Professional Documents
Culture Documents
Advanced MPLS
VPN Solutions
Volume 1
Version 1.0
Student Guide
Text Part Number: 97-0624-01
The products and specifications, configurations, and other technical information regarding the products in this
manual are subject to change without notice. All statements, technical information, and recommendations in this
manual are believed to be accurate but are presented without warranty of any kind, express or implied. You
must take full responsibility for their application of any products specified in this manual.
LICENSE
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL,
DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU
AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT
AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS
(WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable license
to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software
(Software), Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code
form solely on a single central processing unit owned or leased by You or otherwise embedded in equipment
provided by Cisco. You may make one (1) archival copy of the Software provided You affix to such copy all
copyright, confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY
AUTHORIZED ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY
THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE
SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE
MATERIALS.
You agree that aspects of the licensed Materials, including the specific design and structure of individual
programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or
otherwise make available such trade secrets or copyrighted material in any form to any third party without the
prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade
secrets and copyrighted Material. Title to the Materials shall remain solely with Cisco.
This License is effective until terminated. You may terminate this License at any time by destroying all copies
of the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with
any provision of this License. Upon termination, You must destroy all copies of the Materials.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export
Administration Act and its associated regulations, and may be subject to export or import regulations in other
countries. You agree to comply strictly with all such regulations and acknowledge that it has the responsibility
to obtain licenses to export, re-export, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of California, United
States of America, as if performed wholly within the state and without giving effect to the principles of conflict
of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall
remain in full force and effect. This License constitutes the entire License between the parties with respect to
the use of the Materials
Restricted Rights - Ciscos software is provided to non-DOD agencies with RESTRICTED RIGHTS and its
supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S.
Government is subject to the restrictions as set forth in subparagraph C of the Commercial Computer
Software - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S.
Governments rights in software, supporting documentation, and technical data are governed by the restrictions
in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.
DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS.
CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST
PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS
MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. In no event shall Ciscos or its suppliers liability to You, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even
if the above-stated warranty fails of its essential purpose.
The following information is for FCC compliance of Class A devices: This equipment has been tested and
found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits
are designed to provide reasonable protection against harmful interference when the equipment is operated in a
commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not
installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference, in
which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual
generates and may radiate radio-frequency energy. If it is not installed in accordance with Ciscos installation
instructions, it may cause interference with radio and television reception. This equipment has been tested and
found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of
the FCC rules. These specifications are designed to provide reasonable protection against such interference in a
residential installation. However, there is no guarantee that interference will not occur in a particular
installation.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it
was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes
interference to radio or television reception, try to correct the interference by using one or more of the following
measures:
Turn the television or radio antenna until the interference stops.
Move the equipment to one side or the other of the television or radio.
Move the equipment farther away from the television or radio.
Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make
certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate
your authority to operate the product.
The following third-party software may be included with your product and will be subject to the software
license agreement:
CiscoWorks software and documentation are based in part on HP OpenView under license from the HewlettPackard Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright 1992, 1993
Hewlett-Packard Company.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the
University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating
system. All rights reserved. Copyright 1981, Regents of the University of California.
Network Time Protocol (NTP). Copyright 1992, David L. Mills. The University of Delaware makes no
representations about the suitability of this software for any purpose.
Point-to-Point Protocol. Copyright 1989, Carnegie-Mellon University. All rights reserved. The name of the
University may not be used to endorse or promote products derived from this software without specific prior
written permission.
The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed
by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating
system. All rights reserved. Copyright 1981-1988, Regents of the University of California.
Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products.
Fastmac software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to
Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered
trademarks of Madge Networks Limited. Copyright 1995, Madge Networks Limited. All rights reserved.
XRemote is a trademark of Network Computing Devices, Inc. Copyright 1989, Network Computing Devices,
Inc., Mountain View, California. NCD makes no representations about the suitability of this software for any
purpose.
The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved.
Access Registrar, AccessPath, Any to Any, Are You Ready, AtmDirector, Browse with Me, CCDA, CCDE,
CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo,
CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network
logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco
Systems Networking Academy logo, the Cisco Technologies logo, Fast Step, FireRunner, Follow Me Browsing,
FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, IQ Breakthrough, IQ
Expertise, IQ FastTrack, IQ Readiness Scorecard, The IQ Logo, Kernel Proxy, MGX, Natural Network Viewer,
NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy
Builder, Precept, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast,
SMARTnet, SVX, The Cell, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router,
Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and
Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service
marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco
Systems logo, the Cisco Systems Cisco Press logo, CollisionFree, Enterprise/Solver, EtherChannel,
EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch,
MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are
registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other
trademarks mentioned in this document are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any of its resellers. (0005R)
Advanced MPLS VPN Solutions, Revision 1.0: Student Guide
Copyright 2000, Cisco Systems, Inc.
All rights reserved. Printed in USA.
Table of Contents
Volume 1
ADVANCED MPLS VPN SOLUTIONS
1-1
Overview
1-1
Course Objectives
Course Objectives Implementation
Course Objectives Solutions
1-2
1-3
1-4
Prerequisites
1-5
Participant Role
1-7
General Administration
1-9
Sources of Information
1-10
2-1
Overview
Objectives
2-1
2-1
2-2
2-2
2-8
2-8
2-9
2-9
2-13
2-23
2-24
2-25
2-25
2-25
2-38
2-38
2-39
2-39
2-60
2-61
2-62
2-62
2-78
2-78
2-79
2-79
2-91
2-91
2-92
2-93
2-93
2-93
2-94
2-94
2-95
2-96
3-1
Overview
Objectives
3-1
3-1
3-2
3-2
3-16
3-16
3-17
3-17
3-26
3-26
3-27
3-27
3-43
3-43
3-44
3-44
3-55
3-55
3-56
3-56
3-82
3-82
Troubleshooting MPLS/VPN
Objectives
Summary
Review Questions
3-83
3-83
3-100
3-100
3-101
3-101
3-115
3-115
3-116
3-116
3-134
3-134
4-1
Overview
Objectives
vi
4-1
4-1
4-2
4-2
4-26
4-26
4-27
4-27
4-35
4-35
Summary
4-36
4-37
4-37
4-37
Volume 2
MPLS VPN TOPOLOGIES
5-1
Overview
Objectives
5-1
5-1
5-2
5-2
5-17
5-17
5-18
5-18
5-23
5-23
5-24
5-24
5-33
5-33
5-34
5-34
5-47
5-47
5-48
5-48
5-54
5-54
5-55
5-55
5-60
5-60
5-60
6-1
Overview
Objectives
6-1
6-1
6-2
6-2
6-16
6-16
6-17
6-17
6-23
6-23
6-24
6-24
6-32
6-36
6-38
6-38
vii
6-44
6-46
6-46
6-47
6-47
6-52
6-56
6-57
6-57
7-1
Overview
Objectives
7-1
7-1
7-2
7-2
7-15
7-16
7-17
7-17
7-30
7-31
7-32
7-32
7-37
7-37
7-38
7-38
7-52
7-52
7-53
7-54
7-54
7-55
7-56
7-56
viii
6-39
6-39
8-1
8-1
8-1
8-2
8-2
8-12
8-12
8-13
8-13
8-28
8-28
Chapter Summary
8-29
9-1
Overview
Objective
9-1
9-1
Infrastructure Migration
Objective
Summary
Review Questions
9-2
9-2
9-9
9-9
9-10
9-10
9-11
9-13
9-16
9-19
9-20
9-22
9-26
9-26
Chapter Summary
9-26
A-1
Overview
A-1
A-2
IP Addressing Scheme
A-5
A-7
Notes Pages
A-8
B-1
Overview
B-1
B-2
B-2
B-2
B-2
B-2
B-3
B-4
B-5
B-5
B-5
B-5
B-5
B-6
B-6
B-6
B-6
B-6
B-7
ix
C-1
C-2
C-2
C-2
C-3
C-3
C-4
C-5
C-5
C-6
C-9
C-9
C-9
C-10
C-10
C-10
C-11
C-11
C-12
C-13
C-13
C-13
C-14
C-14
C-14
C-15
C-16
C-16
C-17
C-17
D-1
Overview
D-1
D-2
D-2
D-2
D-3
D-4
D-4
D-4
D-4
C-1
D-8
D-8
D-9
D-10
D-10
D-10
D-11
D-11
D-11
D-12
Verification
D-13
D-14
D-14
D-14
D-15
D-15
D-18
D-18
D-19
D-20
D-20
D-21
D-21
D-21
D-22
D-23
D-23
D-23
D-24
D-24
D-24
D-25
D-26
D-26
D-15
D-16
D-17
E-1
Overview
E-1
E-2
E-2
E-2
E-3
E-4
E-4
E-4
E-5
E-6
E-6
E-6
E-6
E-6
E-7
E-7
E-7
F-1
Overview
F-1
Router WGxPE1
F-2
Router WGxPE2
F-4
xi
xii
Router WGxPE3
F-6
Router WGxPE4
F-8
Router WGxP
F-10
Router WGxA1
F-12
Router WGxA2
F-14
Router WGxB1
F-15
Router WGxB2
F-17
Advanced MPLS
VPN Solutions
Overview
Advanced MPLS VPN Solutions (AMVS) is an instructor-led course presented by
Cisco training partners to their end-user customers. This four-day course focuses
on using Virtual Private Networks (VPN) implemented with Multi-Protocol Label
Switching (MPLS) technology.
Upon completion of this training course, you will be able to design, implement
and troubleshoot MPLS VPN networks.
This chapter outlines the course prerequisites and course highlights, as well as
some administrative issues. It includes the following topics:
Course Objectives
Course Topics
Prerequisites
Participant Role
General Administration
Sources of Information
Course Syllabus
Graphic Symbols
Course Objectives
This section lists the course objectives.
Course Objectives
Technology
Upon completion of this course, you
will be able to perform the following tasks:
Identify major VPN categories and topologies, their
applications and technologies that can be used to
implement them
Describe MPLS/VPN terminology and architecture
Describe the routing and forwarding model of
MPLS/VPN
1-2
www.cisco.com
BSCN v1.01-2
Course Objectives
Implementation
Upon completion of this course, you
will be able to perform the following tasks:
Configure Virtual Routing and Forwarding tables
Configure Multi-protocol BGP in MPLS/VPN backbone
and the PE-CE routing protocols
Configure advanced MPLS/VPN features
Monitor and troubleshoot MPLS/VPN operations
Describe the specifics of OSPF operation inside a VPN
network
2000, Cisco Systems, Inc.
www.cisco.com
BSCN v1.01-3
1-3
Course Objectives
Solutions
Upon completion of this course, you
will be able to perform the following tasks:
Design and implement various MPLS/VPN topologies
Connect your VPN customers to the Internet
Design and implement MPLS/VPN backbone
Build large-scale MPLS VPN backbones
Develop a migration strategy toward MPLS/VPN from
a wide range of existing network infrastructures
1-4
www.cisco.com
BSCN v1.01-4
Prerequisites
This section lists the course prerequisites.
Prerequisites
Successful completion of:
Recommended:
CCNP or CCIE
certification
In-depth OSPF or IS-IS
knowledge
MPLS Traffic
Engineering and QoS
knowledge
Advanced
Advanced
MPLS
MPLS VPN
VPN
Solutions
Solutions
2000, Cisco Systems, Inc.
www.cisco.com
BSCN v1.01-5
To fully benefit from AMVS, you should already possess certain knowledge and
skills gained in a structured learning environment. You need to be have:
These skills can be gained from self-paced or instructor-led training sessions and
from work experience. The best way to gain the skills you need to follow the
CBCR course is:
You will be able to gain more practical experience from the course if already have
work experience and router configuration skills. These skills are best demonstrated
through Cisco career certifications Cisco Certified Networking Professional
(CCNP) or Cisco Certified Internetworking Expert (CCIE). In-depth knowledge of
Open Shortest Path First (OSPF) or Integrated Intermediate System Intermediate
System (IS-IS) routing protocol will help you perform the laboratory exercises
Copyright 2000, Cisco Systems, Inc.
1-5
better. MPLS Traffic Engineering and MPLS Quality of Service knowledge will
help you understand how these technologies relate to MPLS VPN.
1-6
Participant Role
This section discusses your responsibilities as a student.
Participant Role
Student role
Meet prerequisites
Introduce yourself
Ask and answer questions
www.cisco.com
BSCN v1.01-6
To take full advantage of the information presented in this course, you should
meet the prerequisites for this class.
Introduce yourself to the instructor and other students who will be working with
you during the five days of this course.
You are encouraged to ask any questions relevant to the course materials.
If you have pertinent questions concerning other Cisco features and products not
covered in this course, please bring these topics up during breaks or after class,
and the instructor will try to answer the questions or direct you to an appropriate
information source.
1-7
Welcome: Please
Introduce Yourself
Your name and work location
Your job responsibilities
Your internetworking experience
Your objectives for this week
www.cisco.com
BSCN v1.01-7
Introduce yourself, stating your name and the job function you perform at your
work location.
Briefly describe what experience you have with installing and configuring Cisco
routers, attending Cisco classes, and how your work experience helped you meet
the prerequisites highlighted earlier.
You should also state what you expect to learn from this course.
1-8
General Administration
This section highlights miscellaneous administrative tasks that must be addressed.
General Administration
Class-related
Facilities-related
Sign-in sheet
Rest rooms
Site emergency
procedures
Participant materials
Attire
Communications
www.cisco.com
BSCN v1.01-8
The instructor will discuss the administrative issues in detail so you will know
exactly what to expect from both the class and facilities. The following items will
be discussed:
1-9
Sources of Information
This section identifies additional sources of information.
Sources of Information
Student kit
www.cisco.com
CD-ROMs
Cisco Press
www.cisco.com
BSCN v1.01-9
Most of the information presented in this course can be found on the Cisco
Systems Web site or on CD-ROM. These supporting materials are available in
HTML format and as manuals and release notes.
To learn more about the subjects covered in this course, feel free to access the
following sources of information:
ITM CD-ROM
1-10
Course Syllabus
Technology
Implementation
MPLS VPN
MPLS VPN
Technology
Configuration on
Solutions
MPLS VPN
Topologies
IOS platforms
Internet Access
from a VPN
Running OSPF
in an MPLS VPN
Large-Scale MPLS
VPN Deployment
Environment
MPLS VPN
Migration Strategies
www.cisco.com
BSCN v1.01-10
The following schedule reflects the recommended structure for this course. This
structure allows enough time for your instructor to present the course information
to you and for you to work through the laboratory exercises. The exact timing of
the subject materials and labs depends on the pace of your specific class.
Module 1, MPLS VPN Technology (0,5 day)
The purpose of this module is to introduce you to the concept of Virtual
Private Networks and MPLS VPN Architecture. The module also
discusses routing and data forwarding model of MPLS VPN.
Module 1 includes the following chapters:
Chapter 1, Introduction
1-11
1-12
Overview
This lesson introduces Virtual Private Networks (VPN) and two major VPN
design options overlay VPN and peer-to-peer VPN. VPN terminology and
topologies are introduced.
The lesson then describes MPLS VPN architecture, operations and terminology.
It details CE-PE routing from various perspectives and BGP extensions (route
targets, and extended community attributes) that allow I-BGP to transport
customer routes over a provider network. The MPLS VPN forwarding model is
also covered together with its integration with core routing protocols
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
2-2
Traditional Router-Based
Networks
Site B
Site A
Site C
Site D
www.cisco.com
Page5
2-3
PE device
Customer site
Customer Premises
router (CPE)
Provider core
device
Provider edge device
(Frame Relay switch)
PE device
CPE router
Other
customer
routers
Large customer site
CPE router
Virtual Private Networks replace dedicated point-topoint links with emulated point-to-point links sharing
common infrastructure
Customers use VPNs primarily to reduce their
operational costs
2000, Cisco Systems, Inc.
www.cisco.com
Page6
Virtual Private Networks (VPNs) were introduced very early in the history of data
communications with technologies like X.25 and Frame Relay, which use virtual
circuits to establish the end-to-end connection over a shared service provider
infrastructure. These technologies, although sometimes considered legacy and
obsolete, still share the basic business assumptions with the modern VPN
approaches:
The dedicated links are replaced with common infrastructure that emulates
point-to-point links for the customer, resulting in statistical sharing of Service
Provider infrastructure
The statistical sharing is illustrated in the graphic, where you can see the CPE
router on the left has one physical connection to the service provider with two
virtual circuits provisioned. Virtual Circuit 1 (VC # 1) provides connectivity to the
top CPE router on the right. Virtual Circuit 2 (VC #2) provides the connectivity to
the bottom CPE router on the right.
2-4
VPN Terminology
Customer site
www.cisco.com
Page7
There are many conceptual models and terminologies describing various Virtual
Private Network technologies and implementations. In this section well focus on
the terminology introduced by MPLS VPN architecture. As youll see, the
terminology is generic enough to cover any VPN technology or implementation
and is thus extremely versatile.
The major parts of an overall VPN solution are always:
The Customer network (C-network): the part of the overall customer network
that is still exclusively under customer control.
2-5
VPN Terminology
Customer site
Page8
The devices that enable the overall VPN solution are named based on their
position in the network:
Customer router that connected the customer site to the Service Provider
network is called a Customer Edge router (CE-router). Traditionally this
device is called Customer Premises Equipment (CPE).
Note
2-6
If the CE device is not a router, but, for example, a Packet Assembly and
Disassembly (PAD) device, we can still use a generic term CE-device.
Service Provider devices where the customer devices are attached are called
Provider Edge (PE) devices. In traditional switched Wide Area Network
(WAN) implementations, these devices would be Frame Relay or X.25 edge
switches.
Service Provider devices that only provide data transport across the Service
Provider backbone and have no customers attached to them are called
Provider (P) devices. In traditional switched WAN implementations these
would be core (or transit) switches.
