPN routing Increasing size of global routing table by leaking VPN routes Static configuration (possibility of traffic blackholing)
54
BRKRST-2102 14416_04_2008_c1
Cisco Public
MPLS-VPN Services
4.2 Internet Access
1. VRF specific default route
1.1 Static default route to move traffic from VRF to Internet (global routing table) 1.2 Static routes for VPN customers to move traffic from Internet (global routing table) to VRF
2. Separate PE-CE sub-interface (non-VRF)

May run BGP to propagate Internet routes between PE and CE

VPN packets never leave VRF context; overlapping VPN addresses could be a problem
4. Extranet with Internet-VRF along with VRF-aware NAT

VPN packets never leave VRF context; works well with overlapping VPN addresses
BRKRST-2102 14416_04_2008_c1
Cisco Public
55
4.2 Internet Access Service to VPN

Customers Using Separate Subinterface (Config)
Site1 171.68.0.0/16 CE1 Se0.2
192.168.1.2
MPLS Backbone BGP-4

192.168.1.1
Internet Internet
ASBR
Se0.1
ip vrf VPN-A rd 100:1 route-target both 100:1
PE1
Internet GW
Interface Serial0.1 ip vrf forwarding VPN-A ip address 192.168.20.1 255.255.255.0 frame-relay interface-dlci 100 ! Interface Serial0.2 ip address 171.68.10.1 255.255.255.0 frame-relay interface-dlci 200 ! Router bgp 100 no bgp default ipv4-unicast neighbor 171.68.10.2 remote-as 502
One sub-interface for VPN routing associated to a VRF

Another subinterface for Internet routing associated to the global routing table Could advertise full Internet routes or a default route to CE The PE will need to advertise VPN routes to the Internet (via global routing table)
56
Internet Access Service to VPN Customer

4.2 Using Separate Subinterface (Forwarding)
Site1 171.68.0.0/16
IP Packet D=Cisco.com Label = 30 IP Packet D=Cisco.com 192.168.1.2
MPLS Backbone
Internet Internet
192.168.1.1
S0.2 S0.1
PE2
IP Packet D=Cisco.com
PE1
CE Routing Table VPN Routes Serial0.1 Internet Routes Serial0.2
PE-Internet GW
PE Global Table and FIB Internet Routes 192.168.1.1 192.168.1.1 Label=30
Pros
CE Could Dual Home and Perform Optimal Routing Traffic Separation Done by CE
Cons
PE to Hold Full Internet Routes BGP Complexities Introduced in CE; CE1 May Need to Aggregate to Avoid AS_PATH Looping
BRKRST-2102 14416_04_2008_c1
Cisco Public
57
Internet Access Service

4.3 Extranet with Internet-VRF
The Internet routes could be placed within the VRF at the Internet-GW i.e., ASBR
VRFs for customers could extranet with the Internet VRF and receive either default, partial or full Internet routes Be careful if multiple customer VRFs, at the same PE, are importing full Internet routes
Works well only if the VPN customers dont have overlapping addresses
BRKRST-2102 14416_04_2008_c1
Cisco Public
58
Internet Access Service

4.4 Internet Access Using VRF-Aware NAT
If the VPN customers need Internet access without Internet routes, then VRF-aware NAT can be used at the Internet-GW i.e., ASBR
The Internet GW doesnt need to have Internet routes either Overlapping VPN addresses is no longer a problem More in the VRF-aware NAT slides
BRKRST-2102 14416_04_2008_c1
Cisco Public
59
Agenda

66
MPLS-VPN Services
7. VRF-Aware NAT Services
VPN customers could be using overlapping IP address i.e.,10.0.0.0/8

Such VPN customers must NAT their traffic before using either Extranet or Internet or any shared* services PE is capable of NATting the VPN packets (eliminating the need for an extra NAT device)
* VoIP, Hosted Content, Management, etc.

