Documente Academic
Documente Profesional
Documente Cultură
sbng@cisco.com
ttheera@cisco.com
limfung@cisco.com
Abstract
This session describes the implementation of IP Virtual Private Networks (IP
VPNs) using MPLS. It is the most common Layer 3 VPN technology, as
standardized by IETF RFC2547/4364, realizing IP connectivity between VPN
site and MPLS network.
Service Providers have been using IP VPN to provide scalable site-to-site/WAN
connectivity to Enterprises/SMBs for more than a decade. Enterprises have
been using it to address network segmentation (virtualization and traffic
separation) inside the site e.g. Campus, Data Center. This technology realizes
IP connectivity between VPN site and MPLS network.
The session will cover:
Prerequisites
Reference
Terminology
Reference
Agenda
IP/VPN Overview
IP/VPN Deployment Scenarios
Best Practices
Use-Cases
Conclusion
Agenda
IP/VPN Overview
Technology Overview (How It Works)
Configuration Overview
IP/VPN Technology
MPLS based IP/VPN Topology / Connection Model
MPLS Network
P
CE
PE
CE
PE
CE
P
CE
MP-iBGP Session
CE Routers
PE Routers
P Routers
Sit inside the network
Forward packets by looking
at labels
Share a common IGP with PE
CE1
VPN 1
VPN 2
PE
MPLS Network IGP (OSPF, ISIS)
CE1
VPN 1
Ser0/0
VRF Blue
No changes needed at CE
IOS_PE(conf)#interface Ser0/0
IOS_PE(conf)#ip vrf forwarding blue
11
VRF Green
PE
MPLS Network IGP (OSPF, ISIS)
CE1
VPN 1
VRF Blue
12
MP-iBGP Session
PE
PE
MPLS Network
PE
13
4 Bytes
1:1
10.1.1.0
RD
IPv4
VPNv4
8 Bytes
Route-Target
3 Bytes
Label
Label
14
Reference
Reference
15
1:1
4 Bytes
8 Bytes
3 Bytes
200.1.64.0
RD
IPv4
Route-Target
Label
VPNv4
VPN customer IPv4 prefix is converted into a VPNv4 prefix by appending the
RD (1:1, say) to the IPv4 address (200.1.64.0, say) => 1:1:200.1.64.0
Makes the customers IPv4 address unique inside the SP MPLS network.
IOS_PE#
!
ip vrf green
rd 1:1
!
16
8 Bytes
4 Bytes
1:1
10.1.1.0
RD
IPv4
8 Bytes
3 Bytes
1:2
Route-Target
Label
VPNv4
IOS_PE#
!
ip vrf green
route-target import 1:2
route-target export 1:2
!
17
8 Bytes
4 Bytes
1:1
10.1.1.0
1:2
100
IPv4
Route-Target
Label
RD
8 Bytes
3 Bytes
VPNv4
18
Site 1
MP-iBGP Update:
RD:10.1.1.0
Next-Hop=PE-1
RT=1:2, Label=100
Site 2
CE1
10.1.1.0/24
CE2
10.1.1.0/24
Next-Hop=CE-1
PE1
PE2
MPLS Backbone
19
Site 1
MP-iBGP Update:
RD:10.1.1.0
Next-Hop=PE-1
RT=1:2, Label=100
10.1.1.0/24
Next-Hop=PE-2
CE1
10.1.1.0/24
4
CE2
10.1.1.0/24
Next-Hop=CE-1
PE1
Site 2
PE2
MPLS Backbone
44. PE2 receives and checks whether the RT=1:2 is locally configured as import RT within
55. PE2 advertises this IPv4 prefix to CE2 (using whatever routing protocol)
20
Site 1
10.1.1.0/24
CE1
PE1
CE2
PE2
MPLS Backbone
IOS:show ip cef
NX-OS: show forwarding ipv4
IOS-XR: show cef ipv4
21
Site 2
CE1
P3
10.1.1.1
IP Packet
CE2
P4
PE1
100
PE2
10.1.1.1 P1
50
100
10.1.1.1
10.1.1.1
IP Packet
P2
25
100
10.1.1.1
MPLS Packet
PE2 imposes two labels (MPLS headers) for each IP packet going to site1
Outer label is learned via LDP; Corresponds to PE1 address (e.g. IGP route)
Inner label is learned via BGP; corresponds to the VPN address (BGP route)
