Top Banner

of 292

Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

Apr 05, 2018

Download

Documents

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    1/292

    AMVS

    Advanced MPLS

    VPN Solutions

    Volume 1Version 1.0

    Student Guide

    Text Part Number: 97-0624-01

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    2/292

    The products and specifications, configurations, and other technical information regarding the products in this

    manual are subject to change without notice. All statements, technical information, and recommendations in this

    manual are believed to be accurate but are presented without warranty of any kind, express or implied. You

    must take full responsibility for their application of any products specified in this manual.

    LICENSE

    PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL,

    DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU

    AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT

    AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS

    (WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.

    Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable licenseto use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software

    (Software), Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code

    form solely on a single central processing unit owned or leased by You or otherwise embedded in equipment

    provided by Cisco. You may make one (1) archival copy of the Software provided You affix to such copy all

    copyright, confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY

    AUTHORIZED ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY

    THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE

    SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE

    MATERIALS.

    You agree that aspects of the licensed Materials, including the specific design and structure of individual

    programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or

    otherwise make available such trade secrets or copyrighted material in any form to any third party without the

    prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade

    secrets and copyrighted Material. Title to the Materials shall remain solely with Cisco.

    This License is effective until terminated. You may terminate this License at any time by destroying all copies

    of the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with

    any provision of this License. Upon termination, You must destroy all copies of the Materials.

    Software, including technical data, is subject to U.S. export control laws, including the U.S. Export

    Administration Act and its associated regulations, and may be subject to export or import regulations in other

    countries. You agree to comply strictly with all such regulations and acknowledge that it has the responsibility

    to obtain licenses to export, re-export, or import Software.

    This License shall be governed by and construed in accordance with the laws of the State of California, United

    States of America, as if performed wholly within the state and without giving effect to the principles of conflict

    of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall

    remain in full force and effect. This License constitutes the entire License between the parties with respect to

    the use of the Materials

    Restricted Rights - Ciscos software is provided to non-DOD agencies with RESTRICTED RIGHTS and its

    supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S.Government is subject to the restrict ions as set forth in subparagraph C of the Commercial Computer

    Software - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S.

    Governments rights in software, supporting documentation, and technical data are governed by the restrictions

    in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.

    DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS.

    CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,

    WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE

    AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE

    PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,

    CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST

    PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS

    MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF

    SUCH DAMAGES. In no event shall Ciscos or its suppliers liability to You, whether in contract, tort

    (including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even

    if the above-stated warranty fails of its essential purpose.

    The following information is for FCC compliance of Class A devices: This equipment has been tested and

    found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits

    are designed to provide reasonable protection against harmful interference when the equipment is operated in a

    commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not

    installed and used in accordance with the instruction manual, may cause harmful interference to radio

    communications. Operation of this equipment in a residential area is likely to cause harmful interference, in

    which case users will be required to correct the interference at their own expense.

    The following information is for FCC compliance of Class B devices: The equipment described in this manual

    generates and may radiate radio-frequency energy. If it is not installed in accordance with Ciscos installation

    instructions, it may cause interference with radio and television reception. This equipment has been tested and

    found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    3/292

    the FCC rules. These specifications are designed to provide reasonable protection against such interference in a

    residential installation. However, there is no guarantee that interference will not occur in a particular

    installation.

    You can determine whether your equipment is causing interference by turning it off. If the interference stops, i t

    was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes

    interference to radio or television reception, try to correct the interference by using one or more of the following

    measures:

    Turn the television or radio antenna until the interference stops.

    Move the equipment to one side or the other of the television or radio.

    Move the equipment farther away from the television or radio.

    Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, makecertain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)

    Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate

    your authority to operate the product.

    The following third-party software may be included with your product and will be subject to the software

    license agreement:

    CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-

    Packard Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright 1992, 1993

    Hewlett-Packard Company.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the

    University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating

    system. All rights reserved. Copyright 1981, Regents of the University of California.

    Network Time Protocol (NTP). Copyright 1992, David L. Mills. The University of Delaware makes no

    representations about the suitability of this software for any purpose.

    Point-to-Point Protocol. Copyright 1989, Carnegie-Mellon University. All rights reserved. The name of the

    University may not be used to endorse or promote products derived from this software without specific prior

    written permission.

    The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed

    by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating

    system. All rights reserved. Copyright 1981-1988, Regents of the University of California.

    Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products.

    Fastmac software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to

    Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered

    trademarks of Madge Networks Limited. Copyright 1995, Madge Networks Limited. All rights reserved.

    XRemote is a trademark of Network Computing Devices, Inc. Copyright 1989, Network Computing Devices,

    Inc., Mountain View, California. NCD makes no representations about the suitabili ty of this software for any

    purpose.

    The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved.

    Access Registrar, AccessPath, Any to Any, Are You Ready, AtmDirector, Browse with Me, CCDA, CCDE,

    CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo,

    CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network

    logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco

    Systems Networking Academy logo, the Cisco Technologies logo, Fast Step, FireRunner, Follow Me Browsing,

    FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, IQ Breakthrough, IQ

    Expertise, IQ FastTrack, IQ Readiness Scorecard, The IQ Logo, Kernel Proxy, MGX, Natural Network Viewer,

    NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy

    Builder, Precept, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast,

    SMARTnet, SVX, The Cell, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router,

    Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and

    Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service

    marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco

    Systems logo, the Cisco Systems Cisco Press logo, CollisionFree, Enterprise/Solver, EtherChannel,EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch,

    MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are

    registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other

    trademarks mentioned in this document are the property of their respective owners. The use of the word partner

    does not imply a partnership relationship between Cisco and any of its resellers. (0005R)

    Advanced MPLS VPN Solutions, Revision 1.0: Student Guide

    Copyright 2000, Cisco Systems, Inc.

    All rights reserved. Printed in USA.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    4/292

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    5/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions v

    Table of Contents

    Volume 1

    ADVANCED MPLS VPN SOLUTIONS 1-1

    Overview 1-1

    Course Objectives 1-2

    Course Objectives Implementation 1-3Course Objectives Solutions 1-4

    Prerequisites 1-5

    Participant Role 1-7

    General Administration 1-9

    Sources of Information 1-10

    MPLS VPN TECHNOLOGY 2-1

    Overview 2-1Objectives 2-1

    Introduction to Virtual Private Networks 2-2Objectives 2-2

    Summary 2-8Review Questions 2-8

    Overlay and Peer-to-Peer VPN 2-9

    Objectives 2-9Overlay VPN Implementations 2-13

    Summary 2-23

    Review Questions 2-24Major VPN Topologies 2-25

    Objectives 2-25VPN Categorizations 2-25

    Summary 2-38Review Questions 2-38

    MPLS VPN Architecture 2-39

    Objectives 2-39Summary 2-60

    Review Questions 2-61

    MPLS VPN Routing Model 2-62Objectives 2-62

    Summary 2-78Review Questions 2-78

    MPLS VPN Packet Forwarding 2-79Objectives 2-79Summary 2-91

    Review Questions 2-91Lesson Summary 2-92

    Answers to Review Questions 2-93Introduction to Virtual Private Networks 2-93Overlay and Peer-to-Peer VPN 2-93

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    6/292

    vi Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Major VPN Topologies 2-94

    MPLS VPN Architecture 2-94MPLS VPN Routing Model 2-95MPLS VPN Packet Forwarding 2-96

    MPLS/VPN CONFIGURATION ON IOS PLATFORMS 3-1

    Overview 3-1

    Objectives 3-1

    MPLS/VPN Mechanisms in Cisco IOS 3-2Objectives 3-2Summary 3-16Review Questions 3-16

