MPLSVPN 3225

MPLS Bootcamp MPLS VPN
Khalid Raza, Kyle Bearden, & Munther Antoun March, 2001 Version 0.1
MPLS Bootcamp
2000, Cisco Systems, Inc.
Cisco Confidential
MPLS VPN Agenda

VPN Concepts MPLS VPN Functional Components MPLS VPN Architectural Components VPN Routing & Forwarding MPLS VPN Route Distribution MPLS VPN Data Plane MPLS VPN Topologies Convergence & Scaling Considerations QoS Deployment Strategies MPLS VPN Labs
MPLS Bootcamp
Cisco Confidential
Virtual Private Networks

Concepts
MPLS Bootcamp NW00 Paris
Cisco Confidential

An IP Network Infrastructure Delivering Private Network Services over a Public Infrastructure
Certainly not a new concept
Leased Lines --> Statistical Multiplexing
Delivered at Layer-2 (SP backbone) or Layer-3 (IP backbone) Private connectivity amongst multiple sites
Controlled access into the VPN
Global or non-unique private IP addressing space amongst the different VPNs

MPLS Bootcamp
Cisco Confidential

irt al t orks
irt al Pri at
t orks
irt al ial p
t orks
irt al L
O rla
P r-to-P r P
La r-2 P
La r-3 P
Acc ss lists (S ar ro t r)
Split ro ti ( icat ro t r)
MPLS/VP
X.25
F/R
ATM
RE
IPS c
MPLS Bootcamp
Cisco Confidential
VPN - Overlay Model

Virtual Circuit Layer-3 Routing Adjacency
CPE (CE) Device VPN Site CPE (CE) Device VPN Site
Provider Edge (PE) device
Provider Edge (PE) device
Service Provider Network
Private Trunks Across a Telco/SP Shared Infrastructure Leased/Dialup Lines FR/ATM Virtual Circuits IP(GRE) Tunnelling Point-to-point Solution between Customer Sites How to Size Inter-site Circuit Capacities? Full Mesh Requirement for Optimal Routing CPE Routing Adjacencies between Sites
MPLS Bootcamp
Cisco Confidential
VPN - Peer-to-Peer Model

Layer-3 Routing Adjacencies
CPE Router
Provider Edge Router
Provider Edge Router
CPE Router
VPN Site 1
VPN Site 2
Provider Edge Device Exchanges Routing Information with CPE All customer routes carried within SP IGP Simple routing scheme for VPN customer Routing between sites is optimal Circuit sizing no longer an issue Private Addressing is N T an ption Addition of New Sites is Simpler No overlay mesh to contend with
MPLS Bootcamp
Cisco Confidential
VPN - MPLS VPN Model

Static, RIP, OSPF, or eBGP Routing
MP-iBGP Session
Customer Edge (CE) Router VPN Site 1 Customer Edge (CE) Router VPN Site 2
Provider Edge (PE) Router
Provider Edge (PE) Router
Combines Benefits of verlay and Peer-to-peer Paradigms verlay (security and isolation amongst customers) Peer-to-peer (simplified customer routing) PE Routers only Hold Routes for Attached VPNs Reduces size of PE routing information Proportional to number of VPNs attached MPLS Used to Forward Packets (not Traditional IP Routing) Full routing within backbone no longer required
MPLS Bootcamp
Cisco Confidential
MPLS VPN Functional Components
MPLS Bootcamp
Cisco Confidential
MPLS VPN Connection Model The Whole Picture

VPN_A
10.2.0.0 CE
VPN_B
iBGP sessions
CE P P
VPN_A
11.5.0.0
VPN_A
10.2.0.0 CE
VPN_A
PE
PE
CE
10.1.0.0
11.6.0.0
VPN_B
CE PE
P PE CE
VPN_B
10.3.0.0
10.1.0.0 CE
P Routers (LSRs) are in the core of the MPLS cloud PE Routers (Edge LSRs or LERs) use MPLS with the core and plain IP with CE routers P and PE routers share a common IGP PE routers are MP-iBGP fully-meshed
or use Route-Reflectors (RRs)
MPLS Bootcamp
Confederations supported in IOS 12.1(5)T & higher [maybe also 10 Cisco Confidential 12.0(14)ST?]
MPLS VPN Model
P Router
CE Router
PE Router
PE Router
CE Router
VPN Site P-Network
VPN Site
C-Network
MPLS Bootcamp
Cisco Confidential
11
MPLS VPN Connectivity Model
A VPN is a collection of sites sharing common routing information

Same set of routes within the routing table
A site may belong to more than one VPN

through sharing of routing information
A VPN can be thought of as a closed user group (CUG) or community of interest
MPLS Bootcamp
Cisco Confidential
12
MPLS VPN Architectural Components
MPLS Bootcamp
Cisco Confidential
13
MPLS VPN Architectural Components
Control Planes LDP/TDP, MP-BGP, CE-PE Peering, IGP Forwarding Table VRF
Data Plane
MPLS Bootcamp
Cisco Confidential
14
VPN Routing & Forwarding Instance (VRF)

PEs Maintain Separate Routing Tables
Global Routing Table
Contains all PE and P routes (perhaps non-VPN BGP) Populated by the VPN backbone IGP
VRF (VPN Routing & Forwarding)

Routing & forwarding table associated with one or more directly connected sites (CE Routers) VRF is associated with any type of interface, whether logical or physical (e.g. Sub/Virtual/Tunnel) Interfaces may share the same VRF if the connected sites share the same routing information
MPLS Bootcamp
Cisco Confidential
15
VPN Routing & Forwarding Instances (VRF)

VPN Routing Table
VPN-A
CE PE
VRF for VPN-A
Paris
VPN-A
CE
IGP & nonVPN BGP VRF for VPN-B
London
VPN-B
CE
Munich Global Routing Table
Multiple routing & forwarding instances (VRFs) provide separation amongst different customers
MPLS Bootcamp
Cisco Confidential
16
MPLS VPN Connectivity Model

Private addressing in multiple VPNs no longer an issue
Provided that members of a VPN do not use the same address range
VPN A
London 10.2.1.0/24 Address space for VPN A and B must be unique 10.4.12.0/24 Milan Brussels 10.2.1.0/24 Vienna 10.22.12.0/24 Paris 10.3.3.0/24 Munich 10.2.12.0/24
VPN B
MPLS Bootcamp
VPN C
17
Cisco Confidential
VRF Route Population

VRF populated locally through PE and CE routing protocol
RIP, SPF, BGP-4 & Static routing
Separate routing context for each VRF

Routing Protocol Context (BGP-4 & RIP V2) Separate Process ( SPF)
C E
Site-1
PE
EBGP,OSPF, RIPv2,Static
CE
Site-2
MPLS Bootcamp
Cisco Confidential
18
VRF Route Distribution

PE routers distribute local VPN information across the MPLS VPN backbone
through MP-iBGP & redistribution from VRF Receiving PE imports routes into attached VRFs
P Router
CE Router PE PE CE Router
Site
MP-iBGP
Site
MPLS Bootcamp
Cisco Confidential
19
Multi-Protocol BGP (MP-BGP) VPN Components
MPLS Bootcamp
Cisco Confidential
20
MP-BGP VPN Components
Route Distinguisher (RD)
Route Target (RT) Site of Origin (SOO)
MPLS Bootcamp
Cisco Confidential
21
VPN Routing & Forwarding Instances
MPLS Bootcamp
Cisco Confidential
22
MPLS VPN Table Population

