111 © 2003 Cisco Systems, Inc. All rights reserved. Half Duplex VRFs, 12/03 HALF DUPLEX VRFs: A...

111© 2003 Cisco Systems, Inc. All rights reserved.

Half Duplex VRFs, 12/03

HALF DUPLEX VRFs: A SCALABLE HUB & SPOKE IMPLEMENTATIONDECEMBER 2003



HALF DUPLEX VRFs (HDV)





• Only way to implement hub and spoke topology is to put every spoke into a single and unique VRF

Ensures that spokes do not communicate directly

• Single VRF model, which does not include HDV, impairs the ability to bind traffic on the upstream ISP Hub

Why Half Duplex VRFs?Problem



• HDV allows the wholesale Service Provider to provide true hub and spoke connectivity to subscribers, who can be connected to the:

Same or different PE-router(s)

Same or different VRFs, via the upstream ISP

Why Half Duplex VRFs?Solution



• Problem

PE requires multiple VRF tables for multiple VRFs to push spoke traffic via hub

If the spokes are in the same VRF (no HDV), traffic will be switched locally and will not go via the hub site

• Solution

HDVs allows all the spoke site routes in one VRF

• Benefit

Scalability for RA to MPLS connections

Reduces memory requirements by using just two VRF tables

Simplifies provisioning, management, and troubleshooting by reducing the number of Route Target and Route Distinguisher configuration

Technical Justification



PE MPLSCORE ISP

ISPHUB

VPNport

VPN port

VPNport

A

B

• All the spokes in the same VPN (yellow)

• Dedicated (separate) VRF per spoke is needed to push all traffic through upstream ISP Hub

Spoke AVRF

Spoke BVRF

CEHUBSite PE

SpokeSite PE

Hub & Spoke Connectivity Without HDV Requires Dedicated VRF Tables Per Spoke



PE MPLSCORE ISPCE

ServiceLoopback

HUB

VPNport

VPNport

VPN port

A

B

• If two subscribers of the same service terminate on the same PE-router, then traffic between them can be switched locally at the PE-router (as shown), which is undesirable

• All inter-subscriber traffic needs to follow the default route via the Home Gateway (located at upstream ISP).

Single VRF table

HubSite PE

SpokeSite PE

Hub & Spoke Connectivity Without HDV Using A Single VRF



• Upstream VRF

Used to forward packets from Spokes to Hub

Contains a static default route

• Downstream VRF

Use to forward packets from Hub to Spoke

Contains a /32 route to a subscriber (installed from PPP)

Terminology



PE MPLSCORE ISPCE

HUB

VPNport

VPNport

VPN port

A

B

• If two subscribers of the same service terminate on the same PE-router, traffic between them is not switched locally

• All inter-subscriber traffic follows the default route via the Home Gateway (located at upstream ISP)

Single VRF table

HUBSite PE

SpokeSite PE

Hub & Spoke Connectivity With HDVUsing A Single VRF



1. HDVs are used in only one direction by incoming traffic

Ex: upstream toward the MPLS VPN backbone or downstream toward the attached subscriber

2. PPP client dial, and is authenticated, authorized, and assigned an IP address.

3. Peer route is installed in the downstream VRF table

One single downstream VRF for all spokes in the single VRF

4. To forward the traffic among spokes (users), upstream VRF is consulted at the Spoke PE and traffic is forwarded from a Hub PE to Hub CE

Return path: downstream VRF is consulted on the Hub PE before forwarding traffic to appropriate spoke PE and to the spoke (user)

5. Source address look up occurs in the downstream VRF, if unicast RPF check is configured on the interface on which HDV is enabled

Half Duplex VRF Functionality



1. PPP user initiates a session with PPP session using a name [email protected] and password

2. LAC/PE-router sends username information to the WholesaleServiceProvider Radius Server

3. ISP-A (service name) is used to index into a profile that contains information on the IP address of the Radius server of the ISP-A

