MPLS Layer 3 VPNs
Complex MPLS Layer 3 VPNs
© 2012 Cisco and/or its affiliates. All rights reserved. SPEDGE v1.0—3-1
Objectives
• Describe common customer Internet connectivity scenarios and identify
design models for combining Internet access with MPLS Layer 3 VPN
services
• Describe implementation of the Internet access service totally separate
from MPLS Layer 3 VPN services
• Describe implementation of the Internet access solutions in which
Internet access is provided as a separate VPN
Internet Access Models with MPLS VPNs
Customer Internet Connectivity Scenarios
• Internet routing is usually performed in the global BGP table of the
service provider's MPLS VPN network, not inside a customer VRF.
• By default, the VRF sites:
- Can communicate only with devices in other VRF sites of the same VPN
- Cannot communicate with devices in the global routing space
• Providing Internet connectivity to a VPN site introduces a security risk:
- A firewall between the VPN site and the Internet is used to ensure the
highest possible level of security.
Classical Internet Access
• Customer connects to the Internet through a central site firewall:
- Deals with security issues
- Provides NAT or proxy services as needed
• Internet traffic goes across the central site:
- Traffic flow is not optimal.
Figure: Customer A (Center) connects to the Service Provider; all Internet traffic of the other sites passes through the central site firewall.
Multisite Internet Access
• Customers have Internet access directly from every site.
• Optimum traffic flow for Internet traffic
• Each site has to deal with security issues:
- Managed firewall offered by service provider
- Customer firewall
Figure: Customer A (Center) and the other sites each connect to the Internet directly through the Service Provider.
Wholesale Internet Access
• The customer chooses an ISP and selects its services.
• Users can access different services offered by different service providers.
• Internet access backbone:
- Provided by a network service provider (NSP)
- Used to interconnect the customer with the selected service provider
Figure: Customers A, B and C attach to the Network Service Provider backbone, which interconnects them with Service Providers X, Y and Z.
Service Provider Shared Backbone
• Internet used to be the most popular service.
• Clients expect different services from their service providers now:
- Internet, video, IP telephony, cloud services, and so on
• Cisco IP NGN architecture supports multiple services in a common
backbone.
Figure: Service Provider Z delivers VPN, Internet, cloud and IP telephony services to Customer C over one common backbone.
Major Design Models of Service Provider Networks
• Two major design models:
- Internet access through global routing
- Internet access as a separate VPN service
• Internet access through route leaking is not an appropriate model for
service providers:
- Scalability problems
Internet Access Through Global Routing
• Separate (sub)interfaces for VPN and Internet traffic; the Internet
interface is placed in the global routing table and routed using:
- Static default routing on the PE, or
- BGP between CE and PE
• Benefits:
- Well-known setup (equivalent to classical Internet service)
- Easy to implement
- Offers a wide range of design options
• Drawback:
- Requires separate physical links or WAN encapsulation that supports
subinterfaces
Internet Access Through a Separate VPN Service
• Implementation through a separate VPN
• Benefits:
- Provider backbone is isolated from the Internet.
- Increased security
• Drawbacks:
- All Internet routes are carried as VPN routes.
- Scalability problems—full Internet routing table in VPN
Internet Access Through Route Leaking
• Not a recommended design:
- Formerly used in corporate environments to provide Internet access
across the corporate VPN
- Routes are leaked between the VRF and the global routing table.
• Benefits:
- Does not use a separate connection for Internet traffic
• Drawbacks:
- Insecure—Internet traffic mixed with VPN traffic
- Hard to apply security policies
- Scalability problems—hard to implement full Internet routing
Separate Internet Access and VPN Services
Classic Internet Access for a VPN Customer
Figure: Internet GW and PE1 to PE4 on the shared MPLS VPN & Internet backbone; Customer A (Central) attaches with both VPN and Internet connectivity.
Using Separate Subinterfaces
• Separating physical links for VPN and Internet is sometimes
unacceptable because of high cost.
• Subinterfaces can be used:
- Over WAN links
• Frame Relay
• ATM
- Over LAN links (802.1Q)
• A VRF-aware tunnel interface can be used for the VPN traffic, so that
VPN traffic does not run over a tunnel in the global routing table.
Internet Access Using Static Routes
Figure: Customer A sites (1) 10.10.1.0/24 and (2) 10.10.2.0/24 attach to PE2 and PE3 as VPN-only sites; Customer A (Central), with VPN & Internet and public prefix 209.165.201.0/27, attaches to PE1; PE1 reaches the Internet GW over the shared MPLS backbone via IBGP.

PE1 configuration (IOS XR syntax; the PE keeps the Internet subinterface in the global table and the VPN subinterface in VRF CustomerA):

vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
  !
  export route-target
   1:210
  !
 !
!
interface GigabitEthernet0/1
 ! parent link carries no address; only the subinterfaces route traffic
 no ip address
!
interface GigabitEthernet0/1.2
 description Internet
 ! no vrf statement: this subinterface belongs to the global routing table
 encapsulation dot1Q 2 native
 ip address 172.16.10.1 255.255.255.252
!
interface GigabitEthernet0/1.3
 description MPLS VPN
 vrf CustomerA
 encapsulation dot1Q 3
 ip address 192.168.16.1 255.255.255.252
!
router static
 address-family ipv4 unicast
  ! customer public prefix, reachable through the Internet subinterface
  209.165.201.0/27 172.16.10.2
 !
!
router bgp 64500
 address-family ipv4 unicast
  ! announce the customer public prefix in the global table
  redistribute static
 !
!

Customer A (Central) CE configuration (IOS syntax):

interface GigabitEthernet0/1.2
 description Internet
 encapsulation dot1Q 2 native
 ip address 172.16.10.2 255.255.255.252
!
interface GigabitEthernet0/1.3
 description MPLS VPN
 encapsulation dot1Q 3
 ip address 192.168.16.2 255.255.255.252
!
! Internet traffic leaves over the Internet subinterface, VPN traffic over the VPN subinterface
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip route 10.10.0.0 255.255.0.0 192.168.16.1
Internet Access Using Dynamic Routing Protocol
Figure: same topology as the static-route example; Customer A (Central), AS 64503, peers with PE1 (AS 64500) over EBGP on the Internet subinterface and announces 209.165.201.0/24.

PE1 configuration (IOS XR syntax):

vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
  !
  export route-target
   1:210
  !
 !
!
interface GigabitEthernet0/1.2
 description Internet
 encapsulation dot1Q 2
 ip address 172.16.10.1 255.255.255.252
!
interface GigabitEthernet0/1.3
 description MPLS VPN
 vrf CustomerA
 encapsulation dot1Q 3
 ip address 192.168.16.1 255.255.255.252
!
router bgp 64500
 address-family ipv4 unicast
 !
 neighbor 172.16.10.2
  remote-as 64503
  update-source GigabitEthernet0/1.2
  address-family ipv4 unicast
   ! accept the customer prefix, advertise only the default route
   route-policy pass in
   route-policy Only_Default out
   default-originate
   next-hop-self
  !
 !
!
! permit-all inbound policy referenced above (definition assumed, not shown on the slide)
route-policy pass
  pass
end-policy
!
route-policy Only_Default
  if destination in (0.0.0.0/0) then
    pass
  endif
end-policy

Customer A (Central) CE configuration (IOS syntax):

interface GigabitEthernet0/1.2
 description Internet
 encapsulation dot1Q 2
 ip address 172.16.10.2 255.255.255.252
!
interface GigabitEthernet0/1.3
 description MPLS VPN
 encapsulation dot1Q 3
 ip address 192.168.16.2 255.255.255.252
!
router bgp 64503
 network 209.165.201.0 mask 255.255.255.0
 neighbor 172.16.10.1 remote-as 64500
!
! anchor the aggregate so that BGP can originate it
ip route 209.165.201.0 255.255.255.0 Null0
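The table selection that the two PE1 configurations above (static and EBGP variants) rely on, as an added Python model that is not part of the Cisco course material. It uses the slide addresses, prefixes and VRF name; the next-hop names Internet-GW, PE2 and PE3, the class names and the leak_default() helper are assumptions of this example.

```python
"""Added example (not from the SPEDGE slides): a PE with one global table and
one table per VRF, as used by the global-routing Internet access design.
Addresses, prefixes and the VRF name come from the slides; the next-hop
names (Internet-GW, PE2, PE3) and the leak_default() helper are assumptions
made for this example."""
import ipaddress


class Rib:
    """A routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}  # IPv4Network -> next hop (string)

    def add(self, prefix, nexthop):
        self.routes[ipaddress.IPv4Network(prefix)] = nexthop

    def lookup(self, dst):
        """Return (matched prefix, next hop) for dst, or None if there is no route."""
        ip = ipaddress.IPv4Address(dst)
        best = None
        for prefix, nexthop in self.routes.items():
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nexthop)
        return best


class PE:
    """An interface bound to a VRF is looked up only in that VRF's table;
    an interface with no VRF is looked up only in the global table."""

    def __init__(self):
        self.tables = {"global": Rib()}
        self.if_table = {}  # interface name -> table name

    def bind(self, ifname, vrf=None):
        table = vrf or "global"
        self.tables.setdefault(table, Rib())
        self.if_table[ifname] = table

    def forward(self, in_if, dst):
        """Return (table used, matched prefix, next hop); next hop None means dropped."""
        table = self.if_table[in_if]
        hit = self.tables[table].lookup(dst)
        if hit is None:
            return table, None, None
        return table, str(hit[0]), hit[1]


def build_pe1():
    """PE1 from the static-routing slide: Internet subinterface in the global
    table, MPLS VPN subinterface in VRF CustomerA."""
    pe = PE()
    pe.bind("Gi0/1.2")                   # description Internet (global table)
    pe.bind("Gi0/1.3", vrf="CustomerA")  # description MPLS VPN
    g = pe.tables["global"]
    g.add("0.0.0.0/0", "Internet-GW")          # default learned over IBGP (assumed next hop)
    g.add("209.165.201.0/27", "172.16.10.2")   # router static: customer public prefix via CE
    v = pe.tables["CustomerA"]
    v.add("192.168.16.0/30", "connected")
    v.add("10.10.1.0/24", "PE2")               # remote sites imported with route-target 1:210
    v.add("10.10.2.0/24", "PE3")
    return pe


def leak_default(pe):
    """The route-leaking design the slides reject: a default route copied
    into the VRF lets VPN traffic escape through the global table."""
    pe.tables["CustomerA"].add("0.0.0.0/0", "global:Internet-GW")


if __name__ == "__main__":
    pe = build_pe1()
    for in_if, dst in [("Gi0/1.2", "209.165.201.5"),   # Internet -> customer public prefix
                       ("Gi0/1.2", "10.10.1.7"),       # Internet -> VPN address: not visible
                       ("Gi0/1.3", "10.10.2.9"),       # VPN site -> VPN site
                       ("Gi0/1.3", "198.51.100.1")]:   # VPN site -> Internet: no route
        print(in_if, dst, pe.forward(in_if, dst))
    leak_default(pe)
    print("after leaking:", pe.forward("Gi0/1.3", "198.51.100.1"))
```

A packet arriving on the VPN subinterface for an Internet destination is dropped because VRF CustomerA holds no default route; Internet-bound traffic from the customer only reaches the PE through the CE's own default route over the Internet subinterface, where the global table applies. Conversely, a packet from the Internet to a 10.10.x.x address matches only the global default and never enters the VRF. Leaking the default into the VRF, as leak_default() does, is exactly what removes that separation.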
Multisite Internet Access
• Every CE router needs two links (or subinterfaces).
• Complex network setup
• Expensive solution
Figure: Customer A sites (1) to (4) and Customer A (Central) each attach with separate VPN and Internet links; Internet GW and PE1 to PE4 sit on the shared MPLS VPN & Internet backbone.
Benefits and Limitations
• Benefits of separate Internet access:
- Well-known model
- Supports all customer requirements
- Allows all Internet service implementations
• Drawbacks of separate Internet access:
- Requires a separate physical link (or subinterface) per site
- PE routers must be able to perform Internet routing
• Potentially carry full Internet routing table
• Wholesale Internet access cannot be implemented in this model.
Internet Access as a Separate VPN
Internet Access as a Separate VPN
• Service provider gateway is connected as a CE router to the MPLS VPN
backbone.
• The global Internet routing table is very large:
- Only the default route and some specific regional routes are distributed into
the MPLS VPN network.
• Many service providers can share the same network backbone:
- The customer can choose a service provider.
- The customer site is assigned to the VRF of that service provider.
Internet Gateway Configuration
• Internet gateway has full Internet routing table:
- Only subset of all routes sent to customers
• Internet gateway acts as a CE router.
• Internet VPN is used for Internet access.
• Customers are assigned to Internet VPN.
Figure: The Internet GW attaches as a CE to PE-GW; PE1 to PE4 form the shared MPLS VPN & Internet backbone; Customer A (Center) and Customer B (Center) attach with VPN and Internet connectivity.
Internet Gateway Configuration Example
Customer Internet Access from Central Site
Figure: Customer A (Internet, VPN) attaches to PE1; the Internet GW attaches as a CE to PE-GW; both PEs are on the MPLS backbone.

PE1 configuration (IOS XR syntax; the customer's Internet subinterface is placed in the Internet VRF, not in the global table):

vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
  !
  export route-target
   1:210
  !
 !
!
! Internet VRF shared with the Internet GW; the route target value is assumed
! to match the RD 1:2000 used below (the slide shows only the RD)
vrf Internet
 address-family ipv4 unicast
  import route-target
   1:2000
  !
  export route-target
   1:2000
  !
 !
!
interface GigabitEthernet0/1.2
 description Internet
 vrf Internet
 encapsulation dot1Q 2
 ip address 172.16.10.1 255.255.255.252
!
router bgp 64500
 address-family ipv4 unicast
 !
 address-family vpnv4 unicast
 !
 vrf Internet
  rd 1:2000
  address-family ipv4 unicast
   ! the default route received from the Internet GW through the Internet VPN
   network 0.0.0.0/0
  !
  neighbor 172.16.10.2
   remote-as 64503
   address-family ipv4 unicast
    ! IOS XR passes no routes on an EBGP session without policies; the pass
    ! and Only_Default policies are the ones from the dynamic-routing example
    route-policy pass in
    route-policy Only_Default out
   !
  !
 !
!
Redundant Internet Access
• All Internet gateways advertise routes.
• Internet gateways are connected to the same VRF.
Figure: GW1, GW2 and GW3 attach to PE1, PE2 and PE3 on the MPLS backbone and exchange routes via IBGP.
Multisite Customer Internet Access
• Internet VRF is configured on every location.
• Adds complexity
• Firewall on every site:
- Managed firewall can be used.
Figure: Customer A (3) (Internet, VPN) attaches to PE3; the Internet GW attaches to PE-GW; PE1, PE2 and PE3 are on the MPLS backbone.
Wholesale Internet Access
• A separate VPN is created for each upstream ISP.
• Each ISP gateway announces the default route to the VPN.
• Customers are assigned into the right VRF:
- VRF assignment corresponds to ISP selection.
• ISP change is easy for administrator:
- Only VRF has to be changed.
Figure: Service Provider Z delivers VPN, Internet, cloud and IP telephony services to Customer C.
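Route-target membership for the Internet VPN and wholesale models described above, as an added Python example that is not part of the course slides. Route target 1:210 and the Customer A prefixes 10.10.0.0/16, 10.10.1.0/24 and 209.165.201.0/24 are the slide values; the ISP names, route targets 1:1000, 1:2000 and 1:220, Customer B's prefixes and the function names are assumptions of this example.

```python
"""Added example (not from the SPEDGE slides): route-target (RT) based VRF
membership for the 'Internet as a separate VPN' and wholesale designs.
RT 1:210 and the Customer A prefixes come from the slides; the ISP VRFs,
RTs 1:1000 / 1:2000 / 1:220 and Customer B's prefixes are assumed."""

# VRF name -> (import route targets, export route targets)
VRFS = {
    "CustomerA": ({"1:210"}, {"1:210"}),
    "CustomerB": ({"1:220"}, {"1:220"}),
    "ISP-X": ({"1:1000"}, {"1:1000"}),  # Internet VPN of upstream ISP X
    "ISP-Y": ({"1:2000"}, {"1:2000"}),  # Internet VPN of upstream ISP Y
}

# (attachment, VRF it is placed in, prefixes it originates).  Each ISP gateway
# is a CE router attached to its own Internet VRF; a customer's Internet
# subinterface is attached to the VRF of the ISP the customer selected.
ATTACHMENTS = [
    ("ISP-X gateway", "ISP-X", ["0.0.0.0/0"]),
    ("ISP-Y gateway", "ISP-Y", ["0.0.0.0/0"]),
    ("CustomerA site 1 VPN", "CustomerA", ["10.10.1.0/24"]),
    ("CustomerA central VPN", "CustomerA", ["10.10.0.0/16"]),
    ("CustomerA central Internet", "ISP-X", ["209.165.201.0/24"]),
    ("CustomerB central VPN", "CustomerB", ["10.20.0.0/16"]),
    ("CustomerB central Internet", "ISP-Y", ["209.165.202.0/24"]),
]


def vpn_routes(vrfs, attachments):
    """Routes as carried in MP-BGP: (prefix, originating VRF, export RTs)."""
    return [(prefix, vrf, frozenset(vrfs[vrf][1]))
            for _, vrf, prefixes in attachments
            for prefix in prefixes]


def vrf_table(name, vrfs, attachments):
    """Prefixes present in VRF `name`: its own attachments plus every VPN
    route carrying at least one of the VRF's import route targets."""
    imports = vrfs[name][0]
    return sorted({prefix for prefix, vrf, rts in vpn_routes(vrfs, attachments)
                   if vrf == name or rts & imports})


def change_isp(attachments, attachment, new_vrf):
    """Wholesale ISP change: only the VRF of the Internet attachment moves."""
    return [(a, new_vrf if a == attachment else vrf, prefixes)
            for a, vrf, prefixes in attachments]


if __name__ == "__main__":
    for vrf in VRFS:
        print(vrf, vrf_table(vrf, VRFS, ATTACHMENTS))
    moved = change_isp(ATTACHMENTS, "CustomerA central Internet", "ISP-Y")
    print("after moving Customer A to ISP Y:")
    for vrf in ("ISP-X", "ISP-Y", "CustomerA"):
        print(vrf, vrf_table(vrf, VRFS, moved))
```

VRF CustomerA never imports an ISP route target, so it holds no default route and the provider backbone carries no path from the Internet into the customer's private prefixes; the customer's public prefix and the ISP default meet only inside the ISP's own Internet VRF. Switching the customer to ISP Y is a single VRF reassignment of the Internet attachment, after which ISP X's VRF no longer sees 209.165.201.0/24.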
Limitations of Running Internet in a VPN
• Benefits:
- Supports all Internet access service types
- Easy to make changes
- Can support customer requirements
• Drawbacks:
- Full Internet routing cannot be carried in the VPN (only the default route
and selected routes are distributed), which can cause:
• Suboptimal routing
- Overlapping Internet and VPN backbone design requires special care.
Summary
• Internet access types include the following:
- Classical Internet access
- Multisite Internet access
- Wholesale Internet access
• Two recommended service provider designs are as follows:
- Global routing (global routing table is used for Internet routing)
- Internet service as a separate VPN
• Wholesale Internet access is easy to implement when you use Internet
service as a separate VPN.