8/8/2019 MPLS VPN Configurations
1/101
CQFE rev17, Russ Davis, 1999, Cisco Systems, Inc.
MPLS VPN Configurations
Khalid Raza

Agenda
Introduction to VPN concepts
VPN definitions
Types of VPNs (Overlay/Peer)
Comparison between Overlay and Peer model
Benefits of MPLS VPNs

Agenda
Idea behind VRF, RD, RT
Route propagation in MP-BGP
Routing between PE-CE
MPLS Packet Forwarding

Agenda
MPLS configuration
VRF
MP-BGP
PE-CE configuration
Advanced configuration

Agenda
MPLS VPN topologies and connectivity
Design considerations
Deployment strategies

VPN/MPLS Concepts
VPN
The concept is to use the service provider's shared resources to connect multiple customer sites
Technologies such as X.25 and Frame Relay use virtual circuits to establish end-to-end connections over the shared provider infrastructure
This statistical sharing of resources enables the service provider to offer low-cost services to the end user

VPN Terminology
Provider Network (P-Network)
The backbone under control of a Service Provider
Customer Network (C-Network)
Network under customer control
CE router
Customer Edge router. Part of the C-network and interfaces to a PE router

VPN Terminology
Site
Set of (sub)networks, part of the C-network and co-located
A site is connected to the VPN backbone through one or more PE/CE links
PE router
Provider Edge router. Part of the P-Network and interfaces to CE routers
P router
Provider (core) router, without knowledge of VPN

VPN Terminology
[Figure: Service Provider Network with Provider Edge (PE) devices at the edge and Provider core (P) devices in the middle; each VPN Site attaches to a PE through a CPE (CE) device.]

Types of VPNs
VPN services are offered in two major ways:
Overlay model, where the service provider provides the virtual connections between sites
Peer model, where the service provider participates in the Layer 3 routing of the customer

VPN Overlay Model
The service provider network is a collection of point-to-point links
Routing within the customer network is transparent to the service provider network
The service provider is responsible purely for data transport between customer sites

VPN Overlay Model
Layer 1 implementation: the customer runs IP over HDLC or PPP; the provider gives bit pipes only
Layer 2 implementation: the service provider is responsible for the Layer 2 virtual circuits (ATM, Frame Relay)

VPN Overlay Model
[Figure: two VPN Sites, each with a CPE (CE) device, attached to Provider Edge (PE) devices of the Service Provider Network; the provider carries a Virtual Circuit between the two PEs, and the Layer-3 Routing Adjacency runs end to end between the CE devices over that circuit.]

VPN Peer Model
Both provider and customer networks use the same network protocol
CE and PE routers have a routing adjacency at each site
All provider routers hold the full routing information about all customer networks
Private addresses are not allowed
May use the virtual router capability
Multiple routing and forwarding tables based on customer networks

VPN Peer-to-Peer Model
[Figure: two VPN Sites, each with a CPE (CE) Router, attached to Provider Edge (PE) Routers of the Service Provider Network; a Layer-3 Routing Adjacency runs on each CE-PE link.]

VPN Peer Model
The peer model uses two approaches:
Shared router
Dedicated router

VPN Peer Model
Shared router
Where a common router is used, extensive packet filtering is applied on the PE router to isolate customers
The service provider allocates addresses out of its own space to the customer and manages the packet filters to ensure reachability within the same customer and isolation between customers
High maintenance cost associated with packet filters
Performance impact due to packet filtering

Peer-to-Peer Model: Shared Router Approach
[Figure: one PE in the Service Provider Network with three CE routers attached (VPN-A, VPN-B, VPN-C) at sites labelled Paris, London and Munich; caption: shared router approach with complex filters. The single PE routing table holds the VPN-A, VPN-B and VPN-C routes together.]

interface Serial0/1
 description ** interface to VPN-A customer
 ip address 192.168.61.6 255.255.255.252
 ip access-group VPN-A in
 ip access-group VPN-A out
!
interface Serial0/2
 description ** interface to VPN-B customer
 ip address 192.168.61.9 255.255.255.252
 ip access-group VPN-B in
 ip access-group VPN-B out
!
interface Serial0/3
 description ** interface to VPN-C customer
 ip address 192.168.62.6 255.255.255.252
 ip access-group VPN-C in
 ip access-group VPN-C out
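The access lists that the interface configuration above binds with "ip access-group VPN-A in" and "out" are not shown on the slide, yet they are the only thing separating customers on a shared PE, because the PE holds every customer's routes in one table. The following is an added example of what those lists have to contain for the isolation to hold; it is not from the original deck. The CE-PE link subnets 192.168.61.4/30 and 192.168.61.8/30 follow from the interface addresses above; the customer site prefixes (VPN-A: Paris 10.1.1.0/24 behind Serial0/1, London 10.1.2.0/24 behind a remote PE; VPN-B: Paris 10.2.1.0/24 behind Serial0/2, Munich 10.2.3.0/24 behind a remote PE) are assumptions chosen for illustration.

```ios
! Added example, not from the original deck. Site prefixes are assumptions;
! link subnets are taken from the interface addresses on the slide.
!
! VPN-A: Paris 10.1.1.0/24 (Serial0/1), London 10.1.2.0/24 (remote PE)
! VPN-B: Paris 10.2.1.0/24 (Serial0/2), Munich 10.2.3.0/24 (remote PE)
!
ip access-list extended VPN-A
 remark -- inbound: CE-PE link traffic, i.e. routing protocol packets addressed
 remark -- to the PE itself (an inbound ACL filters those too)
 permit ip 192.168.61.4 0.0.0.3 192.168.61.4 0.0.0.3
 remark -- routing protocols with multicast hellos (OSPF, EIGRP, RIPv2) need this;
 remark -- a unicast BGP session to the CE does not
 permit ip 192.168.61.4 0.0.0.3 224.0.0.0 0.255.255.255
 remark -- inbound: only sources belonging to the VPN-A Paris site (anti-spoof)
 remark -- and only towards other VPN-A sites
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 remark -- outbound (same list is bound out): only VPN-A sources towards Paris
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 remark -- everything else, including VPN-B and VPN-C addresses, is dropped;
 remark -- log so cross-VPN or spoofed attempts show up in syslog
 deny   ip any any log
!
ip access-list extended VPN-B
 permit ip 192.168.61.8 0.0.0.3 192.168.61.8 0.0.0.3
 permit ip 192.168.61.8 0.0.0.3 224.0.0.0 0.255.255.255
 permit ip 10.2.1.0 0.0.0.255 10.2.3.0 0.0.0.255
 permit ip 10.2.3.0 0.0.0.255 10.2.1.0 0.0.0.255
 deny   ip any any log
```

Check the binding with "show ip interface Serial0/1" (it reports the inbound and outgoing access list by name) and the per-entry match counters with "show ip access-lists VPN-A"; hits on the final deny are the cross-customer traffic the filter is there to stop. The maintenance cost the slide refers to is visible here: every additional VPN-A site is a new permit pair in every VPN-A list on every PE that carries VPN-A, the first matching entry wins, and a single mistyped wildcard mask quietly opens one customer to another, because the PE's routing table can already reach every customer's prefixes.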

VPN Peer Model
Dedicated router
Customer isolation is achieved via dedicated routers connected to the customer
The POP edge router filters routing updates between the different provider edge routers
Route filtering is achieved via BGP communities
Not cost effective

Peer-to-Peer Model: Dedicated Router Approach
[Figure: a VPN-A PE (Paris) and a VPN-B PE (London), each attached to its own customer's CE; a P router in the core reflects routes to a third VPN-A PE (Brussels). The P routing table holds the VPN-A routes (community 111:1) and the VPN-B routes (community 111:2); the Brussels VPN-A PE receives the VPN-A routes ONLY. Caption: dedicated router approach expensive to deploy.]

router bgp 111
neighbor 10.13.1.2 remote-as 111
neighbor 10.13.1.2 route-reflector-client
neighbor 10.13.1.2 route-map VPN-A out
!
route-map VPN-A permit 10
match community-list 75
!
ip community-list 75 permit 111:1
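The route reflector configuration above only isolates customers if the VPN-A PE tags the routes it learns from its customer with community 111:1 and actually sends the community attribute to the reflector. The following is an added example of that PE side; it is not from the original deck. AS 111, community 111:1 and the PE address 10.13.1.2 come from the slide; the reflector loopback 10.13.1.1, the CE address 192.168.61.5, the customer AS 65001 and the route-map name FROM-VPN-A are assumptions.

```ios
! Added example, not from the original deck: the VPN-A PE (10.13.1.2) that
! peers with the route reflector configured above.
! Assumed: reflector loopback 10.13.1.1, CE 192.168.61.5, customer AS 65001.
!
ip bgp-community new-format
!
router bgp 111
 ! iBGP session to the reflector. Without send-community the 111:1 tag is
 ! stripped on the way out and the reflector's community-list 75 matches nothing.
 neighbor 10.13.1.1 remote-as 111
 neighbor 10.13.1.1 update-source Loopback0
 neighbor 10.13.1.1 send-community
 ! eBGP session to the VPN-A CE: every route learned from this customer is
 ! tagged as VPN-A on the way in.
 neighbor 192.168.61.5 remote-as 65001
 neighbor 192.168.61.5 route-map FROM-VPN-A in
!
route-map FROM-VPN-A permit 10
 ! "set community" without "additive" replaces whatever the CE sent, so a
 ! customer cannot attach 111:2 to its own routes and have them reflected
 ! into VPN-B.
 set community 111:1
```

On the reflector, "show ip bgp neighbors 10.13.1.2 advertised-routes" should list only routes carrying 111:1, and "show ip bgp community 111:2" on the VPN-A PE should be empty. Note that the reflector's route-map VPN-A has a single permit clause with a match, so anything that does not carry 111:1, including a route that arrived with no community at all, falls through to the implicit deny: a PE that forgets send-community loses its own customer's routes rather than leaking them, which is the safe failure. The reflector needs its own "neighbor 10.13.1.2 send-community" if the receiving PE is expected to see the tag and filter on it again.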

Comparison Between the Two Models
Overlay Model
Easy to implement
No knowledge of customer routing
Isolation between the customer and provider networks
Peer Model
Optimal routing
Easy to provision additional VPNs through site provisioning, no need for link provisioning

Comparison Between the Two Models
Overlay Model
Optimal routing between sites requires a full mesh
Bandwidth provisioning
Virtual circuits have to be manually configured
Peer Model
Customer convergence is dependent on SP routing convergence
The large number of customer routes within the provider network causes scalability problems

Benefits of MPLS VPNs
Best of both worlds
PE participates in routing so y