The global (non-VRF) routing table is populated through IGP protocols
May also contain BGP-4 (IPv4) routes No VPN routes
VRF routing tables contain VPN-specific routes

MP-iBGP routes imported into VRFs CE routes populate VRFs based on routing protocol context
MPLS Bootcamp
Cisco Confidential
23
VRF Population of MP-iBGP
VPN-A CE
Paris
PE
PE
VPN-A
CE MP-iBGP
London
BGP Table
Routes from VPN-A Routes from VPN-B
VRF VPN-A VRF VPN-B
VPN-B
CE
Munich
Re-distribution from VRFs into MP-iBGP for VPN information exchange

MPLS Bootcamp
Cisco Confidential
24
VRF Population through MP-iBGP

Receiving PE router needs to understand:
where the route originated from into which VRF(s) the route should be placed how to distinguish between duplicate addresses
Uniqueness of IPv4 prefix achieved through the use of a Route Distinguisher

RD (64-bit) identifier VPNv4 Route: 96-bit NLRI (RD + 32-bit IPv4 NLRI)
MPLS Bootcamp
Cisco Confidential
25
Extended Community Attribute

Permits placement in the proper VRF and site origin BGP transitive optional attributes containing a set of extended communities
Route Target
Identifies set of sites to which a particular route should be exported
(Site of
rigin)
( ptionally) refers to the site that originated a particular route

MPLS Bootcamp
Cisco Confidential
26

MP-iBGP PE
BGP, OSPF, RIPv2 update for 149.27.2.0/24,NH=CE-1 VPN-v4 update: RD:1:27:149.27.2.0/24, Nexthop=PE-1 SOO=Paris, RT=VPN-A, Label=(28)
PE
CE-1
Paris
CE-2
London
PE Routers Translate (32-bit) IPv4 Prefix into (96-bit) VPN-v4 Route

Assign a RD, RT and ( ptional) S based on configuration Re-write next-hop attribute (to PE loopback) Assign a label based on VRF and/or interface Send MP-iBGP update to all PE neighbors
MPLS Bootcamp
Cisco Confidential
27
MP-iBGP Update
VPN-V4 Address
Route Distinguisher (64 bits) Makes the IPv4 route globally unique RD is configured in the PE for each VRF RD may or may not be related to a site or a VPN IPv4 address (32bits)
Route Target (RT) & Optional Site of (S )
rigin
MPLS Bootcamp
Cisco Confidential
28
MP-iBGP Update
Any other standard BGP attribute
Local Preference MED Next-hop AS_PATH Standard community
A Label identifying:
The outgoing interface or VRF where a lookup has to be performed (Aggregate/Connected) MP-iBGP utilizes a second label in the label stack
MPLS Bootcamp
Cisco Confidential
29

MP-iBGP PE
VPN-v4 update: RD:1:27:149.27.2.0/24, Nexthop=PE-1 SOO=Paris, RT=VPN-A, Label=(28) ip vrf VPN-B route-target import VPN-A
PE
CE-1
Paris
VPN-v4 update is translated into IPv4 address and put into VRF VPN-A as RT=VPN-A and optionally advertised to CE2
CE-2
London
Receiving PE routers translate to IPv4

Insert the route into the VRF identified by the RT attribute (based on PE configuration)
The label associated to the VPN-V4 address will be set on packets forwarded towards the destination
MPLS Bootcamp
Cisco Confidential
30
Basic Intranet Model
VPN A
MPLS VPN Backbone

SiteSite-1 & Site-2 routes SiteRT=VPNRT=VPN-A SiteSite-3 & Site-4 routes SiteRT=VPNRT=VPN-A
VPN A
SITESITE-1
SITESITE-3
MP-iBGP
P Router
SITESITE-2
VPN A
SiteSite-1 routes SiteSite-2 routes SiteSite-3 routes SiteSite-4 routes
SiteSite-1 routes SiteSite-2 routes SiteSite-3 routes SiteSite-4 routes
SITESITE-4
VPN A
MPLS Bootcamp
Cisco Confidential
31
MP-BGP Route Target (RT) and Site of Origin (SOO)
MPLS Bootcamp
Cisco Confidential
32
RT & SOO
Two EXTENDED (64-bit) BGP Attributes Used to Define
Route-target Set of routers the route has to be exported to SOO (Site of Origin Identifier) Routers where the route has been originated
This enables the closed user group functionality Set by PE routers in order to define import/export policies on a per-site/VRF basis
MPLS Bootcamp
Cisco Confidential
33
BGP-4 Enhancements
MPLS Bootcamp
Cisco Confidential
34
Extended Community
Extended community attribute type code: TBD

Type Field: 2 bytes Value Field: 6 bytes
Types 0 through 0x7FFF inclusive are assigned by IANA Types 0x8000 through 0xFFFF inclusive are vendor-specific
MPLS Bootcamp
Cisco Confidential
35
Extended Community
High order bit of the type field 0x00

Administrator sub-field: 2 bytes (AS#) Assigned number sub-field: 4 bytes Example: 9177:123
High order bit of the type field 0x01

Administrator sub-field: 4 bytes (IP address) Assigned number sub-field: 2 bytes Example: 141.253.1.1:123
MPLS Bootcamp
Cisco Confidential
36
Extended Community
Router origin community Identifies one or more routers that inject a set of routes (that carry this community) into BGP
The Type field for the Route Origin community is 0x0001 or 0x0101
Similar to the Site of Origin (SOO)

Site of Origin use code 0x0003 and 0x0103
MPLS Bootcamp
Cisco Confidential
37
Extended Community
Route target community

Identifies one or more routers that may receive a set of routes (that carry this community) carried by BGP The type field for the route target community is 0x0002 or 0x0102
MPLS Bootcamp
Cisco Confidential
38
Extended Community
Site of Origin (SOO)