22
Reference
Reference
Ethernet Header
Outer MPLS header
Inner MPLS Header
IP Header
2014 Cisco and/or its affiliates. All rights reserved.
23
Agenda
IP/VPN Explained
Technology Overview
Configuration Overview (IOS, IOS-XR and NX-OS)
IP/VPN Services
Best Practices
Use-Cases
Conclusion
24
ip vrf VPN-A
rd 1:1
route-target export
route-target import
Site 1
10.1.1.0/24
CE1
Se0
192.168.10.1
PE1
PE
1
PE-P Configuration
PE1 s1
interface Serial0
ip address 192.168.10.1/24
ip vrf forwarding VPN-A
100:1
100:1
interface Serial0
ip address 192.168.10.1/24
vrf forwarding VPN-A
Interface Serial1
ip address 130.130.1.1 255.255.255.252
mpls ip
P
Se0
100:1
100:1
Reference
PE
1
router ospf 1
network 130.130.1.0 0.0.0.3 area 0
25
PE2
PE
1
PE2
RR
Reference
router bgp 1
neighbor 1.2.3.4 remote-as 1
neighbor 1.2.3.4 update-source loopback0
!
address-family vpnv4
neighbor 1.2.3.4 activate
neighbor 1.2.3.4 send-community both
!
router bgp 1
no bgp default route-target filter
neighbor 1.2.3.6 remote-as 1
neighbor 1.2.3.6 update-source loopback0
!
address-family vpnv4
neighbor 1.2.3.6 route-reflector- client
neighbor 1.2.3.6 activate
!
26
Reference
CE1
10.1.1.0/24
PE1
192.168.10.2
PE1
router bgp 1
!
address-family ipv4 vrf VPN-A
neighbor 192.168.10.2 remote-as 2
neighbor 192.168.10.2 activate
exit-address-family
!
192.168.10.1
CE1
PE1
10.1.1.0/24
192.168.10.2
PE1
router ospf 1
!
router ospf 2 vrf VPN-A
network 192.168.10.0 0.0.0.255 area 0
redistribute bgp 1 subnets
!
192.168.10.1
27
CE1
PE1
10.1.1.0/24
192.168.10.2
PE1
Reference
router rip
!
address-family ipv4 vrf VPN-A
version 2
no auto-summary
network 192.168.10.0
redistribute bgp 1 metric transparent
!
192.168.10.1
CE1
PE1
10.1.1.0/24
192.168.10.2
PE1
192.168.10.1
router eigrp 1
!
address-family ipv4 vrf VPN-A
no auto-summary
network 192.168.10.0 0.0.0.255
autonomous-system 10
redistribute bgp 1 metric 100000 100
255 1 1500
!
28
Reference
CE1
PE1
10.1.1.0/24
192.168.10.2
PE1
192.168.10.1
PE1
router rip
address-family ipv4 vrf VPN-A
version 2
redistribute bgp 1 metric transparent
no auto-summary
network 192.168.10.0
exit-address-family
29
Reference
CE1
PE1
router bgp 1
neighbor 1.2.3.4 remote-as 1
neighbor 1.2.3.4 update-source loopback 0
address-family ipv4 vrf VPN-A
redistribute {rip|connected|static|eigrp|ospf}
Having familiarized with IOS based config, lets peek through IOS-XR and NXOS config for VPNs
30
CE1
GE
0
192.168.10.1
PE1
PE
1
Reference
vrf VPN-A
address-family ipv4 unicast
import route-target 100:1
export route-target 100:1
!
router bgp 1
vrf VPN-A
rd 1:1
Interface GE0
ipv4 address 192.168.10.1 255.255.255.0
vrf VPN-A
PE-P Configuration
Mpls ldp
int GE1
!
