Professional Documents
Culture Documents
SESSION RST-2602
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 1
Agenda
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 2
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Prerequisites
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 3
Terminology:
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Agenda
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 5
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 6
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Connection Model
P P
PE PE
VPN Backbone IGP
P P
MP-iBGP session
PE routers P Routers
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 7
Routing (RIB) and Forwarding table Populated by the MPLS backbone IGP
(CEF) associated with one or more
directly connected sites (CEs)
In PE routers may contain the BGP
Internet routes (standard ipv4 routes)
The routes the PE receives from CE
Routers are installed in the appropriate
VRF routing table(s)
blue VRF routing table or green
VRF routing table
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 8
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
VRF: Virtual Routing and Forwarding
Instance
CE
vpn site 2
VRF green
PE
EBGP,OSPF, RIPv2,Static
CE MPLS Backbone IGP (OSPF, ISIS)
vpn site 1
VRF blue
• What’s a VRF ?
• Associates to one or more interfaces on PE
Privatize an interface i.e. coloring of the interface
• Has its own routing table and forwarding table (CEF)
• VRF has its own instance for the routing protocol
(static ,RIP,BGP,EIGRP,OSPF)
• CE router runs standard routing software
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 9
CE
vpn site 2
PE
EBGP,OSPF, RIPv2,Static
CE MPLS Backbone IGP (OSPF, ISIS)
vpn site 1
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 10
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Additions in BGP: MPLS-VPN Info BGP
1:1 10.1.1.0
RD IPv4 Route-Target Label
VPNv4
1:1 10.1.1.0
RD IPv4 Route-Target Label
VPNv4
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Control Plane
MP-BGP Update Components: Route-Target
8 Bytes 4 Bytes 8 Bytes 3 Bytes
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 13
• The Label (for the VPNv4 prefix) is assigned only by the PE whose address is the
Next-Hop attribute
PE routers re-write the Next-Hop with their own address (loopback)
“Next-Hop-Self” towards MP-iBGP neighbors by default
• PE addresses used as BGP Next-Hop must be uniquely known in the backbone
IGP
DO NOT summarize the PE loopback addresses in the core
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 14
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Control Plane:
Putting It All Together
MP-iBGP update:
RD:10.10.1.0
Site 1 3 Next-hop=PE-1 Site 2
RT=Green, Label=100
CE1 CE2
10.1.1.0/24
P P
PE1 PE2
10.10.1.0/24
Next-Hop=CE-1
P
P
1
MPLS Backbone
1) PE1 receives an IPv4 update (eBGP,OSPF,EIGRP)
2) PE1 translates it into VPNv4 address
• Assigns an RT per VRF configuration
• Re-writes Next-Hop attribute to itself
• Assigns a label based on VRF and/or interface
3) PE1 sends MP-iBGP UPDATE to other PE routers
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 15
MPLS Backbone
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Forwarding Plane:
e
Site 1 Site 2
CE1 CE2
10.1.1.0/24
P1 P2
PE1 PE2
VRF Green forwarding Table
Dest->NextHop
P 10.1.1.0/24-ÆPE1, label: 100
P
•PE routers store IGP routes •PE routers store VPN routes
•Associated labels •Associated labels
•Label distributed through LDP/TDP •Labels distributed through MP-BGP
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 17
100 10.1.1.1 P
P
50 100 10.1.1.1
25 100 10.1.1.1
PE2 imposes TWO labels for each packet going to the VPN destination 10.1.1.1
• The top label is LDP learned and Derived from an IGP route
Represents LSP to PE address (exit point of a VPN route)
• The second label is learned via MP-BGP
Corresponds to the VPN address
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 18
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Agenda
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 19
PE-P Configuration
Interface Serial1
ip address 130.130.1.1 255.255.255.252
P mpls ip
Se0 PE1
s1 PE1
router ospf 1
network 130.130.1.0 0.0.0.3 area 0
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 20
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Sample Configuration
PE: MP-IBGP
router bgp 1
RR neighbor 1.2.3.4 remote-as 1
neighbor 1.2.3.4 update-source loopback 0
PE1 PE2 PE1
address-family vpnv4
neighbor 1.2.3.4 activate
neighbor 1.2.3.4 send-community both
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 21
PE-CE OSPF
Site 1 router ospf 1
!