VPN Terminology
Specific to Switched WAN
Virtual Circuit (VC) #1
PE device
Customer site
Customer Premises
Router (CPE)
Provider core
device
Provider edge device
(Frame Relay switch)
PE device
CPE router
Other
customer
routers
Large customer site
CPE router
www.cisco.com
Page9
2-7
Summary
Virtual Private Networks were introduced by Service Providers to offer a more
cost-effective alternative to traditional customer network design, which relied on
dedicated point-to-point links between customer sites.
The overall network implemented with a VPN solution is divided into the
Customer network (C-network), which is exclusively under customers control
and the Provider network (P-network), the shared infrastructure used to offer the
VPN services. A contiguous part of the C-network is called a customer site.
The device linking a customer site with the P-network is called Customer Edge
(CE) device. Most commonly this is a router, called CE-router. This component
was traditionally named Customer Premises Equipment (CPE).
The edge device in Service Provider network, to which the customers are attached,
is called Provider Edge (PE) device. The device inside the Provider network with
no customer connectivity is a Provider (P) device.
Review Questions
Answer the following questions:
2-8
What is a C-network?
What is a CE-router?
What is a P-network?
2-9
VPN Implementation
Technologies
VPN services can be offered based on
two major paradigms:
Overlay Virtual Private Networks where the
Service Provider provides virtual point-topoint links between customer sites
Peer-to-Peer Virtual Private Networks where
the Service Provider participates in the
customer routing
www.cisco.com
Page14
Traditional VPN implementations were all based on the overlay paradigm the
Service Provider sells virtual circuits between customer sites as a replacement for
dedicated point-to-point links. The overlay paradigm has a number of drawbacks
that will be identified in this section. To overcome these drawbacks (particularly
in IP-based customer networks), a new paradigm called peer-to-peer VPN was
introduced where the Service Provider actively participates in customer routing.
2-10
Customer Site
Router A
Customer Site
Customer Site
Router C
(VC) #1
Frame Relay
Edge Switch
Frame Relay
Edge Switch
Frame Relay
Edge Switch
Router B
Customer Site
Router D
www.cisco.com
Page15
The diagram above shows a typical overlay VPN, implemented by a Frame Relay
network. The customer needs to connect three sites (site Alpha being the central
site the hub) and orders connectivity between Alpha (Hub) and Beta (Spoke) and
between Alpha (Hub) and Gamma (Spoke). The Service Provider implements this
request by providing two PVCs across the Frame Relay network.
2-11
Router B
Router C
Router D
www.cisco.com
Page16
From the layer-3 perspective, the Service Provider network is invisible the
customer routers are linked with emulated point-to-point links. The routing
protocol is run directly between customer routers that establish routing adjacencies
and exchange routing information.
The Service Provider is not aware of customer routing and has no information
about customer routes. The responsibility of the Service Provider is purely the
point-to-point data transport between customer sites.
2-12
Overlay VPN
Layer-1 Implementation
IP
PPP
ISDN
HDLC
SDH, SONET
www.cisco.com
Page17
In layer-1 overlay VPN implementation, the Service Provider sells layer-1 circuits
(bit pipes) implemented with technologies like ISDN, DS0, E1, T1, SDH or
SONET. The customer takes responsibility for layer-2 encapsulation between
customer devices and the transport of IP data across the infrastructure.
2-13
Overlay VPN
Layer-2 Implementation
IP
X.25
Frame Relay
ATM
www.cisco.com
Page18
2-14
Overlay VPN
IP Tunneling
Internet Protocol (IP)
IP Security (IPSec)
www.cisco.com
Page19
With the success of Internet Protocol (IP) and associated technologies, some
Service Providers started to implement pure IP backbones to offer VPN services
based on IP. In other cases, the customers want to take advantage of low cost and
universal availability of Internet to build low-cost private networks over it.
Whatever the business reasons behind it, overlay Layer 3 VPN implementation
over IP backbone always involves tunneling (encapsulation of protocol units at a
certain layer of OSI model into protocol units at the same or higher layer of OSI
model).
Two well-known tunneling technologies are IP Security (IPSEC) and Generic
Route Encapsulation (GRE). GRE is fast and simple to implement and supports
multiple routed protocols, but provides no security and is thus unsuitable for
deployment over the Internet. An alternate tunneling technology is IPSec, which
provides network layer authentication and optional encryption to make data
transfer over the Internet secure. IPSec only supports the IP routed protocol.
2-15
Overlay VPN
Layer-2 Forwarding
Internet Protocol (IP)
Point-to-Point Protocol (PPP)
Layer-2 Transport
Protocol (L2TP)
Layer-2
Forwarding (L2F)
Point-to-Point
Tunneling (PPTP)
www.cisco.com
Page20
Yet another tunneling technique that was first implemented in dial-up networks,
where the Service Providers wanted to tunnel customer dial-up data encapsulated
in point-to-point protocol (PPP) frames over an IP backbone to the customers
central site. To make the Service Provider transport transparent to the customer,
PPP frames are exchanged between the customer sites (usually a dial-up user and a
central site) and the customer is responsible for establishing layer-3 connectivity
above PPP.
There are three well-known PPP forwarding implementations:
2-16
Router C
Router A
Customer Site
Customer Site
(PE) Router
(PE) Router
(PE) Router
Customer Site
Router D
Router B
www.cisco.com
Page21
2-17
Customer A
Site #2
Shared router
Customer B
Site #1
www.cisco.com
Page22
The first peer-to-peer VPN solutions appeared several years ago. Architectures
similar to the Internet were used to build them and special provisions had to be
taken in account to transform the architecture, which was targeted toward public
backbones (Internet) into a solution where the customers would be totally isolated
and able to exchange their corporate data securely.
The more common peer-to-peer VPN implementation uses packet filters on the
PE-routers to isolate the customers. The Service Provider allocates portions of its
address space to the customers and manages the packet filters on the PE-routers to
ensure full Reachability between sites of a single customer and isolation between
customers.
2-18
Customer A
Site #2
PE-router
Customer-A
P-router
PE-router
Customer-B
Customer B
Site #1
www.cisco.com
Page23
Default routes used anywhere in the customer or Service Provider network break
isolation between the customers and have to be avoided.
2-19
Peer-to-Peer VPN
Guarantees optimum
routing between
customer sites
Easier to provision an
additional VPN
Only the sites are
provisioned, not the
links between them
www.cisco.com
Page24
Overlay VPNs are well known and easy to implement, both from customer
and Service Provider perspective
2-20
Peer-to-Peer VPN
Implementing optimum
routing requires fullmesh of virtual circuits
Virtual circuits have to
be provisioned manually
Bandwidth must be
provisioned on a site-tosite basis
Always incurs
encapsulation overhead
Service Provider
participates in customer
routing
SP becomes responsible
for customer
convergence
PE routers carry all
routes from all
customers
SP needs detailed IP
routing knowledge
www.cisco.com
Page25
Overlay VPNs require a full mesh of virtual circuit between customer sites to
provide optimum inter-site routing
All the virtual circuits between customer sites in an overlay VPN have to be
provisioned manually and the bandwidth must be provisioned on a site-to-site
basis (which is not always easy to achieve).
The IP-based overlay VPN implementations (with IPSEC or GRE) also incur
high encapsulation overhead (ranging from 20 to 80 bytes per transported
datagram).
The major drawbacks of peer-to-peer VPN arise from the Service Providers
involvement in customer routing:
The Service Provider becomes responsible for correct customer routing and
for fast convergence of customer network following a link failure.
The Service Provider P-routers have to carry all customer routes that were
hidden from the Service Provider in the overlay VPN paradigm.
2-21
Dedicated PE router
Lower performance
each packet has to pass
a packet filter
www.cisco.com
Page26
2-22
Summary
VPN Taxonomy
Virtual Networks
Virtual Private
Networks
Overlay VPN
Layer 2 VPN
Virtual LANs
Peer-to-Peer VPN
Layer 3 VPN
Access Lists
(Shared Router)
X.25
GRE
Split Routing
(Dedicated Router)
F/R
IPSec
ATM
MPLS VPN
www.cisco.com
Page27
There are a number of different Virtual Networking concepts present in the data
communications fields:
The Virtual Local Area Networks (VLAN) allow you to implement isolated
LANs over the same physical infrastructure
Overlay VPN, where the Service Provider gives the customer emulated pointto-point links across Service Provider backbone and
The overlay VPNs are implemented with a number of technologies, ranging from
traditional layer-1 technologies (ISDN, SDH, SONET) and layer-2 technologies
(X.25, Frame Relay, ATM) to modern IP-based solutions (GRE and IPSec).
2-23
The overlay VPNs, although well known and easy to implement, are harder to
operate due to higher maintenance costs:
Traditional peer-to-peer VPNs are implemented with packet filters on shared PErouters or with dedicated per-customer PE-routers. Along with high maintenance
costs (for packet-filter approach) or equipment costs (for dedicated per-customer
PE-router approach), both methods require customer to accept the Service
Provider assigned address space or use public IP addresses in the private customer
network.
MPLS VPN, introduced in the next sections, provides all the benefits of peer-topeer VPNs and alleviates most of the peer-to-peer VPN drawbacks (for example,
the need for common customer address space).
Review Questions
Answer the following questions:
2-24
Which routing protocol runs between the customer and the service provider in
an overlay VPN?
VPN Categorizations
There are three major VPN categorizations:
2-25
www.cisco.com
Page32
The oldest VPN categorization was based on the topology of point-to-point links
in an overlay VPN implementation:
Full-mesh topology provides a dedicated virtual circuit between any two CErouters in the network
2-26
Overlay VPN
Hub-and-Spoke Topology
Remote site (spoke)
Central site
(HUB)
Central site
router
www.cisco.com
Page33
The hub-and-spoke topology is the simplest overlay VPN topology all remote
sites are linked with a single virtual circuit to a central CE-router. The routing is
also extremely simple static routing or distance-vector protocol like RIP are
more than adequate. If you are using dynamic routing protocol like RIP, splithorizon must be disabled at the hub router, or you must use point-to-point subinterfaces at the hub router to overcome the split-horizon problem.
2-27
Overlay VPN
Redundant Hub-And-Spoke
Remote site (spoke)
Central site
(HUB)
Redundant
Central site
router
Redundant
Central site
router
www.cisco.com
Page34
2-28
Overlay VPN
Partial Mesh
Guam
Moscow
New York
Berlin
Hong Kong
Sydney
www.cisco.com
Page35
Partial mesh is used in environments where the cost or complexity factors prevent
a full-mesh between customer sites. The virtual circuits in a partial mesh can be
established based on a wide range of criteria:
Cost considerations
2-29
Overlay VPN
Multi-Level Hub-and-Spoke
Distribution site
Remote site (spoke)
Distribution-layer
router
Redundant central
site router
Redundant central
site router
Distribution-layer
router
Distribution site
www.cisco.com
Page36
Various overlay VPN topologies are usually combined in a large network. For
example, in the diagram above, a redundant hub-and-spoke topology is used in
network core and a non-redundant hub-and-spoke is used between distribution
sites and remote sites. This topology would be commonly used in environments
where all traffic flows between the central site and remote sites and there is little
(or no) traffic exchanged directly between the remote sites.
2-30
www.cisco.com
Page37
Another very popular VPN categorization classifies VPNs based on the business
needs they fulfill:
Access VPN - Virtual Private Dialup Networks that provide dial-up access
into a customer network.
2-31
Extranet VPN
Overlay VPN Implementation
Frame Relay Virtual
Circuits (DLCI)
GlobalMotors
Firewall
Provider IP backbone
BoltsAndNuts
Frame Relay
switch
Firewall
Frame Relay
switch
AirFilters Inc.
Firewall
Firewall
SuperBrakes Inc.
Frame Relay
switch
Frame Relay
switch
Firewall
www.cisco.com
Page38
2-32
Extranet VPNPeer-to-Peer
VPN Implementation
GlobalMotors
Provider IP backbone
Firewall
Provider edge
(PE) router
Firewall
Provider edge
(PE) router
BoltsAndNuts
Provider edge
(PE) router
AirFilters Inc.
Firewall
Firewall
SuperBrakes Inc.
Provider edge
(PE) router
Provider edge
(PE) router
www.cisco.com
Firewall
Page39
2-33
VPN Connectivity
Categorization
VPNs can also be categorized by the
connectivity required between sites:
Simple VPNevery site can communicate with
every other site
Overlapping VPNsome sites participate in more
than one simple VPN
Central Services VPNall sites can communicate
with central servers, but not with each other
Managed Networka dedicated VPN is
established to manage CE routers
www.cisco.com
Page40
The virtual private networks discussed so far were usually very simple in
connectivity terms:
In most cases, full connectivity between sites was required (in overlay Intranet
VPN implementations, this usually means that some customer sites act as
transit sites)
There are, however, a number of advanced VPN topologies with more complex
connectivity requirements:
2-34
Central Services VPN, where the sites are split in two classes server sites
that can communicate with all other sites and client sites that can only
communicate with the servers, but not with other clients.
Customer A
VoIP GW
Customer B
London
VoIP GW
Paris
Customer C
VoIP GW
www.cisco.com
Page41
2-35
VoIP GW
Frame
Relay
Infrastructure
Service provider
Extranet Infrastructure
Provider Edge
Router
Frame Relay
Edge switch
Provider Edge
Router
London
VoIP GW
Provider Edge
Router
Customer B
Frame Relay
Edge switch
Provider Edge
Router
Paris
VoIP GW
Customer A
Customer C
Frame Relay
Edge switch
Provider Edge
Router
Frame Relay Virtual Circuit
www.cisco.com
Page42
The network diagram shown above describes an interesting scenario where peerto-peer VPN and overlay VPN implementation can be used to provide end-to-end
service to the customer.
The VoIP service is implemented with Central Services extranet topology, which
is in turn implemented with peer-to-peer VPN. The connectivity between PErouters in the peer-to-peer VPN and the customer routers is implemented with an
overlay VPN based on Frame Relay. The PE-router of the peer-to-peer VPN and
the CE-routers act as CE-devices of the Frame Relay network.
2-36
Managed Network
Overlay VPN Implementation
Service provider network
Redundant central
site router
www.cisco.com
Dedicated Virtual
Circuits are used for
network management
Page43
2-37
Summary
There are three major categorizations of Virtual Private networks:
The topology categorization ranges VPNs from full mesh, where there is a direct
virtual circuit between any two sites, to partial mesh, which is built based on a
number of constraints (traffic patterns and cost being the most important of them)
and finally hub-and-spoke where a central site acts as the transit point between all
spoke sites. Real-life large networks are usually implemented with a combination
of these topologies.
The connectivity categorization divides VPNs into simple VPNs (with any-to-any
connectivity), overlay VPNs where a single site participates in more than one
simple VPN, Central Services VPNs, where some sites have limited connectivity
and Network Management VPNs, which are really only a special case of Central
Services VPN.
Review Questions
Answer the following questions:
2-38
Why would the customers prefer partial mesh over full mesh topology?
What is the difference between a simple VPN and a Central Services VPN?
Explain the need for route distinguisher (RD) and route target (RT)
2-39
www.cisco.com
Page48
The MPLS VPN architecture provides the Service Providers with a peer-to-peer
VPN architecture that combines the best features of overlay VPN (support for
overlapping customer address spaces) with the best features of peer-to-peer VPNs:
2-40
PE routers carry separate set of routes for each customer, resulting in perfect
isolation between the customers.
Remote
Office
Customer A
Site #2
P-Network
Site #1
CE router
PE-Router
POP-X
P-Router
Customer A
Site #4
PE-Router
POP-Y
Customer B
Site #2
Customer A
Site #3
Customer B
Site #3
Customer B
Site #1
Customer B
Site #4
www.cisco.com
Page49
The MPLS VPN terminology divides the overall network into customer controlled
part (C-network) and provider controlled part (P-network). Contiguous portions
of C-network are called sites and are linked with the P-network via CE-routers.
The CE-routers are connected to the PE-routers, which serve as the edge devices
of the Provider network. The core devices in the provider network (P-routers)
provide the transit transport across the provider backbone and do not carry
customer routes.
2-41
Global IP router
Customer A
Site #1
Customer A
Site #2
Customer A
Site #3
Customer B
Site #1
Virtual IP routing
table for Customer A
Virtual IP routing
table for Customer B
Global IP
routing table
P-router
www.cisco.com
Page50
2-42
IOS implements isolation between customers via virtual routing and forwarding
tables (VRFs). The whole PE-router is still configured and managed as a single
device, not as a set of virtual routers.
Customer A
Customer B
Customer C
PE-Router-X
P-Router
Customer B
PE-Router-Y
P-Network
Customer C
Customer A
www.cisco.com
Page51
While the virtual routing tables provide the isolation between customers, the data
from these routing tables still needs to be exchanged between PE-routers to enable
data transfer between sites attached to different PE-routers. We therefore need a
routing protocol that will transport all customer routes across the Provider network
while maintaining the independency of individual customer address spaces.
An obvious solution, implemented by various VPN vendors, is to run a separate
routing protocol for each customer. The PE-routers could be connected via pointto-point tunnels (and the per-customer routing protocols would run between PErouters) or the P-routers could participate in the customer routing.
This solution, although very simple to implement (and even used by some
customers), is not appropriate in Service Provider environments, as it simply does
not scale:
2-43
Customer B
Customer C
Customer B
PE-Router-X
P-Router
PE-Router-Y
P-Network
Customer C
Customer A
www.cisco.com
Page52
2-44
Customer B
Customer C
Customer B
PE-Router-X
P-Router
PE-Router-Y
P-Network
Customer C
Customer A
www.cisco.com
Page53
The best solution to customer route propagation is hence to run a single routing
protocol between PE-routers that will exchange all customer routes without the
involvement of the P-routers. This solution is scalable:
2-45
Customer B
Customer C
Customer B
PE-Router-X
P-Router
P-Network
PE-Router-Y
Customer C
Customer A
www.cisco.com
Page54
The next design decision to be made is the choice of the routing protocol running
between PE-routers. As the total number of customer routes is expected to be very
large, the only well known protocol with the required scalability is Border
Gateway Protocol (BGP).
