Deploying MPLS VPNs-2up

Deploying MPLS VPN Networks
BRKRST-2102
BRKRST-2102 13902_06_2007_x1
2007 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Other MPLS Related Sessions

BRKRST-1101 Introduction to MPLS BRKRST-2102 Deploying MPLS VPNs BRKRST-2103 Migration Considerations When Buying MPLS VPN Services from Service Providers BRKRST-2104 Deploying MPLS Traffic Engineering BRKRST-2105 Inter-AS MPLS Solutions BRKRST-3101 Advanced Topics and Future Directions in MPLS TECAGG-2003 Layer 2 Virtual Private Networks LABRST-2105 Implementing MPLS in Service Provider Networks LABRST-2106 Enabling MPLS in Enterprise Networks
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr
Agenda
MPLS VPN Explained MPLS VPN Services Best Practices Conclusion
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
Prerequisites
Must be willing to bet
on MPLS VPN Networks
Must understand basic IP routing, especially BGP Must understand MPLS basics (push, pop, swap, label stacking) Must be able to keep the speaker awake
by asking Bad questions
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
Terminology
LSR: Label switch router LSP: Label switched path
The chain of labels that are swapped at each hop to get from one LSR to another
VRF: VPN routing and forwarding

Mechanism in Cisco IOS used to build per-interface RIB and FIB
MP-BGP: Multiprotocol BGP PE: Provider edge router interfaces with CE routers P: Provider (core) router, without knowledge of VPN VPNv4: Address family used in BGP to carry MPLS-VPN routes RD: Route distinguisher
Distinguish same network/mask prefix in different VRFs
RT: Route target

Extended community attribute used to control import and export policies of VPN routes
LFIB: Label forwarding information base FIB: Forwarding information base

BRKRST-2102 13902_06_2007_x1 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Agenda
MPLS VPN Explained
Technology Configuration
MPLS-VPN Services Best Practices Conclusion
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
MPLS-VPN Technology
Control planeVPN route propagation Data planeVPN packet forwarding
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
MPLS-VPN Technology
MPLS VPN Connection Model
P PE VPN Backbone IGP P P P PE
MP-iBGP Session
PE Routers
Edge routers Use MPLS with P routers Uses IP with CE routers Connects to both CE and P routers Distribute VPN information through MP-BGP to other PE router with VPN-IPv4 addresses, extended community, label
P Routers
P routers are in the core of the MPLS cloud P routers do not need to run BGP and doesnt need to have any VPN knowledge Forward packets by looking at labels P and PE routers share a common IGP
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
MPLS-VPN Technology
Separate Routing Tables at PE
VPN 2 CE PE CE VPN 1 MPLS Backbone IGP (OSPF, ISIS)
VRF Routing Table

Routing (RIB) and forwarding table (CEF) associated with one or more directly connected sites (CEs) The routes the PE receives from CE routers are installed in the appropriate VRF routing table(s)
blue VRF routing table or green VRF routing table
The Global Routing Table

Populated by the IGP within MPLS backbone
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
MPLS-VPN Technology
VPN 2 CE VRF Green PE
Virtual Routing and Forwarding Instance (1)
EBGP, OSPF, RIPv2, Static CE VPN 1 VRF Blue
MPLS Backbone IGP (OSPF, ISIS)
Whats a VRF ? Associates to one or more interfaces on PE

Privatize an interface i.e., coloring of the interface
Has its own routing table and forwarding table (CEF) VRF has its own instance for the routing protocol
(static, RIP, BGP, EIGRP, OSPF)
CE router runs standard routing software

10
MPLS-VPN Technology
VPN 2 CE PE
Virtual Routing and Forwarding Instance (2)
EBGP, OSPF, RIPv2, Static CE VPN 1
MPLS Backbone IGP (OSPF, ISIS)
PE installs the routes, learned from CE routers, in the appropriate VRF routing table(s) PE installs the IGP (backbone) routes in the global routing table VPN customers can use overlapping IP addresses
11
MPLS-VPN Technology
Control Plane
8 Bytes 1:1 RD VPNv4 4 Bytes 10.1.1.0 IPv4 Route-Target Label 8 Bytes 3 Bytes
MP_REACH_NLRI attribute within MP-BGP UPDATE message Lets Discuss:

Route Distinguisher (RD); VPNv4 route Route Target (RT) Label
12
MPLS VPN Control Plane

8 Bytes 1:1 RD VPNv4 4 Bytes 10.1.1.0 IPv4
MP-BGP Update Components: VPNv4 Address

8 Bytes 3 Bytes
Route-Target
Label
MP-IBGP update with RD, RT, and label To convert an IPv4 address into a VPNv4 address, RD is appended to the IPv4 address i.e. 1:1:10.1.1.0
Makes the customers IPv4 route globally unique
Each VRF must be configured with an RD at the PE

RD is what that defines the VRF
BRKRST-2102 13902_06_2007_x1
! ip vrf v1 rd 1:1 !
Cisco Confidential
13

MP-BGP Update Components: Route-Target

8 Bytes 2:2 Route-Target Label 3 Bytes
MP-IBGP update with RD, RT, and Label Route-target (RT): Identifies the VRF for the received VPNv4 prefix. It is an 8-byte extended community (a BGP attribute) Each VRF is configured with RT(s) at the PE
RT helps to color the prefix
! ip vrf v1 route-target import 1:1 route-target export 1:2 !
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
14

MP-BGP Update Components: Label

8 Bytes 2:2 Route-Target 3 Bytes 50 Label
MP-IBGP update with RD, RT, and label

The Label (for the VPNv4 prefix) is assigned only by the PE whose address is the next-hop attribute
PE routers rewrite the next-hop with their own address (loopback) Next-hop-self towards MP-iBGP neighbors by default
PE addresses used as BGP next-hop must be uniquely known in the backbone IGP
Do Not Summarize the PE Loopback Addresses in the Core
15

Putting It All Together
Site 1
10.1.1.0/24
3
CE1 PE1
MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=Green, Label=100
Site 2 CE2
10.1.1.0/24 Next-Hop=CE-1
PE2
MPLS Backbone
1. PE1 receives an IPv4 update (eBGP/OSPF/ISIS/RIP/EIGRP) 2. PE1 translates it into VPNv4 address
Assigns an RT per VRF configuration Rewrites next-hop attribute to itself Assigns a label based on VRF and/or interface
5. PE1 sends MP-iBGP update to other PE routers

16

Putting It All Together
Site 1
10.1.1.0/24
3
CE1 PE1
MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=Green, Label=100
10.1.1.0/24 Next-Hop=PE-2
Site 2
CE2 P P PE2
10.1.1.0/24 Next-Hop=CE-1
MPLS Backbone
4. PE2 receives and checks whether the RT=green (40:103, say) is locally configured within any VRF, if yes, then 5. PE2 translates VPNv4 prefix back into IPv4 prefix,
Installs the prefix into the VRF routing table Updates the VRF CEF table with label=100 for 10.1.1.0/24 Advertise this IPv4 prefix to CE2 (using EBGP/RIP/OSPF/ISIS/EIGRP)
17
MPLS-VPN Technology
Forwarding Plane
Site 1
10.1.1.0/24
Site 2 CE1 PE1 P1 P2 PE2 CE2

VRF Green Forwarding Table Dest->NextHop 10.1.1.0/24-PE1, label: 100
10.1.1.0/24 Next-Hop=CE-1
P Global Routing/Forwarding Table Dest->Next-Hop PE2 P1, Label: 50
Global Routing/Forwarding Table Dest->Next-Hop PE1 P2, Label: 25
The Global Forwarding Table (show ip cef)

PE routers store IGP routes Associated labels Label distributed through LDP/TDP
VRF Forwarding Table (show ip cef vrf <vrf>)