Identifies customer site Used to prevent loops when AS_PATH cannot be used The type field for SOO is 0x0003 or 0x0103
MPLS Bootcamp
Cisco Confidential
39
Site of Origin
Site-1 192.168.0.5/32
PE
CE
7200-1#sh ip route vrf odd C 192.168.65.0/24 is directly connected, Serial2 B 192.168.0.5 [20/0] via 192.168.65.5, 00:08:44, Serial2 7200-1# 7200-1#sh ip bgp vpn all Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 100:1 (default for vrf odd) *> 192.168.0.5/32 192.168.65.5 0 0 250 i 7200-1#sh ip bgp vpn all 192.168.0.5 BGP routing table entry for 100:1:192.168.0.5/32, version 17 Paths: (1 available, best #1) Advertised to non peer-group peers: 192.168.0.7 250 192.168.65.5 from 192.168.65.5 (192.168.0.5) Origin IGP, metric 0, localpref 100, valid, external, best Extended community: SoO:100:65 RT:100:3 7200-1#
ip vrf odd rd 100:1 route-target export 100:3 route-target import 100:3 ! interface Serial1 ip vrf forwarding odd ip address 192.168.65.6 255.255.255.0 ! router bgp 100 no synchronization no bgp default ipv4-unicast neighbor 192.168.0.7 remote-as 100 neighbor 192.168.0.7 update-source Loop0 neighbor 192.168.0.7 activate neighbor 192.168.0.7 next-hop-self no auto-summary ! address-family ipv4 vrf odd neighbor 192.168.65.5 remote-as 250 neighbor 192.168.65.5 activate neighbor 192.168.65.5 route-map setsoo in no auto-summary no synchronization exit-address-family ! address-family vpnv4 neighbor 192.168.0.7 activate neighbor 192.168.0.7 send-community extended no auto-summary exit-address-family ! route-map setsoo permit 10 set extcommunity soo 100:65
40
MPLS Bootcamp
Cisco Confidential
Site of Origin
VPN-IPv4 update: RD:192.168.0.5/32, Next-hop=PE-1 SOO=100:65, RT=100:3, Label=(intCE1)
PE-1
intCE1
PE-2
eBGP4 update: 192.168.0.5/32
eBGP4 update: 192.168.0.5/32
PE-2 will not propagate the route since the update SOO is equal to the one configured for the site
CE-1
192.168.0.5/32
Site-1 SOO=100:65
CE-2
MPLS Bootcamp
Cisco Confidential
41
Multi-Protocol BGP
Extension to the BGP protocol in order to carry routing information about other protocols
Multicast MPLS IPv6
Exchange of Multi-Protocol NLRI must be negotiated at session set up

BGP Capabilities negotiation
MPLS Bootcamp
Cisco Confidential
42
Multi-Protocol BGP - RFC2858

Obsoletes RFC2283 New non-transitive and optional BGP attributes
MP_REACH_NLRI
Carry the set of reachable destinations together with the next-hop information to be used for forwarding to these destinations
MP_UNREACH_NLRI
Carry the set of unreachable destinations
Attribute contains one or more triples

Address Family Information (AFI) Next-Hop Information NLRI
MPLS Bootcamp
Cisco Confidential
43
Labelled VPN-IPV4 Addresses in BGP-4
Labelled VPN-IPV4 address appears in BGP NLRI

AFI = 1 - Sub-AFI = 128
NLRI is encoded as one or more triples

Length: total length of Label + prefix (RD included) Label: 24 bits Prefix: RD (64 bits) + IPv4 prefix (32 bits)
MPLS Bootcamp
Cisco Confidential
44
Labelled VPN-IPV4 Addresses in BGP-4
The label is assigned by the router originating the NLRI

i.e., the router identified by the next-hop value
The label is changed by the router that modifies the next-hop value
Typically the EBGP speaker Or iBGP forwarder configured with next-hop-self
MPLS Bootcamp
Cisco Confidential
45
Labelled VPN-IPV4 addresses in BGP-4
Next-hop address must be of the same family of the NLRI

The next-hop will be a VPN-IPv4 address with RD set to 0
BGP will consider two VPN-IPV4 comparable even with different labels
A withdrawn of a VPN-IPv4 address will be considered for all NLRI corresponding to the VPN-IPV4 address, whatever are the different assigned labels
MPLS Bootcamp
Cisco Confidential
46
BGP Capabilities Negotiation
BGP routers establish BGP sessions through the OPEN message OPEN message contains optional parameters BGP session is terminated if OPEN parameters are not recognised A new optional parameter: CAPABILITIES
MPLS Bootcamp
Cisco Confidential
47
A BGP router sends an OPEN message with CAPABILITIES parameter containing its capabilities:
Multiprotocol extension Route Refresh Co-operative Route Filtering ...
MPLS Bootcamp
Cisco Confidential
48

BGP routers determine capabilities of their neighbors by looking at the capabilities parameters in the open message Unknown or unsupported capabilities may trigger the transmission of a NOTIFICATION message
The decision to send the NOTIFICATION message and terminate peering is local to the speaker. Such peering should not be re-established automatically draft-ietf-idr-bgp4-cap-neg
MPLS Bootcamp
Cisco Confidential
49
BGP routers use BGP-4 Multiprotocol Extension to carry label (label) mapping information
Multiprotocol Extension capability Used to negotiate the Address Family Identifier AFI = 1 Sub-AFI = 128 for MPLS-VPN
MPLS Bootcamp
Cisco Confidential
50
BGP Route Refresh

New BGP Capability: Route Refresh Allows a router to request to any neighbor the re-transmission of BGP updates
Useful when inbound policy has been modified Similar to Cisco soft-reconfiguration without need to store any route
BGP speakers may send Route-Refresh message only to neighbors from which the capability has been exchanged
MPLS Bootcamp
Cisco Confidential
51
BGP Route Refresh
When the inbound policy has been modified, the BGP speaker sends a Route-Refresh message to its neighbors
With AFI, Sub-AFI attributes
Neighbors will re-transmit all routes for that particular AFI and Sub-AFI
MPLS Bootcamp
Cisco Confidential
52
BGP Co-operative Route Filtering

In order to reduce amount of BGP traffic and CPU used to process updates, routers exchange filter configurations BGP speakers advertise to downstream neighbors the outbound filter(s) they have to use Filters are described in ORF entries
Outbound Route Filter
ORF entries are part of the Route-Refresh message

MPLS Bootcamp
Cisco Confidential
53
BGP Co-operative Route Filtering
ORF capability must be negotiated during session set-up

Capability negotiation
ORF capable BGP speaker will install ORFs per neighbor Each ORF will be defined by the upstream neighbor through routerefresh messages
MPLS Bootcamp
Cisco Confidential
54
BGP Co-operative Route Filtering ORF Entry
ORF Entry
AFI/Sub-AFI Filter will apply only to selected address families ORF-Type Determine the content of ORF-Value NLRI is one ORF-Type NLRI is used to match IP addresses (subnets)
MPLS Bootcamp
Cisco Confidential
55
BGP Co-operative Route Filtering ORF Entry
ORF Entry
Action ADD: Add an ORF entry to the current ORF DELETE: Delete a previously received ORF entry DELETE ALL: Delete all existing ORF entries Match PERMIT: Pass routes that match the ORF entry DENY: Do not pass routes that match the ORF entry
MPLS Bootcamp
Cisco Confidential
56
BGP Co-operative Route Filtering ORF Entry ORF Entry

ORF-Value (for ORF-Type=NLRI) is <Scope,NLRI> Scope EXACT: Remote peer should consider routes equal to the NLRI specified in the ORF REFINE: Remote peer should consider routes that are part of a subset of the NLRI specified in the ORF NLRI: <length, prefix> Multiple ORF entries will follow longest match
MPLS Bootcamp
Cisco Confidential
57
ORF Entries and Route-Refresh

ORF entries are carried in BGP RouteRefresh messages AFI/Sub-AFI are encoded into the AFI/SubAFI field of the route refresh message
WHEN-TO-REFRESH field IMMEDIATE: apply the filter immediately DEFER: wait for subsequent route-refresh message ORF-Type to be extended for Extended Communities
MPLS Bootcamp
Cisco Confidential
58
Packet Forwarding MPLS VPN Data Plane
MPLS Bootcamp
Cisco Confidential
59
MPLS VPN Forwarding

