DEPLOYING MPLS-VPN
SESSION RST-2602
Rajiv Asati (rajiva@cisco.com)
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
1
Agenda
• MPLS VPN Definition?
Technology
Configuration
• MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
• Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
• Best Practices
• Conclusion.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
2
Prerequisites
• Must understand basic IP routing, especially BGP
• Must understand MPLS basics (push, pop, swap,
label stacking)
• Must finish the evaluation
http://www.networkers04.com/desktop
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
3
Terminology:
• LSR
: Label Switch Router
• LSP
: Label Switched Path
The chain of labels that are swapped at each hop to get from one LSR to another
• VRF
: VPN Routing and Forwarding
Mechanism in IOS used to build per-interface RIB and FIB
• MP-BGP
: Multi-Protocol BGP
• PE
: Provider Edge router Interfaces with CE routers
• P
: Provider (core) router, without knowledge of VPN
• VPNv4
: Address family used in BGP to carry MPLS-VPN routes
• RD
: Route Distinguisher
Distinguish same network/mask prefix in different VRFs
• RT
: Route Target
Extended Community attribute used to control import and export policies of VPN
routes
• LFIB
: Label Forwarding Information Base
• FIB
: Forwarding Information Base (FIB)
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
4
Agenda
• MPLS VPN Definition?
Technology
Configuration
• MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
• Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
• Best Practices
• Conclusion.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
5
MPLS-VPN Operation’s Theory
• VPN definition: VRF instance
• VPN Route Propagation (Control Plane)
• VPN Packet forwarding (Data Plane)
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
6
MPLS VPN Connection Model
P
P
PE
PE
VPN Backbone IGP
P
P
MP-iBGP session
PE routers
Edge Routers
P Routers
P routers are in the core of the MPLS
cloud
Use MPLS with P routers
Uses IP with CE routers
Connects to both CE and P routers.
Distribute VPN information through
MP-BGP to other PE router with
VPN-IPv4 addresses, Extended
Community, Label
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
P routers do not need to run BGP and
doesn’t need to have any VPN knowledge
Forward packets by looking at labels
P and PE routers share a common IGP
7
MPLS VPN: Separate Routing Tables in PE
vpn site 2
CE
PE
EBGP,OSPF, RIPv2,Static
CE
MPLS Backbone IGP (OSPF, ISIS)
vpn site 1
VRF routing table
Routing (RIB) and Forwarding table
(CEF) associated with one or more
directly connected sites (CEs)
The routes the PE receives from CE
Routers are installed in the appropriate
VRF routing table(s)
blue VRF routing table or green
The Global routing table
Populated by the MPLS backbone IGP
In PE routers may contain the BGP
Internet routes (standard ipv4 routes)
VRF routing table
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
8
VRF: Virtual Routing and Forwarding
Instance
vpn site 2
CE
VRF green
PE
EBGP,OSPF, RIPv2,Static
CE
vpn site 1
MPLS Backbone IGP (OSPF, ISIS)
VRF blue
• What’s a VRF ?
• Associates to one or more interfaces on PE
Privatize an interface i.e. coloring of the interface
• Has its own routing table and forwarding table (CEF)
• VRF has its own instance for the routing protocol
(static ,RIP,BGP,EIGRP,OSPF)
• CE router runs standard routing software
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
9
VRF: Virtual Routing and Forwarding
Instance
vpn site 2
CE
PE
EBGP,OSPF, RIPv2,Static
CE
MPLS Backbone IGP (OSPF, ISIS)
vpn site 1
• PE installs the routes, learned from CE routers, in
the appropriate VRF routing table(s)
• PE installs the IGP (backbone) routes in the global
routing table
• VPN customers can use overlapping IP addresses.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
10
Additions in BGP: MPLS-VPN Info BGP
8 Bytes
4 Bytes
1:1
10.1.1.0
RD
IPv4
8 Bytes
Route-Target
3 Bytes
Label
VPNv4
MP-iBGP update with RD, RT, and Label
• RD: Route Distinguisher
• VPNv4 routes
• RT: Route Target
• Label
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
11
MPLS VPN Control Plane
MP-BGP Update Components:
8 Bytes
4 Bytes
1:1
10.1.1.0
RD
IPv4
8 Bytes
Route-Target
VPNv4 address
3 Bytes
Label
VPNv4
MP-IBGP update with RD, RT, and Label
• To convert an IPv4 address into a VPNv4 address, RD
is appended to the IPv4 address i.e 1:1:10.1.1.0
• Makes the customer’s IPv4 route globally unique.
• Each VRF must be configured with an RD at the PE
• RD is what that defines the VRF
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
!
ip vrf v1
rd 1:1
!
12
MPLS VPN Control Plane
MP-BGP Update Components:
8 Bytes
4 Bytes
8 Bytes
1:1
10.1.1.0
2:2
RD
IPv4
Route-Target
Route-Target
3 Bytes
Label
VPNv4
MP-IBGP update with RD, RT, and Label
•
Route-target (RT):
•
Each VRF is configured with RT(s) at the PE
Identifies the VRF for the received VPNv4
prefix. It is an 8-byte extended Community (a BGP attribute)
RT helps to color the prefix
!
ip vrf v1
route-target import 1:1
route-target export 1:2
!
