7/31/2019 Advanced MPLS VPN Solutions (AMVS) 1.0 Volume 1
1/292
AMVS
Advanced MPLS
VPN Solutions
Volume 1
Version 1.0
Student Guide
Text Part Number: 97-0624-01
The products and specifications, configurations, and other technical information regarding the products in this
manual are subject to change without notice. All statements, technical information, and recommendations in this
manual are believed to be accurate but are presented without warranty of any kind, express or implied. You
must take full responsibility for your application of any products specified in this manual.
LICENSE
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL,
DOCUMENTATION, AND/OR SOFTWARE (MATERIALS). BY USING THE MATERIALS YOU
AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT
AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS
(WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Cisco Systems, Inc. (Cisco) and its suppliers grant to you (You) a nonexclusive and nontransferable license
to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software
(Software), Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code
form solely on a single central processing unit owned or leased by You or otherwise embedded in equipment
provided by Cisco. You may make one (1) archival copy of the Software provided You affix to such copy all
copyright, confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY
AUTHORIZED ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY
THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE
SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE
MATERIALS.
You agree that aspects of the licensed Materials, including the specific design and structure of individual
programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or
otherwise make available such trade secrets or copyrighted material in any form to any third party without the
prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade
secrets and copyrighted Material. Title to the Materials shall remain solely with Cisco.
This License is effective until terminated. You may terminate this License at any time by destroying all copies
of the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with
any provision of this License. Upon termination, You must destroy all copies of the Materials.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export
Administration Act and its associated regulations, and may be subject to export or import regulations in other
countries. You agree to comply strictly with all such regulations and acknowledge that You have the responsibility
to obtain licenses to export, re-export, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of California, United
States of America, as if performed wholly within the state and without giving effect to the principles of conflict
of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall
remain in full force and effect. This License constitutes the entire License between the parties with respect to
the use of the Materials.
Restricted Rights - Cisco's software is provided to non-DOD agencies with RESTRICTED RIGHTS and its
supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S.
Government is subject to the restrictions as set forth in subparagraph C of the Commercial Computer
Software - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S.
Government's rights in software, supporting documentation, and technical data are governed by the restrictions
in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.
DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS.
CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST
PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS
MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. In no event shall Cisco's or its suppliers' liability to You, whether in contract, tort
(including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even
if the above-stated warranty fails of its essential purpose.
The following information is for FCC compliance of Class A devices: This equipment has been tested and
found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits
are designed to provide reasonable protection against harmful interference when the equipment is operated in a
commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not
installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference, in
which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual
generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco's installation
instructions, it may cause interference with radio and television reception. This equipment has been tested and
found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of
the FCC rules. These specifications are designed to provide reasonable protection against such interference in a
residential installation. However, there is no guarantee that interference will not occur in a particular
installation.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it
was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes
interference to radio or television reception, try to correct the interference by using one or more of the following
measures:
Turn the television or radio antenna until the interference stops.
Move the equipment to one side or the other of the television or radio.
Move the equipment farther away from the television or radio.
Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make
certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate
your authority to operate the product.
The following third-party software may be included with your product and will be subject to the software
license agreement:
CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-
Packard Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright 1992, 1993
Hewlett-Packard Company.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the
University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating
system. All rights reserved. Copyright 1981, Regents of the University of California.
Network Time Protocol (NTP). Copyright 1992, David L. Mills. The University of Delaware makes no
representations about the suitability of this software for any purpose.
Point-to-Point Protocol. Copyright 1989, Carnegie-Mellon University. All rights reserved. The name of the
University may not be used to endorse or promote products derived from this software without specific prior
written permission.
The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed
by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating
system. All rights reserved. Copyright 1981-1988, Regents of the University of California.
Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products.
Fastmac software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to
Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered
trademarks of Madge Networks Limited. Copyright 1995, Madge Networks Limited. All rights reserved.
XRemote is a trademark of Network Computing Devices, Inc. Copyright 1989, Network Computing Devices,
Inc., Mountain View, California. NCD makes no representations about the suitability of this software for any
purpose.
The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved.
Access Registrar, AccessPath, Any to Any, Are You Ready, AtmDirector, Browse with Me, CCDA, CCDE,
CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo,
CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network
logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco
Systems Networking Academy logo, the Cisco Technologies logo, Fast Step, FireRunner, Follow Me Browsing,
FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, IQ Breakthrough, IQ
Expertise, IQ FastTrack, IQ Readiness Scorecard, The IQ Logo, Kernel Proxy, MGX, Natural Network Viewer,
NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy
Builder, Precept, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast,
SMARTnet, SVX, The Cell, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router,
Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and
Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service
marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco
Systems logo, the Cisco Systems Cisco Press logo, CollisionFree, Enterprise/Solver, EtherChannel,
EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch,
MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are
registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other
trademarks mentioned in this document are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any of its resellers. (0005R)
Advanced MPLS VPN Solutions, Revision 1.0: Student Guide
Copyright 2000, Cisco Systems, Inc.
All rights reserved. Printed in USA.
Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions v
Table of Contents
Volume 1
ADVANCED MPLS VPN SOLUTIONS 1-1
Overview 1-1
Course Objectives 1-2
Course Objectives Implementation 1-3
Course Objectives Solutions 1-4
Prerequisites 1-5
Participant Role 1-7
General Administration 1-9
Sources of Information 1-10
MPLS VPN TECHNOLOGY 2-1
Overview 2-1
Objectives 2-1
Introduction to Virtual Private Networks 2-2
Objectives 2-2
Summary 2-8
Review Questions 2-8
Overlay and Peer-to-Peer VPN 2-9
Objectives 2-9
Overlay VPN Implementations 2-13
Summary 2-23
Review Questions 2-24
Major VPN Topologies 2-25
Objectives 2-25
VPN Categorizations 2-25
Summary 2-38
Review Questions 2-38
MPLS VPN Architecture 2-39
Objectives 2-39
Summary 2-60
Review Questions 2-61
MPLS VPN Routing Model 2-62
Objectives 2-62
Summary 2-78
Review Questions 2-78
MPLS VPN Packet Forwarding 2-79
Objectives 2-79
Summary 2-91
Review Questions 2-91
Lesson Summary 2-92
Answers to Review Questions 2-93
Introduction to Virtual Private Networks 2-93
Overlay and Peer-to-Peer VPN 2-93
Major VPN Topologies 2-94
MPLS VPN Architecture 2-94
MPLS VPN Routing Model 2-95
MPLS VPN Packet Forwarding 2-96
MPLS/VPN CONFIGURATION ON IOS PLATFORMS 3-1
Overview 3-1
Objectives 3-1
MPLS/VPN Mechanisms in Cisco IOS 3-2
Objectives 3-2
Summary 3-16
Review Questions 3-16
Configuring Virtual Routing and Forwarding Table 3-17
Objectives 3-17
Summary 3-26
Review Questions 3-26
Configuring a Multi-Protocol BGP Session Between the PE Routers 3-27
Objectives 3-27
Summary 3-43
Review Questions 3-43
Configuring Routing Protocols Between PE and CE Routers 3-44
Objectives 3-44
Summary 3-55
Review Questions 3-55
Monitoring MPLS/VPN Operation 3-56
Objectives 3-56
Summary 3-82
Review Questions 3-82
Troubleshooting MPLS/VPN 3-83
Objectives 3-83
Summary 3-100
Review Questions 3-100
Advanced VRF Import/Export Features 3-101
Objectives 3-101
Summary 3-115
Review Questions 3-115
Advanced PE-CE BGP Configuration 3-116
Objectives 3-116
Summary 3-134
Review Questions 3-134
USING OSPF IN AN MPLS VPN ENVIRONMENT 4-1
Overview 4-1
Objectives 4-1
Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-2
Objectives 4-2
Summary 4-26
Review Questions 4-26
Configuring and Monitoring OSPF in an MPLS VPN Environment 4-27
Objectives 4-27
Summary 4-35
Review Questions 4-35
Summary 4-36
Answers to Review Questions 4-37
Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-37
Configuring and Monitoring OSPF in an MPLS VPN Environment 4-37
Volume 2
MPLS VPN TOPOLOGIES 5-1
Overview 5-1
Objectives 5-1
Simple VPN with Optimal Intra-VPN Routing 5-2
Objectives 5-2
Summary 5-17
Review Questions 5-17
Using BGP as the PE-CE Routing Protocol 5-18
Objectives 5-18
Summary 5-23
Review Questions 5-23
Overlapping Virtual Private Networks 5-24
Objectives 5-24
Summary 5-33
Review Questions 5-33
Central Services VPN Solutions 5-34
Objectives 5-34
Summary 5-47
Review Questions 5-47
Hub-and-Spoke VPN Solutions 5-48
Objectives 5-48
Summary 5-54
Review Questions 5-54
Managed CE-Router Service 5-55
Objectives 5-55
Summary 5-60
Review Questions 5-60
Chapter Summary 5-60
INTERNET ACCESS FROM A VPN 6-1
Overview 6-1
Objectives 6-1
Integrating Internet Access with the MPLS VPN Solution 6-2
Objectives 6-2
Summary 6-16
Review Questions 6-16
Design Options for Integrating Internet Access with MPLS VPN 6-17
Objectives 6-17
Summary 6-23
Review Questions 6-23
Leaking Between VPN and Global Backbone Routing 6-24
Objectives 6-24
Usability of Packet Leaking for Various Internet Access Services 6-32
Redundant Internet Access with Packet Leaking 6-36
Summary 6-38
Review Questions 6-38
Separating Internet Access from VPN Service 6-39
Objectives 6-39
Usability of Separated Internet Access for Various Internet Access Services 6-44
Summary 6-46
Review Questions 6-46
Internet Access Backbone as a Separate VPN 6-47
Objectives 6-47
Usability of Internet in a VPN Solution for Various Internet Access Services 6-52
Summary 6-56
Review Questions 6-57
Chapter Summary 6-57
MPLS VPN DESIGN GUIDELINES 7-1
Overview 7-1
Objectives 7-1
Backbone and PE-CE Link Addressing Scheme 7-2
Objectives 7-2
Summary 7-15
Review Questions 7-16
Backbone IGP Selection and Design 7-17
Objectives 7-17
Summary 7-30
Review Questions 7-31
Route Distinguisher and Route Target Allocation Schemes 7-32
Objective 7-32
Summary 7-37
Review Questions 7-37
End-to-End Convergence Issues 7-38
Objectives 7-38
Summary 7-52
Review Questions 7-52
Chapter Summary 7-53
Answers to Review Questions 7-54
Backbone and PE-CE Link Addressing Scheme 7-54
Backbone IGP Selection and Design 7-55
Route Distinguisher and Route Target Allocation Scheme 7-56
End-to-End Convergence Issues 7-56
LARGE-SCALE MPLS VPN DEPLOYMENT 8-1
Overview 8-1
Objectives 8-1
MP-BGP Scalability Mechanisms 8-2
Objectives 8-2
Summary 8-12
Review Questions 8-12
Partitioned Route Reflectors 8-13
Objectives 8-13
Summary 8-28
Review Questions 8-28
Chapter Summary 8-29
MPLS VPN MIGRATION STRATEGIES 9-1
Overview 9-1
Objective 9-1
Infrastructure Migration 9-2
Objective 9-2
Summary 9-9
Review Questions 9-9
Customer Migration to MPLS VPN service 9-10
Objective 9-10
Generic Customer Migration Strategy 9-11
Migration From Layer-2 Overlay VPN 9-13
Migration from GRE Tunnel-Based VPN 9-16
Migration from IPSec-Based VPN 9-19
Migration from L2F-Based VPN 9-20
Migration From Unsupported PE-CE Routing Protocol 9-22
Summary 9-26
Review Questions 9-26
Chapter Summary 9-26
INTRODUCTION TO LABORATORY EXERCISES A-1
Overview A-1
Physical And Logical Connectivity A-2
IP Addressing Scheme A-5
Initial BGP Design A-7
Notes Pages A-8
LABORATORY EXERCISES: FRAME-MODE MPLS CONFIGURATION B-1
Overview B-1
Laboratory Exercise B-1: Basic MPLS Setup B-2
Objectives B-2
Command list B-2
Task 1: Configure MPLS in your backbone B-2
Task 2: Remove BGP from your P-routers B-2
Verification B-3
Review Questions B-4
Laboratory Exercise B-2: Disabling TTL Propagation B-5
Objective B-5
Command list B-5
Task: Disable IP TTL Propagation B-5
Verification B-5
Laboratory Exercise B-3: Conditional Label Advertising B-6
Objective B-6
Command list B-6
Task: Configure Conditional Label Advertising B-6
Verification B-6
Review Questions B-7
LABORATORY EXERCISES: MPLS VPN IMPLEMENTATION C-1
Overview C-1
Laboratory Exercise C-1: Initial MPLS VPN Setup C-2
Objectives C-2
Background Information C-2
Command list C-3
Task 1: Configure multi-protocol BGP C-3
Task 2: Configure Virtual Routing and Forwarding Tables C-4
Additional Objective C-5
Task 3: Configuring Additional CE routers C-5
Verification C-6
Laboratory Exercise C-2: Running OSPF Between PE and CE Routers C-9
Objectives C-9
Visual Objective C-9
Command list C-10
Task 1: Configure OSPF on CE routers C-10
Task 2: Configure OSPF on PE routers C-10
Verification C-11
Task 3: Configure OSPF connectivity with additional CE routers C-11
Verification C-12
Laboratory Exercise C-3: Running BGP Between the PE and CE Routers C-13
Objectives C-13
Background Information C-13
Command list C-14
Task 1: Configure Additional PE-CE link C-14
Task 2: Configure BGP as the PE-CE routing protocol C-14
Verification C-15
Task 3: Select Primary and Backup Link with BGP C-16
Verification C-16
Task 4: Convergence Time Optimization C-17
Verification C-17
LABORATORY EXERCISES: MPLS VPN TOPOLOGIES D-1
Overview D-1
Laboratory Exercise D-1: Overlapping VPN Topology D-2
Objective D-2
Visual Objective D-2
Command list D-3
Task 1: Design your VPN solution D-4
Task 2: Remove WGxA1/WGxB1 from existing VRFs D-4
Task 3: Configure new VRFs for WGxA1 and WGxB1 D-4
Verification D-4
Laboratory Exercise D-2: Common Services VPN D-8
Objective D-8
Background Information D-9
Command list D-10
Task 1: Design your Network Management VPN D-10
Task 2: Create Network Management VRF D-10
Verification D-11
Task 3: Establish connectivity between NMS VRF and other VRFs D-11
Verification D-11
Task 4: Establish routing between WGxPE2 and the NMS router D-12
Verification D-13
Laboratory Exercise D-3: Internet Connectivity Through Route Leaking D-14
Objective D-14
Visual Objective D-14
Command list D-15
Task 1: Cleanup from the previous VPN exercises D-15
Task 2: Configure route leaking between customer VPN and the Internet D-15
Verification D-16
Additional exercise: Fix intra-VPN routing D-17
Laboratory Exercise D-4: Separate Interface for Internet Connectivity D-18
Objective D-18
Visual Objective D-19
Command list D-20
Task 1: Cleanup from the previous exercise D-20
Verification D-21
Task 2: Establishing connectivity in the global routing table D-21
Task 3: Routing between the PE-router and the CE-router D-21
Verification D-22
Laboratory Exercise D-5: Internet in a VPN D-23
Objective D-23
Visual Objective D-23
Command list D-24
Task 1: Design your Internet VPN D-24
Task 2: Migrate Internet routers in a VPN D-24
Verification D-25
Additional Task: Direct Internet connectivity for all CE-routers D-26
Verification D-26
INITIAL LABORATORY CONFIGURATION E-1
Overview E-1
Laboratory Exercise E-1: Initial Core Router Configuration E-2
Objective E-2
Task: Configure Initial Router Configuration E-2
Verification E-3
Laboratory Exercise E-2: Initial Customer Router Configuration E-4
Objective E-4
Task: Configure Customer Routers E-4
Verification E-5
Laboratory Exercise E-3: Basic ISP Setup E-6
Objective E-6
Task 1: Configure IS-IS in your backbone E-6
Task 2: Configure BGP in your backbone E-6
Task 3: Configure Customer Routing E-6
Task 4: Peering with other Service Providers E-7
Task 5: Establishing Network Management Connectivity E-7
Verification E-7
INITIAL ROUTER CONFIGURATION F-1
Overview F-1
Router WGxPE1 F-2
Router WGxPE2 F-4
Router WGxPE3 F-6
Router WGxPE4 F-8
Router WGxP F-10
Router WGxA1 F-12
Router WGxA2 F-14
Router WGxB1 F-15
Router WGxB2 F-17
1
Advanced MPLS VPN Solutions
Overview
Advanced MPLS VPN Solutions (AMVS) is an instructor-led course presented by
Cisco training partners to their end-user customers. This four-day course focuses
on using Virtual Private Networks (VPN) implemented with Multi-Protocol Label
Switching (MPLS) technology.
Upon completion of this training course, you will be able to design, implement
and troubleshoot MPLS VPN networks.
This chapter outlines the course prerequisites and course highlights, as well as
some administrative issues. It includes the following topics:
I Course Objectives
I Course Topics
I Prerequisites
I Participant Role
I General Administration
I Sources of Information
I Course Syllabus
I Graphic Symbols
Course Objectives
This section lists the course objectives.
Course Objectives: Technology
Upon completion of this course, you will be able to perform the following tasks:
I Identify major VPN categories and topologies, their applications and technologies that can be used to implement them
I Describe MPLS/VPN terminology and architecture
I Describe the routing and forwarding model of MPLS/VPN
Course Objectives Implementation
Course Objectives: Implementation
Upon completion of this course, you will be able to perform the following tasks:
I Configure Virtual Routing and Forwarding tables
I Configure Multi-protocol BGP in MPLS/VPN backbone and the PE-CE routing protocols
I Configure advanced MPLS/VPN features
I Monitor and troubleshoot MPLS/VPN operations
I Describe the specifics of OSPF operation inside a VPN network
Course Objectives Solutions
Course Objectives: Solutions
Upon completion of this course, you will be able to perform the following tasks:
I Design and implement various MPLS/VPN topologies
I Connect your VPN customers to the Internet
I Design and implement MPLS/VPN backbone
I Build large-scale MPLS VPN backbones
I Develop a migration strategy toward MPLS/VPN from a wide range of existing network infrastructures
Prerequisites
This section lists the course prerequisites.
Advanced MPLS VPN Solutions: Prerequisites
Successful completion of:
I Building Scalable Cisco Networks (BSCN)
I Configuring BGP on Cisco Routers
I One of the MPLS technology courses
Recommended:
I CCNP or CCIE certification
I In-depth OSPF or IS-IS knowledge
I MPLS Traffic Engineering and QoS knowledge
To fully benefit from AMVS, you should already possess certain knowledge and
skills gained in a structured learning environment. You need to have:
I In-depth understanding of IP routing and route redistribution in Cisco IOS
I In-depth knowledge of Border Gateway Protocol (BGP) and practical experience in configuring BGP networks
I Baseline MPLS knowledge.
These skills can be gained from self-paced or instructor-led training sessions and
from work experience. The best way to gain the skills you need to follow the
CBCR course is:
I To gain IP routing and route redistribution skills, attend Building Scalable
Cisco Networks (BSCN) course
I To gain BGP-related skills, attend Configuring BGP on Cisco Routers
(CBCR) course
I To gain MPLS knowledge, attend MPLS Technology Essentials or Cisco
MPLS course.
You will be able to gain more practical experience from the course if you already have
work experience and router configuration skills. These skills are best demonstrated
through Cisco career certifications: Cisco Certified Networking Professional
(CCNP) or Cisco Certified Internetworking Expert (CCIE). In-depth knowledge of the
Open Shortest Path First (OSPF) or Integrated Intermediate System-to-Intermediate
System (IS-IS) routing protocol will help you perform the laboratory exercises
better. MPLS Traffic Engineering and MPLS Quality of Service knowledge will
help you understand how these technologies relate to MPLS VPN.
Participant Role
This section discusses your responsibilities as a student.
Participant Role
Student role:
I Meet prerequisites
I Introduce yourself
I Ask and answer questions
To take full advantage of the information presented in this course, you should
meet the prerequisites for this class.
Introduce yourself to the instructor and other students who will be working with
you during the five days of this course.
You are encouraged to ask any questions relevant to the course materials.
If you have pertinent questions concerning other Cisco features and products not
covered in this course, please bring these topics up during breaks or after class,
and the instructor will try to answer the questions or direct you to an appropriate
information source.
Welcome: Please Introduce Yourself
I Your name and work location
I Your job responsibilities
I Your internetworking experience
I Your objectives for this week
Introduce yourself, stating your name and the job function you perform at your
work location.
Briefly describe what experience you have with installing and configuring Cisco
routers, attending Cisco classes, and how your work experience helped you meet
the prerequisites highlighted earlier.
You should also state what you expect to learn from this course.
General Administration
This section highlights miscellaneous administrative tasks that must be addressed.
General Administration
Class-related:
I Sign-in sheet
I Length and times
I Participant materials
I Attire
Facilities-related:
I Rest rooms
I Site emergency procedures
I Break and lunchroom locations
I Communications
The instructor will discuss the administrative issues in detail so you will know
exactly what to expect from both the class and facilities. The following items will
be discussed:
I Recording your name on a sign-in sheet
I The starting and anticipated ending time of each class day
I What materials you can expect to receive during the class
I The appropriate attire during class attendance
I Rest room locations
I What to do in the event of an emergency
I Class breaks and lunch facilities
I How to send and receive telephone, e-mail, and fax messages
Sources of Information
This section identifies additional sources of information.
Sources of Information
I Student kit
I www.cisco.com
I CD-ROMs
I Cisco Press
Most of the information presented in this course can be found on the Cisco
Systems Web site or on CD-ROM. These supporting materials are available in
HTML format and as manuals and release notes.
To learn more about the subjects covered in this course, feel free to access the
following sources of information:
I Cisco Documentation CD-ROM
I ITM CD-ROM
I Cisco IOS 12.1 Configuration Guide
I Cisco IOS 12.1 Command Reference Guide
Many of these documents can be found at the following URL:
http://www.cisco.com
Cisco Press books and documents can be found at the following URL:
http://www.ciscopress.com
Course Syllabus
Technology: MPLS VPN Technology
Implementation: MPLS VPN Configuration on IOS Platforms; Running OSPF in an MPLS VPN Environment
Solutions: MPLS VPN Topologies; Internet Access from a VPN; MPLS VPN Design Guidelines; Large-Scale MPLS VPN Deployment; MPLS VPN Migration Strategies
The following schedule reflects the recommended structure for this course. This
structure allows enough time for your instructor to present the course information
to you and for you to work through the laboratory exercises. The exact timing of
the subject materials and labs depends on the pace of your specific class.
Module 1, MPLS VPN Technology (0.5 day)
The purpose of this module is to introduce you to the concept of Virtual
Private Networks and MPLS VPN Architecture. The module also
discusses the routing and data forwarding model of MPLS VPN.
Module 1 includes the following chapters:
I Chapter 1, Introduction
I Chapter 2, MPLS VPN Technology
Module 2, MPLS VPN Implementation (1.5 days)
The purpose of this module is to describe the operation and
configuration of MPLS VPN on Cisco IOS platforms.
Module 2 includes the following chapters:
- Chapter 3, MPLS VPN Configuration on IOS Platforms
- Chapter 4, Using OSPF in an MPLS VPN Environment
Module 3, MPLS VPN Solutions (2 days)
The purpose of the module is to describe typical MPLS VPN usage
scenarios and give you design and implementation guidelines needed to
deploy these scenarios in your network.
Module 3 includes the following chapters:
- Chapter 5, MPLS VPN Topologies
- Chapter 6, Internet Access from a VPN
- Chapter 7, MPLS VPN Design Guidelines
- Chapter 8, Large-Scale MPLS VPN Deployment
- Chapter 9, MPLS VPN Migration Strategies
2 MPLS VPN Technology
Overview
This lesson introduces Virtual Private Networks (VPN) and the two major VPN
design options: overlay VPN and peer-to-peer VPN. VPN terminology and
topologies are introduced.
The lesson then describes the MPLS VPN architecture, its operation and its terminology.
It details CE-PE routing from various perspectives and the BGP extensions (route
targets, carried as extended community attributes) that allow multiprotocol iBGP to transport
customer routes over the provider network. The MPLS VPN forwarding model is
also covered, together with its integration with the core routing protocols.
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
- Identify major Virtual Private Network topologies, their characteristics and
usage scenarios
- Describe the differences between overlay VPN and peer-to-peer VPN
- List major technologies supporting overlay VPNs and peer-to-peer VPNs
- Position MPLS VPN in comparison with other peer-to-peer VPN
implementations
- Describe the major architectural blocks of MPLS VPN
- Describe the MPLS VPN routing model and packet forwarding
Introduction to Virtual Private Networks
Objectives
Upon completion of this section, you will be able to perform the following tasks:
- Describe the concept of VPN
- Understand VPN terminology as defined by the MPLS VPN architecture
Traditional Router-Based Networks
Traditional router-based networks connect customer sites through routers connected via dedicated point-to-point links.
(Figure: sites A, B, C and D joined by dedicated point-to-point links)
Traditional router-based networks were implemented with dedicated point-to-point
links connecting customer sites. The cost of such an approach was comparatively
high for a number of reasons:
- The dedicated point-to-point links prevented any form of statistical
infrastructure sharing on the Service Provider side, resulting in high costs for
the end customer
- Every link required a dedicated port on a router, resulting in high equipment
costs.
Virtual Private Networks
Virtual Private Networks replace dedicated point-to-point links with emulated point-to-point links sharing common infrastructure.
Customers use VPNs primarily to reduce their operational costs.
(Figure: a Service Provider network; on the left a customer-site CPE router connected to a provider edge device (Frame Relay switch); provider core devices in the middle; on the right two PE devices, each with a CPE router, one of them at a large customer site with other customer routers behind it. Virtual Circuit (VC) #1 and Virtual Circuit (VC) #2 share the single CPE-to-PE link.)
Virtual Private Networks (VPNs) were introduced very early in the history of data
communications with technologies like X.25 and Frame Relay, which use virtual
circuits to establish the end-to-end connection over a shared service provider
infrastructure. These technologies, although sometimes considered legacy and
obsolete, still share the basic business assumptions with the modern VPN
approaches:
- The dedicated links are replaced with common infrastructure that emulates
point-to-point links for the customer, resulting in statistical sharing of Service
Provider infrastructure
- Statistical sharing of infrastructure enables the service provider to offer the
connectivity for a lower price, resulting in lower operational costs for the end
customers.
The statistical sharing is illustrated in the graphic, where you can see the CPE
router on the left has one physical connection to the service provider with two
virtual circuits provisioned. Virtual Circuit 1 (VC # 1) provides connectivity to the
top CPE router on the right. Virtual Circuit 2 (VC #2) provides the connectivity to
the bottom CPE router on the right.
VPN Terminology
Customer Network (C-Network): the part of the network still under customer control.
Provider Network (P-Network): the Service Provider infrastructure used to provide VPN services.
Customer Site: a contiguous part of the customer network (can encompass many physical locations).
(Figure: a customer site and a large customer site attached to the Service Provider network)
There are many conceptual models and terminologies describing the various Virtual
Private Network technologies and implementations. In this section we'll focus on
the terminology introduced by the MPLS VPN architecture. As you'll see, the
terminology is generic enough to cover any VPN technology or implementation
and is thus extremely versatile.
The major parts of an overall VPN solution are always:
- The Service Provider network (P-network): the common infrastructure the
Service Provider uses to offer VPN services to the customers
- The Customer network (C-network): the part of the overall customer network that is still exclusively under customer control
- Customer sites: contiguous parts of the customer network.
A typical customer network implemented with any VPN technology contains
islands of connectivity completely under customer control (customer sites)
connected together via the Service Provider infrastructure (P-network).
VPN Terminology
Customer Edge (CE) device: the device in the C-network with a link into the P-network. Also called Customer Premises Equipment (CPE).
Provider Edge (PE) device: the device in the P-network to which the CE devices are connected.
Provider core (P) device: a device in the P-network with no customer connectivity.
(Figure: Service Provider network with a customer site and a large customer site attached)
The devices that enable the overall VPN solution are named based on their
position in the network:
- The customer router that connects the customer site to the Service Provider
network is called a Customer Edge router (CE-router). Traditionally this
device is called Customer Premises Equipment (CPE).
Note: If the CE device is not a router but, for example, a Packet Assembly and
Disassembly (PAD) device, we can still use the generic term CE-device.
- Service Provider devices to which the customer devices are attached are called
Provider Edge (PE) devices. In traditional switched Wide Area Network
(WAN) implementations, these devices would be Frame Relay or X.25 edge
switches.
- Service Provider devices that only provide data transport across the Service
Provider backbone and have no customers attached to them are called
Provider (P) devices. In traditional switched WAN implementations these
would be core (or transit) switches.
VPN Terminology Specific to Switched WAN
Virtual Circuit (VC): emulated point-to-point link established across shared layer-2 infrastructure.
Permanent Virtual Circuit (PVC): established through out-of-band means (network management) and always active.
Switched Virtual Circuit (SVC): established through CE-PE signaling on demand from the CE device.
(Figure: the Frame Relay VPN from the earlier slide: a customer-site CPE router connected to a provider edge device (Frame Relay switch), provider core devices, and two PE devices on the right each with a CPE router, one at a large customer site; VC #1 and VC #2 share the single CPE-to-PE link)
Switched WAN technologies introduced the term Virtual Circuit (VC): an
emulated point-to-point link established across a layer-2 infrastructure (for example,
a Frame Relay network). Virtual circuits are further differentiated into
Permanent Virtual Circuits (PVC), which are pre-established by means of
network management or manual configuration, and Switched Virtual Circuits
(SVC), which are established on demand through a call setup request from the CE
device.
Summary
Virtual Private Networks were introduced by Service Providers to offer a more
cost-effective alternative to the traditional customer network design, which relied on
dedicated point-to-point links between customer sites.
The overall network implemented with a VPN solution is divided into the
Customer network (C-network), which is exclusively under the customer's control,
and the Provider network (P-network), the shared infrastructure used to offer the VPN services. A contiguous part of the C-network is called a customer site.
The device linking a customer site with the P-network is called the Customer Edge
(CE) device. Most commonly this is a router, called the CE-router. This component
was traditionally named Customer Premises Equipment (CPE).
The edge device in the Service Provider network, to which the customers are attached,
is called the Provider Edge (PE) device. A device inside the Provider network with
no customer connectivity is a Provider (P) device.
Review Questions
Answer the following questions:
- Why are customers interested in Virtual Private Networks?
- What is the main role of a VPN?
- What is a C-network?
- What is a customer site?
- What is a CE-router?
- What is a P-network?
- What is the difference between a PE-device and a P-device?
Overlay and Peer-to-Peer VPN
Objectives
Upon completion of this section, you will be able to perform the following tasks:
- Describe the differences between overlay and peer-to-peer VPN
- Describe the benefits and drawbacks of each VPN implementation option
- List major technologies supporting overlay VPNs
- Describe traditional peer-to-peer VPN implementation options
VPN Implementation Technologies
VPN services can be offered based on two major paradigms:
Overlay Virtual Private Networks, where the Service Provider provides virtual point-to-point links between customer sites
Peer-to-Peer Virtual Private Networks, where the Service Provider participates in the customer routing
Traditional VPN implementations were all based on the overlay paradigm: the
Service Provider sells virtual circuits between customer sites as a replacement for
dedicated point-to-point links. The overlay paradigm has a number of drawbacks
that will be identified in this section. To overcome these drawbacks (particularly
in IP-based customer networks), a new paradigm called peer-to-peer VPN was
introduced, in which the Service Provider actively participates in customer routing.
Overlay VPN Implementation (Frame Relay Example)
(Figure: customer-site Routers A, B, C and D attached to Frame Relay edge switches (the provider edge devices) of the Service Provider network; Virtual Circuits #1, #2 and #3 cross the Frame Relay network between the edge switches)
The diagram above shows a typical overlay VPN implemented by a Frame Relay
network. The customer needs to connect three sites (site Alpha being the central
site, the hub) and orders connectivity between Alpha (hub) and Beta (spoke) and
between Alpha (hub) and Gamma (spoke). The Service Provider implements this
request by provisioning two PVCs across the Frame Relay network.
Layer-3 Routing in Overlay VPN Implementation
Service Provider infrastructure appears as point-to-point links to customer routers
Routing protocols run directly between customer routers
Service Provider does not see customer routes and is responsible only for providing point-to-point transport of customer data
(Figure: Router A with emulated point-to-point links to Routers B, C and D)
From the layer-3 perspective, the Service Provider network is invisible: the
customer routers are linked with emulated point-to-point links. The routing
protocol runs directly between the customer routers, which establish routing adjacencies
and exchange routing information.
The Service Provider is not aware of customer routing and has no information
about customer routes. The responsibility of the Service Provider is purely the
point-to-point data transport between customer sites.
Overlay VPN Implementations
There are a number of different overlay VPN implementations, ranging from
traditional Time Division Multiplexing (TDM) to highly complex technologies
running across IP backbones. In the following slides, we'll introduce the major VPN
technologies and implementations.
Overlay VPN: Layer-1 Implementation
This is the traditional TDM solution:
Service Provider establishes physical-layer connectivity between customer sites
Customer takes responsibility for all higher layers
(Layer stack: IP over PPP or HDLC over ISDN, E1, T1, DS0, SDH or SONET)
In a layer-1 overlay VPN implementation, the Service Provider sells layer-1 circuits (bit pipes) implemented with technologies like ISDN, DS0, E1, T1, SDH or
SONET. The customer takes responsibility for layer-2 encapsulation between
customer devices and for the transport of IP data across the infrastructure.
Overlay VPN: Layer-2 Implementation
This is the traditional Switched WAN solution:
Service Provider establishes layer-2 virtual circuits between customer sites
Customer takes responsibility for all higher layers
(Layer stack: IP over X.25, Frame Relay or ATM)
Layer-2 VPN implementation is the traditional switched WAN model,
implemented with technologies like X.25, Frame Relay, ATM or SMDS. The
Service Provider is responsible for transport of layer-2 frames between customer
sites and the customer takes responsibility for all higher layers.
Overlay VPN: IP Tunneling
VPN is implemented with IP-over-IP tunnels
Tunnels are established with GRE or IPSec
GRE is simpler (and quicker), IPSec provides authentication and security
(Layer stack: IP over Generic Routing Encapsulation (GRE) or IP Security (IPSec) over IP)
With the success of the Internet Protocol (IP) and associated technologies, some
Service Providers started to implement pure IP backbones to offer VPN services
based on IP. In other cases, customers want to take advantage of the low cost and
universal availability of the Internet to build low-cost private networks over it.
Whatever the business reasons behind it, an overlay Layer 3 VPN implementation
over an IP backbone always involves tunneling (encapsulation of protocol units at a
certain layer of the OSI model into protocol units at the same or a higher layer of the OSI
model).
Two well-known tunneling technologies are IP Security (IPSec) and Generic Routing Encapsulation (GRE). GRE is fast and simple to implement and supports
multiple routed protocols, but provides no confidentiality, integrity protection or peer
authentication and is thus unsuitable for deployment over the Internet on its own. An alternative
tunneling technology is IPSec, which provides network-layer authentication and optional
encryption to make data transfer over the Internet secure. IPSec only supports the IP routed
protocol, which is why the two are commonly combined: GRE carries the multiprotocol or
multicast traffic and IPSec protects the GRE tunnel packets.
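As an added example (not code from the course), the following Python builds an IPv4-over-GRE packet with only the standard library and checks two things the text states about IP tunnel overlays: the per-datagram encapsulation overhead (the 20 to 80 bytes cited later in this chapter) and the fact that GRE carries the inner packet in the clear. The addresses, the payload and the ESP parameters are constructed for illustration; the ESP figures assume AES-CBC with HMAC-SHA1-96, which is an assumption and not something the course specifies.

```python
import socket
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800    # GRE "protocol type" field uses EtherType values


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5,       # version 4, IHL 5 words
                      0,                  # TOS
                      20 + payload_len,   # total length
                      0, 0,               # identification, flags/fragment offset
                      64,                 # TTL
                      proto,
                      0,                  # checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv4_header_ok(packet: bytes) -> bool:
    """True when the IPv4 header checksum verifies (sum over the header is zero)."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an inner IPv4 packet in a minimal GRE header (RFC 2784: no checksum,
    key or sequence number) plus an outer IPv4 header with protocol 47."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # flags/version = 0
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Return the inner packet of an IPv4-in-GRE datagram, honouring the optional
    checksum (C), key (K) and sequence (S) fields if a peer set them."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007 or proto != GRE_PROTO_IPV4:
        raise ValueError("not GRE version 0 carrying IPv4")
    gre_len = 4 + 4 * bool(flags_ver & 0x8000) \
                + 4 * bool(flags_ver & 0x2000) \
                + 4 * bool(flags_ver & 0x1000)
    return packet[ihl + gre_len:]


def esp_tunnel_overhead(inner_len: int, iv_len: int = 16, icv_len: int = 12,
                        block: int = 16) -> int:
    """Bytes IPsec ESP tunnel mode adds to one inner packet. Defaults assume
    AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV); other suites
    change the numbers (assumption). Outer IPv4 (20) + SPI/sequence (8) + IV +
    padding + pad-length/next-header (2) + ICV."""
    pad = (-(inner_len + 2)) % block
    return 20 + 8 + iv_len + pad + 2 + icv_len


# Constructed sample: an inner datagram 10.1.1.1 -> 10.2.2.2 with a cleartext payload,
# tunneled between constructed public endpoints 192.0.2.1 and 198.51.100.1.
PAYLOAD = b"SECRET: payroll export"
INNER = ipv4_header("10.1.1.1", "10.2.2.2", 17, len(PAYLOAD)) + PAYLOAD
TUNNELED = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.1")


def gre_overhead() -> int:
    """Outer IPv4 (20) + GRE (4) = 24 bytes for this minimal header."""
    return len(TUNNELED) - len(INNER)


def payload_visible_on_wire() -> bool:
    """GRE adds no confidentiality: the inner payload is findable in the outer packet."""
    return PAYLOAD in TUNNELED


if __name__ == "__main__":
    print("GRE overhead:", gre_overhead(), "bytes; payload in clear:", payload_visible_on_wire())
    print("ESP tunnel-mode overhead for a 100-byte inner packet:", esp_tunnel_overhead(100))
```

The decapsulation side rejects anything that is not GRE version 0 carrying IPv4, which is the check a tunnel endpoint needs before it trusts the inner header; a GRE header with the optional checksum, key or sequence fields set is still parsed correctly. The ESP numbers show why the overhead is a range and not a constant: padding depends on the inner length and the cipher block size.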
Overlay VPN: Layer-2 Forwarding
VPN is implemented with PPP-over-IP tunnels
Usually used in access environments (dial-up, DSL)
(Layer stack: Point-to-Point Protocol (PPP) over Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) over IP)
Yet another tunneling technique was first implemented in dial-up networks,
where Service Providers wanted to tunnel customer dial-up data, encapsulated
in Point-to-Point Protocol (PPP) frames, over an IP backbone to the customer's
central site. To make the Service Provider transport transparent to the customer,
PPP frames are exchanged between the customer sites (usually a dial-up user and a
central site) and the customer is responsible for establishing layer-3 connectivity
above PPP.
There are three well-known PPP forwarding implementations:
- Layer 2 Forwarding (L2F)
- Layer 2 Tunneling Protocol (L2TP)
- Point-to-Point Tunneling Protocol (PPTP)
L2F and L2TP do not encrypt the tunneled PPP frames themselves; where
confidentiality is required over a public backbone, L2TP is commonly combined with IPSec.
Peer-to-Peer VPN Concept
Routing information is exchanged between customer and service-provider routers
Service Provider routers exchange customer routes through the core network
Finally, the customer routes propagated through the service-provider network are sent to other customer routers
(Figure: customer-site Routers A, B, C and D, each attached to a Provider Edge (PE) router in the Service Provider network)
The overlay VPN paradigm has a number of drawbacks, the most significant
being the need for the customer to establish point-to-point links or virtual circuits
between sites. The number of point-to-point links or virtual circuits needed in the
worst case (full mesh) is n(n-1)/2, where n is the number of sites to be connected.
For example, full-mesh connectivity between 4 sites requires a total of 6
point-to-point links or virtual circuits.
To overcome this drawback and provide the customer with optimum data transport
across the Service Provider backbone, the peer-to-peer VPN concept was
introduced, in which the Service Provider actively participates in the customer
routing: accepting customer routes, transporting them across the Service Provider backbone and finally propagating them to other customer sites.
Peer-to-Peer VPN with Packet Filters
POP router carries all customer routes
Isolation between customers is achieved with packet filters on PE-CE interfaces
(Figure: Customer A Site #1, Customer A Site #2 and Customer B Site #1 all attached to one shared router at a Point-of-Presence of the service provider network)
The first peer-to-peer VPN solutions appeared several years ago. Architectures
similar to the Internet were used to build them, and special provisions had to be
taken into account to transform an architecture targeted at public
backbones (the Internet) into a solution where the customers are totally isolated
and able to exchange their corporate data securely.
The more common peer-to-peer VPN implementation uses packet filters on the
PE-routers to isolate the customers. The Service Provider allocates portions of its
address space to the customers and manages the packet filters on the PE-routers to
ensure full reachability between sites of a single customer and isolation between
customers.
Peer-to-Peer VPN with Controlled Route Distribution
Each customer has a dedicated PE router that only carries its routes
The P-router contains all customer routes
Customer isolation is achieved through lack of routing information on the PE router
(Figure: at a Point-of-Presence, Customer A Site #1 and Site #2 attach to PE-router Customer-A and Customer B Site #1 attaches to PE-router Customer-B; both PE-routers connect to a P-router with an uplink into the service provider network)
Maintaining packet filters is a mundane and error-prone task. Some Service
Providers thus implemented more innovative solutions based on controlled route
distribution. In this approach, the core Service Provider routers (the P-routers)
contain all customer routes and the PE-routers only contain the routes of
a single customer, requiring a dedicated PE-router per customer per Point-of-
Presence (POP). Customer isolation is achieved solely through the lack of routing
information on the PE-router. Using route filtering between the P-router and the
PE-routers, the PE-router for Customer A will only learn routes belonging to
Customer A, and the PE-router for Customer B will only learn routes belonging to
Customer B. Border Gateway Protocol (BGP) with BGP communities is usually used inside the Provider backbone since it offers the most versatile route filtering
tools.
Note: Default routes used anywhere in the customer or Service Provider network break
isolation between the customers and have to be avoided.
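As an added example (not code from the course), this Python models the two traditional peer-to-peer isolation methods described above on constructed prefixes: a per-packet filter on a shared PE, and controlled route distribution in which a dedicated PE imports only routes tagged with its customer's community. It then shows the failure mode the Note warns about: a default route on the per-customer PE pointing at the P-router, which holds every customer's routes, silently restores reachability to the other customers. The router names, prefixes and the use of a plain string as the community tag are assumptions made for illustration.

```python
import ipaddress

# Constructed provider-assigned address space shared by all customers.
# Value = (next hop, BGP community used as the customer tag).
P_ROUTER_RIB = {
    "10.1.0.0/24": ("PE-A-pop1", "A"),
    "10.1.1.0/24": ("PE-A-pop2", "A"),
    "10.2.0.0/24": ("PE-B-pop1", "B"),
}


def packet_filter_permits(customer_prefixes, src, dst):
    """Shared-PE model: the ACL on a PE-CE interface permits a packet only when
    source and destination both belong to that customer. Evaluated per packet."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]

    def inside(a):
        addr = ipaddress.ip_address(a)
        return any(addr in n for n in nets)

    return inside(src) and inside(dst)


def pe_rib(p_rib, customer):
    """Dedicated-PE model: import from the P-router only the routes whose
    community matches this PE's customer (community-based route filtering)."""
    return {pfx: nh for pfx, (nh, comm) in p_rib.items() if comm == customer}


def lookup(rib, dst):
    """Longest-prefix match. None means no route, so the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best = None
    for pfx in rib:
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else rib[str(best)]


def forward_from_pe(p_rib, customer, dst, pe_default=None):
    """Trace a packet entering the PE dedicated to `customer`: first the PE's
    filtered RIB, then, if the PE hands it to the P-router, the P-router's full
    table. pe_default models a default route present on the PE (for example one
    redistributed from the customer). Returns the egress PE, or None if dropped."""
    rib = pe_rib(p_rib, customer)
    if pe_default is not None:
        rib["0.0.0.0/0"] = pe_default
    nh = lookup(rib, dst)
    if nh == "P-router":
        # The P-router has no notion of customers: it forwards on its full table.
        nh = lookup({pfx: n for pfx, (n, _) in p_rib.items()}, dst)
    return nh


def leaked_prefixes(p_rib, customer, pe_default="P-router"):
    """Other customers' prefixes reachable from `customer`'s PE once a default
    route pointing at the P-router exists on that PE."""
    return sorted(
        pfx for pfx, (_, comm) in p_rib.items()
        if comm != customer
        and forward_from_pe(p_rib, customer, str(ipaddress.ip_network(pfx)[1]), pe_default)
    )


if __name__ == "__main__":
    print("A -> A:", forward_from_pe(P_ROUTER_RIB, "A", "10.1.1.7"))
    print("A -> B:", forward_from_pe(P_ROUTER_RIB, "A", "10.2.0.9"))
    print("A -> B with default on PE-A:",
          forward_from_pe(P_ROUTER_RIB, "A", "10.2.0.9", pe_default="P-router"))
    print("leaked from A's PE:", leaked_prefixes(P_ROUTER_RIB, "A"))
```

The packet-filter path has to run on every packet, which is the performance cost listed later in this chapter; the route-distribution path costs nothing per packet but depends entirely on the PE having no route at all for foreign destinations, so a single default route (from the customer, from the uplink, or added by hand for Internet access) turns isolation off for every prefix the P-router knows.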
Benefits of Various VPN Implementations
Overlay VPN:
Well-known and easy to implement
Service Provider does not participate in customer routing
Customer network and Service Provider network are well isolated
Peer-to-Peer VPN:
Guarantees optimum routing between customer sites
Easier to provision an additional VPN
Only the sites are provisioned, not the links between them
Each VPN paradigm has a number of benefits:
- Overlay VPNs are well known and easy to implement, both from the customer
and the Service Provider perspective
- The Service Provider does not participate in customer routing in overlay
VPNs, making the demarcation point between the Service Provider and the
customer easier to manage.
On the other hand, peer-to-peer VPNs give you:
- Optimum routing between customer sites without any special design or
configuration effort
- Easy provisioning of additional VPNs or customer sites, as the Service
Provider only needs to provision individual sites, not the links between
individual customer sites.
Drawbacks of Various VPN Implementations
Overlay VPN:
Implementing optimum routing requires a full mesh of virtual circuits
Virtual circuits have to be provisioned manually
Bandwidth must be provisioned on a site-to-site basis
Always incurs encapsulation overhead
Peer-to-Peer VPN:
Service Provider participates in customer routing
SP becomes responsible for customer convergence
PE routers carry all routes from all customers
SP needs detailed IP routing knowledge
Each VPN paradigm also has a number of drawbacks:
- Overlay VPNs require a full mesh of virtual circuits between customer sites to
provide optimum inter-site routing
- All the virtual circuits between customer sites in an overlay VPN have to be
provisioned manually, and the bandwidth must be provisioned on a site-to-site
basis (which is not always easy to achieve).
- The IP-based overlay VPN implementations (with IPSec or GRE) also incur
high encapsulation overhead (ranging from 20 to 80 bytes per transported
datagram).
The major drawbacks of peer-to-peer VPN arise from the Service Provider's
involvement in customer routing:
- The Service Provider becomes responsible for correct customer routing and
for fast convergence of the customer network following a link failure.
- The Service Provider P-routers have to carry all the customer routes that were
hidden from the Service Provider in the overlay VPN paradigm.
- The Service Provider needs detailed IP routing knowledge, which is not
readily available in traditional Service Provider teams.
Drawbacks of Traditional Peer-to-Peer VPNs
Shared PE router:
All customers share the same (provider-assigned or public) address space
High maintenance costs associated with packet filters
Lower performance: each packet has to pass a packet filter
Dedicated PE router:
All customers share the same address space
Each customer requires a dedicated router at each POP
The pre-MPLS VPN implementations of peer-to-peer VPNs all shared a common
drawback: the customers have to share the same address space, either using
public IP addresses in their private networks or relying on service provider-
assigned IP addresses. In both cases, connecting a new customer to a peer-to-peer
VPN service usually requires IP renumbering inside the customer network, an
operation most customers are reluctant to perform.
The peer-to-peer VPNs based on packet filters also incur high operational costs
associated with packet filter maintenance, as well as performance degradation due
to heavy usage of packet filters.
The peer-to-peer VPNs implemented with per-customer PE-routers are easier to
maintain and can give you optimum routing performance, but are usually more
expensive since every customer requires a dedicated router in every POP. This
approach is thus usually used in scenarios where the Service Provider only
provides service to a small number of large customers.
Summary
VPN Taxonomy
Virtual Networks
    Virtual LANs
    Virtual Dialup Networks
    Virtual Private Networks
        Overlay VPN
            Layer 2 VPN: X.25, Frame Relay, ATM
            Layer 3 VPN: IPSec, GRE
        Peer-to-Peer VPN
            Access Lists (Shared Router)
            Split Routing (Dedicated Router)
            MPLS VPN
There are a number of different Virtual Networking concepts present in the data
communications field:
- Virtual Local Area Networks (VLAN) allow you to implement isolated
LANs over the same physical infrastructure
- Virtual Private Dialup Networks (VPDN) allow customers to use the dial-in
infrastructure of a Service Provider for their private dial-up connections
- Virtual Private Networks (VPN) allow customers to use the shared infrastructure
of a Service Provider to implement their private networks.
There are two major VPN paradigms:
- Overlay VPN, where the Service Provider gives the customer emulated point-
to-point links across the Service Provider backbone, and
- Peer-to-peer VPN, where the Service Provider becomes actively involved in
customer routing and acts as the core layer-3 backbone of the customer
network.
The overlay VPNs are implemented with a number of technologies, ranging from
traditional layer-1 technologies (ISDN, SDH, SONET) and layer-2 technologies
(X.25, Frame Relay, ATM) to modern IP-based solutions (GRE and IPSec).
The overlay VPNs, although well known and easy to implement, are harder to
operate due to higher maintenance costs:
- Every individual virtual circuit needs to be provisioned
- Optimum routing between customer sites requires a full mesh of virtual
circuits between sites
- Bandwidth has to be provisioned on a site-to-site basis.
Traditional peer-to-peer VPNs are implemented with packet filters on shared PE-
routers or with dedicated per-customer PE-routers. Along with high maintenance
costs (for the packet-filter approach) or equipment costs (for the dedicated per-customer
PE-router approach), both methods require the customer to accept the Service
Provider-assigned address space or to use public IP addresses in the private customer
network.
MPLS VPN, introduced in the next sections, provides all the benefits of peer-to-
peer VPNs and alleviates most of the peer-to-peer VPN drawbacks (for example,
the need for a common customer address space).
Review Questions
Answer the following questions:
- What is an overlay VPN?
- Which routing protocol runs between the customer and the service provider in
an overlay VPN?
- Which routers are routing protocol neighbors of a CE-router in an overlay VPN?
- List three IP-based overlay VPN technologies.
- What is the major benefit of peer-to-peer VPN as compared to overlay VPN?
- List two traditional peer-to-peer VPN implementations.
- What is the drawback of all traditional peer-to-peer VPN implementations?
Major VPN Topologies
Objectives
Upon completion of this section, you will be able to perform the following tasks:
- Identify the three major categorizations of VPN
- Identify the three overlay VPN topologies
- Understand the implications of using the overlay VPN approach with each
topology
- List sample usage scenarios for each topology
- Identify the three VPN categorizations based on business needs
- Identify the three VPN categorizations based on connectivity needs
VPN Categorizations
There are three major VPN categorizations:
- Topology categorization, which only applies to overlay VPNs
- Business categorization, which categorizes VPNs based on the business needs
they fulfill
- Connectivity categorization, which classifies VPNs based on their
connectivity requirements.
VPN Topology Categorization
Overlay VPNs are categorized based on the topology of the virtual circuits:
(Redundant) Hub-and-spoke topology
Partial-mesh topology
Full-mesh topology
Multi-level topology combines several levels of overlay VPN topologies
The oldest VPN categorization was based on the topology of point-to-point links
in an overlay VPN implementation:
I Full-mesh topology provides a dedicated virtual circuit between any two
CE-routers in the network
I Partial-mesh topology reduces the number of virtual circuits, usually to the
minimum number that still provides optimum transport between major sites
I Hub-and-spoke topology is the ultimate reduction of partial mesh: many
sites (spokes) are connected only to the central site(s) (hubs), with no direct
connectivity between the spokes. To prevent single points of failure, the
hub-and-spoke topology is sometimes extended to a redundant hub-and-spoke
topology.
Large networks usually deploy a layered combination of these topologies, for
example:
I Partial mesh in the network core
I Redundant hub-and-spoke for larger branch offices (spokes) connected to
distribution routers (hubs)
I Simple hub-and-spoke for non-critical remote locations (for example, home
offices).
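The following Python model is an added example (it is not part of the course material) that makes the trade-off between these topologies concrete: it builds the circuit set for a full mesh, a hub-and-spoke, a redundant hub-and-spoke and a two-level design, counts the virtual circuits each needs, and reports which routers are single points of failure, which is the property the redundant variants buy. Site names, the layering and the helper names are constructed for the illustration; a virtual circuit is modelled simply as an unordered pair of CE-routers.

```python
"""Overlay VPN topology models: virtual-circuit counts and single points of failure.

Added example, not part of the course material. Site names and the circuit
sets are constructed for the illustration; a virtual circuit is modelled as an
unordered pair of CE-routers.
"""
from itertools import combinations


def full_mesh(sites):
    """One virtual circuit between every pair of sites: n(n-1)/2 circuits."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_and_spoke(hubs, spokes):
    """Each spoke has one circuit to each hub and none to other spokes.
    One hub gives plain hub-and-spoke, two hubs give redundant hub-and-spoke."""
    return {frozenset((hub, spoke)) for hub in hubs for spoke in spokes}


def multi_level(core_hubs, distribution_sites, remotes_per_distribution):
    """Redundant hub-and-spoke in the core, simple hub-and-spoke below each
    distribution router, as in the layered design described in the text."""
    circuits = hub_and_spoke(core_hubs, distribution_sites)
    for dist, remotes in remotes_per_distribution.items():
        circuits |= hub_and_spoke([dist], remotes)
    return circuits


def reachable(circuits, start, failed=frozenset()):
    """Sites reachable from `start`, never passing through a failed router."""
    seen, pending = set(), [start]
    while pending:
        site = pending.pop()
        if site in seen or site in failed:
            continue
        seen.add(site)
        for circuit in circuits:
            if site in circuit:
                (other,) = circuit - {site}
                pending.append(other)
    return seen


def single_points_of_failure(circuits):
    """Routers whose failure cuts off at least one surviving site from another."""
    sites = set().union(*circuits)
    spofs = []
    for site in sorted(sites):
        survivors = sites - {site}
        if len(survivors) < 2:
            continue
        origin = min(survivors)
        if reachable(circuits, origin, failed={site}) != survivors:
            spofs.append(site)
    return spofs


def compare_topologies():
    """Circuit count and single points of failure for each constructed topology."""
    spokes = ["Berlin", "Moscow", "Sydney", "Guam"]
    models = {
        "full mesh": full_mesh(["HQ"] + spokes),
        "hub-and-spoke": hub_and_spoke(["HQ"], spokes),
        "redundant hub-and-spoke": hub_and_spoke(["HQ-1", "HQ-2"], spokes),
        "multi-level": multi_level(["HQ-1", "HQ-2"], ["Dist-EU", "Dist-APAC"],
                                   {"Dist-EU": ["Berlin", "Moscow"],
                                    "Dist-APAC": ["Sydney", "Guam"]}),
    }
    return {name: (len(vcs), single_points_of_failure(vcs))
            for name, vcs in models.items()}


if __name__ == "__main__":
    for name, (count, spofs) in compare_topologies().items():
        print(f"{name:24s} circuits={count:2d} single points of failure={spofs}")
```

The two-level model shows why the text calls the non-redundant tier "non-critical": the distribution routers are the only single points of failure left once the core hubs are doubled, so the remote sites hanging off them are exactly the ones that lose connectivity when a distribution router fails.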
Diagram: Overlay VPN Hub-and-Spoke Topology. A central site router (hub) is linked across the service provider network to four remote sites (spokes).
The hub-and-spoke topology is the simplest overlay VPN topology: all remote
sites are linked with a single virtual circuit to a central CE-router. The routing is
also extremely simple: static routing or a distance-vector protocol like RIP is
more than adequate. If you are using a dynamic routing protocol like RIP, split
horizon must be disabled at the hub router, or you must use point-to-point
sub-interfaces at the hub router to overcome the split-horizon problem.
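The split-horizon problem is easiest to see by simulating it. The Python below is an added example (not from the course material) that models a RIP-like hop-count protocol on a constructed hub-and-spoke network of one hub and three spokes. It runs the same topology three ways: the hub with one multipoint interface and split horizon on (spokes never learn each other's prefixes), the same interface with split horizon off, and one point-to-point sub-interface per spoke with split horizon left on. Interface names, prefixes and all function names are invented for the illustration; nothing here is Cisco IOS code.

```python
"""Distance-vector routing over an overlay hub-and-spoke topology.

Added example, not part of the course material. It models a RIP-like protocol
with hop-count metrics on a constructed topology: one hub and three spokes,
each spoke reached through its own virtual circuit. Interface and prefix names
are invented for the illustration.
"""
from collections import namedtuple

# metric = hop count; via_if = interface the route was learned on (None = connected)
Route = namedtuple("Route", "metric via_if")


class Router:
    def __init__(self, name, connected_prefixes, split_horizon=True):
        self.name = name
        self.split_horizon = split_horizon
        self.table = {p: Route(0, None) for p in connected_prefixes}
        self.links = {}  # interface name -> list of neighbour routers on it

    def neighbours_on(self, iface):
        return self.links.setdefault(iface, [])

    def iface_towards(self, other):
        return next(i for i, nbrs in self.links.items() if other in nbrs)


def connect(a, iface_a, b, iface_b):
    """Attach a virtual circuit between interface iface_a of a and iface_b of b."""
    a.neighbours_on(iface_a).append(b)
    b.neighbours_on(iface_b).append(a)


def advertise(router, iface):
    """Routes sent out of `iface`. With split horizon on, routes learned on that
    same interface are withheld; on a multipoint hub interface this hides one
    spoke's prefixes from every other spoke, because they all share the interface."""
    return {p: r.metric for p, r in router.table.items()
            if not (router.split_horizon and r.via_if == iface)}


def receive(router, iface, update):
    """Install advertised routes that beat the current metric; report any change."""
    changed = False
    for prefix, metric in update.items():
        candidate = Route(metric + 1, iface)
        current = router.table.get(prefix)
        if current is None or candidate.metric < current.metric:
            router.table[prefix] = candidate
            changed = True
    return changed


def converge(routers, max_rounds=16):
    """Synchronous update rounds until no table changes; returns rounds used."""
    for rnd in range(1, max_rounds + 1):
        pending = []
        for r in routers:
            for iface, nbrs in r.links.items():
                for nbr in nbrs:
                    pending.append((nbr, nbr.iface_towards(r), advertise(r, iface)))
        # list comprehension so every update is applied (any() would short-circuit)
        if not any([receive(n, i, u) for n, i, u in pending]):
            return rnd
    return max_rounds


def build_hub_and_spoke(hub_interfaces, hub_split_horizon=True):
    """hub_interfaces: "multipoint" (one Serial0 shared by all spokes) or
    "point-to-point" (one Serial0.N sub-interface per spoke)."""
    hub = Router("Hub", ["10.0.0.0/24"], split_horizon=hub_split_horizon)
    spokes = [Router(f"Spoke{i}", [f"10.{i}.0.0/24"]) for i in (1, 2, 3)]
    for i, spoke in enumerate(spokes, 1):
        hub_if = "Serial0" if hub_interfaces == "multipoint" else f"Serial0.{i}"
        connect(hub, hub_if, spoke, "Serial0")
    converge([hub] + spokes)
    return hub, spokes


def spoke_to_spoke_prefixes(spoke):
    """Prefixes of other spokes this spoke has learned (two hops, via the hub)."""
    return sorted(p for p, r in spoke.table.items() if r.metric == 2)


if __name__ == "__main__":
    for mode, sh in (("multipoint", True), ("multipoint", False), ("point-to-point", True)):
        _, spokes = build_hub_and_spoke(mode, sh)
        print(f"{mode:14s} split-horizon={sh!s:5s} Spoke1 sees {spoke_to_spoke_prefixes(spokes[0])}")
```

The point-to-point case works with split horizon still enabled because each spoke's prefix is learned on a different sub-interface, so withholding routes "learned on this interface" no longer hides them from the other spokes; disabling split horizon on the multipoint interface achieves the same spoke-to-spoke reachability at the cost of the loop protection split horizon provides.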
Diagram: Overlay VPN Redundant Hub-and-Spoke. Two redundant central site routers (hub) are each linked across the service provider network to the four remote sites (spokes).
A typical redundant hub-and-spoke topology introduces central site redundancy
(more complex topologies might also introduce router redundancy at spokes).
Each remote site is linked with two central routers via two virtual circuits. The two
virtual circuits can be used for load sharing or in a primary/backup configuration.
Diagram: Overlay VPN Partial Mesh. Sites in Moscow, Sydney, Guam, Berlin, Hong Kong and New York are interconnected by a subset of the possible virtual circuits (Frame Relay DLCIs).
Partial mesh is used in environments where cost or complexity factors prevent
a full mesh between customer sites. The virtual circuits in a partial mesh can be
established based on a wide range of criteria:
I Traffic pattern between sites
I Availability of physical infrastructure
I Cost considerations
Diagram: Overlay VPN Multi-Level Hub-and-Spoke. Two redundant central site routers (hub) connect across the service provider network to distribution-layer routers at distribution sites, which in turn connect to the remote sites (spokes).
Various overlay VPN topologies are usually combined in a large network. For
example, in the diagram above, a redundant hub-and-spoke topology is used in
the network core and a non-redundant hub-and-spoke is used between distribution
sites and remote sites. This topology would be commonly used in environments
where all traffic flows between the central site and remote sites and there is little
(or no) traffic exchanged directly between the remote sites.
VPN Business Categorization
VPNs can be categorized on the business needs they fulfill:
I Intranet VPN connects sites within an organization
I Extranet VPN connects different organizations in a secure way
I Access VPN (Virtual Private Dialup Network, VPDN) provides dial-up access into a customer network
Another very popular VPN categorization classifies VPNs based on the business
needs they fulfill:
I Intranet VPNs connect sites within an organization. Security mechanisms are
usually not deployed in an Intranet, as all sites belong to the same
organization.
I Extranet VPNs connect different organizations. Extranet implementations
usually rely on security mechanisms to ensure protection of the individual
organizations participating in the Extranet. The security mechanisms are
usually the responsibility of the individual participating organizations.
I Access VPNs are Virtual Private Dialup Networks (VPDNs) that provide dial-up
access into a customer network.
The following two diagrams compare overlay VPN implementation of an Extranet
with a peer-to-peer one. Similar comparisons could be made for Intranets as well.
Diagram: Extranet VPN, Overlay VPN Implementation. Four organizations (GlobalMotors, AirFilters Inc., BoltsAndNuts and SuperBrakes Inc.), each behind its own firewall, attach to Frame Relay switches in the provider backbone and are interconnected by Frame Relay virtual circuits (DLCIs).
In an overlay implementation of an Extranet, organizations are linked with
dedicated virtual circuits. Traffic between two organizations can only flow if:
I There is a direct virtual circuit between the organizations or
I There is a third organization linked with both of them that is willing to
provide transit traffic capability to them. As establishing virtual circuits
between two organizations is always associated with costs, the transit traffic
capability is almost never granted free-of-charge.
Diagram: Extranet VPN, Peer-to-Peer VPN Implementation. The same four organizations, each behind its own firewall, attach to provider edge (PE) routers in the provider IP backbone.
Peer-to-peer VPN implementation of an Extranet VPN is very simple compared to
an overlay VPN implementation: all sites are connected to the Service Provider
network, and optimum routing between sites is enabled by default.
The cost model of the peer-to-peer implementation is also simpler: usually every
organization pays its connectivity fees for participation in the Extranet and gets
full connectivity to all other sites.
Diagram: Central Services Extranet. Customers A, B and C attach to the service provider network; the service provider's extranet infrastructure hosts VoIP gateways in London, Amsterdam and Paris.
This diagram shows a sample Central Services extranet implementing
international Voice-over-IP service. Every customer of this service can access
voice gateways in various countries, but cannot access other customers using the
same service.
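The connectivity rule of a Central Services extranet (every customer reaches the shared service, no customer reaches another) is a policy that can be checked mechanically. The Python below is an added example, not part of the course material: it assumes a peer-to-peer implementation in which each customer belongs only to its own VPN while the gateway infrastructure belongs to every customer VPN, and that two sites can exchange traffic directly only when they share a VPN. It verifies that policy, lists the sites that sit in more than one VPN, and shows what a customer would reach if such a site forwarded between VPNs. That last function also covers the overlay Extranet case above, where a third organization linked to two others can provide transit between them. Site names, VPN names and all function names are constructed.

```python
"""Connectivity check for a central-services extranet.

Added example, not part of the course material. Sites and VPN names are
constructed: each customer belongs only to its own VPN, while the shared VoIP
gateways belong to every customer VPN. Two sites are assumed to exchange
traffic directly only when they share a VPN.
"""
from itertools import combinations

CUSTOMERS = ["Customer A", "Customer B", "Customer C"]
SERVICES = ["London GW", "Amsterdam GW", "Paris GW"]

# Constructed membership table: site -> set of VPNs it participates in.
MEMBERSHIP = {
    "Customer A": {"vpn-A"},
    "Customer B": {"vpn-B"},
    "Customer C": {"vpn-C"},
    "London GW": {"vpn-A", "vpn-B", "vpn-C"},
    "Amsterdam GW": {"vpn-A", "vpn-B", "vpn-C"},
    "Paris GW": {"vpn-A", "vpn-B", "vpn-C"},
}


def can_talk(membership, a, b):
    """Direct reachability: the two sites share at least one VPN."""
    return bool(membership[a] & membership[b])


def verify_central_services(membership, customers, services):
    """Every customer must reach every service; no customer may reach another.
    Returns a list of human-readable policy violations (empty when compliant)."""
    violations = []
    for customer in customers:
        for service in services:
            if not can_talk(membership, customer, service):
                violations.append(f"{customer} cannot reach {service}")
    for c1, c2 in combinations(customers, 2):
        if can_talk(membership, c1, c2):
            violations.append(f"{c1} can reach {c2}")
    return violations


def transit_candidates(membership):
    """Sites in more than one VPN. They can reach sites that cannot reach each
    other, so they must not forward traffic between the VPNs they belong to
    (the overlay Extranet's third organization, or the central-services gateways)."""
    return sorted(site for site, vpns in membership.items() if len(vpns) > 1)


def reachable_vpns(membership, start, forwarding_sites=()):
    """VPNs whose members `start` could reach if the given multi-VPN sites
    forwarded packets between all the VPNs they belong to."""
    vpns = set(membership[start])
    grew = True
    while grew:
        grew = False
        for site in forwarding_sites:
            if membership[site] & vpns and not membership[site] <= vpns:
                vpns |= membership[site]
                grew = True
    return vpns


if __name__ == "__main__":
    print("violations:", verify_central_services(MEMBERSHIP, CUSTOMERS, SERVICES))
    print("transit candidates:", transit_candidates(MEMBERSHIP))
    print("Customer A without transit:", reachable_vpns(MEMBERSHIP, "Customer A"))
    print("Customer A if London GW forwards:",
          reachable_vpns(MEMBERSHIP, "Customer A", forwarding_sites=["London GW"]))
```

The check is worth running against the intended membership before provisioning: adding one customer to another customer's VPN by mistake is reported as a direct-reachability violation, and the transit list is the set of hosts whose own forwarding configuration (not the VPN membership) decides whether customers stay isolated.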
Diagram: Central Services Extranet, Hybrid (Overlay + P2P) Implementation. Customers A, B and C reach provider edge routers through Frame Relay edge switches and Frame Relay virtual circuits; the provider edge routers form the peer-to-peer VPN that connects to the service provider extranet infrastructure with VoIP gateways in London, Amsterdam and Paris.
The network diagram shown above describes an interesting scenario where
peer-to-peer VPN and overlay VPN implementations are combined to provide
end-to-end service to the customer.
The VoIP service is implemented with Central Services extranet topology, which
is in turn implemented with peer-to-peer VPN. The connectivity between PE-
routers in the peer-to-peer VPN and the customer routers is implemented with an
overlay VPN based on Frame Relay. The PE-router of the peer-to-peer VPN and
the CE-routers act as CE-devices of the Frame Relay network.
Diagram: Managed Network, Overlay VPN Implementation. Redundant central site routers (hub) and remote sites (spokes) are linked across the service provider network; dedicated virtual circuits connect each managed router to the Network Management Center and are used only for network management.
Network management VPN is traditionally implemented in combination with
overlay VPN services. Dedicated virtual circuits are deployed between any
managed CE-router and the central network management router (NMS-router) to
which the Network Management Station (NMS) is connected.
This network management VPN implementation is sometimes called the rainbow
implementation, as the physical link between the NMS-router and the core of the
Service Provider network carries a number of virtual circuits, one circuit per
managed router.
Summary
There are three major categorizations of Virtual Private Networks:
I Topology categorization, which classifies the VPNs based on the topology of
point-to-point connections in overlay VPN implementation
I Business categorization, which classifies VPNs into Intranets, Extranets and
niche solutions like Virtual Private Dialup Networks
I Connectivity categorization, which classifies VPNs based on the connectivity
needs.
The topology categorization ranges VPNs from full mesh, where there is a direct
virtual circuit between any two sites, to partial mesh, which is built based on a
number of constraints (traffic patterns and cost being the most important of them)
and finally hub-and-spoke where a central site acts as the transit point between all
spoke sites. Real-life large networks are usually implemented with a combination
of these topologies.
The connectivity categorization divides VPNs into simple VPNs (with any-to-any
connectivity), overlay VPNs where a single site participates in more than one
simple VPN, Central Services VPNs, where some sites have limited connectivity,
and Network Management VPNs, which are really only a special case of Central
Services VPN.
Review Questions
Answer the following questions:
I What are the major Overlay VPN topologies?
I Why would the customers prefer partial mesh over full mesh topology?
I What is the difference between an Intranet and an Extranet?
I What is the difference between a simple VPN and a Central Services VPN?
I What are the connectivity requirements of a Central Services VPN?
MPLS VPN Architecture
Objectives
Upon completion of this section, you will be able to perform the following tasks:
I Understand the difference between traditional peer-to-peer models and MPLS VPN
I List the benefits of MPLS VPN
I Describe major architectural blocks of MPLS VPN
I Explain the need for route distinguisher (RD) and route target (RT)
MPLS VPN Architecture
I MPLS VPN combines the best features of overlay VPN and peer-to-peer VPN
I PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning
I PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach)
I Customers can use overlapping addresses
The MPLS VPN architecture provides the Service Providers with a peer-to-peer
VPN architecture that combines the best features of overlay VPN (support for
overlapping customer address spaces) with the best features of peer-to-peer VPNs:
I PE routers participate in customer routing, guaranteeing optimum routing
between customer sites
I PE routers carry a separate set of routes for each customer, resulting in
perfect isolation between the customers.
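The two properties just listed, a separate set of routes per customer and support for overlapping customer address spaces, follow from one design decision: a packet is looked up only in the routing table of the customer whose interface it arrived on. The Python below is an added example, not part of the course material and not Cisco IOS code; it models a PE router holding a global table plus one longest-prefix-match table per customer, with Customers A and B both using 10.1.1.0/24. Interface names, prefixes, next-hop labels and the class and function names are constructed for the illustration.

```python
"""Per-customer routing tables on a PE router with overlapping address spaces.

Added example, not part of the course material. It models the "virtual router
per customer" idea with plain Python: each customer gets its own longest-prefix
match table, and a packet is looked up only in the table of the customer whose
interface it arrived on. Interface names, prefixes and next-hop labels are
constructed; this is not Cisco IOS VRF code.
"""
import ipaddress


class VirtualRouter:
    """One independent IP routing table (the text's virtual router)."""

    def __init__(self, owner):
        self.owner = owner
        self.routes = {}  # ip_network -> next-hop description

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, destination):
        """Longest-prefix match; returns (network, next_hop) or None when no route."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, next_hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best


class PERouter:
    def __init__(self):
        self.global_table = VirtualRouter("global")   # provider backbone routes only
        self.customer_tables = {}                     # customer -> VirtualRouter
        self.interfaces = {}                          # interface -> customer or None

    def attach(self, interface, customer=None):
        """Bind a CE-facing interface to a customer; a core interface (customer=None)
        is served by the global table."""
        self.interfaces[interface] = customer
        if customer is not None:
            self.customer_tables.setdefault(customer, VirtualRouter(customer))

    def table_for(self, interface):
        customer = self.interfaces[interface]
        return self.global_table if customer is None else self.customer_tables[customer]

    def forward(self, ingress_interface, destination):
        """Route a packet using only the table that belongs to its ingress interface,
        so one customer's routes are never consulted for another customer's packets."""
        return self.table_for(ingress_interface).lookup(destination)


def build_pe():
    """Constructed PE with one core link and one CE link per customer."""
    pe = PERouter()
    pe.attach("Serial0/0")                 # core link towards a P router
    pe.attach("Serial1/0", "Customer A")   # CE of Customer A, site #1
    pe.attach("Serial1/1", "Customer B")   # CE of Customer B, site #1
    pe.global_table.add("192.0.2.0/24", "P router, next hop 192.0.2.1")
    a = pe.customer_tables["Customer A"]
    a.add("10.1.0.0/16", "Customer A site 3 (via PE3)")
    a.add("10.1.1.0/24", "Customer A site 2 (via PE2)")
    b = pe.customer_tables["Customer B"]
    b.add("10.1.1.0/24", "Customer B site 2 (via PE3)")   # same prefix as Customer A
    return pe


if __name__ == "__main__":
    pe = build_pe()
    for iface, dest in (("Serial1/0", "10.1.1.7"), ("Serial1/1", "10.1.1.7"),
                        ("Serial1/0", "10.1.9.9"), ("Serial0/0", "10.1.1.7")):
        print(f"{iface} -> {dest}: {pe.forward(iface, dest)}")
```

The same destination address resolves to a different next hop depending on the ingress interface, which is what lets both customers keep 10.1.1.0/24; and a packet arriving on the core interface finds no customer route at all, because customer prefixes never enter the global table.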
Diagram: MPLS VPN Terminology. Customer A and Customer B sites (each with a CE router, some with attached remote offices) connect to PE-routers at POP-X and POP-Y; the P-network core consists of P-routers.
The MPLS VPN terminology divides the overall network into a customer-controlled
part (C-network) and a provider-controlled part (P-network). Contiguous portions
of the C-network are called sites and are linked with the P-network via CE-routers.
The CE-routers are connected to the PE-routers, which serve as the edge devices
of the Provider network. The core devices in the provider network (P-routers)
provide the transit transport across the provider backbone and do not carry
customer routes.
Diagram: Provider Edge Router Architecture. The PE-router contains a global IP router, which faces the P-router, and one virtual router with its own virtual IP routing table for each customer (Customer A, with sites #1 and #2, and Customer B, with site #1).