
MPLS Bootcamp: MPLS VPN

Khalid Raza, Kyle Bearden & Munther Antoun, March 2001, Version 0.1

MPLS Bootcamp

2000, Cisco Systems, Inc.

Cisco Confidential

MPLS VPN Agenda


VPN Concepts
MPLS VPN Functional Components
MPLS VPN Architectural Components
VPN Routing & Forwarding
MPLS VPN Route Distribution
MPLS VPN Data Plane
MPLS VPN Topologies
Convergence & Scaling Considerations
QoS Deployment Strategies
MPLS VPN Labs


Virtual Private Networks


Concepts

MPLS Bootcamp NW00 Paris


Virtual Private Networks


An IP Network Infrastructure Delivering Private Network Services over a Public Infrastructure
Certainly not a new concept
  Leased Lines --> Statistical Multiplexing
Delivered at Layer-2 (SP backbone) or Layer-3 (IP backbone)
Private connectivity amongst multiple sites
Controlled access into the VPN
Global or non-unique private IP addressing space amongst the different VPNs



Virtual Private Networks


[Figure: VPN taxonomy]
Virtual Networks
  Virtual Private Networks
    Overlay VPN
      Layer-2 VPN: X.25, F/R, ATM
      Layer-3 VPN: GRE, IPSec
    Peer-to-Peer VPN
      Access lists (Shared router)
      Split routing (Dedicated router)
      MPLS/VPN
  Virtual Dial-up Networks
  Virtual LANs


VPN - Overlay Model


[Figure: two VPN Sites, each with a CPE (CE) Device, attached to Provider Edge (PE) devices of the Service Provider Network; a Virtual Circuit between the PEs carries the Layer-3 Routing Adjacency between the CEs]

Private Trunks Across a Telco/SP Shared Infrastructure
  Leased/Dialup Lines
  FR/ATM Virtual Circuits
  IP (GRE) Tunnelling
Point-to-point Solution between Customer Sites
  How to Size Inter-site Circuit Capacities?
  Full Mesh Requirement for Optimal Routing
  CPE Routing Adjacencies between Sites

VPN - Peer-to-Peer Model


[Figure: CPE Routers at VPN Site 1 and VPN Site 2, each with a Layer-3 Routing Adjacency to its Provider Edge Router in the Service Provider Network]

Provider Edge Device Exchanges Routing Information with CPE
  All customer routes carried within SP IGP
Simple routing scheme for VPN customer
  Routing between sites is optimal
  Circuit sizing no longer an issue
Private Addressing is NOT an Option
Addition of New Sites is Simpler
  No overlay mesh to contend with

VPN - MPLS VPN Model


[Figure: Customer Edge (CE) Routers at VPN Site 1 and VPN Site 2 run Static, RIP, OSPF or eBGP Routing with their Provider Edge (PE) Routers; the PE Routers hold an MP-iBGP Session across the Service Provider Network]

Combines Benefits of Overlay and Peer-to-peer Paradigms
  Overlay (security and isolation amongst customers)
  Peer-to-peer (simplified customer routing)
PE Routers only Hold Routes for Attached VPNs
  Reduces size of PE routing information
  Proportional to number of VPNs attached
MPLS Used to Forward Packets (not Traditional IP Routing)
  Full routing within backbone no longer required

MPLS VPN Functional Components


MPLS VPN Connection Model: The Whole Picture

[Figure: CE routers of VPN_A and VPN_B (site prefixes 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attach to PE routers around an MPLS core of P routers; the PE routers hold iBGP sessions with each other]

P Routers (LSRs) are in the core of the MPLS cloud
PE Routers (Edge LSRs or LERs) use MPLS with the core and plain IP with CE routers
P and PE routers share a common IGP
PE routers are MP-iBGP fully-meshed
  or use Route-Reflectors (RRs)
  Confederations supported in IOS 12.1(5)T & higher [maybe also 12.0(14)ST?]

MPLS VPN Model

[Figure: CE Router -> PE Router -> P Router -> PE Router -> CE Router; the VPN Sites form the C-Network, the P and PE routers form the P-Network]


MPLS VPN Connectivity Model

A VPN is a collection of sites sharing common routing information


Same set of routes within the routing table

A site may belong to more than one VPN


through sharing of routing information

A VPN can be thought of as a closed user group (CUG) or community of interest


MPLS VPN Architectural Components


MPLS VPN Architectural Components

Control Planes: LDP/TDP, MP-BGP, CE-PE Peering, IGP
Forwarding Table: VRF
Data Plane


VPN Routing & Forwarding Instance (VRF)


PEs Maintain Separate Routing Tables
Global Routing Table
  Contains all PE and P routes (perhaps non-VPN BGP)
  Populated by the VPN backbone IGP
VRF (VPN Routing & Forwarding)
  Routing & forwarding table associated with one or more directly connected sites (CE Routers)
  VRF is associated with any type of interface, whether logical or physical (e.g. Sub/Virtual/Tunnel)
  Interfaces may share the same VRF if the connected sites share the same routing information

VPN Routing & Forwarding Instances (VRF)


[Figure: one PE with CE routers in Paris (VPN-A), London (VPN-A) and Munich (VPN-B); the PE holds a VRF for VPN-A, a VRF for VPN-B and a Global Routing Table (IGP & non-VPN BGP)]

Multiple routing & forwarding instances (VRFs) provide separation amongst different customers

MPLS VPN Connectivity Model


Private addressing in multiple VPNs no longer an issue
  Provided that members of a VPN do not use the same address range

[Figure: sites London 10.2.1.0/24, Milan 10.4.12.0/24, Brussels 10.2.1.0/24, Vienna 10.22.12.0/24, Paris 10.3.3.0/24 and Munich 10.2.12.0/24 spread over VPN A, VPN B and VPN C; "Address space for VPN A and B must be unique"]

VRF Route Population


VRF populated locally through PE and CE routing protocol
  RIP, OSPF, BGP-4 & Static routing
Separate routing context for each VRF
  Routing Protocol Context (BGP-4 & RIP V2)
  Separate Process (OSPF)

[Figure: CE at Site-1 and CE at Site-2 each peer with the PE via EBGP, OSPF, RIPv2 or Static]


VRF Route Distribution


PE routers distribute local VPN information across the MPLS VPN backbone
  through MP-iBGP & redistribution from VRF
Receiving PE imports routes into attached VRFs

[Figure: CE Router (Site) -> PE -> P Router -> PE -> CE Router (Site); MP-iBGP between the PEs]


Multi-Protocol BGP (MP-BGP) VPN Components


MP-BGP VPN Components

Route Distinguisher (RD)
Route Target (RT)
Site of Origin (SOO)


VPN Routing & Forwarding Instances


MPLS VPN Table Population


The global (non-VRF) routing table is populated through IGP protocols
  May also contain BGP-4 (IPv4) routes
  No VPN routes
VRF routing tables contain VPN-specific routes
  MP-iBGP routes imported into VRFs
  CE routes populate VRFs based on routing protocol context

VRF Population of MP-iBGP

[Figure: CE routers in Paris (VPN-A), London (VPN-A) and Munich (VPN-B) attach to PEs; VRF VPN-A and VRF VPN-B feed the BGP Table (Routes from VPN-A, Routes from VPN-B), which is exchanged over MP-iBGP]

Re-distribution from VRFs into MP-iBGP for VPN information exchange



VRF Population through MP-iBGP


Receiving PE router needs to understand:
  where the route originated from
  into which VRF(s) the route should be placed
  how to distinguish between duplicate addresses
Uniqueness of IPv4 prefix achieved through the use of a Route Distinguisher
  RD (64-bit) identifier
  VPNv4 Route: 96-bit NLRI (RD + 32-bit IPv4 NLRI)

Extended Community Attribute


Permits placement in the proper VRF and site origin
BGP transitive optional attributes containing a set of extended communities
Route Target
  Identifies set of sites to which a particular route should be exported
SOO (Site of Origin)
  (Optionally) refers to the site that originated a particular route



VRF Population of MP-iBGP


[Figure: CE-1 (Paris) sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24, NH=CE-1, to its PE; that PE sends over MP-iBGP the VPN-v4 update RD:1:27:149.27.2.0/24, Nexthop=PE-1, SOO=Paris, RT=VPN-A, Label=(28) to the PE serving CE-2 (London)]

PE Routers Translate (32-bit) IPv4 Prefix into (96-bit) VPN-v4 Route
  Assign a RD, RT and (Optional) SOO based on configuration
  Re-write next-hop attribute (to PE loopback)
  Assign a label based on VRF and/or interface
  Send MP-iBGP update to all PE neighbors

MP-iBGP Update
VPN-V4 Address
  Route Distinguisher (64 bits)
    Makes the IPv4 route globally unique
    RD is configured in the PE for each VRF
    RD may or may not be related to a site or a VPN
  IPv4 address (32 bits)
Route Target (RT) & Optional Site of Origin (SOO)


MP-iBGP Update
Any other standard BGP attribute
  Local Preference, MED, Next-hop, AS_PATH, Standard community
A Label identifying:
  The outgoing interface or VRF where a lookup has to be performed (Aggregate/Connected)
  MP-iBGP utilizes a second label in the label stack

VRF Population of MP-iBGP


[Figure: the PE serving CE-1 (Paris) sends over MP-iBGP the VPN-v4 update RD:1:27:149.27.2.0/24, Nexthop=PE-1, SOO=Paris, RT=VPN-A, Label=(28); the receiving PE serving CE-2 (London) shows the configuration "ip vrf VPN-B / route-target import VPN-A"; the VPN-v4 update is translated into an IPv4 address and put into VRF VPN-A as RT=VPN-A and optionally advertised to CE-2]

Receiving PE routers translate to IPv4
  Insert the route into the VRF identified by the RT attribute (based on PE configuration)
The label associated to the VPN-V4 address will be set on packets forwarded towards the destination

Basic Intranet Model

[Figure: VPN A sites SITE-1, SITE-2, SITE-3 and SITE-4 around the MPLS VPN Backbone (P Router, MP-iBGP between the PEs); Site-1 & Site-2 routes and Site-3 & Site-4 routes are exported with RT=VPN-A, so every VRF holds Site-1, Site-2, Site-3 and Site-4 routes]


MP-BGP Route Target (RT) and Site of Origin (SOO)


RT & SOO
Two EXTENDED (64-bit) BGP Attributes Used to Define
  Route-target: set of routers the route has to be exported to
  SOO (Site of Origin Identifier): routers where the route has been originated
This enables the closed user group functionality
Set by PE routers in order to define import/export policies on a per-site/VRF basis

BGP-4 Enhancements


Extended Community

Extended community attribute type code: TBD


  Type Field: 2 bytes
  Value Field: 6 bytes
Types 0 through 0x7FFF inclusive are assigned by IANA
Types 0x8000 through 0xFFFF inclusive are vendor-specific

Extended Community

High order bit of the type field 0x00
  Administrator sub-field: 2 bytes (AS#)
  Assigned number sub-field: 4 bytes
  Example: 9177:123
High order bit of the type field 0x01
  Administrator sub-field: 4 bytes (IP address)
  Assigned number sub-field: 2 bytes
  Example: 141.253.1.1:123


Extended Community

Route Origin community
  Identifies one or more routers that inject a set of routes (that carry this community) into BGP
  The Type field for the Route Origin community is 0x0001 or 0x0101
Similar to the Site of Origin (SOO)
  Site of Origin uses codes 0x0003 and 0x0103


Extended Community

Route target community
  Identifies one or more routers that may receive a set of routes (that carry this community) carried by BGP
  The type field for the route target community is 0x0002 or 0x0102

Extended Community

Site of Origin (SOO)
  Identifies customer site
  Used to prevent loops when AS_PATH cannot be used
  The type field for SOO is 0x0003 or 0x0103
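As an added illustration (not part of the bootcamp slides), the following Python encodes and decodes the extended communities described above, using the slides' 9177:123 and 141.253.1.1:123 values and the type codes listed for Route Origin, Route Target and SOO:

```python
"""Encode/decode the 8-byte BGP extended communities used by MPLS VPN.

Type field (2 bytes): high-order byte 0x00 = 2-byte AS administrator +
4-byte assigned number; 0x01 = 4-byte IPv4 administrator + 2-byte assigned
number.  Low-order byte: 0x01 Route Origin, 0x02 Route Target, 0x03 SOO.
Value field: 6 bytes.  Types 0x8000-0xFFFF are vendor-specific.
"""
import ipaddress
import struct

SUBTYPES = {"route-origin": 0x01, "route-target": 0x02, "soo": 0x03}
NAMES = {code: name for name, code in SUBTYPES.items()}


def encode_extcommunity(kind: str, value: str) -> bytes:
    """Build one extended community from "9177:123" or "141.253.1.1:123"."""
    admin, assigned_str = value.rsplit(":", 1)
    assigned = int(assigned_str)
    subtype = SUBTYPES[kind]
    if "." in admin:
        # 0x01xx: 4-byte IP administrator, 2-byte assigned number
        if not 0 <= assigned <= 0xFFFF:
            raise ValueError("assigned number must fit in 2 bytes for IP form")
        ip = int(ipaddress.IPv4Address(admin))
        return struct.pack("!BBIH", 0x01, subtype, ip, assigned)
    # 0x00xx: 2-byte AS administrator, 4-byte assigned number
    asn = int(admin)
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("administrator AS must fit in 2 bytes")
    if not 0 <= assigned <= 0xFFFFFFFF:
        raise ValueError("assigned number must fit in 4 bytes")
    return struct.pack("!BBHI", 0x00, subtype, asn, assigned)


def type_field(raw: bytes) -> int:
    """The 2-byte type field as an integer, e.g. 0x0002 or 0x0102."""
    return struct.unpack("!H", raw[:2])[0]


def decode_extcommunity(raw: bytes) -> tuple:
    """Return (kind, "administrator:assigned") for one 8-byte community."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    high, subtype = raw[0], raw[1]
    if high & 0x80:
        return ("vendor-specific", raw[2:].hex())   # 0x8000-0xFFFF: not decoded
    kind = NAMES.get(subtype, "unknown")
    if high == 0x00:
        asn, assigned = struct.unpack("!HI", raw[2:])
        return (kind, f"{asn}:{assigned}")
    if high == 0x01:
        ip, assigned = struct.unpack("!IH", raw[2:])
        return (kind, f"{ipaddress.IPv4Address(ip)}:{assigned}")
    return ("unknown", raw[2:].hex())


def decode_attribute(value: bytes) -> list:
    """Split an Extended Communities attribute value into decoded communities."""
    if len(value) % 8:
        raise ValueError("attribute length must be a multiple of 8")
    return [decode_extcommunity(value[i:i + 8]) for i in range(0, len(value), 8)]
```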


Site of Origin

[Figure: CE at Site-1 (192.168.0.5/32) attached to PE 7200-1]

7200-1#sh ip route vrf odd
C    192.168.65.0/24 is directly connected, Serial2
B    192.168.0.5 [20/0] via 192.168.65.5, 00:08:44, Serial2
7200-1#
7200-1#sh ip bgp vpn all
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf odd)
*> 192.168.0.5/32   192.168.65.5             0             0 250 i
7200-1#sh ip bgp vpn all 192.168.0.5
BGP routing table entry for 100:1:192.168.0.5/32, version 17
Paths: (1 available, best #1)
  Advertised to non peer-group peers:
  192.168.0.7
  250
    192.168.65.5 from 192.168.65.5 (192.168.0.5)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended community: SoO:100:65 RT:100:3
7200-1#

PE configuration:

ip vrf odd
 rd 100:1
 route-target export 100:3
 route-target import 100:3
!
interface Serial1
 ip vrf forwarding odd
 ip address 192.168.65.6 255.255.255.0
!
router bgp 100
 no synchronization
 no bgp default ipv4-unicast
 neighbor 192.168.0.7 remote-as 100
 neighbor 192.168.0.7 update-source Loop0
 neighbor 192.168.0.7 activate
 neighbor 192.168.0.7 next-hop-self
 no auto-summary
 !
 address-family ipv4 vrf odd
  neighbor 192.168.65.5 remote-as 250
  neighbor 192.168.65.5 activate
  neighbor 192.168.65.5 route-map setsoo in
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.0.7 activate
  neighbor 192.168.0.7 send-community extended
  no auto-summary
 exit-address-family
!
route-map setsoo permit 10
 set extcommunity soo 100:65


Site of Origin

[Figure: CE-1 (192.168.0.5/32) and CE-2 both belong to Site-1 (SOO=100:65). CE-1 sends the eBGP4 update 192.168.0.5/32 to PE-1 over interface intCE1; PE-1 sends PE-2 the VPN-IPv4 update RD:192.168.0.5/32, Next-hop=PE-1, SOO=100:65, RT=100:3, Label=(intCE1); PE-2 will not propagate the route to CE-2 as an eBGP4 update, since the update SOO is equal to the one configured for the site]

CE-2


Multi-Protocol BGP

Extension to the BGP protocol in order to carry routing information about other protocols
  Multicast
  MPLS
  IPv6
Exchange of Multi-Protocol NLRI must be negotiated at session set up
  BGP Capabilities negotiation

Multi-Protocol BGP - RFC2858


Obsoletes RFC2283
New non-transitive and optional BGP attributes
  MP_REACH_NLRI
    Carry the set of reachable destinations together with the next-hop information to be used for forwarding to these destinations
  MP_UNREACH_NLRI
    Carry the set of unreachable destinations
Attribute contains one or more triples
  Address Family Information (AFI)
  Next-Hop Information
  NLRI

Labelled VPN-IPV4 Addresses in BGP-4

Labelled VPN-IPV4 address appears in BGP NLRI
  AFI = 1, Sub-AFI = 128
NLRI is encoded as one or more triples
  Length: total length of Label + prefix (RD included)
  Label: 24 bits
  Prefix: RD (64 bits) + IPv4 prefix (32 bits)
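An added example, not from the slides: the Python below builds and parses the labelled VPN-IPv4 NLRI triple described above, using the slides' RD 1:27, prefix 149.27.2.0/24 and label 28. Setting the bottom-of-stack bit in the 3-byte label field is the encoder's choice here, not something the slide states.

```python
"""Encode/decode a labelled VPN-IPv4 NLRI (AFI=1, SAFI=128) as carried in
MP_REACH_NLRI.  Each triple on the wire is:
  Length (1 byte, in bits) | Label (3 bytes) | RD (8 bytes) | IPv4 prefix
and Length covers label + RD + prefix bits, so a /24 route has Length 112.
"""
import ipaddress
import struct

LABEL_BITS = 24
RD_BITS = 64


def encode_rd(rd: str) -> bytes:
    """RD text "1:27" -> type 0 (AS:number); "192.168.0.5:1" -> type 1 (IP:number)."""
    admin, number = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), int(number))
    return struct.pack("!HHI", 0, int(admin), int(number))


def decode_rd(raw: bytes) -> str:
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{number}"
    if rd_type == 1:
        ip, number = struct.unpack("!IH", raw[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    raise ValueError(f"unsupported RD type {rd_type}")


def encode_vpnv4_nlri(rd: str, prefix: str, label: int) -> bytes:
    """One NLRI triple for `prefix` inside `rd`, advertised with VPN label `label`."""
    net = ipaddress.IPv4Network(prefix)
    if not 0 <= label < (1 << 20):
        raise ValueError("an MPLS label is 20 bits")
    # 3-byte label field: 20-bit label, EXP=0, bottom-of-stack bit set
    # (the VPN label sits at the bottom of the stack).
    label_field = ((label << 4) | 0x1).to_bytes(3, "big")
    prefix_bytes = (net.prefixlen + 7) // 8
    length_bits = LABEL_BITS + RD_BITS + net.prefixlen
    return (bytes([length_bits]) + label_field + encode_rd(rd)
            + net.network_address.packed[:prefix_bytes])


def decode_vpnv4_nlri(raw: bytes) -> tuple:
    """Decode the first triple; return (rd, prefix, label, remaining_bytes)."""
    if not raw:
        raise ValueError("empty NLRI")
    length_bits = raw[0]
    total = (length_bits + 7) // 8
    body = raw[1:1 + total]
    if len(body) != total or length_bits < LABEL_BITS + RD_BITS:
        raise ValueError("truncated or malformed NLRI")
    label = int.from_bytes(body[:3], "big") >> 4
    rd = decode_rd(body[3:11])
    prefixlen = length_bits - LABEL_BITS - RD_BITS
    if prefixlen > 32:
        raise ValueError("IPv4 prefix length exceeds 32")
    addr = int.from_bytes((body[11:] + b"\x00" * 4)[:4], "big")
    prefix = ipaddress.IPv4Network((addr, prefixlen), strict=False)
    return rd, str(prefix), label, raw[1 + total:]


def decode_all(raw: bytes) -> list:
    """Decode every triple in the NLRI field of an MP_REACH_NLRI attribute."""
    out = []
    while raw:
        rd, prefix, label, raw = decode_vpnv4_nlri(raw)
        out.append((rd, prefix, label))
    return out
```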


Labelled VPN-IPV4 Addresses in BGP-4

The label is assigned by the router originating the NLRI
  i.e., the router identified by the next-hop value
The label is changed by the router that modifies the next-hop value
  Typically the EBGP speaker
  Or iBGP forwarder configured with next-hop-self


Labelled VPN-IPV4 addresses in BGP-4

Next-hop address must be of the same family as the NLRI
  The next-hop will be a VPN-IPv4 address with RD set to 0
BGP will consider two VPN-IPV4 NLRI comparable even with different labels
  A withdrawal of a VPN-IPv4 address will be considered for all NLRI corresponding to the VPN-IPV4 address, whatever the assigned labels

BGP Capabilities Negotiation

BGP routers establish BGP sessions through the OPEN message
OPEN message contains optional parameters
BGP session is terminated if OPEN parameters are not recognised
A new optional parameter: CAPABILITIES

BGP Capabilities Negotiation

A BGP router sends an OPEN message with CAPABILITIES parameter containing its capabilities:
  Multiprotocol extension
  Route Refresh
  Co-operative Route Filtering
  ...

BGP Capabilities Negotiation


BGP routers determine capabilities of their neighbors by looking at the capabilities parameters in the open message
Unknown or unsupported capabilities may trigger the transmission of a NOTIFICATION message
  The decision to send the NOTIFICATION message and terminate peering is local to the speaker. Such peering should not be re-established automatically
  draft-ietf-idr-bgp4-cap-neg


BGP Capabilities Negotiation

BGP routers use BGP-4 Multiprotocol Extension to carry label mapping information
Multiprotocol Extension capability
  Used to negotiate the Address Family Identifier
  AFI = 1, Sub-AFI = 128 for MPLS-VPN
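As an added example (not from the slides), this Python builds the CAPABILITIES optional parameter of an OPEN message with the Multiprotocol (AFI=1, Sub-AFI=128) and Route Refresh capabilities and checks which address families two speakers have both advertised. Capability codes 1 and 2, optional parameter type 2 and the AFI/Reserved/SAFI value layout are the standard encodings, not values given on the slides.

```python
"""Build and check the Capabilities optional parameter of a BGP OPEN message.

Wire formats used here (standard BGP, not slide values):
  Optional parameter:  Type=2 (1 byte) | Length (1 byte) | capabilities...
  Capability:          Code (1 byte) | Length (1 byte) | Value
  Multiprotocol (code 1) value: AFI (2 bytes) | Reserved (1) | SAFI (1)
  Route Refresh (code 2): zero-length value
"""
import struct

OPT_PARAM_CAPABILITIES = 2
CAP_MULTIPROTOCOL = 1
CAP_ROUTE_REFRESH = 2

AFI_IPV4 = 1
SAFI_UNICAST = 1
SAFI_MPLS_VPN = 128      # the "Sub-AFI = 128" on the slides


def multiprotocol_capability(afi: int, safi: int) -> bytes:
    return struct.pack("!BBHBB", CAP_MULTIPROTOCOL, 4, afi, 0, safi)


def route_refresh_capability() -> bytes:
    return struct.pack("!BB", CAP_ROUTE_REFRESH, 0)


def capabilities_parameter(*caps: bytes) -> bytes:
    """Wrap one or more capabilities in the Capabilities optional parameter."""
    body = b"".join(caps)
    if len(body) > 255:
        raise ValueError("optional parameter length is a single byte")
    return struct.pack("!BB", OPT_PARAM_CAPABILITIES, len(body)) + body


def parse_capabilities(param: bytes) -> dict:
    """Return {capability code: [value, ...]} from one Capabilities parameter."""
    if len(param) < 2 or param[0] != OPT_PARAM_CAPABILITIES:
        raise ValueError("not a Capabilities optional parameter")
    length = param[1]
    body = param[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated Capabilities parameter")
    caps: dict = {}
    while body:
        if len(body) < 2:
            raise ValueError("truncated capability header")
        code, clen = body[0], body[1]
        value, body = body[2:2 + clen], body[2 + clen:]
        if len(value) != clen:
            raise ValueError("truncated capability value")
        caps.setdefault(code, []).append(value)
    return caps


def negotiated_families(local: bytes, remote: bytes) -> set:
    """(AFI, SAFI) pairs both speakers advertised; only these are carried."""
    def families(param: bytes) -> set:
        values = parse_capabilities(param).get(CAP_MULTIPROTOCOL, [])
        return {struct.unpack("!HxB", v) for v in values}   # skip the reserved byte
    return families(local) & families(remote)


def can_exchange_vpnv4(local: bytes, remote: bytes) -> bool:
    """True when the session can carry labelled VPN-IPv4 routes (AFI 1 / SAFI 128)."""
    return (AFI_IPV4, SAFI_MPLS_VPN) in negotiated_families(local, remote)
```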


BGP Route Refresh


New BGP Capability: Route Refresh
  Allows a router to request to any neighbor the re-transmission of BGP updates
  Useful when inbound policy has been modified
  Similar to Cisco soft-reconfiguration without need to store any route
BGP speakers may send Route-Refresh message only to neighbors from which the capability has been exchanged

BGP Route Refresh

When the inbound policy has been modified, the BGP speaker sends a Route-Refresh message to its neighbors
With AFI, Sub-AFI attributes

Neighbors will re-transmit all routes for that particular AFI and Sub-AFI


BGP Co-operative Route Filtering


In order to reduce amount of BGP traffic and CPU used to process updates, routers exchange filter configurations
BGP speakers advertise to downstream neighbors the outbound filter(s) they have to use
Filters are described in ORF entries
  Outbound Route Filter
ORF entries are part of the Route-Refresh message



BGP Co-operative Route Filtering

ORF capability must be negotiated during session set-up
  Capability negotiation
ORF capable BGP speaker will install ORFs per neighbor
  Each ORF will be defined by the upstream neighbor through route-refresh messages

BGP Co-operative Route Filtering: ORF Entry

ORF Entry
  AFI/Sub-AFI
    Filter will apply only to selected address families
  ORF-Type
    Determine the content of ORF-Value
    NLRI is one ORF-Type
    NLRI is used to match IP addresses (subnets)


BGP Co-operative Route Filtering: ORF Entry

ORF Entry
  Action
    ADD: Add an ORF entry to the current ORF
    DELETE: Delete a previously received ORF entry
    DELETE ALL: Delete all existing ORF entries
  Match
    PERMIT: Pass routes that match the ORF entry
    DENY: Do not pass routes that match the ORF entry

BGP Co-operative Route Filtering: ORF Entry

ORF Entry
  ORF-Value (for ORF-Type=NLRI) is <Scope,NLRI>
  Scope
    EXACT: Remote peer should consider routes equal to the NLRI specified in the ORF
    REFINE: Remote peer should consider routes that are part of a subset of the NLRI specified in the ORF
  NLRI: <length, prefix>
  Multiple ORF entries will follow longest match
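An added example, not part of the slides: the Python below installs ORF entries through the ADD/DELETE/DELETE ALL actions and evaluates routes against them with EXACT/REFINE scope and longest match, as the three ORF Entry slides describe. The implicit-deny behaviour when no entry matches and the sample 10.0.0.0/8 filter are assumptions, not statements from the slides.

```python
"""Evaluate the Outbound Route Filter (ORF) entries defined on these slides.

An entry carries Action (ADD / DELETE / DELETE ALL), Match (PERMIT / DENY)
and, for ORF-Type NLRI, a Value <Scope, NLRI> with Scope EXACT or REFINE.
When several entries match a route, the one with the longest NLRI wins.
Assumption not stated on the slides: once a neighbor has installed at least
one entry, a route that matches no entry is not advertised (implicit deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OrfEntry:
    match: str                      # "PERMIT" or "DENY"
    scope: str                      # "EXACT" or "REFINE"
    nlri: ipaddress.IPv4Network


def apply_orf_action(installed: List[OrfEntry], action: str,
                     entry: Optional[OrfEntry] = None) -> List[OrfEntry]:
    """Return the neighbor's ORF list after one Route-Refresh ORF action."""
    if action == "DELETE ALL":
        return []
    if entry is None:
        raise ValueError("ADD and DELETE carry an entry")
    if action == "ADD":
        # a re-sent <Scope, NLRI> replaces the earlier entry for that value
        kept = [e for e in installed if (e.scope, e.nlri) != (entry.scope, entry.nlri)]
        return kept + [entry]
    if action == "DELETE":
        return [e for e in installed if e != entry]
    raise ValueError(f"unknown ORF action {action!r}")


def entry_matches(entry: OrfEntry, route: ipaddress.IPv4Network) -> bool:
    if entry.scope == "EXACT":
        return route == entry.nlri
    if entry.scope == "REFINE":
        # the route lies within the ORF NLRI: the NLRI itself or a more specific
        return route.subnet_of(entry.nlri)
    raise ValueError(f"unknown scope {entry.scope!r}")


def route_permitted(installed: List[OrfEntry], prefix: str) -> bool:
    """Would the upstream speaker send `prefix` to a neighbor holding `installed`?"""
    route = ipaddress.IPv4Network(prefix)
    if not installed:
        return True                      # no ORF installed: nothing is filtered
    hits = [e for e in installed if entry_matches(e, route)]
    if not hits:
        return False                     # implicit deny (assumption, see above)
    best = max(hits, key=lambda e: e.nlri.prefixlen)   # longest match decides
    return best.match == "PERMIT"


def filter_updates(installed: List[OrfEntry], prefixes: List[str]) -> List[str]:
    return [p for p in prefixes if route_permitted(installed, p)]


def build_example_orf() -> List[OrfEntry]:
    """Constructed example: take 10.0.0.0/8 and its subnets, except 10.99.0.0/16
    and its subnets, but do take exactly 10.99.1.0/24."""
    orf: List[OrfEntry] = []
    orf = apply_orf_action(orf, "ADD", OrfEntry("PERMIT", "REFINE", ipaddress.IPv4Network("10.0.0.0/8")))
    orf = apply_orf_action(orf, "ADD", OrfEntry("DENY", "REFINE", ipaddress.IPv4Network("10.99.0.0/16")))
    orf = apply_orf_action(orf, "ADD", OrfEntry("PERMIT", "EXACT", ipaddress.IPv4Network("10.99.1.0/24")))
    return orf
```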


ORF Entries and Route-Refresh


ORF entries are carried in BGP Route-Refresh messages
  AFI/Sub-AFI are encoded into the AFI/Sub-AFI field of the route refresh message
  WHEN-TO-REFRESH field
    IMMEDIATE: apply the filter immediately
    DEFER: wait for subsequent route-refresh message
ORF-Type to be extended for Extended Communities


Packet Forwarding: MPLS VPN Data Plane


MPLS VPN Forwarding


[Figure: CE routers of VPN_A and VPN_B (site prefixes 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attach to PE1..PE4 around a core of P1..P4. PE1's VRF tables list, per VPN-v4 route, the iBGP next hop and VPN label: <RD_B,10.1> next hop PE2, label L2; <RD_B,10.2>, <RD_B,10.3>, <RD_A,11.6>, <RD_A,10.1>, <RD_A,10.4>, <RD_A,10.2> with next hops PE2/PE3/PE1/PE4 and labels L2..L7. A packet from the VPN_B CE leaves PE1 as L8 L2 Data]

Ingress PE Receives Normal IP Packets from CE Router
PE Router Does IP Longest Match in VRF, Finds iBGP Next Hop PE2 and Imposes a Stack of Labels: Second Level Label L2 + Top Label L8

MPLS VPN Forwarding


[Figure: the same topology; the packet L8 L2 Data travels from PE1 through the P routers toward PE2, each P router switching on the top label (LFIB in/out pairs, e.g. L8 -> POP at the penultimate hop); it reaches PE2 as L2 Data and leaves toward the CE as Data]

All subsequent P routers switch packet solely on top label
Egress PE router's upstream LDP neighbor (Penultimate Hop or PH) removes top label (PHP)
Egress PE uses bottom (VPN) label to select which VPN/CE to forward the Packet to
  Bottom label is removed and packet forwarded to CE router

MPLS VPN Packet Forwarding


[Figure: PE-1 (London side), a P router and PE-2 (loopback 197.26.15.1) with the Paris site 149.27.2.0/24 behind PE-2. LFIB entries for FEC 197.26.15.1/32: PE-1 out label 41; P router in label 41, out label POP. LDP bindings: PE-2 advertises "Use label implicit-null for destination 197.26.15.1/32"; the P router advertises "Use label 41 for destination 197.26.15.0/24". MP-iBGP VPN-v4 update: RD:1:27:149.27.2.0/24, NH=197.26.15.1, SOO=Paris, RT=VPN-A, Label=(28)]

PE and P routers have BGP next-hop reachability through the backbone IGP
Labels are distributed through LDP corresponding to BGP next-hops or RSVP with Traffic Engineering

MPLS VPN Packet Forwarding


Label Stack is used for packet forwarding
  Top label indicates BGP next-hop (exterior label)
  Second level label indicates outgoing interface or VRF (interior VPN label)
MPLS nodes forward packets based on top label
  any subsequent labels are ignored


MPLS VPN Packet Forwarding


[Figure: PE-1 LFIB: FEC 197.26.15.1/32, out label 41. VPN-A VRF: 149.27.2.0/24, NH=197.26.15.1, Label=(28). An IP packet to 149.27.2.27 from London enters PE-1 and leaves as 41 | 28 | 149.27.2.27 toward Paris 149.27.2.0/24]

Ingress PE receives normal IP packets
PE router performs IP Longest Match from VPN FIB, finds iBGP next-hop and imposes a stack of labels <IGP, VPN>

MPLS VPN Packet Forwarding


[Figure: the packet 41 | 28 | 149.27.2.27 leaves PE-1 (VPN-A VRF: 149.27.2.0/24, NH=197.26.15.1, Label=(28)); the first P router swaps in label 41 for out label 68 (FEC 197.26.15.1/32), giving 68 | 28 | 149.27.2.27; the penultimate router has in label 68, out label POP, giving 28 | 149.27.2.27; the egress PE matches in label 28(V) to FEC 149.27.2.0/24 (VPN-A VRF: 149.27.2.0/24, NH=Paris) and forwards the IP packet 149.27.2.27 to the Paris site]

Penultimate PE router removes the IGP label
  Penultimate Hop Popping procedures (implicit-null label)
Egress PE router uses the VPN label to select which VPN/CE to forward the packet to
  VPN label is removed and the packet is routed toward the VPN site
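To tie the three forwarding slides together, here is an added Python walk-through (not from the slides) of the label stack using the slide values: IGP label 41 swapped to 68, popped at the penultimate hop, and VPN label 28 mapped to VRF VPN-A on the egress PE. The router names P-1/P-2 and the "Paris CE" tag are constructed.

```python
"""Walk one IP packet through the MPLS VPN data plane drawn on these slides.

The ingress PE is the only node that looks at the IP header (longest match
in the VRF FIB); each P router switches on the top label only; the
penultimate hop pops the IGP label (implicit-null); the egress PE looks only
at the VPN label to pick the VRF/CE.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

POP = "POP"   # implicit-null binding advertised by the egress PE


@dataclass
class Packet:
    dst: str
    labels: List[int] = field(default_factory=list)   # labels[0] is top of stack


class IngressPE:
    def __init__(self, name: str,
                 vrf_fib: Dict[str, Dict[str, Tuple[str, int]]],   # vrf -> prefix -> (BGP NH, VPN label)
                 igp_labels: Dict[str, int]):                      # BGP NH -> LDP label toward it
        self.name, self.vrf_fib, self.igp_labels = name, vrf_fib, igp_labels

    def forward(self, vrf: str, pkt: Packet) -> str:
        dst = ipaddress.IPv4Address(pkt.dst)
        best = None
        for prefix, (nh, vpn_label) in self.vrf_fib[vrf].items():
            net = ipaddress.IPv4Network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, vpn_label)          # IP longest match in the VRF
        if best is None:
            raise LookupError(f"{pkt.dst} has no route in VRF {vrf}")
        _, nh, vpn_label = best
        pkt.labels = [self.igp_labels[nh], vpn_label]   # impose <IGP, VPN>
        return nh


class PRouter:
    def __init__(self, name: str, lfib: Dict[int, Union[int, str]]):
        self.name, self.lfib = name, lfib

    def forward(self, pkt: Packet) -> None:
        out = self.lfib[pkt.labels[0]]      # top label only; the rest is opaque
        if out == POP:
            pkt.labels.pop(0)               # penultimate hop popping
        else:
            pkt.labels[0] = out             # label swap


class EgressPE:
    def __init__(self, name: str, vpn_labels: Dict[int, Tuple[str, str]]):
        self.name, self.vpn_labels = name, vpn_labels   # VPN label -> (VRF, CE)

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        if len(pkt.labels) != 1:
            raise ValueError("egress PE expects only the VPN label after PHP")
        vrf, ce = self.vpn_labels[pkt.labels.pop(0)]   # strip VPN label, pick VRF/CE
        return vrf, ce


def build_slide_topology():
    """Constructed from the slide values: PE-2 loopback 197.26.15.1, labels 41/68/28."""
    pe1 = IngressPE("PE-1",
                    {"VPN-A": {"149.27.2.0/24": ("197.26.15.1", 28)}},
                    {"197.26.15.1": 41})
    p1 = PRouter("P-1", {41: 68})      # hypothetical name; swaps 41 -> 68
    p2 = PRouter("P-2", {68: POP})     # hypothetical name; penultimate hop
    pe2 = EgressPE("PE-2", {28: ("VPN-A", "Paris CE")})
    return pe1, [p1, p2], pe2


def trace(pe1: IngressPE, p_routers: List[PRouter], pe2: EgressPE,
          vrf: str, dst: str) -> List[Tuple[str, List[int]]]:
    """Label stack seen after each hop, ending with the VRF/CE chosen at egress."""
    pkt = Packet(dst)
    hops = []
    pe1.forward(vrf, pkt)
    hops.append((pe1.name, list(pkt.labels)))
    for p in p_routers:
        p.forward(pkt)
        hops.append((p.name, list(pkt.labels)))
    vrf_out, ce = pe2.forward(pkt)
    hops.append((f"{pe2.name} -> {vrf_out}/{ce}", list(pkt.labels)))
    return hops
```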

MPLS VPN Topologies


MPLS VPN Extranet Support


Extranet support is simply the import of routes from one VRF into another VRF which services a different VPN
Controlled through the use of Route Target
  if we import the route, we have access
Various topologies are viable using this technique



MPLS VPN Extranet Support


[Figure: CE in Paris (VPN-A) and CE in Munich (VPN-B) attach to one PE; the VRF for VPN-A and the VRF for VPN-B both feed an Extranet VPN Routing Table holding VPN-A Paris Routes and VPN-B Munich Routes]

Sharing of VPN information between VRFs provides Extranet support



Central Services Model


Common topology is central services VPN
  client sites may access central services but may not communicate directly with other client sites
Once again controlled through the use of route target
  client sites belong to unique VRF, servers share common VRF
  client exports routes using client-rt and imports server-rt
  server exports routes using server-rt and imports server-rt & client-rt

Central Services Model

[Figure: VPN A site 195.12.2.0/24 and VPN B site 146.12.7.0/24 are clients of a Central Server Site 146.12.9.0/24.
  VPN A VRF (Export RT=client-rt, Import RT=server-rt) holds 195.12.2.0/24 and 146.12.9.0/24
  VPN B VRF (Export RT=client-rt, Import RT=server-rt) holds 146.12.7.0/24 and 146.12.9.0/24
  Server VRF (Export RT=server-rt, Import RT=server-rt, Import RT=client-rt)
  MP-iBGP Updates: RD:195.12.2.0/24, RT=client-rt; RD:146.12.7.0/24, RT=client-rt; RD:146.12.9.0/24, RT=server-rt]
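As an added example (not from the slides), the Python below models the import/export logic of the central services topology above and the SOO loop check from the earlier Site of Origin slides: client VRFs export client-rt and import server-rt, the server VRF imports both, and a PE withholds a route from a CE whose site SOO matches the route's SOO (the 100:1 / 100:3 / 100:65 values of the Site of Origin slide). The RDs 100:1/100:2/100:3 of the central services VRFs and the PE names are constructed.

```python
"""Model PE import/export and the SOO check with the topologies on these slides.

Each VRF exports its local routes as VPN-IPv4 updates carrying its export RTs
(and the site's SOO, if configured) and imports any update whose RTs intersect
its import set.  Before advertising toward the attached CE, a PE drops routes
whose SOO equals that site's SOO: the loop check from the Site of Origin slide.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    next_hop: str                 # PE loopback, rewritten by the exporting PE
    rts: FrozenSet[str]
    soo: Optional[str] = None


@dataclass
class Vrf:
    name: str
    pe: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    local_routes: List[str] = field(default_factory=list)   # learned from the CE
    site_soo: Optional[str] = None                          # set by an inbound route-map
    imported: Dict[str, VpnRoute] = field(default_factory=dict)


def export_updates(vrf: Vrf) -> List[VpnRoute]:
    """IPv4 -> VPN-IPv4: prepend RD, attach RTs/SOO, next-hop = own PE."""
    return [VpnRoute(vrf.rd, p, vrf.pe, vrf.export_rts, vrf.site_soo) for p in vrf.local_routes]


def import_update(vrf: Vrf, update: VpnRoute) -> bool:
    """Import when at least one RT on the update is in the VRF's import list."""
    if not (vrf.import_rts & update.rts):
        return False
    vrf.imported[update.prefix] = update
    return True


def distribute(vrfs: List[Vrf]) -> None:
    """Flood every VRF's exports to every other VRF (MP-iBGP full mesh)."""
    updates = [(v, u) for v in vrfs for u in export_updates(v)]
    for target in vrfs:
        for source, update in updates:
            if source is not target:
                import_update(target, update)


def advertise_to_ce(vrf: Vrf) -> List[str]:
    """Routes the PE will send to this site's CE."""
    out = list(vrf.local_routes)
    for prefix, route in vrf.imported.items():
        if route.soo is not None and route.soo == vrf.site_soo:
            continue            # originated by this same site: do not send it back
        out.append(prefix)
    return sorted(out)


def central_services_demo() -> Dict[str, List[str]]:
    """Constructed from the Central Services slides (client-rt / server-rt)."""
    vpn_a = Vrf("VPN A", "PE-A", "100:1", frozenset({"client-rt"}), frozenset({"server-rt"}), ["195.12.2.0/24"])
    vpn_b = Vrf("VPN B", "PE-B", "100:2", frozenset({"client-rt"}), frozenset({"server-rt"}), ["146.12.7.0/24"])
    server = Vrf("Server", "PE-S", "100:3", frozenset({"server-rt"}),
                 frozenset({"server-rt", "client-rt"}), ["146.12.9.0/24"])
    vrfs = [vpn_a, vpn_b, server]
    distribute(vrfs)
    return {v.name: advertise_to_ce(v) for v in vrfs}


def soo_demo() -> Dict[str, List[str]]:
    """Constructed from the Site of Origin slides: Site-1 (SOO 100:65) dual-homed to PE-1 and PE-2."""
    pe1 = Vrf("odd@PE-1", "PE-1", "100:1", frozenset({"100:3"}), frozenset({"100:3"}), ["192.168.0.5/32"], "100:65")
    pe2 = Vrf("odd@PE-2", "PE-2", "100:1", frozenset({"100:3"}), frozenset({"100:3"}), [], "100:65")
    distribute([pe1, pe2])
    return {v.name: advertise_to_ce(v) for v in (pe1, pe2)}
```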


MPLS VPN Internet Connectivity


Static Default Route
VPN sites may require Internet access
  either directly or via a central site - no full routing
Default route provided through static or dynamic route within the VRF
  extension to ip route command - Global keyword
  Internet gateway points to an exit point whose address is within the global routing table
PE router generates VPN customer routes into BGP through global static routes

MPLS VPN Internet Connectivity


Static Default Route

[Figure: VPN A site 195.12.2.0/24 and VPN B site 146.12.9.0/24 reach Global Internet Access across the MPLS VPN Backbone through the Internet Routing Table on the Internet PE. VPN A VRF: 0.0.0.0 NH=Internet-PE; VPN B VRF: 0.0.0.0 NH=Internet-PE]

PE attached to VPN A:
ip route vrf VPN_A 0.0.0.0 0.0.0.0 Internet-PE global
ip route 195.12.2.0 255.255.255.0 serial 1/0

PE attached to VPN B:
ip route vrf VPN_B 0.0.0.0 0.0.0.0 Internet-PE global
ip route 146.12.9.0 255.255.255.0 serial 1/1


MPLS VPN Internet Connectivity


Dynamic Default Route

[Figure: VPN A Central Site and VPN B Central Site export their defaults: VPN A default with RT=17:22 and VPN B default with RT=17:28. VPN-IPv4 Updates Net=0.0.0.0/0 RT=17:22 and Net=0.0.0.0/0 RT=17:28 cross the MPLS VPN Backbone; VPN A VRF (Import RT=17:22) and VPN B VRF (Import RT=17:28) at the remote VPN A and VPN B sites each pick up their own default]


MPLS VPN Internet Connectivity


Separate BGP Session PE/CE Link
Many clients wish to send/receive routes directly with the Internet
  default route is not sufficient in this environment
Routes reside on the PE router
  but within the global, not VRF, tables
Mechanism needed to distribute this routing information to VPN customer sites
  and also receive routes and place them into the global, and not VRF, table

MPLS VPN Internet Connectivity


Separate BGP Session PE/CE Link
Achieved by using a second interface to the client site
  either physical or logical, such as sub-interface or tunnel

[Figure: VPN Site CE connected to the PE by two (sub)interfaces: one associated with the VRF, one associated with the global routing table carrying Internet Routes toward the Global Internet]


MPLS VPN Internet Connectivity


Global Internet Table Association
If multiple exit points, then possibility to associate full Internet routes with a VRF
  if only one exit point, then default pointing to Internet exit point interface will normally suffice
With multiple interfaces, sub-optimal routing a possibility with default route generation
  as multiple defaults would allow load balancing but no best path selection
Association of Internet routes with VRF provides the ability to generate an aggregate default

MPLS VPN Internet Connectivity


Global Internet Table Association

[Figure: two PEs, one peering with ISP A and one with ISP B, each exporting a default route with the Internet_access route target; a static default pointing to a loopback interface so that lookup in the VRF will occur on incoming packets]


MPLS VPN Internet Connectivity


Global Internet Table Association
Optimal routing between providers now possible
Need to filter everything other than default
  cpu and administrative overhead
Label assignment will occur for every route within the VRF
  memory overhead even though labels are never used
If full routes distributed, could result in multiple copies of Internet routing table

MPLS VPN Convergence


Routing Convergence
Convergence needs to be assessed in two main areas
  convergence within the MPLS VPN backbone
  convergence between VPN client sites
Both areas are completely independent ...
  but work together to provide end-to-end convergence as perceived by the VPN client
  therefore must be assessed in conjunction


End-to-End Routing Convergence

[Figure: two VPN Client A sites attached to two PEs. A new VPN route is advertised by the first site, propagated across the MP-iBGP session, imported into the relevant VRFs and advertised to the relevant VPN sites. If a backbone link fails, the MPLS VPN backbone IGP converges on a new path to the BGP next-hop]

Client-to-client and MPLS VPN backbone IGP convergence are independent



Convergence Across Backbone


Convergence of MPLS VPN backbone IGP will not affect client-to-client route convergence
  unless BGP next-hop becomes unavailable; but will affect client-to-client traffic while backbone converges
Backbone may be router-only based or based on ATM switches
  convergence will be different for the MPLS forwarding plane: cell-mode versus frame-mode implementation


Convergence - Router Based Backbone


Unsolicited Downstream
Bindings advertised as soon as route is in the routing table

Liberal Label Retention


If multiple neighbors, next-hop change causes new label to be used for forwarding

Immediate Notification of Routing Table Change


A route change (addition/deletion) immediately propagated to MPLS process

Convergence - Router Based Backbone


[Figure: VPN Client A sites behind PE-1 and PE-2; PE-1 reaches PE-2 via P-1 or P-3 (P-2 also present). LDP bindings for destination 197.26.15.1/32: PE-2 advertises "Use label POP" to its upstream neighbors, P-1 advertises "Use label 41", P-3 "Use label 25" and P-2 "Use label 23". If P-1 to PE-2 link fails, PE-1 nexthop to destinations reachable via 197.26.15.1/32 (PE-2 Loopback) will change to P-3. As label exists (41), convergence is as quick as the IGP]

MPLS & IGP backbone convergence are closely entwined



Convergence - ATM Backbone

Downstream-on-demand
Affects convergence as the LSR must signal for a downstream label binding

Conservative Label Retention
Convergence is affected as the LSR must signal for a downstream label binding if one does not exist
Next-hop change will cause a label request

Two-stage Convergence:
IGP: converge around topology changes
MPLS: re-establish label mappings

Convergence - ATM Based Backbone

If the P-1 to PE-2 link fails, the PE-1 next-hop to destinations reachable via 197.26.15.1/32 (PE-2 loopback) will change to P-3. As no label exists, PE-1 must signal the next-hop downstream ATM-LSR.

[Figure: same topology as the router-based case (VPN Client A sites on PE-1 and PE-2; PE-1 reaches PE-2 via P-1 or P-3, P-2 also shown). Bindings in use for destination 197.26.15.1/32 are VPI/VCI labels 1/239 and 1/321; after the failure, "Label request for destination 197.26.15.1/32" is sent hop by hop along the new path via P-3 towards PE-2.]

MPLS LSR must re-converge on IGP change AND resignal for label mapping to downstream next-hop
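The two failover scenarios above (router-based backbone with liberal retention, ATM-based backbone with conservative retention and downstream-on-demand), replayed as an added Python example that is not part of the Cisco deck. It models one upstream LSR (PE-1) with a label information base and shows why the first case re-converges in one stage while the second needs a label request after the IGP has moved the next-hop. The neighbor names and the 197.26.15.1/32 prefix come from the slides; which neighbor advertised which VPI/VCI value, the LIB layout and the request counter are assumptions of this model, not IOS internals.

```python
"""Constructed model of LDP label retention during an IGP next-hop change (added example)."""
from dataclasses import dataclass, field

PE2_LOOPBACK = "197.26.15.1/32"          # FEC used throughout the slides


@dataclass
class Lsr:
    """Minimal upstream LSR: an IGP next hop, a LIB and a derived LFIB entry."""
    name: str
    retention: str                        # "liberal" or "conservative"
    next_hop: str
    # LIB: fec -> {neighbor: label}; which bindings are kept depends on retention mode
    lib: dict = field(default_factory=dict)
    label_requests: list = field(default_factory=list)

    def receive_binding(self, fec, neighbor, label):
        """A downstream neighbor advertised (or answered a request with) a binding."""
        bindings = self.lib.setdefault(fec, {})
        if self.retention == "liberal" or neighbor == self.next_hop:
            bindings[neighbor] = label
        # conservative mode: bindings from neighbors that are not the next hop are discarded

    def outgoing_label(self, fec):
        """LFIB view: the label learned from the current IGP next hop, or None."""
        return self.lib.get(fec, {}).get(self.next_hop)

    def igp_reroute(self, fec, new_next_hop):
        """The IGP converged onto new_next_hop; returns the convergence stages required."""
        self.next_hop = new_next_hop
        if self.outgoing_label(fec) is not None:
            return ["igp"]                # binding already in the LIB: one-stage convergence
        # no binding from the new next hop: must signal downstream-on-demand
        self.label_requests.append((fec, new_next_hop))
        return ["igp", "ldp-request"]


def frame_mode_scenario():
    """Router backbone: unsolicited downstream bindings from both P-1 and P-3 are retained."""
    pe1 = Lsr("PE-1", "liberal", next_hop="P-1")
    pe1.receive_binding(PE2_LOOPBACK, "P-1", 23)
    pe1.receive_binding(PE2_LOOPBACK, "P-3", 41)
    before = pe1.outgoing_label(PE2_LOOPBACK)
    stages = pe1.igp_reroute(PE2_LOOPBACK, "P-3")
    return before, pe1.outgoing_label(PE2_LOOPBACK), stages, len(pe1.label_requests)


def cell_mode_scenario():
    """ATM backbone: only the binding from the current next hop is kept (VPI/VCI as strings)."""
    pe1 = Lsr("PE-1", "conservative", next_hop="P-1")
    pe1.receive_binding(PE2_LOOPBACK, "P-1", "1/239")
    pe1.receive_binding(PE2_LOOPBACK, "P-3", "1/321")   # discarded: P-3 is not the next hop
    stages = pe1.igp_reroute(PE2_LOOPBACK, "P-3")
    pending = pe1.outgoing_label(PE2_LOOPBACK)          # None until P-3 answers the request
    pe1.receive_binding(PE2_LOOPBACK, "P-3", "1/321")   # P-3's label mapping arrives
    return stages, pending, pe1.outgoing_label(PE2_LOOPBACK), len(pe1.label_requests)


if __name__ == "__main__":
    print("frame-mode:", frame_mode_scenario())
    print("cell-mode: ", cell_mode_scenario())
```

The gap between the two return values is the second convergence stage of the ATM case: between the IGP reroute and the arrival of the label mapping, `outgoing_label` is `None`, which is the window in which PE-1 has a next hop but no label to send traffic with.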

Client-to-Client Convergence

Four Main Convergence Areas
Advertisement of routes from CE to PE and placement into VRF
Propagation of routes across the MPLS VPN backbone
Import process of these routes into relevant VRFs
Advertisement of VRF routes to attached VPN sites


Backbone Route Propagation

Changes are not propagated to other BGP speakers immediately
Batched together and sent at the advertisement-interval
Default = 5 seconds for iBGP, 30 for eBGP
Can be tweaked using the neighbor advertisement-interval command
Needs to be changed on both backbone and CE routers if BGP is used between PE & CE

Import Process

Import Process Uses a Separate Invocation of the Scanner Process
Default = 15 seconds
Can be tuned using the bgp scan-time import command

Can take up to 15 seconds for a route to be placed into a receiving VRF
and then potentially another 30 seconds to be advertised to the CE if eBGP is in operation!


Scanner Process

Scanner process will also have an effect on convergence
Used to check next-hop reachability and to process any network commands within the BGP process
Invoked every 60 seconds by default
Can be tuned with the bgp scan-time command
Large BGP table and small scan-time can be VERY CPU intensive - beware!

BGP Route Advertisement

In addition to the scanning and importing of routes, each PE router needs to advertise the best routes within each VRF to all its VRF neighbors
This occurs at both ingress and egress of the MPLS VPN network
With eBGP CE neighbors, advertisement of these routes occurs every 30 seconds
With (iBGP) PE neighbors, route advertisement occurs every 5 seconds
Can be tuned with the neighbor a.b.c.d advertisement-interval command
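The three batching timers described on the last few slides (ingress PE advertisement-interval, egress PE import scan, egress PE advertisement-interval towards an eBGP CE), chained into a small Python model as an added example that is not part of the Cisco deck. The default periods (5, 15 and 30 seconds) are the slides' values; modelling each process as a fixed-period timer and the phase of each timer relative to the route change are assumptions of the model, which is why it computes both the worst case and a phase-specific case.

```python
"""Constructed model of client-to-client route propagation delay in an MPLS VPN (added example)."""

# Default periods from the slides: iBGP advertisement-interval, bgp scan-time import,
# eBGP advertisement-interval towards the CE.
DEFAULT_TIMERS = {"ibgp_adv": 5.0, "import_scan": 15.0, "ebgp_adv": 30.0}
STAGES = ("ibgp_adv", "import_scan", "ebgp_adv")


def worst_case_delay(timers=DEFAULT_TIMERS):
    """Upper bound: the change just misses every timer, so each stage costs a full period."""
    return sum(timers[stage] for stage in STAGES)


def propagation_delay(t_change, timers=DEFAULT_TIMERS, phases=None):
    """Seconds from a route change at the ingress PE until the remote eBGP CE hears it.

    phases[stage] is the time at which that stage's timer first fires; it then fires every
    period.  With phases omitted all timers are assumed to start at t=0.
    Returns (total_delay, per_stage_waits).
    """
    phases = phases or {stage: 0.0 for stage in STAGES}
    t = t_change
    waits = []
    for stage in STAGES:
        period, phase = timers[stage], phases[stage]
        # An update that arrives exactly when the timer fires is assumed to be picked up
        # by the following run, so the wait is always in (0, period].
        elapsed = (t - phase) % period
        wait = period - elapsed
        waits.append(wait)
        t += wait
    return t - t_change, waits


if __name__ == "__main__":
    print("worst case with defaults:", worst_case_delay())
    print("change at t=0 :", propagation_delay(0.0))
    print("change at t=7 :", propagation_delay(7.0))
    # hypothetical tuned values, not a recommendation from the deck
    print("worst case tuned:", worst_case_delay({"ibgp_adv": 1.0, "import_scan": 5.0, "ebgp_adv": 5.0}))
```

Running the model for a range of change times shows that the eBGP advertisement towards the CE dominates the budget, which is why the slide notes that the advertisement-interval must be changed on the CE side as well when BGP is used between PE and CE.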

MPLS VPN Scaling


Scaling

Existing BGP techniques can be used to scale the route distribution: route reflectors (RRs) & BGP confederations (Inter-AS VPN)
Each edge router needs only the information for the directly-connected VPNs it supports
RRs are used to distribute VPN routing information


MPLS-VPN Scaling BGP

Route Reflectors
Route reflectors may be partitioned
Each RR stores routes for a set of VPNs
Thus, no BGP router needs to store information on ALL VPNs
PEs will peer to RRs according to the VPNs they support

MPLS-VPN Scaling BGP Updates Filtering

iBGP full mesh amongst PEs results in flooding of all VPN routes to all PEs
Scaling problems when there is a large amount of routes
PEs need routes for only attached VRFs


MPLS-VPN Scaling BGP Updates Filtering

Each PE will discard any VPN-IPv4 route that does not carry a route-target configured to be imported in any of the attached VRFs
This significantly reduces the amount of information each PE has to store
Volume of the BGP table is equivalent to the volume of the attached VRFs (nothing more)

MPLS-VPN Scaling BGP Updates Filtering

[Figure: a PE with VRFs for VPNs yellow and green (Import RT=yellow, Import RT=green) receiving two updates over MP-iBGP sessions:
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ (accepted)
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ (discarded)]

Each VRF has an import and export policy configured
Policies use the route-target attribute (extended community)
PE receives MP-iBGP updates for VPN-IPv4 routes
If the route-target is equal to any of the import values configured in the PE, the update is accepted
Otherwise it is silently discarded

MPLS-VPN Scaling Route Refresh

[Figure: a PE whose VRF policy changes from "Import RT=green" to "Import RT=green" plus "Import RT=red":
1. PE doesn't have red routes (previously filtered out)
2. PE issues a Route-Refresh to all neighbors in order to ask for retransmission
3. Neighbors re-send the updates (VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ and VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ) and the red route-target is now accepted]

Policy may change in the PE if VRF modifications are done
New VRFs, removal of VRFs
However, the PE may not have stored routing information which becomes useful after a change
PE requests a re-transmission of updates from its neighbors: Route-Refresh

MPLS-VPN Scaling Outbound Route Filters - ORF

[Figure: a PE with "Import RT=yellow" and "Import RT=green" VRFs:
1. PE doesn't need red routes
2. PE issues a Route-Refresh message with an ORF entry to its neighbors in order not to receive red routes: Permit RT = Green, Yellow
3. Neighbors dynamically configure the outbound filter and send updates accordingly (VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ is sent; the RT=Red update is not)]

PE router will discard updates with unused route-targets
Optimisation requires these updates NOT to be sent
Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to use prior to propagating BGP updates

Connecting MPLS-VPN Backbones


Connecting MPLS-VPN Backbones

Providers exchange routes between PE-ASBR routers
MP-eBGP for (labelled) VPNv4 addresses between ASBRs
Next-hop and labels are re-written by the PE-ASBRs
Requires PE-ASBRs to store the VPN routes that need to be exchanged
Routes are in the MP-BGP table but not in any routing table
PE-ASBRs do not have any VRFs
MP-eBGP labels are used in the LFIB

Connecting MPLS-VPN backbones

[Figure: two providers, each with a core of P LSRs. Left side: PE-1 (CE-1, CE-2), RR-1 reflects VPNv4 internal routes, PE-ASBR1 advertises VPNv4 external routes. Right side: PE-2 and PE-3 (CE-3, CE-4, CE-5), RR-2 reflects VPNv4 internal routes, PE-ASBR2 advertises VPNv4 external routes. PE-ASBR1 and PE-ASBR2 exchange VPNv4 addresses with labels over MP-eBGP (VPNv4 routes with label distribution).]


Connecting MPLS-VPN backbones

[Figure: control-plane propagation of one prefix N across the two backbones of the previous slide:
CE-2 to PE-1: Network=N, Next-hop=CE2
PE-1 to RR-1 / PE-ASBR1: Network=RD1:N, Next-hop=PE1, Label=L1
PE-ASBR1 to PE-ASBR2 (MP-eBGP): Network=RD1:N, Next-hop=PE-ASBR1, Label=L2
PE-ASBR2 to RR-2 / PE-2 / PE-3: Network=RD1:N, Next-hop=PE-ASBR2, Label=L3
PE-3 to its CE: Network=N, Next-hop=PE3]


Multi-AS MPLS-VPN backbones

VPNv4 routes exchanged between PE-ASBRs

[Figure: data-plane path for a packet to Dest=N, following the labels of the previous slide in reverse:
CE to PE-3: Dest=N
PE-3 across its core of P LSRs: LDP-PE-ASBR2-label | L3 | Dest=N
PE-ASBR2 to PE-ASBR1: L2 | Dest=N
PE-ASBR1 across its core of P LSRs: LDP-PE1-label | L1 | Dest=N
PE-1 to CE-2: Dest=N]


MPLS VPN Configuration


MPLS VPN Configuration

VPN knowledge is on PE routers
Several basic steps are necessary to provision a PE router for VPN service
configuration of VRFs
configuration of Route Distinguishers
configuration of import/export policies
configuration of PE to CE links
association of VRFs to interfaces
configuration of MP-BGP

VRF & RD Configuration

RD is configured on PE routers
separate RD per VRF
good practice is to use the same RD for the same VPN in all PE routers
although this is not mandatory

VRF configuration commands

ip vrf <vrf-symbolic-name>
 rd <route-distinguisher-value>
 route-target import <import route-target community>
 route-target export <export route-target community>


VRF Configuration

ip vrf VPN-A
 rd 1:129
 route-target export 100:1
 route-target import 100:1
ip vrf VPN-B
 rd 1:131
 route-target export 100:2
 route-target import 100:2

[Figure: one PE holding VRF VPN-A and VRF VPN-B, with CEs in Paris (VPN-A), London (VPN-A) and Munich (VPN-B). VRF for VPN-A (RT 100:1): Paris routes, London routes. VRF for VPN-B (RT 100:2): Munich routes.]


PE/CE Routing Protocol

PE/CE can use BGP, RIPv2, OSPF or Static
Routing context used for all except OSPF, which uses a separate process
Routing contexts are defined within the routing protocol instance

router rip
 version 2
 !
 address-family ipv4 vrf <vrf-symbolic-name>
  version 2
  network 195.27.15.0
 !
 address-family ipv4 vrf <vrf-symbolic-name>
  ..

PE/CE Routing Protocol

OSPF uses a different process

router ospf 100 vrf <vrf-symbolic-name>
!
router ospf 200 vrf <vrf-symbolic-name>

BGP uses the address-family command

router bgp <AS #>
 !
 address-family ipv4 vrf <vrf-symbolic-name>
 !
 address-family vpnv4

Static routes are configured per-VRF

ip route vrf <vrf-symbolic-name>


PE/CE Routing Protocol

[Figure: one PE with CEs in Paris (VPN-A, Serial3/5), London (VPN-A, Serial3/6) and Munich (VPN-B, Serial3/7).]

interface Serial3/5
 ip vrf forwarding VPN-A
 ip address 192.168.61.6 255.255.255.252
 encapsulation ppp
!
interface Serial3/6
 ip vrf forwarding VPN-A
 ip address 192.168.61.9 255.255.255.252
 encapsulation ppp
!
interface Serial3/7
 ip vrf forwarding VPN-B
 ip address 192.168.62.6 255.255.255.252
 encapsulation ppp

router bgp 109
 no bgp default ipv4-unicast
 neighbor 195.27.2.1 remote-as 100
 neighbor 195.27.2.1 update-source Loopback0
 !
 address-family ipv4 vrf VPN-B
  neighbor 192.168.62.5 remote-as 65503
  neighbor 192.168.62.5 activate
 exit-address-family
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.61.5 remote-as 65501
  neighbor 192.168.61.5 activate
  neighbor 192.168.61.10 remote-as 65502
  neighbor 192.168.61.10 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 195.27.2.1 activate
  neighbor 195.27.2.1 send-community extended
 exit-address-family


VRF Based Commands

All show commands are VRF based
show ip route vrf <vrf-symbolic-name>
show ip protocols vrf <vrf-symbolic-name>
show ip cef vrf <vrf-symbolic-name>

Ping and Telnet commands are VRF based
ping vrf <vrf-symbolic-name> x.x.x.x
telnet x.x.x.x /vrf <vrf-symbolic-name>


MPLS VPN Internet Routing

VRF Specific Default Route

[Figure: PE (192.168.1.2) with Site-1 (network 171.68.0.0/16) attached on Serial0 in VRF VPN-A and Site-2 attached; MP-BGP from the PE to PE-IG (192.168.1.1), which runs BGP-4 to the Internet. The configuration below is the PE's.]

ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 network 171.68.0.0 mask 255.255.0.0
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.10.2 remote-as 65502
  neighbor 192.168.10.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.1 activate
 exit-address-family
!
ip route 171.68.0.0 255.255.0.0 Serial0
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global


MPLS VPN Internet Routing

VRF Specific Default Route

[Figure: forwarding of an IP packet with D=cisco.com from Site-2. The Site-2 VRF on the PE holds 0.0.0.0/0 via 192.168.1.1 (global) together with the Site-1 and Site-2 routes; the PE's global table and LFIB hold 192.168.1.1/32 Label=3 and 192.168.1.2/32 Label=5. The PE sends the packet with Label=3 to PE-IG (192.168.1.1), which forwards the plain IP packet to the Internet. Site-1 is network 171.68.0.0/16.]


MPLS VPN Internet Routing

Separated (sub)Interfaces

[Figure: PE (192.168.1.2) with Site-1 (network 171.68.0.0/16) attached over two sub-interfaces, Serial0.1 (VRF VPN-A) and Serial0.2 (global table, BGP-4 to the CE), and Site-2 attached; MP-BGP from the PE to PE-IG (192.168.1.1), which runs BGP-4 to the Internet. The configuration below is the PE's.]

ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 no ip address
!
interface Serial0.1
 ip vrf forwarding VPN-A
 ip address 192.168.20.1 255.255.255.0
!
interface Serial0.2
 ip address 171.68.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
 network 171.68.0.0 mask 255.255.0.0
 neighbor 171.68.10.2 remote-as 502
 neighbor 171.68.10.2 activate
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.20.2 remote-as 502
  neighbor 192.168.20.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.1 activate
 exit-address-family


MPLS VPN Internet Routing

Separate (sub)Interfaces

[Figure: an IP packet with D=cisco.com from Site-1 (network 171.68.0.0/16) reaches the PE on Serial0.2 and is forwarded from the PE global table (Internet routes ---> 192.168.1.1, Label=3) with Label=3 to PE-IG (192.168.1.1), which forwards the plain IP packet to the Internet. CE routing table: Site-1 routes ----> Serial0.1; Internet routes ---> Serial0.2. Site-2 is also attached to the PE.]


MPLS-VPN Scaling Route Refresh

[Figure: the same Route-Refresh exchange as on the earlier Route Refresh slide. A PE with "Import RT=yellow" and "Import RT=green" VRFs adds "Import RT=red":
1. PE doesn't have red routes (previously filtered out)
2. PE issues a Route-Refresh to all neighbors in order to ask for retransmission
3. Neighbors re-send the updates (VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ and VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ) and the red route-target is now accepted]

New BGP capability: route refresh
Allows a router to request from any neighbor the re-transmission of BGP updates
Useful when the inbound policy has been modified
Similar to Cisco soft-reconfiguration without the need to store any route
BGP speakers may send Route-Refresh message only to neighbors from which the


MPLS VPN - Configuration

[Figure: overlapping VPNs VPN-A, VPN-B and VPN-C across four sites. Site-1 and Site-2 attach to PE1, Site-3 and Site-4 attach to PE2; PE1 and PE2 peer over multihop MP-iBGP across two P routers. Resulting VRF contents:
VRF for site-1 (100:1): Site-1 routes, Site-2 routes
VRF for site-2 (100:2): Site-1 routes, Site-2 routes, Site-3 routes
VRF for site-3 (100:2): Site-2 routes, Site-3 routes, Site-4 routes
VRF for site-4 (100:3): Site-3 routes, Site-4 routes]

PE1:

ip vrf site1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
ip vrf site2
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
 route-target export 100:1
!
interface Serial3/6
 ip vrf forwarding site1
 ip address 192.168.61.6 255.255.255.0
 encapsulation ppp
!
interface Serial3/7
 ip vrf forwarding site2
 ip address 192.168.62.6 255.255.255.0
 encapsulation ppp

PE2:

ip vrf site3
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:3
 route-target export 100:3
ip vrf site4
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
interface Serial4/6
 ip vrf forwarding site3
 ip address 192.168.73.7 255.255.255.0
 encapsulation ppp
!
interface Serial4/7
 ip vrf forwarding site4
 ip address 192.168.74.7 255.255.255.0
 encapsulation ppp
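The route-target policy of the four VRFs on the slide above, together with the per-PE inbound filtering from the "MPLS-VPN Scaling BGP Updates Filtering" slides, worked through as an added Python example that is not Cisco code. It builds the two PEs with the slide's RDs and import/export route-targets, distributes VPN-IPv4 updates between them, drops every update whose route-targets match no attached VRF, runs the import process, and checks the per-VRF tables against the ones drawn on the slide. The site prefixes (10.N.0.0/16), the label allocation and the in-memory data structures are constructed for this model and are not on the slide.

```python
"""Constructed model of route-target driven VPN-IPv4 distribution and filtering (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnV4Route:
    """One VPN-IPv4 NLRI with the attributes the slides show on an MP-iBGP update."""
    rd: str
    prefix: str
    next_hop: str
    label: int
    route_targets: frozenset


@dataclass
class Vrf:
    """A VRF and its route-target policy; routes maps prefix -> (next_hop, label)."""
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    routes: dict = field(default_factory=dict)


class Pe:
    """A PE router: attached VRFs, the MP-BGP table of accepted updates, and the discards."""

    def __init__(self, name, vrfs):
        self.name = name
        self.vrfs = {v.name: v for v in vrfs}
        self.bgp_table = {}        # (rd, prefix) -> VpnV4Route
        self.discarded = []        # updates dropped by the inbound route-target filter

    def import_rts(self):
        """Union of the import RTs of all attached VRFs: the PE's inbound filter."""
        return frozenset().union(*(v.import_rts for v in self.vrfs.values()))

    def export_local(self, label_base=100):
        """Turn each VRF's CE-learned ("local") prefixes into VPN-IPv4 updates."""
        updates, label = [], label_base
        for vrf in self.vrfs.values():
            for prefix, (next_hop, _) in vrf.routes.items():
                if next_hop == "local":
                    updates.append(VpnV4Route(vrf.rd, prefix, self.name, label, vrf.export_rts))
                    label += 1                     # per-PE VPN label (assumed allocation)
        return updates

    def receive(self, update):
        """Inbound filtering: keep the update only if some attached VRF imports one of its RTs."""
        if not update.route_targets & self.import_rts():
            self.discarded.append(update)          # silently discarded, never stored
            return False
        self.bgp_table[(update.rd, update.prefix)] = update
        return True

    def run_import_scan(self):
        """Import process: copy accepted routes into every VRF whose import RTs match."""
        for vrf in self.vrfs.values():
            for route in self.bgp_table.values():
                if route.route_targets & vrf.import_rts and route.prefix not in vrf.routes:
                    vrf.routes[route.prefix] = (route.next_hop, route.label)


def distribute(pes):
    """MP-iBGP full mesh: every PE's exports reach every other PE.  A PE's own exports go
    straight into its table so the import scan can also leak routes between its local VRFs."""
    exports = [(pe, update) for pe in pes for update in pe.export_local()]
    for origin, update in exports:
        for pe in pes:
            if pe is origin:
                pe.bgp_table[(update.rd, update.prefix)] = update
            else:
                pe.receive(update)
    for pe in pes:
        pe.run_import_scan()


def build_slide_topology():
    """VRF policy from the slide; the 10.N.0.0/16 site prefixes are constructed sample data."""
    pe1 = Pe("PE1", [
        Vrf("site1", "100:1", frozenset({"100:1"}), frozenset({"100:1"}),
            {"10.1.0.0/16": ("local", None)}),
        Vrf("site2", "100:2", frozenset({"100:2", "100:1"}), frozenset({"100:2", "100:1"}),
            {"10.2.0.0/16": ("local", None)}),
    ])
    pe2 = Pe("PE2", [
        Vrf("site3", "100:2", frozenset({"100:2", "100:3"}), frozenset({"100:2", "100:3"}),
            {"10.3.0.0/16": ("local", None)}),
        Vrf("site4", "100:3", frozenset({"100:3"}), frozenset({"100:3"}),
            {"10.4.0.0/16": ("local", None)}),
    ])
    distribute([pe1, pe2])
    return pe1, pe2


def vrf_contents(pe):
    """Sorted prefixes per VRF, for comparison with the per-VRF tables drawn on the slide."""
    return {name: sorted(vrf.routes) for name, vrf in pe.vrfs.items()}


if __name__ == "__main__":
    for pe in build_slide_topology():
        print(pe.name, vrf_contents(pe), "discarded:", [u.prefix for u in pe.discarded])
```

Note that the Site-4 update never enters PE1's BGP table and the Site-1 update never enters PE2's: each PE stores exactly the routes its attached VRFs can use, which is the scaling property the filtering slides describe, and it is also why a later VRF change on a PE needs a Route-Refresh to recover routes that were filtered out earlier.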

MPLS VPN - Configuration

PE/CE routing protocols

[Figure: same topology and VRF contents as the previous slide (Site-1 and Site-2 on PE1, Site-3 and Site-4 on PE2, VPN-A, VPN-B and VPN-C overlapping); PE1 (Loop0 6.6.6.6) and PE2 (Loop0 7.7.7.7) peer over MP-iBGP.]

PE1:

router bgp 100
 no bgp default ipv4-unicast
 neighbor 7.7.7.7 remote-as 100
 neighbor 7.7.7.7 update-source Loop0
 !
 address-family ipv4 vrf site2
  neighbor 192.168.62.2 remote-as 65502
  neighbor 192.168.62.2 activate
 exit-address-family
 !
 address-family ipv4 vrf site1
  neighbor 192.168.61.1 remote-as 65501
  neighbor 192.168.61.1 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 7.7.7.7 activate
  neighbor 7.7.7.7 next-hop-self
 exit-address-family

PE2:

router bgp 100
 no bgp default ipv4-unicast
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loop0
 !
 address-family ipv4 vrf site4
  neighbor 192.168.74.4 remote-as 65504
  neighbor 192.168.74.4 activate
 exit-address-family
 !
 address-family ipv4 vrf site3
  neighbor 192.168.73.3 remote-as 65503
  neighbor 192.168.73.3 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 next-hop-self
 exit-address-family

IOS Support for MPLS


MPLS-VPN IOS Releases - LDP Status

Initial limited deployment release in 12.0(10)ST and up
12.0(11)ST available on CCO
General deployment also planned for 12.2(1)T
Will be based on the current IETF draft (draft-ietf-mpls-ldp-11.txt?)

References


References

RFCs and Internet Drafts
draft-rosen-rfc2547bis-02.txt (was RFC2547)
RFC2858 (obsoletes RFC2283)
draft-ietf-mpls-bgp4-mpls-02.txt
draft-ramachandra-bgp-extcommunities-04.txt

Textbooks
MPLS and VPN Architectures, by Ivan Pepelnjak, Jim Guichard (ISBN 1-58705-002-1)
MPLS: Technology and Applications, by Bruce Davie, Yakov Rekhter (ISBN 1-55860-656-4)

Useful URLs
http://wwwin-mpls.cisco.com/
http://wwwin-ch.cisco.com/SQA/devtest/tag-switching/
http://wwwin-people.cisco.com/sprevidi/

Reference Pointers

Mailing Lists
tag-vpn@cisco.com <-- (mpls-vpn questions)
cs-tagswitching@cisco.com <-- (general mpls questions)
CS-rrr@cisco.com <-- (mpls-te questions)
mpls-deployment@cisco.com
