MPLS VPN Configurations


  • 8/8/2019 MPLS VPN Configurations


    1CQFE rev17 Russ Davis 1999, Cisco Systems, Inc.

    MPLS VPN Configurations

    Khalid Raza


    Agenda

    Introduction to VPN concepts

    VPN definitions

    Types of VPNs (Overlay/Peer)

    Comparison between Overlay and Peer model

    Benefits for MPLS VPNs


    Agenda

    Idea behind VRF, RD, RT

    Route propagation in MP-BGP

    Routing between PE-CE

    MPLS Packet Forwarding


    Agenda

    MPLS configuration

    VRF

    MP-BGP

    PE-CE configuration

    Advanced configuration


    Agenda

    MPLS topologies VPN connectivity

    Design considerations

    Deployment strategies


    VPN/MPLS Concepts

    VPN

    The concept is to use the service provider's shared resources to connect multiple customer sites

    Technologies such as X.25 and Frame-relay use virtual circuits to establish end-to-end connections over the provider's shared infrastructure

    This statistical sharing of resources enables the service provider to offer low-cost services to the end user


    VPN Terminology

    Provider Network (P-Network)

    The backbone under control of a Service Provider

    Customer Network (C-Network)

    Network under customer control

    CE router

    Customer Edge router. Part of the C-network and interfaces to a PE router


    VPN Terminology

    Site

    Set of (sub)networks part of the C-network and co-located

    A site is connected to the VPN backbone through one or more PE/CE links

    PE router

    Provider Edge router. Part of the P-Network and interfaces to CE routers

    P router

    Provider (core) router, without knowledge of VPN


    VPN Terminology

    [Figure labels: Service Provider Network, Provider Edge (PE) device, Provider core (P) device, VPN Site, CPE (CE) Device]


    Types of VPNs

    VPN services are offered in two major ways

    Overlay model, where the service provider provides the virtual connections between sites

    Peer model, where the service provider participates in the layer 3 routing of the customer


    VPN Overlay Model

    Service provider network is a connection of point-to-point links

    Routing within the customer network is transparent to the service provider network

    Service provider is responsible purely for data transport between customer sites


    VPN Overlay Model

    Layer 1 implementation (IP, HDLC, PPP (customer) - provider gives bit pipes only

    Layer 2 implementation - service provider responsible for L2 VC via ATM, Frame-relay


    VPN Overlay Model

    [Figure labels: Service Provider Network, Provider Edge (PE) device, VPN Site, CPE (CE) Device, Virtual Circuit, Layer-3 Routing Adjacency]


    VPN Peer Model

    Both provider and customer networks use the same network protocol

    CE and PE routers have a routing adjacency at each site

    All provider routers hold the full routing information about all customer networks

    Private addresses are not allowed

    May use the virtual router capability

    Multiple routing and forwarding tables based on Customer Networks


    VPN Peer-to-Peer Model

    [Figure labels: Service Provider Network, Provider Edge (PE) Router, VPN Site, CPE (CE) Router, Layer-3 Routing Adjacency]


    VPN Peer Model

    Peer model used two types of approach

    Shared router

    Dedicated router


    VPN Peer Model

    Shared router

    Where a common router was used, extensive packet filtering is used on the PE router to isolate customers

    Service provider allocated addresses out of its space to the customer and managed the packet filter to ensure same-customer reachability and isolation between customers

    High maintenance cost associated with packet filters

    Performance impact due to packet filtering


    Peer-to-Peer Model: Shared Router Approach

    Shared router approach with complex filters

    [Figure labels: PE, CE, VPN-A, VPN-B, VPN-C; sites Paris, London, Munich; PE Routing Table: VPN-A routes, VPN-B routes, VPN-C routes]

    interface Serial0/1
     description ** interface to VPN-A customer
     ip address 192.168.61.6 255.255.255.252
     ip access-group VPN-A in
     ip access-group VPN-A out
    !
    interface Serial0/2
     description ** interface to VPN-B customer
     ip address 192.168.61.9 255.255.255.252
     ip access-group VPN-B in
     ip access-group VPN-B out
    !
    interface Serial0/3
     description ** interface to VPN-C customer
     ip address 192.168.62.6 255.255.255.252
     ip access-group VPN-C in
     ip access-group VPN-C out
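On a shared PE, customer isolation rests entirely on every customer interface carrying the right filter in both directions. The audit below is an added example, not part of the original slides; it assumes the slide's conventions (the description names the customer and the ACL is named after the VPN), and the Serial0/4 stanza is constructed to show what a gap looks like.

```python
import re

# Serial0/1 and Serial0/2 are the slide's configuration; Serial0/4 is a
# constructed entry that reuses VPN-A's ACL and has no outbound filter.
CONFIG = """\
interface Serial0/1
 description ** interface to VPN-A customer
 ip address 192.168.61.6 255.255.255.252
 ip access-group VPN-A in
 ip access-group VPN-A out
!
interface Serial0/2
 description ** interface to VPN-B customer
 ip address 192.168.61.9 255.255.255.252
 ip access-group VPN-B in
 ip access-group VPN-B out
!
interface Serial0/4
 description ** interface to VPN-D customer
 ip access-group VPN-A in
"""

def parse_interfaces(config):
    """Map interface name -> customer tag from the description and ACL per direction."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line):
            current = interfaces.setdefault(m.group(1), {"customer": None, "acl": {}})
        elif current and (m := re.match(r"\s+description .*?(VPN-\S+) customer", line)):
            current["customer"] = m.group(1)
        elif current and (m := re.match(r"\s+ip access-group (\S+) (in|out)\s*$", line)):
            current["acl"][m.group(2)] = m.group(1)
    return interfaces

def audit(config):
    """Report interfaces with a missing filter direction or another customer's ACL."""
    findings = []
    for name, intf in parse_interfaces(config).items():
        for direction in ("in", "out"):
            acl = intf["acl"].get(direction)
            if acl is None:
                findings.append((name, f"no {direction}bound access-group"))
            elif acl != intf["customer"]:
                findings.append((name, f"{direction}bound ACL {acl} does not match customer {intf['customer']}"))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(*finding, sep=": ")
```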


    VPN Peer Model

    Dedicated router

    Customer isolation is achieved via dedicated routers connected to the customer

    POP edge router filters routing updates between different provider edge routers

    Route filtering is achieved via BGP communities

    Not cost effective


    Peer-to-Peer Model: Dedicated Router Approach

    Dedicated router approach expensive to deploy

    [Figure labels: VPN-A PE, VPN-B PE, P Router, CE, VPN-A, VPN-B; sites Paris, London, Brussels; P Routing Table: VPN-A routes (community 111:1), VPN-B routes (community 111:2); VPN-A routes ONLY]

    router bgp 111
     neighbor 10.13.1.2 remote-as 111
     neighbor 10.13.1.2 route-reflector-client
     neighbor 10.13.1.2 route-map VPN-A out
    !
    route-map VPN-A permit 10
     match community 75
    !
    ip community-list 75 permit 111:1
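The outbound policy above only checks that community 111:1 is present, so isolation depends on every route being tagged correctly upstream. The model below is an added example, not part of the original slides: it evaluates the slide's route-map and community-list over a constructed BGP table (the prefixes are made up) and flags advertised routes that also carry another VPN's community.

```python
# Constructed sample of the P router's BGP table: prefix -> communities carried.
BGP_TABLE = {
    "10.1.1.0/24": {"111:1"},            # VPN-A site
    "10.2.1.0/24": {"111:2"},            # VPN-B site
    "10.3.1.0/24": set(),                # route the PE never tagged
    "10.4.1.0/24": {"111:1", "111:2"},   # route tagged for both VPNs by mistake
}

# The slide's policy: community-list 75 permits 111:1, and
# route-map VPN-A permit 10 matches against list 75.
COMMUNITY_LISTS = {75: [("permit", "111:1")]}
ROUTE_MAP_VPN_A = [(10, "permit", 75)]

def list_permits(list_id, communities):
    """Standard community-list: first entry whose community is present decides."""
    for action, community in COMMUNITY_LISTS[list_id]:
        if community in communities:
            return action == "permit"
    return False  # implicit deny when no entry matches

def route_map_permits(route_map, communities):
    """First clause whose match succeeds decides; falling off the end denies."""
    for _seq, action, list_id in sorted(route_map):
        if list_permits(list_id, communities):
            return action == "permit"
    return False

def advertised(route_map, table):
    """Prefixes the route-map lets through to the neighbor."""
    return sorted(p for p, c in table.items() if route_map_permits(route_map, c))

def cross_tagged(route_map, table, own):
    """Advertised prefixes that also carry a community other than `own`."""
    return [p for p in advertised(route_map, table) if table[p] - {own}]

if __name__ == "__main__":
    print("sent to VPN-A PE:", advertised(ROUTE_MAP_VPN_A, BGP_TABLE))
    print("cross-tagged:", cross_tagged(ROUTE_MAP_VPN_A, BGP_TABLE, "111:1"))
```

The untagged route is dropped by the implicit deny, while the doubly tagged route passes the filter, which is the case worth alerting on.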


    Comparison Between the Two Models

    Overlay Model

    Easy to implement

    No knowledge of customer routing

    Isolation between the two networks

    Peer Model

    Optimal routing

    Easy to provision additional VPNs through site provisioning - no need for link provisioning


    Comparison Between the Two Models

    Overlay Model

    Optimal routing between sites requires full mesh

    Bandwidth provisioning

    Virtual circuits have to be manually configured

    Peer Model

    Customer convergence is dependent on SP routing convergence

    Lot of routes with the provider networks causes scalability problems


    Benefits of MPLS VPNs

    Best of both worlds

    PE participates in routing so y
