Académique Documents
Professionnel Documents
Culture Documents
L3 VPN Segmentation
over IP-Based WAN
Craig Hill Distinguished Systems Engineer
CCIE #1628
crhill@cisco.com
@netwrkr95
BRKRST-2045
Agenda
Technology Deep-Dive on
Advancements in L3 VPN over IP
Summary
Agenda
Introduction - Network
Segmentation Drivers and Concepts
Technology Deep-Dive on
Advancements in L3 VPN over IP
Summary
Secure Domain
Routers
MPLS
Virtual Circuits
HSRP
GRE
TDM
MPLS VPN
VRF Lite
AToM
VLANs
L2TPv3
Time
VPLS
1000v
OVS
Virtual
Port
Channel
Virtual
Device
Context
CSR
1000v
SDN
NfV
2016+
Giving One physical network the ability to support multiple L3 virtual networks
Merged Company
Virtual Network
Virtual Network
Cost Reductionallowing a single physical network the ability to offer multiple users
and virtual networks
Security
Regulation requirements
Airports airlines (United, Delta, etc) sharing network transport space (physical)
Government Facilities Federal agencies sharing single building/campus
Intra Organisation segmentation Separation of sales, engineering, HR, LoB
Company mergers allowing slow migration for transition, overlapping addressing
Data Centre Applications VMVLANVRF orchestration for segmentation
Separation of Facility equipment (IP cameras, badge readers) from the user data
L3 segmentation (VRFs) are configured dynamically, or part of the automation process, in multitenant cloud environments for network segmentation (over WAN, to Branch, etc)
Device
Partitioning
WAN
Interconnect
WAN
Virtualising the
Routing and
Forwarding of the
Device
Device
Pooling
Si
Si
Virtualising
Multiple Devices
to Function as a
Single Device
Device
Partitioning
Device
Pooling
Si
Si
VLANs
VRFs
EVN
HSRP/GLBP
VDC (NX-OS)
Stackwise
SDR (IOS-XR)
(Secure Domain Routers)
Device
Partitioning
WAN
Interconnect
WAN
Device
Pooling
Si
Si
VLANs
VRFs
(Easy Virtual Network)
VDC (NX-OS)
EVN
SDR (IOS-XR)
(Secure Domain Routers)
Agenda
Technology Deep-Dive on
Advancements in L3 VPN over IP
Summary
2.
WAN
LAN
LAN
Self
Deployed
BGPTheir
MPLS
IP VPN
Backbone
(RFCNetwork
4364) Controls E2E
Customer
Deploys
Own
Internal
MPLS VPN
CE
Branch
Site
PE
CE
CE
P
P
PE
Campus
DC
PE Routers owned by SP
Site1
CE
PE
Site 2
SP Managed Domain
CE
L3 VPN
Service
Provider
CE
Site 3
PE
IP Routing Peer
(BGP, Static, IGP)
Customer
Managed Domain
Customer
Managed Domain
Site 1
CE
SP Managed Domain
PE
Site 2
CE
Customer
Managed Domain
L3 VPN
Service
Provider
CE
Site 3
PE
IP Routing Peer
(BGP, Static, IGP)
VRFs
Customer
Managed Domain
MPLS
VPN IP
over
theService
top of(Layer
an SP 3Managed
VPN Transport
Service
SP Offered
VPN
Service) IP
- Customer
owns CE
Site1
CE
SP Managed Domain
PE
Site 2
CE
Customer
Managed Domain
L3 VPN
Service
Provider
CE
Site 3
PE
IP Routing Peer
(BGP, Static, IGP)
VRFs
Customer
Managed Domain
VRF 2
VRF 1
eBGP/Static
CE
PE
Service Provider
MPLS
Backbone
PE
VRF 2
eBGP/Static
CE
VRF 1
CE
SP Managed Domain
PE
Site 2
L3 VPN
Service
Provider