P
GE
0
PE1 GE1
PE
1
router ospf 1
area 0
interface GE1
31
PE2
PE
1
PE2
RR
Reference
router bgp 1
router-id 1.2.3.1
address-family vpnv4 unicast
!
neighbor 1.2.3.4
remote-as 1
update-source loopback0
address-family vpnv4 unicast
send-community extended
!
router bgp 1
router-id 1.2.3.4
address-family vpnv4 unicast
!
neighbor 1.2.3.1
remote-as 1
update-source loopback0
address-family vpnv4 unicast
send-community extended
route-reflector-client
!
32
CE1
10.1.1.0/24
PE1
192.168.10.2
GE0
PE1
192.168.10.1
Reference
router bgp 1
!
vrf VPN-A
neighbor 192.168.10.2
remote-as 2
address-family ipv4 unicast
route-policy pass-all in|out
!
!
!
!
CE1
PE1
10.1.1.0/24
192.168.10.2
GE0
PE1
192.168.10.1
router ospf 2
vrf VPN-A
address-family ipv4 unicast
redistribute bgp 1
!
area 0
interface GE0
!
33
Reference
CE1
PE1
10.1.1.0/24
192.168.10.2
GE0
PE1
router rip
vrf VPN-A
interface GE0
redistribute bgp 1
!
192.168.10.1
CE1
PE1
10.1.1.0/24
192.168.10.2
GE0
PE1
router eigrp 1
vrf VPN-A
address-family ipv4
as 10
default-metric 100000 100 255 1 1500
interface GE0
redistribute bgp 1
192.168.10.1
34
Reference
CE1
PE1
10.1.1.0/24
192.168.10.2
GE0
PE1
router static
vrf VPN-A
address-family ipv4 unicast
ip route 10.1.1.0/8 192.168.10.2
192.168.10.1
35
Reference
If PE-CE Protocol Is Non-BGP, then Redistribution of Local VPN Routes into MP-IBGP Is
Required (Shown Below)
PE1
router bgp 1
vrf VPN-A
address-family ipv4 unicast
redistribute {rip|connected|static|eigrp|ospf}
CE1
36
CE1
GE
0
192.168.10.1
PE1
PE
1
PE-P Configuration
PE1 GE1
Interface GE1
ip address 130.130.1.1 255.255.255.252
mpls ip
ip ospf 1 area 0
P
GE
0
Reference
PE
1
router ospf 1
37
Reference
PE2
PE
1
PE2
RR
router bgp 1
router-id 1.2.3.1
neighbor 1.2.3.4 remote-as 1
update-source loopback0
address-family vpnv4 unicast
send-community extended
!
router bgp 1
router-id 1.2.3.4
neighbor 1.2.3.1 remote-as 1
update-source loopback0
address-family vpnv4 unicast
send-community extended
route-reflector-client
!
38
Reference
CE1
10.1.1.0/24
PE1
192.168.10.2
GE0
PE1
router bgp 1
!
vrf VPN-A
neighbor 192.168.10.2 remote-as 2
address-family ipv4 unicast
!
192.168.10.1
CE1
PE1
10.1.1.0/24
192.168.10.2
GE0
PE1
router ospf 2
vrf VPN-A
address-family ipv4 unicast
redistribute bgp 1 route-map name
!