4. [email protected] and password is then forwarded from the Wholesale Provider Radius server (which acts as a "proxy-radius"), towards the ISP Radius server

5. ISP-A Radius server authenticates and assigns IP address

6. ISP-A Radius server sends "Access-Accept" to Wholesale Service Provider Radius Server

7. The wholesale Service Provider Radius server adds authorization information to the Access-Accept, (based on the domain or servicename)and the VRF to be used by Subscriber-A, and forwards it to PE-WholesaleProvider-LAC router

8. PE-WholesaleProvider-LAC router creates temporary Virtual-Access interface (with associated /32 IP address) and places it into the appropriate VRF

PE-WholeSaleProvider-LAC PE-ISP

PPP UserSubscriber-A

Wholesale Service Provider AAA Server

ISP-AAAA Server

MPLS Core

Subscriber Connection Process



!

interface <> ip vrf forwarding <vrf-name1> [downstream <vrf-

name2>]

!

vrf-name1: First VRF that the interface is associated with.

vrf-name2: This is the downstream VRF. PPP peer route and per-user routes from AAA server are installed in this VRF.

Configuration Command



ip vrf Internet-ISPA-upstream rd 10:26 route-target import 10:26!ip vrf Internet-ISPA-downstream rd 10:27 route-target export 10:27

• Upstream VRF only requires a route-target import statement

Imports the default route from the hub PE router (@WholeSale Provider)

• Downstream VRF only requires a route-target export command

Used to export all of the /32 (virtual-access ints) addresses toward the hub PE-router

• Each VRF is created on the Spoke PE-router (LAC) before PPPoA or PPPoE client connections are established

Sample Configuration



• Reverse Path Forwarding (RPF)

Used by Service Provider determine the source IP address of an incoming IP packet and ascertain whether it entered the router via the correct inbound interface

• Concern

HDV populates a different VRF than the one used for “upstream” forwarding

• Solution

Extend the RPF mechanism so the “downstream” VRF is checked

• To enable RPF extension, configure:

ip verify unicast reverse-path <downstream vrfname>

Reverse Path Forwarding Check



• IP unnumbered any point-to-point interfaces, including virtual access/template interfaces

• Spokes connected to Spoke PE or the Hub PE

• Subscriber using single or multiple ISPs

• Reverse Path Forwarding Check

HDV Supported Features



• HDV-1Base image: Release 12.2(14.6)T1

No unicast RPF support

• HDV-2Base image: Release 12.2(15)T

Unicast RPF support added

• HDV-3Base image: Release 12.2(15)T2

Handles cases when downstream VRF is deleted

Added support for distributed hardware; unicast RPF HDV info is propagated to linecards

show ip vrf detail

show ip interface

show ip cef interface internal

• HDV-4Same as HDV-3; based on Release 12.3(3)

HDV Support: Cisco IOS Software Images



• Software

Only supports Virtual Access/Template interfaces

– Must be configured with IP unnumbered

– "ip address ..." is not allowed on HDV interfaces

PE-CE link: supports only static routing

• Hardware

Release 12.3: feature will be available only on Cisco 6400 Series (NRP and NRP2 router blades)

Restrictions



• These commands highlight upstream / downstream VRFs bound to particular interfaces and give detailed information about VRFs

PE-router# sh ip int vi 3Virtual-Access3 is up, line protocol is up

Interface is unnumbered. Using address of Loopback2 (2.0.0.8) VPN Routing/Forwarding "U"Downstream VPN Routing/Forwarding "D"IP multicast fast switching is disabled

Show Commands

Partial output highlighting only HDV related information



PE-router#sh ip vrf detail DVRF D; default RD 1:8; default VPNID <not set> Description: Downstream VRF - to spokes No interfaces Interfaces using this VRF as downstream: Virtual-Access3 Virtual-Access4 Connected addresses are not in global routing table Export VPN route-target communities RT:1:100 No Import VPN route-target communities No import route-map No export route-map

PE-router# sh cef interface vi 3 int Virtual-Access3 is up (if_number 35) Subblocks:

ip verify: via=rx, acl=0, drop=0, sdrop=0, downstream VRF D

Show Commands (Cont.)