PE routers store VPN routes Associated labels Labels distributed through MP-BGP
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
18
MPLS-VPN Technology
Forwarding Plane
Site 1
10.1.1.0/24
Site 2 CE1 P
10.1.1.1
P PE2
CE2
10.1.1.1
PE1
100 10.1.1.1
P
10.1.1.1 25
50
100
100
10.1.1.1
PE2 imposes TWO labels for each packet going to the VPN destination 10.1.1.1 The top label is LDP learned and derived from an IGP route
Represents LSP to PE address (exit point of a VPN route)
The second label is learned via MP-BGP

Corresponds to the VPN address
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
19
Agenda
MPLS VPN Explained
Technology Configuration
MPLS-VPN Services Best Practices Conclusion
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
20
10
MPLS VPN Sample Configuration (Cisco IOS)

VRF Definition
Site 1
10.1.1.0/24 ip vrf VPN-A rd 1:1 route-target export route-target import 100:1 100:1
CE1 Se0 192.168.10.1 PE1
PE1
interface Serial0 ip address 192.168.10.1 255.255.255.0 ip vrf forwarding VPN-A
PE-P Configuration
P Se0 PE1 s1 PE1
router ospf 1 network 130.130.1.0 0.0.0.3 area 0 Interface Serial1 ip address 130.130.1.1 255.255.255.252 mpls ip
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
21

PE: MP-IBGP
RR PE1 PE2 PE1
router bgp 1 neighbor 1.2.3.4 remote-as 1 neighbor 1.2.3.4 update-source loopback0 ! address-family vpnv4 neighbor 1.2.3.4 activate neighbor 1.2.3.4 send-community both !
RR: MP-IBGP
RR PE1 PE2 RR
router bgp 1 no bgp default route-target filter neighbor 1.2.3.6 remote-as 1 neighbor 1.2.3.6 update-source loopback0 ! address-family vpnv4 neighbor 1.2.3.6 route-reflector- client neighbor 1.2.3.6 activate !
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
22
11

PE-CE
Site 1
10.1.1.0/24 192.168.10.2 192.168.10.1
BGP
CE1 PE1 PE1
router bgp 1 ! address-family ipv4 vrf VPN-A neighbor 192.168.10.2 remote-as 2 neighbor 192.168.10.2 activate exit-address-family !
PE-CE
Site 1
10.1.1.0/24 192.168.10.2
OSPF
CE1 PE1 PE1
router ospf 1 ! router ospf 2 vrf VPN-A network 192.168.10.0 0.0.0.255 area 0 redistribute bgp 1 subnets !
192.168.10.1
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
23

PE-CE
Site 1
10.1.1.0/24 192.168.10.2 192.168.10.1
RIP
CE1 PE1
router rip ! address-family ipv4 vrf VPN-A version 2 no auto-summary network 192.168.10.0 redistribute bgp 1 metric transparent !
PE-CE
Site 1
10.1.1.0/24 192.168.10.2
EIGRP
CE1 PE1
router eigrp 1 ! address-family ipv4 vrf VPN-A no auto-summary network 192.168.10.0 0.0.0.255 autonomous-system 1 redistribute bgp 1 metric 100000 100 255 1 1500 !
192.168.10.1
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
24
12

PE-CE
Site 1
10.1.1.0/24 192.168.10.2 192.168.10.1
Static
CE1 PE1
ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
If PE-CE protocol is non-BGP, then redistribution of other sites VPN routes from MP-IBGP is required (shown below for RIP) -
PE-CE MB-iBGP Routes to VPN

Site 1 RR PE1
router rip address-family ipv4 vrf VPN-A version 2 redistribute bgp 1 metric transparent no auto-summary network 192.168.10.0 exit-address-family
CE1
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
25

If PE-CE protocol is non-BGP, then redistribution of local VPN routes into MP-IBGP is required (shown below) -
PE-RR (VPN Routes to VPNv4)

Site 1
RR PE1 router bgp 1 neighbor 1.2.3.4 remote-as 1 neighbor 1.2.3.4 update-source loopback 0 address-family ipv4 vrf VPN-A redistribute {rip|connected|static|eigrp|ospf}
CE1
For config hands-on, please attend Configuring MPLS VPNs (LABCRT-2208) session Having familiarized with Cisco IOS based config, lets glance through the IOX based config for VPNs
26
13
MPLS VPN Sample Configuration (IOX)

VRF Definition
Site 1
10.1.1.0/24 vrf VPN-A router-id 192.168.10.1 address-family ipv4 unicast import route-target 100:1 export route-target 100:1 export route-policy raj-exp interface Serial0 vrf VPN-A ipv4 address 192.168.10.1/24
CE1 Se0 192.168.10.1 PE1
PE1
PE-CE
Site 1
10.1.1.0/24 192.168.10.2
BGP
CE1 PE1 PE1
192.168.10.1
router bgp 1 vrf VPN-A rd 1:1 address-family ipv4 unicast redistribute connected ! neighbor 192.168.10.2 remote-as 2 address-family ipv4 unicast route-policy raj-temp in ! ! ! !
27
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
Agenda
MPLS VPN Explained MPLS-VPN Services
1. Providing Load-Shared Traffic to the Multihomed VPN Sites 2. Providing Hub and Spoke Service to the VPN Customers 3. Providing MPLS VPN Extranet Service 4. Providing Internet Access Service to VPN Customers 5. Providing VRF-Selection Based Services 6. Providing Remote Access MPLS VPN 7. Providing VRF-Aware NAT Services 8. Providing QoS Service to VPNs 9. Providing Multicast Service to VPNs 10. Providing MPLS/VPN over IP transport 11. Providing Multi-VRF CE Service
Best Practices Conclusion

28
14
MPLS VPN Services:

PE11
171.68.2.0/24
1. Loadsharing for the VPN Traffic

RR CE2
CE1 PE12
PE2
Site A
MPLS Backbone Route Advertisement
Site B
VPN sites (such as Site A) could be multihomed VPN customer may demand the traffic (to the multihomed site) be loadshared
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
29
MPLS VPN Services:

1 CE 2 PEs
171.68.2.0/24
1. Loadsharing for the VPN Traffic: Cases

RR PE11 PE2 PE12 Site A MPLS Backbone Traffic Flow Site B CE2
CE1
2 CEs 2 PEs
CE1
171.68.2.0/24
RR PE11 PE2 PE12 MPLS Backbone Traffic Flow Site B CE2
CE2
Site A
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
30
15
MPLS VPN Services:

How to deploy the loadsharing?
1. Loadsharing for the VPN Traffic: Deployment
Configure unique RD per VRF per PE for multihomed site/interfaces Enable BGP multipath within the relevant BGP VRF address-family at remote/receiving PE2 (why PE2?)
1 ip vrf green rd 300:11 route-target both 1:1 PE11
171.68.2.0/24
2 RR
router bgp 1 address-family ipv4 vrf green maximum-paths eibgp 2 PE2 CE2
CE1 PE12 MPLS Backbone 1
Site A ip vrf green rd 300:12 route-target both 1:1
Site B ip vrf green rd 300:13 route-target both 1:1

31
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
MPLS VPN Services:

PE11
171.68.2.0/24
1. Loadsharing for the VPN Traffic

RR Route Advertisement PE2 PE12 Site A MPLS Backbone Site B CE2
CE1
If RR exists in the network, then RR must advertise all the BGP paths learned via PE11 and PE12 to the remote PE routers that are to select BGP multipaths
Please note that without unique RD per VRF per PE, RR would advertise only one of the received paths for 171.68.2.0/24 to other PEs
Watch out for the increased memory consumption (within BGP) due to multipaths at the PEs eiBGP multipath implicitly provides both eBGP and iBGP multipath for VPN paths
32
16
MPLS VPN Services:

