Professional Documents
Culture Documents
Mpls VPN ppt3 PDF
Mpls VPN ppt3 PDF
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 1
References
• Recap
Multi-Protocol Label Switching (MPLS) Review
MPLS REVIEW
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 4
• MPLS Basics
• MPLS L3 VPNs
• MPLS TE
• AToM
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 5
MPLS Basics
• MPLS fundamentals
• MPLS components
• MPLS operation
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 6
MPLS Components
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 8
• Neighbor discovery
Basic and extended discovery
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 9
ATM Cell Header GFC VPI VCI PTI CLP HEC DATA
Label
LAN MAC Label Header MAC Header Label Header Layer 3 Header
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 10
MPLS Operation
171.69 1 5 5 171.69 1 7
... ... ... ... ... ... ... ... ... ... ... ...
0 128.89
0
128.89.25.4 Data
1
9 128.89.25.4 Data
128.89.25.4 Data 4 128.89.25.4 Data 1
Agenda
• MPLS Basics
• MPLS L3 VPNs
• MPLS TE
• AToM
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 14
Route Distinguisher
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 17
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 18
VPN C/Site 2
CEA2 12.1/16
VPN B/Site 1
CE1B1 Static CEB2
16.1/16 RIPv2
16.2/16
RIPv2
P1 PE2
CE2B1
VPN B/Site 2
BGP
RIPv2 PE1
P2 IGP/eBGP CE
Step 3 Net=16.1/16 A3
Step 1
IGP/eBGP Step 4 OSPF
Net=16.1/16
OSPF Step 2
CEA1 VPN-IPv4
Step 5 16.2/16
P3 PE3
Net=RD:16.1/16 BGP
NH=PE1 CEB3 VPN A/Site 2
Route Target
16.1/16 Label=42
VPN C/Site 1
12.2/16
VPN A/Site 1
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 19
VPN-
VPN-IPv4
Net=RD:16.1/16
NH=PE1 P1
Label=42 PE2
BGP
PE1
P2 IP
IP Dest=16.1.1.1 CEA3
Dest=16.1.1.1 Step 3
Step 4
CEA1 Label 42 Step 1 16.2/16
Dest=CEa1 P3 Step 2 PE3
IP Label N VPN A/Site 2
Dest=16.1.1.1 Dest=PE1
16.1/16 Label 42
Dest=CEa1
IP
VPN A/Site 1 Dest=16.1.1.1
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 20
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 21
Agenda
• MPLS Basics
• MPLS L3 VPNs
• MPLS TE
• AToM
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 22
• MPLS-TE uses RSVP and MPLS to build a Label Switched Path (LSP)
Traffic source, as well as destination, is taken into account when path is build
Encapsulating IP in MPLS along an explicit path avoids temporary routing loops
• MPLS-TE looks a lot like Frame Relay, but with a single Control Plane
for both the “PVC” and IP portions of the network
• MPLS-TE is something you do to your own network, not (yet) a
service you sell directly to customers
• MPLS-TE can provide failure protection (Fast ReRoute) and
bandwidth optimization
• MPLS-TE another (powerful, complex) tool in your toolbox
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 23
• Network engineering
Build your network to carry your predicted traffic
• Traffic engineering
Manipulate your traffic to fit your network
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 24
R8
R4
R2 R5
R1 R6 R7
GigE
R1 (1Gbps)
GigE
(1 Gbps)
R6 GigE R7
(1 Gbps)
40 Mbps
Traffic to R5
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 27
The TE Solution
20 Mbps 20 Mbps Traffic
Traffic to R5 R3 to R5 from R8
R8
R4
R5
R2 40 Mbps
Traffic
to R1 from R8
R1
R6 R7
40 Mbps
Traffic to R5
• MPLS Labels can be used to engineer explicit paths
• Tunnels are UNI-DIRECTIONAL
Normal path: R8 Î R2 Î R3 Î R4 Î R5
Tunnel path: R1 Î R2 Î R6 Î R7 Î R4
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 28
• Strategic
Mesh of TE tunnels between a level of routers
Typically P-to-P but can be PE-to-PE in smaller networks
N(N-1) LSPs (one in each direction)
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 29
Scalability
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 31
R3 R4 R5
• Node protection +
ENHANCEMENTS: the
backup tunnel tail-end
(MP) is two hops away
R1 R2 R6 R7 R8 from the PLR
12.0(22)S
R9
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 32
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 33
Summary: MPLS TE
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 34
• MPLS Basics
• MPLS L3 VPNs
• MPLS TE
• AToM
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 35
Customer Customer
Site PSN Tunnel Site
Pseudowires PWES
PWES
PE PE
Emulated Service
A Pseudowire (PW) Is a Connection Between Two Provider Edge (PE) Devices
which Connects Two Pseudowire End-Services (PWESs) of the Same Type
Service Types:
• Ethernet • HDLC
• 802.1Q (VLAN) • PPP
PWES
• ATM VC or VP • Frame Relay VC
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 37
ISP C
ISP 1
PE PE
ISP 3 Enterprise LAN
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 38
Any Transport
MPLS over MPLS
Backbone (AToM) Tunnel
PE PE
Virtual Leased DS-TE
Line (DS-TE + Tunnel
QoS)
ATM ATM
Frame Relay
DLCI
Any Transport
MPLS over MPLS
Backbone (AToM) Tunnel
PE PE
Virtual Leased DS-TE
Line (DS-TE + Tunnel
QoS)
Frame Frame
Relay Relay
Frame Relay
DLCI
MPLS LSP
CPE Router, CPE Router,
FRAD Any Transport FRAD
over MPLS
(AToM) Tunnel
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 41
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 42
