MPLS VPN

DEPLOYING MPLS-VPN
SESSION RST-2602
Rajiv Asati (rajiva@cisco.com)
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 1
Agenda
• MPLS VPN Definition?

Technology
Configuration
• MPLS-VPN Services
Providing load-shared traffic to the multihomed VPN sites
Providing Hub&Spoke service to the VPN customers
Providing MPLS VPN Extranet service
Providing Internet access service to VPN customers
Providing VRF-selection based services
Providing Remote Access MPLS VPN
Providing VRF-aware NAT services
• Advanced MPLS VPN Topics
Inter-AS MPLS-VPN
CsC Carrier Supporting Carrier
• Best Practices
• Conclusion.
RST-2602
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Prerequisites
• Must understand basic IP routing, especially BGP

• Must understand MPLS basics (push, pop, swap,
label stacking)
• Must finish the evaluation
http://www.networkers04.com/desktop
RST-2602
Terminology:
• LSR : Label Switch Router

• LSP : Label Switched Path
The chain of labels that are swapped at each hop to get from one LSR to another
• VRF : VPN Routing and Forwarding
Mechanism in IOS used to build per-interface RIB and FIB
• MP-BGP : Multi-Protocol BGP
• PE : Provider Edge router Interfaces with CE routers
• P : Provider (core) router, without knowledge of VPN
• VPNv4 : Address family used in BGP to carry MPLS-VPN routes
• RD : Route Distinguisher
Distinguish same network/mask prefix in different VRFs
• RT : Route Target
Extended Community attribute used to control import and export policies of VPN
routes
• LFIB : Label Forwarding Information Base
• FIB : Forwarding Information Base (FIB)
RST-2602
8181_05_2003_c2
Agenda

Technology
Configuration
Inter-AS MPLS-VPN
• Best Practices
• Conclusion.
RST-2602
MPLS-VPN Operation’s Theory
• VPN definition: VRF instance

• VPN Route Propagation (Control Plane)
• VPN Packet forwarding (Data Plane)
RST-2602
8181_05_2003_c2
MPLS VPN Connection Model
P P
PE PE
VPN Backbone IGP
P P
MP-iBGP session
PE routers P Routers
Edge Routers P routers are in the core of the MPLS

cloud
Use MPLS with P routers
P routers do not need to run BGP and
Uses IP with CE routers doesn’t need to have any VPN knowledge
Connects to both CE and P routers. Forward packets by looking at labels

Distribute VPN information through
MP-BGP to other PE router with P and PE routers share a common IGP
VPN-IPv4 addresses, Extended
Community, Label
RST-2602
MPLS VPN: Separate Routing Tables in PE

CE
vpn site 2
PE
EBGP,OSPF, RIPv2,Static
CE MPLS Backbone IGP (OSPF, ISIS)
vpn site 1
VRF routing table The Global routing table
Routing (RIB) and Forwarding table Populated by the MPLS backbone IGP
(CEF) associated with one or more
directly connected sites (CEs)
In PE routers may contain the BGP
Internet routes (standard ipv4 routes)
The routes the PE receives from CE
Routers are installed in the appropriate
VRF routing table(s)
blue VRF routing table or green
VRF routing table
RST-2602
8181_05_2003_c2
VRF: Virtual Routing and Forwarding
Instance
CE
vpn site 2
VRF green
PE
vpn site 1
VRF blue
• What’s a VRF ?
• Associates to one or more interfaces on PE
Privatize an interface i.e. coloring of the interface
• Has its own routing table and forwarding table (CEF)
• VRF has its own instance for the routing protocol
(static ,RIP,BGP,EIGRP,OSPF)
• CE router runs standard routing software
RST-2602
VRF: Virtual Routing and Forwarding

Instance
CE
vpn site 2
PE
vpn site 1
• PE installs the routes, learned from CE routers, in

the appropriate VRF routing table(s)
• PE installs the IGP (backbone) routes in the global
routing table
• VPN customers can use overlapping IP addresses.
RST-2602
8181_05_2003_c2
Additions in BGP: MPLS-VPN Info BGP
8 Bytes 4 Bytes 8 Bytes 3 Bytes
1:1 10.1.1.0
RD IPv4 Route-Target Label
VPNv4
MP-iBGP update with RD, RT, and Label
• RD: Route Distinguisher

• VPNv4 routes
• RT: Route Target
• Label
RST-2602
MPLS VPN Control Plane

MP-BGP Update Components: VPNv4 address
1:1 10.1.1.0
VPNv4
MP-IBGP update with RD, RT, and Label
• To convert an IPv4 address into a VPNv4 address, RD

is appended to the IPv4 address i.e 1:1:10.1.1.0
• Makes the customer’s IPv4 route globally unique.
• Each VRF must be configured with an RD at the PE !

ip vrf v1
• RD is what that defines the VRF rd 1:1
!
RST-2602
8181_05_2003_c2
MP-BGP Update Components: Route-Target
1:1 10.1.1.0 2:2

VPNv4
• Route-target (RT): Identifies the VRF for the received VPNv4

prefix. It is an 8-byte extended Community (a BGP attribute)
• Each VRF is configured with RT(s) at the PE
RT helps to color the prefix
!
ip vrf v1
route-target import 1:1
route-target export 1:2
!
RST-2602

MP-BGP Update Components: Label
1:1 10.1.1.0 2:2 50

VPNv4
• The Label (for the VPNv4 prefix) is assigned only by the PE whose address is the
Next-Hop attribute
PE routers re-write the Next-Hop with their own address (loopback)
“Next-Hop-Self” towards MP-iBGP neighbors by default
• PE addresses used as BGP Next-Hop must be uniquely known in the backbone
IGP
DO NOT summarize the PE loopback addresses in the core
RST-2602
8181_05_2003_c2
MPLS VPN Control Plane:
Putting It All Together
MP-iBGP update:
RD:10.10.1.0
Site 1 3 Next-hop=PE-1 Site 2
RT=Green, Label=100
CE1 CE2
10.1.1.0/24
P P
PE1 PE2
10.10.1.0/24
Next-Hop=CE-1
P
P
1
MPLS Backbone
1) PE1 receives an IPv4 update (eBGP,OSPF,EIGRP)
2) PE1 translates it into VPNv4 address
• Assigns an RT per VRF configuration
• Re-writes Next-Hop attribute to itself
• Assigns a label based on VRF and/or interface
3) PE1 sends MP-iBGP UPDATE to other PE routers
RST-2602
MPLS VPN Control Plane:

Putting It All Together
MP-iBGP update: 10.1.1.0/24
RD:10.10.1.0
3 Next-hop=PE-1
5 Next-Hop=PE-2
Site 2
Site 1
RT=Green, Label=100
CE1 CE2
10.1.1.0/24
P P
PE1 PE2
10.1.1.0/24
Next-Hop=CE-1
P
P
1
MPLS Backbone
4) PE2 receives and checks whether the RT=green is locally

configured within any VRF, if yes, then
5) PE2 translates VPNv4 prefix back into IPv4 prefix,
• Installs the prefix into the VRF Routing table
• Updates the VRF CEF table with label=100 for 10.1.1.0/24
• Advertise this IPv4 prefix to CE2 (EBGP, OSPF, EIGRP)
RST-2602
8181_05_2003_c2
MPLS VPN Forwarding Plane:
e
Site 1 Site 2
CE1 CE2
10.1.1.0/24
P1 P2
PE1 PE2
VRF Green forwarding Table
Dest->NextHop
P 10.1.1.0/24-ÆPE1, label: 100
P
Global routing/forwarding table Global routing/forwarding table