Traffic is dropped by PE11
1. VPN Fast Convergence PE-CE Link Failure

RR PE11 PE2 VPN Traffic Redirected VPN traffic CE2
171.68.2.0/24
CE1
Site A PE12
MPLS Backbone
Site B
In a classic case, PE11, upon detecting the PE-CE link failure, sends BGP message to withdraw all the related VPN routes from the MPLS/VPN network
This results in the remote PE routers selecting the alternate bestpath (if any), but until then, they keep sending the MPLS/VPN traffic to PE11, which keeps dropping the traffic
Cisco IOS and IOX now have incorporated a Fast Local Repair feature to minimize the loss due to the PE-CE link failure from sec to msec
33
MPLS VPN Services:

Traffic is redirected by PE11
1. VPN Fast Convergence PE-CE Link Failure

RR PE11 PE2 VPN Traffic Redirected VPN traffic CE2
171.68.2.0/24
CE1
Site A PE12
MPLS Backbone
Site B
This feature helps PE11 to minimize the traffic loss from sec to msec, by redirecting the CE1 bound traffic to PE12 (with the right label), which forwards the traffic to CE1
PE11 reprograms the forwarding entry after selecting the alternate BGP best path (which is via PE12)
In parallel, PE11 sends the BGP withdraw message to RR/PE2, which will run the bestpath algorithm and removes the path learned via PE11, and then adjust their forwarding entries via PE12 This feature is independent of whether multipath is enabled on PE2 or not, however, dependent on VPN site multihoming
34
17
Agenda

35
MPLS-VPN Services:
2. Hub and Spoke Service to the VPN Customers Traditionally, VPN deployments are Hub and Spoke
Spoke to spoke communication is via Hub site only
Despite MPLS VPNs implicit any-to-any, i.e, full-mesh connectivity, Hub and Spoke service can easily be offered
Done with import and export of route-target (RT) values
PE routers can run any routing protocol with VPN customers Hub and spoke sites independently
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
36
18
MPLS-VPN Services:
ip vrf green-spoke1 description VRF for SPOKE A rd 300:111 route-target export 1:1 route-target import 2:2 Spoke A
171.68.1.0/24
2. Hub and Spoke Service: Configuration
CE-SA
PE-SA
ip vrf HUB-OUT description VRF for traffic from HUB rd 300:11 route-target import 1:1 Eth0/0.1 PE-Hub Eth0/0.2
Spoke B
171.68.2.0/24
CE-SB
PE-SB
MPLS VPN Backbone ip vrf HUB-IN description VRF for traffic to HUB rd 300:12 route-target export 2:2
ip vrf green-spoke2 description VRF for SPOKE B rd 300:112 route-target export 1:1 route-target import 2:2
BRKRST-2102 13902_06_2007_x1
Note - Only VRF configuration is shown here.

2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
37
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration If BGP is used between every PE and CE, then asoverride and allowas-in knobs must be used at the PE_Hub*
Otherwise AS_PATH looping will occur
If the spoke sites only need the default route from the hub site, then it is possible to use a single interface between PE-hub and CE-hub (instead of two interfaces as shown on the previous slide)
Let CE-hub router advertise the default or aggregate Avoid generating a BGP aggregate at the PE
* Configuration for this is shown on the next slide

38
19
MPLS-VPN Services:
ip vrf green-spoke1 description VRF for SPOKE A rd 300:111 route-target export 1:1 route-target import 2:2 Spoke A
171.68.1.0/24
2. Hub and Spoke Service: Configuration

router bgp <ASN> address-family ipv4 vrf HUB-OUT neighbor <CE> as-override
CE-SA
PE-SA
ip vrf HUB-OUT description VRF for traffic from HUB rd 300:11 route-target import 1:1 Eth0/0.1 PE-Hub Eth0/0.2
Spoke B
171.68.2.0/24
CE-SB
PE-SB
MPLS VPN Backbone ip vrf HUB-IN description VRF for traffic to HUB rd 300:12 route-target export 2:2
router bgp <ASN> address-family ipv4 vrf HUB-IN neighbor <CE> allowas-in 2
Cisco Confidential
ip vrf green-spoke2 description VRF for SPOKE B rd 300:112 route-target export 1:1 route-target import 2:2
BRKRST-2102 13902_06_2007_x1
39
MPLS-VPN Services:
2. Hub and Spoke Service: Control Plane

MPLS Backbone Spoke A
171.68.1.0/24
CE-SA
PE-SA
MP-iBGP 171.68.1.0/24 Label 40 Route-Target 1:1
VRF HUB-OUT RT and LFIB Destination NextHop Label 171.68.1.0/24 PE-SA 40 171.68.2.0/24 PE-SB 50 MP-iBGP 171.68.0.0/16 Label 35 Route-Target 2:2
VRF RT and LFIB at PE-SA 171.68.0.0/16 PE-Hub 35 171.68.1.0/24 CE-SA VRF RT and LFIB at PE-SB 171.68.0.0/16 PE-Hub 35 171.68.2.0/24 CE-SB
VRF HUB-OUT
PE-Hub
VRF HUB-IN
171.68.2.0/24
CE-SB
PE-SB
Spoke B
MP-iBGP 171.68.2.0/24 Label 50 Route-Target 1:1
VRF HUB-IN Routing Table Destination NextHop 171.68.0.0/16 CE-H1
Two VRFs at the PE-hub:

VRF HUB_OUT would have knowledge of every spoke routes VRF HUB_IN only have a 171.68.0.0/16 route and advertise that to spoke PEs
Import and export route-target within a VRF must be different

40
20
MPLS-VPN Services:
2. Hub and Spoke Service: Forwarding Plane This is how the spoke-to-spoke traffic flows MPLS Backbone Spoke A
171.68.1.0/24 171.68.1.1
CE-SA
PE-SA
L2
40
171.68.1.1
VRF HUB-OUT
PE-Hub Spoke B
171.68.2.0/24 171.68.1.1
CE-SB
PE-SB
L1
35
171.68.1.1
VRF HUB-IN
L1 is the label to get to PE-Hub L2 is the label to get to PE-SA

BRKRST-2102 13902_06_2007_x1
Cisco Confidential
41
MPLS-VPN Services:
2. Hub and Spoke Service: Half-Duplex VRF Why do we need Half-duplex VRF? If more than one spoke router (CE) connects to the same PE router within the single VRF, then such spokes can reach other without needing the Hub
This defeats the purpose of doing Hub and Spoke
Half-duplex VRF is the answer

Half-duplex VRF is specific to virtual-template* i.e. dial-user
It requires two VRFs on the PE (Spoke) router

Upstream VRF for Spoke->Hub communication Downstream VRF for Spoke<-Hub communication
* Being extended to other interfaces as well
42
21
MPLS-VPN Services:
ip vrf red-vrf description VRF upstream flow rd 300:111 route-target import 2:2
2. Hub and Spoke Service: Half-Duplex VRF

ip vrf blue-vrf description VRF downstream flow rd 300:112 route-target export 1:1 ip vrf HUB-OUT description VRF for traffic from HUB rd 300:11 route-target import 1:1
Spoke A
171.68.1.0/24
CE-SA PE-SA MPLS Backbone PE-Hub
Spoke B
171.68.2.0/24
CE-SB
Int virtual-template1 . ip vrf forward red-vrf downstream blue-vrf
Upstream VRF
Downstream VRF
ip vrf HUB-IN description VRF for traffic to HUB rd 300:12 route-target export 2:2
PE-SA installs the spoke routes only in downstream VRF i.e. blue-VRF PE-SA forwards the incoming IP traffic (from Spokes) using the upstream VRF i.e. red-vrf routing table
43
Agenda

