Deploying IP/MPLS VPNs

BRKMPL-2102

Rajiv Asati
Distinguished Engineer

BRKMPL-2102 © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Abstract

• Multi Protocol Label Switching (MPLS) has been widely adopted by network operators to provide scalable L2 VPN, L3 VPN, traffic engineering and similar services. Enterprises are fast adopting this technology to address network segmentation and traffic separation needs.
• This session covers MPLS Layer 3 VPN, which is the most widely adopted MPLS application. The session will cover:
  • MPLS VPN Technology Overview (RFC 2547/RFC 4364)
  • MPLS/VPN Configuration Overview
  • MPLS/VPN-based services (multihoming, hub and spoke, extranet, Internet access, NAT, VRF-lite, etc.)
  • Best Practices
Other MPLS-Related Sessions

Session-ID    Session Name
BRKRST-1101   Introduction to MPLS
BRKRST-2103   Migration Considerations When Buying MPLS VPN Service
BRKRST-2105   Inter-AS MPLS Solutions
BRKRST-3101   Advanced Topics and Future Directions in MPLS
Agenda

• MPLS VPN Overview
• MPLS VPN Services
• Best Practices
• Conclusion
Prerequisites Reference

• Must understand basic IP routing, especially BGP
• Must understand MPLS basics (push, pop, swap, label stacking)
• Should understand MPLS VPN basics
• Must keep the speaker engaged…
  …by asking bad questions :-)
Terminology Reference

• LSR: label switch router
• LSP: label switched path
  The chain of labels that are swapped at each hop to get from one LSR to another
• VRF: VPN routing and forwarding
  Mechanism in Cisco IOS® used to build a per-customer RIB and FIB
• MP-BGP: multiprotocol BGP
• PE: provider edge router; interfaces with the CE routers
• P: provider (core) router, without knowledge of VPNs
• VPNv4: address family used in BGP to carry MPLS-VPN routes
• RD: route distinguisher
  Distinguishes the same network/mask prefix in different VRFs
• RT: route target
  Extended community attribute used to control import and export policies of VPN routes
• LFIB: label forwarding information base
• FIB: forwarding information base
Agenda

• MPLS VPN Overview
  Technology (How It Works)
  Configuration
• MPLS-VPN Services
• Best Practices
• Conclusion
MPLS-VPN Technology

• More than one routing and forwarding table
• Control plane: VPN route propagation
• Data (forwarding) plane: VPN packet forwarding
MPLS-VPN Technology
MPLS VPN Connection Model

[Diagram: CE routers attach to PE routers at the edge of the MPLS backbone; P routers sit inside the backbone; an MP-iBGP session runs between the PE routers]

PE Routers                                                  P Routers
Sit at the edge                                             Sit inside the network
Use MPLS with P routers                                     Forward packets by looking at labels
Use IP with CE routers                                      P and PE routers share a common IGP
Distribute VPN information through MP-BGP to other PE routers
MPLS-VPN Technology
Separate Routing Tables at PE

[Diagram: CE1 (VPN 1) and CE2 (VPN 2) attach to a PE; the PE faces the MPLS backbone running an IGP (OSPF, ISIS)]

Customer Specific Routing Table
• Routing (RIB) and forwarding table (CEF) dedicated to each VPN customer
  VPN1 routing table
  VPN2 routing table
• Referred to as the VRF table for the <named VPN>
• "show ip route vrf <name>"

Global Routing Table
• Created when IP routing is enabled on the PE
• Populated by OSPF, ISIS, etc. inside the MPLS backbone
• "show ip route"
MPLS-VPN Technology
Virtual Routing and Forwarding Instance (1)

[Diagram: CE1 (VPN 1) attaches to the PE on Ser0/0, which is placed in VRF Blue; CE2 (VPN 2) attaches to an interface in VRF Green; the PE faces the MPLS backbone IGP (OSPF, ISIS)]

• What is a Virtual Routing and Forwarding (VRF) instance?
  Representation of a VPN customer inside the SP MPLS network
  Each VPN is associated with at least one VRF
• VRF is configured on each PE and associated with the PE-CE interface(s)
  Privatizes an interface, i.e., "colors" the interface
• VRF-aware routing protocols (static, RIP, BGP, EIGRP, ISIS, OSPF)
• No changes needed at the CE

    PE(conf)#ip vrf blue
    PE(conf)#interface Ser0/0
    PE(conf)#ip vrf forwarding blue
MPLS-VPN Technology
Virtual Routing and Forwarding Instance (2)

[Diagram: CE1 (VPN 1) and CE2 (VPN 2) attach to the PE over EBGP, OSPF, RIPv2 or static routing; the PE faces the MPLS backbone IGP (OSPF, ISIS)]

• PE installs the backbone routes (IGP) in the global routing table
• PE installs the VPN routes in the VRF routing table(s)
  VPN routes are learned from CE routers or from remote PE routers
• VPN customers can use overlapping IP addresses

BGP plays a key role. Let's understand a few BGP-specific details…
MPLS-VPN Technology: Control Plane
The Control Plane for MPLS VPN Is Multi-Protocol BGP

MP-BGP UPDATE message, showing only the VPNv4 address, RT and label:

    RD (8 bytes)   IPv4 (4 bytes)   Route-Target (8 bytes)   Label (3 bytes)
    1:1            10.1.1.0
    \_________ VPNv4 ________/

MP-BGP customizes the VPN customer routing information as per the locally configured VRF information at the PE:
• Route Distinguisher (RD)
• Route Target (RT)
• Label
MPLS-VPN Technology: Control Plane
MP-BGP UPDATE Message Capture Reference

[Packet capture of an MP-BGP UPDATE advertising VPNv4 routes; the capture highlights the Path Attributes, a Route Target of 3:3 in the extended community attribute, and the attribute in which the VPNv4 prefix with its label is encoded]

• Visualize how the BGP UPDATE message advertising VPNv4 routes looks like.
• Notice the Path Attributes.
MPLS VPN Control Plane
MP-BGP Update Components: RD and VPNv4 Address

MP-BGP UPDATE showing RD, RT and label:

    RD (8 bytes)   IPv4 (4 bytes)   Route-Target (8 bytes)   Label (3 bytes)
    1:1            10.1.1.0
    \_________ VPNv4 ________/

• The VPN customer IPv4 address (10.1.1.0, say) is converted into a VPNv4 address by combining the RD with the IPv4 address => 1:1:10.1.1.0
  Makes the customer's IPv4 address unique inside the SP MPLS network.
• The Route Distinguisher (RD) is configured inside the VRF at the PE
  RD is not a BGP attribute, just a field.

    !
    ip vrf green
     rd 1:1
    !

* After 12.4(3)T, 12.4(3), 12.2(32)S, 12.0(32)S etc., RD configuration within the VRF has become optional. Prior to that, it was mandatory.
MPLS VPN Control Plane
MP-BGP Update Components: Route-Target

MP-BGP UPDATE showing RD, RT and label:

    RD (8 bytes)   IPv4 (4 bytes)   Route-Target (8 bytes)   Label (3 bytes)
    1:1            10.1.1.0         1:2
    \_________ VPNv4 ________/

• Route-target (RT) identifies the VRF for the received VPNv4 prefix. It is an 8-byte extended community attribute.
• Each VRF is configured with a set of RT(s) at the PE
  RT identifies which VRF(s) keep which VPN route
• Export RT(s) are attached to the VPN routes in PE->PE advertisements

    !
    ip vrf green
     route-target import 1:1
     route-target export 1:2
    !
MPLS VPN Control Plane
MP-BGP Update Components: Label

MP-BGP UPDATE showing RD, RT and label:

    RD (8 bytes)   IPv4 (4 bytes)   Route-Target (8 bytes)   Label (3 bytes)
    1:1            10.1.1.0         2:2                      50
    \_________ VPNv4 ________/

• The PE assigns a label for the VPNv4 prefix; the label is not an attribute.
  Next-hop-self towards MP-iBGP neighbors by default, i.e., the PE sets the NEXT-HOP attribute to its own address (loopback)
• PE addresses used as BGP next-hop must be uniquely known in the backbone IGP
  Do not summarize the PE loopback addresses in the core
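The three slides above describe the RD, Route-Target and label fields of the MP-BGP UPDATE in terms of their sizes. The following Python is an added example, not code from the Cisco deck, that encodes those fields the way they are laid out on the wire (type-0 RD, two-octet-AS route-target extended community, and the labeled VPNv4 NLRI of RFC 4364) and decodes them again. The values RD 1:1, prefix 10.1.1.0/24, RT 1:2 and label 100 are the ones used on the slides; the function names are this example's own.

```python
"""Added example (not from the Cisco deck): the MP-BGP fields drawn on the
RD / Route-Target / Label slides, encoded the way they appear on the wire.

Wire layouts used here:
  Route Distinguisher (type 0): type(2) | ASN(2) | assigned number(4)            = 8 bytes
  Route Target ext. community : type 0x00, subtype 0x02 | ASN(2) | assigned(4)   = 8 bytes
  Labeled VPNv4 NLRI          : length-in-bits(1) | label(3) | RD(8) | prefix bytes
"""
import ipaddress
import struct


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type-0 RD, i.e. the 'ASN:nn' form used in 'rd 1:1'."""
    return struct.pack("!HHI", 0, asn, assigned)


def decode_rd(raw: bytes) -> str:
    rd_type, asn, assigned = struct.unpack("!HHI", raw)
    if rd_type != 0:
        raise ValueError(f"only type-0 RDs are handled here, got type {rd_type}")
    return f"{asn}:{assigned}"


def encode_rt(asn: int, assigned: int) -> bytes:
    """Two-octet-AS specific route target extended community."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)


def decode_rt(raw: bytes) -> str:
    typ, subtype, asn, assigned = struct.unpack("!BBHI", raw)
    if (typ, subtype) != (0x00, 0x02):
        raise ValueError("not a two-octet-AS route target")
    return f"{asn}:{assigned}"


def encode_label_field(label: int, bottom_of_stack: bool = True) -> bytes:
    """3-byte label field of the NLRI: 20-bit label, 3 EXP bits (0), 1 S bit."""
    return ((label << 4) | int(bottom_of_stack)).to_bytes(3, "big")


def vpnv4_address(rd: str, prefix: str) -> str:
    """The human-readable 'RD:IPv4' form the slides show, e.g. 1:1:10.1.1.0."""
    return f"{rd}:{ipaddress.ip_network(prefix).network_address}"


def encode_vpnv4_nlri(rd: tuple, prefix: str, label: int) -> bytes:
    net = ipaddress.ip_network(prefix)
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    length_bits = 8 * (3 + 8) + net.prefixlen          # label + RD + prefix bits
    return bytes([length_bits]) + encode_label_field(label) + encode_rd(*rd) + prefix_bytes


def decode_vpnv4_nlri(raw: bytes) -> dict:
    """Inverse of encode_vpnv4_nlri; returns the fields a receiving PE acts on."""
    length_bits = raw[0]
    label_field = int.from_bytes(raw[1:4], "big")
    rd = decode_rd(raw[4:12])
    prefixlen = length_bits - 8 * 11
    nbytes = (prefixlen + 7) // 8
    addr = ipaddress.IPv4Address(raw[12:12 + nbytes].ljust(4, b"\x00"))
    prefix = f"{addr}/{prefixlen}"
    return {
        "rd": rd,
        "prefix": prefix,
        "vpnv4": vpnv4_address(rd, prefix),
        "label": label_field >> 4,
        "bottom_of_stack": bool(label_field & 1),
        "consumed": 12 + nbytes,
    }


def demo() -> dict:
    """Encode the slides' example (RD 1:1, 10.1.1.0/24, label 100, RT 1:2) and decode it back."""
    nlri = encode_vpnv4_nlri((1, 1), "10.1.1.0/24", 100)
    rt = encode_rt(1, 2)
    return {"nlri_len": len(nlri), "rt_len": len(rt), "rt": decode_rt(rt), **decode_vpnv4_nlri(nlri)}
```

Note that the 4-byte "IPv4" box on the slides is the prefix as a whole address; on the wire only as many prefix bytes as the mask needs are sent, which is why the NLRI for a /24 is 15 bytes (1 + 3 + 8 + 3) and the decoder pads the address back to four bytes.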
MPLS VPN Control Plane:
Putting It All Together

[Diagram: Site 1 (10.1.1.0/24, CE1) attaches to PE1; PE2 attaches to CE2 at Site 2; P routers form the MPLS backbone. (1) CE1 advertises 10.1.1.0/24 with next-hop CE-1 to PE1. (2)-(3) PE1 sends the MP-iBGP update RD:10.1.1.0, next-hop PE-1, RT=1:2, label=100]

1. PE1 receives an IPv4 update (eBGP/OSPF/ISIS/RIP/EIGRP)
2. PE1 translates it into a VPNv4 address and constructs the MP-iBGP UPDATE message
   Associates the RT values (export RT = 1:2, say) per the VRF configuration
   Rewrites the next-hop attribute to itself
   Assigns a label (100, say) and installs it in the MPLS forwarding table
3. PE1 sends the MP-iBGP update to the other PE routers
MPLS VPN Control Plane:
Putting It All Together

[Diagram: same topology. (4) PE2 receives the MP-iBGP update RD:10.1.1.0, next-hop PE-1, RT=1:2, label=100. (5) PE2 advertises 10.1.1.0/24 with next-hop PE-2 to CE2]

4. PE2 receives the update and checks whether RT=1:2 is locally configured as an 'import RT' within any VRF; if yes, then
   PE2 translates the VPNv4 prefix back into an IPv4 prefix
   Updates the VRF CEF table for 10.1.1.0/24 with label=100
5. PE2 advertises this IPv4 prefix to CE2 (using whatever routing protocol runs on the PE-CE link)
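Steps 1 to 5 above are the whole control-plane round trip. The Python below is an added example, not code from the Cisco deck, that models those steps with two PE objects: PE1 exports a CE-learned route as a VPNv4 route (RD prepended, export RT attached, next-hop-self, label allocated and installed in its LFIB) and PE2 imports it only into VRFs whose import RTs match. RD 1:1, export RT 1:2 and label 100 follow the slides; the PE loopbacks 10.0.0.1/10.0.0.2, the CE address and the second "blue" VRF on PE2 (present to show that a non-matching RT is never imported) are constructed for the example.

```python
"""Added example (not from the Cisco deck): a small model of the five control-plane
steps on the 'Putting It All Together' slides."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    rib: dict = field(default_factory=dict)   # prefix -> {"next_hop", "label", "source"}


@dataclass(frozen=True)
class VpnRoute:                               # what one MP-iBGP UPDATE carries
    vpnv4: str                                # "RD:prefix"
    prefix: str
    rts: frozenset
    next_hop: str                             # PE loopback (next-hop-self)
    label: int


class PE:
    def __init__(self, name, loopback):
        self.name, self.loopback = name, loopback
        self.vrfs = {}
        self.lfib = {}                        # label -> (vrf, prefix): MPLS forwarding table
        self._labels = count(100)             # constructed: first VPN label is 100 as on the slide

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def learn_from_ce(self, vrf_name, prefix, ce_next_hop):
        """Step 1: an IPv4 route arrives from the CE (eBGP/OSPF/ISIS/RIP/EIGRP)."""
        self.vrfs[vrf_name].rib[prefix] = {"next_hop": ce_next_hop, "label": None, "source": "ce"}

    def export(self):
        """Steps 2-3: for every CE-learned route build the VPNv4 route: RD prepended,
        the VRF's export RTs attached, next hop rewritten to self, a label assigned
        and installed in the LFIB. The returned list is what goes to the other PEs."""
        updates = []
        for vrf in self.vrfs.values():
            for prefix, entry in vrf.rib.items():
                if entry["source"] != "ce":
                    continue
                label = next(self._labels)
                self.lfib[label] = (vrf.name, prefix)
                updates.append(VpnRoute(f"{vrf.rd}:{prefix}", prefix, vrf.export_rts,
                                        self.loopback, label))
        return updates

    def receive(self, update):
        """Step 4: import into every VRF whose import RTs intersect the route's RTs,
        storing the IPv4 prefix together with the remote PE's label and next hop."""
        installed = []
        for vrf in self.vrfs.values():
            if vrf.import_rts & update.rts:
                vrf.rib[update.prefix] = {"next_hop": update.next_hop,
                                          "label": update.label, "source": "bgp"}
                installed.append(vrf.name)
        return installed

    def routes_for_ce(self, vrf_name):
        """Step 5: the IPv4 prefixes this PE advertises to the CE of that VRF."""
        return sorted(self.vrfs[vrf_name].rib)


def demo():
    pe1, pe2 = PE("PE1", "10.0.0.1"), PE("PE2", "10.0.0.2")
    pe1.add_vrf(Vrf("green", "1:1", frozenset({"1:1"}), frozenset({"1:2"})))
    pe2.add_vrf(Vrf("green", "1:1", frozenset({"1:2"}), frozenset({"1:1"})))
    # A second customer on PE2 with different RTs: must never see green's route.
    pe2.add_vrf(Vrf("blue", "2:2", frozenset({"2:2"}), frozenset({"2:2"})))
    pe1.learn_from_ce("green", "10.1.1.0/24", "192.168.10.2")
    imported = {u.vpnv4: pe2.receive(u) for u in pe1.export()}
    return pe1, pe2, imported
```

The import check in `receive` is the only thing that keeps customers apart on the control plane, which is why a typo in a `route-target import` line is a cross-VPN leak rather than an outage: the route still arrives, it just lands in the wrong table.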
MPLS-VPN Forwarding Plane
Review

[Diagram: Site 1 (10.1.1.0/24, CE1) - PE1 - P1/P3 - P2/P4 - PE2 - CE2 (Site 2)]

VRF Green forwarding table (at PE2)
    Dest          Next-Hop
    10.1.1.0/24   PE1, Label: 100

Global routing/forwarding tables
    Dest   Next-Hop                 Dest   Next-Hop
    PE2    P3, Label: 50            PE1    P2, Label: 25

Global Forwarding Table (show ip cef)
• Stores next-hop routes with the associated labels
• Next-hop routes learned through the IGP
• Labels learned through LDP/TDP

VRF Forwarding Table (show ip cef vrf <vrf>)
• Stores VPN routes with the associated labels
• VPN routes learned through BGP
• Labels learned through MP-BGP
MPLS-VPN Forwarding Plane
Packet Forwarding

[Diagram: CE2 at Site 2 sends an IP packet to 10.1.1.1; PE2 forwards it as the MPLS packet "50 | 100 | 10.1.1.1" towards P1; P1 forwards "25 | 100 | 10.1.1.1" via P2 to PE1; PE1 delivers the IP packet "10.1.1.1" to CE1 at Site 1 (10.1.1.0/24)]

• PE2 imposes two labels (MPLS headers) on each packet going to the VPN destination 10.1.1.1.
  The outer label is learned via LDP and corresponds to the IGP route towards the BGP next-hop (PE1)
  The inner label is learned via MP-BGP and corresponds to the VPN address
• PE1 recovers the IP packet (from the received MPLS packet) and forwards it to CE1.
MPLS-VPN Technology: Forwarding Plane
MPLS Packet Capture Reference

• This capture might be helpful if you never captured an MPLS packet before.

[Packet capture of an MPLS packet: Ethernet header, outer label, inner label, IP packet]
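The "Packet Forwarding" slide and the capture reference above show the two-label packet as a picture. The Python below is an added example, not code from the Cisco deck, that builds that frame byte for byte (Ethernet header, two 32-bit label stack entries, IPv4 packet) and walks it PE2 -> P1 -> PE1 with per-hop LFIB lookups on the top label only. Label values 50 (outer), 100 (inner) and 25 (after P1's swap) are the slide's; the MAC addresses, the IP payload, the LFIB dictionaries and the decision to model P2 as transparent and to skip penultimate-hop popping are constructed for the example.

```python
"""Added example (not from the Cisco deck): the two-label packet of the
'Packet Forwarding' slide built byte-for-byte and walked PE2 -> P1 -> PE1."""
import ipaddress
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847


def encode_label_entry(label, exp=0, bos=False, ttl=255):
    """One 32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_label_entry(raw):
    v, = struct.unpack("!I", raw)
    return {"label": v >> 12, "exp": (v >> 9) & 0x7, "bos": bool((v >> 8) & 1), "ttl": v & 0xFF}


def build_ipv4_packet(src, dst, payload=b""):
    """Minimal IPv4 header (checksum left at 0; not needed for this walk)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv4_dst(packet):
    return str(ipaddress.IPv4Address(packet[16:20]))


def build_mpls_frame(labels, ip_packet, ttl=255, dst_mac=b"\x02" * 6, src_mac=b"\x04" * 6):
    """Ethernet frame carrying a label stack; only the last ent
    ry gets the S bit."""
    stack = b"".join(encode_label_entry(lbl, bos=(i == len(labels) - 1), ttl=ttl)
                     for i, lbl in enumerate(labels))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_MPLS_UNICAST) + stack + ip_packet


def parse_mpls_frame(frame):
    """Returns (label stack entries top-first, payload after the bottom-of-stack entry)."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError("not an MPLS unicast frame")
    off, stack = 14, []
    while True:
        entry = decode_label_entry(frame[off:off + 4])
        off += 4
        stack.append(entry)
        if entry["bos"]:
            return stack, frame[off:]


def lsr_forward(frame, lfib):
    """One LSR hop: act on the top label only (swap or pop) and decrement TTL.
    lfib maps incoming label -> ('swap', new_label) or ('pop', None)."""
    stack, payload = parse_mpls_frame(frame)
    top, rest = stack[0], [e["label"] for e in stack[1:]]
    action, out_label = lfib[top["label"]]
    new_labels = ([out_label] if action == "swap" else []) + rest
    if not new_labels:                      # last label popped: hand the IP packet to the VRF
        return payload
    return build_mpls_frame(new_labels, payload, ttl=top["ttl"] - 1)


def walk():
    """PE2 imposes [50, 100]; P1 swaps 50->25; PE1 pops 25 and then 100."""
    ip_in = build_ipv4_packet("10.2.2.2", "10.1.1.1")            # constructed CE2 -> CE1 packet
    at_p1 = build_mpls_frame([50, 100], ip_in)                   # PE2 output
    at_pe1 = lsr_forward(at_p1, {50: ("swap", 25)})              # P1 output (P2 modelled as transparent)
    after_outer_pop = lsr_forward(at_pe1, {25: ("pop", None)})   # PE1: IGP label gone
    ip_out = lsr_forward(after_outer_pop, {100: ("pop", None)})  # PE1: VPN label gone, IP packet to CE1
    return {
        "pe2_labels": [e["label"] for e in parse_mpls_frame(at_p1)[0]],
        "pe1_labels": [e["label"] for e in parse_mpls_frame(at_pe1)[0]],
        "pe1_top_ttl": parse_mpls_frame(at_pe1)[0][0]["ttl"],
        "delivered_to": ipv4_dst(ip_out),
        "payload_intact": ip_out == ip_in,
    }
```

The point worth noticing in `lsr_forward` is that P1 never reads the inner label or the IP header: the core forwards purely on the outer label, so the VPN label 100 and the customer address are opaque to it until PE1 pops the stack.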
Agenda

• MPLS VPN Explained
  Technology
  Configuration
• MPLS-VPN Services
• Best Practices
• Conclusion
MPLS VPN Sample Configuration (IOS) Reference

[Diagram: Site 1 (10.1.1.0/24, CE1) connects to PE1 Se0 (192.168.10.1); PE1 s1 connects to a P router]

VRF Definition
    ip vrf VPN-A
     rd 1:1
     route-target export 100:1
     route-target import 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0

(ip vrf forwarding is entered before the address: assigning an interface to a VRF removes any IP address already configured on it.)

PE-P Configuration
    interface Serial1
     ip address 130.130.1.1 255.255.255.252
     mpls ip
    !
    router ospf 1
     network 130.130.1.0 0.0.0.3 area 0
MPLS VPN Sample Configuration (IOS) Reference

[Diagram: PE1 and PE2 peer over MP-iBGP with a route reflector (RR)]

PE: MP-iBGP Config
    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.4 activate
      neighbor 1.2.3.4 send-community both
     !

RR: MP-iBGP Config
    router bgp 1
     no bgp default route-target filter
     neighbor 1.2.3.6 remote-as 1
     neighbor 1.2.3.6 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.6 route-reflector-client
      neighbor 1.2.3.6 activate
     !
MPLS VPN Sample Configuration (IOS) Reference

[Diagram: Site 1 (10.1.1.0/24), CE1 192.168.10.2 connects to PE1 192.168.10.1]

PE-CE Routing: BGP
    router bgp 1
     !
     address-family ipv4 vrf VPN-A
      neighbor 192.168.10.2 remote-as 2
      neighbor 192.168.10.2 activate
     exit-address-family
    !

PE-CE Routing: OSPF
    router ospf 1
    !
    router ospf 2 vrf VPN-A
     network 192.168.10.0 0.0.0.255 area 0
     redistribute bgp 1 subnets
    !
MPLS VPN Sample Configuration (IOS) Reference

[Diagram: Site 1 (10.1.1.0/24), CE1 192.168.10.2 connects to PE1 192.168.10.1]

PE-CE Routing: RIP
    router rip
     !
     address-family ipv4 vrf VPN-A
      version 2
      no auto-summary
      network 192.168.10.0
      redistribute bgp 1 metric transparent
     !

PE-CE Routing: EIGRP
    router eigrp 1
     !
     address-family ipv4 vrf VPN-A
      no auto-summary
      network 192.168.10.0 0.0.0.255
      autonomous-system 1
      redistribute bgp 1 metric 100000 100 255 1 1500
     !
MPLS VPN Sample Configuration (IOS) Reference

[Diagram: Site 1 (10.1.1.0/24), CE1 192.168.10.2 connects to PE1 192.168.10.1]

PE-CE Routing: Static
    ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2

If the PE-CE protocol is non-BGP (such as RIP), then redistribution of the VPN routes from MP-iBGP is required (shown below for RIP):

PE-CE: MP-iBGP Routes to VPN
    router rip
     address-family ipv4 vrf VPN-A
      version 2
      redistribute bgp 1 metric transparent
      no auto-summary
      network 192.168.10.0
     exit-address-family
MPLS VPN Sample Configuration (IOS) Reference

If the PE-CE protocol is non-BGP, then redistribution of the local VPN routes into MP-iBGP is required (shown below):

PE-RR (VPN Routes to VPNv4)
    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback 0
     !
     address-family ipv4 vrf VPN-A
      redistribute {rip|connected|static|eigrp|ospf}

• For hands-on learning, please attend the lab sessions:
  LTRMPL-2104 Implementing MPLS in SP Networks (Intro Level)
  LTRMPL-2105 Implementing MPLS in SP Networks (Advanced Level)
• Having familiarized ourselves with the IOS-based config, let's glance through the IOS-XR based config for VPNs
MPLS VPN Sample Configuration (IOS-XR) Reference

[Diagram: Site 1 (10.1.1.0/24), CE1 192.168.10.2 connects to PE1 Se0 192.168.10.1]

VRF Definition
    vrf VPN-A
     address-family ipv4 unicast
      import route-target 100:1
      export route-target 100:1
      export route-policy raj-exp
    !
    interface Serial0
     vrf VPN-A
     ipv4 address 192.168.10.1/24

PE-CE Routing: BGP
    router bgp 1
     vrf VPN-A
      rd 1:1
      bgp router-id 192.168.10.1
      address-family ipv4 unicast
       redistribute connected
      !
      neighbor 192.168.10.2
       remote-as 2
       address-family ipv4 unicast
        route-policy raj-temp in
       !
      !
     !
    !
Agenda

• MPLS VPN Explained
• MPLS-VPN Services
  1. Load-Sharing for Multihomed VPN Sites
  2. Hub and Spoke Service
  3. MPLS VPN Extranet Service
  4. Internet Access Service
  5. VRF-Aware NAT Services
  6. VRF-Selection Based Services
  7. Remote VPN Access Service
  8. QoS Service
  9. Multicast VPN Service
  10. MPLS/VPN over IP Transport
  11. IPv6 VPN Service
  12. Multi-VRF CE Service
• Best Practices
• Conclusion
MPLS VPN Services:
1. Loadsharing for the VPN Traffic

[Diagram: CE1 at Site A is dual-homed to PE11 and PE12; PE2 connects CE2 at Site B; an RR sits in the MPLS backbone; the route advertisement for 171.68.2.0/24 flows from Site A towards PE2]

• VPN sites (such as Site A) could be multihomed
• The VPN customer may demand that the traffic (to the multihomed site) be loadshared
MPLS VPN Services:
1. Loadsharing for the VPN Traffic: Cases

Case 1: 1 CE, 2 PEs
[Diagram: CE1 at Site A attaches to both PE11 and PE12; traffic from Site B (CE2 via PE2) towards 171.68.2.0/24 is split across both PEs]

Case 2: 2 CEs, 2 PEs
[Diagram: Site A has two CE routers, one attached to PE11 and one to PE12; traffic from Site B (CE2 via PE2) towards 171.68.2.0/24 is split across both PEs]
MPLS VPN Services:
1. Loadsharing for the VPN Traffic: Deployment

• Configure a unique RD per VRF per PE for the multihomed site/interfaces (1)
  Assuming an RR exists
• Enable BGP multipath within the relevant BGP VRF address-family at the remote PE routers such as PE2 (2) (why PE2?)

[Diagram: CE1 at Site A dual-homed to PE11 and PE12 (step 1 applies to both); RR in the MPLS backbone; PE2 (step 2) connects CE2 at Site B; prefix 171.68.2.0/24]

PE11 (1):
    ip vrf green
     rd 300:11
     route-target both 1:1

PE12 (1):
    ip vrf green
     rd 300:12
     route-target both 1:1

PE2 (1, 2):
    ip vrf green
     rd 300:13
     route-target both 1:1
    !
    router bgp 1
     address-family ipv4 vrf green
      maximum-paths eibgp 2
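The two deployment steps above (unique RD per PE, multipath at the remote PE) are easiest to see by modelling the route reflector. The Python below is an added example, not code from the Cisco deck: a minimal RR that keeps one best path per VPNv4 NLRI, i.e. per (RD, prefix) pair, and a PE2 that installs up to `maximum-paths eibgp N` next hops for the resulting IPv4 prefix. The RDs 300:11 and 300:12 and prefix 171.68.2.0/24 are the slide's; PE names stand in for loopback addresses, and picking the lowest next-hop address is a constructed stand-in for the full BGP bestpath algorithm.

```python
"""Added example (not from the Cisco deck): why the loadsharing slide asks for a
unique RD per PE and for multipath at the remote PE."""


def rr_reflect(paths):
    """paths: iterable of (rd, prefix, next_hop) as received from PE11/PE12.
    A route reflector advertises one best path per VPNv4 NLRI; the NLRI is the
    RD plus the prefix, so two PEs using the same RD compete for one slot."""
    best = {}
    for rd, prefix, next_hop in paths:
        key = (rd, prefix)
        if key not in best or next_hop < best[key][2]:   # constructed tie-break
            best[key] = (rd, prefix, next_hop)
    return sorted(best.values())


def pe2_next_hops(reflected, prefix, maximum_paths):
    """Next hops PE2 installs for an IPv4 prefix in the VRF: every received VPNv4
    route that translates back to that prefix, capped by 'maximum-paths eibgp N'.
    Without multipath (N=1) only the best of them is used, which is why the knob
    belongs on PE2, the PE that actually sends traffic towards the multihomed site."""
    next_hops = sorted(nh for _, p, nh in reflected if p == prefix)
    return next_hops[:maximum_paths]


def compare(prefix="171.68.2.0/24"):
    same_rd = [("300:11", prefix, "PE11"), ("300:11", prefix, "PE12")]
    unique_rd = [("300:11", prefix, "PE11"), ("300:12", prefix, "PE12")]
    return {
        "rr_advertises_same_rd": len(rr_reflect(same_rd)),
        "rr_advertises_unique_rd": len(rr_reflect(unique_rd)),
        "same_rd_multipath": pe2_next_hops(rr_reflect(same_rd), prefix, 2),
        "unique_rd_multipath": pe2_next_hops(rr_reflect(unique_rd), prefix, 2),
        "unique_rd_no_multipath": pe2_next_hops(rr_reflect(unique_rd), prefix, 1),
    }
```

With the same RD on PE11 and PE12 the RR only ever forwards one of the two paths, so no amount of multipath configuration on PE2 can loadshare; with distinct RDs both paths reach PE2 and `maximum-paths eibgp 2` lets it use both.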
MPLS VPN Services:
1. VPN Fast Convergence: PE-CE Link Failure

[Diagram: CE1 at Site A dual-homed to PE11 and PE12; the PE11-CE1 link fails; VPN traffic from PE2 still arrives at PE11 and is dropped by PE11 until it can be redirected via PE12]

• In a classic multihoming case, PE11, upon detecting the PE-CE link failure, sends a BGP message to withdraw the VPN routes towards the other PE routers.
  This results in the remote PE routers selecting the alternate bestpath (if any), but until then they keep sending the MPLS/VPN traffic to PE11, which keeps dropping the traffic.
• Use the fast local repair feature (referred to as BGP local convergence) to reduce the loss due to the PE-CE link failure from seconds to milliseconds.

    !
    ip vrf green
     rd 300:11
     protection local-prefixes
    !
MPLS VPN Services:
1. VPN Fast Convergence: PE-CE Link Failure

[Diagram: same topology; after the PE11-CE1 link fails, PE11 redirects the VPN traffic received from PE2 to PE12, which delivers it to CE1]

• The 'BGP Local Convergence' feature helps PE11 minimize the traffic loss, from seconds to milliseconds, during a local PE-CE link failure
  PE11 immediately reprograms the forwarding entry with the alternate BGP best path (which is via PE12)
  PE11 redirects the CE1-bound traffic to PE12 (with the right label)
• In parallel, PE11 sends the 'BGP withdraw message' to RR/PE2, which run the bestpath algorithm, remove the path learned via PE11, and then adjust their forwarding entries to point via PE12
• This feature is independent of whether multipath is enabled on PE2 or not; it does, however, depend on the VPN site being multihomed
Agenda

• MPLS VPN Explained
• MPLS-VPN Services
  1. Load-Sharing for Multihomed VPN Sites
  2. Hub and Spoke Service
  3. MPLS VPN Extranet Service
  4. Internet Access Service
  5. VRF-Aware NAT Services
  6. VRF-Selection Based Services
  7. Remote VPN Access Service
  8. QoS Service
  9. Multicast VPN Service
  10. MPLS/VPN over IP Transport
  11. IPv6 VPN Service
  12. Multi-VRF CE Service
• Best Practices
• Conclusion
MPLS-VPN Services:
2. Hub and Spoke Service

• Many VPN deployments need to be hub and spoke
  Spoke-to-spoke communication via the hub site only
• Despite MPLS VPN's implicit any-to-any, i.e., full-mesh connectivity, a hub and spoke service can easily be offered
  Done with import and export of route-target (RT) values
  Requires a unique RD per VRF per PE
• PE routers can run any routing protocol with the VPN customer's hub and spoke sites independently
MPLS-VPN Services:
2. Hub and Spoke Service

• Two configuration options:
  1. One PE-CE interface to the hub and one VRF
  2. Two PE-CE interfaces to the hub and two VRFs
• Use option #1 if the hub site advertises default or summary routes towards the spoke sites; otherwise use option #2
• The HDVRF feature* allows option #2 to use just one PE-CE interface

* The HDVRF feature is discussed later
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration – Option#1

[Diagram: Spoke A (171.68.1.0/24, CE-SA) attaches to PE-SA; Spoke B (171.68.2.0/24, CE-SB) attaches to PE-SB; CE-Hub attaches to PE-Hub on Eth0/0; all PEs connect to the MPLS VPN backbone]

Import and export RT values must be different.

PE-SA:
    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2

PE-SB:
    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2

PE-Hub:
    ip vrf HUB
     description VRF for HUB
     rd 300:11
     route-target import 1:1
     route-target export 2:2

Note: Only the VRF configuration is shown here
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration – Option#2

[Diagram: Spoke A (171.68.1.0/24, CE-SA) attaches to PE-SA; Spoke B (171.68.2.0/24, CE-SB) attaches to PE-SB; CE-Hub attaches to PE-Hub over two subinterfaces, Eth0/0.1 (VRF HUB-IN) and Eth0/0.2 (VRF HUB-OUT); all PEs connect to the MPLS VPN backbone]

Import and export RT values must be different.

PE-SA:
    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2

PE-SB:
    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2

PE-Hub:
    ip vrf HUB-IN
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-OUT
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2

Note: Only the VRF configuration is shown here
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration – Option#2

• If BGP is used between every PE and CE, then the allowas-in and as-override* knobs must be used at the PE-Hub**
  Otherwise AS_PATH looping will occur

* Only if hub and spoke sites use the same BGP ASN
** Configuration for this is shown on the next slide
MPLS-VPN Services:
2. Hub and Spoke Service: Configuration – Option#2

[Diagram: Spoke A (171.68.1.0/24, CE-SA) attaches to PE-SA; Spoke B (171.68.2.0/24, CE-SB) attaches to PE-SB; CE-Hub attaches to PE-Hub over Eth0/0.1 (VRF HUB-IN) and Eth0/0.2 (VRF HUB-OUT)]

PE-SA:
    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2

PE-SB:
    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2

PE-Hub:
    ip vrf HUB-IN
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-OUT
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2
    !
    router bgp <ASN>
     address-family ipv4 vrf HUB-IN
      neighbor <CE> as-override
     !
     address-family ipv4 vrf HUB-OUT
      neighbor <CE> allowas-in 2
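The slide states that `as-override` in VRF HUB-IN and `allowas-in 2` in VRF HUB-OUT are needed when hub and spoke sites share a BGP ASN, and that AS_PATH looping occurs otherwise. The Python below is an added example, not code from the Cisco deck, that traces the AS_PATH of a spoke route through PE-Hub and the hub CE and applies the eBGP loop check at each step, so the reason for both knobs, and for the value 2 specifically, falls out of the trace. The provider ASN 1 is taken from the deck's sample configurations; the customer ASN 65001 is constructed, and only AS_PATH handling is modelled.

```python
"""Added example (not from the Cisco deck): why Option#2 needs 'as-override'
in VRF HUB-IN and 'allowas-in 2' in VRF HUB-OUT when every customer site
uses the same BGP ASN."""
PROVIDER_AS = 1        # from the deck's 'router bgp 1' samples
CUSTOMER_AS = 65001    # constructed: one ASN shared by the hub and all spokes


def ebgp_send(as_path, local_as, as_override=False, peer_as=None):
    """AS_PATH as put on the wire towards an eBGP peer. With as-override every
    occurrence of the peer's own ASN is replaced by ours first; then we prepend."""
    path = [local_as if (as_override and asn == peer_as) else asn for asn in as_path]
    return [local_as] + path


def ebgp_accept(as_path, local_as, allowas_in=0):
    """Receiver-side loop check: our ASN may appear at most allowas_in times."""
    return as_path.count(local_as) <= allowas_in


def walk(as_override, allowas_in):
    """Route 171.68.1.0/24 from Spoke A to the hub CE and back into VRF HUB-OUT."""
    at_pe_sa = ebgp_send([], CUSTOMER_AS)                   # CE-SA -> PE-SA: [65001]
    # PE-SA -> PE-Hub is MP-iBGP, so the AS_PATH arrives unchanged in VRF HUB-IN.
    towards_hub = ebgp_send(at_pe_sa, PROVIDER_AS, as_override, CUSTOMER_AS)
    if not ebgp_accept(towards_hub, CUSTOMER_AS):
        # the hub CE sees its own ASN and silently drops the spoke route
        return {"path_to_hub": towards_hub, "hub_accepts": False, "pe_hub_accepts": None}
    from_hub = ebgp_send(towards_hub, CUSTOMER_AS)          # CE-Hub -> PE-Hub (VRF HUB-OUT)
    return {"path_to_hub": towards_hub, "hub_accepts": True,
            "path_from_hub": from_hub,
            "pe_hub_accepts": ebgp_accept(from_hub, PROVIDER_AS, allowas_in)}
```

Without `as-override` the hub CE receives `[1, 65001]` and rejects its own ASN. With it the hub receives `[1, 1]`, re-advertises `[65001, 1, 1]`, and PE-Hub now sees ASN 1 twice, which is exactly why `allowas-in 2` (not 1) is what the slide configures in HUB-OUT.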
MPLS-VPN Services:
2. Hub and Spoke Service: Control Plane (Option#2)

FIB: IP forwarding table; LFIB: MPLS forwarding table

PE-SA, VRF FIB and LFIB                      MP-iBGP update from PE-SA
    Destination     NextHop   Label              171.68.1.0/24, Label 40, Route-Target 1:1
    171.68.0.0/16   PE-Hub    35
    171.68.1.0/24   CE-SA

PE-SB, VRF FIB and LFIB                      MP-iBGP update from PE-SB
    Destination     NextHop   Label              171.68.2.0/24, Label 50, Route-Target 1:1
    171.68.0.0/16   PE-Hub    35
    171.68.2.0/24   CE-SB

PE-Hub, VRF HUB-IN FIB and LFIB
    Destination     NextHop   Label
    171.68.1.0/24   PE-SA     40
    171.68.2.0/24   PE-SB     50

PE-Hub, VRF HUB-OUT FIB                      MP-iBGP update from PE-Hub
    Destination     NextHop                    171.68.0.0/16, Label 35, Route-Target 2:2
    171.68.0.0/16   CE-H1

• Two VRFs at the PE-Hub:
  VRF HUB-IN to learn every spoke route from the remote PEs
  VRF HUB-OUT to advertise the spoke routes or the summary 171.68.0.0/16 route to the remote PEs
MPLS-VPN Services:
2. Hub and Spoke Service: Forwarding Plane (Option#2)

This is how the spoke-to-spoke traffic flows:

[Diagram: CE-SB (Spoke B, 171.68.2.0/24) sends an IP packet to 171.68.1.1; PE-SB forwards it as "L1 | 35 | 171.68.1.1" to PE-Hub; PE-Hub delivers it through VRF HUB-OUT to CE-Hub, which sends it back into VRF HUB-IN; PE-Hub forwards it as "L2 | 40 | 171.68.1.1" to PE-SA, which delivers the IP packet to CE-SA (Spoke A, 171.68.1.0/24)]

L1 is the label to get to PE-Hub
L2 is the label to get to PE-SA
MPLS-VPN Services:
2. What If Many Spoke Sites Connect to the Same PE Router?

[Diagram: CE-SA1, CE-SA2 and CE-SA3 all attach to PE-SA, which connects through the backbone to PE-Hub]

• If more than one spoke router (CE) connects to the same PE router (within the same VRF), then such spokes can reach each other without needing the hub.
  Defeats the purpose of hub and spoke :-(
• Half-duplex VRF is the answer
  Uses two VRFs on the PE (spoke) router:
  A VRF for spoke->hub communication (i.e., upstream)
  A VRF for spoke<-hub communication (i.e., downstream)

Note: 12.2(33)SRE supports any interface type (Eth, Ser, POS, Virtual-Access, etc.)
MPLS-VPN Services:
2. Hub and Spoke Service: Half-Duplex VRF

[Diagram: Spoke A (171.68.1.0/24, CE-SA) and Spoke B (171.68.2.0/24, CE-SB) both attach to PE-SA on GE0/0; PE-SA connects across the MPLS backbone to PE-Hub, which attaches to CE-Hub at the hub site]

PE-SA:
    ip vrf green-up
     description VRF - upstream traffic
     rd 300:111
     route-target import 2:2
    !
    ip vrf green-down
     description VRF - downstream traffic
     rd 300:112
     route-target export 1:1
    !
    interface GigabitEthernet0/0
     ip vrf forwarding green-up downstream green-down
     ip address 172.18.13.1 255.255.255.0

PE-Hub:
    ip vrf HUB-IN
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-OUT
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2

Upstream VRF and downstream VRF:
1. PE-SA installs the spoke routes only in the downstream VRF, i.e., green-down
2. PE-SA installs the hub routes only in the upstream VRF, i.e., green-up
3. PE-SA forwards the incoming IP traffic (from the spokes) using the upstream VRF, i.e., the green-up routing table
4. PE-SA forwards the incoming MPLS traffic (from the hub) using the downstream VRF, i.e., the green-down routing table
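The Option#2 control-plane slide, the "many spokes on one PE" slide and the half-duplex VRF steps 1 to 4 above all reduce to which VRF imports which route-target and which table a given packet is looked up in. The Python below is an added example, not code from the Cisco deck, that distributes routes by route-target between the VRFs exactly as the slides configure them and then answers the spoke-to-spoke question with a longest-prefix lookup: once for the two-PE Option#2 layout, once for two spokes on one PE in a single VRF (the problem case), and once with the half-duplex VRF pair. VRF names, RDs, RTs and prefixes are the slides'; the CE next-hop names and the assumption that both spokes hang off PE-SA in the single-PE cases are constructed.

```python
"""Added example (not from the Cisco deck): route-target policy of the
hub-and-spoke slides (Option#2 and the half-duplex VRF) checked with a
longest-prefix lookup in the resulting tables."""
import ipaddress


def distribute(vrfs, local):
    """vrfs: name -> {"import": set, "export": set}; local: name -> {prefix: next_hop}.
    Every locally originated route is advertised with its VRF's export RTs and
    installed in every other VRF whose import RTs intersect them. Returns the
    resulting routing table (prefix -> next hop) per VRF."""
    advertised = [(origin, prefix, frozenset(vrfs[origin]["export"]))
                  for origin, routes in local.items() for prefix in routes]
    tables = {}
    for name, policy in vrfs.items():
        table = dict(local.get(name, {}))
        for origin, prefix, rts in advertised:
            if origin != name and policy["import"] & rts:
                table[prefix] = origin.split("/")[0]      # remote routes point at the originating PE
        tables[name] = table
    return tables


def lookup(table, address):
    """Longest-prefix match in one VRF table; None if there is no route."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


HUB = {
    "PE-Hub/HUB-IN":  {"import": {"1:1"}, "export": set()},   # rd 300:11: learns every spoke route
    "PE-Hub/HUB-OUT": {"import": set(), "export": {"2:2"}},   # rd 300:12: advertises the hub summary
}
HUB_LOCAL = {"PE-Hub/HUB-OUT": {"171.68.0.0/16": "CE-Hub"}}


def option2_two_spoke_pes():
    """Spoke A on PE-SA and Spoke B on PE-SB, each in its own VRF (slide 'Control Plane (Option#2)')."""
    vrfs = {**HUB,
            "PE-SA/green-spoke1": {"import": {"2:2"}, "export": {"1:1"}},
            "PE-SB/green-spoke2": {"import": {"2:2"}, "export": {"1:1"}}}
    local = {**HUB_LOCAL,
             "PE-SA/green-spoke1": {"171.68.1.0/24": "CE-SA"},
             "PE-SB/green-spoke2": {"171.68.2.0/24": "CE-SB"}}
    return distribute(vrfs, local)


def two_spokes_one_pe(half_duplex):
    """Both spoke CEs on PE-SA (constructed). With a single VRF they see each other
    directly; with the half-duplex VRF the upstream table (green-up) holds only hub
    routes and the downstream table (green-down) only the spoke routes."""
    if not half_duplex:
        vrfs = {**HUB, "PE-SA/green-spoke": {"import": {"2:2"}, "export": {"1:1"}}}
        local = {**HUB_LOCAL, "PE-SA/green-spoke": {"171.68.1.0/24": "CE-SA", "171.68.2.0/24": "CE-SB"}}
        up = down = "PE-SA/green-spoke"
    else:
        vrfs = {**HUB,
                "PE-SA/green-up":   {"import": {"2:2"}, "export": set()},
                "PE-SA/green-down": {"import": set(), "export": {"1:1"}}}
        local = {**HUB_LOCAL, "PE-SA/green-down": {"171.68.1.0/24": "CE-SA", "171.68.2.0/24": "CE-SB"}}
        up, down = "PE-SA/green-up", "PE-SA/green-down"
    tables = distribute(vrfs, local)
    return {
        "spoke_a_to_spoke_b": lookup(tables[up], "171.68.2.1"),    # IP from CE-SA: upstream lookup (step 3)
        "hub_to_spoke_b": lookup(tables[down], "171.68.2.1"),      # MPLS from hub: downstream lookup (step 4)
        "hub_in_knows": sorted(tables["PE-Hub/HUB-IN"]),
    }
```

Running `two_spokes_one_pe(False)` shows the failure the "many spokes" slide warns about: the /24 of the neighbouring spoke wins the longest-prefix match over the hub's /16, so traffic never leaves PE-SA. With the half-duplex pair the upstream table simply has no /24 to match, and the only route is the hub summary.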
Agenda

• MPLS VPN Explained
• MPLS-VPN Services
  1. Load-Sharing for Multihomed VPN Sites
  2. Hub and Spoke Service
  3. MPLS VPN Extranet Service
  4. Internet Access Service
  5. VRF-Aware NAT Services
  6. VRF-Selection Based Services
  7. Remote VPN Access Service
  8. QoS Service
  9. Multicast VPN Service
  10. MPLS/VPN over IP Transport
  11. IPv6 VPN Service
  12. Multi-VRF CE Service
• Best Practices
• Conclusion
MPLS-VPN Services
3. Extranet VPN

• MPLS VPN, by default, isolates one VPN customer from another
  Separate virtual routing table for each VPN customer
• Communication between VPNs may be required, i.e., an extranet
  External intercompany communication (dealers with a manufacturer, retailer with a wholesale provider, etc.)
  Management VPN, shared-service VPN, etc.
• Needs to share the import and export route-target (RT) values within the VRFs of the extranet.
  Export-map or import-map may be used for an advanced extranet.
MPLS-VPN Services
3. Extranet VPN – Simple Extranet

[Diagram: VPN_A Site#1 (71.8.0.0/16), VPN_A Site#2 (192.6.0.0/16) and VPN_B Site#1 (180.1.0.0/16) attach via PE1 and PE2 to the MPLS backbone (P router)]

    ip vrf VPN_A                         ip vrf VPN_B
     rd 3000:111                          rd 3000:222
     route-target import 3000:111         route-target import 3000:222
     route-target export 3000:111         route-target export 3000:222
     route-target import 3000:222         route-target import 3000:111

All sites of both VPN_A and VPN_B can communicate with each other
MPLS-VPN Services
3. Extranet VPN – Advanced Extranet

[Diagram: VPN_A Site#1 (71.8.0.0/16), VPN_A Site#2 (192.6.0.0/16) and VPN_B Site#1 (180.1.0.0/16) attach via PE1 and PE2 to the MPLS backbone (P router)]

    ip vrf VPN_A                              ip vrf VPN_B
     rd 3000:111                               rd 3000:222
     route-target import 3000:111              route-target import 3000:222
     route-target export 3000:111              route-target export 3000:222
     route-target import 3000:1                route-target import 3000:2
     import map VPN_A_Import                   import map VPN_B_Import
     export map VPN_A_Export                   export map VPN_B_Export
    !                                         !
    route-map VPN_A_Export permit 10          route-map VPN_B_Export permit 10
     match ip address 1                        match ip address 2
     set extcommunity rt 3000:2 additive       set extcommunity rt 3000:1 additive
    !                                         !
    route-map VPN_A_Import permit 10          route-map VPN_B_Import permit 10
     match ip address 2                        match ip address 1
    !                                         !
    access-list 1 permit 71.8.0.0 0.0.0.0     access-list 1 permit 71.8.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0    access-list 2 permit 180.1.0.0 0.0.0.0

Lack of 'additive' would result in 3000:222 being replaced with 3000:1. We don't want that.

Only Site #1 of both VPN_A and VPN_B would communicate with each other
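The callout above about the `additive` keyword is the part of this slide that bites in practice. The Python below is an added example, not code from the Cisco deck, that evaluates the export maps of the advanced extranet with and without `additive` and lists which VRF instances import each prefix by route-target. RDs, RTs, prefixes and the access-list contents are the slide's; the placement of VPN_A Site#1 on PE1 and of VPN_A Site#2 and VPN_B Site#1 on PE2 is an assumption made so that VPN_A's own intra-VPN reachability can be checked, and the import maps are deliberately left out so that the RT effect is shown in isolation.

```python
"""Added example (not from the Cisco deck): the advanced-extranet export maps
with and without 'additive', and the resulting import decisions by route-target."""

# One VRF instance per PE. 'export_map' models the route-map: 'match' is the set
# of prefixes the referenced access-list permits, 'set_rt' the RT it sets.
VRFS = {
    "PE1/VPN_A": {"import": {"3000:111", "3000:1"}, "export": {"3000:111"},
                  "export_map": {"match": {"71.8.0.0/16"}, "set_rt": {"3000:2"}}},
    "PE2/VPN_A": {"import": {"3000:111", "3000:1"}, "export": {"3000:111"},
                  "export_map": {"match": {"71.8.0.0/16"}, "set_rt": {"3000:2"}}},
    "PE2/VPN_B": {"import": {"3000:222", "3000:2"}, "export": {"3000:222"},
                  "export_map": {"match": {"180.1.0.0/16"}, "set_rt": {"3000:1"}}},
}
# Locally originated prefixes per VRF instance (site placement is an assumption).
LOCAL = {"PE1/VPN_A": ["71.8.0.0/16"], "PE2/VPN_A": ["192.6.0.0/16"], "PE2/VPN_B": ["180.1.0.0/16"]}


def exported_rts(vrf, prefix, additive):
    """RTs attached to the prefix when it is exported: the VRF's export RTs, then
    the export map. 'set extcommunity rt X additive' adds X; without 'additive'
    the set action replaces every RT with X."""
    rts = set(vrf["export"])
    rule = vrf["export_map"]
    if prefix in rule["match"]:
        rts = (rts | rule["set_rt"]) if additive else set(rule["set_rt"])
    return frozenset(rts)


def importers(rts, origin):
    """VRF instances (other than the originator) whose import RTs intersect rts."""
    return sorted(name for name, vrf in VRFS.items() if name != origin and vrf["import"] & rts)


def evaluate(additive):
    """For every local prefix: the RTs it leaves with and who imports it."""
    result = {}
    for origin, prefixes in LOCAL.items():
        for prefix in prefixes:
            rts = exported_rts(VRFS[origin], prefix, additive)
            result[prefix] = {"rts": sorted(rts), "imported_by": importers(rts, origin)}
    return result
```

With `additive`, 71.8.0.0/16 leaves PE1 carrying both 3000:111 and 3000:2, so VPN_A's other site and VPN_B both import it, while 192.6.0.0/16 carries only 3000:111 and stays inside VPN_A. Without `additive` the site#1 prefix carries 3000:2 alone and VPN_A's own site#2 no longer learns it: the extranet still works, but the intranet breaks.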
Agenda

• MPLS VPN Explained
• MPLS-VPN Services
  1. Load-Sharing for Multihomed VPN Sites
  2. Hub and Spoke Service
  3. MPLS VPN Extranet Service
  4. Internet Access Service
  5. VRF-Aware NAT Services
  6. VRF-Selection Based Services
  7. Remote VPN Access Service
  8. QoS Service to VPNs
  9. Multicast VPN Service
  10. MPLS/VPN over IP Transport
  11. IPv6 VPN Service
  12. Multi-VRF CE Service
• Best Practices
• Conclusion
MPLS-VPN Services
4. Internet Access Service to VPN Customers

• Internet access service could be provided as another value-added service to VPN customers
• Security mechanisms must be in place at both the provider network and the customer network
  To protect from the Internet vulnerabilities
• VPN customers benefit from a single point of contact for both intranet and Internet connectivity
MPLS-VPN Services
4. Internet Access: Design Options

Four options to provide the Internet service:

1. VRF-specific default route with the "global" keyword
2. Separate PE-CE sub-interface (non-VRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT
MPLS-VPN Services
4. Internet Access: Design Options

1. VRF-specific default route
   1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
   1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
2. Separate PE-CE subinterface (non-VRF)
   May run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF
   VPN packets never leave the VRF context; issue with overlapping VPN addresses
4. Extranet with Internet-VRF along with VRF-aware NAT
   VPN packets never leave the VRF context; works well with overlapping VPN addresses
MPLS-VPN Services: Internet Access
4.1 Option#1: VRF Specific Default Route

[Diagram: Site1 (71.8.0.0/16, CE1) attaches to PE1 on S0; PE1 connects through the MPLS backbone (P) to the ASBR / Internet GW at 192.168.1.1, which fronts the Internet]

PE1#
    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
    !
    router bgp 100
     no bgp default ipv4-unicast
     redistribute static
     neighbor 192.168.1.1 remote-as 100
     neighbor 192.168.1.1 activate
     neighbor 192.168.1.1 next-hop-self
     neighbor 192.168.1.1 update-source loopback0
    !
    ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
    ip route 71.8.0.0 255.255.0.0 Serial0

• A default route, pointing to the ASBR, is installed into the site VRF at each PE
• The static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP
MPLS-VPN Services: Internet Access
4.1 Option#1: VRF Specific Default Route (Forwarding)

[Figure: Site1 (71.8.0.0/16) -- S0 -- PE1 (192.168.1.2) -- P -- PE2 (192.168.1.1, Internet GW) -- Internet (5.1.0.0/16). Outbound: the IP packet to 5.1.1.1 from the site is label-switched (label 30) to PE2 and forwarded as an IP packet to the Internet. Inbound: the IP packet to 71.8.1.1 is labelled (label 35) by PE2 and forwarded by PE1 out Serial 0]

PE1: Global Routing/FIB Table
  Destination       Label/Interface
  192.168.1.1/32    Label=30
  71.8.0.0/16       Serial 0

PE1: VRF Routing/FIB Table
  Destination       Label/Interface
  0.0.0.0/0         192.168.1.1 (Global)
  Site-1            Serial 0

PE2: Global Table and LFIB
  Destination       Label/Interface
  192.168.1.2/32    Label=35
  71.8.0.0/16       192.168.1.2
  5.1.0.0/16        Serial 0

Pros
 Can be used for different VRFs
 PE routers need not hold the Internet table
 Simple configuration
Cons
 Using the default route for Internet routing does not allow any other default route for intra-VPN routing
 Different Internet gateways
 Leaking VPN routes into the global routing table increases its size
 Static configuration (possibility of traffic blackholing)
 The VPN site prefix is reachable from the Internet through the global table, so inbound filtering at the PE or CE is required
MPLS-VPN Services: Internet Access
4.2 Option#2: Separate PE-CE Subinterfaces

[Figure: Site1 (CE1, 71.8.0.0/16) connects to PE1 (192.168.1.2) over Se0.1 (VRF) and Se0.2 (global); PE1 -- P -- MPLS backbone -- PE2 (192.168.1.1, Internet GW, iBGP with PE1) -- Internet]

PE1 configuration:

    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0.1
     ip vrf forwarding VPN-A
     ip address 192.168.20.1 255.255.255.0
     frame-relay interface-dlci 100
    !
    interface Serial0.2
     ip address 71.8.10.1 255.255.0.0
     frame-relay interface-dlci 200
    !
    router bgp 100
     no bgp default ipv4-unicast
     neighbor 71.8.10.2 remote-as 502
     !
     address-family ipv4
      neighbor 71.8.10.2 activate

 PE1-CE1 has one sub-interface associated with a VRF for VPN routing
 PE1-CE1 has another sub-interface (global) for Internet routing
 PE1 may have an eBGP peering with CE1 over the global interface and advertise full Internet routes or a default route to CE1
 PE2 must advertise the VPN/site1 routes to the Internet
MPLS-VPN Services: Internet Access
4.2 Option#2: Separate PE-CE Subinterfaces (Forwarding)

[Figure: CE1 sends the IP packet to 5.1.1.1 over S0.2 (global); PE1 imposes label 30 and forwards the MPLS packet across the backbone to PE2 (192.168.1.1, Internet GW), which forwards it as an IP packet to the Internet]

CE Routing Table
  VPN Routes          Serial0.1
  Internet Routes     Serial0.2

PE1 Global Table and FIB
  Internet Routes     192.168.1.1
  192.168.1.1         Label=30

Pros
 1. CE is dual-homed and can perform optimal routing
 2. Traffic separation is done by the CE
Cons
 1. PE has to hold full Internet routes or a default route via the Internet GW
 2. BGP complexities introduced at the CE; CE1 may need to aggregate to avoid AS_PATH looping
MPLS-VPN Services: Internet Access
4.3 Option#3: Extranet with Internet-VRF

 The Internet routes could be placed within a VRF at the Internet-GW, i.e., the ASBR
 Customer VRFs could 'extranet' with the Internet VRF and receive either a default, partial or full Internet routes
 Be careful if multiple customer VRFs at the same PE are importing full Internet routes: each importing VRF holds its own copy of the table
 Works well only if the VPN customers don't have overlapping addresses
MPLS-VPN Services: Internet Access
4.4 Option#4: Using VRF-Aware NAT

 If the VPN customers need Internet access without Internet routes, then VRF-aware NAT can be used at the Internet-GW, i.e., the ASBR
 The Internet GW doesn't need to have the Internet routes either; a default route toward the Internet is enough
 Overlapping VPN addresses are no longer a problem
 More in the "VRF-aware NAT" slides...
Agenda

 MPLS VPN Explained
 MPLS-VPN Services
   1. Load-Sharing for Multihomed VPN Sites
   2. Hub and Spoke Service
   3. MPLS VPN Extranet Service
   4. Internet Access Service
   5. VRF-Aware NAT Services
   6. VRF-Selection Based Services
   7. Remote VPN Access Service
   8. QoS Service
   9. Multicast VPN Service
   10. MPLS/VPN over IP Transport
   11. IPv6 VPN Service
   12. Multi-VRF CE Service
 Best Practices
 Conclusion
MPLS-VPN Services
5. VRF-Aware NAT Services

 VPN customers could be using 'overlapping' IP addresses, e.g., 10.0.0.0/8
 Such VPN customers must NAT their traffic before using either "Extranet" or "Internet" or any shared* services
 The PE is capable of NATting the VPN packets (eliminating the need for an extra NAT device)

* VoIP, hosted content, management, etc.
MPLS-VPN Services
5. VRF-Aware NAT Services

 Typically, inside interface(s) connect to the private address space and outside interface(s) connect to the global address space
   NAT occurs after routing for traffic from inside to outside interfaces
   NAT occurs before routing for traffic from outside to inside interfaces
 Each NAT entry is associated with a VRF; the VRF is part of the translation key, which is what allows identical inside addresses in different VPNs
 Works on VPN packets in the following switching paths: IP->IP, IP->MPLS and MPLS->IP
MPLS-VPN Services:
5. VRF-Aware NAT Services: Internet Access

[Figure: CE1 (Green VPN site, 10.1.1.0/24) -- PE11 and CE2 (Blue VPN site, 10.1.1.0/24) -- PE12, across the MPLS backbone (P) to the PE-ASBR. The PE-ASBR's core-facing side is "ip nat inside" and its Internet-facing interface (next hop 217.34.42.2) is "ip nat outside"]

VRF-specific config on the PE-ASBR ("network 0.0.0.0" advertises the default route to the VRF's remote PEs):

    ip vrf green
     rd 3000:111
     route-target both 3000:1
    ip vrf blue
     rd 3000:222
     route-target both 3000:2
    !
    router bgp 3000
     address-family ipv4 vrf green
      network 0.0.0.0
     address-family ipv4 vrf blue
      network 0.0.0.0

VRF-aware NAT specific config on the PE-ASBR (one pool per VRF, one shared ACL):

    ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
    ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
    !
    ip nat inside source list vpn-to-nat pool pool-green vrf green
    ip nat inside source list vpn-to-nat pool pool-blue vrf blue
    !
    ip access-list standard vpn-to-nat
     permit 10.1.1.0 0.0.0.255
    !
    ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
    ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global
MPLS-VPN Services:
5. VRF-Aware NAT Services: Internet Access (Traffic Flows)

[Figure: CE1 (Green, 10.1.1.0/24) and CE2 (Blue, 10.1.1.0/24) both send IP packets with Src=10.1.1.1, Dest=Internet. PE11 imposes label 30 and PE12 imposes label 40; the PE-ASBR pops the label and forwards Src=24.1.1.1 (green) and Src=25.1.1.1 (blue) to the Internet]

NAT Table
  VRF IP Source   Global IP   VRF-Table-ID
  10.1.1.1        24.1.1.1    Green
  10.1.1.1        25.1.1.1    Blue

 The PE-ASBR removes the label from the received MPLS packets per the LFIB
 Performs NAT on the resulting IP packets
 Forwards the packets to the Internet
 Returning packets are NATed (the global address identifies the VRF) and put back in the VRF context, then routed
 This is also one of the ways to provide Internet access to VPN customers with or without overlapping addresses
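The NAT table above can be modelled in a few lines to see why the VRF has to be part of the translation key. The following is an added example in Python, not Cisco code and not from this deck: the pool ranges, inside prefix and VRF names are the slide's, while the VrfAwareNat class and its methods are this example's own. It shows the two overlapping 10.1.1.1 hosts getting distinct global addresses, a returning packet being mapped back to the right VRF from the global address alone, and what happens when a pool runs out.

```python
"""Added example (not from the Cisco deck): a model of the VRF-aware NAT table
on the PE-ASBR. The translation key includes the VRF, so Green and Blue can both
use 10.1.1.0/24 behind one Internet gateway, and the global address alone is
enough to put a returning packet back into the right VRF."""
from ipaddress import ip_address, ip_network


class VrfAwareNat:
    def __init__(self, pools, acl):
        # pools: vrf -> global prefix ("ip nat pool pool-green ... " + "vrf green")
        self.free = {vrf: [str(a) for a in ip_network(p).hosts()] for vrf, p in pools.items()}
        # acl: inside addresses eligible for translation ("ip access-list standard vpn-to-nat")
        self.acl = [ip_network(n) for n in acl]
        self.inside = {}   # (vrf, inside local) -> inside global
        self.outside = {}  # inside global -> (vrf, inside local)

    def _acl_permits(self, addr):
        a = ip_address(addr)
        return any(a in n for n in self.acl)

    def inside_to_outside(self, vrf, src):
        """Packet arrived from the core: VPN label popped, VRF known.
        Returns the translated source, or None if no translation applies."""
        if vrf not in self.free or not self._acl_permits(src):
            return None                      # not a NAT candidate for this VRF
        key = (vrf, src)
        if key not in self.inside:
            if not self.free[vrf]:
                raise RuntimeError(f"NAT pool exhausted for vrf {vrf}")
            g = self.free[vrf].pop(0)        # first free address, like the slide's 24.1.1.1
            self.inside[key] = g
            self.outside[g] = key
        return self.inside[key]

    def outside_to_inside(self, dst):
        """Returning packet from the Internet: NAT happens before routing, and the
        lookup yields the VRF to route in as well as the inside address."""
        return self.outside.get(dst)

    def clear(self, vrf, src):
        """Translation timeout / 'clear ip nat translation': free the global address."""
        g = self.inside.pop((vrf, src), None)
        if g is not None:
            del self.outside[g]
            self.free[vrf].append(g)
        return g


# Constructed from the slide: one pool per VRF, one ACL shared by both.
GW = VrfAwareNat({"green": "24.1.1.0/24", "blue": "25.1.1.0/24"}, ["10.1.1.0/24"])

if __name__ == "__main__":
    print(GW.inside_to_outside("green", "10.1.1.1"))   # 24.1.1.1
    print(GW.inside_to_outside("blue", "10.1.1.1"))    # 25.1.1.1
    print(GW.outside_to_inside("25.1.1.1"))            # ('blue', '10.1.1.1')
```

A packet from an inside address that the ACL does not permit, or from a VRF with no pool, gets no translation; on the real gateway such a packet would be forwarded unchanged, which is why the ACL should cover exactly the prefixes that are allowed to use the shared exit.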
MPLS-VPN Services:
5. VRF-Aware NAT Services: Internet Access (Reference)

 The previous example uses one of many variations of the NAT configuration
 Other variations (a few below) work fine as well
   Extended vs. standard ACL for traffic classification
   PAT (e.g. the "overload" keyword)
   Route-map instead of ACL for traffic classification
   A single NAT pool instead of two pools

http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
MPLS VPN Service
6. VRF-Selection (Reference)

 The common notion is that a single VRF must be associated with an interface
 "VRF-selection" breaks this association and enables multiple VRFs to be associated with one interface
 Each packet on the PE-CE interface is classified in real time and mapped to one of many VRFs
   Classification criteria could be source/destination IP address, ToS, TCP port, etc., as specified in the ACL
 Voice and data traffic on a single PE-CE interface can be separated into different VRFs at the PE; a service enabler
MPLS VPN Service
6. VRF-Selection: Based on Source IP Address (Reference)

[Figure: Cable CE1 (cable company) attaches to PE1 Se0/0, a global interface. Traffic sourced from 33.3.14.1 is mapped to VPN Brown (vrf red, 33.3.0.0/16), from 44.3.12.1 to VPN Yellow (44.3.0.0/16), and UDP voice from 33.3.1.25 to VPN Green (66.3.0.0/16). The VRFs extend across the MPLS backbone (RR in the core) to PE2]

PE1 configuration. The route-map sequences are ordered most specific first: the slide's order (access-list 40 at sequence 10, access-list 100 at sequence 30) would send the 33.3.1.0/24 voice traffic to vrf red before the voice sequence is ever evaluated. The static routes use subnet masks, not the wildcard masks printed on the slide.

    ip vrf red
     rd 3000:111
     route-target export 3000:1
     route-target import 3000:1
    !
    ip vrf yellow
     rd 3000:222
     route-target export 3000:2
     route-target import 3000:2
    !
    ip vrf green
     rd 3000:333
     route-target export 3000:3
     route-target import 3000:3
    !
    interface Serial0/0
     ip address 215.2.0.6 255.255.255.252
     ip policy route-map PBR-VRF-Selection
     ip vrf receive red
     ip vrf receive yellow
     ip vrf receive green
    !
    access-list 40 permit 33.3.0.0 0.0.255.255
    access-list 50 permit 44.3.0.0 0.0.255.255
    access-list 100 permit udp 33.3.1.0 0.0.0.255 any range 30000 31000 dscp ef
    !
    route-map PBR-VRF-Selection permit 10
     match ip address 100
     set vrf green
    !
    route-map PBR-VRF-Selection permit 20
     match ip address 40
     set vrf red
    !
    route-map PBR-VRF-Selection permit 30
     match ip address 50
     set vrf yellow
    !
    ip route vrf red 33.3.14.0 255.255.255.0 Serial0/0
    ip route vrf yellow 44.3.1.0 255.255.255.0 Serial2/0
    ip route vrf green 33.3.1.0 255.255.255.0 Serial2/0
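The forwarding decisions behind two of the designs in this part of the deck, the option-1 Internet access (a VRF default route resolved in the global table, and a global static for the site prefix pointing back at the VRF interface) and the source-based VRF selection just shown, can be modelled together. The following is an added example in Python, not Cisco code and not from this deck: the prefixes, labels and interface names come from the slides, while Route, lookup, forward and classify are this example's own names. It also shows the two failure modes a practitioner checks for: with option 1 the site prefix is reachable from the global table (the reason inbound filtering was called out earlier), and with VRF selection a /16 ACL placed before the /24 voice ACL shadows it.

```python
"""Added example (not from the Cisco deck): PE ingress processing for the
VRF-default-to-global Internet access design and for source-based VRF selection."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: str                   # destination prefix, e.g. "71.8.0.0/16"
    via: str                      # next hop address or outgoing interface
    label: Optional[int] = None   # label to impose when the next hop is a remote PE
    in_global: bool = False       # IOS "global" keyword: resolve 'via' in the global table


def lookup(table, dst):
    """Longest-prefix match of dst against a list of Route entries."""
    dst = ip_address(dst)
    best = None
    for r in table:
        net = ip_network(r.prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def forward(tables, vrf, dst):
    """Return (via, label) for a packet to dst that arrived in the given VRF.

    A VRF route flagged in_global is a leak point: its next hop is resolved in
    the global table, which is exactly what the 'global' keyword does on the PE."""
    r = lookup(tables[vrf], dst)
    if r is None:
        return None
    if r.in_global:
        g = lookup(tables["global"], r.via)
        return None if g is None else (g.via, g.label)
    return (r.via, r.label)


def classify(pbr, iface_vrf, src):
    """VRF selection by source address: the first route-map sequence whose ACL
    matches wins; packets matching nothing stay in the interface's own VRF."""
    src = ip_address(src)
    for acl_net, vrf in pbr:
        if src in ip_network(acl_net):
            return vrf
    return iface_vrf


# Constructed PE1 tables from the option-1 slides.
PE1_TABLES = {
    "global": [Route("192.168.1.1/32", "P", label=30),            # Internet GW loopback via the core
               Route("71.8.0.0/16", "Serial0")],                  # ip route 71.8.0.0 255.255.0.0 Serial0
    "VPN-A":  [Route("0.0.0.0/0", "192.168.1.1", in_global=True),  # ip route vrf VPN-A 0/0 ... global
               Route("71.8.0.0/16", "Serial0")],                  # site-1 prefix learned from CE1
}

# Constructed route-map from the VRF-selection slide, most specific ACL first.
PBR_OK = [("33.3.1.0/24", "green"), ("33.3.0.0/16", "red"), ("44.3.0.0/16", "yellow")]
# The order as printed on the slide: the /16 at sequence 10 shadows the /24 at sequence 30.
PBR_AS_PRINTED = [("33.3.0.0/16", "red"), ("44.3.0.0/16", "yellow"), ("33.3.1.0/24", "green")]

if __name__ == "__main__":
    print(forward(PE1_TABLES, "VPN-A", "5.1.1.1"))         # ('P', 30): VRF default, resolved globally
    print(forward(PE1_TABLES, "global", "71.8.1.1"))       # ('Serial0', None): Internet -> VRF site
    print(classify(PBR_OK, "global", "33.3.1.25"))         # green
    print(classify(PBR_AS_PRINTED, "global", "33.3.1.25")) # red: voice ACL never reached
```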
MPLS VPN Service
7. Remote Access Service (Reference)

 Remote access users, i.e., dial users and IPSec users, can be terminated directly in a VRF
   PPP users can be terminated into VRFs
   IPSec tunnels can be terminated into VRFs
 Integrating remote access services with MPLS VPN opens up new opportunities for providers and VPN customers
   BRKSEC-3005 Deploying Remote-Access IPSec/SSL VPNs
   BRKSEC-3006 Deploying Site-to-site VPN with DMVPN
 "Remote Access" is not to be confused with "GET VPN", which provides an any-to-any (CE-based) security service
   BRKSEC-2007 Site to Site VPN with GET VPN
MPLS VPN Service
7. Remote Access Service: IPSec to MPLS VPN (Reference)

[Figure: remote users and telecommuters (Cisco IOS VPN routers or Cisco VPN Client 3.x or higher) in branch offices and SOHOs reach the SP shared network over the Internet, a local or direct-dial ISP, or a cable/DSL/ISDN ISP. The IPSec session terminates on a PE+IPSec aggregator in the SP IP/MPLS network (SP AAA); the IKE ID is used, within the ISAKMP profile, to map the IPSec tunnel to the VRF. From there the traffic rides the MPLS VPN (VPN A, B, C) to the corporate intranet of Customer A, B or C (head office and branch office, customer AAA). Layering: IP -- IPSec session -- MPLS VPN -- IP]
MPLS-VPN Services:
8. Providing QoS to VPN Customers (Reference)

 VPN customers may want an SLA so that real-time, mission-critical and best-effort traffic is treated appropriately
 QoS can be applied to VRF interfaces
   Just like any global interface
   The same QoS mechanisms are applicable
 Remember: the IP precedence bits are copied into the MPLS TC/EXP bits at label imposition (default behavior)
 MPLS Traffic Engineering could be used to provide bandwidth-on-demand or Fast Reroute to VPN customers
   BRKIPM-2104 Deploying MPLS Traffic Engineering
   BRKIPM-3071 Advanced MPLS Designs
   BRKIPM-2018 QoS Decomposed
MPLS-VPN Services:
9. Providing Multicast Service to VPNs (Reference)

 Multicast VPN service is also available for deployment
   The current deployment model utilizes GRE encapsulation (not MPLS) within the SP network
 Multicast VPN also utilizes the existing 2547 infrastructure
 MPLS multicast, i.e., mLDP and P2MP TE, is not far away either
 Please see the following sessions for details on mVPN:
   BRKIPM-2261 Deploying IP Multicast
   BRKIPM-3261 Advances in IP Multicast
MPLS-VPN Services:
10. Providing MPLS/VPN over IP Transport (Reference)

 MPLS/VPN (RFC 2547) can also be deployed over an IP transport
   No MPLS needed in the core
 A PE-to-PE IP tunnel is used, instead of an MPLS LSP, for sending the MPLS/VPN packets
   MPLS labels are still allocated for VPN prefixes by the PE routers and used only by the PE routers
   The MPLS/VPN packet is encapsulated inside an IP header
 The IP tunnel could be GRE, mGRE, etc.

http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_mplsvpnomgre.html
MPLS-VPN Services:
10. Providing MPLS/VPN over IP Transport (Reference)

[Figure: CE1 -- PE1 (VRF) -- GRE/IP tunnel across the IP core -- PE2 (VRF) -- CE2. Encapsulation on the tunnel: IP header (PE1 to PE2) | GRE header | VPN label | original IP packet (Src Add, Dst Add, Data)]

 GRE/IP header and VPN label are imposed on VPN traffic by PE1
 VPN traffic is forwarded towards the egress PE using IP forwarding
 Egress PE2 decapsulates, and uses the VPN label to forward the packet to CE2

Source: http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_mplsvpnomgre.html
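The encapsulation in the figure is simple enough to build and parse byte for byte, which is the quickest way to check what a PE actually puts on the wire. The following is an added example in Python, not Cisco code and not from this deck: it imposes the VPN label inside GRE (protocol type 0x8847) inside an outer IPv4 header, copying the inner IP precedence into the label's TC/EXP field as the QoS section says the PE does by default, and on the egress side strips the headers and verifies the inner header before forwarding. The PE addresses, label value 90 and payload are constructed; the field layouts are the standard IPv4, GRE and MPLS label-stack ones.

```python
"""Added example (not from the Cisco deck): MPLS/VPN over GRE encapsulation,
outer IPv4 | GRE | VPN label | inner IPv4, with EXP copied from IP precedence."""
import struct
from ipaddress import ip_address

GRE_PROTO_MPLS = 0x8847   # protocol type carried in the GRE header for MPLS unicast
IPPROTO_GRE = 47


def _checksum(data):
    """Standard one's-complement IP header checksum; 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, tos=0, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def mpls_entry(label, exp, bos, ttl):
    """One label-stack entry: 20-bit label, 3-bit TC/EXP, bottom-of-stack bit, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def encapsulate(pe1, pe2, vpn_label, inner_pkt):
    """PE1 imposition: VPN label (EXP = inner IP precedence), GRE, outer IP to PE2."""
    inner_tos, inner_ttl = inner_pkt[1], inner_pkt[8]
    exp = inner_tos >> 5                    # IP precedence is the top 3 bits of the ToS byte
    mpls = mpls_entry(vpn_label, exp, 1, inner_ttl) + inner_pkt
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS) + mpls   # no checksum/key/sequence options
    return ipv4_header(pe1, pe2, IPPROTO_GRE, len(gre)) + gre


def decapsulate(pkt):
    """PE2: strip the outer IP and GRE headers, return (vpn_label, exp, inner IPv4 packet).
    Anything that is not a plain single-label MPLS-in-GRE packet is rejected."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("not GRE")
    gre_flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if gre_flags & 0xF000:
        raise ValueError("optional GRE fields present")
    if proto != GRE_PROTO_MPLS:
        raise ValueError("not MPLS in GRE")
    entry, = struct.unpack("!I", pkt[ihl + 4:ihl + 8])
    label, exp, bos = entry >> 12, (entry >> 9) & 7, (entry >> 8) & 1
    if not bos:
        raise ValueError("unexpected label stack depth")
    inner = pkt[ihl + 8:]
    if _checksum(inner[:(inner[0] & 0x0F) * 4]) != 0:
        raise ValueError("bad inner IP checksum")
    return label, exp, inner


if __name__ == "__main__":
    # Constructed: EF-marked (ToS 0xb8, precedence 5) UDP packet from a VPN site.
    inner = ipv4_header("10.1.1.1", "10.2.2.2", 17, 8, tos=0xB8, ttl=63) + b"payload!"
    wire = encapsulate("192.168.1.2", "192.168.1.1", 90, inner)
    print(decapsulate(wire)[:2])   # (90, 5)
```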
MPLS-VPN Services:
11. IPv6 VPN Service

 Similar to IPv4 VPN, IPv6 VPN can also be offered. Referred to as "IPv6 VPN Provider Edge (6VPE)".
 No modification in the MPLS core.
   IPv4 and IPv6 VPNs can be offered on the same PE-CE interface
 Config and operation of IPv6 VPN are similar to IPv4 VPN

[Figure: MPLS/VPN network with four PEs and P routers. VPN A sites are v4 and v6, VPN B sites are v6 only; the PEs run iBGP sessions in the VPNv4 and VPNv6 address families]

MPLS-VPN Services:
11. IPv6 VPN Service (Configuration)

PE configuration (one VRF, "v2", with separate route-targets per address family; the iBGP neighbor 10.13.1.21 is in the local AS 1):

    vrf definition v2
     rd 2:2
     !
     address-family ipv4
      route-target export 1:2
      route-target import 1:2
     exit-address-family
     !
     address-family ipv6
      route-target export 2:2
      route-target import 2:2
     exit-address-family
    !
    router bgp 1
     neighbor 10.13.1.21 remote-as 1
     !
     address-family vpnv4
      neighbor 10.13.1.21 activate
      neighbor 10.13.1.21 send-community both
     exit-address-family
     !
     address-family vpnv6
      neighbor 10.13.1.21 activate
      neighbor 10.13.1.21 send-community both
     exit-address-family
     !
     address-family ipv4 vrf v2
     exit-address-family
     !
     address-family ipv6 vrf v2
      neighbor 200::2 remote-as 30000
      neighbor 200::2 activate
     exit-address-family
MPLS-VPN Services:
12. Providing Multi-VRF CE Service

 Is it possible for an IP router to keep multiple customer connections separated?
   Yes, "multi-VRF CE", a.k.a. vrf-lite, can be used
 "Multi-VRF CE" provides multiple virtual routing tables (and forwarding tables) per customer at the CE router
   Not a feature but an application based on the VRF implementation
   Any routing protocol that is supported by a normal VRF can be used in a multi-VRF CE implementation
 No MPLS functionality needed on the CE; no label exchange between the CE and any router (including the PE)
 One deployment model is to extend the VRFs to the CE; another is to extend them further inside the campus => virtualization
MPLS-VPN Services:
12. Providing Multi-VRF CE Service
One Deployment Model: Extending MPLS/VPN to the CE

[Figure: Campus (VRF Green, VRF Red) -- Multi-VRF CE router -- sub-interface link* (one sub-interface per VRF) -- PE router -- MPLS network. VRF Green and VRF Red exist on both the CE and the PE]

Multi-VRF CE router configuration (an RD is required to create the VRF; no route-targets, since nothing is exported via MP-BGP):

    ip vrf green
     rd 3000:111
    ip vrf blue
     rd 3000:222
    ip vrf red
     rd 3000:333

PE router configuration:

    ip vrf green
     rd 3000:111
     route-target both 3000:1
    ip vrf blue
     rd 3000:222
     route-target both 3000:2
    ip vrf red
     rd 3000:333
     route-target both 3000:3

* Sub-interface link: any interface type that supports sub-interfaces, e.g. FE VLAN, Frame Relay, ATM VCs
Best Practices (1)

1. Use RRs to scale BGP; deploy RRs in pairs for redundancy
   Keep RRs out of the forwarding paths and disable CEF (saves memory)
2. Choose the AS format for RT and RD, i.e., ASN:X
   Reserve the first few hundred values of X for internal purposes such as filtering
3. Consider a unique RD per VRF per PE
   Helpful for many scenarios such as multi-homing, hub and spoke, etc.
   Helpful to avoid add-path, shadow RR, etc.
4. Don't use customer names (V458:GodFatherNYC32ndSt) as the VRF names; a nightmare for the NOC
   Consider v101, v102, v201, v202, etc. and use the description for naming
5. Utilize the SP's public address space for PE-CE IP addressing
   Helps to avoid overlapping; use /31 subnetting on PE-CE interfaces
6. Limit the number of prefixes per VRF and/or per neighbor on the PE
   Max-prefix within the VRF configuration ("maximum routes"); do suppress the inactive routes
   Max-prefix per neighbor ("maximum-prefix") within the BGP VRF address family, if BGP runs on the PE-CE link
Best Practices (2)

7. Leverage BGP Prefix Independent Convergence (PIC) for fast convergence, <100 ms (IPv4 and IPv6):
   PIC Core
   PIC Edge
   Best-external advertisement
   Next-hop tracking (on by default)
8. Consider RT-constraint (RFC 4684) for route-reflector scalability
9. Consider 'BGP slow peer' detection for PEs or RRs: faster BGP convergence
Conclusion

 MPLS L3VPN is the most optimal VPN technology
   Any-to-any IPv4 or IPv6 VPN topology
   Partial-mesh and hub-and-spoke topologies are also possible
 VRF-aware services for additional value/revenue
   CsC and Inter-AS could be used to expand into new markets
 MPLS-VPN paves the way for virtualization
   Benefits whether SP or Enterprise
Q&A
Meet the Expert

 To make the most of your time at Cisco Networkers 2010, schedule a face-to-face meeting with a top Cisco expert.
 Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.
 Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions
Thank you.
Additional Slides
Advanced MPLS VPN Topics
Inter-AS and CsC

Agenda

 Advanced MPLS VPN Topics
   Inter-AS MPLS-VPN
   CsC Carrier Supporting Carrier
What Is Inter-AS?

[Figure: Provider X, AS #1 (VPN-A site 149.27.2.0/24 -- CE-1 -- PE-1 -- RR1 -- ASBR1) and Provider Y, AS #2 (ASBR2 -- RR2 -- PE2 -- CE2 -- VPN-A). CE-1 advertises 149.27.2.0/24, NH=CE-1 to PE-1 over BGP, OSPF or RIPv2; PE-1 sends an MP-iBGP update within AS #1, but what crosses between the providers is marked "???"]

Problem: how do Provider X and Provider Y exchange VPN routes?
Inter-AS Deployment Scenarios

[Figure: AS #1 (VPN-A -- CE1 -- PE1 -- ASBR1) and AS #2 (ASBR2 -- PE2 -- CE2 -- VPN-A)]

Options/scenarios for deploying Inter-AS:
1. Back-to-back VRFs (Option A)
2. MP-eBGP for VPNv4 between ASBRs (Option B)
3. Multihop MP-eBGP between RRs (Option C)
4. Non-VPN transit provider

Each option is covered in the additional slides that follow
Scenario 1: Back-to-Back VRF (Control Plane)

[Figure: CE-2 (VPN-B, 10.1.1.0/24) -- PE-1 -- ASBR-1 == VRF-to-VRF link == ASBR-2 -- PE-2 -- CE-3 (VPN-B). Both ASBRs hold a VPN-B VRF that imports routes with route-target 1:1]

 CE-2 -> PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
 PE-1 -> ASBR-1 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=29
 ASBR-1 imports the route into its VPN-B VRF and advertises it to ASBR-2 as a plain IPv4 route over the VRF link (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=ASBR-1
 ASBR-2 imports it into its VPN-B VRF and sends a VPNv4 update to PE-2: RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=92
 PE-2 -> CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2

VRF-to-VRF connectivity between the ASBRs
Scenario 1: Back-to-Back VRF (Forwarding Plane)

[Figure: CE-3 sends an IP packet to 10.1.1.1. PE-2 imposes {20, 92}; P2 pops the transport label and delivers {92} to ASBR-2; ASBR-2 forwards a plain IP packet over the VRF link to ASBR-1; ASBR-1 imposes {30, 29}; P1 pops the transport label and PE-1 receives {29}, then forwards the IP packet to CE-2. IP packets are exchanged between the ASBRs]

Pros
 Per-customer QoS is possible
 Simple and elegant, since there is no need to load the Inter-AS code (but still not widely deployed)
Cons
 Not scalable: the number of interfaces on both ASBRs is directly proportional to the number of VRFs
 No end-to-end MPLS
 Unnecessary memory consumed in RIB/(L)FIB
 Dual-homing of the ASBRs makes provisioning worse
Cisco IOS Configuration
Scenario 1: Back-to-Back VRF Between ASBRs

[Figure: AS #1 (VPN-A -- CE-1 -- PE1 -- ASBR1) and AS #2 (ASBR2 -- PE2 -- CE-2 -- VPN-A). ASBR1 and ASBR2 are connected on 1.1.1.0/30 and exchange the VRF routes via any routing protocol]

ASBR VRF and BGP configuration (eBGP on the VRF link; x = local AS, y = the other provider's AS; the interface toward the other ASBR is placed in vrf green):

    ip vrf green
     rd 1:1
     route-target both 1:1
    !
    router bgp x
     address-family ipv4 vrf green
      neighbor 1.1.1.x remote-as y
      neighbor 1.1.1.x activate

Note: the ASBR must already have an MP-iBGP session with its iBGP neighbors, such as the RRs or PEs. The inter-ASBR link is an ordinary VRF link, so the usual PE-CE protections (prefix limits, route filtering) apply to it.
Scenario 2: MP-eBGP Between ASBRs to Exchange VPNv4 Routes

 The CLI "no bgp default route-target filter" is needed on the ASBRs
   By default a router drops any VPNv4 route whose RTs match none of its VRF import RTs; the ASBR has no VRFs, so it must keep everything (and therefore needs explicit filtering toward the peer instead)
 ASBRs exchange VPN routes using eBGP (VPNv4 address family)
 ASBRs store all VPN routes
   But only in the BGP table and the LFIB
   Not in the routing table nor in the CEF table
 ASBRs don't need
   VRFs to be configured on them
   LDP between them
Scenario 2: MP-eBGP Between ASBRs for VPN (Control Plane)

[Figure: CE-2 (VPN-B, 10.1.1.0/24) -- PE-1 -- ASBR-1 == MP-eBGP == ASBR-2 -- PE-2 -- CE-3 (VPN-B)]

 CE-2 -> PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
 PE-1 -> ASBR-1 (MP-iBGP update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=40
 ASBR-1 -> ASBR-2 (MP-eBGP update): RD 1:27:10.1.1.0/24, NH=ASBR-1, RT=1:1, Label=20
 ASBR-2 -> PE-2 (MP-iBGP update): RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=30
 PE-2 -> CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2
Scenario 2: MP-eBGP Between ASBRs for VPN (Forwarding Plane)

[Figure: CE-3 sends an IP packet to 10.1.1.1. PE-2 imposes {20, 30} (transport label 20 toward ASBR-2, VPN label 30); P2 pops the transport label and delivers {30} to ASBR-2; ASBR-2 swaps 30 for 20 and sends the MPLS packet {20} to ASBR-1; ASBR-1 swaps 20 for 40 and pushes transport label 30 toward PE-1 ({30, 40}); P1 pops the transport label and PE-1 receives {40}, then forwards the IP packet to CE-2. MPLS packets are exchanged between the ASBRs]

Pros
 More scalable
   Only one interface between the ASBRs
   No VRF configuration on the ASBR
   Less memory consumption (no RIB/FIB memory)
 MPLS label switching between providers
 Still simple, more scalable and works today
Cons
 Automatic route-target filtering must be disabled
   But we can apply BGP filtering (on RTs and prefixes) toward the peer ASBR
 ASBRs are still required to hold the VPN routes
Cisco IOS Configuration
Scenario 2: External MP-BGP Between ASBRs for VPN

[Figure: AS #1 (VPN-A -- CE-1 -- PE1 -- ASBR1) and AS #2 (ASBR2 -- PE2 -- CE-2 -- VPN-A). ASBR1 and ASBR2 are directly connected on 1.1.1.0/30 and exchange VPNv4 routes and labels using MP-eBGP]

ASBR MP-eBGP configuration (x = local AS, y = the other provider's AS):

    router bgp x
     no bgp default route-target filter
     neighbor 1.1.1.x remote-as y
     !
     address-family vpnv4
      neighbor 1.1.1.x activate
      neighbor 1.1.1.x send-community extended

Note: the ASBR must already have an MP-iBGP session with its iBGP neighbors, such as the RRs or PEs.
Scenario 3: Multihop MP-eBGP Between RRs to Exchange VPNv4 Routes

 Exchange VPNv4 prefixes via the Route Reflectors
   Requires multihop MP-eBGP (with next-hop-unchanged)
 Exchange IPv4 routes with labels between the directly connected ASBRs using eBGP
   Only the PE loopback addresses need to be exchanged (they are the BGP next-hop addresses of the VPN routes)
Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes (Control Plane)

[Figure: AS#1 (CE-2 -- PE-1 -- ASBR-1, with RR-1) and AS#2 (ASBR-2 -- PE-2 -- CE-3, with RR-2)]

 CE-2 -> PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
 PE-1 -> RR-1 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=90
 RR-1 -> RR-2 (multihop MP-eBGP, next hop unchanged): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=90
 RR-2 -> PE-2 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=90
 Reachability to the BGP next hop PE-1:
   Within AS#1 (IGP+LDP): Network=PE-1, NH=PE-1, Label=40
   ASBR-1 -> ASBR-2 (eBGP IPv4 + label): Network=PE-1, NH=ASBR-1, Label=20
   Within AS#2 (IGP+LDP): Network=PE-1, NH=ASBR-2, Label=30
 PE-2 -> CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2

Note: instead of IGP+label, iBGP+label can be used to exchange the PE routes/labels. Please see Scenario #5 on slides #49 and 50.
Scenario 3: Multihop MP-eBGP Between RRs for VPN Routes (Forwarding Plane)

[Figure: CE-3 sends an IP packet to 10.1.1.1. PE-2 imposes {50, 90}; P2 swaps the transport label and delivers {30, 90} to ASBR-2; ASBR-2 swaps 30 for 20 and sends {20, 90} to ASBR-1; ASBR-1 swaps 20 for 40 and sends {40, 90} toward P1; P1 pops the transport label and PE-1 receives {90}, then forwards the IP packet to CE-2. The VPN label 90 is untouched end to end; only the transport label changes]

Note: instead of IGP+label, iBGP+label can be used to exchange the PE routes/labels.
Scenario 3: Pros/Cons

Pros
 More scalable than Scenarios 1 and 2
   Separation of control and forwarding planes
 Route reflectors exchange VPNv4 routes+labels
   RRs hold the VPNv4 information anyway
 ASBRs now exchange only IPv4 routes+labels
   ASBRs forward MPLS packets
Cons
 Advertising PE addresses to another AS may not be acceptable to some providers
Cisco IOS Configuration
Scenario 3: Multihop MP-eBGP Between RRs for VPN

[Figure: AS #1 (CE-1 -- PE1 -- ASBR-1, RR-1) and AS #2 (ASBR-2 -- PE2 -- CE-2, RR-2). RR-1 and RR-2 run multihop MP-eBGP for VPNv4 with next-hop-unchanged; ASBR-1 and ASBR-2 run eBGP IPv4 + labels]

RR configuration (x = local AS, y = the other provider's AS):

    router bgp x
     neighbor <RR-x> remote-as y
     neighbor <RR-x> ebgp-multihop
     neighbor <RR-x> update-source Loopback0
     !
     address-family vpnv4
      neighbor <RR-x> activate
      neighbor <RR-x> send-community extended
      neighbor <RR-x> next-hop-unchanged

ASBR configuration (the PE and RR loopbacks learned from the other AS are redistributed into the local IGP):

    router ospf x
     redistribute bgp x subnets
    !
    router bgp x
     neighbor <ASBR-x> remote-as y
     !
     address-family ipv4
      network <PEx> mask 255.255.255.255
      network <RRx> mask 255.255.255.255
      neighbor <ASBR-x> activate
      neighbor <ASBR-x> send-label

iBGP IPv4+label could also be used within each AS (instead of "network <x.x.x.x>" plus IGP redistribution) to propagate the label information for the PEs
Scenario 4: Non-VPN Transit Provider

 Two MPLS VPN providers may exchange routes via one or more transit providers
  These may be non-VPN transit backbones that just run MPLS (IPv4 + labels)
 Multihop MP-eBGP is deployed between the edge providers' RRs
  With the exchange of the BGP next hops (the PE/RR addresses and their labels) via the transit provider
Scenario 4: Non-VPN Transit Provider

[Figure: MPLS VPN Provider #1 (PE1, RR-1, ASBR-1, with VPN-B site CE-2) and MPLS VPN Provider #2 (PE2, RR-2, ASBR-4, with VPN-B site CE-3) are connected through a non-VPN MPLS transit backbone (ASBR-2, ASBR-3). ASBR-1/ASBR-2 and ASBR-3/ASBR-4 run eBGP IPv4 + labels; inside the transit backbone, ASBR-2 and ASBR-3 run iBGP IPv4 + labels; inside each provider, MP-iBGP carries the VPNv4 routes and iBGP IPv4 + labels (or IGP + LDP) carries the PE/RR addresses; RR-1 and RR-2 run multihop MP-eBGP for VPNv4 with next-hop-unchanged. The transit backbone only carries the two providers' PE/RR addresses with labels; it sees no VPN routes.]
Route-Target Rewrite at ASBR

 The ASBR can add/delete the route-targets associated with a VPNv4 prefix as it is advertised to (or received from) the other AS
 Helps secure the VPN environment: the RT values used inside one AS never need to be exposed to, or trusted from, the other AS, and the ASBR is the single place where the cross-AS RT mapping is enforced

Example (the slide applied the route-map under a different name than it defined it, and under the global BGP process rather than the VPNv4 address family; both are corrected here, and the extcommunity-list is moved to the standard range so that "permit rt" matches the RT value exactly):

ip extcommunity-list 1 permit rt 100:100
!
route-map route-target-rewrite permit 10
 match extcommunity 1
 set extcomm-list 1 delete
 set extcommunity rt 123:123 additive
route-map route-target-rewrite permit 20
!
router bgp 1000
 address-family vpnv4
  neighbor 1.1.1.1 route-map route-target-rewrite out

Notes: extcommunity-list numbers 1 to 99 are standard lists (exact RT match) and 100 to 500 are expanded lists (regular expressions). "set extcomm-list 1 delete" removes only the RTs matched by list 1, so any other internal RT still on the route leaves the AS unless it is matched as well. The trailing "permit 20" sequence, with no match clause, is required: a VPNv4 route that matches no sequence is dropped by the route-map's implicit deny, which would silently stop the advertisement of every route that does not carry RT 100:100.
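The following Python is an added example, not code from the deck and not Cisco IOS. It models what the route-map above does to the route-target extended communities of VPNv4 routes before they are sent to the neighbouring AS, so the effect on each prefix, and the two pitfalls noted above (unlisted internal RTs leaking, and the implicit deny), can be checked. The IOS semantics modelled are assumptions stated in the code: a sequence matches when any RT on the route is in the extcommunity-list, the delete is applied before the additive set (the documented order for the standard-community equivalent), and a route matching no sequence is not advertised. The route records, RT values and the local ASN 100 are constructed for illustration.

```python
"""Model of route-target rewrite at an Inter-AS ASBR (added example, not IOS)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # route distinguisher
    prefix: str
    next_hop: str
    label: int         # VPN label allocated by the originating PE
    rts: frozenset     # route targets as "ASN:nn" strings


@dataclass(frozen=True)
class Clause:
    """One 'route-map ... permit <seq>' sequence."""
    match_list: Optional[frozenset]   # match extcommunity <list>; None = match everything
    delete_list: frozenset            # set extcomm-list <list> delete
    add_rts: frozenset                # set extcommunity rt ... additive


def apply_clause(route: Vpnv4Route, clause: Clause) -> Vpnv4Route:
    # Assumption: the delete is evaluated before the additive set, so an RT
    # that is both deleted and added ends up present on the route.
    rts = set(route.rts) - clause.delete_list
    rts |= clause.add_rts
    return replace(route, rts=frozenset(rts))


def apply_route_map(route: Vpnv4Route, clauses) -> Optional[Vpnv4Route]:
    """Return the route as advertised, or None if the implicit deny drops it."""
    for clause in clauses:
        if clause.match_list is None or route.rts & clause.match_list:
            return apply_clause(route, clause)
    return None


def leaked_rts(route: Vpnv4Route, local_asn: int) -> frozenset:
    """RTs still carrying the local ASN, i.e. internal RT values the peer AS sees."""
    return frozenset(rt for rt in route.rts if rt.split(":")[0] == str(local_asn))


def advertise(routes, clauses) -> dict:
    """Map prefix -> RT set sent to the peer, or None when the route is dropped."""
    out = {}
    for r in routes:
        adv = apply_route_map(r, clauses)
        out[r.prefix] = None if adv is None else adv.rts
    return out


# Constructed sample policy: local AS 100, extcommunity-list 1 = rt 100:100.
LIST_1 = frozenset({"100:100"})
SLIDE_MAP = [Clause(LIST_1, LIST_1, frozenset({"123:123"}))]          # sequence 10 only
FIXED_MAP = SLIDE_MAP + [Clause(None, frozenset(), frozenset())]       # plus 'permit 20'

# Constructed sample routes (next hops are documentation addresses).
SAMPLE_ROUTES = [
    Vpnv4Route("100:1", "10.1.1.0/24",    "192.0.2.1", 90, frozenset({"100:100"})),
    Vpnv4Route("100:1", "10.2.0.0/16",    "192.0.2.1", 91, frozenset({"100:100", "100:200"})),
    Vpnv4Route("100:2", "192.168.5.0/24", "192.0.2.2", 92, frozenset({"200:200"})),
]


if __name__ == "__main__":
    for name, policy in (("slide", SLIDE_MAP), ("fixed", FIXED_MAP)):
        for prefix, rts in advertise(SAMPLE_ROUTES, policy).items():
            print(f"{name:5s} {prefix:16s} -> {'DROPPED' if rts is None else sorted(rts)}")
```

With the slide's single-sequence route-map, 192.168.5.0/24 is dropped because nothing matches it, and 10.2.0.0/16 goes out still carrying 100:200, the internal RT that list 1 did not cover; the trailing permit fixes the first problem, and only a list (or an expanded regular-expression list) covering all internal RTs fixes the second.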

Inter-AS Deployment Guidelines

1. Use the ASN in the route-target, i.e., ASN:xxxx, so that RT values cannot collide between the participating ASes
2. Maximum-prefix limits (both per BGP neighbor and per VRF) on the PEs
3. Security on the ASBRs: BGP MD5 authentication, inbound and outbound BGP filtering (prefix and route-target filters), BGP maximum-prefix, etc.
4. End-to-end QoS agreement enforced on the ASBRs
5. Route-target rewrite on the ASBRs
6. Internet connectivity on the same ASBR? Decide deliberately; keeping the Internet peering off the Inter-AS VPN ASBR means the two do not share a control plane or a failure domain
Agenda

 Advanced MPLS VPN Topics


Inter-AS MPLS-VPN
Carrier Supporting Carrier (CsC)

MPLS/VPN Networks Without CsC

 The number of VPN routes is one of the biggest limiting factors in scaling the PE router
  Some SPs are running into this scaling limitation
 If the number of VPN routes can be reduced (without losing functionality), the existing investment can be protected
  The same PE can still be used to connect more VPN customers
 Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes in each VRF by enabling MPLS on the PE-CE link
  The carrier's VRF then only needs the customer carrier's internal routes (typically its PE loopbacks); the customer carrier's external routes stay outside the carrier's VPN
CsC Deployment Model

[Figure: the carrier's MPLS core (PE1, P1, PE2) runs IGP + LDP and MP-iBGP for VPNv4. The customer ISP's PoPs, Site-1 (CE-1, ASBR-1, R1) and Site-2 (CE-2, ASBR-2, C1, R2), attach to PE1 and PE2 over MPLS-enabled VRF interfaces. On each PE-CE link, IPv4 routes are exchanged with label distribution, and only the ISP's internal routes (its IGP routes) are carried in the carrier's VRF. The ISP's external routes (its Internet customers' routes) are exchanged directly between its sites over a full-mesh iBGP session and never enter the carrier's VPN.]
Benefits of CsC

 Provide transport for ISPs ($)
  No need to manage the external routes from the ISPs
 Build an MPLS Internet Exchange (MPLS-IX) ($$)
  Media independence; POS/FDDI/PPP possible
  Higher speeds such as OC-192 or more
  Operational benefits
 Sell VPN service to subsidiary companies that themselves provide VPN service ($)
What Do I Need to Enable CsC?

1. Build an MPLS-VPN enabled carrier's network
2. Connect the ISP/SP's sites (or PoPs) to the carrier's PEs
3. Exchange internal routes + labels between the carrier's PE and the ISP/SP's CE
4. Exchange external routes directly between the ISP/SP's sites
CsC Deployment Models

1. Customer ISP not running MPLS
2. Customer ISP running MPLS
3. Customer ISP running MPLS-VPN

Models 1 and 2 are less common deployments. Model 3 is discussed in detail.
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Control Plane

[Figure reconstructed as the sequence of advertisements. Carrier: PE1, P1, PE2. ISP PoP Site-1: CE-1, ASBR_PE-1, R1 (VPN Site-1, network 10.1.1.0/24). ISP PoP Site-2: CE-2, C1, ASBR_PE-2, R2 (VPN Site-2). Labels are advertised from the downstream node toward the upstream node.]

Inner hierarchy: the ISP's internal route 30.1.61.25/32 (ASBR_PE-1's loopback, the BGP next hop of the ISP's own VPN routes), carried inside the carrier's VPN:
 ASBR_PE-1 -> CE-1 (IGP + LDP): 30.1.61.25/32, label = pop (implicit-null)
 CE-1 -> PE1 (IPv4 + label on the VRF interface): 30.1.61.25/32, NH = CE-1, label = 50
 PE1 -> PE2 (MP-iBGP): 1:1:30.1.61.25/32, RT = 1:1, NH = PE-1, label = 51
 Carrier core (IGP + LDP) for PE-1's own address: PE1 -> P1 label = pop; P1 -> PE2 label = 16
 PE2 -> CE-2 (IPv4 + label on the VRF interface): 30.1.61.25/32, NH = PE-2, label = 52
 CE-2 -> C1 (IGP + LDP): 30.1.61.25/32, NH = CE-2, label = 60
 C1 -> ASBR_PE-2 (IGP + LDP): 30.1.61.25/32, NH = C1, label = 70

Outer hierarchy: the ISP's VPN customer route 10.1.1.0/24, which the carrier never sees:
 R1 -> ASBR_PE-1: 10.1.1.0/24, NH = R1
 ASBR_PE-1 -> ASBR_PE-2 (MP-iBGP between the ISP's PEs): 1:1:10.1.1.0/24, RT = 1:1, NH = 30.1.61.25, label = 90
 ASBR_PE-2 -> R2: 10.1.1.0/24, NH = ASBR_PE-2
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Forwarding Plane

[Figure reconstructed as the label stack (top label first) on a packet from R2 in VPN Site-2 to 10.1.1.1 in VPN Site-1, hop by hop:]
 R2 -> ASBR_PE-2: 10.1.1.1 (plain IP)
 ASBR_PE-2 -> C1: 70 | 90 | 10.1.1.1
 C1 -> CE-2: 60 | 90 | 10.1.1.1
 CE-2 -> PE2: 52 | 90 | 10.1.1.1
 PE2 -> P1: 16 | 51 | 90 | 10.1.1.1 (three labels inside the carrier's core)
 P1 -> PE1: 51 | 90 | 10.1.1.1 (P1 pops the LDP label, penultimate-hop popping)
 PE1 -> CE-1: 50 | 90 | 10.1.1.1
 CE-1 -> ASBR_PE-1: 90 | 10.1.1.1
 ASBR_PE-1 -> R1: 10.1.1.1 (plain IP)

The carrier switches only on the outer labels (16, 51, 50); the ISP's VPN label 90 is never the top label inside the carrier's network.
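The following Python is an added example, not code from the deck; it walks a packet through the hierarchical forwarding plane above, using the node names, label values and per-node label operations read off the control-plane figure, so that the stack at every hop can be checked and a route/label mismatch is caught rather than silently black-holed. The table layout, the walk function and the sample packet are constructed here; PE2's operation is modelled as the swap of 52 to 51 plus the push of transport label 16 that the figure shows.

```python
"""Hop-by-hop label-stack walk for the CsC forwarding plane (added example)."""
import ipaddress

# Per-node forwarding tables.  An unlabelled packet is matched on its
# destination prefix (the VRF FIB at the ingress PE); a labelled packet is
# matched on its top label (the LFIB).  Each entry is (operation, labels,
# next_hop) with: push -> push all `labels` on top of the stack
#                 swap -> replace the top label with `labels` (one or more)
#                 pop  -> remove the top label
# Stacks are written top label first, as in the figure ("16 51 90").
TABLES = {
    # ISP PE at site-2: VRF route 10.1.1.0/24 learned via MP-iBGP with
    # NH 30.1.61.25 (ASBR_PE-1) and VPN label 90; the next hop is reached
    # through C1 with LDP label 70.
    "ASBR_PE-2": {ipaddress.ip_network("10.1.1.0/24"): ("push", [70, 90], "C1")},
    "C1":        {70: ("swap", [60], "CE-2")},
    "CE-2":      {60: ("swap", [52], "PE2")},
    # Carrier PE-2: 52 is its VRF label for 30.1.61.25/32; the route was
    # learned from PE-1 with VPN label 51, and PE-1 is reached via P1 with
    # LDP label 16, so the carrier pushes a third label here.
    "PE2":       {52: ("swap", [16, 51], "P1")},
    "P1":        {16: ("pop", [], "PE1")},          # PHP: PE-1 advertised implicit-null
    "PE1":       {51: ("swap", [50], "CE-1")},      # carrier VPN label -> CE-1's label
    "CE-1":      {50: ("pop", [], "ASBR_PE-1")},    # ASBR_PE-1 advertised implicit-null
    "ASBR_PE-1": {90: ("pop", [], "R1")},           # VPN label selects the VRF
}


def lookup(node, stack, dst):
    """Return the table entry a node applies to the packet, or None."""
    table = TABLES[node]
    if stack:
        return table.get(stack[0])
    # Unlabelled packet: longest-prefix match on the destination address.
    addr = ipaddress.ip_address(dst)
    matches = [p for p in table if isinstance(p, ipaddress.IPv4Network) and addr in p]
    return table[max(matches, key=lambda p: p.prefixlen)] if matches else None


def walk(ingress, dst):
    """Forward a packet for `dst` from `ingress`; return the trace as a list of
    (node, next_hop, stack_after_processing).  Raises LookupError when a node
    has no entry for the packet (a label or route mismatch along the path).
    """
    node, stack, trace = ingress, [], []
    while node in TABLES:
        entry = lookup(node, stack, dst)
        if entry is None:
            raise LookupError(f"{node}: no entry for stack {stack} / {dst}")
        op, labels, next_hop = entry
        if op == "push":
            stack = list(labels) + stack
        elif op == "swap":
            stack = list(labels) + stack[1:]
        elif op == "pop":
            stack = stack[1:]
        else:
            raise ValueError(op)
        trace.append((node, next_hop, list(stack)))
        node = next_hop
    if stack:
        raise RuntimeError(f"packet left the network with labels {stack} still on it")
    return trace


def max_stack_depth(trace):
    """Deepest label stack seen on the path (3 inside the carrier's core here)."""
    return max(len(stack) for _, _, stack in trace)


if __name__ == "__main__":
    for node, nh, stack in walk("ASBR_PE-2", "10.1.1.1"):
        print(f"{node:10s} -> {nh:10s} {' '.join(map(str, stack)) or '(IP)'}")
```

Running the walk reproduces the per-hop stacks of the figure; a destination that is not in ASBR_PE-2's VRF raises at the first hop, which is the behaviour to test for when a CsC customer's internal route is missing from the carrier's VRF.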