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
13
MPLS VPN Control Plane
MP-BGP Update Components:
Label
8 Bytes
4 Bytes
8 Bytes
3 Bytes
1:1
10.1.1.0
2:2
50
RD
IPv4
Route-Target
Label
VPNv4
MP-IBGP update with RD, RT, and Label
•
The Label (for the VPNv4 prefix) is assigned only by the PE whose address is the
Next-Hop attribute
PE routers re-write the Next-Hop with their own address (loopback)
“Next-Hop-Self” towards MP-iBGP neighbors by default
•
PE addresses used as BGP Next-Hop must be uniquely known in the backbone
IGP
DO NOT summarize the PE loopback addresses in the core
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
14
MPLS VPN Control Plane:
Putting It All Together
3
Site 1
MP-iBGP update:
RD:10.10.1.0
Next-hop=PE-1
RT=Green, Label=100
Site 2
CE1
10.1.1.0/24
CE2
P
10.10.1.0/24
Next-Hop=CE-1
P
PE1
PE2
P
1
P
MPLS Backbone
1) PE1 receives an IPv4 update (eBGP,OSPF,EIGRP)
2) PE1 translates it into VPNv4 address
• Assigns an RT per VRF configuration
• Re-writes Next-Hop attribute to itself
• Assigns a label based on VRF and/or interface
3) PE1 sends MP-iBGP UPDATE to other PE routers
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
15
MPLS VPN Control Plane:
Putting It All Together
3
Site 1
MP-iBGP update:
RD:10.10.1.0
Next-hop=PE-1
RT=Green, Label=100
5
10.1.1.0/24
Next-Hop=PE-2
CE1
10.1.1.0/24
CE2
P
10.1.1.0/24
Next-Hop=CE-1
Site 2
P
PE1
PE2
P
1
P
MPLS Backbone
4) PE2 receives and checks whether the RT=green is locally
configured within any VRF, if yes, then
5) PE2 translates VPNv4 prefix back into IPv4 prefix,
• Installs the prefix into the VRF Routing table
• Updates the VRF CEF table with label=100 for 10.1.1.0/24
• Advertise this IPv4 prefix to CE2 (EBGP, OSPF, EIGRP)
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
16
MPLS VPN Forwarding Plane:
e
Site 2
Site 1
10.1.1.0/24
CE1
CE2
P1
P2
PE1
PE2
P
Global routing/forwarding table
Dest->Next-Hop
PE2 P1, label: 50
The Global Forwarding table
(show ip cef)
•PE routers store IGP routes
•Associated labels
•Label distributed through LDP/TDP
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
P
VRF Green forwarding Table
Dest->NextHop
10.1.1.0/24-PE1, label: 100
Global routing/forwarding table
Dest->NextHop
PE1 P2, label: 25
VRF Forwarding table
(show ip cef vrf <vrf>)
•PE routers store VPN routes
•Associated labels
•Labels distributed through MP-BGP
17
MPLS VPN Forwarding Plane:
e
Site 2
Site 1
10.1.1.0/24
CE1
CE2
P
10.1.1.1
P
PE1
PE2
100
50
10.1.1.1
100
10.1.1.1
P
P
10.1.1.1
25
100
10.1.1.1
PE2 imposes TWO labels for each packet going to the VPN destination 10.1.1.1
•
The top label is LDP learned and Derived from an IGP route
Represents LSP to PE address (exit point of a VPN route)
•
The second label is learned via MP-BGP
Corresponds to the VPN address
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
18
Agenda
• MPLS VPN Definition?
Technology
Configuration
• MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
• Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
• Best Practices
• Conclusion.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
19
MPLS VPN Sample Configuration
VRF Definition
ip vrf VPN-A
rd 1:1
route-target export 100:1
route-target import 100:1
Site 1
CE1
10.1.1.0/24
PE1
Se0
PE1
Interface Serial0
ip address 192.168.10.1 255.255.255.0
ip vrf forwarding VPN-A
192.168.10.1
PE-P Configuration
Interface Serial1
ip address 130.130.1.1 255.255.255.252
mpls ip
P
Se0
PE1
s1
PE1
router ospf 1
network 130.130.1.0 0.0.0.3 area 0
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
20
MPLS VPN Sample Configuration
PE:
MP-IBGP
router bgp 1
neighbor 1.2.3.4 remote-as 1
neighbor 1.2.3.4 update-source loopback 0
RR
PE1
RR:
PE2
PE1
address-family vpnv4
neighbor 1.2.3.4 activate
neighbor 1.2.3.4 send-community both
MP-IBGP
router bgp 1
no bgp default route-target filter
neighbor 1.2.3.6 remote-as 1
neighbor 1.2.3.6 update-source loopback0
RR
PE1
RST-2602
9908_06_2004_X2
PE2
© 2004 Cisco Systems, Inc. All rights reserved.
RR
address-family vpnv4
neighbor 1.2.3.6 route-reflector-client
Neighbor 1.2.3.6 activate
21
MPLS VPN Sample Configuration
PE-CE
BGP
Site 1
CE1
10.1.1.0/24
PE1
192.168.10.2
PE1
192.168.10.1
PE-CE
router bgp 1
!
address-family ipv4 vrf VPN-A
neighbor 192.168.10.2 remote-as 2
neighbor 192.168.10.2 activate
exit-address-family
!
OSPF
Site 1
CE1
10.1.1.0/24
192.168.10.2
PE1
PE1
router ospf 1
!
router ospf 2 vrf VPN-A
network 192.168.10.0 0.0.0.255 area 0
!
192.168.10.1
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
22
MPLS VPN Sample Configuration
PE-CE
RIP
router rip
Site 1
CE1
10.1.1.0/24
192.168.10.2
PE1
192.168.10.1
PE-CE
EIGRP
router eigrp 1
Site 1
CE1
10.1.1.0/24
192.168.10.2
PE1
192.168.10.1
RST-2602
9908_06_2004_X2
address-family ipv4 vrf VPN-A
version 2
no auto-summary
network 192.168.10.0
exit-address-family
© 2004 Cisco Systems, Inc. All rights reserved.
address-family ipv4 vrf VPN-A
network 192.168.10.0 0.0.0.255
autonomous-system 1
exit-address-family
23
MPLS VPN Sample Configuration
PE-CE
Static
Site 1
CE1
10.1.1.0/24
ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
192.168.10.2
PE1
192.168.10.1
PE-CE MB-iBGP routes to VPN
Site 1
RR
PE1
CE1
RST-2602
9908_06_2004_X2
router rip
address-family ipv4 vrf VPN-A
version 2
redistribute bgp 1 metric 1
no auto-summary
network 192.168.10.0
exit-address-family
If PE-CE protocol is non BGP then redistribution
of other sites VPN routes from MP-IBGP is required.
© 2004 Cisco Systems, Inc. All rights reserved.
24
MPLS VPN Sample Configuration
PE-RR
(VPN routes to VPNv4)
Site 1
RR
PE1
CE1
router bgp 1
neighbor 1.2.3.4 remote-as 1
neighbor 1.2.3.4 update-source loopback 0
address-family ipv4 vrf VPN-A
redistribute {rip|connected|static|eigrp|ospf}
If PE-CE protocol is non BGP then redistribution
of other sites VPN routes into MP-IBGP is required.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
25
Agenda
• MPLS VPN Definition?
Technology
Configuration
• MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
• Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
• Best Practices
• Conclusion.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
26
MPLS VPN Services:
1. Loadsharing for the VPN traffic
RR
PE11
PE2
CE1
CE2
171.68.2.0/24
PE12
Site A
Site B
MPLS Backbone
Route Advertisement
• VPN sites (such as Site A) could be multihomed
• VPN customer may demand the traffic to the multihomed sites be
loadshared
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
27
MPLS VPN Services:
1. Loadsharing for the VPN traffic: Cases
1 CE 2 PEs
RR
PE11
PE2
CE1
CE2
171.68.2.0/24
PE12
Site A
Site B
MPLS Backbone
Traffic Flow
2 CEs 2 PEs
RR
PE11
PE2
CE1
171.68.2.0/24
CE2
CE2
PE12
Site B
MPLS Backbone
Site A
RST-2602
9908_06_2004_X2
Traffic Flow
© 2004 Cisco Systems, Inc. All rights reserved.
