Using MPLS/VPN for Policy Routing
Walt Prue, with significant help from Ken Lindahl and Jim Warner
Sponsored by CENIC (Corporation for Education Network Initiatives in California)
9/17/2018
Introduction
- Cisco suggested MPLS/VPN as a possible solution to CENIC's policy routing needs.
- CENIC needs to know if it will scale to the requirements of the network.
Agenda
- Define the problem
- Examine Cisco's ability to solve our problem
- Viability of Cisco's solution
- Juniper's compatibility with Cisco's MPLS/VPN
Overview
- Does it scale to 100,000+ routes?
- Can the existing equipment be used?
- Can it be maintained?
- Can CENIC introduce the technology with minimal disruption?
- Can Junipers play too?
Vocabulary
- MPLS (MultiProtocol Label Switching)
- VPN (Virtual Private Network)
- VRF (VPN Routing and Forwarding)
- PE (Provider Edge) router
- P (Provider) router
- CE (Customer Edge) router
MPLS
[Figure: the MPLS shim header fields (Label, Exp, S, TTL) above a label-switched path through PE and P routers. An IP packet enters the first PE unlabeled, carries label 14, then 23, then 17 across the core, and leaves the last PE unlabeled. Each router's label table has the columns Tag in, Tag out, I/F out; rows legible in the extracted text: 1 / 55 / 4, 14 / 23 / 2, 9 / 72 / 1, 23 / 17 / 1, 7 / 44 / (cut off), - / 17 / (cut off).]
MPLS Issues
- MPLS over Ethernet
- MTU discovery
- TTL
- Traceroute across an MPLS-enabled net
- MPLS and ATM
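The two slides above (the label-switching figure and the MTU/TTL/traceroute issues) are easier to reason about with a small model. The following is an added example, not code from the CENIC presentation or from Cisco: it packs and unpacks the 32-bit MPLS shim header, walks a packet through a constructed set of label tables (hypothetical routers PE1, P1, P2, PE2 with made-up labels and interface names, not the figure's numbers), and shows how the TTL-propagation choice decides whether the P routers appear in a traceroute at all. The 4 bytes that `encode_shim` returns per label are exactly the per-label MTU overhead the "MTU discovery" bullet refers to.

```python
import struct

LABEL_MAX = (1 << 20) - 1


def encode_shim(label, exp=0, bos=1, ttl=64):
    """Pack one 32-bit MPLS shim header: Label(20) | Exp(3) | S(1) | TTL(8)."""
    if not (0 <= label <= LABEL_MAX and 0 <= exp <= 7 and bos in (0, 1) and 0 <= ttl <= 255):
        raise ValueError("MPLS shim field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def decode_shim(shim):
    """Unpack the four shim fields from the first 4 bytes of a labeled packet."""
    (word,) = struct.unpack("!I", shim[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}


# Constructed tables for a hypothetical path PE1 - P1 - P2 - PE2 (not the slide's figure).
FIB_PE1 = {"10.1.1.0/24": (14, "if2")}        # ingress: prefix (FEC) -> (Tag out, I/F out)
LFIB = {                                       # transit: Tag in -> (Tag out, I/F out); None = pop
    "P1":  {14: (23, "if2")},
    "P2":  {23: (17, "if1")},
    "PE2": {17: (None, "serial0")},
}
PATH = ["PE1", "P1", "P2", "PE2"]


def forward_lsp(prefix, ip_ttl, propagate_ttl=True):
    """Carry one packet for `prefix` along PATH.

    propagate_ttl=True : ingress copies the IP TTL into the shim and egress copies it
                         back, so every P router can answer a traceroute probe.
    propagate_ttl=False: the shim starts at 255 and the IP TTL is only decremented at
                         the two PEs, so the P routers are invisible to traceroute.
    Returns (hop_log, ip_ttl_on_exit); ip_ttl_on_exit is None if the packet expired.
    """
    label, _ = FIB_PE1[prefix]
    ip_ttl -= 1                                # ingress PE forwards the IP packet: one IP hop
    if ip_ttl <= 0:
        return [("PE1", None, "expired")], None
    shim = encode_shim(label, ttl=ip_ttl if propagate_ttl else 255)
    log = [("PE1", None, label)]
    for router in PATH[1:]:
        hdr = decode_shim(shim)
        if hdr["ttl"] <= 1:                    # label TTL exhausted: this LSR drops the packet
            log.append((router, hdr["label"], "expired"))
            return log, None
        out_label, _ = LFIB[router][hdr["label"]]
        if out_label is None:                  # egress PE pops the label
            ip_ttl = hdr["ttl"] - 1 if propagate_ttl else ip_ttl - 1
            if ip_ttl <= 0:
                log.append((router, hdr["label"], "expired"))
                return log, None
            log.append((router, hdr["label"], "pop"))
            return log, ip_ttl
        shim = encode_shim(out_label, ttl=hdr["ttl"] - 1)   # swap the label, decrement TTL
        log.append((router, hdr["label"], out_label))
    raise RuntimeError("path ended without an egress pop")


if __name__ == "__main__":
    for propagate in (True, False):
        print("propagate_ttl =", propagate, forward_lsp("10.1.1.0/24", 2, propagate))
```

With an inner TTL of 2, the propagating variant expires at P1 (so P1 is what a traceroute shows), while the non-propagating variant carries the packet all the way to PE2 before it expires: the same core, but one configuration exposes its topology and the other hides it.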
MPLS/VPN
[Figure: two PE routers carrying the cust-a VRF. VRF configuration shown:
    ip vrf cust-a
     rd 1:100
     route-target export 1:100
     route-target import 1:100
  The cust-a VRF table (Route / Nexthop) lists routes 10.1.1.0, 192.168.6.0 and 128.2.0.0 with next hops 10.1.1.1 and 134.1.17.1; the BGP VPNv4 table (Route / RD) lists 10.1.1.0, 128.1.0.0 and 192.168.6.0, each with RD 1:100.]
Policy Routing on CENIC
[Figure: network diagram with ISP-A, ISP-B, ESnet and the Cisco core connected to the SB, CIT, UCLA and USC campus routers.]
Routing Connectivity Matrix
[Figure: connectivity matrix; its cells are not present in the extracted text.]
Cisco's MPLS/VPN
- Current release 12 software can't support 100,000 routes
- Engine 1 gigabit Ethernet ports couldn't support MPLS/VPN
- MPLS/VPN doesn't currently support multicast
- Cisco can forward MPLS traffic at near OC-12 line rates with engine 0 line cards
- A workaround exists for the multicast and 100,000-route problems: use 802.1Q for virtual ports on the Gig-E interface
Configuring and Maintaining MPLS/VPN
- Configuration and syntax were straightforward (see below)
- Troubleshooting was reasonable but a bit different from what net engineers are used to
- Installing on the existing network would be disruptive
- Each campus would need two logical ports for access to multicast and ISP service (used to reduce installation disruption)
- Cisco has MPLS/VPN tools available
Syntax (Global)
    ip vrf VPN-A
     rd 52:1
     route-target import 12334:1
     route-target export 52:1
     route-target import 52:1
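The VRF syntax above and the MPLS/VPN figure earlier both turn on the same two ideas: the route distinguisher (rd) keeps overlapping customer prefixes apart in the VPNv4 table, and the route-target import/export sets decide which VRF learns which routes. The following added example (not code from the CENIC presentation or from Cisco) models that exchange in Python. VPN-A is taken from the syntax slide and cust-a from the figure; VPN-B, the PE loopback addresses and the CE-learned prefixes are constructed. It also derives the resulting VRF-to-VRF connectivity matrix from the route-target policy alone, which is the check a network engineer wants before trusting that two customers cannot see each other's routes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnRoute:
    rd: str            # route distinguisher prepended on export
    prefix: str
    nexthop: str       # originating PE loopback, the MP-BGP next hop
    rts: frozenset     # route-target extended communities attached on export


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset


# VPN-A from the Syntax slide, cust-a from the MPLS/VPN figure, VPN-B constructed:
# VPN-A imports VPN-B's export RT, but VPN-B does not import VPN-A's (one-way reachability).
VPN_A = Vrf("VPN-A", "52:1", frozenset({"12334:1", "52:1"}), frozenset({"52:1"}))
VPN_B = Vrf("VPN-B", "12334:1", frozenset({"12334:1"}), frozenset({"12334:1"}))
CUST_A = Vrf("cust-a", "1:100", frozenset({"1:100"}), frozenset({"1:100"}))

# Constructed CE-learned routes per PE loopback: list of (vrf, {prefix: CE next hop}).
# Note that 10.1.1.0/24 is in use by two different customers on the same PE.
PE_SITES = {
    "10.0.0.1": [(VPN_A, {"10.1.1.0/24": "10.1.1.1"}),
                 (CUST_A, {"10.1.1.0/24": "134.1.17.1"})],
    "10.0.0.2": [(VPN_B, {"192.168.6.0/24": "192.168.6.1"}),
                 (CUST_A, {"128.2.0.0/16": "128.2.0.1"})],
}


def export_routes(vrf, pe_loopback, local_routes):
    """PE export: prepend the VRF's RD, attach its export RTs, set next hop to this PE."""
    return [VpnRoute(vrf.rd, p, pe_loopback, vrf.export_rts) for p in local_routes]


def build_vpnv4_table(pe_sites):
    """The VPNv4 table every PE learns over the iBGP session (address-family vpnv4)."""
    table = []
    for loopback, sites in pe_sites.items():
        for vrf, routes in sites:
            table.extend(export_routes(vrf, loopback, routes))
    return table


def vrf_table(vrf, local_routes, vpnv4_table):
    """Import: a VPNv4 route enters the VRF if any attached RT is in the import set.
    The RD is dropped on import, so overlapping customer prefixes never collide here;
    routes learned directly from the CE keep precedence over remote ones."""
    table = dict(local_routes)
    for r in vpnv4_table:
        if r.rts & vrf.import_rts:
            table.setdefault(r.prefix, r.nexthop)
    return table


def connectivity_matrix(vrfs):
    """Which VRF receives routes from which, derived purely from RT policy (directional)."""
    return {x.name: sorted(y.name for y in vrfs if y != x and x.import_rts & y.export_rts)
            for x in vrfs}


if __name__ == "__main__":
    vpnv4 = build_vpnv4_table(PE_SITES)
    for r in vpnv4:
        print(f"{r.rd}:{r.prefix} via {r.nexthop} RT={sorted(r.rts)}")
    print("VPN-A on PE1:", vrf_table(VPN_A, {"10.1.1.0/24": "10.1.1.1"}, vpnv4))
    print("VPN-B on PE2:", vrf_table(VPN_B, {"192.168.6.0/24": "192.168.6.1"}, vpnv4))
    print("cust-a on PE2:", vrf_table(CUST_A, {"128.2.0.0/16": "128.2.0.1"}, vpnv4))
    print(connectivity_matrix([VPN_A, VPN_B, CUST_A]))
```

The matrix output makes the policy explicit: VPN-A sees VPN-B, nothing else sees anything outside its own VPN. Because a single mistyped `route-target import` is enough to add an arrow to that matrix, regenerating it from the configured RT sets is a cheap way to verify a policy-routing design before and after each change.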
Per CE I/F
    interface serial0
     ip vrf forwarding VPN-A
     ip address 10.1.2.3 255.255.255.0
Per Trunk I/F
    interface serial4/0/0
     mpls ip
     mpls label protocol ldp
     ip address 1.2.3.4 255.255.255.0
Or globally as:
    mpls label protocol ldp
Routing
    router bgp 11422
     no bgp default ipv4-unicast
     neighbor 2.3.4.5 remote-as 11422
     neighbor 2.3.4.5 update-source loopback0
     ...
Routing (cont.)
     address-family ipv4 vrf VPN-A
      neighbor 1.2.3.4 remote-as 52
      neighbor 1.2.3.4 activate
      no auto-summary
      no synchronization
     exit-address-family
     address-family vpnv4
      neighbor 2.3.4.5 activate
      neighbor 2.3.4.5 send-community extended
     exit-address-family
Junipers and MPLS/VPN
- Compatible if LDP is used instead of TAG distribution
- A bit more complex to configure
- Can handle 200,000+ routes
- Can forward at OC-12 line rates
Summary
- MPLS/VPN can be used to solve our policy routing problems
- Cisco routers can't do MPLS/VPN with full routes or with multicast support today
- With a modified network design, MPLS/VPN may be our solution
Where to Get More Information
- RFC 2547, BGP/MPLS VPNs
- RFC 3031, Multiprotocol Label Switching Architecture
- MPLS and VPN Architectures, Cisco Press
- Juniper Documentation CD-ROM, Release 5.0