Cisco BRKRST-2069


Network Virtualisation Design Concepts: LAN and WAN (VRF, MPLS, EVN)
BRKRST-2069
Craig Hill, [email protected]
www.ciscolivevirtual.com

Assumptions/Disclaimers

Participants should have:
- A solid base knowledge of IP routing, IP tunnels, and Campus and WAN design fundamentals and technologies
- Basic knowledge of VRFs, GRE tunnels, and DMVPN
- Basic understanding of MP-BGP and the MPLS control/forwarding plane

This discussion will not cover VMware, Virtual Machines, or other server virtualization technologies.
Data Center Interconnect (DCI) is an important application that leverages the WAN virtualization infrastructure, but it is not a focus of this session, nor are Layer 2 virtualization technologies.
RFC 2547 (BGP/MPLS IP VPNs) is referenced frequently for MPLS VPN. This is for familiarity only: RFC 2547 has been obsoleted by RFC 4364.
BRKRST-2069 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
- Network Virtualization Drivers and Building Blocks
- Enterprise Campus and WAN Deployment Considerations and Variations
- Deployment Solutions for a Virtualized Campus and WAN
- QoS Deployment Considerations in a Virtualized Campus and WAN
- Recent Innovations at Cisco in Virtualization
- Summary
Evolution of Network Virtualization
Means Many Things to Many People
- It has evolved a long way from technologies like TDM (1960s)
- From TDM, to ATM/FR Virtual Circuits in the WAN, to
- VLANs in the Campus, to
- Logical/Virtual Routers on routing devices, to
- Virtual Machines on server clusters in the data center

[Figure: timeline from TDM to 2012+: TDM; Virtual Circuits; VLANs; HSRP; GRE; VRF-Lite; MPLS; MPLS VPN; AToM; VPLS; L2TPv3; Logical Routers; Secure Domain Routers; Virtual Device Context; Virtual Switch System; Virtual Port Channel; VN-Link; Virtual Machines (VMware)]
What Is Network Virtualization?
- Giving one physical network the ability to support multiple virtual networks
- End-user perspective is that of being connected to a dedicated network (security, independent set of policies, routing decisions)
- Maintains hierarchy; virtualizes devices, data paths, and services
- Allows for better utilization of network resources

[Figure: one physical infrastructure carrying three virtual networks: internal organizational separation (Eng, Sales), merged company, guest access network]
Why Network Virtualization?
Key Drivers
- Cost reduction: a single physical network supports multiple users and virtual networks
- Simpler OAM: fewer network devices need to be managed and monitored
- Security: segmentation of the network for different departments is maintained over a single device/Campus/WAN. The separation holds only as long as no route leaking or shared interface joins the VRFs; traffic between groups should pass through an explicit policy point such as the shared-services firewall
- High availability: clustering devices that appear as one (vastly increased uptime)
- Data center applications require separation to be maintained end to end (i.e. continuity of virtualization from server to campus to WAN), including multi-tenant DCs for cloud computing

Common Use Cases
- Guest access, airports, cloud computing IaaS, physical security separation, company mergers
- Regulation/compliance: health care (HIPAA), credit card (PCI)
Enterprise Network Virtualization
Key Building Blocks
- Device Partitioning: virtualizing the routing and forwarding of the device
- Interconnect: extending and maintaining the virtualized devices/pools over any media
- Device Pooling: virtualizing multiple devices to function as a single device
Enterprise Network Virtualization
The Building Blocks: Example Technologies

Device Partitioning
- VLANs
- VRFs
- EVN (Easy Virtual Network)
- VDC (NX-OS Virtual Device Context)
- SDR (IOS-XR Secure Domain Routers)
- FW Contexts

Interconnect (Campus and WAN)
- L3 VPNs: MPLS VPNs, VRF-Lite, GRE, MPLS services (L2/L3) over GRE; in the WAN, MPLS VPN or VRF-Lite over IP
- L2 VPNs: AToM, PWE3, VPLS, L2 VPN over IP, L2TPv3, OTV (Overlay Transport Virtualization), Unified I/O, VLAN trunks
- Evolving standards: TRILL, 802.1ah, 802.1af, Fat-PW, MPLS-TP (MPLS Transport Profile), Ethernet-VPN, LISP virtualization

Device Pooling
- VSS (Virtual Switch System)
- Stackwise
- vPC (Virtual Port Channel)
- HSRP/GLBP
Differences Applying Virtualization to Campus and WAN
Campus and WAN Deployment Criteria
Key Differences and Similarities

Criterion                 | Campus/LAN                   | WAN
Bandwidth                 | Free (link between devices)  | Cost (monthly, yearly)
Transport devices         | Owned by enterprise          | Mix of SP and enterprise
Transport/fiber           | Owned by customer            | Owned by service provider
Network access            | Customer controlled (802.1X) | SP or customer controlled
IP encapsulation options  | Design specific              | Relevant for over-the-top transport options chosen by the end customer, or if IPsec is used
Encryption                | Specific cases (802.1AE?)    | Common (IPsec)
Topologies                | Point-to-point               | Many variations
Media                     | Ethernet                     | Many variations
What is Unique in the WAN for Virtualization?

Today's WAN Transport Options
- Topologies: point-to-point, multipoint; full/partial mesh; hub/spoke or multi-tier
- Media: serial, ATM/FR, OC-x; dark fiber, lambda; Ethernet
- VPN transport services: L2 Metro-E (p2p, p2mp); L3 private IP VPN; L3 public (Internet)
- Overlay options: GRE; Dynamic Multipoint VPN (DMVPN); L2/L3 VPN over IP
Self Deployed MPLS vs. SP L3 Managed
Network Virtualization Deployment Options

Self Deployed MPLS (customer-deployed MPLS backbone: customer-owned CE, PE and P routers between all sites)
- Customer manages and owns the CE routers, IP routing and provisioning
- Customer owns the transport for PE-P, P-P and PE-CE links
- Customer is responsible for SLAs to the end customer, QoS and Traffic Engineering
- Allows the customer full control end to end

SP Managed IP VPN Service (SP demarcation at the CE; the customer CE peers with the provider MPLS VPN PE over IP routing: BGP, static or IGP)
- CE routers owned by customer
- PE routers owned by SP
- Customer peers to the PE via IP
- Exchanges routing with the SP via a routing protocol (or static route)
- Customer relies on the SP to advertise routes to reach the other customer CEs
- No labels are exchanged with the SP
Self Deployed MPLS over SP L3 Managed Service
Creates a Carrier over Carrier Model

SP Managed IP VPN Service
- CE routers owned by customer
- PE routers owned by SP
- Customer peers to the PE via IP
- Exchanges routing with the SP

L3 VPN over IP WAN Service (customer-managed VRF/MPLS over IP; the SP demarcation is unchanged)
- CE routers become MPLS PEs (C-PE)
- VRFs or MPLS labels are encapsulated in IP: IP routing to the SP, MPLS VPN over GRE between the C-PEs
- Adds an overlay of IP that allows self-deployed MPLS over an IP service

Other options, not as scalable or more complex:
- Carrier Supporting Carrier
- Back-to-back VRFs / Inter-AS Option A
- Layer 2 service (e.g. VPLS)
What is Unique in the LAN for Virtualization?
Campus Network Design Best Practices
- Hierarchical network: offers hierarchy, each layer has a specific role
- Modular topology building blocks
- Easy to grow, understand, and troubleshoot
- Creates small fault domains with clear demarcations and isolation
- Promotes load balancing and redundancy
- Promotes deterministic traffic patterns
- Incorporates a balance of both Layer 2 and Layer 3 technology, leveraging the strengths of both
- Utilizes Layer 3 routing for load balancing, fast

[Figure: three-tier campus (Access, Distribution, Layer 3 Core) with equal-cost links between distribution and core, and WAN, Data Center and Internet blocks attached; segmentation by VRF/VLAN]
Access Control
Authentication, Authorization
- Authentication: who/what is requesting access?
  - Holistic control: client-based, infrastructure integrated (802.1X)
  - User-based control: clientless, web authentication (WebAuth)
  - Device-specific control: MAC-address based, machine authentication, AAA override, SSID (guest)
- Authorization: where/how is the access granted?
  - Allow access to the network by placing the session in a particular VLAN or VRF

[Figure: campus on-ramp with edge access control mapping Dept A, Dept B, Partner and Guest into separate paths to resources and the Internet]
Services Edge
Sharing Services Between VPNs
- Services are usually not duplicated per group
- Economical
- Efficient and manageable
- Policies centrally deployed
- Shared for all groups: Internet gateway, video server, firewall and NAT, hosted content, DHCP, IPsec gateway

[Figure: Red, Blue and Green VPNs (users in the campus) reaching a shared resource block (Internet/shared resources) through the campus core]

Because the shared block is the one place where traffic from different VPNs meets, the shared firewall is where inter-group policy has to be enforced.
Enterprise Virtualization End to End
WAN Virtualization
- Allow virtualization over the WAN via any transport/media
- Support QoS and multicast
- Offer variations of complexity and scale
- Leverage industry standards

[Figure: Red, Green and Yellow VRFs carried end to end from Branches 1-3 across the WAN (and Internet) into the Campus distribution blocks and Data Center 1]
Layer 3 Network Virtualization
Technology Overview: VRF-Lite (Campus and WAN)

What Is VRF-Lite?
- Per VRF the router keeps a virtual routing table (RIB), a virtual forwarding table (FIB), and its own set of interfaces
- Leverages a virtual encapsulation for separation between devices: ATM VCs, Frame Relay DLCIs, Ethernet/802.1Q, GRE
- The routing protocol is also VRF aware: EIGRP, OSPF, BGP, RIP/RIPv2, static (per VRF)
- A Layer 3 interface cannot belong to more than a single VRF
VRF-Lite over Layer 2 Transport
Extend Virtualization over a WAN L2 Service
- Each Frame Relay VC terminates on a sub-interface, with a unique DLCI per VRF
- A routing protocol process (IGP) is created per VRF at both Branch and Campus
- Offers virtualized segmentation within a single physical interface
- The same applies to 802.1Q sub-interfaces if an Ethernet service is used

[Figure: multi-VRF CE at the branch site with FR sub-interfaces (one DLCI per VRF) across the Frame Relay WAN to the Data Center/HQ PE, which runs VRF-Lite or MPLS VPN towards the campus; enterprise routing is an IGP per VRF per DLCI]
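Added example, not from the session: the 802.1Q form of VRF-Lite described above on a single trunk interface, with one OSPF process per VRF and the checks that confirm the two routing tables stay separate. The VRF names, VLAN IDs, addresses and router IDs are assumed for illustration.

```ios
! Added example (not from the session): VRF-Lite over one 802.1Q trunk,
! one sub-interface and one OSPF process per VRF. VRF names, VLAN IDs,
! addresses and router IDs are assumed for illustration.
!
! "vrf definition" is the multiprotocol form of "ip vrf"; the ipv4
! address-family must be enabled explicitly.
vrf definition blue
 rd 65100:10
 address-family ipv4
 exit-address-family
!
vrf definition green
 rd 65100:20
 address-family ipv4
 exit-address-family
!
! One sub-interface per VRF. An interface belongs to exactly one VRF, and
! "vrf forwarding" removes any address already on the interface, so it is
! entered before "ip address".
interface GigabitEthernet0/1.10
 description blue, VLAN 10 to distribution
 encapsulation dot1Q 10
 vrf forwarding blue
 ip address 10.10.0.2 255.255.255.252
!
interface GigabitEthernet0/1.20
 description green, VLAN 20 to distribution
 encapsulation dot1Q 20
 vrf forwarding green
 ip address 10.20.0.2 255.255.255.252
!
! No LDP, no MP-BGP: a separate IGP process runs inside each VRF, so the
! routing scale grows with the number of VRFs.
router ospf 10 vrf blue
 router-id 10.10.255.1
 passive-interface default
 no passive-interface GigabitEthernet0/1.10
 network 10.10.0.0 0.0.255.255 area 0
!
router ospf 20 vrf green
 router-id 10.20.255.1
 passive-interface default
 no passive-interface GigabitEthernet0/1.20
 network 10.20.0.0 0.0.255.255 area 0
!
! Checks. The two RIBs are independent: a green prefix showing up in
! "show ip route vrf blue" means a leak was configured (route-target
! import, a static route pointing into another VRF, or a shared interface).
!   show vrf
!   show ip route vrf blue
!   show ip route vrf green
!   show ip ospf neighbor
!   ping vrf blue 10.10.0.1
```

The same pattern is repeated hop by hop through the campus; each additional VRF costs one sub-interface and one IGP process per hop, which is why the deck keeps VRF-Lite to a handful of VRFs and a short hop count.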
VRF-Lite End-to-End
Target Requirements in the Campus
- End-to-end segmentation, per VRF and per interface
- Targets deployments where a small number of VRFs are required
- Usually deployed in campus networks where the hop count is small as well (~1-2)
- Seen frequently Access to Distribution (vs. end to end)
- IGPs only: no MP-BGP or control plane signaling is required, and no labels are used
- No LDP is required (i.e. no MPLS)
- Still leverages the existing QoS model and supports IP multicast
- Full range of platform support within the Cisco portfolio of switches and routers

[Figure: two VRFs carried through the campus as separate VLANs on every hop: VLANs 10-16 for one VRF and VLANs 20-26 for the other]
VRF-Lite in the Campus and WAN
Summary
- Leverages the VRF in the router (RIB/FIB) plus a sub-interface per VRF for segmentation
- No MPLS, LDP, or BGP required
- Optimal solution when the VRF count is small (~ <8)
- Scale is usually dependent on the routing protocol (one process per VRF)
- Supports multicast and QoS solutions
- Most common deployments:
  - Campus: small number of VRFs, Access to Distribution, Distribution to Core
  - WAN: branch back-haul to campus, branch back-haul to an aggregation PE running full MPLS VPN
Multi-Protocol Label Switching (MPLS) over L2 Encapsulation in the WAN

MPLS: Robust WAN/Campus Virtualization Enabler
Allows Vast Network Service Capabilities over an IP Backbone
- Layer 3 VPN/Segmentation: VPN (RFC 2547bis); provides any-to-any connectivity
- Traffic Engineering: maximize link utilization with selective routing/path manipulation; optimization of bandwidth and protection using Fast ReRoute (FRR)
- Layer 2 VPN/Transport: AToM (Any Transport over MPLS), i.e. pseudowire; Layer 2 transport for Ethernet, ATM/FR, HDLC/PPP, and interworking; Layer 2 VPN: VPLS for bridged L2 domains over MPLS
- QoS capabilities: Diffserv, Diffserv-aware Traffic Engineering (DS-TE)
- Bandwidth protection services: combination of TE, Diffserv, DS-TE, and FRR
- IP multicast (per VPN/VRF)
- Transport of IPv6 over an IPv4 (global routing table) infrastructure
- Unified control plane (Generalized MPLS)

These are the key virtualization mechanisms available over an IP infrastructure.
MPLS Label Encapsulations
Applicable When Using MPLS over Layer 2 Transport
- One or more labels are appended to the packet between the Layer 2 header and the payload
- PPP (Packet over SONET/SDH): PPP Header | Label | Layer 2/L3 Packet
- LAN: MAC Header | Label | Layer 2/L3 Packet
- Label stacking (LAN example): MAC Header | Label 1 (outer label, used for forwarding) | Label 2 (inner label, L3 VPN or L2 VPN) | IP Header
MPLS VPN Technology Refresher (Campus and WAN)
MPLS VPN Connection Model

[Figure: CE routers for VPN 1 (VRF Blue) and VPN 2 (VRF Green) attached to PE routers; PEs connected through P routers in the global address space; PE-CE routing via eBGP, OSPF, RIPv2 or static; VPN backbone IGP in the core; MP-iBGP VPNv4 label exchange between the PEs]

CE Routers
- Exchange routes with the PE over an ordinary routing protocol (eBGP, OSPF, RIPv2, static) and have no MPLS or VPN awareness

PE Routers
- MPLS edge routers
- A VRF associates to one or more interfaces on the PE
- Each VRF has its own routing table and forwarding table (CEF)
- Each VRF has its own instance of the routing protocol (static, RIP, BGP, EIGRP, OSPF)
- MPLS forwarding towards the P routers, IP towards the CE routers
- Distribute VPN information through MP-BGP to other PE routers using VPN-IPv4 addresses, extended communities (route targets), and VPN labels

P Routers
- Sit in the core of the MPLS cloud
- Do not need to run BGP
- Have no knowledge of VPNs
- Switch packets based on labels (swap, and pop at the penultimate hop), not on IP
MPLS VPN over L2
Configuration Example (IOS)

[Figure: same connection model as the previous slide: CEs for VPN 1 (VRF Blue) and VPN 2 (VRF Green), PE and P routers, MP-iBGP VPNv4 label exchange between the PEs]

VRF Configuration (PE)

! PE router: multiple VRFs
ip vrf blue
 rd 65100:10
 route-target import 65100:10
 route-target export 65100:10
ip vrf green
 rd 65100:20
 route-target import 65100:20
 route-target export 65100:20
!
! One 802.1Q sub-interface per VRF towards the CEs (IP addresses are not shown on the slide)
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding blue
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding green

MP-iBGP Configuration (PE)

! PE router
router bgp 65100
 neighbor 192.168.100.4 remote-as 65100
 !
 address-family vpnv4
  neighbor 192.168.100.4 activate
  neighbor 192.168.100.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf blue
  neighbor 172.20.10.1 remote-as 65111
  neighbor 172.20.10.1 activate
 exit-address-family
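Added example, not part of the session's configuration: the PE above extended with a shared-services VRF (the route-target pattern behind the Services Edge slide earlier) and with the session hardening a practitioner would want on the core-facing LDP/iBGP sessions and on the PE-CE eBGP session. The VRF named shared, RT 65100:100, the interface names, addresses and passwords are assumed.

```ios
! Added example (not part of the session's configuration): the PE above
! with a shared-services VRF and session hardening. The VRF "shared",
! RT 65100:100, interface names, addresses and passwords are assumed.
!
! Route-target design for shared services: blue and green each import the
! shared VRF's RT and export their own; the shared VRF imports both.
! Neither blue nor green imports the other's RT, so their RIBs never
! contain each other's prefixes. The shared VRF does hold both, so the
! shared segment (where the firewall sits) is the only place blue and
! green traffic can meet, and inter-group policy is enforced there.
ip vrf blue
 rd 65100:10
 route-target export 65100:10
 route-target import 65100:10
 route-target import 65100:100
ip vrf green
 rd 65100:20
 route-target export 65100:20
 route-target import 65100:20
 route-target import 65100:100
ip vrf shared
 rd 65100:100
 route-target export 65100:100
 route-target import 65100:10
 route-target import 65100:20
!
interface GigabitEthernet0/2
 description shared services segment (firewall, DHCP, DNS)
 ip vrf forwarding shared
 ip address 10.250.0.1 255.255.255.0
!
! Core facing: LDP bound to the loopback and LDP sessions authenticated,
! so a rogue device on a core link cannot open a label session.
mpls ldp router-id Loopback0 force
mpls ldp password required
mpls ldp neighbor 192.168.100.2 password 0 replace-with-ldp-secret
!
interface GigabitEthernet0/0
 description core link to P
 ip address 192.168.1.1 255.255.255.252
 mpls ip
!
router bgp 65100
 neighbor 192.168.100.4 remote-as 65100
 neighbor 192.168.100.4 update-source Loopback0
 neighbor 192.168.100.4 password 0 replace-with-ibgp-secret
 !
 address-family vpnv4
  neighbor 192.168.100.4 activate
  neighbor 192.168.100.4 send-community extended
 exit-address-family
 !
 ! PE-CE eBGP: the CE is outside the trust boundary. Authenticate the
 ! session, accept only packets from the directly connected hop
 ! (GTSM, RFC 5082) and cap what the CE can inject into the VRF.
 address-family ipv4 vrf blue
  neighbor 172.20.10.1 remote-as 65111
  neighbor 172.20.10.1 password 0 replace-with-ce-secret
  neighbor 172.20.10.1 ttl-security hops 1
  neighbor 172.20.10.1 activate
  neighbor 172.20.10.1 maximum-prefix 100 80 restart 5
 exit-address-family
 !
 address-family ipv4 vrf shared
  redistribute connected
 exit-address-family
!
! Checks. The shared subnet must appear in blue and green; a blue prefix
! (172.20.10.0/24 here) must appear in shared but never in green.
!   show ip bgp vpnv4 vrf shared
!   show ip route vrf green | include 172.20.10
!   show mpls ldp neighbor
!   show ip bgp vpnv4 vrf blue summary
```

The route-target matrix is the security policy of an MPLS VPN: a single extra import statement merges two groups without any change to the data plane, so it belongs under the same change control as a firewall rule.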
MPLS VPNs in the Campus Architecture
General Design Considerations
- Highly scalable
- Usually deployed in large campus networks requiring a large number of VRFs
- Any-to-any connectivity per user group
- User-to-cloud connectivity
- VPN traffic is tunneled across the MPLS core
- Access layer options:
  1. L2 VLAN extension to the PE
  2. L3 VRF-Lite from Access to Distribution
  3. L3 MPLS on the Access switch (Catalyst 6500 only today)
- Campus platform support for MPLS VPN currently targets the Catalyst 6500 Series and Nexus 7000
- Support for the Catalyst 6500 Series running MPLS in VSS mode is available from the 12.2(33)SXI2 release

[Figure: campus with PEs at the distribution and edge blocks around an MPLS core of P routers, with WAN, Internet and Data Center attached]
MPLS VPN over L2 WAN and Campus
Summary and Deployment Targets
- Targets large-scale VRF deployments and customers wanting control
- Leverages standards-based L2 transports (no overlay) in the WAN (the Campus is still Ethernet)
- Target customers usually function as an internal Service Provider for their company/agency
- Allows full deployment of MPLS services: L2 VPN, QoS, multicast, IPv6, MPLS TE, TE-FRR
- Offers tight control for QoS service level requirements
- Offers rapid deployment for virtualization turn-up
- Extremely scalable but requires a higher level of operational expertise
L3 Virtualization over IP
Why Do We Need L3 Virtualization over IP?
- VRF-Lite requires Layer 2 for separation; there is a need to leverage IP for broader reach and more transport options
- Not all networks are MPLS: MPLS is not available for transport on every network
- The enterprise wants to turn on its own MPLS VPN service (on its CE) while using an SP-managed MPLS VPN service
- IP-only transit option between MPLS islands (i.e. networks): the core/transit network is not owned by the enterprise and IP transport is the only option, or the source/destination network islands are IP only
- An IP VPN service from the SP is the only offering available (vs. an L2 option)
- The customer uses external IP encryption units (i.e. devices that do not support MPLS)
- Extend MPLS services over any IP transport: the designer can utilize any IP transport that exists, and leverage Internet reach for access outside the controlled area

"In summary, the implementation strategy described enables the deployment of BGP/MPLS IP VPN technology in networks whose edge devices are MPLS and VPN aware, but whose interior devices are not." (Source: RFC 4797)
VRF-Lite over IP
GRE Tunnel Encapsulation (RFC 2784)
Applicable over Any IP WAN Transport

Original IP datagram (before forwarding):
  Original IP Header (20 bytes) | IP Payload

GRE packet with new IP header, IP protocol 47 (forwarded using the new IP destination):
  New IP Header (20 bytes) | GRE Header (4 bytes) | Original IP Header (20 bytes) | IP Payload

GRE header fields (RFC 2784):
  Bit 0: Checksum Present
  Bits 1-12: Reserved0
  Bits 13-15: Version Number
  Bits 16-31: Protocol Type

[Figure: Router A and Router B connected by a GRE tunnel across the IP WAN]

Can also leverage IPsec when IP encryption is required over an untrusted WAN. GRE itself carries no authentication: a packet with the right outer destination is decapsulated regardless of who sent it.
VRF-Lite over IP Transport (Campus and WAN)
VRF-Lite over GRE
- Per VRF: virtual routing table, virtual forwarding table
- VRF-Lite can also leverage GRE tunnels as a segmentation technology
- Each VRF uses a unique GRE tunnel
- The GRE tunnel interface is VRF aware

[Figure: three VRFs on each side of a Campus/WAN IP transport, each pair joined by its own GRE tunnel]
VRF-Lite over the WAN (Campus and WAN)
VRF-Lite per GRE Tunnel
- Each GRE tunnel carries one VRF for extension
- A routing protocol process is created per VRF (at each end)
- Routing to the SP is BGP or static at both ends; enterprise routing is an IGP per VRF inside the tunnels
- Common deployment: branch to aggregation back-haul, where a low number of VRFs is required
- Configuration note: each GRE tunnel could require a unique source/destination IP (platform dependent)

[Figure: multi-VRF CE at the branch with an mGRE tunnel per VRF across the Internet/IP VPN service to the Data Center/HQ PE, which runs VRF-Lite or MPLS VPN towards the campus]
VRF-Lite over Point-to-Point GRE (Campus and WAN)
Example for Blue VRF (IOS)

[Figure: branch site (physical 172.16.5.2 on E0/0; Lo100 172.16.100.50 is the branch prefix advertised to the SP) connected over the IP transport to the Data Center/HQ PE; manually configured GRE tunnel carrying VRF blue on 11.1.0.x]

Branch Configuration

ip vrf blue
 rd 2:2
!
interface Loopback100
 ip address 172.16.100.50 255.255.255.255
!
! VRF command applied per GRE tunnel
interface Tunnel100
 description GRE to PE router 201
 ip vrf forwarding blue
 ip address 11.1.0.2 255.255.255.0
 tunnel source Loopback100
 tunnel destination 172.16.100.10
!
interface Ethernet0/0
 ip address 172.16.5.2 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf blue autonomous-system 1
  network 11.0.0.0
  no auto-summary
 exit-address-family
 no auto-summary

DC/HQ Configuration

ip vrf blue
 rd 2:2
!
interface Loopback100
 ip address 172.16.100.10 255.255.255.255
!
interface Tunnel100
 description GRE to branch
 ip vrf forwarding blue
 ip address 11.1.0.1 255.255.255.0
 tunnel source Loopback100
 tunnel destination 172.16.100.50
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf blue autonomous-system 1
  network 11.0.0.0
  no auto-summary
 exit-address-family
 no auto-summary
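Added example, not from the session: the branch side of the tunnel above with the two things the GRE slide only mentions in passing, IPsec protection of the GRE tunnel and separation of the underlay into its own front-door VRF (called wan here) with tunnel vrf. The crypto parameters, the wan VRF, the pre-shared key and the SP next hop 172.16.5.1 are assumed.

```ios
! Added example (not from the session): the branch side of the GRE
! tunnel above, with the transport (underlay) moved into its own VRF and
! the tunnel protected by IPsec. Crypto parameters, the "wan" VRF name,
! the pre-shared key and the 172.16.5.1 next hop are assumed.
!
! Two VRFs on the branch: "wan" carries only the SP-facing underlay, "blue"
! carries user traffic. A host in blue has no route towards the SP, and the
! SP side cannot reach the blue RIB through the untrusted link.
ip vrf wan
 rd 65100:1
ip vrf blue
 rd 2:2
!
interface Ethernet0/0
 description link to SP (underlay only)
 ip vrf forwarding wan
 ip address 172.16.5.2 255.255.255.0
!
! Tunnel source; advertised to the SP as on the slide (SP routing not shown)
interface Loopback100
 ip vrf forwarding wan
 ip address 172.16.100.50 255.255.255.255
!
ip route vrf wan 0.0.0.0 0.0.0.0 172.16.5.1
!
! IKEv1/IPsec bound to the wan VRF: the tunnel peer authenticates with a
! pre-shared key, so a spoofed GRE packet sent to 172.16.100.50 is
! dropped instead of being injected into VRF blue.
crypto keyring wan-keys vrf wan
 pre-shared-key address 172.16.100.10 key replace-with-real-psk
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Overlay in VRF blue, underlay in VRF wan. MTU/MSS lowered for the
! GRE + ESP overhead so the encrypted packets are not fragmented.
interface Tunnel100
 description GRE to DC/HQ, overlay in VRF blue, underlay in VRF wan
 ip vrf forwarding blue
 ip address 11.1.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback100
 tunnel destination 172.16.100.10
 tunnel vrf wan
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 1
 address-family ipv4 vrf blue autonomous-system 1
  network 11.0.0.0
  no auto-summary
 exit-address-family
!
! Checks:
!   show crypto ipsec sa          (encaps/decaps counters increment)
!   show ip route vrf wan         (only the default route and the underlay)
!   show ip route vrf blue        (only the tunnel and EIGRP-learned prefixes)
!   ping vrf blue 11.1.0.1
```

The DC/HQ side mirrors this with its own wan VRF and the branch loopback as the keyring peer. Without tunnel protection, the only thing standing between the Internet and VRF blue is the tunnel destination address.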
VRF-Lite over GRE Tunnels in the Campus
General Design Considerations
- Deployment: recommended for hub-and-spoke one-off requirements; limited scale for single or few VPN applications (guest access, NAC remediation)
- GRE is supported in hardware on the Catalyst 6500 and Nexus 7000
- Application and services: multiple VRF-aware services available
- Learning curve: familiar routing protocols can be used; IP-based transport solution

[Figure: campus PEs around an IP backbone of P routers, with VRFs carried over GRE; WAN, Internet and Data Center attached]
MPLS VPN over IP
GRE (RFC 2784) with MPLS over GRE (RFC 4023)
Packet Format

Original IP datagram (before forwarding):
  Original IP Header (20 bytes) | IP Payload

GRE packet with new IP header, IP protocol 47 (forwarded using the new IP destination):
  New IP Header (20 bytes) | GRE Header (4 bytes) | Original IP Header (20 bytes) | IP Payload

GRE header fields:
  Bit 0: Checksum Present
  Bits 1-12: Reserved0
  Bits 13-15: Version Number
  Bits 16-31: Protocol Type; for MPLS over GRE this is 0x8847 (MPLS unicast) or 0x8848 (MPLS multicast)

RFC 4023 also defines MPLS-in-IP without a GRE header, where IP protocol number 137 indicates that an MPLS packet follows the IP header.
GRE Tunnel Format with MPLS
(Reference: RFC 4023)

Original MPLS/IP datagram (before forwarding):
  L2 Header | Forwarding Label | VPN Label | Original IP Header | IP Payload

MPLS/IP datagram over GRE (after forwarding):
  L2 Header | New IP Header (20 bytes) | GRE Header (4 bytes) | VPN Label | Original IP Header (20 bytes) | IP Payload

- The Ethertype in the GRE Protocol Type field indicates that an MPLS label follows
- The VPN label is signaled via MP-BGP; this is normal MPLS VPN control plane operation
- The MPLS tunnel label (top label) is replaced by an IP header addressed to the destination PE
- Encapsulation defined in RFC 4023
- Most widely deployed form of MPLS over IP encapsulation
Virtualization over Multipoint GRE (mGRE) Tunnels

GRE Tunnel Modes
Stateful vs. Stateless

Point-to-Point GRE (one tunnel from the central site to each remote site)
- Source and destination require manual configuration
- Tunnel end-points are stateful neighbors
- Tunnel destination is explicitly configured
- Creates a logical point-to-point tunnel
- Creates an encapsulation using IP headers (GRE)

Multipoint GRE (one interface at the central site reaches all remote sites)
- A single multipoint tunnel interface is created per node
- Only the tunnel source is defined
- Tunnel destination is derived dynamically through some control plane mechanism (i.e. BGP, NHRP) or an end-point discovery concept
WAN
Dynamic Multipoint VPN
- Provides full meshed connectivity with simple configuration of hub and spokes
- Supports dynamically addressed spokes
- Facilitates zero-touch configuration for the addition of new spokes
- Features automatic IPsec triggering for building an IPsec tunnel

[Figure: secure on-demand meshed tunnels: hub with Spoke 1 to Spoke n; DMVPN tunnels (dynamic, unknown IP addresses) versus traditional static tunnels (static, known IP addresses)]
VRF-Lite over Dynamic Multipoint VPN (DMVPN) (WAN)
L3 Virtualization Extension over DMVPN
- Allows virtualization over a DMVPN framework
- A multipoint GRE (mGRE) interface is enabled per VRF (1:1)
- Solution allows spoke-to-spoke data forwarding per VRF
- Deployment target: customers already running DMVPN who need to add VRF capabilities to sites

[Figure: multi-VRF CEs (C-PE) at the remote branches with an mGRE tunnel per VRF across the Internet/IP transport to the Data Center/HQ PE, which runs VRF-Lite or MPLS VPN in the campus]
VRF-Lite over DMVPN
Example (IOS)

[Figure: branch sites (multi-VRF CE) with an mGRE tunnel per VRF across the IP transport to the Data Center/HQ PE, which is also the per-VRF NHRP server]

Spoke Configuration

ip vrf blue
!
interface Loopback0
 ip address 10.123.100.1 255.255.255.255
!
interface Tunnel0
 description GRE to hub
 ip vrf forwarding blue
 ip address 11.1.1.10 255.255.255.0
 ! static NHRP mapping of the hub's tunnel address to its NBMA (transport) address
 ip nhrp map 11.1.1.1 10.126.100.1
 ip nhrp network-id 100
 ip nhrp nhs 11.1.1.1
 tunnel source Loopback0
 tunnel destination 10.126.100.1
!
interface Vlan10
 description blue subnet
 ip vrf forwarding blue
 ip address 11.1.100.1 255.255.255.0

Hub Configuration

ip vrf blue
!
interface Loopback0
 ip address 10.126.100.1 255.255.255.255
!
interface Tunnel0
 description mGRE for blue
 ip vrf forwarding blue
 ip address 11.1.1.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Loopback0
 tunnel mode gre multipoint

Unique network-id parameter per VRF
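Added example, not from the session: what the hub (and one spoke) look like when two VRFs each get their own mGRE tunnel sourced from the same loopback, which is the 1:1 mapping on the previous slide and the case the earlier configuration note about unique source/destination addresses refers to. Names, addresses, keys and the IPsec profile DMVPN-PROT (assumed to exist already) are illustrative.

```ios
! Added example (not from the session): hub with two DMVPN clouds, one
! per VRF, both sourced from the same Loopback0. Because the two mGRE
! tunnels share source and mode, each needs a unique "tunnel key" so the
! hub can demultiplex incoming GRE, a unique NHRP network-id, and, when
! IPsec is applied, the "shared" keyword on tunnel protection.
! Names, addresses, keys and the IPsec profile "DMVPN-PROT" (assumed to
! exist) are illustrative.
ip vrf blue
 rd 65100:10
ip vrf green
 rd 65100:20
!
interface Loopback0
 ip address 10.126.100.1 255.255.255.255
!
! NHRP authentication is a cleartext string (max 8 characters). It catches
! a spoke registering to the wrong cloud; it does not authenticate anyone.
! IPsec is what authenticates the peer.
interface Tunnel0
 description mGRE for blue
 ip vrf forwarding blue
 ip address 11.1.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication blue1234
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROT shared
!
interface Tunnel1
 description mGRE for green
 ip vrf forwarding green
 ip address 11.2.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication green123
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 ip nhrp redirect
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile DMVPN-PROT shared
!
! Matching spoke, VRF blue only shown (the spoke carries a second tunnel
! for green the same way, hence "shared" here too). Tunnel key, NHRP
! network-id and NHRP authentication must match the hub's blue tunnel;
! a mismatch leaves the spoke unregistered, which is also the check that
! a blue spoke cannot land in the green cloud by accident.
interface Tunnel0
 description mGRE for blue (spoke)
 ip vrf forwarding blue
 ip address 11.1.1.10 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication blue1234
 ip nhrp map 11.1.1.1 10.126.100.1
 ip nhrp map multicast 10.126.100.1
 ip nhrp network-id 100
 ip nhrp nhs 11.1.1.1
 ip nhrp shortcut
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROT shared
!
! Checks on the hub:
!   show dmvpn               (one peer entry per tunnel, state UP)
!   show ip nhrp brief
!   show ip route vrf blue
!   show ip route vrf green
```

The hub's ip nhrp redirect with the spoke's ip nhrp shortcut gives spoke-to-spoke forwarding inside each VRF (DMVPN Phase 3); without the tunnel key the hub cannot tell blue GRE from green GRE arriving at the same loopback.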
VRF-Lite Solutions over the Campus/WAN
Comparison Matrix

Criterion                                     | VRF-Lite over Serial, FR/ATM (Ethernet in Campus) | VRF-Lite over P2P GRE | VRF-Lite over DMVPN
Target deployment                             | Campus/WAN | Campus/WAN | WAN
Target number of VRFs                         | <8         | <8         | <8
Uses dynamic endpoint discovery               | No         | No         | Yes (NHRP)
Leverages multipoint GRE tunnels              | No         | No         | Yes
Ability to hide IP addresses from the SP      | Yes        | Yes        | Yes
Supports VPN multicast (per VRF)              | Yes        | Yes        | Yes (hub sourced only)
Support for IPv6 (inside IPv4 address space)  | Yes        | Yes        | Yes
MPLS VPN over Multipoint GRE (mGRE)
MPLS over Dynamic Multipoint VPN (DMVPN)
MPLS VPN over a DMVPN Framework
- Allows MPLS VPN to leverage a DMVPN framework
- Leverages NHRP for dynamic endpoint discovery
- Data path for spoke-to-spoke traffic transits the hub (P function)
- QoS uses typical best practices
- Multicast replication is done at the hub (even if the source is at a spoke)
- Solution is operational in customer networks today

[Figure: remote branches (C-PE) running MPLS/LDP and VPNv4 over a single mGRE tunnel with LDP across the Internet/IP transport to the Data Center/HQ PE/P and route reflector (RR), with VRF-Lite or MPLS VPN in the campus]
MPLS VPN over Multipoint GRE (mGRE)
MPLS VPNs over Multipoint GRE Using BGP for End Point Discovery
- Offers MPLS VPN over IP
- Dynamic spoke-to-spoke access
- Uses the standards-based RFC 2547 MP-BGP control plane
- Offers dynamic tunnel endpoint discovery via BGP
- Requires only a single IP address for transport over the SP network
- Reduces configuration tasks: requires no LDP and no GRE configuration tasks

[Figure: remote bran

ches (C-PE) with a multipoint GRE interface carrying the VPNv4 label over mGRE encapsulation across the Internet/IP transport to the Data Center/HQ PE and route reflector (RR)]
MPLS VPN over Multipoint GRE (mGRE)
Control Plane

[Figure: branch C-PEs with mGRE interfaces across the SP IPv4 VPN service to the Campus/MAN P/PE and route reflector; routing to the SP is BGP/static, enterprise routing is iBGP (VPNv4 routes and VPN labels exchanged via BGP, tunnel endpoints learned during the BGP update), with IGP and LDP only inside the campus MPLS domain]

- Leverages the SP IP transport while overlaying a self-deployed MPLS VPN
- MP-iBGP neighbors are established over the SP VPN cloud
- iBGP is used to advertise VPNv4 routes, exchange VPN labels, and learn tunnel end-points
- eBGP is used to exchange routes with the SP
MPLS VPN over Multipoint GRE (mGRE)
Feature Components

[Figure: PE1-PE6 (172.16.255.1-172.16.255.6) joined by one multipoint GRE tunnel; the IP view for PE4 is a tunnel endpoint per remote PE]

1. mGRE is a multipoint bi-directional GRE tunnel
2. The control plane is based on RFC 2547 using MP-BGP, signaling VPNv4 routes, VPN labels, and tunnel endpoints
3. The VPNv4 label and VPN payload are carried in the mGRE tunnel encapsulation
4. A new encapsulation profile in the CLI offers dynamic endpoint discovery: (1) it sets IP encapsulation for the next-hop, (2) it installs received prefixes into the tunnel database

The solution does NOT require manual GRE interfaces or the configuration of LDP on any interface.
MPLS VPN over Multipoint GRE (mGRE)
(IPv4 Configuration Example)
[Figure: CE1 -- eBGP -- PE1 (Lo0: 10.0.0.1) -- mGRE over IPv4 cloud -- PE4 (Lo0: 10.0.0.4) -- eBGP -- CE2]
Example for PE4

interface Loopback0
 ip address 10.0.0.4 255.255.255.255
!
! Sets the mGRE encapsulation profile used for the BGP next-hop
l3vpn encapsulation ip Cisco
 transport ipv4 source Loopback0
!
router bgp 100
 . . .
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  ! Apply the route-map to advertisements received from the remote iBGP neighbor
  neighbor 10.0.0.1 route-map next-hop-TED in
 exit-address-family
 . . .
!
! Use IP encapsulation (GRE) for the next-hop and install the prefix in the
! VPN table as connected via the tunnel interface
route-map next-hop-TED permit 10
 set ip next-hop encapsulate l3vpn Cisco

MPLS VPN over Multipoint GRE (mGRE)
(IPv6 Configuration Example)
[Figure: CE1 -- eBGP -- PE1 (Lo0: 10.0.0.1) -- mGRE over IPv4 cloud -- PE4 (Lo0: 10.0.0.4; E 1/0 towards CE2: 3FFE:1001::2 /64) -- eBGP -- CE2]
Example for PE4
NOTE: Relevant MPLS VPN over mGRE commands that are the same as for IPv4 are not shown in this IPv6 example.

interface Ethernet 1/0
 vrf forwarding green
 ip address 209.165.200.253 255.255.255.224
 ! IPv6 address applied to the CE2-facing interface
 ipv6 address 3FFE:1001::/64 eui-64
!
router bgp 100
 . . .
 address-family vpnv6
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community both
  ! Apply the route-map to advertisements received from the remote iBGP neighbor (same as vpnv4)
  neighbor 10.0.0.1 route-map next-hop-TED in
 exit-address-family
 . . .
!
! Use IP encapsulation (GRE) for the next-hop and install the IPv6 prefix in the
! VPNv6 table as connected via the tunnel interface
route-map next-hop-TED permit 10
 set ip next-hop encapsulate l3vpn Cisco
 set ipv6 next-hop encapsulate l3vpn Cisco

MPLS-VPN over IP
Leveraging MPLS-VPN over mGRE in the Campus
[Figure: campus with MPLS VPN PEs at the distribution layer, an IP backbone (P routers) in the core, and an MPLS VPN border towards the WAN, Data Center and Internet, all joined by multipoint GRE (mGRE)]
Highly scalable
Usually deployed in large campus networks requiring the definition of a large number of VRFs
Any-to-any connectivity per user group
User-to-cloud connectivity
MPLS VPN PEs are still positioned at the distribution layer
VPN traffic is tunneled across an IP core (no MPLS or LDP needed)
Leverages mGRE, so no manual configuration of tunnels is needed
Supports mVPN and IPv6
Supported on Catalyst 6500 SUP-2T, targeted at campus deployments
MPLS VPN over Multipoint GRE (mGRE)
Summary and Configuration Notes
Solution requires only a single IP address to the SP for operation
Solution leverages the standard MP-BGP control plane (RFC 4364)
Tunnel endpoint discovery is done via iBGP/route-map
eBGP can still be used for route exchange with the SP
Solution requires NO GRE tunnel configuration or LDP
Supports multicast and IPv6 per the MPLS VPN model (MDT and 6vPE respectively)
MVPN Support: ASR 1000, ISR/G2
Supports IPsec for PE-PE encryption (GET VPN or manual SA)
Platform Support
Today: 7600 12.2(33) SRE, ASR 1000 (RLS 6), ISR 15.1(2)T
Future: 6500 (SUP-2T, CY11), IOS-XR Platforms (Future, Planned)
[Figure: branch LAN behind a C-PE; VPNv4 label over mGRE encapsulation]
MPLS VPN over GRE Solutions
Comparison Matrix
Columns: MPLS VPN over mGRE | MPLS VPN over DMVPN | MPLS VPN over P2P GRE
Target Deployment: Campus/WAN | WAN | Campus/WAN
MPLS VPN Target VRFs: Yes (> 8 VRFs) | Yes (> 8 VRFs) | Yes (> 8 VRFs)
Uses a Dynamic Endpoint Discovery Mechanism: Yes (BGP) | Yes (NHRP) | No
Avoids Manual Full-Mesh GRE Configurations (mGRE): Yes | Yes | No
Requires LDP over the Tunnel: No | Yes | Yes
Current Scaling of End Nodes (Tested): 1000+ (Recommend RRs) | EIGRP 1000 (ASR 1K), OSPF 600 (7200), BGP 1800 (ASR 1K) | 1000+ (Manually Intensive)
Supports IPsec Encryption: Yes (GET, SA) | Yes | Yes
Supports MVPN Multicast: Yes | Yes * | Yes
Supports IPv6 VPN (6vPE): Yes | No (Future) | Yes
* DMVPN requires traffic be sent spoke-hub-spoke if the source is located at a spoke site
Cisco L3 Virtualization
Platforms and Feature Support for WAN and Branch
Columns: Cisco ISR-G2 | Cisco 7200 | ASR 1000 | Catalyst 6500 | Cisco 7600
VRF Lite: S | S | S | S | S
VRF Lite over GRE: S | S | S | S | S
VRF Lite over DMVPN: S | S | S | S | S
MPLS-VPN: S | S | S | S | S
MPLS VPN over GRE (P2P): S | S | S | S (SIP-400, SUP-2T) | S (SIP-400, ES+)
MPLS VPN over DMVPN (mGRE): S | S | S | S (SIP-400, SUP-2T) | S (SIP-400, ES+)
MPLS VPN over mGRE (BGP): S | S | S | R (2H11) SUP-2T | S (SIP-400, ES+)
S = Supported Today, R = Roadmap
QoS in a Virtualized WAN
QoS with GRE, MPLS over GRE
[Figure: two packet layouts. (1) GRE with ToS reflection: Outer GRE IP Header | GRE | Original IP Header | IP Payload; the ToS of the original IP header is reflected into the outer GRE IP header. (2) MPLS over GRE: Outer GRE IP Header | GRE | MPLS Shim | Original IP Header | IP Payload; the ToS of the original IP header is carried as the EXP bits of the MPLS shim, and the EXP is reflected into the outer GRE IP header.]
ToS reflection: the router copies the original ToS marking to the outer GRE header
For MPLS over GRE, the EXP marking is copied to the outer header of the GRE tunnel
This allows the IPv4 transport to perform QoS on the multi-encapsulated packet

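As an added example (not code from the session or from Cisco IOS), the following Python models the data plane the feature-component and QoS slides describe: the VPNv4 label and payload are wrapped in GRE and an outer IPv4 header whose ToS carries the reflected marking, with the tunnel endpoint and label taken from a VRF table that stands in for what the BGP update supplied. The VPN label value, the inner addresses and the VRF table contents are constructed; copying the EXP into the outer IP precedence bits is this model's reading of "EXP copied to the outer header", not a detail stated on the slide.

```python
import ipaddress
import struct

PROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_MPLS = 0x8847
GRE_OVERHEAD = 24        # outer IPv4 (20) + GRE (4), as stated on the MTU slides
MPLS_LABEL_LEN = 4       # one VPNv4 label


def ipv4_checksum(data: bytes) -> int:
    """Ones-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                tos: int = 0, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (no options); DF set by default."""
    flags = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, flags,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def mpls_label(label: int, exp: int, bos: bool = True, ttl: int = 64) -> bytes:
    """32-bit MPLS shim: 20-bit label, 3-bit EXP, bottom-of-stack bit, TTL."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def lookup_vpn_route(vrf_table: dict, dst: str):
    """Longest-prefix match. Entries model what the VPNv4 BGP update supplied:
    prefix -> (BGP next-hop, i.e. the mGRE tunnel endpoint, VPN label)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, entry in vrf_table.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else best[1]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Plain GRE: ToS reflection copies the inner ToS byte to the outer header."""
    payload = struct.pack("!HH", 0, GRE_PROTO_IPV4) + inner
    return ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(payload),
                       tos=inner[1]) + payload


def mgre_encapsulate(inner: bytes, tunnel_src: str, vrf_table: dict) -> bytes:
    """MPLS VPN over mGRE: impose the VPNv4 label (EXP from the inner IP
    precedence), then GRE, then the outer IPv4 header towards the endpoint
    learned from BGP. The EXP is copied into the outer IP precedence bits
    (modelling assumption) so the IP transport can apply QoS to the packet."""
    inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
    route = lookup_vpn_route(vrf_table, inner_dst)
    if route is None:
        raise LookupError("no VPN route for %s" % inner_dst)
    endpoint, label = route
    exp = inner[1] >> 5
    payload = struct.pack("!HH", 0, GRE_PROTO_MPLS) + mpls_label(label, exp) + inner
    return ipv4_header(tunnel_src, endpoint, PROTO_GRE, len(payload),
                       tos=exp << 5) + payload


# Constructed sample: EF-marked (ToS 0xB8) CE traffic from the PE4 side towards
# a prefix that PE1 (Lo0 10.0.0.1 on the slide) advertised with VPN label 16.
VRF_GREEN = {"10.1.0.0/24": ("10.0.0.1", 16)}
INNER = ipv4_header("10.2.0.5", "10.1.0.10", 17, 100, tos=0xB8) + bytes(100)

if __name__ == "__main__":
    pkt = mgre_encapsulate(INNER, "10.0.0.4", VRF_GREEN)
    print("outer dst %s ToS 0x%02x, %d bytes (%d overhead)" % (
        ipaddress.IPv4Address(pkt[16:20]), pkt[1], len(pkt), len(pkt) - len(INNER)))
```

The 28 bytes of overhead the run reports (24 GRE + 4 label) are exactly what the later MTU slide subtracts when it sets ip mtu 1472.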
QoS Deployment Models in a
Virtualized Environment
Aggregate Model
A common QoS strategy is used for all VRFs (i.e. the same marking for voice, video, critical data, best effort)
Allows an identical QoS strategy to be used with or without virtualization
Prioritized VRF Model
Traffic in some VRFs is prioritized over other VRFs (e.g. Production over Guest VRF)
[Figure: Aggregate vs. Prioritized Model]
Following the Aggregate Model allows the identical QoS strategy to be used with or without network virtualization
QoS Models
Point-to-Point (Virtual Links)
[Figure: central site with Serial 0 and virtual links to the remote sites]
Connection oriented service
Logical/physical interfaces/connections
Logical: GRE, FR/ATM/Ethernet VC
Virtualization options (connection oriented):
VRF-Lite over P2P GRE
MPLS VPN over P2P GRE
VRF-Lite over DMVPN *
2547 over DMVPN *
Point-to-Cloud (ICR = Ingress Committed Rate, ECR = Egress Committed Rate)
[Figure: central site and remote sites attached to a cloud; ICR into the cloud, ECR out of the cloud]
No point-to-point (site-to-site) guarantees
Any site can transmit up to ICR into the cloud
Any site can receive up to ECR from the cloud
SLA offers guarantees for conforming traffic
Virtualization options leveraging point-to-cloud:
MPLS VPNs over mGRE
* Using per-tunnel QoS
QoS Deployment with Network Virtualization
Point-to-Cloud Example - Hierarchical QoS + MPLS VPN over mGRE
[Figure: Branch 1, Branch 2 and Branch 3 (each with a Red VRF and a Green VRF) connect over mGRE across an IP VPN service to the campus WAN edge and HQ/DC (1 GE, Red and Green VRFs). Traffic is classified and marked at the edge; the WAN edge egress CIR is 600 Mb. Child queues: Voice, Video, Best Effort, Scavenger (LLQ + shaper).]
1st layer: GRE tunnel (parent), shaper per GRE
2nd layer: service queuing per GRE (child)
Queuing determines the order of packets sent to the shaper
H-QoS policy applies to the main interface (not the mGRE interface)
Hierarchical QoS Example
H-QoS Policy on Interface to SP, Shaper = CIR
Two MQC Levels
[Figure: Gig 0/1.100 service level shaped to 600 Mbps, with Voice, Video, Scav and Best Effort queues feeding the shaper]

policy-map PARENT
 class class-default
  shape average 600000000
  service-policy output CHILD
!
policy-map CHILD
 class Voice
  police cir percent 10
  priority level 1
 class Video
  police cir percent 20
  priority level 2
 class Scav
  bandwidth remaining ratio 1
 class class-default
  bandwidth remaining ratio 9
!
interface GigabitEthernet0/1.100
 service-policy output PARENT

QoS for Virtualization Summary
Aggregate QoS model is the simplest and most straightforward approach (Recommended)
Simplification using the Aggregate model recommends:
Traffic class marking identical to the non-virtualized scheme
Traffic class marking identical between VRFs
Leverage H-QoS on virtualized interfaces (GRE, .1Q)
Router dynamically copies ToS -> EXP -> ToS (GRE)
Prioritized VRF model can be used to prefer traffic originating in one VRF over another (e.g. guest access, mission critical apps)
Summary: Consider implementing the same QoS approach that is used for non-virtualized networks when deploying QoS in virtualized enterprise network designs
Easy Virtual Network (EVN)
http://www.cisco.com/go/evn
What Is EVN?
[Figure: two devices, each holding several VRFs, joined by a VNET Trunk; per VRF there is a virtual routing table and a virtual forwarding table]
Consider EVN as a framework:
1. Offers a dynamic way to configure the trunk between two devices for carrying multiple VRFs
2. Makes the IOS CLI VRF context aware for configuration, show, and troubleshooting commands (debug, traceroute)
3. Simplifies route replication configuration where a shared VRF is required (vs. complex BGP import/export)
EVN, like VRF-Lite, still leverages:
VRF aware routing (RIB) and forwarding (FIB)
VRF aware routing protocol processes (EIGRP, OSPF, BGP, RIPv2, static)
VRF-Lite and VNET Trunk Compatibility in EVN
Both routers have the VRFs defined; the VNET router additionally carries the tags.

VRF-Lite Subinterface Config (VRF-Lite router)

ip vrf red
 rd 101:101
!
ip vrf green
 rd 102:102
!
interface TenGigabitEthernet1/1
 ip address 10.122.5.29 255.255.255.252
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event link-status
!
interface TenGigabitEthernet1/1.101
 description Subinterface for Red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.29 255.255.255.252
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event subif-link-status
!
interface TenGigabitEthernet1/1.102
 description Subinterface for Green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.29 255.255.255.252
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event subif-link-status

VNET Trunk Config (EVN router) *

vrf definition red
 vnet tag 101
!
vrf definition green
 vnet tag 102
!
interface TenGigabitEthernet1/1
 vnet trunk
 ip address 10.122.5.30 255.255.255.252
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event link-status

* RouterEVN# show derived-config displays the full configuration beyond the simplified view that EVN shows
EVN - Routing Context Simplified CLI
Routing Context
Router# routing-context vrf red
Router%red#

IOS CLI (left) vs. Routing Context (right):
Router# show ip route vrf red          | Router%red# show ip route
  Routing table output for red         |   Routing table output for red
Router# ping vrf red 10.1.1.1          | Router%red# ping 10.1.1.1
  Ping result using VRF red            |   Ping result using VRF red
Router# telnet 10.1.1.1 /vrf red       | Router%red# telnet 10.1.1.1
  Telnet to 10.1.1.1 in VRF red        |   Telnet to 10.1.1.1 in VRF red
Router# traceroute vrf red 10.1.1.1    | Router%red# traceroute 10.1.1.1
  Traceroute output in VRF red         |   Traceroute output in VRF red
Shared Services in Virtualized Networks
Services that you don't want to duplicate:
Internet Gateway
Firewall and NAT - DMZ
DNS
DHCP
Corporate Communications - Hosted Content
Requires IP connectivity between VRFs
This is usually accomplished through some type of extranet capability or a fusion router/FW
Best Methods for Shared Services
Fusion Router/FW: Internet Gateway, NAT/DMZ
Extranet: DNS, DHCP, Corp Communications
VRF Simplification - Shared Services

Before: Sharing Servers in Existing Technologies

ip vrf SHARED
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
!
ip vrf RED
 rd 1:1
 route-target export 1:1
 route-target import 3:3
!
ip vrf GREEN
 rd 2:2
 route-target export 2:2
 route-target import 3:3
!
router bgp 65001
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf SHARED
  redistribute ospf 3
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute ospf 1
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute ospf 2
  no auto-summary
  no synchronization
 exit-address-family
!

After: Simple Shared Service Definition

vrf definition SHARED
 address-family ipv4
  route-replicate from vrf RED unicast all route-map red-map
  route-replicate from vrf GREEN unicast all route-map grn-map
!
vrf definition RED
 address-family ipv4
  route-replicate from vrf SHARED unicast all
!
vrf definition GREEN
 address-family ipv4
  route-replicate from vrf SHARED unicast all
!

Route-Replication Advantage:
No BGP required
No Route Distinguisher required
No Route Targets required
No Import/Export required
Simple deployment
Supports both unicast/multicast

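As an added example (not the session's or IOS code), this Python models the two shared-services configurations above to check the property that matters for segmentation: RED and GREEN each reach SHARED, but never each other. Assumptions: the "Before" case follows RFC 4364 import/export (a VRF imports a route that carries any route-target it imports); the "After" case models route-replicate as a one-level copy of the source VRF's own routes (replicated routes are not replicated onward, and the slide's red-map/grn-map route-maps are treated as permit-all); the prefixes are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Vrf:
    """One VRF: its own routes plus either RT policy (MPLS VPN style) or
    route-replicate sources (EVN style)."""
    name: str
    routes: set = field(default_factory=set)
    rt_export: set = field(default_factory=set)
    rt_import: set = field(default_factory=set)
    replicate_from: list = field(default_factory=list)


def resolve_mpls_vpn(vrfs: dict) -> dict:
    """Routes visible per VRF after BGP VPNv4 import/export: a route exported
    with RTs E is imported by every other VRF whose rt_import meets E."""
    exported = [(p, v.rt_export, v.name) for v in vrfs.values() for p in v.routes]
    table = {}
    for v in vrfs.values():
        visible = set(v.routes)
        for prefix, rts, origin in exported:
            if origin != v.name and rts & v.rt_import:
                visible.add(prefix)
        table[v.name] = visible
    return table


def resolve_evn(vrfs: dict) -> dict:
    """Routes visible per VRF after EVN route replication, modelled as a
    one-level copy (replicated routes are not replicated onward)."""
    return {v.name: set(v.routes).union(*(vrfs[s].routes for s in v.replicate_from))
            for v in vrfs.values()}


def audit_isolation(table: dict, vrfs: dict, isolated_pairs) -> dict:
    """{(a, b): leaked prefixes} for pairs that must not see each other's
    routes in either direction; an empty dict means segmentation holds."""
    findings = {}
    for a, b in isolated_pairs:
        leaked = (vrfs[a].routes & table[b]) | (vrfs[b].routes & table[a])
        if leaked:
            findings[(a, b)] = leaked
    return findings


# Constructed prefixes; RD/RT values and replicate statements follow the slide.
MPLS_VRFS = {
    "SHARED": Vrf("SHARED", {"10.3.0.0/24"}, {"3:3"}, {"1:1", "2:2"}),
    "RED":    Vrf("RED",    {"10.1.0.0/24"}, {"1:1"}, {"3:3"}),
    "GREEN":  Vrf("GREEN",  {"10.2.0.0/24"}, {"2:2"}, {"3:3"}),
}
EVN_VRFS = {
    "SHARED": Vrf("SHARED", {"10.3.0.0/24"}, replicate_from=["RED", "GREEN"]),
    "RED":    Vrf("RED",    {"10.1.0.0/24"}, replicate_from=["SHARED"]),
    "GREEN":  Vrf("GREEN",  {"10.2.0.0/24"}, replicate_from=["SHARED"]),
}
ISOLATED = [("RED", "GREEN")]


def misconfigured_red() -> dict:
    """The 'Before' design with one extra line, 'route-target import 2:2'
    under ip vrf RED, the kind of slip the audit is meant to catch."""
    bad = {k: Vrf(v.name, set(v.routes), set(v.rt_export), set(v.rt_import))
           for k, v in MPLS_VRFS.items()}
    bad["RED"].rt_import.add("2:2")
    return bad


if __name__ == "__main__":
    print("MPLS VPN:", audit_isolation(resolve_mpls_vpn(MPLS_VRFS), MPLS_VRFS, ISOLATED))
    print("EVN:     ", audit_isolation(resolve_evn(EVN_VRFS), EVN_VRFS, ISOLATED))
    slip = misconfigured_red()
    print("slip:    ", audit_isolation(resolve_mpls_vpn(slip), slip, ISOLATED))
```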
EVN - Easy Virtual Network Roadmap
Platform | Release | FCS Date
ASR1K | IOS XE 3.2S | Nov 2010
Cat6K Sup2T | 15.0(1)SY1 | Q1CY2012
Cat4K K10 | IOS XE 3.3.0 SG | Q2CY2012
Cat4K K5 | 15.1(1)SG | Q2CY2012
Cat6K Sup720* | 15.1(1)SY | Q1CY2013
Cat3K-X | not ECed
ISR-G2 | not ECed
Nexus 7K | TBD
All dates are target FCS
VLAN ID re-use shipped on Sup2T in 12.2(50)SY, June 2011
* Sup720 will not support VNET Trunk
Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
Easy Virtual Network (EVN)
WAN Extension
http://www.cisco.com/go/evn
Extending EVN over the WAN
Leverage MPLS VPN over mGRE for EVN Extension
[Figure: a VNET Trunk carrying several VRFs on each side of the WAN]
EVN does not currently support the VNET trunk being directly extended over MPLS or GRE
EVN can leverage the existing WAN virtualization technologies available today
The VNET tag can be applied under the vrf definition context
The integration of VNET + VRF definition allows full use of existing WAN virtualization solutions for VNET trunks
Extending EVN over the WAN
Leverage MPLS VPN over mGRE for EVN Extension
[Figure: R1 -- VNET Trunk (OSPF) -- R3 (E 0/0, MPLS PE) -- mGRE WAN with an MP-BGP RR (the update carries VNET Tag = 10) -- R2 (E 1/0, MPLS PE) -- VNET Trunk (OSPF) -- R4]
On the MPLS PE, apply the vnet tag under the vrf definition. This injects the VNET into the VRF, which is then handled as normal VRF forwarding (over MPLS VPN over GRE in this example).

!
vrf definition red
 ! VNET tag applied under the vrf definition
 vnet tag 10
 ! Normal rd and route-target, as in any MPLS VPN case
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 !
 ! Injects routes from the VNET trunk into the VRF, allowing any
 ! VRF-over-WAN solution to be applied using VNET
 address-family ipv4
 exit-address-family
!
MTU Considerations
in a Virtualized WAN
MTU Considerations with GRE Tunnels
Issues
[Figure: S -- R1 -- R2 -- R3 -- R4 -- C; link MTUs 1500, 1500, 1000, 1500, 1500; GRE tunnel between R1 and R4 with tunnel MTU = 1500 - 24 = 1476; the oversized packet is dropped (X) on the 1000-byte link between R2 and R3]
Fragmentation is unavoidable in some cases
The use of GRE tunnels increases the chances of MTU issues because of the increase in IP packet size that GRE adds
PMTUD is used on the host (DF = 1) to determine the path MTU
There can be a performance impact on the router when the GRE tunnel destination router must re-assemble fragmented GRE packets
Performance impact includes packet re-assembly of fragmented packets
Common cases where fragmentation occurs:
Customer does not control the IP path, and a segment has an MTU less than the maximum packet size
Router generates an ICMP message, but the ICMP message gets blocked by a router or firewall (between the router and the sender). Most common!!
Path MTU Discovery (PMTUD) with GRE
Example
[Figure: S -- R1 -- R2 -- R3 -- R4 -- C; link MTUs 1500, 1500, 1000, 1500, 1500; GRE tunnel R1 to R4 with MTU = 1500 - 24 = 1476]
At R1:
1. R1 needs to fragment, but the original IP packet has DF=1
2. R1 sends ICMP destination unreachable (Type 3, code 4) to the source IP address at S
At S:
1. Upon receipt of the ICMP unreachable, S will send a maximum of 1476 bytes
2. The 2nd IP packet is 1476 bytes long
In transit: the GRE packet is too large and is further fragmented (DF=0)
At R4:
1. R4 reassembles to reconstruct the GRE packet (R4 is the destination of the GRE packets)
2. The GRE packet is decapsulated
3. The original IP datagram is forwarded
MTU Recommendations
Point to Point GRE
Avoid fragmentation (if at all possible)
Consider the tunnel path-mtu-discovery command to allow the GRE interface to copy DF=1 to the GRE header, and run PMTUD on the GRE tunnel
Set ip mtu on the GRE interface to allow for the MPLS label overhead (4 bytes)
If using IPsec, ip mtu 1400 is recommended
Configure ip tcp adjust-mss to assist with TCP host segment overhead
MTU setting options:
Set the MTU on the physical interface larger than the IP MTU
Set the IP MTU to allow for the GRE default (1476) plus the MPLS service label (4)

interface Ethernet 1/0
 . . .
 mtu 1500
!
interface Tunnel0
 . . .
 ip mtu 1472

Better to fragment prior to encapsulation than after, as the remote router (GRE destination) must reassemble GRE tunnel packets
MTU Recommendations
Multipoint GRE
Multipoint GRE (mGRE) interfaces are stateless
The tunnel path-mtu-discovery command is not supported on mGRE interfaces (defaults to DF=0 for MPLS VPN over mGRE)
For the MPLS VPN over mGRE feature, ip mtu is automatically configured to allow for the GRE overhead (24 bytes); the IP MTU defaults to 1476 when MPLS VPN over mGRE is used:

interface Tunnel 0
 . . .
 Tunnel protocol/transport multi-GRE/IP
 Key disabled, sequencing disabled
 Checksumming of packets disabled
 Tunnel TTL 255, Fast tunneling enabled
 Tunnel transport MTU 1476 bytes

Configure ip tcp adjust-mss to assist with TCP hosts (on the inside interface)
MTU setting options:
Set the MTU on the physical interface larger than the IP MTU
Better to fragment prior to encapsulation than after, as the remote router (GRE destination) must reassemble GRE tunnel packets
IP MTU Technical White Paper:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
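As an added example (not from the session or from IOS), this Python works through the MTU arithmetic and the PMTUD sequence of the preceding MTU slides: the ip mtu to set on a GRE tunnel that also carries MPLS labels, the matching ip tcp adjust-mss value, and a walk of one DF=1 host packet through the S-R1-R2-R3-R4-C path both with DF copied into the GRE header (the tunnel path-mtu-discovery behaviour, unavailable on mGRE) and without it (outer DF=0, the mGRE default). The link MTUs are the slide's; the event names and the 40-byte IPv4+TCP header figure used for the MSS are this example's own.

```python
GRE_OVERHEAD = 24               # outer IPv4 (20) + GRE (4), from the slides
MPLS_LABEL_LEN = 4              # one VPN label for MPLS VPN over GRE
IPSEC_RECOMMENDED_MTU = 1400    # slide recommendation when IPsec is in use
TCP_IP_HEADERS = 40             # IPv4 (20) + TCP (20), for ip tcp adjust-mss


def tunnel_ip_mtu(physical_mtu: int = 1500, mpls_labels: int = 1,
                  ipsec: bool = False) -> int:
    """'ip mtu' for the GRE interface: physical MTU minus GRE overhead minus
    label overhead (1500 - 24 - 4 = 1472 on the slide). With IPsec the slide
    simply recommends 1400."""
    if ipsec:
        return IPSEC_RECOMMENDED_MTU
    return physical_mtu - GRE_OVERHEAD - mpls_labels * MPLS_LABEL_LEN


def tcp_adjust_mss(ip_mtu: int) -> int:
    """MSS that lets a full TCP segment fit the tunnel IP MTU."""
    return ip_mtu - TCP_IP_HEADERS


def pmtud_walk(tunnel_links, host_pkt_len, ip_mtu, copy_df, mpls_labels=0,
               max_rounds=8):
    """Walk one DF=1 host packet from S into a GRE tunnel (head end = first
    router, tail end = last) whose outer packets traverse `tunnel_links`
    (MTUs in order). Returns the events, in order:
      ("icmp_3_4_to_host", mtu)             head end tells S the tunnel MTU
      ("icmp_3_4_to_tunnel_src", hop, mtu)  transit hop tells the head end
      ("fragmented_at_hop", hop)            outer packet fragmented (DF=0)
      ("reassembled_by_tunnel_dest",)       tail end reassembles before decap
      ("delivered", size)                   inner size that finally fits
    copy_df=True models 'tunnel path-mtu-discovery' (DF copied to the GRE
    header); False models the mGRE default of DF=0 on the outer packet."""
    overhead = GRE_OVERHEAD + mpls_labels * MPLS_LABEL_LEN
    events, size, tunnel_pmtu = [], host_pkt_len, ip_mtu
    for _ in range(max_rounds):
        if size > tunnel_pmtu:              # too big for the tunnel, DF=1 set
            events.append(("icmp_3_4_to_host", tunnel_pmtu))
            size = tunnel_pmtu              # host lowers its path MTU, resends
            continue
        outer = size + overhead
        for hop, mtu in enumerate(tunnel_links):
            if outer <= mtu:
                continue
            if copy_df:                     # outer DF=1: transit hop signals R1
                events.append(("icmp_3_4_to_tunnel_src", hop, mtu))
                tunnel_pmtu = mtu - overhead
                break
            events.append(("fragmented_at_hop", hop))    # outer DF=0
            events.append(("reassembled_by_tunnel_dest",))
            return events
        else:
            events.append(("delivered", size))
            return events
    return events


# Slide topology: S-R1-R2-R3-R4-C, tunnel R1..R4, link MTUs 1500/1000/1500.
TUNNEL_LINKS = [1500, 1000, 1500]

if __name__ == "__main__":
    print("GRE default ip mtu:", tunnel_ip_mtu(mpls_labels=0))       # 1476
    print("MPLS VPN over GRE ip mtu:", tunnel_ip_mtu())                # 1472
    print("adjust-mss:", tcp_adjust_mss(tunnel_ip_mtu()))              # 1432
    for copy_df in (False, True):
        print("copy_df=%s:" % copy_df,
              pmtud_walk(TUNNEL_LINKS, 1500, tunnel_ip_mtu(mpls_labels=0), copy_df))
```

With copy_df=False the walk ends in fragmentation on the 1000-byte link and reassembly at R4, exactly the slide's sequence; with copy_df=True the head end learns the real path MTU and S settles at 976-byte packets with no reassembly anywhere.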
Campus-to-WAN Virtualization
Interconnect
Campus-to-WAN Interconnection
Interconnect Virtualization Policy
[Figure: WAN (AS 1) supporting MPLS VPN or VRF-Lite, with C-PE 2, C-PE 3, C-PE 4 ... C-PE x connected by iBGP and reaching the WAN service over a GRE tunnel or mGRE interface; a WAN ASBR connects (L3/L2) to a campus ASBR; the campus runs MPLS VPN or VRF-Lite across its distribution blocks, extending the campus virtualization to the WAN]
A requirement exists to integrate and connect the virtualization model between the campus and the WAN
Several options exist
The solution chosen is evaluated on scale and complexity
No solution is one-size-fits-all
Locator/ID Separation Protocol
(LISP)
VPN Extension Option over the WAN
More Details on LISP Covered in Session BRKRST-3045
VPN Option over the WAN Using LISP
Locator/ID Separation Protocol (LISP) for VPNs in WAN
IETF Draft: http://tools.ietf.org/html/draft-farinacci-lisp-12
LISP creates a level of indirection with two namespaces: EID and RLOC
[Figure: HQ LISP site (data center, user network) connected across the Internet to remote LISP sites (x1,000)]
Needs:
Highly-scalable VPNs
Remove IGP scaling limitations for branch WAN aggregation
LISP Solution:
Offers VPN segmentation + LISP
Allows GETVPN to be leveraged with LISP forwarding
Integrated multi-homing
IPv4/IPv6 co-existence
Benefits:
High scale WAN aggregation (1000s of sites)
Minimal state on branch routers
ISP transparency
WAN Virtualization: Key Takeaways
The ability for an enterprise to extend Layer 3 (L3) virtualization technologies over the Campus/WAN is critical for today's applications
VRF-Lite and MPLS-VPNs are key to scalable L3 virtualization extension from HQ to remote branch/WAN sites
The ability to transport VRF-Lite and MPLS-VPN over IP allows flexible transport options, including the ability to encrypt segmented traffic
Understanding key network criteria (topology, traffic patterns, VRFs, scale, expansion) is vital to choosing the optimal solution for extending virtualization over the WAN
MPLS VPN over mGRE offers simpler and more scalable deployment for Campus and WAN, eliminating LDP and manual GRE configuration
Understand the options for QoS, the impact of MTU, and the tools available in IOS for MTU discovery
Begin to understand Cisco innovations (MPLS VPN over mGRE, EVN, LISP Virtualization) and how they can help simplify network virtualization in the WAN/Campus for future designs
Leverage the technology, but keep it simple when possible