RST 2602 Mpls VPN Deployment

Transcript of RST 2602 Mpls VPN Deployment

  • 7/28/2019 RST 2602 Mpls VPN Deployment

    71/96

    2004 Cisco Systems, Inc. All rights reserved. RST-26029908_06_2004_X2

    MPLS/VPN Networks without CsC

    The number of VPN routes is one of the biggest limiting factors in scaling the PE router.

    A few SPs are already running into this scaling limitation.

    If the number of VPN routes can be reduced somehow (without losing functionality), then the existing investment can be protected.

    The same PE can still be used to connect more VPN customers.

    Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes in each VRF by enabling MPLS on the PE-CE link.

    73/96

    What Do I Need to Enable CsC?

    1. Build an MPLS-VPN enabled carrier's network

    2. Connect the ISP/SP's sites (or PoPs) to the carrier's PEs

    3. Exchange internal routes + labels between the carrier's PE and the ISP/SP's CE

    4. Exchange external routes directly between the ISP/SP's sites

    74/96

    CsC Deployment Models

    (Diagram.) Carrier's MPLS core: PE1, P1, PE2, running IGP+LDP, with MP-iBGP for VPNv4 between the PEs. ISP PoP Site-1 (CE-1, ASBR-1, R1) attaches to PE1 and ISP PoP Site-2 (CE-2, ASBR-2, R2) attaches to PE2, each over an MPLS-enabled VRF interface that carries IPv4 routes with label distribution. Internal routes = IGP routes; ISP customers = external routes, exchanged over a full-mesh iBGP between the ISP sites. Also shown: C1 and the INTERNET.

    75/96

    CsC Deployment Models

    1. Customer-ISP not running MPLS

    2. Customer-ISP running MPLS

    3. Customer-ISP running MPLS-VPN

    Models 1 and 2 are less common deployments. Model 3 is discussed in detail.

    76/96

    CsC: ISP Sites Are Running MPLS-VPN

    (Diagram.) Nodes: VPN Site-1, R1, ISP PoP Site-1 (ASBR_PE-1, CE-1), carrier's core (PE1, P1, PE2), ISP PoP Site-2 (CE-2, C1, ASBR_PE-2), R2, VPN Site-2; loopback 30.1.61.25/32 and network 10.1.1.0/24. Route and label advertisements as printed on the slide:

    10.1.1.0/24, NH=R1
    MP-iBGP update between the ISP's sites: 1:1:10.1.1.0/24, RT=1:1, NH=30.1.61.25/32, Label=90
    VPN Site-2: 10.1.1.0/24, NH=ASBR_PE-2
    IGP+LDP: 30.1.61.25/32, Label=pop
    IGP+LDP: 30.1.61.25/32, NH=CE-1, Label=50
    MP-iBGP update in the carrier's core: 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51
    30.1.61.25/32, NH=PE-2, Label=52
    IGP+LDP: 30.1.61.25/32, NH=CE-2, Label=60
    IGP+LDP: 30.1.61.25/32, NH=C1, Label=70
    Carrier's core IGP+LDP: Net=PE-1, Label=16 and Net=PE-1, Label=pop

    Hierarchical MPLS-VPN Control Plane

    77/96

    CsC: ISP Sites Are Running MPLS-VPN

    (Diagram.) Same topology as the control-plane slide: VPN Site-1 (network 10.1.1.0/24, R1), ISP PoP Site-1 (ASBR-1, CE-1), carrier's core (PE1, P1, PE2), ISP PoP Site-2 (CE-2, C1, ASBR-2, R2), VPN Site-2. A packet to 10.1.1.1 is shown hop by hop with the label stacks printed on the slide: 10.1.1.1 | 90 | 70; 10.1.1.1 | 90 | 50; 10.1.1.1 | 90 | 51 | 16; 10.1.1.1 | 90 | 52; 10.1.1.1 | 90 | 60; 10.1.1.1 | 90 | 51; 10.1.1.1 | 90; and plain 10.1.1.1 at either end. Label 90 is the VPN label from the previous slide; the outer labels are the per-hop labels for 30.1.61.25/32 and, in the carrier's core, for PE-1.

    Hierarchical MPLS-VPN Forwarding Plane

    78/96

    Security Mechanism in CsC

    BGP/LDP MD5 authentication on the PE-CE session

    To prevent label spoofing, the PE maintains the association between each label and the VRF it was allocated for, and checks during the LFIB lookup that the label on a packet received over a VRF interface is the one it allocated there.

    If the check fails, the packet is dropped.
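    To make the hierarchical forwarding plane of the two previous slides and the label check above concrete, here is a small simulation added by the editor (not code from this deck or from Cisco IOS). It carries a packet for 10.1.1.1 through the labels printed on slides 76-77; the hop order, the interface names and the label-to-interface allocation table are this example's assumptions.

```python
# Hop order and label values follow slides 76-77; interface names and the
# allocation table are this example's own assumptions.
PATH = ["ASBR_PE-2", "C1", "CE-2", "PE-2", "P1", "PE-1", "CE-1", "ASBR_PE-1"]

# Per node: incoming top label ("ip" = unlabelled) -> (action, labels to add).
# A stack is a list whose LAST element is the top label.
LFIB = {
    "ASBR_PE-2": {"ip": ("push", [90, 70])},  # 90 = VPN label, 70 = LDP label for 30.1.61.25/32 via C1
    "C1":        {70: ("swap", [60])},        # 60 = label advertised by CE-2
    "CE-2":      {60: ("swap", [52])},        # 52 = label PE-2 allocated on its VRF interface
    "PE-2":      {52: ("swap", [51, 16])},    # 51 = PE-1's VPNv4 label, 16 = core LDP label to PE-1
    "P1":        {16: ("pop", [])},           # penultimate-hop pop in the carrier's core
    "PE-1":      {51: ("swap", [50])},        # 50 = label advertised by CE-1
    "CE-1":      {50: ("pop", [])},           # ASBR_PE-1 advertised "pop" for its own loopback
    "ASBR_PE-1": {90: ("pop", [])},           # VPN label off, plain IP towards 10.1.1.0/24
}

# Slide 78: a carrier PE records which VRF interface each label was allocated on
# and verifies it during the LFIB lookup.
VRF_INTERFACES = {"PE-2": {"from-CE-2"}, "PE-1": {"from-CE-1"}}
VRF_LABEL_ALLOCATION = {"PE-2": {52: "from-CE-2"}, "PE-1": {}}


def lookup(node, stack, in_if):
    """One LFIB lookup; returns the outgoing stack, or None if the packet is dropped."""
    if in_if in VRF_INTERFACES.get(node, set()):
        # A label arriving on a VRF interface must be one this PE handed out there.
        if not stack or VRF_LABEL_ALLOCATION[node].get(stack[-1]) != in_if:
            return None
    key = stack[-1] if stack else "ip"
    if key not in LFIB[node]:
        return None  # no entry: drop rather than guess
    action, labels = LFIB[node][key]
    if action == "push":
        return stack + labels
    if action == "swap":
        return stack[:-1] + labels
    return stack[:-1]  # pop


def walk(stack=None, start="ASBR_PE-2"):
    """Carry a packet from `start` along PATH.
    Returns (trace of (node, stack after lookup), node that dropped it or None)."""
    stack = [] if stack is None else list(stack)
    trace = []
    for j in range(PATH.index(start), len(PATH)):
        node = PATH[j]
        in_if = "from-" + PATH[j - 1] if j > 0 else "vpn-site-2"
        stack = lookup(node, stack, in_if)
        if stack is None:
            return trace, node
        trace.append((node, list(stack)))
    return trace, None
```

A stack that reaches PE-2 from CE-2 carrying a label PE-2 never allocated on that interface (for example the core label 51) is dropped at PE-2, while the allocated label 52 is forwarded end to end.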

    79/96

    CsC Deployment Guideline

    Two choices for deploying CsC:

    1. IGP+LDP on the PE-CE link, or

    2. eBGP IPv4+label on the PE-CE link (RFC 3107)

    The choice is driven by the routing protocol used on the PE-CE link. In both cases the CE has to run MPLS-aware code.

    80/96

    CsC: IOS Commands/Configs

    Choice 1: What All You Need to Configure?

    Choice 1: Enable LDP on the PE-CE link (PE1 to CE1 over the VRF interface, running IGP+LDP)

    PE-1:

    int ser0/0
     ip vrf forwarding green
     mpls ip
     mpls label protocol ldp

    CE-1:

    int ser0/0
     mpls ip
     mpls label protocol ldp

    Verification on PE-1 (VRF-aware forms; <name> is the VRF name):

    sh mpls interface [vrf <name>] all
    sh mpls ldp discovery [vrf <name>] all
    sh mpls ldp bindings vrf <name>
    sh mpls ip binding vrf <name>
    sh mpls ldp neighbor [vrf <name>] all
    sh mpls forwarding-table [vrf <name>]

    Verification on CE-1:

    sh mpls interface
    sh mpls ldp discovery
    sh mpls ldp bindings
    sh mpls ldp neighbor
    sh mpls forwarding-table

    81/96

    CsC: IOS Commands/Configs

    Choice 2: What All You Need to Configure?

    Choice 2: Enable eBGP+label on the PE-CE link (PE1 to CE1 over the VRF interface, running eBGP+label)

    1. No IGP needed on the PE-CE link

    2. No LDP needed on the PE-CE link

    PE-1:

    router bgp 1
     address-family ipv4 vrf green
      neighbor 200.1.61.6 remote-as 2
      neighbor 200.1.61.6 activate
      neighbor 200.1.61.6 send-label

    CE-1:

    router bgp 2
     neighbor 200.1.61.5 remote-as 1
     neighbor 200.1.61.5 send-label

    82/96

    IOS Commands/Configs

    Choice 2: eBGP+label on the PE-CE

    On the PE (<name> is the VRF name):

    sh ip bgp vpnv4 vrf <name> neighbors
    sh ip bgp vpnv4 vrf <name> labels
    sh mpls forwarding-table vrf <name>

    On the CE:

    sh ip bgp neighbors
    sh ip bgp labels
    sh mpls forwarding-table

    83/96

    Agenda

    MPLS VPN: Definition, Technology, Configuration

    MPLS-VPN Services: providing load-shared traffic to multihomed VPN sites; providing Hub&Spoke service to VPN customers; providing MPLS VPN Extranet service; providing Internet access service to VPN customers; providing VRF-selection based services; providing Remote Access MPLS VPN; providing VRF-aware NAT services

    Advanced MPLS VPN Topics: Inter-AS MPLS-VPN; CsC (Carrier Supporting Carrier)

    Best Practices

    Conclusion

    84/96

    Best Practices

    1. Use RRs to scale BGP.

    2. Deploy RRs in pairs for redundancy.

    3. Keep RRs out of the forwarding paths and disable CEF on them (saves memory).

    4. Consider a unique RD per VRF per PE if load sharing of VPN traffic is required.

    5. RT and RD should have the ASN in them, i.e. ASN:X. Reserve the first few hundred values of X for internal purposes such as filtering.

    6. Don't use customer names as VRF names; it is a nightmare for the NOC. Use a simple combination of numbers and characters in the VRF name, for example v101, v102, v201, v202, etc. Use the description field instead.

    7. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor:

    max-prefix within the VRF configuration

    max-prefix per neighbor within the BGP VRF address family (if BGP is used on the PE-CE link)

    85/96

    Conclusion

    MPLS VPN is a cheaper alternative to traditional L2 VPN

    MPLS-VPN paves the way for new revenue streams

    VPN customers could outsource their layer 3 to the provider

    Straightforward to configure an any-to-any VPN topology; partial-mesh and hub&spoke topologies can also be easily deployed

    CsC and Inter-AS could be used to expand into new markets

    VRF-aware services could be deployed to maximize the investment

    86/96

    Complete Your Online Session Evaluation!

    WHAT: Complete an online session evaluation and your name will be entered into a daily drawing

    WHY: Win fabulous prizes! Give us your feedback!

    WHERE: Go to the Internet stations located throughout the Convention Center

    HOW: Winners will be posted on the onsite Networkers Website; four winners per day

    http://www.networkers04.com/desktop
    87/96

    Thanks for your time.

    Q & A

    Eval - http://www.networkers04.com/desktop
    89/96

    BACK UP SLIDES

    90/96

    Scenario 1: Back-to-back VRF, Control Plane

    (Diagram.) VRF-to-VRF connectivity between ASBRs: CE-2 (VPN-B, network 10.1.1.0/24) - PE-1 - ASBR-1 - ASBR-2 - PE-2 - CE-3 (VPN-B). Advertisements as printed on the slide:

    CE-2 to PE-1 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=CE-2
    VPNv4 update: RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=29
    ASBR-1 VPN-B VRF: import routes with route-target 1:1
    On the ASBR-1 to ASBR-2 link (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=ASBR-2
    VPNv4 update: RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=92
    PE-2 VPN-B VRF: import routes with route-target 1:1
    PE-2 to CE-3 (BGP, OSPF or RIPv2): 10.1.1.0/24, NH=PE-2

    91/96

    Forwarding Plane

    (Diagram.) CE-2 (VPN-B, 10.1.1.0/24) - PE-1 - P1 - ASBR-1 - ASBR-2 - P2 - PE-2 - CE-3 (VPN-B). IP packets between the ASBRs. Label stacks printed for a packet to 10.1.1.1: 10.1.1.1 | 29 | 30; 10.1.1.1 | 92 | 20; 10.1.1.1 | 92; and plain 10.1.1.1 on the CE links and between the ASBRs.

    Cons: Not scalable; the number of interfaces on both ASBRs is directly proportional to the number of VRFs. No end-to-end MPLS. Unnecessary memory consumed in the RIB/(L)FIB. Dual-homing of the ASBRs makes provisioning worse.

    Pros: Per-customer QoS is possible. It is simple and elegant since there is no need to load the Inter-AS code (but still not widely deployed).

    92/96

    Cisco IOS Configuration, Scenario 1: Back-to-Back VRF between ASBRs

    (Diagram.) VPN-A CE-1 - PE1 - ASBR1 - (1.1.1.0/30) - ASBR2 - PE2 - CE-2 VPN-A, with AS #1 on the left and AS #2 on the right. VRF routes are exchanged between the ASBRs via any routing protocol.

    Note: the ASBR must already have an MP-iBGP session with its iBGP neighbors, such as RRs or PEs.

    ASBR VRF and BGP config:

    ip vrf green
     rd 1:1
     route-target both 1:1
    !
    router bgp x
     address-family ipv4 vrf green
      neighbor 1.1.1.x remote-as y
      neighbor 1.1.1.x activate
    ! x and 1.1.1.x are the slide's placeholders; y stands for the peer ASBR's AS number.
    ! The remote-as line is not on the slide but is required before the VRF neighbor can be activated.

    93/96

    IOS Configuration, Scenario 2.5: Multi-Hop MP-eBGP for VPNv4

    (Diagram.) VPN-A CE-1 - PE1 - ASBR1 - ASBR2 - PE2 - CE-2 VPN-A, AS #1 and AS #2; IGP & LDP on the ASBR1-ASBR2 link (serial 0 on each side) and a multi-hop MP-eBGP session for VPNv4 between the ASBRs.

    interface serial 0
     ip address 1.1.1.x 255.255.255.252
     mpls ip
     mpls label protocol ldp
    !
    router bgp x
     no bgp default route-target filter
     neighbor <ASBR-x> remote-as x
     neighbor <ASBR-x> update-source loopback0
     neighbor <ASBR-x> ebgp-multihop
     !
     address-family vpnv4
      neighbor <ASBR-x> activate
      neighbor <ASBR-x> send-community extended
    ! <ASBR-x> and x are the slide's placeholders; mpls ip is added here because LDP is only run on an interface that has it.

    Multi-hop MP-BGP session between the ASBRs

    Scenario 2.5: Multi-Hop MP-eBGP for VPNv4

    94/96

    Scenario 4: Non-VPN Transit Provider

    Two MPLS VPN providers may exchange routes via one or more transit providers,

    which may be non-VPN transit backbones just running MPLS.

    Multihop MP-eBGP is deployed between the edge providers,

    with the exchange of BGP next-hops via the transit provider.

    95/96

    Option 4: Non-VPN Transit Provider

    (Diagram.) MPLS VPN Provider #1 (PE1, RR-1, ASBR-1, with CE-2 in VPN-B) and MPLS VPN Provider #2 (PE2, RR-2, ASBR-2, with CE-3 in VPN-B) connected through a Non-VPN MPLS Transit Backbone (ASBR-3, ASBR-4). Labelled links: eBGP IPv4 + Labels between each provider's ASBR and the transit backbone; iBGP IPv4 + Labels inside each provider; multihop MP-eBGP OR MP-iBGP for VPNv4 between the providers, with next-hop-unchanged.

    96/96

    Route-Target rewrite at ASBR

    The ASBR can add/delete the route-targets associated with a VPNv4 prefix

    Secures the VPN environment

    ASBR(conf)#router bgp 1000
    ASBR(conf-router)#neighbor 1.1.1.1 route-map route-target-deletion out
    ASBR(conf-router)#exit
    ASBR(conf)#route-map route-target-deletion permit 10
    ASBR(conf-route-map)#match extcommunity 101
    ASBR(conf-route-map)#set extcomm-list 101 delete
    ASBR(conf-route-map)#set extcommunity rt 123:123 additive
    ASBR(conf-route-map)#exit
    ASBR(conf)#route-map route-target-deletion permit 20

    The same route-map name must be used in the neighbor statement and in the route-map definition. Extended community list 101 (ip extcommunity-list 101 ...) holds the route-targets to strip and must be defined separately. The second sequence (permit 20) is needed so that updates that do not match list 101 are still advertised; a route-map whose only sequence has a match clause implicitly denies everything else.
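    The route-map above, modelled in a few lines added by the editor (not code from the deck or from IOS), to show what the ASBR sends after the rewrite and why a second permit sequence matters. The contents of extended community list 101 and the sample VPNv4 updates are constructed for this example; only the match, delete and additive-add steps come from the slide.

```python
# Constructed values: the contents of extended-community list 101 and the
# sample updates are this example's own; the route-map logic (match 101,
# delete the list-101 communities, add 123:123 additive) follows the slide.
EXTCOMM_LIST_101 = {"rt:1:1", "rt:1:2"}   # route-targets the ASBR refuses to pass through
ADDED_RT = "rt:123:123"


def seq10_match(update):
    """match extcommunity 101: true when any RT on the update is in list 101."""
    return bool(update["ext"] & EXTCOMM_LIST_101)


def seq10_set(update):
    """set extcomm-list 101 delete, then set extcommunity rt 123:123 additive."""
    rewritten = dict(update)
    rewritten["ext"] = (update["ext"] - EXTCOMM_LIST_101) | {ADDED_RT}
    return rewritten


# A route-map is an ordered list of (match, set) sequences; IOS drops any
# update that matches no sequence, so a map with only sequence 10 filters
# everything else that leaves towards the neighbor.
ROUTE_MAP_AS_ON_SLIDE = [(seq10_match, seq10_set)]
ROUTE_MAP_WITH_PERMIT_ALL = ROUTE_MAP_AS_ON_SLIDE + [(lambda u: True, lambda u: u)]


def apply_route_map(update, route_map):
    """Return the update as the first matching sequence leaves it, or None (implicit deny)."""
    for match, set_action in route_map:
        if match(update):
            return set_action(update)
    return None


def rewrite_outbound(updates, route_map=ROUTE_MAP_AS_ON_SLIDE):
    """Apply the outbound route-map to every VPNv4 update; denied ones are omitted."""
    return [r for r in (apply_route_map(u, route_map) for u in updates) if r is not None]


# Constructed sample VPNv4 updates leaving the ASBR towards neighbor 1.1.1.1.
SAMPLE_UPDATES = [
    {"prefix": "10.1.1.0/24", "rd": "1:27", "ext": {"rt:1:1", "rt:1:5"}},
    {"prefix": "10.2.2.0/24", "rd": "1:28", "ext": {"rt:2:2"}},
]
```

With the slide's single sequence only the first update is advertised (with rt:1:1 removed and rt:123:123 added); with the extra permit-all sequence the second update passes through untouched.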