CE1
10.1.1.0/24 router ospf 2 vrf VPN-A
192.168.10.2 PE1 network 192.168.10.0 0.0.0.255 area 0
PE1 !
192.168.10.1
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 22
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Sample Configuration
PE-CE RIP
router rip
Site 1
CE1 address-family ipv4 vrf VPN-A
10.1.1.0/24
version 2
192.168.10.2 no auto-summary
PE1
network 192.168.10.0
192.168.10.1
exit-address-family
PE-CE EIGRP
Site 1 router eigrp 1
CE1
10.1.1.0/24 address-family ipv4 vrf VPN-A
192.168.10.2
network 192.168.10.0 0.0.0.255
PE1 autonomous-system 1
192.168.10.1 exit-address-family
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 23
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Sample Configuration
PE-RR (VPN routes to VPNv4)
router bgp 1
Site 1
RR neighbor 1.2.3.4 remote-as 1
neighbor 1.2.3.4 update-source loopback 0
PE1
CE1 address-family ipv4 vrf VPN-A
redistribute {rip|connected|static|eigrp|ospf}
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 25
Agenda
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 26
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Services:
1. Loadsharing for the VPN traffic
RR
PE11
CE2
PE2
CE1
171.68.2.0/24
PE12
Site A Site B
MPLS Backbone
Route Advertisement
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 27
CE2
CE1 PE2
171.68.2.0/24
PE12
Site A
Site B
MPLS Backbone
Traffic Flow
2 CEs Æ 2 PEs
RR
PE11
CE2
PE2
CE1
171.68.2.0/24
PE12
CE2
Site B
MPLS Backbone
Site A
Traffic Flow
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 28
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Services:
1. Loadsharing for the VPN Traffic: Deployment
1 2
ip vrf green router bgp 1
RR address-family ipv4 vrf green
rd 300:11
route-target both 1:1 PE11 maximum-paths eibgp 2
CE2
PE2
CE1
171.68.2.0/24
PE12
Site A MPLS Backbone Site B
1
ip vrf green ip vrf green
rd 300:12 1
rd 300:13
route-target both 1:1
RST-2602
route-target both 1:1
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 29
CE2
PE2
CE1
171.68.2.0/24
PE12
Site A
Site B
MPLS Backbone
• RR must advertise all the paths learned via PE11 and PE12 to the
remote PE routers
With different RD per VRF, RR does the Best path calculation per
RD and advertise them to remote PE
• Watch out for the increased (~20%) memory consumption (within
BGP) due to multipaths at the PEs
• “eiBGP multipath” implicitly provides eBGP and iBGP multipath for
VPN paths
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 30
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS-VPN Services:
2. Hub & Spoke Service to the VPN Customers
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 31
MPLS-VPN Services:
2. Hub & Spoke Service - Configuration
ip vrf green-spoke1
description VRF for SPOKE A
rd 300:111 ip vrf HUB-OUT
route-target export 1:1 description VRF for traffic from HUB
route-target import 2:2 rd 300:11
route-target import 1:1
Spoke A PE-SA
CE-SA
171.68.1.0/24
Eth0/0.1
PE-Hub Eth0/0.2
Spoke B PE-SB
CE-SB
171.68.2.0/24 MPLS VPN Backbone
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 32
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS-VPN Services:
2. Hub & Spoke Service – Control Plane
MPLS Backbone
Spoke A
Adv 171.68.1.0/24
VRF HUB-OUT RT and LFIB
CE-SA PE-SA Label 40
171.68.1.0/24 Destination NextHop Label
Route-Target 1:1
171.68.1.0/24 PE-SA 40
171.68.2.0/24 PE-SB 50
VRF RT and LFIB at PE-SA
0.0.0.0 PE-Hub 35
171.68.1.0/24 CE-SA Adv 0.0.0.0 VRF HUB-OUT
Label 35
VRF RT and LFIB at PE-SB Route-Target 2:2 PE-Hub
0.0.0.0 PE-Hub 35 VRF HUB-IN
171.68.2.0/24 CE-SB VRF HUB-IN Routing Table
Adv 171.68.2.0/24 Destination NextHop
171.68.2.0/24 Label 50 0.0.0.0 CE-H1
CE-SB PE-SB Route-Target 1:1
Spoke B
• All traffic between spokes must pass through the Hub/Central Site.