67
MPLS-VPN Services
7. VRF-Aware NAT Services
Typically, inside interface(s) connect to private address space and outside interface(s) connect to global address space
NAT occurs after routing for traffic from inside-to-outside interfaces NAT occurs before routing for traffic from outside-to-inside interfaces
Each NAT entry is associated with the VRF
Works on VPN packets in the following switch paths: IP->IP, IP->MPLS and MPLS->IP
BRKRST-2102 14416_04_2008_c1
Cisco Public
68
MPLS-VPN Services:
7. VRF-Aware NAT Services: Internet Access
CE1
10.1.1.0/24
Green VPN Site CE2

10.1.1.0/24
PE11 PE12
MPLS Backbone PE-ASBR
.1
217.34.42.2
Internet
IP NAT Inside IP NAT Outside ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24 ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24 ip nat inside source list vpn-to-nat pool pool-green vrf green ip nat inside source list vpn-to-nat pool pool-blue vrf blue ip access-list standard vpn-to-nat permit 10.1.1.0 0.0.0.255 ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global VRF-Aware NAT Specific Config
Cisco Public
Blue VPN Site
ip vrf green rd 3000:111 route-target both 3000:1 ip vrf blue rd 3000:222 route-target both 3000:2 router bgp 3000 address-family ipv4 vrf green network 0.0.0.0 address-family ipv4 vrf blue network 0.0.0.0 VRF Specific Config
BRKRST-2102 14416_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved.
69
MPLS-VPN Services:
7. VRF-Aware NAT Services: Internet Access
CE1
10.1.1.0/24 Src=10.1.1.1 Dest=Internet Label=30 Src=10.1.1.1 Dest=Internet
MPLS Backbone PE-ASBR

Src=24.1.1.1 Dest=Internet Src=25.1.1.1 Dest=Internet
Green VPN Site IP Packet CE2

10.1.1.0/24
PE11 PE12
P
Label=40 Src=10.1.1.1 Dest=Internet MPLS Packet
Internet
IP Packet Traffic Flows NAT Table Global IP VRF-Table-Id 24.1.1.1 green 25.1.1.1 blue
Blue VPN Site
Src=10.1.1.1 Dest=Internet
PE-ASBR removes the label from the received MPLS packets per LFIB Performs NAT on the resulting IP packets Forwards the packet to the internet Returning packets are NATed and put back in the VRF context and then routed This is also one of the ways to provide Internet access to VPN customers with or without overlapping addresses
VRF IP Source 10.1.1.1 10.1.1.1
70
Agenda
1. Providing Load-Shared Traffic to the Multihomed VPN Sites 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Providing Hub and Spoke Service to the VPN Customers Providing MPLS VPN Extranet Service Providing Internet Access Service to VPN Customers Providing VRF-Selection Based Services Providing Remote Access MPLS VPN Providing VRF-Aware NAT Services Providing QoS Service to VPNs Providing Multicast Service to VPNs Providing MPLS/VPN over IP Transport Providing Multi-VRF CE Service

79
MPLS-VPN Services:
11. Providing Multi-VRF CE Service
Is it possible for an IP router to keep multiple customer connections separated ?
Yes, multi-VRF CE a.k.a. vrf-lite can be used
Multi-VRF CE provides multiple virtual routing tables (and forwarding tables) per customer at the CE router
Not a feature but an application based on VRF implementation Any routing protocol that is supported by normal VRF can be used in a multi-VRF CE implementation
Note that there is no MPLS functionality needed on the CE, no label exchange between the CE and any router (including PE) One of the deployment models is to extend the VRFs to the CE, another is to extend it further inside the Campus => Virtualization
Campus Virtualization blends really well
80
MPLS-VPN Services:
11. Providing Multi-VRF CE Service One Deployment ModelExtending MPLS/VPN to CE
Campus
Vrf Green
ip vrf green rd 3000:111 route-target both 3000:1 ip vrf blue rd 3000:222 route-target both 3000:2 ip vrf red rd 3000:333 route-target both 3000:3
SubInterface Link * Vrf Green
Campus
Vrf Green
MPLS Network
Vrf Red
Multi-VRF CE Router
ip vrf green rd 3000:111 ip vrf blue rd 3000:222 Ip vrf red rd 3000:333
Vrf Red
PE Router
Vrf Red
PE Router
*SubInterface LinkAny Interface Type that Supports Sub Interfaces, FE-Vlan, Frame Relay, ATM VCs
81
Agenda
MPLS VPN Explained
MPLS-VPN Services Best Practices
Conclusion
BRKRST-2102 14416_04_2008_c1
Cisco Public
82
Best Practices
1.
2. 3. 4.
Use RR to scale BGP; deploy RRs in pair for the redundancy