VPN_A VPN_A
10.2.0.0 CE
VPN_B
CE P2 PE2 P1 P4 PE4 P3
L8L2Data
11.5.0.0
VPN_A
10.2.0.0 CE
VPN_A
CE
Data
10.1.0.0
11.6.0.0
VPN_B
CE PE1
PE3
CE
VPN_B
10.3.0.0
10.1.0.0 CE
<RD_B,10.1> iBGP NH= PE2 L2 <RD_B,10.2> ,, iBGPnext hop PE1,T1 L7 L8 <RD_B,10.2> , iBGP next hop <RD_B,10.3> , iBGP next hop <RD_A,11.6> , iBGP next hop <RD_A,10.1> , iBGP next hop <RD_A,10.4> , iBGP next hop <RD_A,10.2> , iBGP next hop PE2 L2 PE3 L3 PE1 L4 PE4 L5 PE4 L6 L7 PE2
Ingress PE Receives Normal IP Packets from CE Router PE Router Does IP Longest Match in VRF , Finds iBGP Next Hop PE2 and Imposes a Stack of Labels: Second Level Label L2 + Top Label L8
MPLS Bootcamp
L8 L9 L7 LB LB L8
Cisco Confidential
60
MPLS VPN Forwarding

VPN_A
10.2.0.0
VPN_B VPN_A
CE CE
Data L2 Data
VPN_A
11.5.0.0
VPN_A
10.2.0.0 CE 11.6.0.0
VPN_B
PE2
P2
P4 PE4
L2 Data
LAL2 Data
CE
Data
10.1.0.0
P1 CE PE1
P3
PE3
CE
VPN_B
10.3.0.0
10.1.0.0 CE
in / out
L8, POP T8 Lw
T7 Lu L9 Lx La Ly Lb Lz
All subsequent P routers switch packet solely on top label Egress PE routers upstream LDP neighbor (Penultimate Hop or PH) removes top label (PHP) Egress PE uses bottom (VPN) label to select which VPN/CE to forward the Packet to
MPLS Bootcamp
Bottom label is removed and packet forwarded to CE router

Cisco Confidential
61
MPLS VPN Packet Forwarding

In Label FEC 197.26.15.1/32 Out Label In Label 41 FEC 197.26.15.1/32 Out Label POP In Label FEC 197.26.15.1/32 Out Label 41
PE-1 P router
Use label implicit-null for destination 197.26.15.1/32 VPN-v4 update: RD:1:27:149.27.2.0/24, NH=197.26.15.1 SOO=Paris, RT=VPN-A, Label=(28) Use label 41 for destination 197.26.15.0/24
Paris
149.27.2.0/24
London
PE and P routers have BGP next-hop reachability through the backbone IGP Labels are distributed through LDP corresponding to BGP next-hops or RSVP with Traffic Engineering
MPLS Bootcamp
Cisco Confidential
62

Label Stack is used for packet forwarding
Top label indicates BGP next-hop (exterior label) Second level label indicates outgoing interface or VRF (interior VPN label)
MPLS nodes forward packets based on top label

any subsequent labels are ignored
MPLS Bootcamp
Cisco Confidential
63

In Label FEC 197.26.15.1/32 Out Label 41 VPN-A VRF 149.27.2.0/24, NH=197.26.15.1 Label=(28) 41 28 149.27.2.27 149.27.2.27
PE-1
Paris
149.27.2.0/24
London
Ingress PE receives normal IP packets PE router performs IP Longest Match from VPN FIB, finds iBGP next-hop and imposes a stack of labels <IGP, VPN>
MPLS Bootcamp
Cisco Confidential
64

In Label In Label 28(V) FEC 149.27.2.0/24 Out Label In Label 68 FEC 197.26.15.1/32 Out Label POP VPN-A VRF 149.27.2.0/24, NH=197.26.15.1 Label=(28) 28 149.27.2.27 68 28 149.27.2.27 41 28 149.27.2.27 149.27.2.27 41 FEC 197.26.15.1/32 Out Label 68
VPN-A VRF 149.27.2.0/24, NH=Paris
PE-1
149.27.2.27
Paris
149.27.2.0/24
London
Penultimate PE router removes the IGP label

Penultimate Hop Popping procedures (implicit-null label)
Egress PE router uses the VPN label to select which VPN/CE to forward the packet to VPN label is removed and the packet is routed toward the VPN site
MPLS Bootcamp
Cisco Confidential
65
MPLS VPN Topologies
MPLS Bootcamp
Cisco Confidential
66
MPLS VPN Extranet Support

Extranet support is simply the import of routes from one VRF into another VRF which services a different VPN Controlled through the use of Route Target
if we import the route, we have access
Various topologies are viable using this technique

MPLS Bootcamp
Cisco Confidential
67
MPLS VPN Extranet Support

VPN-A CE
Paris VPN-A Paris Routes VPN-B Munich Routes
PE
VRF for VPN-A Extranet VPN Routing Table VRF for VPN-B
VPN-A
VPN-B CE
Munich
Sharing of VPN information between VRFs provides Extranet support

MPLS Bootcamp
Cisco Confidential
68
Central Services Model

Common topology is central services VPN
client sites may access central services but may not communicate directly with other client sites
Once again controlled through the use of route target

client sites belong to unique VRF, servers share common VRF client exports routes using client-rt and imports server-rt server exports routes using server-rt and imports server-rt & client-rt
MPLS Bootcamp
Cisco Confidential
69
Central Services Model
195.12.2.0/24
VPN A VRF (Export RT=client-rt) (Import RT=server-rt) VPN A VRF 195.12.2.0/24 146.12.9.0/24 MP-iBGP Update RD:195.12.2.0/24, RT=client-rt 146.12.9.0/24 MP-iBGP Update RD:146.12.9.0/24, RT=server-rt
VPN A
Central Server Site
VPN B VRF 146.12.7.0/24 146.12.9.0/24
MP-iBGP Update RD:146.12.7.0/24, RT=client-rt
VPN B
VPN B VRF (Export RT=client-rt) (Import RT=server-rt)
Server VRF (Export RT=server-rt) (Import RT=server-rt) (Import RT=client-rt)
146.12.7.0/24
MPLS Bootcamp
Cisco Confidential
70
MPLS VPN Internet Connectivity

Static Default Route
VPN sites may require Internet access
either directly or via a central site - no full routing
Default route provided through static or dynamic route within the VRF
extension to ip route command - Global keyword Internet gateway points to an exit point whose address is within the global routing table
PE router generates VPN customer routes into BGP through global static routes
MPLS Bootcamp
Cisco Confidential
71

Static Default Route
VPN A
195.12.2.0/24
ip route vrf VPN_A 0.0.0.0 0.0.0.0 Internet-PE global ip route 195.12.2.0 255.255.255.0 serial 1/0 VPN A VRF 0.0.0.0 NH=Internet-PE NH=Internet-
Internet Routing Table
MPLS VPN Backbone
Global Internet Access
VPN B VRF 0.0.0.0 NH=Internet PE
VPN B 146.12.9.0/24
ip route vrf VPN_B 0.0.0.0 0.0.0.0 Internet-PE global ip route 146.12.9.0 255.255.255.0 serial 1/1
MPLS Bootcamp
Cisco Confidential
72