Hub Site could offer FireWall, NAT like applications.
• Two VRF solution at the PE-Hub:
• VRF HUB_OUT would have knowledge of every spoke routes.
• VRF HUB_IN only have Default Route and advertise that to Spoke PEs.
• Import and export Route-Target within a VRF must be different.
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 33
MPLS-VPN Services:
2. Hub & Spoke Service – Forwarding Plane
MPLS Backbone
171.68.1.1
Spoke A PE-SA
CE-SA LA 40 171.68.1.1
171.68.1.0/24
VRF HUB-OUT
PE-Hub
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 34
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS-VPN Services
3. Extranet VPN
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS-VPN Services
4. Internet Access Service to VPN Customers
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 37
MPLS-VPN Services
4. Internet Access: Different Methods of Service
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 38
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS-VPN Services
4. Internet Access: Different Methods of Service
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Config)
MPLS Backbone
Site1 Internet
CE1
171.68.0.0/16
so PE1192.168.1.2 ASBR
P
ip vrf VPN-A 192.168.1.1
rd 100:1
Internet GW
route-target both 100:1
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS-VPN Services:
4.1 Internet access: VRF Specific Default Route (Forwarding)
MPLS Backbone
Internet
Site1
IP packet Label = 30
D=Cisco.com IP packet
171.68.0.0/16 IP packet D=Cisco.com
D=Cisco.com
so PE1
IP packet PE2 so
D=171.68.1.1 P IP packet
192.168.1.2 D=171.68.1.1
192.168.1.1
Global Routing/FIB Table Label = 35 Global Table and LFIB
Destination Label/Interface IP packet
D=171.68.1.1 Destination Label/Interface
192.168.1.1/32 Label=30 192.168.1.2/32 Label=35
171.68.0.0/16 Serial 0 171.68.0.0/16 192.168.1.2
Internet Serial 0
Static configuration
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 41
MPLS-VPN Services
4.2 Internet Access
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
4.2 Internet Access Service to VPN Customers
Using Separate Sub-Interface (Config)
Site1
S0.2
PE1 ASBR
192.168.1.2 192.168.1.1
S0.1 P
ip vrf VPN-A Internet GW
rd 100:1
route-target both 100:1
Interface Serial0.1
ip vrf forwarding VPN-A
One sub-interface for VPN routing
associated to a VRF
ip address 192.168.20.1 255.255.255.0
!
frame-relay interface-dlci 100 Another sub-interface for Internet routing
associated to the global routing table.
Interface Serial0.2
ip address 171.68.10.1 255.255.255.0
frame-relay interface-dlci 200
Could advertise full Internet Routes or a
default route to CE.
!
Router bgp 100 The PE will need to advertise VPN routes
no bgp default ipv4-unicast to the Internet (via global routing table)
[snip]…
RST-2602
neighbor 171.68.10.2 remote
9908_06_2004_X2 502
© 2004 Cisco Systems, Inc. All rights reserved. 43
Pros Cons
PE Global Table and FIB
Internet routes 192.168.1.1 CE could dual home and PE to hold full Internet routes.
192.168.1.1 Label=30 perform optimal routing.
BGP complexities introduced
Traffic separation done in CE.
by CE.
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 44
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Internet Access Service
4.3 Extranet with Internet-VRF
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 45
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 46
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Service
5. VRF-Selection
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 47
66.3.1.25
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS VPN Service
6. Remote Access Service
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 49
Cable/DSL/ Customer B
ISDN ISP
VPN C
Remote Users/ VPN A
Telecommuters
Cisco IOS VPN Routers or
Cisco Client 3.x or higher Customer A Customer C
branch office
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS-VPN Services
7. VRF-Aware NAT Services
RST-2602
* VoIP, Hosted Content, Management etc/
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 51
MPLS-VPN Services
7. VRF-Aware NAT Services
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 52
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS-VPN Services:
7. VRF-Aware NAT Services – Internet Access
RST-2602
VRF specific Config VRF-aware NAT Specific Config
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 53
MPLS-VPN Services:
7. VRF-Aware NAT Services – Internet Access
Src=10.1.1.1
Dest=Internet MPLS Backbone
Label=30
CE1 Src=10.1.1.1
10.1.1.0/24 Dest=Internet Internet
Src=24.1.1.1
Green VPN Site PE11 PE-ASBR Dest=Internet
IP Packet P Src=25.1.1.1
PE12 Dest=Internet
CE2
10.1.1.0/24 Label=40 IP Packet
Src=10.1.1.1 Traffic Flows
Blue VPN Site Src=10.1.1.1 Dest=Internet
Dest=Internet
MPLS Packet
NAT Table
•PE-ASBR removes the label from the received VRF IP Source Global IP VRF-table-id
MPLS packets per LFIB 10.1.1.1 24.1.1.1 green
10.1.1.1 25.1.1.1 blue
•Performs NAT on the resulting IP packets
•Forwards the packet
• This is also one of the ways to provide Internet access to VPN
customers with or without overlapping addresses
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 54
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Agenda
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 55
What Is Inter-AS?