    Configuring Virtual Routing and Forwarding Table 3-17Objectives 3-17

    Summary 3-26Review Questions 3-26

    Configuring a Multi-Protocol BGP Session Between the PE Routers 3-27

    Objectives 3-27Summary 3-43

    Review Questions 3-43

    Configuring Routing Protocols Between PE and CE Routers 3-44Objectives 3-44

    Summary 3-55Review Questions 3-55

    Monitoring MPLS/VPN Operation 3-56Objectives 3-56Summary 3-82

    Review Questions 3-82

    Troubleshooting MPLS/VPN 3-83

    Objectives 3-83Summary 3-100Review Questions 3-100

    Advanced VRF Import/Export Features 3-101Objectives 3-101

    Summary 3-115Review Questions 3-115

    Advanced PE-CE BGP Configuration 3-116

    Objectives 3-116Summary 3-134

    Review Questions 3-134

    USING OSPF IN AN MPLS VPN ENVIRONMENT 4-1

    Overview 4-1

    Objectives 4-1

    Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-2

    Objectives 4-2Summary 4-26

    Review Questions 4-26

    Configuring and Monitoring OSPF in an MPLS VPN Environment 4-27Objectives 4-27

    Summary 4-35Review Questions 4-35

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    7/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions vii

    Summary 4-36

    Answers to Review Questions 4-37

    Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-37Configuring and Monitoring OSPF in an MPLS VPN Environment 4-37

    Volume 2

    MPLS VPN TOPOLOGIES 5-1

    Overview 5-1Objectives 5-1

    Simple VPN with Optimal Intra-VPN Routing 5-2

    Objectives 5-2Summary 5-17

    Review Questions 5-17

    Using BGP as the PE-CE Routing Protocol 5-18Objectives 5-18

    Summary 5-23Review Questions 5-23

    Overlapping Virtual Private Networks 5-24

    Objectives 5-24

    Summary 5-33Review Questions 5-33

    Central Services VPN Solutions 5-34

    Objectives 5-34Summary 5-47Review Questions 5-47

    Hub-andSpoke VPN Solutions 5-48Objectives 5-48

    Summary 5-54Review Questions 5-54

    Managed CE-Router Service 5-55

    Objectives 5-55

    Summary 5-60Review Questions 5-60Chapter Summary 5-60

    INTERNET ACCESS FROM A VPN 6-1

    Overview 6-1Objectives 6-1

    Integrating Internet Access with the MPLS VPN Solution 6-2Objectives 6-2Summary 6-16

    Review Questions 6-16

    Design Options for Integrating Internet Access with MPLS VPN 6-17Objectives 6-17Summary 6-23Review Questions 6-23

    Leaking Between VPN and Global Backbone Routing 6-24Objectives 6-24

    Usability of Packet Leaking for Various Internet Access Services 6-32Redundant Internet Access with Packet Leaking 6-36Summary 6-38

    Review Questions 6-38

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    8/292

    viii Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Separating Internet Access from VPN Service 6-39

    Objectives 6-39Usability of Separated Internet Access for Various InternetAccess Services 6-44

    Summary 6-46Review Questions 6-46

    Internet Access Backbone as a Separate VPN 6-47Objectives 6-47Usability of Internet in a VPN Solution for Various Internet

    Access Services 6-52Summary 6-56

    Review Questions 6-57Chapter Summary 6-57

    MPLS VPN DESIGN GUIDELINES 7-1

    Overview 7-1Objectives 7-1

    Backbone and PE-CE Link Addressing Scheme 7-2Objectives 7-2

    Summary 7-15

    Review Questions 7-16Backbone IGP Selection and Design 7-17

    Objectives 7-17Summary 7-30

    Review Questions 7-31

    Route Distinguisher and Route Target Allocation Schemes 7-32Objective 7-32

    Summary 7-37Review Questions 7-37

    End-to-End Convergence Issues 7-38Objectives 7-38Summary 7-52

    Review Questions 7-52Chapter Summary 7-53

    Answers to Review Questions 7-54Backbone and PE-CE Link Addressing Scheme 7-54Backbone IGP Selection and Design 7-55

    Route Distinguisher and Route Target Allocation Scheme 7-56End-to-End Convergence Issues 7-56

    LARGE-SCALE MPLS VPN DEPLOYMENT 8-1

    Overview 8-1Objectives 8-1

    MP-BGP Scalability Mechanisms 8-2Objectives 8-2

    Summary 8-12Review Questions 8-12

    Partitioned Route Reflectors 8-13

    Objectives 8-13Summary 8-28

    Review Questions 8-28

    Chapter Summary 8-29

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    9/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions ix

    MPLS VPN MIGRATION STRATEGIES 9-1

    Overview 9-1Objective 9-1

    Infrastructure Migration 9-2

    Objective 9-2Summary 9-9

    Review Questions 9-9

    Customer Migration to MPLS VPN service 9-10Objective 9-10

    Generic Customer Migration Strategy 9-11Migration From Layer-2 Overlay VPN 9-13

    Migration from GRE Tunnel-Based VPN 9-16Migration from IPSec-Based VPN 9-19Migration from L2F-Based VPN 9-20

    Migration From Unsupported PE-CE Routing Protocol 9-22Summary 9-26

    Review Questions 9-26

    Chapter Summary 9-26

    INTRODUCTION TO LABORATORY EXERCISES A-1

    Overview A-1

    Physical And Logical Connectivity A-2

    IP Addressing Scheme A-5

    Initial BGP Design A-7

    Notes Pages A-8

    LABORATORY EXERCISESFRAME-MODE MPLS CONFIGURATION B-1

    Overview B-1

    Laboratory Exercise B-1: Basic MPLS Setup B-2Objectives B-2Command list B-2

    Task 1: Configure MPLS in your backbone B-2Task 2: Remove BGP from your P-routers B-2

    Verification: B-3Review Questions B-4

    Laboratory Exercise B-2: Disabling TTL Propagation B-5Objective B-5Command list B-5

    Task: Disable IP TTL Propagation B-5Verification B-5

    Laboratory Exercise B-3: Conditional Label Advertising B-6Objective B-6Command list B-6

    Task: Configure Conditional Label Advertising B-6Verification B-6

    Review Questions B-7

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    10/292

    x Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    LABORATORY EXERCISESMPLS VPN IMPLEMENTATION C-1

    Overview C-1

    Laboratory Exercise C-1: Initial MPLS VPN Setup C-2Objectives C-2

    Background Information C-2Command list C-3Task 1: Configure multi-protocol BGP C-3

    Task 2: Configure Virtual Routing and Forwarding Tables C-4Additional Objective C-5

    Task 3: Configuring Additional CE routers C-5Verification C-6

    Laboratory Exercise C-2: Running OSPF Between PE and CE Routers C-9

    Objectives C-9Visual Objective C-9

    Command list C-10Task 1: Configure OSPF on CE routers C-10

    Task 2: Configure OSPF on PE routers C-10Verification C-11Task 3: Configure OSPF connectivity with additional CE routers C-11

    Verification C-12Laboratory Exercise C-3: Running BGP Between the PE and CE Routers C-13

    Objectives C-13Background Information C-13Command list C-14

    Task 1: Configure Additional PE-CE link C-14Task 2: Configure BGP as the PE-CE routing protocol C-14

    Verification C-15Task 3: Select Primary and Backup Link with BGP C-16

    Verification: C-16Task 4: Convergence Time Optimization C-17Verification C-17

    LABORATORY EXERCISESMPLS VPN TOPOLOGIES D-1

    Overview D-1

    Laboratory Exercise D-1: Overlapping VPN Topology D-2

    Objective D-2Visual Objective D-2

    Command list D-3Task 1: Design your VPN solution D-4

    Task 2: Remove WGxA1/WGxB1 from existing VRFs D-4Task 3: Configure new VRFs for WGxA1 and WGxB1 D-4Verification: D-4

    Laboratory Exercise D-2: Common Services VPN D-8Objective D-8

    Background Information D-9Command list D-10

    Task 1: Design your Network Management VPN D-10Task 2: Create Network Management VRF D-10Verification D-11

    Task 3: Establish connectivity between NMS VRF and other VRFs D-11Verification D-11

    Task 4: Establish routing between WGxPE2 and the NMS router D-12

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    11/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions xi

    Verification D-13

    Laboratory Exercise D-3: Internet Connectivity Through Route Leaking D-14

    Objective D-14Visual Objective D-14

    Command list D-15Task 1: Cleanup from the previous VPN exercises D-15

    Task 2: Configure route leaking between customer VPN andthe Internet D-15Verification D-16

    Additional exercise: Fix intra-VPN routing D-17Laboratory Exercise D-4: Separate Interface for Internet Connectivity D-18

    Objective D-18Visual Objective D-19

    Command list D-20Task 1: Cleanup from the previous exercise D-20Verification D-21

