BRKMPL-2102
Abstract
This session describes the implementation of IP Virtual Private Networks (IP VPNs) using MPLS. It is the most common Layer 3 VPN technology, as standardized by IETF RFC 2547/4364, and realizes IP connectivity between the VPN sites and the MPLS network.
Service Providers have been using IP VPN to provide scalable site-to-site/WAN connectivity to Enterprises/SMBs for more than a decade. Enterprises have been using it to address network segmentation (virtualization and traffic separation) inside the site, e.g. Campus and Data Center.
The session will cover:
IP VPN Technology Overview (RFC2547/RFC4364)
IP VPN Configuration Overview
IP VPN Deployment Scenarios
IP VPN Use-Cases
Best Practices
BRKMPL-2102 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
MPLS Content at Cisco Live US 2015
BRKMPL-1100 - Introduction to MPLS
TECMPL-3200 - SDN WAN Orchestration in MPLS and Segment Routing Networks
Agenda
IP/VPN Overview
IP/VPN Deployment Scenarios
Best Practices
Use-Cases
Conclusion
Agenda
IP/VPN Overview
Technology Overview (How It Works)
Configuration Overview
IP/VPN Technology
MPLS based IP/VPN Topology / Connection Model
[Figure: CE routers at the customer sites connect to PE routers at the edge of the MPLS network; P routers form the core; the PEs exchange VPN routes over an MP-iBGP session.]
IP/VPN Technology Overview
Virtual Routing and Forwarding (VRF) Instance
[Figure: one PE holding two VRFs: VRF Blue for VPN 1 (CE1, attached on Ser0/0) and VRF Green for VPN 2 (CE2); the MPLS network runs an IGP (OSPF, IS-IS).]
IP/VPN Technology Overview
Virtual Routing and Forwarding Instance
[Figure: each CE advertises its routes to the PE over the PE-CE routing protocol (EIGRP, eBGP, OSPF, RIPv2 or static); the routes of each VPN land in its own VRF (Blue for VPN 1/CE1, Green for VPN 2/CE2), while the MPLS network itself runs an IGP (OSPF, IS-IS).]
IP/VPN Technology Overview
VPN Control Plane
[Figure: the PEs at the edge of the MPLS network peer with each other over MP-iBGP sessions; these sessions are the VPN control plane.]
IP/VPN Technology Overview
VPN Control Plane = Multi-Protocol BGP (MP-BGP)
MP-BGP UPDATE message (showing only the VPNv4 route, the RT and the label):
  RD (8 bytes) | IPv4 prefix (4 bytes) | Route-Target (8 bytes) | Label (3 bytes)
  e.g. RD 1:1 and prefix 10.1.1.0 give the VPNv4 route 1:1:10.1.1.0
IP/VPN Technology Overview: Control Plane
Putting it all together
[Figure: Site 1 (CE1, 10.1.1.0/24) attached to PE1, Site 2 (CE2) attached to PE2, with the MPLS backbone of P routers between them. Step 1: CE1 advertises 10.1.1.0/24 to PE1 with Next-Hop=CE-1. Step 3: PE1 sends an MP-iBGP update for RD:10.1.1.0 with Next-Hop=PE-1, RT=1:2, Label=100.]
4. PE2 receives the update and checks whether RT=1:2 is locally configured as an import RT within any VRF; if yes, then
   PE2 translates the VPNv4 prefix back to the IPv4 prefix
   PE2 updates the VRF CEF table for 10.1.1.0/24 with label=100
5. PE2 advertises this IPv4 prefix to CE2 (using whatever PE-CE routing protocol is configured)
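The control-plane steps above, as an added example that is not part of the Cisco deck: PE1 encodes the VPNv4 route (label + RD + prefix, the NLRI layout of RFC 4364) and the Route Target extended community (RFC 4360), and PE2 decodes it, translates it back to an IPv4 prefix and installs it only in the VRFs whose import RTs match (step 4). The VRF names, RTs, next-hop strings and the route itself are constructed sample data.

```python
"""Walk-through of one VPNv4 route from the advertising PE to the receiving PE."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # route distinguisher, type 0, written "ASN:NN"
    prefix: str      # IPv4 prefix, e.g. "10.1.1.0/24"
    label: int       # VPN label allocated by the advertising PE
    rts: tuple       # route targets carried as extended communities
    next_hop: str    # BGP next-hop, i.e. the advertising PE


def _split_asn_nn(value: str):
    asn, nn = value.split(":")
    return int(asn), int(nn)


def encode_rt(rt: str) -> bytes:
    """8-byte Route Target extended community: type 0x00 (two-octet AS), sub-type 0x02."""
    asn, nn = _split_asn_nn(rt)
    return struct.pack("!BBHI", 0x00, 0x02, asn, nn)


def decode_rt(blob: bytes) -> str:
    typ, sub, asn, nn = struct.unpack("!BBHI", blob)
    if (typ, sub) != (0x00, 0x02):
        raise ValueError("not a two-octet-AS Route Target")
    return f"{asn}:{nn}"


def encode_nlri(route: Vpnv4Route) -> bytes:
    """VPNv4 NLRI: length-in-bits (1) | label (3) | RD (8) | prefix octets."""
    net = IPv4Network(route.prefix)
    label_field = (route.label << 4) | 0x1          # 20-bit label, EXP=0, bottom-of-stack=1
    rd_asn, rd_nn = _split_asn_nn(route.rd)
    rd = struct.pack("!HHI", 0, rd_asn, rd_nn)      # RD type 0: 2-byte ASN + 4-byte number
    octets = (net.prefixlen + 7) // 8
    body = label_field.to_bytes(3, "big") + rd + net.network_address.packed[:octets]
    return bytes([24 + 64 + net.prefixlen]) + body


def decode_nlri(blob: bytes, rts: tuple, next_hop: str) -> Vpnv4Route:
    """Translate the VPNv4 NLRI back into an IPv4 prefix plus its RD and label."""
    length_bits = blob[0]
    label = int.from_bytes(blob[1:4], "big") >> 4
    rd_type, rd_asn, rd_nn = struct.unpack("!HHI", blob[4:12])
    if rd_type != 0:
        raise ValueError("only RD type 0 (ASN:NN) is handled here")
    prefixlen = length_bits - 24 - 64
    octets = (prefixlen + 7) // 8
    addr = IPv4Address(blob[12:12 + octets].ljust(4, b"\x00"))
    return Vpnv4Route(f"{rd_asn}:{rd_nn}", f"{addr}/{prefixlen}", label, rts, next_hop)


def import_into_vrfs(route: Vpnv4Route, vrfs: dict) -> dict:
    """Step 4 on the receiving PE: install the prefix only into VRFs whose
    configured import RTs intersect the RTs carried with the route."""
    installed = {}
    for name, cfg in vrfs.items():
        if set(route.rts) & set(cfg["import_rt"]):
            installed[name] = {"prefix": route.prefix, "next_hop": route.next_hop, "label": route.label}
    return installed


# Constructed sample: PE1 advertises the Site 1 prefix with RD 1:1, RT 1:2, label 100.
SAMPLE_ROUTE = Vpnv4Route("1:1", "10.1.1.0/24", 100, ("1:2",), "PE-1")
# Constructed VRFs on PE2: only the one importing 1:2 must receive the prefix.
PE2_VRFS = {"green": {"import_rt": ["1:2"]}, "blue": {"import_rt": ["3:3"]}}


def walk_through():
    wire = encode_nlri(SAMPLE_ROUTE)
    rts = tuple(decode_rt(encode_rt(rt)) for rt in SAMPLE_ROUTE.rts)
    received = decode_nlri(wire, rts, SAMPLE_ROUTE.next_hop)
    return received, import_into_vrfs(received, PE2_VRFS)


if __name__ == "__main__":
    route, installed = walk_through()
    print(route)
    print(installed)
```

The isolation property of the VPN rests entirely on `import_into_vrfs`: a prefix reaches a VRF only if that VRF imports one of the RTs the route carries, which is why RT values deserve the same change control as firewall rules.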
IP/VPN Technology Overview
Forwarding Plane
[Figure: Site 1 (CE1, 10.1.1.0/24) - PE1 - P routers (MPLS backbone) - PE2 - Site 2 (CE2).]
Each PE keeps two forwarding tables:
  VRF table: stores VPN routes with their associated labels; VPN routes and labels are learned via BGP
  Global table: stores next-hop (i.e. PE) routes with their associated labels; PE routes are learned through the IGP, labels through LDP or RSVP
Commands to view them (VRF table, then global table):
  IOS:    show ip cef vrf <name>          show ip cef
  NX-OS:  show forwarding vrf <name>      show forwarding ipv4
  IOS-XR: show cef vrf <name> ipv4        show cef ipv4
IP/VPN Technology Overview: Forwarding Plane
Packet Forwarding
[Figure: an IP packet for 10.1.1.1 (Site 1, 10.1.1.0/24 behind CE1) enters PE2 from CE2, crosses the backbone (P1/P2 or P3/P4) as the labelled packet "100 | 10.1.1.1", and leaves PE1 towards CE1 as a plain IP packet.]
PE2 imposes two labels (MPLS headers) on each IP packet going to Site 1
  Outer label is learned via LDP; corresponds to the PE1 address (i.e. the IGP route)
  Inner label is learned via BGP; corresponds to the VPN address (the BGP route)
Resulting frame: Ethernet header | Outer MPLS header | Inner MPLS header | IP header
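The two-label forwarding described above, as an added example that is not from the Cisco deck: the ingress PE looks up the destination in the VRF CEF (VPN label and BGP next-hop PE), then the next-hop PE in the global CEF (LDP label), and imposes both; the egress PE strips the transport label and resolves the VPN label in its LFIB to find the VRF and the CE next-hop. Label values, loopback addresses and table contents are constructed, penultimate-hop popping is not modelled (so the egress PE still sees both labels), and the IP packet is a placeholder byte string.

```python
"""Ingress label imposition and egress VPN-label lookup for one IP packet."""
import struct
from ipaddress import IPv4Address, IPv4Network


def label_entry(label: int, bottom: bool, ttl: int = 255, tc: int = 0) -> bytes:
    """One 32-bit MPLS label stack entry: Label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def parse_entry(blob: bytes):
    """Return (label, bottom_of_stack, ttl) for one stack entry."""
    (word,) = struct.unpack("!I", blob[:4])
    return word >> 12, bool((word >> 8) & 1), word & 0xFF


def lpm(table: dict, dst: str):
    """Longest-prefix match over a {prefix: entry} table, as CEF does."""
    addr = IPv4Address(dst)
    best = None
    for prefix, entry in table.items():
        net = IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else best[1]


def impose(dst: str, vrf_cef: dict, global_cef: dict, payload: bytes) -> bytes:
    """Ingress PE: inner label from the VRF CEF (BGP), outer label from the
    global CEF entry (LDP) for the BGP next-hop PE."""
    vpn = lpm(vrf_cef, dst)
    if vpn is None:
        raise LookupError(f"no VRF route for {dst}")
    core = lpm(global_cef, vpn["next_hop"])
    if core is None:
        raise LookupError(f"no IGP/LDP path to PE {vpn['next_hop']}")
    return label_entry(core["label"], bottom=False) + label_entry(vpn["label"], bottom=True) + payload


def egress(packet: bytes, lfib: dict):
    """Egress PE: discard transport labels, then resolve the bottom (VPN) label in the LFIB."""
    offset = 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack")
        label, bottom, _ttl = parse_entry(packet[offset:offset + 4])
        offset += 4
        if bottom:
            break
    entry = lfib.get(label)
    if entry is None:
        raise LookupError(f"VPN label {label} not in LFIB; packet dropped")
    return entry["vrf"], entry["next_hop"], packet[offset:]


# Constructed tables: PE2 is ingress for traffic towards Site 1, PE1 is egress.
PE2_VRF_CEF = {"10.1.1.0/24": {"label": 100, "next_hop": "192.0.2.1"}}  # learned via BGP
PE2_GLOBAL_CEF = {"192.0.2.1/32": {"label": 17, "next_hop": "P2"}}     # PE1 loopback via IGP, label via LDP
PE1_LFIB = {100: {"vrf": "VPN-A", "next_hop": "CE1"}}                   # PE1's VPN label -> VRF and CE


def forward_sample():
    ip_packet = b"IP 10.1.1.1"   # constructed stand-in for the IP header and payload
    labelled = impose("10.1.1.1", PE2_VRF_CEF, PE2_GLOBAL_CEF, ip_packet)
    outer, outer_bos, _ = parse_entry(labelled[0:4])
    inner, inner_bos, _ = parse_entry(labelled[4:8])
    return (outer, outer_bos, inner, inner_bos), egress(labelled, PE1_LFIB)


if __name__ == "__main__":
    print(forward_sample())
```

Note that the egress PE never consults the customer IP header to pick the VRF; the VPN label alone selects it, which is what keeps overlapping customer address space apart in the data plane.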
Agenda
IP/VPN Overview
Technology Overview (How It Works)
Configuration Overview (IOS, IOS-XR and NX-OS)
PE-P Configuration (IOS)
[Figure: PE1 (Serial1) - P - PE (Se0).]
interface Serial1
 ip address 130.130.1.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 130.130.1.0 0.0.0.3 area 0
Reference: PE-CE static routing (IOS)
[Figure: Site 1, CE1 (192.168.10.2, 10.1.1.0/24) attached to PE1 (192.168.10.1).]
ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
Having familiarized ourselves with the IOS-based configuration, let's look at the IOS-XR and NX-OS configuration for VPNs.
Reference: IOS-XR PE configuration
[Figure: Site 1, CE1 (10.1.1.0/24) attached to PE1 on GE0 (192.168.10.1); PE1 connects to P over GE1.]
VRF definition and PE-CE interface:
vrf VPN-A
 address-family ipv4 unicast
  import route-target 100:1
  export route-target 100:1
!
router bgp 1
 vrf VPN-A
  rd 1:1
!
interface GE0
 vrf VPN-A
 ipv4 address 192.168.10.1 255.255.255.0
PE-P configuration:
mpls ip
 interface GE1
!
router ospf 1
 area 0
  interface GE1
Reference: Route Reflector MP-iBGP configuration (IOS-XR)
[Figure: RR peering with PE1 and PE2.]
router bgp 1
 router-id 1.2.3.4
 address-family vpnv4 unicast
 !
 neighbor 1.2.3.1
  remote-as 1
  update-source loopback0
  address-family vpnv4 unicast
   send-community extended
   route-reflector-client
  !
Reference: NX-OS PE-P configuration
[Figure: PE1 (GE1) - P - PE.]
interface GE1
 ip address 130.130.1.1 255.255.255.252
 mpls ip
 ip ospf 1 area 0
!
router ospf 1
Reference: NX-OS PE-CE static routing
[Figure: Site 1, CE1 (10.1.1.0/24) attached to PE1 (192.168.10.1).]
vrf context VPN-A
 ip route 10.1.1.0/24 192.168.10.2
Agenda
IP/VPN Overview
IP/VPN Deployment Scenarios
Multihoming & Load-sharing
Hub and Spoke
Extranet
Internet Access
IP/VPN over IP Transport
IPv6
Multi-VRF CE
Best Practices
Use-Cases
Conclusion
IP/VPN Deployment Scenarios:
1. Multi-homing & Load-sharing of VPN Traffic
[Figure: Site A dual-homed to PE11 and PE12, Site B single-homed to PE2, across an MPLS backbone with a route reflector (RR); the route advertisement for Site A flows through both PE11 and PE12 to the RR and on to PE2.]
IP/VPN Deployment Scenarios:
1. Multi-homing & Load-sharing of VPN Traffic (supported in IOS and IOS-XR)
[Figure: Site A (CE1, 171.68.2.0/24) dual-homed to PE11 and PE12; Site B (CE2) on PE2; RR in the MPLS backbone.]
1. A distinct RD on each PE for the multi-homed VRF, so that the RR keeps both paths as different VPNv4 routes:
   PE11: rd 300:11
         route-target both 1:1
   PE12: rd 300:12
         route-target both 1:1
   PE2:  rd 300:13
         route-target both 1:1
2. Multipath on the remote PE (PE2):
   <BGP>
   address-family ipv4 vrf green
    maximum-paths eibgp 2
IP/VPN Deployment Scenarios:
1. VPN Fast Convergence: PE-CE Link Failure (supported in IOS and IOS-XR 3.4)
[Figure: when the PE11-CE link fails, VPN traffic still arriving at PE11 is dropped by PE11 until it is redirected via PE12; RR in the backbone.]
IP/VPN Deployment Scenarios:
2. Hub and Spoke Service
Many VPN deployments require hub and spoke topology
Spoke to spoke communication via Hub site only
Example: ATM Machines to HQ, Router Management traffic to NMS/DC
IP/VPN Deployment Scenarios:
2. Hub and Spoke Service (supported in IOS, NX-OS and IOS-XR)
Two configuration options:
1. One PE-CE interface to the Hub and one VRF
2. Two PE-CE interfaces to the Hub and two VRFs
Use option 1 if the VPN Hub site advertises default or summary routes towards the Spoke sites; otherwise use option 2.
[Figure, option 1: PE-Hub connects to CE-Hub over a single interface Eth0/0; Spoke B (CE-SB, 171.68.2.0/24) connects through PE-SB across the MPLS VPN backbone.]
[Figure, option 2: PE-Hub connects to CE-Hub over two sub-interfaces, Eth0/0.1 and Eth0/0.2, each in its own VRF.]
<VRF GREEN for Spoke B>
 rd 300:112
 route-target export 1:1
 route-target import 2:2
<VRF IN for Hub>
 rd 300:12
 route-target export 2:2
* Only if Hub and Spoke sites use the same BGP ASN
** Configuration for this is shown on the next slide
IP/VPN Deployment Scenarios:
2. Hub and Spoke Service: Configuration, Option 2 (supported in IOS, NX-OS and IOS-XR)
[Figure: Spoke A (CE-SA, 171.68.1.0/24) on PE-SA and Spoke B (CE-SB, 171.68.2.0/24) on PE-SB, both reaching PE-Hub across the MPLS VPN backbone; PE-Hub connects to CE-Hub over the sub-interfaces Eth0/0.1 and Eth0/0.2, one per VRF (HUB-IN, HUB-OUT).]
<BGP>
address-family ipv4 vrf HUB-IN
 neighbor <CE> as-override
!
<BGP>
address-family ipv4 vrf HUB-OUT
 neighbor <CE> allowas-in 2
IP/VPN Deployment Scenarios:
2. Hub and Spoke Service: Control Plane, Option 2 (supported in IOS, NX-OS and IOS-XR)
FIB = IP forwarding table, LFIB = MPLS forwarding table
PE-SB, VRF FIB and LFIB:
  Destination      Next-Hop   Label
  171.68.0.0/16    PE-Hub     35
  171.68.2.0/24    CE-SB
PE-SA, VRF FIB and LFIB:
  Destination      Next-Hop   Label
  171.68.0.0/16    PE-Hub     35
  171.68.1.0/24    CE-SA
PE-Hub advertises the hub summary 171.68.0.0/16 from VRF HUB-OUT in an MP-iBGP update with Label 35 and Route-Target 2:2; the spoke PEs import it via RT 2:2, while VRF HUB-IN on PE-Hub imports the spoke routes.
IP/VPN Deployment Scenarios:
2. Hub and Spoke Service: Forwarding Plane, Option 2 (supported in IOS, NX-OS and IOS-XR)
This is how the spoke-to-spoke traffic flows:
[Figure: a packet from Spoke B for 171.68.1.1 leaves CE-SB; PE-SB pushes the transport label L1 and the VPN label 35 and sends it to PE-Hub; PE-Hub delivers it through VRF HUB-OUT to CE-Hub, which routes it back to PE-Hub into VRF HUB-IN; from there it crosses the backbone to PE-SA and on to CE-SA (Spoke A, 171.68.1.0/24).]
When one spoke PE serves many spoke CEs (CE-SA1, CE-SA2, CE-SA3 on PE-SA), Half-duplex VRF is the answer
It uses two VRFs on the PE (spoke) router:
  A VRF for spoke->hub communication (i.e. upstream)
  A VRF for spoke<-hub communication (i.e. downstream)
Note: 12.2(33)SRE and XE 3.0S support any interface type (Eth, Ser, POS, Virtual-Access, etc.)
IP/VPN Deployment Scenarios:
2. Hub and Spoke Service: Half-Duplex VRF on every PE (supported in IOS)
[Figure: Spoke A (CE-SA, 171.68.1.0/24) and Spoke B (CE-SB, 171.68.2.0/24) attach to PE-SA on GE0/0 and GE0/1; PE-Hub with CE-Hub (Hub Site) across the MPLS backbone.]
Spoke PE (PE-SA): an upstream VRF (green-up) and a downstream VRF (green-down), both bound to each spoke-facing interface
ip vrf green-up
 description For upstream traffic
 rd 300:111
 route-target import 2:2
!
ip vrf green-down
 description For downstream traffic
 rd 300:112
 route-target export 1:1
!
interface GigabitEthernet0/0
 ip vrf forwarding green-up downstream green-down
 ip address 172.18.13.x 255.255.255.0
!
interface GigabitEthernet0/1
 ip vrf forwarding green-up downstream green-down
 ip address 172.18.13.x 255.255.255.0
Hub PE (PE-Hub):
ip vrf HUB-IN
 description VRF for traffic from HUB
 rd 300:11
 route-target import 1:1
!
ip vrf HUB-OUT
 description VRF for traffic to HUB
 rd 300:12
 route-target export 2:2
!
interface GigabitEthernet1/1
 ip vrf forwarding HUB-IN downstream HUB-OUT
 ip address 172.1.1.1 255.255.255.0
How it works on the spoke PE:
1. PE-SA installs the Spoke routes only in the downstream VRF, i.e. green-down
2. PE-SA installs the Hub routes only in the upstream VRF, i.e. green-up
3. PE-SA forwards incoming IP traffic (from the Spokes) using the upstream VRF, i.e. the green-up routing table
4. PE-SA forwards incoming MPLS traffic (from the Hub) using the downstream VRF, i.e. the green-down routing table
MPLS-VPN Deployment Scenarios
3. Extranet VPN
MPLS based IP/VPN, by default, isolates one VPN customer from another: each VPN customer has a separate virtual routing table
An extranet is implemented by sharing import and export route-target (RT) values between the VRFs that take part in it
Export-map or import-map may be used for advanced extranets
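Both the hub-and-spoke control plane (option 2) and the extranet above come down to the same rule: a VRF receives another VRF's routes exactly when it imports an RT the other exports. The following added example, not part of the Cisco deck, computes that reachability from import/export RT sets and compares it with the intended policy, so a stray import (a spoke that also imports the spoke RT, for instance) shows up as a leak before it reaches production. VRF names, RT values and the policy sets are constructed sample data.

```python
"""Route-target reachability derived from VRF import/export configuration."""


def rt_reachability(vrfs: dict) -> set:
    """Return {(src, dst)}: dst imports at least one RT that src exports.
    vrfs: {name: {"import": set_of_rts, "export": set_of_rts}}."""
    pairs = set()
    for src, s in vrfs.items():
        for dst, d in vrfs.items():
            if src != dst and s["export"] & d["import"]:
                pairs.add((src, dst))
    return pairs


def unexpected_leaks(vrfs: dict, intended: set) -> set:
    """Reachability present in the configuration but absent from the intended policy."""
    return rt_reachability(vrfs) - intended


# Hub and spoke, option 2 (constructed): spokes export 1:1 and import 2:2; the hub PE
# has HUB-IN importing 1:1 (spoke routes) and HUB-OUT exporting 2:2 (hub summary).
HUB_SPOKE = {
    "SPOKE-A": {"import": {"2:2"}, "export": {"1:1"}},
    "SPOKE-B": {"import": {"2:2"}, "export": {"1:1"}},
    "HUB-IN":  {"import": {"1:1"}, "export": set()},
    "HUB-OUT": {"import": set(),   "export": {"2:2"}},
}
# Intended policy: spokes talk to the hub only, never to each other directly.
HUB_SPOKE_POLICY = {
    ("SPOKE-A", "HUB-IN"), ("SPOKE-B", "HUB-IN"),
    ("HUB-OUT", "SPOKE-A"), ("HUB-OUT", "SPOKE-B"),
}

# Simple extranet (constructed): VPN_A and VPN_B each keep their own RT and import the
# other's; VPN_C shares nothing and must stay isolated.
EXTRANET = {
    "VPN_A": {"import": {"100:1", "100:2"}, "export": {"100:1"}},
    "VPN_B": {"import": {"100:2", "100:1"}, "export": {"100:2"}},
    "VPN_C": {"import": {"100:3"}, "export": {"100:3"}},
}


def misconfigured_spoke() -> set:
    """A spoke that additionally imports 1:1 receives the other spoke's routes directly,
    bypassing the hub; the check reports that pair."""
    bad = {k: {"import": set(v["import"]), "export": set(v["export"])} for k, v in HUB_SPOKE.items()}
    bad["SPOKE-B"]["import"].add("1:1")
    return unexpected_leaks(bad, HUB_SPOKE_POLICY)


if __name__ == "__main__":
    print(sorted(rt_reachability(HUB_SPOKE)))
    print(sorted(rt_reachability(EXTRANET)))
    print(misconfigured_spoke())
```

Running the same check over every PE's VRF definitions before a change window is a cheap way to confirm that an extranet admits only the intended pairs and that hub-and-spoke sites cannot short-circuit the hub.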
MPLS-VPN Deployment Scenarios
3. Extranet VPN: Simple Extranet, IOS config sample (supported in IOS, NX-OS and IOS-XR)
[Figure: VPN_A Site#1 (71.8.0.0/16) and VPN_B Site#1 (180.1.0.0/16) attach to PE1; VPN_A Site#2 (192.6.0.0/16) attaches to PE2; a P router sits in the MPLS backbone.]
MPLS-VPN Deployment Scenarios
4. Internet Access: Design Options
Three options to provide the Internet service:
1. VRF-specific default route
   Static default route to move traffic from the VRF to the Internet (global routing table)
   Static routes for the VPN customers to move traffic from the Internet (global routing table) to the VRF
   Works well, but doesn't scale well (limited to default routing)
2. Separate PE-CE interface
   Besides the VRF interface, a global interface also connects to each VPN site
   May use eBGP on the global interface, if dynamic routing or Internet routes are needed
   Works well and scales well, despite the operational overhead
3. Extranet with Internet-VRF
   Internet routes inside a dedicated VRF (e.g. Internet-VRF)
   Extranet between the Internet-VRF and the customer VRFs that need Internet access
IP/VPN Deployment Scenarios: Internet Access
4.1 Option#1: VRF-specific default route (supported in IOS)
[Figure: PE1 with the VRF interface Serial0 (192.168.10.1) towards the customer site, a P router, and the Internet GW / ASBR at 192.168.1.1.]
PE1#
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 redistribute static
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 update-source loopback0
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
!
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
ip route 71.8.0.0 255.255.0.0 Serial0
A default route, pointing to the ASBR, is installed into the site VRF at each PE (the first ip route line).
The static route for the customer prefix, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP (the second ip route line together with redistribute static).
IP/VPN Deployment Scenarios: Internet Access
4.3 Option#3: Extranet with Internet-VRF (supported in IOS, NX-OS and IOS-XR)
The Internet routes can be placed within a VRF at the Internet GW, i.e. the ASBR
The customer VRFs can form an extranet with the Internet VRF and receive either default, partial or full Internet routes
A default route is recommended
Be careful if multiple customer VRFs at the same PE import full Internet routes
Works well only if the VPN customers don't have overlapping addresses
IP/VPN Deployment Scenarios: Internet Access (IOS-XR 4.3.1, IOS-XE 3.7)
Import from and export to the global table through route maps:
[Figure: CE with 192.34.0.0/16 and 2001:FD8::/32 attached to the PE in VRF red; 10.5.0.0/16 is reachable in the global table of the MPLS-VPN network.]
VRF red
 import ipv4 unicast map foo    # 10.5/16 imported from global
 export ipv4 unicast map bar    # 192.34/16 exported to global
IP/VPN Deployment Scenarios: IP/VPN over IP Transport (MPLS VPN over GRE; supported in IOS, NX-OS and IOS-XR)
[Figure: between the PEs the VPN packet is carried as IP header | GRE header | VPN label | customer IP packet, instead of over an MPLS label-switched path; the VRF at each PE is unchanged.]
Egress PE2 decapsulates, and uses the VPN label to forward the packet to CE2
Source -- http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_mplsvpnomgre.html
IP/VPN Deployment Scenarios: IPv6 (supported in IOS, NX-OS and IOS-XR)
[Figure: one MPLS/VPN network carrying VPN A, whose sites are v4 and v6, and VPN B, whose sites are v6 only; the PEs run iBGP sessions in both the VPNv4 and the VPNv6 address families.]
IP/VPN Deployment Scenarios:
7. Providing Multi-VRF CE Service (supported in IOS, NX-OS and IOS-XR)
Is it possible for an IP router to keep multiple customer connections separated?
Yes, multi-VRF CE, a.k.a. VRF-Lite, can be used
Multi-VRF CE provides multiple virtual routing tables (and forwarding tables), one per customer, at the CE router
It is not a feature but an application of the VRF implementation
Any routing protocol supported by a normal VRF can be used in a multi-VRF CE implementation
No MPLS functionality is needed on the CE; there is no label exchange between the CE and any other router (including the PE)
One deployment model extends the VRFs to the CE; another extends them further inside the Campus => Campus Virtualization
[Figure: the PE-CE link is split into sub-interfaces*, one per VRF, on both the PE and the multi-VRF CE.]
* Sub-interfaces: any interface type that supports sub-interfaces, i.e. Ethernet VLAN, Frame Relay, ATM VCs
Best Practices (1)
1. Use RRs to scale BGP; deploy RRs in pairs for redundancy
   Keep the RRs out of the forwarding path and disable CEF on them (saves memory)
2. Choose the AS format for RT and RD, i.e. ASN:X
   Reserve the first few hundred values of X for internal purposes such as filtering
3. Consider a unique RD per VRF per PE
   Helpful for many scenarios such as multi-homing, hub & spoke, etc.
   Helps to avoid add-path, shadow RR, etc.
4. Don't use customer names (e.g. V458:GodFatherNYC32ndSt) as VRF names; it is a nightmare for the NOC
   Consider v101, v102, v201, v202, etc., and use the VRF description for the customer name
5. Utilize the SP's public address space for PE-CE IP addressing
   Helps to avoid overlapping; use /31 subnetting on PE-CE interfaces
Best Practices (2)
6. Limit the number of prefixes per VRF and/or per neighbor on the PE
   Max-prefix within the VRF configuration; suppress the inactive routes
   Max-prefix per neighbor (PE-CE) within the OSPF/RIP/BGP VRF address family
7. Leverage BGP Prefix Independent Convergence (PIC) for fast convergence <100ms (IPv4 and IPv6):
   PIC Core
   PIC Edge
   Best-external advertisement
   Next-hop tracking (on by default)
8. Consider RT-constraint for route-reflector scalability
9. Consider BGP slow peer for faster BGP convergence on the PE or RR
10. Use a dedicated L3VPN for CE management
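Several of the practices above (RD/RT in ASN:X form with a reserved low range, a unique RD per VRF per PE, generic VRF names, a per-VRF prefix limit) can be checked mechanically. The following added example, not part of the Cisco deck, parses IOS-style `ip vrf` blocks from a set of PE configurations and reports violations. The reserved range, the naming pattern and the sample configurations are constructed assumptions for the example, not Cisco defaults.

```python
"""Lint IOS 'ip vrf' blocks across several PEs against the best-practice list."""
import re

RESERVED_X_MAX = 100          # assumption: ASN:1 .. ASN:100 are kept for internal use (e.g. filtering)
VRF_NAME_PATTERN = r"v\d+"    # assumption: generic names such as v101, v102


def parse_ip_vrf_blocks(config: str) -> dict:
    """Extract {vrf_name: {rd, import, export, max_routes}} from IOS-style 'ip vrf' blocks."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^ip vrf (\S+)$", line)
        if header:
            current = header.group(1)
            vrfs[current] = {"rd": None, "import": set(), "export": set(), "max_routes": None}
            continue
        if not line.startswith(" "):      # '!' or any top-level command ends the block
            current = None
            continue
        if current is None:
            continue
        tok = line.split()
        if tok[0] == "rd" and len(tok) >= 2:
            vrfs[current]["rd"] = tok[1]
        elif tok[0] == "route-target" and len(tok) >= 3:
            if tok[1] in ("import", "both"):
                vrfs[current]["import"].add(tok[2])
            if tok[1] in ("export", "both"):
                vrfs[current]["export"].add(tok[2])
        elif tok[:2] == ["maximum", "routes"] and len(tok) >= 3:
            vrfs[current]["max_routes"] = int(tok[2])
    return vrfs


def lint(pe_configs: dict, local_asn: int) -> list:
    """Return one finding string per violated practice across all PEs."""
    findings, rd_owner = [], {}
    for pe, config in pe_configs.items():
        for name, vrf in parse_ip_vrf_blocks(config).items():
            where = f"{pe}/{name}"
            if not re.fullmatch(VRF_NAME_PATTERN, name):
                findings.append(f"{where}: VRF name is not generic (vNNN); put the customer name in the description")
            if vrf["rd"] is None:
                findings.append(f"{where}: no rd configured")
            elif vrf["rd"] in rd_owner:
                findings.append(f"{where}: RD {vrf['rd']} already used on {rd_owner[vrf['rd']]}; use a unique RD per VRF per PE")
            else:
                rd_owner[vrf["rd"]] = where
            values = ({vrf["rd"]} if vrf["rd"] else set()) | vrf["import"] | vrf["export"]
            for value in sorted(values):
                asn, _, x = value.partition(":")
                if asn != str(local_asn) or not x.isdigit():
                    findings.append(f"{where}: {value} is not in ASN:X format with the local ASN {local_asn}")
                elif int(x) <= RESERVED_X_MAX:
                    findings.append(f"{where}: {value} falls in the reserved range ASN:1-{RESERVED_X_MAX}")
            if vrf["max_routes"] is None:
                findings.append(f"{where}: no 'maximum routes' limit configured for the VRF")
    return findings


# Constructed sample configurations for two PEs.
SAMPLE_CONFIGS = {
    "PE1": """\
ip vrf v101
 description Customer A
 rd 65000:101
 route-target both 65000:101
 maximum routes 1000 80
!
ip vrf GodFatherNYC
 rd 65000:5
 route-target export 65000:102
 route-target import 65000:102
!
""",
    "PE2": """\
ip vrf v101
 description Customer A
 rd 65000:101
 route-target both 65000:101
 maximum routes 1000 80
!
""",
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIGS, 65000):
        print(finding)
```

On the sample the linter reports the customer-named VRF, its RD in the reserved range, its missing prefix limit, and the RD reused for v101 on PE2; the same VRF name on two PEs is expected, the same RD is what practice 3 argues against.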
Use-Cases
1. SP Business VPN Service
2. SP Internal Usage (e.g. IT)
3. Enterprise Campus Virtualization/Segmentation
4. Data Center Multi-Tenancy
5. Data Center Cloud/Virtualization/Hypervisor
Use-Case #1
SP Business VPN Services
SPs can use IP/VPN to offer L3 site-to-site connectivity to Enterprise/SMB customers
SPs can even offer Remote Access integrated with L3VPN
[Figure: Enterprise Green sites 1 to 4 (CE1, CE2, CE4, ...) attached to PE1 and PE2 of the SP network, with P routers in the core.]
Use-Case #2
SP Internal Usage (e.g. IT)
An SP/ISP can overlay its own Enterprise and/or IT WAN connectivity over the MPLS network that it uses to offer L3VPN services to its customers
[Figure: SP IT sites 1 to 3 connected across the SP network.]
Use-Case#3
Enterprise Campus Segmentation/Virtualization
IP/VPN can be used to create multiple logical topologies in the Campus
Allows the use of unique security policies per logical domain
Provides traffic isolation per application, group, service etc. per logical domain
IP/VPN segmentation in the Campus can also be extended over the WAN
Use-Case#3
Enterprise Campus Segmentation/Virtualization
[Figure: Red, Green and Yellow VRFs extend from Data Center 1 through the Campus distribution PEs and over the WAN (MPLS) PEs to Branch 1 and Branch 2; Internet access is reached through a WAN PE.]
Allows virtualization over the WAN via MPLS
Use-Case#4
Data Center Multi-Tenancy
[Figure: MPLS from the WAN down to the TOR/Leaf; the MPLS PE function sits on the TOR/Leaf, a Layer-2 device connects the PODs, and the CE function runs on VMs or bare metal.]
MPLS up to the TOR/Leaf; Segment Routing could be used
MPLS PE function on the TOR/Leaf
CE function on VMs or bare metal
Layer 2 between PE and CE
Use-Case#4
Data Center Multi-Tenancy
[Figure: IPv4 and IPv6 ASBRs and PEs over an MPLS core serving 200 customers; 65 5K L2 switches, FCoE, a 10GE firewall as the L3/CE, N1Kv virtual switches, PODs of 4 servers/VMs on HP/IBM hypervisors with 100 VMs each (VLAN 1-100), and storage disks.]
Use-Case#5
Data Center Cloud/Virtualization/Hypervisor
[Figure: MPLS up to the x86 host; the PE function on a virtual router (VM) or virtual forwarder; the CE function on VMs or bare metal in the PODs.]
MPLS up to the x86 host; Segment Routing could be used
MPLS PE function on a virtual router (VM) or virtual forwarder (VM or container)
SDN control plane and data plane separation in the case of the latter
CE function on VMs or bare metal
Layer 2 between PE and CE
Please attend BRKMPL-2115 for MPLS in DC/Cloud details
Conclusion
MPLS based IP/VPN is the optimal L3VPN technology
Any-to-any IPv4 or IPv6 VPN topology
Partial-mesh and Hub and Spoke topologies are also possible
Thank you