Provider X Provider Y
RR2
RR1
ASBR1 ASBR2
MP-iBGP
MP-iBGP update::
update::
???
PE-1 AS #2
AS #1
Problem:
PE2
How do Provider X
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
149.27.2.0/24,NH=CE-1
149.27.2.0/24,NH=CE-1 and Provider Y
CE-1 exchange VPN CE2
routes ?
VPN-A
149.27.2.0/24 VPN-A
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 56
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Inter-AS Deployment Scenarios
PE1 AS #1 AS #2
PE2
3. Multihop MP-eBGP between RRs
CE1 CE2
4. Non-VPN Transit Provider
VPN-A
VPN-A
•2 and 3 are more common and will be discussed.
1 and 4 are in backup slides.
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 57
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 58
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Scenario 2: MP-eBGP bet ASBRs for VPNv4
Control Plane
ASBR-1 ASBR-2
MP-iBGP MP-iBGP
MP-iBGP update:
update:
MP-iBGP update:
update:
RD:1:27:10.1.1.0/24, RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
NH=PE-1 NH=ASBR-2
NH=ASBR-2
NH=PE-1
RT=1:1, RT=1:1,
RT=1:1, Label=(30)
Label=(30)
RT=1:1, Label=(40)
Label=(40) MP-eBGP
MP-eBGP update:
update:
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
NH=ASBR-1
NH=ASBR-1
RT=1:1,
RT=1:1, Label=(20)
Label=(20)
PE-1 PE-2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2 CE-2 CE-3 10.1.1.0/24,
10.1.1.0/24, NH=PE-2
NH=PE-2
10.1.1.0/24,
10.1.1.0/24, NH=CE-2
NH=CE-2
VPN-B VPN-B
10.1.1.0/24
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 59
40 10.1.1.1
20 10.1.1.1 20 30 10.1.1.1
PE-1
MPLS Packets PE-2
between ASBRs
10.1.1.1 CE-2 CE-3 10.1.1.1
VPN-B VPN-B
10.1.1.0/24
Pros Cons
•More scalable. •Automatic Route Filtering must be disabled
Only one interface between ASBRs routers But we can apply BGP filtering.
No VRF configuration on ASBR.
Less memory consumption (no RIB/FIB
memory) •ASBRs are still required to hold VPN routes
•MPLS label switching between providers
Still simple, more scalable & works today
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 60
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Cisco IOS Configuration
Scenario 2: External MP-BGP between ASBRs for VPNv4
MP-eBGP for
ASBR1 VPNv4 ASBR2
1.1.1.0/30
Label exchange
between ASBRs using
AS #1 MP-eBGP AS #2
PE1
ASBR MB-EBGP Configuration PE2
Router bgp x
CE-1
no bgp default route-target filter
CE-2
neighbor 1.1.1.x remote-as x
!