Keep RRs out of the forwarding paths and disable CEF (saves memory)
RT and RD should have ASN in them i.e., ASN: X

Reserve first few 100s of X for the internal purposes such as filtering
Consider unique RD per VRF per PE, if load sharing of VPN traffic is required Dont use customer names as the VRF names; nightmare for the NOC. Use simple combination of numbers and characters in the VRF name.
For example: v101, v102, v201, v202, etc. Use description
5.
PE-CE IP address should come out of SPs public address space to avoid overlapping
Use /31 subnetting on PE-CE interfaces
6.
Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor
Max-prefix within the VRF configuration; Do suppress the inactive routes Max-prefix per neighbor within the BGP VRF af (if BGP on the PE-CE)
BRKRST-2102 14416_04_2008_c1
Cisco Public
83
Agenda
MPLS VPN Explained
MPLS-VPN Services Best Practices
Conclusion
BRKRST-2102 14416_04_2008_c1
Cisco Public
84
Conclusion
MPLS VPN is becoming a cheaper and faster alternative to traditional l2vpn
Secured VPN
MPLS-VPN paves the way for new revenue streams

VPN customers could outsource their layer3 to the provider
Straightforward to configure any-to-any VPN topology

Partial-mesh, Hub and Spoke topologies can also be easily deployed
CsC and Inter-AS could be used to expand into new markets VRF-aware services could be deployed to maximize the investment
85
Q and A
BRKRST-2102 14416_04_2008_c1
Cisco Public
86
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store

87
Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Dont forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
BRKRST-2102 14416_04_2008_c1
Cisco Public
88
BRKRST-2102 14416_04_2008_c1
Cisco Public
89
Additional Slides
Advanced MPLS VPN Topics Inter-AS and CsC
BRKRST-2102 14416_04_2008_c1
Cisco Public
90
Agenda
Advanced MPLS VPN Topics
Inter-AS MPLS-VPN CsC Carrier Supporting Carrier
BRKRST-2102 14416_04_2008_c1
Cisco Public
91
What Is Inter-AS?
Provider X
RR1 MP-iBGP Update: PE-1
Provider Y
RR2 ASBR2
ASBR1
???
AS #1 AS #2
Problem:
BGP, OSPF, RIPv2 149.27.2.0/24, NH=CE-1 CE-1
PE2
VPN-A
149.27.2.0/24
How Do Provider X and Provider Y Exchange VPN Routes?
CE2
VPN-A
BRKRST-2102 14416_04_2008_c1
Cisco Public
92
Inter-AS Deployment Scenarios

Following Options/Scenarios for Deploying Inter-AS:
ASBR1 1. Back-to-Back VRFs (Option A) 2. MP-eBGP for VPNv4 ASBR2
AS #1
PE1
(Option B) 3. Multihop MP-eBGP Between RRs
AS #2
PE2
(Option C)
CE1 4. Non-VPN Transit Provider CE2
VPN-A
Each Option Is Covered in Additional Slides
VPN-A
BRKRST-2102 14416_04_2008_c1
Cisco Public
93
Scenario 1: Back-to-Back VRF

