MPLS VPN Configuration

Mitrabh Shukla National IP Manager

Objectives

Upon completion of this chapter you will be able to:

Describe MPLS VPN mechanisms

Use the command line interface to configure a VPN

Verify VPN functionality

For internal use

2 © Nokia Siemens Networks

MPLS / Mitrabh Shukla


Agenda

What is a VPN?

How Do MPLS VPNs Work?

What Are Some Scaling Techniques?

How Do I Configure MPLS VPNs?

What is an MPLS VPN?

[Figure: sites of VPN A, VPN B and VPN C attached to a shared provider backbone]

MPLS-VPN Terminology

[Figure: sites of VPN A and VPN B (Site1, Site2) connected through AS100 and AS200]

VPN-Aware network

Provider Network

P router

PE router

Border Router

Customer Network

Site

CE router


Agenda

What is a VPN?

How do MPLS VPNs Work?

Control Plane

Forwarding Plane

What Are Some MPLS VPN Scaling Techniques?

How Do I Configure MPLS VPNs?

What Makes MPLS VPNs Work?

[Figure: VPN A and VPN B CE routers (prefixes 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached to PE routers; P routers in the core; MP-iBGP sessions between the PEs]

Five keys to MPLS VPN functionality:

1. MPLS Forwarding

2. Separation of VPN Routes (VPN Routing and Forwarding Instances (VRF))

3. VPN Membership Selection (Route Target)

4. IP Address Overlap (Route Distinguisher)

5. VPN Route Distribution (MP-BGP for VPN-ipv4)


1. MPLS Forwarding

MPLS VPN Requirement

PE to PE Label Switched Path (LSP)

[Figure: PE1 - P1 - P2 - PE2, with VRFs on PE1 and PE2]

PE1's perspective

Global routing table entries to reach:

PE2 -> next-hop: P1, label: 50
P2 -> next-hop: P1, label: 65
P1 -> next-hop: interface, label: pop

PE2's perspective

Global routing table entries to reach:

PE1 -> next-hop: P2, label: 25
P1 -> next-hop: P2, label: 35
P2 -> next-hop: interface, label: pop

2. How Are VPN Routes Kept Separate?

VPN Routing and Forwarding Instances (VRF) provide the separation

VRF = Routing Table for VPN

[Figure: Site-1 CE (Yellow) and Site-1 CE (Green) attached to a PE on the VPN backbone IGP (OSPF, IS-IS); the PE holds the VRFs alongside the Global Routing Table]

VRF (VPN Routing and Forwarding)

Assigned a symbolic name: ip vrf green

MPLS VPN Routing Requirements

Customer routers (CE-routers) have to run standard IP routing software

Provider core routers (P-routers) have no VPN routes

Provider edge routers (PE-routers) have to support MPLS VPN and Internet routing

MPLS VPN Routing (CE-Router Perspective)

[Figure: CE routers attached to PE routers at the edge of the MPLS VPN backbone]

Customer routers run standard IP routing software and exchange routing updates with the PE-router

EBGP, OSPF, RIPv2, EIGRP or static routes are supported

PE-router appears as another router in the customer’s network

MPLS VPN Routing

PE-Router Perspective

PE-routers:

Exchange VPN routes with CE-routers via per-VPN routing protocols

Exchange core routes with P-routers and PE-routers via core IGP

Exchange VPNv4 routes with other PE-routers via multi-protocol IBGP sessions

MPLS VPN Support for Internet Routing

PE-routers can run standard IPv4 BGP in the global routing table

Exchange Internet routes with other PE routers

CE-routers do not participate in Internet routing

P-routers do not need to participate in Internet routing


MPLS VPN End-to-End Routing Information Flow (1/3)

PE-routers receive IPv4 routing updates from CE-routers and install them in the appropriate Virtual Routing and Forwarding (VRF) table

MPLS VPN End-to-End Routing Information Flow (2/3)

PE-routers export VPN routes from VRF into MP-IBGP and propagate them as VPNv4 routes to other PE-routers

IBGP full mesh is needed between PE-routers

VRF CE Routing and Sharing

CE to PE Routing

[Figure: Site-1 Yellow CE and Site-1 Green CE connect to the PE, 1 interface attached to VRF each; CE to PE routing via EBGP, RIP, OSPF or static; the PE is on the VPN backbone IGP (OSPF, IS-IS)]

Sharing

[Figure: Site-1 Green CE and Site-2 Green CE, in the same VPN, attached to one PE on the VPN backbone IGP (OSPF, IS-IS)]

Multiple interfaces attached to VRF (Can NOT have multiple VRFs connected to 1 interface)

VRF and Multiple Routing Instances

[Figure: PE to CE routing processes (BGP, EIGRP, RIP, static, OSPF) feed routing contexts, which populate the VRF routing tables and VRF forwarding tables]

Routing processes support routing contexts (sub-processes within main process)

Populate specific VPN routing table and FIBs (VRF)

Separate OSPF process for each VRF

What are MPLS VPN Extranets?

[Figure: overlapping VPN A, VPN B and VPN C containing Site1 to Site5]

Belonging to more than one VRF

NOTE: A VRF is NOT a VPN

Terms sometimes used interchangeably, but they are NOT the same

VRF is the routing table

VPN is a collection of sites that can access that table

3. How is VPN Membership Determined?

VPN membership is based on filtering routes to be installed in VRF

Route Target import/export filtering

Route Target (RT) is a BGP Extended Community

Used to constrain distribution of routing information

Identifier for VRFs that may receive set of routes tagged with given RT (route filtering)

Based on RFC 2547

What is a Route Target?

Route Target (RT) is a BGP Extended Community

Used to constrain distribution of routing information

Identifier for VRFs that may receive set of routes tagged with given RT (route filtering)

What is a Route Distinguisher?

Route Distinguisher:

converts non-unique IP addresses into unique VPN-IPv4 addresses

Not used for constrained distribution of routing information (route filtering)

VPN-IPv4 addresses

Must be globally unique

Route Distinguisher (RD) + IP address

RDs are assigned by a service provider


4. How Can MPLS VPN Addresses Overlap?

[Figure: "Same Addresses": VPN A and VPN B sites behind PE routers, with 10.1.0.0 and 10.2.0.0 each used at more than one site; P routers in the core]

Route Distinguisher provides the separation

What is a Route Distinguisher?

Route Distinguisher:

converts non-unique IP addresses into unique VPN-IPv4 addresses (overlapping Private address)

Not used for constrained distribution of routing information (route filtering)

VPN-IPv4 addresses: Route Distinguisher (RD) 64 bits + IP address = 96 bits

RDs are assigned by a service provider

RDs should be globally unique

5. How are VPN Routes Distributed?

MP-iBGP (PE to PE) to carry VPN-IPv4 Information

[Figure: VPN yellow Site-1 (CE1) and Site-2 (CE2) attached to PE1 and PE2, with P1 and P2 in the core]

Why MP-iBGP?

BGP supports large numbers of routes

BGP is multi-protocol and scales

BGP does not require directly connected peers

BGP optional, transitive attributes


What is in an MP-BGP VPNv4 Update?

MP-iBGP (PE to PE) to carry VPN-IPv4 Information

[Figure: PE1 and PE2 connected across P1 and P2]

VPN-IPv4 update:

RD1:Net1, Next-hop=PE1, SOO=Site1, RT=Yellow, Label=10

VPN-IPv4 update:

RD2:Net1, Next-hop=PE1, SOO=Site1, RT=Green, Label=12

What is in an MP-BGP Update?

VPN-IPV4 address (96 bits)

Route Distinguisher (RD) (64 bits)

IPv4 address (32 bits)

Extended Community

Route target (RT) - required

Site of Origin (SOO) - optional

(prevents routing loops in multihomed CE topologies)

Any other standard BGP attribute (Ex. VPN Labels)

A second label in the label stack

Why MP-iBGP?

[Figure: MP-iBGP session between PE1 and PE2 across P1 and P2; VPN yellow Site-1 (CE1) and Site-2 (CE2)]

BGP supports large numbers of routes

BGP is multi-protocol and scales

BGP does not require directly connected peers

BGP has optional, transitive attributes

How Does the MPLS VPN Control Plane Work?

[Figure: CE1 (VPN B, 152.12.4.0/24) - PE1 - P1 - P2 - PE2 - CE2 (VPN B), annotated with the updates listed below]

BGP, OSPF, RIP: 152.12.4.0/24, NH=CE1

VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE1, RT=1:1, VPN Label=(29)

VPN-B VRF: import routes with route-target 1:1

BGP, OSPF, RIP: 152.12.4.0/24, NH=PE2

MPLS LSP Foundation

LDP Update: Next hop=PE1, Label=(imp-null)

LDP Update: Next hop=P1, Label=(41)

LDP Update: Next hop=P2, Label=(32)

How Does the MPLS VPN Forwarding Plane Work?

[Figure: packet for 152.12.4.6 travelling CE2 - PE2 - P2 - P1 - PE1 - CE1 within VPN B (152.12.4.0/24)]

Packet Forwarding Based on Stack of Labels

PE2: VRF lookup for 152.12.4.6 (NH=PE1, VPN Label=(29)), then MPLS forwarding table (LFIB) lookup for NH=PE1

Leaving PE2 (LSP/MPLS Label, VPN Label, destination): 32, 29, 152.12.4.6

P2: Label Swap: 41, 29, 152.12.4.6

P1: Penultimate Hop PoP (removal of LSP Label): 29, 152.12.4.6

PE1: LFIB lookup for label 29 = vrf VPN B, then VRF lookup for 152.12.4.6 (NH=CE1)

Agenda

What is a VPN?

How Do MPLS VPNs Work?

What Are Some Scaling Techniques?

How Do I Configure MPLS VPNs?

Scaling MPLS-VPN

Route Reflectors

[Figure: route reflectors serving Green and Yellow VPNs]

Use of Route Reflectors highly recommended

Route Reflectors may be partitioned

Each RR stores routes for a set of VPNs

Thus, no BGP router needs to store ALL VPN information

PEs will peer to RRs according to the VPNs they directly connect

MPLS-VPN Scaling

BGP Automatic Route Filtering (ARF)

[Figure: a PE with VRFs for VPNs yellow and green (Import RT=yellow, Import RT=green) receives VPN-IPv4 updates over MP-iBGP sessions]

VPN-IPv4 update:

RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ

VPN-IPv4 update:

RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ

Each VRF has an import and export policy configured

Policies use route-target attribute (extended community)

PE receives MP-iBGP updates for VPN-IPv4 routes

If route-target is equal to any of the import values configured in the PE, the update is accepted

Otherwise, it is silently discarded

MPLS-VPN Scaling

Route Refresh

[Figure: a PE with Import RT=yellow and Import RT=green gains Import RT=red]

1. PE doesn’t have red routes (previously filtered out)

2. PE issues a Route-Refresh to all neighbors in order to ask for re-transmit

VPN-IPv4 update:

RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ

VPN-IPv4 update:

RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ

3. Neighbors re-send updates and “red” route-target is now accepted

Policy may change in the PE if VRF modifications are done

New VRFs, removal of VRFs

However, the PE may not have stored routing information which becomes useful after a change

PE requests a re-transmission of updates to neighbors

Route-Refresh
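The RD, route-target filtering and Route-Refresh behaviour from the slides above, as an added Python example (not part of the original deck). It builds the 96-bit VPN-IPv4 address, applies the import-RT check, and replays updates after a VRF change; the numeric RT values, labels and the /16 prefix length are constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

def encode_rd(rd):
    """Encode 'ASN:nn' (type 0) or 'IP:nn' (type 1) as the 8-byte route distinguisher."""
    admin, _, assigned = rd.rpartition(":")
    if "." in admin:  # IP:variable -> type 1: 4-byte IPv4 administrator, 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))  # ASN:variable -> type 0

def vpn_ipv4(rd, network):
    """RD (64 bits) + IPv4 address (32 bits) = 96-bit VPN-IPv4 address."""
    return encode_rd(rd) + ipaddress.ip_network(network).network_address.packed

@dataclass(frozen=True)
class Vpnv4Update:
    rd: str
    prefix: str
    next_hop: str
    route_targets: frozenset
    label: int

@dataclass
class Vrf:
    name: str
    import_rts: set
    routes: dict = field(default_factory=dict)  # prefix -> (next hop, VPN label)

class PE:
    def __init__(self, vrfs):
        self.vrfs = list(vrfs)
        self.discarded = 0  # counted only: a filtered update is not stored

    def receive(self, upd):
        """Install the route in every VRF whose import RT matches, else discard silently."""
        accepted = False
        for vrf in self.vrfs:
            if vrf.import_rts & upd.route_targets:
                vrf.routes[upd.prefix] = (upd.next_hop, upd.label)
                accepted = True
        if not accepted:
            self.discarded += 1
        return accepted

def run_demo():
    # Constructed sample: RT 100:1 = yellow, 100:2 = green, 100:3 = red.
    yellow, green = Vrf("yellow", {"100:1"}), Vrf("green", {"100:2"})
    pe = PE([yellow, green])
    # What the neighbor PE-X advertises: the same prefix in two VPNs, kept apart by the RD.
    neighbor_updates = [
        Vpnv4Update("100:20", "10.1.0.0/16", "PE-X", frozenset({"100:2"}), 12),
        Vpnv4Update("100:30", "10.1.0.0/16", "PE-X", frozenset({"100:3"}), 17),
    ]
    first_pass = [pe.receive(u) for u in neighbor_updates]
    # VRF change: a red VRF is added. The red route was filtered earlier and not kept,
    # so the PE asks for a Route-Refresh and the neighbor re-sends its updates.
    red = Vrf("red", {"100:3"})
    pe.vrfs.append(red)
    second_pass = [pe.receive(u) for u in neighbor_updates]
    return first_pass, second_pass, {v.name: v.routes for v in pe.vrfs}, pe.discarded

if __name__ == "__main__":
    print(vpn_ipv4("100:20", "10.1.0.0/16").hex(), vpn_ipv4("100:30", "10.1.0.0/16").hex())
    print(run_demo())
```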

MPLS VPN Packet Forwarding


MPLS / António Santos / 04-06-2009


VPN Packet Forwarding Across MPLS VPN Backbone

How will PE routers forward VPN packets across MPLS VPN backbone?

Just forward pure IP packets???

P-routers do not have VPN routes, packet is dropped on IP lookup.

How about using MPLS for packet propagation across backbone?

VPN Packet Forwarding Across MPLS VPN Backbone

Label VPN packets with LDP label for egress PE-router, forward labeled packets across MPLS backbone??

P-routers perform label switching, packet reaches egress PE-router.

However, egress PE-router does not know which VRF to use for packet lookup; packet is dropped.

How about using a label stack?

VPN Packet Forwarding Across MPLS VPN Backbone

Label VPN packets with a label stack.

Use LDP label for egress PE-router as the top label

VPN label assigned by egress PE-router as the second label in the stack.

P-routers perform label switching, packet reaches egress PE-router.

Egress PE-router performs lookup on the VPN label and forwards the packet toward the CE-router.

VPN Packet Forwarding

Penultimate Hop Popping

Penultimate hop popping on the LDP label can be performed on the last P-router

Egress PE-router performs only label lookup on VPN label, resulting in faster and simpler label lookup

IP lookup is performed only once, in ingress PE router
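The three forwarding options discussed on the packet-forwarding slides (plain IP, a single LDP label, a two-label stack with penultimate hop popping), walked hop by hop as an added Python example that is not part of the original deck. The label values and prefix come from the control-plane and forwarding-plane slides; the table names and the `walk` function are hypothetical.

```python
import ipaddress

IMP_NULL = "imp-null"

# State taken from the control-plane slide (LDP and VPNv4 updates for 152.12.4.0/24).
PE2_VRFS = {"VPN B": {"152.12.4.0/24": ("PE1", 29)}}  # prefix -> (BGP next hop, VPN label)
PE2_LSP = {"PE1": (32, "P2")}                         # egress PE -> (LDP label, next router)
P_LFIB = {                                            # router -> {in label: (out label, next router)}
    "P2": {32: (41, "P1")},
    "P1": {41: (IMP_NULL, "PE1")},
}
PE1_VPN_LFIB = {29: ("VPN B", "CE1")}                 # VPN label -> (vrf, outgoing CE)

def walk(vrf_name, dst, mode="stack"):
    """Forward one packet from PE2 toward PE1.

    mode: "ip" (no labels), "ldp-only" (LSP label only) or "stack" (LSP + VPN label).
    Returns (trace, outcome); trace lists (router, label stack) as the packet leaves each router.
    """
    dst_ip = ipaddress.ip_address(dst)
    # Ingress PE2: the only IP lookup on the path, done in the VRF of the incoming interface.
    match = next(((nh, label) for prefix, (nh, label) in PE2_VRFS[vrf_name].items()
                  if dst_ip in ipaddress.ip_network(prefix)), None)
    if match is None:
        return [], f"dropped at PE2: no route in vrf {vrf_name}"
    egress_pe, vpn_label = match
    lsp_label, node = PE2_LSP[egress_pe]
    if mode == "ip":
        # An unlabeled packet forces an IP lookup on the first P router, which has no VPN routes.
        return [("PE2", [])], f"dropped at {node}: no VPN routes in global table"
    stack = [lsp_label] + ([vpn_label] if mode == "stack" else [])
    trace = [("PE2", list(stack))]
    while node in P_LFIB:                              # P routers look only at the top label
        out_label, next_node = P_LFIB[node][stack[0]]
        if out_label == IMP_NULL:
            stack.pop(0)                               # penultimate hop popping
        else:
            stack[0] = out_label                       # label swap
        trace.append((node, list(stack)))
        node = next_node
    # Egress PE1: without a VPN label there is nothing to select the VRF.
    if not stack:
        return trace, f"dropped at {node}: no VPN label, VRF unknown"
    vrf, ce = PE1_VPN_LFIB[stack.pop(0)]
    trace.append((node, list(stack)))
    return trace, f"delivered to {ce} via vrf {vrf}"

if __name__ == "__main__":
    for mode in ("ip", "ldp-only", "stack"):
        print(mode, *walk("VPN B", "152.12.4.6", mode), sep=" | ")
```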

VPN Label Propagation

How will the ingress PE-router get the second label in the label stack from the egress PE-router?

Labels are propagated in MP-BGP VPNv4 routing updates.

[Figure: VPN Label Propagation (two diagram-only slides)]

Impacts of MPLS VPN Label Propagation

The VPN label has to be assigned by the BGP next-hop

BGP next-hop should not be changed in MP-IBGP update propagation

Do not use next-hop-self on confederation boundaries

PE-router has to be BGP next-hop

Use next-hop-self on the PE-router

Label has to be re-originated if the next-hop is changed

A new label is assigned every time the MP-BGP update crosses AS-boundary where the next-hop is changed

Impacts of MPLS VPN Packet Forwarding

VPN label is only understood by egress PE-router

End-to-end Label Switched Path is required between ingress and egress PE-router

BGP next-hops shall not be announced as BGP routes

LDP labels are not assigned to BGP routes

BGP next-hops announced in IGP shall not be summarized in the core network

Summarization breaks LSP

Agenda

What is a VPN?

How Do MPLS VPNs Work?

What Are Some Scaling Techniques?

How Do I Configure MPLS VPNs?

1. Configure VRFs

2. Associate interfaces with VRFs

3. Configure MP-iBGP routing

4. Configure CE to PE routing

5. Verify VPN operation

Configure VRF

ip vrf <vrf-symbolic-name>
 rd <route-distinguisher-value>
 route-target export <community>
 route-target import <community>

ip vrf <vrf-symbolic-name>: logical name of the VPN, use something that makes sense

rd: number to uniquely id the prefix value. Convention is ASN:xxxx

route-target export: the extended community string you will SEND with your routes

route-target import: the extended community string you will RECEIVE and put into your vrf

Configure VRF

[Figure: PE with a CE in VPN red on E1/0 and a CE in VPN blue on E2/0]

Create the VRFs on the PE Router

PE1(config)#ip vrf red
PE1(config)#ip vrf blue

vrf symbolic name: case sensitive

Configure RD

PE1(config)#ip vrf red
PE1(config-vrf)#rd 100:10
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20

rd format: ASN:variable or IP:variable

Configure Route Target

PE1(config)#ip vrf red
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
PE1(config-vrf)#route-target import 100:2
PE1(config-vrf)#route-target export 100:2

RD to RT matching just makes it easy

<both> shortcut if import and export are the same

VRF Options

PE1(config)#ip vrf red
PE1(config-vrf)#description VPN for CE1
PE1(config-vrf)#rd 100:10
PE1(config-vrf)#route-target import 100:1
PE1(config-vrf)#route-target export 100:1
PE1(config-vrf)#maximum routes 2000 warning-only

description: online documentation

maximum routes: protect your network and PE from saturation (scaling factor)

Associate PE interfaces to VRFs

Configure interfaces to belong to the VRF

PE1(config)#interface ethernet 2/0
PE1(config-if)#ip vrf forwarding blue
PE1(config-if)#ip address 172.11.2.2 255.255.255.252
PE1(config)#interface ethernet 1/0
PE1(config-if)#ip vrf forwarding red
PE1(config-if)#ip address 172.11.2.2 255.255.255.252

ip vrf forwarding: match vrf symbolic name

Common VRF Configuration Gotcha

Configuring an interface to the VRF: IP address must be removed from global routing table

PE1(config)#interface ethernet 3/0
PE1(config-if)#ip vrf forwarding red
% Interface Ethernet1/0 IP address 10.131.31.245 removed due to enabling VRF red
PE1(config-if)#ip address 10.131.31.245 255.255.255.252

Also, can only assign 1 VRF to an interface
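A configuration review for the VRF points made on the preceding slides (unique RD, route-target import/export, `maximum routes`, case-sensitive VRF names, one VRF per interface, address removed when the VRF is enabled), written as an added Python example that is not part of the original deck. The `SAMPLE` text is constructed with deliberate faults, and `parse` and `audit` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample in running-config form, with deliberate faults.
SAMPLE = """\
ip vrf red
 description VPN for CE1
 rd 100:10
 route-target import 100:1
 route-target export 100:1
 maximum routes 2000 warning-only
ip vrf blue
 rd 100:10
 route-target import 100:2
 route-target import 100:1
 route-target export 100:2
interface Ethernet1/0
 ip vrf forwarding Red
 ip address 172.11.2.2 255.255.255.252
interface Ethernet2/0
 ip address 172.11.2.2 255.255.255.252
 ip vrf forwarding blue
"""

def parse(config):
    """Parse 'ip vrf' and 'interface' stanzas from IOS configuration text."""
    vrfs, ifaces, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):              # a top-level command opens a new stanza
            cur = None
            if m := re.fullmatch(r"ip vrf (\S+)", line):
                cur = vrfs.setdefault(m[1], {"rd": None, "import": set(), "export": set(), "max": None})
            elif m := re.fullmatch(r"interface (.+)", line):
                cur = ifaces.setdefault(m[1], {"vrf": [], "order": []})
        elif cur is not None and "rd" in cur:    # inside an ip vrf stanza
            if m := re.fullmatch(r"rd (\S+)", line):
                cur["rd"] = m[1]
            elif m := re.fullmatch(r"route-target (import|export|both) (\S+)", line):
                for direction in ("import", "export") if m[1] == "both" else (m[1],):
                    cur[direction].add(m[2])
            elif m := re.fullmatch(r"maximum routes (\d+) (.+)", line):
                cur["max"] = (int(m[1]), m[2])
        elif cur is not None:                    # inside an interface stanza
            if m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
                cur["vrf"].append(m[1])
                cur["order"].append("vrf")
            elif line.startswith("ip address "):
                cur["order"].append("addr")
    return vrfs, ifaces

def audit(config):
    """Return a list of findings for the VRF checks described on the slides."""
    vrfs, ifaces = parse(config)
    findings, by_rd, exporters = [], defaultdict(list), defaultdict(set)
    for name, v in vrfs.items():
        by_rd[v["rd"]].append(name)
        for rt in v["export"]:
            exporters[rt].add(name)
    for rd, names in by_rd.items():
        if rd is None:
            findings += [f"{n}: no rd configured" for n in names]
        elif len(names) > 1:                     # RDs must be unique to keep VPN-IPv4 unique
            findings.append(f"rd {rd} reused by {', '.join(sorted(names))}")
    for name, v in vrfs.items():
        for rt in sorted(v["import"]):           # importing another VRF's RT shares its routes
            others = sorted(exporters.get(rt, set()) - {name})
            if others:
                findings.append(f"{name}: imports RT {rt} exported by {', '.join(others)}")
        if v["max"] is None:
            findings.append(f"{name}: no maximum routes limit")
        elif v["max"][1] == "warning-only":      # logs only; extra routes are still accepted
            findings.append(f"{name}: maximum routes {v['max'][0]} is warning-only")
    for ifname, i in ifaces.items():
        for ref in i["vrf"]:
            if ref not in vrfs:
                near = [n for n in vrfs if n.lower() == ref.lower()]
                hint = f" (case differs from {near[0]})" if near else ""
                findings.append(f"{ifname}: vrf {ref} is not defined{hint}")
        if len(i["vrf"]) > 1:
            findings.append(f"{ifname}: more than one VRF assigned")
        order = i["order"]
        if "vrf" in order and "addr" in order and "addr" not in order[order.index("vrf"):]:
            findings.append(f"{ifname}: ip address set before ip vrf forwarding and not re-entered")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A cross-VRF import is not always a fault (it is how an extranet is built), so that finding is a prompt to confirm the sharing is intended.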

Configure MP-BGP Peering between PEs

[Figure: MP-BGP session between PE1 and PE2 across the VPN backbone IGP]

Router config for VPNv4 prefixes

PE1(config)#router bgp 100
PE1(config-router)#neighbor 10.131.63.252 remote-as 100
PE1(config-router)#neighbor 10.131.63.252 desc MP-BGP to PE2
PE1(config-router)#neighbor 10.131.63.252 update-source Loopback0
PE1(config-router)#address-family vpnv4
PE1(config-router-af)#neighbor 10.131.63.252 activate
PE1(config-router-af)#neighbor 10.131.63.252 send-community extended
PE1(config-router-af)#exit-address-family

standard BGP configuration entries apply

activate: activate neighbor to advertise routes

send-community extended: send extended community to id the VRF (default entry)

Configure VRF Routing Contexts

[Figure: MP-BGP session between PE1 and PE2 across the VPN backbone IGP]

PE1(config-router)#address-family ipv4 vrf red
PE1(config-router-af)#no auto-summary
PE1(config-router-af)#no synchronization
PE1(config-router-af)#exit-address-family
PE1(config-router)#address-family ipv4 vrf blue
PE1(config-router-af)#no auto-summary
PE1(config-router-af)#no synchronization
PE1(config-router-af)#exit-address-family

The VRF is now operational

The previous configuration creates the VRF and associated CEF and routing table

VRF Implementation Considerations

Many commands are now VRF context sensitive

VPN Routes are not yet present

The RD and import and export policies (RT) will be used to fill the VRF routing table with routes learned by the PE via MP-BGP

Example VRF Configuration

[Figure: MPLS core (BGP AS100, OSPF Area 0) with PE-A (lo0 200.200.0.11), P-A (lo0 200.200.0.1), P-B (lo0 200.200.0.2) and PE-B (lo0 200.200.0.12).
Site A: CE-1A (VPN1) and CE-2A (VPN2), lo0 172.16.1.1/24, serial 172.16.2.1/30; PE side s1/0 and s1/1 at 172.16.2.2/30.
Site B: CE-1B (VPN1) and CE-2B (VPN2), lo0 172.17.1.1/24, serial 172.17.2.1/30; PE side s1/0 and s1/1 at 172.17.2.2/30.
VPN1 RD 100:1, VPN2 RD 100:2]

PE-A(config)#ip vrf VPN1
PE-A(config-vrf)#rd 100:1
PE-A(config-vrf)#route-target export 100:10
PE-A(config-vrf)#route-target import 100:10
PE-A(config)#ip vrf VPN2
PE-A(config-vrf)#rd 100:2
PE-A(config-vrf)#route-target export 100:20
PE-A(config-vrf)#route-target import 100:20

Associate VRFs to Interfaces

For each interface participating in the VPN

interface Serial1/0
 ip vrf forwarding VPN1
 ip address 172.16.2.2 255.255.255.252

ip vrf forwarding VPN1: the name must match the vrf-symbolic-name


Example VRF Interface Configuration

[Figure: example topology. PE-A (lo0 200.200.0.11), PE-B (lo0 200.200.0.12), P-A (lo0 200.200.0.1) and P-B (lo0 200.200.0.2) form the MPLS core (BGP AS 100, OSPF Area 0); Sites A and B of VPN1 (RD 100:1) and VPN2 (RD 100:2) attach through CE-1A, CE-2A, CE-1B and CE-2B.]

PE-A(config)#interface Serial1/0
PE-A(config-if)#ip vrf forwarding VPN1
PE-A(config-if)#ip address 172.16.2.2 255.255.255.252
PE-A(config)#interface Serial1/1
PE-A(config-if)#ip vrf forwarding VPN2
PE-A(config-if)#ip address 172.16.2.2 255.255.255.252
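Added example, not part of the original slides: a Python check over the PE-A VRF and interface commands shown above. It reports any local VRF that imports a route target another VRF exports (a route leak between customers) and any ip vrf forwarding name that matches no defined VRF. The function names parse and audit and the saved-config layout of the sample are assumptions of this example.

```python
import re

# Constructed sample: PE-A's VRF and interface commands from this page, as saved config.
PE_A_CONFIG = """\
ip vrf VPN1
 rd 100:1
 route-target export 100:10
 route-target import 100:10
ip vrf VPN2
 rd 100:2
 route-target export 100:20
 route-target import 100:20
interface Serial1/0
 ip vrf forwarding VPN1
interface Serial1/1
 ip vrf forwarding VPN2
"""

def parse(config):
    """Return ({vrf: {"import": set, "export": set}}, {interface: VRF name or None})."""
    vrfs, ifaces, vrf, iface = {}, {}, None, None
    for line in map(str.rstrip, config.splitlines()):
        if m := re.match(r"ip vrf (\S+)$", line):
            vrf, iface = m.group(1), None
            vrfs[vrf] = {"import": set(), "export": set()}
        elif m := re.match(r"interface (\S+)$", line):
            vrf, iface = None, m.group(1)
            ifaces[iface] = None
        elif vrf and (m := re.match(r"\s+route-target (import|export|both) (\S+)$", line)):
            for kind in ("import", "export"):
                if m.group(1) in (kind, "both"):
                    vrfs[vrf][kind].add(m.group(2))
        elif iface and (m := re.match(r"\s+ip vrf forwarding (\S+)$", line)):
            ifaces[iface] = m.group(1)
    return vrfs, ifaces

def audit(config):
    """Flag route leaks between local VRFs and interfaces bound to undefined VRFs."""
    vrfs, ifaces = parse(config)
    findings = [f"{a} imports {sorted(vrfs[a]['import'] & vrfs[b]['export'])} exported by {b}"
                for a in vrfs for b in vrfs
                if a != b and vrfs[a]["import"] & vrfs[b]["export"]]
    findings += [f"{name}: ip vrf forwarding {bound} matches no defined VRF"
                 for name, bound in ifaces.items() if bound and bound not in vrfs]
    return findings

if __name__ == "__main__":
    print(audit(PE_A_CONFIG) or "VPN1 and VPN2 are isolated from each other")
```

An overlap between one VRF's import list and another's export list is sometimes intentional (a shared-services VPN, for example), so treat each finding as something to confirm against the design.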


Configure MP-BGP

router bgp 100
(100 is the AS number)

Router config for standard IP Version 4 address prefixes:

address-family ipv4 vrf VPN1
 no auto-summary
 no synchronization
exit-address-family

Router config for standard VPN Version 4 address prefixes:

address-family vpnv4
 neighbor 200.200.0.12 activate
 neighbor 200.200.0.12 send-community extended
 neighbor 200.200.0.13 activate
 neighbor 200.200.0.13 send-community extended
exit-address-family

activate: advertise routes
send-community extended: extended community string that identifies the VRF


Example MP-BGP Configuration

[Figure: example topology. PE-A (lo0 200.200.0.11), PE-B (lo0 200.200.0.12), P-A (lo0 200.200.0.1) and P-B (lo0 200.200.0.2) form the MPLS core (BGP AS 100, OSPF Area 0); Sites A and B of VPN1 (RD 100:1) and VPN2 (RD 100:2) attach through CE-1A, CE-2A, CE-1B and CE-2B.]

PE-A(config)#router bgp 100
PE-A(config-router)#no synchronization
PE-A(config-router)#no bgp default ipv4-unicast
PE-A(config-router)#bgp log-neighbor-changes
PE-A(config-router)#neighbor 200.200.0.12 remote-as 100
PE-A(config-router)#neighbor 200.200.0.12 update-source Loopback0
PE-A(config-router)#no auto-summary
PE-A(config-router)#address-family ipv4 vrf VPN1
PE-A(config-router-af)#no auto-summary
PE-A(config-router-af)#no synchronization
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family ipv4 vrf VPN2
PE-A(config-router-af)#no auto-summary
PE-A(config-router-af)#no synchronization
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family vpnv4
PE-A(config-router-af)#neighbor 200.200.0.12 activate
PE-A(config-router-af)#neighbor 200.200.0.12 send-community extended
PE-A(config-router-af)#exit-address-family

Configure Route Advertisements

Define static routes at CE and PE

CE config

ip route 0.0.0.0 0.0.0.0 172.16.2.2

PE config

ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1

Define BGP routes at PE

router bgp 100
 address-family ipv4 vrf VPN1
  network 172.16.1.0 mask 255.255.255.0
  network 172.16.2.0 mask 255.255.255.252
 exit-address-family

Example Routing Configuration

[Figure: example topology. PE-A (lo0 200.200.0.11), PE-B (lo0 200.200.0.12), P-A (lo0 200.200.0.1) and P-B (lo0 200.200.0.2) form the MPLS core (BGP AS 100, OSPF Area 0); Sites A and B of VPN1 (RD 100:1) and VPN2 (RD 100:2) attach through CE-1A, CE-2A, CE-1B and CE-2B.]

CE-1A(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2

PE-A(config)#ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
PE-A(config)#ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1
PE-A(config)#router bgp 100
PE-A(config-router)#address-family ipv4 vrf VPN1
PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family ipv4 vrf VPN2
PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
PE-A(config-router-af)#exit-address-family

MPLS VPN Verification Steps

Verify the VRFs

show ip vrf [{detail|interfaces}]

Verify routing Information

show ip route vrf [detail] [vrf-name] [interfaces]

show ip bgp neighbors

show ip bgp vpnv4 all

show ip bgp vpnv4 vrf VRF-name

show ip bgp vpnv4 vrf VRF-name [ip-address]

Verify Labels

show ip bgp vpnv4 all [labels/tags]

show ip cef vrf [detail]


Ping, Traceroute, Telnet Caveats

Ping and Traceroute in an MPLS VPN network only succeed if the end-to-end path is successful.

They are a good verification when they succeed, but NOT a tool for troubleshooting.

Ping/Traceroute Command Syntax

traceroute VRF [vrf-name] ip-address

ping VRF [vrf-name] ip-address

Telnet Command Syntax

telnet ip-address /vrf [vrf-name]


Chapter Summary

You should now be able to:

Describe MPLS VPN mechanisms
Use the command line interface to configure a VPN
Verify VPN functionality