28
MPLS VPN Services:
1. Loadsharing for the VPN Traffic: Deployment
How to deploy the loadsharing ?
1.
Configure different VRFs i.e RDs for multihomed site/interfaces.
2.
Enable BGP multipath within the relevant BGP VRF addressfamily at Remote/Receiving PE2.
2
1
ip vrf green
rd 300:11
route-target both 1:1
RR
PE11
router bgp 1
address-family ipv4 vrf green
maximum-paths eibgp 2
PE2
CE1
CE2
171.68.2.0/24
PE12
Site A
1
ip vrf green
rd 300:12
route-target both 1:1
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
MPLS Backbone
1
Site B
ip vrf green
rd 300:13
route-target both 1:1
29
MPLS VPN Services:
1. Loadsharing for the VPN Traffic(实验)
RR
Route Advertisement
PE11
PE2
CE1
CE2
171.68.2.0/24
PE12
Site A
Site B
MPLS Backbone
• RR must advertise all the paths learned via PE11 and PE12 to the
remote PE routers
With different RD per VRF, RR does the Best path
RD and advertise them to remote PE
calculation per
• Watch out for the increased (~20%) memory consumption (within
BGP) due to multipaths at the PEs
• “eiBGP multipath” implicitly provides eBGP and iBGP multipath for
VPN paths
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
30
MPLS-VPN Services:
2. Hub & Spoke Service to the VPN Customers
• Traditionally, VPN deployments are Hub&Spoke.
Spoke to spoke communication is via Hub site only.
• Despite MPLS VPN’s implicit any-to-any i.e fullmesh connectivity, Hub&Spoke service can easily
be offered.
Done with import and export of Route-Target (RT).
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
31
MPLS-VPN Services:
2. Hub & Spoke Service - Configuration
ip vrf green-spoke1
description VRF for SPOKE A
rd 300:111
route-target export 1:1
route-target import 2:2
Spoke A
CE-SA
ip vrf HUB-OUT
description VRF for traffic from HUB
rd 300:11
route-target import 1:1
PE-SA
171.68.1.0/24
Eth0/0.1
PE-Hub
Spoke B
PE-SB
CE-SB
MPLS VPN Backbone
171.68.2.0/24
ip vrf green-spoke2
description VRF for SPOKE B
rd 300:112
route-target export 1:1
route-target import 2:2
RST-2602
9908_06_2004_X2
Eth0/0.2
© 2004 Cisco Systems, Inc. All rights reserved.
ip vrf HUB-IN
description VRF for traffic to HUB
rd 300:12
route-target export 2:2
32
MPLS-VPN Services:
2. Hub & Spoke Service – Control Plane
MPLS Backbone
Spoke A
CE-SA
PE-SA
171.68.1.0/24
Adv 171.68.1.0/24
Label 40
Route-Target 1:1
VRF RT and LFIB at PE-SA
0.0.0.0
PE-Hub
35
171.68.1.0/24 CE-SA
Adv 0.0.0.0
Label 35
Route-Target 2:2
VRF RT and LFIB at PE-SB
0.0.0.0
PE-Hub
35
171.68.2.0/24 CE-SB
171.68.2.0/24
CE-SB
VRF HUB-OUT RT and LFIB
Destination
NextHop Label
171.68.1.0/24
PE-SA 40
171.68.2.0/24
PE-SB 50
VRF HUB-OUT
PE-Hub
VRF HUB-IN
PE-SB
Adv 171.68.2.0/24
Label 50
Route-Target 1:1
VRF HUB-IN Routing Table
Destination
NextHop
0.0.0.0
CE-H1
Spoke B
• All traffic between spokes must pass through the Hub/Central Site.
Hub Site could offer FireWall, NAT like applications.
• Two VRF solution at the PE-Hub:
• VRF HUB_OUT would have knowledge of every spoke routes.
• VRF HUB_IN only have Default Route and advertise that to Spoke PEs.
• Import and export Route-Target within a VRF must be different.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
33
MPLS-VPN Services(实验内容):
2. Hub & Spoke Service – Forwarding Plane
MPLS Backbone
Spoke A
171.68.1.1
CE-SA
PE-SA
LA
40
171.68.1.1
171.68.1.0/24
VRF HUB-OUT
PE-Hub
Spoke B
PE-SB
CE-SB
LH
35
171.68.1.1
VRF HUB-IN
171.68.2.0/24
171.68.1.1
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
34
MPLS-VPN Services
3. Extranet VPN
• MPLS VPN, by default, isolates one VPN customer
from another.
Separate Virtual Routing Table for each VPN customer
• Communication between VPNs may be required i.e.
Extranet.
External Inter-company communication (dealers with
manufacturer, Retailer with wholesale provider etc)
Management VPN, Shared-service VPN etc.
• Needs right import and export route-target (RT)
values configuration within the VRFs
export-map or import-map should be used
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
35
3. MPLS-VPN Services: Extranet VPN
Goal: Only VPN_A site#1 to be reachable to VPN_B
MPLS Backbone
192.6.0.0/16
VPN_A Site#2
VPN_A Site#1
171.68.0.0/16
so PE1
PE2
P
180.1.0.0/16
VPN_B Site#1
ip vrf VPN_A
rd 3000:111
export map VPN_A_Export
import map VPN_A_Import
route-target import 3000:111
route-target export 3000:111
route-target import 3000:1
!
route-map VPN_A_Export permit 10
match ip address 1
set extcommunity rt 3000:2
!
route-map VPN_A_Import permit 10
match ip address 2
!
access-list 1 permit 171.68.0.0 0.0.0.0
access-list 2 permit 180.1.0.0 0.0.0.0
ip vrf VPN_B
rd 3000:222
export map VPN_B_Export
import map VPN_B_Import
route-target import 3000:222
route-target export 3000:222
route-target import 3000:2
!
route-map VPN_B_Export permit 10
match ip address 2
set extcommunity rt 3000:1
!
route-map VPN_B_Import permit 10
match ip address 1
!
access-list 1 permit 171.68.0.0 0.0.0.0
access-list 2 permit 180.1.0.0 0.0.0.0
Only Site#1 of both VPNs will communicate to
each other, Site#2 won’t.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
36
MPLS-VPN Services
4. Internet Access Service to VPN Customers
• Could be provided as another value-added service.