CE
Site 3
IP Routing Peer
(BGP, Static, IGP)
PE
CE
Customer Ex: 30-60 days VRF change in SP | 1 hour VRF change in Private IP VPN Solution
Can still leverage encryption, QoS, and private BGP AS over the top
Target Use cases: IPv4 VPN, v6 VPN over v4, align QoS with provider, scale
Agenda
Technology Deep-Dive on
Advancements in L3 VPN over IP
Summary
Private IP VPN
Over the Top
Solution Options
Customer may not control the WAN transport Between MPLS networks
Leveraging any IP transport between MPLS PEs is cost effective and simpler
Primary Components
Segmentation component
VRF
VRF
VRF
VRF has its own routing table (RIB) and forwarding table (FIB)
VRF has its own instance for the routing protocols
(static, RIP, BGP, EIGRP, OSPF)
MPLS-VPN Technology
Control Plane Component
8 Bytes
4 Bytes
1:1
RD
10.1.1.0
IPv4
8 Bytes
Route-Target
3 Bytes
Label
VPNv4
Key Components:
Label
Original IP Header
IP Payload
20 Bytes
New IP Header
20 Bytes
4 Bytes
IP Payload
20 Bytes
Protocol Version Number: 137
Indicates an MPLS Unicast Packet
Bit 0:
Bit 1-12:
Bit 13-15:
Bit 16-31:
Check Sum
Reserved
Version Number
Protocol Type
Fwding Label
VPN Label
Original IP Header
IP Payload
New IP Header
GRE Header
20 Bytes
VPN Label
4 Bytes
Original IP Header
IP Payload
20 Bytes
Remote Site
Remote Site
Remote Site
IP Tunnel
IP Network
Central
Site
IP Network
Central
Site
Advancements in Private
IP VPNs Over the Top
Internet
Campus
RR
Shared
VRF
PE
IP
Transport
mGRE any-to-any IP
connectivity
VRF-Lite or
MPLS
VPN in Campus
mGRE
Tunnel
C-PE
C-PE
C-PE
Branch LAN
Remote Branches
mGRE Interface
mGRE
interface
802.1q Trunk or
Physical Cable
Data Centre/HQ
Branch Site
c-PE
RR
SP
IP VPN
Service
C-PE
c-PE = Customer PE
Routing to SP
BGP/Static
BGP/Static
Shared VRF
Campus
DC
VRF-Lite or MPLS
VPN in Campus/DC
Enterprise
Routing
RR = iBGP Route
Reflector
RR
SP
IP VPN
Service
c-PE
Routing to SP
Data Centre/HQ
mGRE Encapsulation
Branch Site
c-PE = Customer PE
Internet
mGRE
BGP/Static
C-PE
mGRE
Shared VRF
Campus
DC
VRF-Lite or MPLS
VPN in Campus/DC
BGP/Static
Enterprise
Routing
Routing and data forwarding done Over the Top of SP IP VPN Service
eBGP: (1) exchange tunnel end point routes with SP (or directly connected)
Enterprise
Routing
RR = iBGP Route
Reflector
c-PE
Internet
iBGP
AS 65000
SP Cloud
172.16.1.1
AS 1
Service Provider IP
Service (eBGP)
(AS 1)
Data Centre/HQ
RR
eBGP
Shared VRF
C-PE
Campus
DC
VRF-Lite or MPLS
VPN in Campus/DC
MPLS-VPN over mGRE
Overlay
(AS 65000)
i-BGP (AS 65000): used for MP-BGP and VPNv4 prefix and label exchange
eBGP used for advertising iBGP next-hop (and mGRE tunnel endpoint) only
VRF, RD, RT
To user Campus/DC
networks with VRF
segmentation (802.1Q,
port, etc)
Gold
mGRE
Interface
Global
VRF, RD, RT
Blue
WAN to
Provider
PHY
Interface
Logical mGRE interface
de-coupled from a
physical interface
SP WAN
Transport
2 iBGP
172.16.255.3
172.16.255.2
1
172.16.255.1
PE1
PE3
IP Transport
PE4
172.16.255.4
PE6