interface GE1
ip address 192.168.10.1/24
ip router ospf 2 area 0
192.168.10.1
39
CE1
PE1
10.1.1.0/24
192.168.10.2
GE0
PE1
Reference
192.168.10.1
CE1
PE1
10.1.1.0/24
192.168.10.2
GE0
PE1
192.168.10.1
40
Reference
CE1
PE1
10.1.1.0/24
192.168.10.2
GE0
PE1
192.168.10.1
41
Reference
PE1
router bgp 1
vrf VPN-A
address-family ipv4 unicast
redistribute {rip|direct|static|eigrp|ospf} route-map name
CE1
42
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
43
PE2
CE2
171.68.2.0/24
PE12
Site A
Site B
MPLS Backbone
Route Advertisement
44
rd 300:11
route-target both 1:1
RR
PE11
CE1
<BGP>
address-family ipv4 vrf green
maximum-paths eibgp 2
PE2
CE2
171.68.2.0/24
PE12
Site A
1
Site B
MPLS Backbone
rd 300:12
route-target both 1:1
rd 300:13
route-target both 1:1
45
Supported in IOS,
and IOS-XR
RR
VPN Traffic
Redirected VPN Traffic
PE11
CE1
PE2
CE2
171.68.2.0/24
PE12
Site A
MPLS Backbone
Site B
46
Supported in IOS,
and IOS-XR 3.4
RR
VPN Traffic
Redirected VPN Traffic
PE11
CE1
PE2
CE2
171.68.2.0/24
Site A
MPLS Backbone
Site B
PE12
47
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
48
49
Use option#1 if VPN Hub site advertises default or summary routes towards the
Spoke sites, otherwise use Option#2
50
Supported in IOS,
NXOS and IOS-XR
PE-SA
CE-SA
171.68.1.0/24
PE-Hub
Eth0/0
Spoke B
CE-SB
PE-SB
171.68.2.0/24
CE-Hub
51
Supported in IOS,
NXOS and IOS-XR
PE-SA
CE-SA
171.68.1.0/24
PE-Hub
Spoke B
CE-SB
Eth0/0.1
Eth0/0.2
PE-SB
171.68.2.0/24
CE-Hub
52
Supported in IOS,
NXOS and IOS-XR
If BGP is used between every PE and CE, then allowas-in and as-override*
knobs must be used at the PE_Hub**
Otherwise AS_PATH looping will occur
* Only If Hub and Spoke Sites Use the Same BGP ASN
** Configuration for This Is Shown on the Next Slide
53
Supported in IOS,
NXOS and IOS-XR
Spoke A
CE-SA
PE-SA
171.68.1.0/24
Eth0/0.1
Eth0/0.2
PE-Hub
Spoke B
CE-SB
PE-SB
171.68.2.0/24
CE-Hub
<BGP>
address-family ipv4 vrf HUB-OUT
neighbor <CE> allowas-in 2
2014 Cisco and/or its affiliates. All rights reserved.
54
Supported in IOS,
NXOS and IOS-XR
MPLS Backbone
Spoke A
171.68.1.0/24
CE-SA
PE-SA
171.68.2.0/24
MP-iBGP Update
171.68.0.0/16
Label 35
Route-Target 2:2
PE-SB
Spoke B
CE-SB
MP-iBGP Update
171.68.1.0/24
Label 40
Route-Target 1:1
35
MP-iBGP Update
171.68.2.0/24
Label 50
Route-Target 1:1
VRF HUB-IN
PE-Hub
VRF HUB-OUT
CE-Hub
55
Supported in IOS,
NXOS and IOS-XR
171.68.1.1
CE-SA
PE-SA
MPLS Backbone
L2
40
171.68.1.1
171.68.1.1
171.68.1.0/24
VRF HUB-IN
CE-Hub
PE-Hub
Spoke B
CE-SB
PE-SB
VRF HUB-OUT
L1
35
171.68.1.1
171.68.1.1
171.68.2.0/24
171.68.1.1
56
Supported in IOS
and IOS-XR 3.6
CESA1
CESA2
CESA3
PE-Hub
PE-SA
Note: 12.2(33) SRE. XE 3.0S Support Any Interface Type (Eth, Ser, POS, Virtual-Access, etc.)