Control Plane
ASBR-1
VPN-v4 Update: RD:1:27:10.1.1.0/24 NH=PE-1 RT=1:1, Label=(29)
VPN-B VRF Import routes with Route-Target 1:1
ASBR-2
VPN-v4 Update: RD:1:27:10.1.1.0/24, NH=ASBR-2 RT=1:1, Label=(92) VPN-B VRF Import Routes with Route-Target 1:1
PE-1 CE-2
BGP, OSPF, RIPv2 10.1.1.0/24 NH=ASBR-2
PE-2
BGP, OSPF, RIPv2 10.1.1.0/24,NH=PE-2
BGP, OSPF, RIPv2 10.1.1.0/24,NH=CE-2
CE-3
VPN-B 10.1.1.0/24
VPN-B
VRF-to-VRF Connectivity Between ASBRs

94
Scenario 1: Back-to-Back VRF

Forwarding Plane
30 29 10.1.1.1
ASBR-1
ASBR-2
92
10.1.1.1
P2
P1
10.1.1.1 20 92 10.1.1.1
PE-1
IP Packets Between ASBRs

CE-2 VPN-B 10.1.1.0/24 CE-3
PE-2
10.1.1.1
10.1.1.1
VPN-B
Pros
Per-customer QoS is possible It is simple and elegant since no need to load the Inter-AS code (but still not widely deployed)
Cons
Not scalable. # of interface on both ASBRs is directly proportional to #VRF. No end-to-end MPLS Unnecessary memory consumed in RIB/(L)FIB Dual-homing of ASBR makes provisioning worse
95
BRKRST-2102 14416_04_2008_c1
Cisco Public
Cisco IOS Configuration

Scenario 1: Back-to-Back VRF Between ASBRs
ASBR1 ASBR2
1.1.1.0/30 VRF Routes Exchange via any Routing Protocol

ASBR VRF and BGP config CE-1 ip vrf green rd 1:1 route-target both 1:1 ! Router bgp x Address-family ipv4 vrf green neighbor 1.1.1.x activate CE-2
AS #1
PE1
AS #2
PE2
VPN-A
VPN-A
Note: ASBR Must Already Have MP-iBGP Session with iBGP Neighbors such as RRs or PEs
96
Scenario 2: MP-eBGP Between ASBRs to Exchange VPNv4 Routes

New CLI no bgp default route-target filter is needed on the ASBRs
ASBRs exchange VPN routes using eBGP (VPNv4 af) ASBRs store all VPN routes
But only in BGP table and LFIB table Not in routing nor in CEF table
ASBRs dont need

VRFs to be configured on them LDP between them
BRKRST-2102 14416_04_2008_c1
Cisco Public
97
Scenario 2: MP-eBGP bet ASBRs for VPN Control Plane

ASBR-1
MP-iBGP Update: RD:1:27:10.1.1.0/24, NH=PE-1 RT=1:1, Label=(40)
ASBR-2
MP-iBGP Update: RD:1:27:10.1.1.0/24, NH=ASBR-2 RT=1:1, Label=(30)
PE-1
MP-eBGP Update: RD:1:27:10.1.1.0/24, NH=ASBR-1 RT=1:1, Label=(20)
PE-2
BGP, OSPF, RIPv2 10.1.1.0/24, NH=PE-2
BGP, OSPF, RIPv2 10.1.1.0/24, NH=CE-2
CE-2 VPN-B 10.1.1.0/24
CE-3
VPN-B
BRKRST-2102 14416_04_2008_c1
Cisco Public
98
Scenario 2: MP-eBGP bet ASBRs for VPN Forwarding Plane

30 40 10.1.1.1 30 10.1.1.1
ASBR-1
ASBR-2
P2
40
10.1.1.1
20
10.1.1.1
20
30
10.1.1.1
PE-1
MPLS Packets Between ASBRs