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 43
VPN “A”
• Services need to be replicated per VPN VPN “B”
Poor efficiency
High Traffic Load
Management nightmare
Internet Internet
Gateway Gateway
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 45
MPLS/VPN:
Supporting Shared Services
VPN “B”
In-POP Internet
Services MPLS Network
POP POP
PE PE PE PE
VRF-A VRF-B VRF-B VRF-A VRF-B
Agenda
• Managed IP Services
• Managed Security Services
• SP Edge Redundancy
• Shared Management
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 48
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 49
VRF-AWARE DHCP
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 50
VRF-B
VRF-B
VRF-A
VRF-A VRF-B
VRF-AWARE ODAP
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 54
10.88.1.128/25
#4 DHCP 10.88.1.114 #3 use 10.88.1.0/25 10.88.1.0/25
#1
DHCP? #2 DHCP+ VRF-A
DHCP (CNR r5.5)
VRF-A or RADIUS
CE-A1 PE Cisco IOS
MPLS-VPN Server
10.88.1.0 VRF-B DHCP Server
CE-B1
#3
RST-2T09
10.88.1.0
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 56
#1 #2
DHCP? DHCP+ VRF-A
DHCP (CNR r5.5)
VRF-A or RADIUS
CE-A1 PE MPLS-VPN Server
Cisco IOS
10.88.1.0 VRF-B
DHCP Server
CE-B1
RST-2T09
10.88.1.0
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 57
• Configuration
Set initial pool size
Expansion/Contraction increment
High/Low utilization mark (% of pool)
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 58
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 59
Problem
• MPLS VPNs allow independent use of the same
IP address
• Overlapping private addresses prevent access
to shared services
• IP endpoints that access a shared service need
to be uniquely addressable
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 60
Solution
• Overlapping addresses are distinguished by their
associated VPN ID
• VRF-Aware NAT creates different translations per
VPN by including VRF info in the address
translation entries
• VRF-Aware NAT allows access to shared services
from multiple MPLS VPN customers, even though
IP addresses overlap
Outcome
• ISPs can offer centralized address translation
services
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 61
NAT PE CE-B2
VRF-B
Internet INSIDE
INTERFACE CE-B2
VRF-B
VRF-A VRF-B
VRF-A VRF-B
NAT
ip nat pool pool1 172.0.0.1 172.0.0.254 mask 255.255.255.0
Ethernet 0
ip nat pool pool2 172.0.1.1 172.0.1.254 mask 255.255.255.0
outside if
ip nat inside source list 1 pool pool1 vrf A
ip nat inside source list 1 pool pool2 vrf B
NAT PE Routing
Serial 1
ip route vrf A 172.0.3.0 255.255.255.0 int e0 global
Inside ip route vrf B 172.0.3.0 255.255.255.0 int e0 global
MPLS Backbone Interface
interface ethernet0
ip nat outside
A
B interface serial1
ip nat inside
interface serial2
ip nat inside
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 64
• Managed IP Services
• Managed Security Services
• SP Edge Redundancy
• Shared Management
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 65
Security Concerns
• What MPLS does and doesn’t cover?
• Inherited security concerns:
–User level security
authentication, authorization, local or Radius
–Device level security
ACLs, policing, privilege levels, login passwords…etc.
–Protocol level security
MD5 authentication, route filtering/max limit, route originate,
…etc.
–Network Security
QoS, ACLs…etc.
–Peripheral security
Encryption, IDS, Firewall…etc.
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 66
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 67
VRF-AWARE IPSEC
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 68
Corp B Corp B
Site 2 Site 1
Company Confidential
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 70
Leased Line/
Frame Relay/ATM/
DSL Dedicated Cisco IOS
Local or Access MPLS
Direct- PE
Dial ISP MPLS
• VRF instance
• MPLS distribution
• Key rings:
Are required
They store keys belonging to different VRFs
IKE exchange is authenticated if the peer key is present in
the keyring belonging to the FVRF of the IKE SA
• Front door VRF
Local endpoint (or outer IKE source/destination) of the IPSec
tunnel belongs to the FVRF
• Inside VRF
The source and destination addresses of the inside packet belong
to the IVRF
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 72
PE PE
Corp A Corp A
Site 1 MPLS Core Site 2
FVRF
PE PE
Corp A Corp A
Site 1 MPLS Core Site 2
IVRF
• IPSec
• Enhance crypto maps to support multiple VRFs
• Cisco IOS switching path
• Secure socket API
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 75
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 76
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 77
• An ISAKMP profile is a repository for IKE Phase 1 and IKE Phase 1.5
configuration for a set of peers; an ISAKMP profile defines items such
as keepalive, trustpoints, peer identities, and XAUTH AAA list during
the IKE Phase 1 and Phase 1.5 exchange; there can be zero or more
ISAKMP profiles on the Cisco IOS router
Aggregator-PE:
CPE1: crypto keyring vpn1
crypto isakmp policy 1 pre-shared-key address 172.16.1.1 key vpn1
encr 3des !
authentication pre-share crypto isakmp policy 1
group 2 encr 3des
authentication pre-share
crypto isakmp key vpn1 address 172.18.1.1 group 2
! !
