7/28/2019 RST 2602 Mpls VPN Deployment
1/96
71 © 2004 Cisco Systems, Inc. All rights reserved. RST-2602 9908_06_2004_X2
MPLS/VPN Networks without CsC
The number of VPN routes is one of the biggest limiting factors in scaling the PE router
A few SPs are already running into this scaling limitation
If the number of VPN routes can be reduced somehow (without losing functionality), then the existing investment can be protected
The same PE can still be used to connect more VPN customers
Carrier Supporting Carrier (CsC) provides the mechanism to reduce the number of routes in each VRF by enabling MPLS on the PE-CE link
What Do I Need to Enable CsC?
1. Build an MPLS-VPN enabled carrier network
2. Connect the ISP/SP sites (or PoPs) to the carrier's PEs
3. Exchange internal routes + labels between the carrier's PE and the ISP/SP's CE
4. Exchange external routes directly between the ISP/SP sites
CsC Deployment Models
[Figure: CsC deployment model. The carrier's MPLS core (PE1, P1, PE2; MP-iBGP for VPNv4 between the PEs) connects ISP PoP Site-1 (CE-1, ASBR-1, R1) and ISP PoP Site-2 (CE-2, ASBR-2, R2) over MPLS-enabled VRF interfaces. On each PE-CE link, IPv4 routes are exchanged with label distribution. Inside the ISP sites, IGP+LDP carries the internal routes (internal routes = IGP routes); the ISP's customer routes (external routes) are exchanged by full-mesh iBGP between the sites. Also shown: C1 and the INTERNET reached through the ASBRs.]
CsC Deployment Models
1. Customer-ISP not running MPLS
2. Customer-ISP running MPLS
3. Customer-ISP running MPLS-VPN
Models 1 and 2 are less common deployments. Model 3 will be discussed in detail.
CsC: ISP Sites Are Running MPLS-VPN
[Figure: hierarchical MPLS-VPN control plane. ISP PoP Site-1 (ASBR_PE-1, C1, CE-1, serving VPN Site-1) and ISP PoP Site-2 (ASBR_PE-2, R1, R2, CE-2, serving VPN Site-2 with network 10.1.1.0/24) are connected through the carrier's core (PE1, P1, PE2). Advertisements printed on the slide:
- ISP MP-iBGP update: 1:1:10.1.1.0/24, RT=1:1, NH=30.1.61.25/32, Label=90 (ISP PE loopback 30.1.61.25/32)
- VPN Site-2: 10.1.1.0/24, NH=R1; 10.1.1.0/24, NH=ASBR_PE-2
- ISP IGP+LDP: 30.1.61.25/32, Label=pop; 30.1.61.25/32, NH=CE-2, Label=60; 30.1.61.25/32, NH=C1, Label=70
- Carrier PE-CE label distribution: 30.1.61.25/32, NH=CE-1, Label=50; 30.1.61.25/32, NH=PE-2, Label=52
- Carrier MP-iBGP update: 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51
- Carrier IGP+LDP: Net=PE-1, Label=pop; Net=PE-1, Label=16]
Hierarchical MPLS-VPN Control Plane
CsC: ISP Sites Are Running MPLS-VPN
[Figure: hierarchical MPLS-VPN forwarding plane on the same topology (VPN Site-1, C1, ISP PoP Site-1 with ASBR-1 and CE-1, carrier core PE1-P1-PE2, CE-2 and ASBR-2 in ISP PoP Site-2, R1/R2, VPN Site-2 with network 10.1.1.0/24). Label stacks printed on the packet to 10.1.1.1 along the path (bottom label first, as the slide prints them): 10.1.1.1; 10.1.1.1 90 70; 10.1.1.1 90 50; 10.1.1.1 90 52; 10.1.1.1 90 51 16; 10.1.1.1 90 51; 10.1.1.1 90 60; 10.1.1.1 90; 10.1.1.1.]
Hierarchical MPLS-VPN Forwarding Plane
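As an added worked example (not from the Cisco deck), the swap, push and pop operations that produce the label stacks on the forwarding-plane slide, modelled in Python. The label values (90, 70, 50, 52, 51, 16, 60) are the slide's; which node performs which operation is an assumption chosen so that the resulting stacks match the slide, with top-of-stack as the first list element.

```python
# Added example: hierarchical MPLS-VPN forwarding through a CsC carrier.
# Node-to-label assignment is assumed to fit the stacks printed on the slide;
# the label values themselves come from the slide. Stack lists hold the top label first.

VPN_LABEL = 90           # ISP-level VPN label for 10.1.1.0/24, advertised by the ISP egress PE via MP-iBGP
INGRESS_LDP_LABEL = 70   # ISP-level LDP label toward the ISP egress PE loopback 30.1.61.25/32, learned from C1

# Per-node LFIB: incoming top label -> (action, labels that replace it).
# "swap": replace the top label with the given labels (one label = plain swap,
#         two labels = swap plus push of a transport label on top);
# "pop":  remove the top label (penultimate-hop popping or VPN-label disposition).
LFIB = {
    "C1":        {70: ("swap", [50])},       # ISP core router: LDP swap toward CE-1
    "CE-1":      {50: ("swap", [52])},       # ISP CE: swap to the label the carrier PE advertised
    "PE1":       {52: ("swap", [16, 51])},   # carrier ingress PE: 52 -> 51 (VPNv4 label from PE2), push LDP 16
    "P1":        {16: ("pop", [])},          # carrier P router: PHP toward PE2
    "PE2":       {51: ("swap", [60])},       # carrier egress PE: VPNv4 label -> label CE-2 advertised
    "CE-2":      {60: ("pop", [])},          # ISP CE: PHP toward the ISP egress PE
    "ASBR_PE-2": {90: ("pop", [])},          # ISP egress PE: strip VPN label, IP-forward in the VRF to R1
}
PATH = ["ASBR_PE-1", "C1", "CE-1", "PE1", "P1", "PE2", "CE-2", "ASBR_PE-2"]


def forward(path=PATH):
    """Walk one packet for 10.1.1.1 from VPN Site-1 to VPN Site-2.

    Returns [(node, stack_after_node), ...] where stack_after_node is the
    label stack on the packet as it leaves that node (top label first).
    A KeyError means a node had no LFIB entry for the received top label,
    which is how a real LFIB miss surfaces (the packet is dropped).
    """
    stack = []
    trace = []
    for node in path:
        if node == path[0]:
            # Ingress ISP PE: impose the VPN label, then the LDP transport label on top.
            stack = [INGRESS_LDP_LABEL, VPN_LABEL]
        else:
            top = stack[0]
            action, replacement = LFIB[node][top]
            stack = (list(replacement) if action == "swap" else []) + stack[1:]
        trace.append((node, tuple(stack)))
    return trace


def slide_notation(stack):
    """Render a stack bottom label first, the way the slide prints it ('90 51 16')."""
    return " ".join(str(label) for label in reversed(stack))


def max_depth(trace):
    """Deepest stack on the path: 3 inside the carrier core (ISP VPN label, carrier VPN label, transport)."""
    return max(len(stack) for _, stack in trace)


if __name__ == "__main__":
    for node, stack in forward():
        print(f"{node:>10}: 10.1.1.1 {slide_notation(stack)}")
```

The three-deep stack at P1 is the point of the slide: the carrier never sees the ISP's VPN label 90, and the ISP never sees the carrier's transport label 16 or VPNv4 label 51.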
Security Mechanism in CsC
BGP/LDP MD5 authentication on the PE-CE session
To prevent label spoofing, the PE maintains the association between each label it allocates and the VRF it was allocated for, and checks during the LFIB lookup that the label on a packet received from the CE is one the PE allocated for that VRF
If the check fails, the packet is dropped.
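The label-to-VRF check described on this slide, as an added Python model (not IOS code and not from the deck). Interface names, VRF names, prefixes and label numbers below are constructed for the example; the PE allocates labels from one global label space and records the owning VRF with each entry.

```python
# Added example: the per-VRF label ownership check a CsC PE applies to labelled
# packets received from a CE. Simplified model written for this page, not IOS code;
# interface names, VRF names, prefixes and label numbers are constructed.

class CscPE:
    """Carrier PE with a global label space shared by all VRFs.

    Every label the PE allocates is recorded together with the VRF it was
    allocated for. A labelled packet arriving on a VRF interface is forwarded
    only if its top label exists in the LFIB *and* belongs to that interface's
    VRF; anything else is counted and dropped.
    """

    def __init__(self, first_label=16):
        self._next_label = first_label
        self.lfib = {}          # label -> {"vrf", "prefix", "next_hop"}
        self.vrf_of_intf = {}   # interface -> VRF name
        self.drops = []         # (interface, label, reason)

    def bind_interface(self, intf, vrf):
        self.vrf_of_intf[intf] = vrf

    def allocate_label(self, vrf, prefix, next_hop):
        """Allocate a label for a prefix learned (via LDP or BGP+label) in a VRF."""
        label = self._next_label
        self._next_label += 1
        self.lfib[label] = {"vrf": vrf, "prefix": prefix, "next_hop": next_hop}
        return label

    def receive(self, intf, label, payload):
        """LFIB lookup for a labelled packet from a CE; returns the forwarding decision or None."""
        vrf = self.vrf_of_intf[intf]
        entry = self.lfib.get(label)
        if entry is None:
            self.drops.append((intf, label, "no-lfib-entry"))
            return None
        if entry["vrf"] != vrf:
            # Label exists but was allocated for another VRF: spoofed or misconfigured label.
            self.drops.append((intf, label, "vrf-mismatch"))
            return None
        return {"next_hop": entry["next_hop"], "prefix": entry["prefix"], "payload": payload}


def demo():
    """Two VRFs on one PE; the green CE presents a green label, a blue label and an unknown label."""
    pe = CscPE()
    pe.bind_interface("Serial0/0", "green")
    pe.bind_interface("Serial0/1", "blue")
    # Labels advertised to each CE for the remote ISP-PE loopback reachable through that VRF.
    green_label = pe.allocate_label("green", "30.1.61.25/32", "PE2")   # constructed: 16
    blue_label = pe.allocate_label("blue", "30.1.61.26/32", "PE2")     # constructed: 17
    results = {
        "own_label": pe.receive("Serial0/0", green_label, b"ip-to-10.1.1.1"),
        "other_vrf_label": pe.receive("Serial0/0", blue_label, b"ip-to-10.1.1.1"),
        "unknown_label": pe.receive("Serial0/0", 99, b"ip-to-10.1.1.1"),
    }
    return results, pe.drops


if __name__ == "__main__":
    results, drops = demo()
    for name, decision in results.items():
        print(name, "->", "forwarded" if decision else "dropped")
    print("drops:", drops)
```

The drop counters are the operational signal: a non-zero vrf-mismatch count on a PE-CE interface means a CE is sending labels it was never given for that VRF, which is worth an alarm in the NOC whether the cause is a misconfiguration or something deliberate.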
CsC Deployment Guideline
Two choices for deploying CsC:
1. IGP+LDP on the PE-CE, or
2. eBGP IPv4+label on the PE-CE (RFC 3107)
Choice selection is driven by the choice of routing protocol on the PE-CE
The CE has to run MPLS-aware code
CsC: IOS Commands/Configs
Choice 1: What Do You Need to Configure?
Choice 1: Enable LDP on PE-CE (PE-1 and CE-1 connected over a VRF interface running IGP+LDP)
PE-1:
interface Serial0/0
 ip vrf forwarding green
 mpls ip
 mpls label protocol ldp
CE-1:
interface Serial0/0
 mpls ip
 mpls label protocol ldp
Verification on PE-1:
show mpls interfaces [vrf <name> | all]
show mpls ldp discovery [vrf <name> | all]
show mpls ldp bindings vrf <name>
show mpls ip binding vrf <name>
show mpls ldp neighbor [vrf <name> | all]
show mpls forwarding-table [vrf <name>]
Verification on CE-1:
show mpls interfaces
show mpls ldp discovery
show mpls ldp bindings
show mpls ldp neighbor
show mpls forwarding-table
CsC: IOS Commands/Configs
Choice 2: What Do You Need to Configure?
Choice 2: Enable eBGP+label on PE-CE (PE-1 and CE-1 connected over a VRF interface running eBGP+label)
1. No IGP needed on PE-CE
2. No LDP needed on PE-CE
PE-1:
router bgp 1
 address-family ipv4 vrf green
  neighbor 200.1.61.6 remote-as 2
  neighbor 200.1.61.6 activate
  neighbor 200.1.61.6 send-label
CE-1:
router bgp 2
 neighbor 200.1.61.5 remote-as 1
 neighbor 200.1.61.5 send-label
IOS Commands/Configs
Choice 2: eBGP+label on the PE-CE
Verification on the PE:
show ip bgp vpnv4 vrf <name> neighbors
show ip bgp vpnv4 vrf <name> labels
show mpls forwarding-table vrf <name>
Verification on the CE:
show ip bgp neighbors
show ip bgp labels
show mpls forwarding-table
Agenda
MPLS VPN Definition? Technology; Configuration
MPLS-VPN Services: providing load-shared traffic to multihomed VPN sites; providing Hub&Spoke service to VPN customers; providing MPLS VPN Extranet service; providing Internet access service to VPN customers; providing VRF-selection based services; providing Remote Access MPLS VPN; providing VRF-aware NAT services
Advanced MPLS VPN Topics: Inter-AS MPLS-VPN; CsC (Carrier Supporting Carrier)
Best Practices
Conclusion
Best Practices
1. Use RRs to scale BGP.
2. Deploy RRs in pairs for redundancy.
3. Keep RRs out of the forwarding paths and disable CEF on them (saves memory).
4. Consider a unique RD per VRF per PE if load sharing of VPN traffic is required.
5. RT and RD should have the ASN in them, i.e. ASN:X. Reserve the first few hundred values of X for internal purposes such as filtering.
6. Don't use customer names as VRF names; it is a nightmare for the NOC. Use a simple combination of numbers and characters in the VRF name, for example v101, v102, v201, v202 etc., and use the description.
7. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbor:
   max-prefix within the VRF configuration
   max-prefix per neighbor within the BGP VRF address family (if BGP is run on the PE-CE)
Conclusion
MPLS VPN is a cheaper alternative to traditional L2VPN
MPLS-VPN paves the way for new revenue streams
VPN customers can outsource their layer 3 to the provider
Straightforward to configure an any-to-any VPN topology; partial-mesh and hub&spoke topologies can also be easily deployed
CsC and Inter-AS can be used to expand into new markets
VRF-aware services can be deployed to maximize the investment
Complete Your Online Session Evaluation!
WHAT: Complete an online session evaluation and your name will be entered into a daily drawing
WHY: Win fabulous prizes! Give us your feedback!
WHERE: Go to the Internet stations located throughout the Convention Center
HOW: Winners will be posted on the onsite Networkers Website; four winners per day
http://www.networkers04.com/desktop
Thanks for your time.
Q & A
Eval - http://www.networkers04.com/desktop
BACK UP SLIDES
Scenario 1: Back-to-Back VRF
Control Plane
[Figure: Scenario 1 control plane, VRF-to-VRF connectivity between ASBRs. Topology: VPN-B (CE-2) - PE-1 - ASBR-1 | ASBR-2 - PE-2 - CE-3 (VPN-B). Advertisements for 10.1.1.0/24 as printed on the slide:
- BGP, OSPF or RIPv2: 10.1.1.0/24, NH=CE-2
- VPN-v4 update: RD 1:27:10.1.1.0/24, NH=PE-1, RT=1:1, Label=(29); imported into the VPN-B VRF (import routes with route-target 1:1)
- BGP, OSPF or RIPv2 across the ASBR-ASBR VRF link: 10.1.1.0/24, NH=ASBR-2
- VPN-v4 update: RD 1:27:10.1.1.0/24, NH=ASBR-2, RT=1:1, Label=(92); imported into the VPN-B VRF (import routes with route-target 1:1)
- BGP, OSPF or RIPv2: 10.1.1.0/24, NH=PE-2]
Scenario 1: Back-to-Back VRF
Forwarding Plane
[Figure: VPN-B (CE-2) - PE-1 - P1 - ASBR-1 | ASBR-2 - P2 - PE-2 - CE-3 (VPN-B), with 10.1.1.0/24 behind CE-2. Label stacks printed on the slide for a packet to 10.1.1.1 (bottom label first): 10.1.1.1 29 30 inside AS #1; 10.1.1.1 92 20 and 10.1.1.1 92 inside AS #2; plain 10.1.1.1 on the CE links and between the ASBRs (IP packets between ASBRs).]
Pros
Per-customer QoS is possible
It is simple and elegant, since there is no need to load the Inter-AS code (but still not widely deployed)
Cons
Not scalable: the number of interfaces on both ASBRs is directly proportional to the number of VRFs
No end-to-end MPLS
Unnecessary memory consumed in the RIB/(L)FIB
Dual-homing of the ASBR makes provisioning worse
Cisco IOS Configuration
Scenario 1: Back-to-Back VRF between ASBRs
[Figure: VPN-A (CE-1) - PE1 - ASBR1 in AS #1; ASBR2 - PE2 - CE-2 (VPN-A) in AS #2. ASBR1 and ASBR2 share the link 1.1.1.0/30, over which VRF routes are exchanged via any routing protocol.]
Note: the ASBR must already have an MP-iBGP session with its iBGP neighbors, such as RRs or PEs.
ASBR VRF and BGP config:
ip vrf green
 rd 1:1
 route-target both 1:1
!
router bgp x
 address-family ipv4 vrf green
  ! the remote-as line is not on the slide but is required before activate
  neighbor 1.1.1.x remote-as <peer-AS>
  neighbor 1.1.1.x activate
IOS Configuration
Scenario 2.5: Multi-Hop MP-eBGP for VPNv4
[Figure: VPN-A (CE-1) - PE1 - ASBR1 in AS #1; ASBR2 - PE2 - CE-2 (VPN-A) in AS #2. ASBR1 and ASBR2 are connected on serial 0 with IGP & LDP and run multi-hop MP-eBGP for VPNv4 between their loopbacks.]
Multi-Hop MP-BGP session between ASBRs:
interface serial 0
 ip address 1.1.1.x 255.255.255.252
 mpls ip
 mpls label protocol ldp
!
router bgp x
 no bgp default route-target filter
 neighbor <ASBR-x> remote-as x
 neighbor <ASBR-x> update-source loopback0
 neighbor <ASBR-x> ebgp-multihop
 !
 address-family vpnv4
  neighbor <ASBR-x> activate
  neighbor <ASBR-x> send-community extended
Scenario 4: Non-VPN Transit Provider
Two MPLS VPN providers may exchange routes via one or more transit providers
These may be non-VPN transit backbones that just run MPLS
Multihop MP-eBGP is deployed between the edge providers
The BGP next-hops are exchanged via the transit provider
Option 4: Non-VPN Transit Provider
[Figure: MPLS VPN Provider #1 (VPN-B CE-2, PE1, RR-1, ASBR-1) and MPLS VPN Provider #2 (ASBR-4, RR-2, PE2, VPN-B CE-3) connected through a non-VPN MPLS transit backbone (ASBR-2, ASBR-3). eBGP IPv4 + labels on the ASBR-1/ASBR-2 and ASBR-3/ASBR-4 links; iBGP IPv4 + labels inside each provider; multihop MP-eBGP or MP-iBGP for VPNv4 between the two VPN providers with next-hop-unchanged.]
Route-Target rewrite at ASBR
The ASBR can add or delete the route-targets associated with a VPNv4 prefix
Secures the VPN environment
ASBR(config)#router bgp 1000
ASBR(config-router)#neighbor 1.1.1.1 route-map route-target-delete out
ASBR(config-router)#exit
ASBR(config)#route-map route-target-delete
ASBR(config-route-map)#match extcommunity 101
ASBR(config-route-map)#set extcomm-list 101 delete
ASBR(config-route-map)#set extcommunity rt 123:123 additive
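What the outbound route-map on this slide does to each VPNv4 update, as an added Python model (not IOS code and not from the deck). The slide does not show the contents of extcommunity-list 101, so the RTs it matches are assumed here, and the sample updates and the neighbouring PE's import policy are constructed. The model follows IOS route-map semantics: a route that matches no clause is not advertised.

```python
# Added example: the ASBR's outbound route-map 'route-target-delete' applied to
# VPNv4 updates, modelled in Python. Not IOS code. The contents of
# extcommunity-list 101 are not on the slide and are assumed; sample data is constructed.

EXTCOMM_LIST_101 = {"1:1", "1:2"}   # assumed: the local AS's RTs that must not leave the AS unchanged
LOCAL_EXPORT_RT = "123:123"          # from the slide: set extcommunity rt 123:123 additive


def route_target_delete(update):
    """Apply the single permit clause of 'route-map route-target-delete' to one VPNv4 update.

    match extcommunity 101               -> the clause matches if any RT is in list 101
    set extcomm-list 101 delete          -> remove the RTs that are in list 101
    set extcommunity rt 123:123 additive -> append the inter-AS RT, keeping the others
    A route that matches no clause is denied, i.e. not advertised (IOS route-map
    semantics), so this function returns None for it.
    """
    rts = set(update["rt"])
    if rts.isdisjoint(EXTCOMM_LIST_101):
        return None
    rewritten = (rts - EXTCOMM_LIST_101) | {LOCAL_EXPORT_RT}
    return {**update, "rt": sorted(rewritten)}


def advertise_out(updates):
    """Run the outbound policy over all updates toward neighbor 1.1.1.1; denied ones are dropped."""
    out = []
    for update in updates:
        rewritten = route_target_delete(update)
        if rewritten is not None:
            out.append(rewritten)
    return out


def importing_vrfs(update, import_policy):
    """VRFs on a receiving PE whose import RT set intersects the update's RTs."""
    return sorted(vrf for vrf, rts in import_policy.items() if rts & set(update["rt"]))


# Constructed sample updates leaving AS 1000 (RD and prefix written as on the control-plane slides).
UPDATES = [
    {"rd": "1:27", "prefix": "10.1.1.0/24", "rt": ["1:1"]},
    {"rd": "1:28", "prefix": "10.2.2.0/24", "rt": ["1:2", "5:5"]},
    {"rd": "1:29", "prefix": "10.3.3.0/24", "rt": ["9:9"]},          # no RT in list 101: denied
]

# Constructed import policy on a PE in the neighbouring AS. Its "vpn-a" imports RT 1:1
# for an unrelated customer, so without the rewrite the first update would land there.
PEER_IMPORT_POLICY = {"vpn-a": {"1:1"}, "vpn-b": {"123:123"}}


if __name__ == "__main__":
    for original in UPDATES:
        rewritten = route_target_delete(original)
        after = importing_vrfs(rewritten, PEER_IMPORT_POLICY) if rewritten else "denied"
        print(original["prefix"], "before:", importing_vrfs(original, PEER_IMPORT_POLICY), "after:", after)
```

The before/after columns are the security argument on the slide: RT values are only meaningful inside the AS that assigned them, so an ASBR that strips its own RTs and attaches an agreed inter-AS RT decides exactly which VRFs on the other side can import the prefix, and an inbound route-map of the same shape lets it decide which of its own VRFs the neighbour's prefixes can reach.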