
MPLS Enterprise Switching

Product Update and Designs


Sankar Venkat, Product Manager
Minhaj Uddin, Technical Marketing Engineer

Session ID : BRKMPL-1102
Agenda
• Introduction
• Segmentation in Enterprise
• MPLS Designs for Enterprise
• MPLS Product Update
• MPLS Configurations
• Q&A
• Summary
Session Goals
This session focuses on MPLS for campus switching network deployments.

At the end of the session, participants should:
 Understand the different segmentation options
 Understand the building blocks of MPLS in the enterprise
 Understand the different MPLS designs and use cases
 Understand the product options for MPLS designs
 Understand typical configurations for MPLS in the enterprise

BRKMPL-1102 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
MPLS Enterprise Requirements
• A unique, standards-based segmentation technology across LAN and WAN
• Enterprise/campus segmentation
• Data center interconnect / inter-campus connect over WAN

Basic MPLS features
• L3 VPN (IPv4), L3 VPN (IPv6)
• L2 VPN (EoMPLS)
• Multicast VPN (MVPN)

Advanced MPLS features
• L2 extensions with EoMPLS
• Pseudowires, VPLS, H-VPLS, Advanced VPLS
• MPLS services with NetFlow, QoS, multicast
• Multi-tenancy / dual homing
• Traffic engineering, high availability / fast reroute
Network Virtualization with MPLS
[Figure: one MPLS infrastructure carrying two kinds of virtualization. L2 VPN (MPLS) across the MPLS core joins the data centers for DC interconnect, storage connectivity (mirror A, mirror B) and branch-to-DC traffic, with CE and PE (plus a backup PE) at each data center. L3 (MPLS) runs through the campus (access, core, access), the enterprise WAN edge and the enterprise WAN (MPLS) for enterprise segmentation, reaching the Bay Area DC, AsiaPac DC and Washington DC sites; the SP network and the Internet sit beyond the WAN edge.]
Segmentation in Enterprise
Factors for Network Segmentation
 Unique security policies per logical domain
 Traffic isolation per application, group, service, etc.
 Logically separate traffic using one physical infrastructure
[Figure: three virtual "private" networks (Guest Access, Merged Company, Isolated Services) carried over one actual physical infrastructure.]
Network Segmentation Benefits
 Service isolation
– Telephony systems, badging, building control, surveillance
– Security policies are unique to each virtual group/service
 Meet regulatory compliance requirements
– HIPAA
– PCI
– SOX
– etc.
[Figure: the same three virtual networks over one physical infrastructure, with the required security level rising from Guest Access (low) through Merged Company (medium) to Isolated Services (high).]
Network Segmentation Use Cases
[Figure: example segmented networks, each with Internet access. Line of business: Sales, Finance, HR, Partner, Other. Payment Card Industry: POS network. Hospital network: medical device network, Doctor, Staff.]
Further use cases: Bring-Your-Own-Device (BYOD), Mergers and Acquisitions, Multi-Tenancy
Segmentation Options in Enterprise
[Figure: three approaches side by side. Traditional: a Voice VLAN, Data VLAN and Guest VLAN per set of endpoints. TrustSec: SGTs assigned to endpoints, with Cisco ISE as the policy source. MPLS: a VPN per group.]

Traditional Segmentation
• VLAN/VRF-Lite based segmentation
• Policy enforcement is done using ACLs and firewall rules
• CLI-based manageability

TrustSec-Based Segmentation
• User/device group based segmentation
• Security Group Tags (SGT) are used to create user/device group policies
• Cisco ISE-based manageability

MPLS-Based Segmentation
• L2/L3 VPN based logical segmentation
• MPLS labels are used to identify and create traffic isolation between the groups
• CLI-based manageability
VLAN Based Segmentation
[Figure: a long, unreadable "access-list 102" of permit/deny entries (the slide's illustration of IP-based policy sprawl) at the application layer, with the enterprise backbone, aggregation layer and access layer below it.]

Enforcement (applications)
• IP-based policies: ACLs, firewall rules

Propagation (aggregation layer / enterprise backbone)
• Carry "segment" context through the network using VLAN, IP address, VRF-Lite
• VACLs

Classification (access layer)
• Static or dynamic VLAN assignments
• Example mapping from the slide: Non-Compliant → Quarantine VLAN, Voice → Voice VLAN, Employee → Data VLAN, Supplier → Guest VLAN, BYOD → BYOD VLAN

Limitations of Traditional Segmentation
• Security policy is based on topology
• Not scalable
• Complex provisioning
• No notion of user/device group
Cisco TrustSec Segmentation
Simplified segmentation with group based policy

Enforcement (DC switch or firewall, in front of shared services and application servers)
• Group based policies: ACLs, firewall rules
• The DC switch receives policy only for what is connected to it

Propagation (enterprise backbone)
• Carry "group" context through the network using only the SGT

Classification (campus switches, with ISE as the policy source)
• Static or dynamic SGT assignments: Employee tag, Supplier tag, Non-Compliant tag
• Endpoints of different roles (Employee, Voice, Supplier, Non-Compliant) share VLAN A and VLAN B; the tag, not the VLAN, carries the role
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise
• MPLS Product Update
• MPLS Configurations
• Q&A
• Summary
MPLS Designs for Enterprise
Why choose MPLS in Enterprise?

 End-to-end solution
– Campus, MAN, WAN, DC head-end
– Standards-based
 Layer 3 VPN/segmentation
– IPv4 VPN
– Provides any-to-any connectivity
– Multicast VPN
 Layer 2 VPN
– Ethernet over MPLS
– Point-to-point "pseudowire"
– Multipoint: VPLS/H-VPLS
 IPv6
– 6VPE
– 6PE
 MPLS services
– MPLS QoS
– MPLS over WAN
– Path selection
– Traffic engineering
– Node/link protection
– Fast Reroute (FRR), 50 msec switchover
MPLS Fundamentals Recap
Device Virtualization
 Physically one device
 Logically many devices
– Control plane
– Data plane
 Virtual devices
– Switch
– Router
– Firewall
 VRF: Virtual Routing and Forwarding (for example VRF Red, VRF Green and VRF Blue on one physical device)
MPLS-VPN Terminology
[Figure: CE – PE – P – P – PE – CE. LDP runs on each link between the PE and P routers; MP-BGP runs between the two PEs.]
 PE (Provider Edge) router
– Imposes and removes MPLS labels
– Runs an IGP, LDP and MP-BGP
 P (Provider) router
– Connects to the PEs, swaps labels
– Runs an IGP and LDP
 CE (Customer Edge) router
– Connects to the PE
 Label Distribution Protocol (LDP)
– Binds labels to the IGP prefixes
 Multi-Protocol BGP
– Address-family support (IPv4, IPv6, multicast, etc.)
– Used for VRF route exchange
MPLS-VPN Label Stack
[Figure: PE – P – P – PE; the label stack is imposed at the ingress PE and removed at the egress PE.]
MPLS VPN packet format: IGP label (4 bytes) | VPN label (4 bytes) | original packet
The outer IGP label carries the packet across the core to the egress PE; the inner VPN label tells that PE which VRF the packet belongs to.
MPLS-VPN – Label Exchange
[Figure: PE1 – P2 – P3 – PE4. OSPF runs between all four routers; BGP faces the CEs at PE1 and PE4. PE1 and PE4 each hold VRF RED (RT 1:1; 172.16.1.0 at PE1, 172.16.4.0 at PE4) and VRF GRN (RT 1:2; 172.17.1.0 at PE1, 172.17.4.0 at PE4), each with its own routing table and FIB; the global routing table, FIB and LFIB exist on every router.]
• IGP label exchange: LDP binds a label to each IGP prefix (including the PE loopbacks) on every hop PE1 – P2 – P3 – PE4.
• MP-BGP between PE1 and PE4 advertises the VRF prefixes: 172.16.1.0 with RT=1:1, next hop PE1 and a VPN label; 172.17.1.0 with RT=1:2, next hop PE1 and a VPN label. PE4 installs each into the VRF whose import RT matches (172.16.1.0 into RED, 172.17.1.0 into GRN).
MPLS-VPN – Packet Flow
[Figure: the same topology as the label exchange slide, with the label stack IGP label (4 bytes) | VPN label (4 bytes) | original packet shown in the core.]
• A packet from a CE in VRF GRN at PE4 destined to 172.17.1.0 is looked up in the GRN VRF FIB; PE4 imposes the VPN label learned via MP-BGP and, outside it, the IGP label for next hop PE1.
• P3 and P2 switch on the outer IGP label only (LFIB); the VPN label and the IP header are never examined in the core.
• PE1 removes the labels and uses the VPN label to forward the packet in VRF GRN toward 172.17.1.0.
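The label stack and forwarding shown on the label exchange and packet flow slides above, as an added example (illustrative Python written for this page, not Cisco code and not from the session): it packs and unpacks the 4-byte label stack entry, then walks a packet from PE4 through P3 and P2 to PE1. The LDP labels (1001, 2001), the VPN labels (3001 for RED, 3002 for GRN), penultimate hop popping on P2 and the per-hop tables are assumptions chosen for the example.

```python
import struct
from typing import Dict, List, Tuple

LabelEntry = Tuple[int, int, bool, int]   # (label, exp, bottom_of_stack, ttl)


def encode_label(label: int, exp: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """Pack one 4-byte label stack entry: 20-bit label, 3-bit EXP/TC, 1-bit S, 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_label(entry: bytes) -> LabelEntry:
    (v,) = struct.unpack("!I", entry[:4])
    return v >> 12, (v >> 9) & 0x7, bool((v >> 8) & 1), v & 0xFF


def read_stack(pkt: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Walk entries until the S bit is set; return (entries, payload after the stack)."""
    entries, off = [], 0
    while True:
        e = decode_label(pkt[off:off + 4])
        entries.append(e)
        off += 4
        if e[2]:
            return entries, pkt[off:]


def impose(labels: List[int], exp: int, payload: bytes) -> bytes:
    """Push labels outermost first; only the innermost entry carries S=1."""
    last = len(labels) - 1
    return b"".join(encode_label(lbl, exp, bos=(i == last)) for i, lbl in enumerate(labels)) + payload


# --- Hypothetical tables for the slides' topology: PE4 -> P3 -> P2 -> PE1 ---
# Ingress PE4, per-VRF FIB: prefix -> (BGP next hop, VPN label advertised by PE1 via MP-BGP)
VRF_FIB_PE4: Dict[str, Dict[str, Tuple[str, int]]] = {
    "RED": {"172.16.1.0/24": ("PE1", 3001)},
    "GRN": {"172.17.1.0/24": ("PE1", 3002)},
}
# LDP-learned IGP labels for the FEC "PE1 loopback", per hop (assumed values).
IGP_LFIB: Dict[str, Dict[object, Tuple[str, int]]] = {
    "PE4": {"PE1": ("push", 1001)},
    "P3": {1001: ("swap", 2001)},
    "P2": {2001: ("pop", 0)},     # penultimate hop popping toward PE1
}
# Egress PE1: VPN label -> VRF the packet belongs to
VPN_LFIB_PE1: Dict[int, str] = {3001: "RED", 3002: "GRN"}


def pe_ingress(vrf: str, prefix: str, ip_packet: bytes, exp: int = 0) -> bytes:
    """PE4 looks the destination up in the VRF FIB and imposes [IGP label, VPN label]."""
    next_hop, vpn_label = VRF_FIB_PE4[vrf][prefix]
    _, igp_label = IGP_LFIB["PE4"][next_hop]
    return impose([igp_label, vpn_label], exp, ip_packet)


def p_forward(router: str, pkt: bytes) -> bytes:
    """A P router acts on the top label only; the VPN label and IP header are opaque to it."""
    label, exp, bos, ttl = decode_label(pkt)
    action, new_label = IGP_LFIB[router][label]
    if action == "swap":
        return encode_label(new_label, exp, bos, ttl - 1) + pkt[4:]
    if action == "pop":
        return pkt[4:]
    raise ValueError(action)


def pe_egress(pkt: bytes) -> Tuple[str, bytes]:
    """PE1: after PHP only the VPN label remains; it selects the VRF for the IP lookup."""
    label, _exp, bos, _ttl = decode_label(pkt)
    if not bos:
        raise ValueError("expected the VPN label at the bottom of the stack")
    return VPN_LFIB_PE1[label], pkt[4:]


def forward_across_core(vrf: str, prefix: str, ip_packet: bytes) -> Tuple[str, bytes]:
    """Carry one constructed IP packet from PE4's VRF to the matching VRF on PE1."""
    pkt = pe_ingress(vrf, prefix, ip_packet, exp=4)
    for hop in ("P3", "P2"):
        pkt = p_forward(hop, pkt)
    return pe_egress(pkt)


if __name__ == "__main__":
    print(forward_across_core("GRN", "172.17.1.0/24", b"<constructed IP packet>"))
```

The point to notice is in p_forward: the core never reads past the top label, so the VPN label (and with it the customer's addressing) is invisible to P routers, which is what makes overlapping address space in different VRFs safe to carry over one core.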
MPLS-VPN Terminology
 Route Target
– Identifier used for importing and exporting routes (64 bits), carried as a BGP extended community
 Route Distinguisher
– Route attribute used to uniquely identify prefixes among VPNs (64 bits)
 VPN-IPv4 addresses
– The 64-bit Route Distinguisher followed by the 32-bit IPv4 address
 VPN-IPv6 addresses
– The 64-bit Route Distinguisher followed by the 128-bit IPv6 address
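The RD and RT mechanics from the terminology slide, as an added example (illustrative Python for this page, not Cisco code): it encodes the two common RD formats into their 8-byte form, builds VPN-IPv4 NLRIs, and then runs a constructed scenario in which two VRFs on PE1 both carry 10.0.0.0/24 and a receiving PE4 installs routes only into VRFs whose import route targets match. The VRF names, RD/RT values, prefixes and the per-VRF label allocation are assumptions for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set


def encode_rd(rd: str) -> bytes:
    """8-byte Route Distinguisher. "ASN:number" -> type 0 (2-byte ASN, 4-byte number);
    "A.B.C.D:number" -> type 1 (4-byte IPv4 address, 2-byte number)."""
    admin, assigned = rd.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def vpnv4_nlri(rd: str, prefix: str) -> bytes:
    """VPN-IPv4 address: 64-bit RD followed by the 32-bit IPv4 address."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    routes: Dict[str, str] = field(default_factory=dict)   # local prefix -> next hop (CE)


@dataclass
class VpnRoute:
    nlri: bytes
    prefix: str
    rd: str
    rts: Set[str]        # carried as BGP extended communities
    next_hop: str        # the advertising PE
    vpn_label: int


def export_routes(pe: str, vrfs: List[Vrf], label_base: int = 3000) -> List[VpnRoute]:
    """What MP-BGP on `pe` advertises: one VPNv4 route per VRF prefix, stamped with the RD
    of its VRF and that VRF's export RTs, plus a per-VRF VPN label (assumed allocation)."""
    out: List[VpnRoute] = []
    for i, vrf in enumerate(vrfs):
        for prefix in vrf.routes:
            out.append(VpnRoute(vpnv4_nlri(vrf.rd, prefix), prefix, vrf.rd,
                                set(vrf.export_rt), pe, label_base + i))
    return out


def import_routes(vrfs: List[Vrf], advertised: List[VpnRoute]) -> Dict[str, Dict[str, VpnRoute]]:
    """On the receiving PE a route is installed in every VRF whose import RTs intersect the
    route's RTs. The RD plays no part in this decision; it only keeps the NLRIs distinct."""
    table: Dict[str, Dict[str, VpnRoute]] = {v.name: {} for v in vrfs}
    for route in advertised:
        for vrf in vrfs:
            if vrf.import_rt & route.rts:
                table[vrf.name][route.prefix] = route
    return table


def example_import() -> Dict[str, Dict[str, VpnRoute]]:
    """Constructed scenario: RED and GRN both carry 10.0.0.0/24; BLUE shares no RT with either."""
    pe1 = [
        Vrf("RED", "1:1", {"1:1"}, {"1:1"}, {"172.16.1.0/24": "CE-red", "10.0.0.0/24": "CE-red"}),
        Vrf("GRN", "1:2", {"1:2"}, {"1:2"}, {"172.17.1.0/24": "CE-grn", "10.0.0.0/24": "CE-grn"}),
    ]
    pe4 = [
        Vrf("RED", "4:1", {"1:1"}, {"1:1"}),    # RD differs from PE1's; the RT is what matches
        Vrf("GRN", "4:2", {"1:2"}, {"1:2"}),
        Vrf("BLUE", "4:3", {"1:3"}, {"1:3"}),
    ]
    return import_routes(pe4, export_routes("PE1", pe1))


if __name__ == "__main__":
    for vrf_name, routes in example_import().items():
        print(vrf_name, sorted(routes))
```

Two things the run shows that the definitions alone do not: the same prefix advertised from two VRFs yields two different NLRIs because the RD differs, so BGP never treats them as one route; and a VRF whose import RTs overlap nothing (BLUE) receives no routes at all, which is the isolation property the "secure segmentation" claim rests on. Conversely, any VRF configured to import 1:1 gets RED's routes, so route-target configuration is the access-control list for L3VPN segmentation and should be reviewed as such.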
MPLS-VPN – Routing and Switching
[Figure: the routing view CE – PE – P – P – PE – CE over an MPLS VPN maps onto the campus switching tiers: core switches act as P, distribution switches as PE, access switches as CE.]
MPLS L3 VPN
MPLS L3 VPN Campus Segmentation Use Cases: End-to-End Network Virtualization
• Standard access: the L3 VPN terminates at the distribution layer; the access layer is L2
• Routed access: the L3 VPN extends down to the access switch (for example a C3850)
• Collapsed access: no separate distribution layer; the access switch (for example a C3850) runs the L3 VPN directly to the core
MPLS L3 VPN for IPv4
[Figure: four sites (A, B, C, D). Each site has a PE/distribution switch with CE/access switches in IPv4 VRFs RED, GREEN and BLUE; P/core switches connect the PEs; an IGP runs in the core and MP-BGP between the PEs.]
MPLS L3 VPN for IPv6 (6VPE)
[Figure: the same four-site topology with 6PE/distribution switches; CE/access switches sit in IPv4 VRFs and IPv6 VRFs (RED, GREEN, BLUE) side by side; IGP in the core, MP-BGP between the PEs.]
• IPv6 VPN Provider Edge (6VPE) over MPLS
• 6VPE is like a regular IPv4 MPLS VPN provider edge (PE), with the addition of IPv6 support within Virtual Routing and Forwarding (VRF).
• Provides logically separate routing table entries for VPN member devices for both IPv4 and IPv6.
IPv6 over MPLS (6PE)
[Figure: dual-stack 6PE routers at the edge of an IPv4 MPLS core, each with native IPv6 networks attached; MP-BGP between the 6PEs.]
• P routers in the MPLS core are not IPv6 aware and use only the IPv4 MPLS control plane
• PE routers are dual stack: the IPv4 MPLS control plane toward the core, native IPv6 toward the IPv6 routers
• P and PE routers share a common IPv4 IGP
• 6PE routers are MP-BGP capable; IPv6 prefixes are exchanged, with labels, between the 6PEs over MP-BGP
MPLS-VPN
BGP Scalability – iBGP Neighbor Relationships
iBGP requires a full mesh of neighbors: N * (N-1) / 2 sessions. For 8 PEs: 8 * 7 / 2 = 28.
MPLS-VPN Scale Considerations
BGP Scalability – Route Reflectors
[Figure: two route reflectors, each peering with every PE, replacing the full mesh.]
 Use "purpose-built" RRs
 Don't place RRs in the data path
 Geographically diverse
 Non-transit devices
L2 VPNs
L2-VPN Basics
[Figure: two PEs on either side of an MPLS network with a pseudowire between them.]

PE with loopback 192.168.0.2:
interface Loopback0
 ip address 192.168.0.2 255.255.255.255
!
interface Ethernet0/0
 no ip address
 xconnect 192.168.0.1 123 encapsulation mpls

PE with loopback 192.168.0.1:
interface Loopback0
 ip address 192.168.0.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
 xconnect 192.168.0.2 123 encapsulation mpls

Packet format on the pseudowire: Ethernet header | MPLS label (tunnel) | MPLS label (PW-ID) | Ethernet payload
The xconnect peer is the remote PE loopback and 123 is the VC ID, which must be identical on both ends for the pseudowire to come up.
Virtual Private LAN Service (VPLS)
[Figure: CE-1 and CE-2 attached to PE-1 and PE-2, with PE-3 completing a full mesh of pseudowires among the PEs.]
• VPLS allows MPLS networks to offer Layer 2 Ethernet services
• It provides a multipoint Ethernet service, whereas EoMPLS is point-to-point
• The service provider emulates an IEEE Ethernet bridge network
• No routing interaction between customer and service provider networks
• Virtual bridges are linked with virtual ports, aka pseudowires (PWs)
Hierarchical VPLS (H-VPLS) for VPLS Scaling
[Figure: N-PE1, N-PE2 and N-PE3 in the MPLS core; U-PE1 and U-PE2 at the edge attach DC1-CE, DC2-CE and DC3-CE over 802.1Q links.]
• Scales VPLS deployments
• Significantly reduces complexity at the edge
• Use cases: campus/DC interconnect, DCI
Advanced Virtual Private LAN Service (A-VPLS)
A-VPLS Multipoint Services
[Figure: CE-1 and CE-2 behind PE-1 and PE-2, with PE-3; each PE holds a VFI (virtual forwarding instance).]
• A-VPLS is built on top of the VPLS infrastructure
• Simplifies VPLS configuration
• Enhances VPLS load balancing and high availability
• Use cases: campus/DC interconnect, DCI
Other MPLS Transport Options
[Figure: packet formats. Native MPLS: L2 (Ethernet) header | MPLS label(s) | IP header | data. MPLS over a tunnel: L2 header | tunnel L3 header | MPLS label(s) | IP header | data, carrying the campus MPLS over an L3 transport.]
 Point-to-point
– MPLS over GRE
 Multipoint
– MPLS-VPN over mGRE
– MPLS over DMVPN
MPLS-VPN over mGRE
Ties MPLS VRFs across sites with an IP multipoint GRE tunnel over an IP core
[Figure: CE1 – PE1 – IP core – PE2 – CE2; IPv4 route exchange on each PE-CE side; each PE has a VRF; across the core the packet carries GRE header | VPN label | original src/dst/data.]
• VPN traffic is forwarded by the PEs using separate routing instances (VRFs)
• A GRE header and the VPN label are imposed on VPN traffic
• Packets are switched to the egress PE based on the GRE header
• The egress PE uses the VPN label to forward the packet to the remote CE
MPLS QoS
MPLS QoS – Uniform Mode: consistent QoS classification/queueing across the network, propagating EXP markings
[Figure: CE → ingress PE → P → egress PE → CE. The IP packet enters with IPP 4; at VPN label imposition EXP 6 is set (IPP 4, EXP 6 through the core); at the pop on the egress PE, EXP 6 is written down into the IP header, so the CE receives IPP 6.]
Ingress PE (CE-facing): match ip prec 4 / set mpls exp imposition 6
P and egress PE (core-facing): match mpls exp 6 / priority
Egress PE: mpls propagate-cos
By default the IP ToS byte is unchanged. The "mpls propagate-cos" command causes the EXP value to be copied down to the IP packet after a pop operation.
MPLS QoS – Short Pipe Mode
[Figure: the same path; IPP 4 at ingress, EXP 6 imposed and carried through the core, and IPP 4 still on delivery to the CE.]
Ingress PE (CE-facing): match ip prec 4 / set mpls exp imposition 6
P and egress PE (core-facing): match mpls exp 6 / priority
Egress classification is based on the IP DSCP, not the MPLS EXP.
MPLS QoS – Pipe Mode
[Figure: the same path; IPP 4 at ingress, EXP 6 through the core, IPP 4 on delivery to the CE.]
Ingress PE (CE-facing): match ip prec 4 / set mpls exp imposition 6
P and egress PE (core-facing): match mpls exp 6 / priority
Egress classification is based on the MPLS EXP of the popped (ingress) label, not the IP DSCP.
MPLS QoS Options Summary
Uniform, Pipe and Short Pipe Modes

Uniform Mode:
This mode provides consistent QoS classification/marking throughout the network, including the CE and the core routers. The EXP marking is propagated to the underlying ToS byte on egress.

Short Pipe Mode:
In this mode the QoS policies implemented in the core do NOT propagate to the packet's ToS byte. Classification based on MPLS EXP ends at the customer-facing egress PE interface, and queuing there is based on the IPP/DSCP values in the IP header (supported; default mode).

Pipe Mode:
Pipe mode is similar to short pipe mode except that at the egress PE, classification on the CE-facing interface is done based on the ingress EXP.
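The three tunnelling modes as an added, illustrative simulation (Python written for this page, not Cisco code): it applies the slides' ingress policy (precedence 4 marked to EXP 6 at imposition; any other precedence is copied into EXP, the default the page states later under MPLS-VPN Services), lets an optional core remark change the EXP, and then reports what each mode delivers to the CE and what the egress PE classifies on. The remark table, the core_remark parameter and the returned dictionary keys are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    ipp: int                    # IP precedence in the IP header (ToS byte)
    exp: Optional[int] = None   # EXP/TC of the top MPLS label; None when unlabelled


# Ingress PE policy from the slides: "match ip prec 4 / set mpls exp imposition 6".
# Any other precedence is copied into EXP unchanged (assumed table for the example).
IMPOSITION_REMARK: Dict[int, int] = {4: 6}


def ingress_pe(p: Pkt) -> Pkt:
    """Label imposition: the ToS byte is left alone, EXP is derived from it."""
    return Pkt(ipp=p.ipp, exp=IMPOSITION_REMARK.get(p.ipp, p.ipp))


def p_router(p: Pkt, core_remark: Optional[int] = None) -> Tuple[Pkt, int]:
    """A P router queues on EXP only and never touches the IP header.
    core_remark models a hypothetical core policer/marker rewriting EXP."""
    assert p.exp is not None, "core traffic is always labelled"
    exp = p.exp if core_remark is None else core_remark
    return Pkt(ipp=p.ipp, exp=exp), exp


def egress_pe(p: Pkt, mode: str) -> Tuple[Pkt, int]:
    """Pop the label. Returns the unlabelled packet handed to the CE and the
    value the egress (CE-facing) queuing policy classifies on."""
    assert p.exp is not None
    if mode == "uniform":       # EXP is copied down into the ToS byte (mpls propagate-cos)
        return Pkt(ipp=p.exp), p.exp
    if mode == "short-pipe":    # ToS byte untouched; classify on the IP header
        return Pkt(ipp=p.ipp), p.ipp
    if mode == "pipe":          # ToS byte untouched; classify on the popped label's EXP
        return Pkt(ipp=p.ipp), p.exp
    raise ValueError(f"unknown mode {mode!r}")


def run(mode: str, ipp: int = 4, core_remark: Optional[int] = None) -> Dict[str, int]:
    """Carry one packet CE -> PE -> P -> PE -> CE and report what each stage saw."""
    labelled = ingress_pe(Pkt(ipp=ipp))
    in_core, core_class = p_router(labelled, core_remark)
    delivered, egress_class = egress_pe(in_core, mode)
    return {"core_exp": core_class, "egress_class": egress_class, "delivered_ipp": delivered.ipp}


if __name__ == "__main__":
    for mode in ("uniform", "short-pipe", "pipe"):
        print(mode, run(mode), "| core marked down:", run(mode, core_remark=2))
```

Running it with core_remark=2 is the case worth checking before choosing a mode: in uniform mode a core remark rewrites the customer's ToS byte on the way out, in pipe mode it changes only the egress queue, and in short pipe mode it changes nothing the customer sees. That is why short pipe (the default here) is the safe choice when the VRF's markings must survive the core untouched.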
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise ✓
• MPLS Product Update
• MPLS Configurations
• Q&A
• Summary
MPLS Product Update
MPLS Catalyst Campus Switching Portfolio
[Figure: platforms arranged by features and scale.]
Fixed
• Catalyst 3650/3850 (MPLS from Jul 16): stackable access, up to 40 10G ports
• Catalyst 6880-X: up to 80 10G ports
• Catalyst C6840-X: 12p/24p/48p 10G, 1RU aggregation
Modular
• Catalyst 6K: industry-leading campus backbone platform
* Roadmap item
MPLS Portfolio – Catalyst 3K
Catalyst 3850 Series (MPLS shipping in Jul 2016)
• StackPower; StackWise-480 stacking with 480 Gbps stacking bandwidth
• FRU fans and power supplies
• Wireless: up to 100 APs and 2000 clients per stack, CAPWAP termination, 40G per switch
• MPLS
• 40 Gbps uplink bandwidth
• Granular QoS / Flexible NetFlow
• Line rate on all ports
• Multigigabit (mGig) ports
• Full PoE+ and UPOE
MPLS on UADP-powered stackable access programmable switches
Cisco Catalyst 3850 Multigigabit Ethernet (MPLS shipping in Jul 2016)
48-port version, downlinks: 36 x 1G line-rate 10/100/1000BASE-T plus 12 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
24-port version, downlinks: 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
Uplinks (both): 4 x 10GE SFP+, 2 x 40G QSFP (new), 8 x 10G SFP+ (new)
MPLS on access with Multigigabit Ethernet
Catalyst 3850 10G: 12 and 24 Port (MPLS shipping in Jul 2016)
• Network modules: C3850-NM-4x10G, C3850-NM-2x40G, C3850-NM-8x10G
• UADP ASIC, converged access
• StackWise-480, StackPower
• 1+1 power redundancy
• Line rate
Catalyst 3850 10G: 48 Port (MPLS shipping in Jul 2016)
• UADP ASIC, converged access, line rate
• 48 x SFP+ fixed, 4 x QSFP fixed
• Front-to-back and back-to-front fan options
• New 750W AC power supplies, 1+1 power supply redundancy
• No StackWise or StackPower on the 48p SKU (no stacking)
Cisco Catalyst 3650 Switch (MPLS shipping in Jul 2016)
• Dual FRU power supplies, FRU fans
• Optional StackWise-160, 9-member stack
• Multi-core CPU
• 802.11n / 802.11ac wireless: 50 APs and 1000 clients per stack, 40G wireless capacity per switch
• MACsec, EEE
• MPLS
• Full NetFlow/QoS for wired and wireless
• Line rate on all ports, PoE+
• Fixed uplinks: 4 x 1G, 2 x 10G, 4 x 10G, 2 x 40G (new), 8 x 10G (new)
• Multigigabit (mGig), new
MPLS on UADP-powered stackable access programmable switches
MPLS Portfolio – Catalyst 6K
The New Catalyst 6807-XL: taking Catalyst 6K up to 880G/slot
• 7 slots, 10 RU
• Up to 880G/slot capable
• Side-to-side airflow (redirectable via airflow baffles)
• Catalyst 6500 DNA; next-generation ready; investment protection
• Compatible with Sup2T, 6700, 6800, 6900 series and the latest service modules
• Low power and noise, high-efficiency fans
• Backwards-compatible backplane connectors
• Up to 4 (N+1) power supply redundancy, 3000W AC
Supervisor 6T (shipping): taking Catalyst 6800 to a new level
• High-scale control plane with x86 CPU: 1M IPv4 routes, 1M NetFlow, 256K QoS/ACL
• 2 x 40G QSFP and 8 x 10G SFP+ uplinks
• Improved fabric: 440G/slot in the 6807-XL
• Fiber and copper management and console ports
• VSS, LISP, SGT, MACsec, HQoS on all ports
• Feature parity with Sup2T from day 1: 3500+ features
C6800 Multi-Rate Line Cards
• 32 ports of SFP/SFP+ or up to 8 ports of QSFP* (* with CVR-4SFP-QSFP adapter)
• 10/100/1000M GLC-T, 100M FX
• 1M IPv4 routes, 2M NetFlow, 256K QoS & ACL
• 160G throughput; performance mode for line rate
• 250MB per port, 500MB per port in performance mode
• Feature rich: MPLS, VSS, SGT, MACsec, LISP, HQoS
Not every port is created equal!
The Catalyst 6880-X: C6K-based "extensible" fixed platform
• Up to 80 x 1G/10G ports; each card has 16 x 1G/10G or up to 4 x 40G ports
• VSS, MPLS, VPLS, LISP, MACsec, SGT on every port
• Fixed supervisor module: x86 2.0 GHz CPU, up to 4GB DDR3 DRAM
• Low-power, low-noise fans; Platinum-efficiency, redundant AC and DC power supplies
• Front-serviceable power supplies and fan tray
• NEBS Level 3-compliant platform
The New Catalyst 6840-X (shipping since October 2015)
• 16, 24, 32 or 40 SFP+ uplinks; two models with 2 QSFP uplinks; convert 4 x SFP+ to QSFP*
• 256K IPv4 routes, 1.5M NetFlow, 64K QoS/ACL
• Height 2RU, depth 21.8"
• High-scale control plane with 2.0GHz CPU
• 750W or 1100W power, redundant AC/DC, front-to-back airflow
• VSS, MPLS, LISP, SGT, MACsec, HQoS, etc.; higher scale for IA
All Catalyst 6800 features in a smaller fixed form factor
MPLS Portfolio – Nexus 7K
MPLS on Nexus 7K – M Series
Nexus 7700 M3 series (new): 10G and 40G modules (24 x 40G QSFP ports, 48 x 1/10G SFP+ ports)
• Large table sizes and packet buffers: 2M FIB (1M at FCS), 128K ACL/QoS
• 384K MAC (128K at FCS)
• MACsec 256-bit AES
• Deep buffers
Nexus M2 series modules: N7K-M202CF-22L, N7K-M206FQ-23L, N7K-M224XP-23L
MPLS on Nexus 7K – F3 Series
Nexus F3 series modules for the Cisco Nexus 7000/7700:
• Nexus 7000 F3 10G, 40G and 100G
• Nexus 7700 F3 10G, 40G and 100G
What product option do I choose…
MPLS Deployment Options – Medium to Large Campus
• Standard access: C6K/N7K core, C6K/N7K distribution running MPLS, Catalyst 3850/3650 or 4500 access
• Routed access: C6K/N7K core and distribution, Catalyst 3850/3650 access running MPLS
Key design factors: VRF/route scale, port density, MPLS features, fixed vs. modular in access/backbone
MPLS Deployment Options – Small to Medium Campus
• Standard access: C6840-X core running MPLS, C3850 distribution, C3850/C3650 access
• Routed access: C6840-X core, C3850 distribution, C3850/C3650 access running MPLS
• Collapsed access: C6840-X or C3850 core running MPLS, C3850/C3650 as combined access and distribution
Unprecedented Services
Catalyst Campus Innovations
• Secure segmentation with TrustSec
• One policy with Identity Services Engine
• NG PnP for zero-touch deployment of network devices
• Programmable enterprise campus fabric
• Network as sensor with device profiler, NetFlow and Wireshark
• One network with converged access
• One management with Prime Infrastructure
• High availability with VSS, ISSU and StackPower
• UADP Flexparser ASIC, SDN-ready
• UPOE to connect a broad range of end points: VDI and LED lights
• Simplifies operations with Instant Access
• Maximize throughput and resiliency with VSS
• IT simplicity with Auto Conf, interface templates and EEM
• Energy savings
• Rich-media experiences
Application Visibility with Flexible NetFlow
Use cases: day-0 attack and anomaly detection, application visibility and control, SLA monitoring and troubleshooting, compliance, capacity planning, EEM integration
Flexible NetFlow fields: IP addresses and ports, TCP flags, L2 MAC, L2 VLAN, UDP, IPv6, multicast, IP options, …
Deployments: campus, branch, network virtualization, mobility, unified communications, collector ecosystem

Benefits
• Lower CAPEX/OPEX
• Better insights for network capacity planning
• Better service and user experience
• Increased IT staff productivity, IT security

Capabilities
• Unprecedented visibility with new L2–L7 fields
• Scalable, flexible flow monitors
• Customizable policy action with EEM
• Broad collector partner ecosystem
Robust Enterprise Security
IPv6 First Hop Security
• RA Guard (core feature): protection against rogue or malicious RAs and MitM attacks
• DHCPv6 Guard (core feature): protection against invalid DHCP offers, DoS attacks and MitM attacks
• Source/Prefix Guard (advanced feature): protection against invalid source addresses, invalid prefixes and source address spoofing
• Destination Guard (advanced feature): protection against DoS attacks, scanning and invalid destination addresses
• RA Throttler (scalability and performance): facilitates scale
• ND Multicast Suppress (scalability and performance): reduces control traffic and improves performance by converting multicast traffic to unicast
Robust security for the next generation enterprise
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise ✓
• MPLS Product Update ✓
• MPLS Configurations
• Q&A
• Summary
MPLS Configurations
• L3VPN
• L2VPN
• MPLS-VPN services

L3VPN
MPLS VPN Protocols
[Figure: P routers in the core, PEs at distribution, CEs at access, with VRF Green and VRF Blue at each site.]
• Core: IPv4 and IPv6, OSPF or IS-IS
• PE to PE: MP-iBGP (L3 VPN)
• PE to CE: eBGP, OSPF, RIPv2 or static
• The PE-CE routing protocol (or static routes) exchanges routes between the PE and CE devices
• MP-iBGP exchanges VPNv4 routes between the PE devices
• MPLS label forwarding is configured between the PE and P devices
VRF Definition and PE-CE OSPF
[Figure: PE at distribution, CE at access, OSPF between them; VRF Green and VRF Blue.]
ip vrf VPN-Green
 rd 1:1
 route-target import 100:1
 route-target export 100:1
!
vlan 10
!
interface Vlan10
 ip vrf forwarding VPN-Green
 ip address 192.168.10.1 255.255.255.0
!
router ospf 1
!
router ospf 2 vrf VPN-Green
 network 192.168.10.0 0.0.0.255 area 0
 redistribute bgp 1 subnets
!
"ip vrf forwarding" must come before "ip address" (as above): assigning a VRF to an interface clears any address already configured on it. The slide shows only BGP-to-OSPF redistribution; to advertise the CE's routes to the other PEs, the VRF OSPF process is also redistributed into BGP under "address-family ipv4 vrf VPN-Green" ("redistribute ospf 2").
PE-CE EIGRP and eBGP
[Figure: PE at distribution, CE at access, with BGP on one side and EIGRP on the other.]
router eigrp 1
 !
 address-family ipv4 vrf VPN-Green
  no auto-summary
  network 192.168.10.0 0.0.0.255
  autonomous-system 1
  redistribute bgp 1 metric 100000 100 255 1 1500
 exit-address-family
!
router bgp 1
 !
 address-family ipv4 vrf VPN-Green
  neighbor 192.168.10.2 remote-as 2
  neighbor 192.168.10.2 activate
 exit-address-family
!
The EIGRP VRF address family takes a "network" statement (the slide's "neighbor 192.168.10.0 0.0.0.255" is a typo). The eBGP CE in AS 2 needs no redistribution: its routes arrive directly in the VRF's BGP table.
PE-CE RIPv2 and Static
[Figure: PE at distribution, CE at access, with RIP on one side and a static route on the other.]
router rip
 !
 address-family ipv4 vrf VPN-Green
  version 2
  no auto-summary
  network 192.168.10.0
  redistribute bgp 1 metric transparent
 exit-address-family
!
ip route vrf VPN-Green 10.1.1.0 255.255.255.0 192.168.10.2
!
A static VRF route reaches the other PEs only with "redistribute static" under the VRF's BGP address family.
L3V PN
PE-P
[Figure: P in the core, PE at distribution, OSPF in the core.]
interface x/x
 ip address 130.130.1.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 130.130.1.0 0.0.0.3 area 0
!
"mpls ip" enables label forwarding and LDP on the core-facing link; the same pair is configured on every PE-P and P-P link.
L3VPN
PE-PE MP-iBGP
[Figure: two PE/CE sites with iBGP between the PEs across the core.]
router bgp 1
 neighbor 1.2.3.4 remote-as 1
 neighbor 1.2.3.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.2.3.4 activate
  neighbor 1.2.3.4 send-community both
 exit-address-family
!
1.2.3.4 is the remote PE loopback, which the IGP and LDP must reach. "send-community both" is required: route targets travel as BGP extended communities, and without them the remote PE imports nothing.
L3VPN
IPv6 VPN (6VPE) on a PE
[Figure: IPv4/IPv6 CEs at access, PEs at distribution, P routers in the core; VRF Green and VRF Blue.]
vrf definition v2
 rd 2:2
 !
 address-family ipv4
  route-target export 1:2
  route-target import 1:2
 exit-address-family
 !
 address-family ipv6
  route-target export 2:2
  route-target import 2:2
 exit-address-family
!
router bgp 1
 neighbor 10.13.1.21 remote-as 1
 !
 address-family vpnv4
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both
 exit-address-family
 !
 address-family vpnv6
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both
 exit-address-family
 !
 address-family ipv4 vrf v2
 exit-address-family
 !
 address-family ipv6 vrf v2
  neighbor 200::2 remote-as 30000
  neighbor 200::2 activate
 exit-address-family
!
The line "neighbor 10.13.1.21 remote-as 1" is not on the slide and is assumed here (an iBGP peer PE): an address family cannot activate a neighbor that has not been defined. The IPv4 and IPv6 address families of VRF v2 use different route targets, so its IPv4 and IPv6 VPNs are independent of each other.
MPLS Configurations

• L3VPN ✓
• L2VPN
• MPLS-VPN Services
MPLS L2VPN
L2VPN Protocols
[Figure: the core runs VPLS; distribution PEs terminate EoMPLS pseudowires; access CEs attach over Ethernet/VLAN; VRF Green and VRF Blue exist at each site.]
MPLS L2VPN – EoMPLS
[Figure: distribution PEs joined by EoMPLS across the core; access CEs attach over Ethernet or VLAN.]
VLAN mode (one 802.1Q VLAN on a subinterface becomes a pseudowire; 13.13.13.13 is the remote PE loopback and 3 is the VC ID):
interface GigabitEthernet7/4.2
 encapsulation dot1Q 3
 xconnect 13.13.13.13 3 encapsulation mpls
 no shutdown
!
Port mode (the whole physical port is carried over the pseudowire):
interface GigabitEthernet7/4
 xconnect 13.13.13.13 3 encapsulation mpls
 no shutdown
MPLS L2VPN
L2VPN Protocols (VPLS)
[Diagram: VPLS across the Core between Distribution PEs; Ethernet/VLAN attachment circuits at Access, VRF Green and VRF Blue per site]

# L2 Interface Config -> CE (switchport facing the CE; interface name not shown on the slide)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200
 switchport mode trunk

# Define the VFI and bind it to the Intf
l2 vfi Cust_A manual
 vpn id 200
 neighbor 10.10.10.102 encapsulation mpls
!
interface vlan 200
 xconnect vfi Cust_A
MPLS Configurations

• L3VPN ✓
• L2VPN ✓
• MPLS-VPN Services
Multicast VPN (MVPN)
[Diagram: Default MDT for all groups across the MPLS Backbone between Distribution PEs; Access CEs with VRF Green and VRF Blue]

# Configure the Default MDT and Data MDT for the VRF under VRF Definition
ip vrf test
 rd 100:1
 route-target import 100:1
 route-target export 100:1
 mdt default <group-address>
 mdt data <group-address> <mask>

# Enable PIM and Multicast Routing at the interfaces towards the CE and P
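VRF isolation in both the L3VPN and the MVPN configurations above rests on the route-target and default MDT values: a VRF that imports another VRF's export RT merges the two routing tables, and two VRFs sharing one default MDT group would share one multicast tree. As an added example (not from the deck), this script parses constructed "ip vrf" blocks and flags both conditions; the VRF names, RTs and group addresses are made up.

```python
import re
from collections import defaultdict
# Constructed PE config (not from the deck): VRF Blue imports VRF Green's
# route target and reuses Green's default MDT group, breaking isolation.
SAMPLE_CONFIG = """\
ip vrf Green
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 mdt default 239.1.1.1
!
ip vrf Blue
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
 mdt default 239.1.1.1
!
"""

def parse_vrfs(config):
    """Collect route-target import/export and default MDT per 'ip vrf' block."""
    vrfs, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"ip vrf (\S+)", line)
        if m:
            cur = vrfs.setdefault(m.group(1), {"import": set(), "export": set(), "mdt": None})
        elif cur is None or not line.startswith(" "):
            cur = None  # '!' or any top-level line ends the VRF block
        else:
            tok = line.split()
            if tok[0] == "route-target":  # 'both' means import and export
                for d in (("import", "export") if tok[1] == "both" else (tok[1],)): cur[d].add(tok[2])
            elif tok[:2] == ["mdt", "default"]:
                cur["mdt"] = tok[2]
    return vrfs

def audit(vrfs):
    """Flag cross-VRF RT imports (merges routing tables) and shared default MDTs."""
    findings, by_mdt = [], defaultdict(list)
    for name, v in vrfs.items():
        if v["mdt"]:
            by_mdt[v["mdt"]].append(name)
        for other, o in vrfs.items():
            if other != name and v["import"] & o["export"]:
                findings.append(f"{name}: imports RT exported by {other}")
    for group, names in by_mdt.items():
        if len(names) > 1:  # one default MDT group should carry one VRF's multicast
            findings.append(f"default MDT {group} shared by {','.join(sorted(names))}")
    return findings
```

A cross-VRF RT import is only acceptable where an extranet or shared-services VRF was designed deliberately, so each finding is a review item rather than an automatic failure.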
MPLS over GRE
[Diagram: L3VPN and L2VPN sites whose Distribution PEs are joined across an IPv4 cloud by MPLS over GRE; Ethernet or VLAN attachment at Access, VRF Green and VRF Blue per site]
MPLS-VPN Services
Providing QoS to VPN Customers
• VPN customers may want an SLA so that real-time, mission-critical and best-effort traffic is treated appropriately
• QoS can be applied to VRF interfaces
- Just like any global interface
- The same QoS mechanisms apply
• Remember: IP precedence bits are copied to the MPLS TC/EXP bits (default behavior)
• MPLS Traffic Engineering could be used to provide bandwidth-on-demand for Fast Rerouting to VPN customers
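The default precedence-to-EXP copy, worked through as an added example (not from the deck): a minimal IPv4 header builder and RFC 3032 label stack entry encoder show that only the three precedence (class selector) bits reach the 3-bit EXP field, so the drop-precedence differences inside an AF class (AF31 vs AF33) collapse to one EXP value. The label value 16 and the packet contents are constructed.

```python
# Constructed IPv4 header builder and minimal label-stack encoder (not from the deck).
def make_ipv4_header(dscp: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header carrying the given DSCP (checksum left zero)."""
    hdr = bytearray(20)
    hdr[0] = 0x45          # version 4, IHL 5
    hdr[1] = dscp << 2     # ToS byte: DSCP in the top 6 bits, ECN in the low 2
    hdr[8] = ttl
    return bytes(hdr)

def precedence_from_tos(tos: int) -> int:
    """IP precedence is the top 3 bits of the ToS byte (the DSCP class selector)."""
    return (tos >> 5) & 0b111

def label_stack_entry(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """RFC 3032 shim: 20-bit label | 3-bit TC/EXP | 1-bit S | 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return word.to_bytes(4, "big")

def impose_label(ipv4_header: bytes, label: int) -> bytes:
    """Default PE ingress behaviour: EXP <- IP precedence, IP TTL propagated."""
    exp = precedence_from_tos(ipv4_header[1])
    return label_stack_entry(label, exp, True, ipv4_header[8]) + ipv4_header

def exp_of(labeled: bytes) -> int:
    """Read TC/EXP back from the first label stack entry."""
    return (labeled[2] >> 1) & 0b111

def exp_for_dscp(dscp: int) -> int:
    """EXP a PE assigns by default for a DSCP: only the 3 class bits survive."""
    return exp_of(impose_label(make_ipv4_header(dscp), label=16))  # label 16 constructed

if __name__ == "__main__":
    for name, dscp in (("AF31", 26), ("AF32", 28), ("AF33", 30), ("EF", 46), ("CS6", 48)):
        print(f"{name}: DSCP {dscp} -> EXP {exp_for_dscp(dscp)}")
```

If per-class drop precedence matters across the core, the EXP value has to be set explicitly with an ingress policy rather than relying on the default copy.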
In Conclusion…
Key Takeaways
 MPLS offers Secure Segmentation for Enterprise Networks Design
 End to End Standards based Segmentation from Access to WAN in Enterprise
 MPLS offers a wide range of features and services
 MPLS L3VPN and L2VPN are most commonly deployed in Enterprise
 MPLS Technology is available on a wide range of Switching products:
• Cisco Catalyst 3850 and 3650 Series (New)
• Cisco Catalyst 6K Fixed and Modular Series
• Cisco Nexus 7K Series

End to End Network Virtualization for Digital Enterprise
MPLS Sessions at Cisco Live 2016
• BRKMPL-1100 Introduction to MPLS
• BRKMPL-1102 MPLS Enterprise Switching Product Update and Designs
• BRKMPL-2100 Deploying MPLS Traffic Engineering
• BRKMPL-2102 Designing MPLS-based IP VPNs
• BRKMPL-2108 Designing MPLS in Next Generation Data Center: A Case Study
• BRKMPL-2110 Enterprise MPLS - Customer Case Studies
• BRKMPL-2115 MPLS Architectural approaches for Data Center and Cloud
• BRKMPL-2333 E-VPN & PBB-EVPN: the Next Generation of MPLS-based L2VPN
• BRKMPL-3124 Troubleshooting End-to-End MPLS
• LTRMPL-2104 Cisco WAN Automation Engine (WAE) Network Programmability with Segment Routing
• LTRMPL-3102 Enterprise Network Virtualization using IP and MPLS Technologies: Advanced
• TECMPL-3200 SDN WAN Orchestration in MPLS and Segment Routing Networks
Terminology Reference
Acronyms Used in MPLS Reference Architecture
Terminology Description
AC Attachment Circuit. An AC is a point-to-point, Layer 2 circuit between a CE and a PE.
AS Autonomous System (a domain)
CoS Class of Service
ECMP Equal Cost Multipath
IGP Interior Gateway Protocol
LAN Local Area Network
LDP Label Distribution Protocol, RFC 3036.
LER Label Edge Router. An edge LSR interconnects MPLS and non-MPLS domains.
LFIB Label Forwarding Information Base
LSP Label Switched Path
LSR Label Switching Router
NLRI Network Layer Reachability Information
P Router An interior LSR in the Service Provider's Autonomous System
PE Router An LER in the Service Provider administrative domain that interconnects the customer network and the backbone network.
PSN Tunnel Packet Switched Network tunnel
Terminology Reference
Acronyms Used in MPLS Reference Architecture (cont.)
Terminology Description
Pseudo-Wire A pseudo-wire is a bidirectional "tunnel" between two features on a switching path.
PWE3 Pseudo-Wire Emulation Edge-to-Edge
QoS Quality of Service
RD Route Distinguisher
RIB Routing Information Base
RR Route Reflector
RT Route Target
RSVP-TE Resource Reservation Protocol based Traffic Engineering
VPN Virtual Private Network
VFI Virtual Forwarding Instance
VLAN Virtual Local Area Network
VPLS Virtual Private LAN Service
VPWS Virtual Private Wire Service
VRF Virtual Routing and Forwarding instance
VSI Virtual Switching Instance
Further Reading
MPLS References at Cisco Press and cisco.com
• http://www.cisco.com/go/mpls
• http://www.ciscopress.com
• MPLS and VPN Architectures — Cisco Press®
  Jim Guichard, Ivan Pepelnjak
• Traffic Engineering with MPLS — Cisco Press®
  Eric Osborne, Ajay Simha
• Layer 2 VPN Architectures — Cisco Press®
  Wei Luo, Carlos Pignataro, Dmitry Bokotey, and Anthony Chan
• MPLS QoS — Cisco Press®
  Santiago Alvarez

Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you