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac crypto isakmp profile vpn1
! vrf vpn1
crypto map vpn1 1 ipsec-isakmp keyring vpn1
match identity address 172.16.1.1 255.255.255.255
set peer 172.18.1.1 !
set transform-set vpn1 crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
match address 101 !
! crypto map crypmap 1 ipsec-isakmp
set peer 172.16.1.1
interface FastEthernet1/0 set transform-set vpn1
ip address 172.16.1.1 255.255.255.0 set isakmp-profile vpn1
crypto map vpn1 match address 101
! !
interface FastEthernet1/1 interface Ethernet1/2
ip address 172.18.1.1 255.255.255.0
ip address 10.2.1.1 255.255.0.0 crypto map crypmap
! !
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 ip route vrf vpn1 10.2.0.0 255.255.0.0 172.18.1.2 global
! !
RST-2T09 access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 79
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 80
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 81
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 84
PE Internet
VPN Site Remote User
Shared
RST-2T09
Services
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 85
• Distributed model
• Hub-and-spoke model
• Virtual interface for VRF firewall
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 86
Site A Site A
CE CE
CE
VPN FW Protects VPN Site B
PE1 PE2
SS FW Protects SS
MPLS
Cloud
PE3
Shared
Service
• Pros
Firewall processing load is distributed to participating PEs
Firewall features can be deployed in the inbound direction
Shared services is protected @ ingress, malicious packets
from VPNs don’t travel through the network
• Cons
MPLS cloud is open to the shared services; malicious
packets from shared services travel through MPLS NW
Shared service FW features can’t be deployed in the
inbound direction
Distributed provisioning, management, and troubleshooting
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 88
Site A Site A
CE CE
CE
PE1 PE2
Site B
MPLS
Cloud
SS FW Protects SSc
PE3
Shared
Service
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved.
Cisco Confidential 89
• Pros
Firewall deployed centrally, easier prov., mgmt, troubleshooting
Shared services FW can be applied in the inbound direction
VPN site is protected from shared service at egress PE itself;
malicious packets from shared service will be filtered at this PE
before they enter into MPLS cloud
• Cons
VPN firewall features can not be deployed in the inbound
direction
MPLS cloud is open to the VPN site; the malicious packets from
VPN sites will be filtered only at egress PE—after traveling
through all core routers
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 90
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 91
interface Ethernet0/1.10
description VPN Site Bank(CE) to PE1
ip inspect bank-vpn-fw in
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 92
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 93
Agenda
• Managed IP Services
• Managed Security Services
• SP Edge Redundancy
• Shared Management
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 94
HSRP Enhancements
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 96
10.2.2.0
CE-B2
CE-Primary NAT PE
VRF-B
10.2.0.0
VRF-A
PE-1
VRF-B
Internet
CE-Backup VRF-A MPLS Core
PE-2
VRF-B
VRF-B
VRF-A
VRF-A VRF-B
Agenda
• Managed IP Services
• Managed Security Services
• SP Edge Redundancy
• Shared Management
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 100
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 101
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 102
Summary
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 104
NETWORK INTEGRATION
WITH MPLS: ADVANCED L3
VPN SERVICES MODELS
AND MECHANISMS
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 106
• Multi-VRF
• Remote Access to MPLS Solutions
VRF Select
Half Duplex VRFs
VPNID
• InterProvider Solutions
Inter-AS Service Models
RT Rewrite, ipV4BGP Label Distribution
Carrier Supporting Carrier Service Models
VRF-Aware MPLS Static Labels
• Multipath Load Balancing
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 107
Multi-VRF Architecture
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 109
13.1/24
Client 5
10.1/24 PE
2. PE 1 Learns Client 1’s VPN
Service Green Routes from the CE-
Segment Local VPN Blue Routes from VRF and Installs Them into
Client 4 Are Not Associated VRF Green
with VPN Green and Are Not
Imported into VRF Green
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 110
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 111
Multi-VRF Applications
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 112
Application 2:
VLAN-Based VPN Services
San Francisco
VPN McGrawHill
PE MPLS PE CE
Network VPN PG&E
VPN CharlesSchwab
Application 4:
L3 VLAN Service Model
VPN Green Site
10.1/24
11.1/24
Client 3 CE-VRF
12.1/24
VPN Red Not Allowed
to Access VPN Blue
13.1/24 or Any Other VPNs
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 117
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 118
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 119
VPN3
CE
ISP4 Owns
• VRF select decouples the interface with a VRF 40.X.X.X Network
• The VRF selection will be based on the source
address of the incoming traffic
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 120
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 122
Problem
• Only way to implement hub-and-spoke topology: put every
spoke into a single and unique VRF
To ensure that spokes do not communicate directly
• Single VRF model does not include HDV
Impairs the ability to bind traffic on the upstream ISP Hub
Solution
• Support hub-and-spoke model without 1 VRF per spoke site
• The wholesale SPs can provide true hub-and-spoke
connectivity to subscribers that can be connected:
To the same or different PE-router(s)
To the same or different VRFs, via the upstream ISP
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 123
Technical Justification
Problem
• PE requires multiple VRF tables for multiple VRFs to push
spoke traffic via hub
• If the spokes are in the same VRF (no HDV), traffic will be
switched locally and will not go via the hub site
Solution
• HDVs allows all the spoke site routes in one VRF
Benefit
• Scalability for RA to MPLS connections
• Reduces memory requirements by using just two VRF tables
• Simplifies provisioning, management, and troubleshooting by
reducing the number of Route Target and Route Distinguisher
configuration
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 124
SpokeSite
A PE VPNport MPLS
CORE VPNport
CE ISP1
VPNport
B Hub HUB
Site PE
Single
VRF Table
Sample Configuration
• Each VRF is created on the Spoke PE-router (LAC) before PPPoA
or PPPoE client connections are established
ip vrf U
rd 10:26
route-target import 10:26
!