Dest->Next-Hop Dest->NextHop
PE2 Æ P1, label: 50 PE1 Æ P2, label: 25
The Global Forwarding table VRF Forwarding table

(show ip cef) (show ip cef vrf <vrf>)
•PE routers store IGP routes •PE routers store VPN routes
•Associated labels •Associated labels
•Label distributed through LDP/TDP •Labels distributed through MP-BGP
RST-2602
MPLS VPN Forwarding Plane:

e
Site 1 Site 2
CE1 CE2
10.1.1.0/24
P P
PE1 PE2 10.1.1.1
10.1.1.1
100 10.1.1.1 P
P
50 100 10.1.1.1
25 100 10.1.1.1
PE2 imposes TWO labels for each packet going to the VPN destination 10.1.1.1
• The top label is LDP learned and Derived from an IGP route
Represents LSP to PE address (exit point of a VPN route)
• The second label is learned via MP-BGP
Corresponds to the VPN address
RST-2602
8181_05_2003_c2
Agenda

Technology
Configuration
Inter-AS MPLS-VPN
• Best Practices
• Conclusion.
RST-2602
MPLS VPN Sample Configuration

VRF Definition ip vrf VPN-A
rd 1:1
Site 1 route-target export 100:1
10.1.1.0/24
CE1 route-target import 100:1
PE1
PE1 Interface Serial0
Se0
192.168.10.1 ip address 192.168.10.1 255.255.255.0
ip vrf forwarding VPN-A
PE-P Configuration
Interface Serial1
ip address 130.130.1.1 255.255.255.252
P mpls ip
Se0 PE1
s1 PE1
router ospf 1
network 130.130.1.0 0.0.0.3 area 0
RST-2602
8181_05_2003_c2
PE: MP-IBGP
router bgp 1
RR neighbor 1.2.3.4 remote-as 1
neighbor 1.2.3.4 update-source loopback 0
PE1 PE2 PE1
address-family vpnv4
neighbor 1.2.3.4 activate
neighbor 1.2.3.4 send-community both
RR: MP-IBGP router bgp 1

no bgp default route-target filter
neighbor 1.2.3.6 update-source loopback0
PE1 PE2 RR
neighbor 1.2.3.6 route-reflector-client
Neighbor 1.2.3.6 activate
RST-2602

PE-CE BGP
Site 1 router bgp 1
CE1 !
10.1.1.0/24 address-family ipv4 vrf VPN-A
PE1
192.168.10.2 neighbor 192.168.10.2 remote-as 2
PE1 neighbor 192.168.10.2 activate
192.168.10.1 exit-address-family
!
PE-CE OSPF
Site 1 router ospf 1
!
CE1
10.1.1.0/24 router ospf 2 vrf VPN-A
192.168.10.2 PE1 network 192.168.10.0 0.0.0.255 area 0
PE1 !
192.168.10.1
RST-2602
8181_05_2003_c2
PE-CE RIP
router rip
Site 1
CE1 address-family ipv4 vrf VPN-A
10.1.1.0/24
version 2
192.168.10.2 no auto-summary
PE1
network 192.168.10.0
192.168.10.1
exit-address-family
PE-CE EIGRP
Site 1 router eigrp 1
CE1
10.1.1.0/24 address-family ipv4 vrf VPN-A
192.168.10.2
network 192.168.10.0 0.0.0.255
PE1 autonomous-system 1
192.168.10.1 exit-address-family
RST-2602

PE-CE Static
Site 1
CE1
10.1.1.0/24
ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
192.168.10.2
PE1
192.168.10.1
PE-CE MB-iBGP routes to VPN

Site 1 router rip
RR address-family ipv4 vrf VPN-A
version 2
PE1 redistribute bgp 1 metric 1
CE1 no auto-summary
network 192.168.10.0
exit-address-family
If PE-CE protocol is non BGP then redistribution

of other sites VPN routes from MP-IBGP is required.
RST-2602
8181_05_2003_c2
PE-RR (VPN routes to VPNv4)
router bgp 1
Site 1
neighbor 1.2.3.4 update-source loopback 0
PE1
CE1 address-family ipv4 vrf VPN-A
redistribute {rip|connected|static|eigrp|ospf}
If PE-CE protocol is non BGP then redistribution

of other sites VPN routes into MP-IBGP is required.
RST-2602
Agenda

Technology
Configuration
Inter-AS MPLS-VPN
• Best Practices
• Conclusion.
RST-2602
8181_05_2003_c2
MPLS VPN Services:
1. Loadsharing for the VPN traffic
RR
PE11
CE2
PE2
CE1
171.68.2.0/24
PE12
Site A Site B
MPLS Backbone
Route Advertisement
• VPN sites (such as Site A) could be multihomed

• VPN customer may demand the traffic to the multihomed sites be
loadshared
RST-2602
MPLS VPN Services:

1. Loadsharing for the VPN traffic: Cases
1 CE Æ2 PEs RR
PE11
CE2
CE1 PE2
171.68.2.0/24
PE12
Site A
Site B
MPLS Backbone
Traffic Flow
2 CEs Æ 2 PEs
RR
PE11
CE2
PE2
CE1
171.68.2.0/24
PE12
CE2
Site B
MPLS Backbone
Site A
Traffic Flow
RST-2602
8181_05_2003_c2
MPLS VPN Services:
1. Loadsharing for the VPN Traffic: Deployment
How to deploy the loadsharing ?

1. Configure different VRFs i.e RDs for multihomed site/interfaces.
2. Enable BGP multipath within the relevant BGP VRF address-
family at Remote/Receiving PE2.
1 2
ip vrf green router bgp 1
RR address-family ipv4 vrf green
rd 300:11
route-target both 1:1 PE11 maximum-paths eibgp 2
CE2
PE2
CE1
171.68.2.0/24
PE12
Site A MPLS Backbone Site B
1
ip vrf green ip vrf green
rd 300:12 1
rd 300:13
route-target both 1:1
RST-2602
MPLS VPN Services:

1. Loadsharing for the VPN Traffic
RR
Route Advertisement
PE11
CE2
PE2
CE1
171.68.2.0/24
PE12
Site A
Site B
MPLS Backbone
• RR must advertise all the paths learned via PE11 and PE12 to the
remote PE routers
With different RD per VRF, RR does the Best path calculation per
RD and advertise them to remote PE
• Watch out for the increased (~20%) memory consumption (within
BGP) due to multipaths at the PEs
• “eiBGP multipath” implicitly provides eBGP and iBGP multipath for
VPN paths
RST-2602
8181_05_2003_c2
MPLS-VPN Services:
2. Hub & Spoke Service to the VPN Customers
• Traditionally, VPN deployments are Hub&Spoke.