Conclusion:
2-46
Customer B
Customer C
Customer B
PE-Router-X
P-Router
P-Network
PE-Router-Y
Customer C
Customer A
Q: Customers can have overlapping address space. How will you propagate
information about the same subnet of two customers via a single
routing protocol?
A: Customer addresses are extended with 64-bit prefix (Route
DistinguisherRD) to make them unique. Unique 96-bit addresses are
exchanged between PE-routers.
2000, Cisco Systems, Inc.
www.cisco.com
Page55
2-47
Route Distinguisher
Route Distinguisher (RD) is a 64-bit quantity
prepended to an IPv4 address to make it
globally unique
The resulting 96-bit address is called VPNv4
address
VPNv4 addresses are only exchanged via
BGP between PE routers
BGP supporting other address families than
IPv4 addresses is called multi-protocol BGP
www.cisco.com
Page56
Route Distinguisher (RD) is a 64-bit prefix that is only used to transform nonunique 32-bit customer IPv4 addresses into unique 96-bit VPNv4 addresses (also
called VPN_IPv4 addresses).
The VPNv4 addresses are only exchanged between PE-routers; they are never
used between CE-routers and CE-routers. BGP between PE-routers must therefore
support exchange of traditional IPv4 prefixes as well as exchange of VPNv4
prefixes. The BGP session between PE-routers is consequently called multiprotocol BGP session.
Note
2-48
Initial MPLS VPN implementation in Cisco IOS only supports MPLS VPN services
within a single autonomous system. In such a scenario, the BGP session between
PE-routers is always an internal BGP (IBGP) session.
P-network
Customer-A
Customer-A
PE-1
PE-2
Customer-B
Customer-B
www.cisco.com
Page57
The customer route propagation across MPLS VPN network is performed in the
following steps:
Step 1
Step 2
PE-router prepends 64-bit route distinguisher to the IPv4 routing update, resulting
in globally unique 96-bin VPNv4 prefix
Step 3
2-49
P-network
Customer-A
Customer-A
PE-1
PE-2
Customer-B
Customer-B
2-50
www.cisco.com
Page58
Step 4
The receiving PE-routers strip the route distinguisher from the VPNv4 prefix,
resulting in IPv4 prefix
Step 5
The IPv4 prefix is forwarded to other CE-routers within an IPv4 routing update.
www.cisco.com
Page59
The route distinguisher has no special meaning or role in MPLS VPN architecture
its only function is to make overlapping IPv4 addresses globally unique.
Note
The route distinguisher is configured at the PE router as part of the setup of a VPN
site. It is not configured on the customer equipment, and is not visible to the
customer.
Simple VPN topologies only require one route distinguisher per customer, raising
the possibility that RD could serve as VPN identifier. This design, however,
would not allow implementation of more complex VPN topologies, like when a
customer site belongs to multiple VPNs.
2-51
PE-Router-X
P-Router
PE-Router-Y
Customer B
Site 2
Customer A
Site 1
Customer A
Site 2
Customer B
Central Site
VoIP
gateway
P-Network
VoIP
gateway
Customer B
Site 1
Requirements:
All sites of one customer need to communicate
Central sites of both customers need to communicate with VoIP gateways
and other central sites
Other sites from different customers do not communicate with each other
2000, Cisco Systems, Inc.
www.cisco.com
Page60
To illustrate the need for more versatile VPN indicator than the route
distinguisher, consider the Voice-over-IP service illustrated in the figure above.
The connectivity requirements of this service are as follows:
Note
2-52
Additional security measures would have to be put in place at central sites to make
sure that the central sites only exchange VoIP calls with other central sites,
otherwise the corporate network of a customer could be compromised by another
customer using VoIP service.
Site A-1
Site A-2
POP-X
VoIP Gateway
POP-Y
VoIP Gateway
Customer B
Central Site B
Site B-1
www.cisco.com
Site B-2
Page61
The connectivity requirements of the VoIP service are illustrated in the diagram
above. There are three VPNs needed to implement the desired connectivity two
customer VPNs and a shared Voice-over-IP VPN. Central customer sites
participate in the customer VPN as well as in the Voice-over-IP VPN
2-53
Route Targets
Some sites have to participate in more
than one VPNroute distinguisher
cannot identify participation in VPN
A different method is needed where a
set of identifiers can be attached to a
route
Route Targets were introduced in the
MPLS VPN architecture to support
complex VPN topologies
2000, Cisco Systems, Inc.
www.cisco.com
Page62
2-54
www.cisco.com
Page63
Route targets are extended BGP communities that are attached to a VPNv4 BGP
route to indicate its VPN membership. As with standard BGP communities, a set
of extended communities can be attached to a single BGP route, satisfying the
requirements of complex VPN topologies.
Extended BGP communities are 64-bit values. The semantics of the extended BGP
community is encoded in the high-order 16 bits of the value, making them useful
for a number of different applications. For example, the value of high-order 16
bits of extended BGP community is two (2) for MPLS VPN Route Targets.
2-55
www.cisco.com
Page64
MPLS VPN route targets are attached to a customer route at the moment when its
converted from IPv4 route to a VPNv4 route by the PE-router. The route targets
attached to the route are called export route target and are configured separately
for each virtual routing table in a PE-router. The export route targets identify a set
of VPNs in which sites associated with the virtual routing table belong.
When the VPNv4 routes are propagated to other PE-routers, those routers need to
select the routes to import into their virtual routing tables. This selection is done
based on import route targets. Each virtual routing table in a PE-router can have
a number of import route targets configured, identifying the set of VPNs from
which this virtual routing table is accepting routes.
Note
Please refer to MPLS VPN Implementation on Cisco IOS chapter for more
details on import and export route targets.
In overlapping VPN topologies, the route targets are used to identify VPN
membership. Advanced VPN topologies (for example, central services VPN) use
route targets in more complex scenarios please refer to MPLS VPN Topologies
chapter of MPLS VPN Solutions lesson for more details.
2-56
www.cisco.com
Page65
2-57
www.cisco.com
Page66
A single virtual routing table can only be used for sites with identical connectivity
requirements. Complex VPN topologies therefore require more than one virtual
routing table per VPN.
Note
If you would associate sites with different requirements with the same virtual
routing table, some of them might be able to access destinations that should not
be accessible to them otherwise.
As each virtual routing table requires a distinctive route distinguisher value, the
number of route distinguisher in MPLS VPN network increases with the
introduction of overlapping VPNs. Moreover, the simple association between
route distinguisher and VPN that was true for simple VPNs is also gone.
2-58
Voice-over-IP VPN
Customer A
Central Site A
Site A-1
POP-X
VoIP Gateway
POP-Y
VoIP Gateway
Central Site B
Site B-2
Customer B
Site A-2
www.cisco.com
Page67
To illustrate the requirements for multiple virtual routing tables, consider the
sample VoIP service with 3 VPNs (Customer A VPN, Customer B VPN, and the
Voice-over-IP VPN). The following five virtual routing tables are needed to
implement this service:
All sites of customer A (apart from the central site) can share the same virtual
routing table, as they only belong in a single VPN
The same is true for all sites of Customer B (apart from the central site)
The VoIP gateways are only participating in VoIP VPN and can belong to a
single virtual routing table
So in this example, five different VRF tables are needed to support three VPNs.
There is no one-to-one relationship between the number of VRFs and the number
of VPNs.
2-59
Summary
www.cisco.com
Page68
Like all peer-to-peer VPNs, MPLS VPN is easier to provision and provides
automatic optimum routing between customer sites
Like the overlay VPNs, MPLS VPN allow overlapping customer address
space through the use of route distinguishers, 64-bit quantities that make
overlapping customer addresses globally unique when prepended to them.
Another building block of MPLS VPN architecture, route targets, allow you to
build complex VPN topologies that far surpass anything that can be built with
peer-to-peer VPNs.
2-60
Review Questions
Answer the following questions:
How are route targets used to build virtual routing tables in the PE routers?
What is the impact of complex VPN topologies on virtual routing tables in the
PE routers?
2-61
2-62
Describe the MPLS VPN routing model from customer and provider
perspective
www.cisco.com
Page73
The designers of MPLS VPN technology were faced with the following routing
requirements:
The customer routers should not be MPLS VPN-aware. They should run
standard IP routing software
The provider core routers (P-routers) must not carry VPN routes to make the
MPLS VPN solution scalable
The provider edge routers (PE-routers) must support MPLS VPN services and
traditional Internet services.
2-63
www.cisco.com
Page74
The MPLS VPN backbone should look like a standard corporate backbone to the
CE-routers. The CE-routers run standard IP routing software and exchange routing
updates with the PE-routers that appear as to them as normal routers in customers
network.
Note
2-64
In Cisco IOS 12.1, the choice of routing protocols that can be run between CErouter and PE-router is limited to static routes, RIP version 2, OSPF and external
BGP.
PE-router
CE-router
PE-router
Site IGP
Site IGP
Site IGP
www.cisco.com
Page75
From the customers network designer, the MPLS VPN backbone looks like intracompany BGP backbone with PE-routers performing the route redistribution
between individual sites and the core backbone. The standard design rules that are
used for enterprise BGP backbones can be applied to the design of the customers
network.
The P-routers are hidden from the customers view; the internal topology of the
BGP backbone is therefore totally transparent to the customer.
2-65
PE-router
P-router
PE-router
www.cisco.com
Page76
From the P-router perspective, the MPLS VPN backbone looks even simpler the
P-routers do not participate in MPLS VPN routing and do not carry VPN routes.
They only run backbone IGP with other P-routers and with PE-routers and
exchange information about core subnets. BGP deployment on P-routers is not
needed for proper MPLS VPN operation; it might be needed, however, to support
traditional Internet connectivity that was not yet migrated to MPLS.
2-66
CE-router
VPN routing
PE-router
P-router
Core IGP
CE-router
VPN routing
PE-router
Core IGP
CE-router
CE-router
PE-routers:
Exchange VPN routes with CE-routers via per-VPN routing
protocols
Exchange core routes with P-routers and PE-routers via
core IGP
Exchange VPNv4 routes with other PE-routers via multiprotocol IBGP sessions
2000, Cisco Systems, Inc.
www.cisco.com
Page77
The PE-routers are the only routers in the MPLS VPN architecture that see all
routing aspects of the MPLS VPN:
They exchange IPv4 VPN routes with CE-routers via various routing
protocols running in the virtual routing tables.
They exchange VPNv4 routes via multi-protocol internal BGP sessions with
other PE-routers
They exchange core routes with P-routers and other PE-routers via core IGP.
2-67
PE-router
P-router
Core IGP
CE-router
PE-router
Core IGP
CE-router
CE-router
www.cisco.com
Page78
2-68
MP-BGP
PE-router
P-router
Core IGP
CE-router
PE-router
Core IGP
CE-router
www.cisco.com
Page79
The global IP routing table (the IP routing table that is always present in an
IOS-based router even if its not running MPLS VPN) contains all core routes
(inserted by core IGP) and the Internet routes (inserted from global IPv4 BGP
table)
The Virtual Routing and Forwarding (VRF) tables contain sets of routes for
sites with identical routing requirements. The VRFs are filled with intra-VPN
IGP information exchanged with the CE-routers and with VPNv4 routes
received through MP-BGP sessions from the other PE-routers
2-69
The following slides give you an overview of end-to-end routing information flow
in an MPLS VPN network.
IPv4 update
CE-router
PE-router
P-router
CE-router
PE-router
CE-router
www.cisco.com
Page80
The PE-routers receive IPv4 routing updates from the CE-routers and install them
in appropriate Virtual Routing and Forwarding table.
2-70
IPv4 update
CE-router
MP-BGP update
PE-router
P-router
CE-router
PE-router
CE-router
www.cisco.com
Page81
The customer routes from VRFs tables are exported as VPNv4 routes into MPBGP and propagated to other PE-routers.
Initial MPLS VPN implementation in Cisco IOS (IOS releases 12.0T and 12.1)
supports MPLS VPN services only within the scope of a single autonomous
system. The MP-BGP sessions between the PE-routers are therefore IBGP
sessions and are subject to the IBGP split horizon rules. Full mesh of MP-IBGP
sessions is thus required between PE-routers or you could use route reflectors to
reduce the full mesh IBGP requirement.
2-71
MP-BGP Update
MP-BGP update contains:
VPNv4 address
Extended communities (route targets,
optionally site-of-origin)
Label used for VPN packet forwarding
Any other BGP attribute (AS-Path, Local
Preference, MED, standard community )
www.cisco.com
Page82
VPNv4 address
Label used for VPN packet forwarding (the MPLS VPN Packet Forwarding
section later in this lesson explains how the label is used)
Optionally, the MP-BGP update can contain any other BGP attribute, for example,
local preference, MED or standard BGP community.
2-72
MP-BGP Update
VPNv4 address
VPN-IPV4 address contains:
Route Distinguisher
64 bits
Makes the IPv4 route globally unique
RD is configured in the PE for each VRF
RD may or may not be related to a site or a
VPN
www.cisco.com
Page83
2-73
MP-BGP Update
Extended Communities
64-bit long attribute attached to a route
A set of communities can be attached to a single
route
High-order 16 bits identify extended community type
Route-target (RT): identifies the set of sites the route has
to be advertised to
Site of Origin (SOO): identifies the originating site
OSPF Route Type: identifies the LSA type of OSPF route
redistributed into MP-BGP
www.cisco.com
Page84
Extended BGP communities (at least route targets) are always attached to the
VPNv4 routes in MP-BGP updates. These communities are 64-bit long attributes,
where the high-order 16 bits identify the community meaning and the network
administrator defines the low-order 48 bits.
So far, three extended community types have been defined:
Site of origin (SOO), which identifies the customer site originating the route.
Site of origin is used to prevent routing loops in network designs with
multihomed sites.
OSPF route type, which identifies the LSA type of an OSPF route converted
into MP-BGP VPNv4 route.
The following values are used in the high-order 16 bits of the extended BGP
community to indicate community type:
Community type
Route target
Site of origin
OSPF route type
2-74
www.cisco.com
Page85
The low-order 48 bits of the extended BGP community can be displayed in two
different formats:
The display format is encoded in one of the high-order 16 bits of the extended
community to ensure consistent formatting across all routers participating in an
MPLS VPN network.
2-75
CE-router
MP-BGP update
PE-router
P-router
CE-router
PE-router
CE-router
www.cisco.com
Page86
The PE-routers receiving MP-BGP updates will import the incoming VPNv4
routes into their VRFs based on route targets attached to the incoming VPNv4
routes and import route targets configured in the VRFs. The VPNv4 routes
installed in VRFs are converted to IPv4 routes then propagated to the CE-routers.
2-76
Route Distribution to
CE-routers
Route distribution to sites is driven by the
Site of Origin and Route-target extended BGP
communities
A route is installed in the site VRF that
matches the Route-target attribute
A PE which connects sites belonging to multiple
VPNs will install the route into the site VRF if the
Route-target attribute contains one or more VPNs
to which the site is associated
www.cisco.com
Page87
The route targets attached to a route and the import route targets configured in the
VRF drive the import of VPNv4 routes into VRFs on the receiving PE-router the
incoming VPNv4 route is imported into the VRF only if at least one route target
attached to the route matches at least one import route target configured in the
VRF.
The site-of-origin attribute attached to the VPNv4 route controls the IPv4 route
propagation to the CE-routers. A route inserted into a VRF is not propagated to a
CE-router if the site-of-origin attached to the route is equal to the site-of-origin
attribute associated with the CE-router. The site-of-origin can thus be used to
prevent routing loops in MPLS VPN networks with multihomed sites.
2-77
Summary
MPLS VPN routing model differs widely based on the perspective you take:
The CE-routers do not see any difference between a private network and a
network built with MPLS VPN technology
The customer network designer perceives the MPLS VPN backbone as the
BGP backbone of the enterprise network
The P-routers do not see the customers or their VPN routing, they only
propagate subnets of the MPLS backbone
The PE-routers, however, run a variety of routing protocols with the VPN
customers, propagate customer routes via MP-BGP updates to other PErouters and at the same time participate in core IGP and Internet routing.
The CE-routers shall run standard IP software and shall not be MPLS VPNaware
The P-routers shall not be MPLS VPN-aware and shall not carry customer
routes
The PE-routers shall support core IGP and Internet routing together with the
MPLS VPN service.
Review Questions
Answer the following questions:
2-78
Which routing protocols fill the Virtual Routing table (VRF) of a PE-router
Which BGP attributes drive the import of VPNv4 route into a VRF?
Which BGP attributes control the VPN route distribution toward CE-routers?
2-79
CE-router
IP
IP
Ingress-PE
P-router
P-router
CE-router
Egress-PE
CE-router
Q: How will PE routers forward VPN packets across MPLS VPN backbone?
A1: Just forward pure IP packets.
Wrong answer:
P-routers do not have VPN routes, packet is dropped on IP lookup.
How about using MPLS for packet propagation across backbone?
www.cisco.com
Page93
With the customer routes being propagated across MPLS VPN backbone, all the
routers are ready to start forwarding customer data. The customer traffic between
CE-routers and PE-routers is always sent as pure IP packets, satisfying the
requirement that the CE-routers run standard IP software and are not MPLS VPNaware.
In a very simplistic approach to packet forwarding across MPLS VPN backbone,
the PE-routers might just forward IP packets received from the customer routers
toward other PE-routers. This approach would clearly fail, as the P-routers have
no knowledge of the customer routes and therefore cannot forward customer IPpackets. A better approach would be to use MPLS Label Switched Path (LSP)
between PE-routers and a label to determine the proper LSP to use.