ip vrf D
rd 10:27
route-target export 10:27
• Upstream VRF:
Used for forwarding packets from spokes to hub & contains a
static default route
Imports the default route from the Hub PE router ( @WholeSale
Provider)
Only requires a route-target import statement
• Downstream VRF:
Used for forwarding packets from hub to spoke
Contains a /32 route to a subscriber (installed from PPP)
Used to export all of the /32 (virtual-access ints) addresses
RST-2T09
toward the Hub PE-router; only requires a route-target export command
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 128
ip vrf D
rd 1:8
route-target export 1:100
!
AAA ip vrf U
ip vrf HUB rd 1:0
Radius route-target import 1:0
rd 1:20 Server
!
vpdn-group U
accept-dialin
route-target export 1:0 protocol pppoe
virtual-template 1
!
route-target import 1:100 interface Loopback2
ip vrf forwarding U
!
interface Virtual-Template1
Subscriber1
ip vrf forwarding U downstream D
ip unnumbered Loopback2
HubSitePE SpokeSitePE
(LNS1) SpokeSiteCE1
(LAC1)
MPLS Core
ISP1_Hub_CE
LNS1:
ip vrf D
description Downstream VRF - to
spokes SpokeSiteCE2
rd 1:8
route-target export 1:100 (LAC2)
!
ip vrf U LNS1: Subscriber2
description Upstream VRF - to hub !
rd 1:0 address-family ipv4 vrf U
route-target import 1:0 no auto-summary
! no synchronization
vpdn-group U exit-address-family
accept-dialin !
protocol pppoe address-family ipv4 vrf D
virtual-template 1 redistribute static
RST-2T09 no auto-summary
no synchronization
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. exit-address-family 129
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 131
VPNID
• VPNID components:
vpn id oui:vpn-index
oui (universal LAN MAC addresses assigned by
IEEE Registration authority-3octets hex #)
vpn-index (4-octet hex #, identifies each VPN within
a company
• Sample config:
!
ip vrf Cisco
vpn id 36B:10
!
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 133
INTER-PROVIDER SOLUTIONS:
INTER-AS MPLS-VPN
RST-2T09
9890_06_2004_c2
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 134
Customer
MPLS Customer
Carrier A
Backbone Carrier A
Carrier A
Carrier B
CSC Inter-AS
• Client-server topologies • Peer-to-peer topologies
• ISP or MPLS VPN provider is a • Two ISPs peer up providing
customer of another MPLS VPN services to some of the common
backbone provider customer base
• MPLS VPN backbone services • Single SP POPs not available in all
needed between the same geographical areas required by
carrier POPs their customers
• Subscribing Service Provider may • Both SPs must support MPLS VPNs
or may not have been MPLS-enabled • Customer’s sites distribute
• Customer’s sites do not distribute reachability information directly to
reachability information to the the participating Service Providers
backbone carrier
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 135
Why Inter-AS?
VPN-v4 update:
RD:1:27:149.27.2.0/24, Edge Router1 Edge Router2
NH=PE-1
RT=1:231, Label=(28) VPN-A VRF
Import Routes with
AS #1 AS #2 route-target 1:231
PE-1
PE2
How to Distribute
BGP, OSPF, RIPv2 Routes between
149.27.2.0/24,NH=CE-1
SPs?
CE-1 CE2
VPN-A-1
VPN-A-2
149.27.2.0/24
PE-ASBR-1 PE-ASBR-2
Back-to-Back VRFs
AS #1 AS #2
PE-1 Multihop MP-eBGP
between RRs
PE2
CE-1 CE2
VPN-A-1
VPN-A-2
Label Exchange
between Gateway
AS #1 PE-ASBR Routers AS #2
PE-1 Using eBGP
PE-2
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 141
PE-ASBR-1 PE-ASBR-2
VPN-B-1 VPN-B-2
152.12.4.0/24
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 142
LDP PE-1
Label L1
152.12.4.1 PE-ASBR-1 PE-ASBR-2 L3 152.12.4.1
VPN-B-1 VPN-B-2
152.12.4.0/24
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 143
ASBR-1 ASBR-2
AS #1 AS #2
PE-1
eBGP IPv4 + Labels PE-2
ASBRs Exchange BGP
next-hop Addresses
with Labels
CE-1 CE-2 CE-3 CE-4
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 145
VPN-v4 update:
RD:1:27:152.12.4.0/24,
RR-1 NH=PE-1 RR-2
VPN-v4 update: RT=1:222, Label=(L1) VPN-v4 update:
RD:1:27:152.12.4.0/24, RD:1:27:152.12.4.0/24,
NH=PE-1 ASBR-1 ASBR-2 NH=PE-1
RT=1:222, Label=(L1) Network=PE-1 RT=1:222, Label=(L1)
NH=ASBR-2
PE-1 Label=(L3)
Network=PE-1
PE-2
NH=ASBR-1
Label=(L2)
BGP, OSPF, RIPv2 CE-2 CE-3 BGP, OSPF, RIPv2
152.12.4.0/24,NH=CE-2 152.12.4.0/24,NH=PE-2
VPN-B-1 VPN-B-2
152.12.4.0/24
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 146
RR-1 RR-2
VPN-B-1 VPN-B-2
152.12.4.0/24
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 147
ASBR-1 ASBR-2
AS #100 AS #200
eBGP IPv4 +
AS1_PE1 Labels AS2_PE1
Benefits:
• Eliminates the need for any other label distribution protocol
between the two ASBRs
• Allows a non-VPN core network to act as a transit network
for VPN traffic
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 148
On ASBRs(and RR if in use)
address-family ipv4
neighbor <peer’s loopback add> send-label
On AS1_PE1
neighbor <RR> send-label
neighbor <ASBR-1> send-label
On RR
neighbor <ASBR-1> send-label
neighbor <AS1_PE1> send-label
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 150
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 151
VPN-A VPN-A
Rewrite RT:
Export RT 100:1 100:1->200:1 Export RT 200:1
VPNv4
Import RT 100:1 Exchange Import RT 200:1
ASBR1
AS #100 AS #200
PE-1
ASBR2
PE2
CE2
CE-1 Rewrite RT:
200:1->100:1 Replace Incoming Update on ASBR2:
VPN-A-1 VPN-A-2
ip extcommunity-
extcommunity-list 1 permit rt 100:1
!