Spoke to spoke communication is via Hub site only.
• Despite MPLS VPN’s implicit any-to-any i.e full-

mesh connectivity, Hub&Spoke service can easily
be offered.
Done with import and export of Route-Target (RT).
RST-2602
MPLS-VPN Services:
2. Hub & Spoke Service - Configuration
ip vrf green-spoke1
description VRF for SPOKE A
rd 300:111 ip vrf HUB-OUT
route-target export 1:1 description VRF for traffic from HUB
route-target import 2:2 rd 300:11
Spoke A PE-SA
CE-SA
171.68.1.0/24
Eth0/0.1
PE-Hub Eth0/0.2
Spoke B PE-SB
CE-SB
171.68.2.0/24 MPLS VPN Backbone
ip vrf green-spoke2 ip vrf HUB-IN

description VRF for SPOKE B description VRF for traffic to HUB
rd 300:112 rd 300:12
route-target export 1:1 route-target export 2:2
RST-2602
8181_05_2003_c2
MPLS-VPN Services:
2. Hub & Spoke Service – Control Plane
MPLS Backbone
Spoke A
Adv 171.68.1.0/24
VRF HUB-OUT RT and LFIB
CE-SA PE-SA Label 40
171.68.1.0/24 Destination NextHop Label
Route-Target 1:1
171.68.1.0/24 PE-SA 40
171.68.2.0/24 PE-SB 50
VRF RT and LFIB at PE-SA
0.0.0.0 PE-Hub 35
171.68.1.0/24 CE-SA Adv 0.0.0.0 VRF HUB-OUT
Label 35
VRF RT and LFIB at PE-SB Route-Target 2:2 PE-Hub
0.0.0.0 PE-Hub 35 VRF HUB-IN
171.68.2.0/24 CE-SB VRF HUB-IN Routing Table
Adv 171.68.2.0/24 Destination NextHop
171.68.2.0/24 Label 50 0.0.0.0 CE-H1
CE-SB PE-SB Route-Target 1:1
Spoke B
• All traffic between spokes must pass through the Hub/Central Site.
Hub Site could offer FireWall, NAT like applications.
• Two VRF solution at the PE-Hub:
• VRF HUB_OUT would have knowledge of every spoke routes.
• VRF HUB_IN only have Default Route and advertise that to Spoke PEs.
• Import and export Route-Target within a VRF must be different.
RST-2602
MPLS-VPN Services:
2. Hub & Spoke Service – Forwarding Plane
MPLS Backbone
171.68.1.1
Spoke A PE-SA
CE-SA LA 40 171.68.1.1
171.68.1.0/24
VRF HUB-OUT
PE-Hub
Spoke B PE-SB VRF HUB-IN

LH 35 171.68.1.1
CE-SB
171.68.2.0/24
171.68.1.1
RST-2602
8181_05_2003_c2
MPLS-VPN Services
3. Extranet VPN
• MPLS VPN, by default, isolates one VPN customer

from another.
Separate Virtual Routing Table for each VPN customer
• Communication between VPNs may be required i.e.

Extranet.
External Inter-company communication (dealers with
manufacturer, Retailer with wholesale provider etc)
Management VPN, Shared-service VPN etc.
• Needs right import and export route-target (RT)

values configuration within the VRFs
export-map or import-map should be used
RST-2602
3. MPLS-VPN Services: Extranet VPN

Goal: Only VPN_A site#1 to be reachable to VPN_B
MPLS Backbone 192.6.0.0/16
VPN_A Site#2
VPN_A Site#1
171.68.0.0/16 so PE1 PE2
P
180.1.0.0/16
VPN_B Site#1
ip vrf VPN_A ip vrf VPN_B

rd 3000:111 rd 3000:222
export map VPN_A_Export export map VPN_B_Export
import map VPN_A_Import import map VPN_B_Import
route-target import 3000:111 route-target import 3000:222
route-target export 3000:111 route-target export 3000:222
route-target import 3000:1 route-target import 3000:2
! !
route-map VPN_A_Export permit 10 route-map VPN_B_Export permit 10
match ip address 1 match ip address 2
set extcommunity rt 3000:2 set extcommunity rt 3000:1
! !
route-map VPN_A_Import permit 10 route-map VPN_B_Import permit 10
match ip address 2 match ip address 1
! !
access-list 1 permit 171.68.0.0 0.0.0.0 access-list 1 permit 171.68.0.0 0.0.0.0
access-list 2 permit 180.1.0.0 0.0.0.0 access-list 2 permit 180.1.0.0 0.0.0.0
Only Site#1 of both VPNs will communicate to

RST-2602
each other, Site#2 won’t.
8181_05_2003_c2
MPLS-VPN Services
4. Internet Access Service to VPN Customers
• Could be provided as another value-added service.

• Security mechanism must be in place at both
provider network and customer network
To protect from the Internet vulnerabilities
• VPN customers benefit from the single point of

contact for both Intranet and Internet connectivity
RST-2602
MPLS-VPN Services
4. Internet Access: Different Methods of Service
• Four ways to provide the Internet service

1. VRF Specific default route with “global” keyword
2. Separate PE-CE sub-interface (nonVRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT
RST-2602
8181_05_2003_c2
MPLS-VPN Services
4. Internet Access: Different Methods of Service
1. VRF Specific default route

1.1 Static default route to move traffic from VRF to Internet
(global routing table)
1.2 Static routes for VPN customers to move traffic from Internet
(global routing table) to VRF
2. Separate PE-CE sub-interface (non VRF)
May run BGP to propagate Internet routes between PE and CE
VPN packets never leave VRF context ; issue with Overlapping
VPN address
4. Extranet with Internet-VRF along with VRF-aware NAT
VPN packets never leave VRF context; works well with
overlapping VPN address
RST-2602
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Config)
MPLS Backbone
Site1 Internet
CE1
171.68.0.0/16
so PE1192.168.1.2 ASBR
P
ip vrf VPN-A 192.168.1.1
rd 100:1
Internet GW
Interface Serial0 • A default route, pointing to the ASBR, is installed

ip address 192.168.10.1 255.255.255.0 into the site VRF at each PE
ip vrf forwarding VPN-A A single label is used for packets forwarded
according to the default route
Router bgp 100 The label is the IGP label corresponding to the
no bgp default ipv4-unicast IP address of the ASBR known via the IGP
redistribute static
neighbor 192.168.1.1 remote 100 • The static route, pointing to the VRF interface, is
neighbor 192.168.1.1 activate installed in the global routing table and redistributed
into BGP
neighbor 192.168.1.1 next-hop-self
neighbor 192.168.1.1 update-source loopback0
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global

ip RST-2602
route 171.68.0.0 255.255.0.0 Serial0
8181_05_2003_c2
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Forwarding)
MPLS Backbone
Internet
Site1
IP packet Label = 30
D=Cisco.com IP packet
171.68.0.0/16 IP packet D=Cisco.com
D=Cisco.com
so PE1
IP packet PE2 so
D=171.68.1.1 P IP packet
192.168.1.2 D=171.68.1.1
192.168.1.1
Global Routing/FIB Table Label = 35 Global Table and LFIB
Destination Label/Interface IP packet
D=171.68.1.1 Destination Label/Interface
192.168.1.1/32 Label=30 192.168.1.2/32 Label=35
171.68.0.0/16 Serial 0 171.68.0.0/16 192.168.1.2
Internet Serial 0
VRF Routing/FIB Table Pros Cons