    Task 2: Establishing connectivity in the global routing table D-21Task 3: Routing between the PE-router and the CE-router D-21

    Verification D-22

    Laboratory Exercise D-5: Internet in a VPN D-23Objective D-23

    Visual Objective D-23Command list D-24

    Task 1: Design your Internet VPN D-24Task 2: Migrate Internet routers in a VPN D-24

    Verification D-25Additional Task: Direct Internet connectivity for all CE-routers D-26Verification D-26

    INITIAL LABORATORY CONFIGURATION E-1

    Overview E-1

    Laboratory Exercise E-1: Initial Core Router Configuration E-2

    Objective E-2Task: Configure Initial Router Configuration E-2

    Verification E-3

    Laboratory Exercise E-2: Initial Customer Router Configuration E-4Objective E-4

    Task: Configure Customer Routers E-4Verification E-5

    Laboratory Exercise E-3: Basic ISP Setup E-6Objective E-6Task 1: Configure IS-IS in your backbone E-6

    Task 2: Configure BGP in your backbone E-6Task 3: Configure Customer Routing E-6

    Task 4: Peering with other Service Providers E-7Task 5: Establishing Network Management Connectivity E-7

    Verification E-7

    INITIAL ROUTER CONFIGURATION F-1

    Overview F-1

    Router WGxPE1 F-2

    Router WGxPE2 F-4

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    12/292

    xii Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Router WGxPE3 F-6

    Router WGxPE4 F-8

    Router WGxP F-10

    Router WGxA1 F-12

    Router WGxA2 F-14

    Router WGxB1 F-15

    Router WGxB2 F-17

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    13/292

    1

    Advanced MPLSVPN Solutions

    Overview

    Advanced MPLS VPN Solutions (AMVS) is an instructor-led course presented by

    Cisco training partners to their end-user customers. This four-day course focuses

    on using Virtual Private Networks (VPN) implemented with Multi-Protocol Label

    Switching (MPLS) technology.

    Upon completion of this training course, you will be able to design, implement

    and troubleshoot MPLS VPN networks.

    This chapter outlines the course prerequisites and course highlights, as well as

    some administrative issues. It includes the following topics:

    I Course Objectives

    I Course Topics

    I Prerequisites

    I Participant Role

    I General Administration

    I

    Sources of InformationI Course Syllabus

    I Graphic Symbols

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    14/292

    1-2 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Course Objectives

    This section lists the course objectives.

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-2

    Course ObjectivesTechnology

    Course ObjectivesTechnology

    Upon completion of this course, youwill be able to perform the following tasks:

    Identify major VPN categories and topologies, theirapplications and technologies that can be used toimplement them

    Describe MPLS/VPN terminology and architecture

    Describe the routing and forwarding model ofMPLS/VPN

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    15/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-3

    Course Objectives Implementation

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-3

    Course ObjectivesImplementation

    Course ObjectivesImplementation

    Upon completion of this course, youwill be able to perform the following tasks:

    Configure Virtual Routing and Forwarding tables

    Configure Multi-protocol BGP in MPLS/VPN backboneand the PE-CE routing protocols

    Configure advanced MPLS/VPN features

    Monitor and troubleshoot MPLS/VPN operations

    Describe the specifics of OSPF operation inside a VPN

    network

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    16/292

    1-4 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Course Objectives Solutions

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-4

    Course ObjectivesSolutions

    Course ObjectivesSolutions

    Upon completion of this course, youwill be able to perform the following tasks:

    Design and implement various MPLS/VPN topologies

    Connect your VPN customers to the Internet

    Design and implement MPLS/VPN backbone

    Build large-scale MPLS VPN backbones

    Develop a migration strategy toward MPLS/VPN from

    a wide range of existing network infrastructures

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    17/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-5

    Prerequisites

    This section lists the course prerequisites.

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-5

    Advanced

    MPLS VPN

    Solutions

    Advanced

    MPLS VPN

    Solutions

    PrerequisitesPrerequisites

    Successful completion of:

    Building Scalable CiscoNetworks (BSCN)

    Configuring BGP on CiscoRouters

    One of the MPLS technologycourses

    Recommended:

    CCNP or CCIE

    certification

    In-depth OSPF or IS-IS

    knowledge

    MPLS Traffic

    Engineering and QoS

    knowledge

    To fully benefit from AMVS, you should already possess certain knowledge and

    skills gained in a structured learning environment. You need to be have:

    I In-depth understanding of IP routing and route redistribution in Cisco IOS

    I

    In-depth knowledge of Border Gateway Protocol (BGP) and practicalexperience in configuring BGP networks

    I Baseline MPLS knowledge.

    These skills can be gained from self-paced or instructor-led training sessions and

    from work experience. The best way to gain the skills you need to follow the

    CBCR course is:

    I To gain IP routing and route redistribution skills, attend Building Scalable

    Cisco Networks (BSCN) course

    I To gain BGP-related skills, attend Configuring BGP on Cisco Routers

    (CBCR) course

    I To gain MPLS knowledge, attend MPLS Technology Essentials or Cisco

    MPLS course.

    You will be able to gain more practical experience from the course if already have

    work experience and router configuration skills. These skills are best demonstrated

    through Cisco career certifications Cisco Certified Networking Professional

    (CCNP) or Cisco Certified Internetworking Expert (CCIE). In-depth knowledge of

    Open Shortest Path First (OSPF) or Integrated Intermediate System Intermediate

    System (IS-IS) routing protocol will help you perform the laboratory exercises

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    18/292

    1-6 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    better. MPLS Traffic Engineering and MPLS Quality of Service knowledge will

    help you understand how these technologies relate to MPLS VPN.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    19/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-7

    Participant Role

    This section discusses your responsibilities as a student.

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-6

    Student role

    Meet prerequisites

    Introduce yourself

    Ask and answer questions

    Participant RoleParticipant Role

    To take full advantage of the information presented in this course, you should

    meet the prerequisites for this class.

    Introduce yourself to the instructor and other students who will be working with

    you during the five days of this course.

    You are encouraged to ask any questions relevant to the course materials.

    If you have pertinent questions concerning other Cisco features and products not

    covered in this course, please bring these topics up during breaks or after class,

    and the instructor will try to answer the questions or direct you to an appropriate

    information source.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    20/292

    1-8 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-7

    Welcome: PleaseIntroduce YourselfWelcome: Please

    Introduce Yourself

    Your name and work location

    Your job responsibilities

    Your internetworking experience

    Your objectives for this week

    Introduce yourself, stating your name and the job function you perform at your

    work location.

    Briefly describe what experience you have with installing and configuring Cisco

    routers, attending Cisco classes, and how your work experience helped you meet

    the prerequisites highlighted earlier.

    You should also state what you expect to learn from this course.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    21/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-9

    General Administration

    This section highlights miscellaneous administrative tasks that must be addressed.

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-8

    General AdministrationGeneral Administration

    Class-related

    Sign-in sheet

    Length and times

    Participant materials

    Attire

    Facilities-related

    Rest rooms

    Site emergencyprocedures

    Break and lunchroom locations

    Communications

    The instructor will discuss the administrative issues in detail so you will know

    exactly what to expect from both the class and facilities. The following items will

    be discussed:

    I Recording your name on a sign-in sheet

    I The starting and anticipated ending time of each class day

    I What materials you can expect to receive during the class

    I The appropriate attire during class attendance

    I Rest room locations

    I What to do in the event of an emergency

    I Class breaks and lunch facilities

    I How to send and receive telephone, e-mail, and fax messages

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    22/292

    1-10 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Sources of Information

    This section identifies additional sources of information.

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-9

    Sources of InformationSources of Information

    Student kit

    www.cisco.com

    CD-ROMs

    Cisco Press

    Most of the information presented in this course can be found on the Cisco

    Systems Web site or on CD-ROM. These supporting materials are available in

    HTML format and as manuals and release notes.