route-
route-map extmap permit 10
match extcommunity 1
set extcomm-
extcomm-list 1 delete
set extcommunity rt 200:1 additive
!
route-
route-map extmap permit 20
!
RST-2T09
neighbor X.X.X.X route-
route-map extmap in
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 152
RST-2T09
9890_06_2004_c2
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 153
The Problem
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 154
P1 PE2
PE1
P2 IP CEA3
Dest=Internet
CEA1 P3 Step 1
PE3
ISP A/Site 2
iBGP IPv4
ISP A/Site 1
Internet
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 155
P1 PE2
Label (iBGP VPnv4)
PE1 Dest=VRF A
P2 IP CEA3
Dest=1.2.3.4
CEA1 P3 Step 1
PE3
ISP A/Site 2
iBGP VPNv4
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 156
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 157
P1 PE2 Label
(LDP/BGP+Label)
PE1 Dest=CEa1
IP
P2 IP CEA3
Dest=Internet
Dest=Internet Step 3
Step 2
Step 4 Label (VPNv4)
CEA1 Dest=CEa1 Step 1
P3 Label (LDP/TE) PE3
IP Dest=PE1
Dest=Internet VPN A/Site 2
Label (VPNv4/IBGP)
Dest=CEa1
IP
Dest=Internet
VPN A/Site 1 Internet
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 158
Label (LDP/BGP)
Dest=CEa1
P1 Label (iBGP
PE2
VPNv4)
Label (VPNv4) Dest=VPN1
Dest=VPN1 PE1
P2 IP CEA3
IP Dest=VPN1-Cust
Dest=VPN1-Cust Step 3
Step 2
Step 4 Label (VPnv4)
CEA1 Dest=CEa1 Step 1
P3 PE3
Label (VPNv4) Label (LDP/TE)
Dest=VPN1 Dest=PE1 VPN A/Site 2
IP Label (VPnv4)
Dest=VPN1-Cust Dest=CEa1
Label (VPNv4)
VPN A/Site 1 VPN1-Cust
Dest=VPN1
IP
Dest=VPN1-Cust
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 159
(2) LDP
• Control Plane configuration is similar to MPLS VPN
• BGP-4 used by customer to distribute external routing information
between all sites
• BGP next-hop addresses exchanged between customer and carrier
PE routers and are placed into VRFs and distributed using MP-BGP
• The only addition is (*) LDP at the PE-CE links
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 160
P P2
CC-CE1 BC-PE1 BC-PE2 CC-CE2
IP Network IP Network
Site 1 P Site 2
Backbone Carrier
Customer Carrier LDP ON ALL SHOWN LINKS
Customer Carrier
RR RR
MPLS
Network P P CC-CE2
BC-PE1 BC-PE2 MPLS
Network
CC-CE1 P
CC-CE3
Site 1 Site 2
CE3 CE3 CE3 PE2 CE3 PE2 CE3 CE3 CE3
Legend:
• LSP is extended into the sites, CC-CE advertises labels to PE IGP Label
internal routes VPN Label
• CE1 perform label swap for the site IGP label, PE swaps the site IP Packet
IGP label with a VPN label and pushes IGP label
• PHP is now extended to inside of site 2
• External routes are carried by BGP between sites, same as before
• The same BGP peering from before can be used here
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 162
CC-CE2 P
C-PE1 C-PE2
Customers Customers
NWs PHP PHP NWs
VPN CE3 VPN CE3 VPN CE3 PE2 VPN CE3 PE2 VPN CE3 VPN CE3 VPN
Legend:
IGP Label
• LSP is extended to C-PE, CE advertises labels for internal routes to VPN Label
PE; C-PE1 perform imposition for site VPN label and IGP label Site VPN
• PE swaps the site IGP label with a BB VPN label and push IGP label; Label
PHP is now extended to inside of site 2 IP Packet
eiBGP MULTIPATH
LOAD BALANCING
RST-2T09
9890_06_2004_c2
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 166
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 167
• eBGP Multipath
• iBGP Multipath
• eiBGP Multipath (MPLS/VPN)
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 168
ASBR1-AS100
AS100 AS200
ASBR2-AS200
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 169
h1
2.2.2.2 -pat
I GP
th 2
PE2 AS 200 IGP-pa PE2
AS200
10.0.0.0/8 10.0.0.0/8
PE1 AS 100 11.0.0.0/8 PE1 IGP
-pat 11.0.0.0/8
h3
IGP- PE3
PE3 path
4
3.3.3.3
RST-2T09
9890_06_2004_c2
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 173
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 174
PE-1 PE-2
CE-3
Site 1
CE-2
CE-1
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 175
! exit-address-family
Site-2
10.13.1.12
CE-1 CE-2
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 176
Case II Case IV
Site 3
Site 2
PE1 CE3
Site 1 PE1 CE3 CE1
CE1 PE3
Site 1 Site 2
CE2 PE2 PE2 CE2
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 177
Q&A
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 178
NETWORK INTEGRATION
WITH MPLS: ADVANCED
TE APPLICATIONS
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 180
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 181
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 182
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 183
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 184
1.0.0.0/8
Tun1
CE21
CE11
PE1 PE2
Tun2 RID=192.168.1.2
CE12
CE22
2.0.0.0/8
Goal:
CE11ÆCE21 via Tun1
CE12ÆCE22 via Tun2
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 185
1.0.0.0/8
Tun1
CE21
CE11
PE1 PE2
Tun2 RID=192.168.1.2
CE12
CE22
RST-2T09
2.0.0.0/8
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 186
1.0.0.0/8
Tun1
CE21
CE11
PE1 PE2
Tun2 RID=192.168.1.2
CE12
CE22
RST-2T09
2.0.0.0/8
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 187
1.0.0.0/8
Tun1
CE21
CE11
PE1 PE2
Tun2 RID=192.168.1.2
CE12
CE22
RST-2T09
2.0.0.0/8
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 188
1.0.0.0/8
Tun1
CE21
CE11
PE1 PE2
Tun2 RID=192.168.1.2
Loop1=10.1.1.1
CE12 Loop2=10.2.2.2
CE22
ip route 10.1.1.1 255.255.255.255 Tunnel1
ip route 10.2.2.2 255.255.255.255 Tunnel2
2.0.0.0/8
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 189
ip vrf one
rd 100:1 1.0.0.0/8
route-target export 100:1
route-target import 100:1
Tun1 bgp next-hop Loopback1
CE21