CASE STUDY





Case Study

• Scenario

Wholesale Service Provider and ISPs are offering services in partnership to the subscribers

Subscribers connect to the Wholesale Service Provider network, which directs them to the appropriate ISP based on the Subscribed services

• Network topology and specification

Multiple Spoke sites are connected to the same PE router in a Hub/Spoke topology over PPPoE

Hub-PE is a separate PE router

This topology serves PPP clients, who are authenticated and authorized by a Radius server via LNS (SpokeSitePE)



Topology

SpokeSitePE(LNS1)

MPLS Core

HubSitePE

SpokeSiteCE1(LAC1)Subscriber1

SpokeSiteCE2(LAC2)Subscriber2

ISP1_Hub_CE

AAARadius Server

Subscribers

Subscribers



Topology (Cont.)

SpokeSitePE(LNS1)

MPLS Core

HubSitePESpokeSiteCE1(LAC1)

SpokeSiteCE2(LAC2)

ISP1_Hub_CE

AAARadius Server

ip vrf D

rd 1:8

route-target export 1:100

ip vrf U rd 1:0

route-target import 1:0

ip vrf HUB rd 1:20 route-target export 1:0 route-target import 1:100 Subscriber1

Subscriber2



Configuration Steps To Enable HDV

• HubSitePERegular VRF and VPNv4 configuration associated with HUB VRF

• SpokeSitePE (LNS)Create upstream & downstream VRFs

Configure VPDN & AAA related configuration as usual

Configure VPNv4 and VRFs as in basic MPLS VPN including upstream and downstream VRFs VPNv4 address-families

• SpokeSiteCE (LAC)Create upstream & downstream VRFs

Configure VPDN & AAA related configuration as usual

Bind VRF on appropriate interfaces (VirtualTemplate, Loopback)

• Radius ServerConfigure user profiles on a Radius Server



Radius Server Configuration

DEFAULT Service-Type == Framed-User Framed-Protocol = PPP, cisco-avpair += "lcp:interface-config=ip vrf forwarding U downstream D", cisco-avpair += "lcp:interface-config=ip unnumbered loopback 2", cisco-avpair += "ip:addr-pool=U-pool", Fall-Through = Yes

subscriber1 Auth-Type := Local, User-Password == “subscriber1" cisco-avpair += "ip:route=2.0.0.5 255.255.255.255"

subscriber2 Auth-Type := Local, User-Password == “subscriber2" cisco-avpair += "ip:route=2.0.0.2 255.255.255.255"

Spokes will inherit the default configuration



Configuration: HubSitePE

!

router bgp 1

no bgp default ipv4-unicast

bgp log-neighbor-changes

neighbor 100.0.0.34 remote-as 1

neighbor 100.0.0.34 update-source Loopback0

no auto-summary

!

address-family ipv4 multicast

no auto-summary

exit-address-family

!

address-family vpnv4

neighbor 100.0.0.34 activate

neighbor 100.0.0.34 send-community extended

no auto-summary

exit-address-family

!

address-family ipv4

no auto-summary

no synchronization

exit-address-family

!

!

address-family ipv4 vrf HUB

neighbor 1.20.1.2 remote-as 100

neighbor 1.20.1.2 activate

no auto-summary

no synchronization

exit-address-family

!

ip vrf HUB

rd 1:20

route-target export 1:0

route-target import 1:100

!