VPN-A address-family vpnv4
neighbor 1.1.1.x activate VPN-A
neighbor 1.1.1.x send-com extended
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 61
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 62
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Scenario 3: Multihop MP-eBGP between
RRs for VPN routes : Control Plane
VPN-v4
VPN-v4 update:
update:
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
NH=PE-1
NH=PE-1 RR-2
RR-1 RT=1:1,
RT=1:1, Label=(90)
Label=(90)
VPN-v4 VPN-v4
VPN-v4 update:
update:
VPN-v4 update:
update:
RD:1:27:10.1.1.0/24, RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
NH=PE-1 NH=PE-1
NH=PE-1
NH=PE-1
RT=1:1, Label=(90)
RT=1:1, Label=(90) ASBR-1 ASBR-2 RT=1:1,
RT=1:1, Label=(90)
Label=(90)
AS#1 AS#2
PE-1 IGP+LDP:
IGP+LDP:
Network=PE-1
Network=PE-1 IP-v4
IP-v4 update:
update: PE-2
IGP+LDP:
IGP+LDP:
NH=PE-1
NH=PE-1 Network=PE-1
Network=PE-1 Network=PE-1
Network=PE-1
Label=(40)
Label=(40) NH=ASBR-1
NH=ASBR-1 NH=ASBR-2
NH=ASBR-2
Label=(20)
Label=(20) BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
BGP, Label=(30)
Label=(30)
BGP, OSPF,
OSPF, RIPv2
RIPv2 CE-2 10.1.1.0/24,NH=PE-2
10.1.1.0/24,NH=PE-2
10.1.1.0/24,NH=CE-2
10.1.1.0/24,NH=CE-2
CE-3
VPN-B VPN-B
10.1.1.0/24
RR-1
RR-2
P1 P2
40 90 10.1.1.1
ASBR-2 30 90 10.1.1.1
90 10.1.1.1 ASBR-1
50 90 10.1.1.1
PE-1
20 90 10.1.1.1
PE-2
10.1.1.1
CE-2 CE-3 10.1.1.1
VPN-B VPN-B
10.1.1.0/24
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 64
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Scenario 3: Pros/Cons
Pros Cons
•More scalable than Scenario 1 and 2.
Separation of control and forwarding planes •Advertising PE addresses to another AS
may not be acceptable to few providers.
•Route Reflector exchange VPNv4 routes+labels
RR hold the VPNv4 information anyway
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 65
ASBR-1 ASBR-2
PE1
PE2
AS #1 AS #2
CE-1
eBGP IPv4 + Labels
CE-2
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Inter-AS Deployment Guidelines
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 67
Agenda
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 68
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Carrier Supporting Carriers: CsC
• Benefits of CsC
• What do I need to do to enable CsC ?
• Deployment models
• Security in CsC
• Deployment Guideline
• Deployment Scenarios
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 69
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 70
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
MPLS/VPN Networks without CsC
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 71
Benefits of CsC
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 72
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
What Do I Need to Enable CsC ?
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 73
MP-iBGP
MP-iBGP for
for VPNv4
VPNv4
P1
PE1 IGP+LDP
IGP+LDP IGP+LDP
PE2
IGP+LDP
Full-mesh
Full-mesh iBGP
iBGP
ISP PoP for
for external
external routes
routes ISP PoP
Site-1 Site-2
internal
internal routes
routes
== IGP
C1
IGP routes
routes ASBR-2
ASBR-1
Internal
Internal routes
routes ==
IGP
IGP routes
routes
R2
INTERNET
R1
ISP customers =
external routes
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 74
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
CsC Deployment Models
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 75
P1
IGP+LDP,
PE1 Net=PE-1, IGP+LDP,
Net=PE-1, PE2
Label = pop
Label = 16
Carrier’s Core
30.1.61.25/32,
30.1.61.25/32,
NH=CE-1,
NH=CE-1, Label
Label == 50
50
30.1.61.25/32,
30.1.61.25/32,
NH=PE-2,
NH=PE-2, Label
Label == 52
52
CE-1
CE-2
MP-iBGP
MP-iBGP update:
update:
ISP PoP 1:1:10.1.1.0/24,
1:1:10.1.1.0/24, RT=1:1
RT=1:1
NH IGP+LDP,
IGP+LDP,
NH =30.1.61.25/32,
=30.1.61.25/32, Label
Label == 90
90 ISP PoP
Site-1 30.1.61.25/32
30.1.61.25/32
Site-2 NH=CE-2,
NH=CE-2, Label=60
Label=60
IGP+LDP
IGP+LDP
30.1.61.25/32,Label
30.1.61.25/32,Label == pop
pop C1
ASBR_PE-1 ASBR_PE-2
30.1.61.25/32
10.1.1.0/24,
10.1.1.0/24, NH
NH
=ASBR_PE-2 IGP+LDP,
IGP+LDP,
=ASBR_PE-2 30.1.61.25/32
10.1.1.0/24,
10.1.1.0/24, NH=R1
NH=R1 30.1.61.25/32
NH=C1,
NH=C1, Label=70
Label=70
R2
Network = R1
10.1.1.0/24
VPN Site-1 VPN Site-2
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 76
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
CsC: ISP Sites Are Running MPLS-VPN
Hierarchical MPLS-VPN Forwarding Plane
P1
51 90 10.1.1.1
16 51 90 10.1.1.1
PE1
PE2
Carrier’s Core
50 90 10.1.1.1
52 90 10.1.1.1
CE-1
CE-2
70 90 10.1.1.1
10.1.1.1 10.1.1.1
R1 R2
Network =
10.1.1.0/24
VPN Site-1 VPN Site-2
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 77
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 78
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
CsC Deployment Guideline
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 79
PE-1
CE1
int ser0/0 ¾ Sh mpls interface VRF Int
IGP+LDP
mpls ip ¾ Sh mpls ldp discovery
¾ Sh mpls ldp bind CE-1
mpls ldp protcol ldp
¾ Sh mpls ldp neighbor
¾ Sh mpls forward
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 80
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
CsC: IOS Commands/Configs
Choice 2: What All You Need to Configure?