• Security mechanism must be in place at both
provider network and customer network
To protect from the Internet vulnerabilities
• VPN customers benefit from the single point of
contact for both Intranet and Internet connectivity
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
37
MPLS-VPN Services
4. Internet Access: Different Methods of Service
•
Four ways to provide the Internet service
1. VRF Specific default route with “global” keyword
2. Separate PE-CE sub-interface (nonVRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
38
MPLS-VPN Services(实验内容)
4. Internet Access: Different Methods of Service
1. VRF Specific default route
1.1 Static default route to move traffic from VRF to Internet (global
routing table)
1.2 Static routes for VPN customers to move traffic from Internet
(global routing table) to VRF
2. Separate PE-CE sub-interface (non VRF)
May run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF
VPN packets never leave VRF context ; issue with Overlapping
VPN address
4. Extranet with Internet-VRF along with VRF-aware NAT
VPN packets never leave VRF context; works well with
overlapping VPN address
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
39
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Config)
MPLS Backbone
Site1
Internet
CE1
171.68.0.0/16
so PE1192.168.1.2
ip vrf VPN-A
rd 100:1
route-target both 100:1
Interface Serial0
ip address 192.168.10.1 255.255.255.0
ip vrf forwarding VPN-A
Router bgp 100
no bgp default ipv4-unicast
redistribute static
neighbor 192.168.1.1 remote 100
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 next-hop-self
neighbor 192.168.1.1 update-source loopback0
ASBR
P
192.168.1.1
Internet GW
•
A default route, pointing to the ASBR, is installed
into the site VRF at each PE
A single label is used for packets forwarded
according to the default route
The label is the IGP label corresponding to the
IP address of the ASBR known via the IGP
•
The static route, pointing to the VRF interface, is
installed in the global routing table and
redistributed into BGP
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
ip RST-2602
route 171.68.0.0 255.255.0.0 Serial0
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
40
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Forwarding)
MPLS Backbone
Internet
Site1
171.68.0.0/16
IP packet
D=171.68.1.1
IP packet
D=Cisco.com
so
Label = 30
IP packet
D=Cisco.com
IP packet
D=Cisco.com
PE1
PE2
so
P
192.168.1.2
192.168.1.1
Global Routing/FIB Table
Destination
Label/Interface
192.168.1.1/32 Label=30
171.68.0.0/16
Serial 0
VRF Routing/FIB Table
Destination
Label/interface
0.0.0.0/0 192.168.1.1 (global)
Site-1
Serial 0
Label = 35
IP packet
D=171.68.1.1
Pros
Different Internet gateways
can be used for different VRFs
PE routers need not to hold
the Internet table
Simple Configuration
IP packet
D=171.68.1.1
Global Table and LFIB
Destination Label/Interface
192.168.1.2/32
Label=35
171.68.0.0/16
192.168.1.2
Internet
Serial 0
Cons
Using default route for Internet
routing does NOT allow any other
default route for intrA_VPN routing
Increasing size of global routing
Table by leaking VPN routes.
Static configuration
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
41
MPLS-VPN Services
4.2 Internet Access
1. VRF Specific default route
1.1 Static default route to move traffic from VRF to Internet (global
routing table)
1.2 Static routes for VPN customers to move traffic from Internet
(global routing table) to VRF
2. Separate PE-CE sub-interface (non VRF)
May run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF
VPN packets never leave VRF context ; Overlapping VPN
addresses could be a problem
4. Extranet with Internet-VRF alongwith VRF-aware NAT
VPN packets never leave VRF context; works well with
overlapping VPN addresses
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
42
4.2 Internet Access Service to VPN Customers
Using Separate Sub-Interface (Config)
Site1
171.68.0.0/16
MPLS Backbone
CE1
Internet
Internet
BGP-4
S0.2
PE1
ASBR
192.168.1.1
192.168.1.2
S0.1
ip vrf VPN-A
rd 100:1
route-target both 100:1
Interface Serial0.1
ip vrf forwarding VPN-A
ip address 192.168.20.1 255.255.255.0
frame-relay interface-dlci 100
!
Interface Serial0.2
ip address 171.68.10.1 255.255.255.0
frame-relay interface-dlci 200
!
Router bgp 100
no bgp default ipv4-unicast
[snip]…
RST-2602
neighbor
171.68.10.2 remote
502
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
P
Internet GW
One sub-interface for VPN routing
associated to a VRF
Another sub-interface for Internet routing
associated to the global routing table.
Could advertise full Internet Routes or a
default route to CE.
The PE will need to advertise VPN routes
to the Internet (via global routing table)
43
Internet Access Service to VPN Customers
4.2 Using Separate Sub-Interface (Forwarding)
Site1
171.68.0.0/16
Internet
IP packet
D=Cisco.com
S0.2
PE1
MPLS Backbone
Label = 30
IP packet
D=Cisco.com
PE2
192.168.1.1
192.168.1.2
S0.1
P
PE-Internet GW
CE routing table
VPN routes
Serial0.1
Internet routes
Serial0.2
PE Global Table and FIB
Internet routes
192.168.1.1
192.168.1.1
Label=30
Pros
CE could dual home and
perform optimal routing.
Traffic separation done
by CE.
RST-2602
9908_06_2004_X2
IP packet
D=cisco.com
© 2004 Cisco Systems, Inc. All rights reserved.
Cons
PE to hold full Internet routes.
BGP complexities introduced
in CE.
44
Internet Access Service
4.3 Extranet with Internet-VRF
• The internet routes could be placed within the VRF
at the Internet-GW i.e. ASBR
• VRFs for customers could ‘extranet’ with the
internet VRF and receive either default, partial or
full internet routes
• Be careful if duplicating the internet routes in
each VRF
• Works well when the VPN customers don’t have
overlapping addresses
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
45
Internet Access Service
4.4 Internet Access using VRF-aware NAT
• If the VPN customers need Internet access without
internet routes, then VRF-aware NAT can be used at
the Internet-GW i.e. ASBR
• The Internet GW doesn’t need to have internet
routes either
• Overlapping VPN addresses is not a problem
• More in the “VRF-aware NAT” slides,…..