Configuration: SpokeSitePE(LNS)

hostname SpokeSitePEaaa new-model!aaa group server radius R server 22.0.20.26 auth-port 1812 acct-port 1813!aaa authentication ppp default group radiusaaa authorization network default group radius!ip vrf D description Downstream VRF - to spokes rd 1:8 route-target export 1:100!ip vrf U description Upstream VRF - to hub rd 1:0 route-target import 1:0!ip cef vpdn enable! vpdn-group U accept-dialin protocol pppoe virtual-template 1!

interface Loopback2 ip vrf forwarding U ip address 2.0.0.8 255.255.255.255!interface ATM2/0 description Mze ATM3/1/2 no ip address no atm ilmi-keepalive pvc 0/16 ilmi ! pvc 3/100 protocol pppoe ! pvc 3/101 protocol pppoe !interface Virtual-Template1 no ip address ppp authentication chap!router bgp 1 no synchronization no bgp default ipv4-unicast bgp log-neighbor-changes neighbor 100.0.0.34 remote-as 1 neighbor 100.0.0.34 update-source Loopback0 no auto-summary



Configuration: SpokeSitePE(LNS)

! address-family ipv4 multicast no auto-summary no synchronization exit-address-family ! address-family vpnv4 neighbor 100.0.0.34 activate neighbor 100.0.0.34 send-community extended no auto-summary exit-address-family ! address-family ipv4 vrf U no auto-summary no synchronization exit-address-family ! address-family ipv4 vrf D redistribute static no auto-summary no synchronization exit-address-family! ip local pool U-pool 2.8.1.1 2.8.1.100!radius-server host 22.0.20.26 auth-port 1812 acct-port 1813radius-server key cisco



Show Log: SpokeSitePE(LNS)

SpokeSitePE#sh run int virtual-access 3Building configuration...Current configuration : 92 bytes!interface Virtual-Access3 ip vrf forwarding U downstream D ip unnumbered Loopback2end

SpokeSitePE#sh run int virtual-access 4Building configuration...Current configuration : 92 bytes!interface Virtual-Access4 ip vrf forwarding U downstream D ip unnumbered Loopback2end

Both subscribers available on the SpokeSitePE



Show Log: SpokeSitePE(LNS) (Cont.)

SpokeSitePE#sh ip route vrf D Routing Table: DCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,

ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static routeGateway of last resort is not set

2.0.0.0/8 is variably subnetted, 5 subnets, 2 masksU 2.0.0.2/32 [1/0] via 2.8.1.1S 2.0.0.0/8 is directly connected, Null0U 2.0.0.5/32 [1/0] via 2.8.1.2C 2.8.1.2/32 is directly connected, Virtual-Access4C 2.8.1.1/32 is directly connected, Virtual-Access3

Shows downstream VRF table




SpokeSitePE#sh ip route vrf U

Routing Table: UCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route

Gateway of last resort is 100.0.0.20 to network 0.0.0.0

2.0.0.0/32 is subnetted, 1 subnetsC 2.0.0.8 is directly connected, Loopback2B* 0.0.0.0/0 [200/0] via 100.0.0.20, 1w5d

Shows upstream VRF table




SpokeSitePE#sh ip int vi 3Virtual-Access3 is up, line protocol is up Interface is unnumbered. Using address of Loopback2 (2.0.0.8) Broadcast address is 255.255.255.255 Peer address is 2.8.1.1 MTU is 1492 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is enabled IP Flow switching is disabled IP CEF switching is enabled IP Feature Fast switching turbo vector IP VPN CEF switching turbo vector VPN Routing/Forwarding "U" Downstream VPN Routing/Forwarding "D" IP multicast fast switching is disabled IP multicast distributed fast switching is disabled IP route-cache flags are Fast, CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Policy routing is disabled Network address translation is disabled WCCP Redirect outbound is disabled WCCP Redirect inbound is disabled WCCP Redirect exclude is disabled BGP Policy Mapping is disabled

