TECIPM-3012
Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Goals of this Session
§ Multi Protocol Label Switching (MPLS) has been widely adopted by
network operators to provide scalable Layer 2 VPN, Layer 3 VPN and
Traffic Engineering services.
§ Enterprises are fast adopting this technology to address network
segmentation, traffic separation needs and data center consolidation.
§ This session covers the major MPLS technology components and the
most widely adopted MPLS applications: Traffic Engineering, Layer 2
VPN and Layer 3 VPN.
BRKRST-1101 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Speakers
§ Hernán Contreras G.
Consulting Systems Engineer
10-Year CCIE R&S, CCIP
Cisco Systems Chile
§ Marcelo Fernandez Y.
Network Consulting Engineer
CCIE SP and R&S, CCIP
Cisco Systems Chile
§ Bernard Wall R.
Network Consulting Engineer
CCIE SP and R&S, CCIP
Cisco Systems Chile
Agenda
§ Introduction
§ MPLS Network Components
§ MPLS QoS
§ MPLS Traffic Engineering
§ MPLS Layer 3 VPNs
§ MPLS Layer 2 VPN
§ High Availability
§ MPLS OAM
§ Summary
Introduction
The business drivers for MPLS
What Is MPLS Technology?
§ It’s all about labels …
§ Use the best of both worlds
Layer-2 (ATM/FR): efficient forwarding and traffic engineering
Layer-3 (IP): flexible and scalable
§ MPLS forwarding plane
Use of labels for forwarding Layer-2/3 data traffic
Labeled packets are being switched instead of routed
Leverage layer-2 forwarding efficiency
§ MPLS control/signaling plane
Use of existing IP control protocols extensions + new protocols
to exchange label information
Leverage layer-3 control protocol flexibility and scalability
Reference Slide: MPLS Transport and Services
[Diagram: two customers share one MPLS core. Customer A sites 1 and 2 attach
through CEs to PEs and use an MPLS L3 VPN service carried over PE-PE LSPs.
Customer B sites 1 and 2 attach to pseudowire endpoints (PWES) on the PEs;
their pseudowires ride a PSN tunnel across the core and present an emulated
Layer 2 service end to end.]
MPLS Domain Scope
Core transport: IGP + LDP, RSVP-TE, Fast Reroute (FRR), DiffServ-aware TE
(DS-TE), QoS, OAM, protection.
Services: IPv4 VPN, IPv6 VPN, multicast VPN, Carrier supporting Carrier (CsC),
Inter-AS VPN, EoMPLS, VPLS, H-VPLS, Internet transport.
MPLS - The Big Picture
[Diagram: end-to-end MPLS services (end-to-end VPN services) layered on top
of the network infrastructure.]
MPLS Technology Framework
§ End-to-end data connectivity services across MPLS networks (from PE to PE)
[Diagram: end-to-end services layered over the network infrastructure.]
What Is a Virtual Private Network?
§ VPN is a set of sites or groups which are allowed to communicate
with each other in a secure way
Typically over a shared public or private network infrastructure
§ VPN is defined by a set of administrative policies
Policies established by VPN customers themselves (DIY)
Policies implemented by VPN service provider (managed/unmanaged)
§ Different inter-site connectivity schemes possible
Ranging from complete to partial mesh, hub-and-spoke
§ Sites may be either within the same or in different organizations
VPN can be either intranet or extranet
§ Site may be in more than one VPN
VPNs may overlap
§ Not all sites have to be connected to the same service provider
VPN can span multiple providers
MPLS VPN Options
MPLS VPN Example
[Diagram: customer CE routers connect over PE-CE links to PE routers at the
edge of the provider network; P routers form the core; the VPN spans the PEs.]
§ PE-CE link
Connects the customer network to the SP network; layer-2 or layer-3
§ VPN
Dedicated connectivity over a shared infrastructure. "Secure" here means
traffic separation between customers, not confidentiality: MPLS VPNs do not
encrypt, so customer data that must be private on the shared core needs
IPsec or similar on top.
Layer 3 and Layer 2 VPN Characteristics
Layer 3 VPNs
1. Packet-based forwarding, e.g. IP
2. SP is involved (participates in customer routing)
3. IP specific
4. Example: RFC 2547bis VPNs (L3 MPLS-VPN, now RFC 4364)
Layer 2 VPNs
1. Frame-based forwarding, e.g. DLCI, VLAN, VPI/VCI
2. No SP involvement (in customer routing)
3. Multiprotocol support
4. Example: FR, ATM, Ethernet
Why Multi Protocol Label Switching?
§ SP/Carrier perspective
Reduce Costs (CAPEX & OPEX)
Consolidated network for multiple customers and Layer-2/3 services
Migrate legacy networks onto single converged network
Network optimization (QoS and TE)
§ Enterprise/end-user perspective
Enables site/campus network segmentation
Allows for dedicated connectivity for users, applications, etc
Virtualization and consolidation of network Resources and Applications
[Pie charts, 2008 data: MPLS adoption by segment: Service Provider 45%,
Enterprise 43%, Government 12%; by geography: European Markets 42%,
US and Canada 27%, Emerging Markets 20% (the remaining share is not legible
in the extracted chart).]
Source: MPLS Tracker and various other internal Cisco databases, based on 2008 data.
Enterprise MPLS Customers
§ Two types of enterprise customers for MPLS
technology
§ MPLS indirectly used as subscribed WAN service
Enterprise subscribes to WAN connectivity data service offered
by external Service Provider
Data connectivity service implemented by Service Provider via
MPLS VPN technology (e.g., layer-2 and layer-3 VPNs)
VPN Service can be managed or unmanaged
MPLS Enterprise Customer Segments
[Bar chart: number of enterprise MPLS customers per vertical segment, from 13
for each of the two largest segments down to 1 for the smallest; the segment
labels did not survive extraction.]
Source: MPLS Tracker and various other internal Cisco databases, based on 2008 data.
Enterprise Network Virtualization
Multi-network integration
• Virtualization: 1 to many
• One network supports many virtual networks
Examples: outsourced IT department, merged company, new segregated
department (regulatory compliance)
Data Center Virtualization
The Full-Service Network: Integrated MPLS Technologies
[Diagram: CE routers attach to PEs of an IP/MPLS backbone that also hosts an
Internet gateway; legend: Layer 3 VPN, Layer 2 VPN, Traffic Engineering.]
§ Layer 3 routing protocols available on PE-CE: static, RIP, OSPF, EIGRP, eBGP
§ IP services like NAT and DHCP can be configured on a per-VPN basis on the
PE router
§ Traffic Engineering for bandwidth protection and restoration
§ Layer 2 circuits available: Ethernet, ATM, Frame Relay, PPP, HDLC
§ QoS mechanisms like queuing and policing are configured at CE and PE routers
MPLS Technology Framework
[Diagram: end-to-end services layered over the core MPLS network infrastructure.]
MPLS Forwarding and Signaling
§ MPLS label forwarding and signaling mechanisms (core MPLS network
infrastructure)
Basic Building Blocks
§ The big picture
MPLS-enabled network devices
Label Switched Paths (LSPs)
§ The internals
MPLS labels
Processing of MPLS labels
Exchange of label mapping information
Forwarding of labeled packets
MPLS Network Overview
[Diagram: MPLS domain of P routers in the core and PE routers at the edge,
with CE routers attached to the PEs. Inside the domain an IGP (OSPF, IS-IS or
EIGRP) provides reachability and LDP or RSVP distributes labels.]
MPLS Control and Forwarding Plane
§ MPLS control plane
Used for distributing labels and building label-switched paths (LSPs)
[Diagram: the routing process builds the RIB from routing updates and
adjacencies; label distribution works on top of the RIB.]
Label Distribution Protocol
§ MPLS nodes need to exchange label information with each other
Ingress PE node (push operation)
Needs to know what label to use for a given FEC to send the packet to its neighbor
Core P node (swap operation)
Needs to know what label to use for the swap operation on incoming labeled packets
Egress PE node (pop operation)
Needs to tell the upstream neighbor what label to use for a specific FEC
§ LDP is used for the exchange of label (mapping) information
Some More LDP Details
§ Assigns, distributes, and installs (in forwarding) labels for prefixes
advertised by unicast routing protocols
OSPF, IS-IS, EIGRP, etc.
§ Also used for Pseudowire/PW (VC) signaling
Used for L2VPN control plane signaling
§ Uses UDP (port 646) hello messages for peer discovery and TCP (port 646)
for the exchange of LDP messages
Any peer that completes the TCP session can inject label bindings, so keep
LDP off customer-facing interfaces and authenticate sessions (LDP supports the
TCP MD5 option; on Cisco IOS, mpls ldp neighbor <addr> password <pw>, with
mpls ldp password required to refuse unauthenticated peers)
§ LDP operations
LDP peer discovery
LDP session establishment
MPLS label allocation, distribution, and updating of MPLS forwarding
§ Information repositories used by LDP
LIB: Label Information Base (read/write)
RIB: Routing Information Base/routing table (read-only)
LDP Operations
§ LDP startup
Local labels assigned to RIB prefixes and stored in the LIB
Peer discovery and session setup
Exchange of MPLS label bindings with peers
§ Programming of MPLS forwarding
Based on LIB information; CEF/MFI updates
[Diagram: MPLS Node A and MPLS Node B. In the LDP control plane: session
setup, label binding exchange; each node reads its RIB, writes its LIB, and
pushes the resulting bindings into MPLS forwarding (CEF/MFI).]
Frame-mode Label Distribution
Label bindings placed into the LIB
Forwarding Equivalence Class
§ Mechanism to map ingress layer-2/3 packets onto a Label
Switched Path (LSP) by ingress PE router
Part of label imposition (Push) operation
§ Variety of FEC mappings possible
IP prefix/host address
Groups of addresses/sites (VPN x)
Used for L3VPNs
Layer 2 circuit ID (ATM, FR, PPP, HDLC, Ethernet)
Used for Pseudowires (L2VPNs)
A bridge/switch instance (VSI)
Used for VPLS (L2VPNs)
Tunnel interface
Used for MPLS traffic engineering (TE)
MPLS Label Operations
[Diagram: a Layer 2/3 packet enters at the ingress PE, which imposes label L1
(push); the first P router swaps L1 for L2, the next swaps L2 for L3; the
egress PE removes L3 (pop, label disposition) and forwards the original packet
to the CE.]
MPLS Label and Label Encapsulation
MPLS label stack entry (32 bits, RFC 3032):
bits 0-19: Label (20 bits)
bits 20-22: EXP (3 bits, "experimental", carry the traffic class)
bit 23: S, bottom of stack (set on the last entry only)
bits 24-31: TTL (8 bits)
Encapsulation on a LAN: MAC header | label header(s) | Layer 2/3 packet.
The label stack sits between the link-layer header and the payload (a "shim"
header); Ethertype 0x8847 marks unicast MPLS frames.
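A worked encoder and decoder for the label stack entry laid out above, added
here as an example and not part of the Cisco deck: it packs label, EXP, S and
TTL into the 32-bit shim, walks a stack until the bottom-of-stack bit, and
performs the swap a P router does on the top entry. The payload bytes and the
label values are constructed for the example; the reserved-label constants are
the RFC 3032 values.

```python
"""Encode and decode MPLS label stack entries (RFC 3032 shim header).

Added example, not from the Cisco deck. Label values and the payload are
constructed for illustration.
"""
import struct

# Reserved label values (0-15 are reserved; real allocations start at 16).
IPV4_EXPLICIT_NULL = 0
ROUTER_ALERT = 1
IPV6_EXPLICIT_NULL = 2
IMPLICIT_NULL = 3          # signalled by LDP/RSVP, never carried on the wire
FIRST_UNRESERVED_LABEL = 16


def encode_entry(label, exp, bottom, ttl):
    """Pack one entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL, network order."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not (0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("exp is 3 bits, ttl is 8 bits")
    if label == IMPLICIT_NULL:
        raise ValueError("implicit-null is signalled but never encoded on the wire")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def encode_stack(entries):
    """entries: list of (label, exp, ttl), top of stack first; S is set on the last."""
    out = bytearray()
    last = len(entries) - 1
    for i, (label, exp, ttl) in enumerate(entries):
        out += encode_entry(label, exp, i == last, ttl)
    return bytes(out)


def decode_stack(frame):
    """Walk entries until S=1; return (entries, payload).

    Raises ValueError when the buffer ends before a bottom-of-stack entry,
    which is how a truncated or malformed stack shows up in practice.
    """
    entries = []
    off = 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack has no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", frame, off)
        entry = {
            "label": word >> 12,
            "exp": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1,
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        off += 4
        if entry["s"]:
            return entries, frame[off:]


def swap_top(frame, new_label):
    """The P-router swap: replace the top label and decrement TTL; EXP and S stay."""
    entries, _ = decode_stack(frame)
    top = entries[0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired")
    new_top = encode_entry(new_label, top["exp"], bool(top["s"]), top["ttl"] - 1)
    return new_top + frame[4:]


def demo():
    """Transport label 5 over VPN label 21, swapped to 7 at a P router."""
    payload = bytes.fromhex("45000054")     # first bytes of an IPv4 header, constructed
    frame = encode_stack([(5, 3, 255), (21, 3, 255)]) + payload
    swapped = swap_top(frame, 7)
    entries, rest = decode_stack(swapped)
    return [(e["label"], e["exp"], e["s"], e["ttl"]) for e in entries], rest == payload
```

demo() returns the stack as the next hop sees it: the top entry is now label 7
with TTL 254, the inner label 21 is untouched, and the payload follows the
entry whose S bit is set.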
The Label Stack
MPLS is recursive: a packet can carry more than one label, and each LSR acts
only on the top one.
[Diagram: Rtr-A's forwarding table has the entry in-label 5, prefix
171.68.10/24, out interface 1, out-label 7. A packet arriving with label stack
{5, 21} and IP destination 171.68.10.12 leaves with stack {7, 21}: the top
label is swapped 5 -> 7, the inner label 21 is untouched.]
Summary Steps For MPLS Forwarding
§ Each node maintains IP routing information via IGP
IP routing table (RIB) and IP forwarding table (FIB)
IP Packet Forwarding Example
[Diagram: three routers in a row, each with a FIB listing prefix and outgoing
interface: router 1: 128.89 -> I/F 1, 171.69 -> I/F 1; router 2: 128.89 -> I/F 0,
171.69 -> I/F 1; router 3: 128.89 -> I/F 0. A packet for 128.89.25.4 is
forwarded hop by hop on a longest-match lookup of its destination address.]
Packets forwarded based on IP address (FIB lookup; the FIB is derived from the RIB)
Step 1: IP Routing (IGP) Convergence
Routing updates (OSPF, EIGRP, ...): "you can reach 171.69 through me".
Each router's MFI/FIB holds prefix and outgoing interface, no labels yet:
Router 1: 128.89 -> I/F 1; 171.69 -> I/F 1
Router 2: 128.89 -> I/F 0; 171.69 -> I/F 1
Router 3: 128.89 -> I/F 0
Step 2a: LDP Assigns Local Labels
Each LSR allocates a local (incoming) label for every prefix in its RIB
(in label, prefix, out I/F):
Router 1: -, 128.89, 1 | -, 171.69, 1
Router 2: 4, 128.89, 0 | 5, 171.69, 1
Router 3: 9, 128.89, 0
Step 2b: LDP Assigns Remote Labels
LDP advertises each local label to the upstream neighbor (downstream
allocation); the advertised label becomes the neighbor's outgoing label
(in label, prefix, out I/F, out label):
Router 1: -, 128.89, 1, 4 | -, 171.69, 1, 5
Router 2: 4, 128.89, 0, 9 | 5, 171.69, 1, 7 ("use label 7 for 171.69", learned
from the next hop toward 171.69)
Router 3: 9, 128.89, 0, -
The label values on these slides are schematic; real allocations start at 16
because 0-15 are reserved.
Step 3: Forwarding MPLS Packets
An IP packet for 128.89.25.4 enters router 1, which pushes label 4; router 2
swaps 4 for 9; router 3 removes label 9 and delivers the IP packet on I/F 0.
Penultimate Hop Popping
LSP to 197.26.15.1/32 (in label, FEC, out label):
Router 1: -, 197.26.15.1/32, 28
Router 2: 28, 197.26.15.1/32, POP
Router 3: -, 197.26.15.1/32, -
The egress (router 3) advertises the implicit-null label (value 3) for its own
prefix, so the penultimate hop pops the label instead of swapping it and the
egress does a single IP lookup. Use explicit-null instead when the egress must
still see the label's EXP bits, e.g. for pipe-mode QoS.
MPLS QoS
Technology Overview and Applications
MPLS Technology Framework
§ MPLS QoS support for traffic marking and classification to enable
differentiated services
Why MPLS QoS?
§ Typically different traffic types (packets) sent over
MPLS networks
E.g., Web HTTP, VoIP, FTP, etc.
MPLS QoS Operations
§ MPLS EXP bits are used for packet classification and prioritization instead
of the IP Type of Service (ToS) field
DSCP values are mapped into EXP bits at the ingress PE router; three EXP bits
give only eight values, so the 64 DSCP code points are collapsed into a few
classes
§ Most providers offer 3-5 service classes
§ Different DSCP <-> EXP mapping schemes
Uniform mode, pipe mode, and short pipe mode
QoS Enabled MPLS
[Diagram: traffic conditioning (TC) at the ingress and egress edges, per-hop
behavior (PHB) applied at every hop in between; point-to-network guarantees.]
Enterprise-to-Service Provider Mapping
Five-Class Provider-Edge Model Remarking Diagram
[Diagram: enterprise DSCP markings are remarked into the provider's PE classes
at the edge; legible rows: Routing CS6; Voice EF -> EF (SP Real Time, 35%);
Interactive Video AF41 -> CS5. The path CE1 -> PE1 (IP/MPLS) -> PE2 -> CE2 is
shown for the uniform, pipe and short pipe tunneling modes.]
MPLS Uniform Mode DiffServ Tunneling
Uniform Mode Operation
[Diagram: in uniform mode the EXP value imposed at the ingress PE is copied
back into the IP DSCP at the egress PE, so a remark by the P routers changes
the customer's marking end to end.]
MPLS Pipe Mode DiffServ Tunneling
Pipe Mode Operation
[Diagram, CE -> PE -> P -> P -> PE -> CE. The shaded area is the provider
DiffServ domain, the unshaded areas the customer DiffServ domain.]
- The packet enters marked IPP3/DSCP AF31.
- At the ingress PE the MPLS EXP value (here EXP 4) is set independently of
  the IPP/DSCP value.
- Assume a policer in the core remarks the top-most label of out-of-contract
  traffic to MPLS EXP 0; the IP header still carries AF31.
- No penultimate hop popping: the label reaches the egress PE, which queues
  the packet on the EXP value of the label (in practice by signalling
  explicit-null so the label and its EXP survive to the egress PE).
- The original customer-marked IP ToS values are preserved; the CE receives
  IPP3/DSCP AF31 unchanged.
[Second drawing, same idea: EXP 3 is marked down to EXP 2 in the core while
the IP DSCP stays at 3 across all five hops.]
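An added example, not from the Cisco deck, that runs one AF31 packet through
the three DiffServ tunneling modes described above. The DSCP-to-EXP table, the
policer's remark value and the EXP-2-to-AF21 mapping are constructed for the
example and are not any provider's real policy. It also encodes the pipe-mode
caveat from the slide: with penultimate hop popping the egress PE never sees
the label's EXP, so pipe mode refuses PHP.

```python
"""Uniform, pipe and short-pipe DiffServ tunnelling across an MPLS core.

Added example (not from the Cisco deck). Models one packet crossing
CE1 -> PE1 (ingress) -> P (policer remarks EXP) -> PE2 (egress) -> CE2 and
reports which marking the customer gets back and which marking the egress PE
queues on. The mapping tables are constructed for the example.
"""

# Constructed mapping: DSCP -> EXP at the ingress PE, EXP -> DSCP on the way out.
DSCP_TO_EXP = {46: 5, 34: 4, 26: 3, 0: 0}          # EF, AF41, AF31, BE
EXP_TO_DSCP = {5: 46, 4: 34, 3: 26, 2: 18, 0: 0}   # EXP 2 maps to AF21 (18) here


def ingress_pe(dscp, mode):
    """Impose the label; EXP is derived from the IP DSCP in all three modes."""
    return {"ip_dscp": dscp, "exp": DSCP_TO_EXP[dscp], "mode": mode}


def core_policer(pkt, out_of_contract, remark_to=2):
    """A P router may mark down the top label's EXP; it never touches the IP header."""
    if out_of_contract:
        pkt["exp"] = remark_to
    return pkt


def egress_pe(pkt, php):
    """Label disposition at the egress PE.

    uniform:    the (possibly remarked) EXP is copied back into the IP DSCP.
    pipe:       DSCP is preserved, egress queuing uses the label EXP, so the
                label must still be present (no PHP, explicit-null instead).
    short_pipe: DSCP is preserved and egress queuing uses the IP DSCP, so PHP is fine.
    Returns (dscp delivered to CE2, marking used for egress queuing).
    """
    mode = pkt["mode"]
    if mode == "uniform":
        dscp = EXP_TO_DSCP[pkt["exp"]]
        return dscp, dscp
    if mode == "pipe":
        if php:
            raise ValueError("pipe mode needs the label at the egress PE: "
                             "signal explicit-null instead of implicit-null")
        return pkt["ip_dscp"], EXP_TO_DSCP[pkt["exp"]]
    if mode == "short_pipe":
        return pkt["ip_dscp"], pkt["ip_dscp"]
    raise ValueError(f"unknown mode {mode!r}")


def run(mode, dscp=26, out_of_contract=True, php=False):
    """End-to-end walk for one packet; defaults reproduce the slide's AF31 case."""
    pkt = ingress_pe(dscp, mode)
    pkt = core_policer(pkt, out_of_contract)
    return egress_pe(pkt, php)
```

With the defaults, uniform mode hands the customer a remarked AF21 packet,
pipe mode preserves AF31 while still queuing on the marked-down EXP, and
short-pipe mode ignores the core's remark entirely at the egress.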
MPLS QoS Summary
§ MPLS QoS used for MPLS packet-specific marking
and classification
Based on EXP bits
MPLS Traffic Engineering
Technology Overview and Applications
MPLS Technology Framework
§ Traffic engineering capabilities for bandwidth management and network
failure protection
Traffic Engineering with MPLS
Utilizes the inherent capability of MPLS to base forwarding decisions on
criteria other than least-cost path determination
The Problem with Shortest-Path
IP (mostly) uses destination-based least-cost routing; the alternate path is
under-utilized.
[Diagram: Router A connects to Router B and Router C over OC-3 links; B-E, C-D
and D-E are DS3 links; E connects to F and to G over OC-3 links. Every link has
IGP cost 10.]
Router A's routing table:
Node  Next-Hop  Cost
B     B         10
C     C         10
D     C         20
E     B         20
F     B         30
G     B         30
§ Some links are DS3 (45 Mb/s), some are OC-3 (155 Mb/s)
§ Router A has 40M of traffic for router F and 40M of traffic for router G
§ Both flows follow A -> B -> E: 80M offered to the DS3 between router B and
router E gives massive (44%) packet loss
§ Changing the metrics so that everything goes A -> C -> D -> E won't help:
that path is DS3 as well
How MPLS TE Solves the Problem
§ Router A sees all links, including their bandwidth, through the IGP TE
extensions
§ Router A computes paths on properties other than just shortest cost and
creates two tunnels, one over B-E and one over C-D-E
§ No link is oversubscribed
Router A's routing table with the tunnels:
Node  Next-Hop  Cost
B     B         10
C     C         10
D     C         20
E     B         20
F     Tunnel 0  30
G     Tunnel 1  30
MPLS TE Overview
How MPLS TE Works
[Diagram: head end, mid-point and tail end of a TE LSP across an IP/MPLS network.]
§ Link information distribution* (IS-IS TE or OSPF TE extensions)
§ Path calculation (CSPF)*
§ Path setup (RSVP-TE)
§ Forwarding traffic down the tunnel: autoroute, static routes, PBR,
CBTS/PBTS (class- or policy-based tunnel selection), forwarding adjacency,
tunnel select
* Optional
Link Information Distribution
For your reference only: http://www.cisco.com/go/mpls
Path Calculation
[Diagram: find the shortest path from R1 to R8 with an 8 Mbps constraint over
an IP/MPLS topology whose links have 15, 3, 5, 10, 10, 10, 8 and 10 Mbps
available; the 3 Mbps and 5 Mbps links are ignored by the computation.]
§ TE nodes can perform constraint-based routing
§ Constraints and the topology database are the input to path computation
§ The shortest-path-first algorithm ignores links not meeting the constraints
§ The tunnel can be signaled once a TE path is found
§ Not required if using offline path computation
For your reference only: http://www.cisco.com/go/mpls
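A constrained SPF over the seven-router topology from the shortest-path
problem earlier in this section, added as an example and not part of the Cisco
deck. The cost-10 links are taken from the routing table on those slides; the
link bandwidths are the nominal OC-3 and DS3 rates, which is an assumption. It
signals the two 40M demands in turn so the second computation sees the first
reservation, which is the difference between plain SPF and CSPF. The same
routine with its exclusion argument is the computation the backup-tunnel
automation later in the deck needs: an NHOP or NNHOP path that avoids the
protected facility.

```python
"""Constrained shortest path first (CSPF) versus plain SPF.

Added example, not from the Cisco deck. Topology: A-B and A-C OC-3, B-E, C-D
and D-E DS3, E-F and E-G OC-3, IGP cost 10 per link (constructed from the
slides; bandwidths are nominal rates).
"""
import heapq

OC3, DS3 = 155.0, 45.0

# Constructed link table: (a, b, igp_cost, bandwidth_mbps); links are bidirectional.
LINKS = [
    ("A", "B", 10, OC3), ("A", "C", 10, OC3),
    ("B", "E", 10, DS3), ("C", "D", 10, DS3), ("D", "E", 10, DS3),
    ("E", "F", 10, OC3), ("E", "G", 10, OC3),
]


def build_graph(links):
    graph = {}
    for a, b, cost, bw in links:
        graph.setdefault(a, {})[b] = (cost, bw)
        graph.setdefault(b, {})[a] = (cost, bw)
    return graph


def cspf(graph, src, dst, bw_needed=0.0, reserved=None,
         exclude_nodes=(), exclude_links=()):
    """Dijkstra over the links that satisfy the constraints.

    reserved maps a link (frozenset of its endpoints) to bandwidth already
    booked. A link is pru ned when its remaining bandwidth is below bw_needed,
    when either end is in exclude_nodes, or when the link is in exclude_links.
    Returns (cost, path) or (None, None) when no path meets the constraints.
    """
    reserved = reserved or {}
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            path = [u]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > dist.get(u, float("inf")):
            continue                                   # stale heap entry
        for v, (cost, bw) in graph[u].items():
            link = frozenset((u, v))
            if u in exclude_nodes or v in exclude_nodes or link in exclude_links:
                continue
            if bw - reserved.get(link, 0.0) < bw_needed:
                continue                               # constraint prunes this link
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return None, None


def reserve(reserved, path, bw):
    """Book bw on every link of path, as RSVP-TE does hop by hop."""
    for u, v in zip(path, path[1:]):
        link = frozenset((u, v))
        reserved[link] = reserved.get(link, 0.0) + bw
    return reserved


def place_tunnels(graph, demands):
    """Signal demands in order; each computation sees what earlier ones reserved."""
    reserved, paths = {}, {}
    for src, dst, bw in demands:
        _, path = cspf(graph, src, dst, bw, reserved)
        paths[(src, dst)] = path
        if path is not None:
            reserve(reserved, path, bw)
    return paths, reserved


def demo():
    graph = build_graph(LINKS)
    spf_f = cspf(graph, "A", "F")[1]                   # plain SPF: both via B-E
    spf_g = cspf(graph, "A", "G")[1]
    te_paths, _ = place_tunnels(graph, [("A", "F", 40.0), ("A", "G", 40.0)])
    # NHOP backup for the protected B-E link: path from B to E avoiding that link.
    backup = cspf(graph, "B", "E", exclude_links={frozenset(("B", "E"))})[1]
    return spf_f, spf_g, te_paths, backup
```

demo() shows SPF sending both 40M flows over B-E, CSPF placing the second
tunnel over C-D-E once the first has reserved 40M on B-E, and the B-E backup
path B-A-C-D-E that a point of local repair would signal around that link.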
TE LSP Signaling
For your reference only
RSVP-TE PATH message objects: EXPLICIT_ROUTE, SESSION_ATTRIBUTE, RECORD_ROUTE
RSVP-TE RESV message objects: LABEL, RECORD_ROUTE
[Diagram: mid-point LFIB entry: input label 17 -> out label 16, interface 0.]
§ The LFIB is populated using the TE LSP labels allocated by RSVP RESV
messages (labels are assigned hop by hop from the tail end back toward the
head end)
http://www.cisco.com/go/mpls
Traffic Selection
[Diagram: TE LSP from head end to tail end.]
§ Traffic enters the tunnel at the head end
Autoroute
[Diagram: physical topology with A - B - E, A - C - D, and F, G, H, I behind E;
Tunnel1 runs from A to E. SPF topology -> autoroute: everything "behind" the
tunnel is routed via the tunnel.]
Router A's routing table before (SPF) and after autoroute:
Node  Next-Hop (SPF)  Next-Hop (Autoroute)  Cost
B     B               B                     10
C     C               C                     10
D     C               C                     20
E     B               Tunnel1               20
F     B               Tunnel1               30
G     B               Tunnel1               30
H     B               Tunnel1               40
I     B               Tunnel1               40
Forwarding Adjacency
interface tunnel xx
 mpls traffic-eng forwarding-adjacency
 isis metric <x> level-<y>
[Diagram: R1 reaches R9 through R2/R3/R4 and through R6/R7; all links have
metric 10. TE tunnels between R2 and R6 are advertised as forwarding
adjacencies with metric 10, so R1 sees two equal-cost paths to R9 and
load-balances between them.]
Configuring Tunnel at Head End (Cisco IOS)
interface Tunnel1
 description FROM-ROUTER-TO-DST1
 ip unnumbered Loopback0
 ! destination (tunnel tail end)
 tunnel destination 172.16.255.3
 ! TE tunnel (as opposed to GRE or others)
 tunnel mode mpls traffic-eng
 ! setup/hold priorities
 tunnel mpls traffic-eng priority 5 5
 ! signaled bandwidth (kb/s)
 tunnel mpls traffic-eng bandwidth 10000
 ! consider links with attribute flags 0x0/0xF
 tunnel mpls traffic-eng affinity 0x0 mask 0xF
 ! tunnel path options: PATH1 first, otherwise dynamic
 tunnel mpls traffic-eng path-option 5 explicit name PATH1
 tunnel mpls traffic-eng path-option 10 dynamic
!
! explicit PATH1 definition
ip explicit-path name PATH1 enable
 next-address 172.16.0.1
 next-address 172.16.8.0
!
Configuring Tunnel at Head End (Cisco IOS XR)
! explicit PATH1 definition
explicit-path name PATH1
 index 1 next-address ipv4 unicast 172.16.0.4
 index 2 next-address ipv4 unicast 172.16.0.7
 index 3 next-address ipv4 unicast 172.16.4.2
!
! MPLS TE P2P tunnel
interface tunnel-te1
 description FROM-ROUTER-TO-DST1
 ipv4 unnumbered Loopback0
 ! setup/hold priorities
 priority 5 5
 ! signaled bandwidth (kb/s)
 signalled-bandwidth 100000
 ! destination (tunnel tail end)
 destination 172.16.255.2
 ! tunnel path options: PATH1 first, otherwise dynamic
 path-option 10 explicit name PATH1
 path-option 20 dynamic
 ! consider links with attribute flags f/f
 affinity f mask f
!
Configuring MPLS TE and Link Information Distribution Using IS-IS (Cisco IOS)
! enable MPLS TE on this node
mpls traffic-eng tunnels
!
interface POS0/1/0
 ip address 172.16.0.0 255.255.255.254
 ip router isis
 ! enable MPLS TE on this interface
 mpls traffic-eng tunnels
 ! attribute flags
 mpls traffic-eng attribute-flags 0xF
 ! TE metric
 mpls traffic-eng administrative-weight 20
 ! maximum reservable bandwidth (kb/s)
 ip rsvp bandwidth 100000
!
router isis
 net 49.0001.1720.1625.5001.00
 is-type level-2-only
 ! enable wide metric format and TE extensions (TE router ID, router level)
 metric-style wide
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-2
 passive-interface Loopback0
!
Configuring MPLS TE and Link Information Distribution Using OSPF (Cisco IOS XR)
router ospf DEFAULT
 area 0
  ! enable TE extensions on this area
  mpls traffic-eng
  interface Loopback0
   passive
  !
  interface POS0/3/0/0
  !
 !
 ! TE router ID
 mpls traffic-eng router-id Loopback0
!
! configuration mode for RSVP global and interface commands
rsvp
 interface POS0/3/0/0
  ! maximum reservable bandwidth (kb/s)
  bandwidth 100000
 !
!
! configuration mode for MPLS TE global and interface commands
mpls traffic-eng
 interface POS0/3/0/0
  ! TE metric
  admin-weight 5
  ! attribute flags
  attribute-flags 0x8
 !
!
MPLS TE Integration with Network Services
A TE LSP provides transport for network services
[Diagram: CEs with ATM, Frame Relay and Ethernet attachments and VPN sites
connect to PEs around an IP/MPLS core; service traffic is steered onto a TE
LSP by routing the BGP next hop into the tunnel ("ip route NH=Green to
TE_Green").]
Per VPN TE
Or even TE inside a VPN
On one side, in addition to the TE tunnel itself:
ip vrf green
 rd 10:2
 ! export map tags selected prefixes with an extra route target
 export map Set_RT70
 route-target both 10:2
!
! under the BGP router process
address-family vpnv4
 neighbor 1.1.12.1 activate
 neighbor 1.1.12.1 send-community extended
 ! outbound route map rewrites the next hop of the tagged prefixes
 neighbor 1.1.12.1 route-map set-pref-nh out
!
access-list 1 permit 100.10.2.12
ip extcommunity-list 70 permit rt:10:70
!
route-map Set_RT70 permit 10
 match ip address 1
 set extcommunity rt:10:70 additive
!
route-map set-pref-nh permit 10
 match extcommunity 70
 set ip next-hop 10.52.52.52
!
The prefix matched by access-list 1 is exported with the additional route
target 10:70; the outbound route map matches that community and advertises
the prefix with next hop 10.52.52.52, a loopback whose route points into the
TE tunnel, so only that VPN traffic is steered onto the tunnel.
MPLS TE Deployment Models
[Diagram: bandwidth optimization, strategic (a mesh of tunnels between R1, R2
and R8 across the IP/MPLS core) versus tactical (single tunnels placed where
needed).]
Strategic Bandwidth Optimization
§ Unconstrained tunnels
§ Inputs for measuring and attributing traffic: interface MIB, communities,
AS path, IP prefix
[Diagram: POPs with server farms across AS65001, AS65002 and AS65003.]
Auto Bandwidth
[Graph over time: the total bandwidth available on a path is shared by all TE
tunnels; each tunnel is periodically resized to its measured rate, bounded by
a configured minimum and maximum, which returns unused bandwidth to the other
tunnels.]
AutoTunnel Mesh
§ Mesh group: LSRs to mesh automatically
§ Membership identified by
Matching the TE router ID against an ACL
IGP mesh-group advertisement
§ Each member automatically creates a tunnel upon detection of a new member
§ Tunnels instantiated from a template
§ Individual tunnels not displayed in the router configuration
[Diagram: when a new mesh group member appears, every existing member builds
a tunnel to it.]
Configuring AutoTunnel Mesh (Cisco IOS)
mpls traffic-eng tunnels
! enable auto-tunnel mesh
mpls traffic-eng auto-tunnel mesh
!
! tunnel template, cloned for each member of mesh group 10
interface Auto-Template1
 ip unnumbered Loopback0
 tunnel destination mesh-group 10
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 ! dynamic (CSPF) path to each mesh group member
 tunnel mpls traffic-eng path-option 10 dynamic
 ! tunnels adjust their bandwidth reservation automatically
 tunnel mpls traffic-eng auto-bw frequency 3600
!
router ospf 16
 log-adjacency-changes
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
 ! advertise mesh group 10 membership in area 0
 mpls traffic-eng mesh-group 10 Loopback0 area 0
 passive-interface Loopback0
 network 172.16.0.0 0.0.255.255 area 0
!
Tactical Bandwidth Optimization
[Diagram: bandwidth optimization, tactical: a single tunnel from R1 or R2 to
R8 placed around a congested link.]
Tactical TE Deployment
[Diagram: service provider backbone toward the Internet; the shortest links
are oversubscribed and a tunnel diverts part of the traffic over the longer
path.]
MPLS TE Deployment Models
[Diagram, repeated as a section divider: strategic versus tactical bandwidth
optimization, leading into traffic protection.]
Traffic Protection Using MPLS TE Fast Re-Route (FRR)
[Diagram: primary TE LSP from R2 to R8 with a backup TE LSP around a
protected link.]
§ Greater protection granularity
§ Cost-effective alternative to 1:1 protection
§ Bandwidth protection
FRR Link Protection Operation
[Diagram: primary TE LSP; backup TE LSP from the node upstream of the
protected link to the node downstream of it (next hop, NHOP).]
FRR Node Protection Operation
[Diagram: primary TE LSP R1 - R2 - R4 - R6 - R7 with labels 16, 22, 36 along
it; backup TE LSP from R2 via R3 to R6, bypassing R4, with backup label 25.
R2 is the PLR, R6 the merge point; R5 is an alternative path.]
§ Requires a next-next-hop (NNHOP) backup tunnel
§ The Point of Local Repair (PLR) swaps to the label the merge point expects
(36) and pushes the backup label (25) on top
§ The backup terminates on the Merge Point (MP), where traffic rejoins the
primary
§ Restoration time depends on failure detection time
Link Protection Example
Primary path: R1 -> R2 -> R3 -> R9
Fast reroute path (backup tunnel around the protected link R2-R3):
R2 -> R6 -> R7 -> R3
[Diagram: head end R1; backup tunnel labels 17 (R2 -> R6) and 22 (R6 -> R7),
popped at R7.]
Normal TE Operation
R1 pushes label 37; R2 swaps 37 with 14; label 14 is popped before the packet
reaches the tail end R9.
[Diagram: the packet leaves R1 as {37 | IP} and leaves R2 as {14 | IP}.]
Fast Reroute Link Failure
When the R2-R3 link fails, R2 (the point of local repair) still swaps 37 with
14 and then pushes the backup tunnel label 17; R6 swaps 17 with 22; R7 pops
22 (penultimate hop of the backup tunnel) and delivers the packet to R3
carrying label 14, exactly as it would have arrived over the failed link. R3
continues as in normal operation.
[Diagram: the packet leaves R1 as {37 | IP}, leaves R2 as {17 | 14 | IP},
leaves R6 as {22 | 14 | IP}, and arrives at R3 as {14 | IP}.]
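The label handling from the LDP walk-through earlier in the deck (Steps 2a,
2b and 3 and penultimate hop popping) and from the FRR link-failure figure
above, as one added simulation that is not part of the Cisco deck. Label
values 37, 14, 17 and 22 match the figure; the LDP part allocates its own
labels from 16 upward, so they differ from the schematic values on the earlier
slides. Router names, prefixes, the assumption that R3 is the penultimate hop
that pops label 14, and the failure itself are constructed for the example.

```python
"""LDP-style label allocation, LFIB forwarding, PHP and an FRR backup tunnel.

Added example, not from the Cisco deck. Topologies, prefixes and the failure
are constructed; the FRR label values follow the deck's figure.
"""
IMPLICIT_NULL = 3           # advertised by the egress: "pop, don't swap"


class LSR:
    """One label switch router with the tables the slides describe."""

    def __init__(self, name):
        self.name = name
        self.local = {}      # prefix -> local (incoming) label; IMPLICIT_NULL at the egress
        self.fib = {}        # prefix -> (next_hop, out_label); used for the ingress push
        self.lfib = {}       # in_label -> (next_hop, out_label); out_label None means pop
        self.backup = {}     # protected next_hop -> (backup_next_hop, backup_label)
        self.down = set()    # next hops whose link has failed
        self._next_label = 16  # 0-15 are reserved (RFC 3032)

    def allocate(self, prefix, egress=False):
        """Step 2a: allocate a local label; the egress advertises implicit-null."""
        if egress:
            self.local[prefix] = IMPLICIT_NULL
        else:
            self.local[prefix] = self._next_label
            self._next_label += 1
        return self.local[prefix]

    def learn(self, prefix, downstream):
        """Step 2b: the downstream neighbour's local label becomes our out-label."""
        remote = downstream.local[prefix]
        out = None if remote == IMPLICIT_NULL else remote      # PHP: pop instead of swap
        self.fib[prefix] = (downstream, out)
        if self.local.get(prefix, IMPLICIT_NULL) != IMPLICIT_NULL:
            self.lfib[self.local[prefix]] = (downstream, out)


def forward(ingress, prefix, max_hops=16):
    """Step 3: carry one packet; return [(router, label stack as it leaves)]."""
    next_hop, out = ingress.fib[prefix]
    stack = [] if out is None else [out]                      # push at the ingress
    trace = [(ingress.name, list(stack))]
    node = next_hop
    for _ in range(max_hops):
        if not stack:                                         # popped upstream: IP lookup
            trace.append((node.name, []))
            return trace
        next_hop, out = node.lfib[stack.pop(0)]               # swap, or pop if out is None
        if out is not None:
            stack.insert(0, out)
        if next_hop in node.down:                             # FRR at the point of local repair
            if next_hop not in node.backup:
                raise RuntimeError(f"{node.name}: link to {next_hop.name} down, no backup")
            next_hop, backup_label = node.backup[next_hop]
            stack.insert(0, backup_label)                     # backup label on top of primary
        trace.append((node.name, list(stack)))
        node = next_hop
    raise RuntimeError("forwarding loop")


def build_ldp_example():
    """Three-router chain PE1 - P - PE2 plus R4 behind P, as on the LDP slides."""
    pe1, p, pe2, r4 = LSR("PE1"), LSR("P"), LSR("PE2"), LSR("R4")
    pe2.allocate("128.89.0.0/16", egress=True)               # 128.89 attached to PE2
    r4.allocate("171.69.0.0/16", egress=True)                # 171.69 attached to R4
    for prefix in ("128.89.0.0/16", "171.69.0.0/16"):
        p.allocate(prefix)
        pe1.allocate(prefix)
    p.learn("128.89.0.0/16", pe2)
    p.learn("171.69.0.0/16", r4)
    pe1.learn("128.89.0.0/16", p)
    pe1.learn("171.69.0.0/16", p)
    return pe1, p


def build_frr_example():
    """Static LFIBs with the deck's FRR labels: primary R1-R2-R3-R9, backup R2-R6-R7-R3."""
    r = {n: LSR(n) for n in ("R1", "R2", "R3", "R6", "R7", "R9")}
    r["R1"].fib["10.9.0.0/16"] = (r["R2"], 37)               # head end pushes 37
    r["R2"].lfib[37] = (r["R3"], 14)                         # primary: swap 37 -> 14
    r["R2"].backup[r["R3"]] = (r["R6"], 17)                  # NHOP backup via R6, label 17
    r["R6"].lfib[17] = (r["R7"], 22)                         # backup tunnel mid-point
    r["R7"].lfib[22] = (r["R3"], None)                       # PHP on the backup; R3 merges
    r["R3"].lfib[14] = (r["R9"], None)                       # assumed PHP toward tail end R9
    return r


def frr_traces():
    """Return the per-hop label stacks before and after the R2-R3 link fails."""
    r = build_frr_example()
    normal = forward(r["R1"], "10.9.0.0/16")
    r["R2"].down.add(r["R3"])                                # R2 becomes the PLR
    return normal, forward(r["R1"], "10.9.0.0/16")
```

In the LDP chain, P learns implicit-null from both egress routers, so its LFIB
entries pop rather than swap and PE2/R4 receive plain IP. In the FRR trace the
repaired packet leaves R2 with two labels, 17 over 14, and R7's pop restores
the single label 14 that R3 expected all along.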
Configuring FRR (Cisco IOS)
Primary Tunnel
interface Tunnel1
 description FROM-ROUTER-TO-DST1-FRR
 ip unnumbered Loopback0
 tunnel destination 172.16.255.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng bandwidth 20000
 tunnel mpls traffic-eng path-option 10 dynamic
 ! indicate the desire for local protection during signaling
 tunnel mpls traffic-eng fast-reroute
!
Backup Tunnel (on the point of local repair)
! explicitly routed backup to 172.16.255.2 with zero bandwidth
interface Tunnel1
 description NNHOP-BACKUP
 ip unnumbered Loopback0
 tunnel destination 172.16.255.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 10 explicit name PATH1
!
interface POS1/0/0
 ip address 172.16.192.5 255.255.255.254
 mpls traffic-eng tunnels
 ! use Tunnel1 as backup for protected LSPs through POS1/0/0
 mpls traffic-eng backup-path Tunnel1
 ip rsvp bandwidth
!
Define a Backup TE Tunnel
hostname P1
!
! destination P2, reached over path EXPL-P1-TO-P2 (the NHOP)
interface Tunnel1
 description P1-P3-P2-BACKUP
 ip unnumbered Loopback0
 no ip directed-broadcast
 tunnel destination 172.16.255.130
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng path-option 10 explicit name EXPL-P1-TO-P2
!
interface Serial2/0
 ! Tunnel1 is the backup for failures on Serial2/0
 mpls traffic-eng backup-path Tunnel1
!
! path with explicit hops
ip explicit-path name EXPL-P1-TO-P2 enable
 next-address 172.16.0.2
 next-address 172.16.0.6
!
Configuring FRR (Cisco IOS XR)
Primary Tunnel
interface tunnel-te1
 description FROM-ROUTER-TO-DST1-FRR
 ipv4 unnumbered Loopback0
 signalled-bandwidth 30000
 destination 172.16.255.2
 ! indicate the desire for local protection during signaling
 fast-reroute
 path-option 10 dynamic
!
Backup Tunnel (on the point of local repair)
! explicitly routed backup to 172.16.255.130 with zero bandwidth
interface tunnel-te1
 description NHOP-BACKUP
 ipv4 unnumbered Loopback0
 destination 172.16.255.130
 path-option 10 explicit name PATH1
!
mpls traffic-eng
 interface POS0/3/0/0
  ! use tunnel-te1 as backup for protected LSPs through POS0/3/0/0
  backup-path tunnel-te 1
 !
!
Bidirectional Forwarding Detection Trigger for FRR
BFD-Triggered TE Fast Re-Route (FRR)
§ BFD is used for failure detection on protected links, triggering the
switchover to the MPLS TE backup path
[Diagram: primary TE tunnel PE1 -> P1 -> P2 -> PE2 with PE1 as head end (HE),
P1 as point of local repair (PLR) and P2 as merge point (MP). The protected
link is P1-P2 and a BFD session runs across it; on failure the PLR switches
to the backup TE LSP and sends a PathErr toward the head end.]
Bandwidth Protection
§ Backup tunnel with associated bandwidth capacity
§ The backup tunnel may or may not actually signal bandwidth
§ The PLR decides the best backup to protect a primary (NHOP/NNHOP, backup
bandwidth, class type, node-protection flag)
[Diagram: primary TE LSP R1 - R2 - R4 - R6 - R7 with backup LSPs via R3 and
R5.]
AutoTunnel: Primary Tunnels
What's the Problem?
§ FRR can protect TE traffic
§ There is no protection mechanism for IP or LDP traffic
§ How to leverage FRR for all traffic?
§ What if protection is desired without traffic engineering?
[Diagram: primary and backup TE LSPs between R1/R2 and R8 over IP/MPLS.]
AutoTunnel: Primary Tunnels
Why One-Hop Tunnels?
§ CSPF and SPF yield the same results (in the absence of tunnel constraints)
§ Autoroute forwards all traffic through the one-hop tunnel
§ Traffic is logically mapped to the tunnel but no label is imposed
(implicit-null)
§ Traffic is forwarded as if no tunnel was in place
[Diagram: one-hop primary TE LSP on each link between R1, R2 and R8.]
AutoTunnel: Primary Tunnels
What's the Solution?
Forward all traffic through a one-hop protected primary TE tunnel
§ Create protected one-hop tunnels on all TE links, with these attributes:
Priority 7/7
Bandwidth 0
Affinity 0x0/0xFFFF
Auto-BW OFF
Auto-Route ON
Fast-Reroute ON
Forwarding-Adj OFF
Load-Sharing OFF
§ Tunnel interfaces not shown on router configuration
§ Configure desired backup tunnels (manually or automatically)
(Figure: IP/MPLS network R1 to R8 with one-hop primary TE LSPs)
Configuring AutoTunnel Primary Tunnels (Cisco IOS)
AutoTunnel: Backup Tunnels
What's the Problem?
§ MPLS FRR requires backup tunnels to be preconfigured
§ Automation of backup tunnels is desirable
(Figure: IP/MPLS network R1 to R8 with a primary TE LSP and a backup TE LSP)
AutoTunnel: Backup Tunnels
What's the Solution?
Create backup tunnels automatically as needed
§ Detect if a primary tunnel requires protection and is not protected
§ Verify that a backup tunnel doesn't already exist
§ Compute a backup path to NHOP and NNHOP excluding the protected facility
§ Optionally, consider shared risk link groups during backup path computation
§ Signal the backup tunnels
(Figure: IP/MPLS network R1 to R8 with a primary TE LSP and the automatically created backup TE LSP)
Configuring AutoTunnel Backup Tunnels (Cisco IOS)
(Callout on the configuration: consider SRLGs, preferably)
What About Path Protection?
§ Primary and backup share head and tail, but diversely routed
§ Expected to result in higher restoration times compared to local protection
§ Doubles number of TE LSPs (1:1 protection)
§ May be an acceptable solution for restricted topologies (e.g. rings)
(Figure: IP/MPLS network R1 to R8 with a primary TE LSP and a diversely routed backup TE LSP)
Configuring Enhanced Path Protection (Cisco IOS)
! list of backup paths
mpls traffic-eng path-option list name PATH-LST
 path-option 10 explicit name PE1-P3-P4-PE2
 path-option 20 explicit name PE1-P5-P6-PE2
 path-option 30 explicit name PE1-P7-P8-PE2
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 172.16.255.2
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 explicit name PE1-P1-P2-PE2
 ! use the path list to protect the primary path
 tunnel mpls traffic-eng path-option protect 10 list name PATH-LST
!
Shared Risk Link Group (SRLG)
(Figure: Layer-3 topology R1, R2, R3, R4, R5 versus the physical topology. SRLG 10: R2-R4, R2-R3; SRLG 20: R4-R2, R4-R3; SRLG 30: R3-R2, R3-R4)
§ Some links may share same physical resource (e.g. fiber, conduit)
§ AutoTunnel Backup can force or prefer exclusion of SRLG to guarantee diversely routed backup tunnels
§ IS-IS and OSPF flood SRLG membership as an additional link attribute
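The backup path computation the AutoTunnel Backup and SRLG slides describe, as an added Python example (not code from the deck or from Cisco): a constrained SPF from the PLR to the merge point that excludes the protected link and, depending on the mode, every link sharing one of its SRLGs. The R1 to R5 topology and the SRLG table follow the slide; the R1/R5 attachments, the metrics and the link names are assumptions.

```python
"""Added example, not from the BRKRST-1101 deck: SRLG-aware backup path
computation as an AutoTunnel Backup PLR would do it ('force' versus 'prefer'
SRLG exclusion). Topology constructed from the slide's R1..R5 drawing and
SRLG table; R1/R5 attachments and all metrics are assumptions."""
import heapq
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Link database: {a, b} -> (TE metric, SRLG ids). From the slide: SRLG 10 = {R2-R4, R2-R3},
# SRLG 20 = {R4-R2, R4-R3}, SRLG 30 = {R3-R2, R3-R4}; the other links are assumed.
LINKS: Dict[FrozenSet[str], Tuple[int, Set[int]]] = {
    frozenset({"R1", "R2"}): (10, set()),
    frozenset({"R1", "R3"}): (10, set()),
    frozenset({"R2", "R4"}): (10, {10, 20}),
    frozenset({"R2", "R3"}): (10, {10, 30}),
    frozenset({"R3", "R4"}): (10, {20, 30}),
    frozenset({"R4", "R5"}): (10, set()),
    frozenset({"R3", "R5"}): (10, set()),
}


def cspf(links, src: str, dst: str, excluded_links: Set[FrozenSet[str]],
         excluded_srlgs: Set[int]) -> Optional[List[str]]:
    """Constrained SPF (Dijkstra) over the links that are neither excluded
    outright nor members of an excluded SRLG. Returns the node list or None."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for link, (metric, srlgs) in links.items():
        if link in excluded_links or srlgs & excluded_srlgs:
            continue
        a, b = tuple(link)
        adj.setdefault(a, []).append((b, metric))
        adj.setdefault(b, []).append((a, metric))
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist.get(node, float("inf")):
            continue
        for nxt, metric in adj.get(node, []):
            nd = d + metric
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def backup_path(links, plr: str, merge_point: str, protected_link: Tuple[str, str],
                srlg_mode: str = "prefer") -> Optional[List[str]]:
    """Backup from the PLR to the merge point (NHOP or NNHOP) avoiding the protected facility.
    srlg_mode: 'none' ignores SRLGs; 'force' requires SRLG diversity (may return None);
    'prefer' tries an SRLG-diverse path first and falls back to a non-diverse one."""
    excluded = {frozenset(protected_link)}
    srlgs = links[frozenset(protected_link)][1]
    if srlg_mode == "none":
        return cspf(links, plr, merge_point, excluded, set())
    diverse = cspf(links, plr, merge_point, excluded, srlgs)
    if diverse is not None or srlg_mode == "force":
        return diverse
    return cspf(links, plr, merge_point, excluded, set())


def without_link(links, a: str, b: str):
    """Copy of the link database with one link removed (to show the 'prefer' fallback)."""
    return {k: v for k, v in links.items() if k != frozenset({a, b})}


if __name__ == "__main__":
    for mode in ("none", "force", "prefer"):
        print(mode, backup_path(LINKS, "R2", "R4", ("R2", "R4"), mode))
    print("no R3-R5, force:", backup_path(without_link(LINKS, "R3", "R5"), "R2", "R4", ("R2", "R4"), "force"))
```

With SRLGs ignored the NHOP backup for R2-R4 is the short R2-R3-R4 path, which shares fiber with the protected link on both hops; with exclusion forced the only diverse path is R2-R1-R3-R5-R4. Remove R3-R5 and 'force' yields no backup at all while 'prefer' silently falls back to the non-diverse path, which is exactly the trade-off the slide's force/prefer knob expresses.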
Configuring SRLG (Cisco IOS)
MPLS TE Deployment Models
(Figure: four quadrants, Tactical versus Strategic deployment and Bandwidth Optimization versus QoS and TE, each drawn on an IP/MPLS network R1 to R8)
Motivations
§ Point-to-point SLAs
§ Admission control
§ Integration with DiffServ
§ Increased routing control to improve network performance
(Figure: IP/MPLS network with PE1, PE2 and PE3)
Network with MPLS TE
§ A solution when: no differentiation required, optimization required
§ Full mesh or selective deployment to avoid over-subscription
§ Adjust link load to actual link capacity
§ No notion of traffic classes
(Figure: TE placed at low service differentiation and high resource optimization; load versus capacity per link)
Network with MPLS DiffServ and MPLS TE
§ A solution when: differentiation required, optimization required
§ Adjust class capacity to expected class load
§ Adjust class load to actual class capacity for one class
§ Alternatively, adjust link load to actual link capacity
(Figure: DiffServ + TE placed at high service differentiation; load versus capacity shown per class for Class1, Class2, Class3)
Network with MPLS DiffServ and MPLS DS-TE
§ A solution when: strong differentiation required, fine optimization required
§ Control both load and capacity per class
§ Adjust class capacity to expected class load
§ Adjust class load to actual class capacity
(Figure: DiffServ + DS-TE placed at high service differentiation and high resource optimization; load versus capacity shown per class for Class1, Class2, Class3)
DiffServ-Aware Traffic Engineering
Bandwidth constraint models
MAM (Maximum Allocation Model)
One BC per CT
Sum of all BCs may exceed maximum reservable bandwidth
Preemption not required to provide bandwidth guarantees per CT
RDM (Russian Dolls Model)
One or more CTs per BC
BC0 always equals the maximum reservable bandwidth
Preemption required to provide bandwidth guarantees per CT
Configuring DS-TE Classes and Bandwidth Constraints (Cisco IOS)
RDM
mpls traffic-eng tunnels
! enable IETF DS-TE
mpls traffic-eng ds-te mode ietf
! explicit TE-Class definition
mpls traffic-eng ds-te te-classes
 te-class 0 class-type 1 priority 0
 te-class 1 class-type 1 priority 1
 te-class 2 class-type 1 priority 2
 te-class 3 class-type 1 priority 3
 te-class 4 class-type 0 priority 4
 te-class 5 class-type 0 priority 5
 te-class 6 class-type 0 priority 6
 te-class 7 class-type 0 priority 7
!
interface POS0/1/0
 ip address 172.16.0.0 255.255.255.254
 mpls traffic-eng tunnels
 ! RDM bandwidth constraints
 ip rsvp bandwidth rdm bc0 155000 bc1 55000
!
MAM
mpls traffic-eng tunnels
! enable IETF DS-TE and use the default TE-Class definition
mpls traffic-eng ds-te mode ietf
! enable MAM
mpls traffic-eng ds-te bc-model mam
!
interface POS0/1/0
 ip address 172.16.0.0 255.255.255.254
 mpls traffic-eng tunnels
 ! MAM bandwidth constraints
 ip rsvp bandwidth mam max-reservable-bw 155000 bc0 100000 bc1 55000
!
Configuring DS-TE Classes and Bandwidth Constraints (Cisco IOS XR)
RDM
rsvp
 interface POS0/3/0/0
  ! RDM bandwidth constraints
  bandwidth rdm bc0 155000 bc1 55000
 !
!
mpls traffic-eng
 interface POS0/3/0/0
 !
 ! enable IETF DS-TE
 ds-te mode ietf
 ! explicit TE-Class definition
 ds-te te-classes
  te-class 0 class-type 1 priority 0
  te-class 1 class-type 1 priority 1
  te-class 2 class-type 1 priority 2
  te-class 3 class-type 1 priority 3
  te-class 4 class-type 0 priority 4
  te-class 5 class-type 0 priority 5
  te-class 6 class-type 0 priority 6
  te-class 7 class-type 0 priority 7
 !
!
MAM
rsvp
 interface POS0/3/0/0
  ! MAM bandwidth constraints
  bandwidth mam max-reservable-bw 155000 bc0 100000 bc1 55000
 !
!
mpls traffic-eng
 interface POS0/3/0/0
 !
 ! enable IETF DS-TE and use the default TE-Class definition
 ds-te mode ietf
 ! enable MAM
 ds-te bc-model mam
!
TE-Class Definition Examples
TE-Class definition MUST be consistent throughout the network
Default TE-Class definition (class-type versus preemption priority 0 to 7):
TE-Class0: CT0 (Global), priority 7
TE-Class1: CT1 (Sub), priority 7
TE-Class4: CT0 (Global), priority 0
TE-Class5: CT1 (Sub), priority 0
(priorities 1 to 6 are not mapped to any TE-Class in the default definition)
Configuring DS-TE Tunnel (Cisco IOS)
Configuring DS-TE Tunnels (Cisco IOS XR)
! signal tunnel-te1 with CT0 (priority and CT must match a valid TE-Class)
interface tunnel-te1
 description FROM-ROUTER-TO-DST1-CT0
 ipv4 unnumbered Loopback0
 priority 5 5
 signalled-bandwidth 100000 class-type 0
 destination 172.16.255.2
 path-option 10 dynamic
!
! signal tunnel-te2 with CT1 (priority and CT must match a valid TE-Class)
interface tunnel-te2
 description FROM-ROUTER-TO-DST1-CT1
 ipv4 unnumbered Loopback0
 priority 0 0
 signalled-bandwidth 50000 class-type 1
 destination 172.16.255.2
 path-option 10 dynamic
!
Class-Based Tunnel Selection: CBTS
Configuring CBTS (Cisco IOS)
! Tunnel1 will carry packets with MPLS EXP 5
interface Tunnel1
 ip unnumbered Loopback0
 tunnel destination 172.16.255.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng bandwidth 50000 class-type 1
 tunnel mpls traffic-eng path-option 10 dynamic
 tunnel mpls traffic-eng exp 5
!
! Tunnel2 will carry packets with MPLS EXP other than 5
interface Tunnel2
 ip unnumbered Loopback0
 tunnel destination 172.16.255.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng bandwidth 100000 class-type 0
 tunnel mpls traffic-eng path-option 10 dynamic
 tunnel mpls traffic-eng exp default
!
! Tunnel10 defined as bundle master with Tunnel1 and Tunnel2 as members
interface Tunnel10
 ip unnumbered Loopback0
 tunnel destination 172.16.255.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng exp-bundle master
 tunnel mpls traffic-eng exp-bundle member Tunnel1
 tunnel mpls traffic-eng exp-bundle member Tunnel2
!
! CBTS performed on prefix 192.168.0.0/24 using Tunnel10
ip route 192.168.0.0 255.255.255.0 Tunnel10
!
Policy-based Tunnel Selection: PBTS
Configuring PBTS (Cisco IOS XR)
! tunnel-te1 will carry packets with MPLS EXP 5
interface tunnel-te1
 ipv4 unnumbered Loopback0
 autoroute announce
 signalled-bandwidth 10000
 destination 172.16.255.2
 policy-class 5
 path-option 10 explicit name PATH1
 path-option 20 dynamic
!
! tunnel-te2 will carry packets with MPLS EXP other than 5 (default tunnel)
interface tunnel-te2
 ipv4 unnumbered Loopback0
 autoroute announce
 signalled-bandwidth 50000
 destination 172.16.255.2
 path-option 10 explicit name PATH2
 path-option 20 dynamic
!
Tunnel-based Admission Control
(Figure: RSVP over DiffServ on the IP segments at each edge; aggregation into and de-aggregation from a TE tunnel across the IP/MPLS core)
MPLS TE Summary
§ MPLS TE can be used to implement traffic engineering to enable
enhanced network availability, utilization, and performance
§ Enhanced network availability can be implemented via MPLS TE
Fast Re-Route (FRR)
Link, node, and path protection
Automatically route around failed links/nodes; like SONET APS
§ Better network bandwidth utilization can be implemented via
creation of MPLS TE tunnels using explicit routes
Route on the non-shortest path
§ MPLS TE can be used for capacity planning by creation of
bandwidth-specific tunnels with explicit paths through the network
Bandwidth management across links and end-to-end paths
MPLS Layer-3 VPNs
MPLS VPN Technology Overview (RFC2547 / RFC4364)
MPLS provides an efficient mechanism for supporting L3 VPNs. This capability is implemented through Virtual Routing/Forwarding (VRF) tables for each customer existing at the Provider Edge routers (PE), which label the packets and route them through the MPLS core to the edge router that is closest to the destination.
§ Traffic separation at Layer 3: each VPN has a unique routing table (VRF)
§ Per-VRF routing/label distribution via MP-BGP and the VPNv4 address family
§ Forwarding of VPN traffic via MPLS label stacking, with privacy and isolation equivalent to the Frame Relay model
(Figure: site 1 to site 4, each with a CE attached to a PE; P routers in the core)
MPLS VPN Connection Model (PE-CE)
(Figure: VPN sites Paris (VPN-A) and London (VPN-B) with CE routers attached to a PE; the PE holds a VRF for VPN-A and a VRF for VPN-B, runs eBGP, OSPF, RIPv2 or static routing toward the CEs and IGP and BGP toward the IP/MPLS backbone of P routers)
§ One VRF created for each customer VPN on PE router (provides routing isolation for different VPNs)
§ VRF associated with one or more customer interfaces
§ VRF has its own instance of routing table (RIB) and forwarding table (FIB, handled by CEF)
§ VRF has its own instance for PE-CE configured routing protocols
VPN Routing & Forwarding Instance (VRF)
(Figure: PE with a VRF for VPN-A (Paris and London CEs) and a VRF for VPN-B (Munich CE); PE-CE routing protocol per VPN: eBGP, RIPv2, static, OSPF, EIGRP; each VRF has its own virtual routing table and virtual forwarding table, separate from the global routing table; IGP and/or BGP toward the core)
• Separate routing context for each VRF ("show ip route vrf <name>")
routing protocol context (BGP-4 & EIGRP & RIP v2), e.g. "address-family ipv4 vrf blue" under the router process
distinct process (OSPF) or distinct address-family instances depending on version
MPLS VPN Connection Model (PE-P)
(Figure: CE routers attached to PE routers at the edge of the MPLS backbone of P routers; an MP-iBGP session between the PEs, configured under "router bgp ..." with "address-family vpnv4")
* Multiprotocol BGP, RFC2858 (obsoleted by RFC4760)
VPN Route Distribution
PE routers exchange VPN-IPv4 updates through MP-iBGP sessions
(Figure: customer route exchange between CE and PE on each side; VPN route exchange between the PEs across the P core through a BGP route reflector (RR); VRFs for VPN 1 and VPN 2 on each PE)
VPNv4 route: RD + IPv4 prefix (e.g. 1:1 10.1.1.0), carried with a Route-Target extended community and an MPLS label
ip vrf Green
 rd 1:100
 route-target export 1:100
 route-target import 1:100
VPNv4 and MP-BGP Update
Route Target: the Route-Target extended community is used to import/export routes from/to VRFs
VPNv4 update: RD (8 bytes) + IPv4 prefix (4 bytes), with the Route-Target extended community (8 bytes) and the MPLS label (3 bytes), carried over MP-iBGP (RFC2858)
(Figure: VPNv4 updates RD1@Net1 with RT 1,2; RD2@Net3 with RT 3; RD4@Net4 with RT 4; a receiving VRF with RT import 1 and RT export 4)
(Figure, step by step: Site 1 CE1 advertises 10.1.1.0/24 to PE1 (next-hop CE-1); PE1, with VRF Green, announces the VPNv4 route RD:10.1.1.0 with next-hop PE-1, RT=Green and label=100 across the MPLS backbone; PE2 receives it and advertises 10.1.1.0/24 to CE2 at Site 2 with next-hop PE-2)
ip vrf Green
 rd 1:100
 route-target export 1:100
 route-target import 1:100
4. PE2 receives the update and checks whether RT=Green (40:103, say) is locally configured within any VRF (RT import); if yes, then
PE2 translates the VPNv4 prefix back into an IPv4 prefix and installs the prefix into the VRF routing table
PE2 updates the VRF CEF table with label=100 for 10.1.1.0/24
§ PE2 advertises this IPv4 prefix to CE2 (using BGP/RIP/OSPF/EIGRP)
MP-BGP peering design
Scalability using Route-Reflectors and clustering
Optional clustering with RT filtering, only for extranet
(Figure: two route reflectors (RR) peered with PE1, PE2 and other PEs across the P core, CEs attached to each PE; MP-iBGP update RD:10.1.1.0, next-hop 197.26.15.1, RT=Green, label=100; an IPv4 packet from CE1 (Paris, 10.1.1.0/24) crosses PE1, P1, P2 and PE2 to CE2 (London) in VPN 1)
MPLS-VPN Forwarding Plane
Packet Forwarding Summary
(Figure: Site 2 CE2 sends an IP packet to 10.1.1.1; PE2 looks up the VRF Green forwarding table, imposes label 100, and the labelled packet crosses P1 and P2 (P3 and P4 on the alternate path) to PE1, which removes the labels and delivers the IP packet to 10.1.1.1 at Site 1 via CE1)
VRF Green Forwarding Table
Dest -> NextHop
10.1.1.0/24 -> PE1, label: 100
(Configuration fragment shown on the slide for PE1, interfaces Se0 / s1:)
router ospf 1
 network 130.130.1.0 0.0.0.3 area 0
MPLS VPN Sample Configuration (Cisco IOS XR, a.k.a. IOX)
Reference
PE-CE Routing: BGP
(Figure: Site 1 CE1 (10.1.1.0/24, PE-CE link address 192.168.10.2) attached to PE1 (192.168.10.1))
router bgp 1
 vrf VPN-A
  rd 1:1
  address-family ipv4 unicast
   redistribute connected
  !
  neighbor 192.168.10.2
   remote-as 2
   address-family ipv4 unicast
    route-policy raj-temp in
   !
  !
 !
!
MPLS-VPN Services: Intranet Model (Any-to-Any connectivity)
Import and export RT values must be equal
(Figure: Site B CE-SB (171.68.2.0/24) attached to PE-B; the central site CE-Central attached to PE-Central)
ip vrf green
 description Green-Site B
 rd 300:111
 route-target export 1:1
 route-target import 1:1
If BGP is used between every PE and CE, and sites use the same BGP ASN, then the as-override knob must be used at the PE.
AS-Override
(Figure: CE-SB (AS 65001) at Spoke B attached to PE-SB; the MPLS VPN backbone is AS 1; PE-Hub attached to CE-Hub (AS 65001) over subinterfaces Eth0/0.1 and Eth0/0.2; with "neighbor ... as-override" on the PE the AS_PATH sent to the hub CE reads 1 1 1 ... instead of carrying the customer's own AS 65001)
Hub and spoke VRF configuration (VRF for Spoke B at PE-SB, VRF HUB-OUT at PE-Hub; only the VRF configuration is shown):
ip vrf green-spoke2
 description VRF for SPOKE B
 rd 300:112
 route-target export 1:1
 route-target import 2:2
!
ip vrf HUB-OUT
 description VRF for traffic to HUB
 rd 300:12
 route-target export 2:2
If BGP is used between every PE and CE, and sites use the same BGP ASN, then the allowas-in and as-override knobs must be used at the PE.

Allow-AS-In
(Figure: the hub CE (AS 65001) re-advertises the spoke routes to PE-Hub (AS 1) with AS_PATH 65001 1 1 1 ...; "neighbor ... allowas-in 4" on the PE lets it accept a path that already contains its own AS, up to four times)
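What the as-override and allowas-in knobs actually do to AS_PATH in the hub-and-spoke case above, as an added Python example (not code from the deck or from Cisco). The AS numbers are the slides' (customer sites in AS 65001, provider backbone AS 1); the route itself, the node names and the hop order are constructed for the example.

```python
"""Added example, not from the BRKRST-1101 deck: AS_PATH handling on a PE when all
customer sites share one ASN. as-override rewrites the CE's ASN to the PE's ASN on
the way out; allowas-in N relaxes the PE's own loop check on the way in. ASNs are the
slides' (65001 customer, 1 provider); the traced route is constructed."""
from typing import List, Tuple


def as_override(local_as: int, neighbor_as: int, as_path: List[int]) -> List[int]:
    """'neighbor ... as-override': every occurrence of the CE's ASN is replaced by the PE's ASN before sending."""
    return [local_as if asn == neighbor_as else asn for asn in as_path]


def accept_inbound(local_as: int, as_path: List[int], allowas_in: int = 0) -> bool:
    """BGP loop detection: a path containing our own ASN is dropped, unless
    'neighbor ... allowas-in N' permits up to N occurrences."""
    return as_path.count(local_as) <= allowas_in


def send(local_as: int, as_path: List[int]) -> List[int]:
    """eBGP advertisement: the sender prepends its own ASN."""
    return [local_as] + as_path


def hub_and_spoke_round_trip(customer_as: int = 65001, provider_as: int = 1,
                             override: bool = True, allowas: int = 0) -> Tuple[bool, bool, List[int]]:
    """Trace a Spoke B prefix: CE-SB -> PE-SB -> PE-Hub -> CE-Hub -> PE-Hub -> PE-SA -> CE-SA.
    Returns (accepted at PE-Hub from the hub CE, accepted at CE-SA, final AS_PATH)."""
    path = send(customer_as, [])                       # CE-SB originates: [65001]
    assert accept_inbound(provider_as, path)           # PE-SB: no AS 1 in the path yet
    to_hub = send(provider_as, path)                   # PE-Hub -> CE-Hub: [1, 65001]
    if override:
        to_hub = as_override(provider_as, customer_as, to_hub)   # -> [1, 1]
    if not accept_inbound(customer_as, to_hub):       # CE-Hub's own loop check
        return False, False, to_hub
    from_hub = send(customer_as, to_hub)               # CE-Hub re-advertises into HUB-IN: [65001, 1, 1]
    if not accept_inbound(provider_as, from_hub, allowas):   # PE-Hub sees its own AS 1
        return False, False, from_hub
    to_spoke = send(provider_as, from_hub)             # PE-SA -> CE-SA: [1, 65001, 1, 1]
    if override:
        to_spoke = as_override(provider_as, customer_as, to_spoke)
    return True, accept_inbound(customer_as, to_spoke), to_spoke


if __name__ == "__main__":
    print("as-override only   :", hub_and_spoke_round_trip(override=True, allowas=0))
    print("allowas-in only    :", hub_and_spoke_round_trip(override=False, allowas=4))
    print("both knobs         :", hub_and_spoke_round_trip(override=True, allowas=4))
```

Without as-override the hub CE drops the spoke route because its own ASN is already in the path; with as-override but no allowas-in it is the PE-Hub that drops the re-advertised route, because the hub CE hands it back with AS 1 inside. Both knobs together are what make the hub-and-spoke round trip work, which is the point the two slides make.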
MPLS-VPN Services:
Hub and Spoke Service: Control Plane
(Figure: Spoke A (CE-SA, 171.68.1.0/24) and Spoke B (CE-SB, 171.68.2.0/24) attached to PE-SA and PE-SB; the hub CE-Hub attached to PE-Hub through VRF HUB-IN and VRF HUB-OUT; PE-Hub sends an MP-iBGP update for 171.68.0.0/16 with label 35 and route-target 2:2, which the spoke VRFs import)
VRF FIB and LFIB at the spoke PEs (FIB: IP forwarding table; LFIB: MPLS forwarding table)
Destination     NextHop   Label
171.68.0.0/16   PE-Hub    35
171.68.1.0/24   CE-SA     (on PE-SA)
171.68.2.0/24   CE-SB     (on PE-SB)

MPLS-VPN Services:
Hub and Spoke Service: Forwarding Plane
(Figure: a packet from Spoke B to 171.68.1.1 leaves CE-SB; PE-SB imposes the label stack L1 over 35 toward PE-Hub, which removes the labels and hands the IP packet to CE-Hub through one hub VRF; the hub sends it back through the other hub VRF toward Spoke A, so spoke-to-spoke traffic always transits the hub)
Extranet Model
All sites of both VPN Green and VPN Orange can communicate with each other.
(Figure: Orange Site A, Orange Site B, Green Site A and Green Site B attached to PEs around a P router; two Orange VRFs with RDs 500:24 and 12:43, two Green VRFs with RD 48:22)
ip vrf Orange
 rd 500:24
 route-target export 500:2
 route-target import 500:1
 route-target import 500:2
!
ip vrf Green
 rd 48:22
 route-target export 500:1
 route-target import 500:1
 route-target import 500:2
!
ip vrf Orange
 rd 12:43
 route-target export 500:2
 route-target import 500:1
 route-target import 500:2
!
ip vrf Green
 rd 48:22
 route-target export 500:1
 route-target import 500:1
 route-target import 500:2
MPLS-VPN Services
Extranet VPN – Advanced Extranet
(Figure: VPN_A Site#1 (71.8.0.0/16) on PE1; VPN_A Site#2 (192.6.0.0/16) and VPN_B Site#1 (180.1.0.0/16) on PE2, across the MPLS backbone)
Use Case 3: Shared Access to Services
(Figure: Company "A" with VPN_A sites and Company "B" with VPN_B sharing access to one service site)
Central services Model (Uncontrolled Access)
Sharing between VPNs with Route-target
Control route advertisement between VRFs
ip vrf green
 rd 20:1
 export map Server1
 route-target export 20:1
 route-target import 20:1
!
access-list 1 permit 100.21.150.0
!
route-map Server1 permit 10
 match ip address 1
 set extcommunity rt 20:50 additive
(Works also with an import map)
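The four Route-Target designs shown on the preceding slides (intranet, hub and spoke, extranet, and the central-services export map), evaluated by a small model of VPNv4 route distribution, as an added Python example (not code from the deck or from Cisco). RDs and RTs are the slides'; VRF names carry an assumed PE suffix, and the prefixes, the second spoke (RD 300:113), the HUB-IN RD (300:11) and the extra customer VRF "blue" are constructed for the example.

```python
"""Added example, not from the BRKRST-1101 deck: VPNv4 route distribution by
Route-Target. A VRF's prefixes are exported as RD:prefix tagged with its export
RTs (plus any export-map RTs); a remote VRF installs a route iff it imports one
of those RTs. RDs/RTs from the slides; prefixes, PE suffixes and the extra
spoke/hub/customer VRFs are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Vrf:
    name: str                 # unique per PE in this model (vrf@PE)
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    prefixes: List[str] = field(default_factory=list)
    # 'export map': extra RTs attached per prefix ('set extcommunity rt ... additive')
    export_map: Optional[Callable[[str], Set[str]]] = None


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset
    origin: str


def export_routes(vrf: Vrf) -> List[Vpnv4Route]:
    """Advertising PE: each VRF prefix becomes RD:prefix tagged with the export RTs."""
    routes = []
    for prefix in vrf.prefixes:
        rts = set(vrf.export_rt)
        if vrf.export_map is not None:
            rts |= vrf.export_map(prefix)
        routes.append(Vpnv4Route(vrf.rd, prefix, frozenset(rts), vrf.name))
    return routes


def import_routes(vrf: Vrf, vpnv4_table: List[Vpnv4Route]) -> Set[str]:
    """Receiving PE: a VPNv4 route lands in a VRF iff one of its RTs is imported there."""
    return {r.prefix for r in vpnv4_table if r.origin != vrf.name and r.rts & vrf.import_rt}


def reachability(vrfs: List[Vrf]) -> Dict[str, Set[str]]:
    """What every VRF learns from all the others through MP-BGP."""
    table = [r for v in vrfs for r in export_routes(v)]
    return {v.name: import_routes(v, table) for v in vrfs}


def intranet() -> Dict[str, Set[str]]:
    # Any-to-any: every site exports and imports the same RT 1:1 (slide: Site B, rd 300:111)
    return reachability([
        Vrf("green@PE-B", "300:111", {"1:1"}, {"1:1"}, ["171.68.2.0/24"]),
        Vrf("green@PE-Central", "300:110", {"1:1"}, {"1:1"}, ["171.68.0.0/16"]),     # RD assumed
    ])


def hub_and_spoke() -> Dict[str, Set[str]]:
    # Spokes export 1:1 and import only the hub's 2:2, so spoke-to-spoke traffic transits the hub
    return reachability([
        Vrf("green-spoke2@PE-SB", "300:112", {"1:1"}, {"2:2"}, ["171.68.2.0/24"]),
        Vrf("green-spoke1@PE-SA", "300:113", {"1:1"}, {"2:2"}, ["171.68.1.0/24"]),   # RD assumed
        Vrf("HUB-IN@PE-Hub", "300:11", set(), {"1:1"}),                               # RD assumed
        Vrf("HUB-OUT@PE-Hub", "300:12", {"2:2"}, set(), ["171.68.0.0/16"]),
    ])


def extranet() -> Dict[str, Set[str]]:
    # Each VPN exports its own RT and imports both, so Orange and Green see each other
    return reachability([
        Vrf("Orange@PE1", "500:24", {"500:2"}, {"500:1", "500:2"}, ["10.2.0.0/16"]),   # prefix constructed
        Vrf("Green@PE2", "48:22", {"500:1"}, {"500:1", "500:2"}, ["10.1.0.0/16"]),     # prefix constructed
    ])


def server1_export_map(prefix: str) -> Set[str]:
    """route-map Server1: only the prefix matched by access-list 1 gets the extra RT 20:50."""
    return {"20:50"} if prefix == "100.21.150.0/24" else set()


def central_services() -> Dict[str, Set[str]]:
    # Only the server prefix is shared with another VPN; the rest of 'green' stays private
    return reachability([
        Vrf("green@PE-srv", "20:1", {"20:1"}, {"20:1"}, ["100.21.150.0/24", "100.21.151.0/24"], server1_export_map),
        Vrf("green@PE-site", "20:2", {"20:1"}, {"20:1"}, ["10.3.0.0/16"]),           # RD assumed
        Vrf("blue@PE-cust", "30:1", set(), {"20:50"}),                               # other customer, constructed
    ])


if __name__ == "__main__":
    for scenario in (intranet, hub_and_spoke, extranet, central_services):
        print(scenario.__name__, scenario())
```

The check a practitioner wants from this model is the negative one: in the hub-and-spoke case the spoke VRFs learn only the hub's 171.68.0.0/16 and never each other's /24, and in the central-services case the "blue" customer learns the server prefix and nothing else from green, because 20:50 is attached by the export map to that one prefix only.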
MPLS-VPN Services
Internet Access Service to VPN Customers
§ Internet access service could be provided as another value-added service to VPN customers
§ Security mechanisms must be in place at both the provider network and the customer network, to protect against threats from the Internet
§ VPN customers benefit from a single point of contact for both Intranet and Internet connectivity
Four options to provide the Internet service:
1. VRF specific default route with "global" keyword
2. Separate PE-CE sub-interface (non-VRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT
MPLS-VPN Services: Internet Access
Option#1: VRF specific default route with "global" keyword
(Figure: PE1 with VRF VPN-A, connected across P to the Internet GW 192.168.1.1)
PE1#
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 ! 'ip vrf forwarding' must come before the address: applying it clears the interface address
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 redistribute static
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
• Static default route to move traffic from the VRF to the Internet (global routing table)
• Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
MPLS-VPN Services: Internet Access
Option#2: Separate PE-CE Subinterfaces
May run BGP to propagate Internet routes between PE and CE
(Figure: Site1 (71.8.0.0/16) CE1 attached to PE1 over two subinterfaces, Se0.1 in VRF VPN-A and Se0.2 in the global table (192.168.1.2); PE1 peers by iBGP with the Internet GW 192.168.1.1 across the MPLS backbone (P, PE2); PE1's global table and FIB hold the Internet routes via 192.168.1.1 with label=30)
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
Pros
§ CE is dual-homed and can perform optimal routing
§ Traffic separation done by CE: Network Address Translation (NAT) and firewall, if required, for security
Cons
§ PE has to hold full Internet routes or a default route via the Internet GW
§ BGP complexities introduced at CE; CE1 may need to aggregate to avoid AS_PATH looping
MPLS-VPN Services: Internet Access
Extranet with Internet-VRF along with VRF-aware NAT
• Has the concept of outside/inside interfaces in NAT
• NAT inspects all traffic routed VRF-to-VRF or VRF-to-Global
• All native NAT applications are supported
(Figure: NAT PE with inside interfaces in VRF-A and VRF-B (sites CE-A1, CE-A2, CE-B1, CE-B3; the address block 10.88.1.0 is used in both VPNs, alongside 10.88.2.0 and 10.88.3.0) and the Internet gateway I-GW on the outside)
MPLS VPN Services:
Loadsharing for the VPN Traffic
(Figure: route advertisement from PE11 via the RR)
MPLS VPN Services:
Loadsharing for the VPN Traffic: Deployment
(Figure: Site A CE1 (171.68.2.0/24) dual-homed to PE11 and PE12; Site B CE2 attached to PE2; route reflector RR in the MPLS backbone. Step 1: PE11 and PE12 advertise the site prefix with distinct RDs; step 2: PE2 installs both paths.)
PE11 and PE12 (unique RD per VRF per PE):
ip vrf green
 rd 300:12
 route-target both 1:1
!
ip vrf green
 rd 300:13
 route-target both 1:1
PE2:
ip vrf green
 rd 300:11
 route-target both 1:1
!
router bgp 1
 address-family ipv4 vrf green
  maximum-paths eibgp 2
MPLS VPN Services:
Loadsharing for the VPN Traffic
(Figure: route advertisement from PE11 via the RR)
§ If an RR exists in the network, then the RR must advertise all the BGP paths learned via PE11 and PE12 to the remote PE routers that are to select BGP multipaths
Please note that without a unique RD per VRF per PE, the RR would advertise only one of the received paths for 171.68.2.0/24 to the other PEs
§ Watch out for the increased memory consumption (within BGP) due to multipaths at the PEs
§ "eiBGP multipath" implicitly provides both eBGP and iBGP multipath for VPN paths
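Why the unique RD matters when a route reflector sits between PE11/PE12 and PE2, as an added Python example (not code from the deck or from Cisco): the RR keeps one best path per VPNv4 NLRI, and the NLRI is RD:prefix, so two PEs advertising the same RD:prefix collapse into one path before PE2 ever sees them. RDs (300:11, 300:12, 300:13) and the prefix 171.68.2.0/24 are the slides'; the labels and the tie-break rule are constructed.

```python
"""Added example, not from the BRKRST-1101 deck: route-reflector behaviour
behind 'maximum-paths eibgp'. The RR selects per (RD, prefix) key; the remote
PE multipaths across whatever distinct next-hops survive reflection. RDs and
prefix from the slides; labels and the tie-break are constructed."""
from typing import Dict, List, NamedTuple, Tuple


class Vpnv4Path(NamedTuple):
    rd: str
    prefix: str
    next_hop: str      # advertising PE (next-hop-self)
    label: int


def rr_reflect(received: List[Vpnv4Path]) -> List[Vpnv4Path]:
    """Route reflector: one best path per NLRI key (rd, prefix). The tie-break used
    here (lowest next-hop address/name) stands in for the full BGP decision process."""
    best: Dict[Tuple[str, str], Vpnv4Path] = {}
    for path in received:
        key = (path.rd, path.prefix)
        if key not in best or path.next_hop < best[key].next_hop:
            best[key] = path
    return list(best.values())


def pe_multipaths(reflected: List[Vpnv4Path], prefix: str, maximum_paths: int = 2) -> List[str]:
    """Remote PE with 'maximum-paths eibgp N': after import, all distinct next-hops
    for the IPv4 prefix count, whatever RD they arrived with, up to N."""
    hops = sorted({p.next_hop for p in reflected if p.prefix == prefix})
    return hops[:maximum_paths]


def advertise(rd_pe11: str, rd_pe12: str) -> List[str]:
    """CE1 (171.68.2.0/24) is dual-homed to PE11 and PE12; both advertise through the RR to PE2.
    Returns the next-hops PE2 ends up load-sharing over."""
    received = [
        Vpnv4Path(rd_pe11, "171.68.2.0/24", "PE11", 16001),   # labels constructed
        Vpnv4Path(rd_pe12, "171.68.2.0/24", "PE12", 16002),
    ]
    return pe_multipaths(rr_reflect(received), "171.68.2.0/24")


if __name__ == "__main__":
    print("same RD on both PEs  :", advertise("300:11", "300:11"))
    print("unique RD per PE     :", advertise("300:12", "300:13"))
```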
MPLS VPN Services:
Loadsharing for the VPN Traffic: Cases
(Figure, case 1, one CE -> two PEs: Site A CE1 (171.68.2.0/24) dual-homed to PE11 and PE12; traffic from Site B CE2 via PE2 is load-shared across both. Case 2, two CEs -> two PEs: Site A has CE1 on PE11 and CE2 on PE12, both advertising 171.68.2.0/24; the RR reflects both paths and PE2 load-shares.)
Multi-VRF CE (i.e. VRF-Lite)
Ability to create VRF without MPLS switching
Allows to push 'PE-like' function to CE
ip vrf green
 rd 3000:111
ip vrf blue
 rd 3000:222
ip vrf red
 rd 3000:333
• No labels required
• Single physical link
• Logical link per VRF for separation
• 802.1q, FR/ATM VCs, GREs
(Figure: a Multi-VRF CE router (single router supporting multiple VRF instances: green, red, ...) connected over 802.1q subinterfaces to a PE in the MPLS domain of the IP VPN service; CE routing updates via eBGP, OSPF, RIPv2 or static; the PE belongs to the provider's iBGP domain)
VRF-aware IP-services
Example: VRF-lite + 802.1Q (for your reference only)
§ Layer-2 access
§ No BGP or MPLS
§ VRF-lite configured on core and distribution nodes
§ Every link is a 802.1Q trunk
§ Many-to-many model
§ Restricted scalability
§ Typical for department inter-connectivity
(Figure: Layer-2 access blocks for VPN1 and VPN2 attached to a Layer 3 core of Multi-VRF nodes interconnected by 802.1Q trunks)
VRF-Lite over GRE
Control Plane
(Figure: a Multi-VRF CE at the branch site with one GRE tunnel per VRF over the IPv4 service, terminating on a c-PE in the campus/MAN MPLS network)
VRF-Lite over GRE
Forwarding Plane
(Figure: an mGRE tunnel per VRF from the branch Multi-VRF CE over the IPv4 service to the campus/MAN c-PE, with a per-VRF NHRP server)
MPLS over Point-to-Point GRE
Control Plane
(Figure: a GRE tunnel from the core/branch site across the IPv4 VPN service to the c-PE in the campus/MAN MPLS network; the SP LDP and SP VPN labels are carried inside GRE. Encapsulation at each stage: IP outer / GRE / VPN label / IP, with the customer IP packet unchanged end to end)
MPLS VPN Inter-AS
How to provide VPN connectivity between different providers?
(Figure: Provider X (AS #1) with PE-1, RR1 and ASBR1; Provider Y (AS #2) with PE2, RR2 and ASBR2; CE-1 (VPN-A, 149.27.2.0/24) attached to PE-1 via BGP, OSPF or RIPv2, CE2 (VPN-A) attached to PE2; MP-iBGP update 149.27.2.0/24, NH=CE-1 inside AS #1, and a question mark between the ASBRs)
Problem:
How do Provider X and Provider Y exchange VPN routes?
How to forward traffic between PEs belonging to different ASs?
Inter-AS Deployment Scenarios
Following options/scenarios for deploying Inter-AS:
1. Back-to-Back VRFs (Option A)
2. MP-eBGP between ASBRs (Option B)
3. Multihop MP-eBGP between RRs (Option C)
4. Non-VPN Transit Provider
Each option is covered in additional slides
(Figure: AS #1 with PE1 and ASBR1, AS #2 with ASBR2 and PE2; CE1 and CE2 in VPN-A)
Option A: Back-to-Back VRF
Forwarding Plane
(Figure: a packet for 10.1.1.1 from CE-3 (VPN-B) enters PE-2, is label switched across P2 to ASBR-2 (labels 29 and 92 in AS #2), crosses the per-VRF link between ASBR-2 and ASBR-1 as a plain IP packet, is label switched again across P1 to PE-1 (labels 30 and 20 in AS #1) and delivered to CE-2 (VPN-B, 10.1.1.0/24))
Pros
§ Per-customer QoS is possible
§ It is simple and elegant since there is no need to load the Inter-AS code (but still not widely deployed)
Cons
§ Not scalable: the number of interfaces on both ASBRs is directly proportional to the number of VRFs
§ No end-to-end MPLS
§ Unnecessary memory consumed in RIB/(L)FIB
§ Dual-homing of ASBR makes provisioning worse
Option B: MP-eBGP between ASBRs for VPN Control Plane
ASBRs exchange VPN routes using eBGP (VPNv4 address family)
(Figure, updates in order:)
CE-2 -> PE-1 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=CE-2
PE-1 -> ASBR-1 (MP-iBGP update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, label=(40)
ASBR-1 -> ASBR-2 (MP-eBGP update): RD 1:27:10.1.1.0/24, NH=ASBR-1, RT=1:1, label=(20)
ASBR-2 -> PE-2 (MP-iBGP update): RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, label=(30)
PE-2 -> CE-3 (BGP, OSPF, RIPv2): 10.1.1.0/24, NH=PE-2
Pros
§ More scalable: only one interface between the ASBR routers, no VRF configuration on the ASBR, less memory consumption (no RIB/FIB memory)
§ MPLS label switching between providers
§ Still simple, more scalable and works today
Cons
§ Automatic route filtering must be disabled, but we can apply BGP filtering
§ ASBRs are still required to hold VPN routes
Option C: Multihop MP-eBGP Between RRs for VPN Routes: Control Plane
Exchange VPNv4 prefixes with labels via the Route Reflectors
Multihop MP-eBGP for VPNv4 (next-hop unchanged)
VPN routes (next-hop PE-1 preserved end to end):
PE-1 -> RR-1 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, label=(90)
RR-1 -> RR-2 (multihop MP-eBGP VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, label=(90)
RR-2 -> PE-2 (VPNv4 update): RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, label=(90)
Reachability of PE-1 (transport):
AS#1, IGP+LDP: Network=PE-1, NH=PE-1, label=(40)
ASBR-1 -> ASBR-2 (eBGP IPv4 + labels): Network=PE-1, NH=ASBR-1, label=(20)
AS#2, IGP+LDP: Network=PE-1, NH=ASBR-2, label=(30)
PE-CE (BGP, OSPF, RIPv2): CE-2 -> PE-1: 10.1.1.0/24, NH=CE-2; PE-2 -> CE-3: 10.1.1.0/24, NH=PE-2
Option C: Forwarding Plane
(Figure: a packet for 10.1.1.1 from CE-3 enters PE-2, which imposes the VPN label 90 under the transport labels (50 toward ASBR-2 in AS#2); ASBR-2 swaps the transport label to 20 toward ASBR-1; ASBR-1 swaps it to 40 toward PE-1; the VPN label 90 stays unchanged end to end; PE-1 pops it and delivers 10.1.1.1 to CE-2 in VPN-B)
Pros
§ More scalable than Option A and B
§ Separation of control and forwarding planes
§ Route Reflectors exchange VPNv4 routes+labels (the RRs hold the VPNv4 information anyway)
§ ASBRs now exchange only IPv4 routes+labels; the ASBR forwards MPLS packets
Cons
§ Advertising PE addresses to another AS may not be acceptable to some providers
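The Option B and Option C forwarding planes walked hop by hop through a toy LFIB, as an added Python example (not code from the deck or from Cisco). The VPN/BGP labels are the slides' (40, 20, 30 for Option B; 90 end to end plus 40, 20, 30 for Option C); the LDP transport labels 1002 and 1001 (Option B) and 50 (Option C), the P router names and penultimate hop popping are assumptions.

```python
"""Added example, not from the BRKRST-1101 deck: LFIB walk of the Inter-AS
Option B and Option C forwarding planes. Labels 40/20/30 and 90 are the
slides'; transport labels 1002, 1001 and 50, P router names and PHP are assumed."""
from typing import Dict, List, Tuple

# LFIB entry: incoming top label -> (action, labels that replace it, next hop or egress VRF)
Entry = Tuple[str, List[int], str]
Tables = Tuple[Dict[str, Tuple[List[int], str]], Dict[str, Dict[int, Entry]]]

# Option B: the ASBRs swap the VPN label at the AS boundary
OPTION_B: Tables = (
    # ingress VRF FIB on PE-2: 10.1.1.0/24 via ASBR-2 with VPN label 30 under LDP label 1002 (assumed)
    {"10.1.1.0/24": ([1002, 30], "P2")},
    {
        "P2": {1002: ("pop", [], "ASBR-2")},          # PHP of the AS#2 transport label
        "ASBR-2": {30: ("swap", [20], "ASBR-1")},      # VPN label 30 -> 20 (label learned over MP-eBGP)
        "ASBR-1": {20: ("swap", [1001, 40], "P1")},    # VPN label 20 -> 40 (PE-1's), push AS#1 transport label 1001
        "P1": {1001: ("pop", [], "PE-1")},
        "PE-1": {40: ("pop", [], "VPN-B")},            # the VPN label selects the VRF on the egress PE
    },
)

# Option C: VPN label 90 is end to end; only the transport (BGP/LDP) labels change
OPTION_C: Tables = (
    # PE-2: BGP label 30 for PE-1 (from ASBR-2), LDP label 50 toward ASBR-2 (assumed), VPN label 90 from the RR
    {"10.1.1.0/24": ([50, 30, 90], "P2")},
    {
        "P2": {50: ("pop", [], "ASBR-2")},
        "ASBR-2": {30: ("swap", [20], "ASBR-1")},      # BGP label 30 -> eBGP IPv4+label 20 for PE-1
        "ASBR-1": {20: ("swap", [40], "P1")},          # eBGP label 20 -> LDP label 40 for PE-1 in AS#1
        "P1": {40: ("pop", [], "PE-1")},
        "PE-1": {90: ("pop", [], "VPN-B")},
    },
)


def trace_packet(tables: Tables, prefix: str, ingress: str = "PE-2") -> Tuple[List[Tuple[str, Tuple[int, ...]]], str]:
    """Follow a VPN packet from the ingress PE's VRF FIB through each LFIB until the
    last label is popped. Returns [(node, label stack after that node)] and the egress VRF."""
    vrf_fib, lfib = tables
    labels, node = vrf_fib[prefix]
    stack = list(labels)                       # top of stack first
    hops = [(ingress, tuple(stack))]
    while stack:
        action, out, next_hop = lfib[node][stack[0]]
        stack = (out if action == "swap" else []) + stack[1:]
        hops.append((node, tuple(stack)))
        if not stack:
            return hops, next_hop              # bottom label popped: hand over to the VRF
        node = next_hop
    raise ValueError("empty label stack at ingress")


def bottom_labels(hops) -> List[int]:
    """The VPN (bottom-of-stack) label as seen at every labelled hop."""
    return [stack[-1] for _, stack in hops if stack]


if __name__ == "__main__":
    for name, tables in (("Option B", OPTION_B), ("Option C", OPTION_C)):
        hops, vrf = trace_packet(tables, "10.1.1.0/24")
        print(name, "->", vrf)
        for node, stack in hops:
            print("  ", node, list(stack))
```

The bottom label is what distinguishes the two designs operationally: under Option B it is rewritten at each ASBR (30, 20, 40), so both ASBRs must hold the VPN routes, whereas under Option C it is 90 from PE-2 to PE-1 and the ASBRs only touch the transport label, which is the "separation of control and forwarding planes" claimed above.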
MPLS VPN Inter-AS Option AB
(Figure, the options side by side:)
Option A: data forwarding on a per-VRF interface between ASBR1 and ASBR2 (vpn-B and vpn-G each on its own interface)
Option B: MP-eBGP between the ASBRs for all VPNv4 updates, over one interface
Option C: multihop MP-eBGP between RR1 and RR2 for the VPNv4 updates, and eBGP IPv4 + labels or IGP + LDP between the ASBRs
Option AB: MP-eBGP between the ASBRs on a control plane interface in the global table; data forwarding on a per-VRF interface as in Option A
§ Option A offers better security but is not scalable for high numbers of VPNs as it requires a per-VRF routing session
§ Option B removes per-VRF routing sessions but VPN traffic is forwarded over the same interface(s)
MPLS VPN Inter-AS Option AB
Control & Forwarding Plane
Control plane (VPNv4 updates for P=152.12.4.0/24 of VPN-B):
CE-1 -> PE-1 (eBGP, OSPF, RIPv2): P=152.12.4.0/24, NH=CE1
PE-1 -> ASBR1 (VPNv4 update): RD1:P, NH=PE1, RT=100:1, label=(L1)
ASBR1 -> ASBR2 (VPNv4 update over the global control-plane interface): RD2:P, NH=ASBR1, RT=100:1, label=(L2)
ASBR2 -> PE-2 (VPNv4 update): RD3:P, NH=ASBR2, RT=100:1, label=(L3)
PE-2 -> CE-4 (eBGP, OSPF, RIPv2): P=152.12.4.0/24, NH=PE2
Forwarding plane: labelled with L1 within AS1 and L3 within AS2; between ASBR1 and ASBR2 the packet is forwarded as plain IP on the per-VRF interface, as in Option A
(Figure: AS 1 with PE-1, CE-1 (VPN-B Site1) and CE-2 (VPN-G Site1); AS 2 with PE-2, CE-3 (VPN-G Site2) and CE-4 (VPN-B Site2))
Multicast VPN Overview
• Allows MPLS VPN customers to access multicast content
• Uses draft-rosen-vpn-mcast encapsulation and signaling to build MVPNs
• Highly efficient: multicast tree built dynamically in the core
(Figure: Red and Blue VPNs, each with its own RP and CE1 to CE3 running PIM-SM (PIM-BIDIR on one Red site), attached to PE1 to PE4; the provider core between the PEs runs PIM-SSM)
Multicast VPN Solution
Concept - Multicast Domains
(Figure: CEs attached to PE1, PE2, PE3 across the provider network; each PE has an mVRF and a global multicast table; a per-VRF MDT spans the PEs)
§ PE routers build a default MDT in the global table for each of their mVRFs using standard PIM procedures
All PEs participating in the same mVPN join the same Default-MDT
A PE is always a root (source) of the MDT
A PE is also a leaf (receiver) of the MDTs rooted on remote PEs
Control and data packets are transported per VRF over the Default MDT
• PEs establish a per-VRF PIM relationship for Multicast VPN
• Low-speed multicast traffic from the VPN is encapsulated in the Default MDT
Default-MDT group address
configuration
[Figure: PE1, PE2, PE3 and PE4 around a P router. MDT tree for the Green VPN (239.1.1.1) and MDT tree for the Red VPN (239.1.1.2). The same VRF stanza is configured on every PE that participates in a given mVPN, so that all of them join the same default MDT group.]
ip vrf green
 rd 1:80
 route-target export 1:80
 route-target import 1:80
 mdt default 239.1.1.1
!
ip vrf red
 rd 1:99
 route-target export 1:99
 route-target import 1:99
 mdt default 239.1.1.2
Default Multicast Distribution Tree
[Figure: mVPN B. Default MDT (*,239.192.10.2) rooted at one PE with the other PEs as leaves; the PEs reach it through Multicast Tunnel Interfaces and connect customer sites CE B1, CE B2 and CE B3.]
• The Default MDT is used as a permanent channel for both PIM control messages and low-bandwidth streams
• Access to the Default MDT from the mVRF is via a Multicast Tunnel Interface (MTI)
Appears as a “TunnelX” interface in the mVRF
RPF is executed against the MTI
• A PE is always a root (source) of the MDT
• A PE is also a leaf (receiver) of the MDTs rooted on remote PEs
Multicast VPN – Control Plane
Multicast Domains
[Figure: PE routers at the edge of the provider network, each attached to customer CEs.]
Multicast Domains – Forwarding Plane
Forwarding is achieved by encapsulating the C-packet into a P-packet using GRE
[Figure: Sender 192.1.1.1 behind CE/PE 10.1.1.1, receiver 192.2.2.2 behind CE/PE 10.2.2.2. C-data-packet: S=192.1.1.1, D=239.1.1.1, carried in P-packet S=10.1.1.1, D=239.2.2.2, Payload=C-packet. C-control-packet: S=192.2.2.2, D=224.0.0.13 (PIM routers), carried in P-packet S=10.2.2.2, D=239.2.2.2, Payload=C-packet.]
• Both customer control and data traffic are sent over the multicast tunnel
• P routers only see MDT group packets, so they do not build state for the traffic and groups inside the customer VPN
• The customer's multicast packets go to every PE router that is in the multicast domain (default MDT)
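The encapsulation just described, as an added example that is not part of the slides: the ingress PE wraps the customer (C-) packet in GRE plus an outer IPv4 header addressed to the default-MDT group, a P router parses only that outer header, and the egress PE strips it again. Addresses are the ones on the slide; the packet builder and checksum routine are written here for the example.

```python
"""Added example: Rosen mVPN forwarding with GRE, using the slide's addresses
(C-packet 192.1.1.1 -> 239.1.1.1, sending PE 10.1.1.1, default MDT 239.2.2.2)."""
import socket
import struct

GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse one IPv4 header; on a P router this is all that is inspected."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def mdt_encapsulate(c_packet: bytes, pe_loopback: str, mdt_group: str) -> bytes:
    """Ingress PE: GRE header (minimal 4-byte form, no C/K/S options) plus an
    outer IPv4 header from the PE loopback to the default-MDT group."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return build_ipv4(pe_loopback, mdt_group, IPPROTO_GRE, gre + c_packet)


def mdt_decapsulate(p_packet: bytes) -> bytes:
    """Egress PE: validate and strip the outer IPv4 + GRE headers, return the C-packet."""
    outer = parse_ipv4(p_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, proto = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:   # C, K or S bit set: optional fields we do not handle
        raise ValueError("unexpected GRE optional fields")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return outer["payload"][4:]


def what_p_router_sees(p_packet: bytes) -> tuple:
    """A P router builds state only for the outer (S,G), never for the customer group."""
    outer = parse_ipv4(p_packet)
    return (outer["src"], outer["dst"])


# Constructed sample: customer UDP (proto 17) data packet 192.1.1.1 -> 239.1.1.1
C_PACKET = build_ipv4("192.1.1.1", "239.1.1.1", 17, b"customer multicast payload")
P_PACKET = mdt_encapsulate(C_PACKET, "10.1.1.1", "239.2.2.2")
```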
mVPN: mGRE Encapsulation (Rosen model)
[Figure: Source 195.12.2.6 behind CE B2, receiver behind CE B1. The C-packet (Src = 195.12.2.6, Grp = 239.255.0.20) is carried across PE–P–PE inside a P-packet (Src = 194.22.15.2, the PE's Lo0; Grp = 239.192.10.1, the MDT group) with a GRE header and trailer, and delivered again as the C-packet at the far PE. The receiver's C-Join (*, 239.255.0.20) travels over the MTI in the opposite direction.]
[Figure: Customer B Default MDT 239.192.10.2 and Data MDT 239.192.10.32. When a high-bandwidth source starts, its traffic is moved from the Default MDT to a Data MDT; the PE with the receiver joins the Data MDT and caches the Data-MDT entry.]
ip vrf green
 rd 1:80
 route-target export 1:1
 route-target import 1:1
 mdt default 239.1.1.1
 mdt data 239.1.2.0 0.0.0.3 threshold 4
Multicast VPN (MVPN)
Summary
[Figure: Customer sites A to F attached through CEs to PEs around the MPLS Core. Default MDT for low-bandwidth and control traffic only; Data MDT for high-bandwidth traffic only.]
• Customer CE devices join the MPLS Core through the provider's PE devices
• The MPLS Core forms a Default MDT for a given MPLS VPN
• A high-bandwidth source for that customer starts sending traffic
• Interested receivers 1 & 2 join that high-bandwidth source
[Figure: 6PE. Dual-stack IPv4-IPv6 6PE routers at the edge of an IPv4 MPLS core (P routers). IPv4 sites 145.95.0.0, 192.76.10.0 and 192.254.10.0 and IPv6 sites 2001:CAFE:: and 2001:F00D:: attach through CEs.]
§ PEs are updated to support dual stack/6PE
§ The IPv4 or MPLS core infrastructure is IPv6-unaware
§ IPv6 reachability is exchanged among 6PEs via iBGP (MBGP)
IPv6 AF + Label SAFI used to exchange prefixes between PEs
§ IPv6 packets are transported from 6PE to 6PE inside MPLS (label switching)
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/iosip_an.htm
6PE Routing/Label Distribution
Connectivity model is very similar to VPN-MPLS for IPv4
[Figure: 6PE-1 side (2001:DB8::, 200.11.11.1) and 6PE-2 (2001:F00D::, 200.10.10.1) across P1 and P2; the CE side advertises 2001:F00D:: to 6PE-2 via IGP or MP-BGP.]
6PE-2 sends an MP-iBGP advertisement to 6PE-1 which says:
2001:F00D:: is reachable via BGP Next Hop = 200.10.10.1 (6PE-2)
Bind BGP label to 2001:F00D:: (*)
IPv6 Next Hop is an IPv4-mapped IPv6 address built from 200.10.10.1
6PE Forwarding (P1)
[Figure: 6PE-1 pushes the MP-BGP label (Label2, bound to the IPv6 prefix by 6PE-2) and the LDP/IPv4 label towards 6PE-2 onto the IPv6 packet; P1 switches on the outer label.]
6PE Forwarding (P2)
[Figure: after P2 only the MP-BGP label remains on the IPv6 packet towards 6PE-2.]
6PE Forwarding (6PE-2)
§ MPLS label forwarding:
§ 6PE-2 receives an MPLS packet
§ Lookup is done on the label
§ Result is: pop the label and do an IPv6 lookup on the v6 destination
[Figure: 6PE-1 (2001:DB8::) – P1 – P2 – 6PE-2 (2001:F00D::).]
6PE Benefits/Drawbacks
§ IPv6 global table connectivity for different sites
§ Core network (Ps) untouched (no HW/SW upgrade, no configuration change)
§ IPv6 traffic inherits MPLS benefits (wire-rate, fast reroute, TE, etc.)
§ Incremental deployment possible (i.e., only upgrade the PE routers which have to provide IPv6 connectivity)
§ Each site can be v4-only, v4VPN-only, v4+v6, v4VPN+v6
§ P routers will not be able to send ICMP messages (TTL expired, traceroute)
§ No VRF configuration
6PE-1 Configuration
[Figure: 6PE-1 (2001:DB8::) and 6PE-2 with an iBGP session between them.]
ipv6 cef
!
mpls label protocol ldp
!
router bgp 100
 no synchronization
 no bgp default ipv4 unicast
 ! 2001:DB8:1::1 is the local CE
 neighbor 2001:DB8:1::1 remote-as 65014
 ! 200.10.10.1 is the remote 6PE
 neighbor 200.10.10.1 remote-as 100
 neighbor 200.10.10.1 update-source Loopback0
 !
 address-family ipv6
  neighbor 200.10.10.1 activate
  ! send labels along with IPv6 prefixes by means of MP-BGP
  ! note: will cause the session to flap
  neighbor 200.10.10.1 send-label
  neighbor 2001:DB8:1::1 activate
  redistribute connected
  no synchronization
 exit-address-family
6PE Configuration-IOS-XR
[Figure: CE1-BLUE – PE1 – MP-iBGP tunnel – PE2 – CE2-BLUE.]
PE1#
interface GigabitEthernet0/0/1/5
 cdp
 ipv6 address 2001:db84:beef:1::1/64
!
router bgp 3
 !
 address-family vpnv4 unicast
 !
 address-family ipv6 unicast
  network 2001:db84:beef:1::/64
  allocate-label all
 !
 address-family vpnv6 unicast
 !
 neighbor 192.168.253.4
  remote-as 3
  update-source Loopback0
  !
  address-family ipv4 unicast
  !
  address-family ipv6 labeled-unicast

PE2#
interface GigabitEthernet0/0/1/5
 cdp
 ipv6 address 2001:db82:cafe:1::1/64
!
router bgp 3
 address-family ipv4 unicast
 !
 address-family ipv6 unicast
  network 2001:db82:cafe:1::/64
  allocate-label all
 !
 address-family vpnv6 unicast
 !
 neighbor 192.168.253.4
  remote-as 3
  update-source Loopback0
  address-family ipv4 unicast
  !
  address-family vpnv4 unicast
  !
  address-family ipv6 labeled-unicast
6VPE: BGP-MPLS VPN extension for IPv6 (RFC 4659)
Layer-3 VPNs for IPv6 customers
[Figure: VPN BLUE sites CE1 (10.1.1.0/24, 2001:db8:beef:1::/64) and CE2 (10.1.2.0/24, 2001:db8:beef:2::/64) attached to 6VPE1 (200.10.10.1) and 6VPE2 (200.11.11.1) over the PE-CE links 172.16.1.0/30 with 2001:db8:cafe:1::/64 and 172.16.3.0/30 with 2001:db8:cafe:3::/64. Each 6VPE holds the VPN BLUE VRF with both IPv4 and IPv6 routes; v4 and v6 VPN routes are exchanged over iBGP (MBGP) sessions across an IPv4 MPLS core of P routers.]
6VPE1 General Configuration
[Figure: same topology as the previous slide. The IPv6 packet from CE1 is carried across the core with a VPN label and an LDP label and delivered as an IPv6 packet to CE2.]
ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 ip address 200.10.10.1 255.255.255.255
!
interface Ethernet0/0
 description Link to CE1
 vrf forwarding GREEN
 ip address 172.16.1.2 255.255.255.0
 ipv6 address 2001:db8:cafe:1::2/64
!
interface Ethernet2/0
 description Link to Core Network
 ip address 192.168.1.1 255.255.255.252
 mpls ip
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 passive-interface Loopback0
 network 192.168.1.0 0.0.0.255 area 0
6VPE1 BGP Configuration
[Figure: same topology as the previous slides: 6VPE1 (200.10.10.1) and 6VPE2 (200.11.11.1), PE-CE links 172.16.1.0/30 with 2001:db8:cafe:1::/64 and 172.16.3.0/30 with 2001:db8:cafe:3::/64, IPv6 packets carried across the core with a VPN label and an LDP label.]
[Figure: Site-1 (2001:0420::) behind 6VPE-1 (192.72.170.13) and Site-1 (2001:0421::) behind 6VPE-2 (192.254.10.17), across P1 and P2; the CE advertises 2001:0421:: to 6VPE-2 via e-BGP.]
6VPE-2 sends an MP-iBGP advertisement to 6VPE-1 which says:
2001:0421:: is reachable via BGP Next Hop = ::FFFF:192.254.10.17 (6VPE-2)
Bind BGP label 16010 to 2001:0421::
6VPE Forwarding (6VPE-1)
[Figure: 6VPE-1 (Site-1, 2001:0420::) sends the IPv6 packet to 2001:0421:: towards 6VPE-2 (192.254.10.17) via P1 and P2.]
6VPE Forwarding (P2)
[Figure: P2 forwards the IPv6 packet to 2001:0421:: on to 6VPE-2 (192.254.10.17).]
6VPE Summary
§ RFC4659: BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN
§ 6VPE simply adds IPv6 support to the current IPv4 MPLS VPN offering
§ For end-users: a v6-VPN is the same as the v4-VPN services (QoS, hub and spoke, internet access, etc.)
§ For operators:
Same configuration and operation for v4 and v6 VPN
No upgrade of the IPv4/MPLS core (IPv6 unaware)
MPLS Layer-3 VPN Summary
§ Provide layer-3 connectivity among CE sites via IP peering (across the PE-CE link)
§ Implemented via VRFs on edge/PE nodes, providing customer route and forwarding segmentation
§ Support for IPv4, IPv6 and Multicast
§ BGP is used as the control plane to exchange customer VPN (VPNv4) routes between PE routers
§ MPLS VPNs enable full-mesh, hub-and-spoke, and hybrid IP connectivity among connected CE sites
§ MPLS VPN support for single or multiple operator environments (Inter-AS)
§ Proven and scalable solution for both Service Provider and Enterprise networks
§ L3 VPNs for enterprise network segmentation can also be implemented via VRFs + GRE tunnels or VLANs
MPLS Layer-2 VPNs
Technology Overview and Applications
Why Is L2VPN Needed?
§ It allows SPs and Enterprises to have a single infrastructure for both IP and legacy services
For SPs: move legacy ATM/FR traffic to an MPLS/IP core without interrupting current services
For Enterprises: build better Data Centers by spanning Layer-2 attachment circuits across the WAN/MPLS, and provide better HA
Motivation for L2VPNs
I’ve Really Got to Consolidate These Networks
[Figure: separate IP, FR/ATM and Metro Ethernet access networks, each needing its own core (IP, ATM, Ethernet), versus a single MPLS or IP core.]
Multiple Access Services Require Multiple Core Technologies = $$$ High Costs/Complex Management
Layer-2 VPN Overview
§ Enables transport of any Layer-2 traffic over an MPLS network
Includes label encapsulation and translation
[Figure: SP network with PE routers interconnected by a Pseudo Wire; many subscriber encapsulations are supportable: FR, ATM, PPP, HDLC, Ethernet.]
L2VPN Options
L2VPN Models
[Figure: over the MPLS Core, VPWS (Virtual Private Wire Service, point to point) and VPLS (Virtual Private LAN Service, point to multipoint).]
Point-to-Point vs. Multipoint
§ Point-to-Point (VPWS, E-LINE, EWS/ERS, and so on)
One virtual circuit connects two UNIs
The UNIs can be on the same box or on two boxes
No MAC learning or MAC-based forwarding is involved
A virtual circuit is tied to a port/VLAN; it does not need a system-wide VLAN resource, so a potentially large number of circuits is supported
L2 VPN Services
[Figure: VPWS services: AAL5 over Pseudo Wire, FR over Pseudo Wire, Ethernet Relay Service (ERS); VPLS service: Ethernet Multipoint Service (EMS); each with muxed or unmuxed UNIs; other variants such as PPP/HDLC.]
Technology for L2VPNs: Pseudowires
§ L2VPNs are built with “Pseudowire” (PW) technology
§ A PW is an emulated circuit
§ PWs provide a common intermediate format to transport multiple types of network services over a Packet Switched Network (PSN)
§ Any Transport over MPLS (AToM) is PW-based L2VPN for various encapsulations
§ PW technology provides Like-to-Like (L2L) transport and also Interworking (IW)
What Is a Pseudowire?
§ A pseudowire (PW) is an emulation of a telecommunications service over a Packet Switched Network (PSN)
§ PWs emulate the essential attributes of the native service
§ The PSN may be IP or IP/MPLS
§ Packets are transported over IP/MPLS networks using a PSN Tunnel (LSP) set up between PEs.
[Figure: Customer1 Site1 and Customer2 Site1 attach to one PE, Customer1 Site2 and Customer2 Site2 to the other; each attachment is a PW emulated service (PWES), and the per-customer Pseudo-Wires are multiplexed over one PSN Tunnel between the PEs.]
AToM Technology Components
§ PE-CE link
Referred to as Attachment Circuit (AC)
Can be any type of layer-2 connection (e.g., FR, Ethernet)
§ AToM Control Plane
Targeted LDP (Label Distribution Protocol) Session
Virtual Connection (VC)-label negotiation, withdrawal, error notification
§ AToM Forwarding Plane
2 labels used for encapsulation + control word
Outer tunnel (LDP) label
To get from ingress to egress PE using MPLS LSP
Inner de-multiplexer (VC) label
To identify L2 circuit (packet) encapsulated within tunnel label
Control word
Replaces layer-2 header at ingress; used to rebuild layer-2 header at
egress
AToM Control Plane Processing
[Figure: CE1 – PE1 – P – P – PE2 – CE2. Layer-2 connections VC1 (CE1–PE1) and VC2 (PE2–CE2); a directed LDP session between PE1 and PE2 carries the Label Mapping messages.]
PWE3: VC Label distributed through directed LDP session
[Figure: CE1 (Site1, VC1) – PE1 – P1/P2 – P3/P4 – PE2 – CE2 (Site2, VC2), with a directed LDP session between PE1 and PE2.]
1. Provision the VC: xconnect <PE2> <VCID>
2. PE1 binds the VCID to a VC Label and sends a Label Mapping Msg carrying the VC FEC TLV and the VC Label TLV
3. PE2 matches its VCID to one received
4. PE2 repeats the same steps
PWid FEC TLV fields: C, VC TLV Type, Length, VC Info, Group ID, VC ID, Interface Parameters
LDP: PWid FEC TLV
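The PWid FEC element named on the two preceding slides, as an added example (not code from the slides or from Cisco): encode and decode the RFC 4447 PWid FEC (type 0x80) with an MTU interface-parameter sub-TLV, and perform step 3 above, where PE2 matches the received VC ID against its own provisioned xconnects. The MTU-must-match rule follows RFC 4447 rather than the slide; the PE2 xconnect table is constructed.

```python
"""Added example: LDP PWid FEC element (RFC 4447, FEC type 0x80) and the
VC ID match a PE performs on a received Label Mapping message."""
import struct
from typing import Optional

PWID_FEC_TYPE = 0x80
PW_TYPES = {"fr-dlci": 0x0001, "atm-aal5": 0x0002, "ethernet-tagged": 0x0004,
            "ethernet": 0x0005, "hdlc": 0x0006, "ppp": 0x0007}   # RFC 4446 values
IFP_MTU = 0x01   # interface-parameter sub-TLV type: MTU


def encode_pwid_fec(vc_id: int, pw_type: int, mtu: int, group_id: int = 0,
                    control_word: bool = False) -> bytes:
    """Type(8) | C(1) PW type(15) | PW info length(8) | Group ID(32) | PW ID(32) | params."""
    if not 0 < vc_id <= 0xFFFFFFFF:
        raise ValueError("VC ID must be a non-zero 32-bit value")
    ifparams = struct.pack("!BBH", IFP_MTU, 4, mtu)     # sub-TLV length includes type+len
    pw_info_len = 4 + len(ifparams)                     # PW ID plus interface parameters
    c_and_type = (0x8000 if control_word else 0) | (pw_type & 0x7FFF)
    return (struct.pack("!BHB", PWID_FEC_TYPE, c_and_type, pw_info_len)
            + struct.pack("!II", group_id, vc_id) + ifparams)


def decode_pwid_fec(data: bytes) -> dict:
    """Parse one PWid FEC element, rejecting truncated or malformed sub-TLVs."""
    if len(data) < 12 or data[0] != PWID_FEC_TYPE:
        raise ValueError("not a PWid FEC element")
    c_and_type, info_len = struct.unpack("!HB", data[1:4])
    group_id, vc_id = struct.unpack("!II", data[4:12])
    params = data[12:8 + info_len]      # the 4 bytes of PW ID are counted in info_len
    if len(params) != info_len - 4:
        raise ValueError("truncated interface parameters")
    parsed = {}
    off = 0
    while off < len(params):
        ptype, plen = params[off], params[off + 1]
        if plen < 2 or off + plen > len(params):
            raise ValueError("malformed interface-parameter sub-TLV")
        if ptype == IFP_MTU and plen == 4:
            parsed["mtu"] = struct.unpack("!H", params[off + 2:off + 4])[0]
        off += plen
    return {"control_word": bool(c_and_type & 0x8000), "pw_type": c_and_type & 0x7FFF,
            "group_id": group_id, "vc_id": vc_id, "params": parsed}


def match_label_mapping(local_xconnects: dict, fec: bytes) -> Optional[dict]:
    """Step 3 on the slide: match the received VC ID to a local xconnect.  PW type
    and MTU must also agree on both ends, otherwise the PW is not brought up.
    local_xconnects maps vc_id -> {"pw_type": ..., "mtu": ...}."""
    received = decode_pwid_fec(fec)
    local = local_xconnects.get(received["vc_id"])
    if local is None:
        return None
    if local["pw_type"] != received["pw_type"] or local["mtu"] != received["params"].get("mtu"):
        return None
    return received


# Constructed: PE2 has 'xconnect <PE1> 100' (tagged Ethernet) and 'xconnect <PE1> 200' (FR)
PE2_XCONNECTS = {100: {"pw_type": PW_TYPES["ethernet-tagged"], "mtu": 1500},
                 200: {"pw_type": PW_TYPES["fr-dlci"], "mtu": 1500}}
# Constructed: the FEC PE1 sends after provisioning 'xconnect <PE2> 100'
FEC_FROM_PE1 = encode_pwid_fec(vc_id=100, pw_type=PW_TYPES["ethernet-tagged"], mtu=1500)
```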
AToM Forwarding Plane Processing
[Figure: CE2 – PE2 – P2 – P1 – PE1 – CE1, with the directed LDP label exchange for the VC label between PE1 and PE2. Along the path the layer-2 packet carries a Tunnel Label and a VC Label; the tunnel label changes hop by hop (labels A, B, C in the figure) while the VC label stays the same.]
Processing Steps:
1. CE2 forwards a layer-2 packet to PE2.
2. PE2 imposes the VC (inner) label on the layer-2 packet received from CE2, and optionally a control word as well (not shown).
3. PE2 imposes the Tunnel (outer) label and forwards the packet to P2.
4. The P2 and P1 routers forward the packet using the outer (tunnel) label.
5. Router PE2 strips the Tunnel label and, based on the VC label, the layer-2 packet is forwarded to the customer interface to CE1, after the VC label is removed.
In case a control word is used, the new layer-2 header is generated first.
Pseudowire Traffic Encapsulation
[Figure: packet layout (bit positions 0-31): Tunnel Label, VC Label, Control Word, Layer 2 PDU.]
§ Three-level encapsulation
Tunnel Label – Determines the path through the network
VC Label – Identifies the VC at the endpoint
Control Word – Contains attributes of the L2 payload
§ Packets are switched between PEs using the top (tunnel) label
§ The VC label identifies the PW
§ The VC label is negotiated between PEs with directed LDP
§ The optional control word carries Layer 2 control bits and enables sequencing
Control word required per encapsulation: CR: No; AAL5: Yes; Eth: No; FR: Yes; HDLC: No; PPP: No
VPWS EoMPLS— RFC 4448
[Figure: the original Ethernet or VLAN frame carried inside the pseudowire encapsulation.]
A Typical Configuration: EoMPLS VLAN
[Figure: R201 (10.0.0.201) – R202 (10.0.0.202) – R203 (10.0.0.203); R200 attaches to R201 and R204 to R203.]
R201:
hostname R201
!
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.201 255.255.255.255
!
interface Ethernet0/0.10
 description *** To R200 ***
 encapsulation dot1Q 10
 xconnect 10.0.0.203 10 encapsulation mpls

R203:
hostname R203
!
ip cef
mpls ip
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.0.0.203 255.255.255.255
!
pseudowire-class eompls
 encapsulation mpls
!
interface Ethernet0/0.10
 description *** To R204
 encapsulation dot1Q 10
 xconnect 10.0.0.201 10 pw-class eompls
Calculating MTU Requirements
for the Core
§ Core MTU = Edge MTU + Transport Header + AToM Header + (MPLS Label Stack * MPLS Header Size)
§ Edge MTU is the MTU configured on the CE-facing PE interface
§ Examples (all in bytes; the AToM header is 4 with a control word and 0 without it, the bracketed totals being the no-control-word case):
Mode                  | Edge | Transport | AToM  | MPLS Stack | MPLS Header | Total
EoMPLS Port Mode      | 1500 | 14        | 4 [0] | 2          | 4           | 1526 [1522]
EoMPLS VLAN Mode      | 1500 | 18        | 4 [0] | 2          | 4           | 1530 [1526]
EoMPLS Port w/ TE FRR | 1500 | 14        | 4 [0] | 3          | 4           | 1530 [1526]
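The three-level pseudowire encapsulation from the earlier slide and the core MTU formula above, as one added example (not from the slides): the label-stack entries, VC label, optional control word and L2 PDU are assembled byte by byte, and the length of the result is checked against the formula for the table rows. Label values and frames are constructed.

```python
"""Added example: AToM/EoMPLS encapsulation and the core-MTU formula."""
import struct

MPLS_LABEL_SIZE = 4
ETH_HEADER = 14          # dst MAC, src MAC, Ethertype (EoMPLS port mode transport header)
DOT1Q_HEADER = 18        # Ethernet header plus a 4-byte 802.1Q tag (VLAN mode)
CONTROL_WORD = 4


def mpls_label(label: int, exp: int = 0, bottom: bool = False, ttl: int = 255) -> bytes:
    """One 32-bit MPLS label stack entry: Label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | ((exp & 7) << 9) | (int(bottom) << 8) | (ttl & 0xFF))


def atom_encapsulate(l2_pdu: bytes, tunnel_labels: list, vc_label: int, control_word: bool) -> bytes:
    """Ingress PE: VC label at the bottom of the stack, tunnel label(s) on top,
    optional control word between the stack and the layer-2 PDU."""
    stack = b"".join(mpls_label(lbl) for lbl in tunnel_labels)   # top of stack first
    stack += mpls_label(vc_label, bottom=True)
    cw = struct.pack("!I", 0) if control_word else b""           # flags and sequence zero
    return stack + cw + l2_pdu


def core_mtu(edge_mtu: int, transport_header: int, control_word: bool, label_depth: int) -> int:
    """Core MTU = Edge MTU + Transport Header + AToM Header + (label depth * 4)."""
    return (edge_mtu + transport_header + (CONTROL_WORD if control_word else 0)
            + label_depth * MPLS_LABEL_SIZE)


def required_core_mtu_for(l2_pdu: bytes, tunnel_labels: list, vc_label: int,
                          control_word: bool) -> int:
    """Cross-check: the length of the encapsulated frame is what the core must carry."""
    return len(atom_encapsulate(l2_pdu, tunnel_labels, vc_label, control_word))


# Constructed sample frames: a 1500-byte edge MTU payload behind a VLAN-tagged
# header (VLAN mode row) and behind a plain Ethernet header (port mode rows).
VLAN_FRAME = bytes(DOT1Q_HEADER) + bytes(1500)
PORT_FRAME = bytes(ETH_HEADER) + bytes(1500)
```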
Example of large MTU requirement
[Figure: label stack, each entry 4 bytes (Label, EXP, S, TTL): Back-up FRR label, TE or primary FRR label, Core LDP label, VPN label (L2 or L3); then the optional Control-word (4 bytes), the Dot1Q header (4 bytes, only in Port Mode Xconnect) and the PDU.]
[Figure: per-VLAN VC/GRE with a per-VLAN alternate path between two sites; at each site the Layer-2 Etherchannel (MEC) to the aggregation VSS pair (VSL) is viewed as one device by the access layer.]
Configuration Example
Frame-Relay to Ethernet
[Figure: Frame Relay link (DLCI 210) – PE 192.168.200.1 – MPLS/IP – PE 192.168.200.2 – Ethernet/VLAN link (VLAN 310).]
Frame link side:
frame-relay switching
!
pseudowire-class atom_fr_vlan
 encapsulation mpls
 interworking ip
!
interface serial3/0
 encapsulation frame-relay
 clock source internal
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
connect fr-vlan serial3/0 210 l2transport
 xconnect 192.168.200.2 210 pw-class atom_fr_vlan

Ethernet/VLAN link side:
!
pseudowire-class atom_vlan_fr
 encapsulation mpls
 interworking ip
!
interface GigabitEthernet4/0.310
 encapsulation dot1Q 310
 xconnect 192.168.200.1 210 pw-class atom_vlan_fr
ATM / IMA Over Pseudowires
§ IMA terminated on the cell-site router.
[Figure: ATM/IMA access terminated on the cell-site router, carried as L2 over MPLS with MPLS control, and handed off as ATM.]
Circuit Emulation over Packet (CEoP)
[Figure: TDM/ATM circuits (ChSTM1/OC3, T1/E1 etc.) on both sides of a Packet Switched Network, connected by standards-based CEoP.]
§ Circuit Emulation over Packet (CEoP) allows customers to provide TDM circuit service over a Packet Switched Network (PSN)
Circuit Emulation = imitation of a physical communication link
§ CEoP imitates a physical communication link across a packet network
Available for AToM (MPLS) now; L2TPv3 (IP) in the future
§ Allows the transport of any type of communication over packet
§ Ideal for TDM or leased-line replacement and legacy network consolidation
§ CEoP emulates T1/E1, T3/E3 and OC3/STM-1, unstructured and structured, down to nxDS0 circuits
§ SAToP
Unstructured E1 frame
§ CESoPSN
Structured unchannelized E1 frame (timeslots 1-31)
Structured channelized E1 frame (timeslot x-y)
[Figure: PWid FEC element signaled for a CEM pseudowire: PW Type (CEM), Group ID, VC ID, Interface Parameter.]
CEoP Configuration Example
[Figure: BTS – T1 – 7600 (CEM circuit on the attachment circuit) – Pseudo-Wire over MPLS – 7600 – T1 – BSC.]
7600 at the BTS side:
card type t1 3 3
controller T1 3/3/0
 framing esf
 cem-group 0 timeslots 1-24
!
controller T1 3/3/1
 framing esf
 cem-group 1 timeslots 1-5
!
controller T1 3/3/2
 framing unframed
 cem-group 2 unframed
!
interface CEM3/3/0                      [CESoP]
 cem 0
  xconnect 192.168.37.3 330 encapsulation mpls
!
interface CEM3/3/1                      [CESoP]
 cem 1
  xconnect 192.168.37.3 331 encapsulation mpls
!
interface CEM3/3/2                      [SAToP]
 cem 2
  xconnect 192.168.37.3 332 encapsulation mpls

7600 at the BSC side:
card type t1 1 3
controller T1 1/3/0
 framing esf
 cem-group 0 timeslots 1-24
!
controller T1 1/3/1
 framing esf
 cem-group 1 timeslots 1-5
 cem-group 5 timeslots 10-15
!
controller T1 1/3/2
 framing unframed
 cem-group 2 unframed
!
interface CEM1/3/0                      [CESoP]
 cem 0
  xconnect 192.168.37.2 330 encapsulation mpls
!
interface CEM1/3/1                      [CESoP]
 cem 1
  xconnect 192.168.37.2 331 encapsulation mpls
 cem 5
  xconnect ....
!
interface CEM1/3/2                      [SAToP]
 cem 2
  xconnect 192.168.37.2 332 encapsulation mpls
Coupling Layer-2 Services with MPLS
TE—AToM Tunnel Selection
§ Static mapping between a pseudo-wire and a TE Tunnel on the PE
[Figure: CE – PE1 – IP/MPLS; the Layer 2 circuit is mapped onto a TE tunnel.]
ATOM: Preferred Path TE Tunnels
§ Three TE tunnels (Tunnel 0, Tunnel 1 and Tunnel 2) between PE1 and PE2
§ “Preferred path” can be used to map each VC's (or multiple VCs') traffic into different TE tunnels
[Figure: Site 1 (CE1, 10.1.1.0/24) to Site 2 (CE2) through PE1 and PE2 (192.168.0.5/32); TE Tunnel 0 via P3–P4, TE Tunnel 1 via P2–P1, and TE Tunnel 2.]
pseudowire-class test
 encapsulation mpls
 preferred-path interface Tunnel0
!
pseudowire-class test1
 encapsulation mpls
 preferred-path interface Tunnel1
!
pseudowire-class test2
 encapsulation mpls
 preferred-path interface Tunnel2

interface Ethernet2/0.1
 description green vc
 xconnect 192.168.0.5 1 encapsulation mpls pw-class test
!
interface Ethernet2/0.2
 description red vc
 xconnect 192.168.0.5 20 encapsulation mpls pw-class test1
!
interface Ethernet2/0.3
 description dark green vc
 xconnect 192.168.0.5 30 encapsulation mpls pw-class test2
Inter-AS PW using Tunnel Stitching
– Reference Model
[Figure: PE11 (AS 1) – ASBR-11 – eBGP IPv4 + Labels – ASBR-21 – PE-22 (AS 2). VC 201 on PE11 is stitched as VC 201/404 on ASBR-11 and VC 404/101 on ASBR-21 to VC 101 on PE-22; VC 202 is stitched as VC 202/303 and VC 303/102 to VC 102. Segments: Attachment circuit – AS1 Pseudowire – Tunnel Stitch PW – AS2 Pseudowire – Attachment circuit.]
[Figure: PE1 – P11 – ASBR1 (AS 1) – ASBR2 – P21 – PE2 (AS 2), same segments as above. Tunnel label 37 in AS 1 and 22 in AS 2; VC label 24 in AS 1, 38 on the stitch between the ASBRs, 34 in AS 2.]
Label stack entries shown along the path, left to right (the diagram's label value in parentheses):
- Tunnel/IGP label entry: Label 55 (37), Exp = 0, S = 0, TTL = 254; VC label: Label 36 (24), Exp = 0, S = 1, TTL = 255
- VC label: Label 36 (24), Exp = 0, S = 1, TTL = 254
- VC label: Label 56 (38), Exp = 0, S = 1, TTL = 255
- Tunnel label: Label 34 (22), Exp = 0, S = 0, TTL = 254; VC label: Label 52 (34), Exp = 0, S = 1, TTL = 255
- VC label: Label 52 (34), Exp = 0, S = 1, TTL = 254
Inter-AS VPLS ASBR-ASBR Switching Options
Option A: Layer-2 Pseudowire Peering between ASBRs
[Figure: PE1 and PE2 in one IP/MPLS AS, PE3 and PE4 in the other; ASBR1 and ASBR2 peer at Layer 2.]
§ Clear demarcation between ASs facilitates management and troubleshooting
§ Granular QoS control
§ No reachability information shared between ASs
§ LDP and L2TPv3 signaling can be combined
§ May require a large number of ACs between ASBRs
[Figure: MPLS WAN with PEs and CEs.]
VPLS Technology Components
§ PE-CE link
Referred to as Attachment Circuit (AC)
Ethernet VCs are either port mode or VLAN-ID based
§ VPLS Control Plane
Full mesh of targeted LDP sessions
Virtual Connection (VC)-label negotiation, withdrawal, error notification
§ VPLS Forwarding Plane
Virtual Switching Instance: VSI or VFI (Virtual Forwarding Instance)
Uses a Virtual Forwarding Instance (VFI, like a VLAN) for customer separation
VPN ID: unique value for each VPLS instance
PWs for interconnection of related VSI instances
VPLS Components
[Figure: CEs attached over Attachment Circuits to n-PEs; a full mesh of targeted LDP sessions between the participating PEs exchanges VC labels, and a full mesh of PWs over Tunnel LSPs connects the Red, Blue and Green VSIs between the n-PEs.]
§ AC (Attachment Circuit)
Connects to the CE device; it can be an Ethernet physical or logical port, ATM bridging (RFC 1483), FR bridging (RFC 1490), or even an AToM pseudowire; one or multiple ACs can belong to the same VFI
§ VC (Virtual Circuit)
EoMPLS data encapsulation: the tunnel label is used to reach the remote PE, the VC label is used to identify the VFI; one or multiple VCs can belong to the same VFI
§ VFI (Virtual Forwarding Instance)
Also called VSI (Virtual Switching Instance); the VFI creates L2 multipoint bridging among all ACs and VCs; it is an L2 broadcast domain like a VLAN
Multiple VFIs can exist on the same PE box to separate user traffic, like VLANs
VPLS Components
[Figure: CE routers attached to an N-PE.]
VPLS Data Plane and Control Plane
BGP-Based VPLS Auto Discovery
Data Plane
§ Although VPLS simulates a multipoint virtual LAN service, the individual VC is still point-to-point EoMPLS; it uses the same data encapsulation as point-to-point EoMPLS
A unidirectional LSP carries Ethernet frames between a pair of N-PEs
Control Plane
§ Signaling
Same as EoMPLS, using targeted LDP sessions to exchange VC information
VPLS – Forwarding Plane
VPLS Simulates a Virtual LAN Service, So It Must Operate Like a Traditional L2 LAN Switch as Well
§ Flooding/Forwarding
Forwarding based on (per-VFI) MAC destination address
MAC table instances per customer (per VFI) on each PE
Unknown unicast/multicast/broadcast—flood to all ports and pseudowires (IGMP snooping can be used to constrain multicast flooding)
§ Address Learning/Aging/Withdrawal
Dynamic learning based on source MAC and per VFI
LDP enhanced with an additional MAC List TLV (label withdrawal)
MAC timers refreshed by incoming frames
§ Loop Prevention
Create a full mesh of Pseudo Wire VCs (EoMPLS)
A VPLS instance uses the “split horizon” concept to prevent loops
Spanning Tree is disabled in the VPLS domain
Loop Prevention: Split-Horizon
[Figure: DC-1 and DC-2 (hosts A, B, C, D behind DC Core and Agg) interconnected through the Metro Core; the VFIs on N-PE1, N-PE3 and N-PE4 are meshed with Pseudo Wires (PW) over MPLS.]
VPLS for Data Center Interconnection
[Figure: two data centers (DC Core, Agg) interconnected over the Metro Core with Pseudo Wires for VLAN 3700; the Layer 3 Core/Intranet attaches above.]
On both DC Core switches:
interface Vlan3700
 no ip address
 load-interval 30
 xconnect vfi vlan3700
Layer 2 Extension
VPLS over GRE
[Figure: three sites, each with an L3 DCI layer over an L2 Etherchannel to a VSS pair that is viewed as one device; per-VLAN VFI/GRE with a per-VLAN alternate path between the sites.]
EoMPLS / VPLS over GRE for DCI
EoMPLS
§ EoMPLS connectivity over an IP-only network
§ EoMPLS VCs are established over MPLSoGRE tunnels
VPLS
§ VPLS connectivity over an IP-only network
§ VPLS VCs are established over MPLSoGRE tunnels (requires SIP-400 on the 6500 with SUP720)
[Figure: Customer A1 CEs connected through an EoMPLS instance and through a VPLS instance, each over MPLSoGRE tunnels.]
A Simple VPLS Configuration Example
[Figure: N-PE3 and N-PE4, each with a VFI; a frame with VLAN tag 11 is carried with tunnel label 3 and VC label 7 and delivered with VLAN tag 11.]
N-PE3:
interface Loopback0
 ip address 10.0.0.3 255.255.255.255

N-PE4:
interface Loopback0
 ip address 10.0.0.4 255.255.255.255
Why H-VPLS?
[Figure: VPLS: a full mesh of PEs, each with CEs attached. H-VPLS: a full mesh of PE-rs routers, with MTU-s and PE-r devices aggregating CEs and attaching to the PE-rs routers as spokes.]
Split-Horizon Rule
§ Between no-split-horizon VCs → forwarding
§ Between no-split-horizon VCs and split-horizon VCs → forwarding
§ Between split-horizon VCs → blocking
§ Between ACs and VCs → forwarding
§ Between ACs → forwarding
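The split-horizon rules above together with the per-VFI MAC learning, flooding and MAC withdrawal behaviour from the VPLS forwarding-plane slide, as one added example that is not code from the slides: a small VFI model with an AC, two full-mesh (split-horizon) PWs and one H-VPLS spoke PW with split horizon off. The port names and MAC addresses are constructed.

```python
"""Added example: VFI forwarding with per-VFI MAC learning and the VPLS
split-horizon rule table (block only between two split-horizon PWs)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                      # "ac" (attachment circuit) or "pw" (pseudowire)
    split_horizon: bool = False    # only meaningful for PWs; full-mesh PWs set it

    def __post_init__(self):
        if self.kind not in ("ac", "pw"):
            raise ValueError("kind must be 'ac' or 'pw'")


def may_forward(ingress: Port, egress: Port) -> bool:
    """The slide's rule table: traffic is blocked only between two split-horizon
    VCs; AC<->AC, AC<->VC and any pair involving a no-split-horizon VC forward."""
    if ingress is egress:
        return False               # never send a frame back out its ingress port
    return not (ingress.kind == "pw" and egress.kind == "pw"
                and ingress.split_horizon and egress.split_horizon)


def _is_multicast(mac: str) -> bool:
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class VFI:
    """One Virtual Forwarding Instance: an L2 broadcast domain with its own MAC table."""
    name: str
    ports: List[Port]
    mac_table: Dict[str, Port] = field(default_factory=dict)

    def forward(self, ingress: Port, src_mac: str, dst_mac: str) -> List[str]:
        """Learn src_mac on the ingress port, then deliver by destination: known
        unicast to the learned port, otherwise flood; split horizon applies to both.
        Returns the names of the egress ports."""
        if ingress not in self.ports:
            raise ValueError("port %s is not a member of VFI %s" % (ingress.name, self.name))
        self.mac_table[src_mac] = ingress          # dynamic learning, per VFI
        flood = (dst_mac == "ff:ff:ff:ff:ff:ff" or _is_multicast(dst_mac)
                 or dst_mac not in self.mac_table)
        if not flood:
            out = self.mac_table[dst_mac]
            return [out.name] if may_forward(ingress, out) else []
        return [p.name for p in self.ports if may_forward(ingress, p)]

    def withdraw(self, port: Port) -> List[str]:
        """MAC withdrawal (what the LDP MAC List TLV triggers): flush every entry
        learned on a port that went away; returns the MACs removed."""
        gone = [m for m, p in self.mac_table.items() if p is port]
        for m in gone:
            del self.mac_table[m]
        return gone


# Constructed topology: N-PE1's VFI for VLAN 3700 with one AC, two full-mesh
# (split-horizon) PWs to N-PE3 and N-PE4, and one H-VPLS spoke PW (no split horizon).
AC1 = Port("Vlan3700-AC", "ac")
PW_NPE3 = Port("pw-to-npe3", "pw", split_horizon=True)
PW_NPE4 = Port("pw-to-npe4", "pw", split_horizon=True)
SPOKE = Port("pw-spoke", "pw", split_horizon=False)
vfi = VFI("vlan3700", [AC1, PW_NPE3, PW_NPE4, SPOKE])
```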
H-VPLS With MPLS Access Example
[Figure: customer frames with a C-tag carried with label pairs 3/7, 4/8 and 5/3 across the MPLS access; N-PE3 configuration.]
VPLS Configuration Example
Autodiscovery
Neighbor statements are no longer used to identify PE VPLS peers
[Figure: two PEs across the MPLS Network.]
Layer-2 VPN Summary
§ Enables transport of any Layer-2 traffic over MPLS
network
§ Two types of L2 VPNs; AToM for point-to-point and
VPLS point-to-multipoint layer-2 connectivity
§ Layer-2 VPN forwarding based on Pseudo Wires (PW),
which use VC label for L2 packet encapsulation
LDP used for PW signaling
High Availability
Carrier Class MPLS Networks
High Availability in MPLS Networks
§ MPLS has incorporated many resilience mechanisms to provide high-availability services
[Figure: core MPLS network infrastructure.]
Availability Definitions
• The probability that an item (or network, etc.) is operational, and functional as needed, at any point in time
[Figure: user network – network provider's shared network – server network.]
What Is High Availability?
Components of High Availability
Network Architecture
§ Highly resilient architecture and design
§ Standardized designs and configurations
§ Network scalability
Network Operations Center
§ People, Process, & Tools
§ Metrics
§ Industry standard methodologies (ITIL Framework)
§ Network Delivery Scorecard
§ 7x24x365
Business Alignment
§ Partnership between the Business & IT
§ Knowledge of business critical functions and applications
§ Service Level Agreements
Carrier Class MPLS
System & Network Level Resiliency
§ MPLS core resiliency
Focus on the MPLS path between adjacent nodes or end-to-end
- MPLS control plane resiliency (Fast IGP, BFD, LDP/IGP Sync, LDP Session Protection, Graceful Restart capabilities for LDP and RSVP)
- MPLS data-plane support for Fast Re-Route (MPLS TE-FRR link and node protection)
Core Failures
Fast convergence
Fast detection is key
§ Detection of link failure
– Direct detection of link down: LoS (loss of signal)
– Indirect detection: BFD, CFM (802.1ag)
– Consider using IP Event Dampening to quell link flaps
§ Detection of node failure
– BFD
– Fast IGP hellos for OSPF, IS-IS, PIM and RSVP
– Next-hop tracking for BGP
– Triggered RPF check for PIM (multicast)
[Figure: HQ-W1 and BR-W1 sites attached to the MPLS SP A core routers C-A-R1 to C-A-R4]
Carrier delay controls how long a link transition is held before it is reported to the upper layers; the CLI help shows the accepted ranges:
Router(config-if)#carrier-delay up msec ?
  <0-1000>  Carrier Up Transitions delay milliseconds
Router(config-if)#carrier-delay down ?
  <0-60>    Carrier Down Transitions delay seconds
IP Event Dampening – Algorithm Illustration
[Figure: actual interface state versus the interface state seen by routing protocols, with the accumulated penalty plotted against the maximum penalty and the reuse threshold]
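The dampening algorithm in the illustration, as an added Python model (not code from the original deck or from Cisco IOS): each down transition adds penalty points, the penalty halves every half-life, the interface is hidden from the IGP once the penalty reaches the suppress threshold, and it is shown again once the penalty has decayed below the reuse threshold. The values in DampeningConfig (half-life 5 s, reuse 1000, suppress 2000, max-suppress-time 20 s, 1000 points per flap) are assumptions modelled on the IOS defaults; the class names and the event sequence are made up for the example.

```python
"""IP Event Dampening model: exponential penalty decay with suppress/reuse thresholds."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DampeningConfig:
    # Assumed defaults (modelled on IOS): tune per platform before relying on them.
    half_life: float = 5.0          # seconds for the penalty to halve
    reuse: int = 1000               # penalty at or below which the interface is released
    suppress: int = 2000            # penalty at or above which the interface is suppressed
    max_suppress_time: float = 20.0  # longest time an interface may stay suppressed
    flap_penalty: int = 1000        # penalty added per down transition

    @property
    def max_penalty(self) -> float:
        # A penalty above this could not decay to `reuse` within max_suppress_time.
        return self.reuse * 2 ** (self.max_suppress_time / self.half_life)


class DampenedInterface:
    """Tracks the physical state and the state the routing protocols are allowed to see."""

    def __init__(self, cfg: DampeningConfig):
        self.cfg = cfg
        self.penalty = 0.0
        self.last_update = 0.0
        self.physical_up = True
        self.suppressed = False

    def _decay_to(self, now: float) -> None:
        """Apply exponential decay since the last update and release if below reuse."""
        dt = now - self.last_update
        self.penalty *= 0.5 ** (dt / self.cfg.half_life)
        self.last_update = now
        if self.suppressed and self.penalty <= self.cfg.reuse:
            self.suppressed = False

    def transition(self, now: float, up: bool) -> bool:
        """Record a physical up/down transition; return the state seen by the IGP."""
        self._decay_to(now)
        if not up:
            self.penalty = min(self.penalty + self.cfg.flap_penalty, self.cfg.max_penalty)
            if self.penalty >= self.cfg.suppress:
                self.suppressed = True
        self.physical_up = up
        return self.igp_state(now)

    def igp_state(self, now: float) -> bool:
        """State advertised to the routing protocols at time `now`."""
        self._decay_to(now)
        return self.physical_up and not self.suppressed

    def seconds_until_reuse(self, now: float) -> float:
        """How long a suppressed interface stays hidden if it stops flapping now."""
        self._decay_to(now)
        if self.penalty <= self.cfg.reuse:
            return 0.0
        return self.cfg.half_life * math.log2(self.penalty / self.cfg.reuse)


def simulate(events: List[Tuple[float, bool]],
             cfg: Optional[DampeningConfig] = None) -> List[Tuple[float, bool, bool]]:
    """events: (time_seconds, physical_up); returns (time, physical_up, igp_sees_up)."""
    itf = DampenedInterface(cfg or DampeningConfig())
    return [(t, up, itf.transition(t, up)) for t, up in events]
```

Two flaps in quick succession reach the suppress threshold, after which the interface stays invisible to the IGP for one half-life even though it is physically up; that is the intended trade-off, so the reuse threshold and half-life should be chosen against the service SLA rather than left at defaults on links that carry time-critical traffic.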
High Availability
Link Failure Detection
§ POS
AIS alarm is used to trigger FRR protection, detected within a few ms
SDH/SONET has end to end signalling
§ GE
LOS based GE triggers FRR when GE interface goes down
Can be as fast as POS but should only be deployed over dark fibre or optical
network with end to end signalling
BFD Protocol Overview
§ Lightweight hello protocol
§ Configurable transmit and receive time intervals
§ Neighbors negotiate rate at which to send BFD control packets
§ Neighbors exchange hello packets at negotiated regular intervals
§ If a BFD control packet is not received in the negotiated detect time, the
peer is indicated as down
§ BFD sessions are established by the clients e.g. OSPF, IS-IS, EIGRP,
BGP
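The negotiation described above, as an added Python example (not code from the original deck or from any router implementation): pack_bfd and parse_bfd build and validate the mandatory section of an RFC 5880 control packet, applying the receive-side checks (version, non-zero Detect Mult and My Discriminator, Your Discriminator rules, A bit consistent with the packet length), and negotiate derives the local transmit interval and detection time from both sides' advertised intervals. The discriminators and interval values are made-up sample data.

```python
"""RFC 5880 BFD control packet encode/parse and interval negotiation."""
import struct

BFD_HDR = struct.Struct("!BBBBIIIII")     # mandatory section: 24 bytes, no authentication
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


def pack_bfd(state, detect_mult, my_disc, your_disc, desired_min_tx_us, required_min_rx_us,
             diag=0, poll=False, final=False, auth=False) -> bytes:
    """Build the mandatory section; the A bit is set on request but no auth section is appended."""
    flags = (state << 6) | (int(poll) << 5) | (int(final) << 4) | (int(auth) << 2)  # Sta|P|F|C|A|D|M
    return BFD_HDR.pack((1 << 5) | (diag & 0x1F), flags, detect_mult, BFD_HDR.size,
                        my_disc, your_disc, desired_min_tx_us, required_min_rx_us, 0)


def parse_bfd(pkt: bytes) -> dict:
    """Parse the mandatory section and apply the receive checks of RFC 5880 section 6.8.6."""
    if len(pkt) < BFD_HDR.size:
        raise ValueError("short BFD packet")
    vd, flags, mult, length, my_d, your_d, tx, rx, _erx = BFD_HDR.unpack_from(pkt)
    state = flags >> 6
    if vd >> 5 != 1:
        raise ValueError("unsupported BFD version")
    if length > len(pkt) or mult == 0 or my_d == 0:
        raise ValueError("bad length, zero Detect Mult or zero My Discriminator")
    if your_d == 0 and state not in (0, 1):
        raise ValueError("Your Discriminator is zero but state is not Down/AdminDown")
    auth = bool(flags & 0x04)
    if auth != (length > BFD_HDR.size):      # A bit must agree with presence of an auth section
        raise ValueError("A bit and authentication section disagree")
    return {"diag": vd & 0x1F, "state": STATE_NAMES[state], "poll": bool(flags & 0x20),
            "final": bool(flags & 0x10), "auth": auth, "detect_mult": mult,
            "my_disc": my_d, "your_disc": your_d,
            "desired_min_tx_us": tx, "required_min_rx_us": rx}


def negotiate(local_desired_tx_us: int, local_required_rx_us: int, remote: dict):
    """Return (our transmit interval, our detection time) in microseconds.

    We never send faster than the peer is willing to receive, and we declare the
    peer down after its Detect Mult times the slower of our RX floor and its TX rate."""
    tx_interval = max(local_desired_tx_us, remote["required_min_rx_us"])
    detect_time = remote["detect_mult"] * max(local_required_rx_us, remote["desired_min_tx_us"])
    return tx_interval, detect_time
```

The parser exposes the A bit on purpose: a BFD session running without authentication accepts any packet that carries the right discriminators, so a monitoring job that records sessions with auth False is a cheap way to find where a spoofed Down state could tear down an adjacency.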
Fast IGP (OSPF, IS-IS)
Fast IS-IS/OSPF introduced msec timers and throttling for update (LSA/LSP) generation and SPF computation
• Fast LSA/LSP generation after the initial event
Exponential backoff (repeated events increase the regeneration delay)
• Immediate SPF/PRC calculation
The exponential backoff algorithm protects the router at the cost of convergence time
Partial SPF/PRC
• Fast flooding of LSA/LSPs
Pacing timer is 33 ms by default (jittered by 10%)
• Prefix prioritization
/32 IPv4 and /128 IPv6 prefixes are classified by default as medium priority
Fast IGP is a key component for MPLS networks!
MPLS Convergence = Fast IGP + LDP + FRR
Fast IGP Exponential Backoff
timers throttle lsa all <lsa-start> <lsa-hold> <lsa-max>
timers throttle spf <spf-start> <spf-hold> <spf-max>
All values are in ms
NOTE: MinLSArrival must be <= lsa-hold
Example: timers throttle lsa all 10 500 5000
[Figure: LSA generation back-off timeline (time in ms) for events causing LSA generation at t1, t2, ...; the delay grows from lsa-start through doubled lsa-hold values up to lsa-max]
Convergence in MPLS Networks
LDP IGP Sync
• Problem:
– Traffic hit on link up when IGP converges before MPLS (LDP)
– Traffic loss when no LDP session on outbound interfaces
– Traffic hit/loss for any VPN traffic or multi-label traffic
• Solution:
– Makes sure that no traffic is routed towards links on which MPLS
(LDP) is not yet converged
– Synchronize IGP with LDP so that LDP controls IGP metric for given
link, depending on LDP state on given link
– A link is advertised by IGP with max metric if LDP session is not yet
up or not yet converged (label bindings exchange)
Convergence in MPLS Networks
LDP IGP Sync (cont’d)
• IGP sync feature enabled only under IGP
router(config-isis-if-af)#
mpls ldp sync [ level <1-2> ]
• To delay declaring sync up, a delay time can be configured under LDP:
router(config-ldp)#
igp sync delay seconds
Convergence in MPLS Networks
LDP Session Protection
• Problem:
– Link up: IP converges much faster/earlier than MPLS (LDP).
– Link up, MPLS traffic loss until MPLS converges .
– Link flap: LDP session also flaps.
• Solution:
– Protect an LDP (link) session by means of “parallel” source of
targeted discovery/hello.
– Given IP connectivity, LDP session is kept alive and neighbor label
bindings are maintained while link is down.
– Minimizes traffic loss as well as enables faster MPLS convergence
on link coming up.
router(config-ldp)#
session protection [for peer-acl] [duration seconds]
LDP Local Label Allocation Filtering
§ By default LDP generates label bindings for all IGP-learned or statically derived prefixes
§ To optimize MPLS L3VPN end-to-end convergence, operators limit label bindings to the PE loopbacks, which also lets the IGP converge faster
§ This feature allows prefix lists to control which label bindings are generated
Convergence in MPLS Networks
Traffic Engineering / Fast Re-Route
[Figure: link and node failures (marked X) around a protected node, with circuit emulation (CEoP) traffic carried over the protected path]
Deployment scenarios
§ Scenario 1: One-hop TE LSPs on P-P links
LDP LSP logically nested into the one-hop TE LSP
Logical nesting, as there is no label on the one-hop LSP (if PHP is active)
§ Scenario 2: Full mesh of TE LSPs between P nodes
TE capabilities in the P network
LDP/TDP LSP nested into the TE LSP
§ Scenario 3: Full mesh of TE LSPs between PE nodes
Number of TE LSPs for 100 PEs / 20 Ps with 15 FRR-protected links:
Scenario 1: 30 (2x15) < Scenario 2: 380 (20x19) < Scenario 3: 9900 (100x99)
1-Hop Tunnel Deployment
Requirement: protection only, to minimize packet loss in the service provider backbone
Solution: Deploy MPLS Fast Reroute for less than 50 ms failover time, with 1-hop primary TE tunnels and a backup tunnel for each
Edge Failures
[Figure: CE1, CE2 and CE3 attached to PE1, PE2 and PE3 around an MPLS core of P1, P2 and P3]
Site-to-Site Convergence in MPLS VPN Environment
[Figure: Local_CE - Local_PE - RR - Remote_PE - Remote_CE, with the VRF table, MP-BGP table, RIB, FIB and line-card hardware FIB on each PE; the stages are labeled T1 to T8]
Stages in order, with the default timers that dominate each one:
PE router receives a routing update from a CE router
Import of the local routing information into the corresponding ingress VRF routing table
Receipt of the local routes into the BGP table on the PE router
Advertisement of routes to MP-BGP peers (via the RR) = 5 sec
Receipt of the advertised routes into the BGP table on the remote PE router
Import of the newly received routes into the local VRF's routing table = 15 sec
Advertisement of routes to CE routers = 30 sec
Processing of the incoming updates by the CE router
Convergence Basics – BGP Scanner
How quickly can BGP propagate the change throughout the network?
• Every 60 seconds the BGP scanner recalculates the bestpath for all prefixes
Checks each BGP next hop's IGP cost every 60 seconds (polling model)
Invalidates paths whose next hop is unreachable
Runs best-path selection when the metric to the next hop has changed
• Changes to the IGP cost of a BGP next hop go unnoticed until the scanner's next run
The IGP may converge in less than a second (fast convergence)
BGP may not react for as long as 60 seconds
The periodic nature of the BGP scanner delays the reaction to next-hop failures (for example PE node failures) by up to 60 seconds
• Need to change from a polling model to an event-driven model to improve convergence
BGP Next Hop Tracking: BGP is informed when the IGP cost to a BGP next hop changes (event-driven model)
BGP NHT triggers a lightweight "BGP scanner" run
Enabled by default ([no] bgp nexthop trigger enable)
Convergence in MPLS VPN
PE node failure
[Figure: VPN1 HQ site behind CE1/PE1; the remote VPN1 site dual-homed through PE2/CE2 and PE3/CE3 across P1 and P2]
Faster Convergence Post-Failure:
Prefix-Independent-Convergence Effect
[Figure: Agilent measurements plotted against prefix number (0 to 7000), showing the BGP PIC effect: all prefixes recover together instead of one after another]
§ Testbed: Tier1 ISP topology, CRS-1, IOX 3.5, 5000 IS-IS prefixes, 350k IPv4 BGP dependents on the impacted BGP next hop
§ When IS-IS converges, all the BGP dependents immediately leverage the IS-IS convergence
Core MPLS
RR Failure
• PE1 receives routes via both RR1 and RR2 and selects the path via RR1 as bestpath
• RR1 becomes unreachable or crashes
• Traffic flows until the RR1-PE1 BGP session is detected down
• PE1 then deletes the bestpath
• The other path via RR2 is not available for immediate import
• It is imported during the next import scanner run!
Convergence in MPLS VPN:
VPN Fast Convergence—PE-CE Link Failure
[Figure: Site A dual-homed to PE11 and PE12 over the MPLS backbone to Site B via PE2, with the RR; on the PE11-CE1 link failure PE11 is the point of local repair and redirects the VPN traffic to PE12]
PE11 configuration:
ip vrf green
 rd 300:11
 protection local-prefixes
!
§ The 'BGP Local Convergence' feature helps PE11 minimize the traffic loss from seconds to milliseconds during a local PE-CE link failure
PE11 immediately reprograms the forwarding entry with the alternate BGP best path (which is via PE12)
PE11 redirects the CE1-bound traffic to PE12 (with the right label)
§ In parallel, PE11 sends the BGP withdraw message to the RR/PE2, which run the bestpath algorithm, remove the path learned via PE11, and then adjust their forwarding entries to point via PE12
§ This feature is independent of whether multipath is enabled on PE2 or not; it does, however, depend on the VPN site being multihomed
Configuring MPLS VPN – BGP Local Convergence
§ Can be enabled/disabled on a per-VRF basis
§ The cleanup timer of 5 minutes is not configurable
tuonno(config-vrf)#protection ?
  local-prefixes  Enable protection for local prefixes
[Figure: convergence time (ms, 0 to 14000) versus number of protected routes (100, 200, 500, 1000); min/average/max with protection ON versus OFF]
Fast Convergence Key Takeaways
§ Fast detection is key
LoS, BFD & IGP fast hellos
NHT
§ Fast convergence is based on core and edge optimization
Core optimization: FRR + Fast IGP + LDP
Edge optimization: Fast MP-iBGP, Fast BGP
§ A unique RD is a key element
§ Convergence is affected by label rewrites (i.e. the impact of a full routing table): requires PIC
Convergence in MPLS VPN
Site-to-Site Convergence Tuning
[Figure: Local_CE and Remote_CE across the MPLS VPN with designated VPNv4 RRs and Performance Routing (OER) at the edges]
L2VPN Convergence Elements
End-2-End Failure Scenarios
Protection Schema:
Fail 1: Attachment Circuit Redundancy
Fail 2: PW re-routing or TE/FRR or PW-RED
Fail 3: PW-RED with VPLS MAC Withdrawal TLV
Fail 4: VPLS PW re-routing or TE/FRR
Fail 5: Attachment Circuit Redundancy or Dual-Homed CE
50 msec TE/FRR Protection for H-VPLS
[Figure: EoMPLS access and VPLS core with the primary PW and a backup TE tunnel between aggregation ports; failure points Fail #1 (access) and Fail #2 (core) are marked X]
Protection Schema:
Fail 1: TE/FRR or PW re-routing or PW-RED
Fail 2: VPLS PW re-routing or TE/FRR
PW High Availability
[Figure: Site1/CE1 attached to PE1 and PE2, Site2/CE2 attached to PE3 and PE4, across a core of P1 to P4]
§ Failure in the provider core mitigated with link redundancy and FRR
§ PE router failure – PE diversity
§ Attachment circuit failure – need a pair of attachment circuits end-to-end
§ CE router failure – redundant CEs
L2VPN Networks—Dual Homed PW Sites Without Redundancy Feature
[Figure: Site1 (CE1) dual-homed to PE1 and PE2; Site2 (CE2, CE3) behind PE3 and PE4; core P1 to P4; the failed element is marked x]
PE facing PE3:
interface e1/0.1
 encapsulation dot1q 10
 xconnect <PE3 router ID> <VCID> encapsulation mpls
PE facing PE4:
interface e1/0.1
 encapsulation dot1q 10
 xconnect <PE4 router ID> <VCID> encapsulation mpls
Data Center Option Utilizing Layer 2 VPN to Provide High Availability Between Two Data Centers and Two Service Providers
[Figure: the 6500 data-center switch port-channel with one member toward CORE A and one toward CORE B; the PE1-COREA/COREB and PE2-COREA/COREB pairs carry the pseudowires]
6500-DCN-SWITCH:
!
interface gigabitethernet 1/0/1
 channel-group 1 mode on
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface gigabitethernet 1/0/2
 channel-group 1 mode on
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
PE1 (toward PE2):
!
interface gigabitethernet 1/0/0
 no switchport
 xconnect X.X.X.PE2 70 encapsulation mpls
PE2 (toward PE1):
!
interface gigabitethernet 1/0/0
 no switchport
 xconnect X.X.X.PE1 70 encapsulation mpls
Data Center Option Utilizing Layer 2 VPN to Provide Physical High Availability: Dual Switches Between Two Data Centers, STP-Free Topology
[Figure: 6500-A and its partner switch in each data center, interconnected by pseudowires with no spanning tree across the WAN]
Data Center Option Utilizing Layer 2 VPN and Virtual Switching New Features
PE1-COREA:
interface gigabitethernet 3/0          ! <- 6500 B
 xconnect 10.1.1.2 20 encapsulation mpls
!
interface gigabitethernet 4/0          ! <- 6500 B
 xconnect 10.1.1.2 40 encapsulation mpls
PE1-COREB:
interface gigabitethernet 3/0          ! <- 6500 A
 xconnect 10.1.1.1 20 encapsulation mpls
!
interface gigabitethernet 4/0          ! <- 6500 B
 xconnect 10.1.1.1 40 encapsulation mpls
High Availability in L2VPN Networks
[Figure: Site1 behind PE1 with the primary PW to PE3 and a standby PW to PE4 across P1 to P4; Site2 attached to PE3 and PE4]
§ If PE3 fails or the PE3 attachment circuit fails, the PW goes down. TE/FRR does not help in this scenario.
§ Solution – create a backup PW between PE1 and PE4. When the primary PW goes down, the backup PW comes up and traffic continues between the CEs.
§ Primary and backup PW can be between the same pair of PEs with different attachment circuits, or between different pairs of PEs, as in this example
Dual Homed PW Sites—with Redundancy Feature
[Figure: Site1 (CE1) dual-homed to PE1 and PE2; Site2 (CE2, CE3) behind PE3 and PE4 across P1 to P4; the failed element is marked x]
Pseudowire Redundancy
ACR: Attachment Circuit Redundancy
[Figure: Node B with a primary PW (working) and a backup PW (protection) toward the RNC, which uses MR-APS / APS 1+1]
Example setup:
§ RNC and BSC are using MR-APS (traditional)
§ "Primary PWE3" from Node B (ATM) and BTS (TDM)
§ "Backup PWE3" from Node B (ATM) and BTS (TDM)
§ Force APS failover on RNC and BSC, MR-APS on the aggregation router
Data Center Option Utilizing Layer 2 VPN to Provide Physical High Availability: Dual Switches Between Three Data Centers and One Transit Data Center
[Figure: PE1 and PE2 with primary pseudowires to 10.1.1.3 and backup peers toward each other; the failed primary is marked X]
PE1:
interface gigabitethernet 3/0
 xconnect 10.1.1.3 20 encapsulation mpls
  backup peer 10.1.1.2 200
PE2:
interface gigabitethernet 3/0
 xconnect 10.1.1.3 30 encapsulation mpls
  backup peer 10.1.1.1 200
H-VPLS MPLS Access Redundancy Overview
[Figure: U-PE11 and U-PE12 with primary and backup PWs to N-PE11/N-PE12 and N-PE21/N-PE22, a VFI on each N-PE and P routers in between; the second panel shows the MAC withdrawal after the PW switchover]
§ MAC withdrawal solves the traffic blackhole caused by outdated MAC tables after a PW switchover; as long as the VFI and VCs are up, MAC entries stay active until aged out
§ U-PE11 switches over to the backup PW if the primary PW goes down
§ When the backup PW becomes active, the U-PE generates a MAC withdrawal message via directed LDP to N-PE12. N-PE12 flushes its MAC table and forwards this message to its peers
§ After receiving the MAC withdrawal message, the remote PEs flush their MAC address tables
§ Packets from N-PE21 are flooded to all N-PEs. Flooding stops once the PE receives a packet from the reverse direction
Hot Standby Pseudowire Concept
Minimize service downtime due to the unavailability of the backup PW
[Figure: PE1 with a primary PW to PE2 and a backup PW to PE3, attachment circuits on both ends; the PW state is carried in an LDP Notification message with the PW Status TLV and PW Status Code]
PW Preferential Forwarding Status Bit
Failure Log: AC in Standby
[Figure: PE1 with the primary PW to PE2 and the standby PW to PE3]
mLACP With Two Sided VPWS/VPLS Redundancy
[Figure: DHD1 dual-homed to PE1 (standby) and PE2 (active), DHD2 dual-homed to PE3 and PE4 across MPLS, with links L1 to L4 and pseudowires PW1 to PW4 marked active or standby on each side]
§ VPWS
Two PEs form one virtual group on each site; one PE is primary, the other is backup
PEs send primary/backup information during PW signaling
PWs whose status is <active> on both sides are established; the others are hot standby
MPLS uplinks, attachment circuits and PW status are tracked
Message exchange within the virtual group (for mLACP this is ICCP) carries the redundancy status
§ VPLS
PWs are active only between PEs with active access circuits
Single active path through the VPLS domain between PE virtual groups
L2 VPN PE Redundancy Summary
§ 50 msec TE/FRR for P node and link protection
§ PW redundancy for PE node protection
PW switchover can be as fast as one second (or sub-second)
Hot standby PW (active-active model, VC independent)
§ End-to-end EoMPLS/VPLS redundancy solution
P-to-P EoMPLS PW for single- or dual-homed CEs
H-VPLS with both MPLS access and Ethernet access
PW redundancy with VPLS MAC address withdrawal
Full integration with access technologies (MST, REP)
§ Two-way PW redundancy via mLACP
End-to-End L2VPN Redundancy Overview
[Figure: H-VPLS with MPLS aggregation (u-PE1, n-PE1, n-PE3 and MPLS P routers in the VPLS core) on one side and (H-)VPLS with Ethernet aggregation (L2 switch, MPLS PE) on the other; failure points 1 to 5 marked along the path]
MPLS High Availability
§ MPLS network resiliency
Focus on MPLS path between adjacent MPLS nodes or end-
to-end path in MPLS network
– Failure detection enhancements for MPLS control plane
protocols
– Resilience and Restoration under Link and Node Failures
§ MPLS node resiliency
Focus on MPLS edge (PE) nodes with dual RPs
Cisco Non Stop Forwarding (NSF)
• Continuous MPLS packet forwarding during RP switch-over while MPLS
peering relationships are reestablished via Graceful Restart (GR)
procedures
Cisco Stateful Switch-Over (SSO)
• Active RP synchronizes (checkpoints) MPLS protocol state information with
standby RP
• MPLS control plane state preserved after RP switchover
Cisco NSF/SSO
Nonstop Forwarding with Stateful Switchover
Non Stop Forwarding (NSF) with Stateful Switch Over (SSO) allows the standby Supervisor to take control and continue forwarding data in the event of the active Supervisor failing.
[Figure: active and standby RPs with Cisco Express Forwarding, and the line cards that keep forwarding through the switchover]
• Cisco SSO
Allows the standby RP to take immediate control and maintain connectivity protocols
Maintains connectivity for L2 protocols
• NSF
Continues to forward using the current FIB while the routing information (RIB) is validated
Layer 3 (BGP, OSPF, IS-IS) recovers routing information from the neighbors and updates the RIB/FIB
Stateful Switchover (SSO): zero interruption in Layer 2 connectivity
Nonstop Forwarding (NSF): continuous packet forwarding with minimal packet loss
NSF-Aware Neighbors
Graceful Restart procedures for OSPF, IS-IS and BGP
[Figure: NSF-capable router with active and standby RPs (SSO) and line cards, peered with NSF-aware neighbors; failover time 0-3 s, predictable traffic path, no route flap]
NSF-aware neighbors:
• do not reconverge
• help the NSF-capable router restart
• continue forwarding traffic to the restarting router
NSF-capable router:
• rebuilds its L3 routing protocol database from the neighbors
• forwards data in hardware based on pre-switchover CEF information while the routing protocols reconverge
MPLS High Availability (HA)
NSF/SSO for MPLS
Proven Cisco NSF/SSO Technology for MPLS LDP and VPNs
§ Extended MPLS NSF/SSO capabilities (Packet forwarding with
no disruption during RP-switchover) for MPLS LDP, RSVP and
MPLS VPNs (including Inter-AS and CsC)
§ MPLS HA—LDP NSF/SSO
1. Checkpointing local label bindings to backup RP
On devices with route processor redundancy
NSR – Non Stop Routing
§ Simplified deployment for service providers
Only PEs need to be upgraded to support NSR (incremental deployment)
CEs are not touched! (i.e., no software upgrade required)
§ Scaling optimizations
PE uses NSR with CEs that are not NSF-aware
PE uses NSF (Graceful Restart) with NSF-aware CEs
iBGP sessions to RRs use NSF (Graceful Restart)
Focus: Carrier Class MPLS
End-to-End Resilience
• Both link and node availability along the MPLS path need to be considered (core and edge resilience)
• MPLS HA (NSF/SSO) is focused on MPLS failure protection, detection, and (auto) correction mechanisms
[Figure: customer's network (CE) - PE-CE link protection - provider's network (PE with HA and TE) - ASBR to ASBR - second provider's network]
• MPLS NSF/SSO support
• MPLS FRR (node + link protection)
• Embedded MPLS OAM and diagnostics
MPLS HA Components - Summary
MPLS node and network protection capabilities
Embedded management capabilities to detect MPLS failures
[Table of scope / feature / capabilities did not survive extraction]
MPLS Technology Framework
§ MPLS management using SNMP MPLS MIBs and MPLS OAM capabilities on the network infrastructure
MPLS Operations Lifecycle
§ Build and plan the network
Capacity planning and resource monitoring
One-time strategic operations
§ Monitor the network (internal-focused operations)
Node/link failure detection
May impact multiple services and configuration
§ Monitor service (external-focused operations)
Ongoing tactical operations
End-to-end monitoring
Linked to customer SLAs
[Figure: network configuration and planning alongside service configuration and planning]
What's Needed for MPLS management?
§ What's needed beyond the basic MPLS CLI?
CLI used for basic configuration and troubleshooting (show commands)
VRF-aware commands for the traditional troubleshooting tools
Traditional management tools:
§ MIBs to provide management information for SNMP management applications
MIB counters and trap notifications from MPLS
New management tools:
§ MPLS OAM -> for reactive troubleshooting
Ping and trace capabilities for MPLS label switched paths
§ Monitoring and performance management via MPLS-aware NetFlow and IP SLA for MPLS L3 VPN
§ Automated MPLS OAM -> for proactive troubleshooting
Automated LSP ping/trace via Auto IP SLA
Embedded Management for MPLS
OAM Tools
LSP Ping and Trace for LDP and RSVP distribution mechanisms, and VCCV
OAM Feature                                      | Deployment Scope | Standard Compliance   | Cisco Value Add
VCCV – LSP Ping (single and multi-segment PW)    | PWE3             | RFC 5085, IETF Draft  | Use of LSP Ping for liveness detection
VCCV – BFD (incl. fault, AC notification)        | PWE3             | IETF Draft            | Use of BFD over the VCCV control channel for failure detection
MPLS LSP Ping/Traceroute
MPLS OAM
Embedded management capabilities used for node-specific and end-to-end MPLS failure detection
§ A broken LSP affects end-to-end connectivity and services, and an MPLS failure is difficult to troubleshoot:
Requires the operator to do manual, hop-by-hop work
§ Various reasons for an LSP to break:
[Figure: MPLS network with labels 50 and 49 along the path; the list of failure causes did not survive extraction]
MPLS OAM Theory of Operation (1 of 2)
[Figure: R3 sends an MPLS echo request toward R1 through R4 and R2; the request carries the LSP's labels (50, then 49) with SA = source address and DA = destination address in 127/8]
§ The label stack is the same as used by the LSP, which makes the echo request switch in-band along the LSP
Same label stack -> takes the same path as the MPLS data
§ Where the LSP is broken, the packet is consumed by the router that tries to forward it using the IP header (the IP DA is a loopback address in 127/8)
§ In this case R2 would not forward the echo request to R1, but rather consumes the packet and replies to it accordingly
MPLS OAM Theory of Operation (2 of 2)
§ The LSP reply is generated as an IP packet, which may use an LSP back if one is available
§ The reply contains return code information
§ The echo reply, which may or may not be labeled, carries the information displayed on R3, which initiated the MPLS OAM test (probe)
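The echo request described above, as an added Python example (not code from the original deck or from any Cisco implementation): it encodes the MPLS echo header and a Target FEC Stack TLV with an LDP IPv4 prefix sub-TLV as laid out in RFC 4379, wraps it in the IPv4 (127/8 destination, Router Alert option, TTL 1) and UDP (port 3503) headers, pushes the LSP's label, and decodes it all back. The same label_stack_entry/decode_label_stack pair decodes the label, EXP and bottom-of-stack fields that MPLS-aware NetFlow reports later on this page (Pos:Lbl-Exp-S). IP and UDP checksums are left at zero, and the addresses, label, handle and sequence numbers are made up for the example.

```python
"""MPLS echo request (RFC 4379 LSP ping) builder/parser and label-stack decoder."""
import ipaddress
import struct

LSP_PING_PORT = 3503
ECHO_HDR = struct.Struct("!HHBBBBIIIIII")   # version, flags, type, reply mode, rc, rsc, handle, seq, 4 timestamps
RETURN_CODES = {0: "No return code", 3: "Replying router is egress for the FEC",
                4: "Replying router has no mapping for the FEC",
                8: "Label switched at stack depth", 11: "No label entry at stack depth"}


def label_stack_entry(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Encode one 32-bit MPLS shim: 20-bit label, 3-bit EXP, S bit, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def decode_label_stack(data: bytes):
    """Decode shims until the bottom-of-stack bit; returns (entries, payload)."""
    entries, off = [], 0
    while True:
        (word,) = struct.unpack_from("!I", data, off)
        entries.append({"label": word >> 12, "exp": (word >> 9) & 7,
                        "bos": bool(word & 0x100), "ttl": word & 0xFF})
        off += 4
        if word & 0x100:
            return entries, data[off:]


def build_echo_request(prefix: str, handle: int, seq: int, ts_sec: int = 0) -> bytes:
    """Echo request (type 1, reply via UDP) with a Target FEC Stack holding one LDP IPv4 prefix sub-TLV."""
    net = ipaddress.ip_network(prefix)
    sub_tlv = struct.pack("!HH4sB3x", 1, 5, net.network_address.packed, net.prefixlen)  # padded to 4
    fec_tlv = struct.pack("!HH", 1, len(sub_tlv)) + sub_tlv
    return ECHO_HDR.pack(1, 0, 1, 2, 0, 0, handle, seq, ts_sec, 0, 0, 0) + fec_tlv


def build_udp_ip_headers(src: str, dst: str, payload_len: int, ip_ttl: int = 1) -> bytes:
    """IPv4 header (Router Alert option, TTL 1) + UDP header, checksums left at zero.

    RFC 4379 requires a 127/8 destination so a transit router that pops the stack
    early cannot forward the probe on by IP; it has to consume and answer it."""
    if ipaddress.ip_address(dst) not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError("LSP ping destination must be in 127/8")
    ra_option = b"\x94\x04\x00\x00"                 # Router Alert, length 4, value 0
    ihl = 5 + len(ra_option) // 4
    total_len = ihl * 4 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, ip_ttl, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    udp = struct.pack("!HHHH", LSP_PING_PORT, LSP_PING_PORT, 8 + payload_len, 0)
    return ip + ra_option + udp


def build_probe(prefix: str, label: int, src: str, dst: str, handle: int, seq: int) -> bytes:
    """Complete on-the-wire probe: LSP label (TTL 255 for ping) + IP/UDP + MPLS echo request."""
    echo = build_echo_request(prefix, handle, seq)
    return label_stack_entry(label, 0, True, 255) + build_udp_ip_headers(src, dst, len(echo)) + echo


def parse_echo(pkt: bytes) -> dict:
    """Parse the fixed echo header and the first FEC sub-TLV of an echo request/reply."""
    ver, _flags, mtype, rmode, rc, _rsc, handle, seq, *_ = ECHO_HDR.unpack_from(pkt)
    if ver != 1:
        raise ValueError("unsupported MPLS echo version")
    tlv_type, _tlv_len = struct.unpack_from("!HH", pkt, ECHO_HDR.size)
    fec = None
    if tlv_type == 1:                                  # Target FEC Stack
        st, _sl, addr, plen = struct.unpack_from("!HH4sB", pkt, ECHO_HDR.size + 4)
        if st == 1:                                    # LDP IPv4 prefix sub-TLV
            fec = f"{ipaddress.ip_address(addr)}/{plen}"
    return {"type": {1: "echo-request", 2: "echo-reply"}.get(mtype, mtype), "reply_mode": rmode,
            "return_code": RETURN_CODES.get(rc, rc), "handle": handle, "seq": seq, "fec": fec}
```

The return code in the reply is what tells the operator where the LSP broke (egress for the FEC versus no mapping for the FEC versus label switched at depth), so a parser that surfaces it by name, as parse_echo does, is more useful than one that only reports reachability.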
Automated MPLS OAM
§ Automatic MPLS OAM probes between PE routers
Automatic discovery of PE targets via BGP next-hop discovery
Automatic discovery of all available LSP paths for the PE targets via LSP multi-path trace
Scheduled LSP pings to verify LSP path connectivity
3 consecutive LSP ping failures result in an SNMP trap notification
[Figure: PE1 probing PE2 across P1 and P2]
Automated LSP Verification
IP SLAs LSP Health Monitor
[Figure: IP SLA VPN with CEs attached to PEs across the MPLS core; IP SLAs run on the ingress and egress PEs]
§ Proactive end-to-end LSP verification
Standards-based LSP ping
Automatic neighbor PE discovery (per VRF), ingress + egress, for hundreds of PEs
LSP path discovery for each egress PE (including multiple paths)
§ Scalability
Fast retry on failure
Ease of configuration: automated test setup
Intelligent group-based notifications
Group scheduling
IP SLAs LSP Health Monitor
Functionality - in Detailed Steps
[Figure: IP SLA VPN with a CE behind PE1; PE1 probes PE2, PE3 ... PE50 across the MPLS core]
0. User configures the auto-command per VRF or for the PE
1. Automated LSP discovery
• Find the BGP next hops, for all VPNs or for selected VPN(s)
2. IP SLA agent
• Group-schedule the IP SLA probes: probes are generated from the source to all destination PEs using the /32 MP-iBGP VPNv4 loopbacks
• Use a single probe template
3. IP SLA + LSP ping
• Send LSP ping to one neighbor at a time, at a rate controlled by IP SLA (random start)
• Fast retry on failure; send a trap on timeout/connection loss
4. VPN discovery interval updates
• LSP Scan Rate (SR): add probes if a new BGP neighbor appears
• LSP Scan Rate Factor "N" (SR x N): delete probes (e.g. VRF removed or no route in the VRF)
Virtual Circuit Connection Verification (VCCV)
• Ability to provide end-to-end fault detection and diagnostics for an emulated pseudowire service
Requirement: one tunnel can serve many pseudowires
MPLS LSP ping is sufficient to monitor the PSN tunnel (PE-PE connectivity), but not the VCs inside the tunnel
Applications
§ Layer 2 transport over MPLS
FRoMPLS, ATMoMPLS, EoMPLS
[Figure: customer VLANs carried QinQ between two 7600 PEs across MPLS]
• Verify/trace the path of LSP tunnels between PEs
• Verify/trace emulated services (e.g. Ethernet) mapped to customer VLANs (attachment VCs)
• Trace/verify that the probes take the same path as the data packets
Connectivity Trace Using VCCV EoMPLS
§ VCCV marks the payload as a control packet for switching purposes; the packet follows the PW data path
§ Control packets sent over the AToM tunnels are intercepted by the egress PE
PE1#ping mpls pseudowire 172.16.255.4 333
[Figure: attachment circuit - PE1 - MPLS core - PE2 - attachment circuit; the VCCV packet is lost at the point of failure]
• The TTL in the VC label is set appropriately at the initiator to reach the node of interest whose connectivity is to be verified
• VCCV packets use the same path as the data packets (which may differ from the path taken by the signaling traffic)
Connectivity of a single-segment PW is verified using VCCV CC type 1 (RFC 5085)
VCCV Switching Types
Three different switching modes
Type 1 (in-band VCCV): defines the upper nibble of the CW (control word) as a Protocol ID (PID) field to signal in-band VCCV [RFC 4385]
• Cisco routers always use Type 1, if available, for LSP ping over an AToM VC control channel
• Type 2 switching accommodates those VC types and implementations that do not support or interpret the AToM control word
• A new CC Type 3, together with a new switching-point TLV, is introduced to support VCCV in MS-PWs (RFC 5085)
VCCV Switching Types (Type 2)
Signal out-of-band VCCV using the MPLS Router Alert label:
Shim an MPLS Router Alert label between the IGP label stack and the VC label
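How an egress PE tells the three control channels apart from ordinary PW data, as an added Python example (not from the original deck or from any Cisco implementation): Type 1 is recognised by the control word's first nibble 0001 (the PW Associated Channel Header of RFC 4385, with the VCCV channel types of RFC 5085), Type 2 by a Router Alert label (label 1) above the VC label, and Type 3 by the VC label's TTL expiring at the PE. The VC label value, the frames and the function names are constructed for the example.

```python
"""Classify a pseudowire packet at the egress PE: data, or one of the three VCCV control channels."""
import struct

ROUTER_ALERT_LABEL = 1                                   # label 1 shimmed above the VC label (CC Type 2)
VCCV_CHANNEL_TYPES = {0x0021: "IPv4", 0x0057: "IPv6"}    # PW ACH channel types used by VCCV (RFC 5085)


def shim(label: int, ttl: int, bottom: bool, exp: int = 0) -> bytes:
    """One 32-bit label stack entry."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def vccv_ach(channel_type: int) -> bytes:
    """PW Associated Channel Header (RFC 4385): nibble 0001, version 0, reserved, channel type."""
    return struct.pack("!BBH", 0x10, 0x00, channel_type)


def classify_pw_packet(pkt: bytes, local_vc_label: int) -> dict:
    """`pkt` starts at the first label left after the tunnel label was popped.

    Checks run in the order a forwarding engine would apply them: an unknown VC label is
    dropped; a Router Alert label or an expired VC-label TTL punts to the control plane
    (CC Types 2 and 3); then the control word's first nibble separates in-band VCCV (0001)
    from data (0000)."""
    labels, off = [], 0
    while True:
        if off + 4 > len(pkt):
            return {"verdict": "drop", "reason": "truncated label stack"}
        (w,) = struct.unpack_from("!I", pkt, off)
        off += 4
        labels.append({"label": w >> 12, "ttl": w & 0xFF})
        if w & 0x100:                                    # bottom of stack reached
            break
    if labels[-1]["label"] != local_vc_label:
        return {"verdict": "drop", "reason": "unknown VC label"}
    if any(l["label"] == ROUTER_ALERT_LABEL for l in labels[:-1]):
        return {"verdict": "punt", "cc_type": 2, "reason": "router alert label above VC label"}
    if labels[-1]["ttl"] <= 1:
        return {"verdict": "punt", "cc_type": 3, "reason": "VC label TTL expired"}
    cw = pkt[off:off + 4]
    if len(cw) < 4:
        return {"verdict": "drop", "reason": "missing control word"}
    nibble = cw[0] >> 4
    if nibble == 0x1:
        (channel_type,) = struct.unpack("!H", cw[2:4])
        return {"verdict": "punt", "cc_type": 1, "ach_version": cw[0] & 0x0F,
                "channel": VCCV_CHANNEL_TYPES.get(channel_type, hex(channel_type))}
    if nibble == 0x0:
        return {"verdict": "forward", "control_word": cw.hex(), "payload_len": len(pkt) - off - 4}
    return {"verdict": "drop", "reason": "reserved control word nibble"}
```

Everything that returns "punt" is handed to the route processor, so the three channels are also three ways for an attacker who can inject into a PW to reach the control plane; the classifier should sit behind the same CoPP or rate limit as the rest of the OAM traffic, and it only accepts probes whose bottom label is a VC label the PE actually owns.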
VCCV for Multi-Segmented Pseudowires
Ping Operation using VCCV Type III
Ping from T-PE2 to S-PE1
Example: MPLS VPN Aware NetFlow
[Figure: VPN traffic flow from 172.16.99.1 in vrf red, observed on the NetFlow interface]
The MPLS-aware NetFlow record carries the label stack entry of the flow:
Pos:Lbl-Exp-S 1:18-0-1
Label = 18
EXP = 0
Stack = 1
Embedded Management for MPLS:
SNMP MIBs and Traps
Deployment Scope             | MIB Module/OAM Feature | Standard Compliance | Cisco Value Add
LDP MPLS Core                | MPLS-FTN-MIB           | RFC 3814            | VRF-aware MIB capabilities
LDP MPLS Core                | MPLS-LDP-STD-MIB       |                     | LDP session status trap notifications
LDP MPLS Core                | MPLS-L3VPN-STD-MIB     |                     | VRF max-route trap notifications
Traffic Engineered MPLS Core | MPLS-TE-MIB            | RFC 3812            | -
Traffic Engineered MPLS Core | MPLS-FRR-MIB           | IETF Draft          | -
Traffic Engineered MPLS Core | MPLS-TE-STD-MIB        |                     | TE tunnel status trap notifications
LDP Event Monitoring Using LDP Traps
[Figure: PE1 and P1 joined by an LDP session; two failure scenarios are shown side by side.]

Scenario 1: Interface goes down
Time = t: Received SNMPv2c Trap from pe1:
sysUpTimeInstance = 8159606
snmpTrapOID.0 = mplsLdpSessionDown
mplsLdpSessionState.<index> = nonexistent(1)
mplsLdpSessionDiscontinuityTime.<index> = 8159605
mplsLdpSessionStatsUnknownMesTypeErrors.<index> = 0
mplsLdpSessionStatsUnknownTlvErrors.<index> = 0
ifIndex.5 = 5

Time = t+1: Received SNMPv2c Trap from pe1:
sysUpTimeInstance = 8159906
snmpTrapOID.0 = linkDown
ifIndex.5 = 5
ifDescr.5 = Ethernet1/0
ifType.5 = ethernetCsmacd(6)
locIfReason.5 = administratively down

Time = t+2: Received SNMPv2c Trap from p01:
sysUpTimeInstance = 8160579
snmpTrapOID.0 = mplsLdpSessionDown
mplsLdpSessionState.<index> = nonexistent(1)
mplsLdpSessionDiscontinuityTime.<index> = 8160579
mplsLdpSessionStatsUnknownMesTypeErrors.<index> = 0
mplsLdpSessionStatsUnknownTlvErrors.<index> = 0
ifIndex.5 = 5

Scenario 2: LDP session goes down
Time = t: Received SNMPv2c Trap from pe1:
sysUpTimeInstance = 8159606
snmpTrapOID.0 = mplsLdpSessionDown
mplsLdpSessionState.<index> = nonexistent(1)
mplsLdpSessionDiscontinuityTime.<index> = 8159605
mplsLdpSessionStatsUnknownMesTypeErrors.<index> = 0
mplsLdpSessionStatsUnknownTlvErrors.<index> = 0
ifIndex.5 = 5

Time = t+1: Received SNMPv2c Trap from p01:
sysUpTimeInstance = 8160579
snmpTrapOID.0 = mplsLdpSessionDown
mplsLdpSessionState.<index> = nonexistent(1)
mplsLdpSessionDiscontinuityTime.<index> = 8160579
mplsLdpSessionStatsUnknownMesTypeErrors.<index> = 0
mplsLdpSessionStatsUnknownTlvErrors.<index> = 0
ifIndex.5 = 5
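One way to turn the trap sequence on the slide into a cause classification, so that an operator can tell an LDP session lost to a local link failure from one with no local link event (the second scenario, where only the far end reports the session down). This is an added example and not a Cisco tool: the trap text in TRAPS is the slide's own "interface goes down" sequence, while the parsing, the 10-second correlation window and the finding names are assumptions made here.

```python
"""Correlate mplsLdpSessionDown traps with linkDown traps from the same agent
so that an LDP session loss caused by a local link failure can be told apart
from one with no local link event (e.g. the far end went away).  TRAPS is
the trap text from the slide; the parsing, the correlation window and the
finding names are choices of this example, not a Cisco tool."""
import re
from typing import Dict, List, Optional

TRAPS = """\
Time = t: Received SNMPv2c Trap from pe1:
sysUpTimeInstance = 8159606
snmpTrapOID.0 = mplsLdpSessionDown
mplsLdpSessionState.<index> = nonexistent(1)
mplsLdpSessionDiscontinuityTime.<index> = 8159605
mplsLdpSessionStatsUnknownMesTypeErrors.<index> = 0
mplsLdpSessionStatsUnknownTlvErrors.<index> = 0
ifIndex.5 = 5
Time = t+1: Received SNMPv2c Trap from pe1:
sysUpTimeInstance = 8159906
snmpTrapOID.0 = linkDown
ifIndex.5 = 5
ifDescr.5 = Ethernet1/0
ifType.5 = ethernetCsmacd(6)
locIfReason.5 = administratively down
Time = t+2: Received SNMPv2c Trap from p01:
sysUpTimeInstance = 8160579
snmpTrapOID.0 = mplsLdpSessionDown
mplsLdpSessionState.<index> = nonexistent(1)
mplsLdpSessionDiscontinuityTime.<index> = 8160579
mplsLdpSessionStatsUnknownMesTypeErrors.<index> = 0
mplsLdpSessionStatsUnknownTlvErrors.<index> = 0
ifIndex.5 = 5
"""

HEADER = re.compile(r"^Time = (\S+): Received SNMPv2c Trap from (\S+):$")
Trap = Dict[str, str]


def parse_traps(text: str) -> List[Trap]:
    """Split the manager log into one dict per trap: 'time' and 'agent' from
    the header line, then each 'name = value' varbind kept as-is."""
    traps: List[Trap] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            traps.append({"time": m.group(1), "agent": m.group(2)})
            continue
        if not traps or "=" not in line:
            continue  # text before the first header, or a line that is not a varbind
        name, _, value = line.partition("=")
        traps[-1][name.strip()] = value.strip()
    return traps


def varbind(trap: Trap, prefix: str) -> Optional[str]:
    """Value of the first varbind whose name starts with prefix, so that
    prefix 'ifIndex.' matches 'ifIndex.5' whatever the instance suffix is."""
    for name, value in trap.items():
        if name.startswith(prefix):
            return value
    return None


def classify_ldp_down(traps: List[Trap], window_ticks: int = 1000) -> List[Dict[str, Optional[str]]]:
    """For each mplsLdpSessionDown, look for a linkDown from the same agent on
    the same ifIndex within window_ticks of sysUpTime (hundredths of a second,
    so 1000 = 10 s).  sysUpTime is only comparable within one agent, which is
    why the search never crosses agents.  abs() covers both orders: on the
    slide the LDP trap is raised before the linkDown trap."""
    findings: List[Dict[str, Optional[str]]] = []
    for trap in traps:
        if trap.get("snmpTrapOID.0") != "mplsLdpSessionDown":
            continue
        agent, t0 = trap["agent"], int(trap["sysUpTimeInstance"])
        ifindex = varbind(trap, "ifIndex.")
        link = next(
            (o for o in traps
             if o["agent"] == agent
             and o.get("snmpTrapOID.0") == "linkDown"
             and varbind(o, "ifIndex.") == ifindex
             and abs(int(o["sysUpTimeInstance"]) - t0) <= window_ticks),
            None,
        )
        finding: Dict[str, Optional[str]] = {"time": trap["time"], "agent": agent, "ifIndex": ifindex}
        if link is not None:
            finding.update(cause="link-down", interface=varbind(link, "ifDescr."),
                           reason=varbind(link, "locIfReason."))
        else:
            finding.update(cause="no-local-link-event", interface=None, reason=None)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in classify_ldp_down(parse_traps(TRAPS)):
        print(f)
```

Run on the slide's sequence, pe1's session-down is attributed to Ethernet1/0 going administratively down, while p01's session-down carries no local linkDown and is reported as "no-local-link-event", which is exactly the signature of scenario 2 as seen from the peer. The window is per agent because sysUpTime values from pe1 and p01 (8159606 vs 8160579) are independent counters and must not be compared with each other.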
MPLS Management Summary
§ MPLS management operations include MPLS node
and service configuration, and monitoring
§ In addition to CLI, SNMP MIBs and OAM capabilities
are available for MPLS management
§ MPLS MIBs provide LDP, VPN, and TE management
information, which can be collected by SNMP tools
MIB counters, Trap notifications
Cisco MPLS Management Architecture
[Figure: layered management architecture; the recoverable content follows.]
Operations Support System / GUI / Software Partners, northbound interfaces: CORBA, SNMP, TL1, XML
Element Management System (Fault, Configuration, Performance and Accounting):
  Fault: Alarm Notification, Alarm Synchronisation, Threshold Alerts, Diagnostic Monitoring, SNMP Get/getBulk/Traps, Syslogs, RMON
  Configuration: Config Upload, Incremental Configuration, Change Notification, Programmatic Interface, CLI, TFTP
  Performance and Accounting: Data Collection, Data Export, SNMP Get and GetBulk, Bulk file transfer, NetFlow
Infrastructure Enhancements
Cisco IOS Management:
  Embedded management: CNS Bus, SNMP, HTTP, Telnet, SSH, NetFlow, XML, CLI, Programmatic Interface
  MPLS FCAPS: Performance (IP SLA, MIBs), Accounting (NetFlow), OAM (LSP Ping, MPLS Traceroute, VCCV)
  Protocol Enhancements: AutoTunnel, AutoMesh, Security
Summary
Final Notes and Wrap Up
MPLS Technology
Summary and Key Takeaways
§ It’s all about labels …
Label-based forwarding and IP protocol extensions for label exchange
Best of both worlds … L2-type forwarding and L3 control plane
§ Key application of MPLS is to implement VPN services
Secure and scalable layer 2 and 3 VPN connectivity
§ MPLS supports advanced traffic engineering capabilities
QoS, bandwidth control, and failure protection
§ MPLS is a mature technology with widespread deployments
Both SP and enterprise networks
§ Two types of MPLS users
Indirect (Subscriber): MPLS used as transport for subscribed service
Direct (DIY): MPLS implemented in (own) SP or enterprise network
MPLS, The Foundation for the NGN
A quick recap of the Benefits
MPLS Applications
[Figure: L2/L3 VPNs positioned across Service Providers, Enterprise Data Center, Data center interconnects and EWAN Edge.]
Key Features
§ Layer 3 Segmentation
VPN (RFC 2547bis)
Provides Any-to-Any connectivity
§ QoS Capabilities
Diffserv, Diffserv aware Traffic Engineering (DS-TE)
Recommended Reading
Terminology Reference
Terminology   Description
Pseudo-Wire   A Pseudo-Wire Is a Bidirectional "Tunnel" Between Two Features on a Switching Path.
PWE3          Pseudo-Wire End-to-End Emulation
QoS           Quality of Service
RD            Route Distinguisher
RIB           Routing Information Base
RR            Route Reflector
RT            Route Target
RSVP-TE       Resource Reservation Protocol based Traffic Engineering
VPN           Virtual Private Network
VFI           Virtual Forwarding Instance
VLAN          Virtual Local Area Network
VPLS          Virtual Private LAN Service
VPWS          Virtual Private WAN Service
VRF           Virtual Route Forwarding Instance
VSI           Virtual Switching Instance