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
46
MPLS VPN Service
5. VRF-Selection
• The common notion is that the VRF must be
associated to an interface
• “VRF-selection” breaks this association and
associate multiple VRFs to an interface
• Each packet on the PE-CE interface could be
handled (based on certain criteria) via different VRF
routing tables
Criteria such as source/dest IP address, ToS, TCP port etc.
specified via route-map
• Voice and Data can be separated out into different
VRFs at the PE
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
47
MPLS VPN Service
5. VRF-Selection – Based on Source IP Address
Global Interface
PE1
33.3.14.1
Cable
Setup
CE1
RR
VRF Interfaces
MPLS Backbone
(Cable Company)
Se0/0
VPN Brown
33.3.0.0/16
PE2
VPN Blue
44.3.0.0/16
66.3.1.25
Traffic Flows
44.3.12.1
VPN Green
66.3.0.0/16
ip vrf brown
rd 3000:111
route-target export 3000:1
route-target import 3000:1
!
ip vrf blue
rd 3000:222
route-target export 3000:2
route-target import 3000:2
!
ip vrf green
rd 3000:333
route-target export 3000:3
route-target import 3000:3
RST-2602
9908_06_2004_X2
interface Serial0/0
ip address 215.2.0.6 255.255.255.252
ip policy route-map PBR-VRF-Selection
ip receive brown
ip receive blue
ip receive green
access-list 40 permit 33.3.0.0 0.0.255.255
access-list 50 permit 44.3.0.0 0.0.255.255
access-list 60 permit 66.3.0.0 0.0.255.255
© 2004 Cisco Systems, Inc. All rights reserved.
route-map PBR-VRF-Selection permit 10
match ip address 40
set vrf brown
route-map PBR-VRF-Selection permit 20
match ip address 50
set vrf blue
route-map PBR-VRF-Selection permit 30
match ip address 60
set vrf green
48
MPLS VPN Service
6. Remote Access Service
• Remote access users i.e. dial users, IPSec users
could directly be terminated in VRF
PPP users can be terminated into VRFs
IPSec tunnels can be terminated into VRFs
• Remote Access services integration with MPLS
VPN opens up new opportunities for Providers
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
49
MPLS VPN Service
6. Remote Access Service– IPSec to MPLS VPN
Branch
Office
SP Shared Network
Access
Corporate Intranet
SP AAA
SOHO
Internet
Customer
AAA
PE+IPSec
Aggregator
VPN A
Internet
PE
Customer A
head office
PE
IP/MPLS/Layer 2
Based Network
Local or Direct
Dial ISP
VPN B
PE
Customer B
Cable/DSL/
ISDN ISP
VPN C
Remote Users/
Telecommuters
IP
RST-2602
9908_06_2004_X2
VPN A
Cisco IOS VPN Routers or
Cisco Client 3.x or higher
IPSec Session
© 2004 Cisco Systems, Inc. All rights reserved.
Customer A
branch office
MPLS VPN
Customer C
IP
50
MPLS-VPN Services
7. VRF-Aware NAT Services
• VPN customers could be using ‘overlapping’ IP
address i.e. 10.0.0.0/8
• Such VPN customers must NAT their traffic before
using either “extranet” or “internet” or any shared*
services
• PE is capable of NATting the VPN packets
(eliminating the need for an extra NAT device)
RST-2602
9908_06_2004_X2
* VoIP, Hosted Content, Management etc/
© 2004 Cisco Systems, Inc. All rights reserved.
51
MPLS-VPN Services
7. VRF-Aware NAT Services
• Typically, inside interface(s) connect to private
address space and outside interface connect to
global address space
NAT occurs after routing for traffic from inside-to-outside
interfaces
NAT occurs before routing for traffic from outside-to-inside
interfaces
• Each NAT entry is associated with the VRF
• Works on VPN packets in the following switch
paths : IP->IP, IP->MPLS and MPLS->IP
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
52
MPLS-VPN Services:
7. VRF-Aware NAT Services – Internet Access
CE1
PE11
MPLS Backbone
10.1.1.0/24
P
Green VPN Site
Internet
PE-ASBR
.1
217.34.42.2
PE12
CE2
ip nat inside
10.1.1.0/24
Blue VPN Site
ip nat outside
ip vrf green
rd 3000:111
route-target both 3000:1
ip vrf blue
rd 3000:222
route-target both 3000:2
ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
router bgp 3000
address-family ipv4 vrf green
network 0.0.0.0
address-family ipv4 vrf blue
network 0.0.0.0
ip access-list standard vpn-to-nat
permit 10.1.1.0 0.0.0.255
RST-2602
9908_06_2004_X2
ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
ip nat inside source list vpn-to-nat pool pool-green vrf green
ip nat inside source list vpn-to-nat pool pool-blue vrf blue
ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global
VRF specific Config
© 2004 Cisco Systems, Inc. All rights reserved.
VRF-aware NAT Specific Config
53
MPLS-VPN Services:
7. VRF-Aware NAT Services – Internet Access
Src=10.1.1.1
Dest=Internet
CE1
10.1.1.0/24
Green VPN Site
PE-ASBR
PE11
IP Packet
P
CE2
10.1.1.0/24
Src=10.1.1.1
Src=24.1.1.1
Dest=Internet
Internet
Src=25.1.1.1
Dest=Internet
PE12
Blue VPN Site
MPLS Backbone
Label=30
Src=10.1.1.1
Dest=Internet
Label=40
Src=10.1.1.1
Dest=Internet
IP Packet
Traffic Flows
Dest=Internet
MPLS Packet
•PE-ASBR removes the label from the received
MPLS packets per LFIB
•Performs NAT on the resulting IP packets
VRF IP Source
10.1.1.1
10.1.1.1
NAT Table
Global IP VRF-table-id
24.1.1.1
green
25.1.1.1
blue
•Forwards the packet
• This is also one of the ways to provide Internet access to VPN
customers with or without overlapping addresses
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
54
Agenda
• MPLS VPN Definition?
Technology
Configuration
• MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
• Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
• Best Practices
• Conclusion.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
55
What Is Inter-AS?
Provider X
Provider Y
RR2
RR1
ASBR1
ASBR2
???
MP-iBGP update::
PE-1
AS #2
AS #1
Problem:
PE2
BGP, OSPF, RIPv2
149.27.2.0/24,NH=CE-1
CE-1
VPN-A
How do Provider X
and Provider Y
exchange VPN
routes ?
VPN-A
149.27.2.0/24
RST-2602
9908_06_2004_X2
CE2
© 2004 Cisco Systems, Inc. All rights reserved.
56
Inter-AS Deployment Scenarios
Following options/Scenarios for deploying Inter-AS :
ASBR1
1. Back-to-back VRFs
ASBR2
2. MP-eBGP for VPNv4
AS #2
AS #1
PE1
PE2
3. Multihop MP-eBGP between RRs
CE1
4. Non-VPN Transit Provider
CE2
VPN-A
VPN-A
•2 and 3 are more common and will be discussed.
1 and 4 are in backup slides.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
57
Scenario 2: MP-eBGP between ASBRs to
Exchange VPNv4 Routes
• New CLI “no bgp default route-target filter” is
needed on the ASBRs.