172.16.255.6
PE5
172.16.255.5
4 View for PE 4
Tunnel Endpoint DB
172.16.255.1
172.16.255.2
172.16.255.3
172.16.255.5
172.16.255.6
VPNv4 label (VRF) and VPN payload is carried in mGRE tunnel encapsulation
New encapsulation profile (see next slide) in CLI offers dynamic endpoint discovery:
Multipoint GRE
Interface
CE1
eBGP
Lo0: 10.0.0.1
IPv4
Transport
PE4
Lo0: 10.0.0.4
CE2
eBGP
CE1
eBGP
Lo0: 10.0.0.1
IPv4 Cloud
PE4
E 1/0
Lo0: 10.0.0.4
2001:db8::2 /64
CE2
eBGP
Traffic overhead
Administrational overhead
CE
CE
CE
MPLS Core
CE
CE
CE
CE
CE
PE
PE
CE
PE
Provider Network
PE routers form PIM neighbourship with other PE routers over MDT. This is a VRF specific
neighbourship
CE
Blue
CE
Red
CE
Provider
Net
CE
Blue
Red
CE
CE
Blue
CE
Red
C-PE
PE
mGRE - UNICAST
unicast
PE
C-PE
PE
C-PE
Provider Network
Leverages the SP Core for multicast replication vs. ingress replication via
GRE tunnels
C-PE customer PE
(mGRE solution)
Dynamic Tunnel endpoint discovery is done via iBGP/route-map (no static GRE tunnel)
E-BGP can/is still be used for route exchange (mGRE end-point) with the SP
Supports MVPN and IPv6 per MPLS VPN model (MDT and 6vPE respectfully)
-
MVPN Platform Support today: ISR/G2, SUP-2T, ASR 1000 Series, ISR 44xx
Supports IPSec for PE-PE encryption (GET VPN or manual SA Discussed later)
Branch LAN
mGRE
interface
VIRTUAL ROUTER
IOS
Catalyst 6500 SUP2T
Cisco 7600 ES+, SIP-400
ISR 3xxx/2xxx/1xxx/8xx
Lo0: 172.16.100.58
10.210.210.210
RR
218
E 0/0: 172.16.10.2
219
10.219.219.219
Lo0: 172.16.100.19
AS 1
eBGP
172.16.19.1
10.218.218.218
eBGP
mGRE
Lo0: 172.16.100.18
172.16.18.1
IPv4 Transport
!
vrf definition red
rd 1:1
route-target export 1:1
route-target import 1:1
!
address-family ipv4
!
interface Loopback0
ip address 172.16.100.18 255.255.255.255
!
interface Ethernet0/0
ip address 172.16.18.2 255.255.255.0
service-policy output parent
!
!
l3vpn encapsulation ip Cisco
transport ipv4 source Loopback0
mpls mtu max
!
!
route-map mgre-v4 permit 10
set ip next-hop encapsulate l3vpn Cisco
Lo0: 172.16.100.58
10.210.210.210
RR
218
E 0/0: 172.16.10.2
mGRE
219
10.219.219.219
Lo0: 172.16.100.19
AS 1
eBGP
172.16.19.1
10.218.218.218
eBGP
Lo0: 172.16.100.18
172.16.18.1
IPv4 Transport
!
router bgp 65000
neighbor 172.16.18.1 remote-as 1
neighbor 172.16.18.1 update-source Eth 0/0
neighbor 172.16.100.58 remote-as 65000
neighbor 172.16.100.58 update-source Loop 0
!
address-family ipv4
network 172.16.100.18 mask 255.255.255.255
neighbor 172.16.18.1 activate
neighbor 172.16.18.1 allowas-in 5
neighbor 172.16.100.58 activate
exit-address-family
!
address-family vpnv4
neighbor 172.16.100.58 activate
neighbor 172.16.100.58 send-community ext
neighbor 172.16.100.58 route-map mgre-v4 in
Lo0: 172.16.100.58
10.210.210.210
RR
218
E 0/0: 172.16.10.2
219
10.219.219.219
Lo0: 172.16.100.19
eBGP
172.16.19.1
10.218.218.218
eBGP
mGRE
AS 1
Lo0: 172.16.100.18
172.16.18.1
IPv4 Transport
218#conf t
Enter configuration commands, one per line.