Dynamic Default Route
VPN A Central Site VPN B Central Site
Export VPN A default with RT=17:22 RT=17:22 and VPN B default with RT=17:28 RT=17:28
VPNVPN-IPv4 Update Net=0.0.0.0/0 RT=17:28 RT=17:28 VPNVPN-IPv4 Update Net=0.0.0.0/0 RT=17:22 RT=17:22
VPNVPN-IPv4 Update Net=0.0.0.0/0 RT=17:28 RT=17:28 VPNVPN-IPv4 Update Net=0.0.0.0/0 RT=17:22 RT=17:22
VPN A
MPLS VPN Backbone

VPN A VRF (Import RT=17:22) VPN B VRF (Import RT=17:28)
VPN B
MPLS Bootcamp
Cisco Confidential
73

Separate BGP Session PE/CE Link
Many clients wish to send/receive routes directly with the Internet
default route is not sufficient in this environment
Routes reside on the PE router

but within the global not VRF tables
Mechanism needed to distribute this routing information to VPN customer sites

and also receive routes and place them into the global, and not VRF table
MPLS Bootcamp
Cisco Confidential
74

Separate BGP Session PE/CE Link
Achieved by using a second interface to the client site
either physical or logical, such as sub-interface or tunnel
(sub)interface associated with VRF
Internet Routes VPN Site CE PE Global Internet
(sub)interface associated with global routing table
MPLS Bootcamp
Cisco Confidential
75

Global Internet Table Association
If multiple exit points, then possibility to associate full Internet routes with a VRF
if only one exit point, then default pointing to Internet exit point interface will normally suffice
With multiple interfaces, sub-optimal routing a possibility with default route generation
as multiple defaults would allow load balancing but no best path selection
Association of Internet routes with VRF provide ability to generate aggregate default
MPLS Bootcamp
Cisco Confidential
76

ISP A
ISP B
Export default route with Internet_access route target
Export default route with Internet_access route target
PE
Static default pointing to loopback interface so lookup in VRF will occur on incoming packets
PE
MPLS Bootcamp
Cisco Confidential
77

Optimal routing between providers now possible Need to filter everything other than default
cpu and administrative overhead
Label assignment will occur for every route within the VRF
memory overhead even though labels are never used
If full routes distributed, could result in multiple copies of Internet routing table
MPLS Bootcamp
Cisco Confidential
78
MPLS VPN Convergence
MPLS Bootcamp
Cisco Confidential
79
Routing Convergence
Convergence needs to be assessed in two main areas
convergence within the MPLS VPN backbone convergence between VPN client sites
Both areas are completely independent ...

but work together to provide end-to-end convergence as perceived by the VPN client
therefore must be assessed in conjunction
MPLS Bootcamp
Cisco Confidential
80
End-to-End Routing Convergence
VPN Client A
New VPN route propagated across MPiBGP session New VPN route advertised
VPN Client A
PE
PE
Advertisement of new VPN route to relevant VPN sites
If link fails, MPLS VPN backbone IGP converges on new path to
New VPN route imported into relevant VRFs
BGP next-hop
Client-to-client and MPLS VPN backbone IGP convergence are independent

MPLS Bootcamp
Cisco Confidential
81
Convergence Across Backbone

Convergence of MPLS VPN backbone IGP will not affect client-to-client route convergence
unless BGP next-hop becomes unavailable; but will affect client-to-client traffic while backbone converges
Backbone may be router-only based or based on ATM switches

convergence will be different for the MPLS forwarding plane - cell-mode versus frame-mode implementation
MPLS Bootcamp
Cisco Confidential
82
Convergence - Router Based Backbone

Unsolicited Downstream
Bindings advertised as soon as route is in the routing table
Liberal Label Retention

If multiple neighbors, next-hop change causes new label to be used for forwarding
Immediate Notification of Routing Table Change

A route change (addition/deletion) immediately propagated to MPLS process
MPLS Bootcamp
Cisco Confidential
83
Convergence - Router Based Backbone

If P-1 to PE-2 link fails, PE-1 nexthop to destinations reachable via 197.26.15.1/32 (PE-2 Loopback) will change to P-3. As label exists (41), convergence is as quick as the IGP
VPN Client A
Use label 23 for destination 197.26.15.1/32 Use label POP for destination 197.26.15.1/32
VPN Client A
PE-1 P-1
Use label 41 for destination 197.26.15.1/32
PE-2
Use label POP for destination 197.26.15.1/32
P-3
Use label 25 for destination 197.26.15.1/32
P-2
MPLS & IGP backbone convergence are closely entwined

MPLS Bootcamp
Cisco Confidential
84
Convergence - ATM Backbone

Downstream-on-demand
Affects convergence as LSR must signal for downstream label binding
Conservative Label Retention

Convergence is affected as LSR must signal for downstream label binding if one does not exist Next-hop change will cause label request
Two-stage Convergence:
IGP: converge around topology changes MPLS: re-establish label mappings
MPLS Bootcamp
Cisco Confidential
85
Convergence - ATM Based Backbone

If P-1 to PE-2 link fails, PE-1 nexthop to destinations reachable via 197.26.15.1/32 (PE-2 Loopback) will change to P-3. As label does not exist, PE-1 must signal the next-hop downstream ATM-LSR
VPN Client A
Use label 1/239 for destination 197.26.15.1/32 Use label 1/321 for destination 197.26.15.1/32
VPN Client A
PE-1 P-1
Label request for destination 197.26.15.1/32
PE-2
P-3
P-2
MPLS LSR must re-converge on IGP change AND resignal for label mapping to downstream next-hop
MPLS Bootcamp
Cisco Confidential
86
Client-to-Client Convergence
Four Main Convergence Areas
Advertisement of routes from CE to PE and placement into VRF Propagation of routes across the MPLS VPN backbone Import process of these routes into relevant VRFs Advertisement of VRF routes to attached VPN sites
MPLS Bootcamp
Cisco Confidential
87
Backbone Route Propagation
Changes are not propagated to other BGP speakers immediately

Batched together and sent at advertisementinterval
Default = 5 seconds for iBGP, 30 for eBGP
Can be tweaked using the neighbor advertisement-interval command

Needs to be changed for both backbone and CE routers if BGP between PE & CE
MPLS Bootcamp
Cisco Confidential
88
Import Process
Import Process Uses a Separate Invocation of the Scanner Process
Default = 15 seconds Can be tuned using the bgp scan-time import command
Can take up to 15 Seconds for a Route to be Placed into a Receiving VRF

and then potentially another 30 Seconds to be advertised to CE if eBGP is in operation!
MPLS Bootcamp
Cisco Confidential
89
Scanner Process
Scanner process will also have an effect on convergence

Used to check next-hop reachability and to process any network commands within the BGP process Invoked every 60 seconds by default Can be tuned with the bgp scan-time command Large BGP table and small scan-time can be VERY CPU intensive - beware !
MPLS Bootcamp
Cisco Confidential
90
BGP Route Advertisement