CE-2 VPN-B 10.1.1.0/24 CE-3
10.1.1.1
10.1.1.1
VPN-B
Pros
More scalable
Only one interface between ASBRs routers No VRF configuration on ASBR. Less memory consumption (no RIB/FIB memory)
Cons
Automatic route filtering must be disabled
But we can apply BGP filtering
MPLS label switching between providers

Still simple, more scalable & works today
ASBRs are still required to hold VPN routes
99

Scenario 2: External MP-BGP between ASBRs for VPN
MP-eBGP for ASBR1 VPNv4 ASBR2
1.1.1.0/30
AS #1
PE1
Label Exchange Between ASBRs Using MP-eBGP
AS #2
PE2
CE-1
VPN-A
ASBR MB-EBGP Configuration Router bgp x no bgp default route-target filter neighbor 1.1.1.x remote-as x ! address-family vpnv4 neighbor 1.1.1.x activate neighbor 1.1.1.x send-com extended
CE-2
VPN-A
Note: ASBR Must Already Have MP-iBGP Session with iBGP Neighbors such as RRs or PEs
100
Scenario 3: Multihop MP-eBGP Between RRs to Exchange VPNv4 Routes

Exchange VPNv4 prefixes via the Route Reflectors
Requires Multihop MP-eBGP (with next-hop-unchanged)
Exchange IPv4 routes with labels between directly connected ASBRs using eBGP
Only PE loopback addresses need to be exchanged (they are BGP next-hop addresses of the VPN routes)
BRKRST-2102 14416_04_2008_c1
Cisco Public
101
Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes: Control Plane
VPN-v4 Update: RD:1:27:10.1.1.0/24, NH=PE-1 RT=1:1, Label=(90) RR-2 VPN-v4 Update: RD:1:27:10.1.1.0/24, NH=PE-1 RT=1:1, Label=(90)
RR-1 VPN-v4 Update: RD:1:27:10.1.1.0/24, NH=PE-1 RT=1:1, Label=(90)
AS#1
IGP+LDP: Network=PE-1 NH=PE-1 Label=(40) CE-2
ASBR-1
ASBR-2
AS#2
IGP+LDP: Network=PE-1 NH=ASBR-2 Label=(30)
PE-1
BGP, OSPF, RIPv2 10.1.1.0/24,NH=CE-2
IP-v4 Update: Network=PE-1 NH=ASBR-1 Label=(20)
PE-2 BGP, OSPF, RIPv2 10.1.1.0/24,NH=PE-2
VPN-B
10.1.1.0/24
CE-3
VPN-B
Note: Instead of IGP+Label, iBGP+Label Can Be Used to Exchange PE Routes/Label. Please see Scenario#5 on slide#49 and 50.
102
Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes: Forwarding Plane
RR-1 P1 40 90 10.1.1.1 90 10.1.1.1 ASBR-1 ASBR-2 RR-2
P2
30
90
10.1.1.1 50 90
10.1.1.1
PE-1 20 10.1.1.1 CE-2 90
10.1.1.1
PE-2 CE-3 10.1.1.1
VPN-B
10.1.1.0/24
VPN-B
Note: Instead of IGP+Label, iBGP+Label Can Be Used to Exchange PE Routes/Label.

103
Scenario 3: Pros/Cons
Pros
More scalable than Scenario 1 and 2
Separation of control and forwarding planes
Cons
Advertising PE addresses to another AS may not be acceptable to few providers
Route Reflector exchange VPNv4 routes+labels

