Mpls10sae-Mpls VPN Design Guidelines

  • 8/14/2019 Mpls10sae-Mpls VPN Design Guidelines

    2001, Cisco Systems, Inc.

    Appendix E

    MPLS VPN Design Guidelines

    2001, Cisco Systems, Inc. MPLS v1.0E-2

    Objectives

    Upon completion of this chapter, you will be able to perform the following tasks:

    Select a proper addressing scheme for the MPLS VPN backbone

    Select the optimal Interior Gateway Protocol

    Develop comprehensive Route Distinguisher and Route Target Allocation Schemes

    Design BGP in the MP-BGP backbone

    Optimize overall network convergence

    Backbone and PE-CE Link Addressing Scheme

    Objectives

    Upon completion of this section, you will be able to perform the following tasks:

    Decide when to use numbered or unnumbered links

    Decide when to use public or private IP addresses

    Develop an addressing scheme within the backbone and between the PE and CE routers

    Backbone Addressing Overview

    Most Internet service providers (ISPs) use registered addresses over numbered links.

    Troubleshooting and management are simplified.

    Enabling MPLS in ATM-based ISP environments reduces routing adjacencies per label switch router (LSR).

    Hop-by-hop links replace end-to-end permanent virtual connections.

    There is no need to fully mesh routing adjacencies between edge routers.

    Numbered or Unnumbered Links in the Backbone

    Benefits of unnumbered links:

    Save address space

    May simplify routing configuration

    Drawbacks of unnumbered links:

    Cannot ping individual interfaces

    Syslog/Simple Network Management Protocol (SNMP) monitoring still available

    Cannot perform hop-by-hop Telnet

    Cannot perform IOS upgrades on low-end routers

    Cannot distinguish parallel links for traffic engineering

    Private Versus Public IP Addresses in the Backbone

    Private addresses can be used in the MPLS VPN backbone:

    Backbone nodes and links will not be accessible to other service providers (in some cases even to customers).

    There is no need to give visibility to customers on the backbone topology.

    Do not propagate time-to-live (TTL) in label header.

    Effects of Private Addresses on Traceroute

    Traceroute should work across backbones with private addresses, but:

    Internet Control Message Protocol (ICMP) replies from backbone routers will come from private address space.

    Responses from private addresses cannot be resolved via Domain Name System (DNS).

    Every decent firewall will drop packets coming from private address space as spoofing attacks.

    Conclusion: disable TTL propagation if you use private addresses in the core.

    Registered IP Addresses in the Backbone

    Easier management when interconnecting (merging) with other networks

    Less statistical risk of duplicate addresses

    Possible need for ISP to troubleshoot routing with other ISPs, which requires registered addresses

    Backbone hidden from customers but may be visible to peer providers

    Option: Combination of registered addresses at the edge and private addresses in the core

    Backbone Addressing Recommendations

    Use registered addresses if possible

    Use registered host addresses from one address block for PE loopback addresses

    Using host addresses for loopback interfaces is not mandatory, but highly recommended

    Using addresses from one block makes it easy to avoid summarization of loopback addresses

    Allows easy conditional label advertising only for BGP next hops

    More controlled migration toward MPLS backbone

    Numbered or Unnumbered PE-CE Links

    Do not use unnumbered provider edge-customer edge links

    Unnumbered links get their IP address from another interface (loopback), which has to be in the same VPN routing/forwarding instance (VRF)

    Increases management burden

    Increases number of interfaces

    Cannot perform PE-CE Telnet in case of CE router problems

    Private Versus Public PE-CE Addresses

    Do not use private addresses for PE-CE links:

    Customers are free to use any private addresses in the networks.

    There is always the potential for overlap with customer addresses.

    Drawback: assigning unique public subnet to every PE-CE link consumes too much address space.

    Reusing Registered IP Addresses on PE-CE Links

    The same registered subnet can be assigned to multiple interfaces belonging to different VRFs.

    This option is dangerous: customers might establish VPN connectivity even if they are connected to a wrong physical interface.

    Duplicate addresses are allowed even within a VPN (across PE routers) as long as they are not redistributed into MP-BGP.

    Recommendation for Registered IP Address Reuse

    Allocate one registered address block that is reused on every PE router.

    Uniqueness of addresses is guaranteed only at the PE level: do not redistribute connected subnets into MP-BGP.

    This option prevents misconnection of CE interfaces.

    There is no risk of customer

    Drawbacks of Registered Address Block Reuse

    You cannot ping a remote serial interface.

    Trace across a VPN network may duplicate IP addresses.

    For customers using RIP:

    RIP needs a network command on the PE so the PE-CE network will go into the customer routing table.

    Summary: Addressing

    Use registered addresses when possible; otherwise use private addresses.

    Prefer numbered links for current traffic engineering.

    PE loopback addresses should be taken from a contiguous block of address space.

    PE loopback addresses should be host routes.

    In the transition phase, bind labels only for significant addresses such as PE loopback addresses.

    Use unique PE and CE addresses within a PE router. Reuse the same address block on each PE router.
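
    An added example, not part of the original course material: a Python check of an addressing plan against the rules summarized above. The plan layout, router names, prefixes and rule names are constructed for illustration; documentation ranges stand in for registered address space.

```python
"""Lint an MPLS VPN addressing plan against the addressing summary rules.

Everything in PLAN is constructed sample data, not taken from the course.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 is checked explicitly: ipaddress.is_private would also flag the
# documentation ranges used below as stand-ins for registered space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PLAN = {
    "loopback_block": "192.0.2.0/27",         # one contiguous block for PE loopbacks
    "pe_loopbacks": {
        "PE-1": "192.0.2.1/32",
        "PE-2": "192.0.2.2/32",
        "PE-3": "192.0.3.3/24",               # wrong block and not a host route
    },
    # (PE, VRF, PE-CE subnet, connected subnet redistributed into MP-BGP?)
    "pe_ce_links": [
        ("PE-1", "cust-a", "198.51.100.0/30", False),
        ("PE-1", "cust-b", "198.51.100.4/30", False),
        ("PE-2", "cust-a", "198.51.100.0/30", False),  # reuse on another PE: allowed
        ("PE-2", "cust-b", "198.51.100.0/30", False),  # same subnet twice on PE-2
        ("PE-3", "cust-a", "10.1.1.0/30", False),      # private PE-CE addressing
        ("PE-3", "cust-b", "198.51.100.4/30", True),   # reused block leaked to MP-BGP
    ],
}


def lint(plan):
    """Return a sorted list of (rule, subject) findings for the plan."""
    findings = []
    block = ipaddress.ip_network(plan["loopback_block"])
    for pe, addr in plan["pe_loopbacks"].items():
        iface = ipaddress.ip_interface(addr)
        if iface.network.prefixlen != 32:
            findings.append(("loopback-not-host-route", pe))
        if iface.ip not in block:
            findings.append(("loopback-outside-block", pe))

    per_pe = defaultdict(list)     # PE -> [(vrf, subnet)] seen so far
    pes_using = defaultdict(set)   # subnet -> PEs on which it is configured
    for pe, vrf, subnet, _ in plan["pe_ce_links"]:
        net = ipaddress.ip_network(subnet)
        if any(net.overlaps(r) for r in RFC1918):
            findings.append(("private-pe-ce-subnet", f"{pe}/{vrf}"))
        # Addresses must be unique within one PE router, across all its VRFs.
        for other_vrf, other_net in per_pe[pe]:
            if net.overlaps(other_net):
                findings.append(("duplicate-on-pe", f"{pe}/{other_vrf}+{vrf}"))
        per_pe[pe].append((vrf, net))
        pes_using[net].add(pe)

    # A subnet reused on several PEs is only safe while it stays out of MP-BGP.
    for pe, vrf, subnet, redistributed in plan["pe_ce_links"]:
        net = ipaddress.ip_network(subnet)
        if redistributed and len(pes_using[net]) > 1:
            findings.append(("reused-subnet-in-mp-bgp", f"{pe}/{vrf}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in lint(PLAN):
        print(f"{rule:26} {subject}")
```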

    Summary

    After completing this section, you should be able to perform the following tasks:

    Decide when to use numbered or unnumbered links

    Decide when to use public or private IP addresses

    Develop an addressing scheme within the backbone and between the PE and CE routers

    Review Questions

    What are the drawbacks of using unnumbered links?

    Where should you use unnumbered links in the MPLS backbone?

    Where would you use unnumbered links between PE and CE routers?

    Why would you use private address space in your IP backbone?

    What are the drawbacks of using private address space in your IP backbone?

    How would you hide the private address space from your customers?

    More Review Questions

    What is the impact of using private backbone addresses on traceroute?

    Why should you allocate PE loopback addresses from a separate address block?

    Why should you use registered addresses for PE-CE links?

    Why is the reuse of registered addresses between VRFs not advisable?

    When can you reuse registered addresses in the same VPN between PE routers?

    Backbone IGP Selection and Design

    Objectives

    Upon completion of this section, you will be able to perform the following tasks:

    Select the proper IGP to run in the backbone

    Design the selected IGP to meet MPLS VPN requirements

    IGP Selection Criteria

    Convergence speed

    Stability and reliability

    Redistribution may affect protocols:

    Not all protocols behave the same with redistribution.

    Redistribution is not needed for MPLS VPN but might be needed to support other IP traffic.

    Summarization options and multi-area support

    Enhancements for Cisco MPLS Traffic

    IGP Convergence

    Convergence is becoming more critical than in the past:

    New applications: multimedia, voice

    Routers have to converge faster:

    Implies more CPU and memory

    Not a real problem, since switching (high-end platforms) is done at line card level; therefore, CPU has spare cycles

    IGP Convergence: Distance Vector Versus Link-State

    Distance vector protocol does not have many tuning capabilities in terms of convergence

    Link-state protocols can be tuned in order to speed up convergence

    Shortest path first (SPF) algorithm calculation, link-state advertisement (LSA) and link-state packet (LSP) generation, adjacency timer

    Scalability of link-state protocols has been proved (live ISP backbones)

    Link-state protocols have been extended for MPLS TE

    IGP Convergence Versus Stability

    Fast convergence requires short reaction time to events.

    Short reaction time implies more routing calculations.

    More routing calculations implies less stability. (example: a flapping link)

    There is a trade-off between satisfactory convergence times and indispensable stability of the backbone.

    Example: the Internet cannot afford to use fast convergence. Therefore, BGP is not a fast convergence protocol.

    Redistribution Issues

    Redistributed routes may create overhead on routing protocols

    New and specific protocol packets, possibly one per new route

    Impact on flooding, more to use in routing algorithm (SPF)

    Summarization of redistributed routes not always possible in an optimal fashion (for example, OSPF)

    Redistribution Recommendations

    Redistribution generally not the best option

    In OSPF, interfaces should be inserted in type 1 LSA rather than redistributed:

    New command passive-interface default

    Redistribution not an issue with IS-IS:

    All prefixes are on same LSP

    All prefixes are summarizable in L1L2

    Summarization Issues

    Summarization is the key element for reducing internal routing table sizes:

    Not that important if all nonbackbone routes are in BGP

    Summarization of internal as well as redistributed routes

    Not everything can be summarized:

    Summarization breaks LSP: never summarize PE loopback addresses or BGP next hops

    MPLS TE Enhancements

    Link-state protocols were extended to carry resource availability information:

    Calculates topologies based on resource availability

    Carried in OSPF opaque LSAs and new IS-IS (sub) type, length, value (TLV) attributes

    Distance vector protocols will never support MPLS TE

    Router must know complete path for traffic engineering

    Only link-state protocols allow router to have full visibility of the area or domain

    IGP Selection Recommendation

    The MPLS VPN backbone can be run with a distance vector protocol

    It will not support MPLS TE

    Use only if migration toward OSPF or IS-IS too expensive or too lengthy

    Select OSPF or IS-IS as the IGP in all other cases

    Minor differences: they both perform reasonably well in large backbones

    Select one or the other based on existing knowledge of your engineers and other requirements (for example, Connectionless Network Service [CLNS]-based management)

    Is There Any Difference Between OSPF and IS-IS?

    Both protocols use the same algorithm (SPF, or Dijkstra's algorithm).

    Most existing ISP or service provider backbones use IS-IS or OSPF.

    The largest ISPs use IS-IS:

    More experience with IS-IS in large topologies.

    The larger a network is, the more likely it is that IS-IS is used.

    Live networks use IS-IS with more than 600 routers in a single area.

    Few OSPF live networks have similar numbers.

    IS-IS area routing is an option, not a

    Minor Technical Differences Between OSPF and IS-IS

    Convergence capabilities are similar (same algorithm)

    More tuning is available in IS-IS

    Redistribution is less painful in IS-IS.

    IS-IS does not differentiate between internal and redistributed routes.

    Summarization may occur in the same router for all routes (internal and redistributed).

    OSPF has more features (route tags, stub areas, not-so-stubby [NSSA] areas, on-demand circuits, and the like).

    IGP Multi-area and Summarization Concerns

    Summarization should never be performed in ATM LSRs:

    Summarization breaks LSP tunnels.

    ATM LSRs should never be LSP tunnel endpoints.

    PE loopback addresses should not be summarized

    Allocate PE loopback addresses from a distinct block of address space that is not summarized

    Current traffic engineering implementation does not support areas

    There should be no problems if the backbone is below ~300 routers

    Summary: IGP Selection

    Link-state protocol: IS-IS or OSPF

    IS-IS is better in large topologies and where single area is required

    IGP should be tuned in order to improve convergence time

    Summary

    After completing this section, you should be able to perform the following tasks:

    Select the proper IGP to run in the backbone

    Design the selected IGP to meet MPLS VPN requirements

    Review Questions

    List three IGP selection criteria.

    What is the impact of higher convergence speed on network stability?

    How can you tune OSPF convergence?

    How can you tune IS-IS convergence?

    What is the difference between OSPF and IS-IS route redistribution?

    Where can you summarize redistributed routes in OSPF?

    Where can you summarize redistributed routes in IS-IS?

    More Review Questions

    How do you avoid redistribution of connected interfaces when using OSPF?

    Which routing protocols support MPLS Traffic Engineering?

    Why is MPLS TE not supported by EIGRP?

    When can you use EIGRP as the IGP protocol in your MPLS VPN backbone?

    What is the impact of route summarization on MPLS VPN?

    Why is IS-IS recommended for extremely large networks?

    Route Distinguisher and Route Target Allocation Schemes

    Objectives

    Upon completion of this section, you will be able to perform the following tasks:

    Develop generic Route Distinguisher (RD) and Route Target (RT) allocation schemes

    Route Distinguisher Allocation Scheme

    RD function is to make the IP version 4 (IPv4) address unique across different VPNs

    64 bits prepended to the IPv4 address

    From an architectural point of view, there is no format for the RD; it simply is a sequence of bits

    From a practical perspective, the RD is configured according to the following format:

    ::

    ::

    Route Distinguisher Allocation Scheme

    RD has VPN-local significance

    All routes that are part of the same community of sites (VPN) can use the same RD

    No duplicate IP addresses allowed within the same VPN

    Sites belonging to the same VPN may have to use different RDs when these sites also belong to other different VPNs

    With central services or hub and spoke topology, all client or spoke sites must use different RDs.

    Route Distinguisher Allocation Scheme (cont.)

    Different PEs may use the same RD for VRFs as long as the VRFs share the same connectivity requirements.

    Using a formatted RD will ensure consistency and scalability.

    Make the customer ID part of the RD.
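
    An added example, not part of the original course material: Python that prepends a 64-bit RD to an IPv4 prefix and shows which routes stay distinct and which collapse into a single VPN-IPv4 route when sites share an RD. The RD byte layouts follow RFC 4364 (type 0 and type 1); the site names, RD values and prefixes are constructed, with the customer ID carried in the assigned number.

```python
"""Build VPN-IPv4 routes by prepending a 64-bit RD to an IPv4 prefix.

ROUTES is constructed sample data; RD encodings follow RFC 4364.
"""
import ipaddress
import struct
from collections import defaultdict


def encode_rd(rd):
    """Encode 'ASN:nn' (type 0) or 'a.b.c.d:nn' (type 1) as 8 bytes."""
    admin, _, assigned = rd.rpartition(":")
    if not admin or not assigned.isdigit():
        raise ValueError(f"malformed RD {rd!r}")
    number = int(assigned)
    if "." in admin:
        # Type 1: 4-byte IPv4 address followed by a 16-bit assigned number.
        if number > 0xFFFF:
            raise ValueError("type 1 RD needs a 16-bit assigned number")
        packed_ip = ipaddress.IPv4Address(admin).packed
        return struct.pack("!H4sH", 1, packed_ip, number)
    # Type 0: 16-bit AS number followed by a 32-bit assigned number.
    asn = int(admin)
    if asn > 0xFFFF or number > 0xFFFFFFFF:
        raise ValueError("type 0 RD needs a 16-bit ASN and a 32-bit number")
    return struct.pack("!HHI", 0, asn, number)


def vpnv4(rd, prefix):
    """Return (RD + IPv4 network address, prefix length) for one route."""
    net = ipaddress.ip_network(prefix)
    return (encode_rd(rd) + net.network_address.packed, net.prefixlen)


def find_collisions(routes):
    """Group sites whose (RD, prefix) pairs yield the same VPN-IPv4 route."""
    by_route = defaultdict(list)
    for site, rd, prefix in routes:
        by_route[vpnv4(rd, prefix)].append(site)
    return sorted(sorted(sites) for sites in by_route.values() if len(sites) > 1)


# Constructed sample: (site, RD, prefix). The assigned number carries a
# hypothetical customer ID (101, 102) or a per-site value (200, 203).
ROUTES = [
    ("cust-a-site1", "65000:101", "10.1.0.0/16"),
    ("cust-b-site1", "65000:102", "10.1.0.0/16"),  # same prefix, other VPN: distinct
    ("spoke-1", "65000:200", "10.9.0.0/24"),
    ("spoke-2", "65000:200", "10.9.0.0/24"),       # shares RD with spoke-1: collapses
    ("spoke-3", "65000:203", "10.9.0.0/24"),       # own RD: stays distinct
]

if __name__ == "__main__":
    for site, rd, prefix in ROUTES:
        route, length = vpnv4(rd, prefix)
        print(f"{site:13} {route.hex()}/{length}")
    print("collisions:", find_collisions(ROUTES))
```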

    Route Target Allocation Scheme (cont.)

    RTs are used for routing policies between VRFs (therefore sites).

    Numbering is free.

    However, consistency will help to scale.

    RT numbering need not follow RD numbering.

    Numbering should not require modifications each time a new site is connected

    (for example, in a central services

    Summary

    After completing this section, you should be able to perform the following tasks:

    Develop generic Route Distinguisher (RD) and Route Target (RT) allocation schemes

    Review Questions

    What is the function of the route distinguisher?

    Can you reuse the same route distinguisher on different PE routers?

    Is there any topology where every site requires a different value of route distinguisher?

    What is the function of the route target?

    Do you have to make the route target equal to the route

    End-to-End Convergence Issues

    Objectives

    Upon completion of this section, you will be able to perform the following tasks:

    Explain the difference between overlay VPN convergence and MPLS VPN convergence

    List the elements of end-to-end convergence in the MPLS VPN network

    Optimize individual elements of MPLS VPN convergence

    Traditional Overlay VPN Routing

    Routing adjacency is between CE routers.

    Routing protocol convergence is owned by the customer.

    [Figure: Frame Relay backbone connecting CE-RIP-A1, CE-BGP-A1, CE-RIP-A2, CE-BGP-A2, CE-RIP-B1 and CE-RIP-B2, with the routing adjacency marked]

    Traditional Overlay VPN Convergence

    Elements of overlay VPN convergence:

    Neighbor loss discovery (usually not immediate but based on dead timer): up to 40 seconds

    Propagation of changed routing information: few seconds

    Topology recomputation: 5 to 15 seconds

    [Figure: Frame Relay backbone connecting CE-RIP-A1, CE-BGP-A1, CE-RIP-A2, CE-BGP-A2, CE-RIP-B1 and CE-RIP-B2, with the routing adjacency marked]

    MPLS VPN Routing

    Complex parts of the end-to-end routing are performed by the service provider.

    Routing convergence speed is primarily the responsibility of the service provider.

    PE-PE routing relies on MP-BGP, which is usually not a fast-converging protocol.

    [Figure: Site A, Site B and the provider network (P-Network), with routers PE-1, PE-2, PE-3, CE-A1, CE-A2 and CE-3]

    MPLS VPN Convergence: Failure Scenarios

    [Figure: Site A, Site B and the P-Network, with routers PE-1, PE-2, PE-3, CE-A1, CE-A2 and CE-3]

    Failure of PE-CE link or CE router failure

    Failure of a P router

    Failure within the P-network

    Failure Inside Provider Network

    All MPLS VPN routing is based on recursive BGP routing toward BGP next hops.

    Failure inside P-Network does not affect MPLS VPN routing.

    Data flow is disrupted only during P-network IGP convergence.

    Data flow continues as soon as the LSP toward the BGP next hop is established.

    [Figure: Site A, Site B and the P-Network, with routers PE-1, PE-2, PE-3, CE-A1, CE-A2 and CE-3]

    Failure Inside Provider Network (cont.)

    Convergence time after failure inside P-Network depends solely on characteristics of the provider backbone.

    IGP convergence time

    Tag Distribution Protocol (TDP) or LDP label propagation time

    Convergence time can be reduced by using advanced MPLS features such as fast reroute.

    [Figure: Site A, Site B and the P-Network, with routers PE-1, PE-2, PE-3, CE-A1, CE-A2 and CE-3]

    MPLS VPN Convergence: PE Router Failure

    Other PE routers detect the failure by two means:

    BGP keepalive holdtime expires

    BGP next hop is no longer reachable through IGP

    CE routers detect the failure through usual PE-CE routing protocol mechanisms

    [Figure: Site A, Site B and the P-Network, with routers PE-1, PE-2, PE-3, CE-A1, CE-A2 and CE-3]

    Changing BGP Keepalive Timer

    router(config-router)# neighbor ip-address timers keepalive hold

    Changes the BGP keepalive timer and hold timeout

    Reducing the values can significantly improve neighbor loss detection, but

    Disruption of IBGP session involves too much flooding: be conservative with BGP timers

    Changing BGP Update Validation Timer

    router(config-router)# bgp scan-time time-in-seconds

    BGP routing process periodically validates routes in BGP table

    Routes with unreachable next hops are removed from the BGP table, resulting in selection of the next best BGP route

    Default scan time is 60 seconds: reducing the scan time improves convergence in case of PE router failure

    MPLS VPN Convergence: PE-CE Link Failure or CE Router Failure

    PE router detects CE router failure or link failure through standard means:

    Link failure is detected by Layer 1 or Layer 2 mechanisms

    CE router failure is detected by dead timer or hold timeout

    The CE route has to be revoked from MP-BGP table, the change propagated through the network and inserted into remote VRFs

    [Figure: Site A, Site B and the P-Network, with routers PE-1, PE-2, PE-3, CE-A1, CE-A2 and CE-3]

    MPLS VPN Convergence: PE-CE Link Failure or CE Router Failure

    Convergence element #1

    Route has to be exported from VRF into MP-BGP

    Convergence element #2

    MP-BGP update has to be propagated

    Convergence element #3

    New best route has to be selected (immediate)

    Convergence element #4

    New route has to be imported into VRF

    [Figure: Site A, Site B and the P-Network, with routers PE-1, PE-2, PE-3, CE-A1, CE-A2 and CE-3]

    Changing BGP Route Export/Import Timer

    router(config-router-af)# bgp scan-time import timer

    By default, export and import actions are performed every 60 seconds.

    Reducing the BGP import/export scan timer will improve convergence (but also increase CPU utilization).

    Changing BGP Update Interval

    router(config-router)# neighbor ip-address advertisement-interval timeout

    By default, updates are sent to IBGP neighbors every 5 seconds, to EBGP neighbors every 30 seconds

    End-to-end convergence across IBGP backbone can be longer if route reflectors are deployed

    Change the advertisement interval to improve the IBGP/EBGP convergence speed
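
    An added example, not part of the original course material: a simplified Python model of worst-case convergence for the three failure scenarios, built from the timers discussed above. It assumes every periodic timer costs its full period in the worst case; the 180-second hold time is the Cisco IOS default (not stated on the slides), and the IGP convergence figure, the Layer 1/2 detection time and the tuned values are constructed.

```python
"""Worst-case convergence bounds for the three MPLS VPN failure scenarios.

Simplified model: each periodic timer contributes its full period. Values
marked 'page' are defaults quoted on the slides; the rest are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Timers:
    bgp_hold: int = 180            # hold timeout; Cisco IOS default, not from the page
    bgp_scan: int = 60             # bgp scan-time (page: default 60 s)
    import_export_scan: int = 60   # bgp scan-time import (page: default 60 s)
    ibgp_adv_interval: int = 5     # advertisement-interval, IBGP (page: 5 s)
    igp_convergence: int = 5       # assumption: IGP plus TDP/LDP settle within 5 s
    pe_ce_detect: int = 0          # assumption: Layer 1/2 reports link loss at once


def p_network_failure(t):
    """Traffic resumes once the LSP toward the BGP next hop is re-established,
    so only backbone IGP and label propagation time counts."""
    return t.igp_convergence


def pe_router_failure(t):
    """Other PEs notice a dead PE by whichever comes first: the BGP hold timer
    expiring, or the IGP withdrawing the next hop followed by the next BGP
    scan removing routes that point at it."""
    return min(t.bgp_hold, t.igp_convergence + t.bgp_scan)


def pe_ce_link_failure(t, ibgp_hops=1):
    """Sum of convergence elements #1 to #4 after the PE detects the failure.

    ibgp_hops is 1 in a full IBGP mesh and 2 through one route reflector.
    """
    export = t.import_export_scan                 # 1: export from VRF into MP-BGP
    propagate = ibgp_hops * t.ibgp_adv_interval   # 2: MP-BGP update propagation
    select = 0                                    # 3: best-path selection (immediate)
    import_ = t.import_export_scan                # 4: import into the remote VRF
    return t.pe_ce_detect + export + propagate + select + import_


def budget(t, ibgp_hops=1):
    """Worst-case seconds per failure scenario."""
    return {
        "p_network": p_network_failure(t),
        "pe_router": pe_router_failure(t),
        "pe_ce_link": pe_ce_link_failure(t, ibgp_hops),
    }


DEFAULTS = Timers()
# Constructed tuned values, chosen only to show the effect of each timer.
TUNED = Timers(bgp_scan=15, import_export_scan=10, ibgp_adv_interval=1)

if __name__ == "__main__":
    for name, timers in (("defaults", DEFAULTS), ("tuned", TUNED)):
        print(name, budget(timers, ibgp_hops=2))
```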

    Summary

    After completing this section, you should be able to perform the following tasks:

    Explain the difference between overlay VPN convergence and MPLS VPN convergence

    List the elements of end-to-end convergence in the MPLS VPN network

    Optimize individual elements of MPLS VPN convergence

    Review Questions

    What are the major elements of end-to-end convergence in traditional overlay VPN networks?

    Which part of the end-to-end MPLS VPN solution performs the most complex routing?

    What are the three common failure scenarios in MPLS VPN solution?

    How is the MPLS VPN routing influenced by a failure in a provider network?

    What influences the overall convergence after a failure in a provider network?

    How can a PE router detect the failure of another PE router?

    More Review Questions

    How can a CE router detect the failure of an adjacent PE router?

    Which parameters influence the MPLS VPN convergence after PE router failure?

    How can a PE router detect the PE-CE link failure?

    Which convergence steps need to be taken after PE-CE link failure?

    Which parameters influence the MPLS VPN convergence after PE-CE link failure?

    Summary

    After completing this chapter, you should be able to perform the following tasks:

    Select a proper addressing scheme for the MPLS VPN backbone

    Select the optimal Interior Gateway Protocol

    Develop comprehensive Route Distinguisher and Route Target Allocation Schemes

    Design BGP in the MP-BGP backbone