In addition to the scanning and importing of routes, each PE router needs to advertise the best routes within each VRF to all its VRF neighbors
This occurs at both ingress and egress of the MPLS VPN network With eBGP CE neighbors, advertisement of these routes occurs every 30 seconds With (iBGP) PE neighbors, routes advertisement occurs every 5 seconds Can be tuned with the neighbor a.b.c.d advertisement-interval command
MPLS Bootcamp
Cisco Confidential
91
MPLS VPN Scaling
MPLS Bootcamp
Cisco Confidential
92
Scaling
Existing BGP techniques can be used to scale the route distribution: route reflectors (RRs) & BGP confederations (Inter-AS VPN) Each edge router needs only the information for the directly-connected VPNs it supports RRs are used to distribute VPN routing information
MPLS Bootcamp
Cisco Confidential
93
MPLS-VPN Scaling BGP

Route Reflectors
Route reflectors may be partitioned Each RR stores routes for a set of VPNs Thus, no BGP router needs to store information on ALL VPNs PEs will peer to RRs according to the VPNs they support
MPLS Bootcamp
Cisco Confidential
94
MPLS-VPN Scaling BGP Updates Filtering
iBGP full mesh amongst PEs results in flooding of all VPN routes to all PEs Scaling problems when large amount of routes. PEs need routes for only attached VRFs
MPLS Bootcamp
Cisco Confidential
95
Each PE will discard any VPN-IPv4 route that hasnt a route-target configured to be imported in any of the attached VRFs This reduces significantly the amount of information each PE has to store Volume of BGP table is equivalent of volume of attached VRFs (nothing more)
MPLS Bootcamp
Cisco Confidential
96

Import RT=yellow VRFs for VPNs yellow green Import RT=green
PE
MP-iBGP sessions
VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Green, Label=XYZ VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Red, Label=XYZ
Each VRF has an import and export policy configured Policies use route-target attribute (extended community) PE receives MP-iBGP updates for VPN-IPv4 routes If route-target is equal to any of the import values configured in the PE, the update is accepted Otherwise it is silently discarded
MPLS Bootcamp
Cisco Confidential
97
MPLS-VPN Scaling Route Refresh

PE
2. PE issue a Route-Refresh to all neighbors in order to ask for retransmission VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Green, Label=XYZ VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Red, Label=XYZ 1. PE doesnt have red routes (previously filtered out) 3. Neighbors re-send updates and red route-target is now accepted
Import RT=green Import RT=red
Policy may change in the PE if VRF modifications are done

New VRFs, removal of VRFs
However, the PE may not have stored routing information which become useful after a change PE request a re-transmission of updates to neighbors Route-Refresh
MPLS Bootcamp
Cisco Confidential
98
MPLS-VPN Scaling Outbound Route Filters - ORF

Import RT=yellow
PE
2. PE issue a Route-Refresh message with a ORF entry to neighbors in order not to receive red routes: Permit RT = Green, Yellow
VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Green, Label=XYZ VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOO=Site1, RT=Red, Label=XYZ
Import RT=green
1. PE doesnt need red routes
3. Neighbors dynamically configure the outbound filter and send updates accordingly
PE router will discard update with unused routetarget Optimisation requires these updates NOT to be sent Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to use prior to propagate BGP updates
MPLS Bootcamp
Cisco Confidential
99
Connecting MPLS-VPN Backbones
MPLS Bootcamp
Cisco Confidential
100
Connecting MPLS-VPN Backbones

Providers exchange routes between PEASBR routers MP-eBGP for (Labelled) VPNv4 addresses between ASBRs
Next-hop and labels are re-written by the PE-ASBRs
Requires PE-ASBRs to store VPN routes that need to be exchanged Routes are in the MP-BGP table but not in any routing table
PE-ASBRs do not have any VRFs MP-eBGP labels are used in LFIB
MPLS Bootcamp
Cisco Confidential
101
Connecting MPLS-VPN backbones

RR-1 reflects VPNv4 internal routes PE-ASBR1 advertises VPNv4 external routes RR-1 Core of P LSRs PE-1 MP-eBGP VPNv4 routes with label distribution PE-2 PE-3 RR-2 RR-2 reflects VPNv4 internal routes PE-ASBR2 advertises VPNv4 external routes Core of P LSRs
PE-ASBR1
PE-ASBR2
PE-ASBRs exchange VPNv4 addresses with labels CE-2 CE-1 CE-5
CE-3 CE-4
MPLS Bootcamp
Cisco Confidential
102
Connecting MPLS-VPN backbones

Network=RD1:N Next-hop=PE1 Label=L1 RR-1 Network=RD1:N Core of P LSRs Next-hop=PE1 Label=L1 PE-1 RR-2 Network=RD1:N Next-hop=PE-ASBR2 Label=L3 Core of P LSRs
Network=RD1:N Next-hop=PE-ASBR1 Label=L2
Network=RD1:N Next-hop=PE-ASBR2 Label=L3
PE-2
PE-3
PE-ASBR1
PE-ASBR2
Network=N Next-hop=CE2
Network=N Next-hop=PE3
CE-2 CE-1 CE-5
CE-3 CE-4
MPLS Bootcamp
Cisco Confidential
103
Multi-AS MPLS-VPN backbones

VPNV4 routes exchanged between PE-ASBRs
L1 Dest=N
RR-1 Core of P LSRs LDP-PE1-label L1 Dest=N
RR-2 L3 Dest=N
Core of P LSRs LDP-PE-ASBR2-label L3 Dest=N PE-2 PE-3
PE-1
L2 Dest=N PE-ASBR2
PE-ASBR1 Dest=N
Dest=N
CE-2 CE-1 CE-5
CE-3 CE-4
MPLS Bootcamp
Cisco Confidential
104
MPLS VPN Configuration
MPLS Bootcamp
Cisco Confidential
105
MPLS VPN Configuration

VPN knowledge is on PE routers Several basic steps are necessary to provision a PE router for VPN service
configuration of VRFs configuration of Route Distinguishers configuration of import/export policies configuration of PE to CE links association of VRFs to interfaces configuration of MP-BGP
MPLS Bootcamp
Cisco Confidential
106
VRF & RD Configuration

RD is configured on PE routers
separate RD per VRF good practise is to use the same RD for the same VPN in all PE routers
although this is not mandatory
VRF configuration commands

ip vrf <vrf-symbolic-name> rd <route-distinguisher-value> route-target import <Import route-target community> route-target export <Import route-target community>
MPLS Bootcamp
Cisco Confidential
107
VRF Configuration
ip vrf VPN-A rd 1:129 route-target export 100:1 route-target import 100:1 ip vrf VPN-B rd 1:131 route-target export 100:2 route-target import 100:2
VPN-A CE
Paris
PE
VPN-A
CE
London VRF VPN-A VRF VPN-B
VPN-B
CE
Munich VRF for VPN-A (RT100:1) Paris routes London routes VRF for VPN-B (RT100:2) Munich routes
MPLS Bootcamp
Cisco Confidential
108
PE/CE Routing Protocol

