I-AS MPLS Solutions

Stefan Kollar, Consulting System Engineer, CCIE #10668

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

May 10, 2020


Page 2

Agenda

1. Inter-AS Networks
   Inter-AS Connectivity Models
   Inter-AS L3 VPNs
   Inter-AS L2VPNs
   Inter-AS Multicast VPNs

2. Carrier Supporting Carrier
   CSC Service Models
   MPLS L3 VPNs
   Multicast VPNs
   MPLS L2 VPNs

Page 3

Carrier Supporting Carrier vs. Inter-AS

CSC
1. Client-Server model
2. IP/MPLS Carrier is a customer of another MPLS backbone provider
3. IP/MPLS Carrier doesn’t want to manage own backbone
4. Only the backbone provider is required to have MPLS VPN core
5. Customer Carriers do not distribute their subscribers’ VPN info to the backbone carrier

Inter-AS
1. Peer-Peer model
2. SPs provide services to the common customer base
3. Single SP POPs not available in all geographical areas required by their subscribers/customers
4. Both SPs must support MPLS VPNs
5. Subscriber VPN information shared between peering SPs (ASs)

[Figure labels: MPLS Backbone Provider, Customer Carrier-B, Subscriber A Site1, Subscriber A Site2, Provider-A, Provider-B, ASBR-A, ASBR-B]

Page 4

I-AS L3 VPNs

Page 5

Inter-AS VPNv4 Distribution Options

VPN Sites Attached to Different MPLS VPN Service Providers

How to Distribute VPN Routes between ASBRs?
   MP-eBGP for VPNv4
   Multihop MP-eBGP between RRs
   Back-to-Back VRFs

[Figure labels: VPN-R1, CE1, PE11, AS #1, ASBR1, ASBR2, AS #2, PE22, CE2, VPN-R2]

Page 6

Inter-AS VPN—Option A
Back-to-Back VRFs

Each ASBR Thinks the Other Is a CE

1. One logical interface per VPN on directly connected ASBRs
2. Packet is forwarded as an IP packet between the ASBRs
3. Link may use any supported PE-CE routing protocol
4. IP QoS policies negotiated and configured manually on the ASBRs
5. Option A is the most secure and easiest to provision
6. May not be easy to manage as #s of VPNs grow

[Figure labels: AS1 with PE1, P1, PE-ASBR1, "Use VPN label 40"; "Unlabeled IP Packets" between the ASBRs; AS2 with PE-ASBR2, P2, PE2, "Use VPN label 80"]

Page 7

Inter-AS VPN—Option B
Control Plane

All VPNv4 Prefixes/Labels from PEs Distributed to PE-ASBRs

Label Exchange between Gateway PE-ASBR Routers Using eBGP

Route updates for 152.12.4.0/24 shown in the figure:
   BGP, OSPF, RIPv2: 152.12.4.0/24, NH=CE2
   VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE1, RT=1:222, Label=(L1)
   VPN-v4 update: RD:1:27:152.12.4.0/24, NH=ASBR1, RT=1:222, Label=(L2)
   VPN-v4 update: RD:1:27:152.12.4.0/24, NH=ASBR2, RT=1:222, Label=(L3)
   BGP, OSPF, RIPv2: 152.12.4.0/24, NH=PE2

[Figure labels: VPN-R1, CE1, PE1, AS #1, ASBR1, eBGP for VPNv4, ASBR2, AS #2, PE2, CE2, VPN-R2]

Page 8

Inter-AS VPN—Option B
Key Points

1. PE-ASBRs exchange routes directly using eBGP
   External MP-BGP for VPNv4 prefix exchange
2. MP-BGP session with NH to advertising PE-ASBR
   Next-hop and labels are rewritten when advertised across the inter-provider MP-BGP session
3. Receiving PE-ASBR automatically creates a /32 host route to a peer ASBR
   Which must be advertised into receiving IGP if next-hop-self is not in operation to maintain the LSP
4. PE-ASBR stores all VPN routes that need to be exchanged
   But only within the BGP table
   No VRFs; labels are populated into the LFIB of the PE-ASBR
5. ASBR-ASBR link must be directly connected!
   Could use GRE tunnel, which is considered directly connected
6. Receiving PE-ASBRs may allocate new label
   Controlled by configuration of next-hop-self (default is off)

Page 9

Inter-AS VPN—Option B
Forwarding Plane

[Figure: packet to 152.12.4.1 (prefix 152.12.4.0/24) forwarded between VPN-R2 and VPN-R1 across CE2, PE2, ASBR2, ASBR1, PE1, CE1. Label stacks shown on the packet: LR1’’; LASBR2 + LR1’; LR1’; LPE1 + LR1; LR1]

Page 10

Inter-AS VPN—Option B
Cisco IOS Configuration

[Figure labels: VPN-R1, CE1, PE1, AS #1, ASBR1, eBGP for VPNv4, Ser2/0, ASBR2, AS #2, PE2, CE2, VPN-R2; L0:194.1.1.2, L0:195.1.1.1, L0:195.1.1.2]

!
router bgp 1
 ! eBGP peer in AS 2 and iBGP peer in AS 1
 neighbor 195.1.1.2 remote-as 2
 neighbor 194.1.1.2 remote-as 1
 neighbor 194.1.1.2 update-source loop0
 ! Keep all VPNv4 routes even though no VRF imports them
 no bgp default route-target filter
 !
 address-family vpnv4
  neighbor 194.1.1.2 activate
  neighbor 194.1.1.2 next-hop-self
  neighbor 195.1.1.2 activate
  neighbor 195.1.1.2 send-community extended

ASBR1#sh mpls forwarding-table label 18 det
Local  Outgoing     Prefix              Bytes Label  Outgoing   Next Hop
Label  Label or VC  or Tunnel Id        Switched     interface
18     20           1:100:100.0.0.5/32  \
                                        0            Se2/0      point2point
        MAC/Encaps=4/8, MRU=1500, Label Stack{20}
        0F008847 00014000

Page 11

Inter-AS VPN—Option C
Multi-hop eBGP VPNv4 between RRs

1. Eliminates LFIB duplication at ASBRs. ASBRs don’t hold VPNv4 prefix/label info.
2. ASBRs exchange PE loopbacks (IPv4) with labels, as these are BGP NH addresses
3. Two options for label distribution for BGP NH addresses: IGP + LDP, or eBGP IPv4 + Labels (RFC 3107)
4. BGP exchange Label Advertisement Capability. Enables end-to-end LSP paths
5. Subsequent Address Family Identifier (value 4) field is used to indicate that the NLRI contains a label
6. Disable next-hop-self on RRs

[Figure labels: PE1, RR1, ASBR1, AS #1, ASBR2, RR2, PE2, AS #2; "RR1, RR2: Exchange VPNv4 Routes"; eBGP IPv4 + Labels; IGP + LDP]

Page 12

I-AS VPN—Option C
Control Plane

Route updates for 152.12.4.0/24 shown in the figure:
   BGP, OSPF, RIPv2: 152.12.4.0/24, NH=CE1
   VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE1, RT=1:222, Label=(L1) (shown three times, identical)
   BGP, OSPF, RIPv2: 152.12.4.0/24, NH=PE2

Labeled routes for the PE1 loopback shown in the figure:
   To ASBR2: Network=PE1, NH=ASBR-1, Label=(L2)
   From ASBR1: Network=PE1, NH=ASBR-2, Label=(L3)
   IGP+label (LDP) or iBGP+label

[Figure labels: VPN-R1, CE1, PE1, RR1, ASBR1, AS #1, ASBR2, RR2, PE2, CE2, VPN-R2]

Page 13

I-AS VPN—Option C
Forwarding Plane

[Figure: packet to 152.12.4.1 (prefix 152.12.4.0/24) forwarded in VPN-ias across CE2, PE2, RR2, ASBR2, ASBR1, RR1, PE1, CE1. Label stacks shown on the packet: L1 + L2 + L3; L1 + L5; L1 + L2; L1 + L4; L1]

PE2#sh ip cef vrf ias 152.12.4.1 det
152.12.4.0/24, epoch 0
  recursive via 10.254.254.254 label 23
    recursive via 10.254.254.3 label 24
      nexthop 10.0.2.2 Ethernet1/0 label 17

Lo: 10.254.254.254
Lo: 10.254.254.3
Eth1/0: 10.0.2.2

Page 14

I-AS VPN—Option C
Cisco IOS Configuration (related to I-AS only)

[Figure labels: PE1, RR1, ASBR1, AS #1, ASBR2, RR2, PE2]

Loopbacks (/32) of remote PE routers distributed via iBGP, NOT made known to the P routers

!
address-family ipv4
 neighbor <RR1> activate
 neighbor <RR1> send-label
!

!
router bgp 1
 neighbor <RR2> ebgp-multihop 255
 !
 address-family ipv4
  neighbor <RR2> activate
  neighbor <PE1> activate
  neighbor <PE1> send-label
  neighbor <ASBR1> activate
  neighbor <ASBR1> send-label
 !
 address-family vpnv4
  neighbor <RR2> next-hop-unchanged
 exit-address-family
!

!
address-family ipv4
 neighbor <ASBR2> activate
 neighbor <ASBR2> send-label
 neighbor <RR1> activate
 neighbor <RR1> next-hop-self
 neighbor <RR1> send-label
!

Page 15

MPLS VPN Inter-AS Option AB

1. Combines the benefits of Option A & Option B.
2. eBGP sessions are reduced to a single session between the ASBRs as defined in RFC 4364 Option B, leading to better scaling and reduced configuration.
3. Separate per VRF interfaces between ASBRs forward data as in Option A. This provides security and QoS benefits of IP forwarding on the I-AS link.

[Figure: AS 1 (VPN-B1, VPN-G1, CE-1, CE-2, PE-1, ASBR1) and AS 2 (ASBR2, PE-2, CE-3, CE-4, VPN-B2, VPN-G2). Between the ASBRs: data forwarding on per VRF interface (vpn-G, vpn-B) as in Option A; MP-eBGP between ASBRs on a control plane interface in global table]

Page 16

MPLS VPN Inter-AS Option AB Sample Configuration

[Figure: AS 100 (VPN-B1, VPN-G1, CE-1, CE-2, PE1, ASBR1) and AS 200 (ASBR2, PE2, CE-3, CE-4, VPN-B2, VPN-G2). Between the ASBRs: VPN-G and VPN-B interfaces and an eBGP Peering Interface]

! ASBR2
!
ip vrf VPN-B
 rd 200:21
 route-target both 100:3
 route-target both 100:2
 inter-as-hybrid
!
ip vrf VPN-G
 rd 200:22
 route-target both 200:3
 route-target both 200:2
 inter-as-hybrid
!
router bgp 200
 neighbor 103.0.0.1 remote-as 100
 !
 address-family vpnv4
  neighbor 103.0.0.1 inter-as-hybrid
 exit-address-family
!

! ASBR1
!
ip vrf VPN-B
 rd 100:11
 route-target both 100:1
 route-target both 100:3
 inter-as-hybrid
!
ip vrf VPN-G
 rd 100:21
 route-target both 200:1
 route-target both 200:3
 inter-as-hybrid
!
router bgp 100
 neighbor 103.0.0.2 remote-as 200
 !
 address-family vpnv4
  neighbor 103.0.0.2 inter-as-hybrid
 exit-address-family
!

Page 17

Inter-AS Multipath Load Balance Options

1. Support VPNv4 and label negotiated IPv4 eBGP sessions between loopbacks of directly connected routers w/o the use of LDP on the connecting interfaces
2. Consider the three topologies, designated by Topo-1, Topo-2, Topo-3
3. Load balancing for Inter-AS sub-cases with:
   Interface Peering
   Loopback peering
   IPv4 + Label
   VPNv4 + Label

[Figure labels: Topo-1, Topo-2, Topo-3 between AS1 and AS2; ASBR1, ASBR2, ASBR3, ASBR4]

Page 18

Inter-AS Loopback Peering for Directly Connected ASBRs

Create loopback interfaces on directly connected ASBRs

[Figure labels: PE1, RR1, AS #1, ASBR-1 (E0/0: 168.192.0.1, E2/0: 168.192.2.1, L0:10.10.10.10), ASBR-2 (E0/0: 168.192.0.2, E2/0: 168.192.2.2, L0:10.20.20.20/32), AS #2, RR2, PE2]

hostname ASBR2
!
! Enable BGP forwarding on connecting interfaces
interface e0/0
 ip address 168.192.0.2 255.255.255.252
 mpls bgp forwarding
!
interface e2/0
 ip address 168.192.2.2 255.255.255.252
 mpls bgp forwarding
!
router bgp 2
 neighbor 10.10.10.10 remote-as 1
 neighbor 10.10.10.10 disable-connected-check
 neighbor 10.10.10.10 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.10.10.10 activate
  neighbor 10.10.10.10 send-community extended
!
! Configure /32 static routes to the eBGP neighbor loopback address
ip route 10.10.10.10 255.255.255.255 e0/0 168.192.0.1
ip route 10.10.10.10 255.255.255.255 e2/0 168.192.2.1

Page 19

Inter-AS Security Elements

1. MD5 Authentication on LDP/BGP Sessions
2. Apply max prefix
3. Static Labels
4. TTL Check to diagnose DoS attacks
5. Filtering with BGP attributes: ASPATH, ext communities, RD checks, etc. Set route-maps to filter and send only the desirable prefixes
6. Customize Route Targets
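A configuration lint for the BGP-side items of this checklist, as an added example that is not part of the original deck: it reads an IOS `router bgp` stanza and reports, per eBGP neighbor, which controls are absent. The first sample is the Option B ASBR1 stanza from this deck's configuration slide, transcribed as valid IOS; the second is a constructed hardened variant whose key, prefix limit and route-map name are placeholders.

```python
import re

# Controls from the checklist that are visible in a BGP neighbor configuration.
CONTROLS = {
    "password": "MD5 authentication (neighbor ... password)",
    "ttl-security": "TTL check (neighbor ... ttl-security hops N)",
    "maximum-prefix": "max prefix (neighbor ... maximum-prefix N)",
    "route-map-in": "inbound filtering (neighbor ... route-map NAME in)",
}

# Option B ASBR1 stanza from the deck's configuration slide.
SLIDE_CONFIG = """\
router bgp 1
 neighbor 195.1.1.2 remote-as 2
 neighbor 194.1.1.2 remote-as 1
 neighbor 194.1.1.2 update-source loop0
 no bgp default route-target filter
 !
 address-family vpnv4
  neighbor 194.1.1.2 activate
  neighbor 194.1.1.2 next-hop-self
  neighbor 195.1.1.2 activate
  neighbor 195.1.1.2 send-community extended
"""

# Constructed variant: EXAMPLE-KEY, 1000 and INTERAS-IN are placeholders,
# and the route-map definition itself is not shown.
HARDENED_CONFIG = """\
router bgp 1
 neighbor 195.1.1.2 remote-as 2
 neighbor 195.1.1.2 password EXAMPLE-KEY
 neighbor 195.1.1.2 ttl-security hops 1
 neighbor 194.1.1.2 remote-as 1
 neighbor 194.1.1.2 update-source loop0
 no bgp default route-target filter
 !
 address-family vpnv4
  neighbor 194.1.1.2 activate
  neighbor 194.1.1.2 next-hop-self
  neighbor 195.1.1.2 activate
  neighbor 195.1.1.2 send-community extended
  neighbor 195.1.1.2 maximum-prefix 1000
  neighbor 195.1.1.2 route-map INTERAS-IN in
"""

NEIGHBOR_RE = re.compile(r"^neighbor\s+(\S+)\s+(.+)$")


def audit_bgp(config):
    """Return {ebgp_neighbor: [missing control, ...]} for one router bgp stanza."""
    local_as = None
    remote_as = {}   # neighbor -> AS number as text
    seen = {}        # neighbor -> set of controls found
    rt_filter_disabled = False

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^router bgp\s+(\d+)$", line)
        if m:
            local_as = m.group(1)
            continue
        if line == "no bgp default route-target filter":
            # The ASBR keeps every VPNv4 route it receives, whatever its RT.
            rt_filter_disabled = True
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        peer, words = m.group(1), m.group(2).split()
        found = seen.setdefault(peer, set())
        if words[0] == "remote-as" and len(words) >= 2:
            remote_as[peer] = words[1]
        elif words[0] in ("password", "ttl-security", "maximum-prefix"):
            found.add(words[0])
        elif words[0] == "route-map" and words[-1] == "in":
            found.add("route-map-in")

    findings = {}
    for peer, asn in remote_as.items():
        if asn == local_as:
            continue  # iBGP peer inside the local AS, not the inter-AS link
        missing = [c for c in CONTROLS if c not in seen[peer]]
        if rt_filter_disabled and "route-map-in" in missing:
            # No RT filter and no inbound route-map: nothing limits what
            # the peering provider can inject.
            missing.append("unfiltered-vpnv4-import")
        findings[peer] = missing
    return findings


if __name__ == "__main__":
    for name, cfg in (("slide", SLIDE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for peer, missing in audit_bgp(cfg).items():
            print(name, peer, "missing:", ", ".join(missing) or "none")
```

The lint covers the BGP session only; LDP authentication, static labels and the contents of the route-map still need their own review.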

Page 20

Inter-AS L3VPN Summary

1. Models: Option A, B, C and AB
2. Option A is the most secure. Supports granular QoS
3. Option B, less invasive
4. Option B, only need to know the loopback or interface address of directly connected ASBR
5. Option C, most scalable, most invasive, mostly deployed in a single service provider’s multi-AS network

Page 21

I-AS L2 VPNs: AToM

Page 22

Inter-AS AToM
Layer 2 Peering—Option A

1. One layer-2 interface per PW
2. Clear demarcation between ASs
3. No reachability information shared between ASs
4. Granular QoS control between ASBRs

[Figure labels: PE1, IP/MPLS, ASBR1, ASBR2, IP/MPLS, PE2; Pseudowire PW1, PW2; PW Signaling: LDP, LDP; Forwarding LSP: LDP/RSVP, LDP/RSVP]

Page 23

Inter-AS AToM
Layer 2 Peering—Option A

[Figure: label Push and Pop operations on the Layer-2 payload along PE1, ASBR1, ASBR2, PE2 in the two IP/MPLS domains; Pseudowire PW1, PW2]

Page 24

Inter-AS AToM
Multi-Hop PW—Option B

1. Single (labeled) interface between ASBRs
2. Single peering point (only one PW endpoint address leaked between ASs)
3. PE and P devices do not learn remote PW endpoint addresses

[Figure labels: PE1, IP/MPLS, ASBR1, ASBR2, IP/MPLS, PE2; Pseudowire PW1, PW2; PW Signaling: LDP, LDP, LDP; Forwarding LSP: LDP/RSVP, eBGP IPv4+Label, LDP/RSVP]

Page 25

Inter-AS L2VPN Multi-Hop PW—Option B

[Figure: label Push and Pop operations on the payload along PE1, ASBR1, ASBR2, PE2 in the two IP/MPLS domains; Pseudowire PW1, PW2]

Page 26

Inter-AS AToM Option B—Configuration
Need to Switch Pseudowires on ASBRs

[Figure labels: Data Center 1, PE3 (Int gig1/0), AS1, ASBR1 (Int gig3/0), ASBR2, AS2, PE4, Data Center 2]

hostname PE3
!
interface giga1/0
 xconnect <ASBR1> 10 encapsulation mpls
!
! No BGP needed, just IGP

hostname PE4
!
interface giga1/0
 xconnect <ASBR2> 20 encapsulation mpls
!
! No BGP needed, just IGP

hostname ASBR1
!
pseudowire-class pw-switch
 encapsulation mpls
!
l2 vfi pw-switch point-to-point
 neighbor <ASBR2> 100 pw-class pw-switch
 neighbor <PE3> 10 pw-class pw-switch
!
interface giga3/0
 mpls bgp forwarding
!
router bgp 1
 neighbor <ASBR2-WAN> remote-as 2
 neighbor <ASBR2-WAN> send-label
!
! Also announce the loopback address (xconnect ID) of ASBR1 in IGP (AS1) and eBGP

hostname ASBR2
!
pseudowire-class pw-switch
 encapsulation mpls
!
l2 vfi pw-switch point-to-point
 neighbor <ASBR1> 100 pw-class pw-switch
 neighbor <PE4> 20 pw-class pw-switch
!
interface giga3/0
 mpls bgp forwarding
!
router bgp 2
 neighbor <ASBR1-WAN> remote-as 1
 neighbor <ASBR1-WAN> send-label
!
! Also announce the loopback address of ASBR2 in IGP (AS2) and eBGP

Page 27

Inter-AS AToM Option C—IPv4+Label
Single Hop Pseudowire

1. I-AS AToM is also known as pseudowire switching, stitching, or routing, where the PW is signalled across AS boundaries
2. IPv4 routes for PEs exchanged with labels between directly connected ASBRs
3. PWs are transported through ASBRs. ASBRs don’t store any PW information.

[Figure labels: MPLS AS1 (PE1, PE3, ASBR1), IPv4 + Labels, MPLS AS2 (ASBR2, PE2, PE4); customer sites C1S1, C1S2, C2S1, C2S2, C3S1, C3S2, C4S1, C4S2]

Page 28

Inter-AS AToM—Option C
Single-Hop PW: BGP IPv4+label

1. Single (labeled) interface between ASBRs
2. PW endpoint addresses leaked between ASs using eBGP IPv4+label and distributed to PEs using iBGP IPv4+label
3. Only PEs and ASBRs learn PW endpoint addresses

[Figure labels: PE1, IP/MPLS, ASBR1, ASBR2, IP/MPLS, PE2; Pseudowire PW1; PW Signaling: LDP; Forwarding LSP: LDP/RSVP, LDP/RSVP; iBGP IPv4+Label, eBGP IPv4+Label, iBGP IPv4+Label]

Page 29

Inter-AS AToM—Option C
Single-Hop PW: BGP IPv4+label, Cont.

[Figure: label Push, Swap and Pop operations on the payload along PE1, ASBR1, ASBR2, PE2 in the two IP/MPLS domains; Pseudowire PW1]

Page 30

Inter-AS AToM Option C—Configuration

[Figure labels: MPLS AS1 (PE1, PE3 Int eth1/0, ASBR1), IPv4 + Labels, MPLS AS2 (ASBR2, PE4 Int eth1/0, PE2)]

hostname ASBR1
! Activate IPv4 label capability
!
router bgp 1
 !
 address-family ipv4
  neighbor <PE3> send-label
  neighbor <ASBR-2> send-label
 exit-address-family
!

hostname ASBR2
! Activate IPv4 label capability
!
router bgp 2
 !
 address-family ipv4
  neighbor <PE4> send-label
  neighbor <ASBR-1> send-label
 exit-address-family
!

hostname PE4
!
interface Ethernet1/0
 xconnect <PE3> 100 encapsulation mpls
!
! Activate IPv4 label capability
!
router bgp 2
 !
 address-family ipv4
  neighbor <ASBR-2> send-label
 exit-address-family
!

hostname PE3
!
interface Ethernet1/0
 xconnect <PE4> 100 encapsulation mpls
!
! Activate IPv4 label capability
!
router bgp 1
 !
 address-family ipv4
  neighbor <ASBR-1> send-label
 exit-address-family
!

Page 31

I-AS AToM Key Points

1. All three I-AS models are supported to carry point-to-point PWs
2. The sequencing data through the xconnect packet paths are passed transparently. The endpoint PE-CE connections enforce the sequencing.
3. The control word negotiation results must match. The control word is disabled for both segments if either side doesn’t support it.

Page 32

Inter-AS L2 VPNs: VPLS

Page 33

Virtual Private LAN Service Overview

1. VPLS provides fully meshed L2 connectivity among VPN Sites
2. VPLS VPN sites may span multiple Domains
3. PEs aggregating VPN sites in both domains need transparency

[Figure labels: MPLS AS1 (PE1, PE3, ASBR1), MPLS AS2 (ASBR2, PE2, PE4); CE1, CE2, CE3, CE4 attached in both domains; "Exchange Virtual Switching Instance Database (VLAN IDs + Labels)"]

Page 34

Inter-AS VPLS BGP-Based Autodiscovery

1. BGP extended communities needed for VPLS BGP-based autodiscovery are transit
2. “Multihop eBGP redistribution of L2VPN NLRIs” as described in draft-ietf-l2vpn-signaling-08.txt is currently supported
3. Inter-AS VPLS BGP-Based Autodiscovery is like option C in RFC 4364
   – eBGP multihop for l2vpn vpls via RRs across two autonomous systems
   – the ASBRs perform a P router function and interconnect the PEs of the two autonomous systems
4. An inter-AS LDP peering session exists between each pair of PE routers in the two autonomous systems
   – (Full) mesh of PE PWs across autonomous systems

Page 35

Inter-AS VPLS—Option C
Single Hop Pseudowires

1. Reachability between PEs is provided using eBGP+Labels
2. Targeted LDP session is formed between PEs
3. PWs are transported through ASBRs
4. Auto discovery of VPLS VPNs is supported using BGP
5. Route Distinguisher, Route Target and VPN IDs are used in a similar way as in MPLS L3 VPNs
6. RTs have to match across different domains for the same VPLS VPN sites

[Figure labels: MPLS AS1 (PE1, PE3, ASBR1), IPv4 + Labels, MPLS AS2 (ASBR2, PE2, PE4); CE1, CE2, CE3, CE4]

Page 36

Inter-AS VPLS BGP-Based Autodiscovery

[Figure: CE1, PE1, RR1, ASBR1, ASBR2, RR2, PE3, CE3. Sessions shown: eBGP multi-hop for l2vpn vpls + next-hop-unchanged; eBGP for IPv4 + labels; iBGP for IPv4 + labels (in each AS); iBGP for l2vpn vpls (in each AS); IGP with LDP or TE (in each AS)]

Page 37

Inter-AS VPLS BGP-Based Autodiscovery
MPLS Label Propagation

[Figure: CE1, PE1, RR1, ASBR1, ASBR2, RR2, PE3, CE3. Labels shown: PW label; BGP IPv4 label (twice); IGP label (twice)]

Page 38

Inter-AS VPLS BGP-Based Autodiscovery
Packet Forwarding

[Figure: CE1, PE1, RR1, ASBR1, ASBR2, RR2, PE3, CE3, with next-hop-self marked. Label stacks shown on the Ethernet frame: IGP label to ASBR2 + BGP IPv4 label + PW label; BGP IPv4 label + PW label (twice); IGP label + PW label; PW label]

Page 39

VPLS BGP Auto Discovery with Inter-AS Option C—Cisco IOS Configuration

[Figure labels: MPLS AS1 (PE1, PE3:10.0.0.1, VPLS ID: customer1), IPv4 + Labels, MPLS AS2 (PE4, VPLS ID: customer1); CE1, CE2, CE4]

! Set up VPLS instance, define discovery method and set VPN ID
!
hostname PE3
!
l2 vfi customer1 autodiscovery
 vpn id 100
!
! Activate IPv4 label capability
!
router bgp 1
 !
 address-family ipv4
  neighbor <ASBR-1> send-label
 exit-address-family
!

! Set up VPLS instance, define discovery method and set VPN ID, vpls-id and RT to match the other side
!
hostname PE4
!
l2 vfi customer1 autodiscovery
 vpn id 200
 vpls-id 1:100
 route-target both 1:100
!
! Activate IPv4 label capability
!
router bgp 2
 !
 address-family ipv4
  neighbor <ASBR-2> send-label
 exit-address-family
!

Page 40

I-AS mVPNs

Page 41

mVPN Concept and Fundamentals—Review

1. CEs join MPLS Core through provider’s PE devices
2. PEs perform RPF check on Source to build Default and Data Trees (Multicast Data Trees – MDT)
3. Interfaces are associated with mVRF
4. Source-Receivers communicate using mVRFs

[Figure: MPLS VPN Core with PE and CE routers at San Francisco, Los Angeles, Dallas and New York; High bandwidth Multicast Source; Receiver 1, Receiver 2, Receiver 3, Receiver 4; "Join High Bandwidth Source". Data MDT: For High Bandwidth Traffic Only. Default MDT: For low Bandwidth & Control Traffic Only.]

Page 42

Option A: Back-to-Back ASBR-PEs

1. Native IP forwarding between ASBRs
   Protocol change not required
   Inter-AS MDT not required
2. MDT limited to one AS
   No issue with managing MDT group ranges between AS
   No issue with RPF
3. VRF created on the ASBRs
   Not scalable

Page 43

I-AS mVPN with Option B

Solution for PE: Use BGP Connector Attribute (transitive)
Preserves identity of a PE router originating a VPNv4 Prefix (Option B only)

[Figure: AS300 (CE-300 Site 2, PE-300, P-300, ASBR-300) and AS200 (ASBR-200, P-200, PE-200, CE-200 Site 1); vrf, Default-MDT = RED, Default MDT 239.232.0.1; Source 10.1.1.1, Group 239.10.10.10, Multicast Traffic (10.1.1.1, 239.10.10.10) to the Receiver; PIM adjacency over MDT. Numbered steps 1 to 7 show VPNv4 updates, iBGP MDT (RD, S:PE-200, G:RED), eBGP MDT (RD, S:PE-200, G:RED) with AFI=1, SAFI=66, and PIM Join (PE-200, RED).]

RPF check shown in the figure:
   Source = 10.1.1.1, PIM NBR = PE-200, BGP NH = ASBR-300: RPF Check Fails!
   Source = 10.1.1.1, PIM NBR = PE-200, BGP Connector = PE-200: RPF Check Passes!

Page 44

I-AS mVPN with Option B and Option C

Solution for P: PIM RPF Vector for both options B & C
Helps P router in BGP free core do RPF check for both options B & C

[Figure: AS300 (CE-300 Site 2, P-300, ASBR-300) and AS200 (ASBR-200, P-200, PE-200, CE-200 Site 1); vrf, Default-MDT = RED, Default MDT 239.232.0.1; Source and Receiver. Numbered steps 1 to 5 show the messages below.]

Messages shown in the figure:
   iBGP MDT (PE-300, G: Default MDT, BGP-NH=ASBR-200)
   PIM Join (PE-300, Default MDT, Vector=ASBR-200, RD=300:1)
   PIM Join (PE-300, Default MDT, Vector=ASBR-300, RD=300:1)
   PIM Join (PE-300, Default MDT, RD=300:1)

Page 45

I-AS MVPN Configuration Procedure Option B (SSM)

[Figure labels: PE1, ASBR1, AS #1, AS #2, ASBR2, PE2, CE-4]

Configuration Steps:

1. Enable RPF Vector in the Global table
   ip multicast rpf vector
2. Set up Multicast Address family on ASBRs
   address-family ipv4 mdt
3. Configure PE router to send BGP MDT updates to build the Default MDT
   ip multicast vrf <vrf name> rpf proxy rd vector

! PE1 Configuration:
!
ip multicast-routing
ip multicast-routing vrf VPN-A
ip multicast vrf VPN-A rpf proxy rd vector
!
router bgp 1
 !
 address-family ipv4 mdt
  neighbor <ASBR1> activate
  neighbor <ASBR1> next-hop-self
 exit-address-family
!
ip pim ssm default
!

! ASBR1 Configuration:
!
ip multicast-routing
ip multicast-routing vrf VPN-A
!
router bgp 1
 !
 address-family ipv4 mdt
  neighbor <ASBR2> activate
  neighbor <PE1> activate
  neighbor <PE1> next-hop-self
 exit-address-family
!
ip pim ssm default
!

Page 46

Carrier Supporting Carrier (CSC)

Page 47

Introducing Carrier Supporting Carrier

1. CSC is one of the VPN services that is applicable in a Multi-AS network environment

2. CSC VPN service is a VPN service that provides MPLS transport for customers with MPLS networks

3. It is also known as hierarchical MPLS VPN service, since the MPLS VPN customer carrier subscribes to MPLS VPN service from an MPLS backbone provider

4. Defined in RFC 4364 (previously well known as draft 2547bis)

[Figure labels: MPLS Backbone (Backbone Service Provider); Customer Carrier ISP1 with its MPLS NW on each side]

Page 48

Carrier’s Carrier building blocks

- External Routes: IP routes from VPN customer networks
- Internal Routes: Internal routes (global table) of Customer Carrier network
- External routes are stored and exchanged among Customer Carrier PEs
- MPLS Backbone network doesn’t have any knowledge of external routes
- Customer Carrier selectively provides NLRI to MPLS VPN backbone provider

[Figure labels: MPLS Backbone (Backbone Service Provider) with CSC-PE1, CSC-PE2 and CSC-RR1; Customer Carrier sites San Francisco ISP1 and London ISP1 (MPLS) with CSC-CE1, CSC-CE2, PE1, PE2, PE3, PE4, RR1, RR2; VPN Customers CE1R, CE1G, CE2G, CE2R; arrows marked External Routes and Internal Routes]

Page 49

Carrier’s Carrier building blocks (continued)

Label Switched paths between CSC-CE and CSC-PE: IGP+LDP or eBGPv4 + Labels
- CSC-PE and CSC-CE exchange MPLS Labels
  - this is necessary to transport labeled traffic from a Customer Carrier

[Figure labels: MPLS Backbone (Backbone Service Provider) with CSC-PE1, CSC-PE2 and CSC-RR1; Customer Carrier sites San Francisco ISP1 and London ISP1 (MPLS) with CSC-CE1, CSC-CE2, PE1, PE2, PE3, PE4, RR1, RR2; CE1R, CE1G, CE2G, CE2R]

Page 50

Carrier Supporting Carrier Models

I. Customer Carrier Is Running IP Only
   - similar to basic MPLS L3 VPN environment

II. Customer Carrier Is Running MPLS
   - LSP is established between CSC-CE and CSC-PE
   - Customer carrier is VPN subscriber of MPLS VPN backbone provider

III. Customer Carrier Supports MPLS VPNs
   - LSP is established between CSC-CE and CSC-PE
   - Customer carrier is VPN subscriber of MPLS VPN backbone provider
   - True hierarchical VPN model

Page 51

CSC Model III—Customer Carrier Supports MPLS VPNs

[Figure: control-plane and data-plane walk-through]
- Nodes: Site A – VPN A (CE1), PE1 (VRF), IP/MPLS, CSC-CE1, CSC-PE1 (VRF), CSC-PE2 (VRF), CSC-CE2, IP/MPLS, PE2 (VRF), Site B – VPN A 149.27.2.0/24 (CE2)
- Control-plane labels:
  - MP-iBGP Peering & Label Exchange
  - BGP or (OSPF, RIPv2) + LDP: Network=PE2, NH=CSC-CE2, Label=(100)
  - BGP or (OSPF, RIPv2) + LDP: Network=PE2, NH=CSC-PE1, Label=(120)
  - MP-iBGP Peering, VPN-v4 Update: RD:1:30:149.27.2.0/24, NH=PE2, RT=1:200, Label=(28)
  - VPN-v4 Update: RD:1:27:CSC-CE2, PE2, NH=CSC-PE2, RT=1:27, Label=(50)
  - LDP in each IP/MPLS network
- Data-plane labels: label operations Push, Swap and Pop drawn along the path; label stacks drawn with IGP Label, Label=101, Label=120, Label=50, Label=100 and Label=140 as outer labels, and Label=28 directly above the Payload

Page 52

CSC Model III - Cisco IOS Show configs & commands

[Figure labels: MPLS Backbone with CSC-PE1 200.0.0.4/32, BB-P1 200.0.0.5/32, CSC-PE2 200.0.0.6/32; CSC-CE1 100.0.0.3/32, CSC-CE2 100.0.0.7/32; PE1 100.0.0.2/32, PE2 100.0.0.8/32; CE-VPN-A1 10.1.1.1/32, CE-VPN-B1 50.0.0.1/32, CE-VPN-A2 10.1.1.9/32, CE-VPN-B2 50.0.0.9/32; links 192.168.0.x/24, 192.168.2.x/24, 172.16.0.x/24, 172.16.1.x/24; VRFs ISPa and kk]

CSC-PE1#sh mpls forwarding-table label 27 det
Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched     interface
27     22          100.0.0.8/32[V]   72864        Se0/0      point2point
        MAC/Encaps=4/12, MRU=1496, Label Stack{16 22}
!
interface Serial1/0
 ip vrf forwarding ISPa
 ip address 10.0.0.4 255.255.255.0
 mpls label protocol ldp
 mpls ip

CSC-PE2#sh mpls forwarding-table label 22
Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched     interface
22     17          100.0.0.8/32[V]   69298        Se0/0      point2point

CSC-CE1#sh mpls forwarding label 21
Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched     interface
21     27          100.0.0.8/32      67228        Se0/0      point2point

CSC-CE2#sh mpls forwarding-table label 17
Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched     interface
17     Pop Label   100.0.0.8/32      65251        Se0/0      point2point

PE1#sh ip cef vrf kk 50.0.0.9
50.0.0.9/32
  nexthop 192.168.0.3 Serial0/0 label 21 26

PE1#sh ip bgp vpnv4 all summ
BGP router identifier 100.0.0.2, local AS number 2
..
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.0.0.8       4     2     580     577       13    0    0 10:36:23

PE2#sh mpls forwarding-table label 26 det
Local  Outgoing    Prefix            Bytes Label  Outgoing   Next Hop
Label  Label or VC or Tunnel Id      Switched     interface
26     No Label    50.0.0.9/32[V]    0            Se0/0      point2point
        MAC/Encaps=4/4, MRU=1504, Label Stack{}
        0F000800
        VPN route: kk
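The show output on this slide can be read as one hop-by-hop label trace from PE1 to PE2. The Python sketch below is an added example, not part of the original slides; it replays the forwarding entries listed above, and the BB-P1 entry is an assumption (penultimate-hop pop of label 16), since the slide shows no output for that router.

```python
# Label forwarding entries transcribed from the show output on this slide:
# router -> {incoming top label: labels written in its place}
LFIB = {
    "CSC-CE1": {21: [27]},
    "CSC-PE1": {27: [16, 22]},   # Label Stack{16 22}: swap to 22, push 16
    "BB-P1":   {16: []},         # ASSUMPTION: penultimate-hop pop, not on the slide
    "CSC-PE2": {22: [17]},
    "CSC-CE2": {17: []},         # "Pop Label"
    "PE2":     {26: []},         # "No Label": VPN route kk, forwarded as IP
}
PATH = ["CSC-CE1", "CSC-PE1", "BB-P1", "CSC-PE2", "CSC-CE2", "PE2"]
INGRESS_STACK = [21, 26]         # PE1: "nexthop 192.168.0.3 Serial0/0 label 21 26"


def trace(stack, lfib=LFIB, path=PATH):
    """Return [(router, stack leaving that router)], top label first."""
    hops = [("PE1", list(stack))]
    for router in path:
        if not stack or stack[0] not in lfib[router]:
            top = stack[0] if stack else None
            raise LookupError(f"LSP broken at {router}: no entry for label {top}")
        stack = lfib[router][stack[0]] + stack[1:]
        hops.append((router, list(stack)))
    return hops


def labels_seen(hops, routers):
    """Top labels the given routers received, i.e. all they forward on."""
    seen = set()
    for (_, stack_in), (router, _) in zip(hops, hops[1:]):
        if router in routers:
            seen.add(stack_in[0])
    return seen


if __name__ == "__main__":
    for router, stack in trace(INGRESS_STACK):
        print(f"{router:8} -> {stack}")
```

The backbone routers only ever act on labels 27, 16 and 22; the customer carrier's VPN label 26 rides underneath untouched until PE2. Removing any one entry raises `LookupError`, which is the broken end-to-end LSP case.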

Page 53

MPLS L2VPNs Across a CSC Network

[Figure: two diagrams, one labelled Multi-Hop PW and one labelled Single-Hop PW. Each shows PE1, ASBR1, ASBR2, ASBR3, ASBR4, PE2 and pseudowire PW1, with Customer Carrier A networks on either side of the MPLS Backbone Carrier (CsC)]

Page 54

CSC Security Elements

1. MD5 authentication on LDP/BGP sessions
2. Applying max prefix limits per VRF
3. Use of static labels
4. Route Filtering

…Customer Carrier may not want to send all the internal routes to MPLS VPN backbone provider…

- Use Route-maps to control route distribution & filter routes
- Use match and set capabilities in route-maps
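One way to check a CSC-PE configuration against the MD5, prefix-limit and route-filtering elements above is a small audit script. This is an added example, not part of the original slides; the configuration fragment is constructed, and the addresses, key and route-map name are placeholders (only the VRF name ISPa is taken from the slides).

```python
import re

# Constructed CSC-PE fragment (not from the slides); addresses, key and names are placeholders.
HARDENED = """\
ip vrf ISPa
 maximum routes 1000 80
mpls ldp neighbor vrf ISPa 10.0.0.3 password EXAMPLE-KEY
router bgp 1
 address-family ipv4 vrf ISPa
  neighbor 10.0.1.3 remote-as 2
  neighbor 10.0.1.3 password EXAMPLE-KEY
  neighbor 10.0.1.3 maximum-prefix 500 80
  neighbor 10.0.1.3 route-map CSC-CE-IN in
 exit-address-family
"""
# The same fragment with the authentication, limit and filter lines stripped out.
WEAK = "\n".join(l for l in HARDENED.splitlines()
                 if "password" not in l and "maximum" not in l and "route-map" not in l)
BGP_REQUIRED = ("password", "maximum-prefix", "route-map in")


def audit_csc_pe(config):
    """Return sorted findings for MD5 auth, prefix limits and inbound filtering."""
    vrf = af = None
    capped, bgp, ldp = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].strip():                       # unindented line ends the current block
            vrf = af = None
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            vrf = m.group(1)
            capped.setdefault(vrf, False)
        elif vrf and line.startswith("maximum routes "):
            capped[vrf] = True
        elif m := re.fullmatch(r"address-family ipv4 vrf (\S+)", line):
            af = m.group(1)
        elif line == "exit-address-family":
            af = None
        elif af and (m := re.fullmatch(r"neighbor (\S+) (\S+)(.*)", line)):
            ip, knob, rest = m.groups()
            if knob == "route-map":               # keep the direction: in / out
                knob += " " + (rest.split() or ["?"])[-1]
            bgp.setdefault((af, ip), set()).add(knob)
        elif m := re.fullmatch(r"mpls ldp neighbor vrf (\S+) (\S+) (\S+).*", line):
            ldp.setdefault(m.group(1, 2), set()).add(m.group(3))
    out = [f"vrf {v}: no 'maximum routes' limit" for v, ok in capped.items() if not ok]
    out += [f"LDP {v}/{ip}: no MD5 password" for (v, ip), k in ldp.items() if "password" not in k]
    for (v, ip), knobs in bgp.items():
        out += [f"BGP {v}/{ip}: missing {k}" for k in BGP_REQUIRED if k not in knobs]
    return sorted(out)
```

The check only sees LDP peers that are named in an `mpls ldp neighbor vrf` line; a peer discovered on a VRF interface with no such line is not reported.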

Page 55

CSC Security Elements

1. MPLS static labels were introduced in 12.0.23S, but only supported global routing tables (not VRF aware):
   - Config. only MPLS forwarding table entries for the global table
   - Assign label values to FECs learned by the LDP for the global table
   - Limits usage to the provider core only

2. Feature is enhanced so static labels can be used for VRF traffic at the VPN edge for CSC networks:
   - In 12.0(26)S, the MPLS LDP—VRF-Aware Static Labels feature was introduced, allowing MPLS static labels to be used for VRF traffic at the VPN edge.
   - In 12.3(14)T, 12.2(33)SRA, 12.2(33)SXH, 12.2(33)SB, this feature was integrated.

Page 56

Best Practice Recommendations

1. Do not use static default routes on CSC-CE
   - An end-to-end LSP is required across the VPN and MPLS VPN backbone
2. Use dynamic protocol instead of static on CSC-CE – CSC-PE link
3. Set Next-Hop-Self on PEs carrying external routes
4. If using IGP on CSC-CE routers, use filters to limit incoming routes from the CSC-PE side
5. If using RRs in customer carrier network, set next-hop-unchanged on RRs
6. If using BGP on CSC-PE-CE link, use as-override on CSC-PE