Destination Label/interface
0.0.0.0/0 192.168.1.1 (global) Different Internet gateways Using default route for Internet
Site-1 Serial 0 can be used for different VRFs routing does NOT allow any other
PE routers need not to hold default route for intrA_VPN routing
the Internet table
Increasing size of global routing
Simple Configuration Table by leaking VPN routes.
Static configuration
RST-2602
MPLS-VPN Services
4.2 Internet Access
1. VRF Specific default route

1.1 Static default route to move traffic from VRF to Internet
(global routing table)
1.2 Static routes for VPN customers to move traffic from Internet
(global routing table) to VRF
2. Separate PE-CE sub-interface (non VRF)
May run BGP to propagate Internet routes between PE and CE
VPN packets never leave VRF context ; Overlapping VPN
addresses could be a problem
4. Extranet with Internet-VRF alongwith VRF-aware NAT
VPN packets never leave VRF context; works well with
overlapping VPN addresses
RST-2602
8181_05_2003_c2
4.2 Internet Access Service to VPN Customers
Using Separate Sub-Interface (Config)
Site1
171.68.0.0/16 CE1 MPLS Backbone

Internet
BGP-4 Internet
S0.2
PE1 ASBR
192.168.1.2 192.168.1.1
S0.1 P
ip vrf VPN-A Internet GW
rd 100:1
Interface Serial0.1
ip vrf forwarding VPN-A
One sub-interface for VPN routing
associated to a VRF
ip address 192.168.20.1 255.255.255.0
!
frame-relay interface-dlci 100 Another sub-interface for Internet routing
associated to the global routing table.
Interface Serial0.2
ip address 171.68.10.1 255.255.255.0
frame-relay interface-dlci 200
Could advertise full Internet Routes or a
default route to CE.
!
Router bgp 100 The PE will need to advertise VPN routes
no bgp default ipv4-unicast to the Internet (via global routing table)
[snip]…
RST-2602
neighbor 171.68.10.2 remote
9908_06_2004_X2 502
© 2004 Cisco Systems, Inc. All rights reserved. 43
Internet Access Service to VPN Customers

4.2 Using Separate Sub-Interface (Forwarding)
Site1
Internet
171.68.0.0/16 MPLS Backbone
IP packet
D=Cisco.com Label = 30
IP packet
D=Cisco.com IP packet
S0.2 D=cisco.com
PE1 PE2
192.168.1.2 192.168.1.1
S0.1 P
CE routing table PE-Internet GW

VPN routes Serial0.1
Internet routes Serial0.2
Pros Cons
PE Global Table and FIB
Internet routes 192.168.1.1 CE could dual home and PE to hold full Internet routes.
192.168.1.1 Label=30 perform optimal routing.
BGP complexities introduced
Traffic separation done in CE.
by CE.
RST-2602
8181_05_2003_c2
Internet Access Service
4.3 Extranet with Internet-VRF
• The internet routes could be placed within the VRF

at the Internet-GW i.e. ASBR
• VRFs for customers could ‘extranet’ with the
internet VRF and receive either default, partial or
full internet routes
• Be careful if duplicating the internet routes in
each VRF
• Works well when the VPN customers don’t have
overlapping addresses
RST-2602
Internet Access Service

4.4 Internet Access using VRF-aware NAT
• If the VPN customers need Internet access without

internet routes, then VRF-aware NAT can be used at
the Internet-GW i.e. ASBR
• The Internet GW doesn’t need to have internet
routes either
• Overlapping VPN addresses is not a problem
• More in the “VRF-aware NAT” slides,…..
RST-2602
8181_05_2003_c2
MPLS VPN Service
5. VRF-Selection
• The common notion is that the VRF must be

associated to an interface
• “VRF-selection” breaks this association and
associate multiple VRFs to an interface
• Each packet on the PE-CE interface could be

handled (based on certain criteria) via different VRF
routing tables
Criteria such as source/dest IP address, ToS, TCP port etc.
specified via route-map
• Voice and Data can be separated out into different

VRFs at the PE
RST-2602
MPLS VPN Service

5. VRF-Selection – Based on Source IP Address
VPN Brown
Global Interface RR VRF Interfaces
33.3.0.0/16
PE1 MPLS Backbone

PE2
33.3.14.1 Cable CE1 (Cable Company) VPN Blue
Setup Se0/0 44.3.0.0/16
66.3.1.25
44.3.12.1 Traffic Flows VPN Green

66.3.0.0/16
ip vrf brown
rd 3000:111 interface Serial0/0
route-map PBR-VRF-Selection permit 10
route-target export 3000:1 ip address 215.2.0.6 255.255.255.252
match ip address 40
route-target import 3000:1 ip policy route-map PBR-VRF-Selection set vrf brown
! ip receive brown
ip vrf blue ip receive blue route-map PBR-VRF-Selection permit 20
rd 3000:222 ip receive green match ip address 50
route-target export 3000:2 set vrf blue
! access-list 40 permit 33.3.0.0 0.0.255.255
route-map PBR-VRF-Selection permit 30
ip vrf green access-list 50 permit 44.3.0.0 0.0.255.255 match ip address 60
rd 3000:333 access-list 60 permit 66.3.0.0 0.0.255.255 set vrf green
route-target export 3000:3
RST-2602
8181_05_2003_c2
MPLS VPN Service
6. Remote Access Service
• Remote access users i.e. dial users, IPSec users

could directly be terminated in VRF
PPP users can be terminated into VRFs
IPSec tunnels can be terminated into VRFs
• Remote Access services integration with MPLS

VPN opens up new opportunities for Providers
RST-2602
MPLS VPN Service

6. Remote Access Service– IPSec to MPLS VPN
Branch SP Shared Network Corporate Intranet
Access
Office
SP AAA Customer
PE+IPSec AAA
SOHO Internet Aggregator
VPN A
Customer A
Internet PE
PE PE
PE head office
IP/MPLS/Layer 2
Local or Direct
Based Network
Dial ISP
VPN B
PE
PE
Cable/DSL/ Customer B
ISDN ISP
VPN C
Remote Users/ VPN A
Telecommuters
Cisco IOS VPN Routers or
Cisco Client 3.x or higher Customer A Customer C
branch office
IP IPSec Session MPLS VPN IP