    To learn more about the subjects covered in this course, feel free to access the

    following sources of information:

    I Cisco Documentation CD-ROM

    I ITM CD-ROM

    I Cisco IOS 12.1 Configuration Guide

    I Cisco IOS 12.1 Command Reference Guide

    Many of these documents can be found at the following URL:

    http://www.cisco.com

    Cisco Press books and documents can be found at the following URL:

    http://www.ciscopress.com

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    23/292

    Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-11

    2000, Cisco Systems, Inc. www.cisco.com BSCN v1.01-10

    Course SyllabusCourse Syllabus

    MPLS VPN

    Technology

    MPLS VPNTopologies

    Internet Accessfrom a VPN

    MPLS VPN DesignGuidelines

    Large-Scale MPLSVPN Deployment

    MPLS VPNMigration Strategies

    Technology Implementation Solutions

    MPLS VPN

    Configuration on

    IOS platforms

    Running OSPF

    in an MPLS VPN

    Environment

    The following schedule reflects the recommended structure for this course. This

    structure allows enough time for your instructor to present the course information

    to you and for you to work through the laboratory exercises. The exact timing of

    the subject materials and labs depends on the pace of your specific class.

    Module 1, MPLS VPN Technology (0,5 day)

    The purpose of this module is to introduce you to the concept of Virtual

    Private Networks and MPLS VPN Architecture. The module also

    discusses routing and data forwarding model of MPLS VPN.

    Module 1 includes the following chapters:

    I Chapter 1, Introduction

    I Chapter 2, MPLS VPN Technology

    Module 2, MPLS VPN Implementation (1,5 day)

    The purpose of this module is to describe the operation and

    configuration of MPLS VPN on Cisco IOS platforms.

    Module 2 includes the following chapters:

    I Chapter 3, MPLS VPN Configuration on IOS Platforms

    I Chapter 4, Using OSPF in an MPLS VPN Environment

    Module 3, MPLS VPN Solutions (2 days)

    The purpose of the module is to describe typical MPLS VPN usage

    scenarios and give you design and implementation guidelines needed to

    deploy these scenarios in your network.

    Module 3 includes the following chapters:

    I Chapter 5, MPLS VPN Topologies

    I Chapter 6, Internet Access from a VPN

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    24/292

    1-12 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    I Chapter 7, MPLS VPN Design Guidelines

    I Chapter 8, Large-Scale MPLS VPN Deployment

    I Chapter 9, MPLS VPN Migration Strategies

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    25/292

    2

    MPLS VPN Technology

    Overview

    This lesson introduces Virtual Private Networks (VPN) and two major VPN

    design options overlay VPN and peer-to-peer VPN. VPN terminology and

    topologies are introduced.

    The lesson then describes MPLS VPN architecture, operations and terminology.

    It details CE-PE routing from various perspectives and BGP extensions (route

    targets, and extended community attributes) that allow I-BGP to transport

    customer routes over a provider network. The MPLS VPN forwarding model is

    also covered together with its integration with core routing protocols

    Objectives

    Upon completion of this lesson, you will be able to perform the following tasks:

    I Identify major Virtual Private network topologies, their characteristics and

    usage scenarios

    I Describe the differences between overlay VPN and peer-to-peer VPN

    I List major technologies supporting overlay VPNs and peer-to-peer VPNs

    I Position MPLS VPN in comparison with other peer-to-peer VPN

    implementations

    I Describe major architectural blocks of MPLS VPN

    I Describe MPLS VPN routing model and packet forwarding

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    26/292

    2-2 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Introduction to Virtual Private Networks

    Objectives

    Upon completion of this section, you will be able to perform the following tasks:

    I Describe the concept of VPNI Understand VPN terminology as defined by MPLS VPN architecture

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    27/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-3

    2000, Cisco Systems, Inc. www.cisco.com Page5

    Traditional Router-BasedNetworks

    Traditional Router-BasedNetworks

    Traditional router-based networks connectcustomersites through routers connected viadedicated point-to-point links

    Site C

    Site BSite A

    Site D

    Traditional router-based networks were implemented with dedicated point-to-point

    links connecting customer sites. The cost of such an approach was comparatively

    high for a number of reasons:

    I The dedicated point-to-point links prevented any form of statistical

    infrastructure sharing on the Service Provider side, resulting in high costs for

    the end-customer

    I Every link required a dedicated port on a router, resulting in high equipment

    costs.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    28/292

    2-4 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page6

    Service Provider Network

    Virtual Private NetworksVirtual Private Networks

    Virtual Private Networks replace dedicated point-to-point links with emulated point-to-point links sharingcommon infrastructure

    Customers use VPNs primarily to reduce theiroperational costs

    Customer site

    Customer Premisesrouter (CPE) Large customer site

    CPE router

    Othercustomerrouters

    Provider edge device(Frame Relay switch)

    PE device

    Provider coredevice

    PE device CPE router

    Virtual Circuit (VC) #2

    Virtual Circuit (VC) #1

    Virtual Private Networks (VPNs) were introduced very early in the history of data

    communications with technologies like X.25 and Frame Relay, which use virtual

    circuits to establish the end-to-end connection over a shared service provider

    infrastructure. These technologies, although sometimes considered legacy and

    obsolete, still share the basic business assumptions with the modern VPN

    approaches:

    I The dedicated links are replaced with common infrastructure that emulates

    point-to-point links for the customer, resulting in statistical sharing of Service

    Provider infrastructure

    I Statistical sharing of infrastructure enables the service provider to offer the

    connectivity for lower price, resulting in lower operational costs for the end

    customers.

    The statistical sharing is illustrated in the graphic, where you can see the CPE

    router on the left has one physical connection to the service provider with two

    virtual circuits provisioned. Virtual Circuit 1 (VC # 1) provides connectivity to the

    top CPE router on the right. Virtual Circuit 2 (VC #2) provides the connectivity to

    the bottom CPE router on the right.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    29/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-5

    2000, Cisco Systems, Inc. www.cisco.com Page7

    Customer site

    Large customer site

    VPN TerminologyVPN Terminology

    Customer Network (C-Network): the part of

    the network still under customer control

    Provider Network (P-Network): the

    Service Provider infrastructure used to

    provide VPN services

    Customer Site: a contiguous part of customer

    network (can encompass many physical locations)

    There are many conceptual models and terminologies describing various Virtual

    Private Network technologies and implementations. In this section well focus on

    the terminology introduced by MPLS VPN architecture. As youll see, the

    terminology is generic enough to cover any VPN technology or implementation

    and is thus extremely versatile.

    The major parts of an overall VPN solution are always:

    I The Service Provider network (P-network): the common infrastructure the

    Service Provider uses to offer VPN services to the customers

    I The Customer network (C-network): the part of the overall customer networkthat is still exclusively under customer control.

    I Customersites: contiguous parts of customer network.

    A typical customer network implemented with any VPN technology would

    contain islands of connectivity completely under customer control (customersites)

    connected together via the Service Provider infrastructure (P-network).

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    30/292

    2-6 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page8

    Service Provider Network

    Customer site

    Large customer site

    VPN TerminologyVPN Terminology

    Customer Edge (CE) device: the device in

    the C-network with link into P-network.

    Also called Customer Premises Equipment

    (CPE)

    Provider Edge (PE) device: the device in

    the P-network to which the CE-devices

    are connected

    Provider core (P) device: the

    device in the P-network with

    no customer connectivity

    The devices that enable the overall VPN solution are named based on their

    position in the network:

    I Customer router that connected the customer site to the Service Provider

    network is called a Customer Edge router (CE-router). Traditionally this

    device is called Customer Premises Equipment (CPE).

    Note If the CE device is not a router, but, for example, a Packet Assembly and

    Disassembly (PAD) device, we can still use a generic term CE-device.

    I Service Provider devices where the customer devices are attached are called

    Provider Edge (PE) devices. In traditional switched Wide Area Network

    (WAN) implementations, these devices would be Frame Relay or X.25 edge

    switches.