57
Supported in IOS
ip vrf green-up
description For upstream traffic (to Hub)
rd 300:111
route-target import 2:2
ip vrf green-down
description - For downstream traffic (from Hub)
rd 300:112
route-target export 1:1
ip vrf HUB-IN
description VRF for traffic from HUB
rd 300:11
route-target import 1:1
Spoke A
171.68.1.0/24
CE-SAGE0/0
GE0/1
PE-SA
Hub Site
MPLS Backbone
PE-Hub
Spoke B
CE-Hub
171.68.2.0/24
CE-SB
Upstream VRF
ip vrf HUB-OUT
description VRF for traffic to HUB
rd 300:12
route-target export 2:2
Downstream VRF
1.
PE-SA installs the Spoke routes only in downstream VRF i.e. green-down
2.
PE-SA installs the Hub routes only in upstream VRF i.e. green-up
3.
PE-SA forwards the incoming IP traffic (from Spokes) using upstream VRF i.e. green-up routing table.
4.
PE-SA forwards the incoming MPLS traffic (from Hub) using downstream VRF i.e. green-down routing table
58
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
60
Implemented by sharing import and export route-target (RT) values within the
VRFs of extranets.
Export-map or import-map may be used for advanced extranet.
61
Supported in IOS,
NXOS and IOS-XR
MPLS Backbone
VPN_A Site#1
71.8.0.0/16
PE1
VPN_A Site#2
PE2
180.1.0.0/16
VPN_B Site#1
62
Supported in IOS,
NXOS and IOS-XR
MPLS Backbone
VPN_A Site#1
71.8.0.0/16
PE1
VPN_A Site#2
PE2
180.1.0.0/16
VPN_B Site#1
Lack of Additive
Would Result in
3000:222 Being
Replaced with 3000:1.
We Dont Want That.
63
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
64
VPN customers benefit from the single point of contact for both Intranet and
Internet connectivity
65
66
Extranet between
Internet-VRF and
Customer VRFs that
need internet access
67
Supported in IOS
MPLS Backbone
CE1
Internet
71.8.0.0/16
SO
192.168.1.2
ASBR
P
PE1
PE1#
ip vrf VPN-A
rd 100:1
route-target both 100:1
Interface Serial0
ip address 192.168.10.1 255.255.255.0
ip vrf forwarding VPN-A
Router bgp 100
no bgp default ipv4-unicast
redistribute static
neighbor 192.168.1.1 remote 100
neighbor 192.168.1.1 activate
neighbor 192.168.1.1 next-hop-self
neighbor 192.168.1.1 update-source loopback0
192.168.1.1
Internet GW
68
Supported in IOS,
MPLS Backbone
IP Packet
5.1.1.1
S0 PE1
71.8.1.1
192.168.1.1
71.8.1.1
IP Packet
S
0
71.8.1.1 IP Packet
Cons
3
71.8.1.
5
1
MPLS Packet
Pros
Internet
(5.1.0.0/16)
PE2
P
192.168.1.2
PE1: Global Routing/FIB Table
Destination
Label/Interface
192.168.1.1/32
Label=30
71.8.0.0/16
Serial 0
IP Packet
5.1.1.1
MPLS Packet
3
5.1.1.1
0
69
Supported in IOS,
NXOS and IOSXR
4.2
Option#2: Separate PE-CE Subinterfaces
Site1
71.8.0.0/16
MPLS Backbone
Internet
Internet
iBGP
CE1
Se0.2
PE1
Se0.1
192.168.1.2
ip vrf VPN-A
rd 100:1
route-target both 100:1
Interface Serial0.1
ip vrf forwarding VPN-A
ip address 192.168.20.1 255.255.255.0
frame-relay interface-dlci 100
!
Interface Serial0.2
ip address 71.8.10.1 255.255.0.0
frame-relay interface-dlci 200
!