RR hold the VPNv4 information anyway
ASBRs now exchange only IPv4 routes+labels

ASBR forwards MPLS packets
BRKRST-2102 14416_04_2008_c1
Cisco Public
104

Scenario 3: Multihop MP-eBGP between RRs for VPN
RR-1 PE1 Multihop MP-eBGP for VPNv4 with next-hop-unchange
ASBR-1 ASBR-2
RR-2
PE2
AS #1
CE-1 RR Configuration VPN-A eBGP IPv4 + Labels
AS #2
CE-2 ASBR Configuration
router ospf x redistribute bgp 1 subnets ! router bgp x neighbor < ASBR-x > remote-as x ! address-family ipv4 Network <PEx> mask 255.255.255.255 Network <RRx> mask 255.255.255.255 neighbor < ASBR-x > activate neighbor < ASBR-x > send-label
router bgp x neighbor <RR-x> remote-as x neighbor <RR-x> ebgp-multihop neighbor <RR-x> update loopback 0 ! address-family vpnv4 neighbor <RR-x> activate neighbor <RR-x> send-com extended neighbor <RR-x> next-hop-unchanged
VPN-A
iBGPipv4+label Could Also Be Used in Within Each AS (Instead of network <x.x.x.x>) to Propagate the Label Information for PEs
105
Scenario 4: Non-VPN Transit Provider

Two MPLS VPN providers may exchange routes via one or more transit providers
Which may be non-VPN transit backbones just running MPLS
Multihop MP-eBGP deployed between edge providers

With the exchange of BGP next-hops via the transit provider
BRKRST-2102 14416_04_2008_c1
Cisco Public
106
Scenario 4: Non-VPN Transit Provider

eBGP IPv4 + Labels
ASBR-1
ASBR-2
iBGP IPv4 + Labels
MPLS VPN Provider #1 PE1 RR-1
Non-VPN MPLS Transit Backbone ASBR-3
CE-2
next-hop-unchanged
Multihop MP-eBGP OR MP-iBGP for VPNv4
ASBR-4
eBGP IPv4 + Labels
VPN-B
RR-2
iBGP IPv4 + Labels MPLS VPN Provider #2 PE2
CE-3
VPN-B
BRKRST-2102 14416_04_2008_c1
Cisco Public
107
Route-Target Rewrite at ASBR

ASBR can add/delete route-target associated with a VPNv4 prefix
Secures the VPN environment
ASBR(conf)#router bgp 1000

ASBR(conf-router)#neighbor 1.1.1.1 route-map route-target-deletion out ASBR(conf-router)#exit ASBR(conf)#route-map route-target-delete ASBR(conf-route-map)#match extcommunity 101 ASBR(conf-route-map)#set extcomm-list 101 delete ASBR(conf-route-map)#set extcommunity rt 123:123 additive ASBR(conf)# ip extcommunity-list 101 permit rt 100:100
BRKRST-2102 14416_04_2008_c1
Cisco Public
108
Inter-AS Deployment Guidelines

1. Use ASN in the Route-target i.e., ASN:xxxx
2. Max-prefix limit (both BGP and VRF) on PEs 3. Security (BGP MD5, BGP filtering, BGP max-prefix, etc.) on ASBRs 4. End-to-end QoS agreement on ASBRs 5. Route-target rewrite on ASBR
6. Internet connectivity on the same ASBR??
BRKRST-2102 14416_04_2008_c1
Cisco Public
109
Agenda
Advanced MPLS VPN Topics
Inter-AS MPLS-VPN Carrier Supporting Carrier (CsC)
BRKRST-2102 14416_04_2008_c1
Cisco Public
110
MPLS/VPN Networks Without CsC

Number of VPN routes is one of the biggest limiting factors in scaling the PE router
Few SPs are running into this scaling limitation
If number of VPN routes can be reduced somehow (without loosing the functionality), then the existing investment can be protected
The same PE can still be used to connect more VPN customers
Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes from each VRF by enabling MPLS on the PE-CE link
BRKRST-2102 14416_04_2008_c1
Cisco Public
111
CsC Deployment Model

MP-iBGP for VPNv4 P1 PE1
IGP+LDP IGP+LDP
PE2
Carriers MPLS Core

IPv4 Routes with Label Distribution IPv4 Routes with Label Distribution
CE-1 ISP PoP Site-1