RST-2602
8181_05_2003_c2
MPLS-VPN Services
7. VRF-Aware NAT Services
• VPN customers could be using ‘overlapping’ IP

address i.e. 10.0.0.0/8
• Such VPN customers must NAT their traffic before
using either “extranet” or “internet” or any shared*
services
• PE is capable of NATting the VPN packets
(eliminating the need for an extra NAT device)
RST-2602
* VoIP, Hosted Content, Management etc/
MPLS-VPN Services
7. VRF-Aware NAT Services
• Typically, inside interface(s) connect to private

address space and outside interface connect to
global address space
NAT occurs after routing for traffic from inside-to-outside
interfaces
NAT occurs before routing for traffic from outside-to-inside
interfaces
• Each NAT entry is associated with the VRF

• Works on VPN packets in the following switch
paths : IP->IP, IP->MPLS and MPLS->IP
RST-2602
8181_05_2003_c2
MPLS-VPN Services:
7. VRF-Aware NAT Services – Internet Access
PE11 MPLS Backbone

CE1
10.1.1.0/24
Internet
P PE-ASBR
Green VPN Site
.1 217.34.42.2
PE12
CE2
10.1.1.0/24 ip nat inside
Blue VPN Site ip nat outside
ip vrf green ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24

rd 3000:111
route-target both 3000:1 ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
ip vrf blue
rd 3000:222 ip nat inside source list vpn-to-nat pool pool-green vrf green
route-target both 3000:2 ip nat inside source list vpn-to-nat pool pool-blue vrf blue
router bgp 3000 ip access-list standard vpn-to-nat

address-family ipv4 vrf green permit 10.1.1.0 0.0.0.255
network 0.0.0.0
address-family ipv4 vrf blue ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
network 0.0.0.0 ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global
RST-2602
VRF specific Config VRF-aware NAT Specific Config
MPLS-VPN Services:
7. VRF-Aware NAT Services – Internet Access
Src=10.1.1.1
Dest=Internet MPLS Backbone
Label=30
CE1 Src=10.1.1.1
10.1.1.0/24 Dest=Internet Internet
Src=24.1.1.1
Green VPN Site PE11 PE-ASBR Dest=Internet
IP Packet P Src=25.1.1.1
PE12 Dest=Internet
CE2
10.1.1.0/24 Label=40 IP Packet
Src=10.1.1.1 Traffic Flows
Blue VPN Site Src=10.1.1.1 Dest=Internet
Dest=Internet
MPLS Packet
NAT Table
•PE-ASBR removes the label from the received VRF IP Source Global IP VRF-table-id
MPLS packets per LFIB 10.1.1.1 24.1.1.1 green
10.1.1.1 25.1.1.1 blue
•Performs NAT on the resulting IP packets
•Forwards the packet
• This is also one of the ways to provide Internet access to VPN
customers with or without overlapping addresses
RST-2602
8181_05_2003_c2
Agenda

Technology
Configuration
Inter-AS MPLS-VPN
• Best Practices
• Conclusion.
RST-2602
What Is Inter-AS?
Provider X Provider Y
RR2
RR1
ASBR1 ASBR2
MP-iBGP
MP-iBGP update::
update::
???
PE-1 AS #2
AS #1
Problem:
PE2
How do Provider X
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
149.27.2.0/24,NH=CE-1
149.27.2.0/24,NH=CE-1 and Provider Y
CE-1 exchange VPN CE2
routes ?
VPN-A
149.27.2.0/24 VPN-A
RST-2602
8181_05_2003_c2
Inter-AS Deployment Scenarios
Following options/Scenarios for deploying Inter-AS :
ASBR1 1. Back-to-back VRFs ASBR2
2. MP-eBGP for VPNv4
PE1 AS #1 AS #2
PE2
3. Multihop MP-eBGP between RRs
CE1 CE2
4. Non-VPN Transit Provider
VPN-A
VPN-A
•2 and 3 are more common and will be discussed.
1 and 4 are in backup slides.
RST-2602
Scenario 2: MP-eBGP between ASBRs to

Exchange VPNv4 Routes
• New CLI “no bgp default route-target filter” is

needed on the ASBRs.
• ASBRs exchange VPN routes using eBGP
(VPNv4 af)
• ASBRs store all VPN routes –
But only in BGP table and LFIB table
Not in routing nor in CEF table
• ASBRs don’t need -

VRFs to be configured on them
LDP between them
RST-2602
8181_05_2003_c2
Scenario 2: MP-eBGP bet ASBRs for VPNv4
Control Plane
ASBR-1 ASBR-2
MP-iBGP MP-iBGP
MP-iBGP update:
update:
MP-iBGP update:
update:
RD:1:27:10.1.1.0/24, RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
NH=PE-1 NH=ASBR-2
NH=ASBR-2
NH=PE-1
RT=1:1, RT=1:1,
RT=1:1, Label=(30)
Label=(30)
RT=1:1, Label=(40)
Label=(40) MP-eBGP
MP-eBGP update:
update:
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
NH=ASBR-1
NH=ASBR-1
RT=1:1,
RT=1:1, Label=(20)
Label=(20)
PE-1 PE-2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2 CE-2 CE-3 10.1.1.0/24,
10.1.1.0/24, NH=PE-2
NH=PE-2
10.1.1.0/24,
10.1.1.0/24, NH=CE-2
NH=CE-2
VPN-B VPN-B
10.1.1.0/24
RST-2602
Scenario 2: MP-eBGP bet ASBRs for VPNv4

Forwarding Plane
30 40 10.1.1.1
ASBR-1 30 10.1.1.1 P2
ASBR-2
P1
40 10.1.1.1
20 10.1.1.1 20 30 10.1.1.1
PE-1
MPLS Packets PE-2
between ASBRs
10.1.1.1 CE-2 CE-3 10.1.1.1
VPN-B VPN-B
10.1.1.0/24
Pros Cons
•More scalable. •Automatic Route Filtering must be disabled
Only one interface between ASBRs routers But we can apply BGP filtering.
No VRF configuration on ASBR.
Less memory consumption (no RIB/FIB
memory) •ASBRs are still required to hold VPN routes
•MPLS label switching between providers
Still simple, more scalable & works today
RST-2602
8181_05_2003_c2
Cisco IOS Configuration
Scenario 2: External MP-BGP between ASBRs for VPNv4
MP-eBGP for
ASBR1 VPNv4 ASBR2
1.1.1.0/30
Label exchange
between ASBRs using
AS #1 MP-eBGP AS #2
PE1
ASBR MB-EBGP Configuration PE2
Router bgp x
CE-1
CE-2
neighbor 1.1.1.x remote-as x
!
VPN-A address-family vpnv4
neighbor 1.1.1.x activate VPN-A
neighbor 1.1.1.x send-com extended
Note: ASBR must already have MP-

iBGP session with iBGP neighbors
such as RRs or PEs.
RST-2602
Scenario 3: Multihop MP-eBGP between