Router bgp 100
no bgp default ipv4-unicast
neighbor 71.8.10.2 remote-as 502
2014 Cisco and/or its affiliates. All rights reserved.
PE2
192.168.1.1
Internet GW
Supported in IOS,
NXOS and IOSXR
4.2
Option#2: Separate PE-CE Subinterfaces (Forwarding)
Site1
MPLS Backbone
71.8.0.0/16
IP Packet
5.1.1.1
CE1
S0.2
S0.1
IP Packet
5.1.1.1
MPLS Packet
3
5.1.1.1
PE1 0
PE2
192.168.1.2
Pros
Cons
192.168.1.1
PE-Internet GW
CE Routing Table
VPN Routes
Serial0.1
Internet Routes
Serial0.2
PE1 Global Table and FIB
Internet Routes
192.168.1.1
192.168.1.1
Label=30
Internet
Internet
71
Supported in IOS,
NXOS and IOSXR
Be careful if multiple customer VRFs, at the same PE, are importing full
Internet routes
Works well only if the VPN customers dont have overlapping addresses
72
Supported in IOS,
75
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
76
Supported in IOS,
NXOS and IOS-XR
Reference
http://www.cisco.com/en/US/docs/ios/interface/configuration/guide/ir_mplsvpnomgre.html
2014 Cisco and/or its affiliates. All rights reserved.
77
Supported in IOS,
NXOS and IOS-XR
PE1
CE1
CE2
GRE/IP Tunnel
VRF
IP
VRF
IP Header
GRE Header
VPN Label
IP Packet
Src Add
Dst Add
Src Add
Dst Add
Src Add
Dst Add
Data
Data
Data
78
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
79
Supported in IOS,
NXOS and IOS-XR
PE
v4 and v6
VPN A
CE
VPN A
PE
P
P
MPLS/VPN
Network
v4 and v6
CE
VPN B v6 Only
CE
2014 Cisco and/or its affiliates. All rights reserved.
P
PE
CE
v6 Only VPN B
PE
iBGP Sessions in VPNv4 and
VPNv6 Address-Families
CE
80
Supported in IOS,
NXOS and IOS-XR
v4 and v6
VPN A
VPN A
IOS-XR_PE#
NXOS_PE#
!
vrf v2
!
address-family ipv6 unicast
route-target export 2:2
route-target import 2:2
!
router bgp 1
address-family vpnv6 unicast
!
neighbor 10.13.1.21
remote-as 30000
address-family vpnv6 unicast
!
vrf v2
rd 2:2
address-family ipv6 unicast
!
neighbor 200::2
remote-as 30000
address-family ipv6 unicast
!
PE
PE
!
vrf context v2
rd 2:2
!
address-family ipv6 unicast
route-target export 2:2
route-target import 2:2
!
router bgp 1
neighbor 10.13.1.21
remote-as 1
update-source loopback0
address-family vpnv6 unicast
send-community extended
!
vrf vpn1
neighbor 200::2
remote-as 30000
address-family ipv6 unicast
!
v4 and v6
VPN A
CE
P
P
MPLS/VPN
Network
v4 and v6
CE
VPN B v6 Only
CE
2014 Cisco and/or its affiliates. All rights
reserved.
P
PE
CE
v6 Only VPN B
PE
iBGP Sessions in VPNv4 and
CE
81
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
82
Supported in IOS,
NXOS and IOS-XR
Multi-VRF CE provides multiple virtual routing tables (and forwarding tables) per
customer at the CE router
Not a feature but an application based on VRF implementation
Any routing protocol that is supported by normal VRF can be used in
a multi-VRF CE implementation
No MPLS functionality needed on CE, no label exchange between CE and any router
(including PE)
One deployment model is to extend the VRFs to the CE, another is to extend it further