2-80
CE-router
IP
Ingress-PE
L1
IP
P-router
L2
IP
P-router
CE-router
L3
CE-router
Egress-PE
CE-router
Q: How will PE routers forward VPN packets across MPLS VPN backbone?
A2: Label VPN packets with LDP label for egress PE-router, forward labeled
packets across MPLS backbone.
Better answer:
P-routers perform label switching, packet reaches egress PE-router.
However, egress PE-router does not know which VRF to use for packet
lookuppacket is dropped.
How about using a label stack?
2000, Cisco Systems, Inc.
www.cisco.com
Page94
2-81
CE-router
IP
V L1
IP
V L2
IP
V L3
CE-router
IP
Ingress-PE
P-router
P-router
CE-router
Egress-PE
CE-router
Q: How will PE routers forward VPN packets across MPLS VPN backbone?
A3: Label VPN packets with a label stack. Use LDP label for egress
PE-router as the top label, VPN label assigned by egress PE-router
as the second label in the stack.
Correct answer:
P-routers perform label switching, packet reaches egress PE-router.
Egress PE-router performs lookup on the VPN label and forwards the
packet toward the CE-router.
2000, Cisco Systems, Inc.
www.cisco.com
Page95
MPLS label stack can be used to indicate to the egress PE-router what to do with
the VPN packet. When using the label stack, the ingress PE-router labels incoming
IP packet with two labels. The top label in the stack is the LDP label for the egress
PE-router that will guarantee that the packet will traverse the MPLS VPN
backbone and arrive at the egress PE-router. The second label in the stack is
assigned by the egress PE-router and tells the router how to forward the incoming
VPN packet. The second label in the stack could point directly toward an outgoing
interface, in which case the egress PE-router only performs label lookup on the
VPN packet. The second label could also point to a VRF, in which case the egress
PE-router performs a label lookup first to find the target VRF and then performs
an IP lookup within the VRF.
Both methods are used in Cisco IOS. The second label in the stack points toward
an outgoing interface whenever the CE-router is the next-hop of the VPN route.
The second label in the stack points to the VRF table for aggregate VPN routes,
VPN routes pointing to null interface and routes for directly connected VPN
interfaces.
Two-level MPLS label stack satisfies all MPLS VPN forwarding requirements:
2-82
P-routers perform label switching on the LDP-assigned label toward the egress
PE-router
Egress PE-router performs label switching on the second label (that it has
previously assigned) and either forwards the IP packet toward the CE-router
or performs another IP lookup in the VRF pointed to by the second label in
the stack.
CE-router
IP
V L1
IP
V L2
IP
CE-router
IP
Ingress-PE
P-router
P-router
CE-router
Egress-PE
CE-router
www.cisco.com
Page96
Penultimate hop popping (removal of top label in the stack on hop prior to the
egress router) can be performed in frame-based MPLS networks. In these
networks, the last P-router in the label switched path pops the LDP label (as
previously requested by the egress PE-router through LDP) and the PE-router
receives a labeled packet that contains only the VPN label. In most cases, a single
label lookup performed on that packet in the egress PE-router is enough to
forward the packet toward the CE-router. The full IP lookup through Forwarding
Information Base (FIB) is therefore performed only once in the ingress PErouter; even without the penultimate hop popping.
Note
Please refer to MPLS Technology chapter for more information on penultimate hop
popping.
2-83
CE-router
Ingress-PE
P-router
P-router
Egress-PE
CE-router
CE-router
Q: How will the ingress PE-router get the second label in the label stack
from the egress PE-router?
A: Labels are propagated in MP-BGP VPNv4 routing updates.
www.cisco.com
Page97
In the previous slides, youve seen that MPLS label stack, with the second label
being assigned by the egress PE-router, is mandatory for proper MPLS VPN
operation. These labels have to be propagated between PE-routers to enable proper
packet forwarding and MP-BGP was chosen as the propagation mechanism. Every
MP-BGP update thus carries a label assigned by the egress PE-router together
with the 96-bit VPNv4 prefix.
2-84
The following slides illustrate the VPN label propagation between PE-routers.
CE-router
Ingress-PE
P-router
P-router
Egress-PE
CE-router
CE-router
Step #1: VPN label is assigned to every VPN route by the egress
PE router
Egress-PE#show
Egress-PE#show tag-switching
tag-switching forwarding
forwarding vrf
vrf SiteA2
SiteA2
Local
Prefix
Bytes
Local Outgoing
Outgoing
Prefix
Bytes tag
tag Outgoing
Outgoing
tag
tag
or
switched
interface
tag
tag or
or VC
VC
or Tunnel
Tunnel Id
Id
switched
interface
26
Aggregate
150.1.31.36/30[V]
26
Aggregate
150.1.31.36/30[V] 00
37
Untagged
203.1.2.1/32[V]
00
Se1/0.20
37
Untagged
203.1.2.1/32[V]
Se1/0.20
38
Untagged
203.1.20.0/24[V]
Se1/0.20
38
Untagged
203.1.20.0/24[V] 00
Se1/0.20
2000, Cisco Systems, Inc.
Step 1
www.cisco.com
Next
Next Hop
Hop
point2point
point2point
point2point
point2point
Page98
Egress PE-routers assign a label to every VPN route received from attached CErouters and to every summary route summarized inside the PE-router. This label is
then used as the second label in the MPLS label stack by the ingress PE-routers
when labeling VPN packets.
The VPN labels assigned locally by the PE-router can be inspected with the show
tag-switching forwarding vrf command.
2-85
CE-router
Ingress-PE
P-router
P-router
Egress-PE
CE-router
CE-router
Step 2
www.cisco.com
Page99
VPN labels assigned by the egress PE-routers are advertised to all other PErouters together with VPNv4 prefix in MP-BGP updates.
These labels can be inspected with the show ip bgp vpnv4 all tags command on
the ingress PE-router.
The routes that have an input label but no output label are the routes received from
CE-routers (and the input label was assigned by the local PE-router). The routes
with an output label but no input label are the routes received from the other PErouters (and the output label was assigned by the remote PE-router).
For example, the VPN label for destination 203.1.20.0 is 38 and was assigned by
another PE-router (Egress-PE in the previous slide).
Note
2-86
Like many other IOS show commands, the show ip bgp vpnv4 tags command
uses the old terminology labels are still called tags.
CE-router
Ingress-PE
P-router
P-router
Egress-PE
CE-router
CE-router
Step 3
www.cisco.com
Page100
The ingress PE-router has two labels associated with a remote VPN route a label
for BGP next-hop assigned by the next-hop P-router via LDP (and taken from
local Label Information Base LIB) as well as the label assigned by remote PErouter and propagated via MP-BGP update. Both labels are combined in a label
stack and installed in the virtual forwarding (VRF) table.
The label stack in the virtual forwarding table can be inspected with the show ip
cef vrf detail command. The tags imposed part of the printout displays the MPLS
label stack. The first label in the MPLS label stack is the TDP/LDP label toward
the egress PE-router and the second label is the VPN label advertised by the egress
PE-router.
2-87
www.cisco.com
Page101
MPLS VPN packet forwarding works correctly if and only if the router specified
as the BGP next-hop in incoming BGP update is the same router as the one that
has assigned the second label in the label stack. There are three scenarios that can
cause the BGP next hop to be different from the IP address of the PE-router
assigning the VPN label:
2-88
If the customer route is received from the CE-router via external BGP session,
the next-hop of the VPNv4 route is still the IP address of the CE-router (BGP
next hop of an outgoing IBGP update is always identical to the BGP next hop
of the incoming EBGP update). You have to configure next-hop-self on the
MP-BGP sessions between PE-routers to make sure that the BGP next hop of
the VPNv4 route is always the IP address of the PE-router, regardless of the
routing protocol used between the PE-router and the CE-router.
The BGP next hop should not change inside an autonomous system. It can
change, however, if you use next-hop-self on inter-AS boundary inside a BGP
confederation or if you use inbound route-map on a PE-route to change nexthop (a strongly discouraged practice). To prevent this, make sure that you
never change BGP next-hop with a route-map or next-hop-self inside an
autonomous system.
The BGP next hop is always changed on an external BGP session. If the
MPLS VPN network spans multiple public autonomous systems (not just
autonomous systems within a BGP confederation), special provisions must be
made in the AS boundary routers to re-originate the VPN label at the same
time as the BGP next hop is changed. This functionality is supported from
IOS releases 12.1(4)T and 12.2.
www.cisco.com
Page102
The second requirement for successful propagation of MPLS VPN packets across
an MPLS backbone is an unbroken label switched path (LSP) between PE-routers.
The second label in the stack is recognized only by the egress PE-router that has
originated it and would not be understood by any other router, should it ever
become exposed.
There are two scenarios that could cause the LSP between PE-routers to break:
If the P-routers perform summarization of the address range within which the
IP address of the egress PE-router lies, the LSP will be disrupted at the
summarization point, as illustrated on the next slide.
2-89
P-router performs
penultimate hop popping
MPLS VPN Backbone
IP
CE-router
IP
Ingress-PE
V L1
IP
P-router
CE-router
P-router
Egress-PE
P-router summarizes
PE loopback
CE-router
CE-router
www.cisco.com
Page103
In the example above, the P-router summarizes the loopback address of the egress
PE-router. LSP is broken at a summarization point, as the summarizing router
needs to perform full IP lookup. In a frame-based MPLS network, the P-router
would request penultimate hop popping for the summary route and the upstream
P-router (or a PE-router) would remove the LDP label, exposing the VPN label to
the P-router. As the VPN label was not assigned by the P-router, but by the egress
PE-router, the label will not be understood by the P-router and the VPN packet
will be dropped or misrouted.
2-90
Summary
Customer VPN packets are forwarded across MPLS VPN backbone encapsulated
in an MPLS label stack composed of two labels:
The top label in the stack is the LDP-assigned label toward the egress PErouter
The second label in the stack is the VPN label assigned by the egress PErouter and propagated to other PE-routers in the MP-BGP update together
with the VPNv4 route
Successful forwarding of customer data packets across MPLS VPN backbone can
only happen if the label switched path between ingress and egress PE-router is
unbroken and if the router that is specified as the BGP next hop assigns the VPN
label. There are a number of scenarios that can cause MPLS VPN connectivity to
break:
BGP next hop is the IP address of the CE-router fix by specifying next-hopself on the PE-router
BGP next hop is changed inside the autonomous system fix by removing
next-hop-self on BGP confederation boundary or by removing set next-hop
from inbound route-maps
BGP next hop is changed when the MP-BGP update crosses autonomous
system boundary this is the default BGP behavior that cannot be changed,
use IOS release that supports inter-AS MPLS VPN (starting with IOS
12.1(4)T)
Label switched path is broken between the PE-routers, for example due to
route summarization in the MPLS core.
Review Questions
Answer the following questions:
How can P-routers forward VPN packets if they dont have VPN routes?
2-91
Lesson Summary
After completing this lesson, you should be able to perform the following tasks:
2-92
What is a C-network?
The C-network is the part of the network under customer control.
What is a CE-router?
The CE-router is a router in the C-network with a link to the Service
Provider network
What is a P-network?
The P-network is part of the network under Service Provider control
Which routing protocol runs between the customer and the service provider in
an overlay VPN?
There customer routing protocol in not extended to the Service Provider.
The only routing protocol running between the customer and the service
provider is the routing protocol needed to implement underlying Service
Provider connectivity.
2-93
Why would the customers prefer partial mesh over full mesh topology?
Connectivity costs usually dictate use of partial mesh.
What is the difference between a simple VPN and a Central Services VPN?
Every customer site can exchange traffic with every other customer site
in simple VPN. In central services VPN, the client sites can only
exchange traffic with server sites.
2-94
How are route targets used to build virtual routing tables in the PE routers?
Every customer route exported from a VRF is tagged with appropriate
export route targets. VPN Routes received by a PE-router are matched
against import route targets configured in a VRF.
What is the impact of complex VPN topologies on virtual routing tables in the
PE routers?
Complex VPN topologies might require more than one VRF per VPN.
Which routing protocols fill the Virtual Routing table (VRF) of a PE-router
The VRF table is filled with information from the VRF routing protocols
running between the PE-routers and the CE-routers and with the
information received by the PE-routers through MP-BGP.
2-95
Which BGP attributes drive the import of VPNv4 route into a VRF?
Route targets control the import of VPNv4 routes into VRFs.
Which BGP attributes control the VPN route distribution toward CE-routers?
Site-of-origin controls the distribution of VPN routes toward CE-routers.
How can P-routers forward VPN packets if they dont have VPN routes?
The P-routers only perform label lookup and thus never see the VPN
packets.
2-96
MPLS/VPN
Configuration on
IOS Platforms
Overview
This lesson covers MPLS/VPN configuration on Cisco IOS platforms. It includes
the following topics:
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
3-2
Describe the interaction between PE-CE routing protocols, backbone MPBGP and virtual routing and forwarding tables
www.cisco.com
The route distinguisher which is prepended to all routes exported from the
VRF into the global VPNv4 BGP table
A set of export route targets which are attached to any route exported from the
VRF
A set of import route targets, which are used to select VPNv4 routes that are to
be imported into the VRF
3-3
MPLS/VPN backbone
CE-VPN-A
VPN B
RIP
CE-VPN-B
10.1.1.0/24
PE router
3-4
www.cisco.com
Routing Contexts were introduced in Cisco IOS to support the need for separate
isolated copies of VPN routing protocols. The routing contexts can be
implemented as separate routing processes (OSPF), similar to traditional IOS
implementation, or as separate isolated instances of the same routing protocol.
If the routing contexts are implemented as instances of the same routing protocol,
each instance contains its own independent routing-protocol parameters (for
example, networks over which the routing protocol is run, timers, authentication
parameters, passive interfaces, neighbors etc.), giving the network designer
maximum flexibility in implementing routing protocols between PE and CE
routers.
3-5
www.cisco.com
The routes received from VRF routing protocol instances or from dedicated VRF
routing processes are inserted into the IP routing table contained within the VRF.
This IP routing table supports exactly the same set of mechanisms as the standard
IOS routing table, including filtering mechanisms (distribute lists or prefix lists)
and inter-protocol route selection mechanisms (administrative distances).
The per-VRF forwarding table (FIB) is built from the per-VRF routing table and is
used to forward all the packets received through the interfaces associated with the
VRF. Any interface can be associated with a VRF, be it physical interface,
subinterface, or a logical interface, as long as it supports CEF switching.
Note
There is no limit to the number of interfaces associated with one VRF (the only
limit is the number of interfaces supported by the router), however, each interface
can be associated only with one VRF, because the router needs to uniquely
identify the forwarding table to be used for packets received over an interface.
3-6
CE-RIP-A
CE-RIP-B
www.cisco.com
This and the following slides will illustrate the interactions between VRF
instances of routing processes, VRF routing tables, and the global VPNv4 BGP
routing process. A simple MPLS/VPN network will be used throughout the
example. The network contains two VPN customers (called VPN-A and VPN-B).
The customer sites are connected to a number of Provider Edge (PE) routers, but
in the example well focus only on a single PE router, which contains two VRFs
one for each customer. Two sites of each customer are connected to the PE router,
one site running BGP, the other site running RIP as the PE-CE routing protocol.
3-7
CE-RIP-A
CE-RIP-B
www.cisco.com
10
3-8
CE-RIP-A
CE-RIP-B
www.cisco.com
11
3-9
CE-RIP-A
CE-RIP-B
RIP routes entered in the VRF routing table are redistributed into BGP
for further propagation into the MPLS/VPN backbone
Redistribution between RIP and BGP has to be configured for proper
MPLS/VPN operation
2000, Cisco Systems, Inc.
www.cisco.com
12
Failure to redistribute non-BGP routes into per-VRF instance of BGP is one of the most
common MPLS/VPN configuration failures.
3-10
CE-RIP-A
CE-RIP-B
Route distinguisher
is prepended during route export to the BGP routes
Instance for VRF-B
from VRF instance of BGP process to convert them into VPNv4 prefixes.
Route targets are attached to these prefixes
CE-BGP-B
www.cisco.com
13
The RIP routes redistributed into the per-VRF instance of the BGP process as well
as the BGP routes received from BGP-speaking CE routers are copied into the
multi-protocol BGP table for further propagation to other PE routers. The IP
prefixes are prepended with the Route Distinguisher (RD) and the set of route
targets (extended BGP communities) configured as export route targets for the
VRF is attached to the resulting VPNv4 route.
Note
The difference between per-VRF BGP table and global MP-BGP table holding
VPNv4 routes is displayed only to illustrate the steps in the route propagation
process. In reality, there is no separate per-VRF BGP table in the Cisco IOS.
3-11
CE-RIP-A
CE-RIP-B
www.cisco.com
14
As the other PE routers start originating VPNv4 routes, the MP-BGP process in
our PE router will receive these routes. The routes are filtered based on route
target attributes attached to them and inserted into the proper per-VRF IP routing
tables based on the import route targets configured for individual VRF. The
route distinguisher that was prepended by the originating PE router is removed
before the route is inserted into IPv4 the per-VRF IP routing table.
3-12
CE-RIP-A
CE-RIP-B
www.cisco.com
15
The MP-IBGP VPNv4 routes received from other PE routers and selected by the
import route targets of a VRF are automatically propagated as 32-bit IPv4 routes
to all BGP-speaking CE neighbors of the PE router.
3-13
CE-RIP-A
CE-RIP-B
MP-IBGP routes imported into a VRF are redistributed into the instance
of RIP configured for that VRF
Redistribution between BGP and RIP has to be configured for endto-end RIP routing between CE routers
2000, Cisco Systems, Inc.
www.cisco.com
16
The same routes, although they are inserted in the per-VRF IP routing table, are
not propagated to RIP-speaking CE routers automatically. To propagate these
routes (which appear as standard BGP routes in the per-VRF IP routing table) to
the RIP-speaking CE routers, redistribution between per-VRF instance of BGP
and per-VRF instance of RIP needs to be manually configured.