RRs to exchange VPNv4 routes
• Exchange VPNv4 prefixes via the Route Reflectors

Requires Multihop MP-eBGP (with next-hop-unchanged)
• Exchange IPv4 routes with labels between directly

connected ASBRs using eBGP
Only PE loopback addresses need to be exchanged (they
are BGP next-hop addresses of the VPN routes)
RST-2602
8181_05_2003_c2
RRs for VPN routes : Control Plane
VPN-v4
VPN-v4 update:
update:
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
NH=PE-1
NH=PE-1 RR-2
RR-1 RT=1:1,
RT=1:1, Label=(90)
Label=(90)
VPN-v4 VPN-v4
VPN-v4 update:
update:
VPN-v4 update:
update:
RD:1:27:10.1.1.0/24, RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
NH=PE-1 NH=PE-1
NH=PE-1
NH=PE-1
RT=1:1, Label=(90)
RT=1:1, Label=(90) ASBR-1 ASBR-2 RT=1:1,
RT=1:1, Label=(90)
Label=(90)
AS#1 AS#2
PE-1 IGP+LDP:
IGP+LDP:
Network=PE-1
Network=PE-1 IP-v4
IP-v4 update:
update: PE-2
IGP+LDP:
IGP+LDP:
NH=PE-1
NH=PE-1 Network=PE-1
Network=PE-1 Network=PE-1
Network=PE-1
Label=(40)
Label=(40) NH=ASBR-1
NH=ASBR-1 NH=ASBR-2
NH=ASBR-2
Label=(20)
Label=(20) BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
BGP, Label=(30)
Label=(30)
BGP, OSPF,
OSPF, RIPv2
RIPv2 CE-2 10.1.1.0/24,NH=PE-2
10.1.1.0/24,NH=PE-2
10.1.1.0/24,NH=CE-2
10.1.1.0/24,NH=CE-2
CE-3
VPN-B VPN-B
10.1.1.0/24
Note - Instead of IGP+Label, iBGP+Label

can be used to exchange PE routes/label.
Please see Scenario#5 on slide#49 and 50.
RST-2602

RRs for VPN routes : Forwarding Plane
RR-1
RR-2
P1 P2
40 90 10.1.1.1
ASBR-2 30 90 10.1.1.1
90 10.1.1.1 ASBR-1
50 90 10.1.1.1
PE-1
20 90 10.1.1.1
PE-2
10.1.1.1
CE-2 CE-3 10.1.1.1
VPN-B VPN-B
10.1.1.0/24
Note - Instead of IGP+Label, iBGP+Label

can be used to exchange PE routes/label.
RST-2602
8181_05_2003_c2
Scenario 3: Pros/Cons
Pros Cons
•More scalable than Scenario 1 and 2.
Separation of control and forwarding planes •Advertising PE addresses to another AS
may not be acceptable to few providers.
•Route Reflector exchange VPNv4 routes+labels
RR hold the VPNv4 information anyway
•ASBRs now exchange only IPv4 routes+labels

ASBR Forwards MPLS packets
RST-2602

Scenario 3: Multihop MP-eBGP between RRs for VPNv4
Multihop MP-eBGP
RR-1 for VPNv4 with RR-2
next-hop-unchange
ASBR-1 ASBR-2
PE1
PE2
AS #1 AS #2
CE-1
eBGP IPv4 + Labels
CE-2
RR Configuration ASBR Configuration

VPN-A
router ospf x
VPN-A
router bgp x redistribute bgp 1 subnets
neighbor <RR-x> remote-as x !
neighbor <RR-x> ebgp-multihop router bgp x
neighbor <RR-x> update loopback 0 neighbor < ASBR-x > remote-as x
! !
address-family vpnv4 address-family ipv4
neighbor <RR-x> activate Network <PEx> mask 255.255.255.255
neighbor <RR-x> send-com extended Network <RRx> mask 255.255.255.255
neighbor <RR-x> next-hop-unchanged neighbor < ASBR-x > activate
neighbor < ASBR-x > send-label
iBGPipv4+label could also be used in within each AS (instead of

RST-2602
“network <x.x.x.x>”) to propagate the label information for PEs.
8181_05_2003_c2
Inter-AS Deployment Guidelines
1. Use ASN in the Route-target i.e. ASN:xxxx

2. Max-prefix limit (both BGP and VRF) on PEs
3. Security (BGP MD5, BGP filtering, BGP max-prefix
etc) on ASBRs
4. End-to-end QoS agreement on ASBRs
5. Route-Target rewrite on ASBR
6. Internet connectivity on the same ASBR ??
RST-2602
Agenda

Technology
Configuration
Inter-AS MPLS-VPN
• Best Practices
• Conclusion.
RST-2602
8181_05_2003_c2
Carrier Supporting Carriers: CsC
• Benefits of CsC
• What do I need to do to enable CsC ?
• Deployment models
• Security in CsC
• Deployment Guideline
• Deployment Scenarios
RST-2602
MPLS/VPN Networks without CsC
Large Number of VPN Routes at the PE May

Pose Limitation to the PE
• Unwanted routing updates in the Carrier’s network

=> CPU+memory
• Label/prefix consumptions at PE => memory
• Scalability issue at PE
RST-2602
8181_05_2003_c2
MPLS/VPN Networks without CsC
• The no of VPN routes is one of the biggest limiting

factor in scaling the PE router
Few SPs are running into this scalaing limitation
• If no of VPN routes can be reduced somehow

(without loosing the functionality), then the existing
investment can be protected
The same PE can still be used to connect more VPN
customers
• Carrier Supporting Carrier (CsC) provides the

mechanism to reduce the no of routes from each
VRF by enabling MPLS on the PE-CE link
RST-2602
Benefits of CsC
• Provide transport for ISPs ($)

No need to manage external routes from ISPs
• Build MPLS Internet Exchange (MPLS-IX) ($$)

Media Independence; POS/FDDI/PPP possible
Higher speed such OC192 or more
Operational benefits
• Sell VPN service to subsidiary companies that

provide VPN service ($)
RST-2602
8181_05_2003_c2
What Do I Need to Enable CsC ?
1. Build an MPLS-VPN enabled carrier’s network

2. Connect ISP/SPs sites (or PoPs) to the Carrier’s PEs
3. Exchange internal routes + labels between Carrier’s PE &
ISP/SP’s CE
4. Exchange external routes directly between ISP/SP’s sites
RST-2602
CsC Deployment Models
MP-iBGP
MP-iBGP for
for VPNv4
VPNv4
P1
PE1 IGP+LDP
IGP+LDP IGP+LDP
PE2
IGP+LDP
Carrier’s MPLS Core

IPv4
IPv4 routes
routes with
with
label
label distribution
distribution
IPv4
IPv4 routes
routes with
with
MPLS enabled VRF int label
label distribution
distribution
CE-1
CE-2
Full-mesh
Full-mesh iBGP
iBGP
ISP PoP for
for external
external routes
routes ISP PoP
Site-1 Site-2
internal
internal routes
routes
== IGP
C1
IGP routes
routes ASBR-2
ASBR-1
Internal
Internal routes
routes ==
IGP
IGP routes
routes
R2
INTERNET
R1
ISP customers =
external routes
RST-2602
8181_05_2003_c2
CsC Deployment Models
1. Customer-ISP not running MPLS

2. Customer-ISP running MPLS
3. Customer-ISP running MPLS-VPN
•Model 1 and 2 are less common deployments.

•Model 3 will be discussed in detail.
RST-2602
CsC: ISP Sites Are Running MPLS-VPN

