
DEPLOYING MPLS-VPN

SESSION RST-2602

Rajiv Asati (rajiva@cisco.com)

RST-2602 9908_06_2004_X2

2004 Cisco Systems, Inc. All rights reserved.

Agenda

- MPLS VPN Definition
- Technology Configuration
- MPLS-VPN Services
  - Providing load-shared traffic to the multihomed VPN sites
  - Providing Hub&Spoke service to the VPN customers
  - Providing MPLS VPN Extranet service
  - Providing Internet access service to VPN customers
  - Providing VRF-selection based services
  - Providing Remote Access MPLS VPN
  - Providing VRF-aware NAT services
- Advanced MPLS VPN Topics
  - Inter-AS MPLS-VPN
  - CsC (Carrier Supporting Carrier)
- Best Practices
- Conclusion

Prerequisites

- Must understand basic IP routing, especially BGP
- Must understand MPLS basics (push, pop, swap, label stacking)
- Must finish the evaluation: http://www.networkers04.com/desktop

Terminology:

LSR: Label Switch Router
LSP: Label Switched Path; the chain of labels that are swapped at each hop to get from one LSR to another
VRF: VPN Routing and Forwarding; mechanism in IOS used to build a per-interface RIB and FIB
MP-BGP: Multi-Protocol BGP
PE: Provider Edge router; interfaces with CE routers
P: Provider (core) router, without knowledge of the VPN
VPNv4: Address family used in BGP to carry MPLS-VPN routes
RD: Route Distinguisher; distinguishes the same network/mask prefix in different VRFs
RT: Route Target; Extended Community attribute used to control import and export policies of VPN routes
LFIB: Label Forwarding Information Base
FIB: Forwarding Information Base


MPLS-VPN Operations Theory

- VPN definition: VRF instance
- VPN route propagation (Control Plane)
- VPN packet forwarding (Data Plane)

MPLS VPN Connection Model

(Diagram: PE routers at the edge, P routers in the core, a common VPN backbone IGP, and an MP-iBGP session between the PE routers.)

PE routers
- Edge routers
- Use MPLS with P routers
- Use IP with CE routers
- Connect to both CE and P routers
- Distribute VPN information through MP-BGP to other PE routers, with VPN-IPv4 addresses, Extended Community and Label

P routers
- P routers are in the core of the MPLS cloud
- P routers do not need to run BGP and do not need to have any VPN knowledge
- Forward packets by looking at labels
- P and PE routers share a common IGP

MPLS VPN: Separate Routing Tables in PE

(Diagram: the CE of VPN site 1 and the CE of VPN site 2 attach to the PE via eBGP, OSPF, RIPv2 or static routes; the PE attaches to the MPLS backbone IGP (OSPF, IS-IS).)

VRF routing table
- Routing (RIB) and forwarding table (CEF) associated with one or more directly connected sites (CEs)
- The routes the PE receives from CE routers are installed in the appropriate VRF routing table(s): the blue VRF routing table or the green VRF routing table

The global routing table
- Populated by the MPLS backbone IGP
- In PE routers, may contain the BGP Internet routes (standard IPv4 routes)

VRF: Virtual Routing and Forwarding Instance

(Diagram: VPN site 1 and VPN site 2 attach to the PE via eBGP, OSPF, RIPv2 or static routes, each into its own VRF (green, blue); the PE attaches to the MPLS backbone IGP (OSPF, IS-IS).)

What's a VRF?
- Associates to one or more interfaces on the PE
- Privatizes an interface, i.e. "coloring" of the interface
- Has its own routing table and forwarding table (CEF)
- Has its own instance of the routing protocol (static, RIP, BGP, EIGRP, OSPF)
- The CE router runs standard routing software

VRF: Virtual Routing and Forwarding Instance (continued)

- The PE installs the routes learned from CE routers in the appropriate VRF routing table(s)
- The PE installs the IGP (backbone) routes in the global routing table
- VPN customers can use overlapping IP addresses.

Additions in BGP: MPLS-VPN Info in BGP

MP-iBGP update carrying RD, RT and Label:

  RD (8 bytes) + IPv4 prefix (4 bytes) = VPNv4 address, e.g. 1:1:10.1.1.0
  Route-Target (8 bytes)
  Label (3 bytes)

RD: Route Distinguisher (VPNv4 routes)
RT: Route Target
Label

MPLS VPN Control Plane: Route Distinguisher

MP-BGP update components: RD 1:1 (8 bytes) + IPv4 prefix 10.1.1.0 (4 bytes) = VPNv4 address; Route-Target (8 bytes); Label (3 bytes).

- To convert an IPv4 address into a VPNv4 address, the RD is appended to the IPv4 address, i.e. 1:1:10.1.1.0
- This makes the customer's IPv4 route globally unique
- Each VRF must be configured with an RD at the PE
- The RD is what defines the VRF

    !
    ip vrf v1
     rd 1:1
    !

MPLS VPN Control Plane: Route Target

MP-BGP update components: RD 1:1 + IPv4 prefix 10.1.1.0 (VPNv4 address); Route-Target 2:2; Label.

Route-target (RT):
- Identifies the VRF for the received VPNv4 prefix
- It is an 8-byte extended community (a BGP attribute)
- Each VRF is configured with RT(s) at the PE
- The RT helps to "color" the prefix

    !
    ip vrf v1
     route-target import 1:1
     route-target export 1:2
    !

MPLS VPN Control Plane: Label

MP-BGP update components: RD 1:1 + IPv4 prefix 10.1.1.0 (VPNv4 address); Route-Target 2:2; Label 50.

- The Label (for the VPNv4 prefix) is assigned only by the PE whose address is the Next-Hop attribute
- PE routers re-write the Next-Hop with their own address (loopback): Next-Hop-Self towards MP-iBGP neighbors by default
- PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP
- DO NOT summarize the PE loopback addresses in the core

MPLS VPN Control Plane: Putting It All Together (1)

(Diagram: Site 1, 10.1.1.0/24, behind CE1 attached to PE1; Site 2 behind CE2 attached to PE2; P routers in the MPLS backbone. CE1 advertises 10.1.1.0/24 with Next-Hop=CE-1; PE1 sends the MP-iBGP update RD:10.1.1.0/24, Next-hop=PE-1, RT=Green, Label=100.)

1) PE1 receives an IPv4 update (eBGP, OSPF, EIGRP)
2) PE1 translates it into a VPNv4 address
   - Assigns an RT per the VRF configuration
   - Re-writes the Next-Hop attribute to itself
   - Assigns a label based on the VRF and/or interface
3) PE1 sends the MP-iBGP UPDATE to the other PE routers

MPLS VPN Control Plane: Putting It All Together (2)

(Same diagram: PE2 receives the MP-iBGP update RD:10.1.1.0/24, Next-hop=PE-1, RT=Green, Label=100 and advertises 10.1.1.0/24 with Next-Hop=PE-2 to CE2.)

4) PE2 receives the update and checks whether RT=Green is locally configured within any VRF; if yes, then
5) PE2 translates the VPNv4 prefix back into an IPv4 prefix
   - Installs the prefix into the VRF routing table
   - Updates the VRF CEF table with label=100 for 10.1.1.0/24
   - Advertises this IPv4 prefix to CE2 (eBGP, OSPF, EIGRP)
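The five control-plane steps above, as an added Python model (this is example code written for this page, not Cisco IOS code or anything from the presentation). It builds the VPNv4 NLRI as RD:prefix, attaches the VRF's export RT and a per-VRF label with next-hop-self, and lets the receiving PE import only into VRFs whose import RTs match. The router names, VRF names, RDs, RTs and the label numbering are constructed; the second customer reusing 10.1.1.0/24 shows why the RD is needed.

```python
"""Toy MPLS VPN control plane (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    # prefix -> (next hop, VPN label); label is None for routes learned from the local CE
    rib: Dict[str, Tuple[str, Optional[int]]] = field(default_factory=dict)


@dataclass(frozen=True)
class VpnV4Route:
    rd: str
    prefix: str
    next_hop: str          # rewritten to the originating PE (next-hop-self)
    rts: FrozenSet[str]    # extended-community route targets
    label: int

    @property
    def nlri(self) -> str:
        return f"{self.rd}:{self.prefix}"   # e.g. 1:1:10.1.1.0/24


class PE:
    def __init__(self, name: str) -> None:
        self.name = name
        self.vrfs: Dict[str, Vrf] = {}
        self._vrf_labels: Dict[str, int] = {}
        self._next_label = 100              # constructed starting value

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def _label_for(self, vrf_name: str) -> int:
        """One label per VRF (constructed policy); IOS may also allocate per prefix."""
        if vrf_name not in self._vrf_labels:
            self._vrf_labels[vrf_name] = self._next_label
            self._next_label += 1
        return self._vrf_labels[vrf_name]

    def learn_from_ce(self, vrf_name: str, prefix: str, ce: str) -> VpnV4Route:
        """Steps 1-3: install the CE route in the VRF and build the MP-iBGP update."""
        vrf = self.vrfs[vrf_name]
        vrf.rib[prefix] = (ce, None)
        return VpnV4Route(rd=vrf.rd, prefix=prefix, next_hop=self.name,
                          rts=frozenset(vrf.export_rts), label=self._label_for(vrf_name))

    def receive_update(self, route: VpnV4Route) -> List[str]:
        """Steps 4-5: import into every local VRF whose import RTs intersect the route's RTs.
        An empty result means automatic route-target filtering discarded the update."""
        imported_into = []
        for vrf in self.vrfs.values():
            if vrf.import_rts & route.rts:
                vrf.rib[route.prefix] = (route.next_hop, route.label)
                imported_into.append(vrf.name)
        return imported_into


def demo() -> dict:
    pe1, pe2 = PE("PE1"), PE("PE2")
    # Two customers on PE1 both use 10.1.1.0/24; distinct RDs keep the NLRIs apart.
    pe1.add_vrf(Vrf("green", "1:1", {"100:1"}, {"100:1"}))
    pe1.add_vrf(Vrf("blue", "2:2", {"200:1"}, {"200:1"}))
    pe2.add_vrf(Vrf("green", "1:1", {"100:1"}, {"100:1"}))   # PE2 serves only green
    green = pe1.learn_from_ce("green", "10.1.1.0/24", "CE1")
    blue = pe1.learn_from_ce("blue", "10.1.1.0/24", "CE9")
    return {
        "green_nlri": green.nlri,
        "blue_nlri": blue.nlri,
        "green_imported": pe2.receive_update(green),
        "blue_imported": pe2.receive_update(blue),
        "pe2_green_rib": dict(pe2.vrfs["green"].rib),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

PE2 installs the green route with next hop PE1 and label 100 but silently drops the blue one, which is exactly the behaviour a PE without a matching VRF shows; when troubleshooting a missing VPN route, checking the import RTs on the receiving PE comes before checking the core.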

MPLS VPN Forwarding Plane (1)

(Diagram: Site 1, 10.1.1.0/24, behind CE1 - PE1 - P1 - P2 - PE2 - CE2 at Site 2.)

VRF Green forwarding table at PE2 (Dest -> Next-Hop):
  10.1.1.0/24 -> PE1, label: 100
Global routing/forwarding table at PE2 (Dest -> Next-Hop):
  PE1 -> P2, label: 25
Global routing/forwarding table at PE1 (Dest -> Next-Hop):
  PE2 -> P1, label: 50

The global forwarding table (show ip cef)
- PE routers store IGP routes and the associated labels
- Labels are distributed through LDP/TDP

VRF forwarding table (show ip cef vrf <vrf>)
- PE routers store VPN routes and the associated labels
- Labels are distributed through MP-BGP

MPLS VPN Forwarding Plane (2)

(Diagram: a packet from Site 2 to 10.1.1.1. PE2 imposes two labels, IGP label 25 on top and VPN label 100 below; the P routers swap the top label along the LSP to PE1; PE1 removes label 100 and forwards the IP packet to 10.1.1.1 at Site 1 via CE1.)

- PE2 imposes TWO labels for each packet going to the VPN destination 10.1.1.1
- The top label is LDP-learned and derived from an IGP route; it represents the LSP to the PE address (the exit point of a VPN route)
- The second label is learned via MP-BGP and corresponds to the VPN address
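The two-label forwarding walk above, as an added Python simulation (example code for this page, not Cisco IOS code). PE2's tables follow the slide (VPN label 100 from MP-BGP, IGP label 25 toward PE1); the topology PE2 - P2 - P1 - PE1 - CE1, the intermediate label 17 and penultimate-hop popping at P1 are constructed assumptions.

```python
"""Toy LFIB walk for the MPLS VPN forwarding plane (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Per-node LFIB: incoming label -> (action, outgoing label or None, next hop / VRF)
LFIB: Dict[str, Dict[int, Tuple[str, Optional[int], str]]] = {
    "P2": {25: ("swap", 17, "P1")},            # IGP LSP toward PE1 (label 17 constructed)
    "P1": {17: ("pop", None, "PE1")},          # penultimate-hop pop (assumed)
    "PE1": {100: ("pop-vpn", None, "green")},  # VPN label identifies the egress VRF
}

# PE2 tables: VRF FIB populated by MP-BGP, global FIB by the IGP plus LDP
PE2_VRF_FIB: Dict[str, Dict[str, Tuple[str, int]]] = {"green": {"10.1.1.0/24": ("PE1", 100)}}
PE2_GLOBAL_FIB: Dict[str, Tuple[str, int]] = {"PE1": ("P2", 25)}

# PE1: VRF RIB for the locally attached site (constructed)
PE1_VRF_RIB: Dict[str, Dict[str, str]] = {"green": {"10.1.1.0/24": "CE1"}}


def longest_match(table: Dict[str, object], dst: str):
    """Return the entry of the most specific prefix containing dst, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else best[1]


def pe2_impose(vrf: str, dst: str) -> Tuple[List[int], str]:
    """Ingress PE: VRF lookup gives (egress PE, VPN label); global lookup gives the IGP label."""
    hit = longest_match(PE2_VRF_FIB[vrf], dst)
    if hit is None:
        raise LookupError(f"{dst} has no route in VRF {vrf}: dropped")
    egress_pe, vpn_label = hit
    next_hop, igp_label = PE2_GLOBAL_FIB[egress_pe]
    return [igp_label, vpn_label], next_hop   # top of stack first


def forward(vrf: str, dst: str) -> List[str]:
    """Walk the packet from PE2 to the customer site, recording the label stack per hop."""
    stack, node = pe2_impose(vrf, dst)
    trace = [f"PE2 -> {node} {stack}"]
    while node in LFIB:
        entry = LFIB[node].get(stack[0]) if stack else None
        if entry is None:
            trace.append(f"{node}: no LFIB entry for {stack}, dropped")
            return trace
        action, out_label, nxt = entry
        if action == "swap":
            stack = [out_label] + stack[1:]
        elif action == "pop":
            stack = stack[1:]
        elif action == "pop-vpn":
            stack = stack[1:]
            ce = longest_match(PE1_VRF_RIB[nxt], dst)   # plain IP lookup in that VRF
            trace.append(f"{node} -> {ce} {stack} (VRF {nxt})")
            return trace
        trace.append(f"{node} -> {nxt} {stack}")
        node = nxt
    return trace


if __name__ == "__main__":
    print("\n".join(forward("green", "10.1.1.1")))
```

The trace shows the P routers never consult the VPN label; only PE1, which allocated label 100, maps it back to a VRF. That is also why a PE loopback that is summarized in the core breaks forwarding: the top label must reach exactly the PE that handed out the bottom one.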


MPLS VPN Sample Configuration: VRF Definition and PE-P

(Diagram: Site 1, 10.1.1.0/24, behind CE1 attached to PE1 Serial0 (192.168.10.1); PE1 Serial1 attaches to P.)

VRF definition on PE1:

    ip vrf VPN-A
     rd 1:1
     route-target export 100:1
     route-target import 100:1
    !
    interface Serial0
     ! apply the VRF before the address: ip vrf forwarding removes any address already on the interface
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0

PE-P configuration on PE1:

    interface Serial1
     ip address 130.130.1.1 255.255.255.252
     mpls ip
    !
    router ospf 1
     network 130.130.1.0 0.0.0.3 area 0

MPLS VPN Sample Configuration: PE and RR

(Diagram: PE1 and PE2 each hold an MP-iBGP session to the RR.)

PE1:

    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback 0
     !
     address-family vpnv4
      neighbor 1.2.3.4 activate
      neighbor 1.2.3.4 send-community both

RR:

    router bgp 1
     no bgp default route-target filter
     neighbor 1.2.3.6 remote-as 1
     neighbor 1.2.3.6 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.6 activate
      neighbor 1.2.3.6 route-reflector-client

MPLS VPN Sample Configuration: PE-CE (BGP and OSPF)

(Diagram: Site 1, 10.1.1.0/24; CE1 192.168.10.2 - PE1 192.168.10.1.)

PE-CE BGP on PE1:

    router bgp 1
     !
     address-family ipv4 vrf VPN-A
      neighbor 192.168.10.2 remote-as 2
      neighbor 192.168.10.2 activate
     exit-address-family
    !

PE-CE OSPF on PE1:

    router ospf 1
    !
    router ospf 2 vrf VPN-A
     network 192.168.10.0 0.0.0.255 area 0
    !

MPLS VPN Sample Configuration: PE-CE (RIP and EIGRP)

(Diagram: Site 1, 10.1.1.0/24; CE1 192.168.10.2 - PE1 192.168.10.1.)

PE-CE RIP on PE1:

    router rip
     address-family ipv4 vrf VPN-A
      version 2
      no auto-summary
      network 192.168.10.0
     exit-address-family

PE-CE EIGRP on PE1:

    router eigrp 1
     address-family ipv4 vrf VPN-A
      network 192.168.10.0 0.0.0.255
      autonomous-system 1
     exit-address-family

MPLS VPN Sample Configuration: PE-CE (Static) and MP-iBGP Routes to the VPN

(Diagram: Site 1, 10.1.1.0/24; CE1 192.168.10.2 - PE1 192.168.10.1; RR in the backbone.)

PE-CE static on PE1:

    ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2

MP-iBGP routes to the VPN site on PE1 (RIP as the PE-CE protocol):

    router rip
     address-family ipv4 vrf VPN-A
      version 2
      redistribute bgp 1 metric 1
      no auto-summary
      network 192.168.10.0
     exit-address-family

If the PE-CE protocol is not BGP, then redistribution of the other sites' VPN routes from MP-iBGP is required.

MPLS VPN Sample Configuration: PE-RR (VPN routes to VPNv4)

(Diagram: Site 1 behind CE1 attached to PE1; PE1 peers with the RR.)

PE1:

    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback 0
     !
     address-family ipv4 vrf VPN-A
      redistribute {rip|connected|static|eigrp|ospf}

If the PE-CE protocol is not BGP, then redistribution of the site's VPN routes into MP-iBGP is required.


MPLS VPN Services: 1. Loadsharing for the VPN Traffic

(Diagram: Site A, 171.68.2.0/24, behind CE1, which is dual-homed to PE11 and PE12; Site B behind CE2 attached to PE2; an RR in the MPLS backbone. Route advertisement flows from Site A toward Site B.)

- VPN sites (such as Site A) could be multihomed
- VPN customers may demand that traffic to the multihomed sites be loadshared

MPLS VPN Services: 1. Loadsharing for the VPN Traffic: Cases

- 1 CE, 2 PEs: CE1 at Site A (171.68.2.0/24) connects to both PE11 and PE12; traffic from Site B (PE2/CE2) flows over both PEs
- 2 CEs, 2 PEs: Site A has two CEs, one attached to PE11 and one to PE12; traffic from Site B (PE2/CE2) flows over both

MPLS VPN Services: 1. Loadsharing for the VPN Traffic: Deployment

How to deploy the loadsharing?
1. Configure different VRFs, i.e. different RDs, for the multihomed site/interfaces.
2. Enable BGP multipath within the relevant BGP VRF address-family at the remote/receiving PE2.

Step 1 on the two PEs of the multihomed site (PE11 and PE12, one RD each):

    ip vrf green
     rd 300:12
     route-target both 1:1

    ip vrf green
     rd 300:13
     route-target both 1:1

Steps 1 and 2 on PE2:

    ip vrf green
     rd 300:11
     route-target both 1:1
    !
    router bgp 1
     address-family ipv4 vrf green
      maximum-paths eibgp 2

MPLS VPN Services: 1. Loadsharing for the VPN Traffic (continued)

(Diagram: route advertisement for 171.68.2.0/24 from CE1 at Site A via PE11 and PE12 through the RR to PE2/CE2 at Site B.)

- The RR must advertise all the paths learned via PE11 and PE12 to the remote PE routers
- With a different RD per VRF, the RR does the best-path calculation per RD and advertises them to the remote PE
- Watch out for the increased (~20%) memory consumption (within BGP) due to multipaths at the PEs
- eiBGP multipath implicitly provides eBGP and iBGP multipath for VPN paths
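Why step 1 (a distinct RD per PE) is needed, as an added Python model (example code for this page, not Cisco code): a route reflector keeps one best path per VPNv4 NLRI, i.e. per (RD, prefix). With the same RD the paths from PE11 and PE12 collapse into one before PE2 ever sees them; with different RDs both arrive, and PE2 installs up to `maximum-paths`. The router IDs and the tie-break rule (lowest router ID wins) are constructed.

```python
"""RR best-path selection per VPNv4 NLRI and PE multipath (added example, not Cisco code)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# (rd, prefix, next-hop PE, router id of the advertising PE)
Path = Tuple[str, str, str, str]


def rr_reflect(paths: List[Path]) -> List[Path]:
    """Best path per NLRI = (rd, prefix); tie-break on lowest router id (constructed rule)."""
    best: Dict[Tuple[str, str], Path] = {}
    for p in paths:
        key = (p[0], p[1])
        if key not in best or p[3] < best[key][3]:
            best[key] = p
    return list(best.values())


def pe_install(reflected: List[Path], maximum_paths: int) -> Dict[str, List[str]]:
    """Receiving PE: strip the RD, group by IPv4 prefix, keep up to maximum_paths next hops."""
    rib: Dict[str, List[str]] = defaultdict(list)
    for _rd, prefix, nh, _rid in reflected:
        if nh not in rib[prefix] and len(rib[prefix]) < maximum_paths:
            rib[prefix].append(nh)
    return dict(rib)


def scenario(distinct_rds: bool, maximum_paths: int = 2) -> List[str]:
    """Next hops PE2 ends up with for 171.68.2.0/24 from the dual-homed Site A."""
    rd_pe11 = "300:12"
    rd_pe12 = "300:13" if distinct_rds else "300:12"
    paths = [(rd_pe11, "171.68.2.0/24", "PE11", "10.0.0.11"),
             (rd_pe12, "171.68.2.0/24", "PE12", "10.0.0.12")]
    rib = pe_install(rr_reflect(paths), maximum_paths)
    return rib["171.68.2.0/24"]


if __name__ == "__main__":
    print("same RD:      ", scenario(distinct_rds=False))
    print("different RDs:", scenario(distinct_rds=True))
    print("no multipath: ", scenario(distinct_rds=True, maximum_paths=1))
```

The third case shows that distinct RDs alone are not enough: without `maximum-paths eibgp` PE2 still installs a single path, so both steps on the slide are required, and the memory note above applies because PE2 now carries two NLRIs for the same customer prefix.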

MPLS-VPN Services: 2. Hub & Spoke Service to the VPN Customers

- Traditionally, VPN deployments are Hub&Spoke: spoke-to-spoke communication is via the Hub site only.
- Despite MPLS VPN's implicit any-to-any, i.e. full-mesh, connectivity, Hub&Spoke service can easily be offered.
- Done with import and export of Route-Targets (RT).

MPLS-VPN Services: 2. Hub & Spoke Service - Configuration

(Diagram: Spoke A, 171.68.1.0/24, CE-SA - PE-SA; Spoke B, 171.68.2.0/24, CE-SB - PE-SB; PE-Hub with two sub-interfaces toward the hub site, Eth0/0.1 in VRF HUB-OUT and Eth0/0.2 in VRF HUB-IN; all PEs on the MPLS VPN backbone.)

PE-SA:

    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2

PE-SB:

    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2

PE-Hub:

    ip vrf HUB-OUT
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-IN
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2

MPLS-VPN Services: 2. Hub & Spoke Service Control Plane

Advertisements:
- PE-SA advertises 171.68.1.0/24, Label 40, Route-Target 1:1
- PE-SB advertises 171.68.2.0/24, Label 50, Route-Target 1:1
- PE-Hub (VRF HUB-IN) advertises 0.0.0.0, Label 35, Route-Target 2:2

VRF HUB-OUT RT and LFIB at PE-Hub:
  Destination     Next-Hop   Label
  171.68.1.0/24   PE-SA      40
  171.68.2.0/24   PE-SB      50

VRF HUB-IN routing table at PE-Hub:
  Destination   Next-Hop
  0.0.0.0       CE-H1

VRF RT and LFIB at PE-SA:
  Destination     Next-Hop   Label
  0.0.0.0         PE-Hub     35
  171.68.1.0/24   CE-SA

VRF RT and LFIB at PE-SB:
  Destination     Next-Hop   Label
  0.0.0.0         PE-Hub     35
  171.68.2.0/24   CE-SB

- All traffic between spokes must pass through the Hub/Central Site. The Hub site could offer firewall, NAT and similar applications.
- Two-VRF solution at the PE-Hub: VRF HUB-OUT has knowledge of every spoke route; VRF HUB-IN only has the default route and advertises that to the spoke PEs.
- The import and export Route-Targets within a VRF must be different.

MPLS-VPN Services: 2. Hub & Spoke Service Forwarding Plane

(Diagram: a packet from Spoke B (171.68.2.0/24) to 171.68.1.1 at Spoke A follows the default route: PE-SB imposes the IGP label LH toward PE-Hub over VPN label 35; PE-Hub removes label 35 into VRF HUB-IN and hands the packet to the hub site, which returns it on the HUB-OUT sub-interface; PE-Hub then imposes the IGP label LA toward PE-SA over VPN label 40, and PE-SA delivers it to CE-SA at Spoke A, 171.68.1.0/24.)

MPLS-VPN Services: 3. Extranet VPN

- MPLS VPN, by default, isolates one VPN customer from another: a separate virtual routing table for each VPN customer
- Communication between VPNs may be required, i.e. an Extranet
  - External inter-company communication (dealers with a manufacturer, retailer with a wholesale provider etc.)
  - Management VPN, shared-service VPN etc.
- Needs the right import and export route-target (RT) values configured within the VRFs
- An export-map or import-map should be used

MPLS-VPN Services: 3. Extranet VPN (Configuration)

Goal: only VPN_A Site#1 is to be reachable from VPN_B

(Diagram: VPN_A Site#1, 171.68.0.0/16, on PE1; VPN_A Site#2, 192.6.0.0/16, and VPN_B Site#1, 180.1.0.0/16, on PE2, across the MPLS backbone.)

    ip vrf VPN_A
     rd 3000:111
     export map VPN_A_Export
     import map VPN_A_Import
     route-target import 3000:111
     route-target export 3000:111
     route-target import 3000:1
    !
    route-map VPN_A_Export permit 10
     match ip address 1
     set extcommunity rt 3000:2
    !
    route-map VPN_A_Import permit 10
     match ip address 2
    !
    access-list 1 permit 171.68.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0

    ip vrf VPN_B
     rd 3000:222
     export map VPN_B_Export
     import map VPN_B_Import
     route-target import 3000:222
     route-target export 3000:222
     route-target import 3000:2
    !
    route-map VPN_B_Export permit 10
     match ip address 2
     set extcommunity rt 3000:1
    !
    route-map VPN_B_Import permit 10
     match ip address 1
    !
    access-list 1 permit 171.68.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0

Only Site#1 of both VPNs will communicate with each other; Site#2 won't.
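The RT policies of the hub-and-spoke slides (section 2) and of the extranet slide above, as one added Python model (example code for this page, not Cisco code). Given each VRF's static import/export RTs and an optional export map (prefix -> extra RTs), it computes which prefixes every VRF ends up importing and resolves a destination to the VRF the matching route came from. Assumptions: the export-map RT is added to the static export RTs (check the platform's additive behaviour), the import maps of the slide are not modelled, and the VRF names, RDs and prefixes follow the slides.

```python
"""RT import/export policy evaluation: hub-and-spoke and extranet (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    local_prefixes: List[str]
    export_map: Optional[Callable[[str], Set[str]]] = None   # prefix -> extra RTs (assumed additive)


def export(vrf: Vrf) -> List[Tuple[str, str, FrozenSet[str]]]:
    """VPNv4 advertisements of one VRF: (origin VRF, prefix, RTs)."""
    adv = []
    for prefix in vrf.local_prefixes:
        rts = set(vrf.export_rts)
        if vrf.export_map:
            rts |= vrf.export_map(prefix)
        adv.append((vrf.name, prefix, frozenset(rts)))
    return adv


def import_table(vrfs: List[Vrf]) -> Dict[str, Dict[str, str]]:
    """For each VRF: prefix -> origin VRF (local routes plus RT-matched imports)."""
    all_adv = [a for v in vrfs for a in export(v)]
    table: Dict[str, Dict[str, str]] = {}
    for v in vrfs:
        rib = {p: v.name for p in v.local_prefixes}
        for origin, prefix, rts in all_adv:
            if origin != v.name and rts & v.import_rts:
                rib.setdefault(prefix, origin)   # a local route wins (constructed tie-break)
        table[v.name] = rib
    return table


def resolve(table: Dict[str, Dict[str, str]], vrf: str, dst: str) -> Optional[str]:
    """Longest-match lookup in a VRF; returns the origin VRF of the route used, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, origin in table[vrf].items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, origin)
    return None if best is None else best[1]


def hub_and_spoke() -> Dict[str, Dict[str, str]]:
    """Section 2: spokes export 1:1 / import 2:2, HUB-OUT imports 1:1, HUB-IN exports 2:2."""
    return import_table([
        Vrf("green-spoke1", "300:111", {"1:1"}, {"2:2"}, ["171.68.1.0/24"]),
        Vrf("green-spoke2", "300:112", {"1:1"}, {"2:2"}, ["171.68.2.0/24"]),
        Vrf("HUB-OUT", "300:11", set(), {"1:1"}, []),
        Vrf("HUB-IN", "300:12", {"2:2"}, set(), ["0.0.0.0/0"]),
    ])


def extranet() -> Dict[str, Dict[str, str]]:
    """Section 3: the export maps add 3000:2 / 3000:1 only to the Site#1 prefixes."""
    vrf_a = Vrf("VPN_A", "3000:111", {"3000:111"}, {"3000:111", "3000:1"},
                ["171.68.0.0/16", "192.6.0.0/16"],
                export_map=lambda p: {"3000:2"} if p == "171.68.0.0/16" else set())
    vrf_b = Vrf("VPN_B", "3000:222", {"3000:222"}, {"3000:222", "3000:2"},
                ["180.1.0.0/16"],
                export_map=lambda p: {"3000:1"} if p == "180.1.0.0/16" else set())
    return import_table([vrf_a, vrf_b])


if __name__ == "__main__":
    for name, rib in {**hub_and_spoke(), **extranet()}.items():
        print(name, rib)
```

In the hub-and-spoke table a spoke never holds the other spoke's /24; its packets to 171.68.2.x match only the default route that HUB-IN exported, so they go through the hub as intended. In the extranet table VPN_B holds 171.68.0.0/16 but not 192.6.0.0/16, which is the slide's "Site#2 won't" outcome; a prefix that unexpectedly appears in the wrong VRF is nearly always an over-broad match in an export map.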

MPLS-VPN Services: 4. Internet Access Service to VPN Customers

- Could be provided as another value-added service.
- Security mechanisms must be in place at both the provider network and the customer network, to protect from Internet vulnerabilities
- VPN customers benefit from a single point of contact for both Intranet and Internet connectivity

MPLS-VPN Services: 4. Internet Access: Different Methods of Service

Four ways to provide the Internet service:
1. VRF-specific default route with the global keyword
2. Separate PE-CE sub-interface (non-VRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT

MPLS-VPN Services: 4. Internet Access: Different Methods of Service (continued)

1. VRF-specific default route
   1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
   1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
2. Separate PE-CE sub-interface (non-VRF)
   - May run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF
   - VPN packets never leave the VRF context; issue with overlapping VPN addresses
4. Extranet with Internet-VRF along with VRF-aware NAT
   - VPN packets never leave the VRF context; works well with overlapping VPN addresses

MPLS-VPN Services: 4.1 Internet Access: VRF-Specific Default Route (Config)

(Diagram: Site1, 171.68.0.0/16, behind CE1 attached to PE1 Serial0; PE1 (192.168.1.2) reaches the Internet GW / ASBR (192.168.1.1) across the MPLS backbone.)

PE1:

    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
    !
    router bgp 100
     no bgp default ipv4-unicast
     redistribute static
     neighbor 192.168.1.1 remote-as 100
     neighbor 192.168.1.1 activate
     neighbor 192.168.1.1 next-hop-self
     neighbor 192.168.1.1 update-source loopback0
    !
    ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
    ip route 171.68.0.0 255.255.0.0 Serial0

- A default route, pointing to the ASBR, is installed into the site VRF at each PE
- A single label is used for packets forwarded according to the default route: the IGP label corresponding to the IP address of the ASBR, known via the IGP
- The static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP

MPLS-VPN Services: 4.1 Internet Access: VRF-Specific Default Route (Forwarding)

(Diagram: outbound, CE1 sends an IP packet D=cisco.com; PE1 imposes Label=30 (the IGP label for 192.168.1.1) and PE2, the Internet GW, forwards it to the Internet. Inbound, PE2 imposes Label=35 (the IGP label for 192.168.1.2) on an IP packet D=171.68.1.1 and PE1 forwards it out Serial0.)

PE1 global routing/FIB table:
  Destination      Label/Interface
  192.168.1.1/32   Label=30
  171.68.0.0/16    Serial 0

PE2 (Internet GW) global table and LFIB:
  Destination      Label/Interface
  192.168.1.2/32   Label=35
  171.68.0.0/16    192.168.1.2
  Internet         Internet interface

PE1 VRF routing/FIB table:
  Destination      Label/Interface
  0.0.0.0/0        192.168.1.1 (global)
  Site-1           Serial 0

Pros
- Different Internet gateways can be used for different VRFs
- PE routers need not hold the Internet table
- Simple configuration

Cons
- Using the default route for Internet routing does NOT allow any other default route for intra-VPN routing
- Increases the size of the global routing table by leaking VPN routes
- Static configuration


MPLS-VPN Services: 4.2 Internet Access Service to VPN Customers: Using a Separate Sub-Interface (Config)

(Diagram: Site1, 171.68.0.0/16, behind CE1 attached to PE1 over two Frame Relay sub-interfaces, S0.1 (VRF VPN-A) and S0.2 (global, BGP-4 to the CE); PE1 (192.168.1.2) reaches the Internet GW / ASBR (192.168.1.1) across the MPLS backbone.)

PE1:

    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0.1
     ip vrf forwarding VPN-A
     ip address 192.168.20.1 255.255.255.0
     frame-relay interface-dlci 100
    !
    interface Serial0.2
     ip address 171.68.10.1 255.255.255.0
     frame-relay interface-dlci 200
    !
    router bgp 100
     no bgp default ipv4-unicast
     [snip]
     neighbor 171.68.10.2 remote-as 502

- One sub-interface for VPN routing, associated to a VRF
- Another sub-interface for Internet routing, associated to the global routing table
- Could advertise full Internet routes or a default route to the CE
- The PE will need to advertise the VPN routes to the Internet (via the global routing table)

MPLS-VPN Services: 4.2 Internet Access Service to VPN Customers: Using a Separate Sub-Interface (Forwarding)

(Diagram: the CE routing table sends VPN routes out Serial0.1 and Internet routes out Serial0.2; for an IP packet D=cisco.com PE1 imposes Label=30 toward PE2, the PE Internet GW at 192.168.1.1.)

PE1 global table and FIB:
  Internet routes -> 192.168.1.1, Label=30

Pros
- The CE could dual-home and perform optimal routing
- Traffic separation is done by the CE

Cons
- The PE has to hold full Internet routes
- BGP complexities introduced in the CE

Internet Access Service: 4.3 Extranet with Internet-VRF

- The Internet routes could be placed within a VRF at the Internet GW, i.e. the ASBR
- VRFs for customers could extranet with the Internet VRF and receive either default, partial or full Internet routes
- Be careful if duplicating the Internet routes in each VRF
- Works well when the VPN customers don't have overlapping addresses

Internet Access Service: 4.4 Internet Access using VRF-aware NAT

- If the VPN customers need Internet access without Internet routes, then VRF-aware NAT can be used at the Internet GW, i.e. the ASBR
- The Internet GW doesn't need to have Internet routes either
- Overlapping VPN addresses are not a problem
- More in the VRF-aware NAT slides

MPLS VPN Service: 5. VRF-Selection

- The common notion is that a VRF must be associated to an interface; VRF-selection breaks this association and associates multiple VRFs to an interface
- Each packet on the PE-CE interface could be handled (based on certain criteria) via different VRF routing tables
- Criteria such as source/destination IP address, ToS, TCP port etc. are specified via a route-map
- Voice and data can be separated out into different VRFs at the PE

MPLS VPN Service: 5. VRF-Selection Based on Source IP Address

(Diagram, cable setup: CE1 attaches to PE1 over the global interface Serial0/0; the hosts 33.3.14.1, 44.3.12.1 and 66.3.1.25 behind CE1 belong to VPN Brown 33.3.0.0/16, VPN Blue 44.3.0.0/16 and VPN Green 66.3.0.0/16 respectively, each terminated on a VRF interface of PE2 across the MPLS backbone (cable company), with an RR.)

PE1:

    ip vrf brown
     rd 3000:111
     route-target export 3000:1
     route-target import 3000:1
    !
    ip vrf blue
     rd 3000:222
     route-target export 3000:2
     route-target import 3000:2
    !
    ip vrf green
     rd 3000:333
     route-target export 3000:3
     route-target import 3000:3
    !
    interface Serial0/0
     ip address 215.2.0.6 255.255.255.252
     ip policy route-map PBR-VRF-Selection
     ip vrf receive brown
     ip vrf receive blue
     ip vrf receive green
    !
    access-list 40 permit 33.3.0.0 0.0.255.255
    access-list 50 permit 44.3.0.0 0.0.255.255
    access-list 60 permit 66.3.0.0 0.0.255.255
    !
    route-map PBR-VRF-Selection permit 10
     match ip address 40
     set vrf brown
    route-map PBR-VRF-Selection permit 20
     match ip address 50
     set vrf blue
    route-map PBR-VRF-Selection permit 30
     match ip address 60
     set vrf green
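The route-map evaluation above, as an added Python model (example code for this page, not Cisco code): the sequences are tried in order, the first standard ACL that permits the source address selects the VRF, and a packet that matches none falls through to normal routing in the interface's own (global) table, which is the fall-through behaviour this example assumes. The ACL numbers, networks and VRF names are the slide's; the test addresses are the hosts in the diagram.

```python
"""Source-address VRF selection via a PBR route-map (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# access-list number -> permitted (network, wildcard) pairs, as on the slide
ACLS: Dict[int, List[Tuple[str, str]]] = {
    40: [("33.3.0.0", "0.0.255.255")],
    50: [("44.3.0.0", "0.0.255.255")],
    60: [("66.3.0.0", "0.0.255.255")],
}

# route-map PBR-VRF-Selection: (sequence, match acl, set vrf)
ROUTE_MAP: List[Tuple[int, int, str]] = [(10, 40, "brown"), (20, 50, "blue"), (30, 60, "green")]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (n & care)


def acl_permits(acl: int, addr: str) -> bool:
    """Standard ACL: implicit deny when no entry permits (unknown ACL number denies too)."""
    return any(wildcard_match(addr, net, wc) for net, wc in ACLS.get(acl, []))


def select_vrf(src: str) -> Optional[str]:
    """First matching sequence wins; None means the packet stays in the interface's table."""
    for _seq, acl, vrf in sorted(ROUTE_MAP):
        if acl_permits(acl, src):
            return vrf
    return None


def classify(packets: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Map each (src, dst) packet on Serial0/0 to the VRF it would be routed in."""
    return {f"{src}->{dst}": select_vrf(src) for src, dst in packets}


if __name__ == "__main__":
    # constructed sample packets from the three hosts in the diagram plus one stranger
    for pkt, vrf in classify([("33.3.14.1", "198.51.100.1"), ("44.3.12.1", "198.51.100.1"),
                              ("66.3.1.25", "198.51.100.1"), ("10.9.9.9", "198.51.100.1")]).items():
        print(pkt, "->", vrf or "global table")
```

Because the choice keys on the source address alone, the selection is only as trustworthy as the address: the CE or access network should enforce per-VPN source-address filtering (anti-spoofing) so that a host in one VPN's range cannot be routed in another VPN's VRF, and the fall-through to the global table should be reviewed so that unmatched traffic does not silently reach something it shouldn't.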

MPLS VPN Service: 6. Remote Access Service

- Remote access users, i.e. dial users and IPSec users, could directly be terminated in a VRF
  - PPP users can be terminated into VRFs
  - IPSec tunnels can be terminated into VRFs
- Remote access services integration with MPLS VPN opens up new opportunities for providers

MPLS VPN Service: 6. Remote Access Service: IPSec to MPLS VPN

(Diagram: remote users/telecommuters, SOHO and branch-office sites, running Cisco IOS VPN routers or Cisco VPN Client 3.x or higher, reach the SP shared network over the Internet through local or direct-dial ISPs and cable/DSL/ISDN ISPs. IPSec sessions terminate on a PE+IPSec aggregator, backed by SP AAA and customer AAA, and are mapped into the MPLS VPN (VPN A, VPN B, VPN C) toward the corporate intranets of Customer A (head office and branch office), Customer B and Customer C. Plain IP on the access side, MPLS VPN across the IP/MPLS/Layer 2 based network.)

MPLS-VPN Services: 7. VRF-Aware NAT Services

- VPN customers could be using overlapping IP addresses, i.e. 10.0.0.0/8
- Such VPN customers must NAT their traffic before using either extranet or Internet or any shared* services
- The PE is capable of NATting the VPN packets (eliminating the need for an extra NAT device)

* VoIP, hosted content, management etc.

MPLS-VPN Services: 7. VRF-Aware NAT Services (continued)

- Typically, inside interface(s) connect to private address space and the outside interface connects to global address space
- NAT occurs after routing for traffic from inside-to-outside interfaces
- NAT occurs before routing for traffic from outside-to-inside interfaces
- Each NAT entry is associated with the VRF
- Works on VPN packets in the following switching paths: IP->IP, IP->MPLS and MPLS->IP

MPLS-VPN Services: 7. VRF-Aware NAT Services: Internet Access (Config)

(Diagram: Green VPN site, 10.1.1.0/24, behind CE1 - PE11; Blue VPN site, 10.1.1.0/24, behind CE2 - PE12; both reach the PE-ASBR (.1) across the MPLS backbone; the PE-ASBR connects to the Internet via 217.34.42.2.)

PE-ASBR, VRF-specific config:

    ip vrf green
     rd 3000:111
     route-target both 3000:1
    !
    ip vrf blue
     rd 3000:222
     route-target both 3000:2
    !
    router bgp 3000
     address-family ipv4 vrf green
      network 0.0.0.0
     address-family ipv4 vrf blue
      network 0.0.0.0

PE-ASBR, VRF-aware NAT specific config (interface names are not given on the slide):

    interface <toward the MPLS backbone>
     ip nat inside
    interface <toward the Internet>
     ip nat outside
    !
    ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
    ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
    ip nat inside source list vpn-to-nat pool pool-green vrf green
    ip nat inside source list vpn-to-nat pool pool-blue vrf blue
    !
    ip access-list standard vpn-to-nat
     permit 10.1.1.0 0.0.0.255
    !
    ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
    ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global

MPLS-VPN Services: 7. VRF-Aware NAT Services: Internet Access (Forwarding)

(Diagram, traffic flows: the Green VPN site sends an IP packet Src=10.1.1.1 Dest=Internet; PE11 imposes Label=30 toward the PE-ASBR, which translates it to Src=24.1.1.1 Dest=Internet. The Blue VPN site sends Src=10.1.1.1 Dest=Internet; PE12 imposes Label=40 toward the PE-ASBR, which translates it to Src=25.1.1.1 Dest=Internet.)

PE-ASBR:
- Removes the label from the received MPLS packets per the LFIB
- Performs NAT on the resulting IP packets
- Forwards the packet

NAT table:
  VRF IP Source   Global IP   VRF-table-id
  10.1.1.1        24.1.1.1    green
  10.1.1.1        25.1.1.1    blue

This is also one of the ways to provide Internet access to VPN customers, with or without overlapping addresses.
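The NAT table above, as an added Python model (example code for this page, not Cisco code): the inside key is (VRF, private address), so the two sites that both use 10.1.1.1 receive different global addresses from their per-VRF pools, and the reverse lookup on the outside-to-inside path recovers the VRF to route in. The pools, ACL and VRF names are the slide's; dynamic one-to-one allocation starting at .1 (as in the slide's table) and the absence of port overloading are constructed choices.

```python
"""VRF-aware dynamic NAT table keyed by (VRF, inside address) (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# ip nat pool <name> <start> <end>, bound to a VRF by 'ip nat inside source ... vrf <name>'
POOLS: Dict[str, Tuple[str, str]] = {
    "green": ("24.1.1.0", "24.1.1.254"),
    "blue": ("25.1.1.0", "25.1.1.254"),
}
INSIDE_ACL = ipaddress.ip_network("10.1.1.0/24")   # ip access-list standard vpn-to-nat


class VrfAwareNat:
    def __init__(self) -> None:
        self.inside: Dict[Tuple[str, str], str] = {}    # (vrf, local ip) -> global ip
        self.outside: Dict[str, Tuple[str, str]] = {}   # global ip -> (vrf, local ip)
        # first address handed out is .1, matching the slide's table (constructed choice)
        self._next = {vrf: ipaddress.ip_address(start) + 1 for vrf, (start, _end) in POOLS.items()}

    def _allocate(self, vrf: str) -> str:
        _start, end = POOLS[vrf]
        addr = self._next[vrf]
        if addr > ipaddress.ip_address(end):
            raise RuntimeError(f"NAT pool for VRF {vrf} exhausted")
        self._next[vrf] = addr + 1
        return str(addr)

    def inside_to_outside(self, vrf: str, src: str) -> Optional[str]:
        """Inside->outside (after routing): translate if the VRF has a pool and the ACL permits.
        None means the packet is forwarded untranslated."""
        if vrf not in POOLS or ipaddress.ip_address(src) not in INSIDE_ACL:
            return None
        key = (vrf, src)
        if key not in self.inside:
            global_ip = self._allocate(vrf)
            self.inside[key] = global_ip
            self.outside[global_ip] = key
        return self.inside[key]

    def outside_to_inside(self, dst: str) -> Optional[Tuple[str, str]]:
        """Outside->inside (before routing): global address -> (VRF to route in, private address)."""
        return self.outside.get(dst)

    def table(self) -> List[Tuple[str, str, str]]:
        """Rows as on the slide: (VRF IP source, global IP, VRF-table-id)."""
        return [(local, g, vrf) for (vrf, local), g in self.inside.items()]


if __name__ == "__main__":
    nat = VrfAwareNat()
    nat.inside_to_outside("green", "10.1.1.1")
    nat.inside_to_outside("blue", "10.1.1.1")
    for row in nat.table():
        print(row)
    print(nat.outside_to_inside("25.1.1.1"))
```

The return-path lookup is what makes overlapping customer space safe: a reply to 25.1.1.1 is routed into VRF blue and can never be delivered into VRF green, even though both hold a 10.1.1.1. Pool exhaustion is raised explicitly because a silently untranslated private source would leak into the Internet-facing table.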


What Is Inter-AS?

(Diagram: Provider X (AS #1) with PE-1, RR1 and ASBR1; Provider Y (AS #2) with PE2, RR2 and ASBR2. CE-1 of VPN-A, 149.27.2.0/24, advertises 149.27.2.0/24, NH=CE-1 to PE-1 via BGP, OSPF or RIPv2; PE-1 sends an MP-iBGP update within AS #1; CE2 of VPN-A hangs off PE2 in AS #2.)

Problem: how do Provider X and Provider Y exchange VPN routes?

Inter-AS Deployment Scenarios

(Diagram: PE1 and ASBR1 in AS #1 serving CE1 of VPN-A; PE2 and ASBR2 in AS #2 serving CE2 of VPN-A.)

Options/scenarios for deploying Inter-AS:
1. Back-to-back VRFs
2. MP-eBGP for VPNv4
3. Multihop MP-eBGP between RRs
4. Non-VPN transit provider

2 and 3 are more common and will be discussed. 1 and 4 are in the backup slides.

Scenario 2: MP-eBGP between ASBRs to Exchange VPNv4 Routes

- The new CLI "no bgp default route-target filter" is needed on the ASBRs
- ASBRs exchange VPN routes using eBGP (VPNv4 address family)
- ASBRs store all VPN routes, but only in the BGP table and the LFIB, not in the routing table nor in the CEF table
- ASBRs don't need VRFs to be configured on them
- LDP between them

Scenario 2: MP-eBGP between ASBRs for VPNv4: Control Plane

[Diagram: CE-2 (VPN-B, 10.1.1.0/24) - PE-1 - ASBR-1 | ASBR-2 - PE-2 - CE-3 (VPN-B). Updates shown, in order:
- CE-2 to PE-1 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=CE-2
- PE-1 to ASBR-1 (MP-iBGP update): RD:1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(40)
- ASBR-1 to ASBR-2 (MP-eBGP update): RD:1:27:10.1.1.0/24, NH=ASBR-1, RT=1:1, Label=(20)
- ASBR-2 to PE-2 (MP-iBGP update): RD:1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(30)
- PE-2 to CE-3 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=PE-2]

59

Scenario 2: MP-eBGP between ASBRs for VPNv4: Forwarding Plane

[Diagram: packet for 10.1.1.1 travelling from CE-3 through PE-2, P2, ASBR-2, ASBR-1, P1 and PE-1 to CE-2. Label stacks shown on the figure (top label first):
- PE-2 to P2: 20 30 10.1.1.1
- P2 to ASBR-2: 30 10.1.1.1
- ASBR-2 to ASBR-1: 20 10.1.1.1 (MPLS packets between ASBRs)
- ASBR-1 to P1: 30 40 10.1.1.1
- P1 to PE-1: 40 10.1.1.1
- PE-1 to CE-2: 10.1.1.1]

Pros
- More scalable. Only one interface between the ASBR routers
- No VRF configuration on the ASBR. Less memory consumption (no RIB/FIB memory)
- MPLS label switching between providers
- Still simple, more scalable and works today

Cons
- Automatic route filtering must be disabled, but we can apply BGP filtering
- ASBRs are still required to hold VPN routes

60

Cisco IOS Configuration
Scenario 2: External MP-BGP between ASBRs for VPNv4

[Diagram: PE1 and ASBR1 in AS #1, ASBR2 and PE2 in AS #2, CE-1 and CE-2 in VPN-A. ASBR1 and ASBR2 are connected on 1.1.1.0/30; MP-eBGP for VPNv4 runs between them and labels are exchanged between the ASBRs using MP-eBGP.]

ASBR MP-eBGP configuration:
  router bgp x
   no bgp default route-target filter
   neighbor 1.1.1.x remote-as x
   !
   address-family vpnv4
    neighbor 1.1.1.x activate
    neighbor 1.1.1.x send-community extended

Note: ASBR must already have an MP-iBGP session with iBGP neighbors such as RRs or PEs.

61

Scenario 3: Multihop MP-eBGP between RRs to Exchange VPNv4 Routes

- Exchange VPNv4 prefixes via the Route Reflectors; requires multihop MP-eBGP (with next-hop-unchanged)
- Exchange IPv4 routes with labels between directly connected ASBRs using eBGP; only PE loopback addresses need to be exchanged (they are the BGP next-hop addresses of the VPN routes)

62

Scenario 3: Multihop MP-eBGP between RRs for VPN Routes: Control Plane

[Diagram: AS#1 with PE-1, RR-1 and ASBR-1; AS#2 with ASBR-2, RR-2 and PE-2; CE-2 (VPN-B, 10.1.1.0/24) on PE-1, CE-3 (VPN-B) on PE-2. Updates shown:
- CE-2 to PE-1 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=CE-2
- PE-1 to RR-1 (VPNv4 update): RD:1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(90)
- RR-1 to RR-2 (VPNv4 update over multihop MP-eBGP): RD:1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(90)
- RR-2 to PE-2 (VPNv4 update): RD:1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(90)
- AS#1 IGP+LDP: Network=PE-1, NH=PE-1, Label=(40)
- ASBR-1 to ASBR-2 (IPv4 update with label): Network=PE-1, NH=ASBR-1, Label=(20)
- AS#2 IGP+LDP: Network=PE-1, NH=ASBR-2, Label=(30)
- PE-2 to CE-3 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=PE-2]

Note: Instead of IGP+Label, iBGP+Label can be used to exchange PE routes/labels. Please see Scenario#5 on slide#49 and 50.

63

Scenario 3: Multihop MP-eBGP between RRs for VPN Routes: Forwarding Plane

[Diagram: packet for 10.1.1.1 travelling from CE-3 through PE-2, P2, ASBR-2, ASBR-1, P1 and PE-1 to CE-2; RR-1 and RR-2 are off the forwarding path. Label stacks shown on the figure (top label first):
- PE-2 to P2: 50 90 10.1.1.1
- P2 to ASBR-2: 30 90 10.1.1.1
- ASBR-2 to ASBR-1: 20 90 10.1.1.1
- ASBR-1 to P1: 40 90 10.1.1.1
- P1 to PE-1: 90 10.1.1.1
- PE-1 to CE-2: 10.1.1.1]

Note: Instead of IGP+Label, iBGP+Label can be used to exchange PE routes/labels.

64

Scenario 3: Pros/Cons

Pros
- More scalable than Scenario 1 and 2. Separation of control and forwarding planes
- Route Reflectors exchange VPNv4 routes+labels; RRs hold the VPNv4 information anyway
- ASBRs now exchange only IPv4 routes+labels; ASBR forwards MPLS packets

Cons
- Advertising PE addresses to another AS may not be acceptable to some providers

65

Cisco IOS Configuration
Scenario 3: Multihop MP-eBGP between RRs for VPNv4

[Diagram: RR-1, PE1, ASBR-1 and CE-1 in AS #1; ASBR-2, RR-2, PE2 and CE-2 in AS #2; CE-1 and CE-2 in VPN-A. Multihop MP-eBGP for VPNv4 with next-hop-unchanged between RR-1 and RR-2; eBGP IPv4 + labels between ASBR-1 and ASBR-2.]

RR configuration:
  router bgp x
   neighbor <RR-x> remote-as x
   neighbor <RR-x> ebgp-multihop
   neighbor <RR-x> update-source Loopback0
   !
   address-family vpnv4
    neighbor <RR-x> activate
    neighbor <RR-x> send-community extended
    neighbor <RR-x> next-hop-unchanged

ASBR configuration:
  router ospf x
   redistribute bgp 1 subnets
  !
  router bgp x
   neighbor <ASBR-x> remote-as x
   !
   address-family ipv4
    network <PEx> mask 255.255.255.255
    network <RRx> mask 255.255.255.255
    neighbor <ASBR-x> activate
    neighbor <ASBR-x> send-label

iBGP IPv4+label could also be used within each AS (instead of network <x.x.x.x>) to propagate the label information for the PEs.

66

Inter-AS Deployment Guidelines

1. Use ASN in the Route-target, i.e. ASN:xxxx
2. Max-prefix limit (both BGP and VRF) on PEs
3. Security (BGP MD5, BGP filtering, BGP max-prefix etc.) on ASBRs
4. End-to-end QoS agreement on ASBRs
5. Route-Target rewrite on ASBR
6. Internet connectivity on the same ASBR ??

67


Carrier Supporting Carriers: CsC

- Benefits of CsC
- What do I need to do to enable CsC?
- Deployment models
- Security in CsC
- Deployment guideline
- Deployment scenarios

69

MPLS/VPN Networks without CsC

A large number of VPN routes at the PE may pose limitations to the PE:
- Unwanted routing updates in the carrier's network => CPU+memory
- Label/prefix consumption at the PE => memory
- Scalability issue at the PE

70

MPLS/VPN Networks without CsC

- The number of VPN routes is one of the biggest limiting factors in scaling the PE router; a few SPs are running into this scaling limitation.
- If the number of VPN routes can be reduced somehow (without losing the functionality), then the existing investment can be protected: the same PE can still be used to connect more VPN customers.
- Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes in each VRF by enabling MPLS on the PE-CE link.

71

Benefits of CsC

- Provide transport for ISPs ($): no need to manage external routes from ISPs
- Build an MPLS Internet Exchange (MPLS-IX) ($$): media independence (POS/FDDI/PPP possible), higher speeds such as OC192 or more, operational benefits
- Sell VPN service to subsidiary companies that provide VPN service ($)

72

What Do I Need to Enable CsC?

1. Build an MPLS-VPN enabled carrier's network
2. Connect ISP/SP sites (or PoPs) to the carrier's PEs
3. Exchange internal routes + labels between the carrier's PE and the ISP/SP's CE
4. Exchange external routes directly between ISP/SP sites

73

CsC Deployment Models

[Diagram: Carrier's MPLS core with PE1, P1 and PE2 (MP-iBGP for VPNv4 between the PEs, IGP+LDP in the core). ISP PoP Site-1 (CE-1, ASBR-1, R1) and ISP PoP Site-2 (CE-2, C1, ASBR-2, R2) attach to PE1 and PE2 over MPLS-enabled VRF interfaces, exchanging IPv4 routes with label distribution on the PE-CE link. The ISP sites run a full-mesh iBGP for external routes; internal routes = IGP routes, ISP customers = external routes; ASBR-1 and ASBR-2 connect to the Internet.]

74

CsC Deployment Models

1. Customer-ISP not running MPLS
2. Customer-ISP running MPLS
3. Customer-ISP running MPLS-VPN

Models 1 and 2 are less common deployments. Model 3 will be discussed in detail.

75

CsC: ISP Sites Are Running MPLS-VPN (Hierarchical MPLS-VPN): Control Plane

[Diagram: Carrier's core PE1 - P1 - PE2; ISP PoP Site-1 (CE-1, ASBR_PE-1 = 30.1.61.25/32) on PE1; ISP PoP Site-2 (CE-2, C1, ASBR_PE-2) on PE2; VPN Site-1 (R1, network 10.1.1.0/24) behind ASBR_PE-1 and VPN Site-2 (R2) behind ASBR_PE-2. Updates shown:
- ASBR_PE-1 to CE-1 (IGP+LDP): 30.1.61.25/32, Label = pop
- CE-1 to PE1: 30.1.61.25/32, NH=CE-1, Label = 50
- PE1 to PE2 (MP-iBGP update): 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51
- PE1 to P1 (IGP+LDP): Net=PE-1, Label = pop
- P1 to PE2 (IGP+LDP): Net=PE-1, Label = 16
- PE2 to CE-2: 30.1.61.25/32, NH=PE-2, Label = 52
- CE-2 to C1 (IGP+LDP): 30.1.61.25/32, NH=CE-2, Label=60
- C1 to ASBR_PE-2 (IGP+LDP): 30.1.61.25/32, NH=C1, Label=70
- R1 to ASBR_PE-1: 10.1.1.0/24, NH=R1
- ASBR_PE-1 to ASBR_PE-2 (MP-iBGP update): 1:1:10.1.1.0/24, RT=1:1, NH=30.1.61.25/32, Label = 90
- ASBR_PE-2 to R2: 10.1.1.0/24, NH=ASBR_PE-2]

76

CsC: ISP Sites Are Running MPLS-VPN (Hierarchical MPLS-VPN): Forwarding Plane

[Diagram: packet for 10.1.1.1 travelling from R2 (VPN Site-2) to R1 (VPN Site-1, network 10.1.1.0/24) through ASBR-2, C1, CE-2, PE2, P1, PE1, CE-1 and ASBR-1 (the ASBR_PE-2 and ASBR_PE-1 of the previous slide). Label stacks shown on the figure (top label first):
- ASBR-2 to C1: 70 90 10.1.1.1
- C1 to CE-2: 60 90 10.1.1.1
- CE-2 to PE2: 52 90 10.1.1.1
- PE2 to P1: 16 51 90 10.1.1.1
- P1 to PE1: 51 90 10.1.1.1
- PE1 to CE-1: 50 90 10.1.1.1
- CE-1 to ASBR-1: 90 10.1.1.1
- ASBR-1 to R1: 10.1.1.1]

77

Security Mechanism in CsC

- BGP/LDP MD5 on PE-CE
- To prevent label spoofing, the PE maintains a Label <=> VRF table association and checks during the LFIB lookup that the received packet's label is what was allocated; if the check fails, the packet is dropped.

78
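To tie the forwarding-plane slide and the label check together, here is a small Python replay of the hierarchical path, added as an illustration and not code from the presentation or from IOS. Each router holds an LFIB that swaps, pushes or pops labels exactly as the figure's stacks show (ASBR_PE-2 pushes 70 and 90, the carrier PE2 swaps 52 for 51 and pushes 16, P1 pops 16, CE-1 pops 50, ASBR_PE-1 pops 90), and the carrier PE applies the Label <=> VRF association from the security slide: a label arriving from a neighbor on a VRF interface is forwarded only if the PE allocated that label for that VRF. The label values and router names are the slides'; the VRF name "isp", the extra label 53 standing for a label that belongs to a different VRF on PE2, and the packet walk itself are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

POP: List[int] = []  # an empty out-label list in an LFIB entry means "pop the top label"


class Router:
    """One hop: an IP FIB for unlabelled packets and an LFIB for labelled ones.
    A carrier PE additionally records which VRF each label it handed out
    belongs to, and which neighbors sit on VRF interfaces."""

    def __init__(self, name: str):
        self.name = name
        self.fib: Dict[str, Tuple[List[int], str]] = {}   # prefix -> (labels to push, next hop)
        self.lfib: Dict[int, Tuple[List[int], str]] = {}  # in label -> (labels replacing it, next hop)
        self.label_vrf: Dict[int, str] = {}               # label -> VRF it was allocated for
        self.vrf_neighbor: Dict[str, str] = {}            # neighbor -> VRF of its interface

    def forward(self, stack: List[int], dst: str, prev: Optional[str]) -> Optional[Tuple[List[int], str]]:
        """Return (outgoing stack, next hop), or None when the packet is dropped."""
        if not stack:
            for prefix, (push, nh) in self.fib.items():
                if ip_address(dst) in ip_network(prefix):
                    return list(push), nh
            return None
        top = stack[0]
        if prev in self.vrf_neighbor:
            # CsC check: a label received on a VRF interface must be one this
            # PE allocated for that VRF. A core label or another VRF's label
            # fails the check and the packet is dropped before any LFIB action.
            if self.label_vrf.get(top) != self.vrf_neighbor[prev]:
                return None
        entry = self.lfib.get(top)
        if entry is None:
            return None
        out, nh = entry
        return list(out) + stack[1:], nh


def build_topology() -> Dict[str, Router]:
    """LFIB/FIB contents that reproduce the slide's label stacks. R1 and R2 are
    the VPN site routers and are not modelled; a walk ends when it reaches them."""
    r = {n: Router(n) for n in
         ["ASBR_PE-2", "C1", "CE-2", "PE2", "P1", "PE1", "CE-1", "ASBR_PE-1"]}
    # ISP PoP Site-2: VPN label 90 from ASBR_PE-1 (BGP next hop 30.1.61.25),
    # IGP+LDP label 70 for 30.1.61.25/32 learned from C1
    r["ASBR_PE-2"].fib["10.1.1.0/24"] = ([70, 90], "C1")
    r["C1"].lfib[70] = ([60], "CE-2")          # 60 learned from CE-2
    r["CE-2"].lfib[60] = ([52], "PE2")         # 52 learned from PE2 over the VRF interface
    # Carrier PE2: 52 was allocated in the ISP's VRF (name "isp" is constructed);
    # swap to the VPNv4 label 51 from PE1 and push the core label 16 towards P1
    pe2 = r["PE2"]
    pe2.lfib[52] = ([16, 51], "P1")
    pe2.label_vrf[52] = "isp"
    pe2.vrf_neighbor["CE-2"] = "isp"
    pe2.label_vrf[53] = "other-vrf"            # constructed: a label of some other VRF on PE2
    r["P1"].lfib[16] = (POP, "PE1")            # penultimate hop pop (PE1 advertised Label = pop)
    pe1 = r["PE1"]
    pe1.lfib[51] = ([50], "CE-1")              # 50 learned from CE-1 over the VRF interface
    pe1.vrf_neighbor["CE-1"] = "isp"
    r["CE-1"].lfib[50] = (POP, "ASBR_PE-1")    # ASBR_PE-1 advertised Label = pop
    r["ASBR_PE-1"].lfib[90] = (POP, "R1")      # VPN label 90: the route in the VRF points at R1
    return r


def trace(routers: Dict[str, Router], first: str, dst: str,
          stack: Optional[List[int]] = None, prev: Optional[str] = None) -> List[Tuple[str, Optional[List[int]], str]]:
    """Walk a packet hop by hop. Each entry is (router, stack after forwarding,
    next hop); a dropped packet ends the walk with (router, None, 'DROP')."""
    hops: List[Tuple[str, Optional[List[int]], str]] = []
    node, cur = first, list(stack or [])
    while node in routers:
        res = routers[node].forward(cur, dst, prev)
        if res is None:
            hops.append((node, None, "DROP"))
            break
        cur, nh = res
        hops.append((node, cur, nh))
        prev, node = node, nh
    return hops


if __name__ == "__main__":
    topo = build_topology()
    for hop in trace(topo, "ASBR_PE-2", "10.1.1.1", prev="R2"):
        print(hop)
    # CE-2 sending the core label 16 straight into the carrier PE is dropped
    print(trace(topo, "PE2", "10.1.1.1", stack=[16, 90], prev="CE-2"))
```

The check is deliberately placed before the LFIB lookup: a forged top label that happens to exist in the PE's LFIB (the core label 16, or a label allocated to a different VRF) is still refused, because the only question asked is whether that label was allocated on the VRF the packet arrived on.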

CsC Deployment Guideline

Two choices for deploying CsC:
1. IGP+LDP on the PE-CE, or
2. eBGP IPv4 + label on the PE-CE (RFC 3107)

Choice selection is driven by the choice of routing protocol on the PE-CE. The CE has to run MPLS-aware code.

79

CsC: IOS Commands/Configs
Choice 1: What All You Need to Configure?

Choice 1: Enable LDP on the PE-CE (IGP+LDP on the VRF interface between PE-1 and CE-1).

PE1:
  interface Serial0/0
   ip vrf forwarding green
   mpls ip
   mpls label protocol ldp

CE1:
  interface Serial0/0
   mpls ip
   mpls label protocol ldp

Verification on the PE:
  show mpls interfaces [vrf <name> | all]
  show mpls ldp discovery [vrf <name> | all]
  show mpls ldp bindings vrf <name>
  show mpls ip binding vrf <name>
  show mpls ldp neighbor [vrf <name> | all]
  show mpls forwarding-table [vrf <name>]

Verification on the CE:
  show mpls interfaces
  show mpls ldp discovery
  show mpls ldp bindings
  show mpls ldp neighbor
  show mpls forwarding-table

80

CsC: IOS Commands/Configs
Choice 2: What All You Need to Configure?

Choice 2: Enable eBGP+label on the PE-CE (eBGP+label on the VRF interface between PE-1 and CE-1).

PE1:
  router bgp 1
   address-family ipv4 vrf green
    neighbor 200.1.61.6 remote-as 2
    neighbor 200.1.61.6 activate
    neighbor 200.1.61.6 send-label

CE1:
  router bgp 2
   neighbor 200.1.61.5 remote-as 1
   neighbor 200.1.61.5 send-label

1. No IGP needed on the PE-CE
2. No LDP needed on the PE-CE

81

IOS Commands/Configs
Choice 2: eBGP+label on the PE-CE

On the PE:
  show ip bgp vpnv4 vrf <vrf> neighbors
  show ip bgp vpnv4 vrf <vrf> labels
  show mpls forwarding-table vrf <vrf>

On the CE:
  show ip bgp neighbors
  show ip bgp labels
  show mpls forwarding-table

82


Best Practices

1. Use RRs to scale BGP.
2. Deploy RRs in pairs for redundancy.
3. Keep RRs out of the forwarding paths and disable CEF (saves memory).
4. Consider a unique RD per VRF per PE, if load sharing of VPN traffic is required.
5. RT and RD should have the ASN in them, i.e. ASN:X. Reserve the first few hundreds of X for internal purposes such as filtering.
6. Don't use customer names as the VRF names; a nightmare for the NOC. Use a simple combination of numbers and characters in the VRF name, for example v101, v102, v201, v202 etc. Use description.
7. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor: max-prefix within the VRF configuration, and max-prefix per neighbor within the BGP VRF address family (if BGP on the PE-CE).

84
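Best practice 4 (unique RD per VRF per PE) is easiest to see with the route reflector's selection modelled explicitly, so here is an added Python illustration, not code from the presentation or from IOS. A VPNv4 NLRI is RD plus prefix: when two PEs announce a dual-homed site with the same RD, the RR keeps one best path and every other PE sees a single next hop; with distinct RDs there are two NLRIs, both get reflected, and the remote PE has two next hops to share load over. The block also models best practice 7, the per-VRF maximum-routes limit. The RDs in ASN:X form, the PE loopbacks, the prefix and the RT are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VpnPath:
    rd: str
    prefix: str
    next_hop: str   # loopback of the advertising PE
    rt: str


def reflect(paths: List[VpnPath]) -> List[VpnPath]:
    """Route reflector: one best path per VPNv4 NLRI, where the NLRI is (RD, prefix).
    All other attributes are equal here, so the tie-break is the lowest next hop,
    standing in for the BGP router-id step."""
    best: Dict[Tuple[str, str], VpnPath] = {}
    for p in paths:
        key = (p.rd, p.prefix)
        if key not in best or p.next_hop < best[key].next_hop:
            best[key] = p
    return list(best.values())


def remote_pe_next_hops(reflected: List[VpnPath], import_rt: str, prefix: str) -> List[str]:
    """Remote PE: import by RT; the distinct next hops left for the prefix are
    the candidates for load sharing."""
    return sorted({p.next_hop for p in reflected if p.rt == import_rt and p.prefix == prefix})


def dual_homed_site(rd_pe1: str, rd_pe2: str) -> List[VpnPath]:
    """Site 10.1.1.0/24 announced by PE-1 (10.0.0.1) and PE-2 (10.0.0.2).
    RDs and RT follow the ASN:X form of best practice 5; ASN 65000 is constructed."""
    return [VpnPath(rd_pe1, "10.1.1.0/24", "10.0.0.1", "65000:100"),
            VpnPath(rd_pe2, "10.1.1.0/24", "10.0.0.2", "65000:100")]


def load_sharing_next_hops(unique_rd: bool) -> List[str]:
    """Next hops the remote PE ends up with for the dual-homed site."""
    rds = ("65000:1001", "65000:1002") if unique_rd else ("65000:100", "65000:100")
    return remote_pe_next_hops(reflect(dual_homed_site(*rds)), "65000:100", "10.1.1.0/24")


def vrf_install(prefixes: List[str], maximum: int) -> Tuple[List[str], List[str]]:
    """'maximum routes' in the VRF: prefixes beyond the limit are not installed
    (IOS logs a warning; this model simply reports them as rejected)."""
    return prefixes[:maximum], prefixes[maximum:]


if __name__ == "__main__":
    print("same RD:  ", load_sharing_next_hops(False))   # one next hop only
    print("unique RD:", load_sharing_next_hops(True))    # both PEs
    print(vrf_install(["10.1.%d.0/24" % i for i in range(1, 7)], 5))
```

The same collapse happens without an RR when a PE receives both paths directly but uses the same RD; the RR case is the common one because the RR's single best-path choice hides the second PE from everybody downstream.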

Conclusion

- MPLS VPN is a cheaper alternative to traditional L2VPN
- MPLS-VPN paves the way for new revenue streams; VPN customers could outsource their Layer 3 to the provider
- Straightforward to configure an any-to-any VPN topology; partial-mesh and hub&spoke topologies can also be easily deployed
- CsC and Inter-AS could be used to expand into new markets
- VRF-aware services could be deployed to maximize the investment

85

Complete Your Online Session Evaluation!

WHAT: Complete an online session evaluation and your name will be entered into a daily drawing
WHY: Win fabulous prizes! Give us your feedback!
WHERE: Go to the Internet stations located throughout the Convention Center
HOW: Winners will be posted on the onsite Networkers Website; four winners per day
http://www.networkers04.com/desktop

86

Q&A

Thanks for your time.

Eval: http://www.networkers04.com/desktop

87


BACK UP SLIDES

89

Scenario 1: Back-to-back VRF: Control Plane

[Diagram: CE-2 (VPN-B, 10.1.1.0/24) - PE-1 - ASBR-1 | ASBR-2 - PE-2 - CE-3 (VPN-B). Both ASBRs hold a VPN-B VRF that imports routes with route-target 1:1; VRF to VRF connectivity between the ASBRs. Updates shown:
- CE-2 to PE-1 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=CE-2
- PE-1 to ASBR-1 (VPNv4 update): RD:1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(29)
- Between ASBR-1 and ASBR-2 (BGP, OSPF, RIPv2 inside the VRF): 10.1.1.0/24, NH=ASBR-2
- ASBR-2 to PE-2 (VPNv4 update): RD:1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(92)
- PE-2 to CE-3 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=PE-2]

90

Scenario 1: Back-to-back VRF: Forwarding Plane

[Diagram: packet for 10.1.1.1 travelling from CE-3 through PE-2, P2, ASBR-2, ASBR-1, P1 and PE-1 to CE-2. Label stacks shown on the figure (top label first):
- PE-2 to P2: 20 92 10.1.1.1
- P2 to ASBR-2: 92 10.1.1.1
- ASBR-2 to ASBR-1: 10.1.1.1 (IP packets between ASBRs)
- ASBR-1 to P1: 30 29 10.1.1.1
- P1 to PE-1: 29 10.1.1.1
- PE-1 to CE-2: 10.1.1.1]

Pros
- Per-customer QoS is possible
- It is simple and elegant since there is no need to load the Inter-AS code (but still not widely deployed)

Cons
- Not scalable. The number of interfaces on both ASBRs is directly proportional to the number of VRFs
- No end-to-end MPLS
- Unnecessary memory consumed in RIB/(L)FIB
- Dual-homing of the ASBR makes provisioning worse

91

Cisco IOS Configuration
Scenario 1: Back-to-Back VRF between ASBRs

[Diagram: PE1 and ASBR1 in AS #1, ASBR2 and PE2 in AS #2, CE-1 and CE-2 in VPN-A. ASBR1 and ASBR2 are connected on 1.1.1.0/30; VRF routes are exchanged via any routing protocol.]

ASBR VRF and BGP configuration:
  ip vrf green
   rd 1:1
   route-target both 1:1
  !
  router bgp x
   address-family ipv4 vrf green
    neighbor 1.1.1.x remote-as x
    neighbor 1.1.1.x activate

Note: ASBR must already have an MP-iBGP session with iBGP neighbors such as RRs or PEs.

92

IOS Configuration
Scenario 2.5: Multi-Hop MP-eBGP for VPNv4

[Diagram: PE1 and ASBR1 in AS #1, ASBR2 and PE2 in AS #2, CE-1 and CE-2 in VPN-A. IGP and LDP run on the ASBR1-ASBR2 link; a multi-hop MP-BGP session for VPNv4 runs between the ASBRs.]

ASBR configuration:
  interface Serial0
   ip address 1.1.1.x 255.255.255.252
   mpls ip
   mpls label protocol ldp
  !
  router bgp x
   no bgp default route-target filter
   neighbor <ASBR-x> remote-as x
   neighbor <ASBR-x> update-source Loopback0
   neighbor <ASBR-x> ebgp-multihop
   !
   address-family vpnv4
    neighbor <ASBR-x> activate
    neighbor <ASBR-x> send-community extended

93

Scenario 4: Non-VPN Transit Provider

- Two MPLS VPN providers may exchange routes via one or more transit providers, which may be non-VPN transit backbones just running MPLS
- Multihop MP-eBGP deployed between the edge providers, with the exchange of BGP next-hops via the transit provider

94

Option 4: Non-VPN Transit Provider

[Diagram: MPLS VPN Provider #1 (PE1, RR-1, ASBR-1; CE-2 in VPN-B) and MPLS VPN Provider #2 (PE2, RR-2, ASBR-2; CE-3 in VPN-B) connected through a Non-VPN MPLS Transit Backbone (ASBR-3, ASBR-4). Inside each provider: iBGP IPv4 + labels. Between ASBR-1/ASBR-3 and ASBR-4/ASBR-2: eBGP IPv4 + labels. Between the providers' RRs: multihop MP-eBGP (or MP-iBGP) for VPNv4 with next-hop-unchanged.]

95

Route-Target Rewrite at ASBR

- The ASBR can add/delete the route-target associated with a VPNv4 prefix
- Secures the VPN environment

  ASBR(config)#router bgp 1000
  ASBR(config-router)#neighbor 1.1.1.1 route-map route-target-delete out
  ASBR(config-router)#exit
  ASBR(config)#route-map route-target-delete permit 10
  ASBR(config-route-map)#match extcommunity 101
  ASBR(config-route-map)#set extcomm-list 101 delete
  ASBR(config-route-map)#set extcommunity rt 123:123 additive
  ASBR(config-route-map)#exit
  ASBR(config)#ip extcommunity-list 101 permit rt 100:100

96
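Two ASBR behaviours from this section, the disabled automatic route-target filter of Scenario 2 and the route-target rewrite shown just above, are easy to get subtly wrong, so here they are modelled in Python as an added illustration, not code from the presentation or from IOS. The model keeps routes on an ASBR that has no VRFs only when the default filter is off, then runs the slide's outbound route-map (match extcommunity 101, delete the matched RTs, add 123:123 additive) with IOS route-map semantics, where a route that matches no clause is denied. The RT values 100:100 and 123:123 and the list number 101 are from the slide; the sample VPNv4 routes, their RDs and the extra RTs 100:200 and 100:300 are constructed.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    next_hop: str
    label: int
    rts: FrozenSet[str]  # route-target extended communities


def automatic_rt_filter(routes: Iterable[VpnRoute], local_import_rts: Set[str], enabled: bool) -> List[VpnRoute]:
    """Default behaviour: a router keeps only VPNv4 routes carrying an RT that one
    of its VRFs imports. 'no bgp default route-target filter' turns this off,
    which an ASBR without VRFs needs, or it would keep nothing."""
    if not enabled:
        return list(routes)
    return [r for r in routes if r.rts & local_import_rts]


@dataclass(frozen=True)
class ExtcommunityList:
    """ip extcommunity-list <number> permit rt <value> ... (permit entries only)."""
    number: int
    permit: FrozenSet[str]

    def matches(self, route: VpnRoute) -> bool:
        return bool(route.rts & self.permit)


@dataclass(frozen=True)
class Clause:
    """One route-map sequence. match=None matches every route."""
    permit: bool
    match: Optional[ExtcommunityList]
    delete_list: Optional[ExtcommunityList] = None   # set extcomm-list <n> delete
    add_rts: FrozenSet[str] = frozenset()            # set extcommunity rt <x> additive


def apply_route_map(clauses: List[Clause], route: VpnRoute) -> Optional[VpnRoute]:
    """First matching clause wins; no matching clause means the route is denied."""
    for c in clauses:
        if c.match is not None and not c.match.matches(route):
            continue
        if not c.permit:
            return None
        rts = set(route.rts)
        if c.delete_list is not None:
            rts -= c.delete_list.permit
        rts |= c.add_rts
        return replace(route, rts=frozenset(rts))
    return None


def asbr_export(routes: Iterable[VpnRoute], local_import_rts: Set[str],
                rt_filter_enabled: bool, clauses: List[Clause]) -> List[VpnRoute]:
    """What the ASBR advertises to its MP-eBGP neighbor."""
    exported = []
    for r in automatic_rt_filter(routes, local_import_rts, rt_filter_enabled):
        out = apply_route_map(clauses, r)
        if out is not None:
            exported.append(out)
    return exported


LIST_101 = ExtcommunityList(101, frozenset({"100:100"}))


def slide_route_map() -> List[Clause]:
    """route-map route-target-delete permit 10, exactly as on the slide."""
    return [Clause(True, LIST_101, delete_list=LIST_101, add_rts=frozenset({"123:123"}))]


def slide_route_map_with_passthrough() -> List[Clause]:
    """Same, plus a trailing permit clause with no match so unrelated routes survive."""
    return slide_route_map() + [Clause(True, None)]


def sample_routes() -> List[VpnRoute]:
    """Constructed VPNv4 routes as an ASBR without VRFs would receive them."""
    return [
        VpnRoute("1:27", "10.1.1.0/24", "PE-1", 40, frozenset({"100:100"})),
        VpnRoute("1:28", "10.2.2.0/24", "PE-1", 41, frozenset({"100:200"})),
        VpnRoute("1:29", "10.3.3.0/24", "PE-1", 42, frozenset({"100:100", "100:300"})),
    ]


if __name__ == "__main__":
    no_vrfs: Set[str] = set()
    print(asbr_export(sample_routes(), no_vrfs, True, slide_route_map()))   # []: filtered away
    for r in asbr_export(sample_routes(), no_vrfs, False, slide_route_map()):
        print(r.prefix, sorted(r.rts))
```

Run as is, the single-clause route-map from the slide only lets through routes that carry 100:100 and drops every other VPNv4 route sent to that neighbor, which is fine as a deliberate export filter but a surprise otherwise; the passthrough variant shows the extra permit clause needed when the rewrite is meant to be selective rather than restrictive.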