inside the Campus => Campus Virtualization
83
Supported in IOS,
NXOS and IOS-XR
Building
Vrf
Green
Campus
MPLS
Network
SubInterfaces*
Vrf
Red
Multi-VRF
CE Router
Vrf Red
Vrf Green
PE
Router
PE
Vrf Red
*SubInterfaces Any Interface Type that Supports Sub Interfaces = Ethernet Vlan,
Frame Relay, ATM VCs
2014 Cisco and/or its affiliates. All rights reserved.
84
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
85
Supported in IOS
86
Supported in IOS
87
Supported in IOS
IP/VPN Services:
8. VRF-Aware NAT Services: Internet Access
CE1
10.1.1.0/24
MPLS Backbone
PE11
PE12
10.1.1.0/24
PEASBR .1
217.34.42.2
Internet
IP NAT Inside
IP NAT Outside
ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
88
Supported in IOS
IP/VPN Services:
8. VRF-Aware
NAT Services: Internet Access
Src=10.1.1.1
10.1.1.0/24
PE11
IP Packet
CE2
PE12
10.1.1.0/24
MPLS Backbone
Label Stack 30
Src=10.1.1.1
Dest=Internet
Dest=Internet
CE1
Src=10.1.1.1
Dest=Internet
P
Label Stack 40
Src=10.1.1.1
Dest=Internet
PEASBR
Src=24.1.1.1
Dest=Internet
Internet
Src=25.1.1.1
Dest=Internet
IP Packet
Traffic Flows
MPLS Packet
NAT Table
VRF IP Source
Global IP
VRF-Table-ID
10.1.1.1
24.1.1.1
Green
10.1.1.1
25.1.1.1
Blue
89
Supported in IOS
IP/VPN Services:
8. VRF-Aware NAT Services: Internet Access
The previous example uses one of many variations of NAT configuration
Other variations (few below) work fine as well
http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
90
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
IP/VPN Use-Cases
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
91
Supported in IOS
Voice and data traffic on a single PE-CE interface can be separated out into
different VRFs at the PE;
Service enabler
92
Supported in IOS
Cable
Setup
CE1
RR
VRF
Interfaces
MPLS Backbone
(Cable Company)
Se0/0
VPN Brown
33.3.0.0/16
PE2
VPN Yellow
44.3.0.0/16
33.3.1.25
Traffic Flows
44.3.12.1
ip vrf red
rd 3000:111
route-target export 3000:1
route-target import 3000:1
!
ip vrf yellow
rd 3000:222
route-target export 3000:2
route-target import 3000:2
!
ip vrf green
rd 3000:333
route-target export 3000:3
route-target import 3000:3
interface Serial0/0
ip address 215.2.0.6 255.255.255.252
ip policy route-map PBR-VRF-Selection
ip vrf receive red
ip vrf receive yellow
ip vrf receive green
!
access-list 40 permit 33.3.0.0 0.0.255.255
access-list 50 permit 44.3.0.0 0.0.255.255
access-list 100 permit udp 33.3.1.0 0.0.0.255 any
dscp ef range 30000 31000
!
ip route vrf red 33.3.14.0 0.0.0.255 Se0/0
ip route vrf yellow 44.3.1.0 0.0.0.255 Se2/0
ip route vrf green 33.3.1.0 0.0.0.255 Se2/0
VPN Green
66.3.0.0/16
route-map PBR-VRF-Selection permit 10
match ip address 40
set vrf red
!
route-map PBR-VRF-Selection permit 20
match ip address 50
set vrf yellow
!
