© 2003 Cisco Systems, Inc. All rights reserved.
MPLS VPN Inter-AS, 12/03
INTER-AUTONOMOUS SYSTEM MPLS VPN
December 2003
Agenda
• Inter-Autonomous System (Inter-AS) Multiprotocol Label Switching (MPLS) VPN Overview
• Inter-AS Control Plane
• Inter-AS Forwarding Plane
• Inter-AS Connectivity Models
• Inter-AS Summary
Inter-AS MPLS VPN is a scalable mechanism for exchanging prefix and label information between
two Service Provider networks. It is an extension of the basic MPLS VPN architecture (RFC 2547bis).
Why Inter-AS?
• Enables communication between networks under separate autonomous systems
• Provides traffic separation and maintains end-to-end privacy while traffic traverses multiple MPLS VPN backbones in a scalable manner
• Allows VPN information to pass between MPLS VPN Service Providers so that they can successfully route traffic for a particular VPN
• Extends MPLS VPN services across geographical boundaries, so Service Providers can support their customer base in geographical locations that do not have POPs
• Allows a single Service Provider to partition its network into multiple domains for scalability and inter-departmental privacy
• Uses MPLS to forward the traffic end-to-end and across the systems
Inter-AS Deployment
• More than ten Service Providers globally
• Hardware
  - Cisco 7200 and 7500 Series Routers
  - Cisco 10000 and 12000 Series Internet Routers
• Popular Inter-AS connectivity models
  - Back-to-Back VRF
  - MP-eBGP between ASBRs
  - eBGP between ASBRs and MP-eBGP between RRs
Inter-AS Topology Overview
[Figure: topology with AS #100 and AS #200, PE-1, PE-2, PE-ASBR-1, PE-ASBR-2, CE routers, VPN sites VPN-B-1/VPN-B-2, VPN-G-1/VPN-G-2, VPN-R-1 (hub), VPN-R-2 and VPN-R-3 (spokes), Internet gateways, and shared services for VPNs.]
Inter-AS Functionality
• MPLS VPN providers exchange routes across VRF interfaces
• Each PE-ASBR router treats the other as a CE
• Provider edge routers are gateways used for VPNv4 route exchange
• PE-ASBR to PE-ASBR link may use any supported PE-CE routing protocol
Routing For Each Service Provider Domain
• Each AS operates under different administrative control and runs a different IGP
• No IGP routing information is exchanged between the domains
• All routing information exchange between the domains is via an exterior routing protocol
• Routing policies may differ between the exchange points
• Customer VPN routes are distributed into VRFs at the ingress PE of the ISP
• Each PE assigns labels for the routes to establish connections
INTER-AS CONTROL PLANE
Inter-AS Control Plane
• An EBGP session is established between the PE-ASBRs
• IPv4 routes for the VPNs are distributed in the form of VPNv4 addresses
• PE-ASBRs rewrite next hop and labels when a route is distributed to a neighbor
• PE-ASBRs store ALL VPN routes that need to be exchanged
• Routes are in the MP-BGP table but not in any other routing tables
  - PE-ASBRs do not have any VRF
  - MP-eBGP labels are used in LFIB
Inter-AS Control Plane Route Exchange
[Figure: CE-B-1, PE1-SP1, ASBR-SP1 (SP1 MPLS core), ASBR-SP2, PE1-SP2 (SP2 MPLS core), CE-B-2. Annotations:
  - PE-CE: Route=VPN Blue Site1, via static, EBGP, OSPF, EIGRP or RIPv2
  - IBGP: Route=Site2, Next hop=PE1-SP2, Label=L’
  - EBGP: Route=Site2, Next hop=ASBR-SP2, Label=L’
  - IBGP: Route=Site2, Next hop=ASBR-SP2, Label=L’]
Inter-AS Control Plane
[Figure: SP1 and SP2, each with a core of P LSRs and a route reflector (RR-1, RR-2); PE-1, PE-2, PE-3, PE-ASBR1, PE-ASBR2, CE-1 to CE-5. Annotations:
  - Network=N, Next-hop=CE2
  - Network=RD1:N, Next-hop=PE1, Label=L1
  - Network=RD1:N, Next-hop=PE-ASBR1, Label=L2
  - Network=RD1:N, Next-hop=PE-ASBR2, Label=L3
  - Network=N, Next-hop=PE3]
INTER-AS FORWARDING PLANE
External MP-BGP for VPNv4 Forwarding Plane
[Figure: packet to 152.12.4.1 (prefix 152.12.4.0/24, VPN-B) across PE-2, PE-ASBR-2, PE-ASBR-1 and PE-1, with CE-2 and CE-3 attached. Label stacks shown: LDP PE-ASBR-2 label + L3; L3; L2; LDP PE-1 label + L1; L1; none.]
Inter-AS Forwarding Plane
[Figure: SP1 and SP2, each with a core of P LSRs and a route reflector (RR-1, RR-2); PE-1, PE-2, PE-3, PE-ASBR1, PE-ASBR2, CE-1 to CE-5. Label stacks shown on the packet to 152.12.4.1: L3; L2; L1; none.]
Inter-AS VPNv4 TFIB Entries
• A VPNv4 TFIB entry corresponds to VPNv4 RD + Prefix
Inter-AS Basic Configuration
• Create a loopback address on participating ASBRs
• Set up ASBRs for VPNv4 route distribution
• Set up ASBRs for IPv4 route distribution
• Disable automatic route filtering feature
• Set ASBR as Next-Hop-Self
Inter-AS Memory and Performance Impact
• Similar to that of basic VPNv4 for the same number of VRFs and router per VRF
VPN Client Connectivity
[Figure: VPN sites attached to different MPLS VPN Service Providers. AS #100 and AS #200 with VPN-A-1, VPN-A-2, CE-1, CE2, PE-1, PE2, Edge Router1 and Edge Router2. Annotations:
  - BGP, OSPF, RIPv2: 149.27.2.0/24, NH=CE-1
  - VPN-v4 update: RD:1:27:149.27.2.0/24, NH=PE-1, RT=1:231, Label=(28)
  - VPN-A VRF: import routes with route-target 1:231]
How to distribute routes between SPs?
VPNv4 Distribution Options in Inter-AS
Several options available for distribution of VPNv4 prefix information
[Figure: AS #100 and AS #200 with VPN-A-1, VPN-A-2, CE-1, CE-2, PE-1, PE-2, PE-ASBR-1 and PE-ASBR-2. Options shown: back-to-back VRFs; MP-eBGP for VPNv4; multihop MP-eBGP between RRs; non-VPN transit provider; multihop MP-eBGP.]
INTER-AS CONNECTIVITY MODELS
Inter-AS Connectivity Models
• Back-to-back VRFs
• External MP-eBGP for VPNv4
• Multihop MP-eBGP
• Multihop MP-eBGP between RRs
• Non-VPN Transit Provider
Option 1: Back-to-Back VRF Connectivity
• Recommended for fewer VRFs requiring simpler connectivity when ASBRs are directly connected over a physical interface
• ASBRs are directly connected over a physical interface
• Sub-interface per VRF is created and mapped
• Packet is forwarded as an IP packet between the ASBRs
• Each PE-ASBR router treats the other as a CE
• PE-ASBR to PE-ASBR link may use any supported PE-CE routing protocol
• Scalability issues if need to support large numbers of VRFs
Back-to-Back VRF Connectivity
[Figure: AS #100 and AS #200 with PE-1, PE-2, PE-ASBR-1, PE-ASBR-2, sites VPN-A-1, VPN-A-2, VPN-B-1, VPN-B-2 and CE-1 to CE-4. VRF to VRF connectivity between PE-ASBRs: one logical interface & VRF per VPN client.]
Back-to-Back VRF Connectivity Control Plane
[Figure: VRF to VRF connectivity between PE-ASBRs for prefix 152.12.4.0/24 in VPN-B (CE-2, CE-3, PE-1, PE-2, PE-ASBR-1, PE-ASBR-2). Updates shown:
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=CE-2
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(29)
  - VPN-B VRF: import routes with route-target 1:222
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=PE-ASBR1
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-ASBR-2, RT=1:222, Label=(92)
  - VPN-B VRF: import routes with route-target 1:222
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=PE-2]
Back-to-Back VRF Connectivity Forwarding Plane
[Figure: VRF to VRF connectivity between PE-ASBRs; packet to 152.12.4.1 (prefix 152.12.4.0/24, VPN-B) across PE-2, PE-ASBR-2, PE-ASBR-1 and PE-1, with CE-2 and CE-3 attached. Packet shown as: plain IP; LDP PE-ASBR-2 label + label 92; plain IP; LDP PE-1 label + label 29; plain IP.]
Option 2: External MP-BGP for VPNv4 Prefix Exchange
• Recommended when a larger number of VRFs need to be supported
• ASBRs are directly connected and belong to only a couple of service providers
• Traffic crosses only a single-hop network
External MP-BGP for VPNv4 Prefix Exchange (Cont.)
• Gateway PE-ASBRs exchange routes directly using BGP
  - External MP-BGP for VPNv4 prefix exchange
  - No LDP or IGP
• MP-BGP session with next-hop set to advertising PE-ASBR
  - Next-hop and labels are rewritten when advertised across the Inter-Provider MP-BGP session
• PE-ASBR stores all VPN routes that need to be exchanged
  - Only within the BGP table (no VRFs)
  - Labels are populated into the LFIB of the PE-ASBR
External MP-BGP for VPNv4
• Receiving Gateway PE-ASBRs may allocate new label if desired
  - Controlled by configuration of next-hop-self (default is off)
• Receiving PE-ASBR will automatically create a /32 host route for its PE-ASBR neighbor
  - Which must be advertised into receiving IGP if next-hop-self is NOT in operation to maintain the LSP
• PE-ASBRs need to hold all Inter-AS VPN routes
External MP-BGP for VPNv4
[Figure: AS #100 and AS #200 with PE-1, PE-2, PE-ASBR-1, PE-ASBR-2, sites VPN-A-1, VPN-A-2, VPN-B-1, VPN-B-2 and CE-1 to CE-4. MP-BGP VPNv4 prefix exchange between Gateway PE-ASBRs (MP-eBGP for VPNv4); label exchange between Gateway PE-ASBR routers using MP-eBGP.]
External MP-BGP for VPNv4 Control Plane
[Figure: prefix 152.12.4.0/24 in VPN-B (CE-2, CE-3, PE-1, PE-2, PE-ASBR-1, PE-ASBR-2). Updates shown:
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=CE-2
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1)
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-ASBR-1, RT=1:222, Label=(L2)
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-ASBR-2, RT=1:222, Label=(L3)
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=PE-2]
External MP-BGP for VPNv4 Forwarding Plane
[Figure: packet to 152.12.4.1 (prefix 152.12.4.0/24, VPN-B) across PE-2, PE-ASBR-2, PE-ASBR-1 and PE-1, with CE-2 and CE-3 attached. Label stacks shown: LDP PE-ASBR-2 label + L3; L3; L2; LDP PE-1 label + L1; L1; none.]
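An added illustration (not from the original slides) of the Option 2 control and forwarding planes, using the slides' values (RD 1:27, 152.12.4.0/24, RT 1:222, labels L1 to L3). The `Router` class and function names are hypothetical and the IGP/LDP transport label inside each AS is not modelled; the second run shows the route PE-2 receives when PE-ASBR-2 does not apply next-hop-self.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str        # route distinguisher, e.g. "1:27"
    prefix: str
    rt: str        # route target carried as an extended community
    next_hop: str
    label: str     # VPN label the next hop expects to receive


class Router:
    def __init__(self, name):
        self.name = name
        self.bgp = {}    # (rd, prefix) -> route as received (BGP table only, no VRF)
        self.lfib = {}   # incoming VPN label -> (outgoing label or None, next node)

    def originate(self, rd, prefix, rt, label, ce):
        """Egress PE: allocate a VPN label that is popped toward the CE."""
        self.lfib[label] = (None, ce)
        return Vpnv4Route(rd, prefix, rt, self.name, label)

    def readvertise(self, route, new_label=None):
        """PE-ASBR: store the route. With a new label, rewrite next hop and label
        and install the swap entry. With new_label=None (receiving ASBR without
        next-hop-self) the route is passed on unchanged."""
        self.bgp[(route.rd, route.prefix)] = route
        if new_label is None:
            return route
        self.lfib[new_label] = (route.label, route.next_hop)
        return replace(route, next_hop=self.name, label=new_label)


def forward(routers, ingress, route):
    """Trace the VPN label from the ingress PE to the CE.
    The IGP/LDP transport label inside each AS is not modelled."""
    hops = [(ingress, f"push {route.label}")]
    label, node = route.label, route.next_hop
    while label is not None:
        out_label, nxt = routers[node].lfib[label]
        action = f"pop {label}" if out_label is None else f"swap {label}->{out_label}"
        hops.append((node, action))
        label, node = out_label, nxt
    hops.append((node, "deliver"))
    return hops


def build(next_hop_self_on_asbr2):
    """Propagate the slides' route PE-1 -> PE-ASBR-1 -> PE-ASBR-2 -> PE-2."""
    pe1, asbr1, asbr2 = Router("PE-1"), Router("PE-ASBR-1"), Router("PE-ASBR-2")
    routers = {r.name: r for r in (pe1, asbr1, asbr2)}
    r1 = pe1.originate("1:27", "152.12.4.0/24", "1:222", "L1", ce="CE-2")
    r2 = asbr1.readvertise(r1, "L2")     # sent over MP-eBGP to PE-ASBR-2
    r3 = asbr2.readvertise(r2, "L3" if next_hop_self_on_asbr2 else None)
    return routers, r3


if __name__ == "__main__":
    for nhs in (True, False):
        routers, seen_by_pe2 = build(nhs)
        print("next-hop-self on PE-ASBR-2:", nhs, seen_by_pe2)
        for hop in forward(routers, "PE-2", seen_by_pe2):
            print("   ", hop)
```

Without next-hop-self, PE-2 resolves the route through PE-ASBR-1, which is why the slides require the /32 host route for the neighboring PE-ASBR to be advertised into the receiving IGP.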
Option 3: Multi-Hop External MP-BGP for VPNv4
• Useful for exchanging a large number of routes with the same or multiple service providers; traffic crosses more than one hop
• External MP-BGP between PE-ASBR routers (Option 2)
• PE-ASBR routers exchange routes across a Multi-hop BGP session
  - External MP-BGP for VPNv4 prefix exchange
• IGP and LDP required between PE-ASBR routers to maintain the end-to-end internal LSP
  - Can use static routing to interface addresses
• No /32 host route created for adjacent PE-ASBR routers
Multi-Hop External MP-BGP for VPNv4
[Figure: AS #1 and AS #2 with VPN-A-1, VPN-A-2, CE-1, CE-4, PE-1, PE-2, PE-ASBR-1 and PE-ASBR-2. Multi-hop session between Gateway PE-ASBRs (multi-hop MP-eBGP for VPNv4), with IGP & LDP between them.]
Multi-Hop External MP-BGP for VPNv4 Control Plane
[Figure: prefix 152.12.4.0/24 in VPN-B (CE-2, CE-3, PE-1, PE-2, PE-ASBR-1, PE-ASBR-2). Updates shown:
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=CE-2
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1)
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-ASBR-1, RT=1:222, Label=(L2)
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-ASBR-2, RT=1:222, Label=(L3)
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=PE-2
  - IGP & LDP exchange of PE-ASBR-1]
Multi-Hop External MP-BGP for VPNv4 Forwarding Plane
[Figure: packet to 152.12.4.1 (prefix 152.12.4.0/24, VPN-B) across PE-2, PE-ASBR-2, PE-ASBR-1 and PE-1, with CE-2 and CE-3 attached. Label stacks shown: LDP PE-ASBR-2 label + L3; L3; LDP PE-ASBR-1 label + L2; LDP PE-1 label + L1; L1; none.]
Option 4: Multihop MP-eBGP for VPNv4 between RRs: Application Note
• Multi-Hop MP-eBGP with RR is useful for off-loading VPNv4 routes to the RR for scalability. ASBRs will not need to maintain VPNv4 routes.
• MPLS VPN providers exchange VPNv4 prefixes via their Route Reflectors
  - Requires Multihop MP-eBGP (VPNv4 routes)
• Next-hop-self MUST be disabled on Route Reflector
  - Preserves next-hop and label as allocated by the originating PE router
• Providers exchange IPv4 routes with labels between directly connected ASBRs using eBGP
  - Only PE loopback addresses exchanged as these are BGP next-hop addresses
Multihop MP-eBGP for VPNv4 between RRs
[Figure: AS #100 and AS #200 with PE-1, PE-2, ASBR-1, ASBR-2, RR-1, RR-2, sites VPN-A-1, VPN-A-2, VPN-B-1, VPN-B-2 and CE-1 to CE-4. Multihop MP-eBGP VPNv4 prefix exchange between Route Reflectors (multihop MP-eBGP for VPNv4 with no next-hop-self); ASBRs exchange BGP next-hop addresses with labels (eBGP IPv4 + labels).]
Multihop MP-eBGP for VPNv4 between RRs: Control Plane
[Figure: prefix 152.12.4.0/24 in VPN-B (CE-2, CE-3, PE-1, PE-2, ASBR-1, ASBR-2, RR-1, RR-2; SP #2). Updates shown:
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=CE-2
  - VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1), shown unchanged on each VPNv4 session
  - Network=PE-1, NH=ASBR-1, Label=(L2)
  - Network=PE-1, NH=ASBR-2, Label=(L3)
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=PE-2]
Multihop MP-eBGP for VPNv4 between RRs: Forwarding Plane
[Figure: packet to 152.12.4.1 (prefix 152.12.4.0/24, VPN-B) across PE-2, ASBR-2, ASBR-1 and PE-1, with RR-1, RR-2, CE-2 and CE-3. Label stacks shown: LDP PE-ASBR-2 label + L3 + L1; L3 + L1; L2 + L1; LDP PE-1 label + L1; L1; none.]
Option 5: Non-VPN Transit Provider
• Two MPLS VPN providers may exchange routes via third parties (non-VPN transit backbones running MPLS)
• Multihop MP-eBGP deployed between edge providers
  - With the exchange of BGP next-hops via the transit provider
• Providers may change the AS# within each region
  - Transit network is not part of the AS path
• Requirement to propagate BGP next-hops and also build end-to-end LSPs
• Options for end-to-end LSP creation
  - Merge IGPs of all AS’s including the transit network
  - Redistribute PE host routes between AS’s
  - Use static routes across boundaries; redistribute to IGP
  - Use IPv4 + labels
Non-VPN Transit Provider
[Figure: MPLS VPN Provider #100 and MPLS VPN Provider #200 joined by a non-VPN MPLS transit backbone; PE-1, PE-2, ASBR-1 to ASBR-4, RR-1, RR-2, sites VPN-B-1 and VPN-B-2, CE-2 and CE-3. Multihop MP-eBGP or MP-iBGP for VPNv4 with NO next-hop-self; eBGP IPv4 + labels on the ASBR links.]
Non-VPN Transit Provider Control Plane
[Figure: prefix 152.12.4.0/24 in VPN-B across a non-VPN MPLS transit backbone (PE1, PE2, ASBR-1 to ASBR-4, RR-1, RR-2, CE-2, CE-3; MPLS VPN Provider #2). Updates shown:
  - BGP, OSPF, RIPv2: 152.12.4.0/24, NH=CE-2
  - Inner label exchange: 152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1), shown unchanged on each VPNv4 session
  - End-to-end LSP (forwarding path): Network=PE-1, NH=ASBR-1, Label=(L2); Network=PE-1, NH=ASBR-2, Label=(L3); Network=PE-1, NH=ASBR-3, Label=(L4); Network=PE-1, NH=ASBR-4, Label=(L5)]
Non-VPN Transit Provider Forwarding Plane
[Figure: packet to 152.12.4.1 (prefix 152.12.4.0/24, learned via BGP, OSPF or RIPv2 with NH=CE-2) across PE2, ASBR-4, ASBR-3, the non-VPN MPLS transit backbone, ASBR-2, ASBR-1 and PE1, with RR-1, RR-2, CE-2 and CE-3. Label stacks shown: LDP PE-ASBR-4 label + L5 + L1; L4 + L1; LDP PE-ASBR-2 label + L3 + L1; L2 + L1; LDP PE-1 label + L1; L1.]
Why IPv4 BGP Label Distribution?
• Allows a VPN service provider network to exchange IPv4 routes with MPLS labels
• Use BGP to distribute labels associated with the routes at the same time it distributes the routes
[Figure: AS #100 and AS #200 with AS1_PE1, ASBR-1, ASBR-2 and AS2_PE1; eBGP IPv4 + labels between the ASBRs.]
Benefits:
• Eliminate the need for any other Label distribution protocol between the two ASBRs
• Allow a non-VPN core network to act as a transit network for VPN traffic
IPv4 BGP Label Distribution Architecture
• Subsequent Address Family Identifier (value 4) field is used to indicate that the NLRI contains a label
• If a BGP peer indicates, through BGP Capability Advertisement, that it can process Update messages with the specified SAFI field, a BGP speaker can use BGP to send labels
• No specific procedures are enforced in the RFC when the BGP peers are non-adjacent
• Accept labels only from trusted sources to ensure proper security
IPv4 BGP Label Distribution Configuration
• ASBRs (and RR if in use)
    address-family ipv4
    ! Redistributing IGP into BGP
    neighbor <neighbors loopback add> send-label
• AS1_PE1
    neighbor <RR> send-label
    neighbor <ASBR-1> send-label
• RR
    neighbor <ASBR-1> send-label
    neighbor <AS1_PE1> send-label
Summary: Back-to-back VRF Connectivity
• Scalability is an issue with many VPNs
  - One VRF & logical interface required per VPN client
  - Gateway PE-ASBR must hold ALL routing information
• PE-ASBR must filter & store VPNv4 prefixes
  - Plus import into VRFs thus increasing MPLS, CEF & routing table memory
• No MPLS label switching required between providers
  - Standard IP between gateway PE-ASBRs
  - No exchange of routes using MP-eBGP
  - Simple solution, works today but limited in deployment scope
Summary: MP-eBGP for VPNv4 Prefix Exchange
• Scalability less of an issue when compared to back-to-back VRF connectivity
  - Only one interface required between PE-ASBR routers
  - No VRF requirement on any PE-ASBR router interfaces
• Automatic Route Filtering must be disabled
  - Hence filtering on RT values essential, and good filtering policy must be applied on EVERY PE-ASBR
  - Import of routes into VRFs is not required which reduces the memory impact on PE-ASBR routers
• MPLS label switching required between providers
  - Routes exchanged using MP-eBGP
  - Still simple, more scalable & works today
Summary: Multi-hop MP-eBGP for VPNv4
• More scalable than back-to-back VRF or MP-eBGP for VPNv4
  - As ALL VPNv4 routes held on route reflectors and NOT PE-ASBR routers
• Route Reflectors hold VPNv4 information
  - Each provider utilizes route reflectors locally for VPNv4 prefix distribution
  - eBGP connection added for exchange with external peer
• BGP next-hop addresses exchanged between providers across PE-ASBR links using IPv4 + labels
  - Separation of forwarding & control planes
  - IPv4 + labels
INTER-AS SAMPLE CONFIGURATIONS
Multihop and Label Distribution with RR: Network Topology
[Figure: AS #100 and AS #200 with PE-1, PE-2, ASBR-1, ASBR-2, RR-1 and RR-2; addresses shown: aa.aa, bb.bb, ee.ee, ff.ff, ww.ww, xx.xx. Multihop MP-eBGP for VPNv4 with no next-hop-self; ASBRs exchange BGP next-hop addresses with labels (eBGP IPv4 + labels).]
Goal: distribute the VPNv4 and IPv4 routes, and the MPLS labels of remote PEs/RRs to local PEs and RRs
Network Specifications and Requirements
• AS 100 uses the route reflectors to distribute the IPv4/VPNv4 routes and MPLS labels from the ASBR to the PE
• In AS 200, the IPv4 routes that ASBR2 learned are redistributed into IGP
• IP Addressing:
  - RR1: aa.aa
  - RR2: bb.bb
  - ASBR-1: ww.ww
  - ASBR-2: xx.xx
  - PE1: ee.ee
  - PE2: ff.ff
Network Specifications and Requirements
• RR1 exchanges VPNv4 routes with RR2, using multiprotocol, multihop EBGP
• VPNv4 next hop information and VPN label are preserved across the autonomous systems
• RR1 reflects to PE1 the VPNv4 routes learned from RR2 and the IPv4 routes and MPLS labels learned from ASBR1
Route Reflector 1 Configuration (Cont.)

ip subnet-zero
ip cef
!
interface Loopback0
 ip address aa.aa.aa.aa 255.255.255.255
 no ip directed-broadcast
!
router bgp 100
 bgp cluster-id 1
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor ee.ee.ee.ee remote-as 100
 neighbor ee.ee.ee.ee update-source Loopback0
 neighbor ww.ww.ww.ww remote-as 100
 neighbor ww.ww.ww.ww update-source Loopback0
 neighbor bb.bb.bb.bb remote-as 200
 neighbor bb.bb.bb.bb ebgp-multihop 255
 neighbor bb.bb.bb.bb update-source Loopback0
 no auto-summary
 !
 address-family ipv4
  ! IPv4+labels session to PE1
  neighbor ee.ee.ee.ee activate
  neighbor ee.ee.ee.ee route-reflector-client
  neighbor ee.ee.ee.ee send-label
  ! IPv4+labels session to ASBR1
  neighbor ww.ww.ww.ww activate
  neighbor ww.ww.ww.ww route-reflector-client
  neighbor ww.ww.ww.ww send-label
  no neighbor bb.bb.bb.bb activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  ! VPNv4 session with PE1
  neighbor ee.ee.ee.ee activate
  neighbor ee.ee.ee.ee route-reflector-client
  neighbor ee.ee.ee.ee send-community extended
  ! MH-VPNv4 session with RR2 (next-hop-unchanged)
  neighbor bb.bb.bb.bb activate
  neighbor bb.bb.bb.bb next-hop-unchanged
  neighbor bb.bb.bb.bb send-community extended
 exit-address-family
!
Route Reflector 2 Configuration (Cont.)
• RR2 exchanges VPNv4 routes with RR1 through multihop, multiprotocol EBGP
• Next-hop and the VPN label are preserved across the autonomous systems

ip subnet-zero
ip cef
!
interface Loopback0
 ip address bb.bb.bb.bb 255.255.255.255
 no ip directed-broadcast
!
router bgp 200
 bgp cluster-id 1
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor aa.aa.aa.aa remote-as 100
 neighbor aa.aa.aa.aa ebgp-multihop 255
 neighbor aa.aa.aa.aa update-source Loopback0
 neighbor ff.ff.ff.ff remote-as 200
 neighbor ff.ff.ff.ff update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  ! Multihop VPNv4 session with RR1 (next-hop-unchanged)
  neighbor aa.aa.aa.aa activate
  neighbor aa.aa.aa.aa next-hop-unchanged
  neighbor aa.aa.aa.aa send-community extended
  ! VPNv4 session with PE2
  neighbor ff.ff.ff.ff activate
  neighbor ff.ff.ff.ff route-reflector-client
  neighbor ff.ff.ff.ff send-community extended
 exit-address-family
!
ASBR-1 Configuration
• ASBR1 exchanges IPv4 routes and MPLS labels with ASBR2

ip subnet-zero
mpls label protocol tdp
!
interface Loopback0
 ip address ww.ww.ww.ww 255.255.255.255
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
 address-family ipv4
  ! Redistributing IGP into BGP so that PE1 & RR1 loopbacks get into the BGP table
  redistribute ospf 10
  neighbor aa.aa.aa.aa activate
  neighbor aa.aa.aa.aa send-label
  neighbor hh.0.0.1 activate
  neighbor hh.0.0.1 advertisement-interval 5
  neighbor hh.0.0.1 send-label
  ! Accepting routes from route-map IN
  neighbor hh.0.0.1 route-map IN in
  ! Distributing routes from route-map OUT
  neighbor hh.0.0.1 route-map OUT out
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor aa.aa.aa.aa activate
  neighbor aa.aa.aa.aa send-community extended
 exit-address-family
!
! Set up the access lists
access-list 1 permit ee.ee.ee.ee log
access-list 2 permit ff.ff.ff.ff log
access-list 3 permit aa.aa.aa.aa log
access-list 4 permit bb.bb.bb.bb log
!
! Setting up the route maps
! ASBR1 should accept PE2's route (ff.ff) with labels and
! RR2's route (bb.bb) without labels
route-map IN permit 10
 match ip address 2
 match mpls-label
!
route-map IN permit 11
 match ip address 4
!
! ASBR1 should distribute PE1's route (ee.ee) with labels and
! RR1's route (aa.aa) without labels
route-map OUT permit 12
 match ip address 3
!
route-map OUT permit 13
 match ip address 1
 set mpls-label
ASBR-2 Configuration
• ASBR2 and ASBR1 exchange IPv4 routes and MPLS labels
• ASBR2 does not use the RR to reflect IPv4 routes and MPLS labels to PE2
• ASBR2 redistributes the IPv4 routes and MPLS labels learned from ASBR1 into IGP
• PE2 can now reach the prefixes
ASBR-2 Configuration (Cont.)

ip subnet-zero
ip cef
!
interface Loopback0
 ip address xx.xx.xx.xx 255.255.255.255
 no ip directed-broadcast
!
router bgp 200
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor bb.bb.bb.bb remote-as 200
 neighbor bb.bb.bb.bb update-source Loopback0
 neighbor hh.0.0.2 remote-as 100
 no auto-summary
 !
 address-family ipv4
  ! Redistributing IGP into BGP so that PE2 & RR2 loopbacks
  ! will get into the BGP-4 table
  redistribute ospf 20
  neighbor hh.0.0.2 activate
  neighbor hh.0.0.2 advertisement-interval 5
  neighbor hh.0.0.2 route-map IN in
  neighbor hh.0.0.2 route-map OUT out
  neighbor hh.0.0.2 send-label
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor bb.bb.bb.bb activate
  neighbor bb.bb.bb.bb send-community extended
 exit-address-family
!
! Setting up the access lists
access-list 1 permit ff.ff.ff.ff log
access-list 2 permit ee.ee.ee.ee log
access-list 3 permit bb.bb.bb.bb log
access-list 4 permit aa.aa.aa.aa log
!
! Setting up the route maps
route-map IN permit 11
 match ip address 2
 match mpls-label
!
route-map IN permit 12
 match ip address 4
!
route-map OUT permit 10
 match ip address 1
 set mpls-label
!
route-map OUT permit 13
 match ip address 3
!
INTER-AS SUMMARY
Inter-AS Summary
• Service Providers have deployed Inter-AS for:
  - Scalability purposes
  - Partitioning the network based on services or management boundaries
• Some contract work is in progress amongst Service Providers to establish partnerships and offer end-to-end VPN services to the common customer base
• Service Provider networks are completely separate
  - Do not need to exchange internal prefix or label information
• Each Service Provider establishes a direct MP-eBGP session with the others to exchange VPN-IPv4 addresses with labels
• A /32 route to reach the ASBR is created by default so ASBRs can communicate without a need for IGP
  - Must be redistributed in the receiving Service Provider’s IGP
Inter-AS Summary (Cont.)
• IGP or LDP across ASBR links is not required
  - Labels are already assigned to the routes when exchanged via MP-eBGP
  - Interface used to establish MP-eBGP session does not need to be associated with a VRF
• Direct eBGP routes and labels can be exchanged
• Next-hop-self can be turned on on ASBRs, enabling the ASBR to use its own address as the next hop
• Using next-hop-self requires an additional entry in the TFIB for each VPNv4 route (about 180 bytes)
• If the Service Provider wishes to hide the Inter-AS link, use the next-hop-self method; otherwise use the redistribute connected subnets method
Inter-AS Summary (Cont.)
• Multi-hop MP-eBGP sessions can be passed between Service Providers without conversions to VPNv4 routes
• Configuration of VRFs is not required on the ASBRs because bgp default route-target filter (automatic route filtering feature) has been disabled
• To conserve memory on both sides of the boundary and implement a simple form of security, always configure inbound route-maps so that only the routes that need to be passed to the other AS are accepted
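One way to check the inbound route-map advice above against an ASBR configuration, as an added example rather than Cisco tooling or code from the slides. The sample configuration, its documentation-range addresses and the route-map name VPN-IN are constructed, and the parser assumes neighbors are explicitly activated per address family, as in the slides' configurations.

```python
import re
from collections import defaultdict

# Constructed ASBR excerpt (documentation addresses, hypothetical route-map names).
SAMPLE = """\
router bgp 100
 neighbor 192.0.2.1 remote-as 100
 neighbor 198.51.100.2 remote-as 200
 neighbor 203.0.113.9 remote-as 300
 address-family ipv4
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 send-label
  neighbor 198.51.100.2 activate
  neighbor 198.51.100.2 send-label
  neighbor 198.51.100.2 route-map IN in
  neighbor 203.0.113.9 activate
  neighbor 203.0.113.9 send-label
 exit-address-family
 address-family vpnv4
  neighbor 203.0.113.9 activate
  neighbor 203.0.113.9 route-map VPN-IN in
 exit-address-family
!
route-map IN permit 10
 match ip address 2
 match mpls-label
!
route-map IN permit 11
 match ip address 4
!
route-map VPN-IN permit 10
!
"""


def parse(config):
    """Return (local_as, remote_as, per-AF neighbor state, route-map clauses)."""
    local_as, remote_as, af, clause = None, {}, None, None
    nbrs = defaultdict(lambda: {"active": False, "labels": False, "in_map": None})
    maps = defaultdict(list)            # name -> [(action, [match lines])]
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"router bgp (\d+)", line):
            local_as, clause = m.group(1), None
        elif m := re.fullmatch(r"neighbor (\S+) remote-as (\d+)", line):
            remote_as[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"address-family (\S+).*", line):
            af = m.group(1)
        elif line == "exit-address-family":
            af = None
        elif af and (m := re.fullmatch(r"neighbor (\S+) (.+)", line)):
            state, rest = nbrs[(af, m.group(1))], m.group(2)
            if rest == "activate":
                state["active"] = True
            elif rest == "send-label":
                state["labels"] = True
            elif mm := re.fullmatch(r"route-map (\S+) in", rest):
                state["in_map"] = mm.group(1)
        elif m := re.fullmatch(r"route-map (\S+) (permit|deny) \d+", line):
            clause = []
            maps[m.group(1)].append((m.group(2), clause))
        elif clause is not None and line.startswith("match "):
            clause.append(line)
    return local_as, remote_as, nbrs, maps


def audit(config):
    """List (neighbor, address-family, problem) for external sessions that carry
    labels or VPNv4 routes without a restrictive inbound route-map."""
    local_as, remote_as, nbrs, maps = parse(config)
    findings = []
    for (af, nbr), st in sorted(nbrs.items()):
        external = remote_as.get(nbr) not in (None, local_as)
        if not (external and st["active"] and (st["labels"] or af == "vpnv4")):
            continue
        name = st["in_map"]
        if name is None:
            findings.append((nbr, af, "no inbound route-map"))
        elif name not in maps:
            findings.append((nbr, af, f"route-map {name} is not defined"))
        elif any(act == "permit" and not m for act, m in maps[name]):
            findings.append((nbr, af, f"route-map {name} has a permit clause with no match"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```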