8/8/2019 MPLS VPN Configurations
1/101
CQFE rev17, Russ Davis, 1999, Cisco Systems, Inc.

MPLS VPN Configurations
Khalid Raza

Agenda
Introduction to VPN concepts
  VPN definitions
  Types of VPNs (overlay/peer)
  Comparison between the overlay and peer models
  Benefits of MPLS VPNs
Idea behind VRF, RD and RT
Route propagation in MP-BGP
Routing between PE and CE
MPLS packet forwarding
MPLS configuration
  VRF
  MP-BGP
  PE-CE configuration
  Advanced configuration
MPLS VPN topologies and connectivity
Design considerations
Deployment strategies

VPN/MPLS Concepts
VPN: the concept is to use the service provider's shared resources to connect multiple customer sites.
Technologies such as X.25 and Frame Relay use virtual circuits to establish end-to-end connections over the shared infrastructure of the provider.
This statistical sharing of resources enables the service provider to offer low-cost services to the end user.

VPN Terminology
Provider network (P-network): the backbone under control of a service provider.
Customer network (C-network): network under customer control.
CE router: customer edge router; part of the C-network and interfaces to a PE router.

VPN Terminology
Site: set of (sub)networks that are part of the C-network and co-located. A site is connected to the VPN backbone through one or more PE/CE links.
PE router: provider edge router; part of the P-network and interfaces to CE routers.
P router: provider (core) router, without knowledge of VPNs.

VPN Terminology (figure): a service provider network with provider core (P) devices in the middle and provider edge (PE) devices at its border; each VPN site attaches to a PE device through its CPE (CE) device.

Types of VPNs
VPN services are offered in two major ways:
Overlay model, where the service provider provides the virtual connections between sites.
Peer model, where the service provider participates in the Layer 3 routing of the customer.

VPN Overlay Model
The service provider network is a collection of point-to-point links.
Routing within the customer network is transparent to the service provider network.
The service provider is responsible purely for data transport between customer sites.

VPN Overlay Model
Layer 1 implementation: the customer runs IP over HDLC or PPP; the provider gives bit pipes only.
Layer 2 implementation: the service provider is responsible for Layer 2 virtual circuits via ATM or Frame Relay.

VPN Overlay Model (figure): the service provider network offers a virtual circuit between its two provider edge (PE) devices; the CPE (CE) devices at the two VPN sites form a Layer 3 routing adjacency with each other across that virtual circuit.

VPN Peer Model
Both the provider and the customer network use the same network protocol.
CE and PE routers have a routing adjacency at each site.
All provider routers hold the full routing information about all customer networks.
Private addresses are not allowed.
May use the virtual router capability: multiple routing and forwarding tables, one per customer network.

VPN Peer-to-Peer Model (figure): each CPE (CE) router forms a Layer 3 routing adjacency with the provider edge (PE) router of its own site, rather than with the remote CE across the service provider network.

VPN Peer Model
The peer model used two types of approach:
Shared router
Dedicated router

VPN Peer Model: Shared Router
Where a common router is used, extensive packet filtering on the PE router isolates the customers.
The service provider allocates addresses out of its own space to the customer and manages the packet filters to ensure reachability within the same customer and isolation between customers.
High maintenance cost is associated with the packet filters.
Packet filtering has a performance impact.

Peer-to-Peer Model: Shared Router Approach (figure): one PE in the provider network serves the CE routers of VPN-A, VPN-B and VPN-C (sites shown at Paris, London and Munich); the shared router approach needs complex filters, and the PE routing table holds the VPN-A, VPN-B and VPN-C routes together.
interface Serial0/1
 description ** interface to VPN-A customer
 ip address 192.168.61.6 255.255.255.252
 ip access-group VPN-A in
 ip access-group VPN-A out
!
interface Serial0/2
 description ** interface to VPN-B customer
 ip address 192.168.61.9 255.255.255.252
 ip access-group VPN-B in
 ip access-group VPN-B out
!
interface Serial0/3
 description ** interface to VPN-C customer
 ip address 192.168.62.6 255.255.255.252
 ip access-group VPN-C in
 ip access-group VPN-C out

VPN Peer Model: Dedicated Router
Customer isolation is achieved via dedicated routers connected to the customer.
The POP edge router filters routing updates between the different provider edge routers.
Route filtering is achieved via BGP communities.
Not cost effective.

Peer-to-Peer Model: Dedicated Router Approach (figure): a dedicated VPN-A PE and a dedicated VPN-B PE each serve their own customer's CE routers (sites shown at Paris, London and Brussels); the P router's routing table carries the VPN-A routes with community 111:1 and the VPN-B routes with community 111:2, so the VPN-A PE receives VPN-A routes only. The dedicated router approach is expensive to deploy.
router bgp 111
 neighbor 10.13.1.2 remote-as 111
 neighbor 10.13.1.2 route-reflector-client
 neighbor 10.13.1.2 route-map VPN-A out
!
route-map VPN-A permit 10
 match community-list 75
!
ip community-list 75 permit 111:1

Comparison Between the Two Models
Overlay model:
  Easy to implement
  No knowledge of customer routing
  Isolation between the two networks
Peer model:
  Optimal routing
  Easy to provision additional VPNs through site provisioning; no need for link provisioning

Comparison Between the Two Models
Overlay model:
  Optimal routing between sites requires a full mesh
  Bandwidth provisioning
  Virtual circuits have to be manually configured
Peer model:
  Customer convergence depends on the SP's routing convergence
  A lot of routes within the provider network causes scalability problems

Benefits of MPLS VPNs
Best of both worlds:
The PE participates in routing, so you can achieve optimal routing between sites.
The PE isolates customer routing information, like the dedicated router solution.
Overlapping addresses are permitted between customers.

Benefits of MPLS VPNs
The PE router is subdivided into virtual routers, similar to the dedicated router approach.
Each customer is assigned independent routing tables.
IOS does this isolation through the concept of VRF (Virtual Routing and Forwarding).

Benefits of MPLS VPNs (figure): one PE in the provider network serves CE routers for two VPN-A sites and one VPN-B site (Paris, London, Munich); the PE holds a global routing table plus a separate VPN routing table per customer (VRF for VPN-A, VRF for VPN-B), populated by IGP and/or BGP. Multiple routing and forwarding instances (VRFs) provide the separation.

Problem
How do we propagate routing across the network between the PE devices?
We need a routing protocol that will transport the customer routes across the provider network.
We need to maintain the independence of the customers' routing and address space.

Easy and Lazy Answer
Run multiple routing protocols, one for each customer.
But PE routers will have to run a large number of routing instances.
The poor P router will have to carry all the VPN routes.
P routers will still run into the overlapping address problem unless you configure all the VRFs on the PE router.
Does not scale.

Better Solution
Run a routing protocol that can exchange the routing updates only between PE routers.
The P router is protected from customer routes.

But How to Do It?
Use BGP to pass the routing information between PE devices.
Use MPLS labels to exchange packets between next hops (PE routers).
Extend BGP to be able to handle overlapping addresses.

VPN Routing & Forwarding Instance (VRF)
PE routers maintain separate routing tables:
Global routing table
  contains all PE and P routes (perhaps BGP)
  populated by the VPN backbone IGP
VRF (VPN routing & forwarding)
  routing & forwarding table associated with one or more directly connected sites (CE routers)
  a VRF is associated with any type of interface, whether logical or physical (e.g. sub-interface, virtual or tunnel interface)
  interfaces may share the same VRF if the connected sites share the same routing information

VPN Routing & Forwarding Instance (VRF) (figure): one PE serving two VPN-A sites and one VPN-B site (Paris, London, Munich), with a global routing table and one VRF per customer (VRF for VPN-A, VRF for VPN-B) as the VPN routing tables, populated by IGP and/or BGP; multiple routing and forwarding instances (VRFs) provide the separation.

MPLS/VPN Connectivity Model
Private addressing in multiple VPNs is no longer an issue, provided that members of the same VPN do not use the same address range.
(figure): VPN A, VPN B and VPN C sites at London, Milan, Paris, Munich, Brussels and Vienna, with address ranges 10.2.1.0/24, 10.22.12.0/24, 10.2.1.0/24, 10.3.3.0/24, 10.2.12.0/24 and 10.4.12.0/24; 10.2.1.0/24 is used in two different VPNs, while the address space for VPN A and B must be unique.

VPN Routing & Forwarding Instance (VRF)
A VRF can be thought of as a virtual router with the following structures:
a forwarding table based on CEF
a set of interfaces that use the derived forwarding table
rules to control import/export of routes from/into the VPN routing table
a set of routing protocols/peers which inject information into the VPN routing table (including static routing)
router variables associated with the routing protocol used to populate the VPN routing table

VRF Route Population
The VRF is populated locally through the PE-CE routing protocol exchange: RIP version 2, OSPF, BGP-4 and static routing.
Separate routing context for each VRF: a routing protocol context (BGP-4 and RIPv2) or a separate process (OSPF).
(figure): a PE with CE routers at Site-1 and Site-2, exchanging routes via EBGP, OSPF, RIPv2 or static routing.

Local VRF Route Population (figure): the PE serving VPN-A (Paris, London) and VPN-B (Munich) populates the VRF for VPN-A and the VRF for VPN-B from the attached CE routers, alongside the global table; local VRF population is driven by the routing protocol context, or by the process in the case of OSPF. The question the figure raises is: which routing protocol context or process does a given route belong to?

VRF Route Distribution
PE routers distribute local VPN information across the MPLS/VPN backbone through the use of MP-BGP and redistribution from the VRF; the receiving PE imports the routes into its attached VRFs.
(figure): CE router - PE - P router - PE - CE router; MP-BGP runs between the two PEs across the MPLS/VPN backbone, with a VPN site at each end.

Concept of RD
If customers have overlapping addresses, BGP will treat them as a single prefix.
Extend the prefix with a 64-bit prefix (the route distinguisher).
Now, with the 32-bit IP address and the 64-bit RD, the two overlapping IP addresses are unique.

Concept of RD
The 32-bit IP prefix is the IPv4 address.
With the 64-bit RD it is extended to 96 bits and is now a VPNv4 address.
This address is exchanged only between the PE routers via BGP.
It is carried in Multi-Protocol BGP.

Concept of RD (figure): PE1 connects CE routers of VPN-A and VPN-B (Munich) and runs MP-BGP across the MPLS/VPN backbone to PE2, whose BGP table holds the routes from VPN-A and the routes from VPN-B. The CE router sends a 32-bit IPv4 prefix; the PE router converts it into a 96-bit VPNv4 prefix.

Processing of RD
The RD is propagated between the PE routers.
The RD is removed by the receiving PE routers.
The CE router receives just the IPv4 prefixes.

Usage of RD
The RD is only used to extend the IP prefix such that overlapping addresses are unique.
Simple VPN topologies require a single RD per customer.
In some cases multiple RDs may be required.

Can RD Be the VPN Identifier?
Yes, it could be a VPN identifier.
Complex topologies require another component for VPN topologies other than the RD, just like communities are more flexible.

Concept of RT
For sites that have to participate in more than one VPN, the RD is not sufficient; you need another way of deciding the membership.
RT was introduced to support complex topologies such that separation and grouping are easier.

Concept of RT
An RT is an extended BGP community attached to the VPNv4 address.
Gives more flexibility to the VPN membership.
Any number of RTs can be attached to a route.
Extended communities are 64-bit values.

Concept of RT
RTs are either exported or imported.
Export route targets are attached to the route the moment it is converted from IPv4 to VPNv4.
The import RT is used to decide the routes that will be imported into the VPN.
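The RD and RT slides above describe two separate mechanisms: the RD only makes overlapping prefixes unique, while the RTs decide which VRFs a route lands in. The Python simulation below is an added illustration of both, not code from the original slides or from IOS: a PE turns CE-learned IPv4 routes into 96-bit VPNv4 routes with export RTs and a VPN label, and a second PE imports them into every VRF whose import RTs match. The VRF names, RD/RT values, PE-1's loopback and the SHARED VRF (which imports both customers' RTs to show why members of one VRF must not reuse an address range) are constructed for the example.

```python
"""Simulation of how a PE router uses the route distinguisher (RD) and route
targets (RT): the RD makes overlapping customer prefixes unique as 96-bit VPNv4
routes, the export RTs travel with the route, and the import RTs of each VRF on
the receiving PE decide membership. Added example, not code from the original
slides; VRF names, RD/RT values and the PE-1 loopback address are constructed."""
import ipaddress
from dataclasses import dataclass, field


def encode_rd(rd: str) -> int:
    """Encode an ASN:X route distinguisher (type 0) as its 64-bit value:
    2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    asn, assigned = (int(part) for part in rd.split(":"))
    if not (0 <= asn < 2 ** 16 and 0 <= assigned < 2 ** 32):
        raise ValueError(f"RD out of range: {rd}")
    return (asn << 32) | assigned


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str                # the IPv4 prefix learned from the CE
    next_hop: str              # BGP next hop: loopback of the originating PE
    route_targets: frozenset   # extended community RT values attached on export
    label: int                 # VPN label allocated by the originating PE

    def key(self) -> int:
        """96-bit VPNv4 identity: 64-bit RD followed by the 32-bit IPv4 address."""
        network = ipaddress.ip_network(self.prefix)
        return (encode_rd(self.rd) << 32) | int(network.network_address)


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    # prefix -> (next hop, VPN label); label None marks a route learned from the CE
    routes: dict = field(default_factory=dict)


class PE:
    def __init__(self, name: str, loopback: str):
        self.name, self.loopback, self.vrfs = name, loopback, {}
        self._next_label = 16  # labels 0-15 are reserved values

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def export(self) -> list:
        """Turn CE-learned IPv4 routes into VPNv4 updates: prepend the VRF's RD,
        attach its export RTs and allocate a VPN label."""
        updates = []
        for vrf in self.vrfs.values():
            for prefix, (_, label) in vrf.routes.items():
                if label is None:
                    updates.append(Vpnv4Route(vrf.rd, prefix, self.loopback,
                                              vrf.export_rt, self._next_label))
                    self._next_label += 1
        return updates

    def receive(self, updates: list) -> None:
        """Import each update into every VRF whose import RTs intersect the
        update's RTs; the RD is dropped and the plain IPv4 prefix is installed."""
        for update in updates:
            for vrf in self.vrfs.values():
                if vrf.import_rt & update.route_targets:
                    vrf.routes[update.prefix] = (update.next_hop, update.label)


def demo() -> dict:
    """Two customers that both use 10.2.1.0/24 behind PE-1; PE-2 keeps them apart
    in VPN-A and VPN-B, while the constructed SHARED VRF imports both RTs."""
    pe1, pe2 = PE("PE-1", "197.26.15.2"), PE("PE-2", "197.26.15.1")
    pe1.add_vrf(Vrf("VPN-A", "109:1", frozenset({"109:1"}), frozenset({"109:1"}),
                    {"10.2.1.0/24": ("CE-A", None)}))
    pe1.add_vrf(Vrf("VPN-B", "109:2", frozenset({"109:2"}), frozenset({"109:2"}),
                    {"10.2.1.0/24": ("CE-B", None)}))
    pe2.add_vrf(Vrf("VPN-A", "109:1", frozenset({"109:1"}), frozenset({"109:1"})))
    pe2.add_vrf(Vrf("VPN-B", "109:2", frozenset({"109:2"}), frozenset({"109:2"})))
    pe2.add_vrf(Vrf("SHARED", "109:3", frozenset({"109:3"}),
                    frozenset({"109:1", "109:2"})))
    updates = pe1.export()
    pe2.receive(updates)
    return {
        # distinct 96-bit keys although both updates carry the same IPv4 prefix
        "vpnv4_keys_distinct": len({u.key() for u in updates}) == len(updates),
        "vpn_a": dict(pe2.vrfs["VPN-A"].routes),
        "vpn_b": dict(pe2.vrfs["VPN-B"].routes),
        # once the RD is stripped the two prefixes collide; the later import wins
        "shared": dict(pe2.vrfs["SHARED"].routes),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The SHARED VRF ends up with a single 10.2.1.0/24 entry although it imported two routes: the RD is gone after import, so the VRF can no longer tell the two customers' prefixes apart. That is the condition the connectivity-model slide states as "provided that members of a VPN do not use the same address range".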

Routing Within MPLS VPN
Pass IPv4 to the customer routers.
No VPN routes within the MPLS core (P routers).
P routers run the IGP and global BGP (if needed).
The provider edge router carries connected VPN routes and Internet routes.

Routing: P-Router Perspective
Runs the IGP with all the P and PE routers in the network.
No MPLS VPN routing information.
Very simple view of the network.

Routing: PE-Router Perspective
Exchanges IPv4 routes with the CE router.
Exchanges VPNv4 routes with other PE routers.
Runs the common IGP with the P routers and also Internet BGP with the P routers (if needed).

Routing Table on PE Router
The PE router has to maintain a number of routing tables:
Global routing table (IGP, Internet routes)
VRF routing information for the connected VPNs
VRF routing is populated via CE routes and routes from other PEs.

PE to PE Route Information Flow
The PE router creates the VPNv4 update:
  adds the extended community attributes (RT, SOO)
  adds all other BGP attributes
The received route is imported into the appropriate VRF according to the RT values.
Routes installed into the VRF are propagated to the CE routers.

MP-BGP Update
Any other standard BGP attribute: Local Preference, MED, Next-hop, AS_PATH, standard Community.
A label identifying the outgoing interface, or the VRF where a lookup has to be performed (aggregate/connected).
The BGP label will be the second label in the label stack of packets travelling in the core.

VRF Population of MP-BGP (figure): PE-1 (Paris) with CE-1 sends the VPNv4 update "RD 1:27:149.27.2.0/24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28)" to PE-2 (London), which has CE-2 and is configured with:
ip vrf VPN-A
 route-target import VPN-A
Receiving PE routers translate the update back to IPv4 and insert the route into the VRF identified by the RT attribute (based on PE configuration). The label associated with the VPNv4 address will be set on packets forwarded toward the destination. The VPNv4 update is translated into an IPv4 address and put into VRF VPN-A because RT=VPN-A, and optionally advertised to CE-2.

Routing Between PE-CE
The CE does not need any understanding of MPLS.
The CE needs standard IP software.
Currently EBGP, OSPF, RIP and static routing are supported.
The PE router looks like a standard corporate backbone to the CE router.

MPLS/VPN Packet Forwarding (figure): the ingress PE (PE-1) and the egress PE (BGP next hop 197.26.15.1, attached to the VPN-A site 149.27.2.0/24) are connected through a P router; London and Paris mark the two ends. The egress PE advertises the VPNv4 update "RD 1:27:149.27.2.0/24, NH=197.26.15.1, SOO=Paris, RT=VPN-A, Label=(28)". Label bindings for the FEC 197.26.15.1/32 along the path:
In Label  FEC              Out Label
-         197.26.15.1/32   41        (ingress PE: use label 41 for destination 197.26.15.1/32, as advertised by the P router)
41        197.26.15.1/32   POP       (P router: use label implicit-null for destination 197.26.15.1/32, as advertised by the egress PE)
-         197.26.15.1/32   -         (egress PE)
PE and P routers have BGP next-hop reachability through the backbone IGP.
Labels corresponding to the BGP next hops are distributed through LDP, or through RSVP with traffic engineering.

MPLS/VPN Packet Forwarding
A label stack is used for packet forwarding:
  the top label indicates the BGP next hop (interior label)
  the second-level label indicates the outgoing interface or VRF (exterior VPN label)
MPLS nodes forward packets based on the top label; any subsequent labels are ignored.
Penultimate hop popping procedures are used one hop prior to the egress PE router.

Penultimate Hop Popping (figure): London, Brussels and Paris in a row; 197.26.15.1 belongs to London (its local binding is implicit-null). Bindings for the FEC 197.26.15.1/32:
In Label  FEC              Out Label
-         197.26.15.1/32   -         (London)
41        197.26.15.1/32   POP       (Brussels: use label implicit-null for destination 197.26.15.1/32)
-         197.26.15.1/32   41        (Paris: use label 41 for destination 197.26.15.1/32)
London# show tag-switching tdp binding 197.26.15.1
  tib entry: 197.26.15.1/32, rev 10
        local binding:  tag: imp-null(1)
        remote binding: tsr: 172.16.3.1:0, tag: 41
Brussels# show tag-switching tdp binding 197.26.15.1
  tib entry: 197.26.15.1/32, rev 10
        local binding:  tag: 41
        remote binding: tsr: 172.16.3.2:0, tag: imp-null(1)
Brussels# show tag-switching forwarding
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
41     Pop tag     197.26.15.1/32    0          Se0/0/2    point2point

MPLS/VPN Packet Forwarding (figure, ingress)
Binding at the ingress PE: In Label -, FEC 197.26.15.1/32, Out Label 41.
The ingress PE (PE-1) receives normal IP packets from the site, here a packet for 149.27.2.27 in 149.27.2.0/24 (London and Paris mark the two ends).
The PE router performs an IP longest match in the VPN FIB, finds the iBGP next hop and imposes a stack of labels: the VPN-A VRF entry 149.27.2.0/24, NH=197.26.15.1, Label=(28), so the packet leaves as [41][28][149.27.2.27].

MPLS/VPN Packet Forwarding (figure, core and egress)
Binding at the P router: In Label 41, FEC 197.26.15.1/32, Out Label POP. The packet [41][28][149.27.2.27] arrives from PE-1; the penultimate router removes the IGP label (penultimate hop popping procedures, implicit-null label) and forwards [28][149.27.2.27].
Binding at the egress PE: In Label 28(V), FEC 149.27.2.0/24, Out Label -; VPN-A VRF entry 149.27.2.0/24, NH=Paris.
The egress PE router uses the VPN label to select which VPN/CE to forward the packet to.
The VPN label is removed and the packet to 149.27.2.27 is routed toward the VPN site.
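The forwarding slides above walk one packet through the three roles: ingress PE (VRF lookup plus label imposition), penultimate hop (pop the IGP label) and egress PE (VPN label selects the VRF). The Python simulation below is an added illustration, not code from the original slides or from IOS. It reuses the slides' values (BGP next hop 197.26.15.1 carrying VPN label 28 for 149.27.2.0/24, IGP label 41, implicit-null from the egress PE) and adds a generic swap action so that the same loop also covers a longer core where intermediate P routers swap the top label; the router names PE-1, P and PE-2 and the CE name are constructed.

```python
"""Simulation of MPLS/VPN label-stack forwarding with penultimate hop popping.
Added example, not code from the original slides. Values follow the slides
(BGP next hop 197.26.15.1 with VPN label 28 for 149.27.2.0/24, IGP label 41,
a P router that pops the IGP label one hop before the egress PE); the router
names PE-1, P and PE-2 and the CE name are constructed."""
import ipaddress


def longest_match(table: dict, destination: str):
    """Return the entry of the most specific prefix in table covering destination."""
    address = ipaddress.ip_address(destination)
    best_net, best_entry = None, None
    for prefix, entry in table.items():
        network = ipaddress.ip_network(prefix)
        if address in network and (best_net is None
                                   or network.prefixlen > best_net.prefixlen):
            best_net, best_entry = network, entry
    if best_entry is None:
        raise LookupError(f"no route to {destination}")
    return best_entry


class Router:
    def __init__(self, name: str):
        self.name = name
        # VRF FIB: vrf -> {prefix: ("bgp", next hop, VPN label) | ("connected", CE)}
        self.vrf_fib = {}
        # global FIB from IGP + LDP: prefix -> (outgoing IGP label, next-hop router)
        self.global_fib = {}
        # LFIB: incoming label -> ("pop", next router) | ("swap", label, next router)
        #                       | ("vrf", vrf name) for a VPN label at the egress PE
        self.lfib = {}


def build_topology() -> dict:
    """Constructed three-router path: ingress PE-1, penultimate P, egress PE-2."""
    pe1, p, pe2 = Router("PE-1"), Router("P"), Router("PE-2")
    # ingress PE: MP-BGP-learned VPN-A route with BGP next hop PE-2 and VPN label 28
    pe1.vrf_fib["VPN-A"] = {"149.27.2.0/24": ("bgp", "197.26.15.1", 28)}
    pe1.global_fib = {"197.26.15.1/32": (41, "P")}   # label 41 advertised by P
    p.lfib = {41: ("pop", "PE-2")}                    # PE-2 advertised implicit-null
    pe2.lfib = {28: ("vrf", "VPN-A")}                 # VPN label selects the VRF
    pe2.vrf_fib["VPN-A"] = {"149.27.2.0/24": ("connected", "CE at the VPN-A site")}
    return {r.name: r for r in (pe1, p, pe2)}


def forward(routers: dict, ingress: str, vrf: str, destination: str) -> list:
    """Trace an IP packet from the ingress VRF interface to the egress VRF."""
    trace = []
    pe = routers[ingress]
    _, bgp_next_hop, vpn_label = longest_match(pe.vrf_fib[vrf], destination)
    igp_label, node = longest_match(pe.global_fib, bgp_next_hop)
    stack = [igp_label, vpn_label]                    # top of stack first
    trace.append(f"{pe.name}: VRF {vrf} lookup -> NH {bgp_next_hop}, "
                 f"push {stack} -> {node}")
    while True:
        router = routers[node]
        action = router.lfib[stack[0]]                # only the top label matters
        if action[0] == "pop":                         # penultimate hop popping
            stack.pop(0)
            node = action[1]
            trace.append(f"{router.name}: pop IGP label, forward {stack} -> {node}")
        elif action[0] == "swap":                      # ordinary core LSR
            stack[0], node = action[1], action[2]
            trace.append(f"{router.name}: swap to {stack} -> {node}")
        else:                                          # VPN label at the egress PE
            stack.pop(0)
            entry = longest_match(router.vrf_fib[action[1]], destination)
            trace.append(f"{router.name}: VPN label -> VRF {action[1]}, "
                         f"route IP packet to {entry[-1]}")
            return trace


if __name__ == "__main__":
    for step in forward(build_topology(), "PE-1", "VPN-A", "149.27.2.27"):
        print(step)
```

Note that the P router never looks at label 28 or at the IP header: its LFIB is keyed only on the top label, which is why the core needs no VPN routes. The egress PE, by contrast, needs no IGP label at all once PHP has removed it, and goes straight from the VPN label to the VRF.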

MPLS/VPN Configuration and Implementation

MPLS Configuration
VRF: sites requiring the same routing policies share the same VRF:
IP routing table
CEF forwarding
Route distinguisher
Route target (export, import)

MPLS Configuration: VRF configuration
Step 1. Create the VRF
Step 2. Assign an RD
Step 3. RT export
Step 4. RT import
Step 5. Define an interface to the VRF

MPLS Configuration: VRF configuration
Step 1. Creating a VRF
ip vrf name
Example: ip vrf bootcamp, where bootcamp is just a name, like a route-map name.

Step 2. Every VRF needs an associated RD
rd route-distinguisher
Could be AS:X or IP-address:X
Example: rd 109:12345

Step 3. Defining a route target that will be exported with every route that is sent from the VRF
Multiple route targets can be attached to a VRF.
route-target export RT
Example: route-target export 109:1234

Step 4. Define a route target that will be accepted by the router to be imported into the VRF
route-target import RT
Example: route-target import 109:1345

Step 5. Associate an interface with the VRF; this will remove the interface from the global routing process.
The existing IP address is removed once the interface is defined to a VRF; you will have to re-configure the IP address.

MPLS Configuration: VRF configuration (complete example)
ip vrf GREEN
 rd 109:145
 route-target export 109:145
 route-target import 109:145
!
interface serial 1/0/1
 ip vrf forwarding GREEN
 ip address 10.1.1.5 255.255.255.252

MPLS Configuration: MP-BGP configuration
The BGP process is extended to perform three functions; the tasks are configured in the same BGP process through address families:
1. Maintain and exchange global routing information (IPv4 routing)
2. VPNv4 routing
3. VRF routing exchange with the CE

MPLS Configuration: MP-BGP configuration
Global neighbors are configured under the global BGP process (all P and PE neighbors).
These neighbors need to be activated under the appropriate address family according to requirements.
VRF-specific neighbors are defined under the corresponding VRFs.

MPLS Configuration: MP-BGP configuration
Step 1. Configure neighbors and their parameters under the global process
Step 2. Configure the address family VPNv4
Step 3. Activate neighbors to carry VPNv4 routes
Step 4. Activate the VPNv4-specific parameters under the address family (filters, etc.)

MPLS Configuration: MP-BGP configuration
Step 1. Configure the BGP process
router bgp 110
 neighbor 131.108.1.1 remote-as 110
 neighbor 131.108.1.1 update-source loopback 0

Step 2. Configure the address family and activate the neighbor, which was defined earlier under the main BGP process, under the address family for VPNv4 routes
 address-family vpnv4
  neighbor 131.108.1.1 activate
  neighbor 131.108.1.1 next-hop-self

MPLS Configuration
Let's talk a little about the IPv4 address family.
Address-family IPv4 is the same as your regular BGP process.
Configurations done under this family will be added to the global BGP configuration.

MPLS Configuration
no bgp default ipv4-unicast
Disables the default behaviour of IPv4 route propagation.
Activate the neighbors that need to get IPv4 routes.
Isolation of VPNv4 and IPv4 routes, such that some neighbors get both and some receive VPNv4 only.

MPLS Configuration
Example: 3 neighbors; two of them need IPv4 routes, one does not.
Requirements:
Neighbor 131.108.1.1 (IPv4, VPNv4)
Neighbor 131.108.1.2 (IPv4 only)
Neighbor 131.108.1.3 (VPNv4 only)
router bgp 110
 no bgp default ipv4-unicast
 neighbor 131.108.1.1 remote-as 110
 neighbor 131.108.1.2 remote-as 110
 neighbor 131.108.1.3 remote-as 110
 neighbor 131.108.1.1 activate
 neighbor 131.108.1.2 activate
 !
 address-family vpnv4
  neighbor 131.108.1.1 activate
  neighbor 131.108.1.3 activate

MPLS Configuration: Configuring PE-CE Routing
BGP between PE and CE
RIP between PE and CE
OSPF between PE and CE
Static routes

MPLS Configuration
BGP and RIP require a single routing process: as distance-vector/path-vector protocols they need no database separation, which is done through address families.
OSPF requires a separate routing process for each VRF to maintain a separate database.

MPLS Configuration
All non-BGP VRF routes have to be redistributed.
No synchronization is the default.
No auto-summary is the default.

MPLS Configuration: BGP
Define the neighbor under the address-family vrf and not under the global BGP:
router bgp 110
 !
 address-family ipv4 vrf Green
  neighbor 10.1.1.1 remote-as 115
  neighbor 10.1.1.1 activate

MPLS Configuration: RIP
Single routing process; RIP parameters in each VRF:
router rip
 version 2
 !
 address-family ipv4 vrf BLUE
  network 10.0.0.0
  redistribute bgp 110 metric transparent

MPLS OSPF
IGP-BGP redistribution is done by MPLS.
Not a very good thing for OSPF: routes redistributed into OSPF are external, with a single LSA for every external route.

MPLS OSPF
If all the routes are carried as external:
Route summarization would be a problem.
Stub areas would be hard to implement.

MPLS OSPF
MPLS VPNs needed to be extended to carry OSPF information.
This in effect creates the concept of a super backbone.
The super backbone is created with MP-BGP between the PE routers.
This super backbone is between the PE routers; it is transparent to OSPF.

MPLS OSPF (figure): the MPLS BGP backbone connects the PEs at Paris and London; VPN-A sites in Area 0, Area 1 and Area 2 and VPN-B sites in Area 0 attach through their CE routers.
MPLS OSPFMPLS OSPF
OSPF between sites does not use normalOSPF-BGP redistribution
Internal OSPF routes are kept internal toOSPF
External routes are kept external
OSPF metrics are preserved MPLS OSPF backbone is transparent to
CE OSPF that runs standard software
8/8/2019 MPLS VPN Configurations
87/101
87CQFE rev14 Russ Davis 1999, Cisco Systems, Inc. www.Cisco.com
MPLS OSPFMPLS OSPF
PE routers act as ABRs
In the case of no stub area, PErouters also act as ASBRs
For CE routers perspective, send an
inter-area route into the connectedarea
MPLS OSPF
Intra-area OSPF routes are redistributed into BGP by the PE router
Route summarization can be done at the redistribution point by the PE router
MPLS OSPF
The super backbone acts just like area 0 in regular OSPF
Redistributed routes at the PE routers appear as inter-area routes
Routes from one area 0 site into another area 0 site appear as inter-area routes
Redistributed intra- and inter-area routes appear as inter-area routes; external routes still appear as external
MPLS OSPF
For MP-BGP, the extended community 0x8000 is used
OSPF cost is copied as the MED for BGP
LSA type and metric are carried across
MPLS OSPF
OSPF-BGP loop avoidance
[Figure: VPN-A and VPN-B Area 0 sites in Paris and London attached via CE routers to PE1, PE2 and PE3 across the MPLS BGP backbone; an OSPF route is redistributed into BGP at PE1]
MPLS OSPF
PE1 learns the route via OSPF as an intra-area route
PE1 advertises the route to PE2 and PE3 via MP-BGP
One of the PE routers redistributes it first (sort of a race condition)
PE2 sends the route to PE3 via an OSPF summary LSA
MPLS OSPF
PE3 removes the iBGP route for the destination and installs the OSPF summary route, due to its lower administrative distance
You can work around the problem by lowering the administrative distance of iBGP, but that is not a clean solution
MPLS OSPF
To solve this problem a Down bit has been added to the option field of the LSA header, like IS-IS TLV 135
The PE router sets the down bit when redistributing routes from MP-BGP into OSPF
A PE router will never redistribute an OSPF route with the down bit set back into BGP
MPLS OSPF
A double redistribution loop is still possible when the CE redistributes between domains and the down bit is lost
For this purpose, the tag field is used, as in standard BGP-OSPF redistribution
PE routers never redistribute OSPF routes whose tag field equals their own AS number into MP-BGP
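The down-bit and tag checks from the last few slides, together with the PE1/PE2/PE3 race above, as an added toy model (not code from the slides or from Cisco IOS); the administrative distances, prefix, AS number and PE behaviour are constructed to match what the slides describe.

```python
# Added example: a toy model of PE redistribution between MP-BGP and the VRF
# OSPF instance, following the rules the slides describe. Names and values
# are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cisco default administrative distances: OSPF 110 beats iBGP 200
AD = {"ospf-intra": 110, "ospf-summary": 110, "ibgp": 200}
LOCAL_AS = 110  # constructed: the AS used in "redistribute bgp 110" above


@dataclass
class Route:
    prefix: str
    source: str               # "ospf-intra", "ospf-summary" or "ibgp"
    dn_bit: bool = False      # the "down" bit in the LSA options field
    tag: Optional[int] = None # OSPF external route tag


def bgp_to_ospf(route: Route, local_as: int = LOCAL_AS) -> Route:
    """PE leaks an MP-BGP route into OSPF as an inter-area (summary) route,
    setting the down bit and tagging it with its own AS number."""
    return Route(route.prefix, "ospf-summary", dn_bit=True, tag=local_as)


def ospf_to_bgp_allowed(route: Route, local_as: int = LOCAL_AS) -> bool:
    """PE never sends an OSPF route back into MP-BGP when the down bit is set
    or when the tag equals its own AS (the double-redistribution case)."""
    return not route.dn_bit and route.tag != local_as


def best_route(candidates: List[Route]) -> Route:
    """Lowest administrative distance wins, as in a PE routing table."""
    return min(candidates, key=lambda r: AD[r.source])


def pe3_reaction(down_bit_support: bool) -> Tuple[str, bool]:
    """Replay the race: PE1 puts the route into MP-BGP, PE2 leaks it into
    OSPF first, PE3 sees both. Returns (installed source, loops back?)."""
    from_pe1 = Route("10.1.0.0/16", "ibgp")
    via_pe2 = bgp_to_ospf(from_pe1)
    if not down_bit_support:  # behaviour before the down bit existed
        via_pe2 = Route(via_pe2.prefix, "ospf-summary")
    chosen = best_route([from_pe1, via_pe2])
    loops = chosen.source != "ibgp" and ospf_to_bgp_allowed(chosen)
    return chosen.source, loops
```

In both cases PE3 installs the OSPF summary route (AD 110 over 200); only with the down bit does PE3 refuse to redistribute it back into MP-BGP.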
MPLS Configuration
OSPF
Configuration is still simple
  router ospf 110 vrf RED
   network 10.1.0.0 0.0.255.255 area 0
   redistribute bgp 110
MPLS IS-IS
The VPN backbone is treated as a level above L2
All L1/L2 routes will be redistributed into BGP at the PE router
New extended community in BGP: 0x0006
MPLS IS-IS
Same as the route leaking concept: don't send IS-IS routes back into BGP if the Up/Down bit is set
Don't send the route if the route in the table is not learned via IS-IS
MPLS IS-IS
At the receiving site, redistribute the route into IS-IS with the Up/Down bit set
Same concept as separation of LSDBs: one DB can belong to one VPN
MPLS IS-IS
Configuration is similar to OSPF
  router isis tag1 vrf vpn-blue
   net 49.0001.1201.0003.0001.00
   redistribute bgp 65000 metric transparent level-1-2
MPLS Configuration
Static
Used to configure VRF-specific routes
Always need to specify the interface, even though you have the next-hop
  ip route vrf YELLOW 10.1.0.0 255.255.0.0 10.1.1.5 serial 2/0