PE/CE can use BGP, RIPv2, OSPF or Static Routing context used for all except OSPF which uses a separate process Routing contexts are defined within the routing protocol instance
router rip version 2 ! address-family ipv4 vrf <vrf symbolic-name> version 2 network 195.27.15.0 ! address-family ipv4 vrf <vrf symbolic-name> ..
MPLS Bootcamp
Cisco Confidential
109

OSPF uses a different process
router ospf 100 vrf <vrf-symbolic-name> ! router ospf 200 vrf <vrf symbolic-name>
BGP uses address-family command

router bgp <AS #> ! address-family ipv4 vrf <vrf symbolic-name> ! address-family vpnv4
Static routes are configured per-VRF

ip route vrf <vrf symbolic-name>
MPLS Bootcamp
Cisco Confidential
110

interface Serial3/5 ip vrf forwarding VPN-A ip address 192.168.61.6 255.255.255.252 encapsulation ppp ! interface Serial3/6 ip vrf forwarding VPN-A ip address 192.168.61.9 255.255.255.252 encapsulation ppp ! interface Serial3/7 ip vrf forwarding VPN-B ip address 192.168.62.6 255.255.255.252 encapsulation ppp
VPN-A
CE
Paris
PE
VPN-A
CE
London
VPN-B
CE
Munich
router bgp 109 no bgp default ipv4-unicast neighbor 195.27.2.1 remote-as 100 neighbor 195.27.2.1 update-source Loopback0 ! address-family ipv4 vrf VPN-B neighbor 192.168.62.5 remote-as 65503 neighbor 192.168.62.5 activate exit-address-family ! address-family ipv4 vrf VPN-A neighbor 192.168.61.5 remote-as 65501 neighbor 192.168.61.5 activate neighbor 192.168.61.10 remote-as 65502 neighbor 192.168.61.10 activate exit-address-family ! address-family vpnv4 neighbor 195.27.2.1 activate neighbor 195.27.2.1 send-community extended exit-address-family
MPLS Bootcamp
Cisco Confidential
111
VRF Based Commands

All show commands are VRF based
show ip route vrf <vrf-symbolic-name> show ip protocol vrf <vrf-symbolic-name> show ip cef vrf <vrf-symbolic-name>
Ping and Telnet commands are VRF based

ping x.x.x.x vrf <vrf-symbolic-name> telnet x.x.x.x /vrf <vrf-symbolic-name>
MPLS Bootcamp
Cisco Confidential
112
MPLS VPN Internet Routing

VRF Specific Default Route
192.168.1.1 BGP-4
ip vrf VPN-A rd 100:1 route-target both 100:1 ! Interface Serial0 ip address 192.168.10.1 255.255.255.0 ip vrf forwarding VPN-A ! Router bgp 100 no bgp default ipv4-unicast network 171.68.0.0 mask 255.255.0.0 neighbor 192.168.1.1 remote 100 neighbor 192.168.1.1 activate neighbor 192.168.1.1 next-hop-self neighbor 192.168.1.1 update-source loopback0 ! address-family ipv4 vrf VPN-A neighbor 192.168.10.2 remote-as 65502 neighbor 192.168.10.2 activate exit-address-family ! address-family vpnv4 neighbor 192.168.1.2 activate exit-address-family ! ip route 171.68.0.0 255.255.0.0 Serial0 ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
Internet PE-IG
MP-BGP 192.168.1.2
PE
Serial0
PE
Site-1 Network 171.68.0.0/16 Site-2
MPLS Bootcamp
Cisco Confidential
113

VRF Specific Default Route
IP packet D=cisco.com
192.168.1.1
Internet
PE-IG
Label = 3 IP packet D=cisco.com
192.168.1.2
PE
Serial0
Global Table and LFIB 192.168.1.1/32 Label=3 192.168.1.2/32 Label=5 ... Site-2 VRF 0.0.0.0/0 192.168.1.1 (global) Site-1 routes Site-2 routes
PE
Site-1 Network 171.68.0.0/16 Site-2
MPLS Bootcamp
Cisco Confidential
114

Separated (sub)Interfaces
192.168.1.1 BGP-4
ip vrf VPN-A rd 100:1 route-target both 100:1 ! Interface Serial0 no ip address ! Interface Serial0.1 ip address 192.168.20.1 255.255.255.0 ip vrf forwarding VPN-A ! Interface Serial0.2 ip address 171.68.10.1 255.255.255.0 ! Router bgp 100 no bgp default ipv4-unicast neighbor 192.168.1.1 remote 100 neighbor 192.168.1.1 activate neighbor 192.168.1.1 next-hop-self neighbor 192.168.1.1 update-source loopback0 network 171.68.0.0 mask 255.255.0.0 neighbor 171.68.10.2 remote 502 ! address-family ipv4 vrf VPN-A neighbor 192.168.20.2 remote-as 502 neighbor 192.168.20.2 activate exit-address-family ! address-family vpnv4 neighbor 192.168.1.2 activate exit-address-family
115
Internet PE-IG
MP-BGP 192.168.1.2
PE
PE
Serial0.1
Serial0.2
BGP-4 Site-1 Network 171.68.0.0/16 Site-2
MPLS Bootcamp
Cisco Confidential

Separate (sub)Interfaces
192.168.1.1
Internet
PE-IG
Label = 3 IP packet D=cisco.com
PE Global Table Internet routes ---> 192.168.1.1 192.168.1.1, Label=3
192.168.1.2
PE
Serial0.1 Serial0.2
PE
Serial0.1 Site-1
Serial0.2 CE routing table Site-1 routes ----> Serial0.1 Internet routes ---> Serial0.2
Network 171.68.0.0/16 Site-2
MPLS Bootcamp
Cisco Confidential
116
MPLS-VPN Scaling Route Refresh

Import RT=yellow
PE
2. PE issue a Route-Refresh to all neighbors in order to ask for retransmission
VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOI=Site1, RT=Green, Label=XYZ VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOI=Site1, RT=Red, Label=XYZ
Import RT=green Import RT=red

1. PE doesnt have red routes (previously filtered out)
3. Neighbors re-send updates and red route-target is now accepted
New BGP capability: route refresh Allows a router to request to any neighbor the re-transmission of BGP updates
Useful when inbound policy has been modified Similar to Cisco soft-reconfiguration without need to store any route
MPLS Bootcamp
BGP speakers may send Route-Refresh Cisco Confidential message only to neighbors from which the
117
MPLS-VPN Scaling Outbound Route Filters - ORF