Internal Routes = IGP Routes
MPLS-Enabled VRF Int
CE-2
Full-Mesh iBGP for External Routes
ISP PoP Site-2 C1
ASBR-1 R1 Internet
ASBR-2 R2
Internal Routes = IGP Routes
ISP Customers = External Routes

Cisco Public
BRKRST-2102 14416_04_2008_c1
112
Benefits of CsC
Provide transport for ISPs ($)
No need to manage external routes from ISPs
Build MPLS Internet Exchange (MPLS-IX) ($$)

Media Independence; POS/FDDI/PPP possible Higher speed such OC192 or more Operational benefits
Sell VPN service to subsidiary companies that provide VPN service ($)
BRKRST-2102 14416_04_2008_c1
Cisco Public
113
What Do I Need to Enable CsC ?

1. Build an MPLS-VPN enabled carriers network
2. Connect ISP/SPs sites (or PoPs) to the Carriers PEs 3. Exchange internal routes + labels between Carriers PE and ISP/SPs CE 4. Exchange external routes directly between ISP/SPs sites
BRKRST-2102 14416_04_2008_c1
Cisco Public
114
CsC Deployment Models

MP-iBGP for VPNv4
P1 PE1
IGP+LDP IGP+LDP
PE2
Carriers MPLS Core

IPv4 Routes with Label Distribution IPv4 Routes with Label Distribution
CE-1 ISP PoP Site-1

internal Routes = IGP Routes
MPLS-Enabled VRF int CE-2 Full-Mesh iBGP for External Routes
ISP PoP Site-2

C1 Internal Routes = IGP Routes ISP Customers = External Routes
ASBR-1
ASBR-2
R2 Internet R1
BRKRST-2102 14416_04_2008_c1
Cisco Public
115
CsC Deployment Models

1. Customer-ISP not running MPLS
2. Customer-ISP running MPLS 3. Customer-ISP running MPLS-VPN
Model 1 and 2 Are Less Common Deployments. Model 3 Will Be Discussed in Detail.
116
CsC: ISP Sites Are Running MPLS-VPN Hierarchical MPLS-VPN Control Plane
MP-iBGP Update: 1:1:30.1.61.25/32, RT=1:1 NH =PE-1, Label=51
P1 PE1
IGP+LDP, Net=PE-1, Label = pop IGP+LDP, Net=PE-1, Label = 16
PE2
Carriers Core
30.1.61.25/32, NH=CE-1, Label = 50
30.1.61.25/32, NH=PE-2, Label = 52
CE-1 ISP PoP Site-1

IGP+LDP 30.1.61.25/32,Label = pop
MP-iBGP Update: 1:1:10.1.1.0/24, RT=1:1 NH =30.1.61.25/32, Label = 90
CE-2
IGP+LDP, 30.1.61.25/32 NH=CE-2, Label=60
ISP PoP Site-2 ASBR_PE-2
ASBR_PE-1 30.1.61.25/32
10.1.1.0/24, NH=R1
10.1.1.0/24, NH =ASBR_PE-2
C1 IGP+LDP, 30.1.61.25/32 NH=C1, Label=70
Network = 10.1.1.0/24
BRKRST-2102 14416_04_2008_c1
R2 R1
VPN Site-1
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
VPN Site-2
117
CsC: ISP Sites Are Running MPLS-VPN Hierarchical MPLS-VPN Forwarding Plane
P1
51 90 10.1.1.1 16 51 90 10.1.1.1
PE1
PE2
Carriers Core
50 90
10.1.1.1 52 90
10.1.1.1
CE-1 ISP PoP Site-1 90
CE-2 ISP PoP Site-2