44
22
MPLS-VPN Services
3. Extranet VPN MPLS VPN, by default, isolates one VPN customer from another
Separate virtual routing table for each VPN customer
Communication between VPNs may be required i.e., extranet

External intercompany communication (dealers with manufacturer, retailer with wholesale provider, etc.) Management VPN, shared-service VPN, etc.
Needs right import and export route-target (RT) values configuration within the VRFs
Export-map or import-map should be used
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
45
3. MPLS-VPN Services: Extranet VPN

MPLS Backbone VPN_A Site#1 171.68.0.0/16 SO PE1 P PE2
Goal: Only VPN_A site#1 to Be Reachable to VPN_B

192.6.0.0/16 VPN_A Site#2
180.1.0.0/16 VPN_B Site#1
ip vrf VPN_A rd 3000:111 export map VPN_A_Export import map VPN_A_Import route-target import 3000:111 route-target export 3000:111 route-target import 3000:1 ! route-map VPN_A_Export permit 10 match ip address 1 set extcommunity rt 3000:2 ! route-map VPN_A_Import permit 10 match ip address 2 ! access-list 1 permit 171.68.0.0 0.0.0.0 access-list 2 permit 180.1.0.0 0.0.0.0
ip vrf VPN_B rd 3000:222 export map VPN_B_Export import map VPN_B_Import route-target import 3000:222 route-target export 3000:222 route-target import 3000:2 ! route-map VPN_B_Export permit 10 match ip address 2 set extcommunity rt 3000:1 ! route-map VPN_B_Import permit 10 match ip address 1 ! access-list 1 permit 171.68.0.0 0.0.0.0 access-list 2 permit 180.1.0.0 0.0.0.0
Only Site#1 of both VPN_A and VPN_B would Communicate with Each Other, Site#2 Wont be part of it.
46
23
Agenda

47
MPLS-VPN Services
4. Internet Access Service to VPN Customers Internet access service could be provided as another value-added service to VPN customers Security mechanism must be in place at both provider network and customer network
To protect from the Internet vulnerabilities
VPN customers benefit from the single point of contact for both Intranet and Internet connectivity
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
48
24
MPLS-VPN Services
4. Internet Access: Different Methods of Service Four ways to provide the Internet service
1. VRF specific default route with global keyword 2. Separate PE-CE sub-interface (non-VRF) 3. Extranet with Internet-VRF 4. VRF-aware NAT
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
49
MPLS-VPN Services
1. VRF specific default route
4. Internet Access: Different Methods of Service
1.1 Static default route to move traffic from VRF to Internet (global routing table) 1.2 Static routes for VPN customers to move traffic from Internet (global routing table) to VRF
3. Separate PE-CE sub-interface (non-VRF)

May run BGP to propagate Internet routes between PE and CE
5. Extranet with Internet-VRF

VPN packets never leave VRF context; issue with overlapping VPN address
7. Extranet with Internet-VRF along with VRF-aware NAT

VPN packets never leave VRF context; works well with overlapping VPN address
50
25
MPLS-VPN Services:
Site1 171.68.0.0/16 CE1 SO PE1 192.168.1.2
PE1# ip vrf VPN-A rd 100:1 route-target both 100:1 Interface Serial0 ip address 192.168.10.1 255.255.255.0 ip vrf forwarding VPN-A Router bgp 100 no bgp default ipv4-unicast redistribute static neighbor 192.168.1.1 remote 100 neighbor 192.168.1.1 activate neighbor 192.168.1.1 next-hop-self neighbor 192.168.1.1 update-source loopback0
4.1 Internet Access: VRF Specific Default Route

MPLS Backbone Internet ASBR P 192.168.1.1 Internet GW
A default route, pointing to the ASBR, is installed into the site VRF at each PE The static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP
51
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global ip route 171.68.0.0 255.255.0.0 Serial0
MPLS-VPN Services:
Site1 171.68.0.0/16
IP Packet D=171.68.1.1 IP Packet D=Cisco.com Label = 30 IP Packet D=Cisco.com
4.1 Internet Access: VRF Specific Default Route (Forwarding)

MPLS Backbone
IP Packet D=Cisco.com
Internet
Se0
192.168.1.2
PE1 P
PE2
Label = 35 IP Packet D=171.68.1.1
SO
192.168.1.1
IP Packet D=171.68.1.1
Global Routing/FIB Table Destination Label/Interface 192.168.1.1/32 Label=30 171.68.0.0/16 Serial 0
Global Table and LFIB Destination Label/Interface 192.168.1.2/32 Label=35 171.68.0.0/16 192.168.1.2 Internet Serial 0
VRF Routing/FIB Table Destination Label/Interface 0.0.0.0/0 192.168.1.1 (global) Site-1 Serial 0
Pros Different Internet gateways can be used for different VRFs PE routers need not to hold the Internet table Simple configuration
Cons Using default route for Internet routing does NOT allow any other default route for intra-VPN routing Increasing size of global routing table by leaking VPN routes Static configuration (possibility of traffic blackholing)
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
52
26
MPLS-VPN Services
4.2 Internet Access
1. VRF specific default route
1.1 Static default route to move traffic from VRF to Internet (global routing table) 1.2 Static routes for VPN customers to move traffic from Internet (global routing table) to VRF
3. Separate PE-CE sub-interface (non-VRF)

May run BGP to propagate Internet routes between PE and CE
5. Extranet with Internet-VRF

VPN packets never leave VRF context; overlapping VPN addresses could be a problem
7. Extranet with Internet-VRF along with VRF-aware NAT

VPN packets never leave VRF context; works well with overlapping VPN addresses
53
4.2 Internet Access Service to VPN

Site1 171.68.0.0/16 CE1 BGP-4 Se0.2 PE1 192.168.1.2 Se0.1
ip vrf VPN-A rd 100:1 route-target both 100:1 Interface Serial0.1 ip vrf forwarding VPN-A ip address 192.168.20.1 255.255.255.0 frame-relay interface-dlci 100 ! Interface Serial0.2 ip address 171.68.10.1 255.255.255.0 frame-relay interface-dlci 200 ! Router bgp 100 no bgp default ipv4-unicast neighbor 171.68.10.2 remote-as 502
Customers Using Separate Sub-Interface (Config)

MPLS Backbone Internet Internet
192.168.1.1
ASBR
P Internet GW
One sub-interface for VPN routing associated to a VRF Another sub-interface for Internet routing associated to the global routing table Could advertise full Internet routes or a default route to CE The PE will need to advertise VPN routes to the Internet (via global routing table)
54
27
Internet Access Service to VPN Customer

4.2 Using Separate Sub-Interface (Forwarding)
Site1 171.68.0.0/16
IP Packet D=Cisco.com Label = 30 IP Packet D=Cisco.com
MPLS Backbone Internet Internet
S0.2 S0.1 CE Routing Table VPN Routes Serial0.1 Internet Routes Serial0.2 PE Global Table and FIB Internet Routes 192.168.1.1 192.168.1.1 Label=30
IP Packet D=Cisco.com
PE1 192.168.1.2 P
192.168.1.1
PE2
PE-Internet GW
Pros
CE could dual home and perform optimal routing Traffic separation done by CE
Cons
PE to hold full Internet routes BGP complexities introduced in CE; CE1 may need to aggregate to avoid AS_PATH looping
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
55
Internet Access Service

4.3 Extranet with Internet-VRF The Internet routes could be placed within the VRF at the Internet-GW i.e. ASBR VRFs for customers could extranet with the Internet VRF and receive either default, partial or full Internet routes Be careful if multiple customer VRFs, at the same PE, are importing full Internet routes Works well only if the VPN customers dont have overlapping addresses
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
56
28
Internet Access Service
4.4 Internet Access Using VRF-Aware NAT If the VPN customers need Internet access without Internet routes, then VRF-aware NAT can be used at the Internet-GW i.e. ASBR The Internet GW doesnt need to have Internet routes either Overlapping VPN addresses is no longer a problem More in the VRF-aware NAT slides
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
57
Agenda

