Virtualized Network Design
Network Infrastructure
BRKCRS-2033 Ray Blair – rablair@cisco.com
BRKCRS-2033 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Informational Icons
“For Your Reference” – these slides are used to help you configure a particular feature or technology solution
Why Virtualize?
Creates Logical Partitions
Allows the use of unique security policies per logical domain
Provides traffic isolation per application, group, service etc…
The logical separation of traffic using one physical infrastructure
Virtualization Benefits
Network Virtualization
Components
Access Control (Branch – Campus)
  Functions:
    Authenticate client (user, device, app) attempting to gain network access
    Authorize client into a partition (VLAN)
    Deny access to unauthenticated clients
Path Isolation (WAN – MAN – Campus)
  Technologies: GRE, MPLS, VRFs, 802.1q
  Functions:
    Maintain traffic partitioned over Layer 3 infrastructure
    Transport traffic over isolated Layer 3 partitions
    Map Layer 3 isolated path to VLANs / VRFs in access and services edge
Services Edge (Data Center – Internet Edge)
  Functions:
    Provide access to services: Shared, Dedicated
    Apply policy per partition
    Isolate application environments if necessary
Access Control
  Client-based
    802.1X – assigned to VLAN
    Identity Services Engine (ISE)
  Clientless
    Web authentication
    MAC-address based
    Identity Services Engine (ISE)
  Static control
    Port security (static VLAN, ACL, MAC, etc…)
Access Control
802.1X
  Provides authentication and authorization services to known entities equipped with an 802.1X client (aka supplicant)
MAC-Authentication-Bypass (MAB)
  Provides authentication and authorization services to known entities not equipped with an 802.1X client
802.1X Auth-Fail VLAN
  Provides network access to entities (known or unknown) failing the 802.1X authentication attempt
802.1X Guest VLAN
  Provides authentication and authorization services to unknown entities not equipped with an 802.1X client
Web-based Authentication
  Provides authentication based on username and password
Identity Services Engine (ISE)
  Enables policy definition, control, posture assessment, and reporting
Identity Services Engine
  Consolidated Services, Software Packages
  Session Directory
  Flexible Service Deployment
  Link in Policy Information Points
  Keep Existing Logical Design
  Consolidate Data, Three-Click Drill-In
Path Isolation
(diagram: one physical Ethernet interface carrying two VRFs)
Path Isolation
  Hop-by-Hop
    VRF-Lite End-to-End
    EVN (Easy Virtual Network)
    802.1q for separation
  Multi-Hop
    VRF-Lite + GRE
    GRE for separation
  Multi-Hop
    MPLS-VPN
    MPLS labels for separation
Services Edge
(diagram: Red, Green and Blue users on the campus network reach their own Red, Green and Blue resources and a shared resource in the data center and the Internet)
VRF-Lite and GRE Tunnels
Packet format: 20-byte IP header | GRE header (4/8 bytes) | original packet
GRE encapsulation represents 24 extra bytes, or 28 if a key is present.
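As an added example (not from the slides), the following Python builds and parses the outer IPv4 + GRE encapsulation described above, so the 24/28-byte overhead and the resulting tunnel MTU can be checked on real bytes instead of assumed. The endpoint addresses are the slide's tunnel loopbacks; the inner packet, the key value and the helper names are constructed for the example.

```python
from typing import Optional
import ipaddress
import struct

# Constructed example: outer IPv4 + GRE encapsulation as on the slide
# (20-byte IP header, 4-byte GRE header, or 8 bytes when a key is present).
GRE_PROTO = 47           # IP protocol number for GRE
GRE_FLAG_KEY = 0x2000    # K bit in the GRE flags/version word (RFC 2890)
GRE_UNSUPPORTED = 0x8000 | 0x1000 | 0x0007  # C bit, S bit and version bits: not handled here
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (16-bit words)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_header(protocol: int, key: Optional[int] = None) -> bytes:
    """4-byte base GRE header, plus a 4-byte key field when a key is given."""
    flags = GRE_FLAG_KEY if key is not None else 0
    header = struct.pack("!HH", flags, protocol)
    if key is not None:
        header += struct.pack("!I", key & 0xFFFFFFFF)
    return header


def gre_overhead(key: Optional[int] = None) -> int:
    """Bytes added by the encapsulation: 24 without a key, 28 with one."""
    return 20 + len(gre_header(ETHERTYPE_IPV4, key))


def tunnel_mtu(physical_mtu: int, key: Optional[int] = None) -> int:
    """Largest inner packet that fits without fragmenting the outer packet."""
    return physical_mtu - gre_overhead(key)


def gre_encapsulate(inner: bytes, src: str, dst: str,
                    protocol: int = ETHERTYPE_IPV4,
                    key: Optional[int] = None, ttl: int = 255) -> bytes:
    """Wrap `inner` in outer IPv4 (src -> dst) + GRE, as the tunnel interface would."""
    gre = gre_header(protocol, key)
    total_len = 20 + len(gre) + len(inner)
    # Outer IPv4 header without options (version 4, IHL 5); checksum filled in afterwards.
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, GRE_PROTO, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    outer = outer[:10] + struct.pack("!H", ipv4_checksum(outer)) + outer[12:]
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> dict:
    """Validate the outer headers and return endpoints, protocol, key and the inner packet."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, protocol = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & GRE_UNSUPPORTED:
        raise ValueError("GRE checksum/sequence options or non-zero version not supported")
    offset = ihl + 4
    key = None
    if flags & GRE_FLAG_KEY:
        key, = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "protocol": protocol, "key": key, "inner": packet[offset:]}


def is_valid_gre(packet: bytes) -> bool:
    """True when the packet parses as a well-formed IPv4/GRE encapsulation."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = b"\x45" + b"\x00" * 99   # constructed 100-byte inner packet
    plain = gre_encapsulate(inner, "192.168.101.8", "192.168.101.7")
    keyed = gre_encapsulate(inner, "192.168.101.8", "192.168.101.7", key=101)
    print(len(plain) - len(inner), len(keyed) - len(inner), tunnel_mtu(1500))
```

The key field is only a demultiplexing identifier: it lets the receiver tell tunnels apart but authenticates nothing, so the isolation GRE provides is topological, not cryptographic.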
VRF-Lite and GRE Tunnels
Configuration
! Defining the VRFs (IPv4 and IPv6)
vrf definition GRN
 !
 address-family ipv4
 !
 address-family ipv6
!
vrf definition RED
 !
 address-family ipv4
 !
 address-family ipv6
!
! Client-side interfaces
interface Ethernet0/2
 vrf forwarding GRN
 ip address 172.17.8.8 255.255.255.0
 ipv6 address 2001:17:8::8/64
!
interface Ethernet0/3
 vrf forwarding RED
 ip address 172.16.8.8 255.255.255.0
 ipv6 address 2001:16:8::8/64
VRF-Lite and GRE Tunnels
Configuration
! Loopback interfaces for tunnel termination (network side)
interface Loopback101
 ip address 192.168.101.8 255.255.255.255
!
interface Loopback102
 ip address 192.168.102.8 255.255.255.255
!
! Tunnel interfaces (network side): associate the local source with the loopbacks
! and the destination with the peer loopback; assign IPv4 and v6 addresses
interface Tunnel1
 vrf forwarding RED
 ip address 172.16.87.8 255.255.255.0
 ipv6 address 2001:16:87::8/64
 tunnel source Loopback101
 tunnel destination 192.168.101.7
!
interface Tunnel2
 vrf forwarding GRN
 ip address 172.17.87.8 255.255.255.0
 ipv6 address 2001:17:87::8/64
 tunnel source Loopback102
 tunnel destination 192.168.102.7
VRF-Lite and GRE Tunnels
Configuration
VRF-Lite and GRE
Traffic Example
Traceroute indicates the tunnel only:
H9#traceroute 172.16.8.11
Tracing the route to 172.16.8.11
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.7.7 0 msec 0 msec 1 msec
  2 172.16.87.8 1 msec 2 msec 2 msec
  3 172.16.8.11 1 msec * 2 msec
H10#traceroute 172.17.8.12
Tracing the route to 172.17.8.12
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.7.7 1 msec 5 msec 0 msec
  2 172.17.87.8 1 msec 0 msec 1 msec
  3 172.17.8.12 1 msec * 1 msec
H9#traceroute 2001:16:8::11
Tracing the route to 2001:16:8::11
  1 2001:16:7::7 1 msec 0 msec 0 msec
  2 2001:16:87::8 1 msec 1 msec 1 msec
  3 2001:16:8::11 1 msec 6 msec 6 msec
H10#traceroute 2001:17:8::12

Learning Curve
  Familiar routing protocols can be used
  IP based solution
VRF-Lite and Easy Virtual Network (EVN)
VRF-Lite/EVN End-to-End
  Packets processed per VRF
  Unique control plane and data plane
  802.1q
VRF-Lite/EVN
Client-Side Configuration
! Defining the VRFs
vrf definition GRN
 !
 address-family ipv4
 !
 address-family ipv6
!
interface Vlan17
VRF-Lite
Network-Side Configuration
! Assign IPv4 and v6 addresses
interface Ethernet0/0.16
 vrf forwarding RED
 encapsulation dot1Q 16
 ip address 172.16.85.8 255.255.255.0
EVN
Network-Side Configuration
! VNET tag association
!
! Network-side interfaces
interface Ethernet0/0
 vnet trunk
 ip address 192.168.74.7 255.255.255.0
!
interface Ethernet0/1
 vnet trunk
 ip address 192.168.73.7 255.255.255.0
!
VRF-Lite/EVN
Routing Protocol Configuration
VRF-Lite End-to-End
Traffic Example
Traceroute indicates every L3 hop:
H9#traceroute 172.16.8.11
Tracing the route to 172.16.8.11
  1 172.16.7.7 0 msec 0 msec 0 msec
  2 172.16.73.3 1 msec 0 msec 1 msec
  3 172.16.31.1 1 msec 5 msec 5 msec
  4 172.16.61.6 1 msec 1 msec 1 msec
  5 172.16.86.8 1 msec 5 msec 6 msec
  6 172.16.8.11 1 msec 1 msec 2 msec
H10#traceroute 2001:17:8::12
Tracing the route to 2001:17:8::12
  1 2001:17:7::7 0 msec 0 msec 0 msec
  2 2001:17:74::4 1 msec 0 msec 1 msec
EVN
Derived Configuration
#show derived-config
! Physical interface
! Sub-interfaces created automatically
interface Ethernet0/0.101
 description Subinterface for VNET RED
 vrf forwarding RED
EVN
Traffic Example
H9#traceroute 172.16.8.11
Type escape sequence to abort.
Tracing the route to 172.16.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.7.7 (RED,RED/101) 0 msec 1 msec 1 msec
  2 192.168.74.4 (RED/101,RED/101) 1 msec 0 msec 1 msec
  4 192.168.52.5 (GRN/102,GRN/102) 6 msec 5 msec 5 msec
  5 192.168.85.8 (GRN/102,GRN) 5 msec 5 msec 4 msec
  6 172.17.8.12 5 msec * 5 msec
VRF-Lite End-to-End
Summary
Deployment
  End-to-End IP based solution
  Easy migration from existing campus architecture
  Any-to-any connectivity within VPNs
  8 or fewer VRFs recommended
  Supported on Catalyst 6500, 4500, 3700 families, and Nexus 7000
Application and Services
  Multiple VRF-aware services available
Learning Curve
  Familiar routing protocols
  IP alternative to MPLS
EVN
Summary
Deployment
  End-to-End IP based solution
  Easy integration with VRF-Lite
  Route replication
  Supported on ASR1K, Sup2T, and Cat4K*
  32 or fewer VRFs supported
Learning Curve
  Familiar routing protocols can be used
  IP alternative to MPLS
MPLS-VPN
Test Diagram
(diagram: hosts H9–H12 behind PE switches S7 and S8, P routers S1–S6 in the core, and route reflectors R13 and R14)
MPLS-VPN
Overview
MPLS-VPN
BGP Scalability – iBGP Neighbor Relationships
MPLS-VPN
BGP Scalability – Route Reflectors
MPLS-VPN
Label Stack
MPLS VPN packet format between PE and PE: 4-byte IGP label | 4-byte VPN label | original packet
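As an added example (not from the slides), this Python encodes and decodes the two-entry label stack shown above and walks it through the roles the deck describes: the ingress PE pushes the VPN and IGP labels, a P router swaps the top label, and the egress PE uses the remaining VPN label to pick the VRF. The label values 22/20 are the ones the deck's traceroute shows; the replacement label 17, the inner packet and the label-to-VRF mapping are constructed.

```python
import struct

# Constructed example: the two-label stack (IGP label on top, VPN label at the
# bottom) carried in front of the original packet between the PEs.
LABEL_MAX = (1 << 20) - 1


def encode_label(label: int, exp: int = 0, bottom: bool = False, ttl: int = 255) -> bytes:
    """Pack one 32-bit label stack entry: 20-bit label, 3-bit EXP, S bit, 8-bit TTL."""
    if not 0 <= label <= LABEL_MAX:
        raise ValueError("label out of range")
    word = (label << 12) | ((exp & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_entry(word: int) -> dict:
    """Unpack one 32-bit label stack entry into its fields."""
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF}


def encode_label_stack(labels, ttl: int = 255) -> bytes:
    """Encode labels top-first; only the last entry carries the S (bottom-of-stack) bit."""
    if not labels:
        raise ValueError("empty label stack")
    last = len(labels) - 1
    return b"".join(encode_label(lbl, bottom=(i == last), ttl=ttl)
                    for i, lbl in enumerate(labels))


def decode_label_stack(data: bytes):
    """Return (entries, payload); reading stops at the entry whose S bit is set."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        word, = struct.unpack("!I", data[offset:offset + 4])
        entry = decode_entry(word)
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, data[offset:]


def build_vpn_packet(igp_label: int, vpn_label: int, inner: bytes) -> bytes:
    """Ingress PE: push the VPN label, then the IGP label toward the egress PE."""
    return encode_label_stack([igp_label, vpn_label]) + inner


def swap_top_label(packet: bytes, new_label: int) -> bytes:
    """P router: swap the top (IGP) label and decrement its TTL; the VPN label is untouched."""
    word, = struct.unpack("!I", packet[:4])
    top = decode_entry(word)
    if top["ttl"] <= 1:
        raise ValueError("TTL expired")
    return encode_label(new_label, top["exp"], top["bottom"], top["ttl"] - 1) + packet[4:]


def pop_top_label(packet: bytes) -> bytes:
    """Remove the top entry (penultimate-hop pop of the IGP label)."""
    word, = struct.unpack("!I", packet[:4])
    if decode_entry(word)["bottom"]:
        raise ValueError("top entry is already the bottom of the stack")
    return packet[4:]


def egress_vrf_lookup(packet: bytes, vpn_label_to_vrf: dict):
    """Egress PE: the remaining (bottom) label selects the VRF for the inner packet."""
    entries, inner = decode_label_stack(packet)
    if len(entries) != 1:
        raise ValueError("expected a single VPN label at the egress PE")
    vrf = vpn_label_to_vrf.get(entries[0]["label"])
    if vrf is None:
        raise ValueError("unknown VPN label %d" % entries[0]["label"])
    return vrf, inner


if __name__ == "__main__":
    inner = b"\x45" + b"\x00" * 19                     # constructed inner packet
    pkt = build_vpn_packet(22, 20, inner)               # labels as in the deck's traceroute
    at_core = swap_top_label(pkt, 17)                   # constructed next IGP label
    print(egress_vrf_lookup(pop_top_label(at_core), {20: "GRN"}))  # assumed label->VRF map
```

The separation between VPNs rests entirely on the egress PE mapping the bottom label to a VRF, which is why only labels allocated by that PE, and only from trusted label-switched neighbours, should ever reach it.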
MPLS-VPN – Label Exchange
(diagram: routers PE1 – P2 – P3 – PE4; BGP on the PEs, OSPF between all routers in the core; each router holds a routing table, FIB and LFIB, and IGP labels are exchanged hop by hop across the core.
 VRF RED, RT 1:1: 172.16.1.0 at PE1, 172.16.4.0 at PE4. VRF GRN, RT 1:2: 172.17.1.0 at PE1, 172.17.4.0 at PE4.
 MP-BGP from PE1 to PE4 advertises 172.16.1.0 RT=1:1 NH=PE1 with a VPN label and 172.17.1.0 RT=1:2 NH=PE1 with a VPN label; PE4 installs 172.16.1.0 (RT 1:1) and 172.17.1.0 (RT 1:2) into the matching VRFs.)
MPLS-VPN – Packet Flow
(diagram: same topology and VRFs as the label exchange slide: PE1 – P2 – P3 – PE4, VRF RED RT 1:1 with 172.16.1.0 and 172.16.4.0, VRF GRN RT 1:2 with 172.17.1.0 and 172.17.4.0, MP-BGP carrying 172.16.1.0 RT=1:1 NH=PE1 and 172.17.1.0 RT=1:2 NH=PE1 with their VPN labels.
 A packet from PE4 toward 172.17.1.0 crosses the core as 4-byte IGP label | 4-byte VPN label | original packet.)
MPLS-VPN
Configuration (PE)
! Defining the VRFs
vrf definition GRN
 rd 1:2
 !
 address-family ipv4
 !
! Import and export to populate the VRF routing table
 address-family ipv4
  route-target export 1:1
  route-target import 1:1
 exit-address-family
 !
 address-family ipv6
  route-target export 1:1
  route-target import 1:1
 exit-address-family
MPLS-VPN
Configuration (PE)
! Host route on loopback for directed LDP session
interface Loopback0
 ip address 192.168.0.8 255.255.255.255
MPLS-VPN
Configuration (PE)
 neighbor 192.168.0.13 remote-as 65000
 neighbor 192.168.0.13 update-source Loopback0
 !
 ! VPNv4 configuration
 address-family vpnv4
  neighbor 192.168.0.13 activate
  neighbor 192.168.0.13 send-community extended
  neighbor 192.168.0.14 activate
  neighbor 192.168.0.14 send-community extended
 !
MPLS-VPN
Configuration (PE)
 ! Redistribute connected routes
 redistribute connected
 !
MPLS-VPN
Configuration (RR)
 !
 ! VPNv4 configuration
 address-family vpnv4
  neighbor AS65000 send-community extended
  neighbor AS65000 route-reflector-client
  neighbor 192.168.0.7 activate
  neighbor 192.168.0.8 activate
 !
 ! VPNv6 configuration
 address-family vpnv6
  neighbor AS65000 send-community extended
  neighbor AS65000 route-reflector-client
  neighbor 192.168.0.7 activate
  neighbor 192.168.0.8 activate
MPLS-VPN
Traffic Example
Traceroute indicates labels:
H9#trace 172.16.8.11
Tracing the route to 172.16.8.11
VRF info: (vrf in name/id, vrf out name/id)
H10#trace 172.17.8.12
Tracing the route to 172.17.8.12
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.7.7 2 msec 0 msec 0 msec
  3 192.168.32.2 [MPLS: Labels 22/20 Exp 0] 1 msec 1 msec 1 msec
  4 192.168.62.6 [MPLS: Labels 22/20 Exp 0] 1 msec 1 msec 0 msec
  5 172.17.8.8 1 msec 1 msec 1 msec
  6 172.17.8.12 0 msec * 1 msec
The hosts in this example (H9/H10) are IOS routers
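The traceroutes in this deck are the verification step for path isolation: the EVN trace reports the VRF in/out of each hop, and the MPLS trace reports the label stack. As an added example (not from the slides), the Python below parses both forms of IOS traceroute output and runs two checks a network defender would automate: that every hop reporting a VRF stays in the expected VRF, and that the bottom (VPN) label seen in the core is one the VPN is allowed to use. The two sample outputs are constructed in the deck's format; hop 3 of the first trace is a deliberately wrong GRN hop inside a RED trace, and hop 2 of the second trace is filled in, so the checks have something to find.

```python
import re
from typing import List

# Constructed samples modelled on the deck's IOS traceroute output (not copied from it).
EVN_TRACE = """\
H9#traceroute 172.16.8.11
Type escape sequence to abort.
Tracing the route to 172.16.8.11
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.7.7 (RED,RED/101) 0 msec 1 msec 1 msec
  2 192.168.74.4 (RED/101,RED/101) 1 msec 0 msec 1 msec
  3 192.168.52.5 (GRN/102,GRN/102) 6 msec 5 msec 5 msec
  4 172.16.8.11 1 msec * 2 msec
"""

MPLS_TRACE = """\
H10#trace 172.17.8.12
Tracing the route to 172.17.8.12
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.7.7 2 msec 0 msec 0 msec
  2 192.168.73.3 [MPLS: Labels 22/20 Exp 0] 1 msec 1 msec 1 msec
  3 192.168.32.2 [MPLS: Labels 22/20 Exp 0] 1 msec 1 msec 1 msec
  4 192.168.62.6 [MPLS: Labels 22/20 Exp 0] 1 msec 1 msec 0 msec
  5 172.17.8.8 1 msec 1 msec 1 msec
  6 172.17.8.12 0 msec * 1 msec
"""

# One hop line: number, address, optional "(vrf_in[/id],vrf_out[/id])",
# optional "[MPLS: Labels a/b Exp n]", then the probe RTTs ("*" = no reply).
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<addr>[0-9A-Fa-f.:]+)"
    r"(?:\s+\((?P<vrf_in>[^,/)]+)(?:/\d+)?,(?P<vrf_out>[^,/)]+)(?:/\d+)?\))?"
    r"(?:\s+\[MPLS: Labels (?P<labels>\d+(?:/\d+)*) Exp (?P<exp>\d+)\])?"
    r"(?P<rtts>(?:\s+(?:\d+ msec|\*))+)\s*$"
)


def parse_traceroute(text: str) -> List[dict]:
    """Turn IOS traceroute output into one dict per hop; prompt and header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        labels = [int(x) for x in m.group("labels").split("/")] if m.group("labels") else []
        rtts = [None if tok == "*" else int(tok.split()[0])
                for tok in re.findall(r"\d+ msec|\*", m.group("rtts"))]
        hops.append({"hop": int(m.group("hop")), "addr": m.group("addr"),
                     "vrf_in": m.group("vrf_in"), "vrf_out": m.group("vrf_out"),
                     "labels": labels,
                     "exp": int(m.group("exp")) if m.group("exp") else None,
                     "rtts": rtts})
    return hops


def vrf_violations(hops: List[dict], expected_vrf: str) -> List[int]:
    """Hop numbers whose reported VRF (in or out) differs from the VRF the trace should stay in."""
    bad = []
    for h in hops:
        seen = {v for v in (h["vrf_in"], h["vrf_out"]) if v}
        if seen and seen != {expected_vrf}:
            bad.append(h["hop"])
    return bad


def labelled_hops(hops: List[dict]):
    """(hop, labels) for every hop that reported an MPLS label stack, i.e. the core of the path."""
    return [(h["hop"], h["labels"]) for h in hops if h["labels"]]


def unexpected_labels(hops: List[dict], allowed_vpn_labels) -> List[int]:
    """Hops whose bottom label is not a VPN label this VPN is expected to carry.
    IOS prints the stack top-first, so the last value is the VPN label."""
    return [h["hop"] for h in hops if h["labels"] and h["labels"][-1] not in allowed_vpn_labels]


if __name__ == "__main__":
    print(vrf_violations(parse_traceroute(EVN_TRACE), "RED"))        # [3]
    print(labelled_hops(parse_traceroute(MPLS_TRACE)))
```

Run against the output of a scheduled traceroute from a host in each VRF, the two checks turn the deck's manual "traceroute indicates ..." verification into a repeatable test that a leak between VRFs, or a VPN label that was never allocated to that VPN, would fail.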
MPLS-VPN
Traffic Example
Traceroute indicates labels; IPv4 core only
H9#trace 2001:16:8::11
Tracing the route to 2001:16:8::11
H10#trace 2001:17:8::12
Tracing the route to 2001:17:8::12
  1 2001:17:7::7 4 msec 5 msec 4 msec
MPLS-VPN
ASR 9000 - IOS XR Configuration 4.2.1.23I Page 1
vrf GRN
 address-family ipv4 unicast
  import route-target
   65000:2
  !
  export route-target
   65000:2
  !
 !
 address-family ipv6 unicast
  import route-target
   65000:2
  !
  export route-target
   65000:2
  !
 !
!
vrf RED
 address-family ipv4 unicast
  import route-target
   65000:1
  !
  export route-target
   65000:1
  !
 !
 address-family ipv6 unicast
  import route-target
   65000:1
  !
  export route-target
   65000:1
  !
 !
!
interface Loopback0
 ipv4 address 192.168.255.14 255.255.255.255
!
interface TenGigE0/0/0/1
 ipv4 address 192.168.114.14 255.255.255.0
!
interface TenGigE0/0/0/2
 ipv4 address 192.168.140.14 255.255.255.0
!
interface TenGigE0/0/0/2.121
 vrf RED
 ipv4 address 172.16.14.14 255.255.255.0
 ipv6 address 2001:172:16:14::14/64
 encapsulation dot1q 121
!
interface TenGigE0/0/0/2.122
 vrf GRN
 ipv4 address 172.17.14.14 255.255.255.0
 ipv6 address 2001:172:17:14::14/64
 encapsulation dot1q 122
!
router ospf 65000
 router-id 192.168.255.14
 mpls ldp sync
 area 0
  interface Loopback0
  interface TenGigE0/0/0/0
  interface TenGigE0/0/0/1
MPLS-VPN
ASR 9000 - IOS XR Configuration 4.2.1.23I Page 2
MPLS-VPN
ASR 9000 - IOS XR Configuration 4.2.1.23I Page 3
mpls ldp
 router-id 192.168.255.14
 interface TenGigE0/0/0/0
 interface TenGigE0/0/0/1
!
multicast-routing
 address-family ipv4
  mdt source Loopback0
  interface all enable
 !
 vrf GRN
  address-family ipv4
   mdt data 232.0.2.0/24 threshold 10
   mdt default ipv4 232.0.0.2
   interface all enable
 !
 vrf RED
  address-family ipv4
   mdt data 232.0.1.0/24 threshold 10
   mdt default ipv4 232.0.0.1
   interface all enable
MPLS-VPN
Considerations
Deployment
  MPLS based solution
  Highly scalable L3 VPN solution (hundreds/thousands)
    ‒ Purpose built route-reflectors recommended
  Any-to-any connectivity within VPNs
  Pseudo-wire support (DCI/Legacy applications)

Virtualization Commands
IOS CLI (ip vrf syntax)
! VRF definition (IPv4 only; no support for IPv6)
ip vrf Red
 rd 1:1
!
ip vrf Green
 rd 2:2
!
! VLAN to VRF mapping
interface Vlan21
 ip vrf forwarding Red
 ip address 10.137.21.1 255.255.255.0
!
interface Vlan22
 ip vrf forwarding Green
 ip address 10.137.22.1 255.255.255.0
Virtualization Commands
NX-OS CLI
! VLAN to VRF mapping
interface Vlan21
 vrf member Red
 ip address 10.137.21.1 255.255.255.0
!
interface Vlan22
 vrf member Green
 ip address 10.137.22.1 255.255.255.0
Solid Design
What’s Required?
Hierarchical Network Design
  Core, Distribution, Access
Redundancy, Load balancing
  FHRP – HSRP, VRRP, GLBP
  Redundant paths
  CEF L3/L4 Load Balancing
Authentication
802.1X with Dynamic VLAN Assignment
(diagram: the supplicant talks EAP over LAN (EAPoL) to the authenticator at the edge of the campus network; the authenticator sends the authentication request over RADIUS to the backend authentication server in the data center and receives the authentication response, carrying the authentication result and VLAN assignment, over RADIUS)
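The VLAN assignment in the exchange above travels in the RADIUS Access-Accept. As an added example (not from the slides), the Python below encodes and decodes the three tunnel attributes standardised for this in RFC 2868 and RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN), and shows the validation an authenticator has to do before it moves a port: the trio must be complete and consistent, and a malformed attribute list must be rejected rather than partly honoured. The attribute numbers are standard; the VLAN value 101, the tag and all function names are constructed.

```python
import struct
from typing import List, Optional, Tuple

# Attribute numbers and enumerations from RFC 2868 / RFC 3580, not from the slide.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the 2 header bytes), value."""
    if len(value) + 2 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_assignment(vlan: str, tag: int = 1) -> bytes:
    """The three attributes an Access-Accept carries for dynamic VLAN assignment."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit in 5 bits")
    return (attribute(TUNNEL_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_TYPE_VLAN))
            + attribute(TUNNEL_MEDIUM_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_MEDIUM_IEEE_802))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")))


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting lengths that would overrun or never advance."""
    attrs, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return attrs


def is_well_formed(data: bytes) -> bool:
    try:
        parse_attributes(data)
        return True
    except ValueError:
        return False


def _split_tag(value: bytes) -> Tuple[int, bytes]:
    # RFC 2868: a leading byte of 0x00..0x1F is a tag; anything larger belongs to the value.
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(data: bytes) -> Optional[str]:
    """VLAN named by a complete, consistent tunnel-attribute trio, else None
    (an authenticator then leaves the port in its statically configured VLAN)."""
    groups = {}
    for attr_type, value in parse_attributes(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, body = _split_tag(value)
        entry = groups.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry[attr_type] = body.decode("ascii", "replace")
        else:
            if len(body) not in (3, 4):
                raise ValueError("bad tunnel attribute length")
            entry[attr_type] = int.from_bytes(body, "big")
    for entry in groups.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in entry):
            return entry[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = vlan_assignment("101")   # constructed: place the port in VLAN 101
    print(accept.hex(), assigned_vlan(accept))
```

Because these attributes decide which partition a port lands in, the authenticator should accept them only from the RADIUS servers it is configured with, over the shared secret, and the server's authorization policy should be the one place that maps identity to VLAN.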
Wireless
(diagram: lightweight access points, LWAP)
Wireless
Implementation
  802.1Q
  SSID to VLAN mapping
  VLAN to VRF mapping
  CAPWAP tunnel
  IP network
Unicast Shared Services
MPLS-VPN Configuration
Unicast Shared Services
MPLS-VPN Verification
S8#show ip route vrf RED
      10.0.0.0/24 is subnetted, 1 subnets
B        10.0.0.0 [200/0] via 192.168.0.7, 00:16:35
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.8.0/24 is directly connected, Ethernet0/3
L        172.16.8.8/32 is directly connected, Ethernet0/3
Unicast Shared Services
EVN Configuration
! Defining the IPv4 VRFs, assign a tag and configure route replication
vrf definition GRN
 vnet tag 102
 !
 address-family ipv4
  route-replicate from vrf SVCS unicast all
!
vrf definition RED
 vnet tag 101
 !
 address-family ipv4
  route-replicate from vrf SVCS unicast all
!
vrf definition SVCS
 vnet tag 100
 !
 address-family ipv4
  route-replicate from vrf RED unicast all route-map RED-IMPORT
  route-replicate from vrf GRN unicast all route-map GRN-IMPORT
Unicast Shared Services
EVN Verification
S7#routing-context vrf SVCS
S7%SVCS#sh ip route
Unicast Shared Services
EVN Verification
Traceroute indicates a valid path:
H12#traceroute 10.15.15.15
Type escape sequence to abort.
Tracing the route to 10.15.15.15
VRF info: (vrf in name/id, vrf out name/id)
  1 172.17.8.8 (GRN,GRN/102) 5 msec 5 msec 5 msec
  2 192.168.85.5 (GRN/102,GRN/102) 5 msec 5 msec 5 msec
Unicast Shared Services
EVN Verification
Imported SVCS routes (10.0.0.0):
S7%RED#show ip route
Routing Table: RED
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C +      10.0.0.0/24 is directly connected (SVCS), Ethernet1/0
L +      10.0.0.7/32 is directly connected (SVCS), Ethernet1/0
D +      10.15.15.0/24 [90/409600] via 10.0.0.15 (SVCS), 01:21:55, Ethernet1/0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.7.0/24 is directly connected, Ethernet0/3
L        172.16.7.7/32 is directly connected, Ethernet0/3
D        172.16.8.0/24 [90/384000] via 192.168.74.4, 02:02:58, Ethernet0/0.101
                       [90/384000] via 192.168.73.3, 02:02:58, Ethernet0/1.101
D     192.168.12.0/24 [90/332800] via 192.168.74.4, 02:03:02, Ethernet0/0.101
                       [90/332800] via 192.168.73.3, 02:03:02, Ethernet0/1.101
Shared Services Edge
Fusion Router
Deployment of a fusion router in the Shared Services edge to provide:
  Inter-VPN connectivity
  Protected access to shared resources
Firewall for:
  VPN isolation/protection
  Application of per VPN policies
  Leverage the multi-context functionality available with FWSM, PIX, ASA and ASA blade
Routing between VRFs and Fusion Router depends on the FW mode of operation:
  FW in Transparent Mode: IGP or eBGP
  FW in Routed Mode: Static Routing or eBGP
This may be a dedicated device
Protected Services
Deploying Firewall Contexts in Routed Mode
! eBGP connection interfaces
interface Ethernet0/0
 vrf forwarding SVCS
 mac-address 000b.3333.0000
 ip address 172.17.0.1 255.255.255.0
 ipv6 address 2001:17::1/64
!
interface Ethernet0/1
 vrf forwarding GRN
 mac-address 000b.3333.0001
 ip address 172.17.0.2 255.255.255.0
 ipv6 address 2001:17::2/64
!
interface Ethernet0/2
 vrf forwarding RED
 mac-address 000b.3333.0002
 ip address 172.16.0.2 255.255.255.0
 ipv6 address 2001:16::2/64
!
interface Ethernet0/3
 vrf forwarding SVCS
 mac-address 000b.3333.0003
 ip address 172.16.0.1 255.255.255.0
 ipv6 address 2001:16::1/64
Protected Services
eBGP Single-Box Configuration
! SVCS interface
interface Ethernet1/0
 vrf forwarding SVCS
 ip address 10.0.0.3 255.255.255.0
 ipv6 address 2001:10::3/64
!
! Client side interfaces
interface Ethernet1/1
 vrf forwarding GRN
 ip address 172.17.2.2 255.255.255.0
 ipv6 address 2001:17:2::2/64
!
interface Ethernet1/2
 vrf forwarding RED
 ip address 172.16.2.2 255.255.255.0
 ipv6 address 2001:16:2::2/64
Protected Services
eBGP Single-Box Configuration
! eBGP IPv4
router bgp 65000
 bgp router-id vrf auto-assign
 !
 address-family ipv4 vrf GRN
  redistribute connected
  neighbor 172.17.0.1 remote-as 65100
  neighbor 172.17.0.1 local-as 65002 no-prepend replace-as
  neighbor 172.17.0.1 activate
 !
 address-family ipv4 vrf RED
  redistribute connected
  neighbor 172.16.0.1 remote-as 65100
  neighbor 172.16.0.1 local-as 65001 no-prepend replace-as
  neighbor 172.16.0.1 activate
 !
 address-family ipv4 vrf SVCS
  redistribute connected
  neighbor 172.16.0.2 remote-as 65001
  neighbor 172.16.0.2 local-as 65100 no-prepend replace-as
  neighbor 172.16.0.2 activate
  neighbor 172.17.0.2 remote-as 65002
  neighbor 172.17.0.2 local-as 65100 no-prepend replace-as
  neighbor 172.17.0.2 activate
Protected Services
eBGP Single-Box Configuration
! eBGP IPv6
router bgp 65000
 bgp router-id vrf auto-assign
 !
 address-family ipv6 vrf GRN
  redistribute connected
  neighbor 2001:17::1 remote-as 65100
  neighbor 2001:17::1 local-as 65002 no-prepend replace-as
  neighbor 2001:17::1 activate
 !
 address-family ipv6 vrf RED
  redistribute connected
  neighbor 2001:16::1 remote-as 65100
  neighbor 2001:16::1 local-as 65001 no-prepend replace-as
  neighbor 2001:16::1 activate
 !
 address-family ipv6 vrf SVCS
  redistribute connected
  neighbor 2001:16::2 remote-as 65001
  neighbor 2001:16::2 local-as 65100 no-prepend replace-as
  neighbor 2001:16::2 activate
  neighbor 2001:17::2 remote-as 65002
  neighbor 2001:17::2 local-as 65100 no-prepend replace-as
  neighbor 2001:17::2 activate
Protected Services
eBGP Single-Box – Verification
Traceroute to SVCS (shared services, 10.0.0.0/24):
H3#traceroute 10.0.0.1
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.2.2 0 msec 0 msec 0 msec
  2 172.16.0.1 1 msec 0 msec 0 msec
  3 10.0.0.1 1 msec * 0 msec
H3#traceroute 2001:10::1
Tracing the route to 2001:10::1
  1 2001:16:2::2 0 msec 5 msec 5 msec
  2 2001:16::1 1 msec 1 msec 0 msec
  3 2001:10::1 37 msec 1 msec 0 msec
Traceroute from RED to GRN:
H3#traceroute 172.17.2.4
Tracing the route to 172.17.2.4
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.2.2 1 msec 5 msec 5 msec
  2 172.16.0.1 1 msec 1 msec 0 msec
  3 172.17.0.2 1 msec 1 msec 0 msec
  4 172.17.2.4 1 msec * 1 msec
H3#traceroute 2001:17:2::4
MPLS VPN and Multicast
What is MVPN?
Multicast Shared Services
Route-Leaking - SSM in MPLS-VPN Core
Multicast Shared Services
Route-Leaking - MPLS-VPN RP
(diagram: shared services network 10.0.0.0/24 and 2001:10::0/64 with the RP R15 at 10.0.0.15, reached from hosts H9–H12 through PE switches S7 and S8, P routers S1–S6 and route reflectors R13 and R14)
Multicast Shared Services
Route-Leaking – MPLS-VPN Core Configuration
! Enable PIM on loopback and network-facing interfaces
interface Loopback0
 ip pim sparse-mode
!
! Turn on multicast routing and SSM
ip multicast-routing
ip pim ssm default
!
! Configure the MDT address family in BGP
router bgp 65000
 !
 address-family ipv4 mdt
  neighbor AS65000 send-community extended
  neighbor AS65000 route-reflector-client
  neighbor 192.168.0.7 activate
  neighbor 192.168.0.8 activate
Multicast Shared Services
Route-Leaking - Core Configuration
! Configure the RP (note: the join-group is used for testing purposes)
interface Ethernet0/0
 ip address 10.0.0.15 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 224.100.100.100
!
ip pim rp-address 10.0.0.15
Multicast Shared Services
Route-Leaking - PE Configuration
! Configure each VRF with MDT data and default
vrf definition GRN
 rd 1:2
 address-family ipv4
  mdt default 232.0.0.2
  mdt data 232.0.2.0 0.0.0.255 threshold 10
  route-target export 1:2
  route-target import 1:2
!
vrf definition RED
 rd 1:1
 address-family ipv4
  mdt default 232.0.0.1
  mdt data 232.0.1.0 0.0.0.255 threshold 10
  route-target export 1:1
  route-target import 1:1
!
! "Leak" routes between the SVCS VRF and the GRN and RED VRFs
! using the route-target import and export commands
vrf definition SVCS
 rd 1:100
 address-family ipv4
  mdt default 232.0.0.100
  mdt data 232.0.100.0 0.0.0.255 threshold 10
  route-target export 1:100
  route-target export 1:1
  route-target export 1:2
  route-target import 1:100
  route-target import 1:1
  route-target import 1:2
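The route-target lists above are what make SVCS reachable from RED and GRN while RED and GRN stay invisible to each other, and the same import/export mechanism underlies the earlier MPLS-VPN PE configuration. As an added example (not from the slides), the Python below models that rule, a route is imported into a VRF when the origin's export RTs intersect the target's import RTs, computes the resulting per-VRF tables, and audits the outcome against a stated policy of which VRF pairs may exchange routes. The RT values and VRF names are the ones on this slide; the prefixes, the policy set and all function names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    prefixes: Set[str] = field(default_factory=set)   # routes originated in this VRF


def vrf_tables(vrfs: List[Vrf]) -> Dict[str, Set[Tuple[str, str]]]:
    """Routes each VRF ends up with, as (prefix, origin VRF): a route is imported
    when the origin's export RT set and the target's import RT set intersect."""
    tables = {}
    for target in vrfs:
        table = set()
        for origin in vrfs:
            if target.import_rt & origin.export_rt:
                table |= {(p, origin.name) for p in origin.prefixes}
        tables[target.name] = table
    return tables


def route_exchange(vrfs: List[Vrf]) -> Set[FrozenSet[str]]:
    """Unordered pairs of distinct VRFs that receive each other's routes in at least one direction."""
    pairs = set()
    for a in vrfs:
        for b in vrfs:
            if a.name != b.name and (a.import_rt & b.export_rt):
                pairs.add(frozenset((a.name, b.name)))
    return pairs


def leak_violations(vrfs: List[Vrf], allowed: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Pairs that exchange routes although the isolation policy does not allow them to."""
    return route_exchange(vrfs) - allowed


def slide_vrfs() -> List[Vrf]:
    """RD and RT values from the slide; the prefixes are constructed sample routes."""
    return [
        Vrf("RED", "1:1", {"1:1"}, {"1:1"}, {"172.16.8.0/24"}),
        Vrf("GRN", "1:2", {"1:2"}, {"1:2"}, {"172.17.8.0/24"}),
        Vrf("SVCS", "1:100", {"1:100", "1:1", "1:2"}, {"1:100", "1:1", "1:2"}, {"10.0.0.0/24"}),
    ]


# Constructed policy: RED and GRN may each talk to SVCS, never to each other.
ALLOWED = {frozenset(("RED", "SVCS")), frozenset(("GRN", "SVCS"))}


if __name__ == "__main__":
    vrfs = slide_vrfs()
    for name, table in vrf_tables(vrfs).items():
        print(name, sorted(table))
    print("violations:", leak_violations(vrfs, ALLOWED))   # set()
```

The audit is cheap to run against a parsed running configuration, and it catches the classic mistake the slide's design depends on avoiding: one stray `route-target import` of another VPN's RT turns a hub-and-spoke shared-services design into a full mesh without any interface or route changing visibly.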
Multicast Shared Services
Route-Leaking - Verification
r15#sh ip mroute
IP Multicast Routing Table
(*, 224.100.100.100), 00:22:12/stopped, RP 10.0.0.15, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Ethernet0/0, Forward/Sparse, 00:22:12/00:02:47
Multicast Shared Services
VRF-Fallback - Configuration
! Define the VRF interfaces, assign IP addresses and enable PIM
interface Ethernet0/0
 vrf forwarding SVCS
 ip address 10.0.0.2 255.255.255.0
 ip pim sparse-mode
!
interface Ethernet0/1
 vrf forwarding GRN
 ip address 172.17.2.2 255.255.255.0
 ip pim sparse-mode
!
interface Ethernet0/2
 vrf forwarding RED
 ip address 172.16.2.2 255.255.255.0
 ip pim sparse-mode
Multicast Shared Services
VRF-Fallback - Configuration
! Configure GRN and RED VRFs for fallback
ip mroute vrf GRN 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
ip mroute vrf RED 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
Multicast Shared Services
VRF-Fallback – Verification
Verification of multicast routing information in SVCS VRF:
S2#sh ip mroute vrf SVCS 224.1.1.1
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:10:24/stopped, RP 10.0.0.5, flags: SJCE
  Incoming interface: Ethernet0/0, RPF nbr 10.0.0.5
  Outgoing interface list: Null
  Extranet receivers in vrf GRN:
(*, 224.1.1.1), 00:10:58/stopped, RP 10.0.0.5, OIF count: 1, flags: SJC
  Extranet receivers in vrf RED:
(*, 224.1.1.1), 00:10:48/stopped, RP 10.0.0.5, OIF count: 1, flags: SJC
Multicast Shared Services
VRF-Fallback – Verification
Verification of multicast routing information in RED and GRN VRFs:
S2#sh ip mroute vrf RED 224.1.1.1
IP Multicast Routing Table
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.1.1.1), 00:15:42/stopped, RP 10.0.0.5, flags: SJC
  Incoming interface: Ethernet0/0, RPF nbr 10.0.0.5, using vrf SVCS
  Outgoing interface list:
    Ethernet0/2, Forward/Sparse, 00:14:48/00:03:25
Multicast Shared Services
VRF-Select - Configuration
Configure fallback-lookup for the SVCS VRF:

  ip mroute vrf GRN 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
  ip mroute vrf RED 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS

Define the allowed multicast addresses (RPF lookups for groups that match the list are performed in the SVCS VRF):

  ip multicast vrf GRN rpf select vrf SVCS group-list 1
  ip multicast vrf RED rpf select vrf SVCS group-list 1
  !
  access-list 1 permit 224.1.1.1
Multicast Shared Services
VRF-Select – Verification
Verification of multicast routing information in the SVCS VRF:

  S2#sh ip mroute vrf SVCS 224.1.1.1
  IP Multicast Routing Table
  Outgoing interface flags: H - Hardware switched, A - Assert winner
  Timers: Uptime/Expires
  Interface state: Interface, Next-Hop or VCD, State/Mode

  (*, 224.1.1.1), 00:20:42/stopped, RP 10.0.0.5, flags: SJCE
    Incoming interface: Ethernet0/0, RPF nbr 10.0.0.5
    Outgoing interface list: Null
    Extranet receivers in vrf GRN:
    (*, 224.1.1.1), 01:08:40/stopped, RP 10.0.0.5, OIF count: 1, flags: SJC
    Extranet receivers in vrf RED:
    (*, 224.1.1.1), 01:08:31/stopped, RP 10.0.0.5, OIF count: 1, flags: SJC

  (10.0.0.1, 224.1.1.1), 00:20:42/00:02:03, flags: TE
    Incoming interface: Ethernet0/0, RPF nbr 0.0.0.0
    Outgoing interface list: Null
MPLS VPN and Multicast
Concept and Fundamentals

(Diagram: a multicast source in the data center, with Multicast Receiver 1 and Multicast Receiver 2 reached across the WAN/Internet.)

The first step is to enable multicast.
Multicast Shared Services
VRF-Select

Topology (diagram): R5 is the RP (10.0.0.5); H1 is the sender for group 224.1.1.1; S2 connects to the receivers H3 (172.16.2.3, behind E0/1, GRN VRF) and H4 (172.17.2.4, behind E0/2, RED VRF).
Multicast Shared Services
VRF-Fallback

Topology (diagram): R5 is the RP (10.0.0.5) in the SVCS VRF (10.0.0.0/24); H1 is the sender for 224.1.1.1; S2 reaches the SVCS VRF over E0/0 and the receivers H3 (172.16.2.3, E0/1) and H4 (172.17.2.4, E0/2).

A fallback VRF is used when the RP or source is not found in the local VRF: the RPF lookup is then repeated in the fallback VRF (or in the global routing table).
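The following is an added, complete S2 configuration that puts the VRF-Fallback and VRF-Select commands from the slides above into context; it is example code, not a configuration from the deck. The VRF names, interface roles, RP 10.0.0.5, sender 10.0.0.1 and group 224.1.1.1 come from the slides; the RD values, S2's own interface addresses and the use of static RP in every VRF are assumptions. Older IOS releases use "ip vrf" / "ip vrf forwarding" instead of "vrf definition" / "vrf forwarding", and some platforms require the "distributed" keyword on "ip multicast-routing".

```ios
! Added example (not from the deck): S2 as the shared-services edge.
! Assumed: RDs, S2's interface addresses, static RP in every VRF.
ip multicast-routing vrf SVCS
ip multicast-routing vrf GRN
ip multicast-routing vrf RED
!
vrf definition SVCS
 rd 65000:1
 address-family ipv4
 exit-address-family
vrf definition GRN
 rd 65000:2
 address-family ipv4
 exit-address-family
vrf definition RED
 rd 65000:3
 address-family ipv4
 exit-address-family
!
! Shared VRF: toward R5 (RP 10.0.0.5) and the sender H1 (10.0.0.1)
interface Ethernet0/0
 vrf forwarding SVCS
 ip address 10.0.0.2 255.255.255.0
 ip pim sparse-mode
!
! Tenant GRN: receiver H3 (172.16.2.3) behind E0/1
interface Ethernet0/1
 vrf forwarding GRN
 ip address 172.16.2.1 255.255.255.0
 ip pim sparse-mode
!
! Tenant RED: receiver H4 (172.17.2.4) behind E0/2
interface Ethernet0/2
 vrf forwarding RED
 ip address 172.17.2.1 255.255.255.0
 ip pim sparse-mode
!
! The RP lives in SVCS; each tenant VRF must know the RP address so it
! can build (*,G) state, even though the RP is not routed in that VRF.
ip pim vrf SVCS rp-address 10.0.0.5
ip pim vrf GRN rp-address 10.0.0.5
ip pim vrf RED rp-address 10.0.0.5
!
! VRF-Fallback: when the RP/source in 10.0.0.0/24 is missing from a
! tenant VRF, repeat the RPF lookup in SVCS.
ip mroute vrf GRN 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
ip mroute vrf RED 10.0.0.0 255.255.255.0 fallback-lookup vrf SVCS
!
! VRF-Select: only groups permitted by standard access-list 1 (matched
! against the group address) resolve their RPF through SVCS. Without
! this gate, any group whose RP or source falls inside 10.0.0.0/24 is
! reachable from the tenant VRFs.
ip multicast vrf GRN rpf select vrf SVCS group-list 1
ip multicast vrf RED rpf select vrf SVCS group-list 1
access-list 1 permit 224.1.1.1
!
! Checks (run from S2):
!   show ip rpf vrf RED 10.0.0.5         RPF for the RP resolved via SVCS
!   show ip mroute vrf SVCS 224.1.1.1    E flag + "Extranet receivers"
!   show ip mroute vrf RED 224.1.1.1     "using vrf SVCS" on the IIF
```

Keep the group-list tight: it is the only policy in this design that limits which shared-VRF groups a tenant VRF can join, so treat access-list 1 like any other inter-VRF leak ACL and review it when groups are added.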
Multicast Shared Services
Summary
Voice – Priority
QoS and Network Virtualization
Configuration
QoS and Network Virtualization
Verification
  S1#show policy-map interface g1/1
   Service-policy input: MPLS-POLICY-MAP
    class-map: DATA (match-any)
      Match: access-group name DATA-ACL
      set mpls experimental 3:
      Earl in slot 1 :
        230018432 bytes
        5 minute offered rate 2671680 bps
        aggregate-forwarded 230018432 bytes
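The configuration slide for this policy is not recoverable, so the following is an added example reconstructed from the verification output above; it is not the deck's own configuration. The class-map name DATA, the ACL name DATA-ACL, the policy name MPLS-POLICY-MAP, the EXP value 3 and interface g1/1 come from the output; the contents of DATA-ACL, the class-default handling and the "imposition" keyword (older releases display the action simply as "set mpls experimental 3") are assumptions.

```ios
! Added example (not from the deck): ingress marking at the MPLS edge.
! Assumed: DATA-ACL contents, class-default remarking.
ip access-list extended DATA-ACL
 permit ip 172.16.0.0 0.0.255.255 any
 permit ip 172.17.0.0 0.0.255.255 any
!
class-map match-any DATA
 match access-group name DATA-ACL
!
! Set EXP when the label is imposed so the core forwards on a marking
! the PE chose, not on whatever DSCP/CoS a tenant host sent.
policy-map MPLS-POLICY-MAP
 class DATA
  set mpls experimental imposition 3
 class class-default
  set mpls experimental imposition 0
!
interface GigabitEthernet1/1
 service-policy input MPLS-POLICY-MAP
!
! Check: per-class byte counters and offered rate
!   show policy-map interface GigabitEthernet1/1
```

The class-default remark to EXP 0 is the practitioner's safeguard: a tenant cannot promote itself into a priority class simply by pre-marking its packets, because only traffic matched by DATA-ACL receives EXP 3.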
EoMPLS
Based on IETF’s Pseudo-Wire (PW) Reference Model

• PW is a connection (tunnel) between 2 PE devices
• Point-to-point (bidirectional)

(Diagram: PEs at the WAN/Internet edge and in the data center joined by the pseudo-wire.)
EoMPLS – Port Mode
Configuration Example

(Diagram: hosts H9 and H11 attached to switches S5 and S6, with S7 and S8 in the core; the slide's configuration text is not recoverable.)
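Because the slide's configuration did not survive extraction, the following is an added port-mode EoMPLS example written for the topology in the diagram; it is not the deck's own configuration. The device names come from the diagram; which switches act as PEs (S5 and S6 here), the loopback and link addresses, VC ID 100, the interface numbers and the use of OSPF as the core IGP are all assumptions.

```ios
! Added example (not from the deck): port-mode pseudo-wire S5 <-> S6
! carrying all frames from H9's port to H11's port.
! Assumed: S5/S6 are the PEs, addresses, VC ID, interface numbers, OSPF.
!
! ---- S5 (PE) ----
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.5 255.255.255.255
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! Core-facing link toward S7: MPLS/LDP enabled
interface GigabitEthernet0/1
 ip address 10.5.7.5 255.255.255.0
 mpls ip
!
! Attachment circuit: the whole port, no IP; tagged and untagged frames
! (including BPDUs) are carried transparently to S6.
interface GigabitEthernet0/2
 description H9 attachment circuit
 no ip address
 xconnect 10.255.0.6 100 encapsulation mpls
!
! ---- S6 (PE) ----
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.6 255.255.255.255
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
interface GigabitEthernet0/1
 ip address 10.6.8.6 255.255.255.0
 mpls ip
!
interface GigabitEthernet0/2
 description H11 attachment circuit
 no ip address
 xconnect 10.255.0.5 100 encapsulation mpls
!
! Checks: the VC must be UP on both PEs; the VC ID and the attachment
! circuit MTU must match at both ends or the VC stays DOWN.
!   show mpls l2transport vc 100 detail
!   show mpls l2transport binding 100
```

Port mode merges the two Layer 2 segments end to end: broadcast, unknown unicast and spanning-tree traffic from H9's segment reaches H11's segment unchanged, so apply storm control and any per-tenant Layer 2 policy on the attachment circuits rather than assuming the pseudo-wire filters anything.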
Layer-2 VPN
Summary
Datacenter Integration

Virtualized Network → Virtualized Services:
• VSANs
• VLAN separation
• SLB/SSL/FW/IDS/IPS
• VRF/VDC on Nexus 7K
Agenda
Case studies
VRF-lite End-to-End

Pros:
• No MP-BGP configuration
• L3 to the edge

(Diagram: 7xxx routers between the WAN/Internet edge and the data center.)
EVN w/ L2 access

Pros:
• No MP-BGP configuration
• L3 to the edge
• Lower cost solution

Cons:
• Limited product support (today)
• No IPv6 support (today)
• FHRP on distribution devices

(Diagram: 65xx VSS core, 45xx distribution, 3xxx/29xx L2 access, WAN/Internet edge and data center.)
MPLS-VPN w/ L2 access

Pros:
• Very scalable
• Pseudo-wire support

Cons:
• MP-BGP configuration
• Multicast configuration is complex
• FHRP on distribution devices

(Diagram: 9xxx WAN/Internet edge, 65xx core, ME3600 distribution, 3xxx/29xx L2 access, data center.)
MPLS-VPN w/ L3 VRF-lite/EVN access

Pros:
• L3 to the edge
• Minimize impact on

Cons:

(Diagram: 9xxx WAN/Internet edge, 65xx core, ME3600 distribution, 3xxx L3 access, data center.)
Agenda
Case studies
Network Virtualization
Putting It All Together

(Diagram: campus, WAN/Internet and data center, annotated with:)
• User identification (Static/NAC/Identity)
• L3 VRFs
• VRF-Lite + GRE, VRF-Lite End-to-End, MPLS VPN
• Extending VPNs over the MAN/WAN cloud
• VLANs partition server farms
• Virtualized services: Firewall, ACE
Recommended Reading
Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
Final Thoughts
Network Virtualization
Where to Go for More Information
www.cisco.com/go/networkvirtualization