Lo0: 172.16.100.58
10.210.210.210
RR
218
E 0/0: 172.16.10.2
mGRE
219
10.219.219.219
Lo0: 172.16.100.19
eBGP
172.16.19.1
AS 1
IPv4 Transport
Address
172.16.10.2(3)
172.16.10.2(3)
172.16.100.19(3)
172.16.100.19(3)
10.218.218.218
eBGP
Lo0: 172.16.100.18
172.16.18.1
http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns431/ns658/white_paper_c11-726689.pdf
Internet
Shared
VRF
PE
Multipoint
GRE Tunnel
per VRF
Campus
VRF-Lite or
MPLS
VPN in Campus
IP
Transport
C-PE
MultiVRF CE
Remote
Branches
C-PE
C-PE
Branch LAN
mGRE Tunnel per
VRF
MPLS
VPN over Dynamic Multipoint VPN (DMVPN)
MPLS VPN over a DMVPN Framework
Data Centre/HQ
Internet
Campus
RR
Shared
VRF
VRF-Lite or
MPLS
PE/P VPN in Campus
IP
Transport
C-PE
C-PE
C-PE
802.1q Trunk
Physical Cable
Branch LAN
Remote
Branches
MPLS
and VPNv4
over mGRE Tunnel
MS/MR
w.x.y.1
x.y.w.2
z.q.r.5
z.q.r.5
xTR
Non-LISP
No host changes
Minimal configuration
EID
a.a.a.0/24
b.b.b.0/24
c.c.c.0/24
d.d.0.0/16
EID Space
Prefix Next-hop
Incrementally deployable
RLOC
a.a.a.0/24
b.b.b.0/24
c.c.c.0/24
d.d.0.0/16
w.x.y.1e.f.g.h
x.y.w.2e.f.g.h
z.q.r.5e.f.g.h
z.q.r.5e.f.g.h
PxTR
xTR
xTR
EID
a.a.a.0/24
b.b.b.0/24
c.c.c.0/24
d.d.0.0/16
EID-toRLOC
mapping
RLOC
Space
EID Space
RLOC
w.x.y.1
x.y.w.2
z.q.r.5
z.q.r.5
RLOC
w.x.y.1
x.y.w.2
z.q.r.5
z.q.r.5
LISP Overview
IP Transport
x.y.z.1
Device IPv4 or IPv6
address represents
identityand location
w.z.y.9
Mapping
Database System
IP Transport
x.y.z.1
Device IPv4 or IPv6
address represents
identity only.
Its location is here!
LISP Behaviour
Loc/ID split
a.b.c.1
e.f.g.7
Only the location changes
x.y.z.1
1.1.1.2
Routing
Locator
1.1.1.1 RLOC 1
Where is
1.1.1.2 RLOC 1
2.2.2.1 RLOC 2
LISP TUNNEL
RLOC 1
TO RLOC1
TO: 1.1.1.2
1.1.1.1
DATA
1.1.1.2
TO: 1.1.1.2
RLOC 2
DATA
TO: 1.1.1.2
DATA
2.2.2.1
1. Efficient Multi-Homing
2. IPv6 Transition Support
3. Network Segmentation/Multi-Tenancy
4. Host/VM Mobility
5. LISP Mobile-Node
LISP Operations
LISP IPv4 EID/IPv4 RLOC Header Example
LISP Segmentation/VPN
Efficient Segmentation/Multi-Tenancy Support Concepts
Shared Model
Parallel Model
LISP Segmentation/VPN
Efficient Segmentation/Multi-Tenancy Support Shared Model
EID namespace,
VRF Gold, IID 1
Shared RLOC
namespace
To VPNs (MPLS,
802.1Q, VRF-Lite, or
separate networks)
Gold
Blue
Default
EID namespace,
VRF Blue, IID 2
Single RLOC
namespace
Default table or RLOC
VRF
LISP Segmentation/VPN
Efficient Segmentation/Multi-Tenancy Support Parallel Model
EID namespace,
VRF Gold, IID 1
EID namespace,
VRF Blue, IID 2
To VPNs (MPLS,
802.1Q, VRF-Lite, or
separate networks)
EID
Address
CE
Space
(xTR)
Routing to SP
Enterprise
Routing
Data Centre/HQ
LISP Encapsulation
Branch Site
SP
IP VPN
Service
RLOC
Address
BGP/Static
Internet
MR/MS
CE
RLOC
(xTR)
Address
Shared VRF
Campus
DC
EID Address Space
for Enterprise
BGP/Static
Enterprise
Routing
MR = Map Resolver
MS = Map Server
LISP Segmentation
Y (6vPE)
Y (6vPE)
No (limit of GETVPN)
Y (tunable)
1000+
4000+
Multi-Homing
Y (simple)
Tunneless IP (encap)
Y (RFC 4023)
Y (native IP/UDP)
Y (hub only)
Y (RLOC)
RFC 4364
Mapping DB
RFC 4364
NHRP extensions
Encryption Support
Y (GETVPN)
Y (GETVPN)
Y (pairwise)
Route Learning
BGP (Push)
MR/MS (Pull)
BGP (PE-PE)(Push)
NHRP (S-S)(Pull)
Y (dual GRE)
MVPN Support
IPv6 Transition
NAT Traversal w/ encrypt
Scale
Agenda
Technology Deep-Dive on
Advancements in L3 VPN over IP
Summary
Securing L3 VPN
Solutions over the WAN
with GET VPN
WAN
Multicast
c-PE + GM
mGRE
mGRE
c-PE + GM
c-PE + GM
mGRE
c-PE + GM
GRE
Original IP Header
IP Payload
GRE
ToS
ToS
IP Payload
GRE
MPLS/EXP
ToS
EXP
ToS
EXP
For MPLS over GRE, the EXP marking is copied to the outer header of the GRE tunnel
This allows the IPv4 transport to perform QoS on the multi-encapsulated packet
Caveats:
Traffic originating on the router (SNMP, pak_priority for routing, etc), could have different behaviour
IP Payload
Aggregate Model
A common QoS strategy is used for all VRFs
i.e. same marking for voice, video, critical data, best effort regardless of the
VRF the traffic is sourced from or destined too.