3-14
CE-RIP-A
CE-RIP-B
Routes redistributed from BGP into a VRF instance of RIP are sent to
RIP-speaking CE routers
www.cisco.com
17
When the IBGP routes from the per-VRF IP routing table are successfully
redistributed into the per-VRF instance of RIP process, the RIP process announces
these routes to RIP-speaking CE routers, thus achieving transparent end-to-end
connectivity between the CE routers.
3-15
Summary
MPLS/VPN enabled network separates the layer 3 routing task by splitting a
single physical router into a number of virtual routers. Routers basic function is
switching packets between interfaces. Virtual routing and forwarding or VRF is
used to create a virtual router that contains its own routing table, CEF cache and
interfaces.
To optimize performance a single BGP process or RIP process is used for all
VRFs. A Route Distinguisher is used to distinguish between IP version 4 networks
belonging to different VPNs. We need, however, a separate OSPF process for
every VRF configured.
To send information from one CE router to another CE router an update is sent
using one of the supported routing protocols. The update is received by the PE
router that has to redistribute the information into BGP. The information is
translated into MP-BGP format where, upon export, a Route Target is added. This
information is then sent to other PE routers where it is imported into VRFs that are
using the same Route Target. The other PE routers redistribute this information
into the IGP used between the PE and the CE routers and send it to the CE routers.
Review Questions
3-16
Specify Routing Distinguisher and Route Targets for the created VRF
3-17
Configuring VRF
VRF Configuration tasks:
Create VRF
Assign Route Distinguisher to the VRF
Specify export and import route targets
Assign interfaces to VRFs
www.cisco.com
22
Note
Note
3-18
Import and export route target should be equal to route distinguisher for simple
VPN service. For other options, please refer to Chapter #1 of the SS_MPLS_VPN
lesson.
ip vrf name
rd route-distinguisher
23
ip vrf
To configure a VRF routing table, use the ip vrf command in global configuration
mode. To remove a VRF routing table, use the no form of this command.
ip vrf vrf-name
no ip vrf vrf-name
Syntax Description
vrf-name
Defaults
No VRFs are defined. No import or export lists are associated with a VRF. No
route maps are associated with a VRF.
3-19
rd
To create routing and forwarding tables for a VRF, use the rd command in VRF
submode.
rd route-distinguisher
Syntax Description
route-distinguisher
Defaults
There is no default. An RD must be configured for a VRF to be functional.
3-20
route-target export RT
route-target import RT
www.cisco.com
24
route-target
To create a route-target extended community for a VRF, use the route-target
command in VRF submode. To disable the configuration of a route-target
community option, use the no form of this command.
route-target {import | export | both} route-target-ext-community
no route-target {import | export | both} route-target-ext-community
Syntax Description
import
Defaults
There are no defaults. A VRF has no route-target extended community attributes
associated with it until specified by the route-target command.
Copyright 2000, Cisco Systems, Inc.
3-21
route-target both RT
www.cisco.com
25
Whenever a route target is both an import and an export route target for a VRF;
you can use the route-target both command to simplify the configuration. For
example, the two route-target configuration lines in the sample router
configuration above could be reduced into a single command route-target both
12703:15.
3-22
26
ip vrf forwarding
To associate a VRF with an interface or subinterface, use the ip vrf forwarding
command in interface configuration mode. To disassociate a VRF, use the no form
of this command.
ip vrf forwarding vrf-name
no ip vrf forwarding vrf-name
Syntax Description
vrf-name
Defaults
The default for an interface is the global routing table.
3-23
CE-RIP-A2
CE-BGP-A1
CE-BGP-A2
PE-Site-X
PE-Site-Y
CE-RIP-B1
CE-RIP-B2
www.cisco.com
27
3-24
CE-RIP-A1
CE-BGP-A1
PE-Site-X
CE-RIP-B1
CE-RIP-A2
!
ip vrf Customer_B
CE-BGP-A2
rd 115:47
route-target
both
115:47
PE-Site-Y
!
interface serial 1/0/1
CE-RIP-B2
ip forwarding vrf Customer_A
ip address 10.1.0.1 255.255.255.252
!
interface serial 1/0/2
ip vrf forwarding Customer_A
ip address 10.1.0.5 255.255.255.252
!
interface serial 1/1/3
ip vrf forwarding Customer_B
ip address 10.2.0.1 255.255.255.252
www.cisco.com
28
3-25
Summary
To create a virtual router or a VRF use the ip vrf global command where the VRF
is identified by a case-sensitive name.
Within the VRF configuration mode use the rd command to set the Route
Distinguisher.
If sites belonging to the same VPN are connected to different PE routers you have
to specify at least one Route Target extended community for import and export.
Use the route-target import, route-target export or route-target both
commands to set Route Target extended communities for import and export.
The last step in the configuration is specifying the interfaces that belong to the
virtual router. Use the ip forwarding vrf interface command to assign an interface
to a VRF.
Review Questions
3-26
How many formats can you use to specify RD and RT? What are these
formats?
How many import route targets have to match a route for the route to be
imported into the VRF?
3-27
www.cisco.com
33
The MPLS/VPN architecture uses BGP routing protocol in two different ways:
VPNv4 routes are propagated across a MPLS/VPN backbone using multiprotocol BGP between the PE routers
BGP can be used as the PE-CE routing protocol to exchange VPN routes
between the provider edge routers and the customer edge routers
Independently from MPLS/VPN, the PE router can also use BGP to receive and
propagate Internet routes in scenarios where the PE routers are also used to
provide Internet connectivity to the customers.
All three route exchange mechanisms take place in one BGP process (as you can
only configure one BGP process per router) and the routing contexts (called
address families from router configuration perspective) are used to configure all
three independent route exchange mechanisms.
3-28
address-family vpnv4
34
Internet routing (global IP routing table) is the default address family that you
configure when you start configuring the BGP routing process;
To configure BGP between the PE routers and the CE routes within individual
VRF, use the ipv4 vrf name address family
router bgp
To configure the Border Gateway Protocol (BGP) routing process, use the router
bgp global configuration command. To remove a routing process, use the no form
of this command.
router bgp autonomous-system
no router bgp autonomous-system
Syntax Description
autonomous-system
Default
No BGP routing process is enabled by default.
3-29
address-family
To enter the address family submode for configuring routing protocols, such as
BGP, RIP and static routing, use the address-family command in address family
configuration submode. To disable the address family submode for configuring
routing protocols, use the no form of this command.
VPN-IPv4 unicast
address-family vpnv4 [unicast]
no address-family vpnv4 [unicast]
IPv4 unicast
address-family ipv4 [unicast]
no address-family ipv4 [unicast]
IPv4 unicast with CE router
address-family ipv4 [unicast] vrf vrf-name
no address-family ipv4 [unicast] vrf vrf-name
Syntax Description
ipv4
vpnv4
unicast
vrf vrf-name
3-30
BGP Neighbors
Multi-protocol BGP neighbors are
configured under BGP routing process
These neighbors need to be activated for each
global address family they support
Per-address-family parameters can be
configured for these neighbors
www.cisco.com
35
Global BGP neighbors (other PE routers), with which the PE router can
exchange multiple types of routes. These neighbors are defined in the global
BGP definition and only have to be activated for individual address families
Per-VRF BGP neighbors (the CE routers) which are configured and activated
within the ipv4 vrf name address family
3-31
Configuring MP-BGP
MPLS/VPN Multiprotocol BGP
configuration steps:
Configure MP-BGP neighbor under BGP
routing process
Configure BGP address family VPNV4
Activate configured BGP neighbor for VPNV4
route exchange
Specify additional parameters for VPNV4
route exchange (filters, next-hops etc.)
2000, Cisco Systems, Inc.
www.cisco.com
36
The remote PE router is configured as global BGP neighbor under BGP router
configuration mode
Parameters that affect all BGP route exchange (for example, source address
for the TCP session) are defined on the global BGP neighbor
VPNv4 address family is selected and the BGP neighbor is activated for
VPNv4 route exchange
Note
3-32
IPv4-specific BGP parameters are still configured under the BGP router
configuration mode there is no special IPv4 address family.
Configuring MP-IBGP
router(config)#
address-family vpnv4
37
The initial commands that are needed to configure MP-IBGP session between PE
routers are:
neighbor remote-as
To add an entry to the BGP neighbor table, use the neighbor remote-as router
configuration command. To remove an entry from the table, use the no form of
this command.
neighbor {ip-address | peer-group-name} remote-as number
no neighbor {ip-address | peer-group-name} remote-as number
Syntax Description
ip-address
peer-group-name
number
Neighbor's IP address.
Name of a BGP peer group.
Autonomous system to which the neighbor belongs.
Default
There are no BGP neighbor peers.
3-33
neighbor update-source
To have the Cisco IOS software allow internal BGP sessions to use any
operational interface for TCP connections, use the neighbor update-source router
configuration command. To restore the interface assignment to the closest
interface, which is called the best local address, use the no form of this command
neighbor {ip-address | peer-group-name} update-source interface
no neighbor {ip-address | peer-group-name} update-source interface
Syntax Description
ip-address
peer-group-name
interface
Default
Best local address
3-34
Configuring MP-IBGP
router(config-router-af)#
www.cisco.com
38
After the remote PE router has been defined as a global BGP neighbor, it has to be
activated for VPNv4 route exchange. The default IBGP next-hop processing needs
to be disabled for VPNv4 route exchange with next-hop-self command.
Note
If you dont disable default next-hop processing, the VPN IP address of a BGPspeaking CE router might become VPNv4 BGP next hop and the connectivity
across the MPLS/VPN backbone is broken.
neighbor activate
To enable the exchange of information with a BGP neighboring router, use the
neighbor activate router configuration command. To disable the exchange of an
address with a neighboring router, use the no form of this command.
neighbor {ip-address | peer-group-name} activate
no neighbor {ip-address | peer-group-name} activate
Syntax Description
ip-address
peer-group-name
Defaults
The exchange of addresses with neighbors is enabled by default for the IPv4
address family. For all other address families, address exchange is disabled by
default. You can explicitly activate the default command using the appropriate
address family submode.
3-35
neighbor next-hop-self
To disable next-hop processing of BGP updates on the router, use the neighbor
next-hop-self router configuration command. To disable this feature, use the no
form of this command.
neighbor {ip-address | peer-group-name} next-hop-self
no neighbor {ip-address | peer-group-name} next-hop-self
Syntax Description
ip-address
peer-group-name
Default
Disabled
3-36
Configuring MP-EBGP
router(config)#
12.1(4)T
address-family vpnv4
neighbor IP-address activate
www.cisco.com
39
Multi-protocol EBGP session is configured in exactly the same way as the multiprotocol IBGP session, the only difference being that the AS-number of the
neighboring PE-router differs from the local AS-number.
Note
The support for VPNv4 information exchange over an EBGP session has been
added in IOS release 12.1(4)T.
3-37
12.1(4)T
www.cisco.com
40
By default, the PE routers discard VPNv4 updates not related to the VRFs
configured on the PE routers, the only exceptions being BGP route reflectors. A
PE router exchanging VPNv4 routes over an EBGP session would deploy the
same filter (and drop some VPNv4 routes) unless it would be configured as a route
reflector. The no bgp default route-target-filter command was introduced to
disable the default VPNv4 filter and allow the PE router to propagate all VPNv4
routes between autonomous systems.
3-38
Configuring MP-BGP
BGP Community Propagation
router(config-router-af)#
www.cisco.com
41
neighbor send-community
To specify that a COMMUNITIES attribute should be sent to a BGP neighbor, use
the neighbor send-community router configuration command. To remove the
entry, use the no form of this command.
neighbor {ip-address | peer-group-name} send-community [ extended | both ]
no neighbor {ip-address | peer-group-name} send-community
Syntax Description
ip-address
peer-group-name
Neighbor's IP address.
Name of a BGP peer group.
Default
No COMMUNITIES attribute is sent to any neighbor.
3-39
CE-RIP-A2
CE-BGP-A1
CE-BGP-A2
PE-Site-X
CE-RIP-B1
PE-Site-Y
interface loopback 0
ip address 172.16.1.1 255.255.255.255 CE-RIP-B2
!
router bgp 115
neighbor 172.16.1.2 remote-as 115
neighbor 172.16.1.2 update-source loopback 0
!
address-family vpnv4
neighbor 172.16.1.2 activate
neighbor 172.16.1.2 next-hop-self
neighbor 172.16.1.2 send-community both
www.cisco.com
42
3-40
Step 1
A loopback interface is defined that will serve as the BGP next-hop for VPNv4
routes and as the source address for IBGP session
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Configuring MP-BGP
Disabling IPv4 Route Exchange
router(config-router)#
www.cisco.com
43
The BGP configuration discussed so far is appropriate for scenarios where the PE
routers provide Internet and VPN connectivity. If the PE routers provide only
VPN connectivity, they dont need Internet routing and the IPv4 route exchange
needs to be disabled. There are two ways of disabling IPv4 route exchange:
If you only want to disable IPv4 route exchange for a few neighbors, the best
option is to disable the IPv4 route exchange on a neighbor-by-neighbor basis
by using no neighbor activate command
If you want to disable IPv4 route exchange for most (or all) of the neighbors,
you can use no bgp default ipv4 unicast command. After you enter this
command, IPv4 route exchange has to be manually activated for each
configured global BGP neighbor.
3-41
www.cisco.com
44
In this example, only a subset of BGP neighbors needs to receive IPv4 routes. The
default propagation of IPv4 routes is thus disabled and IPv4 route exchange as
well as VPNv4 route exchange is manually activated on a neighbor-by-neighbor
basis.
3-42
Summary
MP-BGP is used to propagate VPN specific information between PE routers.
Standard BGP version 4 can also be used with the CE routers. Address families
are used to tell the BGP process which routing table to use to find neighbor and
where to put the received updates. There is a separate address family for each VRF
and one address family for VPN-IPv4 updates.
Other PE routers are configured as standard BGP neighbors in the global part of
the BGP configuration and have to be activated in the vpn_ipv4 address family.
Extended communities are propagated while standard communities are not. Use
the neighbor neighbor send-community command to change the default.
You should use the neighbor neighbor next-hop-self command to make sure the
PE loopbacks are used as the next hop address.
Review Questions
Which are the mandatory parameters that you have to configure on MP-BGP
neighbor?
Why would you want to disable propagation of IPv4 routing updates between
MP-BGP neighbors?
3-43
3-44
Configuring PE-CE
Routing Protocols
PE-CE routing protocols are configured for individual
VRFs
Per-VRF routing protocols can be configured in two
ways:
There is only one BGP or RIP process per router, per-VRF
parameters are specified in routing contexts, which are
selected with the address family command
A separate OSPF process has to be started for each VRF
www.cisco.com
49
The per-VRF configuration of the PE-CE routing protocols is another good reason
for grouping as many sites into a VRF as possible.
As separate routing processes. This option is used for more complex routing
protocols that need to maintain separate topology database for each VRF, for
example, OSPF
Note
3-45
router rip
address-family ipv4 vrf vrf-name
... Per-VRF RIP definitions ...
Similar to BGP, select per-VRF RIP context with the address-family
command
Configure all per-VRF RIP parameters there starting with network
numbers
2000, Cisco Systems, Inc.
www.cisco.com
50
The VRF routing context is selected with the address-family ipv4 vrf name
command in the RIP and BGP routing processes. All per-VRF routing protocol
parameters (network numbers, passive interfaces, neighbors, filters etc.) are
configured under this address family.
Note
Common parameters defined in the router configuration mode are inherited by all
address families defined for this routing process and can be overridden for each
individual address family.
router rip
To configure the Routing Information Protocol (RIP) routing process, use the
router rip global configuration command. To turn off the RIP routing process,
use the no form of this command.
router rip
no router rip
Syntax Description
This command has no arguments or keywords.
Default
No RIP routing process is defined.
3-46
www.cisco.com
51
When configuring BGP as the PE-CE routing protocol, start the per-VRF BGP
configuration with the address-family ipv4 vrf name router configuration
command. After entering the address family configuration mode, you define the
BGP neighbors and activate them. You also have to configure redistribution from
all other per-VRF routing protocols into BGP.
Note
You always have to configure BGP address-family for each VRF and configure
route redistribution into BGP for each VRF even if you dont use BGP as the PECE routing protocol
Several BGP options have different default values when you configure per-VRF
BGP routing context:
3-47
MPLS/VPN backbone
neighbor 10.200.1.2
CE-RIP-A1
remote-as 115
network 10.1.0.0 mask 255.255.0.0
CE-RIP-A2
CE-BGP-A1
CE-BGP-A2
PE-Site-X
PE-Site-Y
CE-RIP-B1
CE-RIP-B2
www.cisco.com
52
Continuing the example from page 40, BGP is started on the CE router, and the
PE router is defined as a BGP neighbor. Similarly, the CE router is defined as a
BGP neighbor and activated under address-family ipv4 vrf Customer_A.
3-48
www.cisco.com
53
Configuring RIP as the PE-CE routing protocol is even simpler than configuring
BGP. You start the configuration of individual routing context with the addressfamily ipv4 vrf name router configuration command. All standard RIP parameters
can be entered in the per-VRF routing context. Global RIP parameters entered in
the scope of RIP router configuration are inherited by each routing context and
can be overwritten if needed in each routing context.
Note
Only RIPv2 is supported as the PE-CE routing protocol. Its a good configuration
practice to configure RIP version as a global RIP parameter using the version 2
router configuration command.
3-49
router rip
address-family ipv4 vrf vrf-name
redistribute bgp metric transparent
www.cisco.com
54
IGP metric is always copied into the MED attribute of the BGP route when an IGP
route is redistributed into BGP. Within standard BGP implementation, the MED
attribute is only used as a route selection criterion and is not copied back into the
IGP metric the IGP metric has to be specified in the redistribute command or
by using the default-metric router configuration command.
