
Complex MPLS Layer 3 VPNs

© 2012 Cisco and/or its affiliates. All rights reserved. SPEDGE v1.0—3-1
• Describe overlapping VPNs
• Describe central service VPNs and advanced VRF features
• Describe managed CE router service

Overlapping VPNs

[Figure: Cisco IP NGN infrastructure layer with Access, Aggregation, IP Edge and Core, serving Residential, Mobile Users and Business customers]

• Complex MPLS Layer 3 VPNs are part of the Cisco IP NGN infrastructure layer.
• Layer 3 VPNs are usually configured on IP edge devices.
• MPLS runs on IP core devices.
[Figure: Customer A sites (1) and (2) and Customer B sites (1) and (2) attached to PE1 and PE2 across the MPLS backbone; the Customer A (Central) and Customer B (Central) sites communicate with each other]

• Central sites are reachable from multiple VPNs:
- Overlapping VPN
• IP addressing in common sites should not overlap:
- NAT can be used when networks overlap.
• At least one customer site needs to be reachable by sites in different VPNs:
- A service provider may provide services to many customers.
- Some service provider customers may want connectivity to one of their partners through the MPLS network.
- Limit visibility between different departments in an organization.

[Figure: the SP network with shared resources reachable from Customer A, Customer B and Customer C]
[Figure: Customer A sites (1) and (2) use RD 1:210 and import/export RT 1:210; Customer B sites (1) and (2) use RD 1:220 and import/export RT 1:220; Customer A (Central) has RD 1:211, Customer B (Central) has RD 1:221, and both central sites additionally import and export RT 1:1000]

• Customer A (central) import and export:
- RT 1:210 (customer VPN)
- RT 1:1000 (overlapping VPN)
• Customer B (central) import and export:
- RT 1:220 (customer VPN)
- RT 1:1000 (overlapping VPN)
[Figure: Customer A sites (1) and (2) with RD 1:210, Customer B sites (1) and (2) with RD 1:220, Customer A (Central) with RD 1:211 and Customer B (Central) with RD 1:221]

• Customer A (central) client can communicate with:
- All Customer A sites (customer VPN)
- Customer B central site (overlapping VPN)
• Customer B (central) client can communicate with:
- All Customer B sites (customer VPN)
- Customer A central site (overlapping VPN)
• Configure a new VRF instance for the central site:
- Import and export RTs for remote sites.
- Import and export RTs for overlapping sites.
• Update BGP configuration:
- Set RD for the central site.
- Under the proper address family (IPv4 or IPv6), configure route redistribution.

PE1 (Customer A central site VRF):
vrf CustomerA-Cent
 description Customer A Cent
 address-family ipv4 unicast
  import route-target
   1:210
   1:1000
  !
  export route-target
   1:210
   1:1000
  !
!

PE2 (Customer B central site VRF):
vrf CustomerB-Cent
 description Customer B Cent
 address-family ipv4 unicast
  import route-target
   1:220
   1:1000
  !
  export route-target
   1:220
   1:1000
  !
!

[Figure: Customer A sites (1) and (2) with RD 1:210 and Customer B sites (1) and (2) with RD 1:220 across the MPLS backbone on PE1 and PE2; Customer A (Central) RD 1:211 and Customer B (Central) RD 1:221 import and export RT 1:1000]
PE1:
router bgp 64500
 vrf CustomerA
  rd 1:210
  address-family ipv4 unicast
   redistribute connected
  !
 vrf CustomerB
  rd 1:220
  address-family ipv4 unicast
   redistribute connected
  !
 vrf CustomerA-Cent
  rd 1:211
  address-family ipv4 unicast
   redistribute connected
  !
!

PE2:
router bgp 64500
 vrf CustomerA
  rd 1:210
  address-family ipv4 unicast
   redistribute connected
  !
 vrf CustomerB
  rd 1:220
  address-family ipv4 unicast
   redistribute connected
  !
 vrf CustomerB-Cent
  rd 1:221
  address-family ipv4 unicast
   redistribute connected
  !
!

[Figure: Customer A sites (1) and (2) with RD 1:210 and Customer B sites (1) and (2) with RD 1:220 across the MPLS backbone on PE1 and PE2; Customer A (Central) RD 1:211 and Customer B (Central) RD 1:221 import and export RT 1:1000]
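Added example (Python; not part of the Cisco course material). It models the rule that the VRF and BGP configuration above relies on: a route leaves a VRF carrying that VRF's export route targets, and another VRF on any PE imports it when at least one attached RT is on its import list. The VRF names, RDs and RTs are the ones from the slides; the prefixes are constructed sample data, and the two central sites are deliberately given the same subnet so the script also flags the case where the slides say NAT is needed.

```python
# Added example: RT-driven VPNv4 route distribution for the overlapping-VPN design.
# Not Cisco course code; VRF names, RDs and RTs come from the slides, prefixes are constructed.
from ipaddress import ip_network

RT_A, RT_B, RT_OVERLAP = "1:210", "1:220", "1:1000"

# name -> (RD, import RTs, export RTs), mirroring the vrf configuration on the slides
VRFS = {
    "CustomerA":      ("1:210", {RT_A}, {RT_A}),
    "CustomerB":      ("1:220", {RT_B}, {RT_B}),
    "CustomerA-Cent": ("1:211", {RT_A, RT_OVERLAP}, {RT_A, RT_OVERLAP}),
    "CustomerB-Cent": ("1:221", {RT_B, RT_OVERLAP}, {RT_B, RT_OVERLAP}),
}

# Constructed sample prefixes that "redistribute connected" would inject into each VRF.
# The two central sites intentionally share a subnet to exercise the NAT caveat.
LOCAL_PREFIXES = {
    "CustomerA":      ["10.1.1.0/24"],
    "CustomerB":      ["10.2.1.0/24"],
    "CustomerA-Cent": ["10.1.100.0/24"],
    "CustomerB-Cent": ["10.1.100.0/24"],
}


def vpnv4_table():
    """Every VPNv4 route in the MP-BGP table: (origin VRF, RD, prefix, attached RTs)."""
    return [(name, rd, prefix, frozenset(export))
            for name, (rd, _imp, export) in VRFS.items()
            for prefix in LOCAL_PREFIXES[name]]


def imported(vrf_name, table=None):
    """Routes a VRF accepts: those whose RT set intersects the VRF's import RTs."""
    _rd, import_rts, _exp = VRFS[vrf_name]
    if table is None:
        table = vpnv4_table()
    return [r for r in table if r[3] & import_rts]


def reachable_sites(vrf_name):
    """Other VRFs whose routes end up in this VRF's routing table."""
    return sorted({origin for origin, _, _, _ in imported(vrf_name) if origin != vrf_name})


def overlapping_imports(vrf_name):
    """Prefix overlaps between routes from different sites inside one VRF table.
    An overlap means the sites cannot share a VRF without NAT."""
    routes = [(origin, ip_network(prefix)) for origin, _, prefix, _ in imported(vrf_name)]
    return [(oa, str(a), ob, str(b))
            for i, (oa, a) in enumerate(routes)
            for ob, b in routes[i + 1:]
            if oa != ob and a.overlaps(b)]


if __name__ == "__main__":
    for name in VRFS:
        print(f"{name:15} sees {reachable_sites(name)}  overlaps={overlapping_imports(name)}")
```

Running it shows the two plain customer VRFs reaching only their own central site, the two central VRFs reaching each other through RT 1:1000, and the constructed address collision surfacing only in the central VRFs, which is exactly where the overlapping VPN joins two customers' address spaces.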
Central Service VPNs

[Figure: client VPNs A, B, C, D and E each connected to one Central Services VPN (Server)]

• Multiple VPNs need to share a common set of servers:
- VPNs are called clients.
• Servers reside in central services VPN:
- VPNs are called servers.
• Clients from other VPNs cannot communicate with each other.
[Figure: VPN A (Client) RD 1:210 imports RT 1:210 and 1:502 and exports RT 1:210 and 1:501; VPN B (Client) RD 1:220 imports RT 1:220 and 1:502 and exports RT 1:220 and 1:501; Central Services VPN (Server) RD 1:500 imports RT 1:500 and 1:501 and exports RT 1:500 and 1:502]

• Client VPN routes:
- Exported to the server site
• Server VPN routes:
- Exported to client sites
- Exported to server sites
• No route exchange between client sites
[Figure: VPN A (Client) RD 1:210 and VPN B (Client) RD 1:220 connected to the Central Services VPN (Server) RD 1:500]

• Clients can talk to servers:
- Client VRF contains server routes.
• Servers can talk to clients:
- Server VRF contains client routes.
• Clients cannot communicate:
- Client VRFs do not contain routes from other clients.
• Make sure that there is no client-to-client leakage across server sites.
• Client sites:
- Use a separate VRF per client site.
- Use a unique RD on each client site.
- Import and export routes within customer sites.
- Export routes to server sites.
- Import routes from server sites.
• Server sites:
- Use one VRF for each service type.
- Use a unique RD on each service type.
- Import and export routes within server sites.
- Export server site routes to clients.
- Import routes from client sites.

[Figure: VPN A (Client) RD 1:210 and VPN B (Client) RD 1:220 on PE1, Central Services VPN (Server) RD 1:500 on PE-CS-1, connected across the MPLS backbone]

PE1:
vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
   1:502
  !
  export route-target
   1:210
   1:501
  !
!
vrf CustomerB
 address-family ipv4 unicast
  import route-target
   1:220
   1:502
  !
  export route-target
   1:220
   1:501
  !
!

PE-CS-1:
vrf Server
 address-family ipv4 unicast
  import route-target
   1:500
   1:501
  !
  export route-target
   1:500
   1:502
  !
!
• Customers run a simple VPN.
• Only A-Central and B-Central need access to central servers.
• Solution:
- Combine a simple VPN and central services VPN.
- Configure a separate VPN per customer.
- Configure a separate VRF for central servers.
- Configure a separate VRF for clients that need access to central servers (per site).
• Combination of rules from:
- Overlapping VPN
- Central services VPN
• Only central sites need access to central servers.
• Configuration steps:
- Configure the customer VPN import-export RT in all VRFs participating in the customer VPN.
- Configure a unique import-export RT in every VRF that is only a client of central servers.
- Configure the central services import and export RTs in VRFs that participate in the central services VPN.
• Selective import:
- This feature allows you to specify additional criteria for importing routes into the VRF.
• Selective export:
- This feature allows you to specify additional RTs that are attached to exported routes.
• VRF import criteria are more specific than just the match in RT:
- Import only routes with specific BGP attributes
- Import routes with specific prefixes or subnet masks
• Route policy is used to make the route import selection more specific.
• Use the import route-policy <name> command in VRF configuration submode.

[Figure: Customer A attached to PE-1, with PE-2 across the backbone]

PE-1#
vrf CustomerA
 address-family ipv4 unicast
  import route-policy CustA-Policy
  import route-target
   1:210
  !
  export route-target
   1:210
  !
!
route-policy CustA-Policy
  if destination in (192.168.1.0/24) then
    pass
  endif
end-policy
• Routes from a VRF might have to be exported with different RTs:
- Export management routes with particular RTs.
• An export route policy is used to set extended community RTs.

[Figure: Customer A attached to PE-1, with PE-2 across the backbone]

PE-1#
vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
  !
  export route-policy ExportPol
  export route-target
   1:210
  !
!
route-policy ExportPol
  if destination in (192.168.1.0/24) then
    set extcommunity rt 1:555 additive
  else
    pass
  endif
end-policy
Managed CE Router Service

• Service providers use network management VPN to manage the CE routers of all VPNs:
- Central server NMS needs access to the loopback address of all CE routers.
- Similar to central services and simple VRFs.
- CE routers participate in the central services VPN.
- Only loopback addresses of the CE routers are exported into the central services VPN.

• Create one VRF per customer VPN per PE router:
- Assign the same RD to each customer VRF.
• Create an NMS VRF on the central services PE router:
- Assign a unique RD to the NMS VRF.

[Figure: Customer A sites (1) and (2) with RD 1:210 and Customer B sites (1) and (2) with RD 1:220 on PE1 and PE2 across the MPLS backbone; PE-CS hosts the Customer A VRF (RD 1:210), the Customer B VRF (RD 1:220) and the NMS Server VRF (RD 1:500)]
[Figure: Customer A sites (1) and (2) with RD 1:210 and Customer B sites (1) and (2) with RD 1:220 on PE1 and PE2 across the MPLS backbone; PE-CS hosts Customer A (RD 1:210), NMS Server (RD 1:500) and Customer B (RD 1:220)]

Customer A VRF:
vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
   1:500
  !
  export route-policy MGMT_Pol
  export route-target
   1:210
  !
!
route-policy MGMT_Pol
  if destination in (192.168.1.0/24) then
    set extcommunity rt 1:501 additive
  else
    pass
  endif
end-policy

NMS VRF (PE-CS):
vrf NMS_Servers
 address-family ipv4 unicast
  import route-target
   1:500
   1:501
  !
  export route-target
   1:500
  !
!
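Added example (Python; not part of the Cisco course material). It models the managed-CE arrangement from the configuration above together with the central-services isolation rule: customer VRFs export with their own RT, the export policy MGMT_Pol adds RT 1:501 only to prefixes inside 192.168.1.0/24, and the NMS VRF imports 1:500 and 1:501. Two things are assumptions of this script rather than slide content: Customer B mirrors Customer A with RT 1:220 but carries a constructed misconfiguration (1:501 as a plain export RT instead of via the policy), and the NMS VRF is given a selective import policy in the style of CustA-Policy on the selective-import slide, so the script can show why that second check matters. All prefixes are constructed sample data.

```python
# Added example: managed-CE route distribution with an export route policy and a
# selective import check. Not Cisco course code; RTs/RDs come from the slides,
# Customer B's configuration and all prefixes are constructed.
from ipaddress import ip_network

MGMT_RANGE = ip_network("192.168.1.0/24")          # range matched by route-policy MGMT_Pol
RT_NMS_TO_CLIENTS, RT_CLIENTS_TO_NMS = "1:500", "1:501"


def mgmt_pol(prefix, base_rts):
    """Model of MGMT_Pol: 'set extcommunity rt 1:501 additive' for prefixes inside
    192.168.1.0/24, plain 'pass' (export RTs unchanged) for everything else."""
    rts = set(base_rts)
    if ip_network(prefix).subnet_of(MGMT_RANGE):
        rts.add(RT_CLIENTS_TO_NMS)
    return frozenset(rts)


def export_unchanged(_prefix, base_rts):
    """No export policy: the route carries exactly the configured export RTs."""
    return frozenset(base_rts)


def accept_all(_prefix):
    """No import policy: RT match alone decides."""
    return True


def mgmt_only(prefix):
    """Assumed selective-import policy on the NMS VRF (CustA-Policy style):
    accept a route only if its destination lies inside 192.168.1.0/24."""
    return ip_network(prefix).subnet_of(MGMT_RANGE)


# name -> (RD, import RTs, export RTs, export policy, import policy)
VRFS = {
    "CustomerA":   ("1:210", {"1:210", RT_NMS_TO_CLIENTS}, {"1:210"}, mgmt_pol, accept_all),
    # Assumed mirror of Customer A with RT 1:220, plus a constructed misconfiguration:
    # 1:501 was added as a plain export RT, so every Customer B route carries it.
    "CustomerB":   ("1:220", {"1:220", RT_NMS_TO_CLIENTS}, {"1:220", RT_CLIENTS_TO_NMS},
                    export_unchanged, accept_all),
    "NMS_Servers": ("1:500", {RT_NMS_TO_CLIENTS, RT_CLIENTS_TO_NMS}, {RT_NMS_TO_CLIENTS},
                    export_unchanged, mgmt_only),
}

# Constructed prefixes: a LAN plus a CE management loopback per customer, one NMS subnet.
LOCAL_PREFIXES = {
    "CustomerA":   ["10.1.1.0/24", "192.168.1.1/32"],
    "CustomerB":   ["10.2.1.0/24", "192.168.1.2/32"],
    "NMS_Servers": ["172.16.0.0/24"],
}


def vpnv4_table():
    """(origin VRF, RD, prefix, RTs after the export policy) for every advertised route."""
    return [(name, rd, prefix, policy(prefix, export))
            for name, (rd, _imp, export, policy, _flt) in VRFS.items()
            for prefix in LOCAL_PREFIXES[name]]


def visible(vrf_name, use_import_policy=True):
    """(origin, prefix) pairs in a VRF's table: its own routes, plus remote routes whose
    RTs intersect its import list and that its import policy accepts."""
    _rd, import_rts, _exp, _pol, import_policy = VRFS[vrf_name]
    return sorted((origin, prefix) for origin, _rd2, prefix, rts in vpnv4_table()
                  if origin == vrf_name
                  or (rts & import_rts and (not use_import_policy or import_policy(prefix))))


def client_leaks():
    """Routes one customer VRF has learned from another customer; must be empty."""
    clients = [n for n in VRFS if n != "NMS_Servers"]
    return [(vrf, origin, prefix) for vrf in clients
            for origin, prefix in visible(vrf) if origin != vrf and origin in clients]


if __name__ == "__main__":
    for name in VRFS:
        print(name, visible(name))
    print("NMS without import policy:", visible("NMS_Servers", use_import_policy=False))
    print("client-to-client leaks:", client_leaks())
```

The NMS VRF ends up with only the two CE loopbacks and its own subnet; Customer A sees its own routes and the NMS subnet and nothing of Customer B. Disabling the assumed import policy on the NMS VRF shows Customer B's whole LAN appearing in the management table because of the constructed 1:501 export error, which is the kind of leak the "only loopback addresses are exported" rule is meant to prevent and which a second filter on the importing side catches.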
• Overlapping VPNs are used to provide connectivity between segments in two VPNs.
• Central services VPNs offer the following:
- Customers can access common services.
- Customers cannot communicate with each other.
- Route policies can be used for selective route import and export.
• Service providers can access the management loopback interface of CE routers. Service providers use:
- NMS VRF
- Export route policy