    I Service Provider devices that only provide data transport across the Service

    Provider backbone and have no customers attached to them are called

    Provider (P) devices. In traditional switched WAN implementations these

    would be core (or transit) switches.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    31/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-7

    2000, Cisco Systems, Inc. www.cisco.com Page9

    Service Provider Network

    Customer site

    Customer Premises

    Router (CPE) Large customer site

    CPE router

    Othercustomerrouters

    Provider edge device(Frame Relay switch)

    PE device

    Provider coredevice

    PE device

    CPE router

    Virtual Circuit (VC) #2

    Virtual Circuit (VC) #1

    VPN TerminologySpecific to Switched WAN

    VPN TerminologySpecific to Switched WAN

    Permanent Virtual Circuit (PVC) is established through out-of-band means

    (network management) and is always active

    Switched Virtual Circuit (SVC) is established through CE-PE signaling on

    demand from the CE device

    Virtual Circuit (VC): emulated point-to-

    point link established across shared

    layer-2 infrastructure

    Switched WAN technologies introduced a term Virtual Circuit (VC), which is an

    emulated point-to-point link established across layer-2 infrastructure (for example,

    Frame Relay network). The virtual circuits are further differentiated into

    Permanent Virtual Circuits (PVC) which are pre-established by means of

    network management or manual configuration and Switched Virtual Circuits

    (SVC) which are established on demand through a call setup request from the CE

    device.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    32/292

    2-8 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Summary

    Virtual Private Networks were introduced by Service Providers to offer a more

    cost-effective alternative to traditional customer network design, which relied on

    dedicated point-to-point links between customer sites.

    The overall network implemented with a VPN solution is divided into the

    Customer network(C-network), which is exclusively under customers control

    and the Provider network(P-network), the shared infrastructure used to offer theVPN services. A contiguous part of the C-network is called a customersite.

    The device linking a customer site with the P-network is called Customer Edge

    (CE) device. Most commonly this is a router, called CE-router. This component

    was traditionally named Customer Premises Equipment (CPE).

    The edge device in Service Provider network, to which the customers are attached,

    is called Provider Edge (PE) device. The device inside the Provider network with

    no customer connectivity is a Provider (P) device.

    Review Questions

    Answer the following questions:

    I Why are customers interested in Virtual Private Networks?

    I What is the main role of a VPN?

    I What is a C-network?

    I What is a customer site?

    I What is a CE-router?

    I What is a P-network?

    I What is the difference between a PE-device and a P-device?

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    33/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-9

    Overlay and Peer-to-Peer VPN

    Objectives

    Upon completion of this section, you will be able to perform the following tasks:

    I Describe the differences between overlay and peer-to-peer VPNI Describe the benefits and drawbacks of each VPN implementation option

    I List major technologies supporting overlay VPNs

    I Describe traditional peer-to-peer VPN implementation options

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    34/292

    2-10 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page14

    VPN ImplementationTechnologies

    VPN ImplementationTechnologies

    VPN services can be offered based ontwo major paradigms:

    Overlay Virtual Private Networks where theService Provider provides virtual point-to-point links between customer sites

    Peer-to-Peer Virtual Private Networks wherethe Service Provider participates in thecustomer routing

    Traditional VPN implementations were all based on the overlayparadigm the

    Service Provider sells virtual circuits between customer sites as a replacement for

    dedicated point-to-point links. The overlay paradigm has a number of drawbacks

    that will be identified in this section. To overcome these drawbacks (particularly

    in IP-based customer networks), a new paradigm called peer-to-peer VPN was

    introduced where the Service Provider actively participates in customer routing.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    35/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-11

    2000, Cisco Systems, Inc. www.cisco.com Page15

    Service Provider Network

    Overlay VPN Implementation(Frame Relay Example)

    Overlay VPN Implementation(Frame Relay Example)

    Customer Site

    Router A

    Customer Site

    Router B

    Customer Site

    Router C

    Customer Site

    Router D

    Provider Edge Device

    (Frame Relay Switch)

    Frame Relay

    Edge Switch

    Frame Relay

    Edge Switch

    Frame Relay

    Edge Switch

    Virtual Circuit (VC) #3

    Virtual Circuit (VC) #2

    (VC) #1

    The diagram above shows a typical overlay VPN, implemented by a Frame Relay

    network. The customer needs to connect three sites (site Alpha being the central

    site the hub) and orders connectivity between Alpha (Hub) and Beta (Spoke) and

    between Alpha (Hub) and Gamma (Spoke). The Service Provider implements this

    request by providing two PVCs across the Frame Relay network.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    36/292

    2-12 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page16

    Layer-3 routing in OverlayVPN implementation

    Layer-3 routing in OverlayVPN implementation

    Service Provider infrastructure appears as point-to-point links to customer routes

    Routing protocols run directly between customerrouters

    Service Provider does not see customer routes and isresponsible only for providing point-to-pointtransport of customer data

    Router A

    Router B Router C Router D

    From the layer-3 perspective, the Service Provider network is invisible the

    customer routers are linked with emulated point-to-point links. The routing

    protocol is run directly between customer routers that establish routing adjacencies

    and exchange routing information.

    The Service Provider is not aware of customer routing and has no information

    about customer routes. The responsibility of the Service Provider is purely the

    point-to-point data transport between customer sites.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    37/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-13

    Overlay VPN Implementations

    There are a number of different overlay VPN implementations, ranging from

    traditional Time Division Multiplexing (TDM) to highly complex technologies

    running across IP backbones. In the following slides, well introduce major VPN

    technologies and implementations.

    2000, Cisco Systems, Inc. www.cisco.com Page17

    Overlay VPNLayer-1 Implementation

    Overlay VPNLayer-1 Implementation

    This is the traditional TDM solution:

    Service Provider establishes physical-layerconnectivity between customer sites

    Customer takes responsibility for all higher layers

    ISDN E1, T1, DS0 SDH, SONET

    PPP HDLC

    IP

    In layer-1 overlay VPN implementation, the Service Provider sells layer-1 circuits(bit pipes) implemented with technologies like ISDN, DS0, E1, T1, SDH or

    SONET. The customer takes responsibility for layer-2 encapsulation between

    customer devices and the transport of IP data across the infrastructure.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    38/292

    2-14 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page18

    Overlay VPNLayer-2 Implementation

    Overlay VPNLayer-2 Implementation

    This is the traditional Switched WAN solution:

    Service Provider establishes layer-2 virtual circuitsbetween customer sites

    Customer takes responsibility for all higher layers

    X.25 Frame Relay ATM

    IP

    Layer-2 VPN implementation is the traditional switched WAN model,

    implemented with technologies like X.25, Frame Relay, ATM or SMDS. The

    Service Provider is responsible for transport of layer-2 frames between customer

    sites and the customer takes responsibility for all higher layers.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    39/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-15

    2000, Cisco Systems, Inc. www.cisco.com Page19

    Overlay VPNIP TunnelingOverlay VPNIP Tunneling

    VPN is implemented with IP-over-IP tunnels

    Tunnels are established with GRE or IPSec

    GRE is simpler (and quicker), IPSec providesauthentication and security

    Generic Route Encapsulation

    (GRE)IP Security (IPSec)

    Internet Protocol (IP)

    Internet Protocol (IP)

    With the success of Internet Protocol (IP) and associated technologies, some

    Service Providers started to implement pure IP backbones to offer VPN services

    based on IP. In other cases, the customers want to take advantage of low cost and

    universal availability of Internet to build low-cost private networks over it.

    Whatever the business reasons behind it, overlay Layer 3 VPN implementation

    over IP backbone always involves tunneling (encapsulation of protocol units at a

    certain layer of OSI model into protocol units at the same or higher layer of OSI

    model).

    Two well-known tunneling technologies are IP Security (IPSEC) and GenericRoute Encapsulation (GRE). GRE is fast and simple to implement and supports

    multiple routed protocols, but provides no security and is thus unsuitable for

    deployment over the Internet. An alternate tunneling technology is IPSec, which

    provides network layer authentication and optional encryption to make data

    transfer over the Internet secure. IPSec only supports the IP routed protocol.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    40/292

    2-16 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page20

    Overlay VPNLayer-2 Forwarding

    Overlay VPNLayer-2 Forwarding

    VPN is implemented with PPP-over-IP tunnels

    Usually used in access environments (dial-up, DSL)

    Layer-2 Transport

    Protocol (L2TP)

    Internet Protocol (IP)

    Point-to-Point Protocol (PPP)

    Layer-2

    Forwarding (L2F)

    Point-to-Point

    Tunneling (PPTP)

    Internet Protocol (IP)

    Yet another tunneling technique that was first implemented in dial-up networks,

    where the Service Providers wanted to tunnel customer dial-up data encapsulated

    in point-to-point protocol (PPP) frames over an IP backbone to the customers

    central site. To make the Service Provider transport transparent to the customer,

    PPP frames are exchanged between the customer sites (usually a dial-up user and a

    central site) and the customer is responsible for establishing layer-3 connectivity

    above PPP.