CE11
PE1 PE2
Tun2 RID=192.168.1.2
Loop1=10.1.1.1
CE12 Loop2=10.2.2.2
CE22
ip vrf two
rd 100:2
2.0.0.0/8
route-target export 100:2
route-target import 100:2
bgp next-hop Loopback2
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 190
1.0.0.0/8
Tun1
CE21
CE11
PE1 PE2
Tun2 RID=192.168.1.2
Loop1=10.1.1.1
CE12 Loop2=10.2.2.2
CE22
2.0.0.0/8
PE1#sh ip cef vrf one 1.0.0.0
1.0.0.0/8, version 12, epoch 0, cached adjacency to Tunnel1
…
PE1#sh ip cef vrf two 2.0.0.0 int
2.0.0.0/8, version 9, epoch 0, cached adjacency to Tunnel2
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 191
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 193
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 194
• Autoroute
• Forwarding-adjacency
• Static routes
• … just like any other traffic down a TE tunnel
• Covered in RST-2603, “Deploying MPLS-TE”
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 195
interface Tunnel2
1. Build your TE tunnel
ip unnumbered Loopback0
tunnel destination 192.168.1.21
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 10
dynamic
tunnel mpls traffic-eng fast-reroute
interface Serial2/0
3. Attach the pw-class to a xconnect 192.168.1.21 1 pw-class
customer-facing interface protected
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 197
INTER-AS TE
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 198
AS1 SP1
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 199
Inter-AS TE
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 200
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 201
Fast Reroute
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 202
• Node protection +
R3 R4 R5 ENHANCEMENTS: the
backup tunnel tail-end
(MP) is two hops away
R1 R2 R6 R7 R8
from the PLR
12.0(22)S
R9
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 203
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 204
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 205
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 206
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 207
FRR Scalability
10 4 40 160 100
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 208
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 209
TE AUTOMATION
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 210
• Autotunnel
Primary 1hop
Backup
Meshgroup
• Autobandwidth
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 211
• Primary onehop—build
a TE tunnel to each
directly connected
neighbor
• This is so we have
something to protect
• Not terribly useful by
itself, designed to be
used in conjunction
with NHop tunnels
(next slide)
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 212
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 213
• Automatically build
a full mesh of TE
tunnels between a
set of routers
• Lets you take
advantage of
NNHop protection
• Also can use the full
mesh for a traffic matrix
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 214
• Different combinations
(primary onehop) + (NHop) == link protection
(mesh group) + (NHop) == link protection, full mesh
(mesh group) + (NNHop) + (NHop) == link and node
protection, full mesh
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 215
Configuring Autotunnel
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 216
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 217
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 218
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 219
Autobandwidth
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 220
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 221
• Scalable Debugs
• Refresh Reduction
• Pacing
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 222
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 223
Scalable Debugs
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 224
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 225
Refresh Reduction
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 226
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 227
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 228
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 229
Agenda
• Summary
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 230
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 231
RP Failures
Problem:
• With RP failures, need to wait for
Standby RP to initialize
Configuration synch up
• With RPR+:
• Full software image pre-initialized on standby RP
• Line cards stay up with NO reload/reinitialization
• Both startup and running configs are synced to the
standby RP
• No link flaps for HDLC (POS) and Ethernet (need to consider
for existing HA feature such as FRR, dual homing)
• Recovery in 5–30 seconds
• No MPLS specific changes
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 232
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 233
LSPs LSPs
2 2
RST-2T09
LSPs LSPs
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 234
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 235
IPC
RP Checkpointing RP
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 236
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 237
X
IPC
forwarding ASICs
3. Active RP fails RP Checkpointing RP
Switchover starts, checkpointing stops
Forwarding continues on LCs/FP;
RP B assumes Active role and begins
providing L2, L3 services;
L2 continues where it left off;
L3 reconverges, updates RIB then FIB
Line Card Line Card Line Card
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 238
X
IPC
forwarding ASICs.