Import RT=yellow
PE
2. PE issue a ORF message to all neighbors in order not to receive red routes
VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOI=Site1, RT=Green, Label=XYZ VPN-IPv4 update: RD:Net1, Next-hop=PE-X SOI=Site1, RT=Red, Label=XYZ
Import RT=green
1. PE doesnt need red routes
3. Neighbors dynamically configure the outbound filter and send updates accordingly
PE router will discard update with unused route-target Optimisation requires these updates NOT to be sent Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to Cisco Confidential use prior to propagate BGP updates
MPLS Bootcamp
118
MPLS VPN - Configuration

ip vrf site1 rd 100:1 route-target export 100:1 route-target import 100:1 ip vrf site2 rd 100:2 route-target export 100:2 route-target import 100:2 route-target import 100:1 route-target export 100:1 ! interface Serial3/6 ip vrf forwarding site1 ip address 192.168.61.6 255.255.255.0 encapsulation ppp ! interface Serial3/7 ip vrf forwarding site2 ip address 192.168.62.6 255.255.255.0 encapsulation ppp Site-4 Site-1 ip vrf site3 rd 100:2 Site-3 route-target export 100:2 Site-2 VPN-B route-target import 100:2 route-target import 100:3 route-target export 100:3 ip vrf site-4 rd 100:3 Multihop MP-iBGP route-target export 100:3 route-target import 100:3 P P ! interface Serial4/6 ip vrf forwarding site3 PE2 ip address 192.168.73.7 255.255.255.0 encapsulation ppp ! VRF VRF VRF for site-2 for site-3 interface Serial4/7 for site-4 (100:2) (100:2) ip vrf forwarding site4 (100:3) Site-1 routes Site-2 routes Site-3 routes ip address 192.168.74.7 Site-2 routes Site-3 routes Site-4 routes 255.255.255.0 Site-3 routes Site-4 routes encapsulation ppp
VPN-C
VPN-A
PE1
VRF for site-1 (100:1) Site-1 routes Site-2 routes
Site-1
MPLS Bootcamp
Site-2
Site-3
Site-4
119
Cisco Confidential
MPLS VPN - Configuration

PE/CE routing protocols
router bgp 100 Site-4 no bgp default ipv4-unicast neighbor 7.7.7.7 remote-as 100 Site-1 VPN-C neighbor 7.7.7.7 update-source VPN-A Loop0 ! Site-3 Site-2 address-family ipv4 vrf site2 VPN-B neighbor 192.168.62.2 remote-as 65502 neighbor 192.168.62.2 activate MP-iBGP exit-address-family ! address-family ipv4 vrf site1 P P neighbor 192.168.61.1 remote-as 65501 neighbor 192.168.61.1 activate PE1 PE2 exit-address-family ! address-family vpnv4 VRF VRF neighbor 7.7.7.7 activate VRF VRF for site-2 for site-3 neighbor 7.7.7.7 next-hop-self for site-4 for site-1 (100:2) (100:2) (100:3) (100:1) exit-address-family Site-1 routes Site-2 routes
Site-1 routes Site-2 routes Site-2 routes Site-3 routes Site-3 routes Site-4 routes
router bgp 100 no bgp default ipv4-unicast neighbor 6.6.6.6 remote-as 100 neighbor 6.6.6.6 update-source Loop0 ! address-family ipv4 vrf site4 neighbor 192.168.74.4 remote-as 65504 neighbor 192.168.74.4 activate exit-address-family ! address-family ipv4 vrf site3 neighbor 192.168.73.3 remote-as 65503 neighbor 192.168.73.3 activate exit-address-family ! address-family vpnv4 neighbor 6.6.6.6 activate neighbor 6.6.6.6 next-hop-self exit-address-family
Site-3 routes Site-4 routes
Site-1
MPLS Bootcamp
Site-2
Site-3
Site-4
120
Cisco Confidential
IOS Support for MPLS
MPLS Bootcamp
Cisco Confidential
121
MPLS-VPN IOS Releases - LDP Status
Initial limited deployment release in 12.0(10)ST and up 12.0(11)ST available on CCO General deployment also planned for 12.2(1)T Will be based on the current IETF draft (draft-ietf-mpls-ldp-11.txt?)
MPLS Bootcamp
Cisco Confidential
122
References
MPLS Bootcamp
Cisco Confidential
123
References
RFCs and Internet Drafts
draft-rosen-rfc2547bis-02.txt (was RFC2547) RFC2858 (Obsoletes RFC2283) draft-ietf-mpls-bgp4-mpls-02.txt draft-ramachandra-bgp-extcommunities04.txt
Textbook
MPLS and VPN Architectures, by Ivan Pepelnjak, Jim Guichard (ISBN# 1-58705-002-1) MPLS: Technology and Applications, by Bruce Davie, Yakov Rekhter (ISBN#1-55860-656-4)
Useful URLs
http://wwwin-mpls.cisco.com/ http://wwwin-ch.cisco.com/SQA/devtest/tag-switching/ http://wwwin-people.cisco.com/sprevidi/
MPLS Bootcamp
Cisco Confidential
124
Reference Pointers
Mailing Lists
tag-vpn@cisco.com <-- (mpls-vpn questions) cs-tagswitching@cisco.com <-- (general mpls questions) CS-rrr@cisco.com <--(mpls-te questions) mpls-deployment@cisco.com
MPLS Bootcamp
Cisco Confidential
125
NW00 Paris
126

MPLSVPN 3225

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

MPLSVPN 3225

Încărcat de

Drepturi de autor:

Formate disponibile

MPLS Bootcamp MPLS VPN

2000, Cisco Systems, Inc.

MPLS VPN Agenda

2000, Cisco Systems, Inc.

Virtual Private Networks

MPLS Bootcamp NW00 Paris

2000, Cisco Systems, Inc.

Virtual Private Networks

Global or non-unique private IP addressing space amongst the different VPNs

Virtual Private Networks

2000, Cisco Systems, Inc.

VPN - Overlay Model

Provider Edge (PE) device

Provider Edge (PE) device

Service Provider Network

VPN - Peer-to-Peer Model

Provider Edge Router

Provider Edge Router

Service Provider Network

VPN - MPLS VPN Model

Provider Edge (PE) Router

Provider Edge (PE) Router

Service Provider Network

MPLS VPN Functional Components

2000, Cisco Systems, Inc.

MPLS VPN Connection Model The Whole Picture

MPLS VPN Model

VPN Site P-Network

2000, Cisco Systems, Inc.

MPLS VPN Connectivity Model

A VPN is a collection of sites sharing common routing information

A site may belong to more than one VPN

A VPN can be thought of as a closed user group (CUG) or community of interest

2000, Cisco Systems, Inc.

MPLS VPN Architectural Components

2000, Cisco Systems, Inc.

MPLS VPN Architectural Components

2000, Cisco Systems, Inc.

VPN Routing & Forwarding Instance (VRF)

VRF (VPN Routing & Forwarding)

VPN Routing & Forwarding Instances (VRF)

Munich Global Routing Table

MPLS VPN Connectivity Model

VRF Route Population

Separate routing context for each VRF

2000, Cisco Systems, Inc.

VRF Route Distribution

2000, Cisco Systems, Inc.

Multi-Protocol BGP (MP-BGP) VPN Components

2000, Cisco Systems, Inc.

MP-BGP VPN Components

Route Distinguisher (RD)

Route Target (RT) Site of Origin (SOO)

2000, Cisco Systems, Inc.

VPN Routing & Forwarding Instances

2000, Cisco Systems, Inc.

MPLS VPN Table Population

VRF routing tables contain VPN-specific routes

VRF Population of MP-iBGP

Re-distribution from VRFs into MP-iBGP for VPN information exchange

VRF Population through MP-iBGP

Uniqueness of IPv4 prefix achieved through the use of a Route Distinguisher