    There are three well-known PPP forwarding implementations:

    I Layer 2 Forwarding (L2F)

    I Layer 2 Transport Protocol (L2TP)

    I Point-to-Point Tunneling Protocol (PPTP)

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    41/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-17

    2000, Cisco Systems, Inc. www.cisco.com Page21

    Service Provider Network

    Peer-to-Peer VPN ConceptPeer-to-Peer VPN Concept

    Customer Site

    Router A

    Customer Site

    Router B

    Customer Site

    Router C

    Customer Site

    Router D

    Provider Edge (PE)Router

    (PE) Router

    (PE) Router

    (PE) Router

    Routing information is exchanged between

    customer and service-provider routers

    Service Provider routers

    exchange customer routes

    through the core network

    Finally, the customer routes propagatedthrough the service-provider network are

    sent to other customer routers

    Overlay VPN paradigm has a number of drawbacks, most significant of them

    being the need for the customer to establish point-to-point links or virtual circuits

    between sites. The formula to calculate how many point-to-point links or virtual

    circuits you need in the worst case is ((n)(n-1))/2, where n is the number of sites

    you need to connect. For example, if you need to have fullmesh connectivity

    between 4 sites, you will need a total of 6 point-to-point links or virtual circuits.

    To overcome this drawback and provide the customer with optimum data transport

    across the Service Provider backbone, the peer-to-peer VPN concept was

    introduced where the Service Provider actively participates in the customer

    routing, accepting customer routes, transporting them across the Service Providerbackbone and finally propagating them to other customer sites.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    42/292

    2-18 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page22

    Peer-to-Peer VPN withPacket Filters

    Peer-to-Peer VPN withPacket Filters

    Service provider networkCustomer ASite #1

    Customer ASite #2

    Customer BSite #1

    Point-of-Presence

    Shared router

    POP router carries all

    customer routes

    Isolation between

    customers is achieved

    with packet filters on

    PE-CE interfaces

    The first peer-to-peer VPN solutions appeared several years ago. Architectures

    similar to the Internet were used to build them and special provisions had to be

    taken in account to transform the architecture, which was targeted toward public

    backbones (Internet) into a solution where the customers would be totally isolated

    and able to exchange their corporate data securely.

    The more common peer-to-peer VPN implementation uses packet filters on the

    PE-routers to isolate the customers. The Service Provider allocates portions of its

    address space to the customers and manages the packet filters on the PE-routers to

    ensure full Reachability between sites of a single customer and isolation between

    customers.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    43/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-19

    2000, Cisco Systems, Inc. www.cisco.com Page23

    Peer-to-Peer VPN withControlled Route Distribution

    Peer-to-Peer VPN withControlled Route Distribution

    Service provider networkCustomer ASite #1

    Customer ASite #2

    Customer BSite #1

    Point-of-Presence

    PE-routerCustomer-A

    PE-routerCustomer-B

    P-router

    Uplink

    Each customer has a

    dedicated PE router that

    only carries its routes

    The P-router contains all

    customer routes

    Customer isolation is achieved

    through lack of routing

    information on PE router

    Maintaining packet filters is a mundane and error-prone task. Some Service

    Providers thus implemented more innovative solutions based on controlled route

    distribution. In this approach, the core Service Provider routers (the P-routers)

    would contain all customer routes and the PE-routers would only contain routes of

    a single customer, requiring a dedicated PE-router per customer per Point-of-

    Presence (POP). The customer isolation is achieved solely through lack of routing

    information on the PE-router. Using route filtering between the P-router and the

    PE-routers, the PE-router for Customer A will only learn routes belonging to

    Customer A, and the PE-router for Customer B will only learn routes belonging to

    Customer B. Border Gateway Protocol (BGP) with BGP communities is usuallyused inside the Provider backbone since it offers the most versatile route filtering

    tools.

    Note Default routes used anywhere in the customer or Service Provider network break

    isolation between the customers and have to be avoided.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    44/292

    2-20 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page24

    Benefits of Various VPNImplementations

    Benefits of Various VPNImplementations

    Overlay VPN

    Well-known and easy toimplement

    Service Provider doesnot participate incustomer routing

    Customer network andService Providernetwork are well isolated

    Peer-to-Peer VPN

    Guarantees optimumrouting betweencustomer sites

    Easier to provision anadditional VPN

    Only the sites areprovisioned, not thelinks between them

    Each VPN paradigm has a number of benefits:

    I Overlay VPNs are well known and easy to implement, both from customer

    and Service Provider perspective

    I The Service Provider does not participate in customer routing in overlay

    VPNs, making the demarcation point between the Service Provider and the

    customer easier to manage.

    On the other hand, the peer-to-peer VPN give you:

    I Optimum routing between customer sites without any special design or

    configuration effort

    I Easy provisioning of additional VPNs or customer sites, as the Service

    Provider only needs to provision individual sites, not the links between

    individual customer sites.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    45/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-21

    2000, Cisco Systems, Inc. www.cisco.com Page25

    Drawbacks of Various VPNImplementations

    Drawbacks of Various VPNImplementations

    Overlay VPN

    Implementing optimum

    routing requires full-mesh of virtual circuits

    Virtual circuits have tobe provisioned manually

    Bandwidth must beprovisioned on a site-to-site basis

    Always incursencapsulation overhead

    Peer-to-Peer VPN

    Service Provider

    participates in customerrouting

    SP becomes responsiblefor customerconvergence

    PE routers carry allroutes from allcustomers

    SP needs detailed IProuting knowledge

    Each VPN paradigm also has a number of drawbacks:

    I Overlay VPNs require a full mesh of virtual circuit between customer sites to

    provide optimum inter-site routing

    I All the virtual circuits between customer sites in an overlay VPN have to be

    provisioned manually and the bandwidth must be provisioned on a site-to-site

    basis (which is not always easy to achieve).

    I The IP-based overlay VPN implementations (with IPSEC or GRE) also incur

    high encapsulation overhead (ranging from 20 to 80 bytes per transported

    datagram).

    The major drawbacks of peer-to-peer VPN arise from the Service Providers

    involvement in customer routing:

    I The Service Provider becomes responsible for correct customer routing and

    for fast convergence of customer network following a link failure.

    I The Service Provider P-routers have to carry all customer routes that were

    hidden from the Service Provider in the overlay VPN paradigm.

    I The Service Provider needs detailed IP routing knowledge, which is not

    readily available in traditional Service Provider teams.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    46/292

    2-22 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page26

    Drawbacks of Traditional Peer-to-Peer VPNs

    Drawbacks of Traditional Peer-to-Peer VPNs

    Shared PE router

    All customers share thesame (provider-assignedor public) address space

    High maintenance costsassociated with packetfilters

    Lower performanceeach packet has to passa packet filter

    Dedicated PE router

    All customers share thesame address space

    Each customer requiresa dedicated router ateach POP

    The pre-MPLS VPN implementations of peer-to-peer VPNs all shared a common

    drawback the customers have to share the same address space, either using

    public IP addresses in their private networks or relying on service provider-

    assigned IP addresses. In both cases, connecting a new customer to a peer-to-peer

    VPN service usually requires IP renumbering inside the customer network an

    operation, which most customers are reluctant to perform.

    The peer-to-peer VPNs based on packet filters also incur high operational costs

    associated with packet filter maintenance as well as performance degradation due

    to heavy usage of packet filters.

    The peer-to-peer VPNs implemented with per-customer PE-routers are easier to

    maintain and can give you optimum routing performance, but are usually more

    expensive since every customer requires a dedicated router in every POP. This

    approach is thus usually used in scenarios where the Service Provider only

    provides service to a small number of large customers.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    47/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-23

    Summary

    2000, Cisco Systems, Inc. www.cisco.com Page27

    VPN TaxonomyVPN Taxonomy

    Virtual Networks

    Virtual Dialup Networks Virtual LANsVirtual Private

    Networks

    Peer-to-Peer VPN

    Access Lists

    (Shared Router)

    Split Routing

    (Dedicated Router)

    MPLS VPN

    Overlay VPN

    Layer 2 VPN Layer 3 VPN

    X.25

    F/R

    ATM

    IPSec

    GRE

    There are a number of different Virtual Networking concepts present in the data

    communications fields:

    I The Virtual Local Area Networks (VLAN) allow you to implement isolated

    LANs over the same physical infrastructure

    I Virtual Private Dialup Networks (VPDN) allow customers to use dial-in

    infrastructure of a Service Provider for their private dial-up connectionsI Virtual Private Networks (VPN) allow customers to use shared infrastructure

    of a Service Provider to implement their private networks.