C1
10.1.1.1 60 90 10.1.1.1
ASBR-1
10.1.1.1 Network = 10.1.1.0/24
BRKRST-2102 14416_04_2008_c1
ASBR-2
10.1.1.1 70 90 10.1.1.1
R1
VPN Site-1
2008 Cisco Systems, Inc. All rights reserved. Cisco Public
R2 VPN Site-2
118

Deploying IPMPLSVPN

Cargado por

Información del documento

Descripción original:

Título original

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

Deploying IPMPLSVPN

Cargado por

Copyright:

Formatos disponibles

Deploying MPLS VPN Networks

Ade Yudha G Rahman Isnaini Rommy Kuntoro

2008 Cisco Systems, Inc. All rights reserved.

2008 Cisco Systems, Inc. All rights reserved.

2008 Cisco Systems, Inc. All rights reserved.

VRF: VPN routing and forwarding

RT: route target

LFIB: label forwarding information base FIB: forwarding information base

MPLS-VPN Services Best Practices Conclusion

2008 Cisco Systems, Inc. All rights reserved.

2008 Cisco Systems, Inc. All rights reserved.

MPLS-VPN Technology MPLS VPN Connection Model

2008 Cisco Systems, Inc. All rights reserved.

MPLS Backbone IGP (OSPF, ISIS)

2008 Cisco Systems, Inc. All rights reserved.

MPLS-VPN Technology Virtual Routing and Forwarding Instance (1)

VRF Green PE MPLS Backbone IGP (OSPF, ISIS)

Whats a Virtual Routing and Forwarding (VRF) ?

No changes needed at the CE

PE(conf)#interface Ser0/0 PE(conf)#ip vrf forwarding blue 10

CE router runs whatever software Cisco Public

MPLS-VPN Technology Virtual Routing and Forwarding Instance (2)

PE installs the IGP (backbone) routes in the global routing table

VPN customers can use overlapping IP addresses

2008 Cisco Systems, Inc. All rights reserved.

MPLS-VPN Technology: Control Plane

10.1.1.0 IPv4 Route-Target Label

MP-BGP UPDATE message showing only VPNv4 address, RT, Label

Route Distinguisher (RD)

MPLS-VPN Technology: Control Plane MP-BGP UPDATE Message Capture

2008 Cisco Systems, Inc. All rights reserved.

MPLS VPN Control Plane

10.1.1.0 IPv4 Route-Target Label

MP-BGP update showing RD, RT, and label

Each VRF should* be configured with an RD at the PE

MPLS VPN Control Plane

MP-BGP update showing RD, RT, and Label

2008 Cisco Systems, Inc. All rights reserved.

MPLS VPN Control Plane

MP-BGP update showing RD, RT, and label

MPLS VPN Control Plane:

MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=1:2, Label=100

3. PE1 sends MP-iBGP update to other PE routers

MPLS VPN Control Plane:

MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=1:2, Label=100

2008 Cisco Systems, Inc. All rights reserved.

MPLS-VPN Forwarding Plane Review

Site 2 CE1 PE1 P3 P4 PE2 CE2

VRF Green Forwarding Table Dest NextHop 10.1.1.0/24-PE1, label: 100

Global Routing/Forwarding Table Dest Next-Hop PE2 P3, Label: 50

Global Routing/Forwarding Table Dest Next-Hop PE1 P2, Label: 25

Global Forwarding Table (show ip cef)

VRF Forwarding Table (show ip cef vrf <vrf>)

VPN routes learned through BGP

2008 Cisco Systems, Inc. All rights reserved.

MPLS-VPN Forwarding Plane Packet Forwarding

Site 2 CE1 P3 10.1.1.1 IP Packet PE1 P4 PE2 10.1.1.1 P1 P2

Inner label is learned via MP-BGP; corresponds to the VPN address

MPLS-VPN Technology: Control Plane MPLS Packet Capture

Ethernet Header Outer Label Inner Label IP packet

2008 Cisco Systems, Inc. All rights reserved.

MPLS-VPN Services Best Practices Conclusion