Hierarchical MPLS-VPN Control Plane
MP-iBGP
MP-iBGP update:
update:
1:1:30.1.61.25/32,
1:1:30.1.61.25/32, RT=1:1
RT=1:1
NH
NH =PE-1,
=PE-1, Label=51
Label=51
P1
IGP+LDP,
PE1 Net=PE-1, IGP+LDP,
Net=PE-1, PE2
Label = pop
Label = 16
Carrier’s Core
30.1.61.25/32,
30.1.61.25/32,
NH=CE-1,
NH=CE-1, Label
Label == 50
50
30.1.61.25/32,
30.1.61.25/32,
NH=PE-2,
NH=PE-2, Label
Label == 52
52
CE-1
CE-2
MP-iBGP
MP-iBGP update:
update:
ISP PoP 1:1:10.1.1.0/24,
1:1:10.1.1.0/24, RT=1:1
RT=1:1
NH IGP+LDP,
IGP+LDP,
NH =30.1.61.25/32,
=30.1.61.25/32, Label
Label == 90
90 ISP PoP
Site-1 30.1.61.25/32
30.1.61.25/32
Site-2 NH=CE-2,
NH=CE-2, Label=60
Label=60
IGP+LDP
IGP+LDP
30.1.61.25/32,Label
30.1.61.25/32,Label == pop
pop C1
ASBR_PE-1 ASBR_PE-2
30.1.61.25/32
10.1.1.0/24,
10.1.1.0/24, NH
NH
=ASBR_PE-2 IGP+LDP,
IGP+LDP,
=ASBR_PE-2 30.1.61.25/32
10.1.1.0/24,
10.1.1.0/24, NH=R1
NH=R1 30.1.61.25/32
NH=C1,
NH=C1, Label=70
Label=70
R2
Network = R1
10.1.1.0/24
VPN Site-1 VPN Site-2
RST-2602
8181_05_2003_c2
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Forwarding Plane
P1
51 90 10.1.1.1
16 51 90 10.1.1.1
PE1
PE2
Carrier’s Core
50 90 10.1.1.1
52 90 10.1.1.1
CE-1
CE-2
ISP PoP ISP PoP

Site-1 90 10.1.1.1
Site-2
60 90 10.1.1.1
C1
ASBR-1 ASBR-2
70 90 10.1.1.1
10.1.1.1 10.1.1.1
R1 R2
Network =
10.1.1.0/24
VPN Site-1 VPN Site-2
RST-2602
Security Mechanism in CsC
• BGP/LDP MD5 on PE-CE
To prevent label “spoofing”, PE

• Maintains Label <=> VRF table association
• Checks during LFIB lookup that received packet’s label is
what was allocated
If the check fails, then the packet is dropped.
RST-2602
8181_05_2003_c2
CsC Deployment Guideline
• Two choices for deploying CsC

1. IGP+LDP on the PE-CE, or
2. eBGP ipv4 +label on the PE-CE (RFC3107)
• Choice selection is driven by the choice of routing

protocol on the PE-CE
• CE has to run MPLS-aware code
RST-2602
CsC: IOS Commands/Configs

Choice 1: What All You Need to Configure?
Choice1: Enable LDP on PE-CE; • Sh mpls interface [vrf <name>] all

¾ Sh mpls ldp disc [vrf <name>] all
PE1
int ser0/0 ¾ Sh mpls ldp bind vrf <name>
ip vrf forwarding green ¾ Sh mpls ip bind vrf <name>
¾ Sh mpls ldp neighbor [vrf <name>] all
mpls ip
¾ Sh mpls forward [vrf <name>]
mpls ldp protcol ldp
PE-1
CE1
int ser0/0 ¾ Sh mpls interface VRF Int
IGP+LDP
mpls ip ¾ Sh mpls ldp discovery
¾ Sh mpls ldp bind CE-1
¾ Sh mpls ldp neighbor
¾ Sh mpls forward
RST-2602
8181_05_2003_c2
CsC: IOS Commands/Configs
Choice 2: What All You Need to Configure?
Choice2: Enable eBGP+label on PE-CE;
router bgp 1 PE1

address-family ip vrf green PE-1
neighbor 200.1.61.6 remote-as 2

neighbor 200.1.61.6 send-label VRF Int
eBGP+label
CE-1
router bgp 2 CE1 1. No IGP needed on PE-CE

2. No LDP needed on PE-CE
neighbor 200.1.61.5 remote-as 1
neighbor 200.1.61.5 send-label
RST-2602
IOS Commands/Configs
Choice 2: eBGP+label on the PE-CE
• On PE
Sh ip bgp vpn vrf <vrf> neighbor
Sh ip bgp vpn vrf <vrf> label
Sh mpls forward vrf <vrf>
• On CE
Sh ip bgp neighbor
Sh ip bgp labels
Sh mpls forward
RST-2602
8181_05_2003_c2
Agenda

Technology
Configuration
Inter-AS MPLS-VPN
• Best Practices
• Conclusion.
RST-2602
Best Practices
1. Use RR to scale BGP.

2. Deploy RRs in pair for the redundancy
3. Keep RRs out of the forwarding paths and disable CEF (saves memory).
4. Consider Unique RD per VRF per PE, if Load sharing of VPN traffic is reqd.
5. RT and RD should have ASN in them i.e. ASN : X
Reserve first few 100s of X for the internal purposes such as filtering
6. Don't use customer names as the VRF names; Nightmare for the NOC. Use
simple combination of numbers and characters in the VRF name
For example - v101, v102, v201, v202 etc. Use description.
7. Define an upper limit at the PE on the # of prefixes received from the CE for
each VRF or neighbor
max-prefix within the VRF configuration
max-prefix per neighbor within the BGP VRF af (if BGP on the PE-CE)
RST-2602
8181_05_2003_c2
Conclusion
• MPLS VPN is a cheaper alternative to traditional l2vpn

• MPLS-VPN paves the way for new revenue streams
VPN customers could outsource their layer3 to the provider
• Straightforward to configure any-to-any VPN topology
partial-mesh, hub&spoke topologies can also be easily deployed
• CsC and Inter-AS could be used to expand into new markets
• VRF-aware services could be deployed to maximize the
investment
RST-2602
Complete Your Online Session Evaluation!
WHAT: Complete an online session evaluation

and your name will be entered into a
daily drawing
WHY: Win fabulous prizes! Give us your feedback!
WHERE: Go to the Internet stations located
throughout the Convention Center
HOW: Winners will be posted on the onsite
Networkers Website; four winners per day
RST-2602
8181_05_2003_c2
Q&A
Thanks for your time.
Eval -
RST-2602
RST-2602
8181_05_2003_c2
BACK UP SLIDES
RST-2602
Scenario 1: Back-to-back VRF