The MPLS/VPN extension to the redistribute command metric transparent
option allows MED to be inserted as the IGP metric of a route redistributed from
BGP back into RIP. This extension gives you a transparent end-to-end (from
customers perspective) RIP routing:
RIP hop count is inserted into BGP attribute MED when the RIP route is
redistributed into BGP by the ingress PE router (enabled by default)
The value of MED attribute (the original RIP hop count) is copied into RIP
hop count, if so configured, when the BGP route is redistributed back into
RIP. The whole MPLS/VPN backbone thus looks like a single hop to the CE
routers.
Note
3-50
You should not change the MED value within BGP if you use the redistribute
metric transparent option.
CE-RIP-A2
CE-BGP-A1
CE-BGP-A2
PE-Site-X
CE-RIP-B1
PE-Site-Y
router rip
CE-RIP-B2
version 2
address-family ipv4 vrf Customer_ABC
network 10.0.0.0
redistribute bgp 12703 metric transparent
!
router bgp 12703
address-family ipv4 vrf Customer_ABC
redistribute rip
www.cisco.com
55
The RIP routing process is configured. The RIP version is configured as the
global RIP parameter
The RIP routing context is configured for every VRF where you want to run
RIP as the PE-CE routing protocol. The directly connected networks
(configured on interfaces in the VRF) over which you want to run RIP are
specified to be with standard RIP configuration
3-51
www.cisco.com
56
3-52
www.cisco.com
57
OSPF is the only PE-CE routing protocol, which is not fully VPN aware. A
separate OSPF process is run for every VRF.
router ospf
To configure an OSPF routing process within a VRF, use the router ospf global
configuration command. To terminate an OSPF routing process, use the no form
of this command.
router ospf process-id vrf vrf-name
no router ospf process-id vrf vrf-name
Syntax Description
process-id
vrf-name
Default
No OSPF routing process is defined.
3-53
Configuring Per-VRF
Static Routes
router(config)#
www.cisco.com
58
ip route vrf
To establish static routes for a VRF, use the ip route vrf command in global
configuration mode. To disable static routes, use the no form of this command.
ip route vrf vrf-name prefix mask [next-hop-address] [interface {interfacenumber}] [global] [distance] [permanent] [tag tag]
no ip route vrf vrf-name prefix mask [next-hop-address] [interface {interfacenumber}] [global] [distance] [permanent] [tag tag]
Syntax Description
vrf-name
prefix
mask
next-hop-address
interface
interface-number
global
distance
permanent
tag tag
3-54
Summary
There is a limited range of routing protocols that can be used between PE and CE
routers static routes, RIP version 2, external BGP and OSPF.
RIP and BGP are fully VPN aware routing protocols where the configuration is
split into address families representing VRFs. OSPF, on the other hand, is not
fully VPN aware and, therefore, has to be enabled per VRF.
All VRF specific routing information except BGP has to be redistributed into
BGP.
Review Questions
3-55
3-56
Monitoring VRF
router#
show ip vrf
www.cisco.com
64
show ip vrf
To display the set of defined VRFs (VPN routing/forwarding instances) and
associated interfaces, use the show ip vrf command in EXEC mode.
show ip vrf [{brief | detail | interfaces}] [vrf-name] [output-modifiers]
Syntax Description
brief
detail
interfaces
vrf-name
output-modifiers
Defaults
When no optional parameters are specified, the command shows concise
information about all configured VRFs.
3-57
show ip vrf
Router#show ip vrf
Name
SiteA2
SiteB
SiteX
Router#
Default RD
103:30
103:11
103:20
Interfaces
Serial1/0.20
Serial1/0.100
Ethernet0/0
www.cisco.com
65
The show ip vrf command displays concise information on the VRF(s) and
associated interfaces. The following table describes the fields displayed by this
command.
Table: show ip vrf field descriptions
Field
Name
Default RD
Interfaces
3-58
Description
Specifies the VRF name.
Specifies the default route distinguisher.
Specifies the network interfaces.
www.cisco.com
66
To display detailed information on the VRFs and associated interfaces, use the
show ip vrf detail command. The following table describes the additional fields
shown by this command.
Table: show ip vrf detail Field Descriptions
Field
Interfaces
Export
Import
Description
Specifies the network interfaces.
Specifies VPN route-target export communities.
Specifies VPN route-target import communities.
3-59
VRF
SiteA2
SiteB
SiteX
Protocol
up
up
up
www.cisco.com
67
To display the interfaces bound to a particular VRF (or interfaces bound to any
VRF), use the show ip vrf interfaces command, which displays the fields
described in the following table.
Table: show ip vrf interfaces Field Descriptions
Field
Interface
IP-Address
VRF
Protocol
3-60
Description
Specifies the network interfaces for a VRF.
Specifies the IP address of a VRF interface.
Specifies the VRF name.
Displays the state of the protocol (up/down) for each VRF
interface.
68
There are three commands that can be used to monitor VRF routing:
3-61
3-62
output-modifiers
network-address
mask
cidr-only
community
community-list
dampened-paths
filter-list
flap-statistics
inconsistent-as
neighbors
paths
line
peer-group
quote-regexp
regexp
summary
tags
3-63
www.cisco.com
69
The show ip protocol vrf command displays summary information about all
routing protocol instances active in the specified VRF. The fields displayed by this
command are shown in the following table.
Table: show ip protocols vrf Field Descriptions
Field
Gateway
Distance
Last update
3-64
Description
Displays the IP address of the router identifier for all routers in
the network.
Displays the metric used to access the destination route.
Displays the last time the routing table was updated from the
source.
rest deleted
www.cisco.com
70
The show ip route vrf command displays the contents of the VRF IP routing table
in the same format as used by the show ip route command.
3-65
www.cisco.com
71
Defaults
This command has no default values.
Usage Guidelines
Use this command to display detailed information about BGP neighbors
associated with MPLS VPN.
3-66
www.cisco.com
72
The show ip bgp neighbor command, described in details in the Basic BGP
Technology and Configuration lesson is also used to monitor BGP sessions with
other PE routers as well as the address families negotiated with these neighbors.
3-67
www.cisco.com
73
show ip bgp neighbors [address] [received-routes | routes | advertisedroutes | {paths regular-expression} | dampened-routes]
Syntax Description
3-68
address
received-routes
routes
advertised-routes
paths regular-expression
dampened-routes
Examples
The following is sample output from the show ip bgp neighbors command:
Router# show ip bgp neighbors 171.69.232.178
BGP neighbor is 171.69.232.178, remote AS 10, external link
Index 1, Offset 0, Mask 0x2
Inbound soft reconfiguration allowed
BGP version 4, remote router ID 171.69.232.178
BGP state = Established, table version = 27, up for
00:06:12
Last read 00:00:12, hold time is 180, keepalive interval
is 60 seconds
Minimum time between advertisement runs is 30 seconds
Received 19 messages, 0 notifications, 0 in queue
Sent 17 messages, 0 notifications, 0 in queue
Inbound path policy configured
Route map for incoming advertisements is testing
Connections established 2; dropped 1
Connection state is ESTAB, I/O status: 1, unread input
bytes: 0
Local host: 171.69.232.181, Local port: 11002
Foreign host: 171.69.232.178, Foreign port: 179
Enqueued packets for retransmit: 0, input: 0, saved: 0
Event Timers (current time is 0x530C294):
Timer
Starts
Wakeups
Retrans
12
0
TimeWait
0
0
AckHold
12
10
SendWnd
0
0
KeepAlive
0
0
GiveUp
0
0
PmtuAger
0
0
iss: 133981889 snduna: 133982166
sndwnd: 16108
irs: 3317025518 rcvnxt: 3317025810
delrcvwnd:
291
Next
0x0
0x0
0x0
0x0
0x0
0x0
0x0
sndnxt:
133982166
rcvwnd:
16093
SRTT: 441 ms, RTTO: 2784 ms, RTV: 951 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 300 ms, ACK hold: 300 ms
Flags: higher precedence, nagle
Datagrams (max data segment is 1460 bytes):
Rcvd: 15 (out of order: 0), with data: 12, total data bytes:
291
Sent: 23 (retransmit: 0), with data: 11, total data bytes:
276
3-69
3-70
Field
Description
BGP neighbor
BGP version
BGP state
table version
Indicates that the neighbor has been updated with this version of
the primary BGP routing table.
up for
Last read
hold time
keepalive interval
Received
notifications
Sent
Total number of BGP messages that have been sent to this peer,
including keepalives.
notifications
Connections
established
dropped
Connection state
Foreign host,
Foreign port
Event Timers
Table displays the number of starts and wakeups for each timer.
iss
snduna
Last send sequence number the local host sent but has not
received an acknowledgment for.
sndnxt
sndwnd
irs
rcvnxt
rcvwnd
delrecvwnd
Delayed receive window---data the local host has read from the
connection, but has not yet subtracted from the receive window the
host has advertised to the remote host. The value in this field
gradually increases until it is larger than a full-sized packet, at
which point it is applied to the rcvwnd field.
SRTT
RTTO
Round-trip timeout.
RTV
KRTT
Field
Description
minRTT
maxRTT
ACK hold
Flags
Datagrams: Rcvd
with data
Sent
with data
3-71
www.cisco.com
74
The show ip bgp neighbor command displays per address-family information for
neighbors that exchange MP-BGP updates with this router. The most interesting
details of the printout produced by this command are highlighted in blue color in
the example above.
3-72
www.cisco.com
75
The show ip bgp command is used to display IPv4 BGP information as well as
VPNv4 BGP information. To display VPNv4 BGP information, use the vpnv4
keyword followed by one of these keywords:
vrf name to display VPNv4 information associated with the specified VRF
3-73
www.cisco.com
76
Defaults
This command has no default values.
Usage Guidelines
Use this command to display VPNv4 information associated with a VRF from the
BGP database. A similar command show ip bgp vpnv4 all displays all
available VPNv4 information. The command show ip bgp vpnv4 summary
displays BGP neighbor status.
3-74
www.cisco.com
77
3-75
www.cisco.com
78
There are three commands that can be used to display per-VRF FIB and LFIB
structures:
3-76
show ip cef vrf command displays the VRF Forwarding Information Base
show ip cef vrf detail command displays detailed information about a single
entry in the VRF FIB
www.cisco.com
79
3-77
glean
null
punt
non-recursive
summary
traffic
prefix-length
unresolved
Gleans adjacency.
Null adjacency.
Punts adjacency.
(Optional) Displays only non-recursive routes.
(Optional) Displays a CEF table summary.
(Optional) Displays traffic statistics.
(Optional) Displays traffic statistics by prefix size.
(Optional) Displays only unresolved routes.
Defaults
This command has no default values.
Usage Guidelines
Used with the vrf-name argument, the show ip cef vrf command shows a
shortened display of the CEF table.
Used with the detail argument, the show ip cef vrf command shows
detailed information for all CEF table entries.
3-78
show tag-switching
forwarding vrf
Router#show tag-switching forwarding
Local Outgoing
Prefix
tag
tag or VC
or Tunnel Id
26
Aggregate
150.1.31.36/30[V]
37
Untagged
203.1.2.1/32[V]
38
Untagged
203.1.20.0/24[V]
vrf SiteA2
Bytes tag
switched
0
0
0
Outgoing
interface
Next Hop
Se1/0.20
Se1/0.20
point2point
point2point
tags 37 detail
Outgoing
Next Hop
interface
Se1/0.20
point2point
www.cisco.com
80
Defaults
No default behavior or values.
Usage Guidelines
Use this command to display label forwarding entries associated with a particular
VRF or IP prefix.
3-79
www.cisco.com
81
The show ip bgp vnpv4 tags command can be used to display tags assigned to
local or remote VRF routes by the local or remote PE router. The command
displays tags associated with all VPNv4 routes (when using all keyword) or tags
associated with a specified route distinguisher or VRF.
The following fields are displayed in the printout:
3-80
Field
Description
Network
Next Hop
In Tag
Out Tag
www.cisco.com
82
ping vrf command can be used to ping a destination host reachable through a
VRF
trace vrf command can be used to trace a path toward a destination reachable
through a VRF.
3-81
Summary
A number of monitoring commands is available to support management and
troubleshooting of MPLS/VPN networks.
There are some well-known commands that perform the same task for the VRF as
they do for a normal router. They may also display some additional information.
There are also many new commands that are either MPLS or MPLS/VPN specific.
Review Questions
3-82
How would you inspect a label stack associated with a remote MPLS/VPN
route?
How would you display all routes with a specified route distinguisher?
Why do you only see labels for routes learned from CE routers?
Would you ever see labels for routes received through MP-BGP in your
TFIB?
Troubleshooting MPLS/VPN
Objectives
Upon completion of this section, you will be able to perform the following tasks:
3-83
MPLS/VPN Troubleshooting
Preliminary steps
Perform basic MPLS troubleshooting
Is CEF enabled?
Are labels for IGP routes generated and
propagated?
Are large labeled packets propagated across
MPLS backbone (MTU issues)
www.cisco.com
87
Before you start in-depth MPLS/VPN troubleshooting, you should ask the
following standard MPLS troubleshooting questions:
Is CEF enabled on all routers in the transit path between the PE routers?
Are there any MTU issues in the transit path (for example, LAN switches not
supporting jumbo Ethernet frame)?
Please refer to the Configuring Frame-mode MPLS on Cisco IOS Platforms and
Configuring Cell-mode MPLS on Cisco IOS Platforms for detailed description
of these troubleshooting steps.
3-84
MPLS/VPN Troubleshooting
Verify routing information flow
Are CE routes received by PE?
Are routes redistributed into MP-BGP with proper
extended communities?
Are VPNv4 routes propagated to other PE routers?
Is BGP route selection process working correctly?
Are VPNv4 routes inserted into VRFs on other PE routers?
Are VPNv4 routes redistributed from BGP into PE-CE
routing protocol?
Are VPNv4 routes propagated to other CE routers?
www.cisco.com
88
Verify the routing information flow using the checks outlined in the slide
3-85
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
89
3-86
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
90
Not configuring redistribution between the PE-CE routing protocol and perVRF routing context of the BGP
3-87
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
91
Automatic route filters are based on route targets; verify that the route targets
attached to the CE route in the originating PE router match at least one of the route
targets configured as import route targets in the VRF on the receiving PE router.
3-88
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
92
3-89
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
93
The VPNv4 routes received by the PE router have to be inserted into the proper
VRF, which can be verified with show ip route vrf command. Common
configuration mistakes in this step include:
The validity of the import route targets can be verified with the show ip bgp
vpnv4 all prefix command, which displays the route targets attached to a VPNv4
route and with the show ip vrf detail command that lists the import route targets
for a VRF. At least one route target attached to the VPNv4 route needs to match at
least one route-target in the VRF.
Note
3-90
Be patient when troubleshooting this step the import of VPNv4 routes into VRFs
is not immediate and can take more than a minute in worst circumstances. Please
refer to the MPLS VPN Solutions lesson for more information on improving route
import speed.
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
Are VPNv4 routes redistributed from BGP into PECE routing protocol?
Verify redistribution configuration - is IGP metric
specified?
Perform traditional routing protocol troubleshooting
www.cisco.com
94
Finally, the BGP routes received via MP-BGP and inserted into the VRF need to
be redistributed into the PE-CE routing protocol. A number of common
redistribution mistakes sometimes occur here, starting with missing redistribution
metrics.
Please refer to the Building Scalable Cisco Networks (BSCN) and Cisco
Internetworking Troubleshooting (CIT) courses for more information on route
redistribution troubleshooting.
3-91
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
95
Last but not least, the routes redistributed into the PE-CE routing protocol have to
be propagated to CE routers (or the CE routers need a default route toward PE
routers). Use standard routing protocol troubleshooting techniques in this step.
Note
3-92
When using a default route on the CE routers, verify that the CE routers use
classless routing configured with the ip classless command.
MPLS/VPN Troubleshooting
Verify proper data flow
Is CEF enabled on ingress PE router interface?
Is the CEF entry correct on the ingress PE router?
Is there an end-to-end LSP between PE routers?
Is the LFIB entry on egress PE router correct?
www.cisco.com
96
After youve verified a proper route exchange, start MPLS/VPN data flow
troubleshooting using the checks listed in the slide.
3-93
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
97
One of the most common data-flow related configuration mistakes is the failure to
enable CEF in ingress PE router interface, which can be verified with the show cef
interface command. CEF is the only switching method that can perform per-VRF
lookup and thus support MPLS/VPN architecture.
There are three common reasons for this problem (assuming that CEF is enabled
on the router):
3-94
Another feature has been configured on the interface that disables CEF (for
example, IP precedence accounting)
www.cisco.com
98
Usage Guidelines
This command is available on routers that have RP cards and line cards.
The detail keyword displays more CEF-related information for the specified
interface. You can use this command to show the CEF state on an individual
interface.
The following table describes the fields shown in the output.
3-95
3-96
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
99
If the CEF switching is enabled on ingress interface, you can verify the validity of
CEF entry and the associated label stack with the show ip cef vrf name prefix
detail command. The top label in the stack should correspond to the BGP nexthop label as displayed by the show tag forwarding command on the ingress
router and the second label in the stack should correspond to the label allocated by
the egress router as displayed by the show tag forwarding command on the
egress router.
3-97
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
100
If the CEF is enabled on the ingress interface and the CEF entry contains proper
labels, the data flow problem might lie inside the MPLS core. Two common
mistakes include summarization of BGP next hops inside the core IGP and MTU
issues.
The quickest check on a potential summarization problem can be done by
disabling IP TTL propagation into the MPLS label header by using the no tagswitching ip ttl-propagate command. The traceroute command toward BGP nexthop shall display no intermediate hops when the TTL propagation is disabled. If
the intermediate hops are displayed, the label switched path between PE routers is
broken at those hops and the VPN traffic cannot flow.