• ASBRs exchange VPN routes using eBGP
(VPNv4 af)
• ASBRs store all VPN routes –
But only in BGP table and LFIB table
Not in routing nor in CEF table
• ASBRs don’t need VRFs to be configured on them
LDP between them
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
58
Scenario 2: MP-eBGP bet ASBRs for VPNv4
Control Plane (实验内容)
ASBR-1
MP-iBGP update:
RD:1:27:10.1.1.0/24,
NH=PE-1
RT=1:1, Label=(40)
ASBR-2
MP-iBGP update:
RD:1:27:10.1.1.0/24,
NH=ASBR-2
RT=1:1, Label=(30)
MP-eBGP update:
RD:1:27:10.1.1.0/24,
NH=ASBR-1
RT=1:1, Label=(20)
PE-1
PE-2
BGP, OSPF, RIPv2
10.1.1.0/24, NH=CE-2
CE-2
CE-3
VPN-B
BGP, OSPF, RIPv2
10.1.1.0/24, NH=PE-2
VPN-B
10.1.1.0/24
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
59
Scenario 2: MP-eBGP bet ASBRs for VPNv4
Forwarding Plane
30
40
10.1.1.1
ASBR-1
ASBR-2
30
10.1.1.1
P2
P1
40
10.1.1.1
20
PE-1
10.1.1.1
10.1.1.1
20
MPLS Packets
between ASBRs
CE-2
VPN-B
30
10.1.1.1
PE-2
CE-3
VPN-B
10.1.1.1
10.1.1.0/24
Pros
•More scalable.
Only one interface between ASBRs routers
No VRF configuration on ASBR.
Less memory consumption (no RIB/FIB
memory)
•MPLS label switching between providers
Still simple, more scalable & works today
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
Cons
•Automatic Route Filtering must be disabled
But we can apply BGP filtering.
•ASBRs are still required to hold VPN routes
60
Cisco IOS Configuration
Scenario 2: External MP-BGP between ASBRs for VPNv4(
实验内容)
MP-eBGP for
VPNv4
ASBR1
ASBR2
1.1.1.0/30
Label exchange
between ASBRs using
MP-eBGP
AS #1
AS #2
PE1
CE-1
VPN-A
ASBR MB-EBGP Configuration
Router bgp x
no bgp default route-target filter
neighbor 1.1.1.x remote-as x
!
address-family vpnv4
neighbor 1.1.1.x activate
neighbor 1.1.1.x send-com extended
PE2
CE-2
VPN-A
Note: ASBR must already have MPiBGP session with iBGP neighbors
such as RRs or PEs.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
61
Scenario 3: Multihop MP-eBGP between
RRs to exchange VPNv4 routes
• Exchange VPNv4 prefixes via the Route Reflectors
Requires Multihop MP-eBGP (with next-hop-unchanged)
• Exchange IPv4 routes with labels between directly
connected ASBRs using eBGP
Only PE loopback addresses need to be exchanged (they
are BGP next-hop addresses of the VPN routes)
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
62
Scenario 3: Multihop MP-eBGP between
RRs for VPN routes : Control Plane
RR-1
VPN-v4 update:
RD:1:27:10.1.1.0/24,
NH=PE-1
RT=1:1, Label=(90)
AS#1
VPN-v4 update:
RD:1:27:10.1.1.0/24,
NH=PE-1
RT=1:1, Label=(90)
ASBR-1
IGP+LDP:
Network=PE-1
NH=PE-1
Label=(40)
PE-1
BGP, OSPF, RIPv2
10.1.1.0/24,NH=CE-2
CE-2
IP-v4 update:
Network=PE-1
NH=ASBR-1
Label=(20)
RR-2
VPN-v4 update:
RD:1:27:10.1.1.0/24,
NH=PE-1
RT=1:1, Label=(90)
ASBR-2
AS#2
PE-2
IGP+LDP:
Network=PE-1
NH=ASBR-2
Label=(30)
BGP, OSPF, RIPv2
10.1.1.0/24,NH=PE-2
CE-3
VPN-B
VPN-B
10.1.1.0/24
Note - Instead of IGP+Label, iBGP+Label
can be used to exchange PE routes/label.
Please see Scenario#5 on slide#49 and 50.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
63
Scenario 3: Multihop MP-eBGP between
RRs for VPN routes : Forwarding Plane
RR-1
RR-2
P2
P1
40
90
10.1.1.1
90
ASBR-2
ASBR-1
10.1.1.1
30
90
10.1.1.1
50
90
10.1.1.1
PE-1
20
10.1.1.1
90
10.1.1.1
PE-2
CE-2
CE-3
VPN-B
10.1.1.1
VPN-B
10.1.1.0/24
Note - Instead of IGP+Label, iBGP+Label
can be used to exchange PE routes/label.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
64
Scenario 3: Pros/Cons
Pros
•More scalable than Scenario 1 and 2.
Separation of control and forwarding planes
Cons
•Advertising PE addresses to another AS
may not be acceptable to few providers.
•Route Reflector exchange VPNv4 routes+labels
RR hold the VPNv4 information anyway
•ASBRs now exchange only IPv4 routes+labels
ASBR Forwards MPLS packets
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
65
Cisco IOS Configuration
Scenario 3: Multihop MP-eBGP between RRs for VPNv4(实
验)
Multihop MP-eBGP
for VPNv4 with
next-hop-unchange
RR-1
ASBR-1
PE1
RR-2
ASBR-2
PE2
AS #1
CE-1
AS #2
eBGP IPv4 + Labels
RR Configuration
VPN-A
router bgp x
neighbor <RR-x> remote-as x
neighbor <RR-x> ebgp-multihop
neighbor <RR-x> update loopback 0
!
address-family vpnv4
neighbor <RR-x> activate
neighbor <RR-x> send-com extended
neighbor <RR-x> next-hop-unchanged
RST-2602
9908_06_2004_X2
CE-2
ASBR Configuration
router ospf x
redistribute bgp 1 subnets
!
router bgp x
neighbor < ASBR-x > remote-as x
!
address-family ipv4
Network <PEx> mask 255.255.255.255
Network <RRx> mask 255.255.255.255
neighbor < ASBR-x > activate
neighbor < ASBR-x > send-label
VPN-A
iBGPipv4+label could also be used in within each AS (instead of
“network <x.x.x.x>”) to propagate the label information for PEs.
© 2004 Cisco Systems, Inc. All rights reserved.
66
Inter-AS Deployment Guidelines
1. Use ASN in the Route-target i.e. ASN:xxxx
2. Max-prefix limit (both BGP and VRF) on PEs
3. Security (BGP MD5, BGP filtering, BGP max-prefix
etc) on ASBRs
4. End-to-end QoS agreement on ASBRs
5. Route-Target rewrite on ASBR
6. Internet connectivity on the same ASBR ??
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
67
Agenda
• MPLS VPN Definition?
