SESSION RST-2602
RST-2602 9908_06_2004_X2
Agenda

- MPLS VPN Definition?
- Technology Configuration
- MPLS-VPN Services:
  - Providing load-shared traffic to the multihomed VPN sites
  - Providing Hub & Spoke service to the VPN customers
  - Providing MPLS VPN Extranet service
  - Providing Internet access service to VPN customers
  - Providing VRF-selection based services
  - Providing Remote Access MPLS VPN
  - Providing VRF-aware NAT services
- Best Practices
- Conclusion
Prerequisites

- Must understand basic IP routing, especially BGP
- Must understand MPLS basics (push, pop, swap, label stacking)
- Must finish the evaluation: http://www.networkers04.com/desktop
Terminology:

- LSR: Label Switch Router
- LSP: Label Switched Path, the chain of labels that are swapped at each hop to get from one LSR to another
- VRF: VPN Routing and Forwarding instance
- MP-BGP: Multiprotocol BGP
- PE: Provider Edge router
- P: Provider (core) router
- VPNv4: VPN-IPv4 address family (RD + IPv4 prefix)
- RD: Route Distinguisher
- RT: Route Target, an Extended Community attribute used to control import and export policies of VPN routes
- LFIB: Label Forwarding Information Base
- FIB: Forwarding Information Base
PE routers (Edge Routers)

- Use MPLS with P routers
- Use IP with CE routers
- Connect to both CE and P routers
- Distribute VPN information through MP-BGP to other PE routers with VPN-IPv4 addresses, Extended Community, Label
2004 Cisco Systems, Inc. All rights reserved.
P Routers

- P routers are in the core of the MPLS cloud
- P routers do not need to run BGP and do not need any VPN knowledge
- Forward packets by looking at labels
- P and PE routers share a common IGP

Global routing table

- Populated by the MPLS backbone IGP
- In PE routers, may also contain the BGP Internet routes (standard IPv4 routes)
VRF (e.g. VRF blue)

- Has its own routing table and forwarding table (CEF)
- Has its own instance of the routing protocol (static, RIP, BGP, EIGRP, OSPF)
- PE-CE routing: eBGP, OSPF, RIPv2, static
- PE installs the routes learned from CE routers in the appropriate VRF routing table(s)
- PE installs the IGP (backbone) routes in the global routing table
MP-iBGP update carries RD, RT and Label (RD: Route Distinguisher; RD 1:1 turns the IPv4 route into a VPNv4 route)
VPNv4 address

- To convert an IPv4 address into a VPNv4 address, the RD is prefixed to the IPv4 address, e.g. 1:1:10.1.1.0
- This makes the customer's IPv4 route globally unique
- Each VRF must be configured with an RD at the PE; the RD is what defines the VRF

  !
  ip vrf v1
   rd 1:1
  !
[Figure: VPNv4 route = RD 1:1 + IPv4 prefix, carried in the MP-iBGP update together with a Route-Target and a VPN label (50)]
[Figure: route advertisement from Site 2 (CE2) through PE2 across the MPLS backbone to PE1: 10.1.1.0/24, Next-Hop=PE-2]

4) PE2 receives the update and checks whether RT=green is locally configured within any VRF; if yes, then
5) PE2 translates the VPNv4 prefix back into an IPv4 prefix and installs the prefix into the VRF routing table
[Figure: a packet from Site 2 (CE2) to 10.1.1.1 crosses PE2, P and PE1; label values 100, 50 and 25 appear on the label stacks in the figure]

- PE2 imposes TWO labels for each packet going to the VPN destination 10.1.1.1
- The top label is LDP-learned and derived from an IGP route; it represents the LSP to the PE address (the exit point of the VPN route)
- The second label is learned via MP-BGP and corresponds to the VPN address
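To make the two-label forwarding concrete, here is an added Python model (not part of the deck) that walks a packet from the ingress PE through a P router performing penultimate-hop popping to the egress PE, which selects the VRF from the VPN label alone. Router names follow the slide; the label values 100 and 25, the VRF name VPN-A and the interface Serial0 are constructed.

```python
"""Trace a VPN packet through the two-label MPLS VPN forwarding path.

Constructed example: PE2 (ingress) -> P -> PE1 (egress, owns VRF VPN-A with
10.1.1.0/24 behind the CE).  Label values are invented for illustration.
"""
import ipaddress

VPN_LABEL = 25    # label PE1 advertised via MP-BGP for 10.1.1.0/24 in VPN-A
IGP_LABEL = 100   # LDP label P advertised to PE2 for PE1's loopback (the LSP to PE1)

# Ingress PE2: the VRF FIB yields egress PE + VPN label, the global FIB the IGP label.
VRF_FIB_PE2 = {"VPN-A": {"10.1.1.0/24": ("PE1", VPN_LABEL)}}
GLOBAL_FIB_PE2 = {"PE1": IGP_LABEL}

# LFIBs: incoming top label -> (action, outgoing label, next hop).
# P pops the top label (penultimate-hop popping, PE1 advertised implicit-null);
# PE1 maps the VPN label to a VRF and CE-facing interface without reading the IP header.
LFIB = {
    "P":   {IGP_LABEL: ("pop", None, "PE1")},
    "PE1": {VPN_LABEL: ("pop", None, "vrf:VPN-A/Serial0")},
}


def longest_match(fib: dict, dst: str):
    """Plain longest-prefix match over a {prefix: entry} table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    return None if best is None else best[1]


def impose_labels(vrf: str, dst: str):
    """PE2 pushes two labels: the IGP/LDP label on top, the VPN label underneath."""
    hit = longest_match(VRF_FIB_PE2[vrf], dst)
    if hit is None:
        return None
    egress_pe, vpn_label = hit
    return [GLOBAL_FIB_PE2[egress_pe], vpn_label]


def forward(vrf: str, dst: str):
    """Return ([(router, label stack on arrival), ...], final disposition)."""
    stack = impose_labels(vrf, dst)
    if stack is None:
        return [], "dropped at PE2: no route in VRF " + vrf
    trace = [("PE2", list(stack))]
    router = "P"
    while True:
        trace.append((router, list(stack)))
        entry = LFIB[router].get(stack[0]) if stack else None
        if entry is None:
            return trace, f"dropped at {router}: no LFIB entry"
        action, out_label, nh = entry
        if action == "swap":
            stack[0] = out_label
        else:
            stack.pop(0)
        if nh.startswith("vrf:"):
            # Only the egress PE ever consults a VRF; P saw nothing but labels.
            return trace, f"delivered to {dst} via {nh[4:]}"
        router = nh


if __name__ == "__main__":
    for hop in forward("VPN-A", "10.1.1.1")[0]:
        print(hop)
```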
PE-P Configuration

[Figure: PE1 interface Se0 connected to P interface s1]
MP-iBGP configuration (PE1, PE2 and RR)

PE1 (vpnv4 address family):
  address-family vpnv4
   neighbor 1.2.3.4 activate
   neighbor 1.2.3.4 send-community both

RR:
  router bgp 1
   no bgp default route-target filter
   neighbor 1.2.3.6 remote-as 1
   neighbor 1.2.3.6 update-source loopback0
PE-CE routing: BGP (Site 1, 10.1.1.0/24; CE1 192.168.10.2, PE1 192.168.10.1)

PE1:
  router bgp 1
   !
   address-family ipv4 vrf VPN-A
    neighbor 192.168.10.2 remote-as 2
    neighbor 192.168.10.2 activate
   exit-address-family
   !

PE-CE routing: OSPF

PE1:
  router ospf 1
  !
  router ospf 2 vrf VPN-A
   network 192.168.10.0 0.0.0.255 area 0
  !
PE-CE routing: RIP, EIGRP, Static (Site 1, 10.1.1.0/24; CE1 192.168.10.2, PE1 192.168.10.1)

RIP on PE1:
  router rip
   address-family ipv4 vrf VPN-A
    version 2
    redistribute bgp 1 metric 1
    no auto-summary
    network 192.168.10.0
   exit-address-family

EIGRP on PE1:
  router eigrp 1

If the PE-CE protocol is not BGP, redistribution of the other sites' VPN routes from MP-iBGP is required.

Redistribution into MP-iBGP on PE1:
  router bgp 1
   neighbor 1.2.3.4 remote-as 1
   neighbor 1.2.3.4 update-source loopback 0
   address-family ipv4 vrf VPN-A
    redistribute {rip|connected|static|eigrp|ospf}

If the PE-CE protocol is not BGP, redistribution of the other sites' VPN routes into MP-iBGP is required.
MPLS-VPN Services:
1. Load-shared traffic to the multihomed VPN sites

[Figure: Site A multihomed to PE11 and PE12; Site B behind CE2 and PE2]

- VPN sites (such as Site A) could be multihomed
- The VPN customer may demand that traffic to the multihomed sites be load-shared
[Figure: Site A (171.68.2.0/24) with 2 CEs and 2 PEs (CE1 to PE11 and PE12), Site B behind CE2 and PE2, RR in the MPLS backbone; traffic flow and route advertisement]

Route Advertisement

- The RR must advertise all the paths learned via PE11 and PE12 to the remote PE routers
- With a different RD per VRF, the RR does the best-path calculation per RD and advertises them to the remote PE
- Watch out for the increased (~20%) memory consumption (within BGP) due to multipaths at the PEs
- eiBGP multipath implicitly provides eBGP and iBGP multipath for VPN paths
MPLS-VPN Services:
2. Hub & Spoke Service to the VPN Customers

- Traditionally, VPN deployments are Hub & Spoke.
- Spoke-to-spoke communication is via the Hub site only.
- Despite the implicit any-to-any (i.e. full-mesh) connectivity of MPLS VPNs, Hub & Spoke service can easily be offered.
- Done with import and export of Route-Targets (RT).
MPLS-VPN Services:
2. Hub & Spoke Service - Configuration

[Figure: Spoke A (171.68.1.0/24, CE-SA, PE-SA) and Spoke B (171.68.2.0/24, CE-SB, PE-SB) connected through the MPLS VPN backbone to PE-Hub, which has two VRF sub-interfaces Eth0/0.1 and Eth0/0.2 towards the hub site]

PE-SA:
  ip vrf green-spoke1
   description VRF for SPOKE A
   rd 300:111
   route-target export 1:1
   route-target import 2:2

PE-SB:
  ip vrf green-spoke2
   description VRF for SPOKE B
   rd 300:112
   route-target export 1:1
   route-target import 2:2

PE-Hub:
  ip vrf HUB-OUT
   description VRF for traffic from HUB
   rd 300:11
   route-target import 1:1
  !
  ip vrf HUB-IN
   description VRF for traffic to HUB
   rd 300:12
   route-target export 2:2
MPLS-VPN Services:

VRF HUB-OUT RT and LFIB (at PE-Hub):

  Destination     NextHop   Label
  171.68.1.0/24   PE-SA     40
  171.68.2.0/24   PE-SB     50

- All traffic between spokes must pass through the Hub/Central Site. The Hub site could offer firewall and NAT-like applications.
- Two-VRF solution at the PE-Hub: VRF HUB-OUT has knowledge of every spoke route; VRF HUB-IN only has a default route and advertises that to the spoke PEs.
- Import and export Route-Targets within a VRF must be different.
MPLS-VPN Services:

[Figure: hub-and-spoke forwarding towards 171.68.1.1 in Spoke A (171.68.1.0/24): a packet from Spoke B travels CE-SB -> PE-SB -> PE-Hub carrying the HUB-IN label LH=35, is turned around at the hub site, and then travels PE-Hub -> PE-SA carrying label LA=40 before reaching CE-SA]
MPLS-VPN Services
3. Extranet VPN

- MPLS VPN, by default, isolates one VPN customer from another: a separate virtual routing table for each VPN customer
- Needs the right import and export route-target (RT) values configured within the VRFs
- export-map or import-map should be used
  ip vrf VPN_A
   rd 3000:111
   export map VPN_A_Export
   import map VPN_A_Import
   route-target import 3000:111
   route-target export 3000:111
   route-target import 3000:1
  !
  route-map VPN_A_Export permit 10
   match ip address 1
   set extcommunity rt 3000:2
  !
  route-map VPN_A_Import permit 10
   match ip address 2
  !
  access-list 1 permit 171.68.0.0 0.0.0.0
  access-list 2 permit 180.1.0.0 0.0.0.0

  ip vrf VPN_B
   rd 3000:222
   export map VPN_B_Export
   import map VPN_B_Import
   route-target import 3000:222
   route-target export 3000:222
   route-target import 3000:2
  !
  route-map VPN_B_Export permit 10
   match ip address 2
   set extcommunity rt 3000:1
  !
  route-map VPN_B_Import permit 10
   match ip address 1
  !
  access-list 1 permit 171.68.0.0 0.0.0.0
  access-list 2 permit 180.1.0.0 0.0.0.0

Only Site#1 of both VPNs will communicate with each other; Site#2 won't.
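The hub-and-spoke and extranet sections above both rest on the same mechanism: the RD keeps overlapping customer prefixes distinct in VPNv4, and a PE installs a received route into a VRF only if one of its Route-Targets is in that VRF's import list. The following Python model is an added example, not code from the deck; it uses the four VRFs exactly as configured in the Hub & Spoke slides, the labels 40 and 50 from the HUB-OUT LFIB table, and a constructed label 35 for the hub's default route.

```python
"""Model MP-BGP VPNv4 route exchange: RD makes prefixes unique, RTs decide who imports."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnV4Route:
    rd: str            # Route Distinguisher of the exporting VRF, e.g. "300:111"
    prefix: str        # customer IPv4 prefix
    next_hop: str      # exporting PE (BGP next hop)
    label: int         # VPN label assigned by the exporting PE
    rts: frozenset     # Route-Target extended communities attached on export

    @property
    def vpnv4(self) -> str:
        return f"{self.rd}:{self.prefix}"   # RD + IPv4 prefix = VPNv4 prefix


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset = frozenset()
    import_rts: frozenset = frozenset()
    routes: dict = field(default_factory=dict)   # imported prefix -> (next_hop, label)


def export_routes(pe: str, vrf: Vrf, local: dict) -> list:
    """PE side: each VRF route becomes a VPNv4 route carrying the VRF's export RTs."""
    return [VpnV4Route(vrf.rd, p, pe, lbl, vrf.export_rts) for p, lbl in local.items()]


def import_routes(vrf: Vrf, updates: list) -> None:
    """PE side: install a received VPNv4 route only if it carries an RT the VRF imports."""
    for r in updates:
        if r.rts & vrf.import_rts:
            vrf.routes[r.prefix] = (r.next_hop, r.label)


def build_hub_and_spoke() -> dict:
    """VRFs as configured on the slide; only remotely learned routes are modelled."""
    spoke_a = Vrf("green-spoke1", "300:111", frozenset({"1:1"}), frozenset({"2:2"}))
    spoke_b = Vrf("green-spoke2", "300:112", frozenset({"1:1"}), frozenset({"2:2"}))
    hub_out = Vrf("HUB-OUT", "300:11", import_rts=frozenset({"1:1"}))  # learns every spoke
    hub_in = Vrf("HUB-IN", "300:12", export_rts=frozenset({"2:2"}))    # only exports default
    updates = (export_routes("PE-SA", spoke_a, {"171.68.1.0/24": 40})
               + export_routes("PE-SB", spoke_b, {"171.68.2.0/24": 50})
               + export_routes("PE-Hub", hub_in, {"0.0.0.0/0": 35}))   # label 35 constructed
    vrfs = {v.name: v for v in (spoke_a, spoke_b, hub_out, hub_in)}
    for v in vrfs.values():            # the RR reflects every update to every PE
        import_routes(v, updates)
    return vrfs


def distinct_vpnv4(updates: list) -> set:
    """Two customers announcing the same IPv4 prefix stay distinct thanks to the RD."""
    return {r.vpnv4 for r in updates}


if __name__ == "__main__":
    for name, vrf in build_hub_and_spoke().items():
        print(name, vrf.routes)
```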
MPLS-VPN Services
4. Internet Access Service to VPN Customers

- Could be provided as another value-added service
- Security mechanisms must be in place at both the provider network and the customer network to protect from Internet vulnerabilities
- VPN customers benefit from a single point of contact for both Intranet and Internet connectivity
MPLS-VPN Services
4. Internet Access: Different Methods of Service

Four ways to provide the Internet service:
1. VRF-specific default route with the global keyword
2. Separate PE-CE sub-interface (non-VRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT
MPLS-VPN Services
4. Internet Access: Different Methods of Service

1. VRF-specific default route
   1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
   1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Config)

[Figure: Site1 171.68.0.0/16 behind CE1 on PE1 (192.168.1.2), across the MPLS backbone to the ASBR / Internet gateway 192.168.1.1]

PE1:
  ip vrf VPN-A
   rd 100:1
   route-target both 100:1
  interface Serial0
   ip vrf forwarding VPN-A
   ip address 192.168.10.1 255.255.255.0
  router bgp 100
   no bgp default ipv4-unicast
   redistribute static
   neighbor 192.168.1.1 remote-as 100
   neighbor 192.168.1.1 activate
   neighbor 192.168.1.1 next-hop-self
   neighbor 192.168.1.1 update-source loopback0
  ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
  ip route 171.68.0.0 255.255.0.0 Serial0

- A default route, pointing to the ASBR, is installed into the site VRF at each PE
- A single label is used for packets forwarded according to the default route: the IGP label corresponding to the IP address of the ASBR, known via the IGP
- The static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Forwarding)

[Figure: Site1 171.68.0.0/16 via CE1, PE1 (192.168.1.2), P and PE2 (192.168.1.1) to the Internet. Outbound: an IP packet for Cisco.com leaves PE1 with a single label (Label = 30) towards PE2 and exits to the Internet unlabelled. Inbound: an IP packet for 171.68.1.1 is labelled Label = 35 at PE2 and delivered through PE1 to Site1.]

Global Table and LFIB:

  Destination      Label/Interface
  192.168.1.2/32   Label=35
  171.68.0.0/16    192.168.1.2
  Internet         Serial 0

VRF Routing/FIB Table:

  Destination   Label/Interface
  0.0.0.0/0     192.168.1.1 (global)
  Site-1        Serial 0

Pros
- Different Internet gateways can be used for different VRFs
- PE routers need not hold the Internet table
- Simple configuration

Cons
- Using the default route for Internet routing does NOT allow any other default route for intra-VPN routing
- Increases the size of the global routing table by leaking VPN routes
- Static configuration
MPLS-VPN Services
4.2 Internet Access
[Figure: PE1 (192.168.1.2) with two Frame Relay sub-interfaces towards the CE: S0.1 in VRF VPN-A and S0.2 in the global table; P; PE2 / ASBR (192.168.1.1) as the Internet gateway running BGP-4 to the Internet]

PE1:
  interface Serial0.1
   ip vrf forwarding VPN-A
   ip address 192.168.20.1 255.255.255.0
   frame-relay interface-dlci 100
  !
  interface Serial0.2
   ip address 171.68.10.1 255.255.255.0
   frame-relay interface-dlci 200
  !
  router bgp 100
   no bgp default ipv4-unicast
   [snip]
   neighbor 171.68.10.2 remote-as 502

CE routing table: VPN routes via Serial0.1, Internet routes via Serial0.2

Pros
- The CE could dual-home and perform optimal routing
- Traffic separation is done by the CE

Cons
- The PE has to hold full Internet routes
- BGP complexities are introduced in the CE
MPLS-VPN Services:
5. VRF-Selection Based Services

- Each packet on the PE-CE interface could be handled (based on certain criteria) via different VRF routing tables
- Criteria such as source/destination IP address, ToS, TCP port etc. are specified via a route-map
- Voice and Data can be separated into different VRFs at the PE
[Figure: Cable setup: CE1 behind interface Se0/0 (215.2.0.6), with hosts in VPN Brown 33.3.0.0/16, VRF blue 44.3.0.0/16 (44.3.12.1, per access-list 50) and VPN Green 66.3.0.0/16 (66.3.1.25) all arriving on one VRF interface; RR in the backbone]

PE configuration:
  ip vrf brown
   rd 3000:111
   route-target export 3000:1
   route-target import 3000:1
  !
  ip vrf blue
   rd 3000:222
   route-target export 3000:2
   route-target import 3000:2
  !
  ip vrf green
   rd 3000:333
   route-target export 3000:3
   route-target import 3000:3

  interface Serial0/0
   ip address 215.2.0.6 255.255.255.252
   ip policy route-map PBR-VRF-Selection
   ip vrf receive brown
   ip vrf receive blue
   ip vrf receive green

  access-list 40 permit 33.3.0.0 0.0.255.255
  access-list 50 permit 44.3.0.0 0.0.255.255
  access-list 60 permit 66.3.0.0 0.0.255.255

  route-map PBR-VRF-Selection permit 10
   match ip address 40
   set vrf brown
  route-map PBR-VRF-Selection permit 20
   match ip address 50
   set vrf blue
  route-map PBR-VRF-Selection permit 30
   match ip address 60
   set vrf green
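The route-map above is evaluated top to bottom and each standard ACL tests only the source address with a Cisco wildcard mask. The following Python model is an added example (not from the deck) that reproduces that classification for the three ACLs and VRFs on the slide; the "global" result for unmatched packets is the model's own name for "no set vrf applied".

```python
"""Model the PBR-based VRF selection from the slide: the source address picks the VRF."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# Standard access lists as configured on the slide: (action, network, wildcard).
ACCESS_LISTS = {
    40: [("permit", "33.3.0.0", "0.0.255.255")],
    50: [("permit", "44.3.0.0", "0.0.255.255")],
    60: [("permit", "66.3.0.0", "0.0.255.255")],
}

# route-map PBR-VRF-Selection: (sequence, ACL matched, VRF set), evaluated in order.
ROUTE_MAP = [(10, 40, "brown"), (20, 50, "blue"), (30, 60, "green")]


def acl_permits(acl_number: int, src: str) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for action, network, wildcard in ACCESS_LISTS[acl_number]:
        if wildcard_match(src, network, wildcard):
            return action == "permit"
    return False


def select_vrf(src: str) -> str:
    """Standard ACLs match the source address only.  If no route-map entry
    permits the packet, no 'set vrf' applies and it stays in the interface's
    own (global) routing table."""
    for _seq, acl, vrf in ROUTE_MAP:
        if acl_permits(acl, src):
            return vrf
    return "global"


if __name__ == "__main__":
    for src in ("33.3.7.9", "44.3.12.1", "66.3.1.25", "215.2.0.6"):
        print(src, "->", select_vrf(src))
```

Because the VRF is chosen purely from the source address the CE presents, this classification is only as trustworthy as the ingress anti-spoofing filtering applied on that interface.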
MPLS-VPN Services:
6. Remote Access MPLS VPN

- Remote Access services integration with MPLS VPN opens up new opportunities for providers

[Figure: remote users / telecommuters (Cable/DSL/ISDN via an ISP), using Cisco IOS VPN routers or Cisco Client 3.x or higher, build an IPSec session across the SP shared network (SP AAA, customer AAA) to the PE, which places them into the MPLS VPN of Customer A (VPN A) alongside the Customer A branch office and corporate intranet; Customer B and Customer C (VPN C) are served likewise]
MPLS-VPN Services
7. VRF-Aware NAT Services

- VPN customers could be using overlapping IP addresses, i.e. 10.0.0.0/8
- Such VPN customers must NAT their traffic before using extranet, Internet or any shared services
- The PE is capable of NATting the VPN packets (eliminating the need for an extra NAT device)
- Typically, inside interface(s) connect to the private address space and outside interface(s) connect to the global address space
- NAT occurs after routing for traffic from inside to outside interfaces
- NAT occurs before routing for traffic from outside to inside interfaces
MPLS-VPN Services:
7. VRF-Aware NAT Services - Configuration

[Figure: PE11, the MPLS backbone and P, PE-ASBR (.1) connected to the Internet gateway 217.34.42.2]

VRF-aware NAT specific config (PE-ASBR):
  ip nat inside
  ip nat outside
  ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
  ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
  ip nat inside source list vpn-to-nat pool pool-green vrf green
  ip nat inside source list vpn-to-nat pool pool-blue vrf blue
  ip access-list standard vpn-to-nat
   permit 10.1.1.0 0.0.0.255
  ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
  ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global

  ip vrf green
   rd 3000:111
   route-target both 3000:1
  ip vrf blue
   rd 3000:222
   route-target both 3000:2
  router bgp 3000
   address-family ipv4 vrf green
    network 0.0.0.0
   address-family ipv4 vrf blue
    network 0.0.0.0
MPLS-VPN Services:
7. VRF-Aware NAT Services - Internet Access

[Figure: CE1 (10.1.1.0/24, VRF green) and CE2 (10.1.1.0/24, VRF blue) both send Src=10.1.1.1 Dest=Internet into PE11 and PE12; inside the MPLS backbone the packets carry Label=30 and Label=40 respectively; the PE-ASBR forwards them to the Internet as Src=24.1.1.1 and Src=25.1.1.1]

- The PE-ASBR removes the label from the received MPLS packets per the LFIB
- Performs NAT on the resulting IP packets
- Forwards the packet
- This is also one of the ways to provide Internet access to VPN customers with or without overlapping addresses
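The point of VRF-aware NAT is that the translation state is keyed on the VRF as well as the inside address, so two customers both using 10.1.1.1 get distinct public addresses and return traffic is steered back into the right VRF. The Python model below is an added example, not from the deck: it uses the VRF names, inside network and pool ranges of the configuration slide (the pools start at .1 so the first translations match the figure, which is a constructed choice), and the Internet destination 198.51.100.7 is a constructed address.

```python
"""Simulate VRF-aware NAT at the PE-ASBR for VPNs that reuse 10.1.1.0/24."""
import ipaddress


class VrfAwareNat:
    def __init__(self):
        self.pools = {}    # vrf -> iterator over free outside addresses
        self.inside = {}   # vrf -> networks subject to NAT ('ip nat inside source list')
        self.fwd = {}      # (vrf, inside_ip) -> outside_ip
        self.rev = {}      # outside_ip -> (vrf, inside_ip)

    def add_pool(self, vrf, start, end):
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.pools[vrf] = iter(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))

    def add_inside_source(self, vrf, network):
        self.inside.setdefault(vrf, []).append(ipaddress.ip_network(network))

    def outbound(self, vrf, src, dst):
        """inside -> outside, after routing: the VRF the packet arrived in is part of the key."""
        if not any(ipaddress.ip_address(src) in n for n in self.inside.get(vrf, [])):
            return (src, dst)          # not subject to translation
        key = (vrf, src)
        if key not in self.fwd:
            outside = next(self.pools[vrf], None)
            if outside is None:
                return None            # pool exhausted: the packet is dropped
            self.fwd[key] = outside
            self.rev[outside] = key
        return (self.fwd[key], dst)

    def inbound(self, src, dst):
        """outside -> inside, before routing: the pool address alone identifies VRF + host,
        so the overlapping inside addresses never need to be disambiguated by routing."""
        hit = self.rev.get(dst)
        if hit is None:
            return None                # no binding: nothing is delivered into any VRF
        vrf, inside = hit
        return (vrf, src, inside)


def build_pe_asbr():
    """Pools and inside list as on the slide; pools start at .1 (constructed)."""
    nat = VrfAwareNat()
    nat.add_pool("green", "24.1.1.1", "24.1.1.254")
    nat.add_pool("blue", "25.1.1.1", "25.1.1.254")
    for vrf in ("green", "blue"):
        nat.add_inside_source(vrf, "10.1.1.0/24")
    return nat


if __name__ == "__main__":
    nat = build_pe_asbr()
    print(nat.outbound("green", "10.1.1.1", "198.51.100.7"))
    print(nat.outbound("blue", "10.1.1.1", "198.51.100.7"))
    print(nat.inbound("198.51.100.7", "25.1.1.1"))
```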
What Is Inter-AS?

[Figure: Provider X (AS #1: RR1, ASBR1, PE-1, CE-1) and Provider Y (AS #2: RR2, ASBR2, PE2, CE2) both serve VPN-A (149.27.2.0/24); an MP-iBGP update carries the VPN route within AS #1]

Problem: how does the VPN route cross from AS #1 into AS #2 (the "???" in the figure)?
Inter-AS options

[Figure: PE1 in AS #1 and PE2 in AS #2, CE2 in VPN-A; option 3: Multihop MP-eBGP between RRs]

Options 2 and 3 are more common and will be discussed. Options 1 and 4 are in the backup slides.
Scenario 2 (MP-eBGP between ASBRs for VPNv4 routes): Control Plane

[Figure: PE-2 learns 10.1.1.0/24 (NH=PE-2) from CE-2/CE-3 in VPN-B over BGP, OSPF or RIPv2; the route reaches PE-1 as an MP-iBGP update RD:1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(30), i.e. the ASBR becomes the next hop and assigns a new label]
Scenario 2 (MP-eBGP between ASBRs for VPNv4 routes): Forwarding Plane

[Figure: a packet for 10.1.1.1 from CE-3 in VPN-B enters PE-2 and crosses P2, ASBR-2, ASBR-1 and P1 to PE-1 and the CE; label values 20, 30 and 40 appear on the stacks in the figure, the top label being swapped hop by hop]

Pros
- More scalable: only one interface between the ASBR routers
- No VRF configuration on the ASBR
- Less memory consumption (no RIB/FIB memory)
- MPLS label switching between providers
- Still simple, more scalable, and works today

Cons
- Automatic Route Filtering must be disabled, but BGP filtering can be applied
- ASBRs are still required to hold VPN routes
Scenario 2: ASBR MP-eBGP Configuration

[Figure: PE1 in AS #1, PE2 in AS #2, ASBR2; CE-1 and CE-2 in VPN-A]

ASBR:
  router bgp x
   no bgp default route-target filter
   neighbor 1.1.1.x remote-as x
  !
   address-family vpnv4
    neighbor 1.1.1.x activate
    neighbor 1.1.1.x send-community extended

Note: the ASBR must already have an MP-iBGP session with iBGP neighbors such as RRs or PEs.
Scenario 3: Multihop MP-eBGP between RRs for VPN routes

- Exchange IPv4 routes with labels between directly connected ASBRs using eBGP
- Only PE loopback addresses need to be exchanged (they are the BGP next-hop addresses of the VPN routes)
Scenario 3: Multihop MP-eBGP between RRs for VPN routes: Control Plane

[Figure: AS#1 (PE-1, RR-1, ASBR-1) and AS#2 (ASBR-2, RR-2, PE-2); CE-2 and CE-3 in VPN-B, 10.1.1.0/24]

- VPN-v4 update RD:1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(90) is carried PE-1 -> RR-1 -> RR-2 -> PE-2 over the multihop MP-eBGP session between the RRs, with the next hop unchanged
- IGP+LDP in AS#1: Network=PE-1, NH=PE-1, Label=(40)
- IGP+LDP in AS#2: Network=PE-1, NH=ASBR-2, Label=(30)
- PE-2 to CE-2/CE-3 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=PE-2

Note: instead of IGP+Label, iBGP+Label can be used to exchange PE routes/labels. Please see Scenario#5 on slides 49 and 50.
Scenario 3: Multihop MP-eBGP between RRs for VPN routes: Forwarding Plane

[Figure: a packet for 10.1.1.1 from CE-3 enters PE-2 and crosses P2, ASBR-2, ASBR-1 and P1 to PE-1 and CE-2 (VPN-B, 10.1.1.0/24); the VPN label 90 stays at the bottom of the stack end to end while the transport label on top (values 50, 30, 40 and 20 appear in the figure) is swapped hop by hop, until PE-1 pops 90 and forwards the IP packet]

Scenario 3: Pros/Cons

Pros
- More scalable than Scenarios 1 and 2
- Separation of control and forwarding planes
- Route Reflectors exchange VPNv4 routes+labels; the RRs hold the VPNv4 information anyway
- ASBRs now exchange only IPv4 routes+labels and forward MPLS packets

Cons
- Advertising PE addresses to another AS may not be acceptable to some providers
Scenario 3: IOS Configuration

[Figure: PE1 in AS #1 and PE2 in AS #2; CE-1 and CE-2 in VPN-A; the ASBRs exchange eBGP IPv4 + labels]

RR Configuration:
  router bgp x
   neighbor <RR-x> remote-as x
   neighbor <RR-x> ebgp-multihop
   neighbor <RR-x> update-source loopback 0
  !
   address-family vpnv4
    neighbor <RR-x> activate
    neighbor <RR-x> send-community extended
    neighbor <RR-x> next-hop-unchanged

ASBR Configuration:
  router ospf x
   redistribute bgp 1 subnets
  !
  router bgp x
   neighbor <ASBR-x> remote-as x
  !
   address-family ipv4
    network <PEx> mask 255.255.255.255
    network <RRx> mask 255.255.255.255
    neighbor <ASBR-x> activate
    neighbor <ASBR-x> send-label

iBGP IPv4+label could also be used within each AS (instead of network <x.x.x.x>) to propagate the label information for the PEs.
Deployment Scenarios
If the number of VPN routes can be reduced somehow (without losing functionality), then the existing investment can be protected: the same PE can still be used to connect more VPN customers.

Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes in each VRF by enabling MPLS on the PE-CE link.
Benefits of CsC

- Provide transport for ISPs ($)
- No need to manage external routes from ISPs
- Sell VPN service to subsidiary companies that provide VPN service ($)
CsC deployment models

[Figure: ISP sites (R1, R2) reached through ASBR-1 and the carrier's PE2 using IGP+LDP on the PE-CE link; the ISP's customers are external routes; Internet]

Models 1 and 2 are less common deployments. Model 3 will be discussed in detail.
CsC: ISP Sites Are Running MPLS-VPN: Hierarchical MPLS-VPN Control Plane

[Figure: carrier's core PE1, P1, PE2; ISP sites with CE-1 / ASBR_PE-1 (30.1.61.25/32) and CE-2 / ASBR_PE-2; end-customer VPN Site-1 (R1) and VPN Site-2 (R2), Network = 10.1.1.0/24]

- VPN Site-1 to ASBR_PE-1: 10.1.1.0/24, NH=R1
- ASBR_PE-1 to ASBR_PE-2 (MP-iBGP update across the ISP's VPN): 1:1:10.1.1.0/24, RT=1:1, NH=30.1.61.25/32, Label=90
- ASBR_PE-2 to VPN Site-2: 10.1.1.0/24, NH=ASBR_PE-2
- CE-1 to PE1 (PE-CE with labels): 30.1.61.25/32, NH=CE-1, Label=50
- PE1 to PE2 (MP-iBGP update in the carrier's core): 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51
- Carrier's core IGP+LDP: Net=PE-1, Label=16
- PE2 to CE-2: 30.1.61.25/32, NH=PE-2, Label=52
CsC: ISP Sites Are Running MPLS-VPN: Hierarchical MPLS-VPN Forwarding Plane

[Figure: a packet to 10.1.1.1 from VPN Site-2 (R2) towards VPN Site-1 (R1), Network = 10.1.1.0/24. Label stacks shown in the figure: ASBR-2 -> CE-2 [70, 90]; CE-2 -> PE2 [52, 90]; PE2 -> P1 [16, 51, 90]; P1 -> PE1 [51, 90]; PE1 -> CE-1 [50, 90]; CE-1 -> ASBR-1 [60, 90]; ASBR-1 pops the VPN label 90 and delivers the IP packet to R1. The inner VPN label 90 is untouched by the carrier's core.]
CsC PE-CE link: the choice is driven by the routing protocol used on the PE-CE link; the CE has to run MPLS-aware code.
IOS Commands/Configs
Choice 1: IGP+LDP on the PE-CE

[Figure: PE-1 VRF interface ser0/0 to CE-1 running IGP+LDP]

On PE1 and CE1:
  interface serial0/0
   mpls ip
   mpls label protocol ldp

Verification:
  show mpls interfaces
  show mpls ldp discovery
  show mpls ldp bindings
  show mpls ldp neighbor
  show mpls forwarding-table
IOS Commands/Configs
Choice 2: eBGP+label on the PE-CE

On PE:
  show ip bgp vpnv4 vrf <vrf> neighbors
  show ip bgp vpnv4 vrf <vrf> labels
  show mpls forwarding-table vrf <vrf>

On CE:
  show ip bgp neighbors
  show ip bgp labels
  show mpls forwarding-table
Best Practices

1. Use RRs to scale BGP.
2. Deploy RRs in pairs for redundancy.
3. Keep RRs out of the forwarding paths and disable CEF (saves memory).
4. Consider a unique RD per VRF per PE if load sharing of VPN traffic is required.
5. RT and RD should have the ASN in them, i.e. ASN:X. Reserve the first few hundred values of X for internal purposes such as filtering.
6. Don't use customer names as VRF names; that is a nightmare for the NOC. Use a simple combination of numbers and characters in the VRF name, for example v101, v102, v201, v202 etc., and use the description.
7. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor: max-prefix within the VRF configuration, or max-prefix per neighbor within the BGP VRF address family (if BGP is the PE-CE protocol).
Conclusion

- MPLS VPN is a cheaper alternative to traditional L2VPN
- MPLS-VPN paves the way for new revenue streams
- VPN customers could outsource their Layer 3 to the provider
- CsC and Inter-AS could be used to expand into new markets
- VRF-aware services could be deployed to maximize the investment
Winners will be posted on the onsite Networkers Website; four winners per day
http://www.networkers04.com/desktop

Q&A
Eval: http://www.networkers04.com/desktop
BACK UP SLIDES
Scenario 1 (back-to-back VRF between ASBRs): Control Plane

[Figure: PE-2 learns 10.1.1.0/24 (NH=PE-2) from CE-2/CE-3 in VPN-B over BGP, OSPF or RIPv2; ASBR-2 advertises a VPN-v4 update RD:1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(92) towards PE-1]

Scenario 1: Forwarding Plane

[Figure: a packet for 10.1.1.1 crosses PE-2, P2, ASBR-2, ASBR-1, P1 and PE-1 to CE-2 (VPN-B, 10.1.1.0/24); label values 20 and 92 appear on the stacks in the figure]

Cons
- Not scalable: the number of interfaces on both ASBRs is directly proportional to the number of VRFs
- No end-to-end MPLS
- Unnecessary memory consumed in RIB/(L)FIB
- Dual-homing of ASBRs makes provisioning worse
Scenario 1: ASBR Configuration

[Figure: PE1 in AS #1, PE2 in AS #2, ASBR2; CE-2 in VPN-A]

ASBR:
  ip vrf green
   rd 1:1
   route-target both 1:1
  !
  router bgp x
   address-family ipv4 vrf green
    neighbor 1.1.1.x activate

Note: the ASBR must already have an MP-iBGP session with iBGP neighbors such as RRs or PEs.
IOS Configuration
Scenario 2.5: Multi-Hop MP-eBGP for VPNv4

[Figure: ASBR1 in AS #1 (PE1), ASBR2 in AS #2 (PE2); CE-2 in VPN-A]

ASBR:
  interface serial 0
   ip address 1.1.1.x/30
   mpls label protocol ldp
  router bgp x
   no bgp default route-target filter
   neighbor <ASBR-x> remote-as x
   neighbor <ASBR-x> update-source loopback0
   neighbor <ASBR-x> ebgp-multihop
  !
   address-family vpnv4
    neighbor <ASBR-x> activate
    neighbor <ASBR-x> send-community extended
[Figure (the iBGP+label variant referenced from the Scenario 3 note): ASBR-1 and ASBR-2 exchanging iBGP IPv4 + Labels with RR-2; CE-3 in VPN-B]
Back-up: rewriting Route-Targets at the ASBR (RT 100:100 is deleted and 123:123 added on updates sent to 1.1.1.1)

  ASBR(conf)#router bgp 1000
  ASBR(conf-router)#neighbor 1.1.1.1 route-map route-target-delete out
  ASBR(conf-router)#exit
  ASBR(conf)#route-map route-target-delete
  ASBR(conf-route-map)#match extcommunity 101
  ASBR(conf-route-map)#set extcomm-list 101 delete
  ASBR(conf-route-map)#set extcommunity rt 123:123 additive
  ASBR(conf)#ip extcommunity-list 101 permit rt 100:100