3-98
CE-Spoke
PE-1
PE-2
CE-Spoke
CE-Spoke
www.cisco.com
101
As a last troubleshooting measure (usually not needed), you can verify the
contents of Label Forwarding Information Base (LFIB) on the egress PE router
and compare it with the second label in the label stack on the ingress PE router. A
mismatch indicates an internal IOS error that has to be reported to Cisco Technical
Assistance Center (TAC).
3-99
Summary
To verify the proper operation of the MPLS/VPN network first perform the
internal connectivity tests within the core network by pinging between the
loopbacks of the PE routers. Make sure that ICMP packets were label-switched. In
the second step you should verify the propagation of customer networks through
MP-BGP and installation of VPN labels into the forwarding table. Pinging
between the CE routers should confirm that the VPN is functional.
Review Questions
3-100
How would you verify that the VPNv4 routes are entered in the proper VRF?
How would you verify redistribution of VPNv4 routes into the PE-CE routing
protocol?
How would you verify that the CE routes get redistributed into MP-BGP with
proper route targets?
How would you check for potential MTU size issues on the path taken by PEto-PE LSP?
How would you verify that the PE router ingress interface supports CEF
switching?
3-101
Selective export
Specify additional route targets attached to
exported routes
VRF Limit
Specify the maximum number of routes in a VRF
to prevent memory exhaustion on PE router or
denial-of-service attacks
2000, Cisco Systems, Inc.
www.cisco.com
106
There are a number of advanced VRF features that allow you to deploy advanced
MPLS/VPN topologies or to increase the stability of your MPLS/VPN backbone:
3-102
The selective import feature allows you to select routes to be imported into a
VRF based on criteria other than route target
The selective export feature allows you to attach specific route targets only to
a subset of routes exported from a VRF (by default, the same route targets get
attached to all exported routes)
The VRF route limit feature allows you to limit the number of routes the
customer (or other PE routers) can insert in the VRF, therefore preventing
fatal consequences of configuration errors or denial-of-service attacks.
www.cisco.com
107
Selective route import into a VRF allows you to narrow the route import criteria
by using a route-map that can filter the routes selected by the route-target import
filter. The routes imported into a VRF are BGP routes, so you can use match
conditions in a route-map to match any BGP attribute of a route, including, for
example, communities, local-preference, MED, AS-path, etc.
The import route-map filter is combined with the route-target import filter a
route has to pass the route-target import filter first and then the import route map.
The necessary conditions for a route to be imported into a VRF are thus:
At least one of the route-targets attached to the route matches one of the
import route targets configured in the VRF
3-103
Configuring Selective
VRF import
router(config-vrf)#
www.cisco.com
108
import map
To configure an import route map for a VRF, use the import map command in
VRF submode.
import map route-map
Syntax Description
route-map
Specifies the route map to be used as an import route map for the
VRF.
Defaults
There is no default. A VRF has no import route map unless one is configured
using the import map command.
3-104
CE-BGP-A1
AS 115
VPN-IPv4 update:
RD:192.168.30.3/32
RT=115:317
VPN-IPv4 update:
RD:192.168.31.0/24
RT=115:317
PE-Site-X
ip vrf Site_A
First update has matching
rd 115:317
RT and is accepted by the
import map RTMAP
route-map
route-target both 115:317
!
access-list 10 permit 192.168.30.0 0.0.0.255
!
route-map RTMAP permit 10
match ip address 10
2000, Cisco Systems, Inc.
www.cisco.com
109
The slide shows an example where an import route-map is used to match the IPv4
portion incoming of VPNv4 routes and import only routes matching a certain
prefix into the VRF. A configuration similar to this one could be used to:
Note
A similar function is usually not needed in an intranet scenario, because all the
customer routers in an intranet are usually under common administration.
3-105
Selective Export
Routes from a VRF might have to be
exported with different route-targets
Example: export management routes with
particular RT
www.cisco.com
110
Some advanced MPLS/VPN topologies are easiest to implement if you can attach
a variety of route targets to routes exported from the same VRF, so that only a
subset of the routes exported from a VRF is imported into another VRF. Most of
the services where the customer routers need to connect to a common server, be it
a network management station, voice gateway or an application server, fall into
this category.
The export route-map function provides exactly this functionality a route map
can be specified for each VRF to attach additional route targets to routes exported
from a VRF. The export route-map performs only the attachment of route targets,
it does not perform any filtering function and you cannot change any other route
attributes with this route-map.
Attributes attached to a route with an export route-map are combined with the
export route-target attributes. If you specify export route-targets in a VRF and set
route targets with an export route-map, all of the specified route targets are
attached to the exported route.
Note
3-106
Export route-map provides functionality that is almost identical to the import routemap, but applied to a different VRF. Any requirement that can be implemented
with an export route-map can also be implemented with an import route-map, but
usually in a more awkward manner.
Configuring Selective
VRF Export
router(config)#
www.cisco.com
111
set extcommunity
To set the extended communities attribute, use the set extcommunity route-map
configuration command. To delete the entry, use the no form of this command.
set extcommunity extcommunity-type community-number [additive]
no set extcommunity extcommunity-type community-number [additive]
Syntax Description
extcommunity-type
3-107
export map
To apply a route map to filter and modify exported routes, use the export map
VRF configuration command. To remove the route map from the VRF, use the no
form of this command.
export map route-map-name
no export map route-map-name
Syntax Description
route-map-name
Default
No route map is used.
3-108
CE-BGP-A1
AS 115
VPN-IPv4 update:
RD:192.168.0.5/32
RT=115:317
VPN-IPv4 update:
RD:192.168.30.0/24
RT=115:317 115:273
PE-Site-X
ip vrf Site_A
rd 115:317
export map RTMAP
route-target both 115:317
!
access-list 10 permit 192.168.30.0 0.0.0.0
!
route-map RTMAP permit 10
match ip address 10
set extcommunity rt 115:273 additive
2000, Cisco Systems, Inc.
www.cisco.com
112
This example mirrors the example from page 105, this time implemented with an
export-map. In the example on page 105, the selective import of routes into a VRF
was achieved with an import route-map in the receiving VRF that allowed only
routes from a certain address block to be inserted into the VRF. In this example,
routes from certain address block are marked with an additional route-target in the
originating VRF and are automatically inserted into the receiving VRF based on
their route target.
The main difference between import and export route-map is therefore the
deployment point:
Based on your network design, one or the other functionality might be preferred.
3-109
www.cisco.com
113
3-110
The VRF route limit limits the total number of routes in a VRF, regardless of
whether they are received from CE routers or from other PE routers via MPIBGP
www.cisco.com
114
neighbor maximum-prefix
To control how many prefixes can be received from a neighbor, use the neighbor
maximum-prefix router configuration command. To disable this function, use the
no form of this command.
neighbor {ip-address | peer-group-name} maximum-prefix maximum
[threshold]
[warning-only]
no neighbor {ip-address | peer-group-name} maximum-prefix maximum
Syntax Description
ip-address
peer-group-name
maximum
threshold
warning-only
Default
Disabled; there is no limit on the number of prefixes.
3-111
www.cisco.com
115
The VRF route limit, contrary to the BGP maximum-prefix limit, limits the overall
number of routes in a VRF, regardless of their origin. Similar to BGP maximumprefix, the network operator might be warned when the number of routes exceeds
a certain threshold via the syslog mechanism. Additionally, you can configure IOS
to ignore new VRF routes when the total number of routes exceeds the maximum
configured limit.
The route limit is configured for each individual VRF, giving you maximum
design and configuration flexibility.
Note
3-112
The per-VRF limit could be used to implement add-on MPLS/VPN services, where
a user paying for a better service might be able to insert more VPN routes into the
network.
www.cisco.com
116
maximum routes
To limit the maximum number of routes in a VRF to prevent a PE router from
importing too many routes, use the maximum routes command in VRF submode.
To remove the limit on the maximum number of routes allowed, use the no form
of this command.
maximum routes limit {warn threshold | warn-only}
no maximum routes
Syntax Description
limit
warn threshold
warn-only
Defaults
No default behavior or values.
3-113
AS 115
IPv4 update:
192.168.50.0/24
IPv4 update:
192.168.55.0/24
VPN-IPv4 update:
RD:192.168.60.0/24
RT=100:1
PE-Site-X
VPN-IPv4 update:
RD:192.168.70.0/24
RT=100:1
PE-Site-Y
ip vrf Site_A
rd 115:317
route-target both 115:317
maximum-routes 4 75
www.cisco.com
117
In this example, the network designer has decided to limit the number of routes in
a VRF to four, with the warning threshold being set at 75% (or three routes).
When the first two routes are received and inserted in the VRF, the router accepts
them. When the third route is received, a warning message is generated and the
message is repeated with the insertion of the fourth route.
Note
When the PE router receives the fifth route, the maximum route limit is exceeded
and the route is ignored. The network operator is notified through another syslog
message.
3-114
Summary
Route maps can be used to filter routes to be imported and exported. Route maps
used to import routes can match on standard and extended BGP parameters. Route
maps used to export routes can match on standard BGP parameters.
To prevent CE routers from flooding the PE routers with excessive number of
routes, a limit can be set on the number of updates accepted from BGP neighbors.
A limit can also be set for the number of routing entries in the VRF.
Review Questions
3-115
3-116
CE-BGP-A1
10.1.0.0/16 213
P-Network
AS 115
Site B
AS 213
PE-Site-X
PE-Site-Y
i 10.1.0.0/16 213
CE-BGP-A2
www.cisco.com
122
There are two ways an MPLS/VPN customer can deploy the BGP as the routing
protocol between the PE and the CE routers:
If the customer has used any other routing protocol in the traditional overlay
VPN network before, there are no limitations on the numbering of customers
autonomous systems; every site could be a separate autonomous system
If, however, the customer has been using BGP as the routing protocol before,
there is a good chance that all the sites (or a subset of the sites) were using the
same autonomous system number
3-117
AS-Override Overview
New AS-Path update procedures have
been implemented in order to re-use the
same ASN on all VPN sites
The procedures allow the use of private
as well as public ASN
Same ASN may be used for all sites,
whatever is their VPN
www.cisco.com
123
3-118
AS-Override Implementation
With AS-Override configured, the AS_PATH
update procedure on the PE router is as follows:
If the first ASN in the AS_PATH is equal to the
neighbouring one, it is replaced by the provider
ASN
If first ASN has multiple occurrences (due to
AS_PATH prepend) all the occurrences are
replaced with provider-ASN value
After this operation, provider AS number is
prepended to the AS_PATH
www.cisco.com
124
The procedure is only used if the first AS number in the AS-path is equal to
the AS-number of the receiving BGP router
In this case, all the leading occurrences of the AS number of the receiving
BGP router are replaced with the AS number of the sending BGP router. Any
other occurrences (further down the AS path) of the receiving routers AS
number are not replaced because they indicate a real routing information loop
3-119
Configuring AS-Override
router(config-router-af)#
www.cisco.com
125
neighbor as-override
To configure a PE router to override a site's ASN with a provider's ASN, use the
neighbor as-override router configuration command. To remove VPN IPv4
prefixes from a specified router, use the no form of this command.
neighbor ip-address as-override
no neighbor ip-address as-override
Syntax Description
ip-address
Defaults
No default behavior or values.
3-120
AS-Override in Action
router bgp 115
address-family ipv4 vrf Customer_A
neighbor 10.200.2.1 remote-as 213
neighbor 10.200.2.1 activate
neighbor 10.200.2.1 as-override
Site A
AS 213
CE-BGP-A1
10.1.0.0/16 213
AS 115
Site B
AS 213
PE-Site-X
PE-Site-Y
i 10.1.0.0/16 213
CE-BGP-A2
www.cisco.com
126
In the example above, two customer sites (Site A and Site B) use BGP to
communicate with the MPLS/VPN backbone. Both sites use AS 213 and Site B
would drop the update sent by Site A without the AS-override mechanism.
The AS-override mechanism, configured on PE-Site-Y router, replaces the
customer AS number (213) with the provider AS number (115) before sending the
update to the customer site. An extra copy of the provider AS number is
prepended to the AS-path during the standard EBGP update processing.
3-121
CE-BGP-A1
AS 115
Site B
AS 213
PE-Site-X
PE-Site-Y
CE-BGP-A2
www.cisco.com
127
If the customer is using AS prepending to influence BGP path selection within the
MPLS/VPN backbone, the PE router has to send a route with an AS path
containing multiple copies of the customer AS number to the CE router. In this
case, all the leading copies of the customer AS number are replaced with the
provider AS number (resulting in two occurrences of the provider AS number in
the example above) and the third occurrence of the provider AS number is
prepended to the BGP update before its sent out to the CE router.
3-122
VPN-B
CE-BGP-A1
www.cisco.com
128
This setup is not a usual setup because it deviates from the basic goal of
MPLS/VPN replace hub-and-spoke routing of traditional overlay VPN with
optimum any-to-any routing.
3-123
VPN-A
PE-1
P-Network
AS 115
VPN-B
PE-2
CE-BGP-A1
C-Network
AS 213
P-Network
AS 115
www.cisco.com
129
The setup where a customer router links two VPN networks in an MPLS/VPN
backbone can be viewed from several different perspectives:
There is no problem with the proposed customer setup if analyzed through these
perspectives they all represent valid connectivity or routing options. The
problem occurs when we analyze the BGP perspective, where the CE router has to
propagate routes between two PE routers, which are both in the same autonomous
system.
3-124
VPN-A
PE-1
VPN-B
10.1.0.0/16 115
P-Network
AS 115
CE-BGP-A1
C-Network
AS 213
PE-2
P-Network
AS 115
www.cisco.com
130
Similar to the situation where two customer sites were using the same AS number,
BGP loop prevention rules prevent a PE router from accepting the routing update
sent by the CE router if that routing update already contains the AS number of the
MPLS/VPN backbone (which it will if the CE router is propagating routes
between two VPNs).
The solution to this BGP routing problem could be identical to the previous one
AS-override has to be used on the CE router. This solution would, however,
require a very recent IOS version (12.0T or 12.1 IOS release) on the CE router and
is therefore not enforceable in every customer situation.
3-125
Allowas-in
The Allowas-in BGP option disables
AS_PATH check on the PE router
The number of occurrences of routers own
AS number is limited to suppress real routing
loops
The limit has to be configured
PE router will only REJECT the update if its
AS number appears in the AS_PATH more
often than the configured limit
www.cisco.com
131
3-126
Configuring Allowas-in
router(config-router)#
www.cisco.com
132
neighbor allowas-in
To configure PE routers to allow readvertisement of all prefixes containing
duplicate ASNs, use the neighbor allowas-in command in router configuration
mode. To disable the readvertisement of a PE router's ASN, use the no form of
this command.
neighbor allowas-in number
no neighbor allowas-in number
Syntax Description
number
Defaults
No default behavior or values.
3-127
www.cisco.com
133
Most aspects of BGP loop prevention are bypassed when youre using either asoverride or allowas-in features. Although the routing information loops can still
be detected by counting occurrences of an autonomous system number in the AS
path in end-to-end BGP routing scenario, the situation can get worse when BGP is
mixed with other PE-CE routing protocols. The Site-of-origin extended BGP
community can be used as an additional loop prevention mechanism in these
scenarios.
Note
3-128
Site-of-origin and any other loop prevention mechanisms are only needed for
customer networks with multi-homed sites. Loops can never occur in customer
networks that only have stub sites.
www.cisco.com
134
For routes received from the BGP-speaking CE routers, the site-of-origin is set
by incoming route map on the PE-router
3-129
www.cisco.com
135
3-130
For situations where BGP is used as the PE-CE routing protocol, outbound
route maps can be used on the PE router to deny routes matching particular
value of site-of-origin
Setting Site-of-Origin on
Inbound EBGP Update
router(config)#
www.cisco.com
136
set extcommunity
To set the extended communities attribute, use the set extcommunity route-map
configuration command. To delete the entry, use the no form of this command.
set extcommunity extcommunity-type community-number [additive]
no set extcommunity extcommunity-type community-number [additive]
Syntax Description
extcommunity-type
3-131
www.cisco.com
137
ip vrf sitemap
To set the Site of Origin extended community attribute, use the ip vrf sitemap
interface configuration command. To delete the entry, use the no form of this
command.
ip vrf sitemap route-map-name
no ip vrf sitemap route-map-name
Syntax Description
route-map-name
Default
No route map is used to set the Site of Origin extended community.
3-132
www.cisco.com
138
3-133
Summary
External BGP can be used with the CE routers to exchange routing information.
If the CE sites are all using the same AS number, the information coming from
one site is regarded as a routing loop on other sites. AS-Override feature should be
enabled on all neighborships with the CE routers to overcome this problem.
If there is a multihomed site that needs to be able to re-announce the information
back into the core (Hub-and-Spoke design), the PE routers will regard this as a
routing loop. Allowas-in feature should be used to overcome this problem. This
may, however, cause routing loops and an additional extended community Site of
Origin can be used to prevent them.
Review Questions
3-134
Why cant you use the AS-override feature instead of the Allowas-In feature?
What is Site-of-Origin?
Using OSPF in
an MPLS VPN
Environment
Overview
This chapter introduces the interaction between multi-protocol Border Gateway
Protocol (MP-BGP) running between Provider Edge routers (PE-routers) and
Open Shortest Path First (OSPF) protocol running inside a Virtual Private
Network (VPN) implemented with MPLS VPN technology.
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
4-2
Describe the propagation of OSPF customer routes across the MPLS VPN
backbone
Explain why the OSPF routes propagated through MP-BGP are not reinserted
into OSPF as external (LSA type-5) routes
Area
Area
Area
www.cisco.com
Page-5
The Open Shortest Path First (OSPF) routing protocol was designed to support
hierarchical networks with a central backbone. The network running OSPF is
divided into areas. All areas have to be directly connected to the backbone area
(area 0). The whole OSPF network (backbone area and any other areas connected
to it) is called the OSPF domain.
