
MPLS VPN TOI (© 2001, Cisco Systems, Inc.)





Slide 2: Agenda (TOI-VPN, eosborne, © 2001, Cisco Systems, Inc.)
- How MPLS VPN works
- What code is MPLS VPN in?
- Platform issues in implementation
- Lab demo: config

Slide 3: How MPLS-VPN Works
- Concepts and goals
- Terminology
- Connection model
- Forwarding
- Mechanisms
- Topologies
- Scaling
- Configuration

Slide 4: MPLS-VPN: What is a VPN?
- An IP network infrastructure delivering private network services over a public infrastructure
- Uses a layer 3 backbone
- Scalability, easy provisioning
- Global as well as non-unique private address space
- QoS
- Controlled access
- Easy configuration for customers

Slide 5: VPN Models: the overlay model
- Private trunks over a telco/SP shared infrastructure: leased/dial-up lines, FR/ATM circuits, IP (GRE) tunnelling
- Transparency between provider and customer networks
- Optimal routing requires a full mesh over the backbone

Slide 6: VPN Models: the peer model
- Both provider and customer network use the same network protocol
- CE and PE routers have a routing adjacency at each site
- All provider routers hold the full routing information about all customer networks
- Private addresses are not allowed
- May use the virtual router capability: multiple routing and forwarding tables based on customer networks

Slide 7: VPN Models: MPLS-VPN, the true peer model
- Same as the peer model, BUT!!!
- Provider Edge routers receive and hold routing information only about the VPNs directly connected to them
- This reduces the amount of routing information a PE router will store: routing information is proportional to the number of VPNs a router is attached to
- MPLS is used within the backbone to switch packets (no need for full routing in the core)


Slide 9: MPLS-VPN Terminology
- Provider Network (P-Network): the backbone under control of a Service Provider
- Customer Network (C-Network): network under customer control
- CE router: Customer Edge router. Part of the C-network; interfaces to a PE router

Slide 10: MPLS-VPN Terminology
- Site: set of (sub)networks that are part of the C-network and co-located. A site is connected to the VPN backbone through one or more PE/CE links
- PE router: Provider Edge router. Part of the P-network; interfaces to CE routers
- P router: Provider (core) router, without knowledge of VPNs

Slide 11: MPLS-VPN Terminology
- Border router: Provider Edge router interfacing to other provider networks
- Extended Community: BGP attribute used to identify a Route-origin or a Route-target
- Site of Origin identifier (SOO): 64 bits identifying the routers where the route has been originated

Slide 12: MPLS-VPN Terminology
- Route-Target: 64 bits identifying the routers that should receive the route
- Route Distinguisher: attribute of each route used to uniquely identify prefixes among VPNs (64 bits). VRF based (not VPN based)
- VPN-IPv4 address: address made of the 64-bit Route Distinguisher and the 32-bit IP address

Slide 13: MPLS-VPN Terminology
- VRF: VPN Routing and Forwarding instance. A routing table and a FIB table, populated by routing protocol contexts
- VPN-aware network: a provider backbone where MPLS-VPN is deployed


Slide 15: MPLS VPN Connection Model
- A VPN is a collection of sites sharing common routing information (a routing table)
- A site can be part of different VPNs
- A VPN has to be seen as a community of interest (or Closed User Group)
- Multiple Routing/Forwarding instances (VRFs) on PE routers

Slide 16: MPLS VPN Connection Model
- A site belonging to different VPNs may or MAY NOT be used as a transit point between those VPNs
- If two or more VPNs have a common site, the address space must be unique among these VPNs
Diagram: Site-1 to Site-4 grouped into the overlapping VPN-A, VPN-B and VPN-C.

Slide 17: MPLS VPN Connection Model
- The VPN backbone is composed of MPLS LSRs: PE routers (edge LSRs) and P routers (core LSRs)
- PE routers face CE routers and distribute VPN information to other PE routers through MP-BGP: VPN-IPv4 addresses, Extended Community, Label
- P routers do not run BGP and do not have any VPN knowledge

Slide 18: MPLS VPN Connection Model
Diagram: VPN_A and VPN_B CEs attached to PEs around a core of P routers, with iBGP sessions between the PEs.
- P routers (LSRs) are in the core of the MPLS cloud
- PE routers use MPLS with the core and plain IP with CE routers
- P and PE routers share a common IGP
- PE routers are MP-iBGP fully meshed

Slide 19: MPLS VPN Connection Model
- PE and CE routers exchange routing information through EBGP, OSPF, RIPv2 or static routing
- CE routers run standard routing software
Diagram: one PE connected to the CEs of Site-1 and Site-2 over EBGP/OSPF/RIPv2/static.

Slide 20: MPLS VPN Connection Model
- PE routers maintain separate routing tables:
  - The global routing table, with all PE and P routes, populated by the VPN backbone IGP (ISIS or OSPF)
  - VRF (VPN Routing and Forwarding): a routing and forwarding table associated with one or more directly connected sites (CEs)
- VRFs are associated with (sub/virtual/tunnel) interfaces
- Interfaces may share the same VRF if the connected sites may share the same routing information
Diagram: PE with Site-1 and Site-2 CEs (EBGP/OSPF/RIPv2/static) and the VPN backbone IGP (OSPF, ISIS).

Slide 21: MPLS VPN Connection Model
- Different sites sharing the same routing information may share the same VRF
- Interfaces connecting these sites will use the same VRF
- Sites belonging to the same VPN may share the same VRF

Slide 22: MPLS VPN Connection Model
- The routes the PE receives from CE routers are installed in the appropriate VRF
- The routes the PE receives through the backbone IGP are installed in the global routing table
- By using separate VRFs, addresses need NOT be unique among VPNs

Slide 23: MPLS VPN Connection Model
- The global routing table is populated by IGP protocols. In PE routers it may also contain the BGP Internet routes (standard BGP-4 routes)
- BGP-4 (IPv4) routes go into the global routing table
- MP-BGP (VPN-IPv4) routes go into VRFs

Slide 24: MPLS VPN Connection Model
Diagram: two PEs with an iBGP session across the P routers of the VPN backbone IGP.
- PE and P routers share a common IGP (ISIS or OSPF)
- PEs establish MP-iBGP sessions between them
- PEs use MP-BGP to exchange routing information related to the connected sites and VPNs: VPN-IPv4 addresses, Extended Community, Label

Slide 25: MPLS VPN Connection Model: MP-BGP Update
- VPN-IPv4 address:
  - Route Distinguisher (64 bits): makes the IPv4 route globally unique. The RD is configured in the PE for each VRF; it may or may not be related to a site or a VPN
  - IPv4 address (32 bits)
- Extended Community attribute (64 bits):
  - Site of Origin (SOO): identifies the originating site
  - Route-target (RT): identifies the set of sites the route has to be advertised to

Slide 26: MPLS VPN Connection Model: MP-BGP Update
- Any other standard BGP attribute: Local Preference, MED, Next-hop, AS_PATH, standard Community...
- A label identifying either the outgoing interface or the VRF where a lookup has to be done (aggregate label)
- The BGP label will be the second label in the label stack of packets travelling in the core

Slide 27: MPLS VPN Connection Model: MP-BGP Update, extended community
- BGP extended community attribute: structured, to support multiple applications; 64 bits for increased range
- General form: <type>:<value>, where <type> is either a registered AS number (<ASN>:<nn>) or a registered IP address (<IP address>:<nn>)

Slide 28: MPLS VPN Connection Model: MP-BGP Update, extended community
- The Extended Community is used to:
  - identify one or more routers where the route has been originated (the site): Site of Origin (SOO)
  - select the sites which should receive the route: Route-Target

Slide 29: MPLS VPN Connection Model: MP-BGP Update
- The label can be assigned only by the router whose address is in the Next-Hop attribute
- PE routers rewrite the Next-Hop with their own address (loopback interface address): the "next-hop-self" BGP command towards iBGP neighbors
- Loopback addresses are advertised into the backbone IGP
- PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP: no summarisation of loopback addresses in the core
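The fields of the MP-BGP update on the slides above (RD, route-target, SOO, label, VPN-IPv4 prefix) have fixed byte layouts. The encoder/decoder below is an added example, not Cisco code; it follows the public formats (RFC 4360 extended communities, RFC 3107 labelled NLRI as used by RFC 2547), and all RD, RT and prefix values in it are constructed.

```python
"""Byte encoding of the MP-BGP fields on the previous slides.

Added example; layouts follow RFC 4360 (extended communities) and
RFC 3107 / RFC 2547 (labelled VPN-IPv4 NLRI). Values are constructed.
"""
import ipaddress
import struct

# Extended community = 1 byte type, 1 byte sub-type, 6 bytes value.
# Type 0x00: two-octet AS specific; type 0x01: IPv4 address specific.
SUBTYPE = {"route-target": 0x02, "site-of-origin": 0x03}


def encode_rd(text: str) -> bytes:
    """'ASN:nn' -> type-0 RD, 'A.B.C.D:nn' -> type-1 RD (8 bytes each)."""
    admin, num = text.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed,
                           int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))


def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd for RD types 0 and 1."""
    kind = struct.unpack("!H", raw[:2])[0]
    if kind == 0:
        asn, num = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{num}"
    if kind == 1:
        ip, num = struct.unpack("!4sH", raw[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    raise ValueError(f"unsupported RD type {kind}")


def encode_ext_community(role: str, text: str) -> bytes:
    """Route-target or site-of-origin in 'ASN:nn' / 'A.B.C.D:nn' form."""
    admin, num = text.split(":")
    sub = SUBTYPE[role]
    if "." in admin:
        return struct.pack("!BB4sH", 0x01, sub,
                           ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!BBHI", 0x00, sub, int(admin), int(num))


def decode_ext_community(raw: bytes) -> tuple:
    """-> (role, 'admin:nn'); rejects anything that is not an RT or SOO."""
    kind, sub = raw[0], raw[1]
    role = {v: k for k, v in SUBTYPE.items()}.get(sub)
    if role is None or kind not in (0x00, 0x01):
        raise ValueError(f"not an RT/SOO community: type {kind:#x}/{sub:#x}")
    if kind == 0x00:
        asn, num = struct.unpack("!HI", raw[2:8])
        return role, f"{asn}:{num}"
    ip, num = struct.unpack("!4sH", raw[2:8])
    return role, f"{ipaddress.IPv4Address(ip)}:{num}"


def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """Labelled VPN-IPv4 NLRI: len(bits) | label (3 B, BoS=1) | RD | prefix."""
    net = ipaddress.IPv4Network(prefix)
    plen = net.prefixlen
    prefix_bytes = net.network_address.packed[:(plen + 7) // 8]
    label_field = (label << 4) | 0x1          # 20-bit label, EXP=0, S=1
    body = label_field.to_bytes(3, "big") + encode_rd(rd) + prefix_bytes
    # The length byte counts label + RD + prefix bits: 24 + 64 + plen.
    return bytes([24 + 64 + plen]) + body


def decode_vpnv4_nlri(raw: bytes) -> dict:
    """Inverse of encode_vpnv4_nlri; the VPN-IPv4 address is RD + prefix."""
    plen = raw[0] - 24 - 64
    label_field = int.from_bytes(raw[1:4], "big")
    rd = decode_rd(raw[4:12])
    pfx = raw[12:12 + (plen + 7) // 8].ljust(4, b"\x00")
    return {"label": label_field >> 4, "bos": label_field & 1, "rd": rd,
            "prefix": f"{ipaddress.IPv4Address(pfx)}/{plen}"}


if __name__ == "__main__":
    # The update from the slides (RD:Net1, RT=Green, SOO=Site1) made concrete.
    nlri = encode_vpnv4_nlri(17, "100:1", "10.1.0.0/16")
    print(nlri.hex(), decode_vpnv4_nlri(nlri))
    print(encode_ext_community("route-target", "100:1").hex())
    print(encode_ext_community("site-of-origin", "192.0.2.1:7").hex())
```

Note that the RD only makes the prefix unique inside the backbone; which VRFs receive it is decided solely by the route-target, so RT import policy, not the RD, is what keeps customers apart.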

Slide 30: MPLS VPN Connection Model
Diagram: CE-1 (Site-1) - PE-1 - VPN backbone IGP (P routers) - PE-2 - CE-2 (Site-2).
- PE routers receive IPv4 updates (EBGP, RIPv2, static)
- PE routers translate them into VPN-IPv4: assign a SOO and an RT based on configuration; rewrite the Next-Hop attribute; assign a label based on the VRF and/or the interface
- PE routers send the MP-iBGP update to all PE neighbors
- In the diagram: CE-1 sends a BGP/RIPv2 update for Net1 with Next-Hop=CE-1; PE-1 sends the VPN-IPv4 update RD:Net1, Next-hop=PE-1, SOO=Site1, RT=Green, Label=(intCE1); at PE-2 the VPN-IPv4 update is translated back into the IPv4 address Net1, put into VRF green since RT=Green, and advertised to CE-2

Slide 31: MPLS VPN Connection Model (same diagram as slide 30)
- Receiving PEs translate the update back to IPv4
- They insert the route into the VRF identified by the RT attribute (based on PE configuration)
- The label associated with the VPN-IPv4 address will be set on packets forwarded towards the destination

Slide 32: MPLS VPN Connection Model
- Route distribution to sites is driven by the Site of Origin (SOO) and Route-target attributes (BGP Extended Community attribute)
- A route is installed in the site VRF corresponding to the Route-target attribute, as driven by PE configuration
- A PE which connects sites belonging to multiple VPNs will install the route into a site VRF if the Route-target attribute contains one or more of the VPNs to which that site is associated


Slide 34: MPLS Forwarding: packet forwarding
- PE and P routers have BGP next-hop reachability through the backbone IGP
- Labels corresponding to the BGP Next-Hops are distributed through LDP (hop by hop)
- A label stack is used for packet forwarding: the top label indicates the BGP Next-Hop (interior label); the second-level label indicates the outgoing interface or VRF (exterior label)

Slide 35: MPLS Forwarding: packet forwarding
- MPLS nodes forward packets based on the top label
- P routers do not have BGP (nor VPN) knowledge: no VPN routing information, no Internet routing information

Slide 36: MPLS Forwarding: penultimate hop popping
- The upstream LDP peer of the BGP next-hop (the PE router) pops the first-level label: the penultimate hop pops the label, as requested through LDP
- The egress PE router forwards the packet based on the second-level label, which gives the outgoing interface (and VPN)

Slide 37: MPLS Forwarding: penultimate hop popping, walk-through
Diagram: CE1 - PE1 - P1 - P2 - PE2 - CE2/CE3.
1. PE1 receives an IP packet. The lookup is done in the site VRF; a BGP route with Next-Hop and Label is found; the BGP next-hop (PE2) is reachable through an IGP route with an associated label. Packet on the wire: IGP label (PE2) | VPN label | IP packet
2. P routers switch the packet based on the IGP label (the label on top of the stack)
3. Penultimate hop popping: P2 is the penultimate hop for the BGP next-hop, so P2 removes the top label; this was requested through LDP by PE2. Packet on the wire: VPN label | IP packet
4. PE2 receives the packet with the label corresponding to the outgoing interface (VRF). One single lookup; the label is popped and the packet is sent to the IP neighbor (CE)

Slide 38: MPLS VPN Forwarding
Diagram: VPN_A and VPN_B CEs on PE1/PE2 across the P core, with per-router label tables (T1..TB) and iBGP next hops.
- The ingress PE receives normal IP packets from the CE router
- The PE router does an "IP longest match" in the VPN_B FIB, finds iBGP next hop PE2 and imposes a stack of labels: exterior label T2 + interior label T8 (Data | T8 | T2)

Slide 39: MPLS VPN Forwarding (same diagram as slide 38)
- All subsequent P routers switch the packet solely on the interior label
- The egress PE router removes the interior label
- The egress PE uses the exterior label to select which VPN/CE to forward the packet to
- The exterior label is removed and the packet is routed to the CE router
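The forwarding slides above can be traced hop by hop in code. This is an added example on a constructed topology (CE1 - PE1 - P1 - P2 - PE2 - CE2/CE3), not the deck's lab; the labels, prefixes and table contents are made up, and two VPNs deliberately reuse the same prefix to show that the VRF chosen at the ingress PE, and the VPN label it yields, are what separate them.

```python
"""Hop-by-hop trace of one packet through an MPLS VPN backbone.

Added example on a constructed topology CE1 - PE1 - P1 - P2 - PE2 - CE2/CE3;
labels and prefixes are made up. The steps are the ones on the forwarding
slides: VRF lookup at the ingress PE, switching on the interior label in
the core, penultimate-hop popping, VPN-label lookup at the egress PE.
"""
import ipaddress

IMPLICIT_NULL = 3   # label value LDP uses to request PHP (RFC 3032)


def longest_match(fib: dict, dst: str):
    """Longest-prefix match over {prefix: entry}; None if nothing matches."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, entry in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    return None if best is None else best[1]


class Node:
    """A router; only the tables its role needs are populated."""
    def __init__(self, name, vrf_fib=None, igp_labels=None, lfib=None):
        self.name = name
        self.vrf_fib = vrf_fib or {}        # {vrf: {prefix: (vpn_label, bgp_nh)}}
        self.igp_labels = igp_labels or {}  # {bgp_nh: (igp_label, next node)}
        self.lfib = lfib or {}              # {in_label: action}, see label_switch


def ingress(pe: Node, vrf: str, dst: str):
    """IP lookup in the site VRF, then push [interior, exterior] labels."""
    route = longest_match(pe.vrf_fib.get(vrf, {}), dst)
    if route is None:            # no route in *this* VRF: other VPNs are invisible
        return None, [], f"{pe.name}: {dst} not in VRF {vrf}, dropped"
    vpn_label, nh = route
    igp_label, nxt = pe.igp_labels[nh]
    # A directly adjacent next hop advertises implicit null: push VPN label only.
    stack = [vpn_label] if igp_label == IMPLICIT_NULL else [igp_label, vpn_label]
    return nxt, stack, f"{pe.name}: VRF {vrf} -> NH {nh}, push {stack}"


def label_switch(node: Node, stack: list):
    """P routers and the egress PE act on the top label only; IP is not read."""
    action = node.lfib.get(stack[0])
    if action is None:
        return None, stack, f"{node.name}: unknown label {stack[0]}, dropped"
    if action[0] == "swap":
        _, out_label, nxt = action
        return nxt, [out_label] + stack[1:], f"{node.name}: swap {stack[0]}->{out_label}"
    if action[0] == "pop":       # penultimate hop: remove the interior label
        _, nxt = action
        return nxt, stack[1:], f"{node.name}: PHP, pop {stack[0]}, stack {stack[1:]}"
    _, vrf, nxt = action         # egress PE: exterior label selects VRF/interface
    return nxt, stack[1:], f"{node.name}: VPN label {stack[0]} -> VRF {vrf}, to {nxt}"


def trace(nodes: dict, ingress_pe: str, vrf: str, dst: str):
    """Walk the packet from the ingress PE; returns (delivered to, trace lines)."""
    node, stack, line = ingress(nodes[ingress_pe], vrf, dst)
    lines = [line]
    while node is not None and stack:
        node, stack, line = label_switch(nodes[node], stack)
        lines.append(line)
    return node, lines


# VPN_A and VPN_B reuse 10.2.0.0/16: the VRF chosen at ingress, and the
# VPN label it yields, are what keep the two customers apart.
NODES = {
    "PE1": Node("PE1",
                vrf_fib={"VPN_A": {"10.2.0.0/16": (41, "PE2")},
                         "VPN_B": {"10.2.0.0/16": (42, "PE2")}},
                igp_labels={"PE2": (18, "P1")}),
    "P1": Node("P1", lfib={18: ("swap", 21, "P2")}),
    "P2": Node("P2", lfib={21: ("pop", "PE2")}),        # PHP requested by PE2
    "PE2": Node("PE2", lfib={41: ("vrf", "VPN_A", "CE2"),
                             42: ("vrf", "VPN_B", "CE3")}),
}

if __name__ == "__main__":
    for vrf in ("VPN_A", "VPN_B", "VPN_C"):
        delivered, lines = trace(NODES, "PE1", vrf, "10.2.5.9")
        print("\n".join(lines), "\n  -> delivered to", delivered, "\n")
```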


Slide 41: MPLS VPN mechanisms: VRF and multiple routing instances
- VRF: VPN Routing and Forwarding instance
- VRF routing protocol context
- VRF routing tables
- VRF CEF forwarding tables

Slide 42: MPLS VPN mechanisms: VRF and multiple routing instances
- VPN-aware routing protocols select/install routes in the appropriate routing table
- Per-instance router variables, but not necessarily per-instance routing processes
- eBGP, OSPF, RIPv2, static

Slide 43: MPLS VPN mechanisms: VRF and multiple routing instances
- A VRF routing table contains the routes which should be available to a particular set of sites
- Analogous to the standard IOS routing table; supports the same set of mechanisms
- Interfaces (sites) are assigned to VRFs: one VRF per interface (sub-interface, tunnel or virtual-template); possibly many interfaces per VRF

Slide 44: MPLS VPN mechanisms: VRF and multiple routing instances
Diagram: routing processes (Static, BGP, RIP) -> routing contexts -> VRF routing tables -> VRF forwarding tables.
- Routing processes run within specific routing contexts
- They populate specific VPN routing tables and FIBs (VRFs)
- Interfaces are assigned to VRFs

Slide 45: MPLS VPN mechanisms: VRF and multiple routing instances
Diagram, logical view: Site-1 to Site-4 grouped into VPN-A, VPN-B and VPN-C; PEs with multihop MP-iBGP across the P routers.
Routing view:
- VRF for site-1: Site-1 routes, Site-2 routes
- VRF for site-2: Site-1 routes, Site-2 routes, Site-3 routes
- VRF for site-3: Site-2 routes, Site-3 routes, Site-4 routes
- VRF for site-4: Site-3 routes, Site-4 routes

Slide 46: Agenda
- Concepts and goals
- Terminology
- Connection model
- Forwarding
- Mechanisms
- Topologies
- Scaling: BGP-4 enhancements (capability negotiation, MPLS, route refresh, ORF)
- Configuration

Slide 47: MPLS VPN Topologies
Diagram: VPN_A and VPN_B CEs attached to PEs around the P core, with iBGP sessions between the PEs.
- VPN-IPv4 addresses are propagated together with the associated label in the BGP multiprotocol extension
- An Extended Community attribute (route-target) is associated with each VPN-IPv4 address, to populate the site VRF

Slide 48: MPLS VPN Topologies: VPN sites with optimal intra-VPN routing
- Each site has full routing knowledge of all other sites (of the same VPN)
- Each CE announces its own address space
- MP-BGP VPN-IPv4 updates are propagated between PEs
- Routing is optimal in the backbone: each route has the BGP Next-Hop closest to the destination; no site is used as a central point for connectivity

Slide 49: MPLS VPN Topologies: VPN sites with optimal intra-VPN routing
Diagram: Site-1 (N1, CE1, PE1), Site-2 (N2, CE2, PE2), Site-3 (N3, CE3, PE3); PE/CE routing is EBGP/RIP/static.
VPN-IPv4 updates exchanged between PEs:
- RD:N1, NH=PE1, Label=IntCE1, RT=Blue
- RD:N2, NH=PE2, Label=IntCE2, RT=Blue
- RD:N3, NH=PE3, Label=IntCE3, RT=Blue
Resulting tables:
- VRF for site-1: N1 NH=CE1, N2 NH=PE2, N3 NH=PE3. Routing table on CE1: N1 local, N2 via PE1, N3 via PE1
- VRF for site-2: N1 NH=PE1, N2 NH=CE2, N3 NH=PE3. Routing table on CE2: N1 via PE2, N2 local, N3 via PE2
- VRF for site-3: N1 NH=PE1, N2 NH=PE2, N3 NH=CE3. Routing table on CE3: N1 via PE3, N2 via PE3, N3 local

Slide 50: MPLS VPN Topologies: VPN sites with hub & spoke routing
- One central site has full routing knowledge of all other sites (of the same VPN): the hub site
- The other sites send traffic to the hub site for any destination: the spoke sites
- The hub site is the central transit point between spoke sites
- Central services are used at the hub site

Slide 51: MPLS VPN Topologies: VPN sites with hub & spoke routing
Diagram: spoke Site-1 (N1, CE1, PE1), spoke Site-2 (N2, CE2, PE2), hub Site-3 (N3) attached to PE3 through CE3-Hub and CE3-Spoke; PE/CE routing is BGP/RIPv2.
- PE3 uses two (sub)interfaces with two different VRFs:
  - IntCE3-Hub VRF (import RT=Hub): N1 NH=PE1, N2 NH=PE2
  - IntCE3-Spoke VRF (export RT=Spoke): N1, N2 and N3, all NH=CE3-Spoke
- VPN-IPv4 updates advertised by PE3: RD:N1, RD:N2 and RD:N3, each with NH=PE3, Label=IntCE3-Spoke, RT=Spoke
- VPN-IPv4 update advertised by PE1: RD:N1, NH=PE1, Label=IntCE1, RT=Hub
- VPN-IPv4 update advertised by PE2: RD:N2, NH=PE2, Label=IntCE2, RT=Hub
- IntCE1 VRF (import RT=Spoke, export RT=Hub): N1 NH=CE1 (exported), N2 NH=PE3 (imported), N3 NH=PE3 (imported)
- IntCE2 VRF (import RT=Spoke, export RT=Hub): N1 NH=PE3 (imported), N2 NH=CE2 (exported), N3 NH=PE3 (imported)
- Routes are imported into and exported from VRFs based on the RT value of the VPN-IPv4 updates

Slide 52: MPLS VPN Topologies: VPN sites with hub & spoke routing (same diagram as slide 51)
- Traffic from one spoke to another travels across the hub site
- The hub site may host central services: security, NAT, centralised Internet access

Slide 53: MPLS VPN Topologies: VPN sites with hub & spoke routing
- If the PE and the hub site use BGP, the PE should not check the received AS_PATH: the update the hub site advertises contains the VPN backbone AS number, so the AS_PATH check is disabled by configuration
- Routing loops are detected through the SOO attribute
- PE and CE routers may use RIPv2 and/or static routing instead

Slide 54: MPLS VPN Internet Routing
- In a VPN, sites may need to have Internet connectivity
- Connectivity to the Internet means being able to reach Internet destinations and being reachable from any Internet source
- Security mechanisms MUST be used, as in ANY other kind of Internet connectivity

Slide 55: MPLS VPN Internet Routing
- The Internet routing table is treated separately
- In the VPN backbone the Internet routes are in the global routing table of the PE routers
- Labels are not assigned to external (BGP) routes
- P routers need not (and will not) run BGP

Slide 56: MPLS VPN Internet routing: VRF-specific default route
- A default route is installed into the site VRF, pointing to an Internet gateway
- The default route is NOT part of any VPN
- A single label is used for packets forwarded according to the default route: the IGP label corresponding to the IP address of the Internet gateway, which is known in the IGP

Slide 57: MPLS VPN Internet routing: VRF-specific default route
- The PE router originates the CE routes towards the Internet
- Customer (site) routes are known in the site VRF, not in the global table
- The PE/CE interface is NOT known in the global table. However, a static route for the customer routes, pointing to the PE/CE interface, is installed in the global table; this static route is redistributed into the BGP-4 global table and advertised to the Internet gateway
- The Internet gateway therefore knows the customer routes, with the PE address as next-hop

Slide 58: MPLS VPN Internet routing: VRF-specific default route
- The Internet gateway specified in the default route (in the VRF) need NOT be directly connected
- Different Internet gateways can be used for different VRFs
- Using a default route for Internet routing does NOT allow any other default route for intra-VPN routing (as in any other routing scheme)

Slide 59: MPLS VPN Internet routing: VRF-specific default route
Diagram: PE with Site-1 and Site-2 attached (Site-2 network /16 on Serial0), BGP-4 to the Internet gateway PE-IG, MP-BGP to the other PEs.
PE configuration as shown on the slide (IP addresses and masks were not preserved in the transcript):
  ip vrf VPN-A
   rd 100:1
   route-target both 100:1
  !
  interface Serial0
   ip address
   ip vrf forwarding VPN-A
  !
  router bgp 100
   no bgp default ipv4-unicast
   network mask
   neighbor remote-as 100
   neighbor activate
   neighbor next-hop-self
   neighbor update-source loopback0
   !
   address-family ipv4 vrf VPN-A
    neighbor remote-as
    neighbor activate
   exit-address-family
   !
   address-family vpnv4
    neighbor activate
   exit-address-family
  !
  ip route Serial0
  ip route vrf VPN-A global

Slide 60: MPLS VPN Internet routing: VRF-specific default route (same diagram as slide 59)
- Site-2 VRF: Site-1 routes, Site-2 routes, and the default route pointing into the global table
- Global table and LFIB: the /32 PE loopback entries with their labels (the values were not preserved in the transcript)
- An IP packet from Site-2 with D=cisco.com leaves the PE with a single label (Label = 3 in the diagram) towards the Internet gateway

Slide 61: MPLS VPN Internet routing: VRF-specific default route
- PE routers need not hold the Internet table
- PE routers use BGP-4 sessions to originate the customer routes
- Packet forwarding is done with a single label identifying the Internet gateway IP address (more labels if Traffic Engineering is used)

Slide 62: MPLS VPN Internet Routing: separate (sub)interfaces
- If the CE wishes to receive and announce routes from/to the Internet, a dedicated BGP session is used over a separate (sub)interface
- The PE imports the CE routes into the global routing table and advertises them to the Internet
- The interface is not part of any VPN and does not use any VRF
- A default route or the Internet routes are exported to the CE
- The PE needs to have the Internet routing table

Slide 63: MPLS VPN Internet Routing: separate (sub)interfaces
- The PE uses separate (sub)interfaces with the CE:
  - one (sub)interface for VPN routing, associated with a VRF (can be a tunnel interface)
  - one (sub)interface for Internet routing, associated with the global routing table

Slide 64: MPLS VPN Internet Routing: separate (sub)interfaces
Diagram: PE with Site-1 and Site-2 attached (Site-2 network /16 on Serial0), BGP-4 to PE-IG, MP-BGP to the other PEs, and a second BGP-4 session to the CE over Serial0.2.
PE configuration as shown on the slide (IP addresses were not preserved in the transcript):
  ip vrf VPN-A
   rd 100:1
   route-target both 100:1
  !
  interface Serial0
   no ip address
  !
  interface Serial0.1
   ip address
   ip vrf forwarding VPN-A
  !
  interface Serial0.2
   ip address
  !
  router bgp 100
   no bgp default ipv4-unicast
   neighbor remote-as 100
   neighbor activate
   neighbor next-hop-self
   neighbor update-source loopback0
   neighbor remote-as 502
   !
   address-family ipv4 vrf VPN-A
    neighbor remote-as 502
    neighbor activate
   exit-address-family
   !
   address-family vpnv4
    neighbor activate
   exit-address-family

Slide 65: MPLS VPN Internet Routing: separate (sub)interfaces (same diagram as slide 64)
- CE routing table: Site-2 routes -> Serial0.1; Internet routes -> Serial0.2
- PE global table: Internet routes -> PE-IG, Label = 3
- An IP packet with D=cisco.com arrives from the CE on Serial0.2 and leaves the PE with Label = 3 towards the Internet gateway


Slide 67: Scaling
- Existing BGP techniques can be used to scale the route distribution: route reflectors
- Each edge router needs only the information for the VPNs it supports (directly connected VPNs)
- RRs are used to distribute VPN routing information

Slide 68: Scaling
- Very highly scalable: the initial VPN release supports 1000 VPNs x 1000 sites/VPN = 1,000,000 sites; the architecture supports 100,000+ VPNs and 10,000,000+ sites
- BGP "segmentation" through RRs is essential!!!!
- Easy to add new sites: configure the site on the PE connected to it, and the network automagically does the rest
- See also platform issues, later on

Slide 69: MPLS-VPN Scaling: BGP route reflectors
Diagram: VPN_A and VPN_B CEs on PE1/PE2 across the P core, with route reflectors (RR) in the backbone.
- Route reflectors may be partitioned: each RR stores the routes for a set of VPNs
- Thus, no BGP router needs to store ALL VPN information
- PEs peer with the RRs according to the VPNs they directly connect

Slide 70: MPLS-VPN Scaling: BGP update filtering
- An iBGP full mesh between PEs results in flooding all VPN routes to all PEs: a scaling problem with large amounts of routes
- In addition, PEs need only the routes for their attached VRFs
- Therefore each PE discards any VPN-IPv4 route that does not carry a route-target configured to be imported in any of its attached VRFs
- This significantly reduces the amount of information each PE has to store: the volume of the BGP table is equivalent to the volume of the attached VRFs (nothing more)

Slide 71: MPLS-VPN Scaling: BGP update filtering
- Each VRF has an import and an export policy configured; the policies use the route-target attribute (extended community)
- The PE receives MP-iBGP updates for VPN-IPv4 routes: if the route-target is equal to any of the import values configured in the PE, the update is accepted; otherwise it is silently discarded
Diagram: a PE with VRFs yellow and green (import RT=yellow, import RT=green) receives over its MP-iBGP sessions the update RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ (accepted into VRF green) and the update RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ (discarded).

Slide 72: MPLS-VPN Scaling: Route Refresh
- The policy in a PE may change when VRFs are modified (new VRFs, removal of VRFs)
- However, the PE may not have stored routing information which becomes useful after such a change
- The PE requests a retransmission of updates from its neighbors: Route-Refresh
Diagram (the PE now imports RT=yellow, RT=green and RT=red):
1. The PE doesn't have the red routes (previously fil

Slide 73: MPLS-VPN Scaling: Outbound Route Filters (ORF)
- A PE router discards updates with unused route-targets; the optimisation is for these updates NOT to be sent at all
- Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to apply before propagating BGP updates
Diagram (the PE imports RT=yellow and RT=green):
1. The PE doesn't need the red routes
2. The PE issues an ORF message to all neighbors in order not to receive red routes
3. The neighbors dynamically configure the outbound filter and send updates accordingly


Slide 75: MPLS VPN: Configuration
- VPN knowledge is on the PE routers
- PE routers have to be configured for:
  - VRF and Route Distinguisher
  - VRF import/export policies (based on Route-target)
  - the routing protocol used with the CEs
  - MP-BGP between PE routers
  - BGP for Internet routes, with other PE routers and with CE routers

Slide 76: MPLS VPN: Configuration: VRF and Route Distinguisher
- The RD is configured on PE routers (for each VRF); VRFs are associated with RDs in each PE
- Common (good) practice is to use the same RD for the same VPN in all PEs, but this is not mandatory
- VRF configuration commands:
  ip vrf <vrf-name>
   rd <route-distinguisher>
   route-target import <route-target>
   route-target export <route-target>

Slide 77: CLI: VRF configuration
Diagram (as slide 45): Site-1 to Site-4 in VPN-A/VPN-B/VPN-C, PE1 and PE2 with multihop MP-iBGP across the P routers. VRF for site-1 (100:1): Site-1 and Site-2 routes; VRF for site-2 (100:2): Site-1, Site-2 and Site-3 routes; VRF for site-3 (100:3): Site-2, Site-3 and Site-4 routes; VRF for site-4 (100:4): Site-3 and Site-4 routes.
PE1:
  ip vrf site1
   rd 100:1
   route-target export 100:1
   route-target import 100:1
  ip vrf site2
   rd 100:2
   route-target export 100:2
   route-target import 100:2
   route-target import 100:1
   route-target export 100:1
PE2:
  ip vrf site3
   rd 100:3
   route-target export 100:2
   route-target import 100:2
   route-target import 100:3
   route-target export 100:3
  ip vrf site-4
   rd 100:4
   route-target export 100:3
   route-target import 100:3
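The slide 77 VRF stanzas plus the import rule of slides 70 and 71 fully determine which routes end up in which VRF. The replay below is an added example, not the deck's lab: it parses the stanzas (written with "route-target both" where import and export match), replays the MP-iBGP exchange between PE1 and PE2, and reports what each PE installs and what it discards. Prefixes and CE names are constructed; the per-VRF results match the routing view drawn on slide 45.

```python
"""Route-target import/export replayed over the VRF stanzas of slide 77.
Added example, not the deck's lab; it applies the import rule of slides
70-71: an update enters every attached VRF whose import RTs overlap its
RTs and is discarded by a PE where no VRF imports any of them."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    rd: str = ""
    import_rts: set = field(default_factory=set)
    export_rts: set = field(default_factory=set)
    routes: dict = field(default_factory=dict)   # prefix -> next hop

def parse_vrfs(config: str) -> dict:
    """Build Vrf objects from 'ip vrf', 'rd' and 'route-target' lines."""
    vrfs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip vrf (\S+)$", line):
            cur = vrfs.setdefault(m.group(1), Vrf(m.group(1)))
        elif cur is None:
            continue
        elif m := re.match(r"rd (\S+)$", line):
            cur.rd = m.group(1)
        elif m := re.match(r"route-target (import|export|both) (\S+)$", line):
            kind, rt = m.groups()
            if kind != "export":
                cur.import_rts.add(rt)
            if kind != "import":
                cur.export_rts.add(rt)
    return vrfs

# VPN-IPv4 update: next_hop = originating PE (next-hop-self), rts = export RTs,
# label = a name standing in for the label number, ce_hop = originating CE.
VpnV4Update = namedtuple("VpnV4Update", "rd prefix next_hop rts label ce_hop")

class Pe:
    def __init__(self, name: str, config: str):
        self.name = name
        self.vrfs = parse_vrfs(config)
        self.discarded = []            # prefixes no attached VRF wanted

    def learn_from_ce(self, vrf: str, prefix: str, ce: str) -> VpnV4Update:
        v = self.vrfs[vrf]
        v.routes[prefix] = ce          # a CE route lands in its own VRF only
        return VpnV4Update(v.rd, prefix, self.name, frozenset(v.export_rts),
                           f"{self.name}:{vrf}", ce)

    def receive(self, upd: VpnV4Update) -> None:
        """Import policy: install where RTs overlap, otherwise drop."""
        matched = False
        for v in self.vrfs.values():
            if not (v.import_rts & upd.rts):
                continue
            matched = True
            # A route exported by one of this PE's own VRFs keeps its CE hop.
            nh = upd.ce_hop if upd.next_hop == self.name else upd.next_hop
            v.routes.setdefault(upd.prefix, nh)
        if not matched:
            self.discarded.append(upd.prefix)

PE1_CONFIG = """
ip vrf site1
 rd 100:1
 route-target both 100:1
ip vrf site2
 rd 100:2
 route-target both 100:2
 route-target both 100:1
"""
PE2_CONFIG = """
ip vrf site3
 rd 100:3
 route-target both 100:2
 route-target both 100:3
ip vrf site-4
 rd 100:4
 route-target both 100:3
"""
SITES = [  # (PE, VRF, prefix, CE); the prefixes are constructed
    ("PE1", "site1", "10.1.0.0/16", "CE1"), ("PE1", "site2", "10.2.0.0/16", "CE2"),
    ("PE2", "site3", "10.3.0.0/16", "CE3"), ("PE2", "site-4", "10.4.0.0/16", "CE4"),
]

def run() -> dict:
    """Replay the exchange over a full MP-iBGP mesh; returns {name: Pe}."""
    pes = {"PE1": Pe("PE1", PE1_CONFIG), "PE2": Pe("PE2", PE2_CONFIG)}
    updates = [pes[p].learn_from_ce(v, pfx, ce) for p, v, pfx, ce in SITES]
    for pe in pes.values():        # every PE sees every update, its own too
        for upd in updates:
            pe.receive(upd)
    return pes

if __name__ == "__main__":
    for pe in run().values():
        print(pe.name, {v.name: sorted(v.routes) for v in pe.vrfs.values()},
              "discarded:", pe.discarded)
```

Because site2's VRF imports both 100:1 and 100:2 it holds Site-1 and Site-3 routes at once, which is why slide 16 requires the address spaces of VPNs sharing a site to be unique; PE2 never imports 100:1, so Site-1's update is discarded there exactly as slide 70 describes.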

Slide 78: MPLS VPN: Configuration: PE/CE routing protocols
- PE/CE may use BGP, RIPv2 or static routes
- A routing context is used for each VRF; routing contexts are defined within the routing protocol instance with the address-family router sub-command:
  router rip
   version 2
   address-family ipv4 vrf <vrf-name>
    ... any common router sub-command ...

Slide 79: MPLS VPN: Configuration: PE/CE routing protocols
- BGP uses the same "address-family" command:
  router bgp ...
   address-family ipv4 vrf <vrf-name>
    ... any common router BGP sub-command ...
- Static routes are configured per VRF: ip route vrf <vrf-name> ...

Slide 80: MPLS VPN: Configuration: PE router commands
- All show commands are VRF based: show ip route vrf ..., show ip protocol vrf ..., show ip cef ..., ...
- PING and Telnet commands are VRF based: telnet <host> /vrf <vrf-name>, ping vrf <vrf-name> <host>

Slide 81: MPLS VPN: Configuration: PE/CE routing protocols
Diagram (as slide 77): Site-1 to Site-4 in VPN-A/VPN-B/VPN-C, PE1 and PE2 with multihop MP-iBGP; VRF for site-1 (100:1), site-2 (100:2), site-3 (100:3), site-4 (100:4). This slide uses one route-target per VPN (100:12, 100:23, 100:34) instead of the per-site values of slide 77. IP addresses were not preserved in the transcript.
PE1:
  ip vrf site1
   rd 100:1
   route-target export 100:12
   route-target import 100:12
  ip vrf site2
   rd 100:2
   route-target export 100:12
   route-target import 100:12
   route-target import 100:23
   route-target export 100:23
  !
  interface Serial3/6
   ip vrf forwarding site1
   ip address
   encapsulation ppp
  !
  interface Serial3/7
   ip vrf forwarding site2
   ip address
   encapsulation ppp
PE2 (the VRF name must match the one used in "ip vrf forwarding"; the transcript had "site-4" in the stanza and "site4" on the interface):
  ip vrf site3
   rd 100:3
   route-target export 100:23
   route-target import 100:23
   route-target import 100:34
   route-target export 100:34
  ip vrf site4
   rd 100:4
   route-target export 100:34
   route-target import 100:34
  !
  interface Serial4/6
   ip vrf forwarding site3
   ip address
   encapsulation ppp
  !
  interface Serial4/7
   ip vrf forwarding site4
   ip address
   encapsulation ppp

82 MPLS VPN - Configuration: PE/CE routing protocols
Diagram: same topology and VRF contents as slide 81.
BGP configuration on the PE attaching site3 and site4:
router bgp 100
 no bgp default ipv4-unicast
 neighbor remote-as 100
 neighbor update-source Loop0
 !
 address-family ipv4 vrf site4
  neighbor remote-as
  neighbor activate
 exit-address-family
 !
 address-family ipv4 vrf site3
  neighbor remote-as
  neighbor activate
 exit-address-family
 !
 address-family vpnv4
  neighbor activate
  neighbor next-hop-self
 exit-address-family
BGP configuration on the PE attaching site1 and site2:
router bgp 100
 no bgp default ipv4-unicast
 neighbor remote-as 100
 neighbor update-source Loop0
 !
 address-family ipv4 vrf site2
  neighbor remote-as
  neighbor activate
 exit-address-family
 !
 address-family ipv4 vrf site1
  neighbor remote-as
  neighbor activate
 exit-address-family
 !
 address-family vpnv4
  neighbor activate
  neighbor next-hop-self
 exit-address-family

83 Summary
- Supports large scale VPN services
- Increases the value added by the VPN Service Provider
- Decreases the Service Provider's cost of providing VPN services
- Mechanisms are general enough to enable a VPN Service Provider to support a wide range of VPN customers
- See RFC2547

84 Route Target
ip vrf odd
 rd 100:1
 route-target export "Green"
 route-target import "Green"
Diagram: CE-1 at Site-1 sends a BGP or RIPv2 update for Net1 (Next-Hop=CE-1) to PE-1. PE-1 sends a VPN-IPv4 update across the VPN backbone (IGP, P routers) to PE-2: RD:Net1, Next-hop=PE-1, SOO=Site1, RT=Green, Label=(intCE1). At PE-2 the VPN-IPv4 update is translated into an IPv4 address (Net1), put into VRF green since RT=Green, and advertised to CE-2 at Site-2.
- The receiving PE inserts the route into the VRF identified by the RT attribute (based on PE configuration). In this example RT = Green.

85 Inbound Filtering
- Proprietary feature
- Automatic (always on) rejection of all prefixes where at least one route target extended community attribute does not match any of the route targets configured at the PE
- Any VRF configuration change triggers "Route Refresh"
- The PE creates a union of all configured RTs and automatically compares all incoming RTs for a non-null intersection
Diagram: a PE with MP-iBGP sessions and VRFs for VPNs yellow (Import RT=yellow) and green (Import RT=green). Two VPN-IPv4 updates arrive: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ and RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ. The update with RT=Red is silently rejected when it reaches the PE since there isn't any VRF configured with import RT = Red.

86 Route Refresh
- Based on: draft-chen-bgp-route-refresh-01.txt
- When the inbound policy has been modified, the BGP speaker sends a Route-Refresh message to its neighbors, with AFI and Sub-AFI attributes
- Neighbors will re-transmit all routes for that particular AFI and Sub-AFI
- Routers that are not refresh capable will reset the BGP session
- Used for vpnv4 sessions; for ipv4 sessions the soft refresh is triggered manually:
  clear ip bgp x.x.x.x soft in

87 Route Refresh and filtering
- Policy may change in the PE if VRF modifications are done: new VRFs, removal of VRFs, RT addition or deletion
- However, the PE may not have stored routing information which becomes useful after a change
- The PE requests a re-transmission of updates from its neighbors via Route-Refresh
Diagram: the PE has Import RT=yellow, Import RT=green and now also Import RT=red. Incoming VPN-IPv4 updates: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ and RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ.
1. The PE doesn't have red routes (previously filtered out)
2. The PE issues a Route-Refresh to all neighbors in order to ask for re-transmission
3. Neighbors re-send updates and the "red" route-target is now accepted

88 Allow AS: Hub-Site and Spoke-Sites
- Hub-Site: one central site has full routing knowledge of all other sites (of the same VPN)
- Spoke-Sites: the other sites will send traffic to the Hub-Site for any destination
- The Hub-Site is the central transit point between Spoke-Sites
- Use of central services at the Hub-Site

89 Allow AS: Hub and Spoke VRFs
- Routes are imported/exported into VRFs based on the RT value of the VPN-IPv4 updates
- PE3 uses 2 (sub)interfaces with two different VRFs
Diagram: Site-1 (N1, CE1) on PE1, Site-2 (N2, CE2) on PE2, Site-3 (N3) on PE3 via CE3-Spoke and CE3-Hub; PE-CE routing is BGP/RIPv2.
VPN-IPv4 update advertised by PE1: RD:N1, NH=PE1, Label=IntCE1, RT=Hub
VPN-IPv4 update advertised by PE2: RD:N2, NH=PE2, Label=IntCE2, RT=Hub
VPN-IPv4 updates advertised by PE3:
  RD:N1, NH=PE3, Label=IntCE3-Spoke, RT=Spoke
  RD:N2, NH=PE3, Label=IntCE3-Spoke, RT=Spoke
  RD:N3, NH=PE3, Label=IntCE3-Spoke, RT=Spoke
IntCE1 VRF (Import RT=Spoke, Export RT=Hub): N1,NH=CE1 (exported); N2,NH=PE3 (imported); N3,NH=PE3 (imported)
IntCE2 VRF (Import RT=Spoke, Export RT=Hub): N1,NH=PE3 (imported); N2,NH=CE2 (exported); N3,NH=PE3 (imported)
IntCE3-Hub VRF (Import RT=Hub): N1,NH=PE1; N2,NH=PE2
IntCE3-Spoke VRF (Export RT=Spoke): N1,NH=CE3-Spoke; N2,NH=CE3-Spoke; N3,NH=CE3-Spoke

90 Allow AS: Hub and Spoke traffic flow
- Traffic from one spoke to another will travel across the hub site
- The hub site may host central services: security, NAT, centralised Internet access
Diagram: same topology and VRF contents as slide 89.

91 Allow AS
- If the PE and the Hub-site use BGP, the PE should not check the received AS_PATH: the update the Hub-site advertises contains the VPN backbone AS number
- By configuration the AS_PATH check is disabled
- Routing loops are suppressed by the limit on the number of occurrences of the provider ASN in the AS_PATH
- Therefore, the PE will REJECT the update if its ASN appears more than 3 times in the AS_PATH
- 3 is the default and can be overwritten with Allow AS

92 Allow AS
Diagram: provider ASN 100; the hub site (CE3-Hub and CE3-Spoke on PE3) uses ASN 250, matching the remote-as 250 configuration below; the other site ASNs shown are 251 and 252. A /32 from Site-1 is carried in eBGP4 updates between the PEs and CEs (the AS_PATH values are not readable in the transcript).
!
address-family ipv4 vrf Hub
 neighbor remote-as 250
 neighbor activate
 neighbor remote-as 250
 neighbor activate
 neighbor allowas-in
 no auto-summary
 no synchronization
exit-address-family
!

93 Allow AS with ASN override
Diagram: provider ASN 100, site ASN 250. The /32 from Site-1 travels as eBGP4 updates between CEs and PEs and as VPN-IPv4 updates (RD:.../32) between PEs; the first VPN-IPv4 update carries AS_PATH: 250, and the AS_PATH grows at each PE-to-CE hop.
!
address-family ipv4 vrf Hub
 neighbor remote-as 250
 neighbor activate
 neighbor remote-as 250
 neighbor activate
 neighbor allowas-in
 neighbor as-override
 no auto-summary
 no synchronization
exit-address-family
- Now the AS_PATH contains four occurrences of the provider ASN. This update will not be accepted anymore if the CE re-advertises it back to any PE.

94 ASN Override
- When BGP is used between PE and CE routers, the customer VPN may want to re-use the same ASN in different sites
- Private ASN procedures already exist in order to strip the private ASN from the AS_PATH
- However, these procedures have the following constraints:
  - A private ASN is stripped only if only private ASNs are present in the AS_PATH
  - A private ASN is stripped only if NOT equal to the neighbouring ASN
- Private ASN procedures do NOT allow the re-use of the same ASN in an MPLS-VPN environment

95 ASN Override
- New procedures have been implemented in order to re-use the same ASN on all VPN sites
- The procedures allow the use of private as well as public ASNs
- The same ASN may be used for all sites, whatever their VPN

96 ASN Override
With ASN override configured the PE does the following:
- If the last ASN in the AS_PATH is equal to the neighbouring one, it is replaced by the provider ASN
- If the last ASN has multiple occurrences (due to AS_PATH prepend), all the occurrences are replaced with the provider-ASN value
- After this operation, normal eBGP operation occurs: the provider ASN is added to the AS_PATH
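The two AS_PATH rules from slides 91 to 96, as an added model that is not part of the Cisco deck: the Allow AS occurrence limit on updates received from a CE, the ASN override rewrite on updates sent to a CE, and the hub-and-spoke walkthrough of slide 93 in which the fourth occurrence of the provider ASN stops the loop. AS_PATH lists are written most-recent ASN first, and the ASNs 100 and 250 are the deck's example values.

```python
# Added example (not from the Cisco deck): a model of the PE-CE eBGP AS_PATH
# handling the deck describes, i.e. "Allow AS" (neighbor allowas-in, default
# limit 3) and "ASN Override" (neighbor as-override). AS_PATH lists are
# most-recent ASN first, so the deck's "last ASN" (added last) is element 0.
from typing import List, Optional, Tuple

PROVIDER_ASN = 100   # VPN backbone ASN used throughout the deck
SITE_ASN = 250       # customer ASN re-used at every site in the deck's examples


def receive_from_ce(as_path: List[int], provider_asn: int,
                    allowas_in: Optional[int] = None) -> bool:
    """Inbound loop check on the PE for an update received from a CE.

    Without allowas-in, standard BGP applies: any occurrence of the provider's
    own ASN is a loop and the update is rejected. With allowas-in, the deck's
    rule applies instead: reject only if the provider ASN appears more than
    the configured limit (3 by default).
    """
    occurrences = as_path.count(provider_asn)
    if allowas_in is None:
        return occurrences == 0
    return occurrences <= allowas_in


def send_to_ce(as_path: List[int], provider_asn: int, neighbor_asn: int,
               as_override: bool = False) -> List[int]:
    """Outbound AS_PATH rewrite on the PE before advertising to a CE.

    With as-override, the last ASN (element 0) is replaced by the provider ASN
    when it equals the neighbouring ASN; a prepended run of that ASN is
    replaced entirely. Normal eBGP processing then prepends the provider ASN.
    """
    path = list(as_path)
    if as_override:
        i = 0
        while i < len(path) and path[i] == neighbor_asn:
            path[i] = provider_asn
            i += 1
    return [provider_asn] + path


def hub_and_spoke_walkthrough(
        allowas_in: int = 3) -> Tuple[List[Tuple[str, List[int]]], bool]:
    """Follow prefix N1 through the deck's hub-and-spoke topology (slide 93):
    every PE-CE session has allowas-in and as-override, and every site uses
    SITE_ASN. Returns the AS_PATH seen at each hop and whether a CE that
    re-advertised the final update back to a PE would still be accepted.
    """
    trace: List[Tuple[str, List[int]]] = []
    path = [SITE_ASN]                                    # CE1 originates N1
    trace.append(("PE1 receives from CE1", path))
    # MP-iBGP between PEs carries the AS_PATH unchanged.
    path = send_to_ce(path, PROVIDER_ASN, SITE_ASN, as_override=True)
    trace.append(("PE3 sends to CE3-Hub", path))         # [100, 100]
    path = [SITE_ASN] + path                             # hub CE re-advertises
    trace.append(("PE3 receives from CE3-Spoke", path))  # [250, 100, 100]
    if not receive_from_ce(path, PROVIDER_ASN, allowas_in):
        raise RuntimeError("hub re-advertisement unexpectedly rejected")
    path = send_to_ce(path, PROVIDER_ASN, SITE_ASN, as_override=True)
    trace.append(("PE2 sends to CE2", path))             # [100, 100, 100, 100]
    looped = [SITE_ASN] + path                           # CE2 sends it back
    return trace, receive_from_ce(looped, PROVIDER_ASN, allowas_in)
```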

97 ASN Override
- The ASN override feature is used in conjunction with SOO in order to prevent routing loops in the case of multihomed sites
- SOO is not needed for stub sites (sites connected to a single PE)
- Multi-homed sites need to use SOO

98 ASN Override
Diagram: PE-1 (provider ASN 100) with a CE (ASN 250) advertising a /32, and PE-2 with a second CE (ASN 250).
ip vrf odd
 rd 100:1
 route-target export 100:3
 route-target import 100:3
!
interface Serial1
 ip vrf forwarding odd
 ip address
!
router bgp 100
 no synchronization
 no bgp default ipv4-unicast
 neighbor remote-as 100
 neighbor update-source Loop0
 neighbor activate
 neighbor next-hop-self
 no auto-summary
 !
 address-family ipv4 vrf odd
  neighbor remote-as 250
  neighbor activate
  neighbor as-override
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor activate
  neighbor send-community extended
  no auto-summary
 exit-address-family
!

99 ASN Override
Diagram: the CE at Site-1 (ASN 250) advertises a /32 to PE-1 (ASN 100); PE-1 sends a VPN-IPv4 update (RD:.../32, AS_PATH: 250) to PE-2; PE-2 sends an eBGP4 update for the /32 to CE-2 (ASN 250).
PE-2 performs the following actions:
1. Replace the last ASN with its own ASN
2. Update the AS_PATH with its own ASN
3. Forward the update to the CE
#sh ip bgp vpn all
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf odd)
*>i / i
*> / i
#sh ip b
Network Next Hop Metric LocPrf Weight Path
*> / i
*> / i

100 ASN Override with AS_PATH prepend
Diagram: as on slide 99, but the CE at Site-1 (ASN 250) prepends its ASN to the /32 it advertises to PE-1; PE-1 sends the VPN-IPv4 update (RD:.../32) to PE-2, and PE-2 sends an eBGP4 update for the /32 to CE-2.
PE-2 performs the following actions:
1. Replace all occurrences of the last ASN with its own ASN
2. Update the AS_PATH with its own ASN
3. Forward the update to the CE
#sh ip bgp vpn all
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf odd)
*>i / i
*> / i
#sh ip b
Network Next Hop Metric LocPrf Weight Path
*> / i
*> / i

101 Site of Origin
- Used to identify the site
- Extended Community type
- Used to prevent loops when the AS_PATH cannot be used, i.e. when BGP is used between the PE and multihomed sites
- A BGP route is NOT advertised back to the same site, even through different PE/CE connections

102 Site of Origin
- SOO for eBGP learned routes: SOO is configured through a route-map command
- SOO can be applied to routes learned through a particular VRF interface (without the use of BGP between PE and CE): SOO is then configured on the interface and propagated into BGP during redistribution

103 Site of Origin
Diagram: a PE with the CE of Site-1 advertising a /32.
ip vrf odd
 rd 100:1
 route-target export 100:3
 route-target import 100:3
!
interface Serial1
 ip vrf forwarding odd
 ip address
!
router bgp 100
 no synchronization
 no bgp default ipv4-unicast
 neighbor remote-as 100
 neighbor update-source Loop0
 neighbor activate
 neighbor next-hop-self
 no auto-summary
 !
 address-family ipv4 vrf odd
  neighbor remote-as 250
  neighbor activate
  neighbor route-map setsoo in
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor activate
  neighbor send-community extended
  no auto-summary
 exit-address-family
!
route-map setsoo permit 10
 set extcommunity soo 100:
#sh ip route vrf odd
C /24 is directly connected, Serial2
B [20/0] via , 00:08:44, Serial
#sh ip bgp vpn all
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf odd)
*> / i
#sh ip bgp vpn all
BGP routing table entry for 100:1: /32, version 17
Paths: (1 available, best #1)
Advertised to non peer-group peers:
from ( )
Origin IGP, metric 0, localpref 100, valid, external, best
Extended Community: SoO:100:65 RT:100:

104 Site of Origin
Diagram: Site-1 (SOO=100:65) is multihomed to PE-1 via CE-1 and to PE-2 via CE-2. CE-1 sends an eBGP4 update for a /32 to PE-1 on intCE1; PE-1 sends the VPN-IPv4 update RD:.../32, Next-hop=PE-1, SOO=100:65, RT=100:3, Label=(intCE1) to PE-2.
- PE-2 will not propagate the route to CE-2, since the update's SOO is equal to the one configured for the site
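The extended-community processing of slides 85, 87 and 101 to 104 as one added model that is not part of the Cisco deck: the always-on inbound RT filter (non-null intersection with the union of import RTs), the Route-Refresh a PE needs after an import RT is added because rejected updates were never stored, and the Site of Origin check that stops a route from being advertised back to its own site. VRF names, RT and SOO values and prefixes are constructed sample data.

```python
# Added example (not from the Cisco deck): a model of how a PE processes
# VPN-IPv4 updates with the extended communities these slides describe:
# the inbound RT filter (slide 85), the Route-Refresh after a VRF change
# (slide 87) and the Site of Origin check (slides 101-104).
# VRF names, RT/SOO values and prefixes below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class VpnUpdate:
    """One VPN-IPv4 route as carried by MP-iBGP between PEs."""
    rd: str                     # route distinguisher, e.g. "100:1"
    prefix: str
    next_hop: str               # advertising PE
    rts: FrozenSet[str]         # route-target extended communities
    soo: Optional[str] = None   # site-of-origin extended community
    label: int = 0              # VPN label


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: Set[str]
    export_rts: Set[str]
    site_soo: Optional[str] = None    # SOO set on routes learnt from this site
    routes: Dict[str, VpnUpdate] = field(default_factory=dict)


class PE:
    def __init__(self, vrfs: List[Vrf]) -> None:
        self.vrfs = {v.name: v for v in vrfs}
        self.refresh_needed = False   # set when the inbound policy changes

    def import_rt_union(self) -> Set[str]:
        """Union of all import RTs configured on this PE (slide 85)."""
        return set().union(*(v.import_rts for v in self.vrfs.values()))

    def inbound_accept(self, upd: VpnUpdate) -> bool:
        """Automatic inbound filter: non-null intersection with the union."""
        return bool(upd.rts & self.import_rt_union())

    def receive(self, upd: VpnUpdate) -> List[str]:
        """Apply the inbound filter, then import into every VRF whose import
        RTs match. Returns the VRFs the route landed in. A rejected update is
        not stored anywhere, which is why a later policy change needs a refresh."""
        if not self.inbound_accept(upd):
            return []
        installed = []
        for vrf in self.vrfs.values():
            if upd.rts & vrf.import_rts:
                vrf.routes[upd.prefix] = upd
                installed.append(vrf.name)
        return installed

    def add_import_rt(self, vrf_name: str, rt: str) -> None:
        """A VRF change modifies the inbound policy, so the PE must send a
        Route-Refresh to its neighbors (slide 87)."""
        self.vrfs[vrf_name].import_rts.add(rt)
        self.refresh_needed = True

    def route_refresh(self, neighbor_table: List[VpnUpdate]) -> List[str]:
        """Neighbors re-send all VPN-IPv4 routes; returns the prefixes that
        are installed this time (previously filtered ones included)."""
        self.refresh_needed = False
        return [u.prefix for u in neighbor_table if self.receive(u)]

    def advertise_to_site(self, vrf_name: str) -> List[str]:
        """Routes the PE advertises to the CE of a site. A route whose SOO
        equals the SOO configured for that site is not sent back (slide 104)."""
        vrf = self.vrfs[vrf_name]
        return sorted(p for p, u in vrf.routes.items()
                      if vrf.site_soo is None or u.soo != vrf.site_soo)


# Constructed sample updates mirroring slides 85/87 (green and red RTs) and
# slide 104 (a /32 from Site-1 carrying SOO 100:65).
GREEN = VpnUpdate("100:1", "198.51.100.0/24", "PE-X", frozenset({"Green"}), "Site1", 20)
RED = VpnUpdate("100:3", "203.0.113.0/24", "PE-X", frozenset({"Red"}), "Site1", 21)
SITE1_HOST = VpnUpdate("100:1", "192.0.2.1/32", "PE-1", frozenset({"100:3"}), "100:65", 30)
OTHER_HOST = VpnUpdate("100:1", "192.0.2.2/32", "PE-2", frozenset({"100:3"}), "100:66", 31)
```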

105 Selective Export
- A PE may have to export VRF routes with different route-targets; example: export management routes with a particular RT
- The export command accepts a route-map
- The route-map is configured in the VRF
- Route-map match or deny statements work with an extended community list

106 Selective Export
Diagram: the CE of Site-1 advertises a /32 and a /24 to the PE; the PE sends two VPN-IPv4 updates, RD:.../32 with RT=100:3 and RD:.../24 with RT=100:4.
ip vrf odd
 rd 100:1
 export map RTMAP
 route-target import 100:3
!
…
!
access-list 10 permit
access-list 11 permit any
!
route-map RTMAP permit 10
 match ip address 10
 set extcommunity rt 100:3
!
route-map RTMAP permit 20
 match ip address 11
 set extcommunity rt 100:4
!

107 Selective Import
- A PE may have to import routes based on other criteria than only the Route-Target
- The import command accepts a route-map
- The route-map is configured in the VRF
- Route-map match or deny statements

108 Selective Import
Diagram: two VPN-IPv4 updates reach the PE, RD:.../32 with RT=100:3 and RD:.../24 with RT=100:4; only the /32 matched by access-list 10 is imported into VRF odd and shows up in the VRF routing table as "B [200/0] via , 02:17:48".
ip vrf odd
 rd 100:1
 import map RTMAP
 route-target export 100:3
!
…
!
access-list 10 permit
!
route-map RTMAP permit 10
 match ip address 10
!

109 Extended route-maps
- Added support for extended communities in route-maps
- Route-map match/set statements:
  route-map permit 10
   [no] match extcommunity
   [no] set extcommunity [rt|soo]
- Defining an Extended Community access list:
  [no] ip extcommunity-list 1 [permit|deny] [rt|soo]

110 Internet routing - VRF specific default route
- The PE installs a default route into the site VRF
- The PE router originates CE routes for the Internet
- The default route points to the Internet router of the VPN backbone
- Possibility to use different Internet gateways per VRF
- No VPN default route allowed

111 MPLS VPN Topologies: Internet routing - VRF specific default route
Diagram: Site-1 and Site-2 attach to a PE whose Site-1 VRF and Site-2 VRF each hold the Site-1 and Site-2 routes plus a /0 pointing to PE-IG; PE-IG holds the global routing table with Internet routes. An IP packet with D=cisco.com from Site-2 is covered by the default route to PE-IG and is forwarded with Label=PE-IG toward the Internet.
ip route vrf PE-IG global

112 Direct Import (RT intersection)
- EBGP received prefixes are now added to the VRF table in the router thread itself
- The requirement to have a non-null intersection between RTs for every VRF has been removed

113 CE to CE convergence
- New BGP mechanisms to be used in order to improve convergence time between sites: BGP update origination, validation and advertisement
- Other mechanisms in order to improve the import and export processes
- BGP update next-hop validation (done at the scanner on the PE) - scan-time adjustment:
  - BGP validates updates by verifying next-hop reachability (first rule of PATH selection)
  - By default the next-hop validation is done once every 60 seconds
  - New command that allows the timer to be configured: bgp scan-time

114 CE to CE convergence
- BGP update advertisement interval (default): EBGP updates are propagated once every 30 seconds, iBGP updates once every 5 seconds
- The default can be changed on a per neighbor basis: neighbor advertisement-interval
- BGP import/export process (IBGP learned routes into the VRF on the remote PE): by default import/export actions are performed once every 60 seconds
- Command to modify the timer: bgp scan-time import
- This timer is configurable ONLY under address-family vpnv4

115 VRF Size Limit/Warning
- New VRF level configuration command:
  (config-vrf)# maximum routes { | warn-only }
- When of is reached, a SYSLOG error message is issued
- If the number of routes in the VRF routing table reaches the limit, no more routes will be added; a SYSLOG error message will be issued when an attempt is made to add a route which is rejected, throttled to one message per VRF in 10 minutes

116 Agenda
- How MPLS VPN works
- What Code Is MPLS VPN In?
- Platform Issues in Implementation
- Lab Demo - config

117 What Code Is MPLS VPN In?
- Introduced in 12.0(5)T and 12.0(9)ST
- Also in 12.1M and derivatives
- 12.0(15)SL, 12.0(17)ST for ESR

118 Agenda
- How MPLS VPN works
- What Code Is MPLS VPN In?
- Platform Issues in Implementation
- Lab Demo - config

119 Things That Make Up MPLS-VPN
- MPLS Forwarding – ENG
- TAG VPN Functional Spec – ENG
- MPLS VPN on GSR E2 cards – ENG …as a reference to a HW implementation

120 Software-based platforms
- If you are developing a new software-based platform (like 2600, 3600, 4500, etc), it should be pretty simple
- Concentrate on testing different packet paths and interface types

121 Hardware-based platforms
- Label Imposition: could be 0, 1, or 2 labels
- Label Exposition: need to deal with the aggregate label, very likely 2 lookups on the same packet

122 Label Imposition (Push)
Diagram: CE1 on PE1, CE2 on PE2 behind P1, and CE3 and CE4 both on PE3.
- CE3->CE4: PE3 imposes 0 labels, does a regular FIB lookup in the VRF table
- CE3->CE1: PE3 imposes 1 label (VPN label); the IGP label is effectively PHP'd
- CE3->CE2: PE3 imposes 2 labels (IGP label to PE2, VPN label)
- Explicit-null mitigates PHP

123 Label Exposition (Pop)
- VPN advertises an "aggregate label" for scalability
- The aggregate label leads to 2 lookups on the egress PE (1 LIB, 1 FIB)
- The label lookup turns the aggregate label into an IP address within a VRF; an IP lookup is necessary to figure out the correct L2 encap

124 Aggregate Label
1. PE3 does an MPLS lookup on the VPN label, finds the outgoing VRF
2. PE3 does an IP lookup in the VRF routing table, finds the L2 encap, sends the packet
Diagram: an IP packet (Dst = ...) from CE1/PE1 arrives at PE3 with VPN label = 42 and is delivered toward CE3/CE4.
  Label  VRF
  42     Red
  IP Address  Port
  .../24      POS1/0

125 Sizing Provider Edge (PE) Routers
- CPU Considerations
- QOS Considerations
- Platform Specific Considerations
- PE Memory Considerations

126 Sizing Provider Edge (PE): CPU Considerations
Several factors determine CPU usage:
- PE to CE connectivity type: STATIC, OSPF, BGP-4
- # of provisioned VRFs
- # of VPN clients/routes
- Amount of provisioned QOS
- # of backbone BGP peers
- Packet forwarding: CEF vs. process

127 Platform Processor Types
  Platform  Processor Type  Internal Clock Speed
  NPE 225   RM              MHz
  NPE 300   R               MHz
  NPE 400   R               MHz
  RSP 4     R               MHz
  RSP 8     R               MHz
  GRP       R               MHz

128 Baseline (No Traffic) CPU Comparison
Chart: Small VPN, 500 VRFs (11 routes per VRF), compared across NPE225 (262 MHz), NPE300 (262 MHz), NPE400 (350 MHz) and RSP8 (250 MHz).

129 Sizing Provider Edge (PE): Memory Considerations
Several factors determine memory usage:
- # of neighbors and type of connectivity: STATIC, OSPF, BGP-4
- # of provisioned VRFs
- # of local VPN routes
- Unique or non-unique RD allocation?
- # of backbone BGP peers (paths)
- # of remote VPN routes
- Spread of the IP addressing structure

130 Sizing Provider Edge (PE): Memory Considerations
Several areas of memory usage:
- BGP Memory
- Routing Table
- MPLS
- CEF
- IDB

131 Sizing Provider Edge (PE): BGP Memory
ndc-brighton# show ip bgp v a s
BGP router identifier , local AS number 2
BGP table version is 21, main routing table version 21
1 network entries and 2 paths using 189 bytes of memory
2 BGP path attribute entries using 108 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 8/58 prefixes, 8/6 paths, scan interval 15 secs
Mp = (N*128) + (P*60) + (Pa*24) + (Ec*24)
  Mp = Total memory used by the PE in bytes
  N = Number of BGP network entries
  P = Number of path entries
  Pa = Number of AS_PATH entries
  Ec = Number of Extended Community entries

132 Sizing Provider Edge (PE): Routing Table Memory
ndc-brighton# show memory summary | include IP: Control Block
0x60567BB IP: Control Block
Each VRF consumes:
- 1 IP control block -> 33,184 bytes
- 1 Network Descriptor Block (NDB) per route (64 bytes)
- 1 Routing Descriptor Block (RDB) per path (144 bytes)
ndc-brighton# show ip route vrf testing summary
IP routing table name is testing(1)
Source  Networks  Subnets  Overhead  Memory (bytes)
connected
External: 0 Internal: 0 Local: 0
internal
Total

133 Sizing Provider Edge (PE): MPLS Memory
ndc-brighton# show memory allocating-process total | include TFIB tag_
0x60DC5D TFIB tag_rewrite chunk
0x60DC5DB TFIB tag_info chunk
0x60DC5DA TFIB tag_info chunk
0x60DC5D TFIB tag_rewrite chunk
ndc-brighton# show memory allocating-process total | include TIB
0x60FC7E TIB entry
- MPLS forwarding memory (TFIB) consumes one 'taginfo' (64 bytes) per route, plus one forwarding entry (104 bytes) for each path

134 Sizing Provider Edge (PE): IDB Memory
ndc-brighton# show memory summary | include IDB
0x602F88E *Hardware IDB*
0x602F *Software IDB*
Interface Description Block:
- Hardware IDB: 4692 bytes (one per physical interface)
- Software IDB: 2576 bytes (one per interface and per sub-interface)
Note: the amount of memory required will differ from platform to platform

135 PE VRF Memory Sizing
Chart: Used Memory with NO VPN routes: 8,187,968 MB; Used Memory 56,243,216 MB; Used Memory 69,631,904 MB (the labels of the two larger configurations are not readable in the transcript).

136 VPN Memory Comparison
Chart only.

137 PE Memory Sizing Design Rules
- ~ 60-70K per VRF: 33K for the base VRF control block, other memory such as CEF, TFIB overhead, IDBs and so on
- ~ bytes per route (includes CEF, TFIB and RIB memory in BGP)
- Remember IOS uses memory!
- Remember Internet routes!
- Remember to leave transient memory: recommended to leave ~ 20MB free

138 PE Memory Sizing Design Observations
- 128 MB platforms are very limited (NPE 225, 3640 *NOT* suitable for a full Internet table and VPNs!!!)
- 256 MB minimum recommended on PE devices
- Limit the number of RDs per VRF in the same VPN unless you require iBGP load balancing with RRs

139 VRF and Route Limits Summary
VRF Limits: constrained mainly by CPU
- Between 500 & 1000 VRFs for static routing (depending on platform – 10 routes per VRF)
- Between 250 & 500 VRFs if using EBGP or RIPv2 (depending on platform routes per VRF)
VPN & Global Route Limits: constrained mainly by available memory
- With 256 MB, 200,000 routes total (IPv4 and VPNv4)
- If the Internet table is present, this reduces the memory available for VPNs (current calculations are near 65 Meg for 100K Internet routes – with tightly packed attributes)

140 Agenda
- How MPLS VPN works
- What Code Is MPLS VPN In?
- Platform Issues in Implementation
- Lab Demo - config

141 Core Topology
Diagram only.

142 VPN topology
NOTES:
- VXR15, 16, 12, 11 are PEs
- VXR14, 13, 10, 9 are CEs
- all CEs have x as their RID
- GSR6 is the VPNv4 RR