Red VRF
Green VRF
Si
Branch 1
Egress CIR =
600 Mb
IP VPN
Service
Red VRF
Green VRF
Branch 2
Red VRF
Green VRF
Branch 3
WAN
Edge
1 GE
Red VRF
Campus
Green VRF
Si
mGRE
Voice
Video
Best Effort
Scavanger
HQ/DC
LLQ +
Shaper
Gig 0/1
Service Level
Video
Best
Effort
Scav
Voice
600
Mbps
mGRE traffic +
Gig 0/1
Service Level
Video
Best
Effort
Scav
Voice
600
Mbps
MTU=1500
R1
MTU=1000
R2
MTU=1500
R3
MTU=1500
R4
The use of GRE tunnels increase the chances of MTU issues (i.e. fragmentation)
due to the increase in IP packet size GRE adds
Main Issue: The performance impact to the router when the GRE tunnel
destination router must re-assemble fragmented GRE packets
Prior to XE 3.16, MTU default = 1476 and no option for making it smaller
This will allow non-static MTU settings for the MPLS VPN over mGRE feature
!
l3vpn encapsulation ip Cisco
transport ipv4 source Loopback0
mpls mtu 1120
Configure ip tcp adjust-mss for assist with TCP host segment overhead
MTU Setting options:
interface Tunnel0
. . .
ip mtu 1472
Best to fragment prior to encapsulation, than after encapsulation, as this forces the host to do packet
reassembly (vs. the remote router)
Agenda
Technology Deep-Dive on
Advancements in L3 VPN over IP
Summary
N9500
iBGP
N9500
iBGP /
eBGP
N9500
CE-PE
Spine
Routing
Leafs
Leaf
N9300
N9300
N9500N9500 N9300
EVPN
Control
Plane
Data Center 1
VXLAN
EVPN
IP
N9300
Fabric
Extenders
PE-CE
VXLAN
EVPN Route
RD, Prefix , RT, L3 VNI
Next Hop VTEP IP
Tunnel Encap VXLAN
Router MAC
MPLS
IP Route
Solution Characteristics
Agenda
Technology Deep-Dive on
Advancements in L3 VPN over IP
Summary
Summary Key
Takeaways
The ability for an enterprise to extend Layer 3 (L3) Segmentation technologies over the
WAN is critical for todays applications
The ability to transport VRF-Lite and MPLS-VPN over IP allows flexible transport
options, including ability to encrypt segmented traffic
Understanding key network criteria (topology, traffic patterns, VRFs, scale, expansion) is
vital to choosing the optimal solution for extending Segmentation over the WAN
MPLS VPN over mGRE offers simpler, and more scalable, deployment, eliminating LDP,
manual GRE, for the WAN
Understand the options for QoS, GET VPN in mGRE environments, and the impact of
MTU and available tools in IOS for MTU discovery
Begin to understand Cisco innovations (MPLS VPN over mGRE, EVN, LISP
Segmentation) and how they can help simplify network Segmentation in the WAN for
future designs
East Theater
West
Theater
Global
IP/MPLS Core
In-Theater
IP/MPLS Core
West Region
Internet
Cloud
Public
Voice/Video
Mobility
East Region
Private
IP
Service
Metro
Service
Tier 3
Tier 2
Public
IP
Service
Metro
Service
Q&A
Table Topics
Recommended Reading
Thank you