58
29
MPLS VPN Service

5. VRF-Selection The common notion is that a single VRF must be associated to an interface VRF-selection breaks this association and enables to associate multiple VRFs to an interface Each packet on the PE-CE interface could be handled (based on certain criteria) via different VRF routing tables
Criteria such as source/dest IP address, ToS, TCP port, etc. specified via a route-map
Voice and data can be separated out into different VRFs at the PE; Service enabler
59
MPLS VPN Service

Global Interface PE1
33.3.14.1
5. VRF-Selection: Based on Source IP Address

RR VRF Interfaces VPN Brown 33.3.0.0/16
Cable Setup
CE1 Se0/0
MPLS Backbone (Cable Company)
PE2
VPN Blue 44.3.0.0/16
66.3.1.25 44.3.12.1
Traffic Flows
interface Serial0/0 ip address 215.2.0.6 255.255.255.252 ip policy route-map PBR-VRF-Selection ip receive brown ip receive blue ip receive green access-list 40 permit 33.3.0.0 0.0.255.255 access-list 50 permit 44.3.0.0 0.0.255.255 access-list 60 permit 66.3.0.0 0.0.255.255
ip vrf brown rd 3000:111 route-target export 3000:1 route-target import 3000:1 ! ip vrf blue rd 3000:222 route-target export 3000:2 route-target import 3000:2 ! ip vrf green rd 3000:333 route-target export 3000:3 route-target import 3000:3
BRKRST-2102 13902_06_2007_x1
VPN Green 66.3.0.0/16

route-map PBR-VRF-Selection permit 10 match ip address 40 set vrf brown route-map PBR-VRF-Selection permit 20 match ip address 50 set vrf blue route-map PBR-VRF-Selection permit 30 match ip address 60 set vrf green
Cisco Confidential
60
30
Agenda

61
MPLS VPN Service

6. Remote Access Service Remote access users i.e. dial users, IPSec users could directly be terminated in VRF
PPP users can be terminated into VRFs IPSec tunnels can be terminated into VRFs
Remote access services integration with MPLS VPN opens up new opportunities for providers and VPN customers
BRKSEC-2010 Deploying Remote-Access IPSec/SSL VPNs
Remote Access is not to be confused by GET VPN that provides any-to-any (CE-based) security service
BRKSEC-4012 Advanced IPSec with GET VPN
62
31
MPLS VPN Service

Branch Office SOHO
6. Remote Access Service: IPSec to MPLS VPN

Access
PE+IPSec Aggregator Internet PE
SP Shared Network
SP AAA
Corporate Intranet
Customer AAA VPN A Customer A head office
Local or Direct Dial ISP
Cable/DSL/ ISDN ISP Remote Users/ Telecommuters
Cisco IOS VPN Routers or Cisco Client 3.x or higher
IKE_ID is IP/MPLS/Layer 2 used to map Based Network the IPSec tunnel to PE the VRF (within the ISAKMP VPN A profile)
Customer A Branch Office MPLS VPN
PE
VPN B Customer B VPN C Customer C
IP
BRKRST-2102 13902_06_2007_x1
IPSec Session
IP
63
Agenda

64
32
MPLS-VPN Services
7. VRF-Aware NAT Services VPN customers could be using overlapping IP address i.e. 10.0.0.0/8 Such VPN customers must NAT their traffic before using either Extranet or Internet or any shared* services PE is capable of NATting the VPN packets (eliminating the need for an extra NAT device)
* VoIP, Hosted Content, Management, etc.

65
MPLS-VPN Services
7. VRF-Aware NAT Services Typically, inside interface(s) connect to private address space and outside interface(s) connect to global address space
NAT occurs after routing for traffic from inside-to-outside interfaces NAT occurs before routing for traffic from outside-to-inside interfaces
Each NAT entry is associated with the VRF Works on VPN packets in the following switch paths: IP->IP, IP->MPLS and MPLS->IP
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
66
33
MPLS-VPN Services
CE1 PE11
7. VRF-Aware NAT Services: Internet Access

MPLS Backbone P PE12 IP NAT Inside IP NAT Outside ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24 ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24 ip nat inside source list vpn-to-nat pool pool-green vrf green ip nat inside source list vpn-to-nat pool pool-blue vrf blue ip access-list standard vpn-to-nat permit 10.1.1.0 0.0.0.255 ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global VRF-Aware NAT Specific Config
67 10.1.1.0/24
Green VPN Site CE2
PE-ASBR
.1
217.34.42.2
Internet
10.1.1.0/24
Blue VPN Site ip vrf green rd 3000:111 route-target both 3000:1 ip vrf blue rd 3000:222 route-target both 3000:2 router bgp 3000 address-family ipv4 vrf green network 0.0.0.0 address-family ipv4 vrf blue network 0.0.0.0 VRF Specific Config
MPLS-VPN Services
Src=10.1.1.1 Dest=Internet 10.1.1.0/24
7. VRF-Aware NAT Services: Internet Access

CE1 IP Packet
10.1.1.0/24 Label=30 Src=10.1.1.1 Dest=Internet
MPLS Backbone
Src=24.1.1.1 Dest=Internet Src=25.1.1.1 Dest=Internet
Green VPN Site

CE2
Src=10.1.1.1 Dest=Internet
PE11 PE12 P
Label=40 Src=10.1.1.1 Dest=Internet
PE-ASBR
Internet
IP Packet
Blue VPN Site
Traffic Flows
MPLS Packet
PE-ASBR removes the label from the received MPLS packets per LFIB Performs NAT on the resulting IP packets Forwards the packet to the internet Returning packets are NATed and put back in the VRF context and then routed This is also one of the ways to provide Internet access to VPN customers with or without overlapping addresses
VRF IP Source 10.1.1.1 10.1.1.1
NAT Table Global IP VRF-Table-Id 24.1.1.1 green 25.1.1.1 blue
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
68
34
Agenda

69
MPLS-VPN Services:
8. Providing QoS to VPN Customers

VPN customers may want SLA so as to treat real-time, mission-critical and best-effort traffic appropriately QoS can be applied to VRF interfaces
Just like any global interface Same old QoS mechanisms are applicable
Remember IP Precedence bits are copied to MPLS EXP bits (default behavior) MPLS Traffic-Eng could be used to provide the bandwidthon-demand or Fast Rerouting to VPN customers
BRKRST-2104 BRKRST-1101 Deploying MPLS Traffic Engineering Introduction to MPLS
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
70
35
Agenda
1. Providing Load-Shared Traffic to the Multihomed VPN Sites 2. Providing Hub and Spoke Service to the VPN Customers 3. Providing MPLS VPN Extranet Service 4. Providing Internet Access Service to VPN Customers 5. Providing VRF-Selection Based Services 6. Providing Remote Access MPLS VPN 7. Providing VRF-Aware NAT Services 8. Providing QoS Service to VPNs 9. Providing Multicast Service to VPNs 10. Providing MPLS/VPN over IP Transport 11. Providing Multi-VRF CE Service

71
MPLS-VPN Services:
9. Providing Multicast Service to VPNs Multicast VPN service is also available for deployment
Current deployment model utilizes GRE encapsulation (not MPLS) within SP network
Multicast VPN also utilizes the existing 2547 infrastructure MPLS multicast i.e., mLDP and P2MP TE, is not far away either Please see the following session for details on mVPN:
BRKRST-2105 Inter-AS MPLS Solutions BRKRST-3261 Advances IP Multicast
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
72
36
Agenda
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
73
MPLS-VPN Services:
10. Providing MPLS/VPN over IP Transport MPLS/VPN (rfc2547) can also be deployed using IP transport
NO LDP or MPLS anywhere Useful when the core (P) routers are not capable of MPLS
In this mode, Instead of using the MPLS Tunnel to reach the next-hop, an IP tunnel is used
IP tunnel could be L2TPv3, GRE etc.
Basically, the MPLS/VPN packet is encapsulated inside another IP header

