
Deploying a Virtualized Campus Network Infrastructure
BRKCRS-2033
Ray Blair – rablair@cisco.com

BRKCRS-2033 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
- Why Virtualize your Campus Infrastructure?
- What are the Virtualization Components?
- How do Network Virtualization Techniques Compare?
- What are the Infrastructure Requirements?
- What are some Additional Virtualized Services?
- Case studies
- Putting it all together
Informational Icons
- “For Your Reference” – these slides are used to help you configure a particular feature or technology solution
- “Emerging Technology” – this indicates future technologies
- “Where to learn more” – for additional details, please see the indicated presentation
Why Virtualize?
Creates Logical Partitions
- Allows the use of unique security policies per logical domain
- Provides traffic isolation per application, group, service etc.
- The logical separation of traffic using one physical infrastructure

[Diagram: Guest Access, Merged Company and Isolated Service(s) virtual networks, each a virtual “private” network, all running over the actual physical infrastructure]
Virtualization Benefits
- Groups and services are logically separated
  Guest/partner access
  Department separation
  Telephony systems
  Building control and video surveillance
- Security Policies are unique to each virtual group/service
  HIPAA/PCI compliance
Network Virtualization Components

Access Control (Branch – Campus)
Functions:
- Authenticate client (user, device, app) attempting to gain network access
- Authorize client into a partition (VLAN)
- Deny access to unauthenticated clients

Path Isolation (WAN – MAN – Campus; GRE, MPLS, VRFs, 802.1q)
Functions:
- Maintain traffic partitioned over Layer 3 infrastructure
- Transport traffic over isolated Layer 3 partitions
- Map Layer 3 isolated path to VLANs / VRFs in access and services edge

Services Edge (Data Center – Internet Edge)
Functions:
- Provide access to services (Shared, Dedicated)
- Apply policy per partition
- Isolate application environments if necessary
Access Control
- Authentication - Who are you?
  - Client-based
    - 802.1X – assigned to VLAN
    - Identity Services Engine (ISE)
  - Clientless
    - Web authentication
    - MAC-address based
    - Identity Services Engine (ISE)
  - Static control
    - Port security (static VLAN, ACL, MAC, etc.)
- Authorization - Where can you go?
  - VLAN – 802.1X, Clean Access, etc.
  - Policy enforcement via Identity Services Engine (ISE)
Identity Technologies
TrustSec - What are They?
- 802.1X
  Provides authentication and authorization services to known entities equipped with an 802.1X client (aka supplicant)
- MAC-Authentication-Bypass (MAB)
  Provides authentication and authorization services to known entities not equipped with an 802.1X client
- 802.1X Auth-Fail VLAN
  Provides network access to entities (known or unknown) failing the 802.1X authentication attempt
- 802.1X Guest VLAN
  Provides authentication and authorization services to unknown entities not equipped with an 802.1X client
- Web-based Authentication
  Provides authentication based on username and password
- Identity Services Engine (ISE)
  Enables policy definition, control, posture assessment, and reporting
Identity Services Engine
- Consolidated Services, Software Packages: ACS, NAC Manager, NAC Profiler, NAC Server and NAC Guest become an All-in-One ISE (Simplify Deployment & Admin)
- Session Directory: User ID, Access Rights, Location, Device (IP/MAC), IOS Device Sensor (Cat3/4K) (Tracks Active Users & Devices)
- Flexible Service Deployment: Admin and M&T console, HA pair, distributed session nodes (Optimize Where Services Run)
- Policy Extensibility (Link in Policy Information Points)
- Manage Security Group Access (Keep Existing Logical Design)
  SGT    Public   Private
  Staff  Permit   Permit
  Guest  Permit   Deny
- System-wide Monitoring & Troubleshooting (Consolidate Data, Three-Click Drill-In)
Path Isolation
Device Virtualization
- One physical device
  - Switch
  - Router
  - Firewall
  - Etc.
- Virtually multiple (VRF, VRF, VRF)
  - Control plane virtualization
  - Data plane virtualization
  - Services virtualization
- VRF: Virtual Routing and Forwarding
Path Isolation
Connecting to a VRF – Client Side
- Physical interface
  - Ethernet
- Logical interface
  - VLAN - 802.1q trunk
Path Isolation
Data Path Virtualization – Network Side
- Hop-by-Hop
  - VRF-Lite End-to-End
  - EVN (Easy Virtual Network)
  - 802.1q for Separation
- Multi-Hop
  - VRF-Lite + GRE
  - GRE for Separation
- Multi-Hop
  - MPLS-VPN
  - MPLS Labels for Separation
Services Edge
Sharing Services Between VPNs
- Unnecessary to duplicate services per group
  - E-mail, DNS, LDAP, Storage, etc.
  - Economical
  - Efficient and manageable
  - Policies centrally deployed

[Diagram: Red, Green and Blue users on the campus network reach a shared resource in the data center and the Internet, alongside the Red, Green and Blue per-VPN resources]
Services Edge
Sharing Resources
- Firewall (multi-context) - FWSM / ASA / ASA Module
- Server Load Balancing (multi-context) - ACE
- IPSec / SSL VPN - Router (F-VRF) / ASA VLAN mapping

[Diagram: Red, Green and Blue users on the campus network reach shared resources in the data center and the Internet, alongside the Red, Green and Blue per-VPN resources]
VRF-Lite and GRE Tunnels

GRE packet format: 20 Byte IP Header | GRE Header (4/8 Bytes) | Original Packet
GRE encapsulation represents 24 extra bytes, or 28 if a key is present.
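The overhead figure above follows directly from the two headers a tunnel interface prepends. The following added example (not part of the deck) builds the outer IPv4 header and the GRE header around a constructed inner packet, so the 24/28-byte cost and the resulting tunnel MTU on a 1500-byte link can be checked rather than taken on faith. Header layouts follow RFC 791 and RFC 2784/2890; the tunnel endpoints reuse the deck's loopback addresses as sample values, and the key value 101 is constructed.

```python
"""GRE encapsulation overhead: outer IPv4 header + GRE header around an inner packet.

Added example, not from the deck. Header layouts follow RFC 791 (IPv4) and
RFC 2784/2890 (GRE, optional Key field). The tunnel endpoint addresses are the
deck's loopbacks 192.168.101.8 / 192.168.101.7; the inner packet is constructed.
"""
import ipaddress
import struct
from typing import Optional

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload
GRE_KEY_PRESENT = 0x2000  # K bit in the GRE flags word


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 when verifying a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len,   # version/IHL, DSCP, total length
        0, 0x4000,                   # identification, flags (DF) + fragment offset
        64, proto, 0,                # TTL, protocol, checksum placeholder
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_gre_header(key: Optional[int] = None) -> bytes:
    """4 bytes (flags + protocol type), or 8 bytes when the Key field is present."""
    flags = GRE_KEY_PRESENT if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


def gre_encapsulate(inner: bytes, src: str, dst: str, key: Optional[int] = None) -> bytes:
    """Outer IPv4 (proto 47) + GRE + inner packet, as a tunnel interface would send it."""
    gre = build_gre_header(key)
    return build_ipv4_header(src, dst, len(gre) + len(inner), GRE_PROTO) + gre + inner


def gre_overhead(key: Optional[int] = None) -> int:
    """Bytes added per packet: 20 (outer IP) + 4 (GRE), plus 4 more with a key."""
    return 20 + len(build_gre_header(key))


def tunnel_mtu(link_mtu: int, key: Optional[int] = None) -> int:
    """Largest inner packet that fits the underlying link without fragmentation."""
    return link_mtu - gre_overhead(key)


def parse_gre(packet: bytes) -> dict:
    """Decode the outer IPv4 and GRE headers; return protocol type, key and inner bytes."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    off = ihl + 4
    key = None
    if flags & GRE_KEY_PRESENT:
        (key,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    return {"proto_type": ptype, "key": key, "inner": packet[off:]}


# Constructed 40-byte inner packet inside VRF RED (20-byte IPv4 header + 20 zero bytes).
INNER = build_ipv4_header("172.16.8.11", "172.16.7.7", 20, 17) + b"\x00" * 20
TUNNEL_SRC, TUNNEL_DST = "192.168.101.8", "192.168.101.7"

if __name__ == "__main__":
    plain = gre_encapsulate(INNER, TUNNEL_SRC, TUNNEL_DST)
    keyed = gre_encapsulate(INNER, TUNNEL_SRC, TUNNEL_DST, key=101)
    print(len(plain) - len(INNER), len(keyed) - len(INNER))   # 24 28
    print(tunnel_mtu(1500), tunnel_mtu(1500, key=101))         # 1476 1472
    print(parse_gre(keyed)["key"])                             # 101
```

The practical consequence is the `tunnel_mtu` value: without lowering the MTU on the tunnel interface (or the MSS of the hosts behind it), full-size inner packets get fragmented after encapsulation, which is the usual cause of "works for ping, fails for bulk transfer" reports on new GRE deployments.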
VRF-Lite and GRE Tunnels
Configuration

! Defining the VRFs, IPv4 and IPv6
vrf definition GRN
 !
 address-family ipv4
 !
 address-family ipv6
!
vrf definition RED
 !
 address-family ipv4
 !
 address-family ipv6
!
! Client side interfaces
interface Ethernet0/2
 vrf forwarding GRN
 ip address 172.17.8.8 255.255.255.0
 ipv6 address 2001:17:8::8/64
!
interface Ethernet0/3
 vrf forwarding RED
 ip address 172.16.8.8 255.255.255.0
 ipv6 address 2001:16:8::8/64
VRF-Lite and GRE Tunnels
Configuration

! Network side: loopback interfaces for tunnel termination
interface Loopback101
 ip address 192.168.101.8 255.255.255.255
!
interface Loopback102
 ip address 192.168.102.8 255.255.255.255
!
! Network side: tunnel interfaces. Associate the local source with the
! loopbacks and the destination with the peer loopback; assign IPv4 and v6 addresses
interface Tunnel1
 vrf forwarding RED
 ip address 172.16.87.8 255.255.255.0
 ipv6 address 2001:16:87::8/64
 tunnel source Loopback101
 tunnel destination 192.168.101.7
!
interface Tunnel2
 vrf forwarding GRN
 ip address 172.17.87.8 255.255.255.0
 ipv6 address 2001:17:87::8/64
 tunnel source Loopback102
 tunnel destination 192.168.102.7
VRF-Lite and GRE Tunnels
Configuration

! Routing processes for each VRF
router eigrp LAB
 !
 address-family ipv4 unicast vrf RED autonomous-system 16
  topology base
  network 172.16.0.0
 !
 address-family ipv4 unicast vrf GRN autonomous-system 17
  topology base
  network 172.17.0.0
 !
 address-family ipv6 unicast vrf RED autonomous-system 16
  topology base
 !
 address-family ipv6 unicast vrf GRN autonomous-system 17
  topology base
 !
 ! Routing process for the "global" routing table
 address-family ipv4 unicast autonomous-system 1
  topology base
  network 192.168.0.0 0.0.255.255
VRF-Lite and GRE
Traffic Example

Traceroute indicates the tunnel only.

[Diagram: test topology with hosts H9/H10 behind S7, core switches S1–S6, and hosts H11/H12 behind S8]

H9#traceroute 172.16.8.11
Tracing the route to 172.16.8.11
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.7.7 0 msec 0 msec 1 msec
  2 172.16.87.8 1 msec 2 msec 2 msec
  3 172.16.8.11 1 msec * 2 msec

H10#traceroute 172.17.8.12
Tracing the route to 172.17.8.12
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.7.7 1 msec 5 msec 0 msec
  2 172.17.87.8 1 msec 0 msec 1 msec
  3 172.17.8.12 1 msec * 1 msec

H9#traceroute 2001:16:8::11
Tracing the route to 2001:16:8::11
  1 2001:16:7::7 1 msec 0 msec 0 msec
  2 2001:16:87::8 1 msec 1 msec 1 msec
  3 2001:16:8::11 1 msec 6 msec 6 msec

H10#traceroute 2001:17:8::12
Tracing the route to 2001:17:8::12
  1 2001:17:7::7 1 msec 0 msec 5 msec
  2 2001:17:87::8 2 msec 1 msec 1 msec
  3 2001:17:8::12 0 msec 2 msec 0 msec
VRF-Lite and GRE Tunnels
Deployment Summary

Deployment
- Recommended for hub-and-spoke requirements
- Limited scale for single or few VPN applications (guest access, NAC remediation)
- GRE supported in HW on Catalyst 6500 and Nexus 7K

Application and Services
- Multiple VRF-aware services available

Learning Curve
- Familiar routing protocols can be used
- IP Based solution
VRF-Lite and Easy Virtual Network (EVN)

VRF-Lite/EVN End-to-End
- Packets processed per VRF
- Unique Control Plane and Data Plane
- 802.1q separation hop by hop
VRF-Lite/EVN
Client-Side Configuration

! Defining the VRFs, IPv4 and IPv6
vrf definition GRN
 !
 address-family ipv4
 !
 address-family ipv6
!
vrf definition RED
 !
 address-family ipv4
 !
 address-family ipv6
!
! Client-side interfaces
interface Vlan17
 vrf forwarding GRN
 ip address 172.17.8.8 255.255.255.0
 ipv6 address 2001:17:8::8/64
!
interface Vlan16
 vrf forwarding RED
 ip address 172.16.8.8 255.255.255.0
 ipv6 address 2001:16:8::8/64

Currently no IPv6 support for EVN
VRF-Lite
Network-Side Configuration

! Network side interfaces: one 802.1q sub-interface per VRF; assign IPv4 and v6 addresses
interface Ethernet0/0.16
 vrf forwarding RED
 encapsulation dot1Q 16
 ip address 172.16.85.8 255.255.255.0
 ipv6 address 2001:16:85::8/64
!
interface Ethernet0/0.17
 vrf forwarding GRN
 encapsulation dot1Q 17
 ip address 172.17.85.8 255.255.255.0
 ipv6 address 2001:17:85::8/64
!
interface Ethernet0/1.16
 vrf forwarding RED
 encapsulation dot1Q 16
 ip address 172.16.86.8 255.255.255.0
 ipv6 address 2001:16:86::8/64
!
interface Ethernet0/1.17
 vrf forwarding GRN
 encapsulation dot1Q 17
 ip address 172.17.86.8 255.255.255.0
 ipv6 address 2001:17:86::8/64

Currently supported on Catalyst 6500 and Nexus 7000
EVN
Network-Side Configuration

! VRF definition and VNET tag association
vrf definition GRN
 vnet tag 102
 !
 address-family ipv4
!
vrf definition RED
 vnet tag 101
 !
 address-family ipv4
!
! Network-side interfaces
interface Ethernet0/0
 vnet trunk
 ip address 192.168.74.7 255.255.255.0
!
interface Ethernet0/1
 vnet trunk
 ip address 192.168.73.7 255.255.255.0
!
VRF-Lite/EVN
Routing Protocol Configuration

! Routing processes for each VRF (OSPF uses multiple process IDs instead);
! a global routing process is not required
router eigrp LAB
 !
 address-family ipv4 unicast vrf RED autonomous-system 16
  topology base
  network 172.16.0.0
 !
 address-family ipv4 unicast vrf GRN autonomous-system 17
  topology base
  network 172.17.0.0
 !
 address-family ipv6 unicast vrf RED autonomous-system 16
  topology base
 !
 address-family ipv6 unicast vrf GRN autonomous-system 17
  topology base

Don’t forget to include the network statement for the physical interface when using EVN.
VRF-Lite End-to-End
Traffic Example

Traceroute indicates every L3 hop.

H9#traceroute 172.16.8.11
Tracing the route to 172.16.8.11
  1 172.16.7.7 0 msec 0 msec 0 msec
  2 172.16.73.3 1 msec 0 msec 1 msec
  3 172.16.31.1 1 msec 5 msec 5 msec
  4 172.16.61.6 1 msec 1 msec 1 msec
  5 172.16.86.8 1 msec 5 msec 6 msec
  6 172.16.8.11 1 msec 1 msec 2 msec

H10#traceroute 2001:17:8::12
Tracing the route to 2001:17:8::12
  1 2001:17:7::7 0 msec 0 msec 0 msec
  2 2001:17:74::4 1 msec 0 msec 1 msec
  3 2001:17:41::1 1 msec 1 msec 5 msec
  4 2001:17:61::6 1 msec 1 msec 1 msec
  5 2001:17:86::8 1 msec 1 msec 2 msec
  6 2001:17:8::12 1 msec 1 msec 0 msec
EVN
Derived Configuration

#show derived-config
! Physical interface (network side)
interface Ethernet0/0
 vnet trunk
 ip address 192.168.74.7 255.255.255.0
!
! Sub-interfaces created automatically, with descriptions added. The IP
! address is reused: each VNET is logically separated on the trunk.
interface Ethernet0/0.101
 description Subinterface for VNET RED
 vrf forwarding RED
 encapsulation dot1Q 101
 ip address 192.168.74.7 255.255.255.0
!
interface Ethernet0/0.102
 description Subinterface for VNET GRN
 vrf forwarding GRN
 encapsulation dot1Q 102
 ip address 192.168.74.7 255.255.255.0
EVN
Traffic Example

Traceroute indicates every L3 hop and provides the VRF name and VLAN.

H9#traceroute 172.16.8.11
Type escape sequence to abort.
Tracing the route to 172.16.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.7.7 (RED,RED/101) 0 msec 1 msec 1 msec
  2 192.168.74.4 (RED/101,RED/101) 1 msec 0 msec 1 msec
  3 192.168.42.2 (RED/101,RED/101) 1 msec 0 msec 0 msec
  4 192.168.52.5 (RED/101,RED/101) 1 msec 1 msec 0 msec
  5 192.168.85.8 (RED/101,RED) 2 msec 5 msec 4 msec
  6 172.16.8.11 5 msec * 5 msec

H10#traceroute 172.17.8.12
Type escape sequence to abort.
Tracing the route to 172.17.8.12
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.7.7 (GRN,GRN/102) 0 msec 0 msec 1 msec
  2 192.168.73.3 (GRN/102,GRN/102) 1 msec 0 msec 1 msec
  3 192.168.32.2 (GRN/102,GRN/102) 5 msec 5 msec 5 msec
  4 192.168.52.5 (GRN/102,GRN/102) 6 msec 5 msec 5 msec
  5 192.168.85.8 (GRN/102,GRN) 5 msec 5 msec 4 msec
  6 172.17.8.12 5 msec * 5 msec
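Because the VRF-aware traceroute names the VRF and VNET tag at every hop, it doubles as a verification tool for path isolation: after a change, a probe started in RED should never show GRN on either side of any hop. The following added example (not from the deck) parses that output and reports any hop where the ingress or egress VRF differs from the one the probe started in. SAMPLE_RED is the deck's EVN traceroute embedded as input; SAMPLE_LEAK is a constructed variant in which hop 3 hands the packet to the GRN VNET.

```python
"""Check VRF-aware traceroute output for path-isolation violations.

Added example, not from the deck. IOS prints "(vrf in name/id, vrf out name/id)"
per hop; this parser extracts those fields and flags any hop whose ingress or
egress VRF differs from the VRF the probe started in. SAMPLE_RED is the deck's
EVN traceroute; SAMPLE_LEAK is a constructed variant containing a leak.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<addr>\S+)"            # hop number and responding address
    r"(?:\s+\((?P<vin>[^,]+),(?P<vout>[^)]+)\))?"  # optional "(vrf in,vrf out)"
)

SAMPLE_RED = """\
H9#traceroute 172.16.8.11
Type escape sequence to abort.
Tracing the route to 172.16.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.7.7 (RED,RED/101) 0 msec 1 msec 1 msec
  2 192.168.74.4 (RED/101,RED/101) 1 msec 0 msec 1 msec
  3 192.168.42.2 (RED/101,RED/101) 1 msec 0 msec 0 msec
  4 192.168.52.5 (RED/101,RED/101) 1 msec 1 msec 0 msec
  5 192.168.85.8 (RED/101,RED) 2 msec 5 msec 4 msec
  6 172.16.8.11 5 msec * 5 msec
"""

# Constructed: at hop 3 the packet is handed to the GRN VNET (tag 102).
SAMPLE_LEAK = SAMPLE_RED.replace(
    "3 192.168.42.2 (RED/101,RED/101)", "3 192.168.42.2 (RED/101,GRN/102)"
)


def _split_vrf(field: Optional[str]) -> Optional[Tuple[str, Optional[str]]]:
    """'RED/101' -> ('RED', '101'); 'RED' -> ('RED', None); None -> None."""
    if field is None:
        return None
    name, _, tag = field.strip().partition("/")
    return (name, tag or None)


def parse_hops(output: str) -> List[Dict]:
    """One dict per hop line; banner lines and 'VRF info:' are skipped."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({
                "hop": int(m.group("hop")),
                "addr": m.group("addr"),
                "vrf_in": _split_vrf(m.group("vin")),
                "vrf_out": _split_vrf(m.group("vout")),
            })
    return hops


def isolation_violations(output: str, expected_vrf: str) -> List[str]:
    """Hops where traffic entered or left a VRF other than expected_vrf."""
    problems = []
    for h in parse_hops(output):
        for side in ("vrf_in", "vrf_out"):
            v = h[side]
            if v is not None and v[0] != expected_vrf:
                problems.append(
                    f"hop {h['hop']} {h['addr']}: {side} is {v[0]}, expected {expected_vrf}"
                )
    return problems


def vnet_tags(output: str) -> Set[str]:
    """Set of VNET/VLAN tags seen along the path (one partition should show one tag)."""
    tags = set()
    for h in parse_hops(output):
        for side in ("vrf_in", "vrf_out"):
            if h[side] is not None and h[side][1] is not None:
                tags.add(h[side][1])
    return tags


if __name__ == "__main__":
    print(isolation_violations(SAMPLE_RED, "RED"), vnet_tags(SAMPLE_RED))
    print(isolation_violations(SAMPLE_LEAK, "RED"), vnet_tags(SAMPLE_LEAK))
```

Hops 1 and 6 show no tag on the client-facing side, which is expected: the VLAN tag exists only on the VNET trunk between routers. A second tag appearing in `vnet_tags` is the quickest sign that a sub-interface or `vnet tag` value was mis-assigned somewhere on the path.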
VRF-Lite End-to-End
Summary

Deployment
- End-to-End IP based Solution
- Easy migration from existing campus architecture
- Any to any connectivity within VPNs
- 8 or less VRFs recommended
- Supported on Catalyst 6500, 4500, 3700 families, and Nexus 7000

Application and Services
- Multiple VRF-aware Services available

Learning Curve
- Familiar routing protocols
- IP Alternative to MPLS
EVN
Summary

Deployment
- End-to-End IP based Solution
- Easy integration with VRF-Lite
- Any to any connectivity within VPNs
- Route replication
- Supported on ASR1K, Sup2T, and Cat4K*
- 32 or less VRFs supported

Applications and Services
- Multiple VRF-aware services available

Learning Curve
- Familiar routing protocols can be used
- IP Alternative to MPLS
MPLS-VPN
Test Diagram

[Diagram: PE routers S7 (hosts H9/H10) and S8 (hosts H11/H12), P routers S1–S6, and Route Reflectors R13 and R14]
MPLS-VPN
Overview
- P (Provider) router = label switching router = core router (LSR)
  Switches MPLS-labeled packets
  Runs an IGP and LDP
- PE (Provider Edge) router = edge router (LSR)
  Imposes and removes MPLS labels
  Runs an IGP, LDP and MP-BGP
- CE (Customer Edge) router
  Connects customer network to MPLS network
- Route-Target
  64 bits identifying routers that should receive the route
- Route Distinguisher
  Attribute of each route used to uniquely identify prefixes among VPNs (64 bits)
- VPN-IPv4 addresses
  Address including the 64 bit Route Distinguisher and the 32 bit IP address
MPLS-VPN
BGP Scalability – iBGP Neighbor Relationships

iBGP requires a full mesh of neighbors: N * (N-1) / 2 = 8 * 7 / 2 = 28 sessions for eight routers.
MPLS-VPN
BGP Scalability – Route Reflectors

[Diagram: the same routers each peer with two Route Reflectors instead of forming a full mesh]
MPLS-VPN
Label Stack

MPLS VPN packet format: 4 Byte IGP Label | 4 Byte VPN Label | Original Packet
(labels are imposed by the ingress PE and removed by the egress PE)
MPLS-VPN – Label Exchange

[Diagram: Router PE1 – Router P2 – Router P3 – Router PE4. PE1 and PE4 run BGP and OSPF and hold per-VRF routing tables, FIBs and an LFIB: VRF RED (RT 1:1) with 172.16.1.0 at PE1 and 172.16.4.0 at PE4; VRF GRN (RT 1:2) with 172.17.1.0 at PE1 and 172.17.4.0 at PE4. P2 and P3 run OSPF with a global routing table, FIB and LFIB only.]

IGP Label Exchange: runs hop by hop between PE1, P2, P3 and PE4.
MP-BGP: PE1 advertises 172.16.1.0 with RT=1:1, NH=PE1 and a VPN Label, and 172.17.1.0 with RT=1:2, NH=PE1 and a VPN Label; PE4 installs 172.16.1.0 into VRF RED (RT 1:1) and 172.17.1.0 into VRF GRN (RT 1:2).
MPLS-VPN – Packet Flow

[Diagram: the same Router PE1 – Router P2 – Router P3 – Router PE4 topology and VRF tables as in the Label Exchange slide. A packet from 172.17.1.0 towards 172.17.4.0 leaves PE1 carrying the 4 Byte IGP Label and the 4 Byte VPN Label in front of the Original Packet; P2 and P3 switch on the IGP label, and PE4 uses the VPN label to deliver the packet into VRF GRN.]
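To make the label-stack and packet-flow slides concrete, the following added example (not from the deck) encodes and decodes 4-byte label stack entries and walks one packet through the PE1 → P2 → P3 → PE4 chain: the ingress PE pushes the IGP label and the VPN label, each P router acts on the top label only, the penultimate hop pops the IGP label, and the egress PE uses the remaining VPN label to select the VRF. The entry layout is RFC 3032; label values match the deck's traceroute output (IGP label 22, VPN label 22 for RED and 20 for GRN), while the LFIB and VPN-label tables are constructed.

```python
"""MPLS VPN label stack: encode/decode entries and walk a packet PE1 -> P2 -> P3 -> PE4.

Added example, not from the deck. The 4-byte label entry layout is RFC 3032
(20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL). Label values
match the deck's traceroute output (IGP label 22; VPN label 22 for RED and
20 for GRN); the LFIB and VPN-label tables are constructed for illustration.
"""
import struct
from typing import Dict, List, Tuple

Entry = Tuple[int, int, int]  # (label, exp, ttl)


def encode_label(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """One label stack entry as 4 bytes."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def encode_stack(entries: List[Entry]) -> bytes:
    """Top label first; only the last entry carries the S (bottom-of-stack) bit."""
    return b"".join(
        encode_label(lbl, exp, bos=(i == len(entries) - 1), ttl=ttl)
        for i, (lbl, exp, ttl) in enumerate(entries)
    )


def decode_stack(data: bytes) -> Tuple[List[Entry], bytes]:
    """Read entries until the S bit; return them top-to-bottom plus the payload."""
    entries, off = [], 0
    while off + 4 <= len(data):
        (word,) = struct.unpack("!I", data[off:off + 4])
        off += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:
            return entries, data[off:]
    raise ValueError("no bottom-of-stack bit found")


# Constructed tables for the deck's PE1 - P2 - P3 - PE4 chain.
# VPN labels PE4 advertised via MP-BGP for the prefixes in each of its VRFs:
VPN_LABELS_AT_PE4: Dict[Tuple[str, str], int] = {
    ("RED", "172.16.4.0/24"): 22,
    ("GRN", "172.17.4.0/24"): 20,
}
IGP_LABEL_TO_PE4 = 22  # label PE1 learned via LDP for the FEC "PE4 loopback"
# P-router LFIBs: incoming top label -> (action, outgoing label)
LFIB = {
    "P2": {22: ("swap", 22)},
    "P3": {22: ("pop", None)},  # penultimate hop pop: PE4 only sees the VPN label
}


def pe_impose(vrf: str, prefix: str, payload: bytes) -> bytes:
    """Ingress PE: the VRF lookup gives the VPN label, the next hop gives the IGP label."""
    vpn = VPN_LABELS_AT_PE4[(vrf, prefix)]
    return encode_stack([(IGP_LABEL_TO_PE4, 0, 255), (vpn, 0, 255)]) + payload


def p_forward(router: str, packet: bytes) -> bytes:
    """P router: act on the top label only; the VPN label is never inspected."""
    entries, payload = decode_stack(packet)
    label, exp, ttl = entries[0]
    action, out_label = LFIB[router][label]
    if action == "swap":
        entries[0] = (out_label, exp, ttl - 1)
    else:  # pop
        entries = entries[1:]
    return encode_stack(entries) + payload


def pe_dispose(packet: bytes) -> Tuple[str, str, bytes]:
    """Egress PE: the remaining (VPN) label selects the VRF and prefix."""
    entries, payload = decode_stack(packet)
    if len(entries) != 1:
        raise ValueError("expected exactly the VPN label after PHP")
    for (vrf, prefix), lbl in VPN_LABELS_AT_PE4.items():
        if lbl == entries[0][0]:
            return vrf, prefix, payload
    raise KeyError("unknown VPN label %d" % entries[0][0])


PAYLOAD = b"\x45" + b"\x00" * 19  # constructed stand-in for the original IPv4 packet


def walk(vrf: str, prefix: str) -> Tuple[str, str, bytes]:
    pkt = pe_impose(vrf, prefix, PAYLOAD)
    pkt = p_forward("P2", pkt)
    pkt = p_forward("P3", pkt)
    return pe_dispose(pkt)


if __name__ == "__main__":
    print(walk("RED", "172.16.4.0/24")[:2], walk("GRN", "172.17.4.0/24")[:2])
```

The separation property follows from `p_forward`: RED and GRN packets cross the core with the same IGP label and are told apart only at PE4 by the VPN label, so the P routers need no knowledge of the VPNs at all.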
MPLS-VPN
Configuration (PE)

! Defining the VRFs, IPv4 and IPv6. The RD is required for BGP;
! import and export route-targets populate the VRF routing table
vrf definition GRN
 rd 1:2
 !
 address-family ipv4
  route-target export 1:2
  route-target import 1:2
 exit-address-family
 !
 address-family ipv6
  route-target export 1:2
  route-target import 1:2
 exit-address-family
!
vrf definition RED
 rd 1:1
 !
 address-family ipv4
  route-target export 1:1
  route-target import 1:1
 exit-address-family
 !
 address-family ipv6
  route-target export 1:1
  route-target import 1:1
 exit-address-family
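The RD and route-target lines above do two different jobs, and the Overview slide's definitions (64-bit RD, 64-bit RT, 96-bit VPN-IPv4 address) are easiest to see in code. The following added example (not from the deck) encodes a type-0 Route Distinguisher and a VPN-IPv4 address, then models how a receiving PE fills each VRF table from MP-BGP routes: a route enters a VRF only when its route-target matches that VRF's `route-target import` list. RD/RT values 1:1 (RED) and 1:2 (GRN) are the deck's; the prefixes, the overlapping 10.1.1.0/24, and the SHARED services VRF are constructed to show both the RD's role and the overlap problem a shared-services VRF runs into.

```python
"""VPN-IPv4 addresses and route-target import into VRFs (added example, not from the deck).

Encodes the 64-bit type-0 Route Distinguisher (RFC 4364: 2-byte type, 2-byte
ASN, 4-byte number) and the 96-bit VPN-IPv4 address the deck describes, then
models how a PE builds each VRF table from MP-BGP routes: a route is imported
only where its route-target matches the VRF's "route-target import" list. RD/RT
values 1:1 (RED) and 1:2 (GRN) are the deck's; the prefixes, the overlapping
10.1.1.0/24, and the SHARED services VRF are constructed.
"""
import ipaddress
import struct
from typing import Dict, List, Set, Tuple

Route = Dict[str, object]


def encode_rd(asn: int, number: int) -> bytes:
    """Type 0 RD: type (2) + ASN (2) + assigned number (4) = 8 bytes."""
    return struct.pack("!HHI", 0, asn, number)


def decode_rd(rd: bytes) -> str:
    typ, asn, number = struct.unpack("!HHI", rd)
    if typ != 0:
        raise ValueError("only type 0 RDs are handled here")
    return f"{asn}:{number}"


def vpnv4_address(rd: str, prefix: str) -> bytes:
    """RD (64 bits) + IPv4 network address (32 bits) = 12-byte VPN-IPv4 address."""
    asn, number = (int(x) for x in rd.split(":"))
    return encode_rd(asn, number) + ipaddress.IPv4Network(prefix).network_address.packed


def make_route(rd: str, prefix: str, rts: List[str], next_hop: str, label: int) -> Route:
    """An MP-BGP VPNv4 route; RTs travel as extended communities, modelled here as a set."""
    return {"rd": rd, "prefix": prefix, "rt": set(rts), "nh": next_hop, "label": label}


# Constructed import policy on the receiving PE. RED and GRN mirror the deck's
# "route-target import 1:1" / "1:2"; SHARED imports both, as a services-edge VRF would.
VRF_IMPORT: Dict[str, Set[str]] = {"RED": {"1:1"}, "GRN": {"1:2"}, "SHARED": {"1:1", "1:2"}}

# Constructed routes as received from the route reflector (next hop = PE1).
ADVERTISED: List[Route] = [
    make_route("1:1", "172.16.1.0/24", ["1:1"], "PE1", 22),
    make_route("1:2", "172.17.1.0/24", ["1:2"], "PE1", 20),
    make_route("1:1", "10.1.1.0/24", ["1:1"], "PE1", 23),  # same prefix in both VPNs:
    make_route("1:2", "10.1.1.0/24", ["1:2"], "PE1", 21),  # the RD keeps them distinct in BGP
]


def import_routes(routes: List[Route], policy: Dict[str, Set[str]] = VRF_IMPORT):
    """Per-VRF tables keyed by prefix, plus conflicts where one VRF would import
    the same prefix from two different RDs (the first route seen is kept)."""
    tables: Dict[str, Dict[str, Route]] = {vrf: {} for vrf in policy}
    conflicts: List[Tuple[str, str, str, str]] = []
    for r in routes:
        for vrf, wanted in policy.items():
            if not (r["rt"] & wanted):
                continue
            existing = tables[vrf].get(r["prefix"])
            if existing is not None and existing["rd"] != r["rd"]:
                conflicts.append((vrf, r["prefix"], existing["rd"], r["rd"]))
                continue
            tables[vrf][r["prefix"]] = r
    return tables, conflicts


if __name__ == "__main__":
    tables, conflicts = import_routes(ADVERTISED)
    for vrf, table in tables.items():
        print(vrf, sorted(table))
    print("conflicts:", conflicts)
```

The RD makes the two 10.1.1.0/24 routes distinct VPN-IPv4 prefixes, so BGP carries both without one replacing the other; the RT decides which VRF tables receive them. The `conflicts` list shows why a shared-services VRF that imports several VPNs' route-targets only works when those VPNs use non-overlapping address space.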
MPLS-VPN
Configuration (PE)

! Host-route on loopback for directed LDP session
interface Loopback0
 ip address 192.168.0.8 255.255.255.255
!
! Network side interfaces with label switching
interface Ethernet0/0
 ip address 192.168.85.8 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip address 192.168.86.8 255.255.255.0
 mpls ip
!
! IGP for propagation of loopbacks
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
! Client side interfaces, IPv4 and IPv6 address assignment
interface Ethernet0/2
 vrf forwarding GRN
 ip address 172.17.8.8 255.255.255.0
 ipv6 address 2001:17:8::8/64
!
interface Ethernet0/3
 vrf forwarding RED
 ip address 172.16.8.8 255.255.255.0
 ipv6 address 2001:16:8::8/64
MPLS-VPN
Configuration (PE)

! BGP base configuration
router bgp 65000
 neighbor 192.168.0.13 remote-as 65000
 neighbor 192.168.0.13 update-source Loopback0
 neighbor 192.168.0.14 remote-as 65000
 neighbor 192.168.0.14 update-source Loopback0
 !
 ! VPNv4 configuration
 address-family vpnv4
  neighbor 192.168.0.13 activate
  neighbor 192.168.0.13 send-community extended
  neighbor 192.168.0.14 activate
  neighbor 192.168.0.14 send-community extended
 !
 ! VPNv6 configuration
 address-family vpnv6
  neighbor 192.168.0.13 activate
  neighbor 192.168.0.13 send-community extended
  neighbor 192.168.0.14 activate
  neighbor 192.168.0.14 send-community extended
MPLS-VPN
Configuration (PE)

! VRF address-families: redistribute locally connected routes
router bgp 65000
 !
 address-family ipv4 vrf GRN
  redistribute connected
 !
 address-family ipv6 vrf GRN
  redistribute connected
 !
 address-family ipv4 vrf RED
  redistribute connected
 !
 address-family ipv6 vrf RED
  redistribute connected
MPLS-VPN
Configuration (RR)

! BGP base configuration. The route-target filter is disabled to allow
! all VPN routes into the route reflector
router bgp 65000
 no bgp default route-target filter
 neighbor AS65000 peer-group
 neighbor AS65000 remote-as 65000
 neighbor AS65000 update-source Loopback0
 neighbor AS65000 route-reflector-client
 neighbor 192.168.0.7 peer-group AS65000
 neighbor 192.168.0.8 peer-group AS65000
 !
 ! VPNv4 configuration
 address-family vpnv4
  neighbor AS65000 send-community extended
  neighbor AS65000 route-reflector-client
  neighbor 192.168.0.7 activate
  neighbor 192.168.0.8 activate
 !
 ! VPNv6 configuration
 address-family vpnv6
  neighbor AS65000 send-community extended
  neighbor AS65000 route-reflector-client
  neighbor 192.168.0.7 activate
  neighbor 192.168.0.8 activate
MPLS-VPN
Traffic Example

Traceroute indicates labels. The hosts in this example (H9/H10) are IOS routers.

H9#trace 172.16.8.11
Tracing the route to 172.16.8.11
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.7.7 0 msec 4 msec 4 msec
  2 192.168.74.4 [MPLS: Labels 22/22 Exp 0] 0 msec 4 msec 2 msec
  3 192.168.41.1 [MPLS: Labels 22/22 Exp 0] 0 msec 1 msec 0 msec
  4 192.168.61.6 [MPLS: Labels 22/22 Exp 0] 1 msec 1 msec 1 msec
  5 172.16.8.8 1 msec 1 msec 5 msec
  6 172.16.8.11 1 msec * 0 msec

H10#trace 172.17.8.12
Tracing the route to 172.17.8.12
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.7.7 2 msec 0 msec 0 msec
  2 192.168.73.3 [MPLS: Labels 22/20 Exp 0] 1 msec 0 msec 0 msec
  3 192.168.32.2 [MPLS: Labels 22/20 Exp 0] 1 msec 1 msec 1 msec
  4 192.168.62.6 [MPLS: Labels 22/20 Exp 0] 1 msec 1 msec 0 msec
  5 172.17.8.8 1 msec 1 msec 1 msec
  6 172.17.8.12 0 msec * 1 msec
MPLS-VPN
Traffic Example

Traceroute indicates labels. The core is IPv4 only, so the core hops appear as IPv4-mapped IPv6 addresses (::FFFF:...). The hosts in this example (H9/H10) are IOS routers.

H9#trace 2001:16:8::11
Tracing the route to 2001:16:8::11
  1 2001:16:7::7 1 msec 0 msec 4 msec
  2 ::FFFF:192.168.73.3 [MPLS: Labels 22/23 Exp 0] 0 msec 0 msec 0 msec
  3 ::FFFF:192.168.32.2 [MPLS: Labels 22/23 Exp 0] 1 msec 1 msec 2 msec
  4 ::FFFF:192.168.62.6 [MPLS: Labels 22/23 Exp 0] 1 msec 1 msec 1 msec
  5 2001:16:8::8 0 msec 0 msec 0 msec
  6 2001:16:8::11 1 msec 5 msec 1 msec

H10#trace 2001:17:8::12
Tracing the route to 2001:17:8::12
  1 2001:17:7::7 4 msec 5 msec 4 msec
  2 ::FFFF:192.168.74.4 [MPLS: Labels 22/21 Exp 0] 2 msec 1 msec 0 msec
  3 ::FFFF:192.168.42.2 [MPLS: Labels 22/21 Exp 0] 1 msec 1 msec 0 msec
  4 ::FFFF:192.168.62.6 [MPLS: Labels 22/21 Exp 0] 0 msec 0 msec 1 msec
  5 2001:17:8::8 0 msec 1 msec 1 msec
  6 2001:17:8::12 1 msec 1 msec 1 msec
MPLS-VPN
ASR 9000 - IOS XR Configuration 4.2.1.23I Page 1

vrf GRN
 address-family ipv4 unicast
  import route-target
   65000:2
  export route-target
   65000:2
 address-family ipv6 unicast
  import route-target
   65000:2
  export route-target
   65000:2
!
vrf RED
 address-family ipv4 unicast
  import route-target
   65000:1
  export route-target
   65000:1
 address-family ipv6 unicast
  import route-target
   65000:1
  export route-target
   65000:1
!
interface Loopback0
 ipv4 address 192.168.255.14 255.255.255.255
!
interface TenGigE0/0/0/1
 ipv4 address 192.168.114.14 255.255.255.0
!
interface TenGigE0/0/0/2
 ipv4 address 192.168.140.14 255.255.255.0
!
interface TenGigE0/0/0/2.121
 vrf RED
 ipv4 address 172.16.14.14 255.255.255.0
 ipv6 address 2001:172:16:14::14/64
 encapsulation dot1q 121
!
interface TenGigE0/0/0/2.122
 vrf GRN
 ipv4 address 172.17.14.14 255.255.255.0
 ipv6 address 2001:172:17:14::14/64
 encapsulation dot1q 122
!
router ospf 65000
 router-id 192.168.255.14
 mpls ldp sync
 area 0
  interface Loopback0
  interface TenGigE0/0/0/0
  interface TenGigE0/0/0/1
MPLS-VPN
ASR 9000 - IOS XR Configuration 4.2.1.23I Page 2

router bgp 65000
 bgp router-id 192.168.255.14
 address-family ipv4 unicast
 address-family vpnv4 unicast
 address-family ipv6 unicast
 address-family vpnv6 unicast
 address-family ipv4 mdt
 !
 session-group AS65000
  remote-as 65000
  update-source Loopback0
 !
 neighbor-group AS65000
  use session-group AS65000
  address-family ipv4 unicast
   route-reflector-client
 !
 neighbor 192.168.255.11
  use neighbor-group AS65000
  address-family ipv4 unicast
  address-family vpnv4 unicast
  address-family vpnv6 unicast
  address-family ipv4 mdt
 !
 neighbor 192.168.255.12
  use neighbor-group AS65000
  address-family ipv4 unicast
  address-family vpnv4 unicast
  address-family vpnv6 unicast
  address-family ipv4 mdt
 !
 vrf GRN
  rd 65000:2
  address-family ipv4 unicast
   redistribute connected
  address-family ipv6 unicast
   redistribute connected
 !
 vrf RED
  rd 65000:1
  address-family ipv4 unicast
   redistribute connected
  address-family ipv6 unicast
   redistribute connected
MPLS-VPN
ASR 9000 - IOS XR Configuration 4.2.1.23I Page 3

mpls ldp
 router-id 192.168.255.14
 interface TenGigE0/0/0/0
 interface TenGigE0/0/0/1
!
multicast-routing
 address-family ipv4
  mdt source Loopback0
  interface all enable
 !
 vrf GRN
  address-family ipv4
   mdt data 232.0.2.0/24 threshold 10
   mdt default ipv4 232.0.0.2
   interface all enable
 !
 vrf RED
  address-family ipv4
   mdt data 232.0.1.0/24 threshold 10
   mdt default ipv4 232.0.0.1
   interface all enable
MPLS-VPN
Considerations

Deployment
- MPLS based solution
- Highly scalable L3 VPN solution (Hundreds/Thousands)
  - Purpose built route-reflectors recommended
- Any-to-any connectivity within VPNs
- Pseudo-wire support (DCI/Legacy applications)
- Supported on Catalyst 6500 (Sup720 and Sup32 – no DFC3A/PFC3A), Sup2T, Nexus 7000, ME3600 and ASR9K

Application and Services
- Multiple VRF-aware Services available

Learning Curve
- Longer learning curve for Enterprise customers
  - MPLS
  - Multi-Protocol BGP
Virtualization Commands
Old CLI

! VRF definition, IPv4 only (no support for IPv6)
ip vrf Red
 rd 1:1
!
ip vrf Green
 rd 2:2
!
! VLAN to VRF mapping
interface Vlan21
 ip vrf forwarding Red
 ip address 10.137.21.1 255.255.255.0
!
interface Vlan22
 ip vrf forwarding Green
 ip address 10.137.22.1 255.255.255.0
Virtualization Commands
NX-OS CLI

! VRF definition
vrf context Red
!
vrf context Green
!
! VLAN to VRF mapping
interface Vlan21
 vrf member Red
 ip address 10.137.21.1 255.255.255.0
!
interface Vlan22
 vrf member Green
 ip address 10.137.22.1 255.255.255.0

Available on Nexus 7000, Nexus 3000 and Nexus 5500 (with L3 module)
Solid Design
What’s Required?

 Hierarchical Network Design
   Core, Distribution, Access
 Redundancy, Load balancing
   FHRP – HSRP, VRRP, GLBP
   Redundant paths
   CEF L3/L4 Load Balancing
 Minimize Protocol Exchanges
   Summarize Distribution to Core
   Passive interfaces on Access
   Hardset Trunks and Channels
 Optimize and Harden L2 Convergence and Security
   Use RSTP+
   Set STP Roles (Root, Backup)
   STP Toolkit (RootGuard, STP priorities, BPDU Guard)
   Control Plane Policing (CPP)
   Catalyst Integrated Security Features (CISF)
(Diagram: WAN, Internet and Data Center blocks above the Core, Distribution and Access layers)
Authentication
802.1X with Dynamic VLAN Assignment

(Diagram: the Supplicant speaks EAP over LAN (EAPoL) to the Authenticator; the Authenticator sends the Authentication Request (RADIUS) across the Campus Network to the Authentication Server / Backend in the Data Center, and receives the Authentication Response and VLAN Assignment (RADIUS))
Wireless

 L3 (IP) CAPWAP Tunnel between controller and AP
   WLAN Client Data Encapsulation—UDP 5247
   Control Messages—UDP 5246
 Uses any IP infrastructure
 Layer 3 (IP) Wired Network—Single or Multiple IP Subnets (broadcast domains)
(Diagram: two WLAN Controllers in the Data Center connected by 802.1Q trunks, with CAPWAP Tunnels to the LWAPs)
Wireless
Implementation

 SSID to VLAN mapping
 VLAN to VRF mapping
(Diagram: SSID RED and SSID GRN carried in the CAPWAP Tunnel across the IP Network, then onto 802.1Q VLANs)
Unicast Shared Services

 Provides access to services without requiring traffic to be enforced through the firewall front-ending each VPN
 Useful for sharing specific services (DHCP and DNS servers, for example)
   ‒ Not recommended to provide inter-VPN communication
 Leverage the BGP route-target mechanism for route leaking
   ‒ No support for overlapping IP addresses across VPNs
(Diagram: SVCS VRF 10.0.0.0/24 with Route Leaking towards the 172.16.8.0/24 and 172.17.8.0/24 VPNs)
Unicast Shared Services
MPLS-VPN Configuration

vrf definition SVCS
 rd 1:100
 ! Defining the VRFs for IPv4 and IPv6; the RD is required for BGP
 address-family ipv4
  route-target export 1:100
  route-target export 1:1
  route-target export 1:2
  route-target import 1:100
  route-target import 1:1
  route-target import 1:2
 ! Import and Export to populate the VRF routing table
 address-family ipv6
  route-target export 1:100
  route-target export 1:1
  route-target export 1:2
  route-target import 1:100
  route-target import 1:1
  route-target import 1:2
(Diagram: Route Leaking into the SVCS VRF)
Unicast Shared Services
MPLS-VPN Verification

Each VRF contains local and shared routing information:

S8#show ip route vrf RED
     10.0.0.0/24 is subnetted, 1 subnets
B       10.0.0.0 [200/0] via 192.168.0.7, 00:16:35
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.8.0/24 is directly connected, Ethernet0/3
L       172.16.8.8/32 is directly connected, Ethernet0/3

S8#show ip route vrf GRN
     10.0.0.0/24 is subnetted, 1 subnets
B       10.0.0.0 [200/0] via 192.168.0.7, 00:16:42
     172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.17.8.0/24 is directly connected, Ethernet0/2
L       172.17.8.8/32 is directly connected, Ethernet0/2

S8#show ipv6 route vrf RED
B   2001:10::/64 [200/0]
     via 192.168.0.7%default, indirectly connected
C   2001:16:8::/64 [0/0]
     via Ethernet0/3, directly connected
L   2001:16:8::8/128 [0/0]
     via Ethernet0/3, receive
L   FF00::/8 [0/0]
     via Null0, receive

S8#show ipv6 route vrf GRN
B   2001:10::/64 [200/0]
     via 192.168.0.7%default, indirectly connected
C   2001:17:8::/64 [0/0]
     via Ethernet0/2, directly connected
L   2001:17:8::8/128 [0/0]
     via Ethernet0/2, receive
L   FF00::/8 [0/0]
     via Null0, receive
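The route-target import/export lines on the configuration slide decide which prefixes each VRF ends up with. The following Python model is an added example, not code from the deck: it computes the per-VRF tables from the SVCS/RED/GRN route-targets and prefixes shown above and then shows the case the slides warn about, overlapping addresses across VPNs (the 192.168.100.0/24 prefix is constructed for that purpose).

```python
# Added example (not from the BRKCRS-2033 deck): a model of BGP route-target
# based route leaking between VRFs. VRF names, RDs, route-targets and the
# prefixes 10.0.0.0/24, 172.16.8.0/24 and 172.17.8.0/24 are the slide values;
# the overlapping 192.168.100.0/24 prefix is constructed here.
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local: dict  # prefix string -> outgoing interface (connected routes)


def build_vrf_tables(vrfs):
    """Return {vrf name: {prefix: [(origin vrf, interface), ...]}}.

    A prefix owned by VRF B appears in VRF A when A's import route-targets
    intersect B's export route-targets, which is exactly what the
    'route-target import/export' lines on the slide configure.
    """
    tables = {}
    for vrf in vrfs:
        table = {}
        for prefix, intf in vrf.local.items():
            table.setdefault(IPv4Network(prefix), []).append((vrf.name, intf))
        for other in vrfs:
            if other is vrf or not (vrf.import_rts & other.export_rts):
                continue
            for prefix, intf in other.local.items():
                table.setdefault(IPv4Network(prefix), []).append((other.name, intf))
        tables[vrf.name] = table
    return tables


def ambiguous_prefixes(table):
    """Prefixes learned from more than one VRF: only one path can be installed,
    so hosts behind the losing VPN are unreachable through the shared VRF."""
    return sorted(str(p) for p, origins in table.items()
                  if len({origin for origin, _ in origins}) > 1)


def prefixes(table):
    return sorted(str(p) for p in table)


SLIDE_VRFS = [
    Vrf("SVCS", "1:100", frozenset({"1:100", "1:1", "1:2"}),
        frozenset({"1:100", "1:1", "1:2"}), {"10.0.0.0/24": "Ethernet1/0"}),
    Vrf("RED", "1:1", frozenset({"1:1"}), frozenset({"1:1"}),
        {"172.16.8.0/24": "Ethernet0/3"}),
    Vrf("GRN", "1:2", frozenset({"1:2"}), frozenset({"1:2"}),
        {"172.17.8.0/24": "Ethernet0/2"}),
]


def overlapping_case():
    """Constructed: the same subnet exists inside both RED and GRN."""
    red = Vrf("RED", "1:1", frozenset({"1:1"}), frozenset({"1:1"}),
              {"172.16.8.0/24": "Ethernet0/3", "192.168.100.0/24": "Vlan100"})
    grn = Vrf("GRN", "1:2", frozenset({"1:2"}), frozenset({"1:2"}),
              {"172.17.8.0/24": "Ethernet0/2", "192.168.100.0/24": "Vlan100"})
    return build_vrf_tables([SLIDE_VRFS[0], red, grn])


if __name__ == "__main__":
    for name, table in build_vrf_tables(SLIDE_VRFS).items():
        print(name, prefixes(table))
    print("ambiguous in SVCS:", ambiguous_prefixes(overlapping_case()["SVCS"]))
```

With the slide values RED and GRN each see only their own prefix plus 10.0.0.0/24 from SVCS (they never see each other, which is why this mechanism is not an inter-VPN path), while SVCS sees all three; in the constructed overlap case SVCS receives 192.168.100.0/24 from two different VPNs.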
Unicast Shared Services
EVN

(Diagram: EVN topology; hosts H9 and H10 behind S7, PE R15 on 10.0.0.0/24 with address 10.15.15.15, core switches S3/S4, S1/S2 and S5/S6, hosts H11 and H12 behind S8)
Unicast Shared Services
EVN Configuration

vrf definition GRN
 vnet tag 102
 !
 address-family ipv4
  route-replicate from vrf SVCS unicast all
!
vrf definition RED
 vnet tag 101
 !
 address-family ipv4
  route-replicate from vrf SVCS unicast all
!
! Defining the IPv4 VRFs, assign a tag and configure route replication
vrf definition SVCS
 vnet tag 100
 !
 address-family ipv4
  route-replicate from vrf RED unicast all route-map RED-IMPORT
  route-replicate from vrf GRN unicast all route-map GRN-IMPORT
!
route-map RED-IMPORT permit 10
 match ip address RED-ACL
!
route-map GRN-IMPORT permit 10
 match ip address GRN-ACL
!
! Create route-maps and access-lists
ip access-list standard GRN-ACL
 permit 172.17.0.0 0.0.255.255
ip access-list standard RED-ACL
 permit 172.16.0.0 0.0.255.255
Unicast Shared Services
EVN Configuration

router eigrp LAB
 !
 address-family ipv4 unicast vrf RED autonomous-system 16
  !
  topology base
   redistribute vrf SVCS eigrp 100
  exit-af-topology
  network 172.16.0.0
  network 192.168.0.0 0.0.255.255
 !
 ! Redistribute routing information
 address-family ipv4 unicast vrf GRN autonomous-system 17
  !
  topology base
   redistribute vrf SVCS eigrp 100
  exit-af-topology
  network 172.17.0.0
  network 192.168.0.0 0.0.255.255
 !
 address-family ipv4 unicast vrf SVCS autonomous-system 100
  !
  topology base
   redistribute vrf RED eigrp 16
   redistribute vrf GRN eigrp 17
   ! GRN runs autonomous-system 17 (see above)
  exit-af-topology
  network 10.0.0.0
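Why the SVCS side of the replication carries a route-map while the RED and GRN sides do not: each EVN VRF has its own copy of the trunk subnets (192.168.73.0/24 on Ethernet0/1.101 for RED, on Ethernet0/1.102 for GRN), so an unfiltered "route-replicate ... unicast all" into SVCS would pull the same prefix from two VRFs. The Python below is an added example, not code from the deck; it models wildcard-mask ACL matching and route replication with the RED-ACL/GRN-ACL entries from the slide. The route tables are constructed from the verification outputs (only the /24 prefixes), and GRN's 192.168.73.0/24 and 192.168.74.0/24 are inferred from its next hops on the .102 subinterfaces, which is an assumption.

```python
# Added example (not from the BRKCRS-2033 deck): a model of EVN
# route-replicate with the route-map/access-list filter from the slide.
# VRF names, ACL entries and prefixes come from the slides; the tables are
# constructed from the verification outputs (GRN's 192.168.7x.0/24 entries
# are inferred from its .102 next hops, an assumption).
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(address, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def acl_permits(acl, prefix):
    """Standard ACL as used by 'match ip address' on a route: the route's
    network address is tested, first matching entry wins, implicit deny."""
    network = str(IPv4Network(prefix).network_address)
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def route_replicate(target, source_vrf, source_table, acl=None):
    """Model 'route-replicate from vrf <source_vrf> unicast all [route-map]'.

    Tables map prefix -> (route code, origin VRF). Only routes the source VRF
    owns are copied (its own replicated '+' routes are not re-replicated);
    copies are marked '+' like the IOS output. A prefix the target already
    holds from a different VRF is reported as a conflict, not overwritten.
    Returns the list of conflicting prefixes.
    """
    conflicts = []
    for prefix, (code, origin) in source_table.items():
        if origin != source_vrf:
            continue
        if acl is not None and not acl_permits(acl, prefix):
            continue
        if prefix in target and target[prefix][1] != source_vrf:
            conflicts.append(prefix)
            continue
        target[prefix] = (code + " +", source_vrf)
    return conflicts


RED = {"172.16.7.0/24": ("C", "RED"), "172.16.8.0/24": ("D", "RED"),
       "192.168.73.0/24": ("C", "RED"), "192.168.74.0/24": ("C", "RED"),
       "192.168.85.0/24": ("D", "RED")}
GRN = {"172.17.7.0/24": ("C", "GRN"), "172.17.8.0/24": ("D", "GRN"),
       "192.168.73.0/24": ("C", "GRN"), "192.168.74.0/24": ("C", "GRN")}
SVCS = {"10.0.0.0/24": ("C", "SVCS"), "10.15.15.0/24": ("D", "SVCS")}
RED_ACL = [("permit", "172.16.0.0", "0.0.255.255")]
GRN_ACL = [("permit", "172.17.0.0", "0.0.255.255")]


def svcs_table(filtered=True):
    """Build the SVCS table as S7 would; returns (sorted prefixes, conflicts)."""
    table = dict(SVCS)
    conflicts = route_replicate(table, "RED", RED, RED_ACL if filtered else None)
    conflicts += route_replicate(table, "GRN", GRN, GRN_ACL if filtered else None)
    return sorted(table), conflicts


if __name__ == "__main__":
    print("with route-maps:   ", svcs_table(True))
    print("without route-maps:", svcs_table(False))
```

With the route-maps in place the SVCS table matches the verification slide (its own 10.x routes plus the 172.16.x and 172.17.x prefixes marked "+"); without them the two copies of the trunk subnets collide.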
Unicast Shared Services
EVN Verification

The routing-context command makes it easy to view VRF information; replicated routes are marked "+" with the origin VRF in parentheses (imported RED and GRN routes):

S7#routing-context vrf SVCS
S7%SVCS#sh ip route

Routing Table: SVCS
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Ethernet1/0
L        10.0.0.7/32 is directly connected, Ethernet1/0
D        10.15.15.0/24 [90/409600] via 10.0.0.15, 01:19:53, Ethernet1/0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C   +    172.16.7.0/24 is directly connected (RED), Ethernet0/3
L   +    172.16.7.7/32 is directly connected (RED), Ethernet0/3
D   +    172.16.8.0/24
            [90/384000] via 192.168.74.4 (RED), 02:00:56, Ethernet0/0.101
            [90/384000] via 192.168.73.3 (RED), 02:00:56, Ethernet0/1.101
      172.17.0.0/16 is variably subnetted, 3 subnets, 2 masks
C   +    172.17.7.0/24 is directly connected (GRN), Ethernet0/2
L   +    172.17.7.7/32 is directly connected (GRN), Ethernet0/2
D   +    172.17.8.0/24
            [90/384000] via 192.168.74.4 (GRN), 02:00:55, Ethernet0/0.102
            [90/384000] via 192.168.73.3 (GRN), 02:00:55, Ethernet0/1.102
Unicast Shared Services
EVN Verification

Traceroute indicates a valid path:

H12#traceroute 10.15.15.15
Type escape sequence to abort.
Tracing the route to 10.15.15.15
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.8.8 (GRN,GRN/102) 5 msec 5 msec 5 msec
  2 192.168.85.5 (GRN/102,GRN/102) 5 msec 5 msec 5 msec
  3 192.168.52.2 (GRN/102,GRN/102) 6 msec 13 msec 5 msec
  4 192.168.32.3 (GRN/102,GRN/102) 5 msec 5 msec 5 msec
  5 192.168.73.7 (GRN/102) 7 msec 6 msec 5 msec
  6 10.0.0.15 5 msec * 6 msec
(Diagram: the same EVN topology; H9/H10 and R15 behind S7, core S3/S4, S1/S2, S5/S6, H11/H12 behind S8)
Unicast Shared Services
EVN Verification

The RED table holds the imported SVCS routes (10.0.0.0/24 and 10.15.15.0/24, marked "+") alongside the RED routes:

S7%RED#show ip route
Routing Table: RED
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C   +    10.0.0.0/24 is directly connected (SVCS), Ethernet1/0
L   +    10.0.0.7/32 is directly connected (SVCS), Ethernet1/0
D   +    10.15.15.0/24 [90/409600] via 10.0.0.15 (SVCS), 01:21:55, Ethernet1/0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.7.0/24 is directly connected, Ethernet0/3
L        172.16.7.7/32 is directly connected, Ethernet0/3
D        172.16.8.0/24 [90/384000] via 192.168.74.4, 02:02:58, Ethernet0/0.101
                       [90/384000] via 192.168.73.3, 02:02:58, Ethernet0/1.101
D        192.168.12.0/24 [90/332800] via 192.168.74.4, 02:03:02, Ethernet0/0.101
                         [90/332800] via 192.168.73.3, 02:03:02, Ethernet0/1.101

**** Routes removed for brevity! ****

D        192.168.56.0/24 [90/358400] via 192.168.74.4, 02:03:02, Ethernet0/0.101
                         [90/358400] via 192.168.73.3, 02:03:02, Ethernet0/1.101
D        192.168.61.0/24 [90/332800] via 192.168.74.4, 02:03:02, Ethernet0/0.101
                         [90/332800] via 192.168.73.3, 02:03:02, Ethernet0/1.101
D        192.168.62.0/24 [90/332800] via 192.168.74.4, 02:03:02, Ethernet0/0.101
                         [90/332800] via 192.168.73.3, 02:03:02, Ethernet0/1.101
D        192.168.65.0/24 [90/358400] via 192.168.74.4, 02:03:02, Ethernet0/0.101
                         [90/358400] via 192.168.73.3, 02:03:02, Ethernet0/1.101
      192.168.73.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.73.0/24 is directly connected, Ethernet0/1.101
L        192.168.73.7/32 is directly connected, Ethernet0/1.101
      192.168.74.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.74.0/24 is directly connected, Ethernet0/0.101
L        192.168.74.7/32 is directly connected, Ethernet0/0.101
D        192.168.85.0/24 [90/358400] via 192.168.74.4, 02:03:02, Ethernet0/0.101
                         [90/358400] via 192.168.73.3, 02:03:02, Ethernet0/1.101
D        192.168.86.0/24 [90/358400] via 192.168.74.4, 02:03:02, Ethernet0/0.101
                         [90/358400] via 192.168.73.3, 02:03:02, Ethernet0/1.101
Shared Services Edge
Fusion Router

 Deployment of a fusion router in the Shared Services edge to provide:
   Inter-VPN connectivity
   Protected access to shared resources
 Firewall for:
   VPN isolation/protection
   Application of per VPN policies
   Leverage the multi-context functionality available with FWSM, PIX, ASA and ASA blade
 Routing between VRFs and Fusion Router depends on the FW mode of operation
   FW in Transparent Mode: IGP or eBGP
   FW in Routed Mode: Static Routing or eBGP
 This may be a dedicated device
(Diagram: Services block behind the Fusion Router and firewall)
Protected Services
Deploying Firewall Contexts in Routed Mode

 Firewall contexts in routed mode act as L3 hop routing traffic between interfaces
   ‒ No routing protocol support on FW deployed in multi-context mode
   ‒ The firewall must have static routes for internal and external networks!
 The recommended peering protocol is eBGP, independently from the Path Isolation technique adopted in the Campus
   Configuring static routing is possible but not recommended
 The fusion router would typically advertise only a default route into the various VRFs
 A dedicated “Fusion” VRF may be used in place of an external fusion router device
(Diagram: Shared Services behind L3 firewall contexts)
Protected Services
Deploying Firewall Contexts in Transparent Mode

 Firewall contexts in transparent mode act as L2 bridges
 Fusion router establishes routing peering with the various VRFs
   The fusion router has complete knowledge of all the routes existing in the defined VRFs
 Must define MAC addresses on switch interfaces
 The peering protocol may vary depending on the path isolation strategy
   Use IGP (EIGRP or OSPF) for VRF-lite deployments
   Use eBGP for MPLS-VPN scenarios
 The fusion router could typically advertise only a default route into the various VRFs
 A dedicated “Fusion” VRF may be used in place of an external fusion router device
 In failover mode, STP must be allowed to pass through the firewall
(Diagram: Shared Services behind L2 firewall contexts)
Protected Services
eBGP Single-Box Configuration

! VRFs for IPv4 and IPv6
vrf definition GRN
 rd 1:2
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition RED
 rd 1:1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition SVCS
 rd 1:100
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
(Diagram: Shared Services behind L2 firewall contexts)
Protected Services
eBGP Single-Box Configuration

! eBGP connection interfaces
interface Ethernet0/0
 vrf forwarding SVCS
 mac-address 000b.3333.0000
 ip address 172.17.0.1 255.255.255.0
 ipv6 address 2001:17::1/64
!
interface Ethernet0/1
 vrf forwarding GRN
 mac-address 000b.3333.0001
 ip address 172.17.0.2 255.255.255.0
 ipv6 address 2001:17::2/64
!
interface Ethernet0/2
 vrf forwarding RED
 mac-address 000b.3333.0002
 ip address 172.16.0.2 255.255.255.0
 ipv6 address 2001:16::2/64
!
interface Ethernet0/3
 vrf forwarding SVCS
 mac-address 000b.3333.0003
 ip address 172.16.0.1 255.255.255.0
 ipv6 address 2001:16::1/64
Protected Services
eBGP Single-Box Configuration

! SVCS interface
interface Ethernet1/0
 vrf forwarding SVCS
 ip address 10.0.0.3 255.255.255.0
 ipv6 address 2001:10::3/64
!
! Client side interfaces
interface Ethernet1/1
 vrf forwarding GRN
 ip address 172.17.2.2 255.255.255.0
 ipv6 address 2001:17:2::2/64
!
interface Ethernet1/2
 vrf forwarding RED
 ip address 172.16.2.2 255.255.255.0
 ipv6 address 2001:16:2::2/64
Protected Services
eBGP Single-Box Configuration

! eBGP IPv4
router bgp 65000
 bgp router-id vrf auto-assign
 !
 address-family ipv4 vrf GRN
  redistribute connected
  neighbor 172.17.0.1 remote-as 65100
  neighbor 172.17.0.1 local-as 65002 no-prepend replace-as
  neighbor 172.17.0.1 activate
 !
 address-family ipv4 vrf RED
  redistribute connected
  neighbor 172.16.0.1 remote-as 65100
  neighbor 172.16.0.1 local-as 65001 no-prepend replace-as
  neighbor 172.16.0.1 activate
 !
 address-family ipv4 vrf SVCS
  redistribute connected
  neighbor 172.16.0.2 remote-as 65001
  neighbor 172.16.0.2 local-as 65100 no-prepend replace-as
  neighbor 172.16.0.2 activate
  neighbor 172.17.0.2 remote-as 65002
  neighbor 172.17.0.2 local-as 65100 no-prepend replace-as
  neighbor 172.17.0.2 activate
Protected Services
eBGP Single-Box Configuration

! eBGP IPv6
router bgp 65000
 bgp router-id vrf auto-assign
 !
 address-family ipv6 vrf GRN
  redistribute connected
  neighbor 2001:17::1 remote-as 65100
  neighbor 2001:17::1 local-as 65002 no-prepend replace-as
  neighbor 2001:17::1 activate
 !
 address-family ipv6 vrf RED
  redistribute connected
  neighbor 2001:16::1 remote-as 65100
  neighbor 2001:16::1 local-as 65001 no-prepend replace-as
  neighbor 2001:16::1 activate
 !
 address-family ipv6 vrf SVCS
  redistribute connected
  neighbor 2001:16::2 remote-as 65001
  neighbor 2001:16::2 local-as 65100 no-prepend replace-as
  neighbor 2001:16::2 activate
  neighbor 2001:17::2 remote-as 65002
  neighbor 2001:17::2 local-as 65100 no-prepend replace-as
  neighbor 2001:17::2 activate
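On a single box every eBGP session of the preceding slides has a mirror image: the VRF's neighbor address is an interface of another VRF on the same device, reached through the transparent firewall context, and that interface's local-as must equal this side's remote-as and vice versa. The script below is an added example, not code from the deck, that parses the IPv4 part of the slide configuration (trimmed to the lines the check reads) and reports any session whose counterpart is missing, sits in the same VRF, lacks the mac-address the L2 firewall needs, or whose AS numbers do not cross-match. The check logic and its messages are this example's own; the injected AS mismatch is a constructed fault.

```python
# Added example (not from the BRKCRS-2033 deck): a consistency check for the
# single-box eBGP configuration. Interface and BGP lines are the IPv4 part of
# the slide configuration, trimmed; check logic and messages are this
# example's own; the fault in as_mismatch_case() is constructed.
import re
from collections import defaultdict

SLIDE_CONFIG = """\
interface Ethernet0/0
 vrf forwarding SVCS
 mac-address 000b.3333.0000
 ip address 172.17.0.1 255.255.255.0
interface Ethernet0/1
 vrf forwarding GRN
 mac-address 000b.3333.0001
 ip address 172.17.0.2 255.255.255.0
interface Ethernet0/2
 vrf forwarding RED
 mac-address 000b.3333.0002
 ip address 172.16.0.2 255.255.255.0
interface Ethernet0/3
 vrf forwarding SVCS
 mac-address 000b.3333.0003
 ip address 172.16.0.1 255.255.255.0
router bgp 65000
 address-family ipv4 vrf GRN
  neighbor 172.17.0.1 remote-as 65100
  neighbor 172.17.0.1 local-as 65002 no-prepend replace-as
 address-family ipv4 vrf RED
  neighbor 172.16.0.1 remote-as 65100
  neighbor 172.16.0.1 local-as 65001 no-prepend replace-as
 address-family ipv4 vrf SVCS
  neighbor 172.16.0.2 remote-as 65001
  neighbor 172.16.0.2 local-as 65100 no-prepend replace-as
  neighbor 172.17.0.2 remote-as 65002
  neighbor 172.17.0.2 local-as 65100 no-prepend replace-as
"""


def parse(config):
    """interfaces: ip -> {name, vrf, mac}; peers: (vrf, neighbor ip) -> {remote-as, local-as}."""
    interfaces, peers = {}, defaultdict(dict)
    intf, vrf = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            intf, vrf = {"name": line.split()[1], "vrf": None, "mac": None}, None
        elif line.startswith("router bgp"):
            intf = None
        elif line.startswith("address-family ipv4 vrf "):
            vrf = line.split()[3]
        elif intf is not None and line.startswith("vrf forwarding "):
            intf["vrf"] = line.split()[2]
        elif intf is not None and line.startswith("mac-address "):
            intf["mac"] = line.split()[1]
        elif intf is not None and line.startswith("ip address "):
            interfaces[line.split()[2]] = intf
        elif vrf is not None and line.startswith("neighbor "):
            m = re.match(r"neighbor (\S+) (remote-as|local-as) (\d+)", line)
            if m:
                peers[(vrf, m.group(1))][m.group(2)] = int(m.group(3))
    return interfaces, dict(peers)


def check_sessions(config):
    """Each VRF session must target an interface of a different VRF on this box,
    that interface needs a mac-address (the transparent firewall bridges it),
    and the two sides' local-as/remote-as must mirror each other."""
    interfaces, peers = parse(config)
    findings = []
    for (vrf, nbr), attrs in peers.items():
        far = interfaces.get(nbr)
        if far is None:
            findings.append(f"{vrf}: neighbor {nbr} is not an address on this box")
            continue
        if far["vrf"] == vrf:
            findings.append(f"{vrf}: neighbor {nbr} is in the same VRF, nothing crosses the firewall")
        if far["mac"] is None:
            findings.append(f"{vrf}: {far['name']} has no mac-address configured")
        mine = [ip for ip, i in interfaces.items() if i["vrf"] == vrf]
        back = [peers[(far["vrf"], ip)] for ip in mine if (far["vrf"], ip) in peers]
        if not back:
            findings.append(f"{vrf}: vrf {far['vrf']} has no session back towards {vrf}")
        elif (back[0].get("local-as"), back[0].get("remote-as")) != \
                (attrs.get("remote-as"), attrs.get("local-as")):
            findings.append(f"{vrf}<->{far['vrf']}: local-as/remote-as do not cross-match")
    return findings


def as_mismatch_case():
    """Constructed fault: SVCS tells the RED session the wrong remote AS."""
    return check_sessions(SLIDE_CONFIG.replace(
        "neighbor 172.16.0.2 remote-as 65001", "neighbor 172.16.0.2 remote-as 65002"))


if __name__ == "__main__":
    print("slide config:", check_sessions(SLIDE_CONFIG) or "OK")
    print("AS mismatch: ", as_mismatch_case())
```

The slide configuration passes cleanly; the constructed mismatch is reported from both ends of the SVCS/RED pair, since each side's view of the peering is checked independently.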
Protected Services
eBGP Single-Box – Verification

Traceroute from RED to SVCS:

H3#traceroute 10.0.0.1
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.2.2 0 msec 0 msec 0 msec
  2 172.16.0.1 1 msec 0 msec 0 msec
  3 10.0.0.1 1 msec * 0 msec
H3#traceroute 2001:10::1
Tracing the route to 2001:10::1
  1 2001:16:2::2 0 msec 5 msec 5 msec
  2 2001:16::1 1 msec 1 msec 0 msec
  3 2001:10::1 37 msec 1 msec 0 msec

Traceroute from RED to GRN:

H3#traceroute 172.17.2.4
Tracing the route to 172.17.2.4
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.2.2 1 msec 5 msec 5 msec
  2 172.16.0.1 1 msec 1 msec 0 msec
  3 172.17.0.2 1 msec 1 msec 0 msec
  4 172.17.2.4 1 msec * 1 msec
H3#traceroute 2001:17:2::4
Tracing the route to 2001:17:2::4
  1 2001:16:2::2 0 msec 5 msec 4 msec
  2 2001:16::1 0 msec 0 msec 0 msec
  3 2001:17::2 1 msec 1 msec 0 msec
  4 2001:17:2::4 0 msec 1 msec 0 msec
(Diagram: Shared Services 10.0.0.0/24 behind L2 firewall contexts; H3 on 172.16.2.0/24 and H4 on 172.17.2.0/24)
Multicast Shared Services

 Configuration to enable the multicast extranet replication is recommended on the leaf device
   Independent from the path isolation strategy adopted (VRF-Lite/EVN or MPLS-VPN)
 Multicast replication performed in HW (data plane)
 On the control plane, it is important to ensure that the RPF check is successful across VRFs in order for multicast streams to cross the VRF boundaries
   Option 1: Route-Leaking
   Option 2: VRF Fallback
   Option 3: VRF Select
(Diagram: SVCS VRF)
MPLS VPN and Multicast
What is MVPN?

 Multicast not natively supported with MPLS (in RFC2547, RFC4364)
 Cisco’s implementation is based on IETF draft
   ‒ Multicast in MPLS/BGP IP VPNs
   ‒ draft-ietf-l3vpn-2547bis-mcast-07
 MVPN is a scalable architecture based on native IP multicast in the core
 A separate multicast group is assigned in the core for each defined VPN (Default MDT)
   ‒ Multicast packets for each VPN are GRE encapsulated and delivered across the common core
   ‒ Core multicast address space is independent of the multicast address space used inside each VPN
Multicast Shared Services
Route-Leaking - SSM in MPLS-VPN Core

 Permits a PE to join directly a source tree rooted at another PE for the MDT
 No Rendezvous Points are needed in the “service provider” network
   ‒ Reduces forwarding delay
   ‒ Reduces management overhead to administer group/RP mapping and redundant RPs for reliability
   ‒ Eliminates a potential point of failure
Multicast Shared Services
Route-Leaking - MPLS-VPN RP

(Diagram: H9/H10 behind S7; R15 on 10.0.0.0/24 and 2001:10::0/64 with address 10.0.0.15; Route Reflectors R13 and R14 beside the core switches S3/S4, S1/S2, S5/S6; H11/H12 behind S8)
Multicast Shared Services
Route-Leaking – MPLS-VPN Core Configuration

! Enable PIM on loopback and network facing interfaces
interface Loopback0
 ip pim sparse-mode
!
! Turn on multicast-routing and SSM
ip multicast-routing
ip pim ssm default
!
! Configure the MDT address family in BGP
router bgp 65000
 !
 address-family ipv4 mdt
  neighbor AS65000 send-community extended
  neighbor AS65000 route-reflector-client
  neighbor 192.168.0.7 activate
  neighbor 192.168.0.8 activate
Multicast Shared Services
Route-Leaking - Core Configuration

! Enable multicast-routing for each VRF
ip multicast-routing vrf SVCS
ip multicast-routing vrf GRN
ip multicast-routing vrf RED
!
! Statically assign each VRF to use the shared RP
ip pim vrf SVCS rp-address 10.0.0.15
ip pim vrf GRN rp-address 10.0.0.15
ip pim vrf RED rp-address 10.0.0.15

! Configure the RP
! Note: the join-group is used for testing purposes
interface Ethernet0/0
 ip address 10.0.0.15 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 224.100.100.100
!
ip pim rp-address 10.0.0.15
Multicast Shared Services
Route-Leaking - PE Configuration

! Configure each VRF with MDT data and default
vrf definition GRN
 rd 1:2
 address-family ipv4
  mdt default 232.0.0.2
  mdt data 232.0.2.0 0.0.0.255 threshold 10
  route-target export 1:2
  route-target import 1:2
!
vrf definition RED
 rd 1:1
 address-family ipv4
  mdt default 232.0.0.1
  mdt data 232.0.1.0 0.0.0.255 threshold 10
  route-target export 1:1
  route-target import 1:1
!
! “Leak” routes between the SVCS VRF and the GRN and RED VRFs
! using the route-target import and export commands
vrf definition SVCS
 rd 1:100
 address-family ipv4
  mdt default 232.0.0.100
  mdt data 232.0.100.0 0.0.0.255 threshold 10
  route-target export 1:100
  route-target export 1:1
  route-target export 1:2
  route-target import 1:100
  route-target import 1:1
  route-target import 1:2
Multicast Shared Services
Route-Leaking - Verification

Ping the multicast address from H11 to the RP:

H11#ping 224.100.100.100
Sending 1, 100-byte ICMP Echos to 224.100.100.100, timeout is 2 seconds:
Reply to request 0 from 10.0.0.15, 21 ms

r15#sh ip mroute
IP Multicast Routing Table
(*, 224.100.100.100), 00:22:12/stopped, RP 10.0.0.15, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Ethernet0/0, Forward/Sparse, 00:22:12/00:02:47

(172.16.8.11, 224.100.100.100), 00:01:39/00:01:20, flags: PLX
  Incoming interface: Ethernet0/0, RPF nbr 10.0.0.7
  Outgoing interface list: Null
(Diagram: H9/H10 and the RP R15 at the top of the topology, H11/H12 at the bottom)
Multicast Shared Services
VRF-Fallback - Configuration

! Configure the VRF definitions
vrf definition GRN
 address-family ipv4
!
vrf definition RED
 address-family ipv4
!
vrf definition SVCS
 address-family ipv4

! Define the VRF interfaces, assign IP addresses and enable PIM
interface Ethernet0/0
 vrf forwarding SVCS
 ip address 10.0.0.2 255.255.255.0
 ip pim sparse-mode
!
interface Ethernet0/1
 vrf forwarding GRN
 ip address 172.17.2.2 255.255.255.0
 ip pim sparse-mode
!
interface Ethernet0/2
 vrf forwarding RED
 ip address 172.16.2.2 255.255.255.0
 ip pim sparse-mode
Multicast Shared Services
VRF-Fallback - Configuration

! Enable multicast-routing for each VRF
ip multicast-routing vrf GRN
ip multicast-routing vrf RED
ip multicast-routing vrf SVCS
!
! Statically assign each VRF to use the shared RP
ip pim vrf GRN rp-address 10.0.0.5
ip pim vrf RED rp-address 10.0.0.5
ip pim vrf SVCS rp-address 10.0.0.5
!
! Configure GRN and RED VRFs for fallback
ip mroute vrf GRN 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
ip mroute vrf RED 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
Multicast Shared Services
VRF-Fallback – Verification

Verification of multicast routing information in the SVCS VRF:

S2#sh ip mroute vrf SVCS 224.1.1.1
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:10:24/stopped, RP 10.0.0.5, flags: SJCE
  Incoming interface: Ethernet0/0, RPF nbr 10.0.0.5
  Outgoing interface list: Null
  Extranet receivers in vrf GRN:
  (*, 224.1.1.1), 00:10:58/stopped, RP 10.0.0.5, OIF count: 1, flags: SJC
  Extranet receivers in vrf RED:
  (*, 224.1.1.1), 00:10:48/stopped, RP 10.0.0.5, OIF count: 1, flags: SJC

(10.0.0.1, 224.1.1.1), 00:10:24/00:02:24, flags: TE
  Incoming interface: Ethernet0/0, RPF nbr 0.0.0.0
  Outgoing interface list: Null
  Extranet receivers in vrf GRN:
  (10.0.0.1, 224.1.1.1), 00:02:58/stopped, OIF count: 1, flags: T
  Extranet receivers in vrf RED:
  (10.0.0.1, 224.1.1.1), 00:08:39/stopped, OIF count: 1, flags: T
(Diagram: H1 and R5 on the SVCS VRF side of S2; receivers H3 and H4 below)
Multicast Shared Services
VRF-Fallback – Verification

Verification of multicast routing information in the RED and GRN VRFs:

S2#sh ip mroute vrf RED 224.1.1.1
IP Multicast Routing Table
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:15:42/stopped, RP 10.0.0.5, flags: SJC
  Incoming interface: Ethernet0/0, RPF nbr 10.0.0.5, using vrf SVCS
  Outgoing interface list:
    Ethernet0/2, Forward/Sparse, 00:14:48/00:03:25

(10.0.0.1, 224.1.1.1), 00:02:43/stopped, flags: T
  Incoming interface: Ethernet0/0, RPF nbr 0.0.0.0, using vrf SVCS
  Outgoing interface list:
    Ethernet0/2, Forward/Sparse, 00:02:43/00:03:25

S2#sh ip mroute vrf GRN 224.1.1.1
IP Multicast Routing Table
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:15:57/stopped, RP 10.0.0.5, flags: SJC
  Incoming interface: Ethernet0/0, RPF nbr 10.0.0.5, using vrf SVCS
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 00:15:02/00:03:11

(10.0.0.1, 224.1.1.1), 00:03:03/stopped, flags: T
  Incoming interface: Ethernet0/0, RPF nbr 0.0.0.0, using vrf SVCS
  Outgoing interface list:
    Ethernet0/1, Forward/Sparse, 00:03:03/00:03:11
(Diagram: H1 and R5 on the SVCS VRF side of S2; receivers H3 and H4 below)
Multicast Shared Services
VRF-Fallback – Verification

RPF check in the RED and GRN VRFs:

S2#sh ip rpf vrf RED 10.0.0.1
RPF information for ? (10.0.0.1)
  RPF interface: Ethernet0/0
  RPF neighbor: ? (10.0.0.1) - directly connected
  RPF route/mask: 10.0.0.0/24
  RPF type: multicast (connected)
  Doing distance-preferred lookups across tables
  Using Extranet RPF Rule: Static Fallback Lookup, RPF VRF: SVCS
  RPF topology: ipv4 multicast base

S2#sh ip rpf vrf GRN 10.0.0.1
RPF information for ? (10.0.0.1)
  RPF interface: Ethernet0/0
  RPF neighbor: ? (10.0.0.1) - directly connected
  RPF route/mask: 10.0.0.0/24
  RPF type: multicast (connected)
  Doing distance-preferred lookups across tables
  Using Extranet RPF Rule: Static Fallback Lookup, RPF VRF: SVCS
  RPF topology: ipv4 multicast base
Multicast Shared Services
VRF-Select - Configuration

! Configure fallback-lookup for the SVCS VRF
ip mroute vrf GRN 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
ip mroute vrf RED 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
!
! Define allowed multicast addresses
ip multicast vrf GRN rpf select vrf SVCS group-list 1
ip multicast vrf RED rpf select vrf SVCS group-list 1
!
access-list 1 permit 224.1.1.1
Multicast Shared Services
VRF-Select – Verification

Verification of multicast routing information in the SVCS VRF:

S2#sh ip mroute vrf SVCS 224.1.1.1
IP Multicast Routing Table
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:20:42/stopped, RP 10.0.0.5, flags: SJCE
  Incoming interface: Ethernet0/0, RPF nbr 10.0.0.5
  Outgoing interface list: Null
  Extranet receivers in vrf GRN:
  (*, 224.1.1.1), 01:08:40/stopped, RP 10.0.0.5, OIF count: 1, flags: SJC
  Extranet receivers in vrf RED:
  (*, 224.1.1.1), 01:08:31/stopped, RP 10.0.0.5, OIF count: 1, flags: SJC

(10.0.0.1, 224.1.1.1), 00:20:42/00:02:03, flags: TE
  Incoming interface: Ethernet0/0, RPF nbr 0.0.0.0
  Outgoing interface list: Null
  Extranet receivers in vrf GRN:
  (10.0.0.1, 224.1.1.1), 00:15:15/stopped, OIF count: 1, flags: T
  Extranet receivers in vrf RED:
  (10.0.0.1, 224.1.1.1), 00:55:31/stopped, OIF count: 1, flags: T
(Diagram: H1 and R5 on the SVCS VRF side of S2; receivers H3 and H4 below)
MPLS VPN and Multicast
Concept and Fundamentals

 The first step is to enable multicast in the Campus core
 The MPLS Core forms a Default MDT for each given VRF defined on the PE
   Default MDT: for low bandwidth and control traffic
 A High-bandwidth source for that customer starts sending traffic
 Interested receivers 1 & 2 join that High Bandwidth source
 Data-MDT is formed for this High-Bandwidth source
   Data MDT: for High Bandwidth traffic
(Diagram: Multicast Source at the WAN/Internet/Data Center edge, Default MDT and Data MDT across the core, Multicast Receiver 1 and Multicast Receiver 2)
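The Default MDT / Data MDT behaviour described on this slide, and configured on the PE slide with "mdt default" and "mdt data ... threshold 10", can be followed in a few lines of Python. This is an added example, not code from the deck: the Default MDT groups 232.0.0.1 and 232.0.0.2, the data pools 232.0.1.0/24 and 232.0.2.0/24 and the 10 kbps threshold are the slide values; the stream rates, the receiver address 172.17.8.12 and the order in which data-MDT groups are handed out from the pool are assumptions.

```python
# Added example (not from the BRKCRS-2033 deck): how a PE picks the core
# (provider) multicast group for a VPN stream. Default MDT groups, data pools
# and the 10 kbps threshold are slide values; stream rates, the address
# 172.17.8.12 and the pool allocation order are assumptions.
from ipaddress import IPv4Network


class VrfMdt:
    """One VRF's Default MDT plus its Data MDT pool on a PE."""

    def __init__(self, name, default_group, data_pool, threshold_kbps):
        self.name = name
        self.default_group = default_group
        # assumption: groups are taken from the pool in ascending order
        self.pool = [str(a) for a in IPv4Network(data_pool)]
        self.threshold = threshold_kbps
        self.data_groups = {}   # (customer source, customer group) -> core group
        self._next = 0

    def core_group(self, source, group, rate_kbps):
        """Core group the (S,G) of this VPN is encapsulated into at rate_kbps.

        At or below the threshold every stream shares the Default MDT; above it
        the stream gets (or keeps) a Data MDT group, so only PEs with
        interested receivers have to carry the high-bandwidth traffic."""
        key = (source, group)
        if rate_kbps <= self.threshold:
            self.data_groups.pop(key, None)       # back to the Default MDT
            return self.default_group
        if key not in self.data_groups:
            # when the pool is exhausted, groups are shared round-robin
            self.data_groups[key] = self.pool[self._next % len(self.pool)]
            self._next += 1
        return self.data_groups[key]


def encapsulate(vrf, source, group, rate_kbps):
    """Outer (core) and inner (customer) addressing of one VPN multicast
    packet; the two address spaces are independent of each other."""
    return {"vrf": vrf.name, "inner_group": group,
            "outer_group": vrf.core_group(source, group, rate_kbps)}


RED = VrfMdt("RED", "232.0.0.1", "232.0.1.0/24", 10)
GRN = VrfMdt("GRN", "232.0.0.2", "232.0.2.0/24", 10)


def demo():
    """The same customer group in two VPNs never shares a core group, and a
    stream moves to a Data MDT when it exceeds the threshold and back when
    its rate drops. Returns the sequence of outer groups chosen."""
    return [
        encapsulate(RED, "172.16.8.11", "224.100.100.100", 2)["outer_group"],
        encapsulate(GRN, "172.17.8.12", "224.100.100.100", 2)["outer_group"],
        encapsulate(RED, "172.16.8.11", "224.100.100.100", 50)["outer_group"],
        encapsulate(RED, "172.16.8.11", "224.100.100.101", 50)["outer_group"],
        encapsulate(RED, "172.16.8.11", "224.100.100.100", 2)["outer_group"],
    ]


if __name__ == "__main__":
    print(demo())
```

The sequence returned by demo() is 232.0.0.1 (RED Default MDT), 232.0.0.2 (GRN Default MDT for the same inner group), 232.0.1.0 and 232.0.1.1 (two RED Data MDTs), then 232.0.0.1 again once the first stream drops below the threshold.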
Multicast Shared Services
VRF-Select

 The Multicast VPN Extranet VRF Select feature provides the capability for Reverse Path Forwarding (RPF) lookups to be performed to the same source address in different VPN routing and forwarding (VRF) instances using the group address as the VRF selector
(Diagram: S2 with E0/0 in the SVCS VRF 10.0.0.0/24 towards R5 (RP 10.0.0.5) and the sender H1 for group 224.1.1.1; E0/1 and E0/2 towards the receivers H3 172.16.2.3 and H4 172.17.2.4)
Multicast Shared Services
VRF-Fallback

 A Fallback VRF is used when the RP or Source is not found in the local VRF: the fallback VRF or the global routing table is then used for RPF
(Diagram: S2 with E0/0 in the SVCS VRF 10.0.0.0/24 towards R5 (RP 10.0.0.5) and the sender H1 for group 224.1.1.1; E0/1 and E0/2 towards the receivers H3 172.16.2.3 and H4 172.17.2.4)
Multicast Shared Services
Summary

Three ways to perform Extranet with IP Multicast today:

 BGP Route-Target Import
   Uses BGP to import/export routes between VRFs
   Same mechanism as unicast routes
 VRF Fallback
   Use a fallback VRF to RPF for the Source/RP when the route doesn’t exist in the receiver VRF
   Supported on 6500 12.2(33)SXI2
   Earlier releases require that mVPN is configured and an MDT exists
   Cons: VRF Fallback can’t be used with a default unicast route
   Can’t be used if source addresses overlap between VRFs
 Group-Based VRF Select
   Statically assigns a VRF to RPF for a multicast group range
   Pro: Can be used with overlapping source addresses (with Caveats)
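The VRF-Fallback and VRF-Select configuration slides and this summary describe two different RPF decisions, and the summary's two cons of VRF Fallback follow directly from the order of the lookups. The Python below is an added example, not code from the deck, that models the RPF lookup the way the summary describes it: a group-based select consults the chosen VRF before anything else, a normal lookup in the receiver VRF wins whenever it finds any route (a default route included), and the fallback VRF is consulted only when the receiver VRF has no route at all. Interfaces, addresses and the fallback/select statements come from the S2 configuration; the default route and the overlapping 10.0.0.0/24 in RED are constructed faults.

```python
# Added example (not from the BRKCRS-2033 deck): a model of the extranet RPF
# lookup with VRF Fallback and group-based VRF Select, following the order the
# summary slide describes. Interfaces, addresses and the fallback/select
# statements are from the S2 configuration; the RED default route and the
# overlapping 10.0.0.0/24 in RED are constructed faults.
from ipaddress import IPv4Address, IPv4Network


def longest_match(table, address):
    """Longest-prefix match in a {prefix: interface} table; None if no route."""
    addr = IPv4Address(address)
    best = None
    for prefix, intf in table.items():
        net = IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def rpf_lookup(vrf, source, group, tables, fallback=None, rpf_select=None):
    """Return (vrf used, RPF interface, rule) for `source` as seen by `vrf`.

    tables:     {vrf: {prefix: interface}} unicast tables
    rpf_select: {vrf: [(set of groups, vrf)]} from
                'ip multicast vrf X rpf select vrf Y group-list N'
    fallback:   {vrf: {prefix: vrf}} from
                'ip mroute vrf X <net> <mask> fallback-lookup vrf Y'
    """
    # Option 3, VRF Select: the group decides the table before any unicast lookup.
    for groups, target in (rpf_select or {}).get(vrf, []):
        if group in groups:
            hit = longest_match(tables[target], source)
            return (target, hit[1], "Group-based VRF Select") if hit else (None, None, "no route")
    # Normal lookup in the receiver VRF; any route here, a default included, wins.
    hit = longest_match(tables[vrf], source)
    if hit:
        return (vrf, hit[1], "local lookup")
    # Option 2, VRF Fallback: only reached when the receiver VRF has no route at all.
    for prefix, target in (fallback or {}).get(vrf, {}).items():
        if IPv4Address(source) in IPv4Network(prefix):
            hit = longest_match(tables[target], source)
            if hit:
                return (target, hit[1], "Static Fallback Lookup")
    return (None, None, "no route")


def rpf_check(vrf, source, group, arrival_interface, **kw):
    """True when the packet arrived on the interface the RPF lookup selects."""
    _, intf, _ = rpf_lookup(vrf, source, group, **kw)
    return intf == arrival_interface


TABLES = {
    "SVCS": {"10.0.0.0/24": "Ethernet0/0"},
    "RED": {"172.16.2.0/24": "Ethernet0/2"},
    "GRN": {"172.17.2.0/24": "Ethernet0/1"},
}
FALLBACK = {"RED": {"10.0.0.0/24": "SVCS"}, "GRN": {"10.0.0.0/24": "SVCS"}}
RPF_SELECT = {"RED": [({"224.1.1.1"}, "SVCS")], "GRN": [({"224.1.1.1"}, "SVCS")]}
SOURCE, GROUP = "10.0.0.1", "224.1.1.1"


def scenario_fallback():
    """Slide configuration: RED has no route to the source, SVCS is consulted."""
    return rpf_lookup("RED", SOURCE, GROUP, TABLES, fallback=FALLBACK)


def scenario_default_route():
    """Constructed: RED carries a default route, so the fallback is never
    consulted and traffic arriving on Ethernet0/0 fails the RPF check."""
    tables = {**TABLES, "RED": {**TABLES["RED"], "0.0.0.0/0": "Ethernet0/2"}}
    return rpf_check("RED", SOURCE, GROUP, "Ethernet0/0", tables=tables, fallback=FALLBACK)


def scenario_overlap():
    """Constructed: RED has its own 10.0.0.0/24; fallback picks the local
    route, only the group-based select still reaches SVCS."""
    tables = {**TABLES, "RED": {**TABLES["RED"], "10.0.0.0/24": "Ethernet0/2"}}
    return (rpf_lookup("RED", SOURCE, GROUP, tables, fallback=FALLBACK),
            rpf_lookup("RED", SOURCE, GROUP, tables, fallback=FALLBACK, rpf_select=RPF_SELECT))


if __name__ == "__main__":
    print("fallback:     ", scenario_fallback())
    print("default route:", scenario_default_route())
    print("overlap:      ", scenario_overlap())
```

scenario_fallback() reproduces the "Static Fallback Lookup, RPF VRF: SVCS" line of the verification slide; the other two scenarios show the two cons listed above and why group-based select is the option that survives overlapping sources.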
QoS and Network Virtualization

 Classify and mark traffic at the network edge
 Traffic is queued/shaped according to DSCP values or MPLS EXP bits
 MPLS EXP only offers 8 classes
 Traffic can be classified by type and/or VRF
 Choose the appropriate class of service
   Web – Best effort/scavenger
   Voice – Priority
   Other – you decide
(Diagram: campus core with WAN, Internet and Data Center blocks)
QoS and Network Virtualization
Configuration

! Define the class-maps
class-map match-any DATA
 match access-group name DATA-ACL
class-map match-any VOICE
 match access-group name VOICE-ACL
!
! Configure the policy-map
policy-map MPLS-POLICY-MAP
 class DATA
  set mpls experimental imposition 3
 class VOICE
  set mpls experimental imposition 5
 class class-default
  police 32000 conform-action set-mpls-exp-imposition-transmit 0 exceed-action drop
!
! Define the interesting traffic
ip access-list extended DATA-ACL
 permit “You define the list”
ip access-list extended VOICE-ACL
 permit “You define the list”
!
! Apply the service-policy
interface GigabitEthernet1/1
 vrf forwarding RED
 ip address 172.16.1.1 255.255.255.0
 service-policy input MPLS-POLICY-MAP
QoS and Network Virtualization
Verification

Validate that traffic matches the intended classes. The per-class byte counters confirm the ACL matches; in class-default the exceeded counter shows unclassified traffic being dropped by the 32 kbps policer, which is the expected result, not an error.

S1#show policy-map interface g1/1
 Service-policy input: MPLS-POLICY-MAP
  class-map: DATA (match-any)
   Match: access-group name DATA-ACL
   set mpls experimental 3:
   Earl in slot 1 :
    230018432 bytes
    5 minute offered rate 2671680 bps
    aggregate-forwarded 230018432 bytes
  class-map: VOICE (match-any)
   Match: access-group name VOICE-ACL
   set mpls experimental 5:
   Earl in slot 1 :
    32662144 bytes
    5 minute offered rate 285448 bps
    aggregate-forwarded 32662144 bytes
  class-map: class-default (match-any)
   Match: any
   police :
    32000 bps 1500 limit 1500 extended limit
   Earl in slot 1 :
    52170132 bytes
    5 minute offered rate 170584 bps
    aggregate-forwarded 3995207 bytes action: set-mpls-exp-transmit
    exceeded 48174925 bytes action: drop
    aggregate-forward 32408 bps exceed 121088 bps
EoMPLS

 Based on the IETF Pseudo-Wire (PW) reference model
 MPLS labels are used to encapsulate the traffic
 A PW is a connection (tunnel) between two PE devices
  Point-to-point (bidirectional)
  Both attached devices appear on the same Layer-2 network
 For limited deployment: legacy application support

Figure: an emulated Layer-2 service carried across the campus core, alongside the WAN, Internet and Data Center connections.
EoMPLS – Port Mode
Configuration Example

Figure: hosts H9 (behind S7) and H11 (behind S8) share 10.1.1.0/24 across an MPLS core of S1–S6; the pseudowire runs between S7 and S8. The xconnect peer address is the remote PE's loopback, and the VC ID (78) must match on both ends.

S7# show run interface Ethernet0/3
interface Ethernet0/3
 no ip address
 xconnect 192.168.0.8 78 encapsulation mpls

S8# show run interface Ethernet0/3
interface Ethernet0/3
 no ip address
 xconnect 192.168.0.7 78 encapsulation mpls
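The slide shows only the attachment circuit; the pseudowire also needs a label-switched path and a targeted LDP session between the two loopbacks. The full S7 side of the example, as an added configuration that is not from the slides (S8 mirrors it with the addresses swapped): the peer addresses 192.168.0.7/.8 and VC ID 78 come from the slide, while the core interface, its addressing and the OSPF process are assumptions.

```cisco
! Added example - not part of BRKCRS-2033. S7 side of the port-mode PW from
! the figure. Core interface Ethernet0/0, its /30 and OSPF process 1 are
! assumed; 192.168.0.7/.8 and VC ID 78 are from the slide.
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 192.168.0.7 255.255.255.255   ! the address S8 names in its xconnect
!
interface Ethernet0/0
 description to MPLS core
 ip address 10.7.0.1 255.255.255.252
 mpls ip                                  ! LDP and label switching on the core link
!
router ospf 1
 network 192.168.0.7 0.0.0.0 area 0       ! the /32 must be reachable from S8
 network 10.7.0.0 0.0.0.3 area 0
!
! Attachment circuit in port mode: every frame received on E0/3 is carried to
! S8 unchanged, so the port carries no IP address of its own.
interface Ethernet0/3
 no ip address
 xconnect 192.168.0.8 78 encapsulation mpls
!
! Verification - what to look for:
! show mpls l2transport vc 78 detail   - VC status UP, local/remote labels;
!                                        the AC MTU must match on both ends
! show mpls ldp neighbor 192.168.0.8   - targeted LDP session to the peer
```

Port mode is transparent: whatever H9 sends, S7 forwards to S8 and out to H11, which is why the deck reserves EoMPLS for limited, legacy-application use. Treat the two attachment ports as one Layer-2 segment when you apply port security or storm control, because the pseudowire itself filters nothing.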
Layer-2 VPN
Summary

 Enables transport of any Layer-2 traffic over an MPLS network
 Two types of L2 VPN: EoMPLS for point-to-point and VPLS for point-to-multipoint Layer-2 connectivity
 Layer-2 VPN forwarding is based on pseudowires (PW), which use a VC label for L2 packet encapsulation
  ‒ LDP is used for PW signaling
 EoMPLS is suited to transparent point-to-point connectivity between Layer-2 circuits
 VPLS is suited to transparent point-to-multipoint connectivity between Ethernet links/sites
Datacenter Integration

Figure: the virtualized campus network connected to a virtualized data-center network. Virtualized data-center services:
 VSANs
 UCS with FCoE
 VLAN separation
 SLB/SSL/FW/IDS/IPS
 VRF/VDC on Nexus 7K
VRF-lite End-to-End

Pros:
 No MP-BGP configuration
 L3 to the edge
 Minimizes impact on the distribution layer (no FHRP needed)
 Lower-cost solution

Cons:
 Adding VRFs is arduous (every link needs a subinterface and a routing-process instance per VRF)
 Limited scalability
 Import/export of routes between VRFs requires additional equipment

Figure: platforms top to bottom: 7xxx at the WAN/Internet/Data Center edge, 65xx (VSS), 45xx, 3xxx.
EVN w/ L2 access

Pros:
 No MP-BGP configuration
 L3 to the edge
 Lower-cost solution

Cons:
 Limited product support (today)
 No IPv6 support (today)
 FHRP on distribution devices

Figure: platforms top to bottom: 65xx (VSS), 45xx, 3xxx/29xx.
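The contrast the two slides above draw (VRF-lite's "adding VRFs is arduous" versus EVN's single trunk), as an added configuration example that is not from the slides: the same two VRFs on one distribution uplink, first with VRF-lite and then with EVN. VRF names, VNET tags, addresses and OSPF process numbers are assumptions, and the two halves are alternatives for the same interface, not one configuration.

```cisco
! Added example - not part of BRKCRS-2033. Two alternative ways to carry
! VRFs RED and GUEST over GigabitEthernet1/1. Names, tags, addresses and
! OSPF process numbers are assumed.
!
! ===== Alternative A: VRF-lite end-to-end =====
! One 802.1Q subinterface per VRF per link, each with its own address and
! its own routing-process instance; all of this repeats on every link.
vrf definition RED
 address-family ipv4
 exit-address-family
vrf definition GUEST
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet1/1
 no ip address
!
interface GigabitEthernet1/1.100
 encapsulation dot1Q 100
 vrf forwarding RED
 ip address 10.100.1.1 255.255.255.252
!
interface GigabitEthernet1/1.200
 encapsulation dot1Q 200
 vrf forwarding GUEST
 ip address 10.200.1.1 255.255.255.252
!
router ospf 100 vrf RED
 network 10.100.1.0 0.0.0.3 area 0
router ospf 200 vrf GUEST
 network 10.200.1.0 0.0.0.3 area 0
!
! ===== Alternative B: EVN =====
! The tag lives on the VRF, and a single vnet trunk creates the per-VRF
! subinterfaces on the link; they inherit the trunk's IP address, so adding
! a VRF later is a vnet tag on the VRF, not a subinterface on every link.
vrf definition RED
 vnet tag 100
 address-family ipv4
 exit-address-family
vrf definition GUEST
 vnet tag 200
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet1/1
 vnet trunk
 ip address 10.1.1.1 255.255.255.252   ! shared by the global, RED and GUEST instances
!
router ospf 100 vrf RED
 network 10.1.1.0 0.0.0.3 area 0
router ospf 200 vrf GUEST
 network 10.1.1.0 0.0.0.3 area 0
```

Either way the partition on the wire is an 802.1Q tag, so the isolation depends on both ends of every link agreeing on the tag-to-VRF mapping: a far end that maps tag 100 to a different VRF joins two partitions without any error being raised. Check the mapping with show vrf on both sides whenever a VRF or a link is added.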
MPLS-VPN w/ L2 access

Pros:
 Very scalable
 Pseudowire support
 IPv6 support (6VPE)

Cons:
 MP-BGP configuration
 Multicast configuration is complex
 FHRP on distribution devices

Figure: platforms top to bottom: 9xxx at the WAN/Internet/Data Center edge, 7xxx, 65xx (VSS), ME3600, 3xxx/29xx.
MPLS-VPN w/ L3 VRF-lite/EVN access

Pros:
 L3 to the edge
 Minimizes impact on the distribution layer (no FHRP needed)

Cons:
 Complex route redistribution (between the per-VRF routing of the VRF-lite/EVN access and MP-BGP in the MPLS-VPN core)

Figure: platforms top to bottom: 9xxx at the WAN/Internet/Data Center edge, 7xxx, 65xx, ME3600, 3xxx.
Network Virtualization
Putting It All Together

Figure: the layers of the virtualized campus, from the user edge inward:
 User identification (static/NAC/identity)
 L2 VLANs, per user role
 L3 VRFs
 Path isolation across the campus: VRF-Lite + GRE, VRF-Lite end-to-end, or MPLS VPN
 Extending the VPNs over the MAN/WAN cloud to the WAN, the Internet and the Data Center
 Virtualized services: firewall, ACE
 VLANs partitioning the server farms
Recommended Reading

Complete Your Online Session Evaluation

 Give us your feedback and you could win fabulous prizes. Winners announced daily.
 Receive 20 Passport points for each session evaluation you complete.
 Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
Final Thoughts

 Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
 Come see demos of many key solutions and products in the main Cisco booth 2924
 Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
 Follow Cisco Live! using social media:
  ‒ Facebook: https://www.facebook.com/ciscoliveus
  ‒ Twitter: https://twitter.com/#!/CiscoLive
  ‒ LinkedIn Group: http://linkd.in/CiscoLI
Network Virtualization
Where to Go for More Information

www.cisco.com/go/networkvirtualization