Control Plane
ASBR-1 ASBR-2
VPN-B VRF
Import routes with
route-target 1:1 VPN-v4
VPN-v4 update:
update:
VPN-v4
VPN-v4 update:
update:
RD:1:27:10.1.1.0/24 RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24
NH=PE-1 NH=ASBR-2
NH=ASBR-2
NH=PE-1
RT=1:1, RT=1:1, Label=(92)
RT=1:1, Label=(92)
RT=1:1, Label=(29)
Label=(29)
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
10.1.1.0/24
10.1.1.0/24 VPN-B VRF
NH=ASBR-2
NH=ASBR-2 Import routes with
PE-1 route-target 1:1 PE-2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
CE-2 CE-3 10.1.1.0/24,NH=PE-2
10.1.1.0/24,NH=PE-2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
10.1.1.0/24,NH=CE-2
10.1.1.0/24,NH=CE-2
VPN-B VPN-B
10.1.1.0/24
VRF to VRF Connectivity between ASBRs

RST-2602
8181_05_2003_c2
Scenario 1: Back-to-back VRF
Forwarding Plane
92 10.1.1.1 P2
ASBR-1 ASBR-2
30 29 10.1.1.1
P1
10.1.1.1 20 92 10.1.1.1
PE-1 PE-2
IP Packets between
ASBRs
10.1.1.1 CE-2 CE-3 10.1.1.1
VPN-B
10.1.1.0/24 VPN-B
Pros Cons
•Not scalable. #of interface on both ASBRs is

•Per-customer QoS is possible directly proportional to #VRF.
•It is simple and elegant since no need to load •No end-to-end MPLS.
the Inter-AS code (but still not widely •Unnecessary memory consumed in RIB/(L)FIB
deployed). •Dual-homing of ASBR makes provisioning
worse
RST-2602

Scenario 1: Back-to-Back VRF between ASBRs
ASBR1 ASBR2
1.1.1.0/30
VRF routes exchange via

any routing protocol
AS #1 AS #2
PE1
ASBR VRF and BGP config PE2
CE-1
ip vrf green
rd 1:1 CE-2
!
VPN-A Router bgp x
Address-family ipv4 vrf green VPN-A
neighbor 1.1.1.x activate
Note: ASBR must already have MP-

iBGP session with iBGP neighbors
such as RRs or PEs.
RST-2602
8181_05_2003_c2
IOS Configuration
Scenario 2.5: Multi-Hop MP-eBGP for VPNv4
Multi-Hop MP-eBGP
ASBR1 for VPNv4 ASBR2
so so
AS #1 IGP & LDP AS #2

PE1
PE2
Multi-Hop MP-BGP session between ASBRs
CE-1 interface serial 0
CE-2
ip address 1.1.1.x/30
VPN-A
router bgp x VPN-A
neighbor < ASBR-x > remote-as x
neighbor < ASBR-x > update loopback0
neighbor < ASBR-x > ebgp-multihop
!
neighbor < ASBR-x > activate
RST-2602 neighbor < ASBR-x > send-comm extended
Scenario 4: Non-VPN Transit Provider
• Two MPLS VPN providers may exchange routes via

one or more transit providers
Which may be non-VPN transit backbones just running
MPLS
• Multihop MP-eBGP deployed between edge

providers
With the exchange of BGP next-hops via the transit
provider
RST-2602
8181_05_2003_c2
Option 4: Non-VPN Transit Provider
eBGP IPv4 + Labels

ASBR-1 ASBR-2
iBGP IPv4 + Labels
Non-VPN MPLS
MPLS VPN Provider Transit Backbone
#1
RR-1
PE1
ASBR-3
ASBR-4 eBGP IPv4 + Labels
CE-2 next-hop-unchanged
Multihop MP-eBGP
OR iBGP IPv4 + Labels
MP-iBGP for VPNv4
MPLS VPN Provider
VPN-B RR-2
#2
PE2
CE-3
VPN-B
RST-2602
Route-Target rewrite at ASBR
• ASBR can add/delete route-target associated with a

VPNv4 prefix
• Secures the VPN environment
ASBR(conf)#router bgp 1000

ASBR(conf-router)#neighbor 1.1.1.1 route-map route-target-deletion
out
ASBR(conf-router)#exit
ASBR(conf)#route-map route-target-delete
ASBR(conf-route-map)#match extcommunity 101
ASBR(conf-route-map)#set extcomm-list 101 delete
ASBR(conf-route-map)#set extcommunity rt 123:123 additive
ASBR(conf)# ip extcommunity-list 101 permit rt 100:100
RST-2602
8181_05_2003_c2

MPLS VPN

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MPLS VPN

Uploaded by

Copyright:

Available Formats

DEPLOYING MPLS-VPN

Rajiv Asati (rajiva@cisco.com)

• MPLS VPN Definition?

• Must understand basic IP routing, especially BGP

• LSR : Label Switch Router

• MPLS VPN Definition?

MPLS-VPN Operation’s Theory

• VPN definition: VRF instance

Edge Routers P routers are in the core of the MPLS

Connects to both CE and P routers. Forward packets by looking at labels

MPLS VPN: Separate Routing Tables in PE

VRF routing table The Global routing table

VRF: Virtual Routing and Forwarding

• PE installs the routes, learned from CE routers, in

8 Bytes 4 Bytes 8 Bytes 3 Bytes

MP-iBGP update with RD, RT, and Label

• RD: Route Distinguisher

MPLS VPN Control Plane

MP-IBGP update with RD, RT, and Label

• To convert an IPv4 address into a VPNv4 address, RD

• Each VRF must be configured with an RD at the PE !

1:1 10.1.1.0 2:2

MP-IBGP update with RD, RT, and Label

• Route-target (RT): Identifies the VRF for the received VPNv4

MPLS VPN Control Plane

1:1 10.1.1.0 2:2 50

MP-IBGP update with RD, RT, and Label

MPLS VPN Control Plane:

4) PE2 receives and checks whether the RT=green is locally

Global routing/forwarding table Global routing/forwarding table

The Global Forwarding table VRF Forwarding table

MPLS VPN Forwarding Plane:

• MPLS VPN Definition?

MPLS VPN Sample Configuration

RR: MP-IBGP router bgp 1

MPLS VPN Sample Configuration

MPLS VPN Sample Configuration

PE-CE MB-iBGP routes to VPN

If PE-CE protocol is non BGP then redistribution

If PE-CE protocol is non BGP then redistribution

• MPLS VPN Definition?

• VPN sites (such as Site A) could be multihomed

MPLS VPN Services:

How to deploy the loadsharing ?

MPLS VPN Services:

• Traditionally, VPN deployments are Hub&Spoke.

• Despite MPLS VPN’s implicit any-to-any i.e full-

ip vrf green-spoke2 ip vrf HUB-IN

Spoke B PE-SB VRF HUB-IN

• MPLS VPN, by default, isolates one VPN customer

• Communication between VPNs may be required i.e.

• Needs right import and export route-target (RT)

3. MPLS-VPN Services: Extranet VPN

ip vrf VPN_A ip vrf VPN_B

Only Site#1 of both VPNs will communicate to

• Could be provided as another value-added service.

• VPN customers benefit from the single point of

• Four ways to provide the Internet service

1. VRF Specific default route

Interface Serial0 • A default route, pointing to the ASBR, is installed

ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global

VRF Routing/FIB Table Pros Cons

1. VRF Specific default route