    There are two major VPN paradigms:

    I Overlay VPN, where the Service Provider gives the customer emulated point-

    to-point links across Service Provider backbone and

    I Peer-to-peer VPN, where the Service Provider becomes actively involved in

    customer routing and acts as the core layer-3 backbone of the customer

    network.

    The overlay VPNs are implemented with a number of technologies, ranging from

    traditional layer-1 technologies (ISDN, SDH, SONET) and layer-2 technologies

    (X.25, Frame Relay, ATM) to modern IP-based solutions (GRE and IPSec).

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    48/292

    2-24 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    The overlay VPNs, although well known and easy to implement, are harder to

    operate due to higher maintenance costs:

    I Every individual virtual circuit needs to be provisioned

    I Optimum routing between customer sites requires a full mesh of virtual

    circuits between sites

    I Bandwidth has to be provisioned on site-to-site basis.

    Traditional peer-to-peer VPNs are implemented with packet filters on shared PE-

    routers or with dedicated per-customer PE-routers. Along with high maintenance

    costs (for packet-filter approach) or equipment costs (for dedicated per-customer

    PE-router approach), both methods require customer to accept the Service

    Provider assigned address space or use public IP addresses in the private customer

    network.

    MPLS VPN, introduced in the next sections, provides all the benefits of peer-to-

    peer VPNs and alleviates most of the peer-to-peer VPN drawbacks (for example,

    the need for common customer address space).

    Review Questions

    Answer the following questions:

    I What is an overlay VPN?

    I Which routing protocol runs between the customer and the service provider in

    an overlay VPN?

    I Which routers are routing protocol neighbors of a CE-router in overlay VPN?

    I List three IP-based overlay VPN technologies.

    I What is the major benefit of peer-to-peer VPN as compared to overlay VPN?

    I List two traditional peer-to-peer VPN implementations?

    I What is the drawback of all traditional peer-to-peer VPN implementations?

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    49/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-25

    Major VPN Topologies

    Objectives

    Upon completion of this section, you will be able to perform the following tasks:

    I Identify the three major categorizations of VPNI Identify the three Overlay VPN topologies

    I Understand the implications of using overlay VPN approach with each

    topology

    I List sample usage scenarios for each topology

    I Identify the three VPN categorization based on business needs

    I Identify the three VPN categorization based on connectivity needs

    VPN Categorizations

    There are three major VPN categorizations:

    I Topology categorization, which only applies to overlay VPNs

    I Business categorization, which categorizes VPNs based on the business needs

    they fulfill

    I Connectivity categorization, which classifies VPNs based on their

    connectivity requirements.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    50/292

    2-26 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page32

    VPN Topology CategorizationVPN Topology Categorization

    Overlay VPNs are categorized based onthe topology of the virtual circuits:

    (Redundant) Hub-and-spoke topology

    Partial-mesh topology

    Full-mesh topology

    Multi-level topologycombines several levelsof overlay VPN topologies

    The oldest VPN categorization was based on the topology of point-to-point links

    in an overlay VPN implementation:

    I Full-mesh topology provides a dedicated virtual circuit between any two CE-

    routers in the network

    I Partial-mesh topology reduces the number of virtual circuits, usually to the

    minimum number that still provides optimum transport between major sites

    I Hub-and-spoke topology is the ultimate reduction of partial-mesh many

    sites (spokes) are only connected with the central site(s) (hubs) with no direct

    connectivity between the spokes. To prevent single points of failure, the hub-and-spoke topology is sometimes extended to redundant hub-and-spoke

    topology.

    Large networks usually deploy a layered combination of these technologies, for

    example:

    I Partial mesh in the network core

    I Redundant hub-and-spoke for larger branch offices (spokes) connected to

    distribution routers (hubs)

    I Simple hub-and-spoke for non-critical remote locations (for example, home

    offices).

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    51/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-27

    2000, Cisco Systems, Inc. www.cisco.com Page33

    Service Provider Network

    Overlay VPNHub-and-Spoke Topology

    Overlay VPNHub-and-Spoke Topology

    Central site(HUB)

    Remote site (spoke)

    Remote site (spoke)

    Remote site (spoke)Central site

    router

    Remote site (spoke)

    The hub-and-spoke topology is the simplest overlay VPN topology all remote

    sites are linked with a single virtual circuit to a central CE-router. The routing is

    also extremely simple static routing or distance-vector protocol like RIP are

    more than adequate. If you are using dynamic routing protocol like RIP, split-

    horizon must be disabled at the hub router, or you must use point-to-point sub-

    interfaces at the hub router to overcome the split-horizon problem.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    52/292

    2-28 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page34

    Service Provider Network

    Overlay VPNRedundant Hub-And-Spoke

    Overlay VPNRedundant Hub-And-Spoke

    Central site(HUB)

    Remote site (spoke)

    Remote site (spoke)

    Remote site (spoke)Redundant

    Central site

    router

    Remote site (spoke)Redundant

    Central site

    router

    A typical redundant hub-and-spoke topology introduces central site redundancy

    (more complex topologies might also introduce router redundancy at spokes).

    Each remote site is linked with two central routers via two virtual circuits. The two

    virtual circuits can be used for load sharing or in a primary/backup configuration.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    53/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-29

    2000, Cisco Systems, Inc. www.cisco.com Page35

    Overlay VPNPartial MeshOverlay VPNPartial Mesh

    Moscow

    Sydney

    Guam

    Berlin

    Hong Kong

    New York

    Virtual circuits (Frame Relay DLCI)

    Partial mesh is used in environments where the cost or complexity factors prevent

    a full-mesh between customer sites. The virtual circuits in a partial mesh can be

    established based on a wide range of criteria:

    I Traffic pattern between sites

    I Availability of physical infrastructure

    I Cost considerations

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    54/292

    2-30 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page36

    Service Provider Network

    Overlay VPNMulti-Level Hub-and-Spoke

    Overlay VPNMulti-Level Hub-and-Spoke

    Central site (hub)

    Remote site (spoke)

    Remote site (spoke)

    Remote site (spoke)

    Redundant centralsite router

    Redundant centralsite router

    Distribution site

    Distribution-layerrouter

    Distribution site

    Distribution-layerrouter

    Remote site (spoke)

    Various overlay VPN topologies are usually combined in a large network. For

    example, in the diagram above, a redundant hub-and-spoke topology is used in

    network core and a non-redundant hub-and-spoke is used between distribution

    sites and remote sites. This topology would be commonly used in environments

    where all traffic flows between the central site and remote sites and there is little

    (or no) traffic exchanged directly between the remote sites.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    55/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-31

    2000, Cisco Systems, Inc. www.cisco.com Page37

    VPN Business CategorizationVPN Business Categorization

    VPNs can be categorized on the businessneeds they fulfill:

    Intranet VPNconnects sites within anorganization

    Extranet VPNconnects differentorganizations in a secure way

    Access VPN Virtual Private Dialup Network(VPDN) provides dial-up access into acustomer network

    Another very popular VPN categorization classifies VPNs based on the business

    needs they fulfill:

    I Intranet VPNs connect sites within an organization. Security mechanisms are

    usually not deployed in an Intranet, as all sites belong to the same

    organization.

    I Extranet VPN connects different organizations. Extranets implementations

    usually rely on security mechanisms to ensure protection of individual

    organizations participating in the Extranet. The security mechanisms are

    usually the responsibility of individual participation organizations.I Access VPN - Virtual Private Dialup Networks that provide dial-up access

    into a customer network.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    56/292

    2-32 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    The following two diagrams compare overlay VPN implementation of an Extranet

    with a peer-to-peer one. Similar comparisons could be made for Intranets as well.

