BRKRST-2102 14416_04_2008_c1
Cisco Public
Abstract
Multiprotocol Label Switching (MPLS) has been widely adopted by network operators to provide scalable L2 VPN, L3 VPN and traffic-engineering services. Enterprises are quickly adopting the technology to address network segmentation and traffic-separation needs. This session covers MPLS Layer 3 VPN, the most widely deployed MPLS application. The session will cover:
- MPLS VPN technology overview (RFC 2547 / RFC 4364)
- MPLS/VPN configuration overview
- MPLS/VPN-based services (multihoming, hub and spoke, extranet, Internet access, NAT, VRF-lite, etc.)
- Best practices
BRKRST-2102 14416_04_2008_c1 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Agenda
MPLS VPN Overview
MPLS VPN Services Best Practices
Conclusion
Prerequisites
- Must understand basic IP routing, especially BGP
- Must understand MPLS basics (push, pop, swap, label stacking)
- Should understand MPLS VPN basics
- Must keep the speaker engaged by asking bad questions
Terminology
- LSR: label switch router
- LSP: label switched path; the chain of labels that are swapped at each hop to get from one LSR to another
- MP-BGP: multiprotocol BGP
- PE: provider edge router; interfaces with CE routers
- P: provider (core) router, without knowledge of the VPNs
- VPNv4: address family used in BGP to carry MPLS-VPN routes
- RD: route distinguisher; distinguishes the same network/mask prefix in different VRFs
Agenda
MPLS VPN Overview
- Technology (how it works)
- Configuration
MPLS-VPN Technology
- More than one routing and forwarding table
- Control plane: VPN route propagation
- Data (forwarding) plane: VPN packet forwarding
PE routers
- Sit at the edge
- Use MPLS with P routers
- Use IP with CE routers
- Distribute VPN information through MP-BGP to other PE routers
P routers
- Sit inside the network
- Forward packets by looking at labels
- P and PE routers share a common IGP
MPLS-VPN Technology
Separate Routing Tables at PE
[Figure: one PE with CE1 in VPN 1 and CE2 in VPN 2; each VPN has its own routing table (VPN1 routing table, VPN2 routing table) beside the global routing table]
Customer-specific routing table
- Routing table (RIB) and forwarding table (CEF) dedicated to each VPN customer
- Referred to as the VRF table for the <named VPN>: show ip route vrf <name>
Global routing table
- Created when IP routing is enabled on the PE; populated by OSPF, IS-IS, etc. inside the MPLS backbone: show ip route
[Figure: PE with VRF Blue on the VPN 1 interface toward CE1 and a second VRF on the VPN 2 interface; PE-CE routing via eBGP, OSPF, RIPv2 or static; the MPLS backbone IGP is OSPF or IS-IS]
- A VRF must be defined (locally significant) on each PE and associated with one or more PE-CE interfaces; this privatizes an interface, i.e., "colors" it
- Each VRF has a dedicated routing table and forwarding table, and a dedicated instance of the routing protocol (static, RIP, BGP, EIGRP, IS-IS, OSPF):
  PE(config)#ip vrf green
- The PE runs VRF-aware routing protocols
- The PE installs the routes learned from CE routers or from other PE routers in the appropriate VRF routing table(s); more on this in the control plane slides later on
[Figure (slides 11-15): the IPv4 prefix 10.1.1.0 from a VRF is prepended with RD 1:1 to form the VPNv4 prefix carried in MP_REACH_NLRI (example shown: 1:1:200.1.62.4/30), together with a VPN label (50 in the figure)]
* After 12.4(3)T, 12.4(3), 12.2(32)S, 12.0(32)S etc., the RD configuration within the VRF has become optional; prior to that it was mandatory.
- PE addresses used as BGP next-hop must be uniquely known in the backbone IGP
- Do not summarize the PE loopback addresses in the core
[Figure (control plane, steps 1-3): Site 2 behind CE1 advertises 10.1.1.0/24 (next-hop CE-1) to PE1; PE1 - P - PE2 across the MPLS backbone; CE2 attached to PE2; step 3, the MP-iBGP update from PE1 toward PE2, is marked in the figure only]
1. PE1 receives an IPv4 update (eBGP/OSPF/IS-IS/RIP/EIGRP): 10.1.1.0/24, next-hop = CE-1
2. PE1 translates it into a VPNv4 address and constructs the MP-iBGP UPDATE message:
   - associates the RT values (import RT value = 1:2) per the VRF configuration
   - rewrites the next-hop attribute to itself
   - assigns a label (100, say) and installs it in the MPLS forwarding table
[Figure (control plane, steps 4-5): PE1 still holds 10.1.1.0/24 with next-hop CE-1; after the import, CE2 at Site 2 learns 10.1.1.0/24 with next-hop PE-2]
4. PE2 receives the update and checks whether RT = 1:2 is locally configured as an import RT within any VRF; if yes, then
   - PE2 translates the VPNv4 prefix back into an IPv4 prefix
   - PE2 updates the VRF CEF table for 10.1.1.0/24 with label = 100
5. PE2 advertises this IPv4 prefix to CE2 (using whatever PE-CE routing protocol is in use)
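The five control plane steps above as an added, runnable model (editorial example code, not Cisco's and not from the deck): PE1 exports a VRF route as a VPNv4 route (RD prepended, export RTs attached, next hop rewritten to itself, VPN label allocated and installed in the LFIB), and PE2 installs it only into the VRFs whose import RTs intersect the update's RTs. RD 1:1, RT 1:2 and label 100 are the slide's values; the VRF names, the second customer VPN-B with RD 1:3 / RT 1:4 (which shows why the RD is needed when two customers use the same 10.1.1.0/24) and the label range are assumptions.

```python
"""Model of the MPLS VPN control plane: VPNv4 export at PE1, RT-based import at PE2.
Added example, not Cisco code. VPN-B, RD 1:3 and RT 1:4 are constructed values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                   # route distinguisher prepended to the IPv4 prefix, e.g. "1:1"
    prefix: str               # IPv4 prefix, e.g. "10.1.1.0/24"
    next_hop: str             # rewritten to the exporting PE (its loopback)
    label: int                # VPN label allocated by the exporting PE
    route_targets: frozenset  # extended-community RTs attached on export


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    table: dict = field(default_factory=dict)  # prefix -> (next_hop, label), the VRF CEF view


class LabelAllocator:
    """Per-PE VPN label space; the LFIB maps each label back to its VRF/prefix."""
    def __init__(self, start=100):
        self._next = start
        self.lfib = {}

    def allocate(self, vrf_name, prefix):
        label = self._next
        self._next += 1
        self.lfib[label] = (vrf_name, prefix)
        return label


def export_route(vrf, prefix, pe_loopback, allocator):
    """Step 2: prepend the RD, attach the export RTs, set next-hop to the PE
    itself and allocate a VPN label that is installed in the LFIB."""
    label = allocator.allocate(vrf.name, prefix)
    return Vpnv4Route(vrf.rd, prefix, pe_loopback, label, vrf.export_rts)


def import_route(update, vrfs):
    """Step 4: every VRF whose import RTs match at least one RT of the update
    installs the IPv4 prefix (RD stripped) with the update's next hop and label.
    Returns the names of the VRFs that installed it ([] means nobody wanted it)."""
    installed = []
    for vrf in vrfs:
        if vrf.import_rts & update.route_targets:
            vrf.table[update.prefix] = (update.next_hop, update.label)
            installed.append(vrf.name)
    return installed


def demo():
    """Two customers both use 10.1.1.0/24: distinct RDs keep the two VPNv4 routes
    apart in BGP, and the RTs steer each one into the right VRF on PE2."""
    alloc = LabelAllocator(start=100)
    pe1_a = Vrf("VPN-A", "1:1", frozenset({"1:2"}), frozenset({"1:2"}))
    pe1_b = Vrf("VPN-B", "1:3", frozenset({"1:4"}), frozenset({"1:4"}))   # constructed
    upd_a = export_route(pe1_a, "10.1.1.0/24", "PE1", alloc)
    upd_b = export_route(pe1_b, "10.1.1.0/24", "PE1", alloc)

    pe2_vrfs = [Vrf("VPN-A", "1:1", frozenset({"1:2"}), frozenset({"1:2"})),
                Vrf("VPN-B", "1:3", frozenset({"1:4"}), frozenset({"1:4"}))]
    import_route(upd_a, pe2_vrfs)
    import_route(upd_b, pe2_vrfs)
    return {"updates": (upd_a, upd_b),
            "pe2": {v.name: v.table for v in pe2_vrfs},
            "pe1_lfib": alloc.lfib}


if __name__ == "__main__":
    for name, table in demo()["pe2"].items():
        print(name, table)
```

A route whose RTs match no import RT on a PE is simply not installed there, which is the filtering the slide's step 4 describes: with automatic route-target filtering a PE drops such updates altogether.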
[Figure (forwarding plane): CE2 sends an IP packet to 10.1.1.1; PE2 imposes the label stack 50 / 100 (MPLS packet); the P router swaps the outer label, giving 25 / 100; PE1 removes the remaining label 100 and delivers the IP packet to CE1]
- PE2 imposes two labels (MPLS headers) on each packet going to the VPN destination 10.1.1.1
- The outer label is learned via LDP and corresponds to (is derived from) an IGP route to PE1; the inner label (100) is the VPN label that PE1 advertised in MP-BGP
- PE1 recovers the IP packet from the received MPLS packet and forwards it to CE1
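The label-stack walk from the forwarding-plane figure as an added example (editorial code, not Cisco's and not from the deck). The labels 50, 25 and 100 and the routers PE2, P, PE1 are the slide's; that there are two P routers and that the penultimate one pops the outer label (LDP implicit-null, so PE1 receives only the VPN label) are assumptions, as are the LFIB contents.

```python
"""Two-label MPLS VPN forwarding: push at PE2, swap at P1, PHP at P2, VPN label
lookup at PE1. Added example, not Cisco code; LFIB contents are constructed."""
import ipaddress

# Constructed LFIBs keyed by router: incoming label -> (action, argument)
LFIB = {
    "P1":  {50: ("swap", 25)},        # core LSR swaps the transport label (slide: 50 -> 25)
    "P2":  {25: ("pop", None)},       # assumed penultimate-hop pop (LDP implicit-null)
    "PE1": {100: ("vrf", "VPN-A")},   # VPN label 100 -> route in the named VRF
}
# PE2's VRF FIB: prefix -> (VPN label learned from PE1 via MP-BGP, LDP transport label to PE1)
PE2_VRF_FIB = {"VPN-A": {"10.1.1.0/24": (100, 50)}}
# PE1's VRF RIB: prefix -> attached CE
PE1_VRF_RIB = {"VPN-A": {"10.1.1.0/24": "CE1"}}
PATH = ["PE2", "P1", "P2", "PE1"]   # the LSP selected by the transport label


def lpm(table, dst):
    """Longest-prefix match; returns the entry for dst or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else best[1]


def forward(dst, vrf="VPN-A"):
    """Walk a packet from CE2 through the backbone. Returns the label stack
    (outermost first) as seen leaving each router plus the final next hop,
    or None when PE2 has no VPN route for the destination."""
    hit = lpm(PE2_VRF_FIB[vrf], dst)
    if hit is None:
        return None                           # no VPN route: PE2 drops the packet
    vpn_label, transport_label = hit
    stack = [transport_label, vpn_label]      # two labels imposed at PE2
    trace = [("PE2", list(stack))]
    for router in PATH[1:]:
        action, arg = LFIB[router].get(stack[0], ("drop", None))
        if action == "swap":
            stack[0] = arg
        elif action == "pop":
            stack.pop(0)
        elif action == "vrf":
            stack.pop(0)                      # PE1 removes the VPN label ...
            trace.append((router, list(stack)))
            return {"trace": trace, "next_hop": lpm(PE1_VRF_RIB[arg], dst)}  # ... and routes in the VRF
        else:
            return {"trace": trace, "next_hop": None}   # unknown label: dropped in the core
        trace.append((router, list(stack)))
    return {"trace": trace, "next_hop": None}


if __name__ == "__main__":
    print(forward("10.1.1.1"))
```

Note that only PE1 ever interprets label 100: the P routers act on the outer label alone, which is why the core needs no VPN knowledge.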
Agenda
MPLS VPN Explained
- Technology
- Configuration
PE-P Configuration
[Figure: PE1 interface s1 connected to P interface Se0]
PE1:
router ospf 1
 network 130.130.1.0 0.0.0.3 area 0
PE1:
router bgp 1
 no bgp default route-target filter
 neighbor 1.2.3.6 remote-as 1
 neighbor 1.2.3.6 update-source loopback0
 !
 address-family vpnv4
  neighbor 1.2.3.6 route-reflector-client
  neighbor 1.2.3.6 activate
 !
PE-CE Routing: BGP
[Figure: Site 1 (10.1.1.0/24) behind CE1 (192.168.10.2), connected to PE1 (192.168.10.1)]
PE1:
router bgp 1
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.10.2 remote-as 2
  neighbor 192.168.10.2 activate
 exit-address-family
 !
PE-CE Routing: OSPF
PE1:
router ospf 1
!
router ospf 2 vrf VPN-A
 network 192.168.10.0 0.0.0.255 area 0
 redistribute bgp 1 subnets
!
PE-CE Routing: RIP
[Figure: Site 1 (10.1.1.0/24) behind CE1 (192.168.10.2), connected to PE1 (192.168.10.1)]
PE1:
router rip
 !
 address-family ipv4 vrf VPN-A
  version 2
  no auto-summary
  network 192.168.10.0
  redistribute bgp 1 metric transparent
 !
PE-CE Routing: EIGRP
PE1:
router eigrp 1
 !
 address-family ipv4 vrf VPN-A
  no auto-summary
  network 192.168.10.0 0.0.0.255
  autonomous-system 1
  redistribute bgp 1 metric 100000 100 255 1 1500
 !
PE-CE Routing: Static
PE1:
ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
If the PE-CE protocol is not BGP, then the VPN routes of the other sites, learned via MP-iBGP, must be redistributed into the PE-CE protocol (shown above for RIP with "redistribute bgp 1 metric transparent").
For configuration hands-on, please attend the Configuring MPLS VPNs (LABCRT-2208) session.
Having familiarized ourselves with the IOS-based configuration, let's glance through the IOX-based configuration for VPNs.
PE-CE Routing: BGP (IOX)
[Figure: Site 1 (10.1.1.0/24) behind the CE (192.168.10.2), connected to the PE (192.168.10.1)]
router bgp 1
 vrf VPN-A
  rd 1:1
  address-family ipv4 unicast
   redistribute connected
  !
  neighbor 192.168.10.2
   remote-as 2
   address-family ipv4 unicast
    route-policy raj-temp in
   !
  !
 !
!
Agenda
MPLS VPN Explained
MPLS-VPN Services
1. Providing Load-Shared Traffic to the Multihomed VPN Sites
2. Providing Hub and Spoke Service to the VPN Customers
3. Providing MPLS VPN Extranet Service
4. Providing Internet Access Service to VPN Customers
5. Providing VRF-Selection Based Services
6. Providing Remote Access MPLS VPN
7. Providing VRF-Aware NAT Services
8. Providing QoS Service to VPNs
9. Providing Multicast Service to VPNs
10. Providing MPLS/VPN over IP Transport
11. Providing Multi-VRF CE Service
MPLS-VPN Services:
1. Load-Shared Traffic to the Multihomed VPN Sites
[Figure: Site A is multihomed to PE11 and PE12; Site B is behind CE2 on PE2]
- VPN sites (such as Site A) could be multihomed
- The VPN customer may demand that the traffic to the multihomed site be load-shared
[Figure: multihoming model with 2 CEs and 2 PEs: Site A's CE1 and CE2 connect to PE11 and PE12; the RR reflects the paths for the multihomed prefix 171.68.2.0/24 to PE2, which serves Site B]
- Enable BGP multipath within the relevant BGP VRF address family at the remote/receiving PE2 (why PE2? because PE2 is the router that holds the two VPNv4 paths, via PE11 and PE12, for the multihomed prefix; for it to see both, each PE must export the prefix with a unique RD, see best practice 1)
[Figure: PE11 and PE12 both export 171.68.2.0/24 via the RR; PE2, serving CE2, receives both paths over the MPLS backbone]
VRF configuration:
ip vrf green
 rd 300:11
 route-target both 1:1
PE2:
router bgp 1
 address-family ipv4 vrf green
  maximum-paths eibgp 2
[Figure: Site A multihomed via PE11 and PE12; Site B via PE2; MPLS backbone in between]
- In the classic case, PE11, upon detecting the PE-CE link failure, sends a BGP message to withdraw all the related VPN routes from the MPLS/VPN network
- This results in the remote PE routers selecting the alternate best path (if any), but until then they keep sending the MPLS/VPN traffic to PE11, which keeps dropping it
- IOS and IOX now incorporate a Fast Local Repair feature to reduce the loss due to a PE-CE link failure from seconds to milliseconds
[Figure: after its PE-CE link fails, PE11 redirects the CE1-bound traffic to PE12 across the MPLS backbone; the RR and PE2 still point at PE11 until they process the withdraw]
- This feature lets PE11 reduce the traffic loss from seconds to milliseconds by redirecting the CE1-bound traffic to PE12 (with the right label), which forwards it to CE1
- PE11 immediately reprograms the forwarding entry after selecting the alternate BGP best path (which is via PE12)
- In parallel, PE11 sends the BGP withdraw message to the RR/PE2, which run the best-path algorithm, remove the path learned via PE11 and then adjust their forwarding entries to point via PE12
- This feature is independent of whether multipath is enabled on PE2; it does, however, depend on the VPN site being multihomed
MPLS-VPN Services:
2. Hub and Spoke Service to the VPN Customers
- Traditionally, VPN deployments were hub and spoke, and they need to remain so for valid reasons
- Spoke-to-spoke communication is via the hub site only
- Despite the implicit any-to-any (full-mesh) connectivity of MPLS VPNs, a hub and spoke service can easily be offered
- Done with import and export of route-target (RT) values; requires a unique RD per VRF per PE
- PE routers can run any routing protocol with the VPN customer's hub and spoke sites independently
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration
[Figure: Spoke A (171.68.1.0/24, CE-SA, PE-SA) and Spoke B (171.68.2.0/24, CE-SB, PE-SB) across the MPLS VPN backbone to PE-Hub, which connects to the hub CE over two subinterfaces (Eth0/0.1 and Eth0/0.2), one in VRF HUB-OUT and one in VRF HUB-IN]
PE-SA:
ip vrf green-spoke1
 description VRF for SPOKE A
 rd 300:111
 route-target export 1:1
 route-target import 2:2
PE-SB:
ip vrf green-spoke2
 description VRF for SPOKE B
 rd 300:112
 route-target export 1:1
 route-target import 2:2
PE-Hub:
ip vrf HUB-OUT
 description VRF for traffic from HUB
 rd 300:11
 route-target import 1:1
!
ip vrf HUB-IN
 description VRF for traffic to HUB
 rd 300:12
 route-target export 2:2
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration
- If BGP is used between every PE and CE, then the as-override and allowas-in knobs must be used at PE-Hub; otherwise the AS_PATH loop check will reject the routes
- If the spoke sites only need the default route from the hub site, then it is possible to use a single interface between PE-Hub and CE-Hub (instead of the two interfaces shown on the previous slide)
- Let the CE-Hub router advertise the default or aggregate; avoid generating a BGP aggregate at the PE
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration (BGP on the PE-CE links)
[Figure: same topology as the previous slide; the spoke VRFs green-spoke1 (rd 300:111) and green-spoke2 (rd 300:112) and the hub VRFs HUB-OUT (rd 300:11, import 1:1) and HUB-IN (rd 300:12, export 2:2) are configured as shown there]
PE-Hub:
router bgp <ASN>
 address-family ipv4 vrf HUB-OUT
  neighbor <CE> as-override
 !
 address-family ipv4 vrf HUB-IN
  neighbor <CE> allowas-in 2
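Why the hub PE needs both knobs, as an added example that walks the AS_PATH through the spoke-hub-spoke path (editorial code, not Cisco's and not from the deck). Assumed: the provider runs AS 1 (as in the deck's "router bgp 1"), every customer site uses the same AS 65000 (the common case that makes as-override necessary), and the spoke PEs also use as-override toward their CEs. The "allowas-in 2" value is the slide's; the walk shows why 1 would not be enough.

```python
"""AS_PATH loop prevention on the hub-and-spoke path. Added example, not Cisco
code. Provider AS 1 and customer-site AS 65000 are assumed values."""


def ebgp_send(as_path, local_as, neighbor_as, as_override=False):
    """Path as advertised over eBGP: with as-override every occurrence of the
    neighbor's AS is replaced by ours, then our AS is prepended."""
    path = [local_as if (as_override and asn == neighbor_as) else asn for asn in as_path]
    return [local_as] + path


def ebgp_accept(as_path, local_as, allowas_in=0):
    """Default loop check rejects a path containing our own AS; allowas-in N
    tolerates up to N occurrences."""
    return as_path.count(local_as) <= allowas_in


def spoke_to_spoke(provider_as=1, site_as=65000, hub_as_override=True,
                   hub_allowas_in=2, spoke_as_override=True):
    """Follow a Spoke A route to Spoke B via the hub CE. Returns the AS_PATH
    seen at each eBGP hop and where (if anywhere) the route is dropped."""
    trace = {}
    # 1. CE-SA originates 171.68.1.0/24 and sends it to PE-SA over eBGP
    path = ebgp_send([], site_as, provider_as)
    if not ebgp_accept(path, provider_as):
        return trace, "dropped at PE-SA"
    trace["PE-SA<-CE-SA"] = path
    # 2. MP-iBGP to PE-Hub (export RT 1:1 -> imported by HUB-OUT): AS_PATH unchanged
    # 3. PE-Hub (VRF HUB-OUT) -> CE-Hub over eBGP
    path = ebgp_send(path, provider_as, site_as, as_override=hub_as_override)
    if not ebgp_accept(path, site_as):
        return trace, "dropped at CE-Hub (own AS in path)"
    trace["CE-Hub<-PE-Hub"] = path
    # 4. CE-Hub re-advertises the spoke route (or its aggregate) to PE-Hub, VRF HUB-IN
    path = ebgp_send(path, site_as, provider_as)
    if not ebgp_accept(path, provider_as, allowas_in=hub_allowas_in):
        return trace, "dropped at PE-Hub HUB-IN (provider AS in path)"
    trace["PE-Hub<-CE-Hub"] = path
    # 5. HUB-IN exports RT 2:2 -> spoke VRFs import it; PE-SB -> CE-SB over eBGP
    path = ebgp_send(path, provider_as, site_as, as_override=spoke_as_override)
    if not ebgp_accept(path, site_as):
        return trace, "dropped at CE-SB (own AS in path)"
    trace["CE-SB<-PE-SB"] = path
    return trace, "installed at CE-SB"


if __name__ == "__main__":
    for kwargs in ({}, {"hub_allowas_in": 0}, {"hub_as_override": False}):
        print(kwargs, spoke_to_spoke(**kwargs))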
MPLS-VPN Services:
2. Hub and Spoke Service: Control Plane
[Figure: Spoke A (171.68.1.0/24, CE-SA, PE-SA) and Spoke B (171.68.2.0/24, CE-SB, PE-SB) across the MPLS backbone; PE-SB sends the MP-iBGP update 171.68.2.0/24, label 50, route-target 1:1, which the hub's HUB-OUT VRF imports; the spokes in turn import 171.68.0.0/16 from PE-Hub with label 35]
VRF FIB and LFIB at PE-SA:
  171.68.0.0/16 -> PE-Hub, label 35
  171.68.1.0/24 -> CE-SA
VRF FIB and LFIB at PE-SB:
  171.68.0.0/16 -> PE-Hub, label 35
  171.68.2.0/24 -> CE-SB
MPLS-VPN Services:
2. Hub and Spoke Service: Forwarding Plane (how the spoke-to-spoke traffic flows)
[Figure: a packet from Spoke B (171.68.2.0/24) to 171.68.1.1 in Spoke A: PE-SB imposes label 35 (learned for 171.68.0.0/16 from PE-Hub) under the transport label L1 and sends it to PE-Hub, which delivers it to the hub CE through VRF HUB-IN; the hub CE routes it back to PE-Hub through VRF HUB-OUT, which forwards it to PE-SA, and PE-SA delivers it to CE-SA]
MPLS-VPN Services:
2. Hub and Spoke Service: Half-Duplex VRF
[Figure: Spoke A (171.68.1.0/24, CE-SA) and Spoke B (171.68.2.0/24, CE-SB) both attached to PE-SA, which holds an upstream VRF (red-vrf) and a downstream VRF (blue-vrf); the hub PE keeps HUB-OUT and HUB-IN as before]
PE-SA:
ip vrf red-vrf
 description VRF upstream flow
 rd 300:111
 route-target import 2:2
!
ip vrf blue-vrf
 description VRF downstream flow
 rd 300:112
 route-target export 1:1
PE-Hub:
ip vrf HUB-OUT
 description VRF for traffic from HUB
 rd 300:11
 route-target import 1:1
!
ip vrf HUB-IN
 description VRF for traffic to HUB
 rd 300:12
 route-target export 2:2
- PE-SA installs the spoke routes only in the downstream VRF, i.e., blue-vrf
- PE-SA forwards the incoming IP traffic (from the spokes) using the upstream VRF, i.e., the red-vrf routing table
MPLS-VPN Services
3. Extranet VPN
- Needs the right import and export route-target (RT) values configured within the VRFs
- An export-map or import-map should be used when only some prefixes of a VRF are to be shared
MPLS-VPN Services:
3. Extranet VPN: Configuration
[Figure: VPN_B Site #1 (180.1.0.0/16) attached to PE1 (Serial 0); VPN_A Site #1 is 171.68.0.0/16 (the prefix named in the access lists); each VPN also has a Site #2]
ip vrf VPN_A
 rd 3000:111
 export map VPN_A_Export
 import map VPN_A_Import
 route-target import 3000:111
 route-target export 3000:111
 route-target import 3000:1
!
route-map VPN_A_Export permit 10
 match ip address 1
 set extcommunity rt 3000:2 additive
!
route-map VPN_A_Import permit 10
 match ip address 2
!
ip vrf VPN_B
 rd 3000:222
 export map VPN_B_Export
 import map VPN_B_Import
 route-target import 3000:222
 route-target export 3000:222
 route-target import 3000:2
!
route-map VPN_B_Export permit 10
 match ip address 2
 set extcommunity rt 3000:1 additive
!
route-map VPN_B_Import permit 10
 match ip address 1
!
access-list 1 permit 171.68.0.0 0.0.0.0
access-list 2 permit 180.1.0.0 0.0.0.0
Only Site #1 of both VPN_A and VPN_B would communicate with each other; Site #2 won't be part of it.
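The selective extranet above as an added example (editorial code, not Cisco's and not from the deck): the export-map adds the extra RT only to prefixes the access list permits, and the import-map is a second gate on the receiving VRF after the RT match. The VRF names, RTs, route-map/ACL logic are the slide's; the standard-ACL matching of a route (network address against a wildcard mask, so "permit 171.68.0.0 0.0.0.0" matches only the prefix whose network address is exactly 171.68.0.0) and the sample Site #2 prefixes are assumptions.

```python
"""Extranet with export-map / import-map filtering. Added example, not Cisco code.
VRF and RT values follow the slide; sample routes are constructed."""
import ipaddress

# access-list N entries as (address, wildcard); from the slide
ACL = {1: [("171.68.0.0", "0.0.0.0")], 2: [("180.1.0.0", "0.0.0.0")]}

VRFS = {
    "VPN_A": {"export_rts": {"3000:111"}, "import_rts": {"3000:111", "3000:1"},
              "export_map": (1, "3000:2"),   # match acl 1 -> set extcommunity rt 3000:2 additive
              "import_map": 2},              # match acl 2
    "VPN_B": {"export_rts": {"3000:222"}, "import_rts": {"3000:222", "3000:2"},
              "export_map": (2, "3000:1"),
              "import_map": 1},
}


def acl_permits(entries, prefix):
    """Standard ACL applied to a route in a route-map: the route's network
    address is compared with the ACL address under the wildcard mask (assumed model)."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for addr, wildcard in entries:
        a, w = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(wildcard))
        if (net & ~w) == (a & ~w):
            return True
    return False


def export_rts(vrf_name, prefix):
    """RTs a prefix leaves the VRF with: the static export RTs plus, when the
    export-map matches, the additive RT."""
    vrf = VRFS[vrf_name]
    rts = set(vrf["export_rts"])
    acl_id, extra = vrf["export_map"]
    if acl_permits(ACL[acl_id], prefix):
        rts.add(extra)
    return rts


def imports(vrf_name, prefix, rts):
    """A VRF installs a route only if an import RT matches AND its import-map permits the prefix."""
    vrf = VRFS[vrf_name]
    if not (vrf["import_rts"] & rts):
        return False
    return acl_permits(ACL[vrf["import_map"]], prefix)


def extranet_matrix(routes):
    """routes: iterable of (origin_vrf, prefix). Returns, per route, the other
    VRFs on the PE that end up importing it."""
    result = {}
    for origin, prefix in routes:
        rts = export_rts(origin, prefix)
        result[(origin, prefix)] = sorted(v for v in VRFS if v != origin and imports(v, prefix, rts))
    return result


if __name__ == "__main__":
    sample = [("VPN_A", "171.68.0.0/16"), ("VPN_A", "171.68.5.0/24"),   # Site #1 and an assumed Site #2 prefix
              ("VPN_B", "180.1.0.0/16"), ("VPN_B", "180.1.9.0/24")]
    for k, v in extranet_matrix(sample).items():
        print(k, "->", v)
```

The import-map matters when another VRF starts exporting the shared RT for prefixes you did not agree to receive: the RT alone would let them in, the import-map keeps the leak to the agreed prefixes.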
MPLS-VPN Services
4. Internet Access Service to VPN Customers
- Internet access could be provided as another value-added service to VPN customers
- Security mechanisms must be in place in both the provider network and the customer network to protect against Internet-borne threats
- VPN customers benefit from a single point of contact for both intranet and Internet connectivity
MPLS-VPN Services
4. Internet Access: Different Methods of Service
1. VRF-specific default route
   1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
   1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
MPLS-VPN Services:
4.1 Internet Access: VRF-Specific Default Route
[Figure: Site 1 (CE1, 171.68.0.0/16) on PE1 (Serial 0, 192.168.1.2), across the MPLS backbone (P) to the Internet GW / ASBR (192.168.1.1), which connects to the Internet]
PE1:
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 redistribute static
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
!
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
ip route 171.68.0.0 255.255.0.0 Serial0
- A default route pointing to the ASBR is installed into the site VRF at each PE (the "global" keyword resolves the next hop in the global routing table)
- A static route for the site prefix, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP
[Figure (forwarding plane): a packet from Site 1 with D=cisco.com leaves PE1 (192.168.1.2) toward the Internet GW / ASBR (192.168.1.1, Se0 to the Internet) in the global table; a returning packet with D=171.68.1.1 is label-switched from the ASBR to PE1 with label 35 and delivered on PE1's Serial 0]
Global table and LFIB at the Internet GW / ASBR:
  192.168.1.2/32 (PE1) -> label 35
  171.68.0.0/16        -> 192.168.1.2
  Internet             -> Serial 0
VRF routing/FIB table at PE1 (VPN-A):
  0.0.0.0/0            -> 192.168.1.1 (global)
  Site-1               -> Serial 0
Advantages
- Different Internet gateways can be used for different VRFs
- PE routers need not hold the Internet table
- Simple configuration
Disadvantages
- Using the default route for Internet routing does not allow any other default route for intra-VPN routing
- The global routing table grows as VPN routes are leaked into it
- Static configuration (possibility of traffic blackholing)
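The two-table resolution that makes method 4.1 work, as an added example (editorial code, not Cisco's and not from the deck): a VRF lookup whose default route carries the "global" keyword is resolved recursively in the global table, while traffic from the Internet is matched in the global table against the leaked site route that points at the VRF interface. The VRF, prefixes, static routes and interfaces are the slide's; the Internet destination, the backbone interface toward 192.168.1.1 and the failure case (global table without a path to the gateway, the blackholing the slide warns about) are assumptions.

```python
"""VRF-specific default route: recursive lookup across VRF and global tables.
Added example, not Cisco code; table contents are constructed from the slide."""
import ipaddress

# prefix -> (next_hop, resolution): resolution is an outgoing interface, or
# "global" when the next hop must be resolved in the global routing table.
VRF_TABLE = {
    "VPN-A": {
        "0.0.0.0/0":     ("192.168.1.1", "global"),   # ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
        "171.68.0.0/16": ("192.168.10.2", "Serial0"),  # Site-1 via CE1 (assumed learned from the PE-CE protocol)
    }
}
GLOBAL_TABLE = {
    "171.68.0.0/16":  (None, "Serial0"),    # ip route 171.68.0.0 255.255.0.0 Serial0 (the VRF interface)
    "192.168.1.1/32": (None, "Ethernet0"),  # assumed: backbone path to the Internet GW / ASBR
}


def lpm(table, dst):
    """Longest-prefix match; returns (prefix, entry) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else (str(best[0]), best[1])


def route_from_vrf(vrf, dst, global_table=None):
    """Packet arriving on the VRF interface. A 'global' next hop is resolved in
    the global table; if that fails the packet has nowhere to go (blackhole)."""
    global_table = GLOBAL_TABLE if global_table is None else global_table
    hit = lpm(VRF_TABLE[vrf], dst)
    if hit is None:
        return None
    prefix, (next_hop, where) = hit
    if where != "global":
        return {"vrf_prefix": prefix, "next_hop": next_hop, "table": vrf, "interface": where}
    resolved = lpm(global_table, next_hop)
    return {"vrf_prefix": prefix, "next_hop": next_hop, "table": "global",
            "interface": None if resolved is None else resolved[1][1]}


def route_from_internet(dst):
    """Packet arriving from the Internet GW: plain global-table lookup; the
    leaked static route hands it to the VRF interface."""
    hit = lpm(GLOBAL_TABLE, dst)
    if hit is None:
        return None
    prefix, (_, iface) = hit
    return {"global_prefix": prefix, "interface": iface}


if __name__ == "__main__":
    print(route_from_vrf("VPN-A", "198.51.100.10"))   # assumed Internet destination
    print(route_from_internet("171.68.1.1"))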
MPLS-VPN Services
4.2 Internet Access
[Figure: PE1 connects to the CE over two Frame Relay subinterfaces, Se0.1 in VRF VPN-A and Se0.2 in the global table; the ASBR / Internet GW connects the MPLS backbone to the Internet]
PE1:
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0.1
 ip vrf forwarding VPN-A
 ip address 192.168.20.1 255.255.255.0
 frame-relay interface-dlci 100
!
interface Serial0.2
 ip address 171.68.10.1 255.255.255.0
 frame-relay interface-dlci 200
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 171.68.10.2 remote-as 502
 !
 ! with "no bgp default ipv4-unicast" the neighbor must be activated explicitly
 address-family ipv4
  neighbor 171.68.10.2 activate
[Figure (forwarding plane): the CE sends VPN traffic on S0.1 (into PE1's VRF) and Internet traffic (D=cisco.com) on S0.2 (into PE1's global table), from where it reaches the PE-Internet GW at 192.168.1.1 and the Internet]
CE routing table:
  VPN routes      -> Serial0.1
  Internet routes -> Serial0.2
Pros
- The CE could dual-home and perform optimal routing
- Traffic separation is done by the CE
Cons
- The PE has to hold full Internet routes
- BGP complexities are introduced in the CE; CE1 may need to aggregate to avoid AS_PATH looping
- The Internet routes could be placed within a VRF at the Internet GW, i.e., the ASBR
- Customer VRFs could form an extranet with the Internet VRF and receive either default, partial or full Internet routes; be careful if multiple customer VRFs at the same PE import full Internet routes
- Works well only if the VPN customers don't have overlapping addresses
- If the VPN customers need Internet access without receiving Internet routes, then VRF-aware NAT can be used at the Internet GW, i.e., the ASBR
- The Internet GW doesn't need to hold Internet routes either
- Overlapping VPN addresses are no longer a problem
- More in the VRF-aware NAT slides
MPLS-VPN Services
7. VRF-Aware NAT Services
- Typically, inside interface(s) connect to private address space and outside interface(s) connect to global address space
- NAT occurs after routing for traffic from inside to outside interfaces
- NAT occurs before routing for traffic from outside to inside interfaces
- Works on VPN packets in the following switching paths: IP->IP, IP->MPLS and MPLS->IP
MPLS-VPN Services:
7. VRF-Aware NAT Services: Internet Access
[Figure: CE1 (10.1.1.0/24) on PE11; PE11 across the core to PE12, the ASBR, whose VRF-facing side is "ip nat inside" and whose link to the Internet (next hop 217.34.42.2) is "ip nat outside"]
PE-ASBR (PE12), VRF-specific configuration:
ip vrf green
 rd 3000:111
 route-target both 3000:1
!
ip vrf blue
 rd 3000:222
 route-target both 3000:2
!
router bgp 3000
 address-family ipv4 vrf green
  network 0.0.0.0
 !
 address-family ipv4 vrf blue
  network 0.0.0.0
PE-ASBR (PE12), VRF-aware NAT specific configuration:
ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
ip nat inside source list vpn-to-nat pool pool-green vrf green
ip nat inside source list vpn-to-nat pool pool-blue vrf blue
!
ip access-list standard vpn-to-nat
 permit 10.1.1.0 0.0.0.255
!
ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global
MPLS-VPN Services:
7. VRF-Aware NAT Services: Internet Access (Traffic Flows)
[Figure: CE1 sends Src=10.1.1.1, Dest=Internet to PE11; PE11 forwards it as an MPLS packet (label 30 toward P, label 40 from P to PE12); PE12 forwards it to the Internet as an IP packet]
NAT table at the PE-ASBR:
  Global IP   VRF table id
  24.1.1.1    green
  25.1.1.1    blue
- The PE-ASBR removes the label from the received MPLS packets per the LFIB
- It performs NAT on the resulting IP packets
- It forwards the packet to the Internet
- Returning packets are NATed, put back in the VRF context and then routed
- This is also one of the ways to provide Internet access to VPN customers with or without overlapping addresses
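The NAT table above as an added example (editorial code, not Cisco's and not from the deck): translation state is keyed by (VRF, inside address), so the same 10.1.1.1 in VRF green and in VRF blue gets a different global address from its own pool, and the reverse lookup on a returning packet recovers the VRF before routing. Pools, VRF names and the access list are the slide's; that the pool is dynamic without port overloading (one global address per inside host, as configured) and the pool-exhaustion handling are assumptions.

```python
"""VRF-aware NAT with overlapping inside addresses. Added example, not Cisco
code; pool and ACL values follow the slide, behaviour on exhaustion is assumed."""
import ipaddress

POOLS = {"green": ipaddress.ip_network("24.1.1.0/24"),   # ip nat pool pool-green 24.1.1.0 24.1.1.254
         "blue":  ipaddress.ip_network("25.1.1.0/24")}   # ip nat pool pool-blue  25.1.1.0 25.1.1.254
NAT_ACL = ipaddress.ip_network("10.1.1.0/24")            # ip access-list standard vpn-to-nat


class VrfAwareNat:
    def __init__(self):
        self.table = {}      # (vrf, inside_ip) -> global_ip
        self.reverse = {}    # global_ip -> (vrf, inside_ip)
        self._free = {vrf: iter(net.hosts()) for vrf, net in POOLS.items()}

    def inside_to_outside(self, vrf, src_ip):
        """MPLS->IP direction: the VPN label has already selected the VRF, so
        the packet arrives with a VRF context. Returns the translated source,
        or None when the packet is not subject to NAT or the pool is exhausted."""
        if vrf not in POOLS or ipaddress.ip_address(src_ip) not in NAT_ACL:
            return None                          # ACL vpn-to-nat does not match, or no pool for this VRF
        key = (vrf, src_ip)
        if key not in self.table:
            try:
                global_ip = str(next(self._free[vrf]))
            except StopIteration:
                return None                      # assumed: pool exhausted, packet dropped
            self.table[key] = global_ip
            self.reverse[global_ip] = key
        return self.table[key]

    def outside_to_inside(self, dst_ip):
        """Returning packet: NAT happens before routing, and the global address
        alone identifies both the inside host and the VRF to route in."""
        return self.reverse.get(dst_ip)


if __name__ == "__main__":
    nat = VrfAwareNat()
    print(nat.inside_to_outside("green", "10.1.1.1"), nat.inside_to_outside("blue", "10.1.1.1"))
    print(nat.outside_to_inside("25.1.1.1"))
```

Because the global address encodes the VRF (one pool per VRF), the ASBR can return traffic to the right customer even though the inside addresses collide; that is the property the slide relies on for overlapping VPN address spaces.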
MPLS-VPN Services:
11. Providing Multi-VRF CE Service
- Is it possible for an IP router to keep multiple customer connections separated?
- Yes, multi-VRF CE, a.k.a. VRF-lite, can be used
- Multi-VRF CE provides multiple virtual routing tables (and forwarding tables), one per customer, at the CE router
- Not a feature but an application based on the VRF implementation; any routing protocol that is supported by a normal VRF can be used in a multi-VRF CE implementation
- Note that no MPLS functionality is needed on the CE: there is no label exchange between the CE and any router (including the PE)
- One deployment model is to extend the VRFs to the CE; another is to extend them further inside the campus => virtualization
- Campus virtualization blends really well with this
MPLS-VPN Services:
11. Providing Multi-VRF CE Service: One Deployment Model, Extending MPLS/VPN to the CE
[Figure: a campus with VRF Green and VRF Red behind a multi-VRF CE router, which connects to the PE router over a subinterface link*; the PE router carries the VRFs across the MPLS network to another PE and campus]
PE router:
ip vrf green
 rd 3000:111
 route-target both 3000:1
!
ip vrf blue
 rd 3000:222
 route-target both 3000:2
!
ip vrf red
 rd 3000:333
 route-target both 3000:3
Multi-VRF CE router:
ip vrf green
 rd 3000:111
!
ip vrf blue
 rd 3000:222
!
ip vrf red
 rd 3000:333
* Subinterface link: any interface type that supports subinterfaces, e.g., FE VLANs, Frame Relay or ATM VCs
Best Practices
1. Consider a unique RD per VRF per PE if load sharing of VPN traffic is required
2. Don't use customer names as the VRF names; that is a nightmare for the NOC
3. Use a simple combination of numbers and characters in the VRF name, for example v101, v102, v201, v202, etc.
4. Use the VRF description
5. PE-CE IP addresses should come out of the SP's public address space to avoid overlapping; use /31 subnetting on PE-CE interfaces
6. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor:
   - max-prefix within the VRF configuration; do suppress the inactive routes
   - max-prefix per neighbor within the BGP VRF address family (if BGP is used on the PE-CE link)
Conclusion
- MPLS VPN is becoming a cheaper and faster alternative to traditional L2 VPNs
- Secure VPN
- CsC and Inter-AS could be used to expand into new markets
- VRF-aware services could be deployed to maximize the investment
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Additional Slides
Agenda
Advanced MPLS VPN Topics
- Inter-AS MPLS-VPN
- Carrier Supporting Carrier (CsC)
What Is Inter-AS?
[Figure: a VPN-A site (CE-1, 149.27.2.0/24) on PE-1 in Provider X (AS #1, with RR1 and ASBR1) and another VPN-A site (CE2) on PE2 in Provider Y (AS #2, with RR2 and ASBR2). CE-1 advertises 149.27.2.0/24, NH=CE-1 via BGP, OSPF or RIPv2; PE-1 sends the MP-iBGP update to RR1; "???" marks the gap between ASBR1 and ASBR2]
Problem: how does the VPNv4 route from PE-1 reach PE2 in the other provider's AS?
[Figure (Inter-AS options): VPN-A sites CE1 (on PE1 in AS #1) and CE2 (on PE2 in AS #2); Option C is marked between the ASes, and option 4 is a non-VPN transit provider between the two ASes]
Each option is covered in the additional slides.
[Figure (Scenario 1, control plane): CE-3 (VPN-B, 10.1.1.0/24) advertises 10.1.1.0/24, NH=PE-2 to PE-2 over BGP, OSPF or RIPv2; the figure shows the VPN-v4 update RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(92), and the VPN-B VRF on the ASBR importing routes with route-target 1:1; PE-1 serves CE-2 (VPN-B)]
[Figure (Scenario 1, forwarding plane): a packet to 10.1.1.1 enters at PE-1, is label-switched through P1 to ASBR-1, crosses the ASBR-1 to ASBR-2 link as a plain IP packet, and is re-labelled by ASBR-2 (label stack 20 / 92 through P2) toward PE-2, which delivers it to VPN-B]
Pros
- Per-customer QoS is possible
- It is simple and elegant since there is no need to load the Inter-AS code (but it is still not widely deployed)
Cons
- Not scalable: the number of interfaces on both ASBRs is directly proportional to the number of VRFs
- No end-to-end MPLS
- Unnecessary memory consumed in RIB/(L)FIB
- Dual-homing of the ASBR makes provisioning worse
[Figure (Scenario 2): VPN-A sites on PE1 in AS #1 and PE2 in AS #2; the ASBRs exchange VPNv4 routes directly over MP-eBGP]
Note: the ASBR must already have MP-iBGP sessions with iBGP neighbors such as RRs or PEs.
[Figure (Scenario 2, control plane): CE-3 (VPN-B) advertises 10.1.1.0/24, NH=PE-2 to PE-2 over BGP, OSPF or RIPv2; the update is passed on toward PE-1's AS as RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(30)]
[Figure (Scenario 2, forwarding plane): the packet to 10.1.1.1 leaves PE-1 with the label stack 20 / 30, is swapped at ASBR-1 and again at ASBR-2 across the single ASBR link, and carries label 40 through P2 toward PE-2 (labels as shown in the figure)]
Pros
- More scalable
- Only one interface between the ASBR routers
- No VRF configuration on the ASBR; less memory consumption (no RIB/FIB memory)
Cons
- Automatic route-target filtering must be disabled, but BGP filtering can be applied instead
[Figure (Scenario 2, configuration): PE1 (AS #1) and PE2 (AS #2) serve the VPN-A sites CE-1 and CE-2; the ASBRs are linked over 1.1.1.0/30]
ASBR MP-eBGP configuration (x stands for the local/remote AS number and address as appropriate):
router bgp x
 no bgp default route-target filter
 neighbor 1.1.1.x remote-as x
 !
 address-family vpnv4
  neighbor 1.1.1.x activate
  neighbor 1.1.1.x send-community extended
Note: the ASBR must already have MP-iBGP sessions with iBGP neighbors such as RRs or PEs.
- Exchange IPv4 routes with labels between directly connected ASBRs using eBGP
- Only the PE loopback addresses need to be exchanged (they are the BGP next-hop addresses of the VPN routes)
Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes: Control Plane
[Figure: CE-3 (VPN-B, 10.1.1.0/24) on PE-1 in AS#1; CE-2 (VPN-B) on a PE in AS#2. The VPN-v4 update RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(90) goes from PE-1 via the AS#1 RR over multihop MP-eBGP to RR-2 and on to the AS#2 PE with the next hop unchanged. The PE-1 address is distributed with a label: in AS#1 via IGP+LDP (Network=PE-1, NH=PE-1, Label=(40)) and in AS#2 via IGP+LDP (Network=PE-1, NH=ASBR-2, Label=(30)), after ASBR-1 and ASBR-2 exchange it with eBGP IPv4+label]
Note: instead of IGP+label, iBGP+label can be used to exchange the PE routes/labels; please see Scenario #5 on slides 49 and 50.
Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes: Forwarding Plane
[Figure: a packet to 10.1.1.1 from the VPN-B site in AS#2 carries the label stacks shown in the figure: 50 / 90 at the AS#2 PE, 30 / 90 through P2 toward ASBR-2, 90 on the ASBR-2 to ASBR-1 link, 40 / 90 through P1 toward PE-1, which removes the VPN label 90 and delivers the IP packet to 10.1.1.0/24; RR-1 and RR-2 are not in the forwarding path]
Scenario 3: Pros/Cons
Pros
- More scalable than Scenarios 1 and 2
- Separation of the control and forwarding planes
Cons
- Advertising PE addresses to another AS may not be acceptable to some providers
[Figure (Scenario 3, configuration): RR-1/PE1 in AS #1 and RR-2/PE2 in AS #2 serve the VPN-A sites CE-1 and CE-2; the ASBRs run eBGP IPv4 + labels]
ASBR configuration:
router ospf x
 redistribute bgp 1 subnets
!
router bgp x
 neighbor <ASBR-x> remote-as x
 !
 address-family ipv4
  network <PEx> mask 255.255.255.255
  network <RRx> mask 255.255.255.255
  neighbor <ASBR-x> activate
  neighbor <ASBR-x> send-label
RR configuration:
router bgp x
 neighbor <RR-x> remote-as x
 neighbor <RR-x> ebgp-multihop
 neighbor <RR-x> update-source loopback 0
 !
 address-family vpnv4
  neighbor <RR-x> activate
  neighbor <RR-x> send-community extended
  neighbor <RR-x> next-hop-unchanged
iBGP IPv4+label could also be used within each AS (instead of network <x.x.x.x>) to propagate the label information for the PEs.
[Figure (subsequent scenarios): ASBR-1, ASBR-2 and ASBR-4 distribute the PE routes with iBGP IPv4 + labels inside each AS; the VPNv4 routes are carried with next-hop-unchanged over multihop MP-eBGP or MP-iBGP via RR-2; VPN-B sites CE-2 and CE-3 are behind their PEs]
Agenda
Advanced MPLS VPN Topics
- Inter-AS MPLS-VPN
- Carrier Supporting Carrier (CsC)
- If the number of VPN routes can be reduced somehow (without losing functionality), then the existing investment can be protected
- The same PE can still be used to connect more VPN customers
- Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes in each VRF by enabling MPLS on the PE-CE link
[Figure (CsC topology): the customer carrier's CE-2 and its routers ASBR-1/R1 and ASBR-2/R2, which connect to the Internet, behind PE2 of the backbone carrier]
Benefits of CsC
- Provide transport for ISPs ($)
- No need to manage external routes from ISPs
- Sell VPN service to subsidiary companies that provide VPN service ($)
[Figure (CsC deployment models): P1, PE1 and PE2 in the backbone carrier's core, with IGP+LDP running on the PE-CE links; ASBR-1/R1 and ASBR-2/R2 of the customer carrier connect to the Internet]
Models 1 and 2 are less common deployments; Model 3 will be discussed in detail.
CsC: ISP Sites Are Running MPLS-VPN (Hierarchical MPLS-VPN): Control Plane
[Figure: VPN Site-1 (R1, network 10.1.1.0/24) and VPN Site-2 (R2) of the customer carrier (ISP); its ASBR_PE-1 (loopback 30.1.61.25/32) and ASBR_PE-2 attach via CE-1 and CE-2 to PE1 and PE2 of the backbone carrier's core (P1)]
Control plane, as shown in the figure:
- The ISP's VPN route 10.1.1.0/24 (NH=R1 at ASBR_PE-1) is carried by the ISP's own MPLS-VPN from ASBR_PE-1 to ASBR_PE-2, which advertises it to R2 with NH=ASBR_PE-2; the backbone carrier does not carry it
- The backbone carrier carries only the ISP's PE loopback: CE-1 advertises 30.1.61.25/32 with IGP+LDP (NH=CE-1, Label=50); PE1 sends the MP-iBGP update 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51; on the far side it is advertised with IGP+LDP as 30.1.61.25/32, NH=CE-2, Label=60
- Backbone carrier core: IGP+LDP for Net=PE-1 (Label=16, and Label=pop at the penultimate hop)
CsC: ISP Sites Are Running MPLS-VPN (Hierarchical MPLS-VPN): Forwarding Plane
[Figure: a packet to 10.1.1.1 travels from VPN Site-2 (R2) to VPN Site-1 (R1, network 10.1.1.0/24) with the label stacks shown in the figure: 70 / 90 from R2, 60 / 90 and 52 / 90 on the customer-carrier and CE links, 16 / 51 / 90 and 51 / 90 inside the backbone carrier's core (P1), 50 / 90 toward CE-1; the innermost label 90 is the ISP's own VPN label for 10.1.1.0/24 and is removed only by the ISP's ASBR-1 before delivery to R1]