Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

Apr 05, 2018

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    1/292

    AMVS

    Advanced MPLS

    VPN Solutions

    Volume 1Version 1.0

    Student Guide

    Text Part Number: 97-0624-01

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    2/292

The products and specifications, configurations, and other technical information regarding the products in this manual are subject to change without notice. All statements, technical information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must take full responsibility for their application of any products specified in this manual.

LICENSE

PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL, DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.

Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable license to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (Software), Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on a single central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco. You may make one (1) archival copy of the Software provided You affix to such copy all copyright, confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE MATERIALS.

You agree that aspects of the licensed Materials, including the specific design and structure of individual programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade secrets and copyrighted Material. Title to the Materials shall remain solely with Cisco.

This License is effective until terminated. You may terminate this License at any time by destroying all copies of the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any provision of this License. Upon termination, You must destroy all copies of the Materials.

Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. You agree to comply strictly with all such regulations and acknowledge that it has the responsibility to obtain licenses to export, re-export, or import Software.

This License shall be governed by and construed in accordance with the laws of the State of California, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full force and effect. This License constitutes the entire License between the parties with respect to the use of the Materials.

Restricted Rights - Cisco's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to the restrictions as set forth in subparagraph C of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. Government's rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.

DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall Cisco's or its suppliers' liability to You, whether in contract, tort (including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

Turn the television or radio antenna until the interference stops.

Move the equipment to one side or the other of the television or radio.

Move the equipment farther away from the television or radio.

Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The following third-party software may be included with your product and will be subject to the software license agreement:

CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-Packard Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright 1992, 1993 Hewlett-Packard Company.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

Network Time Protocol (NTP). Copyright 1992, David L. Mills. The University of Delaware makes no representations about the suitability of this software for any purpose.

Point-to-Point Protocol. Copyright 1989, Carnegie-Mellon University. All rights reserved. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission.

The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981-1988, Regents of the University of California.

Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products. Fastmac software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered trademarks of Madge Networks Limited. Copyright 1995, Madge Networks Limited. All rights reserved.

XRemote is a trademark of Network Computing Devices, Inc. Copyright 1989, Network Computing Devices, Inc., Mountain View, California. NCD makes no representations about the suitability of this software for any purpose.

The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved.

Access Registrar, AccessPath, Any to Any, Are You Ready, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco Technologies logo, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, IQ Breakthrough, IQ Expertise, IQ FastTrack, IQ Readiness Scorecard, The IQ Logo, Kernel Proxy, MGX, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, Precept, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, The Cell, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco Systems logo, the Cisco Systems Cisco Press logo, CollisionFree, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (0005R)

Advanced MPLS VPN Solutions, Revision 1.0: Student Guide

Copyright 2000, Cisco Systems, Inc.

All rights reserved. Printed in USA.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    4/292

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    5/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions v

Table of Contents

Volume 1

ADVANCED MPLS VPN SOLUTIONS 1-1
  Overview 1-1
  Course Objectives 1-2
  Course Objectives Implementation 1-3
  Course Objectives Solutions 1-4
  Prerequisites 1-5
  Participant Role 1-7
  General Administration 1-9
  Sources of Information 1-10

MPLS VPN TECHNOLOGY 2-1
  Overview 2-1
  Objectives 2-1
  Introduction to Virtual Private Networks 2-2
    Objectives 2-2
    Summary 2-8
    Review Questions 2-8
  Overlay and Peer-to-Peer VPN 2-9
    Objectives 2-9
    Overlay VPN Implementations 2-13
    Summary 2-23
    Review Questions 2-24
  Major VPN Topologies 2-25
    Objectives 2-25
    VPN Categorizations 2-25
    Summary 2-38
    Review Questions 2-38
  MPLS VPN Architecture 2-39
    Objectives 2-39
    Summary 2-60
    Review Questions 2-61
  MPLS VPN Routing Model 2-62
    Objectives 2-62
    Summary 2-78
    Review Questions 2-78
  MPLS VPN Packet Forwarding 2-79
    Objectives 2-79
    Summary 2-91
    Review Questions 2-91
  Lesson Summary 2-92
  Answers to Review Questions 2-93
    Introduction to Virtual Private Networks 2-93
    Overlay and Peer-to-Peer VPN 2-93
    Major VPN Topologies 2-94
    MPLS VPN Architecture 2-94
    MPLS VPN Routing Model 2-95
    MPLS VPN Packet Forwarding 2-96

MPLS/VPN CONFIGURATION ON IOS PLATFORMS 3-1
  Overview 3-1
  Objectives 3-1
  MPLS/VPN Mechanisms in Cisco IOS 3-2
    Objectives 3-2
    Summary 3-16
    Review Questions 3-16
  Configuring Virtual Routing and Forwarding Table 3-17
    Objectives 3-17
    Summary 3-26
    Review Questions 3-26
  Configuring a Multi-Protocol BGP Session Between the PE Routers 3-27
    Objectives 3-27
    Summary 3-43
    Review Questions 3-43
  Configuring Routing Protocols Between PE and CE Routers 3-44
    Objectives 3-44
    Summary 3-55
    Review Questions 3-55
  Monitoring MPLS/VPN Operation 3-56
    Objectives 3-56
    Summary 3-82
    Review Questions 3-82
  Troubleshooting MPLS/VPN 3-83
    Objectives 3-83
    Summary 3-100
    Review Questions 3-100
  Advanced VRF Import/Export Features 3-101
    Objectives 3-101
    Summary 3-115
    Review Questions 3-115
  Advanced PE-CE BGP Configuration 3-116
    Objectives 3-116
    Summary 3-134
    Review Questions 3-134

USING OSPF IN AN MPLS VPN ENVIRONMENT 4-1
  Overview 4-1
  Objectives 4-1
  Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-2
    Objectives 4-2
    Summary 4-26
    Review Questions 4-26
  Configuring and Monitoring OSPF in an MPLS VPN Environment 4-27
    Objectives 4-27
    Summary 4-35
    Review Questions 4-35
  Summary 4-36
  Answers to Review Questions 4-37
    Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-37
    Configuring and Monitoring OSPF in an MPLS VPN Environment 4-37

Volume 2

MPLS VPN TOPOLOGIES 5-1
  Overview 5-1
  Objectives 5-1
  Simple VPN with Optimal Intra-VPN Routing 5-2
    Objectives 5-2
    Summary 5-17
    Review Questions 5-17
  Using BGP as the PE-CE Routing Protocol 5-18
    Objectives 5-18
    Summary 5-23
    Review Questions 5-23
  Overlapping Virtual Private Networks 5-24
    Objectives 5-24
    Summary 5-33
    Review Questions 5-33
  Central Services VPN Solutions 5-34
    Objectives 5-34
    Summary 5-47
    Review Questions 5-47
  Hub-and-Spoke VPN Solutions 5-48
    Objectives 5-48
    Summary 5-54
    Review Questions 5-54
  Managed CE-Router Service 5-55
    Objectives 5-55
    Summary 5-60
    Review Questions 5-60
  Chapter Summary 5-60

INTERNET ACCESS FROM A VPN 6-1
  Overview 6-1
  Objectives 6-1
  Integrating Internet Access with the MPLS VPN Solution 6-2
    Objectives 6-2
    Summary 6-16
    Review Questions 6-16
  Design Options for Integrating Internet Access with MPLS VPN 6-17
    Objectives 6-17
    Summary 6-23
    Review Questions 6-23
  Leaking Between VPN and Global Backbone Routing 6-24
    Objectives 6-24
    Usability of Packet Leaking for Various Internet Access Services 6-32
    Redundant Internet Access with Packet Leaking 6-36
    Summary 6-38
    Review Questions 6-38
  Separating Internet Access from VPN Service 6-39
    Objectives 6-39
    Usability of Separated Internet Access for Various Internet Access Services 6-44
    Summary 6-46
    Review Questions 6-46
  Internet Access Backbone as a Separate VPN 6-47
    Objectives 6-47
    Usability of Internet in a VPN Solution for Various Internet Access Services 6-52
    Summary 6-56
    Review Questions 6-57
  Chapter Summary 6-57

MPLS VPN DESIGN GUIDELINES 7-1
  Overview 7-1
  Objectives 7-1
  Backbone and PE-CE Link Addressing Scheme 7-2
    Objectives 7-2
    Summary 7-15
    Review Questions 7-16
  Backbone IGP Selection and Design 7-17
    Objectives 7-17
    Summary 7-30
    Review Questions 7-31
  Route Distinguisher and Route Target Allocation Schemes 7-32
    Objective 7-32
    Summary 7-37
    Review Questions 7-37
  End-to-End Convergence Issues 7-38
    Objectives 7-38
    Summary 7-52
    Review Questions 7-52
  Chapter Summary 7-53
  Answers to Review Questions 7-54
    Backbone and PE-CE Link Addressing Scheme 7-54
    Backbone IGP Selection and Design 7-55
    Route Distinguisher and Route Target Allocation Scheme 7-56
    End-to-End Convergence Issues 7-56

LARGE-SCALE MPLS VPN DEPLOYMENT 8-1
  Overview 8-1
  Objectives 8-1
  MP-BGP Scalability Mechanisms 8-2
    Objectives 8-2
    Summary 8-12
    Review Questions 8-12
  Partitioned Route Reflectors 8-13
    Objectives 8-13
    Summary 8-28
    Review Questions 8-28
  Chapter Summary 8-29

MPLS VPN MIGRATION STRATEGIES 9-1
  Overview 9-1
  Objective 9-1
  Infrastructure Migration 9-2
    Objective 9-2
    Summary 9-9
    Review Questions 9-9
  Customer Migration to MPLS VPN Service 9-10
    Objective 9-10
    Generic Customer Migration Strategy 9-11
    Migration From Layer-2 Overlay VPN 9-13
    Migration from GRE Tunnel-Based VPN 9-16
    Migration from IPSec-Based VPN 9-19
    Migration from L2F-Based VPN 9-20
    Migration From Unsupported PE-CE Routing Protocol 9-22
    Summary 9-26
    Review Questions 9-26
  Chapter Summary 9-26

INTRODUCTION TO LABORATORY EXERCISES A-1
  Overview A-1
  Physical And Logical Connectivity A-2
  IP Addressing Scheme A-5
  Initial BGP Design A-7
  Notes Pages A-8

LABORATORY EXERCISES: FRAME-MODE MPLS CONFIGURATION B-1
  Overview B-1
  Laboratory Exercise B-1: Basic MPLS Setup B-2
    Objectives B-2
    Command list B-2
    Task 1: Configure MPLS in your backbone B-2
    Task 2: Remove BGP from your P-routers B-2
    Verification B-3
    Review Questions B-4
  Laboratory Exercise B-2: Disabling TTL Propagation B-5
    Objective B-5
    Command list B-5
    Task: Disable IP TTL Propagation B-5
    Verification B-5
  Laboratory Exercise B-3: Conditional Label Advertising B-6
    Objective B-6
    Command list B-6
    Task: Configure Conditional Label Advertising B-6
    Verification B-6
    Review Questions B-7

LABORATORY EXERCISES: MPLS VPN IMPLEMENTATION C-1
  Overview C-1
  Laboratory Exercise C-1: Initial MPLS VPN Setup C-2
    Objectives C-2
    Background Information C-2
    Command list C-3
    Task 1: Configure multi-protocol BGP C-3
    Task 2: Configure Virtual Routing and Forwarding Tables C-4
    Additional Objective C-5
    Task 3: Configuring Additional CE routers C-5
    Verification C-6
  Laboratory Exercise C-2: Running OSPF Between PE and CE Routers C-9
    Objectives C-9
    Visual Objective C-9
    Command list C-10
    Task 1: Configure OSPF on CE routers C-10
    Task 2: Configure OSPF on PE routers C-10
    Verification C-11
    Task 3: Configure OSPF connectivity with additional CE routers C-11
    Verification C-12
  Laboratory Exercise C-3: Running BGP Between the PE and CE Routers C-13
    Objectives C-13
    Background Information C-13
    Command list C-14
    Task 1: Configure Additional PE-CE link C-14
    Task 2: Configure BGP as the PE-CE routing protocol C-14
    Verification C-15
    Task 3: Select Primary and Backup Link with BGP C-16
    Verification C-16
    Task 4: Convergence Time Optimization C-17
    Verification C-17

LABORATORY EXERCISES: MPLS VPN TOPOLOGIES D-1
  Overview D-1
  Laboratory Exercise D-1: Overlapping VPN Topology D-2
    Objective D-2
    Visual Objective D-2
    Command list D-3
    Task 1: Design your VPN solution D-4
    Task 2: Remove WGxA1/WGxB1 from existing VRFs D-4
    Task 3: Configure new VRFs for WGxA1 and WGxB1 D-4
    Verification D-4
  Laboratory Exercise D-2: Common Services VPN D-8
    Objective D-8
    Background Information D-9
    Command list D-10
    Task 1: Design your Network Management VPN D-10
    Task 2: Create Network Management VRF D-10
    Verification D-11
    Task 3: Establish connectivity between NMS VRF and other VRFs D-11
    Verification D-11
    Task 4: Establish routing between WGxPE2 and the NMS router D-12
    Verification D-13
  Laboratory Exercise D-3: Internet Connectivity Through Route Leaking D-14
    Objective D-14
    Visual Objective D-14
    Command list D-15
    Task 1: Cleanup from the previous VPN exercises D-15
    Task 2: Configure route leaking between customer VPN and the Internet D-15
    Verification D-16
    Additional exercise: Fix intra-VPN routing D-17
  Laboratory Exercise D-4: Separate Interface for Internet Connectivity D-18
    Objective D-18
    Visual Objective D-19
    Command list D-20
    Task 1: Cleanup from the previous exercise D-20
    Verification D-21
    Task 2: Establishing connectivity in the global routing table D-21
    Task 3: Routing between the PE-router and the CE-router D-21
    Verification D-22
  Laboratory Exercise D-5: Internet in a VPN D-23
    Objective D-23
    Visual Objective D-23
    Command list D-24
    Task 1: Design your Internet VPN D-24
    Task 2: Migrate Internet routers in a VPN D-24
    Verification D-25
    Additional Task: Direct Internet connectivity for all CE-routers D-26
    Verification D-26

INITIAL LABORATORY CONFIGURATION E-1
  Overview E-1
  Laboratory Exercise E-1: Initial Core Router Configuration E-2
    Objective E-2
    Task: Configure Initial Router Configuration E-2
    Verification E-3
  Laboratory Exercise E-2: Initial Customer Router Configuration E-4
    Objective E-4
    Task: Configure Customer Routers E-4
    Verification E-5
  Laboratory Exercise E-3: Basic ISP Setup E-6
    Objective E-6
    Task 1: Configure IS-IS in your backbone E-6
    Task 2: Configure BGP in your backbone E-6
    Task 3: Configure Customer Routing E-6
    Task 4: Peering with other Service Providers E-7
    Task 5: Establishing Network Management Connectivity E-7
    Verification E-7

INITIAL ROUTER CONFIGURATION F-1
  Overview F-1
  Router WGxPE1 F-2
  Router WGxPE2 F-4
  Router WGxPE3 F-6
  Router WGxPE4 F-8
  Router WGxP F-10
  Router WGxA1 F-12
  Router WGxA2 F-14
  Router WGxB1 F-15
  Router WGxB2 F-17

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    13/292

1

Advanced MPLS VPN Solutions

Overview

Advanced MPLS VPN Solutions (AMVS) is an instructor-led course presented by Cisco training partners to their end-user customers. This four-day course focuses on using Virtual Private Networks (VPN) implemented with Multi-Protocol Label Switching (MPLS) technology.

Upon completion of this training course, you will be able to design, implement and troubleshoot MPLS VPN networks.

This chapter outlines the course prerequisites and course highlights, as well as some administrative issues. It includes the following topics:

• Course Objectives
• Course Topics
• Prerequisites
• Participant Role
• General Administration
• Sources of Information
• Course Syllabus
• Graphic Symbols

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    14/292

    1-2 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

Course Objectives

This section lists the course objectives.

Course Objectives: Technology

Upon completion of this course, you will be able to perform the following tasks:

• Identify major VPN categories and topologies, their applications and technologies that can be used to implement them
• Describe MPLS/VPN terminology and architecture
• Describe the routing and forwarding model of MPLS/VPN

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    15/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-3

Course Objectives: Implementation

Upon completion of this course, you will be able to perform the following tasks:

• Configure Virtual Routing and Forwarding tables
• Configure Multi-protocol BGP in the MPLS/VPN backbone and the PE-CE routing protocols
• Configure advanced MPLS/VPN features
• Monitor and troubleshoot MPLS/VPN operations
• Describe the specifics of OSPF operation inside a VPN network

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    16/292

    1-4 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

Course Objectives: Solutions

Upon completion of this course, you will be able to perform the following tasks:

• Design and implement various MPLS/VPN topologies
• Connect your VPN customers to the Internet
• Design and implement an MPLS/VPN backbone
• Build large-scale MPLS VPN backbones
• Develop a migration strategy toward MPLS/VPN from a wide range of existing network infrastructures

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    17/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-5

Prerequisites

This section lists the course prerequisites.

Advanced MPLS VPN Solutions: Prerequisites

Successful completion of:

• Building Scalable Cisco Networks (BSCN)
• Configuring BGP on Cisco Routers
• One of the MPLS technology courses

Recommended:

• CCNP or CCIE certification
• In-depth OSPF or IS-IS knowledge
• MPLS Traffic Engineering and QoS knowledge

To fully benefit from AMVS, you should already possess certain knowledge and skills gained in a structured learning environment. You need to have:

• In-depth understanding of IP routing and route redistribution in Cisco IOS
• In-depth knowledge of Border Gateway Protocol (BGP) and practical experience in configuring BGP networks
• Baseline MPLS knowledge.

These skills can be gained from self-paced or instructor-led training sessions and from work experience. The best way to gain the skills you need to follow the CBCR course is:

• To gain IP routing and route redistribution skills, attend the Building Scalable Cisco Networks (BSCN) course
• To gain BGP-related skills, attend the Configuring BGP on Cisco Routers (CBCR) course
• To gain MPLS knowledge, attend the MPLS Technology Essentials or Cisco MPLS course.

You will be able to gain more practical experience from the course if you already have work experience and router configuration skills. These skills are best demonstrated through the Cisco career certifications Cisco Certified Networking Professional (CCNP) or Cisco Certified Internetworking Expert (CCIE). In-depth knowledge of the Open Shortest Path First (OSPF) or Integrated Intermediate System-to-Intermediate System (IS-IS) routing protocol will help you perform the laboratory exercises better. MPLS Traffic Engineering and MPLS Quality of Service knowledge will help you understand how these technologies relate to MPLS VPN.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    19/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-7

Participant Role

This section discusses your responsibilities as a student.

Student role:

• Meet prerequisites
• Introduce yourself
• Ask and answer questions

To take full advantage of the information presented in this course, you should meet the prerequisites for this class.

Introduce yourself to the instructor and other students who will be working with you during the five days of this course.

You are encouraged to ask any questions relevant to the course materials.

If you have pertinent questions concerning other Cisco features and products not covered in this course, please bring these topics up during breaks or after class, and the instructor will try to answer the questions or direct you to an appropriate information source.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    20/292

    1-8 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

Welcome: Please Introduce Yourself

• Your name and work location
• Your job responsibilities
• Your internetworking experience
• Your objectives for this week

Introduce yourself, stating your name and the job function you perform at your work location.

Briefly describe what experience you have with installing and configuring Cisco routers, attending Cisco classes, and how your work experience helped you meet the prerequisites highlighted earlier.

You should also state what you expect to learn from this course.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    21/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-9

General Administration

This section highlights miscellaneous administrative tasks that must be addressed.

Class-related:

• Sign-in sheet
• Length and times
• Participant materials
• Attire

Facilities-related:

• Rest rooms
• Site emergency procedures
• Break and lunchroom locations
• Communications

The instructor will discuss the administrative issues in detail so you will know exactly what to expect from both the class and facilities. The following items will be discussed:

• Recording your name on a sign-in sheet
• The starting and anticipated ending time of each class day
• What materials you can expect to receive during the class
• The appropriate attire during class attendance
• Rest room locations
• What to do in the event of an emergency
• Class breaks and lunch facilities
• How to send and receive telephone, e-mail, and fax messages

Sources of Information

This section identifies additional sources of information.

Sources of Information

- Student kit
- www.cisco.com
- CD-ROMs
- Cisco Press

Most of the information presented in this course can be found on the Cisco Systems Web site or on CD-ROM. These supporting materials are available in HTML format and as manuals and release notes.

To learn more about the subjects covered in this course, feel free to access the following sources of information:

- Cisco Documentation CD-ROM
- ITM CD-ROM
- Cisco IOS 12.1 Configuration Guide
- Cisco IOS 12.1 Command Reference Guide

Many of these documents can be found at the following URL:

http://www.cisco.com

Cisco Press books and documents can be found at the following URL:

http://www.ciscopress.com

Course Syllabus

Figure: course structure in three columns. Technology: MPLS VPN Technology. Implementation: MPLS VPN Configuration on IOS platforms; Running OSPF in an MPLS VPN Environment. Solutions: MPLS VPN Topologies; Internet Access from a VPN; MPLS VPN Design Guidelines; Large-Scale MPLS VPN Deployment; MPLS VPN Migration Strategies.

The following schedule reflects the recommended structure for this course. This structure allows enough time for your instructor to present the course information to you and for you to work through the laboratory exercises. The exact timing of the subject materials and labs depends on the pace of your specific class.

Module 1, MPLS VPN Technology (0.5 day)

The purpose of this module is to introduce you to the concept of Virtual Private Networks and MPLS VPN Architecture. The module also discusses the routing and data forwarding model of MPLS VPN.

Module 1 includes the following chapters:

- Chapter 1, Introduction
- Chapter 2, MPLS VPN Technology

Module 2, MPLS VPN Implementation (1.5 days)

The purpose of this module is to describe the operation and configuration of MPLS VPN on Cisco IOS platforms.

Module 2 includes the following chapters:

- Chapter 3, MPLS VPN Configuration on IOS Platforms
- Chapter 4, Using OSPF in an MPLS VPN Environment

Module 3, MPLS VPN Solutions (2 days)

The purpose of the module is to describe typical MPLS VPN usage scenarios and give you the design and implementation guidelines needed to deploy these scenarios in your network.

Module 3 includes the following chapters:

- Chapter 5, MPLS VPN Topologies
- Chapter 6, Internet Access from a VPN
- Chapter 7, MPLS VPN Design Guidelines
- Chapter 8, Large-Scale MPLS VPN Deployment
- Chapter 9, MPLS VPN Migration Strategies

2 MPLS VPN Technology

Overview

This lesson introduces Virtual Private Networks (VPN) and two major VPN design options: overlay VPN and peer-to-peer VPN. VPN terminology and topologies are introduced.

The lesson then describes MPLS VPN architecture, operations and terminology. It details CE-PE routing from various perspectives and the BGP extensions (route targets and extended community attributes) that allow I-BGP to transport customer routes over a provider network. The MPLS VPN forwarding model is also covered, together with its integration with core routing protocols.

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

- Identify major Virtual Private Network topologies, their characteristics and usage scenarios
- Describe the differences between overlay VPN and peer-to-peer VPN
- List major technologies supporting overlay VPNs and peer-to-peer VPNs
- Position MPLS VPN in comparison with other peer-to-peer VPN implementations
- Describe the major architectural blocks of MPLS VPN
- Describe the MPLS VPN routing model and packet forwarding

Introduction to Virtual Private Networks

Objectives

Upon completion of this section, you will be able to perform the following tasks:

- Describe the concept of VPN
- Understand VPN terminology as defined by MPLS VPN architecture

Traditional Router-Based Networks

Traditional router-based networks connect customer sites through routers connected via dedicated point-to-point links.

Figure: four customer sites (Site A, Site B, Site C and Site D) connected by dedicated point-to-point links.

Traditional router-based networks were implemented with dedicated point-to-point links connecting customer sites. The cost of such an approach was comparatively high for a number of reasons:

- The dedicated point-to-point links prevented any form of statistical infrastructure sharing on the Service Provider side, resulting in high costs for the end-customer.
- Every link required a dedicated port on a router, resulting in high equipment costs.

Virtual Private Networks

Virtual Private Networks replace dedicated point-to-point links with emulated point-to-point links sharing common infrastructure.

Customers use VPNs primarily to reduce their operational costs.

Figure: Service Provider Network. A Customer Premises router (CPE) at a customer site and a CPE router at a large customer site (with other customer routers behind it) connect to Provider Edge devices (Frame Relay switches); Provider core devices forward traffic between the PE devices. Two virtual circuits, Virtual Circuit (VC) #1 and Virtual Circuit (VC) #2, run from the left CPE router to the two CPE routers on the right.

Virtual Private Networks (VPNs) were introduced very early in the history of data communications with technologies like X.25 and Frame Relay, which use virtual circuits to establish the end-to-end connection over a shared service provider infrastructure. These technologies, although sometimes considered legacy and obsolete, still share the basic business assumptions with the modern VPN approaches:

- The dedicated links are replaced with common infrastructure that emulates point-to-point links for the customer, resulting in statistical sharing of Service Provider infrastructure.
- Statistical sharing of infrastructure enables the service provider to offer the connectivity for a lower price, resulting in lower operational costs for the end customers.

The statistical sharing is illustrated in the graphic, where you can see that the CPE router on the left has one physical connection to the service provider with two virtual circuits provisioned. Virtual Circuit 1 (VC #1) provides connectivity to the top CPE router on the right. Virtual Circuit 2 (VC #2) provides the connectivity to the bottom CPE router on the right.

VPN Terminology

Figure: a customer site and a large customer site connected through the Service Provider network.

Customer Network (C-Network): the part of the network still under customer control.

Provider Network (P-Network): the Service Provider infrastructure used to provide VPN services.

Customer Site: a contiguous part of the customer network (can encompass many physical locations).

There are many conceptual models and terminologies describing various Virtual Private Network technologies and implementations. In this section we'll focus on the terminology introduced by the MPLS VPN architecture. As you'll see, the terminology is generic enough to cover any VPN technology or implementation and is thus extremely versatile.

The major parts of an overall VPN solution are always:

- The Service Provider network (P-network): the common infrastructure the Service Provider uses to offer VPN services to the customers.
- The Customer network (C-network): the part of the overall customer network that is still exclusively under customer control.
- Customer sites: contiguous parts of the customer network.

A typical customer network implemented with any VPN technology would contain islands of connectivity completely under customer control (customer sites) connected together via the Service Provider infrastructure (P-network).

VPN Terminology

Figure: a customer site and a large customer site connected through the Service Provider network.

Customer Edge (CE) device: the device in the C-network with a link into the P-network. Also called Customer Premises Equipment (CPE).

Provider Edge (PE) device: the device in the P-network to which the CE-devices are connected.

Provider core (P) device: the device in the P-network with no customer connectivity.

The devices that enable the overall VPN solution are named based on their position in the network:

- The customer router that connects the customer site to the Service Provider network is called a Customer Edge router (CE-router). Traditionally this device is called Customer Premises Equipment (CPE).

Note: If the CE device is not a router, but, for example, a Packet Assembly and Disassembly (PAD) device, we can still use the generic term CE-device.

- Service Provider devices where the customer devices are attached are called Provider Edge (PE) devices. In traditional switched Wide Area Network (WAN) implementations, these devices would be Frame Relay or X.25 edge switches.
- Service Provider devices that only provide data transport across the Service Provider backbone and have no customers attached to them are called Provider (P) devices. In traditional switched WAN implementations these would be core (or transit) switches.

VPN Terminology Specific to Switched WAN

Figure: the Service Provider network from the earlier slide, with CPE routers attached to Provider edge devices (Frame Relay switches), Provider core devices in the middle, and Virtual Circuit (VC) #1 and Virtual Circuit (VC) #2 between the CPE routers.

Virtual Circuit (VC): emulated point-to-point link established across shared layer-2 infrastructure.

Permanent Virtual Circuit (PVC) is established through out-of-band means (network management) and is always active.

Switched Virtual Circuit (SVC) is established through CE-PE signaling on demand from the CE device.

Switched WAN technologies introduced the term Virtual Circuit (VC), which is an emulated point-to-point link established across layer-2 infrastructure (for example, a Frame Relay network). The virtual circuits are further differentiated into Permanent Virtual Circuits (PVC), which are pre-established by means of network management or manual configuration, and Switched Virtual Circuits (SVC), which are established on demand through a call setup request from the CE device.

Summary

Virtual Private Networks were introduced by Service Providers to offer a more cost-effective alternative to traditional customer network design, which relied on dedicated point-to-point links between customer sites.

The overall network implemented with a VPN solution is divided into the Customer network (C-network), which is exclusively under the customer's control, and the Provider network (P-network), the shared infrastructure used to offer the VPN services. A contiguous part of the C-network is called a customer site.

The device linking a customer site with the P-network is called a Customer Edge (CE) device. Most commonly this is a router, called a CE-router. This component was traditionally named Customer Premises Equipment (CPE).

The edge device in the Service Provider network, to which the customers are attached, is called a Provider Edge (PE) device. The device inside the Provider network with no customer connectivity is a Provider (P) device.

Review Questions

Answer the following questions:

- Why are customers interested in Virtual Private Networks?
- What is the main role of a VPN?
- What is a C-network?
- What is a customer site?
- What is a CE-router?
- What is a P-network?
- What is the difference between a PE-device and a P-device?

Overlay and Peer-to-Peer VPN

Objectives

Upon completion of this section, you will be able to perform the following tasks:

- Describe the differences between overlay and peer-to-peer VPN
- Describe the benefits and drawbacks of each VPN implementation option
- List major technologies supporting overlay VPNs
- Describe traditional peer-to-peer VPN implementation options

VPN Implementation Technologies

VPN services can be offered based on two major paradigms:

- Overlay Virtual Private Networks, where the Service Provider provides virtual point-to-point links between customer sites
- Peer-to-Peer Virtual Private Networks, where the Service Provider participates in the customer routing

Traditional VPN implementations were all based on the overlay paradigm: the Service Provider sells virtual circuits between customer sites as a replacement for dedicated point-to-point links. The overlay paradigm has a number of drawbacks that will be identified in this section. To overcome these drawbacks (particularly in IP-based customer networks), a new paradigm called peer-to-peer VPN was introduced, where the Service Provider actively participates in customer routing.

Overlay VPN Implementation (Frame Relay Example)

Figure: Service Provider Network. Customer site routers A, B, C and D connect to Frame Relay edge switches (Provider Edge devices); Virtual Circuits (VC) #1, #2 and #3 cross the Frame Relay network between them.

The diagram above shows a typical overlay VPN, implemented by a Frame Relay network. The customer needs to connect three sites (site Alpha being the central site, the hub) and orders connectivity between Alpha (Hub) and Beta (Spoke) and between Alpha (Hub) and Gamma (Spoke). The Service Provider implements this request by providing two PVCs across the Frame Relay network.

Layer-3 Routing in Overlay VPN Implementation

- Service Provider infrastructure appears as point-to-point links to customer routers
- Routing protocols run directly between customer routers
- Service Provider does not see customer routes and is responsible only for providing point-to-point transport of customer data

Figure: Router A at the hub linked by emulated point-to-point links to Router B, Router C and Router D.

From the layer-3 perspective, the Service Provider network is invisible: the customer routers are linked with emulated point-to-point links. The routing protocol is run directly between customer routers, which establish routing adjacencies and exchange routing information.

The Service Provider is not aware of customer routing and has no information about customer routes. The responsibility of the Service Provider is purely the point-to-point data transport between customer sites.

Overlay VPN Implementations

There are a number of different overlay VPN implementations, ranging from traditional Time Division Multiplexing (TDM) to highly complex technologies running across IP backbones. In the following slides, we'll introduce the major VPN technologies and implementations.

Overlay VPN: Layer-1 Implementation

This is the traditional TDM solution:

- Service Provider establishes physical-layer connectivity between customer sites
- Customer takes responsibility for all higher layers

Figure: protocol stack: IP over PPP or HDLC over ISDN, E1, T1, DS0, SDH or SONET.

In a layer-1 overlay VPN implementation, the Service Provider sells layer-1 circuits (bit pipes) implemented with technologies like ISDN, DS0, E1, T1, SDH or SONET. The customer takes responsibility for layer-2 encapsulation between customer devices and the transport of IP data across the infrastructure.

Overlay VPN: Layer-2 Implementation

This is the traditional Switched WAN solution:

- Service Provider establishes layer-2 virtual circuits between customer sites
- Customer takes responsibility for all higher layers

Figure: protocol stack: IP over X.25, Frame Relay or ATM.

Layer-2 VPN implementation is the traditional switched WAN model, implemented with technologies like X.25, Frame Relay, ATM or SMDS. The Service Provider is responsible for transport of layer-2 frames between customer sites and the customer takes responsibility for all higher layers.

Overlay VPN: IP Tunneling

- VPN is implemented with IP-over-IP tunnels
- Tunnels are established with GRE or IPSec
- GRE is simpler (and quicker), IPSec provides authentication and security

Figure: protocol stack: Internet Protocol (IP) over Generic Route Encapsulation (GRE) or IP Security (IPSec) over Internet Protocol (IP).

With the success of the Internet Protocol (IP) and associated technologies, some Service Providers started to implement pure IP backbones to offer VPN services based on IP. In other cases, the customers want to take advantage of the low cost and universal availability of the Internet to build low-cost private networks over it. Whatever the business reasons behind it, an overlay Layer 3 VPN implementation over an IP backbone always involves tunneling (encapsulation of protocol units at a certain layer of the OSI model into protocol units at the same or a higher layer of the OSI model).

Two well-known tunneling technologies are IP Security (IPSec) and Generic Route Encapsulation (GRE). GRE is fast and simple to implement and supports multiple routed protocols, but provides no security and is thus unsuitable for deployment over the Internet. An alternate tunneling technology is IPSec, which provides network layer authentication and optional encryption to make data transfer over the Internet secure. IPSec only supports the IP routed protocol.

Overlay VPN: Layer-2 Forwarding

- VPN is implemented with PPP-over-IP tunnels
- Usually used in access environments (dial-up, DSL)

Figure: protocol stack: Internet Protocol (IP) over Point-to-Point Protocol (PPP) over Layer-2 Transport Protocol (L2TP), Layer-2 Forwarding (L2F) or Point-to-Point Tunneling (PPTP) over Internet Protocol (IP).

Yet another tunneling technique was first implemented in dial-up networks, where the Service Providers wanted to tunnel customer dial-up data encapsulated in Point-to-Point Protocol (PPP) frames over an IP backbone to the customer's central site. To make the Service Provider transport transparent to the customer, PPP frames are exchanged between the customer sites (usually a dial-up user and a central site) and the customer is responsible for establishing layer-3 connectivity above PPP.

There are three well-known PPP forwarding implementations:

- Layer 2 Forwarding (L2F)
- Layer 2 Transport Protocol (L2TP)
- Point-to-Point Tunneling Protocol (PPTP)

Peer-to-Peer VPN Concept

Figure: Service Provider Network. Customer site routers A, B, C and D each connect to a Provider Edge (PE) router. Routing information is exchanged between customer and service-provider routers; Service Provider routers exchange customer routes through the core network; finally, the customer routes propagated through the service-provider network are sent to other customer routers.

The overlay VPN paradigm has a number of drawbacks, the most significant of them being the need for the customer to establish point-to-point links or virtual circuits between sites. The formula to calculate how many point-to-point links or virtual circuits you need in the worst case is n(n-1)/2, where n is the number of sites you need to connect. For example, if you need to have full-mesh connectivity between 4 sites, you will need a total of 6 point-to-point links or virtual circuits.

To overcome this drawback and provide the customer with optimum data transport across the Service Provider backbone, the peer-to-peer VPN concept was introduced, where the Service Provider actively participates in the customer routing, accepting customer routes, transporting them across the Service Provider backbone and finally propagating them to other customer sites.

Peer-to-Peer VPN with Packet Filters

Figure: Service provider network with a Point-of-Presence (shared router) connecting Customer A Site #1, Customer A Site #2 and Customer B Site #1. The POP router carries all customer routes; isolation between customers is achieved with packet filters on the PE-CE interfaces.

The first peer-to-peer VPN solutions appeared several years ago. Architectures similar to the Internet were used to build them, and special provisions had to be taken into account to transform an architecture that was targeted toward public backbones (the Internet) into a solution where the customers would be totally isolated and able to exchange their corporate data securely.

The more common peer-to-peer VPN implementation uses packet filters on the PE-routers to isolate the customers. The Service Provider allocates portions of its address space to the customers and manages the packet filters on the PE-routers to ensure full reachability between sites of a single customer and isolation between customers.
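The packet-filter approach above, as an added model that is not from the course or from Cisco: the shared POP router derives one inbound permit list per PE-CE interface from the provider-assigned site prefixes, so a site may only source its own addresses and only reach other sites of the same customer. Interface names, customer names and prefixes are constructed for the example.

```python
"""Model of peer-to-peer VPN isolation with packet filters on a shared PE."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: PE-CE interface -> (customer, provider-assigned site prefix).
SITE_ALLOCATIONS = {
    "Serial0/0": ("CustomerA", "10.1.1.0/24"),  # Customer A, Site #1
    "Serial0/1": ("CustomerA", "10.1.2.0/24"),  # Customer A, Site #2
    "Serial0/2": ("CustomerB", "10.2.1.0/24"),  # Customer B, Site #1
}

Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (permitted src, permitted dst)


def build_filters(allocations: Dict[str, Tuple[str, str]]) -> Dict[str, List[Rule]]:
    """Return the inbound permit list for every PE-CE interface.

    A packet entering from a site is permitted only if it is sourced from that
    site's own prefix and destined to another site of the same customer.
    Anything not listed is implicitly denied, so a customer can neither reach
    nor spoof addresses that belong to a different customer.
    """
    filters: Dict[str, List[Rule]] = {}
    for iface, (customer, prefix) in allocations.items():
        src = ipaddress.ip_network(prefix)
        filters[iface] = [
            (src, ipaddress.ip_network(other_prefix))
            for other_iface, (other_customer, other_prefix) in allocations.items()
            if other_customer == customer and other_iface != iface
        ]
    return filters


def permit(filters: Dict[str, List[Rule]], iface: str, src_ip: str, dst_ip: str) -> bool:
    """Evaluate one packet arriving on iface against that interface's filter."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in filters.get(iface, []))


def rule_count(filters: Dict[str, List[Rule]]) -> int:
    """Permit entries the provider must maintain; grows with n(n-1) per customer."""
    return sum(len(rules) for rules in filters.values())


if __name__ == "__main__":
    f = build_filters(SITE_ALLOCATIONS)
    print("A1 -> A2 permitted:", permit(f, "Serial0/0", "10.1.1.10", "10.1.2.20"))
    print("A1 -> B1 permitted:", permit(f, "Serial0/0", "10.1.1.10", "10.2.1.5"))
    print("spoofed B source on A1 link:", permit(f, "Serial0/0", "10.2.1.5", "10.1.2.20"))
    print("permit entries to maintain:", rule_count(f))
```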

Peer-to-Peer VPN with Controlled Route Distribution

Figure: Service provider network. Customer A Site #1 and Site #2 attach to PE-router Customer-A, Customer B Site #1 attaches to PE-router Customer-B, and both PE-routers connect through uplinks to the P-router at the Point-of-Presence. Each customer has a dedicated PE router that only carries its routes; the P-router contains all customer routes; customer isolation is achieved through lack of routing information on the PE router.

Maintaining packet filters is a mundane and error-prone task. Some Service Providers thus implemented more innovative solutions based on controlled route distribution. In this approach, the core Service Provider routers (the P-routers) would contain all customer routes and the PE-routers would only contain routes of a single customer, requiring a dedicated PE-router per customer per Point-of-Presence (POP). The customer isolation is achieved solely through lack of routing information on the PE-router. Using route filtering between the P-router and the PE-routers, the PE-router for Customer A will only learn routes belonging to Customer A, and the PE-router for Customer B will only learn routes belonging to Customer B. Border Gateway Protocol (BGP) with BGP communities is usually used inside the Provider backbone since it offers the most versatile route filtering tools.

Note: Default routes used anywhere in the customer or Service Provider network break isolation between the customers and have to be avoided.
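The controlled route distribution model above, including the default-route caveat, as an added example that is not part of the course material: routes are tagged with a per-customer BGP community, the P-router keeps them all, each dedicated PE imports only its own community, and a check flags any default route that would make every destination reachable again. Community values, PE names and prefixes are constructed.

```python
"""Model of peer-to-peer VPN isolation through controlled route distribution."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    community: str  # constructed: 65000:100 marks Customer A, 65000:200 Customer B


def tag(prefix: str, community: str) -> Route:
    """Attach the customer's community to a route as it enters the backbone."""
    return Route(ipaddress.ip_network(prefix), community)


# Constructed sample: everything the P-router carries, already tagged.
CUSTOMER_ROUTES = [
    tag("10.1.1.0/24", "65000:100"),  # Customer A, Site #1
    tag("10.1.2.0/24", "65000:100"),  # Customer A, Site #2
    tag("10.2.1.0/24", "65000:200"),  # Customer B, Site #1
]

# Constructed import policy: which community each dedicated PE-router accepts.
PE_IMPORT_POLICY = {"PE-CustomerA": "65000:100", "PE-CustomerB": "65000:200"}


def pe_table(p_table: List[Route], pe_name: str) -> List[Route]:
    """Route filtering between the P-router and one per-customer PE-router:
    the PE learns only the routes carrying its customer's community."""
    wanted = PE_IMPORT_POLICY[pe_name]
    return [r for r in p_table if r.community == wanted]


def lookup(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match; None means the PE has no route and drops the packet."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def isolation_violations(table: List[Route]) -> List[Route]:
    """Routes that defeat isolation-by-absence: a default route matches every
    destination, so the PE forwards packets for other customers' prefixes to
    the P-router, which does know how to reach them."""
    return [r for r in table if r.prefix == DEFAULT_ROUTE]


if __name__ == "__main__":
    pe_a = pe_table(CUSTOMER_ROUTES, "PE-CustomerA")
    print("PE-A routes:", [str(r.prefix) for r in pe_a])
    print("PE-A lookup for Customer B host 10.2.1.5:", lookup(pe_a, "10.2.1.5"))
    leaky = pe_table(CUSTOMER_ROUTES + [tag("0.0.0.0/0", "65000:100")], "PE-CustomerA")
    print("same lookup with a default route present:", lookup(leaky, "10.2.1.5"))
    print("isolation violations:", isolation_violations(leaky))
```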

Benefits of Various VPN Implementations

Overlay VPN
- Well-known and easy to implement
- Service Provider does not participate in customer routing
- Customer network and Service Provider network are well isolated

Peer-to-Peer VPN
- Guarantees optimum routing between customer sites
- Easier to provision an additional VPN
- Only the sites are provisioned, not the links between them

Each VPN paradigm has a number of benefits:

- Overlay VPNs are well known and easy to implement, both from the customer and the Service Provider perspective.
- The Service Provider does not participate in customer routing in overlay VPNs, making the demarcation point between the Service Provider and the customer easier to manage.

On the other hand, peer-to-peer VPNs give you:

- Optimum routing between customer sites without any special design or configuration effort
- Easy provisioning of additional VPNs or customer sites, as the Service Provider only needs to provision individual sites, not the links between individual customer sites.

Drawbacks of Various VPN Implementations

Overlay VPN
- Implementing optimum routing requires a full mesh of virtual circuits
- Virtual circuits have to be provisioned manually
- Bandwidth must be provisioned on a site-to-site basis
- Always incurs encapsulation overhead

Peer-to-Peer VPN
- Service Provider participates in customer routing
- SP becomes responsible for customer convergence
- PE routers carry all routes from all customers
- SP needs detailed IP routing knowledge

Each VPN paradigm also has a number of drawbacks:

- Overlay VPNs require a full mesh of virtual circuits between customer sites to provide optimum inter-site routing.
- All the virtual circuits between customer sites in an overlay VPN have to be provisioned manually, and the bandwidth must be provisioned on a site-to-site basis (which is not always easy to achieve).
- The IP-based overlay VPN implementations (with IPSec or GRE) also incur high encapsulation overhead (ranging from 20 to 80 bytes per transported datagram).

The major drawbacks of peer-to-peer VPN arise from the Service Provider's involvement in customer routing:

- The Service Provider becomes responsible for correct customer routing and for fast convergence of the customer network following a link failure.
- The Service Provider P-routers have to carry all customer routes, which were hidden from the Service Provider in the overlay VPN paradigm.
- The Service Provider needs detailed IP routing knowledge, which is not readily available in traditional Service Provider teams.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    46/292

    2-22 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page26

Drawbacks of Traditional Peer-to-Peer VPNs

Shared PE router
  All customers share the same (provider-assigned or public) address space
  High maintenance costs associated with packet filters
  Lower performance: each packet has to pass a packet filter

Dedicated PE router
  All customers share the same address space
  Each customer requires a dedicated router at each POP

The pre-MPLS VPN implementations of peer-to-peer VPNs all shared a common drawback: the customers have to share the same address space, either using public IP addresses in their private networks or relying on service provider-assigned IP addresses. In both cases, connecting a new customer to a peer-to-peer VPN service usually requires IP renumbering inside the customer network, an operation which most customers are reluctant to perform.

The peer-to-peer VPNs based on packet filters also incur high operational costs associated with packet filter maintenance, as well as performance degradation due to heavy usage of packet filters. The filters are also the only mechanism keeping customers apart on the shared router, so a single filter error immediately exposes one customer's network to another.

The peer-to-peer VPNs implemented with per-customer PE-routers are easier to maintain and can give you optimum routing performance, but are usually more expensive, since every customer requires a dedicated router in every POP. This approach is thus usually used in scenarios where the Service Provider only provides service to a small number of large customers.


    Summary


VPN Taxonomy

Virtual Networks
  Virtual Dialup Networks
  Virtual LANs
  Virtual Private Networks
    Overlay VPN
      Layer 2 VPN: X.25, Frame Relay, ATM
      Layer 3 VPN: IPSec, GRE
    Peer-to-Peer VPN
      Access Lists (Shared Router)
      Split Routing (Dedicated Router)
      MPLS VPN

There are a number of different Virtual Networking concepts present in the data communications field:

• Virtual Local Area Networks (VLAN) allow you to implement isolated LANs over the same physical infrastructure

• Virtual Private Dialup Networks (VPDN) allow customers to use the dial-in infrastructure of a Service Provider for their private dial-up connections

• Virtual Private Networks (VPN) allow customers to use the shared infrastructure of a Service Provider to implement their private networks.

There are two major VPN paradigms:

• Overlay VPN, where the Service Provider gives the customer emulated point-to-point links across the Service Provider backbone, and

• Peer-to-peer VPN, where the Service Provider becomes actively involved in customer routing and acts as the core layer-3 backbone of the customer network.

The overlay VPNs are implemented with a number of technologies, ranging from traditional layer-1 technologies (ISDN, SDH, SONET) and layer-2 technologies (X.25, Frame Relay, ATM) to modern IP-based solutions (GRE and IPSec).


The overlay VPNs, although well known and easy to implement, are harder to operate due to higher maintenance costs:

• Every individual virtual circuit needs to be provisioned

• Optimum routing between customer sites requires a full mesh of virtual circuits between sites

• Bandwidth has to be provisioned on a site-to-site basis.

Traditional peer-to-peer VPNs are implemented with packet filters on shared PE-routers or with dedicated per-customer PE-routers. Along with high maintenance costs (for the packet-filter approach) or equipment costs (for the dedicated per-customer PE-router approach), both methods require the customer to accept the Service Provider assigned address space or to use public IP addresses in the private customer network.

MPLS VPN, introduced in the next sections, provides all the benefits of peer-to-peer VPNs and alleviates most of the peer-to-peer VPN drawbacks (for example, the need for a common customer address space).

Review Questions

Answer the following questions:

• What is an overlay VPN?

• Which routing protocol runs between the customer and the service provider in an overlay VPN?

• Which routers are routing protocol neighbors of a CE-router in an overlay VPN?

• List three IP-based overlay VPN technologies.

• What is the major benefit of peer-to-peer VPN as compared to overlay VPN?

• List two traditional peer-to-peer VPN implementations.

• What is the drawback of all traditional peer-to-peer VPN implementations?


    Major VPN Topologies

Objectives

Upon completion of this section, you will be able to perform the following tasks:

• Identify the three major categorizations of VPN

• Identify the three Overlay VPN topologies

• Understand the implications of using the overlay VPN approach with each topology

• List sample usage scenarios for each topology

• Identify the three VPN categorizations based on business needs

• Identify the three VPN categorizations based on connectivity needs

VPN Categorizations

There are three major VPN categorizations:

• Topology categorization, which only applies to overlay VPNs

• Business categorization, which categorizes VPNs based on the business needs they fulfill

• Connectivity categorization, which classifies VPNs based on their connectivity requirements.


VPN Topology Categorization

Overlay VPNs are categorized based on the topology of the virtual circuits:
  (Redundant) hub-and-spoke topology
  Partial-mesh topology
  Full-mesh topology
  Multi-level topology: combines several levels of overlay VPN topologies

The oldest VPN categorization was based on the topology of point-to-point links in an overlay VPN implementation:

• Full-mesh topology provides a dedicated virtual circuit between any two CE-routers in the network

• Partial-mesh topology reduces the number of virtual circuits, usually to the minimum number that still provides optimum transport between major sites

• Hub-and-spoke topology is the ultimate reduction of partial mesh: many sites (spokes) are only connected with the central site(s) (hubs), with no direct connectivity between the spokes. To prevent single points of failure, the hub-and-spoke topology is sometimes extended to a redundant hub-and-spoke topology.

Large networks usually deploy a layered combination of these topologies, for example:

• Partial mesh in the network core

• Redundant hub-and-spoke for larger branch offices (spokes) connected to distribution routers (hubs)

• Simple hub-and-spoke for non-critical remote locations (for example, home offices).


Overlay VPN Hub-and-Spoke Topology

Figure: a central site (hub) router in the Service Provider network, with one virtual circuit to each of four remote sites (spokes).

The hub-and-spoke topology is the simplest overlay VPN topology: all remote sites are linked with a single virtual circuit to a central CE-router. The routing is also extremely simple; static routing or a distance-vector protocol like RIP is more than adequate. If you are using a dynamic routing protocol like RIP, split horizon must be disabled at the hub router, or you must use point-to-point subinterfaces at the hub router, to overcome the split-horizon problem: with all spoke circuits terminating on one multipoint interface, the hub would otherwise never advertise one spoke's routes back out of that interface to the other spokes.
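To make the split-horizon problem concrete, here is a small distance-vector simulation added as an example; it is not from the course and not Cisco code. It models the hub's Frame Relay attachment either as one multipoint interface carrying all spoke virtual circuits or as one point-to-point subinterface per circuit, and checks whether spokes end up with routes to each other. Router names, interface names and prefixes are made up for the demonstration.

```python
"""Split horizon on a hub-and-spoke overlay VPN: a minimal distance-vector model.

Added example, not part of the original course material and not Cisco code.
Each router advertises its whole table to every neighbour once per round; with
split horizon, routes are not sent out of the interface they were learned on.
Names, interfaces and prefixes are constructed for the demonstration.
"""


class Router:
    def __init__(self, name, split_horizon=True):
        self.name = name
        self.split_horizon = split_horizon
        self.table = {}   # prefix -> (hop count, interface learned on; None = connected)
        self.links = []   # (local interface, neighbour, neighbour's interface)
        self.lan = None

    def connect(self, iface, other, other_iface):
        self.links.append((iface, other, other_iface))
        other.links.append((other_iface, self, iface))

    def add_connected(self, prefix):
        self.table[prefix] = (0, None)
        self.lan = prefix

    def advertisement(self, out_iface):
        """Routes sent out of out_iface; split horizon drops those learned on it."""
        return {p: hops for p, (hops, via) in self.table.items()
                if not (self.split_horizon and via == out_iface)}

    def receive(self, in_iface, routes):
        """Install routes with a better hop count; return True if anything changed."""
        changed = False
        for prefix, hops in routes.items():
            hops += 1
            current = self.table.get(prefix)
            if current is None or hops < current[0]:
                self.table[prefix] = (hops, in_iface)
                changed = True
        return changed


def converge(routers, max_rounds=20):
    """Exchange updates until no table changes (or max_rounds is reached)."""
    for _ in range(max_rounds):
        changed = False
        for r in routers:
            for iface, nbr, nbr_iface in r.links:
                changed |= nbr.receive(nbr_iface, r.advertisement(iface))
        if not changed:
            break
    return routers


def build_hub_and_spoke(point_to_point_subifs, hub_split_horizon=True):
    """Hub plus three spokes, one virtual circuit each (constructed topology)."""
    hub = Router("hub", split_horizon=hub_split_horizon)
    hub.add_connected("10.0.0.0/16")            # central site LAN
    spokes = []
    for i in (1, 2, 3):
        spoke = Router(f"spoke{i}")
        spoke.add_connected(f"10.{i}.0.0/16")   # remote site LAN
        # one multipoint interface for all circuits, or one subinterface per circuit
        hub_iface = f"Serial0.{i}" if point_to_point_subifs else "Serial0"
        hub.connect(hub_iface, spoke, "Serial0")
        spokes.append(spoke)
    converge([hub] + spokes)
    return hub, spokes


def spoke_to_spoke_reachable(spokes):
    """True if every spoke has a route to every other spoke's LAN."""
    return all(other.lan in s.table
               for s in spokes for other in spokes if other is not s)


def hub_knows_all(hub, spokes):
    return all(s.lan in hub.table for s in spokes)


if __name__ == "__main__":
    for subifs, sh in ((False, True), (False, False), (True, True)):
        hub, spokes = build_hub_and_spoke(subifs, sh)
        print(f"subinterfaces={subifs} hub split horizon={sh}: "
              f"spoke-to-spoke={spoke_to_spoke_reachable(spokes)}")
```

With the multipoint interface and split horizon left on, the hub learns every spoke LAN but never re-advertises them, so spokes reach only the central site; either turning split horizon off on that interface or using per-circuit subinterfaces restores spoke-to-spoke reachability through the hub.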


Overlay VPN Redundant Hub-and-Spoke

Figure: two central site routers (primary and redundant) in the Service Provider network; each remote site (spoke) is linked to both with a virtual circuit.

    A typical redundant hub-and-spoke topology introduces central site redundancy

    (more complex topologies might also introduce router redundancy at spokes).

    Each remote site is linked with two central routers via two virtual circuits. The two

    virtual circuits can be used for load sharing or in a primary/backup configuration.


Overlay VPN Partial Mesh

Figure: six sites (Moscow, Sydney, Guam, Berlin, Hong Kong, New York) interconnected by Frame Relay virtual circuits (DLCIs) in a partial mesh.

Partial mesh is used in environments where the cost or complexity factors prevent a full mesh between customer sites. The virtual circuits in a partial mesh can be established based on a wide range of criteria:

• Traffic pattern between sites

• Availability of physical infrastructure

• Cost considerations


Overlay VPN Multi-Level Hub-and-Spoke

Figure: two redundant central site routers (hub) connected over the Service Provider network to distribution-layer routers at distribution sites, which in turn connect to the remote sites (spokes).

Various overlay VPN topologies are usually combined in a large network. For example, in the diagram above, a redundant hub-and-spoke topology is used in the network core and a non-redundant hub-and-spoke is used between distribution sites and remote sites. This topology would be commonly used in environments where all traffic flows between the central site and the remote sites and there is little (or no) traffic exchanged directly between the remote sites.


VPN Business Categorization

VPNs can be categorized on the business needs they fulfill:
  Intranet VPN: connects sites within an organization
  Extranet VPN: connects different organizations in a secure way
  Access VPN: Virtual Private Dialup Network (VPDN) provides dial-up access into a customer network

Another very popular VPN categorization classifies VPNs based on the business needs they fulfill:

• Intranet VPNs connect sites within an organization. Security mechanisms are usually not deployed in an Intranet, as all sites belong to the same organization.

• Extranet VPNs connect different organizations. Extranet implementations usually rely on security mechanisms to ensure protection of the individual organizations participating in the Extranet. The security mechanisms are usually the responsibility of the individual participating organizations.

• Access VPNs (Virtual Private Dialup Networks) provide dial-up access into a customer network.


    The following two diagrams compare overlay VPN implementation of an Extranet

    with a peer-to-peer one. Similar comparisons could be made for Intranets as well.


Extranet VPN Overlay VPN Implementation

Figure: GlobalMotors, AirFilters Inc., BoltsAndNuts and SuperBrakes Inc., each behind a firewall, attached to Frame Relay switches in the provider IP backbone, with Frame Relay virtual circuits (DLCIs) between the organizations.

In an overlay implementation of an Extranet, organizations are linked with dedicated virtual circuits. Traffic between two organizations can only flow if:

• There is a direct virtual circuit between the organizations, or

• There is a third organization linked with both of them that is willing to provide transit traffic capability to them. As establishing virtual circuits between two organizations is always associated with costs, the transit traffic capability is almost never granted free of charge.


Extranet VPN Peer-to-Peer VPN Implementation

Figure: the same four organizations, each behind a firewall, attached to Provider Edge (PE) routers of the provider IP backbone.

The peer-to-peer VPN implementation of an Extranet VPN is very simple compared to an overlay VPN implementation: all sites are connected to the Service Provider network and optimum routing between sites is enabled by default. Because any-to-any reachability is the default, each organization's firewall (shown in the diagram) is what decides which partners may actually reach it.

The cost model of the peer-to-peer implementation is also simpler: usually every organization pays its connectivity fees for participation in the Extranet and gets full connectivity to all other sites.


Central Services Extranet

Figure: Customers A, B and C attached to the Service Provider network reach VoIP gateways in London, Amsterdam and Paris on the service provider extranet infrastructure.

    This diagram shows a sample Central Services extranet implementing

    international Voice-over-IP service. Every customer of this service can access

    voice gateways in various countries, but cannot access other customers using the

    same service.


Central Services Extranet Hybrid (Overlay + P2P) Implementation

Figure: Customers A, B and C reach Provider Edge routers through Frame Relay edge switches and Frame Relay virtual circuits; the Provider Edge routers connect over the Service Provider network to VoIP gateways in London, Amsterdam and Paris on the service provider extranet infrastructure.

The network diagram shown above describes an interesting scenario where peer-to-peer VPN and overlay VPN implementations are combined to provide end-to-end service to the customer.

The VoIP service is implemented with a Central Services extranet topology, which is in turn implemented with a peer-to-peer VPN. The connectivity between the PE-routers of the peer-to-peer VPN and the customer routers is implemented with an overlay VPN based on Frame Relay. The PE-routers of the peer-to-peer VPN and the CE-routers act as CE-devices of the Frame Relay network.


Managed Network Overlay VPN Implementation

Figure: a central site (hub) with redundant central site routers and remote sites (spokes) across the service provider network; dedicated virtual circuits from each managed site to the Network Management Center are used for network management.

A network management VPN is traditionally implemented in combination with overlay VPN services. Dedicated virtual circuits are deployed between every managed CE-router and the central network management router (NMS-router) to which the Network Management Station (NMS) is connected.

This network management VPN implementation is sometimes called the rainbow implementation, as the physical link between the NMS-router and the core of the Service Provider network carries a number of virtual circuits: one circuit per managed router.


    Summary

There are three major categorizations of Virtual Private Networks:

• Topology categorization, which classifies VPNs based on the topology of point-to-point connections in an overlay VPN implementation

• Business categorization, which classifies VPNs into Intranets, Extranets and niche solutions like Virtual Private Dialup Networks

• Connectivity categorization, which classifies VPNs based on their connectivity needs.

The topology categorization ranges from full mesh, where there is a direct virtual circuit between any two sites, to partial mesh, which is built based on a number of constraints (traffic patterns and cost being the most important of them), and finally hub-and-spoke, where a central site acts as the transit point between all spoke sites. Real-life large networks are usually implemented with a combination of these topologies.

The connectivity categorization divides VPNs into simple VPNs (with any-to-any connectivity), overlapping VPNs, where a single site participates in more than one simple VPN, Central Services VPNs, where some sites have limited connectivity, and Network Management VPNs, which are really only a special case of Central Services VPN.

Review Questions

Answer the following questions:

• What are the major Overlay VPN topologies?

• Why would customers prefer a partial mesh over a full mesh topology?

• What is the difference between an Intranet and an Extranet?

• What is the difference between a simple VPN and a Central Services VPN?

• What are the connectivity requirements of a Central Services VPN?


    MPLS VPN Architecture

Objectives

Upon completion of this section, you will be able to perform the following tasks:

• Understand the difference between traditional peer-to-peer models and MPLS VPN

• List the benefits of MPLS VPN

• Describe the major architectural blocks of MPLS VPN

• Explain the need for route distinguisher (RD) and route target (RT)


MPLS VPN Architecture

MPLS VPN combines the best features of overlay VPN and peer-to-peer VPN:
  PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning
  PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach)
  Customers can use overlapping addresses

The MPLS VPN architecture provides Service Providers with a peer-to-peer VPN architecture that combines the best feature of overlay VPNs (support for overlapping customer address spaces) with the best features of peer-to-peer VPNs:

• PE routers participate in customer routing, guaranteeing optimum routing between customer sites

• PE routers carry a separate set of routes for each customer, resulting in isolation between the customers at the routing and forwarding level. This isolation is not encryption: customer traffic crosses the provider backbone in the clear, just as in a Frame Relay or ATM overlay VPN, so confidentiality still has to come from IPSec or similar protection on top.
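The isolation claim above can be illustrated with a small model of the PE-router's routing tables. This is an added example, not the course's or Cisco's code: a shared-table PE as in the traditional peer-to-peer approach beside a PE that keeps one virtual routing table per customer. Customer names, prefixes and next-hop names are made up; the lookup is plain longest-prefix match and does not model route distinguishers or route targets, which the course introduces later.

```python
"""Shared routing table vs. per-customer virtual routing tables on a PE-router.

Added example, not from the original course material. It shows why a
traditional peer-to-peer PE cannot serve two customers that use the same
address space, and how separate per-customer tables (the MPLS VPN approach)
keep them apart. Customer names, prefixes and next hops are constructed.
"""
import ipaddress


class RoutingTable:
    """IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}   # IPv4Network -> next hop

    def add(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix)
        if net in self.routes and self.routes[net] != next_hop:
            raise ValueError(f"{net} already points to {self.routes[net]}, "
                             f"cannot also point to {next_hop}")
        self.routes[net] = next_hop

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class SharedPE:
    """Traditional peer-to-peer PE: every customer's routes land in one table."""

    def __init__(self):
        self.table = RoutingTable()

    def learn(self, customer, prefix, next_hop):
        self.table.add(prefix, next_hop)

    def forward(self, customer, destination):
        return self.table.lookup(destination)


class VrfPE:
    """MPLS VPN style PE: one virtual routing table per customer plus a global one."""

    def __init__(self):
        self.vrfs = {}
        self.global_table = RoutingTable()   # provider's own routes, not visible to customers

    def learn(self, customer, prefix, next_hop):
        self.vrfs.setdefault(customer, RoutingTable()).add(prefix, next_hop)

    def forward(self, customer, destination):
        """The CE-facing interface selects the customer's table; no fallback to global (assumption)."""
        vrf = self.vrfs.get(customer)
        return vrf.lookup(destination) if vrf else None


# Constructed sample: both customers use 10.1.0.0/16; customer A also has 10.2.0.0/16
SAMPLE_ROUTES = [
    ("A", "10.1.0.0/16", "CE-A1"),
    ("A", "10.2.0.0/16", "CE-A2"),
    ("B", "10.1.0.0/16", "CE-B1"),
]


def shared_table_conflict(routes):
    """Prefix that a shared-table PE refuses to install, or None if all routes fit."""
    pe = SharedPE()
    for customer, prefix, next_hop in routes:
        try:
            pe.learn(customer, prefix, next_hop)
        except ValueError:
            return prefix
    return None


def vrf_pe(routes):
    """Build a VRF-style PE holding the given customer routes plus one provider route."""
    pe = VrfPE()
    pe.global_table.add("192.0.2.0/24", "P1")   # provider-internal route (constructed)
    for customer, prefix, next_hop in routes:
        pe.learn(customer, prefix, next_hop)
    return pe


if __name__ == "__main__":
    print("shared table rejects:", shared_table_conflict(SAMPLE_ROUTES))
    pe = vrf_pe(SAMPLE_ROUTES)
    print("A -> 10.1.4.4:", pe.forward("A", "10.1.4.4"))
    print("B -> 10.1.4.4:", pe.forward("B", "10.1.4.4"))
    print("B -> 10.2.1.1:", pe.forward("B", "10.2.1.1"))
```

The shared table has to reject (or silently overwrite) the second 10.1.0.0/16, which is exactly the renumbering problem of the traditional peer-to-peer model; the per-customer tables return a different next hop for the same destination address depending on which customer's interface the packet arrived on, and a customer sees neither the other customer's routes nor the provider's global routes.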


MPLS VPN Terminology

Figure: Customer A sites #1 to #4 and Customer B sites #1 to #4 (some with remote offices) connect through CE routers to PE-routers at POP-X and POP-Y; P-routers form the P-network between the POPs.

The MPLS VPN terminology divides the overall network into a customer-controlled part (C-network) and a provider-controlled part (P-network). Contiguous portions of the C-network are called sites and are linked with the P-network via CE-routers. The CE-routers are connected to the PE-routers, which serve as the edge devices of the Provider network. The core devices in the provider network (P-routers) provide the transit transport across the provider backbone and do not carry customer routes.


Provider Edge Router Architecture

Figure: a PE-router containing a global IP router (facing the P-router), a virtual router for Customer A (Sites #1 and #2) and a virtual router for Customer B (Site #1), each virtual router with its own virtual IP routing table.

    Virtual IP r