MPLS labels are still allocated for the VPN prefix by the PE routers and used only by the PE routers
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
74
37
MPLS-VPN Services:
10. Providing MPLS/VPN over IP Transport

2547 over L2TPv3
2547 over GRE
Ingress PE encapsulates the incoming IP packet (on VRF interface) into an MPLS packet and then encapsulates that MPLS packet inside the IP tunnel such as L2TPv3 tunnel Egress PE decapsulates the incoming L2TP packet and recirculates the resulting MPLS packet for usual MPLS packet forwarding Core routers forward the packet based on IP header
75
MPLS-VPN Services:
10. Providing MPLS/VPN over IP Transport

PE PE CE IP/MPLS Network
MPLS/IP
CE
CE
IP Network
MPLS/MPLS
IP/MPLS Network
The IP tunnel could be a p2p or multipoint tunnel
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
76
38
Agenda
1. Providing Load-Shared Traffic to the Multihomed VPN Sites 2. Providing Hub and Spoke Service to the VPN Customers 3. Providing MPLS VPN Extranet Service 4. Providing Internet Access Service to VPN Customers 5. Providing VRF-Selection Based Services 6. Providing Remote Access MPLS VPN 7. Providing VRF-Aware NAT Services 8. Providing QoS Service to VPNs 9. Providing Multicast Service to VPNs 10. Providing MPLS/VPN over IP Transport 11. Providing Multi-VRF CE Service

77
MPLS-VPN Services:
11. Providing Multi-VRF CE Service

Is it possible for an IP router to keep multiple customer connections separated?
Yes, multi-VRF CE aka vrf-lite can be used
Multi-VRF CE provides multiple virtual routing tables (and forwarding tables) per customer at the CE router
Not a feature but an application based on VRF implementation Any routing protocol that is supported by normal VRF can be used in a Multi-VRF CE implementation
Note that there is no MPLS functionality needed on the CE, no label exchange between the CE and any router (including PE) One of the deployment models is to extend the VRFs to the CE, another is to extend it further inside the Campus => Virtualization
Campus Virtualization blends really well
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
78
39
MPLS-VPN Services:
11. Providing Multi-VRF CE Service One Deployment ModelExtending MPLS/VPN to CE

Campus
ip vrf green rd 3000:111 route-target both 3000:1 ip vrf blue rd 3000:222 route-target both 3000:2 ip vrf red rd 3000:333 route-target both 3000:3
Vrf green
SubInterface Link Vrf * green

Vrf red
Campus
Vrf green
MPLS Network
PE Router PE Router Vrf red
Vrf red
Multi-VRF CE Router
ip vrf green rd 3000:111 ip vrf blue rd 3000:222 Ip vrf red rd 3000:333
*SubInterface Link Any Interface type that supports Sub Interfaces, FE-Vlan, Frame Relay, ATM VCs
79
Agenda
MPLS VPN Explained MPLS-VPN Services Best Practices Conclusion
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
80
40
Best Practices
1. Use RR to scale BGP; deploy RRs in pair for the redundancy
Keep RRs out of the forwarding paths and disable CEF (saves memory)
2. RT and RD should have ASN in them i.e. ASN: X

Reserve first few 100s of X for the internal purposes such as filtering
3. Consider unique RD per VRF per PE, if load sharing of VPN traffic is required 4. Don't use customer names as the VRF names; nightmare for the NOC. Use simple combination of numbers and characters in the VRF name
For example: v101, v102, v201, v202, etc. Use description.
5. PE-CE IP address should come out of SPs public address space to avoid overlapping
Use /31 subnetting on PE-CE interfaces
6. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor
Max-prefix within the VRF configuration; Do suppress the inactive routes. Max-prefix per neighbor within the BGP VRF af (if BGP on the PE-CE)
81
Agenda
MPLS VPN Explained MPLS-VPN Services Best Practices Conclusion
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
82
41
Conclusion
MPLS VPN is a cheaper alternative to traditional l2vpn
Secured VPN
MPLS-VPN paves the way for new revenue streams

VPN customers could outsource their layer3 to the provider
Straightforward to configure any-to-any VPN topology

Partial-mesh, Hub and Spoke topologies can also be easily deployed
CsC and Inter-AS could be used to expand into new markets VRF-aware services could be deployed to maximize the investment
83
Q and A
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
84
42
Recommended Reading
Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store

85
Complete Your Online Session Evaluation

Win fabulous prizes; give us your feedback Receive ten Passport Points for each session evaluation you complete Go to the Internet stations located throughout the Convention Center to complete your session evaluation Winners will be announced daily at the Internet stations
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
86
43
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
87
Additional Slides
Advanced MPLS VPN Topics Inter-AS and CsC
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
88
44
Agenda
Advanced MPLS VPN Topics
Inter-AS MPLS-VPN CsC Carrier Supporting Carrier
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
89
What Is Inter-AS?
Provider X
RR1
MP-iBGP Update:
Provider Y
ASBR1 RR2 ASBR2
???
PE1
AS #1
AS #2
PE2
Problem: How do Provider X and Provider Y exchange VPN routes?
BGP, OSPF, RIPv2 149.27.2.0/24, NH=CE-1
CE-1
CE2
VPN-A
149.27.2.0/24
VPN-A
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
90
45
Inter-AS Deployment Scenarios

Following Options/Scenarios for Deploying Inter-AS:
ASBR1
1. Back-to-Back VRFs (option A) 2. MP-eBGP for VPNv4 (option B)
ASBR2
PE1
AS #1
3. Multihop MP-eBGP Between RRs (Option C)
AS #2
PE2
CE1
4. Non-VPN Transit Provider
CE2
VPN-A
Each Option Is Covered in Additional Slides
BRKRST-2102 13902_06_2007_x1
VPN-A
Cisco Confidential
91
Scenario 1: Back-to-Back VRF

Control Plane
ASBR-1
VPN-v4 update: RD:1:27:10.1.1.0/24 NH=PE-1 RT=1:1, Label=(29) VPN-B VRF Import routes with route-target 1:1
ASBR-2
VPN-v4 update: RD:1:27:10.1.1.0/24, NH=ASBR-2 RT=1:1, Label=(92)
PE-1
BGP, OSPF, RIPv2 10.1.1.0/24 NH=ASBR-2
VPN-B VRF Import routes with route-target 1:1
PE-2
BGP, OSPF, RIPv2 10.1.1.0/24,NH=PE-2
BGP, OSPF, RIPv2 10.1.1.0/24,NH=CE-2
CE-2
CE-3
VPN-B
10.1.1.0/24
VPN-B
VRF to VRF Connectivity between ASBRs

92
46
Scenario 1: Back-to-Back VRF

Forwarding Plane
30 29 10.1.1.1
ASBR-1
ASBR-2
92
10.1.1.1
P2
P1
10.1.1.1 20 92 10.1.1.1
PE-1
10.1.1.1
CE-2
IP Packets between ASBRs

CE-3
PE-2
10.1.1.1
VPN-B
10.1.1.0/24
VPN-B
Pros
Per-customer QoS is possible It is simple and elegant since no need to load the Inter-AS code (but still not widely deployed)
Cons
Not scalable. # of interface on both ASBRs is directly proportional to #VRF No end-to-end MPLS Unnecessary memory consumed in RIB/(L)FIB Dual-homing of ASBR makes provisioning worse
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
93
Cisco IOS Configuration

