© 2003 Cisco Systems, Inc. All rights reserved.
Half Duplex VRFs, 12/03
HALF DUPLEX VRFs: A SCALABLE HUB & SPOKE IMPLEMENTATION
DECEMBER 2003
HALF DUPLEX VRFs (HDV)
Why Half Duplex VRFs? Problem
• Without HDV, the only way to implement a hub-and-spoke topology is to put every spoke into its own unique VRF
  This ensures that spokes do not communicate directly
• A single-VRF model without HDV cannot force spoke-to-spoke traffic through the upstream ISP hub: two spokes in the same VRF on the same PE are switched locally
Why Half Duplex VRFs? Solution
• HDV allows the wholesale Service Provider to offer true hub-and-spoke connectivity to subscribers, who can be connected to the:
  Same or different PE router(s)
  Same or different VRFs, via the upstream ISP
Technical Justification
• Problem
  Without HDV, the PE needs a separate VRF table per spoke in order to push spoke traffic via the hub
  If the spokes are in the same VRF (no HDV), traffic between them is switched locally and does not go via the hub site
• Solution
  HDV allows all spoke-site routes to be held in one VRF
• Benefit
  Scalability for RA (remote access) to MPLS connections
  Reduces memory requirements by using just two VRF tables
  Simplifies provisioning, management, and troubleshooting by reducing the amount of Route Target and Route Distinguisher configuration
Hub & Spoke Connectivity Without HDV Requires Dedicated VRF Tables Per Spoke
[Figure: Spoke Site PE with VPN ports A and B in separate "Spoke A VRF" and "Spoke B VRF" tables, across the MPLS core to the Hub Site PE, CE and ISP hub]
• All the spokes are in the same VPN (yellow)
• A dedicated (separate) VRF per spoke is needed to push all traffic through the upstream ISP hub
Hub & Spoke Connectivity Without HDV Using A Single VRF
[Figure: Spoke Site PE with VPN ports A and B and a service loopback in a single VRF table, across the MPLS core to the Hub Site PE, CE and ISP hub; traffic between A and B is switched locally at the PE]
• If two subscribers of the same service terminate on the same PE router, traffic between them can be switched locally at the PE router (as shown), which is undesirable
• All inter-subscriber traffic needs to follow the default route via the Home Gateway (located at the upstream ISP)
Terminology
• Upstream VRF
  Used to forward packets from the spokes to the hub
  Contains a default route toward the hub (static, or imported from the hub PE as in the case study)
• Downstream VRF
  Used to forward packets from the hub to the spokes
  Contains a /32 route to each subscriber (installed from PPP)
Hub & Spoke Connectivity With HDV Using A Single VRF
[Figure: Spoke Site PE with VPN ports A and B in a single VRF table, across the MPLS core to the Hub Site PE, CE and ISP hub; traffic between A and B goes via the hub]
• If two subscribers of the same service terminate on the same PE router, traffic between them is not switched locally
• All inter-subscriber traffic follows the default route via the Home Gateway (located at the upstream ISP)
Half Duplex VRF Functionality
1. Each VRF of an HDV pair is used in only one direction by incoming traffic
   e.g. upstream toward the MPLS VPN backbone, or downstream toward the attached subscriber
2. The PPP client dials in and is authenticated, authorized, and assigned an IP address
3. The peer route is installed in the downstream VRF table
   One single downstream VRF serves all spokes in the single VRF
4. To forward traffic among spokes (users), the upstream VRF is consulted at the spoke PE and the traffic is forwarded to the hub PE and on to the hub CE
   Return path: the hub PE sends the traffic to the appropriate spoke PE, and the downstream VRF (which holds the subscriber /32 routes) delivers it to the spoke (user)
5. The source-address lookup occurs in the downstream VRF if the unicast RPF check is configured on the interface on which HDV is enabled
Subscriber Connection Process
[Figure: PPP user Subscriber-A, PE-WholesaleProvider-LAC, Wholesale Service Provider AAA server, MPLS core, PE-ISP, ISP-A AAA server]
1. The PPP user initiates a PPP session using the name Subscriber-A@ISP-A and a password
2. The LAC/PE router sends the username information to the Wholesale Service Provider RADIUS server
3. ISP-A (the service name) is used to index into a profile that contains the IP address of ISP-A's RADIUS server
4. Subscriber-A@ISP-A and the password are then forwarded from the Wholesale Provider RADIUS server (which acts as a "proxy RADIUS") to the ISP RADIUS server
5. The ISP-A RADIUS server authenticates the user and assigns an IP address
6. The ISP-A RADIUS server sends an "Access-Accept" to the Wholesale Service Provider RADIUS server
7. The Wholesale Service Provider RADIUS server adds authorization information to the Access-Accept (based on the domain or service name), including the VRF to be used by Subscriber-A, and forwards it to the PE-WholesaleProvider-LAC router
8. The PE-WholesaleProvider-LAC router creates a temporary Virtual-Access interface (with the associated /32 IP address) and places it into the appropriate VRF
Configuration Command
!
interface <name>
 ip vrf forwarding <vrf-name1> [downstream <vrf-name2>]
!
vrf-name1: The first VRF that the interface is associated with (the upstream VRF).
vrf-name2: The downstream VRF. The PPP peer route and the per-user routes from the AAA server are installed in this VRF.
Sample Configuration
!
ip vrf Internet-ISPA-upstream
 rd 10:26
 route-target import 10:26
!
ip vrf Internet-ISPA-downstream
 rd 10:27
 route-target export 10:27
!
• The upstream VRF only requires a route-target import statement
  Imports the default route from the hub PE router (at the Wholesale Provider)
• The downstream VRF only requires a route-target export command
  Used to export all of the /32 (virtual-access interface) addresses toward the hub PE router
• Each VRF is created on the spoke PE router (LAC) before PPPoA or PPPoE client connections are established
Reverse Path Forwarding Check
• Reverse Path Forwarding (RPF)
  Used by the Service Provider to check the source IP address of an incoming IP packet and ascertain whether it entered the router via the correct inbound interface
• Concern
  HDV installs the subscriber routes in a different VRF (the downstream VRF) than the one used for upstream forwarding; the upstream VRF holds only the default route, so an RPF lookup there would never resolve a subscriber source to its inbound interface
• Solution
  Extend the RPF mechanism so that the downstream VRF is checked
• To enable the RPF extension, configure:
  ip verify unicast reverse-path <downstream vrf-name>
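The two lookups described under "Half Duplex VRF Functionality" and the RPF extension above, as an added example that is not part of the original Cisco deck: a small Python model of the case-study spoke PE (VRFs U and D, Virtual-Access3/4 with PPP peers 2.8.1.1 and 2.8.1.2, the per-user routes 2.0.0.2 and 2.0.0.5, and the BGP default from the hub). It compares an HDV binding with a plain single-VRF binding for spoke-to-spoke traffic on the same PE, and shows why the RPF check has to run against the downstream VRF. The next-hop label "hub-pe:100.0.0.20" and the "drop:urpf" result are assumptions of this model that stand in for the MPLS-labeled path toward the hub PE and for the uRPF drop counter.

```python
"""Model of Half Duplex VRF (HDV) forwarding on a spoke PE.

Added illustration, not Cisco code. Tables and addresses follow the case
study; next-hop labels such as "hub-pe:100.0.0.20" are assumptions that
stand in for the MPLS-labeled path toward the hub PE.
"""
import ipaddress


class Vrf:
    """Minimal VRF: a routing table with longest-prefix-match lookup."""

    def __init__(self, name):
        self.name = name
        self._routes = []  # (IPv4Network, next_hop) pairs

    def add_route(self, prefix, next_hop):
        self._routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net, next_hop in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

    def resolve(self, address, _depth=0):
        """Recursive lookup: a per-user route (ip:route from AAA) points at the
        PPP peer address, which resolves to the connected /32 on the
        virtual-access interface. Interface names and labels end recursion."""
        next_hop = self.lookup(address)
        if next_hop is None or _depth > 4:
            return next_hop
        try:
            ipaddress.ip_address(next_hop)
        except ValueError:
            return next_hop
        return self.resolve(next_hop, _depth + 1)


def rpf_passes(vrf, ingress, src):
    """Unicast RPF: the packet's source must resolve, in the given VRF, to the
    interface the packet arrived on."""
    return vrf.resolve(src) == ingress


class SpokePe:
    """Spoke PE. Each subscriber interface is bound to an (upstream, downstream)
    VRF pair; a plain (non-HDV) binding uses one table for both roles."""

    def __init__(self):
        self.bindings = {}

    def bind(self, ifname, upstream, downstream=None):
        self.bindings[ifname] = (upstream, downstream or upstream)

    def forward_from_spoke(self, ingress, src, dst, urpf=True):
        """Packet received from a subscriber: RPF against the downstream VRF
        (where the subscriber /32s live), then forward via the upstream VRF."""
        upstream, downstream = self.bindings[ingress]
        if urpf and not rpf_passes(downstream, ingress, src):
            return "drop:urpf"
        return upstream.resolve(dst)


def forward_from_core(downstream, dst):
    """Return path: traffic from the hub PE arrives with the label of VRF D,
    so the downstream VRF selects the subscriber's virtual-access interface."""
    return downstream.resolve(dst)


def add_subscriber_routes(vrf):
    """What PPP and AAA install for the two case-study subscribers."""
    vrf.add_route("2.8.1.1/32", "Virtual-Access3")  # C: PPP peer on Vi3
    vrf.add_route("2.8.1.2/32", "Virtual-Access4")  # C: PPP peer on Vi4
    vrf.add_route("2.0.0.2/32", "2.8.1.1")          # U: per-user ip:route
    vrf.add_route("2.0.0.5/32", "2.8.1.2")          # U: per-user ip:route


def build_hdv_pe():
    """SpokeSitePE as configured in the case study: U upstream, D downstream."""
    d = Vrf("D")
    add_subscriber_routes(d)
    u = Vrf("U")
    u.add_route("2.0.0.8/32", "Loopback2")          # C: service loopback
    u.add_route("0.0.0.0/0", "hub-pe:100.0.0.20")   # B*: default from hub PE
    pe = SpokePe()
    pe.bind("Virtual-Access3", u, d)
    pe.bind("Virtual-Access4", u, d)
    return pe, u, d


def build_single_vrf_pe():
    """The non-HDV alternative: one VRF holding both the /32s and the default."""
    s = Vrf("S")
    add_subscriber_routes(s)
    s.add_route("0.0.0.0/0", "hub-pe:100.0.0.20")
    pe = SpokePe()
    pe.bind("Virtual-Access3", s)
    pe.bind("Virtual-Access4", s)
    return pe, s


if __name__ == "__main__":
    hdv, u, d = build_hdv_pe()
    single, _ = build_single_vrf_pe()
    # Subscriber on Vi3 (2.8.1.1) sends to the per-user route 2.0.0.5 behind Vi4.
    print("HDV    spoke->spoke :", hdv.forward_from_spoke("Virtual-Access3", "2.8.1.1", "2.0.0.5"))
    print("single spoke->spoke :", single.forward_from_spoke("Virtual-Access3", "2.8.1.1", "2.0.0.5"))
    print("HDV    return path  :", forward_from_core(d, "2.0.0.5"))
    print("HDV    spoofed src  :", hdv.forward_from_spoke("Virtual-Access3", "2.8.1.2", "2.0.0.5"))
    print("RPF in upstream VRF :", rpf_passes(u, "Virtual-Access3", "2.8.1.1"))
```

With HDV the spoke-to-spoke packet resolves to the default route and leaves toward the hub PE even though the destination /32 is on the same box; with the single VRF it is switched straight to Virtual-Access4. A packet on Virtual-Access3 that spoofs the other subscriber's peer address resolves to Virtual-Access4 in the downstream VRF and is dropped, which is the check the "ip verify: ... downstream VRF D" line in the show cef interface output reports; had the lookup been done in the upstream VRF, every subscriber source would resolve to the default route and fail.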
HDV Supported Features
• IP unnumbered on any point-to-point interface, including virtual-access/virtual-template interfaces
• Spokes connected to the spoke PE or to the hub PE
• Subscribers using a single ISP or multiple ISPs
• Reverse Path Forwarding check
HDV Support: Cisco IOS Software Images
• HDV-1: base image Release 12.2(14.6)T1
  No unicast RPF support
• HDV-2: base image Release 12.2(15)T
  Unicast RPF support added
• HDV-3: base image Release 12.2(15)T2
  Handles the case where the downstream VRF is deleted
  Added support for distributed hardware; unicast RPF HDV information is propagated to the line cards
  Show commands:
    show ip vrf detail
    show ip interface
    show ip cef interface internal
• HDV-4: same as HDV-3; based on Release 12.3(3)
Restrictions
• Software
  Only supports virtual-access/virtual-template interfaces
  – Must be configured with IP unnumbered
  – "ip address ..." is not allowed on HDV interfaces
  PE-CE link: supports only static routing
• Hardware
  Release 12.3: the feature is available only on the Cisco 6400 Series (NRP and NRP2 router blades)
Show Commands
• These commands highlight the upstream/downstream VRFs bound to particular interfaces and give detailed information about the VRFs
PE-router# sh ip int vi 3
Virtual-Access3 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback2 (2.0.0.8)
  VPN Routing/Forwarding "U"
  Downstream VPN Routing/Forwarding "D"
  IP multicast fast switching is disabled
Partial output highlighting only HDV-related information
Show Commands (Cont.)
PE-router# sh ip vrf detail D
VRF D; default RD 1:8; default VPNID <not set>
  Description: Downstream VRF - to spokes
  No interfaces
  Interfaces using this VRF as downstream:
    Virtual-Access3
    Virtual-Access4
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:1:100
  No Import VPN route-target communities
  No import route-map
  No export route-map

PE-router# sh cef interface vi 3 int
Virtual-Access3 is up (if_number 35)
  Subblocks:
    ip verify: via=rx, acl=0, drop=0, sdrop=0, downstream VRF D
CASE STUDY
Case Study
• Scenario
  The Wholesale Service Provider and the ISPs offer services to subscribers in partnership
  Subscribers connect to the Wholesale Service Provider network, which directs them to the appropriate ISP based on the subscribed service
• Network topology and specification
  Multiple spoke sites are connected to the same PE router in a hub/spoke topology over PPPoE
  The hub PE is a separate PE router
  This topology serves PPP clients, who are authenticated and authorized by a RADIUS server via the LNS (SpokeSitePE)
Topology
[Figure: Subscriber1 and Subscriber2 behind SpokeSiteCE1 (LAC1) and SpokeSiteCE2 (LAC2), both connected to SpokeSitePE (LNS1); SpokeSitePE and HubSitePE across the MPLS core; ISP1_Hub_CE behind HubSitePE; AAA RADIUS server]
Topology (Cont.)
[Figure: same topology as the previous slide, annotated with the VRF definitions below]
SpokeSitePE (LNS1):
ip vrf D
 rd 1:8
 route-target export 1:100
!
ip vrf U
 rd 1:0
 route-target import 1:0
HubSitePE:
ip vrf HUB
 rd 1:20
 route-target export 1:0
 route-target import 1:100
Configuration Steps To Enable HDV
• HubSitePE
  Regular VRF and VPNv4 configuration associated with the HUB VRF
• SpokeSitePE (LNS)
  Create the upstream and downstream VRFs
  Configure VPDN and AAA as usual
  Configure VPNv4 and the VRFs as in a basic MPLS VPN, including the address-families for the upstream and downstream VRFs
• SpokeSiteCE (LAC)
  Create the upstream and downstream VRFs
  Configure VPDN and AAA as usual
  Bind the VRFs to the appropriate interfaces (Virtual-Template, Loopback)
• RADIUS server
  Configure the user profiles on the RADIUS server
Radius Server Configuration
DEFAULT Service-Type == Framed-User
        Framed-Protocol = PPP,
        cisco-avpair += "lcp:interface-config=ip vrf forwarding U downstream D",
        cisco-avpair += "lcp:interface-config=ip unnumbered loopback 2",
        cisco-avpair += "ip:addr-pool=U-pool",
        Fall-Through = Yes

subscriber1 Auth-Type := Local, User-Password == "subscriber1"
        cisco-avpair += "ip:route=2.0.0.5 255.255.255.255"

subscriber2 Auth-Type := Local, User-Password == "subscriber2"
        cisco-avpair += "ip:route=2.0.0.2 255.255.255.255"

Spokes inherit the DEFAULT configuration: the lcp:interface-config attributes apply the HDV binding to each Virtual-Access interface, and the per-user ip:route attribute is what installs the subscriber's /32 (flagged U in the downstream routing table) into VRF D
Configuration: HubSitePE
!
router bgp 1
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 100.0.0.34 remote-as 1
neighbor 100.0.0.34 update-source Loopback0
no auto-summary
!
address-family ipv4 multicast
no auto-summary
exit-address-family
!
address-family vpnv4
neighbor 100.0.0.34 activate
neighbor 100.0.0.34 send-community extended
no auto-summary
exit-address-family
!
address-family ipv4
no auto-summary
no synchronization
exit-address-family
!
!
address-family ipv4 vrf HUB
neighbor 1.20.1.2 remote-as 100
neighbor 1.20.1.2 activate
no auto-summary
no synchronization
exit-address-family
!
ip vrf HUB
rd 1:20
route-target export 1:0
route-target import 1:100
!
Configuration: SpokeSitePE (LNS)
hostname SpokeSitePE
aaa new-model
!
aaa group server radius R
 server 22.0.20.26 auth-port 1812 acct-port 1813
!
aaa authentication ppp default group radius
aaa authorization network default group radius
!
ip vrf D
 description Downstream VRF - to spokes
 rd 1:8
 route-target export 1:100
!
ip vrf U
 description Upstream VRF - to hub
 rd 1:0
 route-target import 1:0
!
ip cef
vpdn enable
!
vpdn-group U
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface Loopback2
 ip vrf forwarding U
 ip address 2.0.0.8 255.255.255.255
!
interface ATM2/0
 description Mze ATM3/1/2
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 3/100
  protocol pppoe
 !
 pvc 3/101
  protocol pppoe
 !
!
interface Virtual-Template1
 no ip address
 ppp authentication chap
!
router bgp 1
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 100.0.0.34 remote-as 1
 neighbor 100.0.0.34 update-source Loopback0
 no auto-summary
Configuration: SpokeSitePE (LNS) (Cont.)
 !
 address-family ipv4 multicast
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 100.0.0.34 activate
  neighbor 100.0.0.34 send-community extended
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf U
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf D
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
!
ip local pool U-pool 2.8.1.1 2.8.1.100
!
radius-server host 22.0.20.26 auth-port 1812 acct-port 1813
radius-server key cisco

Note that the Virtual-Template carries no VRF binding here: it is applied per session from the RADIUS lcp:interface-config attributes. The redistribute static under address-family ipv4 vrf D is what carries the per-user /32 routes into VPNv4 BGP, tagged with RT 1:100, so that the HUB VRF on HubSitePE learns them
Show Log: SpokeSitePE (LNS)
SpokeSitePE#sh run int virtual-access 3
Building configuration...
Current configuration : 92 bytes
!
interface Virtual-Access3
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
end

SpokeSitePE#sh run int virtual-access 4
Building configuration...
Current configuration : 92 bytes
!
interface Virtual-Access4
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
end

Both subscribers are up on the SpokeSitePE
Show Log: SpokeSitePE (LNS) (Cont.)
SpokeSitePE#sh ip route vrf D
Routing Table: D
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
U       2.0.0.2/32 [1/0] via 2.8.1.1
S       2.0.0.0/8 is directly connected, Null0
U       2.0.0.5/32 [1/0] via 2.8.1.2
C       2.8.1.2/32 is directly connected, Virtual-Access4
C       2.8.1.1/32 is directly connected, Virtual-Access3

Shows the downstream VRF table: the per-user (U) /32 routes from the RADIUS ip:route attributes recurse via the PPP peer addresses on the virtual-access interfaces, and there is no default route, so this table can only reach the spokes
Show Log: SpokeSitePE (LNS) (Cont.)
SpokeSitePE#sh ip route vrf U
Routing Table: U
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 100.0.0.20 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.0.0.8 is directly connected, Loopback2
B*   0.0.0.0/0 [200/0] via 100.0.0.20, 1w5d

Shows the upstream VRF table: only the service loopback and the BGP default route imported from the hub PE, so every packet received from a spoke is forced toward the hub, including traffic addressed to the other spoke on the same PE
Show Log: SpokeSitePE (LNS) (Cont.)
SpokeSitePE#sh ip int vi 3
Virtual-Access3 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback2 (2.0.0.8)
  Broadcast address is 255.255.255.255
  Peer address is 2.8.1.1
  MTU is 1492 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP VPN CEF switching turbo vector
  VPN Routing/Forwarding "U"
  Downstream VPN Routing/Forwarding "D"
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

SpokeSitePE#sh cef interface vi 3 int
Virtual-Access3 is up (if_number 35)
  Corresponding hwidb fast_if_number 35
  Corresponding hwidb firstsw->if_number 35
  Internet address is 0.0.0.0/0
  Unnumbered interface. Using address of Loopback2 (2.0.0.8)
  ICMP redirects are always sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is not set
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting is disabled
  Interface is marked as point to point interface
  Hardware idb is Virtual-Access3
  Fast switching type 7, interface type 21
  IP CEF switching enabled
  IP Feature Fast switching turbo vector
  IP VPN Feature CEF switching turbo vector
  VPN Forwarding table "U"
  Input fast flags 0x5000, Output fast flags 0x0
  ifindex 23(23)
  Slot -1 Slot unit 3 Unit 3 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1492
  Subblocks:
    ip verify: via=rx, acl=0, drop=0, sdrop=0, downstream VRF D

SpokeSitePE#sh ip vrf detail D
VRF D; default RD 1:8; default VPNID <not set>
  Description: Downstream VRF - to spokes
  No interfaces
  Interfaces using this VRF as downstream:
    Virtual-Access3
    Virtual-Access4
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:1:100
  No Import VPN route-target communities
  No import route-map
  No export route-map
Configuration: SpokeSiteCE (LAC1)
username subscriber1 password 0 subscriber1
username subscriber2 password 0 subscriber2
!
ip vrf D
 rd 1:8
 route-target export 1:100
!
ip vrf U
 rd 1:0
 route-target import 1:0
!
ip cef
vpdn enable
!
vpdn-group U
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface Loopback2
 ip vrf forwarding U
 ip address 2.0.0.8 255.255.255.255
!
interface ATM2/0
 description Mze ATM3/1/2
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 3/100
  protocol pppoe
 !
 pvc 3/101
  protocol pppoe
 !
!
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
 peer default ip address pool U-pool
 ppp authentication chap
!
ip local pool U-pool 2.8.1.1 2.8.1.100

Unlike the LNS, the LAC applies the HDV binding statically on Virtual-Template1 and authenticates the two subscribers from local usernames (password 0 stores the passwords in clear text in the running configuration, which is acceptable in this lab but not in production)
BACKUP SLIDES
Topology I: Hub and Spoke Connectivity Between Distributed PE-Routers
[Figure: Spoke 1 and Spoke 2 PE routers, each with VPN ports A and B and a service loopback, across the MPLS core to the Hub PE, the ISP PE/CE and the Home Gateway]
• Upstream traffic (i.e. traffic toward the upstream ISP or toward another subscriber) is sent to the hub PE router and forwarded across the link between the wholesale SP and the ISP
• Subscriber traffic follows a default route within the VRF
• Traffic is forwarded toward, and received from, the wholesale Service Provider's PE router and the subscriber
Topology II: Hub and Spoke Connectivity Between Subscribers Of Different Services
[Figure: Spoke 1 and Spoke 2 PE routers, each with VPN ports A and B and a service loopback, across the MPLS core to two hub PEs, each with its own ISP PE/CE and Home Gateway, interconnected through a NAP]
• Data flow between two subscribers that belong to different services goes through the hub location of the Service Provider
• The data traverses a network exchange point (NAP), either public or private, by following a default route within the subscriber's VRF
Topology III: Hub and Spoke Connectivity Via the Same PE-Router (Different Services)
[Figure: a single Spoke 1 PE with VPN ports A and B and two service loopbacks, across the MPLS core to two hub PEs, each with its own ISP PE/CE and Home Gateway]
• If two subscribers are terminated on the same PE router and belong to different services, the data is required to traverse the home gateways of both services