3. Active RP fails RP Checkpointing RP
Switchover starts, checkpointing stops
Forwarding continues on LCs/FP;
RP B assumes Active role and begins
providing L2, L3 services;
L2 continues where it left off;
L3 reconverges, updates RIB then FIB
4. RP A reloads, reboots, reinitializes and Line Card Line Card Line Card
rejoins as Standby;
Checkpointing resumes from Active to Standby
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 239
Agenda
• MPLS HA Overview
• Coexistence with IP NSF/SSO
• MPLS HA Components
MPLS HA—LDP NSF/SSO
MPLS HA—BGP VPNv4 NSF/SSO
MPLS HA—Management
• Summary
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 240
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 241
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 244
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 245
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 246
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 247
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 248
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 249
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 250
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 251
Agenda
• MPLS HA Overview
• Coexistence with IP NSF/SSO
• MPLS HA Components
MPLS HA—LDP NSF/SSO
MPLS HA—BGP VPNv4 NSF/SSO
MPLS HA—Management
• Summary
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 252
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 253
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 254
FT Flags Reserved
0 7 15
FT Reconnect Timeout (in milliseconds)
R Reserved SAC L
LSR LSR
LDP GR No LDP GR 2. I Don’t Know What
1.Intialization with
FT Session TLV = (0x0503) FT Session TLV =
(0x0503)
Discard
3. Propose Normal LDP Session
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 257
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 258
MP-BGP GR
P PE1
HA Aware HA HA Aware
HA Aware RR
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 260
A B C
Configuration Options:
• If enable globally, don’t need to enable per interface
• Don’t need to enable globally, can enable on
selected interfaces
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 262
Agenda
• MPLS HA Overview
• Coexistence with IP NSF/SSO
• MPLS HA Components
MPLS HA––LDP NSF/SSO
MPLS HA—BGP VPNv4 NSF/SSO
MPLS HA—Management
• Summary
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 264
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 265
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 266
LSP
LSP
LSP
LSP
Supported Features:
• MPLS VPN BGP GR for VPNv4
• MPLS VPN BGP checkpointing
• MPLS VPN SSO/NSF support for VRF
• MPLS VPN SSO/NSF support for I-AS
• MPLS VPN SSO/NSF support for CSC
Additional features will be supported in subsequent
releases; please refer to Cisco Feature Navigator for
the latest information
http://www.cisco.com/go/fn
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 273
Agenda
• MPLS HA Overview
• Coexistence with IP NSF/SSO
• MPLS HA Components
MPLS HA—LDP NSF/SSO
MPLS HA—BGP VPNv4 NSF/SSO
MPLS HA—Management
• Summary
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 274
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 275
Agenda
• MPLS HA Overview
• MPLS HA Coexistence with IP NSF/SSO
• MPLS HA Components
MPLS HA—LDP NSF/SSO
MPLS HA—BGP VPNv4 NSF/SSO
MPLS HA—Management
• Summary
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 276
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 277
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 278
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 279
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 280
• GMPLS—Generalized MPLS
Extensions to MPLS to integrate IP and optical networks
• OUNI—Optical UNI
• UCP—Unified Control Plane
Same control plane for MPLS and GMPLS
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 281
UCP Overview
• GMPLS provides
Connection protection/restoration capabilities
Separation b/w transmission, control and
management plane
Network management using SNMP (dedicated MIB)
• Optical UNI
Signaling interface (demarcation) between the optical
user equipment and Service Provider transport network
Signaling and routing interface between optical
networking elements
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 282
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 283
Relationship/Coordination between
Control Plane Standards Bodies
NNI 1.0
Routing
• OIF on apps and interop Link Management
OSPF-TE/IS-IS
(LMP, LMP-WDM)
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 284
*draft-ietf-ccamp-gmpls-architecture
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 286
*draft-ietf-ccamp-gmpls-architecture
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 287
• Topology discovery
Running an IGP (OSPF or IS-IS)
with extensions
Routing Signaling
• Route computation
R Route computation done by NEs
C
O I S Link state aggregation and lack of
R lightpath related information affects
S S V efficiency
L
P I P
D • Neighbor discovery
F S T
P Link Management Protocol like
E
LMP/NDP run in distributed way
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 289
GMPLS Mechanisms
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 290
FSC λ FSC
Interfaces That…
• … recognise bits
• … recognise packet or cell boundaries
• … can make forwarding decisions based on the
content of the appropriate packet or MPLS header
• … are capable of receiving and processing routing
and signalling messages on in-band channels
Examples:
Interfaces on…Routers, MPLS LSRs
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 294
Interfaces That…
• … recognise bits
• … recognise packet or cell boundaries
• … can make forwarding decisions based on
the content of the appropriate frame/cell header
(e.g. MAC Address, DLCI, VPI/VCI)
• … are capable of receiving and processing routing
and signalling messages on in-band channels
Examples:
Interfaces on…Ethernet Switches, ATM
Switches, Frame Relay Switches
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 295
Optical Devices
• OXCs
Interfaces
… recognize wavelengths
… setup light paths—wavelength cross connects
• OADM
Interfaces
… work with OC-n channels
… Cross connect and setup channels
…
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 296
...