ASBR1
1.1.1.0/30
Scenario 1: Back-to-Back VRF Between ASBRs

ASBR2
AS #1
PE1
VRF routes exchange via any routing protocol
AS #2
PE2
ASBR VRF and BGP config ip vrf green rd 1:1 route-target both 1:1 ! Router bgp x Address-family ipv4 vrf green neighbor 1.1.1.x activate
Note: ASBR must already have MPiBGP session with iBGP neighbors such as RRs or PEs.
CE-1
CE-2
VPN-A
VPN-A
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
94
47
Scenario 2: MP-eBGP Between ASBRs to Exchange VPNv4 Routes

New CLI no bgp default route-target filter is needed on the ASBRs ASBRs exchange VPN routes using eBGP (VPNv4 af) ASBRs store all VPN routes
But only in BGP table and LFIB table Not in routing nor in CEF table
ASBRs dont need VRFs to be configured on them LDP between them
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
95
Scenario 2: MP-eBGP Between ASBRs for VPN Control Plane

ASBR-1
MP-iBGP update: RD:1:27:10.1.1.0/24, NH=PE-1 RT=1:1, Label=(40)
ASBR-2
MP-iBGP update: RD:1:27:10.1.1.0/24, NH=ASBR-2 RT=1:1, Label=(30)
MP-eBGP update: RD:1:27:10.1.1.0/24, NH=ASBR-1 RT=1:1, Label=(20)
PE-1
PE-2
BGP, OSPF, RIPv2 10.1.1.0/24, NH=PE-2
BGP, OSPF, RIPv2 10.1.1.0/24, NH=CE-2
CE-2
CE-3
VPN-B
10.1.1.0/24
VPN-B
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
96
48
Scenario 2: MP-eBGP Between ASBRs for VPN Forwarding Plane

30 40 10.1.1.1
ASBR-1
ASBR-2
30
10.1.1.1
P2
P1
40
10.1.1.1
20
10.1.1.1
20
30
10.1.1.1
PE-1
MPLS Packets between ASBRs

CE-2
PE-2 CE-3
10.1.1.1
VPN-B
10.1.1.0/24
VPN-B
10.1.1.1
More scalable
Pros
Automatic Route Filtering must be disabled

But we can apply BGP filtering
Cons
Only one interface between ASBRs routers No VRF configuration on ASBR Less memory consumption (no RIB/FIB memory)
ASBRs are still required to hold VPN routes
MPLS label switching between providers

Still simple, more scalable and works today
97

ASBR1
Scenario 2: External MP-BGP Between ASBRs for VPN

MP-eBGP for VPNv4
1.1.1.0/30 Label exchange between ASBRs using MP-eBGP
ASBR2
AS #1
PE1
AS #2
PE2
CE-1
VPN-A
ASBR MB-EBGP Configuration Router bgp x no bgp default route-target filter neighbor 1.1.1.x remote-as x ! address-family vpnv4 neighbor 1.1.1.x activate neighbor 1.1.1.x send-com extended
CE-2
VPN-A
Note: ASBR must already have MPiBGP session with iBGP neighbors such as RRs or PEs.
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
98
49
Scenario 3: Multihop MP-eBGP Between RRs to Exchange VPNv4 Routes

Exchange VPNv4 prefixes via the Route Reflectors
Requires Multihop MP-eBGP (with next-hop-unchanged)
Exchange IPv4 routes with labels between directly connected ASBRs using eBGP 499-0753 Only PE loopback addresses need to be exchanged (they are
BGP next-hop addresses of the VPN routes)
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
99
Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes: Control Plane
RR-1
VPN-v4 update: RD:1:27:10.1.1.0/24, NH=PE-1 RT=1:1, Label=(90) VPN-v4 update: RD:1:27:10.1.1.0/24, NH=PE-1 RT=1:1, Label=(90)
RR-2
VPN-v4 update: RD:1:27:10.1.1.0/24, NH=PE-1 RT=1:1, Label=(90)
AS#1
IGP+LDP: Network=PE-1 NH=PE-1 Label=(40)
ASBR-1
ASBR-2
AS#2
PE-1
BGP, OSPF, RIPv2 10.1.1.0/24,NH=CE-2
IP-v4 update: Network=PE-1 NH=ASBR-1 Label=(20)
CE-2
IGP+LDP: Network=PE-1 NH=ASBR-2 Label=(30)
PE-2
BGP, OSPF, RIPv2 10.1.1.0/24,NH=PE-2
CE-3
VPN-B
10.1.1.0/24
VPN-B
Note - Instead of IGP+Label, iBGP+Label can be used to exchange PE routes/label. Please see Scenario#5 on slide#49 and 50.
100
50
Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes: Forwarding Plane
RR-1 P1
40 90 10.1.1.1 90 10.1.1.1
RR-2
P2
ASBR-1
ASBR-2
30
90
10.1.1.1 50 90 10.1.1.1
PE-1
20 10.1.1.1 90 10.1.1.1
PE-2 CE-3
10.1.1.1
CE-2
VPN-B
10.1.1.0/24
VPN-B
Note - Instead of IGP+Label, iBGP+Label can be used to exchange PE routes/label.

BRKRST-2102 13902_06_2007_x1
Cisco Confidential
101
Scenario 3: Pros/Cons
Pros
More scalable than Scenario 1 and 2
Separation of control and forwarding planes
Cons
Advertising PE addresses to another AS may not be acceptable to few providers
Route Reflector exchange VPNv4 routes+labels

RR hold the VPNv4 information anyway
ASBRs now exchange only IPv4 routes+labels

ASBR Forwards MPLS packets
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
102
51

RR-1 Multihop MP-eBGP for VPNv4 with next-hop-unchange ASBR-1
Scenario 3: Multihop MP-eBGP Between RRs for VPN

RR-2
PE1
ASBR-2
AS #1
CE-1 eBGP IPv4 + Labels
AS #2
PE2
CE-2
VPN-A
RR Configuration
router bgp x neighbor <RR-x> remote-as x neighbor <RR-x> ebgp-multihop neighbor <RR-x> update loopback 0 ! address-family vpnv4 neighbor <RR-x> activate neighbor <RR-x> send-com extended neighbor <RR-x> next-hop-unchanged
ASBR Configuration
router ospf x redistribute bgp 1 subnets ! router bgp x neighbor < ASBR-x > remote-as x ! address-family ipv4 Network <PEx> mask 255.255.255.255 Network <RRx> mask 255.255.255.255 neighbor < ASBR-x > activate neighbor < ASBR-x > send-label
VPN-A
iBGPipv4+label could also be used in within each AS (instead of network <x.x.x.x>) to propagate the label information for PEs.
103
Scenario 4: Non-VPN Transit Provider

Two MPLS VPN providers may exchange routes via one or more transit providers
Which may be non-VPN transit backbones just running MPLS
Multihop MP-eBGP deployed between edge providers

With the exchange of BGP next-hops via the transit provider
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
104
52
Scenario 4: Non-VPN Transit Provider

ASBR-1
eBGP IPv4 + Labels
ASBR-2
iBGP IPv4 + Labels
MPLS VPN Provider #1 PE1 RR-1
Non-VPN MPLS Transit Backbone
ASBR-3 ASBR-4 CE-2 next-hop-unchanged

Multihop MP-eBGP OR MP-iBGP for VPNv4 eBGP IPv4 + Labels
VPN-B
RR-2
MPLS VPN Provider #2 PE2
iBGP IPv4 + Labels
CE-3
VPN-B
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
105
Route-Target Rewrite at ASBR