SpokeSitePE#sh cef interface vi 3 intVirtual-Access3 is up (if_number 35) Corresponding hwidb fast_if_number 35 Corresponding hwidb firstsw->if_number 35 Internet address is 0.0.0.0/0 Unnumbered interface. Using address of Loopback2 (2.0.0.8) ICMP redirects are always sent Per packet load-sharing is disabled IP unicast RPF check is enabled Inbound access list is not set Outbound access list is not set IP policy routing is disabled BGP based policy accounting is disabled Interface is marked as point to point interface Hardware idb is Virtual-Access3 Fast switching type 7, interface type 21 IP CEF switching enabled IP Feature Fast switching turbo vector IP VPN Feature CEF switching turbo vector VPN Forwarding table "U" Input fast flags 0x5000, Output fast flags 0x0 ifindex 23(23) Slot -1 Slot unit 3 Unit 3 VC -1 Transmit limit accumulator 0x0 (0x0) IP MTU 1492 Subblocks: ip verify: via=rx, acl=0, drop=0, sdrop=0, downstream VRF D

SpokeSitePE#sh ip vrf detail DVRF D; default RD 1:8; default VPNID <not set> Description: Downstream VRF - to spokes No interfaces Interfaces using this VRF as downstream: Virtual-Access3 Virtual-Access4 Connected addresses are not in global routing table Export VPN route-target communities RT:1:100 No Import VPN route-target communities No import route-map No export route-map



Configuration: SpokeSiteCE(LAC1)

username subscriber1 password 0 subscriber1username subscriber2 password 0 subscriber2 !ip vrf D rd 1:8 route-target export 1:100!ip vrf U rd 1:0 route-target import 1:0!ip cefvpdn enable!vpdn-group U accept-dialin protocol pppoe virtual-template 1!interface Loopback2 ip vrf forwarding U ip address 2.0.0.8 255.255.255.255!

!interface ATM2/0 description Mze ATM3/1/2 no ip address no atm ilmi-keepalive pvc 0/16 ilmi ! pvc 3/100 protocol pppoe ! pvc 3/101 protocol pppoe !!interface Virtual-Template1 ip vrf forwarding U downstream D ip unnumbered Loopback2 peer default ip address pool U-pool ppp authentication chap!ip local pool U-pool 2.8.1.1 2.8.1.100



BACKUP SLIDES





PE Home Gateway

MPLSCORE ISPPE CE

ServiceLoopback

ServiceLoopback

HUBPE

SPOKE 1

SPOKE 2

vpn port

vpn port

vpn port

A

B

• Upstream traffic (ie: traffic toward the upstream ISP or toward another subscriber) is sent to the hub PE-router and forwarded across the link between the wholesale SP and the ISP

• Subscriber traffic follows a default route within the VRF

• Traffic is forwarded towards and received from the wholesale Service Providers PE-router and the subscriber

Topology I: Hub and Spoke Connectivity Between Distributed PE-Routers



PE

Home Gateway

MPLSCORE

ISPPE CE

ServiceLoopback

ServiceLoopback

HUB

PE

SPOKE 1

SPOKE 2

vpnport

vpnport

vpnportA

B Home Gateway

ISPPE CE

HUB

vpnport

NAP

• Data flow between two subscribers that belong to different services goes through the hub location of the Service Provider

• Data will traverse through a network exchange point, either public or private, by following a default route within the subscriber VRF

Topology II: Hub and Spoke Connectivity Between Subscribers Of Different Services



Home Gateway

MPLSCORE

ISPPE CE

HUB

vpnport

Home Gateway

ISPPE CE

HUB

vpnport

PEServiceLoopbacks

SPOKE 1

vpnport

vpnport

A

B

• If two subscribers are terminated on the same PE-router and belong to different services, the data is required to traverse through the home gateways of both services.

Topology III: Hub and Spoke Connectivity Via the Same PE-Router (Different Services)


Half Duplex VRFs, 12/03 383838© 2003 Cisco Systems, Inc. All rights reserved.


Date post:	16-Dec-2015
Category:	Documents
Upload:	james-tyler
View:	215 times
Download:	1 times

111 © 2003 Cisco Systems, Inc. All rights reserved. Half Duplex VRFs, 12/03 HALF DUPLEX VRFs: A...

Documents