    2000, Cisco Systems, Inc. www.cisco.com Page38

    Extranet VPNOverlay VPN Implementation

    Extranet VPNOverlay VPN Implementation

    Provider IP backboneGlobalMotors

    Firewall

    AirFilters Inc.

    Firewall

    BoltsAndNuts

    Firewall

    SuperBrakes Inc.

    Firewall

    FirewallFrame Relay

    switch

    Frame Relayswitch

    Frame Relay

    switch

    Frame Relayswitch

    Frame Relay Virtual

    Circuits (DLCI)

    In an overlay implementation of an Extranet, organizations are linked with

    dedicated virtual circuits. Traffic between two organizations can only flow if:

    I There is a direct virtual circuit between the organizations or

    I There is a third organization linked with both of them that is willing to

    provide transit traffic capability to them. As establishing virtual circuits

    between two organizations is always associated with costs, the transit traffic

    capability is almost never granted free-of-charge.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    57/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-33

    2000, Cisco Systems, Inc. www.cisco.com Page39

    Extranet VPNPeer-to-PeerVPN Implementation

    Extranet VPNPeer-to-PeerVPN Implementation

    Provider IP backboneGlobalMotors

    Firewall

    AirFilters Inc.

    Firewall

    BoltsAndNuts

    Firewall

    SuperBrakes Inc.

    Firewall

    Provider edge(PE) router

    Provider edge

    (PE) router

    Provider edge(PE) router

    Provider edge

    (PE) router

    Firewall Provider edge

    (PE) router

    Peer-to-peer VPN implementation of an Extranet VPN is very simple compared to

    an overlay VPN implementation all sites are connected to the Service Provider

    network and the optimum routing between sites is enabled by default.

    The cost model of peer-to-peer implementation is also simpler usually every

    organization pays its connectivity fees for participation in the Extranet and gets

    full connectivity to all other sites.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    58/292

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    59/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-35

    2000, Cisco Systems, Inc. www.cisco.com Page41

    Central Services ExtranetCentral Services Extranet

    Service Provider Network

    Service provider ExtranetInfrastructure

    London

    VoIPGW

    Amsterdam

    VoIPGW

    Paris

    VoIPGW

    Customer A

    Customer B

    Customer C

    This diagram shows a sample Central Services extranet implementing

    international Voice-over-IP service. Every customer of this service can access

    voice gateways in various countries, but cannot access other customers using the

    same service.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    60/292

    2-36 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page42

    Central Services ExtranetHybrid(Overlay + P2P) Implementation

    Central Services ExtranetHybrid(Overlay + P2P) Implementation

    Service Provider Network

    Service providerExtranet Infrastructure

    London

    VoIPGW

    Amsterdam

    VoIPGW

    Paris

    VoIPGW

    Customer A

    Customer B

    Customer C

    FrameRelayInfrastructure

    Frame RelayEdge switch

    Frame RelayEdge switch

    Frame RelayEdge switch

    Provider EdgeRouter

    Frame Relay Virtual Circuit

    Provider Edge

    Router

    Provider EdgeRouter

    Provider EdgeRouter

    Provider EdgeRouter

    The network diagram shown above describes an interesting scenario where peer-

    to-peer VPN and overlay VPN implementation can be used to provide end-to-end

    service to the customer.

    The VoIP service is implemented with Central Services extranet topology, which

    is in turn implemented with peer-to-peer VPN. The connectivity between PE-

    routers in the peer-to-peer VPN and the customer routers is implemented with an

    overlay VPN based on Frame Relay. The PE-router of the peer-to-peer VPN and

    the CE-routers act as CE-devices of the Frame Relay network.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    61/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-37

    2000, Cisco Systems, Inc. www.cisco.com Page43

    Managed NetworkOverlay VPN Implementation

    Managed NetworkOverlay VPN Implementation

    Central site (hub)

    Service provider network Remote site (spoke)

    Remote site (spoke)

    Remote site (spoke)

    Redundant central

    site router

    Redundant central

    site router

    Network Management Center

    Dedicated Virtual

    Circuits are used for

    network management

    Network management VPN is traditionally implemented in combination with

    overlay VPN services. Dedicated virtual circuits are deployed between any

    managed CE-router and the central network management router (NMS-router) to

    which the Network Management Station (NMS) is connected.

    This network management VPN implementation is sometimes called rainbow

    implementation, as the physical link between the NMS-router and the core of the

    Service Provider network carries a number of virtual circuits one circuit per

    managed router.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    62/292

    2-38 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    Summary

    There are three major categorizations of Virtual Private networks:

    I Topology categorization, which classifies the VPNs based on the topology of

    point-to-point connections in overlay VPN implementation

    I Business categorization, which classifies VPNs into Intranets, Extranets and

    niche solutions like Virtual Private Dialup Networks

    I Connectivity categorization, which classifies VPNs based on the connectivity

    needs.

    The topology categorization ranges VPNs from full mesh, where there is a direct

    virtual circuit between any two sites, to partial mesh, which is built based on a

    number of constraints (traffic patterns and cost being the most important of them)

    and finally hub-and-spoke where a central site acts as the transit point between all

    spoke sites. Real-life large networks are usually implemented with a combination

    of these topologies.

    The connectivity categorization divides VPNs into simple VPNs (with any-to-any

    connectivity), overlay VPNs where a single site participates in more than one

    simple VPN, Central Services VPNs, where some sites have limited connectivityand Network Management VPNs, which are really only a special case of Central

    Services VPN.

    Review Questions

    Answer the following questions:

    I What are the major Overlay VPN topologies

    I Why would the customers prefer partial mesh over full mesh topology?

    I What is the difference between an Intranet and an Extranet?

    I What is the difference between a simple VPN and a Central Services VPN?

    I What are the connectivity requirements of a Central Services VPN?

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    63/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-39

    MPLS VPN Architecture

    Objectives

    Upon completion of this section, you will be able to perform the following tasks:

    I Understand the difference between traditional peer-to-peer models and MPLSVPN

    I List the benefits of MPLS VPN

    I Describe major architectural blocks of MPLS VPN

    I Explain the need for route distinguisher (RD) and route target (RT)

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    64/292

    2-40 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page48

    MPLS VPN ArchitectureMPLS VPN Architecture

    MPLS VPN combines the best features ofoverlay VPN and peer-to-peer VPN

    PE routers participate in customer routing,guaranteeing optimum routing between sitesand easy provisioning

    PE routers carry a separate sets of routes foreach customer (similar to dedicated PE routerapproach)

    Customers can use overlapping addresses

    The MPLS VPN architecture provides the Service Providers with a peer-to-peer

    VPN architecture that combines the best features of overlay VPN (support for

    overlapping customer address spaces) with the best features of peer-to-peer VPNs:

    I PE routers participate in customer routing, guaranteeing optimum routing

    between customer sites

    I PE routers carry separate set of routes for each customer, resulting in perfect

    isolation between the customers.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    65/292

    Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-41

    2000, Cisco Systems, Inc. www.cisco.com Page49

    MPLS VPN TerminologyMPLS VPN Terminology

    Customer A

    Site #1

    Site #1

    CE router

    Customer A

    Site #2

    Customer B

    Site #1

    Customer B

    Site #3

    Customer B

    Site #2

    Customer A

    Site #4

    Remote

    Office

    Remote

    Office

    Customer A

    Site #3

    Customer B

    Site #4

    PE-Router

    POP-XP-Router PE-Router

    POP-Y

    P-Network

    The MPLS VPN terminology divides the overall network into customer controlled

    part (C-network) and provider controlled part (P-network). Contiguous portions

    of C-network are called sites and are linked with the P-network via CE-routers.

    The CE-routers are connected to the PE-routers, which serve as the edge devices

    of the Provider network. The core devices in the provider network (P-routers)

    provide the transit transport across the provider backbone and do not carry

    customer routes.

  • 7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1

    66/292

    2-42 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

    2000, Cisco Systems, Inc. www.cisco.com Page50

    Provider Edge RouterArchitecture

    Provider Edge RouterArchitecture

    PE-router

    Global IP router

    Virtual router for

    Customer B

    Virtual router for

    Customer A

    P-router

    Customer ASite #1

    Customer ASite #2

    Customer B

    Site #1

    Virtual IP routing

    table for Customer A

    Virtual IP r