Technology
Configuration
• MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
• Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
• Best Practices
• Conclusion.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
68
Carrier Supporting Carriers: CsC
• Benefits of CsC
• What do I need to do to enable CsC ?
• Deployment models
• Security in CsC
• Deployment Guideline
• Deployment Scenarios
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
69
MPLS/VPN Networks without CsC
Large Number of VPN Routes at the PE May
Pose Limitation to the PE
• Unwanted routing updates in the Carrier’s network
=> CPU+memory
• Label/prefix consumptions at PE => memory
• Scalability issue at PE
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
70
MPLS/VPN Networks without CsC
• The no of VPN routes is one of the biggest limiting
factor in scaling the PE router
Few SPs are running into this scalaing limitation
• If no of VPN routes can be reduced somehow
(without loosing the functionality), then the existing
investment can be protected
The same PE can still be used to connect more VPN
customers
• Carrier Supporting Carrier (CsC) provides the
mechanism to reduce the no of routes from each
VRF by enabling MPLS on the PE-CE link
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
71
Benefits of CsC
• Provide transport for ISPs ($)
No need to manage external routes from ISPs
• Build MPLS Internet Exchange (MPLS-IX) ($$)
Media Independence; POS/FDDI/PPP possible
Higher speed such OC192 or more
Operational benefits
• Sell VPN service to subsidiary companies that
provide VPN service ($)
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
72
What Do I Need to Enable CsC ?
1. Build an MPLS-VPN enabled carrier’s network
2. Connect ISP/SPs sites (or PoPs) to the Carrier’s PEs
3. Exchange internal routes + labels between Carrier’s PE &
ISP/SP’s CE
4. Exchange external routes directly between ISP/SP’s sites
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
73
CsC Deployment Models
MP-iBGP for VPNv4
P1
PE1
IGP+LDP
PE2
IGP+LDP
Carrier’s MPLS Core
IPv4 routes with
label distribution
IPv4 routes with
label distribution
MPLS enabled VRF int
CE-1
CE-2
Full-mesh iBGP
for external routes
ISP PoP
Site-1
internal routes
= IGP routes
ISP PoP
Site-2
C1
ASBR-2
ASBR-1
Internal routes =
IGP routes
R2
INTERNET
R1
ISP customers =
external routes
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
74
CsC Deployment Models
1. Customer-ISP not running MPLS
2. Customer-ISP running MPLS
3. Customer-ISP running MPLS-VPN
•Model 1 and 2 are less common deployments.
•Model 3 will be discussed in detail.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
75
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Control Plane
MP-iBGP update:
1:1:30.1.61.25/32, RT=1:1
NH =PE-1, Label=51
IGP+LDP,
Net=PE-1,
Label = pop
PE1
P1
IGP+LDP,
Net=PE-1,
Label = 16
PE2
Carrier’s Core
30.1.61.25/32,
NH=CE-1, Label = 50
30.1.61.25/32,
NH=PE-2, Label = 52
CE-1
CE-2
MP-iBGP update:
1:1:10.1.1.0/24, RT=1:1
NH =30.1.61.25/32, Label = 90
ISP PoP
Site-1
ISP PoP
Site-2
IGP+LDP
30.1.61.25/32,Label = pop
C1
ASBR_PE-1
30.1.61.25/32
10.1.1.0/24, NH=R1
Network =
10.1.1.0/24
RST-2602
9908_06_2004_X2
IGP+LDP,
30.1.61.25/32
NH=CE-2, Label=60
ASBR_PE-2
10.1.1.0/24,
NH
=ASBR_PE-2
R2
IGP+LDP,
30.1.61.25/32 NH=C1,
Label=70
R1
VPN Site-1
© 2004 Cisco Systems, Inc. All rights reserved.
VPN Site-2
76
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Forwarding Plane
P1
51
90
10.1.1.1
16
PE1
51
90
10.1.1.1
PE2
Carrier’s Core
50
90
10.1.1.1
52
90
10.1.1.1
CE-1
CE-2
ISP PoP
Site-1
90
10.1.1.1
60
90
10.1.1.1
ISP PoP
Site-2
C1
ASBR-1
10.1.1.1
Network =
10.1.1.0/24
RST-2602
9908_06_2004_X2
R1
VPN Site-1
© 2004 Cisco Systems, Inc. All rights reserved.
ASBR-2
10.1.1.1
70
90
10.1.1.1
R2
VPN Site-2
77
Security Mechanism in CsC
• BGP/LDP MD5 on PE-CE
To prevent label “spoofing”, PE
• Maintains Label <=> VRF table association
• Checks during LFIB lookup that received packet’s label is
what was allocated
If the check fails, then the packet is dropped.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
78
CsC Deployment Guideline
•
Two choices for deploying CsC
1. IGP+LDP on the PE-CE, or
2. eBGP ipv4 +label on the PE-CE (RFC3107)
•
Choice selection is driven by the choice of routing
protocol on the PE-CE
•
CE has to run MPLS-aware code
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
79
CsC: IOS Commands/Configs
Choice 1: What All You Need to Configure?
Choice1: Enable LDP on PE-CE;
• Sh mpls interface [vrf <name>] all
PE1
int
Sh mpls ldp disc [vrf <name>] all
ser0/0
Sh mpls ldp bind vrf <name>
ip vrf forwarding green
Sh mpls ip bind vrf <name>
Sh mpls ldp neighbor [vrf <name>] all
mpls ip
Sh mpls forward [vrf <name>]
mpls ldp protcol ldp
PE-1
CE1
Sh mpls interface
int ser0/0
Sh mpls ldp discovery
mpls ip
mpls ldp protcol ldp
Sh mpls ldp bind
VRF Int
IGP+LDP
CE-1
Sh mpls ldp neighbor
Sh mpls forward
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
80
CsC: IOS Commands/Configs
Choice 2: What All You Need to Configure?
Choice2: Enable eBGP+label on PE-CE;
router bgp 1
PE1
address-family ip vrf green
PE-1
neighbor 200.1.61.6 remote-as 2
neighbor 200.1.61.6 send-label
VRF Int
eBGP+label
CE-1
router bgp 2
CE1
neighbor 200.1.61.5 remote-as 1
1. No IGP needed on PE-CE
2. No LDP needed on PE-CE
neighbor 200.1.61.5 send-label
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
81
IOS Commands/Configs
Choice 2: eBGP+label on the PE-CE
• On PE
Sh ip bgp vpn vrf <vrf> neighbor
Sh ip bgp vpn vrf <vrf> label
Sh mpls forward vrf <vrf>
• On CE
Sh ip bgp neighbor
Sh ip bgp labels
Sh mpls forward
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
82
Agenda
• MPLS VPN Definition?