route-map PBR-VRF-Selection permit 30
match ip address 100
set vrf green
93
Agenda
IP/VPN Explained
IP/VPN Services
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
94
Supported in IOS
Remote access services integration with MPLS based IP/VPN opens up new opportunities for
providers and VPN customers
DMVPN
Deployment Models
Remote Access is not to be confused by GET VPN that provides any-to-any (CE-based)
security service
Deploying GET to Secure VPNs
95
Supported in IOS
Access
SP Shared Network
Corporate Intranet
SP AAA
Customer
AAA
PE+IPSec
Aggregator
SOHO
Internet
PE
Local or
Direct
Dial ISP
PE
IP/MPLS/Layer 2
Based Network
VPN A
Customer A
Head Office
VPN B
PE
Cable/DSL/
ISDN ISP
Remote Users/
Telecommuters
IP
Customer B
VPN A
Cisco IOS VPN
Routers or Cisco
Client 3.x or Higher
IPSec Session
Customer A
Branch Office
MPLS VPN
VPN C
IKE_ID Is
Used to Map
the IPSec
Tunnel to
the VRF
(Within the
ISAKMP
Profile)
Customer C
IP
96
Agenda
IP/VPN Explained
IP/VPN Services
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
97
Supported in IOS,
NXOS, and IOS-XR
IP/VPN Services:
11. Providing QoS to VPN Customers
VPN customers may want SLA so as to treat
real-time, mission-critical and best-effort traffic appropriately
QoS can be applied to VRF interfaces
-
RememberIP precedence bits are copied to MPLS TC/EXP bits (default behavior)
MPLS Traffic-Eng could be used to provide the bandwidth-on-demand or Fast Rerouting (FRR)
to VPN customers
98
Agenda
IP/VPN Explained
IP/VPN Services
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Best Practices
Conclusion
2014 Cisco and/or its affiliates. All rights reserved.
99
Supported in IOS,
NXOS, and IOS-XR
IP/VPN Services:
12. Providing Multicast Service to VPNs
Multicast VPN (mVPN) service is available for deployment
MPLS Multicast (e.g. Label Switched Multicast) is now available
GRE encapsulation for mVPN is also available
100
Agenda
IP/VPN Explained
IP/VPN Deployment Scenarios
Best Practices
Use-Cases
Conclusion
101
4. Dont use customer names (V458:GodFatherNYC32ndSt) as the VRF names; nightmare for
the NOC.
Consider v101, v102, v201, v202, etc. and Use VRF description for naming
102
7. Leverage BGP Prefix Independent Convergence (PIC) for fast convergence <100ms (IPv4
and IPv6):
PIC Core
PIC Edge
Best-external advertisement
103
Agenda
IP/VPN Overview
IP/VPN Services
Best Practices
Use-Cases
Conclusion
104
Use-Cases
1.
2.
3.
4.
5.
105
Use-Case #1
SP Business VPN Services
SPs can use IP/VPN to offer L3 site-to-site connectivity to Enterprises/SMB
customers
==
SPs can even offer Remote Access integrated with L3VPN
Enterprise Green
Site 1
Enterprise Green
Site 2
CE1
P
Enterprise Green
Site 3
PE1
CE2
Enterprise Green
Site 4
PE2
CE4
SP Network
106
Use-Case #2
SP Internal Usage (e.g. IT)
SP/ISPs can overlay its Enterprise and/or IT WAN connectivity over its MPLS
network (that is used to offer L3VPN services to its customers)
SP IT
Site 1
SP IT
Site 2
PE4
Enterprise Green
Site 1
PE5
Enterprise Green
Site 2
CE1
P
Enterprise Green
Site 3
PE1
CE2
Enterprise Green
Site 4
PE2
CE4
SP IT
Site 3
2014 Cisco and/or its affiliates. All rights reserved.
SP Network
107
Use-Case#3
Enterprise Campus Segmentation/Virtualization
IP/VPN can be used to create multiple logical topologies in the Campus
Allows the use of unique security policies per logical domain
Provides traffic isolation per application, group, service etc. per logical domain
IP/VPN segmentation in the Campus can also be extended over the WAN
108
Use-Case#4
Data Center Multi-Tenancy
Global
Interconnect
Internet
Campus
/WAN
Edge
PE
L2
Layer-2
MPLS
POD
POD
POD
110
Agenda
IP/VPN Overview
IP/VPN Services
Best Practices
Use-Cases
Conclusion
111
Conclusion
MPLS based IP/VPN is the most optimal L3VPN technology
Any-to-any IPv4 or IPv6 VPN topology
112