...
...
In-Band
Component Links FA
Link Verification Messages
• LMP Functionality
Most LMP messages sent out-of-band through CC
In-band messages sent for Component Link Verification
Once allocated, Component Link is not assumed to be opaque
Port ID mapping
One CC per one or more Component Link Bundles
Fault isolation
End-system and service discovery (UNI related)
• Flooding Adjacencies are maintained over CC
(via control network)
• Forwarding Adjacencies (FA) are maintained over draft-ietf-ccamp-lmp
Component Links and announced as links into the IGP draft-ietf-ccamp-lmp-wdm
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 297
LSR1 LSR2
• Issue
Neighboring LSRs connected by multiple parallel links
Each link is addressed at each end and advertised into routing
database… lots of links!!!
• Solution
Aggregate multiple components links into a single abstract link
Use (router ID, interface #) for link identifiers
• Reduces number of links in routing database and
amount of per-link configuration
draft-kompella-mpls-bundle
draft-kompella-mpls-unnum
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 298
GMPLS Signaling
TE
LSP
TE
LSP
OTN
GMPLS Domain
• Extended label semantics for Fiber, Waveband, Lambda, TDM and PSC LSP setup
• Extend RSVP-TE/CR-LDP to support new label objects over explicit/non explicit path
• Suggested label—conveyed by upstream LSR to downstream LSR to speed up
configuration (on upstream)
• Label set—limits choice of labels that downstream LSR can choose from
If no wavelength conversion available then same lambdas must be used ete
• Bidirectional LSP setup
RFC 3471 Generalized Multi-Protocol Label Switching (GMPLS) Signaling
Functional Description
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 300
draft-ietf-ccamp-gmpls-routing
draft-ietf-ccamp-ospf-gmpls-extensions
draft-ietf-isis-gmpls-extensions
draft-ietf-ccamp-rsvp-te-exclude-route
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 301
• Link descriptor
Link encoding type and bandwidth granularity
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 302
Analysis draft-ietf-ccamp-gmpls-recovery-analysis
Functional
Specification draft-ietf-ccamp-gmpls-recovery-functional
GMPLS RSVP-
RSVP-TE
Specification draft-ietf-ccamp-gmpls-recovery-e2e-signaling
• Interface standby
Similar to link protection of MPLS FRR
• End-to-end protection
Similar to path protection of MPLS FRR
End-to-End
TDM
12K OCn
* NNI OCn 12K
TDM
PoS
* Optical Core PoS
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 304
Overlay Model
• GMPLS LSR
GMPLS GMPLS
computes path within
LSR LSR
optical network
• Router has no visibility
of path detail
Peer Model
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 306
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 307
UNI UNI
LSP
draft-ietf-ccamp-gmpls-overlay-xx.txt
(RSVP Support for Overlay Model)
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 308
Signaling/Routing
LMP LMP LMP LMP
LSP
Section Outline
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 310
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 311
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 312
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 315
What Is O-UNI?
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 316
User Domain
OXC
UNI(Transport) OXC
OXC OXC
Optical Transport Network UNI
What Is O-NNI?
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 318
O-NNI-IrDI O-NNI-IrDI
OXC OXC
Optical Transport Network
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved.
Service Provider B Domain (Centralized) 319
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 320
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 321
Summary
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 323
References: GMPLS
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 325
References: (G)MPLS-TE
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 326
MPLS DEPLOYMENT
EXPERIENCE
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 328
• Scalability
• Core vs Edge
• Management
• Migrations L3 and L2
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 329
Assumption:
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 330
MPLS
Core
OSPF/LDP Router
10000 routes
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 331
MPLS
PE Backbone PE
Legend
MPLS Link
IP Router
IP only link
Not Yet MPLS Enabled ATM or L2 link
Core Con't
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 335
QoS: Core
• Disable propagate-ttl:
Customer traceroute no longer shows the core network
hops.
Monitoring
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 338
• Billing models:
PVC charge/ KB of CIR
RST-2T09 Usage based ( Port aggregate/PVC )
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 339
L2 Deployment OAM:
• Example - Ethernet:
No Management LMI/Ping
Monitor Error counters
Interface flaps ( Syslog/Traps )
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 340
• Several approaches:
Link by link migration with new transport
Individual Existing tail circuit move to new MPLS router.
All tail circuits for a particular ATM customer moved at once.
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 342
RST-2T09
9890_06_2004_c2 © 2004 Cisco Systems, Inc. All rights reserved. 343
RST-2T09
9890_06_2004_c1 © 2004 Cisco Systems, Inc. All rights reserved. 344