Technology
Configuration
• MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
• Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
• Best Practices
• Conclusion.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
83
Best Practices
1.
Use RR to scale BGP.
2.
Deploy RRs in pair for the redundancy
3.
Keep RRs out of the forwarding paths and disable CEF (saves memory).
4.
Consider Unique RD per VRF per PE, if Load sharing of VPN traffic is reqd.
5.
RT and RD should have ASN in them i.e. ASN : X
Reserve first few 100s of X for the internal purposes such as filtering
6.
Don't use customer names as the VRF names; Nightmare for the NOC. Use
simple combination of numbers and characters in the VRF name
For example - v101, v102, v201, v202 etc. Use description.
7.
Define an upper limit at the PE on the # of prefixes received from the CE for
each VRF or neighbor
max-prefix within the VRF configuration
max-prefix per neighbor within the BGP VRF af (if BGP on the PE-CE)
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
84
Conclusion
• MPLS VPN is a cheaper alternative to traditional l2vpn
• MPLS-VPN paves the way for new revenue streams
VPN customers could outsource their layer3 to the provider
• Straightforward to configure any-to-any VPN topology
partial-mesh, hub&spoke topologies can also be easily deployed
• CsC and Inter-AS could be used to expand into new markets
• VRF-aware services could be deployed to maximize the
investment
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
85
Complete Your Online Session Evaluation!
WHAT:
Complete an online session evaluation
and your name will be entered into a
daily drawing
WHY:
Win fabulous prizes! Give us your feedback!
WHERE: Go to the Internet stations located
throughout the Convention Center
HOW:
Winners will be posted on the onsite
Networkers Website; four winners per day
http://www.networkers04.com/desktop
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
86
Q&A
Thanks for your time.
Eval http://www.networkers04.com/desktop
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
87
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
88
BACK UP SLIDES
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
89
Scenario 1: Back-to-back VRF
Control Plane
ASBR-1
VPN-v4 update:
RD:1:27:10.1.1.0/24
NH=PE-1
RT=1:1, Label=(29)
VPN-B VRF
Import routes with
route-target 1:1
BGP, OSPF, RIPv2
10.1.1.0/24
NH=ASBR-2
PE-1
BGP, OSPF, RIPv2
10.1.1.0/24,NH=CE-2
CE-2
ASBR-2
VPN-v4 update:
RD:1:27:10.1.1.0/24,
NH=ASBR-2
RT=1:1, Label=(92)
VPN-B VRF
Import routes with
route-target 1:1
CE-3
VPN-B
PE-2
BGP, OSPF, RIPv2
10.1.1.0/24,NH=PE-2
VPN-B
10.1.1.0/24
VRF to VRF Connectivity between ASBRs
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
90
Scenario 1: Back-to-back VRF
Forwarding Plane
30
29
ASBR-2
ASBR-1
10.1.1.1
92
10.1.1.1
P2
P1
10.1.1.1
92
20
PE-1
10.1.1.1
PE-2
IP Packets between
ASBRs
10.1.1.1
CE-2
CE-3
VPN-B
10.1.1.0/24
Pros
•Per-customer QoS is possible
•It is simple and elegant since no need to load
the Inter-AS code (but still not widely
deployed).
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
10.1.1.1
VPN-B
Cons
•Not scalable. #of interface on both ASBRs is
directly proportional to #VRF.
•No end-to-end MPLS.
•Unnecessary memory consumed in RIB/(L)FIB
•Dual-homing of ASBR makes provisioning
worse
91
Cisco IOS Configuration
Scenario 1: Back-to-Back VRF between ASBRs
ASBR1
ASBR2
1.1.1.0/30
VRF routes exchange via
any routing protocol
AS #1
AS #2
PE1
ASBR VRF and BGP config
CE-1
VPN-A
ip vrf green
rd 1:1
route-target both 1:1
!
Router bgp x
Address-family ipv4 vrf green
neighbor 1.1.1.x activate
PE2
CE-2
VPN-A
Note: ASBR must already have MPiBGP session with iBGP neighbors
such as RRs or PEs.
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
92
IOS Configuration
Scenario 2.5: Multi-Hop MP-eBGP for VPNv4
ASBR1
Multi-Hop MP-eBGP
for VPNv4
so
so
IGP & LDP
AS #1
ASBR2
AS #2
PE1
PE2
Multi-Hop MP-BGP session between ASBRs
CE-1
VPN-A
RST-2602
9908_06_2004_X2
interface serial 0
ip address 1.1.1.x/30
mpls ldp protcol ldp
router bgp x
no bgp default route-target filter
neighbor < ASBR-x > remote-as x
neighbor < ASBR-x > update loopback0
neighbor < ASBR-x > ebgp-multihop
!
address-family vpnv4
neighbor < ASBR-x > activate
neighbor < ASBR-x > send-comm extended
© 2004 Cisco Systems, Inc. All rights reserved.
CE-2
VPN-A
93
Scenario 4: Non-VPN Transit Provider
• Two MPLS VPN providers may exchange routes via
one or more transit providers
Which may be non-VPN transit backbones just running
MPLS
• Multihop MP-eBGP deployed between edge
providers
With the exchange of BGP next-hops via the transit
provider
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
94
Option 4: Non-VPN Transit Provider
eBGP IPv4 + Labels
ASBR-1
ASBR-2
iBGP IPv4 + Labels
Non-VPN MPLS
Transit Backbone
MPLS VPN Provider
#1
RR-1
PE1
ASBR-3
ASBR-4
CE-2
VPN-B
eBGP IPv4 + Labels
next-hop-unchanged
Multihop MP-eBGP OR
MP-iBGP for VPNv4
iBGP IPv4 + Labels
RR-2
MPLS VPN Provider
#2
PE2
CE-3
VPN-B
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
95
Route-Target rewrite at ASBR
• ASBR can add/delete route-target associated with a
VPNv4 prefix
• Secures the VPN environment
ASBR(conf)#router bgp 1000
ASBR(conf-router)#neighbor 1.1.1.1 route-map route-target-deletion
out
ASBR(conf-router)#exit
ASBR(conf)#route-map route-target-delete
ASBR(conf-route-map)#match extcommunity 101
ASBR(conf-route-map)#set extcomm-list 101 delete
ASBR(conf-route-map)#set extcommunity rt 123:123 additive
ASBR(conf)# ip extcommunity-list 101 permit rt 100:100
RST-2602
9908_06_2004_X2
© 2004 Cisco Systems, Inc. All rights reserved.
96