ASBR can add/delete route-target associated with a VPNv4 prefix Secures the VPN environment
ASBR(conf)#router bgp 1000 ASBR(conf-router)#neighbor 1.1.1.1 route-map route-target-deletion out ASBR(conf-router)#exit ASBR(conf)#route-map route-target-delete ASBR(conf-route-map)#match extcommunity 101 ASBR(conf-route-map)#set extcomm-list 101 delete ASBR(conf-route-map)#set extcommunity rt 123:123 additive ASBR(conf)# ip extcommunity-list 101 permit rt 100:100
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
106
53
Inter-AS Deployment Guidelines

1. Use ASN in the Route-target i.e. ASN:xxxx 2. Max-prefix limit (both BGP and VRF) on PEs 3. Security (BGP MD5, BGP filtering, BGP max-prefix etc.) on ASBRs 4. End-to-end QoS agreement on ASBRs 5. Route-Target rewrite on ASBR 6. Internet connectivity on the same ASBR??
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
107
Agenda
Advanced MPLS VPN Topics
Inter-AS MPLS-VPN Carrier Supporting Carrier (CsC)
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
108
54
MPLS/VPN Networks Without CsC

Number of VPN routes is one of the biggest limiting factors in scaling the PE router
Few SPs are running into this scaling limitation
If number of VPN routes can be reduced somehow (without loosing the functionality), then the existing investment can be protected
The same PE can still be used to connect more VPN customers
Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes from each VRF by enabling MPLS on the PE-CE link
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
109
CsC Deployment Model

MP-iBGP for VPNv4 P1 PE1
IGP+LDP IGP+LDP
PE2
Carriers MPLS Core

IPv4 Routes with Label Distribution
MPLS Enabled VRF Int CE1 ISP PoP Site-1

Internal Routes = IGP Routes
IPv4 Routes with Label Distribution
CE-2 Full-Mesh iBGP for External Routes ISP PoP Site-2 ASBR-2 R2 C1
Internal Routes = IGP Routes
ASBR-1 R1
INTERNET
ISP Customers = External Routes 110
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
55
Benefits of CsC
Provide transport for ISPs ($)
No need to manage external routes from ISPs
Build MPLS Internet Exchange (MPLS-IX) ($$)

Media Independence; POS/FDDI/PPP possible Higher speed such OC192 or more Operational benefits
Sell VPN service to subsidiary companies that provide VPN service ($)
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
111
What Do I Need to Enable CsC?

1. Build an MPLS-VPN enabled carriers network 2. Connect ISP/SPs sites (or PoPs) to the Carriers PEs 3. Exchange internal routes + labels between Carriers PE and ISP/SPs CE 4. Exchange external routes directly between ISP/SPs sites
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
112
56
CsC Deployment Models

MP-iBGP for VPNv4 P1 PE1
IGP+LDP
IGP+LDP
PE2
Carriers MPLS Core

IPv4 routes with label distribution
MPLS enabled VRF int

CE-1 Full-mesh iBGP for external routes CE-2
IPv4 routes with label distribution
ISP PoP Site-1

internal routes = IGP routes
ISP PoP Site-2

ASBR-2 R2 C1
Internal routes = IGP routes
ASBR-1
INTERNET
R1
ISP customers = external routes
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
113
CsC Deployment Models

1. Customer-ISP not running MPLS 2. Customer-ISP running MPLS 3. Customer-ISP running MPLS-VPN
Model 1 and 2 are less common deployments. Model 3 will be discussed in detail.
BRKRST-2102 13902_06_2007_x1
Cisco Confidential
114
57
CsC: ISP Sites Are Running MPLS-VPN Hierarchical MPLS-VPN Control Plane
MP-iBGP update: 1:1:30.1.61.25/32, RT=1:1 NH =PE-1, Label=51
PE1
IGP+LDP, Net=PE-1, Label = pop
P1
IGP+LDP, Net=PE-1, Label = 16
PE2
Carriers Core
30.1.61.25/32, NH=CE-1, Label = 50 30.1.61.25/32, NH=PE-2, Label = 52
CE-1
CE-2
MP-iBGP update: 1:1:10.1.1.0/24, RT=1:1 NH =30.1.61.25/32, Label = 90
ISP PoP Site-1

IGP+LDP 30.1.61.25/32,Label = pop
ISP PoP Site-2

ASBR_PE-2
IGP+LDP, 30.1.61.25/32 NH=CE-2, Label=60
ASBR_PE-1 30.1.61.25/32
10.1.1.0/24, NH=R1
C1
10.1.1.0/24, NH =ASBR_PE-2
Network = 10.1.1.0/24
BRKRST-2102 13902_06_2007_x1
R1 VPN Site-1
R2 VPN Site-2
IGP+LDP, 30.1.61.25/32 NH=C1, Label=70
115
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Forwarding Plane

P1
51 90 10.1.1.1 16 51 90 10.1.1.1
PE1
PE2
Carriers Core
50 90 10.1.1.1 52 90 10.1.1.1
CE-1
CE-2
ISP PoP Site-1
90
10.1.1.1 60 90 10.1.1.1
ISP PoP Site-2

C1
ASBR-1
10.1.1.1
ASBR-2
10.1.1.1 70 90 10.1.1.1
Network = 10.1.1.0/24
BRKRST-2102 13902_06_2007_x1
R1 VPN Site-1
R2 VPN Site-2
116
58

Deploying MPLS VPNs-2up

Uploaded by

Copyright:

Available Formats

Deploying MPLS VPNs-2up

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Deploying MPLS VPNs-2up

Uploaded by

Copyright:

Available Formats

Deploying MPLS VPN Networks

2007 Cisco Systems, Inc. All rights reserved.

Other MPLS Related Sessions

2007 Cisco Systems, Inc. All rights reserved.

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

VRF: VPN routing and forwarding

RT: Route target

LFIB: Label forwarding information base FIB: Forwarding information base

MPLS-VPN Services Best Practices Conclusion

2007 Cisco Systems, Inc. All rights reserved.

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

2007 Cisco Systems, Inc. All rights reserved.

2007 Cisco Systems, Inc. All rights reserved.

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

VRF Routing Table

The Global Routing Table

2007 Cisco Systems, Inc. All rights reserved.

Virtual Routing and Forwarding Instance (1)

EBGP, OSPF, RIPv2, Static CE VPN 1 VRF Blue

MPLS Backbone IGP (OSPF, ISIS)

Whats a VRF ? Associates to one or more interfaces on PE

CE router runs standard routing software

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

Virtual Routing and Forwarding Instance (2)

EBGP, OSPF, RIPv2, Static CE VPN 1

MPLS Backbone IGP (OSPF, ISIS)

MP_REACH_NLRI attribute within MP-BGP UPDATE message Lets Discuss:

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

MPLS VPN Control Plane

MP-BGP Update Components: VPNv4 Address

Each VRF must be configured with an RD at the PE

2007 Cisco Systems, Inc. All rights reserved.

MPLS VPN Control Plane

MP-BGP Update Components: Route-Target

2007 Cisco Systems, Inc. All rights reserved.

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

MPLS VPN Control Plane

MP-BGP Update Components: Label

MP-IBGP update with RD, RT, and label

MPLS VPN Control Plane

MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=Green, Label=100

5. PE1 sends MP-iBGP update to other PE routers

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

MPLS VPN Control Plane

MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=Green, Label=100

Site 2 CE1 PE1 P1 P2 PE2 CE2

P Global Routing/Forwarding Table Dest->Next-Hop PE2 P1, Label: 50

Global Routing/Forwarding Table Dest->Next-Hop PE1 P2, Label: 25

The Global Forwarding Table (show ip cef)

VRF Forwarding Table (show ip cef vrf <vrf>)

2007 Cisco Systems, Inc. All rights reserved.

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr

The second label is learned via MP-BGP

2007 Cisco Systems, Inc. All rights reserved.

MPLS-VPN Services Best Practices Conclusion

2007 Cisco Systems, Inc. All rights reserved.

2007, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr