MPLS VPN Configurations

Apr 09, 2018

Asif Darvesh
    8/8/2019 MPLS VPN Configurations

    1/101

    CQFE rev17 Russ Davis 1999, Cisco Systems, Inc.

    MPLS VPN Configurations

    Khalid Raza

    Agenda

    Introduction to VPN concepts

    VPN definitions

    Types of VPNs (Overlay/Peer)

    Comparison between Overlay and Peer model

    Benefits of MPLS VPNs

    Idea behind VRF, RD, RT

    Route propagation in MP-BGP

    Routing between PE-CE

    MPLS packet forwarding

    MPLS configuration

    VRF

    MP-BGP

    PE-CE configuration

    Advanced configuration

    MPLS VPN topologies and connectivity

    Design considerations

    Deployment strategies

    VPN/MPLS Concepts

    VPN

    The concept is to use the service provider's shared resources to connect multiple customer sites.

    Technologies such as X.25 and Frame Relay use virtual circuits to establish end-to-end connections over the shared provider infrastructure.

    This statistical sharing of resources enables the service provider to offer low-cost services to the end user.

    VPN Terminology

    Provider Network (P-Network)
    The backbone under control of a Service Provider

    Customer Network (C-Network)
    Network under customer control

    CE router
    Customer Edge router. Part of the C-network and interfaces to a PE router

    Site
    Set of (sub)networks that are part of the C-network and co-located
    A site is connected to the VPN backbone through one or more PE/CE links

    PE router
    Provider Edge router. Part of the P-Network and interfaces to CE routers

    P router
    Provider (core) router, without knowledge of VPNs

    [Figure: VPN Terminology. Two VPN Sites, each with a CPE (CE) Device, attach to Provider Edge (PE) devices at the edge of the Service Provider Network; a Provider core (P) device sits in the middle.]

    Types of VPNs

    VPN services are offered in two major ways:

    Overlay model, where the service provider provides the virtual connections between sites

    Peer model, where the service provider participates in the Layer 3 routing of the customer

    VPN Overlay Model

    Service provider network is a collection of point-to-point links

    Routing within the customer network is transparent to the service provider network

    Service provider is responsible purely for data transport between customer sites

    Layer 1 implementation (IP, HDLC, PPP run by the customer) - provider gives bit pipes only

    Layer 2 implementation - service provider responsible for L2 VCs via ATM or Frame Relay

    [Figure: VPN Overlay Model. A Virtual Circuit between the Provider Edge (PE) devices crosses the Service Provider Network; the Layer-3 Routing Adjacency runs between the CPE (CE) Devices of the two VPN Sites.]

    VPN Peer Model

    Both provider and customer network use the same network protocol

    CE and PE routers have a routing adjacency at each site

    All provider routers hold the full routing information about all customer networks

    Private addresses are not allowed

    May use the virtual router capability

    Multiple routing and forwarding tables based on customer networks

    [Figure: VPN Peer-to-Peer Model. Each CPE (CE) Router has a Layer-3 Routing Adjacency with its Provider Edge (PE) Router across the Service Provider Network.]

    The peer model uses two types of approach:

    Shared router

    Dedicated router

    Shared router

    Where a common router was used, extensive packet filtering is applied on the PE router to isolate customers

    The service provider allocated addresses out of its space to the customer and managed the packet filters to ensure same-customer reachability and isolation between customers

    High maintenance cost associated with packet filters

    Performance impact due to packet filtering

    Peer-to-Peer Model: Shared Router Approach

    [Figure: shared router approach with complex filters. One PE serves CE routers of VPN-A, VPN-B and VPN-C (sites labelled Paris, London and Munich); the PE routing table holds VPN-A routes, VPN-B routes and VPN-C routes.]

    interface Serial0/1
     description ** interface to VPN-A customer
     ip address 192.168.61.6 255.255.255.252
     ip access-group VPN-A in
     ip access-group VPN-A out
    !
    interface Serial0/2
     description ** interface to VPN-B customer
     ip address 192.168.61.9 255.255.255.252
     ip access-group VPN-B in
     ip access-group VPN-B out
    !
    interface Serial0/3
     description ** interface to VPN-C customer
     ip address 192.168.62.6 255.255.255.252
     ip access-group VPN-C in
     ip access-group VPN-C out

    Dedicated router

    Customer isolation is achieved via dedicated routers connected to each customer

    POP edge routers filter routing updates between the different provider edge routers

    Route filtering is achieved via BGP communities

    Not cost effective

    Peer-to-Peer Model: Dedicated Router Approach

    [Figure: dedicated router approach, expensive to deploy. Separate VPN-A PE and VPN-B PE routers (Paris, London) connect to a P Router whose routing table carries VPN-A routes (community 111:1) and VPN-B routes (community 111:2); the VPN-A PE in Brussels receives VPN-A routes ONLY.]

    router bgp 111
     neighbor 10.13.1.2 remote-as 111
     neighbor 10.13.1.2 route-reflector-client
     neighbor 10.13.1.2 route-map VPN-A out
    !
    route-map VPN-A permit 10
     match community-list 75
    !
    ip community-list 75 permit 111:1

    Comparison Between the Two Models

    Overlay Model (advantages)
    Easy to implement
    No knowledge of customer routing
    Isolation between the two networks

    Peer Model (advantages)
    Optimal routing
    Easy to provision additional VPNs through site provisioning - no need for link provisioning

    Overlay Model (drawbacks)
    Optimal routing between sites requires a full mesh
    Bandwidth provisioning
    Virtual circuits have to be manually configured

    Peer Model (drawbacks)
    Customer convergence is dependent on SP routing convergence
    Lots of routes within the provider network cause scalability problems

    Benefits of MPLS VPNs

    Best of both worlds

    PE participates in routing, so you can achieve optimal routing between sites

    PE isolates customer routing information, like the dedicated router solution

    Overlapping addresses are permitted between customers

    PE router is subdivided into virtual routers

    Similar to the dedicated router approach

    Each customer is assigned independent routing tables

    IOS does this isolation through the concept of VRF (Virtual Routing and Forwarding)

    [Figure: Benefits of MPLS VPNs. One PE holds a Global Routing Table plus a VRF for VPN-A and a VRF for VPN-B (the VPN Routing Tables); CE routers for VPN-A and VPN-B at sites labelled Paris, London and Munich attach to it and exchange routes via IGP and/or BGP. Multiple routing and forwarding instances (VRFs) provide the separation.]

    Problem

    How to propagate routing across the network between the PE devices?

    We need a routing protocol that will transport the customer routes across the provider network

    Need to maintain the independence of customers' routing and address space

    Easy and Lazy Answer

    Run multiple routing protocols, one for each customer

    But PE routers will have to run a large number of routing instances

    Poor P routers will have to carry all the VPN routes

    P routers will still run into the overlapping address problem unless you configure all the VRFs on the P routers as well

    Does not scale

    Better Solution

    Run a routing protocol that exchanges the routing updates only between PE routers

    P routers are protected from customer routes

    But how to do it?

    Use BGP to pass the routing information between PE devices

    Use MPLS labels to exchange packets between next-hops (PE routers)

    Extend BGP to be able to handle overlapping addresses

    VPN Routing & Forwarding Instance (VRF)

    PE routers maintain separate routing tables:

    Global routing table
    contains all PE and P routes (perhaps BGP)
    populated by the VPN backbone IGP

    VRF (VPN routing & forwarding)
    routing & forwarding table associated with one or more directly connected sites (CE routers)
    a VRF is associated with any type of interface, whether logical or physical (e.g. sub/virtual/tunnel)
    interfaces may share the same VRF if the connected sites share the same routing information

    [Figure: VPN Routing & Forwarding Instance (VRF), the same diagram as under Benefits of MPLS VPNs: a PE with a Global Routing Table, a VRF for VPN-A and a VRF for VPN-B; CE routers at Paris, London and Munich exchange routes via IGP and/or BGP. Multiple routing & forwarding instances (VRFs) provide the separation.]

    MPLS/VPN Connectivity Model

    Private addressing in multiple VPNs is no longer an issue, provided that members of the same VPN do not use the same address range.

    [Figure: sites London, Milan, Paris, Munich, Brussels and Vienna in VPN A, VPN B and VPN C, with prefixes 10.2.1.0/24, 10.22.12.0/24, 10.2.1.0/24, 10.3.3.0/24, 10.2.12.0/24 and 10.4.12.0/24; 10.2.1.0/24 appears twice, in different VPNs. Address space within VPN A, and within VPN B, must be unique.]

    VPN Routing & Forwarding Instance (VRF)

    A VRF can be thought of as a virtual router with the following structures:

    forwarding table based on CEF

    a set of interfaces that use the derived forwarding table

    rules to control import/export of routes from/into the VPN routing table

    set of routing protocols/peers which inject information into the VPN routing table (including static routing)

    router variables associated with the routing protocol used to populate the VPN routing table

    VRF Route Population

    A VRF is populated locally through the PE-CE routing protocol exchange

    RIP version 2, OSPF, BGP-4 & static routing

    Separate routing context for each VRF
    routing protocol context (BGP-4 & RIP v2)
    separate process (OSPF)

    [Figure: a PE with CE routers at Site-1 and Site-2, exchanging routes via EBGP, OSPF, RIPv2 or static routing.]

    Local VRF Route Population

    [Figure: a PE with a VRF for VPN-A, a VRF for VPN-B and the Global table; CE routers for VPN-A and VPN-B at sites labelled Paris, London and Munich attach to it. Local VRF population is driven by a routing protocol context or process (OSPF); the question is which routing protocol context or process populates which VRF.]

    VRF Route Distribution

    PE routers distribute local VPN information across the MPLS/VPN backbone

    through the use of MP-BGP & redistribution from the VRF

    the receiving PE imports routes into the attached VRFs

    [Figure: CE Router - PE - P Router - PE - CE Router across the MPLS/VPN Backbone; MP-BGP runs between the two PEs, with a VPN Site behind each CE Router.]

    Concept of RD

    If customers have overlapping addresses, BGP will treat them as a single prefix

    Extend the prefix with a 64-bit route distinguisher (RD)

    Now, with the 32-bit IP address and the 64-bit RD, the two overlapping IP addresses are unique

    The 32-bit IP prefix is the IPv4 address

    With the 64-bit RD it is extended to 96 bits and becomes a VPNv4 address

    This address is exchanged only between the PE routers via BGP

    It is carried in Multi-Protocol BGP

    [Figure: Concept of RD. PE1, with CE routers for VPN-A and VPN-B (Munich), sends MP-BGP updates across the MPLS/VPN Backbone to PE2, whose BGP table holds routes from VPN-A and routes from VPN-B.]

    CE router sends a 32-bit IPv4 prefix

    PE router converts it into a 96-bit VPNv4 prefix

    Processing of RD

    RD is propagated between the PE routers

    RD is removed by the receiving PE routers

    CE router receives just the IPv4 prefixes

    Usage of RD

    RD is only used to extend the IP prefix such that overlapping addresses are unique

    Simple VPN topologies require a single RD per customer

    In some cases multiple RDs may be required
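The following Python is an added example, not part of the original deck: it encodes a route distinguisher in the two formats the later configuration slides accept (AS:nn and IP-address:nn), prepends it to an IPv4 prefix to form the 96-bit VPNv4 address, and shows that two customers' identical 10.2.1.0/24 prefixes become distinct. The RD values and prefixes are constructed for the example; the fixed 12-byte layout is a simplification of the MP-BGP encoding, which also carries the prefix length and a label.

```python
"""Added example (not from the original deck): RD encoding and the 96-bit VPNv4 address.

RD wire formats: type 0 = 2-byte AS : 4-byte assigned number,
type 1 = 4-byte IPv4 address : 2-byte assigned number. The RD and prefix
values below are constructed for the example.
"""
import ipaddress
import struct


def encode_rd(rd_text: str) -> bytes:
    """Return the 8-byte RD for 'ASN:nn' (type 0) or 'A.B.C.D:nn' (type 1)."""
    admin, _, assigned = rd_text.rpartition(":")
    if not admin or not assigned:
        raise ValueError(f"malformed RD {rd_text!r}, expected ADMIN:NUMBER")
    if "." in admin:                                   # type 1: IPv4 administrator
        ip = int(ipaddress.IPv4Address(admin))
        return struct.pack("!HIH", 1, ip, int(assigned))
    asn = int(admin)
    if asn > 0xFFFF:
        raise ValueError("a type-0 RD needs a 2-byte AS number")
    return struct.pack("!HHI", 0, asn, int(assigned))


def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd, used when printing a received VPNv4 route."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    raise ValueError(f"unsupported RD type {rd_type}")


def vpnv4_nlri(rd_text: str, prefix_text: str) -> bytes:
    """RD (64 bits) + IPv4 network address (32 bits) = 96-bit VPNv4 address.

    Fixed 12-byte form; real MP-BGP sends only the significant prefix bytes
    plus the prefix length and a label, but the uniqueness argument is the same.
    """
    net = ipaddress.IPv4Network(prefix_text)
    return encode_rd(rd_text) + net.network_address.packed


def describe(nlri: bytes) -> str:
    """Human-readable RD:prefix form of a VPNv4 address."""
    return f"{decode_rd(nlri[:8])}:{ipaddress.IPv4Address(nlri[8:])}"


# Constructed data: two customers both use 10.2.1.0/24, distinguished by RD only.
VPN_A_RD = "109:145"
VPN_B_RD = "109:146"
route_a = vpnv4_nlri(VPN_A_RD, "10.2.1.0/24")
route_b = vpnv4_nlri(VPN_B_RD, "10.2.1.0/24")

if __name__ == "__main__":
    print(len(route_a) * 8, "bits")                 # 96
    print(describe(route_a), describe(route_b))     # 109:145:10.2.1.0 109:146:10.2.1.0
    print("distinct in BGP:", route_a != route_b)   # True, same IPv4 bytes, different RD
```

The RD is an opaque discriminator: nothing in the 96-bit value says which VPN a route belongs to, which is why the next slides introduce the route target for membership.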

    Can RD be the VPN Identifier?

    Yes - it could be a VPN identifier

    Complex topologies require another component for VPN membership beyond the RD, just as communities are more flexible

    Concept of RT

    For sites that have to participate in more than one VPN, the RD is not sufficient

    You need another way of deciding the membership

    RT was introduced to support complex topologies such that separation and grouping are easier

    RT is an extended BGP community attached to the VPNv4 address

    Gives more flexibility to the VPN membership

    Any number of RTs can be attached to a route

    Extended communities are 64-bit values

    RTs are either exported or imported

    Export route targets are attached to the route the moment it is converted from IPv4 to VPNv4

    Import RTs are used to decide which routes will be imported into the VRF

    Routing Within MPLS VPN

    Pass IPv4 routes to the customer routers

    No VPN routes within the MPLS core (P routers)

    P routers run IGP and global BGP (if needed)

    Provider Edge router carries connected VPN routes and Internet routes

    Routing: P-router Perspective

    Runs IGP with all the P and PE routers in the network

    No MPLS VPN routing information

    Very simple view of the network

    Routing: PE-router Perspective

    Exchanges IPv4 routes with CE routers

    Exchanges VPNv4 routes with other PE routers

    Runs the common IGP with P routers and also Internet BGP with P routers (if needed)

    Routing Table on PE Router

    PE router has to maintain a number of routing tables

    Global routing table (IGP, Internet routes)

    VRF routing information for connected VPNs

    VRF routing is populated via CE routes and routes from other PEs

    PE to PE Route Information Flow

    PE router creates a VPNv4 update

    Adds extended community attributes (RT, SOO)

    All other BGP attributes

    Received route is imported into the appropriate VRF according to RT values

    Routes installed into the VRF are propagated to CE routers

    MP-BGP Update

    Any other standard BGP attribute: Local Preference, MED, Next-hop, AS_PATH, Standard Community

    A label identifying the outgoing interface, or the VRF where a lookup has to be performed (aggregate/connected)

    The BGP label will be the second label in the label stack of packets travelling in the core

    VRF Population of MP-BGP

    [Figure: PE-1 (Paris, CE-1) sends PE-2 (London, CE-2) the VPNv4 update RD 1:27:149.27.2.0/24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28). PE-2 is configured with:]

    ip vrf VPN-A
     route-target import VPN-A

    Receiving PE routers translate the route back to IPv4

    Insert the route into the VRF identified by the RT attribute (based on PE configuration)

    The label associated with the VPNv4 address will be set on packets forwarded toward the destination

    The VPNv4 update is translated into an IPv4 address and put into VRF VPN-A because RT=VPN-A, and optionally advertised to CE-2
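An added example (Python, not from the deck) that ties the RT slides above to this one: the advertising PE converts each VRF's IPv4 prefixes into VPNv4 routes tagged with the VRF's export RTs, and the receiving PE installs a route into every VRF whose import RTs overlap. VRF names, RT values and the 172.20.0.0/16 prefix are constructed; the RD 1:27, the prefix 149.27.2.0/24, next-hop PE-1 and label 28 are the deck's. The third VRF on PE-2 is deliberately misconfigured with VPN-B's import RT to show that the import list, not the RD, is the customer isolation boundary.

```python
"""Added example, not from the original deck: RT-driven import of VPNv4 routes.

An advertising PE turns each VRF's IPv4 routes into VPNv4 routes carrying the
VRF's export RTs; a receiving PE installs a route into every VRF whose import
RT set intersects the route's RTs. VRF names, RT values and 172.20.0.0/16 are
constructed; RD 1:27, 149.27.2.0/24, next-hop PE-1 and label 28 are the slide's.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                 # route distinguisher, keeps overlapping prefixes distinct in BGP
    prefix: str             # IPv4 prefix as learned from the CE
    next_hop: str           # advertising PE (BGP next-hop)
    label: int              # VPN label the advertising PE expects on returning packets
    rts: frozenset          # route-target extended communities attached at export


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)   # prefix -> [(rd, next_hop, label), ...]


def export_routes(vrf, prefixes, pe, next_label):
    """Advertising PE: IPv4 -> VPNv4, attach the export RTs, allocate a VPN label."""
    return [Vpnv4Route(vrf.rd, p, pe, next_label(), vrf.export_rts) for p in prefixes]


def import_routes(vrfs, updates):
    """Receiving PE: the RD is stripped; membership is decided purely by RT overlap."""
    for route in updates:
        for vrf in vrfs:
            if vrf.import_rts & route.rts:
                vrf.routes.setdefault(route.prefix, []).append(
                    (route.rd, route.next_hop, route.label))
    return {vrf.name: vrf.routes for vrf in vrfs}


def run_example():
    """Two customers both announce 149.27.2.0/24; PE-2 has one misconfigured VRF."""
    labels = iter(range(28, 1000))           # simple per-route label allocator
    pe1_vpn_a = Vrf("VPN-A", "1:27", frozenset({"109:1"}), frozenset({"109:1"}))
    pe1_vpn_b = Vrf("VPN-B", "1:28", frozenset({"109:2"}), frozenset({"109:2"}))
    updates = export_routes(pe1_vpn_a, ["149.27.2.0/24"], "PE-1", lambda: next(labels))
    updates += export_routes(pe1_vpn_b, ["149.27.2.0/24", "172.20.0.0/16"], "PE-1",
                             lambda: next(labels))

    pe2_vrfs = [
        Vrf("VPN-A", "1:27", frozenset({"109:1"}), frozenset({"109:1"})),
        Vrf("VPN-B", "1:28", frozenset({"109:2"}), frozenset({"109:2"})),
        # Typo: VPN-C's import list also names VPN-B's RT, so VPN-B's routes leak in.
        Vrf("VPN-C", "1:29", frozenset({"109:3"}), frozenset({"109:3", "109:2"})),
    ]
    return updates, import_routes(pe2_vrfs, updates)


if __name__ == "__main__":
    for name, table in run_example()[1].items():
        print(name, table)
```

VPN-A ends up with only its own copy of 149.27.2.0/24 (label 28), VPN-B with its own copy plus 172.20.0.0/16, and the mistyped VPN-C receives everything VPN-B exported. Auditing import RT lists across all PEs is therefore the practical check for unintended cross-customer reachability.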

    Routing Between PE-CE

    CE does not need any understanding of MPLS

    CE needs standard IP software

    Currently EBGP, OSPF, RIP and static routing are supported

    PE router looks like a standard corporate backbone router to the CE router

    MPLS/VPN Packet Forwarding

    [Figure: PE-1 (Paris) and PE-2 (London, 197.26.15.1), with 149.27.2.0/24 reached via PE-2. The VPNv4 update is RD 1:27:149.27.2.0/24, NH=197.26.15.1, SOO=Paris, RT=VPN-A, Label=(28).]

    Label bindings for FEC 197.26.15.1/32 along the path:

    Router        In Label   FEC              Out Label
    PE-1 (Paris)  -          197.26.15.1/32   41
    P             41         197.26.15.1/32   POP
    PE-2 (London) -          197.26.15.1/32   -

    PE-2 advertises "use label implicit-null for destination 197.26.15.1/32"; the P router advertises "use label 41 for destination 197.26.15.1/32".

    PE and P routers have BGP next-hop reachability through the backbone IGP

    Labels are distributed through LDP corresponding to the BGP next-hops, or through RSVP with Traffic Engineering

    Label stack is used for packet forwarding

    Top label indicates the BGP next-hop (interior label)

    Second-level label indicates the outgoing interface or VRF (exterior VPN label)

    MPLS nodes forward packets based on the top label; any subsequent labels are ignored

    Penultimate Hop Popping procedures are used one hop prior to the egress PE router

    Penultimate Hop Popping

    [Figure: path Paris - Brussels - London, with London owning 197.26.15.1.]

    Router     In Label   FEC              Out Label
    Paris      -          197.26.15.1/32   41
    Brussels   41         197.26.15.1/32   POP
    London     -          197.26.15.1/32   -

    Brussels tells Paris "use label 41 for destination 197.26.15.1/32"; London tells Brussels "use label implicit-null for destination 197.26.15.1/32".

    London# show tag-switching tdp binding 197.26.15.1
      tib entry: 197.26.15.1/32, rev 10
        local binding:  tag: imp-null(1)
        remote binding: tsr: 172.16.3.1:0, tag: 41

    Brussels# show tag-switching tdp binding 197.26.15.1
      tib entry: 197.26.15.1/32, rev 10
        local binding:  tag: 41
        remote binding: tsr: 172.16.3.2:0, tag: imp-null(1)

    Brussels# show tag-switching forwarding
    Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id      switched   interface
    41     Pop tag     197.26.15.1/32    0          Se0/0/2    point2point

    MPLS/VPN Packet Forwarding

    [Figure: a packet for 149.27.2.27 enters PE-1 at Paris and leaves toward London (149.27.2.0/24) as [41][28][IP to 149.27.2.27].]

    PE-1 label binding: In Label -, FEC 197.26.15.1/32, Out Label 41
    VPN-A VRF: 149.27.2.0/24, NH=197.26.15.1, Label=(28)

    Ingress PE receives normal IP packets

    PE router performs an IP longest match in the VPN FIB, finds the iBGP next-hop and imposes a stack of labels

    [Figure: the packet [41][28][IP to 149.27.2.27] reaches the penultimate hop (In Label 41, FEC 197.26.15.1/32, Out Label POP) and leaves it as [28][IP to 149.27.2.27]; at the egress PE it matches In Label 28(V), FEC 149.27.2.0/24, Out Label -, in the VPN-A VRF (149.27.2.0/24, NH=Paris) and leaves as a plain IP packet to 149.27.2.27.]

    The penultimate hop router removes the IGP label

    Penultimate Hop Popping procedures (implicit-null label)

    Egress PE router uses the VPN label to select which VPN/CE to forward the packet to

    VPN label is removed and the packet is routed toward the VPN site
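An added example (Python, not from the deck) that replays the forwarding path on the last five slides: the ingress PE looks the destination up in the VRF FIB and imposes [IGP label 41, VPN label 28], the penultimate hop pops label 41 because the egress advertised implicit-null, and the egress PE uses label 28 to pick VRF VPN-A. Label values, 149.27.2.0/24 and 197.26.15.1 are the deck's; node names follow the figures, while the table representation and the CE-facing interface name are constructed. The second check in the usage note shows the failure mode if a core router does not pop: the egress has no LFIB entry for 41 and drops the packet, because no router looks past the top label.

```python
"""Added example, not from the original deck: one packet through the two-label
MPLS/VPN forwarding path (ingress PE-1 Paris, penultimate hop Brussels,
egress PE-2 London at 197.26.15.1). Labels 41 and 28, 197.26.15.1 and
149.27.2.0/24 are the deck's; the table layout and CE interface name are made up.
"""
from ipaddress import ip_address, ip_network


class Node:
    def __init__(self, name):
        self.name = name
        # LFIB keyed by incoming top label:
        #   ("swap", out_label, next_hop) | ("pop", next_hop) | ("vrf", vrf_name)
        self.lfib = {}
        # Per-VRF FIB on PEs: prefix -> ("remote", igp_label, vpn_label, next_hop)
        #                               | ("local", ce_interface)
        self.vrf_fib = {}

    def lookup_vrf(self, vrf, dst):
        """Longest-prefix match inside one VRF table."""
        fib = self.vrf_fib[vrf]
        matches = [p for p in fib if ip_address(dst) in ip_network(p)]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst} in VRF {vrf}")
        return fib[max(matches, key=lambda p: ip_network(p).prefixlen)]

    def process(self, labels, dst, vrf=None):
        """Forward one packet; return (next_hop, label stack leaving this node)."""
        if labels:                                   # only the top label is examined
            action = self.lfib.get(labels[0])
            if action is None:
                raise LookupError(f"{self.name}: no LFIB entry for label {labels[0]}, dropped")
            if action[0] == "swap":
                return action[2], [action[1]] + labels[1:]
            if action[0] == "pop":                    # penultimate hop popping (implicit-null)
                return action[1], labels[1:]
            vrf, labels = action[1], labels[1:]      # VPN label selects the VRF, then IP lookup
        entry = self.lookup_vrf(vrf, dst)
        if entry[0] == "local":
            return entry[1], labels                  # plain IP towards the CE
        _, igp_label, vpn_label, next_hop = entry
        return next_hop, [igp_label, vpn_label]      # ingress: impose the stack, IGP label on top


def build_topology():
    paris, brussels, london = Node("Paris"), Node("Brussels"), Node("London")
    # PE-1: VRF route from MP-BGP (NH 197.26.15.1, VPN label 28); LDP gave label 41 for the NH.
    paris.vrf_fib["VPN-A"] = {"149.27.2.0/24": ("remote", 41, 28, "Brussels")}
    # P: London advertised implicit-null for 197.26.15.1/32, so 41 is popped, not swapped.
    brussels.lfib[41] = ("pop", "London")
    # PE-2: label 28 was allocated for VRF VPN-A; the prefix sits behind a CE link.
    london.lfib[28] = ("vrf", "VPN-A")
    london.vrf_fib["VPN-A"] = {"149.27.2.0/24": ("local", "Serial1/0 to CE")}
    return {n.name: n for n in (paris, brussels, london)}


def trace(nodes, ingress, vrf, dst):
    """Return [(node, labels after the node, next hop), ...] until the packet leaves the domain."""
    hops, node, labels = [], nodes[ingress], []
    while True:
        next_hop, labels = node.process(labels, dst, vrf)
        hops.append((node.name, list(labels), next_hop))
        if next_hop not in nodes:
            return hops
        node, vrf = nodes[next_hop], None


if __name__ == "__main__":
    for hop in trace(build_topology(), "Paris", "VPN-A", "149.27.2.27"):
        print(hop)
```

Running the trace gives Paris -> [41, 28], Brussels -> [28], London -> [] out of the CE interface. Calling `nodes["London"].process([41, 28], "149.27.2.27")` directly raises LookupError: an egress that advertised implicit-null has no entry for its own IGP label, which is why PHP is mandatory on the hop before it.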

    MPLS/VPN Configuration and Implementation

    MPLS Configuration

    VRF: sites requiring the same routing policies share the same VRF

    IP routing table

    CEF forwarding

    Route distinguisher

    Route target (export, import)

    VRF configuration

    Step 1. Create the VRF

    Step 2. Assign an RD

    Step 3. RT export

    Step 4. RT import

    Step 5. Assign an interface to the VRF

    Step 1. Creating a VRF

    ip vrf name

    Example: ip vrf bootcamp, where bootcamp is just a name, like a route-map name

    Step 2. Every VRF needs an associated RD

    rd route-distinguisher

    Could be AS:X or IP-address:X

    Example: rd 109:12345

    Step 3. Define a route target that will be exported with every route that is sent from the VRF

    Multiple route targets can be attached to a VRF

    route-target export RT

    Example: route-target export 109:1234

    Step 4. Define a route target that will be accepted by the router to be imported into the VRF

    route-target import RT

    Example: route-target import 109:1345

    Step 5. Associate an interface with the VRF; this removes the interface from the global routing process

    The existing IP address is removed once the interface is assigned to a VRF; you will have to re-configure the IP address

    VRF configuration example

    ip vrf GREEN
     rd 109:145
     route-target export 109:145
     route-target import 109:145
    !
    interface serial 1/0/1
     ip vrf forwarding GREEN
     ip address 10.1.1.5 255.255.255.252
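An added example (Python, not from the deck) that checks the five VRF steps above against an IOS-style configuration text. The sample configuration is constructed: VRF GREEN is the slide's, and a second VRF and two further interfaces are added with deliberate omissions (no rd, no import RT, an interface placed in a VRF without its IP address re-added, and an interface pointing at a VRF that was never created). The parser understands only the commands the slides use.

```python
"""Added example, not from the original deck: audit VRF definitions and interface
assignments in an IOS-style config against the five VRF configuration steps.
Only ip vrf / rd / route-target / interface / ip vrf forwarding / ip address
are parsed. SAMPLE_CONFIG is constructed; GREEN is the slide's VRF.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
ip vrf GREEN
 rd 109:145
 route-target export 109:145
 route-target import 109:145
!
ip vrf BLUE
 route-target export 109:146
!
interface Serial1/0/1
 ip vrf forwarding GREEN
 ip address 10.1.1.5 255.255.255.252
!
interface Serial1/0/2
 ip vrf forwarding BLUE
!
interface Serial1/0/3
 ip vrf forwarding RED
 ip address 10.1.1.13 255.255.255.252
"""

# RD syntax accepted by step 2: 2-byte AS number or IPv4 address, then ":" and a number.
RD_RE = re.compile(r"^(\d{1,5}|\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def parse(config: str):
    """Return (vrfs, interfaces) dictionaries built from the config blocks."""
    vrfs, ifaces, block, name = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        parts = line.split()
        top_level = not raw.startswith(" ")
        if top_level and parts[:2] == ["ip", "vrf"] and len(parts) >= 3:
            block, name = "vrf", parts[2]
            vrfs[name] = {"rd": None, "export": set(), "import": set()}
        elif top_level and parts[0] == "interface":
            block, name = "iface", parts[1]
            ifaces[name] = {"vrf": None, "ip": None}
        elif block == "vrf" and parts[0] == "rd":
            vrfs[name]["rd"] = parts[1]
        elif block == "vrf" and parts[0] == "route-target":
            dirs = ("export", "import") if parts[1] == "both" else (parts[1],)
            for direction in dirs:
                vrfs[name][direction].add(parts[2])
        elif block == "iface" and parts[:3] == ["ip", "vrf", "forwarding"]:
            ifaces[name]["vrf"] = parts[3]
        elif block == "iface" and parts[:2] == ["ip", "address"]:
            ifaces[name]["ip"] = (parts[2], parts[3])
    return vrfs, ifaces


def audit(config: str) -> list:
    """Return a sorted list of findings; an empty list means every step is complete."""
    vrfs, ifaces = parse(config)
    findings, by_rd = [], defaultdict(list)
    for name, v in vrfs.items():
        if v["rd"] is None:
            findings.append(f"{name}: no rd configured (step 2)")
        elif not RD_RE.match(v["rd"]):
            findings.append(f"{name}: rd {v['rd']} is not AS:nn or A.B.C.D:nn")
        else:
            by_rd[v["rd"]].append(name)
        if not v["export"]:
            findings.append(f"{name}: no route-target export (step 3)")
        if not v["import"]:
            findings.append(f"{name}: no route-target import (step 4)")
    for rd, names in by_rd.items():          # an RD must be unique per VRF on one PE
        if len(names) > 1:
            findings.append(f"rd {rd} shared by {', '.join(sorted(names))}")
    for name, i in ifaces.items():
        if i["vrf"] is None:
            continue                          # global-table interface, nothing to check
        if i["vrf"] not in vrfs:
            findings.append(f"{name}: vrf {i['vrf']} is not defined")
        if i["ip"] is None:                   # step 5 strips the address when the VRF is set
            findings.append(f"{name}: in vrf {i['vrf']} but no ip address (step 5 removes it)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the audit reports BLUE without an rd and without an import RT, Serial1/0/2 sitting in BLUE with no address, and Serial1/0/3 referencing the undefined VRF RED; GREEN passes. The same parse output is a convenient place to add site-specific policy checks, such as which RTs a given PE may import.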

    MP-BGP configuration

    The BGP process is extended to perform three functions; the tasks are configured in the same BGP process through address families:

    1. Maintain and exchange global routing information (IPv4 routing)

    2. VPNv4 routing

    3. VRF routing exchange with the CE

    Global neighbors are configured under the global BGP process (all P and PE neighbors)

    These neighbors need to be activated under the appropriate address family according to requirements

    VRF-specific neighbors are defined under the corresponding VRFs

    Step 1. Configure neighbors and their parameters under the global process

    Step 2. Configure address family VPNv4

    Step 3. Activate neighbors to carry VPNv4 routes

    Step 4. Activate the VPNv4-specific parameters under the address family (filters, etc.)

    Step 1. Configure the BGP process

    router bgp 110
     neighbor 131.108.1.1 remote-as 110
     neighbor 131.108.1.1 update-source loopback 0

    Step 2. Configure the address family and activate the neighbor under it for VPNv4 routes. The neighbor is the one defined earlier under the main BGP process.

     address-family vpnv4
      neighbor 131.108.1.1 activate
      neighbor 131.108.1.1 next-hop-self

    Let's talk a little about the IPv4 address family

    Address-family IPv4 is the same as your regular BGP process

    Configurations done under this family will be added to the global BGP configuration


    MPLS Configuration

    no bgp default ipv4-unicast

    Disables the default behavior of IPv4 route propagation to every neighbor

    Activate only the neighbors that need to get IPv4 routes

    Isolates VPNv4 and IPv4 routes so that some neighbors get both and some receive VPNv4 only


    MPLS Configuration

    Example: 3 neighbors: two of them need IPv4 routes, one does not

    Requirements

    Neighbor 131.108.1.1 (IPv4, VPNv4)

    Neighbor 131.108.1.2 (IPv4 only)

    Neighbor 131.108.1.3 (VPNv4 only)


    MPLS Configuration

    router bgp 110

    no bgp default ipv4-unicast

    neighbor 131.108.1.1 remote-as 110

    neighbor 131.108.1.2 remote-as 110

    neighbor 131.108.1.3 remote-as 110

    neighbor 131.108.1.1 activate

    neighbor 131.108.1.2 activate

    address-family vpnv4

    neighbor 131.108.1.1 activate

    neighbor 131.108.1.3 activate


    MPLS Configuration

    Configuring PE-CE Routing

    BGP between PE-CE

    RIP between PE-CE

    OSPF between PE-CE

    Static routes


    MPLS Configuration

    BGP/RIP require a single routing process

    Distance/path vector: no database separation needed; done through address families

    OSPF requires a separate routing process for each VRF to maintain a separate database


    MPLS Configuration

    All non-BGP VRF routes have to be redistributed into BGP

    No synchronization is the default

    No auto-summary is the default


    MPLS Configuration

    BGP

    Define the neighbor under the address-family ipv4 vrf and not under the global BGP process

    router bgp 110

    !

    address-family ipv4 vrf Green

    neighbor 10.1.1.1 remote-as 115

    neighbor 10.1.1.1 activate


    MPLS Configuration

    RIP

    Single routing process

    RIP parameters in each VRF

    router rip

    version 2

    address-family ipv4 vrf BLUE

    network 10.0.0.0

    redistribute bgp 110 metric transparent


    MPLS OSPF

    IGP-BGP redistribution is done by MPLS

    Not a very good thing for OSPF

    Routes redistributed into OSPF are external

    Single LSA for every external route


    MPLS OSPF

    If all the routes are carried as external:

    Route summarization would be a problem

    Stub areas would be hard to implement


    MPLS OSPF

    MPLS VPNs needed to be extended to carry OSPF information

    This creates the concept of a super backbone

    The super backbone is created with MP-BGP between the PE routers

    This super backbone is between the PE routers; it is transparent to OSPF


    MPLS OSPF

    [Figure: MPLS BGP backbone between the PE routers connecting VPN-A and VPN-B CE sites in Paris and London; OSPF Area 0, Area 1 and Area 2 are shown at the customer sites]


    MPLS OSPF

    OSPF between sites does not use normal OSPF-BGP redistribution

    Internal OSPF routes are kept internal to OSPF

    External routes are kept external

    OSPF metrics are preserved

    MPLS OSPF backbone is transparent to CE OSPF that runs standard software


    MPLS OSPF

    PE routers act as ABRs

    In the case of no stub area, PE routers also act as ASBRs

    From the CE routers' perspective, the PE sends an inter-area route into the connected area


    MPLS OSPF

    Intra-area OSPF routes are redistributed into BGP by the PE router

    Route summarization can be done at the redistribution point by the PE router


    MPLS OSPF

    Super backbone acts just like area 0 in regular OSPF

    Redistributed routes at the PE routers appear as inter-area routes

    Routes from one area 0 site into another area 0 site appear as inter-area routes

    Redistributed intra- and inter-area routes appear as inter-area routes; external routes still appear as external


    MPLS OSPF

    For MP-BGP, an extended community of 0x8000 is used

    OSPF cost is copied as MED for BGP

    LSA type and metric are carried across


    MPLS OSPF

    OSPF-BGP loop avoidance

    [Figure: MPLS BGP backbone with PE1, PE2 and PE3; VPN-A and VPN-B sites (Paris, Area 0) attached via CE routers; an OSPF route learned at PE1 is redistributed into BGP]


    MPLS OSPF

    PE1 learns the route via OSPF intra-area

    PE1 advertises the route to PE2 and PE3 via MP-BGP

    One of the PE routers redistributes it first (sort of a race condition)

    PE2 sends the route to PE3 via an OSPF summary LSA


    MPLS OSPF

    PE3 removes the iBGP route for the destination and installs the OSPF summary route, due to its lower administrative distance

    You can solve the problem by lowering the administrative distance of iBGP below that of OSPF, but that is not a clean solution


    MPLS OSPF

    To solve this problem a Down bit has been added to the options field of the LSA header, like IS-IS TLV 135

    The PE router sets the Down bit when redistributing routes from MP-BGP into OSPF

    A PE router will never redistribute an OSPF route with the Down bit set back into BGP


    MPLS OSPF

    Double redistribution loop is still possible

    When the CE does redistribution between domains, the Down bit is lost

    For this purpose, the tag field is used, as done by standard BGP-OSPF redistribution

    PE routers never redistribute OSPF routes with the tag field equal to their own AS number into MP-BGP
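    The PE1/PE2/PE3 race from the previous slides and the two guards described here (Down bit, then AS-number tag), as an added Python model that is not part of the original deck. It tracks only what each PE installs by administrative distance and what it is willing to redistribute; the prefix, the AS number reuse (110, from these slides) and the CE relay step are constructed.

```python
from dataclasses import dataclass

AD_OSPF, AD_IBGP = 110, 200   # IOS administrative distances: OSPF beats iBGP
PE_AS = 110                   # provider AS number used on these slides

@dataclass
class Route:
    prefix: str
    proto: str            # "ospf" or "bgp"
    down: bool = False    # OSPF Down bit, set by a PE on MP-BGP -> OSPF redistribution
    tag: int = 0          # OSPF route tag, set to the AS number on redistribution

def ad(r):
    return AD_OSPF if r.proto == "ospf" else AD_IBGP

class PE:
    def __init__(self):
        self.rib = {}     # prefix -> best Route by administrative distance

    def install(self, r):
        cur = self.rib.get(r.prefix)
        if cur is None or ad(r) < ad(cur):
            self.rib[r.prefix] = r

    def to_bgp(self, prefix, check_down=False, check_tag=False):
        """OSPF -> MP-BGP redistribution; None means the PE refuses to redistribute."""
        r = self.rib.get(prefix)
        if r is None or r.proto != "ospf":
            return None
        if (check_down and r.down) or (check_tag and r.tag == PE_AS):
            return None
        return Route(prefix, "bgp")

    def to_ospf(self, prefix, set_down):
        """MP-BGP -> OSPF redistribution (the summary LSA flooded into the VRF's area)."""
        r = self.rib.get(prefix)
        if r is None or r.proto != "bgp":
            return None
        return Route(prefix, "ospf", down=set_down, tag=PE_AS)

def race(check_down, check_tag=False, ce_relay=False):
    """Returns (protocol PE3 installs, whether PE3 would loop the route back into MP-BGP)."""
    p = "10.1.0.0/16"                      # constructed customer prefix
    pe1, pe2, pe3 = PE(), PE(), PE()
    pe1.install(Route(p, "ospf"))          # PE1 learns the route via OSPF intra-area
    for pe in (pe2, pe3):
        pe.install(pe1.to_bgp(p))          # PE1 advertises it to PE2 and PE3 via MP-BGP
    lsa = pe2.to_ospf(p, set_down=check_down)   # PE2 wins the race, floods a summary LSA
    if ce_relay:   # CE redistributes between OSPF domains: Down bit lost, tag survives
        lsa = Route(p, "ospf", down=False, tag=lsa.tag)
    pe3.install(lsa)                       # AD 110 < 200: OSPF summary replaces iBGP at PE3
    return pe3.rib[p].proto, pe3.to_bgp(p, check_down, check_tag) is not None
```

    Lowering the iBGP distance is absent on purpose: PE3 still prefers the OSPF summary in every case, and only the Down-bit and tag checks stop it from feeding the route back into the backbone.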


    MPLS Configuration

    OSPF

    Configuration is still simple

    router ospf 110 vrf RED

    network 10.1.0.0 0.0.255.255 area 0

    redistribute bgp 110


    MPLS IS-IS

    VPN backbone is treated as a level above L2

    All L1/L2 routes will be redistributed into BGP at the PE router

    New extended community in BGP: 0x0006


    MPLS IS-IS

    Same as the route leaking concept: don't send IS-IS routes back into BGP if the Up/Down bit is set

    Don't send the route if the route in the table is not learned via IS-IS


    MPLS IS-IS

    At the receiving site, redistribute the route into IS-IS with the Up/Down bit set

    Same concept as separation of LSDBs: one DB can belong to one VPN


    MPLS IS-IS

    Configuration is similar to OSPF

    router isis tag1 vrf vpn-blue

    net 49.0001.1201.0003.0001.00

    redistribute bgp 65000 metric transparent level-1-2


    MPLS Configuration

    Static

    Used to configure VRF-specific routes

    Always need to specify the interface, even though you have the next hop

    ip route vrf YELLOW 10.1.0.0 255.255.0.0 10.1.1.5 serial 2/0