eBGP+label
CE-1
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 81
IOS Commands/Configs
Choice 2: eBGP+label on the PE-CE
• On PE
Sh ip bgp vpn vrf <vrf> neighbor
Sh ip bgp vpn vrf <vrf> label
Sh mpls forward vrf <vrf>
• On CE
Sh ip bgp neighbor
Sh ip bgp labels
Sh mpls forward
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 82
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Agenda
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 83
Best Practices
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 84
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Conclusion
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 85
http://www.networkers04.com/desktop
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 86
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Q&A
Eval -
http://www.networkers04.com/desktop
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 87
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 88
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
BACK UP SLIDES
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 89
ASBR-1 ASBR-2
VPN-B VRF
Import routes with
route-target 1:1 VPN-v4
VPN-v4 update:
update:
VPN-v4
VPN-v4 update:
update:
RD:1:27:10.1.1.0/24 RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24,
RD:1:27:10.1.1.0/24
NH=PE-1 NH=ASBR-2
NH=ASBR-2
NH=PE-1
RT=1:1, RT=1:1, Label=(92)
RT=1:1, Label=(92)
RT=1:1, Label=(29)
Label=(29)
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
10.1.1.0/24
10.1.1.0/24 VPN-B VRF
NH=ASBR-2
NH=ASBR-2 Import routes with
PE-1 route-target 1:1 PE-2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
CE-2 CE-3 10.1.1.0/24,NH=PE-2
10.1.1.0/24,NH=PE-2
BGP,
BGP, OSPF,
OSPF, RIPv2
RIPv2
10.1.1.0/24,NH=CE-2
10.1.1.0/24,NH=CE-2
VPN-B VPN-B
10.1.1.0/24
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Scenario 1: Back-to-back VRF
Forwarding Plane
92 10.1.1.1 P2
ASBR-1 ASBR-2
30 29 10.1.1.1
P1
10.1.1.1 20 92 10.1.1.1
PE-1 PE-2
IP Packets between
ASBRs
10.1.1.1 CE-2 CE-3 10.1.1.1
VPN-B
10.1.1.0/24 VPN-B
Pros Cons
ASBR1 ASBR2
1.1.1.0/30
CE-1
ip vrf green
rd 1:1 CE-2
route-target both 1:1
!
VPN-A Router bgp x
Address-family ipv4 vrf green VPN-A
neighbor 1.1.1.x activate
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 92
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
IOS Configuration
Scenario 2.5: Multi-Hop MP-eBGP for VPNv4
Multi-Hop MP-eBGP
ASBR1 for VPNv4 ASBR2
so so
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 94
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Option 4: Non-VPN Transit Provider
Non-VPN MPLS
MPLS VPN Provider Transit Backbone
#1
RR-1
PE1
ASBR-3
CE-2 next-hop-unchanged
Multihop MP-eBGP
OR iBGP IPv4 + Labels
MP-iBGP for VPNv4
MPLS VPN Provider
VPN-B RR-2
#2
PE2
CE-3
VPN-B
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 95
RST-2602
9908_06_2004_X2 © 2004 Cisco Systems, Inc. All rights reserved. 96
Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2