The OSPF areas in the customer network could correspond to individual sites, but
there are also other often-encountered options:
A single area could span multiple sites (for example, the customer decides to
use an area per region, but the region contains multiple sites)
Note
Please refer to the Building Scalable Cisco Networks (BSCN) course or OSPF
curriculum for background information on OSPF.
4-3
PE-router
CE-router
PE-router
Site IGP
Site IGP
Site IGP
www.cisco.com
Page-6
The MPLS VPN routing model introduces a BGP backbone into the customer
network. Isolated copies of IGP run at every site and the multi-protocol BGP is
used to propagate routes between sites. Redistribution between customer IGP,
running between PE-routers and CE-routers and the backbone MP-BGP, is
performed at every PE-router.
4-4
OSPF-BGP Redistribution
Issue
OSPF route is redistributed into BGP
BGP backbone
PE-router
Area 1
propagated as external
route into other sites
Area 2
Area 3
www.cisco.com
Page-7
The IGP - BGP redistribution introduced by the MPLS VPN routing model does
not fit well into the customer networks running OSPF. Whenever a route is
redistributed into OSPF from another routing protocol, its redistributed as an
external OSPF route, and this is what would happen when the customer is
migrated to MPLS VPN service. The OSPF routes received by one PE-router
would be propagated across the MPLS backbone and redistributed back into OSPF
at another site as external OSPF routes.
4-5
Classic OSPF-BGP
Redistribution
OSPF route type is not preserved when
OSPF route is redistributed into BGP
All OSPF routes from a site are inserted
as external (LSA type 5) routes into
other sites
Result: OSPF route summarization and
stub areas are hard to implement
Conclusion: MPLS VPN must extend the
classic OSPF-BGP routing model
2000, Cisco Systems, Inc.
www.cisco.com
Page-8
With the traditional OSPF to BGP redistribution, the OSPF route type (internal or
external route) is not preserved when the OSPF route is redistributed into BGP.
When that same route is redistributed back in OSPF, its always redistributed as an
external OSPF route.
There are a number of caveats associated with external OSPF routes:
External routes could use a different metric type that is not comparable to
OSPF cost
External routes are not inserted in stub areas or not-so-stubby (NSSA) areas
Internal routes are always preferred over external routes, regardless of their
cost.
Because of all these caveats, migrating an OSPF customer toward MPLS VPN
service might severely impact a customers routing. The MPLS VPN architecture
must therefore extend the classic OSPF - BGP routing model to support
transparent customer migration.
4-6
PE-router
Area 0
PE-router
Area 2
Area 0
Area 3
www.cisco.com
Page-9
4-7
www.cisco.com
Page-10
The goals that have to be met by the OSPF super-backbone are as follows:
4-8
ABR
ABR
Area 0
Area 2
Area 0
Area 3
www.cisco.com
Page-11
4-9
OSPF Super-backbone
Route Propagation Example
OSPF super-backbone
ABR
ABR
Inter-area route is
propagated into
other areas
Area 0
Area 2
Area 0
Area 3
www.cisco.com
Page-12
4-10
The OSPF intra-area route (described in OSPF router LSA or network LSA) is
inserted into the OSPF super-backbone by redistributing the OSPF route into
MP-BGP. Route summarization can be performed on the redistribution
boundary by the PE-router.
www.cisco.com
Page-13
PE-routers are advertising themselves as Area Border Routers. The superbackbone appears as another area to the CE-routers
Routes redistributed into MP-BGP from OSPF will appear as inter-area routes
in other OSPF sites if the original route was an intra-area or inter-area route
and as external routes if the original route was an external route.
As a consequence to the second rule, routes from the backbone area at one site
appear as inter-area routes (not as backbone routes) in backbone areas at other
sites.
4-11
OSPF Super-backbone
Implementation
Extended BGP communities are used to
propagate OSPF route type across BGP
backbone
OSPF cost is copied into MED attribute
www.cisco.com
Page-14
A new BGP extended community was defined to carry OSPF route type and
OSPF area across the BGP backbone. The format of this community is defined
in the following table:
Field
Community type
OSPF area
2
4
LSA type
Option
Note
4-12
Number of
bytes
Comments
The community type is 0x8000
This field carries the OSPF area from which the route
was redistributed into MP-BGP
This field carries the OSPF LSA type from which the
route was redistributed into MP-BGP
This field is used for external metric type. Low-order bit is
set for External Type 2 routes.
The Option field in OSPF route type extended community is not equivalent to the
Option field in the OSPF Link State Advertisement (LSA).
As in the standard OSPF - BGP redistribution, the OSPF cost is carried in the
MED attribute.
OSPF Super-backbone
Implementation
BGP backbone
10.0.0.0/8
OSPF RT=1:1:0
MED=768
PE-router
PE-router
10.0.0.0/8
LSA type 1
OSPF cost 768
10.0.0.0/8
LSA type 3
OSPF cost 768
Area 1
Area 2
www.cisco.com
Page-15
This figure illustrates the propagation of internal OSPF routes across the MPLS
VPN super-backbone. The sending PE-router redistributes the OSPF route into
MP-BGP, copies OSPF cost into MED attribute, and sets the BGP extended
community to indicate the LSA type from which the route was derived.
The receiving PE-router redistributes the MP-BGP route back into OSPF and uses
the original LSA type and the MED attribute to generate an inter-area summary
LSA. An inter-area summary LSA is always generated, because the receiving PErouter acts as an ABR between the super-backbone and the OSPF area(s).
4-13
OSPF Super-backbone
Propagation of External Routes
BGP backbone
10.0.0.0/8
OSPF RT=1:5:1
MED=20
PE-router
PE-router
10.0.0.0/8
LSA type 5
E2 metric 20
10.0.0.0/8
LSA type 5
E2 metric 20
Area 1
Area 2
www.cisco.com
Page-16
The external OSPF routes are redistributed into the MP-BGP in exactly the same
way as the internal OSPF routes. The process changes slightly on the receiving
PE-router:
4-14
For external routes (LSA type 5), the LSA is re-originated with the receiving
PE-router being the ASBR. The external metric type is copied from the BGP
extended community and the external cost is copied from the MED.
For NSSA external routes (LSA type 7), the route is announced to the other
OSPF sites as LSA type-5 external route, since the route has already crossed
the area boundary.
OSPF Super-backbone
Mixing Routing Protocols
BGP backbone
10.0.0.0/8
MED=3
PE-router
PE-router
10.0.0.0/8
LSA type 5
E2 metric 20
10.0.0.0/8
Hop count 3
RIP
Area 2
www.cisco.com
Page-17
The MPLS VPN super-backbone still retains the traditional BGP - OSPF route
redistribution behavior for routes that did not originate in OSPF at other sites (and
therefore do not carry the OSPF extended BGP community). These routes are
inserted into the OSPF topology database as type-5 external routes (or type-7
external routes for NSSA areas), with the default OSPF metric (not the value of
MED).
4-15
PE-router
PE-router
The OSPF route
is propagated
across the area
Area 1
PE-router
The other PE router
would redistribute the
route back into BGP
Area 2
Local subnet is announced to the PE-router
www.cisco.com
Page-18
OSPF developers took many precautions to avoid routing loops between OSPF
areas for example, intra-area routes are always preferred over inter-area routes.
These rules dont work after the super-backbone is introduced. Consider, for
example, a network in the figure above, where the receiving OSPF area has two
PE-routers attached to it.
4-16
Step 1
Step 2
Step 3
Step 4
The summary route is propagated across OSPF area and received by the other PErouter attached to the same area.
Step 5
The administrative distance of the OSPF route is better than the administrative
distance of the MP-IBGP route; therefore the PE-router selects the OSPF route
and redistributes the route back into the MP-BGP process, potentially resulting in
a routing loop.
www.cisco.com
Page-19
The down bit is used between the PE-routers to indicate which routes were
inserted into the OSPF topology database from the MPLS VPN super-backbone
and thus shall not be redistributed back in the MPLS VPN super-backbone. The
PE-router that redistributes the MP-BGP route as OSPF route into the OSPF
topology database sets the down bit. Other PE-routers use the down bit to prevent
this route from being redistributed back into MP-BGP.
4-17
BGP backbone
PE-router
PE-router
Down
Area 1
PE-router
The route is never
redistributed back into
MP-BGP backbone
Area 2
The Local subnet is announced without Down bit
www.cisco.com
Page-20
The typical usage of the down bit is shown in the diagram above:
4-18
Step 1
Step 2
Step 3
The MP-BGP route is inserted as inter-area route into an OSPF area by the
receiving PE-router. The receiving PE-router sets the down bit in the summary
(type-3) LSA.
Step 4
When the other PE-routers receive the summary LSA with the down bit set, they
do not redistribute the route back into MP-BGP.
PE-router
Do
PE-router
w
www.cisco.com
Page-21
The down bit stops the routing loops between MP-BGP and OSPF. It cannot,
however, stop the routing loops when redistribution between multiple OSPF
domains is involved, as is the case in the network in the figure above.
The routing loop in the network above occurs in these steps:
Step 1
Step 2
A CE-router redistributes the OSPF route into another OSPF domain. The down
bit is lost if the CE-router does not understand this OSPF extension.
Step 3
The OSPF route is propagated through the other OSPF domain with the down bit
cleared.
Step 4
A PE-router receives the OSPF route, down bit is not set, so the route is
redistributed back into the MP-BGP backbone, resulting in a routing loop.
4-19
www.cisco.com
Page-22
The routing loops introduced by route redistribution between OSPF domains can
be solved with the help of the tag field, using standard BGP - OSPF redistribution
rules.
In standard BGP - OSPF or OSPF - OSPF redistribution, the following rules
apply:
Whenever a router redistributes a BGP route into OSPF, the tag field in the
type-5 (or type-7) LSA is set to the AS-number of the redistributing router
The tag field from an external OSPF route is propagated across OSPF
domains when the external OSPF route is redistributed into another OSPF
domain
4-20
www.cisco.com
Page-23
The OSPF tag field is only present in the external OSPF routes (type-5 LSA or
type-7 LSA). This technique therefore cannot detect cross-domain loops involving
internal OSPF routes. There are two manual methods that can be used to overcome
this OSPF limitation:
The tag field can be set manually on the router redistributing routes between
OSPF domains using the redistribute ospf source-process-id tag value
command.
The PE-router can be configured to redistribute only internal OSPF routes into
MP-BGP.
4-21
PE-router
Do
www.cisco.com
Page-24
The diagram above illustrates how the OSPF tag field could be used to prevent
routing loops when the redistribution is done between OSPF domains.
4-22
Step 1
Step 2
Step 3
When the route is redistributed into another OSPF domain, the tag field is
propagated, but the down bit is cleared.
Step 4
Another PE-router receives the external OSPF route and filters the route based on
the tag field. The route is not redistributed into MP-BGP.
PE-router
PE-router
Down
PE-router
Area 1
Area 2
Another site
www.cisco.com
Page-25
The PE-router redistributes the OSPF route into MP-BGP. The route is propagated
to other PE-routers as an MP-BGP route. It is also redistributed into other OSPF
areas.
Step 2
The redistributed OSPF route is propagated across the OSPF area with the down
bit set.
Step 3
4-23
www.cisco.com
Page-26
To prevent the customer sites from acting as transit parts of the MPLS VPN
network, the OSPF route selection rules in PE-routers need to be changed. The
PE-routers have to ignore all OSPF routes with the down bit set, as these routes
originated in the MP-BGP backbone and the MP-BGP route should be used as the
optimum route toward the destination.
This rule is implemented with the routing bit in the OSPF LSA. For routes with
the down bit set, the routing bit is cleared and these routes never enter the IP
routing table, even if they are selected as the best routes by the Shortest Path First
(SPF) algorithm.
Note
4-24
The routing bit is Ciscos extension to OSPF and is used only internally in the
router. It is never propagated between routers in LSA updates.
PE-router
PE-router
Down
PE-router
Area 1
Area 2
Another site
www.cisco.com
Page-27
With the new route OSPF selection rules in place, the packet forwarding in the
network shown above follows the desired path:
Step 1
Step 2
Step 3
Other PE-routers might receive the MP-BGP and OSPF routes, but will ignore the
OSPF route for routing purposes because it has the down bit set. The data packets
will flow across the MPLS VPN backbone following only the MP-BGP routes, not
the OSPF routes derived from the MP-BGP routes.
4-25
Summary
The MPLS VPN architecture introduces a routing model where a BGP backbone
is inserted into the customer network. Traditional OSPF - BGP interactions would
imply that the OSPF routes received from one customer site would be inserted as
external OSPF routes into other customer sites. As the external OSPF routes are
treated differently from internal OSPF routes and the customer OSPF routing
often relies on properties of various OSPF route types, this option is not
acceptable. A different model is needed where the MPLS VPN backbone would be
implemented transparently to the customer.
The OSPF super-backbone was introduced in MPLS VPN architecture to support
the transparency requirements. The OSPF super-backbone, although implemented
with MP-BGP, looks like a regular area to the CE-routers and the PE-routers look
like Area Border Routers (ABR) even though they are in reality redistributing
routes between MP-BGP and OSPF.
Additional extended BGP communities are used to propagate the OSPF route type
across an MP-BGP backbone. The OSPF route type carried in the MP-BGP update
received by the PE-router is used to generate a summary LSA in the OSPF
topology database. An additional bit (called the down bit) is used in the Options
field of the OSPF header to prevent routing loops between MP-BGP and OSPF.
The same bit is also used on the PE-routers to prefer MP-BGP routes over OSPF
routes derived from MP-BGP routes through redistribution.
Review Questions
Answer the following questions:
4-26
How are OSPF route attributes propagated across an MPLS VPN backbone?
What is the influence of the Down bit on route selection process? Why is this
influence needed?
4-27
www.cisco.com
Page-32
Configure per-VRF copy of OSPF process and define all usual OSPF parameters
(networks, areas, neighbors).
Step 2
Step 3
4-28
Contrary to conventional wisdom, two-way redistribution between OSPF and MPBGP is safe in MPLS VPN environments because of additional mechanisms that
prevent routing loops or suboptimal routing.
www.cisco.com
Page-33
The per-VRF OSPF process is started with the router ospf process-id vrf name
command.
Note
A separate OSPF process is needed for every VRF in the router, even if the VRFs
participate in the same VPN. As the number of routing processes in Cisco IOS is
limited to 32, the number of OSPF customers that can be supported by any single
PE-router is limited.
4-29
Configuring Route
Redistribution
router(config)#
www.cisco.com
Page-34
The OSPF routes are redistributed into MP-BGP with the redistribute ospf
process-id command, which needs to be configured in the proper VRF address
family. The VRF address family is selected with the address-family ipv4 vrf
name command.
Note
Please refer to the MPLS VPN Implementation chapter for more information on
BGP address families.
4-30
show ip ospf
www.cisco.com
Page-35
4-31
show ip ospf
Router#show
Router#show ip
ip ospf
ospf
Routing
Routing Process
Process "ospf
"ospf 250"
250" with
with ID
ID 10.2.3.4
10.2.3.4
Supports
Supports only
only single
single TOS(TOS0)
TOS(TOS0) routes
routes
Supports
Supports opaque
opaque LSA
LSA
Connected
Connected to
to MPLS
MPLS VPN
VPN Superbackbone
Superbackbone
It
It is
is an
an area
area border
border and
and autonomous
autonomous system
system boundary
boundary
router
router
Redistributing
Redistributing External
External Routes
Routes from,
from,
bgp
bgp 1,
1, includes
includes subnets
subnets in
in redistribution
redistribution
www.cisco.com
Page-36
The show ip ospf command displays whether the router is a PE-router (and thus
connected to the MPLS VPN super-backbone). A PE-router is always an area
border router (ABR) or an AS boundary router (ASBR).
4-32
www.cisco.com
Page-37
The show ip ospf database type prefix command displays the status of the down
bit. If the down bit is set, you will see the keyword Downward displayed in the
Options field of the LSA. If the bit is not set, the keyword Upward will be
displayed.
4-33
www.cisco.com
Page-38
The show ip bgp vpnv4 vrf customer prefix command displays all details of a
MP-BGP route, including the OSPF extended BGP community. In the printout
above, the route redistributed into MP-BGP from OSPF was a summary route
(LSA type 3) redistributed from OSPF area 0.
4-34
Summary
The OSPF process in a VRF is started with the router ospf process vrf name
command. As the overall number of routing processes per router is limited to 32, a
single PE-router can serve only a small number of VRFs.
Two-way redistribution between BGP and OSPF is usually configured. The
redistribution is safe because of additional attributes introduced with the superbackbone architecture.
By default, only major networks are redistributed into OSPF. Redistribution of
subnets needs to be configured with the redistribute subnets command.
By default, only internal OSPF routes are redistributed from OSPF into MP-BGP.
Redistribution of external routes has to be configured with the redistribute
match route-type-list command.
The show ip ospf command will display whether a router is a PE-router connected
to the MPLS VPN backbone. The detailed printouts from the show ip ospf
database command will display the value of the down bit. The detailed printouts
from the show ip bgp command will display the OSPF-specific extended BGP
community.
Review Questions
How can you verify if an OSPF route was received from a local OSPF router or
through an MPLS VPN backbone?
4-35
Summary
After completing this chapter, you should be able to perform the following tasks:
4-36
How are OSPF route attributes propagated across MPLS VPN backbone?
OSPF area, route type, and metric type are propagated in an extended
BGP community. OSPF cost or external metric is propagated in the BGP
MED attribute.
What is the influence of the Down bit on the route selection process? Why is
this influence needed?
OSPF routes with the Down bit set are never entered in the routing table.
This ensures that the MP-IBGP routes from which the OSPF routes were
derived will be used for packet forwarding even though the IBGP routes
have a higher administrative distance than the OSPF routes.
4-37
4-38